Cisco Systems IE 2000 Security Features

1-7

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 1 Configuration Overview

Feature Software Licensing

• VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1

to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent

or received on the trunk. The switch CPU continues to send and receive control protocol frames.

• VLAN FlexLink load balancing to provide Layer 2 redundancy without requ iring Spanning Tree

Protocol (STP). A pair of interfaces configured as primary and backup links can load balance traffic

based on VLAN.

• Support for 802.1x authentication with restricted VLANs (also known as authentication failed

VLANs).

• Support for VTP version 3 that includes support for configuring extended range VLANs (VLANs

1006 to 4096) in any VTP mode, enhanced authentication (hidden or secret passwords), propagation

of other databases in addition to VTP, VTP primary and secondary servers, and the option to turn

VTP on or off by port.

Security Features

• IP Service Level Agreements (IP SLAs) support to measure network performance by using active

traffic monitoring

• IP SLAs EOT to use the output from IP SLAs tracking operations triggered by an action such as

latency, jitter, or packet loss for a standby router failover takeover (requires the LAN Base image)

• Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to

be authenticated using a web browser

• Local web authentication banner so that a custom banner or an image file can be displ ayed at a web

authentication login screen

• MAC authentication bypass (MAB) aging timer to detect inactive hosts that have authenticated after

they have authenticated by using MAB

• Password-protected access (read-only and read-write access) to management interfaces (Device

Manager, Network Assistant, and the CLI) for protection against unauthorize d configuration

changes

• Multilevel security for a choice of security level, notification, and resulting actions

• Static MAC addressing for ensuring security

• Protected port option for restricting the forwarding of traffic to designated ports on t he same switch

• Port security option for limiting and identifying MAC addresses of the stations allowed to access

the port

• VLAN-aware port security option to shut down the VLAN on the port when a violation occurs,

instead of shutting down the entire port

• Port security aging to set the aging time for secure addresses on a port

• Protocol storm protection to control the rate of incoming prot ocol traffic to a switch by dropping

packets that exceed a specified ingress rate

• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs

• Standard and extended IP access control lists (ACLs) for defining security policies in both direct ions

on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)

• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2

interfaces

• Source and destination MAC-based ACLs for filtering non-IP traffic