Cisco Systems OL-8550-09 Security Features

1-10

Catalyst 3750 SwitchSoftware Configuration Guide

OL-8550-09

Chapter1 Overview

Features

Security Features

•IP Service Level Agreements (IP SLAs) support to measure network performance by using active

traffic monitoring

•IP SLAs EOT to use the output from IP SLAs tracking operations triggered by an action such as

latency, jitter, or packet loss for a standby router failover takeover

•Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to

be authenticated using a web browser

•Local web authentication banner so that a custom banner or an image file can be displayed at a web

authentication login screen

•MAC authentication bypass (MAB) aging timer to detect inactive hosts that have authenticated after

they have authenticated by using MAB

•Password-protected access (read-only and read-write access) to management interfaces (device

manager, Network Assistant, and the CLI) for protection against unauthorized configuration

changes

•Multilevel security for a choice of security level, notification, and resulting actions

•Static MAC addressing for ensuring security

•Protected port option for restricting the forwarding of traffic to designated ports on the same switch

•Port security option for limiting and identifying MAC addresses of the stations allowed to access

the port

•VLAN aware port security option to shut down the VLAN on the port when a violation occurs,

instead of shutting down the entire port.

•Port security aging to set the aging time for secure addresses on a port

•BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs

•Standard and extended IP access control lists (ACLs) for defining security policies in both directions

on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)

•Extended MAC access control lists for defining security policies in the inbound direction on Layer 2

interfaces

•VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on

information in the MAC, IP, and TCP/UDP headers

•Source and destination MAC-based ACLs for filtering non-IP traffic

•IPv6 ACLs to be applied to interfaces to filter IPv6 traffic

•DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers

•IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP

snooping database and IP source bindings

•Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP

requests and responses to other ports in the same VLAN

•IEEE 802.1Q tunneling so that customers with users at remote sites across a service-provider

network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure

that the customer’s network has complete STP, CDP, and VTP information about all users

•Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels

•Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors