Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 1 Product Overview
Security Features
For information on flood blocking, see Chapter 35, “Port Unicast and Multicast Flood Blocking.”
IP Source Guard
Similar to DHCP snooping, this feature is enabled on an untrusted Layer 2 port that is configured for DHCP
snooping. Initially all IP traffic on the port is blocked except for the DHCP packets, which are captured
by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, a
PVACL is installed on the port, which restricts the client IP traffic only to clients with assigned IP
addresses, so any IP traffic with source IP addresses other than those assigned by the DHCP server will
be filtered out. This filtering prevents a malicious host from attacking a network by hijacking a neighbor
host's IP address.
For information on configuring IP Source Guard, see Chapter 31, “Configuring DHCP Snooping and IP
Source Guard.”
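The following Python model is an added illustration of the filtering behavior just described and is not part of this guide or of the switch software. It assumes constructed port names and addresses, and models the DHCP snooping binding table as a simple per-port set of assigned client IPs.

```python
from dataclasses import dataclass, field

DHCP_UDP_PORTS = {67, 68}  # DHCP server/client UDP ports


@dataclass(frozen=True)
class Packet:
    in_port: str        # ingress switch port, e.g. "Gi1/1" (constructed)
    src_ip: str
    proto: str          # "udp", "tcp" or "icmp"
    dst_port: int = 0   # L4 destination port, 0 when not applicable


@dataclass
class IPSourceGuard:
    """Per-port source-IP filter driven by the DHCP snooping binding table."""
    guarded_ports: set = field(default_factory=set)
    # port -> set of IPs the DHCP server assigned to clients on that port
    bindings: dict = field(default_factory=dict)

    def enable(self, port: str) -> None:
        self.guarded_ports.add(port)
        self.bindings.setdefault(port, set())

    def snoop_dhcp_ack(self, port: str, client_ip: str) -> None:
        """DHCP snooping observed a server ACK for a client on this untrusted port."""
        self.bindings.setdefault(port, set()).add(client_ip)

    def allow(self, pkt: Packet) -> bool:
        if pkt.in_port not in self.guarded_ports:
            return True          # feature not enabled on this port
        if pkt.proto == "udp" and pkt.dst_port in DHCP_UDP_PORTS:
            return True          # DHCP always passes so the client can obtain a lease
        return pkt.src_ip in self.bindings[pkt.in_port]


def demo() -> list:
    isg = IPSourceGuard()
    isg.enable("Gi1/1")
    isg.enable("Gi1/2")
    results = []
    # Before any lease exists, only DHCP is forwarded from the port
    results.append(isg.allow(Packet("Gi1/1", "0.0.0.0", "udp", 67)))      # True
    results.append(isg.allow(Packet("Gi1/1", "10.0.0.50", "icmp")))      # False
    # Server assigns 10.0.0.10 to the host on Gi1/1 and 10.0.0.20 to Gi1/2
    isg.snoop_dhcp_ack("Gi1/1", "10.0.0.10")
    isg.snoop_dhcp_ack("Gi1/2", "10.0.0.20")
    results.append(isg.allow(Packet("Gi1/1", "10.0.0.10", "tcp", 443)))  # True
    # Host on Gi1/1 sourcing traffic with its neighbor's address is dropped
    results.append(isg.allow(Packet("Gi1/1", "10.0.0.20", "tcp", 443)))  # False
    return results
```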
Local Authentication, RADIUS, and TACACS+ Authentication
RADIUS and TACACS+ control access to the switch. For additional information, refer to the chapter
“Authentication, Authorization, and Accounting (AAA),” in Cisco IOS Security Configuration Guide,
Release 12.1, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/secur_c/scprt1/index.htm
Network Security with ACLs
An access control list (ACL) filters network traffic by controlling whether routed packets are forwarded
or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine
whether to forward or drop the packet based on the criteria you specified within the access lists.
MAC access control lists (MACLs) and VLAN access control lists (VACLs) are supported. VACLs are
also known as VLAN maps in Cisco IOS.
The following security features are supported:
• MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN
interface.
• Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
For information on ACLs, MACLs, VLAN maps, MAC address filtering, and Port ACLs, see
Chapter 33, “Configuring Network Security with ACLs.”
Port Security
Port Security restricts traffic on a port based upon the MAC address of the workstation that accesses the
port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a
per-VLAN basis.
For information on port security, see Chapter 30, “Configuring Port Security and Trunk Port Security.”