Cisco Systems WSC4500X16SFP Manual De Usuario
1-13
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 1 Product Overview
Security Features
802.1X Identity-Based Network Security
This security feature consists of the following:
•
802.1X protocol—This feature provides a means for a host that is connected to a switch port to be
authenticated before it is given access to the switch services.
authenticated before it is given access to the switch services.
•
802.1X with VLAN assignment—This feature enables you to enable non-802.1X-capable hosts to
access networks that use 802.1X authentication.
access networks that use 802.1X authentication.
•
802.1X authentication for guest VLANs—This feature enables you to use VLAN assignment to
limit network access for certain users.
limit network access for certain users.
•
802.1X RADIUS accounting—This feature enables you to track the usage of network devices.
•
802.1X with Voice VLAN—This feature enables you to use 802.1X security on a port while
enabling it to be used by both Cisco IP phones and devices with 802.1X supplicant support.
enabling it to be used by both Cisco IP phones and devices with 802.1X supplicant support.
For more information on 802.1X identity-based network security, see
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) intercepts all ARP requests, replies on untrusted ports, and verifies each
intercepted packet for valid IP to MAC bindings. Dynamic ARP Inspection helps to prevent attacks on
a network by not relaying invalid ARP replies out to other ports in the same VLAN. Denied ARP packets
are logged by the switch for auditing.
intercepted packet for valid IP to MAC bindings. Dynamic ARP Inspection helps to prevent attacks on
a network by not relaying invalid ARP replies out to other ports in the same VLAN. Denied ARP packets
are logged by the switch for auditing.
For more information on dynamic ARP inspection, see
Dynamic Host Configuration Protocol Snooping
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that is a component of a
DHCP server. DHCP snooping provides security by intercepting untrusted DHCP messages and by
building and maintaining a DHCP snooping binding table. An untrusted message is a message that is
received from outside the network or firewall that can cause traffic attacks within your network.
DHCP server. DHCP snooping provides security by intercepting untrusted DHCP messages and by
building and maintaining a DHCP snooping binding table. An untrusted message is a message that is
received from outside the network or firewall that can cause traffic attacks within your network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also provides a way
to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected
to the DHCP server or another switch.
to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected
to the DHCP server or another switch.
For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the Cisco IOS
IP and IP Routing Configuration Guide at the following URL:
IP and IP Routing Configuration Guide at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ip_c/ipcprt1/1cddhcp.htm
For information on configuring DHCP snooping, see
Flood Blocking
Flood blocking enables users to disable the flooding of unicast and multicast packets on a per-port basis.
Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port
because a MAC address has timed out or has not been learned by the switch.
Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port
because a MAC address has timed out or has not been learned by the switch.