Cisco Systems WSC4500X16SFP Manual De Usuario
1-14
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 1 Product Overview
Security Features
For information on flood blocking, see
IP Source Guard
Similar to DHCP snooping, this feature is enabled on an untrusted 12 port that is configured for DHCP
snooping. Initially all IP traffic on the port is blocked except for the DHCP packets, which are captured
by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, a
PVACL is installed on the port, which restricts the client IP traffic only to clients with assigned IP
addresses, so any IP traffic with source IP addresses other than those assigned by the DHCP server will
be filtered out. This filtering prevents a malicious host from attacking a network by hijacking neighbor
host's IP address.
snooping. Initially all IP traffic on the port is blocked except for the DHCP packets, which are captured
by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, a
PVACL is installed on the port, which restricts the client IP traffic only to clients with assigned IP
addresses, so any IP traffic with source IP addresses other than those assigned by the DHCP server will
be filtered out. This filtering prevents a malicious host from attacking a network by hijacking neighbor
host's IP address.
For information on configuring IP Source Guard, see
Local Authentication, RADIUS, and TACACS+ Authentication
RADIUS and TACACS+ control access to the switch. For additional information, refer to the chapter
“Authentication, Authorization, and Accounting (AAA),” in Cisco IOS Security Configuration Guide,
Release 12.1, at the following URL:
“Authentication, Authorization, and Accounting (AAA),” in Cisco IOS Security Configuration Guide,
Release 12.1, at the following URL:
Network Security with ACLs
An access control list (ACL) filters network traffic by controlling whether routed packets are forwarded
or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine
whether to forward or drop the packet based on the criteria you specified within the access lists.
or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine
whether to forward or drop the packet based on the criteria you specified within the access lists.
MAC access control lists (MACLs) and VLAN access control lists (VACLs) are supported. VACLs are
also known as VLAN maps in Cisco IOS.
also known as VLAN maps in Cisco IOS.
The following security features are supported:
•
MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN
interface.
interface.
•
Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
For information on ACLs, MACLs, VLAN maps, MAC address filtering, and Port ACLs, see
Port Security
Port Security restricts traffic on a port based upon the MAC address of the workstation that accesses the
port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a
per-VLAN basis.
port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a
per-VLAN basis.
For information on port security, see