Cisco Systems 3560 User Manual

Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 1 Overview
Features
  • Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
  • Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces
  • VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/UDP headers
  • Source and destination MAC-based ACLs for filtering non-IP traffic
  • IPv6 ACLs to be applied to interfaces to filter IPv6 traffic:
  • DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
  • IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings
  • Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
  • IEEE 802.1Q tunneling so that customers with users at remote sites across a service-provider network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure that the customer’s network has complete STP, CDP, and VTP information about all users
  • Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels
  • Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors
  • IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These features are supported:
    – Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port
    – Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an MDA-enabled port
    – VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN
    – Port security for controlling access to 802.1x ports
    – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
    – IP phone detection enhancement to detect and recognize a Cisco IP phone.
    – Guest VLAN to provide limited services to non-802.1x-compliant users
    – Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have the credentials to authenticate via the standard 802.1x processes
    – 802.1x accounting to track network usage
    – 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame
    – 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE 802.1x on the switch
    – Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a security violation occurs.
    – MAC authentication bypass to authorize clients based on the client MAC address.