1-12
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Overview
Software Features
• VACL Logging to generate syslog messages for ACL denied IP packets (supported only on switches
running the IP Base or IP Services feature set)
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP
snooping database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP
requests and responses to other ports in the same VLAN
• IEEE 802.1Q tunneling so that customers with users at remote sites across a service-provider
network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure
that the customer’s network has complete STP, CDP, and VTP information about all users
• Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels
• Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors
• IEEE 802.1x with open access to allow a host to access the network before being authenticated
• Flexible-authentication sequencing to configure the order of the authentication methods that a port
tries when authenticating a new host
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining
access to the network. These features are supported:
–
Multidomain authentication (MDA) to allow both a data device and a voice device, such as an
IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled
switch port
–
VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN
–
Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server
assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same
VLAN. Voice VLAN assignment is supported for one IP phone (supported only on switches
running the IP Base or IP Services feature set).
–
Port security for controlling access to IEEE 802.1x ports
–
Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port
–
IP phone detection enhancement to detect and recognize a Cisco IP phone
–
Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users
–
Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do
not have the credentials to authenticate via the standard IEEE 802.1x processes
–
IEEE 802.1x accounting to track network usage
–
IEEE 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt
of a specific Ethernet frame
–
Voice aware IEEE 802.1x security to apply traffic violation actions only on the VLAN on which
a security violation occurs
–
Network Edge Access Topology (NEAT) with 802.1x switch supplicant, host authorization with
CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to
another switch.
–
NEAT enhancement to control access to the supplicant port during authentication (supported
only on switches running the IP Base or IP Services feature set)
To Next Page
Loading...
Need help?
General
