Cisco Catalyst 4500 Series - Cisco Trustsec Macsec Encryption

1-33
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 1 Product Overview
Security Features
Cisco TrustSec MACsec Encryption
Note Although the Catalyst 4500-X Series Switch supports Cisco TrustSec technology, it does not
support TrustSec MACsec Encryption.
MACsec (Media Access Control Security) is the IEEE 802.1AE standard for authenticating and
encrypting packets between two MACsec-capable devices. The Catalyst 4500 series switch supports
802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between
the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by
using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association
Protocol (SAP) key exchange. Link layer security can include both packet authentication between
switches and MACsec encryption between switches (encryption is optional).
For more information on TrustSec MACsec encryption, see Chapter 43, “Configuring MACsec
Encryption.”
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) intercepts all ARP requests and replies on untrusted ports and verifies
that each intercepted packet carries a valid IP-to-MAC binding. DAI helps to prevent attacks on a
network by not relaying invalid ARP replies out to other ports in the same VLAN. Denied ARP packets
are logged by the switch for auditing.
For more information on dynamic ARP inspection, see Chapter 49, “Configuring Dynamic ARP
Inspection.”
Dynamic Host Configuration Protocol Snooping
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that is a component of a
DHCP server. DHCP snooping provides security by intercepting untrusted DHCP messages and by
building and maintaining a DHCP snooping binding table. An untrusted message is one received from
outside the network or firewall that could be used to attack traffic within your network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also provides a way
to differentiate between untrusted interfaces connected to end users and trusted interfaces connected
to the DHCP server or to another switch.
With SSO support, DHCP Snooping propagates the DHCP-snooped data from the active supervisor
engine to the redundant supervisor engine so that when a switchover occurs, the newly active supervisor
engine is aware of the DHCP data that was already snooped, and the security benefits continue
uninterrupted.
For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the Cisco IOS
IP and IP Routing Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
For information on configuring DHCP snooping, see Chapter 50, “Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts.”
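The two mechanisms above work together: DHCP snooping learns IP-to-MAC bindings only from server replies on trusted ports, and DAI then checks ARP replies on untrusted ports against that table, logging what it denies. The following model of that interaction is an added illustration, not code from the guide or from Cisco IOS; the port names, VLAN, addresses and traffic are constructed sample values.

```python
"""Model of DHCP snooping binding-table learning and DAI checks (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    # Ports facing the DHCP server or another switch are trusted; end-user ports are not.
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> client MAC
    denied_log: list = field(default_factory=list)  # audit log of dropped packets

    def dhcp_message(self, port, vlan, msg_type, client_mac, leased_ip):
        """DHCP snooping: server replies (OFFER/ACK) populate the binding table only
        when they arrive on a trusted port; the same messages from an untrusted
        port are dropped, so a rogue server cannot seed bogus bindings."""
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                self.denied_log.append(f"DHCP {msg_type} on untrusted {port} dropped")
                return False
            self.bindings[(vlan, leased_ip)] = client_mac
        return True  # client messages (DISCOVER/REQUEST) are forwarded from any port

    def arp_reply(self, port, vlan, sender_ip, sender_mac):
        """DAI: ARP replies on trusted ports pass; on untrusted ports the sender
        IP/MAC pair must match a snooped binding or the reply is dropped and logged."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get((vlan, sender_ip)) == sender_mac:
            return True
        self.denied_log.append(
            f"ARP reply {sender_ip} is-at {sender_mac} on {port} vlan {vlan} denied")
        return False


def demo():
    """Run constructed sample traffic through the model and return the outcomes."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"})
    # Real DHCP server on trusted Gi1/1 leases 10.0.0.5 to host A (constructed values)
    sw.dhcp_message("Gi1/1", 10, "ACK", "aa:aa:aa:aa:aa:aa", "10.0.0.5")
    # A DHCP OFFER arriving on an untrusted end-user port is dropped
    rogue_offer = sw.dhcp_message("Gi1/2", 10, "OFFER", "bb:bb:bb:bb:bb:bb", "10.0.0.9")
    # Host A answers ARP for its own leased address: binding matches, relayed
    valid_reply = sw.arp_reply("Gi1/2", 10, "10.0.0.5", "aa:aa:aa:aa:aa:aa")
    # Another untrusted port claims host A's IP with a different MAC: denied and logged
    invalid_reply = sw.arp_reply("Gi1/3", 10, "10.0.0.5", "cc:cc:cc:cc:cc:cc")
    return {"rogue_offer": rogue_offer, "valid_reply": valid_reply,
            "invalid_reply": invalid_reply, "bindings": dict(sw.bindings),
            "denied_log": list(sw.denied_log)}


if __name__ == "__main__":
    for line in demo()["denied_log"]:
        print(line)
```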
