1-7
Catalyst 3750 Switch Software Configuration Guide
78-16180-02
Chapter 1 Overview
Features
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• Port security aging to set the aging time for secure addresses on a port
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
• Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces
• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/UDP headers
• Source and destination MAC-based ACLs for filtering non-IP traffic
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings (requires the EMI)
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN (requires the EMI)
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network
  – 802.1x with VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN
  – 802.1x with port security for controlling access to 802.1x ports
  – 802.1x with voice VLAN to permit an IP phone access to the voice VLAN regardless of the authorized or unauthorized state of the port
  – 802.1x with guest VLAN to provide limited services to non-802.1x-compliant users
  – 802.1x accounting to track network usage
• TACACS+, a proprietary feature for managing network security through a TACACS server
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services
• Kerberos security system to authenticate requests for network resources by using a trusted third party (requires the cryptographic versions of the SMI and EMI)
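The Layer 2 security features listed above build on one another: DHCP snooping populates the binding table that IP source guard and dynamic ARP inspection consult, and only ports marked as trusted may carry DHCP server replies and unvalidated ARP. The following IOS configuration is an added example, not taken from this guide; the interface names, VLAN number, and limits are assumed.

```cisco
! Global: DHCP snooping must be enabled before IP source guard or
! dynamic ARP inspection can use its binding table (VLAN 10 is assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Access port facing an end host (interface name assumed); untrusted by default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Port security: at most two MAC addresses, drop offenders without shutting the port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 ! Cap DHCP requests from the host so a flood cannot exhaust the server
 ip dhcp snooping limit rate 15
 ! Port Fast with BPDU guard: an end-host port that sees a BPDU is shut down
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! IP source guard: only source IPs present in the DHCP snooping bindings pass
 ip verify source
!
! Uplink toward the DHCP server (interface name assumed): trusted, so server
! replies and ARP traffic from the core are not filtered on this switch
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

Verify the result with show ip dhcp snooping binding and show ip arp inspection vlan 10; a host that never obtained a lease through the switch will have no binding and its traffic is dropped by IP source guard.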
QoS and CoS Features
• Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues
• Cross-stack QoS for configuring QoS features to all switches in a switch stack rather than on an individual-switch basis
• Classification
  – IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and 802.1p CoS marking priorities on a per-port basis for protecting the performance of mission-critical applications
  – IP ToS/DSCP and 802.1p CoS marking based on flow-based packet classification (classification based on information in the MAC, IP, and TCP/UDP headers) for high-performance quality of service at the network edge, allowing for differentiated service levels for different types of network traffic and for prioritizing mission-critical traffic in the network