Security Overview
Network Security Features
Feature Default Security Guidelines More Information and
Setting Configuration Details
Connection- none
Rate Filtering
based on
Virus-Throttling
Technology
This feature helps protect the network from attack and
is recommended for use on the network edge. It is
primarily focused on the class of worm-like malicious
code that tries to replicate itself by taking advantage of
weaknesses in network applications behind unsecured
ports. In this case, the malicious code tries to create a
large number of outbound connections on an interface
in a short time. Connection-Rate filtering detects hosts
that are generating traffic that exhibits this behavior, and
causes the switch to generate warning messages and
(optionally) to throttle or drop all traffic from the
offending hosts.
Chapter 3, “Virus Throttling
(Connection-Rate Filtering)”
Spanning Tree none
Protection
These features prevent your switch from malicious
attacks or configuration errors:
• BPDU Filtering and BPDU Protection: Protects the
network from denial-of-service attacks that use
spoofing BPDUs by dropping incoming BPDU frames
and/or blocking traffic through a port.
• STP Root Guard: Protects the STP root bridge from
malicious attacks or configuration mistakes.
Advanced Traffic
Management Guide, refer to
the chapter “Multiple
Instance Spanning-Tree
Operation”
DHCP Snooping, none
Dynamic ARP
Protection, and
Dynamic IP
Lockdown
These features provide the following additional Chapter 11, “Configuring
protections for your network: Advanced Threat
• DHCP Snooping: Protects your network from
Protection”
common DHCP attacks, such as address spoofing
and repeated address requests.
• Dynamic ARP Protection: Protects your network
from ARP cache poisoning.
• Dynamic IP Lockdown: Prevents IP source address
spoofing on a per-port and per-VLAN basis
• Instrumentation Monitor. Helps identify a variety of
malicious attacks by generating alerts for detected
anomalies on the switch.
1-8
To Next Page
Loading...
Need help?
General