Security Overview
Network Security Features
■ protocol filters: Inbound traffic having the selected frame (protocol)
type will be forwarded or dropped on a per-port (destination) basis.
For details, refer to Chapter 8, “Traffic/Security Filters and Monitors”.
Port Security, MAC Lockdown, and MAC Lockout
The features listed below provide device-based access security in the following ways:
■ Port security: Enables configuration of each switch port with a unique
list of the MAC addresses of devices that are authorized to access the
network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through
the switch. Some switch models also include eavesdrop prevention in the
port security feature.
■ MAC lockdown: This “static addressing” feature is used as an alternative
to port security to prevent station movement and MAC address “hijacking”
by allowing a given MAC address to use only one assigned port on the
switch. MAC lockdown also restricts the client device to a specific VLAN.
■ MAC lockout: This feature enables blocking of a specific MAC address
so that the switch drops all traffic to or from the specified address.
Precedence of Security Options. Where the switch is running multiple
security options, it applies them to network traffic in the order of the OSI
(Open Systems Interconnection) layer at which each option operates, from the
lowest layer to the highest. The following list shows the order in which the
switch applies configured security features to traffic moving through a
given port.
1. Disabled/Enabled physical port
2. MAC lockout (Applies to all ports on the switch.)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that
exists among some security features.)
For more information, refer to Chapter 10, “Configuring and Monitoring Port
Security”.
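The evaluation order in the list above can be made concrete with a small model. The following Python example is added here and is not part of the manual or the switch's firmware; the class names, the `evaluate` function and the configuration layout are constructed for illustration, and the MAC addresses come from the documentation range 00:00:5E:00:53:xx. The model applies the five layer-2 checks in the documented order and stops at the first one that drops the frame, which is what makes the precedence visible: a MAC that is authorized by port security on a port is still dropped when it is locked out switch-wide, and a locked-down station arriving on the wrong port is refused by MAC lockdown before port security is ever consulted.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    """A layer-2 frame as seen on ingress (constructed sample data)."""
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str


@dataclass
class SwitchConfig:
    """Hypothetical representation of the security settings named in the overview."""
    enabled_ports: set = field(default_factory=set)
    mac_lockout: set = field(default_factory=set)      # dropped to or from, on every port
    mac_lockdown: dict = field(default_factory=dict)   # mac -> (port, vlan) it may use
    port_security: dict = field(default_factory=dict)  # port -> set of authorized source MACs


def evaluate(frame: Frame, cfg: SwitchConfig) -> tuple:
    """Apply the security options in the documented precedence order.

    Returns (verdict, reason); the first option that drops the frame wins.
    Authorized IP Managers and application-layer features are out of scope
    for a layer-2 frame and are not modelled.
    """
    # 1. Physical port state: nothing is evaluated on a disabled port.
    if frame.in_port not in cfg.enabled_ports:
        return ("drop", "port disabled")
    # 2. MAC lockout: switch-wide, covers traffic to or from the address.
    if frame.src_mac in cfg.mac_lockout or frame.dst_mac in cfg.mac_lockout:
        return ("drop", "mac lockout")
    # 3. MAC lockdown: the source MAC may use only its assigned port and VLAN.
    assigned = cfg.mac_lockdown.get(frame.src_mac)
    if assigned is not None and assigned != (frame.in_port, frame.vlan):
        return ("drop", "mac lockdown violation")
    # 4. Port security: on a secured port the source MAC must be on its list.
    authorized = cfg.port_security.get(frame.in_port)
    if authorized is not None and frame.src_mac not in authorized:
        return ("drop", "port security violation")
    return ("forward", "passed layer-2 security checks")


# Constructed sample configuration (documentation MAC range, not real hosts).
STATION = "00:00:5e:00:53:10"   # locked down to port A1, VLAN 10
GUEST = "00:00:5e:00:53:20"     # authorized by port security on A2
LOCKED = "00:00:5e:00:53:99"    # locked out switch-wide, yet listed on A2
STRANGER = "00:00:5e:00:53:30"  # not configured anywhere
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_CONFIG = SwitchConfig(
    enabled_ports={"A1", "A2"},          # A3 is administratively disabled
    mac_lockout={LOCKED},
    mac_lockdown={STATION: ("A1", 10)},
    port_security={"A2": {GUEST, LOCKED}},
)

SAMPLE_FRAMES = {
    "station on its own port": Frame(STATION, BCAST, 10, "A1"),
    "station moved to A2": Frame(STATION, BCAST, 10, "A2"),
    "locked-out source on A2": Frame(LOCKED, BCAST, 20, "A2"),
    "traffic toward locked-out MAC": Frame(GUEST, LOCKED, 20, "A2"),
    "guest on secured port": Frame(GUEST, BCAST, 20, "A2"),
    "stranger on secured port": Frame(STRANGER, BCAST, 20, "A2"),
    "guest on disabled port": Frame(GUEST, BCAST, 20, "A3"),
}


def run_samples() -> dict:
    """Evaluate every sample frame and return {label: (verdict, reason)}."""
    return {label: evaluate(frame, SAMPLE_CONFIG) for label, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in run_samples().items():
        print(f"{label:32} -> {verdict:8} ({reason})")
```

The two frames worth comparing are "station moved to A2" and "locked-out source on A2". Port security on A2 would reject the first and accept the second, but neither verdict comes from port security: MAC lockdown catches the moved station and MAC lockout catches the listed-but-locked-out address, because both options sit earlier in the precedence order.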
1-10