Data Sheet
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 11
Secure Networking
Because security needs to be embedded throughout the network, routers and Cisco EtherSwitch devices play a critical role in any network defense strategy. Cisco Enhanced EtherSwitch Service Modules provide a rich set of security features and can be a crucial component of a secure network strategy. The modules support a comprehensive set of security features for connectivity and access control, including ACLs, authentication, port-level security, and identity-based network services with IEEE 802.1x and its extensions. These features not only help prevent external attacks but also defend the LAN against man-in-the-middle attacks launched from inside the segment (for example, ARP poisoning or a rogue DHCP server), a primary concern in today's business environment. Table 4 highlights the benefits of the Enhanced EtherSwitch Service Module LAN security features.
Table 4. LAN Security Features (feature, followed by its benefits)

Dynamic ARP Inspection (DAI)
  • DAI validates ARP requests and replies against the DHCP snooping binding table (or static ARP ACLs) and drops those whose sender IP/MAC pair does not match, so a malicious user on the segment cannot poison neighbors' ARP caches by exploiting the unauthenticated nature of the Address Resolution Protocol (ARP).

DHCP Snooping
  • This feature prevents malicious users from spoofing a Dynamic Host Configuration Protocol (DHCP) server and handing out bogus addresses: DHCP server messages are accepted only on ports explicitly configured as trusted. The IP-to-MAC-to-port-to-VLAN bindings it learns are used by other security features (DAI, IP Source Guard) to prevent numerous other attacks, such as ARP poisoning and IP address spoofing.

IP Source Guard
  • IP Source Guard prevents a malicious user from spoofing or taking over another user's IP address by filtering traffic on each access port against the binding table (client IP and MAC address, port, and VLAN) learned through DHCP snooping or configured statically.

Private VLANs
  • Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multiaccess-like segment; this feature is available in the ES3 only.
  • Private VLAN Edge (protected ports) provides isolation between switch ports on the same switch, helping ensure that users cannot snoop on other users' traffic; this feature is available in the ES3 only.

Unicast Reverse Path Forwarding (RPF)
  • This feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets whose source address cannot be verified against the routing table (in strict mode, the source must be reachable through the interface on which the packet arrived); it is available in the ES3 only.

IEEE 802.1x
  • IEEE 802.1x allows dynamic, port-based security, authenticating the user before the port forwards data traffic.
  • IEEE 802.1x with VLAN assignment allows the authentication server to assign a VLAN to a specific user dynamically, regardless of where the user is connected.
  • IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
  • IEEE 802.1x and port security are provided together to authenticate the port and manage network access for all MAC addresses, including that of the client.
  • IEEE 802.1x with an ACL assignment allows specific identity-based security policies to follow the user regardless of where the user is connected.
  • IEEE 802.1x with guest VLAN allows guests without 802.1x clients (supplicants) to have limited network access on the guest VLAN.
  • Web authentication for non-802.1x clients allows such clients to authenticate through an SSL-protected browser login instead of a supplicant.

Multidomain Authentication
  • Multidomain authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on the appropriate voice and data VLAN.

MAC Authentication Bypass
  • MAC Authentication Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to be authenticated by their MAC address; it is available in the ES3 only.

Advanced ACLs
  • Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs; this feature is available in the ES3 only.
  • Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control- and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic; this feature is available in the ES3 only.
  • Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.

Administrative Traffic Protection
  • Secure Shell (SSH) Protocol, Kerberos (ES3 only), and SNMPv3 protect management traffic: SSH replaces cleartext Telnet with an encrypted, authenticated session, Kerberos provides ticket-based centralized authentication for administrative logins, and SNMPv3 adds message authentication and, with the privacy option, encryption for SNMP management sessions. SSH, Kerberos (ES3 only), and the cryptographic (privacy) version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.

Switched Port Analyzer (SPAN)
  • SPAN mirrors traffic from selected ports or VLANs to a monitoring port. Bidirectional data support on the SPAN port allows a Cisco Intrusion Detection System (IDS) sensor attached to it both to inspect the mirrored traffic and to send traffic back through the port (for example, TCP resets) to take action when an intruder is detected.

Centralized Authentication
  • TACACS+ and RADIUS authentication, authorization, and accounting (AAA) facilitate centralized control of who may log in to the switch and what they may do, restricting unauthorized users from altering the configuration.

MAC Address Notification
  • MAC address notification allows administrators to be notified (via SNMP traps) when MAC addresses are learned on or aged out of switch ports, that is, when users are added to or removed from the network.

Port Security
  • Port security restricts access to an access or trunk port based on MAC address, limiting the number of MAC addresses that may be learned on the port (or pinning specific addresses to it) and restricting or shutting down the port when a violation occurs.
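The DHCP Snooping, Dynamic ARP Inspection, IP Source Guard, and Port Security rows above describe one dependency chain: DHCP snooping builds the binding table, and DAI and IP Source Guard enforce it. The following Cisco IOS configuration, added here as an example and not taken from the data sheet, shows that chain on an Enhanced EtherSwitch module. Interface names (GigabitEthernet1/0/x), VLAN numbers, the static binding, and the rate limits are assumptions for illustration.

```cisco
! Added example (not from the data sheet): DHCP snooping builds the
! IP/MAC/port/VLAN binding table; DAI and IP Source Guard then enforce it.
! Interface names, VLANs, addresses and rate limits are assumptions.
!
! 1. DHCP snooping on the user VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Persist the bindings so a reload does not leave DAI/IPSG blocking every host
! until it renews its lease.
ip dhcp snooping database flash:dhcp-snoop.db
!
! Only the uplink toward the real DHCP server may carry server replies
! (DHCPOFFER/DHCPACK); all other ports stay untrusted, so a rogue DHCP server
! on an access port is silently dropped. ARP from the uplink is trusted too.
interface GigabitEthernet1/0/1
 description uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 2. Dynamic ARP Inspection: check the ARP sender IP/MAC pair against the
! bindings and add header sanity checks (source MAC, destination MAC, IP).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! 3. Per access port: port security, DAI rate limiting, IP Source Guard.
interface GigabitEthernet1/0/2
 description user access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Untrusted ports are rate-limited; a flood of ARP err-disables the port.
 ip arp inspection limit rate 15
 ! Filter both source IP and source MAC of every frame against the bindings.
 ! The MAC variant requires port security on the port and a DHCP server that
 ! accepts option 82 (inserted by DHCP snooping by default).
 ip verify source port-security
!
! Let a port that DAI err-disabled recover on its own instead of needing a
! manual shut / no shut.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! A host with a static address has no lease; give it a static binding so
! DAI and IP Source Guard do not drop its traffic (values are assumptions).
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/3
!
! Verification (exec mode):
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

The order matters in practice: enabling DAI or IP Source Guard on a VLAN before DHCP snooping has populated bindings (or with an uplink left untrusted) blocks legitimate hosts, so build the binding table first and check `show ip dhcp snooping binding` before turning on enforcement.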
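The IEEE 802.1x, Multidomain Authentication, and MAC Authentication Bypass rows above combine on a single access port carrying an IP phone and a PC. The configuration below, added here as an example and not taken from the data sheet, shows that combination: 802.1x first, MAB as a fallback for phones without a supplicant, a guest VLAN for hosts that never respond, and VLAN/ACL assignment driven by RADIUS. The RADIUS server address and key, VLAN numbers, and interface name are assumptions. Command forms are those of Cisco IOS 12.2(50)SE and later; older images use the equivalent dot1x port-control, dot1x host-mode, dot1x guest-vlan, and dot1x mac-auth-bypass forms.

```cisco
! Added example (not from the data sheet): 802.1x + MAB + guest VLAN on a
! multidomain (phone + PC) access port. RADIUS address/key, VLANs and the
! interface name are assumptions.
aaa new-model
aaa authentication dot1x default group radius
! Required for RADIUS-assigned VLANs and ACLs to be applied to the session.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key ExampleSharedSecret
! Global 802.1x switch; without it no port authenticates.
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description IP phone with PC behind it
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 100
 ! One device in the data domain and one in the voice domain may authenticate.
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1x first; fall back to MAB when no supplicant answers.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! No supplicant and MAC unknown to RADIUS: limited access in guest VLAN 30.
 authentication event no-response action authorize vlan 30
 ! Supplicant present but credentials rejected: restricted VLAN 31.
 authentication event fail action authorize vlan 31
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Dynamic VLAN assignment: the RADIUS Access-Accept carries
!   Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
!   Tunnel-Private-Group-ID = <VLAN id or name>
! Identity-based ACL: Filter-Id = "<acl-name>.in" names a port ACL that
! exists on the switch, for example:
ip access-list extended GUEST-ONLY
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
!
! Verification (exec mode):
! show authentication sessions interface GigabitEthernet1/0/5
! show dot1x interface GigabitEthernet1/0/5 details
```

Keep the phone in the voice VLAN via MAB (or its own supplicant) rather than relying on the guest VLAN: the guest VLAN is for the data domain, and a phone that lands there loses its voice VLAN tagging. The tx-period shortens how long a supplicant-less host waits before MAB and the guest VLAN take over.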