The VBS supports a comprehensive set of security features for connectivity and access control, including ACLs, authentication, port-level security, and identity-based network services with IEEE 802.1x and extensions. This set of comprehensive features not only helps prevent external attacks, but defends the network against "man-in-the-middle" attacks, a primary concern in today's business environment. The switch also supports the Network Admission Control (NAC) security framework.
Security features include the following:
• Dynamic Address Resolution Protocol (ARP) Inspection (DAI) helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol.
• DHCP snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature is used by other primary security features to prevent a number of other attacks such as ARP poisoning.
• IP source guard prevents a malicious user from spoofing or taking over another user's
IP address by creating a binding table between the client's IP and MAC address, port,
• Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multi-access-like segment.
• Private VLAN Edge provides security and isolation between switch ports, which helps ensure that users cannot snoop on other users' traffic.
• The nicast Reverse Path Forwarding (RPF) feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
• IEEE 802.1x enables dynamic, port-based security, providing user authentication.
• IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client.
• IEEE 802.1x with an ACL assignment enables the user of specific identity-based security policies regardless of where the user is connected.
• IEEE 802.1x with guest VLAN allows guests without IEEE 802.1x clients to have limited network access on the guest VLAN.
• Web authentication for non-IEEE 802.1x clients allows non-IEEE 802.1x clients to use a Secure Sockets Layer (SSL) based browser for authentication.
• Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
• Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control plane and data plane traffic. IPv6 ACLs can be applied to filter
• Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
• Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
• Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Intrusion Detection System (IDS) to take action when an intruder is detected.
• TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
• MAC address notification allows administrators to be notified of users added to or removed from the network.
• Port security secures the access to an access or trunk port based on the MAC address.
• Multilevel security on console access prevents unauthorized users from altering the switch configuration.
• Bridge protocol data unit (BPDU) guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
• Spanning Tree Root Guard (STRG) prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes.
• IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port.
• Dynamic VLAN assignment is supported through implementation of VLAN membership policy server client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment of IP addresses.