27
OL-11615-01
Catalyst Integrated Security
The first sections of this document presented a collection of basic tools and techniques for infrastructure
protection. This section introduces a set of advanced security features that are designed to take advantage
of the unique Catalyst 6500 and 4500 hardware architectures, making these switching platforms more
resilient to attacks, and thereby providing enhanced protection for the infrastructure.
The following advanced security features are covered in this section:
Port Security, page 27
MAC Address Monitoring, page 30
Traffic Storm Control, page 32
Unicast and Multicast Flood Blocking, page 37
DHCP Snooping, page 39
IP Source Guard, page 43
Dynamic ARP Inspection (DAI), page 46
Note: Catalyst 6500 and 4500 Series switches provide other security services that are not directly related to infrastructure protection, but that help secure the network. Refer to Other Security Services, page 109, to learn more about these other security services.
Port Security
Port security is a feature available on Catalyst 6500 and 4500 Series switches running Catalyst OS and Cisco IOS software that can be configured on a port to restrict the MAC addresses that are allowed to send traffic into that port. Port security helps mitigate MAC flooding and other Layer 2 Content Addressable Memory (CAM) overflow attacks. With port security, a list of allowed MAC addresses can be dynamically learned or statically configured. After a list of secure (trusted) MAC addresses is defined for a port, only packets with source addresses in that list are forwarded through that port.
The list of secure MAC addresses can be statically configured by manually declaring each trusted MAC address, or it can be dynamically learned by defining a maximum number of MAC addresses to be learned as traffic is received on the port. If the maximum number of secure MAC addresses is set to one and only one secure MAC address is assigned, the workstation attached to that port has the full bandwidth of the port.
When a port configured with port security receives a packet with a source MAC address that is not found
in the trusted list, and if the maximum number of secure MAC addresses has been reached, a security
violation occurs.
In Catalyst OS, a port can be set to one of the following two modes to handle a security violation:
Shutdown—Shuts down the port permanently or for a specified time. Permanent shutdown is the default mode.
Restrict—Drops all packets from insecure hosts, but the port remains enabled.
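As an added configuration example (not taken from the Cisco document itself), the fragments below apply the settings described above to one access port on each operating system; the port numbers and the MAC address are placeholders. The Catalyst OS port is given a single statically declared secure address and restrict mode; the Cisco IOS port learns one address dynamically and uses the IOS default of shutting the port down on a violation.

```cisco
! --- Catalyst OS (Catalyst 6500 / 4500 running CatOS) ---
! Enable port security on port 3/1 with one statically declared secure MAC
! (placeholder address). Frames from any other source MAC are a violation.
set port security 3/1 enable 00-00-11-11-22-22
set port security 3/1 maximum 1
! Restrict mode: drop frames from insecure hosts but keep the port enabled
! (the default would be a permanent shutdown of the port).
set port security 3/1 violation restrict
! Verify the secure address list, the mode and the violation counters.
show port security 3/1

! --- Cisco IOS (Catalyst 6500 / 4500 running Cisco IOS) ---
! Port security is only accepted on Layer 2 access ports.
interface GigabitEthernet3/2
 switchport
 switchport mode access
 switchport port-security
 ! Learn at most one secure MAC address from received traffic; once it is
 ! learned, a frame with a different source MAC triggers a violation.
 switchport port-security maximum 1
 ! Keep the learned address in the running configuration (sticky learning)
 ! so it is not relearned from whatever host appears after a link flap.
 switchport port-security mac-address sticky
 ! Shutdown mode (the IOS default): err-disable the port on a violation.
 switchport port-security violation shutdown
! Verify the learned address, the configured maximum and the violation count.
show port-security interface GigabitEthernet3/2
show port-security address
```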
In Cisco IOS, there are three ways a port can react when a security violation takes place:
Protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.