Users Guide

Usage information
Use the ocsp-check command to enable OCSP verification of certificates presented by external
devices for a PKI-enabled application on the switch.
The no version of the command disables OCSP revocation checking in a security profile.
Example
OS10(config)# crypto security-profile profile-1
OS10(config-sec-profile)# ocsp-check http://ocspresponder.example.net
Supported releases
10.5.2.0 or later
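
One way to audit a saved configuration for security profiles that leave OCSP revocation checking off, as an added example that is not part of the original guide or Dell's code. It assumes the configuration lists each profile as a top-level crypto security-profile line with indented sub-commands; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample. Assumed layout: one top-level line per stanza,
# indented sub-commands, "!" separator lines.
SAMPLE_CONFIG = """\
crypto security-profile profile-1
 ocsp-check http://ocspresponder.example.net
!
crypto security-profile profile-2
!
crypto security-profile profile-3
 ocsp-check http://ocspresponder.example.net
 no ocsp-check
!
interface ethernet1/1/1
 no shutdown
"""

PROFILE_RE = re.compile(r"^crypto security-profile (\S+)\s*$")
OCSP_RE = re.compile(r"^(no )?ocsp-check(?:\s+(\S+))?\s*$")

def audit_ocsp(config_text):
    """Map each profile name to its responder URL ("" if enabled without
    a URL argument), or None when OCSP checking is not enabled."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():            # a top-level line opens a new stanza
            m = PROFILE_RE.match(raw)
            current = m.group(1) if m else None
            if current is not None:
                profiles.setdefault(current, None)
            continue
        if current is None:                 # sub-command of some other stanza
            continue
        m = OCSP_RE.match(raw.strip())
        if m:                               # the last ocsp-check line in a profile wins
            negated, url = m.groups()
            profiles[current] = None if negated else (url or "")
    return profiles

def profiles_without_ocsp(config_text):
    """Names of security profiles that do not enable OCSP checking."""
    return sorted(n for n, u in audit_ocsp(config_text).items() if u is None)

if __name__ == "__main__":
    for name in profiles_without_ocsp(SAMPLE_CONFIG):
        print(f"{name}: OCSP revocation checking is not enabled")
```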
Network security
The OS10 switch has security features that restrict network traffic, protect the network from attacks, and prevent unauthorized
access to the network.
Access control lists
Access control lists (ACLs) restrict network traffic using policies and improve network performance. For more information about
ACLs, see Access control lists.
DHCP snooping
DHCP snooping protects your network from attacks by monitoring the DHCP messages and blocking untrusted or rogue DHCP
servers. For more information about DHCP snooping, see DHCP snooping.
802.1X port access control
802.1X defines access control that prevents unauthorized devices or users from connecting to a network. For more information
about 802.1X, see 802.1X.
Port security
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control
MAC address movement.
Port security is a package of the following subfeatures that provide added security to the system:
1. MAC address learning limit (MLL)
2. Sticky MAC
3. MAC address movement control
Use the port security feature to define the number of workstations that can send traffic through an interface. MAC addresses
that are learned or statically configured on an interface with port security enabled are called secure MAC addresses.
NOTE: Port security features are not supported in a VLT setup.
There are three types of secure MAC addresses:
1. Static secure MAC addresses are configured manually. These MAC addresses are stored both in the MAC address table
and in the running configuration of the switch. Similar to static MAC addresses, when the system reloads, the system
does not remove the static secure MAC addresses. When you enable port security on an interface, all existing static MAC
addresses become static secure MAC addresses. These static secure MAC addresses remain in the system until you remove
them.
2. Dynamic secure MAC addresses are learned dynamically by the switch and stored in the MAC address table. These MAC
addresses are removed from the MAC address table when the switch restarts. By default, dynamic secure MAC addresses
do not age out.