Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesCisco BLp-Class Ethernet Switch

1-7

380261-003

Chapter 1 Overview

Features

Security Features

The switch ships with these security features:

• Password-protected access (read-only and read-write access) to management interfaces (device

manager, Network Assistant, and the CLI for protection against unauthorized configuration changes

• Multilevel security for a choice of security level, notification, and resulting actions

• Static MAC addressing for ensuring security

• Protected port option for restricting the forwarding of traffic to designated ports on the same switch

• Port security option for limiting and identifying MAC addresses of the stations allowed to access

the port

• VLAN aware port security option shut down the VLAN on the port when a violation occurs, instead

of shutting down the entire port.

• Port security aging to set the aging time for secure addresses on a port

• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs

• Standard and extended IP access control lists (ACLs) for defining security policies in both

directions on VLANs and inbound on Layer 2 interfaces (port ACLs)

• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2

interfaces

• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on

information in the MAC, IP, and TCP/UDP headers

• Source and destination MAC-based ACLs for filtering non-IP traffic

• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers

• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining

access to the network. These features are supported:

–

VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN

–

Port security for controlling access to IEEE 802.1x ports

–

Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized

or unauthorized state of the port

–

Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users

–

Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do

not have the credentials to authenticate via the standard IEEE 802.1x processes

–

IEEE 802.1x accounting to track network usage

–

IEEE 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt

of a specific Ethernet frame

• MAC authentication bypass to authorize clients based on the client MAC address

• Nework Admission Control (NAC) Layer 2 IEEE 802.1x validation of the antivirus condition or

posture of endpoint systems or clients before granting the devices network access.

• TACACS+, a proprietary feature for managing network security through a TACACS server

• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users

through authentication, authorization, and accounting (AAA) services