1-9
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter 1 Overview
Features
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting and identifying MAC addresses of the stations allowed to access
the port
• VLAN aware port security option to shut down the VLAN on the port when a violation occurs,
instead of shutting down the entire port
• Port security aging to set the aging time for secure addresses on a port
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
• Standard and extended IP access control lists (ACLs) for defining security policies in both
directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port
ACLs)
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces
• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on
information in the MAC, IP, and TCP/UDP headers
• Source and destination MAC-based ACLs for filtering non-IP traffic
• IPv6 ACLs to be applied to interfaces to filter IPv6 traffic
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP
snooping database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP
requests and responses to other ports in the same VLAN
• IEEE 802.1Q tunneling so that customers with users at remote sites across a service-provider
network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure
that the customer’s network has complete STP, CDP, and VTP information about all users
• Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels
• Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining
access to the network. These features are supported:
–
Multidomain authentication (MDA) to allow both a data device and a voice device, such as an
IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled
switch port
–
VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN
–
Port security for controlling access to IEEE 802.1x ports
–
Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port
–
IP phone detection enhancement to detect and recognize a Cisco IP phone
–
Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users
–
Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do
not have the credentials to authenticate via the standard IEEE 802.1x processes
–
IEEE 802.1x accounting to track network usage
–
IEEE 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt
of a specific Ethernet frame
