
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 1 Configuration Overview
Feature Software Licensing
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
• Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These features are supported:
  – Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port
  – Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an MDA-enabled port
  – VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN
  – Port security for controlling access to 802.1x ports
  – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
  – IP phone detection enhancement to detect and recognize a Cisco IP phone
  – Guest VLAN to provide limited services to non-802.1x-compliant users
  – Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have the credentials to authenticate via the standard 802.1x processes
  – 802.1x accounting to track network usage
  – 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame
  – 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE 802.1x on the switch
  – Voice-aware 802.1x security to apply traffic violation actions only on the VLAN on which a security violation occurs
  – MAC authentication bypass to authorize clients based on the client MAC address
  – Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another switch
  – IEEE 802.1x with open access to allow a host to access the network before being authenticated
  – IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch
  – Flexible-authentication sequencing to configure the order of the authentication methods that a port tries when authenticating a new host
  – Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled port
• Network Admission Control (NAC) features:
  – NAC Layer 2 802.1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devices network access
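The first three features in the list above (DHCP snooping, IP source guard and dynamic ARP inspection) depend on each other: the snooping binding table that DHCP snooping builds is what IP source guard and DAI check against. The following IOS configuration, an added example that is not from this guide, shows the three enabled together; VLAN 10, the uplink GigabitEthernet1/1 and the access port FastEthernet1/1 are assumed names.

```cisco
! Added example, not from the guide. VLAN 10 and interface names are assumed.
! 1. DHCP snooping builds the binding table for VLAN 10; only the uplink
!    toward the DHCP server is trusted to send server replies (OFFER/ACK).
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/1
 description Uplink toward distribution and DHCP server (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 2. Dynamic ARP inspection for VLAN 10: ARP on untrusted ports is dropped
!    unless the sender MAC/IP pair matches a snooping binding; the validate
!    keywords also reject ARP packets whose Ethernet and ARP headers disagree.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. IP source guard on the untrusted host port: only IP traffic whose source
!    address matches a binding is forwarded. Rate limits bound DHCP and ARP
!    floods from a misbehaving host.
interface FastEthernet1/1
 description Untrusted host port
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! Verification (privileged EXEC):
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

A host with a static address has no DHCP-learned binding and is dropped by IP source guard and DAI until a static entry is added with `ip source binding <mac> vlan 10 <ip> interface FastEthernet1/1`.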