Security Overview
Network Security Features
Feature Default
Setting
Security Guidelines More Information and
Configuration Details
Access Control none ACLs can filter traffic to or from a host, a group of hosts,
Chapter 10, “IPv4 Access
Lists (ACLs) or entire subnets. Layer 3 IP filtering with Access Control
Control Lists (ACLs)”
Lists (ACLs) enables you to improve network
performance and restrict network use by creating
policies for:
• Switch Management Access: Permits or denies in-
band management access. This includes preventing
the use of certain TCP or UDP applications (such as
Telnet, SSH, Web browser, and SNMP) for
transactions between specific source and
destination IP addresses.)
• Application Access Security: Eliminating unwanted
IP, TCP, or UDP traffic by filtering packets where they
enter or leave the switch on specific interfaces.
Note on ACL Security Use:
ACLs can enhance network security by blocking
selected IP traffic, and can serve as one aspect of
maintaining network security. However, because ACLs
do not provide user or device authentication, or
protection from malicious manipulation of data carried
in IP packet transmissions, they should not be relied
upon for a complete security solution.
Port Security, none The features listed below provide device-based access
Chapter 13, “Configuring and
MAC Lockdown, security in the following ways:
Monitoring Port Security”
and MAC
• Port security: Enables configuration of each switch
Lockout
port with a unique list of the MAC addresses of
See also “Precedence of
devices that are authorized to access the network
Port-Based Security
through that port. This enables individual ports to
Options” on page 1-18
detect, prevent, and log attempts by unauthorized
devices to communicate through the switch. Some
switch models also include eavesdrop prevention in
the port security feature.
• MAC lockdown: This “static addressing” feature is
used as an alternative to port security to prevent
station movement and MAC address “hijacking” by
allowing a given MAC address to use only one
assigned port on the switch. MAC lockdown also
restricts the client device to a specific VLAN.
• MAC lockout: This feature enables blocking of a
specific MAC address so that the switch drops all
traffic to or from the specified address.
1-8
