Filter
Top Products
1-28
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 1 Product Overview
Security Features
NAC Layer 2 IP is an integral part of Cisco Network Admission Control. It offers the first line of
defense for infected hosts (PCs and other devices attached to a LAN port) attempting to connect to
the corporate network. NAC Layer 2 IP on the Cisco Catalyst 4500 series switch performs posture
validation at the Layer 2 edge of the network for non-802.1x-enabled host devices. Host device
posture validation includes antivirus state and OS patch levels. Depending on the corporate access
policy and host device posture, a host may be unconditionally admitted, admitted with restricted
access, or quarantined to prevent the spread of viruses across the network.
For more information on Layer 2 IP validation, see the URL:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.
1/configuration/guide/nac_conf.html
• NAC Layer 2 802.1X authentication
The Cisco Catalyst 4500 series switch extends NAC support to 802.1x-enabled devices. Like NAC
Layer 2 IP, the NAC Layer 2 802.1x feature determines the level of network access based on
endpoint information.
For more information on 802.1X identity-based network security, see Chapter 40, “Configuring
802.1X Port-Based Authentication.”
Network Security with ACLs
An access control list (ACL) filters network traffic by controlling whether routed packets are forwarded
or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine
whether to forward or drop the packet based on the criteria you specified within the access lists.
MAC access control lists (MACLs) and VLAN access control lists (VACLs) are supported. VACLs are
also known as VLAN maps in Cisco IOS.
The following security features are supported:
• MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN
interface.
• Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
For information on ACLs, MACLs, VLAN maps, MAC address filtering, and Port ACLs, see
Chapter 47, “Configuring Network Security with ACLs.”
Port Security
Port security restricts traffic on a port based upon the MAC address of the workstation that accesses the
port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a
per-VLAN basis.
Sticky port security extends port security by saving the dynamically learned MAC addresses in the
running configuration to survive port link down and switch reset. It enables a network administrator to
restrict the MAC addresses allowed or the maximum number of MAC addresses on each port.
Voice VLAN sticky port security further extends the sticky port security to the voice-over-IP
deployment. Voice VLAN sticky port security locks a port and blocks access from a station with a MAC
address different from the IP phone and the workstation behind the IP phone.
For information on port security, see Chapter 43, “Configuring Port Security.”