1-6
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 1 Overview
Features
• Configuration file security so that only authenticated and authorized users have access to the
configuration file, preventing users from accessing the configuration file by using the password
recovery process
• Multilevel security for a choice of security level, notification, and resulting actions
• Port security option for limiting and identifying MAC addresses of the stations allowed to access
the port
• Port security aging to set the aging time for secure addresses on a port
• UNI default port state is disabled
• Automatic control-plane protection to protect the CPU from accidental or malicious overload due to
Layer 2 control traffic on UNIs
• TACACS+, a proprietary feature for managing network security through a TACACS server
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users
through authentication, authorization, and accounting (AAA) services
• Kerberos security system to authenticate requests for network resources by using a trusted third
party (requires the cryptographic versions of the switch software)
Network Security
• Static MAC addressing for ensuring security
• Standard and extended IP access control lists (ACLs) for defining security policies in both directions
on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces
• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on
information in the MAC, IP, and TCP/UDP headers
• Source and destination MAC-based ACLs for filtering non-IP traffic
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining
access to the network. These features are supported:
– VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN
– Port security for controlling access to IEEE 802.1x ports
– IEEE 802.1x accounting to track network usage
Quality of Service and Class of Service Features
• Cisco modular quality of service (QoS) command-line (MQC) implementation
• Classification based on IP precedence, Differentiated Services Code Point (DSCP), and IEEE
802.1p class of service (CoS) packet fields, ACL lookup, or assigning a QoS label for output
classification
• Policing
– One-rate policing based on average rate and burst rate for a policer
– Two-color policing that allows different actions for packets that conform to or exceed the rate
– Aggregate policing for policers shared by multiple traffic classes
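The three policing bullets describe one mechanism: a token bucket filled at the average rate (CIR) up to a burst depth (Bc), with a conform action for packets that fit in the bucket and an exceed action for those that do not, and a single bucket optionally shared by several classes. The following is an added illustration, not code from the Cisco guide or the switch software; the class names, rates, packet sizes and action labels are constructed sample values.

```python
from dataclasses import dataclass

# Added example: a single-rate, two-color token-bucket policer (CIR + Bc) with
# separate conform/exceed actions, plus an "aggregate" policer shared by several
# traffic classes. This models the behaviour named in the feature list; it is not
# Cisco code, and every rate, size and label below is a constructed sample value.


@dataclass
class TwoColorPolicer:
    cir_bps: float                  # committed information rate (average rate), bits/s
    bc_bytes: int                   # committed burst (bucket depth), bytes
    conform_action: str = "transmit"
    exceed_action: str = "drop"     # could also be a mark-down such as "set-dscp-0"

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)      # the bucket starts full
        self.last_t = 0.0
        self.counts = {"conform": 0, "exceed": 0}

    def _refill(self, now: float) -> None:
        # Tokens accrue at CIR (converted to bytes/s) and are capped at Bc.
        elapsed = max(0.0, now - self.last_t)
        self.tokens = min(float(self.bc_bytes),
                          self.tokens + elapsed * self.cir_bps / 8)
        self.last_t = now

    def police(self, now: float, size_bytes: int) -> str:
        """Return the action for one packet; timestamps must be non-decreasing."""
        self._refill(now)
        if size_bytes <= self.tokens:           # fits in the bucket: conform
            self.tokens -= size_bytes
            self.counts["conform"] += 1
            return self.conform_action
        self.counts["exceed"] += 1              # bucket short: exceed
        return self.exceed_action


def police_trace(policers: dict, trace: list) -> list:
    """policers maps traffic class -> policer instance. Mapping several classes
    to the same instance gives an aggregate policer; distinct instances police
    each class on its own. Returns (time, class, size, action) per packet."""
    return [(t, cls, size, policers[cls].police(t, size)) for t, cls, size in trace]


# Constructed sample trace: (timestamp in seconds, traffic class, packet size in bytes)
SAMPLE_TRACE = [
    (0.0, "voice", 1000),
    (0.0, "data", 600),
    (1.0, "data", 600),
    (1.0, "voice", 900),
    (1.0, "data", 1),
    (2.0, "voice", 1000),
]


def demo_aggregate() -> list:
    # One bucket (1000 B/s, 1500 B burst) shared by both classes.
    shared = TwoColorPolicer(cir_bps=8000, bc_bytes=1500)
    return police_trace({"voice": shared, "data": shared}, SAMPLE_TRACE)


def demo_per_class() -> list:
    # Same parameters, but each class gets its own bucket.
    per_class = {
        "voice": TwoColorPolicer(cir_bps=8000, bc_bytes=1500),
        "data": TwoColorPolicer(cir_bps=8000, bc_bytes=1500,
                                exceed_action="set-dscp-0"),
    }
    return police_trace(per_class, SAMPLE_TRACE)


if __name__ == "__main__":
    for row in demo_aggregate():
        print("aggregate", row)
    for row in demo_per_class():
        print("per-class", row)
```

Run against the same trace, the shared bucket drops the second packet at t=0 and the third at t=1 (the bucket is already empty), whereas the per-class buckets admit every packet; that difference is exactly what choosing an aggregate policer over per-class policers means for a set of classes.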