1-7
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 1 Overview
Features
Switch Security
Note The Kerberos feature listed in this section is only available on the cryptographic versions of the switch
software.
• Password-protected access (read-only and read-write access) to management interfaces for
protection against unauthorized configuration changes
• Configuration file security so that only authenticated and authorized users have access to the
configuration file, preventing users from accessing the configuration file by using the password
recovery process
• Multilevel security for a choice of security level, notification, and resulting actions
• Port security option for limiting and identifying MAC addresses of the stations allowed to access
the port
• Port security aging to set the aging time for secure addresses on a port
• LLDP (Link Layer Discovery Protocol) and LLLDP-MED (Media Extensions)—Adds support for
IEEE 802.1AB link layer discovery protocol for interoperability in multi-vendor networks. Switches
exchange speed, duplex, and power settings with end devices such as IP Phones.
• UNI and ENI default port state is disabled
• Automatic control-plane protection to protect the CPU from accidental or malicious overload due to
Layer 2 control traffic on UNIs or ENIs
• Configurable control plane security that provides service providers with the flexibility to drop
customers control-plane traffic on a per-port, per-protocol basis. Allows configuring of ENI protocol
control packets for CDP, STP, LLDP, (LACP, or PAgP.
• TACACS+, a proprietary feature for managing network security through a TACACS server
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users
through authentication, authorization, and accounting (AAA) services
• Kerberos security system to authenticate requests for network resources by using a trusted third
party (requires the cryptographic versions of the switch software)
Network Security
• Static MAC addressing for ensuring security
• Standard and extended IP access control lists (ACLs) for defining security policies in both directions
on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces
• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on
information in the MAC, IP, and TCP/UDP headers
• Source and destination MAC-based ACLs for filtering non-IP traffic
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining
access to the network. These features are supported:
–
VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN
–
Port security for controlling access to IEEE 802.1x ports
