Security Features Overview
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.
• Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2
interfaces (port ACLs).
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces.
• Source and destination MAC-based ACLs for filtering non-IP traffic.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping
database and IP source bindings.
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests
and responses to other ports in the same VLAN.
This feature is not supported on LanLite images on Catalyst 2960-X Series Switches.
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to
the network. These 802.1x features are supported:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
750
◦ Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP
phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch
port.
◦ Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an
MDA-enabled port.
◦ VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.
◦ Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server
assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same
VLAN. Voice VLAN assignment is supported for one IP phone.
◦ Port security for controlling access to 802.1x ports.
◦ Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port.
◦ IP phone detection enhancement to detect and recognize a Cisco IP phone.
◦ Guest VLAN to provide limited services to non-802.1x-compliant users.
◦ Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have
the credentials to authenticate via the standard 802.1x processes.
◦ 802.1x accounting to track network usage.
◦ 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific
Ethernet frame.
◦ 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE
802.1x on the switch.
◦ Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a security
violation occurs.
◦ MAC authentication bypass (MAB) to authorize clients based on the client MAC address.