Network security features

This section outlines features and defense mechanisms for protecting access through the switch to the network.

Network Security—Default Settings and Security Guidelines


Default setting

Security guidelines

More information and configuration details

Secure File Transfers

not applicable

Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices.

Management and configuration guide, Appendix A "File Transfers", see "Using Secure Copy and SFTP."

Traffic/Security Filters


These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:
  • source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.

  • multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.

  • protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.

Access Control Lists (ACLs)


ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:
  • Switch Management Access: Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, WebAgent, and SNMP) for transactions between specific source and destination IP addresses.)

  • Application Access Security: Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.


On ACL Security Use:

ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.

IPv4 Access Control Lists (ACLs)

Port Security, MAC Lockdown, and MAC Lockout


The features listed below provide device-based access security in the following ways:
  • Port security:

    Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.

  • MAC lockdown:

    This static addressing feature is used as an alternative to port security to prevent station movement and MAC address hijacking by restricting a given MAC address to use only one assigned port on the switch, the client device to a specific VLAN.

  • MAC lockout:

    This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.

Port SecuritySee also Precedence of Port-based security options.

Key Management System (KMS



KMS is available in several switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.

Key Management System

Connection-Rate Filtering based on Virus-Throttling Technology


This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create many outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts.

Virus throttling (connection-rate filtering)

ICMP Rate-Limiting


This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).

Management and configuration guide, in the chapter on "Port Traffic Controls" see "ICMP Rate-Limiting."

Spanning Tree Protection


These features prevent your switch from malicious attacks or configuration errors:
  • BPDU Filtering and BPDU Protection:

    Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and blocking traffic through a port.

  • STP Root Guard:

    Protects the STP root bridge from malicious attacks or configuration mistakes.

Advanced traffic management guide, see "Multiple Instance Spanning-Tree Operation"

DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown


These features provide the following additional protections for your network:
  • DHCP Snooping:

    Protects your network from common DHCP attacks, such as address spoofing and repeated address requests.

  • Dynamic ARP Protection:

    Protects your network from ARP cache poisoning.

  • Dynamic IP Lockdown:

    Prevents IP source address spoofing on a per-port and per-VLAN basis.

  • Instrumentation Monitor:

    Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.