Network security features
This section outlines features and defense mechanisms for protecting access through the switch to the network.
Feature |
Default setting |
Security guidelines |
More information and configuration details |
---|---|---|---|
Secure File Transfers | not applicable |
Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices. |
management and configuration guide, see "File Transfers" and "Using Secure Copy and SFTP". |
Traffic/Security Filters | none |
These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:
|
|
Access Control Lists (ACLs) | none |
ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:
NOTE:
On ACL Security Use: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution. |
|
Port Security, MAC Lockdown, and MAC Lockout | none |
The features listed below provide device-based access security in the following ways:
|
Configuring and Monitoring Port SecuritySee also Precedence of port-based security options. |
Key Management System (KMS ) |
none |
KMS is available in several switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request. |
|
ICMP Rate-Limiting IMPORTANT:
This feature is only available for the 2620 switch series. |
none |
This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect). |
management and configuration guide see “Port Traffic Controls" and "ICMP Rate-Limiting". |
Spanning Tree Protection | none |
These features prevent your switch from malicious attacks or configuration errors:
|
advanced traffic management guide see "Multiple Instance Spanning-Tree Operation". |
DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown | none |
These features provide the following additional protections for your network:
|