1-37
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 1 Product Overview
Security Features
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) intercepts all ARP requests, replies on untrusted ports, and verifies each
intercepted packet for valid IP to MAC bindings. Dynamic ARP Inspection helps to prevent attacks on
a network by not relaying invalid ARP replies out to other ports in the same VLAN. Denied ARP packets
are logged by the switch for auditing.
For more information on dynamic ARP inspection, see
Chapter 58, “Configuring Dynamic ARP
Dynamic Host Configuration Protocol Snooping
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that is a component of a
DHCP server. DHCP snooping provides security by intercepting untrusted DHCP messages and by
building and maintaining a DHCP snooping binding table. An untrusted message is a message that is
received from outside the network or firewall that can cause traffic attacks within your network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also provides a way
to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected
to the DHCP server or another switch.
With SSO support, DHCP Snooping propagates the DHCP-snooped data from the active supervisor
engine to the redundant supervisor engine so that when a switchover occurs, the newly active supervisor
engine is aware of the DHCP data that was already snooped, and the security benefits continue
uninterrupted.
For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the
Cisco IOS
IP and IP Routing Configuration Guide
at the following URL:
For information on configuring DHCP snooping, see
Chapter 60, “Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts.”
Flood Blocking
Flood blocking enables users to disable the flooding of unicast and multicast packets on a per-port basis.
Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port
because a MAC address has timed out or has not been learned by the switch.
For information on flood blocking, see
Chapter 64, “Port Unicast and Multicast Flood Blocking.”
Hardware-Based Control Plane Policing
Control Plane Policing provides a unified solution to limit the rate of CPU bound control plane traffic in
hardware. It enables users to install system wide control plane ACLs to protect the CPU by limiting rates
or filtering out malicious DoS attacks. Control plane policing ensures the network stability, availability
and packet forwarding, and prevents network outages such as loss of protocol updates despite an attack
or heavy load on the switch. Hardware-based control plane policing is available for all
Catalyst 4500 supervisor engines. It supports various Layer 2 and Layer 3 control protocols, such as
Содержание Catalyst 4500 Series
Страница 2: ......
Страница 4: ......
Страница 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...