Security features
Packet filter
Packet filter uses ACLs to filter incoming or outgoing packets on interfaces, VLANs, or globally. An
interface permits packets that match permit statements to pass through, and denies packets that
match deny statements. The default action applies to packets that do not match any ACL rules.
IP source guard
Overview
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match
legitimate packets. It drops all packets that do not match the table.
The IPSG binding table can include the following bindings:
• IP-interface.
• MAC-interface.
• IP-MAC-interface.
• IP-VLAN-interface.
• MAC-VLAN-interface.
• IP-MAC-VLAN-interface.
Interface-specific static IPv4SG bindings
Interface-specific static IPv4SG bindings are configured manually and take effect only on the
interface. They are suitable for scenarios where a few hosts exist on a LAN and their IP addresses
are manually configured. For example, you can configure a static IPv4SG binding on an interface
that connects to a server. This binding allows the interface to receive packets only from the server.
Static IPv4SG bindings on an interface implement the following functions:
• Filter incoming IPv4 packets on the interface.
• Cooperate with ARP detection for user validity checking.
You can configure the same static IPv4SG binding on different interfaces.
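The matching rule described above (forward only packets that match a binding, drop everything else) and the six binding types, as an added example that models the IPSG binding table in Python; this is illustration code, not the device's implementation, and the interface names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Binding:
    # One IPSG binding. The interface is always present; a None field is a
    # wildcard, so the six binding types listed above (IP-interface,
    # MAC-interface, IP-MAC-interface, IP-VLAN-interface, MAC-VLAN-interface,
    # IP-MAC-VLAN-interface) are all expressible.
    interface: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet arrived on
    src_ip: str
    src_mac: str
    vlan: int

def binding_matches(b: Binding, p: Packet) -> bool:
    """A binding matches when every field it specifies equals the packet's."""
    return (b.interface == p.interface
            and b.ip in (None, p.src_ip)
            and b.mac in (None, p.src_mac)
            and b.vlan in (None, p.vlan))

def ipsg_filter(table: List[Binding], packets: List[Packet]) -> List[str]:
    """IPSG semantics: forward a packet only if some binding matches it, drop all others."""
    return ["forward" if any(binding_matches(b, p) for b in table) else "drop"
            for p in packets]

def demo() -> List[str]:
    # Constructed interface names and addresses (not from the page).
    server = dict(ip="10.0.0.10", mac="00:11:22:33:44:55")
    table = [
        Binding("GE1/0/1", **server),                 # IP-MAC-interface: port to the server
        Binding("GE1/0/2", **server),                 # same static binding on a second interface
        Binding("GE1/0/5", ip="10.0.0.20", vlan=20),  # IP-VLAN-interface binding
    ]
    packets = [
        Packet("GE1/0/1", "10.0.0.10", "00:11:22:33:44:55", 10),  # genuine server traffic
        Packet("GE1/0/1", "10.0.0.10", "de:ad:be:ef:00:01", 10),  # server IP, foreign MAC
        Packet("GE1/0/1", "10.0.0.99", "00:11:22:33:44:55", 10),  # server MAC, wrong IP
        Packet("GE1/0/2", "10.0.0.10", "00:11:22:33:44:55", 10),  # genuine, second interface
        Packet("GE1/0/3", "10.0.0.10", "00:11:22:33:44:55", 10),  # no binding on this interface
        Packet("GE1/0/5", "10.0.0.20", "aa:bb:cc:dd:ee:ff", 20),  # IP-VLAN binding, any MAC
        Packet("GE1/0/5", "10.0.0.20", "aa:bb:cc:dd:ee:ff", 30),  # right IP, wrong VLAN
    ]
    return ipsg_filter(table, packets)
```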
802.1X
802.1X is a port-based network access control protocol that controls network access by
authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X includes the following entities:
• Client—A user terminal seeking access to the LAN. The terminal must have 802.1X software to authenticate to the access device.
• Access device—Authenticates the client to control access to the LAN. In a typical 802.1X environment, the access device uses an authentication server to perform authentication.