To help you get the most functionality, value and ROI from your Cisco routers and switches, we want to ensure you’re aware of the many powerful features residing within. Our Turn it On program is designed to empower Federal agencies like yours to take full advantage of Cisco’s powerful core networking solutions to maximize your productivity, efficiency and technology investment.

Power Up
Turn on all these features to leverage the full value of Cisco routers and switches.
• Protective QoS Features
  - Control Plane Policing (CoPP)
  - Network-Based Application Recognition (NBAR)
• VRF-Lite/Multi-VRF CE
• Advanced VPN Services:
  - Dynamic Multipoint VPN (DMVPN)
  - Group Encrypted Transport (GET VPN)
• Catalyst Integrated Security Features (CISF)
• Spanning-Tree Protocol (STP) Toolkit
• Encapsulated Remote Switched Port Analyzer (ERSPAN)

Catalyst Integrated Security Features (CISF)

Layer 2 switched environments can prove easy targets for security attacks. These attacks exploit normal protocol processing such as a switch’s ability to learn MAC addresses, end-station Media Access Control (MAC) address resolution through Address Resolution Protocol (ARP), or Dynamic Host Configuration Protocol (DHCP) IP address assignments. And because any user can gain access to any Ethernet port and potentially hack into the network using readily available, menu-driven hacker tools available on the Internet, open campus networks cannot guarantee network security.

The rich set of industry-leading integrated security features on Cisco Catalyst Switches (CISF) proactively protects your critical network infrastructure. Delivering powerful, easy-to-use tools to effectively prevent the most common—and potentially damaging—Layer 2 security threats, CISF provides robust security throughout the network. And these powerful features already reside on your Cisco Catalyst switches. All you have to do is turn them on.
DHCP Snooping
Function: Protection against Rogue/Malicious DHCP Server
1. Track the Request (Discover)
2. Track the Response (Offer)
3. Rate limit Requests on Trusted Interfaces. Limit DoS attacks on DHCP Server
4. Deny Responses (Offers) on non-trusted interfaces. Stop Malicious or errant DHCP Server

IP Source Guard
Function: Protection against incorrect/malicious hard-coded IP Address
How it works: Prevents attackers and Internet worms from launching attacks by assuming a valid user’s IP address. IP Source Guard only permits forwarding of packets with valid source addresses.
1. Use DHCP Snooping Binding Table
2. Track IP Address to Port associations
3. Dynamically Program Port ACL to drop traffic not originating from IP Address assigned via DHCP

CISF 3: Dynamic ARP Inspection
Function: Adds security to ARP using DHCP snooping table
How it Works: Cisco’s patented Dynamic ARP Inspection (DAI) feature helps ensure that the access switch relays only “valid” ARP requests and responses. DAI intercepts every ARP packet on the switch, and verifies the ARP information before updating the switch ARP cache or forwarding packets to the appropriate destination. This prevents malicious hosts from invisibly eavesdropping on the conversation between the two endpoints to glean passwords, data or listen to IP phone conversations.
3. Rate limit ARP Requests from client ports. Stop port scanning
4. Drop bogus gratuitous ARPs. Stop ARP Poisoning / man-in-the-middle attacks

[Figure: DHCP Snooping / Dynamic ARP Inspection / IP Source Guard. Labels: “My GW is 10.1.1.1”; DHCP Requests (Untrusted); DHCP Responses (Trusted); “Not by my DHCP Server”; “Manually change IP Address to gateway’s address”; “I’m your GW: 10.1.1.1”; binding table; Port ACL.]
Make the switch to security

Cisco’s Integrated Security Features are available in varying capacities on these Catalyst switches, as well as on some End-of-Sale (EoS) switches.
• 3560/3560-E
• 3750/3750-E
• 4500
• 6500

Notes
• The 4 items that make up CISF are available in different fashions on different switches. In fact some of the features are available on EoS switches as well.
• Everything here is inline with a secure port. With a dynamically learned MAC address we can limit the number of learned MAC addresses in order to deny MAC address-flooding.
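As an added example (not part of the Cisco brochure), the following Cisco IOS configuration turns on all four CISF features described above on an access switch: DHCP snooping, Dynamic ARP Inspection, IP Source Guard and port security. The VLAN number, interface names and the static-binding MAC/IP values are assumed.

```ios
! Constructed example: access switch serving clients on VLAN 10.
! Snooping builds the binding table that DAI and IP Source Guard use.
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the DHCP server expects it
no ip dhcp snooping information option
!
! DAI checks every ARP packet on VLAN 10 against the binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Let ports recover automatically after a rate-limit shutdown
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink toward the distribution layer and the real DHCP server:
! the only port where DHCP Offers and unchecked ARP are accepted
interface GigabitEthernet1/0/48
 description Uplink (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client ports stay untrusted: Offers are dropped here, DHCP and ARP
! are rate limited, only DHCP-assigned source IPs are forwarded, and
! the number of learned MAC addresses is capped against flooding
interface range GigabitEthernet1/0/1 - 47
 description Client port (untrusted)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
!
! A host with a hard-coded IP address has no DHCP binding; add a
! static binding so IP Source Guard and DAI admit it (constructed values)
ip source binding 0011.2233.4455 vlan 10 10.1.1.50 interface GigabitEthernet1/0/2
!
! Verify after turning the features on
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection vlan 10
! show port-security interface GigabitEthernet1/0/1
```

Trust only the uplink: a client port marked trusted would let a rogue DHCP server’s Offers through and exempt its ARP from inspection, which is exactly what these features exist to stop.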
Contact your Cisco Systems Engineer for more information and assistance in turning on the full functionality of your Cisco
routers and switches. To learn about enabling additional Cisco features, visit www.cisco.com/go/turniton.
Copyright © 2007 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, and the Cisco Systems logo are registered
trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.