General security measures – LevelOne FGL-2870 User Manual

General Security Measures

3-109

3

General Security Measures

This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are supported by this switch. These include
port-based authentication, which can be configured for network client access
by specifying a fixed set of MAC addresses. The addresses assigned to DHCP
clients can also be carefully controlled using static or dynamic bindings with the IP
Source Guard and DHCP Snooping commands.

This switch provides client security using the following options:

• Private VLANs – Provide port-based security and isolation between ports within the

assigned VLAN. (See "Private VLANs" on page 3-228.)

• Port Security – Configure secure addresses for individual ports.
• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.

(See "Configuring 802.1X Port Authentication" on page 3-99.)

• Web Authentication - Allows stations to authenticate and access the network in

situations where 802.1X or Network Access authentication methods are infeasible
or impractical.

• Network Access - Configures MAC authentication and dynamic VLAN assignment.
• ACL - Access Control Lists provide packet filtering for IPv4 frames (based on

address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address, next header type, or flow label), or any frames (based on MAC
address or Ethernet type).

• ARP Inspection – Security feature that validates the MAC Address bindings for

Address Resolution Protocol packets. Provides protection against ARP traffic with
invalid MAC to IP Address bindings, which forms the basis for certain
“man-in-the-middle” attacks.

• DHCP Snooping – Filters IP traffic on insecure ports for which the source address

cannot be identified via DHCP snooping. (See "DHCP Snooping" on page 3-143.)

• IP Source Guard – Filters untrusted DHCP messages on insecure ports by building

and maintaining a DHCP snooping binding table. (See "IP Source Guard" on page
3-150.)

Note:

The priority of execution for the filtering commands is Port Security, Port
Authentication, Network Access, Web Authentication, Access Control Lists, IP
Source Guard, and then DHCP Snooping.