Chapter 1      Product Overview
Security Features

Local Authentication, RADIUS, and TACACS+ Authentication
Local Authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+) authentication methods control access to the switch.
For additional information, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authentifcn_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Network Admission Control
Network Admission Control consists of two features:
• NAC Layer 2 IP validation
  NAC Layer 2 IP is an integral part of Cisco Network Admission Control. It offers the first line of defense for infected hosts (PCs and other devices attached to a LAN port) attempting to connect to the corporate network. NAC Layer 2 IP on the Cisco Catalyst 4500 series switch performs posture validation at the Layer 2 edge of the network for non-802.1X-enabled host devices. Host device posture validation includes antivirus state and OS patch levels. Depending on the corporate access policy and host device posture, a host may be unconditionally admitted, admitted with restricted access, or quarantined to prevent the spread of viruses across the network.
  For more information on Layer 2 IP validation, see the URL:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/nac_conf.html
• NAC Layer 2 802.1X authentication
  The Cisco Catalyst 4500 series switch extends NAC support to 802.1X-enabled devices. Like NAC Layer 2 IP, the NAC Layer 2 802.1X feature determines the level of network access based on endpoint information.
  For more information on 802.1X identity-based network security, see Chapter 44, "Configuring 802.1X Port-Based Authentication."

Network Security with ACLs
An access control list (ACL) filters network traffic by controlling whether routed packets are forwarded or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine whether to forward or drop the packet based on the criteria you specified within the access lists. MAC access control lists (MACLs) and VLAN access control lists (VACLs) are supported. VACLs are also known as VLAN maps in Cisco IOS.
The Catalyst 4500 series switch supports three types of ACLs:
• IP ACLs, which filter IP traffic, including TCP, the User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
• IPv6 ACLs
• MAC ACLs, which match based on Ethernet addresses and EtherType

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01    1-35
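The following is an added configuration example, not text from this guide, showing the three ACL types described above on an IOS switch: an IP ACL and an IPv6 ACL applied inbound on a routed interface, and a MAC ACL applied through a VLAN map (VACL). The ACL and map names, VLAN 10, and the 10.1.10.0/24, 10.1.1.53, 2001:db8:10::/64 and 0000.5e00.5301 addresses are constructed for illustration; the comments call out the first-match and implicit-deny behaviour that decides whether a packet is forwarded or dropped.

```text
! Added example, not from the guide. Names, VLAN number, interface and the
! 10.1.10.0/24 and 2001:db8:10::/64 addresses are constructed for illustration.
!
! IP ACL: entries are tested top down, the first match wins, and an implicit
! "deny ip any any" ends the list, so anything not permitted below is dropped.
ip access-list extended USER-EDGE-IN
 remark DNS and web out, ICMP echo, IGMP joins; log whatever else arrives
 permit udp 10.1.10.0 0.0.0.255 host 10.1.1.53 eq domain
 permit tcp 10.1.10.0 0.0.0.255 any eq www
 permit tcp 10.1.10.0 0.0.0.255 any eq 443
 permit icmp 10.1.10.0 0.0.0.255 any echo
 permit igmp 10.1.10.0 0.0.0.255 any
 deny   ip any any log
!
! IPv6 ACL: IOS adds implicit permits for ICMPv6 neighbor discovery ahead of
! the implicit deny, but an explicit "deny ipv6 any any" overrides them, so
! neighbor solicitation/advertisement must be permitted explicitly here.
ipv6 access-list USER-EDGE-IN-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp 2001:db8:10::/64 any eq 443
 deny ipv6 any any log
!
! Apply both inbound on the routed interface for the user VLAN.
interface Vlan10
 ip access-group USER-EDGE-IN in
 ipv6 traffic-filter USER-EDGE-IN-V6 in
!
! MAC ACL used through a VLAN map (VACL). In a VLAN map a "permit" entry in
! the referenced ACL means "match", so the frames this MAC ACL permits are the
! ones the map drops. The map entry without a match clause forwards the rest;
! without it, unmatched frames would be dropped by the map's implicit deny.
mac access-list extended ROGUE-STATION
 permit host 0000.5e00.5301 any
!
vlan access-map VLAN10-MAP 10
 match mac address ROGUE-STATION
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
```

Verify the result with show access-lists USER-EDGE-IN, show ipv6 access-list USER-EDGE-IN-V6, show vlan access-map and show vlan filter. Use the log keyword sparingly, since logged packets are handled in software rather than in hardware, and check the ACL chapter for which frame types a MAC ACL matches on this platform before relying on the VLAN map to filter IP hosts.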