Data Sheet
For in-band switch management, management ACLs on CPU interface (Control Plane ACLs) are used to dene the IP/MAC or protocol through which management
access is allowed for increased HTTP/HTTPS or Telnet/SSH management security
Out-of-band management is available via dedicated service port (1G RJ45 OOB) when in-band management can be prohibited via management ACLs
Bridge protocol data unit (BPDU) Guardallows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent
and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to inuence the overall STP by creating loops
Spanning Tree Root Guard (STRG)enforces the Layer 2 network topology by preventing rogue root bridges potential issues when for instance, unauthorized or
unexpected new equipment in the network may accidentally become a root bridge for a given VLAN
Dynamic 802.1x VLAN assignment mode, including
Dynamic VLAN creation mode and Guest VLAN / Un-
authenticated VLAN are supported for rigorous user
and equipment RADIUS policy server enforcement
• Up to 48 clients (802.1x) per port are supported, including the authentication of the users domain, in order
to facilitate convergent deployments. For instance when IP phones connect PCs on their bridge, IP phones
and PCs can authenticate on the same switch port but under different VLAN assignment policies (Voice
VLAN versus other Production VLANs)
802.1x MAC Address Authentication Bypass (MAB) is
a supplemental authentication mechanism that lets
non-802.1x devices bypass the traditional 802.1x
process altogether, letting them authenticate to
the network using their client MAC address as an
identier
• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose
• MAB can be congured on a per-port basis on the switch
• MAB initiates after unsuccessful dot1x authentication process (congurable time out), when clients don’t
respond to any of EAPOL packets
• When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the authen-
tication server
• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
With Successive Tiering, the Authentication Manager
allows for authentication methods per port for a
Tiered Authentication based on congured time-outs
• By default, conguration authentication methods are tried in this order: Dot1x, then MAB, then Captive Portal
(web authentication)
• With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies
– For instance, when a client is connecting, M4300 tries to authenticate the user/client using the three
methods above, the one after the other
• The admin can restrict the conguration such that no other method is allowed to follow the captive portal
method, for instance
Double VLANs (DVLAN) pass trafc from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are preserved
and a service provider VLAN ID is added to the trafc so the trafc can pass the metro core in a simple, secure manner
Private VLANs (with Primary VLAN, Isolated VLAN,
Community VLAN, Promiscuous port, Host port,
Trunks) provide Layer 2 isolation between ports that
share the same broadcast domain, allowing a VLAN
broadcast domain to be partitioned into smaller
point-to-multipoint subdomains accross switches in
the same Layer 2 network
• Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but need
to communicate with a router
• They remove the need for more complex port-based VLANs with respective IP interface/subnets and
associated L3 routing
• Another Private VLANs typical application are carrier-class deployments when users shouldn’t see, snoop or
attack other users’ trafc
SSL version 3 and TLS version 2 ensure Web GUI sessions are secured
Secure Shell (SSH version 2) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
2048-bit RSA key pairs, SHA2-256 and SHA2-512 cryptographic hash functions for SSLv3 and SSHv2 are supported on all M4300 models
TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch conguration, based on
latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP
and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
Superior quality of service
Advanced classier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
8 queues (7 in a stack) for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
Advanced rate limiting down to 1 Kbps granularity and mininum-guaranteed bandwidth can be associated with ACLs for best granularity
Single Rate Policing feature enables support for
Single Rate Policer as dened by RFC 2697
• Committed Information Rate (average allowable rate for the class)
• Committed Burst Size (maximum amount of contiguous packets for the class)
• Excessive Burst Size (additional burst size for the class with credits rell at a slower rate than committed
burst size)
• DiffServ feature applied to class maps
Automatic Voice over IP prioritization with protocol-based (SIP, H323 and SCCP ) or OUI-based Auto-VoIP up to 144 simultaneous voice calls
iSCSI Flow Acceleration and automatic protection / QoS with Auto-iSCSI
Intelligent Edge Managed Switches
Data Sheet | M4300 series
PAGE 14 of 60