Data Sheet

MAC-based Port Security • The port security feature limits access on a port to users with specific MAC addresses. These addresses
are manually defined or learned on that port. When a frame is seen on a locked port, and the frame source
MAC address is not tied to that port, the protection mechanism is invoked.
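As an added illustration (this is not code from the NETGEAR data sheet or from the switch firmware), the following Python model shows what a locked port does with each arriving frame: addresses are either configured statically or learned up to a limit, and a frame from any other source MAC triggers the protection mechanism. The port name, the learning limit and the two violation actions ("drop" the frame or "shutdown" the port) are assumptions chosen for the example.

```python
# Added example (not from the NETGEAR data sheet): a model of MAC-based port
# security on a locked port. The port name, address limit and violation
# actions ("drop" or "shutdown") are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class LockedPort:
    name: str
    max_learned: int = 1                       # dynamic addresses the port may learn
    static: set = field(default_factory=set)   # manually defined addresses
    violation_action: str = "drop"             # assumed: "drop" frames or "shutdown" port
    learned: set = field(default_factory=set)
    violations: int = 0
    shutdown: bool = False

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.shutdown:
            return "drop"                            # port was disabled by an earlier violation
        if src_mac in self.static or src_mac in self.learned:
            return "forward"                         # address is tied to this port
        if len(self.learned) < self.max_learned:
            self.learned.add(src_mac)                # still room under the limit: learn it
            return "forward"
        # Unknown source MAC on a locked port: the protection mechanism is invoked
        self.violations += 1
        if self.violation_action == "shutdown":
            self.shutdown = True
        return "drop"


def replay(port, frames):
    """Run a sequence of frame source MACs through the port and collect decisions."""
    return [port.ingress(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sample traffic: one static address, one learned, then an intruder
    p = LockedPort("1/0/1", max_learned=1, static={"00:11:22:33:44:55"})
    frames = ["00:11:22:33:44:55", "00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:11:22:33:44:55"]
    for mac, decision in zip(frames, replay(p, frames)):
        print(f"{p.name} {mac} -> {decision}")
    print(f"violations on {p.name}: {p.violations}")
```

With `violation_action="shutdown"` the first violation disables the port, so even the previously learned address is dropped afterwards; that is the trade-off between the two actions an operator chooses between.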
RADIUS Client • The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32
authentication and accounting RADIUS servers.
TACACS+ Client • The switch has a TACACS+ client. TACACS+ provides centralized security for validation of users accessing
the switch. TACACS+ provides a centralized user management system while still retaining consistency with
RADIUS and other authentication processes.
Dot1x Authentication (IEEE 802.1X) • Dot1x authentication enables the authentication of system users through a local internal server or an
external server. Only authenticated and approved system users can transmit and receive data. Supplicants
are authenticated using the Extensible Authentication Protocol (EAP). Also supported are PEAP, EAP-TTL,
EAP-TTLS, and EAP-TLS. M4500 supports RADIUS-based assignment (via 802.1X) of VLANs, including
guest and unauthenticated VLANs. The Dot1X feature also supports RADIUS-based assignment of filter
IDs as well as MAC-based authentication, which allows multiple supplicants connected to the same port to
each authenticate individually.
MAC Authentication Bypass • The switch supports the MAC-based Authentication Bypass (MAB) feature, which provides 802.1x-
unaware clients (such as printers and fax machines) controlled access to the network using the devices
MAC address as an identifier. This requires that the known and allowable MAC address and corresponding
access rights be pre-populated in the authentication server. MAB works only when the port control mode
of the port is MAC-based.
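As an added example (not code from the NETGEAR data sheet or the switch firmware), the following Python model ties the Dot1x and MAB descriptions above together: an EAP-capable supplicant is checked against the authentication server and may receive a VLAN from it, a failed supplicant lands in the unauthenticated VLAN, an 802.1X-unaware host is looked up by MAC address through MAB (only when the port control mode is MAC-based) and otherwise falls into the guest VLAN, and in MAC-based mode each host on the port is decided individually. The user table, the pre-populated MAB MAC table, the VLAN numbers and port modes are constructed sample data; the RADIUS exchange is reduced to a method call on a stand-in server object and EAP framing is not modelled.

```python
# Added example (not part of the NETGEAR data sheet): a model of how a port in
# Dot1x mode decides access for EAP supplicants and for 802.1X-unaware hosts via
# MAC Authentication Bypass (MAB). The user table, MAB MAC table, VLAN numbers
# and port modes are constructed sample data; the RADIUS exchange is reduced to
# a method call on a stand-in server object, and EAP framing is not modelled.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthServer:
    """Stand-in for the RADIUS server. users: name -> (password, VLAN or None);
    mab_macs: MAC -> VLAN or None, i.e. the pre-populated allowable addresses."""
    users: dict
    mab_macs: dict

    def eap(self, identity, credential):
        rec = self.users.get(identity)
        if rec is None or rec[0] != credential:
            return None                          # Access-Reject
        return {"vlan": rec[1]}                  # Access-Accept with optional VLAN

    def mab(self, mac):
        # MAB: the MAC address itself is the identifier and must be pre-populated
        if mac not in self.mab_macs:
            return None
        return {"vlan": self.mab_macs[mac]}


@dataclass
class Dot1xPort:
    mode: str                                # "port-based" or "mac-based" port control
    server: AuthServer
    mab_enabled: bool = True
    guest_vlan: Optional[int] = None         # for hosts that never speak EAP
    unauth_vlan: Optional[int] = None        # for hosts whose EAP attempt fails
    default_vlan: int = 1                    # used when the server assigns no VLAN
    authorized: dict = field(default_factory=dict)   # MAC -> VLAN

    def _admit(self, mac, reply):
        vlan = reply["vlan"] if reply["vlan"] is not None else self.default_vlan
        self.authorized[mac] = vlan
        return ("authorized", vlan)

    def host_connects(self, mac, identity=None, credential=None):
        """Return (decision, vlan) for a host appearing on the port."""
        if self.mode == "port-based" and self.authorized:
            # one authenticated supplicant opens the whole port for every MAC behind it
            return ("authorized", next(iter(self.authorized.values())))
        if identity is not None:                 # 802.1X-capable host: EAP via RADIUS
            reply = self.server.eap(identity, credential)
            if reply is not None:
                return self._admit(mac, reply)
            if self.unauth_vlan is not None:
                return ("unauthenticated-vlan", self.unauth_vlan)
            return ("rejected", None)
        # 802.1X-unaware host (printer, fax): MAB applies only in MAC-based mode
        if self.mab_enabled and self.mode == "mac-based":
            reply = self.server.mab(mac)
            if reply is not None:
                return self._admit(mac, reply)
        if self.guest_vlan is not None:
            return ("guest-vlan", self.guest_vlan)
        return ("rejected", None)


if __name__ == "__main__":
    # Constructed sample data: one user with VLAN 10, one MAB printer with VLAN 20
    server = AuthServer(users={"alice": ("s3cret", 10)},
                        mab_macs={"00:1b:63:aa:bb:cc": 20})
    port = Dot1xPort("mac-based", server, guest_vlan=99)
    print(port.host_connects("00:11:22:33:44:01", "alice", "s3cret"))   # laptop via EAP
    print(port.host_connects("00:1b:63:aa:bb:cc"))                      # printer via MAB
    print(port.host_connects("00:de:ad:be:ef:00"))                      # unknown, guest VLAN
```

The model makes the data sheet's restriction visible: the same printer MAC that MAB admits on a MAC-based port is rejected on a port-based port, because there MAB is never consulted.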
DHCP Snooping • DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP
server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN
ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific
VLANs. Ports within the VLAN can be configured to be trusted or untrusted. DHCP servers must be
reached through trusted ports. This feature is supported for both IPv4 and IPv6 packets.
DHCPv6 Snooping In an IPv6 domain, a node can obtain an IPv6 address using the following mechanisms:
• IPv6 address auto-configuration using router advertisements
• The DHCPv6 protocol
In a typical man-in-the-middle (MiM) attack, the attacker can snoop or spoof the traffic and act as a rogue
DHCPv6 server. To prevent such attacks, DHCPv6 snooping helps to secure the IPv6 address configuration
in the network. DHCPv6 snooping enables the switch to filter untrusted DHCPv6 packets in a subnet on an
IPv6 network. DHCPv6 snooping can ward off MiM attacks, such as a malicious user posing as a DHCPv6
server sending false DHCPv6 server reply packets with the intention of misdirecting other users. DHCPv6
snooping can also stop unauthorized DHCPv6 servers and prevent errors due to user misconfiguration of
DHCPv6 servers.
Dynamic ARP Inspection • Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The
feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for
other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious station sends ARP
requests or responses mapping another station’s IP address to its own MAC address.
IP Source Address Guard • IP Source Guard and Dynamic ARP Inspection use the DHCP snooping bindings database. When IP Source
Guard is enabled, the switch drops incoming packets that do not match a binding in the bindings database.
IP Source Guard can be configured to enforce just the source IP address or both the source IP address and
source MAC address. Dynamic ARP Inspection uses the bindings database to validate ARP packets. This
feature is supported for both IPv4 and IPv6 packets.
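As an added example covering the DHCP snooping, DHCPv6 snooping, Dynamic ARP Inspection and IP Source Guard descriptions above (this is not code from the NETGEAR data sheet or the switch firmware), the following Python model builds the bindings database from DHCP traffic and then uses it for the two consumers: server messages are accepted only on trusted ports, a confirmed lease (DHCPv4 ACK or DHCPv6 REPLY) creates a (MAC, IP, VLAN, port) binding for the untrusted port that asked, IP Source Guard drops packets whose source does not match a binding on that port (IP only or IP plus MAC), and DAI drops ARP packets whose sender MAC/IP pair is not bound on that port. Port names, VLAN numbers, addresses and the message dictionaries are constructed sample data; only the trust and binding decisions are modelled, not real DHCP or ARP parsing.

```python
# Added example (not from the NETGEAR data sheet): a model of the DHCP snooping
# bindings database and of the two features that consume it, IP Source Guard and
# Dynamic ARP Inspection. Port names, VLAN numbers, MAC/IP addresses and the
# message dicts are constructed sample data; DHCP/ARP parsing is not modelled.
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK", "ADVERTISE", "REPLY"}   # DHCPv4 and DHCPv6
LEASE_MSGS = {"ACK", "REPLY"}                                 # messages that confirm an address


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)
        self.snooping_vlans = set(snooping_vlans)
        self.pending = {}    # (client_mac, vlan) -> untrusted port that sent the request
        self.bindings = {}   # (client_mac, vlan) -> Binding

    def dhcp(self, msg):
        """Decide 'forward' or 'drop' for a DHCP(v6) message and update bindings.
        msg keys: type, port, vlan, src_mac, client_mac, and ip for lease messages."""
        if msg["vlan"] not in self.snooping_vlans:
            return "forward"                      # snooping not enabled on this VLAN
        if msg["type"] in SERVER_MSGS:
            if msg["port"] not in self.trusted:
                return "drop"                     # server reply on an untrusted port: rogue
            key = (msg["client_mac"], msg["vlan"])
            if msg["type"] in LEASE_MSGS and key in self.pending:
                self.bindings[key] = Binding(msg["client_mac"], msg["ip"],
                                             msg["vlan"], self.pending.pop(key))
            return "forward"
        # Client message. On an untrusted port the frame source MAC must match the
        # client address the message claims, otherwise it is a spoofed request.
        if msg["port"] not in self.trusted:
            if msg["src_mac"] != msg["client_mac"]:
                return "drop"
            self.pending[(msg["client_mac"], msg["vlan"])] = msg["port"]
        return "forward"

    def ip_packet(self, port, vlan, src_mac, src_ip, check_mac=True):
        """IP Source Guard: an untrusted port may only source addresses bound to it."""
        if port in self.trusted:
            return "forward"
        for b in self.bindings.values():
            if (b.port, b.vlan, b.ip) == (port, vlan, src_ip) and (not check_mac or b.mac == src_mac):
                return "forward"
        return "drop"

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender MAC/IP pair must be bound on this port."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((sender_mac, vlan))
        if b is not None and b.ip == sender_ip and b.port == port:
            return "forward"
        return "drop"                              # poisoning attempt or unbound host


def scenario():
    """Constructed exchange: a legitimate lease, a rogue server and spoofing attempts."""
    sw = SnoopingSwitch(trusted_ports={"1/0/48"}, snooping_vlans={10})
    srv = "00:aa:bb:cc:dd:ee"
    a, b, c = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    out = {}
    out["discover"] = sw.dhcp({"type": "DISCOVER", "port": "1/0/1", "vlan": 10, "src_mac": a, "client_mac": a})
    out["rogue_offer"] = sw.dhcp({"type": "OFFER", "port": "1/0/2", "vlan": 10, "src_mac": b, "client_mac": a, "ip": "10.0.0.5"})
    out["ack"] = sw.dhcp({"type": "ACK", "port": "1/0/48", "vlan": 10, "src_mac": srv, "client_mac": a, "ip": "10.0.0.5"})
    out["ipsg_ok"] = sw.ip_packet("1/0/1", 10, a, "10.0.0.5")
    out["ipsg_spoofed_ip"] = sw.ip_packet("1/0/1", 10, a, "10.0.0.9")
    out["ipsg_spoofed_mac"] = sw.ip_packet("1/0/1", 10, b, "10.0.0.5")
    out["ipsg_ip_only"] = sw.ip_packet("1/0/1", 10, b, "10.0.0.5", check_mac=False)
    out["dai_ok"] = sw.arp_packet("1/0/1", 10, a, "10.0.0.5")
    out["dai_poison"] = sw.arp_packet("1/0/2", 10, b, "10.0.0.5")   # b claims a's address
    # DHCPv6 on the same VLAN: SOLICIT on an untrusted port, REPLY from the trusted one
    sw.dhcp({"type": "SOLICIT", "port": "1/0/3", "vlan": 10, "src_mac": c, "client_mac": c})
    sw.dhcp({"type": "REPLY", "port": "1/0/48", "vlan": 10, "src_mac": srv, "client_mac": c, "ip": "2001:db8::5"})
    out["ipsg_v6"] = sw.ip_packet("1/0/3", 10, c, "2001:db8::5")
    return out


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:18} {decision}")
```

The `ipsg_spoofed_mac` and `ipsg_ip_only` cases show the difference between the two IP Source Guard modes the data sheet mentions: with IP-plus-MAC enforcement a host that borrows a neighbour's leased address is dropped, with IP-only enforcement it is forwarded.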
Quality of Service Features
Access Control Lists (ACL) Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while
blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control,
restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all
provide security for the network. M4500 supports the following ACL types:
• IPv4 ACLs
• IPv6 ACLs
• MAC ACLs
For all ACL types, you can apply the ACL rule when the packet enters or exits the physical port, Port-channel,
or VLAN interface (ingress and egress ACLs).
ACL Remarks • Users can use ACL remarks to include comments for ACL rule entries in any MAC ACL. Remarks assist the
user in understanding ACL rules easily.
100GE-Enabled Managed Switches Data Sheet
M4500 series
Page 9 of 29