Datasheet
ProSafe® 10 Gigabit Managed Switches M7100 series
Modern Access Layer Features Highlights (continued)
Enterprise security
Traffic control MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and
block MAC address flooding issues
DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP
address, VLAN ID, port) tuples that are considered authorized in order to prevent DHCP server spoofing attacks
IP Source Guard and Dynamic ARP Inspection use the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding
and to enforce source IP/MAC addresses, eliminating traffic from malicious users
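The binding-and-lookup behaviour described in the two items above, as an added example (a simplified model written for this page, not NETGEAR firmware code or M7100 CLI). The trusted-port concept, the class and method names, and all MAC addresses, IP addresses and port labels are assumptions constructed for illustration.

```python
# Added illustration: simplified model of DHCP snooping feeding IP Source Guard and
# Dynamic ARP Inspection. Names, ports and addresses are constructed, not from the datasheet.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # assumption: ports facing the legitimate DHCP server
        self.pending = {}                   # client MAC -> (vlan, port) seen in its REQUEST
        self.bindings = set()               # authorized (mac, ip, vlan, port) tuples

    def on_dhcp(self, port, vlan, msg_type, client_mac, offered_ip=None):
        """Return 'forward' or 'drop' for a DHCP message and update the bindings."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"               # server reply on an untrusted port: spoofed server
            if msg_type == "ACK" and client_mac in self.pending:
                c_vlan, c_port = self.pending.pop(client_mac)
                self.bindings.add((client_mac, offered_ip, c_vlan, c_port))
            return "forward"
        if msg_type == "REQUEST":
            self.pending[client_mac] = (vlan, port)
        elif msg_type == "RELEASE":
            # Honour a release only when it arrives on the port that owns the binding.
            owned = {b for b in self.bindings if b[0] == client_mac and b[2:] == (vlan, port)}
            if not owned:
                return "drop"
            self.bindings -= owned
        return "forward"

    def permits(self, port, vlan, mac, ip):
        """Lookup applied to the IP header source (IPSG) and the ARP sender fields (DAI)."""
        if port in self.trusted:
            return True                     # simplification: trusted ports are not validated
        return (mac, ip, vlan, port) in self.bindings

def demo():
    sw = SnoopingSwitch(trusted_ports={"1/0/24"})
    client = "aa:aa:aa:00:00:01"
    return [
        sw.on_dhcp("1/0/1", 10, "REQUEST", client),
        sw.on_dhcp("1/0/7", 10, "ACK", client, "10.0.10.66"),   # reply from an access port
        sw.on_dhcp("1/0/24", 10, "ACK", client, "10.0.10.20"),  # reply from the trusted uplink
        sw.permits("1/0/1", 10, client, "10.0.10.20"),          # matches the learned binding
        sw.permits("1/0/1", 10, client, "10.0.10.1"),           # source IP not in any binding
        sw.permits("1/0/7", 10, client, "10.0.10.20"),          # right MAC/IP, wrong port
    ]

if __name__ == "__main__":
    print(demo())
```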
Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port
channel) to block unauthorized data quickly and at the right granularity
ACLs on CPU interface (Control Plane ACLs) are used to define the IP/MAC or protocol through which management access is allowed for increased HTTP/HTTPS or
Telnet/SSH management security
Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent and
predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to influence the overall STP topology by creating loops
Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing rogue root bridge issues, for instance when unauthorized or unexpected
new equipment in the network accidentally becomes a root bridge for a given VLAN
Dynamic 802.1x VLAN assignment mode, including
Dynamic VLAN creation mode and Guest VLAN/
Unauthenticated VLAN are supported for rigorous
user and equipment RADIUS policy server enforcement
• Up to 48 clients (802.1x) per port are supported, including the authentication of the users' domain, in order to
facilitate convergent deployments: for instance when IP phones connect PCs on their bridge, IP phones and PCs
can authenticate on the same switch port but under different VLAN assignment policies (Voice VLAN versus
data VLANs)
802.1x MAC Address Authentication Bypass (MAB) is a:
• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose
• MAB can be configured on a per-port basis on the switch
• MAB initiates only after the dot1x authentication process times out, and only when clients don’t respond to any
of the EAPOL packets sent by the switch
• When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the
authentication server
• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
Double VLANs (DVLAN - QinQ) pass traffic from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are
preserved and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
Private VLANs (with Primary VLAN, Isolated VLAN,
Community VLAN, Promiscuous port, Host port,
Trunks) provide Layer 2 isolation between ports that
share the same broadcast domain, allowing a VLAN
broadcast domain to be partitioned into smaller
point-to-multipoint subdomains across switches in the same
Layer 2 network
• Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but need to
communicate with a router; they remove the need for more complex port-based VLANs with respective IP
interface/subnets and associated L3 routing
• Another typical Private VLAN application is carrier-class deployments, when users shouldn’t see, snoop or
attack other users’ traffic
Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secure
TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch configuration, based on latest
industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP and HTTPS
using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
Superior quality of service
Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
8 queues for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
Automatic Voice over IP prioritization with Auto-VoIP
iSCSI Flow Acceleration and automatic protection/QoS with Auto-iSCSI
Flow Control
802.3x Flow Control implementation per IEEE 802.3
Annex 31B specifications with Symmetric flow control,
Asymmetric flow control or No flow control
• Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot generate
PAUSE frames
• Symmetric flow control allows the switch to both respond to, and generate MAC control PAUSE frames
Allows traffic from one device to be throttled for a specified period of time: a device that wishes to inhibit transmission of data frames from another device on the LAN
transmits a PAUSE frame
UDLD Support
UDLD implementation detects unidirectional links on
physical ports (UDLD must be enabled on both sides of
the link in order to detect a unidirectional link)
• UDLD protocol operates by exchanging packets containing information about neighboring devices
• The purpose is to detect and avoid unidirectional link forwarding anomalies in a Layer 2 communication
channel in which a bi-directional link stops passing traffic in one direction
Both “normal-mode” and “aggressive-mode” are supported for perfect compatibility with other vendors' implementations, including port “D-Disable” triggering cases in
both modes










