Cisco Catalyst 3560-X Software Configuration Manual page 53


Chapter 1
Overview
Note: The images for the Cisco IOS Release 15.0(2)SE1 on the Catalyst 3750-X and 3560-X switches are FIPS certified. For information about using FIPS certified images, see the "Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation" section on page 1-25 of the software configuration guide.

• FIPS 140-2 is a cryptographic-focused certification, required by many government and enterprise customers, which ensures the compliance of the encryption and decryption operations performed by the switch to the approved FIPS cryptographic strengths and management methods for safeguarding these operations. For more information, see:
  - The security policy document at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1657
  - The installation notes at: http://www.cisco.com/en/US/products/ps10745/prod_installation_guides_list.html
• Common Criteria is an international standard (ISO/IEC 15408) for computer security certification. This standard is a set of requirements, tests, and evaluation methods that ensures that the Target of Evaluation complies with a specific Protection Profile or custom Security Target. For more information, see the security target document at: http://www.niap-ccevs.org/st/vid10488/
• Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to be authenticated using a web browser
• Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes
• Multilevel security for a choice of security level, notification, and resulting actions
• Static MAC addressing for ensuring security
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• VLAN aware port security option to shut down the VLAN on the port when a violation occurs, instead of shutting down the entire port
• Port security aging to set the aging time for secure addresses on a port
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
• Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces
• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/UDP headers
• Source and destination MAC-based ACLs for filtering non-IP traffic
• IPv6 ACLs to be applied to interfaces to filter IPv6 traffic
• Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured static ACLs (supported only on switches running the IP Base or IP Services feature set)

OL-25303-03
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Software Features
1-11
