The S5700-EI implements complex S2700-26TP-SI-AC traffic classification based on packet information . ACLs can be applied to inbound or outbound direction on an interface. The S5700-EI supports a flow-based two-rate three-color CAR. Each port supports eight priority queues and multiple queue scheduling algorithms such as WRR, DRR, SP, WRR+SP, and DRR+SP. All of these ensure the quality of voice, video, and data services.
The S5700-EI supports DHCP snooping, which generates user binding entries based on MAC addresses, IP addresses, IP address leases, VLAN IDs, and access interfaces of users. DHCP snooping discards invalid packets that do not match any binding entries, such as ARP spoofing packets and IP spoofing packets. This prevents man-in-the-middle attacks to campus networks that hackers initiate by using ARP packets. The interface connected to a DHCP server can be configured as a trusted interface to protect the system against bogus DHCP server attacks.
The S5700-EI supports strict ARP learning, which prevents ARP spoofing attacks that will exhaust ARP entries. It also provides IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing, and MAC/IP spoofing.
The S5700-EI supports centralized MAC address authentication, 802.1x authentication,
The S5700-EI can limit the number of MAC addresses learned on an interface to prevent attackers from exhausting MAC address entries by using bogus source MAC addresses. This function minimizes packet flooding that occurs when MAC addresses of users cannot be found S2700-26TP-SI-AC in the MAC address table.
没有评论:
发表评论