System DescriptionH3C S3600 Series Ethernet Switches Chapter 3 Software Features3-15same time. The SSH client allows users to connect to the Ethernet switches and UNIXmainframes that support SSH servers.3.9.3 Port IsolationPort isolation means layer 2 isolation of the ports in the same VLAN so that layer 2 relaycannot be done between a port and another ( or another group of ) port, but it cancommunicate with the port in the upper layer. It prevents visiting between the ports,effectively controls unnecessary broadcasting and increases the network throughput.3.9.4 Packet FilterPacket filter filters invalid or non-interesting data packets. The switch filters each packetbased on the defined rules, by comparing the source or destination address forexample. With packet filter, session state is ignored and data is not analyzed. You candefine which packets are permitted and which are denied.3.9.5 IEEE 802.1X AuthenticationIEEE 802.1x is virtually a port based network access control protocol. As the nameimplies, the NAS on a LAN authenticates and controls the connected customerpremises equipment (CPE) at the port level. If the CPE connected to a port passesauthentication, it is allowed to access the LAN resources. Otherwise, it is rejected justlike its physical link is disconnected.In implementing 802.1x, the Ethernet switches not only support the port-based accessauthentication, but also extend and optimize it by: Allowing a physical port to be connected to several terminals. Supporting access control (that is user authentication) based on MAC address inaddition to port.The system thus becomes securer and more operational and manageable.Note that, although 802.1x provides an implementation scheme for user authentication,the protocol itself is not enough to implement the scheme. The NAS administrators,however, can use RADIUS or local authentication to complete the user authenticationwith 802.1x.3.9.6 Centralized MAC Address AuthenticationCentralized MAC address authentication: the server or the Ethernet switch stores theinformation on user MAC addresses. Once a new user is detected, the switchauthenticates the user by taking its MAC address as its user name and password. Itsearches the MAC addresses table in the server or the switch for the user’s MAC