Switch User Manual
Data Sheet
All contents are Copyright © 1992–2006, 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 23
Feature Benefit
Granular Rate
Limiting
●
Cisco committed information rate (CIR) function provides bandwidth in increments as low as 8 Kbps.
●
Rate limiting is provided based on source and destination IP address, source and destination MAC
address, Layer 4 TCP/UDP information, or any combination of these fields, using QoS ACLs (IP ACLs
or MAC ACLs), class maps, and policy maps.
●
Asynchronous data flows upstream and downstream from the end station or on the uplink are easily
managed using ingress policing and egress shaping.
●
Up to 64 aggregate or individual policers are available per Fast Ethernet or Gigabit Ethernet port.
Network Security
Networkwide
Security
Features
●
IEEE 802.1x allows dynamic, port-based security, providing user authentication.
●
IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless
of where the user is connected.
●
IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the
authorized or unauthorized state of the port.
●
IEEE 802.1x and port security are provided to authenticate the port and manage network access for all
MAC addresses, including that of the client.
●
IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of
where the user is connected.
●
IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on
the guest VLAN.
●
Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within
VLANs.
●
Cisco standard and extended IP security router ACLs define security policies on routed interfaces for
control-plane and data-plane traffic.
●
Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
●
Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3
(SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP
sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special
cryptographic software image because of U.S. export restrictions.
●
Private VLAN Edge provides security and isolation between switch ports, which helps ensure that
users cannot snoop on other users’ traffic.
●
Dynamic ARP Inspection helps ensure user integrity by preventing malicious users from exploiting the
insecure nature of the ARP protocol.
●
DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus
addresses. This feature is used by other primary security features to prevent a number of other attacks
such as ARP poisoning.
●
IP source guard prevents a malicious user from spoofing or taking over another user’s IP address by
creating a binding table between client’s IP and MAC address, port, and VLAN.
●
Bidirectional data support on the Switched Port Analyzer (SPAN) port allows a Cisco Intrusion
Detection System (IDS) to take action when an intruder is detected.
●
TACACS+ and RADIUS authentication facilitate centralized control of the switch and restrict
unauthorized users from altering the configuration.
●
MAC address notification allows administrators to be notified of users added to or removed from the
network.
●
DHCP Snooping helps administrators with consistent mapping of IP to MAC addresses. This can be
used to prevent attacks that attempt to poison the DHCP binding database and to rate-limit the
amount of DHCP traffic that enters a switch port.
●
Port security secures the access to an access or trunk port based on MAC address.
●
After a specific timeframe, the aging feature removes the MAC address from the switch to allow
another device to connect to the same port.
●
Trusted boundary provides the ability to trust the QoS priority settings if an IP phone is present and to
disable the trust setting in the event that the IP phone is removed, thereby preventing a malicious user
from overriding prioritization policies in the network.
●
Multilevel security on console access prevents unauthorized users from altering the switch
configuration.
●
The user-selectable address-learning mode simplifies configuration and enhances security.
●
Bridge protocol data unit (BPDU) guard shuts down Spanning Tree PortFast-enabled interfaces when
BPDUs are received to avoid accidental topology loops.
●
Spanning Tree Root Guard (STRG) prevents edge devices not in the network administrator’s control
from becoming Spanning Tree Protocol root nodes.
●
IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of
concurrent multicast streams available per port.
●
Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server
client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast
assignment of IP addresses.
●
Cisco CMS Software security wizards ease the deployment of security features for restricting user
access to a server as well as to a portion or all of the network.
●
1000 access control entries (ACEs) are supported.