Data Sheet
© 1992-2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 15
Secure Shell (SSH) Protocol and SNMPv3 protect information from tampering or eavesdropping
by encrypting information being passed along the network, thereby guarding administrative
information. Private VLAN Edge isolates ports on a switch, helping ensure that traffic travels
directly from the entry point to the aggregation device through a virtual path and cannot be
directed to another port.
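As an added configuration example (not taken from the data sheet), the following IOS fragment shows how the three features in the paragraph above are typically enabled on a Catalyst switch: SSH for management sessions, SNMPv3 with authentication and privacy, and protected ports for Private VLAN Edge. The host name, domain name, user names, passphrases, the management subnet 192.0.2.0/24 and the interface numbers are constructed placeholders; SSH and SNMPv3 privacy require a crypto IOS image, and the exact `snmp-server user` privacy keyword (`des56` here) varies by IOS release.

```cisco
! Added example, not Cisco data sheet content. Names, passphrases and
! addresses are constructed placeholders.
hostname cat2955
ip domain-name example.net
!
! An RSA host key must exist before the SSH server starts
! (the command prompts for the modulus size; use 1024 or larger)
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Management sessions: SSH only, no Telnet
line vty 0 15
 transport input ssh
 exec-timeout 10 0
!
! SNMPv3 only: no v1/v2c community strings are defined.
! The group requires authentication and privacy (priv) and is limited
! by ACL 10 to the management subnet.
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server group NETMGMT v3 priv access 10
! Privacy keyword is release dependent ("des56" on older 12.1 images,
! "des" on later ones); assumption, verify against your release
snmp-server user nms-poller NETMGMT v3 auth sha AuthPassPhrase1 priv des56 PrivPassPhrase1
!
! Private VLAN Edge: protected ports forward only to unprotected ports
! (the uplink), never to each other, so hosts on 0/1-0/8 cannot
! talk to one another at Layer 2
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport protected
!
interface FastEthernet0/9
 description uplink to aggregation switch, left unprotected
 switchport mode trunk
```

With this in place, `show ip ssh` confirms the server is enabled, `show snmp user` lists the v3 user, and `show interfaces FastEthernet0/1 switchport` shows "Protected: true" for an isolated port.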
Port-based access control parameters (ACPs) restrict sensitive portions of the network by
denying packets based on source and destination MAC addresses, IP addresses, or Transmission
Control Protocol/User Datagram Protocol (TCP/UDP) ports. ACP lookups are done in hardware,
so forwarding performance is not compromised when implementing this type of security in the
network. In addition, time-based ACPs allow configuration of differentiated services based on
time periods. ACPs can also be applied to filter traffic based on differentiated services code point
(DSCP) values. Port security provides another means to help ensure that appropriate users are on
the network, by limiting access based on MAC addresses.
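The paragraph above lists four controls without showing how they are expressed; the following added example (not from the data sheet) puts them together on user ports of a Catalyst switch: a time-based IP ACL entry, an ACL entry matched on a DSCP value, a MAC ACL that blocks one source address, and port security limiting a port to a single learned MAC address. The time range name, ACL names, the 192.0.2.0/24 user subnet, the server address 198.51.100.10, the sample MAC address and the interface numbers are constructed placeholders; DSCP matching in ACLs assumes the Enhanced Image feature set the 2955 ships with.

```cisco
! Added example, not Cisco data sheet content. Names, addresses and
! the MAC address below are constructed placeholders.
!
! Time range used to make an ACL entry apply only during business hours
time-range WORKHOURS
 periodic weekdays 8:00 to 18:00
!
! IP ACL applied inbound on user ports:
!  - web access to the intranet server only during WORKHOURS
!  - EF-marked (DSCP 46) voice traffic always permitted
!  - everything else denied by the explicit final entry
ip access-list extended USER-PORT-IN
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 80 time-range WORKHOURS
 permit ip any any dscp ef
 deny ip any any
!
! MAC ACL: block frames from one known-bad source address
mac access-list extended BLOCK-STATION
 deny host 0011.2233.4455 any
 permit any any
!
interface FastEthernet0/1
 switchport mode access
 ip access-group USER-PORT-IN in
 ! Port security: one MAC address, learned and saved as sticky;
 ! "restrict" drops violating frames and raises the violation counter
 ! instead of err-disabling the port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
 mac access-group BLOCK-STATION in
```

`show access-lists` displays the time-based entry as active or inactive according to the clock, so the switch clock (or NTP) must be correct for WORKHOURS to behave as intended; `show port-security interface FastEthernet0/1` shows the violation count and the sticky address that was learned.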
For authentication of users with a Terminal Access Controller Access Control System (TACACS+)
or RADIUS server, 802.1x provides port-level security. 802.1x in conjunction with a RADIUS
server allows for dynamic port-based user authentication. 802.1x-based user authentication can
be extended to dynamically assign a virtual LAN (VLAN) based on a specific user, regardless of
where that user connects on the network. This intelligent adaptability provides greater flexibility
and mobility to the network's stratified user populations. By combining access control and user
profiles with secure network connectivity, services, and applications, customers can more
effectively manage user mobility and drastically reduce the overhead associated with
granting and managing access to network resources.
With multilayer Cisco Catalyst 2955 Series Switches, network managers can implement high
levels of console security. Multilevel access security on the switch console and a Web-based
management interface prevent unauthorized users from accessing or altering switch configurations.
TACACS+ or RADIUS authentication enables centralized access control of the switch and restricts
unauthorized users from altering the configuration. Deploying security can be done through Cisco
Network Assistant security wizards, which ease the deployment of security features that restrict
user access to a server, a portion of the network, or the entire network.
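The two paragraphs above describe 802.1x with RADIUS (including VLAN assignment per user) and TACACS+ or RADIUS authentication for the console and web interface. The following added example (not from the data sheet) shows one AAA configuration that covers both: RADIUS authenticates 802.1x supplicants and may return a VLAN, while TACACS+ authenticates administrators on the console, the vty lines and the web interface, with a local account as fallback if the server is unreachable. Server addresses, shared secrets, the local account, VLAN 100 and the interface number are constructed placeholders.

```cisco
! Added example, not Cisco data sheet content. Addresses, secrets,
! user names and VLAN ids are constructed placeholders.
service password-encryption
enable secret ChangeMeEnable1
! Local fallback account, used only when TACACS+ is unreachable
username fallback-admin privilege 15 password ChangeMeLocal1
!
aaa new-model
! 802.1x users are authenticated by RADIUS; "authorization network"
! allows RADIUS to push a per-user VLAN back to the switch
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Administrators: TACACS+ first, local account if no server answers
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
tacacs-server host 192.0.2.20 key TacacsSharedSecret
!
! Enable 802.1x globally, then per port
dot1x system-auth-control
!
interface FastEthernet0/5
 switchport mode access
 ! VLAN 100 is the default; a RADIUS reply carrying Tunnel-Type=VLAN,
 ! Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID=<vlan> overrides it
 switchport access vlan 100
 dot1x port-control auto
!
! Web management and both line types use the AAA login method above
ip http authentication aaa
line con 0
 login authentication default
 exec-timeout 5 0
line vty 0 15
 login authentication default
 transport input ssh
```

`show dot1x interface FastEthernet0/5` reports the port's authorization state, and `show vlan brief` shows which VLAN the port actually landed in after a successful RADIUS exchange; `show tacacs` confirms the TACACS+ server is reachable before the local fallback is relied on.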
Network Control through Advanced QoS and Rate Limiting
Cisco Catalyst 2955 Series Switches offer superior and highly granular QoS based on Layers 2–4
information, to help ensure that network traffic is classified and prioritized, and that congestion is
avoided in the best possible manner. These switches can classify, reclassify, police (determine whether
the packet is in or out of a predetermined profile and apply actions to the packet accordingly), and mark or drop
the incoming packets before the packet is placed in the shared buffer. Packet classification allows
the network elements to discriminate between various traffic flows and to enforce rate-limiting
policies based on Layer 2 and Layer 3 QoS fields.
To implement QoS, these switches first identify traffic flows or packet groups. They classify or
reclassify these groups using the DSCP field in the IP packet and/or the 802.1p class of service
(CoS) field in the Ethernet packet. Classification and reclassification can also be based on criteria
as specific as the source or destination IP address, source or destination MAC address, or the
Layer 4 TCP/UDP ports. At the ingress (incoming port) level, Cisco Catalyst 2955 Series Switches
can also perform policing and marking of the packet.
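The steps described above (identify flows by Layer 3/4 fields, classify them, then police and mark at ingress) map onto the class-map/policy-map model. The following added example (not from the data sheet) classifies RTP voice and a bulk backup flow with ACLs, marks voice EF and polices it, re-marks backup traffic down if it exceeds its rate, and trusts the DSCP of a known uplink instead of re-classifying it. ACL and class names, the backup server 198.51.100.20, the rates and the interface numbers are constructed placeholders; the police and set syntax shown is the Catalyst 2950/2955 Enhanced Image form.

```cisco
! Added example, not Cisco data sheet content. Names, addresses,
! rates and interface numbers are constructed placeholders.
!
! Layer 4 classification: RTP bearer traffic and SMB backups
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
ip access-list extended BACKUP-SMB
 permit tcp any host 198.51.100.20 eq 445
!
class-map match-all VOICE
 match access-group name VOICE-RTP
class-map match-all BULK
 match access-group name BACKUP-SMB
!
! Ingress policy: mark, then police each class separately.
! Rates are bits per second, bursts are bytes.
policy-map INGRESS-USER
 class VOICE
  ! mark EF (DSCP 46); drop anything above 1 Mbps per port
  set ip dscp 46
  police 1000000 8192 exceed-action drop
 class BULK
  ! mark CS1 (DSCP 8); above 5 Mbps re-mark to best effort instead of drop
  set ip dscp 8
  police 5000000 8192 exceed-action dscp 0
!
interface FastEthernet0/6
 switchport mode access
 service-policy input INGRESS-USER
!
! Uplink from a trusted aggregation switch: keep its DSCP markings
interface FastEthernet0/9
 switchport mode trunk
 mls qos trust dscp
!
! Untrusted user port with no policy: incoming DSCP is rewritten to 0
interface FastEthernet0/7
 switchport mode access
 mls qos cos 0
```

`show policy-map interface FastEthernet0/6` displays per-class matches and policed counts, and `show mls qos interface FastEthernet0/9` confirms the trust state, which is the setting to check when marked traffic arrives at the switch but leaves with DSCP 0.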