Data Sheet
© 1992-2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Feature
Benefit
instance per VLAN, enabling Layer 2 load sharing on redundant links.
● VLAN Trunking Protocol (VTP) pruning limits bandwidth consumption on VTP trunks by flooding broadcast traffic only on trunk links required to reach the destination devices. Dynamic Trunking Protocol (DTP) enables dynamic trunk configuration across all ports on the switch.
● Internet Group Management Protocol Version 3 (IGMPv3) snooping provides for fast client joins and leaves of multicast streams and limits bandwidth-intensive video traffic to only the requestors. Multicast VLAN Registration (MVR), IGMP filtering, and fast-join and immediate leave are available as enhancements. The number of IGMP groups can be limited with IGMP throttling. IGMP Snooping time can be adjusted to optimize the performance of multicast data flows.
● MVR continuously sends multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons.
● Supports additional frame formats: Ethernet II (tagged and untagged), 802.3 (SNAP encapsulated, tagged and untagged frames).
Security
Network Security Features
● Filtering of incoming traffic flows based on Layer 2, Layer 3, or Layer 4 ACPs prevents unauthorized data flows.
  ◦ The following Layer 2 ACPs or a combination can be used for security classification of incoming packets: source MAC address, destination MAC address, and 16-bit Ethertype.
  ◦ The following Layer 3 and Layer 4 fields or a combination can be used for security classification of incoming packets: source IP address, destination IP address, TCP source or destination port number, UDP source or destination port number. ACLs can also be used to filter based on DSCP values.
  ◦ Time-based ACLs allow configuration of differentiated services based on time periods.
● Private VLAN edge provides security and isolation between ports on a switch, helping ensure that voice traffic travels directly from its entry point to the aggregation device through a virtual path and cannot be directed to a different port.
● Support for the 802.1x standard allows users to be authenticated, regardless of which LAN port they are accessing, and provides unique benefits to customers who have a large base of mobile (wireless) users accessing the network.
  ◦ IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user, regardless of where the user is connected.
  ◦ IEEE 802.1x with voice VLAN gives an IP phone access to the voice VLAN, regardless of the authorized or unauthorized state of the port.
  ◦ IEEE 802.1x with port security authenticates the port and manages network access for all MAC addresses, including the clients'.
  ◦ IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
● SSHv2 and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSHv2 and the crypto version of SNMPv3 require a special crypto software image because of U.S. export restrictions.
● Port Security and unicast MAC filtering secure the access to a port based on MAC addresses. The aging feature of port security removes the MAC address from the switch after a specific time frame to allow another device to connect to the same port. Unicast MAC filtering allows non-IP packets to be filtered as well.
● With unknown unicast/multicast port blocking, the switch will not flood packets with unknown destination MAC addresses to all Ethernet ports. Unknown unicast/multicast port blocking disables flooding on a per-port basis.
● MAC address notification allows administrators to be notified of new users added or removed from the network.
● Spanning-tree root guard (STRG) prevents edge devices not in the network administrator's control from becoming Spanning-Tree Protocol root nodes.
● The Spanning-Tree Protocol PortFast/bridge protocol data unit (BPDU) guard feature disables access ports with Spanning-Tree Protocol PortFast enabled upon reception of a BPDU, and increases network reliability, manageability, and security.
● Multilevel console access security prevents unauthorized users from altering the switch configuration.
● TACACS+ and RADIUS authentication enables centralized control of the switch and restricts unauthorized users from altering the configuration.
● The user-selectable address-learning mode simplifies configuration and enhances security.