Datasheet

Data Sheet
All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 7 of 12
Networkwide Security
Features
IEEE 802.1x allows dynamic, port-based security, providing user authentication.
IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user
regardless of where the user is connected.
IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of
the authorized or unauthorized state of the port.
IEEE 802.1x and port security are provided to authenticate the port and manage network
access for all MAC addresses, including those of the client.
IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network
access on the guest VLAN.
MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant
to get authenticated using their MAC address.
Unicast MAC filtering prevents the forwarding of any type of packet with a matching MAC
address.
Unknown unicast and multicast port blocking allows tight control by filtering packets that the
switch has not already learned how to forward.
SSHv2 and SNMPv3 provide network security by encrypting administrator traffic during Telnet
and SNMP sessions. SSHv2 and the cryptographic version of SNMPv3 require a special
cryptographic software image because of U.S. export restrictions.
Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Secure
intrusion detection system (IDS) to take action when an intruder is detected.
TACACS+ and RADIUS authentication enable centralized control of the switch and restrict
unauthorized users from altering the configuration.
MAC address notification allows administrators to be notified of users added to or removed
from the network.
Port security secures the access to an access or trunk port based on MAC address.
After a specific timeframe, the aging feature removes the MAC address from the switch to
allow another device to connect to the same port.
Multilevel security on console access prevents unauthorized users from altering the switch
configuration.
The user-selectable address-learning mode simplifies configuration and enhances security.
BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDU’s
are received to avoid accidental topology loops.
Spanning-Tree Root Guard (STRG) prevents edge devices not in the network administrator’s
control from becoming Spanning Tree Protocol root nodes.
Voice VLAN aware port security and BPDU Guard allow Voice VLAN traffic to not be
disrupted when security violations occur.
IGMP filtering provides multicast authentication by filtering out no subscribers and limits the
number of concurrent multicast streams available per port.
Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy
Server (VMPS) client functions to provide flexibility in assigning ports to VLANs. Dynamic
VLAN helps enable the fast assignment of IP addresses.
Cisco Network Assistant software security wizards ease the deployment of security features
for restricting user access to a server as well as to a portion of or the entire network.