Datasheet

Cisco Systems, Inc.
All contents are Copyright © 1992–2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 8 of 17
Table 1 Product Features and Benefits (Continued)

Feature: Security (Network-wide Security Features)

Benefit:
- IEEE 802.1x allows dynamic, port-based security, providing user authentication.
- IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user, regardless of where the user is connected.
- IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN, regardless of the authorized or unauthorized state of the port.
- IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including those of the client.
- IEEE 802.1x with an ACL assignment allows for specific identity-based security policies, regardless of where the user is connected.
- IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network access on the Guest VLAN.
- Cisco security VLAN ACLs (VACLs) on all VLANs prevent unauthorized data flows from being bridged within VLANs.
- Port-based ACLs (PACLs) allow security policies to be applied on individual switch ports.
- SSH Protocol, Kerberos, and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image due to U.S. export restrictions.
- Private VLAN Edge provides security and isolation between switch ports, helping to ensure that users cannot snoop on other users' traffic.
- Bidirectional data support on the Switched Port Analyzer (SPAN) port allows Cisco Secure Intrusion Detection System (IDS) to take action when an intruder is detected.
- TACACS+ and RADIUS authentication enable centralized control of the switch and restrict unauthorized users from altering the configuration.
- MAC address notification allows administrators to be notified of users added to or removed from the network.
- Port security secures the access to an access or trunk port based on the MAC address. After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device to connect to the same port.
- Trusted boundary provides the ability to trust the QoS priority settings if an IP phone is present and to disable the trust settings if the IP phone is removed, preventing a malicious user from overriding prioritization policies in the network.
- Multilevel security on console access prevents unauthorized users from altering the switch configuration.
- The user-selectable address-learning mode simplifies configuration and enhances security.
- BPDU Guard shuts down Spanning-Tree Protocol PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
- Spanning-Tree Root Guard (STRG) prevents edge devices not in the network administrator's control from becoming Spanning-Tree Protocol root nodes.
- IGMP filtering provides multicast authentication by filtering out non-subscribers, and limits the number of concurrent multicast streams available per port.
- Dynamic VLAN assignment is supported through implementation of the VLAN Membership Policy Server (VMPS) client function to provide flexibility in assigning ports to VLANs. Dynamic VLAN enables the fast assignment of IP addresses.
- Cisco CMS Software security wizards ease the deployment of security features for restricting user access to a server, to a portion of the network, or to the entire network.
- 1000 security access control entries are supported.
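The following is an added example, not part of the Cisco datasheet, showing how a practitioner would enable several of the listed features together on an IOS access switch (802.1x with Guest VLAN, port security with inactivity aging, Private VLAN Edge, BPDU Guard on a PortFast port, and Root Guard). The interface names, VLAN numbers, RADIUS server address and shared secret are assumed placeholders, and exact command syntax varies by IOS release.

```cisco
! Assumed placeholders: RADIUS server 192.0.2.10, access VLAN 10, guest VLAN 20
! Global 802.1x: authenticate users against RADIUS before granting port access
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 key EXAMPLE-SHARED-SECRET
!
! User-facing access port: 802.1x with Guest VLAN for clients lacking a
! supplicant, one MAC allowed with inactivity aging, isolation from other
! protected ports, and BPDU Guard so a rogue switch cannot form a loop
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport protected
 dot1x port-control auto
 dot1x guest-vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port toward a device outside the administrator's control: Root Guard
! blocks the port if that device tries to become the spanning-tree root
interface FastEthernet0/2
 spanning-tree guard root
!
! Verification after applying the configuration
show port-security interface FastEthernet0/1
show dot1x interface FastEthernet0/1
show spanning-tree inconsistentports
```

A port that trips BPDU Guard goes err-disabled and stays down until an administrator clears it, so pair it with monitoring of the error-disabled state rather than treating a silent port as idle.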