Datasheet

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
network. This setup allows IT departments to enable strong security policies without compromising
user mobility, and with minimal administrative overhead.
To guard against denial-of-service and other attacks, ACLs can be used to restrict access to
sensitive portions of the network by denying packets based on source and destination MAC
addresses, IP addresses, or TCP/UDP ports. ACL lookups are done in hardware, so forwarding
performance is not compromised when implementing ACL-based security.
Port security can be used to limit access on an Ethernet port based on the MAC address of the
device to which it is connected. It also can be used to limit the total number of devices plugged
into a switch port, thereby protecting the switch from a MAC flooding attack as well as reducing
the risks of rogue wireless access points or hubs.
With Dynamic Host Configuration Protocol (DHCP) snooping, DHCP spoofing can be thwarted
by allowing only DHCP requests (but not responses) from untrusted user-facing ports. Additionally,
the DHCP Interface Tracker (Option 82) helps enable granular control over IP address assignment
by augmenting a host IP address request with the switch port ID. Building further on the DHCP
snooping capabilities, IP address spoofing can be thwarted using Dynamic ARP Inspection and
IP Source Guard.
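
The port security and DHCP snooping features described in the two paragraphs above, as a Cisco IOS configuration sketch (an added example, not part of the Cisco datasheet). VLAN 10, the interface names, the two-MAC limit and the rate limit of 15 packets per second are assumed values chosen for illustration.

```cisco
! Added example: layered access-port hardening on a Catalyst switch.
! Assumed values: VLAN 10, Gi0/1 as uplink, Fa0/2 as user port.
!
! Enable DHCP snooping globally and on the user VLAN. Ports are
! untrusted by default, so DHCP server responses arriving on them
! are dropped; only client requests are accepted.
ip dhcp snooping
ip dhcp snooping vlan 10
! Insert Option 82 (switch and port identifier) into client requests.
ip dhcp snooping information option
!
! Dynamic ARP Inspection validates ARP packets on the VLAN against
! the DHCP snooping binding table.
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 description Uplink toward the legitimate DHCP server (assumed)
 ! Only this port may carry DHCP server responses and unchecked ARP.
 ip dhcp snooping trust
 ip arp inspection trust
!
interface FastEthernet0/2
 description User-facing access port (assumed)
 switchport mode access
 switchport access vlan 10
 ! Port security: learn at most two MAC addresses, keep them across
 ! link flaps, and drop plus log frames from any further address.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! Cap DHCP packets per second so the port cannot exhaust the pool.
 ip dhcp snooping limit rate 15
 ! IP Source Guard: permit only source IPs present in the snooping
 ! binding table for this port.
 ip verify source
```

Hosts with static addresses on VLAN 10 have no snooping binding, so Dynamic ARP Inspection and IP Source Guard will drop their traffic unless static bindings or ARP ACLs are added for them.
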
The MAC Address Notification feature can be used to monitor the network and track users by
sending an alert to a management station so that network administrators know when and where
users entered the network. The Private VLAN feature isolates ports on a switch, helping ensure
that traffic travels directly from the entry point to the aggregation device through a virtual path
and cannot be directed to another port.
Secure Shell (SSH) Protocol Version 2, Kerberos, and Simple Network Management Protocol
Version 3 (SNMPv3) encrypt administrative and network-management information, protecting
the network from tampering or eavesdropping. TACACS+ or RADIUS authentication enables
centralized access control of switches and restricts unauthorized users from altering the
configurations. Alternatively, a local username and password database can be configured on the
switch itself. Fifteen levels of authorization on the switch console and two levels on the Web-based
management interface provide the ability to give different levels of configuration capabilities to
different administrators.

Availability and Scalability

The Cisco Catalyst 3560 Series is equipped with a robust set of features that allow for network
scalability and higher availability through IP routing as well as a complete suite of Spanning Tree
Protocol enhancements aimed at maximizing availability in a Layer 2 network.
The Cisco Catalyst 3560 switches deliver high-performance, hardware-based IP routing. The Cisco
Express Forwarding-based routing architecture allows for increased scalability and performance.
This architecture allows for very high-speed lookups while also ensuring the stability and scalability
necessary to meet future requirements. In addition to dynamic IP unicast routing,
the Cisco Catalyst 3560 Series is perfectly equipped for networks requiring multicast support.
Protocol Independent Multicast (PIM) and Internet Group Management Protocol (IGMP)
snooping in hardware make the Cisco Catalyst 3560 Series switches ideal for intensive
multicast environments.