Datasheet
Data Sheet
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 24
Advanced Security
The Cisco Catalyst 3560-E Series supports a comprehensive set of security features for
connectivity and access control, including ACLs, authentication, port-level security, and identity-
based network services with 802.1x and extensions. This set of comprehensive features not only
helps prevent external attacks, but defends the network against “man-in-the-middle” attacks, a
primary concern in today’s business environment. The switch also supports the Network
Admission Control (NAC) security framework.
●
DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out
invalid addresses. This feature is used by other primary security features to prevent a
number of other attacks such as ARP poisoning.
●
Dynamic ARP Inspection (DAI) helps ensure user integrity by preventing malicious users
from exploiting the insecure nature of the ARP protocol.
●
IP source guard prevents a malicious user from spoofing or taking over another user’s IP
address by creating a binding table between the client’s IP and MAC address, port, and
VLAN.
●
Private VLANs restrict traffic between hosts in a common segment by segregating traffic at
Layer 2, turning a broadcast segment into a nonbroadcast multi-access-like segment.
●
Private VLAN Edge provides security and isolation between switch ports, which helps
ensure that users cannot snoop on other users’ traffic.
●
Unicast RPF feature helps mitigate problems caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network by discarding IP packets that lack a
verifiable IP source address.
●
IEEE 802.1x allows dynamic, port-based security, providing user authentication.
●
IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user
regardless of where the user is connected.
●
IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of
the authorized or unauthorized state of the port.
●
IEEE 802.1x and port security are provided to authenticate the port and manage network
access for all MAC addresses, including that of the client.
●
IEEE 802.1x with an ACL assignment allows for specific identity-based security policies
regardless of where the user is connected.
●
IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network
access on the guest VLAN.
●
Web authentication for non-802.1x clients allows non-802.1x clients to use an SSL-based
browser for authentication.
●
Multi-Domain Authentication allows an IP phone and a PC to authenticate on the same
switch port while placing them on appropriate voice and data VLANs.
●
MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x
supplicant to get authenticated using their MAC address.
●
Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being
bridged within VLANs.
●
Cisco standard and extended IP security router ACLs define security policies on routed
interfaces for control-plane and data-plane traffic. IPv6 ACLs can be applied to filter IPv6
traffic.