Data Sheet
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
● Unicast RPF feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
● IEEE 802.1x allows dynamic, port-based security, providing user authentication.
● IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
● IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
● IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client.
● IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected.
● IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
● Web authentication for non-802.1x clients allows non-802.1x clients to use an SSL-based browser for authentication.
● Multi-Domain Authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on appropriate voice and data VLANs.
● MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using their MAC address.
● Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
● Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control-plane and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic.
● Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
● Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
● Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco intrusion detection system (IDS) to take action when an intruder is detected.
● TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
● MAC Address Notification allows administrators to be notified of users added to or removed from the network.
● Port Security secures the access to an access or trunk port based on MAC address.
● Multilevel security on console access prevents unauthorized users from altering the switch configuration.
● Bridge protocol data unit (BPDU) guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.