Datasheet
© 2005 Cisco Systems, Inc. All right reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com
Page 8 of 25
Feature | Benefit
Networkwide Security Features
• IEEE 802.1x allows dynamic, port-based security, providing user authentication.
• IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
• IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client.
• IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected.
• IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
• Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
• Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control-plane and data-plane traffic.
• Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
• Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
• Private VLAN Edge provides security and isolation between switch ports, which helps ensure that users cannot snoop on other users’ traffic.
• Dynamic ARP Inspection helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol.
• DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature is used by other primary security features to prevent a number of other attacks, such as ARP poisoning.
• IP source guard prevents a malicious user from spoofing or taking over another user's IP address by creating a binding table between the client's IP address, MAC address, port, and VLAN.
• Bidirectional data support on the Switched Port Analyzer (SPAN) port allows a Cisco Intrusion Detection System (IDS) to take action when an intruder is detected.
• TACACS+ and RADIUS authentication facilitate centralized control of the switch and restrict unauthorized users from altering the configuration.
• MAC address notification allows administrators to be notified of users added to or removed from the network.
• DHCP Snooping helps administrators maintain a consistent mapping of IP to MAC addresses. This mapping can be used to prevent attacks that attempt to poison the DHCP binding database, and to rate-limit the amount of DHCP traffic that enters a switch port.
• Port security secures access to an access or trunk port based on MAC address.
• After a specific timeframe, the port security aging feature removes the MAC address from the switch to allow another device to connect to the same port.
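The bullets on DHCP Snooping, Dynamic ARP Inspection and IP source guard all rely on the same binding table of IP address, MAC address, port and VLAN. The following is an added Python model of how that table is built and consulted; it is not Cisco code, and every port name, MAC and IP address in it is constructed for the scenario.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping entry: the MAC that holds an IP, and on which port/VLAN."""
    mac: str
    port: str
    vlan: int

class SnoopingSwitch:
    """Toy model of the binding table shared by DHCP snooping, DAI and IP source guard."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # e.g. the uplink toward the real DHCP server
        self.bindings = {}                 # (vlan, ip) -> Binding
    def dhcp_ack(self, server_port, client_port, vlan, client_mac, client_ip):
        """DHCP snooping: a DHCPACK is honoured only from a trusted port, so a rogue
        server on an access port is dropped; accepted leases populate the table
        (client_port is the port the client's request arrived on)."""
        if server_port not in self.trusted:
            return False
        self.bindings[(vlan, client_ip)] = Binding(client_mac, client_port, vlan)
        return True

    def arp_ok(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender IP/MAC must match a binding, so
        gratuitous replies that would poison neighbours' ARP caches are dropped."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        return b is not None and b.mac == sender_mac and b.port == port

    def ip_ok(self, port, vlan, src_mac, src_ip):
        """IP source guard (with port security): forward an IP packet only if its
        source IP and MAC were leased on this very port and VLAN."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_ip))
        return b is not None and b.port == port and b.mac == src_mac

def demo():
    """Constructed scenario: a legitimate lease on Gi1/0/1, then a host on Gi1/0/2
    tries to act as DHCP server and to claim the leased address; returns verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    rogue = sw.dhcp_ack("Gi1/0/2", "Gi1/0/1", 10, "00:11:22:33:44:55", "10.0.10.20")
    lease = sw.dhcp_ack("Gi1/0/48", "Gi1/0/1", 10, "00:11:22:33:44:55", "10.0.10.20")
    return {"rogue_dhcp_dropped": not rogue and lease,
            "host_arp": sw.arp_ok("Gi1/0/1", 10, "00:11:22:33:44:55", "10.0.10.20"),
            "spoofed_arp": sw.arp_ok("Gi1/0/2", 10, "66:77:88:99:aa:bb", "10.0.10.20"),
            "host_ip": sw.ip_ok("Gi1/0/1", 10, "00:11:22:33:44:55", "10.0.10.20"),
            "spoofed_ip": sw.ip_ok("Gi1/0/2", 10, "66:77:88:99:aa:bb", "10.0.10.20")}
```

Running demo() shows the legitimate host's ARP and IP traffic passing while the rogue DHCP reply and the spoofed ARP and IP traffic from the other port are dropped, which is the dependency between the three features the datasheet alludes to.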