Datasheet

© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com
Feature: Networkwide Security Features
Benefit:
• IEEE 802.1x allows dynamic, port-based security, providing user authentication.
• IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
• IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client.
• IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected.
• IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
• Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
• Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control-plane and data-plane traffic.
• Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
• Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
• Private VLAN Edge provides security and isolation between switch ports, which helps ensure that users cannot snoop on other users’ traffic.
• Dynamic ARP Inspection helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol.
• DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature is used by other primary security features to prevent a number of other attacks such as ARP poisoning.
• IP source guard prevents a malicious user from spoofing or taking over another user's IP address by creating a binding table between client's IP and MAC address, port, and VLAN.
• Bidirectional data support on the Switched Port Analyzer (SPAN) port allows Cisco Intrusion Detection System (IDS) to take action when an intruder is detected.
• TACACS+ and RADIUS authentication facilitate centralized control of the switch and restrict unauthorized users from altering the configuration.
• MAC address notification allows administrators to be notified of users added to or removed from the network.
• DHCP Snooping helps administrators with consistent mapping of IP to MAC addresses. This can be used to prevent attacks that attempt to poison the DHCP binding database, and to rate-limit the amount of DHCP traffic that enters a switch port.
• Port security secures the access to an access or trunk port based on MAC address.
• After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device to connect to the same port.
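The list above says DHCP Snooping is used by other security features and that IP source guard relies on a binding table of IP, MAC, port, and VLAN. The following is a simplified Python model of that dependency, added here as an illustration; it is not Cisco code or switch configuration. The class, port names, addresses, and the one-binding-per-port simplification are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    """Toy model: one snooping table consulted by ARP inspection and source guard."""
    trusted_ports: set                              # uplinks toward the real DHCP server
    pending: dict = field(default_factory=dict)     # (vlan, mac) -> client port
    bindings: dict = field(default_factory=dict)    # (vlan, port) -> (mac, ip)

    def dhcp_request(self, port, vlan, mac):
        """Client DISCOVER/REQUEST: remember which port the client sits on."""
        self.pending[(vlan, mac)] = port
        return "forward"

    def dhcp_ack(self, port, vlan, mac, ip):
        """Server ACK: accepted only from a trusted port, then recorded as a binding."""
        if port not in self.trusted_ports:
            return "drop"                           # server message on an untrusted port
        client_port = self.pending.pop((vlan, mac), None)
        if client_port is not None:
            self.bindings[(vlan, client_port)] = (mac, ip)
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        return self.bindings.get((vlan, port)) == (mac, ip)

    def arp(self, port, vlan, sender_mac, sender_ip):
        """ARP inspection: sender MAC/IP on an untrusted port must match a binding."""
        if port in self.trusted_ports or self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return "drop"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """Source guard on an access port: source MAC/IP must match that port's binding."""
        return "forward" if self._bound(port, vlan, src_mac, src_ip) else "drop"

def demo():
    sw = AccessSwitch(trusted_ports={"Gi0/24"})          # constructed port names
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"     # constructed MAC addresses
    sw.dhcp_request("Gi0/1", 10, a)
    return [
        sw.dhcp_ack("Gi0/2", 10, a, "192.0.2.99"),      # ACK arriving on an access port
        sw.dhcp_ack("Gi0/24", 10, a, "192.0.2.10"),     # ACK arriving on the uplink
        sw.arp("Gi0/1", 10, a, "192.0.2.10"),           # matches the learned binding
        sw.arp("Gi0/2", 10, b, "192.0.2.10"),           # another port claims A's address
        sw.ip_packet("Gi0/2", 10, b, "192.0.2.10"),     # source address not bound here
        sw.ip_packet("Gi0/1", 10, a, "192.0.2.10"),     # bound host, bound port
    ]
```

Without a snooped binding, both checks in the model drop traffic on an access port, which is why the binding table has to be populated before the dependent checks can pass legitimate hosts.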