Specifications
Data Sheet
All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 15
Feature Benefit
Network Security Features
● Filtering of incoming traffic flows based on Layer 2, Layer 3, or Layer 4 access control parameters (ACPs) prevents unauthorized data flows.
The following Layer 2 ACPs, alone or in combination, can be used for security classification of incoming packets: source MAC address, destination MAC address, and 16-bit EtherType.
The following Layer 3 and Layer 4 fields, alone or in combination, can be used for security classification of incoming packets: source IP address, destination IP address, TCP source or destination port number, and UDP source or destination port number. ACLs can also filter on DSCP values.
Time-based ACLs apply an access control entry only during configured time periods, allowing differentiated service by time of day.
● Private VLAN edge (protected ports) provides security and isolation between ports on a switch, helping ensure that traffic from a protected port, such as an IP phone's voice traffic, travels directly from its entry point to the aggregation device through a virtual path and cannot be forwarded to another protected port on the same switch.
● Support for the IEEE 802.1X standard allows users to be authenticated regardless of which LAN port they are accessing, and provides unique benefits to customers who have a large base of mobile (wireless) users accessing the network.
IEEE 802.1X with VLAN assignment allows a dynamic VLAN assignment for a specific user, regardless of where the user is connected.
IEEE 802.1X with voice VLAN gives an IP phone access to the voice VLAN, regardless of the authorized or unauthorized state of the port.
IEEE 802.1X with port security authenticates the port and manages network access for all MAC addresses, including the clients'.
IEEE 802.1X with guest VLAN allows guests without 802.1X supplicants to have limited network access on the guest VLAN.
● SSHv2 and SNMPv3 protect the management plane: SSHv2 provides an encrypted and authenticated command-line session in place of cleartext Telnet, and SNMPv3 adds authentication and encryption to SNMP management traffic. SSHv2 and the crypto version of SNMPv3 require a special crypto software image because of U.S. export restrictions.
● Port security and unicast MAC filtering secure access to a port based on MAC addresses. The aging feature of port security removes a secure MAC address from the switch after a specified time (or after a period of inactivity) so that another device can connect to the same port. Unicast MAC filtering operates on the MAC header, so non-IP packets can be filtered as well.
● With unknown unicast/multicast port blocking, the switch does not flood packets with unknown destination MAC addresses to every Ethernet port. Flooding is disabled on a per-port basis, so a blocked port never receives such traffic.
● MAC address notification lets administrators be notified (by SNMP trap) when a MAC address is learned on or removed from the switch, that is, when a user is added to or removed from the network.
● Spanning Tree Protocol root guard (STRG) prevents edge devices not under the network administrator's control from becoming Spanning Tree Protocol root bridges.
● The Spanning Tree Protocol PortFast/bridge protocol data unit (BPDU) guard feature shuts down (error-disables) a PortFast-enabled access port when a BPDU is received on it, which increases network reliability, manageability, and security.
● Multilevel console access security prevents unauthorized users from altering the switch configuration.
● TACACS+ and RADIUS authentication enables centralized control of the switch and restricts unauthorized users from altering the configuration.
● The user-selectable address-learning mode simplifies configuration and enhances security.
● Trusted Boundary provides the ability to trust the QoS priority settings if a Cisco IP phone is present and to disable the trust setting if the IP phone is removed, preventing a rogue user from overriding prioritization policies in the network.
● IGMP filtering controls multicast group access by restricting the multicast groups that hosts on a port may join, filtering out nonsubscribers, and limits the number of concurrent multicast streams available per port.
● Support for dynamic VLAN assignment through VLAN Membership Policy Server (VMPS) client functionality provides flexibility in assigning ports to VLANs. Dynamic VLAN assignment also enables fast assignment of IP addresses.
● SPAN support lets intrusion detection systems (IDSs) receive a mirrored copy of switch traffic in order to monitor, repel, and report network security violations.
● Cisco Network Assistant software security wizards ease the deployment of security features for restricting user access to a server, a portion of the network, or the network.
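The Layer 2, Layer 3/4, DSCP and time-based classification described in the filtering row above, as an added Cisco IOS configuration example. It is not taken from the data sheet; the ACL names, addresses, MAC address, EtherType, time range and the interface FastEthernet0/10 are hypothetical values chosen for illustration.

```cisco
! Added example: Layer 2, Layer 3/4, DSCP and time-based port ACLs (hypothetical values)
!
! Layer 2 ACP classification: source/destination MAC and 16-bit EtherType.
! Deny one known-bad station and a legacy EtherType (0x8137, IPX over Ethernet II);
! permit all other non-IP frames.
mac access-list extended L2-POLICY
 deny   host 0000.0c12.3456 any
 deny   any any 0x8137 0x0
 permit any any
!
! Time range referenced by the time-based entries below (weekdays, 08:00 to 18:00).
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
! Layer 3/4 classification: IP addresses, TCP/UDP ports and DSCP.
! Entries are evaluated top down and the first match wins; a packet that matches
! nothing hits the implicit "deny ip any any" (written out explicitly here).
ip access-list extended CLIENT-IN
 remark DNS only to the campus resolver
 permit udp 10.20.0.0 0.0.255.255 host 10.1.1.53 eq 53
 remark no SSH or Telnet from user ports into the management subnet
 deny   tcp any 10.0.0.0 0.0.0.255 eq 22
 deny   tcp any 10.0.0.0 0.0.0.255 eq 23
 remark web access only during business hours
 permit tcp 10.20.0.0 0.0.255.255 any eq 80  time-range BUSINESS-HOURS
 permit tcp 10.20.0.0 0.0.255.255 any eq 443 time-range BUSINESS-HOURS
 remark voice bearer traffic is identified by DSCP EF regardless of port
 permit ip 10.20.0.0 0.0.255.255 any dscp ef
 deny   ip any any
!
! Port ACLs are applied inbound on a Layer 2 interface; one MAC ACL and one IP ACL
! can be active on a port. The MAC ACL classifies non-IP frames, the IP ACL IP packets.
interface FastEthernet0/10
 switchport mode access
 mac access-group L2-POLICY in
 ip access-group CLIENT-IN in
!
! Verification (privileged EXEC):
!   show access-lists
!   show time-range
!   show running-config interface FastEthernet0/10
```

The order of entries matters: the SSH/Telnet denies sit before the business-hours permits so that a web-port permit cannot be used to reach the management subnet, and the DSCP EF permit is placed last among the permits so that marked packets still cannot bypass the management-subnet denies.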
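An added example, not taken from the data sheet, that combines the port-level features listed above (802.1X with voice and guest VLAN and dynamic VLAN assignment, port security with aging, private VLAN edge, unknown unicast/multicast blocking, PortFast with BPDU guard, root guard, trusted boundary, IGMP filtering and MAC address notification) on one user-facing access port of a Catalyst switch running Cisco IOS. The VLAN numbers, RADIUS server, shared secret, multicast range and interface names are hypothetical, and some command spellings differ slightly between IOS releases.

```cisco
! Added example: hardened access port combining the features above (hypothetical values)
!
! AAA for 802.1X. "aaa authorization network" is what allows the RADIUS server
! to push a VLAN (dynamic VLAN assignment) in its Access-Accept.
aaa new-model
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-SECRET
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
mls qos                                  ! QoS must be enabled for trust settings to apply
mac address-table notification           ! MAC learned/removed notifications
snmp-server enable traps mac-notification
!
vlan 10
 name DATA
vlan 100
 name VOICE
vlan 200
 name GUEST
!
! IGMP filter profile: hosts may join only groups in 239.10.0.0/16
ip igmp profile 10
 permit
 range 239.10.0.0 239.10.255.255
!
interface FastEthernet0/1
 description user PC plus IP phone, 802.1X controlled
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100              ! phone reaches the voice VLAN regardless of 802.1X state
 switchport protected                   ! private VLAN edge: no forwarding to other protected ports
 switchport block unicast               ! no unknown-unicast flooding out of this port
 switchport block multicast             ! no unknown-multicast flooding out of this port
 !
 dot1x port-control auto                ! unauthorized until the supplicant authenticates
 dot1x guest-vlan 200                   ! hosts without a supplicant land on the guest VLAN
 !
 switchport port-security
 switchport port-security maximum 2                 ! one phone, one PC
 switchport port-security violation restrict         ! drop and notify, do not err-disable
 switchport port-security aging type inactivity
 switchport port-security aging time 10              ! minutes; frees the entry for the next device
 !
 spanning-tree portfast
 spanning-tree bpduguard enable         ! a BPDU received here error-disables the port
 !
 mls qos trust cos
 mls qos trust device cisco-phone       ! trusted boundary: trust CoS only while CDP sees a phone
 !
 ip igmp filter 10
 ip igmp max-groups 5                   ! at most five concurrent multicast streams on this port
 snmp trap mac-notification added
 snmp trap mac-notification removed
!
! Root guard goes on ports facing switches that must never become root, for example
! a downstream switch that is outside the administrator's control.
interface GigabitEthernet0/1
 description downlink to lab switch
 spanning-tree guard root
!
! Verification (privileged EXEC):
!   show dot1x interface FastEthernet0/1
!   show port-security interface FastEthernet0/1
!   show spanning-tree interface GigabitEthernet0/1 detail
```

Two caveats a practitioner should keep in mind: the trusted-boundary feature depends on CDP to detect the phone, so disabling CDP on the port silently turns trust off; and a restrict violation mode keeps the port up and logs offending MAC addresses, which is usually preferable on phone ports to the default shutdown mode that would also take the phone down.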
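The management-plane rows above (SSHv2 and SNMPv3, multilevel console access, and TACACS+/RADIUS authentication), as an added Cisco IOS configuration example that is not part of the data sheet. The hostname, domain, addresses, usernames, secrets and ACL names are hypothetical placeholders, and, as the data sheet notes, SSHv2 and SNMPv3 privacy require the crypto software image.

```cisco
! Added example: management-plane hardening (hypothetical names, addresses and secrets).
! Requires the crypto (k9) software image for SSHv2 and SNMPv3 privacy.
!
hostname SW-ACCESS-1
ip domain-name example.net
! Generate the RSA host key in privileged EXEC mode before enabling SSH:
!   crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Centralized AAA via TACACS+, with local accounts as fallback if the server is unreachable.
aaa new-model
tacacs-server host 10.1.1.20 key EXAMPLE-TACACS-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Multilevel access: a level-5 operator may run "show running-config"
! but cannot enter configuration mode; level 15 is reserved for administrators.
username admin privilege 15 secret EXAMPLE-ADMIN-PW
username ops   privilege 5  secret EXAMPLE-OPS-PW
privilege exec level 5 show running-config
enable secret EXAMPLE-ENABLE-PW
!
! Only SSH on the VTY lines, and only from the management subnet (no Telnet).
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! SNMPv3 authPriv: HMAC-SHA authentication and AES-128 privacy, read-only view,
! reachable only from the management subnet. No v1/v2c community strings are defined.
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user nms NMS-RO v3 auth sha EXAMPLE-AUTH-PW priv aes 128 EXAMPLE-PRIV-PW
!
! Verification (privileged EXEC):
!   show ip ssh
!   show snmp user
!   show privilege
```

Leaving "transport input ssh" without a Telnet alternative and defining no SNMP community strings is what actually removes the cleartext management paths; enabling SSHv2 and SNMPv3 alongside Telnet and v2c would only add an encrypted option without taking the unencrypted ones away.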
QoS