Feature
Benefit
• IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including those of the client.
• IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
• Port-based ACLs for Layer 2 interfaces allow application of security policies on individual switch ports.
• Unicast MAC filtering prevents the forwarding of any type of packet with a matching MAC address.
• Unknown unicast and multicast port blocking allows tight control by filtering packets that the switch has not already learned how to forward.
• SSHv2 and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSHv2 and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
• Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Secure intrusion detection system (IDS) to take action when an intruder is detected.
• TACACS+ and RADIUS authentication enable centralized control of the switch and restrict unauthorized users from altering the configuration.
• MAC address notification allows administrators to be notified of users added to or removed from the network.
• DHCP snooping allows administrators to ensure consistent mapping of IP to MAC addresses. This can be used to prevent attacks that attempt to poison the DHCP binding database, and to rate-limit the amount of DHCP traffic that enters a switch port.
• The DHCP Interface Tracker (Option 82) feature augments a host IP address request with the switch port ID.
• Port security restricts access to an access or trunk port based on MAC address.
• After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device to connect to the same port.
• Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone is present and to disable the trust setting if the IP phone is removed, thereby preventing a malicious user from overriding prioritization policies in the network.
• Multilevel security on console access prevents unauthorized users from altering the switch configuration.
• The user-selectable address-learning mode simplifies configuration and enhances security.
• BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received, to avoid accidental topology loops.
• Spanning-Tree Root Guard (STRG) prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes.
• IGMP filtering provides multicast authentication by filtering out non-subscribers and limits the number of concurrent multicast streams available per port.
• Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server (VMPS) client functions to provide flexibility in assigning ports to VLANs. Dynamic VLAN helps enable the fast assignment of IP addresses.
• Cisco Network Assistant software security wizards ease the deployment of security features for restricting user access to a server as well as to a portion of or the entire network.
• Up to 512 access control entries (ACEs) are supported, with two profiles: Security (384 Security ACL entries and 128 QoS policies), and QoS (128 Security ACL entries and 384 QoS policies).
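The following is an added example, not part of the Cisco data sheet, showing how several of the features listed above (DHCP snooping with Option 82 and rate limiting, port security with aging, unknown unicast/multicast blocking, and PortFast with BPDU Guard) combine on one untrusted access port and one trusted uplink in Cisco IOS. The interface names, VLAN number, and timer and rate values are assumptions chosen for illustration; they are not taken from the data sheet.

```cisco
! Added example configuration, not from the data sheet.
! Interface names, VLAN 10 and the numeric limits below are assumptions.

! DHCP snooping: build the IP-to-MAC binding table from DHCP exchanges and
! tag client requests with the ingress switch port (Option 82).
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option

! Untrusted user-facing access port
interface FastEthernet0/1
 description user port (untrusted)
 switchport mode access
 switchport access vlan 10
 ! Port security: one MAC address, drop and log violators rather than
 ! err-disabling the port, and age the learned address out after 5 minutes
 ! of inactivity so another device can later use the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! Do not flood traffic for destinations the switch has not learned.
 switchport block unicast
 switchport block multicast
 ! Edge port: skip STP listening/learning, but shut the port if any BPDU
 ! arrives, which is how an unexpected switch behind the port is caught.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Cap DHCP packets from this port (packets per second).
 ip dhcp snooping limit rate 15

! Uplink toward the distribution layer, where the legitimate DHCP server is reached
interface GigabitEthernet0/1
 description uplink (trusted for DHCP)
 switchport mode trunk
 ip dhcp snooping trust
```

After applying this, `show ip dhcp snooping binding` lists the IP/MAC/port bindings the switch has learned, and `show port-security interface FastEthernet0/1` reports the learned address, the violation count and the aging settings. Note that only the uplink is marked trusted: DHCP offers arriving on FastEthernet0/1 are discarded, which is what blocks a rogue DHCP server on a user port, and with `violation restrict` a second MAC address on that port is dropped and counted without taking the port down.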
© 2005 Cisco Systems, Inc. All rights reserved.
Page 7 of 16