All contents are Copyright © 2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Network-Wide Security Features
Feature: Security
Benefit:
• Filtering of incoming traffic flows based on Layer 2, Layer 3 or Layer 4 access control
parameters (ACPs) prevents unauthorized data flows.
– The following Layer 2 ACPs or a combination can be used for security classification
of incoming packets: source Media Access Control (MAC) address, destination MAC
address, and 16-bit Ethertype.
– The following Layer 3 and Layer 4 fields or a combination can be used for security
classification of incoming packets: source IP address, destination IP address, TCP
source or destination port number, and User Datagram Protocol (UDP) source or
destination port number. ACLs can also filter on DSCP values.
– Time-based ACLs allow configuration of differentiated services based on
time periods.
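The following IOS configuration fragment is an added, constructed illustration of the Layer 2 and Layer 3/4 filtering described above; it is not taken from the Cisco datasheet. It defines a MAC ACL, an extended IP ACL that also matches a DSCP value and a time range, and applies each inbound on an access port. Interface names, IP and MAC addresses, and the time window are placeholders, and the exact ACE syntax accepted differs slightly between Catalyst 2950 software releases.

```cisco
! Constructed example: inbound filtering on Catalyst 2950 access ports.
! All addresses, MAC addresses and interface names are placeholders.

! Time range referenced by a time-based ACE (weekdays, business hours)
time-range WORK-HOURS
 periodic weekdays 08:00 to 18:00
!
! Layer 2 ACPs: only one known source MAC may send into this port
mac access-list extended L2-ALLOWED-SRC
 permit host 0000.1111.2222 any
 deny any any
!
! Layer 3/4 ACPs: source/destination IP, TCP/UDP ports, DSCP, time range
ip access-list extended L3L4-IN
 remark SSH from the management subnet to the jump host only
 permit tcp 10.10.10.0 0.0.0.255 host 10.20.20.10 eq 22
 remark DNS to the internal resolver, only during work hours
 permit udp any host 10.20.20.53 eq domain time-range WORK-HOURS
 remark traffic already marked EF (voice bearer) is let through
 permit ip any any dscp ef
 remark everything else entering the port is dropped
 deny ip any any
!
interface FastEthernet0/1
 switchport mode access
 mac access-group L2-ALLOWED-SRC in
!
interface FastEthernet0/2
 switchport mode access
 ip access-group L3L4-IN in
```

On the 2950 these ACLs apply only to traffic entering the port, so the implicit deny at the end of L3L4-IN is what actually enforces the policy; check the result with `show access-lists` and `show running-config interface FastEthernet0/2` after applying it.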
• Secure Shell Protocol (SSH) provides secure login sessions and other
communications between two untrusted hosts over an insecure network by
encrypting the entire session. SSH features strong cryptographic authentication,
strong encryption, and integrity protection. To use this feature, the crypto (encrypted)
Catalyst 2950 LRE software image must be installed on your switch.
• SNMPv3 with encryption provides secure access to devices by authenticating and
encrypting all SNMP packets over the network. The encryption portion of SNMPv3
requires the crypto Catalyst 2950 LRE software image to be installed on your switch.
• The password recovery feature allows the administrator to protect access to the switch
configuration files: a user with physical access who interrupts the switch start process
can regain access only by agreeing to set the system back to its default configuration.
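As an added, constructed example of the encrypted management features listed above (SSH, SNMPv3 with privacy, and the password recovery behaviour), and not configuration from the datasheet, the fragment below enables SSH-only CLI access and an authenticated, encrypted SNMPv3 read-only user. It assumes the crypto software image is installed; the hostname, domain name, credentials and view names are placeholders, and the `no service password-recovery` command is assumed to be supported by the running software release.

```cisco
! Constructed example: encrypted management access (requires the crypto image).
! Hostname, domain name, credentials and view names are placeholders.

hostname sw-lre-1
ip domain-name example.net
! RSA host key for SSH; older releases prompt for the modulus size
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local administrator account, used only over SSH (Telnet is refused)
username admin privilege 15 secret REPLACE-ME
line vty 0 15
 login local
 transport input ssh
!
! SNMPv3 with authentication and privacy: no community strings at all
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW
snmp-server user nms-ro NMS-RO v3 auth sha REPLACE-AUTH priv des56 REPLACE-PRIV
!
! Password recovery as described above: someone who interrupts the boot
! sequence can only proceed by agreeing to reset the configuration
no service password-recovery
```

Because the SNMPv3 group is created with `priv`, the agent rejects requests that are only authenticated or not authenticated at all, so a monitoring station that has not been given both the auth and priv secrets cannot read the switch.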
• SNMPv3 (non-crypto) monitors and controls network devices, and manages
configurations, statistics collection, performance, and security.
• Private VLAN edge (protected port) provides security and isolation between ports on a
switch, ensuring that voice traffic travels directly from its entry point to the
aggregation device through a virtual path and cannot be directed to a different port.
• Support for the 802.1x standard allows users to be authenticated regardless of which
LAN port they are accessing, and provides unique benefits to customers who have a
large base of mobile (wireless) users accessing the network.
• Port Security secures access to a port based on the MAC address of a user's device.
The aging feature removes the MAC address from the switch after a specified time
to allow another device to connect to the same port.
• MAC Address Notification allows administrators to be notified of new users added to
or removed from the network.
• Spanning-tree root guard (STRG) prevents edge devices not in the network
administrator's control from becoming Spanning-Tree Protocol root nodes.
• The Spanning-Tree Protocol PortFast/bridge protocol data unit (BPDU) guard feature
disables an access port that has Spanning-Tree Protocol PortFast enabled when the port
receives a BPDU, which increases network reliability, manageability, and security.
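The fragment below is an added, constructed example of how the user-facing port features described in the preceding bullets (802.1x, Port Security with aging, MAC Address Notification, root guard and PortFast/BPDU guard) fit together on one switch; it is not configuration from the datasheet. The RADIUS server address and key, the interface names and the timers are placeholders, and some command spellings (for example `mac address-table notification` and `dot1x system-auth-control`) vary between Catalyst 2950 software releases.

```cisco
! Constructed example: hardening user-facing ports.
! RADIUS address/key, interface names and timers are placeholders.

! 802.1x: the port forwards only after a RADIUS server accepts the user
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-ME
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! BPDU guard on every PortFast-enabled port by default: an access port that
! hears a BPDU (a rogue switch) is errdisabled instead of joining the tree
spanning-tree portfast bpduguard default
!
! Send an SNMP trap whenever a MAC address is learned or removed
mac address-table notification
snmp-server enable traps mac-notification
!
! Port for mobile users: identity-based, no fixed MAC address expected
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
 snmp trap mac-notification added
 snmp trap mac-notification removed
!
! Port for a fixed device: one MAC only, aged out after 10 idle minutes so
! a replacement device can be connected without manual cleanup
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Port toward a switch outside the administrator's control: it may take part
! in spanning tree, but a superior BPDU from it puts the port in root-inconsistent state
interface FastEthernet0/23
 spanning-tree guard root
```

The `restrict` violation mode drops frames from unknown MAC addresses and raises a violation counter and trap rather than shutting the port, which keeps the notification flowing to the management station; use `shutdown` instead where an errdisabled port is the preferred response. `show port-security interface FastEthernet0/3` and `show spanning-tree inconsistentports` show the resulting state.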
• Multilevel security on console access prevents unauthorized users from altering the
switch configuration.
• TACACS+ and RADIUS authentication enable centralized control of the switch and
restrict unauthorized users from altering the configuration.
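As an added, constructed example of multilevel console access combined with centralized TACACS+ authentication (this is not configuration from the datasheet; substituting `group radius` gives the RADIUS variant), the fragment below authenticates and authorizes every login against a TACACS+ server, falls back to local accounts only when no server answers, and defines a read-only privilege level 5 beside the full level 15. The server address, shared key, usernames and passwords are placeholders.

```cisco
! Constructed example: centralized login control with TACACS+.
! Server address, shared key, usernames and passwords are placeholders.

aaa new-model
tacacs-server host 192.0.2.20 key REPLACE-ME
!
! Authenticate logins and enable against TACACS+, fall back to local/enable
! secrets only if no server answers; authorize the EXEC shell and
! level-15 commands the same way and account for every level-15 command
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback accounts and the multilevel setup:
! level 5 may only inspect the switch, level 15 may change it
username admin privilege 15 secret REPLACE-ME
username operator privilege 5 secret REPLACE-ME
enable secret level 5 REPLACE-ME
enable secret REPLACE-ME
privilege exec level 5 show running-config
privilege exec level 5 show
!
! Apply the same method list to the console and to the SSH vty lines
line con 0
 login authentication default
line vty 0 15
 login authentication default
 transport input ssh
```

With `aaa authorization commands 15` in place, even a user who reaches level 15 has each configuration command checked by the TACACS+ server, so a compromised local password alone does not grant the ability to alter the configuration while the server is reachable.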
• The user-selectable address-learning mode simplifies configuration and enhances
security.
• Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone
is present and disable the trust setting in the event that the IP phone is removed,
thereby preventing a rogue user from overriding prioritization policies in the network.
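The fragment below is an added, constructed example of the Trusted Boundary behaviour described in the bullet above; it is not configuration from the datasheet. It trusts the class-of-service marking on a port only while CDP reports a Cisco IP phone there, so unplugging the phone and connecting a PC directly revokes the trust automatically. The interface name and VLAN numbers are placeholders, and the `switchport priority extend` line is an assumed complement for a PC connected behind the phone.

```cisco
! Constructed example: trust CoS markings only while a Cisco IP phone is present.
! Interface name and VLAN numbers are placeholders.

! Trusted Boundary relies on CDP to detect the phone
cdp run
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! trust the CoS value of incoming frames ...
 mls qos trust cos
 ! ... but only as long as CDP sees a Cisco IP phone on this port;
 ! when the phone is removed the port falls back to untrusted
 mls qos trust device cisco-phone
 ! tell the phone to rewrite the attached PC's CoS to 0, so a host behind
 ! the phone cannot mark its own traffic as high priority
 switchport priority extend cos 0
 spanning-tree portfast
```

`show mls qos interface FastEthernet0/4` reports the trust state and whether the trusted-device condition is currently met; if CDP is disabled on the port or globally, the port stays untrusted regardless of what is attached.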
Cisco Systems, Inc.
Page 10 of 19