Feature | Benefit |
| • IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or |
| unauthorized state of the port. |
| • IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC |
| addresses, including those of the client. |
| • IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network access on the guest |
| VLAN. |
| • Unicast MAC filtering prevents the forwarding of any type of packet with a matching MAC address. |
| • Unknown unicast and multicast port blocking allows tight control by filtering packets that the switch has not |
| already learned how to forward. |
| • SSHv2 and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP |
| sessions. SSHv2 and the cryptographic version of SNMPv3 require a special cryptographic software image |
| because of U.S. export restrictions. |
| • Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Secure intrusion |
| detection system (IDS) to take action when an intruder is detected. |
| • TACACS+ and RADIUS authentication enable centralized control of the switch and restrict unauthorized users |
| from altering the configuration. |
| • MAC address notification allows administrators to be notified of users added to or removed from the network. |
| • DHCP snooping allows administrators to ensure consistent mapping of IP to MAC addresses. This can be used |
| to prevent attacks that attempt to poison the DHCP binding database, and to |
| traffic that enters a switch port. |
| • DHCP Interface Tracker (Option 82) feature augments a host IP address request with the switch port ID. |
| • Port security secures the access to an access or trunk port based on MAC address. |
| • After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device |
| to connect to the same port. |
| • Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone is present and to disable |
| the trust setting if the IP phone is removed, thereby preventing a malicious user from overriding prioritization |
| policies in the network. |
| • Multilevel security on console access prevents unauthorized users from altering the switch configuration. |
| • The |
| • BPDU Guard shuts down Spanning Tree Protocol |
| to avoid accidental topology loops. |
| • |
| becoming Spanning Tree Protocol root nodes. |
| • IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of |
| concurrent multicast streams available per port. |
| • Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server (VMPS) |
| client functions to provide flexibility in assigning ports to VLANs. Dynamic VLAN helps enable the fast |
| assignment of IP addresses. |
| • Cisco Network Assistant software security wizards ease the deployment of security features for restricting user |
| access to a server as well as to a portion of or the entire network. |
| • Up to 512 access control entries (ACEs) are supported, with two profiles: Security (384 Security ACL entries and 128 QoS policies), |
| and QoS (128 Security ACL entries and 384 QoS policies). |
© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.