Cisco Systems 3560 Security Features

1-8

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 1 Overview

Features

• Inter-Switch Link (ISL) and IEEE 802.1Q trunking encapsulation on all ports for network moves,

adds, and changes; management and control of broadcast and multicast traffic; and network security

by establishing VLAN groups for high-security users and network resources

• Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for

negotiating the type of trunking encapsulation (IEEE 802.1Q or ISL) to be used

• VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting

flooded traffic to links destined for stations receiving the traffic

• Voice VLAN for creating subnets for voice traffic from Cisco IP Phones

• VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1

to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent

or received on the trunk. The switch CPU continues to send and receive control protocol frames.

• Private VLANs to address VLAN scalability problems, to provide a more controlled IP address

allocation , and to allow Layer 2 ports to be isolated from other ports on th e switch

• Port security on a PVLAN host to limit the number of MAC addresses learned on a port, or define

which MAC addresses may be learned on a port

• VLAN Flex Link Load Balancing to provide Layer 2 redundancy without requiring Spanning Tree

Protocol (STP). A pair of interfaces configured as primary and backup links can load balance traffic

based on VLAN.

Security Features

• IP Service Level Agreements (IP SLAs) support to measure network performance by using active

traffic monitoring

• IP SLAs EOT to use the output from IP SLAs tracking operations triggered by an action such as

latency, jitter, or packet loss for a standby router failover takeover

• Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to

be authenticated using a web browser

• Local web authentication banner so that a custom banner or an image file can be displayed at a web

authentication login screen

• MAC authentication bypass (MAB) aging timer to detect inactive hosts that have authenticated after

they have authenticated by using MAB

• Password-protected access (read-only and read-write access) to management interfaces (device

manager, Network Assistant, and the CLI) for protection against unauthorized configuration

changes

• Multilevel security for a choice of security level, notification, and resulting actions

• Static MAC addressing for ensuring security

• Protected port option for restricting the forwarding of traffic to designated ports on the same switch

• Port security option for limiting and identifying MAC addresses of the stations allowed to access

the port

• VLAN aware port security option to shut down the VLAN on the port when a violation occurs,

instead of shutting down the entire port.

• Port security aging to set the aging time for secure addresses on a port

• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs