Data Sheet
Feature | Benefit |
Granular Rate Limiting | ● Cisco committed information rate (CIR) function provides bandwidth in increments as low as 8 Kbps. |
| ● Rate limiting is provided based on source and destination IP address, source and destination MAC address, Layer 4 TCP/UDP information, or any combination of these fields, using QoS ACLs (IP ACLs or MAC ACLs), class maps, and policy maps. |
| ● Asynchronous data flows upstream and downstream from the end station or on the uplink are easily managed using ingress policing and egress shaping. |
| ● Up to 64 aggregate or individual policers are available per Fast Ethernet or Gigabit Ethernet port. |
Network Security
Networkwide Security Features | ● IEEE 802.1x allows dynamic, |
| ● IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected. |
| ● IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port. |
| ● IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client. |
| ● IEEE 802.1x with an ACL assignment allows for specific |
| where the user is connected. |
| ● IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN. |
| ● Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs. |
| ● Cisco standard and extended IP security router ACLs define security policies on routed interfaces for |
| |
| ● |
| ● Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions. |
| ● Private VLAN Edge provides security and isolation between switch ports, which helps ensure that users cannot snoop on other users’ traffic. |
| ● Dynamic ARP Inspection helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol. |
| ● DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature is used by other primary security features to prevent a number of other attacks such as ARP poisoning. |
| ● IP source guard prevents a malicious user from spoofing or taking over another user’s IP address by creating a binding table between the client’s IP and MAC address, port, and VLAN. |
| ● Bidirectional data support on the Switched Port Analyzer (SPAN) port allows a Cisco Intrusion Detection System (IDS) to take action when an intruder is detected. |
| ● TACACS+ and RADIUS authentication facilitate centralized control of the switch and restrict unauthorized users from altering the configuration. |
| ● MAC address notification allows administrators to be notified of users added to or removed from the network. |
| ● DHCP Snooping helps administrators with consistent mapping of IP to MAC addresses. This can be |
| used to prevent attacks that attempt to poison the DHCP binding database and to |
| amount of DHCP traffic that enters a switch port. |
| ● Port security secures the access to an access or trunk port based on MAC address. |
| ● After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device to connect to the same port. |
| ● Trusted boundary provides the ability to trust the QoS priority settings if an IP phone is present and to disable the trust setting in the event that the IP phone is removed, thereby preventing a malicious user from overriding prioritization policies in the network. |
| ● Multilevel security on console access prevents unauthorized users from altering the switch configuration. |
| ● The |
| ● Bridge protocol data unit (BPDU) guard shuts down Spanning Tree |
| BPDUs are received to avoid accidental topology loops. |
| ● Spanning Tree Root Guard (STRG) prevents edge devices not in the network administrator’s control from becoming Spanning Tree Protocol root nodes. |
| ● IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port. |
| ● Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment of IP addresses. |
| ● Cisco CMS Software security wizards ease the deployment of security features for restricting user access to a server as well as to a portion or all of the network. |
| ● 1000 access control entries (ACEs) are supported. |