© 2004 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 7 of 18
Feature
Benefit
Security
Network-Security
Features
•
Filtering of incoming traffic flows based on Layer 2, Layer 3 or Layer 4 access control parameters (ACPs) prevents
unauthorized data flows.
•
The following Layer 2 ACPs or a combination can be used for security classification of incoming packets: source Media
Access Control (MAC) address, destination MAC address, and 16-bit Ethertype.
•
The following Layer 3 and Layer 4 fields or a combination can be used for security classification of incoming packets:
source/destination IP address, TCP source/destination port number, User Datagram Protocol (UDP) source, or destination
port number. ACLs can also be applied to filter based on DSCP values.
•
Time-based ACLs allow configuration of differentiated services based on time-periods.
•
Private VLAN edge provides security and isolation between ports on a switch, ensuring that voice traffic travels directly
from its entry point to the aggregation device through a virtual path and cannot be directed to a different port.
•
Support for the IEEE 802.1x standard allows users to be authenticated regardless of which LAN port they are accessing,
and provides unique benefits to customers who have a large base of mobile (wireless) users accessing the network.
–
IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where
the user is connected.
–
IEEE 802.1x with voice VLAN to permit an IP phone access to the voice VLANirrespective of the authorized or
unauthorized state of the port.
–
IEEE 802.1x with port security for authenticating the port and managing network access for all MAC addresses,
including that of the client.
–
IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network access on the Guest
VLAN.
•
SSHv2 and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions.
SSHv2 and the crypto version of SNMPv3 require a special crypto software image due to US export restrictions
•
Port Security and unicast MAC filtering secures the access to a port based on MAC addresses. The aging feature of port
security removes the MAC address from the switch after a specific timeframe to allow another device to connect to the
same port. Unicast MAC filtering allows non-IP packets to be filtered as well.
•
With unknown unicast/multicast port blocking, the switch will not flood packets with unknown destination MAC
addresses to all Ethernet ports. Unknown unicast/multicast port blocking disables flooding on a per-port basis. (Catalyst
2950G24, 2950G48, 2950G12, 2950G24DC only)
•
MAC Address Notification allows administrators to be notified of new users added or removed from the network.
•
Spanning-tree root guard (STRG) prevents edge devices not in the network administrator's control from becoming
Spanning-Tree Protocol root nodes.
•
The Spanning-Tree Protocol PortFast/bridge protocol data unit (BPDU) guard feature disables access ports with
SpanningTree Protocol PortFastenabled upon reception of a BPDU, and increases network reliability, manageability,
and security.
•
Multilevel security on console access prevents unauthorized users from altering the switch configuration.
•
and RADIUS authentication enable centralized control of the switch and restrict unauthorized users from
altering the configuration.
•
The user-selectable address-learning mode simplifies configuration and enhances security.
•
Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone is present, and to disable the trust
settings in the event that the IP phone is removed. This prevents a rogue user from overriding prioritization policies in
the network.
•
IGMP Filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent
multicast streams available per port.
