© 2012-2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
• Automation in managing hardware inventories, security vulnerabilities (PSIRTS) and platform end-of-life and support cycles

For detailed information about Cisco Prime, visit http://www.cisco.com/go/prime.

Security Features
The Cisco Catalyst 2960-SF Series Switches provide superior Layer 2 threat defense capabilities for mitigating
man-in-the-middle attacks (such as MAC, IP, and ARP spoofing). TrustSec, a primary element of Borderless
Security Architecture, helps enterprise customers secure their networks, data and resources with policy-based
access control, identity and role-aware networking, pervasive integrity, and confidentiality. Borderless security is
enabled by the following feature sets in the Cisco Catalyst 2960-SF Series Switches:
• Threat defense
• Cisco TrustSec
• Other advanced security features

Threat Defense
Cisco Integrated Security Features is an industry-leading solution available on Cisco Catalyst Switches that
proactively protects your critical network infrastructure. Delivering powerful, easy-to-use tools to effectively prevent
the most common and potentially damaging Layer 2 security threats, Cisco Integrated Security Features provides
robust security throughout the network. Cisco Integrated Security Features include Port Security, DHCP Snooping,
Dynamic ARP Inspection, and IP Source guard.
• Port Security secures the access to an access or trunk port based on MAC address. It limits the number of learned MAC addresses to deny MAC address flooding.
• DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature is used by other primary security features to prevent a number of other attacks such as ARP poisoning.
• Dynamic ARP Inspection (DAI) helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol.
• IP source guard prevents a malicious user from spoofing or taking over another user’s IP address by creating a binding table between the client’s IP and MAC address, port, and VLAN.

Cisco TrustSec
TrustSec secures access to the network, enforces security policies, and delivers standards-based security solutions
such as 802.1X, enabling secure collaboration and policy compliance. TrustSec capabilities reflect Cisco thought
leadership, innovations, and commitment to customer success. These new capabilities include:
• Flexible authentication that supports multiple authentication mechanisms including 802.1X, MAC Authentication Bypass and web authentication using a single, consistent configuration.
• Open mode that creates a user-friendly environment for 802.1X operations.
• Integration of device profiling technology and guest access handling with Cisco switching to significantly improve security while reducing deployment and operational challenges.
• RADIUS Change of Authorization and downloadable calls for comprehensive policy management capabilities.