Data Sheet
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Security
The Cisco Catalyst 2960 LAN Lite Switches support security features that can help your business protect important
information, keep unauthorized people off the network, guard privacy, and maintain uninterrupted operation.
The Cisco Identity-Based Networking Services (IBNS) solution provides authentication, access control, and security
policy administration to secure network connectivity and resources. Cisco IBNS in the Cisco Catalyst 2960 LAN Lite
Series prevents unauthorized access and helps ensure that users get only their designated privileges.
With Cisco IBNS you can dynamically administer granular levels of network access. Using the 802.1x standard and
the Cisco Secure Access Control Server (ACS), you can assign users a VLAN upon authentication, regardless of
where they connect to the network. This setup allows your IT department to enable strong security policies without
compromising user mobility, and with minimal administrative overhead.
You can use port security to limit access on an Ethernet port based on the MAC address of the device to which it is
connected. You also can use it to limit the total number of devices plugged into a switch port, thereby protecting the
switch from a MAC flooding attack as well as reducing the risks of rogue wireless access points or hubs.
You can use the MAC Address Notification feature to monitor the network and track users by sending an alert to a
management station so that your network administrators know when and where users entered the network. Secure
Shell Protocol Version 2 (SSHv2) and SNMPv3 encrypt administrative and network-management information,
protecting your network from tampering or eavesdropping. or RADIUS authentication enables centralized
access control of switches and restricts unauthorized users from altering the configurations. Alternatively, you can
configure a local username and password database on the switch itself. Fifteen levels of authorization on the switch
console and two levels on the web-based management interface allow you to give different levels of configuration
capabilities to different administrators.
Key security features include:
● IEEE 802.1x allows dynamic, port-based security, providing user authentication.
● IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of
where the user is connected.
● IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized
or unauthorized state of the port.
● IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC
addresses, including those of the client.
● IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network access on the
guest VLAN.
● MAC Auth Bypass (MAB) for voice or data devices allows devices without an 802.1x supplicant to gain
controlled network access by authenticating with their MAC address.
● Unicast MAC filtering prevents the forwarding of any type of packet with a matching MAC address.
● SSHv2 and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP
sessions. SSHv2 and the cryptographic version of SNMPv3 require a special cryptographic software image
because of U.S. export restrictions.
● and RADIUS authentication enables centralized control of the switch and restricts unauthorized
users from altering the configuration.
● MAC address notification allows administrators to be notified of users added to or removed from the
network.
● Per-port broadcast, multicast, and unicast storm control and CPU queues prevent faulty end stations
from degrading overall system performance and protect against denial-of-service attacks.