© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 8 of 18
Feature
Benefit
SECURITY
Security
•
Bridge protocol data unit (BPDU) guard shuts down Spanning-Tree Protocol PortFast-enabled interfaces when
BPDUs are received to avoid accidental topology loops.
•
Spanning-tree root guard (STRG) prevents edge devices not in the network administrator's control from becoming
Spanning-Tree Protocol root nodes.
•
IGMP Filtering provides multicast authentication by filtering out non-subscribers and limits the number of
concurrent multicast streams available per port.
•
Private VLAN edge provides security and isolation between ports on a switch, ensuring that users cannot snoop on
other users’ traffic.
•
Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone is present and disable the trust
setting in the event that the IP phone is removed, thereby preventing a malicious user from overriding prioritization
policies in the network.
•
Switch Port Analyzer (SPAN) for Cisco Secure Intrusion Detection System (IDS) support allows the IDS to take
action when an intruder is detected.
•
The user-selectable address-learning mode simplifies configuration and enhances security.
•
Cisco CMS Software Security Wizards ease the deployment of security features for restricting user access to a server,
a portion of the network or access to the network.
Network
Administration
Security
•
and RADIUS authentication to enable centralized control of the switch and restrict unauthorized users
from altering the configuration. Multilevel security on console access prevents unauthorized users from altering the
switch configuration.
•
SSH, Kerberos, and SNMPv3 provides network security by encrypting administrator traffic during Telnet and SNMP
sessions—SSH, Kerberos, and the crypto version of SNMPv3 require a special crypto software image due to US
export restrictions.
User and Device
Authentication
•
IEEE 802.1x for dynamic port-based security to prevent unauthorized clients from gaining access to the network.
•
Port Security secures the access to a port based on the MAC address of a users device. The aging feature removes the
MAC address from the switch after a specific timeframe to allow another device to connect to the same port, thereby
eliminating administrative overhead associated with this feature.
Granular Access
Control and Identity-
based Network
Services
•
Cisco security VLAN ACLs (VACLs) on all VLANs to prevent unauthorized data flows to be bridged within
VLANs.
•
Cisco standard and extended IP security Router ACLs (RACLs) for defining security policies on routed interfaces
for control plane and data plane traffic.
•
Port-based ACLs (PACLs) for Layer 2 interfaces allows security policies to be applied on individual switch ports.
•
Time-based ACLs allow the implementation of security settings during specific periods of the day or days of the
week.
•
802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user
is connected.
•
802.1x with an ACL assignment allows for specific security policies based on a user regardless of where the user is
connected.
•
802.1x with voice VLAN to permit an IP phone access to the voice VLAN irrespective of the authorized or
unauthorized state of the port.
•
802.1x and port security for authenticating the port and managing network access for all MAC addresses, including
that of the client.
•
Support for dynamic VLAN assignment through implementation of VLAN Membership Policy Server (VMPS)
client functionality provides flexibility in assigning ports to VLANs. Dynamic VLAN enables fast assignment
of IP address.
