Data Sheet
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 11 of 18
Network Security
Comprehensive Security Solutions
Subscriber Security
● IEEE 802.1x allows dynamic, port-based security by providing user authentication.
● IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
● IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses.
● IEEE 802.1x readiness check simplifies deployment by generating a report of end hosts capable of 802.1x.
● An absence of local switching behavior provides security and isolation between user-network interfaces (UNIs), helping ensure that users cannot monitor or access other users’ traffic on the same switch.
● DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature also prevents numerous other attacks such as Address Resolution Protocol (ARP) poisoning.
● Dynamic ARP Inspection helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol.
● IP Source Guard prevents a malicious user from spoofing or taking over another user’s IP address by creating a binding table between a client’s IP address, MAC address, port, and VLAN.
Switch Security
● Control Plane Security prevents DoS attacks on the CPU.
● Secure Shell (SSH) Protocol, Kerberos, and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
● Port security secures access to an access or trunk port based on MAC address. After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device to connect to the same port.
● Multilevel security on console access prevents unauthorized users from altering the switch configuration.
● TACACS+ and RADIUS authentication facilitate centralized control of the switch and restrict unauthorized users from altering the configuration.
● Configuration File Security helps ensure that only authenticated users have access to the configuration file.
● Per-VLAN MAC address learning prevents MAC address table overflow attacks.
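The subscriber-security features above (DHCP snooping, Dynamic ARP Inspection, IP Source Guard, 802.1x) and the port-security aging described under Switch Security, combined on one access port as an added Cisco IOS configuration example that is not taken from the datasheet. The VLAN number, interface names, RADIUS server address and shared-secret placeholder are constructed for illustration, and exact command syntax varies by platform and IOS release.

```cisco
! --- Global: DHCP snooping builds the IP/MAC/port/VLAN binding table that
! --- Dynamic ARP Inspection and IP Source Guard enforce against.
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
!
! --- 802.1x: RADIUS-backed port authentication (server address and key
! --- are constructed placeholders, not values from the datasheet).
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key REPLACE_WITH_SHARED_SECRET
dot1x system-auth-control
!
! --- Uplink toward the legitimate DHCP server: trusted for both features,
! --- so server replies and upstream ARP are forwarded without inspection.
interface GigabitEthernet0/1
 description Uplink (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Subscriber-facing access port: untrusted by default, so DHCP server
! --- messages and ARP replies that contradict the binding table are dropped.
interface FastEthernet0/1
 description Subscriber port (untrusted)
 switchport mode access
 switchport access vlan 100
 ! 802.1x: port stays unauthorized until the supplicant authenticates
 dot1x pae authenticator
 dot1x port-control auto
 ! Port security: one MAC, aged out after 5 idle minutes so a replacement
 ! device can connect; violations are logged and dropped, not shut down
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 ! IP Source Guard: only the IP address bound to this port/VLAN may send
 ip verify source
 ! Rate limits turn DHCP and ARP floods into a bounded CPU load
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
!
! --- Verification:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 100
!   show ip verify source
!   show port-security interface FastEthernet0/1
```

The binding table shown by `show ip dhcp snooping binding` is the shared state: an entry missing there means both DAI and IP Source Guard will drop that host's ARP and IP traffic, which is the first thing to check when a legitimately addressed subscriber loses connectivity.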
Network Security
● Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
● Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control-plane and data-plane traffic.
● Port-based ACLs for Layer 2 interfaces allow for application of security policies on individual switch ports.
● MAC address notification allows administrators to be notified of users added to or removed from the network.
Network Monitoring
● Remote Switched Port Analyzer (RSPAN) allows for remote monitoring of the user interface.
● Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco intrusion detection system (IDS) to take action when an intruder is detected.