Cisco Catalyst 2960-XR Security Configuration Manual page 36

Cisco IOS Release 15.0(2)EX1

Security Features Overview
Note: To use Web Authentication, the switch must be running the LAN Base image.

• Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes.
• Multilevel security for a choice of security level, notification, and resulting actions.
• Static MAC addressing for ensuring security.
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch.
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port.
• VLAN-aware port security option to shut down the VLAN on the port when a violation occurs, instead of shutting down the entire port.
• Port security aging to set the aging time for secure addresses on a port.
• Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packets that exceed a specified ingress rate.
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.
• Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2 interfaces (port ACLs).
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces.
• Source and destination MAC-based ACLs for filtering non-IP traffic.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings.
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These 802.1x features are supported:
  ◦ Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port.
    Note: To use MDA, the switch must be running the LAN Base image.
  ◦ Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an MDA-enabled port.
  ◦ VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.

Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01
