Enhanced Security - Cisco Catalyst 3560-24TS Datasheet

Cisco Catalyst 3560-24TS: Specifications

Data Sheet
than traditional network management capabilities. Cisco EnergyWise's management interfaces
allow facilities and network management applications to communicate with endpoints and each
other using the network as a unifying fabric. The management interface uses standard SNMP or
SSL to integrate Cisco and third-party management systems.

Cisco EnergyWise extends the network as a platform for the power control plane for gathering,
managing, and reducing power consumption of all devices, resulting in companywide optimized
power delivery and reduced energy costs.

Enhanced Security

With the wide range of security features that the Cisco Catalyst 3560 Series offers, businesses
can protect important information, keep unauthorized people off the network, guard privacy, and
maintain uninterrupted operation.

Cisco Identity Based Networking Services (IBNS) provides authentication, access control, and
security policy administration to secure network connectivity and resources. Cisco IBNS in the
Cisco Catalyst 3560 Series prevents unauthorized access and helps ensure that users get only
their designated privileges. It provides the ability to dynamically administer granular levels of
network access. Using the 802.1x standard and the Cisco Access Control Server (ACS), users can
be assigned a VLAN or an ACL upon authentication, regardless of where they connect to the
network. This setup allows IT departments to enable strong security policies without compromising
user mobility, and with minimal administrative overhead.

To guard against denial-of-service and other attacks, ACLs can be used to restrict access to
sensitive portions of the network by denying packets based on source and destination MAC
addresses, IP addresses, or TCP/UDP ports. ACL lookups are done in hardware, so forwarding
performance is not compromised when implementing ACL-based security.

Port security can be used to limit access on an Ethernet port based on the MAC address of the
device to which it is connected. It also can be used to limit the total number of devices plugged into
a switch port, thereby protecting the switch from a MAC flooding attack as well as reducing the
risks of rogue wireless access points or hubs.

With Dynamic Host Configuration Protocol (DHCP) snooping, DHCP spoofing can be thwarted by
allowing only DHCP requests (but not responses) from untrusted user-facing ports. Additionally,
the DHCP Interface Tracker (Option 82) helps enable granular control over IP address assignment
by augmenting a host IP address request with the switch port ID. Building further on the DHCP
snooping capabilities, IP address spoofing can be thwarted using Dynamic ARP Inspection and IP
Source Guard.
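
The following is an added example, not part of the Cisco data sheet and not Cisco's implementation: a simplified Python model of how a binding table learned by DHCP snooping is reused by Dynamic ARP Inspection and IP Source Guard on untrusted ports. The `Switch` class, its method names, the port names and all addresses are hypothetical; VLAN and lease-time tracking are omitted.

```python
# Simplified model (added example): snooped bindings drive DAI and IP Source Guard.
# Port names, MAC and IP addresses are constructed sample values.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP responses only a server sends

class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing the real DHCP server
        self.pending = {}                  # client MAC -> untrusted port it asked from
        self.bindings = {}                 # (port, MAC) -> IP learned from a trusted ACK

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: return True if the message is forwarded."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False               # response from a user-facing port: drop
            if msg == "ACK" and client_mac in self.pending:
                self.bindings[(self.pending.pop(client_mac), client_mac)] = ip
            return True
        if port not in self.trusted:       # DISCOVER/REQUEST from a client
            self.pending[client_mac] = port
        return True

    def arp_ok(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: ARP sender must match a snooped binding."""
        return port in self.trusted or self.bindings.get((port, sender_mac)) == sender_ip

    def ip_ok(self, port, src_ip):
        """IP Source Guard: source IP must be one leased on this port."""
        leased = {ip for (p, _), ip in self.bindings.items() if p == port}
        return port in self.trusted or src_ip in leased

def demo():
    sw = Switch(trusted_ports={"Gi0/1"})
    host = "00:00:5e:00:53:01"
    return {
        "client_request": sw.dhcp("Fa0/5", "REQUEST", host),
        "rogue_offer": sw.dhcp("Fa0/7", "OFFER", host, "192.0.2.99"),
        "server_ack": sw.dhcp("Gi0/1", "ACK", host, "192.0.2.20"),
        "arp_legit": sw.arp_ok("Fa0/5", host, "192.0.2.20"),
        "arp_spoofed_gateway": sw.arp_ok("Fa0/5", host, "192.0.2.1"),
        "arp_from_other_port": sw.arp_ok("Fa0/7", host, "192.0.2.20"),
        "ip_legit": sw.ip_ok("Fa0/5", "192.0.2.20"),
        "ip_spoofed": sw.ip_ok("Fa0/5", "192.0.2.50"),
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:22} {'forward' if allowed else 'drop'}")
```
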
The MAC Address Notification feature can be used to monitor the network and track users by
sending an alert to a management station so that network administrators know when and where
users entered the network. The Private VLAN feature isolates ports on a switch, helping ensure
that traffic travels directly from the entry point to the aggregation device through a virtual path and
cannot be directed to another port.

Secure Shell (SSH) Protocol Version 2, Kerberos, and Simple Network Management Protocol
Version 3 (SNMPv3) encrypt administrative and network-management information, protecting the
network from tampering or eavesdropping. TACACS+ or RADIUS authentication enables
centralized access control of switches and restricts unauthorized users from altering the
configurations. Alternatively, a local username and password database can be configured on the
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 22
