Enhanced Security - Cisco Catalyst 2960 Series Datasheet

Switches with LAN Base Software

Data Sheet
As companies increasingly rely on networks as their strategic business infrastructure, it is more
important than ever to help ensure their high availability, security, scalability, and control. By
adding Cisco intelligent functions for LAN access, you can now deploy networkwide intelligent
services that consistently address these requirements from the desktop to the core and through
the WAN.
Cisco Catalyst Intelligent Ethernet switches help you realize the full benefits of adding intelligent
services into your networks. Deploying capabilities that make the network infrastructure highly
available to accommodate time-critical needs, scalable to accommodate growth, secure enough to
protect confidential information, and capable of differentiating and controlling traffic flows is critical
to further optimizing network operations.

Enhanced Security

The wide range of security features that the Cisco Catalyst 2960 LAN Base Series offers helps you
protect important information, keep unauthorized people off the network, guard privacy, and
maintain uninterrupted operation.
The Cisco Identity-Based Networking Services (IBNS) solution provides authentication, access
control, and security policy administration to secure network connectivity and resources. Cisco
IBNS in the Cisco Catalyst 2960 LAN Base Series prevents unauthorized access and helps ensure
that users get only their designated privileges. It provides the ability to dynamically administer
granular levels of network access. Using the 802.1X standard and the Cisco Secure Access
Control Server (ACS), users can be assigned a VLAN upon authentication, regardless of where
they connect to the network. This setup allows IT departments to enable strong security policies
without compromising user mobility and with minimal administrative overhead.
To guard against denial-of-service (DoS) and other attacks, ACLs can be used to restrict access to
sensitive portions of the network by denying packets based on source and destination MAC
addresses, IP addresses, or TCP/User Datagram Protocol (UDP) ports. ACL lookups are done in
hardware, so forwarding performance is not compromised when ACL-based security is
implemented.
Port security can be used to limit access on an Ethernet port based on the MAC address of the
device to which it is connected. It also can be used to limit the total number of devices plugged into
a switch port, thereby protecting the switch from a MAC flooding attack as well as reducing the
risks of rogue wireless access points or hubs.
With Dynamic Host Configuration Protocol (DHCP) snooping, DHCP spoofing can be thwarted by
allowing only DHCP requests (but not responses) from untrusted user-facing ports. Additionally,
the DHCP Interface Tracker (Option 82) feature helps enable granular control over IP address
assignment by augmenting a host IP address request with the switch port ID.
The MAC Address Notification feature can be used to monitor the network and track users by
sending an alert to a management station so that network administrators know when and where
users entered the network. Secure Shell Protocol Version 2 (SSHv2) and Simple Network
Management Protocol Version 3 (SNMPv3) encrypt administrative and network-management
information, protecting the network from tampering or eavesdropping. TACACS+ or RADIUS
authentication enables centralized access control of switches and restricts unauthorized users
from altering the configurations. Alternatively, a local username and password database can be
configured on the switch itself. Fifteen levels of authorization on the switch console and two levels
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.