Cisco Catalyst 3560V2-24PS Datasheet page 6

SSHv2, Kerberos, and SNMPv3 provide network security by encrypting administrator traffic during Telnet and
●
SNMP sessions. SSHv2, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic
software image because of U.S. export restrictions.
Private VLAN Edge provides security and isolation between switch ports, helping ensure that users cannot
●
snoop on other users' traffic.
Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a
●
broadcast segment into a nonbroadcast multi-access-like segment.
Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Secure Intrusion
●
Detection System (IDS) to take action when an intruder is detected.
TACACS+ and RADIUS authentication enable centralized control of the switch and restrict unauthorized
●
users from altering the configuration.
MAC address notification allows administrators to be notified of users added to or removed from the network.
●
Dynamic ARP Inspection (DAI) helps ensure user integrity by preventing malicious users from exploiting the
●
insecure nature of the ARP protocol.
DHCP snooping allows administrators to help ensure consistent mapping of IP to MAC addresses. This can
●
be used to prevent attacks that attempt to poison the DHCP binding database, and to rate limit the amount of
DHCP traffic that enters a switch port.
IP source guard prevents a malicious user from spoofing or taking over another user's IP address by creating
●
a binding table between the client's IP and MAC address, port, and VLAN.
DHCP Interface Tracker (Option 82) augments a host IP address request with the switch port ID.
●
Port security secures the access to an access or trunk port based on MAC address.
●
After a specific timeframe, the aging feature removes the MAC address from the switch to allow another
●
device to connect to the same port.
Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone is present and to disable
●
the trust setting if the IP phone is removed, thereby preventing a malicious user from overriding prioritization
policies in the network.
Multilevel security on console access prevents unauthorized users from altering the switch configuration.
●
The user-selectable address-learning mode simplifies configuration and enhances security.
●
BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received to
●
avoid accidental topology loops.
Spanning-Tree Root Guard (STRG) prevents edge devices not in the network administrator's control from
●
becoming Spanning Tree Protocol root nodes.
IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of
●
concurrent multicast streams available per port.
Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server (VMPS)
●
client functions to provide flexibility in assigning ports to VLANs. Dynamic VLAN helps enable the fast
assignment of IP addresses.
Cisco Network Assistant software security wizards ease the deployment of security features for restricting
●
user access to a server as well as to a portion of or the entire network.
Two thousand access control entries (ACEs) are supported.
●
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Data Sheet
Page 6 of 20