Threat Defense; Cisco Trustsec; Other Advanced Security Features - Cisco Catalyst 3560X-24P Datasheet

Cisco Catalyst 3560X-24P: Specifications

Threat Defense

Cisco Integrated Security Features is an industry-leading solution available on Cisco Catalyst Switches that
proactively protects your critical network infrastructure. Delivering powerful, easy-to-use tools to effectively prevent
the most common and potentially damaging Layer 2 security threats, Cisco Integrated Security Features provides
robust security throughout the network. Cisco Integrated Security Features include Port Security, DHCP Snooping,
Dynamic ARP Inspection, and IP Source Guard.
● Port Security secures the access to an access or trunk port based on MAC address. It limits the number of
learned MAC addresses to deny MAC address flooding.
● DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses.
This feature is used by other primary security features to prevent a number of other attacks such as ARP
poisoning.
● Dynamic ARP Inspection (DAI) helps ensure user integrity by preventing malicious users from exploiting the
insecure nature of the ARP protocol.
● IP Source Guard prevents a malicious user from spoofing or taking over another user's IP address by
creating a binding table between the client's IP and MAC address, port, and VLAN.
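
How the binding table ties these features together, as an added example that is not part of the Cisco data sheet and not Cisco code: a toy Python model in which DHCP Snooping learns bindings from server ACKs on a trusted uplink, and Dynamic ARP Inspection and IP Source Guard validate traffic against them. The class name, port names, addresses, and the rule that trusted uplinks bypass both checks are assumptions of this model.

```python
class SnoopingSwitch:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.pending = {}                  # (vlan, client MAC) -> port the request came from
        self.bindings = {}                 # (vlan, port, ip) -> MAC: the binding table

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """DHCP snooping: drop server replies on untrusted ports, learn bindings from ACKs."""
        if msg not in self.SERVER_MSGS:    # DISCOVER/REQUEST from a client
            self.pending[(vlan, client_mac)] = port
            return "forward"
        if port not in self.trusted:
            return "drop"
        client_port = self.pending.get((vlan, client_mac))
        if msg == "ACK" and client_port is not None:
            self.bindings[(vlan, client_port, ip)] = client_mac
        return "forward"

    def _check(self, port, vlan, mac, ip):
        # Model assumption: trusted uplinks bypass the binding check.
        ok = port in self.trusted or self.bindings.get((vlan, port, ip)) == mac
        return "forward" if ok else "drop"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: ARP sender IP/MAC must match a binding on this port."""
        return self._check(port, vlan, sender_mac, sender_ip)

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: data-plane source IP/MAC must match a binding on this port."""
        return self._check(port, vlan, src_mac, src_ip)


def demo():
    # Constructed events: host a on Gi0/1, host b on Gi0/2, DHCP server behind Gi0/24.
    sw, a, b = SnoopingSwitch({"Gi0/24"}), "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    return [
        sw.dhcp("Gi0/1", 10, "REQUEST", a),             # client asks for a lease
        sw.dhcp("Gi0/2", 10, "ACK", a, "10.0.10.99"),   # server reply from an access port
        sw.dhcp("Gi0/24", 10, "ACK", a, "10.0.10.5"),   # real server: binding learned
        sw.arp("Gi0/1", 10, a, "10.0.10.5"),            # matches the binding
        sw.arp("Gi0/2", 10, b, "10.0.10.5"),            # unbound host claims a leased IP
        sw.ip_packet("Gi0/2", 10, b, "10.0.10.5"),      # same claim in the IP source field
        sw.ip_packet("Gi0/1", 10, a, "10.0.10.5"),      # legitimate traffic
    ]
```

The model makes the dependency visible: without the binding learned by DHCP Snooping, both the ARP check and the source-address check drop everything on an access port, including legitimate traffic.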

Cisco TrustSec

TrustSec secures access to the network, enforces security policies, and delivers standards-based security solutions
such as 802.1X, enabling secure collaboration and policy compliance. TrustSec capabilities reflect Cisco thought
leadership, innovations, and commitment to customer success. These new capabilities include:
● IEEE 802.1AE MACsec with prestandard 802.1X-REV key management: industry's first fixed switches with
prestandard 802.1X-REV key management. Available on Cisco Catalyst 3750-X and 3560-X Series Switches,
MACsec provides Layer 2, line-rate Ethernet data confidentiality and integrity on host-facing ports, protecting
against man-in-the-middle attacks (snooping, tampering, and replay).
● Flexible authentication that supports multiple authentication mechanisms including 802.1X, MAC
Authentication Bypass, and web authentication using a single, consistent configuration.
● Open mode that creates a user-friendly environment for 802.1X operations.
● Integration of device profiling technology and guest access handling with Cisco switching to significantly
improve security while reducing deployment and operational challenges.
● RADIUS Change of Authorization and downloadable ACLs for comprehensive policy management
capabilities.
● 802.1X Supplicant with Network Edge Access Transport (NEAT) enables extended secure access where
compact switches in the conference rooms have the same level of security as switches inside the locked
wiring closet.

Other Advanced Security Features

Other Advanced Security features include but are not limited to:
● Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a
broadcast segment into a nonbroadcast multiaccess-like segment.
● Private VLAN Edge provides security and isolation between switch ports, which helps ensure that users
cannot snoop on other users' traffic.
● Unicast Reverse Path Forwarding (RPF) feature helps mitigate problems caused by the introduction of
malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a
verifiable IP source address.
© 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.