Cisco WS-C3560-48PS-S Software Configuration Manual page 44

Features
•
•
•
•
•
Security Features
Note The Kerberos feature listed in this section is available only on the cryptographic (that is, supports
encryption) versions of the SMI and EMI.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Catalyst 3560 Switch Software Configuration Guide
1-6
Inter-Switch Link (ISL) and IEEE 802.1Q trunking encapsulation on all ports for network moves,
adds, and changes; management and control of broadcast and multicast traffic; and network security
by establishing VLAN groups for high-security users and network resources
Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for
negotiating the type of trunking encapsulation (802.1Q or ISL) to be used
VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting
flooded traffic to links destined for stations receiving the traffic
Voice VLAN for creating subnets for voice traffic from Cisco IP Phones
VLAN1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1
to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent
or received on the trunk. The switch CPU continues to send and receive control protocol frames.
Password-protected access (read-only and read-write access) to management interfaces (CMS and
CLI) for protection against unauthorized configuration changes
Multilevel security for a choice of security level, notification, and resulting actions
Static MAC addressing for ensuring security
Protected port option for restricting the forwarding of traffic to designated ports on the same switch
Port security option for limiting and identifying MAC addresses of the stations allowed to access
the port
Port security aging to set the aging time for secure addresses on a port
BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
Standard and extended IP access control lists (ACLs) for defining security policies in both directions
on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces
VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on
information in the MAC, IP, and TCP/User Datagram Protocol (UDP) headers
Source and destination MAC-based ACLs for filtering non-IP traffic
DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining
access to the network
802.1X with VLAN assignment for restricting 802.1X-authenticated users to a specified VLAN
–
– 802.1X with port security for controlling access to 802.1X ports
– 802.1X with voice VLAN to permit an IP phone access to the voice VLAN regardless of the
authorized or unauthorized state of the port
– 802.1X with guest VLAN to provide limited services to non-802.1X-compliant users
Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for
managing network security through a TACACS server
Chapter 1 Overview
78-16156-01