Table of Contents
Advertisement
Features and benefits
Quality of Service (QoS)
• IEEE 802.1p prioritization: delivers data to
devices based on the priority and type of traffic
• Class of Service (CoS): sets the IEEE 802.1p
priority tag based on IP address, IP Type of Service
(ToS), Layer 3 protocol, TCP/UDP port number,
source port, and DiffServ
• Bandwidth shaping:
– Port-based rate limiting: provides per-port
ingress-/egress-enforced maximum bandwidth
– Classifier-based rate limiting: uses an
access control list (ACL) to enforce maximum
bandwidth for ingress traffic on each port
– Guaranteed minimum: provides per-port,
per-queue egress-based guaranteed minimum
bandwidth
• Congestion avoidance: Weighted Random
Early Detection (WRED)/Random Early Detection
(RED)
• Powerful QoS feature: supports the following
congestion actions: strict priority (SP) queuing,
weighted round robin (WRR), weighted fair queuing
(WFQ), and WRED
• Traffic policing: supports Committed Access Rate
(CAR) and line rate
Intrusion detection/prevention system
(IDS/IPS)
• Deep packet inspection: module supports deep
packet inspection and examines the packet payload
as well as the frame and packet headers; packets
are dropped if attacks or intrusions are detected
using signature-based or protocol anomaly-based
detection
• Signature-based detection: detects attacks that
have known attack patterns; IPS maintains a
signature database that contains the pattern
definitions for known attacks that can be
automatically updated using a subscription service
• Protocol anomaly-based detection: detects
attacks that use anomalies in application protocol
payloads
• Severity-based action policies: involve action
taken against attacks based on their severity;
available actions are "allow," "block," and
"terminate connection" to provide appropriate
mitigation
• Signature update service: provides regular
updates to the signature database, helping to ensure
that the latest available signatures are installed
Firewall
• Stateful firewall: enforces firewall policies to
control traffic and filter access to network services;
maintains session information for every connection
passing through it, enabling the firewall to control
packets based on existing sessions
• Zone-based access policies: logically groups
virtual LANs (VLANs) into zones that share common
security policies; allows both unicast and multicast
policy settings by zones instead of by individual
VLANs
• Application-level gateway (ALG): deep
packet inspection in the firewall discovers the IP
address and service port information embedded in
the application data; the firewall then dynamically
opens appropriate connections for specific
applications
• NAT/PAT: choice of dynamic or static network
address translation (NAT) preserves a network's IP
address pool or conceals the private address of
network resources, such as Web servers, which are
made accessible to users of a guest or public
wireless LAN
Virtual private network (VPN)
• IPSec: provides secure tunneling over an untrusted
network such as the Internet or a wireless network;
offers data confidentiality, authenticity, and integrity
between two endpoints of the network
• Generic Routing Encapsulation (GRE): can be
used to transport Layer 2 connectivity over a Layer 3
path in a secured way; enables the segregation of
traffic from site to site
• Manual or automatic Internet Key
Exchange (IKE): provides both manual or
automatic key exchange required for the algorithms
used in encryption or authentication; auto-IKE allows
automated management of the public key exchange,
providing the highest levels of encryption
2
Hide quick links:
Advertisement
Table of Contents
