Product Overview And Benefit
● MAC-based VLAN assignment enables different users to authenticate on different VLANs. This feature enables each user to have a different data VLAN on the same interface.
● Cisco TrustSec uses SXP to simplify security and policy enforcement throughout the network. For more information about Cisco TrustSec security solutions.
● Comprehensive 802.1X features control access to the network, including Flexible Authentication, 802.1X Monitor Mode, and RADIUS Change of Authorization.
● IPv6 First-Hop Security enhances Layer 2 and Layer 3 network access from proliferating IPv6 devices, especially BYOD devices. It protects against rogue router advertisements, address spoofing, fake DHCP replies, and other risks introduced by IPv6 technology.
● Device Sensor and Device Classifier enable seamless, versatile device profiles, including BYOD devices. They also enable Cisco Identity Services Engine (ISE) to provision identity-based security policies. This feature is available on both the 2960-X and the 2960-XR product families.
● Cisco Trust Anchor Technology enables easy distribution of a single universal image for all models of Catalyst 2960-X by verifying the authenticity of IOS images. This technology allows the switch to perform IOS integrity checks at boot-up by verifying the signature, verifying the Trusted Asset under Management and authenticating the license.
● Cisco Threat Defense features include Port Security, Dynamic ARP Inspection, and IP Source Guard.
● Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multiaccess-like segment. This feature is available in the IP-Lite feature set only.
◦ Private VLAN Edge provides security and isolation between switch ports, which helps ensure that users cannot snoop on other users’ traffic.
● The Unicast Reverse Path Forwarding (uRPF) feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. This feature is available in the IP-Lite feature set only.
● Multidomain Authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on the appropriate voice and data VLANs.
● Access Control Lists (ACLs) for IPv6 and IPv4 for security and QoS ACEs.
◦ VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
◦ Router ACLs define security policies on routed interfaces for control-plane and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic.
◦ Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
● Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
● Switched Port Analyzer (SPAN), with bidirectional data support, allows Cisco Intrusion Detection System (IDS) to take action when an intruder is detected.
● TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
● MAC Address Notification allows administrators to be notified of users added to or removed from the network.
● Multilevel security on console access prevents unauthorized users from altering the switch configuration.
● Bridge protocol data unit (BPDU) Guard shuts down Spanning Tree Port Fast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
● Spanning Tree Root Guard (STRG) prevents edge devices not in the network administrator’s control from becoming Spanning Tree Protocol root nodes.
● IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port.
● Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment of IP addresses.