IEEE 802.1x allows dynamic, port-based security, providing server authentication.
IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific server, regardless of where the server is connected.
IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including those of the server.
IEEE 802.1x with an ACL assignment allows specific identity-based security policies, regardless of where the server is connected.
IEEE 802.1x with guest VLAN allows servers without IEEE 802.1x clients to have limited network access on the guest VLAN.
Cisco security VLAN ACLs (VACLs) on all VLANs prevent unauthorized data flows from being bridged within VLANs.
Port-based ACLs (PACLs) allow security policies to be applied on individual switch ports.
SSHv2, Kerberos, and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
Secure Sockets Layer (SSL) provides a secure means to use Web-based tools such as HTML-based device managers.
Private VLAN Edge provides security and isolation between switch ports, helping ensure that users cannot snoop on other users’ traffic.
Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Secure Intrusion Detection System (IDS) [[PLS PROVIDE FULL PRODUCT NAME; NOT ON MDS]] to take action when an intruder is detected.
TACACS+ and RADIUS authentication enables centralized control of the switch and restricts unauthorized users from altering the configuration.
MAC address notification allows administrators to be notified of servers added to or removed from the network.
Port security secures access to an access or trunk port based on the MAC address.
After a specific time period, the Aging feature removes the MAC address from the switch to allow another server to connect to the same port.
Multilevel security on console access prevents unauthorized users from altering the switch configuration.
The user-selectable address-learning mode simplifies configuration and enhances security.
BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
Spanning Tree Root Guard (STRG) prevents edge devices not in the network administrator’s control from becoming Spanning Tree Protocol root nodes.
IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port.
Dynamic VLAN assignment is supported through implementation of the VLAN Membership Policy Server (VMPS) client function to provide flexibility in assigning ports to VLANs. Dynamic VLAN enables the fast assignment of IP addresses.
1000 security access control entries are supported.
Dynamic Address Resolution Protocol (ARP) Inspection (DAI) helps ensure user integrity by preventing malicious users from exploiting the insecure nature of ARP.
DHCP Snooping prevents malicious users from spoofing a DHCP server and sending out bogus addresses. This feature is used by other primary security features to prevent a number of other attacks such as ARP poisoning.
IP Source Guard prevents a malicious user from spoofing or taking over another user’s IP address by creating a binding table between the client’s IP and MAC address, port, and VLAN.
Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer