Cisco Systems, Inc.
All contents are Copyright © 1992–2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 3 of 19
Secure Shell (SSH) Protocol and SNMPv3 protect information from tampering or eavesdropping by encrypting
information being passed along the network, thereby guarding administrative information. Private VLAN Edge
isolates ports on a switch, ensuring that traffic travels directly from the entry point to the aggregation device through
a virtual path and cannot be directed to another port.
Port-based access control parameters (ACPs) restrict sensitive portions of the network by denying packets based on
source and destination MAC addresses, IP addresses, or Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) ports. ACP lookups are done in hardware, so forwarding performance is not compromised when
implementing this type of security in the network. In addition, time-based ACPs allow configuration of differentiated
services based on time periods. ACPs can also be applied to filter traffic based on differentiated services code point
(DSCP) values. Port security provides another means to ensure that appropriate users are on the network, by limiting
access based on MAC addresses.
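The following configuration is added here as an illustration and is not part of the Cisco datasheet. It shows, on an IOS-based switch, the four kinds of filter the paragraph above describes (a Layer 3/4 ACL, a time-based ACL, a DSCP-based ACL and a MAC ACL) together with port security. All addresses, names and interface numbers are hypothetical, and the exact command set available depends on the software release.

```cisco
! Added example (not from the datasheet); addresses, names and ports are hypothetical.
! Layer 3/4 filter: allow Telnet to the management subnet only from one admin host.
ip access-list extended BLOCK-TELNET-TO-MGMT
 permit tcp host 192.0.2.50 192.0.2.0 0.0.0.255 eq 23
 deny   tcp any 192.0.2.0 0.0.0.255 eq 23
 permit ip any any
!
! Time-based variant: the same deny rule is active only during business hours.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
ip access-list extended BLOCK-TELNET-BUSINESS-HOURS
 deny   tcp any 192.0.2.0 0.0.0.255 eq 23 time-range BUSINESS-HOURS
 permit ip any any
!
! DSCP-based filter: drop packets that arrive already marked EF (DSCP 46),
! so an end host cannot claim voice priority for itself.
ip access-list extended DROP-PREMARKED-EF
 deny   ip any any dscp ef
 permit ip any any
!
! Layer 2 filter on the source MAC address of a known-bad station.
mac access-list extended BLOCK-ROGUE-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
! One IP ACL and one MAC ACL may be applied inbound on a Layer 2 port.
interface FastEthernet0/1
 switchport mode access
 ip access-group BLOCK-TELNET-TO-MGMT in
 mac access-group BLOCK-ROGUE-MAC in
!
! Port security on a second port: at most two learned MAC addresses; frames
! from any other address are dropped and counted instead of disabling the port.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

After applying the configuration, `show access-lists` displays the filters and their hit counters, and `show port-security interface FastEthernet0/2` shows the learned addresses and the violation count, which is the value to watch in monitoring.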
For authentication of users with a Terminal Access Controller Access Control System (TACACS+) or RADIUS server,
802.1x provides port-level security. 802.1x in conjunction with a RADIUS server allows for dynamic port-based user
authentication. 802.1x-based user authentication can be extended to dynamically assign a virtual LAN (VLAN)
based on a specific user, regardless of where that user connects on the network. This intelligent adaptability provides
greater flexibility and mobility to the network’s stratified user populations. By combining access control and user
profiles with secure network connectivity, services, and applications, customers can more effectively manage user
mobility and drastically reduce the overhead associated with granting and managing access to network resources.
With multilayer Cisco Catalyst 2955 Series switches, network managers can implement high levels of console
security. Multilevel access security on the switch console and a Web-based management interface prevent
unauthorized users from accessing or altering switch configurations. TACACS+ or RADIUS authentication enables
centralized access control of the switch and restricts unauthorized users from altering the configuration. Deploying
security can be done through Cisco CMS Software Security Wizards, which ease the deployment of security features
that restrict user access to a server, a portion of the network, or the entire network.
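The following configuration is added here as an illustration and is not part of the Cisco datasheet. It covers both of the preceding topics on one IOS-based switch: centralized TACACS+ authentication for administrators on the console, SSH and the Web-based management interface, and 802.1x user authentication against a RADIUS server with dynamic VLAN assignment. Server addresses, shared secrets, VLAN names and interface numbers are hypothetical placeholders, and the presence of individual commands depends on the software release.

```cisco
! Added example (not from the datasheet); addresses, secrets and VLAN names are placeholders.
aaa new-model
!
! --- Administrator access: TACACS+ for console, SSH and the web interface ---
tacacs-server host 192.0.2.20
tacacs-server key REPLACE-WITH-TACACS-SECRET
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Local fallback account, used only while the TACACS+ server is unreachable.
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
! The web-based management interface authenticates through the same AAA method.
ip http authentication aaa
line con 0
 login authentication default
line vty 0 15
 login authentication default
 transport input ssh
!
! --- User access: 802.1x with RADIUS and dynamic VLAN assignment ---
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-RADIUS-SECRET
aaa authentication dot1x default group radius
! Network authorization lets the switch act on the VLAN the RADIUS server
! returns in the Access-Accept: Tunnel-Type (13, VLAN), Tunnel-Medium-Type
! (6, 802) and Tunnel-Private-Group-ID (the VLAN name).
aaa authorization network default group radius
dot1x system-auth-control
vlan 10
 name ENGINEERING
vlan 20
 name GUESTS
! The port starts unauthorized; after a successful EAP exchange it is moved
! to whichever VLAN the server assigned to that user.
interface FastEthernet0/3
 switchport mode access
 dot1x port-control auto
```

The `local` fallback in the login method list matters: without it, an unreachable TACACS+ server locks administrators out of the console as well. `show dot1x interface FastEthernet0/3` reports the port's authorization state, and the accounting records sent to the TACACS+ server provide the audit trail of who changed the configuration.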
Network Control through Advanced QoS and Rate Limiting
Cisco Catalyst 2955 Series switches offer superior and highly granular QoS based on Layers 2-4 information, to help
ensure that network traffic is classified and prioritized, and that congestion is avoided in the best possible manner.
These switches can classify, reclassify, police (determine if the packet is in or out of predetermined profiles and affect
actions on the packet), and mark or drop the incoming packets before the packet is placed in the shared buffer. Packet
classification allows the network elements to discriminate between various traffic flows and to enforce rate-limiting
policies based on Layer 2 and Layer 3 QoS fields.
To implement QoS, these switches first identify traffic flows or packet groups. They classify or reclassify these groups
using the DSCP field in the IP packet and/or the 802.1p class of service (CoS) field in the Ethernet packet.
Classification and reclassification can also be based on criteria as specific as the source or destination IP address,
source or destination MAC address, or the Layer 4 TCP/UDP ports. At the ingress (incoming port) level, Cisco
Catalyst 2955 Series switches can also perform policing and marking of the packet.
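The following configuration is added here as an illustration and is not part of the Cisco datasheet. It walks through the ingress sequence just described on an IOS-based switch: flows are identified by DSCP, by IP address and TCP port, and by MAC address; each class is then policed and marked before the packet enters the shared buffer; and, as a final step, CoS values are mapped onto the four egress queues. Addresses, rates and interface numbers are hypothetical, and the policing syntax shown (rate in bits per second, burst in bytes) is the form used on this switch family rather than a general IOS guarantee.

```cisco
! Added example (not from the datasheet); addresses, rates and names are hypothetical.
mls qos
!
! Step 1: identify traffic flows. Voice by the DSCP it already carries,
! a backup server by IP address and TCP port, a printer by MAC address.
ip access-list extended VOICE-RTP
 permit udp any any dscp ef
ip access-list extended BACKUP-TRAFFIC
 permit tcp any host 192.0.2.100 eq 10000
mac access-list extended PRINTER
 permit host 0000.aaaa.bbbb any
!
class-map match-all VOICE
 match access-group name VOICE-RTP
class-map match-all BACKUP
 match access-group name BACKUP-TRAFFIC
class-map match-all PRINTER
 match access-group name PRINTER
!
! Step 2: police and mark at ingress. Voice keeps EF but is capped at 10 Mb/s;
! backup traffic is marked AF11 and limited to 8 Mb/s with excess dropped;
! the printer is marked down to best effort (DSCP 0).
policy-map INGRESS-POLICY
 class VOICE
  set ip dscp 46
  police 10000000 8192 exceed-action drop
 class BACKUP
  set ip dscp 10
  police 8000000 8192 exceed-action drop
 class PRINTER
  set ip dscp 0
!
! Step 3: apply the policy to the incoming port. Nothing is trusted from the
! host itself; the marks set above are what the rest of the network sees.
interface FastEthernet0/1
 switchport mode access
 service-policy input INGRESS-POLICY
!
! Step 4: egress queueing. CoS 5 (voice) goes to queue 4; the other CoS
! values are spread over queues 1-3. A weight of 0 on the last queue makes
! it a strict-priority queue on this platform, so voice is always sent first.
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 3
wrr-queue cos-map 3 4 6 7
wrr-queue cos-map 4 5
wrr-queue bandwidth 10 20 30 0
```

`show policy-map` and `show class-map` confirm the classification and policing parameters, and `show mls qos interface FastEthernet0/1` shows whether the policy is attached. Dropping excess rather than re-marking it is the conservative choice for the backup class: a misbehaving host loses its own throughput instead of consuming capacity reserved for other classes.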
After the packet goes through classification, policing, and marking, it is assigned to the appropriate queue before
exiting the switch. Cisco Catalyst 2955 Series switches support four egress (outgoing port) queues per port, allowing
the network administrator to be more discriminating and specific in assigning priorities for the various applications
on the network. At the egress level, the switch performs scheduling—an algorithm that determines the order in which