Cisco Catalyst 2960-X and 2960-XR switch line
The Cisco Catalyst 2960-X and 2960-XR switches deliver enhanced application visibility, network reliability, and network resiliency, which continue to make them a strong networking choice.
Cisco Catalyst 2960-X and 2960-XR Series Switches provide a range of security features to limit access to the network and mitigate threats, including:
● MAC-based VLAN assignment, enabling different users to authenticate on different VLANs. This feature enables each user to have a different data VLAN on the same interface.
● Cisco TrustSec®, which uses Security Group Exchange Protocol (SXP) to simplify security and policy enforcement throughout the network. For more information about Cisco TrustSec security solutions, visit https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html.
● Comprehensive 802.1X features to control access to the network, including Flexible Authentication, 802.1X monitor mode, and RADIUS Change of Authorization.
● IPv6 First-Hop Security enhances Layer 2 and Layer 3 network access for proliferating IPv6 devices, especially BYOD devices. It protects against rogue router advertisements, address spoofing, fake Dynamic Host Configuration Protocol (DHCP) replies, and other risks introduced by IPv6 technology.
● Device sensor and device classifier, enabling seamless versatile device profiles, including BYOD devices. They also enable the Cisco Identity Services Engine (ISE) to provision identity-based security policies. This feature is available on both the 2960-X and 2960-XR Series switches.
● Cisco Trust Anchor Technology, which verifies the authenticity of Cisco IOS Software images and so allows a single universal image to be distributed for all models of the 2960-X and 2960-XR Series. At boot-up the switch performs Cisco IOS integrity checks: it verifies the image signature, verifies the trusted asset under management, and authenticates the license.
● Cisco Threat Defense features, including Port Security, Dynamic ARP Inspection (DAI), and IP Source Guard.
● Private VLANs that restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multiaccess-like segment. This feature is supported on both 2960-X and 2960-XR Series and is available in both LAN Base and IP Lite feature sets.
◦ Private VLAN Edge to provide security and isolation between switch ports, which helps ensure that users cannot snoop on other users’ traffic.
● Unicast Reverse Path Forwarding (uRPF) to help mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. This feature is available in the IP Lite feature set only.
● Multidomain Authentication to allow an IP phone and a PC to authenticate on the same switch port while being placed on appropriate voice and data VLANs.
● Access Control Lists (ACLs) for IPv4 and IPv6, whose access control entries (ACEs) serve both security filtering and QoS classification:
◦ VLAN ACLs on all VLANs to prevent unauthorized data flows from being bridged within VLANs.
◦ Router ACLs that define security policies on routed interfaces for control-plane and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic.
◦ Port-based ACLs for Layer 2 interfaces to allow security policies to be applied on individual switch ports.
◦ Downloadable ACLs (dACLs) to download ACLs from a RADIUS server during 802.1X authentication.
● SSH, Kerberos, and SNMPv3, which protect management traffic: SSH replaces clear-text Telnet with an encrypted session, Kerberos authenticates login sessions, and SNMPv3 with authentication and privacy authenticates and encrypts SNMP traffic. SSH, Kerberos, and the cryptographic version of SNMPv3 require a cryptographic software image because of U.S. export restrictions.
● SPAN, with bidirectional (ingress and egress) data support, to mirror port or VLAN traffic to a monitor port where a Cisco Intrusion Detection System (IDS) sensor can inspect it and take action when an intruder is detected.
● TACACS+ and RADIUS authentication to facilitate centralized control of the switch and restrict unauthorized users from altering the configuration.
● MAC address notification to notify administrators when hosts are added to or removed from the network.
● Multilevel security on console access to prevent unauthorized users from altering the switch configuration.
● BPDU Guard to shut down Spanning-Tree Port Fast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
● Spanning Tree Root Guard (STRG) to prevent edge devices that are not in the network administrator’s control from becoming Spanning Tree Protocol (STP) root nodes.
● Internet Group Management Protocol (IGMP) filtering to control multicast access by filtering out nonsubscribers and to limit the number of concurrent multicast streams available per port.
● Dynamic VLAN assignment through VLAN Membership Policy Server (VMPS) client capability, which places a port in a VLAN according to the MAC address of the attached host, providing flexibility in assigning ports to VLANs. Because the host lands in its VLAN as soon as it connects, it obtains an IP address from that VLAN's scope without manual port reconfiguration.
● Cisco Identity Services Engine (ISE) support to enable the 2960-XR Series switches to offer security management for all connected devices.
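The Threat Defense features (DHCP snooping, DAI, IP Source Guard, Port Security), IPv6 First-Hop Security, 802.1X flexible authentication with multidomain and RADIUS Change of Authorization, BPDU Guard, Root Guard, and Private VLAN Edge from the list above, applied together to the access ports of one switch. This is an added example, not configuration from the data sheet or from Cisco; the interface names, VLAN numbers, RADIUS server address, and shared secret are assumptions.

```cisco
! Added example (not from the data sheet): access-edge hardening on a 2960-X.
! Assumptions: data VLAN 10, voice VLAN 20, RADIUS/ISE at 192.0.2.10,
! user ports Gi1/0/1-24, a port to an unmanaged switch on Gi1/0/48,
! uplinks Gi1/0/49-50 toward the distribution layer (and the STP root).
!
! --- Threat Defense: DHCP snooping builds the binding table that
! --- Dynamic ARP Inspection and IP Source Guard check against
ip dhcp snooping
ip dhcp snooping vlan 10,20
! option 82 insertion is not needed here; leaving it on makes the relay
! drop the snooped requests unless it is told to trust them
no ip dhcp snooping information option
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Ports err-disabled by DAI, DHCP rate limiting, port security or BPDU Guard
! recover after five minutes instead of waiting for an operator
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- IPv6 First-Hop Security: a host port may not send Router
! --- Advertisements or DHCPv6 server replies
ipv6 nd raguard policy HOST
 device-role host
ipv6 dhcp guard policy HOST
 device-role client
!
! --- Spanning tree: every PortFast edge port is also a BPDU Guard port
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! --- 802.1X with MAB fallback; CoA accepted from the same RADIUS server
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ASSUMED-RADIUS-SECRET
aaa server radius dynamic-author
 client 192.0.2.10 server-key ASSUMED-RADIUS-SECRET
dot1x system-auth-control
!
interface range GigabitEthernet1/0/1 - 24
 description user edge port (phone plus PC)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Private VLAN Edge: no direct traffic between protected ports
 switchport protected
 ! phone, PC, and the phone's own address in the data VLAN
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: only source addresses in the snooping binding table pass
 ip verify source
 ipv6 nd raguard attach-policy HOST
 ipv6 dhcp guard attach-policy HOST
 ! multidomain: one device in the voice domain, one in the data domain
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description port to a switch not under our control
 switchport mode access
 switchport access vlan 10
 ! Root Guard: the switch may take part in STP but can never become root
 spanning-tree guard root
 ip dhcp snooping limit rate 50
 ip arp inspection limit rate 100
!
interface range GigabitEthernet1/0/49 - 50
 description uplink to distribution
 switchport mode trunk
 ! DHCP offers and ARP replies from the upstream side are trusted
 ip dhcp snooping trust
 ip arp inspection trust
```

Two caveats a practitioner should check before deploying this: `ip verify source` drops traffic from any host whose address is not in the DHCP snooping binding table, so a statically addressed printer on one of these ports needs an `ip source binding` entry; and Root Guard belongs on ports facing devices that must never become root, not on the uplinks toward the legitimate root, where it would block the root bridge's own BPDUs. `show ip dhcp snooping binding`, `show ip arp inspection statistics`, and `show authentication sessions interface GigabitEthernet1/0/1` confirm that the binding table, DAI and the 802.1X session are doing what this configuration intends.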
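The management-plane items above (SSH, SNMPv3, TACACS+/RADIUS administrative authentication, multilevel console security, and MAC address notification) on one switch. This is an added example, not configuration from the data sheet or from Cisco; the hostname, domain, TACACS+ and NMS addresses, management subnet, and every secret shown are assumptions.

```cisco
! Added example (not from the data sheet): management-plane hardening on a 2960-X.
! Assumptions: TACACS+ at 192.0.2.11, NMS at 192.0.2.20,
! management subnet 192.0.2.0/24, domain example.net.
hostname access-sw1
ip domain-name example.net
! Run once from privileged EXEC before enabling SSH:
!   crypto key generate rsa modulus 2048
!
! --- Only SSHv2, only from the management subnet, no Telnet at all
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny any log
line vty 0 15
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
line con 0
 exec-timeout 10 0
!
! --- TACACS+ with local fallback: logins, privilege escalation and
! --- level-15 commands are authorized and accounted centrally
aaa new-model
tacacs server ISE-TACACS
 address ipv4 192.0.2.11
 key ASSUMED-TACACS-SECRET
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret ASSUMED-ENABLE-SECRET
! "secret" stores a hash; service password-encryption only obfuscates the
! remaining type 7 strings (such as the TACACS+ key) in the running config
service password-encryption
!
! --- Multilevel security: a level-5 operator can inspect but cannot
! --- enter configuration mode, which stays at level 15
username admin privilege 15 secret ASSUMED-ADMIN-SECRET
username operator privilege 5 secret ASSUMED-OPERATOR-SECRET
privilege exec level 5 show running-config
privilege exec level 5 show logging
!
! --- SNMPv3 authPriv only: no community strings, read-only view,
! --- and the NMS limited to the management subnet
no snmp-server community public
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user nms NMS-RO v3 auth sha ASSUMED-AUTH-PASS priv aes 128 ASSUMED-PRIV-PASS
snmp-server host 192.0.2.20 version 3 priv nms mac-notification
!
! --- MAC address notification: a trap whenever a host appears on or
! --- leaves an edge port, batched every 10 seconds
mac address-table notification change
mac address-table notification change interval 10
snmp-server enable traps mac-notification change
interface range GigabitEthernet1/0/1 - 24
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
```

Verify with `show ip ssh` (version 2 only), `show snmp user` (authentication SHA, privacy AES 128) and `show aaa servers`; `show privilege` after logging in as the operator account should report level 5, and `configure terminal` from that session should be refused.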
The Cisco Catalyst 2960-X and 2960-XR Series Switches offer intelligent traffic management that keeps everything flowing smoothly. Flexible mechanisms for marking, classification, and scheduling deliver superior performance for data, voice, and video traffic, all at wire speed. Primary QoS features include:
● Up to eight egress queues per port and strict priority queuing so that the highest-priority packets are serviced ahead of all other traffic.
● Shaped Round Robin (SRR) scheduling and Weighted Tail Drop (WTD) congestion avoidance.
● Flow-based rate limiting and up to 256 aggregate or individual policers per port.
● 802.1p Class of Service (CoS) and Differentiated Services Code Point (DSCP) classification, with marking and reclassification on a per-packet basis by source and destination IP address, MAC address, or Layer 4 TCP/UDP port number.
● Cross-stack QoS to allow QoS to be configured across a stack of 2960-X and 2960-XR Series switches.
● Cisco Committed Information Rate (CIR) function, providing bandwidth in increments as low as 8 Kbps.
● Rate limiting based on source and destination IP address, source and destination MAC address, Layer 4 TCP/UDP information, or any combination of these fields, using QoS ACLs (IP ACLs or MAC ACLs), class maps, and policy maps.
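The classification, marking, policing and SRR scheduling features listed above combined on one switch, so that a single access port can inject only a bounded amount of voice-marked or bulk traffic and a flooding host cannot crowd out real voice. This is an added example, not configuration from the data sheet or from Cisco; the interface names, port ranges, rates and DSCP values are assumptions.

```cisco
! Added example (not from the data sheet): ingress classification and
! policing with MLS QoS on a 2960-X.
! Assumptions: user ports Gi1/0/1-24, uplinks Gi1/0/49-50,
! RTP on UDP 16384-32767, SMB (TCP 445) and FTP treated as bulk data.
mls qos
!
! Voice that exceeds its policer is marked down from EF (46) to best
! effort (0) rather than dropped; the policed-dscp map defines that rewrite
mls qos map policed-dscp 46 to 0
! Put EF into egress queue 1, which becomes the strict-priority queue below
mls qos srr-queue output dscp-map queue 1 threshold 3 46
!
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
ip access-list extended BULK-DATA
 permit tcp any any eq 445
 permit tcp any any range 20 21
!
class-map match-all VOICE-RTP
 match access-group name VOICE-RTP
class-map match-all BULK-DATA
 match access-group name BULK-DATA
!
policy-map EDGE-IN
 class VOICE-RTP
  set dscp 46
  ! 128 kbps is room for one G.711 call, not for a flood marked as voice
  police 128000 8000 exceed-action policed-dscp-transmit
 class BULK-DATA
  set dscp 10
  ! bulk transfers capped at 10 Mbps per port; excess is dropped
  police 10000000 1000000 exceed-action drop
 class class-default
  ! everything else is re-marked best effort, whatever the host set
  set dscp 0
!
interface range GigabitEthernet1/0/1 - 24
 service-policy input EDGE-IN
 ! queue 1 is strict priority; queues 2-4 share the rest 30:35:5
 priority-queue out
 srr-queue bandwidth share 1 30 35 5
!
interface range GigabitEthernet1/0/49 - 50
 ! markings arriving from the distribution layer are trusted as-is
 mls qos trust dscp
 priority-queue out
 srr-queue bandwidth share 1 30 35 5
```

`show mls qos interface GigabitEthernet1/0/1 statistics` shows per-port policer drops and the DSCP counters after the policy is applied, and `show mls qos maps policed-dscp` confirms the 46-to-0 markdown. Because `set dscp 0` in `class-default` rewrites every unmatched packet, hosts cannot promote their own traffic by pre-marking it; the uplinks trust DSCP only because the upstream switches are under the same administration.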
Switching Database Manager (SDM) templates for the LAN Base and IP Lite licenses let the administrator choose how the Ternary Content-Addressable Memory (TCAM) is allocated among features, so that the MAC, routing, security, and QoS scale numbers match deployment-specific requirements; the scale available for each depends on the template selected on the switch.