Features and Benefits
24 Ports gigabit POE+ Stackable Switch
Cisco Catalyst 2960-X and 2960-XR Series Switches provide a range of
security features to limit access to the network and mitigate threats,
● MAC-based VLAN assignment, enabling different users to
authenticate on different VLANs. This feature enables each user to have
a different data VLAN on the same interface.
● Cisco TrustSec, which uses Security Group Exchange
Protocol (SXP) to simplify security and policy enforcement throughout
the network. For more information about Cisco TrustSec security
● Comprehensive 802.1X features to control access to the
network, including Flexible Authentication, 802.1X monitor mode, and
RADIUS Change of Authorization.
● IPv6 First-Hop Security enhances Layer 2 and Layer 3
network access for proliferating IPv6 devices, especially BYOD devices.
It protects against rogue router advertisements, address spoofing, fake
Dynamic Host Configuration Protocol (DHCP) replies, and other risks
introduced by IPv6 technology.
● Device sensor and device classifier, enabling seamless
versatile device profiles, including BYOD devices. They also enable the
Cisco Identity Services Engine (ISE) to provision identity-based
security policies. This feature is available on both the 2960-X and
2960-XR Series switches.
● Cisco Trust Anchor Technology, enabling easy distribution
of a single universal image for all models of the 2960-X and 2960-XR
Series by verifying the authenticity of Cisco IOS Software images. This
technology allows the switch to perform Cisco IOS integrity checks at
boot-up by verifying the signature, verifying the trusted asset under
management, and authenticating the license.
● Cisco Threat Defense features, including Port Security,
Dynamic ARP Inspection (DAI), and IP Source Guard.
● Private VLANs that restrict traffic between hosts in a
common segment by segregating traffic at Layer 2, turning a broadcast
segment into a nonbroadcast multiaccess-like segment. This feature is
supported on both 2960-X and 2960-XR Series and is available in both
LAN Base and IP Lite feature sets.
◦ Private VLAN Edge to provide security and
isolation between switch ports, which helps ensure that users cannot
snoop on other users' traffic.
● Unicast Reverse Path Forwarding (uRPF) to help mitigate
problems caused by the introduction of malformed or forged (spoofed) IP
source addresses into a network by discarding IP packets that lack a
verifiable IP source address. This feature is available in the IP Lite
feature set only.
● Multidomain Authentication to allow an IP phone and a PC
to authenticate on the same switch port while being placed on
appropriate voice and data VLANs.
● Access Control Lists (ACLs) for IPv6 and IPv4 for
security and QoS ACL elements (ACEs).
◦ VLAN ACLs on all VLANs to prevent
unauthorized data flows from being bridged within VLANs.
◦ Router ACLs that define security policies on
routed interfaces for control-plane and data-plane traffic. IPv6 ACLs
can be applied to filter IPv6 traffic.
◦ Port-based ACLs for Layer 2 interfaces to
allow security policies to be applied on individual switch ports.
◦ Downloadable ACLs (dACLs) to download ACLs
from a RADIUS server during 802.1X authentication.
● SSH, Kerberos, and SNMPv3, providing network security by
encrypting administrator traffic during Telnet and SNMP sessions. SSH,
Kerberos, and the cryptographic version of SNMPv3 require a special
cryptographic software image because of U.S. export restrictions.
● SPAN, with bidirectional data support, to allow Cisco
Intrusion Detection System (IDS) to take action when an intruder is
● TACACS+ and RADIUS authentication to facilitate
centralized control of the switch and restrict unauthorized users from
altering the configuration.
● MAC address Notification to notify administrators about
users added to or removed from the network.
● Multilevel security on console access to prevent
unauthorized users from altering the switch configuration.
● BPDU Guard to shut down Spanning-Tree Port Fast-enabled
interfaces when BPDUs are received to avoid accidental topology loops.
● Spanning Tree Root Guard (STRG) to prevent edge devices
that are not in the network administrator's control from becoming
Spanning Tree Protocol (STP) root nodes.
● Internet Group Management Protocol (IGMP) filtering to
provide multicast authentication by filtering out nonsubscribers and to
limit the number of concurrent multicast streams available per port.
● Dynamic VLAN assignment through implementation of VLAN
Membership Policy Server client capability to provide flexibility in
assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment
of IP addresses.
● Cisco Identity Services Engine (ISE) support to enable
the 2960-XR Series switches to offer security management for all
The Cisco Catalyst 2960-X and 2960-XR Series Switches offer intelligent
traffic management that keeps everything flowing smoothly. Flexible
mechanisms for marking, classification, and scheduling deliver superior
performance for data, voice, and video traffic, all at wire speed.
Primary QoS features include:
● Up to eight egress queues per port and strict priority
queuing so that the highest-priority packets are serviced ahead of all
● Shaped Round Robin (SRR) scheduling and Weighted Tail
Drop (WTD) congestion avoidance.
● Flow-based rate limiting and up to 256 aggregate or
individual policers per port.
● 802.1p Class of Service (CoS) and Differentiated Services
Code Point (DSCP) classification, with marking and reclassification on
a per-packet basis by source and destination IP address, MAC address,
or Layer 4 TCP/UDP port number.
● Cross-stack QoS to allow QoS to be configured across a
stack of 2960-X and 2960-XR Series switches.
● Cisco Committed Information Rate (CIR) function,
providing bandwidth in increments as low as 8 Kbps.
● Rate limiting based on source and destination IP address,
source and destination MAC address, Layer 4 TCP/UDP information, or any
combination of these fields, using QoS ACLs (IP ACLs or MAC ACLs),
class maps, and policy maps.
Switching Database Manager (SDM) templates for LAN Base and IP Lite
licenses allow the administrator to automatically optimize the Ternary
Content-Addressable Memory (TCAM) allocation to the desired features
based on deployment-specific requirements, including MAC, routing,
security, and QoS scalability numbers, depending on the type of
template used in the switch.