Cisco Catalyst Series Switches
Mauricio Martínez Systems Engineer, CCIE 17838
C97-373923-01 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda
Cisco® Catalyst® Switches Overview
Cisco Catalyst 500, 2960, 3560-E, 3750-E
Intelligent Services
Summary
SMB Top of Mind and Network Relevance

• How can I protect my assets?
• How can we be more productive?
• How can I be more adaptive?
• How can I increase my profitability?
• … and do all that with limited staff and budget?
Themes: Protected, Connected, Responsive, Collaborative
Key Network Considerations

• Simplicity and ease-of-use
• Increase network security
• Network transparency: make technology easier to deploy and control
• Pressure to reduce total cost of network ownership: manage more with less
• Peace of mind: "The networking infrastructure will always be available and will always work"
– Future-proofed for the next technology wave
– Expandable for future growth
The Role of the Network

The Networked Organization:
• Connectivity: safe, secure and reliable wired/wireless connections
• Access to Applications: reliable and efficient application delivery that's easy to deploy
• Convergence: cost savings in terms of time, staff and network budget
Catalyst Switching Portfolio

• Distribution/Core: Catalyst 6500, Catalyst 4500
• Datacenter Access: Catalyst 6500, Catalyst 4948, Blade Switches
• Wiring Closet: Catalyst 6500, Catalyst 4500, Catalyst 3750-E, Catalyst 3560-E and Catalyst 3750, Catalyst 2960 and Catalyst 3560, Catalyst Express
(Portfolio chart: Features, Scalability, Longevity plotted against Number of Employees/Density, from small through medium-sized to large)
Most Complete Line of Fixed Configuration LAN Products

Full Layer 3 Routing
• Cisco Catalyst 4948: 10/100/1000 + 2 10GE wire speed switching; rack-optimized server switching; jumbo frame support; dual, hot swappable, internal power supplies; hot swappable fan tray
• Cisco Catalyst 3750-E and Catalyst 3750: stackable 10/100 and GE configurations + 2 10GE; Cisco StackWise™ Plus and StackWise technology; enterprise-class intelligent Layer 3/4 services; modular power supply with 3750-E; PoE configurations with up to 15.4W on all 48 ports
• Cisco Catalyst 3560-E and Catalyst 3560: 10/100 and GE configurations + 2 10GE; enterprise-class intelligent Layer 3/4 services; modular power supply with 3560-E; PoE configurations with up to 15.4W on all 48 ports
Layer 2 Intelligent Services
• Cisco Catalyst 2960: 10/100 and 10/100/1000 Layer 2 switching; price-performance; 8, 24, and 48 port configurations with dual-purpose Gig uplinks; PoE configurations with up to 15.4W up to 24 ports; entry level LAN Lite IOS and enhanced LAN Base IOS for intelligent services
GUI-Managed
• Cisco Catalyst Express 500: low-density, standalone, managed 10/100 switching; tailored for businesses with up to 250 users
(Chart axis: Function, Flexibility, Scalability)
Cisco Catalyst Express 500 Series: Purpose Built Switches for 20–250 User Networks

Smart
• Future proof network with Cisco technology and Power over Ethernet
• Ready for innovative technologies such as IP Telephony and Wireless LAN
• Integrated intelligence to detect network issues before they become problems
Simple
• Eliminate complexity with Cisco Network Assistant
• Easy to use diagnostics via Troubleshooting Advisor
• Ease of deployment and management with Cisco Smartports
• Multiple configurations suited to SMB needs (10/100, 10/100 PoE or 10/100/1000)
Secure
• Easily customize network access level with Security Policy Slider
• Securely attach and install WLAN access points
• Encrypted management
Cisco Catalyst Express 500 Series Model Overview

Catalyst Express 500-24TT
• 24 10/100 ports
• 2 10/100/1000Base-T ports
Catalyst Express 500-24LC
• 20 10/100 ports
• 4 10/100 PoE ports
• 2 10/100/1000BT or SFP ports
• 62W IEEE 802.3af / Cisco pre-standard PoE
Catalyst Express 500-24PC
• 24 10/100 PoE ports
• 2 10/100/1000BT/SFP ports
• 370W IEEE 802.3af / Cisco pre-standard PoE
Catalyst Express 500G-12TC
• 8 10/100/1000BT ports
• 4 10/100/1000BT or SFP ports
Cisco Catalyst 2960 Series Switches

Catalyst 2960 LAN Base Series
• Fast Ethernet and Gigabit Ethernet in 8, 24, and 48 port configurations for entry-level enterprise and mid-market customers
• PoE configurations with up to 15.4W up to 24 ports
• Offers enhanced Layer 2+ intelligent LAN services:
– Availability
– Scalable and secure network management
– Enhanced security
– Advanced quality of service (QoS)
• Simplified management and troubleshooting for lower total cost of ownership
• Cisco Network Assistant and Cisco Smartports
• Limited lifetime hardware warranty and software updates at no additional charge

Catalyst 2960 LAN Lite Series
• Fast Ethernet in 24 and 48 port configurations for small branch offices and wiring closets
• Offers standard Layer 2 services with entry-level availability, security, and QoS
• Simplified management and troubleshooting for lower total cost of ownership
• Cisco Network Assistant and Cisco Smartports
• Limited lifetime hardware warranty and software updates at no additional charge

Uses Cisco ASICs for superior quality and hardware and software integration
Cisco Catalyst 2960 LAN Base Series — Model Overview

• Catalyst® 2960-24PC-L (New): 24 10/100 PoE ports; 2 dual-purpose uplink ports
• Catalyst 2960-24LT-L (New): 24 10/100 ports (8 PoE ports); 2 10/100/1000 uplink ports
• Catalyst 2960PD-8TT-L (New): 8 10/100/1000 ports; 1 10/100/1000 PoE input port; compact form-factor with no fan
• Catalyst® 2960G-24TC-L: 20 10/100/1000 ports; 4 dual-purpose uplink ports
• Catalyst 2960G-48TC-L: 44 10/100/1000 ports; 4 dual-purpose uplink ports
• Catalyst 2960G-8TC-L: 7 10/100/1000 ports; 1 dual-purpose uplink port; compact form-factor with no fan
• Catalyst 2960-24TC-L: 24 10/100 ports; 2 dual-purpose uplink ports
• Catalyst 2960-48TC-L: 48 10/100 ports; 2 dual-purpose uplink ports
• Catalyst 2960-8TC-L: 8 10/100 ports; 1 dual-purpose uplink port; compact form-factor with no fan
• Catalyst 2960-24TT-L: 24 10/100 ports; 2 10/100/1000 uplink ports
• Catalyst 2960-48TT-L: 48 10/100 ports; 2 10/100/1000 uplink ports
Software: LAN Base image. Enterprise-class intelligent services: advanced QoS, enhanced security, high availability.
Dual Purpose Uplink Port Behavior

Each dual-purpose uplink pairs an SFP slot with a 10/100/1000 copper port; only one of the two (SFP or copper) is active at any time. Users can manually select the media type with the interface command "media-type [sfp | rj45]" or leave it to auto-select. The SFP always gets preference on switch boot-up or when the interface is enabled (shut/no shut). In all other cases, whichever media links up first is selected as the active media.

Dual-purpose uplink validity (SFP ports A and C, copper ports B and D; A/B share one uplink, C/D the other):
Combination | Valid
A B | No
A C | Yes
A D | Yes
B C | Yes
B D | Yes
C D | No
Cisco Catalyst 2960 Supported Small Form-Factor Pluggable Modules

SFP Transceiver | Catalyst 2960 LAN Base | Catalyst 2960 LAN Lite
GLC-LH-SM | Yes | Yes
GLC-SX-MM | Yes | Yes
GLC-ZX-SM | Yes | No
GLC-T | Yes* | Yes
GLC-BX-D, GLC-BX-U | Yes | No
GLC-GE-100FX, GLC-FE-100FX | Yes* | Yes
GLC-FE-100LX | Yes | No
GLC-FE-100BX-D, GLC-FE-100BX-U | Yes | No
8 CWDM SFPs | Yes | No

*GLC-T and GLC-GE-100FX are not supported on the Catalyst 2960 Compact switches. For 100BASE-FX connectivity, use the GLC-FE-100FX instead.
Cisco Catalyst 2960 LAN Lite Series — Model Overview

• Catalyst 2960-24TC-S: 24 10/100 ports; 2 dual-purpose uplink ports
• Catalyst 2960-48TC-S: 48 10/100 ports; 2 dual-purpose uplink ports
• Catalyst 2960-24-S (New): 24 10/100 ports
Software: LAN Lite image. Entry level QoS, security, and availability with a focus on ease-of-use and lower total cost of ownership.
Note: Catalyst 2960 Switches cannot be upgraded or downgraded between LAN Base and LAN Lite software.
Catalyst 2960 Power over Ethernet (PoE) Switches

Benefits
• Prepare the network for IP Telephony and Wireless access
• Eliminate the need for separate electrical wiring
• Protect your investment and avoid a costly upgrade
• Cisco pre-standard PoE and 802.3af are fully supported
• Cisco IOS provides intelligent power management with granular control
• Wide selection of standards-based IEEE 802.3af powered devices
– IP Phones
– Wireless Access Points
– Surveillance cameras
– Access Card Readers
Catalyst 2960 Compact Switches

Meeting the unique physical requirements of the office workspace, conference rooms, classrooms, and micro branch offices
• Small size (H x W x D): 4.4cm x 27cm x 16-23cm
• Flexible wall and under-the-desk mounting
• Durable metal shell
• Cable guard
• Internal power supply and right angle power cord
• Passive cooling (no fan)
• Magnet included
• Security locking slot
• 19 inch rack mount option
Redundant Power System 2300

Benefits
• Increases network availability
• Seamlessly provides backup power to network devices
• Modular power supplies and fan for flexibility and increased availability
• Management and configuration capabilities allow users to define and implement the failover policy
Easier to Use
• Six RPS connectors: up to 2 switches actively backed up
• Seamless failover to RPS 2300 when the switch power supply fails
• RPS 2300 and switch can have separate AC sources
Greater Modularity
• Uses the same 1150W and 750W power supplies as the Cisco Catalyst 3750E and 3560E switches
• Replaceable fan module

Note: The Catalyst 2960 LAN Lite Switches and Catalyst 2960 Compact Switches do not have RPS support. The Catalyst 2960 PoE switches require CAB-2300-E=, which allows users to manage the RPS via the switch.

Catalyst 3750-E and 3560-E Series Switches: Innovative Stacking Sets New Standards for Resiliency and Management

• 24 or 48 10/100/1000 ports with 2 wire speed 10 Gigabit uplinks
• 10 second 10 Gigabit upgrade
• Full Class 3 (15.4W) Power over Ethernet support on all 48 ports
• StackWise Plus: backwards compatible, 64 Gbps and local switching
• Field replaceable power supply and fan
• Redundant power system support
• High performance IP routing
Catalyst 3750-E Models

• 24 10/100/1000T ports + 2x 10GE
• 48 10/100/1000T ports + 2x 10GE
• 24 10/100/1000T ports w/PoE + 2x 10GE
• 48 10/100/1000T ports w/PoE + 2x 10GE
PoE and data-only options. Any 3750-E model can be connected with another through StackWise Plus. 3750-E models can be combined in a stack with existing 3750 models in a mixed stack.
Catalyst 3560-E Models

• 24 10/100/1000T ports + 2x 10GE
• 48 10/100/1000T ports + 2x 10GE
• 24 10/100/1000T ports w/PoE + 2x 10GE
• 48 10/100/1000T ports w/PoE + 2x 10GE
The 3560-E is for standalone deployments. Similar features to the 3750-E, but StackWise is removed:
– Same software features
– Same PoE options
Extending Flexibility – Catalyst 3560E-12D (New)

• 12-port 10 Gigabit Ethernet aggregation switch
• 10 GE X2 transceiver support: SR, LR, ER, CX4, LX4, LRM
• TwinGig Converter Module for mixed GE/10GE uplinks
• 60 Gbps; 90 Mpps
• 1 rack unit
• Front to back cooling
• Dynamic routing: EIGRP, OSPF, BGPv4
• 3 software license types
Catalyst 3560E-12SD (New, Jan 2008)

• 12 Gig SFP ports and 2 X2 10 GE ports
• Dual redundant FRU power supplies, with a DC option
• Redundant FRU fans
• Transceiver support
– TwinGig Converter Module
– 10GE X2: SR, LR, ER, CX4, LX4, LRM
• Catalyst 3560-E IOS feature set
StackWise Plus: Unified Stacking, Behaving as a Single Unit

• 64Gbps stacking throughput*
• Local switching
• Intelligent traffic forwarding
• Backward compatible with the original StackWise
• Fault-tolerant, bi-directional stack interconnection
• Automated configuration and management
• Single network instance (IP, SNMP, CLI, STP protocol, VLAN)
• Master/secondary architecture with master failover
• Cross-Stack EtherChannel®, cross-stack QoS

* For typical traffic patterns; actual performance may be higher or lower
10 Gigabit Ethernet

• Two 10GE uplink interfaces
• Wire rate forwarding performance
• Supported X2 transceivers
– SR (MMF)
– LR (SMF, 10km)
– ER (SMF, 40km)
– CX4 (copper)
– LX4 (MMF 300m, SMF 10km)
• TwinGig Adapter converts an X2 interface into dual SFP interfaces
• All SFPs supported on the 3750 platform are supported with the TwinGig Adapter
• TwinGig Adapters are hot swappable with X2 modules
StackWise Plus Architecture

Local switching: 24 or 48 ports at wire speed; locally switched packets do not traverse the StackWise connections.
Path of a packet across the stack (switches A–F in the figure):
1. Ingress policing
2. Egress queuing and load balancing
3. StackWise Plus ring
4. Destination switch removes packets and delivers them
Cisco Catalyst Intelligent Switching Infrastructure

Intelligent Switching is a common foundation of capabilities across Cisco® Catalyst® switches: Performance, QoS, Security, Manageability and Availability.
• Performance: Layer 2, 3, 4 access control; wire-speed forwarding; no performance effect with all services enabled
• QoS: Layer 2, 3, 4 classification; policing and shaping; multiple queues; granular control; admission control
• Security: identity-based authentication; management security
• Manageability: end-to-end manageability for centralized administration; web-based or command-line interface (CLI); analysis and planning tools
Intelligence Through More-Capable ASICs

Frame layout (not to scale): MAC DA, MAC SA, 802.1Q/1p, Length (Layer 2 info); IP header, TOS, IP SA, IP DA (Layer 3 info); TCP/UDP header info (Layer 4 info); DATA.

Layer 2 switches are limited to the processing and forwarding of Layer 2 information. Multilayer switches can look deeper into the frame and make intelligent decisions based on Layer 3 or Layer 4 information. Examples of why this is useful:
• Preserve bandwidth by limiting traffic based on a user's IP address.
• Preserve bandwidth by limiting traffic based on applications using a constant TCP/UDP port number (web browsing, enterprise resource planning (ERP) applications, etc.).
• Prevent access to network resources based on a user's IP address.
• Classify and mark traffic based on Layer 3 QoS (DSCP).
Cisco® innovative ASICs with Cisco IOS® Software integration enable superior intelligent services that will not bottleneck the network.

Cisco Catalyst Intelligent Switching Infrastructure

Advanced QoS
Features
• Layer 2, 3, 4 traffic classification
• Shaping, sharing, and policing
• Granular control
• Wire-speed performance
Benefits
• Manage bandwidth to meet business priorities
• Maintain performance for time-sensitive applications
• Better meet defined SLAs
• Suffer no performance degradation with services enabled
Where Congestion Exists, QoS is Required

Aggregation (several 10 Mbps links feeding one link) and speed mismatch (1000 Mbps LAN to 64 kbps WAN):
• Points of aggregation: links and buffers
• Points of substantial speed mismatch
• Transmit buffers tend to fill (TCP windowing)
• Buffering reduces loss, introduces delay
Not All Traffic is Created Equal

Characteristic | Data (Best-Effort) | Mission-Critical Data | Voice | Video
Bandwidth | Low to Moderate | Moderate to High | Low to Moderate | Moderate to High
Random Drop Sensitivity | Low | Low | High | High
Delay Sensitivity | Low | Moderate to High | High | High
Jitter Sensitivity | Low | Low to Moderate | High | High
Cisco Catalyst 2960 Series Extensive QoS Features

Traffic classification and marking for differentiated services: per-port or individual/aggregate flow classification and rewriting of MAC address, 802.1p CoS/DSCP, IP address, and TCP/UDP port.

Packet path: RX → Classify → Mark → Police → Ingress queuing/scheduling and congestion control (Queue 1, Queue 2) → Egress queuing/scheduling and congestion control (Queue 1 to Queue 4) → TX

• Admission control: prevent network congestion; input and output policing
• Advanced traffic shaping and scheduling: four queues per port; shaped round robin per port; strict priority queuing
Campus QoS Considerations: Trust Boundary Extension and Operation

PC VLAN = 10, Phone VLAN = 110. "I see you're an IP phone, so I will trust your CoS."
1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone
2. Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic ("Voice = 5, Signaling = 3")
3. Phone rewrites CoS from the PC port to 0 (the PC sets CoS to 5 for all traffic; all PC traffic is reset to CoS 0)
4. Switch trusts CoS from the phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0
Cisco IOS IP SLAs Uses

• Uses: Service Level Agreements (SLAs), TCP/IP health monitor, VoIP performance monitoring, network availability assessment
• Measurement metrics: packet loss, network elapsed time, distribution of latency, connection loss, jitter stats (reachability)
• Operations: Jitter, FTP, DNS, DHCP, DLSW, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, G711, G729
• Defined packet size, spacing, CoS and protocol
The IP SLA source (a Catalyst 2960 in the figure) generates active traffic to measure the network toward an IP SLA responder or a destination IP server; results are collected through IP SLA MIB data.

Cisco Catalyst Intelligent Switching Infrastructure

Security
Features
• Identity-based authentication
• Wire-speed access control lists
• Controlled access to system maintenance
• Integrated security services
Benefits
• Authenticate and control access based upon user identity
• Protect critical business assets
• Prevent downtime
• Prevent network attacks from within
Cisco Catalyst Switching Integrated Security

• Secure Connectivity: SSL, SSH, SNMPv3
• Threat Defense: man-in-the-middle attack mitigation (port security, DHCP snooping); scavenger-class QoS; L2-4 ACLs; Private VLAN Edge
• Trust and Identity: Identity-Based Networking (802.1x extensions); quarantine VLAN (remediation); web and MAC based authentication; Cisco® Trust Agent; Network Admission Control
The Need for Admission Control

• Viruses, worms, spyware, etc. are still the #1 cause of financial loss*: downtime, recovery, lost productivity, credibility, legal implications.
• Users are routinely authenticated, but endpoint devices (laptops, PCs, PDAs) are not checked for security policy compliance.
• Unprotected endpoints spread infection: required security software not installed, disabled, or out of date. Checking for compliance is difficult and expensive.

"Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." —Burton Group

*2005 FBI/CSI Report
Cisco Catalyst Access Control Lists

What It Does:
• Allows or denies access based on the source or destination address
• Restricts users to designated areas of the network, blocking unauthorized access to all other applications
• Takes advantage of TCAMs, enabling wire speed performance
• Provides the ability to access-control all packets, either internally bridged within a VLAN or routed between VLANs
Benefits:
• Prevents unauthorized access to servers and applications
• Allows designated users to access specified servers
• Forwarding performance is not compromised by ACLs because information lookups are done in hardware
Protecting Against Worms

How It Works: The ACL provides a mechanism to protect servers, users, and applications against worms by determining what traffic streams or users can access what ports (the figure shows port 1434 blocked toward the internal network). Using ACLs, the virus or worm is not able to replicate from its hosts.
Mitigating Unauthorized Devices: Protecting Against Well-Intentioned Users

Problem: Well-intentioned users place unauthorized network devices on the network (in the figure, an unauthorized switch injecting incorrect STP information), possibly causing network instability.
Solution: Cisco Catalyst® switches support rogue BPDU filtering, BPDU Guard and Root Guard, protecting the authorized switches, the enterprise servers and the Cisco Secure ACS.
Secure Connectivity

• Secure Shell (SSH) Protocol: SSH encrypts administration traffic in remote terminal sessions (replacing cleartext Telnet) while configuring or troubleshooting switches.
• Secure Sockets Layer (SSL): SSL encrypts network management traffic, allowing the secure use of tools such as the Cisco® Network Assistant.
• SNMPv3 (with crypto support): SNMPv3 provides network security by encrypting administrator traffic during SNMP sessions used to configure or troubleshoot switches.
• Kerberos: Kerberos authenticates users and network services using a trusted third party to perform secure verification.
• Secure Copy: SCP provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on SSH.
Securing Layer 2 from Surveillance Attacks: Cutting Off MAC-Based Attacks

Figure: an attacker sends 250,000 bogus MAC addresses per second; only 3 MAC addresses (such as 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb) are allowed on the port, so the excess triggers the port's violation action (figure label: Shutdown).

Problem: "Script kiddie" hacking tools flood switch CAM tables with bogus MAC addresses, turning the VLAN into a "hub" and eliminating privacy. The switch CAM table holds only a finite number of MAC addresses.
Solution: Enable port security. It limits MAC flooding attacks, locks down the port and sends an SNMP trap:

switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
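The slide's port-security configuration (maximum 3, violation restrict, 2-minute inactivity aging) modelled in Python, as an added example that is not Cisco's code: the hypothetical PortSecurity class learns up to three MACs, drops and counts frames from any further source address while leaving the port up, and ages out idle entries; the MAC flood it is run against is constructed.

```python
"""Model of 'switchport port-security violation restrict' with inactivity
aging. Added example with constructed frames; a simplification of the real
switch behaviour, not an implementation of it."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PortSecurity:
    maximum: int = 3           # switchport port-security maximum 3
    aging_minutes: int = 2     # switchport port-security aging time 2
    secure_macs: Dict[str, float] = field(default_factory=dict)  # mac -> last seen (minutes)
    violations: int = 0
    traps: List[str] = field(default_factory=list)               # stands in for SNMP traps

    def _age_out(self, now: float) -> None:
        # 'aging type inactivity': forget secure MACs idle for >= aging time
        stale = [m for m, seen in self.secure_macs.items() if now - seen >= self.aging_minutes]
        for m in stale:
            del self.secure_macs[m]

    def ingress(self, src_mac: str, now: float) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        self._age_out(now)
        if src_mac in self.secure_macs:
            self.secure_macs[src_mac] = now          # refresh inactivity timer
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[src_mac] = now          # dynamically learn a secure MAC
            return True
        # 'violation restrict': drop the frame, count it, notify; the port stays up
        self.violations += 1
        self.traps.append(f"psecure-violation port=Fa0/1 src={src_mac}")
        return False


def flood_simulation(bogus_count: int = 1000) -> dict:
    """Three legitimate hosts, then a constructed flood of bogus source MACs."""
    port = PortSecurity()
    legit = ["00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"]
    for mac in legit:
        port.ingress(mac, now=0.0)
    dropped = 0
    for i in range(bogus_count):
        bogus = "00:de:ad:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if not port.ingress(bogus, now=0.5):
            dropped += 1
    # the CAM table is not polluted: the legitimate hosts keep forwarding
    legit_ok = all(port.ingress(mac, now=1.0) for mac in legit)
    # after two idle minutes the entries age out and a new host can be learned
    relearned = port.ingress("00:0e:00:dd:dd:dd", now=3.5)
    return {"dropped": dropped, "violations": port.violations, "traps": len(port.traps),
            "legit_still_forwarded": legit_ok, "relearned_after_aging": relearned,
            "table_size": len(port.secure_macs)}
```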
Voice (VLAN) Aware Port Security

Scenario: IP phone + host on the same switch port
• Port security and STP violations are now VLAN/voice aware
• Violations for the host only affect the "data" VLAN
• Only the affected VLAN is placed in error-disable state
• Voice VLAN remains unaffected
• Improves network availability
DHCP Spoofing Attack

Figure: a rogue DHCP server on an untrusted user port answers the victim's DHCP discovery broadcast with a rogue offer (IP: 10.1.1.20/24, GW: 10.1.1.1, DNS: 192.168.1.122) ahead of the legitimate DHCP server.
Problem:
• Malicious user pretends to be the network DHCP server.
• Misconfigured user starts up a DHCP server incorrectly.
• Malicious user can send out bogus addresses, deplete the address space, or spoof the default gateway.
Solution:
• Do not trust user ports, so only DHCP requests can be sent from them.
• Snoop DHCP information for integrity.
DHCP Snooping

What It Does: With DHCP snooping enabled, the switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic (in the figure, the offer from a rogue server on an untrusted port is dropped while the trusted DHCP server's reply is delivered to the client). DHCP snooping allows only designated DHCP ports or trusted uplink ports to relay DHCP messages. It builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number.
Benefit: DHCP snooping eliminates rogue devices from behaving as the DHCP server.
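The forwarding rule and binding table described above, worked through on the spoofing scenario from the previous slide, as an added example that is not Cisco's implementation: the hypothetical DhcpSnooping class relays anything from a trusted port, drops server-side messages (OFFER/ACK/NAK) arriving on untrusted ports, and records a binding when the trusted server ACKs; the port names, the 10.1.1.50 lease and the messages are constructed.

```python
"""Simplified DHCP snooping: trusted vs untrusted ports plus a binding table.
Added example with constructed messages; not the switch's real code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    kind: str         # member of CLIENT_MSGS or SERVER_MSGS
    in_port: str      # switch port the message arrived on
    vlan: int
    src_mac: str      # Ethernet source address
    chaddr: str       # client hardware address carried inside the DHCP payload
    yiaddr: str = ""  # address offered/assigned (server messages only)


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending: Dict[Tuple[str, int], str] = {}    # (mac, vlan) -> client port
        self.bindings: Dict[Tuple[str, int], dict] = {}  # the DHCP binding table
        self.dropped: List[str] = []

    def process(self, msg: DhcpMsg) -> bool:
        """Return True when the switch relays the message, False when it drops it."""
        key = (msg.chaddr, msg.vlan)
        if msg.in_port in self.trusted:
            # Trusted uplink/server port: relay everything, learn bindings from ACKs.
            if msg.kind == "ACK":
                self.bindings[key] = {"ip": msg.yiaddr, "mac": msg.chaddr,
                                      "port": self.pending.get(key, "?"), "vlan": msg.vlan}
            return True
        if msg.kind in SERVER_MSGS:
            # Untrusted access port: a server-side message can only come from a rogue server.
            self.dropped.append(f"{msg.kind} from untrusted port {msg.in_port}")
            return False
        if msg.src_mac != msg.chaddr:
            # Integrity check modelled on IOS 'ip dhcp snooping verify mac-address'.
            self.dropped.append(f"{msg.kind} chaddr mismatch on {msg.in_port}")
            return False
        self.pending[key] = msg.in_port   # remember which access port the client is on
        return True


def scenario() -> dict:
    """The slide's spoofing scenario: rogue offer on a user port, real server on the uplink."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/24"})   # constructed: uplink to the real server
    victim = "00:0e:00:aa:aa:aa"
    events = [
        DhcpMsg("DISCOVER", "Fa0/3", 10, victim, victim),
        # rogue server on an access port answers first with the slide's bogus lease
        DhcpMsg("OFFER", "Fa0/7", 10, "00:0e:00:bb:bb:bb", victim, "10.1.1.20"),
        DhcpMsg("OFFER", "Gi0/24", 10, "00:0e:00:01:01:01", victim, "10.1.1.50"),
        DhcpMsg("REQUEST", "Fa0/3", 10, victim, victim),
        DhcpMsg("ACK", "Gi0/24", 10, "00:0e:00:01:01:01", victim, "10.1.1.50"),
        # client message whose chaddr does not match its Ethernet source
        DhcpMsg("DISCOVER", "Fa0/9", 10, "00:0e:00:cc:cc:cc", "00:0e:00:cc:cc:ff"),
    ]
    forwarded = [snoop.process(e) for e in events]
    return {"forwarded": forwarded, "bindings": snoop.bindings, "dropped": snoop.dropped}
```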
C97-373923-01 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 46 Identity-Based Network Services
What It Does: Using the 802.1x Standard with Cisco ® Enhancements, the Network Grants Privileges Based on User Login Information, Regardless of the User’s Location or Device.
Benefits: Allows different people to use the same PC and have different capabilities. Ensures that users get only their designated privileges, no matter how they are logged into the network. Reports unauthorized access.
Identity-Based Network Services

How It Works: All users trying to enter the network must receive authorization based on their personal username and password. The client connects to the switch, which checks the credentials against a TACACS+ or RADIUS server: a valid username and password is admitted (Yes), an invalid username or password is refused (No).
• Equivalent to placing a security guard at each switch port.
• Only authorized users can get network access.
• Unauthorized users can be locked out or placed into "guest" VLANs.
• These services prevent unauthorized or "rogue" access points.
Standard 802.1x/VLAN Assignment

Restrict users to a specified VLAN to limit their network access. Standard 802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to that port. The RADIUS server database maintains the username-to-VLAN mappings. Authentication is similar to the VMPS/VQP function, except it uses 802.1x/RADIUS as the authentication mechanism. The switched LAN requires 802.1x clients.
Exchange in the figure: 1. switch asks RADIUS "User ok?"; 2. RADIUS answers "Authentication ok, assign VLAN3 and ACL14 to Accountant on port5".
Example policy:
• Marketing Mgr: is on the Marketing VLAN and cannot access any finance or accounting servers
• Finance Mgr: is on the Finance VLAN and can access all the finance and accounting servers
• Accountant: is on the Finance VLAN but can access only the accounting server
Standard 802.1x and Voice VLAN

The PC needs to authenticate with 802.1x; voice traffic is allowed through Cisco Discovery Protocol.
When the switch recognizes through Cisco ® Discovery Protocol that a Cisco phone is attached to the port, voice traffic is allowed onto the auxiliary VLAN without the authentication of the supplicant on the primary VLAN. The non-IP phone supplicant (PC) connected to the port is authenticated through 802.1x and uses the PVID. The IP phone has access to the VVID for its voice traffic irrespective of the authorized or unauthorized state of the port.
The Cisco Advantage With IBNS

Cisco's experience and leadership make 802.1x integrated and deployable through Identity Based Network Services:
• 802.1x with Integrated Port Security
• 802.1x Wake on LAN
• 802.1x with Dynamic VLAN assignment
• 802.1x with Guest VLAN
• 802.1x with Voice VLAN ID Support
• 802.1x with Dynamic ACLs
• 802.1x MAC Auth Bypass
• 802.1x Auth-Fail-VLAN
• 802.1x AAA-Fail-Open
• 802.1x MIB and Accounting
• 802.1x Web Based Proxy
• 802.1x Readiness Check
Cisco Catalyst Intelligent Switching Infrastructure

Availability
Features
• Wire-speed forwarding
• No performance effect with all services enabled
• Load balancing
• Redundancy
Benefits
• Network remains operable despite failures
• Defined SLAs can be met
• Offers business resiliency
• Reduces maintenance cost
Wire-Speed Services

Wire-speed, high-touch services with no performance hit. In the figure, hardware services hold 35 Mpps as the services load (for example ACLs, QoS, and multicast) grows, whereas software-based services suffer packet drops, cache misses and CPU overload.
• 512 QoS policies
• 1024 security policies
• 64 policers
• 4 queues per port
FlexLinks: L2 Redundancy

• Achieve Layer 2 redundancy without requiring STP (Spanning Tree Protocol)
• Access switches with backup links to distribution switches, deployed as a Flex link pair
• Fast convergence upon forwarding link failover
• Sub 100msec cut over
• Convergence time independent of the number of VLANs and MAC addresses
FlexLinks: L2 Redundancy

A Catalyst 2960 is dual-homed to two Cat6K distribution switches with an active link and a backup link:
1. Primary link down detected (24msec poll)
2. Backup link becomes the active link
Flexlink Performance: Timings (in milliseconds)

VLANs | MACs | MSTP UpStrm | MSTP DnStrm | Flexlink UpStrm | Flexlink DnStrm
1 | 2 | 144 | 143 | 19 | 31
32 | 1280 | 1033 | 1231 | 20 | 199
64 | 2560 | 1581 | 1899 | 45 | 590
128 | 3840 | 2423 | 3022 | 16 | 633
1000 | 6000 | 7507 | 8454 | 46 | 4820
Flexlink VLAN Load Balancing

On the Cat2960, the primary link (gi2/0/6) carries VLANs 60 and 50 and the backup link (gi2/0/8) carries VLAN 20. When the primary link is detected down, the backup link carries VLANs 60, 50 and 20.
Cisco Catalyst 2960 Multicast Support

• IGMP snooping, used for managing group membership information between the multicast servers (sources) and the hosts (receivers or groups) on the LAN
• Per-port broadcast, multicast, and unicast storm control
• Multicast VLAN registration
• VLAN Trunking Protocol (VTP) pruning
Cisco Catalyst Intelligent Switching Infrastructure

Manageability
Features
• End-to-end manageability through a common set of management tools
• Centralized administration and software upgrades
• Web-based access
Benefits
• Simplify implementation, troubleshooting, and upgrades
• Reduce operational costs
• Simplify intelligent service implementation
• Reduce maintenance cost
Integrated Time Domain Reflectometer (TDR)

Layer 1 troubleshooting tool. TDR helps to determine:
• The length of a cable
• Whether the cable is correctly wired internally (pin-to-pin wire mapping)
• Whether the cable contains a short circuit (wires touching each other through damaged or missing insulation)
• Whether the cable contains a broken wire (called an "open")
• Whether the cable suffers from electrical cross talk (interference)
Results are exposed through CISCO-CABLE-DIAG-MIB. (Figure: a cable fault located between two ports.)
Broadest Range of Network Management Products

Positioned by price-performance versus function and flexibility, from small and medium business through enterprise to service provider:
– Cisco WAN Manager: tens of thousands of devices; service provisioning; global WANs; Cisco IGX, BPX, and MGX switches only
– CiscoWorks LAN Management Solution (LMS): thousands of devices; service management; WANs and LANs
– Cisco Network Assistant: up to 40 switches and routers
– Catalyst Device Manager: one switch, initial setup only; free
*Small Network Management Solution (SNMS)

Management Interfaces

Cisco Catalyst Device Manager: manages a single device; web-based (HTML).
Cisco Network Assistant: manages a 40-device SMB network (router, switch, IP phone, wireless…); web-based (Java).
Cisco Network Assistant Release 5.0 (300K+ downloads)

– Multi-product, multi-technology management tool
– Supports up to 40 devices (switches, routers and firewalls) and unlimited IP phones and access points
– Interactive topology and front panel views
– Configuration, monitoring, troubleshooting and network optimization
– Highlight your VLANs, Telnet to devices, drag-and-drop IOS upgrades
– Localized in French, Italian, German, Spanish, Chinese and Japanese
– Free download: www.cisco.com/go/cna
The Business Relevance of Cisco Smartports

Cisco® Smartports allows for simple and accurate deployment of high-value network-optimizing intelligent features.

What It Does
– Preconfigured macros enable fast and easy configuration of advanced Cisco Catalyst® intelligent capabilities
– Quickly enables QoS, security, and availability features with a single command
– Offers granular flexibility on a per-port basis
– Offers ability to create customized macros

Benefits
– Simplified feature deployment
– Less chance of errors
– Deployment consistency across the network
– Greater value from the intelligent network through increased feature usage
Figure labels: Internet, Intranet.
Cisco Smartports

From This (the equivalent manual configuration):

Global Commands
    errdisable recovery cause link-flap
    errdisable recovery cause udld
    errdisable recovery interval 60
    vtp domain [smartports]
    vtp mode transparent
    udld aggressive
    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    spanning-tree extend system-id

Interface Commands
    default interface range FastEthernet[1]/0/[1–48]
    interface range FastEthernet[1]/0/[1–48]
     switchport access vlan [data]
     switchport mode access
     switchport voice vlan [voice]
     switchport port-security
     switchport port-security maximum 3
     switchport port-security violation restrict
     switchport port-security aging time 2
     switchport port-security aging type inactivity
     auto qos voip cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable

To This: a single Smartports command per port.
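The value of a template like the one above is that every access port ends up with the same port-security and BPDU-guard settings, so drift is easy to check for. The following is an added example, not Cisco's code and not part of the original deck: it parses an IOS-style running-config, reports which access ports lack the hardening lines from the Smartports template, and then models what the parsed "port-security maximum / violation" settings do when more source MACs than allowed appear on a port. The interface names, VLAN numbers and the whole SAMPLE_CONFIG are constructed for this example; the IOS defaults used (maximum 1, violation shutdown) and the three violation behaviours are the documented ones, simplified (no aging, no sticky addresses).

```python
"""Audit access ports against the Smartports hardening template and model
port-security behaviour. Added example; sample config is constructed."""
import re
from collections import OrderedDict

# Constructed sample: one port configured like the Smartports template,
# one access port that was never hardened, and one trunk (out of scope).
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
 switchport mode trunk
!
"""

# Lines every access port should carry (taken from the Smartports template).
REQUIRED_ON_ACCESS_PORTS = (
    "switchport port-security",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
)


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} in configuration order."""
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                    # '!' terminates an interface block
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_access_ports(config_text):
    """Map each access port to the hardening commands it is missing."""
    findings = OrderedDict()
    for name, cmds in parse_interfaces(config_text).items():
        if "switchport mode access" not in cmds:
            continue                          # trunks/uplinks need a different baseline
        findings[name] = [c for c in REQUIRED_ON_ACCESS_PORTS if c not in cmds]
    return findings


def port_security_settings(cmds):
    """Extract (maximum, violation mode); IOS defaults are 1 and 'shutdown'."""
    maximum, violation = 1, "shutdown"
    for c in cmds:
        m = re.match(r"switchport port-security maximum (\d+)$", c)
        if m:
            maximum = int(m.group(1))
        m = re.match(r"switchport port-security violation (protect|restrict|shutdown)$", c)
        if m:
            violation = m.group(1)
    return maximum, violation


class PortSecurityModel:
    """Simplified model of dynamic port-security learning (no aging)."""

    def __init__(self, maximum, violation):
        self.maximum, self.violation = maximum, violation
        self.secure_macs = []
        self.violations = 0
        self.err_disabled = False

    def frame_from(self, mac):
        """Return what the switch does with a frame from source MAC `mac`."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)      # dynamically learned secure address
            return "learned"
        self.violations += 1                  # address table full: violation
        if self.violation == "shutdown":
            self.err_disabled = True
            return "dropped (port err-disabled)"
        if self.violation == "restrict":
            return "dropped (violation counted, syslog/SNMP trap)"
        return "dropped (silently)"           # protect mode


def simulate(config_text, interface, macs):
    """Replay source MACs against `interface`'s port-security settings."""
    cmds = parse_interfaces(config_text)[interface]
    model = PortSecurityModel(*port_security_settings(cmds))
    return [model.frame_from(m) for m in macs], model.violations


if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
    print(simulate(SAMPLE_CONFIG, "FastEthernet1/0/1",
                   ["aa:1", "aa:2", "aa:3", "aa:4", "aa:1"]))
```

Run against a saved `show running-config`, the audit lists ports that were configured by hand instead of through the macro; the simulation makes the difference between the template's "violation restrict" (fourth MAC dropped and counted, port stays up) and the default "shutdown" (second MAC err-disables the port, which is why the template also enables errdisable recovery) concrete.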
Agenda

Cisco® Catalyst® Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Summary
Pushing the Technology Curve

Cisco Technology Innovator:
– $4 billion R&D investment annually
– Over 100 companies acquired
– 17,000 engineers in 10 global labs
– More than 2,300 patents in last 10 years

Cisco Contributing to Standards: Cisco employees chair over 20 IETF working groups and are on IEEE committees.

Figure: timeline 1990 to 2005 of Cisco technologies (PISA, Inline Power, StackWise, EtherChannel, GOLD, Modular IOS, IOS SLA, Twin Gig, CDP, Tag Switching, NetFlow, DAI, DHCP Snooping, HSRP, RSRB, ISL, MISTP, EEM, ISSU) and standards (802.1q, MPLS, DLSw, IPFix, VRRP, 802.3ad, LLDP, 802.1s, 802.3af).