2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential C97-373923-02 1


Cisco Catalyst 2960 Series Switches
Technical Presentation

Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix

Cisco Catalyst Switching Portfolio
(Chart: horizontal axis Number of Employees/Density, from Small through Medium-Sized to Large; vertical axis Features, Scalability, Longevity)
Wiring Closet: Cisco Catalyst Express 520 (New), Cisco Catalyst 2960, Cisco Catalyst 3560-E and Catalyst 3560, Cisco Catalyst 3750-E and Catalyst 3750, Cisco Catalyst 4500, Cisco Catalyst 6500
Distribution or Core: Cisco Catalyst 4500, Cisco Catalyst 6500
Data-Center Access: Cisco Catalyst 4900, Cisco Catalyst 6500, Blade Switches

Most Complete Line of Fixed Configuration LAN Products
(Chart: Price-Performance against Function, Flexibility, Scalability; tiers GUI-Managed, Layer 2 Intelligent Services, Full Layer 3 Routing)

Cisco Catalyst Express 500 (GUI-Managed)
Low-density, standalone, managed 10/100 switching
Tailored for businesses with up to 250 users

Cisco Catalyst 2960 (Layer 2 Intelligent Services)
10/100 and 10/100/1000 Layer 2 switching
8-, 24-, and 48-port configurations with dual-purpose Gig uplinks
PoE configurations with up to 15.4W on up to 24 ports
Entry-level LAN Lite IOS and enhanced LAN Base IOS for intelligent services

Cisco Catalyst 3560-E and Catalyst 3560 (Full Layer 3 Routing)
10/100 and GE configurations + 2 10GE
Enterprise-class intelligent Layer 3/4 services
Modular power supply with 3560-E
PoE configurations with up to 15.4W on all 48 ports

Cisco Catalyst 3750-E and Catalyst 3750 (Full Layer 3 Routing)
Stackable 10/100 and GE configurations + 2 10GE
Cisco StackWisePlus and StackWise technology
Enterprise-class intelligent Layer 3/4 services
Modular power supply with 3750-E
PoE configurations with up to 15.4W on all 48 ports

Cisco Catalyst 4948 (Full Layer 3 Routing)
10/100/1000 + 2 10GE wire-speed switching
Rack-optimized server switching
Jumbo frame support
Dual, hot-swappable, internal power supplies
Hot-swappable fan tray

Agenda: Cisco Catalyst 2960 Product Overview

Cisco Catalyst 2960 Series Switches

Cisco Catalyst 2960 LAN Base Series
Provides Fast Ethernet, Gigabit Ethernet, and Power over Ethernet for entry-level enterprise and mid-market customers
Offers enhanced Layer 2+ intelligent LAN services: availability, enhanced security, advanced quality of service (QoS)
Offers simplified management and troubleshooting for lower total cost of ownership
Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
Provides limited lifetime hardware warranty and software updates at no additional charge

Cisco Catalyst 2960 LAN Lite Series
Offers Fast Ethernet in 8-, 24- and 48-port configurations for small branch offices and wiring closets
Offers standard Layer 2 services with entry-level availability, security, and QoS
Scalable and secure network management
Offers simplified management and troubleshooting for lower total cost of ownership
Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
Provides limited lifetime hardware warranty and software updates at no additional charge

Both series use Cisco ASICs for superior quality and hardware and software integration.

Cisco Catalyst 2960 LAN Base Series: Model Overview
Software: LAN Base image
Enterprise-class intelligent services: advanced QoS, enhanced security, high availability
Cisco Catalyst 2960-24TT-L: 24 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-24TC-L: 24 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960G-24TC-L: 20 10/100/1000 ports, 4 dual-purpose uplink ports
Cisco Catalyst 2960-24PC-L: 24 10/100 PoE ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960-24LT-L: 24 10/100 ports (8 PoE ports), 2 10/100/1000 uplink ports
Cisco Catalyst 2960-48TT-L: 48 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-48TC-L: 48 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960G-48TC-L: 44 10/100/1000 ports, 4 dual-purpose uplink ports
Cisco Catalyst 2960-8TC-L: 8 10/100 ports, 1 dual-purpose uplink port, compact form factor with no fan
Cisco Catalyst 2960G-8TC-L: 7 10/100/1000 ports, 1 dual-purpose uplink port, compact form factor with no fan
Cisco Catalyst 2960PD-8TT-L: 8 10/100/1000 ports, 1 10/100/1000 PoE input port, compact form factor with no fan

Cisco Catalyst 2960 LAN Lite Series: Model Overview
Software: LAN Lite image
Entry-level QoS, security, and availability with a focus on ease of use and lower total cost of ownership
Cisco Catalyst 2960-48TC-S: 48 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960-48TT-S: 48 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-24-S: 24 10/100 ports
Cisco Catalyst 2960-24TC-S: 24 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960-8TC-S: 8 10/100 ports, 1 dual-purpose uplink port, compact form factor with no fan
(The slide marks four of these models with an availability date of Sep. 08.)
Note: Cisco Catalyst 2960 switches cannot be upgraded or downgraded between LAN Base and LAN Lite software.

Cisco Catalyst 2960 Power over Ethernet (PoE) Switches
Benefits
Prepare the network for IP telephony and wireless access.
Eliminate the need for separate electrical wiring.
Protect your investment and avoid a costly upgrade.
Cisco pre-standard PoE and 802.3af are fully supported.
Cisco IOS provides intelligent power management with granular control.
Wide selection of standards-based IEEE 802.3af-powered devices: IP phones, wireless access points, surveillance cameras, access card readers.

A Glimpse into the Future: The Ethernet-Powered Organization
(Diagram: a resilient, available IP network with scalable power delivery feeding a powered IP telephone, wireless access points, building access control, IP integrated video surveillance, and fire protection)
Power over Ethernet (PoE) delivers 48V DC power over a standard copper Ethernet cable.
The power and the network are used by the connected devices for their operation.

Extending the Versatility of Ethernet: The Benefits of Powering Devices with Ethernet
Power over Ethernet extends the value, simplicity, and flexibility of Ethernet to enable new uses for the network.
AC-Free Deployments
Mobility and Simplicity
Safety
Operational Resiliency
Simplified Manageability
Reduced Capex and Opex
Source: Cisco 802.3af Power over Ethernet, S.P. Shalita, February 2004, R10b

Cisco Catalyst 2960 Compact Switches
Meeting unique physical requirements of the office workspace, conference rooms, classrooms, and micro branch offices
Small size (H x W x D): 4.4cm x 27cm x 1623cm
Flexible wall and under-the-desk mounting
Durable metal shell
Cable guard
Internal power supply and right-angle power cord
Passive cooling (no fan)
Magnet included
Security locking slot
19-inch rack mount option

Cisco Catalyst 2960 Supported Small Form-Factor Pluggable Modules
(Diagram: SFP transceiver with LC connectors)
SFP Transceiver                     LAN Base Switches   LAN Lite Switches
GLC-LH-SM=                          Yes                 Yes
GLC-SX-MM=                          Yes                 Yes
GLC-ZX-SM=                          Yes                 No
GLC-T=                              Yes*                Yes
GLC-BX-D=, GLC-BX-U=                Yes                 No
GLC-GE-100FX=, GLC-FE-100FX=        Yes*                Yes
GLC-FE-100LX=                       Yes                 No
GLC-FE-100BX-D=, GLC-FE-100BX-U=    Yes                 No
CWDM SFPs                           Yes                 No
* GLC-T and GLC-GE-100FX are not supported on the Cisco Catalyst 2960-8TC-S, 2960-8TC-L and 2960G-8TC-L switches. For 100BASE-FX connectivity, use the GLC-FE-100FX instead for compact switches.

Dual-Purpose Uplink Port Behavior
Only one port, either SFP or 10/100/1000 copper, will be active at any time.
Users can manually select the media type using the media-type [sfp] or [rj45] interface command, or leave it to auto-select.
SFP always gets the preference on switch boot-up or when the interface is enabled (shut/no shut). In all other cases, the media that links up first will be selected as the active media.
(Diagram: the SFP and copper connectors of the dual-purpose uplinks, labeled A, B, C and D)
Dual-Purpose Uplink Combination   Validity
A + B                             No
A + C                             Yes
A + D                             Yes
B + C                             Yes
B + D                             Yes
C + D                             No

Redundant Power System 2300
Benefits
Increases network availability.
Seamlessly provides backup power to network devices.
Modular power supplies and fan for flexibility and increased availability.
Management and configuration capabilities allow users to define and implement the failover policy.
Easier to Use
Six RPS connectors; up to two switches are actively backed up.
Seamless failover to RPS 2300 when the switch power supply fails.
RPS 2300 and switch can have separate AC sources.
Greater Modularity
Uses the same 1150W and 750W power supplies as the Cisco Catalyst 3750E and 3560E switches.
Replaceable fan module.
Note: Cisco Catalyst 2960 LAN Lite switches and Cisco Catalyst 2960 Compact switches do not have RPS support. Catalyst 2960 PoE switches require CAB-2300-E=, which allows users to manage the RPS via the switch.

Services and Warranty for the Cisco Catalyst 2960 Series
Limited lifetime hardware warranty
Advance replacement shipping within 10 business days
Guest access to Cisco.com
Ongoing Cisco IOS Software updates at no additional cost
Cisco SMARTnet and SMARTnet Onsite Support
Around-the-clock, global access to the Cisco Technical Assistance Center (TAC)
Access to the extensive Cisco.com knowledgebase and tools
Next-business-day advance hardware replacement (premium options available for business-critical devices, such as two-hour replacement and onsite parts replacement and installation)
Cisco Smart Foundation Service (formerly SMB Support Assistant)
Cisco Foundation Technology Optimization Service

Agenda: Intelligent Services

Cisco Catalyst Intelligent Switching Infrastructure
Intelligent Switching is a common foundation of capabilities across Cisco Catalyst switches.
Performance, Availability: wire-speed forwarding; no performance effect with all services enabled
QoS: Layer 2, 3, 4 classification; policing and shaping; multiple queues; granular control
Security: Layer 2, 3, 4 access control; identity-based authentication; management security; admission control
Manageability: end-to-end manageability for centralized administration; web-based or command-line interface (CLI); analysis and planning tools

Intelligence Through More Capable ASICs
Layer 2 switches are limited to the processing and forwarding of Layer 2 information.
Multilayer switches can look deeper into the frame and make intelligent decisions based on Layer 3 or Layer 4 information.
Examples of why this is useful:
Preserve bandwidth by limiting traffic based on a user's IP address.
Preserve bandwidth by limiting traffic based on applications using a constant TCP/UDP port number (Web browsing, enterprise resource planning (ERP) applications, etc.).
Prevent access to network resources based on a user's IP address.
Classify and mark traffic based on Layer 3 QoS (DSCP).
Cisco innovative ASICs with Cisco IOS software integration enable superior intelligent services that will not bottleneck the network.
Frame layout (not to scale):
Layer 2 Info: MAC DA, MAC SA, Length, 802.1Q/1p
Layer 3 Info: IP Header Info, TOS, IP SA, IP DA
Layer 4 Info: TCP/UDP Header
DATA

Cisco Catalyst Intelligent Switching Infrastructure: Advanced QoS
(Other pillars: Security, Availability, Manageability)
Features
Layer 2, 3, 4 traffic classification
Shaping, sharing, and policing
Granular control
Wire-speed performance
Benefits
Manage bandwidth to meet business priorities
Maintain performance for time-sensitive applications
Better meet defined SLAs
Suffer no performance degradation with services enabled

Where Congestion Exists, QoS Is Required
Points of aggregation: links and buffers (aggregation speed mismatch, for example 1000 Mbps feeding 10 Mbps)
Points of substantial speed mismatch: LAN to WAN (for example 10 Mbps feeding 64 kbps)
Transmit buffers tend to fill (TCP windowing)
Buffering reduces loss, introduces delay

Not All Traffic Is Created Equal
                         Voice            Video             Data (Best Effort)  Mission-Critical Data
Bandwidth                Low to Moderate  Moderate to High  Moderate to High    Low to Moderate
Random Drop Sensitivity  Low              Low               High                High
Delay Sensitivity        High             High              Low                 Moderate to High
Jitter Sensitivity       High             High              Low                 Low to Moderate

Cisco Catalyst 2960 Series Extensive QoS Features
(Diagram: RX, then ingress classify, police and mark, then ingress queuing/scheduling with congestion control, then egress queuing/scheduling with congestion control over Queue 1 to Queue 4, then TX)
Traffic Classification and Marking for Differentiated Services: per-port or individual/aggregate flow classification and rewriting of MAC address, 802.1p CoS/DSCP, IP address, and TCP/UDP port
Admission Control: input and output policing per port to prevent network congestion
Advanced Traffic Shaping and Scheduling: four queues per port, shaped round robin, strict priority queuing

Auto QoS
One command per interface to enable and configure QoS.
Modifies global and interface settings to make QoS for VoIP work.
(Diagram: WAN, Cisco CallManager, Cisco Unity software, voice applications, voice gateways)

Campus QoS Considerations: Trust Boundary Extension and Operation
(Diagram: PC on PC VLAN 10 behind an IP phone on phone VLAN 110; the trust boundary sits at the phone)
1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone ("I see you're an IP phone, so I will trust your CoS").
2. Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic (Voice = 5, Signaling = 3).
3. Phone rewrites CoS from the PC port to 0; all PC traffic is reset to CoS 0, even when the PC sets CoS to 5 for all traffic.
4. Switch trusts CoS from the phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0.
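The frame fields from the "Intelligence Through More Capable ASICs" slide and the trust-boundary steps above, worked as an added Python example (illustrative code, not Cisco's and not from the presentation): it parses a constructed 802.1Q-tagged IPv4 frame down to the TCP/UDP ports, applies the CoS-to-DSCP map the slide gives (5 = 46, 3 = 24, 0 = 0) only when CDP has identified a phone on the port, and evaluates a constructed Layer 3/4 ACL of the kind the ASIC slide describes. The MAC and IP addresses, the ACL entries and the CoS*8 fallback for CoS values the slide does not list are assumptions.

```python
import struct

# CoS-to-DSCP map shown on the trust-boundary slide: CoS 5 = DSCP 46, CoS 3 = DSCP 24,
# CoS 0 = DSCP 0. CoS values the slide does not list fall back to CoS*8 (class selector),
# which is an assumption of this example, not something the presentation states.
COS_TO_DSCP = {5: 46, 3: 24, 0: 0}


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(mac_da, mac_sa, cos, vlan, ip_sa, ip_da, proto, sport, dport, dscp=0):
    """Constructed 802.1Q-tagged IPv4 frame with a minimal TCP/UDP header (checksums left 0)."""
    tci = (cos << 13) | vlan                     # PCP(3) DEI(1) VID(12)
    eth = (bytes.fromhex(mac_da.replace(":", "")) + bytes.fromhex(mac_sa.replace(":", ""))
           + struct.pack("!HHH", 0x8100, tci, 0x0800))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, proto, 0,
                     _ip_bytes(ip_sa), _ip_bytes(ip_da))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4


def parse_frame(frame: bytes) -> dict:
    """Pull out the fields of the slide's frame layout: Layer 2 (MAC DA, MAC SA, 802.1Q/1p),
    Layer 3 (TOS/DSCP, IP SA, IP DA) and Layer 4 (TCP/UDP ports)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"mac_da": frame[:6].hex(":"), "mac_sa": frame[6:12].hex(":"),
            "cos": None, "vlan": None}
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["cos"], info["vlan"], off = tci >> 13, tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return info                              # not IPv4: only Layer 2 info is available
    ihl = (frame[off] & 0x0F) * 4
    info.update(dscp=frame[off + 1] >> 2, proto=frame[off + 9],
                ip_sa=_ip_str(frame[off + 12:off + 16]),
                ip_da=_ip_str(frame[off + 16:off + 20]))
    l4 = off + ihl
    if info["proto"] in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def trust_boundary_dscp(info: dict, cdp_saw_phone: bool) -> int:
    """Step 4 of the slide: trust the frame's CoS only when CDP identified an IP phone on
    the port; any other port is untrusted and its CoS is reset to 0 before the map."""
    cos = info["cos"] if (cdp_saw_phone and info["cos"] is not None) else 0
    return COS_TO_DSCP.get(cos, cos * 8)


def acl_permits(info: dict, acl: list) -> bool:
    """First-match evaluation of a constructed Layer 3/4 ACL. Entries are
    (action, src_ip, proto, dport) with None as a wildcard; implicit deny at the end."""
    for action, src, proto, dport in acl:
        if src is not None and info.get("ip_sa") != src:
            continue
        if proto is not None and info.get("proto") != proto:
            continue
        if dport is not None and info.get("dport") != dport:
            continue
        return action == "permit"
    return False


# Constructed traffic: voice from the phone (CoS 5, VLAN 110) and web traffic from the PC
# that the phone has already rewritten to CoS 0 on VLAN 10.
PHONE_VOICE = build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:01", 5, 110,
                          "10.1.110.20", "10.1.110.50", 17, 16384, 16384, dscp=46)
PC_WEB = build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:02", 0, 10,
                     "10.1.10.20", "192.0.2.80", 6, 40000, 80)
# Constructed ACL: keep one user's IP address off TCP port 80 (a constant port), allow the rest.
ACL = [("deny", "10.1.10.20", 6, 80), ("permit", None, None, None)]

if __name__ == "__main__":
    for name, frame in (("phone voice", PHONE_VOICE), ("pc web", PC_WEB)):
        info = parse_frame(frame)
        print(name, "vlan", info["vlan"], "dscp", trust_boundary_dscp(info, True),
              "permitted", acl_permits(info, ACL))
```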

Cisco IOS IP SLAs
(Diagram: an IP SLA source sends probes to a destination IP server, with a Catalyst 2960 acting as responder; results are available as MIB data)
Uses actively generated traffic to measure the network, with defined packet size, spacing, CoS, and protocol.
Protocols measured: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP (G711, G729)
Measurement metrics: latency, network jitter, distribution of statistics, connection loss (reachability), packet loss, elapsed time
Uses: TCP/IP performance, service level agreements (SLAs), network assessment, health monitor, VoIP monitoring, availability operations

Cisco Catalyst Intelligent Switching Infrastructure: Security
(Other pillars: Advanced QoS, Availability, Manageability)
Features
Identity-based authentication
Wire-speed access control lists
Controlled access to system maintenance
Integrated security services
Benefits
Authenticate and control access based on user identity
Protect critical business assets
Prevent downtime
Prevent network attacks from within

Cisco Catalyst Switching Integrated Security
Secure Connectivity: SSL, SSH, SNMPv3
Threat Defense: man-in-the-middle attack mitigation (port security, DHCP snooping), L2-4 ACLs, private VLAN edge, scavenger-class QoS
Trust and Identity: Cisco Trust Agent, Network Admission Control, quarantine VLAN (remediation), identity-based networking (802.1x extensions), web- and MAC-based authentication

The Need for Admission Control
Viruses, worms, spyware, etc. are still the #1 cause of financial loss.* Downtime, recovery, lost productivity, credibility, legal implications.
Users are routinely authenticated, but endpoint devices (laptops, PCs, PDAs) are not checked for security policy compliance.
Unprotected endpoints spread infection: required security software not installed, disabled, or out of date.
Checking for compliance is difficult and expensive.
"Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." (Burton Group)
*2005 FBI/CSI Report.

Network Admission Control Options
Two paths, both taking advantage of the Cisco network:
NAC Framework: vendor products assess and remediate across an intelligent network. Components: Cisco Trust Agent on the host, Cisco network access device, AAA (authentication, policy, enforcement, discovery), remediation.
Cisco Clean Access (NAC Appliance): an easily deployed NAC appliance that authenticates, assesses, and remediates. Components: Clean Access Agent on the host, Cisco network access device, NAC appliance (authentication, policy, enforcement, discovery), remediation.

Security: NAC Framework Deployment Options on Fixed-Configuration Switches
Switch Models
  LAN Port 802.1X: Cisco Catalyst 3750, Catalyst 3560, and Catalyst 2960
  LAN Port IP: Cisco Catalyst 3750 and Catalyst 3560
Credentials
  LAN Port 802.1X: carries credentials inside EAPoL along with user authentication
  LAN Port IP: carries credentials inside EAPoUDP, completely independent of any user authentication
Trigger
  LAN Port 802.1X: triggered by the normal 802.1X exchange
  LAN Port IP: triggered by ARP or DHCP traffic from the host
Enforcement Policy
  LAN Port 802.1X: RADIUS VLAN assignment
  LAN Port IP: RADIUS IP downloadable ACLs
Client Requirements
  LAN Port 802.1X: requires an enhanced supplicant with Cisco Trust Agent built in
  LAN Port IP: can be used with or without Cisco Trust Agent (clientless host)

Cisco Catalyst Access Control Lists
What It Does:
Allows or denies access based on the source or destination address.
Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information.
Benefits:
Prevents unauthorized access to servers and applications.
Allows designated users to access specified servers.
Takes advantage of TCAMs, enabling wire-speed performance; forwarding performance is not compromised by ACLs because lookups are done in hardware.
Provides the ability to access-control all packets, either internally bridged within a VLAN or routed between VLANs.

Protecting Against Worms
How It Works: the ACL provides a mechanism to protect servers, users, and applications against worms by determining what traffic streams or users can access which ports.
Using ACLs, the virus or worm is not able to replicate from its hosts.
(Diagram: traffic to port 1434 is blocked from reaching the internal network)

Mitigating Unauthorized Devices: Protecting Against Well-Intentioned Users
Problem: well-intentioned users place unauthorized network devices on the network, possibly causing instability.
(Diagram: an unauthorized switch sends incorrect STP information toward the authorized switch and the enterprise server, causing network instability)
Solution: Cisco Catalyst switches support rogue BPDU filtering: BPDU Guard, Root Guard.
(Diagram: with Root Guard and BPDU Guard on the authorized switch, the unauthorized switch is kept from influencing the topology; Cisco Secure ACS shown alongside the enterprise server)

Secure Connectivity
Secure Shell (SSH) Protocol: SSH encrypts administration traffic during terminal (Telnet-style) sessions while configuring or troubleshooting switches.
Secure Sockets Layer (SSL): SSL encrypts network management traffic, allowing the secure use of tools such as the Cisco Network Assistant.
SNMPv3 (with crypto support): SNMPv3 provides network security by encrypting administrator traffic during SNMP sessions to configure or troubleshoot switches.
Kerberos: Kerberos authenticates users and network services using a trusted third party to perform secure verification.
Secure Copy: SCP provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on SSH.
(Diagram: encrypted data between the management station and the switch)

Securing Layer 2 from Surveillance Attacks: Cutting Off MAC-Based Attacks
Problem: script-kiddie hacking tools enable attackers to flood switch CAM tables with bogus MAC addresses, turning the VLAN into a hub and eliminating privacy. The switch CAM table limit is a finite number of MAC addresses.
(Diagram: 250,000 bogus MAC addresses per second, such as 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb, arriving on one port)
Solution: port security limits the MAC flooding attack, locks down the port, and sends an SNMP trap.
(Diagram: only 3 MAC addresses allowed on the port; further addresses cause a shutdown)
Configuration shown on the slide:
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
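The port-security behaviour configured above, as an added simulation in Python (illustrative code, not the presentation's and not Cisco's): a port that learns at most three secure MAC addresses, applies the IOS violation modes (protect, restrict, shutdown) to any further address, ages out inactive addresses after the configured 2 minutes, and is replayed against a burst of bogus source MACs like the one the slide describes. The addresses, timestamps and trap representation are constructed.

```python
# Assumed violation modes follow IOS semantics: protect drops silently, restrict drops,
# counts the violation and sends an SNMP trap, shutdown additionally error-disables the port.
VIOLATION_MODES = ("protect", "restrict", "shutdown")


class PortSecurity:
    """Model of one access port with 'switchport port-security maximum 3', a violation
    mode and inactivity aging (constructed illustration, not switch code)."""

    def __init__(self, maximum=3, violation="restrict", aging_minutes=2):
        if violation not in VIOLATION_MODES:
            raise ValueError(violation)
        self.maximum = maximum
        self.violation = violation
        self.aging_seconds = aging_minutes * 60
        self.secure = {}          # secure MAC -> time it was last seen on this port
        self.errdisabled = False
        self.violations = 0
        self.traps = []           # SNMP traps the switch would emit

    def _age_out(self, now):
        """'aging type inactivity': forget addresses idle longer than the aging time."""
        for mac, seen in list(self.secure.items()):
            if now - seen > self.aging_seconds:
                del self.secure[mac]

    def ingress(self, src_mac, now):
        """Return 'forward' or 'drop' for a frame with source src_mac arriving at time now."""
        if self.errdisabled:
            return "drop"
        self._age_out(now)
        if src_mac in self.secure or len(self.secure) < self.maximum:
            self.secure[src_mac] = now      # learn a new secure address or refresh one
            return "forward"
        # Table full and src_mac is not one of the secure addresses: a violation.
        if self.violation == "protect":
            return "drop"
        self.violations += 1
        self.traps.append(("psecure-violation", src_mac))
        if self.violation == "shutdown":
            self.errdisabled = True         # port stays down until an operator resets it
        return "drop"


def replay_flood(port, count, now):
    """Feed `count` distinct constructed source MACs to the port at once, the way the
    flooding traffic on the slide would arrive, and return how many frames got forwarded."""
    forwarded = 0
    for i in range(count):
        mac = "00:0e:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if port.ingress(mac, now) == "forward":
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    port = PortSecurity()            # maximum 3, violation restrict, aging time 2 (minutes)
    print("forwarded during flood:", replay_flood(port, 250_000, now=0))
    print("violations:", port.violations, "traps:", len(port.traps))
```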

Voice (VLAN) Aware Port Security
Scenario: IP phone + host on the same switch port.
Port security and STP violations are now VLAN/voice aware.
Violations for the host only affect the data VLAN: only the affected VLAN is placed in the error-disable state; the voice VLAN remains unaffected.
Improves network availability.

DHCP Spoofing Attack
Problem:
A malicious user pretends to be the network DHCP server.
A misconfigured user starts up a DHCP server incorrectly.
A malicious user can send out bogus addresses, deplete the address space, or spoof the default gateway.
(Diagram: the victim's DHCP Discovery broadcast reaches both the legitimate DHCP server and an untrusted DHCP server on a user port; the rogue DHCP Offer carries IP: 10.1.1.20/24, GW: 10.1.1.1, DNS: 192.168.1.122)
Solution:
Do not trust user ports, so that only DHCP requests can be sent from them.
Snoop DHCP information for integrity.

DHCP Snooping
(Diagram: DHCP snooping enabled; the DHCP client sits on an untrusted port and the DHCP server on a trusted port; the client's DHCP Request is forwarded, while a DHCP ACK from a rogue server on an untrusted port is dropped)
What It Does: the switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic. DHCP snooping allows only designated DHCP ports or uplink ports marked trusted to relay DHCP messages. It builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number.
Benefit: DHCP snooping prevents rogue devices from behaving as the DHCP server.
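The forwarding rules described above, as an added Python model (illustrative code, not the presentation's and not Cisco's): untrusted ports may only send client messages whose frame source MAC matches the client hardware address (the integrity check IOS performs when MAC verification is on), server messages arriving on an untrusted port are dropped, and a binding (client IP, MAC, port, VLAN) is recorded when the ACK comes in through a trusted port. Messages are constructed records rather than parsed packets; the port names, MACs and the 10.1.1.20 rogue offer from the previous slide are the sample data.

```python
from dataclasses import dataclass, field

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    """Constructed view of one DHCP message as the switch sees it."""
    port: str
    vlan: int
    src_mac: str      # Ethernet source address of the frame
    chaddr: str       # client hardware address inside the DHCP payload
    msg_type: str
    yiaddr: str = ""  # address offered/acknowledged (server messages only)


@dataclass
class DhcpSnooping:
    trusted: set                                   # ports allowed to relay server messages
    bindings: dict = field(default_factory=dict)   # client MAC -> (ip, port, vlan)
    pending: dict = field(default_factory=dict)    # client MAC -> port its request came from
    log: list = field(default_factory=list)

    def process(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' and update the binding table on the way."""
        if m.port in self.trusted:
            # Trusted (server or uplink) ports relay anything; an ACK completes a binding
            # for the client that asked, on the access port where its request came in.
            if m.msg_type == "ACK" and m.chaddr in self.pending:
                self.bindings[m.chaddr] = (m.yiaddr, self.pending.pop(m.chaddr), m.vlan)
            return "forward"
        if m.msg_type in SERVER_MSGS:
            self.log.append(f"{m.port}: dropped {m.msg_type} from untrusted port (rogue server)")
            return "drop"
        if m.msg_type not in CLIENT_MSGS or m.src_mac != m.chaddr:
            # Integrity check: the frame's source MAC must match the client hardware address.
            self.log.append(f"{m.port}: dropped {m.msg_type}, source MAC does not match chaddr")
            return "drop"
        if m.msg_type == "RELEASE":
            bound = self.bindings.get(m.chaddr)
            if bound is None or bound[1] != m.port:
                self.log.append(f"{m.port}: dropped RELEASE for a lease not bound to this port")
                return "drop"
            del self.bindings[m.chaddr]
            return "forward"
        self.pending[m.chaddr] = m.port
        return "forward"


# Constructed exchange: the victim client on Fa0/1, a rogue server on user port Fa0/5 that
# sends the slide's bogus offer, and the real server behind trusted uplink Gi0/1.
CLIENT, ROGUE, SERVER = "00:00:5e:00:53:10", "00:00:5e:00:53:66", "00:00:5e:00:53:01"
EXCHANGE = [
    DhcpMsg("Fa0/1", 10, CLIENT, CLIENT, "DISCOVER"),
    DhcpMsg("Fa0/5", 10, ROGUE, CLIENT, "OFFER", yiaddr="10.1.1.20"),
    DhcpMsg("Gi0/1", 10, SERVER, CLIENT, "OFFER", yiaddr="10.1.10.25"),
    DhcpMsg("Fa0/1", 10, CLIENT, CLIENT, "REQUEST"),
    DhcpMsg("Gi0/1", 10, SERVER, CLIENT, "ACK", yiaddr="10.1.10.25"),
    DhcpMsg("Fa0/5", 10, ROGUE, CLIENT, "RELEASE"),   # forged release: source MAC mismatch
]


def run_exchange(msgs, trusted=("Gi0/1",)):
    """Run the messages through a fresh snooping instance; return (verdicts, bindings, log)."""
    snoop = DhcpSnooping(trusted=set(trusted))
    verdicts = [snoop.process(m) for m in msgs]
    return verdicts, snoop.bindings, snoop.log


if __name__ == "__main__":
    verdicts, bindings, log = run_exchange(EXCHANGE)
    for m, v in zip(EXCHANGE, verdicts):
        print(f"{m.port:6} {m.msg_type:8} -> {v}")
    print("binding table:", bindings)
    print("\n".join(log))
```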

Identity-Based Network Services
What It Does: using the 802.1x standard with Cisco enhancements, the network grants privileges based on user login information, regardless of the user's location or device.
Benefits:
Allows different people to use the same PC and have different capabilities.
Ensures that users get only their designated privileges, no matter how they are logged into the network.
Reports unauthorized access.

Identity-Based Network Services
How It Works: all users trying to enter the network must receive authorization based on their personal username and password.
(Diagram: client, accessing switch, and TACACS+ or RADIUS server; a valid username and valid password are answered Yes, an invalid username or invalid password is answered No)
Equivalent to placing a security guard at each switch port.
Only authorized users can get network access.
Unauthorized users can be locked out or placed into guest VLANs.
These services prevent unauthorized or rogue access points.

Standard 802.1x/VLAN Assignment
Restricts users to a specified VLAN to limit their network access.
Standard 802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to that port.
The RADIUS server database maintains the username-to-VLAN mappings.
Authentication is similar to the VMPS/VQP function, except that it uses 802.1x/RADIUS as the authentication mechanism.
(Diagram: 802.1x switched LAN, requires 802.1x clients. 1. The switch asks the RADIUS server "User ok?" 2. RADIUS answers "Authentication ok, assign VLAN3 and ACL14 to Accountant on port5".)
Marketing Mgr: is on the Marketing VLAN, and cannot access any finance or accounting servers.
Accountant: is on the Finance VLAN but can access only the accounting server.
Finance Mgr: is on the Finance VLAN and can access all finance and accounting servers.

Standard 802.1x and Voice VLAN
When the switch recognizes through Cisco Discovery Protocol that a Cisco phone is attached to the port, voice traffic is allowed onto the auxiliary VLAN without the authentication of the supplicant on the primary VLAN.
The non-IP-phone supplicant (PC) connected to the port is authenticated through 802.1x and uses the PVID.
The IP phone has access to the VVID for its voice traffic regardless of the authorized or unauthorized state of the port.
(Diagram: voice traffic allowed through Cisco Discovery Protocol; the PC needs to authenticate with 802.1x)

Web Authentication for Non-802.1x Users
(Diagram: HTTP login prompt, RADIUS authentication, user authenticated)
User starts an HTTP or HTTPS connection.
Switch intercepts and prompts for user login/password.
Switch sends the user credentials to the RADIUS server.
User is authenticated.
Proxy ACL is downloaded (mapped to the host IP).

Multi-Domain Authentication (MDA)
Deployment: IP phone (Cisco or 3rd party) + single host behind the phone.
Enhanced security with independent 802.1x authentication and authorization of IP phone and host.
Host is placed in the data VLAN, and the IP phone in the voice VLAN, on the same switch port.
Data VLAN can be downloaded from the RADIUS server.
MAC Auth Bypass: a non-802.1x IP phone and host can be authenticated using the MAC address of the device.
(Diagram: voice domain and data domain on one switch port)

The Cisco Advantage with IBNS
802.1x with Integrated Port Security
802.1x Wake on LAN
802.1x with Dynamic VLAN Assignment
802.1x with Guest VLAN
802.1x with Voice VLAN ID Support
802.1x with RADIUS Assigned ACL
802.1x MAC Authentication Bypass
802.1x Auth-Fail-VLAN
802.1x AAA-Fail-Open
802.1x MIB and Accounting
802.1x Web-Based Proxy
802.1x Readiness Check
802.1x Multi-Domain Authentication
Cisco's experience and leadership make 802.1x integrated and deployable through Identity-Based Network Services.

Cisco Catalyst Intelligent Switching Infrastructure: Availability
(Other pillars: Advanced QoS, Security, Manageability)
Features
Wire-speed forwarding
No performance effect with all services enabled
Load balancing
Redundancy
Benefits
Network remains operable despite failures
Defined SLAs can be met
Offers business resiliency
Reduces maintenance costs

Wire-Speed Services
Wire-speed, high-touch services with no performance hit: the services load (for example, ACLs, QoS, and multicast) is carried by hardware services, whereas software-based services suffer packet drops, cache misses, and CPU overload.
35 Mpps
512 QoS policies
1024 security policies
64 policers
4 queues per port

IEEE 802.1s/w
Standards 802.1s and 802.1w enable a loop-free Layer 2 network.
Uses as few spanning-tree instances as possible.
The multiple spanning-tree system allows for larger Layer 2 topologies.
Rapidly accelerates convergence if a failure occurs.
The standards save CPU cycles and are interoperable across multiple vendors.
The Cisco implementation enables smooth migration to Multiple Spanning Tree from Per-VLAN Spanning Tree Plus (PVST+) while preserving full standards compliance.
Cisco extended the 802.1s/w standards by automatically running 802.1w spanning tree when 802.1s is configured.

FlexLinks: L2 Redundancy
Achieve Layer 2 redundancy without requiring STP (Spanning Tree Protocol).
Access switches with backup links to distribution switches are deployed as a FlexLink pair.
Fast convergence upon forwarding link failover: sub-100 msec cutover.
Convergence time is independent of the number of VLANs and MAC addresses.
(Diagram: access switches dual-homed to distribution switches)

FlexLinks: L2 Redundancy
(Diagram: a Cisco Catalyst 2960 with an active link and a backup link to two Cat6K distribution switches; the active link fails)
1. Primary link down detected (24 msec poll).
2. Backup link becomes the active link.

Flexlink Performance Timings (in milliseconds)
VLANs  MACs  MSTP UpStrm  MSTP DnStrm  Flexlink UpStrm  Flexlink DnStrm
1      2     144          143          19               31
32     1280  1033         1231         20               199
64     2560  1581         1899         45               590
128    3840  2423         3022         16               633
1000   6000  7507         8454         46               4820

Flexlink VLAN Load Balancing
(Diagram: Cisco Catalyst 2960 uplinks gi2/0/8 and gi2/0/6)
Primary link carries VLANs 60, 50; backup link carries VLAN 20.
When the primary link is detected down, the backup carries VLANs 60, 50, 20.

Cisco Catalyst 2960 Multicast Support
IGMP snooping used for managing group membership information
Per-port broadcast, multicast, and unicast storm control
Multicast VLAN registration
Virtual Trunking Protocol pruning
(Diagram: multicast servers (source) and hosts (receivers or groups) across the LAN)

IPv6 Host and IPv6 MLD Snooping
IPv6 host support is a key capability allowing the switch to be managed in an IPv6 network.
Multicast Listener Discovery (MLD) snooping enables efficient and selective distribution of IPv6 multicast data to client VLANs.
IPv6 Host Features
Dual v4/v6 stack
Unicast address types
Ping/ICMPv6/redirect
AAAA DNS lookups over v4
Secure Shell over v6
Input ACLs, control plane only
CDP neighbor discovery
Telnet/DNS/TFTP/Traceroute
IPv6 Express setup
TCAM templates
IPv6 SNMP (New)
IPv6 Syslog (New)
IPv6 HTTP support (New)
IPv6 autoconfiguration (New)

Cisco Catalyst Intelligent Switching Infrastructure: Manageability
(Other pillars: Advanced QoS, Security, Availability)
Features
End-to-end manageability using a common set of management tools
Centralized administration and software upgrades
Web-based access
Benefits
Simplify implementation, troubleshooting, and upgrades
Reduce operational costs
Simplify intelligent service implementation
Reduce maintenance costs
DHCP Auto Install and Auto Image
- Simplifies deployment of a large number of switches
- Auto installation of configuration and IOS image
DHCP auto image (New): allows automatic image download.
DHCP-based auto configuration: allows a switch to download a config from a TFTP server.
[Figure: new switch, DHCP server, TFTP server; install configuration.]
Integrated Time Domain Reflectometer (TDR)
Layer 1 troubleshooting tool. TDR helps to determine:
- The length of a cable
- Whether the cable is correctly wired internally (pin-to-pin wire mapping)
- Whether the cable contains a short circuit (wires touching each other through damaged or missing insulation)
- Whether the cable contains a broken wire (called an open)
- Whether the cable suffers from electrical crosstalk (interference)
MIB: CISCO-CABLE-DIAG-MIB
[Figure: cable between two ports with a cable fault.]
UniDirectional Link Detection (UDLD): Protecting Against One-Way Communication
Highly available networks require UDLD to protect against one-way communication or partially failed links and the effect that they could have on protocols like STP and RSTP.
Primarily used on fiber optic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs.
Neighboring ports should see their own device/port ID (echo) in the packets received from the other side. Failing to receive this information indicates misconfiguration and the port is error-disabled.
[Figure: two switch pairs exchanging UDLD hellos: "Are you echoing my hellos?"]
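A simplified model of the echo check described above, added here as an illustration and not Cisco's UDLD implementation: each port sends a hello carrying its own ID plus the IDs it has heard, and err-disables itself when a neighbor's hello stops echoing it. The port names, the hello dictionary format and the ring-style patch-panel miswiring scenario are constructed assumptions.

```python
"""Toy model of the UDLD echo check (added example, not Cisco code): a port
err-disables itself when received hellos do not echo its own device/port ID."""
from dataclasses import dataclass, field

@dataclass
class Port:
    device: str
    name: str
    heard: set = field(default_factory=set)  # neighbor IDs seen in received hellos
    err_disabled: bool = False

    @property
    def port_id(self) -> str:
        return f"{self.device}:{self.name}"

    def hello(self) -> dict:
        # A hello carries the sender's ID plus the IDs it has heard (the echo).
        return {"sender": self.port_id, "echo": set(self.heard)}

    def receive(self, pkt: dict) -> None:
        self.heard.add(pkt["sender"])
        # Judge the echo only once the neighbor has heard someone; an empty echo
        # just means the neighbor has not completed a round yet.
        if pkt["echo"] and self.port_id not in pkt["echo"]:
            self.err_disabled = True  # the far side never hears us: one-way path

def run_rounds(links: dict, ports: dict, rounds: int = 3) -> dict:
    """links maps sender port name -> receiver port name (one entry per strand).
    Returns {port name: err_disabled} after the given number of hello rounds."""
    for _ in range(rounds):
        pkts = {name: p.hello() for name, p in ports.items()}
        for src, dst in links.items():
            ports[dst].receive(pkts[src])
    return {name: p.err_disabled for name, p in ports.items()}

def build_ports() -> dict:
    # Constructed ports on four devices A, B, C, D (hypothetical names).
    return {n: Port(n.split("-")[0], n) for n in ("A-gi1", "B-gi1", "C-gi1", "D-gi1")}

# Constructed scenarios: a correctly wired A<->B pair, versus a patch-panel error
# where A's TX reaches B but A's RX is fed by C, and so on around a ring. Every
# link is up/up, yet no port ever sees its own ID echoed back.
GOOD_LINKS = {"A-gi1": "B-gi1", "B-gi1": "A-gi1"}
MISWIRED_LINKS = {"A-gi1": "B-gi1", "B-gi1": "D-gi1", "D-gi1": "C-gi1", "C-gi1": "A-gi1"}

if __name__ == "__main__":
    print("good:", run_rounds(GOOD_LINKS, build_ports()))
    print("miswired:", run_rounds(MISWIRED_LINKS, build_ports()))
```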
Cisco Error Disable MIB
Error disable allows software features to disable a port or VLAN upon detecting abnormal conditions. It provides the ability to configure and monitor error disable conditions proactively.
Examples:
- Port security violations on a VLAN disable the VLAN.
- Storm control disables the port when the broadcast threshold is exceeded.
CISCO-ERR-DISABLE MIB:
- Provides the reason for a port/VLAN error disable condition.
- An automatic recovery time interval can be set; after this time, the port or VLAN is re-enabled.
- Generates a notification when error disable occurs (rate can be specified).
LLDP-MED
Superset of LLDP (IEEE 802.3ab Link Layer Discovery).
When do we need LLDP-MED?
- For interoperability between Cisco Catalyst switches and third-party IP phones for VLAN and power exchange.
- CDP provides Cisco end-to-end value add (granular power negotiation and many other capabilities).
LLDP-MED support:
- L2 neighbor discovery for IP phones.
- Allows exchange of VLAN and power (MED doesn't provide power negotiation).
LLDP-MED Location:
- Location is configured on the switch.
- Switch sends location to the IP phone using LLDP-MED.
- Enables location-based services.
Broadest Range of Network Management Products
[Figure: products plotted by Function and Flexibility against Price-Performance (from Free upward), across the Small and Medium Business, Enterprise, and Service Provider segments.]
- Catalyst Device Manager: one switch, initial setup only.
- Cisco Network Assistant: up to 40 switches and routers.
- CiscoWorks LAN Management Solution (LMS): thousands of devices; service management; WANs and LANs.
- WAN Manager: tens of thousands of devices; service provisioning; global WANs; Cisco IGX, BPX, and MGX switches only.
*Small Network Management Solution (SNMS)
CiscoWorks LAN Management Solution (LMS)
- Simplifies and automates tasks associated with day-to-day management: taking inventory, configuration, IOS software deployment, and troubleshooting.
- Breadth of device support (over 400 Cisco device types) provides a single application suite for managing most Cisco-labeled devices.
- Provides detailed visibility of users, ports, and network connectivity: topology services, user tracking, inventory.
- Automates the change management process, quickly identifying hardware, software, and configuration changes: change audit reports.
LMS is a suite of applications designed to simplify and augment the daily tasks required to manage a Cisco end-to-end network, reducing total cost of ownership and improving network availability.
Management Interfaces
- Cisco Network Assistant: manages a 40-device SMB network (router, switch, IP phone, wireless); Web-based (Java).
- Cisco Catalyst Device Manager: manages a single device; Web-based (HTML).
Express Setup
1. Power up the switch and hold the mode button for a few seconds until all the mode LEDs are green.
2. Connect the PC into the Ethernet port and launch the browser.
3. Launch the Express Setup page by entering the IP address of 10.0.0.1 in the browser.
4. Assign the switch IP address and management VLAN; enable the secret password, (optional) Telnet password, and SNMP configuration.
Cisco Catalyst Device Manager
Embedded in the switch.
View and configure a single switch using a Web browser.
Display switch trends, status, and port statistics.
Integrated Smart Ports for simple port configuration.
Cisco Network Assistant, Release 5.4
- Multi-product, multi-technology management tool
- Supports up to 40 devices (switches, routers, and firewalls) and unlimited IP phones and access points
- Interactive topology and front panel views
- Configuration, monitoring, troubleshooting, and network optimization
- Highlight your VLANs, Telnet to devices, drag-and-drop IOS upgrades
- Localized in French, Italian, German, Spanish, Chinese, and Japanese
- Free download: www.cisco.com/go/cna
[Figure: 700K+ downloads.]
The Business Relevance of Cisco Smartports
Cisco Smartports allows for simple and accurate deployment of high-value, network-optimizing intelligent features.
What It Does:
- Preconfigured macros enable fast and easy configuration of advanced Cisco Catalyst intelligent capabilities
- Quickly enables QoS, security, and availability features with a single command
- Offers granular flexibility on a per-port basis
- Provides ability to create customized macros
Benefits:
- Simplified feature deployment
- Less chance of errors
- Deployment consistency across the network
- Greater value from the intelligent network through increased feature usage
[Figure: campus switches connected to the Internet and Intranet.]
Cisco Smartports Transition
From This (manual configuration):

Global Commands
  errdisable recovery cause link-flap
  errdisable recovery cause udld
  errdisable recovery interval 60
  vtp domain [smartports]
  vtp mode transparent
  udld aggressive
  spanning-tree mode rapid-pvst
  spanning-tree loopguard default
  spanning-tree extend system-id

Interface Commands
  default interface range FastEthernet[1]/0/[1-48]
  interface range FastEthernet[1]/0/[1-48]
   switchport access vlan [data]
   switchport mode access
   switchport voice vlan [voice]
   switchport port-security
   switchport port-security maximum 3
   switchport port-security violation restrict
   switchport port-security aging time 2
   switchport port-security aging type inactivity
   auto qos voip cisco-phone
   spanning-tree portfast
   spanning-tree bpduguard enable

To This: Cisco Smartports
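As an added example (not Cisco or Smartports code), a short Python audit that checks the interface stanzas of an IOS running-config against the port-security, PortFast and BPDU guard lines from the template above, so drift from the baseline can be reported per port. The sample config text and interface names are constructed.

```python
"""Audit IOS interface stanzas against the Smartports access-port baseline above
(added example, not Cisco code)."""
# Interface-level lines the slide's Smartports access template applies.
REQUIRED = (
    "switchport mode access",
    "switchport port-security",
    "switchport port-security maximum 3",
    "switchport port-security violation restrict",
    "switchport port-security aging type inactivity",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
)

def parse_interfaces(config: str) -> dict:
    """Return {interface name: set of its indented config lines}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = set()
        elif line.startswith(" ") and current:
            stanzas[current].add(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas

def audit(config: str) -> dict:
    """Map each interface to the baseline lines it lacks (empty list = compliant)."""
    return {name: [req for req in REQUIRED if req not in lines]
            for name, lines in parse_interfaces(config).items()}

# Constructed sample: Fa0/1 matches the baseline; Fa0/2 allows 10 MACs, does not
# restrict violations and has no BPDU guard, so a rogue switch would go unnoticed.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 spanning-tree portfast
"""
```

Calling `audit(SAMPLE_CONFIG)` returns an empty list for FastEthernet0/1 and the four missing baseline lines for FastEthernet0/2.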
Agenda: Cisco Catalyst Switches Overview; Cisco Catalyst 2960 Product Overview; Intelligent Services; Feature Matrix
Cisco Catalyst 2960 Software Feature Matrix
For more detailed information, please read the Cisco Catalyst 2960 LAN Base and Cisco Catalyst 2960 LAN Lite datasheets.

Feature                        Cisco Catalyst 2960 LAN Lite  Cisco Catalyst 2960 LAN Base
Flash/DRAM                     32 / 64 MB                    32 / 64 MB
RPS Support                    No                            Yes
Jumbo Frames                   Yes                           Yes
VLANs                          64                            255
Disable MAC Learning per VLAN  No                            Yes
Voice VLAN                     Yes                           Yes
VTPv2                          Yes                           Yes
CDPv2                          Yes                           Yes
LLDP                           Yes                           Yes (+MED)
STP Instances                  64                            128
802.1w/802.1s                  Yes                           Yes
PVST/PVRST+                    Yes                           Yes
Port Fast/Uplink Fast          Yes                           Yes
802.3ad LACP                   Yes                           Yes
Enhanced PAgP for VSS          No                            Yes
Flex Link                      No                            Yes
Link State Tracking            No                            Yes
Quality of Service

Feature                         Cisco Catalyst 2960 LAN Lite  Cisco Catalyst 2960 LAN Base
Port CoS Trust/Override         Yes                           Yes
Trusted Boundary                No                            Yes
ACL Classification              No                            Yes
Ingress Policing (1MB incr.)    No                            Yes
Auto QoS                        No                            Yes
802.1p Queues                   4                             4
Shaped Round Robin Scheduling   Yes                           Yes
Priority Queuing                Yes                           Yes
Configure CoS Priority Queues   Yes                           Yes
Configure Queue Weights         No                            Yes
Configure Buffers/Thresholds    No                            Yes
Class & Policy Maps             No                            Yes
Modify CoS/DSCP Mapping         No                            Yes
DSCP Transparency               Yes                           Yes
Weighted Tail Drop              Yes                           Yes
Security

Feature                             Cisco Catalyst 2960 LAN Lite  Cisco Catalyst 2960 LAN Base
SSH/SSL/SCP                         Yes                           Yes
RADIUS/TACACS+                      Yes                           Yes
SNMPv3 crypto                       Yes                           Yes
802.1x                              Yes                           Yes
802.1x Accounting/MIB               Yes                           Yes
802.1x w/ Port Security             Yes                           Yes
802.1x w/ Voice VLAN                Yes                           Yes
802.1x Readiness Check              No                            Yes
802.1x Guest VLAN                   Yes                           Yes
802.1x VLAN assignment              Yes                           Yes
802.1x Auth-Fail VLAN               No                            Yes
802.1x AAA Fail Open                No                            Yes
802.1x Wake-On-LAN                  No                            Yes
802.1x RADIUS ACL Filter ID         No                            Yes
802.1x Multi-Domain Authentication  No                            Yes
802.1x MAC-Auth Bypass              Yes                           Yes
Web-Authentication                  No                            Yes
Security, Multicast, IPv6

Feature                                                   Cisco Catalyst 2960 LAN Lite  Cisco Catalyst 2960 LAN Base
Cisco NAC-NAD-MIB                                         No                            Yes
Cisco-PAE-MIB                                             No                            Yes
L2-4 ACLs (Port, Time, and DSCP-based)                    No                            Yes
BPDU/Root Guard                                           Yes (voice aware)             Yes (voice aware)
Port Security                                             Yes (voice aware)             Yes (voice aware)
DHCP Snooping                                             No                            Yes
DHCP Option 82                                            No                            Yes
DHCP Server                                               No                            Yes
Private VLAN Edge                                         Yes                           Yes
Storm Control                                             Yes                           Yes
Block Unknown Unicast/Multicast                           Yes                           Yes
IPv6 Host (SNMP, Syslog, HTTP, Auto configuration, Telnet, etc.)  No                    Yes
IPv6 MLD Snooping                                         No                            Yes
MVR                                                       No                            Yes
IGMP Snooping                                             Yes                           Yes
IGMP Filter/Throttle                                      Yes                           Yes
Management and Troubleshooting

Feature                       Cisco Catalyst 2960 LAN Lite  Cisco Catalyst 2960 LAN Base
Auto-MDIX                     Yes                           Yes
TDR                           Yes                           Yes
UDLD                          Yes                           Yes
IP SLA Responder              No                            Yes
Layer 2/IP Traceroute         Yes                           Yes
SPAN (number of sessions)     Yes (1)                       Yes (2)
RSPAN                         No                            Yes
Express Setup                 Yes                           Yes
Device Manager                Yes                           Yes
Cisco Network Assistant       Yes                           Yes
Smartports + Adviser          Yes                           Yes
Troubleshooting Adviser       Yes                           Yes
Drag-and-drop IOS Upgrade     Yes                           Yes
IP Address DHCP               Yes                           Yes
Config Replace                Yes                           Yes
DHCP Auto Config - New        Yes                           Yes
DHCP Auto Image Upgrade       Yes                           Yes
Error Disable MIB             Yes                           Yes