N-Series Technical Overview

“There is nothing more important
than our customers”
Enterasys Matrix™ N-Series Architectural Overview

Modular Switching - Matrix™ N-Series
Agenda
Switch Architectural Approaches

“There is nothing more important
Product Review & Positioning than our customers”
Feature Overview
Competitive Positioning
Summary
Centralized Design •There are two primary

Redundant Switch/Route/Mgmt approaches to designing
Switch/Route/Mgmt chassis based
switch/router
Point-to-Point Backplane
architectures
Line Card Line Card Line Card Line Card
The traditional approach, used
by most vendors leverages
centralized forwarding
architectures
Distributed Design
Matrix™ NSeries is based on
Switch/Route/ Switch/Route/ a distributed forwarding
Mgmt/Line Card Mgmt/Line Card architecture, designed from
inception to support high
Fully Meshed Backplane availability environments
Switch/Route/ Switch/Route/
Mgmt/Line Card Mgmt/Line Card
© 2007 Enterasys Networks, Inc. All rights reserved.

Traditional Centralized Architecture
Packet
Packet Forwarding
Forwarding Packet Access Ports: 10/100,
Uplinks: Packet Queuing 10/100/1000 or 100FX
Gigabit Queuing
Switch
Fabric
Packet
Switch Fabric Backplane
CPU Forwarding
Packet Access Ports: 10/100,
Queuing 10/100/1000 or 100FX
Control
Packet
CPU
Switch
Fabric
Forwarding
Packet Uplinks:
Uplinks: Packet Queuing Gigabit
Gigabit Queuing
Packet
Forwarding

Traditional Centralized Architecture
• Performance limited by
Switch/Route/Mgmt modules
• As modules are added, overall system
performance decreases
• Higher performance requires modules
Centralized Design and daughtercard upgrades
• No feedback QoS mechanism between
Redundant Switch/Route/Mgmt
Central Switch/Router and Line Cards
Switch/Route/Mgmt
• Limited guarantee of High priority
traffic (specifically Voice) QoS
• More than Two Uplinks requires Costly
Line Card Line Card Line Card Line Card Additional Line Cards
• Maximum 1+1 redundancy
To achieve distributed forwarding,
additional option modules are necessary,
increasing overall system cost
› In one vendor’s platform, the maximum
central performance is 30M 64 byte packets
per second, the equivalent of 20 Gbps
maximum through put
• Slot dependencies can limit customer

flexibility

Distributed Architecture
• Designed from inception to support

high availability environments
• Every module provides both control
plane and forwarding plane functionality
• Performance scales as modules are
added
Distributed Design • Future generation modules add new
services without forcing the obsolesce
Switch/Route/ Switch/Route/ of existing modules
Mgmt/Line Card Mgmt/Line Card
• Control functions are distributed
Fully Meshed Backplane • N+6 Redundancy
• Modules are automatically upgraded
Switch/Route/ Switch/Route/ and configured as they are plugged into
Mgmt/Line Card Mgmt/Line Card the system
• Optimized for Edge, Distribution and
Server farm connectivity
• No Slot dependencies

Enterasys Matrix N-Series Architecture
Packet Packet
Forwarding Forwarding
Switch
Switch
Fabric
Fabric
Access and/or Packet Packet Access and/or
Uplinks Queuing Queuing Uplinks
CPU CPU
DFE DFE
Fully Meshed Backplane

Queuing Control Across
all Modules
Packet Packet
Forwarding Forwarding
Switch
Switch
Fabric
Fabric
Access and/or Packet Packet Access and/or
Uplinks Queuing Queuing Uplinks
CPU CPU
DFE DFE

Enterasys nTera™ ASIC Family
Increases Host
Performance for nTera™
Host
Concurrent (and Future) Host
Processor
Services Accelerator
nTera™
Increase Overall Packet Packet
Scalability, Performance and Processor
Control User Ports
nTera™ nTera™
Packet Distributed
Processor Fabric
Enables High-Capacity
Distributed Switching and nTera™
Backplane
Reliability Packet
Processor
DFE Architecture

Matrix™ NSeries Distributed Architecture
• Advantages:
High Availability (N:6) – No single CPU Fully Distributed Passive Backplane
Low Entry Cost; Redundancy built into

each switch module – Pay as you go
Scalability; Port Density and Performance
Return on Investment - Inherent
backwards compatibility and future
proofing
Low Latency - Each module has a
connection to every other module
• Performance Characteristics
Total Backplane Capacity with 20 Gbps
per slot
Slot 3
Slot 6
Slot 7
Slot 2
Slot 1
Slot 4
Slot 5
› 21 segments X 20 Gb = 420 Gb
Future Backplane Capacity at 80 Gbps
› 21 segments X 80 Gb = 1.68 Tb
Each of the 21 Backplane Segments
supports 20 Gbps (10 Gbps
Bidirectional)
Agenda
Product Review & Positioning
Feature Overview
Summary

Matrix N7 Switch
• 7 Slot Fully Redundant Chassis

All slots are usable for connectivity and
hotswappable
• Meshed 1.68 Tbps Backplane
• Scalable Port Densities
504 10/100 Ethernet ports
420 10/100/1000 Ethernet ports
336 100BaseFX Ethernet ports
168 Gigabit Ethernet ports
14 10 Gigabit Ethernet ports
• Industry Leading Performance
Switch Fabric Capacity: 126 Gbps
Switch Performance: 94.5 Mpps
Matrix N7

N Series - N7 Power Supply : 6C207-3
• 1600 Watt capacity

• Required to support Matrix E7 configurations with six or seven
Distributed Forwarding Engines
• Advanced System Monitoring
SNMP traps for power supply failure, loss of redundancy, and fan failure

Matrix N5 Switch
• 5 Slot Fully Redundant Chassis with integrated

PoE Power Shelf
All slots are usable for connectivity and hot
swappable
• Integrated Power over Ethernet (PoE) Power Shelf
4,800 Watts Total Power (4 x 1,200W supplies)
PoE DFEs draw PoE power from the backplane
360 10/100 Ethernet ports
360 10/100/1000 Ethernet ports
240 100BaseFX Ethernet ports
• Industry Leading Performance
Matrix N5

Matrix N3 Switch
• 3 Slot Fully Redundant Chassis

All slots are usable for
connectivity and hotswappable
216 10/100 BaseTX Ethernet
ports
216 10/100/1000 BaseTX
Ethernet ports
144 100 Base FX Ethernet ports
Industry Leading Performance
Matrix N3

Introducing the N-1
• Matrix N1 single slot chassis
• Dual Redundant AutoRanging
AC Power Supplies
• 2 RU in height
• Flexible and Capable of
supporting all DFE Gold and
Platinum Modules
Optimum edge configuration for
small to medium wiring closets
› 10/100 Densities from 2572 Ports
Optimum aggregation
configuration for Small
Distribution deployments
› Fiber Using the 12 Port GIG SFP
module
› Copper –Using the 30 Port Triple
Speed Module

2G4082-25 Systems
Lowest cost of entry for the N-Series

Platinum feature set
1. 2G408225SYS 7G-6MGBIC-A
6 Port SFP
2G428225 DFE
7C111 (1 Slot Chassis)
1. 2G408225SYSU
2G428225 DFE
2G4282-25
7C111 (1 Slot Chassis)
24 Port Tri-speed
7G6MGBICA w/NEM
• When operating with multislot NChassis

It will work as a standalone device
• Shipped in a overpack (assembly required)
7C111
1 Slot N Chassis

Matrix N Standalone Switch
A Premium Edge/Data Center

switch for smaller wiring closets
• Creates a broader range of NSeries solutions
The N Series scales with switch solutions from 48 to
420 10/100/1000 ports in the same product family
Allows customers to deploy common N Series
solutions throughout all network tiers
Supports all NSeries Platinum features
• 10/100/1000 Switch/Router
(48) 10/100/1000 RJ45 Ports
(4) SFP ports
• 2 U Standalone
• Redundant power

MatrixTM NSeries Chassis Modules
(Distributed Forwarding Engine)
• Leverages Enterasys’ nTera™ ASIC Design

Fully integrated advanced Switching, Routing, and Management
Unmatched Userbased Multilayer Packet Classification/QoS and
Rate Limiting
Industrystandard SNMP and CLI management
High Performance, Capacity and Density
• Scalable Performance/Bandwidth
13.5 Mpps/18 Gbps per DFE
• Wide Range of Ethernet Interfaces
10/100BaseTX, 1000BaseX, 10/100/1000BaseTX, 100BaseFX
and 10GigE
• Power over Ethernet Support
10/100 and 10/100/100 BaseTX with 802.3af PoE
• Three Types to Meet Different Requirements
Diamond DFE (Enhanced routing, security and policy scalability)
Platinum DFE (High Features/Performance for Edge, Distribution,
and Core)
Gold DFE (CostEffective Edge Connectivity)
Distributed Forwarding
Engine (DFE)

Diamond DFEs
Significant Processing Enhancements over Platinum DFE’s, plus increased Security, Routing
& Policy Scalability.
• Per slot control processor upgraded

50% increase in processing capacity per slot
30% improvement in ACL processing
• Increased Flow Capacity

Double the Flow Table Capacity per blade
Diamond up to 512K/blade, 3.6M/Chassis
› Platinum up to 256k/blade, 1.8M/Chassis
• Diamond modules include Platinum options

256 MB Host memory included on all blades
NEOSL3 Advanced Router license
NEOSPPC Per Port User Capacity Increases
• Optimized for backbone routing

Enables the DFE to handle larger backbones, larger ACL lists, complex
route policies
© 2007 Enterasys Networks, Inc. All rights reserved. Last Updated August 2007
Power over Ethernet DFE Modules
• 48 port 10/100 Power over Ethernet (802.3af) w/NEM

NEM Uplink option slot (MSM, 1Gb, 10Gb)
• 48 port 10/100/1000 Power over Ethernet (802.3af)
w/NEM
NEM Uplink option slot (MSM, 1Gb, 10Gb)
• 72 port 10/100/1000 with PoE
Operates as triple speed blade in a N1, N3, N7
• Provides power to any 802.3af compliant device
IP Phones
Access Points
Web video cameras
• Legacy Cisco detect support
• Supports all DFE embedded software features
• Fully interoperable with all other DFEs
• 48 Port blades supported in the Matrix N1, N3 and N7
with external power shelf
• 48 and 72 port blades supported in the Matrix N5 via
internal power

MatrixTM N7& N3 PoE
• External Power Shelf for Matrix N3, N7

and E7
Enables N1/N3/N7 to support PoE DFE modules
N5 Power Shelf is integrated in the chassis
• 4,800 Watts Total Power (4
x 1,200W supplies)
Supports up to 336 class 2 devices such
as a VoIP phone N5 has integrated Power Shelf
• Fully 802.3af compliant

• Multiple chassis can be supported by a
single Power Shelf (up to 7 DFEs per shelf)
• Supports Class 1 (4 Watts) Class 2 (7
Watts), and Class 3 (15.4 Watts) devices
• Requires a DFE-POE-CBL-2M for every PoE
DFE (Ordered separately - Not required on N5)
• Power management via CLI and SNMP
N3 with PoE Power Shelf

Matrix Security Module
Matrix N7
• Available for all modular

Matrix NSeries chassis
Supports all Distributed
Forwarding Engines (DFEs)
with Network Expansion
Matrix N5 Modules (NEM)
Supports Gold, Platinum and
Diamond DFEs
• Two options
Matrix N3
Dragon Intrusion Defense
Enterasys NAC Apliance
Matrix N1

Extensive DFE Portfolio
Platinum DFE Types
• 48 port 10/100 (RJ45) w/exp. slot • 10 & 12 port 1G (Fiber)
• 72 port 10/100 (RJ45) • 18 port 1G (Fiber) w/exp. slot
• 48 port 10/100 (RJ21) w/exp. slot • 30 port 10/100/1000
• 72 port 10/100 (RJ21) • 2 port 10 Gigabit
• 48 port 100FX w/exp. Slot • 48 port 10/100/1000 w/exp. Slot
• 48 port 10/100 (RJ45) with PoE and • 72 port 10/100/1000
exp. slot
• 48 port 10/100/1000 w/exp. Slot POE
• 72 port 10/100/1000 POE
Gold DFE Types Diamond DFE Types

• 48 port 10/100 (RJ45) w/exp. slot • 12 port 1 G (Fiber)
• 72 port 10/100 (RJ45) • 18 port 1G (Fiber) w/exp. slot
• 48 port 10/100 (RJ21) w/exp. slot • 30 port 10/100/1000
• 72 port 10/100 (RJ21) • 2 port 10 Gigabit
• 48 port 100FX w/exp. Slot
• 48 port 10/100 (RJ45) with PoE and exp. Slot Network Expansion Module
• 48 port 10/100/1000 w/ & w/o PoE and exp. Slot • 6 port 1G (Fiber)
• 72 port 10/100/1000 w/ & w/o PoE • 6 port 1G (Fiber) + 2 port 10 G
• Dragon IDS/IPS
• Sentinel Processor
Matrix N Series Port Densities
Matrix N3 Matrix N5 Matrix N7
10/100 ports 216 360 504
10/100 ports (with uplink option*) 144 240 336
10/100/1000 ports 216 360 504
10/100/1000 ports (with uplink option*) 144 240 336
100FX ports 144 240 336
100FX ports (with uplink option*) 144 240 336
1000 BaseX Ports 72 120 168
10 Gigabit Ports 6 10 14
*Includes a single module with the Expansion Slot for uplinks

Matrix N-Series: Optimized High
Availability (N+6)
• Automatic Service FailOver (Self Routing

Healing) Host
Services
Services
All Services in Milliseconds Port
Services
Intrachassis Routing Redundancy Switching
Services
• Automatic Module Self Multicast
Configuration Services
Inserted “blank” module gets

configuration from other modules
• Local Module Upgrades

Only affects users on upgraded
module
Services Automatically Distributed

across DFEs at Chassis Boot-up
Gold DFE 1+1 Redundancy
• Centralized system administration, protocol

participation (spanning tree, OSPF, etc) and
management
• Distributed Switching, VLAN, multicast, QoS, etc
• Rapid ~1 sec Failover (typical switches 60+ sec)
• Automatic module reconfiguration
Primary and Secondary

located in slots 1 and 2
Simple software license (N-EOS-RED) enables redundancy

MatrixTM NSeries Overview
GOLD PLATINUM DIAMOND
Interface Types Edge Edge, Dist and Core Distribution and Core
Diamond
(7R Series)
Performance (Module/System 6.5/45.5 Mpps 13.5/94.5 Mpps 13.5/94.5 Mpps
Maximum)
High Availability 1+1 (optional) Optimized N:6 Optimized N:6
Policybased, Flow Switching Yes Yes Yes

(Double Platinum
Platinum Capacity)
(7 Series)
Advanced QoS/Rate Limiting/Mirroring No Yes Yes

Features
Authentication/Policy Services Single User/ Per Port MultiUser/ MultiUser/

Per Port Per Port
Basic and Advanced (optional) Routing Basic Advanced (with license)Advanced (large route
tables)
Gold
(4 Series)
Legacy Matrix E7 chassis support Yes Yes Yes
1st , 2nd and 3rd Gen Modules No Yes Yes

Interoperability

DFE Configuration Rules
• Chassis Support
Gold DFEs .Platinum DFEs and Diamond DFEs can go into any slot in the Matrix N3, N5
or N7 chassis.
Multiple Gold DFEs work seamlessly in the same chassis, but can not be mixed with
Platinum or Diamond DFE in the same chassis.
Gold DFEs work in a Matrix E7 chassis, but without any other type module.
Platinum DFEs and Diamond DFEs can be mixed in the same chassis, it is
recommended to have a minimum of two Diamond DFEs in a mixed configuration.
• High Availability
By default the Gold DFE does not provide any high availability (system redundancy).
To get 1+1 redundancy, the NEOSRED software license must be purchased and
installed. Only one 1+1 Redundancy license (NEOSRED) is required per chassis.
For redundancy, the primary and secondary Gold DFE have to be in slots 1 and 2.
• Routing
Basic EOS routing (static routes and RIP) is included with each Gold DFE.
Gold DFEs support Enterasys’ Advanced Routing Package (NEOSL3) that includes
OSPF, DVMRP, and PIMSM.
Only one advanced Routing Package (NEOSL3) is required per chassis.
Diamond DFEs ship with the advanced Routing Package (NEOSL3)

FlowBased Switching
• A Flow is basically a conversation between end devices

• MatrixTM N-Series Traffic is flow-based (Enterasys’ nTera™ ASIC Design)
Provides context for network traffic
› Who, Where, What
Packet fields of interest are described below for standard network functions.
(L2) Switching– SA, DA, Port, VLAN
(L3) Routing – DA, VLAN, EtherType, SIP, DIP
(L4) Application –’LSNAT’ – DA, VLAN, EtherType, SIP, DIP, L4 Source, L4 Dest
• Packet forwarding switches do not keep track of context

Traffic is forwarded based upon “next hop” only
Cannot differentiate one connection from another
• Secure Networks configuration contributes fields to the flow definition
based on active profiles and their rule-sets.

Matrix™ N Series Distributed Flow Based
Switching
• Granular visibility and control of the

individual flow between users and IT
resources SAP traffic.
Permit/Deny/Prioritize/Rate Limit
Discover, classify and prioritize
IPT soft phone clients and IPT handsets
connected to the same port as user Market Data Feed
desktop/laptop
Advanced flow mirroring Traffic Flows
• Centralized policy administration

ensures ease of configuration and Known Worm/Virus
deployment while distributed
enforcement delivers scalability
Firewalllike control everywhere without
the boxbybox configuration burdens or
extensive CLI scripting Zero day threat

controlled by
Flow Setup Throttling

MatrixTM NSeries DFE Applications
Collapsed Backbone
Backbone
Routing (tier two
Matrix N7
environments)
s
er
Us
Matrix N7
er
Fib
E
Gb
s
Internet
10
er
Us
VPN/Intranet
Matrix N3/N5 Matrix N7
s
er
10/1
rv
00/1
Se
000
Matrix N7
Server Aggregation
Premium Edge

Three Tier Implementation
Matrix N7
s
er
Us
SecureStack
C2
Matrix X4
s
er
s
Us
er
rv
Se
Matrix X4
SecureStack
C2 Matrix N7
• Three Tier Implementation – 10-Gigabit Ethernet connectivity

between Distribution and Core, Gigabit connectivity between Edge
and Distribution, user ports 10/100/1000
Core MatrixTM X
Distribution – MatrixTM N with Platinum and/or Diamond DFE
Edge – SecureStack B/C

Two Tier Implementation
Matrix N7
s
er
Us
SecureStack
C2
s
er
Us
s
er
SecureStack
rv
Se
C2 Matrix N7
• Two Tier Implementation

Often see this design in buildings supporting 10001500 devices
Perfect for NSeries & Diamond providing granular control and integrated security
for the core and distribution layers

Agenda
Feature Overview
Summary

Enterasys OS (EOS) Feature Summary
• User, Port and Device Level • Spanning Trees, Multiple Spanning • IPv4 Unicast/Multicast
• Multiple Control Features Trees, VLANs • RIP 1/2, OSPF
• Granular QoS/Rate Limiting • Link Aggregation/Rapid • IGMP, DVMRP
• VLAN to Policy Mapping Reconfiguration • Multi-Path OSPF
• Multi-field Classification • Span Guard • VRRP
• Flow Setup Throttling • PIM-SM (Sparse Mode)
Multilayer Switching/ Native

Classification VLAN Services IP Routing
Security (User, Management,

Network & Host) Control and Analysis
• User: Auth (802.1X, MAC and Web), • Industry-Standard CLI,

MAC Locking • SNMP v1/v2c and Web
• Multi-user Authentication/Policy
• Network: ACL – Basic and Extended,
Integrated • RMON (1,2,3,9)
• TELNET
Policy-based Services (Acceptable Services • BOOTP, DHCP,TFTP
Use) Design • Multiple images
• Host: SSH, SNMP v3

DFE Packet Classification/QoS
Packet Classification/QoS enables the

delivery of critical applications to specific
users via traffic awareness and control
• Layer 2 through 4 Packet Classification

• QoS Mapping to WFQ Priority Queues (802.1p)
4 TX queues per 10/100 and 10/100/1000 port
16 TX queues per GbE and 10GbE port
• Bandwidth Control (Rate Limiting)
Granular 8 kbps – 4 Gbps
Per Port, Flow, Aggregate of Flows and Classification Rules

Dynamic Flow Based Classification: scaleable up to
56k rules per system
Granularity
- What can I identify?
Why does Enterasys make the best Secure - What can I control?
Networks™ switches in the industry? - How can I control it?
DFE Switching/VLAN Services
Switching/VLAN Services provides high-

performance connectivity, aggregation,
and adaptation to device failure
• HighPerformance Switching
• VLAN Services Support
Link Aggregation (IEEE 802.3ad)
Multiple Spanning Trees (IEEE 802.1s)
Rapid Reconfiguration of Spanning Tree (IEEE 802.1w)
• Policybased Switching

DFE IP Routing
IP Routing provides dynamic traffic

optimization, broadcast containment and
more efficient network resilience
•Base Routing Features •Protocol Support

IPv4 Unicast Routing (perport) IPv4 Unicast/Multicast
›RIP version 1 and 2, OSPF v2 and RIP 1/2, OSPF
DHCP/BootP Relay
IGMP, DVMRP, PIMSM (Sparse
•Routing Upgrade (via Software License) Mode)
•Fully distributed forwarding engine MultiPath OSPF
Frames are routed locally (one hop routing) VRRP
Forwarding Databases are resident on all LSNAT
modules
(Route table and ARP table) •Advanced Routing features are
licensed – (NEOSL3)
•Control Plane resides on a single module LSNAT, PIM, OSPF, DVMRP and
Up to two active control planes Extended ACLs.
Redundancy through industry standard •Scalable capacities via memory
routing protocols (Including VRRP) expansion
DFE Security
Security protects a business against

network misuse, and controls access to
resources and confidential information
• User Security
Authentication (802.1X, MAC and Web), MAC (Static and Dynamic) Port
Locking
MultiUser Authentication/Policies
• Network Security
Access Control Lists (ACL) – Basic and Extended
Policybased Security Services (Examples: Spoofing, Unsupported Protocol
Access, Intrusion Prevention, DoS Attacks Limits)
• Host
Secure access to the Matrix NSeries via SSH, SSL, SNMP v3

DFE Management, Control and Analysis
Management, Control and Analysis

provide streamlined tools for maintaining
network availability and health
• Configuration
IndustryStandard CLI and Web Support
Multiple Images with Editable Up/Downloadable configuration files
• Network Analysis
SNMP v1/v2c/v3, RMON/RMON II, and SMON (rfc2613) VLAN and Stats
Port/VLAN Mirroring (One to one, one to many, many to many)
• Automated Setup and Maintenance

Replacement engine will automatically get previous engine configuration

Security and Control: ACL and VLAN vs. Policy
Issues
VLAN-based • Costly, timeconsuming VLAN
management
Port mapped to VLAN (with • Mobility becomes an issue as
VLAN access control (ACLs) VLAN spread across the campus
• VLANs provide no inherent
security
User authenticated Network within the VLAN no control
to port
All users share the same ACL
Matrix N-Series • VLAN changes for quarantine
require proper endsystem
support (DHCP renew etc.)
Benefits
Policy-based
• Simple, quick to implement
Access control (policies) • Rapid response to security threats
mapped to user • Much more granular control
• Far more scaleable
User authenticated • No mobility issues
Network
to port • No issues when user is quarantined
Matrix N-Series

Multi-user Authentication/Policy
• Diamond/Platinum DFE feature that allows a large number of users to be
authenticated on a single port, and unique policies to be enforced.
User physically
connected here
Matrix
N-Series
Access Backbone
User authenticated/access and

application control enforced here
Extends access and application control (for security, convergence, and on-
demand networking) to users aggregated by devices with limited features

Layer 2 Availability: Spanning Tree
• IEEE 802.1D Spanning Tree

Rapid Reconvergence
• IEEE 802.1w Rapid Re-
Convergence of Spanning Tree
Reduces Spanning Tree convergence
times
• IEEE 802.1s Multiple Spanning
Trees
Matrix E7 Matrix E7
Network VLAN’s into multiple Spanning
Trees
› Convergence of one of the Spanning
Trees does not impact the others
Overall network availability increases as
uplinks can now loadshare traffic
64 Spanning Tree Instances supported

Layer 2 Availability: Link Aggregation
• IEEE 802.3ad Link Aggregation

Up to 32 groups
Up to 8 ports per group
Ability to aggregate links over
multiple blades in a chassis
Multiply bandwidth between
switches
Improve resiliency
• No support for SmartTrunking

Advanced Port Mirroring
• Supported Mirrors:
Physical ports (Front Panel, FTM1)
Virtual Ports (802.3ad Aggregated Link, Host)
VLAN
IDS
› One to many mirror
• Destination ports allowed to be active at any time:

One Intrusion Detection Systems mirror
or
One Port and one VLAN mirror

or
Three Port mirrors

or
Three VLANs mirrors

• Port Mirroring configured at the system-level using NetSight
Atlas via the SMON MIB or by CLI

Port Mirroring Features
• Possibility to mirror:
Received frames only
Transmitted frames only
Or both
• All frames are copied to the destination port in the same format as it
was received by the switch
Any header changes performed by the switch will be done after the frame
has been mirrored
• There is no restriction on the number of ports or VLANs that
can be included in the mirror to a destination port

Intrusion Detection System Mirroring
Network Core
• One to many port mirror

designed for use with an
Intrusion Detection System
• Source traffic is loadshared
Dragon between all destination ports to
Sensors ensure no packet loss

Advanced Set-up and Maintenance
• Ability to store 2 functional images (firmware) on the chassis

Every module keeps a copy of both images
All modules have same firmware version
› Upgrading a module equals upgrading the entire chassis
• Ability to store several configuration files on each module

• Every module keeps a copy of the current configuration
Editable txt appended configuration files contain L2 and L3 configuration
› Generic chassis configuration txt
› Board specific configuration txt
• The result : automated set-up and maintenance

Add a blank module in the chassis and this module will automatically get its
configuration from the other blades
Remove a module and replace it by a blank same module and the new
module will automatically get the same configuration as the previous module

Enhanced Security
• Protect selected resources

• Create secure workgroups
• Secure management access
• Authenticate users & devices
• Policy network access, communications and access to information

Extensive Security Mechanisms
• Host
Hardened OS
Management VLANs
RADIUS Authentication
SSH v2
• User
802.1X User Authentication
User Personalized Networking (UPN)
MAC Based Port Locking
MAC Authentication

User-Based Security
• IEEE 802.1X User Authentication:

Support for IEEE 802.1X means that true standards based User
based VLANs are now possible.
› When an endstation powers up, to an 802.1X supporting switch, the user
will be prompted for a login and password to authenticate to the network.
› Existing authentication methods like RADIUS can be used to keep the cost
of ownership down.
Key component of Secure Networks

User-Based Security
• Other Authentication Methods

MACbased Authentication
› Allows authentication of devices that have no supplicant
Printers
Light clients (XTerms…)
› Provides Layer 2 mobility
Webbased Authentication
› Operating System Independent
› No need to purchase 3rd party 802.1X supplicants
› No need to “touch” every desktop to install supplicants

Multi-User Authentication
• Feature :
Ability to authenticate multiple users on a single Matrix
N Series port
Ability to map several different network policies
(profiles) on a single Matrix N Series port
• Benefits :
Authenticate users even if the edge switches do not
support authentication
Deliver PolicyBased Network even if the edge switches
do not support authentication and/or policing
User A User B

Security and Control: Multi-user Authentication and
Policy
• From 8 up to 256 per port (with N-EOS-PPC) and 2048 per system (with N-EOS-PUC).
• Different authentication methods (in random combination per port/user)
802.1x, PWA (Web), MAC authentication, Default Role
• Single physical interface
Filter ID  Credit
802.1X Policy Credit

Dynamic
Admin Rule
SMAC = Anita 802.1X Credentials
RADIUS Authority
802.1X Login
MUA Logic
Filter ID  Policy Sales
PWA Policy Sales

Dynamic
Admin Rule
SMAC = Bob
PWA Login
PWA Credentials
Port X
SMAC = Ted
Any Traffic MAC Policy
Dynamic
Admin Rule
Filter ID  Policy Engineering
Engineering
MAC Credentials
DFE

Security and Control: non sampled NetFlow
• NetFlow flow accounting technology

• Provides high fidelity instrumentation
Non sampled statistics!
Usable for security applications
• Netflow function will work in-band and out-
of-band
OoB means the N-Series can become
a NBAD sensor within enterprise class
networks
• The N-Series becomes a reason to sell
Dragon SCC
Analysis of network wide NBAD data
collection

Security and Control: Network Attack
Characteristics
• Network worms and hacker attacks rely on ability to discover machines on a network and assess
their vulnerability.
The process of discovering machines on a network is typically done by attempting to establish ICMP
communication with a randomly generated IP destination address (address scanning).
• Each attempt to discover network device or assess its vulnerability requires new flow to be
created. Since attacks desire to discover susceptible machines as quickly as possible, flow build
up is unavoidable.
Worm description User Duration Packet (flows) Fps (mean) Packet size
(mean)
Welchia: ICMP sweep 140.112.215.131 18.94 1203 63.52 110
Welchia: ICMP sweep 140.115.240.83 18.95 1894 100 110
SQL: UDP 1434 scan 140.115.95.47 17.871 34985 1957.66 421.721

Flow Setup Throttling
• Flow Setup Throttling (FST) is Enterasys proprietary solution which tracks flow setup and provides
mechanism to respond to excessive flow buildup (typically a suspicious behavior).
• Using FST, network administrator can define acceptable per port flow counts and flow setup
rate.
When violations are detected, FST can apply reactive measures such as SNMP notifications (and start a ASM
reponse (via SEG) or disabling the interface.
• Flow monitoring provides additional visibility into network activities by indicating the network
communication paths or how many conversations are occurring. Like bandwidth utilization
indicator, flow buildup can warn of suspicious behavior.
• FST provides ability to limit the number of flows on a port.
Putting restriction of flow usage penalizes the user as far as number of network activities (conversations) that can be
performed at once, but the user is not penalized (but can be through DIR/ASM) in bandwidth usage.
• FST is only implemented on flowbased systems (NSeries, Matrix E1/E6/E7).
• Other detection mechanisms available on the Matrix N Series

Policy Hit Accounting
Inbound Rate Limiter (pps rates)
Anti Spoofing
Dragon Integrated Security Processor
Netflow

MAC Based Port Locking (Dynamic)
• The first MAC address learned on

the port will be the only one
allowed to communicate on the
network
Enterprise
• Traffic from other MAC addresses Network
will be discarded
• Prevents the use of Unauthorized
hubs
• When the locked station goes
away, the next MAC address to be Unauthorized hub
learned will be locked
• Easy configuration with NetSight
Atlas Policy Manager
Valid User Rouge User

MAC Based Port Locking (Static)
• Use NetSight Policy Manager to statically define which MAC address(es) can
communicate on the port

Advanced Management and Control
• Via Single IP Address System Management

N + 6 Redundant Management Support
One module acts as the master manager for the system, all other modules act as
backup
• Web Based Management Support
• Secure Socket Layer : Secure access to embedded configuration web server
• SNMP v1/v2c/v3
• RMON (9 Groups) / RMON2
• SMON : VLAN and priority statistics, Port/VLAN mirroring configuration

• RFC 2674 (Standards based VLAN management)

• Port/VLAN Mirroring
One to one, one to many
• Industry standard CLI
• Telnet
• Secured Shell 2 : secure access to chassis configuration
• Broadcast Suppression

• Enterasys Discovery Protocol (neighbor discovery)

• Node & Alias Table : mapping of device name and MAC/IP address
• Simple Network Time Protocol : Allows automated setup of date/time on device
• Syslog : export all events to external management system
• RADIUS Accounting
• NetSight Atlas management applications support

IPv6 Strategy
• IPv6 extends IPv4 theoretical limit of 4 billion

addresses to 340 trillion
Internet devices will grow by magnitudes over the
following years
IPv4 addresses may run out sometimes between 2006
and 2010
• For the Enterprise network, IPv6 provides

improvements over IPv4
Security, mobility, QoS, and scalability
• IPv6 will become the de facto standard for the

Internet in the future
• Today’s Matrix NSeries chassis is IPv6ready
IPv6 will now be provided in the NSeries in
Generation 5 DFEs

Agenda
Feature Overview
Summary

Competitive Products
• Matrix Gold DFEs

Cisco Catalyst 4500
• Matrix Platinum DFEs
Cisco Catalyst 6500
• Matrix Diamond DFEs
Cisco Catalyst 6500

Matrix X and N Series Competition – Cisco Catalyst
6500 Series
• High Performance
720 Gbps system performance
400 Mpps throughput
• The Catalyst 6500 Family of Multi Layer • Hardware based IP
Switches is Cisco’s Flagship switch products. Wirespeed IPv4, IPv6 & MPLS
5 chassis. (6513, 6509NEBS, 6509, 6507,6503) • Advanced Virtual Network capabilities
All 6500 series modules can be used in any MPLS L2 and L3 VPNs
chassis variant
IP in IP Tunneling
● Cisco claims significant performance levels and
very advanced functionality and low cost !! Generic Router Encapsulation
• Supports high density LAN, Metropolitan Area • Advanced Security Capabilities

and WAN interfaces, Security Modules, High performance Firewall Modules
Firewall & IDS Modules, and IP Telephony
Modules. 5 Gbps per module
Intruder Detection & Prevention Module
SSL and Traditional VPN Gateways
Identity Based Network Policies

Common Components
• Three types of modules

Supervisors Supervisor Engines
› Central Control Plane, 1 required
per chassis
› Forwarding engine in many
configurations
Fabrics Switch Fabric Module

› Enables the Fabric backplane
which can operate at 256 Gbps or
720 Gbps
I/O Modules › The Supervisor 720 is both Control
Module and Switch Fabric on a
single blade
I/O Modules
› Provides LAN, MAN and WAN
interfaces
› Highest density is 48 ports
› Special Service Modules for
Firewall, IDS and Telephony

Catalyst Backplanes
• The Catalyst supports two different

backplane types
• The Classic Bus backplane is
Fabric Backplane
marketed as a 32 Gbps bus that
Classic Bus
provides for a useful 16 Gbps of

bandwidth
• The Fabric Backplane provides high
speed dedicated channels to every
slot and requires that a switch fabric
module is installed within the chassis
Each fabric channel can be clocked
at 16 Gbps or 40 Gbps Full Duplex
The backplane is not fully
implemented within the 6513

Catalyst 6500 Supervisor Positioning
• Supervisor 720
Enterprise Core, Data Center, Service Provider Applications
› Hardware IPv6, MPLS, 30 Mpps Supervisor IPv4 performance
› Distributed forwarding allows for maximum of 400 Mpps forwarding
• Supervisor 2 with MSFC2 & PFC2

Distribution and WAN Edge
› Hardware IPv4 only, 30 Mpps Supervisor IPv4 performance
› Distributed forwarding allows for maximum of 100 Mpps forwarding
• Supervisor 2 with PFC2 Only

Premium Wiring Closet and Server Farms
› 30 Mpps Bridging Only
› Enhanced Security & QoS
• Supervisor 1A without PFC2 or MSFC2

Wiring Closet
› Up to 15Mpps Bridging and IPv4 Forwarding / 32Gbps shared bus

Catalyst Switch Fabrics
• The Catalyst’s Fabric backplane provides a high speed interconnect for the various Catalyst
modules.
• There are two switch fabric models available for the Catalyst
The Supervisor 720 provides 16 channels which allow for up to 20 Gbps operation per direction per
channel. The Channels can be clocked down to support 8 Gbps per direction operation allowing
support for older generation module
The Switch Fabric Module (SFM) provides for 16 channels with 8 Gbps per direction performance.
Newer CEF720 modules will not operate with a SFM.
All packet lookup takes place on a supervisor engine, unless Distributed Forwarding Cards are
installed. Switch Fabrics only act as transport. A Supervisor Engine can look up 30 Million headers a
second whether the received frame was 64 bytes or 1500 bytes long. This capability allows for full
wirespeed fabric operation with large packets even if no DFCs are installed.
Switch Fabric Module (SFM)

Cisco Sales Tactics
• Cat 6500 has an extensive list of modules.
Enables broad performance and feature claims while still being able to offer extremely low priced
configurations to customers
• Every Cisco sales person will claim that the Cat6500 is a 720 Gbps with 400 Mpps,
• But..... they will most certainly lead with Classic Bus or Generation 2 (CEF256) Modules which
never hit the 720 Gbps performance plateau, and are significantly less expensive.
Bait & Switch
• Almost all of Cisco’s line modules rely on the supervisor engine for packet look up & they will
not operate without a supervisor in the chassis.
• Fabric enabled line cards can have local lookup engines called Distributed Forwarding Modules
enabling slot to slot communications without a supervisor engine. DFC’s list for about $7500.
• Ensure you are comparing Apples with Apples

Diamond Competitive Comparison
General Specifications
Matrix N-Series Catalyst 6500 Black Diamond 8800 FastIron Super X

Diamond
# of Slots 1/3/5/7 3/6/9/13 6/10 8/16
Chassis Distributed Centralized Centralized Centralized

Switching and Routing Supervisor Engine with
Architecture DCEF cards
Fault Tolerance Distributed 1+1 Supervisor Engine 1+1 MSM 1+1 Switch Fabric
Fault Tolerance
Port Density 504 10/100/1000 577 10/100/1000 384 10/100/1000 384 10/100/1000
168 1000BaseX 410 1000BaseX 224 1000BaseX 384 1000BaseX
14 10Gbps 32 10Gbps 32 10Gbps 36 10Gbps
Forwarding Flowbased Longest prefix match Longest prefix match Longest prefix match
granular policy via Cisco Express
Architecture visibility and control Forwarding
Layer 2 Topology 802.3ad/s/w 802.3ad/s/w 802.3ad/s/w 802.3ad/s/w

ASICbased Proprietary EMISTP
QoS & rate shaping
L2L4 Classification
Layer 3 Topology RIP/OSPF RIP/OSPF/BGP/MPLS/ RIP/OSPF/BGP/MPLS/ RIP/OSPF/BGP/MPLS

VRRP VRRP/HSRP VRRP/ESRP/EAPS VRRP
DVMRP/PIMSM DVMRP/PIMSM DVMRP/PIMSM DVMRP/PIMSM

Diamond Competitive Comparison
Policybased Security & QoS
Matrix N-Series Catalyst 6500 Black Diamond 8800 FastIron Super X

Diamond
Security Port/VLAN/Flow Port/VLAN via ACL Port/VLAN via ACL Port/VLAN via ACL
via centrally administered
Granularity Policy
Convergence Standardsbased Proprietary Proprietary Proprietary

Discovery LLDP/LLDPMED 802.1ab
Multimethod YES NO NO NO
Authentication 802.1x 802.1x 802.1x 802.1x
Webbased PWA
MAC Address
Multiuser YES NO NO NO
Authentication 1,000 users per port using
MAC, PWA or 802.1x
simultaneously
Access Control Embedded Embedded External External

NAC/IDS/IPS/NBA/SI Firewall/IDS/VPN
Zeroday
Threat Protection
Policy Enforcement Dynamic based on

User, Application, Device,
Static based on
Port or VLAN
Static based on
Port or VLAN
Static based on
Port or VLAN
Flow,
Port or VLAN
Location Services YES NO NO NO

Embedded directory with
MAC/IP/Host/Port

Agenda
Feature Overview
Summary

NSeries
•Secure Networks!
Why •Most sophisticated SN feature set in the
customers Enterasys portfolio
•Distributed Management
choose
•High availability
N-Series…
•Flexibility
• Chassis footprints
• Module Port speeds and densities from
edge to core
• Performance and Price Points (Gold /
Platinum/ Diamond)

Thankyou
Last UpdatedSeptember2007
© 2007 Enterasys Networks, Inc. All rights reserved. 77

N-Series Technical Overview

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

N-Series Technical Overview

Diunggah oleh

Hak Cipta:

Format Tersedia

“There is nothing more important

than our customers”

Enterasys Matrix™ N-Series Architectural Overview

Switch Architectural Approaches

Centralized Design •There are two primary

© 2007 Enterasys Networks, Inc. All rights reserved.

Switch Fabric Backplane

© 2007 Enterasys Networks, Inc. All rights reserved.

• Slot dependencies can limit customer

© 2007 Enterasys Networks, Inc. All rights reserved.

• Designed from inception to support

© 2007 Enterasys Networks, Inc. All rights reserved.

Fully Meshed Backplane

© 2007 Enterasys Networks, Inc. All rights reserved.

© 2007 Enterasys Networks, Inc. All rights reserved.

­ Low Entry Cost; Redundancy built into

Switch Architectural Approaches

Product Review & Positioning

© 2007 Enterasys Networks, Inc. All rights reserved.

• 7 Slot Fully Redundant Chassis

© 2007 Enterasys Networks, Inc. All rights reserved.

• 1600 Watt capacity

© 2007 Enterasys Networks, Inc. All rights reserved.

• 5 Slot Fully Redundant Chassis with integrated

© 2007 Enterasys Networks, Inc. All rights reserved.

• 3 Slot Fully Redundant Chassis

© 2007 Enterasys Networks, Inc. All rights reserved.

© 2007 Enterasys Networks, Inc. All rights reserved.

Lowest cost of entry for the N-Series

• When operating with multi­slot N­Chassis

© 2007 Enterasys Networks, Inc. All rights reserved.

A Premium Edge/Data Center

© 2007 Enterasys Networks, Inc. All rights reserved.

• Leverages Enterasys’ nTera™ ASIC Design

© 2007 Enterasys Networks, Inc. All rights reserved.

• Per slot control processor upgraded

• Increased Flow Capacity

• Diamond modules include Platinum options

• Optimized for backbone routing

• 48 port 10/100 Power over Ethernet (802.3af) w/NEM

© 2007 Enterasys Networks, Inc. All rights reserved.

• External Power Shelf for Matrix N3, N7

• Fully 802.3af compliant

N3 with PoE Power Shelf

• Available for all modular

© 2007 Enterasys Networks, Inc. All rights reserved.

Gold DFE Types Diamond DFE Types

Matrix N3 Matrix N5 Matrix N7

10/100 ports 216 360 504

10/100 ports (with uplink option*) 144 240 336

10/100/1000 ports 216 360 504

10/100/1000 ports (with uplink option*) 144 240 336

100FX ports 144 240 336

100FX ports (with uplink option*) 144 240 336

1000 Base­X Ports 72 120 168

*Includes a single module with the Expansion Slot for uplinks

© 2007 Enterasys Networks, Inc. All rights reserved.

• Automatic Service Fail­Over (Self Routing

­ Inserted “blank” module gets

• Local Module Upgrades

Services Automatically Distributed

• Centralized system administration, protocol

Primary and Secondary

Low Entry Cost; Redundancy built into

• When operating with multislot NChassis

1000 BaseX Ports 72 120 168

• Automatic Service FailOver (Self Routing

Inserted “blank” module gets

Policybased, Flow Switching Yes Yes Yes

Authentication/Policy Services Single User/ Per Port MultiUser/ MultiUser/

• Automated Setup and Maintenance

One Port and one VLAN mirror

Three Port mirrors

Three VLANs mirrors