© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Cisco Switch Product Update
Kanyarat Fhaikhao, Systems, [email protected]
Agenda
• Cisco Catalyst 6500 Switch
• Cisco Catalyst 4500 Switch
• Cisco Catalyst 3750 Switch
• Cisco Catalyst 3560 Switch
• Cisco Catalyst 2960 Switch
• Integrated Security Feature
• LAN Management Solution
Building Block
Hierarchical Network Design: Without a Rock Solid Foundation the Rest Doesn’t Matter
[Figure: three-tier topology of Access, Distribution and Core layers]
• Offers hierarchy – each layer has a specific role
• Modular topology – building blocks
• Easy to grow, understand, and troubleshoot
• Creates small fault domains – clear demarcations and isolation
• Promotes load balancing and redundancy
• Promotes deterministic traffic patterns
• Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
• Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
Cisco’s Comprehensive Catalyst LAN Switching Portfolio
[Figure: Catalyst 2960, 3560, 3750, 4500 and 6500 positioned by Services & Density against Performance]
Catalyst 2960 – Robust Layer 2 stackable offering layer 2/3/4 intelligent services for small and medium network deployments
Catalyst 3560/3750 – Robust layer 3 stackable delivering layer 2/3/4 intelligent services with scalable performance and resilient stacking options
Catalyst 4500 – Mid-range, medium-density modular chassis delivering robust layer 2/3/4 intelligence, resiliency and network control
Catalyst 6500 – Industry leading high-performance, high-density modular chassis offering superior scalability and integrated advanced IP services modules
Cisco Catalyst 6500 Switch
Introduction: Catalyst 6500 Chassis Family
• 6503/6503-E (3-slot chassis)
• 6504-E (4-slot chassis)
• 6506/6506-E (6-slot chassis)
• 6513 (13-slot chassis)
• 6509/6509-E (9-slot chassis)
• 6509-NEB-A (9-slot chassis)
Introduction: Catalyst 6500 Supervisor Family
• Sup32-10GE – 2 x 10GE ports, 15 Mpps, integrated PFC3B, MSFC2a, access layer deployments
• Sup32-8GE – 8 x GE SFP ports, 15 Mpps, integrated PFC3B, MSFC2a, access layer deployments
• Sup720 – 2 x GE ports, integrated PFC3/3B/3BXL, MSFC3, 720 Gb switch fabric, core/distribution deployments
Introduction: Catalyst 6500 Linecard Family
• Classic Linecards – examples include WS-X6148-RJ45, WS-X6148-SFP, WS-X6148-GETX, WS-X6148A-GETX
• CEF256/dCEF256 Linecards – examples include WS-X6548-GETX, WS-X6516-GBIC, WS-X6516-GETX, WS-X6516A-GBIC, WS-X6816-GBIC
• CEF720 Linecards – examples include WS-X6724-SFP, WS-X6748-SFP, WS-X6748-GETX, WS-X6704-10GE, WS-X6708-10GE-3C, WS-X6708-10GE-3CXL
Catalyst 6500 Ethernet Linecard Portfolio
Core/Distribution & Data Center Linecards
WS-X6704-10GE
• 4-port 10GE XENPAK CEF720 linecard
• 40 Gbps connection to the Sup720
• ER, LR, LX4, SR, CX4 XENPAKs
• Optional WS-F6700-DFC3A, B, BXL
• List price: $20,000 (base)
WS-X6748-SFP
• 48-port SFP CEF720 linecard
• 40 Gbps connection to the Sup720
• SX, LX, ZX, Tx, CWDM SFPs
• Optional WS-F6700-DFC3A, B, BXL
• List price: $25,000 (base)
WS-X6724-SFP
• 24-port SFP CEF720 linecard
• 20 Gbps connection to the Sup720
• SX, LX, ZX, Tx, CWDM SFPs
• Optional WS-F6700-DFC3A, B, BXL
• List price: $15,000 (base)
WS-X6748-GE-TX
• 48-port 10/100/1000 CEF720 linecard
• 40 Gbps connection to the Sup720
• Supports Time Delay Reflectometer (TDR)
• Optional WS-F6700-DFC3A, B, BXL
• List price: $15,000 (base)
Wiring Closet Linecards
WS-X6148A-RJ45 / WS-X6148A-45AF
• 48-port 10/100 classic linecard
• Integrated TDR
• Optional 802.3af PoE module
• List price: $6,000 (data), $8,000 (PoE)
WS-X6196-RJ-21 / WS-X6196-21AF
• 96-port 10/100 classic linecard
• Twice the density in a single slot with standard RJ-21 connectors
• Optional 802.3af PoE module
• List price: $10,500 (data), $14,000 (PoE)
WS-X6148-FE-SFP
• 48-port 100Base-X SFP card
• Supports the buy-as-you-grow model with SFP optics
• Scales from 48 to 576 ports per system
• Optics supported – FX, LX, BX-U and BX-D
• List price: $9,000
WS-X6148A-GETX / WS-X6148A-GE-45AF
• 48-port 10/100/1000 classic card
• New support for jumbo frames, WRED
• Integrated TDR
• Optional 802.3af PoE module
• List price: $7,000 (data), $9,000 (PoE)
Catalyst 6500 Services Modules Summary
Catalyst 6500 Service Modules Portfolio
Firewall
• 5.5 Gbps module
• 100 virtual contexts
• Routed or transparent
• Coming: 250 contexts, multicast, IPv6
Anomaly Detection & Guard
• Detect and mitigate DDoS attacks automatically
• 8 Gbps performance
• Available now
Content Switching & SSL
• Converged technologies
• 1MM CSM concurrent connections
• 1500 SSL cps
• 30K SSL clients
Wireless LAN
• Converge wireless and wired infrastructure
• 300 APs & 6000 clients
• L3 mobility within 50 ms
SSL
• Offload from servers (OpEx)
• Deterministic performance for web traffic
• 2-way trust certificates
• HA using HSRP
Intrusion Detection
• Simultaneously monitor multiple VLANs
• Unlimited VLAN support
• Transparent via passive promiscuous operation
VPN
• Stateful HA with VRF-aware IPsec
• SafeNet client interoperability
• CVDM support
• Coming: 16K IPsec tunnels per platform, NAC over IPsec tunnels
Network Analysis
• L2-7 protocol visibility, analysis and decode
• Real-time and historical statistics
• Coming: server farm stats, application response time
Catalyst 6500 Linecards Services Modules – ACE
ACE
• Virtual partitioning (up to 250 contexts)
• Up to 16 Gbps performance
• 6.5 Mpps
• 350,000 syslogs per second
• 4 million concurrent connections
• 16K real or virtual servers
• Multiple probes (ICMP, TCP, UDP, etc.)
• HTTP deep packet inspection
• Bi-directional NAT/PAT
• TCP connection state tracking
• TCP header validation and window size checking
• uRPF check at session establishment
Cisco Catalyst 4500 Switch
Cisco Catalyst 4500 Family Overview: Common Architecture
• Redundant supervisor-based chassis: Cisco Catalyst 4507R, Cisco Catalyst 4510R
• Single supervisor-based chassis: Cisco Catalyst 4506, Cisco Catalyst 4503
• Single RU fixed configuration: Cisco Catalyst 4948 and 4948-10GigE
• Same switching architecture and common Cisco IOS®
Catalyst 4500 Family Overview: Supervisor Roles
Enhanced Layer 3 Supervisors – Supervisor V-10GE, Supervisor V, Supervisor IV
• (E)IGRP, OSPF, BGP, ISIS
• 128k IP CEF entries
• 4096 VLANs and SVI interfaces
• 28K (L3) 16K (L2) multicast routes
• 3000 Spanning Tree instances
• Netflow
• Supervisor V-10GE: Netflow 2; 4510R, 4507R, 4506, 4503
• Supervisor V: Netflow 1 (opt.); 4510R, 4507R, 4506, 4503
• Supervisor IV: Netflow 1 (opt.); 4507R, 4506, 4503
Basic Layer 3 Supervisors – Supervisor II+10GE, Supervisor II+, Supervisor II+TS
• RIP, static routes & EIGRP stub
• 32k IP CEF entries
• 2048 VLANs and SVI interfaces
• 12K (L3) 8K (L2) multicast routes
• 1500 Spanning Tree instances
• Supervisor II+10GE: HW broadcast & multicast suppression; 4507, 4506, 4503
• Supervisor II+: 4507, 4506, 4503
• Supervisor II+TS: 4503 only
Cisco Catalyst 4500 Supervisor Comparison
Feature | Supervisor II+ | Supervisor II+ 10GigE | Supervisor IV | Supervisor V | Supervisor V-10GigE
Switching Capacity | 64 Gbps | 108 Gbps | 64 Gbps | 96 Gbps | 136 Gbps
Throughput | 48 Mpps | 75 Mpps | 48 Mpps | 72 Mpps | 102 Mpps
Multilayer Switching | Basic L2/3/4 services (EIGRP-Stub, RIPv2) | Basic L2/3/4 services (EIGRP-Stub, RIPv2) | Full L2/3/4 services (EIGRP, OSPF, IS-IS, BGP) | Full L2/3/4 services (EIGRP, OSPF, IS-IS, BGP) | Full L2/3/4 services (EIGRP, OSPF, IS-IS, BGP)
(E)IGRP, OSPF, BGP, ISIS | No | No | Yes | Yes | Yes
RIP, Static Routes, EIGRP Stub | Yes | Yes | Yes | Yes | Yes
Chassis Support | C4006, C4503, C4506, C4507R | C4006, C4503, C4506, C4507R | C4006, C4503, C4506, C4507R | C4006, C4503, C4506, C4507R, C4510R | C4503, C4506, C4507R, C4510R
CPU | 266 MHz | 666 MHz | 333 MHz | 400 MHz | 833 MHz
IP CEF Entries | 32K | 32K | 128K | 128K | 128K
SDRAM | 256 | 256/512 | 512 | 512 | 512
Active VLANs | 2K | 2K | 4K | 4K | 4K
Multicast Entries | 12K (L3) 8K (L2) | 12K (L3) 8K (L2) | 28K (L3) 16K (L2) | 28K (L3) 16K (L2) | 28K (L3) 16K (L2)
Catalyst 4500 Cisco IOS Supervisor Comparison
Feature | Supervisor II+ | Supervisor II+ 10GigE | Supervisor IV | Supervisor V | Supervisor V-10GE
STP Instances | 1.5K | 1.5K | 3K | 3K | 3K
SVI | 1K | 1K | 4K | 4K | 4K
NVRAM | 512 KB | 512 KB | 512 KB | 512 KB | 512 KB
NetFlow Support | No | No | Yes (NFL) | Yes (NFL) | Yes (NFL2)
Broadcast Suppression | Software | Hardware | Software | Hardware | Hardware
Multicast Suppression | No | Yes | No | Yes | Yes
QoS Sharing | Nonblocking GE only | All ports | Nonblocking GE only | All ports | All ports
QinQ | Pass-through | In hardware | Pass-through | In hardware | In hardware
Sup Uplinks | 2 GE | 2 x 10GE | 2 GE | 2 GE | 2 x 10GE or 4 x GE
Catalyst 4500 Series Ethernet Line Card Modules
Fast Ethernet
– 48-port 10/100 (RJ-45 or RJ-21) with or without Power over Ethernet
– 24-port 10/100 (RJ-45) with or without Power over Ethernet
– 24 or 48-port 100-FX
– 48-port 100-LX10
– 48-port 100BX (bi-directional)
Gigabit Ethernet
– 2-port Gigabit Ethernet (GBIC)
– 6-port Gigabit Ethernet (GBIC, SFP or 10/100/1000 PoE)
– 18-port Gigabit Ethernet (GBIC)
– 24 or 48-port 10/100/1000 (RJ-45) with or without Power over Ethernet
– 48-port Gigabit Ethernet (SFP)
Fiber Uplinks
– 2-port Gigabit Ethernet (Supervisor)
– 32-port 10/100 + 4-port 100-FX
– 32-port 10/100 + 2-port GE
Cisco Catalyst 3750 Switch
Cisco Catalyst 3750 Series: Innovative Stacking
Sets New Standards for Resiliency and Management
Enterprise-class services
• Wire-speed switching and routing
Cisco StackWise™ Technology
• Fault-tolerant, bi-directional 32-Gbps stack interconnection
• Automated configuration & management
• Single network instance (IP, SNMP, CLI, Spanning-Tree Protocol, VLAN)
• Master/secondary architecture with master failover
• Cross-stack EtherChannel®, cross-stack QoS
Next generation in desktop switching
• Optimized for Gigabit Ethernet
• IPv6-capable in hardware
Cisco Catalyst 3750 Series Model Overview
• Catalyst 3750-24TS – 24 10/100 + 2 SFP ports
• Catalyst 3750-48TS – 48 10/100 + 4 SFP ports
• Catalyst 3750-24PS – 24 10/100 + 2 SFP ports, 370W PoE
• Catalyst 3750-48PS – 48 10/100 + 4 SFP ports, 370W PoE
• Catalyst 3750G-24TS-1U – 24 10/100/1000 + 4 SFP
• Catalyst 3750G-48TS – 48 10/100/1000 + 4 SFP
• Catalyst 3750G-24PS – 24 10/100/1000 + 4 SFP, 370W PoE
• Catalyst 3750G-48PS – 48 10/100/1000 + 4 SFP, 370W PoE
• Also shown: 24 10/100/1000; 12 SFP (AC or DC); 16 10/100/1000 + 1x 10GE XENPAK; Catalyst 3750-24FS
Software: Three Software Licenses
IP Base (SMI)
• Enterprise-class intelligent services: advanced QoS, enhanced security, RIP, and static IP routing
IP Services (EMI)
• IP Base feature set plus: dynamic IP unicast routing, smart multicast routing, and PBR
Advanced IP Services
• Adds IPv6 capability (hardware supported)
Cisco Catalyst 3560 Series Switches: Positioning
Enterprise-class, fixed configuration, multilayer switching line optimized for access layer deployments requiring IEEE 802.3af or Cisco® prestandard Power over Ethernet
• Fast Ethernet and Gigabit Ethernet access configurations
• Ideal for small enterprise wiring closets and branch office environments
• Enables the deployment of network-wide intelligent services for converged applications: enhanced security, advanced quality of service (QoS), availability
• Intelligent power management features provide granular control
• Express Setup and Cisco Network Assistant software support easy deployment and configuration
• Uses Cisco ASICs for superior hardware and software integration, and innovative features
Cisco Catalyst 3560 Switch
Cisco Catalyst 3560 Series Model Overview
• Catalyst 3560-24TS – 24 10/100 + 2 SFP ports
• Catalyst 3560-48TS – 48 10/100 + 4 SFP ports
• Catalyst 3560-24PS – 24 10/100 + 2 SFP ports, 370W PoE
• Catalyst 3560-48PS – 48 10/100 + 4 SFP ports, 370W PoE
• Catalyst 3560G-24TS – 24 10/100/1000 + 4 SFP
• Catalyst 3560G-48TS – 48 10/100/1000 + 4 SFP
• Catalyst 3560G-24PS – 24 10/100/1000 + 4 SFP, 370W PoE
• Catalyst 3560G-48PS – 48 10/100/1000 + 4 SFP, 370W PoE
Three Software Licenses
• IP Base Software License – enterprise-class intelligent services: advanced QoS, enhanced security, RIP, and static IP routing
• IP Services Software License – IP Base feature set plus: dynamic IP unicast routing, smart multicast routing, and PBR
• Advanced IP Services License – adds IPv6 capability
Power over Ethernet: Why PoE
• Prepare the network for IP telephony and wireless access
• Eliminate the need for separate electrical wiring
• Protect your investment and avoid a costly upgrade
Cisco Catalyst Advantages
• Standards-based IEEE 802.3af guarantees device interoperability
• Cisco IOS provides intelligent power management with granular control
• Cisco’s Redundant Power Supply (RPS675) maximizes reliability
• Both Cisco pre-standard PoE and 802.3af are fully supported
• Wide selection of powered devices: IP phones, wireless access points, surveillance cameras, access card readers
Catalyst 3750-E and 3560-E Switch Models
Catalyst 3750-E Series Stackable Switches
• 24 10/100/1000T ports + 2x 10GE
• 48 10/100/1000T ports + 2x 10GE
• 24 10/100/1000T ports w/PoE + 2x 10GE
• 48 10/100/1000T ports w/PoE + 2x 10GE
Catalyst 3560-E Series Stand-Alone Switches
• 24 10/100/1000T ports + 2x 10GE
• 48 10/100/1000T ports + 2x 10GE
• 24 10/100/1000T ports w/PoE + 2x 10GE
• 48 10/100/1000T ports w/PoE + 2x 10GE
Cisco Catalyst 2960 Series Model Overview: Fast Ethernet Models
• Catalyst 2960-24TT – 24 10/100 ports, 2 10/100/1000 uplink ports
• Catalyst 2960-48TT – 48 10/100 ports, 2 10/100/1000 uplink ports
• Catalyst 2960-24TC – 24 10/100 ports, 2 dual-purpose uplink ports
• Catalyst 2960-48TC – 48 10/100 ports, 2 dual-purpose uplink ports
Software
• LAN Base image: enterprise-class intelligent services (advanced QoS, enhanced security, high availability)
• Orderable with latest IOS software version
Uplinks
• Dual-purpose uplinks: one 10/100/1000 TX port and one SFP port, one port active at a time
Cisco Catalyst 2960 Series Model Overview: Gigabit Ethernet Models
• Catalyst 2960G-24TC-L – 20 10/100/1000 ports, 4 dual-purpose uplink ports
• Catalyst 2960G-48TC-L – 44 10/100/1000 ports, 4 dual-purpose uplink ports
Software
• LAN Base image: enterprise-class intelligent services (advanced QoS, enhanced security, high availability)
• Orderable with latest IOS software version
Uplinks
• Dual-purpose uplinks: one 10/100/1000 TX port and one SFP port, one port active at a time
Catalyst 3560 and 2960 Compact Switches
Enable advanced technology at the network edge for deployments outside the wiring closet: office workspaces, micro branch offices, classrooms, cruise ships, and other wiring-constrained environments
Product ID | Product Family | Access Ports | Uplink Port
WS-C3560-8PC-S | Catalyst 3560 | 8 10/100 PoE | 1 10/100/1000 or SFP
WS-C2960-8TC-L | Catalyst 2960 | 8 10/100 | 1 10/100/1000 or SFP
WS-C2960G-8TC-L | Catalyst 2960 | 7 10/100/1000 | 1 10/100/1000 or SFP
Integrated Security Feature
Cisco Catalyst Switching Integrated Security
[Figure: integrated security features grouped into Secure Connectivity, Threat Defense, and Trust and Identity]
• Secure Connectivity: SSL VPN, IPsec VPN
• Threat Defense: man-in-the-middle attack mitigation (DHCP Snooping, DAI, IPSG), PVLAN, Scavenger-class QoS
• Trust and Identity: Cisco Trust Agent / Network Admission Control, Quarantine VLAN (remediation), Identity-Based Networking (802.1x extensions), Web and MAC-based authentication
Security – Threat Defense: Catalyst Integrated Security Toolkit
Catalyst features:
• Port Security
• DHCP Snooping
• DHCP Rate Limiting
• Dynamic ARP Inspection
• ARP Rate Limiting
• IP Source Guard
• Private VLAN
• Wire-speed ACLs: RACL/PACL/VACL
• Unicast Port Flood Blocking
• Unicast MAC Filtering
• BPDU Guard/Root Guard
• VVID Trusted Boundary
• SSH v2
• VMPS client
• RADIUS/TACACS+ support
Typical Internal Attacks
[Figure: an attacker on the LAN tells an innocent user “I’m your email server” and tells the email server “I’m the user”; Port Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard on the switch block this]
Attack | Catalyst Feature
MAC address flooding | Port Security
DHCP rogue server for default gateway interception | DHCP Snooping
ARP spoofing or ARP poisoning | Dynamic ARP Inspection
IP spoofing | IP Source Guard
DHCP Snooping: Protection Against Rogue/Malicious DHCP Server
• DHCP requests (discover) and responses (offer) tracked
• Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
• Deny responses (offers) on non-trusted interfaces; stops malicious or errant DHCP servers
[Figure: (1) 1000s of DHCP requests to overrun the DHCP server; (2) a client’s DHCP request answered with a bogus DHCP response]
Securing Layer 2 from Surveillance Attacks: Protection Against ARP Poisoning
Dynamic ARP Inspection protects against ARP poisoning (ettercap, dsniff, arpspoof)
• Uses the DHCP snooping binding table
• Tracks MAC to IP from DHCP transactions
• Rate-limits ARP requests from client ports; stops port scanning
• Drops bogus gratuitous ARPs; stops ARP poisoning / man-in-the-middle attacks
[Figure: Gateway = 10.1.1.1 (MAC A), Attacker = 10.1.1.25 (MAC B), Victim = 10.1.1.50 (MAC C); the attacker sends gratuitous ARPs claiming 10.1.1.1 = MAC_B and 10.1.1.50 = MAC_B]
IP Source Guard: Protection Against Spoofed IP Addresses
IP Source Guard protects against spoofed IP addresses
• Uses the DHCP snooping binding table
• Tracks IP address to port associations
• Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP
[Figure: Gateway = 10.1.1.1, Attacker = 10.1.1.25, Victim = 10.1.1.50; the attacker claims “Hey, I’m 10.1.1.50!”]
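The DHCP snooping, Dynamic ARP Inspection and IP Source Guard slides above describe one mechanism: a binding table learned from DHCP that gates ARP and IP traffic on access ports. As an added example (not from the deck or from Cisco), this Python model replays the slides' 10.1.1.0/24 scenario against that logic; the port names Gi0/1, Fa0/2 and Fa0/3, the 15 packets/second rate limit and the err-disable reaction are assumptions.

```python
# Added example, not Cisco code: a model of how the DHCP snooping binding table
# drives DAI and IPSG. Port names and the rate limit are assumptions; the
# addresses and MAC labels (A, B, C) are the ones used on the slides.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    trusted: bool = False       # trusted = faces the DHCP server / gateway
    dhcp_rate_limit: int = 15   # assumed: client DHCP packets per second allowed


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.bindings = {}                   # binding table: (vlan, mac) -> Binding
        self.pending = {}                    # (vlan, mac) -> client port waiting for an ACK
        self.dhcp_counts = defaultdict(int)  # (port, second) -> client DHCP packets seen
        self.err_disabled = set()

    def dhcp_packet(self, port, kind, mac, ip=None, vlan=1, second=0):
        """kind: DISCOVER/REQUEST from a client, OFFER/ACK from a server; mac is the client MAC."""
        p = self.ports[port]
        if port in self.err_disabled:
            return "DROP: port err-disabled"
        if kind in ("OFFER", "ACK"):
            if not p.trusted:                # a server answering on an access port is rogue
                return "DROP: server reply on untrusted port"
            if kind == "ACK" and (vlan, mac) in self.pending:
                self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, self.pending.pop((vlan, mac)))
            return "FORWARD"
        if not p.trusted:                    # rate-limit client messages to blunt a DHCP flood
            self.dhcp_counts[(port, second)] += 1
            if self.dhcp_counts[(port, second)] > p.dhcp_rate_limit:
                self.err_disabled.add(port)
                return "DROP: rate limit exceeded, port err-disabled"
        self.pending[(vlan, mac)] = port
        return "FORWARD"

    def arp_packet(self, port, sender_mac, sender_ip, vlan=1):
        """DAI: on an untrusted port the sender MAC/IP pair must match a binding on that port."""
        if self.ports[port].trusted:
            return "FORWARD"
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != port:
            return "DROP: ARP sender does not match DHCP snooping binding"
        return "FORWARD"

    def ip_packet(self, port, src_ip, vlan=1):
        """IPSG: the dynamic port ACL permits only source IPs bound to this port via DHCP."""
        if self.ports[port].trusted:
            return "FORWARD"
        permitted = {b.ip for b in self.bindings.values() if b.port == port and b.vlan == vlan}
        return "FORWARD" if src_ip in permitted else "DROP: source IP not bound to this port"


def run_scenario():
    """Replays the slides' example; port names are assumed."""
    sw = Switch([Port("Gi0/1", trusted=True), Port("Fa0/2"), Port("Fa0/3")])
    # Victim (MAC C) and attacker (MAC B) each obtain a lease through the trusted uplink.
    for mac, ip, port in (("C", "10.1.1.50", "Fa0/3"), ("B", "10.1.1.25", "Fa0/2")):
        sw.dhcp_packet(port, "REQUEST", mac)
        sw.dhcp_packet("Gi0/1", "ACK", mac, ip)
    results = {
        "victim_arp": sw.arp_packet("Fa0/3", "C", "10.1.1.50"),
        "gateway_arp": sw.arp_packet("Gi0/1", "A", "10.1.1.1"),
        # DAI slide: gratuitous ARPs claiming the gateway and the victim are dropped
        "poison_gateway": sw.arp_packet("Fa0/2", "B", "10.1.1.1"),
        "poison_victim": sw.arp_packet("Fa0/2", "B", "10.1.1.50"),
        # IPSG slide: "Hey, I'm 10.1.1.50!" from the attacker's port is dropped
        "spoofed_ip": sw.ip_packet("Fa0/2", "10.1.1.50"),
        "own_ip": sw.ip_packet("Fa0/2", "10.1.1.25"),
        # DHCP snooping slide: a bogus offer from an access port is dropped
        "rogue_offer": sw.dhcp_packet("Fa0/2", "OFFER", "C", "10.1.1.99"),
    }
    # DHCP snooping slide: a burst of requests trips the rate limit before reaching the server.
    flood = [sw.dhcp_packet("Fa0/2", "DISCOVER", f"X{i}", second=1) for i in range(20)]
    results["flood_dropped"] = sum(r.startswith("DROP") for r in flood)
    return results


if __name__ == "__main__":
    print(run_scenario())
```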
LAN Management Solution
LMS 2.6 Overview
• LMS is a suite of management tools that simplifies configuration, administration, monitoring and troubleshooting of Cisco networks
LMS 2.6 Features, Functions, Benefits
Component | Functions | Benefits
Common Services | UI; Web services; Security; Database; DCR; Job scheduler. Features: common device list, embedded DB, integrated framework | Application consistency; Integrated functionality; Ease-of-use – common UI
CiscoView | Real-time monitoring; Device configuration; HTML interface; SNMP-based; Graphical display | Easy-to-use; Quick problem isolation and troubleshooting
Resource Manager Essentials | Inventory, configuration; Software image deploy; Automated change mgmt; HTML interface; Inventory; Config; Syslog; SWIM; NetShow; NetConfig | Automated config audit and change reporting; Network inventory and config
Campus Manager | Topology/connectivity; User tracking; VLAN config; Discrepancy reporting; Topo Svcs; VLAN Mgr; Path Trace; User Tracking | Simplified user experience and improved performance; New features reduce time to problem resolution
Device Fault Manager | Device troubleshooting; Root cause analysis; Event correlation; HTML interface; Active Alarm Display; App integration | Integrated lightweight UI quickly helps with root cause analysis and fix
Internetwork Performance Monitor | Response time analysis; Historical reporting; Utilizes SA Agent in IOS; UI for config and reporting | Helps isolate and report on response time issues for the wide area network
LMS 2.6 Home Page
CiscoView
• SNMP-based device management tool – all monitoring and configuration capabilities based on MIB support
• Monitor real-time statistics for interfaces, resource utilization, and device performance
• Simple point and click to configure multiple ports and chassis parameters
• Currently supports the entire range of switches and routers
CiscoView 6.1
• New lightweight HTML interface
• IPv6 compliance
• Mini-RMON support
• SNMPv3 (AuthNoPriv)
• More granularity in user roles through the ability to integrate with an ACS server
Resource Manager Essentials
Inventory Manager
• Complete Cisco asset management
Software Image Manager
• Software lifecycle management of Cisco hardware
• Improved browse bug by device
Configuration Manager
• Version control, archival, editing and reporting of device configurations
• Network-wide config changes
Change Audit Services
• Single interface for all hardware, software, and configuration changes
Resource Manager Essentials
Syslog Analyzer
• Distributed collection, flexible reporting, and action scripts to pinpoint network incidents
Diagnostics & Tools
• Troubleshoot device connectivity
• Desktop integration of partner and customer applications
• User-customizable network-wide show command tool
RME 4.0
• New lightweight UI and improved workflows
• Improved scheduling of data collection
• Centralized reporting with print-friendly, email and new scheduling options
• Significant improvements in overall performance and scalability
• Software Image Manager module includes major scalability enhancements
Reporting Framework
• Reports are “centralized”
• Any report can be scheduled: immediate, batch, periodic
• Export in HTML, printer- and email-friendly format
Campus Manager
Network-based management of switch services and traffic performance
• Enhanced network discovery and topology mapping
• Auto network discovery
• VLAN management
• Extended ATM management
• End-station mobility and tracking
• Path trace analysis
Campus Manager 4.0
• New workflows – Campus administration user interface
• Extensive spanning tree support (PVST+/MSTP) and advanced reporting
• Enhanced VLAN & PVLAN support (end-to-end support)
• Enhanced User Tracking reports
• New lightweight HTML-based User Tracking user interface
• Hierarchical maps
• Time Delay Reflectometry (TDR)
CM 4.0 – User Tracking
• New workflows
• Lightweight HTML user interface
• Support for up to 100,000 end hosts
• Launch points for Device Center
• Supports DEE XML export of User Tracking records
Switch Port Usage Reports
• Recently Down Report – shows the ports which had end hosts connected to the device and are now removed
• Unused Down Report – shows the unused ports in a device which are administratively down
• Unused Up Report – shows the unused ports in a device which are administratively up
User Tracking Utility (UTU) 1.1
UTU 1.1 updated for support of Campus Manager 4.0 with enhanced options:
• Copy to clipboard
• VLAN
• Port speed/duplex
• Last Seen field
Ships with LMS 2.6 and available as a no-charge download from the Cisco.com Software Center
Device Fault Manager
• Device-level fault analysis for Cisco products
• Identify POSSIBLE problems
• Monitor for high availability
• Pager/email/trap notification
• MIBs, polling intervals and thresholds set – OUT OF THE BOX
• NO RULES TO WRITE
Device Fault Manager 2.0
• New lightweight Active Alarm Display
• Device grouping: “random” grouping – pick what devices you want for any group
• Improved integration: synchronization with the Common Services Device Credential Repository
• Launch Fault History, CiscoView and Device Center from AAD
• Common groups shared from Common Services
DFM Functional Architecture
[Figure: DFM server block diagram]
• DFM Engine: SNMP queries per polling settings; threshold settings; SNMP port; trap receiving port; trap forwarding port
• Raw traps and traps arrive at the DFM server from managed devices
• Notification Services: notify based on user criteria by email, trap or syslog, including to a third-party NMS or event notification system
• DFM Alerts & Activities Display and Fault History Display for users
• Fault History DB (stores 31 days of data)
Internetwork Performance Monitor
WAN Troubleshooting
Measures hop-by-hop response time, availability, jitter, and drops
Provides real-time and historical reports
Utilizes IP SLA (previously known as Cisco’s Service Assurance Agent) embedded in Cisco IOS
Validates & measures TCP, UDP, HTTP, VoIP, DNS, ICMP with QoS awareness
TCO Example RME
Internetwork Performance Monitor 2.6
• Improved UI consistency across the bundle
• Improved integration within the bundle: Device Import, Device Center
• Eliminated separate web server
• ACS-based user roles for security
• Support for Differentiated Services Code Point
• Ability to specify source port address
• Improved scalability (2000 collectors)
• Optional SSL between client and server