FOUNDATION: NEXT GENERATION ROUTING AND MULTIFUNCTION SWITCHING
CISCO BUSINESS SOLUTIONS WORKSHOP FOR RESELLERS
© 2005 Cisco Systems, Inc. All rights reserved. 10983_04_2004_c1
Agenda
• Technology Trends Shaping the Business World
• Cisco Integrated Services Router Solutions
• Catalyst Intelligent Switching Solutions
• Ease of Management
• Summary
• Question and Answer
Pressure to Maintain and Grow Business
Protect and increase top-line growth; improve operational efficiency
• Solutions to reduce operational expenses and protect assets
• Collaborative tools to improve employee productivity
• Improved total value from the network solution
• Customers are increasingly interested in Internet-based services
• Customer service needs to deliver rapid and dependable response
• Your company needs technology agility to keep pace with competitors who are also offering new services
Is Your Technology Helping You Keep Pace?
Getting the Best Value for Your Infrastructure Investment
THE NETWORK IS THE FOUNDATION: INVEST IN TECHNICAL SOPHISTICATION
• Today's network deployments are expected to last longer than ever before; today's deployments are critical for tomorrow's success
• Enable new application deployments (PoE, 10/100/1000)
• Effective investments today provide greater long-term value: minimize network disruptions, avoid unnecessary downtime, leverage the investment more effectively
Traditional Business Solution (one device per function)
• Data: branch access router
• Voice services: hybrid/key system
• Content delivery: content engine
• Security: firewall, IDS and VPN appliances
• Local connectivity: LAN switch
Cisco: Integrated Systems
• Integrated services
• Embedded security
• Voice ready
• Video integration
Applications and User Access: New Demands on Networks, Even in Small Offices
[Chart: share of companies (0% to 60%) planning to deploy firewall, IDS/IPS, virus scanning, remote-access VPN and wireless LAN over the next 12 months, split by company size (under 100 employees vs. 100–999 employees)]
The smallest companies are planning to deploy security basics and wireless LAN over the next 12 months.
Source: Cisco-sponsored survey, May 2004
[Video: Idle Aire (file: idleair_final.wmv)]
CISCO INTEGRATED SERVICES ROUTERS
Cisco's New Integrated Services Routers
Secure, Concurrent Services at Wire Speed!
• Up to 5X service density, 7X performance, 4X memory
• Embedded security, tightly integrated with voice
• Industry-leading network availability and resilience, plus headroom to grow
• Backward compatibility with existing router modules for solid investment protection
Integrated Services Routers: 1800 Series, 2800 Series, 3800 Series
WHAT'S NEW IN INTEGRATED ROUTER SECURITY
Cisco Integrated Security on Integrated Services Routers
Merging best-of-breed network security technology (from Cisco VPN concentrators, Cisco firewalls and Cisco IDS sensors) with over 20 years of routing and IP services expertise. Network security is standard on every new router for end-to-end network protection, an industry first. Applies to Cisco ISRs and mid-range routers.
• Network Foundation Protection: prevent, protect and police the network infrastructure from attacks
• Trust and Identity: leverage the network to intelligently protect endpoints
• Secure Connectivity (Cisco IOS VPN): secure and scalable network connectivity
• Threat Defense: prevent and respond to network attacks and threats such as worms
Cisco IOS IPS: New Features and Engines, All Inline!
• String engines enable custom matching of any string in the packet; customize signatures for quick reaction to new threats
• 400 worm and attack signatures added; nearly 1200 total signatures from which to dynamically select
NEW ATTACK PREVENTION ENGINES: TCP String, UDP String, ICMP String, Trend Micro
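As an added illustration (example code, not Cisco's implementation and not part of the original deck), the following Python models what a string engine does: a custom signature is scoped to a protocol and, for TCP/UDP, to a service port, a regular expression is searched in the payload, and because the sensor sits inline the matching action is either to drop the packet or only to raise an alarm. The signature IDs, patterns, actions and sample packets are constructed here; the Nimda- and Slammer-style payloads follow the well-known shape of those worms' traffic but are not Cisco signatures.

```python
"""Model of inline string-engine IPS signatures (TCP/UDP/ICMP String).

Example code added to this transcript, not Cisco's implementation.
Signature IDs, patterns, actions and sample packets are constructed here.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port; None for ICMP
    payload: bytes


@dataclass
class StringSignature:
    """One custom signature for a string engine.

    engine  -- "tcp-string", "udp-string" or "icmp-string": the signature only
               looks at packets of that protocol.
    pattern -- regular expression searched anywhere in the payload.
    action  -- "drop" (inline block) or "alarm" (log only, packet forwarded).
    ports   -- service ports the signature applies to; empty means any port.
    """
    sig_id: int
    engine: str
    pattern: bytes
    action: str
    ports: frozenset = frozenset()
    description: str = ""
    _regex: re.Pattern = field(init=False, repr=False, compare=False)

    def __post_init__(self):
        self._regex = re.compile(self.pattern, re.DOTALL)

    def matches(self, pkt: Packet) -> bool:
        if self.engine != f"{pkt.proto}-string":
            return False
        if self.ports and pkt.dport not in self.ports:
            return False
        return self._regex.search(pkt.payload) is not None


SEVERITY = {"alarm": 1, "drop": 2}


def inspect(pkt: Packet, signatures) -> tuple:
    """Inline decision for one packet: ("forward" | "drop", [matched signature ids]).

    Every matching signature fires (and would be logged); the most severe action
    wins, so a packet matching an alarm-only and a drop signature is dropped.
    """
    hits = [s for s in signatures if s.matches(pkt)]
    action = max((s.action for s in hits), key=SEVERITY.get, default="forward")
    return ("drop" if action == "drop" else "forward", [s.sig_id for s in hits])


# Constructed signature set: the IDs are invented; the two worm patterns follow
# the well-known shape of Nimda's cmd.exe probe and Slammer's UDP/1434 packet.
SIGNATURES = [
    StringSignature(60001, "tcp-string", rb"(?i)/root\.exe", "drop", frozenset({80}),
                    "Nimda-style request for a copied cmd.exe"),
    StringSignature(60002, "udp-string", rb"\x04\x01{60,}", "drop", frozenset({1434}),
                    "Slammer-style SQL Resolution Service overflow"),
    StringSignature(60003, "icmp-string", rb"(?i)covert-channel-test", "alarm", frozenset(),
                    "Marker string carried in an ICMP echo payload"),
]

# Constructed sample packets.
SAMPLES = {
    "web get":       Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "nimda probe":   Packet("tcp", 80, b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    "slammer":       Packet("udp", 1434, b"\x04" + b"\x01" * 96 + b"\xdc\xc9\xb0\x42"),
    "icmp marker":   Packet("icmp", None, b"covert-channel-test " + b"\x00" * 32),
    "probe on 8080": Packet("tcp", 8080, b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} -> {inspect(pkt, SIGNATURES)}")
```

The "probe on 8080" sample shows why port scoping matters: the same request body that is dropped on port 80 is forwarded untouched on 8080, so a custom signature that should cover an alternate web port needs that port in its service list.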
Companies Are Opening Port 80: Attacks Enter Through Web-Enabled Applications
[Figure: internal users reaching the Internet through port 80 (HTTP), carrying web services, web-enabled apps, IM traffic, rich media and general Internet access; percentages shown in slide order: 43%, 43%, 55%, 43%, 98%]
64% of enterprises have opened port 80 on their firewalls for their growing web application traffic.
Source: Aug 2002 InfoWorld/Network Computing survey of IT professionals
"…75% of successful attacks against Web servers are entering through applications and not at the network level." John Pescatore, VP and Research Director, Gartner, June 2002.
Cisco IOS Application Firewall: Get Control of Port 80!
[Figure: a client announcing "I am HTTP web traffic… honest!" sends a payload on port 80 toward the corporate office server farm]
• Enables application inspection and control of tunneled traffic: convergence of Cisco IOS Firewall and inline IPS technologies
• Controls misuse of port 80 by rogue applications, i.e. apps that tunnel traffic inside HTTP to avoid scrutiny; example: instant messaging and peer-to-peer applications such as Kazaa; manage bandwidth consumption through usage policies
• Protocol anomaly detection services
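Added example, not Cisco code and not part of the original deck: a protocol-conformance classifier for the first client bytes on TCP/80, in the spirit of the strict-HTTP and port-misuse checks described above. It rejects non-HTTP greetings (BitTorrent, Gnutella, MSNP, SSH), enforces request-line and header grammar, flags CONNECT tunnels to non-HTTPS ports, spots FastTrack/Kazaa's X-Kazaa-* headers on otherwise valid GETs, and only logs (alarms on) non-RFC extension methods. The policy mapping, the greeting list and the sample payloads are constructed here; the protocol greetings and header names themselves are real. It assumes the caller passes reassembled client-to-server bytes through the end of the header block.

```python
"""Protocol-conformance check for the first client bytes on TCP/80.

Example code added to this transcript, not Cisco's implementation. The policy
table, greeting list and sample payloads are constructed here; the protocol
greetings and header names they use are real.
"""
import re

# Request line and header-field grammar (RFC 7230 sections 3.1.1 and 3.2).
# No '^' anchors: Pattern.match(data, pos) anchors at pos, '^' would not.
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
HEADER_LINE = re.compile(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*)\r\n")
RFC_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
MAX_HEADER_BYTES = 8192

# Opening bytes of protocols that ride on port 80 to slip past port-based filters.
NON_HTTP_GREETINGS = [
    (b"\x13BitTorrent protocol", "p2p-bittorrent"),
    (b"GNUTELLA CONNECT/", "p2p-gnutella"),
    (b"VER ", "im-msnp"),        # MSN Messenger handshake: "VER 1 MSNP9 MSNP8 CVR0"
    (b"SSH-", "tunneling-ssh"),  # SSH banner sent straight to port 80
]

# Action per violation class: the allow/alarm/reset choice an inline firewall policy makes.
DEFAULT_POLICY = {
    "port-misuse": "reset",
    "tunneling": "reset",
    "strict-http": "reset",
    "request-method": "alarm",   # non-RFC extension methods (e.g. WebDAV): log, let through
}


def _verdict(policy, cls, reason):
    return {"verdict": policy[cls], "class": cls, "reason": reason}


def classify_port80(payload: bytes, policy=DEFAULT_POLICY) -> dict:
    """Inspect reassembled client->server bytes (through the end of the header
    block) and return {"verdict": "allow"|"alarm"|"reset", "class", "reason"}."""
    for magic, kind in NON_HTTP_GREETINGS:
        if payload.startswith(magic):
            return _verdict(policy, "port-misuse", kind)

    m = REQUEST_LINE.match(payload)
    if not m:
        return _verdict(policy, "strict-http", "malformed-request-line")
    method, target, major, minor = m.groups()
    if (major, minor) not in {(b"1", b"0"), (b"1", b"1")}:
        return _verdict(policy, "strict-http", "unsupported-version")

    # Header block: well-formed field lines up to the empty CRLF line, bounded in size.
    headers, pos = {}, m.end()
    while not payload.startswith(b"\r\n", pos):
        h = HEADER_LINE.match(payload, pos)
        if not h or h.end() > MAX_HEADER_BYTES:
            return _verdict(policy, "strict-http", "malformed-or-oversized-headers")
        headers[h.group(1).lower()] = h.group(2).strip()
        pos = h.end()

    if method not in RFC_METHODS:
        return _verdict(policy, "request-method", "extension-method:" + method.decode())
    if method == b"CONNECT" and not target.endswith(b":443"):
        return _verdict(policy, "tunneling", "connect-to-non-https-port")
    if any(name.startswith(b"x-kazaa-") for name in headers):
        return _verdict(policy, "port-misuse", "p2p-kazaa")   # FastTrack/Kazaa uses HTTP-style GETs
    if (major, minor) == (b"1", b"1") and b"host" not in headers:
        return _verdict(policy, "strict-http", "missing-host-header")
    return {"verdict": "allow", "class": "http", "reason": "conforming-request"}


# Constructed sample payloads.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "kazaa": (b"GET /.hash=0123456789abcdef HTTP/1.1\r\nHost: 192.0.2.10:80\r\n"
              b"X-Kazaa-Username: anon\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    "bittorrent": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 40,
    "msn": b"VER 1 MSNP9 MSNP8 CVR0\r\n",
    "ssh over connect": b"CONNECT jump.example.net:22 HTTP/1.1\r\nHost: jump.example.net:22\r\n\r\n",
    "webdav": b"PROPFIND /share/ HTTP/1.1\r\nHost: files.example.com\r\nDepth: 1\r\n\r\n",
    "tls on 80": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:17} -> {classify_port80(data)}")
```

A router's inspection engine also watches the response side and the body (declared content type versus actual content, transfer encoding, maximum body and URI length); the classifier above covers only the request head, which is where most tunneling and rogue-protocol evidence shows up first.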
USB Ports: Removable Credentials
First routers in the industry with USB ports
• USB ports integrated into all Cisco ISRs; initial support for secure token and flash memory
• Provisioning (secure configuration distribution): drop-ship the router to the location; provision a bootstrap configuration onto the token and send the token to the location; plug the token into the router and turn it on; the router loads the bootstrap and then uses the configuration on the token or downloads its configuration
• Distribution and storage of VPN credentials (preshared keys and/or certificates)
• Leverages eToken technology for highly secure and removable credentials
• Bulk flash for image distribution/storage as an alternative to compact flash deployment
• 2 USB ports on 3800, 2851, 2821 and 2811 models; 1 USB port on 2801 and 1841
[Figure: router module layout showing AIM, VPN, Power + 802.3af, USB, NME, EVM, HWIC and GE slots]
Easier to Install and Maintain: Cisco Router and Security Device Manager (SDM) v2.1
Intuitive, web-based device management tool for Cisco routers; featured on routers from the 100 series through the 7301
• Cisco SDM Express: consumer-friendly interface for quick router setup
• SDM on PC: resellers can manage Cisco routers without an SDM image on flash
• Three new IPS signature engines
• PPPoA configuration for xDSL deployments
• Available in six languages (Q2 CY '05)
"Miercom broadly endorses a slick software tool for configuring and monitoring your Cisco routers. It works, it's free, and it's from Cisco." Ed Mier, Miercom
SMALL BUSINESS SERIES (SB 100 SERIES)
Small Business Access Router Portfolio
[Figure: Cisco Integrated Services Routers positioned by office size (teleworker / single-site small business, small remote offices, small branch, enterprise branch office) against performance and services density]
• 3800 Series: highest density and performance for concurrent services
• 2800 Series: embedded, advanced voice, video, data and security services
• 1800 Series: high-performance integrated security and data
• 800 Series: secure broadband connectivity
• Small Business 100 Series
Small Business 100 (SB100) Series: Broadband Access for Small Business Networks
• Affordable Cisco router for data-only applications in small business offices of up to five users
• Secure connectivity with integrated stateful firewall
• DSL/cable: ADSL, ADSL over ISDN or Ethernet WAN interface
• Models: SB 101 (100 Mb Ethernet), SB 106/SB 107 (DSL)
• 4-port 10/100 Mb Ethernet switch
• Simple setup and remote management capabilities of Cisco IOS software
[Figure: Cisco SB106 shown: stateful firewall; DSL WAN port or Ethernet WAN port connects to the SP network or to a DSL/cable modem; ISDN port (106 only) for an ISDN line used for out-of-band management; console port / virtual AUX connects to a PC or modem for configuration; 10/100 Mb Ethernet switch]
NEW MODELS AND SERVICES IN CISCO INTEGRATED SERVICES ROUTERS
The Right Router for Every Office: Cisco Integrated Services Routers
[Figure: markets (enterprise, medium business, small business) and office size (teleworker / single-site small business, small remote offices, small branch, enterprise branch office) against performance and services density; new models for small offices are highlighted]
• 3800 Series: highest density and performance for concurrent services
• 2800 Series: embedded, advanced voice, video, data and security services
• 1800 Series: high-performance integrated security and data
• 800 Series: secure broadband and wireless connectivity
Modular: 3800, 2800 and 1800 Series. Fixed configuration: 1800 Series (fixed models) and 800 Series.
ISR Fixed-Configuration Wireless Routers: Product Comparison
(Price and value in features and performance increase from the 850 to the 870 to the 1800.)

Cisco 850 Series
• Broadband performance
• Stateful inspection firewall and IPsec 3DES/AES VPNs
• 4-port 10/100 switch
• 802.11b/g with single fixed antenna
• Cisco SDM and IOS for setup and management

Cisco 870 Series
• Stateful inspection firewall, IPsec 3DES or AES VPNs, IPS, antivirus/NAC
• 802.11b/g with multiple replaceable antennas
• Advanced QoS features
• Software and memory upgrades
• 4-port 10/100 managed switch
• Up to 3 VLANs, external PoE
• Cisco SDM and IOS for setup and management
• High performance

Cisco 1800 Series
• Broadband performance
• Stateful inspection firewall, IPsec 3DES or AES VPNs, IPS, antivirus/NAC
• Integrated ISDN, analog modem or Ethernet backup port for redundant WAN links and load balancing
• 802.11a and 802.11b/g with multiple replaceable antennas
• 8-port 10/100 managed switch, internal power supply, PoE
• Up to 8 VLANs
• Cisco SDM and IOS for setup and management
KEY SERVICES FOR THE SMALL OFFICE
Key Services: Business-Class Broadband
[Figure: Cisco 1800 with integrated DSL, external modem or Metro Ethernet, 8-port switch, DMZ for servers, integrated POTS/ISDN backup and out-of-band management, and two WAN links (WAN 1, WAN 2) to the SP network with load balancing and failover plus an optional PSTN backup network; Cisco 800 with 4-port switch, DMZ for servers and external POTS backup and out-of-band management, connecting to the Internet]
Cisco IOS Software for reliability and remote troubleshooting
Integrated Security Services in the Small Office
[Figure: Cisco 800/1800 at the remote office connected over the SP network and Internet to the corporation through an IPsec VPN; an N2H2/Websense URL policy server and an antivirus policy system sit at the corporation]
• Deep packet inspection firewall for a managed firewall service
• High-speed encryption for managed IPsec or AES VPNs
• Inline IPS: inline threat containment, creating zones of protection
• Cisco SDM used for setup and monitoring of the security policy
• User authentication with 802.1x
• The router enforces firewall, antivirus and URL access policies at the small office
Key Services: Secure Wireless LAN
Enterprise-class wireless LANs at the remote site
• Single device for WAN and WLAN reduces hardware cost and deployment cost
• WLAN setup simplified with Cisco SDM
• WLAN, WAN and local authentication for a true enterprise-class wireless solution at the remote office
• Visibility and control through the remote management features
[Figure: Cisco 800/1800/2800/3800 connecting 10BaseT/100BaseTX PC clients, an IP phone, 802.11b IP phones and 802.11b/g or 802.11a* clients over the WAN link to the HQ router]
*802.11a not supported on Cisco 800
Key Services: Voice for Small Remote Office or Teleworker
[Figure: Cisco 800/1800 with an IP phone, optional secure wireless LAN and apps (voice, video, wireless) reaching the corporate network (Call Manager, VPN headend router) over an MPLS/encrypted VPN tunnel across broadband Internet]
• Centralized management: IT-managed security policies, pushed by the corporation (not user-managed)
• Integrated security and identity services
• Advanced application support (voice, video)
• Corporate phone, toll bypass, centralized voicemail
[Video: Idle Aire (file: IDLE AIRE.wmv)]
Integrated Systems Approach: Enabling Growth and Customer/Partner Success
[Figure: intelligent switching and routing at the center, surrounded by high availability, mobility, Self-Defending Network, IP Communications, availability/resiliency, integrated security, delivery optimization, predictable performance and enhanced manageability]
CATALYST INTELLIGENT SWITCHING PRODUCT UPDATE
The Evolution of the Network: Technology Trends
• Converged networks (security, voice, video, data, SAN) driving requirements for PoE, 10/100/1000 connectivity, security everywhere and easier management
• New and growing application deployment with increased unpredictable and time-sensitive traffic patterns
• Longer investment protection: networks are lasting longer than before
Future Cost Assessment
The cost of purchasing future-ready technology is lower than upgrading later
• Cost to purchase a non-PoE card today: $5,500
• Cost to purchase a PoE card today: $7,500 (36% more)
• Cost to upgrade to a PoE card tomorrow: $13,000 (slide labels: "170% more", "2x cost to upgrade later")
Things to consider beyond purchase cost: reinstallation and configuration; network disruption; missed opportunities; future trade-in value
A Glimpse into the Future… The Ethernet-Powered Organization
Resilient, available IP network with scalable power delivery to wireless access points, IP integrated video surveillance, building access control, fire protection and powered IP telephones
Power over Ethernet (PoE) is the ability to deliver regulated -48V DC power over a standard copper Ethernet cable. Cisco products support both the pre-standard inline power AND the IEEE 802.3af standard.
LAN Access Trends: Application-Ready Desktop Connectivity, 10/100/1000 and PoE
• Strong adoption of 10/100/1000 and PoE: 10/100/1000 has already crossed over 10/100 on modular platforms; Cisco has shipped over 25 million PoE ports to date; widest range of 10/100/1000 and PoE options
• Why 10/100/1000 and PoE: minimal price premium over non-PoE, 10/100/1000 switches; PCs ship with 10/100/1000 NICs; IP telephony and the increase in new PoE end devices; longer investment protection
[Figure: cross-portfolio 10/100/1000 and PoE: Catalyst 4500, Catalyst 6500, Catalyst 3750/3560 (NEW), GbE IP phone]
FIXED AND STACKABLE SWITCH UPDATE
Most Complete Line of Fixed-Configuration LAN Products in the Industry
[Figure: products arranged by price/performance against Layer 2 intelligent services through full Layer 3 routing; function, flexibility and scalability increase together]
Layer 2 intelligent services:
• Catalyst 2940: low-density, standalone, managed 10/100 switching; small form factor for deployment outside the wiring closet; basic services
• Catalyst 2950: 10/100 wire-speed switching; fixed uplink and GBIC-based gigabit connectivity; basic through advanced intelligent services
• Catalyst 2970: 10/100/1000 wire-speed switching; advanced intelligent services
Full Layer 3 routing:
• Catalyst 3550 and 3560: 10/100/1000 and GE configurations; enterprise-class intelligent Layer 3/4 services; Power over Ethernet (PoE) configurations
• Catalyst 3750: stackable GE and 10/100/1000 configurations; Cisco StackWise technology; enterprise-class intelligent Layer 3/4 services; single management interface with auto configuration; PoE configurations
• Catalyst 4948: 10/100/1000 wire-speed switching; rack-optimized server switching; jumbo frame support; dual hot-swappable internal power supplies; hot-swappable fan tray
Cisco Catalyst 3750 and 3560 Series
Innovative stacking sets new standards for resiliency and management
• Enterprise-class services
• Wire-speed switching and routing
• Power over Ethernet support
• Cisco StackWise technology (3750 Series only): fault-tolerant, bidirectional 32-Gbps stack interconnection; automated configuration and management; single network instance (IP, SNMP, CLI, Spanning-Tree Protocol, VLAN); master/secondary architecture with master failover; cross-stack EtherChannel and cross-stack QoS
• Next generation in stackable switching: optimized for Gigabit Ethernet; IPv6-capable in hardware
CATALYST 4500 SERIES
Catalyst 4500: Evolutionary Architecture, Backward Compatibility
[Figure: timeline 1998, 2002, 2004, 2007, 2010 showing the same line cards across an extended lifecycle, with development progressing from Layer 2 through 10/100/1000, 10-GbE, SSO, PoE and L2/3/4 services]
Why Buy a Modular Switch?
• Flexibility and scalability: broad range of options with headroom for future growth
• Ease of use: minimize complexity, resulting in lower opex
• Innovative security: stronger protection against security threats that can adversely affect business
• Reliability/availability: maximize network uptime and ease serviceability
• Investment protection
INTELLIGENT SECURITY FEATURE
Catalyst Integrated Security
NETWORK SECURITY CHALLENGES: loss of privacy (packet sniffing); impersonation (identity spoofing); bringing down the network; data theft; internal and external attacks; denial of service attacks
INTEGRATED SECURITY SOLUTION:
• Trust and identity management: authenticate, authorize and audit; control network/application access
• Threat defense: internal attack mitigation
• Secure connectivity: protect traffic across untrusted networks
Why Is Trust and Identity Important?
[Figure: an authorized user and a tailgater/unauthorized user both plugged into the switched network that leads to corporate resources; the unauthorized user is stopped]
• What if… someone "tailgated" into the building?
• What if… they connected to the network?
• What if… they were infected with a virus that could bring down the network?
• What if… they had malicious intent?
• What if… a trusted employee had malicious intent?
First Line of Defense and Segmentation: 802.1x Trust and Identity
How it works: each person trying to enter the network must receive authorization based on their personal username and password.
[Figure: identity-based 802.1x authentication: a user presenting valid credentials is admitted as an authorized user to the Marketing network and denied the Finance network; a guest user with invalid or no credentials is placed on the Guest network with Internet access only]
Self-Defending Networks: Network Admission Control (NAC)
[Figure: hosts attempting network access (running Cisco Trust Agent together with an antivirus client, Cisco Security Agent or IBM Tivoli client) connect to a Cisco network access device, which enforces the security policy; the Cisco policy server creates the security policy and checks security credentials; a vendor application policy server performs AV policy evaluation]
• Key element of the Cisco Self-Defending Network initiative
• Enforces access policy based on endpoint security posture
• Focused on limiting damage through quarantine and remediation
• Integration with Symantec, Network Associates, Trend Micro and IBM
NEW
Layer 2 Attacks: Is This Your Weakest Link?
[Figure: OSI stack, 7 application, 6 presentation, 5 session, 4 transport, 3 network, 2 data link (highlighted), 1 physical]
Security operations normally work with Layer 3 and higher protocols; most are not aware of Layer 2 technology and terminology…
BUT the network is only as strong as the weakest link: compromise Layer 2 and the other layers can be compromised as well…
Layer 2 Attacks: There Are Lots of Tools Out There!!!
Port Security Protects Against MAC Address Flooding Attacks
Problem: a thief can plug a device onto the wire before the switch port and gain access to the network.
Solution: port security limits the number of MAC addresses that can use that port. Example: only 3 MAC addresses are allowed on the port (such as 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb); when an additional address appears, the port is shut down and the thief cannot gain access.
DHCP Snooping
[Figure: a DHCP client's request on an access port is forwarded toward the DHCP server; a DHCP ACK from a rogue server (pretending to be the DHCP server) on another access port is dropped]
What it does:
• The switch treats access ports as untrusted: it forwards only DHCP client requests from them and drops all other DHCP traffic (offers, ACKs) arriving on them
• Only designated DHCP server ports or uplink ports are configured as trusted and allowed to relay DHCP server messages
• Builds a DHCP binding table containing client IP address, client MAC address, port and VLAN number
Benefit: eliminates rogue devices behaving as the DHCP server.
Dynamic ARP Inspection
[Figure: a host whose gateway is 10.1.1.1 receives a gratuitous ARP from 10.1.1.2 (MAC 0000.0000.0001) claiming "I'm your GW: 10.1.1.1"; the switch answers "not by my binding table" and drops it]
Attack: a gratuitous ARP is used to change the IP-to-MAC entries in end devices' ARP tables (ARP spoofing).
What it does: maintains a binding table of IP and MAC address associations, dynamically populated by DHCP snooping, and checks ARP packets arriving on untrusted ports against it.
Benefit: ensures the integrity of user and default gateway information so that traffic cannot be captured by a man-in-the-middle.
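Added example, not Cisco code and not part of the original deck: the following Python models the decision logic of the three access-layer defenses just described (port security, DHCP snooping and dynamic ARP inspection) in one small access switch and runs it over constructed frames: a legitimate DHCP exchange through the trusted uplink, a rogue DHCP ACK on an access port, a gratuitous ARP impersonating the gateway, and a MAC flood that trips the per-port limit. Port names, MAC and IP addresses, frame fields and verdict strings are invented for the example. Two caveats the model makes visible: a MAC count limit alone does not stop an attacker who clones a MAC that is already secured on the port, and ARP arriving on a trusted port is not inspected at all, so the uplink must genuinely be trusted (in a real deployment, statically addressed hosts such as the gateway are covered by DAI through ARP ACLs rather than DHCP bindings).

```python
"""Access-switch model of port security, DHCP snooping and dynamic ARP inspection.

Example code added to this transcript, not Cisco's implementation. Port names,
addresses, frame shapes and verdict strings are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    """One ingress frame, reduced to the fields the three features look at."""
    port: str
    vlan: int
    src_mac: str
    kind: str      # "data", "dhcp-discover", "dhcp-request", "dhcp-offer", "dhcp-ack", "arp"
    ip: str = ""   # DHCP server msgs: yiaddr (offered client IP); ARP: sender protocol address
    mac: str = ""  # DHCP: chaddr (client hardware address); ARP: sender hardware address


DHCP_CLIENT_MSGS = {"dhcp-discover", "dhcp-request"}
DHCP_SERVER_MSGS = {"dhcp-offer", "dhcp-ack"}


@dataclass
class AccessSwitch:
    trusted_ports: frozenset                 # uplinks / DHCP server ports: snooping- and DAI-trusted
    max_macs_per_port: int = 3               # port-security maximum on every untrusted port
    learned: dict = field(default_factory=dict)      # port -> set of MACs secured on it
    err_disabled: set = field(default_factory=set)   # ports shut down by a security violation
    pending: dict = field(default_factory=dict)      # (vlan, chaddr) -> client port awaiting a lease
    bindings: dict = field(default_factory=dict)     # (vlan, ip) -> (mac, port): DHCP snooping table
    log: list = field(default_factory=list)

    def process(self, frame: Frame) -> str:
        """Return "forward" or "drop:<reason>" for one ingress frame."""
        if frame.port in self.err_disabled:
            return self._drop(frame, "port-err-disabled")
        untrusted = frame.port not in self.trusted_ports

        # 1. Port security: cap the distinct source MACs on an access port; a new
        #    MAC beyond the limit err-disables the port. A cloned, already-secured
        #    MAC is NOT caught by this check.
        if untrusted:
            macs = self.learned.setdefault(frame.port, set())
            if frame.src_mac not in macs:
                if len(macs) >= self.max_macs_per_port:
                    self.err_disabled.add(frame.port)
                    return self._drop(frame, "port-security-violation-shutdown")
                macs.add(frame.src_mac)

        # 2. DHCP snooping: server messages only from trusted ports; client messages
        #    must carry a chaddr equal to the source MAC; ACKs populate the binding
        #    table with the port the client's request was seen on.
        if frame.kind in DHCP_SERVER_MSGS:
            if untrusted:
                return self._drop(frame, "dhcp-server-message-on-untrusted-port")
            client_port = self.pending.get((frame.vlan, frame.mac))
            if frame.kind == "dhcp-ack" and client_port is not None:
                self.bindings[(frame.vlan, frame.ip)] = (frame.mac, client_port)
                del self.pending[(frame.vlan, frame.mac)]
            return "forward"
        if frame.kind in DHCP_CLIENT_MSGS:
            if untrusted and frame.mac != frame.src_mac:
                return self._drop(frame, "dhcp-chaddr-mismatch")
            self.pending[(frame.vlan, frame.mac)] = frame.port
            return "forward"

        # 3. Dynamic ARP inspection: ARP on an untrusted port must match a binding
        #    (same VLAN, IP, MAC and port). ARP on trusted ports is not inspected.
        if frame.kind == "arp" and untrusted:
            if self.bindings.get((frame.vlan, frame.ip)) != (frame.mac, frame.port):
                return self._drop(frame, "dai-invalid-binding")
        return "forward"

    def _drop(self, frame: Frame, reason: str) -> str:
        self.log.append(f"{frame.port} vlan{frame.vlan} {frame.kind} from {frame.src_mac}: {reason}")
        return f"drop:{reason}"


def run_demo():
    """Replay a constructed scenario; returns ([(label, verdict)], switch)."""
    sw = AccessSwitch(trusted_ports=frozenset({"Gi0/24"}))
    client, rogue, server, gateway = ("00:0e:00:aa:aa:aa", "00:0e:00:b b:bb:bb".replace(" ", ""),
                                      "00:0e:00:dd:dd:dd", "00:0e:00:01:01:01")
    frames = [
        ("client discover",       Frame("Fa0/1", 10, client, "dhcp-discover", mac=client)),
        ("server ack on uplink",  Frame("Gi0/24", 10, server, "dhcp-ack", ip="10.1.1.50", mac=client)),
        ("rogue ack on access",   Frame("Fa0/2", 10, rogue, "dhcp-ack", ip="10.1.1.60", mac=client)),
        ("gateway arp on uplink", Frame("Gi0/24", 10, gateway, "arp", ip="10.1.1.1", mac=gateway)),
        ("rogue gratuitous arp",  Frame("Fa0/2", 10, rogue, "arp", ip="10.1.1.1", mac="00:00:00:00:00:01")),
        ("client arp reply",      Frame("Fa0/1", 10, client, "arp", ip="10.1.1.50", mac=client)),
    ]
    # MAC flooding on Fa0/3: the 4th distinct source MAC exceeds the limit of 3.
    frames += [(f"flood mac {i}", Frame("Fa0/3", 10, f"00:0e:00:cc:cc:{i:02x}", "data"))
               for i in range(1, 5)]
    return [(label, sw.process(f)) for label, f in frames], sw


if __name__ == "__main__":
    results, sw = run_demo()
    for label, verdict in results:
        print(f"{label:22} {verdict}")
    print("bindings:", sw.bindings, "err-disabled:", sorted(sw.err_disabled))
```

The binding table is what ties the three features together: port security decides which MACs may talk on a port, DHCP snooping records which IP each of those MACs was legitimately leased and on which port, and DAI refuses any ARP claim on an untrusted port that the table cannot vouch for, which is exactly the gratuitous "I'm your gateway" frame in the slide.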
EASE OF MANAGEMENT
Device Management Made Easy
• Switch Device Manager: basic monitoring and configuration of the switch; graphical device management provides real-time views of the configuration and performance conditions of the switch
• Cisco Network Assistant: an entry-level network management tool optimized for SMB networks; centralized management of Cisco switches, routers and access points
• Smartports: preconfigured macros on a per-port basis; ability to create customized macros
In Closing
Connect the value of the network to enabling the organization; sell solutions, not point products
• Focus on the value of the network, enabling applications, and the benefits of intelligent services
• Focus on reducing complexity
• Leverage Cisco resources, technology innovation and leadership; complete end-to-end product portfolio
• Emphasize ease of adding services over time, with no need for a forklift upgrade
Q AND A