FOUNDATION: NEXT GENERATION ROUTING AND MULTIFUNCTION SWITCHING

CISCO BUSINESS SOLUTIONS WORKSHOP FOR RESELLERS

© 2005 Cisco Systems, Inc. All rights reserved. 10983_04_2004_c1


Agenda

• Technology Trends Shaping the Business World

• Cisco Integrated Services Router Solutions

• Catalyst Intelligent Switching Solutions

• Ease of Management

• Summary

• Question and Answer


Pressure to Maintain and Grow Business

Improve Operational Efficiency

• Solutions to reduce operational expenses and protect assets

• Collaborative tools to improve employee productivity

• Improved total value from network solution

Protect and Increase Top-Line Growth

• Customers are increasingly interested in internet-based services

• Customer service needs to deliver rapid and dependable response

• Your company needs technology agility to keep pace with competition also offering new services

Your Technology Helping You Keep Pace?


Getting the Best Value for Your Infrastructure Investment

THE NETWORK IS THE FOUNDATION—INVEST IN TECHNICAL SOPHISTICATION

• Today’s network deployments are expected to last longer than ever before

Today’s deployments are critical for tomorrow’s success

Enable new application deployments—PoE, 10/100/1000

• Effective investments today provide greater long-term value

Minimize network disruptions

Avoid unnecessary downtime

Leverage investment more effectively


Traditional Business Solution

[Diagram labels. Devices: Branch Access Router; Hybrid/Key System; Content Engine; Firewall, IDS and VPN Appliances; LAN Switch. Functions: Security; Content Delivery; Voice Services; Data; Local Connectivity]


Cisco: Integrated Systems

Integrated Services

Embedded Security

Voice Ready

Video Integration


Applications and User Access

New Demands on Networks—Even in Small Offices

Smallest Companies Planning to Deploy Security Basics, Wireless LAN over Next 12 Months

[Bar chart, axis 0% to 60%. Series: >100 Employees; 100–999 Employees. Categories: Firewall; IDS/IPS; Virus Scanning; Remote Access VPN; Wireless LAN]

Source: Cisco Sponsored Survey; May 2004


VoD – Idle Aire (File title: idleair_final.wmv)


CISCO INTEGRATED SERVICES ROUTERS


Cisco’s New Integrated Services Routers

Secure, Concurrent Services at Wire Speed!

Up to… 5X Service Density, 7X Performance, 4X Memory!

Embedded Security, Tightly Integrated with Voice

Industry-Leading Network Availability and Resilience

Plus Headroom to Grow!

Backward Compatibility with Existing Router Modules for Solid Investment Protection

Integrated Services Routers

1800 Series

2800 Series

3800 Series


WHAT’S NEW IN INTEGRATED ROUTER SECURITY


Cisco Integrated Security on Integrated Services Routers

Merging Best-of-Breed Network Security Technology with Over 20 Years of Routing and IP Services Expertise

Routing Technology Leadership: 20 Years of Routing & IP Services Expertise

Security Technology Leadership: Best-of-Breed Security

[Diagram labels: VPN Concentrator; Cisco Firewall; Cisco IDS Sensors; Cisco IOS VPN; Cisco ISR & Mid Range Routers; An Industry First]

• Network Foundation Protection: Prevent, Protect and Police the network infrastructure from attacks

• Trust and Identity: Leverage the network to intelligently protect Endpoints

• Secure Connectivity: Secure and scalable network Connectivity

• Threat Defense: Prevent and respond to network attacks and threats such as worms

Network Security—Standard on Every New Router for End-to-End Network Protection


Cisco IOS IPS

New Features and Engines—All Inline!

• String Engines enable custom matching of any string in the packet

Customize signatures for quick reaction to new threats

• 400 worm and attack signatures added – nearly 1200 total signatures from which to dynamically select

NEW ATTACK PREVENTION ENGINES

• TCP String

• UDP String

• ICMP String

• Trend Micro


Companies Are Opening Port 80

Attacks Enter Through Web-Enabled Applications

[Diagram: Internet and Internal Users connected through Port 80 (80 – HTTP). Traffic types shown: Web services; Web enabled apps; IM traffic; Rich media; Internet access. Percentages shown: 43%, 43%, 55%, 43%, 98%]

64% of enterprises have opened Port 80 on their firewalls for their growing web application traffic

Source: Aug 2002 InfoWorld/Network Computing survey of IT Professionals

“…75% of successful attacks against Web servers are entering through applications and not at the network level.”

John Pescatore, VP and Research Director, Gartner, June 2002.


Cisco IOS Application Firewall

Get Control of Port 80!

[Diagram: a packet labelled "Payload, Port 80" saying "I am http web traffic… honest!" on its way to the Corporate Office Server Farm]

• Enables application inspection and control of tunneled traffic

Convergence of Cisco IOS® Firewall and Inline IPS technologies

• Control misuse of port 80 by rogue applications—apps that tunnel traffic inside http to avoid scrutiny

Example: Instant messaging and peer-to-peer applications such as Kazaa

Manage bandwidth consumption through usage policies

• Protocol anomaly detection services


USB Ports

Removable Credentials

First Routers in the Industry with USB Ports

• USB ports integrated into all Cisco ISRs

• Initial support for secure token and FLASH memory

Provisioning—secure configuration distribution

Drop-ship router to location

Provision boot-strap into token, send token to location

Plug token into router, turn router on, router loads off bootstrap, router uses configuration on token or downloads configuration

Distribution and storage of VPN credentials (preshared keys and/or certificates)

Leverages etoken technology for highly secure and removable credentials

Bulk flash for image distribution/storage as alternative to compact flash deployment

2 USB Ports on 3800, 2851, 2821, 2811 Models

1 USB Port on 2801, 1841

[Router chassis diagram labels: AIM; VPN; Power + 802.3af; USB; NME; EVM; HWIC; GE]


Easier to Install and Maintain: Cisco Router and Security Device Manager (SDM) v2.1

Featured on 100—7301 Routers

• Cisco SDM Express

Consumer-friendly interface for quick router setup

• SDM on PC

Resellers can manage Cisco routers without SDM image on flash

• Three new IPS signature engines

• PPPoA configuration

xDSL deployments

• Available in six languages (Q2 CY ’05)

“Miercom broadly endorses a slick software tool for configuring and monitoring your Cisco routers. It works, it’s free, and it’s from Cisco.”

ED MIER, MIERCOM

Intuitive, Web-Based Device Management Tool for Cisco Routers


SMALL BUSINESS SERIES (SB 100 SERIES)


Small Business Access Router Portfolio

Cisco Integrated Services Routers

[Chart axes: Office Size; Performance and Services Density]

Series shown: 3800 Series; 2800 Series; 1800 Series; 800 Series; Small Business 100 Series

Positioning statements shown:

• Highest Density and Performance for Concurrent Services

• Embedded, Advanced Voice, Video, Data and Security Services

• High Performance Integrated Security and Data

• Secure Broadband Connectivity

Office sizes shown: Teleworker; Single Site Small Business; Small Remote Offices; Small Branch; Enterprise Branch Office


Small Business 100 (SB100) Series

Broadband Access for Small Business Networks

• Affordable Cisco router for data-only applications in small business offices up to five users

• Secure connectivity with integrated stateful firewall

• DSL/Cable—ADSL, ADSL over ISDN or Ethernet WAN Interface

• Models: SB 101 (100MB Ethernet) SB 106/SB 107 (DSL)

• 4-port 10/100 MB Ethernet switch

• Simple setup and remote management capabilities of Cisco IOS® software

[Photo: Cisco SB106 Shown. Port labels follow]

Stateful Firewall

DSL WAN Port or Ethernet WAN Port: Connects to SP Network or DSL/Cable Modem

ISDN Port (106 Only): ISDN Line for Out-of-Band Management

Console Port/Virtual AUX: Connects to PC or Modem for Configuration

10/100 MB Ethernet Switch


NEW MODELS AND SERVICES IN CISCO INTEGRATED SERVICES ROUTERS


The Right Router for Every Office

Cisco Integrated Services Routers

New Models for Small Offices

[Chart axes: Office Size; Performance and Services Density]

Markets shown: Enterprise; Medium Business; Small Business

Series shown: 3800 Series; 2800 Series; 1800 Series; 800 Series (Modular; Fixed)

Positioning statements shown:

• Highest Density and Performance for Concurrent Services

• Embedded, Advanced Voice, Video, Data and Security Services

• High-Performance Integrated Security and Data

• Secure Broadband and Wireless Connectivity

Office sizes shown: Teleworker; Single-Site Small Business; Small Remote Offices; Small Branch; Enterprise Branch Office


ISR Fixed-Configuration Wireless Routers

Product Comparison

[Chart axes: Price; Value (Feature, Performance)]

Cisco 850 Series

• Broadband Performance

• Stateful inspection firewall & IPSec 3DES/AES VPNs

• 4-port 10/100 switch

• 802.11b/g with single fixed antenna

• Cisco SDM & IOS for set up & management

Cisco 870 Series

• Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC

• 802.11b/g with multiple replaceable antennas

• Advanced QoS features

• Software & Memory Upgrades

• 4-port 10/100 managed switch

• Up to 3 VLANs, external POE

• Cisco SDM & IOS for set up & management

• High Performance

Cisco 1800 Series

• Broadband performance

• Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC

• Integrated ISDN, analog modem, or Ethernet backup port for redundant WAN links and load balancing

• 802.11a and 802.11b/g with multiple replaceable antennas

• 8-port 10/100 managed switch, internal power supply, PoE

• Up to 8 VLANs

• Cisco SDM & IOS for set up & management


KEY SERVICES FOR THE SMALL OFFICE


Key Services—Business-Class Broadband

[Diagram labels, Cisco 1800: 8 Port Switch; DMZ for Servers; WAN 1 and WAN 2 with Load Balancing and Failover; Integrated DSL or External Modem or Metro Ethernet; Integrated POTS/ISDN Back Up and Out of Band Management; Optional—PSTN Backup Network]

[Diagram labels, Cisco 800: 4 Port Switch; DMZ for Servers; External POTS Back Up and Out of Band Management]

[Diagram labels, shared: SP Network; Internet]

Cisco IOS Software for Reliability and Remote Troubleshooting


Integrated Security Services in the Small Office

[Diagram labels: Corporation; Cisco 800/1800 at the Remote Office; IPSec VPN; Internet; SP Network; Antivirus Policy System; N2H2/Websense URL Policy Server]

Deep Packet Inspection Firewall: For Managed Firewall Service

High-Speed Encryption for Managed IPSec or AES VPNs

Inline IPS: Inline Threat Containment - Create Zones of Protection

Cisco SDM Used for Setup and Monitoring of Security Policy

User Authentication with 802.1x

Router enforces Firewall, Antivirus, URL Access Policies at the Small Office


Key Services—Secure Wireless LAN

Enterprise-Class Wireless LANs at the Remote Site

• Single Device for WAN and WLAN Reduces Hardware Cost and Deployment Cost

• WLAN Set Up Simplified with Cisco SDM

• WLAN, WAN, and Local Authentication for a True Enterprise Class Wireless Solution at the Remote Office

• Visibility and Control through the Remote Management Features

[Diagram labels: Cisco 800/1800/2800/3800; 10BaseT/100BaseTX PC Clients; IP Phone; 802.11b IP phones; 802.11 b/g Client or 802.11a*; WAN Link; HQ Router]

*802.11a not supported on Cisco 800


Key Services—Voice for Small Remote Office or Teleworker

[Diagram labels: Cisco 800/1800; IP Phone; Optional Secure Wireless LAN; Broadband Internet; MPLS/Encrypted VPN Tunnel; VPN Headend Router; Corporate Network; Call Manager; Apps; E-Mail; Voice; Video; Wireless]

Centralized management

IT managed security policies

Integrated security and identity services

Advanced application support (voice, video)

Corporate phone, toll-bypass, centralized voicemail

Corporate pushed security policies (not user-managed)


VoD – Idle Aire (File title: IDLE AIRE.wmv)


Integrated Systems Approach

Enabling Growth and Customer/Partner Success

[Diagram labels: INTELLIGENT SWITCHING AND ROUTING; High Availability; Mobility; Self-Defending Network; IP Communications; Availability/Resiliency; Integrated Security; Delivery Optimization; Predictable Performance; Enhanced Manageability]


CATALYST INTELLIGENT SWITCHING PRODUCT UPDATE


The Evolution of the Network

Technology Trends

• Converged networks driving requirements for:

PoE, 10/100/1000 connectivity

Security everywhere

Easier management

• New and growing application deployment with increased unpredictable and time sensitive traffic patterns

• Longer investment protection

Networks are lasting longer than before

[Diagram labels: SECURITY; VOICE; VIDEO; DATA; SAN]


Future Cost Assessment

The Cost of Purchasing Future-Ready Technology Is Lower than Upgrading Later

Cost to Purchase Non-PoE Card Today: $5,500

Cost to Purchase PoE Card Today: $7,500 (36% More)

Cost to Upgrade to PoE Card Tomorrow: $13,000 (170% More)

2x Cost to Upgrade Later

Things to Consider Beyond Purchase Cost:

• Reinstallation and configuration

• Network disruption

• Missed opportunities

• Future trade-in value


A Glimpse into the Future…

The Ethernet Powered Organization

Resilient, Available IP Network with Scalable Power Delivery

[Diagram labels: Wireless Access Points; IP Integrated Video Surveillance; Building Access Control; Fire Protection; Powered IP Telephone]

Power over Ethernet (PoE) Is the Ability to Deliver Regulated -48V DC Power over a Standard Copper Ethernet Cable

Cisco Products Support Both the Pre-Standard Inline Power AND the IEEE 802.3af Standard


LAN Access Trends

Application Ready Desktop Connectivity: 10/100/1000 and PoE

• Strong adoption of 10/100/1000 and PoE

10/100/1000 has already crossed over 10/100 on modular platforms

Cisco has shipped over 25 million PoE ports to date

Widest range of 10/100/1000 and PoE options

• Why 10/100/1000 and PoE

Minimal price premium over non-PoE, 10/100/1000 switches

PCs ship with 10/100/1000 NICs

IP-Tel and increase in new PoE end devices

Longer investment protection

[Diagram labels: Catalyst 6500; Catalyst 4500; Catalyst 3750/3560; GbE; IP Phone; Cross Portfolio 10/100/1000 and PoE (NEW)]


FIXED AND STACKABLE SWITCH UPDATE


Most Complete Line of Fixed Configuration LAN Products in the Industry

[Chart axes: PRICE-PERFORMANCE; FUNCTION, FLEXIBILITY, SCALABILITY. Tiers: Layer 2 Intelligent Services; Full Layer 3 Routing. One product is marked NEW]

Catalyst 2940

• Low-density, standalone, managed 10/100 switching

• Small form factor for deployment outside the wiring closet

• Basic services

Catalyst 2950

• 10/100 wire speed switching

• Fixed uplink and GBIC-based gigabit connectivity

• Basic through advanced intelligent services

Catalyst 2970

• 10/100/1000 wire speed switching

• Advanced intelligent services

Catalyst 3550 and 3560

• 10/100/1000 and GE configurations

• Enterprise-class intelligent Layer 3/4 services

• Power over Ethernet (PoE) configurations

Catalyst 3750

• Stackable GE and 10/100/1000 configurations

• Cisco StackWise™ technology

• Enterprise-class intelligent Layer 3/4 services

• Single mgmt interface with auto configuration

• Power over Ethernet (PoE) configurations

Catalyst 4948

• 10/100/1000 wire speed switching

• Rack-optimized server switching

• Jumbo frame support

• Dual, hot swappable, internal power supplies

• Hot swappable fan tray


Cisco Catalyst 3750 and 3560 Series

Innovative Stacking Sets New Standards for Resiliency and Management

• Enterprise-class services

• Wire-speed switching and routing

• Power over Ethernet support

• Cisco StackWise™ Technology (3750 Series only)

Fault-tolerant, bidirectional 32-Gbps stack interconnection

Automated configuration and management

Single network instance (IP, SNMP, CLI, Spanning-Tree Protocol, VLAN)

Master/secondary architecture with master failover

Cross-Stack EtherChannel®, cross-stack QoS

• Next generation in stackable switching

Optimized for Gigabit Ethernet

IPv6-capable in hardware


CATALYST 4500 SERIES


Catalyst 4500—Evolutionary Architecture

Backward Compatibility

SAME LINE CARDS, Extended Lifecycle

[Timeline: 1998, 2002, 2004, 2007, 2010. Labels shown: Layer2; 10/100/1000; 10-GbE; SSO; PoE; L2/3/4; Development]


Why Buy a Modular Switch?

• Flexibility and Scalability: Broad Range of Options with Headroom for Future Growth

• Ease of Use: Minimize Complexity Resulting in Lower Opex

• Innovative Security: Stronger Protection Against Security Threats that Can Adversely Affect Business

• Reliability/Availability: Maximize Network Uptime and Ease Serviceability

• Investment Protection


INTELLIGENT SECURITY FEATURE


Catalyst Integrated Security

NETWORK SECURITY CHALLENGES

• Loss of Privacy (Packet Sniffing)

• Impersonation (Identity Spoofing)

• Bringing Down the Network

• Data Theft

• Internal and External Attacks

• Denial of Service Attacks

SOLUTION: INTEGRATED SECURITY

• Trust and Identity Management: Authenticate, Authorize, and Audit

• Threat Defense: Control Network/Application Access, Internal Attack Mitigation

• Secure Connectivity: Protect Traffic Across Untrusted Networks


Why Is Trust and Identity Important?

[Diagram labels: Corporate Resources; STOP; Authorized User; Tailgater/Unauthorized User]

• What if…someone “tailgated” into the building?

• What if…they connected to the network?

• What if…they were infected with a virus that could bring down the network?

• What if…they had malicious intent?

• What if…a trusted employee had malicious intent?


First Line of Defense and Segmentation—802.1x

Trust and Identity

How It Works:

• Each person trying to enter the network must receive authorization based on their personal username and password

[Diagram labels: Identity-Based 802.1x Authentication; Valid Credentials (√), Authorized User, Marketing Network; Invalid/No Credentials (√), Guest User, Guest Network, Internet; Finance Network (X)]


Self-Defending Networks: Network Admission Control (NAC) (NEW)

[Diagram labels: Hosts Attempting Network Access (Antivirus Client, Cisco Security Agent, Cisco Trust Agent, IBM Tivoli Client); Cisco Network Access Device (Security Policy Enforcement); Cisco Policy Server (Security Policy Creation, Security Credential Checking); Vendor Application Policy Server (AV Policy Evaluation)]

• Key element of the Cisco Self-Defending Network Initiative

• Enforces access policy based on endpoint security posture

• Focused on limiting damage through quarantine and remediation

• Integration with Symantec, Network Associates, Trend Micro, and IBM


Layer 2 Attacks

Is This Your Weakest Link?

[OSI stack diagram: 7 APPLICATION; 6 PRESENTATION; 5 SESSION; 4 TRANSPORT; 3 NETWORK; 2 DATA LINK; 1 PHYSICAL]

Security Operations Normally Work with Layer 3 and Higher Protocols—Most Are Not Aware of Layer 2 Technology And Terminology…

BUT, The Network Is Only as Strong as the Weakest Link—Compromise Layer 2 and Other Layers Can Be Compromised as Well…


Layer 2 Attacks

There Are Lots of Tools Out There!!!

Page 49: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g


Port Security Protects Against MAC Address Flooding Attacks

Port Security limits the number of devices that can use that port.

Problem: Thief can plug a device onto the wire before the switch port and gain access to the network.

Solution: Only 3 MAC addresses allowed on the port: Shutdown. Thief cannot gain access.

[Diagram labels: MAC addresses 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb]


Page 50: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g


DHCP Snooping

[Diagram labels: DHCP Server; DHCP Client; Rogue Server (Pretends to Be the DHCP Server); switch with DHCP Snooping Enabled; DHCP Request (√); DHCP ACK (X)]

What It Does:

• Switch forwards only DHCP requests from trusted access ports, drops all other types of DHCP traffic

• Allows only designated DHCP ports or uplink ports trusted to relay DHCP messages

• Builds a DHCP binding table containing client IP address, client MAC address, port, VLAN number

Benefit: Eliminates rogue devices from behaving as the DHCP server

Page 51: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g


Dynamic ARP Inspection

[Diagram labels: "My GW Is 10.1.1.1"; IP: 10.1.1.1; MAC: 0000.0000.0001; host 10.1.1.2: "I’m Your GW: 10.1.1.1"; switch: "Not by my Binding Table"; Gratuitous ARP to Change End Device MAC to ARP Tables]

What It Does: Maintains a binding table containing IP and MAC address associations dynamically populated using DHCP Snooping

Benefit: Ensures integrity of user and default gateway information such that traffic cannot be captured
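The DHCP Snooping and Dynamic ARP Inspection slides describe one mechanism in two halves: snooping builds the binding table, and ARP inspection checks ARP senders against it. The following simplified model is an added example, not taken from the deck and not Cisco's implementation; the port names, VLAN 10, MAC addresses and the addresses 10.1.1.3 and 10.1.1.66 are constructed sample values.

```python
# Simplified model (not Cisco's implementation) of DHCP snooping building the
# binding table that Dynamic ARP Inspection then checks ARP senders against.
# Port names, VLAN 10 and all MAC/IP values below are constructed samples.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # message types only a server sends


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # designated DHCP/uplink ports
        self.pending = {}                  # (vlan, client_mac) -> access port
        self.bindings = {}                 # (vlan, ip) -> (client_mac, port)

    def dhcp(self, port, msg, vlan, client_mac, ip=None):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False               # server reply from a non-trusted port
            if msg == "ACK" and (vlan, client_mac) in self.pending:
                # Lease confirmed by the real server: record IP, MAC, port, VLAN.
                client_port = self.pending.pop((vlan, client_mac))
                self.bindings[(vlan, ip)] = (client_mac, client_port)
            return True
        self.pending[(vlan, client_mac)] = port   # client DISCOVER/REQUEST
        return True

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Return True if the ARP packet is forwarded, False if dropped."""
        if port in self.trusted:
            return True                    # simplification: one trust set for both
        # The sender IP/MAC pair must match the lease learned on this very port.
        return self.bindings.get((vlan, sender_ip)) == (sender_mac, port)


def run_scenario():
    sw = Switch(trusted_ports={"Gi0/24"})  # uplink toward the real DHCP server
    user, other = "0000.0000.00aa", "0000.0000.00bb"
    out = {}
    sw.dhcp("Fa0/1", "REQUEST", 10, user)
    out["rogue_ack"] = sw.dhcp("Fa0/2", "ACK", 10, user, ip="10.1.1.66")
    out["server_ack"] = sw.dhcp("Gi0/24", "ACK", 10, user, ip="10.1.1.3")
    sw.dhcp("Fa0/2", "REQUEST", 10, other)
    sw.dhcp("Gi0/24", "ACK", 10, other, ip="10.1.1.2")
    # Host 10.1.1.2 first announces its own address, then claims the gateway's.
    out["own_arp"] = sw.arp("Fa0/2", 10, "10.1.1.2", other)
    out["gateway_claim"] = sw.arp("Fa0/2", 10, "10.1.1.1", other)
    return sw.bindings, out


if __name__ == "__main__":
    print(run_scenario())
```

The binding records the access port as well as the IP and MAC, so a correct IP/MAC pair replayed from a different port is also rejected.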


Page 52: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g

EASE OF MANAGEMENT


Page 53: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g


Device Management – made easy

Switch Device Manager

• Basic monitoring and configuration of the switch

• Graphical device management provides real-time views of the configuration and performance conditions for the switch

Cisco Network Assistant

• Cisco Network Assistant is an entry-level network management tool optimized for SMB networks

• Centralized management of Cisco switches, routers and access points

Smartports

• Preconfigured macros on a per-port basis

• Ability to create customized macros

Page 54: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g


In Closing

Connect the Value of the Network to Enabling the Organization

Sell Solutions, Not Point-Products

• Focus on the value of the network, enabling applications, and the benefits of Intelligent Service

• Focus on reducing complexity

• Leverage Cisco resources, technology innovation and leadership

• Complete end-to-end product portfolio

• Emphasize ease of adding services over time, no need for forklift upgrade

Page 55: FOUNDATION: NEXT GENERATION ROUTING AND … · • Cisco SDM & IOS for set up & management • Stateful inspection firewall, IPSec 3DES or AES VPNs, IPS, Antivirus/NAC • 802.11b/g

Q AND A

