Cisco Catalyst 2960 Series Switches Tdm


  • 5/20/2018 Cisco Catalyst 2960 Series Switches Tdm

    Slide 1/76

    2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential. C97-373923-02

    Cisco Catalyst 2960 Series Switches

    Technical Presentation

    Slide 2/76: Agenda

    Cisco Catalyst Switches Overview
    Cisco Catalyst 2960 Product Overview
    Intelligent Services
    Feature Matrix

    Slide 3/76: Cisco Catalyst Switching Portfolio

    [Figure: positioning chart. Horizontal axis: Number of Employees/Density (Small, Medium-Sized, Large). Vertical axis: Features, Scalability, Longevity.]

    Distribution or Core: Cisco Catalyst 4500, Cisco Catalyst 6500
    Data-Center Access: Blade Switches, Cisco Catalyst 4900, Cisco Catalyst 6500
    Wiring Closet: Cisco Catalyst Express 520 (New), Cisco Catalyst 2960, Cisco Catalyst 3560-E and Catalyst 3560, Cisco Catalyst 3750-E and Catalyst 3750, Cisco Catalyst 4500, Cisco Catalyst 6500

    Slide 4/76: Most Complete Line of Fixed-Configuration LAN Products

    [Figure: product ladder from GUI-Managed through Layer 2 Intelligent Services to Full Layer 3 Routing; axes: Function, Flexibility, Scalability vs. Price-Performance.]

    Cisco Catalyst 4948
    - 10/100/1000 + 2 10GE wire-speed switching
    - Rack-optimized server switching
    - Jumbo frame support
    - Dual, hot-swappable, internal power supplies
    - Hot-swappable fan tray

    Cisco Catalyst 3750-E and Catalyst 3750
    - Stackable 10/100 and GE configurations + 2 10GE
    - Cisco StackWise Plus and StackWise technology
    - Enterprise-class intelligent Layer 3/4 services
    - Modular power supply with 3750-E
    - PoE configurations with up to 15.4W on all 48 ports

    Cisco Catalyst 3560-E and Catalyst 3560
    - 10/100 and GE configurations + 2 10GE
    - Enterprise-class intelligent Layer 3/4 services
    - Modular power supply with 3560-E
    - PoE configurations with up to 15.4W on all 48 ports

    Cisco Catalyst 2960
    - 10/100 and 10/100/1000 Layer 2 switching
    - 8-, 24-, and 48-port configurations with dual-purpose Gig uplinks
    - PoE configurations with up to 15.4W on up to 24 ports
    - Entry-level LAN Lite IOS and enhanced LAN Base IOS for intelligent services

    Cisco Catalyst Express 500
    - Low-density, standalone, managed 10/100 switching
    - Tailored for businesses with up to 250 users

    Slide 5/76: Agenda - Cisco Catalyst 2960 Product Overview

    Slide 6/76: Cisco Catalyst 2960 Series Switches

    Cisco Catalyst 2960 LAN Lite Series
    - Offers Fast Ethernet in 8-, 24- and 48-port configurations for small branch offices and wiring closets
    - Offers standard Layer 2 services with entry-level availability, security, and QoS
    - Scalable and secure network management
    - Offers simplified management and troubleshooting for lower total cost of ownership
    - Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
    - Provides limited lifetime hardware warranty and software updates at no additional charge

    Cisco Catalyst 2960 LAN Base Series
    - Provides Fast Ethernet, Gigabit Ethernet, and Power over Ethernet for entry-level enterprise and mid-market customers
    - Offers enhanced Layer 2+ intelligent LAN services: availability, enhanced security, advanced quality of service (QoS)
    - Offers simplified management and troubleshooting for lower total cost of ownership
    - Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
    - Provides limited lifetime hardware warranty and software updates at no additional charge

    Both series use Cisco ASICs for superior quality and hardware and software integration.

    Slide 7/76: Cisco Catalyst 2960 LAN Base Series Model Overview

    Software: LAN Base image. Enterprise-class intelligent services: advanced QoS, enhanced security, high availability.

    Model                         Ports                      Uplinks
    Cisco Catalyst 2960-24TT-L    24 10/100                  2 10/100/1000
    Cisco Catalyst 2960-24TC-L    24 10/100                  2 dual-purpose
    Cisco Catalyst 2960G-24TC-L   20 10/100/1000             4 dual-purpose
    Cisco Catalyst 2960-24PC-L    24 10/100 PoE              2 dual-purpose
    Cisco Catalyst 2960-24LT-L    24 10/100 (8 PoE ports)    2 10/100/1000
    Cisco Catalyst 2960-48TT-L    48 10/100                  2 10/100/1000
    Cisco Catalyst 2960-48TC-L    48 10/100                  2 dual-purpose
    Cisco Catalyst 2960G-48TC-L   44 10/100/1000             4 dual-purpose
    Cisco Catalyst 2960-8TC-L     8 10/100                   1 dual-purpose (compact form factor, no fan)
    Cisco Catalyst 2960G-8TC-L    7 10/100/1000              1 dual-purpose (compact form factor, no fan)
    Cisco Catalyst 2960PD-8TT-L   8 10/100/1000              1 10/100/1000 PoE input port (compact form factor, no fan)

    Slide 8/76: Cisco Catalyst 2960 LAN Lite Series Model Overview

    Software: LAN Lite image. Entry-level QoS, security, and availability with a focus on ease of use and lower total cost of ownership.

    Note: Cisco Catalyst 2960 switches cannot be upgraded or downgraded between LAN Base and LAN Lite software.

    Model                         Ports         Uplinks
    Cisco Catalyst 2960-48TC-S    48 10/100     2 dual-purpose
    Cisco Catalyst 2960-48TT-S    48 10/100     2 10/100/1000
    Cisco Catalyst 2960-24-S      24 10/100     none listed
    Cisco Catalyst 2960-24TC-S    24 10/100     2 dual-purpose
    Cisco Catalyst 2960-8TC-S     8 10/100      1 dual-purpose (compact form factor, no fan)

    Availability: Sep. 08 (marked on four of the models).

    Slide 9/76: Cisco Catalyst 2960 Power over Ethernet (PoE) Switches

    Benefits
    - Prepare the network for IP telephony and wireless access.
    - Eliminate the need for separate electrical wiring. Protect your investment and avoid a costly upgrade.
    - Cisco pre-standard PoE and IEEE 802.3af are fully supported.
    - Cisco IOS provides intelligent power management with granular control.
    - Wide selection of standards-based IEEE 802.3af-powered devices: IP phones, wireless access points, surveillance cameras, access card readers.

    Slide 10/76: A Glimpse into the Future - The Ethernet-Powered Organization

    [Figure: a resilient, available IP network with scalable power delivery feeding powered IP telephones, wireless access points, building access control, IP integrated video surveillance, and fire protection.]

    Power over Ethernet (PoE) delivers 48V DC power over a standard copper Ethernet cable. The power and network are used by the connected devices for their operation.

    Slide 11/76: Extending the Versatility of Ethernet - The Benefits of Powering Devices with Ethernet

    Power over Ethernet extends the value, simplicity, and flexibility of Ethernet to enable new uses for the network.

    [Figure: benefit wheel - AC-free deployments, mobility and simplicity, safety, operational resiliency, simplified manageability, reduced capex and opex.]

    Source: Cisco 802.3af Power over Ethernet, S.P. Shalita, February 2004, R10b

    Slide 12/76: Cisco Catalyst 2960 Compact Switches

    Meeting unique physical requirements of the office workspace, conference rooms, classrooms, and micro branch offices.

    - Small size (H x W x D): 4.4cm x 27cm x 1623cm
    - Flexible wall and under-the-desk mounting
    - Durable metal shell
    - Cable guard
    - Internal power supply and right-angle power cord
    - Passive cooling (no fan)
    - Magnet included
    - Security locking slot
    - 19-inch rack mount option

    Slide 13/76: Cisco Catalyst 2960 Supported Small Form-Factor Pluggable Modules

    [Figure: SFP module with LC connectors.]

    SFP Transceiver                          LAN Base Switches   LAN Lite Switches
    GLC-LH-SM=                               Yes                 Yes
    GLC-SX-MM=                               Yes                 Yes
    GLC-ZX-SM=                               Yes                 No
    GLC-T=                                   Yes*                Yes
    GLC-BX-D= / GLC-BX-U=                    Yes                 No
    GLC-GE-100FX= / GLC-FE-100FX=            Yes*                Yes
    GLC-FE-100LX=                            Yes                 No
    GLC-FE-100BX-D= / GLC-FE-100BX-U=        Yes                 No
    CWDM SFPs                                Yes                 No

    * GLC-T and GLC-GE-100FX are not supported on the Cisco Catalyst 2960-8TC-S, 2960-8TC-L and 2960G-8TC-L switches. For 100BASE-FX connectivity on the compact switches, use the GLC-FE-100FX instead.

    Slide 14/76: Dual-Purpose Uplink Port Behavior

    - Only one port, either SFP or 10/100/1000 copper, will be active at any time.
    - Users can manually select the media type using the media-type [sfp] or [rj45] interface command, or leave it to auto-select.
    - SFP always gets the preference on switch boot-up or when the interface is enabled (shut/no shut). In all other cases, the media that links up first will be selected as the active media.

    [Figure: SFP and copper connectors of the two dual-purpose uplinks, labelled A, B, C and D.]

    Dual-Purpose Uplink Combination    Validity
    A + B                              No
    A + C                              Yes
    A + D                              Yes
    B + C                              Yes
    B + D                              Yes
    C + D                              No

    Slide 15/76: Redundant Power System 2300

    Benefits
    - Increases network availability.
    - Seamlessly provides backup power to network devices.
    - Modular power supplies and fan for flexibility and increased availability.
    - Management and configuration capabilities allow users to define and implement the failover policy.

    Easier to Use
    - Six RPS connectors; up to two switches are actively backed up.
    - Seamless failover to RPS 2300 when the switch power supply fails.
    - RPS 2300 and switch can have separate AC sources.

    Greater Modularity
    - Uses the same 1150W and 750W power supplies as the Cisco Catalyst 3750-E and 3560-E switches.
    - Replaceable fan module.

    Note: Cisco Catalyst 2960 LAN Lite switches and Cisco Catalyst 2960 compact switches do not have RPS support. Catalyst 2960 PoE switches require CAB-2300-E=, which allows users to manage the RPS via the switch.

    Slide 16/76: Services and Warranty for the Cisco Catalyst 2960 Series

    Limited lifetime hardware warranty
    - Advance Replacement shipping within 10 business days
    - Guest access to Cisco.com
    - Ongoing Cisco IOS Software updates at no additional cost

    Cisco SMARTnet and SMARTnet Onsite Support
    - Around-the-clock, global access to the Cisco Technical Assistance Center (TAC)
    - Access to the extensive Cisco.com knowledge base and tools
    - Next-business-day advance hardware replacement (premium options available for business-critical devices, such as two-hour replacement and onsite parts replacement and installation)

    Cisco Smart Foundation Service (formerly SMB Support Assistant)

    Cisco Foundation Technology Optimization Service

    Slide 17/76: Agenda - Intelligent Services

    Slide 18/76: Cisco Catalyst Intelligent Switching Infrastructure

    Intelligent Switching is a common foundation of capabilities across Cisco Catalyst switches.

    Performance, Availability
    - Wire-speed forwarding
    - No performance effect with all services enabled

    QoS
    - Layer 2, 3, 4 classification
    - Policing and shaping
    - Multiple queues
    - Granular control

    Security
    - Layer 2, 3, 4 access control
    - Identity-based authentication
    - Management security
    - Admission control

    Manageability
    - End-to-end manageability for centralized administration
    - Web-based or command-line interface (CLI)
    - Analysis and planning tools

    Slide 19/76: Intelligence Through More Capable ASICs

    Layer 2 switches are limited to the processing and forwarding of Layer 2 information. Multilayer switches can look deeper into the frame and make intelligent decisions based on Layer 3 or Layer 4 information.

    Examples of why this is useful:
    - Preserve bandwidth by limiting traffic based on a user's IP address.
    - Preserve bandwidth by limiting traffic based on applications that use a constant TCP/UDP port number (web browsing, enterprise resource planning (ERP) applications, etc.).
    - Prevent access to network resources based on a user's IP address.
    - Classify and mark traffic based on Layer 3 QoS (DSCP).

    Cisco innovative ASICs with Cisco IOS software integration enable superior intelligent services that will not bottleneck the network.

    [Figure: frame layout, not to scale]
    Layer 2 info: MAC DA | MAC SA | 802.1Q/1p | Length
    Layer 3 info: IP header info | TOS | IP SA | IP DA
    Layer 4 info: TCP/UDP header
    DATA

    Slide 20/76: Cisco Catalyst Intelligent Switching Infrastructure - Advanced QoS

    (Pillars: Advanced QoS, Security, Availability, Manageability)

    Features
    - Layer 2, 3, 4 traffic classification
    - Shaping, sharing, and policing
    - Granular control
    - Wire-speed performance

    Benefits
    - Manage bandwidth to meet business priorities
    - Maintain performance for time-sensitive applications
    - Better meet defined SLAs
    - Suffer no performance degradation with services enabled

    Slide 21/76: Where Congestion Exists, QoS Is Required

    - Points of aggregation: links and buffers
    - Points of substantial speed mismatch
    - Transmit buffers tend to fill (TCP windowing)
    - Buffering reduces loss but introduces delay

    [Figure: aggregation speed mismatch, 1000 Mbps into 10 Mbps; LAN to WAN, 10 Mbps into 64 kbps.]

    Slide 22/76: Not All Traffic Is Created Equal

                               Voice             Video             Data (Best Effort)   Mission-Critical Data
    Bandwidth                  Low to Moderate   Moderate to High  Moderate to High     Low to Moderate
    Random Drop Sensitivity    Low               Low               High                 High
    Delay Sensitivity          High              High              Low                  Moderate to High
    Jitter Sensitivity         High              High              Low                  Low to Moderate

    Slide 23/76: Cisco Catalyst 2960 Series Extensive QoS Features

    [Figure: per-port QoS pipeline - RX, ingress classify/police/mark, ingress queuing/scheduling and congestion control, four egress queues (Queue 1 to Queue 4), egress queuing/scheduling and congestion control, TX.]

    Advanced Traffic Shaping and Scheduling
    - Four queues per port
    - Shaped Round Robin
    - Strict Priority Queuing

    Admission Control - Prevent Network Congestion
    - Input and output policing per port

    Traffic Classification and Marking for Differentiated Services
    - Per-port or individual/aggregate flow classification and rewriting of MAC address, 802.1p CoS/DSCP, IP address, and TCP/UDP port

    Slide 24/76: Auto QoS

    One command per interface to enable and configure QoS. Modifies global and interface settings to make QoS for VoIP work.

    [Figure: campus with Cisco CallManager, Cisco Unity software, voice applications and voice gateways across the WAN.]

    Slide 25/76: Campus QoS Considerations - Trust Boundary Extension and Operation

    [Figure: PC (PC VLAN = 10) behind an IP phone (Phone VLAN = 110) on a switch port; the trust boundary sits at the phone. Switch: "I see you're an IP phone, so I will trust your CoS." Phone: Voice = 5, Signaling = 3. PC sets CoS to 5 for all traffic.]

    1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone.
    2. Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic.
    3. Phone rewrites CoS from the PC port to 0. All PC traffic is reset to CoS 0.
    4. Switch trusts CoS from the phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0.

    Slide 26/76: Cisco IOS IP SLAs

    [Figure: IP SLA source sends active generated traffic with defined packet size, spacing, CoS and protocol to a destination to measure the network; a Catalyst 2960 acts as responder; results are collected as MIB data on an IP server.]

    Operations: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP, G.711, G.729

    Measurement metrics: Latency, Network Jitter, Distribution of Stats, Connection Loss (Reachability), Packet Loss, Elapsed Time

    Uses: TCP/IP Performance, Service Level Agreements (SLAs), Network Assessment, Health Monitor, VoIP Monitoring, Availability

    Slide 27/76: Cisco Catalyst Intelligent Switching Infrastructure - Security

    (Pillars: Advanced QoS, Security, Availability, Manageability)

    Features
    - Identity-based authentication
    - Wire-speed access control lists
    - Controlled access to system maintenance
    - Integrated security services

    Benefits
    - Authenticate and control access based on user identity
    - Protect critical business assets
    - Prevent downtime
    - Prevent network attacks from within

    Slide 28/76: Cisco Catalyst Switching Integrated Security

    Secure Connectivity
    - SSL
    - SSH
    - SNMPv3

    Threat Defense
    - Man-in-the-middle attack mitigation: Port Security, DHCP Snooping
    - L2-4 ACLs
    - Private VLAN Edge
    - Scavenger-class QoS

    Trust and Identity
    - Cisco Trust Agent
    - Network Admission Control
    - Quarantine VLAN (remediation)
    - Identity-Based Networking (802.1x extensions)
    - Web- and MAC-based authentication

    Slide 29/76: The Need for Admission Control

    - Viruses, worms, spyware, etc. are still the #1 cause of financial loss.*
    - Downtime, recovery, lost productivity, credibility, legal implications.
    - Users are routinely authenticated, but endpoint devices (laptops, PCs, PDAs) are not checked for security policy compliance.
    - Unprotected endpoints spread infection: required security software not installed, disabled, or out of date.
    - Checking for compliance is difficult and expensive.

    "Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." - Burton Group

    * 2005 FBI/CSI Report.

    Slide 30/76: Network Admission Control Options

    Two paths; both take advantage of the Cisco network:
    - NAC Framework: vendor products assess and remediate across an intelligent network.
    - Cisco Clean Access: an easily deployed NAC appliance authenticates, assesses, and remediates.

    [Figure: NAC Framework - Cisco Trust Agent on the host, Cisco network access device, AAA authentication, policy, enforcement, discovery, remediation. NAC Appliance - Clean Access Agent on the host, Cisco network access device, authentication, policy, enforcement, discovery, remediation.]

    http://www.ca.com/
    Slide 31/76: Security - NAC Framework Deployment Options on Fixed-Configuration Switches

                          LAN Port 802.1X                                        Basic LAN Port IP
    Switch Models         Cisco Catalyst 3750, Catalyst 3560, and Catalyst 2960  Cisco Catalyst 3750 and Catalyst 3560
    Credentials           Carries credentials inside EAPoL along with user       Carries credentials inside EAPoUDP, completely
                          authentication                                         independent of any user authentication
    Trigger               Triggered by normal 802.1X exchange                    Triggered by ARP or DHCP traffic from the host
    Enforcement Policy    RADIUS VLAN assignment                                 RADIUS IP downloadable ACLs
    Client Requirements   Requires an enhanced supplicant with Cisco Trust       Can be used with or without Cisco Trust Agent
                          Agent built in                                         (clientless host)

    Slide 32/76: Cisco Catalyst Access Control Lists

    What It Does:
    - Allows or denies access based on the source or destination address.
    - Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information.

    Benefits:
    - Prevents unauthorized access to servers and applications.
    - Allows designated users to access specified servers.
    - Takes advantage of TCAMs, enabling wire-speed performance; forwarding performance is not compromised by ACLs because lookups are done in hardware.
    - Provides the ability to access-control all packets, either internally bridged within a VLAN or routed between VLANs.

    Slide 33/76: Protecting Against Worms

    How It Works:
    The ACL provides a mechanism to protect servers, users, and applications against worms by determining which traffic streams or users can access which ports. Using ACLs, the virus or worm is not able to replicate from its hosts.

    [Figure: ACL filtering traffic to port 1434 on the internal network.]
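    The following Cisco IOS configuration is an added example (not from the presentation) of the worm-containment ACL this slide describes: a named port ACL denies the propagation port named on the slide (1434) and is applied inbound on the user-facing access ports. The ACL name, interface range and the assumption that the switch runs the LAN Base image (port ACLs are not available on LAN Lite) are mine.

```cisco
! --- Named extended ACL (name is an assumption). Only the worm's port is
!     denied; everything else is left untouched. 1434 is the port on the slide;
!     add one deny line per port that incident response identifies.
ip access-list extended BLOCK-WORM-1434
 remark Contain worm propagation on port 1434
 deny   udp any any eq 1434
 deny   tcp any any eq 1434
 permit ip any any

! --- Apply as a port ACL, inbound on the access ports. Port ACLs on the
!     Catalyst 2960 are enforced in hardware (TCAM) and only in the inbound
!     direction, so forwarding performance is unaffected.
interface range FastEthernet0/1 - 24
 ip access-group BLOCK-WORM-1434 in

! --- Verification (exec mode)
! show access-lists BLOCK-WORM-1434
! show running-config interface FastEthernet0/1
```

    Because the ACL is evaluated in hardware, hit counters are not a reliable way to find infected hosts on this platform; use the server-side logs or a monitoring session instead.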

    Slide 34/76: Mitigating Unauthorized Devices - Protecting Against Well-Intentioned Users

    Problem:
    Well-intentioned users place unauthorized network devices on the network, possibly causing instability.

    [Figure: an unauthorized switch sends incorrect STP information toward the authorized switch and enterprise server - network instability.]

    Solution:
    Cisco Catalyst switches support rogue BPDU filtering: BPDU Guard, Root Guard.

    [Figure: with Root Guard and BPDU Guard, the unauthorized switch is isolated; authorized switch, enterprise server, and Cisco Secure ACS remain stable.]

    Slide 35/76: Secure Connectivity

    Secure Shell (SSH) Protocol
    SSH encrypts administration traffic in terminal (Telnet-style) sessions while configuring or troubleshooting switches.

    Secure Sockets Layer (SSL)
    SSL encrypts network management traffic, allowing the secure use of tools such as the Cisco Network Assistant.

    SNMPv3 (with crypto support)
    SNMPv3 provides network security by encrypting administrator traffic during SNMP sessions to configure or troubleshoot switches.

    Kerberos
    Kerberos authenticates users and network services using a trusted third party to perform secure verification.

    Secure Copy
    SCP provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on SSH.

    [Figure: encrypted data between the management station and the switch.]

    Slide 36/76: Securing Layer 2 from Surveillance Attacks - Cutting Off MAC-Based Attacks

    Problem:
    Script-kiddie hacking tools enable attackers to flood switch CAM tables with bogus MAC addresses, turning the VLAN into a hub and eliminating privacy. The switch CAM table limit is a finite number of MAC addresses.

    [Figure: 250,000 bogus MAC addresses per second (e.g. 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb) sent into the switch.]

    Solution:
    Port security limits the MAC flooding attack, locks down the port, and sends an SNMP trap.

    [Figure: only 3 MAC addresses allowed on the port; on violation: shutdown.]

    Interface configuration shown on the slide:

        switchport port-security
        switchport port-security maximum 3
        switchport port-security violation restrict
        switchport port-security aging time 2
        switchport port-security aging type inactivity

    Slide 37/76: Voice (VLAN) Aware Port Security

    - Scenario: IP phone + host on the same switch port.
    - Port security and STP violations are now VLAN/voice aware.
    - Violations for the host only affect the data VLAN: only the affected VLAN is placed in the error-disabled state. The voice VLAN remains unaffected.
    - Improves network availability.

    Slide 38/76: DHCP Spoofing Attack

    Problem:
    - A malicious user pretends to be the network DHCP server, or a misconfigured user starts up a DHCP server incorrectly.
    - The malicious user can send out bogus addresses, deplete the address space, or spoof the default gateway.

    Solution:
    - Do not trust user ports, so that only DHCP requests can be sent from them.
    - Snoop DHCP information for integrity.

    [Figure: the victim sends a DHCP Discovery broadcast; the legitimate DHCP server and a rogue DHCP server on an untrusted user port both answer. Rogue DHCP Offer - IP: 10.1.1.20/24, GW: 10.1.1.1, DNS: 192.168.1.122.]

    Slide 39/76: DHCP Snooping

    [Figure: DHCP snooping enabled. A DHCP client on an untrusted port sends a DHCP Request; the DHCP ACK arriving on the trusted server port is forwarded; the rogue server's reply on an untrusted port is dropped.]

    What It Does:
    The switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic. DHCP snooping allows only designated DHCP ports or uplink ports that are trusted to relay DHCP messages. It builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number.

    Benefit:
    DHCP snooping prevents rogue devices from behaving as the DHCP server.
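    The following Cisco IOS configuration is an added example (not from the presentation) of the DHCP snooping deployment described on this slide and the previous one: the uplink toward the real DHCP server is trusted, user-facing ports stay untrusted and are rate-limited, and the binding table is checked afterwards. The interface names, VLAN 10, the rate-limit value and the database location are assumptions.

```cisco
! --- Global: enable DHCP snooping and scope it to the user VLAN (VLAN 10 assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default. When the switch is not a DHCP relay
! and the server or upstream relay does not accept option 82 from a non-relay,
! client offers are dropped, so turn insertion off in that case.
no ip dhcp snooping information option
! Persist the binding table across reboots (file location is an assumption)
ip dhcp snooping database flash:dhcp-snoop.db

! --- Uplink toward the legitimate DHCP server: the only port on which
!     server-side messages (OFFER/ACK/NAK) are accepted into the switch
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust

! --- User-facing access ports stay untrusted (the default): client
!     DISCOVER/REQUEST is forwarded, any server-side message is dropped.
!     The rate limit (packets per second) protects the CPU from a client flood;
!     exceeding it err-disables the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15

! Let a port that tripped the rate limit recover automatically
errdisable recovery cause dhcp-rate-limit

! --- Verification (exec mode)
! show ip dhcp snooping           -> VLAN 10 enabled, trusted/untrusted ports, rate limits
! show ip dhcp snooping binding   -> MAC, IP, lease, VLAN and interface per client
! A %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT syslog message marks a
! server-type packet dropped on an untrusted port: the signal that a rogue
! DHCP server is active on that port.
```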

    Slide 40/76: Identity-Based Network Services

    What It Does:
    Using the 802.1x standard with Cisco enhancements, the network grants privileges based on user login information, regardless of the user's location or device.

    Benefits:
    - Allows different people to use the same PC and have different capabilities.
    - Ensures that users get only their designated privileges, no matter how they are logged into the network.
    - Reports unauthorized access.

    Slide 41/76: Identity-Based Network Services

    How It Works:
    All users trying to enter the network must receive authorization based on their personal username and password.

    [Figure: client -> accessing switch -> RADIUS server (TACACS+ or RADIUS). Valid username, valid password: Yes, Yes. Invalid username, invalid password: No.]

    - Equivalent to placing a security guard at each switch port. Only authorized users can get network access.
    - Unauthorized users can be locked out or placed into guest VLANs.
    - These services prevent unauthorized or rogue access points.

    Slide 42/76: Standard 802.1x/VLAN Assignment

    - Restricts users to a specified VLAN to limit their network access.
    - Standard 802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to that port. The RADIUS server database maintains the username-to-VLAN mappings.
    - Authentication is similar to the VMPS/VQP function, except that it uses 802.1x/RADIUS as the authentication mechanism.
    - Requires 802.1x clients.

    [Figure: 802.1x switched LAN with a RADIUS server. 1. Switch asks RADIUS: User ok? 2. RADIUS: Authentication ok, assign VLAN3 and ACL14 to Accountant on port5.]

    - Marketing Mgr: is on the Marketing VLAN and cannot access any finance or accounting servers.
    - Accountant: is on the Finance VLAN but can access only the accounting server.
    - Finance Mgr: is on the Finance VLAN and can access all finance and accounting servers.


    Standard 802.1x and Voice VLAN

    When the switch recognizes through Cisco Discovery Protocol that a Cisco phone is attached to the port, voice traffic is allowed onto the auxiliary VLAN without the authentication of the supplicant on the primary VLAN. The non-IP phone supplicant (PC) connected to the port is authenticated through 802.1x and uses the PVID.

    The IP phone has access to the VVID for its voice traffic regardless of the authorized or unauthorized state of the port.

    Diagram: voice traffic allowed through Cisco Discovery Protocol; PC needs to authenticate with 802.1x.


    Web Authentication for Non-802.1x Users

    Diagram: User, HTTP login prompt, Switch, RADIUS Authentication; User Authenticated.

    User starts HTTP or HTTPS connection.

    Switch intercepts and prompts for user login/password. Switch sends user credentials to RADIUS server.

    User is authenticated.

    Proxy ACL is downloaded (mapped to host IP).


    Multi Domain Authentication (MDA)

    Deployment: IP phone (Cisco or 3rd party) + single host behind the phone.

    Enhanced security with independent 802.1x authentication and authorization of IP phone and host.

    Host is placed in data VLAN, and IP phone in voice VLAN, on the same switch port.

    Data VLAN can be downloaded from RADIUS server.

    MAC Auth Bypass: non-802.1x IP phone and host can be authenticated using the MAC address of the device.

    Diagram: Voice Domain and Data Domain on the same switch port.


    The Cisco Advantage with IBNS

    802.1x with Integrated Port Security

    802.1x Wake on LAN

    802.1x with Dynamic VLAN assignment

    802.1x with Guest VLAN

    802.1x with Voice VLAN ID Support

    802.1x with RADIUS assigned ACL

    802.1x MAC Authentication Bypass

    802.1x Auth-Fail-VLAN

    802.1x AAA-Fail-Open

    802.1x MIB and Accounting

    802.1x Web-Based Proxy

    802.1x Readiness Check

    802.1x Multi-Domain Authentication

    Cisco's experience and leadership make 802.1x integrated and deployable through Identity-Based Network Services.
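    As an added example (not code from the Cisco deck), the following Python models how the IBNS features listed above decide what a port gets after one authentication attempt: the RADIUS-assigned VLAN and ACL on success (the Accountant, VLAN3 and ACL14 case from the 802.1x VLAN assignment slide), the auth-fail VLAN on a bad password, MAC Authentication Bypass and the guest VLAN for hosts without a supplicant, and AAA fail open when RADIUS is unreachable. The RADIUS database, user names, passwords, VLAN numbers and ACL names are constructed samples, and the field names are this example's, not IOS commands.

```python
"""Added example, not code from the Cisco deck: a model of how a switch port
ends up in a VLAN under the IBNS features listed above (802.1x dynamic VLAN
and RADIUS-assigned ACL, auth-fail VLAN, guest VLAN, MAC Authentication
Bypass, AAA fail open). Users, passwords, VLAN numbers and ACL names are
constructed samples; the field names are this example's, not IOS commands."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the RADIUS database that keeps the
# username-to-VLAN mappings. MAB entries are keyed by MAC and have no password.
RADIUS_DB = {
    "accountant":        ("acct-pass", 3, "ACL14"),       # Finance VLAN, accounting server only
    "finance-mgr":       ("fin-pass", 3, "ACL-FIN-ALL"),  # Finance VLAN, all finance servers
    "marketing-mgr":     ("mkt-pass", 10, None),          # Marketing VLAN
    "00:11:22:33:44:55": (None, 30, None),                # printer authorized by MAC (MAB)
}


@dataclass
class PortPolicy:
    """Fallback VLANs configured on the port; None means the feature is off."""
    guest_vlan: Optional[int] = None      # hosts that never answer EAPOL
    auth_fail_vlan: Optional[int] = None  # hosts whose 802.1x login failed
    critical_vlan: Optional[int] = None   # used when AAA is unreachable (fail open)
    mab: bool = False                     # try MAC Authentication Bypass


@dataclass
class PortResult:
    vlan: Optional[int]   # None: port stays blocked, the user is locked out
    acl: Optional[str]    # RADIUS-assigned ACL, if any
    reason: str           # what to log; unauthorized access is reported, not hidden


def radius_lookup(username: str, password: Optional[str],
                  reachable: bool = True) -> Tuple[str, Optional[int], Optional[str]]:
    """Return ('accept', vlan, acl), ('reject', None, None) or ('timeout', None, None)."""
    if not reachable:
        return "timeout", None, None
    entry = RADIUS_DB.get(username)
    if entry is None or entry[0] != password:
        return "reject", None, None
    return "accept", entry[1], entry[2]


def authorize_port(policy: PortPolicy, username: Optional[str] = None,
                   password: Optional[str] = None, mac: Optional[str] = None,
                   aaa_up: bool = True) -> PortResult:
    """Decide the VLAN and ACL for one port after one authentication attempt."""
    if username is not None:                     # host has an 802.1x supplicant
        code, vlan, acl = radius_lookup(username, password, aaa_up)
        who = username
    elif policy.mab and mac is not None:         # no EAPOL: authenticate the MAC
        code, vlan, acl = radius_lookup(mac, None, aaa_up)
        who = mac
        if code == "reject":                     # unknown MAC: plain non-802.1x host
            code = "no-supplicant"
    else:
        code, vlan, acl, who = "no-supplicant", None, None, mac or "unknown"

    if code == "accept":
        return PortResult(vlan, acl, f"authorized {who}")
    if code == "timeout":
        if policy.critical_vlan is not None:
            return PortResult(policy.critical_vlan, None, f"AAA fail open for {who}")
        return PortResult(None, None, f"AAA unreachable, {who} blocked")
    if code == "no-supplicant" and policy.guest_vlan is not None:
        return PortResult(policy.guest_vlan, None, f"guest VLAN for {who}")
    if code == "reject" and policy.auth_fail_vlan is not None:
        return PortResult(policy.auth_fail_vlan, None, f"auth-fail VLAN for {who}")
    return PortResult(None, None, f"unauthorized access by {who}")


if __name__ == "__main__":
    policy = PortPolicy(guest_vlan=99, auth_fail_vlan=98, critical_vlan=1, mab=True)
    print(authorize_port(policy, "accountant", "acct-pass"))   # VLAN 3, ACL14
    print(authorize_port(policy, "accountant", "wrong-pass"))  # auth-fail VLAN 98
    print(authorize_port(policy, mac="00:11:22:33:44:55"))     # MAB, VLAN 30
```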


    Cisco Catalyst Intelligent Switching Infrastructure (Advanced QoS, Security, Availability, Manageability): Availability

    Features

    Wire-speed forwarding

    No performance effect with all services enabled

    Load balancing

    Redundancy

    Benefits

    Network remains operable despite failures

    Defined SLAs can be met

    Offers business resiliency

    Reduces maintenance costs


    Wire-Speed Services

    Wire-speed, high-touch services with no performance hit: for example, ACLs, QoS, and Multicast.

    Chart: as the services load rises, hardware services keep forwarding at wire speed, while software-based services suffer packet drops, cache misses, and CPU overload.

    35 Mpps

    512 QoS policies

    1024 security policies

    64 policers

    4 queues per port


    IEEE 802.1s/w

    Standards 802.1s and 802.1w enable a loop-free Layer 2 network.

    Uses as few spanning-tree instances as possible.

    Multiple spanning-tree system allows for larger Layer 2 topologies.

    Rapidly accelerates convergence if a failure occurs.

    The standards save CPU cycles and are interoperable across multiple vendors.

    Cisco implementation enables smooth migration to Multiple Spanning Tree from Per VLAN Spanning Tree Plus (PVST+) while preserving full standards compliance.

    Cisco extended the 802.1s/w standards by automatically running the 802.1w spanning tree when 802.1s is configured.


    FlexLinks L2 Redundancy

    Achieve Layer 2 redundancy without requiring STP (Spanning Tree Protocol).

    Access switches with backup links to distribution switches deployed as a FlexLink pair.

    Fast convergence upon forwarding link failover.

    Sub-100 msec cutover.

    Convergence time independent of number of VLANs and MAC addresses.

    Diagram: Access switches dual-homed to Distribution switches.


    FlexLinks L2 Redundancy

    Diagram: Cisco Catalyst 2960 with an Active Link and a Backup Link to a pair of Cat6K switches.

    1. Primary link down detected (24 msec poll).

    2. Backup link becomes the active link.


    Flexlink Performance Timings (in milliseconds)

    VLANs   MACs   MSTP UpStrm   MSTP DnStrm   Flexlink UpStrm   Flexlink DnStrm
    1       2      144           143           19                31
    32      1280   1033          1231          20                199
    64      2560   1581          1899          45                590
    128     3840   2423          3022          16                633
    1000    6000   7507          8454          46                4820


    Flexlink VLAN Load Balancing

    Diagram: Cisco Catalyst 2960 with two uplinks, gi2/0/8 and gi2/0/6.

    Primary link: carries VLANs 60, 50.

    Backup link: carries VLAN 20.

    Primary link down detected: backup carries VLANs 60, 50, 20.


    Cisco Catalyst 2960 Multicast Support

    IGMP snooping used for managing group membership information

    Per-port broadcast, multicast, and unicast storm control

    Multicast VLAN registration

    Virtual Trunking Protocol pruning

    Diagram: Multicast Servers (Source) and Hosts (Receivers or Groups) on the LAN.


    IPv6 Host and IPv6 MLD Snooping

    IPv6 host support is a key capability allowing the switch to be managed in an IPv6 network.

    Multicast Listener Discovery (MLD) snooping enables efficient and selective distribution of IPv6 multicast data to client VLANs.

    IPv6 Host Features

    Dual v4/v6 stack

    Unicast address types

    Ping/ICMPv6/redirect

    AAAA DNS lookups over v4

    Secure Shell over v6

    Input ACLs, control plane only

    CDP neighbor discovery

    Telnet/DNS/TFTP/Traceroute

    IPv6 Express setup

    TCAM templates

    IPv6 SNMP - New

    IPv6 Syslog - New

    IPv6 HTTP support - New

    IPv6 autoconfiguration - New


    Cisco Catalyst Intelligent Switching Infrastructure (Advanced QoS, Security, Availability, Manageability): Manageability

    Features

    End-to-end manageability using a common set of management tools

    Centralized administration and software upgrades

    Web-based access

    Benefits

    Simplify implementation, troubleshooting, and upgrades

    Reduce operational costs

    Simplify intelligent service implementation

    Reduce maintenance costs


    DHCP Auto Install and Auto Image

    Simplifies deployment of a large number of switches

    Auto installation of configuration and IOS image

    DHCP auto image (New): allows automatic image download

    DHCP-based auto configuration: allows a switch to download a config from TFTP server

    Diagram: New Switch, DHCP Server, TFTP Server; install configuration.


    Integrated Time Domain Reflectometer (TDR)

    Layer 1 troubleshooting tool

    TDR helps to determine:

    The length of a cable

    Whether the cable is correctly wired internally (pin-to-pin wire mapping)

    Whether the cable contains a short circuit (wires touching each other through damaged or missing insulation)

    Whether the cable contains a broken wire (called an open)

    Whether the cable suffers from electrical crosstalk (interference).

    CISCO-CABLE-DIAG-MIB

    Diagram: a cable between two ports with a cable fault.


    UniDirectional Link Detection (UDLD)

    Protecting Against One-Way Communication

    Highly available networks require UDLD to protect against one-way communication or partially failed links and the effect that they could have on protocols like STP and RSTP.

    Primarily used on fiber optic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs.

    Neighboring ports should see their own device/port ID (echo) in the packets received from the other side.

    Failing to receive this information indicates misconfiguration and the port is error-disabled.

    Diagram: two switches asking each other "Are you echoing my hellos?"
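    Added example, not Cisco's UDLD implementation: a small Python model of the echo check described above. Each port sends hellos carrying its own device/port ID plus the IDs it has heard from; a port that receives hellos but never sees its own ID echoed back is treated as one-way and error-disabled. Device and port names and the wiring maps (including the swapped transmit/receive pair) are constructed.

```python
"""Added example, not Cisco's UDLD code: models the echo check on the UDLD
slide. Every port advertises its own device/port ID and the neighbours it has
heard from; a port that hears a neighbour but is never echoed back is one-way
and gets error-disabled. Device/port names and wiring are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class PortId:
    device: str   # constructed stand-in for a switch's device ID, e.g. "A"
    port: str     # e.g. "1"


@dataclass(frozen=True)
class Hello:
    sender: PortId
    echo: FrozenSet[PortId]   # neighbours the sender has already heard from


@dataclass
class UdldPort:
    me: PortId
    heard: Set[PortId] = field(default_factory=set)
    bidirectional: bool = False
    errdisabled: bool = False

    def hello(self) -> Hello:
        # Echo back every neighbour we have received hellos from.
        return Hello(self.me, frozenset(self.heard))

    def receive(self, h: Hello) -> None:
        self.heard.add(h.sender)
        if self.me in h.echo:
            # The neighbour lists us, so it receives what we transmit:
            # the link works in both directions.
            self.bidirectional = True


def run_udld(ports: List[UdldPort], wiring: Dict[PortId, PortId],
             rounds: int = 3) -> List[PortId]:
    """Exchange hellos for a few intervals and return the ports that must be
    error-disabled. `wiring` maps a transmitting port to the port its fibre
    strand actually lands on (one entry per strand; a missing entry is a
    broken strand)."""
    by_id = {p.me: p for p in ports}
    for _ in range(rounds):
        # Build all hellos first so each round echoes the previous round only.
        in_flight = [(wiring.get(p.me), p.hello()) for p in ports]
        for dst, h in in_flight:
            if dst in by_id:
                by_id[dst].receive(h)
    disabled = []
    for p in ports:
        # Hearing a neighbour that never echoes us back means our transmit
        # strand does not reach it: one-way link or swapped Tx/Rx pair.
        # A port that hears nothing has no neighbour to judge by and is
        # left alone here (normal-mode behaviour).
        if p.heard and not p.bidirectional:
            p.errdisabled = True
            disabled.append(p.me)
    return disabled


if __name__ == "__main__":
    A1, A2, B1, B2 = (PortId("A", "1"), PortId("A", "2"),
                      PortId("B", "1"), PortId("B", "2"))
    # Patch-panel mistake: A1 transmits to B1, but B1 transmits to A2, and so on.
    swapped = {A1: B1, B1: A2, A2: B2, B2: A1}
    print(run_udld([UdldPort(A1), UdldPort(A2), UdldPort(B1), UdldPort(B2)], swapped))
```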


    Cisco Error Disable MIB

    Error disable allows software features to disable a port or VLAN upon detecting abnormal conditions.

    Provides the ability to configure and monitor error disable conditions proactively.

    Examples

    Port security violations on a VLAN disable the VLAN.

    Storm control disables the port when the broadcast threshold is exceeded.

    CISCO-ERR-DISABLE MIB

    Provides the reason for port/VLAN error disable condition.

    Automatic recovery time interval can be set; after this time, re-enables port or VLAN.

    Generates notification when error disable occurs (rate can be specified).


    LLDP-MED

    Superset of LLDP (IEEE 802.3ab Link Layer Discovery)

    When do we need LLDP-MED?

    For interoperability between Cisco Catalyst switches and third-party IP phones for VLAN and power exchange.

    CDP provides Cisco end-to-end value add (granular power negotiation and many other capabilities).

    LLDP-MED supports L2 neighbor discovery for IP phones.

    Allows exchange of VLAN and power (MED doesn't provide power negotiation).

    LLDP-MED Location

    Location is configured on the switch.

    Switch sends location to the IP phone using LLDP-MED.

    Enables location-based services.


    Broadest Range of Network Management Products

    Chart: Function and Flexibility versus Price-Performance, spanning Small and Medium Business, Enterprise, and Service Provider; the entry level is labeled Free.

    Catalyst Device Manager: one switch, initial setup only.

    Cisco Network Assistant: up to 40 switches and routers.

    CiscoWorks LAN Management Solution (LMS): thousands of devices, service management, WANs and LANs.

    WAN Manager: tens of thousands of devices, service provisioning, global WANs, Cisco IGX, BPX, and MGX switches only.

    *Small Network Management Solution (SNMS)


    CiscoWorks LAN Management Solution (LMS)

    Simplifies and automates tasks associated with day-to-day management: taking inventory, configuration, IOS software deployment, and troubleshooting.

    Breadth of device support (over 400 Cisco device types) provides a single application suite for managing most Cisco-labeled devices.

    Provides detailed visibility of users, ports, and network connectivity: topology services, user tracking, inventory.

    Automates the change management process, quickly identifying hardware, software, and configuration changes: change audit reports.

    LMS is a suite of applications designed to simplify and augment the daily tasks required to manage a Cisco end-to-end network, reducing total cost of ownership and improving network availability.


    Management Interfaces

    Cisco Network Assistant: manages a 40-device SMB network (router, switch, IP phone, wireless); Web-based Java.

    Cisco Catalyst Device Manager: manages a single device; Web-based HTML.


    Express Setup

    1. Power up the switch and hold the mode button for a few seconds until all the mode LEDs are green.

    2. Connect the PC into the Ethernet port and launch the browser.

    3. Launch the Express Setup page by entering the IP address of 10.0.0.1 in the browser.

    4. Assign the switch IP address and management VLAN; enable the secret password, (optional) Telnet password, and SNMP configuration.


    Cisco Catalyst Device Manager

    Embedded in the switch.

    View and configure a single switch using a Web browser.

    Display switch trends, status, and port statistics.

    Integrated Smart Ports for simple port configuration.


    Cisco Network Assistant

    Release 5.4

    Multi-product, multi-technology management tool

    Supports up to 40 devices: switches, routers, and firewalls, and unlimited IP phones and access points

    Interactive topology and front panel views

    Configuration, monitoring, troubleshooting, & network optimization

    Highlight your VLANs, Telnet to devices, drag-n-drop IOS upgrades

    Localized in French, Italian, German, Spanish, Chinese, and Japanese

    Free download: www.cisco.com/go/cna

    700K+ Downloads


    The Business Relevance of Cisco Smartports

    Benefits

    Simplified feature deployment

    Less chance of errors

    Deployment consistency across the network

    Greater value from the intelligent network through increased feature usage

    What It Does

    Preconfigured macros enable fast and easy configuration of advanced Cisco Catalyst intelligent capabilities

    Quickly enables QoS, security, and availability features with a single command

    Offers granular flexibility on a per-port basis

    Provides ability to create customized macros

    Cisco Smartports allows for simple and accurate deployment of high-value, network-optimizing intelligent features.

    Diagram: switches connecting to the Internet and Intranet.


    Cisco Smartports Transition

    From This (manual configuration):

    Global Commands

        errdisable recovery cause link-flap
        errdisable recovery cause udld
        errdisable recovery interval 60
        vtp domain [smartports]
        vtp mode transparent
        udld aggressive
        spanning-tree mode rapid-pvst
        spanning-tree loopguard default
        spanning-tree extend system-id

    Interface Commands

        default interface range FastEthernet[1]/0/[1-48]
        interface range FastEthernet[1]/0/[1-48]
         switchport access vlan [data]
         switchport mode access
         switchport voice vlan [voice]
         switchport port-security
         switchport port-security maximum 3
         switchport port-security violation restrict
         switchport port-security aging time 2
         switchport port-security aging type inactivity
         auto qos voip cisco-phone
         spanning-tree portfast
         spanning-tree bpduguard enable

    To This: a single Smartports command.


    Agenda

    Cisco Catalyst Switches Overview

    Cisco Catalyst 2960 Product Overview

    Intelligent Services

    Feature Matrix


    Cisco Catalyst 2960 Software Feature Matrix

    For more detailed information, please read the Cisco Catalyst 2960 LAN Base and Cisco Catalyst 2960 LAN Lite datasheets.

    Feature                          Cisco Catalyst 2960 LAN Lite   Cisco Catalyst 2960 LAN Base
    Flash/DRAM                       32 / 64 MB                     32 / 64 MB
    RPS Support                      No                             Yes
    Jumbo Frames                     Yes                            Yes
    VLANs                            64                             255
    Disable MAC Learning per VLAN    No                             Yes
    Voice VLAN                       Yes                            Yes
    VTPv2                            Yes                            Yes
    CDPv2                            Yes                            Yes
    LLDP                             Yes                            Yes (+MED)
    STP Instances                    64                             128
    802.1w/802.1s                    Yes                            Yes
    PVST/PVRST+                      Yes                            Yes
    Port Fast/Uplink Fast            Yes                            Yes
    802.3ad LACP                     Yes                            Yes
    Enhanced PAgP for VSS            No                             Yes
    Flex Link                        No                             Yes
    Link State Tracking              No                             Yes


    Quality of Service

    Feature                          Cisco Catalyst 2960 LAN Lite   Cisco Catalyst 2960 LAN Base
    Port CoS Trust/Override          Yes                            Yes
    Trusted Boundary                 No                             Yes
    ACL Classification               No                             Yes
    Ingress Policing (1MB incr.)     No                             Yes
    Auto QoS                         No                             Yes
    802.1p Queues                    4                              4
    Shaped Round Robin Scheduling    Yes                            Yes
    Priority Queuing                 Yes                            Yes
    Configure CoS Priority Queues    Yes                            Yes
    Configure Queue Weights          No                             Yes
    Configure Buffers/Thresholds     No                             Yes
    Class & Policy Maps              No                             Yes
    Modify CoS/DSCP Mapping          No                             Yes
    DSCP Transparency                Yes                            Yes
    Weighted Tail Drop               Yes                            Yes


    Security

    Feature                              Cisco Catalyst 2960 LAN Lite   Cisco Catalyst 2960 LAN Base
    SSH/SSL/SCP                          Yes                            Yes
    RADIUS/TACACS+                       Yes                            Yes
    SNMPv3 crypto                        Yes                            Yes
    802.1x                               Yes                            Yes
    802.1x Accounting/MIB                Yes                            Yes
    802.1x w/ Port Security              Yes                            Yes
    802.1x w/ Voice VLAN                 Yes                            Yes
    802.1x Readiness Check               No                             Yes
    802.1x Guest VLAN                    Yes                            Yes
    802.1x VLAN assignment               Yes                            Yes
    802.1x Auth-Fail VLAN                No                             Yes
    802.1x AAA Fail Open                 No                             Yes
    802.1x Wake-On-LAN                   No                             Yes
    802.1x RADIUS ACL Filter ID          No                             Yes
    802.1x Multi-Domain Authentication   No                             Yes
    802.1x MAC-Auth Bypass               Yes                            Yes
    Web-Authentication                   No                             Yes


    Security, Multicast, IPv6

    Feature                                   Cisco Catalyst 2960 LAN Lite   Cisco Catalyst 2960 LAN Base
    Cisco NAC-NAD-MIB                         No                             Yes
    Cisco-PAE-MIB                             No                             Yes
    L2-4 ACLs (Port, Time, and DSCP-based)    No                             Yes
    BPDU/Root Guard                           Yes (voice aware)              Yes (voice aware)
    Port Security                             Yes (voice aware)              Yes (voice aware)
    DHCP Snooping                             No                             Yes
    DHCP Option 82                            No                             Yes
    DHCP Server                               No                             Yes
    Private VLAN Edge                         Yes                            Yes
    Storm Control                             Yes                            Yes
    Block Unknown Unicast/Multicast           Yes                            Yes
    IPv6 Host (SNMP, Syslog, HTTP,
      Autoconfiguration, Telnet, etc.)        No                             Yes
    IPv6 MLD Snooping                         No                             Yes
    MVR                                       No                             Yes
    IGMP Snooping                             Yes                            Yes
    IGMP Filter/Throttle                      Yes                            Yes


    Management and Troubleshooting

    Feature                       Cisco Catalyst 2960 LAN Lite   Cisco Catalyst 2960 LAN Base
    Auto-MDIX                     Yes                            Yes
    TDR                           Yes                            Yes
    UDLD                          Yes                            Yes
    IP SLA Responder              No                             Yes
    Layer 2/IP Traceroute         Yes                            Yes
    SPAN (number of sessions)     Yes (1)                        Yes (2)
    RSPAN                         No                             Yes
    Express Setup                 Yes                            Yes
    Device Manager                Yes                            Yes
    Cisco Network Assistant       Yes                            Yes
    Smartports + Adviser          Yes                            Yes
    Troubleshooting Adviser       Yes                            Yes
    Drag-and-drop IOS Upgrade     Yes                            Yes
    IP Address DHCP               Yes                            Yes
    Config Replace                Yes                            Yes
    DHCP Auto Config - New        Yes                            Yes
    DHCP Auto Image Upgrade       Yes                            Yes
    Error Disable MIB             Yes                            Yes
