5/20/2018 Cisco Catalyst 2960 Series Switches Tdm
1/76
2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential C97-373923-02
Cisco Catalyst 2960 Series Switches
Technical Presentation
Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix
Cisco Catalyst Switching Portfolio
[Figure: portfolio chart plotting Number of Employees/Density (Small, Medium-Sized, Large) against Features, Scalability, Longevity. Segments: Wiring Closet, Data-Center Access, Distribution or Core. Products shown: Cisco Catalyst Express 520 (marked New), Catalyst 2960, Catalyst 3560-E and Catalyst 3560, Catalyst 3750-E and Catalyst 3750, Catalyst 4500, Catalyst 4900, Catalyst 6500, Blade Switches.]
Most Complete Line of Fixed Configuration LAN Products
[Chart: Function, Flexibility, Scalability against Price-Performance; tiers: GUI-Managed, Layer 2 Intelligent Services, Full Layer 3 Routing]
Cisco Catalyst 3560-E and Catalyst 3560
10/100 and GE configurations + 2 10GE
Enterprise-class intelligent Layer 3/4 services
Modular power supply with 3560-E
PoE configurations with up to 15.4W on all 48 ports
Cisco Catalyst 2960
10/100 and 10/100/1000 Layer 2 switching
8-, 24-, and 48-port configurations with dual-purpose Gig uplinks
PoE configurations with up to 15.4W up to 24 ports
Entry level LAN Lite IOS and enhanced LAN Base IOS for intelligent services
Cisco Catalyst 3750-E and Catalyst 3750
Stackable 10/100 and GE configurations + 2 10GE
Cisco StackWise Plus and StackWise technology
Enterprise-class intelligent Layer 3/4 services
Modular power supply with 3750-E
PoE configurations with up to 15.4W on all 48 ports
Cisco Catalyst 4948
10/100/1000 + 2 10GE wire-speed switching
Rack-optimized server switching
Jumbo frame support
Dual, hot swappable, internal power supplies
Hot swappable fan tray
Cisco Catalyst Express 500
Low-density, standalone, managed 10/100 switching
Tailored for businesses with up to 250 users
Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix
Cisco Catalyst 2960 Series Switches
Cisco Catalyst 2960 LAN Lite Series
Offers Fast Ethernet in 8-, 24- and 48-port configurations for small branch offices and wiring closets
Offers standard Layer 2 services with entry-level availability, security, and QoS
Scalable and secure network management
Offers simplified management and troubleshooting for lower total cost of ownership
Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
Provides limited lifetime hardware warranty and software updates at no additional charge
Cisco Catalyst 2960 LAN Base Series
Provides Fast Ethernet, Gigabit Ethernet, and Power over Ethernet for entry-level enterprise and mid-market customers
Offers enhanced Layer 2+ intelligent LAN services:
Availability
Enhanced security
Advanced quality of service (QoS)
Offers simplified management and troubleshooting for lower total cost of ownership
Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
Provides limited lifetime hardware warranty and software updates at no additional charge
Uses Cisco ASICs for superior quality and hardware and software integration
Cisco Catalyst 2960 LAN Base Series
Model Overview
Software: LAN Base Image
Enterprise-class intelligent services: Advanced QoS, enhanced security, high availability
Cisco Catalyst 2960-24TT-L
24 10/100 ports
2 10/100/1000 uplink ports
Cisco Catalyst 2960-24TC-L
24 10/100 ports
2 dual-purpose uplink ports
Cisco Catalyst 2960G-24TC-L
20 10/100/1000 ports
4 dual-purpose uplink ports
Cisco Catalyst 2960-24PC-L
24 10/100 PoE ports
2 dual-purpose uplink ports
Cisco Catalyst 2960-48TT-L
48 10/100 ports
2 10/100/1000 uplink ports
Cisco Catalyst 2960-48TC-L
48 10/100 ports
2 dual-purpose uplink ports
Cisco Catalyst 2960G-48TC-L
44 10/100/1000 ports
4 dual-purpose uplink ports
Cisco Catalyst 2960-24LT-L
24 10/100 ports (8 PoE ports)
2 10/100/1000 uplink ports
Cisco Catalyst 2960-8TC-L
8 10/100 ports
1 dual-purpose uplink port
Compact form-factor with no fan
Cisco Catalyst 2960G-8TC-L
7 10/100/1000 ports
1 dual-purpose uplink port
Compact form-factor with no fan
Cisco Catalyst 2960PD-8TT-L
8 10/100/1000 ports
1 10/100/1000 PoE Input port
Compact form-factor with no fan
Cisco Catalyst 2960 LAN Lite Series
Model Overview
Software: LAN Lite Image
Entry level QoS, security, and availability with a focus on ease-of-use and lower total cost of ownership
Note: Cisco Catalyst 2960 Switches Cannot Be Upgraded or Downgraded Between LAN Base and LAN Lite Software.
Cisco Catalyst 2960-48TC-S
48 10/100 ports
2 dual-purpose uplink ports
Cisco Catalyst 2960-48TT-S
48 10/100 ports
2 10/100/1000 uplink ports
Cisco Catalyst 2960-24-S
24 10/100 ports
Cisco Catalyst 2960-24TC-S
24 10/100 ports
2 dual-purpose uplink ports
Cisco Catalyst 2960-8TC-S
8 10/100 ports
1 dual-purpose uplink port
Compact form-factor with no fan
[Slide label "Sep. 08" appears four times]
Cisco Catalyst 2960 Power over Ethernet (PoE) Switches
Benefits
Prepare the network for IP telephony and wireless access.
Eliminate the need for separate electrical wiring.
Protect your investment and avoid a costly upgrade.
Cisco pre-standard PoE and 802.3af are fully supported.
Cisco IOS provides intelligent power management with granular control.
Wide selection of standards-based IEEE 802.3af-powered devices:
IP phones
Wireless access points
Surveillance cameras
Access card readers
A Glimpse into the Future
The Ethernet-Powered Organization
Power over Ethernet (PoE) Delivers 48V DC Power over a Standard Copper Ethernet Cable
The Power and Network Is Used by the Connected Devices for Their Operation
[Figure: Resilient, Available IP Network with Scalable Power Delivery, connected to Building Access Control, IP Integrated Video Surveillance, Fire Protection, Powered IP Telephone, and Wireless Access Points.]
Extending the Versatility of Ethernet
The Benefits of Powering Devices with Ethernet
Power over Ethernet extends the value, simplicity, and flexibility of Ethernet to enable new uses for the network.
AC-Free Deployments
Mobility and Simplicity
Safety
Operational Resiliency
Simplified Manageability
Reduced Capex and Opex
Cisco 802.3af Power over Ethernet S.P. Shalita February, 2004 R10b
Cisco Catalyst 2960 Compact Switches
Meeting unique physical requirements of the office workspace, conference rooms, classrooms, and micro branch offices
Small size (H x W x D) 4.4cm x 27cm x 1623cm
Flexible wall and under-the-desk mounting
Durable metal shell
Cable guard
Internal power supply and right-angle power cord
Passive cooling (no fan)
Magnet included
Security locking slot
19-inch rack mount option
Cisco Catalyst 2960 Supported Small Form Factor Pluggable Modules
[Figure: SFP module with LC connectors.]
SFP Transceiver | Cisco Catalyst 2960 LAN Base Switches | Cisco Catalyst 2960 LAN Lite Switches
GLC-LH-SM= | Yes | Yes
GLC-SX-MM= | Yes | Yes
GLC-ZX-SM= | Yes | No
GLC-T= | Yes* | Yes
GLC-BX-D=, GLC-BX-U= | Yes | No
GLC-GE-100FX=, GLC-FE-100FX= | Yes* | Yes
GLC-FE-100LX= | Yes | No
GLC-FE-100BX-D=, GLC-FE-100BX-U= | Yes | No
CWDM SFPs | Yes | No
GLC-T and GLC-GE-100FX are not supported on the Cisco Catalyst 2960-8TC-S, 2960-8TC-L and 2960G-8TC-L switches. For 100BASE-FX connectivity, use the GLC-FE-100FX instead for compact switches.
Dual-Purpose Uplink Port Behavior
Only one port, either SFP or 10/100/1000 copper, will be active at any time.
Users can manually select the media type using the media-type [sfp] or [rj45] interface command or leave it to auto-select.
SFP always gets the preference on switch boot-up or when the interface is enabled (shut/no shut). In all other cases, the media that links up first will be selected as active media.
Dual-Purpose Uplink Combination Validity
A B | No
A C | Yes
A D | Yes
B C | Yes
B D | Yes
C D | No
[Figure: dual-purpose uplink connectors labeled A, B, C and D, SFP and copper.]
Redundant Power System 2300
Benefits
Increases network availability.
Seamlessly provides backup power to network devices.
Modular power supplies and fan for flexibility and increased availability.
Management and configuration capabilities allow users to define and implement the failover policy.
Easier to Use
Six RPS connectors; up to two switches are actively backed up.
Seamless failover to RPS 2300 when switch power supply fails.
RPS 2300 and switch can have separate AC sources.
Greater Modularity
Uses the same 1150W and 750W power supplies as the Cisco Catalyst 3750E and 3560E switches.
Replaceable fan module.
Note: Cisco Catalyst 2960 LAN Lite Switches and Cisco Catalyst 2960 Compact Switches do not have RPS support. Catalyst 2960 PoE switches require CAB-2300-E=, which allows users to manage RPS via the switch.
Services and Warranty for the Cisco Catalyst 2960 Series
Limited lifetime hardware warranty
Advance Replacement shipping within 10 business days
Guest access to Cisco.com
Ongoing Cisco IOS Software updates at no additional cost
Cisco SMARTnet and SMARTnet Onsite Support
Around-the-clock, global access to the Cisco Technical Assistance Center (TAC)
Access to the extensive Cisco.com knowledgebase and tools
Next-business-day advance hardware replacement (premium options available for business-critical devices, such as two-hour replacement and onsite parts replacement and installation)
Cisco Smart Foundation Service (formerly SMB Support Assistant)
Cisco Foundation Technology Optimization Service
Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix
Cisco Catalyst Intelligent Switching Infrastructure
Intelligent Switching is a Common Foundation of Capabilities Across Cisco Catalyst Switches
Performance, Availability
Wire-speed forwarding
No performance effect with all services enabled
QoS
Layer 2, 3, 4 classification
Policing and shaping
Multiple queues
Granular control
Security
Layer 2, 3, 4 access control
Identity-based authentication
Management security
Admission control
Manageability
End-to-end manageability for centralized administration
Web-based or command-line interface (CLI)
Analysis and planning tools
Intelligence Through More Capable ASICs
Layer 2 switches are limited to the processing and forwarding of Layer 2 information.
Multilayer switches can look deeper into the frame => intelligent decisions based on Layer 3 or Layer 4 information.
Examples of why this scenario is useful:
Preserve bandwidth by limiting traffic based on a user's IP address.
Preserve bandwidth by limiting traffic based on applications using a constant TCP/UDP port number: Web browsing, enterprise resource planning (ERP) applications, etc.
Prevent access to network resources based on user's IP address.
Classify and mark traffic based on Layer 3 QoS (DSCP).
Cisco innovative ASICs with Cisco IOS software integration enable superior intelligent services that will not bottleneck the network.
[Figure: frame layout, not to scale. Layer 2 Info: MAC DA, MAC SA, Length, 802.1Q/1p. Layer 3 Info: IP Header Info, TOS, IP SA, IP DA. Layer 4 Info: TCP/UDP Header. Followed by DATA.]
Advanced QoS
Security
Availability
Manageability
Features
Layer 2, 3, 4 traffic classification
Shaping, sharing, and policing
Granular control
Wire-speed performance
Benefits
Manage bandwidth to meet business priorities
Maintain performance for time-sensitive applications
Better meet defined SLAs
Suffer no performance degradation with services enabled
Cisco Catalyst Intelligent Switching Infrastructure
Where Congestion Exists, QoS Is Required
Points of aggregation
Links and buffers
Points of substantial speed mismatch
Transmit buffers tend to fill (TCP windowing)
Buffering reduces loss, introduces delay
[Figure: three congestion points. Aggregation; Speed Mismatch (10 Mbps and 1000 Mbps); LAN to WAN (10 Mbps and 64 kbps).]
Not All Traffic Is Created Equal
 | Voice | Video | Data (Best Effort) | Mission-Critical Data
Bandwidth | Low to Moderate | Moderate to High | Moderate to High | Low to Moderate
Random Drop Sensitivity | Low | Low | High | High
Delay Sensitivity | High | High | Low | Moderate to High
Jitter Sensitivity | High | High | Low | Low to Moderate
Cisco Catalyst 2960 Series Extensive QoS Features
Advanced Traffic Shaping and Scheduling
Four Queues per Port
Shaped Round Robin
Strict Priority Queuing
Admission Control
Prevent Network Congestion
Input and Output Policing per Port
Traffic Classification and Marking for Differentiated Services
Per-Port or Individual/Aggregate Flow Classification and Rewriting of MAC Address, 802.1p CoS/DSCP, IP Address, and TCP/UDP Port
[Figure: QoS pipeline from RX to TX. Ingress: Classify, Police, Mark, Ingress Queuing/Scheduling and Congestion Control. Egress: Queuing/Scheduling and Congestion Control across Queue 1 to Queue 4.]
Auto QoS
One Command per Interface to Enable and Configure QoS.
Modify Global and Interface Settings to Make QoS for VoIP Work.
[Figure: WAN, Cisco CallManager, Cisco Unity Software, Voice Applications, Voice Gateways.]
Campus QoS Considerations
Trust Boundary Extension and Operation
1 Switch and Phone Exchange CDP; Trust Boundary Is Extended to IP Phone
2 Phone Sets CoS to 5 for VoIP and to 3 for Call-Signaling Traffic
3 Phone Rewrites CoS from PC Port to 0
4 Switch Trusts CoS from Phone and Maps CoS to DSCP for Output Queuing
All PC Traffic Is Reset to CoS 0
CoS 5 = DSCP 46
CoS 3 = DSCP 24
CoS 0 = DSCP 0
[Figure: TRUST BOUNDARY between switch, IP phone and PC. Phone VLAN = 110, PC VLAN = 10. Callouts: (1) "I See You're an IP Phone, So I Will Trust Your CoS"; (2) Voice = 5, Signaling = 3; (3) PC Sets CoS to 5 for All Traffic; (4).]
Cisco IOS IP SLAs
[Figure: Cisco IOS IP SLAs overview. Uses: TCP/IP Performance, Service Level Agreements (SLAs), Network Assessment, Health Monitor, VoIP Monitoring, Availability. Measurement Metrics: Latency, Network Jitter, Dist. of Stats, Connection Loss (Reachability), Packet Loss, Elapsed Time. Operations: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP, G711, G729. An IP SLA Source sends Active Generated Traffic to Measure the Network, with Defined Packet Size, Spacing, COS, and Protocol, to a Destination (IP Server or Catalyst 2960 Responder); results available as MIB Data.]
Advanced QoS
Security
Availability
Manageability
Features
Identity-based authentication
Wire-speed access control lists
Controlled access to system maintenance
Integrated security services
Benefits
Authenticate and control access based on user identity
Protect critical business assets
Prevent downtime
Prevent network attacks from within
Cisco Catalyst Intelligent Switching Infrastructure
Cisco Catalyst Switching Integrated Security
[Figure: integrated security features grouped under Secure Connectivity, Threat Defense, and Trust and Identity. Labels shown: SSL; SSH; SNMPv3; Man-in-Middle Attack Mitigation: Port Security, DHCP Snooping; L2-4 ACLs; Private VLAN Edge; Scavenger-Class QoS; Identity-Based Networking (802.1x extensions); Web- and MAC-Based Authentication; Cisco Trust Agent; Network Admission Control; Quarantine VLAN (Remediation).]
The Need for Admission Control
Viruses, worms, spyware, etc. still #1 cause of financial loss.*
Downtime, recovery, lost productivity, credibility, legal implications.
Users routinely authenticated, but...
Endpoint devices (laptops, PCs, PDAs) are not checked for security policy compliance.
Unprotected endpoints spread infection.
Required security software not installed, disabled, or out of date
Checking for compliance is difficult and expensive.
Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.
Burton Group
*2005 FBI/CSI Report.
Network Admission Control Options
Two Paths: Both Take Advantage of Cisco Network
NAC Framework: Vendor products assess and remediate across an intelligent network.
Cisco Clean Access: Easily deployed NAC appliance authenticates, assesses, and remediates.
[Figure: two paths through a Cisco Network Access Device. NAC Framework: Cisco Trust Agent, AAA; Discovery, Enforcement, Authentication, Policy, Remediation. NAC Appliance: Clean Access Agent; Discovery, Enforcement, Authentication, Policy, Remediation.]
Security: NAC Framework Deployment Options on Fixed-Configuration Switches
 | LAN Port 802.1X Basic | LAN Port IP
Switch Models | Cisco Catalyst 3750, Catalyst 3560, and Catalyst 2960 | Cisco Catalyst 3750 and Catalyst 3560
Credentials | Carries credentials inside EAPoL along with user authentication | Carries credentials inside EAPoUDP, completely independent of any user authentication
Trigger | Triggered by normal 802.1X exchange | Triggered by ARP or DHCP traffic from the host
Enforcement Policy | RADIUS VLAN assignment | RADIUS IP downloadable ACLs
Client Requirements | Requires an enhanced supplicant with Cisco Trust Agent built in | Can be used with or without Cisco Trust Agent (clientless host)
Cisco Catalyst Access Control Lists
What It Does:
Allows or denies access based on the source or destination address
Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information
Benefits:
Prevents unauthorized access to servers and applications
Allows designated users to access specified servers
Takes advantage of TCAMs, enabling wire speed performance
Forwarding performance not compromised by ACLs because lookups are done in hardware
Provides ability to access control all packets, either internally bridged within a VLAN or routed between VLANs
Protecting Against Worms
How It Works:
The ACL provides a mechanism to protect servers, users, and applications against worms by determining what traffic streams or users can access which ports.
Using ACLs, the virus or worm is not able to replicate from its hosts.
[Figure: Internal Network, Port 1434.]
Protecting Against Well-Intentioned Users
Mitigating Unauthorized Devices
Problem:
Well-intentioned users place unauthorized network devices on the network, possibly causing instability.
Solution:
Cisco Catalyst Switches support rogue BPDU filtering: BPDU Guard, Root Guard.
[Figure: before and after. Problem: an Unauthorized Switch sends Incorrect STP Info toward the Authorized Switch and Enterprise Server, causing Network Instability. Solution: Root Guard and BPDU Guard on the Authorized Switch; Cisco Secure ACS also shown.]
Secure Connectivity
Secure Shell (SSH) Protocol
SSH encrypts administration traffic during Telnet sessions while configuring or troubleshooting switches.
Secure Sockets Layer (SSL)
SSL encrypts network management traffic, allowing the secure use of tools such as the Cisco Network Assistant.
SNMPv3 (with crypto support)
SNMPv3 provides network security by encrypting administrator traffic during SNMP sessions to configure or troubleshoot switches.
Kerberos
Kerberos authenticates users and network services using a trusted third party to perform secure verification.
Secure Copy
SCP provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on SSH.
Encrypted Data
Securing Layer 2 from Surveillance Attacks
Cutting Off MAC-Based Attacks
Problem:
Script Kiddie hacking tools enable attackers to flood switch CAM tables with bogus MAC addresses, turning the VLAN into a hub and eliminating privacy.
Switch CAM table limit is a finite number of MAC addresses.
[Figure: attacker sending 250,000 Bogus MAC Addresses per Second (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb); Only 3 MAC Addresses Allowed on the Port: Shutdown.]
Solution:
Port security limits MAC flooding attack, locks down port, and sends an SNMP trap.
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
Voice (VLAN) Aware Port Security
Scenario: IP phone + host on same switch port.
Port security & STP violations are now VLAN/voice aware.
Violations for the host only affect data VLAN:
Only affected VLAN is placed in error disable state.
Voice VLAN remains unaffected.
Improves network availability.
DHCP Spoofing Attack
Problem:
Malicious user pretends to be the network DHCP server.
Misconfigured user starts up a DHCP server incorrectly.
Malicious user can send out bogus address, deplete the address space, or spoof the default gateway.
Solution
Do not trust user ports so only DHCP requests can be sent.
Snoop DHCP information for integrity.
[Figure: Untrusted User Ports. The Victim sends a DHCP Discovery Broadcast; alongside the DHCP Server, a second DHCP server answers with a Rogue DHCP Offer: IP: 10.1.1.20/24, GW: 10.1.1.1, DNS: 192.168.1.122.]
DHCP Snooping
[Figure: DHCP Snooping Enabled on the switch. DHCP Client on an Untrusted port sends a DHCP Request; DHCP Server on a Trusted port; the DHCP ACK from the Rogue Server on an Untrusted port is blocked (X).]
What It Does:
Switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic. DHCP snooping allows only designated DHCP ports or uplink ports trusted to relay DHCP messages. It builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number.
Benefit:
DHCP snooping prevents rogue devices from behaving as the DHCP server.
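The filtering and binding-table behaviour described on this slide, as a small Python model added here (it is not Cisco IOS code and not part of the original presentation). Port names, the client MAC address and the 10.1.1.50 lease are constructed sample values; 10.1.1.20 is the rogue offer from the DHCP spoofing slide.

```python
"""Toy model of a DHCP snooping filter (added example, not Cisco IOS code)."""
from dataclasses import dataclass

# Messages only a DHCP server sends; accepted only when they arrive on a trusted port.
SERVER_TYPES = {"OFFER", "ACK", "NAK"}
# Messages a client sends; these are the "DHCP requests" allowed from untrusted ports.
CLIENT_TYPES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


@dataclass(frozen=True)
class DhcpEvent:
    port: str          # ingress switch port
    vlan: int
    msg_type: str
    client_mac: str    # client hardware address carried in the DHCP message
    yiaddr: str = ""   # address being offered or assigned (server messages only)


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self._client_port = {}   # (vlan, mac) -> untrusted port the client was seen on
        self.bindings = {}       # (vlan, mac) -> binding entry

    def handle(self, ev):
        """Return 'forward' or 'drop' for one DHCP message and update the bindings."""
        key = (ev.vlan, ev.client_mac)
        on_trusted = ev.port in self.trusted

        if ev.msg_type in CLIENT_TYPES:
            if not on_trusted:
                # Remember where the client lives so a later ACK can be bound to it.
                self._client_port[key] = ev.port
            return "forward"

        # Anything else is server traffic (or unknown): only trusted ports may send it.
        if ev.msg_type not in SERVER_TYPES or not on_trusted:
            return "drop"

        if ev.msg_type == "ACK" and key in self._client_port:
            # Binding table entry: client IP, client MAC, port and VLAN.
            self.bindings[key] = {
                "ip": ev.yiaddr,
                "mac": ev.client_mac,
                "port": self._client_port[key],
                "vlan": ev.vlan,
            }
        return "forward"


# Constructed sample: one client on Fa0/5, a rogue server on Fa0/9,
# and the legitimate server reachable through the trusted uplink Gi0/1.
CLIENT = "00:11:22:33:44:55"
SAMPLE_EVENTS = [
    DhcpEvent("Fa0/5", 10, "DISCOVER", CLIENT),
    DhcpEvent("Fa0/9", 10, "OFFER", CLIENT, "10.1.1.20"),   # rogue offer
    DhcpEvent("Gi0/1", 10, "OFFER", CLIENT, "10.1.1.50"),
    DhcpEvent("Fa0/5", 10, "REQUEST", CLIENT),
    DhcpEvent("Fa0/9", 10, "ACK", CLIENT, "10.1.1.20"),     # rogue ACK
    DhcpEvent("Gi0/1", 10, "ACK", CLIENT, "10.1.1.50"),
]


def run_sample():
    """Replay the sample through a switch whose only trusted port is Gi0/1."""
    switch = SnoopingSwitch(trusted_ports=["Gi0/1"])
    verdicts = [switch.handle(ev) for ev in SAMPLE_EVENTS]
    return verdicts, switch.bindings


if __name__ == "__main__":
    verdicts, bindings = run_sample()
    for ev, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(f"{ev.port:6} {ev.msg_type:9} {ev.yiaddr or '-':10} {verdict}")
    print(bindings)
```

The two messages from Fa0/9 are dropped, and the only binding recorded ties 10.1.1.50 to the client's MAC address on Fa0/5 in VLAN 10.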
Identity-Based Network Services
What It Does:
Using the 802.1x Standard with Cisco Enhancements, the network grants privileges based on user login information, regardless of the user's location or device.
Benefits:
Allows different people to use the same PC and have different capabilities.
Ensures that users get only their designated privileges, no matter how they are logged into the network.
Reports unauthorized access.
Identity-Based Network Services
How It Works:
All users trying to enter the network must receive authorization based on their personal username and password.
Equivalent to placing a security guard at each switch port.
Only authorized users can get network access.
Unauthorized users can be locked out or placed into guest VLANs.
These services prevent unauthorized or rogue access points.
[Figure: Client Accessing Switch; the switch consults a TACACS+ or RADIUS Server. Valid Username, Valid Password: Yes. Invalid Username, Invalid Password: No.]
Standard 802.1x/VLAN Assignment
Restricts users to a specified VLAN to limit their network access.
Standard 802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to that port.
The RADIUS server database maintains the username-to-VLAN mappings.
Authentication is similar to VMPS/VQP function, except that it uses 802.1x/RADIUS as the authentication mechanism.
[Figure: 802.1x Switched LAN (Requires 802.1x Clients) and RADIUS server. 1. User ok? 2. Authentication ok, assign VLAN3 and ACL14 to Accountant on port5.]
Marketing Mgr: Is on Marketing VLAN, and cannot access any finance or accounting servers.
Accountant: Is on Finance VLAN but can access only accounting server.
Finance Mgr: Is on Finance VLAN and can access all finance and accounting servers.
Standard 802.1x and Voice VLAN
When the switch recognizes through Cisco Discovery Protocol that a Cisco phone is attached to the port, voice traffic is allowed onto the auxiliary VLAN without the authentication of the supplicant on the primary VLAN.
The non-IP phone supplicant (PC) connected to the port is authenticated through 802.1x and uses the PVID.
The IP phone has access to the VVID for its voice traffic regardless of the authorized or unauthorized state of the port.
[Figure: Voice traffic allowed through Cisco Discovery Protocol; PC needs to authenticate with 802.1x.]
Web Authentication for Non-802.1x Users
User starts HTTP or HTTPS connection.
Switch intercepts and prompts for user login/password.
Switch sends user credentials to RADIUS server.
User is authenticated.
Proxy ACL is downloaded (mapped to host IP).
[Figure: HTTP Login Prompt; RADIUS Authentication; User Authenticated.]
Multi Domain Authentication (MDA)
Deployment: IP phone (Cisco or 3rd party) + single host behind the phone
Enhanced security with independent 802.1x authentication and authorization of IP phone and host
Host is placed in data VLAN, and IP phone in voice VLAN, on the same switch port
Data VLAN can be downloaded from RADIUS server
MAC Auth Bypass: Non-802.1x IP phone and host can be authenticated using the MAC address of the device
[Figure: Voice Domain and Data Domain on the same switch port.]
The Cisco Advantage with IBNS
802.1x with Integrated Port Security
802.1x Wake on LAN
802.1x with Dynamic VLAN assignment
802.1x with Guest VLAN
802.1x with Voice VLAN ID Support
802.1x with RADIUS assigned ACL
802.1x MAC Authentication Bypass
802.1x Auth-Fail-VLAN
802.1x AAA-Fail-Open
802.1x MIB and Accounting
802.1x Web-Based Proxy
802.1x Readiness Check
802.1x Multi-Domain Authentication
Cisco's experience and leadership make 802.1x integrated and deployable through Identity-Based Network Services
Advanced QoS
Security
Availability
Manageability
Features
Wire-speed forwarding
No performance effect with all services enabled
Load balancing
Redundancy
Benefits
Network remains operable despite failures
Defined SLAs can be met
Offers business resiliency
Reduces maintenance costs
Cisco Catalyst Intelligent Switching Infrastructure
Wire-Speed Services
Wire-speed, high-touch services with no performance hit:
[Figure: Hardware Services compared with Software-Based Services as Services load increases (for example, ACLs, QoS, and Multicast); Software-Based Services show Packet Drop, Cache Misses, CPU Overload.]
35 Mpps
512 QoS policies
1024 security policies
64 policers
4 queues per port
IEEE 802.1s/w
Standards 802.1s and 802.1w enable loop-free Layer 2 network.
Uses as few spanning-tree instances as possible
Multiple spanning-tree system allows for larger Layer 2 topologies.
Rapidly accelerates convergence if a failure occurs
The standards save CPU cycles and are interoperable across multiple vendors.
Cisco implementation enables smooth migration to Multiple Spanning Tree from Per VLAN Spanning Tree Plus (PVST+) while preserving full standards compliance.
Cisco Extended the 802.1s/w Standards by Automatically Running the Spanning Tree 802.1w when 802.1s is Configured.
FlexLinks: L2 Redundancy
Achieve Layer 2 redundancy without requiring STP (Spanning Tree Protocol).
Access switches with backup links to distribution switches, deployed as FlexLink pair.
Fast convergence upon forwarding link failover.
Sub-100msec cut over
Convergence time independent of number of VLANs and MAC addresses.
[Figure: Access and Distribution layer switches.]

Flexlinks: L2 Redundancy
1. Primary link down detected (24 msec poll).
2. Backup link becomes the active link.
Figure labels: Cisco Catalyst 2960, Cat6K, Cat6K, Active Link, Backup Link

Flexlink Performance Timings (in milliseconds)
VLANs | MACs | MSTP UpStrm | MSTP DnStrm | Flexlink UpStrm | Flexlink DnStrm
1 | 2 | 144 | 143 | 19 | 31
32 | 1280 | 1033 | 1231 | 20 | 199
64 | 2560 | 1581 | 1899 | 45 | 590
128 | 3840 | 2423 | 3022 | 16 | 633
1000 | 6000 | 7507 | 8454 | 46 | 4820

Flexlink VLAN Load Balancing
Primary link carries VLANs 60, 50
Backup link carries VLAN 20
Primary link down detected: backup carries VLANs 60, 50, 20
Figure labels: Cisco Catalyst 2960, gi2/0/8, gi2/0/6

Cisco Catalyst 2960 Multicast Support
  IGMP snooping used for managing group membership information
  Per-port broadcast, multicast, and unicast storm control
  Multicast VLAN registration
  Virtual Trunking Protocol pruning
Figure labels: Multicast Servers (Source), Hosts (Receivers or Groups), LAN

IPv6 Host and IPv6 MLD Snooping
IPv6 host support is a key capability allowing the switch to be managed in an IPv6 network.
Multicast Listener Discovery (MLD) snooping enables efficient and selective distribution of IPv6 multicast data to client VLANs.
IPv6 Host Features
  Dual v4/v6 stack
  Unicast address types
  Ping/ICMPv6/redirect
  AAAA DNS lookups over v4
  Secure Shell over v6
  Input ACLs (control plane only)
  CDP neighbor discovery
  Telnet/DNS/TFTP/Traceroute
  IPv6 Express setup
  TCAM templates
  IPv6 SNMP (New)
  IPv6 Syslog (New)
  IPv6 HTTP support (New)
  IPv6 autoconfiguration (New)

Cisco Catalyst Intelligent Switching Infrastructure
Advanced QoS, Security, Availability, Manageability
Features
  End-to-end manageability using a common set of management tools
  Centralized administration and software upgrades
  Web-based access
Benefits
  Simplify implementation, troubleshooting, and upgrades
  Reduce operational costs
  Simplify intelligent service implementation
  Reduce maintenance costs

DHCP Auto Install and Auto Image
Simplifies deployment of a large number of switches
Auto installation of configuration and IOS image
DHCP auto image (New)
  Allows automatic image download
DHCP-based auto configuration
  Allows a switch to download a config from TFTP server
Figure labels: Install configuration, New Switch, DHCP Server, TFTP Server

Integrated Time Domain Reflectometer (TDR)
Layer 1 troubleshooting tool
TDR helps to determine:
  The length of a cable
  Whether the cable is correctly wired internally (pin-to-pin wire mapping)
  Whether the cable contains a short circuit (wires touching each other through damaged or missing insulation)
  Whether the cable contains a broken wire (called an open)
  Whether the cable suffers from electrical crosstalk (interference).
CISCO-CABLE-DIAG-MIB
Figure labels: Port, Cable Fault, Port

UniDirectional Link Detection (UDLD)
Protecting Against One-Way Communication
Highly available networks require UDLD to protect against one-way communication or partially failed links and the effect that they could have on protocols like STP and RSTP.
Primarily used on fiber optic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs.
Neighboring ports should see their own device/port ID (echo) in the packets received from the other side.
Failing to receive this information indicates misconfiguration and the port is error-disabled.
Figure label: Are You Echoing My Hellos?

Cisco Error Disable MIB
Error disable allows software features to disable a port or VLAN upon detecting abnormal conditions.
Provides the ability to configure and monitor error disable conditions proactively.
Examples
  Port security violations on a VLAN disable the VLAN.
  Storm control disables the port when the broadcast threshold is exceeded.
CISCO-ERR-DISABLE MIB
  Provides the reason for port/VLAN error disable condition.
  Automatic recovery time interval can be set; after this time, re-enables port or VLAN.
  Generates notification when error disable occurs (rate can be specified).

LLDP-MED
Superset of LLDP (IEEE 802.3ab Link Layer Discovery)
When do we need LLDP-MED?
  For interoperability between Cisco Catalyst switches and third-party IP phones for VLAN and power exchange.
  CDP provides Cisco end-to-end value add (granular power negotiation and many other capabilities).
LLDP-MED support: L2 neighbor discovery for IP phones.
  Allows exchange of VLAN and power (MED doesn't provide power negotiation).
LLDP-MED Location
  Location is configured on the switch.
  Switch sends location to the IP phone using LLDP-MED.
  Enables location-based services.

Broadest Range of Network Management Products
Catalyst Device Manager: One switch, initial setup only
Cisco Network Assistant: Up to 40 switches and routers
CiscoWorks LAN Management Solution (LMS): Thousands of devices; service management; WANs and LANs
WAN Manager: Tens of thousands of devices; service provisioning; global WANs; Cisco IGX, BPX, and MGX switches only
*Small Network Management Solution (SNMS)
Figure labels: Small and Medium Business, Enterprise, Service Provider; Function and Flexibility; Price-Performance; Free

CiscoWorks LAN Management Solution (LMS)
LMS is a suite of applications designed to simplify and augment the daily tasks required to manage a Cisco end-to-end network, reducing total cost of ownership and improving network availability.
  Simplifies and automates tasks associated with day-to-day management: taking inventory, configuration, IOS software deployment, and troubleshooting.
  Breadth of device support (over 400 Cisco device types) provides a single application suite for managing most Cisco-labeled devices.
  Provides detailed visibility of users, ports, and network connectivity: topology services, user tracking, inventory.
  Automates the change management process, quickly identifying hardware, software, and configuration changes: change audit reports.

Management Interfaces
Cisco Network Assistant
  Manages a 40-device SMB network
  Router, switch, IP phone, wireless
  Web-based: Java
Cisco Catalyst Device Manager
  Manages a single device
  Web-based: HTML

Express Setup
1. Power up the switch and hold the mode button for a few seconds until all the mode LEDs are green.
2. Connect the PC into the Ethernet port and launch the browser.
3. Launch the Express Setup page by entering the IP address of 10.0.0.1 in the browser.
4. Assign the switch IP address and management VLAN; enable the secret password, (optional) Telnet password, and SNMP configuration.
Cisco Catalyst Device Manager
Embedded in the switch.
View and configure a single switch using a Web browser.
Display switch trends, status, and port statistics.
Integrated Smart Ports for simple port configuration.

Cisco Network Assistant Release 5.4
  Multi-product, multi-technology management tool
  Supports up to 40 devices: switches, routers, and firewalls, and unlimited IP phones and access points
  Interactive topology and front panel views
  Configuration, monitoring, troubleshooting, & network optimization
  Highlight your VLANs, Telnet to devices, drag-n-drop IOS upgrades
  Localized in French, Italian, German, Spanish, Chinese, and Japanese
  Free download: www.cisco.com/go/cna
  700K+ Downloads

The Business Relevance of Cisco Smartports
Cisco Smartports allows for simple and accurate deployment of high-value, network-optimizing intelligent features.
Benefits
  Simplified feature deployment
  Less chance of errors
  Deployment consistency across the network
  Greater value from the intelligent network through increased feature usage
What It Does
  Preconfigured macros enable fast and easy configuration of advanced Cisco Catalyst intelligent capabilities
  Quickly enables QoS, security, and availability features with a single command
  Offers granular flexibility on a per-port basis
  Provides ability to create customized macros
Figure labels: Internet, Intranet

Cisco Smartports: From This / To This
Global Commands
! Recover automatically from link-flap and UDLD err-disable after 60 seconds
errdisable recovery cause link-flap
errdisable recovery cause udld
errdisable recovery interval 60
vtp domain [smartports]
vtp mode transparent
udld aggressive
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
Interface Commands
! Reset the ports to defaults, then apply the access-port settings
default interface range FastEthernet[1]/0/[1-48]
interface range FastEthernet[1]/0/[1-48]
 switchport access vlan [data]
 switchport mode access
 switchport voice vlan [voice]
 ! Port security: at most 3 MAC addresses, restrict on violation, age out after 2 minutes of inactivity
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 auto qos voip cisco-phone
 ! Edge port: skip listening/learning, and err-disable the port if a BPDU arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
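
The per-port commands on this slide can also serve as an audit baseline. The following Python sketch is an added example, not part of the Cisco presentation: it checks a running-config for access ports that lack the port-security, PortFast and BPDU guard lines listed on the slide. The function names and the sample configuration are constructed for illustration.

```python
import re
# Per-port baseline copied from the Smartports interface commands above.
REQUIRED = (
    "switchport mode access", "switchport port-security",
    "switchport port-security maximum 3",
    "switchport port-security violation restrict",
    "spanning-tree portfast", "spanning-tree bpduguard enable",
)

def parse_interfaces(config):
    """Map each interface name to the set of commands configured under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        elif current and raw.startswith(" "):
            interfaces[current].add(" ".join(raw.split()))
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit(config):
    """Return {interface: [missing baseline commands]}, skipping trunk ports."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        missing = [c for c in REQUIRED if c not in cmds]
        if missing and "switchport mode trunk" not in cmds:
            findings[name] = missing
    return findings

# Constructed sample running-config (not from a real device).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
"""
```

Calling `audit(SAMPLE)` reports only FastEthernet0/2, the access port that has PortFast but neither port security nor BPDU guard.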

Agenda
  Cisco Catalyst Switches Overview
  Cisco Catalyst 2960 Product Overview
  Intelligent Services
  Feature Matrix

Cisco Catalyst 2960 Software Feature Matrix
For more detailed information, please read the Cisco Catalyst 2960 LAN Base and Cisco Catalyst 2960 LAN Lite datasheets.
Feature | Cisco Catalyst 2960 LAN Lite | Cisco Catalyst 2960 LAN Base
Flash/DRAM | 32 / 64 MB | 32 / 64 MB
RPS Support | No | Yes
Jumbo Frames | Yes | Yes
VLANs | 64 | 255
Disable MAC Learning per VLAN | No | Yes
Voice VLAN | Yes | Yes
VTPv2 | Yes | Yes
CDPv2 | Yes | Yes
LLDP | Yes | Yes (+MED)
STP Instances | 64 | 128
802.1w/802.1s | Yes | Yes
PVST/PVRST+ | Yes | Yes
Port Fast/Uplink Fast | Yes | Yes
802.3ad LACP | Yes | Yes
Enhanced PAgP for VSS | No | Yes
Flex Link | No | Yes
Link State Tracking | No | Yes

Quality of Service
Feature | Cisco Catalyst 2960 LAN Lite | Cisco Catalyst 2960 LAN Base
Port CoS Trust/Override | Yes | Yes
Trusted Boundary | No | Yes
ACL Classification | No | Yes
Ingress Policing (1MB incr.) | No | Yes
Auto QoS | No | Yes
802.1p Queues | 4 | 4
Shaped Round Robin Scheduling | Yes | Yes
Priority Queuing | Yes | Yes
Configure CoS Priority Queues | Yes | Yes
Configure Queue Weights | No | Yes
Configure Buffers/Thresholds | No | Yes
Class & Policy Maps | No | Yes
Modify CoS/DSCP Mapping | No | Yes
DSCP Transparency | Yes | Yes
Weighted Tail Drop | Yes | Yes

Security
Feature | Cisco Catalyst 2960 LAN Lite | Cisco Catalyst 2960 LAN Base
SSH/SSL/SCP | Yes | Yes
RADIUS/TACACS+ | Yes | Yes
SNMPv3 crypto | Yes | Yes
802.1x | Yes | Yes
802.1x Accounting/MIB | Yes | Yes
802.1x w/ Port Security | Yes | Yes
802.1x w/ Voice VLAN | Yes | Yes
802.1x Readiness Check | No | Yes
802.1x Guest VLAN | Yes | Yes
802.1x VLAN assignment | Yes | Yes
802.1x Auth-Fail VLAN | No | Yes
802.1x AAA Fail Open | No | Yes
802.1x Wake-On-LAN | No | Yes
802.1x RADIUS ACL Filter ID | No | Yes
802.1x Multi-Domain Authentication | No | Yes
802.1x MAC-Auth Bypass | Yes | Yes
Web-Authentication | No | Yes

Security, Multicast, IPv6
Feature | Cisco Catalyst 2960 LAN Lite | Cisco Catalyst 2960 LAN Base
Cisco NAC-NAD-MIB | No | Yes
Cisco-PAE-MIB | No | Yes
L2-4 ACLs (Port, Time, and DSCP-based) | No | Yes
BPDU/Root Guard | Yes (voice aware) | Yes (voice aware)
Port Security | Yes (voice aware) | Yes (voice aware)
DHCP Snooping | No | Yes
DHCP Option 82 | No | Yes
DHCP Server | No | Yes
Private VLAN Edge | Yes | Yes
Storm Control | Yes | Yes
Block Unknown Unicast/Multicast | Yes | Yes
IPv6 Host (SNMP, Syslog, HTTP, Autoconfiguration, Telnet, etc.) | No | Yes
IPv6 MLD Snooping | No | Yes
MVR | No | Yes
IGMP Snooping | Yes | Yes
IGMP Filter/Throttle | Yes | Yes

Management and Troubleshooting
Feature | Cisco Catalyst 2960 LAN Lite | Cisco Catalyst 2960 LAN Base
Auto-MDIX | Yes | Yes
TDR | Yes | Yes
UDLD | Yes | Yes
IP SLA Responder | No | Yes
Layer 2/IP Traceroute | Yes | Yes
SPAN (number of sessions) | Yes (1) | Yes (2)
RSPAN | No | Yes
Express Setup | Yes | Yes
Device Manager | Yes | Yes
Cisco Network Assistant | Yes | Yes
Smartports + Adviser | Yes | Yes
Troubleshooting Adviser | Yes | Yes
Drag-and-drop IOS Upgrade | Yes | Yes
IP Address DHCP | Yes | Yes
Config Replace | Yes | Yes
DHCP Auto Config (New) | Yes | Yes
DHCP Auto Image Upgrade | Yes | Yes
Error Disable MIB | Yes | Yes