Agenda
Cisco Catalyst Switches Overview
3 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential C97-373923-02
Cisco Catalyst Switching Portfolio
(Figure: positioning chart. Vertical axis: Features, Scalability, Longevity. Horizontal axis: Number of Employees/Density, from Small through Medium-Sized to Large.)
Distribution or Core: Cisco Catalyst 4500, Cisco Catalyst 6500
Data-Center Access: Blade Switches, Cisco Catalyst 6500, Cisco Catalyst 4900
Wiring Closet: Cisco Catalyst Express 520 (New), Cisco Catalyst 2960, Cisco Catalyst 3750-E and Catalyst 3750, Cisco Catalyst 3560-E and Catalyst 3560, Cisco Catalyst 4500, Cisco Catalyst 6500
Most Complete Line of Fixed Configuration LAN Products
(Figure: positioning chart. Vertical axis: Price-Performance. Horizontal axis: Function, Flexibility, Scalability. Tiers: GUI-Managed, Layer 2 Intelligent Services, Full Layer 3 Routing.)

Cisco Catalyst Express 500
Low-density, standalone, managed 10/100 switching
Tailored for businesses with up to 250 users

Cisco Catalyst 2960
10/100 and 10/100/1000 Layer 2 switching
8-, 24-, and 48-port configurations with dual-purpose Gig uplinks
PoE configurations with up to 15.4W on up to 24 ports
Entry-level LAN Lite IOS and enhanced LAN Base IOS for intelligent services

Cisco Catalyst 3560-E and Catalyst 3560
10/100 and GE configurations + 2 10GE
Enterprise-class intelligent Layer 3/4 services
Modular power supply with 3560-E
PoE configurations with up to 15.4W on all 48 ports

Cisco Catalyst 3750-E and Catalyst 3750
Stackable 10/100 and GE configurations + 2 10GE
Cisco StackWisePlus and StackWise technology
Enterprise-class intelligent Layer 3/4 services
Modular power supply with 3750-E
PoE configurations with up to 15.4W on all 48 ports

Cisco Catalyst 4948
10/100/1000 + 2 10GE wire-speed switching
Rack-optimized server switching
Jumbo frame support
Dual, hot-swappable, internal power supplies
Hot-swappable fan tray
Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix
Cisco Catalyst 2960 Series Switches

Cisco Catalyst 2960 LAN Lite Series
Offers Fast Ethernet in 8-, 24- and 48-port configurations for small branch offices and wiring closets
Offers standard Layer 2 services with entry-level availability, security, and QoS
Scalable and secure network management
Offers simplified management and troubleshooting for lower total cost of ownership
Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
Provides limited lifetime hardware warranty and software updates at no additional charge

Cisco Catalyst 2960 LAN Base Series
Provides Fast Ethernet, Gigabit Ethernet, and Power over Ethernet for entry-level enterprise and mid-market customers
Offers enhanced Layer 2+ intelligent LAN services: availability, enhanced security, advanced quality of service (QoS)
Offers simplified management and troubleshooting for lower total cost of ownership
Offers CiscoWorks LMS, Cisco Network Assistant and Cisco Smartports
Provides limited lifetime hardware warranty and software updates at no additional charge

Both series use Cisco ASICs for superior quality and hardware and software integration.
Cisco Catalyst 2960 LAN Base Series: Model Overview
Software: LAN Base image
Enterprise-class intelligent services: advanced QoS, enhanced security, high availability

Model                         Ports
Cisco Catalyst 2960-8TC-L     8 10/100 ports, 1 dual-purpose uplink port; compact form factor with no fan
Cisco Catalyst 2960G-8TC-L    7 10/100/1000 ports, 1 dual-purpose uplink port; compact form factor with no fan
Cisco Catalyst 2960PD-8TT-L   8 10/100/1000 ports, 1 10/100/1000 PoE input port; compact form factor with no fan
Cisco Catalyst 2960-24TT-L    24 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-24TC-L    24 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960-24LT-L    24 10/100 ports (8 PoE ports), 2 10/100/1000 uplink ports
Cisco Catalyst 2960-24PC-L    24 10/100 PoE ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960G-24TC-L   20 10/100/1000 ports, 4 dual-purpose uplink ports
Cisco Catalyst 2960-48TT-L    48 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-48TC-L    48 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960G-48TC-L   44 10/100/1000 ports, 4 dual-purpose uplink ports
Cisco Catalyst 2960 LAN Lite Series: Model Overview
Note: Cisco Catalyst 2960 switches cannot be upgraded or downgraded between LAN Base and LAN Lite software.
Software: LAN Lite image
Entry-level QoS, security, and availability with a focus on ease of use and lower total cost of ownership

Model                        Ports
Cisco Catalyst 2960-8TC-S    8 10/100 ports, 1 dual-purpose uplink port; compact form factor with no fan
Cisco Catalyst 2960-24-S     24 10/100 ports
Cisco Catalyst 2960-24TC-S   24 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960-48TT-S   48 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-48TC-S   48 10/100 ports, 2 dual-purpose uplink ports
(Four of these models are marked on the slide with an availability date of Sep. 08.)
Cisco Catalyst 2960 Power over Ethernet (PoE) Switches
Benefits
Prepare the network for IP telephony and wireless access.
Eliminate the need for separate electrical wiring.
Protect your investment and avoid a costly upgrade.
Cisco pre-standard PoE and 802.3af are fully supported.
Cisco IOS provides intelligent power management with granular control.
Wide selection of standards-based IEEE 802.3af-powered devices: IP phones, wireless access points, surveillance cameras, access card readers.
A Glimpse into the Future: The Ethernet-Powered Organization
(Figure: a resilient, available IP network with scalable power delivery feeding powered IP telephones, wireless access points, building access control, IP integrated video surveillance and fire protection.)
Power over Ethernet (PoE) delivers 48V DC power over a standard copper Ethernet cable. The power and network are used by the connected devices for their operation.
Extending the Versatility of Ethernet: The Benefits of Powering Devices with Ethernet
Power over Ethernet extends the value, simplicity, and flexibility of Ethernet to enable new uses for the network.
AC-free deployments
Mobility and simplicity
Safety
Operational resiliency
Simplified manageability
Reduced capex and opex
Source: Cisco 802.3af Power over Ethernet, S.P. Shalita, February 2004, R10b
Cisco Catalyst 2960 Compact Switches
Meeting unique physical requirements of the office workspace, conference rooms, classrooms, and micro branch offices
Small size (H x W x D): 4.4cm x 27cm x 1623cm
Flexible wall and under-the-desk mounting
Durable metal shell
Cable guard
Internal power supply and right-angle power cord
Passive cooling (no fan)
Magnet included
Security locking slot
19-inch rack mount option
Cisco Catalyst 2960 Supported Small Form Factor Pluggable Modules
(Figure: SFP transceiver with LC connectors.)

SFP Transceiver                     2960 LAN Base Switches   2960 LAN Lite Switches
GLC-LH-SM=                          Yes                      Yes
GLC-SX-MM=                          Yes                      Yes
GLC-ZX-SM=                          Yes                      No
GLC-T=                              Yes*                     Yes
GLC-BX-D= / GLC-BX-U=               Yes                      No
GLC-GE-100FX= / GLC-FE-100FX=       Yes*                     Yes
GLC-FE-100LX=                       Yes                      No
GLC-FE-100BX-D= / GLC-FE-100BX-U=   Yes                      No
CWDM SFPs                           Yes                      No

* GLC-T and GLC-GE-100FX are not supported on the Cisco Catalyst 2960-8TC-S, 2960-8TC-L and 2960G-8TC-L switches. For 100BASE-FX connectivity on the compact switches, use the GLC-FE-100FX instead.
Dual-Purpose Uplink Port Behavior
Only one port, either SFP or 10/100/1000 copper, will be active at any time.
Users can manually select the media type using the media-type [sfp] or [rj45] interface command, or leave it to auto-select.
SFP always gets the preference on switch boot-up or when the interface is enabled (shut/no shut). In all other cases, the media that links up first will be selected as the active media.
(Figure: two dual-purpose uplinks; their SFP and copper ports are labelled A, B, C and D.)

Dual-Purpose Uplink Combination   Validity
A + B                             No
A + C                             Yes
A + D                             Yes
B + C                             Yes
B + D                             Yes
C + D                             No
Redundant Power System 2300
Benefits
Increases network availability.
Seamlessly provides backup power to network devices.
Modular power supplies and fan for flexibility and increased availability.
Management and configuration capabilities allow users to define and implement the failover policy.
Easier to Use
Six RPS connectors; up to two switches are actively backed up.
Seamless failover to RPS 2300 when the switch power supply fails.
RPS 2300 and switch can have separate AC sources.
Greater Modularity
Uses the same 1150W and 750W power supplies as the Cisco Catalyst 3750-E and 3560-E switches.
Replaceable fan module.
Note: Cisco Catalyst 2960 LAN Lite switches and Cisco Catalyst 2960 compact switches do not have RPS support. Catalyst 2960 PoE switches require CAB-2300-E=, which allows users to manage the RPS via the switch.
Services and Warranty for the Cisco Catalyst 2960 Series
Limited lifetime hardware warranty
Advance Replacement shipping within 10 business days
Guest access to Cisco.com
Ongoing Cisco IOS Software updates at no additional cost
Cisco SMARTnet

Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix
Cisco Catalyst Intelligent Switching Infrastructure
Intelligent Switching is a common foundation of capabilities across Cisco Catalyst switches.
Performance, Availability: wire-speed forwarding; no performance effect with all services enabled
QoS: Layer 2, 3, 4 classification; policing and shaping; multiple queues; granular control
Security: Layer 2, 3, 4 access control; identity-based authentication; management security; admission control
Manageability: end-to-end manageability for centralized administration; web-based or command-line interface (CLI); analysis and planning tools
Intelligence Through More Capable ASICs
Layer 2 switches are limited to the processing and forwarding of Layer 2 information.
Multilayer switches can look deeper into the frame and make intelligent decisions based on Layer 3 or Layer 4 information.
Examples of why this is useful:
Preserve bandwidth by limiting traffic based on a user's IP address.
Preserve bandwidth by limiting traffic based on applications that use a constant TCP/UDP port number: web browsing, enterprise resource planning (ERP) applications, etc.
Prevent access to network resources based on a user's IP address.
Classify and mark traffic based on Layer 3 QoS (DSCP).
(Figure: frame layout showing the TCP/UDP header and DATA fields the ASIC can inspect.)

Auto QoS
One command per interface to enable and configure QoS.
Modify global and interface settings to make QoS for VoIP work.
(Figure: IP phones on the Catalyst switch reach Cisco CallManager, Cisco Unity software, voice applications and voice gateways across the WAN.)
Campus QoS Considerations: Trust Boundary Extension and Operation
(Figure: a PC (PC VLAN = 10) behind an IP phone (Phone VLAN = 110) on a switch access port; the trust boundary sits at the phone.)
1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone ("I see you're an IP phone, so I will trust your CoS").
2. Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic (Voice = 5, Signaling = 3).
3. PC sets CoS to 5 for all traffic; the phone rewrites CoS from the PC port to 0, so all PC traffic is reset to CoS 0.
4. Switch trusts CoS from the phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0.
Cisco IOS IP SLAs
(Figure: an IP SLA source sends active, generated traffic with a defined packet size, spacing, CoS and protocol to a destination; a Catalyst 2960 acts as IP SLA responder, and results are read as IP Server MIB data.)
Operations: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP (G711, G729)
Measurement metrics: latency, network jitter, distribution of stats, connection loss (reachability), packet loss, elapsed time
Uses: TCP/IP performance, service level agreements (SLAs), network assessment, health monitor, VoIP monitoring, availability
Cisco Catalyst Intelligent Switching Infrastructure: Security
(Pillars: Advanced QoS, Security, Availability, Manageability)
Features
Identity-based authentication
Wire-speed access control lists
Controlled access to system maintenance
Integrated security services
Benefits
Authenticate and control access based on user identity
Protect critical business assets
Prevent downtime
Prevent network attacks from within
Cisco Catalyst Switching Integrated Security
(Figure: campus network annotated with three groups of features.)
Secure Connectivity: SSL, SSH, SNMPv3
Threat Defense: man-in-the-middle attack mitigation (port security, DHCP snooping); L2-4 ACLs; Private VLAN Edge; scavenger-class QoS
Trust and Identity: Cisco Trust Agent; Network Admission Control; quarantine VLAN (remediation); Identity-Based Networking (802.1x extensions); web- and MAC-based authentication
The Need for Admission Control
Viruses, worms, spyware, etc. are still the #1 cause of financial loss.*
Downtime, recovery, lost productivity, credibility, legal implications.
Users are routinely authenticated, but endpoint devices (laptops, PCs, PDAs) are not checked for security policy compliance.
Unprotected endpoints spread infection: required security software not installed, disabled, or out of date.
Checking for compliance is difficult and expensive.
"Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." (Burton Group)
*2005 FBI/CSI Report.
Network Admission Control Options
NAC Framework: vendor products assess and remediate across an intelligent network.

Supported on Cisco Catalyst 3750, Catalyst 3560, and Catalyst 2960:
Credentials: carries credentials inside EAPoL along with user authentication
Trigger: triggered by the normal 802.1X exchange
Enforcement policy: RADIUS VLAN assignment
Client requirements: requires an enhanced supplicant with Cisco Trust Agent built in

Supported on Cisco Catalyst 3750 and Catalyst 3560:
Credentials: carries credentials inside EAPoUDP, completely independent of any user authentication
Trigger: triggered by ARP or DHCP traffic from the host
Enforcement policy: RADIUS IP downloadable ACLs
Client requirements: can be used with or without Cisco Trust Agent (clientless host)
Cisco Catalyst Access Control Lists
What it does:
Allows or denies access based on the source or destination address.
Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information.
Benefits:
Prevents unauthorized access to servers and applications.
Allows designated users to access specified servers.
Takes advantage of TCAMs, enabling wire-speed performance: forwarding performance is not compromised by ACLs because lookups are done in hardware.
Provides the ability to apply access control to all packets, either internally bridged within a VLAN or routed between VLANs.
Protecting Against Worms
How it works: the ACL provides a mechanism to protect servers, users, and applications against worms by determining which traffic streams or users can access which ports.
Using ACLs, the virus or worm is not able to replicate from its hosts.
(Figure: an infected host, the internal network, and an ACL entry for port 1434 on the switch between them.)
Mitigating Unauthorized Devices: Protecting Against Well-Intentioned Users
Problem: well-intentioned users place unauthorized network devices on the network, possibly causing instability.
(Figure: an unauthorized switch attached below an authorized switch injects incorrect STP information toward the enterprise server and Cisco Secure ACS, causing network instability.)
Solution: Cisco Catalyst switches support rogue BPDU filtering: BPDU Guard and Root Guard.
Secure Connectivity
Secure Shell (SSH) Protocol: SSH encrypts administration traffic in remote terminal (Telnet-style) sessions while configuring or troubleshooting switches.
Secure Sockets Layer (SSL): SSL encrypts network management traffic, allowing the secure use of tools such as the Cisco Network Assistant.
SNMPv3 (with crypto support): SNMPv3 provides network security by encrypting administrator traffic during SNMP sessions to configure or troubleshoot switches.
Kerberos: Kerberos authenticates users and network services using a trusted third party to perform secure verification.
Secure Copy: SCP provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on SSH.
(Figure: encrypted data between the administrator and the switch.)
Securing Layer 2 from Surveillance Attacks: Cutting Off MAC-Based Attacks
Problem:
Script-kiddie hacking tools enable attackers to flood switch CAM tables with bogus MAC addresses, turning the VLAN into a hub and eliminating privacy.
The switch CAM table is limited to a finite number of MAC addresses.
(Figure: an attacker sends 250,000 bogus MAC addresses per second into a VLAN shared with the legitimate hosts 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb.)
Solution:
Port security limits the MAC flooding attack, locks down the port, and sends an SNMP trap.
(Figure label: only 3 MAC addresses allowed on the port: Shutdown.)
Configuration:
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
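The port-security behaviour on this slide, modelled as an added example (not Cisco code): a constructed frame stream with two legitimate hosts and a burst of bogus source MACs is run through an unprotected port with a small CAM (capacity 8 is an assumed value) and through a port configured as above (maximum 3, violation restrict, aging type inactivity, aging time 2 minutes).

```python
from dataclasses import dataclass, field

CAM_CAPACITY = 8        # assumed: a tiny CAM so the constructed flood fills it quickly
MAX_SECURE = 3          # switchport port-security maximum 3
AGING_SECONDS = 2 * 60  # switchport port-security aging time 2 (minutes), type inactivity


@dataclass
class PlainPort:
    """Unprotected port: every new source MAC is learned until the CAM is full."""
    cam: set = field(default_factory=set)
    flooded: int = 0  # frames that arrived while the CAM was full

    def receive(self, src_mac: str) -> str:
        if src_mac in self.cam:
            return "known"
        if len(self.cam) < CAM_CAPACITY:
            self.cam.add(src_mac)
            return "learned"
        # CAM exhausted: the switch cannot learn the real hosts' MACs any more,
        # so frames for unlearned destinations are flooded to every port in the
        # VLAN. This is the "VLAN turned into a hub" effect on the slide.
        self.flooded += 1
        return "flooded"


@dataclass
class SecurePort:
    """Port with the slide's settings: maximum 3, violation restrict, inactivity aging."""
    secure: dict = field(default_factory=dict)  # secure MAC -> time last seen
    violations: int = 0
    traps: list = field(default_factory=list)   # SNMP traps the switch would send

    def _age_out(self, now: float) -> None:
        # aging type inactivity: a secure MAC that stays silent for the aging
        # time is removed, which frees its slot for a legitimate host
        for mac in [m for m, t in self.secure.items() if now - t >= AGING_SECONDS]:
            del self.secure[mac]

    def receive(self, src_mac: str, now: float) -> str:
        self._age_out(now)
        if src_mac in self.secure:
            self.secure[src_mac] = now
            return "forwarded"
        if len(self.secure) < MAX_SECURE:
            self.secure[src_mac] = now
            return "learned"
        # violation restrict: drop the frame, count it and raise a trap, but
        # keep the port up (violation shutdown would err-disable it instead)
        self.violations += 1
        self.traps.append(f"psecure-violation src={src_mac}")
        return "dropped"


def build_stream() -> list:
    """Constructed frame stream of (time in seconds, source MAC)."""
    pc, phone = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"
    stream = [(0.0, pc), (1.0, phone)]
    # 20 bogus source MACs one millisecond apart: the flood from the slide
    stream += [(2.0 + i / 1000, f"02:00:00:00:00:{i:02x}") for i in range(20)]
    # Three minutes later the PC talks again. Every secure entry, including
    # the bogus MAC that took the third slot, has been idle longer than the
    # aging time, so the PC is learned again instead of being dropped.
    stream.append((180.0, pc))
    return stream


def simulate(stream: list) -> dict:
    """Run the same stream through both port models and summarise the outcome."""
    plain, secure = PlainPort(), SecurePort()
    for now, mac in stream:
        plain.receive(mac)
        secure.receive(mac, now)
    return {
        "plain_cam": len(plain.cam),
        "plain_flooded": plain.flooded,
        "secure_macs": sorted(secure.secure),
        "violations": secure.violations,
        "traps": len(secure.traps),
    }


if __name__ == "__main__":
    print(simulate(build_stream()))
```

The unprotected port ends with a full CAM and 14 flooded frames, while the protected port never holds more than three addresses and reports each excess frame as a violation with a trap.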
Voice (VLAN) Aware Port Security
Scenario: IP phone + host on the same switch port.
Port security and STP violations are now VLAN/voice aware.
Violations for the host only affect the data VLAN: only the affected VLAN is placed in the error-disable state; the voice VLAN remains unaffected.
Improves network availability.
DHCP Spoofing Attack
Problem:
A malicious user pretends to be the network DHCP server.
A misconfigured user starts up a DHCP server incorrectly.
A malicious user can send out bogus addresses, deplete the address space, or spoof the default gateway.
Solution:
Do not trust user ports, so only DHCP requests can be sent from them.
Snoop DHCP information for integrity.
(Figure: user ports are untrusted; only the port toward the DHCP server is trusted.)

DHCP Snooping
What it does: the switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic. DHCP snooping allows only designated DHCP ports or uplink ports that are trusted to relay DHCP messages. It builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number.
Benefit: DHCP snooping prevents rogue devices from behaving as the DHCP server.
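The DHCP snooping rule described above, as an added example that is not Cisco's implementation: constructed DHCP payloads are classified by their option 53 message type, server messages are dropped on untrusted ports, and the binding table is filled from ACKs relayed through the trusted uplink. Port names (Gi0/1, Fa0/5 and so on) are assumed, and the check that a RELEASE comes from the port recorded in the binding goes beyond what the slide describes.

```python
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = 1, 2, 3, 4, 5, 6, 7, 8
CLIENT_TYPES = {DISCOVER, REQUEST, DECLINE, RELEASE, INFORM}  # allowed from any port
SERVER_TYPES = {OFFER, ACK, NAK}                              # trusted ports only


def build_dhcp(msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    """Constructed minimal DHCP payload: BOOTP header, magic cookie, option 53, end."""
    op = 1 if msg_type in CLIENT_TYPES else 2
    header = struct.pack("!BBBBIHH4s4s4s4s16s", op, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, bytes(int(o) for o in yiaddr.split(".")),
                         b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"))
    return header + b"\0" * 192 + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload: bytes):
    """Return (message type, client MAC, yiaddr), or None if this is not DHCP."""
    if len(payload) < 241 or payload[236:240] != MAGIC_COOKIE:
        return None
    hlen = payload[2]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:
        if payload[i] == 0:  # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            return payload[i + 2], mac, yiaddr
        i += 2 + length
    return None


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # client MAC -> port of its DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, port, VLAN)
    log: list = field(default_factory=list)

    def handle(self, port: str, vlan: int, payload: bytes) -> str:
        parsed = parse_dhcp(payload)
        if parsed is None:
            return "not-dhcp"
        msg_type, mac, yiaddr = parsed
        if msg_type in SERVER_TYPES:
            if port not in self.trusted_ports:
                # an OFFER/ACK/NAK arriving on a user port is a rogue server
                self.log.append(f"drop server message {msg_type} on untrusted {port} vlan {vlan}")
                return "dropped"
            if msg_type == ACK and mac in self.pending:
                self.bindings[mac] = (yiaddr, self.pending.pop(mac), vlan)
            return "forwarded"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[mac] = port
        elif msg_type == RELEASE and mac in self.bindings:
            if self.bindings[mac][1] != port:
                # a RELEASE for a lease learned on another port is not honoured
                self.log.append(f"drop release for {mac} from {port}")
                return "dropped"
            del self.bindings[mac]
        return "forwarded"


def run_scenario():
    """Constructed exchange: PC on Fa0/5, rogue server on Fa0/7, real server via Gi0/1."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    pc = b"\x00\x0e\x00\xaa\xaa\xaa"
    events = [
        ("Fa0/5", 10, build_dhcp(DISCOVER, pc)),
        ("Fa0/7", 10, build_dhcp(OFFER, pc, "10.0.0.99")),  # rogue OFFER on a user port
        ("Gi0/1", 10, build_dhcp(OFFER, pc, "10.0.0.20")),  # real OFFER via the trusted uplink
        ("Fa0/5", 10, build_dhcp(REQUEST, pc)),
        ("Gi0/1", 10, build_dhcp(ACK, pc, "10.0.0.20")),
        ("Fa0/9", 10, build_dhcp(RELEASE, pc)),             # RELEASE from a port the PC is not on
    ]
    return [sw.handle(*e) for e in events], sw.bindings, sw.log


if __name__ == "__main__":
    print(run_scenario())
```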
Identity-Based Network Services
What it does: uses the 802.1x standard with the Cisco Catalyst 2960.

Flexlinks: L2 Redundancy
(Figure: a Catalyst 2960 dual-homed to two Cat6K switches over an active link and a backup link.)
1. Primary link down detected (24 msec poll).
2. Backup link becomes the active link.
Flexlink Performance Timings (in milliseconds)
VLANs   MACs   MSTP UpStrm   MSTP DnStrm   Flexlink UpStrm   Flexlink DnStrm
1       2      144           143           19                31
32      1280   1033          1231          20                199
64      2560   1581          1899          45                590
128     3840   2423          3022          16                633
1000    6000   7507          8454          46                4820
Cisco Catalyst 2960 Flexlink VLAN Load Balancing
(Figure: uplinks gi2/0/8 and gi2/0/6. In normal operation the primary link carries VLANs 60 and 50 and the backup link carries VLAN 20; once the primary link is detected down, the backup carries VLANs 60, 50 and 20.)
Cisco Catalyst 2960 Multicast Support
IGMP snooping used for managing group membership information
Per-port broadcast, multicast, and unicast storm control
Multicast VLAN registration
Virtual Trunking Protocol pruning
(Figure: multicast servers (source) delivering to hosts (receivers or groups) across the LAN.)
IPv6 Host and IPv6 MLD Snooping
IPv6 host support is a key capability allowing the switch to be managed in an IPv6 network.
Multicast Listener Discovery (MLD) snooping enables efficient and selective distribution of IPv6 multicast data to client VLANs.
IPv6 Host Features
Dual v4/v6 stack
Unicast address types
Ping/ICMPv6/redirect
AAAA DNS lookups over v4
Secure Shell over v6
Input ACLs (control plane only)
CDP neighbor discovery
Telnet/DNS/TFTP/Traceroute
IPv6 Express setup
TCAM templates
IPv6 SNMP (New)
IPv6 Syslog (New)
IPv6 HTTP support (New)
IPv6 autoconfiguration (New)
Cisco Catalyst Intelligent Switching Infrastructure: Manageability
(Pillars: Advanced QoS, Security, Availability, Manageability)
Features
End-to-end manageability using a common set of management tools
Centralized administration and software upgrades
Web-based access
Benefits
Simplify implementation, troubleshooting, and upgrades
Reduce operational costs
Simplify intelligent service implementation
Reduce maintenance costs
DHCP Auto Install and Auto Image
Simplifies deployment of a large number of switches: auto installation of configuration and IOS image.
DHCP auto image (New): allows automatic image download.
DHCP-based auto configuration: allows a switch to download a config from a TFTP server and install the configuration.
(Figure: a new switch obtains its address from the DHCP server and its image and configuration from the TFTP server.)
Integrated Time Domain Reflectometer (TDR)
Layer 1 troubleshooting tool
TDR helps to determine:
The length of a cable
Whether the cable is correctly wired internally (pin-to-pin wire mapping)
Whether the cable contains a short circuit (wires touching each other through damaged or missing insulation)
Whether the cable contains a broken wire (called an open)
Whether the cable suffers from electrical crosstalk (interference)
CISCO-CABLE-DIAG-MIB
(Figure: a cable fault located between two switch ports.)
UniDirectional Link Detection (UDLD): Protecting Against One-Way Communication
Highly available networks require UDLD to protect against one-way communication or partially failed links and the effect that they could have on protocols like STP and RSTP.
Primarily used on fiber optic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs.
Neighboring ports should see their own device/port ID (echo) in the packets received from the other side ("Are you echoing my hellos?").
Failing to receive this information indicates misconfiguration, and the port is error-disabled.
Cisco Error Disable MIB
Error disable allows software features to disable a port or VLAN upon detecting abnormal conditions.
Provides the ability to configure and monitor error disable conditions proactively.
Examples
Port security violations on a VLAN disable the VLAN.
Storm control disables the port when the broadcast threshold is exceeded.
CISCO-ERR-DISABLE MIB
Provides the reason for the port/VLAN error disable condition.
An automatic recovery time interval can be set; after this time, the port or VLAN is re-enabled.
Generates a notification when error disable occurs (rate can be specified).
LLDP-MED
Superset of LLDP (IEEE 802.3ab Link Layer Discovery)
When do we need LLDP-MED? For interoperability between Cisco Catalyst switches and third-party IP phones for VLAN and power exchange.
CDP provides Cisco end-to-end value add (granular power negotiation and many other capabilities).
LLDP-MED support
L2 neighbor discovery for IP phones.
Allows exchange of VLAN and power (MED doesn't provide power negotiation).
LLDP-MED Location
Location is configured on the switch.
Switch sends location to the IP phone using LLDP-MED.
Enables location-based services.
Broadest Range of Network Management Products
(Figure: positioning chart. Vertical axis: Price-Performance, starting at Free. Horizontal axis: Function and Flexibility, across the Small and Medium Business, Enterprise, and Service Provider segments.)
Catalyst Device Manager: one switch, initial setup only
Cisco Network Assistant: up to 40 switches and routers
CiscoWorks LAN Management Solution (LMS): thousands of devices; service management; WANs and LANs
WAN Manager: tens of thousands of devices; service provisioning; global WANs; Cisco IGX, BPX, and MGX switches only
*Small Network Management Solution (SNMS)
CiscoWorks LAN Management Solution (LMS)
Simplifies and automates tasks associated with day-to-day management: taking inventory, configuration, IOS software deployment, and troubleshooting.
Breadth of device support (over 400 Cisco device types) provides a single application suite for managing most Cisco-labeled devices.
Provides detailed visibility of users, ports, and network connectivity: topology services, user tracking, inventory.
Automates the change management process, quickly identifying hardware, software, and configuration changes: change audit reports.
LMS is a suite of applications designed to simplify and augment the daily tasks required to manage a Cisco end-to-end network, reducing total cost of ownership and improving network availability.
Management Interfaces
Cisco Network Assistant: manages a 40-device SMB network (router, switch, IP phone, wireless); web-based (Java).
Cisco Catalyst Device Manager: manages a single device; web-based (HTML).
Express Setup
1. Power up the switch and hold the mode button for a few seconds until all the mode LEDs are green.
2. Connect the PC to the Ethernet port and launch the browser.
3. Launch the Express Setup page by entering the IP address 10.0.0.1 in the browser.
4. Assign the switch IP address and management VLAN; enable the secret password, (optional) Telnet password, and SNMP configuration.
Cisco Catalyst Device Manager
Embedded in the switch.
View and configure a single switch using a web browser.
Display switch trends, status, and port statistics.
Integrated Smartports for simple port configuration.
Cisco Network Assistant Release 5.4
Multi-product, multi-technology management tool
Supports up to 40 devices: switches, routers, and firewalls, and unlimited IP phones and access points
Interactive topology and front panel views
Configuration, monitoring, troubleshooting, and network optimization
Highlight your VLANs, Telnet to devices, drag-and-drop IOS upgrades
Localized in French, Italian, German, Spanish, Chinese, and Japanese
Free download: www.cisco.com/go/cna
700K+ downloads
The Business Relevance of Cisco Smartports
Cisco Smartports allows for simple and accurate deployment of high-value, network-optimizing intelligent features.
Benefits
Simplified feature deployment
Less chance of errors
Deployment consistency across the network
Greater value from the intelligent network through increased feature usage
What It Does
Preconfigured macros enable fast and easy configuration of advanced Cisco Catalyst intelligent capabilities
Quickly enables QoS, security, and availability features with a single command
Offers granular flexibility on a per-port basis
Provides the ability to create customized macros
(Figure: campus switches connecting users to the intranet and the Internet.)
Cisco Smartports Transition
From This: To This:

Global Commands
errdisable recovery cause link-flap
errdisable recovery cause udld
errdisable recovery interval 60
vtp domain [smartports]
vtp mode transparent
udld aggressive
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id

Interface Commands
default interface range FastEthernet[1]/0/[1-48]
interface range FastEthernet[1]/0/[1-48]
 switchport access vlan [data]
 switchport mode access
 switchport voice vlan [voice]
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
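An audit of a saved configuration against the Smartports access-port template above, as an added example (not a Cisco tool): it parses interface stanzas from a constructed running-config excerpt and lists the template lines that the global section and each access port lack. The [data] and [voice] placeholders are accepted as any VLAN number, and the site-specific vtp domain name is not checked.

```python
import re

# Interface lines the Smartports macro on the slide applies to every access
# port. [data] and [voice] on the slide are VLAN placeholders, so any VLAN
# number is accepted for them.
REQUIRED_INTERFACE_PATTERNS = [
    r"switchport access vlan \d+",
    r"switchport mode access",
    r"switchport voice vlan \d+",
    r"switchport port-security",
    r"switchport port-security maximum 3",
    r"switchport port-security violation restrict",
    r"switchport port-security aging time 2",
    r"switchport port-security aging type inactivity",
    r"auto qos voip cisco-phone",
    r"spanning-tree portfast",
    r"spanning-tree bpduguard enable",
]
# Global lines from the slide; the vtp domain name is site-specific and not checked.
REQUIRED_GLOBAL_PATTERNS = [
    r"errdisable recovery cause link-flap",
    r"errdisable recovery cause udld",
    r"errdisable recovery interval 60",
    r"vtp mode transparent",
    r"udld aggressive",
    r"spanning-tree mode rapid-pvst",
    r"spanning-tree loopguard default",
    r"spanning-tree extend system-id",
]


def parse_config(text: str):
    """Split IOS config text into top-level lines and {interface name: [lines]}.
    An interface stanza is 'interface X' followed by indented lines; a '!'
    separator or an unindented line ends it."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        match = re.fullmatch(r"interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and raw[0].isspace():
            interfaces[current].append(line)
        else:
            current = None
            top.append(line)
    return top, interfaces


def missing(patterns, lines):
    """Patterns that no line matches exactly."""
    return [p for p in patterns if not any(re.fullmatch(p, l) for l in lines)]


def audit(text: str) -> dict:
    """Report template lines absent from the global section and from each
    access port (ports with 'switchport mode access'); trunks are skipped."""
    top, interfaces = parse_config(text)
    report = {"global": missing(REQUIRED_GLOBAL_PATTERNS, top), "interfaces": {}}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue
        gaps = missing(REQUIRED_INTERFACE_PATTERNS, lines)
        if gaps:
            report["interfaces"][name] = gaps
    return report


# Constructed running-config excerpt: Fa0/1 follows the template, Fa0/2 does not.
SAMPLE_CONFIG = """\
!
vtp mode transparent
udld aggressive
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
errdisable recovery cause link-flap
errdisable recovery interval 60
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for section, gaps in audit(SAMPLE_CONFIG).items():
        print(section, gaps)
```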
Agenda
Cisco Catalyst Switches Overview
Cisco Catalyst 2960 Product Overview
Intelligent Services
Feature Matrix
Cisco Catalyst 2960 Software Feature Matrix
For more detailed information, please read the Cisco Catalyst 2960 LAN Base and Cisco Catalyst 2960 LAN Lite datasheets.

Feature                         2960 LAN Lite   2960 LAN Base
Flash/DRAM                      32 / 64 MB      32 / 64 MB
RPS Support                     No              Yes
Jumbo Frames                    Yes             Yes
VLANs                           64              255
Disable MAC Learning per VLAN   No              Yes
Voice VLAN                      Yes             Yes
VTPv2                           Yes             Yes
CDPv2                           Yes             Yes
LLDP                            Yes             Yes (+MED)
STP Instances                   64              128
802.1w/802.1s                   Yes             Yes
PVST/PVRST+                     Yes             Yes
Port Fast/Uplink Fast           Yes             Yes
802.3ad LACP                    Yes             Yes
Enhanced PAgP for VSS           No              Yes
Flex Link                       No              Yes
Link State Tracking             No              Yes
Quality of Service
Feature                         2960 LAN Lite   2960 LAN Base
Port CoS Trust/Override         Yes             Yes
Trusted Boundary                No              Yes
ACL Classification              No              Yes
Ingress Policing (1MB incr.)    No              Yes
Auto QoS                        No              Yes
802.1p Queues                   4               4
Shaped Round Robin Scheduling   Yes             Yes
Priority Queuing                Yes             Yes
Configure CoS Priority Queues   Yes             Yes
Configure Queue Weights         No              Yes
Configure Buffers/Thresholds    No              Yes
Class & Policy Maps             No              Yes
Modify CoS/DSCP Mapping         No              Yes
DSCP Transparency               Yes             Yes
Weighted Tail Drop              Yes             Yes
Security
Feature                              2960 LAN Lite   2960 LAN Base
SSH/SSL/SCP                          Yes             Yes
RADIUS/TACACS+                       Yes             Yes
SNMPv3 crypto                        Yes             Yes
802.1x                               Yes             Yes
802.1x Accounting/MIB                Yes             Yes
802.1x w/ Port Security              Yes             Yes
802.1x w/ Voice VLAN                 Yes             Yes
802.1x Readiness Check               No              Yes
802.1x Guest VLAN                    Yes             Yes
802.1x VLAN assignment               Yes             Yes
802.1x Auth-Fail VLAN                No              Yes
802.1x AAA Fail Open                 No              Yes
802.1x Wake-On-LAN                   No              Yes
802.1x RADIUS ACL Filter ID          No              Yes
802.1x Multi-Domain Authentication   No              Yes
802.1x MAC-Auth Bypass               Yes             Yes
Web-Authentication                   No              Yes
Security, Multicast, IPv6
Feature                                                          2960 LAN Lite       2960 LAN Base
Cisco NAC-NAD-MIB                                                No                  Yes
Cisco-PAE-MIB                                                    No                  Yes
L2-4 ACLs (Port, Time, and DSCP-based)                           No                  Yes
BPDU/Root Guard                                                  Yes (voice aware)   Yes (voice aware)
Port Security                                                    Yes (voice aware)   Yes (voice aware)
DHCP Snooping                                                    No                  Yes
DHCP Option 82                                                   No                  Yes
DHCP Server                                                      No                  Yes
Private VLAN Edge                                                Yes                 Yes
Storm Control                                                    Yes                 Yes
Block Unknown Unicast/Multicast                                  Yes                 Yes
IPv6 Host (SNMP, Syslog, HTTP, Autoconfiguration, Telnet, etc.)  No                  Yes
IPv6 MLD Snooping                                                No                  Yes
MVR                                                              No                  Yes
IGMP Snooping                                                    Yes                 Yes
IGMP Filter/Throttle                                             Yes                 Yes
Management and Troubleshooting
Feature                     2960 LAN Lite   2960 LAN Base
Auto-MDIX                   Yes             Yes
TDR                         Yes             Yes
UDLD                        Yes             Yes
IP SLA Responder            No              Yes
Layer 2/IP Traceroute       Yes             Yes
SPAN (number of sessions)   Yes (1)         Yes (2)
RSPAN                       No              Yes
Express Setup               Yes             Yes
Device Manager              Yes             Yes
Cisco Network Assistant     Yes             Yes
Smartports + Adviser        Yes             Yes
Troubleshooting Adviser     Yes             Yes
Drag-and-drop IOS Upgrade   Yes             Yes
IP Address DHCP             Yes             Yes
Config Replace              Yes             Yes
DHCP Auto Config (New)      Yes             Yes
DHCP Auto Image Upgrade     Yes             Yes
Error Disable MIB           Yes             Yes