Cisco WS-C3550-12G Switch Guide - Page 204
Service Module, 10GB-T Module, MACsec
Fixed-Configuration Switches: Cisco Catalyst 3560-X Series

Cisco Catalyst 3560-X Spotlight

Service Module

The new Cisco Service Module offers enhanced security and Flexible NetFlow (FNF) features on the uplink ports of the Catalyst 3750-X and 3560-X. The service module is supported with the IP Base or IP Services feature set. It can be used with SFP or SFP+ at 1G or 10G speeds.

The new Cisco Service Module has custom dedicated hardware for FNF monitoring, separate from the dedicated hardware for MACsec. Therefore there is no impact on packet forwarding performance or latency. It offers flexibility, with the user being able to define flows.

The new Cisco Service Module enables the following services:

• Line rate (40G) Flexible NetFlow for Network Monitoring and Security Anomaly Detection
• Supported version 9
• 32,000 simultaneous flows
• 128 simultaneous active monitors
• Line rate (40G) MACsec encryption (please refer to the MACsec section below)

FNF is a network monitoring technology. A NetFlow table can be used to collect flow statistics. Customers can use the flow information for a variety of use cases, such as understanding:

1. Applications running on the network, and identifying undesired applications, P2P etc.
2. Granular local and aggregated campus view (Top N applications, drill down etc.).
3. Top talkers (ports, users, applications) for application usage, productivity and asset utilization etc.
4. Security Anomaly Detection by examining flows that do not traverse trust boundaries, for inside-the-perimeter attacks
5. Impacts of network and application changes
6. Compliance conformation
7. Traffic patterns for capacity planning

Enabling FNF at the access switch ensures you get all flows. The access switch is the most logical place in the network for collecting statistics and monitoring all flows. With NetFlow, you can obtain the MAC address and access port information associated with the flow, to get directly to the source of the flow. Most collectors are able to derive the location from the MAC address and interface port number that the access switch provides to the collector. Thus, by enabling FNF at the access switch, you are able to get the location information of the flow.

The access switch has a variety of identity mechanisms for user authentication, and adding user awareness is the natural progression that can be developed. Access switches are an order of magnitude more numerous than distribution and core switches, which makes them scale well for FNF and ensures there are no performance impacts from oversubscription at aggregation and core.

10GB-T Module

The new Cisco 10G Base-T module is hot-swappable and can operate at either 10GE or GE speed (with manual configuration).

MACsec

The Cisco Catalyst 3560-X Series Switches offer exceptional security with integrated hardware support for MACsec, defined in IEEE 802.1AE. MACsec provides MAC layer encryption over wired networks using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) protocol provides the required session keys and manages the keys required for encryption when configured. MKA and MACsec are implemented following successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework.

In Cisco Catalyst 3560-X Series Switches, both the user/down-link ports (links between the switch and endpoint devices such as a PC or IP phone) and, using the service module, the network/up-link ports can be secured using MACsec. With the service module you can encrypt switch-to-switch links such as access to distribution, or encrypt dark fiber links within a building or between buildings.