Maintenance Release Cisco 300 Series Switches

Presentation transcript:

Maintenance Release 1.2.5: Cisco 300 Series Switches
Ivor Diedricks, Sr. Product Manager

300 Series sample features: LLDP-MED, MAC-based VLAN, Static Routing, CCA, DoS Attack Prevention, Private VLAN, Time-based 802.1x, Guest VLAN, Policer Stats, MLD Snooping, DHCP Option 66/67, Dual images, ACLs, IPv6, Fanless, CDP, Localization, TextView/CLI, L3 Isolation, More Gigabit ports, Energy Efficiency, Bonjour, Dynamic VLAN Assignment, VLAN Mirroring, QinQ, Protected Ports, FindIT, TCP Congestion Avoidance, Voice VLAN, IGMP Querier, Smartports, Option 82, Spanning Tree

300 series enhancements in version 1.2.5
- Extend the already feature-rich security capabilities
  - Add support for Denial-of-Service attack prevention capabilities
  - Secure file transfers to/from the switch
  - Secure mechanism to handle sensitive data (passwords, keys, etc.) on the switch, as well as populating it to other switches
  - Secure auto-configuration of the switches
- Extend the time-based capabilities of the switches
  - Deliver network access for users, devices and applications on a time schedule
  - Time-based ACLs and port operation
- Extend the green energy-saving capabilities of the switches
  - Disable LEDs
- Enhanced visibility to help troubleshooting and enable billing
  - Support for RADIUS Accounting

1.2.5 Key Features/Benefits
- Denial-of-Service attack prevention
  - DHCP Snooping: eliminates rogue devices from behaving as the DHCP server
  - IP Source Guard: prevents IP address spoofing
  - Dynamic ARP Inspection: prevents man-in-the-middle attacks
  - IP/MAC/Port Binding (IPMB): the features above work together to prevent DoS attacks in the network and increase network availability
- SSD (Secure Sensitive Data): secures passwords, keys, certificates and the config file; securely manages sensitive data in the network, protects customer secrets and prevents tampering
- Secure Auto-config: eases secure automatic mass deployment or network changes, which lowers operational costs
- Secure Copy (SCP): a secure and authenticated method for copying switch image or config files
- Time-based network connectivity/access (in addition to 802.1x)
  - Time-based ACLs: schedule activation/deactivation of ACLs; provide secure access to resources on a time schedule
  - Time-based port operation: activate/deactivate a port based on a schedule, lowering operational costs (e.g. guest connectivity)
- Additional energy savings: turn off LEDs; lowers operational costs (lower power consumption and cooling requirements)
- Multicast TV VLAN: optimizes network resource consumption for multicast traffic, improving user productivity
- RADIUS Accounting: allows tracking of the resources used by a session, for billing or intelligence purposes

Differences between 500/500X
- Sx500: 10G resilient ring stacking; low-cost stackable switches; Gigabit and 10/100 versions; advanced features plus high-power PoE (802.3at 30W vs 15W)
- SG500X: 20G resilient ring stacking; SG500 with 10G stacking/uplink SFP+ ports (Gigabit only); supports stacking or connections to servers with 10G interfaces; adds dynamic Layer 3 switching; higher PoE budget; VRRP – Virtual Router Redundancy Protocol (HSRP)

Security – DHCP Snooping
What it does:
- The switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic arriving on them
- Only designated DHCP ports or uplink ports are trusted to relay DHCP messages
- Builds a DHCP binding table containing the client's IP address, MAC address, port and VLAN
Benefit: eliminates rogue devices from behaving as the DHCP server
[Figure: with DHCP snooping enabled, the DHCP request from the client reaches the DHCP server on the trusted port and its DHCP ACK is forwarded (√); the DHCP ACK from a rogue server on an untrusted port is dropped (X)]

Security – IP Source Guard
What it does:
- If a user is assigned an IP address via DHCP, the switch can enforce that assignment by blocking packets sent from the client's port that claim to be from a different IP address
- This is accomplished by enabling DHCP snooping and IP Source Guard
- Prevents a malicious user from using an IP address not assigned to them
Benefit: IP address "spoofing" is prevented
[Figure: the legitimate client announces "I'm assigned IP address 10.2.2.15"; another host on a different port claims "I'm going to steal address 10.2.2.15"; the switch answers "No, you're not!" because it binds the client IP address, client MAC address, port and VLAN number]

Security – Dynamic ARP Inspection
What it does:
- Discards ARP packets with invalid IP-to-MAC address bindings
- Uses the DHCP binding table that was dynamically populated by DHCP Snooping
Benefit: effectively stops "man-in-the-middle" attacks and "ARP spoofing"
[Figure: end device 10.1.1.2 has gateway 10.1.1.1 with MAC 0000.0000.0001; another host sends a gratuitous ARP "I'm your GW: 10.1.1.1" to change the gateway MAC in the end device's ARP table; the switch rejects it: "Not by my binding table"]

Combined Advanced Security – IPMB: DAI + DHCP Snooping + IPSG + Port Security
Feature:
- Allow ARP packets from trusted ports, while denying those from untrusted ports
- Maintain the DHCP-negotiated IP/MAC binding table in the switch for future ARP packet comparison
- Use IPSG to only allow legal MAC+IP sources present in the DHCP database
- Use DHCP Snooping to prevent illegal private servers
- The combination is known as IP/MAC/Port Binding, or IPMB
Advantages:
- Anti-ARP attack
- Prevents illegal private servers from connecting to the intranet
- IP address spoofing prevention
- Sets user limits on a single port
- All ARP packets from untrusted ports are analyzed and filtered
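The following model, added here as an illustration and not code from the switch firmware, replays the three scenarios from the DHCP Snooping, IP Source Guard and Dynamic ARP Inspection slides above against one shared binding table, which is the IPMB combination this slide describes. Port names (`uplink`, `gi1`...), MAC addresses and message names are constructed.

```python
# Model of the DHCP snooping / IP Source Guard / DAI checks described above (added
# example, not switch firmware); port names and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class Switch:
    trusted_ports: set                                # uplinks toward the real DHCP server
    client_port: dict = field(default_factory=dict)   # client MAC -> access port it was seen on
    bindings: dict = field(default_factory=dict)      # access port -> (ip, mac, vlan)

    def dhcp(self, port, vlan, mac, msg, yiaddr=None):
        """Snooping: client messages from any port; server replies only from trusted
        ports. A forwarded ACK records the lease against the client's port."""
        if msg in ("DISCOVER", "REQUEST"):
            self.client_port[mac] = port
            return "FORWARD"
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                return "DROP"                         # rogue server on an access port
            cport = self.client_port.get(mac)
            if msg == "ACK" and cport:
                self.bindings[cport] = (yiaddr, mac, vlan)
            return "FORWARD"
        return "DROP"

    def _bound(self, port, ip, mac):
        """True when (ip, mac) is the lease recorded for this port."""
        b = self.bindings.get(port)
        return b is not None and b[0] == ip and b[1] == mac

    def ip_packet(self, port, src_ip, src_mac):
        """IP Source Guard: an untrusted port may only source its leased address."""
        ok = port in self.trusted_ports or self._bound(port, src_ip, src_mac)
        return "FORWARD" if ok else "DROP"

    def arp(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: ARP sender fields must match the binding table."""
        ok = port in self.trusted_ports or self._bound(port, sender_ip, sender_mac)
        return "FORWARD" if ok else "DROP"

def run_scenario():
    """Replays the slide scenarios; returns the switch's verdict for each."""
    sw = Switch(trusted_ports={"uplink"})
    out = {}
    sw.dhcp("gi1", 10, "00:00:00:00:00:01", "DISCOVER")
    out["real_ack"] = sw.dhcp("uplink", 10, "00:00:00:00:00:01", "ACK", "10.2.2.15")
    sw.dhcp("gi3", 10, "00:00:00:00:00:03", "DISCOVER")
    out["rogue_ack"] = sw.dhcp("gi2", 10, "00:00:00:00:00:03", "ACK", "10.2.2.99")
    out["legit_ip"] = sw.ip_packet("gi1", "10.2.2.15", "00:00:00:00:00:01")
    out["spoofed_ip"] = sw.ip_packet("gi2", "10.2.2.15", "00:00:00:00:00:02")
    out["legit_arp"] = sw.arp("gi1", "10.2.2.15", "00:00:00:00:00:01")
    out["gw_spoof_arp"] = sw.arp("gi2", "10.1.1.1", "00:00:00:00:00:02")
    return out
```

Each verdict is "FORWARD" or "DROP"; the rogue ACK, the spoofed source IP and the gratuitous ARP claiming the gateway are all dropped because no lease on those ports matches them.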

Secure Sensitive Data (SSD) – Overview
- Architecture that facilitates the protection of sensitive data on a switch
- Sensitive data = passwords, keys, passphrases
- Makes use of a passphrase, product secrets, encryption, access control and secured user authentication to provide a secure solution for managing sensitive data
- Protects configuration files containing sensitive data from being tampered with (file integrity control)
- Also supports zero-touch auto-configuration with sensitive data
- SSD enables the secure backup and sharing of configuration files containing sensitive data
- SSD permits and denies access to sensitive data, in encrypted and plaintext format
- SSD permissions are based on user credentials and SSD rules
- SSD protects sensitive data on a device with SSD rules, SSD properties and user authentication
- The configuration of SSD rules, SSD properties and user authentication is itself sensitive data protected by SSD

Protection Levels
SSD provides administrators with the flexibility to configure the desired level of protection for their sensitive data:
- No protection, with sensitive data in plaintext
- Minimum protection, with encryption based on the default passphrase
- High-level protection, with encryption based on a user-defined passphrase
SSD grants read permission to sensitive data only to authenticated and authorized users, based on SSD rules. The switch authenticates and authorizes management access to users through the user authentication process. Only SSD platforms have the secrets needed to decrypt encrypted data of other SSD platforms.

SSD Details
- Key: 128-bit (AES), generated from the passphrase with padding on both sides
- Also uses a non-reversible MD5 hash to verify config file integrity and SSD control block integrity
- SSD rules
  - Permissions for users/groups
  - Access on a specific channel: Console, SSH, HTTPS, SCP, Telnet, HTTP, etc.
  - Can view in plaintext, encrypted, or both
- Zero-touch auto-config with a user-defined passphrase
  - The config file carries the user-defined passphrase as encrypted data
  - The receiving device learns the user-defined passphrase from the config file
  - No need to pre-configure the user-defined passphrase on the receiving device

SSD Zero Touch Auto Configuration (auto configuration by DHCP)
[Diagram: Switch 1, a TFTP server and Switch N; manual steps are A and B, the remaining steps are automatic]
- A: Configure the SSD passphrase, access rules and other configuration including sensitive data on Switch 1 (manual)
- B: Upload the Switch 1 configuration to the TFTP server (manual)
- C: Configuration file of Switch 1 (encrypted sensitive data, encrypted passphrase) is held on the TFTP server (automatic)
- E: Configuration file from Switch 1 (encrypted sensitive data, encrypted passphrase) is delivered to Switch N (automatic)
- F: Switch N reboots with the new configuration file (automatic)
Sensitive data are protected with encryption throughout. Zero-touch: no need to manually configure the passphrase on every switch; the passphrase is learnt from the configuration file. Facilitates mass deployment (service provider) and remote offices.
© 2009, Cisco Systems, Inc. All rights reserved.

Time-Based Switch Operations
Time-based operations are useful when traffic/access needs to be restricted based on:
- A certain time range
- A certain day
- A certain date
- Periodic settings
Time ranges are supported for multiple capabilities, i.e. ACLs, 802.1x (supported in the prior release), PoE (future release) and port operation.
Time-based ACLs: restrict traffic based on a time schedule. For example, a user might employ time-based ACLs:
- To only allow web surfing during a particular time of day
- To allow access to a particular server only during work hours
Time-based port operation: allows the administrator to define the days/hours in the week when a port is in the 'up' state.
- When the device clock is not within the time range, the port will be shut down
- For example, an Ethernet port in a guest office may be active only during office hours
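An evaluator for the two time-based behaviours on this slide, added here as an illustration rather than the switch's own implementation: an ACL whose entries carry a time range (web only at a constructed lunch window, an internal server only during work hours), and a guest-office port that is up only during office hours. The ACL, time ranges and addresses are constructed, and a time range is assumed not to cross midnight.

```python
# Time-based ACL and port-operation evaluator (added example, not switch code).
# Constructed schedule: WORK_HOURS = Mon-Fri 08:00-18:00, LUNCH = Mon-Fri 12:00-13:00.
from datetime import datetime, time

def in_time_range(now, days, start, end):
    """True when `now` is on one of `days` (0=Mon) and within [start, end).
    Assumes start < end, i.e. the range does not cross midnight."""
    return now.weekday() in days and start <= now.time() < end

WEEKDAYS = {0, 1, 2, 3, 4}
WORK_HOURS = dict(days=WEEKDAYS, start=time(8, 0), end=time(18, 0))
LUNCH = dict(days=WEEKDAYS, start=time(12, 0), end=time(13, 0))

# Constructed ACL: (action, dst_ip or None for any, dst_port or None, time range or None).
# Evaluated top-down, first match wins, implicit deny at the end; an entry whose
# time range is inactive is skipped as if it were not in the list.
ACL = [
    ("permit", "10.1.1.50", 443, WORK_HOURS),   # internal server during work hours only
    ("permit", None, 80, LUNCH),                # web surfing only during lunch
    ("permit", None, 53, None),                 # DNS at any time
]

def acl_verdict(acl, now, dst_ip, dst_port):
    """Returns 'permit' or 'deny' for a packet evaluated at clock time `now`."""
    for action, ip, port, tr in acl:
        if ip not in (None, dst_ip) or port not in (None, dst_port):
            continue
        if tr is not None and not in_time_range(now, **tr):
            continue                            # entry is scheduled off right now
        return action
    return "deny"

def guest_port_state(now):
    """Time-based port operation: the guest-office port is up only in office hours."""
    return "up" if in_time_range(now, **WORK_HOURS) else "shutdown"
```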

Disable Port LEDs
- The device LEDs (Link, Speed, PoE) are power consumers
- To minimize power consumption, thereby saving on operational costs, an admin might want to disable the port LEDs
- This feature allows the user to control the LEDs:
  - Disable the port LEDs when they are not required
  - Enable the port LEDs if needed for debugging, connecting additional devices, etc.
- The System LED is not affected

Multicast TV VLAN
- Maximizes network efficiency in the presence of multicast
- Reduces duplication of multicast traffic across multiple VLANs in Layer 2 networks by centralizing the distribution of multicast traffic in a single video VLAN
- Endpoints live in their isolated VLAN segments while listening for multicast traffic in this VLAN
- Similar to MVR (Multicast VLAN Registration)

"They were the most energy efficient..."
Report: DR120119 – 24 Feb 2012, www.miercom.com
- Cisco 200/300 switches versus: HP E2620, E2810, E2520, E2510, E1810; D-Link DES-3052 / DES-3052P
- "They were the most energy efficient..."
- "Cisco had the most extensive feature set for IPv6 transitions"
- "easiest to configure and implement"
- "forwarded line rate full mesh traffic at all frame sizes with zero loss"
- "Cisco switches more economical"
- "Highest capacity and scalability"
- "Best resiliency when subjected to a DOS attack"
- "We were impressed with the comprehensive set of features, performance, overall power efficiency, and ease-of-use of the Cisco switches" – Rob Smithers, CEO, Miercom
Report: #211103 – Feb 2011, www.tolly.com
- Cisco 300 switches versus: HP E2610, E2810, E2510; D-Link DES-3528 / DES-3528P; Netgear FSM726, GSM7224
- "Lowest power consumption and best-in-class efficiency overall"
- "Most extensive set of IPv6 protocol and application support"
- "Best usability with simplified UI"
- "Wirespeed, non-blocking, L2 performance at all frame sizes"
- "Best price/performance"
- "Most extensive feature set"
- "most extensive capabilities, best performance, lowest latency, lowest overall Energy consumption, and best user experience"
- "Cisco has raised the bar for this product category" – Kevin Tolly, founder, The Tolly Group

Cisco SMB Switching: the leader in switching solutions for small to medium businesses
- Over 20 million switching ports shipped in the last year
- Solid market share = the right features, price and reliability for your business
- Purpose-built for SMB: the pricing, functionality and ease that customers are asking for
  - Easy to install and maintain
- Part of a complete data, voice and video networking solution
  - Simplified integration for data, voice and video communications needs
- Backed by Cisco
  - Comprehensive quality and integration testing: works as you expect it to work
  - Superior support: better tools, documentation and technical support, for Cisco-class support

Resources and URLs
- Cisco® 300 Series Switches: www.cisco.com/go/300switches
- Partner Central Small Business Switching: www.cisco.com/go/smbpartner/switching
- Cisco Small Business Support Community: https://www.myciscocommunity.com/community/smallbizsupport
- Cisco 300 Series Switches Warranty: http://www.Cisco.com/go/warranty
- Cisco Small Business Service: www.cisco.com/go/smbservices