Maintenance Release Cisco 300 Series Switches


1 Maintenance Release 1.2.5 Cisco 300 Series Switches
Ivor Diedricks Sr. Product Manager

2 300 Series sample features
LLDP-MED, MAC-based VLAN, Static Routing, CCA, DoS Attack Prevention, Private VLAN, Time-based 802.1x, Guest VLAN, Policer Stats, MLD Snooping, DHCP Option 66/67, Dual images, ACLs, IPv6, Fanless, CDP, Localization, TextView/CLI, L3 Isolation, More Gigabit ports, Energy Efficiency, Bonjour, Dynamic VLAN Assignment, VLAN Mirroring, QinQ, Protected Ports, FindIT, TCP Congestion Avoidance, Voice VLAN, IGMP Querier, Smartports, Option 82, Spanning Tree

3 300 series enhancements in version 1.2.5
- Extend the already feature-rich security capabilities:
  - Denial-of-Service attack prevention
  - Secure file transfers to/from the switch
  - A secure mechanism for handling sensitive data (passwords, keys, etc.) on the switch and for propagating it to other switches
  - Secure auto-configuration of the switches
- Extend the time-based capabilities of the switches: deliver network access for users, devices and applications on a time schedule (time-based ACLs and port operation)
- Extend the green energy-saving capabilities of the switches: disable LEDs
- Enhanced visibility to help troubleshooting and enable billing: support for RADIUS Accounting

4 1.2.5 Key Features/Benefits
Denial-of-Service attack prevention
- DHCP Snooping: stops rogue devices acting as the DHCP server
- IP Source Guard: prevents IP address spoofing
- Dynamic ARP Inspection: prevents man-in-the-middle attacks
- IP/MAC/Port Binding (IPMB): the features above work together to prevent DoS attacks in the network and increase network availability
SSD (Secure Sensitive Data)
- Secures passwords, keys, certificates and the configuration file; securely manages sensitive data in the network, protecting customer secrets and preventing tampering
- Secure auto-config: eases secure automatic mass deployment and network changes, which lowers operational costs
Secure Copy (SCP): a secure and authenticated method for copying switch image or configuration files
Time-based network connectivity/access (in addition to 802.1x)
- Time-based ACLs: schedule activation/deactivation of ACLs; provide access to resources on a time schedule
- Time-based port operation: activate/deactivate a port on a schedule, e.g. for guest connectivity; lowers operational costs
Additional energy savings: turn off LEDs, lowering operational costs (power consumption and cooling requirements)
Multicast TV VLAN: optimizes network resource consumption for multicast traffic, improving user productivity
RADIUS Accounting: allows tracking of the resources used by a session, for billing or intelligence purposes

Differences between the 500 and 500X series
- Sx500: 10G resilient ring stacking; low-cost stackable switches; Gigabit and 10/100 versions; advanced features plus high-power PoE (802.3at 30W vs 15W)
- SG500X: 20G resilient ring stacking; SG500 with 10G stacking/uplink SFP+ ports (Gigabit only); supports stacking or connections to servers with 10G interfaces; adds dynamic Layer 3 switching; higher PoE budget; VRRP (Virtual Router Redundancy Protocol, the standards-based counterpart of HSRP)

5 Security – DHCP Snooping
What it does:
- On untrusted (access) ports the switch forwards only DHCP client messages (DISCOVER, REQUEST and the like) and drops DHCP server messages (OFFER, ACK, NAK)
- Only designated DHCP server ports or uplink ports are marked trusted and may relay DHCP server messages
- Builds a DHCP binding table containing each client's IP address, MAC address, port and VLAN
Benefit: eliminates rogue devices acting as the DHCP server
[Figure: with DHCP snooping enabled, the DHCP request from the client reaches the DHCP server through the trusted port; the DHCP ACK from a rogue server on an untrusted port is dropped]

6 Security – IP Source Guard
What it does:
- When a client's IP address was assigned via DHCP, the switch enforces that assignment by dropping packets on the client's port whose source IP address differs from the one bound to it
- Requires DHCP snooping to be enabled together with IP Source Guard; the binding (client IP address, client MAC address, port, VLAN) comes from the DHCP snooping table
- Prevents a malicious user from using an IP address not assigned to them
Benefit: IP address "spoofing" is prevented
[Figure callouts: "I'm assigned IP address ", "I'm going to steal address " and the switch's "No, you're not!"; the addresses are missing from the transcript]

7 Security – Dynamic ARP Inspection
What it does:
- Discards ARP packets whose sender IP-to-MAC binding is invalid
- Validates against the DHCP binding table that was populated dynamically by DHCP snooping
Benefit: effectively stops "man-in-the-middle" attacks and "ARP spoofing"
[Figure: an attacker sends a gratuitous ARP ("I'm your GW: ...") to change the end device's ARP table entry for the gateway MAC; the switch rejects it ("Not by my binding table"); the IP and MAC values are missing from the transcript]

8 Combined Advanced Security - IPMB:
DAI + DHCP Snooping + IPSG + Port Security
Feature:
- Allow ARP packets from trusted ports; analyze and filter all ARP packets from untrusted ports
- Maintain the DHCP-negotiated IP/MAC binding table in the switch for comparison against later ARP packets
- Use IPSG to allow only source MAC+IP pairs that are present in the DHCP binding database
- Use DHCP snooping to block illegal private DHCP servers
- Use port security to limit the number of MAC addresses (users) on a single port
- The combination is known as IP/MAC/Port Binding (IPMB)
Advantages:
- Anti-ARP attack (ARP spoofing/poisoning)
- Prevents illegal private DHCP servers from connecting to the intranet
- IP address spoofing prevention
- Sets user limits on a single port
Caveat: hosts with statically assigned addresses have no DHCP-learned binding, so IPSG and DAI block them on untrusted ports unless a static binding entry is added for them.
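The interplay described on slides 5 to 8 (DHCP snooping filling the binding table, IP Source Guard and DAI consulting it, port security capping MACs per port), as an added example that is not Cisco's code or configuration. Port names, MAC addresses, the VLAN and the message sequence are constructed sample input; the verdict strings are this example's own.

```python
"""IP/MAC/Port Binding (IPMB) on one access switch: DHCP snooping builds the
binding table, IP Source Guard and Dynamic ARP Inspection consult it, and
port security caps the MAC addresses an untrusted port may source.
Added example, not Cisco code; all packets are constructed sample input
expressed as dicts with the fields each check needs."""
from dataclasses import dataclass, field

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass
class Switch:
    trusted: frozenset                     # ports allowed to carry DHCP server replies and unchecked ARP
    max_macs: int = 1                      # port-security limit per untrusted port
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding learned from DHCP ACKs
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port seen in a REQUEST
    macs_seen: dict = field(default_factory=dict)  # port -> source MACs seen (port security)

    def _port_security(self, port, mac):
        """Untrusted ports may source at most max_macs distinct MAC addresses."""
        if port in self.trusted:
            return True
        seen = self.macs_seen.setdefault(port, set())
        if mac in seen or len(seen) < self.max_macs:
            seen.add(mac)
            return True
        return False

    def dhcp(self, pkt):
        """DHCP snooping: client messages pass from any port, server messages
        only from trusted ports; an ACK from a trusted port creates a binding."""
        if not self._port_security(pkt["port"], pkt["src_mac"]):
            return "drop:port-security"
        key = (pkt["chaddr"], pkt["vlan"])
        if pkt["port"] not in self.trusted:
            if pkt["msg"] in DHCP_SERVER_MSGS:
                return "drop:rogue-server"           # a server answering on an access port
            if pkt["msg"] == "REQUEST":
                self.pending[key] = pkt["port"]      # remember which port the client sits on
            return "forward"
        if pkt["msg"] == "ACK" and key in self.pending:
            self.bindings[key] = Binding(pkt["yiaddr"], pkt["chaddr"], self.pending.pop(key), pkt["vlan"])
        return "forward"

    def ipsg(self, pkt):
        """IP Source Guard: on untrusted ports the source IP/MAC/port/VLAN must match a binding."""
        if not self._port_security(pkt["port"], pkt["src_mac"]):
            return "drop:port-security"
        if pkt["port"] in self.trusted:
            return "forward"
        b = self.bindings.get((pkt["src_mac"], pkt["vlan"]))
        return "forward" if b and b.ip == pkt["src_ip"] and b.port == pkt["port"] else "drop:ip-spoof"

    def dai(self, pkt):
        """Dynamic ARP Inspection: the ARP sender IP/MAC must match a binding
        on this port (and the sender MAC must equal the frame's source MAC)."""
        if not self._port_security(pkt["port"], pkt["src_mac"]):
            return "drop:port-security"
        if pkt["port"] in self.trusted:
            return "forward"
        b = self.bindings.get((pkt["sender_mac"], pkt["vlan"]))
        ok = (b and b.ip == pkt["sender_ip"] and b.port == pkt["port"]
              and pkt["sender_mac"] == pkt["src_mac"])
        return "forward" if ok else "drop:arp-spoof"


def run_scenario():
    """gi1 = uplink to the real DHCP server (trusted); gi2 = legitimate client;
    gi3 = attacker.  Returns the verdict per packet and the switch state."""
    sw = Switch(trusted=frozenset({"gi1"}))
    client, attacker, server = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    v = {}
    v["discover"] = sw.dhcp({"port": "gi2", "src_mac": client, "msg": "DISCOVER", "chaddr": client, "vlan": 10})
    v["offer"] = sw.dhcp({"port": "gi1", "src_mac": server, "msg": "OFFER", "chaddr": client, "vlan": 10, "yiaddr": "10.0.10.20"})
    v["request"] = sw.dhcp({"port": "gi2", "src_mac": client, "msg": "REQUEST", "chaddr": client, "vlan": 10})
    v["ack"] = sw.dhcp({"port": "gi1", "src_mac": server, "msg": "ACK", "chaddr": client, "vlan": 10, "yiaddr": "10.0.10.20"})
    # a rogue DHCP server answering from an access port
    v["rogue_offer"] = sw.dhcp({"port": "gi3", "src_mac": attacker, "msg": "OFFER", "chaddr": client, "vlan": 10, "yiaddr": "10.0.10.99"})
    # IP Source Guard: the client uses its lease, the attacker tries to use the client's address
    v["client_ip"] = sw.ipsg({"port": "gi2", "src_mac": client, "src_ip": "10.0.10.20", "vlan": 10})
    v["stolen_ip"] = sw.ipsg({"port": "gi3", "src_mac": attacker, "src_ip": "10.0.10.20", "vlan": 10})
    # DAI: the attacker claims the gateway address 10.0.10.1 in a gratuitous ARP
    v["client_arp"] = sw.dai({"port": "gi2", "src_mac": client, "sender_mac": client, "sender_ip": "10.0.10.20", "vlan": 10})
    v["gateway_spoof"] = sw.dai({"port": "gi3", "src_mac": attacker, "sender_mac": attacker, "sender_ip": "10.0.10.1", "vlan": 10})
    v["uplink_arp"] = sw.dai({"port": "gi1", "src_mac": server, "sender_mac": server, "sender_ip": "10.0.10.1", "vlan": 10})
    # port security: a second MAC on gi3 exceeds the limit of one
    v["second_mac"] = sw.ipsg({"port": "gi3", "src_mac": "dd:dd:dd:dd:dd:dd", "src_ip": "10.0.10.21", "vlan": 10})
    return v, sw
```

Run `run_scenario()` to see the verdicts: the rogue OFFER, the stolen address, the gateway ARP and the second MAC on gi3 are dropped, while the legitimate client's traffic and everything on the trusted uplink is forwarded. The trusted-port bypass is the point to get right in production: a port that is both an uplink and an access port for hosts cannot be marked trusted without losing all three checks for those hosts.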

9 Secure Sensitive Data (SSD) - Overview
- An architecture that facilitates the protection of sensitive data on a switch; sensitive data = passwords, keys, passphrases
- Uses a passphrase, product secrets, encryption, access control and secured user authentication to provide a secure solution for managing sensitive data
- Protects configuration files containing sensitive data from being tampered with (file integrity control)
- Also supports zero-touch auto-configuration with sensitive data
- Enables the secure backup and sharing of configuration files containing sensitive data
- Permits and denies access to sensitive data, in encrypted and plaintext form; permissions are based on user credentials and SSD rules
- Protects sensitive data on a device with SSD rules, SSD properties and user authentication; the configuration of the SSD rules, SSD properties and user authentication is itself sensitive data protected by SSD

10 Protection Levels
SSD gives administrators the flexibility to configure the desired level of protection for their sensitive data:
- No protection: sensitive data stored in plaintext
- Minimum protection: encryption based on the default passphrase
- High-level protection: encryption based on a user-defined passphrase
SSD grants read permission to sensitive data only to authenticated and authorized users, based on SSD rules. The switch authenticates and authorizes management access through the user authentication process. Only devices that implement SSD hold the secrets needed to decrypt data encrypted by another SSD device.
Because the default passphrase is not specific to a customer, treat the minimum level as protection against casual viewing only and use a user-defined passphrase wherever the configuration file leaves the device.

11 SSD Details
Key:
- 128-bit AES key, generated from the passphrase with padding on both sides (key strength is therefore bounded by passphrase strength; choose a long passphrase)
- A non-reversible MD5 hash is also used to verify configuration file integrity and SSD control block integrity
SSD rules:
- Permissions for users/groups
- Access on a specific channel: console, SSH, HTTPS, SCP, Telnet, HTTP, etc.
- Can view sensitive data in plaintext, encrypted form, or both (a sensible rule set denies plaintext viewing over unencrypted channels such as Telnet and HTTP)
Zero-touch auto-config with a user-defined passphrase:
- The configuration file carries the user-defined passphrase as encrypted data
- The receiving device learns the user-defined passphrase from the configuration file
- No need to pre-configure the user-defined passphrase on the receiving device

12 SSD Zero Touch Auto Configuration
Flow between Switch 1, the TFTP server and Switch N (the original diagram's legend distinguishes manual from automatic steps):
- A: On Switch 1, configure the SSD passphrase, access rules and the rest of the configuration, including sensitive data
- B: Upload the Switch 1 configuration to the TFTP server
- C: The configuration file of Switch 1 is held on the TFTP server with its sensitive data encrypted and the passphrase encrypted
- Switch N obtains the configuration file through auto configuration by DHCP
- E: Switch N receives the configuration file from Switch 1 (encrypted sensitive data, encrypted passphrase)
- F: Switch N reboots with the new configuration file
Sensitive data are protected with encryption throughout. Zero-touch: there is no need to manually configure the passphrase on every switch; the passphrase is learnt from the configuration file. This facilitates mass deployment (service providers) and remote offices.
© 2009, Cisco Systems, Inc. All rights reserved.
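The layering that slides 9 to 12 describe (sensitive values encrypted under a passphrase-derived key, the passphrase itself carried in the file encrypted under a product secret that only SSD devices hold, and an integrity digest over the file) as an added example; it is not Cisco's implementation and the file format is invented for illustration. Two substitutions are labelled in the code: the standard library has no AES, so an HMAC-SHA256 counter keystream stands in for AES-128, and the digest is keyed with the product secret rather than being the bare MD5 the slides mention, because an unkeyed digest can be recomputed by anyone who edits the file. The padding rule in `derive_key`, the product secret and the sample settings are assumptions.

```python
"""Secure-sensitive-data handling for an exported configuration file.
Added example, not Cisco's SSD code.  Stand-ins: HMAC-SHA256 keystream for
AES-128 (stdlib has no AES); keyed digest instead of bare MD5."""
import hashlib
import hmac
import os

SENSITIVE_KEYS = {"enable-password", "radius-key", "snmp-community"}
PRODUCT_SECRET = b"demo-product-secret"   # assumption: stands in for the per-platform secret


def derive_key(passphrase: str) -> bytes:
    """Pad or truncate the passphrase to a 16-byte key (assumed padding rule).
    The key carries no more entropy than the passphrase: 'abc' yields a key
    of three known bytes plus padding."""
    return passphrase.encode().ljust(16, b"\x00")[:16]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def encrypt(key: bytes, plaintext: str) -> str:
    nonce = os.urandom(8)                     # fresh per value so equal secrets differ on the wire
    return (nonce + _xor_stream(key, nonce, plaintext.encode())).hex()


def decrypt(key: bytes, token: str) -> str:
    raw = bytes.fromhex(token)
    return _xor_stream(key, raw[:8], raw[8:]).decode()


def export_config(settings: dict, passphrase: str, product_secret: bytes) -> str:
    """Switch 1: sensitive values go out under the passphrase key, the
    passphrase goes out under the product secret, and a keyed digest closes the file."""
    data_key = derive_key(passphrase)
    lines = ["ssd-passphrase encrypted " + encrypt(product_secret, passphrase)]
    for name, value in sorted(settings.items()):
        if name in SENSITIVE_KEYS:
            lines.append(f"{name} encrypted {encrypt(data_key, value)}")
        else:
            lines.append(f"{name} {value}")
    body = "\n".join(lines)
    digest = hmac.new(product_secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "\nssd-integrity " + digest + "\n"


def import_config(text: str, product_secret: bytes) -> dict:
    """Switch N: verify the digest, learn the passphrase from the file, then
    decrypt the sensitive values.  Raises ValueError on tampering."""
    body, _, tail = text.rstrip("\n").rpartition("\n")
    kind, _, digest = tail.partition(" ")
    expected = hmac.new(product_secret, body.encode(), hashlib.sha256).hexdigest()
    if kind != "ssd-integrity" or not hmac.compare_digest(digest, expected):
        raise ValueError("configuration file failed integrity check")
    settings, data_key = {}, None
    for line in body.split("\n"):
        name, _, rest = line.partition(" ")
        if name == "ssd-passphrase":
            data_key = derive_key(decrypt(product_secret, rest.split(" ", 1)[1]))
        elif rest.startswith("encrypted "):
            if data_key is None:
                raise ValueError("encrypted value before passphrase")
            settings[name] = decrypt(data_key, rest.split(" ", 1)[1])
        else:
            settings[name] = rest
    return settings


def tamper_detected(text: str, product_secret: bytes) -> bool:
    """Edit one plaintext line of an exported file; the import must refuse it."""
    forged = text.replace("hostname sw-branch-01", "hostname sw-evil")
    try:
        import_config(forged, product_secret)
    except ValueError:
        return True
    return False


# Constructed sample configuration for the demonstration
SAMPLE_SETTINGS = {"hostname": "sw-branch-01", "enable-password": "S3cret!",
                   "radius-key": "r4dius-shared", "snmp-community": "private"}
```

`export_config(SAMPLE_SETTINGS, "branch-passphrase", PRODUCT_SECRET)` produces a file in which neither the passwords nor the passphrase appear in clear, and `import_config` on another device that holds the same product secret recovers the settings without ever being told the passphrase, which is the zero-touch property. A device without the product secret fails the integrity check before it can attempt any decryption; that is the "only SSD platforms have the secrets" point on slide 10, and also the reason the product secret deserves at least as much protection as the passphrase.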

13 Time Based Switch operations
Time-based operations are useful when traffic or access must be restricted by:
- a certain time range
- a certain day
- a certain date
- periodic settings
Time ranges are supported for multiple capabilities: ACLs, 802.1x (supported in the prior release), PoE (future release) and port operation.
Time-based ACLs restrict traffic according to a schedule. For example, an administrator might use them to allow web browsing only during a particular time of day, or to allow access to a particular server only during working hours.
Time-based port operation lets the administrator define the days and hours of the week during which a port is in the 'up' state; when the device clock is outside the time range the port is shut down. For example, an Ethernet port in a guest office could be active only during office hours. Because the decision is made against the device clock, keep the clock synchronized (for example via SNTP); a wrong clock brings a time-controlled port up or down at the wrong times.
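How a time range is evaluated for a time-based ACL or a time-controlled port, as an added example that is not the switch's own code. The range model (an optional absolute window plus periodic weekday/time entries, with an entry whose end is earlier than its start crossing midnight) and the sample ranges are assumptions; the example goes beyond the slide in treating a device with no valid clock as outside every range.

```python
"""Time-range evaluation behind time-based ACLs and port operation.
Added example, not the switch's implementation.  A range is active when the
clock lies inside the absolute window (if set) and inside at least one
periodic entry (if any).  Sample ranges below are constructed."""
from datetime import datetime, time
from typing import Iterable, Optional, Tuple

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


class TimeRange:
    def __init__(self, absolute: Optional[Tuple[datetime, datetime]] = None):
        self.absolute = absolute   # inclusive (start, end) or None
        self.periodic = []         # list of (weekday set, start time, end time)

    def add_periodic(self, days: Iterable[str], start: str, end: str) -> None:
        """days: names such as ['mon', 'fri']; start/end as 'HH:MM'."""
        self.periodic.append(({WEEKDAYS[d] for d in days},
                              time.fromisoformat(start), time.fromisoformat(end)))

    def _periodic_match(self, now: datetime) -> bool:
        t, wd = now.time(), now.weekday()
        for days, start, end in self.periodic:
            if start <= end:                       # same-day window, end exclusive
                if wd in days and start <= t < end:
                    return True
            else:                                  # crosses midnight, e.g. 22:00-02:00
                if (wd in days and t >= start) or ((wd - 1) % 7 in days and t < end):
                    return True
        return False

    def active(self, now: Optional[datetime]) -> bool:
        """None models a device whose clock is not valid: treated as outside
        the range, so a time-controlled port stays shut until the clock is set."""
        if now is None:
            return False
        if self.absolute and not (self.absolute[0] <= now <= self.absolute[1]):
            return False
        return self._periodic_match(now) if self.periodic else True


def port_state(tr: TimeRange, now: Optional[datetime]) -> str:
    """Time-based port operation: 'up' inside the range, 'shutdown' outside.
    A time-based ACL uses the same decision to enable or disable its entries."""
    return "up" if tr.active(now) else "shutdown"


# Constructed sample: guest-office port up only during office hours, March to December 2012
OFFICE_HOURS = TimeRange(absolute=(datetime(2012, 3, 1), datetime(2012, 12, 31, 23, 59)))
OFFICE_HOURS.add_periodic(["mon", "tue", "wed", "thu", "fri"], "08:00", "18:00")

# Constructed sample: a window that starts Friday night and crosses midnight
BACKUP_WINDOW = TimeRange()
BACKUP_WINDOW.add_periodic(["fri"], "22:00", "02:00")
```

`port_state(OFFICE_HOURS, datetime(2012, 3, 5, 9, 0))` (a Monday morning) returns `"up"`; the same port at 19:00, on a Saturday, or on any date before 1 March 2012 returns `"shutdown"`, and so does a device whose clock is unset. The midnight-crossing case is the one most often got wrong by hand: 01:00 on Saturday 10 March is inside the Friday 22:00 to 02:00 window, 03:00 is not.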

14 Disable port LEDs
- The device LEDs (link, speed, PoE) are power consumers
- To minimize power consumption, and thereby save on operational costs, an administrator may want to disable the port LEDs
- The feature lets the user control the LEDs: disable the port LEDs when they are not required, and re-enable them when needed for debugging, connecting additional devices, etc.
- The System LED is not affected

15 Multicast TV VLAN
- Maximizes network efficiency in the presence of multicast traffic
- Reduces duplication of multicast traffic across multiple VLANs in Layer 2 networks by centralizing multicast distribution in a single video VLAN
- Endpoints remain in their isolated VLAN segments while receiving multicast traffic from this VLAN
- Similar to MVR (Multicast VLAN Registration)

16 "They were the most energy efficient..."
Report: DR – 24 Feb 2012. Cisco 200/300 switches versus HP E2620, E2810, E2520, E2510, E1810 and D-Link DES-3052 / DES-3052P.
Report: # – Feb 2011. Cisco 300 switches versus HP E2610, E2810, E2510; D-Link DES-3528 / DES-3528P; Netgear FSM726, GSM7224.
Quotes from the reports:
- "They were the most energy efficient..."
- "Cisco had the most extensive feature set for IPv6 transitions"
- "easiest to configure and implement"
- "forwarded line rate full mesh traffic at all frame sizes with zero loss"
- "Cisco switches more economical"
- "Highest capacity and scalability"
- "Best resiliency when subjected to a DOS attack"
- "We were impressed with the comprehensive set of features, performance, overall power efficiency, and ease-of-use of the Cisco switches" – Rob Smithers, CEO, Miercom
- "Lowest power consumption and best-in-class efficiency overall"
- "Most extensive set of IPv6 protocol and application support"
- "Best usability with simplified UI"
- "Wirespeed, non-blocking, L2 performance at all frame sizes"
- "Best price/performance"
- "Most extensive feature set"
- "most extensive capabilities, best performance, lowest latency, lowest overall Energy consumption, and best user experience"; "Cisco has raised the bar for this product category" – Kevin Tolly, founder, The Tolly Group

17 The leader in Switching solutions for small to medium businesses
Cisco SMB Switching:
- Over 20 million switching ports shipped in the last year
- Solid market share = the right features, price and reliability for your business
- Purpose-built for SMB: the pricing, functionality and ease that customers are asking for; easy to install and maintain
- Part of a complete data, voice and video networking solution: simplified integration for data, voice and video communications needs
- Backed by Cisco: comprehensive quality and integration testing, so it works as you expect it to work; superior support with better tools, documentation and technical support (Cisco-class support)

18 Resources and URLs
- Cisco® 300 Series Switches
- Partner Central Small Business Switching
- Cisco Small Business Support Community
- Cisco 300 Series Switches Warranty
- Cisco Small Business Service


