Details
Cisco® Enhanced EtherSwitch® Service Modules can reduce your company's total cost of ownership by integrating Gigabit Ethernet (GE) and Fast Ethernet (FE) switch ports within Cisco 3900 and 2900 Series Integrated Services Routers. This integration allows network administrators to manage a single device using Cisco management tools or the router command-line interface (CLI) for LAN and WAN management needs. This approach reduces network complexity, lowers maintenance contract costs, lessens staff training needs, simplifies software qualification efforts, increases availability, and delivers a consistent user experience at branch offices and headquarters.
Product Overview
Figure 1. Cisco Enhanced EtherSwitch Service Modules

Cisco Enhanced EtherSwitch Service Module Types
Table 1. Entry-Level and Advanced Cisco Enhanced EtherSwitch Service Modules
Cisco Enhanced EtherSwitch Service Module |
Description |
Cisco ES3 Enhanced EtherSwitch Service Module |
• Best-of-class Ethernet switching
• High-density Gigabit Ethernet support
• Layer 2/3 switching in hardware
• Multicast routing
• IPv6 routing and access control lists (ACLs) in hardware
• Full feature parity with the Cisco Catalyst 3560-E IP Base and IP Services Universal images
• IP Base feature set, which includes advanced quality of service (QoS), a suite of security features, rate limiting, ACLs, basic static and Routing Information Protocol (RIP) routing capability, and Hot Standby Router Protocol (HSRP)
• The IP Services feature set provides a richer set of enterprise-class features, including advanced hardware-based IP Unicast and IP Multicast routing; Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Protocol Independent Multicast (PIM), and IPv6 routing; OSPFv3; EIGRPv6; IP Service-Level Agreement (IPSLA) packet monitoring; Cisco Port Security; and Virtual Route Forwarding Lite (VRF Lite)
• Cisco EnergyWise technology, an innovative architecture that promotes companywide sustainability by reducing energy consumption across an entire corporate infrastructure; Cisco EnergyWise technology can help your company measure the power consumption of network infrastructure and network-attached devices and manage power consumption with specific policies, reducing power consumption to realize increased cost savings; potentially any powered device is affected
• Power over Ethernet; up to 1014 watts per chassis on a Cisco 3900 Series router
• Cisco Enhanced PoE (ePoE), up to 20 watts per port
• IEEE 802.3af PoE support, up to 15.4 watts per port
• Cisco pre-standard PoE
|
Cisco ES2 Enhanced EtherSwitch Service Module |
• Entry-level, lower-cost solution
• Layer 2 switching in hardware
• Full feature parity with the Cisco Catalyst 2960 LAN Base image
• Cisco EnergyWise
• Power over Ethernet; up to 1014 watts per chassis on Cisco 3900 Series router
• IEEE 802.3af PoE support, up to 15.4 watts per port
• Cisco pre-standard PoE
|
Secure Network Connectivity for Data, Voice, and Video
Figure 2. Cisco EtherSwitch Service Module with a Cisco 3945 Integrated Services Router

Features and Benefits
Architecture Features and Benefits
Table 2. Cisco Enhanced EtherSwitch Service Module Addresses Customer Needs
Customer Needs |
How Addressed by Cisco Enhanced EtherSwitch Service Module |
Green IT |
|
• Cisco EnergyWise technology
• Single power supply for Cisco EtherSwitch device and router
|
• Cisco EnergyWise technology helps enable Cisco EtherSwitch devices to automatically reduce off-peak use of PoE.
• The modules offer two to eight times lower power consumption than standalone switches.
• Because no additional rack space or power supply is needed, there is less to rack, stack, and cool.
|
Total Cost of Ownership (TCO) |
|
• Scaling network infrastructure across multiple sites
• Increasing costs of operating multiple devices at the branch office
• Maximizing IT resources
|
• An integrated switch solution lowers operations costs, simplifies troubleshooting, and enables businesses to scale.
• Cisco Catalyst 2960 and Catalyst 3560-E software parity enables IT to certify and deploy the same services at the main office and branch office.
• The modules offer lower mean time to repair (MTTR). One vendor means one support center to decrease troubleshooting time and eliminate finger pointing among vendors.
• Cisco SMARTnet® support covers both integrated services routers and Cisco EtherSwitch devices.
|
Investment Protection |
|
• Ensuring compatibility of your network with future networks to deliver leading technology
|
• The Cisco Enhanced EtherSwitch Service Module and Cisco Catalyst 2960 and Catalyst 3560-E features, schedule, and roadmap are aligned to provide a consistent user experience and to ensure no new hardware is required to support the latest innovations.
|
High Availability |
|
• Minimizing downtime that affects business operations
|
• Cisco Enhanced EtherSwitch Service Modules run their own Cisco IOS Software images and can be upgraded independent of the host router image.
• A single-box solution simplifies remote management and improves services interoperability to help ensure the highest reliability for all users.
• End-to-end testing for standards-based and innovative Cisco proprietary features provides superior services interoperability and excellent value.
• The modules offer optional redundant power supplies, including an integrated redundant power system (RPS) on the Cisco 3900 Series and external RPS 2300 support on the Cisco 2911 through Cisco 2951 Integrated Services Routers.
• Fewer components (for example, power supplies and fans) result in fewer failures and less downtime.
• Mean time between failure (MTBF) is at least two times higher than that for a standalone switch.
|
Scalability with High-Performance IP Routing for the LAN (ES3) |
|
• Isolating LAN traffic and routing between VLANs on the Cisco Enhanced EtherSwitch Service Module
|
• Cisco Express Forwarding hardware routing architecture delivers extremely high-performance IP routing and promotes scalability.
• The modules offer inter-VLAN IP routing with full local Layer 3 switching between two or more VLANs.
• Traffic can be forwarded between service modules over the MGF without affecting the router CPU.
|
Cisco EnergyWise Technology
Advanced PoE Support
• Per-port power consumption control allows you to specify a maximum power setting on an individual port.
• Per-port PoE power sensing measures the actual power being drawn, enabling more intelligent control of powered devices.
• The Cisco PoE MIBs provide proactive visibility into power usage and allow you to set different power-level thresholds.
• Cisco Discovery Protocol Version 2 allows the Cisco Enhanced EtherSwitch Service Modules to negotiate a more granular power setting than IEEE classification provides when connecting to a Cisco powered device such as IP phones or access points.
• Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) and its MIB enable interoperability in multivendor networks. Switches exchange speed, duplex, and power settings with end devices such as IP phones.
• Normal: One PoE power supply
• Redundant: Two PoE internal power supplies (Cisco 3925 and 3945) or one PoE power supply plus an external Cisco RPS 2300 Redundant Power Supply Unit (Cisco 2911, 2921, and 2951), where one is active and one is standby
• Boost: Two PoE internal power supplies (Cisco 3925 and 3945) or one PoE power supply plus an external Cisco RPS 2300 (Cisco 2900), where both are actively supplying PoE power
Table 3. Power Output
| Router | Normal PoE with Single PoE Power Supply (Watts) | Maximum Number of Ports Running at 15.4W in Normal Mode | Maximum Number of Ports Running at 20W in Normal Mode | Maximum Power with Dual PoE Supplies in Boost Mode (Watts) | Maximum Number of Ports Running at 15.4W in Boost Mode | Maximum Number of Ports Running at 20W in Boost Mode |
|---|---|---|---|---|---|---|
| Cisco 3945 | 520 | 33 | 16 | 1040 | 65 | 50 |
| Cisco 3925 | 520 | 33 | 16 | 1040 | 65 | 50 |
| Cisco 2951 | 370 | 24 | 18 | 750 | 48 | 37 |
| Cisco 2921 | 280 | 18 | 16 | 750 | 48 | 37 |
| Cisco 2911 | 200 | 12 | 10 | 750 | 48 | 37 |
Secure Networking
Table 4. LAN Security Features
Feature |
Benefit |
Dynamic ARP Inspection (DAI) |
• DAI helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the Address Resolution Protocol (ARP).
|
DHCP Snooping |
• This feature prevents malicious users from spoofing a Dynamic Host Configuration Protocol (DHCP) server and sending out bogus addresses. It is used by other primary security features to prevent numerous other attacks such as ARP poisoning.
|
IP Source Guard |
• IP Source Guard prevents a malicious user from spoofing or taking over another user's IP address by creating a binding table between the client's IP and MAC address, port, and VLAN.
|
Private VLANs |
• Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multiaccess-like segment; this feature is available in the ES3 only.
• Private VLAN Edge provides security and isolation between switch ports, helping ensure that users cannot snoop on other users' traffic; this feature is available in the ES3 only.
|
Unicast Reverse Path Forwarding (RPF) |
• This feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address; it is available in the ES3 only.
|
IEEE 802.1x |
• IEEE 802.1x allows dynamic, port-based security, providing user authentication.
• IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
• IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client.
• IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected.
• IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
• Web authentication for non-802.1x clients allows non-802.1x clients to use an SSL-based browser for authentication.
|
Multidomain Authentication |
• Multidomain authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on the appropriate voice and data VLAN.
|
MAC Authentication Bypass |
• MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using the MAC address; it is available in the ES3 only.
|
Advanced ACLs |
• Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs; this feature is available in the ES3 only.
• Cisco standard and extended IP Security router ACLs define security policies on routed interfaces for control- and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic; this feature is available in the ES3 only.
• Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
|
Administrative Traffic Protection |
• Secure Shell (SSH) Protocol, Kerberos (ES3 only), and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos (ES3 only), and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
|
Switched Port Analyzer (SPAN) |
• Bidirectional data support on the SPAN port allows the Cisco Intrusion Detection System (IDS) to take action when an intruder is detected.
|
Centralized Authentication |
• TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
|
MAC Address Authentication |
• MAC address notification allows administrators to be notified of users added to or removed from the network.
|
Port Security |
• Port security secures the access to an access or trunk port based on MAC address.
|
Console Security |
• Multilevel security on console access prevents unauthorized users from altering the switch configuration.
|
Bridge Protocol Data Unit (BPDU) Guard |
• BPDU guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
|
Spanning-Tree Root Guard (STRG) |
• STRG prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes.
|
Internet Group Management Protocol (IGMP) Filtering |
• IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port.
|
Dynamic VLAN Assignment |
• Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment of IP addresses.
|
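Table 4 notes that DHCP Snooping is used by other security features and that IP Source Guard relies on a binding table of IP, MAC, port, and VLAN. The following simplified model is an added example, not Cisco code or switch behavior taken from this data sheet; the class, port names, and addresses are constructed for illustration, and it shows one binding table serving DHCP Snooping, IP Source Guard, and DAI checks.

```python
"""Toy model: a DHCP snooping binding table shared by IP Source Guard and DAI."""


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.bindings = set()              # (mac, ip, vlan, port) learned from DHCP ACKs

    def dhcp_ack(self, ingress_port, client_port, vlan, client_mac, leased_ip):
        """DHCP Snooping: server replies are accepted only from trusted ports."""
        if ingress_port not in self.trusted:
            return "drop"                  # spoofed DHCP server on an access port
        self.bindings.add((client_mac, leased_ip, vlan, client_port))
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        # Trusted ports bypass validation; others must match a learned binding.
        return port in self.trusted or (mac, ip, vlan, port) in self.bindings

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: source IP and MAC must match the port's binding."""
        return "forward" if self._bound(port, vlan, src_mac, src_ip) else "drop"

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """DAI: the ARP sender IP/MAC pair is checked against the same table."""
        return "forward" if self._bound(port, vlan, sender_mac, sender_ip) else "drop"


def run_demo():
    # Constructed sample traffic: documentation-range MACs and IPs (assumptions).
    sw = AccessSwitch(trusted_ports={"Gi0/48"})
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    return {
        "legit_ack": sw.dhcp_ack("Gi0/48", "Gi0/1", 10, host_a, "192.0.2.10"),
        "rogue_ack": sw.dhcp_ack("Gi0/2", "Gi0/1", 10, host_a, "192.0.2.66"),
        "legit_ip": sw.ip_packet("Gi0/1", 10, host_a, "192.0.2.10"),
        "spoofed_ip": sw.ip_packet("Gi0/2", 10, host_b, "192.0.2.10"),
        "legit_arp": sw.arp_packet("Gi0/1", 10, host_a, "192.0.2.10"),
        "forged_arp": sw.arp_packet("Gi0/2", 10, host_b, "192.0.2.1"),
    }


if __name__ == "__main__":
    for event, verdict in run_demo().items():
        print(f"{event:12s} {verdict}")
```
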
Ease of Management and Troubleshooting
Table 5. Management and Troubleshooting Features
Feature |
Additional Information