Details
Cisco® Enhanced EtherSwitch® Service Modules can reduce your company's total cost of ownership by integrating Gigabit Ethernet (GE) and Fast Ethernet (FE) switch ports within Cisco 3900 and 2900 Series Integrated Services Routers. This integration allows network administrators to manage a single device using Cisco management tools orthe router command-line interface (CLI) for LAN and WAN management needs. This approach reduces network complexity, lowers maintenance contract costs, lessens staff training needs, simplifies software qualification efforts, increases availability, and delivers a consistent user experience at branch offices and headquarters.
Product Overview
The Cisco Enhanced EtherSwitch Service Modules (Figure 1) greatly expands the router's capabilities by integrating industry-leading Layer 2 and Layer 3 switching with feature sets identical to those found in the Cisco Catalyst ® 3560-E and Catalyst 2960 Series Switches. The new Cisco Enhanced EtherSwitch Service Modules are the first modules to take advantage of the increased capabilities on the Cisco 3900 and 2900 Series Integrated Services Routers. Additionally, these service modules enable Cisco's industry-leading power initiatives, Cisco EnergyWise ®, Cisco Enhanced Power over Ethernet (ePoE), and per-port PoE power monitoring-all of which enhance the ability of the branch office to scale to next-generation requirements and still meet important initiatives for IT teams to operate a power efficient network. Furthermore, the Cisco Enhanced EtherSwitch Service Modules not only perform local line-rate switching and routing but also support direct service module-to-service module communication through the Integrated Services Router Generation 2 multigigabit fabric (MGF) which separates LAN traffic from WAN resources.
Figure 1. Cisco Enhanced EtherSwitch Service Modules
Cisco Enhanced EtherSwitch Service Module Types
Two types of Cisco Enhanced EtherSwitch Service Modules are available (Table 1): Entry Level (ES2) and Advanced (ES3).
Table 1. Entry-Level and Advanced Cisco Enhanced EtherSwitch Service Modules
|
Cisco Enhanced EtherSwitch Service Module |
Description |
|
Cisco ES3 Enhanced EtherSwitch Service Module |
• Best-of-class Ethernet switching
• High-density Gigabit Ethernet support
• Layer 2/3 switching in hardware
• Multicast routing
• IPv6 routing, and access control list (ACL) in hardware
• Full feature parity with the Cisco Catalyst 3560-E IP Base and IP Services Universal images
• IP Base feature set, which includes advanced quality of service (QoS), a suite of security features, rate limiting, ACLs, basic static and Routing Information Protocol (RIP) routing capability, and Hot Standby Router Protocol (HSRP)
• The IP Services feature set provides a richer set of enterprise-class features, including advanced hardware-based IP Unicast and IP Multicast routing; Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Protocol Independent Multicast (PIM), and IPv6 routing; OSPFv3; EIGRPv6; IP Service-Level Agreement (IPSLA) packet monitoring; Cisco Port Security; and Virtual Route Forwarding Lite (VRF Lite)
• Cisco EnergyWise technology, an innovative architecture that promotes companywide sustainability by reducing energy consumption across an entire corporate infrastructure; Cisco EnergyWise technology can help your company measure the power consumption of network infrastructure and network-attached devices and manage power consumption with specific policies, reducing power consumption to realize increased cost savings; potentially any powered device is affected
• Power over Ethernet; up to 1014 watts per chassis on a Cisco 3900 Series router
• Cisco Enhanced PoE (ePoE), up to 20 watts per port
• IEEE 802.3af PoE support, up to 15.4 watts per port
• Cisco pre-standard PoE
|
|
Cisco ES2 Enhanced EtherSwitch Service Module |
• Entry-level, lower-cost solution
• Layer 2 switching in hardware
• Full feature parity with the Cisco Catalyst 2960 LAN Base image
• Cisco EnergyWise
• Power over Ethernet; up to 1014 watts per chassis on Cisco 3900 Series router
• IEEE 802.3af PoE support, up to 15.4 watts per port
• Cisco pre-standard PoE
|
Secure Network Connectivity for Data, Voice, and Video
When inserted within a Cisco 2900 or 3900 Series Integrated Services Router, such as the Cisco 3945 (Figure 2), the Cisco Enhanced EtherSwitch Service Modules provide a fully integrated, secure networking and converged IP communications solution. From a single platform with an integrated switch, you can connect IP phones, wireless access points, and IP-based video cameras to your network and power them using the IEEE 802.3af, Cisco ePoE, or Cisco pre-standard PoE. With the optional integration of Cisco Unified Communications Manager Express, the router can also provide call-processing for the phones. As users attempt network access through the Cisco Enhanced EtherSwitch Service Module, the module can use IEEE 802.1x and a large number of Cisco 802.1x extensions to validate the credentials of the end device and place the user in the appropriate VLAN or Cisco TrustSec group. As the end-user data leaves the LAN, the router can encrypt the traffic and place it on a multitude of VPNs, securing communications between branch offices and central sites.
This high degree of convergence simplifies the network architecture and allows for cost-effective deployment of advanced services at the branch-office level. Furthermore, because the Cisco Enhanced EtherSwitch Service Modules support the same feature sets as the Cisco Catalyst 2960 and Catalyst 3560-E Switches, you can provide a ubiquitous configuration at headquarters and at the branch office to create a consistent experience throughout your network.
Figure 2. Cisco EtherSwitch Service Module with a Cisco 3945 Integrated Services Router
Features and Benefits
Architecture Features and Benefits
The Cisco Enhanced EtherSwitch Service Module helps ensure maximum availability, high performance, ease of upgrade, and expandability. The modules have their own processors, switching engines, and flash memory that run independently of host router resources, helping ensure maximum concurrent switching and routing performance as well as providing integrated PoE, security, and increased ease of management. Additionally, Cisco Enhanced EtherSwitch Service Modules run their own Cisco IOS ® Software, independent of the router Cisco IOS Software image, allowing for easy upgrades and ongoing software and feature commonality with Cisco Catalyst 2960 and Catalyst 3560-E Series Switches. Table 2 lists some of the features and benefits of this architecture.
Table 2. Cisco Enhanced EtherSwitch Service Module Addresses Customer Needs
|
Customer Needs |
How Addressed by Cisco Enhanced EtherSwitch Service Module |
|
Green IT |
|
|
• Cisco EnergyWise technology
• Single power supply for Cisco EtherSwitch device and router
|
• Cisco EnergyWise technology helps enable Cisco EtherSwitch devices to automatically reduce off-peak use of PoE.
• The modules offer two to eight times lower power consumption than standalone switches.
• Because no additional rack space or power supply is needed, there is less to rack, stack, and cool.
|
|
Total Cost of Ownership (TCO) |
|
|
• Scaling network infrastructure across multiple sites
• Increasing costs of operating multiple devices at the branch office
• Maximizing IT resources
|
• An integrated switch solution lowers operations costs, simplifies troubleshooting, and enables businesses to scale.
• Cisco Catalyst 2960 and Catalyst 3560-E software parity enables IT to certify and deploy the same services at the main office and branch office.
• The modules offer lower mean time to repair (MTTR). One vendor means one support center to decrease troubleshooting time and eliminate finger pointing among vendors.
• Cisco SMARTnet ® support covers both integrated services routers and Cisco EtherSwitch devices.
|
|
Investment Protection |
|
|
• Ensuring compatibility of your network with future networks to deliver leading technology
|
• The Cisco Enhanced EtherSwitch Service Module and Cisco Catalyst 2960 and Catalyst 3560-E features, schedule, and roadmap are aligned to provide a consistent user experience and to ensure no new hardware is required to support the latest innovations.
|
|
High Availability |
|
|
• Minimizing downtime that affects business operations
|
• Cisco Enhanced EtherSwitch Service Modules run their own Cisco IOS Software images and can be upgraded independent of the host router image.
• A single-box solution simplifies remote management and improves services interoperability to help ensure the highest reliability for all users.
• End-to-end testing for standards-based and innovative Cisco proprietary features provides superior services interoperability and excellent value.
• The modules offer optional redundant power supplies, including an integrated redundant power system (RPS) on the Cisco 3900 Series and external RPS 2300 support on the Cisco 2911 through Cisco 2951 Integrated Services Routers.
• Fewer components (for example, power supplies and fans) results in fewer failures and less downtime.
• Mean time between failure (MTBF) is at least two times higher than that for a standalone switch.
|
|
Scalability with High-Performance IP Routing for the LAN (ES3) |
|
|
• Isolation of LAN traffic and route between VLANs on the Cisco Enhanced EtherSwitch Service Module
|
• Cisco Express Forwarding hardware routing architecture delivers extremely high-performance IP routing and promotes scalability.
• The modules offer inter-VLAN IP routing with full local Layer 3 switching between two or more VLANs.
• Traffic can be forwarded between service modules over the MGF without affecting the router CPU.
|
Cisco EnergyWise Technology
Cisco EnergyWise technology is an innovative architecture added to a large number of Cisco Catalyst switches, the Cisco 2900 and 3900 Series Integrated Services Routers, and the Cisco ES2 and ES3 Enhanced EtherSwitch Service Modules to promote companywide sustainability by reducing energy consumption across an entire network infrastructure.
Cisco EnergyWise technology encompasses a highly intelligent network-based approach to communicate messages that measure and control energy between network devices and endpoints. The network discovers Cisco EnergyWise manageable devices, monitors their power consumption, and takes action based on business rules to reduce power consumption. The technology uses an innovative domain-naming system to query and summarize information from large sets of devices, making it simpler than traditional network management capabilities. The management interfaces of this technology allow facilities and network management applications to communicate with endpoints and each other using the network as a unifying fabric. The management interface uses standard Simple Network Management Protocol (SNMP) or Secure Sockets Layer (SSL) to integrate Cisco and third-party management systems.
Cisco EnergyWise technology extends the network as a platform for the power control plane for gathering, managing, and reducing power consumption of all devices, resulting in companywide optimized power delivery and reduced energy costs.
Advanced PoE Support
Although Power over Ethernet (PoE) has been employed for more than a decade, it is still an evolving technology. New and innovative applications continue to raise expectations for power requirements. The Cisco Enhanced EtherSwitch Service Modules are the first EtherSwitch modules to take advantage of the increased power capabilities of the Cisco 2900 and 3900 Series routers. Table 3 gives information about total PoE power output. Depending on the Cisco 2900 and 3900 Series router model, the available PoE power ranges from 200 to 1014 watts. The Cisco Enhanced EtherSwitch Service Module supports not only IEEE 802.1af (15.4 watts), but also Cisco ePoE (20 watts, ES3 only) as well as Cisco pre-standard PoE. The support of both new and old power levels demonstrates Cisco's commitment to protection of your initial investment while planning for the future. Additional PoE features include:
• Per-port power consumption control allows you to specify a maximum power setting on an individual port.
• Per-port PoE power sensing measures the actual power being drawn, enabling more intelligent control of powered devices.
• The Cisco PoE MIBs provide proactive visibility into power usage and allow you to set different power-level thresholds.
• Cisco Discovery Protocol Version 2 allows the Cisco Enhanced EtherSwitch Service Modules to negotiate a more granular power setting than IEEE classification provides when connecting to a Cisco powered device such as IP phones or access points.
• The Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) link layer discovery protocol and MIB enable interoperability in multivendor networks. Switches exchange speed, duplex, and power settings with end devices such as IP phones.
Power over Ethernet requires the PoE versions of the router power supplies. The Cisco 2900 and 3900 Series routers support multiple PoE powering modes:
• Normal: One PoE power supply
• Redundant: Two PoE internal power supplies (Cisco 3925 and 3945) or one PoE power supply plus an external Cisco RPS 2300 Redundant Power Supply Unit (Cisco 2911, 2921, and 2951), where one is active and one is standby
• Boost: Two PoE internal power supplies (Cisco 3925 and 3945) or one PoE power supply plus an external Cisco RPS2300 (Cisco 2900), where both are actively supplying PoE power
Table 3. Power Output
|
Router |
Normal PoE with Single POE Power Supply (Watts) |
Maximum Number of Ports Running at 15.4W in Normal Mode |
Maximum Number of Ports Running at 20W in Normal Mode |
Maximum Power with Dual POE Supplies in Boost Mode (Watts) |
Maximum Number of Ports Running at 15.4W in Boost Mode |
Maximum Number of Ports Running at 20W in Boost Mode |
|
Cisco 3945 |
520 |
33 |
16 |
1040 |
65 |
50 |
|
Cisco 3925 |
520 |
33 |
16 |
1040 |
65 |
50 |
|
Cisco 2951 |
370 |
24 |
18 |
750 |
48 |
37 |
|
Cisco 2921 |
280 |
18 |
16 |
750 |
48 |
37 |
|
Cisco 2911 |
200 |
12 |
10 |
750 |
48 |
37 |
Secure Networking
Because security needs to be embedded throughout the network, routers and Cisco EtherSwitch devices play a critical role in any network defense strategy. Cisco Enhanced EtherSwitch Service Modules provide a rich set of security features and can be a crucial component of your secure network strategy. The modules support a comprehensive set of security features for connectivity and access control, including ACLs, authentication, port-level security, and identity-based network services with 802.1x and extensions. This set of comprehensive features not only helps prevent external attacks, but defends the network against "man-in-the-middle" attacks, a primary concern in today's business environment. Table 4 highlights the benefits of the Enhanced EtherSwitch Service Module LAN security features.
Table 4. LAN Security Features
|
Feature |
Benefit |
|
Dynamic ARP Inspection (DAI) |
• DAI helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the Address Resolution Protocol (ARP).
|
|
DHCP Snooping |
• This feature prevents malicious users from spoofing a Dynamic Host Configuration Protocol (DHCP) server and sending out bogus addresses. It is used by other primary security features to prevent numerous other attacks such as ARP poisoning.
|
|
IP Source Guard |
• IP Source Guard prevents a malicious user from spoofing or taking over another user's IP address by creating a binding table between the client's IP and MAC address, port, and VLAN.
|
|
Private VLANs |
• Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multiaccess-like segment; this feature is available in the ES3 only.
• Private VLAN Edge provides security and isolation between switch ports, helping ensure that users cannot snoop on other users' traffic; this feature is available in the ES3 only.
|
|
Unicast Reverse Path Forwarding (RPF) |
• This feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address; it is available in the ES3 only.
|
|
IEEE 802.1x |
• IEEE 802.1x allows dynamic, port-based security, providing user authentication.
• IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.
• IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.
• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client.
• IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected.
• IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.
• Web authentication for non-802.1x clients allows non-802.1x clients to use an SSL-based browser for authentication.
|
|
Multidomain Authentication |
• Multidomain authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on the appropriate voice and data VLAN.
|
|
MAC Authentication Bypass |
• MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using the MAC address; it is available in the ES3 only.
|
|
Advanced ACLs |
• Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs; this feature is available in the ES3 only.
• Cisco standard and extended IP Security router ACLs define security policies on routed interfaces for control- and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic; this feature is available in the ES3 only.
• Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
|
|
Administrative Traffic Protection |
• Secure Shell (SSH) Protocol, Kerberos (ES3 only), and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos (ES3 only), and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
|
|
Switched Port Analyzer (SPAN) |
• Bidirectional data support on the SPAN port allows the Cisco Intrusion Detection System (IDS) to take action when an intruder is detected.
|
|
Centralized Authentication |
• TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
|
|
MAC Address Authentication |
• MAC address notification allows administrators to be notified of users added to or removed from the network.
|
|
Port Security |
• Port security secures the access to an access or trunk port based on MAC address.
|
|
Console Security |
• Multilevel security on console access prevents unauthorized users from altering the switch configuration.
|
|
Bridge Protocol Data Unit (BPDU) Guard |
• BPDU guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
|
|
Spanning-Tree Root Guard (STRG) |
• STRG prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes.
|
|
Internet Group Management Protocol (IGMP) Filtering |
• IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port.
|
|
Dynamic VLAN Assignment |
• Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment of IP addresses.
|
Ease of Management and Troubleshooting
Cisco EtherSwitch Service Modules offer many ease-of-management advantages. For instance, administrators can manage the service modules through the host router CLI, providing one point of management for the LAN and WAN. Because the Cisco Enhanced EtherSwitch Service Modules run the same software image as the Cisco Catalyst 2960 and Catalyst 3560-E Series, the CLI commands are identical to those used on these Cisco Catalyst switches. This setup greatly simplifies management across the LAN and WAN, resulting in lower training costs, lower software qualifications costs, and a reduction in the possibility of configuration errors. Additionally, the Cisco Enhanced EtherSwitch Service Modules can be managed using one of Cisco's advanced GUI management tools. This provides an easy to use Web-based management interfaces can be accessed through a standard Web browser. Table 5 lists other management and troubleshooting features.
Table 5. Management and Troubleshooting Features
|
Feature |
Additional Information
|
