Q. What are the Cisco
® SM-X Layer 2/3 EtherSwitch
A. The Cisco SM-X EtherSwitch Modules are an enterprise-class line of switches in Cisco Integrated Services Router (ISR) Extended Service Module form factor for the Cisco 2900 and 3900 Series and Cisco 4451-X ISRs. These EtherSwitch service modules greatly expand the capabilities of the router by integrating industry-leading Layer 2 and Layer 3 switching with feature sets identical to those found in the Cisco Catalyst
® 3560-X Series. Cisco SM-X EtherSwitch Modules facilitate the deployment of highly secure converged applications while maximizing investment protection for evolving network and application requirements. Combining 10/100/1000, Power over Ethernet Plus (PoE+), Media Access Control Security (MACsec), and Cisco TrustSec
® security, the Cisco SM-X EtherSwitch Modules enhance worker productivity by enabling applications such as encryption, IP telephony, wireless, and video.
The Cisco SM-X EtherSwitch Modules are built on the existing Cisco Catalyst 3560-X Series Switches, using the same port application-specific integrated circuit (ASIC), switch fabric, and Cisco IOS
® Software feature sets.
Q. What is new in the Cisco SM-X EtherSwitch Modules?
A. The Cisco SM-X EtherSwitch Modules build on the Cisco Catalyst 3560-X Series Switches and add the following features:
• Full 802.3at PoE+ support provides 30W per port on all ports.
• A new LAN Base feature set offers comprehensive Layer 2 functions.
• MACsec provides hardware-based encryption (802.1ae) at line rate on all ports (requires IP Base). It includes MACsec Key Agreement (MKA) (included in Dot1X-rev).
• Open Shortest Path First (OSPF) is supported for routed access in the IP Base image.
• Cisco TrustSec security is supported.
Q. What are the benefits of using the Cisco SM-X EtherSwitch Modules?
A. Integrated switching and routing provides:
• Lower cost of ownership: It allows network administrators to manage a single device using the router command-line interface (CLI) or Cisco management tools for LAN and WAN management needs.
• Lower mean time to repair (MTTR): One vendor means one support center to decrease troubleshooting time and eliminate blaming among vendors.
• Software parity: Cisco Catalyst® 3560-X software parity enables IT to certify and deploy the same services at the main and branch offices.
• Single maintenance contract: A Cisco SMARTnet® contract covers both the router and the Cisco EtherSwitch Module.
• Schedule and roadmap alignment for features: The schedule and roadmap for features on the Cisco SM-X EtherSwitch Service Modules and on the Cisco Catalyst 3560-X Series Switches are aligned to provide a consistent user experience.
• Easy upgrades: Cisco SM-X EtherSwitch Service Modules run their own Cisco IOS Software image and can be upgraded independently of the Cisco IOS Software release on the host router.
• Fewer components: Fewer power supplies, fans, etc. results in fewer failures and less downtime.
• Mean time between failure (MTBF): The MTBF is at least double that of a standalone switch.
Q. What Cisco IOS Software feature sets do the Cisco SM-X EtherSwitch Modules support?
A. The Cisco SM-X EtherSwitch Modules come with a universal image and support the standard IP Base and IP Services feature sets, in addition to the new LAN Base feature set.
Q. What is the difference between the Cisco IOS Software feature sets?
A. Table 1 shows the differences between Cisco IOS Software feature sets.
Table 1. Cisco IOS Software Feature Set Overview
• Enterprise access Layer 2
• Wide range of Layer 2 access features for enterprise deployments
• Complete access Layer 2
• Support for all Cisco Catalyst 2000 and Catalyst 3000 Layer 2 features, including hot standby protocols
• Static IP routing support
• Support for Switched Virtual Interface (SVI)
• Enterprise access Layer 3
• Routing Information Protocol (RIP), static and stub Protocol Independent Multicast (PIM), and Enhanced Internet Gateway Routing Protocol (EIGRP) stub OSPF for routed access
• Complete access Layer 3
• OSPF, EIGRP, Border Gateway Protocol (BGP), and Intermediate System-to-Intermediate System (IS-IS)
• Virtual Route Forwarding lite (VRF-lite), Web Cache Control Protocol (WCCP), and Cisco Policy Based Routing (PBR)
• Basic manageability
• Support for a wide range of MIBs, IP service-level agreement (IPSLA) Responder, and Remote Switched Port Analyzer (RSPAN)
• Enterprise access Layer 3
• Cisco IOS Embedded Event Manager (EEM)
• Complete access Layer 3
• Enterprise access security
• DHCP Snooping, IP Source Guard (IPSG), Dynamic ARP Inspection (DAI), Private Access Control Lists (PACLs), Cisco Identity 4.0, Network Access Control (NAC), and 802.1x features
• Complete access security
• Router and VLAN ACLs, private VLANs, complete identity and security, Cisco TrustSec SGT Exchange Protocol over TCP (SXP), and IEEE 802.1AE
Quality of service (QoS)
• Enterprise access QoS
• Ingress policing, trust boundary, AutoQoS, and DSCP mapping
• Complete access QoS
• Support for all Cisco Catalyst 2000 and Catalyst 3000 QoS features, including per-VLAN policies
Q. What Cisco SM-X EtherSwitch Modules are available?
A. Table 2 shows the SKUs that are offered. All switch modules are shipped from the factory with the LAN Base feature set license installed.
Table 2. Product Specifications
Gigabit Ethernet Ports
Layer 2 Switching
Layer 2/3 Switching
PoE and PoE+
Service Module Width
Cisco SM-X EtherSwitch Modules Features and Feature sets
Q. What is the difference between the Cisco SM-X EtherSwitch LAN Base and IP Base models?
A. The LAN Base feature set enables comprehensive Layer 2 functions, whereas the IP Base feature set provides more advanced features such as MACsec, PIM stub, EIGRP stub, and full OSPF routing.
Q. Can I upgrade any Cisco SM-X EtherSwitch Module from LAN Base to IP Base for Layer 3 features?
A. Yes. You can upgrade any Cisco SM-X EtherSwitch Module from LAN Base to a Layer 3-capable switch with IP Base using the normal license structure.
Q. Is static IP routing supported in the LAN Base feature set?
A. Yes. LAN Base supports static IP routing.
Q. Does the LAN Base feature set support MACsec on the Cisco SM-X EtherSwitch Modules?
A. No. IP Base is the minimum required to support MACsec.
Q. Can I upgrade a Cisco SM-X IP Base EtherSwitch Module to IP Services?
A. Yes, you can upgrade a Cisco SM-X IP Base EtherSwitch Module to IP Services.
Q. Do the Cisco SM-X EtherSwitch Modules support Cisco EnergyWise
A. Yes. Cisco EnergyWise technology is a Cisco solution for power management across an entire enterprise that enables the network to control, report, and monitor the power use.
Q. What are the differences between the Cisco SM-X EtherSwitch Modules and the previous service-module EtherSwitch switches?
A. The Cisco SM-X EtherSwitch Modules are line-rate nonblocking switches that are identical to the Cisco Catalyst 3560-E Series with the following added features:
• Full 802.3at PoE+: Supports 30W per port
• Three software feature sets: LAN Base, IP Base, and IP Services
• MACsec: Hardware-based encryption (802.1ae) that includes MKA (included in Dot1X-rev)
• Cisco TrustSec security
Q. Do the Cisco SM-X EtherSwitch Modules have feature parity with the existing Cisco Catalyst 3000 Switches?
A. Yes. The Cisco SM-X EtherSwitch Modules have all the features of the Cisco Catalyst 3750-E and 3560-E Series, respectively, and will have feature parity with existing respective Cisco Catalyst 3000 Switches. All Cisco Catalyst 3000 Switches run the same Cisco IOS Software train, providing maximum compatibility.
Q. What is the performance of the Cisco SM-X EtherSwitch Modules?
A. The Cisco SM-X EtherSwitch Modules have a nonblocking switching architecture capable of forwarding traffic for all ports at line rate.
PoE Support (IEEE 802.3af and IEEE 802.3at)
Q. Do the Cisco SM-X EtherSwitch Modules support the IEEE 802.3af or 802.3.at standards?
A. Both standards are supported; that is, the Cisco SM-X EtherSwitch Modules can detect and support 802.3af and 802.3at powered devices. Up to 30W per port is possible.
Q. Can I deploy both PoE and non-PoE Cisco EtherSwitch Modules together in the same chassis?
A. Yes, but only in Cisco Integrated Services Routers Generation 2 (ISR G2) routers that support existing non-PoE versions of EtherSwitch modules. You can deploy them in any slot.
Q. Can the Cisco SM-X EtherSwitch Modules detect Type 1 and Type 2 powered devices?
A. The Cisco SM-X EtherSwitch Modules support both the PoE and PoE+ standards and can classify a powered device as either Type 1 or 2 with a one-event classification. A Type 2 powered device supports Class 4 in order to obtain more power than is supported by the older power levels (30W). A Type 1 powered device can support only up to Class 3, or 15.4W.
Q. Can the Cisco SM-X EtherSwitch Modules support two-event classification?
A. No. Two-event classification is specific to midspans that work power supplying equipment (PSE). The Cisco SM-X EtherSwitch Modules support only one-event classification.
Q. Do the Cisco SM-X EtherSwitch Modules support power classification?
A. Yes, these modules can optionally detect the powered-device power classification signature and budget the appropriate power, reducing the maximum power that must be budgeted by the switch and provisioned in the wiring closet.
Q. What is the maximum power per port that the Cisco SM-X EtherSwitch Modules can supply?
A. The Cisco SM-X EtherSwitch Modules support both PoE standards, 802.3af and 802.3at, which define the maximum power that can be supplied to a port. The switches can provide up to 30W per port.
Q. Do I need two power supplies on the Cisco SM-X EtherSwitch Modules to deploy PoE+ (802.3at)?
A. No, but you won't get PoE+ on all ports. One PoE power supply will provide 500W, but the requirement for PoE+ on all ports would be 720W for a 24-port switch. By using two PoE power supplies in PoE Boost mode, the total available power doubles from that of a single power supply. Table 3 lists the maximum PoE power for each platform.
Table 3. Maximum PoE Power per Platform
PoE Boost from RPS 2300
PoE Boost from Dual Power Supply
Cisco 2911 ISR
Cisco 2921 ISR
Cisco 2951 ISR
Cisco 3925E ISR
Cisco 3945E ISR
Cisco 4451-X ISR
Q. Do the Cisco SM-X EtherSwitch Modules support the Cisco TrustSec solution?
A. The Cisco TrustSec solution is an end-to-end solution, and the Cisco SM-X EtherSwitch Modules support it. At first customer shipment (FCS), encryption will be supported only on the user ports, along with support for the SGT Exchange Protocol (SXP). No hardware tagging is supported at this time.
Q. What hardware encryption is included in the Cisco SM-X EtherSwitch Modules?
A. The Cisco SM-X EtherSwitch Modules support 802.1ae encryption at line rate. This hardware encryption is done between the switch port and the client's network interface card (NIC). Some Intel NIC and LAN on Motherboard (LoM) components already support 802.1ae. Some PC and laptop manufacturers may have not implemented the encryption feature, although the capability is already available.
Q. The NICs in my installed client base do not have encryption capability. Will I be able to deploy Cisco SM-X EtherSwitch Modules in my network?
A. Cisco will offer a software-based application that can provide encryption for older PCs and laptops. In these cases, the software client will handle encryption. This client will also provide for key negotiation as described by MKA.
Q. Do the Cisco SM-X EtherSwitch Modules have encryption on all ports, including the uplinks?
A. No. Hardware encryption is provided only on the user ports (downlinks).
Q. What is the competition doing in terms of hardware encryption?
A. IEEE 802.1ae is a standard; hence any competitor has the same opportunity to build products that support encryption. The strength of the Cisco SM-X EtherSwitch Modules as well as Cisco Catalyst 3750-X and Catalyst 3560-X Series Switches is that encryption is just one piece of the whole Cisco TrustSec solution, and competitors can offer only point products or features.
Q. What is MACsec?
A. MACsec is the IEEE 802.1ae industry standard for Layer 2 hop-by-hop encryption.
Q. Do I need a specific hardware addition for encrypting user access ports connecting to PCs, IP phones, and so on?
A. No. The Cisco SM-X EtherSwitch Module supports MACsec on downlink ports connecting to user access devices such as PCs and IP phones without requiring a service module.
Q. What can I expect in terms of MACsec performance? Is there any degradation in switch performance?
A. No. MACsec is supported at line rate and the encryption is done in hardware, helping ensure that there is no performance degradation.
Q. Could I connect the copper ports of two Cisco SM-X EtherSwitch Modules and encrypt the link between them using MACsec?
A. Although this use is not common because of the distance limitations of copper, it is supported. Any time a switch-to-switch link needs to be encrypted, both ends of the link have to be configured with Cisco Service Advertising Protocol (SAP) for key management.
Q. Can I use MKA key management for encrypting switch-to-switch links?
A. No. MKA is supported only for end-user access ports such as PCs, phones, and other user access devices. Typically downlink ports connect to end-user access ports and need to be configured with MKA. Any time a switch-to-switch link needs to be encrypted, both ends of the link must be configured with Cisco SAP for key management.
Q. If a Cisco Catalyst 3560C Compact Switch is connected to a Cisco SM-X EtherSwitch on the downlink port, how do I set up MACsec between them?
A. Any time a switch-to-switch link needs to be encrypted, both ends of the link have to be configured with Cisco SAP for key management. Compact switch support for switch-to-switch encryption is planned for a future release. With this future release, the link between a Cisco SM-X EtherSwitch Module and Cisco Catalyst 3560C Compact Switch can be encrypted with Cisco SAP.
Q. Is there a requirement for a specific client for user access port encryption?
A. Yes. Cisco AnyConnect
® 3.0 client is required for MACsec encryption on a client.
Hardware and Architecture
Q. What platforms support the Cisco SM-X EtherSwitch Module, and how many service modules can I install in each platform?
A. Table 4 lists the platforms that support the new service module and the maximum number of modules you can install in each platform.
Table 4. Product Specifications
Maximum No. of Ports
2 Single wide
3 Single wide
4 Single wide
Cisco 2911 ISR
Cisco 2921 ISR
Cisco 2951 ISR
Cisco 3925E ISR
Cisco 3945E ISR
Cisco 4451-X ISR
Q. What Small Form-Factor Pluggable (SFP) transceivers are supported?
Q. Do the Cisco SM-X EtherSwitch Modules interoperate with the existing Cisco EtherSwitch Network Modules?
A. It depends on the platform. Cisco SM-X EtherSwitch Modules can coexist with the existing Cisco EtherSwitch Modules in the ISR G2 integrated services routers. The existing service modules (SMs), enhanced network modules (NMEs), and Cisco EtherSwitch Network Modules, however, are not supported in the Cisco 4451-X Integrated Services Router.
Q. Is local switching between two Cisco EtherSwitch Modules supported?
A. Yes, it is supported and is accomplished through the Multigigabit Fabric (MGF), which provides direct 1-Gbps full-duplex connectivity between two Cisco SM-X EtherSwitch Modules through the backplane without CPU involvement. ISR G2 routers support local switching between Cisco EtherSwitch modules of both generations, SM and SM-X.
Q. Is online insertion and removal (OIR) supported?
A. Yes, by using the
oir-stop command-line interface (CLI) commands. The part numbers of the replacement module and the one removed must be the same.
Q. Which Cisco IOS Software releases support the Cisco SM-X EtherSwitch Modules?
A. The Cisco SM-X EtherSwitch Modules require two Cisco IOS Software releases, one for the router and one for the switching module. Table 5 shows the minimum required Cisco IOS Software combinations.
Q. Do the Cisco SM-X EtherSwitch Modules require licensing to enable Cisco IOS Software feature sets?
A. Yes. The Cisco SM-X EtherSwitch Modules run the Universal image, meaning that a license is required to enable the Cisco IOS Software feature sets: LAN Base, IP Base, and IP Services. Note that the proper license comes already installed in the switch from manufacturing as ordered.
Q. Can I upgrade images and feature sets independently on the module and hosting router?
A. Yes, as long as the minimum Cisco IOS Software release requirements are met, you can change images on either the router or the module without affecting the other component. You can upgrade, reboot, and reload each component independently without affecting the other component.
Q. Do I need to load a license file into my switch?
A. When you order a new switch, it will arrive with the proper feature set license already loaded. The only time you need to install a license file into your switch is when you do a feature set upgrade.
Q. How do I request a return materials authorization (RMA) for an IP Services switch?
A. RMAs are done like-for-like by SKU for the Cisco SM-X EtherSwitch models. Currently, there are only LAN Base and IP Base SKUs; therefore, LAN Base and IP Base switches can be replaced, and IP Services switches must be rehosted on site by customers.
Q. How do I purchase the feature-set upgrades for the module?