Foundation for Innovation-Powered by Cisco
Figure 1. Catalyst 3560 Series Switches
in Fast Ethernet and Gigabit Ethernet configurations. The Cisco Catalyst 3560 is an ideal access-layer switch for small enterprise LAN access or branch-office environments, combining both 10/100/1000 and PoE configurations for maximum productivity and investment protection while facilitating the deployment of new applications such as IP telephony, wireless access, video surveillance, building management systems, and remote video kiosks. Customers can deploy networkwide intelligent services, such as advanced quality of service (QoS), rate limiting, access control lists (ACLs), multicast management, and high-performance IP routing, while maintaining the simplicity of traditional LAN switching.
IEEE 802.3af and Cisco Prestandard Power over Ethernet
can protect important information, keep unauthorized people off the network, guard privacy, and maintain uninterrupted operation. The Cisco Catalyst 3560 Series supports a comprehensive set of security features for connectivity and access control, including network admission control (NAC), ACLs, Dynamic ARP Inspection, IP Source Guard, VPN Routing/Forwarding Lite (VRF Lite), port-level security, and identity-based network services with 802.1x and extensions. These features increase LAN security; protect passwords and configuration information; offer options for network security based on users, ports, or MAC addresses; and help quicken responses to intruder and hacker detection. NAC helps organizations to limit damage from viruses and worms by enforcing security-policy compliance on endpoint devices.
Availability and Scalability
to meet the needs of future requirements. Implementing routed uplinks to the core will improve network availability by enabling faster failover protection and simplifying the Spanning Tree Protocol algorithm by terminating all Spanning Tree Protocol instances at the aggregator switch. Additionally, routed uplinks allow better bandwidth utilization by implementing equal cost routing (ECR) on the uplinks to perform load balancing. Routed uplinks optimize the utility of uplinks out of the wiring closet by eliminating unnecessary broadcast data flows into the network backbone. Private VLANs improve scalability and provide IP address management benefits and Layer 2 security by partitioning a regular VLAN domain into subdomains. Support for the IPv6 industry standard in the Cisco Catalyst 3560 Series also alleviates address space problems.
Advanced Quality of Service
• The Cisco Catalyst 3560 Series supports Network Admission Control (NAC), an industry initiative sponsored by Cisco Systems® that uses the network infrastructure to enforce security-policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms. Using NAC, organizations can provide network access to endpoint devices such as PCs, personal digital assistants (PDAs), and servers that are verified to be fully compliant with established security policy. NAC can also identify noncompliant devices and deny them access, place them in a quarantined area, or give them restricted access to computing resources.
• Dynamic ARP Inspection and IP Source Guard are security features in the Cisco Catalyst 3560 Series that protect the network from certain man-in-the-middle attacks. Dynamic ARP Inspection validates Address Resolution Protocol (ARP) packets in a network and ensures that only valid ARP requests and responses are relayed. IP Source Guard restricts IP traffic from untrusted sources.
• VPN Routing/Forwarding Lite (VRF Lite) in the Cisco Catalyst 3560 Series helps enable unique VPNs without additional equipment at the customer site.
• The IEEE 802.1x standard supported by the Cisco Catalyst 3560 Series prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.
• Cisco Identity Based Networking Services (IBNS) in the Catalyst 3560 Series prevents unauthorized access and helps ensure that users receive only their designated privileges. It provides the ability to dynamically administer granular levels of network access.
• Secure Shell Protocol Version 2 (SSHv2) and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic, preventing unauthorized users from accessing passwords or configuration information.
• Access control lists (ACLs) can be used to restrict access to sensitive portions of the network by denying packets based on source and destination MAC addresses, IP addresses, or TCP/UDP ports. ACLs can be used to guard against denial-of-service (DoS) and other attacks, and because ACL processing is done in hardware, forwarding performance of the switch is not compromised when implementing ACL-based security.
• Private VLAN edge provides security and isolation between ports on a switch, helping ensure that voice traffic travels directly from its entry point to the aggregation device through a virtual path and cannot be directed to a different port.
• Port security can be used to limit access on an Ethernet port based on the MAC address of the device that is connected to it. It also can be used to limit the total number of devices plugged into a switch port, thereby reducing the risks of rogue wireless access points.
• MAC Address Notification can be used to monitor the network and track users by sending an alert to a management station so that network administrators know when and where users entered the network. The Dynamic Host Configuration Protocol (DHCP) Interface Tracker (Option 82) feature tracks where a user is physically connected on a network by providing both switch and port ID to a DHCP server. Additionally, the DHCP Snooping Option 82 feature enables granular control over IP address assignment by a DHCP server by augmenting a host IP address request so that the DHCP server can make a more sophisticated address assignment.
• TACACS+ or RADIUS authentication facilitates centralized access control of switches and restricts unauthorized users from altering the configurations. Alternatively, a local username and password database can be configured on the switch itself. Fifteen levels of authorization on the switch console and two levels on the Web-based management interface provide the ability to give different levels of configuration capabilities to different administrators.
• Per VLAN Rapid Spanning Tree Plus (PVRST+) allows rapid spanning-tree reconvergence on a per-VLAN spanning-tree basis, without requiring the implementation of spanning-tree instances.
• Flex Links are a pair of Layer 2 interfaces (switch ports or port channels), where one interface is configured to act as a backup to the other. This feature provides an alternative solution to the Spanning Tree Protocol, allowing users to turn off Spanning Tree Protocol and still provide basic link redundancy.
• 802.1s Multiple Spanning Tree Protocol facilitates load balancing and improves network fault tolerance by providing multiple forwarding paths for data traffic. 802.1w Rapid Spanning Tree Protocol provides rapid recovery of uplink connectivity following failure.
• Cisco Hot Standby Router Protocol (HSRP) is supported to create redundant, failsafe routing topologies.
• Equal cost routing (ECR) provides load balancing and redundancy. Basic IP Unicast routing protocols (static, RIPv1, and RIPv2) are supported for small-network routing applications. Advanced IP Unicast routing protocols (OSPF, Interior Gateway Routing Protocol [IGRP], Enhanced IGRP [EIGRP], and Border Gateway Protocol Version 4 [BGPv4]) are supported for load balancing and constructing scalable LANs. IP Services is required.
• Switch port auto-recovery (errdisable) automatically attempts to re-enable a link that is disabled because of a network error.
• The optional Cisco RPS 675 Redundant Power System protects against internal power supply failures.
• IEEE 802.3af and Cisco prestandard PoE support come with automatic discovery to detect a Cisco prestandard or IEEE 802.3af endpoint, negotiate the power to be budgeted for that device, and provide the necessary power, all done by the Cisco Catalyst 3560 Series switch without any user configuration.
• Cisco Smartport macros offer a set of verified feature templates per connection type in an easy-to-apply manner. With these templates, users can consistently and reliably configure essential security, IP telephony, availability, QoS, and manageability features with minimal effort and expertise. Smartport macros simplify the configuration of critical features for Ethernet networks.
• All Cisco Catalyst 3560 Series switches can be managed by the CiscoWorks LAN Management Solution (LMS) applications such as Resource Manager Essentials, Campus Manager, Device Fault Manager, and CiscoView. CiscoWorks LMS is a suite of powerful management tools that simplify the configuration, administration, monitoring, and troubleshooting of large Cisco networks. It integrates these capabilities into a world-class solution for improving the accuracy and efficiency of operations staff, increasing the overall availability of networks through proactive planning, and maximizing network security.
• Cisco Network Assistant software can manage a small network consisting of a diverse array of network devices, such as Cisco routers and Cisco Aironet wireless access points. A few mouse clicks enable the security, availability, and QoS features recommended by Cisco, without the need to consult a detailed design guide. The Security wizard automatically restricts unauthorized access to servers with sensitive data. Cisco Smartports and wizards save hours of time for network administrators, reduce human errors, and help ensure that the configuration of the switch is optimized for these applications. Available at no cost, Cisco Network Assistant can be downloaded from http://www.cisco.com/go/cna.
• The Cisco Express Setup feature simplifies initial configuration, eliminating the need for more complex terminal emulation programs and knowledge of CLI. This reduces the cost of deployment by enabling less-skilled personnel to quickly and simply set up switches.
• The DHCP Server feature enables a convenient deployment option for the assignment of IP addresses in networks that do not have a dedicated DHCP server.
• Voice VLAN allows network administrators to assign voice traffic to a VLAN dedicated to IP telephony, simplifying phone installations and providing easier network traffic administration and troubleshooting.
• Cisco Fast EtherChannel® and Gigabit EtherChannel technology allows for aggregating ports for up to 2 Gbps full duplex on network or server connections. Use Port Aggregation Protocol (PAgP) for automatic configuration. Similarly, Link Aggregation Control Protocol (LACP) allows creation of Ethernet channeling with devices that conform to the IEEE 802.3ad standard.
• Internet Group Management Protocol (IGMP) facilitates monitoring and management of multicast applications (such as e-learning and videoconferencing) while minimizing the performance impact of managing group membership information.
• The Cisco Catalyst 3560 Series supports the IPv6 standard, which increases Internet global address space to accommodate the rapidly increasing number of users and applications that require unique global IP addresses.
• In addition to the larger address space, the Cisco Catalyst 3560 Series switches also make the most of other IPv6 features such as address autoconfiguration, embedded IP Security (IPSec), routing optimized for mobile devices, and Duplicate Address Detection.
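The Dynamic ARP Inspection and IP Source Guard checks described in the security bullets above, as an added Python simulation that is not Cisco code: both features consult the DHCP snooping binding table, so the example builds a constructed binding table, parses a raw ARP payload, and shows which packets an untrusted port would relay or drop. Port names, MAC addresses and IP addresses are constructed sample values.

```python
import struct
from collections import namedtuple
# DHCP snooping binding rows (learned from DHCP ACKs); constructed sample data.
Binding = namedtuple("Binding", "mac ip vlan port")
BINDING_TABLE = [
    Binding("00:11:22:33:44:55", "10.0.1.10", 10, "Fa0/1"),
    Binding("00:11:22:33:44:66", "10.0.1.11", 10, "Fa0/2"),
]
TRUSTED_PORTS = {"Gi0/1"}  # uplink toward the DHCP server; DAI/IPSG skip it

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload (RFC 826 layout) into its fields."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": oper, "sha": _mac(sha), "spa": _ip(spa),
            "tha": _mac(tha), "tpa": _ip(tpa)}

def dai_check(port, vlan, eth_src_mac, arp_payload):
    """Dynamic ARP Inspection decision for one ARP packet: (allowed, reason)."""
    if port in TRUSTED_PORTS:
        return True, "trusted port: not inspected"
    arp = parse_arp(arp_payload)
    # Optional extra check (IOS 'ip arp inspection validate src-mac'):
    # the ARP sender MAC must equal the Ethernet source MAC.
    if arp["sha"] != eth_src_mac:
        return False, "ARP sender MAC differs from Ethernet source MAC"
    for b in BINDING_TABLE:
        if (b.vlan, b.port, b.mac, b.ip) == (vlan, port, arp["sha"], arp["spa"]):
            return True, "sender MAC/IP matches DHCP snooping binding"
    return False, "no binding for sender MAC/IP on this port: dropped"

def ipsg_check(port, vlan, src_mac, src_ip):
    """IP Source Guard: permit an IP packet only if its source IP and MAC
    were bound to this port and VLAN by DHCP snooping."""
    if port in TRUSTED_PORTS:
        return True
    return any((b.port, b.vlan, b.mac, b.ip) == (port, vlan, src_mac, src_ip)
               for b in BINDING_TABLE)

def build_arp(op, sha, spa, tha, tpa):
    """Construct a sample ARP payload for the demo (op 1 = request, 2 = reply)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
```

A reply whose sender IP is not bound to the ingress port (for example one claiming the gateway address) is dropped on an untrusted port, while the same frame arriving on the trusted uplink is relayed uninspected.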
Advanced Quality of Service
• The Cisco Catalyst 3560 Series can identify traffic flows or traffic groups, and classify or reclassify these groups using Differentiated Services Code Point (DSCP) in the IP packet and the 802.1p class of service (CoS) field in the Ethernet packet.
• Users can mitigate DoS attacks by assigning a minimal bandwidth queue to "scavenger traffic" or unimportant traffic used for peer-to-peer media sharing, gaming, or any entertainment video applications. This reduces scavenger traffic during periods of congestion, but allows it to be available if bandwidth is not being used for business purposes, for example during off-peak hours.
• Rate limiting gives control over the amount of bandwidth across any configured interface, for appropriate distribution of available bandwidth.
• Four egress queues help network administrators to be more discriminating and specific in assigning priorities for the various applications on the LAN. Scheduling is performed in egress to assign the appropriate queues to the outgoing packets.
• Shaped Round Robin (SRR) scheduling helps ensure differential prioritization of packet flows by intelligently servicing the ingress queues and egress queues.
• Weighted Tail Drop (WTD) provides congestion avoidance at the ingress and egress queues before a disruption occurs.
• 64 policers per 10/100 or Gigabit Ethernet port can be used to allocate bandwidth based on source or destination IP address, MAC address, or TCP/UDP port number.
CISCO CATALYST 3560 SERIES SWITCHES
Table 1. Cisco Catalyst 3560 Series Switches
FOR MORE INFORMATION