Table of Contents
Cisco SM-X Layer 2/3 EtherSwitch Service Module (ESM) Configuration Guide for Cisco 2900 and Cisco 3900 Series ISRs
The Cisco SM-X Layer 2/3 EtherSwitch Service Modules (Cisco SM-X Layer 2/3 ESM) integrates the Layer 2 and Layer 3 switching features and provide the Cisco 2900 series and Cisco 3900 series ISRs the ability to use the Cisco SM-X Layer 2/3 ESM as an independent Layer 3 switch when running the Cisco IOS software.
The Cisco SM-X Layer 2/3 ESMs are capable of providing up to 30 watts of power per port with the robust Power over Ethernet Plus (PoE+) feature along with IEEE 802.3ae Media Access Control Security (MACSec) port-based, hop-to-hop, encryption, and Cisco TrustSec (CTS) that work on multiple router families
The Cisco SM-X Layer 2/3 ESM can co-exist with EtherSwitch service modules from previous releases on the host Cisco 2900 and 3900 series ISRs and these modules are capable of interoperability with each other. Support for the maximum number of service modules that can be present on the 2900 and 3900 series ISRs is dictated by the total number of service module slot count on the host router.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
The Cisco IOS version on the Cisco SM-X Layer 2/3 ESMs must be compatible with the Cisco IOS software release and feature set on the router. See the Feature History for Cisco SM-X Layer 2/3 ESM (SM-X-ES3-16-P and SM-X-ES3-24-P).
Note For a list of Switch IOS feature documentation with information on various supported features on your Cisco SM-X Layer 2/3 ESM, see the Related Documents
Cisco SM-X Layer 2/3 ESM are modules to which you can connect devices such as Cisco IP phones, Cisco wireless access points, workstations, and other network devices such as servers, routers, and switches.
- SM-X-ES3-16-P—16-port 10/100/1000 Gigabit Ethernet, PoE+, MACSec enabled Service Module, single-wide form factor
- SM-X-ES3-24-P—24-port 10/100/1000 Gigabit Ethernet, PoE+, MACSec enabled Service Module, single-wide form factor
- SM-X-ES3D-48-P—48-port, 10/100/1000 Gigabit Ethernet, 100/1000 Mbps SFPs, PoE+, MACSec enabled Service Module, double-wide form factor
For complete information about the Cisco SM-X Layer 2/3 ESMs hardware,
see the Connecting Cisco SM-X Layer 2/3 ESMs to the Network guide.
The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices. Each device in the cloud is authenticated by its neighbors. Communication on the links between devices in the cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. Cisco TrustSec also uses the device and user identification information acquired during authentication for classifying, or coloring, the packets as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic. See Configuring Cisco TrustSec Chapter in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later.
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents clients from connecting to a LAN through publicly accessible ports unless they are authenticated. The authentication server authenticates each client connected to a port before making available any services offered by the router or the LAN.
Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic can pass through the port. See Configuring IEEE 802.1x Port-Based Authentication Chapter in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later for information on configuring this feature.
The Cisco SM-X Layer 2/3 ESM utilizes the Cisco licensing software activation mechanism for different levels of technology software packages. This mechanism is referred to as technology package licensing and leverages the universal technology package based licensing solution. A universal image containing all levels of a software package is loaded on your Cisco SM-X Layer 2/3 ESM.
- LAN Base: Enterprise access Layer 2 switching features
- IP Base: Enterprise access Layer 3 switching features
- IP Services: Advanced Layer 3 switching (IPv4 and IPv6) features.
You can deploy a specific feature package by applying corresponding software activation licenses. See Upgrading your License Using Right-To-Use Features for more information on licensing and software activation.
Media Access Control Security (MACsec) encryption is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. MACsec encyprtion is defined in 802.1AE to provide MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. Only host facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.
The Cisco SM-X Layer 2/3 ESM supports 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the module and host devices. The module also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional). See Configuring MACsec Encryption Chapter in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later for information on configuring this feature.
The Cisco SM-X Layer 2/3 ESM is capable of providing power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices (PD) from Power over Ethernet (PoE)-capable ports when the switch detects that there is no power on the circuit.
The ESM supports IEEE 802.3at (PoE+), that increases the available power for PDs from 15.4W to 30 W per port. For more information, see the Power over Ethernet Ports . The PoE plus feature supports the cisco discovery protocol (CDP) with power consumption reporting and allows the PDs to notify the amount of power consumed. The PoE plus feature also supports the link layer discovery protocol (LLDP)
The PoE plus feature enable automatic detection and power budgeting; the switch maintains a power budget, monitors, and tracks requests for power, and grants power only when it is available. See the Configuring the External PoE Service Module Power Supply Mode section in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later.
The power policing or power sensing feature allows you to monitor the real-time power consumption. On a per-PoE port basis, the switch senses the total power consumption, polices the power usage, and reports the power usage. For more information on this feature, see Power Monitoring and Power Policing section in the Catalyst 3560 Switch Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later
The Cisco SM-X Layer 2/3 ESM supports the Smart Install feature. The Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.
A network using Smart Install includes a group of networking devices, known as clients, that are served by a common Layer 3 switch or router that acts as a director. In a Smart Install network, you can use the Zero-Touch Installation process to install new access layer switches into the network without any assistance from the network administrator. The Smart Install Configuration Guide provides detailed information on configuring and using this feature.
The online insertion and removal (OIR) feature allows you to insert or remove your Cisco SM-X Layer 2/3 ESM from a router. The Cisco SM-X Layer 2/3 ESM must be gracefully powered down before removing it from the router using the managed OIR or soft OIR feature. The managed OIR feature allows you to stop the power supply to your module using the hw-module sm command and remove a module from one of the subslots while other active modules remain installed on the router.
The oir-stop option allows you to gracefully deactivate a module and the module is rebooted when the- oir-start option of the command is executed. The reload option will stop or deactivate a specified module and restart it. See the Shutting Down, Resetting, and Reloading the Cisco SM-X Layer 2/3 ESM for more information.
Cisco SM-X Layer 2/3 ESM manages the layer 2 switching properties such as access, trunk, and dynamic mode with the help of the two MGF ports, GE0 and GE1. The MGF port use certain switchport CLI to perform different functions for different modes. For example, the access mode is used for end devices, trunk mode is used for lines between switches and other lines that send multiple VLANs over a single connection, and the dynamic mode automatically detects what kind of device is connected and initiate its port accordingly.
When there are no legacy switch modules such as the HWIC-4ESW module in the router, a 2nd GE interface gigabitethernet slot/1 is created for the SM. This is a Layer-2 switch interface and used to manage the inter module connectivity with other SM in the system via the backplane MGF. You can use the switchport CLIs to manage the L2 switch properties (e.g. access mode, trunk mode, native vlan etc.) for this interface.
Note You can install up to one Cisco SM-X-ES3-16-P or SM-X-ES3-24-P in Cisco 2911 routers and in Cisco 2921 routers. You can install up to two Cisco SM-X-ES3-16P or SM-X-ES3-24-P in Cisco 2951 and Cisco 3925 routers. You can install up to four Cisco SM-X-ES3-16-P or SM-X-ES3-24-P ESMs in Cisco 3945 routers.
The Figure 1 below displays the internal port mapping for the Cisco SM-X Layer 2/3 ESM for the Cisco ISR G2. The variable “x” indicates the slot number where the Cisco SM-X-ES3-24-P and Cisco SM-X- ES3-16-P SKUs of the module are inserted on Cisco 3945 ISR G2.
- Accessing the CLI Through a Console Connection or Through Telnet (required)
- Configuring the Cisco SM-X Layer 2/3 ESM in the Router
- Monitoring Real-Time Power Consumption (power sensing)
- Shutting Down, Resetting, and Reloading the Cisco SM-X Layer 2/3 ESM
- Understanding Interface Types on the Cisco SM-X Layer 2/3 ESMs (optional)
Before you can access the Cisco SM-X Layer 2/3 ESM CLI, you must connect to the host router through the router console or through Telnet. Once you are connected to the router, you must configure an IP address on the Gigabit Ethernet interface connected to the Cisco SM-X Layer 2/3 ESM. Open a session to the Cisco SM-X Layer 2/3 ESM using the service-module gigabitethernet x/0 session command in privileged EXEC mode on the router.
- Connect to the router console using Telnet or Secure Shell (SSH) and open a session to the switch using the service-module gigabitethernet x/0 session command in privileged EXEC mode on the router.
- Use any Telnet TCP/IP or encrypted SSH package from a remote management station. The internal interface must have network connectivity with the Telnet or SSH client, and the internal interface must have an enable secret password configured. After you connect through the CLI, a Telnet session, or an SSH session, the user EXEC prompt appears on the management station.
The Cisco SM-X Layer 2/3 ESM or switch supports up to 5 simultaneous secure SSH sessions and up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.
- To configure an IP address and subnet mask for Gigabit Ethernet interface (gigabitethernet 1/0) on the router, use the following command:
This section describes the different types of interfaces supported by the Cisco SM-X Layer 2/3 ESM with references to chapters that contain more detailed information about configuring these interface types.
This section describes how to perform the initial configuration on the router with a Cisco SM-X Layer 2/3 ESM installed. This section also describes the initial configuration on the Cisco SM-X Layer 2/3 ESM itself. Once an IP address has been configured on the Gigabit Ethernet interface on the router (representing the Cisco SM-X Layer 2/3 ESM), you can open a console session to the Cisco SM-X Layer 2/3 ESM and configure its Gigabit Ethernet interface for Layer 2 or Layer 3 features.
Note During auto boot loader operation, you are not presented with the boot loader command-line prompt. You gain access to the boot loader command line if the switch is set to boot manually or, if a corrupted Cisco IOS image is loaded. You can also access the boot loader if you have lost or forgotten the switch password.
Note The argument slot indicates the number of the router chassis slot for the service module. The argument unit indicates the number of the daughter card on the service module. For Cisco SM-X Layer 2/3 ESMs, always use 0.
- Sample Output for the service-module gigabitethernet shutdown Command
- Sample Output for the service-module gigabitethernet reset Command
- Sample Output for the service-module gigabitethernet reload Command
Cisco SM-X Layer 2/3 ESMs’ hardware allows the ESM to accurately monitor the real-time power consumption on each port by measuring the port current as well as the voltage while the powered devices such as IP phones and wireless access points are powered up.
If a powered device is misbehaving by consuming more power than the actual configured value, you can take an appropriate ‘action’ by enabling the power policing or sensing feature on a port using the power inline (config-if) command. The ‘action’ is either “logging a warning message” (also knows as lax policing) or shutting down a misbehaving port (strict policing). The ESM constantly monitors the power drawn by the powered devices and takes appropriate action on misbehaving ports. You can monitor the power drawn by the powered devices through show power inline CLI.
You can monitor the power drawn at the router level through show power inline command on the Cisco ISR-G2 routers. To monitor port-level power consumption use the show power inline command on the Cisco SM-X Layer 2/3 ESM in Exec mode.
When power policing is enabled on a port, you can pick a cutoff power value of “x” watts per port and choose an ‘action’ to be taken on the misbehaving ports. Power policing is disabled by default on all ports.
Note You must take the cable loss into consideration when configuring the power monitoring or power policing value for a given port of the switch. There might be some cable loss while configuring power cutoff value at the PSE. The switch can only police the power drawn at the PSE RJ45 port and not the actual power consumed by the powered device.
- Because the switch can only monitor the power drawn at the PSE RJ45 port and not what the PD actually consumes, you must plan for the worst case cable loss when configuring the power cutoff value.
- When power drawn by the power devices exceeds the maximum limit after a period of 1 second or more, the system considers the ports as, “misbehaving ports” and shuts down the power supply.
- Establish connectivity from your ESM’s front panel port to the TFTP server where the desired switch Cisco.com image is stored
- Copy the switch image (available on Cisco.com) to the router’s flash and copy this image to ESM flash through TFTP.]
Loading ciscouser/c3560e-universalk9-mz from 172.16.1.100 (via GigabitEthernet0/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!O!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note IP address here should in the same subnet as mentioned in the example in Step 5.
- Recovering from a Corrupted Software Image Using Recovery Image
- Recovering from a Lost or Forgotten Password
- Recovering from a Lost or Forgotten Password When Password Recovery Is Disabled
The Cisco SM-X Layer 2/3 EtherSwitch Service Module software can get corrupted when downloading a wrong file during the software upgrade process and when the image is invalid or even when there is no image available.
The load_ recovery command boots the ESM with an IOS image (recovery image). Once the ESM is booted, desired Cisco.com switch image can be copied to the ESM flash through TFTP from the router’s flash or through the ESM front panel switch ports.
Loading "rs:/c3560e-universalk9-mz.recovery_04302013"...Verifying image rs:/c3560e-universalk9-mz.recovery_04302013......................................................................................................................................................................................................................................................................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
Now you can upgrade to a new switch image, see the Upgrading the Cisco SM-X Layer 2/3 ESM Software.
During auto boot loader operation, you are not presented with the boot loader command-line prompt. You gain access to the boot loader command line if the switch is set to manually boot or, if an error occurs, the operating system (a corrupted Cisco IOS image) is loaded. You can also access the boot loader if you have lost or forgotten the switch password.
Note The default configuration for Cisco SM-X Layer 2/3 ESMs allows an end user to recover from a lost password. The password recovery disable feature allows the system administrator to protect access to the switch password by disabling part of this functionality and allowing the user to interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, the user can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.
When password recovery is disabled, access to the boot loader prompt through the password-recovery mechanism is disallowed even though the password-recovery mechanism has been triggered. If you agree to let the system be reset to the default system configuration, access to the boot loader prompt is then allowed, and you can set the environment variables.
Loading "flash:c3560e-universalk9-mz"...Verifying image flash:c3560e-universalk9-mz ......................................................................................................................................................................................................................................................................................................................
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.