Cisco WS-C3550-12G Manual page 204

Fixed-Configuration Switches: Cisco Catalyst 3560-X Series
Cisco Catalyst 3560-X Spotlight
Service Module
The new Cisco Service Module offers enhanced
security and Flexible NetFlow (FNF) features on the
uplink ports of the Catalyst 3750-X and 3560-X.
The service module is supported with IP Base or
IP Services feature set. It can be used with SFP or
SFP+ at 1G or 10G speeds. The new Cisco Service
Module has custom dedicated hardware for FNF
monitoring, separate from the dedicated hardware
for MACsec. Therefore, there is no impact on packet
forwarding performance and latency. It offers flexibility,
with the user being able to define flows. The new
Cisco Service Module enables the following
services:
• Line rate (40G) Flexible NetFlow for Network
Monitoring and Security Anomaly Detection
• Supported version 9
• 32,000 simultaneous flows
• 128 simultaneous active monitors
• Line rate (40G) MACsec encryption (please refer
to MACsec section below)
FNF is a network monitoring technology. A
NetFlow table can be used to collect flow statistics.
The flow information can be used by customers for
a variety of use cases like understanding:
1. Applications running on the network, including
identifying undesired applications, P2P, etc.
2. Granular Local and aggregated Campus view
(Top N applications, drill down etc).
3. Top talkers (ports, users, applications) for
application usage, productivity and asset
utilization etc.
4. Security Anomaly Detection by examining flows
that do not traverse trust boundaries, for
inside-the-perimeter attacks
5. Impacts of network and application changes
6. Compliance confirmation
7. Traffic patterns for capacity planning
Enabling FNF at the access switch ensures you
get all flows. The access switch is the most logical
place in the network for collecting statistics and
monitoring all flows. With NetFlow, you can obtain
MAC-address and access port information
associated with the flow, to get directly to the source
of the flow. Most collectors are able to leverage
the location based on MAC-address and interface
port number provided by the access switch to
the collector. Thus by enabling FNF at the access
switch you are able to get the location information of
the flow. The access switch has a variety of identity
mechanisms for user authentication, and adding
user awareness is the natural progression that can
be developed. Access switches outnumber
distribution and core switches by an order of
magnitude, which makes them scale well for FNF
and ensures there are no performance impacts of
oversubscription at aggregation and core.
10GB-T Module
The new Cisco 10G Base-T module is hot-swappable
and can operate at either 10GE or GE speed (with
manual configuration).
MACsec
The Cisco Catalyst 3560-X Series Switches offer
exceptional security with integrated hardware
support for MACsec defined in IEEE 802.1AE.
MACsec provides MAC layer encryption over wired
networks using out-of-band methods for encryption
keying. The MACsec Key Agreement (MKA)
protocol provides the required session keys and
manages the keys required for encryption when
configured. MKA and MACsec are implemented
following successful authentication using 802.1X
Extensible Authentication Protocol (EAP) framework.
In Cisco Catalyst 3560-X Series Switches both the
user/down-link ports (links between the switch and
endpoint devices such as a PC or IP phone) and,
using the service module, the network/up-link ports
can be secured using MACsec. With the service
module you can encrypt switch to switch links such
as access to distribution, or encrypt dark fiber links
within a building or between buildings.