Cisco CD-3550-EMI, Datasheet

Page: 4 / 18

© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 4 of 18
aggregator switch. If one of the uplinks fails, quicker failover to the redundant uplink can be achieved via a scalable routing protocol such as Open
Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP) rather than relying on standard Spanning-Tree Protocol
convergence. Redirection of a packet after a link failure via a routing protocol results in faster failover than a solution that uses Layer 2 Spanning
Tree enhancements. Additionally, routed uplinks allow better bandwidth utilization by implementing equal cost routing (ECR) on the uplinks to
perform load balancing. This results in dynamic load balancing in a part of the network that often acts as the bottleneck. And, routed uplinks
optimize the utility of uplinks out of the wiring closet by eliminating unnecessary broadcast data flows into the network backbone.
The Catalyst 3550 also offers dramatic bandwidth savings as a stackable wiring closet switch in a multicast environment. Using routed uplinks to the
network core will eliminate the requirement to transmit multiple streams of the same multicast from the upstream content servers to the wiring
closet. For example, if three users are assigned to three separate virtual LANs (VLANs) and they all want to view multicast ABC, then three streams
of multicast ABC are required to be transmitted from the upstream router to the wiring closet switch—assuming the wiring closet switch is not
capable of routed uplinks. Deploying IP routing to the core with Catalyst 3550 switches allows users to create a scalable, multicast- rich network.
NETWORK SECURITY THROUGH ENHANCED SECURITY FEATURES
The Cisco Catalyst 3550 Series switches offer enhanced data security through a wide range of security features that protect network management
and administrative traffic, secure the network from unauthorized users, provide granular levels of network access to users, and track where users
are located.
Secure Shell (SSH), Kerberos, and Simple Network Management Protocol version 3 (SNMPv3) encrypt administrative and network management
information, thereby protecting it from tampering or eavesdropping. Terminal Access Controller Access Control System () or Remote
Access Dial-In User Service (RADIUS) authentication enables centralized access control of switches and restricts unauthorized users from altering
the configurations. Alternatively, a local username and password database can be configured on the switch itself. Fifteen levels of authorization on
the switch console and two levels on the web-based management interface provide the ability to give different levels of configuration capabilities
to different administrators.
Port security and 802.1x provide the ability to keep unauthorized users from accessing the network. Port security limits access on an Ethernet port
based on the MAC address of the device that is connected to it. It can also be used to limit the total number of devices plugged into a switch port,
thereby reducing the risks of rogue wireless access points or hubs. 802.1x can be used to authenticate users based on username and password (or
other credentials) via a centralized RADIUS server. This is particularly useful for a mobile workforce because the authentication will be executed
regardless of where the user connects to the network.
ACLs restrict access to sensitive portions of the network by denying packets based on source and destination MAC addresses, IP addresses, or
TCP/UDP ports. ACL lookups are done in hardware; therefore, forwarding and routing performance is not compromised when implementing ACL-
based security in the network. Catalyst 3550 Series switches offer VLAN, router and port-based ACLs. Deploying ACLs can be done through Cisco
CMS Software Security Wizards, which in a few easy steps can restrict user access to a server, a portion of the network, or the usage of certain
applications.
Identity-based Networking Services (IBNS) provide the ability to dynamically administer granular levels of network access. Leveraging the 802.1x
standard and Cisco’s Access Control Server (ACS), when users authenticate they can be assigned a VLAN and/or an ACL regardless of where they
connect to the network. This functionality allows IT departments to enable strong security policies without compromising user mobility and with
minimal administrative overhead.
The MAC Address Notification feature can be used to monitor the network and track users by sending an alert to a management station so that
network administrators know when and where users entered the network. The Dynamic Host Configuration Protocol (DHCP) Interface Tracker
(Option 82) feature tracks where a user is physically connected on a network by providing both switch and port ID to a DHCP Server.