All stock codes associated with this product
SMXES324P, SM-X-ES3-24-P
Cisco SM-X-ES3-24-P SM-X Layer 2/3 EtherSwitch Service Module
Overview
The Cisco SM-X Layer 2/3 EtherSwitch Service Module can reduce your company's total cost of
ownership (TCO) by integrating Gigabit Ethernet (GE) ports within the Cisco
4451-X and Cisco 3900 and 2900 Series Integrated Services Routers (ISRs). This
integration allows network administrators to manage a single device using Cisco
management tools or the router command-line interface (CLI) for LAN and WAN
management needs. This approach reduces network complexity, lowers maintenance
contract costs, lessens staff training needs, simplifies software qualification
efforts, increases availability, and delivers a consistent user experience at
branch offices and headquarters.
The Cisco SM-X Layer 2/3 EtherSwitch Modules are an enterprise-class
line of switches in Cisco ISR extended service module form factor for the
Cisco 2900 and 3900 Series and Cisco 4451-X ISRs. These Cisco EtherSwitch
Service Modules greatly expand the capabilities of the router by integrating
industry-leading Layer 2 and Layer 3 switching with feature sets identical to
those found in the Cisco Catalyst 3560-X Series.
The new Cisco SM-X Layer 2/3 EtherSwitch Service Modules
take advantage of the increased capabilities on the Cisco Catalyst 3560-X Series
Switches and provide scalability, security, energy efficiency, and ease of
operation with innovative features such as Cisco TrustSec and Media Access Control Security (MACsec) features.
Additionally, these service modules enable Cisco's industry-leading power
initiatives with IEEE 802.3at Power over Ethernet Plus (PoE+) configurations and
per-port PoE power monitoring - all of which enhance the ability of the branch
office to scale to next-generation requirements and still meet important
initiatives for IT teams to operate a power efficient network. Furthermore, the
Cisco Enhanced EtherSwitch Service Modules not only perform local line-rate
switching and routing but also support direct service module-to-service module
communication through the Integrated Services Routers Generation 2 (ISR G2)
Multigigabit Fabric (MGF), which separates LAN traffic from WAN
resources.
Because the Cisco SM-X Layer 2/3 EtherSwitch Service Modules
support the same feature sets as the Cisco Catalyst 3560-X Switches, you can
provide a ubiquitous configuration at headquarters and at the branch office to
create a consistent experience throughout your network.
Cisco SM-X EtherSwitch Service Modules
Cisco SM-X Layer 2/3 EtherSwitch Service Module Software
In addition to IP Base and IP Services feature sets, the
Cisco SM-X Layer 2/3 EtherSwitch Modules come with a new LAN Base feature set.
The three feature sets available with all Cisco SM-X EtherSwitch Modules
follow:
- LAN Base: Enterprise access Layer 2 switching features
- IP Base: Baseline enterprise access Layer 3 switching features
- IP Services: Advanced Layer 3 switching (IPv4 and IPv6) features
The LAN Base feature set includes comprehensive Layer
2 features, with up to 255 VLANs. The IP Base feature set provides baseline
enterprise services in addition to all LAN Base features, with 1000 VLANs. IP
Base also includes support for routed access and MACsec. The IP Services feature
set provides full enterprise services that include advanced Layer 3 features
such as Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path
First (OSPF), Border Gateway Protocol (BGP), Protocol Independent Multicast
(PIM), and IPv6 routing such as OSPFv3 and EIGRPv6. All software feature sets
support advanced security, quality of service (QoS), and management
features.
Features and Benefits
The Cisco SM-X Layer 2/3 EtherSwitch Service Module
helps ensure maximum availability, high performance, ease of upgrade, and
expandability. The modules have their own processors, switching engines, and
flash memory that run independently of host router resources, helping ensure
maximum concurrent switching and routing performance as well as providing
integrated PoE+, security, and increased ease of management. Additionally, Cisco
SM-X EtherSwitch Service Modules run their own Cisco IOS Software, independent of the router Cisco IOS Software
image, allowing for easy upgrades and ongoing software and feature commonality
with Cisco Catalyst 3560-X Series Switches. Table 1 lists some of the features
and benefits of this architecture.
When inserted within a Cisco 2900 or 3900
Series or Cisco 4451-X Integrated Services Router, the Cisco SM-X EtherSwitch
Service Modules provide a fully integrated, secure networking and converged IP
communications solution. From a single platform with an integrated switch, you
can connect IP phones, wireless access points, and IP-based video cameras to
your network and power them using the IEEE 802.3af or IEEE 802.3at PoE+. With
the optional integration of Cisco Unified Communications Manager Express, the
router can also provide call processing for the
phones.
As users attempt network access through the
Cisco Enhanced EtherSwitch Service Module, the module can use IEEE 802.1x and a
large number of Cisco 802.1x extensions to validate the credentials of the end
device and place the user in the appropriate VLAN or Cisco TrustSec group. As
the end-user data traverses between the switch module and other network entities
or between buildings, this traffic can be encrypted at Layer 2 using
MACsec.
How Cisco SM-X EtherSwitch Service Module Addresses Customer Needs
Customer Needs | How Addressed by Cisco Enhanced EtherSwitch Service Module |
Green IT | Cisco EnergyWise technology; Single power supply for Cisco EtherSwitch device and router | Cisco EnergyWise technology enables Cisco EtherSwitch devices to automatically reduce off-peak use of PoE. The modules offer two to eight times lower power consumption than standalone switches. Because no additional rack space or power supply is needed, there is less to rack, stack, and cool. |
Total TCO | Scaling network infrastructure across multiple sites; Increasing costs of operating multiple devices at the branch office; Maximizing IT resources | An integrated switch solution lowers operating costs, simplifies troubleshooting, and enables businesses to scale. Cisco Catalyst 3560-X software parity enables IT to certify and deploy the same services at the main office and branch office. The modules offer lower mean time to repair (MTTR). One vendor means one support center to decrease troubleshooting time and eliminate finger pointing among vendors. Cisco SMARTnet support covers both integrated services routers and Cisco EtherSwitch devices. |
Investment Protection | Ensuring compatibility of your network with future networks to deliver leading technology | The Cisco SM-X EtherSwitch Service Module and Cisco Catalyst 3560-X features, schedule, and roadmap are aligned to provide a consistent user experience and to help ensure no new hardware is required to support the latest innovations. |
High Availability | Minimizing downtime that affects business operations | Cisco SM-X EtherSwitch Service Modules run their own Cisco IOS Software images and can be upgraded independent of the host router image. A single-box solution simplifies remote management and improves services interoperability to help ensure the highest reliability for all users. End-to-end testing for standards-based and innovative Cisco proprietary features provides superior services interoperability and excellent value. The modules will use the optional redundant power supplies in Cisco ISRs, including an integrated redundant power system (RPS) on the Cisco 4451-X and Cisco 3900 Series and external Cisco Redundant Power System 2300 (RPS 2300) support on the Cisco 2911 through Cisco 2951 ISRs. Fewer components (for example, power supplies and fans) results in fewer failures and less downtime. Mean Time Between Failure (MTBF) is at least twice as high as that for a standalone switch. |
Scalability with High-Performance IP Routing for the LAN (IP Base and IP Services) | Isolation of LAN traffic and route between VLANs on the Cisco SM-X EtherSwitch Service Module | Cisco Express Forwarding hardware routing architecture delivers extremely high-performance IP routing and promotes scalability. The modules offer inter-VLAN IP routing with full local Layer 3 switching between two or more VLANs. Traffic can be forwarded between service modules over the MGF without affecting the router CPU. |
Advanced PoE Support
PoE removes the need for wall power to each PoE-enabled device and eliminates
the cost for additional electrical cabling and circuits that would otherwise be
necessary in IP phone and wireless LAN (WLAN) deployments.
Although PoE has been employed for more than a decade, it is still an
evolving technology. New and innovative applications continue to raise
expectations for power requirements.
IEEE 802.3at Power over Ethernet
In addition to 802.3af PoE, the Cisco Enhanced EtherSwitch Service Modules
support PoE+ (IEEE 802.3at standard), which provides up to 30W of power per
port. The Cisco SM-X EtherSwitch Service Modules can thereby provide a lower TCO
for deployments that incorporate Cisco IP Phones, Cisco Aironet wireless LAN access points, or any IEEE
802.3af-compliant end device.
PoE+ enabled ports can, in addition to PoE+ 30W, also be used to
deliver power for current PoE and enhanced ePoE solutions.
Table 2 gives information about total PoE power output. Depending on
the Cisco 2900, 3900, or 4451-X router model, the available PoE power ranges
from 200 to 1014 watts. Additional PoE features include the
following:
- Per-port power consumption control allows you to specify a
maximum power setting on an individual port.
- Per-port PoE power sensing measures the actual power being
drawn, enabling more intelligent control of powered devices.
- The Cisco PoE MIBs provide proactive visibility into power
usage and allow you to set different power-level thresholds.
- Cisco Discovery Protocol Version 2 allows the Cisco SM-X EtherSwitch
Service Modules to negotiate a more granular power setting than IEEE
classification provides when connecting to a Cisco powered device such as IP
phones or access points.
- The Link Layer Discovery Protocol Media Endpoint Discovery
(LLDP-MED) protocol and MIB enable interoperability in
multivendor networks. Switches exchange speed, duplex, and power settings with
end devices such as IP phones.
Power over Ethernet requires the PoE versions of the router power
supplies (see Table 3). The Cisco 2900, 3900, and 4451-X routers support
multiple PoE powering modes:
- Normal: One PoE power supply.
- Redundant: Two PoE internal power supplies (Cisco 4451-X and
Cisco 3900 Series) or one PoE power supply plus an external Cisco RPS 2300
Redundant Power Supply Unit (Cisco 2911, 2921, and 2951), where one is active
and one is standby.
- Boost: Two PoE internal power supplies (Cisco 4451-X and Cisco
3900 Series) or one PoE power supply plus an external Cisco RPS 2300 (Cisco
2900), where both are actively supplying PoE power; redundancy will not be
supported in this mode because both power supplies are in active use
simultaneously.
Security Features of Cisco SM-X EtherSwitch Service Module
Feature | Benefit |
Dynamic ARP Inspection (DAI) | DAI helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the Address Resolution Protocol (ARP). |
DHCP Snooping | This feature prevents malicious users from spoofing a Dynamic Host Configuration Protocol (DHCP) server and sending out bogus addresses. Other primary security features use DHCP Snooping to prevent numerous other attacks such as ARP poisoning. |
IP Source Guard | IP Source Guard prevents a malicious user from spoofing or taking over another user's IP address by creating a binding table between the client's IP and MAC address, port, and VLAN. |
Private VLANs | Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multiaccess-like segment. Private VLAN Edge provides security and isolation between switch ports, helping ensure that users cannot snoop on other users' traffic. These features are available in the IP Base and IP Services license levels. |
Unicast Reverse Path Forwarding (URPF) | This feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. This feature is available in the IP Base and IP Services license levels only. |
IEEE 802.1x | IEEE 802.1x allows dynamic, port-based security, providing user authentication. IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected. IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port. IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including that of the client. IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected. IEEE 802.1x with guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN. Web authentication for non-802.1x clients allows non-802.1x clients to use an SSL-based browser for authentication. |
Cisco TrustSec security | Cisco TrustSec classification and policy enforcement functions are embedded in the Cisco Enhanced EtherSwitch Service Modules. Cisco TrustSec security simplifies the provisioning and management of secure access to network services and applications by classifying traffic based on the contextual identity of the endpoint versus its IP address. It enables more flexible access controls for dynamic networking environments. Cisco TrustSec security defines policies using logical policy groupings, so secure access is consistently maintained even as resources are moved in mobile and virtualized networks. De-coupling access entitlements from IP addresses allows common access policies to be applied to wired, wireless, and VPN access consistently. |
MACsec | Exceptional security with integrated hardware support for MACsec is defined in IEEE 802.1AE. MACsec provides MAC layer encryption over wired networks using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the keys required for encryption when configured. MKA and MACsec are implemented following successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. In Cisco Enhanced EtherSwitch Service Modules, both the user and down-link ports (links between the switch and endpoint devices such as a PC or IP phone) as well as the network and up-link ports can be secured using MACsec. With MACsec you can encrypt switch-to-switch links such as access to distribution, or encrypt dark fiber links within a building or between buildings. |
Multidomain authentication | Multidomain authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on the appropriate voice and data VLAN. |
MAC Authentication Bypass (MAB) | MAB for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using the MAC address. This feature is available in the IP Base and IP Services license levels only. |
Advanced ACLs | Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs. This feature is available in the IP Base and IP Services license levels only. Cisco standard and extended IP Security router ACLs define security policies on routed interfaces for control- and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic. This feature is available in the IP Base and IP Services license levels only. Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports. |
Administrative traffic protection | Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions. Some of these features are available in the IP Base and IP Services license levels only. |
Switched Port Analyzer (SPAN) | Bidirectional data support on the SPAN port allows the Cisco Intrusion Detection System (IDS) to take action when an intruder is detected. |
Centralized authentication | TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration. |
MAC address authentication | MAC address notification allows administrators to be notified of users added to or removed from the network. |
Port security | Port security secures the access to an access or trunk port based on MAC address. |
Console security | Multilevel security on console access prevents unauthorized users from altering the switch configuration. |
Bridge Protocol Data Unit (BPDU) Guard | BPDU guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops. |
Spanning-Tree Root Guard | This feature prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes. |
Internet Group Management Protocol (IGMP) Filtering | IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port. |
Dynamic VLAN Assignment | Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server client capability to provide flexibility in assigning ports to VLANs. Dynamic VLAN facilitates the fast assignment of IP addresses. |
Summary
Cisco SM-X Layer 2/3 EtherSwitch Service Modules enable a higher level of
control and security with the introduction of Cisco TrustSec security and
MACsec. Cisco TrustSec security provides more scalable and advanced
authentication of users, whereas MACsec introduces automatic encryption of
switch-to-switch traffic. Cisco SM-X EtherSwitch Service Modules also offer
enhanced PoE power levels with the introduction of IEEE 802.3at PoE+, broadening
the span of network equipment powered from the switch.
By minimizing operating expenses (OpEx) without sacrificing any advanced
switching features, Cisco SM-X EtherSwitch Service Modules can help you maximize
your return on investment (ROI) for the network infrastructure and accelerate
the deployment of productivity-enhancing services to your enterprise branch
offices or small to midsize business offices.
Specifications
Model | SM-X-ES3-24-P |
Gigabit Ethernet Ports | 24 |
Layer 2 Switching | LAN Base |
Layer 2/3 Switching | IP Base |
PoE/PoE+ | X |
Service Module Width | Single |
Cisco IOS Software Release Module Support
Model | SM-X-ES3-24-P |
Default Software | LAN Base |
Minimum Cisco EtherSwitch Release | 15.0(2)EJ |
Minimum Cisco IOS M&T Software Release | 15.3(3)M |
Minimum Router Cisco IOS XE Software Release | 3.1 |
Module Specifications
Model | SM-X-ES3-24-P |
Dimensions: Wide x Deep x High (cm) | 20.6 x 20.7 x 4.0 |
Weight (kg) | 0.9 |
Operational Temperature | 0 to 40°C |
Nonoperational Temperature | -20 to 65°C |
Operational Humidity | 5 to 85% |
Nonoperational Humidity | 5 to 95% |
Ordering Information
Part Number | SM-X-ES3-24-P |
Description | SM-X EtherSwitch SM, Layer 2/3 switching, 24 ports Gigabit GE, PoE+ capable |
Step One: License Product ID |
Step 2: Choose Upgrade License Product ID |
Product Number and Description |
Product Number |
Product Description |
C3560X-LIC= |
SM-X EtherSwitch LAN Base to IP Base |
(License Product ID for SM-X EtherSwitch Modules) |
C3560X-24-L-S |
SM-X-ES3-24-P LAN Base to IP Base Paper License |
|
SM-X EtherSwitch LAN Base to IP Service |
|
C3560X-24-L-E |
SM-X-ES3-24-P LAN Base to IP Service Paper License |
|
SM-X EtherSwitch IP Base to IP Service |
|
C3560X-24-S-E |
SM-X-ES3-24-P IP Base to IP Service Paper License |