n-series technical overview


Post on 27-Nov-2014


Page 1: N-Series Technical Overview

“There is nothing more important than our customers”

Enterasys Matrix™ N-Series Architectural Overview

Modular Switching - Matrix™ N-Series

Page 2: N-Series Technical Overview

Agenda

Switch Architectural Approaches

Product Review & Positioning

Feature Overview

Competitive Positioning

Summary

Page 3: N-Series Technical Overview

EOSL© 2007 Enterasys Networks, Inc. All rights reserved.

Switch Architectural Approaches

[Diagram: Centralized Design (Redundant Switch/Route/Mgmt, Switch/Route/Mgmt, Point-to-Point Backplane, Line Cards) and Distributed Design (Fully Meshed Backplane, Switch/Route/Mgmt/Line Card modules)]

• There are two primary approaches to designing chassis based switch/router architectures

The traditional approach, used by most vendors, leverages centralized forwarding architectures

Matrix™ N-Series is based on a distributed forwarding architecture, designed from inception to support high availability environments

Page 4: N-Series Technical Overview

Traditional Centralized Architecture

[Diagram labels: Access Ports: 10/100, 10/100/1000 or 100FX; Uplinks: Gigabit; Control; CPU; Packet Forwarding; Packet Queuing; Switch Fabric; Switch Fabric Backplane; Point-to-Point Backplane]

Page 5: N-Series Technical Overview

Traditional Centralized Architecture

• Performance limited by Switch/Route/Mgmt modules

• As modules are added, overall system performance decreases

• Higher performance requires modules and daughter-card upgrades

• No feedback QoS mechanism between Central Switch/Router and Line Cards

• Limited guarantee of High priority traffic (specifically Voice) QoS

• More than Two Uplinks requires Costly Additional Line Cards

• Maximum 1+1 redundancy

To achieve distributed forwarding, additional option modules are necessary, increasing overall system cost

› In one vendor’s platform, the maximum central performance is 30M 64-byte packets per second, the equivalent of 20 Gbps maximum throughput

• Slot dependencies can limit customer flexibility

[Diagram: Centralized Design (Redundant Switch/Route/Mgmt, Switch/Route/Mgmt, Point-to-Point Backplane, Line Cards)]

Page 6: N-Series Technical Overview

Distributed Architecture

• Designed from inception to support high availability environments

• Every module provides both control plane and forwarding plane functionality

• Performance scales as modules are added

• Future generation modules add new services without forcing the obsolescence of existing modules

• Control functions are distributed

• N+6 Redundancy

• Modules are automatically upgraded and configured as they are plugged into the system

• Optimized for Edge, Distribution and Server farm connectivity

• No Slot dependencies

[Diagram: Distributed Design (Fully Meshed Backplane, Switch/Route/Mgmt/Line Card modules)]

Page 7: N-Series Technical Overview

Enterasys Matrix N-Series Architecture

[Diagram: four DFE modules, each with CPU, Packet Forwarding, Packet Queuing and Switch Fabric, each connected to Access and/or Uplinks, joined by a Fully Meshed Backplane with Queuing Control Across all Modules]

Page 8: N-Series Technical Overview

Enterasys nTera™ ASIC Family

DFE Architecture

[Diagram labels: User Ports; nTera™ Packet Processor; nTera™ Host Accelerator; Host Processor; nTera™ Distributed Fabric; Backplane]

Increases Host Performance for Concurrent (and Future) Services

Increase Overall Packet Scalability, Performance and Control

Enables High-Capacity Distributed Switching and Reliability

Page 9: N-Series Technical Overview

• Advantages:

High Availability (N:6) – No single CPU

Low Entry Cost; Redundancy built into each switch module – Pay as you go

Scalability; Port Density and Performance

Return on Investment - Inherent backwards compatibility and future proofing

Low Latency - Each module has a connection to every other module

• Performance Characteristics

Total Backplane Capacity with 20 Gbps per slot

› 21 segments X 20 Gb = 420 Gb

Future Backplane Capacity at 80 Gbps

› 21 segments X 80 Gb = 1.68 Tb

Matrix™ N-Series Distributed Architecture

[Diagram: Slot 1 through Slot 7 on a Fully Distributed Passive Backplane]

Each of the 21 Backplane Segments supports 20 Gbps (10 Gbps Bidirectional)

Page 10: N-Series Technical Overview

Agenda

Switch Architectural Approaches

Product Review & Positioning

Feature Overview

Competitive Positioning

Summary

Page 11: N-Series Technical Overview

Matrix N7 Switch

• 7 Slot Fully Redundant Chassis

All slots are usable for connectivity and hot-swappable

• Meshed 1.68 Tbps Backplane

• Scalable Port Densities

504 10/100 Ethernet ports

420 10/100/1000 Ethernet ports

336 100BaseFX Ethernet ports

168 Gigabit Ethernet ports

14 10 Gigabit Ethernet ports

• Industry Leading Performance

Switch Fabric Capacity: 126 Gbps

Switch Performance: 94.5 Mpps

Matrix N7

Page 12: N-Series Technical Overview

N Series - N7 Power Supply : 6C207-3

• 1600 Watt capacity

• Required to support Matrix E7 configurations with six or seven Distributed Forwarding Engines

• Advanced System Monitoring

SNMP traps for power supply failure, loss of redundancy, and fan failure

Page 13: N-Series Technical Overview

Matrix N5 Switch

• 5 Slot Fully Redundant Chassis with integrated PoE Power Shelf

All slots are usable for connectivity and hot-swappable

• Integrated Power over Ethernet (PoE) Power Shelf

4,800 Watts Total Power (4 x 1,200W supplies)

PoE DFEs draw PoE power from the backplane

• Scalable Port Densities

360 10/100 Ethernet ports

360 10/100/1000 Ethernet ports

240 100BaseFX Ethernet ports

120 Gigabit Ethernet ports

10 10 Gigabit Ethernet ports

• Industry Leading Performance

Switch Fabric Capacity: 90 Gbps

Switch Performance: 67.5 Mpps

Matrix N5

Page 14: N-Series Technical Overview

Matrix N3 Switch

• 3 Slot Fully Redundant Chassis

All slots are usable for connectivity and hot-swappable

• Scalable Port Densities

216 10/100 Base-TX Ethernet ports

216 10/100/1000 Base-TX Ethernet ports

144 100 Base FX Ethernet ports

72 Gigabit Ethernet ports

6 10 Gigabit Ethernet ports

• Industry Leading Performance

Switch Fabric Capacity: 54 Gbps

Switch Performance: 40.5 Mpps

Matrix N3

Page 15: N-Series Technical Overview

Introducing the N-1

• Matrix N1 single slot chassis

• Dual Redundant Auto-Ranging AC Power Supplies

• 2 RU in height

• Flexible and Capable of supporting all DFE Gold and Platinum Modules

Optimum edge configuration for small to medium wiring closets

› 10/100 Densities from 25-72 Ports

Optimum aggregation configuration for Small Distribution deployments

› Fiber - Using the 12 Port GIG SFP module

› Copper - Using the 30 Port Triple Speed Module

Page 16: N-Series Technical Overview

2G4082-25 Systems

Lowest cost of entry for the N-Series

Platinum feature set

1. 2G4082-25-SYS

2G4282-25 DFE

7C111 (1 Slot Chassis)

2. 2G4082-25-SYS-U

2G4282-25 DFE

7C111 (1 Slot Chassis)

7G6MGBIC-A

• When operating with multi-slot N-Chassis

It will work as a standalone device

• Shipped in an overpack (assembly required)

2G4282-25

24 Port Tri-speed w/NEM

7G-6MGBIC-A

6 Port SFP

7C111

1 Slot N Chassis

Page 17: N-Series Technical Overview

Matrix N Standalone Switch

A Premium Edge/Data Center switch for smaller wiring closets

• Creates a broader range of N-Series solutions

The N Series scales with switch solutions from 48 to 420 10/100/1000 ports in the same product family

Allows customers to deploy common N Series solutions throughout all network tiers

Supports all N-Series Platinum features

• 10/100/1000 Switch/Router

(48) 10/100/1000 RJ-45 Ports

(4) SFP ports

• 2 U Standalone

• Redundant power

Page 18: N-Series Technical Overview

Matrix™ N-Series Chassis Modules (Distributed Forwarding Engine)

Distributed Forwarding Engine (DFE)

• Leverages Enterasys’ nTera™ ASIC Design

Fully integrated advanced Switching, Routing, and Management

Unmatched User-based Multilayer Packet Classification/QoS and Rate Limiting

Industry-standard SNMP and CLI management

High Performance, Capacity and Density

• Scalable Performance/Bandwidth

13.5 Mpps/18 Gbps per DFE

• Wide Range of Ethernet Interfaces

10/100Base-TX, 1000Base-X, 10/100/1000Base-TX, 100Base-FX and 10GigE

• Power over Ethernet Support

10/100 and 10/100/1000 Base-TX with 802.3af PoE

• Three Types to Meet Different Requirements

Diamond DFE (Enhanced routing, security and policy scalability)

Platinum DFE (High Features/Performance for Edge, Distribution, and Core)

Gold DFE (Cost-Effective Edge Connectivity)

Page 19: N-Series Technical Overview

Last Updated August 2007

Diamond DFEs

Significant Processing Enhancements over Platinum DFEs, plus increased Security, Routing & Policy Scalability.

• Per slot control processor upgraded

50% increase in processing capacity per slot

30% improvement in ACL processing

• Increased Flow Capacity

Double the Flow Table Capacity per blade

› Diamond up to 512K/blade, 3.6M/Chassis

› Platinum up to 256k/blade, 1.8M/Chassis

• Diamond modules include Platinum options

256 MB Host memory included on all blades

N-EOS-L3 - Advanced Router license

N-EOS-PPC - Per Port User Capacity Increases

• Optimized for backbone routing

Enables the DFE to handle larger backbones, larger ACL lists, complex route policies

Page 20: N-Series Technical Overview

Power over Ethernet DFE Modules

• 48 port 10/100 Power over Ethernet (802.3af) w/NEM

NEM Uplink option slot (MSM, 1Gb, 10Gb)

• 48 port 10/100/1000 Power over Ethernet (802.3af) w/NEM

NEM Uplink option slot (MSM, 1Gb, 10Gb)

• 72 port 10/100/1000 with PoE

Operates as triple speed blade in a N1, N3, N7

• Provides power to any 802.3af compliant device

IP Phones

Access Points

Web video cameras

• Legacy Cisco detect support

• Supports all DFE embedded software features

• Fully interoperable with all other DFEs

• 48 Port blades supported in the Matrix N1, N3 and N7 with external power shelf

• 48 and 72 port blades supported in the Matrix N5 via internal power

Page 21: N-Series Technical Overview

Matrix™ N7 & N3 PoE

• External Power Shelf for Matrix N3, N7 and E7

Enables N1/N3/N7 to support PoE DFE modules

N5 Power Shelf is integrated in the chassis

• 4,800 Watts Total Power (4 x 1,200W supplies)

Supports up to 336 class 2 devices such as a VoIP phone

• Fully 802.3af compliant

• Multiple chassis can be supported by a single Power Shelf (up to 7 DFEs per shelf)

• Supports Class 1 (4 Watts), Class 2 (7 Watts), and Class 3 (15.4 Watts) devices

• Requires a DFE-POE-CBL-2M for every PoE DFE (Ordered separately - Not required on N5)

• Power management via CLI and SNMP

[Images: N3 with PoE Power Shelf; N5 has integrated Power Shelf]

Page 22: N-Series Technical Overview

Matrix Security Module

Matrix N3

Matrix N1

Matrix N5

Matrix N7

• Available for all modular Matrix N-Series chassis

Supports all Distributed Forwarding Engines (DFEs) with Network Expansion Modules (NEM)

Supports Gold, Platinum and Diamond DFEs

• Two options

Dragon Intrusion Defense

Enterasys NAC Appliance

Page 23: N-Series Technical Overview

Extensive DFE Portfolio

• 48 port 10/100 (RJ45) w/exp. slot

• 72 port 10/100 (RJ45)

• 48 port 10/100 (RJ21) w/exp. slot

• 72 port 10/100 (RJ21)

• 48 port 100FX w/exp. Slot

• 48 port 10/100 (RJ45) with PoE and exp. slot

• 48 port 10/100/1000 w/exp. Slot POE

• 72 port 10/100/1000 POE

Platinum DFE Types

• 10 & 12 port 1G (Fiber)

• 18 port 1G (Fiber) w/exp. slot

• 30 port 10/100/1000

• 2 port 10 Gigabit

• 48 port 10/100/1000 w/exp. Slot

• 72 port 10/100/1000

• 48 port 10/100 (RJ45) w/exp. slot

• 72 port 10/100 (RJ45)

• 48 port 10/100 (RJ21) w/exp. slot

• 72 port 10/100 (RJ21)

• 48 port 100FX w/exp. Slot

• 48 port 10/100 (RJ45) with PoE and exp. Slot

• 48 port 10/100/1000 w/ & w/o PoE and exp. Slot

• 72 port 10/100/1000 w/ & w/o PoE

Gold DFE Types

Network Expansion Module

• 6 port 1G (Fiber)

• 6 port 1G (Fiber) + 2 port 10 G

• Dragon IDS/IPS

• Sentinel Processor

Diamond DFE Types

• 12 port 1 G (Fiber)

• 18 port 1G (Fiber) w/exp. slot

• 30 port 10/100/1000

• 2 port 10 Gigabit

Page 24: N-Series Technical Overview

Matrix N Series Port Densities

| Port type | Matrix N3 | Matrix N5 | Matrix N7 |
|---|---|---|---|
| 10/100 ports | 216 | 360 | 504 |
| 10/100 ports (with uplink option*) | 144 | 240 | 336 |
| 10/100/1000 ports | 216 | 360 | 504 |
| 10/100/1000 ports (with uplink option*) | 144 | 240 | 336 |
| 100FX ports | 144 | 240 | 336 |
| 100FX ports (with uplink option*) | 144 | 240 | 336 |
| 1000 Base-X Ports | 72 | 120 | 168 |
| 10 Gigabit Ports | 6 | 10 | 14 |

*Includes a single module with the Expansion Slot for uplinks

Page 25: N-Series Technical Overview

Matrix N-Series: Optimized High Availability (N+6)

• Automatic Service Fail-Over (Self Healing)

All Services in Milliseconds

Intra-chassis Routing Redundancy

• Automatic Module Self-Configuration

Inserted “blank” module gets configuration from other modules

• Local Module Upgrades

Only affects users on upgraded module

Services Automatically Distributed across DFEs at Chassis Boot-up

[Diagram labels: Switching Services; Routing Services; Multicast Services; Port Services; Host Services]

Page 26: N-Series Technical Overview

Gold DFE 1+1 Redundancy

• Centralized system administration, protocol participation (spanning tree, OSPF, etc) and management

• Distributed Switching, VLAN, multicast, QoS, etc

• Rapid ~1 sec Failover (typical switches 60+ sec)

• Automatic module re-configuration

Primary and Secondary located in slots 1 and 2

Simple software license (N-EOS-RED) enables redundancy

Page 27: N-Series Technical Overview

Matrix™ N-Series Overview

| Feature | Gold (4 Series) | Platinum (7 Series) | Diamond (7R Series) |
|---|---|---|---|
| Interface Types | Edge | Edge, Dist and Core | Distribution and Core |
| Performance (Module/System Maximum) | 6.5/45.5 Mpps | 13.5/94.5 Mpps | 13.5/94.5 Mpps |
| High Availability | 1+1 (optional) | Optimized N:6 | Optimized N:6 |
| Policy-based, Flow Switching | Yes | Yes | Yes (Double Platinum Capacity) |
| Advanced QoS/Rate Limiting/Mirroring Features | No | Yes | Yes |
| Authentication/Policy Services | Single User/Per Port | Multi-User/Per Port | Multi-User/Per Port |
| Basic and Advanced (optional) Routing | Basic | Advanced (with license) | Advanced (large route tables) |
| Legacy Matrix E7 chassis support | Yes | Yes | Yes |
| 1st, 2nd and 3rd Gen Modules Interoperability | No | Yes | Yes |

Page 28: N-Series Technical Overview

DFE Configuration Rules

• Chassis Support

Gold DFEs, Platinum DFEs and Diamond DFEs can go into any slot in the Matrix N3, N5 or N7 chassis.

Multiple Gold DFEs work seamlessly in the same chassis, but cannot be mixed with Platinum or Diamond DFEs in the same chassis.

Gold DFEs work in a Matrix E7 chassis, but without any other type of module.

Platinum DFEs and Diamond DFEs can be mixed in the same chassis; it is recommended to have a minimum of two Diamond DFEs in a mixed configuration.

• High Availability

By default the Gold DFE does not provide any high availability (system redundancy).

To get 1+1 redundancy, the N-EOS-RED software license must be purchased and installed. Only one 1+1 Redundancy license (N-EOS-RED) is required per chassis.

For redundancy, the primary and secondary Gold DFE have to be in slots 1 and 2.

• Routing

Basic EOS routing (static routes and RIP) is included with each Gold DFE.

Gold DFEs support Enterasys’ Advanced Routing Package (N-EOS-L3) that includes OSPF, DVMRP, and PIM-SM.

Only one advanced Routing Package (N-EOS-L3) is required per chassis.

Diamond DFEs ship with the advanced Routing Package (N-EOS-L3)

Page 29: N-Series Technical Overview

Flow-Based Switching

• A Flow is basically a conversation between end devices

• Matrix™ N-Series Traffic is flow-based (Enterasys’ nTera™ ASIC Design)

Provides context for network traffic

› Who, Where, What

Packet fields of interest are described below for standard network functions.

› (L2) Switching – SA, DA, Port, VLAN

› (L3) Routing – DA, VLAN, EtherType, SIP, DIP

› (L4) Application – ‘LSNAT’ – DA, VLAN, EtherType, SIP, DIP, L4 Source, L4 Dest

• Packet forwarding switches do not keep track of context

Traffic is forwarded based upon “next hop” only

Cannot differentiate one connection from another

• Secure Networks configuration contributes fields to the flow definition based on active profiles and their rule-sets.
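
The L2, L3 and L4 field lists on this slide, worked as an added example (not Enterasys code and not part of the original deck): it builds each flow key from constructed frames and shows that only the L4 key separates two connections between the same hosts. It assumes SA/DA are MAC addresses, SIP/DIP are IPv4 addresses and Port is the ingress port; `parse_frame`, `flow_key`, `flow_table` and `build_frame` are hypothetical names.

```python
"""Added example: L2/L3/L4 flow keys built from the field lists on the slide."""
import struct
from collections import Counter

ETH_8021Q, ETH_IPV4, TCP, UDP = 0x8100, 0x0800, 6, 17
ROUTER_MAC = "02:00:00:00:00:ff"  # constructed next-hop MAC for the samples


def parse_frame(frame: bytes) -> dict:
    """Pull the header fields named on the slide out of one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    f = dict.fromkeys(("vlan", "sip", "dip", "l4_src", "l4_dst"))
    f["da"], f["sa"] = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        f["vlan"], off = tci & 0x0FFF, 18
    f["ethertype"] = ethertype
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return f  # non-IP or truncated: only the L2 fields are usable
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20:
        return f  # malformed IPv4 header length
    frag_offset = struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF
    f["sip"] = ".".join(map(str, frame[off + 12:off + 16]))
    f["dip"] = ".".join(map(str, frame[off + 16:off + 20]))
    l4 = off + ihl
    # Ports exist only in the first fragment of a TCP or UDP datagram.
    if frame[off + 9] in (TCP, UDP) and frag_offset == 0 and len(frame) >= l4 + 4:
        f["l4_src"], f["l4_dst"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return f


def flow_key(fields: dict, ingress_port: int, level: str) -> tuple:
    """Build the key for one of the three functions listed on the slide."""
    l3 = (fields["da"], fields["vlan"], fields["ethertype"],
          fields["sip"], fields["dip"])
    if level == "L2":  # SA, DA, Port, VLAN
        return (fields["sa"], fields["da"], ingress_port, fields["vlan"])
    if level == "L3":  # DA, VLAN, EtherType, SIP, DIP
        return l3
    if level == "L4":  # L3 fields plus L4 Source, L4 Dest
        return l3 + (fields["l4_src"], fields["l4_dst"])
    raise ValueError(f"unknown level {level!r}")


def flow_table(packets, level: str) -> Counter:
    """Count packets per flow for a list of (ingress_port, frame) pairs."""
    table = Counter()
    for ingress_port, frame in packets:
        table[flow_key(parse_frame(frame), ingress_port, level)] += 1
    return table


def build_frame(sa, da, vlan, sip, dip, sport, dport, proto=TCP) -> bytes:
    """Construct a VLAN-tagged IPv4 frame for the samples (checksums left 0)."""
    eth = (bytes.fromhex(da.replace(":", "")) + bytes.fromhex(sa.replace(":", ""))
           + struct.pack("!HHH", ETH_8021Q, vlan, ETH_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(int(x) for x in sip.split(".")),
                     bytes(int(x) for x in dip.split(".")))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)


# Constructed sample traffic: (ingress port, frame).
HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLES = [
    (1, build_frame(HOST_A, ROUTER_MAC, 10, "10.0.10.5", "10.0.20.9", 40001, 80)),
    (1, build_frame(HOST_A, ROUTER_MAC, 10, "10.0.10.5", "10.0.20.9", 40002, 443)),
    (1, build_frame(HOST_A, ROUTER_MAC, 10, "10.0.10.5", "10.0.20.9", 40001, 80)),
    (2, build_frame(HOST_B, ROUTER_MAC, 10, "10.0.10.6", "10.0.20.9", 40001, 80)),
]

if __name__ == "__main__":
    for level in ("L2", "L3", "L4"):
        table = flow_table(SAMPLES, level)
        print(f"{level}: {len(table)} distinct flows")
        for key, packets in table.items():
            print(f"  {packets} pkt(s)  {key}")
```

Host A's two connections to the same server share one L2 key and one L3 key; they become separate entries only when the L4 ports are part of the key.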

Page 30: N-Series Technical Overview

Matrix™ N Series Distributed Flow Based Switching

• Granular visibility and control of the individual flow between users and IT resources

Permit/Deny/Prioritize/Rate Limit

Discover, classify and prioritize IPT soft phone clients and IPT handsets connected to the same port as user desktop/laptop

Advanced flow mirroring

• Centralized policy administration ensures ease of configuration and deployment while distributed enforcement delivers scalability

Firewall-like control everywhere without the box-by-box configuration burdens or extensive CLI scripting

[Diagram: Traffic Flows: SAP traffic; Market Data Feed; Known Worm/Virus; Zero day threat controlled by Flow Setup Throttling]

Page 31: N-Series Technical Overview

Matrix™ N-Series DFE Applications

[Diagram labels: Premium Edge; Collapsed Backbone; Backbone Routing (tier two environments); Server Aggregation; Matrix N7; Matrix N3/N5; 10 GbE Fiber; 10/100/1000; Users; Servers; Internet; VPN/Intranet]

Page 32: N-Series Technical Overview

Three Tier Implementation

• Three Tier Implementation – 10-Gigabit Ethernet connectivity between Distribution and Core, Gigabit connectivity between Edge and Distribution, user ports 10/100/1000

Core - Matrix™ X

Distribution – Matrix™ N with Platinum and/or Diamond DFE

Edge – SecureStack B/C

[Diagram labels: Users; Servers; SecureStack C2; Matrix N7; Matrix X4]

Page 33: N-Series Technical Overview

Two Tier Implementation

• Two Tier Implementation

Often see this design in buildings supporting 1000-1500 devices

Perfect for N-Series & Diamond providing granular control and integrated security for the core and distribution layers

[Diagram labels: Users; Servers; SecureStack C2; Matrix N7]

Page 34: N-Series Technical Overview

Agenda

Switch Architectural Approaches

Product Review & Positioning

Feature Overview

Competitive Positioning

Summary

Page 35: N-Series Technical Overview

Integrated Services Design

Enterasys OS (EOS) Feature Summary

Switching/VLAN Services

• Spanning Trees, Multiple Spanning Trees, VLANs

• Link Aggregation/Rapid Reconfiguration

• Span Guard

• Flow Setup Throttling

Multilayer Classification

• User, Port and Device Level

• Multiple Control Features

• Granular QoS/Rate Limiting

• VLAN to Policy Mapping

• Multi-field Classification

Native IP Routing

• IPv4 Unicast/Multicast

• RIP 1/2, OSPF

• IGMP, DVMRP

• Multi-Path OSPF

• VRRP

• PIM-SM (Sparse Mode)

Security (User, Network & Host)

• User: Auth (802.1X, MAC and Web), MAC Locking

• Multi-user Authentication/Policy

• Network: ACL – Basic and Extended, Policy-based Services (Acceptable Use)

• Host: SSH, SNMP v3

Management, Control and Analysis

• Industry-Standard CLI

• SNMP v1/v2c and Web

• RMON (1,2,3,9)

• TELNET

• BOOTP, DHCP, TFTP

• Multiple images

Page 36: N-Series Technical Overview

DFE Packet Classification/QoS

• Layer 2 through 4 Packet Classification

• QoS Mapping to WFQ Priority Queues (802.1p)

4 TX queues per 10/100 and 10/100/1000 port

16 TX queues per GbE and 10GbE port

• Bandwidth Control (Rate Limiting)

Granular 8 kbps – 4 Gbps

Per Port, Flow, Aggregate of Flows and Classification Rules

Packet Classification/QoS enables the delivery of critical applications to specific users via traffic awareness and control

Page 37: N-Series Technical Overview

Dynamic Flow-based Packet Classification (DFPC)

Dynamic Flow Based Classification: scaleable up to 56k rules per system

Sept 5, 2003 - Enterasys Confidential (Internal Only)

Why does Enterasys make the best Secure Networks™ switches in the industry?

- What can I identify?

- What can I control?

- How can I control it?

Layer 2: MAC Address, EtherType (IP, IPX, AppleTalk, etc)

Layer 3: IP Address, IP Protocol (TCP, UDP, etc), ToS

Layer 4: TCP/UDP port (HTTP, SAP, Kazaa, etc)

[Diagram labels: Granularity; User; Port; VLAN; Flow; Switch; Matrix N-Series; Access Control; Class of Service; Deny; Permit; Contain; Priority/QoS; Rate Limit]

Page 38: N-Series Technical Overview

DFE Switching/VLAN Services

• High-Performance Switching

• VLAN Services Support

Link Aggregation (IEEE 802.3ad)

Multiple Spanning Trees (IEEE 802.1s)

Rapid Reconfiguration of Spanning Tree (IEEE 802.1w)

• Policy-based Switching

Switching/VLAN Services provides high-performance connectivity, aggregation, and adaptation to device failure

Page 39: N-Series Technical Overview

DFE IP Routing

IP Routing provides dynamic traffic optimization, broadcast containment and more efficient network resilience

• Base Routing Features

IPv4 Unicast Routing (per-port)

› RIP version 1 and 2, OSPF v2 and DHCP/BootP Relay

• Routing Upgrade (via Software License)

• Fully distributed forwarding engine

Frames are routed locally (one hop routing)

Forwarding Databases are resident on all modules (Route table and ARP table)

• Control Plane resides on a single module

Up to two active control planes

Redundancy through industry standard routing protocols (Including VRRP)

• Protocol Support

IPv4 Unicast/Multicast

RIP 1/2, OSPF

IGMP, DVMRP, PIM-SM (Sparse Mode)

Multi-Path OSPF

VRRP

LSNAT

• Advanced Routing features are licensed – (N-EOS-L3)

LSNAT, PIM, OSPF, DVMRP and Extended ACLs.

• Scalable capacities via memory expansion

Page 40: N-Series Technical Overview

DFE Security

• User Security

Authentication (802.1X, MAC and Web), MAC (Static and Dynamic) Port Locking

Multi-User Authentication/Policies

• Network Security

Access Control Lists (ACL) – Basic and Extended

Policy-based Security Services (Examples: Spoofing, Unsupported Protocol Access, Intrusion Prevention, DoS Attacks Limits)

• Host

Secure access to the Matrix N-Series via SSH, SSL, SNMP v3

Security protects a business against network misuse, and controls access to resources and confidential information

Page 41: N-Series Technical Overview

DFE Management, Control and Analysis

• Configuration

Industry-Standard CLI and Web Support

Multiple Images with Editable Up/Downloadable configuration files

• Network Analysis

SNMP v1/v2c/v3, RMON/RMON II, and SMON (rfc2613) VLAN and Stats

Port/VLAN Mirroring (One to one, one to many, many to many)

• Automated Set-up and Maintenance

Replacement engine will automatically get previous engine configuration

Management, Control and Analysis provide streamlined tools for maintaining network availability and health

Page 42: N-Series Technical Overview

Security and Control: ACL and VLAN vs. Policy

VLAN-based

[Diagram labels: Network; Matrix N-Series; User authenticated to port; Port mapped to VLAN (with VLAN access control (ACLs))]

Issues

• Costly, time-consuming VLAN management

• Mobility becomes an issue as VLANs spread across the campus

• VLANs provide no inherent security

No control within the VLAN

All users share the same ACL

• VLAN changes for quarantine require proper endsystem support (DHCP renew etc.)

Policy-based

[Diagram labels: Network; Matrix N-Series; User authenticated to port; Access control (policies) mapped to user]

Benefits

• Simple, quick to implement

• Rapid response to security threats

• Much more granular control

• Far more scaleable

• No mobility issues

• No issues when user is quarantined

Page 43: N-Series Technical Overview

Multi-user Authentication/Policy

• Diamond/Platinum DFE feature that allows a large number of users to be authenticated on a single port, and unique policies to be enforced.

Extends access and application control (for security, convergence, and on-demand networking) to users aggregated by devices with limited features

[Diagram labels: Backbone; Matrix N-Series; Access; User authenticated/access and application control enforced here; User physically connected here]

Page 44: N-Series Technical Overview

Layer 2 Availability: Spanning Tree

[Diagram labels: Rapid Reconvergence; Matrix E7; Matrix E7]

• IEEE 802.1D Spanning Tree

• IEEE 802.1w Rapid Re-Convergence of Spanning Tree

Reduces Spanning Tree convergence times

• IEEE 802.1s Multiple Spanning Trees

Network VLANs into multiple Spanning Trees

› Convergence of one of the Spanning Trees does not impact the others

Overall network availability increases as uplinks can now load-share traffic

64 Spanning Tree Instances supported

Page 45: N-Series Technical Overview

Layer 2 Availability: Link Aggregation

• IEEE 802.3ad Link Aggregation

Up to 32 groups

Up to 8 ports per group

Ability to aggregate links over multiple blades in a chassis

Multiply bandwidth between switches

Improve resiliency

• No support for SmartTrunking

Page 46: N-Series Technical Overview

Advanced Port Mirroring

• Supported Mirrors:

Physical ports (Front Panel, FTM-1)

Virtual Ports (802.3ad Aggregated Link, Host)

VLAN

IDS

› One to many mirror

• Destination ports allowed to be active at any time:

- One Intrusion Detection Systems mirror

or

- One Port and one VLAN mirror

or

- Three Port mirrors

or

- Three VLAN mirrors

• Port Mirroring configured at the system-level using NetSight Atlas via the SMON MIB or by CLI

Page 47: N-Series Technical Overview

Port Mirroring Features

• Possibility to mirror:

Received frames only

Transmitted frames only

Or both

• All frames are copied to the destination port in the same format as they were received by the switch

Any header changes performed by the switch will be done after the frame has been mirrored

• There is no restriction on the number of ports or VLANs that can be included in the mirror to a destination port

Page 48: N-Series Technical Overview

DragonSensors

Network Core

Intrusion Detection System Mirroring

• One to many port mirror designed for use with an Intrusion Detection System

• Source traffic is load-shared between all destination ports to ensure no packet loss

Page 49: N-Series Technical Overview

Advanced Set-up and Maintenance

• Ability to store 2 functional images (firmware) on the chassis

Every module keeps a copy of both images

All modules have the same firmware version

› Upgrading a module equals upgrading the entire chassis

• Ability to store several configuration files on each module

• Every module keeps a copy of the current configuration

Editable txt appended configuration files contain L2 and L3 configuration

› Generic chassis configuration txt

› Board specific configuration txt

• The result: automated set-up and maintenance

Add a blank module in the chassis and this module will automatically get its configuration from the other blades

Remove a module and replace it with a blank module of the same type and the new module will automatically get the same configuration as the previous module

Page 50: N-Series Technical Overview

Enhanced Security

• Protect selected resources

• Create secure workgroups

• Secure management access

• Authenticate users & devices

• Policy network access, communications and access to information

Page 51: N-Series Technical Overview

Extensive Security Mechanisms

• Host

Hardened OS

Management VLANs

RADIUS Authentication

SSH v2

• User

802.1X User Authentication

User Personalized Networking (UPN)

MAC Based Port Locking

MAC Authentication

Page 52: N-Series Technical Overview

User-Based Security

• IEEE 802.1X User Authentication:

Support for IEEE 802.1X means that true standards based User-based VLANs are now possible.

› When an end station powers up while connected to an 802.1X-capable switch, the user is prompted for a login and password to authenticate to the network.

› Existing authentication methods like RADIUS can be used to keep the cost of ownership down.

Key component of Secure Networks

Page 53: N-Series Technical Overview

User-Based Security

• Other Authentication Methods

MAC-based Authentication

› Allows authentication of devices that have no supplicant

Printers

Light clients (X-Terms…)

› Provides Layer 2 mobility

Web-based Authentication

› Operating System Independent

› No need to purchase 3rd party 802.1X supplicants

› No need to “touch” every desktop to install supplicants

Page 54: N-Series Technical Overview

Multi-User Authentication

• Feature:

Ability to authenticate multiple users on a single Matrix N Series port

Ability to map several different network policies (profiles) on a single Matrix N Series port

• Benefits:

Authenticate users even if the edge switches do not support authentication

Deliver Policy-Based Network even if the edge switches do not support authentication and/or policing

User A User B

Page 55: N-Series Technical Overview

Security and Control: Multi-user Authentication and Policy

[Figure: multi-user authentication on a single DFE port (Port X). Labels: MUA Logic with 802.1X, PWA and MAC methods; RADIUS Authority; 802.1X Credentials, PWA Credentials, MAC Credentials; SMAC = Anita (802.1X Login), SMAC = Bob (PWA Login), SMAC = Ted (Any Traffic); Filter ID values Sales, Engineering and Credit; Dynamic Admin Rule (three instances); Policy Sales, Policy Credit, Policy Engineering.]

• From 8 up to 256 per port (with N-EOS-PPC) and 2048 per system (with N-EOS-PUC).

• Different authentication methods (in random combination per port/user)

802.1x, PWA (Web), MAC authentication, Default Role

• Single physical interface

Page 56: N-Series Technical Overview

Security and Control: non sampled NetFlow

• NetFlow flow accounting technology

• Provides high fidelity instrumentation

Non sampled statistics!

Usable for security applications

• Netflow function will work in-band and out-of-band

OoB means the N-Series can become a NBAD sensor within enterprise class networks

• The N-Series becomes a reason to sell Dragon SCC

Analysis of network wide NBAD data collection

Page 57: N-Series Technical Overview

Security and Control: Network Attack Characteristics

• Network worms and hacker attacks rely on the ability to discover machines on a network and assess their vulnerability.

The process of discovering machines on a network is typically done by attempting to establish ICMP communication with a randomly generated IP destination address (address scanning).

• Each attempt to discover a network device or assess its vulnerability requires a new flow to be created. Since attacks aim to discover susceptible machines as quickly as possible, flow build-up is unavoidable.

| Worm description | User | Duration | Packet (flows) | Fps (mean) | Packet size (mean) |
|---|---|---|---|---|---|
| Welchia: ICMP sweep | 140.112.215.131 | 18.94 | 1203 | 63.52 | 110 |
| Welchia: ICMP sweep | 140.112.240.132 | 18.82 | 2361 | 125.36 | 110 |
| Welchia: ICMP sweep | 140.112.242.5 | 18.51 | 2006 | 108.36 | 110 |
| Welchia: ICMP sweep | 140.114.232.103 | 18.69 | 2061 | 110.28 | 110 |
| Welchia: ICMP sweep | 140.115.236.59 | 18.95 | 1893 | 99.91 | 110 |
| Welchia: ICMP sweep | 140.115.240.83 | 18.95 | 1894 | 100 | 110 |
| Welchia: ICMP sweep | 140.115.86.136 | 18.94 | 1855 | 97.3 | 110 |
| Welchia: ICMP sweep | 140.116.201.118 | 18.72 | 2244 | 119.9 | 110 |
| Welchia: ICMP sweep | 140.116.246.164 | 18.5 | 1967 | 106.3 | 110 |
| Welchia: ICMP sweep | 140.116.99.117 | 18.94 | 702 | 37.07 | 110 |
| SQL: UDP 1434 scan | 140.115.95.47 | 17.871 | 34985 | 1957.66 | 421.721 |

Page 58: N-Series Technical Overview

Flow Setup Throttling

• Flow Setup Throttling (FST) is an Enterasys proprietary solution that tracks flow setup and provides a mechanism to respond to excessive flow buildup (typically a suspicious behavior).

• Using FST, a network administrator can define acceptable per-port flow counts and flow setup rates.

When violations are detected, FST can apply reactive measures such as SNMP notifications (and starting an ASM response via SEG) or disabling the interface.

• Flow monitoring provides additional visibility into network activities by indicating the network communication paths or how many conversations are occurring. Like a bandwidth utilization indicator, flow buildup can warn of suspicious behavior.

• FST provides the ability to limit the number of flows on a port.

Restricting flow usage penalizes the user in the number of network activities (conversations) that can be performed at once, but the user is not penalized in bandwidth usage (although this can be done through DIR/ASM).

• FST is only implemented on flow-based systems (N-Series, Matrix E1/E6/E7).

• Other detection mechanisms available on the Matrix N Series

Policy Hit Accounting

Inbound Rate Limiter (pps rates)

Anti Spoofing

Dragon Integrated Security Processor

Netflow
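As an added illustration (not part of the original slides and not Enterasys code), the following Python model applies the per-port flow count and flow setup rate check described for FST, with notification and interface disable as the reactive measures. The thresholds, the 2x disable factor, the idle timeout, the port names and the traffic are constructed assumptions; the sweep rate is chosen to resemble the ICMP sweep rows in the table above.

```python
from collections import Counter, deque

class FlowSetupThrottle:
    """Toy per-port flow-setup tracker (illustrative, not Enterasys code)."""

    def __init__(self, max_flows, max_rate, window_ms=1000,
                 idle_ms=30000, disable_factor=2):
        self.max_flows = max_flows      # acceptable active flows per port
        self.max_rate = max_rate        # acceptable new flows per second
        self.window_ms = window_ms      # span used to measure the setup rate
        self.idle_ms = idle_ms          # flows idle this long are aged out
        self.factor = disable_factor    # multiple of a limit that disables the port
        self.ports = {}

    def packet(self, port, ts_ms, flow):
        """Account one packet; return forward, notify, disable or drop."""
        st = self.ports.setdefault(
            port, {"flows": {}, "setups": deque(), "disabled": False})
        if st["disabled"]:
            return "drop"
        flows, setups = st["flows"], st["setups"]
        known = flow in flows
        flows[flow] = ts_ms             # refresh last-seen time
        if known:
            return "forward"            # existing conversation: no flow setup
        for key in [k for k, seen in flows.items() if ts_ms - seen > self.idle_ms]:
            del flows[key]              # age out idle flows before counting
        setups.append(ts_ms)
        while ts_ms - setups[0] >= self.window_ms:
            setups.popleft()            # keep only setups inside the window
        rate = len(setups) * 1000 / self.window_ms
        if len(flows) > self.max_flows * self.factor or rate > self.max_rate * self.factor:
            st["disabled"] = True       # reactive measure: disable the interface
            return "disable"
        if len(flows) > self.max_flows or rate > self.max_rate:
            return "notify"             # reactive measure: SNMP-style notification
        return "forward"


def simulate():
    """Replay constructed traffic for two ports; return action counts per port."""
    events = []
    # port-A: a workstation reusing five TCP conversations for five seconds
    for i in range(25):
        flow = ("192.0.2.10", f"198.51.100.{i % 5 + 1}", "tcp", 443)
        events.append((i * 200, "port-A", flow))
    # port-B: an ICMP address sweep, one new destination every 10 ms (100 flows/s)
    for i in range(200):
        flow = ("192.0.2.66", f"203.0.113.{i + 1}", "icmp", 0)
        events.append((i * 10, "port-B", flow))
    fst = FlowSetupThrottle(max_flows=100, max_rate=20)
    result = {"port-A": Counter(), "port-B": Counter()}
    for ts_ms, port, flow in sorted(events):
        result[port][fst.packet(port, ts_ms, flow)] += 1
    return result


if __name__ == "__main__":
    for port, counts in simulate().items():
        print(port, dict(counts))
```

The workstation port never leaves the forward state because repeated packets of a known conversation create no new flow, while the sweeping port is flagged after 20 new flows and disabled at the 41st, well before its bandwidth would stand out.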

Page 59: N-Series Technical Overview

MAC Based Port Locking (Dynamic)

• The first MAC address learned on the port will be the only one allowed to communicate on the network

• Traffic from other MAC addresses will be discarded

• Prevents the use of Unauthorized hubs

• When the locked station goes away, the next MAC address to be learned will be locked

• Easy configuration with NetSight Atlas Policy Manager

[Figure labels: Valid User, Rogue User, Unauthorized hub, Enterprise Network]

Page 60: N-Series Technical Overview

MAC Based Port Locking (Static)

• Use NetSight Policy Manager to statically define which MAC address(es) can communicate on the port

Page 61: N-Series Technical Overview

Advanced Management and Control

• Via Single IP Address System Management

N + 6 Redundant Management Support

One module acts as the master manager for the system, all other modules act as backup

• Web Based Management Support

• Secure Socket Layer : Secure access to embedded configuration web server

• SNMP v1/v2c/v3

• RMON (9 Groups) / RMON2

• SMON : VLAN and priority statistics, Port/VLAN mirroring configuration

Page 62: N-Series Technical Overview

Advanced Management and Control

• RFC 2674 (Standards based VLAN management)

• Port/VLAN Mirroring

One to one, one to many

• Industry standard CLI

• Telnet

• Secured Shell 2 : secure access to chassis configuration

• Broadcast Suppression

Page 63: N-Series Technical Overview

Advanced Management and Control

• Enterasys Discovery Protocol (neighbor discovery)

• Node & Alias Table : mapping of device name and MAC/IP address

• Simple Network Time Protocol : Allows automated set-up of date/time on device

• Syslog : export all events to external management system

• RADIUS Accounting

• NetSight Atlas management applications support

Page 64: N-Series Technical Overview

IPv6 Strategy

• IPv6 extends IPv4’s theoretical limit of 4 billion addresses to 340 trillion

Internet devices will grow by magnitudes over the following years

IPv4 addresses may run out sometime between 2006 and 2010

• For the Enterprise network, IPv6 provides improvements over IPv4

Security, mobility, QoS, and scalability

• IPv6 will become the de facto standard for the Internet in the future

• Today’s Matrix N-Series chassis is IPv6-ready

IPv6 will now be provided in the N-Series in Generation 5 DFEs

Page 66: N-Series Technical Overview

Competitive Products

•Matrix Gold DFEs

Cisco Catalyst 4500

•Matrix Platinum DFEs

Cisco Catalyst 6500

•Matrix Diamond DFEs

Cisco Catalyst 6500

Page 67: N-Series Technical Overview

Matrix X and N Series Competition – Cisco Catalyst 6500 Series

• The Catalyst 6500 family of multilayer switches is Cisco’s flagship switch product line.

5 chassis (6513, 6509NEBS, 6509, 6507, 6503)

All 6500 series modules can be used in any chassis variant

● Cisco claims significant performance levels and very advanced functionality and low cost !!

• Supports high density LAN, Metropolitan Area and WAN interfaces, Security Modules, Firewall & IDS Modules, and IP Telephony Modules.

• High Performance

720 Gbps system performance

400 Mpps throughput

• Hardware based IP

Wirespeed IPv4, IPv6 & MPLS

• Advanced Virtual Network capabilities

MPLS L2 and L3 VPNs

IP in IP Tunneling

Generic Routing Encapsulation

• Advanced Security Capabilities

High performance Firewall Modules

5 Gbps per module

Intruder Detection & Prevention Module

SSL and Traditional VPN Gateways

Identity Based Network Policies

Page 68: N-Series Technical Overview

Common Components

•Three types of modules

Supervisor Engines

› Central Control Plane, 1 required per chassis

› Forwarding engine in many configurations

Switch Fabric Module

› Enables the Fabric backplane which can operate at 256 Gbps or 720 Gbps

› The Supervisor 720 is both Control Module and Switch Fabric on a single blade

I/O Modules

› Provides LAN, MAN and WAN interfaces

› Highest density is 48 ports

› Special Service Modules for Firewall, IDS and Telephony

Supervisors

Fabrics

I/O Modules

Page 69: N-Series Technical Overview

Catalyst Backplanes

[Figure labels: Classic Bus, Fabric Backplane]

• The Catalyst supports two different backplane types

• The Classic Bus backplane is marketed as a 32 Gbps bus that provides for a useful 16 Gbps of bandwidth

• The Fabric Backplane provides high speed dedicated channels to every slot and requires that a switch fabric module is installed within the chassis

Each fabric channel can be clocked at 16 Gbps or 40 Gbps Full Duplex

The backplane is not fully implemented within the 6513

Page 70: N-Series Technical Overview

Catalyst 6500 Supervisor Positioning

• Supervisor 720

Enterprise Core, Data Center, Service Provider Applications

› Hardware IPv6, MPLS, 30 Mpps Supervisor IPv4 performance

› Distributed forwarding allows for maximum of 400 Mpps forwarding

• Supervisor 2 with MSFC2 & PFC2

Distribution and WAN Edge

› Hardware IPv4 only, 30 Mpps Supervisor IPv4 performance

› Distributed forwarding allows for maximum of 100 Mpps forwarding

• Supervisor 2 with PFC2 Only

Premium Wiring Closet and Server Farms

› 30 Mpps Bridging Only

› Enhanced Security & QoS

• Supervisor 1A without PFC2 or MSFC2

Wiring Closet

› Up to 15Mpps Bridging and IPv4 Forwarding / 32Gbps shared bus

Page 71: N-Series Technical Overview

Catalyst Switch Fabrics

• The Catalyst’s Fabric backplane provides a high speed interconnect for the various Catalyst modules.

• There are two switch fabric models available for the Catalyst

The Supervisor 720 provides 16 channels which allow for up to 20 Gbps operation per direction per channel. The channels can be clocked down to support 8 Gbps per direction operation, allowing support for older generation modules.

The Switch Fabric Module (SFM) provides for 16 channels with 8 Gbps per direction performance. Newer CEF720 modules will not operate with a SFM.

All packet lookup takes place on a supervisor engine, unless Distributed Forwarding Cards are installed. Switch Fabrics only act as transport. A Supervisor Engine can look up 30 Million headers a second whether the received frame was 64 bytes or 1500 bytes long. This capability allows for full wirespeed fabric operation with large packets even if no DFCs are installed.

Switch Fabric Module (SFM)

Page 72: N-Series Technical Overview

Cisco Sales Tactics

• Cat 6500 has an extensive list of modules.

Enables broad performance and feature claims while still being able to offer extremely low priced configurations to customers

• Every Cisco sales person will claim that the Cat6500 is a 720 Gbps system with 400 Mpps,

• But they will most certainly lead with Classic Bus or Generation 2 (CEF256) Modules, which never hit the 720 Gbps performance plateau and are significantly less expensive.

• Almost all of Cisco’s line modules rely on the supervisor engine for packet look up & they will not operate without a supervisor in the chassis.

• Fabric enabled line cards can have local look-up engines called Distributed Forwarding Modules enabling slot to slot communications without a supervisor engine. DFCs list for about $7500.

• Ensure you are comparing Apples with Apples

Bait & Switch

Page 73: N-Series Technical Overview

Diamond Competitive Comparison

General Specifications

| | Matrix N-Series Diamond | Catalyst 6500 | Black Diamond 8800 | FastIron Super X |
|---|---|---|---|---|
| # of Slots | 1/3/5/7 | 3/6/9/13 | 6/10 | 8/16 |
| Chassis Architecture | Distributed Switching and Routing | Centralized Supervisor Engine with DCEF cards | Centralized | Centralized |
| Fault Tolerance | Distributed Fault Tolerance | 1+1 Supervisor Engine | 1+1 MSM | 1+1 Switch Fabric |
| Port Density | 504 10/100/1000; 168 1000BaseX; 14 10Gbps | 577 10/100/1000; 410 1000BaseX; 32 10Gbps | 384 10/100/1000; 224 1000BaseX; 32 10Gbps | 384 10/100/1000; 384 1000BaseX; 36 10Gbps |
| Forwarding Architecture | Flow-based granular policy visibility and control | Longest prefix match via Cisco Express Forwarding | Longest prefix match | Longest prefix match |
| Layer 2 Topology | 802.3ad/s/w; ASIC-based QoS & rate shaping; L2-L4 Classification | 802.3ad/s/w | 802.3ad/s/w; Proprietary EMISTP | 802.3ad/s/w |
| Layer 3 Topology | RIP/OSPF; VRRP; DVMRP/PIM-SM | RIP/OSPF/BGP/MPLS; VRRP/HSRP; DVMRP/PIM-SM | RIP/OSPF/BGP/MPLS; VRRP/ESRP/EAPS; DVMRP/PIM-SM | RIP/OSPF/BGP/MPLS; VRRP; DVMRP/PIM-SM |

Page 74: N-Series Technical Overview

Diamond Competitive Comparison

Policy-based Security & QoS

| | Matrix N-Series Diamond | Catalyst 6500 | Black Diamond 8800 | FastIron Super X |
|---|---|---|---|---|
| Security Granularity | Port/VLAN/Flow via centrally administered Policy | Port/VLAN via ACL | Port/VLAN via ACL | Port/VLAN via ACL |
| Convergence Discovery | Standards-based LLDP/LLDP-MED 802.1ab | Proprietary | Proprietary | Proprietary |
| Multi-method Authentication | YES: 802.1x, Web-based PWA, MAC Address | NO: 802.1x | NO: 802.1x | NO: 802.1x |
| Multi-user Authentication | YES: 1,000 users per port using MAC, PWA or 802.1x simultaneously | NO | NO | NO |
| Access Control | Embedded NAC/IDS/IPS/NBA/SI; Zero-day Threat Protection | Embedded Firewall/IDS/VPN | External | External |
| Policy Enforcement | Dynamic based on User, Application, Device, Flow, Port or VLAN | Static based on Port or VLAN | Static based on Port or VLAN | Static based on Port or VLAN |
| Location Services | YES: Embedded directory with MAC/IP/Host/Port | NO | NO | NO |

Page 76: N-Series Technical Overview

Why customers choose N-Series…

•Secure Networks!

•Most sophisticated SN feature set in the Enterasys portfolio

•Distributed Management

•High availability

•Flexibility

•Chassis footprints

•Module Port speeds and densities from edge to core

•Performance and Price Points (Gold / Platinum / Diamond)

Page 77: N-Series Technical Overview

Thank you

Last Updated September 2007