Cisco Cisco SM-X Layer 2 3 EtherSwitch Service Module

Cisco SM-X Layer 2/3 EtherSwitch Service Module (ESM) Configuration Guide for Cisco 2900 and Cisco 3900 Series ISRs
Information About the Cisco SM-X Layer 2/3 ESMs
You can deploy a specific feature package by applying corresponding software activation licenses. See 
 for more information on licensing and software 
activation. 
MACsec Encryption
Media Access Control Security (MACsec) encryption is the IEEE 802.1AE standard for authenticating and 
encrypting packets between two MACsec-capable devices. MACsec encryption is defined in 802.1AE to 
provide MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. 
The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required 
encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x 
Extensible Authentication Protocol (EAP) framework. Only host-facing links (links between network access 
devices and endpoint devices such as a PC or IP phone) can be secured using MACsec. 
The Cisco SM-X Layer 2/3 ESM supports 802.1AE encryption with MACsec Key Agreement (MKA) on 
downlink ports for encryption between the module and host devices. The module also supports MACsec link 
layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and 
the Security Association Protocol (SAP) key exchange. Link layer security can include both packet 
authentication between switches and MACsec encryption between switches (encryption is optional). See the 
Configuring MACsec Encryption chapter in the  for information on configuring this feature.
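The 802.1AE SecTAG shows on the wire whether a link runs integrity-only protection or integrity plus encryption, the distinction drawn above for switch-to-switch links. The Python sketch below is an added example, not taken from the Cisco guide; the field layout follows IEEE 802.1AE, the function name is hypothetical, and the sample frames are constructed.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5                      # IEEE 802.1AE
TCI_V, TCI_SC, TCI_E, TCI_C, AN_MASK = 0x80, 0x20, 0x08, 0x04, 0x03

def classify_frame(frame: bytes) -> dict:
    """Classify one Ethernet frame (FCS stripped) by its SecTAG.

    Assumes the EtherType directly follows the source MAC (no cleartext
    802.1Q tag in front of the SecTAG).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        return {"protection": "none", "ethertype": ethertype}
    if len(frame) < 20:                        # TCI/AN + SL + 4-byte PN
        raise ValueError("truncated SecTAG")
    tci_an, short_len, pn = struct.unpack_from("!BBI", frame, 14)
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    info = {"an": tci_an & AN_MASK, "pn": pn,
            "short_len": short_len & 0x3F, "sci": None}
    if tci_an & TCI_SC:                        # explicit 8-byte SCI follows PN
        if len(frame) < 28:
            raise ValueError("truncated SCI")
        info["sci"] = frame[20:28].hex()
    e, c = bool(tci_an & TCI_E), bool(tci_an & TCI_C)
    if e and c:
        info["protection"] = "encrypted"       # confidentiality + integrity
    elif not e and not c:
        info["protection"] = "integrity-only"  # payload readable, ICV appended
    else:
        info["protection"] = "other"           # E/C combination needs manual review
    return info

# Constructed sample frames (locally administered MACs, zeroed payload and ICV).
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
SCI = SRC + b"\x00\x01"

def _sectag(tci_an: int, pn: int) -> bytes:
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn)

ENCRYPTED = DST + SRC + _sectag(TCI_SC | TCI_E | TCI_C, 1) + SCI + bytes(48) + bytes(16)
INTEGRITY = DST + SRC + _sectag(TCI_SC, 2) + SCI + b"cleartext payload" + bytes(16)
PLAIN = DST + SRC + struct.pack("!H", 0x0800) + bytes(46)

if __name__ == "__main__":
    for name, f in (("encrypted", ENCRYPTED), ("integrity", INTEGRITY), ("plain", PLAIN)):
        print(name, classify_frame(f))
```

Run against frames captured on a link that policy requires to be encrypted, any result other than `encrypted` is worth investigating.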
Power over Ethernet (Plus) Features 
The Cisco SM-X Layer 2/3 ESM is capable of providing power to connected Cisco pre-standard and IEEE 
802.3af-compliant powered devices (PD) from Power over Ethernet (PoE)-capable ports when the switch 
detects that there is no power on the circuit.
The ESM supports IEEE 802.3at (PoE+), which increases the available power for PDs from 15.4 W to 30 W 
per port. For more information, see the 
. The PoE plus feature supports the Cisco 
Discovery Protocol (CDP) with power consumption reporting and allows the PDs to report the amount of 
power consumed. The PoE plus feature also supports the Link Layer Discovery Protocol (LLDP).
Cisco Intelligent Power Management
The PDs and the switch negotiate through power-negotiation CDP messages for an agreed 
power-consumption level. The negotiation allows a high-power Cisco PD to operate at its highest power mode. 
The PoE plus feature enables automatic detection and power budgeting; the switch maintains a power budget, 
monitors and tracks requests for power, and grants power only when it is available. See the 
 section in th
Power Policing (Sensing)
The power policing or power sensing feature allows you to monitor the real-time power consumption. On a 
per-PoE port basis, the switch senses the total power consumption, polices the power usage, and reports the 
power usage. For more information on this feature, see the Power Monitoring and Power Policing section in the