Cisco 4503-e - catalyst data bundle switch User manual

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Cisco Catalyst 4500 Series

Switches (4503-E, 4506-E,

4507R+E, 4510R+E, 4500X and

4500X-F) Running IOS-XE 3.5.2E

Security Target

Revision 1.0

11 March 2014

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Table of Contents

1Security Target Introduction................................................................................................... 6

1.1 Security Target and TOE Identification............................................................... 6

1.2 Acronyms and Abbreviations............................................................................... 6

1.3 TOE Overview ..................................................................................................... 8

1.3.1 TOE Evaluated Configuration ...................................................................... 8

1.3.2 TOE Type...................................................................................................... 9

1.3.3 Required non-TOE Hardware/Software/Firmware....................................... 9

1.4 TOE Description ................................................................................................ 10

1.4.1 TOE Architecture and Security Capabilities............................................... 10

1.5 TOE Environment and Configuration................................................................ 11

1.6 Physical Scope of the TOE................................................................................. 13

1.6.1 USB Console Port....................................................................................... 23

1.6.2 Network Ports ............................................................................................. 23

1.6.3 Serial Port.................................................................................................... 23

1.6.4 Compact Flash Slot..................................................................................... 24

1.6.5 Physical Scope of the TOE......................................................................... 24

1.7 Logical Scope of the TOE.................................................................................. 24

1.7.1 Security Audit............................................................................................. 25

1.7.2 Cryptographic Support................................................................................ 25

1.7.3 User Data Protection................................................................................... 25

1.7.4 Identification and Authentication ............................................................... 26

1.7.5 Security Management ................................................................................. 26

1.7.6 Protection of the TSF.................................................................................. 27

1.7.7 Resource Utilization.................................................................................... 28

1.7.8 TOE Access ................................................................................................ 28

1.7.9 Trusted Path/Channels ................................................................................ 28

1.8 Excluded Functionality ...................................................................................... 28

2Conformance Claims ............................................................................................................ 30

2.1 Common Criteria Conformance Claim .............................................................. 30

2.2 Protection Profile Conformance Claim.............................................................. 30

2.3 Protection Profile Conformance Claim Rationale.............................................. 30

2.3.1 TOE Appropriateness.................................................................................. 30

2.3.2 TOE Security Problem Definition Conformance........................................ 30

2.3.3 Statement of Security Objectives Conformance......................................... 30

2.3.4 Statement of Security Requirements Conformance.................................... 31

3Security Problem Definition................................................................................................. 32

3.1 Introduction........................................................................................................ 32

3.2 External Entities................................................................................................. 32

3.3 Assets ................................................................................................................. 32

3.3.1 Primary Assets ............................................................................................ 32

3.3.2 Secondary Assets ........................................................................................ 33

3.4 Assumptions....................................................................................................... 33

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

3.5 Threats................................................................................................................ 34

3.6 Organizational Security Policies........................................................................ 35

3.6.1 OSPs enforced by TOE............................................................................... 35

4Security Objectives............................................................................................................... 36

4.1 Security Objectives for the TOE........................................................................ 36

4.2 Security Objectives for the Environment........................................................... 37

5Security Requirements.......................................................................................................... 37

5.1 Conventions........................................................................................................ 38

5.2 TOE Security Functional Requirements ............................................................ 38

5.2.1 Security audit (FAU)................................................................................... 40

5.2.2 Cryptographic Support (FCS)..................................................................... 43

5.2.3 User data protection (FDP)......................................................................... 47

5.2.4 Identification and authentication (FIA) ...................................................... 47

5.2.5 Security management (FMT)...................................................................... 48

5.2.6 Protection of the TSF (FPT) ....................................................................... 49

5.2.7 FRU –Resource Utilization........................................................................ 50

5.2.8 TOE Access (FTA)..................................................................................... 51

5.2.9 Trusted Path/Channel (FTP)....................................................................... 51

5.3 Extended Components Definition...................................................................... 52

5.4 TOE SFR Dependencies Rationale .................................................................... 54

5.5 Security Assurance Requirements...................................................................... 56

5.5.1 SAR Requirements...................................................................................... 56

5.5.2 Security Assurance Requirements Rationale.............................................. 57

5.6 Assurance Measures........................................................................................... 57

6TOE Summary Specification................................................................................................ 59

6.1 TOE Security Functional Requirement Measures.............................................. 59

6.2 TOE Bypass and interference/logical tampering Protection Measures.............. 79

7Rationale............................................................................................................................... 81

7.1 Rationale for TOE Security Objectives.............................................................. 81

7.2 Rationale for the Security Objectives for the Environment............................... 83

7.3 Rationale for TOE Security Functional Requirements ...................................... 84

Annex A: References..................................................................................................................... 88

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

List of Tables

TABLE 1ST AND TOE IDENTIFICATION .............................................................................. 6

TABLE 2ACRONYMS........................................................................................................... 6

TABLE 3EVALUATED CONFIGURATION .............................................................................. 8

TABLE 4IT ENVIRONMENT COMPONENTS ........................................................................... 9

TABLE 5CATALYST 4500 SERIES SWITCH CHASSIS FEATURES ......................................... 14

TABLE 6CATALYST 4500 SERIES SWITCH CHASSIS LINE CARDS ...................................... 16

TABLE 7EXTERNAL ENTITIES INTERACTING WITH TOE..................................................... 32

TABLE 8PRIMARY ASSETS TO BE PROTECTED .................................................................... 32

TABLE 9SECONDARY ASSETS TO BE PROTECTED ............................................................... 33

TABLE 10 OPERATIONAL ASSUMPTIONS ............................................................................ 33

TABLE 11 THREATS ........................................................................................................... 34

TABLE 12 ORGANIZATIONAL SECURITY POLICIES ............................................................. 35

TABLE 13 SECURITY OBJECTIVES FOR THE TOE................................................................ 36

TABLE 14 SECURITY OBJECTIVES FOR THE ENVIRONMENT................................................ 37

TABLE 15 SECURITY FUNCTIONAL REQUIREMENTS........................................................... 38

TABLE 16: AUDITABLE EVENTS ........................................................................................ 41

TABLE 17: SFR DEPENDENCY RATIONALE (FROM NDPP)................................................. 54

TABLE 18: ASSURANCE MEASURES ................................................................................... 56

TABLE 19: ASSURANCE MEASURES ................................................................................... 57

TABLE 20: HOW TOE SFRS ARE MET ............................................................................... 59

TABLE 21: THREAT/OBJECTIVES/POLICIES MAPPINGS....................................................... 81

TABLE 22: THREAT/POLICIES/TOE OBJECTIVES RATIONALE ............................................ 82

TABLE 23: ASSUMPTIONS/ENVIRONMENT OBJECTIVES MAPPINGS .................................... 83

TABLE 24: ASSUMPTIONS/THREATS/OBJECTIVES RATIONALE........................................... 83

TABLE 25: SECURITY OBJECTIVE TO SECURITY REQUIREMENTS MAPPINGS...................... 84

TABLE 26: OBJECTIVES TO REQUIREMENTS RATIONALE.................................................... 86

TABLE 27: REFERENCES..................................................................................................... 88

List of Figures

FIGURE 1TOE ENVIRONMENT ........................................................................................... 12

FIGURE 2CATALYST 4500 SERIES SWITCH CHASSIS.......................................................... 14

FIGURE 3CISCO CATALYST 4500-X SERIES CHASSIS AND MODULES................................ 21

FIGURE 432 X 10 GIGABIT ETHERNET PORT SWITCH WITH OPTIONAL UPLINK MODULE

SLOT .......................................................................................................................... 21

FIGURE 516 X 10 GIGABIT ETHERNET PORT SWITCH WITH OPTIONAL UPLINK MODULE

SLOT.......................................................................................................................... 21

FIGURE 68X 10 GIGABIT ETHERNET PORT UPLINK MODULE ......................................... 21

FIGURE 7FRONT-TO-BACK AIRFLOW REAR VIEW............................................................. 22

FIGURE 8BACK-TO-FRONT AIRFLOW REAR VIEW............................................................. 22

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

DOCUMENT INTRODUCTION

Prepared By:

Cisco Systems, Inc.

170 West Tasman Dr.

San Jose, CA 95134

This document provides the basis for an evaluation of a specific Target of Evaluation

(TOE), the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,

4500X and 4500X-F) running IOS-XE 3.5.2E. This Security Target (ST) defines a set of

assumptions about the aspects of the environment, a list of threats that the product intends

to counter, a set of security objectives, a set of security requirements, and the IT security

functions provided by the TOE which meet the set of requirements.

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

1 SECURITY TARGET INTRODUCTION

The Security Target contains the following sections:

Security Target Introduction [Section 1]

Conformance Claims [Section 2]

Security Problem Definition [Section 3]

Security Objectives [Section 4]

IT Security Requirements [Section 5]

TOE Summary Specification [Section 6]

Rationale [Section 7]

The structure and content of this ST comply with the requirements specified in the

Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 4.

1.1 Security Target and TOE Identification

This section provides information needed to identify and control this ST and its TOE.

Table 1 ST and TOE Identification

ST Title

Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,

4500X and 4500X-F) Running IOS-XE 3.5.2E Security Target

ST Version

1.0

Publication Date

11 March 2014

ST Author

Cisco Systems, Inc.

Developer of the TOE

Cisco Systems, Inc.

TOE Reference

Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,

4500X and 4500X-F) running IOS-XE 3.5.2E

TOE Hardware Models

Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,

4500X and 4500X-F), including one or more Supervisor cards and one or

more of the line cards as identified in Table 3

TOE Software Version

IOS XE 3.5.2E

Keywords

Audit, Authentication, Encryption, Information Flow, Protection, Switch,

Traffic

1.2 Acronyms and Abbreviations

The following acronyms and abbreviations are used in this Security Target:

Table 2 Acronyms

Acronyms /

Abbreviations

Definition

AAA

Administration, Authorization, and Accounting

ACL

Access Control List

AES

Advanced Encryption Standard

BGP

Border Gateway Protocol. An exterior gateway protocol. It performs routing

between multiple autonomous systems and exchanges routing and reachability

information with other BGP systems.

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Acronyms /

Abbreviations

Definition

Common Criteria for Information Technology Security Evaluation

CEM

Common Evaluation Methodology for Information Technology Security

CLI

Command Line Interface

Configuration Management

Diffie-Hellman

EAL

Evaluation Assurance Level

EEPROM

Electrically erasable programmable read-only memory, specifically the memory

in the switch where the Cisco IOS is stored.

EIGRP

Enhanced Interior Gateway Routing Protocol

FIPS

Federal Information Processing Standard

HMAC

Hashed Message Authentication Code

HTTPS

Hyper-Text Transport Protocol Secure

IEEE

Institute of Electrical and Electronics Engineers

IGMP

Internet Group Management Protocol

IOS

The proprietary operating system developed by Cisco Systems.

Internet Protocol

IPSEC

IP Security

Information Technology

MAC

Media Access Control

NTP

Network Time Protocol

NVRAM

Non-volatile random access memory, specifically the memory in the switch

where the configuration parameters are stored.

Operating System

OSPF

Open Shortest Path First. An interior gateway protocol (routes within a single

autonomous system). A link-state routing protocol which calculates the shortest

path to each node.

Packet

A block of data sent over the network transmitting the identities of the sending

and receiving stations, error-control information, and message.

Protection Profile

PRNG

Pseudo Random Number Generator

PVLAN

Private VLAN

RADIUS

Remote Authentication Dial In User Service

RIP

Routing Information Protocol. An interior gateway protocol (routes within a

single autonomous system). A distance-vector protocol that uses hop count as it’s

metric.

RNG

Random Number Generator

RSA

Rivest, Shamir and Adleman (algorithm for public-key cryptography)

Service Module

SSH

Secure Shell

SSHv2

Secure Shell (version 2)

Security Target

TACACS

Terminal Access Controller Access Control System

TCP

Transport Control Protocol

TCP/IP

Transmission Control Protocol/Internet Protocol

TDES

Triple Data Encryption Standard

TLS

Transport Layer Security

TOE

Target of Evaluation

TSC

TSF Scope of Control

TSF

TOE Security Function

TSP

TOE Security Policy

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Acronyms /

Abbreviations

Definition

UDP

User Datagram Protocol

VACL

Virtual Access Control List

VLAN

Virtual Local Area Network

VSS

Virtual Switching System

1.3 TOE Overview

The TOE is the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E,

4510R+E, 4500X and 4500X-F) running IOS XE 3.5.2E (herein after referred to as

Catalyst Switches). The TOE is a purpose-built, switching and routing platform with OSI

Layer2 and Layer3 traffic filtering capabilities.

Cisco IOS is a Cisco-developed highly configurable proprietary operating system that

provides for efficient and effective routing and switching. Although IOS performs many

networking functions, this Security Target only addresses the functions that provide for

the security of the TOE itself as described in Section 1.7 TOE logical scope below.

1.3.1 TOE Evaluated Configuration

The TOE consists of any one of a number of hardware configurations, each running the

same version of IOS XE software. The Catalyst 4500 Series Switches chassis provides

power, cooling, and backplane for the Supervisor Engine, line cards, and service modules

(SM)

. The Supervisor Engines run the IOS XE software. The evaluated configurations

consist of the following components (e.g. at least one of the listed chassis, at least one

supervisor card running IOS-XE 3.5.2E software and at least one line card):

Table 3 Evaluated Configuration

TOE

One or more WS-C4503-E, WS-C4506-E, WS-C4507R+E, WS-C4510R+E,

WS-C4500X-32SFP+, WS-C4500X-F-32SFP+, WS-C4500X-16SFP+, WS-

C4500X-F-16SFP+, WS-C4500X-24X-ES, 4500X-24X-IPB, or WS-

C4500X-40X-ES Switch Chassis (Two chassis configured support High

Availability)

One or more supervisors cards (WS-X45-SUP7-E, WS-X45-Sup7L-E) or

dual supervisor cards (WS-X45-SUP7-E, WS-X45-Sup7L-E) per chassis

(Two Supervisor cards in one chassis provides failover), each supervisor

card running IOS XE 3.5.2E (FIPS validated) software

With one or more of the following line cards:

WS-X4748-RJ45V+E

WS-X4712-SFP+E

No specific service modules, such as the Firewall Blade, Wireless Service and Network Analysis being

claimed in the evaluated configuration as they require additional license

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

WS-X4640-CSFP-E

WS-X4748-UPOE+E

WS-X4748-RJ45-E

The TOE can optionally connect to an NTP server on its internal network for time

services. If an NTP server is used, it must only be accessible via the internal network (an

internal network isolated from user traffic and intended for use by TOE administrators

only).

If the TOE is to be remotely administered, SSHv2 must be used for that purpose.

The TOE will transmit syslog message to a remote syslog server through an IPsec tunnel.

The TOE can also be configured to use a remote AAA server (RADIUS or TACACS+)

for centralized authentication, and can also connect to those servers through an IPsec

tunnel.

1.3.2 TOE Type

The Cisco Catalyst Switches are a switching and routing platform used to construct IP

networks by interconnecting multiple smaller networks or network segments. As a

Layer2 switch, it performs analysis of incoming frames, makes forwarding decisions

based on information contained in the frames, and forwards the frames toward the

destination. As a Layer3 switch, it supports routing of traffic based on tables identifying

available routes, conditions, distance, and costs to determine the best route for a given

packet. Routing protocols used by the TOE include BGPv4, EIGRP, EIGRPv6 for IPv6,

RIPv2, and OSPFv2. BGPv4, EIGRP, and EIGRPv6 supports routing updates with IPv6

or IPv4, while RIPv2 and OSPFv2 routing protocol support routing updates for IPv4

only. Note, the information flow functionality is not included in the scope of the

evaluation. The evaluated configuration is the configuration of the TOE that satisfies the

requirements as defined in this Security Target (ST).

1.3.3 Required non-TOE Hardware/Software/Firmware

The TOE supports (in some cases optionally) the following hardware, software, and

firmware in its environment:

Table 4 IT Environment Components

Component

Required

Usage/Purpose Description for TOE performance

Authentication

Server

Yes

This includes any authentication server (RADIUS RFC

2865, 2866, 2869 and RFC 3162 (IPv6) and TACACS+

RFC 1492)) that can be leveraged for remote user

authentication. The AAA server needs to be able of acting

as an IPsec peer or as an IPsec endpoint.

Management

Workstation

with SSH

Client

Yes

This includes any IT Environment Management

workstation with a SSH client installed that is used by the

TOE administrator to support TOE administration through

SSH protected channels. Any SSH client that supports

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Component

Required

Usage/Purpose Description for TOE performance

SSHv2 and a key size of 2048 bits or greater may be used.

Syslog server

Yes

The syslog audit server is used for remote storage of audit

records that have been generated by and transmitted from

the TOE. The TOE would ensure that messages are

encrypted within an IPsec tunnel as they leave the TOE.

The syslog server needs to be able of acting as an IPsec

peer or as an IPsec endpoint.

NTP Server

The TOE supports communications with an NTP server to

receive clock updates. Any server that supports NTPv1

(RFC 1059), NTPv2 (RFC 1119), or NTP v3 (RFC 1305)

may be used.

1.4 TOE Description

The TOE description explains the TOE in more detail than was provided in the TOE

overview.

1.4.1 TOE Architecture and Security Capabilities

The Cisco Catalyst 4500 Series are network devices that protect themselves by offering

only a minimal logical interface to the network and control of that interface. The Switch

IOS subsystem is special purpose software that runs on the Cisco Catalyst 4500 Series

Switch hardware. The Catalyst Switches have been designed so that all locally

maintained security relevant data can only be manipulated via the secured management

interface, a CLI and provides no general purpose programming capability. There are no

undocumented interfaces for managing the Catalyst switches.

All network traffic to the TOE protected (internal) network passes through Catalyst

Switches. There are no unmediated traffic flows into or out of the TOE. Once network

traffic is received on one of the network ports, it is always subject to the security policy

rules as applied to each traffic flow. Traffic flows characterized as unauthorized are

discarded and not permitted to circumvent the Catalyst Switch. Configuration and

management of the Catalyst Switch is through an SSHv2 session via Management

workstation or via a local console connection. The management interfaces require user

identification and authentication prior to allowing management operations. As described

in Section 6, all management functions are restricted to the authorized administrator of

the TOE. The term “authorized administrator”

is used in this ST to refer to any

administrative user which has been assigned to a privilege level that is permitted to

perform the relevant action; therefore has the appropriate privileges to perform the

requested functions.

Note, the term ‘authorized administrator’ as used in this ST is synonymous with the ‘Security

Administrator’ referenced in the NDPP.

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Protection of the TOE from physical tampering is ensured by its environment. It is

assumed that the switches will remain attached to the physical connections made by an

administrator so that the switch cannot be bypassed. The TOE is completely self-

contained. The hardware, software and firmware provided by Catalyst Switches provide

all of the services necessary to implement the TOE. There are no external interfaces into

the TOE other than the physical ports provided. No general purpose operating system,

user interface, disk storage, or programming interface is provided by the TOE.

The Catalyst Switches that comprise the TOE have common hardware characteristics.

These characteristics affect only non-TSF relevant functions of the switches (such as

throughput, line-card slots, and amount of storage) and therefore support security

equivalency of the switches in terms of hardware:

Central processor that supports all system operations

Dynamic memory, used by the central processor for all system operations

Flash memory (EEPROM), used to store the Cisco IOS image (binary program)

USB slot, used to connect USB devices to the TOE (not relevant as none of the

USB devices are included in the TOE)

Non-volatile read-only memory (ROM) is used to store the bootstrap program and

power-on diagnostic programs

Non-volatile random-access memory (NVRAM) is used to store switch

configuration parameters used to initialize the system at start-up

Physical network interfaces (minimally two) (e.g. RJ45 serial and standard 10/100

Ethernet ports). Some models have a fixed number and/or type of interfaces; some

models have slots that accept additional network interfaces

10 Gigabit Ethernet (GE) uplinks and supports Power over Ethernet Plus (PoE+)

and Universal POEP (UPOE). (Universal POEP is an enhancement to the PoEP

(802.3at) standard to allow powered devices up to 60W to connect over a single

Cat 5e cable. Standard PoEP uses only 2 twisted pairs (out of 4) in the Ethernet

cable. UPOE uses all 4 twisted pairs to deliver 60W to the port.)

Redundant power supplies and fans

Cisco IOS XE is a Cisco-developed highly configurable proprietary operating system that

provides for efficient and effective routing and switching. Although IOS XE performs

many networking functions, this TOE only addresses the functions that provide for the

security of the TOE itself as described in Section 1.7 Logical Scope of the TOE below.

1.5 TOE Environment and Configuration

The TOE consists of one or more physical devices; the Catalyst Switch with Cisco IOS

XE software. The Catalyst Switch has two or more network interfaces and is connected

to at least one internal and one external network. The Cisco IOS configuration determines

how packets are handled to and from the switches’ network interfaces. The switch

configuration will determine how traffic flows received on an interface will be handled.

Typically, packet flows are passed through the network device and forwarded to their

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

configured destination. BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2 Routing

protocols are used on all of the Catalyst Switch models.

The TOE can optionally connect to an NTP server on its internal network for time

services. In addition, if the Catalyst Switch is to be remotely administered, then the

management station must be connected to an internal network, SSHv2 must be used to

connect to the switch. A syslog server can also be used to store audit records. A remote

authentication server can also be used for centralized authentication. If these servers are

used, they must be attached to the internal (trusted) network. The internal (trusted)

network is meant to be separated effectively from unauthorized individuals and user

traffic; one that is in a controlled environment where implementation of security policies

can be enforced.

The following figure provides a visual depiction of an example TOE deployment.

Figure 1 TOE environment

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

1.6 Physical Scope of the TOE

The TOE is a hardware and software solution that makes up the following switch models;

Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and

4500X-F) running IOS XE 3.5.2E. The following tables further identify the supported

configurations. The network, on which they reside, is part of the environment.

The Cisco Catalyst Switches, 4503-E, 4506-E, 4507R+E, 4510R+E offers four chassis

options and two supervisor engine options and are extremely flexible and support either 6

Gbps, 24 Gbps, or 48 Gbps per line-card slot. The TOE can optionally support any

other line card or service module (SM)

that is compatible with the supervisors and

chassis models included in the TOE. These line cards and SMs are not security-relevant

No specific service modules, such as the Firewall Blade, Wireless Service and Network Analysis being

claimed in the evaluated configuration as they require additional license

Cisco ASR 1006

PWR

STATUS

ASR1000 SIP10

PWR

STATUS

ASR1000 SIP10

PWR

STAT

STBY

ASR1000-ESP20

ACTV

PWR

STAT

STBY

ASR1000-ESP20

ACTV

STAT

ASR1000-RP1

STBY

ACTV

MIN

MAJ

CRIT

CM1

PWR

USB

DISK

CARRIER

LINK

BITS

CON

AUX

MGMTE THERNE T

CM1

STAT

ASR1000-RP1

STBY

ACTV

MIN

MAJ

CRIT

CM1

PWR

USB

DISK

CARRIER

LINK

BITS

CON

AUX

MGMTE THERNE T

CM1

PWR

STATUS

ASR1000 SIP10

Cisco

ETH

ACT

PWR

SLOT0

SLOT1

SLOT2

1700

SERIES

ROUTER

COL

Peer

TOE Boundary

Mgt

Workstation

SSH

Connection

Catalyst 4K Switch

Syslog

Server

AAA Server

NTP Server

IPsec

Connection

IPsec

Connection

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

to the CC-evaluated security functional requirements, however the supervisor cards are

security relevant.

Figure 2 Catalyst 4500 Series Switch Chassis

Table 5 Catalyst 4500 Series Switch Chassis Features

Feature

Cisco Catalyst

WS-C4503-E

Chassis

Cisco Catalyst

WS-C4506-E

Chassis

Cisco Catalyst

WS-C4507R+E

Chassis

Cisco Catalyst

WS-C4510R+E

Chassis

Total number of

slots

Line-card slots

Supervisor

engine slots

Dedicated

supervisor

engine slot

numbers

3 and 4

5 and 6

Supervisor

engine

redundancy

Yes

Yes (Supervisor

V-10GE, 6-E and

7-E)

Supervisor

engines

Supervisor 7-E

Slot 1 is reserved for supervisor engine only; slots 2 and higher are reserved for line cards.

Slots 3 and 4 are reserved for supervisor engines only in Cisco Catalyst 4507R-E and 4507R+E; slots 1-2 and 5-7 are

reserved for line cards.

Slots 5 and 6 are reserved for supervisor engines only in Cisco Catalyst 4510R-E and 4510R+E; slots 1-4 and 7-10 are

reserved for line cards

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Feature

Cisco Catalyst

WS-C4503-E

Chassis

Cisco Catalyst

WS-C4506-E

Chassis

Cisco Catalyst

WS-C4507R+E

Chassis

Cisco Catalyst

WS-C4510R+E

Chassis

supported

Supervisor 7L-E

Maximum PoE

per slot

1,500W

1,500W slots 1

and 2,

750W slots

3,4,7-10

Bandwidth

scalability per

line-card slot

Up to 48 Gbps

on all slots

Up to 48 Gbps

on all slots

Up to 48 Gbps

on all slots7

Up to 48 Gbps

on all slots5

Number of

power supply

bays

AC input power

Yes

DC Input power

Yes

Integrated

Power over

Ethernet

Yes

Minimum

number of

power supplies

Power supplies

supported

● 1000W AC

● 1400W AC

● 1300W ACV

● 2800W ACV

● 4200W ACV

● 6000W ACV

● 1400W DC

(triple input)

● 1400W-DC-P

● 1000W AC

● 1400W AC

● 1300W ACV

● 2800W ACV

● 4200W ACV

● 6000W ACV

● 1400W DC

(triple input)

● 1400W-DC-P

● 1000W AC

● 1400W AC

● 1300W ACV

● 2800W ACV

● 4200W ACV

● 6000W ACV

● 1400W DC

(triple input)

● 1400W-DC-P

● 1400W AC

● 2800W ACV

● 4200W ACV

● 6000W ACV

● 1400W DC

(triple input)

● 1400W-DC-P

Number of fan-

tray bays

Location of 19-

inch rack mount

Front

WS-C4507R-E and WS-C4510R-E chassis support up to 24G per line-card slot when used with Sup6-E

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Feature

Cisco Catalyst

WS-C4503-E

Chassis

Cisco Catalyst

WS-C4506-E

Chassis

Cisco Catalyst

WS-C4507R+E

Chassis

Cisco Catalyst

WS-C4510R+E

Chassis

Location of 23-

inch rack mount

Front (option)

Cisco Catalyst 4500 Series line cards can be mixed and matched to suit numerous LAN

access, server connectivity, or branch-office deployments. The Cisco Catalyst 4500

Series supports the following supervisor and line cards, by product number:

Table 6 Catalyst 4500 Series Switch Chassis Line Cards

Product Number /Description

Cisco Catalyst 4500E Supervisor Cards

Supervisor Engine 7-E

• Performance and capability

–848 Gbps switching capacity with 250 Mpps of throughput

–4 nonblocking 10 Gigabit Ethernet uplinks (Small Form-Factor

Pluggable Plus [SFP+])

–SFP support on uplinks to offer flexibility for up to 4 Gigabit

Ethernet ports

–384 ports of nonblocking 10/100/1000

–PoEP (30W) capabilities on all ports in a line card simultaneously

–UPOE (60W) capabilities on all line-card slots

–Energy Efficient Ethernet (IEEE 802.3az)

–196 ports of nonblocking Gigabit Ethernet SFP

–100 ports of 10 Gigabit Ethernet SFP+ (4 uplinks ports + 96 line-

card ports)

–128,000 FNF entries in hardware

–External USB and Secure Digital (SD) card support for flexible

storage options

–256,000 routing entries for high-end campus access and

aggregation deployments

–IPv6 support in hardware, providing wire-rate forwarding for IPv6

networks

–Dynamic hardware forwarding-table allocations for ease of IPv4-

to-IPv6 migration

–Scalable routing (IPv4, IPv6, and multicast) tables, Layer 2 tables,

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Product Number /Description

and access-control-list (ACL) and quality-of-service (QoS) entries to

use 8 queues/port and comprehensive security policies per port

• Infrastructure services

–Cisco IOS XE Software, the modular open application platform for

virtualized borderless services

–Maximum resiliency with redundant components, Nonstop

Forwarding/Stateful Switchover (NSF/SSO), and ISSU support

–Network virtualization through Multi-Virtual Route Forwarding

(VRF) and Easy Virtual Networking (EVN) technology for Layer 3

segmentation

–Automation through Embedded Event Manager (EEM), Cisco

Smart Call Home, AutoQoS, and Auto SmartPorts for fast

provisioning, diagnosis, and reporting

• Cisco Borderless Networks Services

–Optimized application performance through deep visibility with

FNF supporting rich Layer 2/3/4 information (MAC, VLAN, and

TCP Flags) and synthetic traffic monitoring with IP service-level

agreement (IP SLA)

–Medianet capabilities to simplify video QoS, monitoring, and

security

–Energy-efficient design with Cisco EnergyWise technology to

manage network, PoEP, and PC

• Investment protection and reduced total cost of ownership (TCO)

–Full backward compatibility with 6-, 24-, and 48-Gbps slot line

cards with no performance degradation

The Cisco Catalyst 4500E Supervisor Engine 7-E is compatible with

classic Cisco Catalyst 4500 line cards and power supplies, providing

full investment protection. The Supervisor Engine 7-E is not

compatible with classic Cisco Catalyst 4500 chassis. When you

deploy the Cisco Catalyst 4500E Supervisor Engine 7-E with classic

line cards, all of the new features except the 24- and 48-Gbps per-

slot switching capacity are inherited.

Supervisor Engine 7L-E

• Performance and scalability:

–520-Gbps switching capacity with 225 mpps of throughput

–2 nonblocking 10 Gigabit Ethernet uplinks (SFP+) or 4

nonblocking 1 Gigabit Ethernet uplinks (SFP)

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Product Number /Description

–Supports 3-, 6-, and 7-slot Cisco Catalyst 4500E chassis

–Supports a maximum of 244 ports of 10/100/1000 Base-T and 400

ports of 1000Base-X (CSFP) in a 7-slot chassis

–Supports up to 124 1GE nonblocking fiber ports or 62 10GE fiber

ports in a 7-slot chassis

–Enables next-generation Universal Power Over Ethernet (UPOE,

WS-X4748-UPOE+E) in addition to backward compatibility with

other PoE standards

–Enables EEE (IEEE 802.3az)

–128,000 Flexible NetFlow entries in hardware

–External USB and SD card support for flexible storage options

–10/100/1000 RJ-45 console and management port

–64,000/32,000 IPv4/IPv6 routing entries for campus access and

aggregation deployments

–IPv6 in hardware, providing wire-rate forwarding for IPv6

networks and support for dual stack with innovative resource usage

–Dynamic hardware forwarding-table allocations for ease of IPv4-

to-IPv6 migration

–Scalable routing (IPv4, IPv6, and multicast) tables, Layer 2 tables,

and access-control-list (ACL) and quality-of-service (QoS) entries to

make use of 8 queues per port and comprehensive security policies

per port

• Infrastructure services:

–Cisco IOS XE Software, the modular open application platform for

virtualized borderless services

–Maximum resiliency with redundant components, Nonstop

Forwarding/Stateful Switchover (NSF/SSO), and In-Service

Software Upgrade (ISSU) support

–Network virtualization through Multi-Virtual Route Forwarding

(VRF) technology for Layer 3 segmentation

–Automation through Embedded Event Manager (EEM), Cisco

Smart Call Home, AutoQoS, and Auto SmartPorts for fast

provisioning, diagnosis, and reporting

• Borderless network services:

–Optimized application performance through deep visibility with

Flexible NetFlow supporting rich Layer 2/3/4 information (MAC,

VLAN, TCP Flags) and synthetic traffic monitoring with IP service-

level agreement (SLA)

–Medianet capabilities to simplify video quality of service,

monitoring, and security. In addition, multicast features such as

Protocol Independent Multicast (PIM) and Source-Specific

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Product Number /Description

Multicast (SSM) that provide enterprise customers the additional

scalability to support multimedia applications

–Energy-efficient design with Cisco EnergyWise™technology

• Investment protection and reduced total cost of ownership (TCO):

–Full backward compatibility with 6 G, 24 G, and 48 Gbps slot line

cards with no performance degradation

The Cisco Catalyst 4500E Supervisor Engine 7L-E is compatible

with classic Cisco Catalyst 4500 line cards and power supplies,

providing full investment protection. Supervisor Engine 7L-E is not

compatible with classic Cisco Catalyst 4500 chassis.

Cisco Catalyst 4500E Series Line Cards

WS-X4748-UPOE+E

• 48 ports nonblocking

• 10/100/1000 module (RJ-45)

• Cisco IOS XE Release 3.1.0SG or later

• UPOE: capable of up to 60 W per port up to 1440 W

• Energy Efficient Ethernet 802.3az

• IEEE 802.3af/at and Cisco prestandard PoE, IEEE 802.3x flow

control

• IEEE 802.1AE and Cisco TrustSec capability in hardware

• L2-4 Jumbo Frame support (up to 9216 bytes)

• Capable of up to 30 W of inline power per port on all ports

simultaneously

• Enterprise and commercial: designed to power next-generation IP

phones, wireless base stations, video cameras, virtual desktop

clients, and other PoE/UPOE devices

• Campus and branch applications requiring enhanced performance

for large file transfers and network backups

WS-X4748-RJ45V+E

• 48 ports nonblocking

• 10/100/1000 module (RJ-45)

• Cisco IOS XE Release 3.1.0SG or later

• IEEE 802.3af/at and Cisco prestandard PoE, IEEE 802.3x flow

control

• IEEE 802.1AE and Cisco TrustSec capability in hardware

• L2-4 Jumbo Frame support (up to 9216 bytes)

• Capable of up to 30 W of inline power per port on all ports

simultaneously

• Enterprise and commercial: designed to power next-generation IP

phones, wireless base stations, video cameras, and other PoE

devices

• Campus and branch applications requiring enhanced performance

for large file transfers and network backups

Cisco Cat4K NDPP ST 11 March 2014

EDCS-1228241

Product Number /Description

WS-X4748-RJ45-E

• 48 ports nonblocking

• 10/100/1000 module (RJ-45)

• Cisco IOS XE Release 3.1.0SG or later

• Energy Efficient Ethernet 802.3az

• IEEE 802.1AE and Cisco TrustSec capability in hardware

• L2-4 Jumbo Frame support (up to 9216 bytes)

• Enterprise and commercial: designed for data only user access

• Campus and branch applications requiring enhanced performance

for large file transfers and network backups

WS-X4712-SFP+E

• 48 gigabits per-slot capacity

• Bandwidth is allocated across four 3-port groups, providing 12

Gbps per port group (2.5:1)

• Up to 12 ports 10GE SFP+ (10GBASE-R) or 12 ports GE SFP

(1GBASE-X)

• SFP+ and SFP can be used simultaneously on the same line card

without any restrictions

• Cisco IOS XE Release 3.1.0SG or later

• IEEE 802.1AE and Cisco TrustSec capability in hardware

• L2-4 Jumbo Frame support (up to 9216 bytes)

• Enterprise and commercial: designed for high-speed backbone

and switch-to-switch applications

• Service provider: 10GE/GE mix aggregation for

DSLAM/PON/mobile data backhaul

• WS-X4712-SFP+E is not supported on 4507R-E and 4510R-E

chassis

WS-X4640-CSFP-E

• 40 modules of Gigabit SFP line card (1000BaseX), providing 24

gigabits per-slot capacity (SFP optional)

• 40 ports with Gigabit SFP (2:1 oversubscribed)

• 80 ports with Gigabit compact SFP (4:1 oversubscribed)

• Customers can mix and match Gigabit SFP and Gigabit compact

SFPs

• 6E/6LE Supports WS-X4640-CSFP-E with IOS version

15.1.(1)SG

• 7E, 7L-E supports WS-X4640-CSFP-E from 15.0(2)SG1 /

3.2.0SG onwards

• Supported on 3, 6, and 7 slot chassis

• IEEE 802.3, IEEE 802.3ah, IEEE 802.3x flow control

• L2-4 Jumbo Frame support (up to 9216 bytes)

• Inherits supervisor engine QoS capability

• Service Provider: Point-to-Point fiber to the home (FTTH) or

building (FTTB) for residential and business applications

• Enterprise: Providing Fiber to the Desktop (FTTD), for

deployments where non-blocking is not a mandatory requirement

Other manuals for 4503-E - Catalyst Data Bundle Switch

This manual suits for next models

Table of contents

Other Cisco Switch manuals

Cisco

Cisco Aironet 350 Series User manual

Cisco

Cisco SG 300-20 User manual

Cisco

Cisco Nexus 3000 series Manual

Cisco

Cisco MDS 9700 Series Instruction Manual

Cisco

Cisco 6500 - Catalyst Series 10 Gigabit EN Interface Module... Manual

Cisco

Cisco Catalyst PON Series Manual

Cisco

Cisco Nexus 3600 NX-OS User manual

Cisco

Cisco Nexus 7000 Series User manual

Cisco

Cisco WS X4148 RJ21 - Catalyst 4000 Series 10/100 Telco... User manual

Cisco

Cisco Nexus 9000 Series User manual

Cisco

Cisco SD208P User manual

Cisco

Cisco Nexus 9396PX Manual

Cisco

Cisco Nexus 3000 series User manual

Cisco

Cisco Catalyst 3650 Series User manual

Cisco

Cisco Small Business SF200-24P User manual

Cisco

Cisco Nexus 9200 Series User manual

Cisco

Cisco WS-X45-SUP6L-E Quick guide

Cisco

Cisco InfiniBand 4x User manual

Cisco

Cisco Catalyst 2960X-48FPD-L Manual

Cisco

Cisco 11154 - CSS - Switch User manual

Cisco

Cisco IE-3000-8TC User manual

Cisco

Cisco Nexus 5500 Series User manual

Cisco

Cisco NME-16ES-1G - Etherswitch Service Mod 16 Specification sheet

Cisco

Cisco Catalyst 9500 Series Manual

Popular Switch manuals by other brands

Allied Telesis

Allied Telesis AT-8116 installation guide

FSR

FSR DV-MFSS-71 manual

Matrix Switch Corporation

Matrix Switch Corporation MSC-2HD1632S product manual

ADLINK Technology

ADLINK Technology aTCA-3710 user manual

Alcatel-Lucent

Alcatel-Lucent 7450 Basic system configuration guide

Cabletron Systems

Cabletron Systems CyberSWITCH CSX150 user guide

Sony

Sony DVS-7200A Operation manual

Lutron Electronics

Lutron Electronics Maestro MS-OPS5M manual

steute

steute RF GFSI SW868 Mounting and wiring instructions

Hama

Hama 74011488 Operating instruction

KanexPro

KanexPro SW-HD3X14K user manual

Extron electronics

Extron electronics MPS 112 user manual

Siemens

Siemens SIMATIC SCALANCE X-300M PoE Compact operating instructions

EtherWAN

EtherWAN EX77900 Series installation guide

Parallax

Parallax PDT-NSU-7005-MP-I Operation manual

Planet Networking & Communication

Planet Networking & Communication IGS-10020MT Quick installation guide

Perle

Perle IDS-409F quick start guide

Dell

Dell PowerConnect 2216 Technical Specifications Update

Cisco 4503-E - Catalyst Data Bundle Switch User manual

Popular Switch manuals by other brands