Continued Innovation Reduces Total Cost of Ownership
• Simplifying network infrastructure-Organizations today have limited resources to keep pace with growing business application requirements. As a result, network managers must find ways to implement value-added services without adding to management complexity and overhead.
• Maximizing return on network investment-To compete in a global market, organizations are under pressure to operate on leaner budgets while improving productivity. IT staffs must find ways to improve staff efficiency and get the most value from their network investment.
• Implementing pervasive security-Greater network reach and access increase the risk of external and internal threats to an organization's operations and intellectual property. In addition, new laws require organizations to protect and preserve sensitive financial and personnel information and communications. Network managers must be able to provide stronger, more integrated protection at all levels of the network to ensure that valuable data is protected and that business operations will survive disruptions and attacks.
• Taking advantage of services innovation-Organizations need innovative, real-time collaborative applications and communications tools to successfully compete in a rapidly shifting business climate. These new applications require more performance, quality of service (QoS), and application integration capabilities from their network. Network managers must be able to quickly deploy new and emerging technologies, and provide greater access to these advanced applications, regardless of user location.
Figure 1. Cisco Catalyst 6500 Series Switches with Integrated Service Modules
• Provide local, remote, and wireless users with transparent access to resources
• Optimize capacity and bandwidth to manage multiple advanced bandwidth-intensive applications without service degradation
• Protect the network against threats at all levels
• Deliver network- and application-level services on every port
Table 1. Cisco Catalyst 6500 Service Modules
Simplifying the Network Infrastructure
• Integration-System integration takes advantage of shared functionality and collaborative processes between the switch and service modules. For example:
– The Cisco FWSM enforces communication policies between VLANs and private VLANs and external interfaces.
– The Cisco ACE supports bidirectional content inspection, SSL encryption and decryption, and transaction logging to provide rich levels of application and network security.
– As illustrated in Figure 2, the Cisco NAM offers a diverse set of traffic-analysis capabilities to strengthen network integrity by analyzing traffic types and their resource usage, helping network administrators to plan and manage the secure growth of networks, services, and applications.
Figure 2. Cisco Catalyst 6500 NAM Application Response Time Monitoring
• Virtualization-This capability allows network managers to configure, deploy, and manage services as if they were separate devices or subnets. For example:
– The Cisco ACE supports virtual partitioning to segment and isolate resources and define levels of service for up to 250 different business organizations, applications, or customers and partners, eliminating the need for multiple standalone devices.
– Acting as a network interception point for all application traffic, the Cisco AON module can configure each node as a virtual sensor to capture, process, and log highly granular information about application messages.
– The Cisco FWSM delivers multiple virtual firewalls (up to 250) on one physical hardware platform, allowing service providers and large enterprises to implement policies for different customers or functional areas over the same physical infrastructure.
• High availability-Platform design characteristics such as Cisco IOS® Software modularity, which allows subsystems to run as independent processes, and redundancy in critical hardware components minimize downtime. For example:
– The Cisco IPsec VPN SPA offers blade-to-blade active stateful failover with two blades in the same chassis slot.
– The Cisco WiSM automatically adjusts power and traffic to adjacent lightweight access points to sustain wireless network operation in the event of a failed access point.
– The Survivable Remote Site Telephony (SRST) feature in the Cisco CMM increases network resiliency by managing temporary connections for Cisco IP phones when a connection to a Cisco CallManager device is unavailable.
Maximizing Return on Network Investment
• Reduced TCO-Network managers can incorporate new capabilities simply by adding specific service modules to the switch chassis.
– Service consolidation eliminates the need to purchase, track, maintain, and manage separate specialized devices.
– The integrated solution also avoids the added expense and effort of redesigning or overhauling the network to incorporate new technologies and services. It also capitalizes on administrator expertise managing the existing infrastructure to quickly deliver new services.
– Compared to a fleet of disparate, standalone devices, the deployment of a single chassis with integrated service module requires less rack space, power and cabling, reducing overall environmental costs.
• Lower Operational Expenditures through simplified management and maintenance-The integrated service modules are managed and controlled through a common Cisco IOS management interface, which simplifies management and troubleshooting, and reduces training and staffing costs. For example:
– Using the Cisco NAM's embedded Web-based interface, network managers can quickly access easy-to-read performance reports on data, voice, and video traffic at any time from any desktop.
– The Cisco NAM offers centralized LAN and WAN traffic visibility to broaden network and application monitoring. Using the switch's Encapsulated Remote SPAN (ERSPAN) feature, network managers can troubleshoot "hot spots" in remote areas of the network without having to send personnel offsite.
– The Cisco CMM functions as a high-density, high-performance VoIP gateway to the PSTN, existing PBXs, traditional analog devices, and network-based media services, supporting T1, E1, foreign exchange station (FXS), scheduled and unscheduled conferencing, media termination point (MTP), and transcoding functions through one convenient management interface.
Deploying Pervasive Security
• Broad protection suite-VPN, firewall, intrusion detection, and DDoS protection. Service modules protect users and network resources across the entire extended enterprise-wired, wireless, remote, mobile-without expensive equipment overhaul or network alteration. For example:
– SSL and next-generation Transport Layer Security (TLS) protocols in the Cisco WebVPN Services Module securely connect remote users to specific, supported internal resources configured at a central site. The module supports clientless, thin-client, and SSL tunneling client access methods to support a range of wireless devices and manage the appropriate level of application access.
– The Cisco FWSM, WebVPN Services Module, IPsec VPN SPA, and IDSM-2 easily extend firewall, intrusion detection, and secure Internet access capabilities to every port on the switch.
– The Cisco IDSM-2 provides dynamic signatures to identify, monitor, and stop malware attacks, worms, and viruses.
• End-to end-security-System integration takes advantage of the shared functionality and collaborative processes between modules, as well as the security capabilities of the switch to increase operating efficiency and strengthen protection at all layers of the enterprise network. Examples include:
– The Cisco FWSM works together with the Cisco IDSM-2 Services Module to identify and prevent malicious traffic from propagating; it works with the Cisco IPsec VPN SPA to provide firewall policies per VPN tunnel.
• Advanced application protection-Service modules also use the high-speed, QoS, and traffic management capabilities and intelligence of the Catalyst 6500 Series platform to provide comprehensive application protection. For example:
– The Cisco FWSM delivers strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4 to 7, supplying market-leading protection to VoIP, multimedia, instant messaging, and peer-to-peer applications.
– The Cisco IPsec VPN SPA delivers advanced site-to-site and remote access encryption over LAN and WAN interfaces using Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES), the latest standard demanded by government agencies and leading financial institutions.
– The Cisco Traffic ADM and AGM use a unique, patented multi-verification process (MVP) architecture, the latest in behavioral analysis and attack-recognition technology, to proactively detect and mitigate DDoS attacks on Web, e-mail, and DNS servers, and the Session Initiation Protocol (SIP) VoIP infrastructure.
Taking Advantage of Service Innovation
• Industry-leading scalability and performance-The integrated service modules take full advantage of the switching platform's 720-Gbps performance, high port densities, and low latency. For example:
– The Cisco ACE can manage large-scale operations with its 16-Gigabit throughput and 345,000 sustained connections-per-second capacity. Unique WAN latency and bandwidth reduction capabilities speed end-user response times across the network.
– The Cisco IPsec VPN SPA provides 2.47-Gbps encrypted throughput per blade and up to 25 Gbps per chassis. It supports up to 8000 simultaneous VPN tunnels and up to 100 tunnel connections per second.
– The Cisco Traffic ADM and AGM high-speed filtering engines support a 1-Gigabit interface, 1.5 million concurrent connections, 150,000 dynamic filters, and less than 1-millisecond (ms) latency to detect, divert, isolate, and remove malicious attack flows without affecting legitimate transactions.
• Multilayer capabilities and intelligence-The integrated service modules are designed to make the most of the switching platform's advanced Layer 4-7 load balancing and Layer 2-3 switching and routing capabilities such as QoS traffic prioritization, multicast traffic delivery, and content switching.
– The Cisco IDSM-2 protects the network through Layer 2-7 traffic inspection using multiple detection techniques: anomaly detection, vulnerability and exploit signatures, stateful pattern matching, heuristic and protocol or traffic anomaly detection, and host intrusion prevention collaboration.
– The Cisco FWSM delivers strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7 for VoIP, multimedia, instant messaging, and peer-to-peer applications.
– Operating at the application layer, the Cisco AON module provides a high degree of flexibility in the intelligent message-routing capabilities of the switch.
• Service convergence-The unique interaction of the integrated service modules bolster network performance, enhance application and security services, and expand monitoring, reporting, and configuration capabilities.
– Used with the Cisco IDSM-2, IPsec VPN SPA, and WebVPN Services Module, the Cisco FWSM prevents Internet-edge attacks and integrates VPN services; used with the Cisco ACE, the Cisco FWSM protects and optimizes applications for data center resources.
– The Cisco IPsec VPN SPA and WebVPN Services Module combine to offer both IPsec and SSL VPN remote access aggregation in a single integrated platform.
FOR MORE INFORMATION