The Cisco® Catalyst® 6500 Supervisor Engine 32 Programmable Intelligent Services Accelerator (PISA) delivers superior deep packet inspection, application awareness, security, availability, and manageability services for the networks of small and medium-sized business, enterprises, and service providers. This supervisor engine is ideal for securing campus access networks, converged services MAN/WAN applications and small/medium backbone functions.
The PISA on the Supervisor Engine 32 PISA provides hardware acceleration of services such as network-based application recognition (NBAR) and flexible packet matching (FPM) at multigigabit speeds, in addition to the management and control plane functions traditionally provided by the multilayer switch feature card (MSFC). The Supervisor Engine 32 PISA is offered with the Policy Feature Card 3B (PFC3B), to ensure feature and performance compatibility with the Cisco Catalyst 6500 Supervisor Engine 32. Two uplink options are available: 8-port Gigabit Ethernet Small Form-Factor Pluggable (SFP)-based uplinks (Figure 1) and 2-port 10 Gigabit Ethernet XENPAK-based uplinks (Figure 2). In addition to these modular uplinks, the Supervisor Engine 32 PISA also includes one port of 10/100/1000 RJ-45 for ease of network management. All ports on the Supervisor Engine 32 PISA can be active at the same time.
Figure 1. Supervisor Engine 32 PISA with 8-Port Gigabit Ethernet and PFC3B
Figure 2. Supervisor Engine 32 PISA with 2-Port 10 Gigabit Ethernet and PFC3B
The Supervisor Engine 32 PISA offers:
• Deep Packet Inspection and Application Awareness: Support for hardware acceleration of intelligent services like NBAR and FPM at multigigabit speeds and inspection 4096 bytes into the packet. NBAR is a classification engine that can recognize a wide variety of applications, including Web-based applications and client/server applications that dynamically assign TCP or User Datagram Protocol (UDP) port numbers. After the application is recognized, the network can invoke specific services for that particular application. NBAR works with quality-of-service (QoS) features to help ensure that the network bandwidth is best used to fulfill the company's objectives. These features include the ability to guarantee bandwidth to critical applications, limit bandwidth to other applications, drop selective packets to avoid congestion, and mark packets appropriately so that the network and the service provider's network can provide QoS from end to end. FPM provides the means to inspect packets for characteristics of an attack, and to take appropriate actions (log, drop). FPM provides a flexible Layer 2 through Layer 7 stateless classification mechanism. The user can specify classification criteria based on any protocol and any field of the traffic's protocol stack. Based on the classification result, actions such as drop or log can be taken on the classified traffic.
• Programmable Architecture: The Supervisor Engine 32 PISA is based on an adaptable, programmable architecture that adjusts to grow with the dynamic needs of the network. As new techniques for network intrusion or application compromise are created, the programmable nature of the Supervisor Engine 32 PISA ensures that the network administrator has the ability to quickly react to the changing environment. Additionally, the architecture integrates a high-performance hardware-based AES encryption engine to potentially next-generation Layer 2 through 7 services requiring multigigabit encryption services in the future.
• Integrated security: The Supervisor Engine 32 PISA helps mitigate damage from denial-of-service (DoS) attacks using Control Plane Policing, hardware-based MAC learning, and user-based rate limiting. It limits threats from the Dynamic Host Configuration Protocol (DHCP) server, default gateway, or end-user IP address spoofing using features such as DHCP snooping, Dynamic Address Resolution Protocol inspection (DAI), and Unicast Reverse Path Forwarding (uRPF). The supervisor engine allows close control over which users can access the network and what privileges they are granted through identity-based networking with IEEE 802.1x and port-based security. These integrated security features are hardware-based so they can be enabled concurrently without compromising system performance as traffic levels increase. The intrusion detection services module, firewall services module, or the IPsec VPN SPA can be installed in the same chassis for
maximum security.
• High availability: The Supervisor Engine 32 PISA helps ensure business continuity through minimizing network downtime with its support of Layer 2 Stateful Switchover (SSO), Layer 3 Nonstop Forwarding (NSF), Gateway Load-Balancing Protocol (GLBP), multimodule Cisco EtherChannel®, and rapid convergence protocols such as IEEE 802.1s and 802.1w. It also supports proactive detection and prevention of network equipment failures using Generic Online Diagnostics (GOLD).
• Enhanced manageability: Enhancements include support for the Embedded Event Manager (EEM), a powerful ally for device and system management, enabling network administrators to harness the network intelligence intrinsic to Cisco IOS® Software and customize the behavior based on real network events as they happen; support for ACE counters for identifying the frequency that specific access-control-list (ACL) entries are hit; support for hardware-based NetFlow, providing a metering base for a key set of applications, including network traffic accounting, usage-based network billing, network planning, as well as denial of service monitoring capabilities; and support for Encapsulated Remote SPAN (ERSPAN), Digital Optical Monitoring, and Generic Online Diagnostic functions to simplify operational complexity. These enhanced capabilities enable network administrators to respond quickly to user access problems and simplify network management.
• Slot efficiency: Uplink density of eight Gigabit Ethernet SFP-based ports and increased bandwidth to two 10 Gigabit Ethernet XENPAK-based ports save slots for deployment of integrated service modules or higher-density chassis.
• Investment protection: The Supervisor Engine 32 PISA supports Cisco Catalyst 6500 Series classic modules and Cisco Express Forwarding 256-based (CEF256) modules and is backward-compatible with all Cisco Catalyst 6500 Series chassis, allowing deployment of new, advanced services on existing equipment. The Supervisor Engine 32 PISA also supports the Enhanced FlexWAN module and the shared port adapter (SPA) Interface Processors (SIPs) along with the associated SPAs. This prolongs the deployment lifetime of interface modules and provides greater return on investment.
• Superior traffic management: Uplinks are available with four transmit queues per port, with one strict priority queue for high-priority, low-latency traffic, and two receive queues per port. Each port supports Weighted Random Early Detection (WRED) for congestion avoidance within each queue, and Shaped Round Robin (SRR) as well as Deficit Weighted Round Robin (DWRR) for scheduling between queues to aid in traffic prioritization. Up to eight thresholds can be configured to manage differentiated levels of service.
• Extensive management tools: The Supervisor Engine 32 PISA supports the CiscoWorks network management platform; QoS Policy Manager (QPM); Network Analysis Module (NAM); Simple Network Management Protocol (SNMP) Versions 1, 2, and 3; Cisco Security Manager; and four Remote Monitoring (RMON) groups (statistics, history, alarms,
and events).
Applications
Secure Enterprise LAN Access
The Supervisor Engine 32 PISA provides deep packet inspection, application awareness, high levels of security, availability, and manageability for enterprise LAN access deployments. Support for hardware-accelerated FPM and NBAR on the Supervisor Engine 32 PISA allows customers to move security and classification right to the edge of their networks, providing a comprehensive worm mitigation and application classification solution. Supervisor Engine 32 PISA is capable of accelerating services at 2Gbps for Internet mix (IMIX) traffic, which is optimal for standard campus access networks of typical enterprises using a pair of Gigabit Ethernet Small Form-Factor Pluggable (SFP) uplinks to each distribution layer switch. See Figure 3 for a deployment example.
Figure 3. Supervisor Engine 32 PISA Deployment Example in LAN Access
Enterprise WAN Edge, Internet Gateway and Service Provider Services
The Supervisor Engine 32 PISA is purpose built for enterprise WAN edge, Internet gateway, and Metro Ethernet deployments. The PISA on the Supervisor Engine 32 PISA provides hardware acceleration of intelligent services like NBAR and FPM to provide application classification and worm and virus mitigation at multigigabit speeds. Support for these intelligent services, coupled with the support for 256k routes and interface support from T1 to OC48 with shaping, makes the Supervisor Engine 32 PISA an ideal platform for WAN aggregation and Internet gateway deployments. Additionally, equipped with PFC3B, the Supervisor Engine 32 PISA ensures feature and performance compatibility with the Cisco Catalyst 6500 Supervisor Engine 32. It offers advanced hardware-accelerated IP services such as Multiprotocol Label Switching (MPLS), IPv6, Network Address Translation (NAT), generic routing encapsulation (GRE) tunneling, ACLs, rate limiting, and advanced QoS to enable network administrators to build feature-rich networks. (See Figure 4) The uplinks of the Supervisor Engine 32 PISA can also support SRR for rate limiting traffic.
Figure 4. Supervisor Engine 32 PISA Deployment Example in WAN Aggregation and as a Service Appliance
Service Appliance
The Cisco Catalyst 6504-E, together with the Supervisor Engine 32 PISA and up to three service modules, forms an ideal service appliance. High availability can be incorporated in this appliance by making use of a dual Supervisor Engine 32 PISA configuration. Hardware-accelerated services on the PISA, along with service modules like the firewall services module and intrusion detection services (IDS) module, can be deployed together as a security appliance. These advanced services can then be distributed in the network over the integrated eight-port Gigabit Ethernet uplinks or two-port 10 Gigabit Ethernet uplinks from the Supervisor Engine 32 PISA.
Features and Benefits
Table 1 lists the features and benefits of the Supervisor Engine 32 PISA.
Table 1. Features and Benefits of Supervisor Engine 32 PISA
Features
Benefits
Secure Application Fluency and Deep Packet Inspection
Network Based Application Recognition at Multigigabit Speeds
• Provides the ability to discover protocols and applications running on the network
• Allows Intelligent traffic classification based on application type
• Supports addition of new protocols and applications using packet description language modules (PDLMs)
• Provides the ability to load new PDLM's without changing Cisco IOS Software releases and without rebooting the switch
• Supports a wide variety of applications and protocols, including:
- P2P: BitTorrent, eDonkey/eMule, FastTrack, Gnutella, KaZaA
- Enterprise applications: PCAnywhere, Citrix ICA, Microsoft SQL Server
- Streaming Media applications: Real Time Streaming Protocol (RTSP), CU SeeMe, Netshow, StreamWorks, VDOLive
- Network Mail Services: Simple Mail Transfer Protocol(SMTP), point of presence (POP3), Internet Mail Access Protocol (IMAP), Lotus Notes, Microsoft Exchange
- Internet: HTTP(Hypertext Transfer Protocol) , FTP (File Transfer Protocol), NNTP (Network News Transfer Protocol ), IRC (Internet Relay Chat)
• GUI based management using QoS Policy Manager (QPM)
Flexible Packet Matching at Multigigabit Speeds
• Provides next generation "Super ACL" pattern matching capability for granular and customized packet filtering
• Provides the ability to match on arbitrary bits of a packet at arbitrary depth (offset) in the packet header and payload hence allowing detection of malicious patterns deep within the packet
• Allows users to define customized classification criteria for stateless traffic using CLI or off-box via XML
• Provides the ability to install new filters on switches without reload
• Provides protection again notable worms/viruses such as Slammer and MyDoom and protects against malicious attacks such as Fragmented UDP, HTTP vulnerabilities, and TCP SYN floods.
• Supports Flexible Configuration in the Cisco Security Manager to push configuration files to switches
Improves the scalability of IP deployments, allowing high-performing network evolution. Multicast protocols and QoS features optimize triple-play and video delivery over an end-to-end IP architecture.
L2 Switching
• IEEE 802.1Q
• 802.1Q Tunneling
• Layer 2 Protocol Tunneling (L2PT)
• VLAN Translation
802.1Q and L2PT are the service enablers to offer Layer 2 VPNs. By encapsulating subscribers' data frames in a service provider 802.1Q tag and by tunneling subscribers' PDU, 802.1Q tunneling offers Transparent LAN Services (TLS) to scale the number of Metro Ethernet subscribers beyond the 4096 VLAN boundary.
VLAN Translation increases the flexibility of single tagged 802.1Q service by decoupling subscribers' and service providers' VLAN IDs.
• IEEE 802.1D
• IEEE 802.1w
Protocols such as IEEE 802.1D, IEEE 802.1w, and IEEE 802.1s help ensure business continuity by minimizing the network convergence time for time-sensitive applications.
• IEEE 802.1s
• Flexlink
• Port Aggregation Protocol (PAgP)
• IEEE 802.3ad (LACP)
• Unidirectional Link Detection
Flexlink provides fast failover over point-to-point connections, without the overhead of control protocols.
PAgP and IEEE 802.3ad increase bandwidth availability and provide fast link failover within the Cisco EtherChannel bundle.
Unidirectional Link Detection (UDLD) increases the network reliability by quickly detecting unidirectional links or misplaced fiber connectors.
• Cisco Discovery Protocol
• VLAN Trunk Protocol (VTP)
Cisco Discovery Protocol and VTP ease the network and service configuration by detecting peer capability and by propagating the VLAN's information within the service provider network.
DDoS and Spoofing Protection, Intrusion Detection
• DHCP snooping
• Dynamic ARP inspection (DAI)
• CPU rate limiting
• Control Plane Policing
• Hardware enabled NetFlow
• User-based rate limiting
• Unicast Reverse Path Forwarding (uRPF)
• Hardware-based MAC learning
• Cisco Catalyst 6500 IDS and Firewall modules
• Broadcast and multicast suppression
• Port Security on Access, 802.1Q Trunks, and 802.1Q Tunneling ports
Provides local containment of security threats and protects networks against security vulnerabilities, including malicious and inadvertent intrusion.
Trust, Identity, and Data Confidentiality
• Identity-based networking services with IEEE 802.1x
• Network Admission Control
• IPsec support through IPsec SPA and SSC-400
Allows close control over which users can access the network and what privileges they are granted. Identifies posture (or compliance) of the device to help ensure the device can be safely admitted to the network without undue hazard.
Provides confidentiality and integrity for data, voice, and management traffic.
High Availability
• Hot-Swapping of Standby Supervisor Engines
• Layer 2 rapid convergence protocol suite
• Hardware redundancy with subsecond stateful failover (SSO) and Non Stop Forwarding (NSF)
• Generic Online Diagnostics
• Hot Standby Router Protocol (HSRP)
• Virtual Router Redundancy Protocol (VRRP)
• Gateway Load Balancing Protocol (GLBP)
• Fault management:
- Fault detection and troubleshooting
- System health check
- Enhanced memory protection
- Proactive detection and prevention of network Equipment failures using GOLD
Helps ensure business continuity through minimizing network downtime for mission-critical applications.
• Internet Group Management Protocol (IGMP) Querier
• Router-port Group Management Protocol (RGMP)
• Multiprotocol Border Gateway Protocol (MBGP)
• Multicast Virtual Private Networks (MVPN)
• PIM SM, PIM SSM, and PIM snooping
• IGMP Versions 1, 2, and 3
Enables efficient video broadcasting, e-learning, and information sharing.
Slot Efficiency and Backward Compatibility
Eight Gigabit Ethernet SFP-based ports or two10-Gigabit Ethernet XENPAK-based ports
Increases uplink density and saves slots to deploy integrated service modules or higher-density chassis. In addition to the uplinks, each supervisor provides a copper 10/100/1000 uplink.
Support for all Cisco Catalyst 6500 classic and Cisco Express Forwarding 256-based modules and relevant services modules; support for all Cisco Catalyst 6500 Series chassis
Allows deployment of new advanced services on existing equipment, prolonging the deployment lifetime of interface modules and providing greater return on investment.
Advanced Quality of Service (QoS)
• Packet classification, marking, and congestion avoidance based on Layer 2-4 header information
• User-based rate limiting enforces any of 64 policy rates, maintaining service-level agreements on a per-user basis independent of traffic type or IP address
• QoS scheduling rules with thresholds can be configured in the switch for multiple receive and transmit queues
Superior traffic management enables efficient handling of converged networks that carry a mix of mission-critical, time-sensitive, and bandwidth-intensive multimedia applications.
• Priority Queue
• Shaped Round Robin (SRR)
• Deficit Weighted Round Robin (DWRR)
• Weighted Random Early Detection (WRED)
• Egress Policing
Intelligent queuing mechanism helps ensure that the highest-priority data is serviced ahead of other traffic.
Congestion avoidance and scheduling algorithms help regulate traffic and prevent network congestion. SRR enhances the scheduling algorithm by shaping the traffic that egresses each queue.
MPLS
• Ethernet over MPLS (EoMPLS)
• EoMPLS VC Type 4 and VC Type 5
• MPLS VPNs (RFC4364/RFC2547bis)
• MPLS Traffic Engineering (MPLS TE)
• MPLS Fast Reroute (MPLS FRR)
Enhanced MPLS service flexibility allowing Layer 2 and Layer 3 services integration on the same platform.
Advanced Layer 2-4 Services
• Hardware-enabled GRE tunnels for IP traffic
• NAT-Translates addresses for inbound and outbound traffic in hardware, allowing clean separation between internal and external networks
Advanced Layer 2-4 forwarding enables service providers and enterprises to build feature-rich networks.
