Guest

Cisco Services Modules

Cisco Catalyst 6500 Series Service Modules Family

Hierarchical Navigation

Downloads

Solution Overview

Continued Innovation Reduces Total Cost of Ownership

EXECUTIVE SUMMARY

Laying the right foundation for cost-effective, scalable technology innovation is essential for anticipating challenges and changes in today's competitive business environment. The Cisco® Catalyst® 6500 Series Switch unites a high-performance platform with industry-leading Layer 2-3 features and functionality and a flexible, adaptable integrated service module architecture. The modular design not only supports today's advanced services, it will take full advantage of future technology advancements.

CHALLENGE

Enterprise networks have become overly complex as discrete systems supporting new technologies and applications are bolted on to the basic infrastructure over time. This unwieldy retrofit approach compounds IT support loads and operational costs. Network managers are looking for alternative ways to address the challenges of network complexity and reduce the total cost of ownership (TCO) as they plan for network upgrades and technology refresh. Their goals include:

Simplifying network infrastructure-Organizations today have limited resources to keep pace with growing business application requirements. As a result, network managers must find ways to implement value-added services without adding to management complexity and overhead.

Maximizing return on network investment-To compete in a global market, organizations are under pressure to operate on leaner budgets while improving productivity. IT staffs must find ways to improve staff efficiency and get the most value from their network investment.

Implementing pervasive security-Greater network reach and access increase the risk of external and internal threats to an organization's operations and intellectual property. In addition, new laws require organizations to protect and preserve sensitive financial and personnel information and communications. Network managers must be able to provide stronger, more integrated protection at all levels of the network to ensure that valuable data is protected and that business operations will survive disruptions and attacks.

Taking advantage of services innovation-Organizations need innovative, real-time collaborative applications and communications tools to successfully compete in a rapidly shifting business climate. These new applications require more performance, quality of service (QoS), and application integration capabilities from their network. Network managers must be able to quickly deploy new and emerging technologies, and provide greater access to these advanced applications, regardless of user location.

SOLUTION

Cisco Systems® addresses the challenge of reducing network complexity with the Cisco Catalyst 6500 Series Switch. As shown in Figure 1, the switch family offers models designed for diverse network-wide deployments, from the data center to the wiring closet, in medium-sized and large enterprise and service provider networks.

Figure 1. Cisco Catalyst 6500 Series Switches with Integrated Service Modules

The Catalyst 6500 Series offers a wide range of integrated service modules on a single networking platform. These service modules add Layer 4-7 functionality to the existing Layer 2-3 capabilities of the switch, transforming the Catalyst 6500 Series into a fully functional Layer 2-7 device. The integrated service modules use the high-speed switching backplane and intelligent networking capabilities to:

• Provide local, remote, and wireless users with transparent access to resources

• Optimize capacity and bandwidth to manage multiple advanced bandwidth-intensive applications without service degradation

• Protect the network against threats at all levels

• Deliver network- and application-level services on every port

Cisco continues to develop new integrated service modules to respond to customer needs and technology advancements. Table 1 lists some of the most popular current service modules for the Catalyst 6500 Series Switch.

Table 1. Cisco Catalyst 6500 Service Modules

Service Module Name

Description and Benefits

APPLICATION NETWORKING

Application Control Engine (ACE)

Provides new levels of control over the way applications and business services are deployed, operated, delivered, secured, and managed. Virtual partitioning and hierarchical management domains with role-based access control capabilities centralize control while decentralizing management for complex enterprise or service provider environments.

Application-Oriented Networking (AON) Module

Embeds application intelligence into the network to better meet the underlying needs of applications for real-time visibility, security, and event-based messaging. Helps enable the network to understand application messages (such as purchase orders, delivery notices, or stock trades) and apply policies for routing, transformation, and security.

IP COMMUNICATIONS

Communication Media Module (CMM)

Connects the existing time-division multiplexing (TDM) network to an organization's IP communications network, to provide connectivity to the public switched telephone network (PSTN), and enable conferencing and transcoding services.

NETWORK MONITORING

Network Analysis Module (NAM -1, NAM-2)

Detects what applications are running on the network and how they are performing to help manage valuable network resources, plan for changes in resource use, and proactively resolve problems before they affect users.

SECURITY

Firewall Services Module (FWSM)

Integrates high-performance stateful-inspection firewall with application- and protocol-inspection engines into the network infrastructure, allowing any port to operate as a firewall port to prevent unauthorized access from outside users, and controlling which outside resources can be accessed by internal users.

Intrusion Detection System Services Module (IDSM-2)

Safeguards organizations from costly and debilitating network threats, such as malicious Internet worms, denial-of-service (DoS) attacks, and e-business application attacks.

IP Security (IPsec) VPN Shared Port Adapter (IPsec VPN SPA)

Securely and reliably transports virtually any type of network traffic over the Internet-including multicast and IP telephony-to supply remote offices or individual users with secure access to network resources and services.

Secure Sockets Layer (SSL) VPN Service Module (also known as WebVPN Service Module)

Provides easy access to a broad range of Web resources and applications from almost any computer that can reach Secure HTTP (HTTPS) Internet sites. SSL VPN support creates secure, end-to-end, private connections over the Internet.

Traffic Anomaly Detector Module (ADM)

Anomaly Guard Module (AGM)

Work together to protect against distributed-denial-of-service (DDoS) and other network attacks by detecting, diverting, isolating, and removing malicious attack flows without affecting legitimate transactions.

WIRELESS

Wireless Services Module (WiSM)

Delivers centralized security policies, wireless intrusion prevention system (IPS) capabilities, RF management, quality of service (QoS), and Layer 3 fast secure roaming for wireless LANs.

BUSINESS BENEFITS

The following sections explain how the Cisco Catalyst 6500 Series integrated service modules help organizations address the challenges of simplification, maximum return on investment, security, and technology innovations. Each benefit section notes a few examples from selected modules, but all modules have multiple features that serve these needs.

Simplifying the Network Infrastructure

With the innovative Cisco integrated service modules, network managers can deploy a broad range of LAN and WAN interfaces, security services, and content and network analysis services within the same platform. The modules are designed to take full advantage of the functionality and intelligence of the Catalyst 6500 Series platform.
The integrated service module architecture simplifies infrastructure complexity through system and services integration, network virtualization, and simplified management and high availability.

Integration-System integration takes advantage of shared functionality and collaborative processes between the switch and service modules. For example:

– The Cisco FWSM enforces communication policies between VLANs and private VLANs and external interfaces.

– The Cisco ACE supports bidirectional content inspection, SSL encryption and decryption, and transaction logging to provide rich levels of application and network security.

– As illustrated in Figure 2, the Cisco NAM offers a diverse set of traffic-analysis capabilities to strengthen network integrity by analyzing traffic types and their resource usage, helping network administrators to plan and manage the secure growth of networks, services, and applications.

Figure 2. Cisco Catalyst 6500 NAM Application Response Time Monitoring

Virtualization-This capability allows network managers to configure, deploy, and manage services as if they were separate devices or subnets. For example:

– The Cisco ACE supports virtual partitioning to segment and isolate resources and define levels of service for up to 250 different business organizations, applications, or customers and partners, eliminating the need for multiple standalone devices.

– Acting as a network interception point for all application traffic, the Cisco AON module can configure each node as a virtual sensor to capture, process, and log highly granular information about application messages.

– The Cisco FWSM delivers multiple virtual firewalls (up to 250) on one physical hardware platform, allowing service providers and large enterprises to implement policies for different customers or functional areas over the same physical infrastructure.

High availability-Platform design characteristics such as Cisco IOS® Software modularity, which allows subsystems to run as independent processes, and redundancy in critical hardware components minimize downtime. For example:

– The Cisco IPsec VPN SPA offers blade-to-blade active stateful failover with two blades in the same chassis slot.

– The Cisco WiSM automatically adjusts power and traffic to adjacent lightweight access points to sustain wireless network operation in the event of a failed access point.

– The Survivable Remote Site Telephony (SRST) feature in the Cisco CMM increases network resiliency by managing temporary connections for Cisco IP phones when a connection to a Cisco CallManager device is unavailable.

More importantly, all Service Modules installed within the Catalyst 6500 chassis, benefit from platform resiliency features as well as system configurations (dual SUPs, dual Power supplies), all without the need for additional cabling nor installation and management of redundant, standalone equipment. This establishes a highly available services network, one that is free of complicated wiring interconnections between lots of standalone devices.

Maximizing Return on Network Investment

An investment made in the Cisco Catalyst 6500 Series platform several years ago still pays dividends today and will continue to in the future as the platform expands in performance, scalability, and functionality. Network managers benefit in several ways:

Reduced TCO-Network managers can incorporate new capabilities simply by adding specific service modules to the switch chassis.

– Service consolidation eliminates the need to purchase, track, maintain, and manage separate specialized devices.

– The integrated solution also avoids the added expense and effort of redesigning or overhauling the network to incorporate new technologies and services. It also capitalizes on administrator expertise managing the existing infrastructure to quickly deliver new services.

– Compared to a fleet of disparate, standalone devices, the deployment of a single chassis with integrated service module requires less rack space, power and cabling, reducing overall environmental costs.

Lower Operational Expenditures through simplified management and maintenance-The integrated service modules are managed and controlled through a common Cisco IOS management interface, which simplifies management and troubleshooting, and reduces training and staffing costs. For example:

– Using the Cisco NAM's embedded Web-based interface, network managers can quickly access easy-to-read performance reports on data, voice, and video traffic at any time from any desktop.

– The Cisco NAM offers centralized LAN and WAN traffic visibility to broaden network and application monitoring. Using the switch's Encapsulated Remote SPAN (ERSPAN) feature, network managers can troubleshoot "hot spots" in remote areas of the network without having to send personnel offsite.

– The Cisco CMM functions as a high-density, high-performance VoIP gateway to the PSTN, existing PBXs, traditional analog devices, and network-based media services, supporting T1, E1, foreign exchange station (FXS), scheduled and unscheduled conferencing, media termination point (MTP), and transcoding functions through one convenient management interface.

Deploying Pervasive Security

Cisco Catalyst 6500 Series integrated service modules take a multi-vector approach to threat identification, traffic analysis, and encryption protection. Every port is a security port within the platform. The result is a comprehensive, solid WAN and LAN defense that can adapt to new threats at multiple layers as they arise. This integrated security approach offers important additional advantages over disparate systems:

Broad protection suite-VPN, firewall, intrusion detection, and DDoS protection. Service modules protect users and network resources across the entire extended enterprise-wired, wireless, remote, mobile-without expensive equipment overhaul or network alteration. For example:

– SSL and next-generation Transport Layer Security (TLS) protocols in the Cisco WebVPN Services Module securely connect remote users to specific, supported internal resources configured at a central site. The module supports clientless, thin-client, and SSL tunneling client access methods to support a range of wireless devices and manage the appropriate level of application access.

– The Cisco FWSM, WebVPN Services Module, IPsec VPN SPA, and IDSM-2 easily extend firewall, intrusion detection, and secure Internet access capabilities to every port on the switch.

– The Cisco IDSM-2 provides dynamic signatures to identify, monitor, and stop malware attacks, worms, and viruses.

End-to end-security-System integration takes advantage of the shared functionality and collaborative processes between modules, as well as the security capabilities of the switch to increase operating efficiency and strengthen protection at all layers of the enterprise network. Examples include:

– The Cisco FWSM works together with the Cisco IDSM-2 Services Module to identify and prevent malicious traffic from propagating; it works with the Cisco IPsec VPN SPA to provide firewall policies per VPN tunnel.

Advanced application protection-Service modules also use the high-speed, QoS, and traffic management capabilities and intelligence of the Catalyst 6500 Series platform to provide comprehensive application protection. For example:

– The Cisco FWSM delivers strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4 to 7, supplying market-leading protection to VoIP, multimedia, instant messaging, and peer-to-peer applications.

– The Cisco IPsec VPN SPA delivers advanced site-to-site and remote access encryption over LAN and WAN interfaces using Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES), the latest standard demanded by government agencies and leading financial institutions.

– The Cisco Traffic ADM and AGM use a unique, patented multi-verification process (MVP) architecture, the latest in behavioral analysis and attack-recognition technology, to proactively detect and mitigate DDoS attacks on Web, e-mail, and DNS servers, and the Session Initiation Protocol (SIP) VoIP infrastructure.

Taking Advantage of Service Innovation

Since its introduction, the Catalyst 6500 Series Switch has kept pace with industry advancements through service module innovations. Recent innovations focus on scalability and performance, multilayer capabilities and intelligence, and service convergence.

• Industry-leading scalability and performance-The integrated service modules take full advantage of the switching platform's 720-Gbps performance, high port densities, and low latency. For example:

– The Cisco ACE can manage large-scale operations with its 16-Gigabit throughput and 345,000 sustained connections-per-second capacity. Unique WAN latency and bandwidth reduction capabilities speed end-user response times across the network.

– The Cisco IPsec VPN SPA provides 2.47-Gbps encrypted throughput per blade and up to 25 Gbps per chassis. It supports up to 8000 simultaneous VPN tunnels and up to 100 tunnel connections per second.

– The Cisco Traffic ADM and AGM high-speed filtering engines support a 1-Gigabit interface, 1.5 million concurrent connections, 150,000 dynamic filters, and less than 1-millisecond (ms) latency to detect, divert, isolate, and remove malicious attack flows without affecting legitimate transactions.

Multilayer capabilities and intelligence-The integrated service modules are designed to make the most of the switching platform's advanced Layer 4-7 load balancing and Layer 2-3 switching and routing capabilities such as QoS traffic prioritization, multicast traffic delivery, and content switching.

– The Cisco IDSM-2 protects the network through Layer 2-7 traffic inspection using multiple detection techniques: anomaly detection, vulnerability and exploit signatures, stateful pattern matching, heuristic and protocol or traffic anomaly detection, and host intrusion prevention collaboration.

– The Cisco FWSM delivers strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7 for VoIP, multimedia, instant messaging, and peer-to-peer applications.

– Operating at the application layer, the Cisco AON module provides a high degree of flexibility in the intelligent message-routing capabilities of the switch.

Service convergence-The unique interaction of the integrated service modules bolster network performance, enhance application and security services, and expand monitoring, reporting, and configuration capabilities.

– Used with the Cisco IDSM-2, IPsec VPN SPA, and WebVPN Services Module, the Cisco FWSM prevents Internet-edge attacks and integrates VPN services; used with the Cisco ACE, the Cisco FWSM protects and optimizes applications for data center resources.

– The Cisco IPsec VPN SPA and WebVPN Services Module combine to offer both IPsec and SSL VPN remote access aggregation in a single integrated platform.

WHY CISCO

Some networking vendors offer discrete point products that can create interoperability, scalability, and integration problems in the long term. Cisco takes a more unified approach, offering functionally integrated, advanced network and application services that help make businesses run more smoothly, cost-effectively, and productively.
The Cisco Catalyst 6500 Series recently earned the distinction, "Most Successful Networking Product," by Cisco in April, 2006 by generating the highest revenue of any product in the industry. What makes this product so successful? Its modular design and continued services innovation deliver tangible business benefits to enterprises.
The distinctive Cisco Catalyst 6500 Series with its integrated service module approach engineers centralized intelligence, security, and management within the network infrastructure. This cohesive network solution creates more efficient and innovative business operations: network managers can rapidly deploy new productivity applications, respond more quickly to emerging network threats, and take advantage of new technologies and business opportunities.

FOR MORE INFORMATION

For more information about the Cisco Catalyst 6500 Series Switch and Cisco integrated service modules, visit http://www.cisco.com/go/catalyst6500 or the following Websites, or contact your local account representative.
Cisco Catalyst 6500 Series Network Analysis Module (NAM-1, NAM-2) http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5025/index.html or http://www.cisco.com/go/nam
Cisco Catalyst 6500 Series Application Control Engine (ACE) http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html
Cisco Catalyst 6500 Series Application-Oriented Networking (AON) Module http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet0900aecd802c1fe9.html
Cisco Catalyst 6500 Series Firewall Services Module (FWSM) http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps5058/product_data_sheet09186a00801e55dd.html
Cisco Catalyst 6500 Series IPsec VPN Shared Port Adapter (IPsec VPN SPA) http://www.cisco.com/en/US/products/ps6267/products_data_sheet0900aecd8027cbb2.html
Cisco Catalyst 6500 Series Traffic Anomaly Detector Module (ADM) and Anomaly Guard Module (AGM) http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet0900aecd80220a6e.html
Cisco Catalyst 6500 Series WebVPN Services Module http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet0900aecd802aff73.html
Cisco Catalyst 6500 Wireless Services Module (WiSM) http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6526/product_data_sheet0900aecd80364340.html