Cisco Catalyst 6500 Series Switches

Cisco Catalyst 6500 Supervisor Engine 32 Programmable Intelligent Services Accelerator

Product and Architecture Overview

Q. What is the Cisco® Catalyst® 6500 Supervisor Engine 32 Programmable Intelligent Services Accelerator (PISA)?
A. The Supervisor Engine 32 PISA is an intelligent services supervisor for the Cisco Catalyst 6500 Series modular switches, delivering superior deep packet inspection, application awareness, security, availability, and manageability services for the networks of small and medium-sized businesses, enterprises, and service providers.

The PISA on the Cisco Catalyst 6500 Series Supervisor Engine 32 PISA provides hardware acceleration of intelligent services such as network-based application recognition (NBAR) and flexible packet matching (FPM) at multigigabit speeds, in addition to the management and control plane functions traditionally provided by the multilayer switch feature card (MSFC). The Supervisor Engine 32 PISA is offered with the Policy Feature Card 3B (PFC3B) to help ensure feature and performance compatibility with the Cisco Catalyst 6500 Supervisor Engine 32.

Q. Where can I deploy the Supervisor Engine 32 PISA?
A. This supervisor engine is ideal for securing campus access networks, converged services, MAN/WAN applications, and small/medium backbone functions.
Q. What different uplink options are available on the Supervisor Engine 32 PISA?
A. The Supervisor Engine 32 PISA is available in two options:

• Supervisor Engine 32 PISA with eight Gigabit Ethernet uplinks plus one 10/100/1000 port

• Supervisor Engine 32 PISA with two 10 Gigabit Ethernet uplinks plus one 10/100/1000 port

Q. Is the PISA available as a daughter card upgrade on the Supervisor Engine 32?
A. No. The PISA is only available in the form of two new supervisor engine options on the Cisco Catalyst 6500.
Q. What is the difference between the MSFC2A and the PISA?
A. The PISA is a superset of the MSFC2A. The PISA provides all the management and control plane functions traditionally provided by the MSFC2A. In addition, it provides hardware acceleration of intelligent services such as NBAR and FPM at multigigabit speeds. The PISA also offers a stronger control plane CPU and a larger default memory configuration, with 1 GB of default route processor memory (compared to 512 MB in the MSFC2A) and 256 MB of internal bootflash (compared to 64 MB in the MSFC2A). These allow the PISA to deliver more scalable control plane services and leave more memory and CPU headroom for future needs.
Q. Does the Supervisor Engine 32 PISA support all the hardware features supported on the Supervisor Engine 32?
A. Yes. The Supervisor Engine 32 PISA is offered with the PFC3B, delivering the same features and services available on the Supervisor Engine 32.
Q. What are the architectural capabilities of the PISA on the Supervisor Engine 32 PISA?
A. The Supervisor Engine 32 PISA enables integration of high-performance, programmable deep packet inspection capabilities for application-aware services. The architecture enables multiple such services to operate in parallel at multigigabit speeds. Additionally, the architecture integrates a high-performance hardware-based Advanced Encryption Standard (AES) encryption engine to potentially support next-generation Layer 2 through 7 services that require multigigabit encryption in the future.
Q. What are the sizes of the default DRAM and flash memory on the Supervisor Engine 32 PISA?
A. Table 1 shows the DRAM sizes.

Table 1. DRAM Sizes

 

|           | Switch Processor | Route Processor |
|-----------|------------------|-----------------|
| DRAM      | 512 MB           | 1 GB            |
| BootFlash | 512 MB           | 256 MB          |

Q. Does the Supervisor Engine 32 PISA support compact flash removable storage?
A. Yes, the Supervisor Engine 32 PISA has a single external compact flash slot, which can take a 256-MB, 512-MB, or 1-GB compact flash card.
Q. What line cards are supported with the Supervisor Engine 32 PISA?
A. All classic line cards and all CEF256 line cards (without a DFC) are supported with the Supervisor Engine 32 PISA.
Q. What WAN interfaces are supported with the Supervisor Engine 32 PISA?
A. The Supervisor Engine 32 PISA supports the enhanced FlexWAN module and the shared port adapter (SPA) interface processors (SIPs) along with the associated SPAs already supported with the Supervisor Engine 32 in Cisco IOS® Software Release 12.2(18)SXF. For the most recent information, refer to the software release notes.
Q. What service modules are supported with the Supervisor Engine 32 PISA?
A. The Supervisor Engine 32 PISA supports the firewall services module (FWSM), intrusion detection services module (IDSM2), IP Security (IPsec) SPA, and network analysis module (NAM).
Q. Can two Supervisor Engine 32 boards be used in a high-availability configuration?
A. Yes. The Supervisor Engine 32 PISA supports nonstop forwarding/stateful switchover (NSF/SSO) on the uplinks on the active as well as the standby supervisor. To support high availability, the same type of supervisor should be used in both positions on the Cisco Catalyst 6500.
Q. Is NBAR and FPM functionality on the Supervisor Engine 32 PISA SSO aware?
A. NBAR is not SSO aware in the initial Supervisor Engine 32 software release. However, SSO awareness for NBAR is planned for a subsequent release. Since FPM is a stateless feature, SSO awareness does not apply to this functionality.

Services and Scalability Overview

Q. What is the hardware acceleration performance of intelligent services such as NBAR and FPM on the PISA?
A. The PISA is capable of accelerating intelligent services such as NBAR and FPM up to 2-Gbps speed, which is optimal for standard campus access networks of typical enterprises using a pair of Gigabit Ethernet Small Form-Factor Pluggable (SFP) uplinks to each distribution layer switch. The PISA also provides support for OC48/STM16 interfaces for WAN/MAN deployments. Cisco IOS Software Release 12.2(18)ZYA will provide the capability to define "interesting" traffic that can be redirected to the PISA for acceleration, essentially allowing these networks to operate at multigigabit speeds.
Q. What do I need to do in order to get maximum services acceleration performance on the Supervisor Engine 32 PISA?
A. In order to obtain maximum performance, up to two external gigabit uplinks on the Supervisor Engine 32 PISA need to be converted into a dedicated PISA channel interface.
Q. How deep can packets be inspected for intelligent services such as NBAR and FPM on the PISA?
A. FPM and NBAR can look as far as 4 KB into the packet. NBAR custom policies are restricted to 256 bytes into the packet.
Q. Are jumbo frames supported for NBAR and FPM on the Supervisor Engine 32 PISA?
A. Jumbo frames are supported with the Supervisor Engine 32 PISA. The initial release will allow frames of up to 4 KB to be inspected.
Q. What are the deep packet inspection and application policy scalability limits for NBAR on the PISA?
A. Table 2 provides the deep packet inspection and application policy scalability limits for NBAR on the PISA.

Table 2. NBAR Scalability Limits

| NBAR Measurements | NBAR Scalability Limit |
|---|---|
| Stateful | Yes |
| Maximum throughput | 2 Gbps |
| Supports Layer 3 IPv4 packets | Yes |
| Current number of NBAR Protocol Definition Language Module (PDLM) supported | 90+ |
| Supports regular expressions | Yes (only for PDLM) |
| Maximum regular expressions search window | 32 bytes |
| Maximum number of classes | 32 |
| Maximum number of matches per class | 8 |
| Maximum number of policies | 1024 |
| Maximum number of interfaces | 1024 |
| Supports custom policies with match at an offset | Yes (TCP and User Datagram Protocol [UDP] packets only) |
| Custom policies (how far into payload) | 256 bytes into the payload |

Q. What are the deep packet inspection and application policy scalability limits for FPM on the PISA?
A. Table 3 provides the deep packet inspection and application policy scalability limits for FPM on the PISA.

Table 3. FPM Scalability Limits

| FPM Measurements | FPM Scalability Limit |
|---|---|
| Stateful | No |
| Maximum packet inspection depth | 4 KB into payload (up to jumbo frames) |
| Maximum throughput | 2 Gbps |
| Supports Layer 3 IPv4 packets | Yes (only Layer 3 IPv4 packets) |
| Supports custom protocol header definition | Yes (CLI and Extensible Markup Language [XML]) |
| Supports custom classification description file | Yes (CLI and XML) |
| Policy map actions supported | Permit, drop, log, redirect (after Release 12.2(18)ZYA) |
| Supports custom policies with match at an offset | Yes |
| Maximum pattern size | 4 bytes |
| Supports regular expressions | Yes (up to 48) |
| Maximum number of bytes matched in a row by regular expressions | 32 bytes, increased to 128 bytes in Release 12.2(18)ZYA |
| Maximum number of classes | 32 |
| Maximum number of matches per class | 8 |
| Maximum number of policies | 1024 |
| Maximum number of interfaces | 1024 |
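
A planned FPM policy can be checked against the Table 3 limits before deployment, so that a signature the platform cannot enforce is caught at design time. The following is an added example, not Cisco code or configuration syntax; the policy layout, the reading of 4 KB as 4096 bytes, offsets counted from the start of the inspected region, and the splitting of a signature longer than 4 bytes into 4-byte chunks that each use one match are assumptions made for illustration.

```python
from math import ceil

# Limits taken from Table 3; "4 KB" is read as 4096 bytes (assumption).
LIMITS = {"depth": 4096, "pattern": 4, "classes": 32, "matches_per_class": 8}

# Constructed sample plan: class name -> list of (offset, fixed byte pattern).
# This layout is hypothetical and is not FPM CLI or XML syntax.
SAMPLE_POLICY = {"classes": {
    "fits": [(40, bytes.fromhex("deadbeef")), (4092, b"\x00\x01\x02\x03")],
    "too-long": [(64, bytes(36))],              # 36 bytes -> 9 chunks of 4
    "too-deep": [(4094, b"\xaa\xbb\xcc\xdd")],  # last byte is at index 4097
}}


def lint_policy(policy, limits=LIMITS):
    """Return findings for a planned policy; an empty list means it fits."""
    findings = []
    classes = policy["classes"]
    if len(classes) > limits["classes"]:
        findings.append(
            f"policy: {len(classes)} classes exceeds {limits['classes']}")
    for name, signatures in classes.items():
        matches = 0
        for offset, pattern in signatures:
            # Assumption: each chunk of up to 4 bytes costs one match.
            matches += ceil(len(pattern) / limits["pattern"])
            end = offset + len(pattern)
            if end > limits["depth"]:
                findings.append(
                    f"{name}: bytes {offset}-{end - 1} lie beyond "
                    f"inspection depth {limits['depth']}")
        if matches > limits["matches_per_class"]:
            findings.append(
                f"{name}: needs {matches} matches, "
                f"limit is {limits['matches_per_class']}")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Under these assumptions, a single class can cover at most 8 x 4 = 32 bytes of fixed pattern, so longer signatures have to be shortened or handled by another control.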

Q. How does the system decide if a packet needs to be hardware accelerated by the PISA?
A. The decision to send traffic to the PISA is primarily based on whether intelligent services such as NBAR and FPM are configured on an interface. If either of these features is configured, traffic is redirected to the PISA for deep packet inspection; otherwise it flows through the regular PFC data path. From Release 12.2(18)ZYA, switch administrators have an option to define "interesting" traffic to be redirected to the PISA for deep packet inspection. This way, only a desirable subset of traffic on NBAR- or FPM-enabled interfaces is subject to PISA inspection.
Q. Where do I go to download NBAR PDLMs for the Supervisor Engine 32 PISA?
A. To download NBAR PDLMs for the Supervisor Engine 32 PISA, go to http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm.
Q. How do I know which protocols/applications are supported with NBAR on the Supervisor Engine 32 PISA?
A. The Supervisor Engine 32 PISA data sheet lists the protocols/applications supported with NBAR. To access the Supervisor Engine 32 data sheet, go to http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheets_list.html.
Q. Where can I download FPM PHDF files for the Supervisor Engine 32 PISA?
Q. What type of interfaces can have FPM and NBAR policies applied to them on the Supervisor Engine 32 PISA?
A. FPM and NBAR policies can be applied on any Layer 3 LAN port (routed ports, SVIs, EtherChannel® ports). They cannot be applied to WAN interfaces or Multiprotocol Label Switching (MPLS) VPN/tunnel interfaces. From Release 12.2(18)ZYA, FPM and NBAR policies can also be applied to Layer 2 LAN ports (access ports, trunk ports, Layer 2 VLANs, and EtherChannel ports).
Q. Which features are incompatible when NBAR or FPM is configured on an interface on the Supervisor Engine 32 PISA?
A. Microflow policing is not supported with FPM or NBAR on a given interface.
Q. Where can I find more information about FPM and NBAR?
Q. Can I use the Supervisor Engine 32 PISA to look into HTTP traffic and block undesired Websites?
A. Yes. From Release 12.2(18)ZYA, the PISA URL filtering service allows enterprises to enforce Internet usage policy by checking users' Internet requests against a URL policy server provided by WebSense Inc. This helps enterprises improve employee productivity, conserve network bandwidth, and mitigate legal liability.
Q. Does the Cisco Catalyst 6500 Series Supervisor Engine 32 PISA support Cisco enhanced Power over Ethernet (PoE)?
A. Yes. From Release 12.2(18)ZYA, the Cisco Catalyst 6500 Series Supervisor Engine 32 PISA will support Cisco enhanced PoE and Cisco Aironet® 1250 Series Access Points that utilize this technology.
Q. Can the PISA application intelligence service be used by other Cisco networking products?
A. Yes. Release 12.2(18)ZYA delivers software integration between the Cisco Aironet 1250 Series Access Point and the Cisco Catalyst 6500 Series Firewall Services Module (FWSM). This integration allows the FWSM to define an enhanced application-based access control policy by using the stateful application classification information provided by the Supervisor Engine 32 PISA. The Supervisor Engine 32 PISA recognizes applications at the campus access edge and tags the application information along with the IP packets. The upstream FWSM is then able to apply access control policy based on this application knowledge provided by the PISA.

Software Overview

Q. What images will be supported at first customer ship (FCS) for the Supervisor Engine 32 PISA?
A. Table 4 shows what images will be supported for the Supervisor Engine 32 PISA at FCS. The Supervisor Engine 32 PISA will ship with IP Services as the base software image.

Table 4. Software Options for Supervisor Engine 32 PISA

S3P3IS-12218ZY 

Cisco CAT6000 SU32 PISA IP SERVICES

Includes support for:

• IPv4 routing and services
• NBAR
• FPM

S3P3ISK9-12218ZY 

Cisco CAT6000 SUP32 PISA IP SERVICES SSH 

Includes support for:

• IPv4 routing and services
• NBAR
• FPM

S3P3ESK9-12218ZY

Cisco CAT6000 SUP32 PISA ENTERPRISE SERVICES SSH 

Same functionalities as the IP SERVICES image PLUS:

• Routed protocol support
• Layer 3 IPv6 services

S3P3AIK9-12218ZY

Cisco CAT6000 SUP32 PISA ADVANCED IP SERVICES SSH

Same functionalities as the IP SERVICES image PLUS:

• Advanced MPLS feature set
• Layer 3 IPv6 services

Q. Do Cisco IOS Software modularity images support the Supervisor Engine 32 PISA?
A. Cisco IOS Software modularity images will not support the Supervisor Engine 32 PISA in the initial release. A subsequent release will add this support.
Q. With which Supervisor Engine 32 image does Cisco IOS Software Release 12.2(18)ZY have feature parity?
A. Cisco IOS Software Release 12.2(18)ZY has feature parity with the latest 12.2(18)SXF release.
Q. Does the Supervisor Engine 32 PISA support IPv6, multicast, and MPLS traffic?
A. Yes, the Supervisor Engine 32 PISA does support IPv6, multicast, and MPLS traffic. However, NBAR and FPM support for IPv6, multicast, and MPLS does not exist in the initial release.

Manageability Overview

Q. What relevant MIBs are supported with the Supervisor Engine 32 PISA?
A. The following are supported:

CISCO-NBAR-PROTOCOL-DISCOVERY-MIB: Provides the ability to retrieve NBAR protocol discovery statistics using Simple Network Management Protocol (SNMP) into a central performance monitoring system.

CISCO-CLASS-BASED-QOS-MIB: Provides read access to quality-of-service (QoS) configurations. It also provides QoS statistics information based on the modular QoS CLI, including information regarding class map and policy map parameters.

Q. What provisioning and monitoring tools are available for NBAR support on the Supervisor Engine 32 PISA?
A. The QoS Policy Manager (QPM) can be used for provisioning and monitoring NBAR on the Supervisor Engine 32 PISA. In addition, NBAR monitoring is supported by Cisco QoS partners such as NetQoS, AdventNet, Computer Associates, InfoVista, and Micromuse. From Release 12.2(18)ZYA, NBAR is integrated with NetFlow to allow application monitoring using NetFlow export in the standard NetFlow v9 format.
Q. What provisioning and monitoring tools are available for FPM support on the Supervisor Engine 32 PISA?
A. FPM provisioning can be managed through the flexible configuration option on the Cisco Security Manager. A future release of Cisco Security Manager will support FPM policy management and monitoring on the Supervisor Engine 32 PISA.