BY GAIL MEREDITH

Snapshot: Cisco continues to drive technology innovation through ongoing developments of important Intelligent Switching capabilities for its entire Catalyst® product family. Recent enhancements to Cisco's switching portfolio include the new Catalyst 4500 Series that enables resilience and control for converged networks. There also have been a number of valuable security enhancements to the Catalyst 6500, 3550, and 2950 Series switches. All of these new products and security enhancements combine to give network administrators greater functionality, performance, and overall smarter choices for their business.
Keywords: Cisco Catalyst 4500 Series, Cisco Catalyst 6500 Series, Cisco Catalyst 2950 and 3550 Series, Intelligent Switching, security
"Integrated Network Security" Tech Talk Webcast (through March 18, 2003)
The foundation of intelligent, converged networking is Cisco AVVID (Architecture for Voice, Video and Integrated Data). A component of Cisco AVVID is Cisco Intelligent Switching, which provides intelligent services across a full line of Cisco Catalyst® Series switches. Enabling business-critical solutions and functionality such as voice, security, storage-area networking, and user mobility via seamless integration to wireless networks, the portfolio of Cisco Catalyst Series Intelligent switches offers a proven range of increasing functionality, port densities, and configurations to accommodate diverse and demanding network requirements. "Cisco is elevating its discussion beyond 'speeds and feeds' toward the actual business problems that solutions are solving," says Chris Kozup, senior research analyst at META Group. "This higher-level conversation resonates with enterprise customers because they are focusing on business-level problems such as security, high availability, and user mobility."
Intelligent Switching anticipates what is happening in the enterprise, where network managers are feeling the pressure of powerful new desktop computers and servers, bandwidth-intensive applications, and devices such as IP phones and wireless access points. Intelligent Switching balances the distinct requirements of each network segment and traffic type with innovative hardware integration and proven QoS mechanisms of Cisco IOS® Software, which enables the classification and marking of traffic priority at the network edge, even in the smallest Catalyst switch. Next, integrated security features and services modules make internal vigilance much easier and faster, helping network managers contain security threats wherever they may occur. In addition, Intelligent Switching enables strong business resilience through high-availability features that help keep the network up, ensure no single point of failure along critical pathways, and provide a quick resolution from network failures. What's more, the Cisco Catalyst Series can support massive bandwidth growth in the enterprise with support for high density gigabit and 10 Gigabit Ethernet solutions, along with highly scalable architectures that protect network investments and enable networks to scale and support more bandwidth-intensive applications. Cisco continues to drive technology innovation through ongoing developments of important Intelligent Switching capabilities for its entire Catalyst product family. Recent product enhancements highlight Cisco's commitment to bringing greater degrees of intelligence to the network. For example, recent enhancements to Cisco's switching portfolio include the new Catalyst 4500 Series that enables resilience and control for converged networks. There also have been a number of valuable security enhancements to the Catalyst 6500, 3550, and 2950 Series switches. 
Catalyst 4500 Series Switches

Building on the foundation of the highly successful Cisco Catalyst 4000 Series switches, the new Catalyst 4500 Series brings further control and resilience for converged networks in a flexible, modular chassis. The 4500 Series offers three chassis sizes: the three-slot Catalyst 4503, the six-slot Catalyst 4506, and the seven-slot Catalyst 4507R that supports redundancy. The Catalyst 4500 chassis design addresses many requirements that users have been requesting. The Catalyst 4500 Series leverages a new power supply design that integrates 48-volt DC inline power for IP telephones and wireless access points.

"The sweet spot of the Catalyst 4500 is that it brings performance, resiliency, and a lot of advanced service features into the 500-user site, the right size for our campuses." Bob Denis, Chief Information Officer, Trimble

The chassis also supports two power supplies for 1-plus-1 power redundancy that enables greater network resilience. The Catalyst 4500 supports up to 240 10/100 or 10/100/1000 Ethernet ports for high-density Gigabit Ethernet to desktop deployments. It offers robust capabilities, yet is highly flexible for deployment in enterprise wiring closets, midsized networks, and integrated branch offices providing IP telephony integration and WAN connectivity. Furthermore, the Catalyst 4500 Series continues to set the standard for midrange, modular Ethernet switches by delivering predictable, wirespeed performance with a great degree of scalability and flexibility. These attributes enable organizations to take advantage of essential intelligent services such as QoS, advanced security, and management. Based on its scalable architecture and passive chassis design, functionality for all switching modules in the chassis is defined by the Supervisor that is deployed, enabling organizations to preserve much of their technology investments as they add incremental functionality to their network.
"The Catalyst 4500 chassis supports all existing Catalyst 4000 Series line cards, including the Supervisor Engine II for deployments requiring Layer 2 switching and services," says Steven Shalita, senior manager of worldwide product marketing in the Gigabit Switching Unit at Cisco. All services and switching are performed by the Supervisor Engine, allowing for incremental functionality on all existing line cards via a simple Supervisor Engine upgrade. Along with the Catalyst 4500, a new Supervisor Engine was introduced. Building on Supervisor Engine III, Supervisor Engine IV offers wirespeed Layer 2/3/4 switching with QoS, security, multicasting, and voice services enabled. The new Supervisor Engine IV operates in any Catalyst 4500 and is backward-compatible with the Catalyst 4006 chassis. In addition to enabling redundancy in the Catalyst 4507R, Supervisor Engine IV is field upgradable to support a future NetFlow Services Module for NetFlow accounting and services for the entire chassis. The NetFlow Services Module will be available in the first half of 2003. An important capability introduced with the Catalyst 4500 Series is Supervisor redundancy. "Although the concept of Supervisor redundancy isn't new, Catalyst 4507R now enables organizations to deploy resilience everywhere in the network," says Shalita. "As organizations are deploying more business-critical applications like IP telephony, the network is becoming an essential delivery vehicle, and organizations simply cannot afford prolonged downtime. Catalyst 4507R addresses this growing need." With sub-minute failover times for most configurations, Catalyst 4507R addresses availability and minimizes downtime. Leveraging the new functionality and resilience offered by the Catalyst 4500 Series is Trimble, a Sunnyvale, California-based leading innovator and manufacturer of Global Positioning System (GPS) systems and navigational products for surveying, automobile navigation, and other uses.
Trimble needed a converged network to control information technology (IT) costs and support chip design engineers who place heavy demands on the network. Trimble finds the Cisco Catalyst 4500 platform ideal for its midsized network. "Our engineers will burn Gigabit Ethernet ports just looking at you," says Bob Denis, chief information officer at Trimble. Enabling network convergence -- particularly Cisco IP telephony -- helps Trimble keep a tight rein on its IT budget. The IP telephony solution, based on a converged network infrastructure consisting of Catalyst 4500 Series switches, lets Trimble solve its immediate problem of unpredictable Centrex expenses and provide an infrastructure that supports future integrated applications. "It is a huge cost savings opportunity for Trimble, because it allows us to deploy more than basic telephony," says Shawn Wilde, director of IT at Trimble. "We can reduce dependence on outside suppliers for implementations and enhancements. My expectation is that if we continue to grow with Cisco, some of the more exotic telephony features of the future will be available in as timely, or more timely, a manner than their competitors offer."

Catalyst 6500 Security Modules

Three new security modules and an upgraded network management module have been added to the flagship Catalyst 6500 Series switches. Also compatible with Cisco 7600 Series Internet routers, these modules follow the precepts of the Cisco SAFE Blueprint for securing enterprise networks and supplement the Cisco Catalyst 6500 Intrusion Detection System (IDS) Module introduced a year ago. Cisco SAFE recommends multilayered security with a range of solutions that together protect against the widest range of possible attacks.
"With these modules, Cisco is creating a new category of switch: an application services switch that can layer network security services into the network in ways that it wasn't capable of before," says Ben Goldman, director of the Catalyst 6500 Series at Cisco. "The Catalyst 6500 becomes an integrated security and services application-switching environment with much more granular detail about what's happening in a network. We're putting infrastructure and feature sets in place in both the switch and modules to make them work cohesively together." The Firewall Services Module integrates the functionality of a Cisco PIX® Firewall directly into a Catalyst 6500 chassis. This module is the highest-performance rendition of Cisco PIX technology to date, with 5-Gbps throughput per module, monitoring up to 1 million concurrent connections and more than 100,000 connection setups/teardowns per second. No ports reside on the card; it filters traffic crossing the backplane. This feature allows any port on the switch to operate as a firewall port and monitors traffic in as many as 100 virtual LANs (VLANs), even those originating on other Cisco Catalyst Series switches. "The Firewall Services Module brings the additional benefits of being able to use Layer 2 and Layer 3 features like VLAN tagging and QoS, as a result of integration in the Catalyst 6500 Series," says Doug Gourlay, senior manager of product marketing on the Catalyst 6500 marketing team at Cisco. Like the standalone Cisco PIX Firewall Series, the Firewall Services Module supports Adaptive Security Algorithm (ASA), a stateful-inspection engine that inspects traffic integrity. ASA takes source/destination addresses and ports, TCP sequence numbers, and additional TCP flags, hashing the IP header information. Hashing creates a code that uniquely identifies clients that initiate inbound or outbound connections. Why put a firewall inside a switch?
"It reflects the changing role of firewalls in an enterprise network, which faces threats from both inside and outside," says Gourlay. "Enterprises can better implement an internal security strategy that permits or denies internal users access to sensitive applications, servers, or subnets. It also provides an extra layer of protection against insidious attacks such as viruses or Trojan horses by filtering unnecessary internal traffic." The IPSec VPN Services Module allows enterprises to terminate site-to-site virtual private network (VPN) connections at the switch. With faster tunnel setup, 1.9 Gbps of Triple Data Encryption Standard (3DES) encrypted throughput, and supporting up to 8000 connections, this module makes it easier for campuses to deploy secure converged network services such as multicast, IP telephony, and storage-area networks. It includes support for IP Security (IPSec) tunneling and encryption for deployment across shared service provider core networks. Leonard Thompson, LAN/WAN manager at ARRIS, plans to deploy the IPSec VPN Services Module to support business-to-business (B2B) connections with client networks. ARRIS specializes in the design and engineering of broadband local-access networks. As a developer, manufacturer, and supplier of optical transmission, cable telephony and Internet access, and outside plant construction and maintenance equipment for cable system operators, ARRIS currently runs Generic Routing Encapsulation (GRE) tunnels between its external Cisco PIX Firewall and Catalyst 6500 Series Switch. "We're running out of room on the firewall," says Thompson. "We want to use EIGRP [Enhanced Interior Gateway Routing Protocol] across VPN connections in the B2B network. As we add new VPN locations, EIGRP would update the routing tables, making them much cleaner. It's less maintenance for us to use the IPSec VPN Services Module because it would be atop the Layer 3 modules we already have inside our Catalyst 6500 Switch." 
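The stateful-inspection behaviour the article attributes to ASA (a hash of the header tuple identifying each connection, TCP flags driving the connection state, sequence numbers checked against what the engine expects) is easier to see in a small model than in prose. The following is an added illustration written for this page, not Cisco code and not a description of the Firewall Services Module's internals; the inside/outside address split, the single-window sequence tolerance and the sample packets are all constructed assumptions. It forwards only flows opened from the inside, completes them on the responder's SYN+ACK, rejects established-flow packets whose sequence number is far from the expected value, and drops unsolicited inbound connection attempts.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example of a toy stateful inspection engine. Assumptions: a
# single inside prefix, a fixed sequence-number tolerance, and a simplified
# TCP state machine (SYN_SENT -> ESTABLISHED -> closed after both FINs).

WINDOW = 65535  # assumed tolerance for sequence numbers of established flows


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    length: int = 0           # payload bytes carried


def conn_key(src: str, sport: int, dst: str, dport: int) -> str:
    """Hash the header 4-tuple into a short code identifying the initiator's flow."""
    raw = f"{src}:{sport}->{dst}:{dport}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


@dataclass
class Conn:
    state: str                                      # SYN_SENT or ESTABLISHED
    expected: dict = field(default_factory=dict)    # direction -> next seq expected
    fins: set = field(default_factory=set)          # directions that have sent FIN


class StatefulFilter:
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix          # e.g. "10.0.0."
        self.table: dict[str, Conn] = {}

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def inspect(self, p: Packet) -> bool:
        """Return True to forward the packet, False to drop it."""
        fwd = conn_key(p.src, p.sport, p.dst, p.dport)
        rev = conn_key(p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return self._track(fwd, "out", p)       # initiator -> responder
        if rev in self.table:
            return self._track(rev, "in", p)        # responder -> initiator
        # No state yet: only a bare SYN from inside to outside may open a flow.
        if p.flags == frozenset({"SYN"}) and self._inside(p.src) and not self._inside(p.dst):
            self.table[fwd] = Conn("SYN_SENT", {"out": p.seq + 1})
            return True
        return False  # unsolicited inbound attempt or stray packet

    def _track(self, key: str, direction: str, p: Packet) -> bool:
        c = self.table[key]
        if "RST" in p.flags:
            del self.table[key]                     # reset tears the flow down
            return True
        if c.state == "SYN_SENT":
            # Only the responder's SYN+ACK completes the handshake.
            if direction == "in" and p.flags == frozenset({"SYN", "ACK"}):
                c.state = "ESTABLISHED"
                c.expected["in"] = p.seq + 1
                return True
            return False
        # ESTABLISHED: the sequence number must fall near what we expect for this side.
        exp = c.expected.get(direction)
        if exp is not None and not (exp - WINDOW <= p.seq <= exp + WINDOW):
            return False
        c.expected[direction] = p.seq + p.length + (1 if "FIN" in p.flags else 0)
        if "FIN" in p.flags:
            c.fins.add(direction)
            if len(c.fins) == 2:
                del self.table[key]                 # both sides closed; forget the flow
        return True


def demo() -> list:
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter("10.0.0.")
    inside, outside = "10.0.0.5", "198.51.100.7"   # constructed sample addresses
    packets = [
        Packet(inside, 40000, outside, 443, frozenset({"SYN"}), 1000),              # open from inside
        Packet(outside, 443, inside, 40000, frozenset({"SYN", "ACK"}), 5000),       # responder completes
        Packet(inside, 40000, outside, 443, frozenset({"ACK"}), 1001, 100),         # data out
        Packet(outside, 443, inside, 40000, frozenset({"ACK"}), 5001, 200),         # data in
        Packet(outside, 443, inside, 40000, frozenset({"ACK"}), 999999, 10),        # seq far off: dropped
        Packet(outside, 2222, inside, 22, frozenset({"SYN"}), 77),                  # unsolicited inbound: dropped
        Packet(inside, 40000, outside, 443, frozenset({"FIN", "ACK"}), 1101),       # close out
        Packet(outside, 443, inside, 40000, frozenset({"FIN", "ACK"}), 5201),       # close in, state removed
        Packet(outside, 443, inside, 40000, frozenset({"ACK"}), 5202),              # no state left: dropped
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The two hash lookups (initiator tuple and its reverse) are what let a single table entry cover both directions of a flow; a real engine would also age entries out and track windows per side, which this model omits.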
The SSL Services Module offloads processing of Secure Sockets Layer (SSL) encryption and decryption from backend servers to improve server scalability and reduce the cost of data-center management. Running at 300 Mbps and enabling 60,000 concurrent sessions, with a connection setup rate of 3000 transactions per second, the SSL Termination Module gives deterministic performance to server farms, removing some of the many variables involved in troubleshooting. Decrypting SSL requests in the switch enables advanced server load balancing. It improves SSL transaction persistence -- "stickiness" -- by correctly identifying the destination server for each user. SSL transaction persistence is useful in e-commerce sites, where customers fill a shopping cart in cleartext, then convert to an encrypted session for checkout. This feature is equally critical for transaction-based applications such as supply-chain e-procurements and sales force automation. The module also saves money by centrally managing keys and certificates. Last, the new and enhanced Network Analysis Module (NAM) boosts performance over the first-generation NAM with versions supporting 500-Mbps or 1-Gbps performance. It provides application-level remote monitoring (RMON) functions based on RMON2 and other Management Information Bases (MIBs). It analyzes traffic flows for applications, flows, hosts, conversations, and network services such as QoS and voice over IP (VoIP). This intelligence helps network administrators identify application or server errors and reduces network failures through proactive alerts on performance degradation. The new Catalyst 6500 modules represent "a proof point of Cisco's overall higher-level acquisition strategy," says Gourlay. "The new 6500 modules are not just resident within the switch. They are highly integrated. The VPN module uses the IPSec code running in the Multilayer Switch Feature Card. The SSL module integrates with the Content Switching Module." 
Catalyst 3550 and 2950 Series

Midsized companies or enterprise branch offices need protection as much as large campus networks do. With few or no resources at these sites, making security easy to deploy is critical. The stackable, fixed-configuration Cisco Catalyst 3550 and 2950 Series Intelligent Ethernet switches provide security features that meet customer needs as outlined in the Cisco SAFE Blueprint. One of the most pressing needs was secure remote management. These desktop switches now support Simple Network Management Protocol (SNMP) version 3, which can be encrypted. Secure Shell (SSH) support allows Telnet session encryption. These capabilities are required for smaller networks where it is not cost-efficient to build a dedicated, offline management network. Coupled with Cisco Cluster Management Suite (CMS) Software, these enhancements offer a robust, intuitive management interface for smaller networks. Cisco CMS is embedded in the switches for free and is easy to use. For example, Cisco CMS management wizards use a question-and-answer format to configure QoS. "Wizards are ideal in smaller environments because they make seemingly complex features accessible to everyone," says Greg Beach, product manager for the Catalyst 3550 Series in the Desktop Switching Business Unit at Cisco. Another Catalyst 3550 Series enhancement is the addition of port-based, VLAN-based, and router interface-based access control lists (ACLs). "It's valuable to filter traffic at the edge of the network for both security and bandwidth reasons. You don't want unfiltered traffic propagating from the wiring closet into the distribution layer and putting your data at risk," says Beach. These switches also enforce security policy by user identity, with IEEE 802.1x dynamic port-based authentication. Rate limiting protects against denial-of-service attacks.
These and other enhancements equip the Catalyst 3550 and 2950 Series switches for the demands of converged networking, with additional features that support voice, wireless networking, and multicast applications.

Innovating to Compete

The innovative Intelligent Switching features of the Catalyst 6500, 4500, 3550, and 2950 Series demonstrate value to organizations because they enable services that keep enterprises competitive through enabling advanced, Internet-based business

Return to the Fourth Quarter 2002 Table of Contents
Download a PDF of this article. (Or download a PDF of this issue of Packet.)
All contents are Copyright © 1992--2002 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.