Cisco Catalyst 6500 Series Switches

The FWSM is a high-speed integrated firewall module for the Cisco Catalyst 6500 Series switches that provides data throughput up to 5 Gbps, 100,000 connections per second, and 1 million concurrent connections. Up to four firewall modules can be installed in a single chassis providing scalability to 20 Gbps per chassis. As part of the industry-leading Cisco PIX^® firewalls, the FWSM provides enterprises and service providers with superior security, reliability, and performance.

The FWSM is commonly deployed in Internet edge environments and between corporate and Internet data centers, and the LAN and WAN.

Notes:

Requires Cisco Catalyst 6000 Multilayer Switch Feature Card MSFC2 and Cisco IOS Software for the MSFC2 Release 12.1(13)E3.

Currently supported only on Supervisor Engine 2 in hybrid configurations.

Integrated service module for the Cisco Catalyst 6500 Series that offloads the processor-intensive tasks related to securing traffic with SSL and thus increases the number of secure connections supported by a Web site. Offering 3000 connection setups per second per module (12,000 per chassis) and 300-Mbps bulk encrypted throughput per module (1.2 Gbps per chassis) while maintaining 60,000 concurrent client connections (200,000 per chassis), the SSL Services Module provides the fastest session setup rates and bulk encrypted throughput in the industry.

The SSL module is commonly deployed with a Content Switching Module (CSM) to scale the performance and improve the persistence mechanisms and manageability of a Web site.

Notes: Up to four SSL modules supported in a single chassis.

Requires Cisco MSFC2 and Cisco IOS for the MSFC2 Software Release 12.1(13)E3.

Currently supported only on Supervisor Engine 2 in hybrid configurations.

Hardware FCS January, 2003.

The CSM integrates advanced Layer 4 - Layer 7 content switching into the Cisco Catalyst 6500 Series to provide high-performance, high-availability load balancing, while taking advantage of the Catalyst support of Layer 2 and Layer 3 switching. With features such as full regular expression support, full stateful redundancy, server and firewall load balancing, configurable network address translation (NAT), virtual private networking (VPN) and IPsec load balancing, HTTP 1.1 persistence support, sticky connections, and many load balancing predictors, the CSM provides the flexibility to improve the performance and reliability of most network infrastructures.

The CSM is commonly deployed with the SSL Services Module in the Internet-corporate data center.

Note: Requires Cisco MSFC2 and Cisco IOS for the MSFC2 Release 12.1(13)E3.

The IDSM2 is an integrated services module for the Cisco Catalyst 6500 Series chassis offering performance speeds of 400 Mbps. The IDSM2 detects unauthorized activity traversing the network by analyzing traffic in real time, helping enable users to quickly respond to security breaches.

Support for 64 MB ATA Flash (Type I and Type II) on Supervisor Engine 2, allowing the storage of more backup images.

Note: Requires ROM Monitor (ROMMON) version 7.1 or later.

Allows port security to be configured on an 802.1x-enabled port. If port security is enabled for only one Media Access Control (MAC) address on a port, only that MAC address will authenticate via the Remote Authentication Dial-In User Service (RADIUS) server. All other MAC addresses will be denied access to the network, which eliminates the security risk of additional users attaching to a hub to bypass authentication. When 802.1x and port security are enabled in the multiple authentication mode, all hosts attempting to connect through a switch port will be required to authenticate using 802.1x.

X

Helps enable organizations to combine the benefits of Cisco AVVID (Architecture for Voice, Video and Integrated Data) voice over IP (VoIP), and dynamic port security. Users can configure the auxiliary VLAN feature on an 802.1x port and vice versa. When the switch recognizes a phone is attached to a port via CDP, it allows phone traffic on the auxiliary VLAN without 802.1x authentication. Then, the PC or Workstation connected (behind the phone) to the 802.1x port of the switch will use the port VLAN ID and authenticate following the dot1x protocol.

The IP phone connected to the 802.1x port will use the VVID of the port for its voice traffic independent of whether the 802.1x port status is authorized or unauthorized.

X

Enables organizations to offer restricted "guest" network access. With this feature enabled, users are placed into the Guest VLAN if they fail authentication or if a non-802.1x client is connected to an 802.1x-enabled port. The guest VLAN is configured globally from the normal or extended VLAN range.

X

This feature offers synchronization of runtime information between active and standby supervisors so that the 802.1x port state, either authorized or unauthorized, is maintained during a high-availability switchover.

X

Port security is used to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port. Alternatively, it is used to filter traffic destined to or received from a specific host based on the host MAC address.

High-availability with port security ensures that the port-security database is synchronized from the active supervisor engine to the standby supervisor engine during a supervisor switchover. This allows the new active supervisor engine to take over from the latest protocol state, rather than restarting.

X

AutoQoS is a feature that simplifies quality of service (QoS) configuration for voice-enabled switches. When issued, the autoqos command on the Cisco Catalyst 6500 Series switch will dynamically set QoS parameters on the switch ports according to Cisco best practice recommendations.

AutoQoS consists of two macros. The first covers all the related QoS configurations required for implementing the recommended Cisco AVVID settings for a voice port (AutoQoS). The second macro is a superset of the first, configuring all features required for a Cisco IP Phone to work properly on the Catalyst 6500 platform.

When the AutoQoS commands are issued, VoIP-QoS configurations are automated and the script intelligence allows voice traffic to be prioritized appropriately.

X

Per-VLAN Rapid Spanning Tree (PVRST+), also known as Rapid PVST+, provides the ability to apply rapid spanning tree convergence on a per-VLAN basis. Prior to this software release, achieving rapid spanning tree convergence was done by implementing IEEE 802.1s, Multiple Instance Spanning Tree, and IEEE 802.1w, Rapid Spanning Tree, protocols. There was not a means to achieve the Rapid Spanning Tree convergence on a per-VLAN basis prior to Cisco Catalyst OS Software version 7.5(1).

This eases the overall deployment for customers familiar with the operation of IEEE 802.1d Spanning Tree and Per VLAN Spanning Tree implementations common in most enterprises and service provider environments.

X

X

Prevents ARP spoofing and "man-in-the-middle" attacks by ensuring an attacker cannot hijack the default gateway address of a user so as to intercept all of the user's data. ARP inspection prevents malicious users from impersonating other hosts or routers by inspecting all ARP packets. It provides the network administrator the ability to configure a set of order-dependent rules within the security access control list (ACL) framework, to prevent the attack described above.

If an ARP inspection specific rule exists in the security ACL on a VLAN, all ARP packets will be directed to the CPU (through Access Control Entries, ACEs, in the VACL). These packets would be inspected by the ARP validation task for conformance to the specified rules. Conforming packets will be forwarded, while non-conforming packets will be dropped and possibly logged.

Note: Supported only on the Supervisor Engine 2.

X

The sc1 interface is a second management interface on the Cisco Catalyst 6500 Series Switch similar to the existing sc0 interface. Using the inband port on the chassis, the sc1 is a valid interface for image downloads, outgoing ping and telnet, and Simple Network Management Protocol (SNMP) functions.

X

IGMP is used by hosts and routers to report their IP multicast group membership to neighboring multicast routers. IGMPv3 adds support for source-based filtering which allows systems to report interest in packets from a specified source, and eliminate the leave group message.

IGMPv3 snooping is backward compatible with IGMPv1 and IGMPv2 snooping.

X

NBAR is used to classify IP unicast traffic into application specific flows. It determines which protocols and applications are currently running on a network so that an appropriate QoS policy can be created based on the current traffic mix and application requirements.

NBAR is capable of classifying packets belonging to the following four types of protocols/applications:

The classification information can be used for several purposes, such as QoS policing, traffic shaping, and Class-based Weighted Fair Queuing and identifying viruses such as NIMDA.

Notes:

X

Prior to release 7.5(1), Cisco Catalyst OS provided authentication of users by using TACACS, RADIUS or KERBEROS and local authentication was limited to authentication for normal mode and enable mode.

Local username/password provides the switch administrators the ability to create and manage users local to a switch. Users are created with privilege levels of either 0 or 15. Users with privilege level 0 are restricted to access commands in "normal mode" and users with privilege level 15 have access to commands in "enable mode."

A maximum of 25 local users can be created. Once this feature is enabled, the console and telnet processes will prompt for "local username" followed by a prompt for "password."

X

X

Port Unicast Block enables a user to block unicast flooding on a per-port basis. By default, all Ethernet ports are configured to allow unicast flooding. When port security is enabled and MAC addresses are learned, the unicast flooded packets to this port can be blocked.

This is accomplished by configuring the "port security" port to blocking mode. Once the address count on the port reaches the maximum threshold count, and the port is in blocking mode, unicast flooding is blocked.

X

X

Port Security is used to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port. Alternatively, it is used to filter traffic destined to or received from a specific host based on the host MAC address.

High availability with port security ensures that the port-security database is synchronized from the active supervisor engine to the standby supervisor engine during a supervisor switchover. This allows the new active supervisor engine to take over from the latest protocol state, rather than restarting.

X

The Dot1q-all-tagged feature command prior to Cisco Catalyst OS Software version 7.5(1) was a global command. It configured a switch to forward all frames from 802.1Q trunks with 802.1Q tagging, including traffic in the native VLAN (default VLAN), and admit only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN.

In Cisco Catalyst OS Software version 7.5(1) and later, the dont1q-all-tagged feature can be enabled or disabled on a per port basis, should some network devices, for example customer premise equipment in Metro area deployments, not support tagged packets.

X

Prior to Cisco Catalyst OS version 7.5(1), rate limiting was not available for logging router access control list (RACL) denied packets. In that case, all denials were sent to the MSFC and there existed the possibility of overloading the MSFC.

With the enhancement in Cisco Catalyst OS Software version 7.5(1) of rate limit log ACL, the user can rate limit the amount of denials that are sent to the MSFC. Those packets that exceed the limit will be dropped.

X

NetFlow Data Export (NDE) is used for collecting accounting statistics on IP flow information for routed and bridged traffic. NDE makes these statistics available for analysis by an external data collector to improve manageability of the network.

The NetFlow version 5 format is now supported on the Cisco Catalyst 6500 Series switches.

X

Maximizes Catalyst 6500 series supervisor engine QoS ACL capacity so that 500 interfaces can contain IP, IPX and MAC ACLs for a total of 1500 global ACLs.

X

With this trap, the switch can send an SNMP trap to a pre-defined network management system station if it learns a new MAC address. This occurs when running port security and a new MAC address is learned, and also when a MAC address ages out.

This feature also provides a means to specify a time interval for when these traps are sent so that if there are multiple users accessing the network simultaneously, traps aren't continuously traversing the network.

X

CISCO-SWITCH-ENGINE-MIB Enhancements

CISCO-CATOS-ACL-QOS-MIB Enhancement

CISCO-IGMP-SNOOPING-MIB

CISCO-PAE-MIB Enhancement

CISCO-FLASH-MIB Enhancement

CISCO-L2-TUNNEL-CONFIG-MIB

CISCO-STP-EXTENSION-MIB Enhancement

CISCO-VLAN-MEMBERSHIP-MIB Enhancement

CISCO-VTP-MIB Enhancement

RFC2665 ETHERLIKE-MIB Enhancement

RFC2863 IF-MIB Enhancement

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

Cisco Catalyst 4000 Supervisor Flash image, version 7.5.1

Spare

cat4000-k8

Cisco Catalyst 4000 CiscoView image, version 7.5.1

Spare

cat4000-cv

Cisco Catalyst 4000 Supervisor Flash image with SSH, version 7.5.1

Spare

cat4000-k9

Catalyst 6000 Supervisor 1 Flash Image, Release 7.5.1

Spare

cat6000-supk8

Catalyst 6000 Supervisor 2 Flash Image, Release 7.5.1

Spare

cat6000-sup2k8

Cat6K Supervisor 1 Flash Image w/CiscoView, Release 7.5.1

Spare

cat6000-supcvk8

Cat6K Supervisor 2 Flash Image w/CiscoView, Release 7.5.1

Spare

cat6000-sup2cvk8

Catalyst 6000 Supervisor 1 Flash Image w/SSH, Release 7.5.1

Spare

cat6000-supk9

Catalyst 6000 Supervisor 2 Flash Image w/SSH, Release 7.5.1

Spare

cat6000-sup2k9

Catalyst 6000 Sup 1 Flash Image w/CV and SSH, Release 7.5.1

Spare

cat6000-supcvk9

Catalyst 6000 Sup 2 Flash Image w/CV and SSH, Release 7.5.1

Spare

cat6000-sup2cvk9