ASK THE EXPERT - STATEFUL APPLICATION INTELLIGENCE AND INTEGRATED SECURITY

Unanswered Question
May 18th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn with Cisco expert Sachin Gupta how embedded deep packet inspection capabilities on the Catalyst 6500 deliver Stateful Application Intelligence and Integrated Security. Sachin is a senior manager in the Catalyst 6500 product management team. He has been at Cisco for 10 years and has held leadership roles in Customer Advocacy and the IOS Technologies division before joining the Catalyst 6500 team four years ago.

Remember to use the rating system to let Sachin know if you have received an adequate response.

Sachin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 1, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

lalajee123 Fri, 05/18/2007 - 21:03

Dear Cisco,

I have a Cisco Aironet 1300. When I give it a manual IP, it gives me the error (Reload Reason: Could Not Fallback to DHCP) and after this it reloads.

Please guide me to the expert/correct person whom I can contact to resolve my problem.

Waiting for your prompt response.

Nasir Mehmood

System Administrator

+92-300-5125583

[email protected]

Pakistan

sagupta Sun, 05/20/2007 - 11:39

Hi Nasir,

This forum is really to discuss new application intelligence and security capabilities of the Catalyst 6500 with Supervisor Engine 32 PISA. I recommend that you get your question answered through Cisco TAC.

Sachin

cool_mhar04 Wed, 05/23/2007 - 16:20

Hi sir,

I know this is for the expert, but I'm not an expert; I have just started my career in networking and hope you could help me with my wonderings :) :) I am very much interested in multi-layer switching, using the RSM, the Route Switch Feature Card and the supervisor engine's management, specifically switching, bridging, trunking, STP, routing (internal routing) and ACLs. Though I already have an idea of those I mention, I just want to know how the multilayer switch deals with them since it is already integrated: its operations and how-tos. Do you mind, sir, giving me something to read so I know its operation? Hope you could help me, sir; your help would be greatly appreciated. Thanks so much.

bijuja2005 Sun, 05/20/2007 - 10:51

Hi,

Planning to implement DARPI with DHCP Snooping and Port Security on a 3750 edge switch which is connected to a 6513. The DHCP server is connected to the 6513.

How can we implement this?

sagupta Tue, 05/22/2007 - 21:00

I'm not familiar with DARPI. Can you please clarify what you are trying to implement?

bijuja2005 Tue, 05/22/2007 - 21:22

Hello,

DARPI - Dynamic ARP Inspection. This is a serious Layer 2 security vulnerability where an attacker can use ARP poisoning. To mitigate this issue, DHCP Snooping along with Port Security needs to be configured.

Has anyone implemented this at an Enterprise level? Please help.
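The question above was not answered in the thread. The following is an added example configuration, not text from the thread or from Cisco, for the setup bijuja2005 describes: DHCP snooping, Dynamic ARP Inspection (DAI) and port security on a Catalyst 3750 access switch whose uplink goes to the 6513 that reaches the DHCP server. VLAN 10, the interface numbers, the database filename and the static host in the ARP ACL are all assumptions.

```cisco
! Catalyst 3750 edge switch: DHCP snooping + Dynamic ARP Inspection + port security.
! Added example; VLAN 10, interface numbers and the database filename are assumed.
!
! 1. DHCP snooping builds the IP/MAC/port binding table that DAI checks ARP against.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the bindings: after a reload an empty table means every host with a
! valid lease fails DAI until it renews.
ip dhcp snooping database flash:dhcp-snoop.db
!
! 2. DAI validates ARP on untrusted ports against the binding table and drops
!    replies whose sender IP/MAC pair has no matching binding (the poisoning case).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. Let ports that DAI rate-limiting or port security err-disabled recover.
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Access ports: untrusted for both features (the default), ARP and DHCP
! rate-limited, and port security so one host cannot rotate MAC addresses.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 spanning-tree portfast
!
! Uplink to the 6513 (towards the DHCP server): trusted, so DHCP OFFER/ACK from
! the server and ARP from the 6513's SVI are accepted. Never trust a host-facing port.
interface GigabitEthernet1/0/49
 description uplink to Cat6513
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Hosts with static addresses have no snooping binding; whitelist them explicitly
! (assumed printer at 10.1.10.5) instead of trusting their ports.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
```

Verify with `show ip dhcp snooping binding`, `show ip arp inspection vlan 10` and `show ip arp inspection statistics vlan 10`; a host that can lease an address but then cannot ARP almost always has no binding. One caveat for this exact topology: the 3750 inserts DHCP Option 82 by default, and if the 6513 is relaying DHCP (`ip helper-address`) it drops requests that carry Option 82 with a zero giaddr unless it is told to accept them (`ip dhcp relay information trust-all` on the 6513), or the 3750 is configured with `no ip dhcp snooping information option`.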

bbaley Wed, 05/23/2007 - 07:05

Hi Sachin,

What does Flexible Packet Matching (FPM) do for me that I can't do with Access Control Lists (ACLs)?

Thanks,

Bill

sagupta Wed, 05/23/2007 - 09:38

Hi Bill,

Flexible Packet Matching allows you to filter at any offset in the packet, whereas ACLs are limited to L4 ports. For example, the Slammer worm is a UDP packet that has a certain bit string at a 224 byte offset - ACLs can't match this exactly but FPM can. You can find examples of FPM filters at:

http://www.cisco.com/cgi-bin/tablebuild.pl/fpm

Sachin
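The Slammer case Sachin uses above, written out as an FPM configuration. This is an added example, not code from the thread or from the linked Cisco filter archive. The location of the PHDF files (disk2:) and the 4-byte pattern at offset 224 are assumptions recalled from Cisco's published FPM Slammer example; confirm the pattern against a packet capture before relying on it.

```cisco
! FPM filter for the Slammer worm (added example). FPM can match protocol header
! fields by name and raw bytes at an arbitrary offset; ACLs can only do the first line
! of the SLAMMER class below.
!
! PHDF files describe the IP and UDP header layouts so fields can be named.
! Their path is an assumption for this platform.
load protocol disk2:ip.phdf
load protocol disk2:udp.phdf
!
! Stack class: IP carrying UDP.
class-map type stack match-all IP-UDP
 match field IP protocol eq 0x11 next UDP
!
! Access-control class: UDP to 1434 (SQL Server Resolution Service), IP total
! length 404, and the worm's byte pattern 224 bytes from the start of the L3 header.
! The pattern value is an assumption; verify against a capture.
class-map type access-control match-all SLAMMER
 match field UDP dest-port eq 1434
 match field IP length eq 404
 match start l3-start offset 224 size 4 eq 0x4011010
!
! Drop matching packets; other UDP traffic in this class is untouched.
policy-map type access-control FPM-UDP
 class SLAMMER
  drop
!
! Nest the UDP policy under the stack class and apply inbound on the interface.
policy-map type access-control FPM-POLICY
 class IP-UDP
  service-policy FPM-UDP
!
interface GigabitEthernet1/1
 service-policy type access-control input FPM-POLICY
```

Check hit counts with `show policy-map type access-control interface GigabitEthernet1/1`. Matching on both the length and the offset pattern, rather than on port 1434 alone, is what keeps legitimate SQL Server browser traffic flowing while the worm is dropped.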

raloraimi Thu, 05/24/2007 - 02:38

Hi,

I'm running currently Cat6513 with SUP720..

what is the added value that can entice to upgrade to PISA ?

sagupta Thu, 05/24/2007 - 11:43

Hi,

You are good with Sup720! If you are using your 6513 in a campus access (wiring closet) or Enterprise WAN type of deployment, Sup32 PISA offers you the ability to apply QoS and security policies to traffic flows based on application or based on patterns deep in the packets. Basically, you can prioritize based on HTTP URL, or match things like Citrix or VoIP statefully. You can also block BitTorrent or Skype - if that is your corporate policy. And you can do all this in hardware at multi-Gigabit speeds.

Sachin

sagupta Fri, 06/01/2007 - 09:03

I'm sorry, but I don't have the expertise to answer this question. I would recommend that you contact TAC.

pauschool Fri, 05/25/2007 - 11:45

Can Sup-Eng 2 on Cat6500 deliver stateful application Intelligence and Integrated Security?

sagupta Fri, 05/25/2007 - 11:49

You need to upgrade to Supervisor Engine 32 PISA to get this new capability.

Sachin

amritpatek Tue, 05/29/2007 - 13:12

Hi Sachin,

Is there a way for me to define my own applications?

Thank you,

Amrit

sagupta Tue, 05/29/2007 - 13:22

Hi Amrit,

The Stateful Application Intelligence piece uses "PDLM" files to describe new protocols which today come from Cisco. We are hoping to enable this functionality for customers in CY08. You can define some protocols on your own today using the CLI but not very complex ones.

The Flexible Packet Matching function can be completely configured through an XML definition language.

Sachin
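An added example, not from the thread, that puts together two of Sachin's answers: the NBAR-based policy he describes to raloraimi (prioritize by HTTP URL, match Citrix and VoIP statefully, block BitTorrent or Skype) and the CLI-defined custom protocol he mentions to Amrit. The interface, VLAN, DSCP values, police rate, and the custom protocol's name, port range and signature string are all assumptions.

```cisco
! NBAR classification on a Sup32 PISA (added example, not from the thread).
! Interface, VLAN, markings, police rate and the custom protocol details are assumed.
!
! A custom protocol from the CLI: a name bound to a TCP port range plus a short
! byte pattern at a fixed payload offset. Here: ASCII "BKUP" at payload offset 4
! on TCP 5001-5010 (hypothetical backup agent). Anything stateful or
! multi-packet needs a PDLM instead.
ip nbar custom BACKUP-AGENT 4 ascii BKUP tcp range 5001 5010
!
! Classes. "match protocol" uses NBAR's stateful engine rather than L4 ports, so
! P2P on a non-standard port and Citrix inside its session still classify.
class-map match-any BLOCK-P2P
 match protocol bittorrent
 match protocol skype
class-map match-any INTERACTIVE
 match protocol citrix
 match protocol rtp audio
class-map match-all WEB-MEDIA
 match protocol http url "*.mp3"
class-map match-all BACKUP
 match protocol BACKUP-AGENT
!
! Policy: drop P2P per corporate policy, mark interactive traffic up, mark bulk
! media downloads and the backup agent down and police the downloads.
policy-map EDGE-IN
 class BLOCK-P2P
  drop
 class INTERACTIVE
  set dscp af41
 class WEB-MEDIA
  set dscp af11
  police 2000000 conform-action transmit exceed-action drop
 class BACKUP
  set dscp af11
!
! Apply inbound on the access-facing VLAN interface; the PISA does the matching.
interface Vlan10
 service-policy input EDGE-IN
```

`show policy-map interface Vlan10` shows per-class hits; enabling `ip nbar protocol-discovery` on the interface and reading `show ip nbar protocol-discovery` is the quickest way to see which applications NBAR actually recognises on your traffic before writing the policy. The drop classes only take effect for protocol versions NBAR has a definition for, which is the limitation Roberto raises later in the thread.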

Grizzwald Wed, 05/30/2007 - 13:42

Hello Sachin;

We have the hybrid 7604 containing the SUP720 engine.

When trying to apply QoS to the separate VLAN interfaces (GigabitEthernet1/1 sub-interfaces), the device returns the error message:

'shape average command is not supported in output direction for this interface

Configuration failed!'

Is this possibly an IOS issue?

(I ask this here because the 7604 is really a 6500 in disguise as a router.)

Thanks

sagupta Fri, 06/01/2007 - 09:03

Shaping is not supported on the regular Ethernet interfaces on the 6500 or the 7600. You need specialized SIP/SPA modules for this function.

ROBERTO TACCON Thu, 05/31/2007 - 04:28

Hi,

1)

What are the differences between PISA and IOS NBAR?

2)

With PISA, can I inspect the new versions of Skype or P2P applications?

In the previous post you said "with PISA you can block Skype and P2P tech": with NBAR I can't block Skype protocol version 2.x or 3.x ... and I think the new versions of P2P protocols with "protocol obfuscation" are in the same situation ...

3)

Will the PISA tech. be implemented in the FWSM module? And in the Supervisor 720?

Best regards.

sagupta Fri, 06/01/2007 - 09:02

1) PISA accelerates IOS NBAR in hardware to support multi-Gigabit speeds.

2) PISA can stop new versions of Skype and P2P applications during login pretty easily using Flexible Packet Matching. NBAR definitions for newer versions of the protocols take a little longer to develop but we plan to make them available.

3) There are no plans to integrate this functionality in the FWSM since we see these as complementary products with specialized functions. There are no committed plans for PISA on Sup720 at this time.
