Datasheet

Product Bulletin
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Secure Description Benefit
Access Control List (ACL) with Object Groups
Description:
ACLs are used to restrict network access based on a set of filters defined as access-list entries (ACE). An ACL is applied to an interface or globally to all interfaces.
ACLs are used to filter interesting traffic and instruct the ACE to either permit or deny the traffic based on the criteria defined in the filter.
The filters can be based on criteria such as source address, destination address, protocol, and protocol-specific parameters such as ports (for TCP or UDP).
ACLs permit or deny access from a client to a server for a specific service. In large configurations there can be multiple combinations of client, server, and services, resulting in a large number of ACL entries. Managing this large number of ACLs can become very challenging.
Object grouping provides the capability to group client addresses, server addresses, and services together in a single ACL entry.
Benefit: Streamlines configuration of multiple ACL entries.

TCP SYN Cookie: Denial-of-Service (DoS) Protection
Description:
A successful TCP three-way handshake (SYN, SYN-ACK, ACK) is required for a client to connect to the server.
Occasionally the three-way handshake may not complete. Such occurrences are normal if the frequency is low; however, a high volume of such occurrences could signal a hacker trying to attack the server.
A TCP SYN cookie is an initial sequence number calculated by the server in response to a SYN request from a client and inserted in the SYN-ACK response.
A TCP SYN flood attack is characterized by a large number of SYN requests sent to a server from one or more clients with source IP addresses that are invalid and unreachable, the goal being to overwhelm the target server, consume its resources, and cause it to deny service to legitimate connection requests.
The SYN cookie feature on ACE provides a mechanism to authenticate a client, thereby preventing SYN floods from a rogue client.
Benefit: ACE protects itself and servers in the applications from DoS attacks.

Multimedia and Voice over IP (VoIP): SIP, and Skinny Client Control Protocol (SCCP)
Description:
In addition to existing support for hardware-accelerated application inspection for HTTP, FTP, DNS, ICMP, and RTSP protocols, ACE extends this capability to SIP, SCCP, and ILS/LDAP.

Database and OS Services: Internet Locator Services and Lightweight Directory Access Protocol (ILS/LDAP)
Description:
Application protocol inspection helps verify the protocol behavior and identify unwanted or malicious traffic attempting to pass through the ACE.
Benefit: Secures multimedia and VoIP applications and services.

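
The TCP SYN cookie description above says the server computes an initial sequence number and returns it in the SYN-ACK. The following is an added example, not Cisco's code and not the ACE implementation, that sketches the commonly described stateless layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash). The MSS table, slot length, use of HMAC-SHA256, sample addresses and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Assumed parameters for this sketch (not Cisco ACE values).
MSS_TABLE = (536, 1220, 1360, 1400, 1440, 1452, 1460, 8960)  # 3-bit index
SLOT_SECONDS = 64   # granularity of the time counter
MAX_AGE_SLOTS = 2   # accept cookies up to two slots old


def _mac24(secret, src, sport, dst, dport, client_isn, slot):
    """24-bit keyed hash binding the cookie to one connection and time slot."""
    msg = IPv4Address(src).packed + IPv4Address(dst).packed
    msg += struct.pack("!HHIQ", sport, dport, client_isn, slot)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_isn, mss, now):
    """Return the 32-bit ISN for the SYN-ACK; no per-client state is stored."""
    slot = int(now) // SLOT_SECONDS
    # Largest table entry not exceeding the client's MSS (smallest entry if none).
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(secret, src, sport, dst, dport, client_isn, slot)
    return ((slot & 0x1F) << 27) | (idx << 24) | mac


def check_ack(secret, src, sport, dst, dport, client_isn, ack_number, now):
    """Validate the final ACK. Returns the encoded MSS, or None to drop it."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the ACK acknowledges ISN + 1
    current = int(now) // SLOT_SECONDS
    for slot in range(current, max(current - MAX_AGE_SLOTS, 0) - 1, -1):
        if (slot & 0x1F) != cookie >> 27:
            continue  # cookie was not issued in this recent slot
        expected = _mac24(secret, src, sport, dst, dport, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # all values below are constructed samples
    isn = make_cookie(key, "198.51.100.7", 40000, "203.0.113.10", 443, 1000, 1460, 10_000)
    print(check_ack(key, "198.51.100.7", 40000, "203.0.113.10", 443, 1000, isn + 1, 10_030))
    print(check_ack(key, "198.51.100.99", 40000, "203.0.113.10", 443, 1000, isn + 1, 10_030))
```

Because the cookie is recomputed from the ACK itself, a SYN from an unreachable source address never produces a valid ACK and never consumes connection state.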
Table 4. Cisco Catalyst 6500 and Cisco 7600 Series System Requirements
Requirement: Details
Chassis: All Cisco Catalyst 6500 Series and Cisco 7600 Series chassis
Supervisor Engines:
  Cisco Catalyst 6500 Series Supervisor Engine 720 and Supervisor Engine 720-10GE
  Cisco 7600 Series Supervisor Engine 720 and Route Switch Processor 720
Chassis OS:
  Cisco Catalyst 6500 Series running Cisco IOS® Software Release 12.2(18)SXF4 or later for Supervisor Engine 720, and 12.2(33)SXH or later for Supervisor Engine 720-10GE
  Cisco 7600 Series running Cisco IOS Software Release 12.2(18)SXF4 or later and 12.2(33)SRB or later for Supervisor Engine 720, and 12.2(33)SRC or later for Route Switch Processor 720
Chassis Connectivity: Functions as a fabric-enabled line card
Chassis Slots Required: Occupies 1 slot in the chassis

Ordering Information
Table 5. Ordering Information
Part Number: Product Description
WS-C6509E-ACE20-K9**: Cisco ACE20 6509 Bundle with 8 Gbps Throughput License