Cisco Cisco Catalyst 6500 Cisco 7600 Router Anomaly Guard Module Guida Informativa

Page 1 of 4

Q&A

CISCO CATALYST 6500/CISCO 7600 ROUTER ANOMALY GUARD
MODULE AND CISCO CATALYST 6500/CISCO 7600 ROUTER
TRAFFIC ANOMALY DETECTOR MODULE PRODUCT LAUNCH

What is Cisco Systems announcing with this product release?

With this release, Cisco

DDoS anomaly detection and mitigation solutions are now available as services modules integrated into industry-

leading Cisco Catalyst

6500 Series switches and Cisco 7600 Series routers. These services modules complement the existing appliances by

providing an additional flexible, modular approach for deployment with Cisco switching and routing, as well as other Layer 4–7 network and

security services.

Are these new services modules similar to the existing Cisco Guard and Cisco Traffic Anomaly Detector appliances?

Yes. The services modules are targeted toward the same DDoS detection and mitigation applications as the existing appliances. As with the

appliances, the services modules feature separate Guard and Traffic Anomaly Detector products that can be deployed individually or together as

a complete solution. They offer similar capabilities and performance as the appliances, with a few platform-driven differences. Most importantly,

even while integrated into Cisco Catalyst 6500 Series switches or Cisco 7600 Series routers, the Guard maintains its powerful “on-demand”

scrubbing capability via routing-based dynamic diversion, rather than as a traditional, always-inline device.

Will the appliance versions of Cisco Guard and Cisco Traffic Anomaly Detector still be available?

The current appliance versions of the Cisco 5650 Guard XT DDoS Mitigation Appliance and the Cisco 5600 Traffic Anomaly Detector XT

will continue to be sold and supported. The appliances will also continue to adopt new features, for the foreseeable future.

What software releases will be supported by the new services modules?

The first customer shipment (FCS) versions of the Cisco Anomaly Guard Module and the Cisco Traffic Anomaly Detector Module will ship

with Cisco MVP Software Release 4.0. This release is specifically designed for the services modules and is equivalent to Release 3.0(8) for the

appliances, with the addition of a new packet-capture feature. The appliances currently ship with Release 3.1, and the services modules will not

include Release 3.1 features—enhanced TACACS+ and Extensible Markup Language (XML) formatted reports—until the next major release.

This next major release (Release 5.0) will be used on both the appliances and the services modules, and will provide the same features for both

(with some platform-driven differences).

To run the new DDoS detection and mitigation services modules, users will also need to upgrade their Cisco Catalyst 6500 Series switches to Cisco

IOS

Software Release 12.2(18)SXD3 (currently available) or later. The Cisco 7600 Series routers will be officially certified for these new services

modules with the upcoming Cisco IOS Software Release 12.2(18)SXE.

Although capabilities are essentially the same, what are the platform-driven differences mentioned above?

The differences include the following:

First, the services modules, which have no external interfaces, connect to the Cisco Catalyst 6500 Series Switch directly via a gigabit backplane

interface. Like the appliances, however, the modules can interconnect with multiple ports for configuration flexibility.

Second, routing functions are now distributed to the industry-leading Cisco IOS router in the supervisor engine; therefore, the Anomaly Guard

Module does not include an integrated router (unlike the appliance version). Intrachassis routing updates for dynamic diversion are communicated

via the Cisco Route Health Injection (RHI) protocol.