Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 21
Configuring Advanced Connection Features
Permitting or Denying Application Types with PISA Integration

You might want to deny certain types of application traffic when you want to preserve bandwidth for critical application types. For example, you might deny the use of peer-to-peer (P2P) applications if they are affecting your other critical applications.

This section includes the following topics:
- PISA Integration Overview, page 21-5
- Configuring the FWSM to Deny PISA Traffic, page 21-6
- Configuring the Switch for PISA/FWSM Integration, page 21-7
- Monitoring PISA Connections, page 21-10

PISA Integration Overview

This section describes how the PISA works with the FWSM, and includes the following topics:
- PISA Integration Guidelines and Limitations, page 21-5
- Using GRE for Tagging, page 21-5
- Failover Support, page 21-6

PISA Integration Guidelines and Limitations

The following guidelines and limitations apply to PISA integration:
- The PISA and the FWSM cannot be in the same switch chassis. You can, however, use multiple PISAs upstream and downstream of the FWSM if desired.
- There is a slight performance impact on the PISA for traffic sent to the FWSM, due to the need to tag the packets for the FWSM (see the "Using GRE for Tagging" section).
- When a UDP packet is denied due to the FWSM service policy, the corresponding session is not immediately deleted. Instead, it is allowed to time out, and the packets that hit this session in the meantime are dropped.
- It is possible for an end-user application to use the special GRE key that is used between the FWSM and the PISA. In such instances, the PISA generates a syslog message and drops these packets.
- The PISA takes several packets to determine the application type; therefore a session starts to be established on the FWSM before the PISA tagging commences. Until the tag appears, the FWSM sees the first packets of the flow as ordinary untagged traffic. When the PISA tagging commences, the FWSM security policy is then applied, and if the policy is to deny the flow, the session is prevented from completing.
- For fragmented packets, the PISA tags only the first fragment; the FWSM reassembles the packet and acts upon it based on the encapsulation included in the first fragment.

See also the "PISA Limitations and Restrictions" section on page 21-7.

Using GRE for Tagging

After the PISA identifies the application used by a given traffic flow, it encapsulates all packets using GRE and includes a tag informing the FWSM of the application type. In addition, an outer IP header almost identical to the inner/original IP header is added; the only change is the protocol field, which now indicates GRE. The original Layer 2 header is maintained, which preserves the original routing/switching paths for the modified packet. The GRE encapsulation adds 32 bytes (20 bytes for the outer IP header and 12 bytes for the GRE header).

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
21-5
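The encapsulation described in "Using GRE for Tagging", written out as an added example (this is not Cisco's code and not the PISA or FWSM implementation). It builds the tagged packet exactly as the guide describes it: a 20-byte outer IP header copied from the inner one with the protocol field changed to GRE (47) and the length and checksum recomputed, followed by a 12-byte GRE header, followed by the untouched original packet, for 32 bytes of overhead. The guide does not specify the GRE header layout, so the following are assumptions: the 12 bytes are a GRE header with the Key (K) and Sequence (S) flags set, the shared PISA/FWSM key travels in the Key field and the application tag in the Sequence field; `PISA_TUNNEL_KEY`, `APP_TAG_P2P` and the sample TCP packet are constructed placeholders. The PISA side also shows the two edge cases the guidelines list: an end-user GRE packet that already uses the reserved key is logged and dropped, and a non-first fragment passes through untagged.

```python
"""PISA-style GRE tagging, PISA side (tag) and FWSM side (untag).

Added example, not Cisco's code. Assumed layout: GRE with K and S flags
(RFC 2890), shared key in the Key field, application tag in the Sequence field.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000
IPV4_HDR_LEN = 20
GRE_HDR_LEN = 12                            # 4 base + 4 key + 4 sequence (assumed)
PISA_OVERHEAD = IPV4_HDR_LEN + GRE_HDR_LEN  # 32 bytes, as the guide states

PISA_TUNNEL_KEY = 0x50495341  # hypothetical "special GRE key" shared by PISA and FWSM
APP_TAG_P2P = 0x10            # hypothetical application tag value


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0x1234, frag_offset=0, more_frags=False):
    """Build a minimal IPv4 packet (no options) with a valid header checksum."""
    a2b = lambda addr: bytes(int(x) for x in addr.split("."))
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload),
                                ident, flags_frag, 64, proto, 0, a2b(src), a2b(dst)))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def _gre_fields(gre: bytes):
    """Parse a GRE header; return (flags, proto, key, seq, header_len)."""
    flags, proto = struct.unpack("!HH", gre[:4])
    off, key, seq = 4, None, None
    if flags & GRE_FLAG_C:
        off += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    return flags, proto, key, seq, off


def pisa_tag(pkt: bytes, app_tag: int, tunnel_key: int = PISA_TUNNEL_KEY):
    """PISA side: return the tagged packet, the packet unchanged (non-first
    fragment), or None when an end-user packet already uses the reserved key."""
    ihl = (pkt[0] & 0x0F) * 4
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return pkt  # only the first fragment is tagged; later fragments pass untouched
    if pkt[9] == IPPROTO_GRE:
        try:
            key = _gre_fields(pkt[ihl:])[2]
        except struct.error:
            key = None
        if key == tunnel_key:
            print("syslog: end-user GRE packet uses the PISA/FWSM key, dropping")
            return None
    # Outer header: copy of the inner one, protocol -> GRE, length += 32,
    # checksum recomputed. Addresses, ident and fragment bits are kept as-is.
    outer = bytearray(pkt[:IPV4_HDR_LEN])
    outer[0] = 0x45
    struct.pack_into("!H", outer, 2, len(pkt) + PISA_OVERHEAD)
    outer[9] = IPPROTO_GRE
    struct.pack_into("!H", outer, 10, 0)
    struct.pack_into("!H", outer, 10, ip_checksum(bytes(outer)))
    gre = struct.pack("!HHII", GRE_FLAG_K | GRE_FLAG_S, GRE_PROTO_IPV4, tunnel_key, app_tag)
    return bytes(outer) + gre + pkt


def fwsm_untag(pkt: bytes, tunnel_key: int = PISA_TUNNEL_KEY):
    """FWSM side: return (app_tag, inner_packet) for a PISA-tagged packet,
    else None (plain traffic, foreign GRE, wrong key, outer/inner mismatch)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        return None
    try:
        _, proto, key, seq, hlen = _gre_fields(pkt[ihl:])
    except struct.error:
        return None
    if key != tunnel_key or seq is None or proto != GRE_PROTO_IPV4:
        return None
    inner = pkt[ihl + hlen:]
    # Trust the tag only if the outer header really mirrors the inner one.
    if len(inner) < IPV4_HDR_LEN or inner[12:20] != pkt[12:20]:
        return None
    if struct.unpack("!H", inner[2:4])[0] != len(inner):
        return None
    return seq, inner


def demo():
    # Constructed sample: a TCP packet carrying a P2P-looking payload.
    inner = build_ipv4("10.1.1.10", "192.0.2.5", IPPROTO_TCP,
                       struct.pack("!HH", 40123, 6881) + b"\x00" * 16 + b"BitTorrent protocol")
    tagged = pisa_tag(inner, APP_TAG_P2P)
    tag, recovered = fwsm_untag(tagged)
    return len(tagged) - len(inner), tag, recovered == inner


if __name__ == "__main__":
    print(demo())
```

The FWSM-side check that the outer addresses match the inner ones is the practical consequence of "almost identical" headers: a tagged packet whose outer and inner headers disagree did not come from the PISA path and should not have its tag honoured.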
