Catalyst 4500-X Fixed 10 GE Aggregation Switch
Under NDA<br />
Updated on<br />
January 2, 2013<br />
Catalyst 4500-X<br />
Fixed 10 GE Aggregation Switch<br />
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
• Cisco Catalyst 4500-X Switches<br />
Introduction, Product Portfolio, Performance & Scalability, IOS-XE, Licensing & Architecture<br />
• High Availability<br />
VSS<br />
• Application Visibility and Troubleshooting<br />
NetFlow and Flexible NetFlow<br />
Embedded Event Manager (EEM)<br />
Network Packet Analyzer (Wireshark)<br />
• Network Virtualization<br />
VRF Lite<br />
Easy Virtual Network (EVN)<br />
• Software Services<br />
Medianet<br />
• Security<br />
IPv6 First Hop Security<br />
• Simplified Operations<br />
Smart Install<br />
INNOVATION<br />
Virtual Switching System (VSS)<br />
Flexible NetFlow<br />
Easy Virtual Network (EVN)<br />
IOS XE Open Application Platform (Wireshark)<br />
ISSU, NSF, SSO w/ VSS<br />
Cisco TrustSec (MACsec)*<br />
Medianet<br />
OPERATIONAL SIMPLICITY<br />
Automation<br />
Investment protection<br />
Modular 8-port 10GE uplink<br />
Hot-swappable dual redundant power supplies & five individual fans<br />
Limited Lifetime Warranty<br />
800 Gbps system, 1.6 Tbps w/ VSS<br />
Smallest size: 1RU, 21” deep<br />
Highest scalability, richest services, industry leadership, lower TCO<br />
Revolutionizing the fixed 10GE campus aggregation!<br />
Catalyst 4500-X Advantages:<br />
‣ 1.6 Tbps switching capacity w/ VSS<br />
‣ Small size: 1RU, 21” deep<br />
‣ Supports GE SFP and 10 GE SFP+ on any port<br />
‣ Low power consumption, ~330W<br />
‣ Flexibility for future growth to 40G<br />
• Cisco Catalyst 4500-X Switches<br />
Introduction<br />
Product Portfolio<br />
Hardware Features & Caveats<br />
Performance & Scalability<br />
IOS-XE<br />
Licensing<br />
Architecture<br />
• High Availability<br />
• Application Visibility and Troubleshooting<br />
• Network Virtualization<br />
• Software Services<br />
Catalyst 4500-X PORTFOLIO<br />
WS-C4500X-40X-ES<br />
WS-C4500X-32SFP+<br />
WS-C4500X-24X-ES<br />
WS-C4500X-F-16SFP+<br />
Software Release: IOS-XE 3.3.0 SG<br />
Front-to-back airflow: burgundy fan and P/S handles<br />
Back-to-front airflow: blue fan and P/S handles<br />
8-port 10GE modular uplink module: C4KX-NM-8SFP+<br />
Removable fan module<br />
750W AC modular P/S<br />
Dual redundant AC/DC P/S and 5 Fans<br />
Airflow vent above the ports for optimal cooling<br />
Burgundy color fan and P/S handles<br />
for front to back airflow<br />
Blue color fan and P/S handles for<br />
back to front airflow<br />
Warning: Removing the uplink module without stopping it first produces an error message, and the system resets and returns to ROMMON mode.<br />
OIR button & LED<br />
Step 1: Stop the module with the "hw-module module <number> stop" command, or press the OIR button for 5 seconds.<br />
Step 2: Wait for the "%C4K_IOSMODPORTMAN-6-MODULEOFFLINE" console message, or for the OIR LED to turn green.<br />
Step 3: Remove the module and insert the replacement module.<br />
Step 4: Start the module with the "hw-module module <number> start" command.<br />
Example:<br />
Switch# hw-module module 2 stop<br />
% Module 2 stopped<br />
*Feb 5 16:34:37.325: %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 2 is offline<br />
Switch# hw-module module 2 start<br />
*Feb 5 16:36:27.352: %C4K_IOSMODPORTMAN-6-MODULEINSERTED: Module 2 is inserted<br />
System<br />
Feature | C3750X-24S | Supervisor 7-E | Catalyst 4500-X<br />
Switching capacity | 160 Gbps | 848 Gbps | 800 Gbps (limited by max front-panel ports)<br />
Throughput | 65.5 Mpps | 250 Mpps (125 Mpps for IPv6) | 250 Mpps (125 Mpps for IPv6)<br />
Bandwidth / slot | NA | Up to 48G | NA<br />
CPU | (not listed) | Dual core 1.5 GHz | Dual core 1.5 GHz<br />
Egress buffer | 2-4 MB | 32 MB | 32 MB<br />
Number of packet buffers | NA | 128K | 128K<br />
DRAM | 512 MB | 2G (upgradable to 4G) | 4G<br />
Bootflash | 128 MB | 1G | 2G<br />
Number of 1GE ports | 24 | Up to 192 on line cards, up to 4 on uplinks | 16/32 ports + 8-port module<br />
Number of 10GE ports | 2 w/ uplink | Up to 96 on line cards, up to 4 on supervisors | 16/32 ports + 8-port module<br />
Layer 2<br />
Feature | C3750X-24S | Supervisor 7-E | Catalyst 4500-X<br />
Unicast MAC entries | 12K | 55000 | 55000<br />
ARP entries | 3K | 47K | 47K<br />
Number of VLANs | 1005 | 4094 | 4094<br />
Virtual port instances | (not listed) | 10K | 10K<br />
Number of EtherChannels | 48 | 64 | 40 (limited by max front-panel ports)<br />
Layer 3<br />
Feature | C3750X-24S | Supervisor 7-E | Catalyst 4500-X<br />
Routing entries IPv4/IPv6 | 11K | 256K/128K | 256K/128K (32-port model), 64K/32K (16-port model)<br />
Number of VRFs/EVN | VRF 26, EVN no | 64/32 | 64/32<br />
NetFlow entries | 32K | 128K | 128K<br />
QoS and ACLs<br />
Feature | C3750X-24S | Supervisor 7-E | Catalyst 4500-X<br />
ACLs | 1K | 128K (64K input & 64K output, shared with QoS) | 128K (64K input & 64K output, shared with QoS)<br />
Number of policers | 64 per port | 16K | 16K<br />
QoS classification entries | 0.5K | 128K (64K input & 64K output, shared with ACL) | 128K (64K input & 64K output, shared with ACL)<br />
Queues per port | 4 queues | 8 queues, 1p7q1t | 8 queues, 1p7q1t<br />
Multicast and SPAN<br />
Feature | Supervisor 7-E | Catalyst 4500-X<br />
Number of SPAN sessions | 8 bidirectional | 8 bidirectional<br />
Number of L2 multicast entries | 32000 | 32000<br />
Multicast routes IPv4/IPv6 | 32K/32K | 32K/32K (32-port model), 24K/12K (16-port model)<br />
Multicast replication performance | 230 Mpps (115 Mpps IPv6) | 230 Mpps (115 Mpps IPv6)<br />
Feature | Supervisor 7-E | Catalyst 4500-X<br />
High Availability | RPR/SSO, NSF, ISSU, VSS | VSS<br />
Security | TrustSec (MACsec, SGT*, SGACL*) | TrustSec (MACsec*, SGT*, SGACL*)<br />
Medianet | Mediatrace, Video Monitoring, IPSLA VO, MSI Proxy (both platforms)<br />
Management | FnF, EEM, SPAN/RSPAN, Wireshark (both platforms)<br />
Network Virtualization | EVN, VRF-Lite (both platforms)<br />
* roadmap<br />
Note that MACsec is roadmap on the Catalyst 4500-X at this release even though the stub ASICs on the board are MACsec-capable (see the architecture diagram), so link encryption cannot be planned for until software support ships.<br />
IOS-XE<br />
• Modern IOS that enables the multi-core CPU<br />
• Easy customer migration while maintaining IOS functionality and look and feel<br />
• Allows hosted applications such as Wireshark<br />
Figure: software stack comparison. IOS 15.1(1)SG is a single image of IOS features and components. IOS XE 3.3.0SG runs IOSd (features and components) and hosted apps on top of a common infrastructure / HA layer, a management interface, module drivers and the kernel.<br />
IOS XE Application Hosting Example: Wireshark<br />
Figure: Wireshark runs as a hosted app beside IOSd, above the common infrastructure / HA layer, management interface, module drivers and kernel.<br />
• Embedded Wireshark application for real-time traffic capture and decoding with a customer-familiar user interface<br />
• Simplified monitoring and troubleshooting<br />
• Wireshark hosted as a 3rd-party application<br />
• Leverages IOS capabilities for selective packet capture<br />
IP Base | Enterprise Services<br />
IP Base: Auto QoS, Flexlink+, Flexible NetFlow, IGMP/MLD snooping, Rapid-PVST+, HSRP/GLBP/VRRP, EEM, PVLAN, IEEE 802.1X, Smartports, PACL/VACL, static routing, RIP, stub multicast, WCCP, EIGRP stub, OSPF (256 routes, 1 process), QinQ, IP SLA, network mobility services, L2PT, Medianet, VSS<br />
Enterprise Services (in addition): BGPv4/v6, IS-ISv4/v6, EIGRP, OSPF v2/v3, PBR, VRF-lite, NSF, multicast VRF-lite, EVN, enhanced multicast load splitting, multicast BGP, Multicast Routing Monitor, VRF-aware TACACS+<br />
Upgrade from IP Base to Enterprise with a license key; no new software download is needed for the license upgrade.<br />
Figure: Catalyst 4500-X architecture block diagram. A 1.5 GHz CPU with SDRAM, an SD slot, a USB host controller (USB Type A), an RS-232-to-USB console (USB Type B) and a management port sit beside the packet processor, which integrates the forwarding engine and the NetFlow engine. Five stub ASICs (MACsec-capable), each carrying 8 x 10G, connect through quad PHYs to the 32 front-panel SFP/SFP+ ports (two groups of 2 x 8) and, through an FPGA, to the 8 x SFP/SFP+ uplink module.<br />
Figure: unicast packet path. Front-panel ports write packets into packet memory; the packet processor builds a PLD (Packet Lookup Descriptor) for the forwarding engine + NetFlow engine, which performs the STP lookup, the input classification TCAM lookup, the forwarding lookup (TCAM and forwarding lookup memory), DHM and the output classification TCAM lookup, then hands a PTD (Packet Transmit Descriptor) to queue memory for transmission from the front-panel ports.<br />
Figure: multicast packet path. The same pipeline adds a replication queue, a replication module and a replication table between the forwarding lookup and the output classification stage.<br />
• Cisco Catalyst 4500-X Switches<br />
• High Availability<br />
Virtual Switching System (VSS)<br />
Multicast HA<br />
• Application Visibility and Troubleshooting<br />
• Network Virtualization<br />
• Software Services<br />
• Security<br />
• Smart Operations<br />
VSS: increased operational efficiency, non-stop communication, doubles system bandwidth, uses the existing architecture.<br />
Single-chassis design: Advantages<br />
• Operational simplicity: single control plane between layers<br />
• Single-chassis system redundancy<br />
• Cost-effective solution for small-size network designs<br />
Single-chassis design: Disadvantages<br />
• Single point-of-failure design<br />
• Any major network fault can cause a complete network outage<br />
• May not be a very cost-effective design compared with dual-chassis systems<br />
Highly redundant network design: Advantages<br />
• Redundant network paths<br />
• Redundant system and network paths at mission-critical network points<br />
• Protects network availability during major network fault events<br />
Highly redundant network design: Disadvantages<br />
• Becomes complex as it scales<br />
• Increased control and management plane<br />
• Redundant control plane with redundant topology information<br />
• Redundant design with sub-optimal topology and complex operation.<br />
• Stabilize the network topology with several L2 settings: STP primary and backup root bridge, Bridge Assurance, Rootguard, Loopguard or Bridge Assurance, STP edge protection.<br />
• Protocol-restricted forwarding topology: STP FWD/ALT/BLK ports, single active FHRP gateway, asymmetric forwarding, unicast flooding.<br />
• Protocol-driven network recovery: PVST/RPVST+, FHRP tunings.<br />
Figure: two distribution switches (HSRP active, STP root, Rootguard, Loopguard or Bridge Assurance) with access switches protected by BPDU Guard or PortFast and port security.<br />
Traditional Enterprise Campus Multi-layer Design<br />
Traditional enterprise campus networks have been designed to scale, allow differentiated services, and offer high availability. However, these networks can also face many challenges:<br />
Layer 3 core: extensive routing topology, routing reconvergence<br />
L2/L3 distribution: FHRP, spanning tree, asymmetric routing, policy management<br />
Access: single active uplink per VLAN (PVST), L2 reconvergence<br />
• Multiple parallel Layer 2 network paths build an STP loop network.<br />
• VSS with MEC builds a single loop-free network that utilizes all available links.<br />
• Distributed EtherChannel minimizes STP complexities compared to a standalone distribution design.<br />
• The STP toolkit should still be deployed to safeguard the multilayer network.<br />
Figure: standalone distribution with STP root, Rootguard and STP BLK ports versus VSS with a loop-free L2 EtherChannel; access ports keep BPDU Guard or PortFast and port security.<br />
• Single logical Layer 3 gateway.<br />
• Eliminates the need for FHRP protocols.<br />
• Without FHRP dependencies, Layer 3 network scalability increases.<br />
• Hardware-based rapid fault detection and network recovery with default protocol timers.<br />
• Deterministic sub-second network convergence under multiple fault conditions.<br />
Figure: VSS pair R1 presented to the network as a single IP gateway.<br />
Standalone (physical view) vs. VSS (physical view) vs. VSS (logical view)<br />
Figure: access switches, ToR switches or blades connect to the VSS pair with Multi-Chassis EtherChannel (MEC); logically they see a single switch.<br />
Simplifies operational manageability via a single point of management; no FHRP is needed.<br />
Doubles bandwidth utilization with active-active Multi-Chassis EtherChannel (802.3ad/PAgP) and reduces latency.<br />
Minimizes traffic disruption from switch or uplink failure with deterministic sub-second stateful and graceful recovery (SSO/NSF).<br />
Figure: VSS domain. One Catalyst 4500E/X operates as the active control plane for the VSS (virtual switch primary: active control plane, active data plane); the other Catalyst 4500E/X operates as the hot-standby control plane (virtual switch secondary: hot-standby control plane, active data plane).<br />
VSS Domain: defines two Catalyst 4500s that peer as a single Virtual Switching System.<br />
Virtual Switch Link: minimum 2 links; 4 or more is safer. A bundle of up to 8 x 1GE (or 10GE) links joining two Catalyst 45xx’s, allowing them to operate as a single logical device.<br />
- VSS is supported beginning in IOS XE 3.4.0SG (Dec 2012).<br />
- 4500E chassis with Sup 7E: IP Base or higher.<br />
- 4500E chassis with Sup7L-E: Enterprise license.<br />
- Both 4500E chassis need a symmetrical chassis and Sup.<br />
- You can combine 4500E Sup ports and line-card ports on one VSL or MEC as long as they are the same speed.<br />
- 4500-X VSS peers need to have the same baseboard (16/24 or 32/40).<br />
- A VSL bundle can consist of up to 8 x 10GbE or 8 x 1GE links.<br />
* VSL requires dedicated ports.<br />
Figure: VSS license support matrix (columns LAN Base, IP Base, Enterprise Services; rows Catalyst 4500E (Sup7E), Catalyst 4500E (Sup7L-E), Catalyst 4500-X; the support marks are not shown in the extracted slide).<br />
No separate feature license is required for VSS.<br />
Supervisor | 47xx Linecards | 46xx Linecards | Legacy Linecards*<br />
Supervisor 7-E, Supervisor 7L-E | WS-X4748-RJ45V+E, WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748-RJ45-E | WS-X4606-X2-E, WS-X4648-RJ45V-E & +E, WS-X4648-RJ45-E, WS-X4640-CSFP-E, WS-X4624-SFP-E, WS-X4612-SFP-E | WS-X4548-GB-RJ45V, WS-X4548-RJ45V+, WS-X4548-GB-RJ45, WS-X4448-GB-SFP, WS-X4248-RJ45V, WS-X4248-FE-SFP, WS-X4148-FX-MT, WS-X4148-RJ<br />
4500-X: VSL support on all 1GE/10GE links.<br />
1G/10G ports on Sup uplinks and on 46xx and 47xx line cards can be configured as VSL links.<br />
* Classic line cards will be supported in Phase II; however, they cannot be configured as VSL links.<br />
Capability | Catalyst 4500E/X Phase I (shipping now) | Catalyst 4500E/X Phase II (IOS-XE 3.5.0E, 3QCY2013)<br />
Capabilities listed: single-sup cross-chassis VSS support; quad-sup forwarding uplinks; L2-based multi-chassis EC; L3-based multi-chassis EC; split-brain (dual-active) detection; cross-chassis NSF/SSO; cross-chassis ISSU; PoE LC support in VSS* (the per-phase support marks are not shown in the extracted slide).<br />
Split-brain (dual-active) detection | ePAgP | Fast-Hello, ePAgP<br />
Phase II additions: support for classic line cards; asymmetric chassis (VSL between chassis with different slot counts, E series).<br />
Features | Standalone | VSS<br />
Features listed (the per-column support marks are not shown in the extracted slide): VLAN Management Policy Server (VMPS) client; Unidirectional Ethernet (UDE); CFM D8.1; REP and associated features; Flexlinks; PVL, L2PT, Fast UDLD; WCCP; Dot1q tunnel; VLAN translation (1:1, 1:2 selective QinQ); Mediatrace and Metadata; EnergyWise; Smart Install Director<br />
Catalyst 4500E VSS<br />
1. Mix fiber/PoE line cards in a VSS configuration: ideal for collapsed designs.<br />
2. Create the VSL link over 1G (copper and fiber): price-optimize your BOM.<br />
Catalyst 4500E VSS<br />
10G core, 10G VSL (Sup7-E VSS): 2x10G links from the VSS to the core switches, 2x10G VSL. Optimal configuration: Sup7-E has 4x10G uplinks; a 10G line card is NOT required.<br />
10G core, 1G VSL (Sup7L-E VSS): 2x10G links from the VSS to the core switches, n x 1G VSL, 1G links toward the access layer. Optimal configuration: the VSL link is now possible over 1G, with up to 8x1G VSL links (fiber/copper); a 10G line card is NOT required.<br />
Catalyst 4500E VSS: Beyond 384 Ports in the Closet<br />
Figure: VSS in the access layer. A 10G/1G VSL joins the two chassis in each wiring closet (#1, #2), with a single point of VSS management and optimized 10G/1G ports in the backbone.<br />
Details:<br />
• Up to 768 ports per closet<br />
• Single point of management<br />
• Optimize the number of closet uplinks<br />
• 2x10G VSL links (copper) or up to 8x1G VSL links (copper)<br />
Catalyst 6500 (13-slot chassis) vs. Catalyst 4500E (2 x 10-slot chassis) in the wiring closet:<br />
| 6500 | 4500E<br />
Max ports | 576 | 768<br />
Max power | 9000W or 12000W<br />
Product list (576p SS) | $166K | $154K<br />
SmartNet list | $11.55K | $5.41K<br />
Details: minimize the number of closets to manage; U-shaped design for resiliency; 2x10G VSL links (fiber) or up to 8x1G VSL links (copper/fiber).<br />
Figure: VSL port channel between Switch 1 and Switch 2 in switch virtual domain #. Switch 1 ports T1/1 and T1/2 (switchport trunk, channel-group XX) form Port-Channel XX = virtual link 1; Switch 2 ports T1/1 and T1/2 (switchport trunk, channel-group YY) form Port-Channel YY = virtual link 2.<br />
See these config steps on the next slide.<br />
Switch 1 / Switch 2 standalone VSL configuration:<br />
SWITCH #1:<br />
switch virtual domain 7<br />
 switch 1<br />
 mac-address use-virtual<br />
interface port-channel 11<br />
 switchport<br />
 switch virtual link 1<br />
interface T1/1<br />
 channel-group 11 mode on<br />
interface T2/1<br />
 channel-group 11 mode on<br />
switch convert mode virtual<br />
(privileged EXEC command, issued after the configuration is saved)<br />
SWITCH #2:<br />
switch virtual domain 7<br />
 switch 2<br />
 mac-address use-virtual<br />
interface port-channel 12<br />
 switchport<br />
 switch virtual link 2<br />
interface T1/1<br />
 channel-group 12 mode on<br />
interface T2/1<br />
 channel-group 12 mode on<br />
switch convert mode virtual<br />
(privileged EXEC command, issued after the configuration is saved)<br />
Figure: Switch 1 and Switch 2 joined by the VSL.<br />
4500VSS(config)#switch virtual domain 7<br />
Domain ID 7 config will take effect only<br />
after the exec command 'switch convert mode virtual' is issued<br />
4500VSS(config-vs-domain)#switch 1<br />
4500VSS(config-vs-domain)#mac-address use-virtual<br />
4500VSS(config-vs-domain)#interface port-channel 11<br />
4500VSS(config-if)#switchport<br />
4500VSS(config-if)#switch virtual link 1<br />
4500VSS(config-if)#interface Ten1/1<br />
4500VSS(config-if)#channel-group 11 mode on<br />
WARNING: Interface TenGigabitEthernet1/1 placed in restricted config mode. All extraneous configs removed!<br />
4500VSS(config-if)#interface Ten2/1<br />
4500VSS(config-if)#channel-group 11 mode on<br />
WARNING: Interface TenGigabitEthernet2/1 placed in restricted config mode. All extraneous configs removed!<br />
4500VSS(config-if)#end<br />
4500VSS#wri mem<br />
*Nov 2 20:15:57.468: %SPANTREE-6-PORTDEL_ALL_VLANS: Port-channel11 deleted from all Vlans<br />
Global config: the "switch virtual domain" block (switch number and "mac-address use-virtual" are sub-commands of that block). Interface config for the VSL: the port-channel with "switch virtual link" and its member links; note the warning that "channel-group ... mode on" wipes any other configuration on a member interface.<br />
Repeat for switch 2:<br />
- with the same domain #,<br />
- indicate “switch 2”,<br />
- add a unique port-channel and indicate “switch virtual link 2.”<br />
The two standalone switches’ port-channels configured with virtual links 1 and 2 will be combined by the Active peer to create the VSL after conversion to virtual mode, using the privileged EXEC command:<br />
# switch convert mode virtual<br />
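A check a practitioner would want before issuing "switch convert mode virtual" is that the two standalone configurations actually satisfy the rules listed above. The Python below is an added example, not Cisco tooling or code from this deck. It parses the VSS-relevant lines of two constructed running-configs (modelled on the slide's Switch 1 / Switch 2 configuration, with full interface names) and reports what would break the conversion: differing domain numbers, switch numbers other than 1 and 2, a virtual link number that does not match the switch number, a port-channel number reused on both switches, fewer than two VSL members, a member not in "channel-group ... mode on", or a missing "mac-address use-virtual". The virtual-link-equals-switch-number rule follows the pairing the slide uses.<br />

```python
import re

# Constructed sample configs, modelled on the slide's Switch 1 / Switch 2 setup
SWITCH1_CFG = """\
switch virtual domain 7
 switch 1
 mac-address use-virtual
!
interface Port-channel11
 switchport
 switch virtual link 1
!
interface TenGigabitEthernet1/1
 channel-group 11 mode on
!
interface TenGigabitEthernet2/1
 channel-group 11 mode on
"""

SWITCH2_CFG = """\
switch virtual domain 7
 switch 2
 mac-address use-virtual
!
interface Port-channel12
 switchport
 switch virtual link 2
!
interface TenGigabitEthernet1/1
 channel-group 12 mode on
!
interface TenGigabitEthernet2/1
 channel-group 12 mode on
"""


def parse_vsl_config(cfg):
    """Extract the VSS-relevant pieces of one standalone running-config.

    Returns the domain id, the switch number, whether 'mac-address use-virtual'
    is set, {port-channel: virtual link id} and {port-channel: [(member, mode)]}.
    """
    info = {"domain": None, "switch": None, "use_virtual_mac": False,
            "vsl": {}, "members": {}}
    section = None  # "domain", ("po", number) or ("if", name)
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command opens a new section
            if m := re.fullmatch(r"switch virtual domain (\d+)", line):
                info["domain"] = int(m.group(1))
                section = "domain"
            elif m := re.fullmatch(r"interface [Pp]ort-channel\s*(\d+)", line):
                section = ("po", int(m.group(1)))
            elif m := re.fullmatch(r"interface (\S+)", line):
                section = ("if", m.group(1))
            else:
                section = None
            continue
        if section == "domain":
            if m := re.fullmatch(r"switch (\d+)", line):
                info["switch"] = int(m.group(1))
            elif line == "mac-address use-virtual":
                info["use_virtual_mac"] = True
        elif section and section[0] == "po":
            if m := re.fullmatch(r"switch virtual link (\d+)", line):
                info["vsl"][section[1]] = int(m.group(1))
        elif section and section[0] == "if":
            if m := re.fullmatch(r"channel-group (\d+) mode (\S+)", line):
                info["members"].setdefault(int(m.group(1)), []).append(
                    (section[1], m.group(2)))
    return info


def lint_vsl_pair(cfg1, cfg2):
    """Return the problems that would make 'switch convert mode virtual' unsafe."""
    a, b = parse_vsl_config(cfg1), parse_vsl_config(cfg2)
    findings = []
    if a["domain"] is None or a["domain"] != b["domain"]:
        findings.append("both switches must use the same virtual domain number")
    if {a["switch"], b["switch"]} != {1, 2}:
        findings.append("switch numbers must be 1 and 2, one per chassis")
    if set(a["vsl"]) & set(b["vsl"]):
        findings.append("the VSL port-channel numbers must be unique across the pair")
    for tag, info in (("switch 1 config", a), ("switch 2 config", b)):
        if not info["use_virtual_mac"]:
            findings.append(f"{tag}: 'mac-address use-virtual' missing from the domain block")
        if len(info["vsl"]) != 1:
            findings.append(f"{tag}: expected one port-channel with 'switch virtual link', "
                            f"found {len(info['vsl'])}")
            continue
        (po, link), = info["vsl"].items()
        if link != info["switch"]:
            findings.append(f"{tag}: Po{po} is virtual link {link} but the switch number is "
                            f"{info['switch']}")
        members = info["members"].get(po, [])
        if len(members) < 2:  # the deck: minimum 2 links, 4 or more is safer
            findings.append(f"{tag}: Po{po} has {len(members)} member(s); the VSL needs at least 2")
        for name, mode in members:
            if mode != "on":
                findings.append(f"{tag}: {name} in Po{po} uses mode {mode}; "
                                f"VSL members need channel-group mode on")
    return findings


if __name__ == "__main__":
    for line in lint_vsl_pair(SWITCH1_CFG, SWITCH2_CFG) or ["ok: ready for 'switch convert mode virtual'"]:
        print(line)
```

Feed it the two "show running-config" captures taken just before the conversion; an empty result means the pair matches the rules on this slide, and every finding names the switch and port-channel to fix.<br />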
After converting to switch mode virtual, check the EtherChannel summary:<br />
4500VSS#show etherchannel summary<br />
P - bundled in port-channel<br />
Group Port-channel Protocol Ports<br />
------+-------------+-----------+----------------------------<br />
11 Po11(SU) - Te1/1/1(P) Te1/2/1(P)<br />
12 Po12(SU) - Te2/1/1(P) Te2/2/1(P)<br />
“P” is good. Any other state on any VSS port-channel needs to be investigated and corrected.<br />
These two port-channels were created on two separate standalone switches. VSS allows the Active peer to manage both switches, including all combined slots and ports, as one logical unit.<br />
4500VSS#show switch virtual<br />
Executing the command on VSS member switch role = VSS Active, id = 2<br />
Switch mode : Virtual Switch<br />
Virtual switch domain number : 7<br />
Local switch number : 2<br />
Local switch operational role: Virtual Switch Active<br />
Peer switch number : 1<br />
Peer switch operational role : Virtual Switch Standby<br />
Executing the command on VSS member switch role = VSS Standby, id = 1<br />
Switch mode : Virtual Switch<br />
Virtual switch domain number : 7<br />
Local switch number : 1<br />
Local switch operational role: Virtual Switch Standby<br />
Peer switch number : 2<br />
Peer switch operational role : Virtual Switch Active<br />
4500VSS#<br />
In this example, switch #2 is Active (the switch being actively managed).<br />
Figure: physical topology (Switch 1 and Switch 2 each linked to the edge switch) versus the logical, functional view (one VSS with MEC-2 to the edge switch).<br />
Tips for building MECs (some examples):<br />
1. Build the port-channels first (example: po123).<br />
2. Shut down the physical ports before adding them to the port-channel.<br />
3. Configure the ports:<br />
• switchport mode trunk<br />
• switchport trunk allowed vlan xyz<br />
• channel-group 123 mode xxxxx<br />
4. At least one MEC should run PAgP, e.g. channel-group 123 mode desirable.<br />
5. Some edge switches will prefer LACP: channel-group 133 mode active.<br />
• Build port channels on the edge switches to connect to the VSS.
• Use either 10G or 1G links in these trunks.
• Use at least two uplinks from each edge switch.
• At least one of your MECs should use PAgP (mode "desirable").
• PAgP can be used by the VSS as a backup signaling path, reconnecting the VSS peers if the VSL trunk should fail completely or is misconfigured.
• Other channel protocols can be used to connect edge switches to the VSS, including LACP, static EtherChannel (mode "on"), or mode "auto" on the edge side with PAgP, LACP or "on" on the VSS side.
A VSS pair acts as a single switch with a multi-port trunk to each edge client switch.
MECs are different from the VSL because MECs are created AFTER the virtual switch conversion, when there is only one management interface, which accesses both physical switches' resources.

interface Port-channel140
 switchport
 switchport trunk allowed vlan 140
 switchport mode trunk
!
interface Port-channel150
 switchport
 switchport trunk allowed vlan 150
 switchport mode trunk
!
interface TenGigabitEthernet1/1/31
 switchport trunk allowed vlan 140
 switchport mode trunk
 channel-group 140 mode on
!
interface TenGigabitEthernet1/1/32
 switchport trunk allowed vlan 150
 switchport mode trunk
 channel-group 150 mode on
!
interface TenGigabitEthernet2/1/31
 switchport trunk allowed vlan 140
 switchport mode trunk
 channel-group 140 mode on
!
interface TenGigabitEthernet2/1/32
 switchport trunk allowed vlan 150
 switchport mode trunk
 channel-group 150 mode on

If the VSL sees that the port-channel spans both switches ("switches 1 and 2"), it treats this port-channel as a MEC. The allowed VLAN on this port-channel then also becomes a member of the VSL port-channel.
! 4500 VSS
interface Port-channel137
 description MEC-to-3750-10G
 switchport
 switchport trunk allowed vlan 37
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 description VSSMEC137to3750
 switchport trunk allowed vlan 37
 switchport mode trunk
 channel-group 137 mode desirable
!
interface TenGigabitEthernet2/1/1
 description VSS-MEC137_to3750
 switchport trunk allowed vlan 37
 switchport mode trunk
 channel-group 137 mode desirable

! Cat 3750 Edge Switch
interface Port-channel37
 description toVSS-MEC-137
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 37
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 description toVSSMEC37
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 37
 channel-group 37 mode auto
!
interface TenGigabitEthernet1/1/2
 description toVSSMEC37
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 37
 channel-group 37 mode auto

Desirable = PAgP, actively negotiating. Auto = "I will negotiate" when the other side asks, but never initiates. Alternatively, both sides can be set to Desirable, but both sides cannot be Auto, since neither side would start the negotiation.
VSS side:

4500VSS#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
------+-------------+-----------+----------------------
11     Po11(SU)        -         Te1/1/1(P)   Te1/2/1(P)
12     Po12(SU)        -         Te2/1/1(P)   Te2/2/1(P)
135    Po135(SU)      PAgP       Te1/1/2(P)   Te2/1/2(P)
137    Po137(SU)      PAgP       Te1/1/1(P)   Te2/1/1(P)
140    Po140(SU)      LACP       Te1/1/31(P)  Te2/1/31(P)
150    Po150(SU)      LACP       Te1/1/32(P)  Te2/1/32(P)

PAgP is used by VSS as a backup signaling protocol in case the VSL fails on all ports.

Client switch side:

C3750#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------
37     Po37(SU)       PAgP       Te1/1/1(P)   Te1/1/2(P)

P = bundled in port-channel: This is good!
IOS XE 3.4.0 SG introduces VSS-based In Service Software Upgrade, or VSS-ISSU
• ISSU has two configuration options: the four-step method and the single command.
• ISSU allows routine upgrade maintenance to be minimally service-impacting.
• ISSU using the 4-step method is discussed here to better explain the process of ISSU.
• The single-step process, "changeversion", is described briefly in upcoming slides.
• ISSU allows an upgrade to be stopped, backed out, and reverted to the previous image.
• The 4-command syntax is as follows (from the privileged # prompt):
• issu loadversion bootflash:new_image slavebootflash:new_image
  This command reboots the standby and installs the new image on the standby supervisor.
• issu runversion slavebootflash:new_image
  A switchover happens at this point. The new Active is now on the new image. The former Active is now standby: it has not rebooted and is still running the old code in hot standby.
• issu acceptversion bootflash:new_image
  (optional) Use this issu command if you want to stop the rollback timer (default is 45 minutes), which is used as a safety feature to revert to the original version if the issu process kills communication between the two supervisors.
• issu commitversion slavebootflash:new_image
  Reboots the new standby supervisor and loads the new slavebootflash image.
Which ISSU method should you use? 4-step or 1-step?
• The 4-step method: hands-on, interactive, and can be monitored closely.
  • The user controls the images and commands manually.
  • Complete within a 45 minute window or the system will revert itself to the previous image.
• The 1-step method, "changeversion", is not very interactive, but it is more convenient, and it fits well:
  • if you have already completed a 4-step ISSU on another similar system;
  • if you are confident that the pre- and post-images you are using are compatible.
  • You can use changeversion to schedule ISSU upgrades to start now or later.
• BOTH methods require you to first copy the current image and a compatible upgrade image to bootflash on both active and standby.
• Copy running-configs to bootflash:saved.name.cfg bef<br />
Run these commands before, during and after ISSU to monitor the process:

show issu state detail
                          Slot = 11
                      RP State = Active
                    ISSU State = Load Version
                Operating Mode = Stateful Switchover
                 Current Image = bootflash:4500-SG511.bin
     Pre-ISSU (Original) Image = bootflash:4500-SG511.bin
    Post-ISSU (Targeted) Image = bootflash:4500-SG522.bin

                          Slot = 1
                      RP State = Standby
                    ISSU State = Load Version
                Operating Mode = Stateful Switchover
                 Current Image = bootflash:4500-SG522.bin
     Pre-ISSU (Original) Image = bootflash:4500-SG511.bin
    Post-ISSU (Targeted) Image = bootflash:4500-SG522.bin

You need to know which Slot# your Active and Standby are using. For more info, use the command:
show switch virtual slot-map

These two fully functioning 4500s in VSS mode are actually running 2 different versions of code. But these images are ISSU compatible.

*** Do not attempt ISSU unless you are certain that the two images can coexist in a VSS platform, and are ISSU-capable.

The current state in this example is that the standby has just completed an in-service loadversion upgrade from "SG511" to the "SG522" image, has reloaded, and is back in service.*

* These image names are fictional, for simplicity, and to conserve space.
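Before issuing `issu runversion`, a practitioner wants to confirm from `show issu state detail` that the standby has come back on the target image while the active is still on the original, that both supervisors agree on what the original and target images are, and that SSO mode is intact. The Python below is an added example, not code from the deck or from Cisco; it parses a constructed copy of the output shown above (same fictional image names), and the `ready_for_runversion` pre-check and its messages are this example's own.

```python
import re
from typing import Dict, List

# Constructed copy of the `show issu state detail` output above (same fictional image names).
ISSU_STATE_DETAIL = """\
                          Slot = 11
                      RP State = Active
                    ISSU State = Load Version
                Operating Mode = Stateful Switchover
                 Current Image = bootflash:4500-SG511.bin
     Pre-ISSU (Original) Image = bootflash:4500-SG511.bin
    Post-ISSU (Targeted) Image = bootflash:4500-SG522.bin

                          Slot = 1
                      RP State = Standby
                    ISSU State = Load Version
                Operating Mode = Stateful Switchover
                 Current Image = bootflash:4500-SG522.bin
     Pre-ISSU (Original) Image = bootflash:4500-SG511.bin
    Post-ISSU (Targeted) Image = bootflash:4500-SG522.bin
"""

KV_RE = re.compile(r"^\s*(.+?)\s*=\s*(.*?)\s*$")


def parse_issu_state(text: str) -> List[Dict[str, str]]:
    """One dict per supervisor; each 'Slot = N' line starts a new block."""
    slots: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Slot":
            slots.append({})
        if slots:
            slots[-1][key] = value
    return slots


def ready_for_runversion(slots: List[Dict[str, str]]) -> List[str]:
    """Pre-checks before `issu runversion`: the standby must be back on the target image,
    the active still on the original, both agreeing on those images, and both under SSO."""
    roles = {s.get("RP State"): s for s in slots}
    if set(roles) != {"Active", "Standby"}:
        return ["expected exactly one Active and one Standby supervisor"]
    active, standby = roles["Active"], roles["Standby"]
    problems: List[str] = []
    for key in ("Pre-ISSU (Original) Image", "Post-ISSU (Targeted) Image"):
        if active[key] != standby[key]:
            problems.append(f"{key} differs between slots {active['Slot']} and {standby['Slot']}")
    if standby["ISSU State"] != "Load Version":
        problems.append(f"standby ISSU state is '{standby['ISSU State']}', expected 'Load Version'")
    if standby["Current Image"] != standby["Post-ISSU (Targeted) Image"]:
        problems.append("standby has not come back on the target image yet")
    if active["Current Image"] != active["Pre-ISSU (Original) Image"]:
        problems.append("active is no longer running the original image")
    for sup in (active, standby):
        if sup["Operating Mode"] != "Stateful Switchover":
            problems.append(f"slot {sup['Slot']} is in {sup['Operating Mode']}, not SSO")
    return problems


if __name__ == "__main__":
    state = parse_issu_state(ISSU_STATE_DETAIL)
    print(ready_for_runversion(state) or "ready for issu runversion")
```

Run the check again after `runversion` and before `commitversion`: the roles swap, and the same two image fields tell you which supervisor is on which code, which matters because the 45 minute rollback timer is running in the meantime.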
Switch# show switch virtual slot-map
Virtual Slot to Remote Switch/Physical Slot Mapping Table:

Virtual   Remote     Physical
Slot No   Switch No  Slot No   Uptime
   1         1          1      22:33:43
   2         1          2      22:34:
   3         1          3
   4         1          4
   5         1          5
   6         1          6
   7         1          7
   8         1          8
   9         1          9
  10         1         10
  11         2          1      22:13:03
  12         2          2      22:12:21
  13         2          3
  14         2          4

VSS sees all ports and "slots" in both chassis as belonging to one chassis. This command shows you the demarcation point between physical switches 1 and 2. You will need to know which slots are the Active and Standby.
[Figure: VSS pair connected to an edge switch over a PAgP trusted MEC.]

The VSL is configured as a Port Channel, so the possibility of the entire VSL bundle failing is remote. However, that possibility does exist, so remedial action is necessary in that scenario.
Dual-Active Detection and Recovery tackles the unlikely scenario of a failed VSL bundle with an innovative solution: "Trusted MECs" configured with PAgP.
It is advisable to deploy the VSL with at least 2 links, and to distribute those interfaces across multiple modules to ensure the greatest redundancy.
If the entire VSL bundle should fail, the Virtual Switching System Domain will enter a "Dual-Active" condition where both switches transition to Active state and share the same network configuration (IP addresses, MAC address, Router IDs, etc.), causing communication problems throughout the network.

3 Step Process in Dual-Active Detection and Recovery:
1. Dual-Active detection uses PAgP to send the new Active switch ID in a PAgP TLV field.
2. Further network disruption is avoided by error-disabling the previous VSS Active switch's interfaces connected to neighboring devices.
3. Dual-Active recovery: when the VSL recovers, the switch that error-disabled its non-VSL interfaces in the previous step will reload to boot in standby state, re-enabling the error-disabled ports.

[Figure: VSS pair with a failed VSL, and a neighbor connected through a PAgP MEC.]
[Figure: VSS pair with a PAgP trusted MEC to an edge switch.]

1. If the Standby loses contact with the Active, it assumes the Active peer has failed, and so it transitions to Active state.
   • Now there are "dual actives."
2. The new Active sends out the new active switch ID over the trusted MEC in PAgP frames.
   • (ePAgP uses a TLV to carry the new Active switch ID)
3. The original Active switch sees the new active switch ID on the MEC and begins Dual Active Recovery operations on itself:
   • All non-VSL interfaces are error-disabled.
   • It waits in "recovery mode" until the VSL is operational.
   • Once the VSL is recovered, the former Active reloads, boots into Standby mode, and the formerly error-disabled ports are re-enabled after bootup.

If the VSL fails, the standby sends PAgP with a TLV containing the (new) Active Switch ID. The original Active reacts by error-disabling all non-VSL ports.
[Figure: VSS pair with a PAgP trusted MEC to an edge switch.]

Default settings; example config

• Dual-Active Detection: enabled by default.
  • Requires a MEC with the PAgP trunking protocol on both sides of the link.
• Dual-Active Recovery: not enabled by default.
  • Choose and designate at least one trusted MEC using PAgP:
    Switch(config)# switch virtual domain <#>
    Switch(config-vs-domain)# dual-active detection pagp trust channel-group 35
• Dual-active detection and recovery tasks are not currently supported over LACP-based MECs.
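The checks implied by this slide and by the `show etherchannel summary` slide earlier can be automated: every MEC member bundled, at least one MEC running PAgP so the VSS keeps a backup signaling path, and every trusted channel-group actually present as a PAgP MEC spanning both chassis. The Python below is an added example, not code from the deck or from Cisco. Its summary text is a constructed copy of the VSS-side output shown earlier, the domain configuration carries the trust statement exactly as on this slide (channel-group 35, which that summary does not contain), and the `audit` function and its messages are this example's own. Single-chassis port-channels such as Po11 and Po12 are deliberately not classified as MECs. The summary only shows the VSS side's protocol; the edge switch must run PAgP as well.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed copy of the VSS-side `show etherchannel summary` output from the earlier slide.
VSS_SUMMARY = """\
Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
------+-------------+-----------+----------------------
11     Po11(SU)        -         Te1/1/1(P)   Te1/2/1(P)
12     Po12(SU)        -         Te2/1/1(P)   Te2/2/1(P)
135    Po135(SU)      PAgP       Te1/1/2(P)   Te2/1/2(P)
137    Po137(SU)      PAgP       Te1/1/1(P)   Te2/1/1(P)
140    Po140(SU)      LACP       Te1/1/31(P)  Te2/1/31(P)
150    Po150(SU)      LACP       Te1/1/32(P)  Te2/1/32(P)
"""

# The trust statement as shown on this slide (channel-group 35 is absent from the summary above).
VSS_DOMAIN_CONFIG = """\
switch virtual domain 7
 dual-active detection pagp trust channel-group 35
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+Po\d+\((\w+)\)\s+(\S+)\s+(.*)$")
MEMBER_RE = re.compile(r"(\S+?)\((\w+)\)")   # "Te1/1/1(P)" -> ("Te1/1/1", "P")
TRUST_RE = re.compile(r"dual-active detection pagp trust channel-group (\d+)")


@dataclass
class PortChannel:
    group: int
    flags: str                 # e.g. "SU": Layer2, in use
    protocol: str              # "-", "PAgP" or "LACP"
    members: Dict[str, str] = field(default_factory=dict)   # port -> member flag

    def switches(self) -> Set[int]:
        # In VSS a port is Te<switch>/<slot>/<port>; the first number is the physical switch id.
        return {int(re.match(r"[A-Za-z]+(\d+)/", p).group(1)) for p in self.members}

    def is_mec(self) -> bool:
        return len(self.switches()) > 1   # members on both chassis


def parse_summary(text: str) -> Dict[int, PortChannel]:
    channels: Dict[int, PortChannel] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        group, flags, protocol, rest = m.groups()
        pc = PortChannel(int(group), flags, protocol)
        for port, pflag in MEMBER_RE.findall(rest):
            pc.members[port] = pflag
        channels[pc.group] = pc
    return channels


def audit(summary: str, domain_config: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    channels = parse_summary(summary)
    findings: List[str] = []
    for pc in channels.values():
        if "U" not in pc.flags:
            findings.append(f"Po{pc.group} is not in use (flags {pc.flags})")
        for port, fl in pc.members.items():
            if fl != "P":
                findings.append(f"Po{pc.group}: {port} is not bundled (flag {fl})")
    mecs = [pc for pc in channels.values() if pc.is_mec()]
    if not any(pc.protocol == "PAgP" for pc in mecs):
        findings.append("no PAgP MEC: the VSS has no backup signalling path if the VSL fails")
    trusted = [int(g) for g in TRUST_RE.findall(domain_config)]
    if not trusted:
        findings.append("no trusted channel-group configured: dual-active recovery is off")
    for g in trusted:
        pc = channels.get(g)
        if pc is None:
            findings.append(f"trusted channel-group {g} does not exist")
        elif not pc.is_mec():
            findings.append(f"trusted Po{g} does not span both switches")
        elif pc.protocol != "PAgP":
            findings.append(f"trusted Po{g} runs {pc.protocol}; dual-active detection requires PAgP")
    return findings


if __name__ == "__main__":
    for finding in audit(VSS_SUMMARY, VSS_DOMAIN_CONFIG) or ["all checks passed"]:
        print(finding)
```

With the slide's own values the audit reports exactly one finding, that channel-group 35 does not exist; pointing the trust statement at Po137 clears it, while pointing it at Po140 is flagged because that MEC runs LACP.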
[Figure: Switch 1 with an Active Sup and an in-chassis redundant Sup, Switch 2, the VSS and MEC-1. The supervisor uplinks can be used as VSL or uplink ports.]

What happens to Supervisors when a VSS switchover happens?
• The VSS Standby switch becomes active.
• The former Active Sup in switch 1 reloads.
• The in-chassis standby Sup in switch 1 stays in rommon, with uplinks down.
• After bootup, the former active Sup becomes VSS hot standby, and the in-chassis Sup stays in rommon mode with active uplinks.
[Figure: two physical switches (Switch 1, Switch 2) with MEC-2, shown as one logical switch.]

• High availability, double aggregation bandwidth, no need for STP, HSRP, VRRP.
• Allows two physical 4500 chassis to operate as a single logical 4500 switch. Much easier to manage.
• Sub-second data plane and control plane recovery for MEC or VSL link failure, or even VSS active or standby switch failure.
• In Service SW Upgrade or switchover: no outage windows.
• Hardware optimization for VSS using 1G or 10G interfaces for VSL or MECs.
• Enhanced PAgP Dual Active recovery mechanism in case of VSL failure.
• Cisco Catalyst 4500-X Switches
• High Availability
  Virtual Switching System (VSS)
  Multicast HA
• Application Visibility and Troubleshooting
• Network Virtualization
• Software Services
• Security
• Smart Operations
SSO allows redundant Supervisors to run a stateful IOS and stateful applications that exchange state, in order to minimize the outage at the time of switchover from the Active to the Standby Supervisor.

• Multicast Non-Stop Forwarding (NSF) with Stateful Switch-Over (SSO)
  • Offers single-node Multicast HA on Catalyst 4500 with Sup7E/7LE, 6E/6LE
  • In Service Software Upgrade (ISSU) allows software upgrade with minimal disruption
• Synchronizes all critical multicast forwarding state & entries from the Active to the Standby supervisor
  • Multicast Forwarding Information Base (MFIB) Entries
  • RP (Local or Auto RP or BSR) Information
  • Replica Expansion Table (RET)
  • IGMP / MLD Snooping state
• Minimizes multicast traffic disruption during supervisor switchover
  • Traffic Interruption:
• Use-Case: Any SSO/NSF capable "highly available" multicast deployment

• Helps rebuild the multicast routing "state" very quickly after switchover
  • On switchover, the new Active supervisor sends PIM Hellos with a new "Generation ID"
  • PIM neighbors use the new GenID as an indication that the neighbor on that interface has no multicast state
  • The neighbor sends "triggered" PIM Join messages for all (*,G) & (S,G) mroutes which have that PIM interface as the RPF interface
  • The assumption is that all PIM neighbors know how to interpret the GenID field in PIM hellos

[Figure: RP, Active and Standby supervisors. Before the Active failure: periodic PIM Hellos and periodic PIM Joins. After switchover: a Hello with the new GenID, followed by triggered PIM Joins.]
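The GenID mechanism described above, as an added example that is not part of the original deck or any Cisco code: a minimal model of the PIM neighbor's side. The neighbor remembers the Generation ID per (interface, upstream neighbor); a periodic Hello carrying the same GenID changes nothing, while a Hello with a new GenID means the peer (here, the new Active supervisor after switchover) holds no multicast state, so the neighbor immediately sends Joins for exactly those mroutes whose RPF interface is the one the Hello arrived on. The mroute table, interface names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Mroute:
    source: str        # "*" for a (*,G) shared-tree entry, otherwise the source address
    group: str
    rpf_iface: str     # interface toward the upstream (RPF) neighbor


class PimNeighborSide:
    """The downstream PIM router's view of its upstream neighbors."""

    def __init__(self, mroutes: List[Mroute]):
        self.mroutes = mroutes
        # (interface, neighbor address) -> last Generation ID seen in a Hello
        self.genid: Dict[Tuple[str, str], int] = {}

    def on_hello(self, iface: str, neighbor: str, genid: int) -> List[str]:
        """Process a PIM Hello; return the Join messages that must be sent right away."""
        previous = self.genid.get((iface, neighbor))
        self.genid[(iface, neighbor)] = genid
        if previous is None:
            # First Hello from this neighbor: ordinary adjacency bring-up, periodic Joins follow.
            return []
        if previous == genid:
            # Steady state: a periodic Hello with an unchanged GenID carries no new information.
            return []
        # GenID changed: the neighbor restarted its control plane and has no state for our
        # (*,G)/(S,G) entries, so trigger Joins for every mroute whose RPF interface is this one.
        return [f"Join({m.source},{m.group}) to {neighbor} via {iface}"
                for m in self.mroutes if m.rpf_iface == iface]


# Constructed sample: three mroutes, two of them reached through the interface toward the VSS pair.
SAMPLE_MROUTES = [
    Mroute("*", "239.1.1.1", "Te1/1/1"),
    Mroute("10.1.1.10", "239.1.1.1", "Te1/1/1"),
    Mroute("*", "239.2.2.2", "Te1/1/2"),
]


def simulate_switchover() -> List[List[str]]:
    """Two periodic Hellos before the switchover, then the first Hello from the new Active."""
    router = PimNeighborSide(SAMPLE_MROUTES)
    upstream = ("Te1/1/1", "10.0.0.1")                 # constructed upstream neighbor address
    return [
        router.on_hello(*upstream, genid=0x1A2B3C4D),  # adjacency comes up
        router.on_hello(*upstream, genid=0x1A2B3C4D),  # periodic Hello, nothing to do
        router.on_hello(*upstream, genid=0x5E6F7081),  # new Active announces a new GenID
    ]


if __name__ == "__main__":
    for step, joins in enumerate(simulate_switchover(), 1):
        print(step, joins or "no triggered Joins")
```

Only the two mroutes whose RPF interface is Te1/1/1 produce triggered Joins; the (*,239.2.2.2) entry, reached through another interface, is untouched. This is also why the slide's assumption matters: a neighbor that ignores the GenID option would keep sending periodic Joins only, and the new Active would have to wait a full Join interval to rebuild state.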
• Before Switchover
  Active's MFIB and MRIB are in communication
  MFIB synced to Standby
  Standby MFIB connected to Active's MRIB
• Upon Switchover
  MFIB enters NSF mode
  Forwards using stale state
  MFIB has no connection to MRIB
  Control plane instructs MFIB to sync with MRIB
• After Switchover
  PIM joins/prunes generated
  PIM populates MRIB
  MFIB reads from MRIB to sync its state
[Figure: Active Sup and Standby Sup. Active & Standby MFIB are in sync; Active & Standby hardware is in sync.]
• May experience traffic loss for some groups when more than 16K mroutes are populated (Bug ID: CSCua94955)
• MRIB to MFIB sync hold-down time, default: 30 seconds
  - to change this timer, use the "ip multicast redundancy routeflush maxtime" CLI
• IPv6 BSR: not supported for SSO with multicast
  Workaround: Static RP
• Cisco Catalyst 4500-X Switches
• High Availability
• Application Visibility and Troubleshooting
  NetFlow and Flexible NetFlow
  Embedded Event Manager (EEM)
  Network Packet Analyzer (Wireshark)
• Network Virtualization
• Software Services
• Security
• Smart Operations
Bandwidth/Capacity Reports
• What is eating up my network resources?
• When do I need a capacity upgrade?
• What is causing congestion?
Subscriber Demographic Reports
• What percentage is using P2P/gaming applications?
• What are the usage patterns of different subscriber groups?
• What is the cost impact of my top subscribers?
Server Activity
• What are the popular Web hosts used?
• What are the popular streaming sites?
Security Reports
• Which subscribers are infected and attacking others?
• Which subscribers are spamming?
• Which subscriber is attacking network resources?
Unprecedented Application Visibility

[Figure: Catalyst 4500E Flexible NetFlow at the center, matching on IP, Ports, TCP Flags, L2 MAC, L2 VLAN, UDP Flags, IPv6, IP Options, Multicast, …; Visibility use cases: Day0 Attacks, Detect Anomaly, Compliance, SLA, App. M&T, Capacity Planning; Control with EEM integration; deployed in Campus and Branch for Mobility, Unified Communications, Network Virtualization; exporting to a Collector Ecosystem.]

Benefits:
• Lower CAPEX
  - Better insight for capacity planning, network upgrade
• Lower OPEX:
  - Better service and user experience
  - Increased IT staff productivity

Catalyst 4500-X Capabilities:
• Unprecedented visibility w/ new L2~7 fields
• Scalable, flexible flow monitors
• On-box customizable policy action w/ EEM
• Broad collector partner ecosystem
Traditional NetFlow vs. Flexible NetFlow

Traditional NetFlow
• Fixed definition of flow record globally
• Export only to one collector
• Fixed 7 keys

NetFlow Cache (exported to a single destination):
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  SrcPort  DstPort
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        00A2     00A2
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         15       15
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        00A1     00A1
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         19       19

Flexible NetFlow
• Flexible definition of flow records applied to a selected interface or VLAN
• Ability to export flow information to multiple collectors/analyzers

Flow Monitor 1 -> Flow cache 1 -> Export -> Destination 1 (IT team #1)
DstIPadd     Protocol  TOS
10.0.227.12  11        80
10.0.227.12  6         40
10.0.227.12  11        80
10.0.227.12  6         40

Flow Monitor 2 -> Flow cache 2 -> Export -> Destination 2 (security-focused analyzer)
Protocol  TOS  Flgs
11        80   10
6         40   0
11        80   10
6         40   0

Flow Monitor 3 -> Flow cache 3 -> Export -> Destination 3 (IT team #2)
SrcIf  SrcIPadd      DstIf
Fa1/0  173.100.21.2  Fa0/0
Fa1/0  173.100.3.2   Fa0/0
Fa1/0  173.100.20.2  Fa0/0
Fa1/0  173.100.6.2   Fa0/0
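To make the difference concrete, here is an added Python example (not from the deck and not Cisco code) that models a flow monitor as a configurable tuple of key fields over a flow cache with packet and byte counters, which is the data structure the comparison above is really about. The packets are constructed to match the four rows of the traditional cache (protocol, ToS and flag values are carried over as printed, without interpretation; byte lengths are invented); the three flexible monitors use the same key fields as Flow caches 1 to 3, and each is handed to its own collector. Traditional NetFlow is simply the monitor whose key is the fixed 7-tuple in the table, so the one engine covers both halves of the comparison, and the flexible caches show the aggregation that the table's repeated rows imply.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    tos: int
    flags: int
    length: int      # bytes, feeds the byte counter


class FlowMonitor:
    """A flow record definition: the key fields decide which packets share one cache entry."""

    def __init__(self, name: str, key_fields: Tuple[str, ...]):
        self.name = name
        self.key_fields = key_fields
        self.cache: "OrderedDict[tuple, Dict[str, int]]" = OrderedDict()

    def observe(self, pkt: Packet) -> None:
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.cache.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt.length

    def export(self) -> List[Dict[str, object]]:
        """Records as a collector receives them: the key fields plus the non-key counters."""
        return [dict(zip(self.key_fields, key), **counters)
                for key, counters in self.cache.items()]


# Traditional NetFlow: one fixed key for the whole box (the 7 columns of the table above).
TRADITIONAL_KEY = ("src_if", "src_ip", "dst_if", "dst_ip", "protocol", "src_port", "dst_port")

# Flexible NetFlow: several monitors, each with its own key and its own collector.
MONITORS = {
    "traditional": TRADITIONAL_KEY,
    "monitor1": ("dst_ip", "protocol", "tos"),      # Flow cache 1
    "monitor2": ("protocol", "tos", "flags"),       # Flow cache 2
    "monitor3": ("src_if", "src_ip", "dst_if"),     # Flow cache 3
}
COLLECTORS = {"IT team #1": "monitor1", "security analyzer": "monitor2", "IT team #2": "monitor3"}

# Constructed packets mirroring the four rows of the traditional cache on the slide.
SAMPLE_PACKETS = [
    Packet("Fa1/0", "173.100.21.2", "Fa0/0", "10.0.227.12", 11, 0xA2, 0xA2, 0x80, 0x10, 1200),
    Packet("Fa1/0", "173.100.3.2", "Fa0/0", "10.0.227.12", 6, 0x15, 0x15, 0x40, 0x00, 60),
    Packet("Fa1/0", "173.100.20.2", "Fa0/0", "10.0.227.12", 11, 0xA1, 0xA1, 0x80, 0x10, 1200),
    Packet("Fa1/0", "173.100.6.2", "Fa0/0", "10.0.227.12", 6, 0x19, 0x19, 0x40, 0x00, 60),
]


def build_caches(packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, List[Dict[str, object]]]:
    """Run every monitor over the same packets and return each monitor's exported records."""
    monitors = {name: FlowMonitor(name, key) for name, key in MONITORS.items()}
    for pkt in packets:
        for mon in monitors.values():
            mon.observe(pkt)
    return {name: mon.export() for name, mon in monitors.items()}


def deliver(caches: Dict[str, List[Dict[str, object]]]) -> Dict[str, List[Dict[str, object]]]:
    """Hand each flexible monitor's records to the collector configured for it."""
    return {collector: caches[monitor] for collector, monitor in COLLECTORS.items()}


if __name__ == "__main__":
    for collector, records in deliver(build_caches()).items():
        print(collector, records)
```

The traditional monitor keeps four entries because every row has a different source address, whereas monitor 1 and monitor 2 collapse the same traffic into two entries each, which is what lets the security analyzer ask about protocol and flag mix without receiving per-host detail it does not need.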
REFERENCE: Flexible NetFlow key fields

Interface: Input
IPv4: Source IP address, Destination IP address, Protocol, Precedence, DSCP, TTL, Total Length
IPv6: Source IP address, Destination IP address, Protocol, Traffic Class, Flow Label, Total Length, Extension Headers**, DSCP, Next-header*, Hop-Limit
Transport: ICMP Code, ICMP Type, IGMP Type, TCP Source Port, TCP Destination Port, UDP Source Port, UDP Destination Port
Layer 2: Dot1q priority, Dot1q Vlan ID, Source MAC address, Destination MAC address
Is-multicast

--- New Key Fields in FnF
* Only first header is reported
** TBD
REFERENCE: Flexible NetFlow non-key fields

Counters: Bytes (32 bit counters), Bytes Long (64 bit counters), Packets (32 bit counters), Packets Long (64 bit counters)
Interface: Output
IPv4: TTL Minimum, TTL Maximum, Fragmentation Flags*, ToS
Transport: TCP Flags: ACK, FIN, PSH, RST, SYN, URG
Timestamp: First Seen, Last Seen
IPv6: Total Length Minimum, Total Length Maximum, Option Header, Hop-limit minimum, Hop-limit maximum
Routing: Forwarding Status, Is-multicast

--- New Non-Key Fields in FnF
* more fragment fields
• Cisco Catalyst 4500-X Switches
• High Availability
• Application Visibility and Troubleshooting
  NetFlow and Flexible NetFlow
  Embedded Event Manager (EEM)
  Network Packet Analyzer (Wireshark)
• Network Virtualization
• Software Services
• Security
• Smart Operations
Embedded Event Manager
‣ Provides a means to automate operational management in real time
‣ Monitors for specific events on the switch
‣ Invokes predefined actions to correct, take remedial action and report an event to network operations…

[Figure: EEM architecture. The IOS Policy Director runs EEM Applet Policies and EEM Tcl Policies (Tcl Shell) on top of the IOS Embedded Event Manager Server; the IOS Event Detectors (Application, Configuration, Environment, IOS Watchdog, SNMP, Syslog, CLI, Counters, I/F Counters, OIR, RF, Timer) feed it from the IOS Subsystems.]
REFERENCE
Example:
Switch(config)# event manager applet test
Switch(config-applet)# event nf monitor-name "test" event-type update event1 entry-value "1000" field counter bytes rate-interval 15 entry-op gt event2 entry-value "192.168.1.1" field ipv4 destination address entry-op eq

Fields available to the NetFlow event detector:
IPv4: Destination IP addr, DSCP, Precedence, Protocol, Source IP address, ToS, Total-length, TTL
IPv6: Destination IP addr, DSCP, Flow-label, Hop-limit, Next-header, Precedence, Protocol, Source IP address, Traffic-class
Datalink: dot1q, Source MAC address, Destination MAC address
Counter: Bytes, Packets
REFERENCE
Example:
action 1.0 syslog msg "flow record with low TTL"

Available actions:
• Reload the system
• Run a pre-registered policy
• Execute a CLI command
• Modify a counter value
• Force a software switchover
• Foreach loop, if condition, else condition
• Get a line of input from the active tty
• Set/increment/decrement a variable
• Obtain system specific info
• Send an email
• Publish an application specific event
• Put data to the active tty
• Regular expression match
• Specify a value for the SNMP get request
• Send an SNMP trap
• String commands
• Log a syslog message
• Read/set a tracking object
• While loop
• Wait for a specified amount of time

More customized requirements can be met through Tcl scripts.
• Cisco Catalyst 4500-X Switches
• High Availability
• Application Visibility and Troubleshooting
  NetFlow and Flexible NetFlow
  Embedded Event Manager (EEM)
  Network Packet Analyzer (Wireshark)
• Network Virtualization
• Software Services
• Security
• Smart Operations
• SPAN/RSPAN
  • Packet forward capability
  • No local display
  • Need an external PC/sniffer to store and decode
• Wireshark (sits in between "debug ip packet" and SPAN/RSPAN)
  • Freeware
  • Supports a wide variety of protocols
  • Bundled with the switch Operating System
  • Onboard capture and decode tool
  • Quick analysis
• IOS XE on 4500-X can host third-party apps.
• Wireshark is a software process
  • Capture filters
  • Display filters
  • Store packets in a PCAP file that the user can manually TFTP/SSH to a remote server.
  • Support for multiple active capture points
[Figure: Wireshark on the switch, with local display or storing the PCAP on a remote server.]
• Display packets in brief mode
Switch# show monitor capture file bootflash:mycapture.pcap
  1 0.000000 192.85.1.3 -> 192.85.1.4 UDP Source port: 1024 Destination port: 28960
  2 0.000000 192.85.1.3 -> 192.85.1.4 UDP Source port: 1024 Destination port: 28960
  3 0.000000 192.85.1.3 -> 192.85.1.4 UDP Source port: 1024 Destination port: 28960
  4 0.000000 192.85.1.3 -> 192.85.1.4 UDP Source port: 1024 Destination port: 28960

• Display packets in hexadecimal mode
Switch# show monitor capture file bootflash:mycapture.pcap dump
0000  00 00 94 00 00 04 00 00 94 00 00 03 08 00 45 c0   ..............E.
0010  05 1e 0f 28 00 00 ff 11 24 35 c0 55 01 03 c0 55   ...(....$5.U...U
0020  01 04 04 00 71 20 05 0a db 21 00 00 00 00 00 00   ....q ...!......
• Display packets in detailed mode
Switch# show monitor capture file bootflash:mycapture.pcap detailed
Frame 1: 1328 bytes on wire (10624 bits), 1328 bytes captured (10624 bits)
    Arrival Time: Jan 1, 1970 00:00:00.000000000 Universal
    Epoch Time: 0.000000000 seconds

    Frame Number: 1
    Frame Length: 1328 bytes (10624 bits)
    Capture Length: 1328 bytes (10624 bits)

    [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: 00:00:94:00:00:03 (00:00:94:00:00:03), Dst: 00:00:94:00:00:04 (00:00:94:00:00:04)
    Destination: 00:00:94:00:00:04 (00:00:94:00:00:04)
        Address: 00:00:94:00:00:04 (00:00:94:00:00:04)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:00:94:00:00:03 (00:00:94:00:00:03)
        Address: 00:00:94:00:00:03 (00:00:94:00:00:03)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Frame check sequence: 0x99c15111 [incorrect, should be 0x379d10df]
Internet Protocol, Src: 192.85.1.3 (192.85.1.3), Dst: 192.85.1.4 (192.85.1.4)
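The brief, hexadecimal and detailed views above are three renderings of the same bytes. As an added example, not from the deck and not Wireshark or Cisco code, the Python below takes a constructed copy of the three dump lines from the hexadecimal-mode slide, strips the offset and ASCII columns, and decodes the Ethernet II, IPv4 and UDP headers by hand, recomputing the IPv4 header checksum as a sanity check on the reading. The 48 bytes shown cover only the headers, so the payload and the FCS are not present; the on-wire length is reconstructed from the IP total length plus the 14-byte Ethernet header and the 4-byte FCS, and should come out at the 1328 bytes the detailed view reports.

```python
import struct
from typing import Dict

# Constructed copy of the three `show monitor capture file ... dump` lines on the slide.
DUMP = """\
0000  00 00 94 00 00 04 00 00 94 00 00 03 08 00 45 c0   ..............E.
0010  05 1e 0f 28 00 00 ff 11 24 35 c0 55 01 03 c0 55   ...(....$5.U...U
0020  01 04 04 00 71 20 05 0a db 21 00 00 00 00 00 00   ....q ...!......
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hex_dump(text: str) -> bytes:
    """Collect the byte column of each dump line; the offset and the ASCII gutter are dropped."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        for tok in tokens[1:17]:                      # at most 16 bytes per line
            if len(tok) != 2 or not set(tok) <= HEX_DIGITS:
                break                                 # reached the ASCII gutter
            out.append(int(tok, 16))
    return bytes(out)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an even-length byte string."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II + IPv4 (+ UDP) headers the way the detailed view lays them out."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4, ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, tos, total_len, _ident, _flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Recompute the header checksum with the checksum field zeroed; it must equal hdr_csum.
    csum_ok = internet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == hdr_csum
    info: Dict[str, object] = {
        "dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
        "ip_version": ver_ihl >> 4, "tos": tos, "ttl": ttl, "protocol": proto,
        "total_length": total_len, "ip_checksum_ok": csum_ok,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        # Ethernet header (14) + IP datagram + FCS (4) is what Wireshark reports as "bytes on wire"
        "wire_length": 14 + total_len + 4,
    }
    if proto == 17:                                   # UDP
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info.update(udp_src_port=sport, udp_dst_port=dport, udp_length=ulen)
    return info


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(DUMP)).items():
        print(f"{key}: {value}")
```

The decoded source and destination addresses, protocol and UDP ports match the brief-mode line (`192.85.1.3 -> 192.85.1.4 UDP Source port: 1024 Destination port: 28960`), the recomputed IPv4 header checksum matches the 0x2435 in the dump, and 14 + 1310 + 4 gives the 1328 bytes on wire from the detailed view, so the three displays agree with each other byte for byte.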
• Cisco Catalyst 4500-X Switches
• High Availability
• Application Visibility and Troubleshooting
• Network Virtualization
  Overview
  VRF-Lite
  Easy Virtual Network (EVN)
• Software Services
• Security
• Smart Operations
• Creation of Logical Partitions
• Virtualization: one-to-many (one network supports many virtual networks)
• End-user perspective is that of being connected to a dedicated network (security, independent set of policies, routing decisions…)
• Must have a rock-solid campus design in place before adding virtualization to the network

[Figure: one Actual Physical Infrastructure carrying three Virtual Networks: an Outsourced IT Department, a Merged New Company, and a Segregated Department (Regulatory Compliance).]
[Figure: end-to-end virtualization with Red, Green and Yellow VRFs spanning the Campus (Building 1 and Building 2 Distribution Blocks), WAN, Internet, Data Center 1, Data Center 2 and Branch 1 to Branch 3]<br />
Today: VRF-Lite<br />
• A hop-by-hop virtualization technology<br />
• Configuration and operation can be complex<br />
[Figure: VRF-Lite campus (IGPs at L3). Incoming VLAN traffic is mapped to a VRF at the L2/L3 boundary; each VRF requires its own sub-int, IP address and VLAN ID on every L3 hop]<br />
EVN<br />
• Campus: segmentation, guest, reduce cost<br />
[Figure: EVN campus (IGPs at L3). Incoming VLAN traffic is mapped to a VRF; a single VNET trunk between L3 hops multiplexes the VRF traffic using a VNET tag. No sub-interface is needed and only one IP address is used]<br />
EVN—Simplified Operations<br />
• “VNET trunk” to simplify provisioning<br />
• Virtual CLI context for easy troubleshooting<br />
• Support shared services with IGP<br />
• Work with existing VRF-aware services<br />
• Fully Interoperable with VRF-Lite and MPLS<br />
VRF-Lite Subinterface Config<br />
One end of the link:<br />
ip vrf red<br />
!<br />
ip vrf green<br />
!<br />
interface TenGigabitEthernet1/1<br />
 ip address 10.122.5.1 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
!<br />
interface TenGigabitEthernet1/1.101<br />
 description Subinterface for Red VRF<br />
 encapsulation dot1Q 101<br />
 ip vrf forwarding red<br />
 ip address 10.122.5.6 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
!<br />
interface TenGigabitEthernet1/1.102<br />
 description Subinterface for green VRF<br />
 encapsulation dot1Q 102<br />
 ip vrf forwarding green<br />
 ip address 10.122.5.12 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
Other end of the link:<br />
ip vrf red<br />
!<br />
ip vrf green<br />
!<br />
interface TenGigabitEthernet1/1<br />
 ip address 10.122.5.2 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
!<br />
interface TenGigabitEthernet1/1.101<br />
 description Subinterface for red VRF<br />
 encapsulation dot1Q 101<br />
 ip vrf forwarding red<br />
 ip address 10.122.5.7 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
!<br />
interface TenGigabitEthernet1/1.102<br />
 description Subinterface for green VRF<br />
 encapsulation dot1Q 102<br />
 ip vrf forwarding green<br />
 ip address 10.122.5.13 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
OSPF Example<br />
router ospf 1<br />
 network 10.0.0.0 0.255.255.255 area 0<br />
 passive-interface default<br />
 no passive-interface vlan 2000<br />
!<br />
router ospf 100 vrf green<br />
 network 11.0.0.0 0.255.255.255 area 0<br />
 no passive-interface vlan 2001<br />
!<br />
router ospf 200 vrf red<br />
 network 12.0.0.0 0.255.255.255 area 0<br />
 no passive-interface vlan 2002<br />
EIGRP Example<br />
router eigrp 100<br />
 network 10.0.0.0 0.255.255.255<br />
 passive-interface default<br />
 no passive-interface vlan 2000<br />
 no auto-summary<br />
 !<br />
 address-family ipv4 vrf green autonomous-system 100<br />
  network 11.0.0.0 0.255.255.255<br />
  no auto-summary<br />
 exit-address-family<br />
 !<br />
 address-family ipv4 vrf red autonomous-system 100<br />
  network 12.0.0.0 0.255.255.255<br />
  no auto-summary<br />
 exit-address-family<br />
• EVN uses existing Virtual Route Forwarding (VRF)-Lite technology to:<br />
Simplify Layer 3 network virtualization<br />
Improve shared services support<br />
Enhance management, troubleshooting, and usability<br />
• EVN reduces network virtualization configuration significantly across the entire network infrastructure with the Virtual Network Trunk. The traditional VRF-Lite solution requires creating one subinterface per VRF on all switches and routers involved in the data path, creating a lot of burden in configuration management.<br />
[Figure: on a VNET trunk the 802.1q tag carried on the wire is the vnet tag that identifies the VRF]<br />
• Backward compatible with VRF-Lite<br />
VRF-Lite Subinterface Config<br />
interface TenGigabitEthernet1/1<br />
 ip address 10.122.5.1 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
 logging event link-status<br />
interface TenGigabitEthernet1/1.101<br />
 description Subinterface for Red VRF<br />
 encapsulation dot1Q 101<br />
 ip vrf forwarding red<br />
 ip address 10.122.5.6 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
 logging event subif-link-status<br />
interface TenGigabitEthernet1/1.102<br />
 description Subinterface for Green VRF<br />
 encapsulation dot1Q 102<br />
 ip vrf forwarding green<br />
 ip address 10.122.5.12 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
 logging event subif-link-status<br />
VNET Trunk config<br />
Global Config:<br />
vrf definition red<br />
 vnet tag 101<br />
vrf definition green<br />
 vnet tag 102<br />
interface TenGigabitEthernet1/1<br />
 vnet trunk<br />
 ip address 10.122.5.2 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
 logging event link-status<br />
Both routers have VRFs defined; the VNET router additionally has tags.<br />
VRF-Lite Subinterfaces<br />
interface TenGigabitEthernet1/1.101<br />
 description 10GE to core 3<br />
 encapsulation dot1Q 101<br />
 ip vrf forwarding red<br />
 ip address 10.122.5.6 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
interface TenGigabitEthernet1/1.102<br />
 description 10GE to core 3<br />
 encapsulation dot1Q 102<br />
 ip vrf forwarding green<br />
 ip address 10.122.5.12 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
1 point-to-point subinterface configuration per VRF per physical interface.<br />
VNET Trunks<br />
interface TenGigabitEthernet1/1<br />
 description 10GE to core 3<br />
 vnet trunk<br />
 ip address 10.122.5.1 255.255.255.252<br />
 ip pim query-interval 1<br />
 ip pim sparse-mode<br />
1 point-to-point trunk configuration per physical interface.<br />
VRF-lite requires 1 point-to-point subinterface configuration per VRF per physical interface. VRF Trunks require 1 point-to-point trunk configuration per physical interface.<br />
Virtual Networks   Neighbors   VRF Subinterfaces   VRF Trunks<br />
4                  4           16                  4<br />
10                 4           40                  4<br />
20                 4           80                  4<br />
30                 4           120                 4<br />
[Figure: Campus Core connected over a VNET trunk on g1/0 to a Layer 3 switch; Layer 2 trunks on g1/1 carry VLAN 21 Red, VLAN 22 Green, VLAN 23 Blue to one access block and VLAN 31 Red, VLAN 32 Green, VLAN 33 Blue to another]<br />
Layer 3 (VNET trunk towards the core):<br />
vrf definition red<br />
 vnet tag 101<br />
vrf definition green<br />
 vnet tag 102<br />
vrf definition blue<br />
 vnet tag 103<br />
interface g1/0<br />
 vnet trunk<br />
Layer 2 trunks (VLAN interfaces mapped to VRFs):<br />
interface vlan 21<br />
 vrf forwarding red<br />
interface vlan 22<br />
 vrf forwarding green<br />
interface vlan 23<br />
 vrf forwarding blue<br />
interface vlan 31<br />
 vrf forwarding red<br />
interface vlan 32<br />
 vrf forwarding green<br />
interface vlan 33<br />
 vrf forwarding blue<br />
Normal show run<br />
Router# show run<br />
.<br />
.<br />
interface Ethernet1/0<br />
 vnet trunk<br />
 ip address 10.122.6.11 255.255.255.0<br />
 ip pim sparse-mode<br />
.<br />
.<br />
show derived-config<br />
Router# show derived-config<br />
.<br />
.<br />
interface Ethernet1/0<br />
 vnet trunk<br />
 ip address 10.122.6.11 255.255.255.0<br />
 ip pim sparse-mode<br />
!<br />
interface Ethernet1/0.101<br />
 description Subinterface for VNET red<br />
 vrf forwarding red<br />
 encapsulation dot1Q 101<br />
 ip address 10.122.6.11 255.255.255.0<br />
 ip pim sparse-mode<br />
!<br />
interface Ethernet1/0.102<br />
 description Subinterface for VNET green<br />
 vrf forwarding green<br />
 encapsulation dot1Q 102<br />
 ip address 10.122.6.11 255.255.255.0<br />
 ip pim sparse-mode<br />
.<br />
.<br />
vrf definition red<br />
 vnet tag 101<br />
vrf definition green<br />
 vnet tag 102<br />
!<br />
interface Ethernet1/0<br />
 vnet trunk<br />
 ip address 10.1.95.1 255.255.255.0<br />
!<br />
interface Ethernet2/0<br />
 vnet trunk<br />
 ip address 10.1.96.1 255.255.255.0<br />
show ip int brief - displays all subinterfaces<br />
Router# show ip int brief<br />
Interface        IP-Address   OK? Method Status   Protocol<br />
Ethernet1/0      10.1.95.1    YES NVRAM  up       up<br />
Ethernet1/0.101  10.1.95.1    YES NVRAM  up       up<br />
Ethernet1/0.102  10.1.95.1    YES NVRAM  up       up<br />
.<br />
Ethernet2/0      10.1.96.1    YES NVRAM  up       up<br />
Ethernet2/0.101  10.1.96.1    YES NVRAM  up       up<br />
Ethernet2/0.102  10.1.96.1    YES NVRAM  up       up<br />
• Specify VRFs carried on trunks<br />
• VRF lists can filter traffic carried over VNET trunks<br />
Group A (Red VRF and Yellow VRF towards R2):<br />
vrf list group-a<br />
 member red<br />
 member yellow<br />
interface g1/0<br />
 vnet trunk vrf-list group-a<br />
Group B (Red VRF and Green VRF towards R3):<br />
vrf list group-b<br />
 member red<br />
 member green<br />
interface g2/0<br />
 vnet trunk vrf-list group-b<br />
[Figure: R1 holds the Red, Green and Yellow VRFs; its g1/0 trunk to R2 (Group A) carries only Red and Yellow and its g2/0 trunk to R3 (Group B) carries only Red and Green; routers R4 to R7 sit further downstream]<br />
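The VRF-Lite subinterface versus VNET trunk comparison, the subinterface-count table, the show derived-config expansion and the vrf-list filter above can all be checked with the following added example. It is not Cisco code and not part of the original deck: it parses a constructed config fragment written in the page's own syntax, expands each vnet trunk into the per-VRF subinterfaces that show derived-config would display (honouring an optional vrf-list), and computes the subinterface-versus-trunk counts that the scaling table lists. Interface names, vnet tags and addresses in the fragment are constructed.<br />

```python
"""Model of how an EVN vnet trunk expands into per-VRF subinterfaces.

Added example (not Cisco code). It reproduces in Python the expansion that
'show derived-config' displays: one dot1Q subinterface per VRF that has a
vnet tag, filtered by an optional 'vrf-list' on the trunk, and computes the
subinterface-vs-trunk counts behind the page's scaling table.
"""
import re
from typing import Dict, List, Optional, Tuple

# constructed config fragment in the page's syntax
SAMPLE_CONFIG = """\
vrf definition red
 vnet tag 101
vrf definition green
 vnet tag 102
vrf definition blue
 vnet tag 103
vrf list group-a
 member red
 member green
interface Ethernet1/0
 vnet trunk
 ip address 10.1.95.1 255.255.255.0
 ip pim sparse-mode
interface Ethernet2/0
 vnet trunk vrf-list group-a
 ip address 10.1.96.1 255.255.255.0
interface Ethernet3/0
 ip address 10.1.97.1 255.255.255.0
"""


class Interface:
    def __init__(self, name: str) -> None:
        self.name = name
        self.is_trunk = False
        self.vrf_list: Optional[str] = None
        self.lines: List[str] = []      # remaining sub-commands (ip address, pim, ...)


def parse_config(text: str) -> Tuple[Dict[str, int], Dict[str, List[str]], List[Interface]]:
    """Return (vnet tag per VRF, members per vrf list, interfaces in order)."""
    tags: Dict[str, int] = {}
    lists: Dict[str, List[str]] = {}
    intfs: List[Interface] = []
    ctx = None                          # current top-level block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):     # a new top-level block starts
            ctx = None
            if m := re.match(r"vrf definition (\S+)$", line):
                ctx = ("vrf", m.group(1))
            elif m := re.match(r"vrf list (\S+)$", line):
                lists[m.group(1)] = []
                ctx = ("list", m.group(1))
            elif m := re.match(r"interface (\S+)$", line):
                intfs.append(Interface(m.group(1)))
                ctx = ("intf", intfs[-1])
            continue
        if ctx is None:
            continue
        kind, obj = ctx
        if kind == "vrf" and (m := re.match(r"vnet tag (\d+)$", line)):
            tags[obj] = int(m.group(1))
        elif kind == "list" and (m := re.match(r"member (\S+)$", line)):
            lists[obj].append(m.group(1))
        elif kind == "intf":
            if m := re.match(r"vnet trunk(?: vrf-list (\S+))?$", line):
                obj.is_trunk = True
                obj.vrf_list = m.group(1)
            else:
                obj.lines.append(line)
    return tags, lists, intfs


def derived_config(tags, lists, intfs) -> str:
    """Expand every vnet trunk the way 'show derived-config' shows it."""
    out: List[str] = []
    for intf in intfs:
        if not intf.is_trunk:
            continue
        # without a vrf-list the trunk carries every VRF that has a vnet tag
        carried = lists[intf.vrf_list] if intf.vrf_list else list(tags)
        out.append(f"interface {intf.name}")
        out.append(" vnet trunk" + (f" vrf-list {intf.vrf_list}" if intf.vrf_list else ""))
        out.extend(f" {l}" for l in intf.lines)
        for vrf in carried:
            tag = tags[vrf]
            out += ["!", f"interface {intf.name}.{tag}",
                    f" description Subinterface for VNET {vrf}",
                    f" vrf forwarding {vrf}",
                    f" encapsulation dot1Q {tag}"]
            out.extend(f" {l}" for l in intf.lines)   # same IP address on every subinterface
    return "\n".join(out)


def subinterface_count(virtual_networks: int, neighbors: int) -> int:
    """VRF-Lite: one subinterface per VRF per physical link."""
    return virtual_networks * neighbors


def trunk_count(virtual_networks: int, neighbors: int) -> int:
    """EVN: one trunk per physical link, independent of the VRF count."""
    return neighbors


if __name__ == "__main__":
    t, l, i = parse_config(SAMPLE_CONFIG)
    print(derived_config(t, l, i))
    for vn in (4, 10, 20, 30):
        print(vn, 4, subinterface_count(vn, 4), trunk_count(vn, 4))
```

Running the module prints the derived configuration and the four rows of the scaling table; the trunk with vrf-list group-a expands only to the red and green subinterfaces, which is the filtering behaviour the vrf-list slide describes.<br />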
Before: Sharing services in existing technologies<br />
ip vrf SHARED<br />
 rd 3:3<br />
 route-target export 3:3<br />
 route-target import 1:1<br />
 route-target import 2:2<br />
!<br />
ip vrf RED<br />
 rd 1:1<br />
 route-target export 1:1<br />
 route-target import 3:3<br />
!<br />
ip vrf GREEN<br />
 rd 2:2<br />
 route-target export 2:2<br />
 route-target import 3:3<br />
!<br />
router bgp 65001<br />
 bgp log-neighbor-changes<br />
 !<br />
 address-family ipv4 vrf SHARED<br />
  redistribute ospf 3<br />
  no auto-summary<br />
  no synchronization<br />
 exit-address-family<br />
 !<br />
 address-family ipv4 vrf RED<br />
  redistribute ospf 1<br />
  no auto-summary<br />
  no synchronization<br />
 exit-address-family<br />
 !<br />
 address-family ipv4 vrf GREEN<br />
  redistribute ospf 2<br />
  no auto-summary<br />
  no synchronization<br />
 exit-address-family<br />
!<br />
After: Simple shared service definition<br />
vrf definition SHARED<br />
 address-family ipv4<br />
  route-replicate from vrf RED unicast all route-map red-map<br />
  route-replicate from vrf GREEN unicast all route-map grn-map<br />
vrf definition RED<br />
 address-family ipv4<br />
  route-replicate from vrf SHARED unicast all<br />
vrf definition GREEN<br />
 address-family ipv4<br />
  route-replicate from vrf SHARED unicast all<br />
Route-Replication Advantage:<br />
• No BGP required<br />
• No Route Distinguisher required<br />
• No Route Targets required<br />
• No Import/Export required<br />
• Simple Deployment<br />
• Supports both Unicast/Mcast<br />
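The point a security reviewer wants to verify in the shared-services design above is that RED and GREEN both reach SHARED while staying invisible to each other. The following added example (not Cisco code, not part of the original deck) models the "After" configuration: SHARED replicates from RED through red-map and from GREEN through grn-map, and both RED and GREEN replicate everything from SHARED. The routing tables, prefixes and the prefix allow-lists standing in for the two route-maps are constructed; the assumption that a route received by replication is not replicated onward is stated in the code.<br />

```python
"""Route-replication model for an EVN shared-services VRF.

Added example (not Cisco code). Models the page's 'After' configuration:
SHARED replicates from RED (red-map) and GREEN (grn-map); RED and GREEN
replicate everything from SHARED. Assumption: a route that arrived by
replication is not replicated a second time, so nothing transits SHARED
from GREEN into RED.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = Dict[str, str]          # prefix -> origin

# constructed per-VRF routing tables before replication
TABLES: Dict[str, Table] = {
    "RED":    {"10.1.0.0/16": "connected", "10.1.50.0/24": "ospf 1"},
    "GREEN":  {"10.2.0.0/16": "connected", "10.2.50.0/24": "ospf 2"},
    "SHARED": {"192.0.2.0/24": "connected"},   # shared servers (DNS, DHCP, ...)
}

# constructed route-maps: only these prefixes may enter SHARED
ROUTE_MAPS: Dict[str, List[str]] = {
    "red-map": ["10.1.50.0/24"],
    "grn-map": ["10.2.50.0/24"],
}

# (destination vrf, source vrf, route-map) as in the 'route-replicate' lines
REPLICATION: List[Tuple[str, str, Optional[str]]] = [
    ("SHARED", "RED", "red-map"),
    ("SHARED", "GREEN", "grn-map"),
    ("RED", "SHARED", None),
    ("GREEN", "SHARED", None),
]


def apply_route_replication(tables, replication, route_maps):
    """Return new tables with replicated routes tagged by their source VRF.

    Only routes native to the source VRF are copied (assumption: replicated
    routes are not replicated again), so RED never learns GREEN's prefixes
    through SHARED.
    """
    result = {vrf: dict(routes) for vrf, routes in tables.items()}
    for dst, src, rmap in replication:
        for prefix, origin in tables[src].items():     # original tables only
            if rmap is None or prefix in route_maps[rmap]:
                result[dst][prefix] = f"replicated from {src} ({origin})"
    return result


def lookup(tables, vrf, address) -> Optional[str]:
    """Longest-prefix match in one VRF; None means unreachable from that VRF."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix in tables[vrf]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def isolation_violations(before, after, pairs):
    """Native prefixes of VRF a that became visible in VRF b after replication."""
    return [(a, b, p) for a, b in pairs for p in before[a] if p in after[b]]


if __name__ == "__main__":
    after = apply_route_replication(TABLES, REPLICATION, ROUTE_MAPS)
    for vrf, routes in after.items():
        print(vrf, routes)
    print("RED -> shared server:", lookup(after, "RED", "192.0.2.10"))
    print("RED -> GREEN host   :", lookup(after, "RED", "10.2.50.1"))
    print("violations:", isolation_violations(TABLES, after, [("RED", "GREEN"), ("GREEN", "RED")]))
```

Because the route-maps admit only the client subnets into SHARED, a host on 10.1.7.0/24 in RED is unreachable from the shared servers; widening red-map widens that exposure, which is why the route-map on each route-replicate line is the control worth reviewing.<br />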
IOS CLI<br />
Router# show ip route vrf red<br />
Routing table output for red<br />
Router# ping vrf red 10.1.1.1<br />
Ping result using VRF red<br />
Router# telnet 10.1.1.1 /vrf red<br />
Telnet to 10.1.1.1 in VRF red<br />
Router# traceroute vrf red 10.1.1.1<br />
Traceroute output in VRF red<br />
Routing context<br />
Router# routing-context vrf red<br />
Router%red#<br />
Router%red# show ip route<br />
Routing table output for red<br />
Router%red# ping 10.1.1.1<br />
Ping result using VRF red<br />
Router%red# telnet 10.1.1.1<br />
Telnet to 10.1.1.1 in VRF red<br />
Router%red# traceroute 10.1.1.1<br />
Traceroute output in VRF red<br />
• Displays VRF configuration info for:<br />
VRF Definitions<br />
Interfaces in VRFs<br />
Protocol configs for Multi-VRF<br />
router# show run vrf green<br />
vrf definition green<br />
 !<br />
 address-family ipv4<br />
 exit-address-family<br />
!<br />
interface GigabitEthernet0/1<br />
 vrf forwarding green<br />
 ip address 11.2.2.1 255.255.255.0<br />
!<br />
interface Tunnel2<br />
 vrf forwarding green<br />
 ip address 11.2.1.1 255.255.255.0<br />
 tunnel source Loopback101<br />
 tunnel destination 126.101.1.2<br />
!<br />
router eigrp 100<br />
 !<br />
 address-family ipv4 vrf green<br />
  network 11.2.0.0 0.0.255.255<br />
  autonomous-system 102<br />
 exit-address-family<br />
!<br />
VRF Traceroute<br />
Router%Red# trace 10.1.3.1<br />
Tracing the route to 125.0.10.12<br />
VRF info: (vrf in name/id, vrf out name/id)<br />
1 10.1.1.2 (red/1001, red/1001)<br />
2 10.2.1.2 (red/1001, red/1001)<br />
Router%Red# trace 10.1.2.1<br />
Tracing the route to 125.0.10.12<br />
VRF info: (vrf in name/id, vrf out name/id)<br />
1 10.1.1.2 (red/1001, red/1001)<br />
2 10.2.1.2 (red/1001, green/1002)<br />
3 10.2.2.2 (green/1002, green/1002)<br />
4 * * *<br />
VRF Instrumentation<br />
• Improved CLI for VRF-aware SNMP<br />
• New CISCO-VRF-MIB for VRF discovery and management<br />
• Netflow data using Flexible Netflow<br />
VRF-aware debug<br />
R2# debug condition vrf red<br />
R2# debug condition vrf blue<br />
R2# debug ip ospf hello<br />
R2# debug ip ospf spf<br />
Display debug output for configured VRF<br />
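The "VRF info" column in the traceroute output above is the quickest way to spot where a packet leaves its VRF: in the second trace, hop 2 arrives in red and is forwarded in green. The following added example (not Cisco code, not part of the original deck) parses that output and reports the hop where the in and out VRFs differ plus every later hop that forwards in a VRF other than the one the trace started in. The sample output is constructed from the page's second trace.<br />

```python
"""Detect VRF boundary crossings in EVN VRF-aware traceroute output.

Added example (not Cisco code). The 'VRF info' column of a trace run in a
routing context shows, per hop, the VRF the packet arrived in and the VRF
it was forwarded in. A hop whose 'in' and 'out' VRFs differ is the leak
point; every later hop forwarding in another VRF is the consequence.
"""
import re
from typing import List, Tuple

# constructed from the page's second trace
TRACE_OUTPUT = """\
Router%Red# trace 10.1.2.1
Tracing the route to 125.0.10.12
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.2 (red/1001, red/1001)
2 10.2.1.2 (red/1001, green/1002)
3 10.2.2.2 (green/1002, green/1002)
4 * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\w+)/(\d+),\s*(\w+)/(\d+)\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)(\s+\*)+\s*$")


def parse_vrf_hops(text: str) -> List[dict]:
    """Parse hop lines; a '* * *' hop is kept with no address or VRF info."""
    hops = []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            hops.append({"hop": int(m.group(1)), "addr": m.group(2),
                         "vrf_in": m.group(3), "vrf_out": m.group(5)})
        elif m := TIMEOUT_RE.match(line):
            hops.append({"hop": int(m.group(1)), "addr": None,
                         "vrf_in": None, "vrf_out": None})
    return hops


def find_vrf_crossings(hops, expected_vrf: str) -> List[Tuple[int, str]]:
    """Report hops that leave expected_vrf or forward in a different VRF."""
    findings = []
    for h in hops:
        if h["addr"] is None:           # timed-out hop, nothing to judge
            continue
        if h["vrf_in"] != h["vrf_out"]:
            findings.append((h["hop"], f"{h['vrf_in']} -> {h['vrf_out']} at {h['addr']}"))
        elif h["vrf_in"] != expected_vrf:
            findings.append((h["hop"], f"forwarded in {h['vrf_in']} instead of {expected_vrf}"))
    return findings


if __name__ == "__main__":
    for hop, why in find_vrf_crossings(parse_vrf_hops(TRACE_OUTPUT), "red"):
        print(f"hop {hop}: {why}")
```

On the page's first trace every hop reads (red/1001, red/1001) and the function returns nothing; on the second it flags hop 2 as the crossing point, which is where the leaking route or misassigned interface should be looked for.<br />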
• VRF-aware services have the following characteristics:<br />
The user can ping a host in a user-specified VRF.<br />
ARP entries are learned in separate VRFs. The user can display Address Resolution Protocol (ARP) entries for specific VRFs.<br />
• These services are VRF-Aware:<br />
ARP<br />
Ping<br />
Simple Network Management Protocol (SNMP)<br />
Unicast Reverse Path Forwarding (uRPF)<br />
Syslog<br />
Traceroute<br />
FTP and TFTP<br />
Telnet and SSH<br />
NTP<br />
[Figure: medianet business use cases. Business Meetings and Ad Hoc Communication, Safety and Security, Corporate Events (Faster Decisions, Improve Protection, Extend Reach); Training / Knowledge Sharing, Corporate Communications, Advertising, Customer Care (Share Expertise, Better Change Mgmt, Personalize Ads, Expert-on-Demand)]<br />
Business Drivers<br />
• More Video Apps<br />
• More Video Endpoints<br />
• Rising Expectations for Video<br />
IT Drivers<br />
• Reduce Complexity<br />
• Accelerate Deployment<br />
• Optimize Quality of Experience<br />
A medianet is an intelligent network optimized for rich media applications:<br />
• It is media-, endpoint-, and network-aware<br />
• It extends the network boundary to include the endpoints in order to scale, optimize, and enhance the performance of video.<br />
[Figure: medianet, an end-to-end IP architecture that enables pervasive rich media experiences. Smarter Network (medianet technology embedded into routers and switches), Smarter Endpoints (medianet technology embedded into endpoints) and Shared Media Services (shared networked resources), linked by Adaptation, Integration and Automation]<br />
Deliver the Network Optimized for Video Anytime, Anywhere, Any Device<br />
[Figure: medianet architecture. Video, Voice and Data Applications on top of the Media Services Interface (end-point and Proxy) APIs; network functions Plug & Play, Media Services Proxy, NBAR, SAF, Multicast, PfR, NetFlow, QoS, RSVP and IPSLA; pillars Media Awareness, Media Monitoring, Media Optimization, Security and Management]<br />
Automate network configuration – Auto Smartports<br />
Location awareness – Applications automatically learn from the network<br />
[Figure: Plug & Play flow. The camera registers with MSI, sending ‘device info type’ = ‘Camera’ to its manager via CDP. The switch provides civic & geo location info to the endpoint (CDP: location = bldg 24/room 5), assigns it to VLAN 10 and applies QoS policy x. The Cisco Mobility Service Engine (MSE) provides geo location info to the switches. Also shown: the WAN, CiscoWorks LMS asking “How many IP cameras do I have installed in Bldg 24?”, and IP Surveillance Manager]<br />
• What traffic to monitor?<br />
How to identify that traffic<br />
MQC/C3PL tools are available: NBAR, ACLs, DSCP<br />
• What information to gather?<br />
Which flow identifiers, interface information, and metrics are needed<br />
• Where to monitor?<br />
Which routers, which interfaces, inbound/outbound*<br />
• Service Targets?<br />
SLAs to threshold against<br />
• Where to send information?<br />
NetFlow, MIB, syslog, SNMP traps<br />
* Cat4K only supports Inbound Policy maps<br />
• Metrics can be tested against thresholds to trigger actions<br />
Multi-level Alarm Raise/Clear, SNMP Traps, Syslog<br />
[Screenshot: SyslogWatcher]<br />
Cisco Prime Assurance Manager<br />
Third Party Tools<br />
ActionPacked LiveAction<br />
Plixer Scrutinizer<br />
SevOne SevOneNMS<br />
CA/NetQoS UCM<br />
More info: CDN Partners Page: http://developer.cisco.com/web/mnets/partners<br />
• Variety of network centric metrics added.<br />
• More metrics and protocols coming<br />
Metric/Data Value                           Protocol<br />
transport rtp ssrc                          RTP<br />
application media packets counter (long)    All<br />
application media bytes counter (long)      All<br />
application media bytes rate                All<br />
application media packet rate               All<br />
transport packets lost counter              RTP,<br />
transport packets expected counter          RTP,<br />
transport packets lost rate                 RTP,<br />
counter bytes rate                          All<br />
transport event packet-loss counter         TCP, RTP<br />
transport round-trip-time                   TCP<br />
transport rtp jitter maximum                RTP<br />
transport rtp jitter minimum                RTP<br />
transport rtp jitter mean                   RTP<br />
application media packets rate variation    IP-CBR<br />
application media event                     -<br />
counter packets dropped                     All<br />
[Figure: structure of a performance monitor policy map applied inbound on Fast0/0*. The class-map sets the traffic selection criteria (class X, class Y); each class references a flow monitor, which sets the monitoring and metric parameters through a flow record, a flow exporter and an optional react config (thresholds)]<br />
* Cat4K only supports Inbound Policy maps<br />
NEW! Inline policy maps<br />
• Can apply directly on interface<br />
• Limited to single class<br />
Inline policy map on Fast0/0 (for reference):<br />
interface FastEthernet0/0<br />
 service-policy type performance-traffic inline input<br />
  match dscp cs5 ef af41<br />
  flow monitor inline<br />
   record default-rtp<br />
  react 1 transport-packets-lost-rate<br />
   threshold value gt 10.00<br />
   alarm severity error<br />
   action syslog<br />
• Individual monitor intervals: show performance monitor history<br />
• Aggregation over all stored intervals: show performance monitor status<br />
1861-AA0213#show performance monitor history<br />
Load for five secs: 20%/16%; one minute: 8%; five minutes: 4%<br />
Time source is NTP, 01:52:12.052 EST Fri Oct 29 2010<br />
Codes: * - field is not configurable under flow record<br />
NA - field is not applicable for configured parameters<br />
Match: ipv4 src addr = 10.1.160.19, ipv4 dst addr = 10.1.3.5, ipv4 prot<br />
= udp, trns src port = 32760, trns dst port = 22802, SSRC = 1717646439<br />
Policy: all-apps, Class: telepresence-CS4, Interface: FastEthernet0/0,<br />
Direction: input<br />
start time 01:51:31<br />
============<br />
*history bucket number : 1<br />
*counter flow : 1<br />
counter bytes : 162329<br />
counter bytes rate (Bps) : 5410<br />
*counter bytes rate per flow (Bps) : 5410<br />
*counter bytes rate per flow min (Bps) : 5410<br />
*counter bytes rate per flow max (Bps) : 5410<br />
counter packets : 773<br />
*counter packets rate per flow : 25<br />
counter packets dropped : 0<br />
routing forwarding-status reason : Unknown<br />
interface input : Fa0/0<br />
interface output : Vl1000<br />
monitor event : false<br />
ipv4 dscp : 32<br />
ipv4 ttl : 58<br />
application media bytes counter : 146869<br />
application media packets counter : 773<br />
application media bytes rate (Bps) : 4895<br />
*application media bytes rate per flow (Bps) : 4895<br />
*application media bytes rate per flow min (Bps) : 4895<br />
*application media bytes rate per flow max (Bps) : 4895<br />
application media packets rate (pps) : 25<br />
application media event : Normal<br />
*transport rtp flow count : 1<br />
transport rtp jitter mean (usec) : 476<br />
transport rtp jitter minimum (usec) : 1<br />
transport rtp jitter maximum (usec) : 1997<br />
*transport rtp payload type : 96<br />
transport event packet-loss counter : 0<br />
*transport event packet-loss counter min : 0<br />
*transport event packet-loss counter max : 0<br />
transport packets expected counter : 773<br />
transport packets lost counter : 0<br />
*transport packets lost counter minimum : 0<br />
*transport packets lost counter maximum : 0<br />
transport packets lost rate ( % ) : 0.00<br />
*transport packets lost rate min ( % ) : 0.00<br />
*transport packets lost rate max ( % ) : 0.00<br />
Let mediatrace do the walking for you!<br />
• Mediatrace discovers and queries L2 and L3 nodes along a flow’s path<br />
• Gathers system resource, interface and flow specific (perf-mon) stats<br />
For performance monitor: dynamically configures the monitoring policy if needed (the 5-tuple, intervals etc. match the static policy)<br />
• Consolidates information into a single screen<br />
• Allows for easy comparisons of device behavior<br />
Which interface is dropping packets?<br />
Where is DSCP getting reset?<br />
• Can be requested by a remote device<br />
• Automatically (based on thresholds) via EEM script<br />
Built into MSI applications, operator or automatic triggering<br />
• Requestor – origin of request<br />
Video end system, NMS, same node as initiator, remote router/switch<br />
• Initiator - injects the trace<br />
• Responder - sends data back to initiator<br />
• Multiple types of data requests<br />
Hops – hop discovery<br />
System – system information<br />
Performance monitor – enables perf-mon, then collects data<br />
• Multiple execution formats<br />
Poll – minimal config, run from IOS exec<br />
Session – flexible configuration, allows for periodic, recurring requests and history<br />
[Figure: a flow passing from the initiator + requestor node through two responder nodes]<br />
• Run from Cisco IOS Software CLI or periodically through configuration<br />
• Modes:<br />
Hop Poll: performs only path discovery<br />
System Poll: in addition to performing node and interface discovery, statistics from the interfaces are collected<br />
Perf-Mon Poll: collects flow specific statistics. If additional information, such as the IP protocol and Layer 4 ports, is specified, the query will be as detailed as possible<br />
Learn More<br />
Quick Start Guide: http://www.cisco.com/en/US/solutions/collateral/ns340/ns856/ns156/ns1094/whitepaper_c11-653899.pdf<br />
Deployment Guide: http://www.cisco.com/web/solutions/medianet/docs/guide_c07-684466_v2.pdf<br />
Configuration Guide: http://www.cisco.com/en/US/docs/ios/media_monitoring/configuration/guide/mm_mediatrace.html<br />
Feature                            Poll       Session<br />
Command Mode                       Exec       Configuration<br />
Type of execution                  One shot   Recurring<br />
Settings                           Default    Configurable<br />
Scheduling flexibility             Now        Now, later, @ start-time etc<br />
Minimum number of lines of config  1          >10<br />
Best used by                       Manual     NMS<br />
• Cisco Prime Collaboration Manager (CM) uses mediatrace for flow specific stats<br />
• Mediascope research project<br />
[Screenshots: mediascope; Cisco Prime Collaboration Manager]<br />
More info:<br />
Cisco Prime CM: cisco.com/go/cpcm<br />
Mediascope: medianet.sourceforge.net<br />
• IPSLA known in industry for jitter, ICMP, etc. probes<br />
• Most probes measure experience without affecting user traffic<br />
• Need traffic to stress test network<br />
• IPSLA VO provides pre-packaged profiles: IPTV, Video Surv, CTS<br />
• Convenient for pre-deployment assessment, pre-event testing and post-event troubleshooting.<br />
“Is my network ready for 100 HD desktop cameras, 30 IPVSC and a new TelePresence room?”<br />
• More bandwidth needed? Deploy PfR?<br />
• QoS needed?<br />
• Fully integrated with IPSLA control and scheduling framework<br />
• Extension to current IPSLA CLI and MIB interface to allow easy integration with NMS products<br />
• Traffic is RTP: can use mediatrace and performance-monitor to do fault-isolation<br />
(Figure: test path Switch A – Router B – Router C – Switch D)<br />
• IPSLA Video Operation NMS support: ActionPacked LiveAction; SevOne; Cisco Prime Collaboration Manager (for CTS traffic); Cisco Prime LMS 4.1, 4.0 Patch; Cisco Prime Performance Manager 1.0.3<br />
• 14 more NMS application vendors engaged!<br />
More info:<br />
Cisco Prime LMS: cisco.com/go/lms<br />
Cisco Prime CM: cisco.com/go/cpcm<br />
Cisco Prime Performance Manager: http://www.cisco.com/en/US/products/ps11715<br />
CDN Partners Page: http://developer.cisco.com/web/mnets/partners<br />
(Figure: Cisco Prime Collaboration Manager (IPSLA VO))<br />
Cisco TelePresence overview and session level details<br />
• Obtain complete summary of any problems affecting sessions in progress, endpoints, and service infrastructure devices<br />
• Filter by alarm severity of all sessions – in progress, recently completed, and scheduled<br />
• View topology and rapidly determine whether issues are in endpoints or in the network<br />
• See detailed endpoint and session statistics – latency, jitter, packet loss<br />
(Figure: Summary Session Monitoring Dashboard; panels include session topology, endpoint view, service infrastructure inventory, session statistics, alarms and filters)<br />
cisco.com/go/cpcm<br />
Visualize end-to-end media path between CTS endpoints<br />
• Media path visualization and flow statistics identify network issues degrading service quality<br />
• Analyze detailed device information, CPU, Memory, Interface statistics<br />
• Medianet enabled devices provide additional flow based details – packet loss and jitter<br />
• Troubleshooting data can be captured and exported for trending and later analysis<br />
• Cisco Catalyst 4500-X Switches<br />
• High Availability<br />
• Application Visibility and Troubleshooting<br />
• Network Virtualization<br />
• Software Services<br />
Medianet: Overview, Plug & Play, Performance Monitor, Mediatrace, IPSLA VO, MSI & MSI Proxy<br />
• Security<br />
• Smart Operations<br />
• Media Services Interface will be embedded with WebEx install for FR26<br />
• Endpoint instrumentation for WebEx traffic<br />
Ability to generate/respond to mediatrace<br />
(Figure: WebEx endpoint in the enterprise network, mediatrace supported across the SP network)<br />
2. Mediatrace on outgoing flow<br />
3. Flow stats along path gathered.<br />
4. Last mediatrace node discovered<br />
PAIN POINTS<br />
• Many different device types (consumer devices, Cisco or non-Cisco)<br />
• Lack cloud application visibility<br />
CISCO SOLUTIONS<br />
• Dynamically discover the device type & application type, provide visibility and apply predefined policies<br />
(Figure: Catalyst 4500 at the user edge, ISR G2 routers toward MPLS and the Internet, ASR 1000 at the Internet edge, cloud applications)<br />
Switches discover the device type & apply medianet services (autoconfig, QoS, etc.)<br />
Network elements discover the application type (e.g. cloud applications at Internet edge, or softphones at user edge) via NBAR2 or SIP snooping, and apply medianet services such as metadata to share flow information with the rest of the network.<br />
• Cisco Catalyst 4500-X Switches<br />
• High Availability<br />
• Application Visibility and Troubleshooting<br />
• Network Virtualization<br />
• Software Services<br />
• Security<br />
IPv6 First Hop Security<br />
• Smart Operations<br />
Example of Inside Attacks exploiting IPv6 Link Operations<br />
Data Security at Edge<br />
The Challenge: IPv6 Link Operations can be easily attacked inside the local network<br />
Attacks inside the network:<br />
• The attacker can spoof a user address by snooping Neighbor Solicitation and poisoning Neighbor Advertisement<br />
• The attacker can become the local default gateway by sending rogue Router Advertisements<br />
• The attacker can disable the local IPv6 network by poisoning Duplicate Address Detection<br />
Intelligent Perimeter at the edge<br />
Data Security at Edge<br />
Pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers<br />
Track IPv6 devices by snooping neighbor and router solicitations, DHCP requests and query their status when they become inactive<br />
(Figure: messages snooped at the access switch: NS, ND, RS, DAD NS, DHCP, RA; resulting binding table below)<br />
Intf | IPv6 | MAC | VLAN | State<br />
g1/10 | ::001A | 001A | 110 | Active<br />
g1/11 | ::001B | 001B | 110 | Active<br />
g1/12 | ::001C | 001C | 110 | Stale<br />
g1/15 | ::001D | 001D | 110 | Active<br />
g1/16 | ::001E | 001E | 200 | Verifying<br />
g1/17 | ::0020 | 0020 | 200 | Active<br />
g1/21 | ::0021 | 0021 | 200 | Active<br />
… | … | … | … | …<br />
The Solution: IPv6 First Hop Security in the access switch<br />
IPv6 Snooping and Guard<br />
• Block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard<br />
• Monitor device address assignment with Binding Integrity Guard<br />
• Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard<br />
Prevent Rogue Router Advertisements from taking down the network<br />
(Figure: Before RA Guard, Host A sends an RA (“I am a router”) and the first hop switch accepts it (“Yea! Thanks”); after RA Guard, the first hop switch rejects the same RA (“Not according to me”).)<br />
• The Catalyst 4500 series switches provide limited support for IPv6 RA Guard<br />
• Host Mode Only – can be enabled on interfaces to block Router Advertisements from malicious hosts.<br />
• This is available from Sup 6E onwards<br />
• Limitations:<br />
• Cannot selectively block Router Advertisements in a particular direction (required for ports connected to switches)<br />
• Cannot apply filters (prefixes, etc.)<br />
• Configuration does not follow the First Hop Security model of global policy definition and interface policy application<br />
(Figure: Host A and Router B both send RAs toward the first hop switch)<br />
Key Parameters<br />
Device Roles: Host, Monitor, Router, Switch<br />
Router Preference: Low, Medium, High<br />
Match: ACL list, Prefix list<br />
With this release, we are providing complete support for IPv6 RA Guard on the 4500<br />
Creating a RA guard policy<br />
4500E-fhs-access(config)#ipv6 nd raguard policy hostpolicy<br />
4500E-fhs-access(config-nd-raguard)#device-role host<br />
4500E-fhs-access(config-nd-raguard)#exit<br />
4500E-fhs-access(config)#int gi0/5<br />
4500E-fhs-access(config-if)#ipv6 nd raguard attach-policy hostpolicy<br />
See RFC 6104 for details<br />
Wireless to Wired – Internet sharing<br />
(Figure: a host on a wireless network (coffee shop, home, etc.) with Internet sharing enabled becomes a 6to4 gateway behind the firewall; when the host moves to the wired network it sees no RA, turns on ICS and starts sending RAs toward the first hop switch.)<br />
Prevent Rogue DHCP responses from misleading the client<br />
(Figure: Before DHCP Guard, both the DHCP server and a host claiming “I am a DHCP server” answer the host's DHCP Request through the first hop switch; after DHCP Guard, the first hop switch blocks the rogue host's answer.)<br />
(Figure: Host A sends a DHCP Request; responses come from the DHCP server and from a rogue DHCP server through the first hop switch)<br />
Key Parameters<br />
Device Roles: Client, Server<br />
Preference: Minimum, Maximum<br />
Match: prefix-list, access-list<br />
Creating a DHCP Guard policy<br />
4500E-fhs-access(config)#ipv6 dhcp guard policy clientpolicy<br />
4500E-fhs-access(config-dhcp-guard)#device-role client<br />
4500E-fhs-access(config-dhcp-guard)#exit<br />
4500E-fhs-access(config)#int gi0/5<br />
4500E-fhs-access(config-if)#ipv6 dhcp guard attach-policy clientpolicy<br />
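To make the RA Guard and DHCP Guard key parameters above concrete, the following is an added model of how a policy decides whether to forward a message. It is example code written for this page, not Cisco's implementation: only the host and router roles of RA Guard and the client and server roles of DHCPv6 Guard are modelled, and the class names, function names and the addresses in the sample messages are this example's own assumptions.

```python
"""Model of RA Guard and DHCPv6 Guard policy evaluation (added example,
not Cisco's implementation). Roles, preferences and match lists follow
the Key Parameters listed on the slides; the monitor and switch roles are
not modelled and raise ValueError."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

RA_PREF = {"low": 0, "medium": 1, "high": 2}   # RFC 4191 router preference


@dataclass
class RaGuardPolicy:
    device_role: str = "host"                    # "host" or "router"
    router_preference_max: Optional[str] = None  # low | medium | high
    match_prefix_list: List[IPv6Network] = field(default_factory=list)  # advertisable prefixes
    match_acl: List[IPv6Network] = field(default_factory=list)          # permitted RA sources


@dataclass
class RouterAdvertisement:
    src: IPv6Address             # link-local source of the RA
    preference: str              # low | medium | high
    prefixes: List[IPv6Network]  # Prefix Information options carried


def evaluate_ra(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[str, str]:
    """Return ("permit"|"drop", reason) for one RA arriving on a guarded port."""
    if policy.device_role == "host":
        return "drop", "RA received on a host port"
    if policy.device_role != "router":
        raise ValueError(f"role {policy.device_role!r} not modelled here")
    if (policy.router_preference_max is not None
            and RA_PREF[ra.preference] > RA_PREF[policy.router_preference_max]):
        return "drop", f"router preference {ra.preference} above {policy.router_preference_max}"
    if policy.match_acl and not any(ra.src in net for net in policy.match_acl):
        return "drop", f"RA source {ra.src} not permitted by access list"
    if policy.match_prefix_list:
        for p in ra.prefixes:
            if not any(p.subnet_of(allowed) for allowed in policy.match_prefix_list):
                return "drop", f"advertised prefix {p} not in prefix list"
    return "permit", "RA allowed by router policy"


@dataclass
class DhcpGuardPolicy:
    device_role: str = "client"            # "client" or "server"
    preference_min: Optional[int] = None   # DHCPv6 Preference option (0-255)
    preference_max: Optional[int] = None
    match_prefix_list: List[IPv6Network] = field(default_factory=list)  # assignable prefixes
    match_acl: List[IPv6Network] = field(default_factory=list)          # permitted server sources


@dataclass
class DhcpServerMessage:
    src: IPv6Address        # server's link-local source
    preference: int         # Preference option in ADVERTISE/REPLY
    assigned: IPv6Address   # address offered to the client


def evaluate_dhcp_server_msg(policy: DhcpGuardPolicy, msg: DhcpServerMessage) -> Tuple[str, str]:
    """Return ("permit"|"drop", reason) for a server-originated DHCPv6 message."""
    if policy.device_role == "client":
        return "drop", "DHCP server message received on a client port"
    if policy.device_role != "server":
        raise ValueError(f"role {policy.device_role!r} not modelled here")
    if policy.preference_min is not None and msg.preference < policy.preference_min:
        return "drop", f"server preference {msg.preference} below minimum {policy.preference_min}"
    if policy.preference_max is not None and msg.preference > policy.preference_max:
        return "drop", f"server preference {msg.preference} above maximum {policy.preference_max}"
    if policy.match_acl and not any(msg.src in net for net in policy.match_acl):
        return "drop", f"server source {msg.src} not permitted by access list"
    if policy.match_prefix_list and not any(msg.assigned in net for net in policy.match_prefix_list):
        return "drop", f"assigned address {msg.assigned} not in prefix list"
    return "permit", "server message allowed by server policy"


if __name__ == "__main__":
    # Constructed messages: an RA on a host port (the slide's hostpolicy case)
    # and a legitimate RA on an uplink with a router policy.
    rogue = RouterAdvertisement(IPv6Address("fe80::bad"), "high", [IPv6Network("2001:db8:1::/64")])
    print(evaluate_ra(RaGuardPolicy(), rogue))
    uplink = RaGuardPolicy("router", "medium", [IPv6Network("2001:db8::/32")], [IPv6Network("fe80::/10")])
    good = RouterAdvertisement(IPv6Address("fe80::1"), "medium", [IPv6Network("2001:db8:1::/64")])
    print(evaluate_ra(uplink, good))
```

The host-role branch is the `device-role host` case configured on the slides: every RA is dropped regardless of its contents. The router-role branch shows why the full implementation needs the preference and match parameters: without them an uplink would accept any prefix from any source.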
Creates and maintains a v6 binding table to ensure rogue users cannot spoof or steal addresses<br />
• ND Inspection<br />
• Address Glean (ND, DHCP)<br />
• IPv6 Source Guard (will be supported in a later release)<br />
• IPv6 Destination Guard<br />
• Device Tracking<br />
IPv6 Binding Table<br />
Intf | IPv6 | MAC | VLAN | State<br />
g1/10 | ::001A | 001A | 110 | Active<br />
g1/11 | ::001C | 001C | 110 | Stale<br />
g1/16 | ::001E | 001E | 200 | Verifying<br />
(Figure: Host A sends DHCP Request and ND / NS / RA messages to the first hop switch, which populates the IPv6 binding table shown above)<br />
Key Parameters: IPv6 snooping<br />
Device Roles: node, switch<br />
Protocol to Glean: nd, dhcp<br />
Commands: ND Inspection, DHCP Glean, ND Glean<br />
Limit address count: 1 - 10000<br />
Security level: guard, glean, inspect<br />
• One command to do them all!<br />
Creating an ipv6 snooping policy<br />
4500E-fhs-access(config)#ipv6 snooping policy nodepolicy<br />
4500E-fhs-access(config-ipv6-snooping)#device-role node<br />
4500E-fhs-access(config-ipv6-snooping)#protocol dhcp<br />
4500E-fhs-access(config-ipv6-snooping)#protocol ndp<br />
4500E-fhs-access(config-ipv6-snooping)#limit address-count 100<br />
4500E-fhs-access(config-ipv6-snooping)#exit<br />
4500E-fhs-access(config)#int gi0/5<br />
4500E-fhs-access(config-if)#ipv6 snooping attach-policy nodepolicy<br />
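As an added illustration of what the snooping policy above builds, here is a toy model of the binding table (example code for this page, not Cisco's implementation). It shows address glean from DHCP and ND, the per-port `limit address-count`, ND inspection rejecting a claim for an address already bound elsewhere, the Active / Stale / Verifying states from the slide's table, and a Source Guard style lookup. The timer handling, the single-tick aging and all names are this example's own assumptions.

```python
"""Toy model of the IPv6 snooping binding table (added example, not
Cisco's implementation). States and parameters follow the slides; the
timer model is simplified to one 'age' tick per call."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACTIVE, STALE, VERIFYING = "Active", "Stale", "Verifying"


@dataclass
class Binding:
    intf: str
    mac: str
    state: str
    last_seen: float


class BindingTable:
    def __init__(self, address_limit: int, reachable_time: float = 300.0):
        self.limit = address_limit            # 'limit address-count' of the policy
        self.reachable_time = reachable_time  # seconds unseen before a binding goes Stale
        self.table: Dict[Tuple[int, str], Binding] = {}  # (vlan, ipv6) -> binding

    def _count_on(self, intf: str) -> int:
        return sum(1 for b in self.table.values() if b.intf == intf)

    def glean(self, intf: str, vlan: int, ipv6: str, mac: str, now: float, via: str) -> Tuple[bool, str]:
        """Learn or refresh a binding from a DHCP reply or an ND message.
        Returns (accepted, reason); a rejected claim is what ND inspection drops."""
        key = (vlan, ipv6.lower())
        b = self.table.get(key)
        if b is not None:
            if b.mac != mac or b.intf != intf:
                # Another port/MAC claims an address that is already bound.
                return False, f"{ipv6} already bound to {b.mac} on {b.intf}"
            b.state, b.last_seen = ACTIVE, now
            return True, f"refreshed via {via}"
        if self._count_on(intf) >= self.limit:
            return False, f"address-count limit {self.limit} reached on {intf}"
        self.table[key] = Binding(intf, mac, ACTIVE, now)
        return True, f"learned via {via}"

    def age(self, now: float) -> None:
        """One timer tick: Active bindings unseen for reachable_time become
        Stale, Stale ones are probed (Verifying), unanswered probes are removed."""
        for key, b in list(self.table.items()):
            if b.state == ACTIVE and now - b.last_seen > self.reachable_time:
                b.state = STALE
            elif b.state == STALE:
                b.state = VERIFYING
            elif b.state == VERIFYING:
                del self.table[key]

    def probe_answered(self, vlan: int, ipv6: str, now: float) -> bool:
        """The device answered the switch's NS probe: back to Active."""
        b = self.table.get((vlan, ipv6.lower()))
        if b is None:
            return False
        b.state, b.last_seen = ACTIVE, now
        return True

    def state_of(self, vlan: int, ipv6: str) -> Optional[str]:
        b = self.table.get((vlan, ipv6.lower()))
        return b.state if b else None

    def permitted(self, intf: str, vlan: int, ipv6: str, mac: str) -> bool:
        """Source Guard style check: forward only if port, VLAN, source
        address and MAC all match an existing binding."""
        b = self.table.get((vlan, ipv6.lower()))
        return b is not None and b.intf == intf and b.mac == mac


if __name__ == "__main__":
    # Constructed events on VLAN 110, mirroring the slide's g1/10 row.
    t = BindingTable(address_limit=100)
    print(t.glean("g1/10", 110, "2001:db8::1a", "001a.0000.001a", 0.0, "dhcp"))
    print(t.glean("g1/12", 110, "2001:db8::1a", "0bad.0bad.0bad", 5.0, "nd"))  # rejected
    print(t.permitted("g1/10", 110, "2001:db8::1a", "001a.0000.001a"))
```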
Use SysLog messages to verify IPv6 FHS RA Violations on a switch.<br />
RA Guard<br />
If the client port is configured as host and receives any RA message the switch logs the messages as below<br />
*Mar 1 00:23:37.449: %SISF-4-PAK_DROP: Message dropped A=FE80::F2F7:55FF:FEBF:F144 G=- V=22 I=Gi1/34 P=NDP::RA Reason=Message unauthorized on port<br />
*Mar 1 00:24:03.197: %SISF-4-PAK_DROP: Message dropped A=FE80::F2F7:55FF:FEBF:F144 G=- V=22 I=Gi1/34 P=NDP::RA Reason=Message unauthorized on port<br />
The port remains in forwarding state as violating packets are dropped<br />
DHCPv6 Guard<br />
Switch# debug ipv6 snooping dhcp-guard<br />
*Mar 1 01:18:29.212: SISF[DHG]: Gi1/25 vlan 22 DHCP Guard setting sec level to GUARD<br />
*Mar 1 01:18:29.212: SISF[DHG]: Gi1/25 vlan 22 DHCP Server message for role dhcp client – Deny<br />
The port remains in forwarding state as violating packets are dropped<br />
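The messages above are what a collector sees; the following added example (written for this page, not Cisco tooling) parses them into events and counts violations per feature and port, which is the view needed to find the access port that keeps sourcing unauthorized RAs or DHCP server replies. The regular expressions follow the two excerpts on the slide; the sample log copies those lines, with the wrapped `%SISF-4-PAK_DROP` lines rejoined, plus one constructed unrelated line to show it is ignored.

```python
"""Parse Catalyst IPv6 FHS violation messages into events (added example,
not Cisco tooling). Message layouts come from the slide's two excerpts."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# %SISF-4-PAK_DROP: Message dropped A=<src> G=<gateway> V=<vlan> I=<port> P=<proto> Reason=<text>
PAK_DROP_RE = re.compile(
    r"%SISF-4-PAK_DROP: Message dropped A=(?P<addr>\S+) G=(?P<gw>\S+) V=(?P<vlan>\d+) "
    r"I=(?P<intf>\S+) P=(?P<proto>\S+) Reason=(?P<reason>.+)$"
)
# debug ipv6 snooping dhcp-guard: SISF[DHG]: <port> vlan <vlan> DHCP Server message for role dhcp client - Deny
DHG_DENY_RE = re.compile(
    r"SISF\[DHG\]: (?P<intf>\S+) vlan (?P<vlan>\d+) "
    r"DHCP Server message for role dhcp client\s*[-\u2013]\s*Deny"
)


@dataclass(frozen=True)
class FhsEvent:
    feature: str   # "RA Guard", "DHCPv6 Guard" or "IPv6 snooping"
    intf: str
    vlan: int
    source: str    # source address of the dropped packet, "" for the debug line
    reason: str


def parse_line(line: str) -> Optional[FhsEvent]:
    """Return an FhsEvent for a recognised violation line, None otherwise."""
    m = PAK_DROP_RE.search(line)
    if m:
        feature = "RA Guard" if m["proto"] == "NDP::RA" else "IPv6 snooping"
        return FhsEvent(feature, m["intf"], int(m["vlan"]), m["addr"], m["reason"].strip())
    m = DHG_DENY_RE.search(line)
    if m:
        return FhsEvent("DHCPv6 Guard", m["intf"], int(m["vlan"]), "",
                        "DHCP server message denied on client port")
    return None


def summarize(lines: Iterable[str]) -> Tuple[List[FhsEvent], Counter]:
    """Parse all lines; the counter is keyed by (feature, port)."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    return events, Counter((e.feature, e.intf) for e in events)


# Sample input: the slide's lines (wrapped lines rejoined) plus one constructed LINK message.
SAMPLE_LOG = [
    "*Mar 1 00:23:37.449: %SISF-4-PAK_DROP: Message dropped A=FE80::F2F7:55FF:FEBF:F144 G=- V=22 I=Gi1/34 P=NDP::RA Reason=Message unauthorized on port",
    "*Mar 1 00:24:03.197: %SISF-4-PAK_DROP: Message dropped A=FE80::F2F7:55FF:FEBF:F144 G=- V=22 I=Gi1/34 P=NDP::RA Reason=Message unauthorized on port",
    "*Mar 1 01:18:29.212: SISF[DHG]: Gi1/25 vlan 22 DHCP Guard setting sec level to GUARD",
    "*Mar 1 01:18:29.212: SISF[DHG]: Gi1/25 vlan 22 DHCP Server message for role dhcp client – Deny",
    "*Mar 1 01:20:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/34, changed state to up",  # constructed
]

if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LOG)
    for (feature, intf), n in counts.most_common():
        print(f"{feature:12s} {intf:8s} {n} violation(s)")
```

Because the port stays in forwarding state while the offending packets are dropped, the log is the only signal that a host on Gi1/34 is sending RAs; counting per port turns the two lines into one actionable item.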
Feature | Catalyst 4500E (Sup 7E/7L-E) | Catalyst 4500E (Sup 6E/6L-E) | Catalyst 4500-X | 4900M, 4948E, and 4948E-F<br />
RA Guard | ✔ | ✔ | ✔ | ✔<br />
DHCPv6 Guard | ✔ | ✔ | ✔ | ✔<br />
DAD Proxy | ✔ | ✔ | ✔ | ✔<br />
IPv6 Snooping | ✔ | ✔ | ✔ | ✔<br />
Destination Guard | ✔ | ✔ | ✔ | ✔<br />
DHCPv6 LDRA | ✔ | ✔ | ✔ | ✔<br />
All specs subject to change without notice<br />
• Cisco Catalyst 4500-X Switches<br />
• High Availability<br />
• Application Visibility and Troubleshooting<br />
• Network Virtualization<br />
• Software Services<br />
• Security<br />
• Smart Operations<br />
Smart Install Director<br />
Zero-touch Deployment and Maintenance<br />
Zero-touch Installation<br />
• Plug-n-Play for Switches<br />
• Anyone can install a switch: reduce travel, less skilled labor<br />
• Speeds up deployment for large installs: network does IOS SW install<br />
Centralized Image and Config Management<br />
• Catalyst switch update from a single point of control<br />
• Ensure configuration consistency across Catalyst switches<br />
• Prevents manual configuration errors<br />
Automated Replacement<br />
• Configurations automatically backed up<br />
• RMA supported: new client switch automatically configured same as old.<br />
• DHCP and TFTP Servers – centrally located and shared across network<br />
• Director – manages client image installation and configuration<br />
• Client – receives image and configuration from Director<br />
• Groups – collection of clients with same image and configuration<br />
(Figure: Catalyst 4500 Director running 3.4.0SG/15.1(2)SG, with TFTP and DHCP servers on the LAN and client groups below it)<br />
New Client Install Example, Director as DHCP Server<br />
1. New switch connected<br />
2. Director discovers client via CDP<br />
3. New switch issues DHCP discover<br />
4. Director adds options to DHCP offer<br />
5. Client retrieves image, config via TFTP<br />
6. Client reboots with new configuration and image<br />
(Figure: Director acting as DHCP server, TFTP servers, and the client; the whole process takes ~20 minutes)<br />
Key metrics and details<br />
• 4500 as Director can be TFTP server and DHCP server<br />
• 4500 as Director supports external TFTP server, external DHCP server, and clients not directly connected<br />
• Director discovers clients using CDP<br />
• Clients grouped with common image and configuration<br />
Description | Value<br />
Number of clients | 64<br />
Time for 1 client to install | 20 minutes approx<br />
Minimum License Level | IP Base<br />
Smart Install Clients<br />
Catalyst 3K: 3750, 3750v2, 3750E, 3750G, 3750X, 3560, 3560v2, 3560E, 3560G, 3560X<br />
Catalyst 2K: 2960, 2960S, 2960SF, 2960G<br />
Catalyst 2K/3K Compact: 2960C, 3560C<br />
Additional platforms will be supported in future releases<br />
Additional Smart Install Items<br />
• Support for on-demand update of startup-config for multiple client switches<br />
vstack download-config flash:vstack/client_cfg_update index <br />
• Support for on-demand update of IOS image for multiple client switches<br />
vstack download-image tar flash:vstack/C2960s-universalk9-tar-150-2.SE index <br />
• A client switch entry can be removed from a director's database<br />
clear vstack director-db entry <br />
• Change client startup vlan<br />
vstack startup-vlan <br />
Segment Smart Install Functions<br />
• Create and utilize a dedicated VLAN/DHCP scope only for Smart Install operation<br />
• Configure SI DHCP scope on director switch<br />
• Eliminate or severely restrict outside traffic into SI VLAN<br />
• Enable Catalyst Security features on every switchport in the smart install VLAN: DHCP Snooping, DAI, IP Source Guard, Port Security max MACs<br />
(Figure: Director Switch (4500) running the DHCP server for SI VLAN 10, VLAN 10 not routed; hardened TFTP server for client switch images and config with a PACL permitting tftp from VLAN 10; 3750X SI client on a switchport in VLAN 10 with Catalyst security features enabled; zero touch install)<br />
• Utilize Join Window on Director<br />
• Schedule a time-window for zero-touch image and config upgrades<br />
• Clients cannot download image/config outside the window<br />
• Disable TFTP server switchport or TFTP service outside of Join Window<br />
• Configure PACL on TFTP server that only allows tftp from smart install vlan DHCP scope<br />
• Prune SI VLAN from trunks when not in use<br />
Client to upstream switch connection – Vlan mismatch<br />
Port Channel not in effect on client side: reverts to individual links with STP<br />
Native vlan mismatch: Vlan 1 on client is mismatched with 4001 on Director<br />
(Figure: TFTP and DHCP servers behind the Director; Director Gig 2/1 in vlan 4001 connected to client Gig 1/0/49 in vlan 1)<br />
director Gig 2/1 config<br />
switchport mode trunk<br />
switchport trunk native vlan 4001<br />
switchport trunk allowed vlan 10,20,30,4000<br />
end<br />
client Gig 1/0/49 default config<br />
!!! No Intf config by default<br />
!!! Vlan 1 is untagged access vlan<br />
end<br />
Client Behavior before 15.0(2)SE: Client to upstream switch connection<br />
• New clients attempt to acquire IP address on vlan 1 interface by default<br />
• Changing Vlan 1 behavior on client breaks zero touch deployment: no need for Smart Install if customer touches all clients<br />
• Cisco best practices request/require no vlan 1 in the L2 network: aggregation/distribution layer will not have vlan 1 configured.<br />
• Customers uncomfortable with vlan “hopping”; willing to allow it for the short term – to get a new client operational<br />
2960, 3560, 3750 Client connect to SMI start-up management vlan – starting 15.0(2)SE<br />
• Director advertises start-up management vlan to all clients<br />
• Client will connect on advertised vlan interface: creates start-up vlan interface and does DHCP on it<br />
• New client learns startup mgmt vlan via CDP; client needs to run 15.0(2)SE or later<br />
Supported by 4500 as Director in 15.1(2)SG<br />
CDP IOS changes in 3750/3560 release 15.0(2)SE - Aug 2012<br />
• Q: When will Catalyst Clients have 15.0(2)SE in manufacturing?<br />
• A: Sometime in 2013<br />
• Configuration command to enable SMI management Vlan<br />
Switch(config)# vstack startup-vlan 80<br />
• Show command to see SMI management vlan<br />
Switch# show vstack config<br />
• Example output on Director<br />
Switch# show vstack config<br />
Role: Director (SmartInstall enabled)<br />
Vstack Director IP address: 192.168.80.1<br />
Vstack Mode: Basic<br />
Vstack default management vlan: 1<br />
Vstack start-up management vlan: 80<br />
Vstack management Vlans: 80<br />
Vstack Hostname prefix: C2960S_<br />
Join Window Details:<br />
Window: Open (default)<br />
Operation Mode: auto (default)<br />
Vstack Backup Details:<br />
Mode: Off<br />
Repository: flash:/vstack (default)<br />
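The `show vstack config` output above is also the place to verify the hardening items this deck recommends. The following added example (written for this page, not Cisco tooling) parses that output and flags a join window left open, client configuration backup left off, and VLAN 1 used as the start-up management VLAN. The sample output copies the Director output above, with the sub-keys indented as IOS prints them; the function names and the indentation assumption are this example's own.

```python
"""Hardening check over 'show vstack config' output (added example, not
Cisco tooling). Checks follow the deck's recommendations: use a join
window, keep client backups, keep clients off VLAN 1."""
from typing import Dict, List

# Sample input: the Director output shown on the slide (sub-keys indented).
SHOW_VSTACK_CONFIG = """\
Role: Director (SmartInstall enabled)
Vstack Director IP address: 192.168.80.1
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack start-up management vlan: 80
Vstack management Vlans: 80
Vstack Hostname prefix: C2960S_
Join Window Details:
 Window: Open (default)
 Operation Mode: auto (default)
Vstack Backup Details:
 Mode: Off
 Repository: flash:/vstack (default)
"""


def parse_show_vstack_config(text: str) -> Dict[str, str]:
    """Flatten the output into {key: value}; keys under a 'Details:' header
    are prefixed with that section, e.g. 'Join Window Details/Window'.
    Assumes sub-keys are indented, as in the sample."""
    values: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Details:"):
            section = line[:-1]
            continue
        if not raw.startswith((" ", "\t")):   # an unindented line ends the section
            section = ""
        key, _, value = line.partition(":")
        key = key.strip()
        values[f"{section}/{key}" if section else key] = value.strip()
    return values


def check_director(text: str) -> List[str]:
    """Return hardening findings for one Director's 'show vstack config'."""
    v = parse_show_vstack_config(text)
    findings: List[str] = []
    if v.get("Join Window Details/Window", "").lower().startswith("open"):
        findings.append("join window is open: clients can download image/config at any time; "
                        "schedule a join window and keep it closed otherwise")
    if v.get("Vstack Backup Details/Mode", "").lower() == "off":
        findings.append("client configuration backup is off: an RMA replacement cannot be "
                        "configured the same as the old switch automatically")
    startup_vlan = v.get("Vstack start-up management vlan",
                         v.get("Vstack default management vlan", "1"))
    if startup_vlan == "1":
        findings.append("start-up management VLAN is 1: new clients will do DHCP on VLAN 1")
    return findings


if __name__ == "__main__":
    for f in check_director(SHOW_VSTACK_CONFIG):
        print("-", f)
```

On the slide's own output the start-up VLAN check passes (VLAN 80) while the join window and backup checks fire, which matches the "(default)" markers in that output: both are settings the Director ships with, not choices the operator made.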
• Syslog on Client: receiving startup vlan<br />
*Mar 1 00:02:43.016: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down<br />
*Mar 1 00:02:45.323: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/48, changed state to up<br />
*Mar 1 00:02:47.352: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/48, changed state to up<br />
*Mar 1 00:02:47.992: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 10 on GigabitEthernet1/0/48 VLAN1.<br />
*Mar 1 00:02:47.992: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/48 on VLAN0001. Inconsistent local vlan.<br />
*Mar 1 00:02:57.880: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan80, changed state to down<br />
*Mar 1 00:03:27.869: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan80, changed state to up<br />
*Mar 1 00:03:32.876: DHCP: No configured hostname - not including Hostname option<br />
*Mar 1 00:03:35.901: Setting system hostname to C2960S_-d3.b0c1<br />
*Mar 1 00:03:35.922: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan80 assigned DHCP address 192.168.80.2, mask 255.255.255.0, hostname<br />
got vend id vend spec. info ret: succeed got vend id vend spec. info ret: succeed<br />
*Mar 1 00:04:11.107: %SMI-3-IMG_CFG_NOT_CONFIGURED: IBC (IP Address :192.168.80.2) : The Director does not have a image file or a configuration file configured for this Product-ID<br />
*Mar 1 00:04:11.112: %SMI-6-AUTOINSTALL: Continue AUTOINSTALL<br />
*Mar 1 00:04:11.112: %SMI-6-AUTOINSTALL: Aborted AUTOINSTALL<br />
*Mar 1 00:04:11.112: AUTOINSTALL: Obtain tftp server address (opt 150) 192.168.80.1<br />
1. STP blocks vlan 1 on uplinks because of vlan mismatch (00:02:47.992)<br />
2. CDP signals vlan 80, vlan 80 intf created (00:02:57.880)<br />
3. Client gets IP address from Director on vlan 80, Smart Install process begins (00:03:35.922)<br />
SMI client: behavior changes on uplink interface<br />
• Client receives start-up mgmt vlan via CDP TLV<br />
• Client converts uplink to “trunk” mode<br />
• Client adds start-up mgmt vlan to allowed list for trunk interface<br />
Uplink Interface configuration<br />
switchport access vlan 4000<br />
switchport trunk encapsulation dot1q<br />
switchport trunk native vlan 4000<br />
switchport mode dynamic desirable<br />
Client matches with interface configuration change<br />
switchport access vlan 1<br />
switchport trunk native vlan 1<br />
switchport trunk allowed vlan 80<br />
Layer 3 interface: startup vlan 80<br />
interface vlan 80<br />
ip address dhcp<br />
Global configuration<br />
vstack management vlan 80<br />
• Upstream device must be in trunk mode (eg: switchport mode dynamic desirable)<br />
• Client side interface changes: client changes the intf to trunk; client does not change access/native vlan id (remains vlan 1); client adds mgmt vlan (eg: 80) to the allowed vlans list on the trunk<br />
• Table below shows upstream switch intf config scenarios; the table assumes the smart install management/startup vlan is not vlan 1 (eg: vlan 80 is the startup vlan configured on Director); remove vlan 1 from trunks to clients<br />
(Figure: Director Gig 2/2 mode trunk, native vlan 4000, allowed vlan 80; Client Gig 0/1 mode auto, native vlan 1, allowed vlan 80)<br />
Upstream switch interface config (smart install mgmt vlan is 80):<br />
Access/Trunk | Native vlan id | Vlan 1 allowed on trunk | Client side Smart Install works? | Comments<br />
Trunk | 4000 | yes | Works | Trunk created; vlan 80 is added to allowed list<br />
Trunk | 1 | yes | Works | Trunk created; vlan 80 added to allowed list even with Vlan 1 allowed on upstream link<br />
Trunk | 80 | no | No | Client cannot change the native vlan ID<br />
Workaround without CDP signalled start-up vlan<br />
Current CVD recommendation<br />
interface Port-channel101<br />
description TO new client switches<br />
switchport<br />
switchport trunk encapsulation dot1q<br />
switchport trunk native vlan 4001<br />
switchport trunk allowed vlan 2-17,4093<br />
switchport mode trunk<br />
logging event link-status<br />
logging event bundle-status<br />
Change to..<br />
interface Port-channel101<br />
description TO new client switches<br />
switchport<br />
switchport trunk encapsulation dot1q<br />
switchport access vlan 4093<br />
!! VLAN 4093 is Smart Install VLAN !!<br />
switchport trunk native vlan 4001<br />
switchport trunk allowed vlan 2-17,4093<br />
switchport mode trunk<br />
• Configuration changes applicable to physical ports as well<br />
• With the new configuration, the client switch negotiates the mode to ‘access’ and gets an IP on the access vlan<br />
• Smart Install works as before without vlan 1 being enabled on the Director and other switches<br />
• Tested in SBA and UAG TME labs.<br />
!<br />
ip dhcp remember<br />
!<br />
! Director IP<br />
interface Loopback0<br />
ip address 15.15.15.15 255.255.255.255<br />
!<br />
! DHCP helper<br />
interface GigabitEthernet 1/2<br />
ip address 1.1.1.1 255.255.255.0<br />
ip helper-address 15.15.15.15<br />
!<br />
! Client groups<br />
vstack group custom 3750v2 mac<br />
image flash0:c3750-ipbasek9-tar.122-55.SE.tar<br />
config flash0:config_3750.txt<br />
match mac 0015.c6e8.6480<br />
!<br />
vstack group custom 2960S mac<br />
image flash0:c2960-lanbasek9-tar.122-55.SE.tar<br />
config flash0:2960_sales_3.txt<br />
match mac 9c4e.2059.f680<br />
!<br />
vstack group built-in 2960 8<br />
image flash0:c2960-lanbasek9-tar.122-55.SE.tar<br />
config flash0:config_2960_1.txt<br />
!<br />
! TFTP server<br />
tftp-server flash0:default_imglist.txt<br />
tftp-server flash0:seed_config.txt<br />
tftp-server flash0:config_2960G_1.txt<br />
tftp-server flash0:config_3750.txt<br />
tftp-server flash0:2960_sales_3.txt<br />
tftp-server client_cfg.txt<br />
tftp-server flash0:2960g-8-imagelist.txt<br />
tftp-server flash0:c3750-ipbasek9-tar.122-55.SE.tar<br />
tftp-server flash0:3750-imagelist.txt<br />
tftp-server flash0:c2960-lanbasek9-tar.122-55.SE.tar<br />
tftp-server flash0:2960G-imagelist.txt<br />
!<br />
vstack hostname-prefix springfield<br />
!<br />
! DHCP server<br />
vstack dhcp-localserver pool1<br />
address-pool 1.1.1.1 255.255.255.224<br />
file-server 1.1.1.1<br />
default-router 1.1.1.1<br />
!<br />
! Enable Smart Install<br />
vstack director 15.15.15.15<br />
vstack basic<br />
!<br />
end<br />
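A Director configuration like the one above is only consistent if every file a `vstack group` points at is also exported with a `tftp-server` line, since that is how the client fetches it. The following added example (written for this page, not Cisco tooling) checks exactly that over the vstack part of the configuration shown above, embedded here as the sample input, and separately lists served files no group references so the set of files the Director hands out can be reviewed against what Smart Install actually needs. The function names are this example's own.

```python
"""Consistency check over a Smart Install director configuration (added
example, not Cisco tooling). DIRECTOR_CONFIG copies the vstack part of the
configuration shown on the slide."""
from typing import Dict, List, Optional, Set, Tuple

DIRECTOR_CONFIG = """\
vstack group custom 3750v2 mac
 image flash0:c3750-ipbasek9-tar.122-55.SE.tar
 config flash0:config_3750.txt
 match mac 0015.c6e8.6480
!
vstack group custom 2960S mac
 image flash0:c2960-lanbasek9-tar.122-55.SE.tar
 config flash0:2960_sales_3.txt
 match mac 9c4e.2059.f680
!
vstack group built-in 2960 8
 image flash0:c2960-lanbasek9-tar.122-55.SE.tar
 config flash0:config_2960_1.txt
!
tftp-server flash0:default_imglist.txt
tftp-server flash0:seed_config.txt
tftp-server flash0:config_2960G_1.txt
tftp-server flash0:config_3750.txt
tftp-server flash0:2960_sales_3.txt
tftp-server client_cfg.txt
tftp-server flash0:2960g-8-imagelist.txt
tftp-server flash0:c3750-ipbasek9-tar.122-55.SE.tar
tftp-server flash0:3750-imagelist.txt
tftp-server flash0:c2960-lanbasek9-tar.122-55.SE.tar
tftp-server flash0:2960G-imagelist.txt
!
vstack hostname-prefix springfield
!
vstack dhcp-localserver pool1
 address-pool 1.1.1.1 255.255.255.224
 file-server 1.1.1.1
 default-router 1.1.1.1
!
vstack director 15.15.15.15
vstack basic
!
end
"""

Group = Dict[str, Optional[str]]


def parse_vstack(config: str) -> Tuple[Dict[str, Group], Set[str]]:
    """Return {group name: {"image": file, "config": file}} and the set of
    files exported with 'tftp-server'."""
    groups: Dict[str, Group] = {}
    served: Set[str] = set()
    current: Optional[str] = None          # group whose sub-commands we are in
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("vstack group "):
            current = line[len("vstack group "):]
            groups[current] = {"image": None, "config": None}
        elif line.startswith("tftp-server "):
            served.add(line.split(None, 1)[1])
        elif current is not None and line.split(None, 1)[0] in ("image", "config"):
            kind, value = line.split(None, 1)
            groups[current][kind] = value
    return groups, served


def audit(config: str) -> Tuple[List[str], List[str]]:
    """Return (findings, unreferenced): findings are group files the director
    cannot serve; unreferenced are served files no group points at."""
    groups, served = parse_vstack(config)
    findings: List[str] = []
    referenced: Set[str] = set()
    for name, g in groups.items():
        for kind in ("image", "config"):
            f = g[kind]
            if f is None:
                findings.append(f"group '{name}': no {kind} file")
                continue
            referenced.add(f)
            if f not in served:
                findings.append(f"group '{name}': {kind} {f} has no tftp-server line")
    return findings, sorted(served - referenced)


if __name__ == "__main__":
    findings, extra = audit(DIRECTOR_CONFIG)
    for f in findings:
        print("FINDING:", f)
    print("served but not referenced by any group:", extra)
```

Run against the slide's configuration, the audit reports the `built-in 2960 8` group: its config file is `flash0:config_2960_1.txt`, while the only similar `tftp-server` entry is `flash0:config_2960G_1.txt`, so a client in that group could not fetch its configuration. The unreferenced list contains the image-list and seed files Smart Install itself uses plus `client_cfg.txt`; anything in that list that is not needed is a file the Director is exposing for no reason.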
Software Release Roadmap<br />
[Roadmap timeline figure: quarters Q1 to Q4 of CY2010 through CY2013. Release trains and annotations shown on it:]<br />
• XE 3.2.0SG, 15.0(2)SG (Young)<br />
• Last Software Train for Non-E Platforms e.g. SUP2, SUP4, SUPV-10G<br />
• XE 3.2.0XO: SUP7L-E Intro Release<br />
• XE 3.3.0SG, 15.1(1)SG (Yap)<br />
• 15.0(2)SE (Nile)<br />
• XE 3.4.0SG, 15.1(2)SG (Texel)<br />
• 15.2(1)E (Indus, Converged Release)<br />
• Last SW Train for C2960G, C3560G, C3750G, C3560E & C3750E<br />
• 15.0(1)SE Summer11: Wall-E Intro Release<br />
• 12.2(58)SE Winter11<br />
• 12.2(55)SE Summer10<br />
• Last SW Train for 16 MB flash platforms e.g. C3560-24TS/24PS, C3750G-24T/12S, C2350, C2975<br />
Legend: C4K New Feature Release; C4K Extended Maintenance Release; C2K/3K New Feature Release; C2K/3K Extended Maintenance Release; 2K/3K/4K New Feature Converged Release; 2K/3K/4K Extended Maintenance Converged Release<br />
TEXEL (Cat 4500E, 4500-X and 4900M, 4948E, and 4948E-F) NEW FEATURE RELEASE<br />
Minimum license level per platform. Platform columns, in order: Catalyst 4500E (Supervisor 6/6L-E), Catalyst 4500E (Supervisor 7/7L-E), Catalyst 4500-X, C4948E, C4948E-F, C4900M.<br />
• VSS Functionality: IP Base, IP Base (listed for two of the platform columns only)<br />
• IPv6 First Hop Security: LAN Base, LAN Base, IP Base, LAN Base, LAN Base, LAN Base<br />
• Smart Install Director Support: LAN Base, LAN Base, IP Base, IP Base, IP Base, IP Base<br />
• Multicast High Availability (NSF/SSO) for IPv4 & IPv6: IP Base, IP Base, IP Base (listed for three of the platform columns only)<br />
• IPv6 VACL & IPv6 ACL support for SPAN session: LAN Base, LAN Base, IP Base, IP Base, IP Base, IP Base<br />
• Support for X2 10G Base T (Infrastructure): LAN Base, LAN Base, IP Base (listed for three of the platform columns only)<br />
• Policy Based Routing (PBR) Next Hop Support: Enterprise Services on all six platforms<br />
• Bootstrap Router (BSR) Scoped Zone Support: Enterprise Services on all six platforms<br />
• Please check www.cisco.com/go/4500x for:<br />
Datasheet<br />
Video Datasheet<br />
At-a-glance<br />
Architecture Whitepaper<br />
Product Bulletin<br />
Flash video presentation<br />
Kaon 3-D view<br />
Thank you.