7600 Unified Service Mapping
TRANSCRIPT
Cisco Highly Confidential (Internal Only)
Unified Service Mapping on 7600
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Javed Asghar
ES40 Architecture 1
Wei Yin Tay, Consulting Systems Engineer
ES+ Product Family – For Field Use (Photo Gallery)
[Figure: ES+ Series 4-Port 10GE Line Cards, ES+ Series 40-Port GE Line Cards, ES+ Series 2-Port 10GE Line Cards, ES+ Series 20-Port GE Line Cards]
Agenda
• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features
Flexible UNI – EVC: UNI Evolution and EVC Enhancements
[Figure: UNI evolution by IOS release, from Switchport or Routed Port/sub-interface (12.2(18)SXF and earlier) and Mux UNI through 12.2(33)SRA, 12.2(33)SRB, 12.2(33)SRC, SRD and SRE]
Flexible Ethernet Edge – New EVC Ethernet Infrastructure
[Figure: access edge (DSL, ETTx, PON, Cable, MSPP, Mobile; Residential STB and Business/Corporate sites) into Aggregation, then BRAS, SR/PE and DPI, into an MPLS/IP Core Network with a Content Farm (VOD, TV, SIP). Service types: L2 P-to-P (local or xconnect), L2 MP local bridging, L2 MP VPLS, L3 routed. Frame types: untagged, single tagged, double tagged, 802.1q, 802.1ad, etc.]
LAN Mux UNI – Catalyst LAN and SIP-600
• Normal L2 switchport + SVI for L2/L3 service
• L2 and L3 co-exist on the same port
  – P2P EoMPLS under sub-interface
  – L2 bridging via L2 switchport main interface
  – L3/VRF and VPLS via SVI
• No VLAN local significance, 4k VLANs max.
[Figure: LAN or SIP-600 port; VLANs 6, 7 and 8 cascade through the switchport; VLANs 11 and 12 use a sub-interface for xconnect]
E-MPB on SIP-400
• No global VLAN resource needed for xconnect – VLAN scalability
• L2 and L3 co-exist on the same port
• Flexible L2/L3 service mapping
• VLAN local port significance and VLAN scalability
• H-QoS support on main-interface/sub-interface
• Split-horizon option provides "isolation" between sub-interfaces
• Bridge-domain is a global VLAN which has an L2/L3 service associated
• Put a maximum of 120 sub-interfaces (per SIP-400) into the same bridge domain
• Option to add a second VLAN tag or replace the encap VLAN tag
• Option to drop or transparently forward CE BPDU
[Figure: SIP-400 port with VLANs 6, 7 and 8, VLAN 8 shown as L3/VRF termination (single tag only); VLANs 6, 7 and 9 mapped into Bridge-domain 100 with the [dot1q-tunnel] and [bpdu transparent | drop] options]
Cisco 7600 Flexible Ethernet UNI – Convergence of Residential Quad Play + Business VPN (Barracuda)
• The Flexible Ethernet UNI defines a unique, virtual L2 or L3 service instance per customer
• A service instance can be a MAC address, VLAN, Q-in-Q VLAN, L2 VPLS pseudowire, IP address, or L3 MPLS VPN
• For each service instance, Flexible UNI offers:
  – Unique ID with service separation via VLAN or MAC translation
  – H-QoS with shaping per VC
  – IP+MAC spoofing prevention
  – Ethernet and MPLS OAM
• Each service instance can in turn be flexibly mapped to:
  – L2: Pseudowires, H-VPLS
  – L3: IP, IPv6, MPLS VPN
[Figure: OSS / Policy Management above a 7600 offering H-QoS per EFP, flexible MAC/VLAN translation (1:1, 2:2, 1:2), security, OAM, SBC and video; service instances mapped to L3 IP/IPv6, L3 MPLS VPN, EoMPLS/H-VPLS, L2 point-to-point, L2 bridged and L2/L3 integration]
Flexible UNI – CLI Model
service instance <id> ethernet
 encapsulation <dot1q/QinQ | untagged | default | dot1ad | etc>
 rewrite ingress <push | pop | translate> symmetric
 xconnect | bridge-domain   (forwarding commands)
 service-policy input
 service-policy output
 <other features>
[Figure: the ingress LC (ES+/ES20/SIP) performs frame matching (a combination of up to two VLAN tags), the ingress encap rewrite (pop/push/translate VLAN tags) and features, then forwarding: local connect (P2P), xconnect (P2P) to VPLS/EoMPLS, bridge-domain (MP) into a global VLAN and SVI for L2 bridging or L3/VRF, or L3/VRF termination using a sub-interface; the egress LC (L2 LAN or IP/MPLS, L2 SIP) performs the egress encap rewrite (push/pop/translate tags)]
Flexible Frame Matching CLI
• Single tagged frame
encapsulation dot1q {any | "<vlan-id>[,<vlan-id>[-<vlan-id>]]"}
The VLAN tag can be a single value, a list, a range, or any (1-4096).
interface gig 1/1/1
 service instance 1 ethernet
  encapsulation ?
    default   catch-all unconfigured encapsulation
    dot1ad    802.1ad - Provider Bridges
    dot1q     IEEE 802.1Q Virtual LAN or S-VLAN
    untagged  Untagged encapsulation
• Double tagged frame (only the first two tags are looked at when a frame carries more than two tags)
encapsulation dot1q <vlan-id> second-dot1q {any | "<vlan-id>[,<vlan-id>[-<vlan-id>]]"}
The first VLAN tag must be unique; the second VLAN tag can be any, unique, a range or a list.
• Default tag
encapsulation default
Matches all frames, tagged or untagged, that are not matched by another more specific service instance.
• Untagged
encapsulation untagged
Matches frames with no tag, for example native VLAN 1.
Flexible Frame Matching Examples
• Ethernet Flow Points ...
  – Provide classification of L2 flows on Ethernet interfaces
  – Are also referred to as EVC service instances
  – Support dot1q and Q-in-Q
  – Support VLAN lists
  – Support VLAN ranges
  – Support VLAN lists and ranges combined
  – Coexist with routed subinterfaces
[Figure: EFPs on one physical Ethernet interface (GE/10GE) – VLANs 100, 101, 102 match VLAN range 100-102; VLAN 14 matches VLAN 14; VLANs 200, 203, 210 match VLAN list 200, 203, 210; tags 300,100 match outer VLAN 300 and inner VLAN 100; tags 400,1 / 400,2 / 400,3 match outer VLAN 400 with inner VLAN range 1-3; tags 400,11 / 400,17 / 400,34 match outer VLAN 400 with inner VLAN list 11, 17, 34]
EVC – Flexible VLAN Tag Manipulation
interface gig 1/1/1
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag ?
    pop        Pop the tag
    push       Rewrite Operation of push
    translate  Translate Tag
NPE1(config-if-srv)#rewrite ingress tag pop ?
  1  Pop the outermost tag (remove 1 tag)
  2  Pop two outermost tags (remove 2 tags)
NPE1(config-if-srv)#rewrite ingress tag pop dot1q 10                  (remove one tag)
NPE1(config-if-srv)#rewrite ingress tag pop dot1q 10 second-dot1q 20  (remove two tags)
NPE1(config-if-srv)#rewrite ingress tag translate ?
  1-to-1  Translate 1-to-1
  1-to-2  Translate 1-to-2
  2-to-1  Translate 2-to-1
  2-to-2  Translate 2-to-2
Service CLI Example – Point-to-point (P-to-P, no MAC learning/forwarding)
Point-to-point local connect
connect <name> <interface-type/slot/port> <efp-id> <ethernet-type/slot/port> <efp-id>
interface GigabitEthernet4/1/0
 service instance 3 ethernet
  encapsulation dot1q 51
  rewrite ingress tag translate 1-to-2 dot1q 52 second-dot1q 52 symmetric
interface GigabitEthernet4/1/1
 service instance 3 ethernet
  encapsulation dot1q 52 second-dot1q 52
connect eline-3 GigabitEthernet4/1/0 3 GigabitEthernet4/1/1 3
Point-to-point xconnect
xconnect <peer-address> <VC-ID> encapsulation mpls
interface GigabitEthernet4/1/1
 service instance 11 ethernet
  encapsulation dot1q 101 second-dot1q 60-70
  xconnect 10.0.0.3 101 encapsulation mpls
Service CLI Example – Multipoint (MAC based forwarding)
Multipoint local bridging and VPLS
bridge-domain <global-vlan-id> [split-horizon]
Split-horizon disables L2 communication between two EFPs
Local Bridging
interface GigabitEthernet4/1/0
 service instance 101 ethernet
  encapsulation dot1q 101-1000
  bridge-domain 100
interface GigabitEthernet4/1/1
 service instance 101 ethernet
  encapsulation dot1q 101-1000
  bridge-domain 100
interface GigabitEthernet3/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
VPLS
interface GigabitEthernet4/1/0
 service instance 2 ethernet
  encapsulation dot1q 20
  bridge-domain 20 split-horizon
interface GigabitEthernet4/1/1
 service instance 2 ethernet
  encapsulation dot1q 20
  bridge-domain 20 split-horizon
interface Vlan20
 xconnect vfi vpls-20
Service CLI Example – L3 routed
Single tag termination
Option 1
interface GigabitEthernet4/1/1
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
interface Vlan100
 ip address 100.1.100.1 255.255.255.0
Option 2
interface GigabitEthernet4/1/1.100
 encapsulation dot1q 100
 ip address 100.1.100.1 255.255.255.0
Double tag termination
Option 1
interface GigabitEthernet4/1/1
 service instance 100 ethernet
  encapsulation dot1q 100 second 200
  rewrite ingress tag pop 2 symmetric
  bridge-domain 100
interface Vlan100
 ip address 100.1.100.1 255.255.255.0
Option 2
interface GigabitEthernet4/1/1.100
 encapsulation dot1q 100 second 200
 ip address 100.1.100.1 255.255.255.0
Flexible UNI – L3 Termination
• Uses sub-interface for configuration
• Uses IDB
• Used for L3 and L3 VPN termination (no support for mpls ip under sub-interface)
• L3 sub-interfaces and main-interfaces consume internal VLAN
Exact vs. Non-Exact Matching
• EVC only uses non-exact matching, which is outermost tag matching
• 'encap dot1q 10' matches any packet whose outermost tag equals 10:
[Figure: frames with tag stacks 10; 10 200; 10 100; 10 100 1000 all match]
• 'encap dot1q 10 sec 100' matches any packet with outermost tag 10 and second tag 100
Longest tag match
EVC supports longest tag matching within the same GigE port: double tag is matched first, then single tag.
Int G3/0/0 – frame received (tags) vs. EFP configuration matched:
  10       -> dot1q 10
  10 200   -> dot1q 10
  10 100   -> dot1q 10 sec 100
  10 130   -> dot1q 10 sec 128-133
Encapsulation Types
• "Any"
Port has no service instance configured with a tag:
service instance 10 ethernet
 encap dot1q any
'encap dot1q any' is translated by the parser to 'encap dot1q 1-4094'.
Port has a service instance configured with a tag:
service instance 10 ethernet
 encap dot1q 10
service instance 20 ethernet
 encap dot1q any
'encap dot1q any' is equivalent to the remaining VLAN ranges; in this example it is 'encap dot1q 1-9, 11-4094'.
The same rule applies to any for the second tag.
What happens if "encap dot1q any" is configured first, followed by "encap dot1q 10"? The system treats this as an invalid configuration and will not accept it.
• "Default"
"Catch all unspecified" entry; catches any packet that does not match any other existing EFP configuration
One per interface
Can be used to configure port mode services
EVC Encapsulation Match Order
1. From most specific to most general
2. No exact match based on outermost tag number
3. Encap untagged matches untagged packets
4. Encap default catches all remaining traffic without a specific match. If there is no encap untagged configured, it also catches untagged packets.
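The matching rules of the Flexible Frame Matching, Exact vs. Non-Exact, Longest Tag Match, Encapsulation Types and Match Order slides, put together as an added Python model (not Cisco code): the parser rules for 'any' and 'default', then the frame-to-EFP selection in the order the slides give. Class and function names are this example's own; the Int G3/0/0 port from the Longest Tag Match slide is built at the end.

```python
"""Model of how a 7600 port picks the EFP for a frame (Flexible Frame
Matching, Exact vs. Non-Exact, Longest Tag Match, Encapsulation Types and
Match Order slides).  Added example, not Cisco code."""
from dataclasses import dataclass
from typing import List, Optional, Set

ALL_VLANS: Set[int] = set(range(1, 4095))   # parser expands 'any' to 1-4094


def parse_vlan_spec(spec: str) -> Set[int]:
    """'100-102', '200,203,210', '128-133' or 'any' -> set of VLAN ids."""
    if spec == "any":
        return set(ALL_VLANS)
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


@dataclass
class EFP:
    efp_id: int
    kind: str                   # "dot1q", "untagged" or "default"
    outer: Set[int]             # outermost tag values (dot1q only)
    inner: Optional[Set[int]]   # second tag values; None = single-tag EFP
    outer_any: bool = False     # configured as 'dot1q any'
    inner_any: bool = False     # configured as 'second-dot1q any'


def efp_from_encap(efp_id: int, encap: str) -> EFP:
    """Build an EFP from its 'encapsulation ...' line."""
    w = encap.split()
    if w[:2] == ["encapsulation", "untagged"]:
        return EFP(efp_id, "untagged", set(), None)
    if w[:2] == ["encapsulation", "default"]:
        return EFP(efp_id, "default", set(), None)
    if w[:2] != ["encapsulation", "dot1q"]:
        raise ValueError("unsupported encapsulation: " + encap)
    double = len(w) == 5 and w[3] == "second-dot1q"
    return EFP(efp_id, "dot1q", parse_vlan_spec(w[2]),
               parse_vlan_spec(w[4]) if double else None,
               outer_any=(w[2] == "any"), inner_any=(double and w[4] == "any"))


class Port:
    def __init__(self) -> None:
        self.efps: List[EFP] = []      # service instances on this interface

    def add(self, efp: EFP) -> None:
        """Parser rules: 'any' becomes the VLANs not yet claimed at the same
        tag depth; a specific tag overlapping an existing EFP (an earlier
        'any' included) is rejected; one default EFP per interface."""
        if efp.kind == "default":
            if any(e.kind == "default" for e in self.efps):
                raise ValueError("only one 'encapsulation default' per interface")
        elif efp.kind == "dot1q" and efp.inner is None:
            used = set().union(*[e.outer for e in self.efps
                                 if e.kind == "dot1q" and e.inner is None])
            if efp.outer_any:
                efp.outer = ALL_VLANS - used
            elif efp.outer & used:
                raise ValueError("outer tag already matched by another EFP")
        elif efp.kind == "dot1q":
            used = set().union(*[e.inner for e in self.efps
                                 if e.inner is not None and e.outer & efp.outer])
            if efp.inner_any:
                efp.inner = ALL_VLANS - used
            elif efp.inner & used:
                raise ValueError("outer/inner tag pair already matched")
        self.efps.append(efp)

    def classify(self, tags: List[int]) -> Optional[int]:
        """EFP id for a frame whose tag stack is `tags` (outermost first):
        double-tag EFPs, then single-tag, then untagged, then default.
        Only the two outermost tags are examined (non-exact matching)."""
        if len(tags) >= 2:
            for e in self.efps:
                if e.inner is not None and tags[0] in e.outer and tags[1] in e.inner:
                    return e.efp_id
        if tags:
            for e in self.efps:
                if e.kind == "dot1q" and e.inner is None and tags[0] in e.outer:
                    return e.efp_id
        for kind in (["default"] if tags else ["untagged", "default"]):
            for e in self.efps:        # default also catches untagged frames
                if e.kind == kind:
                    return e.efp_id
        return None


def build_g3_0_0() -> Port:
    """Int G3/0/0 from the Longest Tag Match slide, plus a default EFP."""
    port = Port()
    port.add(efp_from_encap(1, "encapsulation dot1q 10"))
    port.add(efp_from_encap(2, "encapsulation dot1q 10 second-dot1q 100"))
    port.add(efp_from_encap(3, "encapsulation dot1q 10 second-dot1q 128-133"))
    port.add(efp_from_encap(4, "encapsulation default"))
    return port
```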
L2 Control Protocol Handling (includes STP/VTP/CDP)
                     No <l2protocol forward>                          With <l2protocol forward>
Local Connect        Forwarded transparently as data                  N/A
Xconnect             Forwarded transparently as data                  N/A
SVI/Bridge Domain    Drop all BPDU                                    Forwarded transparently as data
Native VLAN          Under service instance "encap untag": dropped    Under service instance "encap untag": forwarded transparently
How Do I Tunnel STP/VTP/CDP?
[Figure: VPLS attachment circuits into a 7600 VFI – MPLS pseudo ports, FR bridging (RFC 1490), ATM bridging (RFC 1483), Ethernet switchport, Ethernet EFP]
• Each VPLS instance can have multiple attachment circuits (ACs) and multiple virtual circuits (VCs). ACs and VCs are in the same L2 broadcast domain, and packets are forwarded based on MAC address.
• ACs can be of different types, such as ATM (RFC 1483) bridging, FR (RFC 1490) bridging, native Ethernet switchport, or native Ethernet EFP (EVC based configuration).
• L2PT applies to Ethernet ACs only. Normally it is STP, CDP and VTP packets.
PW Status TLV for Error Codes, etc.
• The current implementation of the AToM control plane has no provision for PW status. What this typically means is that when the AC (access circuit interface) associated with a PW is down (or being held down for PW redundancy), labels advertised to peers will be withdrawn. This is because AToM has no other way of signalling the AC status to the peer. However, this is not ideal, as upon switch-over there is now extra delay in advertising labels to the new peer.
• RFC 4447 specifies extensions for LDP which allow PW status to be carried in notification messages to peers. This decouples LDP label mappings from the AC status notification and allows labels to be retained through AC status changes:
  – as soon as the xconnect is provisioned,
  – and until the xconnect is unprovisioned or the AC interface is shut down.
• The upshot of this is less time to do a switch-over, as the labels have already been exchanged.
Flexible UNI Features Summary
UNI             Hardware                             Feature Highlights
Mux UNI         Catalyst LAN and SIP-600 (cascade)   L2 switchport main interface coexists with EoMPLS sub-interface under the same physical port
E-MPB           SIP-400 (cascade)                    • L2 and L3 service co-exist on the same port
                                                     • Flexible L2/L3 service mapping
                                                     • VLAN scalability
                                                     • Split horizon provides a feature similar to private VLAN "isolated port"
Flexible QinQ   SIP-400 with V2GE SPA, ES20, ES+     Same benefit as E-MPB, plus:
                                                     • VLAN local significance
                                                     • 2 VLAN tag awareness (matching, termination, CoS, etc.)
                                                     • Matching a range of VLAN tags
                                                     • Flexible VLAN tag manipulation (pop/push) and translation (1-1, 1-2, 2-1, 2-2)
                                                     • More VLAN scalability
                                                     • Local connect support including hair pinning
Agenda – Service Mapping Options
VPLS Deployment Options in SRD
[Figure: Option 1 – UNI ES+, NNI ES+; Option 2 – UNI ES20/SIP400, NNI ES+; Option 3 – UNI 67xx, NNI ES+; Option 4 (legacy) – UNI any DFC LC, NNI ES20 or any DFC LC]
EoMPLS Deployment Options in SRD
[Figure: Option 1 – UNI ES+, NNI ES+/67xx; Option 2 – UNI ES+/ES20/SIP400, NNI ES+; Option 3 – UNI 67xx, NNI ES+; Option 4 (legacy) – UNI 67xx, NNI 67xx]
L3VPN Deployment Options in SRD
[Figure: Option 1 – UNI ES+, NNI ES+/67xx; Option 2 – UNI ES+/ES20/SIP400, NNI ES+; Option 3 – UNI 67xx, NNI ES+; Option 4 (legacy) – UNI 67xx, NNI 67xx]
Agenda – MAC Hashing Internals
Cisco 7600 Internals – Basics of a Layer 2 Forwarding Operation
The MAC Address Table (or CAM Table) is a piece of memory in a switch that is used to store MAC addresses and the ports from which they were learnt.
• CAM tables range in size across the different switch platforms
• The CAM table can also store the VLAN within which the MAC was learnt
[Figure: hosts A–F attached to ports 1–6; CAM table rows MAC A / port 1, B / 2, C / 3, D / 4, E / 5, F / 6]
Cisco 7600 Internals – Layer 2 Forwarding on the PFC3
On the PFC3B is an integrated CAM Table that supports up to 64,000 MAC address entries (PFC3C up to 96,000 MAC).
[Figure: MAC Table – 16 pages × 4096 rows, 4K*16 = 64K entries]
Cisco 7600 Internals – Layer 2 Forwarding on the PFC3
[Figure: frame (VLAN, MAC) -> Hash -> MAC Table row, 16 pages × 4096 rows, 4K*16 = 64K entries; sample rows 20 | 0000.2222.7777, 10 | 0000.1111.cccc, 30 | 0000.bbbb.ac1c, 30 | 0000.dddd.a112; Hit!!!]
1. The hash result identifies the starting page and row in the MAC table
2. The lookup key (VLAN and MAC) is compared to the contents of the indexed line on each page, sequentially
3. Destination lookup: a match returns the destination interface(s); a miss results in a flood. Source lookup: a match updates the age of the matching entry; a miss installs a new entry in the table
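The three-step lookup above, as an added Python model of the PFC3B table (not Cisco code): a hash over the (VLAN, MAC) key selects one of the 4096 rows, the 16 pages of that row are compared in order, a destination miss floods and a source miss installs the entry. The slides do not give the hash function, so CRC32 stands in for it (an assumption); the colliding_macs helper is constructed to show what the sequential page compare does once a row's 16 pages are full.

```python
"""Model of the PFC3B MAC table lookup from the 'Layer 2 Forwarding on the
PFC3' slides.  Added example, not Cisco code.  Assumption: CRC32 stands in
for the (unpublished) hardware hash; the 16-page x 4096-row layout is the one
the slide states."""
import zlib
from dataclasses import dataclass
from typing import List, Optional

PAGES, ROWS = 16, 4096          # 4K * 16 = 64K entries
FLOOD = "flood"


@dataclass
class Entry:
    vlan: int
    mac: str
    port: str
    age: int = 0                # 0 = seen during the current aging interval


def hash_row(vlan: int, mac: str) -> int:
    """Placeholder hash over the lookup key (VLAN + MAC) -> row index."""
    return zlib.crc32(f"{vlan}/{mac.lower()}".encode()) % ROWS


class MacTable:
    def __init__(self) -> None:
        # rows[row][page] holds at most one (VLAN, MAC) entry
        self.rows: List[List[Optional[Entry]]] = [
            [None] * PAGES for _ in range(ROWS)]

    def _find(self, vlan: int, mac: str) -> Optional[Entry]:
        """Compare the key to the indexed line of each page, sequentially."""
        for entry in self.rows[hash_row(vlan, mac)]:
            if entry is not None and entry.vlan == vlan and entry.mac == mac.lower():
                return entry
        return None

    def source_lookup(self, vlan: int, mac: str, port: str) -> str:
        """Learning: a hit refreshes the age (and port); a miss installs the
        entry in a free page of the hashed row."""
        entry = self._find(vlan, mac)
        if entry is not None:
            entry.age, entry.port = 0, port
            return "refreshed"
        row = self.rows[hash_row(vlan, mac)]
        for page, slot in enumerate(row):
            if slot is None:
                row[page] = Entry(vlan, mac.lower(), port)
                return "installed"
        return "row full"       # all 16 pages taken: this MAC cannot be learnt

    def destination_lookup(self, vlan: int, mac: str) -> str:
        """Forwarding: a hit returns the port; a miss floods the VLAN."""
        entry = self._find(vlan, mac)
        return entry.port if entry is not None else FLOOD

    def forward(self, vlan: int, src: str, dst: str, in_port: str) -> str:
        """Process one frame: source learning, then destination lookup."""
        self.source_lookup(vlan, src, in_port)
        return self.destination_lookup(vlan, dst)

    def age(self, aging_time: int) -> int:
        """Bump every entry's age and drop those past `aging_time`;
        returns the number of entries removed."""
        removed = 0
        for row in self.rows:
            for page, entry in enumerate(row):
                if entry is None:
                    continue
                entry.age += 1
                if entry.age > aging_time:
                    row[page] = None
                    removed += 1
        return removed

    def count(self) -> int:
        return sum(e is not None for row in self.rows for e in row)


def colliding_macs(vlan: int, mac: str, n: int) -> List[str]:
    """Constructed helper: n distinct MACs that hash to the same row as `mac`
    in `vlan`, to exercise the case where a row's 16 pages are exhausted."""
    target, found, i = hash_row(vlan, mac), [], 0
    while len(found) < n:
        candidate = "0000.%04x.%04x" % (i >> 16, i & 0xFFFF)
        if candidate != mac.lower() and hash_row(vlan, candidate) == target:
            found.append(candidate)
        i += 1
    return found
```

The sample MACs in the test are the ones from the show mac-address-table output on the next slide; the same MAC learnt in two VLANs gets two independent entries, as the slide's note says.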
Cisco 7600 Internals – Layer 2 Forwarding on the PFC3
Cisco IOS show mac-address-table
The MAC addresses that have been learned by the switch can be viewed from the switch CLI using the following command. Note that for each MAC address learned, the port from which the address arrived is stored along with the VLAN of which the host is a part.
6509#show mac-address-table dynamic vlan 30
Codes: * - primary entry
  vlan   mac address     type    learn  qos   ports
------+----------------+--------+-----+---+-----------------------
*   30  0003.a088.c408  dynamic  Yes   --   Fa3/18
*   30  0012.d949.04d2  dynamic  Yes   --   Gi5/1
*   30  0003.a08a.15f3  dynamic  Yes   --   Fa3/24
*   30  0090.a400.1850  dynamic  Yes   --   Fa3/14
*   30  0003.a08a.15f9  dynamic  Yes   --   Fa3/25
<…>
6509#
NOTE: You can have duplicate MAC addresses as long as they appear in a different VLAN
NOTE: MAC address learning is done in HARDWARE
Agenda – ES+ EVC and Packet Flow
ES+ Trident NPU Overview
• 10GE full duplex, 30Mpps packet processing capability
• 20 bytes preamble and IFG emulation – not reported in LC/RP stats
• VPLS, QinQ Termination, QinQ Selective mapping, EoMPLS, 802.1ah, Scalable EoMPLS, E-MPB, EVC
• AToM/VPLS Tunnel Select, H-VPLS
• L2 Multicast
• All MQC QoS (i.e. no MLS QoS CLI)
• Strict priority support at all levels in TM (priority propagation)
• Etc.
VLAN ID – Global or Local Port Significant?
LC / Config   L2 switchport   Sub-interface                  EVC model
LAN           Global          Global                         N/A
SIP600        Global          Global                         Global
ES20          Global          QinQ: Local / Dot1q: Global    Local
ES+           Global          Local                          Local
SIP400        N/A             Local                          Local
Other WAN     N/A             Local                          N/A
7600 VLAN Local Significance Support
Interface Types        ES+ (aka ES+40/20)   ES20                         SIP400   67xx
EVC Dot1q              Yes                  Yes                          Yes      No
EVC QinQ               Yes                  Yes                          Yes      No
Sub-interface Dot1q    Yes                  No (Fugu ASIC limitation)    Yes      No
Sub-interface QinQ     Yes                  Yes                          Yes      No
• VLAN Local Significance means:
  1. VLAN is terminated in the NPU
  2. VLAN lookup, rewrites, etc. are performed in the NPU
EVC QinQ EoMPLS System Packet Flow – No EVC rewrite and no QoS marking
[Figure: PE1 (UNI ES+/ES20/SIP400, NNI ES+ or any DFC) – P – PE2 (NNI ES+ or any DFC, UNI ES+/ES20/SIP400), with the DBus inside each PE]
service instance 300 ethernet
 description ** EVC EoMPLS, No rewrite, No QoS
 encapsulation dot1q 50 second-dot1q 1-4094
 xconnect 2.2.2.2 50 encapsulation mpls
PE1 ingress stages: Ingress Pkt From Link (S-CoS = 5, C-CoS = 4) -> Packet with Dbus CoS (Dbus-CoS = 5, S-CoS = 5, C-CoS = 4) -> Ingress Rewrite: None -> Ingress Marking: None -> After Imposition (EXP = 5, S-CoS = 5, C-CoS = 4)
PE2 egress stages: received with EXP = 5 -> Egress Rewrite: None (Dbus-CoS = 5, S-CoS = 5, C-CoS = 4) -> Egress Marking: None -> Egress Pkt On Link (S-CoS = 5, C-CoS = 4)
EVC QinQ EoMPLS System Packet Flow – EVC rewrite POP 1 and no QoS marking
[Figure: PE1 (UNI ES+/ES20/SIP400, NNI ES+ or any DFC) – P – PE2 (NNI ES+ or any DFC, UNI ES+/ES20/SIP400), with the DBus inside each PE]
service instance 300 ethernet
 description ** EVC EoMPLS, rewrite POP 1, No QoS
 encapsulation dot1q 50 second-dot1q 1-4094
 rewrite ingress tag pop 1 symmetric
 xconnect 2.2.2.2 50 encapsulation mpls
PE1 ingress stages: Ingress Pkt From Link (S-CoS = 5, C-CoS = 4) -> Packet with Dbus CoS (Dbus-CoS = 5, S-CoS = 5, C-CoS = 4) -> Ingress Rewrite: POP 1, DCoS = S-CoS (Dbus-CoS = 5, S-tag removed (---), C-CoS = 4) -> Ingress Marking: None -> After Imposition (EXP = 5, no S-tag, C-CoS = 4)
PE2 egress stages: received with EXP = 5 -> Egress Rewrite: Push 1, S-CoS = DCoS (Dbus-CoS = 5, S-CoS = 5, C-CoS = 4) -> Egress Marking: None -> Egress Pkt On Link (S-CoS = 5, C-CoS = 4)
EVC QinQ EoMPLS System Packet Flow – EVC rewrite POP 1 and Set CoS = 7 marking
[Figure: PE1 (UNI ES+/ES20/SIP400, NNI ES+ or any DFC) – P – PE2 (NNI ES+ or any DFC, UNI ES+/ES20/SIP400), with the DBus inside each PE]
service instance 300 ethernet
 description ** EVC EoMPLS, rewrite POP 1, Set CoS = 7
 encapsulation dot1q 50 second-dot1q 1-4094
 rewrite ingress tag pop 1 symmetric
 service-policy input set-cos=7
 xconnect 2.2.2.2 50 encapsulation mpls
PE1 ingress stages: Ingress Pkt From Link (S-CoS = 5, C-CoS = 4) -> Packet with Dbus CoS (Dbus-CoS = 5, S-CoS = 5, C-CoS = 4) -> Ingress Rewrite: POP 1, DCoS = S-CoS (Dbus-CoS = 5, S-tag removed (---), C-CoS = 4) -> Ingress Marking: Set CoS = 7, DCoS = set-CoS (Dbus-CoS = 7) -> After Imposition (EXP = 7, no S-tag, C-CoS = 4)
PE2 egress stages: received with EXP = 7 -> Egress Rewrite: Push 1, S-CoS = DCoS (Dbus-CoS = 7, S-CoS = 7, C-CoS = 4) -> Egress Marking: None -> Egress Pkt On Link (S-CoS = 7, C-CoS = 4)
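The three packet-flow slides above, as an added Python model (not Cisco code) that carries Dbus CoS, S-CoS, C-CoS and EXP through the PE1 ingress and PE2 egress stages for no rewrite, pop 1, and pop 1 plus an input policy setting CoS 7. The rules DCoS = S-CoS on the Dbus, EXP = DCoS at imposition and S-CoS = DCoS on the symmetric egress push are read off the slide values (an assumption), and only pop 0 and pop 1 are modelled since those are the cases the slides show.

```python
"""Model of the 'EVC QinQ EoMPLS System Packet Flow' slides.  Added example,
not Cisco code.  Assumptions: DCoS = S-CoS on the Dbus, EXP = DCoS at
imposition, S-CoS = DCoS on the egress push; pop 0 and pop 1 only."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    s_cos: Optional[int]            # S-tag CoS; None when the S-tag is absent
    c_cos: int                      # C-tag CoS, never touched on these slides
    dbus_cos: Optional[int] = None  # internal Dbus CoS (DCoS) inside the PE
    exp: Optional[int] = None       # MPLS EXP of the imposed label


@dataclass(frozen=True)
class ServiceInstance:
    pop: int = 0                    # 'rewrite ingress tag pop <n> symmetric'
    set_cos: Optional[int] = None   # 'service-policy input' that sets CoS


Trace = List[Tuple[str, Frame]]


def pe1_ingress(frame: Frame, si: ServiceInstance) -> Trace:
    """UNI -> Dbus -> rewrite -> marking -> MPLS imposition on PE1."""
    if si.pop not in (0, 1):
        raise ValueError("only pop 0 / pop 1 are modelled")
    trace: Trace = [("Ingress Pkt From Link", frame)]
    f = replace(frame, dbus_cos=frame.s_cos)          # DCoS copied from S-CoS
    trace.append(("Packet with Dbus CoS", f))
    if si.pop == 1:                                   # POP 1, DCoS = S-CoS kept
        f = replace(f, s_cos=None)
    trace.append(("Ingress Rewrite", f))
    if si.set_cos is not None:                        # set cos: DCoS = set-CoS
        f = replace(f, dbus_cos=si.set_cos)
    trace.append(("Ingress Marking", f))
    f = replace(f, exp=f.dbus_cos)                    # EXP = DCoS
    trace.append(("After Imposition", f))
    return trace


def pe2_egress(frame: Frame, si: ServiceInstance) -> Trace:
    """MPLS disposition -> rewrite -> marking -> UNI on PE2 (symmetric)."""
    f = replace(frame, dbus_cos=frame.exp, exp=None)  # DCoS taken from EXP
    trace: Trace = [("After Disposition", f)]
    if si.pop == 1:                                   # Push 1, S-CoS = DCoS
        f = replace(f, s_cos=f.dbus_cos)
    trace.append(("Egress Rewrite", f))
    trace.append(("Egress Marking", f))               # no egress policy here
    f = replace(f, dbus_cos=None)                     # Dbus CoS is PE-internal
    trace.append(("Egress Pkt On Link", f))
    return trace


def end_to_end(frame: Frame, si: ServiceInstance) -> Tuple[Frame, Frame]:
    """Return (packet as imposed by PE1, packet as sent by PE2 on its UNI)."""
    imposed = pe1_ingress(frame, si)[-1][1]
    on_link = pe2_egress(imposed, si)[-1][1]
    return imposed, on_link


def print_trace(trace: Trace) -> None:
    for stage, f in trace:
        print(f"{stage:24s} Dbus-CoS={f.dbus_cos} S-CoS={f.s_cos} "
              f"C-CoS={f.c_cos} EXP={f.exp}")


if __name__ == "__main__":
    uni_frame = Frame(s_cos=5, c_cos=4)   # the incoming frame on the slides
    for name, si in [("no rewrite, no QoS", ServiceInstance()),
                     ("pop 1, no QoS", ServiceInstance(pop=1)),
                     ("pop 1, set cos 7", ServiceInstance(pop=1, set_cos=7))]:
        print("==", name)
        print_trace(pe1_ingress(uni_frame, si))
        print_trace(pe2_egress(pe1_ingress(uni_frame, si)[-1][1], si))
```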
Agenda – L2VPN HA
L2VPN NSF/SSO in 12.2 SRC Release
• No extra commands introduced
• Supported for targeted LDP and local switching configurations
• AToM related commands are sync'd as part of the config between active and standby SUP/RSP
• If there is a version command mismatch, the router will revert back to RPR+
  – Commands with version mismatch are reported in ISSU show/debug outputs
• Features supported:
  – AToM P2P: Eth (all flavors), ATM, FR, HDLC, PPP, CEM
  – VPLS and H-VPLS
  – ATM/FR Local Switching, TDM
  – Tunnel Select
  – Interworking
Agenda – SRD EVC Features
EVC Port/MAC Security
service instance 415 ethernet 415
 encapsulation dot1q 415
 rewrite ingress tag pop 1 symmetric
 bridge-domain 415 split-horizon
 mac security maximum addresses 3
 mac security address permit 0000.0415.0301
 mac security sticky
 mac security violation restrict
 mac security
AGG1-rossi(config-if-srv)# mac security aging ?
  static  Apply aging controls to statically configured addresses also
  sticky  Apply aging controls to persistent ("sticky") addresses also
  time    Configure aging time
• Port security works with dynamically learned and static MACs to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.
• A security violation occurs in either of these situations:
  – the maximum number of secure MAC addresses has been reached and a source MAC address is different from the identified secure MACs
  – traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN
DHCP snooping /w Option 82
• Traditional "port + VLAN" information is not enough to identify the subscriber uniquely. It may require the access encapsulation VLAN information.
Circuit-id suboption layouts (suboption type, length; circuit-id type, length; fields):
Normal (not EVC)                  1, 6            0, 4    port, mod, internal vlan
EVC, no encapsulation (i.e. raw)  1, 10+str len   1, 8    port, mod, internal vlan, EFP id, subscriber str
EVC, 802.1q encapsulation         1, 12+str len   2, 10   port, mod, internal vlan, EFP id, .1q tag, subscriber str
EVC, q-in-q encapsulation         1, 14+str len   3, 12   port, mod, internal vlan, EFP id, outer .1q tag, inner .1q tag, subscriber str
The subscriber string is user configurable. The EVC layouts are a new enhancement for EVC.
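An added encoder and decoder for the circuit-id suboption layouts on this slide (not Cisco code), covering the normal form and the three EVC forms, with the decoder rejecting length/type inconsistencies instead of trusting a relay-inserted field blindly. The slide gives only lengths, so the field widths are an assumption inferred from them (port and mod 1 byte each, internal VLAN and each .1q tag 2 bytes, EFP id 4 bytes), which reproduce the stated circuit-id lengths 4, 8, 10 and 12.

```python
"""Encoder/decoder for the DHCP Option 82 circuit-id suboption layouts on the
'DHCP snooping /w Option 82' slide.  Added example, not Cisco code.
Assumption: field widths (port/mod 1 byte, VLAN and tags 2 bytes, EFP id
4 bytes) are inferred from the lengths the slide states."""
import struct
from dataclasses import dataclass
from typing import Optional

SUBOPTION_CIRCUIT_ID = 1
CID_NORMAL, CID_EVC_RAW, CID_EVC_DOT1Q, CID_EVC_QINQ = 0, 1, 2, 3
CID_BODY_LEN = {CID_NORMAL: 4, CID_EVC_RAW: 8, CID_EVC_DOT1Q: 10, CID_EVC_QINQ: 12}


@dataclass
class CircuitId:
    port: int
    mod: int
    internal_vlan: int
    efp_id: Optional[int] = None        # present in every EVC form
    outer_tag: Optional[int] = None     # .1q tag (802.1q) or outer tag (q-in-q)
    inner_tag: Optional[int] = None     # inner tag (q-in-q only)
    subscriber: str = ""                # user-configurable, EVC forms only

    def cid_type(self) -> int:
        if self.efp_id is None:
            return CID_NORMAL
        if self.inner_tag is not None:
            return CID_EVC_QINQ
        return CID_EVC_DOT1Q if self.outer_tag is not None else CID_EVC_RAW


def encode_circuit_id(cid: CircuitId) -> bytes:
    """Suboption 1 = [1][len][cid type][cid len][fields][subscriber str]."""
    kind = cid.cid_type()
    body = struct.pack("!BBH", cid.port, cid.mod, cid.internal_vlan)
    if kind != CID_NORMAL:
        body += struct.pack("!I", cid.efp_id)
    if kind in (CID_EVC_DOT1Q, CID_EVC_QINQ):
        body += struct.pack("!H", cid.outer_tag)
    if kind == CID_EVC_QINQ:
        body += struct.pack("!H", cid.inner_tag)
    assert len(body) == CID_BODY_LEN[kind]
    subscriber = cid.subscriber.encode() if kind != CID_NORMAL else b""
    payload = bytes([kind, len(body)]) + body + subscriber
    if len(payload) > 255:
        raise ValueError("subscriber string too long for a one-byte length")
    return bytes([SUBOPTION_CIRCUIT_ID, len(payload)]) + payload


def decode_circuit_id(data: bytes) -> CircuitId:
    """Parse one circuit-id suboption; every length must agree with the
    declared type before any field is trusted."""
    if len(data) < 4 or data[0] != SUBOPTION_CIRCUIT_ID:
        raise ValueError("not a circuit-id suboption")
    if data[1] != len(data) - 2:
        raise ValueError("suboption length does not match payload")
    kind, body_len = data[2], data[3]
    if CID_BODY_LEN.get(kind) != body_len:
        raise ValueError(f"circuit-id type {kind} with length {body_len}")
    body = data[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated circuit id")
    if kind == CID_NORMAL and len(data) != 4 + body_len:
        raise ValueError("normal circuit id carries no subscriber string")
    port, mod, internal_vlan = struct.unpack("!BBH", body[:4])
    cid = CircuitId(port, mod, internal_vlan)
    if kind != CID_NORMAL:
        cid.efp_id = struct.unpack("!I", body[4:8])[0]
        cid.subscriber = data[4 + body_len:].decode()
    if kind in (CID_EVC_DOT1Q, CID_EVC_QINQ):
        cid.outer_tag = struct.unpack("!H", body[8:10])[0]
    if kind == CID_EVC_QINQ:
        cid.inner_tag = struct.unpack("!H", body[10:12])[0]
    return cid
```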
Dynamic ARP Inspection
• Uses the DHCP Snooping Binding Table information
• All ARP packets must match the IP/MAC binding table entries
• If the entries do not match, throw them in the bit bucket
[Figure: hosts 10.1.1.1 / MAC A, 10.1.1.2 / MAC B and 10.1.1.3 / MAC C on a switch with DHCP Snooping and Dynamic ARP Inspection enabled; MAC C sends an ARP to 10.1.1.1 saying "10.1.1.2 is MAC C" and an ARP to 10.1.1.2 saying "10.1.1.1 is MAC C"; the non-matching ARPs go in the bit bucket => DENY]
IP Source Guard
• Uses the DHCP Snooping Binding Table information
• Operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets
[Figure: hosts 10.1.1.1 / MAC A, 10.1.1.2 / MAC B and 10.1.1.3 / MAC C on a switch with DHCP Snooping, Dynamic ARP Inspection and IP Source Guard enabled; received traffic with source IP 10.1.1.2 / MAC B and 10.1.1.3 / MAC C matches the binding table; traffic sent with IP 10.1.1.3 / MAC B and with IP 10.1.1.2 / MAC C does not ("Is this in my binding table? NO!") and is dropped]
AGG1-rossi(config-if-srv)#ip verify source vlan dhcp-snooping                 (validate IP only)
AGG1-rossi(config-if-srv)#ip verify source vlan dhcp-snooping port-security   (validate both IP and MAC)
7600 EVC Storm Control
• EVC storm control is enabled per port; it only applies to broadcast and multicast traffic, not unicast traffic
• Storm control is implemented in the NP microcode using the single-rate policer
• The rate is shared by all types of traffic
• Broadcast and multicast suppression share the same policer, so they both need the same suppression rate. If the operator configures a higher or lower rate for broadcast or multicast, the latest configured rate is in effect for both of them.
• If 0% is specified then all traffic is dropped
• If 100% is specified then all traffic is allowed
AGG1-rossi(config)#int gig 2/37
AGG1-rossi(config-if)#storm-control broadcast level 1.00
AGG1-rossi(config-if)#storm-control multicast level 1.00
AGG11(config-if)#storm unicast level 10
Command Rejected: Unicast suppression is not supported on Gi2/20
AGG1-rossi#sh int gig 2/37 counters storm-control
Port     UcastSupp %   McastSupp %   BcastSupp %   TotalSuppDiscards
Gi2/37        100.00          1.00          1.00              250596
7600 EVC L2 ACL
• EVC L2 MAC ACL only works on source and/or destination MAC address; it does not work on ethertype, VLAN ID, etc.
• The ACL counters are per ACL, not per ACE
• Like other IOS ACLs, it has an implicit "deny any any" at the end of the ACL
mac access-list extended mac-415
 permit host 0000.0415.0401 any
 permit host 0000.0415.0401 host 0000.0415.0302
service instance 415 ethernet
 mac access-group mac-415 in
AGG2-duhan#show ethernet service instance id 415 interface gig 2/0/16 detail | inc ACL
L2 ACL (inbound): mac-415
L2 ACL permit count: 189418
L2 ACL deny count: 367339
LACP Port Channel /w EVC
• Port Channel interfaces represent aggregated Ethernet ports, for both increased bandwidth and link redundancy
• 7600 has supported routed interfaces and L2 switchports over port channels for a long time
• EVC Port Channel allows Ethernet service instances (EVCs) to be configured over port channel interfaces. It is supported from the SRC release with static channel mode "on"
• The SRD release will support LACP as the channel protocol in addition to the static channel mode "on" configuration. PAgP is not supported
• SIP-400 does not support port-channel
Port Channel Traffic Load Balancing
• Ingress traffic for an EVC can be received on any of the member ports of the port channel, depending on the load balancing algorithm used on the peer device
• Egress traffic for an EVC is transmitted out of a single pre-determined member port. Thus the egress load balancing is per service instance
• Manual EVC load balancing considered for SRE*
[Figure: interface po5 with members Gi4/0/0 and Gi4/0/10 – ingress: EVC 1 and EVC 2 arrive on either member and reach the forwarding function; egress: the forwarding function sends EVC 1 out one member and EVC 2 out the other]
*SRE is not EC'd, subject to change