catalyst 6500 - cisco · catalyst 6500 series lifecycle vss pisa …. 2003 2006 2008 2009 20102007...
TRANSCRIPT
© Cisco Systems 2008
Catalyst 6500Platform Update – Australia East
Bradley Wong
Technical Marketing Engineer, CSSTG
May 2008
Catalyst 6500 Product Update
Strategic Product Direction…
Video
Peer to Peer
Power
Latest OS
Collaboration
Physical SecurityVideo on Demand
Telepresence
E-mail, Chat, and IM
Unified Messaging
Power Efficiency
On-Line Gaming
File Sharing
Bandwidth &Services
DPI / Policy
ePoE
IPv4 / IPv6
Security
Device Explosion Wired/Wireless
Power Management
WebEx
Video Conferencing
Linux
Apple OS XWindows Vista
Power Scalability
Laptops
Hand HeldsAPs & Surveillance
TrendsDriving New Network Challenges
Catalyst 6500 SeriesLifecycle
VSS
PISA
2007…. 2003 2006 2008 2009 2010 2011 2012 2020
Supervisor Engine 720 with MPLS, IPv6, GRE, NAT, and Bi-dir PIM in HW
40G/100G uplinks
Supervisor Engine 2T
PFC4 (Earl8)
40G interfaces
EARL9 – 150Mpps
DCE L2MP
VoQ
E-Series Chassis
“Big Bang”
720G VSS 1440 2T/ VSS 4T
2003 - 2007
C2
2003 - 2008
• 10GbE Switching
• ISSU Ph1
• Adv. IP Services (IPv6,
MPLS)
• Virtual Switching
• Cisco TrustSec Ph1
• IBNS / NAC Integration
• L4-7 Integration
(ACE, WISM, FWSM, NAM)
• Software Modularity
• Adv. Diagnostics
(GOLD, EEM, Smart Call
Home)
Integrated Services
• 384 GE Ports
• 128 10G Ports
Embedded Services &
Control
CX
2011 - 2012
• 150Mpps
• 40G/100G Uplinks
• Virtual Output Queuing
• DCE L2MP
• Embedded Application
Aware Port Security
and Services
C4
2009 - 2010
Intelligent Networks
• 2 Terabit; 80G/ slot
• 6513E Chassis
• 8p 10G card (CTS, 80G)
• VNET
• VPLS
• Role Based Access Control
• Cisco TrustSec Ph2
• Service Insertion Arch.
• Flexible Netflow
• ACL Dry-run
• Connectivity Mgmt
Processor (CMP)
• 528 GE Ports
• 180 10G Ports
• >40 40G Ports
Infrastructure
Virtualization
Security
Manageability
Application
Intelligence/
Services
Port Density (Chassis)
Campus Distribution/Core Flagship Catalyst 6500
• >500 GE Ports
• >250 10G Ports
• >40 40G Ports
• 100G
Catalyst 6500 IOS Software
Whitney1
12.2(33)SXH
Shipped – Aug’07
• Sup720-10GE
• 6509V-E
• 16 port 10GE linecard
• Virtual Switching
• CatOS transition Ph 1
- Address highest priority features
• Routing/MPLS features from 12.2(33)S
• LLDP-MED
• Lawful Intercept
• 50 new MIBs
Whitney2
12.2(33)SXI
EC – Q3CY08
• ISSU-Phase1 with Virtual Switching and Modular Software
• Virtual Switching Enhancements
• Cisco TrustSec software solution
• CatOS transition Ph 2
• Address some additional priority features
• Identity 4.0
• IPv6 Leadership: 6VPE, EIGRPv6, HSRPv6, IPv6 DHCP Relay, Syslog and SNMP over IPv6, IPsec for IPv6
Half Dome
12.2(50)SY
Target – 1HCY10
• New PFC4 and DFC4
• Flexible Netflow
• End-to-end L2 Encryption
• VPLS and H-VPLS in hardware
• New 80G/slot linecards
Cisco IOS Software Modularity
Cisco IOS
Whitney2.x
12.2(33)SX…
Target – 1HCY09
• IPv6/MPLS with VSS
• 4 Byte BGP ASN
• Enh. HSRP SSO
• BFD SSO
• CSM support
• PBR Set VRF
• REP
• SFP+ Adapter for X2 Slots
• Identity ACL assignment enh.
• Identity over Trunks
• Rollback confirmed change
Unified Network Services
Non-Stop Communication
Operational Manageability
Virtualization
Application Intelligence
Integrated Security
Wiring Closet Backbone Data Center EWAN Metro
SP
Network
Whitney 2
12.2(33)SXI
FCS–Q3CY08
�EIGRPv6
�CTS Infrastructure
�WiSM support on VSS
�IPv6 Support on VSS
�EIGRPv6
�Service advertisement
Framework
�FWSM, ACE, IDSM
support on VSS
�IPsec Leadership with Granikos�Static VTI�IPSec for IPv6
�VTPv3
�E-LMI
�ISSU support for SIP
modules, MPLS-TE, VSS.
�Call-Home Phase 2
�IPSLA integration with E-
OAM
�802.1ak (MRP)
� E-OAM 802.1ag
�802.1x, MAC Auth, Web Auth for Access Control�HSRPv6 on VRF
�HSRPv6 on VRF
�VRF-Lite Aware PBR
�PBR set VRF
� BFD support for HSRP
L2, L3 VPN Innovations
�VRF Aware PBR�6vPE
�OAM RFI link fault fast
recovery
�IPv6 DHCP relay �IPv6 DHCP relay •VSS support for 512
Ether-channels
�IPSec QoS
�Netflow for GRE/GRE-
IPSec
�802.1ad
�802.1x enhancement
�Multihop SXP
�CTS infrastructure
�PACL support on VSS
interface
�FWSM support on VSS
�Encrypt multicast over IPSec
�802.1ak (MRP)
�ISSU Phase-1 �VSS & ISSU�VSS & ISSU
�HSRP/GLBPv6
�Show health, Syslog
Granularity
�Mini-protocol analyzer
�SNMP, Syslog over IPv6
�Mini-protocol analyzer
�Netconf over SSH
�CTS Infrastructure
�Multihop SXP
�PACL support on VSS
interface
�SNMP, Syslog over IPv6
�LLDP-MIB
�Syslog Granularity
�ISSU support for
MPLS-TE
�Pseudowire
redundancy
Catalyst 6500 Product Update
Campus Core, Distribution & Data
Centre Innovations…
Catalyst 6500 SupervisorsSupervisor 720-10G VSS
The Supervisor 720-10G VSS is designed for deployment in the Core and Distribution Layers of
the Network - it is the highest performing Supervisor option available for the Catalyst 6500
platform coupled with the PFC3C/XL, enabling Virtual Switching System (VSS)…
Catalyst 6500 Supervisors PFC3 Comparison
Feature PFC3A PFC3B PFC3BXL PFC3C PFC3CXL
FIB TCAM 256K 256K 1M 256K 1M
Adjacency
Table
1M 1M 1M 1M 1M
Netflow
Table128K (64K) 128K (115K) 256K (230K) 128K (115K) 256K (230K)
MAC Table 64K (32K) 64K (32K) 64K (32K) 96K (80K) 96K(80K)
IPv6 128K 128K 500K 128K 500K
Bi-Dir PIM Hardware Hardware Hardware Hardware Hardware
Native MPLS No Yes Yes Yes Yes
EoMPLS No Yes Yes Yes Yes
VRF Lite Yes Yes Yes Yes Yes
TunnelsHardware Hardware + QoS
Policies
Hardware + QoS
Policies
Hardware + QoS
Policies
Hardware + QoS
Policies
NAT Hardware Hardware + UDP Hardware + UDP Hardware + UDP Hardware + UDP
VSS No No No Yes Yes
Catalyst 6500 WS-X6716-10G-3C/XL
Cisco TrustSec (CTS)
Cisco TrustSec (CTS) affects multiple areas of the network and comprises of improvements in
the following areas:
Confidentiality & Integrity
Centralized Attribute Based Access Control (ABAC) Policy Administration
1
2
3 Identification, Authentication and Authorization for all networked entities,
and classification into topology independent security groups
Cisco TrustSecEndpoint Access
Endpoint Access in Cisco TrustSec deals with how workstations and server resources alike are
able to authenticate into a CTS-enabled network, and are provided appropriate authorization
credentials, including a Security Group Tag (SGT)…
Cisco TrustSecNetwork Device Access
Network Device Access in Cisco TrustSec deals with how Network Devices (Routers &
Switches) are able to authenticate into a CTS-enabled network, and are provided appropriate
authorization credentials, including a Security Group Tag (SGT)…
Cisco TrustSecConfidentiality & Integrity
As part of the Cisco TrustSec architecture, Confidentiality and Integrity may also be provided
via hop-by-hop 802.1ae LinkSec encryption coupled with Replay Protection of each and every
frame, ensuring that each frame is uniquely authenticated…
Cisco TrustSecSGT Imposition
After Endpoint Admission where the endpoint is authenticated and authorized, an SGT will be
derived and associated. If the Access device hardware is capable of imposing an SGT, every
frame that is transmitted with also have an SGT appended as well…
Cisco TrustSecSGT Enforcement
Once the frame reaches a Hardware-capable CTS device that has RBACL enforcement enabled,
the SGT from the workstation will be compared with the DGT associated with the resource it
wishes to access and an enforcement decision will be made…
Service Insertion Architecture Before SIA…
- Modify topology to redirect via WCCP (Svc1)
- Check to ensure network still works
- Modify topology to redirect via PBR (Svc 2)
- Make sure network + WCCP still work
- Modify topology to create two VLANS and routes between them (Svc3)
- Make sure network + WCCP + PBR still work
- Modify topology to create two more VLANs and routes between them (Svc 4)
- Make sure network +WCCP + PBR + additional VLANs / routes still work
- Modify topology to create two more VLANs and routes between them
- Make sure network + WCCP + PBR + add. VLANs and routes still work (Svc 5)
- For redundancy, more configurations needed.
- For troubleshooting, more configurations needed
Service Insertion Architecture With SIA…
- Enable SIA Infrastructure / Service
- Configure “Service Path” on Service Directory
- Service Aware Infrastructure converges around configured service path
- Initiate SIA’ping’ / SIA’traceroute’ to validate service path
SIA SIMPLIFIES service deployment and implementation
X2 - SFP+ Converter ModuleCode Name “Prosciutto”
• Will convert any X2 slot into a SFP+ slot
• Offers flexibility for
long range (X2 - ER, ZR, DWDM),
campus (X2 - LX4, CX4, LR, SR, LRM) and
future
datacenter focused (SFP+ SR, LR, SFP+ direct
attached cable) connectivity options
• Provides seat for 1 x 10G SFP+ slot into a
single X2 10G port
• Available on 6500 with Whitney 2.x 1HCY09
SFP+ direct attachedCX1
• SFP+ copper twinax with direct attached
cables: two SFP+ and one cable in one part
number.
• Lowest cost 10G interconnect mainly
targeted at server-to-switch applications.
• Currently available in 1m, 3m, 5m; 10m
coming later this year.
• Will be available on C6k and C4k via
Prosciutto adapter
Product Type Product ID
10GBASE-CU SFP+ Cable 1 MeterSFP-H10GB-CU1M
10GBASE-CU SFP+ Cable 3 Meter SFP-H10GB-CU3M
10GBASE-CU SFP+ Cable 5 Meter SFP-H10GB-CU5M
Virtual Switching System
Virtual Switching System is a new technology break through for the Catalyst 6500 family…
Virtual Switching SystemVSL Hardware Considerations
“Cisco's virtual switch smashes throughput records”
“The results were impressive: VSS not only delivers a 20 fold improvement in failover times but also eliminates layer-2 and layer-3 redundancy protocols at the same time”
“The performance numbers are even more startling: A VSS-enabled virtual switch moved a
record 770 million frames per second in one test, and routed more than 5.6 billion unicast and
multicast flows in another”
“Cisco's VSS is a significant advancement in the state of the switching art. It dramatically
improves availability with much faster recovery times, while simultaneously providing a big
boost in bandwidth.”
http://www.networkworld.com/reviews/2008/010308-cisco-virtual-switching-test.html
4.65
Published Jan 7th 2008
• Selected “Best of Show” among 240 IT solution vendors, including Applications, Servers, Networks.
• Award was selected by Press and Writers from the 10 major IT magazines and News sites in Japan.
• VSS has received award for break trough technology for reducing TCO and also building Non-stop Networks.
• http://itpro.nikkeibp.co.jp/expo/introduction/index.html
• Selected “Best of Show” among 240 IT solution vendors, including Applications, Servers, Networks.
• Award was selected by Press and Writers from the 10 major IT magazines and News sites in Japan.
• VSS has received award for break trough technology for reducing TCO and also building Non-stop Networks.
• http://itpro.nikkeibp.co.jp/expo/introduction/index.html
*Valid through 2008 Jan 31 -2009 Jan 31
VSS wins “Best of Show”Network Category in Japan IT Pro Expo Trade Show
• 67xx Card with CFC/DFC3C
• Single Supervisor per Chassis
• Any 2 Chassis (E or Non-E )
• NAM 1 & 2
• Hitless IOS Patching1
• Sub200ms Failover
• 128 Multi-chassis Etherchannel (MEC)
12.2(33)SXH112.2(33)SXH1
• ISSU – Hitless Full IOS Upgrade
• ACE 10/20, FWSM, WiSM, IDSM
• PACL support
• VSL support on 6716-10GE
• ESE Campus SRND 3.0
• ESE Data Center SRND
• 512 MEC
• MPLS, IPv62
12.2(33)SXI12.2(33)SXI
1 Full IOS upgrade will require up to 1-2 minutes outage.2 First Rebuild 12.2(33)SXIx
• VSS Value-add features
• Dual Supervisor per System
• Dual Supervisor with “Intra and Inter” chassis SSO
• VPN SPA
• UNBL
• 4 chassis VSS
RadarRadar
VSS Blog ���� http://vsearch.cisco.com/?blog=7531New
• 50+ customers live with VSS in production Network
• External References: First American, Chicago Mercantile Exchange, T-Systems, Swisscom-
IT, Haier, HCL
First VSS Reference in Production
Virtual Switching System – RoadmapDeployment Consideration for VSS Mode Only
Catalyst 6500 Product Update
Campus Access & Wiring Closet
Innovations…
Catalyst 6500 Series Switches
Modular PoE upgradePoE upgradeability
WS-F6K-48-AF=
Modular PoE upgradePoE upgradeability
WS-F6K-48-AF=
EnginesSupervisor 32 8x1GE
Supervisor 32 2x10GE
Supervisor 32 PISA 8x1GE
Supervisor 32 PISA 2x10GE
EnginesSupervisor 32 8x1GE
Supervisor 32 2x10GE
Supervisor 32 PISA 8x1GE
Supervisor 32 PISA 2x10GE
Power SupplyIndustry leading PoE scalability
3000Watt
6000Watt
8700Watt
Power SupplyIndustry leading PoE scalability
3000Watt
6000Watt
8700Watt
Ethernet Line CardsLeading PoE density and scalability, ePoE Ready
TDR, Jumbo Frames, Deep per-port Buffers
WS-X6148A-GE-TX: 48 Port 10/100/1000 with PoE Option
WS-X6148A-RJ-45: 48 Port 10/100 with PoE Option
and others
PoEP Line Card in CY2009 (CC’d)
Ethernet Line CardsLeading PoE density and scalability, ePoE Ready
TDR, Jumbo Frames, Deep per-port Buffers
WS-X6148A-GE-TX: 48 Port 10/100/1000 with PoE Option
WS-X6148A-RJ-45: 48 Port 10/100 with PoE Option
and others
PoEP Line Card in CY2009 (CC’d)
PFC 3BConsistent feature set with
backbone
PFC 3BConsistent feature set with
backbone
Catalyst 6500 Campus AccessWhat to Sell…
Catalyst 6500PoEP Line Cards
6148B
61xx based 48 port
10/100/1000 RJ45 Line card
Feature/performance parity
with 6148A
New PoEP Daughter Card
Field upgradeable
Planned FCS: 1HCY09
All 48 ports 802.3af (15.4W)
All 48 ports Cisco enhanced POE (20W)
Any 32 ports 802.3at (~30W)
6148A 6148B
Today’s PoE DC Yes Not Supported
PoEP DC Not Supported Yes
High AvailabilityCurrent Innovations
Physical Redundancy
• Redundant supervisors, power supplies,
switch fabrics, and clocks
Non-Stop Forwarding /
Stateful Switch Over (NSF/SSO)• Traffic continues flowing after a
primary supervisor failure
• Sub-second recovery in
L2 and L3 networks
• No line card resetGeneric Online Diagnostics(GOLD)
• Proactively detect and address
potential hardware and software
faults in the switch before they
adversely impact network traffic
Catalyst 6500
Cisco IOS Software Modularity• Subsystem In-Service Software Upgrades (ISSU)
• Stateful Process Restarts
• Fault Containment, Memory Protection
High AvailabilityFuture Innovations
Enhanced FSU (EFSU)
• SSO Synchronization across
different Software releases
Full System ISSU with MDR• All of the EFSU capabilities
• Line Cards do not restart
4 Supervisors in VSS
• Allows 4 Supervisors in VSS together
with uplinks in forwarding state
• Active and Hot Standby Supervisors
in SSO state, Cold Standby
Supervisors in RPR state
Catalyst 6500
4 Supervisors with SSO in VSS• All of the previous innovations
• Cold Standby Supervisors are also brought into Hot
Standby State with 4 Supervisor SSO
802.1x with Default Access:
� Allows Bootstrapping a Device on a controlled port
� Allows customer the control to specify what app/protocols can communicate on controlled .1x & MAB ports
Flexible Authentication Sequence
� Simplified configuration
� One configuration addresses all use cases
� Per-user downloadable ACL enforcement
� Support 802.1x/MAB/Webauth on both single- or multi-auth port
Catalyst 6500Identity 4.0 Key Features – 12.2(33)SXI
Guest Access, NAC Solution Integration
� Guest Access Integration with Centralized Web Authentication
� NAC Profiler integration for better device profiling
� NAC Radius solution integration in progress
Enhanced IPT Support
� Multi-domain auth (MDA) to authenticate IP phones (Cisco or 3rd party) w/ 802.1x/MAB
� Solves “PC move” issue with MAB aging and new CDP “host presence” TLV
� Eliminate CAPEX/OPEX of having to upgrade or replace all phones
Catalyst 6500Identity 4.0 Key Features – 12.2(33)SXI
Catalyst 6500 and Cisco TrustSecSecurity eXchange Protocol (SXP)
The adoption of CTS into existing networks may be easier managed by not requiring the
network devices to be upgraded to hardware-capable components initially. SGT eXchange
Protocol (SXP) acts as a IP-to-SGT binding protocol from software-capable CTS devices to
hardware-capable devices…
Catalyst 6500 Supervisor 32 PISA
►►►► NBAR
Application awareness and intelligent classification
Supervisor Engine 32 PISA
2x10GE Uplinks + 1x 10/100/1000
Supervisor Engine 32 PISA
8x1GE Uplinks + 1x 10/100/1000
►►►► Flexible Packet Matching
Rapid Security Protection
Multigigabit Performance
Multigigabit Performance
►►►► Programmable architecture
Seamless new service adoption
►►►► Full Integration with
IPv4 & IPv6 in hardware
Advanced multicast & MPLS
Enhanced Manageability
HA with NSF/SSO and more
011111101010101011111101010101
Supervisor 32 PISA options
Arrowhead
12.2(33)SXJ
Target 1HCY09*
GlacierPark
12.2(18)ZYA
Target 1HCY08
12.2(18)ZY
Shipping
• Stateful Application
Intelligence (SAI)
• QoS Policy Manager
• Flexible Packet
Matching (FPM)
• Cisco Security
Manager
• FPM Filter Repository
• Identity based
application policies
• OER/ PfR
• Automatic malware detection
and mitigation
• ACT Integration
• Enhanced FPM policy actions
(QoS, PBR etc)
• DMVPNv3/GETVPN support for
VPN SPA
• L2 NBAR/FPM
• Intelligent Traffic Redirect
• NBAR / Netflow Integration
• New Applications
. IM (Yahoo, Lotus Notes etc)
. Cisco SoftPhone
. Exchange
. CIFS
. DICOM and HL7
. FIX
• FWSM & PISA Integration
• URL Filtering
• FPM support for fragmented packets
* - Not committed
Application Intelligence
Security
Catalyst 6500 PISAStrategic Roadmap
PFC – HW Data Plane (32
Gbps)
Selective Redirect
with user-defined
ACL
PISA – DPI Data Plane (2Gbps)
Intelligent Traffic Redirect – Ability to define a redirect ACL to allow only
interesting traffic goes through Sup32-PISA, resulting in a 32Gbps system with
multi-gigabit deep packet inspection capability
Intelligent Traffic Redirect – Ability to define a redirect ACL to allow only
interesting traffic goes through Sup32-PISA, resulting in a 32Gbps system with
multi-gigabit deep packet inspection capability
Supervisor 32 PISA OptimizationsIntelligent Traffic Redirect
Campus LAN
NetFlow/Co
llector
Corporate
Network
Internet
SIP DIP SP DP Proto IF Dir AppID10.1.1.10 10.10.1.10 1050 1494 TCP G1/1 IN Citrix
10.1.1.10 10.10.10.10 2001 110 TCP G1/1 IN Exchange
10.1.1.10 x.x.x.x 2050 80 TCP G1/1 IN HTTP
…. …. …. …. …. …. …. ….
PISA NBAR and NetFlow Integration
� NetFlow becomes application-aware with PISA intelligence
� NetFlow export of application classification information obtained from PISA
� Helps customers gain better L7 visibility of the network
NetFlow and NBAR IntegrationExporting Application-level Visibility
