© 2003, Cisco Systems, Inc. All rights reserved.
Product Rendez-vous – Core Network Switches – 13 November 2003
Sup720
Hardware Assisted Features
IPv6 Hardware Features (IPv6 function located on the PFC3)
• 128K FIB entries
• IPv6 load sharing up to 16 paths
• EtherChannel hash across 48 bits
• IPv6 policing/NetFlow/classification
• Standard and extended IPv6 ACLs
• IPv6 QoS lookups
• IPv6 multicast
• IPv6-to-IPv4 tunneling
• IPv6 edge over MPLS (6PE)

IPv6 Software Features
• IPv6 addressing
• ICMP for IPv6
• DNS for IPv6
• IPv6 MTU path discovery
• SSH for IPv6
• IPv6 Telnet
• IPv6 traceroute
• dCEF for IPv6
• RIP for IPv6
• IS-IS for IPv6
• OSPFv3 for IPv6
• BGP for IPv6
Catalyst 6500 Hardware Features
IPv6 Hardware Forwarding
• Introduced in 12.2(17a)SX1
• IPv6 hardware forwarding support:
  Central on the PFC3A on the Supervisor 720 for all modules supported with Supervisor 720
  Distributed on the DFC3A on (d)CEF256 and CEF720 modules with DFC3A present
• Hardware IPv6 support for:
  IPv6 unicast forwarding: IPv6 Aggregatable Global Unicast (AGU) addresses, site local, IPv4-compatible
  IPv6 tunneling: configured, automatic, 6to4, and ISATAP tunnels
  IPv6 ACLs: extended and reflexive ACLs
  IPv6 NetFlow statistics
• IPv6 QoS and IPv6 multicast NOT supported in 12.2(17a)SX1
RP Rate Limiters
While switching in hardware operates at millions of pps, the Route Processor supports processing rates in the thousands of packets per second. RP rate limiters have been introduced to limit the impact of traffic flooding the RP and swamping the CPU.
Rate limiters are applied to:
• Input and output ACL traffic
• CEF receive traffic
• CEF glean traffic
• MTU failures
• ICMP redirects
• VACL logging
• L3 security feature traffic
• TTL failures
• RPF failures
(Diagram: data from the Supervisor 720 passes through the rate limiters on its way to the MSFC.)
RP Rate Limiters Monitoring

Router(config)# show mls rate-limit
  Rate Limiter Type      Status      Packets/s  Burst
  ---------------------  ----------  ---------  -----
  MCAST_NON_RPF          Off         -          -
  MCAST_DFLT_ADJ         On          100000     100
  MCAST_DIRECT_CON       Off         -          -
  ACL BRIDGED IN         Off         -          -
  ACL BRIDGED OUT        Off         -          -
  L3_SEC_FEATURES        Off         -          -
  VACL LOG               On          2000       1
  FIB RECEIVE            Off         -          -
  FIB GLEAN              Off         -          -
  MCAST_PARTIAL_SC       On          100000     100
  RPF FAILURE            On/Sharing  500        10
  TTL FAILURE            Off         -          -
  NO ROUTE               On          500        10
  ICMP UNREACHABLE       On          500        10
  ICMP REDIRECT          Off         -          -
  MTU FAILURE            Off         -          -
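A defender auditing many chassis wants to know which RP rate limiters are actually switched on. The following parser for the show mls rate-limit output above is an added example, not Cisco's code; the embedded sample is the slide's output re-typed, and the list of limiters treated as "expected on" is this example's own baseline.

```python
import re

# Constructed sample: the "show mls rate-limit" output from the slide above,
# embedded here so the parser runs offline.
SAMPLE_OUTPUT = """\
  Rate Limiter Type      Status      Packets/s  Burst
  ---------------------  ----------  ---------  -----
  MCAST_NON_RPF          Off         -          -
  MCAST_DFLT_ADJ         On          100000     100
  MCAST_DIRECT_CON       Off         -          -
  ACL BRIDGED IN         Off         -          -
  ACL BRIDGED OUT        Off         -          -
  L3_SEC_FEATURES        Off         -          -
  VACL LOG               On          2000       1
  FIB RECEIVE            Off         -          -
  FIB GLEAN              Off         -          -
  MCAST_PARTIAL_SC       On          100000     100
  RPF FAILURE            On/Sharing  500        10
  TTL FAILURE            Off         -          -
  NO ROUTE               On          500        10
  ICMP UNREACHABLE       On          500        10
  ICMP REDIRECT          Off         -          -
  MTU FAILURE            Off         -          -
"""

# Limiter names can contain spaces ("ACL BRIDGED IN"), so the row regex is
# anchored on the Status column, which is always On, Off or On/Sharing.
ROW_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s+(?P<status>On(?:/Sharing)?|Off)\s+"
    r"(?P<pps>\d+|-)\s+(?P<burst>\d+|-)\s*$"
)

def parse_rate_limits(text):
    """Return {limiter_name: (enabled, packets_per_second_or_None, burst_or_None)}."""
    limiters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator and blank lines carry no row
        pps = None if m["pps"] == "-" else int(m["pps"])
        burst = None if m["burst"] == "-" else int(m["burst"])
        limiters[m["name"]] = (m["status"] != "Off", pps, burst)
    return limiters

# Example baseline (an assumption of this example): the limiters covering the
# RP-bound traffic types the previous slide lists should be enabled.
EXPECTED_ON = ("FIB RECEIVE", "FIB GLEAN", "TTL FAILURE", "MTU FAILURE",
               "ICMP REDIRECT", "RPF FAILURE", "NO ROUTE")

def disabled_limiters(limiters, expected=EXPECTED_ON):
    """Names from `expected` that are missing from the output or switched Off."""
    return [n for n in expected if not limiters.get(n, (False,))[0]]
```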
GRE Tunnel
GRE hardware acceleration is enabled on the new PFC3 on the Supervisor 720. GRE performance is up to 10 Mpps centralized and up to 25 Mpps decentralized.

interface Tunnel2
 ip address 10.60.1.1 255.255.255.0
 tunnel source 10.20.2.1
 tunnel destination 192.168.100.1
 tunnel mode gre ip

interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 192.168.5.22
 tunnel destination 10.60.1.1
 tunnel mode gre ip
Egress Policing on Supervisor 720
Egress policing is now supported. An egress policer can be applied on a routed (Layer 3) port or on a VLAN switched virtual interface (SVI); it cannot be applied to a Layer 2 port.
(Diagram: data enters at input, passes through the policing engine, and the egress policer acts on it at output.)
Network and Port Address Translation on Supervisor 720
(Diagram: NAT changes the Layer 3 addressing information, PAT also changes the Layer 4 addressing information; the example shows 10.1.1.1 translated to 203.16.10.1 and 201.1.14.22 translated to 203.16.10.1.)
Sup720 supports:
• Software translation setup, then hardware-based IPv4 NAT and PAT
• Up to 20 Mpps on the Sup720
Multipath Unicast Reverse Path Forwarding (URPF)
6500 Routing Table
Prefix        Next Hop   Interface
10.1.0.0/16   10.1.1.1   gig 3/1
10.2.0.0/16   10.2.1.1   gig 3/2

Packet 1: source IP 10.1.10.5, destination 10.2.20.34
Packet 2: source IP 10.200.1.64, destination 10.2.20.34

The Unicast Reverse Path Forwarding (uRPF) check mitigates problems caused by spoofed or malformed IP source addresses. uRPF drops packets whose source address is not in the local forwarding tables.
Multipath Unicast Reverse Path Forwarding (URPF)
• Up to six reverse paths per prefix in hardware
• Two reverse-path interfaces for all prefixes
• Four user-configurable “multipath interface groups” to define additional interfaces to do uRPF in hardware

6500 Routing Table (Catalyst 6500 with Supervisor Engine 720)
Prefix          Next Hop    Interface
10.255.0.0/16   10.1.1.1    fas 3/1
                10.1.2.1    fas 3/2
                10.1.3.1    fas 3/3
                10.1.4.1    fas 3/4
                10.1.5.1    fas 3/5
                10.1.6.1    fas 3/6
10.20.0.0/16    10.20.1.1   gig 6/3
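The two uRPF slides above can be worked through in software. This is an added example, not Cisco's implementation: it copies the two routing tables from the slides, applies the loose check the first slide describes (source must be routable) and the strict check (source must be reachable via the ingress interface), and treats the six-reverse-path figure as the hardware limit; the "punt" verdict beyond that limit is this example's own choice.

```python
import ipaddress

# Constructed routing table copying the two uRPF slides above; 10.255.0.0/16 has
# six equal-cost next hops, the case multipath hardware uRPF is built for.
ROUTING_TABLE = [
    ("10.1.0.0/16",   [("10.1.1.1", "gig 3/1")]),
    ("10.2.0.0/16",   [("10.2.1.1", "gig 3/2")]),
    ("10.255.0.0/16", [("10.1.%d.1" % i, "fas 3/%d" % i) for i in range(1, 7)]),
    ("10.20.0.0/16",  [("10.20.1.1", "gig 6/3")]),
]
MAX_HW_REVERSE_PATHS = 6  # per-prefix limit stated on the slide

def lookup(fib, addr):
    """Longest-prefix match; returns the list of (next_hop, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, paths in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best[1] if best else None

def urpf_loose(fib, src_ip):
    """Loose check (what the first slide describes): the source address must
    simply be present in the forwarding table."""
    return "forward" if lookup(fib, src_ip) else "drop"

def urpf_strict(fib, src_ip, in_iface):
    """Strict check: the source must be routable AND the ingress interface must
    be one of its reverse-path interfaces. Returns (verdict, reason)."""
    paths = lookup(fib, src_ip)
    if paths is None:
        return ("drop", "no route to source %s" % src_ip)
    if len(paths) > MAX_HW_REVERSE_PATHS:
        # More reverse paths than the slide's hardware limit: this example flags
        # the packet instead of guessing what the platform does (assumption).
        return ("punt", "%d reverse paths exceed the hardware limit" % len(paths))
    if in_iface in {iface for _, iface in paths}:
        return ("forward", "source reachable via %s" % in_iface)
    return ("drop", "source %s is not reachable via %s" % (src_ip, in_iface))
```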
User-Based Rate Limiting

Traffic from dorms:
• Ingress microflow policer applied to user port(s)
• Source-only flow mask
• Use an ACL to limit the scope of source IP addresses to intended users

Traffic from the Internet:
• Ingress microflow policer applied to uplink ports
• Destination-only flow mask
• Use an ACL to limit the scope of destination IP addresses to intended users
Example packet: SIP 123.53.23.6, DIP 145.23.1.12, SPrt 1242, DPrt 23.

Apply QoS ACL:
access-list 101 permit ip any 145.0.0.0 0.0.0.255

The QoS ACL match drives the flow mask result: apply the source-only mask. A new NetFlow entry is created keyed on the source IP only (123.53.23.6); the other entries in the NetFlow table are likewise keyed on source addresses (156.63.41.132, 67.33.1.54, 93.45.21.72, 34.5.34.32, 71.35.53.129, 122.24.57.2, 154.13.1.10). The rate limit (policer) is applied to packets that hit this NetFlow entry.
ERSPAN
ERSPAN’d packets are encapsulated in a GRE header directed to the IP address of the ERSPAN destination.
(Diagram: the SPAN’d frames, e.g. 10.1.1.2 → 203.16.10.1 and 10.1.1.1 → 110.1.43.4, are carried behind an RSPAN header holding the session ID inside a GRE (protocol type 47) encapsulation from 200.10.10.1 to 233.1.1.1.)
• Data follows the shortest path
• SPAN’d data is directed to the ERSPAN destination
• Supports up to 24 ERSPAN destinations per Sup720
MPLS on PFC3
MPLS Hardware Features (MPLS function located on the PFC3)
• Up to 1000 MPLS VPNs
• MPLS VPN (RFC2457) on any Ethernet port
• MPLS multicast VPN
• MPLS Label Switch Router (LSR)
• MPLS Label Edge Router (LER)
• MPLS Traffic Engineering (TE)
• MPLS Ethernet over MPLS (EoMPLS) on PFC3b
• DSCP to EXP mapping

MPLS applies to any Ethernet port on the following linecards:
• Classic Ethernet line cards
• CEF256 Ethernet line cards
• dCEF256 Ethernet line cards
• CEF720 Ethernet line cards
• dCEF720 Ethernet line cards
QoS Features
(Diagram: actions at ingress, actions by the forwarding engine, actions at egress.)

Actions at ingress (classification/scheduling):
• Scheduling: queue and threshold based on incoming CoS
• Received CoS can be overwritten if the port is untrusted

Actions by the forwarding engine (policing/classification/rewrite):
• Classification at Layer 2/3/4 via ACL
• Assign trust via ACL
• Police traffic based on bytes or burst (token bucket)
• Exceed action on the policer is drop or mark down priority
• Rewrite ToS header

Actions at egress (queuing and scheduling):
• Scheduling queue and threshold based on CoS map
• Each queue has configurable size and threshold
• WRED and tail drop congestion management
• Dequeue using WRR and strict priority

QoS Features – Policing
The process of policing is to rate-limit a flow down to a prescribed rate.
(Diagram: the aggregate policer limits the total traffic count, shown with 40 Mb and 30 Mb input flows and 25 Mb total output; the microflow policer limits each flow's traffic count, shown with an 8 Mb per-flow limit.)
• Can apply microflow and/or aggregate policing to port and/or VLAN
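The user-based rate limiting slides (flow masks keying the NetFlow entry a microflow policer acts on) and the policing slide above (token-bucket policers, microflow versus aggregate) describe one mechanism, worked through here as an added example that is not Cisco's code: a single-rate token bucket, one per NetFlow entry under the chosen flow mask, followed by an aggregate bucket shared by the port/VLAN. The traffic, the byte rates and burst sizes, and the integer-millisecond clock are constructed for this example.

```python
from collections import defaultdict

# Flow masks from the user-based rate limiting slides: the packet fields that
# key the NetFlow entry to which the microflow policer is applied.
FLOW_MASKS = {
    "source-only": lambda p: (p["sip"],),
    "dest-only":   lambda p: (p["dip"],),
    "full":        lambda p: (p["sip"], p["dip"], p["sport"], p["dport"]),
}

class TokenBucket:
    """Policer bucket: `rate` bytes per ms, `burst` bytes of credit (integer ms keep it exact)."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0

    def conform(self, size, now_ms):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed action modelled as drop (mark-down is the slide's other option)

def police(packets, mask, micro, aggregate):
    """Microflow policer (one bucket per NetFlow entry under `mask`), then an aggregate
    policer shared by the port/VLAN. Returns (forwarded, dropped_microflow, dropped_aggregate)."""
    flows = defaultdict(lambda: TokenBucket(*micro))
    agg = TokenBucket(*aggregate)
    keyfn = FLOW_MASKS[mask]
    fwd = drop_micro = drop_agg = 0
    for p in packets:
        if not flows[keyfn(p)].conform(p["len"], p["t"]):
            drop_micro += 1
        elif not agg.conform(p["len"], p["t"]):
            drop_agg += 1
        else:
            fwd += 1
    return fwd, drop_micro, drop_agg

def pkt(t, sip, dip, sport, dport, length):
    return {"t": t, "sip": sip, "dip": dip, "sport": sport, "dport": dport, "len": length}
# Constructed traffic: the dorm host from the slide (123.53.23.6) sends a 1500-byte
# packet every millisecond on 20 different source ports to 145.23.1.12; a second
# host sends a single packet later.
SAMPLE = [pkt(i, "123.53.23.6", "145.23.1.12", 1242 + i, 23, 1500) for i in range(20)]
SAMPLE.append(pkt(50, "156.63.41.132", "145.23.1.12", 4000, 23, 1500))
# Constructed policer settings: 1000 bytes/ms (8 Mb/s) per flow, 3000-byte burst; aggregate 9000-byte burst.
MICRO, AGG = (1000, 3000), (1000, 9000)
```

With the source-only mask the single busy host is held to its own budget before it reaches the shared aggregate; with the full mask each of its connections is a fresh flow, so the microflow policer never fires and the shared aggregate is what finally drops traffic.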
Catalyst 6500 Service Modules
Overview: Catalyst 6500 Service Module Family
• Content Switching Module (CSM)
• Communications Media Module (CMM)
• SSL Module (SSL)
• Network Analysis Module (NAM2)
• Content Services Gateway (CSG)
• Firewall Services Module (FWSM)
• VPN Services Module (VPNSM)
• Intrusion Detection Module (IDSM2)
Content Services Module
The WS-X6066-SLB-APC supports the following:
- Classic linecard
- URL and cookie-based SLB
- Balancing: up to 1,000 regular expressions can be defined
- Establishes up to 200,000 L4 cps
- Supports 1,000,000 concurrent connections while sustaining multi-gigabit throughput and simultaneously inspecting URLs and cookies
- User session stickiness brings users back to the same server based on Secure Socket Layer (SSL) session ID, IP address, or HTTP redirection
(Diagram: a GE ASIC and five IXP ASICs.)
Firewall Services Module
The WS-SVC-FWM-1 supports the following:
• Connection to the 32-Gbps shared bus
• Single 8-Gbps fabric connection
• Based on PIX Firewall code
• 100 VLAN interfaces
• Dynamic OSPF routing support
• 128K rule set
• Up to 5-Gbps throughput
• Up to 1M concurrent connections
• Performance up to 3 Mpps
• Up to 4 FWSM blades in a chassis
• Active/standby failover
• Supported in IOS and Hybrid
(Diagram: GE ASIC, network processors NP1, NP2, NP3 and CPU.)
Intrusion Detection Services Module
The WS-SVC-IDSM2 supports the following:
• Connection to the 32-Gbps shared bus
• Single 8-Gbps fabric connection
• Comprehensive attack recognition
• Same code base as the IDS appliances
• Monitors up to 600 Mbps of traffic
• Supports an arrival rate of up to 100 flows/sec
• Passive monitoring
• Extensive signature database
• Built-in web-based management (IDM)
• Supports IDS Event Viewer
• Sensor stateful failover
• Supports alarms, shunning and TCP resets
VPN Services Module
The WS-SVC-IPSEC-1 supports the following:
• Connection to the 32-Gbps shared bus
• Single 8-Gbps fabric connection
• Cisco IOS support only; Hybrid support (future)
• IPSec site-to-site VPN
• EZ-VPN client support
• 8000 tunnels (16,000 future)
• 1.9 Gbps 3DES performance (500+ byte packets)
• 1.6 Gbps 3DES performance (300+ byte packets)
• Tunnel setup rate 60/sec
• IKE, IKE-XAUTH, MD5, SHA-1, SSH, Kerberos, Telnet, X.509 digital signatures, shared secrets
• ESP DES and 3DES
(Diagram: GE ASIC, NP, CPU, IKE, crypto engine and TCAM on the inbound and outbound paths.)
Network Analysis Module
The WS-SVC-NAM2 supports the following:
• Connection to the 32-Gbps shared bus
• Single 8-Gbps fabric connection
• Application monitoring
• Performance management
• Fault isolation
• Troubleshooting
• Trend analysis
• Capacity planning
• VoIP monitoring
• MIB II
• RMON I and II, SMON, HCRMON, DSMON
• ART MIB
Secure Socket Layer Module
The WS-SVC-SSL-1 supports the following:
• SSL 3.0, SSL 3.1/TLS 1.0
• SSL 2.0 (Client Hello only)
• Session reuse
• Session re-negotiate
• Symmetric algorithms (RC4, DES/3DES)
• 300-400 Mbps symmetric throughput
• Asymmetric algorithms (RSA 1024-bit, 2048-bit)
• 3K-4K sessions/sec
• Hash algorithms (MD5, SHA1)
• Key generation
• Secure key storage
• Certificate enrollment
• Key import/export (IOS)
(Diagram: GE ASIC, two crypto engines, SSL and TCP processing, key storage and FDU.)