
7600-Unified Service Mapping


Page 1: 7600-Unified Service Mapping

Cisco Highly Confidential (Internal Only)

Unified Service Mapping on 7600

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Javed Asghar

ES40 Architecture 1

Wei Yin Tay

Consulting Systems Engineer


Page 2: 7600-Unified Service Mapping

ES+ Product Family – For Field Use Photo Gallery

ES+ Series 4-Port 10GE Line Cards, ES+ Series 40-Port GE Line Cards
ES+ Series 2-Port 10GE Line Cards, ES+ Series 20-Port GE Line Cards

Page 3: 7600-Unified Service Mapping

Agenda

• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features

Page 4: 7600-Unified Service Mapping

UNI Evolution – EVC Enhancements

Switchport or Routed Port/sub-interface  →  Mux UNI  →  Flexible UNI – EVC
12.2(18)SXF and earlier  →  12.2(33)SRA, 12.2(33)SRB  →  12.2(33)SRC, SRD, SRE

Page 5: 7600-Unified Service Mapping

Flexible Ethernet Edge → New EVC Ethernet Infrastructure

[Figure: Access Edge (Residential: DSL, ETTx, PON, Cable, STB; Business/Corporate; Mobile; MSPP) → Aggregation (BRAS, SR/PE, DPI) → Core Network (MPLS/IP) → Content Farm (VOD, TV, SIP)]

UNI frame types: Untagged, Single tagged, Double tagged (802.1q, 802.1ad, etc.)
Service types: L2 P-to-P (local or xconnect), L2 MP local bridging, L2 MP VPLS, L3 routed

Page 6: 7600-Unified Service Mapping

LAN Mux UNI – Catalyst LAN and SIP-600

Normal L2 switchport + SVI for L2/L3 service; L2 and L3 co-exist on the same port:
• P2P EoMPLS under sub-interface
• L2 bridging via L2 switchport main interface
• L3/VRF and VPLS via SVI

No VLAN local significance, 4k VLANs max.

[Figure: LAN or SIP-600 port carrying VLAN 6, 7, 8 on the switchport/SVI and VLAN 11, 12 on sub-interfaces for xconnect; cascades]

Page 7: 7600-Unified Service Mapping

E-MPB on SIP-400

• L2 and L3 co-exist on the same port
• Flexible L2/L3 service mapping
• VLAN local port significance and VLAN scalability
• H-QoS support on main-interface/sub-interface

No global VLAN resource needed for xconnect → VLAN scalability
L3/VRF termination (single tag only)
Split-horizon option provides “isolation” between sub-interfaces
Bridge-domain is a global VLAN which has an L2/L3 service associated
Up to 120 sub-interfaces (per SIP-400) can be put into the same bridge domain
Option to add a second VLAN tag or replace the encap VLAN tag ([dot1q-tunnel])
Option to drop or transparently forward CE BPDUs ([bpdu transparent | drop])

[Figure: SIP-400 port with sub-interfaces VLAN 6, VLAN 7, VLAN 8, VLAN 9; VLAN 8 as L3/VRF termination, the other sub-interfaces in Bridge-domain 100]

Page 8: 7600-Unified Service Mapping

Cisco 7600 Flexible Ethernet UNI – Convergence of Residential Quad Play + Business VPN

• The Flexible Ethernet UNI defines a unique, virtual L2 or L3 service instance per customer
• A service instance can be a MAC address, VLAN, Q-in-Q VLAN, L2 VPLS pseudowire, IP address, or L3 MPLS VPN
• For each service instance, Flexible UNI offers:
  – Unique ID with service separation via VLAN or MAC translation
  – H-QoS with shaping per VC
  – IP+MAC spoofing prevention
  – Ethernet and MPLS OAM
• Each service instance can in turn be flexibly mapped to:
  – L2: Pseudowires, H-VPLS
  – L3: IP, IPv6, MPLS VPN

[Figure: OSS / Policy Management over a Barracuda (7600) UNI providing H-QoS per EFP, flexible MAC/VLAN translation (1:1, 2:2, 1:2), Security, OAM, SBC and Video; service instances mapped to L3 IP/IPv6, L3 MPLS VPN, EoMPLS/H-VPLS, L2 point-to-point, L2 bridged and L2/L3 integration]

Page 9: 7600-Unified Service Mapping

Flexible UNI – CLI Model

service instance ethernet
 encapsulation <dot1q/QinQ | untagged | default | dot1ad | etc>
 rewrite ingress <push | pop | translate> symmetric
 xconnect | bridge-domain → (Forwarding Commands)
 service-policy input
 service-policy output
 <other features>

[Figure: Ingress LC (ES+/ES20/SIP): Frame Matching (combination of up to two VLAN tags) → Ingress Encap Rewrite (pop/push/translate VLAN tags) → Features → Forwarding: Local connect (P2P); Xconnect (P2P); Global VLAN / BD (MP) via SVI to L2 Bridging, L3/VRF or VPLS/EoMPLS; L3/VRF Termination (using sub-interface) → Egress LC (L2 LAN or IP/MPLS): Egress Encap Rewrite (push/pop/translate tags)]

Page 10: 7600-Unified Service Mapping

Flexible Frame Matching CLI

• Single tagged frame
  encapsulation dot1q {any | “<vlan-id>[,<vlan-id>[-<vlan-id>]]”}
  The VLAN tag can be single, multiple, a range, or any (1-4096).

• Double tagged frame (only up to 2 tags are looked at if a frame with more than 2 tags is received)
  encapsulation dot1q <vlan-id> second-dot1q {any | “<vlan-id>[,<vlan-id>[-<vlan-id>]]”}
  The first VLAN tag must be unique; the second VLAN tag can be any, unique, a range, or multiple.

• Default tag
  encapsulation default
  Matches all frames, tagged or untagged, that are not matched by other, more specific service instances.

• Untagged
  encapsulation untagged
  Matches untagged frames only, for example native VLAN 1.

interface gig 1/1/1
 service instance 1 ethernet
  encapsulation ?
   default    catch-all unconfigured encapsulation
   dot1ad     802.1ad - Provider Bridges
   dot1q      IEEE 802.1Q Virtual LAN or S-VLAN
   untagged   Untagged encapsulation

Page 11: 7600-Unified Service Mapping

Flexible Frame Matching Examples

• Ethernet Flow Points ...
  – Provide classification of L2 flows on Ethernet interfaces
  – Are also referred to as EVC service-instances
  – Support dot1q and Q-in-Q
  – Support VLAN lists
  – Support VLAN ranges
  – Support VLAN lists and ranges combined
  – Coexist with routed subinterfaces

[Figure: EFPs on a physical Ethernet interface (GE/10GE)]
  Frames 100, 101, 102           → Match VLAN range: 100-102
  Frame 14                       → Match VLAN: 14
  Frames 200, 203, 210           → Match VLAN list: 200, 203, 210
  Frame 300,100                  → Match VLAN: 300,100
  Frames 400,1  400,2  400,3     → Match outer VLAN 400, inner VLAN range: 1-3
  Frames 400,11 400,17 400,34    → Match outer 400, inner VLAN list: 11,17,34

Page 12: 7600-Unified Service Mapping

EVC – Flexible VLAN Tag Manipulation

interface gig 1/1/1
 service instance 1 ethernet
  encapsulation dot1q 10
  rewrite ingress tag ?
    pop        Pop the tag
    push       Rewrite Operation of push
    translate  Translate Tag

NPE1(config-if-srv)#rewrite ingress tag pop ?
  1  Pop the outermost tag      (remove 1 tag)
  2  Pop two outermost tags     (remove 2 tags)

NPE1(config-if-srv)#rewrite ingress tag pop dot1q 10                   (remove one tag)
NPE1(config-if-srv)#rewrite ingress tag pop dot1q 10 second-dot1q 20   (remove two tags)

NPE1(config-if-srv)#rewrite ingress tag translate ?
  1-to-1  Translate 1-to-1
  1-to-2  Translate 1-to-2
  2-to-1  Translate 2-to-1
  2-to-2  Translate 2-to-2

Page 13: 7600-Unified Service Mapping

Service CLI Example – Point-to-point (P-to-P: no MAC learning/forwarding)

Point-to-point local connect
connect <name> <interface-type/slot/port> <efp-id> <ethernet-type/slot/port> <efp-id>

interface GigabitEthernet4/1/0
 service instance 3 ethernet
  encapsulation dot1q 51
  rewrite ingress tag translate 1-to-2 dot1q 52 second-dot1q 52 symmetric
interface GigabitEthernet4/1/1
 service instance 3 ethernet
  encapsulation dot1q 52 second-dot1q 52
connect eline-3 GigabitEthernet4/1/0 3 GigabitEthernet4/1/1 3

Point-to-point xconnect
xconnect <peer-add> <VC-ID> encapsulation mpls

interface GigabitEthernet4/1/1
 service instance 11 ethernet
  encapsulation dot1q 101 second-dot1q 60-70
  xconnect 10.0.0.3 101 encapsulation mpls

Page 14: 7600-Unified Service Mapping

Service CLI Example – Multipoint (MAC based forwarding)

Multipoint local bridging and VPLS: bridge-domain <global-vlan-id> [split-horizon]
Split-horizon disables L2 communication between two EFPs.

Local Bridging
interface GigabitEthernet4/1/0
 service instance 101 ethernet
  encapsulation dot1q 101-1000
  bridge-domain 100
interface GigabitEthernet4/1/1
 service instance 101 ethernet
  encapsulation dot1q 101-1000
  bridge-domain 100
interface GigabitEthernet3/1
 switchport access vlan 100
 switchport mode dot1q-tunnel

VPLS
interface GigabitEthernet4/1/0
 service instance 2 ethernet
  encapsulation dot1q 20
  bridge-domain 20 split-horizon
interface GigabitEthernet4/1/1
 service instance 2 ethernet
  encapsulation dot1q 20
  bridge-domain 20 split-horizon
interface Vlan20
 xconnect vfi vpls-20

Page 15: 7600-Unified Service Mapping

Service CLI Example – L3 routed

Single tag termination

Option 1
interface GigabitEthernet4/1/1
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
interface Vlan100
 ip address 100.1.100.1 255.255.255.0

Option 2
interface GigabitEthernet4/1/1.100
 encapsulation dot1q 100
 ip address 100.1.100.1 255.255.255.0

Double tag termination

Option 1
interface GigabitEthernet4/1/1
 service instance 100 ethernet
  encapsulation dot1q 100 second 200
  rewrite ingress tag pop 2 symmetric
  bridge-domain 100
interface Vlan100
 ip address 100.1.100.1 255.255.255.0

Option 2
interface GigabitEthernet4/1/1.100
 encapsulation dot1q 100 second 200
 ip address 100.1.100.1 255.255.255.0

Page 16: 7600-Unified Service Mapping

Flexible UNI – L3 Termination

• Uses a sub-interface for configuration
• Uses an IDB
• Used for L3 and L3 VPN termination (no support for mpls ip under sub-if)
• L3 sub-interfaces and main interfaces consume an internal VLAN

Page 17: 7600-Unified Service Mapping

Exact vs. Non-Exact Matching

• EVC only uses non-exact matching, which is outermost-tag matching
• ‘encap dot1q 10’ matches any packet whose outermost tag equals 10:
  [10], [10 200], [10 100], [10 100 1000]
• ‘encap dot1q 10 sec 100’ matches any packet with outermost tag 10 and second tag 100

Page 18: 7600-Unified Service Mapping

Longest tag match

EVC supports longest tag matching within the same GigE port: double tag is matched first, then single tag.

Int G3/0/0: frame received → EFP configuration matched
  [10]       → dot1q 10
  [10 200]   → dot1q 10
  [10 100]   → dot1q 10 sec 100
  [10 130]   → dot1q 10 sec 128-133

Page 19: 7600-Unified Service Mapping

Encapsulation Types

• “Any”
  Port has no service instance configured with a tag:
    service instance 10 ethernet
     encap dot1q any
  ‘encap dot1q any’ is translated by the parser to ‘encap dot1q 1-4094’.

  Port has a service instance configured with a tag:
    service instance 10 ethernet
     encap dot1q 10
    service instance 20 ethernet
     encap dot1q any
  ‘encap dot1q any’ is equivalent to the remaining VLAN ranges; in this example it is ‘encap dot1q 1-9, 11-4094’.
  The same rule applies to any for the second tag.
  What happens if “encap dot1q any” is configured first, followed by “encap dot1q 10”? The system treats this as an invalid configuration and won’t accept it.

• “Default”
  “catch all unspecified” entry; catches any packet that does not match any other existing EFP configuration
  One per interface
  Can be used to configure port mode services

Page 20: 7600-Unified Service Mapping

EVC Encapsulation Match Order

1. From most specific to most general
2. No exact match on the outermost tag count (matching is non-exact)
3. Encap untagged matches untagged packets
4. Encap default catches all remaining traffic without a specific match. If no encap untagged is configured, it also catches untagged packets.
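The matching rules from the Exact vs. Non-Exact Matching, Longest tag match, Encapsulation Types and Match Order slides, modelled as a small Python classifier for one port. This is an added example, not code from the deck; the EFP ids and the tag stacks fed to it are constructed inputs.

```python
# Added example, not from the deck: one port's EFPs and the frame classification the
# slides describe. Matching is non-exact (only the outermost one or two tags are
# looked at), double-tag EFPs win over single-tag ones, 'dot1q any' covers the VLANs
# that no more specific single-tag EFP on the port claims, 'untagged' takes untagged
# frames, and 'default' takes whatever is left (untagged frames too, if no untagged EFP).
from typing import List, Optional, Set, Tuple

ALL_VLANS = frozenset(range(1, 4095))  # the parser expands 'any' to 1-4094


def parse_vlan_spec(spec: str) -> Optional[Set[int]]:
    """'10', '100-102', '200,203,210', '1-3,7' -> set of VLAN ids; 'any' -> None."""
    if spec == "any":
        return None
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    if not vlans or not vlans <= ALL_VLANS:
        raise ValueError(f"bad VLAN spec {spec!r}")
    return vlans


# (efp_id, kind, depth, outer, inner): kind is 'dot1q', 'untagged' or 'default';
# depth is how many tags the encapsulation names; a VLAN set of None means 'any'
Efp = Tuple[int, str, int, Optional[Set[int]], Optional[Set[int]]]


class Port:
    def __init__(self) -> None:
        self.efps: List[Efp] = []

    def add_efp(self, efp_id: int, encap: str) -> None:
        """Add a service instance from the text after 'encapsulation'."""
        words = encap.split()
        if words == ["untagged"]:
            self.efps.append((efp_id, "untagged", 0, None, None))
            return
        if words == ["default"]:
            if any(e[1] == "default" for e in self.efps):
                raise ValueError("only one 'encapsulation default' per interface")
            self.efps.append((efp_id, "default", 0, None, None))
            return
        if words[0] != "dot1q" or len(words) not in (2, 4):
            raise ValueError(f"unsupported encapsulation {encap!r}")
        outer = parse_vlan_spec(words[1])
        if len(words) == 2:
            # a specific VLAN configured after 'dot1q any' is rejected by the parser
            if outer is not None and any(
                e[1] == "dot1q" and e[2] == 1 and e[3] is None for e in self.efps):
                raise ValueError("'encap dot1q any' exists; specific VLAN rejected")
            self.efps.append((efp_id, "dot1q", 1, outer, None))
            return
        if words[2] != "second-dot1q" or outer is None or len(outer) != 1:
            raise ValueError("first tag must be one VLAN when second-dot1q is used")
        self.efps.append((efp_id, "dot1q", 2, outer, parse_vlan_spec(words[3])))

    def effective_vlans(self, efp_id: int) -> Set[int]:
        """Expand a single-tag EFP; 'any' means the VLANs no specific single-tag EFP has."""
        claimed = set().union(*(e[3] for e in self.efps
                                if e[1] == "dot1q" and e[2] == 1 and e[3] is not None))
        for eid, kind, depth, outer, _ in self.efps:
            if eid == efp_id and kind == "dot1q" and depth == 1:
                return set(outer) if outer is not None else set(ALL_VLANS - claimed)
        raise KeyError(efp_id)

    def classify(self, tags: List[int]) -> Optional[int]:
        """EFP id for a frame whose tag stack is listed outermost first; None = dropped."""
        candidates = []
        for efp_id, kind, depth, outer, inner in self.efps:
            if kind != "dot1q" or len(tags) < depth:
                continue
            if outer is not None and tags[0] not in outer:
                continue
            if depth == 2 and inner is not None and tags[1] not in inner:
                continue
            # most specific first: two tags before one, explicit VLANs before 'any'
            candidates.append(((depth, inner is not None, outer is not None), efp_id))
        if candidates:
            return max(candidates)[1]
        if not tags:
            for efp_id, kind, *_ in self.efps:
                if kind == "untagged":
                    return efp_id
        for efp_id, kind, *_ in self.efps:
            if kind == "default":
                return efp_id
        return None


def slide18_port() -> Port:
    """The 'Longest tag match' slide's three EFPs on one port (ids are constructed)."""
    port = Port()
    port.add_efp(1, "dot1q 10")
    port.add_efp(2, "dot1q 10 second-dot1q 100")
    port.add_efp(3, "dot1q 10 second-dot1q 128-133")
    return port
```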

Page 21: 7600-Unified Service Mapping

L2 Control Protocol Handling (includes STP/VTP/CDP)

                     No <l2protocol forward>                              With <l2protocol forward>
Local Connect        Forwarded transparently as data                      N/A
Xconnect             Forwarded transparently as data                      N/A
SVI/Bridge Domain    Drop all BPDU                                        Forwarded transparently as data
Native VLAN          Under service instance “encap untag”: dropped        Under service instance “encap untag”: forwarded transparently

Page 22: 7600-Unified Service Mapping

VPLS Attachment Circuit – How Do I Tunnel STP/VTP/CDP?

[Figure: a 7600 VFI with attachment circuits of four types, FR bridging (RFC 1490) pseudo port, ATM bridging (RFC 1483) pseudo port, Ethernet switchport and Ethernet EFP, and VCs towards MPLS]

• Each VPLS instance can have multiple attachment circuits (ACs) and multiple virtual circuits (VCs). ACs and VCs are in the same L2 broadcast domain; packets are forwarded based on MAC address.
• ACs can be of different types, such as ATM (RFC 1483) bridging, FR (RFC 1490) bridging, native Ethernet switchport, or native Ethernet EFP (EVC based configuration).
• L2PT applies to Ethernet ACs only. Normally these are STP, CDP and VTP packets.

Page 23: 7600-Unified Service Mapping

PW Status TLV for Error Codes, etc.

• The current implementation of the AToM control plane has no provision for PW status. What this typically means is that when the AC (access circuit interface) associated with a PW is down (or being held down for PW redundancy), the labels advertised to peers are withdrawn, because AToM has no other way of signalling the AC status to the peer. This is not ideal: upon switch-over there is extra delay in advertising labels to the new peer.
• RFC 4447 specifies extensions for LDP which allow PW status to be carried in notification messages to peers. This decouples LDP label mappings from the AC status notification and allows labels to be retained through AC status changes:
  – as soon as the xconnect is provisioned,
  – and until the xconnect is unprovisioned or the AC interface is shut down.
• The upshot of this is less time to do a switch-over, as the labels have already been exchanged.

Page 24: 7600-Unified Service Mapping

Flexible UNI Features Summary

Mux UNI (Catalyst LAN and SIP-600, cascade)
• L2 switchport main interface coexists with an EoMPLS sub-interface under the same physical port

E-MPB (SIP-400, cascade)
• L2 and L3 service co-exist on the same port
• Flexible L2/L3 service mapping
• VLAN scalability
• Split horizon provides a feature similar to private VLAN “isolated port”

Flexible QinQ (SIP-400 with V2GE SPA, ES20, ES+)
Same benefit as E-MPB +
• VLAN local significance
• 2 VLAN tag awareness (matching, termination, CoS, etc.)
• Matching range of VLAN tags
• Flexible VLAN tag manipulation (pop/push) and translation (1-1, 1-2, 2-1, 2-2)
• More VLAN scalability
• Local connect support including hair pinning

Page 25: 7600-Unified Service Mapping

Agenda

• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features

Page 26: 7600-Unified Service Mapping

VPLS Deployment Options in SRD

[Figure: Option 1: UNI ES+, NNI ES+; Option 2: UNI ES20/SIP400, NNI ES+; Option 3: UNI 67xx, NNI ES+; Option 4 (Legacy): UNI any DFC LC, NNI ES20]

Page 27: 7600-Unified Service Mapping

EoMPLS Deployment Options in SRD

[Figure: Option 1: UNI ES+, NNI ES+/67xx; Option 2: UNI ES+/ES20/SIP400, NNI ES+; Option 3: UNI 67xx, NNI ES+; Option 4 (Legacy): UNI 67xx, NNI 67xx]

Page 28: 7600-Unified Service Mapping

L3VPN Deployment Options in SRD

[Figure: Option 1: UNI ES+, NNI ES+/67xx; Option 2: UNI ES+/ES20/SIP400, NNI ES+; Option 3: UNI 67xx, NNI ES+; Option 4 (Legacy): UNI 67xx, NNI 67xx]

Page 29: 7600-Unified Service Mapping

Agenda

• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features

Page 30: 7600-Unified Service Mapping

Cisco 7600 Internals: Basics of a Layer 2 Forwarding Operation

The MAC Address Table (or CAM Table) is a piece of memory in a switch that is used to store MAC addresses and the ports from which they were learnt…

CAM tables range in size across the different switch platforms.
The CAM table can also store the VLAN within which the MAC was learnt.

[Figure: hosts A to F attached to ports 1 to 6]

CAM Table
MAC   Port
A     1
B     2
C     3
D     4
E     5
F     6

Page 31: 7600-Unified Service Mapping

Cisco 7600 Internals: Layer 2 Forwarding on the PFC3

On the PFC3B is an integrated CAM Table that supports up to 64,000 MAC address entries… (PFC3C up to 96,000 MAC)

[Figure: MAC Table of 16 pages × 4096 rows, 4K*16=64K entries]

Page 32: 7600-Unified Service Mapping

Cisco 7600 Internals: Layer 2 Forwarding on the PFC3

[Figure: Frame (VLAN, MAC) → Hash → MAC Table Row; MAC Table of 16 pages × 4096 rows (4K*16=64K entries) holding entries such as 20 | 0000.2222.7777, 10 | 0000.1111.cccc, 30 | 0000.bbbb.ac1c, 30 | 0000.dddd.a112; Hit!!!]

1. Hash result identifies the starting page and row in the MAC table
2. Lookup key (VLAN and MAC) is compared to the contents of the indexed line on each page, sequentially
3. Destination lookup: a match returns the destination interface(s); a miss results in a flood. Source lookup: a match updates the age of the matching entry; a miss installs a new entry in the table
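The three lookup steps above, modelled in Python as an added example (not code from the deck or from the PFC3 itself). The CRC32 hash, the dotted MAC strings and the age counter are this example's own simplifications; the page and row counts are the slide's.

```python
# Added example, not from the deck: a model of the PFC3 MAC-table lookup the slide walks
# through. A hash of (VLAN, MAC) picks a row; the key is compared against that row on
# each of the 16 pages in turn. The CRC32 hash, the Cisco-style dotted MAC strings and
# the simple age counter are this example's own choices, not the PFC3B's real hash.
import zlib
from typing import List, Optional, Tuple

PAGES, ROWS = 16, 4096             # 4K * 16 = 64K entries, as on the slide

Entry = Tuple[int, str, str, int]  # (vlan, mac, port, age)


class MacTable:
    def __init__(self, pages: int = PAGES, rows: int = ROWS) -> None:
        self.pages, self.rows = pages, rows
        self.table: List[List[Optional[Entry]]] = [[None] * rows for _ in range(pages)]
        self.clock = 0  # stands in for the aging timer

    @staticmethod
    def _key(vlan: int, mac: str) -> Tuple[int, str]:
        return vlan, mac.lower()  # the same MAC in two VLANs is two distinct keys

    def _row(self, vlan: int, mac: str) -> int:
        return zlib.crc32(f"{vlan}:{mac.lower()}".encode()) % self.rows

    def _find(self, vlan: int, mac: str) -> Optional[Tuple[int, int]]:
        """Steps 1 and 2: hash to a row, then compare the indexed line on each page."""
        vlan, mac = self._key(vlan, mac)
        row = self._row(vlan, mac)
        for page in range(self.pages):
            entry = self.table[page][row]
            if entry is not None and entry[0] == vlan and entry[1] == mac:
                return page, row
        return None

    def destination_lookup(self, vlan: int, dmac: str) -> str:
        """Step 3, destination side: a hit returns the egress port, a miss floods."""
        hit = self._find(vlan, dmac)
        if hit is None:
            return "flood"
        page, row = hit
        return self.table[page][row][2]

    def source_lookup(self, vlan: int, smac: str, port: str) -> str:
        """Step 3, source side: a hit refreshes the entry's age, a miss installs the
        entry in the first free page of its row. Returns 'refresh', 'install' or
        'row-full'."""
        self.clock += 1
        vlan, smac = self._key(vlan, smac)
        entry: Entry = (vlan, smac, port, self.clock)
        hit = self._find(vlan, smac)
        if hit is not None:
            self.table[hit[0]][hit[1]] = entry
            return "refresh"
        row = self._row(vlan, smac)
        for page in range(self.pages):
            if self.table[page][row] is None:
                self.table[page][row] = entry
                return "install"
        # every page of this row is taken: the address cannot be learned until an
        # entry in the row ages out, so frames addressed to it keep being flooded
        return "row-full"

    def occupancy(self) -> int:
        return sum(1 for page in self.table for e in page if e is not None)
```

The tiny two-page, one-row table in the test shows the row-full case that a full-size table only reaches when many addresses collide on one row.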

Page 33: 7600-Unified Service Mapping

Cisco 7600 Internals: Layer 2 Forwarding on the PFC3, Cisco IOS show mac-address-table

The MAC addresses that have been learned by the switch can be viewed from the switch CLI using the following command. Note that for each MAC address learned, the port from which the address arrived is stored along with the VLAN of which the host is a part.

6509#show mac-address-table dynamic vlan 30
Codes: * - primary entry

  vlan   mac address     type     learn  qos  ports
------+----------------+--------+-----+---+-----------------------
*   30  0003.a088.c408  dynamic  Yes    --   Fa3/18
*   30  0012.d949.04d2  dynamic  Yes    --   Gi5/1
*   30  0003.a08a.15f3  dynamic  Yes    --   Fa3/24
*   30  0090.a400.1850  dynamic  Yes    --   Fa3/14
*   30  0003.a08a.15f9  dynamic  Yes    --   Fa3/25
<…>
6509#

NOTE: You can have duplicate MAC addresses as long as they appear in a different VLAN
NOTE: MAC address learning is done in HARDWARE

Page 34: 7600-Unified Service Mapping

Agenda

• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features

Page 35: 7600-Unified Service Mapping

ES+ Trident NPU Overview

• 10GE full duplex, 30Mpps packet processing capability
• 20 bytes preamble and IFG emulation – not reported in LC/RP stats
• VPLS, QinQ Termination, QinQ Selective mapping, EoMPLS, 802.1ah, Scalable EoMPLS, E-MPB, EVC
• AToM/VPLS Tunnel Select, H-VPLS
• L2 Multicast
• All MQC QoS (i.e. no MLS QoS CLI)
• Strict priority support at all levels in TM (priority propagation)
• Etc.

Page 36: 7600-Unified Service Mapping

VLAN ID - Global or Local Port Significant?

LC          L2 switchport   Sub-interface                  EVC model
LAN         Global          Global                         N/A
SIP600      Global          Global                         Global
ES20        Global          QinQ: Local, Dot1q: Global     Local
ES+         Global          Local                          Local
SIP400      N/A             Local                          Local
Other WAN   N/A             Local                          N/A

Page 37: 7600-Unified Service Mapping

7600 VLAN Local Significance Support

Interface Types       ES+ (aka ES+40/20)   ES20                         SIP400   67xx
EVC Dot1q             Yes                  Yes                          Yes      No
EVC QinQ              Yes                  Yes                          Yes      No
Sub-interface Dot1q   Yes                  No (Fugu ASIC limitation)    Yes      No
Sub-interface QinQ    Yes                  Yes                          Yes      No

• VLAN Local Significance means:
  1. VLAN is terminated in the NPU
  2. VLAN lookup, rewrites, etc. are performed in the NPU

Page 38: 7600-Unified Service Mapping

EVC QinQ EoMPLS System Packet Flow: No EVC rewrite and No QoS Marking

[Figure: UNI → PE1 (ingress LC ES+/ES20/SIP400, DBus, NNI ES+ or any DFC) → P → PE2 (NNI ES+ or any DFC, DBus, egress LC ES+/ES20/SIP400) → UNI]

service instance 300 ethernet
 description ** EVC EoMPLS, No rewrite, No QoS
 encapsulation dot1q 50 second-dot1q 1-4094
 xconnect 2.2.2.2 50 encapsulation mpls

PE1: Ingress Pkt From Link → Packet with Dbus CoS → Ingress Rewrite (None) → Ingress Marking (None) → After Imposition (EXP = 5)
PE2: Egress Rewrite (None) → Egress Marking (None) → Egress Pkt On Link
At every stage Dbus-CoS = 5, S-CoS = 5, C-CoS = 4; the imposed label carries EXP = 5

Page 39: 7600-Unified Service Mapping

EVC QinQ EoMPLS System Packet Flow: EVC rewrite POP 1 and No QoS Marking

[Figure: same topology: UNI → PE1 (ingress LC ES+/ES20/SIP400, DBus, NNI ES+ or any DFC) → P → PE2 (NNI ES+ or any DFC, DBus, egress LC ES+/ES20/SIP400) → UNI]

service instance 300 ethernet
 description ** EVC EoMPLS, rewrite POP 1, No QoS
 encapsulation dot1q 50 second-dot1q 1-4094
 rewrite ingress tag pop 1 symmetric
 xconnect 2.2.2.2 50 encapsulation mpls

PE1: Ingress Pkt From Link (S-CoS = 5, C-CoS = 4) → Packet with Dbus CoS (Dbus-CoS = 5) → Ingress Rewrite: POP 1, DCoS = S-CoS (S-CoS tag gone: ---) → Ingress Marking (None) → After Imposition (EXP = 5, C-CoS = 4)
PE2: Egress Rewrite: Push 1, S-CoS = DCoS (S-CoS = 5 restored from Dbus-CoS = 5) → Egress Marking (None) → Egress Pkt On Link (S-CoS = 5, C-CoS = 4)

Page 40: 7600-Unified Service Mapping

EVC QinQ EoMPLS System Packet Flow: EVC rewrite POP 1 and Set CoS=7 Marking

[Figure: same topology: UNI → PE1 (ingress LC ES+/ES20/SIP400, DBus, NNI ES+ or any DFC) → P → PE2 (NNI ES+ or any DFC, DBus, egress LC ES+/ES20/SIP400) → UNI]

service instance 300 ethernet
 description ** EVC EoMPLS, rewrite POP 1, Set CoS = 7
 encapsulation dot1q 50 second-dot1q 1-4094
 rewrite ingress tag pop 1 symmetric
 service-policy input set-cos=7
 xconnect 2.2.2.2 50 encapsulation mpls

PE1: Ingress Pkt From Link (S-CoS = 5, C-CoS = 4) → Packet with Dbus CoS (Dbus-CoS = 5) → Ingress Rewrite: POP 1, DCoS = S-CoS (S-CoS tag gone: ---) → Ingress Marking: Set CoS = 7, DCoS = set-CoS (Dbus-CoS = 7) → After Imposition (EXP = 7, C-CoS = 4)
PE2: Egress Rewrite: Push 1, S-CoS = DCoS (Dbus-CoS = 7) → Egress Marking (None) → Egress Pkt On Link (S-CoS = 7, C-CoS = 4)

Page 41: 7600-Unified Service Mapping

Agenda

• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features

Page 42: 7600-Unified Service Mapping

L2VPN NSF/SSO in 12.2 SRC Release

• No extra commands introduced
• Supported for targeted LDP and local switching configurations
• AToM related commands are sync’d as part of the config between active and standby SUP/RSP
• If there is a version command mismatch, the router reverts to RPR+
  Commands with a version mismatch are reported in ISSU show/debug outputs
• Features supported:
  – AToM P2P: Eth (all flavors), ATM, FR, HDLC, PPP, CEM
  – VPLS and H-VPLS
  – ATM/FR Local Switching, TDM
  – Tunnel Select
  – Interworking

Page 43: 7600-Unified Service Mapping

Agenda

• UNI Connectivity Models
• Service Mapping Options
• MAC Hashing Internals
• ES+ EVC and Packet Flow
• L2VPN HA
• SRD EVC Features

Page 44: 7600-Unified Service Mapping

EVC Port/MAC Security

service instance 415 ethernet 415
 encapsulation dot1q 415
 rewrite ingress tag pop 1 symmetric
 bridge-domain 415 split-horizon
 mac security maximum addresses 3
 mac security address permit 0000.0415.0301
 mac security sticky
 mac security violation restrict
 mac security

AGG1-rossi(config-if-srv)# mac security aging ?
  static  Apply aging controls to statically configured addresses also
  sticky  Apply aging controls to persistent ("sticky") addresses also
  time    Configure aging time

• Port security works with dynamically learned and static MACs to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.
• A security violation occurs in any of these situations:
  – the maximum number of secure MAC addresses is reached
  – the source MAC address is different from the identified secure MAC
  – traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN
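The EFP configured above and the three violation conditions, modelled in Python as an added example (not code from the deck or from IOS). The return codes, counter names, the bridge-domain wrapper and the 'shutdown' handling that disables the EFP are this example's own choices.

```python
# Added example, not from the deck: a model of the per-EFP MAC security the slide
# configures ('maximum addresses 3', one statically permitted address, sticky learning,
# 'violation restrict': drop the frame, count it, EFP stays up) and of the violation
# conditions it lists. The 'shutdown' mode that disables the EFP, the return codes and
# the bridge-domain wrapper are this example's own modelling choices.
from typing import Dict, List, Optional


class EfpMacSecurity:
    def __init__(self, maximum: int, permitted: Optional[List[str]] = None,
                 sticky: bool = True, violation: str = "restrict") -> None:
        self.maximum = maximum
        self.sticky = sticky
        self.violation = violation
        # secure MAC -> how it got there: 'static', 'sticky' or 'dynamic'
        self.secure: Dict[str, str] = {m.lower(): "static" for m in (permitted or [])}
        self.violations = 0
        self.disabled = False

    def _violate(self) -> str:
        self.violations += 1          # 'restrict': drop, count, keep forwarding others
        if self.violation == "shutdown":
            self.disabled = True      # this example's extension: err-disable the EFP
        return "drop"

    def ingress(self, smac: str) -> str:
        """'forward' or 'drop' for a frame arriving on this EFP with source MAC smac."""
        smac = smac.lower()
        if self.disabled:
            return "drop"
        if smac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # room left: learn it; sticky entries persist, plain dynamic ones age out
            self.secure[smac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # maximum reached and the source MAC is not one of the secure addresses
        return self._violate()


class BridgeDomain:
    """EFPs sharing one bridge domain: a MAC secured on one EFP showing up on another
    EFP of the same domain is the third violation condition on the slide."""

    def __init__(self) -> None:
        self.efps: Dict[str, EfpMacSecurity] = {}

    def add(self, name: str, sec: EfpMacSecurity) -> None:
        self.efps[name] = sec

    def ingress(self, efp: str, smac: str) -> str:
        smac = smac.lower()
        for other, sec in self.efps.items():
            if other != efp and smac in sec.secure:
                return self.efps[efp]._violate()
        return self.efps[efp].ingress(smac)


def slide44_efp() -> EfpMacSecurity:
    """The slide's EFP: maximum 3, 0000.0415.0301 permitted, sticky, violation restrict."""
    return EfpMacSecurity(3, permitted=["0000.0415.0301"])
```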

Page 45: 7600-Unified Service Mapping

DHCP Snooping with Option 82

• Traditional “port + VLAN” information is not enough to identify the subscriber uniquely. It may also require the access encapsulation VLAN information.

[Figure: circuit-id suboption layouts, each as suboption type/length followed by circuit-id type/length and fields; the subscriber string is user configurable]
  Normal (not EVC):              1, 6 | 0, 4 | port/mod | internal vlan
  EVC, no encapsulation (raw):   1, 10 + str len | 1, 8 | port/mod | internal vlan | EFP id | subscriber str
  EVC, 802.1q encapsulation:     1, 12 + str len | 2, 10 | port/mod | internal vlan | EFP id | .1q tag | subscriber str
  EVC, q-in-q encapsulation:     1, 14 + str len | 3, 12 | port/mod | internal vlan | EFP id | outer .1q tag | inner .1q tag | subscriber str
  (the three EVC layouts are the new enhancement for EVC)

Page 46: 7600-Unified Service Mapping

Dynamic ARP Inspection

• Uses the DHCP Snooping Binding Table information
• Dynamic ARP Inspection: all ARP packets must match the IP/MAC binding table entries. If the entries do not match, throw them in the bit bucket.

[Figure: DHCP Snooping and Dynamic ARP Inspection enabled; hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B), 10.1.1.3 (MAC C). The host with MAC C sends an ARP to 10.1.1.1 saying “10.1.1.2 is MAC C” and an ARP to 10.1.1.2 saying “10.1.1.1 is MAC C”; neither matches a binding, so the ARPs go in the bit bucket => DENY]

Page 47: 7600-Unified Service Mapping

IP Source Guard

• Uses the DHCP snooping binding table information

• Operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets

Figure (DHCP snooping, Dynamic ARP Inspection and IP Source Guard enabled): bindings 10.1.1.1 / MAC A, 10.1.1.2 / MAC B and 10.1.1.3 / MAC C. Received traffic with source IP 10.1.1.2 from MAC B and source IP 10.1.1.3 from MAC C matches the binding table. Traffic sent with IP 10.1.1.3 from MAC B, and traffic sent with IP 10.1.1.2 from MAC C, is checked against the binding table ("Is this in my binding table? NO!"): non-matching, so the traffic is dropped.

AGG1-rossi(config-if-srv)#ip verify source vlan dhcp-snooping                   (validates IP only)
AGG1-rossi(config-if-srv)#ip verify source vlan dhcp-snooping port-security     (validates both IP and MAC)

Without the port-security keyword only the source IP is checked against the bindings on that EFP, so a host that uses the IP of another binding on the same EFP while keeping its own MAC is not caught; the port-security form checks the MAC too.
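The following Python is an added example (not code from this deck or from IOS) that runs the Dynamic ARP Inspection check of the previous slide and the IP Source Guard check of this one over a constructed DHCP snooping binding table. The bindings are the slides' three hosts, with made-up MAC addresses standing in for MAC A, B and C and made-up EFP names; the packets and the function names are this example's own. It also shows the difference between the IP-only and the IP+MAC form of "ip verify source".

```python
"""Added example (not from the Cisco deck): DAI and IP Source Guard lookups
against a constructed DHCP snooping binding table."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding table entry."""
    ip: str
    mac: str
    vlan: int
    port: str      # interface:EFP the lease was snooped on


# Constructed table: 0000.0415.0301/0302/0303 stand in for the slide's MAC A/B/C.
BINDINGS = {
    Binding("10.1.1.1", "0000.0415.0301", 415, "Gi2/37:415"),
    Binding("10.1.1.2", "0000.0415.0302", 415, "Gi2/38:415"),
    Binding("10.1.1.3", "0000.0415.0303", 415, "Gi2/39:415"),
}


def dai_permit(sender_ip: str, sender_mac: str, vlan: int) -> bool:
    """Dynamic ARP Inspection: the ARP sender IP/MAC pair must be a binding."""
    return any(b.ip == sender_ip and b.mac == sender_mac and b.vlan == vlan
               for b in BINDINGS)


def ipsg_permit(src_ip: str, src_mac: str, vlan: int, port: str,
                validate_mac: bool = False) -> bool:
    """IP Source Guard on an EFP.  'ip verify source vlan dhcp-snooping' checks
    the source IP against the bindings on this port; with the port-security
    keyword (validate_mac=True) the source MAC must match the binding as well."""
    for b in BINDINGS:
        if b.vlan == vlan and b.port == port and b.ip == src_ip:
            return b.mac == src_mac or not validate_mac
    return False


def run_sample():
    """Constructed ARP and IP packets, as in the two slide figures."""
    A, B, C = "0000.0415.0301", "0000.0415.0302", "0000.0415.0303"
    # ARP packets as (sender IP, sender MAC): MAC C claims to be .1 and .2.
    arps = [("10.1.1.1", C), ("10.1.1.2", C), ("10.1.1.3", C), ("10.1.1.1", A)]
    dai = [dai_permit(ip, mac, 415) for ip, mac in arps]
    # IP packets as (source IP, source MAC, ingress EFP).
    pkts = [
        ("10.1.1.3", B, "Gi2/38:415"),   # B on its own EFP using C's IP
        ("10.1.1.2", C, "Gi2/39:415"),   # C on its own EFP using B's IP
        ("10.1.1.2", B, "Gi2/38:415"),   # genuine
        ("10.1.1.2", C, "Gi2/38:415"),   # C's MAC behind B's EFP using B's IP
    ]
    ip_only = [ipsg_permit(ip, mac, 415, port) for ip, mac, port in pkts]
    ip_and_mac = [ipsg_permit(ip, mac, 415, port, validate_mac=True)
                  for ip, mac, port in pkts]
    return dai, ip_only, ip_and_mac
```

The last packet is the one to watch: the source IP does belong to a binding on that EFP, so the IP-only form forwards it, while the port-security form notices the MAC does not match and drops it.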

Page 48: 7600-Unified Service Mapping

7600 EVC Storm Control

• EVC storm control is enabled at the port level; it applies only to broadcast and multicast traffic, not to unicast traffic

• Storm control is implemented in the NP microcode using a single one-rate policer

• That one rate is shared by both traffic types: broadcast and multicast suppression use the same policer, so they must have the same suppression rate. If the operator configures a higher or lower rate for broadcast or for multicast, the rate configured last takes effect for both of them.

• If 0% is specified then all broadcast and multicast traffic is dropped

• If 100% is specified then all traffic is allowed

AGG1-rossi(config)#int gig 2/37
AGG1-rossi(config-if)#storm-control broadcast level 1.00
AGG1-rossi(config-if)#storm-control multicast level 1.00
AGG11(config-if)#storm unicast level 10
Command Rejected: Unicast suppression is not supported on Gi2/20

AGG1-rossi#sh int gig 2/37 counters storm-control
Port      UcastSupp %   McastSupp %   BcastSupp %   TotalSuppDiscards
Gi2/37         100.00          1.00          1.00              250596
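As an added example (not code from this deck or from the NP microcode), the following token-bucket model shows what sharing one single-rate policer between broadcast and multicast means in practice: a broadcast burst can consume the whole budget so that well-behaved multicast is discarded too, and whichever level is configured last applies to both. The link rate, burst size, interval, frame mix and all class and function names are this example's assumptions; the slide only states that the policer is shared, that the last configured level wins, and that unicast is not supported.

```python
"""Added example (not from the Cisco deck): a shared one-rate policer model
for EVC storm control (broadcast + multicast only)."""


class EvcStormControl:
    """Port-level storm control with one token bucket for broadcast + multicast."""

    def __init__(self, link_bps: int, burst_bytes: int):
        self.link_bps = link_bps
        self.burst = burst_bytes         # assumed bucket depth
        self.level = 100.0               # percent of link rate; 100 = no suppression
        self.tokens = 0.0
        self.discards = {"broadcast": 0, "multicast": 0}

    def configure(self, traffic_type: str, level: float) -> float:
        """'storm-control {broadcast|multicast} level <pct>'.  Both keywords
        program the same policer, so the most recent value applies to both."""
        if traffic_type == "unicast":
            raise ValueError("Unicast suppression is not supported")
        if not 0.0 <= level <= 100.0:
            raise ValueError("level must be between 0 and 100 percent")
        self.level = level
        return self.level

    def _refill(self, seconds: float) -> None:
        rate_bytes_per_s = self.link_bps * self.level / 100.0 / 8.0
        self.tokens = min(self.burst, self.tokens + rate_bytes_per_s * seconds)

    def offer(self, traffic_type: str, frame_bytes: int) -> bool:
        """Police one frame; True if forwarded, False if discarded."""
        if traffic_type == "unicast":
            return True                  # never policed by EVC storm control
        if self.level >= 100.0:
            return True                  # 100%: everything allowed
        if self.level <= 0.0 or self.tokens < frame_bytes:
            self.discards[traffic_type] += 1   # 0%: everything dropped
            return False
        self.tokens -= frame_bytes
        return True

    def tick(self, seconds: float, frames) -> dict:
        """Refill for one interval, then offer that interval's (type, size) frames."""
        self._refill(seconds)
        passed = {"broadcast": 0, "multicast": 0, "unicast": 0}
        for kind, size in frames:
            if self.offer(kind, size):
                passed[kind] += 1
        return passed


def run_sample():
    """1 Gb/s port; 1% shared level gives 1.25 MB/s, i.e. 12500 bytes per 10 ms."""
    sc = EvcStormControl(link_bps=1_000_000_000, burst_bytes=12500)
    sc.configure("broadcast", 1.00)
    sc.configure("multicast", 5.00)      # configured last: both types now at 5%
    level_after_second_cmd = sc.level
    sc.configure("broadcast", 1.00)      # back to 1% for both
    # Constructed 10 ms interval: a broadcast burst of 20 x 1000-byte frames
    # arrives ahead of 5 x 1000-byte multicast frames and 3 unicast frames.
    frames = ([("broadcast", 1000)] * 20 + [("multicast", 1000)] * 5
              + [("unicast", 1000)] * 3)
    passed = sc.tick(0.010, frames)
    return level_after_second_cmd, passed, dict(sc.discards)
```

The multicast frames are dropped even though multicast on its own is far below 1% of the link: the broadcast burst emptied the shared bucket first. Separate per-type levels are not available on this platform, so the level has to be chosen for the combined broadcast plus multicast load.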

Page 49: 7600-Unified Service Mapping

7600 EVC L2 ACL

• An EVC L2 MAC ACL matches only on source and/or destination MAC address; it does not match on ethertype, VLAN ID, etc.

• The ACL counters are per ACL, not per ACE

• Like other IOS ACLs, it has an implicit "deny any any" at the end of the ACL

mac access-list extended mac-415
 permit host 0000.0415.0401 any
 permit host 0000.0415.0401 host 0000.0415.0302

service instance 415 ethernet
 mac access-group mac-415 in

AGG2-duhan#show ethernet service instance id 415 interface gig 2/0/16 detail | inc ACL
L2 ACL (inbound): mac-415
L2 ACL permit count: 189418
L2 ACL deny count: 367339

Note that in this ACL the second ACE is completely shadowed by the first (host 0000.0415.0401 to any already covers it), and because the counters are per ACL rather than per ACE nothing in the show output reveals that.
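The following Python evaluator is an added example (not code from this deck or from IOS) for the mac-415 ACL above. It keeps the two properties the slide calls out, an implicit deny at the end and a single pair of permit/deny counters for the whole ACL, and additionally reports ACEs that can never match. The ACL text and addresses are the slide's; the frame list and the function names are this example's own.

```python
"""Added example (not from the Cisco deck): evaluate an EVC L2 MAC ACL with
implicit deny and per-ACL (not per-ACE) counters, and find shadowed ACEs."""

ANY = "any"


def parse_mac_acl(text: str) -> list:
    """Parse 'permit|deny {host X|any} {host Y|any}' lines into
    (action, src, dst) tuples; the 'mac access-list extended' line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[:2] == ["mac", "access-list"]:
            continue
        action, rest = tokens[0], tokens[1:]
        if rest[0] == "host":
            src, rest = rest[1].lower(), rest[2:]
        else:
            src, rest = ANY, rest[1:]
        dst = rest[1].lower() if rest[0] == "host" else ANY
        aces.append((action, src, dst))
    return aces


def _matches(ace, src: str, dst: str) -> bool:
    _, asrc, adst = ace
    return asrc in (ANY, src) and adst in (ANY, dst)


def apply_acl(aces: list, frames: list):
    """Return (permitted frames, counters).  One permit and one deny counter
    for the whole ACL, like 'L2 ACL permit count' / 'L2 ACL deny count'."""
    counters = {"permit": 0, "deny": 0}
    permitted = []
    for src, dst in frames:
        action = "deny"                      # implicit deny any any
        for ace in aces:
            if _matches(ace, src, dst):
                action = ace[0]              # first matching ACE wins
                break
        counters[action] += 1
        if action == "permit":
            permitted.append((src, dst))
    return permitted, counters


def shadowed_aces(aces: list) -> list:
    """Indexes of ACEs that some earlier ACE always matches first."""
    out = []
    for i, (_, src, dst) in enumerate(aces):
        for _, esrc, edst in aces[:i]:
            if esrc in (ANY, src) and edst in (ANY, dst):
                out.append(i)
                break
    return out


MAC_415 = """
mac access-list extended mac-415
 permit host 0000.0415.0401 any
 permit host 0000.0415.0401 host 0000.0415.0302
"""


def run_sample():
    """Constructed frames as (source MAC, destination MAC)."""
    aces = parse_mac_acl(MAC_415)
    frames = [
        ("0000.0415.0401", "0000.0415.0302"),   # permitted by the first ACE
        ("0000.0415.0401", "ffff.ffff.ffff"),   # broadcast, permitted by the first ACE
        ("0000.0415.0302", "0000.0415.0401"),   # reverse direction: implicit deny
        ("0000.0415.0499", "0000.0415.0302"),   # unknown source: implicit deny
    ]
    permitted, counters = apply_acl(aces, frames)
    return aces, permitted, counters, shadowed_aces(aces)
```

Because the platform counts per ACL, the shadowed ACE is only visible by reading the ACL, which is what shadowed_aces does; on a live box the same check has to be done on the configuration, not on the counters.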

Page 50: 7600-Unified Service Mapping

LACP Port Channel with EVC

• Port channel interfaces represent aggregated Ethernet ports, for both increased bandwidth and link redundancy

• The 7600 has supported routed interfaces and L2 switchports over port channels for a long time

• EVC port channel allows Ethernet service instances (EVCs) to be configured over port channel interfaces. It is supported from the SRC release with static channel mode "on"

• The SRD release will support LACP as the channel protocol in addition to static channel mode "on". PAgP is not supported

• SIP-400 does not support port-channel

Page 51: 7600-Unified Service Mapping

Port Channel Traffic Load Balancing

• Ingress traffic for an EVC can be received on any of the member ports of the port channel, depending on the load balancing algorithm used on the peer device

• Egress traffic for an EVC is transmitted out of a single pre-determined member port. Thus the egress load balancing is per service instance

• Manual EVC load balancing is being considered for SRE*

Figure: interface po5 with member ports Gi4/0/0 and Gi4/0/10. Ingress: frames of EVC 1 and EVC 2 arrive on either Gi4/0/0 or Gi4/0/10 and are handed to the forwarding function. Egress: the forwarding function sends each EVC out one member port only, EVC 1 via one member (Gi4/0/0) and EVC 2 via the other (Gi4/0/10).

*SRE is not EC'd, subject to change
