© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda:
09:00 - 09:30 - Welcome - Suzana Radović
09:30 - 10:15 - Catalyst 6500 Virtual Switching System - Tatjana Bošković
10:15 - 11:00 - Cisco Nexus switches - Aleksandar Vulović
11:00 - 11:15 - Coffee break
11:15 - 12:45 - Data Center security - Christopher Paggen
12:45 - 13:30 - Lunch
13:30 - 14:15 - Data Center - Disaster recovery - Višnja Milovanović
14:15 - 15:00 - Cisco Contact Centers - Aleksandar Vulović
15:00 - 15:15 - Coffee break
15:15 - 16:00 - Ironport - Tatjana Bošković
16:00 - 16:45 - Digital Media System (live demonstration) - Višnja Milovanović
Catalyst 6500 Virtual Switching System (VSS)
Tatjana Boskovic, Channel SE
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. BRKRST-3468, 14516_04_2008_c2
Agenda
• Introduction
• Architecture
• High Availability
• Hardware Requirements and service module support
• Q&A
VSS Introduction
Catalyst 6500 Virtual Switching System 1440: Targeted Customer Issues
[Diagram: campus and data center networks with access and distribution layers and servers; STP/HSRP at the distribution layer, NIC teaming at the servers]
Large, complex networks = challenging network management
Non-deterministic recovery from network failure = business downtime
Inefficient resource utilization = lost investment
Increasing real-time applications = latency sensitive
Current Network Challenges: Enterprise Campus
Traditional Enterprise Campus deployments have been designed in such a way that allows for scalability, differentiated services and high availability. However, they also face many challenges, some of which are listed in the diagram below:
[Diagram: three-tier campus with the challenges at each layer]
Access: single active uplink per VLAN (PVST), L2 reconvergence
L2/L3 Distribution: FHRP, STP, asymmetric routing, policy management
L3 Core: extensive routing topology, routing reconvergence

Virtual Switching System
Virtual Switching System is a new technology breakthrough for the Catalyst 6500 family.
Introduction to Virtual Switching System: Concepts
Uses one supervisor in each chassis with an inter-chassis Stateful Switchover (SSO) method in which one supervisor is ACTIVE and the other is in HOT_STANDBY mode.
Active/standby supervisors run in synchronized mode (boot-env, running-configuration, protocol state and line card status are synchronized).
Benefits of VSS
Simplifies operational manageability via a single point of management and the elimination of STP, FHRP, etc.
Deterministic sub-200 ms stateful and graceful recovery from switch or uplink failure to minimize traffic disruption.
Active-active Multi-Chassis EtherChannel (802.3ad) to double bandwidth utilization and reduce latency.
Catalyst 6500 Virtual Switching System 1440: Network System Virtualization
[Diagram: physical view (two Cat6500 Sup720-10GE chassis joined by 10GE links) versus logical view (one virtual switch); access switches, ToR switches or blades and servers attach with 802.3ad bundles that span both chassis]
Virtual Switching System: Enterprise Campus
A Virtual Switching System-enabled Enterprise Campus network takes on multiple benefits, including simplified management and administration and greater high availability, while maintaining a flexible and scalable architecture.
[Diagram: three-tier campus with VSS at the distribution layer]
Access: multiple active uplinks per VLAN, no STP convergence
L2/L3 Distribution: no FHRPs, no looped topology, policy management
L3 Core: reduced routing neighbors, minimal L3 reconvergence

VSS Architecture
Virtual Switching System Architecture: Virtual Switch Link
The Virtual Switch Link is a special link joining the two physical switches together. It extends the out-of-band channel, allowing the active control plane to manage the hardware in the second chassis.
A Virtual Switch Link bundle can consist of up to 8 x 10GE links.
All traffic traversing the VSL is encapsulated with a 32-byte "Virtual Switch Header" containing the ingress and egress switchport indexes, class of service (CoS), VLAN number and other important information from the layer 2 and layer 3 headers.
The control plane uses the VSL for CPU-to-CPU communication, while the data plane uses the VSL to extend the internal chassis fabric to the remote chassis.
[Diagram: Virtual Switch Active and Virtual Switch Standby joined by the Virtual Switch Link]
Frame on the VSL: VS Header | L2 Hdr | L3 Hdr | Data | CRC
Virtual Switching System Architecture: VSL Initialization
Before the Virtual Switching System domain can become active, the Virtual Switch Link (VSL) must be brought online to determine the Active and Standby roles. The initialization process essentially consists of 3 steps:
1. Link bringup, to determine which ports form the VSL
2. Link Management Protocol (LMP), used to track and reject unidirectional links and to exchange the chassis ID and other information between the 2 switches
3. Role Resolution Protocol (RRP), used to determine compatible hardware and software versions to form the VSL, as well as to determine which switch becomes Active and which Hot Standby from a control plane perspective
Etherchannel Concepts
An Etherchannel combines multiple physical links into a single logical link. It is ideal for load sharing or link redundancy and can be used by both layer 2 and layer 3 subsystems.
Physical view: multiple ports are defined as being part of an Etherchannel group.
Logical view: subsystems running on the switch only see one logical link.
An Etherchannel can be defined on Ethernet, Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet ports.
Etherchannel Concepts: Multichassis EtherChannel (MEC)
Prior to Virtual Switching System, Etherchannels were restricted to reside within the same physical switch. In a Virtual Switching environment the 2 physical switches form a single logical network entity, therefore Etherchannels can now also be extended across the 2 physical chassis.
[Diagram: a regular Etherchannel on a single standalone chassis versus a Multichassis EtherChannel across 2 VSL-enabled chassis that form one Virtual Switch]
Both LACP and PAgP Etherchannel protocols and the manual ON mode are supported.
Etherchannel Concepts: Etherchannel Hash for MEC
Deciding which link of a Multi-chassis Etherchannel to use in a Virtual Switch is skewed in favor of the local links in the bundle. This is done to avoid overloading the Virtual Switch Link (VSL) with unnecessary traffic loads. Localizing the decision to use a link in the bundle that is resident on the local switch (thus avoiding forwarding over the VSL) is done as follows:
• The BUNDLE_SELECT register in the port ASIC is programmed to see only the local links of the Etherchannel bundle, even though other links in the same bundle are resident in the VSS peer chassis. This behavior is fixed and cannot be changed by any configuration option.
NOTE: If all links in the local bundle go down, then the BUNDLE_SELECT register is programmed to point packets to the VSL.
RBH (Result Bundle Hash) for MEC, 8-link bundle example: the 8 RBH values map onto the 4 links that are local to this chassis
Bit 7 -> Link 1
Bit 6 -> Link 1
Bit 5 -> Link 2
Bit 4 -> Link 2
Bit 3 -> Link 3
Bit 2 -> Link 3
Bit 1 -> Link 4
Bit 0 -> Link 4
• RBH values are reprogrammed for each core to reflect only the local links that are in the Etherchannel bundle.
A new hash distribution algorithm has been introduced with the 12.2(33)SXH release, which allows members of a port channel to be added or removed without the requirement for all traffic on the existing members to be temporarily dropped:
vss(config)#port-channel hash-distribution adaptive
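The local-preference link selection just described, as an added Python model (not Cisco code and not taken from this deck): `bucket_table` plays the role of the BUNDLE_SELECT register, spreading the 8 RBH values over the links local to one chassis and pointing every value at the VSL when no local member is up, and `remap_adaptive` contrasts the adaptive hash distribution of 12.2(33)SXH with a full rebuild of the table when a member leaves the bundle. The stand-in hash function, the port names, the class and function names and the even-spread rule are assumptions of the model.

```python
import hashlib


def rbh(src_ip, dst_ip):
    """3-bit Result Bundle Hash (RBH) for a flow. The PFC's real hash function is
    not on the slides; a truncated SHA-256 over the address pair stands in for it."""
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    return digest[0] & 0x07


def bucket_table(links):
    """Spread the 8 RBH values evenly over `links`, as in the slide's 8-link example
    (2 RBH values per link for 4 local links). No usable link -> every value points
    to the VSL, which the slide says happens when all local links are down."""
    if not links:
        return ["VSL"] * 8
    return [links[i * len(links) // 8] for i in range(8)]


class MecBundle:
    """A Multichassis EtherChannel whose member ports live on chassis 1 or chassis 2
    (constructed model)."""

    def __init__(self, members):
        self.members = dict(members)   # port name -> chassis id (1 or 2)
        self.down = set()              # ports currently down

    def local_links(self, chassis):
        """Up member ports resident on `chassis`, sorted for determinism."""
        return sorted(p for p, c in self.members.items()
                      if c == chassis and p not in self.down)

    def bundle_select(self, chassis):
        """Contents of the BUNDLE_SELECT register on `chassis`: only local links are
        visible, even though the peer chassis holds members of the same bundle."""
        return bucket_table(self.local_links(chassis))

    def egress(self, ingress_chassis, src_ip, dst_ip):
        """Port a frame leaves on when it enters the VSS on `ingress_chassis`.
        "VSL" means it crosses to the peer, which hashes over its own local links."""
        return self.bundle_select(ingress_chassis)[rbh(src_ip, dst_ip)]


def remap_adaptive(old_table, links):
    """Model of the adaptive hash distribution for a removed member: RBH values whose
    link is still in the bundle keep it; only values that pointed at the removed link
    are reassigned, so flows on the surviving members are not disturbed."""
    if not links:
        return ["VSL"] * 8
    new = list(old_table)
    spill = 0
    for i, link in enumerate(old_table):
        if link not in links:
            new[i] = links[spill % len(links)]
            spill += 1
    return new


def moved_buckets(old_table, new_table):
    """Number of the 8 RBH values that changed link, i.e. flow groups that moved."""
    return sum(1 for a, b in zip(old_table, new_table) if a != b)


if __name__ == "__main__":
    mec = MecBundle({"Te1/5/1": 1, "Te1/5/2": 1, "Te2/5/1": 2, "Te2/5/2": 2})
    print("chassis 1 register:", mec.bundle_select(1))
    mec.down = {"Te1/5/1", "Te1/5/2"}
    print("chassis 1 with no local member:", mec.egress(1, "10.1.1.10", "10.2.2.20"))
    before = bucket_table(["A", "B", "C", "D"])
    print("full rebuild moves", moved_buckets(before, bucket_table(["B", "C", "D"])),
          "groups; adaptive moves", moved_buckets(before, remap_adaptive(before, ["B", "C", "D"])))
```

Removing link A from a 4-link local bundle moves 3 of the 8 RBH groups with a full rebuild but only the 2 groups that were on A with the adaptive remap; that difference is what spares the traffic on the surviving members.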
High Availability
High Availability: Redundancy Schemes
The default redundancy mechanism between the 2 VSS chassis and their associated supervisors is NSF/SSO, allowing state information and configuration to be synchronized. Additionally, only in NSF/SSO mode do the Standby supervisor's PFC, switch fabric, modules and their associated DFCs become active.
Should a mismatch of information occur between the Active and Standby chassis, the Standby chassis will revert to RPR mode, where only the configuration is synchronized, but the PFC, switch fabric and modules will not be brought up.
[Diagram: Switch 1 (12.2(33)SXH1, Active) and Switch 2 (12.2(33)SXH1) joined by the VSL run NSF/SSO; Switch 1 (12.2(33)SXH1, Active) and Switch 2 (12.2(33)SXH2) fall back to RPR]
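The three-step VSL initialization (link bringup, LMP, RRP) and the NSF/SSO-versus-RPR decision from this slide, as an added Python model. It is not Cisco code: the `VslPort`/`Chassis` classes, the port names and version strings, and the election rule (higher priority wins, lower switch ID breaks a tie) are assumptions of the model; the supervisor requirement comes from the hardware slide and the SSO/RPR rule from this one.

```python
from dataclasses import dataclass

# Hardware requirements slide: the only supervisor that supports VSS
SUPPORTED_SUPERVISOR = "VS-S720-10G-3C/XL"


@dataclass
class VslPort:
    """One candidate VSL member as seen from the local chassis (constructed)."""
    name: str
    hears_peer: bool      # we receive the peer's LMP hellos on this port
    peer_hears_us: bool   # the peer reports receiving ours (False -> unidirectional)


@dataclass
class Chassis:
    switch_id: int
    domain: int
    supervisor: str
    software: str
    priority: int
    vsl_ports: list


def lmp(local, peer):
    """Link Management Protocol step: exchange chassis identity and keep only
    bidirectional VSL members; unidirectional links are rejected."""
    if local.domain != peer.domain:
        raise ValueError("virtual switch domain mismatch")
    if local.switch_id == peer.switch_id:
        raise ValueError("both chassis use the same switch id")
    members = [p.name for p in local.vsl_ports if p.hears_peer and p.peer_hears_us]
    rejected = [p.name for p in local.vsl_ports if p.name not in members]
    return members, rejected


def rrp(local, peer):
    """Role Resolution Protocol step: check hardware/software compatibility and
    elect the Active switch. The election rule is an assumption of this model:
    higher priority wins, lower switch id breaks a tie."""
    for c in (local, peer):
        if c.supervisor != SUPPORTED_SUPERVISOR:
            raise ValueError(f"switch {c.switch_id}: {c.supervisor} cannot form a VSL")
    winner = max((local, peer), key=lambda c: (c.priority, -c.switch_id))
    role = "active" if winner is local else "hot_standby"
    # Redundancy slide: matching software -> NSF/SSO; a mismatch -> RPR, where only
    # the configuration is synchronized and the standby forwarding hardware stays down
    redundancy = "NSF/SSO" if local.software == peer.software else "RPR"
    return role, redundancy


def bring_up_vsl(local, peer):
    """Run the initialization from `local`'s point of view and summarize the result."""
    members, rejected = lmp(local, peer)
    if not members:
        raise ValueError("no bidirectional VSL member; chassis stays standalone")
    role, redundancy = rrp(local, peer)
    return {
        "vsl_members": members,
        "rejected_unidirectional": rejected,
        "role": role,
        "redundancy": redundancy,
        "standby_forwarding_hardware_up": redundancy == "NSF/SSO",
    }


if __name__ == "__main__":
    sw1 = Chassis(1, 100, SUPPORTED_SUPERVISOR, "12.2(33)SXH1", 110,
                  [VslPort("Te1/5/4", True, True), VslPort("Te1/5/5", True, False)])
    sw2 = Chassis(2, 100, SUPPORTED_SUPERVISOR, "12.2(33)SXH1", 100,
                  [VslPort("Te2/5/4", True, True), VslPort("Te2/5/5", False, True)])
    print(bring_up_vsl(sw1, sw2))
```

The unidirectional port Te1/5/5 is dropped from the VSL by LMP while the domain still forms over Te1/5/4; changing Switch 2's version to 12.2(33)SXH2 keeps the roles but flips the result to RPR with the standby forwarding hardware left down, which is the situation the slide's second diagram depicts.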
Virtual Switching System: Inter-Chassis NSF/SSO
[Diagram: Switch-1 (Virtual Switch Active) and Switch-2 (Virtual Switch Hot Standby); Switch-1 goes down]
1. The Virtual Switch Active incurs a supervisor outage.
2. The Standby supervisor takes over as Virtual Switch Active.
The Virtual Switch Standby initiates a graceful restart. Non-stop forwarding of packets continues using hardware entries as Switch-2 assumes the Active role, and NSF-aware neighbors exchange updates with the Virtual Switch Active.
High Availability: NSF-Aware Layer 3 Neighbors
The NSF feature with SSO minimizes the amount of traffic loss following a supervisor switchover while continuing to forward traffic using hardware entries. In a VSS environment this feature is required to minimize traffic disruption in an event such as a supervisor failure that causes a supervisor switchover.
• NSF-aware and NSF-capable routers provide for transparent routing protocol recovery
• Graceful restart extensions enable neighbor recovery without resetting adjacencies
• Routing database re-synchronization occurs in the background
• An NSF-capable router continuously forwards packets during an SSO processor recovery
• EIGRP, OSPF, IS-IS and BGP are NSF-capable and NSF-aware protocols
• Sup720, Sup32, Sup IV/V and Cat37xx support NSF functionality
[Diagram: VSS with layer 3 neighbors; neighbors should be NSF-aware]
High Availability: Dual-Active Detection
In a Virtual Switching System domain, one switch is elected as Active and the other as Standby during boot-up by VSLP. Since the VSL is always configured as a port channel, the possibility of the entire VSL bundle going down is remote; however, it is a possibility.
It is always recommended to deploy the VSL with 2 or more links and to distribute those interfaces across multiple modules to ensure the greatest redundancy.
[Diagram: Switch 1 (Active) and Switch 2 (Hot Standby) joined by the VSL]
High Availability: Dual-Active Detection
[Diagram: Switch 1 (Active) and Switch 2 (Hot Standby) joined by the VSL; after the VSL fails, Switch 2 becomes Active as well]
If the entire VSL bundle should happen to go down, the Virtual Switching System domain will enter a Dual-Active scenario where both switches transition to the Active state and share the same network configuration (IP addresses, MAC address, router IDs, etc.), potentially causing communication problems throughout the network.
Following a Dual-Active scenario, if the Virtual Switching System is configured for dual-active detection, the following steps take place:
1. Dual-Active detection, using the detection method enabled in the system. The Dual-Active protocols are PAgP+, Fast Hello and IP BFD.
2. Further network disruption is avoided by bringing down the interfaces of the previously Active VSS switch that connect to neighboring devices.
3. Dual-Active recovery: when the VSL recovers, the switch that had all its interfaces brought down in the previous step reloads to boot in the preferred Standby state.
High Availability: Dual-Active Detection (comparison of methods)

Property                     | PAgP+                         | Dual-Active IP BFD     | Dual-Active Fast Hello
-----------------------------|-------------------------------|------------------------|-----------------------
Convergence                  | Sub-second                    | Seconds*               | Sub-second
Communication medium         | Layer 2                       | Layer 3                | Layer 2
Heartbeat communication path | Through compatible neighbor** | Direct L3 link         | Direct L2 link
Software release             | 12.2(33)SXH1 or later         | 12.2(33)SXH1 or later  | 12.2(33)SXI

* Dual-Active detection time with IP BFD is longer than with Fast Hello and PAgP+ because IP BFD is a layer 3 protocol and, upon dual-active, the standby RP (previously Hot Standby) has to come up before it can start dual-active detection using BFD.
** The Enhanced PAgP feature is supported on the Cat45xx platform in 12.2(44)SE, and the Cat37xx platform will support this feature in 12.2(46)SE.
High Availability: Dual-Active Detection
[Diagram: Switch 1 (Active) and Switch 2 (Hot Standby) joined by the VSL; VSL down leads to Dual-Active, with both Switch 1 and Switch 2 Active]
When the VSL breaks, during the dual-active scenario Switch-1 and Switch-2 both assume the Active role and start communicating with neighbor devices using the same MAC address and IP address, which creates network connectivity issues.
Upon detecting the dual-active scenario, the previous Active's interfaces will be brought down to avoid the network connectivity issues that occur during dual-active.
High Availability: Dual-Active Detection - Exclude Interfaces
Upon detection of a Dual-Active scenario, all interfaces on the previous-Active switch will be brought down so as not to disrupt the functioning of the remainder of the network. The exception interfaces include VSL members as well as pre-determined interfaces which may be used for management purposes:
vs-vsl#conf t
Enter configuration commands, one per line. End with CNTL/Z.
vs-vsl(config)#switch virtual domain 100
vs-vsl(config-vs-domain)#dual-active exclude interface Gig 1/5/1
vs-vsl(config-vs-domain)#dual-active exclude interface Gig 2/5/1
vs-vsl(config-vs-domain)# ^Z
vs-vsl#
High Availability: Dual-Active Recovery
Upon the restoration of one or more VSL interfaces, VSLP will detect this and proceed to reload Switch 1 so that it can boot up in the preferred Hot Standby role.
After the role has been resolved and SSO Hot Standby mode is possible, interfaces will be brought up and traffic will resume back to 100% capacity.
[Diagram: VSL up; Switch 1 (Active) and Switch 2 (Active) joined by the VSL; Switch-1 reloads and boots up in Hot Standby mode]
High Availability: Dual-Active Detection - Enhanced PAgP
Enhanced PAgP allows new TLVs to be relayed from the individual Virtual Switches to a remote device that is EtherChanneled to the Virtual Switching System domain. During normal operation the Virtual Switches send the ID of the Active VS to the PAgP neighbor, and it responds with the same Active ID.
[Diagram: Switch 1 (Active: Switch 1) and Switch 2 (Hot Standby: Switch 2) with an EtherChannel to a PAgP neighbor]
Should the VSL go down, the Standby switch will transition immediately to the Active state and start sending PAgP messages with the new Active switch ID.
High Availability: Dual-Active Detection - Enhanced PAgP
The Enhanced PAgP-capable neighbor will proceed to send the new Active Switch ID to all member ports of the port channel on which it received the new Active Switch ID, including the previous-active Virtual Switch (Switch 1).
On Switch 1, upon reception of PAgP messages with the Active ID of Switch 2, it will be aware that a Dual-Active scenario has occurred and will proceed to bring down all local interfaces*.
[Diagram: Dual-Active! Switch 1 (Active: Switch 1) and Switch 2 (Active: Switch 2)]
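The dual-active sequence of the preceding slides (VSL failure, Enhanced PAgP detection, shutdown of the previous Active's interfaces except VSL members and excluded ports, and the reload into Hot Standby once the VSL returns), as an added Python model. It is not Cisco code: the `VirtualSwitch` and `PagpNeighbor` classes, the interface names and the rule that the neighbor simply records the latest Active ID it hears are assumptions of the model; the excluded port mirrors the `dual-active exclude interface Gig 1/5/1` line from the configuration slide.

```python
from dataclasses import dataclass, field


@dataclass
class VirtualSwitch:
    """One VSS chassis (constructed model)."""
    switch_id: int
    role: str                  # "active" or "hot_standby"
    interfaces: dict           # interface name -> "up" | "down"
    vsl_members: set
    excluded: set = field(default_factory=set)   # "dual-active exclude interface" ports

    def up_interfaces(self):
        return sorted(n for n, s in self.interfaces.items() if s == "up")

    def shutdown_for_dual_active(self):
        """Bring down every interface except VSL members and excluded (management)
        ports, so the previous Active stops competing for the shared addresses."""
        for name in self.interfaces:
            if name not in self.vsl_members and name not in self.excluded:
                self.interfaces[name] = "down"
        return self.up_interfaces()

    def reload_as(self, role):
        """Dual-active recovery: reload into `role` with all interfaces back up."""
        self.role = role
        for name in self.interfaces:
            self.interfaces[name] = "up"


@dataclass
class PagpNeighbor:
    """Enhanced-PAgP neighbor with one port channel whose members reach both chassis."""
    active_id: int             # Active VS ID learned during normal operation

    def receive(self, advertised_active):
        # A PAgP TLV carrying a different Active VS ID replaces the recorded one
        self.active_id = advertised_active

    def relay(self):
        # The neighbor sends its recorded Active ID on every member port
        return self.active_id


def vsl_failure(active, standby):
    """Whole VSL bundle down: the Hot Standby cannot see its peer and becomes Active."""
    if active.role != "active" or standby.role != "hot_standby":
        raise ValueError("unexpected roles before VSL failure")
    for sw in (active, standby):
        for name in sw.vsl_members:
            sw.interfaces[name] = "down"
    standby.role = "active"
    return (active.role, standby.role)     # ("active", "active"): dual-active


def detect_with_enhanced_pagp(prev_active, new_active, neighbor):
    """The new Active advertises its ID; the neighbor relays it on all member ports,
    so the previous Active learns a peer claims the role and shuts its interfaces.
    Returns the interfaces still up on the previous Active."""
    neighbor.receive(new_active.switch_id)
    if prev_active.role == "active" and neighbor.relay() != prev_active.switch_id:
        return prev_active.shutdown_for_dual_active()
    return prev_active.up_interfaces()


def vsl_recovery(prev_active, current_active):
    """One or more VSL members return: VSLP reloads the switch that shut its ports
    so it comes back in the preferred Hot Standby role."""
    for sw in (prev_active, current_active):
        for name in sw.vsl_members:
            sw.interfaces[name] = "up"
    prev_active.reload_as("hot_standby")
    return (prev_active.role, current_active.role)


def scenario():
    """Constructed two-chassis domain with Gi1/5/1 and Gi2/5/1 excluded, as on the slide."""
    sw1 = VirtualSwitch(1, "active",
                        {"Te1/5/4": "up", "Te1/5/5": "up", "Gi1/5/1": "up", "Gi1/1/1": "up"},
                        vsl_members={"Te1/5/4", "Te1/5/5"}, excluded={"Gi1/5/1"})
    sw2 = VirtualSwitch(2, "hot_standby",
                        {"Te2/5/4": "up", "Te2/5/5": "up", "Gi2/5/1": "up", "Gi2/1/1": "up"},
                        vsl_members={"Te2/5/4", "Te2/5/5"}, excluded={"Gi2/5/1"})
    neighbor = PagpNeighbor(active_id=1)
    steps = {}
    steps["normal"] = detect_with_enhanced_pagp(sw1, sw1, neighbor)   # own ID relayed back
    steps["after_vsl_failure"] = vsl_failure(sw1, sw2)
    steps["sw1_up_after_detection"] = detect_with_enhanced_pagp(sw1, sw2, neighbor)
    steps["neighbor_active_id"] = neighbor.active_id
    steps["after_recovery"] = vsl_recovery(sw1, sw2)
    steps["sw1_up_after_recovery"] = sw1.up_interfaces()
    return steps


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

After detection only the excluded management port Gi1/5/1 stays up on Switch 1 (its VSL members are already down), which is exactly the reachability an operator keeps during the outage; the VSL recovery step then returns Switch 1 as Hot Standby with all ports restored.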
High Availability: Dual-Active Detection - IP-BFD
Dual-Active detection with IP-BFD allows for the detection of a Dual-Active scenario subsequent to the Standby RP becoming Active. This mechanism requires that a direct heartbeat link be used to carry the IP-BFD frames from Switch 1 to Switch 2.
The IP-BFD heartbeat link may exist on any interface but must have an IP address assigned to it on a different network.
[Diagram: Switch 1 (Hot Standby) and Switch 2 (Active) exchanging BFD over a dedicated heartbeat link]
High Availability: Dual-Active Detection: VSLP Fast Hello
This is a new feature that will be available in the 12.2(33)SXI software release. Dual-Active heartbeat messages are exchanged over a heartbeat link between Switch-1 and Switch-2. Information such as switch ID, priority and peer state is exchanged to deterministically decide the switch role during dual-active detection.
[Diagram: Switch 1 (Hot Standby) and Switch 2 (Active) exchanging VSLP hellos over the heartbeat link]
Subsequent to a Dual-Active event, dual-active detection takes place and Switch-1 will bring down all its local interfaces*.
VSS Enabled Campus Design: Capacity Planning for the Virtual Switch Link
• Capacity planning and link sizing for VSS is almost identical to traditional multilayer design
• The only traffic that should flow across the VSL under normal conditions is control plane traffic
• In an access switch uplink failure, half of the downstream traffic will be forwarded across the VSL link
• Control plane load is very small and is sent with strict priority over the VSL link
• Redundancy of the VSL is critical and should take priority over capacity planning
Hardware Requirements and Service Module Support
Hardware and Software Requirements
In order to enable the Virtual Switching System feature and configure the Virtual Switch Links (VSL) between 2 Catalyst 6500 chassis, the new Catalyst 6500 Virtual Switching Supervisor 720 is required. It is the only Supervisor that will support VSS, as it supports the new PFC3C/XL forwarding engine.
The PFC3C/XL contains new hardware to support the extra LTL indices and mappings required to forward traffic across multiple physical chassis, lookup enhancements as well as MAC address table handling enhancements.
VS-S720-10G-3C/XL: 12.2(33)SXH1 or later; the current recommendation is 12.2(33)SXH2(a)
Hardware Requirements: VSL-Capable Interfaces
The VSL is a special link that requires extra headers to be imposed onto the frame. These require new port ASICs that exist only on the 10 GigabitEthernet interfaces of the following modules. These interfaces are based on the new port ASIC, allowing frames across the VSL to be encapsulated / de-encapsulated with the VSH. Note that these interfaces may also be used as standard network interfaces.
WS-X6708-10G-3C/XL
WS-X6716-10G-3C/XL: supported from 12.2(33)SXH2* in a non-VSL configuration; support for VSL is from 12.2(33)SXI onwards*
VS-S720-10G-3C/XL
Hardware Requirements: Other Supported Modules
Modules that may exist with the current software version (12.2(33)SXH1) in the VSS domain include all WS-X67xx-series modules, as well as SVC-NAM-1 and SVC-NAM-2:
WS-X6708-10G-3C/XL
WS-X6704-10G-3C/XL
WS-X6748-GE-TX
WS-X6748-SFP
WS-X6724-SFP
SVC-NAM-1 and 2
Hardware Requirements: Service Module Support
Other modules that may exist in the VSS domain with software release 12.2(33)SXI are the service modules ACE, IDSM-2, WiSM and FWSM:
Application Control Engine (ACE): ACE10/20-6500-K9
Intrusion Detection System Services Module (IDSM-2): WS-SVC-IDSM2-K9
Wireless Services Module (WiSM): WS-SVC-WISM-1-K9
Firewall Services Module (FWSM): WS-SVC-FWM-1-K9
VSS Service Module Integration: ACE/FWSM High Availability
Active-Standby redundancy: one of the FWSM modules in a VSS system will be Active and the second one will be Standby. Secured data traffic must be seen by the Active FWSM module.
The switch forwards secured traffic to the Active FWSM by learning the Active's MAC address.
[Diagram: Virtual Switch Domain with Switch-1 (VSS Active: control plane Active, data plane Active, service module Active) and Switch-2 (VSS Standby: control plane Hot Standby, data plane Active, service module Standby) joined by the VSL, with a failover/state-sync VLAN between the two service modules]
VSS Service Module Integration: ACE/FWSM High Availability
Active-Active redundancy: both service modules are active and act as a backup for each other.
In an Active-Active configuration, certain firewall contexts will be Active on the FWSM placed in Switch-1 and those contexts will be Standby on the FWSM placed in Switch-2, and vice versa.
[Diagram: Virtual Switch Domain with Switch-1 (VSS Active: control plane Active, data plane Active) and Switch-2 (VSS Standby: control plane Hot Standby, data plane Active) joined by the VSL; Context A is active on Switch-1's service module and standby on Switch-2's, Context B the reverse, with a failover/state-sync VLAN between them]
VSS Service Module Integration: ACE/FWSM Integration: Packet Flow
Based upon the neighbor device's load-balancing configuration, it is expected that traffic is transmitted across all interfaces that are part of the MEC.
[Diagram: Virtual Switch Domain with Switch-1 (VSS Active: supervisor Active, data plane Active, service module Active) and Switch-2 (VSS Standby: supervisor Hot Standby, data plane Active, service module Standby) joined by the VSL; the neighbor's MEC spans both chassis]
VSS Service Module Integration: ACE/FWSM Packet Flow (cont.)
[Diagram: the same Virtual Switch Domain; traffic entering Switch-2 is redirected over the VSL to the Active service module in Switch-1]
Switch-2 ingress traffic will be redirected to the Active service module in Switch-1. Therefore it is expected that traffic destined to the Active service module traverses the VSL link.
Recommendation: size the VSL link based on the expected bandwidth requirement. Tune the load-sharing algorithm for the best traffic distribution.
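The VSL sizing guidance from the capacity-planning slide and this one (control-plane traffic only in normal operation, half of an access switch's downstream traffic over the VSL when that switch loses one uplink, service-module-bound traffic that enters the other chassis crossing the VSL, and the recommendation of 2 or more VSL members spread across modules), as an added Python calculator. It is not a Cisco tool; the function name, the constructed traffic figures and the switch/slot/port reading of interface names are assumptions.

```python
VSL_MEMBER_GBPS = 10.0   # VSL members are 10GE ports (slide: up to 8 x 10GE)


def vsl_plan(vsl_members, access_downstream_gbps, failed_uplinks=(),
             service_module_redirect_gbps=0.0, control_plane_gbps=0.1):
    """Estimate VSL load for a failure scenario and check the redundancy guidance.

    vsl_members: VSL member ports on one chassis, e.g. ["Te1/5/4", "Te1/4/4"]
    access_downstream_gbps: access switch name -> downstream traffic it receives
    failed_uplinks: access switches whose uplink to one VSS chassis is down
    service_module_redirect_gbps: traffic entering the chassis that does not hold
        the active service module (redirected over the VSL to the active module)
    control_plane_gbps: control-plane load, small and carried with strict priority
    """
    load = control_plane_gbps
    # Capacity-planning slide: when an access switch loses one uplink, half of its
    # downstream traffic (the half entering the other chassis) crosses the VSL
    for name in failed_uplinks:
        load += access_downstream_gbps[name] / 2
    load += service_module_redirect_gbps
    capacity = VSL_MEMBER_GBPS * len(vsl_members)
    # Interface names read switch/slot/port; the slot is the module the port sits in
    modules = {port.split("/")[1] for port in vsl_members}
    findings = []
    if len(vsl_members) < 2:
        findings.append("single VSL member: deploy 2 or more links")
    elif len(modules) < 2:
        findings.append("all VSL members on one module: spread them across modules")
    if load > capacity:
        findings.append("expected VSL load exceeds VSL capacity")
    return {
        "load_gbps": round(load, 3),
        "capacity_gbps": capacity,
        "utilization": round(load / capacity, 3),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed figures: two access switches, one of them with a failed uplink,
    # plus 3 Gbps of service-module-bound traffic entering the standby chassis
    access = {"acc-1": 4.0, "acc-2": 6.0}
    print(vsl_plan(["Te1/5/4", "Te1/4/4"], access, failed_uplinks=["acc-2"],
                   service_module_redirect_gbps=3.0))
    print(vsl_plan(["Te1/5/4"], access, failed_uplinks=["acc-1", "acc-2"],
                   service_module_redirect_gbps=8.0))
```

The redundancy findings are reported regardless of utilization, in keeping with the slide's point that VSL redundancy takes priority over capacity planning; a single 10GE member that is also over capacity gets both findings.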
VSS Service Module Integration: ACE/FWSM Packet Flow (cont.)
[Diagram: the same Virtual Switch Domain; the Active service module in Switch-1 forwards processed flows to the next-hop device]
Flows that arrive on Switch-1 and flows that are redirected from Switch-2 will be processed by the Active service module and forwarded to the next-hop device.
For egress traffic, locally connected interfaces are favored in MEC and L3 ECMP interfaces.
VSS Service Module Integration: ACE/FWSM Packet Flow Comparison
[Diagram, traffic flow in VSS: Switch-1 (supervisor Active, data plane Active, service module Active) and Switch-2 (supervisor Hot Standby, data plane Active, service module Standby). Traffic flow in standalone: Distribution-1 (supervisor Active, data plane Active, service module Active) and Distribution-2 (supervisor Active, data plane Active, service module Standby)]
Q & A
Recommended Reading
• VSS White paper: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/prod_white_paper0900aecd806ee2ed.html
• VSS Q&A: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/prod_qas0900aecd806ed74b.html
• VSS Independent Study Report: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_ciscos_virtual_switch_smashes_throughput_records.pdf