Sup720 Hardware Assisted Features

Transcription

1 Sup720 Hardware Assisted Features 1 IPV6 Switching on Supervisor 720 IPV6 IPV6 SOFTWARE SOFTWARE FEATURES FEATURES IPV6 IPV6 HARDWARE HARDWARE FEATURES FEATURES 128K 128K FIB FIB entries entries IPV6 IPV6 Load Load Sharing Sharing up up to to paths paths Etherchannel Etherchannel hash hash across across bits bits IPV6 IPV6 Policing/Netflow/Classification STD STD and and EXT EXT V6 V6 ACL s ACL s IPV6 IPV6 QoS QoS lookups lookups IPV6 IPV6 Multicast Multicast V6 V6 to to V4 V4 Tunneling Tunneling IPV6 IPV6 Edge Edge over over MPLS MPLS (6PE) (6PE) IPV6 IPV6 Addressing Addressing ICMP ICMP for for IPV6 IPV6 DNS DNS for for IPV6 IPV6 V6 V6 MTU MTU Path Path Discovery Discovery SSH SSH for for IPV6 IPV6 IPV6 IPV6 Telnet Telnet IPV6 IPV6 Traceroute Traceroute dcef dcef for for IPV6 IPV6 RIP RIP for for IPV6 IPV6 IS-IS IS-IS for for IPV6 IPV6 OSPF OSPF V3 V3 for for IPV6 IPV6 BGP BGP for for IPV6 IPV6 IPV6 function located on PFC3 2

2 IPv6 Hardware Forwarding Introduction in 12.2(17a)SX1 IPv6 hardware forwarding support: Central on the PFC3A on the Supervisor 720 for all modules supported with Supervisor 720 Distributedon the DFC3A on (d)cef256 and CEF720 modules with DFC3A present Hardware IPv6 support for: IPv6 unicastforwarding IPv6 Aggregatable Global Unicast (AGU) addresses, site local, v4 compatible IPv6 tunneling Configured, automatic, 6to4, and ISATAP tunnels IPv6 ACLs Extended and reflexive ACLs IPv6 NetFlow statistics IPv6 QoS and IPv6 multicast NOT supported in 12.2(17a)SX1 3 RP Rate Limiters While switching in hardware operates at millions of pps, the Route Processor supports processing rates in the 000 s packets per second,. RP Rate limiters have been introduced to limit the impact of traffic flooding to the RP and swamping the CPU. Rate Rate Limiters Limiters applied applied to to Input Input and and Output Output ACL ACL traffic traffic CEF CEF Receive Receive Traffic Traffic CEF CEF Glean Glean Traffic Traffic MTU MTU Failures Failures ICMP ICMP Redirect Redirect VACL VACL Logging Logging L3 L3 Security Security Feature Feature traffic traffic MSFC TTF TTF failures failures RPF RPF Failures Failures Supervisor 720 4

3 RP Rate Limiters Monitoring Router(config)# show mls rate-limit Rate Limiter Type Status Packets/s Burst MCAST_NON_RPF Off - - MCAST_DFLT_ADJ On MCAST_DIRECT_CON Off - - ACL BRIDGED IN Off - - ACL BRIDGED OUT Off - - L3_SEC_FEATURES Off - - VACL LOG On FIB RECEIVE Off - - FIB GLEAN Off - - MCAST_PARTIAL_SC On RPF FAILURE On/Sharing TTL FAILURE Off - - NO ROUTE On ICMP UNREACHABLE On ICMP REDIRECT Off - - MTU FAILURE Off GRE Tunnels GRE Tunnel GRE hardware Acceleration is enabled on the new PFC3 on the Supervisor 720 GRE Performance is up to 10Mpps centralized and up to 25Mpps de-centralized interface Tunnel2 ip address tunnel source tunnel destination tunnel mode greip interface Tunnel1 ip address tunnel source tunnel destination tunnel mode greip 6

4 Egress Policing on Supervisor 720 Egress Policing is now supported on egress. Application of egress policer can be performed on a routed (layer 3 port) or a VLAN switched Virtual interface (SVI) cannot be applied to a layer 2 port Egress Policer I N P U T Policing Engine O U T P U T 7 Network and Port Address Translation on Supervisor Sup720 Supports.. Software Translation setup, then Hardware-based IPV4 NAT & PAT Up to 20 Mppson the Sup720 NAT PAT L3 Addressing information changed L4 Addressing information changed

5 Multipath Unicast Reverse Path Forwarding (URPF) Source IP: Destination: Source IP: Destination: Routing Table Prefix Next Hop Interface / gig 3/ / gig 3/2 Unicast Reverse Path Forwarding (urpf) Check mitigates problems caused by spoofed or malformed IP source addresses. urpf will drop packets whose source address is not in the local forwarding tables. 9 Multipath Unicast Reverse Path Forwarding (URPF) f3/1 Catalyst 6500 with Supervisor Engine 720 f3/2 f3/ /16 f3/4 gig 6/ /16 f3/5 f3/ Routing Table Prefix Next Hop Interface / fas 3/ fas 3/ fas 3/ fas 3/ fas 3/ fas 3/ / gig 6/3 Up to six reverse-paths per prefix in hardware Two reverse-path interfaces for all prefixes Four user-configurable multipath interface groups to define additional interfaces to do urpf in hardware 10

6 User-Based Rate Limiting Traffic from Dorms Ingress Microflow policer Applied to user ports(s) Source-only Flow mask Use ACL to limit the scope of source IP addresses to intended users Traffic from Internet Ingress Microflow policer Applied to uplink ports Dest-only Flow mask Use ACL to limit the scope of destination IP addresses to intended users 11 User-Based Rate Limiting A new packet arrives DPrt SPrt DIP SIP Apply QoS ACL access-list 101 permit ip any Netflow Table SIP DIP QoS ACL Match Drives Flow Mask Result Apply Source-Only Mask Create new Netflow Entry Apply Rate Limit (Policer) to packets that hit this Netflow entry

7 ERSPAN ERSPAN d packets are encapsulated in GRE header directed to IP address of ERSPAN destination GRE Encapsulation PT47 Ses id PT47 Ses id ERSPAN RSPAN Header SPAN d data is directed to ERSPAN Destination Support up to 24 ERSPAN destinations per Sup follows shortest path 13 MPLS on PFC3 MPLS applies to any Ethernet port on the following linecards Classic Ethernet Line Cards MPLS MPLS HARDWARE HARDWARE FEATURES FEATURES Up Up to to MPLS MPLS VPN s VPN s MPLS MPLS VPN VPN (RFC2457) (RFC2457) on on ANY ANY Ethernet Ethernet port port MPLS MPLS Multicast Multicast VPN VPN MPLS MPLS Label Label Switch Switch Router Router (LSR) (LSR) MPLS MPLS Label Label Edge Edge Router Router (LER) (LER) MPLS MPLS Traffic Traffic Engineering Engineering (TE) (TE) MPLS MPLS Ethernet Ethernet over over MPLS MPLS (EoMPLS) (EoMPLS) on on PFC3b PFC3b DSCP DSCP to to EXP EXP Mapping Mapping CEF256 Ethernet Line Cards dcef256 Ethernet Line Cards CEF720 Ethernet Line Cards dcef720 Ethernet Line Cards MPLS function located on PFC3 14

8 QoS Features Actions at ingress Actions by Forwarding Engine Actions at egress Classification/ Scheduling Policing/ Classification Rewrite Queuing & Scheduling Scheduling Queue And threshold based on Incoming CoS Received CoS can be Overwritten if Port is untrusted Classification at Layer 2/3/4 via ACL Assign trust via ACL Police traffic based On byte or burst (token bucket) Exceed action on Policer is drop or Mark down priority Rewrite ToS header Scheduling queue and threshold based on CoS Map Each queue has configurable size and Threshold WRED and Tail Drop Congestion Mgmt Dequeue using WRR and Strict Priority 15 QoS Features - Policing Process of policing is to rate limit a flow down to a prescribedrate IN Can apply microflow and/or aggregate policing to PORT and/or VLAN 40Mb 30 Mb Aggregate (Limit total traffic count) 25Mb Total OUT 40 Mb Microflow 30 Mb (Limit flow traffic count) 30 Mb 8Mb 16

9 Catalyst 6500 Service Modules 17 Catalyst 6500 Service Modules Overview Firewall Services Module (FWSM) Intrusion Detection Module (IDSM2) Content Switching Module (CSM) VPN Services Module (VPNSM) Catalyst 6500 Service Module Family Network Analysis Module (NAM2) Communications Media Module (CMM)) Content Services Gateway (CSG) SSL Module (SSL) 18

10 Catalyst 6500 Service Modules Content Services Module The WS-X6066-SLB-APC supports the following GE IXP IXP IXP IXP IXP - Classic Linecard - URL and cookie-based SLB - Balancing up to 1,000 regular expressions can be defined - Establishes up to 200,000 L4 cps - Supports 1,000,000 concurrent connections while sustaining multi-gigabit throughput and simultaneously inspecting URLs and Cookies - User Session Stickiness brings users back to same server based on Secure Socket Layer (SSL) session ID, IP address, or HTTP redirection 19 Catalyst 6500 Service Modules Firewall Services Module The WS-SVC -FWM-1 supports the following GE NP2 NP1 NP3 CPU Supports connection to 32-Gbps Shared Bus Supports single 8-Gbps fabric connection Based on PIX Firewall code Supports 100 VLAN Interfaces Adds dynamic OSPF routing support Supports 128K Rule Set Up to 5-Gbps throughput Up to 1M concurrent connections Performance up to 3Mpps Up to 4 FWSM blades in a chassis Active/Standby Failover Supported in IOS and Hybrid 20

11 Catalyst 6500 Service Modules Intrusion Detection Services Module The WS-SVC -IDSM2 supports the following Supports connection to 32-Gbps Shared Bus Supports single 8-Gbps fabric connection Comprehensive attack recognition Same code base as IDS appliances Monitors up to 600Mbps of traffic Supports arrival rate of up to 100 flows/sec Passive Monitoring Extensive Signature base Built in Web based management (IDM) Support IDS Event Viewer Sensor Stateful Failover Supports Alarms, Shunning and TCP Resets 21 Catalyst 6500 Service Modules VPN Services Module The WS-SVC -IPSEC-1 supports the following GE Crypto TCAM IKE NP CPU Inbound Outbound Supports connection to 32-Gbps Shared Bus Supports single 8-Gbps fabric connection Cisco IOS support only Hybrid support (future) IPSec site to site VPN EZ-VPN Client Support 8000 tunnels (16,000 future) 1.9Gbps 3DES performance (500+ byte packets) 1.6Gbps 3DES performance (300+ byte packets) Tunnel setup rate 60/sec IKE, IKE-XAUTH, MD5, SHA-1, SSH Kerberos Telnet, X.509 Digital signatures Shared Secrets ESP DES and 3DES 22

12 Catalyst 6500 Service Modules Network Analysis Module The WS-SVC -NAM2 supports the following Supports connection to 32-Gbps Shared Bus Supports single 8-Gbps fabric connection Application Monitoring Performance management Fault Isolation Troubleshooting Trend Analysis Capacity Planning VOIP Monitoring MIB II RMON I and II, SMON, HCRMON, DSMON ART MIB 23 Catalyst 6500 Service Modules Secure Socket Layer Module The WS-SVC -SSL -1 supports the following GE Crypto FDU Crypto SSL TCP SSL 3.0, SSL3.1/TLS1.0 SSL2.0 (Client Hello Only) Session Reuse Session Re -Negotiate Symmetric Algorithms (RC4, DES/3DES) Mbps symmetric throughput Asymmetric Algorithms (RSA 1024-bit, 2048-bit) 3K-4K Sessions/Sec Hash Algorithms (MD5, SHA1) Key Generation Secure Key Storage Certificate Enrollment Key Import/Export (IOS) Key Storage 24