Sup720 Hardware Assisted Features

IPv6 Switching on Supervisor 720

IPv6 software features:
- IPv6 addressing
- ICMP for IPv6
- DNS for IPv6
- IPv6 path MTU discovery
- SSH for IPv6
- IPv6 Telnet
- IPv6 traceroute
- dCEF for IPv6
- RIP for IPv6
- IS-IS for IPv6
- OSPFv3 for IPv6
- BGP for IPv6

IPv6 hardware features (IPv6 function located on the PFC3):
- 128K FIB entries
- IPv6 load sharing across up to 16 paths
- EtherChannel hash across 48 bits
- IPv6 policing, NetFlow and classification
- Standard and extended IPv6 ACLs
- IPv6 QoS lookups
- IPv6 multicast
- IPv6-to-IPv4 tunneling
- IPv6 edge over MPLS (6PE)

IPv6 Hardware Forwarding, Introduced in 12.2(17a)SX1

IPv6 hardware forwarding support:
- Central: on the PFC3A of the Supervisor 720, for all modules supported with the Supervisor 720
- Distributed: on the DFC3A of (d)CEF256 and CEF720 modules that have a DFC3A installed

Hardware IPv6 support for:
- IPv6 unicast forwarding: aggregatable global unicast (AGU), site-local and IPv4-compatible addresses
- IPv6 tunneling: configured, automatic, 6to4 and ISATAP tunnels
- IPv6 ACLs: extended and reflexive ACLs
- IPv6 NetFlow statistics
- IPv6 QoS and IPv6 multicast: NOT supported in 12.2(17a)SX1

RP Rate Limiters

Hardware switching runs at millions of packets per second, while the route processor (MSFC) can only process thousands of packets per second. RP rate limiters were introduced to bound the traffic that is punted to the RP, so that a flood of exception traffic cannot swamp the CPU.

Rate limiters are applied to:
- Input and output ACL traffic (packets the ACL engine bridges to the RP)
- CEF receive traffic (packets addressed to the switch itself)
- CEF glean traffic (packets whose next hop still needs ARP resolution)
- MTU failures
- ICMP redirects
- VACL logging
- Layer 3 security feature traffic
- TTL failures
- RPF failures

RP Rate Limiters: Monitoring

Router# show mls rate-limit

  Rate Limiter Type   Status       Packets/s   Burst
  -----------------   ----------   ---------   -----
  MCAST_NON_RPF       Off          -           -
  MCAST_DFLT_ADJ      On           100000      100
  MCAST_DIRECT_CON    Off          -           -
  ACL BRIDGED IN      Off          -           -
  ACL BRIDGED OUT     Off          -           -
  L3_SEC_FEATURES     Off          -           -
  VACL LOG            On           2000        1
  FIB RECEIVE         Off          -           -
  FIB GLEAN           Off          -           -
  MCAST_PARTIAL_SC    On           100000      100
  RPF FAILURE         On/Sharing   500         10
  TTL FAILURE         Off          -           -
  NO ROUTE            On           500         10
  ICMP UNREACHABLE    On           500         10
  ICMP REDIRECT       Off          -           -
  MTU FAILURE         Off          -           -

In this output only the default limiters are on: FIB receive, FIB glean, TTL failure, MTU failure and ICMP redirect are all off, so those punt paths to the RP are still unbounded. "On/Sharing" means the limiter shares one of the PFC3's hardware rate-limiter registers with another limiter.

GRE Tunnels

GRE hardware acceleration is enabled on the new PFC3 on the Supervisor 720. GRE performance is up to 10 Mpps centralized and up to 25 Mpps distributed.

Router A:

interface Tunnel2
 ip address 10.60.1.1 255.255.255.0
 tunnel source 10.20.2.1
 ! the destination must be the peer's tunnel source (a physical or loopback
 ! address reachable without the tunnel), never the peer's tunnel interface
 ! address, or the route to the destination recurses through the tunnel itself
 tunnel destination 192.168.5.22
 tunnel mode gre ip

Router B:

interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 tunnel source 192.168.5.22
 tunnel destination 10.20.2.1
 tunnel mode gre ip
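The monitoring output above is only useful if someone reads it. The following is an added example (not code from the slides or from Cisco) that parses the show mls rate-limit table as transcribed on the slide, embedded here as a constructed sample, and reports which limiters are off. The EXPECTED_ON baseline is this example's own choice of punt paths worth bounding, not a Cisco-published recommendation.

```python
"""Audit a Catalyst 6500 'show mls rate-limit' listing for unbounded punt paths.

Added example, not from the original slides. Parses the table shown on the
slide and reports which rate limiters are off, so the exception paths that can
still flood the route processor are visible at a glance.
"""
import re

# Constructed sample: the 'show mls rate-limit' output from the slide above.
SHOW_MLS_RATE_LIMIT = """\
 Rate Limiter Type   Status     Packets/s   Burst
------------------- ---------- ----------- -------
     MCAST_NON_RPF   Off          -         -
    MCAST_DFLT_ADJ   On           100000    100
  MCAST_DIRECT_CON   Off          -         -
    ACL BRIDGED IN   Off          -         -
   ACL BRIDGED OUT   Off          -         -
   L3_SEC_FEATURES   Off          -         -
          VACL LOG   On           2000      1
       FIB RECEIVE   Off          -         -
         FIB GLEAN   Off          -         -
  MCAST_PARTIAL_SC   On           100000    100
       RPF FAILURE   On/Sharing   500       10
       TTL FAILURE   Off          -         -
          NO ROUTE   On           500       10
  ICMP UNREACHABLE   On           500       10
     ICMP REDIRECT   Off          -         -
       MTU FAILURE   Off          -         -
"""

# Limiters this example expects to be on (assumption: the list is this
# example's choice, not a Cisco-published baseline). Each is a path by which
# hardware-switched traffic gets punted to the RP CPU.
EXPECTED_ON = {
    "FIB RECEIVE", "FIB GLEAN", "TTL FAILURE", "MTU FAILURE",
    "ICMP REDIRECT", "RPF FAILURE", "NO ROUTE", "ICMP UNREACHABLE",
}

# name (may contain spaces), status On / On/Sharing / Off, pps, burst
ROW_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<status>On(?:/Sharing)?|Off)\s+(?P<pps>\S+)\s+(?P<burst>\S+)\s*$"
)


def parse_rate_limits(text):
    """Return {limiter_name: (status, pps_or_None, burst_or_None)}."""
    limits = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:            # header and separator lines do not match
            continue
        pps = None if m["pps"] == "-" else int(m["pps"])
        burst = None if m["burst"] == "-" else int(m["burst"])
        limits[m["name"]] = (m["status"], pps, burst)
    return limits


def audit(limits, expected_on=EXPECTED_ON):
    """Sorted names of expected limiters that are off (or missing entirely)."""
    return sorted(n for n in expected_on if limits.get(n, ("Off",))[0] == "Off")


def shared_limiters(limits):
    """Limiters that share a hardware rate-limiter register with another."""
    return sorted(n for n, (status, _, _) in limits.items() if status == "On/Sharing")


if __name__ == "__main__":
    limits = parse_rate_limits(SHOW_MLS_RATE_LIMIT)
    for name in audit(limits):
        print(f"WARNING: {name} rate limiter is off; this punt path to the RP is unbounded")
    print("sharing a register:", shared_limiters(limits))
```

Run it against a saved show mls rate-limit capture from each Sup720; a limiter that is off on one chassis and on on another is the kind of drift that only shows up when the comparison is automated.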

Egress Policing on Supervisor 720

Egress policing is now supported. An egress policer can be applied to a routed (Layer 3) port or to a VLAN switched virtual interface (SVI); it cannot be applied to a Layer 2 port.

(Diagram: input -> policing engine -> egress policer -> output.)

Network and Port Address Translation on Supervisor 720

The Sup720 supports IPv4 NAT and PAT at up to 20 Mpps: the translation for a flow is set up in software, after which packets of that flow are translated in hardware.

- NAT: Layer 3 addressing information is changed
- PAT: Layer 3 and Layer 4 addressing information is changed

NAT example (diagram):
  Inside:     10.1.1.1    -> 203.16.10.1
  Translated: 201.1.14.22 -> 203.16.10.1

PAT example (diagram):
  Inside:     10.1.1.1:3010   -> 203.16.10.1:80
  Translated: 194.1.20.3:2001 -> 203.16.10.1:80
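An added example (not from the slides) of the translation table behind the NAT and PAT diagrams. It uses the slide's addresses; the port allocator starting at 2001 and the one-inside-host-per-global-address simplification for NAT are assumptions made to reproduce the slide's figures. The point a practitioner should notice is in translate_in: a reply that matches no existing entry is dropped, which is why a PAT device also behaves as a crude stateful filter for unsolicited inbound traffic.

```python
"""NAT versus PAT translation table, as an added example (not from the slides).

Static NAT rewrites only the Layer 3 source address; PAT additionally rewrites
the Layer 4 source port so many inside hosts can share one global address.
The table is keyed on the inside flow; return traffic is only accepted if it
matches an existing entry. Addresses are the slide's; the sequential port
allocator starting at 2001 is an assumption chosen to match the slide.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    def __init__(self, global_ip, mode, first_port=2001):
        assert mode in ("nat", "pat")
        self.global_ip = global_ip
        self.mode = mode                     # "nat": L3 only; "pat": L3 + L4
        self._ports = count(first_port)      # assumption: sequential allocation
        self.outbound = {}   # (src, sport, dst, dport) -> (global_src, global_sport)
        self.inbound = {}    # (global_src, global_sport, dst, dport) -> (src, sport)

    def translate_out(self, pkt):
        """Inside -> outside. First packet of a flow creates the entry (the
        software step on the Sup720); later packets hit the existing entry."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            if self.mode == "nat":
                gsrc, gsport = self.global_ip, pkt.sport          # L3 changed only
            else:
                gsrc, gsport = self.global_ip, next(self._ports)  # L3 and L4 changed
            self.outbound[key] = (gsrc, gsport)
            self.inbound[(gsrc, gsport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        gsrc, gsport = self.outbound[key]
        return Packet(gsrc, gsport, pkt.dst, pkt.dport)

    def translate_in(self, pkt):
        """Outside -> inside. Returns None (drop) when no entry exists, so an
        unsolicited packet to the global address never reaches an inside host."""
        entry = self.inbound.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)


if __name__ == "__main__":
    pat = NatTable("194.1.20.3", "pat")
    out = pat.translate_out(Packet("10.1.1.1", 3010, "203.16.10.1", 80))
    print("outbound:", out)
    print("reply:   ", pat.translate_in(Packet("203.16.10.1", 80, "194.1.20.3", 2001)))
    print("unsolicited:", pat.translate_in(Packet("203.16.10.1", 80, "194.1.20.3", 9999)))
```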

Multipath Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) mitigates problems caused by spoofed or malformed IP source addresses. uRPF drops packets whose source address has no route in the local forwarding table; in strict mode a packet is also dropped when the route back to its source does not point out the interface the packet arrived on.

Example (diagram):

  6500 routing table
  Prefix         Next hop     Interface
  10.1.0.0/16    10.1.1.1     gig 3/1
  10.2.0.0/16    10.2.1.1     gig 3/2

- Source 10.1.10.5, destination 10.2.20.34: the source is covered by 10.1.0.0/16, so the check passes.
- Source 10.200.1.64, destination 10.2.20.34: no route covers the source, so the packet is dropped.

Multipath uRPF on a Catalyst 6500 with Supervisor Engine 720

(Diagram: 10.255.0.0/16 is reachable over six links, fas 3/1 to fas 3/6; 10.20.0.0/16 over gig 6/3.)

  6500 routing table
  Prefix           Next hop     Interface
  10.255.0.0/16    10.1.1.1     fas 3/1
                   10.1.2.1     fas 3/2
                   10.1.3.1     fas 3/3
                   10.1.4.1     fas 3/4
                   10.1.5.1     fas 3/5
                   10.1.6.1     fas 3/6
  10.20.0.0/16     10.20.1.1    gig 6/3

- Up to six reverse paths per prefix are checked in hardware
- Two reverse-path interfaces for all prefixes
- Four user-configurable multipath interface groups define additional interfaces on which uRPF is performed in hardware
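To make the strict-versus-loose distinction and the multipath case concrete, here is an added example (not code from the slides) that runs the uRPF decision over the two routing tables shown above. The six-reverse-path figure is the slide's; modeling the limit as a refusal to install a seventh path is this example's assumption, since the slide does not say what the hardware does beyond six. Interface names and the allow_default option are illustrative.

```python
"""Strict and loose uRPF over a multipath FIB, as an added example.

Not code from the slides. The routing tables are the slide's; the handling of
the six-reverse-path hardware limit (refusing to install more) and the
allow_default switch are assumptions made for this model.
"""
import ipaddress

HW_REVERSE_PATHS = 6   # reverse paths per prefix checked in hardware (from the slide)


class Fib:
    def __init__(self):
        self.routes = []   # [(network, [(next_hop, interface), ...]), ...]

    def add(self, prefix, paths):
        paths = list(paths)
        if len(paths) > HW_REVERSE_PATHS:
            # assumption: this model refuses what the hardware cannot fully check
            raise ValueError(f"{prefix}: {len(paths)} reverse paths exceeds hardware limit {HW_REVERSE_PATHS}")
        self.routes.append((ipaddress.ip_network(prefix), paths))

    def lookup(self, addr):
        """Longest-prefix match; returns (network, paths) or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, paths in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, paths)
        return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Return ('pass' | 'drop', reason) for a packet with source src arriving
    on in_iface. Loose mode only asks whether the source is routable; strict
    mode also requires in_iface to be one of the reverse paths. A default
    route is ignored unless allow_default is set, otherwise loose mode would
    pass every address on a router that has one."""
    hit = fib.lookup(src)
    if hit is None or (hit[0].prefixlen == 0 and not allow_default):
        return "drop", f"no (non-default) route back to source {src}"
    net, paths = hit
    if mode == "loose":
        return "pass", f"source is routable via {net}"
    reverse_ifaces = {iface for _, iface in paths}
    if in_iface in reverse_ifaces:
        return "pass", f"{in_iface} is a reverse path for {net}"
    return "drop", f"{src} arrived on {in_iface}, expected one of {sorted(reverse_ifaces)}"


if __name__ == "__main__":
    fib = Fib()
    fib.add("10.1.0.0/16", [("10.1.1.1", "gig 3/1")])
    fib.add("10.2.0.0/16", [("10.2.1.1", "gig 3/2")])
    for src, iface in [("10.1.10.5", "gig 3/1"), ("10.200.1.64", "gig 3/1"), ("10.1.10.5", "gig 3/2")]:
        print(src, iface, "->", urpf_check(fib, src, iface))
```

The third case in the demo (a 10.1.x source arriving from the 10.2 side) is the one strict mode catches and loose mode does not: the address is routable, just not from that interface.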

User-Based Rate Limiting

Traffic from dorms:
- Ingress microflow policer applied to the user port(s)
- Source-only flow mask
- Use an ACL to limit the scope to the source IP addresses of the intended users

Traffic from the Internet:
- Ingress microflow policer applied to the uplink ports
- Destination-only flow mask
- Use an ACL to limit the scope to the destination IP addresses of the intended users

User-Based Rate Limiting: Packet Walk

A new packet arrives:
  DPrt  SPrt  DIP          SIP
  23    1242  145.23.1.12  123.53.23.6

Apply the QoS ACL:
  access-list 101 permit ip any 145.0.0.0 0.255.255.255

The QoS ACL match drives the flow mask result: apply the source-only mask, create a new NetFlow entry for the source, and apply the rate limit (policer) to every packet that hits this NetFlow entry.

NetFlow table (source-only mask, so the DIP is not part of the key):
  SIP              DIP
  156.63.41.132    --
  67.33.1.54       --
  93.45.21.72      --
  34.5.34.32       --
  71.35.53.129     --
  122.24.57.2      --
  154.13.1.10      --
  123.53.23.6      --   (new entry)

ERSPAN

ERSPAN-mirrored packets are encapsulated in a GRE header and directed to the IP address of the ERSPAN destination.

(Diagram: the mirrored frames, 10.1.1.1 -> 110.1.43.4 and 10.1.1.2 -> 203.16.10.1, are wrapped in an outer IP header 200.10.10.1 -> 233.1.1.1 with IP protocol 47 (GRE), followed by an ERSPAN header carrying the session ID. The encapsulated copy follows the shortest path to the destination, where the original frames are recovered.)

- SPAN'd data is directed to the ERSPAN destination
- Supports up to 24 ERSPAN destinations per Sup720

MPLS on PFC3

MPLS applies to any Ethernet port on the following line cards:
- Classic Ethernet line cards
- CEF256 Ethernet line cards
- dCEF256 Ethernet line cards
- CEF720 Ethernet line cards
- dCEF720 Ethernet line cards

MPLS hardware features (MPLS function located on the PFC3):
- Up to 1000 MPLS VPNs
- MPLS VPN (RFC 2547) on any Ethernet port
- MPLS multicast VPN
- MPLS label switch router (LSR)
- MPLS label edge router (LER)
- MPLS traffic engineering (TE)
- Ethernet over MPLS (EoMPLS) on PFC3B
- DSCP-to-EXP mapping
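Both the GRE tunnel slide earlier and the ERSPAN slide above rely on GRE-in-IP encapsulation, so one added example (not code from the slides or from Cisco) serves both: it builds the outer IPv4 header with protocol 47, the GRE header and, for ERSPAN, the ERSPAN Type II header carrying the session ID, and a decoder walks the layers back. The header layouts follow RFC 2784/2890 (GRE) and the ERSPAN Type II draft format (GRE protocol type 0x88BE with the sequence-number flag set). All addresses, the session ID and the sample frame are constructed for the example.

```python
"""GRE-in-IP and ERSPAN Type II encapsulation, as an added example.

Not code from the slides. The GRE tunnel on the earlier slide carries IP
(GRE protocol type 0x0800, no sequence numbers); ERSPAN carries whole
Ethernet frames under protocol type 0x88BE with the GRE sequence flag set and
an 8-byte ERSPAN header in front of the frame. Addresses and the sample frame
in the demo are constructed.
"""
import struct

IPPROTO_GRE = 47           # the "PT 47" on the slide
GRE_PROTO_IP = 0x0800
GRE_PROTO_ERSPAN = 0x88BE  # ERSPAN Type II
GRE_FLAG_CSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def ipv4_checksum(hdr):
    """Standard one's-complement checksum; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(proto, seq=None):
    if seq is None:
        return struct.pack("!HH", 0, proto)                 # plain GRE, 4 bytes
    return struct.pack("!HHI", GRE_FLAG_SEQ, proto, seq)   # with sequence number


def erspan_header(session_id, vlan=0, cos=0):
    # ERSPAN Type II: ver(4)=1 | vlan(12) | cos(3) | en(2) | t(1) | session(10), then reserved(12) | index(20)
    assert 0 <= session_id < 1024
    word1 = (1 << 28) | (vlan << 16) | (cos << 13) | session_id
    return struct.pack("!II", word1, 0)


def encap_gre_ip(outer_src, outer_dst, inner_ip_packet):
    payload = gre_header(GRE_PROTO_IP) + inner_ip_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def encap_erspan(outer_src, outer_dst, session_id, seq, frame):
    payload = gre_header(GRE_PROTO_ERSPAN, seq) + erspan_header(session_id) + frame
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def decap(packet):
    """Parse outer IP + GRE (+ ERSPAN); return the fields and the inner bytes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError(f"not GRE: IP protocol {packet[9]}")
    flags, gproto = struct.unpack("!HH", packet[ihl:ihl + 4])
    off = ihl + 4
    if flags & GRE_FLAG_CSUM:
        off += 4          # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    info = {"outer_src": ".".join(map(str, packet[12:16])),
            "outer_dst": ".".join(map(str, packet[16:20])),
            "gre_proto": gproto, "seq": seq, "session_id": None, "erspan_version": None}
    if gproto == GRE_PROTO_ERSPAN:
        word1, _ = struct.unpack("!II", packet[off:off + 8])
        info["session_id"] = word1 & 0x3FF
        info["erspan_version"] = word1 >> 28
        off += 8
    info["inner"] = packet[off:]
    return info


if __name__ == "__main__":
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + b"\x00" * 19  # constructed
    pkt = encap_erspan("200.10.10.1", "233.1.1.1", session_id=5, seq=1, frame=frame)
    print({k: v for k, v in decap(pkt).items() if k != "inner"})
```

Because the mirrored frame travels in clear text inside GRE, an ERSPAN destination address should be one you control and the path to it should be trusted; anything that can sniff or spoof that path sees or injects the monitored traffic.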

QoS Features

Actions at ingress (classification and scheduling):
- Queue and threshold selected by incoming CoS
- Received CoS can be overwritten if the port is untrusted

Actions by the forwarding engine (policing, classification, rewrite):
- Classification at Layer 2/3/4 via ACL
- Assign trust via ACL
- Police traffic based on bytes or burst (token bucket)
- Exceed action on the policer is drop or mark down priority
- Rewrite the ToS header

Actions at egress (queuing and scheduling):
- Scheduling queue and threshold selected by the CoS map
- Each queue has a configurable size and threshold
- WRED and tail drop congestion management
- Dequeue using WRR and strict priority

QoS Features: Policing

Policing rate-limits a flow down to a prescribed rate. Microflow and/or aggregate policing can be applied to a port and/or a VLAN.

(Diagram: two input flows of 40 Mb and 30 Mb. The aggregate policer limits the total traffic count, shown as 25 Mb total out. The microflow policer limits each flow's traffic count individually, shown as 30 Mb and 8 Mb out.)
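The user-based rate-limiting packet walk (QoS ACL match, flow mask, NetFlow entry, policer) and the aggregate-versus-microflow diagram above describe one mechanism, so here is a single added example (not code from the slides or from Cisco) that models it end to end: a wildcard ACL decides whether a packet is policed, the flow mask decides which NetFlow entry it shares, a per-entry token bucket enforces the microflow rate, and an optional aggregate bucket caps everything the ACL matches. The ACL and addresses are the slide's; the rates, bursts, packet sizes and timestamps are constructed.

```python
"""Microflow and aggregate policing driven by an ACL and a flow mask.

Added example, not from the slides. Models the packet walk on the user-based
rate-limiting slides and the aggregate/microflow distinction on the policing
slide. Token-bucket parameters, packet sizes and timing are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    sport: int
    dport: int
    length: int      # bytes


class WildcardAcl:
    """IOS-style entries (action, src, src_wildcard, dst, dst_wildcard); first match wins.
    'any' is written as ('0.0.0.0', '255.255.255.255')."""
    def __init__(self, entries):
        self.entries = entries

    @staticmethod
    def _match(addr, base, wild):
        a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wild))
        care = ~w & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
        return (a & care) == (b & care)

    def permits(self, pkt):
        for action, src, sw, dst, dw in self.entries:
            if self._match(pkt.sip, src, sw) and self._match(pkt.dip, dst, dw):
                return action == "permit"
        return False                    # implicit deny


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes, now=0.0):
        self.rate = rate_bps / 8.0      # bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = now

    def conform(self, length, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def flow_key(pkt, mask):
    """The flow mask decides which packets share one NetFlow entry."""
    if mask == "src-only":
        return ("src", pkt.sip)
    if mask == "dest-only":
        return ("dst", pkt.dip)
    if mask == "full-flow":
        return (pkt.sip, pkt.dip, pkt.sport, pkt.dport)
    raise ValueError(mask)


class Policer:
    """One microflow bucket per NetFlow entry, plus an optional aggregate
    bucket shared by everything the ACL matches."""
    def __init__(self, acl, mask, micro_bps, micro_burst, agg_bps=None, agg_burst=None):
        self.acl, self.mask = acl, mask
        self.micro_bps, self.micro_burst = micro_bps, micro_burst
        self.aggregate = TokenBucket(agg_bps, agg_burst) if agg_bps else None
        self.netflow = {}               # flow key -> TokenBucket

    def process(self, pkt, now):
        """Return 'bypass' (ACL did not match), 'transmit' or 'drop'."""
        if not self.acl.permits(pkt):
            return "bypass"
        key = flow_key(pkt, self.mask)
        bucket = self.netflow.get(key)
        if bucket is None:              # first packet creates the NetFlow entry
            bucket = self.netflow[key] = TokenBucket(self.micro_bps, self.micro_burst, now)
        if not bucket.conform(pkt.length, now):
            return "drop"               # this entry exceeded its own rate
        # note: a packet the aggregate drops has already consumed microflow tokens
        if self.aggregate and not self.aggregate.conform(pkt.length, now):
            return "drop"               # all matched entries together exceeded the total
        return "transmit"


if __name__ == "__main__":
    acl = WildcardAcl([("permit", "0.0.0.0", "255.255.255.255", "145.0.0.0", "0.255.255.255")])
    dorm = Policer(acl, "src-only", micro_bps=8_000_000, micro_burst=3000)
    pkt = Packet("123.53.23.6", "145.23.1.12", 1242, 23, 1500)
    print([dorm.process(pkt, 0.0) for _ in range(3)], sorted(dorm.netflow))
```

With the source-only mask every destination a dorm host talks to shares one entry, which is exactly what the dorm use case wants; the dest-only mask on the uplink does the mirror image for traffic arriving from the Internet.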

Catalyst 6500 Service Modules

Catalyst 6500 Service Module Family Overview:
- Firewall Services Module (FWSM)
- Intrusion Detection Services Module (IDSM-2)
- Content Switching Module (CSM)
- VPN Services Module (VPNSM)
- Network Analysis Module (NAM-2)
- Communications Media Module (CMM)
- Content Services Gateway (CSG)
- SSL Services Module (SSL)

Catalyst 6500 Service Modules: Content Switching Module

The WS-X6066-SLB-APC supports the following (block diagram: GE interface feeding five IXP network processors):
- Classic line card
- URL- and cookie-based SLB
- Up to 1,000 regular expressions can be defined for balancing
- Establishes up to 200,000 Layer 4 connections per second
- Supports 1,000,000 concurrent connections while sustaining multi-gigabit throughput and simultaneously inspecting URLs and cookies
- User session stickiness brings users back to the same server based on Secure Sockets Layer (SSL) session ID, IP address or HTTP redirection

Catalyst 6500 Service Modules: Firewall Services Module

The WS-SVC-FWM-1 supports the following (block diagram: GE interface, network processors NP1, NP2 and NP3, and a control CPU):
- Connection to the 32-Gbps shared bus
- Single 8-Gbps fabric connection
- Based on PIX Firewall code
- 100 VLAN interfaces
- Adds dynamic OSPF routing support
- 128K rule set
- Up to 5-Gbps throughput
- Up to 1M concurrent connections
- Performance up to 3 Mpps
- Up to 4 FWSM blades in a chassis
- Active/standby failover
- Supported in native IOS and hybrid (CatOS) modes

Catalyst 6500 Service Modules: Intrusion Detection Services Module

The WS-SVC-IDSM2 supports the following:
- Connection to the 32-Gbps shared bus
- Single 8-Gbps fabric connection
- Comprehensive attack recognition
- Same code base as the IDS appliances
- Monitors up to 600 Mbps of traffic
- Supports an arrival rate of up to 100 flows/sec
- Passive monitoring
- Extensive signature base
- Built-in web-based management (IDM)
- Supports the IDS Event Viewer
- Sensor stateful failover
- Supports alarms, shunning and TCP resets

Catalyst 6500 Service Modules: VPN Services Module

The WS-SVC-IPSEC-1 supports the following (block diagram: GE interface, crypto engine, TCAM, IKE, network processor and CPU on the inbound and outbound paths):
- Connection to the 32-Gbps shared bus
- Single 8-Gbps fabric connection
- Cisco IOS support only; hybrid support (future)
- IPsec site-to-site VPN
- EZ-VPN client support
- 8,000 tunnels (16,000 future)
- 1.9-Gbps 3DES performance (500+ byte packets)
- 1.6-Gbps 3DES performance (300+ byte packets)
- Tunnel setup rate of 60/sec
- IKE, IKE-XAUTH, MD5, SHA-1, SSH, Kerberos, Telnet
- X.509 digital signatures and shared secrets
- ESP with DES and 3DES

(DES, 3DES and MD5 have since been deprecated; the figures above describe the module as it shipped.)

Catalyst 6500 Service Modules: Network Analysis Module

The WS-SVC-NAM2 supports the following:
- Connection to the 32-Gbps shared bus
- Single 8-Gbps fabric connection
- Application monitoring
- Performance management
- Fault isolation
- Troubleshooting
- Trend analysis
- Capacity planning
- VoIP monitoring
- MIB-II, RMON I and II, SMON, HCRMON, DSMON, ART MIB

Catalyst 6500 Service Modules: Secure Sockets Layer Module

The WS-SVC-SSL-1 supports the following (block diagram: GE interface, crypto FDU, crypto SSL engine, TCP engine):
- SSL 3.0, SSL 3.1/TLS 1.0; SSL 2.0 (ClientHello only)
- Session reuse and session renegotiation
- Symmetric algorithms: RC4, DES/3DES
- 300-400 Mbps symmetric throughput
- Asymmetric algorithms: RSA 1024-bit and 2048-bit
- 3K-4K sessions/sec
- Hash algorithms: MD5, SHA-1
- Key generation, secure key storage, certificate enrollment, key import/export (IOS), key storage

(SSL 2.0, SSL 3.0, TLS 1.0, RC4, DES/3DES and MD5 have all since been deprecated; this is the module's feature set as it shipped.)