Advanced Enterprise Campus Design Instant Access

Transcription

1

2 Advanced Enterprise Campus Design Instant Access Divya Rao Technical Marketing Engineer CCIE #25083 BRKCRS-3502

3 Advanced Enterprise Campus Design Instant Access Abstract Advanced Enterprise Campus Design session is focused on Catalyst Instant Access (IA) technology. The session provides in-depth understanding of 1. The solution overview of how it simplifies the design and deployment of a 3 tier enterprise network architecture and achieving simplified operations, Catalyst 6500 / 6800 features at the access layer and consistent CLI, which in turn drive down total cost of ownership (TCO). 2. Deep dive into rich Enterprise Network use cases such as TrustSec x, Security Group Tagging (SGT), SGACL, Flexible NetFlow (FnF), Network Resiliency/High Availability, Network Virtualization- Easy Virtual Network (EVN), MPLS 3. Design and deployment best practices for Instant Access solution Attendees can expect to learn about the specific requirements for deploying an Instant Access topology as well as the expected behaviors related convergence and scalability.

4 Presentation Legend Standalone Multilayer Switch Virtual Switching System Layer 2 Link Layer 3 Link Fabric Link Catalyst Instant Access Catalyst 6800IA Client All the Content applicable to IPv4 & IPv6

5 Catalyst Instant Access Key Benefits ISE Cisco Prime Managed Devices = 120+ Benefits Single Point of Management, Configuration and Troubleshooting A Single Image to deploy and manage across Distribution Block Simplified Network design for VLANs and port channels Agile Infrastructure to add new features uniformly across Access Layer Client capable of Stacking, PoE Port Campus Distribution Block REDUCED TCO

6 Agenda What is Instant Access? Recommended Topologies Deployment Scenarios High Availability Performance

7 Agenda What is Instant Access? Components Control Plane Data Plane Recommended Topologies Deployment Scenarios High Availability Performance

8 What is Instant Access?

9 Catalyst Instant Access Evolution of the Campus STANDALONE VSS INSTANT ACCESS LACP or PAGP LACP or PAGP VSL LACP or PAGP VSL SDP SRP SCP Access Switch Access Switch Access Switch Access Switch Instant Access Client Instant Access Client

10 Deployment Models 6500/6800 ISE PRIME 6500/6800 WiSM2/ L2/L3 Links L2/L3 Links Fabric Links MA MA CAPWAP Tunnel Sup7E/3750-X Sup8E/3850-X 6800IA TRADITIONAL ACCESS CONVERGED ACCESS INSTANT ACCESS Wireless Wired Centralized Distributed Distributed Distributed Centralized Centralized

11 Instant Access Parent Switch and Client Switch Parent Switch in VSS Mode IEEE 802.3ae 10 Gbps Interfaces or IEEE 802.3z 1 Gbps Interfaces C6500-E or C6807-XL or C6880-X or C6840-X Series Client Switch C6800IA Data Only or C6800IA PoE+ or C6800IA or 3560CX Dual PS Compact

12 Instant Access Key Components WS-X G + CVR-4SFP * IA Parent Virtual Switching System (VSS) WS-X G + CVR-4SFP * Supervisor 2T * Additional modules are C P10G, C P10G, and C6800-8P10G IA Client Supervisor 2T Port-Channel FEX-Fabric

13 Instant Access Key Components Catalyst 6500-E IA Parent Catalyst 6807-XL WS-X G * + CVR-4SFP Virtual Switching System (VSS) Catalyst 6880-X/6840-X WS-X G * + CVR-4SFP Supervisor 2T * Additional modules are C P10G, C P10G, and C6800-8P10G IA Client Supervisor 2T Port-Channel FEX-Fabric

14 Instant Access Parent: Catalyst 6500E and 6807-XL WS-X G with Flexible 40GE and 1/10GE Supports integrated DFC4/DFC4XL 4 ports CFP 40GE (SR4 and LR4) 16 ports SFP+ 10GE (with FourX) Supports VSL on all ports Port 5,6,7,8 Port 13,14,15,16 80G per slot Supports VNTAG on all ports 16 x 10G SFP+ Adapter Port 9,10,11,12 Port 17,18,19,20 CVR-4SFP10G (FourX) 10G SFP+ SR, LRM, LR, and ER fiber Twinax copper

15 Catalyst G Portfolio Instant Access Parent Switch - Linecards 32x10G SFP+ 16x10G SFP+ 8x10G SFP+ Bandwidth 160G 80G 80G Optics: SFP/SFP+ SFP/SFP+ SFP/SFP+ Egress Buffer: 250 MB 250 MB 500 MB Features: Full-feature L2/L3 module with MPLS, VPLS. IPv4/IPv6 capabilities, 1M IPv4 Routes, 2M NetFlow Full-feature L2/L3 module with MPLS, VPLS. IPv4/IPv6 capabilities, 1M IPv4 Routes, 1M NetFlow Full-feature L2/L3 module with MPLS, VPLS. IPv4/IPv6 capabilities, 1M+ IPv4 Routes, 1M NetFlow Additional Features: Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access VNTAG on all ports Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access VNTAG on all ports Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access VNTAG on all ports

16 Instant Access Parent: Catalyst 6880-X Up to eighty 1G/10G ports Low power Low noise fans Platinum efficiency Redundant AC and DC PS MACsec, VSS, Instant Access, MPLS, VPLS, LISP, SGT on every port Sixteen 10/100/1000/10G Fixed module sixteen 10/100/1000/10G or up to four 40G X86 2 GHz CPU 4 GB DRAM

17 New Parent Switch: Catalyst 6840-X Target FCS Q3CY15 40 ports of SFP/SFP+ Up to 12 ports of QSFP 10/100/1000M GLC-T 100M FX 256K IPv4 Routes 1.5M NetFlow 64K QoS / ACL 2 x 40G QSFP Uplinks Breakout to 4 x SFP+ Height: 2RU Depth: 21.8 High-Scale Control Plane with X86 CPU Higher Scale for IA VSS, Instant Access, LISP, SGT, MACSec, HQoS, etc 750W / 1100W Redundant AC/DC Front-to-Back Airflow All Catalyst 6800 Features in a Smaller Fixed Form Factor

18 Catalyst 6840-X Portfolio The four models of switches Target Q3CY15 C6816-X-LE 15.2(1)SY Q4CY (1)SY Q4CY2014 C6832-X-LE C6824-X-LE-40G C6840-X-LE-40G Ports 16x10G 32x10G 24x10G + 2x40G 40x10G + 2x40G Native Optics: SFP/SFP+ SFP/SFP+ SFP/SFP+ and QSFP SFP/SFP+ and QSFP # of 10G Ports: using breakout using breakout # of 40G Ports: 4 using reverse adapter 8 using reverse adapter using reverse adapter using reverse adapter Features: Full-feature L2/L3 with MPLS, VPLS. IPv4/IPv6 capabilities, 512K Netflow Full-feature L2/L3 with MPLS, VPLS. IPv4/IPv6 capabilities, 1M Netflow Full-feature L2/L3 with MPLS, VPLS. IPv4/IPv6 capabilities, 1M Netflow Full-feature L2/L3 with MPLS, VPLS. IPv4/IPv6 capabilities, 1.5M Netflow Additional Hardware Features: Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access Large Buffers, SGT, MACSec, LISP, Dual Priority Queues, Two Level Shaping, Instant Access

19 Catalyst Instant Access Client Portfolio C6800IA-48TD C6800IA-48FPD C6800IA-48FPDR C3560-CX PoE/PoE+ No Yes 48 ports, 740W Yes 48 ports, 740W Yes 12 ports or 8 ports, 240W Down Link Ports 48x1G Cu 48x1G Cu 48x1G Cu [12x1G] or [6x1G+ 2 x mgig] Uplink Ports 2x10G SFP+ 2x10G SFP+ 2x10G SFP+ 2x10G SFP+ (for IA mode), 2x1G Cu FEX ID Access Ports Scalability /1500* /1500* /1500* 500/300* Stack Dual Power Supply No No Yes No Standalone Mode No No No Yes * Sup2T scalability

20 Catalyst Instant Access Client Catalyst 6800IA Family Stackable up to 5 member switches System and Status LEDs 48 x 1G RJ45 Ports Data and PoE/PoE+ Options 740W POE Budget 15W on 48 ports or 30W on 24 ports Catalyst 6500 features at the Access layer 2 x 10G SFP+ Uplink Ports

21 Catalyst Instant Access Client Catalyst 3560-CX (8-port switch and 12-port switch) WS-C3560CX-12PD-S 15.2(1)SY (Shipping) WS-C3560CX-8XPD-S 15.2(1)SY1 Power Saving Hibernate Mode NetFlow Lite L2/L3 SW TrustSec- Ready DC-Powered Option Silent/Fanless Operation 12x1G and 8x1G Options Instant Access Option (with 10G) 1G SFP/Copper Uplinks mgig 10G SFP+ Uplinks Option* * Available with 8-port version

22 The New Compact MultiGigabit Switch WS-C3560CX-8XPD-S Target FCS Q3CY x 1G/PoE+ 2 x mgig PoE+ 2 x 10G SFP+ Multiple Use Cases 1 2 MultiGigabit for ac AP Deployments MultiGigabit as Uplinks Connected to Access Switches (Cat 3K/4K)

23 Instant Access Platform Support Summary Instant Access Parent Instant Access Client Catalyst 6500-E Sup2T WS-X G/XL C P10G/XL FourX Adapter C P10G/XL C6800-8P10G/XL Catalyst 6800IA/3560CX Catalyst 6807-XL Sup2T WS-X G/XL C P10G/XL C P10G/XL C6800-8P10G/XL FourX Adapter 6800IA-48TD 6800IA-48FPD 6800IA-48FPDR Catalyst 6880-X OR Catalyst 6840-X Series WS-C3560CX-12PD-S WS-C3560CX-8XPD-S

24 Parent to Client Span Distances Diagram Not to Scale Copper Twin-Ax for internal rack connectivity 1m, 3m, 5m, 7m 220m 300m 10GBASE-LRM MMF & SMF for intra building connectivity using legacy fiber 26m 400m 10GBASE-SR MMF for rack to rack and intra-building connectivity Up to 10Km 10GBASE-LR SMF, for inter-building, campus and metro connectivity Up to 30Km 40Km 10GBASE-ER SMF, for inter-site connectivity DWDM transport network 80Km and greater DWDM, for inter-site and long-haul connectivity

25 SFP+ Transceiver Types Supported on C6800-Series Cisco SFP+ Wavelength Cable Type Cisco SFP-10G-SR 850 MMF Core Size (microns) Modal Bandwidth 160 (FDDI) 200 (OM1) (OM2) 2000 (OM3) 4700 (OM4) Cable Distance 26m 33m 66m 82m 300m 400m SFP-10G-LR 1310 SMF G km SFP-10G-LRM 1310 MMF SMF G.652 SFP-10G-ER 1550 SMF G Km, 40Km ** SFP-H10GB-CU1M SFP-H10GB-CU3M SFP-H10GB-CU5M DWDM-SFP10G-xx.xx - Twinax cable, passive, 30AWG cable assembly 40 non-tunable ITU 100-GHz wavelengths. SMF m 100m 220m 300m - - 1, 3m, 5M respectively 80Km+, DWDM transport network dependent Always Check the The Release Notes for the Latest Hardware and Software Compatibility

26 Release 15.1(2)SY2 SFP Transceiver Types Supported on C6800-Series Cisco SFP+ Wavelength Cable Type Core Size (microns) Modal Bandwidth 1000BASE-SX 850 MMF (FDDI-grade) 220m (OM1) 275m (400/400) 500m (OM2) 550m (OM3) 1Km 1000BASE-LX/LH 1310 MMF * m m m SMF Km Cable Distance Always Check the The Release Notes for the Latest Hardware and Software Compatibility

27 SFP Transceiver Types Supported on C6800-Series Cisco SFP Wavelength Cable Type Core Size (microns) Modal Bandwidth Cable Distance 1000BASE-ZX 1550 SMF - - Approximately 70 km depending on link loss 1000BASE-EX 1310 SMF - ** - 40Km 1000BASE-BX-U 1310 SMF - ** - 10Km 1000BASE-BX-D 1490 SMF - ** - 10Km GLC-T= Cat5 copper 100m Using 10GbE interfaces between IA Parent and Client switch is the recommended design. However 1Gbe interfaces are supported and provide an option for specific use cases where anticipated traffic bandwidth will not exceed the 1Gbs uplinks. Always Check the The Release Notes for the Latest Hardware and Software Compatibility

28 Instant Access Control Plane and Data Plane

29 Catalyst Instant Access: Control Plane Switch Discovery Protocol (SDP) Fabric link discovery switchport mode fex-fabric IA Client Discovery fex associate <fex ID> Switch Registration Protocol (SRP) Compatibility info Client registration Image management Client OIR Switch Configuration Protocol (SCP) Configuration, status, statistics Inter Card Communication (ICC) Syslog, QoS, remote login, etc Configuration Interface Stats 4 Remote Login Syslog, QoS Instant Access Parent 1 2 Client ID Image Check VIF ID

30 Catalyst Instant Access Control Protocols SDP: Switch Discovery Protocol The first protocol to send Hello s (keep-alive) Establishes communication between IA Parent and Client Switch Link-based protocol, runs on every link between IA Parent and Client Communicates all attributes to/from each IA Client (Client ID, VIFs, SKU ) SRP: Switch Registration Protocol Completes the OIR and registration of IA Client on the IA Parent Switch SCP: Switch Configuration Protocol Configuration and management protocol established between Parent and Client Lightweight Layer 2-based protocol ICC: Inter Card Communication Protocol for heavyweight features running over Cisco IPC

31 Catalyst Instant Access: Data Plane Components IA Parent IA Control Plane VIF Association VNTAG Assignment IA Data Plane MAC Learning L2 and L3 Features IA Client VNTAG Encapsulation Local Multicast Replication Quality of Service (QoS) Instant Access Parent

32 VNTAG Frame Format (802.1Qbh) Unicast D=1 Unicast to FEX Host Port Multicast P=1 Pointer to Multicast Table on FEX Client DA[6] SA[6] VNTAG[6] 802.1Q[4] Frame Payload. CRC[4] VNTAG ETHERTYPE (0X8926) D[1] P[1] DVIF [14] L[1] R[1] R[1 ] R[1 ] SVIF[12] Destination VIF Source VIF Destination Bit (Unicast) Pointer bit (multicast) Loopback bit Reserved

33 Virtual Interfaces (VIFs) Ingress Mapping VIF 1 IF 1 VIF 2 IF 2 (VIF 1 ) (VIF 2 ) IA Parent Automatically Assigns VIF IA Parent VIF = 0 One VIF to each Host Port One VIF to each Ether Channel One VIF to FEX CPU for Control Channel Multicast/Broadcast: Pointer to Replication Table in IA Client F101 IF 1 IF 2 Host 1 Host 2 VNTAG: Virtual NIC Tag VIF Virtual Interface IA Client Hosts

34 Packet Flow Unicast Forwarding SA=MAC1, DA=MAC2+ Payload SA=MAC1, DA=MAC2+ Payload VNTAG SVIF = VIF 1 DVIF = 0 SA=MAC1, DA=MAC2+ Payload VNTAG SVIF = VIF 1 DVIF = 0 SA=MAC1, DA=MAC2+ Payload F101 IF 1 IF 2 (VIF 1 )(VIF 2 ) VNTAG SVIF = 0 DVIF = VIF 2 SA=MAC1, DA=MAC2+ Payload VNTAG SVIF = 0 DVIF = VIF 2 SA=MAC1, DA=MAC2+ Payload SA=MAC1, DA=MAC2+ Payload Host 1 MAC 1 Host 2 MAC 2 SA=MAC1, DA=MAC2+ Payload VNTAG: Virtual NIC Tag

35 Packet Flow Multicast & Broadcast , Incoming Interface: FortyGig 5/1 RPF Neighbor Outgoing interface list: Gigabitethernet 101/1/0/1, Forward/Dense, 0:57:31/0:02:52 Gigabitethernet 101/1/0/2, Forward/Dense, 0:56:55/0:01:28 IA Parent MAC + Payload VNTAG SVIF = 0 1 DVIF = G VIF MAC + Payload MAC + Payload Host 1 F101 IF 1 IF 2 (VIF 1 ) (VIF 2 ) Host 2 IF 1 IA Client IF 2 Hosts MAC + Payload VNTAG: Virtual NIC Tag VIF Virtual Interface

36 Agenda What is Instant Access? Recommended Topologies Distribution Switches Stacking Access Clients Fabric Link Connectivity Host Port-Channels Quality of Service (QoS) Deployment Scenarios High Availability Performance

37 Catalyst Instant Access: Parent Switch Single Switch VSS Mode Recommended VSS Pair Recommended VSS Quad-Sup SSO Single Cat6500/6800 Switch in VSS Mode w/ Active & Standby Sup (RPR+) FEX ID is mapped to a Virtual Slot High Availability with a Supervisor in each Chassis. MEC across VSS Pair HA with 2 Supervisors in each chassis in SSO Mode Hyper High Availability

38 Stacking Access Clients (C6800IA)

39 Catalyst Instant Access Phase 1 Scalability SY Software Release Train Maximum Client Node User Ports 1008 Maximum FEX IDs 12 Client Node ID is a single client or a stack. If using individual clients max of 12 switches supported. Maximum Client Switches 21 Maximum Clients in Stack 3 Maximum User Ports in Stack 144 Most optimum where IDF has 96 or greater Single Client IDF s support fewer overall ports # of IDFs # of Ports/IDF # of Clients in a Stack # of Access Ports

40 Catalyst Instant Access (Phase 1) Stacking Scenarios Stack of 3 (Phase 1) Max FEX-ID 12 7 Nodes of 144 ports each = 1008 FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX Nodes of 96 ports each + 1 Node of 48 port = 1008 FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 107 FEX 108 FEX 109 FEX 110 FEX 111

41 Catalyst Instant Access (Phase 1) Stacking Scenarios Stack of 3 (Phase 1) Max FEX-ID Nodes of 48 ports each = 576 ports FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 107 FEX 108 FEX 109 FEX 110 FEX 111 FEX 112 Max 21 Stacks Switches = 1008 ports. FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 107 FEX 108 FEX 109

42 Catalyst Instant Access Phase 2 Scalability 15.2(1)SY1 Software Release Train 6880-X Feature Port Scale Fabric Link Stacking Supervisor 2T Feature Port Scale Fabric Link Stacking Phase 1 Phase (2)SY 15.2(1)SY and 15.2(1)SY (2)SY 15.2(1)SY -> 15.2(1)SY > > * Note: Scale with Compact client 3560CX is 504 or 336 ports / 42 switches

43 Boosting Instant Access Scale 15.1(2)SY Release Train 15.2(1)SY Release Train 3 STACKING 5 FABRIC LINK FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 107 FEX 108 FEX 109 FEX 110 FEX 111 FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 139 FEX 140 FEX 141 FEX

44 Boosting Instant Access Scale Switch#show module fex 101 Switch Number: 101 Role: FEX Mod Ports Card Type Model Serial No C6800IA 48GE C6800IA-48TD FOC1737W0PF 2 48 C6800IA 48GE POE C6800IA-48FPD FOC1736Z C6800IA 48GE C6800IA-48TD FOC1737W0NP 4 48 C6800IA 48GE POE C6800IA-48FPD FOC1741S58N 5 48 C6800IA 48GE POE C6800IA-48FPD FOC1736Z03L Switch#show etherchannel 10 summary Flags: D - down P - bundled in port-channel! Number of channel-groups in use: 3 Number of aggregators: 3 Group Port-channel Protocol Ports Po10(SU) - Te1/2/5(P) Te1/2/6(P) Te1/2/7(P) Te1/2/8(P) Te2/2/5(P) Te2/2/6(P) Te2/2/7(P) Te2/2/8(P) Switch#show fex 101 detail FEX: 101 Description: FEX0101 state: online FEX version: 15.2(3.2.3)E Extender Model: C6800IA-48FPD, Extender Serial: FOC1736Z036 FCP ready: yes Image Version Check: enforced Fabric Portchannel Ports: 8 Fabric port for control traffic: Te1/2/5 Fabric interface state: Po10 - Interface Up. Te1/2/5 - Interface Up. state: bound Te1/2/6 - Interface Up. state: bound Te1/2/7 - Interface Up. state: bound Te1/2/8 - Interface Up. state: bound Te2/2/5 - Interface Up. state: bound Te2/2/6 - Interface Up. state: bound Te2/2/7 - Interface Up. state: bound Te2/2/8 - Interface Up. state: bound Last applied Hash Distribution Algorithm: Adaptive

45 Catalyst Instant Access Phase 2 Scalability 6880-X Switch SUP2T* 15.2(1)SY -> 15.2(1)SY1 Maximum Client Node User Ports > 1500 Maximum FEX IDs 25 -> 32 Maximum Client Switches 25 -> 32 Maximum Clients in Stack (1)SY and 15.2(1)SY1 Maximum Client Node User Ports 2000 Maximum FEX IDs 42 Maximum Client Switches 42 Maximum Clients in Stack 5 Maximum User Ports in Stack 240 Maximum User Ports in Stack 240 *Maximum supported by TAC 6880X-VSS#show fex system platform usage FEX slot usage details FEX-id Switch-id Vslot Pslot Status In-use <snip> In-use Total Used Reserved Free FEX ports usage details FEX-id Switch-id Ports Total Used Free Stack members usage details FEX-id Switch-id Used Free VNTAG MGR Usage Max unicast VIFs available 2048 Total unicast VIFs used 2016 Max non-mdest VIFs available 1019 Total non-mdest VIFs used 59 Max mdest VIFs available Total mdest VIFs used 2409

46 Catalyst Instant Access Phase 2 Scalability 6880-X Switch SUP2T* 15.2(1)SY -> 15.2(1)SY1 Maximum Client Node User Ports > 1500 Maximum FEX IDs 25 -> 32 Maximum Client Switches 25 -> 32 Maximum Clients in Stack (1)SY and 15.2(1)SY1 Maximum Client Node User Ports 2000 Maximum FEX IDs 42 Maximum Client Switches 42 Maximum Clients in Stack 5 Maximum User Ports in Stack 240 Maximum User Ports in Stack 240 *Maximum supported by TAC 6807-XL#show fex system platform usage FEX slot usage details FEX-id Switch-id Vslot Pslot Status In-use <snip> In-use Total Used Reserved Temp-Use/Free Free /5 15 FEX ports usage details FEX-id Switch-id Ports <snip> Total Used Free Stack members usage details FEX-id Switch-id Used Free <snip> VNTAG MGR Usage Max unicast VIFs available 2048 Total unicast VIFs used 1536 Max non-mdest VIFs available 1019 Total non-mdest VIFs used 8 Max mdest VIFs available Total mdest VIFs used 1292

47 Instant Access with C3560-CX WS-C3560CX-12PD-S 15.2(1)SY (Shipping) WS-C3560CX-8XPD-S 15.2(1)SY1 Distribution Access 3K-CX 6K Catalyst 6500/6800 VSS C6800IA C3560-CX IA C3560-CX IA C3560CX# fex-mode enable System will reload after mode conversion. Do you want to continue? [no] yes FEX-130# show fex FEX FEX FEX FEX Number Description State Model Serial Local FEX online WS-C3560CX-12PD-S FHH1810P07A C6K-VSS# show fex FEX FEX FEX FEX Number Description State Model Serial FEX0110 online C6800IA-48TD FOC1725X2AG 130 FEX0130 online WS-C3560CX-12PD-S FHH1810P07A Compact IA scale: 42 clients (FEXs) 504 ports with 3560CX-12PD-S 336 ports with 3560CX-8XPD-S Standalone mode (default) Instant Access mode (CLI, auto detect) New image for 3560-CX bundled with Sup2T (~20 MB increase in image size) Can be converted to standalone mode from Instant Access Parent switch using reload fex <fexid> standalone

48 Instant Access with C3560-CX Dynamic conversion Distribution Access Catalyst 6500/6800 VSS C6800IA C3560-CX IA C3560-CX IA 15.2(1)SY1 Dynamic FEX conversion reload fex <fex-id> standalone dissociate Convert this fex to Standalone mode and remove fex association 6K DIST-VSS#reload fex 102 standalone? dissociate Convert this fex to Standalone mode and remove fex association <cr> DIST-VSS#reload fex 102 standalone dissociate Requires FEX auto config feature to be disabled The portchannel on the Parent switch is disassociated from the FEX ID in ~ seconds, and it takes the client switch ~4 minutes to reload in standalone mode and pass the POST bootup tests

49 Instant Access with WS-C3560CX switches Distribution Access Catalyst 6500/6800 VSS 15.2(1)SY1 on Cat6K : Mixed clients are supported: C6800IA C3560-CX IA C3560-CX IA DIST-VSS#show fex FEX FEX FEX FEX Number Description State Model Serial FEX0101 online C6800IA-48TD FOC1741S1FD 102 FEX0102 online WS-C3560CX-12PD-S FOC1906Y1HB 103 FEX0103 online WS-C3560CX-8XPD-S FOC1852Z001 DIST-VSS# 6800ia family WS-C3560CX-12PD-S WS-C3560CX-8XPD-S Scale with mixed clients will be a total of 42 clients.

50 Instant Access with mgig support 15.2(1)SY1 DIST-VSS#show int status fex 103 Port Name Status Vlan Duplex Speed Type Gi103/1/0/1 disabled 1 full auto 10/100/1000BaseT... Gi103/1/0/6 disabled 1 full auto 10/100/1000BaseT Te103/1/0/7 disabled 1 a-full auto 100/1G/2.5G/5G/10GBaseT Te103/1/0/8 disabled 1 a-full auto 100/1G/2.5G/5G/10GBaseT DIST-VSS# DIST-VSS(config)#int t103/1/0/8 DIST-VSS(config-if)#speed? 100 Force 100 Mbps operation 1000 Force 1000 Mbps operation Force Mbps operation 2500 Force 2500 Mbps operation 5000 Force 5000 Mbps operation auto Enable AUTO speed configuration DIST-VSS#show int t103/1/0/8 status Port Name Status Vlan Duplex Speed Type Te103/1/0/8 connected 1 full a-10g 100/1G/2.5G/5G/10GBaseT DIST-VSS# 10 M 100 M 1000 M 2.5 G 5 G 10 G

51 Instant Access Console Disable Common Criteria Compliance Catalyst 6500/6800 VSS FEX 101 Console Disable Active Console Disable Active Console Disable Active FEX 102 FEX 103 Console Disable Active Console Disable Active Console Disable Active Console Disabled Enable Active Console Enabled Disable C3650-CX C6800IA 15.1 train: 15.1(2)SY3 onwards 15.2 train: 15.2(1)SY onwards (Debug CLI available to temporarily enable console)

52 Fabric Link Connectivity

53 Catalyst Instant Access Fabric Link Connectivity Scenarios Dual Homed to VSS Pair Recommended Design Dual Homed to VSS Pair Dual Homed across Stack Members Up to 8 uplinks (80G) MEC across Client to Parent

54 Catalyst Instant Access Fabric Link Connectivity Scenarios Single Homed to VSS Pair Possible but Not Recommended Single homed to VSS pair Single Homed upto 8 links in MEC Across Stack members

55 Catalyst Instant Access Fabric Link Connectivity Scenarios Single Switch VSS Mode Possible but Not Recommended Single Homed to Switch 1 in VSS mode Dual Homed to Single Switch in VSS mode Up to 8 links in MEC homed to Single Switch in VSS Mode

56 Host Port Etherchannel

57 Catalyst Instant Access Host Port Connectivity Options Host Single Homed End devices to IA Client dual homed to VSS Pair MEC at IA Ports across Stack Members

58 Catalyst Instant Access Unsupported Topologies VSS Domain 1 VSS Domain 2 VSS VSS Host IA Client can not be connected to two Standalone Switches in VSS Mode Ether channel across Multiple FEX IDs not supported Ether channel across IA Client and Native Cat6k ports not supported

59 Quality of Service (QoS)

60 Client Fabric Link Subscription Ratios VSS Pair at Distribution IA Client Non Stacked VSS Pair at Distribution IA Client Stacked 48 IA Client Host Ports Two 10G Fex-Fabric links (MEC) to VSS Pair 2.4 : 1 Subscription Ratio Recommended Design 240 IA Client Host Ports Two 10G Fabric link (MEC) to VSS Pair 12 : 1 Subscription Ratio

61 IA Client Fabric Link Subscription Ratios IA Parent Singe Switch IA Client Non Stacked IA Parent Single Switch IA Client Stacked 48 IA Host Ports 240 IA Host Ports One 10G Fabric Link One 10G Fabric link 4.8 : 1 Subscription Ratio 24 : 1 Subscription Ratio Not Recommended Design Reduced Redundancy and Lower Bandwidth with Single Uplinks

62 Catalyst Instant Access QoS IA Client Fabric Link IA Parent Trust DSCP 4 Queues on Host Ports downstream 4 Queues on Fabric Upstream DSCP- Queue Map Classification Marking/Remarking Policing Aggregate Microflow 8 Queues Downlink Shaping & Queuing on Fabric Link not supported

63 Catalyst Instant Access QoS Ingress IA Client Host Port Over Fabric Link Data Data DSCP-QUEUE MAP Queue 1: 32, 33, DSCP 40 DSCP 25 Queue 2: 16-24, 26-31, 34-39, Queue 3: 0-7, 25 Queue 4: 8,9,11,13,15 IA Control Traffic IA Client Fabric Link Queues (1P3Q3T) Priority (1) Standard Q (2) Standard Q (3) Standard Q (4) IA Parent Trust DSCP at IA Host Port DSCP to Output Q Map 1 Priority Queue 3 Standard Queues Shared Queue Marking/Re-Marking at IA Parent Policing at IA Parent

64 Catalyst Instant Access QoS Egress IA Parent to IA Client over Fabric Link IA Client Fabric Link IA Parent Queues (1P7Q4T) Priority (1) Standard Q (2) Standard Q (3) IA Control Traffic Data Data DSCP 40 DSCP 25 Standard Q (4) Standard Q (5) Standard Q (6) Standard Q (7) TRUST DSCP MAP TABLE AT IA PARENT Queue 1: 32, 33, Queue 2: 16-24, 26-31, 34-39, Queue 3: 0-7, 25 Queue 4: 8,9,11,13,15

65 Catalyst Instant Access QoS Egress IA Client Host Ports IA Client Fabric Link IA Parent Trust DSCP/COS 1P3QT3 Egress Host Port Queues (1P3Q3T) Queues (1P7Q4T) Shared Priority (1) Data DSCP 40 Priority (1) Standard Q (2) Standard Q (2) Standard Q (3) Data DSCP 16 Standard Q (3) Standard Q (4) DSCP-QUEUE MAP Queue 1: 32, 33, Queue 2: 16-24, 26-31, 34-39, Queue 3: 0-7, 25 Queue 4: 8,9,11,13,15 Standard Q (4) Standard Q (5) Standard Q (6) Standard Q (7)

66 QoS with Instant Access 6880-VSS#show queueing interface g109/1/0/1 Interface GigabitEthernet109/1/0/1 queueing strategy: Weighted Round-Robin QoS on Instant Access host ports: Priority Queuing Queue Bandwidth DSCP to queue map Queue limit/buffer Supported capabilities with 15.2(1)SY1 Configuration applies to entire IA stack Uses MQC policy maps of type lan-queuing policy-map type lan-queuing test class type lan-queuing data priority class type lan-queuing video bandwidth remaining percent 20 queue-buffers ratio 30! class-map type lan-queuing match-any video match dscp cs4 cs5 class-map type lan-queuing match-all data match dscp cs1 Port QoS is enabled globally Queueing on Gi109/1/0/1: Tx Enabled Rx Disabled Trust boundary disabled Trust state: trust DSCP Trust state in queueing: trust DSCP Default COS is 0 Class-map to Queue in Tx direction Class-map Queue Id data 1 video 4 class-default (1)SY1 Queueing Mode In Tx direction: mode-cos Transmit queues [type = 1p3q3t]: Queue Id Scheduling Num of thresholds Priority 3 2 WRR 3 3 WRR 3 4 WRR 3 WRR bandwidth ratios: 80[queue 2] 0[queue 3] 20[queue 4] queue-limit ratios: 15[Pri Queue] 100[queue 2] 0[queue 3] 30[queue 4] queue thresh dscp-map VSS#

67 Agenda What is Instant Access? Recommended Topologies Deployment Scenarios Day 0 Provisioning Traditional Layer 2 Traditional Layer 3 VRF-Lite / EVN MPLS-VRF Trustsec Case Studies High Availability Performance

68 Catalyst Instant Access Provisioning Automatic Discovery of IA Client Step 1 interface Port-channel20 switchport switchport mode fex-fabric fex associate 118 Step 2 interface range TenGig1/2/5, TenGig2/2/5 switchport channel-group 20 mode on The Discovery process starts automatically once the FEX-Fabric is configured on downlinks to IA Client No Console Access Required to Instant Access Client Provisioning

69 New Deployment of Instant Access Simplicity of Provisioning Automatic-Provisioning on Connection A Client gets automatically discovered and provisioned using IA Control Protocol when connected. Automatic Discovery and Stack Member by Parent via Stack Master F 110 F 11 Pre-Provisioning Provision IA Client and interface Configurations before even physically connecting the IA Client mod provision create fex 111 type c6800ia-48fpd mod provision create fex 111 type c6800ia-48fpd slot 2

70 Provisioning Client Switches C6500-VSS-2#module provision create fex 188 type c6800ia-48fpd FEX 188 slot 1 module provisioning entry added. C6500-VSS-2#show interface summary begin 188 GigabitEthernet188/1/0/ GigabitEthernet188/1/0/ GigabitEthernet188/1/0/ GigabitEthernet188/1/0/ GigabitEthernet188/1/0/ GigabitEthernet188/1/0/ GigabitEthernet188/1/0/ Use module provision command to create the logical interface representation within the system configuration without even connecting the physical client switch

71 Apply Configuration to Provisioned FEX Clients C6500-VSS-2#show run fex 188 Building configuration... Current configuration : 5900 bytes! interface GigabitEthernet188/1/0/1 switchport switchport trunk allowed vlan 1 switchport mode dynamic auto shutdown! interface GigabitEthernet188/1/0/2 switchport switchport trunk allowed vlan 1 switchport mode dynamic auto shutdown! C6500-VSS-2#conf t Enter configuration commands, one per line. End with CNTL/Z. C6500-VSS-2(config)#int gi 188/1/0/1 C6500-VSS-2(config-if)#switchport mode access C6500-VSS-2(config-if)#switchport access vlan 100 C6500-VSS-2(config-if)#

72 Catalyst Instant Access Host Port: Interface Naming Convention <Interface-type>/<fex-id>/<module>/<submode>/<port> FEX ID Stack Sub Module FEX Port interface GigabitEthernet 118/1/0/1 interface GigabitEthernet 118/2/0/1

73 Easy VSS Traditional VSS configuration: Assign Virtual Switch Domain Assign Switch ID Create Port-channel Configure Port-channel as VSL Add interfaces to the VSL Port-channel Switch convert mode virtual Easy VSS configuration: 15.2(1)SY1 Single line command to convert to VSS Easy VSS Feature can be enabled or disabled globally Start with two Standalone systems Apply one-time VSS Conversion commands and reload Both systems are now a Single VSS

74 Conversion to VSS Conversion Example For the purposes of explanation let us assume the following setup Switch 1 Switch 2 T5/4 Virtual Switch Link T5/4 T5/5 T5/5 Port-Channel 1 Port-Channel 2 Virtual Domain 100

75 Conversion to VSS Conversion Example CONFIGURE THE VSS DOMAIN, SWITCH ID & VSL PORT-CHANNEL Switch 1 Switch 2 Router(config)#hostname VSS VSS(config)#switch virtual domain Router(config)#hostname VSS VSS(config)#switch virtual domain 100 Domain ID 10 config will take effect only after the exec command 'switch convert mode virtual' is issued VSS(config-vs-domain)#switch 1 VSS(config-vs-domain)#exit 2 Domain ID 10 config will take effect only after the exec command 'switch convert mode virtual' is issued VSS(config-vs-domain)#switch 2 VSS(config-vs-domain)#exit VSS(config)#interface port-channel 1 VSS(config-if)#switch virtual link 1 VSS(config-if)#no shutdown VSS(config-if)#interface range TenGig 5/4-5 VSS(config-if-range)#channel-group 1 mode on VSS(config-if-range)#no shutdown 3 4 VSS(config)#interface port-channel 2 VSS(config-if)#switch virtual link 2 VSS(config-if)#no shutdown VSS(config-if)#interface range TenGig 5/4-5 VSS(config-if-range)#channel-group 2 mode on VSS(config-if-range)#no shutdown

76 Conversion to VSS Conversion Example CONVERT FROM STAND-ALONE TO VIRTUAL SWITCHING Switch 1 Switch 2 VSS# switch convert mode virtual 5 VSS# switch convert mode virtual This command will convert all interface names to naming convention "interface-type switchnumber/slot/port", save the running config to startup-config and reload the switch. Do you want to proceed? [yes/no]: yes Converting interface names Building configuration... [OK] Saving converted configuration to bootflash:... Destination filename [startup-config.converted_vs ]? AT THIS POINT SWITCH 1 WILL REBOOT... This command will convert all interface names to naming convention "interface-type switchnumber/slot/port", save the running config to startup-config and reload the switch. Do you want to proceed? [yes/no]: yes Converting interface names Building configuration... [OK] Saving converted configuration to bootflash:... Destination filename [startup-config.converted_vs ]? AT THIS POINT SWITCH 2 WILL REBOOT...

77 Easy VSS Conversion Example CONVERT FROM STAND-ALONE TO VIRTUAL SWITCHING Switch (1)SY1 Switch 2 To enable (or disable) the feature Switch1(config)#switch virtual easy To enable (or disable) the feature Switch2(config)#switch virtual easy To convert to VSS switch convert mode easy-virtual-switch domain [domain id] links [intf1..intf8] To convert to VSS Requires interfaces to be up, and CDP enabled on both switches Switch1#switch convert mode easy-virtual-switch? domain Select Unique VSL Domain number in your Network, Default domain ID is 100 links Select VSL Links

78 Auto FEX Conversion Example To enable FEX configuration by simply doing a no shut on the interfaces FEX config fex 110 description FEX0110 interface Port-channel110 switchport switchport mode fex-fabric fex associate 110 end interface TenGigabitEthernet1/4/7 switchport switchport mode fex-fabric switchport nonegotiate channel-group 110 mode on end With Auto FEX To enable (or disable) the feature fex auto-config To configure a FEX 15.2(1)SY1 interface TenGigabitEthernet1/4/7 no shutdown end

79 Provisioning Instant Access Log messages when Instant Access client comes online 15.2(1)SY1 DIST-VSS# *Apr 1 21:04:26.335: %FEXMGR-SW2-6-IMAGE_DNLD_STATUS: (FEX 103) Auto Image Download : In progress *Apr 1 21:04:48.899: %FEXMGR-SW2-6-IMAGE_DNLD_STATUS: (FEX 103) Auto Image Download : Installing the images *Apr 1 21:04:53.039: %FEXMGR-SW2-6-IMAGE_DNLD_STATUS: (FEX 103) Auto Image Download : Software Installation completed *Apr 1 21:04:56.043: %FEXMGR-SW2-6-IMAGE_DNLD_STATUS: (FEX 103) Auto Image Download : Reloading the FEX DIST-VSS# DIST-VSS#show fex FEX FEX FEX FEX Number Description State Model Serial FEX0101 online C6800IA-48TD FOC1741S1FD 102 FEX0102 online WS-C3560CX-12PD-S FOC1906Y1HB 103 FEX0103 online WS-C3560CX-8XPD-S FOC1852Z001 DIST-VSS# Catalyst 6500/6800 VSS C6800IA C3560-CX IA C3560-CX IA

80 Easy FEX Using interface aliases Associate an interface with an alias and use this alias name to address the interface: 15.2(1)SY1 DIST-VSS(config)#interface g101/1/0/48 DIST-VSS(config-if)#alias? LINE Up to 80 characters describing this interface DIST-VSS(config-if)#alias blue DIST-VSS(config-if)#end DIST-VSS#show interfaces alias all Interface Name Alias GigabitEthernet101/1/0/48 blue DIST-VSS# DIST-VSS(config)#interface alias blue DIST-VSS(config-if)#no switchport trunk allowed vlan 1 DIST-VSS(config-if)#end DIST-VSS#

81 Interface Templates Benefits Overview Consistent configuration across interfaces Smaller switch configuration files Built-in interface templates for ease of use All interface templates are customizable Templates updates immediately ripple to interfaces Per session or per port templates No change to running-config Full rollback and precedence management Compatible with session networking/autoconf

82 Interface Templates Adding an Interface Template Interface-level commands available for templates Only these commands can be used in interface templates Other interface level commands configured the usual way Switch(config)# template IA_TEMPLATE Switch(config-template)#? Template configuration commands: aaa Authentication, Authorization and Accounting. access-session Access Session specific Interface Configuration authentication Auth Manager Interface Configuration Commands auto Configure Automation carrier-delay Specify delay for interface transitions channel-group Etherchannel/port bundling configuration channel-protocol Select the channel protocol (LACP, PAgP) dampening Enable event dampening default Set a command to its defaults description Interface specific description dot1x Interface Config Commands for IEEE 802.1X ethernet Ethernet service exit Exit from template configuration mode hold-queue Set hold queue depth ip IP template config keepalive Enable keepalive load-interval interface Specify interval for load calculation for an mab udld 15.2(1)SY Shipping MAC Authentication Bypass Interface Config Configure UDLD enabled or disabled and ignore global UDLD

83 Interface Templates Static Apply an Interface Template with source 15.2(1)SY Shipping Easy to Use Statically apply interface template with source template <templatename> interface CLI Full interface configuration use show derived-config interface <intf> Template name appears in show running interface <intf> By default, access vlan is 1. Switch#show run sec template template IA_TEMPLATE switchport mode access switchport access vlan 100 switchport nonegotiate switchport port-security source template IA_TEMPLATE2 template IA_TEMPLATE2 spanning-tree portfast edge Switch(config)#int range g101/1/0/1-3 Switch(config-if-range)#source template IA_TEMPLATE Switch#show run int g101/1/0/1 interface GigabitEthernet1/1 switchport source template IA_TEMPLATE end

84 Interface Templates Adding an Interface Template Easy to Modify Editing is easy; add or modify configuration, e.g., change access vlan for template Create new or customize existing with command template <name> Change propagates to templates in place! ASP has to re-apply macro after change Changing built-in template, entire template appears in running and startup configuration Unchanged template not in config Restore to original built-in with no command no source template Switch# show derived-config int g101/1/0/1 interface GigabitEthernet101/1/0/1 switchport switchport access vlan 100 switchport trunk allowed vlan 1 switchport mode access switchport nonegotiate switchport port-security spanning-tree portfast edge Switch(config)#template IA_TEMPLATE Switch(config-template)#switchport access vlan 200 Switch(config-template)#end Switch# show derived-config int g101/1/0/1 Derived configuration : 155 bytes! interface GigabitEthernet101/1/0/1 switchport switchport access vlan 200 switchport trunk allowed vlan 1 switchport mode access switchport nonegotiate switchport port-security spanning-tree portfast edge end 15.2(1)SY Shipping

85 Switch Renumbering in a Stack Easy replacement during RMA 6880-VSS#show mod fex 109 Switch Number: 109 Role: FEX Mod Ports Card Type Model Serial No C6800IA 48GE POE C6800IA-48FPDR FDO1804B02N 2 48 C6800IA 48GE POE C6800IA-48FPDR FDO1804B02C C6800IA 48GE POE C6800IA-48FPDR FDO1804B02W 48 C6800IA 48GE POE C6800IA-48FPDR FDO1804B C6800IA 48GE POE C6800IA-48FPDR FDO1804B01V <snip> 6880-VSS# 15.2(1)SY VSS#module provision update fex VSS(exec-fex-update)#renumber 5 to 4 %FEX 109 slot 5 will reload upon commit. Are you sure you want to proceed? [no]: yes 6880-VSS(exec-fex-update)#renumber 4 to 5 %FEX 109 slot 4 will reload upon commit. Are you sure you want to proceed? [no]: yes 6880-VSS(exec-fex-update)#show Current module renumber mappings for FEX renumber 4 to 5 renumber 5 to 4 Current module Priority mappings for FEX Change switch number of replaced switch, to derive the configuration of the previously failed stack member SWITCH 1 SWITCH 2 SWITCH 3 SWITCH 4 SWITCH 5 Temp vslots allowed:no Current Temp vslot allowed FEXs: 6880-VSS(exec-fex-update)#commit %FEX 109 renumbered modules will reload. Are you sure you want to proceed? [no]: yes 6880-VSS(exec-fex-update)#end 6880-VSS#

86 New Deployment of Instant Access Traditional L2 Design with Instant Access Continue to maintain traditional L2 deployment design in IA Architecture with smaller L2 domain per Switch/IDF VLAN 100 VLAN 10 VLAN 110 VLAN 20 VLAN 120 VLAN 30 VLAN 130 VLAN 40 VLAN 140 VLAN 50 VLAN 150 Interface range Gig110/1/0/1-20 Switchport access vlan 10 interface Gig110/1/0/21-40 switchport access vlan 110 interface Gig110/1/0/41-48 Switchport access vlan 100 Interface range Gig111/1/0/1-20 Switchport access vlan 20 VLAN 10 VLAN 110 VLAN 20 VLAN 120 VLAN 30 VLAN 130 VLAN 40 VLAN 140 VLAN 50 VLAN 150 VLAN 100

87 Traditional L3 Design with Instant Access No need for Routing Protocols Between Distribution and Access Interface range Gig110/1/0/1-20 no switchport Ip address interface Gig110/1/0/21-40 switchport ip address interface Gig110/1/0/41-48 switchport ip addresss

88 Catalyst Instant Access Cascading a Switch Cascaded Switching Independently Managed Disable BPDU Guard on host port STP at Cat6500/6800 (IA Parent) STP running across VIF at IA Parent Smart Install

89 Catalyst Instant Access Smart Install across Cascaded Switch Smart Install configuration vstack vlan 209! vstack group built-in 2960c 8-poe image bootdisk:c2960c405-universalk9-tar e.tar config bootdisk:cseriestemplate.conf.txt! vstack dhcp-localserver pool209 address-pool file-server default-router ! vstack director vstack basic vstack startup-vlan 209 no vstack Port configuration interface GigabitEthernet106/1/0/5 switchport switchport access vlan 209 switchport trunk allowed vlan 1-499, switchport mode dynamic desirable end

90 Catalyst Instant Access + Network Virtualization EVN, VRF-Lite 802.1Q VRF created at every Access Switch interface g1/0 vnet trunk Layer 2 Trunks uplinks VNET Trunks, Hop by Hop VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b Layer 2 Trunks VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b Layer 2 Trunks VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b

91 Catalyst Instant Access + Network Virtualization EVN, Further Simplified No L2 Trunks VRF only at Distribution for the whole POD. No Configurations at Access VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b Layer 2 Trunks interface g1/0 vnet trunk VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b Layer 2 Trunks VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b VLAN 21 Dept-a VLAN 22 Dept-c VLAN 23 Dept-b

92 Network Virtualization MPLS-VRF VPN at Campus Access MPLS based L3 VPN Services at Access Layer VRF configuration only on Distribution No IGP relationship between access and distribution Fabric Links No LDP between distribution and access no additional control overhead No MP-BGP on access devices Higher Scaling than 802.1Q-based segmentation at Layer 2 Group Segregation with ASA-SM service module VRF C MPLS VRF at Access VRF B Enterprise MPLS Core/ Access VRF A VRF C interface GigabitEthernet103/1/0/24 no switchport vrf forwarding PCI ip address mpls ip VRF B VRF A

93 Comprehensive End-to-End Security Cisco TrustSec Context-Aware Control Segmentation (Compliance) Protect Network Infrastructure What Where When Who How IDENTITY Role-Based Access Control with Security Group Tagging (SGT) Identify, Profile Devices with Device Sensor 802.1X Authentication Topology Independent Segmentation with Secure Group Access (SGA) MACsec Encryption (Hardware ready) Network Device Admission Control (NDAC)

94 Catalyst Instant Access SGT, SGACL Security Group Tagging and Forwarding IP Address SGT SGT SGT SGT SGT SGT RADIUS Session Cisco TrustSec Domain Network Device Authentication SGACL Enforcement cts role-based permissions from 100 to 3200 permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 135 permit tcp dst eq 136 permit tcp dst eq 138 permit tcp des eq 139 deny ip Identity Service Engine SXP Session IP Address SGT 802.1x, MAB, WebAuth Identity Services with SXP for SGT Mapping

95 Case Studies

96 Case Study #1 Medium Enterprise Lower Operations Costs Large School District in United States Business and Technology Drivers Small operations staff and needs to scale services Spend less time managing the network Many legacy applications requiring L2 connectivity still in use No Cisco certified IT staff onsite New building deployment, future growth planned Instant Access domain size less than 800 ports Already using Catalyst 6500 in core, distribution and access in many existing locations

97 Case Study #1 IA Topology New Building VLAN 10 VLAN 110 VLAN 210 VLAN 20 VLAN 310 VLAN 30 VLAN 410 VLAN 40 VLAN 510 VLAN 50 Five floors with wired ports per floor 2 X10GbE uplinks per fex Instant Access domain size 720 total access ports with PoE RPS2300 for redundant power Key applications Third party VoIP Appletalk print services Key functionality enabled VLAN bridging for Appletalk Carefully consider L2 domain size whenever extending VLANs across multiple switches

98 Case Study #2 Medium Enterprise Deploying Segmentation Manufacturing Company Northern Europe Business and Technology Drivers Extending network segmentation to the access layer with minimal complexity Option to extend MPLS further down to the distribution/access layer Instant Access domain size 5 Instant Access Domains 100 total Instant Access client switches Key applications Data Collection for factories Traditional Enterprise, and collaboration Key functionality enabled Multi-VRF IP multicast

99 Case Study #2 IA Topology HQ-DC C-Core MPLS Backbone MPLS Backbone HQ-DC 21 Clients 21 Clients 20 Clients 20 Clients 13 Clients Migrating to Instant Access in phases Traditional multi-layer deployment today 2 x10 GbE and 4 X 10GbE fex uplink configurations Executed internal proof of concept testing MPLS L3 VPNs extended to the Data Center and some remote locations Provide network isolation for multiple customer resources and data Allows flexibility and agility in deployments

100 Case Study #3 Medium Campus, Factory Floor Simplified Operations Global Corporation with Diversified Business Groups Including Aerospace and Others Business and Technology Drivers High Availability network designs Highly secure environment Future network segmentation options including VRF-lite, MPLS Instant Access domain size 8 Instant Access domains over two locations Near 1000 ports in each Instant Access domain Key applications Engineering Traditional enterprise applications including , collaboration Key functionality enabled Wired and wireless user authentication with IEEE 802.1x

101 Case Study #3 IA Topology Campus Network C-Core Migrating to Instant Access in phases Traditional multi-layer deployment today 2 x 10GbE and 4 X 10GbE fex uplink configurations 21 Clients 21 Clients 6 IA Domains 21 Clients 21 Clients Manufacturing Facility Considering 1GbE uplinks in future manufacturing floor deployments Considering VRF-lite extensions to the Instant Access domains

102 Agenda What is Instant Access? Recommended Topologies Deployment Scenarios High Availability Performance

103 About the Performance Testing Real World Traffic testing Customer proof of concept testing with main focus on HA Across IPv4, IPv6, Multicast traffic

104 Catalyst Instant Access High Availability VSS / VSS Quad-Sup SSO EtherChannel Load Balancing Up to 6 10G in MEC Bundle Load Sharing Ca6k Hash Algorithms Up to 3 Stack Members 80G stack bandwidth between stack members EtherChannel Across Stack Members Up to 6 10G into One EtherChannels Dual Active detection on fabric links Upto 2 Host Ports per Etherchannel Host Port EtherChannel Across Stack Members Master Failure will not reset Etherchannel

105 Network Topology Traffic Generator BGP OSPF VSL Fast-hello VSL Bi-Directional Unicast Traffic Traffic Gen Hosts 100 Flows to each Host MEC Hash: Src-Dst-Port Multicast (Anycast, Sparse) Traffic Gen All Hosts Host A Host D Host B Host C Host F Host E

106 High Availability: Fabric-Link Failure Traffic Generator VSL Fast-hello VSL 1 st Uplink failure Host A,B ~ 15ms Multicast - Hitless 2 nd Uplink failure Host A,B,C ~ 50ms Multicast ~ 612ms 3 rd Uplink failure Host A,C ~ 25ms Multicast - Hitless Host A Host B Host C Host F Host D Host E

107 High Availability: Fabric-Link Failure Traffic Generator VSL Fast-hello Fabric Link Recovery Host A,B, C ~ 25-50ms Multicast ~ 0 90ms VSL Host A Host B Host C Host F Host D Host E

108 High Availability: Supervisor Failure Traffic Generator VSL Fast-hello Supervisor Failure Host A,B,C,D,E,F ~ 15ms - 60 ms Multicast ~ 800ms VSL Host A Host B Host C Host F Host D Host E

109 High Availability: Stacking - Uplink Failover Distribution Host A Host B Host C SW1 SW2 SW3 1) Pulled Stack cable between SW1 and SW3: Host A,B Hitless, Host C ~ 30ms Mutlicast Hitless 2) Pulled Stack cable between SW1 and SW2: Host B ~ 30ms Loss Multicast ~ 204 ms Host A, C Hitless Traffic Flow Fabric link Stacking Cable

110 High Availability: Stack Master Failure Distribution Host A Host B Host C SW1 SW2 SW3 (Stack Master) Power removed from Stack Master (SW1) Host B, C ~ 96ms Loss Multicast - Hitless

111 High Availability: VSL Link Failure Traffic Generator VSL Fast-hello VSL Link Failure Host A,B,C,D,E,F ~ ms Multicast ~ 500ms VSL Dual-Active Detection Host A Host B Host C Host F Host D Host E

112 High Availability: Quad Supervisor Failure Traffic Generator VSL Fast-hello Switch 1: Supervisor 1: Failure Host A,B,C,D,E,F - Hitless Multicast - Hitless VSL Switch 2: Supervisor 1: Failure Host A,B,C,D,E,F - Hitless Multicast - Hitless Host A Host B Host C Host F Host D Host E

113 Instant Access: VSS Dual Active Detection Enhanced PAgP Switch 1 Switch 2 Enhanced SDP (Fabric Link Discovery Protocol) Switch 1 Switch 2 Active Hot Standby Active Hot Standby Requires epagp capable neighbor : 3750: 12.2(46)SE 4500: 12.2(44)SE 6500: 12.2(33)SXH1 Sub-second convergence Cat6500-VSS#show fex dual-active FEX dual-active detection enabled: Yes Requires esdp Neighbor: Channel Group 16 (FEX Catalyst 132) 6800ia: 15.1(2)SY Dual Active detection capable: Yes switch 1 member port state: Te1/2/5 Sub-second - Interface Up. convergence state: bound Te1/2/13 - Interface Up. state: bound switch 2 member port state: Te2/2/5 - Interface Up. state: bound Te2/2/13 SDP Satellite - Interface Discover Up. Protocolstate: bound

114 Catalyst Instant Access efsu A = Active S=Standby LC=Line Card Old Code Newer Code A LC1 LC2 S LC1 LC2 issu load version A LC1 LC2 S LC1 LC2 issu run version S LC1 LC2 A LC1 LC2 issu accept version Issu run version fex 103 LC3 LC3 LC3 LC3 LC3 LC3 101 F 102 F 103 F 103 F 103 F 101 F 102 F 103 F 103 F 103 F 101 F 102 F 103 F 103 F 103 S LC1 A LC1 LC2 LC2 LC3 LC3 S LC1 LC2 LC3 F 101 A LC1 LC2 LC3 F 102 F 103 F 103 F 103 issu commit version S LC1 LC2 LC3 F 101 A LC1 LC2 LC3 F 102 F 103 F 103 F 103 F 101 Issu run version fex 102, 101 Rolling Upgrade Across FEX-ID s F 102 F 103 F 103 F 103

115 Distribution High Availability: Software upgrade Upgrade of Distribution and Access 1 VSS-1# issu load version Version 1 Version 2 VSS-1 VSS-2 Te2/2/15 - Interface Down. state: idle Te2/2/16 - Interface Down. state: idle Te1/2/15 - Interface Up. state: bound Te1/2/16 - Interface Up. state: bound Unicast ~25-50ms Multicast ~ 300ms 2 VSS-1# issu runversion [SSO VSS1 VSS2 ] Host A Host B Host C Host F Host D Host E Te2/2/15 - Interface Up. state: bound Te2/2/16 - Interface Up. state: bound Te1/2/15 - Interface Up. state: bound Te1/2/16 - Interface Up. state: bound Unicast ~25-50ms Multicast ~ 300ms

116 Distribution High Availability: Software upgrade Upgrade of Distribution and Access VSS-1 VSS-2 3 VSS-1# issu runversion fex 106 Cat6500-VSS#issu runversion fex 106 % Successfully initiated 'runversion fex' for Fex IDs: 106. Image download with no disruption of traffic (4.5 min) Te1/2/15 - Interface Up. state: bound Te1/2/16 - Interface Up. state: bound Te2/2/15 - Interface Up. state: bound Te2/2/16 - Interface Up. state: bound Host A Host B Host C Host F Host D Host E Unicast: No Loss Multicast: No Loss C6800IA reloads with new image Traffic Loss during reboot of C6800IA ~ 5-6 min 4 VSS-1# issu commitversion

117 Key Takeaways Instant Access is a deployment model with specific benefits: Simplified operations Single point of management Image management Configuration management Troubleshooting Eliminates configuration complexity at the access uplink VLAN trunks, VRF-Lite, MPLS and other segmentation protocols Specific hardware and software requirements Centralized wired and wireless switching designs Instant Access is shipping and ready to deploy Scalability up to 2000 nodes and different client platforms included

118 Participate in the My Favorite Speaker Contest Promote Your Favorite Speaker and You Could Be a Winner Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress) Send a tweet and include Two hashtags: #CLUS #MyFavoriteSpeaker You can submit an entry for more than one of your favorite speakers Don t forget to View the official rules at

119 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online