BoP Features


Agenda

  • Introduction

  • Performance

  • The Value propositions (AOS v5.1)

    • Availability

      • Element resiliency

      • Network resiliency

    • Security

      • Element security

      • Network security

    • Intelligence

    • Manageability

  • Next Step for future releases

    • Hardware

    • Software


Introduction

The Distributed Processing Structure


Distributed Processing Structure

  • Distributed Architecture

    • CMM

      • Controls the system

      • Provides a single interface for management (SNMP/CLI)

    • NIs

      • Provide wire-rate L2 and L3 forwarding

      • Provide distributed processing for

        • Source Learning

        • Spanning Tree

        • “slow-path” L2 & L3 forwarding for exception frames that are not switched or routed in hardware (e.g. IGMP, ARP)


Distributed Processing Structure

  • Communication between elements

    • NI <-> CMM and CMM <-> CMM

      • Using a shared bus (BBUS)

    • NI <-> NI

      • Using the Switching Fabric for high performance transfer (those “packets” are internally called IPC)


Performance

  • OmniSwitch 7000 Family

    • OS-7700

      • Raw Switching Capacity:64 Gbps

      • Effective Switching Capacity:50 Gbps

      • Effective Throughput:30 Mpps

    • OS-7800

      • Raw Switching Capacity:128 Gbps

      • Effective Switching Capacity:100 Gbps

      • Effective Throughput: 60 Mpps

  • OmniSwitch 8800

    • Raw Switching Capacity:512 Gbps

    • Effective Switching Capacity:400 Gbps

    • Effective Throughput:240 Mpps


Performance

  • Where the numbers come from… (OS-7800)

    • Fabric Capacity: 128 Gbps

      • From the FBUS and SFM: 4.0 Gbps x 2 (full duplex) x 16 Coronado ASICs = 128 Gbps

    • Effective Switching Capacity: 100 Gbps

      • Best case, using 1518-byte packets on the GNI-U12: 3.2 Gbps per Coronado, i.e. 3.2 x 2 x 16 = 102.4 Gbps (large packets optimize switching by reducing the per-packet overhead)

    • Effective Throughput: 60 Mpps

      • Best case, using 64-byte packets on the GNI-U12: 2.5 Gbps per Coronado (using large packets doesn't help here)
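The slide's three OS-7800 figures can be recomputed from the per-Coronado rates it quotes. The following is an added example, not code from the presentation or from Alcatel: the 20-byte preamble/SFD plus inter-frame gap used to turn bits into frames is this example's assumption (the slide does not say how its Mpps figure was derived), and the reading that reproduces the numbers is that the Gbps figures count both directions while the Mpps figure counts one.

```python
# Added example (not from the presentation): reproduces the OS-7800 capacity
# figures on the slide from the per-Coronado rates it quotes. The 20-byte
# preamble/SFD + inter-frame gap used to convert bits to frames is an assumption
# of this example; the slide does not state how its Mpps figure was derived.

ETHERNET_OVERHEAD_BYTES = 20   # 8 B preamble/SFD + 12 B inter-frame gap (assumed)
OS7800_CORONADOS = 16          # "# of Coronado" on the slide


def frames_per_second(gbps: float, frame_bytes: int) -> float:
    """Maximum frame rate of a link carrying `gbps` with frames of `frame_bytes` bytes."""
    bits_per_frame = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return gbps * 1e9 / bits_per_frame


def fabric_capacity_gbps(per_coronado_gbps: float, coronados: int = OS7800_CORONADOS) -> float:
    """Chassis capacity: per-ASIC rate x 2 (full duplex) x number of Coronado ASICs."""
    return per_coronado_gbps * 2 * coronados


def chassis_mpps(per_coronado_gbps: float, frame_bytes: int, coronados: int = OS7800_CORONADOS) -> float:
    """Chassis-wide frame rate in Mpps when every Coronado sustains `per_coronado_gbps`."""
    return coronados * frames_per_second(per_coronado_gbps, frame_bytes) / 1e6


def os7800_figures() -> dict:
    """The three OS-7800 numbers from the slide, recomputed from its per-Coronado inputs."""
    return {
        "raw_gbps": fabric_capacity_gbps(4.0),                  # 4.0 x 2 x 16 = 128
        "effective_gbps_1518B": fabric_capacity_gbps(3.2),      # 3.2 x 2 x 16 = 102.4, quoted as 100
        "effective_mpps_64B": chassis_mpps(2.5, 64),            # 16 x 2.5e9 / 672 bits = 59.5, quoted as 60
        "gig_port_mpps_64B": frames_per_second(1.0, 64) / 1e6,  # 1.488 Mpps: wire rate of one Gigabit port
    }


if __name__ == "__main__":
    for name, value in os7800_figures().items():
        print(f"{name}: {value:.1f}")
```

The last entry is the number to keep in mind when sizing a CPU-bound (slow-path) feature: a single Gigabit port can deliver about 1.49 million 64-byte frames per second, far more than any software path on the CMM or NI can absorb.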


Performance

  • Performance is …

    • Independent of the traffic type

      • Layer 2 (OS-7800: 100 Gbps & 60 Mpps)

      • Layer 3 (OS-7800: 100 Gbps & 60 Mpps)

    • Dependent on packet size

      • Because of the per-packet overhead

      • This only affects the switching-capacity result, not the throughput

Chart (only the data labels survived extraction): throughput values of 60 Mpps, 19 Mpps, 6 Mpps and 5 Mpps; the packet-size axis labels are not recoverable


Performance

  • Layer 2 & Layer 3

    • Forwarding

      • Table: 128,000 entries

        • 32k L2-SA

        • 32k L2-DA

        • 64k L3/L4

      • Rate on Gigabit, 10/100 and 100 ports: wire-rate on GA hardware!

    • Broadcast:

      • Wire-rate, throughput limited by SW (user defined)

    • Multicast:

      • Wire-rate for known multicast flows, bandwidth limited by SW

      • Processed in SW when the flow is unknown or on an 802.1Q link


Performance

  • Routing protocols & Layer 3 features (5.1.1R03)

    • RIP

      • 70 interfaces

      • 10,000 routes

    • OSPF

      • 10 areas

      • 70 interfaces

      • 70 adjacent routers

      • 30,000 routes

    • BGP

      • 20 peers

      • 20 interfaces

      • 20,000 routes

    • VRRP

      • 256 VRRP routers, MAC addresses 00:00:5E:00:01:xx (xx = 00..FF)


Various Numbers

  • Bridging

    • 1024 VLANs

  • Routing

    • 256 IP interfaces in normal mode (1 MAC for all IP)

    • 32+32 IP interfaces in XOS mode (1 MAC per IP)

    • 1 IP interface per VLAN

  • QoS

    • 2048 Queues per NI

    • 64 Priority Descriptors per NI

    • 1 DSCP mapping table per NI

    • Ingress Flood Queue (per NI): 5 Mbps

      • Set by SW and user configurable

    • Ingress Multicast Queues: 10 Mbps

      • Set by SW and user configurable

      • Total multicast throughput of one Coronado is 610 Mbps


Various Numbers

  • Server Load Balancing

    • Dimensioning

      • Up to 75 Clusters (1 Virtual IP per Cluster)

      • Up to 75 servers per Cluster

      • 1 server can belong to multiple clusters

      • as long as the total number of servers over all clusters does not exceed 75

    • Servers can be distributed over several NIs

  • Link Aggregation

    • Maximum of 32 aggregations per chassis

      • applies for both OmniChannel AND 802.3ad

    • Maximum of 16 ports per aggregation

    • One port can only belong to one link aggregation


The AOS v5.1: Availability


Element Resiliency

  • Redundant & Hot swappable

    • Modules (NI, CMM & SFM)

    • Power Supply Unit

    • Fans

  • Minimized CMM/Fabric boot and switch over time

    • Cold & Warm Boot time is around 90 seconds

    • Switch over time is around 10 seconds AND transparent to users (Smart Continuous Switching)

  • Power Monitoring

    • Checks the power requirement of a newly inserted board before powering it

  • Thermal shutdown

    • As soon as the temperature exceeds Tmax


Thermal Protection

  • Automatic shutdown

    • 2 thresholds

      • TMax - Triggers shutdown (80 ºC - 176 ºF)

      • TNormal- Sends administrative alerts (default 60 ºC - 140 ºF)


Element Resiliency

  • Flash Memory – 32 MB per CMM

    • BootROM,

      • Checks and selects the MiniBoot (default or backup)

      • BootROM is in a write-protected area of the flash

    • MiniBoot

      • Starts the OS and loads services from the OS archive file (fos.img)

      • 2 versions are present in the flash: the default and the backup

      • The backup MiniBoot is in a write-protected area of the flash

    • File System

      • Provides storage for system and configuration files

      • 2 versions are present in the flash: the working and the certified


Element Resiliency

  • Configuration rollback

    • Based on the working and certified File System

    • Applies to system files and configuration file

      • The certified version (SW + conf) is kept as a backup whenever a change is made (modification, upgrade, …)

  • Downloadable bootstrap

    • MiniBoot can be loaded using FTP or ZMODEM

  • Dynamically loaded features

    • Only the required services are loaded

    • Applies to Advanced Routing and Advanced Security

  • Unique MAC address for each chassis

    • Stored in 2 EEPROMs on either the midplane (OS-8800) or the backplane (OS-7000)


Boot Sequence / Image Rollback

Diagram (Flash/ROM on the left, RAM on the right): BootROM -> MiniBoot (copied into RAM) -> boot.params in the root directory -> kernel.lnk from the OS package in the /working or /certified directory (selected via boot.params) -> production kernel in RAM

  • Bootstrap Basic Operation

    • Initializes Hardware

    • Performs memory diagnostics

    • Selects the right MiniBoot

  • Copy & execute MiniBoot

  • MiniBoot Basic Operation

    • Initializes basic kernel

  • Selection of image

    • Based on boot.params

  • Copy & load the OS

    • The image contains its own copy of the kernel specific to the SW version


Network Resiliency – L2

  • Distributed L2 services

    • Continuous L2 services during fail over

  • Spanning Tree Protocol

    • Spanning Tree Protocol (802.1d w/o GARP)

    • Multiple Spanning Tree Protocol (proprietary, no standard)

    • Rapid Spanning Tree Protocol (802.1w)

  • Link Aggregation

    • Static (OmniChannel) or Dynamic (802.3ad/LACP)

    • Load balancing based on L2 SA/DA (in bridging) or L3 SA/DA (in routing)


Distributed L2

  • Source Learning

    • Independent from the presence of the CMM

      • CMM handles static entries

      • CMM maintains a global DB of all learnt MACs, for management only

    • Occurs whenever an L2 lookup misses

      • Miss on L2-SA: the SA/DA are sent to ALL Coronados + CMM

        • All Coronados perform an SA/DA lookup

        • Any other Coronado with the MAC-SA in its SA table assumes a move

        • The Coronado with the MAC-DA in its SA table updates its DA table with the SA

      • Miss on L2-DA: the SA/DA are sent to ALL Coronados + CMM

        • All Coronados perform an SA/DA lookup

        • The Coronado with the MAC-DA in its SA table answers the request

        • The requester updates its DA table

        • The answerer checks whether the MAC-SA is in its DA table, and adds it if not


Distributed L2

  • Source Learning

    • Each NI is independent

      • Independent L2 (SA/DA) Forwarding Data Base (FDB)

      • PseudoCAM populated on demand

    • Aging time: defaults to 300 seconds for L2 entries (SA)

      • Fast aging based on pCAM utilization

        • 85% full => aging time divided by 2: age out in 150 s

        • 95% full => aging time divided by 3: age out in 100 s

        • 99% full => aging time divided by 10: age out in 30 s

        • 100% full => no learning; the packet is processed in the slow path

    • When an NI is removed, its associated pCAM-DA entries are freed

    • During fail-over

      • Flushing may occur after the fail-over if the 'certify' flag is cleared
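The utilization-driven aging above is what stands between a MAC-flooding host and the slow path: once the pCAM is 100% full no new source is learnt and every unknown-SA frame is handed to software. The model below is an added example, not code from the presentation or from Alcatel: it implements the slide's thresholds (300 s default, divided by 2, 3 and 10 at 85%, 95% and 99%) for a single NI table of configurable size and drives it with a constructed flood of locally administered MACs. The one-table-per-NI simplification and the flood traffic are this example's assumptions.

```python
from dataclasses import dataclass, field

# Added example (not from the presentation): a model of one NI's L2 source-learning
# table with the utilisation-driven "fast aging" thresholds from the slide, driven by
# a constructed MAC flood. The 300 s default and the thresholds come from the slide;
# the simplified one-table-per-NI model and the flood itself are assumptions.

DEFAULT_AGING_S = 300
FAST_AGING_STEPS = ((0.99, 10), (0.95, 3), (0.85, 2))   # (pCAM utilisation, divisor), slide values


def effective_aging_s(utilisation: float, default_s: int = DEFAULT_AGING_S) -> int:
    """Aging time in force at a given pCAM utilisation: 300 s, then 150 s / 100 s / 30 s."""
    for threshold, divisor in FAST_AGING_STEPS:
        if utilisation >= threshold:
            return default_s // divisor
    return default_s


@dataclass
class NiFdb:
    capacity: int                                  # number of pCAM SA entries on this NI
    entries: dict = field(default_factory=dict)    # MAC -> last time it was seen
    slow_path_frames: int = 0                      # frames that could not be learnt in hardware

    def utilisation(self) -> float:
        return len(self.entries) / self.capacity

    def learn(self, mac: str, now: float) -> bool:
        """Learn or refresh an SA. Returns False when the table is full: at 100% there is
        no learning and the frame goes to the slow path instead."""
        if mac in self.entries:
            self.entries[mac] = now
            return True
        if len(self.entries) >= self.capacity:
            self.slow_path_frames += 1
            return False
        self.entries[mac] = now
        return True

    def age(self, now: float) -> int:
        """Remove entries older than the aging time that applies at the current utilisation."""
        limit = effective_aging_s(self.utilisation())
        stale = [mac for mac, seen in self.entries.items() if now - seen > limit]
        for mac in stale:
            del self.entries[mac]
        return len(stale)


def mac_flood(fdb: NiFdb, count: int, now: float) -> int:
    """Constructed attack traffic: `count` frames, each with a fresh locally administered source MAC."""
    learnt = 0
    for i in range(count):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        learnt += fdb.learn(mac, now)
    return learnt


def flood_scenario(capacity: int = 1000, frames: int = 1200) -> dict:
    """Fill a small table past capacity, then show fast aging clearing it 30 s later."""
    fdb = NiFdb(capacity)
    learnt = mac_flood(fdb, frames, now=0.0)
    aging_at_full = effective_aging_s(fdb.utilisation())
    aged_out = fdb.age(now=aging_at_full + 1)      # one second past the shortened aging time
    return {
        "learnt": learnt,
        "slow_path": fdb.slow_path_frames,
        "aging_s_at_full": aging_at_full,
        "aged_out": aged_out,
        "entries_after": len(fdb.entries),
    }


if __name__ == "__main__":
    print(flood_scenario())
```

Fast aging recovers the table within 30 s, but it does not stop the flood: while the table is full, legitimate stations whose entries were aged out are also unknown and their frames are flooded or pushed to software. The per-port answer the deck itself lists on the SW roadmap is Learned Port Security, which caps how many sources a port may learn.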


Distributed L2

  • Distributed Spanning Tree

    • Principle

      • Continuous STP in case of CMM failure/take-over

      • No CMM CPU overload (load is spread across the NI)

    • Implementation

      • STP Manager on the CMM

        • Manages the configuration and transmits it to the STP Agent

        • Answers all user queries

      • STP Agent on the NI

        • Manages the dynamic events and runs the algorithm

        • Dynamic events can be either STP events or internal DSTP events

        • An STP event generates DSTP events towards the other NIs/CMM

    • During Fail-over

      • Only the STP manager is unavailable

      • STP Agents maintain the Spanning Tree Protocol on the switch


Network Resiliency – L3

  • Routing Protocol

    • RIP, OSPF, BGP

    • DVMRP, PIM-SM

  • VRRP (RFC-2338)

  • OSPF ECMP

  • Distributed architecture

    • Limited impact on L3 flows during CMM fail-over (L3 tables are flushed once the CMM takes over)


Distributed L3

  • ARP table & Layer 3 FDB are duplicated & synchronized

    • On each Coronado (SDRAM0)

    • On the CMM

    • PseudoCAM is still populated on demand on each Coronado

  • Unknown IP Destination Address

    • Processed by the SW (no ARP capability, though)

    • The L3 pCAM is updated for the next packets

  • During fail-over

    • The chassis informs the NIs: no more L3 (ARP and FDB) learning

    • Normal forwarding continues based on current knowledge

    • Secondary CMM

      • Retrieves the ARP table from one NI

      • Retrieves the L3 FDB from one NI and adds an 'old' tag to each entry

      • Adds/updates new entries with a 'new' tag

      • Flushes all 'old' entries after a timer expires


The AOS v5.1: Security


Element Security

  • Authenticated Switch Access

    • Provides (full) admin privileges

      • Applies for console, telnet, FTP, HTTP and SNMP

      • Based on either local base or remote RADIUS, LDAP or ACE

  • Secure Sockets Layer (SSL)

    • Secures communications to or from the switch

      • for WebView

      • for LDAP

    • Using SSLv2, SSLv3 and TLSv1, based on RSA's C code


Element Security

  • Partition Management

    • Provides a customized access based on accounts

      • Applies for CLI, FTP, HTTP & SNMP

      • Based on either local base or remote LDAP/RADIUS

    • Defines the following domains (each listed with its families)

      • admin: file, image, bootrom, telnet, reset, debug

      • system: system, xip, snmp, rmon, webmngt, config

      • physical: chassis, module, interface, pmm, flood, health

      • network: ip, rip, ospf, bgp, vrrp, iprm, ipx, ipmr, ipms

      • layer 2: vlan, bridge, stp, 802.1q, linkagg, bootp

      • services: ldap, dhcp

      • policy: qos, policy, slb

      • security: session, binding, avlan, aaa


Element Security

  • Denial of Service defense

    • Provides defense against common attacks

      • Ping of Death

      • Land attack

      • Smurf (by keeping directed broadcast disabled)

      • Pepsi (feature of VxWorks)

      • Bonk (feature of VxWorks)

      • Boink (feature of VxWorks)

  • SNMP v3

    • Backward compatible with v1 & v2

    • Provides

      • Authentication (MD5 or SHA)

      • Encryption (DES) of SNMP PDUs
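Three of the attacks on the slide have simple packet-level signatures. The following checks are an added example, not code from the presentation or from Alcatel, and they operate on a constructed minimal view of an IP packet (the `Packet` class and its field names are this example's own, not the switch's internal representation). The Smurf check is the detection counterpart of the slide's mitigation, which is simply to keep directed broadcasts disabled.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the presentation): checks for three of the attacks the slide
# names (Land, Ping of Death, Smurf) applied to a constructed minimal view of an IP
# packet. The Packet class and its fields are this example's own, not the switch's.


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "icmp", "tcp" or "udp"
    src_port: int = 0          # TCP/UDP only
    dst_port: int = 0
    icmp_type: int = 8         # 8 = echo request; only meaningful for the first ICMP fragment
    frag_offset: int = 0       # IP fragment offset, in 8-byte units as carried in the header
    ip_payload_len: int = 0    # bytes of payload carried by this fragment


def is_land(p: Packet) -> bool:
    """Land: source and destination address (and port, for TCP/UDP) are identical."""
    if p.src_ip != p.dst_ip:
        return False
    return p.proto not in ("tcp", "udp") or p.src_port == p.dst_port


def is_ping_of_death(p: Packet) -> bool:
    """Ping of Death: an ICMP fragment whose offset + length would exceed the 65535-byte IP maximum."""
    return p.proto == "icmp" and p.frag_offset * 8 + p.ip_payload_len > 65535


def is_smurf_trigger(p: Packet, local_subnet: str) -> bool:
    """Smurf: an ICMP echo request aimed at the directed-broadcast address of a local subnet."""
    net = ipaddress.ip_network(local_subnet, strict=False)
    return (p.proto == "icmp" and p.icmp_type == 8
            and ipaddress.ip_address(p.dst_ip) == net.broadcast_address)


def classify(p: Packet, local_subnet: str) -> list:
    """Names of the attack signatures a packet matches (empty for normal traffic)."""
    hits = []
    if is_land(p):
        hits.append("land")
    if is_ping_of_death(p):
        hits.append("ping-of-death")
    if is_smurf_trigger(p, local_subnet):
        hits.append("smurf")
    return hits


# Constructed sample traffic (documentation address ranges, not real hosts)
SAMPLES = {
    "land":  Packet("10.0.0.5", "10.0.0.5", "tcp", src_port=139, dst_port=139),
    "pod":   Packet("198.51.100.7", "10.0.0.9", "icmp", frag_offset=8189, ip_payload_len=1480),
    "smurf": Packet("10.0.0.9", "10.0.0.255", "icmp"),
    "ok":    Packet("10.0.0.9", "10.0.0.1", "icmp"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify(pkt, "10.0.0.0/24"))
```

The Ping of Death check is the one that must run per fragment rather than per reassembled datagram: the oversized total only becomes visible once the last fragment's offset and length are added together, which is why a reassembly buffer without this bound check was the original victim.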
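The "authentication (MD5 or SHA)" on the slide refers to the SNMPv3 user-based security model (RFC 3414), in which a user's password is first hashed into a key and then localized with the agent's snmpEngineID, so the same password yields a different key on every switch and a key recovered from one agent does not work on another. The code below is an added example, not code from the presentation or from Alcatel: it implements the RFC 3414 derivation and the 96-bit HMAC truncation, and the message it authenticates is a constructed stand-in for a real SNMPv3 PDU. MD5 authentication and DES privacy were the only options in this release; both are legacy today (SHA-2 authentication came with RFC 7860 and AES privacy with RFC 3826).

```python
import hashlib
import hmac

# Added example (not from the presentation): the RFC 3414 user-based security model
# key derivation behind the slide's "authentication (MD5 or SHA)". The engine ID and
# the password are the RFC 3414 appendix A test values; the message is constructed.

ENGINE_ID = bytes.fromhex("000000000000000000000002")   # snmpEngineID from RFC 3414 appendix A


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated out to 1 MiB), the RFC 3414 password-to-key step.
    The 1 MiB stretch is the only work factor the scheme has; there is no salt."""
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores and uses."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 96 bits
    (12 bytes) for both HMAC-MD5-96 and HMAC-SHA-96."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, received: bytes, algo: str) -> bool:
    """Constant-time comparison of the received 12-byte tag against the recomputed one."""
    return hmac.compare_digest(auth_params(kul, whole_msg, algo), received)


def derive(password: bytes, engine_id: bytes = ENGINE_ID, algo: str = "md5") -> dict:
    """Hex Ku and localized Kul for a password on one engine."""
    ku = password_to_key(password, algo)
    return {"ku": ku.hex(), "kul": localize_key(ku, engine_id, algo).hex()}


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, derive(b"maplesyrup", algo=algo))
```

The practical consequence for a switch fleet: localization protects other agents only if each agent has a distinct snmpEngineID. Cloned configurations that share an engine ID also share every localized key.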


Network Security

  • Authenticated VLANs

    • Applies to users connected on authenticated ports

    • Users must authenticate through AV-Client, TELNET or HTTP

    • Authentication is based on either local base or LDAP/RADIUS

    • The client MAC is then associated with the correct VLAN

  • ACL

    • ASIC-based packet filtering on L2/L3/L4

    • Policies are created from either the CLI or WebView

    • Each policy is global to the switch and has …

      • a precedence (0..65535): higher comes first

      • a reflexive flag, for the case where a flow is allowed but its return traffic would not be

      • an action: accept, drop or deny


Access Control List

  • ACL is the filtering part of policies

    • Policies apply to prioritization, bandwidth mngt, filtering, IP translation, server load balancing and IPMS filtering

  • ACL policies come from

    • WebView (SNMP) /CLI

  • ACL policies apply

    • For the whole chassis

    • At ingress only

    • On Layer 2 & Layer 3 / Layer 4


Access Control List

  • Description of an ACL policy

    • Parameters are

      • Policy name: <name>

      • Condition name: <name>

      • Action name: <name>

      • Precedence: 0-65535 (higher first)

      • Reflexive: Y/N

    • Condition

      • Layer 2

        • MAC-DA, src port, src VLAN, dest port, dest VLAN

      • Layer 3 / Layer 4

        • IP-DA, IP-SA, L4 protocol (UDP/TCP) , TCP/UDP dest Port, TCP/UDP src Port

    • Action

      • Accept, Drop or Deny


Access Control List

  • Side effects / Limitations of ACL

    • Selective flush of existing pCAM entries if needed

      • Learning (in the slow path) must be re-initiated

      • The impact is reduced by pushing all policies at once

    • Fragmented frames are processed in SW

    • Excessive consumption of pCAM entries can occur

      • Depending on the classification requests

    • At first, deny behaves like drop (no ICMP message is sent)
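The ACL slides above describe the evaluation model rather than showing it: policies are global, consulted in descending precedence, carry accept/drop/deny actions, and a reflexive flag lets an accepted flow's return traffic through even though no policy would match it. The code below is an added example, not code from the presentation or from Alcatel, that models those semantics in software: packets are plain dicts, the default disposition when nothing matches (accept) and the tie-breaking of equal precedences are this example's assumptions, and the switch's own ASIC policy engine is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the presentation): a software model of the ACL semantics on
# these slides: global policies ordered by precedence (higher first), accept/drop/deny,
# and the reflexive flag admitting a flow's return traffic. The default disposition
# (accept) and the packet dict layout are this example's assumptions.


@dataclass(frozen=True)
class Condition:
    """One ACL condition. None means 'any'. Fields follow the slide's L2/L3/L4 list."""
    src_vlan: Optional[int] = None
    dst_vlan: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    l4_proto: Optional[str] = None      # "tcp" or "udp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(want is None or pkt.get(key) == want for key, want in vars(self).items())


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Condition
    action: str              # "accept", "drop" or "deny"
    precedence: int = 0      # 0..65535, higher evaluated first
    reflexive: bool = False  # on accept, also admit the reverse flow

    def __post_init__(self):
        if not 0 <= self.precedence <= 65535:
            raise ValueError(f"{self.name}: precedence out of range")
        if self.action not in ("accept", "drop", "deny"):
            raise ValueError(f"{self.name}: unknown action")


def _flow(pkt: dict) -> tuple:
    return (pkt["src_ip"], pkt["dst_ip"], pkt.get("l4_proto"), pkt.get("src_port"), pkt.get("dst_port"))


def _reverse_flow(pkt: dict) -> tuple:
    return (pkt["dst_ip"], pkt["src_ip"], pkt.get("l4_proto"), pkt.get("dst_port"), pkt.get("src_port"))


class AclEngine:
    def __init__(self, policies, default_action: str = "accept"):
        # Global to the switch, consulted highest precedence first (ties keep configuration order).
        self.policies = sorted(policies, key=lambda p: p.precedence, reverse=True)
        self.default_action = default_action
        self.reflexive_flows = set()

    def decide(self, pkt: dict) -> tuple:
        """Returns (disposition, reason). Ingress only, like the switch's ACLs."""
        if _flow(pkt) in self.reflexive_flows:
            return "accept", "reflexive"
        for p in self.policies:
            if p.condition.matches(pkt):
                if p.action == "accept" and p.reflexive:
                    self.reflexive_flows.add(_reverse_flow(pkt))
                # "deny" is carried out like "drop": the packet is discarded and no ICMP is generated
                return ("drop" if p.action == "deny" else p.action), p.name
        return self.default_action, "default"


def dns_scenario() -> list:
    """Constructed traffic: a DNS query allowed reflexively, its reply, a stray UDP packet, and telnet."""
    engine = AclEngine([
        Policy("allow-dns", Condition(l4_proto="udp", dst_port=53), "accept", precedence=200, reflexive=True),
        Policy("drop-udp", Condition(l4_proto="udp"), "drop", precedence=50),
        Policy("deny-telnet", Condition(l4_proto="tcp", dst_port=23), "deny", precedence=100),
    ])
    query = {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.53", "l4_proto": "udp", "src_port": 3333, "dst_port": 53}
    reply = {"src_ip": "192.0.2.53", "dst_ip": "10.0.0.5", "l4_proto": "udp", "src_port": 53, "dst_port": 3333}
    stray = {"src_ip": "192.0.2.53", "dst_ip": "10.0.0.5", "l4_proto": "udp", "src_port": 53, "dst_port": 4444}
    telnet = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "l4_proto": "tcp", "src_port": 40000, "dst_port": 23}
    return [engine.decide(p) for p in (query, reply, stray, telnet)]


if __name__ == "__main__":
    print(dns_scenario())
```

The scenario shows why the reflexive flag matters on a device that filters at ingress only: the DNS reply arrives on a different port than the query left by, and without the recorded reverse flow the lower-precedence "drop-udp" policy would discard it. Note that a reflexive entry is keyed on the full 5-tuple, so the stray packet from the same server to a different client port is still dropped.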


Network Security

  • NAT / PAT

    • Hides private addresses from the public network

      • NAT: one-to-one

      • PAT: many-to-one (TCP/UDP only, no ICMP)

  • Binding VLAN

    • Based on 6 combinations

      • MAC + Port + IP

      • MAC + Port

      • MAC + IP

      • MAC + Port + Protocol

      • Port + Protocol

      • Port + IP


The AOS v5.1: Intelligence


Intelligence

  • Policy precedence rule

    • SLB -> NAT -> QOS & ACL (based on precedence)

  • L2/L3/L4 wirespeed classification & forwarding

    • Using same policies as ACL

      • L2-DA, Dest port, Dest VLAN, 802.1p

      • IP-DA, IP-SA, TOSp, DSCP

      • TCP/UDP dest. port, TCP/UDP src port

  • QoS enforcement, mapping & marking

    • Based on 802.1p, TOS precedence and DSCP

  • IP fragmentation (for jumbo frames up to 9K)

    • MTU information stored in the header cache entry


Intelligence

  • Server Load Balancing

    • Provides a Virtual IP for a cluster of servers

    • Distributes traffic to the servers based on IP-SA, in round-robin fashion

    • Provides health monitoring of the servers based on

      • Link state (port up or down)

      • ICMP (answering ping requests from the CMM)

  • Congestion avoidance

    • 802.3x

      • At ingress: whenever a port is consuming too many buffers in the Queue Manager, a pause frame is transmitted

      • At egress: whenever a pause frame is received, a coupon is sent to Nantucket to pause traffic transmission


The AOS v5.1: Manageability


Manageability

  • Group Mobility

    • Applies to mobile ports (no more Mobile Group)

    • Assigned by rules

      • Port, Network Address, Protocol, DHCP, MAC Address, Custom

      • Binding

  • Policy

    • QoS, ACL and SLB are all policy-based features

  • Directory services

    • Most services (Policies, A-VLAN, PM) can keep all their information in a remote location using LDAP/RADIUS/ACE

  • Unified management for Voice & Data


Group Mobility

  • VLAN Classification

    • Based on GM rules if the GM bit of the port is set

    • Default GId or 802.1Q-VId is used otherwise

    • pCAM lookup based on L2-SA, Protocol and SPPN

  • Default VLAN handling (renaming)

    • Default VLAN enable -> default_Group

      • Is the default VLAN supported when no GM rule matches?

    • Default VLAN permanent -> move_from_def

      • Is the default VLAN supported when a GM rule matches?

    • Default VLAN restore -> move_to_def

      • Is the default VLAN restored when the matching GM entry ages out?


Next Step - HW

  • New ASIC

    • Firenze replaces Catalina on new modules bringing

      • Oversubscription (Up to 6 Gig ports per ASIC)

      • WRED

  • New modules (based on new Firenze ASIC)

    • OS-7000

      • 12-port Gigabit Ethernet module using SFP (Mini-GBIC)

      • 24-port 10/100 Ethernet In-Line Power module (RJ-45)

    • OS-8800

      • 24-port 10/100/1000 Ethernet Copper module (RJ45)

      • 24-port Gigabit Ethernet module using SFP (Mini-GBIC)

  • New Hardware

    • DC PSU for OS-7000 (600 W – 48V)

    • DC PSU for OS-8800 (1375 W – 48V)


Next Step - SW

  • Version 5.1.x

    • NetBIOS Relay

    • Extended Local Proxy ARP

    • Policy Based Routing L3/L4

  • Version 5.2

    • IEEE 802.1v – VLAN Classif. by protocol and port

    • IEEE 802.1x

    • IEEE 802.1s

    • Secure Shell (SSH)

    • and more to come …


THANK YOU !!!

Any questions ???


HW Roadmap

  • HW Roadmap for OS-7000 / OS-8000 (timeline slide; quarter axis Q3'02, Q4'02, Q1'03, Q2'03; the quarter of each item is not recoverable from the transcript)

  • OS-7000 (5.1)

    • OS7700 & OS7800

    • OS7-GNI-U2

    • OS7-ENI-F12

    • OS7-ENI-C24

    • OS7-PS-0600AC

  • OS-7000 (5.1.4)

    • OS7-GNI-U12

    • OS7-GNI-C12

  • OS-7000 (5.1.5)

    • OS7-ENI-PD24

    • PowerShelf (900W AC, 900W DC)

    • OS7-PS-0600DC

  • OS-8000 (5.1.4)

    • OS8800

    • OS8-GNI-U8

    • OS8-GNI-C8

    • OS8-ENI-C24

    • OS8-PS-1375AC

    • OS8-PS-1375DC

  • OS-8000 (5.1.5)

    • OS8-GNI-U24

    • OS8-GNI-C24

  • OS-8000 (5.2)

    • OS8-NP-U4

    • OS8-10G-U1


SW Roadmap

  • SW Roadmap for OS-7000 / OS-8000 (timeline slide; quarter axis Q3'02, Q4'02, Q1'03, Q2'03)

  • AOS 5.1.1

    • First release of AOS

  • AOS 5.1.3

    • Policy Based Routing

    • NetBIOS (UDP) Relay

    • Multiple (per-VLAN) DHCP

    • Learned Port Security

    • Local Proxy ARP

    • SSH Basic

    • End User Partitioning

    • StoneBeat HA support

  • AOS 5.1.4

    • 802.1x

    • NTP

  • AOS 5.1.5

    • Multicast VLAN

  • AOS 5.2

    • MPLS

    • IPv6

    • SSH

    • Multinetting

