ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Apr 10th, 2009
User Badges:
  • Gold, 750 points or more

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about Cat6500 VSS integration with services modules including Firewall Services Module (FWSM) with Cisco expert Reza Saadat. Reza is a technical marketing engineer with campus switching systems technology group at Cisco with focus on services modules in general and firewall services module (FWSM) in particular. He has over 10 years of experience in the field of networking at Cisco and over 12 years of experience in software development prior to that. While at Cisco he has focused on optical platforms, catalyst switches and service modules (Layer4-Layer7 Services). His primary responsibilities include training and support of customers/partners/system engineers, delivering presentations at various events, providing design and deployment recommendations as well as creating technical solutions and guidelines. Reza also makes recommendations on product improvements and future enhancements as part of engineering planning and development cycle.


Remember to use the rating system to let Reza know if you have received an adequate response.


Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 24, 2009. Visit this forum often to view

rsaadat Mon, 04/13/2009 - 09:40
User Badges:

This question does not seem related to our topic (i.e. Virtual Switching Systems and service module integration) but let me try to answer it ...

A good starting point is to check the Cisco Storage Networking site: http://www.cisco.com/en/US/partner/products/hw/ps4159/index.html


For example “Getting Started”: http://cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ov.html


aamercado Fri, 04/10/2009 - 16:38
User Badges:
  • Bronze, 100 points or more

Here are my questions:


1. Assuming each c6k slot only allows 40Gig, you can only achieve line rate with the 6704 module. Otherwise, oversubscription of 2:1 for the 6708 and 4:1 on the 6716, right?


2. The VSS only supports a line rate of 40Gig between two 6500s, right? I mean we can put 80Gig VSS, but due to oversubscription of 2:1, is it still 40Gig?


3. If #2 is correct, you do not get a true 1440 on a 2 c6k x 720 as the bottleneck is on the 40Gig VSS line rate?


4. If all 3 questions above are correct, what is the advantage of having a VSS solution with LACP-VPC from access to VSS when I can go layer 3 Port-Channel to a 6500?


5. If I wanted to use VSS for core, is Cisco advocating a recommended design on a 2-tier core/dist and access layer with VSS design? Why is this the case, as don't you still want a separate distribution layer for redundancy and scalability?


6. On the LACP from Access (i.e. Nexus 5k) to a VSS core solution, what is the max bandwidth? 80gig or 40gig, given a 40Gig limit on the slot?


7. On a redundant VSS-720 Sup, can I use all 4x10Gig on both Sups as the VSS connection, or is it limited to 2x10Gig?

rsaadat Mon, 04/13/2009 - 09:33
User Badges:

Thanks for showing interest in VSS technology. These questions do not seem completely related to our topic (i.e. Virtual Switching Systems and service module integration) but let me try to answer them ...


1) Yes, the oversubscriptions are as follows:

6704 1:1 - 4 port 10GE (fibre)

6708 2:1 - 8 port 10GE (fibre)

6716 4:1 - 16 port 10GE (fibre)


2) Correct.

3) The VSS provides an aggregated bandwidth of 1440Gbps. In a VSS, the data plane and switch fabric of both supervisor engines are active at the same time in both chassis, thereby providing a combined system switching capacity of 1440Gbps.

4) VSS simply provides an additional option with significant overall deployment advantages. Some of the advantages are:

Single point of management.

Multi-chassis EtherChannel (MEC) creates simplified loop-free topologies, eliminating the dependency on Spanning Tree Protocol (STP).

Interchassis stateful failover results in no disruption to applications that rely on network state information.

VSS scales system bandwidth capacity to 1.4 Tbps.

5) The VSS option does not dismiss the multi-layer design; it simply provides an alternative with improved resiliency and a single point of manageability. Note that with the VSS option, the network will view both physical chassis as a single VSS chassis, hence the seamless single point of management and resiliency.

6) You can have up to 8 ports for EtherChannel (80Gbps) but the fabric connections are up to 40Gbps, and you'll get oversubscription if traffic is at line rate.

7) There is currently no support for a redundant SUP in VSS, and you can use up to 2 x 10G uplinks for the VSL connection.

asifali007 Sat, 04/11/2009 - 23:15
User Badges:

Dear Sir,


I have a very simple question: I want to know the difference between the Cisco switch part numbers. Can you give me any link where I can check the difference between part numbers like WS-C3750-48PS-E? This one is E, and some are with TTL, some are S. Therefore I want to know the difference between them. Can you help me with this?


Thanks & Regards

rsaadat Mon, 04/13/2009 - 10:03
User Badges:

Thanks for showing interest in Cisco switches. This question does not seem related to the topic, but let me redirect you to the Cisco site. Once you log in, you can use the many tools available to you in order to get your answers. http://www.cisco.com/

For example, Ordering -> Pricing tool:

Catalyst 3750 Series

Catalyst 3750 Series 10/100 Workgroup Switches

Product Number Product Description

WS-C3750-48PS-E Catalyst 3750 48 10/100 PoE + 4 SFP + IPS Image


mhashemi1358 Mon, 04/13/2009 - 01:23
User Badges:

Hello


I see some differences between the MEF site and the Cisco website. On the MEF website, 6500 series switches such as the 6509 with Sup720 are known as a Metro Ethernet series, but it is not defined as Metro Ethernet on the Cisco website, and just the Cisco 6524 is known as a Metro Ethernet series. Why are they not known as a Metro Ethernet series, and are 6500 series switches Metro Ethernet or not?

Thanks in advance for helping me.

please send me my answer to [email protected]

rsaadat Mon, 04/13/2009 - 15:09
User Badges:

This question does not seem related to the topic, but I'll try to answer it ...

Yes, the 6500 with SUP720 may also be used in Metro Ethernet deployments. The content of the web pages is planned for further updates to reflect information that is relevant to 6500 SP/MetroE deployments. However, usually the 7600 is used for Carrier Ethernet/SP deployments because it is the primary platform for these scenarios.


mhashemi1358 Mon, 04/13/2009 - 23:25
User Badges:

Dear Reza


Thanks a lot for replying to my question, and Eide shoma mobarak (happy Eid).


BR

M.Hashemi

fayyaz_s Mon, 04/13/2009 - 11:32
User Badges:

Dear,

I have a couple of questions related to VSS.


1) The CPU utilization is higher than on a normal 6500 on VSS, and especially if we do a show run or sh tech-support command the CPU utilization goes up to 90% for a while and comes back to normal. Also the show run command takes more time; even though I used parser config cache interface there is no improvement in CPU utilization or in the time taken by the show run command to build the config.


2) Upgrade of VSS with minimal downtime, especially if I have a lower version than 12.2.33SXI, since 12.2.33SXH4 does not support eFSU. Also, can you let me know exactly the service disturbance expected while following the eFSU or other procedure to upgrade 12.2.33SXH?

Also, do you have any document on how to upgrade to 12.2.33SXH4 from a lower version?

3) What is the difference between the 6509-E and 6509-V-E chassis?

4) What configuration options are available to configure multi-chassis port channel? I mean, is LACP supported or not?


Regards


Fayyaz

rsaadat Mon, 04/13/2009 - 14:51
User Badges:

1) You may want to contact Cisco TAC for resolving issues, but you should not see CPU over-utilization in VSS mode vs. non-VSS mode. Here are some guidelines:

- The CPU utilization in VSS and non-VSS mode should not differ significantly, as the net effect of the added (VSS) processes is minimal and is offset by the reduction in other processes (e.g. STP) compared to non-VSS mode.

- show run and show tech will always cause CPU spikes, and that is expected.

- If CPU utilization is sustained at 90% for an extended period of time, that is alarming, but a quick spike is acceptable.

- VSS mode does not increase CPU by itself. There could be other processes running in the background causing a CPU spike. Also, running in modular IOS (ION) causes more CPU utilization in general, but I am not sure if you are running ION.

2) The option here is mainly eFSU, where you'll get RPR fallback and lose 50% of the bandwidth. If the connections are dual-homed then the user may not notice the impact.

3) The main differences are that the 6509-V-E has a redundant fan tray and air filter, front-to-back air flow and vertical slots.

4) Yes, LACP is supported.

siljupillai Mon, 04/13/2009 - 11:54
User Badges:

Hi Reza,


Is MPLS supported on VSS? Are there any limitations if we run MPLS?


You mentioned the CPU utilization goes up to 90% when you give a show run command. Does it have any impact on the user traffic?


Regards,

Silju

siljupillai Mon, 04/13/2009 - 11:59
User Badges:

Hi Reza,


Just noticed that it was not you who mentioned the CPU utilization. Apologies for the mistake.


Hope it's not a normal behaviour of VSS.


Regards,

Silju
rsaadat Mon, 04/13/2009 - 14:58
User Badges:

No. As I posted earlier, there should not be significant CPU utilization difference in VSS mode vs. non-VSS mode while everything else is kept the same.

rsaadat Mon, 04/13/2009 - 14:56
User Badges:

MPLS is not currently supported with VSS. This is targeted for support in an upcoming release later this CY.

francisco_1 Tue, 04/14/2009 - 00:11
User Badges:
  • Gold, 750 points or more

Will the 6500s in VSS ever support virtual device contexts similar to Nexus VDCs?


Francisco.

francisco_1 Tue, 04/14/2009 - 00:23
User Badges:
  • Gold, 750 points or more

Also, there are a few limitations in the FWSM such as no VPN, limited ACLs and xlates. Will there be future improvements to the FWSM?

francisco_1 Tue, 04/14/2009 - 00:31
User Badges:
  • Gold, 750 points or more

What is the best practice to follow when deploying the FWSM with ACE: in routed mode or looped mode?


Francisco.

rsaadat Tue, 04/14/2009 - 08:29
User Badges:

New features and improvements are continuously being assessed and committed. For example, there were considerable improvements in the ACL limitation in 3.x vs. 2.x, and there are even more significant improvements in 4.x vs. 3.x. In 4.x, the ACL memory utilization is improved by over 30% in addition to other improvements. See http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm40/release/notes/fwsmrn40.html#wp168772

francisco_1 Wed, 04/15/2009 - 02:52
User Badges:
  • Gold, 750 points or more

ABDOLREZA,


My understanding is that, with all the new improvements, Cisco has announced that they will not be continuing with the Service Module range in future! Is that true?

rsaadat Wed, 04/15/2009 - 13:50
User Badges:

No, Cisco has NOT even announced EOS on the firewall service module, and is continuing to investigate further enhancements on service modules as well to this date.

rsaadat Tue, 04/14/2009 - 08:27
User Badges:

VDC support is not currently committed for 6500.

gnijs Tue, 04/14/2009 - 12:41
User Badges:
  • Bronze, 100 points or more

Dear,

I have a question related to VSS:


1) I feel the most vulnerable part of VSS is the single control plane. Even with dual chassis, dual bandwidth, dual MEC uplinks to dual core switches, a single CPU spike (long or short) can interrupt control plane packets like OSPF or LACP, resulting in complete loss of all OSPF neighbors or loss of LACP EtherChannel bundling (especially with fast LACP). For example, just entering the "test crash" command generates a 1-5 second CPU peak, enough to lose ALL OSPF neighbors on the uplinks when using sub-second OSPF timers. Has Cisco implemented special precautions or specific VSS features to protect VSS more than a single standalone C6500 chassis from 100% CPU utilization?


2) Is CoPP supported on VSS?

rsaadat Tue, 04/14/2009 - 17:34
User Badges:

1) The VSS unified control plane is not an issue. VSS control packets are given top priority and hence you should be protected. In modular IOS, starting with 12.2(33)SXI, we run VSLP (Virtual Switch Link Protocol) as a separate thread which has high priority. Having said that, you should consider the amount of fast hello configuration, as you would in a non-VSS scenario, which consequently would load the CPU. The best way is for you to configure the necessary features and see how the CPU load is behaving. But we do protect the control packet handling.


By the way, regarding "test crash", this is not a realistic command to test VSS behavior or to use in a production network. It is an unsupported command used in development testing. After all, the command is meant to simulate a box crashing, and so seeing OSPF neighbors going down is not unexpected.


2) Yes, it is supported.


c.captari Tue, 04/14/2009 - 22:05
User Badges:
  • Bronze, 100 points or more

I was looking into many design recommendations from Cisco, and in most of them the FWSM is used in transparent mode.


As I have only used routed mode before, this is quite new to me and I have some questions:


1. The proposed solution by Cisco is to have one VLAN, say VLAN 6, which basically extends between the FWSM and the access layer (that's the inside VLAN), and a second VLAN, e.g. 106 (the outside VLAN), which extends from the FWSM to the MSFC on the 6500.

This pair is part of a single security context in the FWSM.


To my understanding, for each and every VLAN pair I have to have a separate context?


This solution does seem quite inflexible to me. If I have a license for only 20 security contexts, will it mean that I can only use 20 VLANs in the FWSM? Is there any other recommended, more flexible solution? The FWSM seems to have a license for 250 security contexts, so that might solve the issue, but what if I have an external services layer with a Cisco ASA? To my understanding this only has a maximum of 50 security contexts. How do you work around that in a large network with more than 50 VLANs in the access layer?



2. Can you explain how transparent mode works? The inside and outside VLANs are just bridged together? Is this the principle, or is there more to it?



francisco_1 Wed, 04/15/2009 - 03:27
User Badges:
  • Gold, 750 points or more

ABDOLREZA,


My understanding is that, with all the new improvements on the FWSM, Cisco has announced that they will not be continuing with the Service Module range in future! Is that true?

rsaadat Wed, 04/15/2009 - 13:49
User Badges:

No, Cisco has NOT even announced EOS on the firewall service module, and is continuing to investigate further enhancements on service modules as well to this date.

francisco_1 Mon, 04/20/2009 - 01:18
User Badges:
  • Gold, 750 points or more

ok. thanks.


I have rated your comment..


Francisco

rsaadat Wed, 04/15/2009 - 13:43
User Badges:

1) The transparent firewall (aka L2 firewall or stealth firewall) can basically do everything that a routed firewall does (except routing features) in transparent mode. Namely, it will bridge between the two VLANs and apply your security policies on top of that. Starting with FWSM 3.x, you can have up to 8 pairs of interfaces per L2 context. For example, if you have 20 contexts then you may potentially have up to 160 pairs of VLANs across those 20 L2 firewalls.


2) Yes, basically that is what it does. It will bridge between the VLANs and apply the firewall policies. As you may have already noticed from Cisco design recommendations, this type of design is very prevalent in data centers, where you can for example drop the firewall in between tiers of servers (within the same subnet) without making modifications in that subnet, hence the term stealth (L2) firewall.
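A toy model of the transparent-mode behaviour described in this answer (bridge an inside/outside VLAN pair, apply policy on top, at most 8 pairs per L2 context), as an added Python example that is not part of this thread or of any Cisco code; the VLAN numbers, addresses and ACL are constructed.

```python
"""Toy model of an FWSM transparent (L2) firewall context.

Constructed illustration, not FWSM code: each bridge group joins one
inside/outside VLAN pair, frames are bridged between the pair's VLANs, and
an ACL is applied on top. The 8-pairs-per-context limit is the FWSM 3.x
figure quoted in the thread; VLAN numbers and addresses are made up.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

MAX_PAIRS_PER_CONTEXT = 8  # FWSM 3.x limit stated in the answer above


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


@dataclass
class TransparentContext:
    name: str
    pairs: Dict[int, Tuple[int, int]] = field(default_factory=dict)  # bridge group -> (inside, outside)
    acl: List[Rule] = field(default_factory=list)                    # applied to bridged traffic

    def add_pair(self, bridge_group: int, inside_vlan: int, outside_vlan: int) -> None:
        """Attach a VLAN pair to a bridge group, enforcing the per-context pair
        limit and that a VLAN belongs to at most one bridge group."""
        if len(self.pairs) >= MAX_PAIRS_PER_CONTEXT:
            raise ValueError(f"{self.name}: at most {MAX_PAIRS_PER_CONTEXT} pairs per context")
        in_use = {v for pair in self.pairs.values() for v in pair}
        if inside_vlan == outside_vlan or inside_vlan in in_use or outside_vlan in in_use:
            raise ValueError(f"{self.name}: VLAN already bridged in this context")
        self.pairs[bridge_group] = (inside_vlan, outside_vlan)

    def egress_vlan(self, ingress_vlan: int) -> Optional[int]:
        """The other VLAN of the pair containing ingress_vlan, or None if unattached."""
        for inside, outside in self.pairs.values():
            if ingress_vlan == inside:
                return outside
            if ingress_vlan == outside:
                return inside
        return None

    def forward(self, ingress_vlan: int, src: str, dst: str, dport: int) -> Optional[int]:
        """Return the VLAN the frame is bridged onto, or None if it is dropped.
        The first matching ACL rule decides; no match means implicit deny."""
        egress = self.egress_vlan(ingress_vlan)
        if egress is None:
            return None  # VLAN is not part of any pair in this context
        s, d = IPv4Address(src), IPv4Address(dst)
        for rule in self.acl:
            if s in rule.src and d in rule.dst and rule.dport in (None, dport):
                return egress if rule.action == "permit" else None
        return None  # implicit deny at the end of the ACL


def demo() -> TransparentContext:
    """The design from the question: VLAN 6 inside, VLAN 106 outside, one context."""
    ctx = TransparentContext("ctx-web")
    ctx.add_pair(1, inside_vlan=6, outside_vlan=106)
    ctx.acl = [Rule("permit", IPv4Network("0.0.0.0/0"), IPv4Network("10.6.0.0/24"), 443),
               Rule("deny", IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"))]
    return ctx
```

A real FWSM applies access lists per interface; the model keeps only the pair bridging, the policy on top and the per-context pair limit.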

c.captari Wed, 04/15/2009 - 21:48
User Badges:
  • Bronze, 100 points or more

Thank you for your answer.

Can you point out any Cisco documentation that would show me how to configure multiple pairs per context? All the Cisco documentation that I found shows how to do that with only one pair per context.


Is this the bridge-group option?

Do I have the same flexibility of 8 pairs per context on a Cisco ASA, or is this only for the FWSM?

gnijs Thu, 04/16/2009 - 00:55
User Badges:
  • Bronze, 100 points or more

Are there any plans at Cisco to improve VSS upgrade time in cases where you can't use ISSU (for example, probably during major release upgrades)? In the current RPR mode, the "cold" standby switch must initiate its linecards during takeover. This can take anywhere between 1 and 10 minutes, depending on the number of LCs installed.

anil.gupta3 Thu, 04/16/2009 - 02:55
User Badges:

Hi,


How can I differentiate stacking and VSS technology other than by switch model?

rsaadat Thu, 04/16/2009 - 15:06
User Badges:

VSS technology can be distinguished by having larger backplane speeds, greater 10G density and greater horsepower in general.

rsaadat Thu, 04/16/2009 - 15:02
User Badges:

The improvements mainly revolve around ISSU and refraining from rebooting linecards. As for RPR, those limitations will most likely remain.

anil.gupta3 Thu, 04/16/2009 - 02:58
User Badges:

Hi,


How can I differentiate stacking and VSS technology other than by switch model?



francisco_1 Mon, 04/20/2009 - 01:17
User Badges:
  • Gold, 750 points or more

ABDOLREZA,


I have 2 sites connected via a couple of layer 2/layer 3 switches, and spanning tree is introduced on all links. The sites are connected via 2 pairs of dark fibers. One of the dark fiber links is blocked by spanning-tree. What I would like to introduce is a loop-free (no STP) infrastructure so I can utilize all links. Also I have a couple of VLANs I am routing between sites. Inter-VLAN routing is enabled for all VLANs, but I would like to isolate a few of the VLANs. I don't want any traffic routed between those VLANs, so I am planning to use VRFs to completely isolate the VLAN traffic. My plan is to use in total 4 6509s in VSS 1440 with VRFs (2 6500s in each site) interconnected via DWDMs. Do you think VSS will work for me?



Francisco

rsaadat Tue, 04/21/2009 - 11:22
User Badges:

Hi Francisco,

For such point-to-point connectivity, DWDM and MEC between sites should be fine.

markschnabel Mon, 04/20/2009 - 11:43
User Badges:

We are currently getting ready to deploy a new VSS. I see that SXI1 is out. Can anyone share any recommendations for which IOS to use in a data center deployment?

Thanks in advance.

rsaadat Mon, 04/20/2009 - 15:46
User Badges:

Hi Mark:

Just as a reference, 12.2(33)SXI1 provided VSS support on IP Base images and it has been out since end of March, 2009. 12.2(33)SXI has been out since 4QCY2008.


mmacdonald70 Mon, 04/20/2009 - 15:57
User Badges:

We are planning to test out VSS for our network. Most of our network uses routed links to the access layer using equal-cost multipath. We will be using MEC to connect the access layer switches to the VSS, but I would like to know if Cisco recommends using L3 EtherChannel or VLAN interfaces for this.



rsaadat Tue, 04/21/2009 - 11:25
User Badges:

L3 MEC is recommended because during convergence, the number of routes will not change the convergence time. In L3 ECMP, the number of routes is what determines the amount of convergence time.

mmacdonald70 Tue, 04/21/2009 - 14:32
User Badges:

Thanks. What I actually meant was: do you recommend using L3 MEC (i.e. put an IP address on the MEC interface) or VLAN interfaces (i.e. put the MEC interface into a VLAN and assign an IP address to the VLAN interface)?

rsaadat Wed, 04/22/2009 - 07:55
User Badges:

No preference of one over the other. Both create a logical L3 routing interface and are a single routing instance, so from a routing protocol perspective it should not make much of an impact either way.

dgj1 Tue, 04/21/2009 - 13:58
User Badges:

Hi Reza,


We are converting from a collapsed core/distribution to a 3-Tier Architecture and we have just purchased two 6509 VSS switches for our distribution layer. My question is: From a best practice point of view where should my VLAN interfaces be defined; on the Cores or on the VSS Distribution switches? Should the connections from the VSS Distribution switches to the Core be Layer 2 or Layer 3?


Thank you

rsaadat Wed, 04/22/2009 - 07:56
User Badges:

Hi,

It would be deployment dependent. For a data center deployment, it may make sense to keep the VSS distribution strictly L2 and have L3 on the core, but generally distribution to core can be L3.


Thanks.

vijendrapds Tue, 04/21/2009 - 22:00
User Badges:

Hi,


I wish to know the definitive difference between VS-C6509E-S720-10G and VS-C6509VE-S72010G, as I'm designing the VSS for 265 ports on a 6509-E.


Tks & rgds,


Vijayeendra

rsaadat Wed, 04/22/2009 - 07:58
User Badges:

Hi Vijayeendra,

I believe we covered this earlier. The main differences are that the 6509-VE has a redundant fan tray and air filter, and front-to-back air flow with vertical slots.


Regards.
