Cisco Support Community

ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about Cat6500 VSS integration with services modules, including the Firewall Services Module (FWSM), with Cisco expert Reza Saadat. Reza is a technical marketing engineer with the campus switching systems technology group at Cisco, with a focus on services modules in general and the firewall services module (FWSM) in particular. He has over 10 years of experience in the field of networking at Cisco and over 12 years of experience in software development prior to that. While at Cisco he has focused on optical platforms, Catalyst switches and service modules (Layer4-Layer7 Services). His primary responsibilities include training and support of customers/partners/system engineers, delivering presentations at various events, providing design and deployment recommendations as well as creating technical solutions and guidelines. Reza also makes recommendations on product improvements and future enhancements as part of the engineering planning and development cycle.

Remember to use the rating system to let Reza know if you have received an adequate response.

Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 24, 2009. Visit this forum often to view

50 REPLIES
New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Hi

I'm in desperate need to learn how to configure an MDS 9000 switch. If you can provide a doc that I can read, or some simple instructions after you log in, I would appreciate it very much.

I don't see any doc that can help me.

Please respond to my E-mail if possible.

jorge11b@yahoo.com

Jorge

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

This question does not seem related to our topic (i.e. “Virtual Switching Systems and service module integration”) but let me try to answer it ...

A good starting point is to check the Cisco Storage Networking site: http://www.cisco.com/en/US/partner/products/hw/ps4159/index.html

For example “Getting Started”: http://cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ov.html

Bronze

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Here are my questions:

1. Assuming each c6k slot only allows 40Gig, you can only achieve line rate with the 6704 module. Otherwise, oversubscription is 2:1 for the 6708 and 4:1 on the 6716, right?

2. The VSS only supports line rate of 40Gig between two 6500s, right? I mean we can put 80Gig VSS, but due to oversubscription of 2:1, is it still 40Gig?

3. If #2 is correct, you do not get true 1440 on a 2c6k x 720 as the bottleneck is on the 40Gig VSS line rate?

4. If all 3 questions above are correct, what is the advantage of having a VSS solution with LACP-VPC from access to VSS when I can go layer 3 Port-Channel to a 6500?

5. If I wanted to use VSS for core, is Cisco advocating a recommended design on a 2-tier core/dist and access layer with VSS design? Why is this the case, as don't you still want a separate distribution layer for redundancy and scalability?

6. On the LACP from Access (i.e. Nexus5k) to a VSS core solution, what is the max bw? 80gig or 40gig, given a 40Gig limit on the slot?

7. On a redundant VSS-720 Sup, can I use all 4X10Gig on both Sups as the VSS connection or is it limited to 2x10Gig?

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Thanks for showing interest in VSS technology. These questions do not seem completely related to our topic (i.e. “Virtual Switching Systems and service module integration”) but let me try to answer them ...

1) Yes, the oversubscriptions are as follows:

6704 1:1 - 4 port 10GE (fibre)

6708 2:1 - 8 port 10GE (fibre)

6716 4:1 - 16 port 10GE (fibre)

2) Correct.

3) The VSS provides an aggregated bandwidth of 1440Gbps. In a VSS, the data plane and switch fabric of both supervisor engines are active at the same time in both chassis, thereby providing a combined system switching capacity of 1440Gbps.

4) VSS simply provides an additional option with significant overall deployment advantages. Some of the advantages are:

Single point of management.

Multi-chassis EtherChannel (MEC) creates simplified loop-free topologies, eliminating the dependency on Spanning Tree Protocol (STP).

Interchassis stateful failover results in no disruption to applications that rely on network state information.

VSS scales system bandwidth capacity to 1.4 Tbps.

5) The VSS option does not dismiss the multi-layer design; it simply provides an alternative with improved resiliency and a single point of manageability. Note that with the VSS option, the network will view both physical chassis as a single VSS chassis and hence the seamless single point of management and resiliency.

6) You can have up to 8 ports for EtherChannel (80Gbps) but the fabric connections are up to 40Gbps and you'll get oversubscription if traffic is at line rate.

7) There is currently no support for redundant SUP in VSS and you can use up to 2 x 10G uplinks for the VSL connection.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Dear Sir,

I have a very simple question, which is that I want to know the difference between the Cisco Switches Part Numbers. Can you give me any link from where I can check the difference between part numbers like WS-C3750-48PS-E? This one is E and some or with TTL some are S. Therefore I want to know the difference between them. Can you help me with this?

Thanks & Regards

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Thanks for showing interest in Cisco Switches. This question does not seem related to the topic but let me redirect you to the Cisco site. Once you log in, you can use many tools available to you in order to get your answers. http://www.cisco.com/

For example, Ordering -> Pricing tool:

Catalyst 3750 Series

Catalyst 3750 Series 10/100 Workgroup Switches

Product Number Product Description

WS-C3750-48PS-E Catalyst 3750 48 10/100 PoE + 4 SFP + IPS Image

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Hello

I see some difference between the MEF site and the Cisco website. On the MEF website, 6500 series switches such as the 6509 with Sup720 are known as a Metro Ethernet series, but they are not defined as Metro Ethernet on the Cisco website, and just the Cisco 6524 is known as a Metro Ethernet series. Why are they not known as a Metro Ethernet series, and are 6500 series switches Metro Ethernet or not?

Thanks in advance for helping me.

Please send me my answer at Mhashemi58@gmail.com

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

This question does not seem related to the topic but I'll try to answer it ...

Yes, the 6500 with SUP720 may also be used in Metro Ethernet deployments. The content of the web pages is planned for further updates to reflect information that is relevant to 6500 SP/MetroE deployments. However, usually the 7600 is used for Carrier Ethernet/SP deployments because it is the primary platform for these scenarios.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Dear Reza

Thanks a lot for replying to my question, and a happy Eid to you.

BR

M.Hashemi

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

No problem.

Cheers,

Reza

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Dear,

I have a couple of questions related to VSS.

1) The CPU utilization is higher than the normal 6500 on VSS, and especially if we do the show run or sh tech support command the CPU utilization goes up to 90% for a while and comes back to normal. Also, the show run command takes more time; even though I used parser config cache interface, there is no improvement in CPU utilization or in the time taken by the show run command to build the config.

2) Upgrade of VSS with minimal downtime, especially if I have a lower version than 12.2.33SXI, since 12.2.33SXH4 does not support eFSU. Also, if you can, let me know exactly the service disturbance expected while following the eFSU or other procedure to upgrade 12.2.33SXH.

Also, if you have any document on how to upgrade to 12.2.33SXH4 from a lower version.

3) What is the difference between the 6509-E and 6509-V-E chassis?

4) What are the configuration options available to configure a Multi-chassis port channel? I mean, is LACP supported or not?

Regards

Fayyaz

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

1) You may want to contact Cisco TAC for resolving issues but you should not see CPU over-utilization in VSS mode vs. non-VSS mode. Here are some guidelines:

- The CPU utilization in VSS and non-VSS mode should not differ significantly, as the net effect of added (VSS) processes is minimal and is offset by a reduction in other processes (e.g. STP) compared to non-VSS mode.

- show run and tech will always cause CPU spikes and that is expected.

- If CPU utilization is sustained at 90% for an extended period of time, that is alarming, but a quick spike is acceptable.

- VSS mode does not increase CPU by itself. There could be other processes running in the background causing the CPU spike. Also, running in modular (ION) causes more CPU utilization in general, but I am not sure if you are running ION.

2) The option here is mainly eFSU, where you'll get RPR fallback and lose 50% of the bandwidth. If the connections are dual-homed then the user may not notice the impact.

3) The main differences are that the 6509-V-E has a redundant fan tray and air filter, front-to-back air flow and vertical slots.

4) Yes, LACP is supported.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Hi Reza,

Is MPLS supported on VSS? Are there any limitations if we run MPLS?

You mentioned the CPU utilization goes up to 90% when you give a show run command. Does it have any impact on the user traffic?

Regards,

Silju

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Hi Reza,

Just noticed that it was not you who mentioned the CPU utilization. Apologies for the mistake.

Hope it's not a normal behaviour of VSS.

Regards,

Silju

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

No. As I posted earlier, there should not be significant CPU utilization difference in VSS mode vs. non-VSS mode while everything else is kept the same.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

MPLS is not currently supported with VSS. This is targeted for support in an upcoming release later this CY.

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Will the 6500s in VSS ever support virtual device contexts similar to Nexus VDCs?

Francisco.

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Also, there are a few limitations in the FWSM such as no VPN, limited ACLs and xlate. Will there be future improvements to the FWSM?

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

What is the best practice to follow when deploying the FWSM with ACE: routed mode or looped mode?

Francisco.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

New features and improvements are continuously being assessed and committed. For example, there were considerable improvements in ACL limitation in 3.x vs. 2.x and there are even more significant improvements in 4.x vs. 3.x. In 4.x, the ACL memory utilization is improved by over 30% in addition to other improvements. See http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm40/release/notes/fwsmrn40.html#wp168772

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

ABDOLREZA,

My understanding is that, with all the new improvements, Cisco has announced that they will not be continuing with the Service Module range in future! Is that true?

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

No, Cisco has NOT even announced EOS on firewall service module and is continuing to investigate in further enhancements on service modules as well to this date.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

VDC support is not currently committed for 6500.

Bronze

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

Dear,

I have a question related to VSS:

1) I feel the most vulnerable part of VSS is the single control plane. Even with dual chassis, dual bandwidth, and dual MEC uplinks to dual core switches, a single CPU spike (long or short) can interrupt control plane packets like OSPF or LACP, resulting in complete loss of all OSPF neighbors or loss of LACP EtherChannel bundling (especially with fast LACP). For example, just entering the "test crash" command generates a 1-5 second CPU peak, enough to lose ALL OSPF neighbors on the uplinks when using sub-second OSPF timers. Has Cisco implemented special precautions or specific VSS features to protect VSS more than a single standalone C6500 chassis from 100% CPU utilization?

2) Is CoPP supported on VSS?

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

1) The VSS unified control plane is not an issue. VSS control packets are given top priority and hence you should be protected. In modular IOS, starting with 12.2(33)SXI, we run the VSLP (Virtual Switch Link Protocol) as a separate thread which has high priority. Having said that, you should consider the amount of fast hello configuration as you would need in a non-VSS scenario, which consequently would load the CPU. The best way is for you to configure the necessary features and see how the CPU load is behaving. But we do protect the control packet handling.

By the way, regarding “test crash”, this is not a realistic command to test VSS behavior or use in product network. It is an unsupported command used in development testing. After all, the command is meant to simulate a box crashing and so seeing an OSPF neighbor going down is not unexpected.

2) Yes, it is supported.

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

I was looking into many design recommendations from Cisco and in most of them FWSM is used in transparent mode.

As I have only used routed mode before, this is quite new to me and I have some questions:

1. The proposed solution by Cisco is to have 1 VLAN, say VLAN 6, which extends basically between the FWSM and the access layer (that's the inside VLAN), and the second VLAN, e.g. 106 (outside VLAN), which extends from the FWSM to the MSFC on the 6500.

This pair is part of a single security context in FWSM.

To my understanding, for each and every VLAN pair I have to have a separate context?

This solution does seem quite inflexible to me. If I have a license for only 20 security contexts, will it mean that I can only use 20 VLANs in the FWSM? Is there any other recommended, more flexible solution? FWSM seems to have a license for 250 security contexts so that might solve the issue, but what if I have an external Services layer, with Cisco ASA? To my understanding this only has a maximum of 50 security contexts. How do you work around that in terms of a large network with more than 50 VLANs in the access layer?

2. Can you explain how the transparent mode works? The inside and outside VLANs are just bridged together? Is this the principle, or is there more to it?

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

ABDOLREZA,

My understanding is that, with all the new improvements on FWSM, Cisco has announced that they will not be continuing with the Service Module range in future! Is that true?

New Member

Re: ASK THE EXPERT - CAT6500 VIRTUAL SWITCHING SYSTEM

No, Cisco has NOT even announced EOS on firewall service module and is continuing to investigate in further enhancements on service modules as well to this date.
