
BoP Features


Presentation Transcript


  1. BoP Features

  2. Agenda • Introduction • Performance • The Value propositions (AOS v5.1) • Availability • Element resiliency • Network resiliency • Security • Element security • Network security • Intelligence • Manageability • Next Step for future releases • Hardware • Software

  3. Introduction The Distributed Processing Structure

  4. Distributed Processing Structure • Distributed Architecture • CMM • Controls the system • Provides a single interface for management (SNMP/CLI) • NIs • Provide wire-rate L2 and L3 forwarding • Provide distributed processing for • Source Learning • Spanning Tree • “slow-path” L2 & L3 forwarding for exception frames not switched or routed (IGMP - ARP)

  5. Distributed Processing Structure • Communication between elements • NI <-> CMM and CMM <-> CMM • Using a shared bus (BBUS) • NI <-> NI • Using the Switching Fabric for high performance transfer (those “packets” are internally called IPC)

  6. Performance

  7. Performance • OmniSwitch 7000 Family • OS-7700 • Raw Switching Capacity: 64 Gbps • Effective Switching Capacity: 50 Gbps • Effective Throughput: 30 Mpps • OS-7800 • Raw Switching Capacity: 128 Gbps • Effective Switching Capacity: 100 Gbps • Effective Throughput: 60 Mpps • OmniSwitch 8800 • Raw Switching Capacity: 512 Gbps • Effective Switching Capacity: 400 Gbps • Effective Throughput: 240 Mpps

  8. Performance • Where the numbers come from… (OS-7800)
  • Fabric Capacity: 128 Gbps
    • From the FBUS and SFM: 4.0 Gbps x 2 (full duplex) x 16 (number of Coronado ASICs)
  • Effective Switching Capacity: 100 Gbps
    • Best case, using 1518-byte packets on GNI-U12: 3.2 Gbps per Coronado (large packets optimize switching by reducing the per-packet overhead)
  • Effective Throughput: 60 Mpps
    • Best case, using 64-byte packets on GNI-U12: 2.5 Gbps per Coronado (using large packets doesn't help here)

  9. Performance • Performance is…
  • Independent of traffic type
    • Layer 2 (OS-7800: 100 Gbps & 60 Mpps)
    • Layer 3 (OS-7800: 100 Gbps & 60 Mpps)
  • Dependent on packet size
    • Because of traffic-related overhead
    • Only impacts the result on switching capacity, not throughput
  [chart: throughput values 60 Mpps, 19 Mpps, 6 Mpps, 5 Mpps; the packet-size axis labels did not survive extraction]

  10. Performance • Layer 2 & Layer 3
  • Forwarding table: 128,000 entries
    • 32k L2-SA
    • 32k L2-DA
    • 64k L3/L4
  • Rate on Gig port, 10/100 port and 100 port: wire-rate on GA hardware!
  • Broadcast: wire-rate, limited in throughput by SW (user defined)
  • Multicast: wire-rate for known multicast flows, limited in bandwidth through SW
    • Processed in SW when the flow is unknown or on an 802.1Q link

  11. Performance • Routing protocols & Layer 3 features (5.1.1R03)
  • RIP: 70 interfaces, 10,000 routes
  • OSPF: 10 areas, 70 interfaces, 70 adjacent routers, 30,000 routes
  • BGP: 20 peers, 20 interfaces, 20,000 routes
  • VRRP: 256 VRRP routers, MAC addresses 00:00:5E:00:01:xx (with xx = [00..FF])

  12. Various Numbers • Bridging • 1024 VLANs • Routing • 256 IP interfaces in normal mode (1 MAC for all IP) • 32+32 IP interfaces in XOS mode (1 MAC per IP) • 1 IP interface per VLAN • QoS • 2048 Queues per NI • 64 Priority Descriptors per NI • 1 DSCP mapping table per NI • Ingress Flood Queue (per NI) : 5 Mbps • Set by SW and user configurable • Ingress Multicast Queues : 10 Mbps • Set by SW and user configurable / Total MC throughput of one Coronado is 610 Mbps

  13. Various Numbers
  • Server Load Balancing
    • Dimensioning
      • Up to 75 clusters (1 Virtual IP per cluster)
      • Up to 75 servers per cluster
      • 1 server can belong to multiple clusters, as long as the total sum of servers over all clusters does not exceed 75
      • Servers can be distributed on several NIs
  • Link Aggregation
    • Maximum of 32 aggregations per chassis (applies to both OmniChannel AND 802.3ad)
    • Maximum of 16 ports per aggregation
    • One port can only belong to one link aggregation

  14. The AOS v5.1 Availability

  15. Element Resiliency • Redundant & Hot swappable • Modules (NI, CMM & SFM) • Power Supply Unit • Fans • Minimized CMM/Fabric boot and switch over time • Cold & Warm Boot time is around 90 seconds • Switch over time is around 10 seconds AND transparent to users (Smart Continuous Switching) • Power Monitoring • Checks the power requirement of newly inserted boards before feeding them. • Thermal shutdown • As soon as the temperature is above Tmax

  16. Thermal Protection • Automatic shutdown • 2 thresholds • TMax - Triggers shutdown (80 ºC - 176 ºF) • TNormal - Sends administrative alerts (default 60 ºC - 140 ºF)

  17. Element Resiliency • Flash Memory – 32 MB per CMM
  • BootROM
    • Checks and selects the MiniBoot (default or backup)
    • BootROM is in a write-protected area of the flash
  • MiniBoot
    • Starts the OS and loads services from the OS archive file (fos.img)
    • 2 versions are present on the flash, the default and the backup
    • The backup MiniBoot is in a write-protected area of the flash
  • File System
    • Provides storage for system and configuration files
    • 2 versions are present on the flash, the working and the certified

  18. Element Resiliency
  • Configuration rollback
    • Based on the working and certified file systems
    • Applies to system files and the configuration file
    • A certified version (SW + conf) is kept as a backup when dealing with any change (modification, upgrade, …)
  • Downloadable bootstrap
    • Loading MiniBoot allows the use of FTP and ZMODEM
  • Dynamically loaded features
    • Only the required services are loaded
    • Applies to Advanced Routing and Advanced Security
  • Unique MAC address for each chassis
    • Stored in 2 EEPROMs located on either the midplane (OS-8800) or the backplane (OS-7000)

  19. Boot Sequence / Image Rollback
  [diagram: Flash/ROM holds BootROM, MiniBoot and the root directory with boot.params, a /working directory and a /certified directory, each with kernel.lnk from the OS package; RAM holds the copied MiniBoot and the production kernel; steps numbered 1 to 5]
  • Bootstrap basic operation
    • Initializes hardware
    • Performs memory diagnostics
    • Selects the right MiniBoot
    • Copies & executes MiniBoot
  • MiniBoot basic operation
    • Initializes the basic kernel
    • Selects the image, based on boot.params
    • Copies & loads the OS
    • The image contains its own copy of the kernel, specific to the SW version

  20. Network Resiliency – L2 • Distributed L2 services • Continuous L2 services during fail over • Spanning Tree Protocol • Spanning Tree Protocol (802.1d w/o GARP) • Multiple Spanning Tree Protocol (proprietary, no standard) • Fast Spanning Tree Protocol (802.1w) • Link Aggregation • Static (OmniChannel) or Dynamic (802.3ad/LACP) • Load balancing based on L2 SA/DA (in bridging) or L3 SA/DA (in routing)

  21. Distributed L2 • Source Learning
  • Independent from the presence of the CMM
    • CMM handles static entries
    • CMM maintains a GLOBAL DB of all MACs learnt, for management only
  • Occurs whenever an L2 lookup misses
    • Miss on L2-SA: the SA/DA are sent to ALL Coronados + CMM
      • All Coronados perform an SA/DA lookup
      • Any other Coronado with the MAC-SA in its SA table will assume a move
      • The Coronado with the MAC-DA in its SA table will update its DA table with the SA
    • Miss on L2-DA: the SA/DA are sent to ALL Coronados + CMM
      • All Coronados perform an SA/DA lookup
      • The Coronado with the MAC-DA in its SA table answers the request
      • The requester updates its DA table
      • The answerer checks whether the MAC-SA is in its DA table, and updates it if not

  22. Distributed L2 • Source Learning
  • Each NI is different
    • Independent L2 (SA/DA) Forwarding Data Base (FDB)
    • PseudoCAM populated on demand
  • Aging time – defaults to 300 seconds for L2 entries (SA)
  • Fast aging based on pCAM utilization
    • 85% full => aging time divided by 2 - entries age out in 150 s
    • 95% full => aging time divided by 3 - entries age out in 100 s
    • 99% full => aging time divided by 10 - entries age out in 30 s
    • 100% full => no learning – the packet is processed in the slow path
    • Consequence: a host flooding forged source MACs can fill the pCAM, after which unknown-address traffic is punted to the CPU; Learned Port Security (on the SW roadmap for 5.1.3) is the control that limits how many MACs a port may learn
  • When an NI is removed, the associated pCAM-DA entries are freed
  • During fail-over
    • Flushing may occur after the fail-over if the 'certify' flag is cleared
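The aging policy on slide 22, as an added model that is not Alcatel or AOS code: one NI's pseudoCAM with the fill-ratio-driven fast aging (300 s default, divided by 2/3/10 at 85/95/99 % full, no learning at 100 %), driven by a forged-source-MAC flood so the slow-path fallback is visible. The capacity of 1000 entries, the clock and the MAC format are assumptions of the simulation.

```python
# Added example (not Alcatel/AOS code): a model of one NI's pseudoCAM with the
# utilization-driven fast aging from slide 22, driven by a forged-source-MAC
# flood. Capacity, the clock and the MAC format are assumptions of the model.
from dataclasses import dataclass, field

DEFAULT_AGING_S = 300.0
# (fill ratio, divisor) pairs from the slide, checked from the highest down
FAST_AGING_STEPS = ((0.99, 10), (0.95, 3), (0.85, 2))


def aging_time(fill: float) -> float:
    """Effective SA aging time for a pCAM that is `fill` (0.0..1.0) full."""
    for threshold, divisor in FAST_AGING_STEPS:
        if fill >= threshold:
            return DEFAULT_AGING_S / divisor
    return DEFAULT_AGING_S


@dataclass
class PseudoCam:
    capacity: int                                   # assumed entries per NI
    entries: dict = field(default_factory=dict)     # mac -> (port, last_seen)
    slow_path: int = 0                              # frames punted to the CPU

    def fill(self) -> float:
        return len(self.entries) / self.capacity

    def learn(self, mac: str, port: int, now: float) -> bool:
        """Learn or refresh a source MAC; False when the pCAM is 100 % full."""
        if mac in self.entries:                     # refresh keeps it alive
            self.entries[mac] = (port, now)
            return True
        if len(self.entries) >= self.capacity:      # slide: no learning, slow path
            self.slow_path += 1
            return False
        self.entries[mac] = (port, now)
        return True

    def age(self, now: float) -> int:
        """Expire entries older than the current (fill-dependent) aging time."""
        limit = aging_time(self.fill())
        stale = [m for m, (_, seen) in self.entries.items() if now - seen > limit]
        for m in stale:
            del self.entries[m]
        return len(stale)


def mac_flood(cam: PseudoCam, port: int, count: int, now: float) -> dict:
    """Inject `count` distinct locally-administered source MACs from one port."""
    for i in range(count):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        cam.learn(mac, port, now)
    return {"fill": cam.fill(), "aging_s": aging_time(cam.fill()),
            "slow_path": cam.slow_path}


if __name__ == "__main__":
    cam = PseudoCam(capacity=1000)
    cam.learn("00:11:22:33:44:55", 1, 0.0)          # one legitimate host on port 1
    print(mac_flood(cam, port=5, count=1200, now=1.0))
    print("new host learned:", cam.learn("00:aa:bb:cc:dd:ee", 2, 2.0))
    print("entries expired at t=40s:", cam.age(40.0))
```

Two things the run shows that the slide only implies: fast aging does nothing against a flood that keeps refreshing its entries faster than the 30 s limit, and once the table is full every new legitimate host on any port of that NI is punted to the slow path, which is the CPU load the distributed design was meant to avoid.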

  23. Distributed L2 • Distributed Spanning Tree
  • Principle
    • Continuous STP in case of CMM failure/take-over
    • No CMM CPU overload (the load is spread across the NIs)
  • Implementation
    • STP Manager on the CMM
      • Manages the configuration and transmits it to the STP Agents
      • Answers all user queries
    • STP Agent on the NI
      • Manages the dynamic events and runs the algorithm
      • Dynamic events are either STP events or internal DSTP events
      • An STP event generates DSTP events to the other NIs/CMM
  • During fail-over
    • Only the STP Manager is unavailable
    • STP Agents maintain the Spanning Tree Protocol on the switch

  24. Network Resiliency – L3
  • Routing protocols
    • RIP, OSPF, BGP
    • DVMRP, PIM-SM
    • VRRP (RFC 2338)
    • OSPF ECMP
  • Distributed architecture
    • Limited impact on L3 flows during CMM fail-over (L3 tables are flushed after the CMM take-over)

  25. Distributed L3 • ARP table & Layer 3 FDB are duplicated & synchronized • On each Coronado (SDRAM0) • On the CMM • PseudoCAM is still populated on demand on each Coronado • Unknown IP Destination Address • Will be processed by the SW (no ARP capability though) • Will have the L3 pCAM updated for next packets • During Fail-over • Chassis informs the NI – No more L3 (ARP and FDB) learning • Normal forwarding continues based on actual knowledge • Secondary CMM • Retrieves the ARP table from one NI • Retrieves L3 FDB from one NI and adds an ‘old’ tag for each entry • Adds/updates new entries with a ‘new’ tag • Flushes all ‘old’ entries after a timer expires

  26. The AOS v5.1 Security

  27. Element Security
  • Authenticated Switch Access
    • Provides (full) admin privileges
    • Applies for console, telnet, FTP, HTTP and SNMP
    • Based on either a local database or remote RADIUS, LDAP or ACE
  • Secure Socket Layer (SSL)
    • Secures communications to or from the switch
      • for WebView
      • for LDAP
    • Using SSLv2, SSLv3 and TLSv1, based on RSA C code
  • Caveat: of the management paths above only WebView (HTTPS) and LDAP are encrypted; telnet, FTP and HTTP carry the admin credentials in clear, and SSH only appears on the roadmap (slides 43 and 46). SSLv2 and SSLv3 have since been prohibited (RFC 6176, RFC 7568), so on current deployments only TLS should be left enabled.

  28. Element Security • Partition Management
  • Provides customized access based on accounts
  • Applies for CLI, FTP, HTTP & SNMP
  • Based on either a local database or remote LDAP/RADIUS
  • Defines the following domains and their command families:
    admin     file image bootrom telnet reset debug
    system    system xip snmp rmon webmngt config
    physical  chassis module interface pmm flood health
    network   ip rip ospf bgp vrrp iprm ipx ipmr ipms
    layer 2   vlan bridge stp 802.1q linkagg bootp
    services  ldap dhcp
    policy    qos policy slb
    security  session binding avlan aaa

  29. Element Security
  • Denial of Service defense
    • Provides defense against common attacks
      • Ping of Death
      • Land Attack
      • Smurf (by keeping directed broadcast disabled)
      • Pepsi (feature of VxWorks)
      • Bonk (feature of VxWorks)
      • Boink (feature of VxWorks)
  • SNMP v3
    • Backward compatible with v1 & v2
    • Provides
      • Authentication (MD5 or SHA)
      • Encryption (DES) of SNMP PDUs
  • Caveat: v1/v2 compatibility means community-string access (cleartext, unauthenticated) stays reachable unless it is disabled; HMAC-MD5/SHA-1 and DES are the original USM algorithms of RFC 3414, with AES privacy added later by RFC 3826.
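The conditions behind the attacks listed on slide 29, as an added triage script that is not Alcatel or AOS code (the switch applies its checks inside the VxWorks stack; this only shows what each name means on the wire). The packet summaries are constructed, grouping fragments by (src, dst, proto) instead of the IP identification field is a simplification, and the overlap check stands in for the Bonk/Boink family, which relies on overlapping fragment offsets.

```python
# Added example (not Alcatel/AOS code): the conditions behind the attacks listed
# on slide 29, run over constructed packet summaries. Grouping fragments by
# (src, dst, proto) instead of the IP identification field is a simplification.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IPV4_MAX_LEN = 65535          # largest reassembled IPv4 datagram


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    icmp_type: int = -1       # 8 = echo request
    frag_off: int = 0         # fragment offset in bytes
    length: int = 0           # bytes carried by this fragment
    more_frags: bool = False


def is_land(p: Pkt) -> bool:
    """Land: SYN whose source and destination address and port are identical."""
    return p.proto == "tcp" and p.syn and p.src == p.dst and p.sport == p.dport


def is_smurf(p: Pkt, local_nets) -> bool:
    """Smurf: echo request aimed at the directed broadcast of a local subnet
    (harmless while directed-broadcast forwarding stays disabled, as the slide says)."""
    if p.proto != "icmp" or p.icmp_type != 8:
        return False
    return any(ip_address(p.dst) == n.broadcast_address for n in local_nets)


def is_ping_of_death(frags) -> bool:
    """Ping of Death: ICMP fragments that reassemble beyond 65535 bytes."""
    return max(f.frag_off + f.length for f in frags) > IPV4_MAX_LEN


def has_overlap(frags) -> bool:
    """Overlapping fragment offsets, the pattern behind the Bonk/Boink family."""
    spans = sorted((f.frag_off, f.frag_off + f.length) for f in frags)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def classify(packets, local_nets) -> dict:
    """Map attack name -> list of offending packets or fragment-group keys."""
    alerts, groups = {}, {}
    for p in packets:
        if is_land(p):
            alerts.setdefault("land", []).append(p)
        if is_smurf(p, local_nets):
            alerts.setdefault("smurf", []).append(p)
        if p.more_frags or p.frag_off:
            groups.setdefault((p.src, p.dst, p.proto), []).append(p)
    for key, frags in groups.items():
        if key[2] == "icmp" and is_ping_of_death(frags):
            alerts.setdefault("ping_of_death", []).append(key)
        if has_overlap(frags):
            alerts.setdefault("overlapping_fragments", []).append(key)
    return alerts


LOCAL_NETS = [ip_network("192.168.1.0/24")]
SAMPLE = [  # constructed traffic, not a capture
    Pkt("10.0.0.5", "10.0.0.5", "tcp", 139, 139, syn=True),                    # Land
    Pkt("10.0.0.9", "192.168.1.255", "icmp", icmp_type=8),                      # Smurf trigger
    Pkt("10.0.0.9", "192.168.1.10", "icmp", icmp_type=8),                       # benign ping
    Pkt("203.0.113.7", "192.168.1.10", "icmp", icmp_type=8,
        frag_off=0, length=1480, more_frags=True),                              # Ping of Death,
    Pkt("203.0.113.7", "192.168.1.10", "icmp", frag_off=65120, length=1480),   # last fragment
    Pkt("203.0.113.8", "192.168.1.10", "udp", 53, 7,
        frag_off=0, length=36, more_frags=True),                                # overlapping
    Pkt("203.0.113.8", "192.168.1.10", "udp", frag_off=24, length=36),         # fragments
]


def demo() -> dict:
    return classify(SAMPLE, LOCAL_NETS)
```

Running `demo()` reports one alert of each kind and nothing for the benign ping. The Smurf check is the one worth keeping in mind when reading the slide: the switch's defense is simply to not forward to the directed broadcast address, so a host on the local subnet is still the amplifier if that setting is ever turned on.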

  30. Network Security
  • Authenticated VLANs
    • Applies to users connected on authenticated ports
    • Users must authenticate through AV-Client, TELNET or HTTP
    • Authentication is based on either a local database or LDAP/RADIUS
    • Then, the client MAC is associated with the correct VLAN (so the VLAN membership is only as trustworthy as the source MAC it is bound to)
  • ACL
    • ASIC-based packet filtering based on L2/L3/L4
    • Policies are created from either CLI or WebView
    • Each policy is global to the switch and has…
      • a precedence (0..65535) – higher comes first
      • a reflexive flag, for the case where a flow is allowed while its answer would not be: the answer is admitted anyway
      • an action – accept, drop or deny

  31. Access Control List
  • ACL is the filtering part of policies
    • Policies apply to prioritization, bandwidth management, filtering, IP translation, server load balancing and IPMS filtering
  • ACL policies come from WebView (SNMP) / CLI
  • ACL policies apply
    • For the whole chassis
    • At ingress only
    • On Layer 2 & Layer 3 / Layer 4

  32. Access Control List • Description of an ACL policy
  • Parameters are
    • Policy name <name>
    • Condition name <name>
    • Action name <name>
    • Precedence 0-65535 (higher first)
    • Reflexive Y/N
  • Condition
    • Layer 2: MAC-DA, src port, src VLAN, dest port, dest VLAN
    • Layer 3 / Layer 4: IP-DA, IP-SA, L4 protocol (UDP/TCP), TCP/UDP dest port, TCP/UDP src port
  • Action: Accept, Drop or Deny

  33. Access Control List • Side effects / Limitations of ACL
  • Selective flush of existing pCAM entries if needed
    • Learning (in slow path) must be re-initiated
    • Impact reduced by pushing all policies at once
  • Fragmented frames are processed in SW
    • Caveat: a stream of fragments therefore bypasses the ASIC filter and lands on the CPU path, and non-initial fragments carry no TCP/UDP header for an L4 port condition to match
  • Excessive consumption of pCAM entries can occur, depending on the classification requests
  • At first, deny behaves like drop (no ICMP message)
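The policy model of slides 30 to 33, as an added example that is not Alcatel or AOS code and does not use the AOS CLI syntax (which the slides do not show): one global list evaluated in precedence order (higher first), a reflexive flag that admits the reply of an accepted flow, and deny versus drop, which on 5.1 behave identically at the data plane. The flow tuple, the condition field names, the implicit default action and the three policies in `build_example_acl` are assumptions.

```python
# Added example (not Alcatel/AOS code or CLI syntax): a model of the global,
# ingress-only ACL policies of slides 30 to 33. It shows precedence ordering
# (higher first), the reflexive flag admitting the reply of an accepted flow,
# and deny vs drop, which the slide says behave identically (no ICMP message).
# The flow tuple, field names, default action and the policies are assumptions.
from dataclasses import dataclass, fields
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ip_sa: str
    ip_da: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    src_vlan: int = 0
    mac_da: str = ""


@dataclass
class Condition:               # a field left None is a wildcard
    ip_sa: Optional[str] = None
    ip_da: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    src_vlan: Optional[int] = None
    mac_da: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return all(getattr(self, x.name) is None or getattr(self, x.name) == getattr(f, x.name)
                   for x in fields(self))


@dataclass
class Policy:
    name: str
    condition: Condition
    action: str                # "accept", "drop" or "deny"
    precedence: int = 0        # 0..65535, higher is evaluated first
    reflexive: bool = False

    def __post_init__(self):
        if not 0 <= self.precedence <= 65535:
            raise ValueError("precedence must be 0..65535")
        if self.action not in ("accept", "drop", "deny"):
            raise ValueError("unknown action " + self.action)


class Acl:
    def __init__(self, policies, default: str = "drop"):
        # One global list for the chassis, sorted so the higher precedence wins
        self.policies = sorted(policies, key=lambda p: p.precedence, reverse=True)
        self.default = default           # assumption: implicit drop when nothing matches
        self.reply_state = set()         # reverse 5-tuples of accepted reflexive flows

    def lookup(self, f: Flow) -> Tuple[str, str]:
        """Return (action, policy name); 'reflexive' names a state-table hit."""
        key = (f.ip_sa, f.ip_da, f.proto, f.sport, f.dport)
        if key in self.reply_state:
            return ("accept", "reflexive")
        for p in self.policies:
            if p.condition.matches(f):
                if p.reflexive and p.action == "accept":
                    self.reply_state.add((f.ip_da, f.ip_sa, f.proto, f.dport, f.sport))
                return (p.action, p.name)
        return (self.default, "default")


def forwards(action: str) -> bool:
    """Data-plane view: on 5.1 deny is handled like drop (no ICMP), so both discard."""
    return action == "accept"


def build_example_acl() -> Acl:
    return Acl([
        Policy("allow-web", Condition(ip_da="192.168.1.10", proto="tcp", dport=80),
               "accept", precedence=200, reflexive=True),
        Policy("block-server", Condition(ip_da="192.168.1.10"), "deny", precedence=100),
        Policy("telnet-from-vlan7", Condition(src_vlan=7, proto="tcp", dport=23),
               "drop", precedence=300),
    ])
```

With the example set, a client's request to port 80 matches `allow-web` and records the reverse tuple, so the server's reply is accepted by state even though no policy would admit it on its own; a telnet attempt from VLAN 7 hits the precedence-300 drop before the precedence-100 deny that also matches it. Because the reply state is keyed on the full 5-tuple, a spoofed "reply" only gets through if the attacker already knows the client's ephemeral port.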

  34. Network Security
  • NAT / PAT
    • Hides private addresses from the public network
    • NAT: one-to-one
    • PAT: many-to-one (only on TCP/UDP – no ICMP)
  • Binding VLAN
    • Based on 6 combinations
      • MAC + Port + IP
      • MAC + Port
      • MAC + IP
      • MAC + Port + Protocol
      • Port + Protocol
      • Port + IP

  35. The AOS v5.1 Intelligence

  36. Intelligence
  • Policy precedence rule
    • SLB -> NAT -> QoS & ACL (based on precedence)
  • L2/L3/L4 wire-speed classification & forwarding
    • Using the same policies as ACL
      • L2-DA, dest port, dest VLAN, 802.1p
      • IP-DA, IP-SA, ToS precedence, DSCP
      • TCP/UDP dest port, TCP/UDP src port
  • QoS enforcement, mapping & marking
    • Based on 802.1p, ToS precedence and DSCP
  • IP fragmentation (for jumbo frames up to 9K)
    • MTU information stored in the header cache entry

  37. Intelligence
  • Server Load Balancing
    • Provides a Virtual IP for a cluster of servers
    • Distributes traffic to the servers based on IP-SA, in round-robin fashion
    • Provides health monitoring of the servers, based on
      • Link state (port up or down)
      • ICMP (the server answering ping requests from the CMM)
    • Caveat: both checks are host-level, so a server whose service has died but whose host still answers ping stays in the rotation
  • Congestion avoidance
    • 802.3x
      • At ingress – whenever a port is consuming too many buffers in the Queue Manager, a pause frame is transmitted
      • At egress – whenever a pause frame is received, a coupon is sent to Nantucket to pause traffic transmission

  38. The AOS v5.1 Manageability

  39. Manageability • Group Mobility • Applies on mobile port (no more Mobile Group) • Assigned on rules • Port, Network Address, Protocol, DHCP, MAC Address, Custom • Binding • Policy • QoS, ACL, SLB are all policies based features • Directory services • Most services (Policies, A-VLAN, PM) can have all their information in a remote location using LDAP/RADIUS/ACE • Unified management for Voice & Data

  40. Group Mobility
  • VLAN Classification
    • Based on GM rules if the GM bit of the port is set
    • Default GId or 802.1Q-VId is used otherwise
    • pCAM lookup based on L2-SA, Protocol and SPPN
  • Default VLAN handling (renaming)
    • Default VLAN enable -> default_Group: will the default VLAN be supported when no GM rule matches?
    • Default VLAN permanent -> move_from_def: will the default VLAN be supported when a GM rule matches?
    • Default VLAN restore -> move_to_def: will the default VLAN be restored when the matching GM entry ages out?

  41. Next Step

  42. Next Step - HW • New ASIC • Firenze replaces Catalina on new modules bringing • Oversubscription (Up to 6 Gig ports per ASIC) • WRED • New modules (based on new Firenze ASIC) • OS-7000 • 12-port Gigabit Ethernet module using SFP (Mini-GBIC) • 24-port 10/100 Ethernet In-Line Power module (RJ-45) • OS-8800 • 24-port 10/100/1000 Ethernet Copper module (RJ45) • 24-port Gigabit Ethernet module using SFP (Mini-GBIC) • New Hardware • DC PSU for OS-7000 (600 W – 48V) • DC PSU for OS-8800 (1375 W – 48V)

  43. Next Step - SW • Version 5.1.x • NetBIOS Relay • Extended Local Proxy ARP • Policy Based Routing L3/L4 • Version 5.2 • IEEE 802.1v – VLAN Classif. by protocol and port • IEEE 802.1x • IEEE 802.1s • Secure Shell (SSH) • and more to come …

  44. THANK YOU !!! Any questions ???

  45. HW Roadmap • HW Roadmap for OS-7000 / OS-8000 (timeline Q3'02 to Q2'03)
  • OS-7000 (5.1): OS7700 & OS7800, OS7-GNI-U2, OS7-ENI-F12, OS7-ENI-C24, OS7-PS-0600AC
  • OS-7000 (5.1.4): OS7-GNI-U12, OS7-GNI-C12
  • OS-7000 (5.1.5): OS7-ENI-PD24, PowerShelf (900 W AC, 900 W DC), OS7-PS-0600DC
  • OS-8000 (5.1.4): OS8800, OS8-GNI-U8, OS8-GNI-C8, OS8-ENI-C24, OS8-PS-1375AC, OS8-PS-1375DC
  • OS-8000 (5.1.5): OS8-GNI-U24, OS8-GNI-C24
  • OS-8000 (5.2): OS8-NP-U4, OS8-10G-U1

  46. SW Roadmap • SW Roadmap for OS-7000 / OS-8000 (timeline Q3'02 to Q2'03)
  • AOS 5.1.1: first release of AOS
  • AOS 5.1.3: Policy Based Routing, NetBIOS (UDP) Relay, Multiple (per-VLAN) DHCP, Learned Port Security, Local Proxy ARP, SSH Basic, End User Partitioning, StoneBeat HA support
  • AOS 5.1.4: 802.1x, NTP
  • AOS 5.1.5: Multicast VLAN
  • AOS 5.2: MPLS, IPv6, SSH, Multinetting
