Lippis Report 179: New Design Principles in Campus and Data Center Networking: In the Age of the Next Gen Catalyst 6K with Supervisor 2T
By all counts, Cisco’s upgrade of the Catalyst 6K via its new Supervisor 2T, or Sup2T, is its most ambitious and thoughtful yet for the venerable platform. The Sup2T is a 2 Terabit (Tb) platform that triples the previous Sup720 performance. Thanks to the support of Virtual Switching System (VSS), the platform allows two 2 Tbps switches to combine into a single 4 Tbps virtual switch. The Sup2T is a major upgrade to the most widely-deployed switching platform in campus and data center networking in the industry. But while these performance numbers are impressive, it’s the new Cat6K’s network services and pricing that deliver most of the value. From a services point of view, the Cat6K stands alone.
Cisco’s Cat6K is the firm’s most successful product with over 700,000 systems and 110 million ports installed, worth some $42 billion. This product’s success increases the stakes for Cisco as it introduces a major upgrade. Cisco had to consider backward and forward customer migration, increased competition and pricing pressure especially as many firms are starting to offer core switches based upon merchant silicon. In short, Cisco had to eliminate the trade-off of innovation versus investment protection and find a way to deliver both simultaneously. A detailed review of the new Cat6K with Sup2T finds that Cisco has navigated well by incorporating customer feedback from multiple theaters and industry segments in the form of some 200 features, most of which are incorporated into ASICs, something with which merchant silicon based switching firms cannot compete.
Merchant Silicon versus Custom ASIC
There will be an increase in the number of core switches offered from various vendors during 2012 thanks to the availability of merchant silicon, but these products, for the most part, will be focused primarily on performance while falling short on network services. Network services are hardware and software features that provide the tools, customization and design options for IT architects to optimize their networks and applications to run faster and maintain secure, reliable, high-quality user experiences, whether it’s for video traffic, virtualized desktops, general purpose office productivity or client-facing web traffic.
For example, consider something as mundane as counters. In the Cat6K Sup2T and new modules, there are more than two million counters, enough to have separate counters for every protocol, including IPv4, IPv6, multicast, unicast, MPLS, etc. What this says is that Network Operations engineers will be afforded a level of granularity and visibility into the network well beyond anything they previously could gather. But I digress; let’s focus on the big picture of the new Cat6K.
The New Cat6K by the Numbers
The last major upgrade for the Cat 6K was the Sup720-10G in 2007, which was the first management module with 10GbE uplinks. The Sup2T enables 40GbE interoperability and interface speed transition as the Cat6K will support 100MbE, 1GbE, 10GbE and now 40GbE in a modular chassis platform. The performance leap on the 2 Tb portfolio is complemented by a quadrupling, or more, of the NetFlow, Access Control List and Quality of Service capacities of the platform to meet the increasing manageability, security and service demands of enterprise networks. The platform now offers 720 Mpps of IPv4 and 360 Mpps of IPv6 performance, roughly a twofold increase over the previous generation. In a word, the Cat6K scales logically.
What Cisco engineering has done is tripled the performance, quadrupled the platform scalability and added new network services—several of which are industry firsts and all of which protect investment by being backward compatible with these forward innovations. For example, central forwarding line cards that started shipping in 2003 are supported in the Sup2T. The E-series chassis and power supplies that started shipping in 2004 are supported with the Sup2T. For a large segment of the Cat6K installed base, all that is required is the install of the new Sup2T to gain increased performance, scale and network services. This is perhaps one of the easiest refresh offers Cisco has ever made.
Network Services Rich
As for network services, the Cat6K supports some 2,600 features that the market has demanded. Most of these features were developed over time with many firms depending upon them to run their networks. In addition to hardware backward compatibility, Cisco had to be software backward compatible too by supporting these 2,600 features, which are supported in the Sup720 and the wiring closet Sup32, in the Sup2T. Some of these features include IPv6, multicast, NetFlow, MPLS, etc. But clearly the market does not stand still, and Cisco engineering has added some 200 new innovations to the Sup2T, some of which will also be supported on previous versions of supervisor engines.
Interestingly, with new network services also supported on the Sup720, IT architects can choose to move these Cat6Ks down a network layer and place the Sup2T Cat6Ks in the distribution and core, extending the entire portfolio of network services across access, distribution and core. Some of these new innovations are Flexible NetFlow, Role-based Access Control, Virtual Private LAN Service (VPLS), Bridged Domain Technology, etc. Following are a few of the next generation innovations introduced with the Sup2T.
NetFlow: NetFlow scalability in the Cat6K Sup2T has increased fourfold with larger tables being supported in the ASICs. Up to 13 million NetFlow entries are possible in a single system. That is up to eight times the visibility afforded by the previous generation of NetFlow hardware. Over time, most networks will have a mix of 1GbE, 10GbE and 40GbE; this new version of NetFlow introduces sampled NetFlow so NetOps does not have to export all traffic to a collector, a huge reduction in complexity and time. Also, NetFlow visibility is now protocol independent, meaning that it does not matter if a network is running IPv4, IPv6, MPLS, Unicast, Multicast, etc. In addition, select modules, rather than the central supervisor, are able to export NetFlow to the NetFlow collector, offering yet another way to scale.
MACsec: From a security perspective, the Cat6K Sup2T natively supports MACsec, or IEEE 802.1AE, embedding it within line cards offering line-rate, hop-by-hop encryption and decryption. In addition to the new Cat6K, the Nexus 7K, Cat 3K and Cat 4K currently support MACsec, thereby enabling end-to-end secure communications much like IPSec and SSL but over the LAN.
Role-Based Access Control List (RBACL): Access Control Lists, or ACLs, can now be programmed in role-based scenarios controlling user access to IT resources. Roles can be finance, human resources, marketing, engineering, sales, executive management, etc. Role-based access control allows NetOps to configure which IT resources each user is allowed to access for each type of job role, thereby controlling their access to servers, applications, WAN connections, etc. Role-based access control is an addition to the Sup2T’s ACL Dry Run, which first tests if ACL changes will fit in the ACL Ternary Content-Addressable Memory or TCAM before they go live with the configuration. Using ACL Dry Run will help avoid potential network disruption since NetOps engineers will know whether the ACL changes will be supported in hardware before implementing them. If an ACL change does not pass the Dry Run, then the system will indicate which resources are being exhausted, allowing the NetOps staff to adjust the ACL accordingly.
Network Virtualization: The new Cat6K Sup2T boosts its network virtualization capabilities, which enable physical infrastructure to be logically divided. For example, airports, such as Zurich, Munich, Toronto, etc., use network virtualization to change gate attributes as an airline carrier completes the boarding process and transitions the gate to another carrier. They also use network virtualization to separate out kiosk vendors from operations from WLAN AP guest access to airline carrier support, etc. Governments use network virtualization to logically segment departments while they share the same physical building/floors/office spaces. Universities use network virtualization to logically segment administration, research, faculty and student interests. Just as with other previously-mentioned capabilities, Sup2T increases the scalability for network virtualization up to fourfold with support for up to 4K MPLS VPNs, 32 instances of VPN Routing and Forwarding (VRF)-lite, native VPLS in hardware, allowing for VPLS-facing interfaces to be any interface in the system, and more.
New Service Modules
Admittedly, the Cat6K with the Sup2T is not the fastest Ethernet switch on the market with 2 Tbps of switching capacity. Cat6K doesn’t need to be the fastest given its place in campus networking and mid-range data centers. However, it does need more than enough performance to never be the bottleneck in IT delivery while providing a wide range of software options to control traffic and optimally design enterprise IP networks. Cisco engineering has done this with 2 Tbps, and 4 Tbps with VSS, far greater than the capacity of most, if not all, campus and mid-range data center networks operating at a range of 10/100/1000, 10GbE and soon 40GbE. For higher performance, Cisco offers the Nexus 7K with 9 Tbps of switching capacity for data center switching designs.
To increase performance in the Cat6K, it’s not just the supervisor engine that’s been upgraded. New service modules, such as the new Wireless Service Module 2 (WiSM-2), Adaptive Security Appliance Service Module (ASA-SM) firewall, Network Analysis Module 3 (NAM-3) and Application Control Engine 30 (ACE30) load balancing, were introduced to take the Cat6K with Sup2T to the next level of hardware-based services processing. Remember, service modules allow IT business leaders to reduce the number of devices in their network they need to manage, improving energy efficiency and reducing carbon footprint. These new service modules have been upgraded for performance and scalability, as services performance has to scale with network performance. For example, the ASA-SM offers a threefold increase in performance with 15-20 Gbps of stateful application firewalling. NAM-3 has been upgraded in performance by a factor of fifteen, allowing application visibility and analysis at 15 Gbps. The WiSM-2 scales up to 20 Gbps of throughput and supports up to 1,000 centrally-managed access points, a threefold increase in performance and scalability.
Integrated and Virtualized Network Services
Unique to a Cisco environment is that service modules and appliances basically share the same operating system, meaning that there is operational consistency between the two platforms. For example, if an IT architect implements an ASA appliance and ASA-SM, NetOps will experience the same operating system, management and look and feel between the appliance and service module. This consistency allows NetOps to best utilize and manage network services independent of physical packaging and network location, thereby increasing operational efficiency and innovation injection. Thanks to network services being integrated into the Cat6K, and the ability to virtualize services, IT architects are afforded design choices where they can regulate the number of appliances versus service modules in their network by choosing to utilize service modules more over time and obtain their green benefits too. Note that the ASA-SM and ACE-30 can be virtualized or divided between users/groups, thereby extending their reach throughout a corporate network and reducing the number of appliances in the process.
Cat6K with Sup2T Pays to Upgrade to 10GbE
From a pricing point of view, it’s best to think of the Cat6K with Sup2T as the device to transition a campus and mid-range data center network from 1GbE to 10GbE. With 1GbE in the access layer, via upgraded Cat4K with Sup7-E and/or Cat3K / 3750X, connected to a Cat6K with Sup2T in the distribution layer providing 10GbE to the core, Cisco estimates that this configuration will be 20% less costly than a similar configuration utilizing the Sup720 and older versions of the Cat4K and 3K. This design provides for 10GbE between access, distribution and core. In essence, Cisco is paying IT leaders 20% to upgrade to 10GbE with a new generation of switching.
Economics plays a large role in network design. From an economics perspective, Cisco is responding to competitive pressure with new pricing and design options with this Cat6K upgrade. While the Cisco Cat6K Sup2T represents increased performance, what IT business leaders will find is that for typical configurations independent of data center or campus, 1GbE, or 10GbE, the overall cost of a Cat6K network is actually reduced by 20 to 25%. For example, the 48 port 10/100/1000 copper line cards were sold in two versions: centralized and distributed forwarding modes. The centralized forwarding mode is priced at $15K and comes with 256MB of memory, while distributed forwarding is $22.5K. New Ethernet line cards (6800 Series) have Distributed Forwarding Card 4 (DFC4) daughtercards by default and come with 1GB of memory that are priced at the same $15K as the centralized forwarding mode cards, closing the price gap between centralized and distributed forwarding mode to the lower cost centralized pricing. IT architects are offered distributed forwarding performing line cards, which are higher performance throughout the system, at a third of previous generation cards. This is but one important example that demonstrates that the Sup2T is a price reduction over Sup720 around 10GbE.
New Network Design Options and Economics
Campus networking traffic patterns are dominated by north-to-south flows, thanks to the centralization of IT application delivery within data centers. While over time, an increase in east-to-west flows may occur thanks to peer-to-peer applications, north-to-south flows are getting thicker and denser, especially as the industry adopts virtualized desktop computing and real time video communications. These thicker north-to-south flows are being accentuated as more applications are being hosted in corporate data centers and private cloud facilities for IT complexity and cost reduction. At the same time, enterprise mobile computing has skyrocketed with the adoption of iPhones, Android-based devices and iPads. For example, Gartner predicts that 55 million tablets will be sold worldwide by the end of 2011. Thanks to lower power output antennas on these new mobile devices, the density of WLAN APs is also increasing to provide coverage. This is creating a challenge to roam seamlessly without user experience interruption.
Mobile and cloud computing economics and increasing traffic volume are driving a new model for campus networking. It’s a model that seeks to increase wired and wireless network bandwidth, scale logical networking and extend network services such as security throughout the enterprise network via centralized management control methods. It’s a model that also seeks greater visibility and control of flows to optimize performance and apply resources where needed. Network virtualization, where physical network infrastructure is logically segmented to assign different network attributes to various groups/departments/entities, has become a mandatory requirement in some industry segments. And from a design point of view, high reliability needs to be systemic as all corporate productivity is flowing across this IT asset.
For those with Cat6K-based networks, installing the Sup2T offers a range of new network design options and economics. For example, encryption is now embedded and integrated. Network services are increasingly becoming virtualized, offering greater reach, cost effectiveness and lower carbon footprint. 10GbE and 40GbE speeds can be strategically placed where bandwidth is needed. NetOps is offered a common look and feel between appliances and service modules, reducing operational cost and increasing efficiency. Logical networking can scale to support more IPv6, more WLAN APs and users, greater visibility into the network via NetFlow, greater stateful application firewalling, etc. It’s clear that Cisco engineering has made tremendous efforts on security with TrustSec, taking ACLs to the next level, NetFlow’s deeper visibility, network virtualization via MPLS or VPLS for segmentation and bringing parity to IPv6 and IPv4.
Cisco is paying customers to upgrade to both the Cat6K Sup2T and 10GbE. Obviously, there’s additional capital cost to spend to gain the return, but from a historic perspective, the upgrade cost is a fraction of previous switch generations. With the Cat6K Sup2T upgrade, IT business leaders gain a wide range of network services, some of which are mentioned above, that will prove to be invaluable as IT marches on toward an IT delivery model dominated by mobile and cloud computing with nearly everything becoming virtualized.