Cisco Nexus 7000 Switch Architecture
RST-3009
TRANSCRIPT
© 2008, Cisco Systems, Inc. All rights reserved. Cisco Public RST-3009
Introduction to Cisco Nexus 7000 Series
10G Aggregation Density: full featured 10G density for aggregating 10G top-of-rack and 10G blade servers (Nexus 7000 at the aggregation layer above top-of-rack switches and blade servers)
10G Core Performance: high performance, highly available 10GE core connectivity (Nexus 7000 at the core layer)
Access 1G/10G to the Host: as virtualisation drives host I/O utilisation, 10G to the host requirements are becoming reality (Nexus 7000 at the access and aggregation layers)
Data Centre Ethernet (DCE) (future): enables new Ethernet capabilities such as lossless Ethernet, L2 multipathing, and FCoE, towards a unified fabric carrying LAN, SAN and IPC traffic
Session Goal
To provide you with a thorough understanding of the Cisco Nexus 7000 switching architecture, I/O module design, packet flows, and key forwarding engine functions.
This session will NOT examine Unified I/O, FCoE, DCE, Nexus 5000, or the NX-OS software architecture.
Related sessions:
RST-2017: NX-OS Software Architecture
DCT-2012: Fibre Channel over Ethernet: First step to Unified Fabric & Introducing Nexus 5000 Architecture
DCT-2007: Evolution of Ethernet in the Data Centre
Agenda
Chassis Architecture
Supervisor Engine Architecture
I/O Module Architecture
Forwarding Engine Architecture
Fabric Architecture
Layer 2 Forwarding
IP Forwarding
IP Multicast Forwarding
ACLs
QoS
NetFlow
Nexus 7010 Chassis (N7K-C7010)
Front and rear views (figure) show: optional locking front doors; system status LEDs; integrated cable management with cover; supervisor slots (5-6); payload slots (1-4, 7-10); air intake with optional filter; air exhaust; crossbar fabric modules; system fan trays; power supplies; fabric fan trays
21RU
ID LEDs on all FRUs
Front-to-back airflow
Locking ejector levers
Common equipment removes from rear
Two chassis per 7' rack
Power and Cooling
6000W AC power supply for Nexus 7000 series chassis (N7K-AC-6.0KW)
Dual inputs at 220/240V or 110/120V
Proportional load-sharing among supplies
Variable speed redundant fans provide system cooling
Redundant system fan trays (N7K-C7010-FAN-S) provide cooling of I/O modules and supervisor engines
Redundant fabric fans (N7K-C7010-FAN-F) provide cooling of crossbar fabric modules
Power Redundancy
Power redundancy mode dictates how system budgets power:
N+1 redundancy – Reserves capacity equal to sum of lowest two power supplies (default)
Grid/input source redundancy – Reserves capacity equal to sum of half capacity of each power supply
Note: power budget and actual power draw are typically not equal! Actual draw ~30% lower than budget under normal operating conditions.
Figure: available power at 220V: 18kW, 12kW with N+1 redundancy, 9kW with grid redundancy (Grid 1 and Grid 2)
Supervisor Engine (N7K-SUP1)
Performs control plane and management functions
Dual-core 1.66GHz Intel Xeon processor with 4GB DRAM
2MB NVRAM, 2GB internal bootdisk, 2 external compact flash slots
Out-of-band 10/100/1000 management interface
Connectivity Management Processor (CMP): always-on Ethernet connectivity for lights-out management
Console & auxiliary serial ports
USB ports for file transfer
Front panel (figure): ID LED, console port, AUX port, management Ethernet, USB ports, CMP Ethernet, reset button, status LEDs, compact flash slots
Management Interfaces
Management Ethernet
10/100/1000 interface used exclusively for system management
Belongs to dedicated “management” VRF
Prevents data plane traffic from entering/exiting from mgmt0 interface
Cannot move mgmt0 interface to another VRF
Cannot assign other system ports to management VRF
Connectivity Management Processor (CMP) Ethernet
Connects to standalone, always-on microprocessor on supervisor engine
Runs lightweight Linux kernel and network stack
Completely independent of DC-OS on main CPU
Provides ‘lights out’ remote management and disaster recovery via 10/100/1000 interface
Removes need for terminal servers
Supervisor Engine Architecture (block diagram)
Main CPU (1.66GHz dual-core, 4GB DRAM) with system controller, 2GB internal CF (slot0:), OBFL flash (log-flash:), 2MB NVRAM and USB
CMP (266MHz, with its own DRAM and flash; the figure labels them 128MB and 16MB) with CMP Ethernet 10/100/1000
Security processor and link encryption
Console, AUX and management Ethernet (10/100/1000) via PHYs
Central arbiter with arbitration paths to modules
Fabric ASIC with n * 23G to fabrics, behind the fabric interface and VOQ
Switched EOBC (1GE EOBC to modules) and switched Gigabit Ethernet (1GE inband)
32-Port 10GE I/O Module (N7K-M132XP-12)
32 10GE ports
SFP+ transceivers
80G full-duplex fabric connectivity
Integrated forwarding engine
4:1 port-level oversubscription
Virtual output queuing (VOQ)
802.1AE LinkSec
32-Port 10GE I/O Module Architecture (block diagram)
Front-panel ports are grouped four per CTS and 4:1 mux: even ports (2,4,6,8; 10,12,14,16; 18,20,22,24; 26,28,30,32) and odd ports (1,3,5,7; 9,11,13,15; 17,19,21,23; 25,27,29,31); each mux feeds a port ASIC at 10G
Port ASICs feed replication engines (each with a MET); internal links are labelled 10G and 23G in the figure
Forwarding engine on the FE daughter card: Layer 2 Engine and Layer 3 Engine
Fabric interface and VOQ, then fabric ASIC with n * 46G to fabrics
LC CPU with EOBC to central arbiter, and inband paths (to port ASIC) and (to LC CPU)
Mezzanine card
Shared versus Dedicated Mode
“Port group” — group of contiguous even or odd ports that share 10G of bandwidth (e.g., ports 1,3,5,7)
Shared mode (rate-mode shared, default): four interfaces in port group share 10G bandwidth to fabric
Dedicated mode (rate-mode dedicated): one interface in port group gets 10G bandwidth to fabric; other three interfaces in port group disabled
Figure: port group 9, 11, 13, 15 shown in both modes
48-Port 10/100/1000 I/O Module (N7K-M148GT-11)
48 10/100/1000 RJ-45 ports
40G full duplex fabric connectivity
Integrated forwarding engine
Virtual output queuing (VOQ)
802.1AE LinkSec
48-Port 10/100/1000 I/O Module Architecture (block diagram)
Front-panel ports in groups of four (1-4, 5-8, 9-12, ... 45-48) with CTS per group, feeding four port ASICs at 12G each
Port ASICs feed two replication engines (each with a MET) over 23G links
Forwarding engine on the FE daughter card: Layer 2 Engine and Layer 3 Engine
Fabric interface and VOQ, then fabric ASIC with n * 46G to fabrics
LC CPU with EOBC to central arbiter, and inband paths (to port ASIC) and (to LC CPU)
Forwarding Engine Hardware
Hardware forwarding engine integrated on every I/O module
60Mpps Layer 2 bridging with hardware MAC learning
60Mpps IPv4 and 30Mpps IPv6 unicast
IPv4 and IPv6 multicast (SM, SSM, bidir)
RACL/VACL/PACLs
Cisco TrustSec security group tag support
Unicast RPF check and IP source guard
QoS remarking and policing policies
Ingress and egress NetFlow (full and sampled)
GRE tunnels
Table sizes optimised for Data Centre:
FIB TCAM: 128K
MAC table: 128K
Classification TCAM (ACL and QoS): 64K
NetFlow table: 512K
Forwarding Engine Architecture
Forwarding engine chipset consists of two ASICs:
Layer 2 Engine: ingress and egress SMAC/DMAC lookups; hardware MAC learning; IGMP snooping and IP-based Layer 2 multicast constraint
Layer 3 Engine: IPv4/IPv6 Layer 3/Layer 4 lookups; FIB, ACL, QoS, NetFlow processing
Linear, pipelined architecture
Forwarding Engine Pipelined Architecture (FE daughter card)
Packet headers arrive from the I/O module replication engine; the final lookup result returns to the I/O module replication engine
Ingress pipeline, Layer 2 Engine: ingress MAC table lookups; IGMP snooping lookups; IGMP snooping redirection
Ingress pipeline, Layer 3 Engine: unicast RPF check; ingress ACL and QoS classification lookups; ingress NetFlow collection; ingress policing; FIB TCAM and adjacency table lookups for Layer 3 forwarding; ECMP hashing; multicast RPF check
Egress pipeline, Layer 3 Engine: egress ACL and QoS classification lookups; egress NetFlow collection; egress policing
Egress pipeline, Layer 2 Engine: egress MAC lookups; IGMP snooping lookups
Forwarding Engine Details
Every packet subjected to both ingress and egress pipeline in forwarding engine
Enabling features does not affect forwarding engine performance
Forwarding engine on INGRESS I/O module performs lookups for both ingress interface/VLAN and egress interface/VLAN
However, forwarding engine on EGRESS I/O module also performs lookups:
Layer 2-only lookup to ensure current MAC table information
Layer 2/3/4 lookups for multicast egress replicated packets
Fabric Module (N7K-C7010-FAB-1)
Nexus 7000 implements multistage crossbar switch fabric
Each fabric module provides 46Gbps per I/O module slot
Up to 230Gbps per slot with 5 fabric modules
Initially shipping I/O modules do not leverage full fabric bandwidth
Maximum 80G per slot with 10G module
Traffic load-sharing across all active fabric modules
Access to fabric controlled using QoS-aware central arbitration with VOQ
Multistage Crossbar Switch Fabric
Three-stage crossbar architecture
Fabric modules form 2nd stage of switch fabric
1st stage crossbar: crossbar fabric ASIC on the ingress I/O module
2nd stage crossbar: crossbar fabric ASICs on fabric modules 1 to 5
3rd stage crossbar: crossbar fabric ASIC on the egress I/O module
Traffic flow (figure): ingress fabric interface and VOQ, ingress I/O module crossbar fabric ASIC, fabric module crossbar fabric ASIC, egress I/O module crossbar fabric ASIC, egress fabric interface and VOQ
Fabric Module Capacity
2 x 23G channels per I/O module slot, i.e., 46Gbps/slot per fabric module
1 x 23G channel per supervisor slot
Per slot bandwidth with 1 to 5 fabric modules: 46Gbps, 92Gbps, 138Gbps, 184Gbps, 230Gbps
I/O Module Capacity
Per slot fabric bandwidth with 1 to 5 fabric modules: 46Gbps, 92Gbps, 138Gbps, 184Gbps, 230Gbps
10/100/1000 module (40G): requires 1 fabric for full bandwidth; requires 2 fabrics for N+1 redundancy
10G module (80G): requires 2 fabrics for full bandwidth; requires 3 fabrics for N+1 redundancy
4th and 5th fabric modules provide additional redundancy and future-proofing
Fabric Module Redundancy
Fabric removal or failure results in reduction of overall system bandwidth
Figure: per slot bandwidth steps from 230Gbps down in 46Gbps increments as fabric modules are removed, against the 80G needed by the 10G module and the 40G needed by the 10/100/1000 module
Fabric Load-Sharing
Ingress fabric interface ASIC knows all active paths through 3-stage crossbar to each destination
Unicast – Pseudo round-robin traffic distribution across all active paths to egress fabric interface ASIC
Multicast – Selects one of the active paths to egress fabric interface ASIC for the packet based on hash algorithm
Figure: between ingress port and egress port the figure shows 2 possible paths at the ingress and egress I/O module stages and 10 possible paths through the five fabric modules
Access to Fabric Bandwidth
Access to fabric controlled using central arbitration
Arbiter ASIC on supervisor engine provides fabric arbitration
Egress module bandwidth represented by Virtual Output Queues (VOQs) at ingress to fabric
What Are VOQs?
Virtual Output Queues (VOQs) on ingress modules represent bandwidth capacity on egress modules
Guaranteed delivery across fabric for arbitrated packets: if VOQ available on ingress, capacity exists at egress
VOQ is NOT equivalent to ingress or egress port buffer or queues; relates ONLY to ASICs at ingress and egress to fabric
VOQ is “virtual” because it represents EGRESS capacity but resides on INGRESS modules
It is PHYSICAL buffer where packets are stored
Benefits of Central Arbitration with VOQ
Ensures priority traffic takes precedence over best-effort traffic across fabric: four levels of priority for each VOQ destination
Ensures fair access to bandwidth for multiple ingress ports transmitting to one egress port: central arbiter ensures all traffic sources get appropriate access to fabric bandwidth, even with traffic sources on different modules
Prevents congested egress ports from blocking ingress traffic destined to other ports: mitigates head-of-line blocking by providing dedicated buffer for individual destinations across the fabric
In future, will provide lossless service for FCoE traffic across the fabric: can provide strict priority and backpressure (blocking instead of dropping) for certain traffic classes, such as SAN traffic
VOQ Destinations
For every “destination” on other modules in system, each module has corresponding VOQ with four priority levels
One VOQ with four priority levels serves one of the following “VOQ destinations” on an egress module:
One front-panel 10G port (dedicated mode) -or-
Four front-panel 10G ports (shared mode) -or-
Twelve front-panel 10/100/1000 ports
Figure: VOQ destinations on a 10G I/O module and on a 10/100/1000 I/O module
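The arbitration behaviour these slides describe, as an added toy model (this is not Cisco code and not how the arbiter ASIC is built): each ingress module keeps one VOQ per (egress destination, priority), and a central arbiter hands out per-destination credits in strict priority order and round-robin across ingress modules. The credit counts per cycle, the priority numbering (0 is highest) and the traffic are constructed assumptions; the run shows priority traffic granted first, a congested egress port A not holding up traffic to port B, and both modules getting a turn at A.

```python
# Added example, not Cisco code: a toy model of central arbitration with VOQs.
# Credit counts, priority numbering (0 = highest) and traffic are constructed.
from collections import defaultdict, deque

PRIORITIES = 4  # four priority levels per VOQ destination


class IngressModule:
    """Ingress I/O module with one VOQ per (egress destination, priority).

    The VOQ is physical buffer on the ingress module that represents
    capacity at the egress destination.
    """

    def __init__(self, name):
        self.name = name
        self.voq = defaultdict(deque)

    def enqueue(self, dest, priority, pkt):
        self.voq[(dest, priority)].append(pkt)

    def backlog(self, dest):
        """Packets still waiting for this destination, all priorities."""
        return sum(len(self.voq[(dest, p)]) for p in range(PRIORITIES))


class CentralArbiter:
    """Per-destination credits handed out in strict priority order and
    round-robin across ingress modules (fairness between modules)."""

    def __init__(self, credits_per_cycle):
        self.base = dict(credits_per_cycle)  # dest -> credits the egress returns each cycle
        self.rr = 0                          # round-robin start pointer

    def cycle(self, modules):
        """One arbitration round; returns the packets granted fabric access."""
        credits = dict(self.base)
        granted = []
        order = modules[self.rr:] + modules[:self.rr]
        for dest in credits:                       # destinations are independent
            for prio in range(PRIORITIES):         # strict priority per destination
                progress = True
                while credits[dest] > 0 and progress:
                    progress = False
                    for m in order:                # one grant per module per pass
                        q = m.voq.get((dest, prio))
                        if q and credits[dest] > 0:
                            granted.append(q.popleft())
                            credits[dest] -= 1
                            progress = True
        self.rr = (self.rr + 1) % len(modules)
        return granted


def demo():
    """Constructed scenario: egress port A is congested (1 credit per cycle),
    egress port B is not (2 credits per cycle)."""
    m1, m2 = IngressModule("mod1"), IngressModule("mod2")
    m1.enqueue("A", 3, "m1->A best-effort 1")
    m1.enqueue("A", 3, "m1->A best-effort 2")
    m1.enqueue("A", 0, "m1->A priority")
    m1.enqueue("B", 3, "m1->B")
    m2.enqueue("A", 3, "m2->A best-effort")
    m2.enqueue("B", 3, "m2->B")
    arbiter = CentralArbiter({"A": 1, "B": 2})
    rounds = [arbiter.cycle([m1, m2]) for _ in range(5)]
    return rounds, m1.backlog("A"), m2.backlog("A")


if __name__ == "__main__":
    for i, granted in enumerate(demo()[0], 1):
        print(f"cycle {i}: {granted}")
```

In the first cycle the priority packet to A goes ahead of the best-effort packets queued earlier, and both packets to B are granted even though A is backed up; the remaining A traffic drains one packet per cycle, alternating between the two modules.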
Layer 2 Forwarding
MAC table is 128K entries (115K effective)
Hardware MAC learning
CPU not directly involved in learning
All modules have copy of MAC table
New learns communicated to other modules via hardware “flood to fabric” mechanism
Software process ensures continuous MAC table sync
Spanning tree (PVRST or MST) ensures loop-free Layer 2 topology
Layer 2 Forwarding Architecture
Layer 2 Forwarding Manager (L2FM) maintains central database of MAC tables
L2FM keeps MAC table on all forwarding engines in sync
L2FM-Client process on I/O modules interfaces between L2FM and hardware MAC table
Figure: L2FM on the supervisor engine; L2FM-C on each I/O module in front of the hardware MAC table
Hardware MAC Learning
n7010# sh processes cpu | egrep PID|l2fm
PID    Runtime(ms)  Invoked    uSecs  1Sec  Process
3848   1106         743970580  0      0     l2fm
n7010# attach mod 9
Attaching to module 9 ...
To exit type 'exit', to abort type '$.'
Last login: Mon Apr 21 15:58:12 2008 from sup02 on pts/0
Linux lc9 2.6.10_mvl401-pc_target #1 Fri Mar 21 23:26:28 PDT 2008 ppc GNU/Linux
module-9# sh processes cpu | egrep l2fm
1544   6396         388173     16     0.0   l2fmc
module-9#
Hardware Layer 2 Forwarding Process
MAC table lookup in Layer 2 Engine based on {VLAN,MAC} pairs
Source MAC and destination MAC lookups performed for each frame
Source MAC lookup drives new learns and refreshes aging timers
Destination MAC lookup dictates outgoing switchport
Layer 2 Forwarding Table Design
MAC table organised as two banks (Bank 1, Bank 2), each 16 pages x 4096 rows: 4K*16*2 = 128K entries of 115 bits
Layer 2 Lookup (figure)
1. Lookup key {VLAN, MAC} generated from the frame (e.g., 10 | 0000.aaaa.aaaa)
2. Key hashed separately for each bank (Bank 1 hash, Bank 2 hash)
3. Each hash selects a row (Bank 1 row, Bank 2 row)
4. Entries in the selected rows compared against the key (Bank 1 holds, e.g., 10 | 0000.aaaa.aaaa, 10 | 0000.bbbb.bbbb, 20 | 0000.cccc.cccc, 30 | 0000.dddd.dddd; Bank 2 holds 40 | 0000.eeee.eeee, 60 | 0000.ffff.ffff, 100 | 0000.abab.abab, 200 | 0000.acac.acac)
5. HIT on the matching entry
6. SMAC lookup updates the entry; DMAC lookup returns the destination interface(s)
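A software model of the two-bank {VLAN, MAC} table and the SMAC/DMAC lookup sequence above, added here as an illustration (it is not Cisco code and does not reproduce the hardware hash). The per-bank hash functions, the flood-on-miss and same-port filter behaviour, the aging policy and the frames fed through it are assumptions; the row and page counts follow the slide.

```python
# Added example, not Cisco code: a software model of the two-bank {VLAN, MAC}
# table and the SMAC/DMAC lookup sequence on the slides. The hash functions,
# flooding on a miss and the aging policy are assumptions.
import hashlib
from dataclasses import dataclass

ROWS = 4096    # rows per bank, as on the "Layer 2 Forwarding Table Design" slide
PAGES = 16     # entries (pages) per row
FLOOD = "flood"


@dataclass
class MacEntry:
    vlan: int
    mac: str
    port: str
    age: int = 0   # seconds since the last SMAC hit


class MacTable:
    def __init__(self):
        self.banks = ({}, {})   # bank -> {row: [MacEntry, ...]}

    @staticmethod
    def row_of(bank, vlan, mac):
        # Assumption: each bank applies its own hash to the {VLAN, MAC} key.
        key = f"{bank}:{vlan}:{mac}".encode()
        return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % ROWS

    def lookup(self, vlan, mac):
        """Hash into both banks and compare every entry in the selected rows."""
        mac = mac.lower()
        for b, bank in enumerate(self.banks):
            for entry in bank.get(self.row_of(b, vlan, mac), []):
                if entry.vlan == vlan and entry.mac == mac:
                    return entry
        return None

    def learn(self, vlan, mac, port):
        """SMAC lookup: a hit refreshes the aging timer (and follows a station
        move); a miss inserts into the first bank with a free page."""
        mac = mac.lower()
        entry = self.lookup(vlan, mac)
        if entry is not None:
            entry.age = 0
            entry.port = port
            return entry
        for b, bank in enumerate(self.banks):
            row = bank.setdefault(self.row_of(b, vlan, mac), [])
            if len(row) < PAGES:
                entry = MacEntry(vlan, mac, port)
                row.append(entry)
                return entry
        raise RuntimeError("both candidate rows full: cannot learn this key")

    def forward(self, vlan, smac, dmac, in_port):
        """One frame: learn from the source, then pick the output from the destination."""
        self.learn(vlan, smac, in_port)
        entry = self.lookup(vlan, dmac)
        if entry is None:
            return FLOOD              # unknown unicast floods within the VLAN
        if entry.port == in_port:
            return None               # destination sits on the receiving port: filter
        return entry.port

    def age(self, seconds, max_age=300):
        """Advance timers; drop entries not refreshed within max_age. Returns the count removed."""
        removed = 0
        for bank in self.banks:
            for row in bank.values():
                keep = []
                for e in row:
                    e.age += seconds
                    if e.age < max_age:
                        keep.append(e)
                    else:
                        removed += 1
                row[:] = keep
        return removed
```

The VLAN is part of the key, so a MAC learned in VLAN 10 is unknown (and floods) in VLAN 20; a later frame from the same MAC on a different port moves the entry rather than creating a duplicate.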
L2 Unicast Packet Flow (figure: ingress port e1/1 on module 1, egress port e2/7 on module 2, fabric modules 1 to 3, central arbiter on the supervisor engine)
Ingress module 1: receive packet from wire; CTS LinkSec decryption and verification; 1st stage ingress queuing and scheduling; submit packet for lookup; Layer 2 SMAC/DMAC lookups; ACL/QoS/NetFlow lookups; 2nd stage ingress queuing and scheduling; queuing and VOQ arbitration request; credit grant for fabric access from the central arbiter; packet transmission; transmit to fabric
Fabric modules: packet transmission through the fabric ASIC
Egress module 2: receive from fabric; return buffer credit; submit packet for egress L2 lookup; Layer 2 only SMAC/DMAC lookup; egress queuing and scheduling; CTS LinkSec encryption; transmit packet on wire
IP Forwarding
Nexus 7000 decouples control plane and data plane
Forwarding tables built on control plane using routing protocols or static configuration
OSPF, EIGRP, IS-IS, RIP, BGP for dynamic routing
Tables downloaded to forwarding engine hardware for data plane forwarding
IP Forwarding Architecture
Routing protocol processes learn routing information from neighbours
IPv4 and IPv6 unicast RIBs calculate routing/next-hop information
Unicast Forwarding Distribution Manager (UFDM) interfaces between URIBs on supervisor and IP FIB on I/O modules
IP FIB process programs forwarding engine hardware on I/O modules
FIB TCAM contains IP prefixes
Adjacency table contains next-hop information
Figure: BGP, OSPF, ISIS, RIP and EIGRP feed URIB/U6RIB on the supervisor engine; UFDM distributes to the IP FIB process on each I/O module, which programs the hardware FIB TCAM and ADJ table
n7010# sh processes cpu | egrep ospf|PID
PID    Runtime(ms)  Invoked    uSecs  1Sec  Process
20944  93           33386880   0      0     ospf
n7010# sh processes cpu | egrep u.?rib
3573   117          44722390   0      0     u6rib
3574   150          34200830   0      0     urib
n7010# sh processes cpu | egrep ufdm
3836   1272         743933460  0      0     ufdm
module-9# sh processes cpu | egrep fib
1534   80042        330725     242    0.0   ipfib
module-9#
Hardware IP Forwarding Process
FIB TCAM lookup based on destination prefix (longest-match)
FIB “hit” returns adjacency, adjacency contains rewrite information (next-hop)
Pipelined forwarding engine architecture also performs ACL, QoS, and NetFlow lookups, affecting final forwarding result
FIB TCAM
128K FIB TCAM entries
FIB TCAM hardware statically partitioned (4.0 release)
FIB TCAM Partitioning:
Protocol | Logical Entries | Physical Entries
IPv4 unicast prefixes | 56K | 56K
IPv4 multicast routes; IPv6 unicast prefixes (shared) | 32K | 64K
IPv6 multicast routes | 2K | 8K
Hardware Adjacency Entries
Contains information about next-hops: outgoing interface, destination MAC address, MTU, etc.
Hardware adjacency table shared among protocols
1M adjacency entries shared between IPv4/IPv6 unicast and IPv4/IPv6 multicast
Individual adjacency table entries are not shared among protocols
For example, same next-hop device for IPv4 and IPv6 will use two adjacency entries
IPv4 FIB TCAM Lookup (figure)
1. Packet arrives with DIP 10.1.1.10
2. Generate lookup key from the destination address
3. Compare the key against the FIB TCAM: /32 entries compare all bits (mask FFFFFFFF; e.g., 10.1.1.2, 10.1.1.3, 10.1.1.4, 10.10.0.10, 10.10.0.100, 10.10.0.33, 10.100.1.1, 10.100.1.2), /24 entries mask the last octet (e.g., 10.1.1.xx, 10.1.2.xx, 10.1.3.xx, 10.10.0.xx, 10.100.1.xx, 10.10.100.xx)
4. HIT on 10.1.1.xx returns the result: an adjacency index
5. Load-sharing hash over the flow data produces an offset
6. Adjacency table entry at index plus offset supplies the rewrite: IF, MACs, MTU
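A software model of the lookup chain on this and the preceding slides (longest-match prefix lookup, a shared adjacency table with one entry per next-hop per protocol, and per-flow ECMP selection with a randomising seed), added as an illustration; it is not Cisco code and does not reproduce the hardware hash. The routes are the ones shown in the slide CLI output, the /32 host route and the MAC for 10.1.1.2 are constructed, and the hash function and seed value are assumptions.

```python
# Added example, not Cisco code: longest-match FIB lookup, a shared adjacency
# table and per-flow ECMP selection as described on the slides. The hash
# function and seed are assumptions; routes come from the slide CLI output.
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Adjacency:
    interface: str
    rewrite_mac: str   # destination MAC written into the frame
    mtu: int = 1500


class Fib:
    def __init__(self, seed=0xEBAE8B9A):   # randomising seed (constructed value)
        self.prefixes = {}      # ip_network -> list of adjacency indexes (ECMP set)
        self.adjacency = []     # index -> Adjacency, shared by all prefixes
        self._adj_index = {}    # (ip version, next-hop) -> index
        self.seed = seed

    def add_adjacency(self, next_hop, interface, mac):
        """One entry per next-hop per protocol: the same device reached over
        IPv4 and over IPv6 gets two entries."""
        nh = ipaddress.ip_address(next_hop)
        key = (nh.version, str(nh))
        if key not in self._adj_index:
            self.adjacency.append(Adjacency(interface, mac))
            self._adj_index[key] = len(self.adjacency) - 1
        return self._adj_index[key]

    def add_route(self, prefix, next_hops):
        net = ipaddress.ip_network(prefix)
        ecmp = self.prefixes.setdefault(net, [])
        for next_hop, interface, mac in next_hops:
            ecmp.append(self.add_adjacency(next_hop, interface, mac))

    def longest_match(self, dst):
        """TCAM-style lookup: among matching prefixes, the longest wins."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net in self.prefixes:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return best

    def flow_hash(self, sip, dip, sport=None, dport=None):
        # Assumption: SHA-256 over seed and flow fields (the real hash is not on the slides).
        data = f"{self.seed:08x}|{sip}|{dip}|{sport}|{dport}".encode()
        return hashlib.sha256(data).digest()[0]

    def forward(self, sip, dip, sport=None, dport=None):
        """Returns (matched prefix, adjacency), or None when no prefix matches."""
        net = self.longest_match(dip)
        if net is None:
            return None
        ecmp = self.prefixes[net]
        offset = self.flow_hash(sip, dip, sport, dport) % len(ecmp)
        return net, self.adjacency[ecmp[offset]]


def build_demo_fib():
    """Routes from the slide CLI output plus a constructed /32 host route;
    the MAC for 10.1.1.2 is constructed."""
    fib = Fib()
    fib.add_route("10.100.7.0/24", [("10.1.2.2", "Ethernet9/2", "0010.9400.0001")])
    fib.add_route("10.200.0.0/16", [("10.1.1.2", "Ethernet9/1", "0010.9400.0002"),
                                    ("10.1.2.2", "Ethernet9/2", "0010.9400.0001")])
    fib.add_route("10.100.7.10/32", [("10.1.1.2", "Ethernet9/1", "0010.9400.0002")])
    return fib
```

Three prefixes reference only two adjacency entries, the /32 wins over the covering /24, and packets of one flow always hash to the same member of the ECMP set, which is the per-flow (not per-packet) load-sharing the slides describe.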
“Routing” versus “Forwarding”
“Routing” information refers to unicast RIB contents in supervisor control plane
“Forwarding” information refers to FIB contents at I/O module
Displaying Routing and Forwarding Information
show routing [ipv4|ipv6] [<prefix>] [vrf <vrf>]
Displays software routing (URIB) information
Can also use traditional show ip route command
show forwarding [ipv4|ipv6] route module <mod> [vrf <vrf>]
Displays routing (FIB) information on per-module basis
show forwarding adjacency module <mod>
Displays hardware adjacency table information on per-module basis
Displaying Routing and Forwarding Information (Cont)
n7010# sh routing ipv4 10.100.7.0/24
IP Route Table for VRF "default"
10.100.7.0/24, 1 ucast next-hops, 0 mcast next-hops
*via 10.1.2.2, Ethernet9/2, [110/5], 00:02:30, ospf-1, type-1
n7010# show forwarding ipv4 route 10.100.7.0/24 module 9
IPv4 routes for table default/base
------------------+------------------+---------------------
Prefix | Next-hop | Interface
------------------+------------------+---------------------
10.100.7.0/24 10.1.2.2 Ethernet9/2
n7010# show forwarding adjacency 10.1.2.2 module 9
IPv4 adjacency information, adjacency count 1
next-hop rewrite info interface
--------------- -------------- ----------
10.1.2.2 0010.9400.0001 Ethernet9/2
n7010#
ECMP Load Sharing
Up to 16 hardware load-sharing paths per prefix
Use maximum-paths command in routing protocols to control number of load-sharing paths
Load-sharing is per-IP flow: no per-packet load-balancing today
Configure load-sharing hash options with ip load-sharing command:
Source and Destination IP addresses (default)
Source and Destination IP addresses plus L4 ports
Destination IP address and L4 port
Additional randomised number added to hash prevents polarisation
Automatically generated or user configurable value
Figure: 10.10.0.0/16 reachable via Rtr-A and via Rtr-B
ECMP Prefix Entry Example
n7010# sh routing ipv4 10.200.0.0
IP Route Table for VRF "default"
10.200.0.0/16, 2 ucast next-hops, 0 mcast next-hops
*via 10.1.1.2, Ethernet9/1, [110/5], 00:03:33, ospf-1, inter
*via 10.1.2.2, Ethernet9/2, [110/5], 00:00:13, ospf-1, inter
n7010# sh forwarding ipv4 route 10.200.0.0 module 9
IPv4 routes for table default/base
------------------+------------------+---------------------
Prefix | Next-hop | Interface
------------------+------------------+---------------------
10.200.0.0/16 10.1.1.2 Ethernet9/1
10.1.2.2 Ethernet9/2
n7010#
Identifying the ECMP Path for a Flow
show routing [ipv4|ipv6] hash <sip> <dip> [<sport> <dport>] [vrf <vrf>]
n7010# sh routing hash 192.168.44.12 10.200.71.188
Load-share parameters used for software forwarding:
load-share type: 1
Randomizing seed (network order): 0xebae8b9a
Hash for VRF "default"
Hashing to path *10.1.2.2 (hash: 0x29), for route:
10.200.0.0/16, 2 ucast next-hops, 0 mcast next-hops
*via 10.1.1.2, Ethernet9/1, [110/5], 00:14:18, ospf-1, inter
*via 10.1.2.2, Ethernet9/2, [110/5], 00:10:58, ospf-1, inter
n7010#
Same hash algorithm applies to both hardware and software forwarding
L3 Unicast Packet Flow (figure: ingress port e1/1 on module 1, egress port e2/7 on module 2, fabric modules 1 to 3, central arbiter on the supervisor engine)
Ingress module 1: receive packet from wire; CTS LinkSec decryption and verification; 1st stage ingress queuing and scheduling; submit packet for lookup; Layer 2 ingress and egress SMAC/DMAC lookups; L3 FIB lookup; ingress/egress ACL/QoS/NetFlow lookups; 2nd stage ingress queuing and scheduling; queuing and VOQ arbitration request; credit grant for fabric access from the central arbiter; packet transmission; transmit to fabric
Fabric modules: packet transmission through the fabric ASIC
Egress module 2: receive from fabric; return buffer credit; submit packet for lookup; Layer 2 only egress SMAC/DMAC lookups; egress queuing and scheduling; CTS LinkSec encryption; transmit packet on wire
IP Multicast Forwarding
Forwarding tables built on control plane using multicast protocols
PIM-SM, PIM-SSM, PIM-Bidir, IGMP, MLD
Tables downloaded to:
Forwarding engine hardware for data plane forwarding
Replication engines for data plane packet replication
IP Multicast Forwarding Architecture
Multicast routing processes learn routing information from neighbours/hosts
IPv4 and IPv6 multicast RIBs calculate multicast routing/RP/RPF/OIL information
Multicast Forwarding Distribution Manager (MFDM) interfaces between MRIBs on supervisor and IP FIB on I/O modules
IP FIB process programs hardware:
FIB TCAM in forwarding engine contains (*,G) and (S,G) forwarding entries and RPF information
Adjacency table in forwarding engine contains MET pointer
MET in replication engines contains OILs
Figure: PIM, IGMP, PIM6, ICMP6, BGP and MSDP feed MRIB/M6RIB on the supervisor engine; MFDM distributes to the IP FIB process on each I/O module, which programs the hardware FIB TCAM, ADJ table and MET
n7010# sh processes cpu | egrep pim|igmp|PID
PID    Runtime(ms)  Invoked    uSecs  1Sec  Process
3842   109          32911620   0      0     pim
3850   133          33279940   0      0     igmp
n7010# sh processes cpu | egrep m.?rib
3843   177          33436550   0      0     mrib
3847   115          47169180   0      0     m6rib
n7010# sh processes cpu | egrep mfdm
3846   2442         743581240  0      0     mfdm
module-9# sh processes cpu | egrep fib
1534   80153        330725     242    0.0   ipfib
module-9#
Hardware Programming
IP FIB process on I/O modules programs hardware:
FIB TCAM: part of Layer 3 Engine ASIC on forwarding engine; consists of (S,G) and (*,G) entries as well as RPF interface
Adjacency Table (ADJ): part of Layer 3 Engine ASIC on forwarding engine; contains MET indexes, packet rewrite data, control fields
Multicast Expansion Table (MET): part of replication engine ASIC on I/O modules; contains output interface lists (OILs), i.e., lists of interfaces requiring replication
ReplicationEngine
Multicast FIB TCAM Lookup
Ingressmulticast
packet header
Compare lookup key to multicast entries in FIB TCAM
FIB TCAM
10.1.1.12, 239.1.1.1
10.1.1.10, 232.1.2.3
10.6.6.10, 239.44.2.1
10.4.7.10, 225.8.8.8
10.1.1.10, 239.1.1.1
GenerateLookup Key
10.1.1.10, 239.1.1.1
Generate TCAM lookup key based on packet header data (source and group IP addresses)
RPF interface;ADJ Index
RPF interface;ADJ Index
RPF interface;ADJ Index
RPF interface;ADJ Index
FIB DRAM
RPF interface;ADJ Index
Hit in FIB returns result in FIB DRAM
Adjacency contains MET index to drive replication
MET Index
MET Index
MET Index
MET Index
Adjacency
MET Index
OIL
OIL
MET
OIL Replication engine uses MET index in lookup result to find correct OIL for replication
HIT!
Replication engine replicates to OIFs specified in MET (one copy per OIF listed)
OIL
FIB DRAM contains RPF interface and index to rewrite data in adjacency table Forwarding Engine
© 2008, Cisco Systems, Inc. All rights reserved.RST-3009
61© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicRST-3009
Multicast Expansion Table (MET)
[Figure: replication engine MET made of MET blocks; entries 0, 1 and 2 are reached via "Index 0/1/2 from ADJ" and each block lists its OIFs; interfaces shown include e4/12, vlan100, e7/1.100, tun0, e4/4, e8/1, po100, vlan777 and e4/3.44]
MET blocks are shared by mroutes with identical fan-out
Displaying Multicast Routing and Forwarding Information
show routing [ipv4|ipv6] multicast [vrf <vrf>] [<source-ip>] [<group-ip>] [summary]
Displays software multicast routing (MRIB) information
Can also use traditional show ip mroute command
show forwarding [ipv4|ipv6] multicast route [source <ip>] [group <ip>] [vrf <vrf>] module <mod>
Displays hardware multicast routing (FIB) information on per-module basis
Displaying Multicast Routing and Forwarding Information (Cont)
n7010# sh routing multicast 10.1.1.2 239.1.1.1
IP Multicast Routing Table for VRF "default"
(10.1.1.2/32, 239.1.1.1/32), uptime: 00:40:31, ip mrib pim
Incoming interface: Ethernet9/1, RPF nbr: 10.1.1.2, internal
Outgoing interface list: (count: 2)
Ethernet9/17, uptime: 00:05:57, mrib
Ethernet9/2, uptime: 00:06:12, mrib
n7010# sh routing multicast 239.1.1.1 summary
IP Multicast Routing Table for VRF "default"
Total number of routes: 202
Total number of (*,G) routes: 1
Total number of (S,G) routes: 200
Total number of (*,G-prefix) routes: 1
Group count: 1, average sources per group: 200.0
Group: 239.1.1.1/32, Source count: 200
Source packets bytes aps pps bit-rate oifs
(*,G) 767 84370 110 0 0 bps 2
10.1.1.2 9917158 1269395810 127 4227 4 mbps 2
10.1.1.3 9917143 1269393890 127 4227 4 mbps 2
10.1.1.4 9917127 1269391824 127 4227 4 mbps 2
<…>
Displaying Multicast Routing and Forwarding Information (Cont)
n7010# sh forwarding ipv4 multicast route group 239.1.1.1 source 10.1.1.2 module 9
(10.1.1.2/32, 239.1.1.1/32), RPF Interface: Ethernet9/1, flags:
Received Packets: 10677845 Bytes: 1366764160
Number of Outgoing Interfaces: 2
Outgoing Interface List Index: 15
Ethernet9/2 Outgoing Packets:432490865 Bytes:55358830720
Ethernet9/17 Outgoing Packets:419538767 Bytes:53700962176
n7010#
Egress Replication
Distributes multicast replication load among replication engines of all I/O modules with OIFs
Input packets get lookup on ingress FE
For OIFs on ingress module, ingress replication engine performs the replication
For OIFs on other modules, ingress replication engine replicates a single copy of packet over fabric to all egress modules
Replication engine on egress module performs replication for local OIFs
[Figure: modules 1 to 4, each with a replication engine and MET, connected through fabric modules with fabric ASICs; the IIF on module 1 yields copies for its local OIF plus a single fabric copy; modules 2, 3 and 4 replicate that copy to their local OIFs]
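The following is an added example (not code from the deck or from NX-OS) that models the multicast forwarding path described on the slides above: an (S,G)/(*,G) FIB TCAM lookup with the RPF check, an adjacency that points at a MET block, MET blocks shared by mroutes with identical fan-out, and egress replication that sends one fabric copy per egress module. The (10.1.1.2, 239.1.1.1) mroute and its interfaces come from the show output above; the interface-to-slot map, the two extra mroutes and the table layouts are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address

# One FIB TCAM row: source is None for a (*,G) entry, otherwise the (S,G) source.
FibEntry = namedtuple("FibEntry", "source group rpf_if adj_index")


class MulticastForwardingEngine:
    """Forwarding engine + replication engine tables for one I/O module (simplified model)."""

    def __init__(self, module_of):
        self.module_of = module_of   # interface name -> slot number (constructed map)
        self.fib_tcam = []           # (S,G) rows ahead of (*,G) rows: most specific first
        self.adj_table = {}          # ADJ index -> MET index
        self.met = {}                # MET index -> OIL (sorted list of interface names)
        self._met_by_oil = {}        # identical fan-out -> shared MET block

    def add_mroute(self, source, group, rpf_if, oil):
        """Program one mroute: reuse a MET block if an mroute with the same
        fan-out already has one, then allocate an adjacency and a TCAM row."""
        fanout = tuple(sorted(oil))
        met_index = self._met_by_oil.get(fanout)
        if met_index is None:
            met_index = len(self.met)
            self.met[met_index] = list(fanout)
            self._met_by_oil[fanout] = met_index
        adj_index = len(self.adj_table)
        self.adj_table[adj_index] = met_index
        src = ip_address(source) if source is not None else None
        self.fib_tcam.append(FibEntry(src, ip_address(group), rpf_if, adj_index))
        # stable sort keeps insertion order within each class, (S,G) before (*,G)
        self.fib_tcam.sort(key=lambda e: e.source is None)

    def lookup(self, src, grp, ingress_if):
        """FIB TCAM lookup keyed on (source, group); the hit gives RPF interface
        and ADJ index, the adjacency gives the MET index, the MET gives the OIL."""
        s, g = ip_address(src), ip_address(grp)
        for entry in self.fib_tcam:
            if entry.group == g and (entry.source is None or entry.source == s):
                if entry.rpf_if != ingress_if:
                    return {"action": "rpf-fail", "entry": entry}
                met_index = self.adj_table[entry.adj_index]
                return {"action": "forward", "entry": entry,
                        "met_index": met_index, "oil": self.met[met_index]}
        return {"action": "miss"}   # no hardware entry: software has to create the state

    def replicate(self, decision, ingress_module):
        """Egress replication: OIFs on the ingress module are replicated locally;
        every other module with OIFs receives exactly one copy over the fabric
        and replicates it to its own OIFs."""
        if decision["action"] != "forward":
            return {"local": [], "fabric_copies": [], "per_module": {}}
        per_module = {}
        for oif in decision["oil"]:
            per_module.setdefault(self.module_of[oif], []).append(oif)
        fabric_copies = sorted(m for m in per_module if m != ingress_module)
        return {"local": per_module.get(ingress_module, []),
                "fabric_copies": fabric_copies, "per_module": per_module}


def build_example_engine():
    """Tables programmed from the (10.1.1.2, 239.1.1.1) mroute in the show
    output above plus two constructed mroutes (assumed, not from the deck)."""
    module_of = {"e9/1": 9, "e9/2": 9, "e9/17": 9, "e4/12": 4, "e7/1.100": 7}
    fe = MulticastForwardingEngine(module_of)
    fe.add_mroute("10.1.1.2", "239.1.1.1", "e9/1", ["e9/2", "e9/17"])
    fe.add_mroute("10.1.1.3", "239.1.1.1", "e9/1", ["e9/17", "e9/2"])      # same fan-out
    fe.add_mroute(None, "239.1.1.1", "e9/1", ["e9/2", "e4/12", "e7/1.100"])  # (*,G)
    return fe


if __name__ == "__main__":
    fe = build_example_engine()
    d = fe.lookup("10.1.1.2", "239.1.1.1", "e9/1")
    print(d["action"], d["met_index"], d["oil"])
    print(fe.replicate(fe.lookup("10.9.9.9", "239.1.1.1", "e9/1"), 9))
```

The two (S,G) mroutes resolve to the same MET index because their OILs are identical, the (*,G) row only matches once no (S,G) row does, and a packet arriving on anything but the RPF interface is reported as an RPF failure rather than replicated.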
L3 Multicast Packet Flow
[Figure: two I/O modules (module 1 with ingress port e1/1, module 2 with egress port e2/7), each with port ASIC, CTS and 4:1 mux, replication engine, forwarding engine (Layer 2 engine and Layer 3 engine), fabric interface and VOQ and fabric ASIC, connected through fabric modules 1, 2 and 3; the stages are labelled as follows]
Ingress module:
Receive packet from wire
CTS LinkSec decryption and verification
1st stage ingress queuing and scheduling
2nd stage ingress queuing and scheduling
Submit packet for lookup
Ingress L2 and IGMP snooping lookups
L3 multicast FIB lookup
Ingress ACL/QoS/NetFlow lookups
Ingress multicast replication
Queuing and transmitting multicast distribution packet to fabric
Packet transmission (through the fabric ASICs)
Egress module:
Receive from multicast fabric plane
Egress multicast replication
Submit packet for lookup
Egress L2 and IGMP snooping lookups
Egress ACL/QoS/NetFlow lookups
Egress queuing and scheduling
CTS LinkSec encryption
Transmit packet on wire
Agenda
Chassis Architecture
Supervisor Engine Architecture
I/O Module Architecture
Forwarding Engine Architecture
Fabric Architecture
Layer 2 Forwarding
IP Forwarding
IP Multicast Forwarding
ACLs
QoS
NetFlow
Security ACLs
Enforce security policies based on Layer 2, Layer 3, and Layer 4 information
Classification TCAM (CL TCAM) provides ACL lookups in forwarding engine
Router ACL (RACL)—Enforced for all traffic crossing a Layer 3 interface in a specified direction
IPv4 RACLs supported
VLAN ACLs (VACLs)—Enforced for all traffic in the VLAN
IPv4, MAC VACLs supported
Port ACLs (PACLs)—Enforced for all traffic input on a Layer 2 interface
IPv4, MAC PACLs supported
Security Group ACLs (SGACLs)—Part of Cisco Trusted Security, enforces policies based on tags
ACL Architecture
[Figure: supervisor engine ACL Manager fed by CLI/XML; each I/O module runs an ACL/QoS client (ACL/QoS-C) that programs the CL TCAM in hardware]
ACL manager receives policy via configuration
ACL manager distributes policies to ACL/QoS Clients on I/O modules
Clients perform ACL merge and program ACEs in Classification (CL) TCAM in forwarding engines
n7010# sh processes cpu | egrep aclmgr|PID
PID   Runtime(ms)  Invoked    uSecs  1Sec  Process
3589  1662         516430000  0      0     aclmgr
module-9# sh processes cpu | egrep aclqos
1532  9885         671437     14     0.0   aclqos
module-9#
Classification TCAM
Hardware-based packet classification for ACLs and QoS
CL TCAM stores entries in hardware
Resources shared between security ACLs and QoS
CL TCAM Entries: Total unique ACEs
LOUs: Logical Operation Units, registers that allow more efficient storage and matching for L4 operations
Labels: Identifies a unique policy configuration applied to an interface or VLAN
L4ops per Label: Number of LOU register pointers a single label can reference
Classification Resources
Resource           Entries
CL TCAM entries    64K (16K/bank)
LOUs               104 (208 registers)
Labels             16K
L4Ops per label    10
Displaying Classification Resources
show system internal access-list resource utilization module <mod>
n7010# sh system internal access-list resource utilization module 9
Hardware Modules Used Free Percent
Utilization
-----------------------------------------------------
Tcam 0, Bank 0 1 16383 0.000
Tcam 0, Bank 1 4121 12263 25.000
Tcam 1, Bank 0 4013 12371 24.000
Tcam 1, Bank 1 4078 12306 24.000
LOU 2 102 1.000
Both LOU Operands 0
Single LOU Operands 2
TCP Flags 0 16 0.000
Protocol CAM 4 3 57.000
Mac Etype/Proto CAM 0 14 0.000
Non L4op labels, Tcam 0 3 6140 0.000
Non L4op labels, Tcam 1 3 6140 0.000
L4 op labels, Tcam 0 0 2047 0.000
L4 op labels, Tcam 1 1 2046 0.000
n7010#
ACL CL TCAM Lookup
Packet header: SIP: 10.1.1.1, DIP: 10.2.2.2, Protocol: TCP, SPORT: 33992, DPORT: 80
Generate TCAM lookup key based on packet header data (source and dest IP addresses, protocol, L4 ports, etc.)
Lookup key (SIP | DIP | Protocol | SPORT | DPORT): 10.1.1.1 | 10.2.2.2 | 06 | 84C8 | 0050
Security ACL:
ip access-list example
permit ip any host 10.1.2.100
deny ip any host 10.1.68.101
deny ip any host 10.33.2.25
permit tcp any any eq 22
deny tcp any any eq 23
deny udp any any eq 514
permit tcp any any eq 80
permit udp any any eq 161
CL TCAM entries (X = "Mask", i.e. don't care) with the results SRAM content of the corresponding ACE:
xxxxxxx | 10.1.2.100 | xx | xxx | xxx   Permit
xxxxxxx | 10.1.68.101 | xx | xxx | xxx  Deny
xxxxxxx | 10.33.2.25 | xx | xxx | xxx   Deny
xxxxxxx | xxxxxxx | 06 | xxx | 0016     Permit
xxxxxxx | xxxxxxx | 06 | xxx | 0017     Deny
xxxxxxx | xxxxxxx | 06 | xxx | 0050     Permit
xxxxxxx | xxxxxxx | 11 | xxx | 00A1     Permit
xxxxxxx | xxxxxxx | 11 | xxx | 0202     Deny
Compare lookup key to ACL entries in CL TCAM (the key is compared against rows such as xxxxxxx | 10.2.2.2 | xx | xxx | xxx and xxxxxxx | xxxxxxx | 06 | xxx | 0050)
HIT! on xxxxxxx | xxxxxxx | 06 | xxx | 0050
Hit in CL TCAM returns contents of results SRAM (Permit)
Result affects final packet handling
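As an added illustration (not code from the deck or from NX-OS), the model below compiles the ACL from the slide into value/mask TCAM rows over the key (SIP | DIP | Protocol | SPORT | DPORT), performs the priority-ordered lookup and returns the results SRAM content. The same value/mask matching applies to the QoS classification lookup on a later slide, where the result is a policer ID or a remark action instead of permit/deny. The ACE syntax handled is only the subset on the slide (permit/deny, ip/tcp/udp, any, host, prefix/len, eq port), and the port-name table is an assumption.

```python
from ipaddress import ip_address, ip_network

PROTO = {"ip": None, "tcp": 6, "udp": 17}
PORT_NAMES = {"telnet": 23, "syslog": 514, "www": 80, "snmp": 161}   # assumed name table


class TcamEntry:
    """One CL TCAM row over the key (SIP, DIP, Protocol, SPORT, DPORT).
    Each field is a (value, mask) pair; mask 0 is the slide's 'x' (don't care)."""

    def __init__(self, sip, dip, proto, sport, dport, action, seq):
        self.fields = (sip, dip, proto, sport, dport)
        self.action = action   # what the results SRAM holds for this row
        self.seq = seq         # ACE sequence number, as in the statistics view

    def matches(self, key):
        return all((k & mask) == value for k, (value, mask) in zip(key, self.fields))


def _parse_addr(toks, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D/len' -> ((value, mask), next index)."""
    if toks[i] == "any":
        return (0, 0), i + 1
    if toks[i] == "host":
        return (int(ip_address(toks[i + 1])), 0xFFFFFFFF), i + 2
    net = ip_network(toks[i], strict=False)
    return (int(net.network_address), int(net.netmask)), i + 1


def compile_acl(text):
    """Compile ACEs (permit|deny ip|tcp|udp <src> <dst> [eq <port>]) into TCAM
    rows in configuration order, which is also the TCAM priority order."""
    entries = []
    for n, line in enumerate(l.strip() for l in text.strip().splitlines()):
        toks = line.split()
        action, proto = toks[0], PROTO[toks[1]]
        sip, i = _parse_addr(toks, 2)
        dip, i = _parse_addr(toks, i)
        proto_field = (0, 0) if proto is None else (proto, 0xFF)
        dport = (0, 0)
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            dport = (PORT_NAMES[name] if name in PORT_NAMES else int(name), 0xFFFF)
        entries.append(TcamEntry(sip, dip, proto_field, (0, 0), dport, action, (n + 1) * 10))
    return entries


def make_key(sip, dip, proto, sport, dport):
    """Lookup key generated from the packet header."""
    return (int(ip_address(sip)), int(ip_address(dip)), proto, sport, dport)


def cl_tcam_lookup(entries, key):
    """Highest-priority matching row wins and its results SRAM content is
    returned; no hit means the implicit deny at the end of the ACL."""
    for e in entries:
        if e.matches(key):
            return e.action, e.seq
    return "deny", None


def render(entry):
    """Row in the slide's notation: masked fields shown as x."""
    sip, dip, proto, sport, dport = entry.fields

    def addr(f):
        return str(ip_address(f[0])) if f[1] else "xxxxxxx"

    def hexf(f, width):
        return f"{f[0]:0{width}X}" if f[1] else "x" * width

    return f"{addr(sip)} | {addr(dip)} | {hexf(proto, 2)} | {hexf(sport, 4)} | {hexf(dport, 4)}"


EXAMPLE_ACL = """
permit ip any host 10.1.2.100
deny ip any host 10.1.68.101
deny ip any host 10.33.2.25
permit tcp any any eq 22
deny tcp any any eq 23
deny udp any any eq 514
permit tcp any any eq 80
permit udp any any eq 161
"""

if __name__ == "__main__":
    acl = compile_acl(EXAMPLE_ACL)
    for e in acl:
        print(render(e), "->", e.action)
    print(cl_tcam_lookup(acl, make_key("10.1.1.1", "10.2.2.2", 6, 33992, 80)))
```

The packet from the slide (TCP to port 80) falls through the three host rows and the port 22 and 23 rows before hitting the port 80 row, which is why row order in the TCAM is the thing an ACL merge has to preserve; a packet matching nothing reaches the implicit deny.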
ACL Statistics
ACL statistics NOT enabled by default
Enable statistics on per-ACL basis using statistics keyword in ACL configuration mode
Use show [ip|mac] access-list to view ACL matches
Use clear [ip|mac] access-list to clear ACL statistics
Displaying ACL Statistics
show [ip|mac|arp] access-lists
n7010# sh ip access example
IP access list example
statistics
10 permit ip any 10.1.2.100/32 [match=3452]
20 deny ip any 10.1.68.101/32 [match=49920]
30 deny ip any 10.33.2.25/32 [match=232324]
40 permit tcp any any eq 22 [match=9881]
50 deny tcp any any eq telnet [match=442]
60 deny udp any any eq syslog [match=87112]
70 permit tcp any any eq www [match=4345667]
80 permit udp any any eq snmp [match=234222]
n7010#
Agenda
Chassis Architecture
Supervisor Engine Architecture
I/O Module Architecture
Forwarding Engine Architecture
Fabric Architecture
Layer 2 Forwarding
IP Forwarding
IP Multicast Forwarding
ACLs
QoS
NetFlow
Quality of Service
Comprehensive LAN QoS feature set
Ingress and egress queuing and scheduling
Applied in I/O module port ASICs
Ingress and egress mutation, classification, marking, policing
Applied in I/O module forwarding engines
All configuration through Modular QoS CLI (MQC)
All QoS features applied using class-maps/policy-maps/service-policies
QoS Architecture
[Figure: supervisor engine QoS Manager fed by CLI/XML; each I/O module runs an ACL/QoS client (ACL/QoS-C) that programs the CL TCAM and the I/O module ASICs in hardware]
QoS manager receives policy via configuration
QoS manager distributes policies to ACL/QoS Clients on I/O modules
Clients perform ACL merge and program hardware:
ACEs in Classification (CL) TCAM in forwarding engines
Queuing policies in I/O module port ASICs
n7010# sh processes cpu | egrep qos|PID
PID   Runtime(ms)  Invoked   uSecs  1Sec  Process
3849  1074         66946870  0      0     ipqosmgr
module-9# sh processes cpu | egrep aclqos
1532  9885         671437    14     0.0   aclqos
module-9#
Port QoS—32-Port 10G Module
Buffers
Ingress (2-stage ingress buffering)
Dedicated mode: 1MB per port + 65MB per port
Shared mode: 1MB per port + 65MB per port group
Egress
Dedicated mode: 80MB per port
Shared mode: 80MB per port-group
Queue structure
8q2t + 2q1t ingress
1p7q4t egress
Dedicated mode: per port
Shared mode: per port-group
10G Module Buffering—Shared Mode
[Figure: port ASIC for port group 2,4,6,8 behind the CTS and 4:1 mux and the replication engine; ingress: 1MB per port (ports 2, 4, 6 and 8) with fixed 2q1t queues (1, 2), then 65MB shared by ports 2,4,6,8 with 8q2t queues (1 to 8); egress: 80MB shared by ports 2,4,6,8 with 1p7q4t queues (1 to 8)]
10G Module Buffering—Dedicated Mode
[Figure: port ASIC for port group 2,4,6,8 with only port 2 in use; ingress: 1MB for port 2 with fixed 2q1t queues (1, 2), then 65MB dedicated to port 2 with 8q2t queues (1 to 8); egress: 80MB dedicated to port 2 with 1p7q4t queues (1 to 8)]
Port QoS—48-Port 10/100/1000
Buffers
7.56MB ingress per port
6.15MB egress per port
Queue structure
2q4t ingress
1p3q4t egress
10/100/1000 Module Buffering
[Figure: port ASIC serving ports 1-12 in groups 1-4, 5-8 and 9-12 through CTS blocks and the replication engine; ingress: 7.6MB per port (ports 1 to 12) with 2q4t queues (1, 2); egress: 6.2MB per port (ports 1 to 12) with 1p3q4t queues (1 to 4)]
Marking and Policing
After classification, traffic can be marked or policed
Marking policies statically set QoS values for each class
Policing performs markdown and/or policing (drop)
Policers use classic token-bucket scheme
Uses Layer 2 frame size when determining rate
Note: policing performed on per-forwarding engine basis
Shared interfaces (such as SVI/EtherChannel) and egress policies could be policed at <policing rate> * <number of forwarding engines>
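An added example, not code from the deck or from NX-OS, of a classic two-rate token-bucket policer of the kind whose counters appear in the show policy-map output later in this section (cir 2 mbps bc 1000 bytes, pir 4 mbps be 1000 bytes; conform transmitted, exceed marked down, violate dropped), charging the Layer 2 frame size. It also demonstrates the per-forwarding-engine caveat stated above: when the same policy is instantiated on each forwarding engine behind a shared interface, the aggregate admitted rate scales with the number of forwarding engines. The RFC 2698-style bucket logic, the frame size and the offered rate are assumptions for the simulation, not the ASIC's implementation.

```python
class TwoRatePolicer:
    """Two-rate, three-colour token bucket: a committed bucket (cir, bc) and a
    peak bucket (pir, be).  Integer arithmetic: time in microseconds, bucket
    contents scaled by SCALE so fractional tokens are not lost."""
    SCALE = 1_000_000

    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        self.cir = cir_bps // 8            # committed rate in bytes per second
        self.pir = pir_bps // 8            # peak rate in bytes per second
        self.bc = bc_bytes * self.SCALE    # committed burst (bucket depth)
        self.be = be_bytes * self.SCALE    # excess burst (bucket depth)
        self.tc, self.te = self.bc, self.be   # both buckets start full
        self.last_us = 0
        self.counters = {"conform": 0, "exceed": 0, "violate": 0}   # bytes per colour

    def police(self, now_us, l2_frame_bytes):
        """Colour one frame. The Layer 2 frame size is what is charged."""
        dt = max(0, now_us - self.last_us)
        self.last_us = now_us
        self.tc = min(self.bc, self.tc + self.cir * dt)
        self.te = min(self.be, self.te + self.pir * dt)
        need = l2_frame_bytes * self.SCALE
        if need > self.te:
            colour = "violate"          # above pir: action drop
        elif need > self.tc:
            colour = "exceed"           # between cir and pir: action markdown
            self.te -= need
        else:
            colour = "conform"          # within cir: action transmit
            self.tc -= need
            self.te -= need
        self.counters[colour] += l2_frame_bytes
        return colour


def offer_stream(policer, offered_bps, l2_frame_bytes, duration_us):
    """Offer a constant-rate stream of equal frames; return bytes per colour."""
    interval_us = l2_frame_bytes * 8 * TwoRatePolicer.SCALE // offered_bps
    for i in range(duration_us // interval_us):
        policer.police(i * interval_us, l2_frame_bytes)
    return dict(policer.counters)


def admitted_bps(counters, duration_us):
    """Conform and exceed traffic is forwarded (exceed is marked down, not dropped)."""
    forwarded_bytes = counters["conform"] + counters["exceed"]
    return forwarded_bytes * 8 * TwoRatePolicer.SCALE // duration_us


def shared_interface_admitted_bps(n_forwarding_engines, offered_bps_per_fe, duration_us=1_000_000):
    """Policer from the show policy-map output (cir 2 mbps bc 1000 bytes, pir 4 mbps
    be 1000 bytes) applied to an SVI or EtherChannel whose members sit on
    n_forwarding_engines: each forwarding engine runs its own instance, so the
    aggregate admitted rate is roughly n * pir here, not pir."""
    total = 0
    for _ in range(n_forwarding_engines):
        policer = TwoRatePolicer(2_000_000, 1000, 4_000_000, 1000)
        counters = offer_stream(policer, offered_bps_per_fe, 500, duration_us)
        total += admitted_bps(counters, duration_us)
    return total


if __name__ == "__main__":
    print("one forwarding engine:", shared_interface_admitted_bps(1, 10_000_000), "bps")
    print("three forwarding engines:", shared_interface_admitted_bps(3, 10_000_000), "bps")
```

With 500-byte frames offered at 10 Mbps, a single instance admits about 4 Mbps (the pir); the same policy spread over three forwarding engines admits about 12 Mbps in total, which is the arithmetic behind the note above.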
QoS CL TCAM Lookup
Packet header: SIP: 10.1.1.1, DIP: 10.2.2.2, Protocol: TCP, SPORT: 33992, DPORT: 80
Generate TCAM lookup key based on packet header data (source and dest IP addresses, protocol, L4 ports, etc.)
Lookup key (SIP | DIP | Protocol | SPORT | DPORT): 10.1.1.1 | 10.2.2.2 | 06 | 84C8 | 0050
QoS Classification ACLs:
ip access-list police
permit ip any 10.3.3.0/24
permit ip any 10.4.12.0/24
ip access-list remark-dscp-32
permit udp 10.1.1.0/24 any
ip access-list remark-dscp-40
permit tcp 10.1.1.0/24 any
ip access-list remark-prec-3
permit tcp any 10.5.5.0/24 eq 23
CL TCAM entries (x = "Mask", i.e. don't care) and results SRAM:
xxxxxxx | 10.3.3.xx | xx | xxx | xxx     Policer ID 1
xxxxxxx | 10.4.24.xx | xx | xxx | xxx    Policer ID 1
10.1.1.xx | xxxxxxx | 11 | xxx | xxx     Remark DSCP 32
10.1.1.xx | xxxxxxx | 06 | xxx | xxx     Remark DSCP 40
xxxxxxx | 10.5.5.xx | 06 | xxx | 0017    Remark IP Prec 3
Compare lookup key to QoS entries in CL TCAM (the key is compared against rows such as xxxxxxx | 10.2.2.xx | xx | xxx | xxx and 10.1.1.xx | xxxxxxx | 06 | xxx | xxx)
HIT! on 10.1.1.xx | xxxxxxx | 06 | xxx | xxx
Hit in CL TCAM returns contents of results SRAM (Remark DSCP 40)
Result affects final packet handling
Monitoring QoS Service Policies
show policy-map interface [[<interface>] [type qos|queuing]]|brief]
n7010# show policy-map interface e9/1
Global statistics status : enabled
Ethernet9/1
Service-policy (qos) input: mark
policy statistics status: enabled
Class-map (qos): udp-mcast (match-all)
432117468 packets
Match: access-group multicast
set dscp cs4
Class-map (qos): udp (match-all)
76035663 packets
Match: access-group other-udp
police cir 2 mbps bc 1000 bytes pir 4 mbps be 1000 bytes
conformed 587624064 bytes, 3999632 bps action: transmit
exceeded 293811456 bytes, 1999812 bps action: set dscp dscp table cir-markdown-map
violated 22511172352 bytes, 153221133 bps action: drop
n7010#
Agenda
Chassis Architecture
Supervisor Engine Architecture
I/O Module Architecture
Forwarding Engine Architecture
Fabric Architecture
Layer 2 Forwarding
IP Forwarding
IP Multicast Forwarding
ACLs
QoS
NetFlow
NetFlow
NetFlow table is 512K entries (490K effective), shared between ingress/egress NetFlow
Hardware NetFlow creation
CPU not involved in NetFlow entry creation/update
All modules have independent NetFlow table
Full and sampled NetFlow supported by hardware
NetFlow Architecture
[Figure: supervisor engine NetFlow Manager fed by CLI/XML; each I/O module runs a NetFlow client (NF-C) that programs the NF table in hardware, where hardware NetFlow creation takes place]
NetFlow manager receives configuration via CLI/XML
NetFlow manager distributes configuration to NetFlow-Clients on I/O modules
NetFlow-Clients apply policy to hardware
n7010# sh processes cpu | egrep nfm|PID
PID    Runtime(ms)  Invoked    uSecs  1Sec  Process
24016  1463         735183570  0      0     nfm
module-9# sh processes cpu | egrep nfp
1538   68842        424290     162    0.0   nfp
module-9#
NetFlow Table
NetFlow “Table” actually consists of three components in forwarding engine:
NetFlow Lookup Table—Contains NetFlow Entry Keys and associated NetFlow Entry Table indexes
NetFlow Entry Table—Contains actual NetFlow flow data
NetFlow Statistics Table—Contains statistics for corresponding flow entries
Forwarding Engine NetFlow Tables
[Figure: NetFlow Lookup Table (512K entries, organised as 4 pages of Entry Key/Index rows), NetFlow Entry Table (512K entries of Flow Data) and NetFlow Statistics Table (512K entries of Statistics)]
NetFlow Lookup
[Figure: lookup walk through the three tables, numbered 1 to 7]
1. Packet flow key: SIP=10.1.1.10, DIP=10.1.2.11, Protocol=TCP (6), SPORT=33992, DPORT=80
2. Hash function applied to the flow key
3. Hash result indexes a row in the Lookup Table
4. Compare all pages of that row (Entry Key) against the flow key; HIT!
5. Matching page gives the index to the NF Entry Table
6. Compare Flow Data in the entry; HIT!
7. Update Stats in the NetFlow Statistics Table
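The walk above, as an added model (not the ASIC design and not NX-OS code): a hash of the 5-tuple picks a Lookup Table row, the row's pages are compared for a matching Entry Key, the winning page's index selects the Entry Table record whose flow data is compared, and the Statistics Table row is updated. Row count, page count, the hash function and the packet records are constructed stand-ins; the model also shows what happens when every page of a row is already occupied, which is the case the page count exists to make rare.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FlowData:
    """NetFlow Entry Table record (flow data)."""
    key: tuple
    first_seen: int
    last_seen: int
    tcp_flags: set = field(default_factory=set)


class NetFlowTable:
    """Lookup Table (rows x pages of Entry Key/Index), Entry Table and
    Statistics Table, all sharing one entry index space."""

    def __init__(self, rows=1024, pages=4):
        self.rows, self.pages = rows, pages
        self.lookup = [[None] * pages for _ in range(rows)]   # (entry_key, index) per page
        self.entries = {}      # index -> FlowData
        self.stats = {}        # index -> {"packets", "bytes"}
        self.misses = 0        # flows not created because their row was full

    @staticmethod
    def hash_row(key, rows):
        """Hash the 5-tuple to a Lookup Table row (stand-in for the ASIC hash)."""
        digest = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
        return int.from_bytes(digest, "big") % rows

    @staticmethod
    def flow_key(packet):
        return (packet["sip"], packet["dip"], packet["proto"], packet["sport"], packet["dport"])

    def update(self, packet, now):
        """Steps 1-7 of the lookup: key, hash, row, compare all pages, index
        into the Entry Table, compare flow data, update statistics."""
        key = self.flow_key(packet)                       # 1
        row = self.lookup[self.hash_row(key, self.rows)]  # 2, 3
        for entry_key, index in (slot for slot in row if slot is not None):   # 4
            if entry_key != key:
                continue
            entry = self.entries[index]                   # 5
            if entry.key != key:                          # 6: flow data mismatch
                continue
            entry.last_seen = now
            entry.tcp_flags |= packet.get("flags", set())
            self.stats[index]["packets"] += 1             # 7
            self.stats[index]["bytes"] += packet["len"]
            return "hit", index
        for page, slot in enumerate(row):                 # miss: create in a free page
            if slot is None:
                index = len(self.entries)
                row[page] = (key, index)
                self.entries[index] = FlowData(key, now, now, set(packet.get("flags", set())))
                self.stats[index] = {"packets": 1, "bytes": packet["len"]}
                return "created", index
        self.misses += 1   # every page of this row is taken: the flow goes unaccounted
        return "full", None


def render_flow(table, index):
    """One entry in the zero-padded style of 'show system internal flow ip'."""
    entry, stats = table.entries[index], table.stats[index]
    sip, dip, proto, sport, dport = entry.key
    pad = lambda ip: ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(sip)} {pad(dip)} {proto:03d}:{sport:05d}:{dport:05d} {stats['packets']:010d}"


# Constructed packet modelled on the first flow in the show output on a later slide.
SAMPLE = {"sip": "10.1.1.2", "dip": "10.1.2.2", "proto": 6,
          "sport": 1024, "dport": 1024, "len": 156, "flags": {"S"}}

if __name__ == "__main__":
    table = NetFlowTable()
    table.update(SAMPLE, 100)
    table.update(dict(SAMPLE, len=200, flags={"A"}), 105)
    print(render_flow(table, 0))
```

Because flow creation happens entirely in this path, the CPU never sees the packets; only the aged entries, handled on a later slide, leave the table.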
Full versus Sampled NetFlow
NetFlow configured per-direction and per-interface
Ingress and/or egress on per-interface basis
Each interface can collect full or sampled flow data
Full NetFlow: accounts for every packet of every flow on interface, up to capacity of NetFlow table
Sampled NetFlow: accounts for M in N packets on interface, up to capacity of NetFlow table
Sampled NetFlow
Random packet-based sampling
M:N sampling: Out of N consecutive packets, select M consecutive packets and account only for those flows in the hardware NetFlow table
Sampled flows aged and exported from NetFlow table normally
Advantages
Reduces NetFlow table utilisation
Reduces CPU load on switch and collector
Disadvantages
Accuracy may be sacrificed—Collector or user must extrapolate total traffic load based on configured sampling rate
NetFlow Aging
Process of removing stale NetFlow entries
Each I/O module CPU ages entries independently
Types of aging
Active—Maximum lifetime for flows (30m by default, 60s minimum)
Inactive—Fixed idle time for flows (15s by default, 15s minimum)
Fast—More aggressive aging of active flows (disabled by default)
Aggressive—Table-utilisation based aging of flows (disabled by default)
Session—Session-based aging (uses TCP FIN/RST flags) (disabled by default)
n7010# sh flow timeout
Flow timeout values
Active timeout: 1800 seconds
Inactive timeout: 15 seconds
Fast timeout: Disabled
Session aging timeout: Disabled
Aggressive aging timeout: Disabled
n7010#
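An added example (not from the deck or from NX-OS) covering the two previous slides together: M:N packet sampling with the extrapolation a collector has to perform, and the active, inactive and session aging timers with the default values shown in the show flow timeout output. The packet timeline is constructed; the sampler uses a fixed start offset where the hardware picks one at random, and fast and aggressive aging are left out because the slide gives no parameters for them.

```python
ACTIVE_TIMEOUT = 1800    # seconds: 30m default maximum lifetime
INACTIVE_TIMEOUT = 15    # seconds: default idle time


class MNSampler:
    """M:N sampling: out of every N consecutive packets, the M consecutive
    packets starting at `offset` are accounted; the rest never reach the table.
    (The hardware picks the start randomly; offset is a fixed stand-in.)"""

    def __init__(self, m, n, offset=0):
        if not 0 < m <= n:
            raise ValueError("need 0 < M <= N")
        self.m, self.n, self.offset, self.count = m, n, offset % n, 0

    def select(self):
        pos = (self.count - self.offset) % self.n
        self.count += 1
        return pos < self.m


def extrapolate(sampled_value, m, n):
    """Collector-side estimate of the total from a sampled count."""
    return sampled_value * n // m


def account(packets, sampler=None):
    """Run packets (time_s, flow_key, tcp_flags, length) through an optional
    sampler into a flow table keyed by 5-tuple."""
    flows = {}
    for t, key, flags, length in packets:
        if sampler is not None and not sampler.select():
            continue
        f = flows.setdefault(key, {"created": t, "last_used": t,
                                   "packets": 0, "bytes": 0, "flags": set()})
        f["last_used"] = t
        f["packets"] += 1
        f["bytes"] += length
        f["flags"] |= flags
    return flows


def age_flows(flows, now, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT, session=False):
    """Return (kept, aged): aged maps a flow key to the timer that removed it.
    Aged entries are what the I/O module CPU hands over for export."""
    kept, aged = {}, {}
    for key, f in flows.items():
        if now - f["created"] >= active:
            aged[key] = "active"            # maximum lifetime reached
        elif now - f["last_used"] >= inactive:
            aged[key] = "inactive"          # idle too long
        elif session and f["flags"] & {"F", "R"}:
            aged[key] = "session"           # TCP FIN/RST seen
        else:
            kept[key] = f
    return kept, aged


FLOW_A = ("10.1.1.2", "10.1.2.2", 6, 1024, 1024)
FLOW_B = ("10.1.1.3", "10.1.2.3", 6, 1024, 1024)


def constructed_packets():
    """Constructed timeline: 100 packets of FLOW_A every 18 s from t=0, and a
    short FLOW_B session at t=1700..1702 that ends with a FIN."""
    pkts = [(i * 18, FLOW_A, set(), 100) for i in range(100)]
    pkts += [(1700, FLOW_B, {"S"}, 60), (1701, FLOW_B, {"A"}, 60), (1702, FLOW_B, {"F", "A"}, 60)]
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    full = account(constructed_packets())
    sampled = account(constructed_packets(), MNSampler(1, 10))
    print("actual:", full[FLOW_A]["packets"], "sampled:", sampled[FLOW_A]["packets"],
          "estimate:", extrapolate(sampled[FLOW_A]["packets"], 1, 10))
    print(age_flows(full, 1800)[1])
```

Two things the numbers show: with 1:10 sampling the short three-packet session is never seen at all and the long flow is estimated at 110 packets instead of 100, and at t=1800 the long flow is removed by the active timer even though it is still sending, while the finished session is removed by the inactive timer (or earlier by session aging when that is enabled).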
Viewing NetFlow Records
n7010# sh system internal flow ip interface e9/1 module 9
D - Direction; IF - Intf/VLAN; L4 Info - Protocol:Source Port:Destination Port
TCP Flags: Ack, Flush, Push, Reset, Syn, Urgent
D IF SrcAddr DstAddr L4 Info PktCnt TCP Flags
-+-----+---------------+---------------+---------------+----------+-----------
I 9/1 010.001.001.002 010.001.002.002 006:01024:01024 0001403880 A . . . S .
I 9/1 010.001.001.003 010.001.002.003 006:01024:01024 0001403880 A . . . S .
I 9/1 010.001.001.004 010.001.002.004 006:01024:01024 0001403880 . . . . S .
<…>
n7010# sh system internal flow ip interface e9/1 detail module 9
D - Direction; IF - Intf/VLAN; L4 Info - Protocol:Source Port:Destination Port
TCP Flags: Ack, Flush, Push, Reset, Syn, Urgent; FR - FRagment; FA - FastAging
SID - Sampler/Policer ID; AP - Adjacency/RIT Pointer
CRT - Creation Time; LUT - Last Used Time; NtAddr - NT Table Address
D IF SrcAddr DstAddr L4 Info PktCnt TCP Flags
-+-----+---------------+---------------+---------------+----------+-----------
ByteCnt TOS FR FA SID AP CRT LUT NtAddr
-------------+---+--+--+-----+--------+-----+-----+--------
I 9/1 010.001.001.002 010.001.002.002 006:01024:01024 0001706722 A . . . S .
0000218460416 000 N Y 0x000 0x000000 02168 02571 0x000331
show system internal flow ip [detail] module <mod>
NetFlow Data Export
[Figure: each I/O module's forwarding engine performs hardware flow creation into its NetFlow table; the LC CPU on each module passes aged flows over the switched EOBC to the supervisor engine main CPU, which generates NetFlow v5 or v9 export packets to the NetFlow collector either via inband (fabric interface and VOQ, fabric ASIC) or via mgmt0 (management Ethernet)]
Viewing Flow Exporter Statistics
n7010# sh flow exporter
Flow exporter nw:
Destination: 172.20.151.12
VRF: management (1)
Destination UDP Port 10000
Source Interface mgmt0 (172.20.151.40)
Export Version 9
Exporter Statistics
Number of Flow Records Exported 988399
Number of Templates Exported 236
Number of Export Packets Sent 22686
Number of Export Bytes Sent 32189280
Number of Destination Unreachable Events 0
Number of No Buffer Events 0
Number of Packets Dropped (No Route to Host) 0
Number of Packets Dropped (other) 0
Number of Packets Dropped (LC to RP Error) 0
Number of Packets Dropped (Output Drops) 0
Time statistics were last cleared: Never
n7010#
show flow exporter [<name>]
Conclusion
You should now have a thorough understanding of the Nexus 7000 switching architecture, I/O module design, packet flows, and key forwarding engine functions…
ANY QUESTIONS?
Q and A
Recommended Reading
Check the Recommended Reading flyer for suggested books
Continue your Cisco Networkers learning experience by visiting the following Demos located in the World of Solutions
World of Solutions Demos
Nexus Range of Switches
Unified Communications Manager, Unity & MeetingPlace 7.0
Cisco Contact Centre Express 7.0
Cisco Wireless & Cisco Motion
Cisco and Ironport Security
Cisco ASR and Triple Play solutions with FTTx and Cisco IPTV
Infiniband and Virtual Blade Switches
Meet the Expert
Make the most of your time at Cisco Networkers by meeting one-on-one with a Cisco Expert. This is an invaluable opportunity so don’t miss out!
Visit the Meeting Centre in the World of Solutions to select your topic of interest, your preferred expert in that field and to set up a specific time to meet onsite.
Complete Your Online Session Evaluation
Win fabulous prizes by giving us your feedback!
Go to the Internet stations located throughout the Convention Centre to complete your session evaluation.