Release 5.1.6.r01 March 2005
AOS 5.1.6.r01 Overview
• OS8800, OS7000 and OS6600 are on the 5.1.x SW release tree
• OS6800 is on the 5.3.1 SW release tree
• The AOS 5.3.2 release will bring all platforms together under a single release
• This presentation only covers the features specific to the OS8800, OS7000 and OS6600

AOS 5.1.6.r01 Features
• IPv6
• 802.1s
• Multi-netting
• Port monitoring
• SLB probes
• 802.1x multi-client / VLAN
• LPS release
• Extended proxy ARP
• Generic UDP relay
• Traceroute to VRRP interface
Sales e-Business Networking Division
AOS 5.1.6 – IPv6 Introduction
• What
  • First official implementation of IPv6 in AOS
  • Supported platforms: OS-7x00 & OS-8800
  • OS-6600 is not planned for IPv6 support
  • OS-6800 is planned for IPv6 in a future release
• Market drivers for IPv6
  • NA federal government
    • TIC Test 2004 already included an IPv6 test suite
    • US DoD IPv6 migration policy mandate by 2008
  • IPv6 & APAC - different levels of initiative & market maturity
    • China: “Must Have” in most university bids - connection to the IPv6 backbone
    • South Korea: Government initiative to promote IPv6 dissemination across public organizations (IPv6 Strategic Council with Korean carriers)
    • Japan: Officially required by the Japanese Government (2006)

AOS 5.1.6 – IPv6 Introduction
• Benefits
  • Demonstrates Alcatel’s commitment to IPv6
  • Customers wanting to become IPv6 adept can start experimenting
  • Simplification because of stateless configuration
    • IPv6 automatically checks for duplicate IP addresses
    • DHCP no longer required for address assignment, only for address control
  • Bigger address space
    • Goes from 32-bit addresses to 128-bit addresses
AOS 5.1.6 – IPv6 Competitive Overview
• Competitor landscape and evolution
  • Core switch & next-gen systems released after 2003
    • Same hardware for IPv4 / IPv6, no upgrade requirements
    • No price premium for IPv4 / IPv6 migration, progressive software / firmware upgrade
    • Hardware-based performance with extensive feature sets, covering all deployment scenarios
  • Edge and small / medium core switch
    • More diversified landscape
    • Solutions ranging from no IPv6 support at all to solutions including HW and SW support
    • Edge / stack / standalone device form factor
      • IPv6 support coming out on merchant silicon with extensive IPv6 functionality
      • Devices relying on home-grown ASICs (high end, feature rich)

AOS 5.1.6 – IPv6 Competitor Overview
• Foundry Networks
  • Considered one of the key technologies in their technology pitch
  • Implemented on edge / stack to large core platforms
  • Common Ironware feature set across platforms
• Extreme Networks
  • Hasn’t demonstrated any IPv6 features for any platform so far
• Cisco Networks
  • Extensive support in their portfolio with differing levels of performance
    • Cisco Catalyst 6500 - hardware based
    • Cisco Catalyst 4500 - software based (announced hardware-based support coming)
    • Cisco Catalyst 3750 range – indicated as hardware based but CLI missing
AOS 5.1.6 – 802.1s Introduction
• What
  • IEEE standard for Multiple Spanning Tree (M-STP)
  • 802.1s allows a set of VLANs to be mapped to a single Multiple Spanning Tree instance
  • Backward compatible with previous IEEE STP standards
• Benefits
  • RFP requirement – 802.1s requested on tenders
  • Improves network performance through traffic balancing
  • Standards-based interoperability between vendors
  • Reduces the number of STPs by grouping VLANs together

AOS 5.1.6 – Misc. (1)
• Multi-Netting
  • What – multi-netting is when a number of IP subnets are brought together in a single broadcast domain
  • Benefits
    • No longer limited to one IP interface per VLAN (up to 8)
    • Easy network configuration / migration
• Port Monitoring
  • What - captures data on the OS6600 and stores it in Sniffer format on the switch
  • Benefits
    • Remote and local troubleshooting (e.g. looking at ARP frames)
    • Allows local display of the monitored data in real time
• SLB Probes
  • What – health monitoring for load-balanced applications

AOS 5.1.6 – Misc. (2)
• 802.1x Multi-client / VLAN
  • What - provides the capability to force every user behind a given port to be authenticated and allows them to be placed into different VLANs
  • Benefits - allows multiple users to authenticate on a single port instead of only one
• LPS Release
  • What - ability to unlock locked ports with only a single command
  • Benefits – eases management burden
• Extended Proxy ARP Filtering
  • What - ability to block specific IP addresses in the extended proxy ARP process

AOS 5.1.6 – Misc. (3)
• Generic UDP relay
  • What - ability to relay an L2 broadcast (UDP) to a remote unicast destination (NetBIOS over IP)
  • Benefits – brings user-configurable UDP relay to the whole product family
• Traceroute to VRRP Interface
  • What - ability for a VRRP interface to reply to the traceroute command for simplified troubleshooting
  • Benefits - eases management burden
System Engineers e-Business Networking Division
AOS 5.1.6 – IPv6 Reminders
• IPv4 => 32-bit address (ex: 192.168.1.101)
  • ~4,000,000,000 addresses
• IPv6 => 128-bit address (ex: 2002:1::123:4567:89:ABCD:EF)
  • 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 undecillion)
• IPv4 forwarding principles are maintained but software / hardware is heavily impacted
  • While software can be re-written, hardware (ASICs) cannot!

AOS 5.1.6 – IPv6 Implementation
• AOS will comply with all mandatory aspects of ICMPv6 with a base requirements set of:
  • Dual Stack IPv4/IPv6
  • Tunneling
  • ICMPv6
  • Neighbor discovery
  • Stateless auto configuration
  • RIPng
• Dual stack support and IPv6 protocols will support:
  • IPv4, IPv6, or “dual stack” (IPv4 and IPv6)
  • Ability to send or receive locally originated or destined IPv6 frames over any VLAN
  • Switch will operate as if two independent protocol stacks are present
  • ICMPv6 will support the generation of multicast group registration (multicast listener report)
  • Security - admin privileges consistent with IPv4 and mandatory IPv6 security

AOS 5.1.6 – IPv6 Supported Standards (1)
• Dual stack IPv4 / IPv6
  • RFC 2292 – Advanced Sockets API for IPv6
  • RFC 2373 – IPv6 Addressing Architecture
  • RFC 2374 – An IPv6 aggregatable global unicast address format
  • RFC 2460 – IPv6 base specification
  • RFC 2553 – Basic socket interface extensions for IPv6
  • Ping, traceroute, FTP server and telnet server
• ICMPv6
  • RFC 2463 – ICMPv6
• Neighbor Discovery Protocol
  • RFC 2461 – Neighbor Discovery Protocol
• Stateless auto configuration
  • RFC 2462 – Stateless auto configuration
• Routing
  • Static routes
  • RFC 2080 – RIPng

AOS 5.1.6 – IPv6 Supported Standards (2)
• IPv6 over Ethernet
  • RFC 2464 - A method for the transmission of IPv6 packets over Ethernet networks
• Tunneling: configured and 6to4 dynamic tunneling
  • RFC 2893 – Transition mechanisms for IPv6 hosts and routers
  • RFC 3056 – 6to4 dynamic tunneling
• DNS using AAAA records (client)
  • RFC 1886 – DNS extensions to support IP version 6
• MIB support
  • RFC 2452 – IP version 6 management information base for the TCP
  • RFC 2454 – IP version 6 management information base for the UDP
  • RFC 2465 – MIB for IP version 6: Textual conventions and general group
  • RFC 2466 – MIB for IP version 6: ICMPv6 group
AOS 5.1.6 – 802.1s Available Spanning Trees
• Single Spanning Tree (a.k.a. flat mode)
  • Support for IEEE 802.1D-1998
    • One single tree is applied to all VLANs (ignoring VLAN assignment)
  • Support for IEEE 802.1w-2001
    • One single tree is applied to all VLANs (ignoring VLAN assignment)
    • Re-convergence is enhanced compared to IEEE 802.1D-1998
• Multiple Spanning Tree
  • Support of 1x1
    • Each VLAN runs its own flat STP; BPDUs are Q-tagged over Q-links
  • Support for IEEE 802.1s-2002

AOS 5.1.6 – 802.1s Multiple Spanning Tree Definitions
• MST region - switches that share the same attribute values are all considered part of the same MST region.
  • Switches in a region must share the same region name, revision level and VLAN mappings.
  • A single switch can belong to only one MST region at a time.
  • All switches within a region must have the same VLANs assigned to the same MSTI
• CIST - Common and Internal Spanning Tree – used to communicate with other MST regions or bridges running other Spanning Tree Protocols
  • CIST is mandatory
  • By default, all VLANs belong to the CIST instance (0)
• MSTI - Multiple Spanning Tree Instance – a Spanning Tree instance to which VLANs can be mapped.
  • MSTIs are optional, and limited to 16 instances (1 => 16)

AOS 5.1.6 – 802.1s Implementation
• MSTP - Multiple Spanning Tree Protocol
  • Supported on OS8800, OS7000, and OS6600
  • Support for up to 16 802.1s MSTIs per switch
  • OmniSwitch must be in flat mode for 802.1s to be active
• MSTP with RSTP and STP
  • MSTP is designed to interoperate with STP and RSTP bridges seamlessly without additional operational management
• MSTP with 1x1 Spanning Tree
  • MSTP will interact with 1x1 spanning tree bridges only on the default VLAN
  • MSTP will reject tagged BPDUs from a 1x1 Spanning Tree bridge, causing ports on the 1x1 bridge attached to an MSTP bridge to go forwarding for the tagged VLANs
  • Odd behavior might result if the default VLAN differs across more than one link between a 1x1 and an MST bridge
AOS 5.1.6 – 802.1s Overview (1)
• A region is defined by a set of switches sharing the same MSTP configuration
  • This includes the region’s name but also the VLAN assignment to each CIST/MSTI
• Within a region, each VLAN belongs to a single given Spanning Tree instance
  • Either the CIST (default instance) or an MSTI (specific instance)
• Each instance will have its own root bridge and all associated STP parameters (PPC)
[Diagram: MST Region A containing Bridge-1, Bridge-2, Bridge-3 and Bridge-4, with instances CIST, MSTI-1 and MSTI-2]

AOS 5.1.6 – 802.1s Overview (2)
• For the “outside” world, a region is seen as a single virtual bridge
• Between regions, and with legacy regions (non-802.1s bridges), only flat STP is supported
• The CIST is extended to the outside port => CST (basically a flat STP)
[Diagram: MST Region A (Virtual Bridge “A”) and MST Region B (Virtual Bridge “B”) connected to a Legacy Region]

AOS 5.1.6 – 802.1s Configuration
• Set the MST region
• Optionally create MSTIs
  • Any VLAN not assigned to an MSTI will be assigned to the default CIST
• Assign VLANs to MSTIs
  • It is mandatory that, on all bridges within a region, the same list of VLANs is assigned to the same MSTI
  • A violation of this rule will exclude the bridge from the region (it will be considered as another region)
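To make the region rule concrete, here is an added Python example (not Alcatel or AOS code) that computes the MST configuration digest an 802.1s bridge derives from its VLAN-to-MSTI table (HMAC-MD5 over the 4096-entry table with the key fixed by the standard) and compares the full configuration identifier (region name, revision, digest) of three constructed bridges; the bridge names and VLAN mappings are constructed for the demonstration. Because every VLAN feeds into the digest, a single VLAN mapped to a different MSTI on one bridge changes its digest and places that bridge in its own region.

```python
import hashlib
import hmac

# HMAC-MD5 key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti):
    """Return the 16-byte MST configuration digest for a VLAN -> MSTI mapping.

    vlan_to_msti maps VLAN ids (1..4094) to MSTI numbers (1..16); any VLAN
    not listed stays in the CIST (instance 0), as the slides describe.
    """
    # One big-endian 16-bit MSTID per VID, for VIDs 0..4095 (8192 bytes).
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094 or not 0 <= msti <= 16:
            raise ValueError(f"bad mapping VLAN {vid} -> MSTI {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def mst_config_id(region_name, revision, vlan_to_msti):
    """The three values that must all match for bridges to share a region."""
    return (region_name, revision, mst_config_digest(vlan_to_msti).hex().upper())


def same_region(bridge_a, bridge_b):
    """True when two (name, revision, mapping) bridges form one MST region."""
    return mst_config_id(*bridge_a) == mst_config_id(*bridge_b)


# Constructed sample bridges (hypothetical region name and mappings).
BRIDGE_1 = ("RegionA", 1, {10: 1, 20: 1, 30: 2})
BRIDGE_2 = ("RegionA", 1, {10: 1, 20: 1, 30: 2})
BRIDGE_3 = ("RegionA", 1, {10: 1, 20: 2, 30: 2})  # VLAN 20 moved to MSTI 2

if __name__ == "__main__":
    print(mst_config_id(*BRIDGE_1))
    print(same_region(BRIDGE_1, BRIDGE_2), same_region(BRIDGE_1, BRIDGE_3))
```

With an empty mapping (all VLANs in the CIST) the digest is the well-known default value that any 802.1s bridge shows before MSTIs are configured.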
AOS 5.1.6 – Multi-Netting Implementation
• No longer limited to one IP interface per VLAN
  • Up to eight IPs per VLAN (each IP being in a different subnet)
• All existing dynamic routing protocols supported
• VRRP supported
• ACLs supported
• Each IP interface is individually controlled
• The overall limit of IP interfaces per system still applies
  • Single MAC mode: currently 256 for AOS 5.1.4
  • Multiple MAC mode: currently 64 for AOS 5.1.4
• Redundancy and hot swap are persistent
• Feature native to IPv6, as multiple prefixes (equivalent to subnets) can be assigned per VLAN
• Supported on OS8800, OS7000

AOS 5.1.6 – Multi-netting Example
• VLAN IP subnets of:
  • 192.168.10.0/255 & 192.168.11.0/255 & 192.168.12.0/255 & 192.168.13.0/255
• Can route between each of the multi-netted subnets in one VLAN
• Can route between each of the multi-netted subnets in other VLANs
• Broadcast traffic from one subnet will be seen by users in different subnets
  • Broadcast traffic in the 192.168.10.0 network will be seen by users in the 192.168.11.0 network and vice-versa
• Old command: vlan [vid] router ip [ip address] – (no longer supported)
• New command: ip interface [name] address [ip address] vlan [vid]
[Diagram: VLAN 10 carrying subnets 192.168.10.0, 192.168.11.0, 192.168.12.0 and 192.168.13.0, alongside VLAN 20]
AOS 5.1.6 – Port Monitoring Implementation
• Enable port monitoring on a single port in the system
  • One session supported
• Options:
  • Specify the filename (default – pmonitor.enc)
  • Traffic capture options are ingress, egress or bi-directional
• Captured traffic:
  • Stored in a file on the local switch in sniffer format
  • Display monitored data in real time
  • Uploaded to the primary CMM when port monitoring is complete
  • File size limited to 130 Mbytes
• Destinations: console port, local file (compressed header format for display)
• Port monitoring cannot operate with port mirroring
  • Port mirroring and monitoring cannot be done on the same ASIC
• Packets modified identically to port mirroring
• Only supported on OS6600

AOS 5.1.6 – SLB Probes Implementation (1)
• SLB enhancements to provide application monitoring
• Support consists of:
  • Server health monitoring using Ethernet link state detection (existing implementation)
  • Server health monitoring using IPv4 ICMP Ping (existing implementation)
  • Server health monitoring using Content Verification Probe (new implementation)
• Probes – content verification probe customized and sent to the specified application port
  • Basic probe: ping
  • Application probes: ftp, http, https, mail (pop, pops, imap, imaps, smtp), nntp
  • Custom probes: tcp
• Probe’s parameters include
  • period: time interval between two consecutive requests
  • time-out: time before declaring the probing unsuccessful
  • retries: the number of consecutive failed probes needed to declare the server down
• Server states returned include
  • In Service
  • Link Down
  • No Answer
  • Retrying
  • Discovery
• Supported on OS8800 and OS7000

AOS 5.1.6 – SLB Probes Configuration & Operation
• Detection method is user configurable
• Probes have a predetermined round trip time between server and switch
• Delay between probes is user configurable
• Number of failed probes in a row, used to declare the probed server inoperable, is user configurable
• If a server is deemed inoperative, a trap can be generated
• Probes can be configured to monitor clusters or a single server
• A server can be set to “under maintenance” so the probe will not report it as down
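The probe parameters (retries, time-out) and the server states listed above can be tied together in a small monitor; this is an added Python example, not AOS code, and the transition rules it uses (Discovery until the first answer, Retrying while a previously answering server fails, No Answer once retries consecutive probes have failed, maintenance suppressing the down state) are an assumption made for illustration. The custom tcp probe only attempts a TCP connect, which is what the slides describe for the custom probe type.

```python
import socket

# Server states named on the slides.
DISCOVERY, IN_SERVICE, RETRYING, NO_ANSWER = "Discovery", "In Service", "Retrying", "No Answer"


class ServerMonitor:
    """Tracks one load-balanced server from successive probe results.

    The transition rules are an assumption for illustration, not the AOS
    implementation: Discovery until the first answer, Retrying after a failure
    of a server that was answering, No Answer once `retries` consecutive
    probes have failed, and no state change while under maintenance.
    """

    def __init__(self, retries, maintenance=False):
        self.retries = retries        # consecutive failures that declare the server down
        self.maintenance = maintenance
        self.failures = 0
        self.state = DISCOVERY
        self.trap_sent = False        # set when the server is first declared down

    def record(self, success):
        """Apply one probe result and return the resulting state."""
        if self.maintenance:          # under maintenance: never reported as down
            return self.state
        if success:
            self.failures = 0
            self.state = IN_SERVICE
            self.trap_sent = False
            return self.state
        self.failures += 1
        if self.failures >= self.retries:
            if self.state != NO_ANSWER:
                self.trap_sent = True  # the slides: a trap can be generated here
            self.state = NO_ANSWER
        elif self.state == IN_SERVICE:
            self.state = RETRYING
        return self.state


def tcp_probe(host, port, timeout):
    """Custom 'tcp' probe: succeeds when a TCP connection completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def replay(results, retries):
    """Run a constructed sequence of probe outcomes and return the state history."""
    mon = ServerMonitor(retries)
    return [mon.record(r) for r in results]
```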
AOS 5.1.6 – 802.1x Multi-client and Multi-VLAN
• 802.1x Multi-client: provides the capability to force every user behind a given port to authenticate and be placed into their own applicable VLANs
  • Open-global/unique no longer required
    • Previous versions only authenticated one user; the rest were either dropped (open-unique) or processed using mobility rules (open-global), which is no longer supported
  • Different users can use different authentication methods
    • TTLS, TLS, MD5, and PEAP
  • Supported on the OS8800, OS7000 and OS6600
• 802.1x Multi-VLAN: if users authenticate to different VLANs, the switch enforces the placement of these authenticated users into the VLAN(s) returned by the RADIUS or LDAP server
  • If authentication is successful and no VLAN value is returned by the RADIUS server, group mobility rules are applied to classify the MAC into a VLAN
  • Being tested with:
    • Meetinghouse 802.1x client
    • Microsoft 802.1x client
    • Sygate and Funk
  • Supported on the OS8800, OS7000

AOS 5.1.6 – Misc. LPS Release Command & Extended Proxy ARP Filtering
• LPS release command
  • Issue:
    • When a port is locked by LPS, a number of commands are required to release the port
    • or when an LPS port is violated by a MAC address and the administrator wants to authorize it, again a number of commands are required
  • Feature:
    • New command implemented
      -> port-security slot/port release
    • Supported on OS8800, OS7000 and OS6600
• Extended Proxy ARP Filtering
  • Issue:
    • Extended Proxy ARP allows the switch to answer an ARP request with its own MAC address even for the same subnet that the initiating host is sitting on
  • Feature:
    • Ability to block/filter specific IP addresses in the extended proxy ARP process
    • Supported on OS8800 and OS7000

AOS 5.1.6 – Misc. Generic UDP Relay and Traceroute for VRRP
• Generic UDP relay
  • Brings support to the OS-6600
  • Up to three different relays can be defined
• Traceroute for VRRP interface
  • Allows the switch to send notification of the hop count reaching 0
Q & A e-Business Networking Division
IPv6 Limitations
• Software implementation – expected throughput <20 Kpps per Coronado; no packet loss
  • No hardware-based forwarding plane support
• Currently RIPng supported; the future brings OSPFv3 or MP-BGP
• No support for ACLs/QoS
  • Performance is SW based; the next product will provide an HW-based solution
• No support for multicast
  • Including MLD snooping / PIM-SM / PIM-DM
• No support for OS-6600
  • CPU performance would be low, <1k pps
• What to say to customers:
  • This implementation demonstrates Alcatel’s commitment to IPv6 and provides a proof of concept, where the next product will be all HW based