Network Design
Copyright Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, or Hardware provided by Avaya. All content on this site, the documentation and the Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and/or use without the express written consent of Avaya can be a criminal, as well as a civil, offense under the applicable law. Third-party components Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements (Third Party Components), which may contain terms that expand or limit rights to use certain portions of the Product (Third Party Terms). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright. Preventing Toll Fraud Toll fraud is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.
Avaya Toll Fraud Intervention If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support Web site: http://support.avaya.com. Suspected security vulnerabilities with Avaya products should be reported to Avaya by sending mail to: [email protected]. Trademarks The trademarks, logos and service marks (Marks) displayed in this site, the Documentation and Product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation and Product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners, and Linux is a registered trademark of Linus Torvalds. Downloading Documentation For the most current versions of Documentation, see the Avaya Support Web site: http://support.avaya.com. Contact Avaya Support Avaya provides a telephone number for you to use to report problems or to ask questions about your Product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://support.avaya.com.
All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes. Documentation disclaimer Documentation means information published by Avaya in varying mediums which may include product information, operating instructions and performance specifications that Avaya generally makes available to users of its products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User. Link disclaimer Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages. Warranty Avaya provides a limited warranty on its Hardware and Software (Product(s)). Refer to your sales agreement to establish the terms of the limited warranty. 
In addition, Avaya's standard warranty language, as well as information regarding support for this Product while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://support.avaya.com. Please note that if you acquired the Product(s) from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya. Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS YOU AND END USER), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (AVAYA).
January 2012
    Border Gateway Protocol...................................................... 133
        BGP scaling.............................................................. 134
        BGP considerations....................................................... 134
        BGP and other vendor interoperability.................................... 135
        BGP design examples...................................................... 135
        IPv6 BGP+................................................................ 139
    Open Shortest Path First..................................................... 140
        OSPF scaling guidelines.................................................. 141
        OSPF design guidelines................................................... 142
        OSPF and CPU utilization................................................. 142
        OSPF network design examples............................................. 142
    IP routed interface scaling.................................................. 146
    Internet Protocol version 6.................................................. 146
        IPv6 requirements........................................................ 147
        IPv6 design recommendations.............................................. 147
        Transition mechanisms for IPv6........................................... 147
        Dual-stack tunnels....................................................... 147
Chapter 11: SPBM design guidelines............................................... 149
    SPBM IEEE 802.1aq standards compliance....................................... 149
    SPBM 802.1aq standard........................................................ 150
    SPBM provisioning............................................................ 152
    SPBM implementation options.................................................. 152
    SPBM reference architectures................................................. 157
        Campus architecture...................................................... 160
        Multicast architecture................................................... 163
        Large data center architecture........................................... 163
    SPBM scaling and performance capabilities.................................... 168
    SPBM best practices.......................................................... 176
    Migration best practices..................................................... 178
    Restrictions and limitations................................................. 179
Chapter 12: Multicast network design............................................. 183
    General multicast considerations............................................. 183
        Multicast and VRF-lite................................................... 183
        Multicast and Multi-Link Trunking considerations......................... 188
        Multicast scalability design rules....................................... 190
        IP multicast address range restrictions.................................. 191
        Multicast MAC address mapping considerations............................. 192
        Dynamic multicast configuration changes.................................. 194
        IGMPv2 back-down to IGMPv1............................................... 194
        IGMPv3 backward compatibility............................................ 194
        TTL in IP multicast packets.............................................. 195
        Multicast MAC filtering.................................................. 196
        Guidelines for multicast access policies................................. 196
        Split-subnet and multicast............................................... 197
    Layer 2 multicast features................................................... 198
        IGMP snoop and proxy..................................................... 198
        Multicast VLAN Registration (MVR)........................................ 199
        IGMP Layer 2 querier..................................................... 199
    Pragmatic General Multicast guidelines....................................... 200
    Distance Vector Multicast Routing Protocol guidelines........................ 201
        DVMRP scalability........................................................ 201
        DVMRP design guidelines.................................................. 202
        DVMRP timer tuning....................................................... 203
        DVMRP policies........................................................... 203
    Protocol Independent Multicast-Sparse Mode guidelines........................ 208
        PIM-SM and PIM-SSM scalability........................................... 209
        PIM general requirements................................................. 210
        PIM and Shortest Path Tree switchover.................................... 212
        PIM traffic delay and SMLT peer reboot................................... 213
        PIM-SM to DVMRP connection: MBR.......................................... 213
        Circuitless IP for PIM-SM................................................ 217
        PIM-SM and static RP..................................................... 217
        Rendezvous Point router considerations................................... 221
        PIM-SM receivers and VLANs............................................... 223
        PIM network with non-PIM interfaces...................................... 224
    Protocol Independent Multicast-Source Specific Multicast guidelines.......... 225
        IGMPv3 and PIM-SSM operation............................................. 226
        RP Set configuration considerations...................................... 226
        PIM-SSM design considerations............................................ 226
    MSDP......................................................................... 227
        Peers.................................................................... 228
        MSDP configuration considerations........................................ 229
    Static mroute................................................................ 229
    DVMRP and PIM comparison..................................................... 231
        Flood and prune versus shared and shortest path trees.................... 231
        Unicast routes for PIM versus DVMRP own routes........................... 231
        Convergence and timers................................................... 232
        PIM versus DVMRP shutdown................................................ 232
    IGMP and routing protocol interactions....................................... 232
        IGMP and DVMRP interaction............................................... 233
        IGMP and PIM-SM interaction.............................................. 234
    Multicast and SMLT guidelines................................................ 234
        Triangle topology multicast guidelines................................... 235
        Square and full-mesh topology multicast guidelines....................... 236
        SMLT and multicast traffic issues........................................ 236
        PIM-SSM over SMLT/RSMLT.................................................. 239
        Static-RP in SMLT using the same CLIP address............................ 244
    Multicast for multimedia..................................................... 246
        Static routes............................................................ 246
        Join and leave performance............................................... 246
        Fast Leave............................................................... 247
        Last Member Query Interval tuning........................................ 247
    Internet Group Membership Authentication Protocol............................ 248
        IGAP and MLT............................................................. 249
    Management port.............................................................. 299
    Management access control.................................................... 300
    High Secure mode............................................................. 301
    Security and access policies................................................. 301
    RADIUS authentication........................................................ 302
    RADIUS over IPv6............................................................. 304
    TACACS+...................................................................... 304
    Encryption of control plane traffic.......................................... 305
    SNMP header network address.................................................. 306
    SNMPv3 support............................................................... 307
    Other security equipment..................................................... 307
    For more information......................................................... 308
Chapter 16: QoS design guidelines................................................ 309
    QoS mechanisms............................................................... 309
        QoS classification and mapping........................................... 309
        QoS and queues........................................................... 311
        QoS and filters.......................................................... 312
        Policing and shaping..................................................... 314
    Provisioning QoS networks using Advanced filters............................. 315
    QoS interface considerations................................................. 315
        Trusted and untrusted interfaces......................................... 316
        Bridged and routed traffic............................................... 317
        802.1p and 802.1Q recommendations........................................ 317
    Network congestion and QoS design............................................ 318
    QoS examples and recommendations............................................. 319
        Bridged traffic.......................................................... 319
        Routed traffic........................................................... 322
Chapter 17: Customer service..................................................... 325
    Getting technical documentation.............................................. 325
    Getting Product training..................................................... 325
    Getting help from a distributor or reseller.................................. 325
    Getting technical support from the Avaya Web site............................ 325
Appendix A: Hardware and supporting software compatibility....................... 327
Appendix B: Supported standards, RFCs, and MIBs.................................. 333
    IEEE standards............................................................... 333
    IETF RFCs.................................................................... 334
        IPv4 Layer 3/Layer 4 Intelligence........................................ 334
        IPv4 Multicast........................................................... 337
        IPv6..................................................................... 338
        Platform................................................................. 339
        Quality of Service (QoS)................................................. 339
        Network Management....................................................... 339
    Supported network management MIBs............................................ 340
Glossary......................................................................... 345
Notices
Notice paragraphs alert you about issues that require your attention. The following sections describe the types of notices.
Attention notice
Important: An attention notice provides important information regarding the installation and operation of Avaya products.
Safety messages
Electrostatic alert: ESD notices provide information about how to avoid discharge of static electricity and subsequent damage to Avaya products.
Caution notice
Caution: Caution notices provide information about how to avoid possible service disruption or damage to Avaya products.
Features
See the following section for information about feature changes.
Other changes
See the following section for information about changes in release 7.1.3 that are not feature-related.
These levels are based on the software function. A driver is the lowest level of software that actually performs a function. Drivers reside on a single module, do not interact with other modules or external devices, and are very stable.

Multi-Link Trunking (MLT) is a prime example of Local Software because it interacts with several modules within the same device. No external interaction is needed, so you can easily test its function.

Interacting Software is the most complex level of software because it depends on interaction with external devices. The Open Shortest Path First (OSPF) protocol is a good example of this software level. Interaction can occur between devices of the same type or with devices from other vendors that run a completely different implementation.

Based on network problem-tracking statistics, the following is a stability estimation model of a system using these components:

- Hardware and drivers represent a small portion of network problems.
- Local Software represents a more significant share.
- Interacting Software represents the vast majority of the reported issues.
Based on this model, one goal of network design is to off-load the interacting software level as much as possible to the other levels, especially to the hardware level. Therefore, Avaya recommends that you follow these generic rules when you design networks:

- Design networks as simply as possible.
- Provide redundancy, but do not over-engineer your network.
- Use a toolbox to design your network.
- Design according to the product capabilities described in the latest Release Notes.
- Follow the design rules provided in this document and also in the various configuration guides for your switch.
Chassis considerations
This section discusses chassis power and cooling considerations. You must properly power and cool your chassis; otherwise, nonoptimal switch operation can result.
You can use the dual-input 8005DI AC power supply with two single-phase AC sources on different power feeds. To share the two power feeds with the dual-input supply, connect AC source Power Feed 1 to input 1 on the dual-input supply, and then connect AC source Power Feed 2 to input 2 on the dual-input supply. Avaya recommends this configuration because it provides full power feed redundancy. See the following figure.
On the 8005DI AC power supply, the two AC input sources can be out of synchronization with each other, with a different voltage, frequency, phase rotation, and phase angle, as long as the power characteristics of each separate AC input source remain within the range of the manufacturer's specifications.
Chassis cooling
You can use two basic methods to determine the cooling capacity required to cool the switch: use the Avaya Power Supply Calculator Tool to determine the power draw in watts, or use a worst-case power draw.

You can use the Avaya Power Supply Calculator Tool to determine the power draw for a chassis configuration. Use this power draw in the following cooling capacity formula:

Cooling capacity (BTU/hr) = power draw (W) x 3.412

The chassis configuration can affect the switch cooling requirements. If you change the switch configuration, the cooling requirements can also change.

The alternative method is to determine a worst-case power draw for the power supplies, and then use this value in the cooling capacity formula.
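As a quick sanity check, the cooling capacity formula can be expressed in a few lines of Python (an illustrative sketch; the function name is not part of any Avaya tool):

```python
# Conversion factor: 1 watt of dissipated power corresponds to
# approximately 3.412 BTU/hr of heat that the cooling system must remove.
WATTS_TO_BTU_PER_HR = 3.412

def cooling_capacity_btu_per_hr(power_draw_watts):
    """Return the required cooling capacity (BTU/hr) for a given power draw (W)."""
    return power_draw_watts * WATTS_TO_BTU_PER_HR

# Example: a chassis drawing 2280 W needs about 7779 BTU/hr of cooling.
print(round(cooling_capacity_btu_per_hr(2280)))  # prints 7779
```

Remember to recalculate whenever the chassis configuration, and therefore the power draw, changes.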
When using the second method, take into consideration the number of power supplies and redundancy. The worst-case power draw is the maximum power draw of a single supply multiplied by the number of supplies required to operate the system without redundancy. For example, if two 8005AC power supplies power a chassis, and a third is added for redundancy, the worst-case value is the maximum power draw of a single 8005AC power supply times two (the two required power supplies, not three). For the 8005AC power supplies, the actual draw depends on the input voltage. For a nominal input voltage of 110 VAC, the draw is 1140 watts (W); for 220 VAC, the draw is 1462 W. For a three-power-supply system running at 110 VAC, the maximum worst-case power draw is 1140 W x 2, or 2280 W. Therefore this system requires a cooling capacity of approximately 7780 British thermal units per hour (BTU/hr). You also need to consider the cooling requirements of the power supplies themselves. For more information about these specifications, see Avaya Ethernet Routing Switch 8800/8600 Installation AC Power Supply, NN46205-306 and Avaya Ethernet Routing Switch 8800/8600 Installation DC Power Supply, NN46205-307. Add these values to the cooling capacity calculation. For a multiple power supply system, factor the maximum nonredundant number of power supplies into the calculation. You must also consider the type of module installed in the chassis. If you install an RS or 8800 module in the chassis, you must install the high speed cooling modules. If you do not install the high speed cooling modules, the software cannot operate on the module. For information about installing high speed cooling modules, see Avaya Ethernet Routing Switch 8800/8600 Installation Cooling Module, NN46205-302. Design a cooling system with a cooling capacity slightly greater than the calculated value to maintain a safe margin for error and to allow for future growth.
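The worst-case arithmetic above is easy to script. The following is a minimal sketch (the function names are illustrative, not part of any Avaya tool); note that 2280 W x 3.412 works out to about 7779 BTU/hr:

```python
def cooling_capacity_btu_per_hr(power_draw_w):
    """Cooling capacity needed for a given power draw: 1 W = 3.412 BTU/hr."""
    return power_draw_w * 3.412

def worst_case_draw_w(per_supply_draw_w, total_supplies, redundant_supplies):
    """Worst-case draw: per-supply draw times the non-redundant supply count."""
    return per_supply_draw_w * (total_supplies - redundant_supplies)

# Example from the text: three 8005AC supplies at 110 VAC, one redundant.
draw = worst_case_draw_w(1140, 3, 1)             # 2280 W
print(round(cooling_capacity_btu_per_hr(draw)))  # about 7779 BTU/hr
```

If you change the input voltage or supply model, substitute the corresponding per-supply draw and recompute.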
Modules
Use modules to interface the switch to the network. This section discusses design guidelines and considerations for Avaya Ethernet Routing Switch 8800/8600 modules.
SF/CPU modules
The switch fabric/CPU (SF/CPU) module performs intelligent switching and routing. Every chassis must have at least one SF/CPU; for redundancy, install two SF/CPUs. Release 7.0 supports only the 8895 SF/CPU and the 8692 SF/CPU with SuperMezz. The 8692 SF/CPU must be equipped with the Enterprise Enhanced CPU Daughter Card (SuperMezz) for proper functioning with Release 7.0 and later. The 8895 SF/CPU has SuperMezz capabilities built into the module, and so does not support a SuperMezz card. The use of dual 8692 SF/CPU or 8895 SF/CPU modules enables a maximum switch bandwidth of 512 Gbit/s. Dual modules provide redundancy and load sharing between the modules. Split
MultiLink Trunking (SMLT) in the core in a resilient cluster configuration (redundant switch with two 8692 or 8895 SF/CPU modules) can provide over 1 terabit per second (Tbit/s) of core switching capacity. You can install the 8692 or 8895 SF/CPU module in slots 5 or 6 of the 8006, 8010, or 8010co chassis. The 8692 and 8895 SF/CPU modules are supported in slot 3 of the 8003-R chassis. With dual SF/CPUs, you must install the same type of SF/CPU in both slots. You cannot install one type of SF/CPU in one slot, and a different type in the other slot. For example, you cannot install the 8692 SF/CPU in one slot and the 8895 SF/CPU in the other.
Important: Ensure that you are running software release 7.1 or later for the 8800 modules to operate properly. R and RS modules continue to be supported and you can install a mix of R/RS and 8800 modules in the same chassis. Important: You can only replace a module with another module of the same type. For example, you cannot replace a 48 port copper module with a fiber module. You can replace a copper module with another copper module, or a fiber module with another fiber module.
Note: RS and 8800 I/O modules require a High Speed Cooling Module. If the High Speed Cooling Module is not installed in the chassis, these I/O modules will not power on. To help you configure Avaya Ethernet Routing Switch 8800/8600 Ethernet modules, see Avaya Ethernet Routing Switch 8800/8600 Configuration Ethernet Modules, NN46205-503. For module specifications and installation procedures, see Avaya Ethernet Routing Switch 8800/8600 Installation Modules, NN46205-304. For optical transceiver specifications and installation procedures, see Avaya Ethernet Routing Switch 8800/8600 Installation SFP, SFP+, XFP, and OADM Hardware Components, NN46205-320.
RS modules
RS modules include the 8648GTRS, the 8612XLRS, the 8634XGRS, and the 8648GBRS. RS modules provide support for a variety of technologies, interfaces, and feature sets and provide 10 Gbit/s port rates. RS modules require the high-speed cooling module and the 8895 SF/CPU or 8692 SF/CPU with SuperMezz. In chassis equipped with RS modules, you can use 8005AC, 8005DI AC, 8004AC, or 8004DC power supplies. RS modules are interoperable with R modules. The following figure shows typical uses for RS modules.
The 8612XLRS, 8648GBRS, and 8634XGRS modules use a three-lane Distributed Processing Module (DPM) based on the Route Switch Processor (RSP) 2.6 architecture. The 8648GTRS uses a two-lane DPM. The following table provides details about oversubscription rates for each module. Typical network designs use oversubscribed modules at the building distribution layer and nonoversubscribed links to the core. Using oversubscribed modules at the distribution layer is cost-effective as long as the module provides strong built-in packet QoS capabilities, as RS modules do. Table 1: RS module lane oversubscription
Module | Lane oversubscription
8612XLRS | 4:1 (each group of ports [1-4, 5-8, and 9-12] shares a 10GE lane)
8648GBRS | 1.6:1 (each group of ports [1-16, 17-32, and 33-48] shares a 10GE lane)
8634XGRS | Lane 1: 1.6:1; Lane 2: 1.6:1; Lane 3: 2:1 (each group of ports [1-16, 17-32, and 33-34] shares a 10GE lane)
8648GTRS | 2.4:1 (both lanes; each group of ports [1-24 and 25-48] shares a 10GE lane)
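As a sanity check, each ratio in Table 1 is simply the aggregate bandwidth of the ports feeding a lane divided by the 10 Gbit/s lane rate. A quick illustrative sketch:

```python
def oversubscription(ports_per_lane, port_gbps, lane_gbps=10):
    """Ratio of aggregate port bandwidth on a lane to the lane bandwidth."""
    return ports_per_lane * port_gbps / lane_gbps

print(oversubscription(4, 10))  # 8612XLRS: four 10GE ports per lane -> 4.0 (4:1)
print(oversubscription(16, 1))  # 8648GBRS: sixteen 1GE ports per lane -> 1.6 (1.6:1)
print(oversubscription(24, 1))  # 8648GTRS: 24 1GE ports per lane -> 2.4 (2.4:1)
```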
The following XFPs are supported on the 8612XLRS module (DS1404097-E6): 10GBASE-SR, 10GBASE-LR/LW, 10GBASE-LRM, 10GBASE-ER/EW, 10GBASE-ZR/ZW, and 10GBASE DWDM. For more information about XFP specifications, see Avaya Ethernet Routing Switch 8800/8600 Installation SFP, SFP+, XFP, and OADM Hardware Components (NN46205-320).
R modules
R modules provide support for a variety of technologies, interfaces, and feature sets, and provide 1 and 10 Gbit/s port rates. The Avaya Ethernet Routing Switch 8800/8600 supports the following R modules, which require the use of the 8895 SF/CPU or 8692 SF/CPU with SuperMezz:
- 8630GBR: 30-port 1000BASE-X SFP baseboard
- 8648GTR: 48-port 10/100/1000BASE-T
- 8683XLR: 3-port 10GBASE-x XFP baseboard (LAN phy)
- 8683XZR: 3-port 10GBASE-x XFP baseboard (LAN/WAN phy)
R modules are compatible with the 8010, 8010co, 8006, and 8003-R chassis. When installed in a standard slot, R modules offer increased port density. When installed in a high-performance slot or chassis, R modules offer increased port density as well as increased performance. R modules inserted in slots 2 to 4 and slots 7 to 9 of the 8010 10-slot chassis, and in slots 2 to 4 of the 8006 six-slot chassis, operate at high performance. R modules inserted into slots 1 and 10 of the 8010 chassis, and slot 1 of the 8006 chassis, operate at standard performance. For information about relative performance by slot with two fabrics installed in the existing 8010 and 8006 chassis, see the following table.
For maximum switch performance, Avaya recommends that you place R modules in chassis slots 2 to 4 or 7 to 9, as available. A chassis revision with an upgraded High-performance Backplane (HPB) compatible with R modules and supporting high-performance in all slots is available. You can identify the Highperformance Backplane by the chassis revision number. Use the command line interface (CLI) command show sys info or the ACLI command show sys-info to display the revision number. A revision number of 02 or higher in the H/W Config field indicates that the chassis is the high-performance chassis. Chassis Revision A indicates that the chassis is not a high performance chassis and must be upgraded.
8648GTR recommendations
Avaya supports the 8648GTR module in a high-performance slot only; Avaya does not support the 8648GTR in a standard slot. Release 4.1.1 and later allows MLT to run between ports on an 8648GTR and ports on other module types. MLT ports must run at the same speed and with the same interface type, even if they use different input/output (I/O) module types.
Gigabit Ethernet | 10 Gigabit Ethernet
Carrier Sense Multiple Access with Collision Detection (CSMA/CD) and full-duplex | Full-duplex only, no autonegotiation
802.3 Ethernet frame format (includes min/max frame size) | 802.3 Ethernet frame format (includes min/max frame size)
Carrier extension | Throttle MAC speed (rate adapt)
One physical interface | LAN and WAN physical layer interfaces
Optical or copper media | Optical media only
8B/10B encoding | 64B/66B encoding
The 8683 modules have three forwarding engine lanes and three bays for installing 10 Gigabit Small Form Factor Pluggable (XFP) transceivers. Each lane supports 10 Gbit/s bidirectional traffic, and all three ports can run concurrently at 10 Gbit/s. Although the 10GBASE-LR, -ER, and -ZR XFPs support both LAN and WAN modes, the 8683XLR module supports only the LAN mode; the 8683XZR module supports both the LAN and WAN (SONET) modes. The 8683 modules support the following XFPs: 10GBASE-SR, 10GBASE-LR/LW, 10GBASE-LRM, 10GBASE-ER/EW, 10GBASE-ZR/ZW, and 10GBASE DWDM.
For more information about XFP specifications, see Avaya Ethernet Routing Switch 8800/8600 Installation SFP, SFP+, XFP, and OADM Hardware Components (NN46205-320).
10 GbE clocking
Whether you use internal or line clocking depends on the application and configuration. Typically, the default internal clocking is sufficient. Use line clocking on both ends of a 10 GbE WAN connection (line-line) when using SONET/Synchronous Digital Hierarchy (SDH) Add-Drop Multiplexing (ADM) products, such as the Optical Cross Connect DX. This allows the 10 GbE WAN modules to synchronize to a WAN timing hierarchy, and minimizes timing slips. Interworking 10 GbE WAN across an Add-Drop Multiplexer requires the use of an OC-192c/VC-4-64c payload cross-connection device. When connecting 10 GbE modules back-to-back, or through metro (OM5200) or long-haul (LH 1600G) dense Wavelength Division Multiplexing (DWDM) equipment, you can use the timing combinations of internal-internal, line-internal, or internal-line on both ends of the 10 GbE WAN connection. In these scenarios, at least one of the modules provides the reference clock. DWDM equipment does not typically provide sources for timing synchronization. For DWDM, Avaya recommends that you avoid using a line-line combination because it causes an undesired timing loop. The following table describes the recommended clock source settings for 10 GbE WAN interfaces. Use these clock settings to ensure accurate data recovery and to minimize SONET-layer errors. Table 4: Recommended 10GE WAN interface clock settings
Clock source at both ends of the 10 GbE WAN link | Back-to-back with dark fiber or DWDM | SONET/SDH WAN with ADM
internal-internal | Yes | No
internal-line | Yes | No
line-internal | Yes | No
line-line | No | Yes
Maximum supported 8692SF with SuperMezz or 8895SF (R or RS series modules) MAC address table entries VLANs (port- protocol-, and IEEE 802.1Qbased) IP subnet-based VLANs Ports in Link Aggregation Group (LAG, MLT) Aggregation groups 802.3ad aggregation groups Multi Link Trunking (MLT) group SMLT links SLT (single link SMLT) VLANs on SMLT/IST link RSMLT per VLAN RSTP/MSTP (number of ports) MSTP instances Advanced Filters ACLs for each system ACEs for each system ACEs for each ACL ACEs for each port IP, IP VPN/MPLS, IP VPN Lite, VRF Lite IP interfaces (VLAN- and brouter-based) VRF instances ECMP routes VRRP interfaces IP forwarding table (Hardware) BGP/mBGP peers iBGP instances eBGP instances BGP forwarding routes BGP routing information base (RIB) BGP forwarding information base (FIB) 1972 255 5000 255 250 000 250 on GRT on 256 VRFs (including GRT) BGP FIB 250 000 BGP RIB 500 000 4000 1000 1000 2000: 500 inPort 500 inVLAN 500 outPort 500 outVLAN 64 000 32 000 when SMLT is used 4000 800 8 128 128 382 with Max VLAN feature enabled: 2000 32 SMLT links with RSMLT-enabled VLANs 384, with 224 active. Configure the remaining interfaces with Edge mode 32
Maximum supported 8692SF with SuperMezz or 8895SF (R or RS series modules) IP VPN routes (total routes for each system) 180 000 IP VPN VRF instances Static ARP entries Dynamic ARP entries DHCP Relay instances (total for all VRFs) Static route entries OSPF instances for each switch OSPF areas for each switch OSPF adjacencies for each switch OSPF routes OSPF interfaces OSPF LSA packet maximum size RIP instances RIP interfaces RIP routes Multiprotocol Label Switching MPLS LDP sessions MPLS LDP LSPs MPLS RSVP static LSPs Tunnels IP Multicast DVMRP passive interfaces DVMRP active interfaces/neighbors DVMRP routes PIM instances PIM active interfaces PIM passive interfaces PIM neighbors Multicast streams: with SMLT/ without SMLT 1200 80 2500 64 500 (200 for all VRFs) 1972 (2000 for all VRFs) 80 (200 for all VRFs) 2000/4000 200 16 000 200 2500 255 2048 in a VRF 10 000 in the system 32 000 512 2000 in a VRF 10 000 in the system on 64 VRFs (including GRT) 5 in a VRF 24 in the system 80 200 in the system 20 000 in a VRF 50 000 in the system 238 500 in the system 3000 bytes 64 200 2500 in a VRF 10 000 in the system
Maximum supported 8692SF with SuperMezz or 8895SF (R or RS series modules) Multicast streams per port IGMP reports/sec IPv6 IPv6 interfaces IPv6 tunnels IPv6 static routes OSPFv3 areas OSPFv3 adjacencies OSPFv3 routes 250 350 2000 5 80 5000 1000 250
Operations, Administration, and Maintenance
Parameter | Maximum supported
IPFIX | 384 000 flows per chassis
RMON alarms with 4000K memory | 2630
RMON events with 250K memory | 324
RMON events with 4000K memory | 5206
RMON Ethernet statistics with 250K memory | 230
RMON Ethernet statistics with 4000K memory | 4590
Avaya supports only 25 spanning tree groups (STG). Although you can configure up to 64 STGs, configurations of more than 25 STGs are not supported. If you need to configure more than 25 STGs, contact your Avaya Customer Support representative for more information.
Maximum reach
Chromatic dispersion
After you have determined the value of the chromatic dispersion of the fiber, ensure that it is within the limits recommended by the International Telecommunication Union (ITU). ITU-T recommendations G.652, G.653, and G.655 specify the maximum chromatic dispersion coefficient. Assuming a zero-dispersion fiber at 1550 nanometers (nm) and an operating wavelength within 1525 to 1575 nm, the maximum allowed chromatic dispersion coefficient of the fiber is 3.5 ps/(nm-km). The total tolerable dispersion over a fiber span is 16 000 ps at 2.5 Gbit/s, 1000 ps at 10 Gbit/s, and 60 ps at 40 Gbit/s. Using these parameters, you can estimate the achievable link length. Using a 50 nm-wide optical source at 10 Gbit/s, and assuming that the optical fiber is at the 3.5 ps/(nm-km) limit, the maximum link length is 5.7 km. To show how link length, dispersion, and spectral width are related, see the following tables. Table 7: Spectral width and link lengths assuming the maximum of 3.5 ps/(nm-km)
Spectral width (nm) | Maximum link length (km)
1 | 285
10 | 28.5
50 | 5.7
Table 8: Spectral widths and link lengths assuming an average fiber of 1.0 ps/(nm-km)
Spectral width (nm) | Maximum link length (km)
1 | 1000
10 | 100
50 | 20
If your fiber chromatic dispersion is over the limit, you can use chromatic dispersion compensating devices, for example, dispersion compensating optical fiber.
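The link lengths in Tables 7 and 8 follow from dividing the dispersion budget by the product of the dispersion coefficient and the source spectral width. A minimal sketch of that calculation:

```python
def max_link_km(budget_ps, coeff_ps_per_nm_km, spectral_width_nm):
    """Dispersion-limited length: budget / (coefficient x spectral width)."""
    return budget_ps / (coeff_ps_per_nm_km * spectral_width_nm)

# 10 Gbit/s budget of 1000 ps, worst-case fiber at 3.5 ps/(nm-km):
print(round(max_link_km(1000, 3.5, 1), 1))   # 285.7 km (Table 7, first row)
print(round(max_link_km(1000, 3.5, 50), 1))  # 5.7 km
# Average fiber at 1.0 ps/(nm-km):
print(round(max_link_km(1000, 1.0, 50), 1))  # 20.0 km (Table 8)
```

Substitute 16 000 ps or 60 ps for the budget to evaluate 2.5 Gbit/s or 40 Gbit/s links.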
The dispersion of a fiber can change over time and with temperature change. If you measure fiber dispersion, measure it several times at different temperatures to determine the worst-case value. If you do not consider dispersion in your network design, you may experience an increase in the BER of your optical links. If no PMD compensating devices are available and the proposed fiber is over the PMD limit, use a different optical fiber.
Autonegotiation cannot detect the identities of neighbors or shut down misconnected ports. These functions are performed by upper-layer protocols.
CANA
The R and RS modules support Custom Auto-Negotiation Advertisement (CANA). Use CANA to control the speed and duplex settings that the R and RS modules advertise during autonegotiation sessions between Ethernet devices. Links can be established only with the advertised settings, rather than at the highest common supported operating mode and data rate. Use CANA to provide smooth migration from 10/100 Mbit/s to 1000 Mbit/s on host and server connections. Using autonegotiation only, the switch always uses the fastest possible data rates. In scenarios where uplink bandwidth is limited, CANA provides control over negotiated access speeds, and thus improves control over traffic load patterns. CANA is supported on 10/100/1000 Mbit/s RJ-45 ports only. To use CANA, you must enable autonegotiation. Important: If a port belongs to a MultiLink Trunking (MLT) group and CANA is configured on the port (that is, an advertisement other than the default is configured), then you must apply the same configuration to all other ports of the MLT group (if they support CANA). If a 10/100/1000 Mbit/s port that supports CANA is in an MLT group that has 10/100BASE-TX ports, or any other port type that does not support CANA, then use CANA only if it does not conflict with MLT abilities.
Extended CP-Limit
The Extended CP-Limit feature goes one step further than CP-Limit by adding the ability to read buffer congestion at the CPU as well as port-level congestion on the I/O modules. This feature protects the CPU by shutting down the ports that send traffic to the CPU at a rate greater than desired. To use Extended CP-Limit, you must configure it at both the chassis and port level. The network administrator must predetermine the number of ports to be monitored when congestion occurs. Extended CP-Limit can be enabled on all ports in the chassis, but when congestion is detected, Extended CP-Limit monitors the most highly utilized ports in the
chassis. The number of highly utilized ports monitored is configured in the MaxPorts parameter. When configuring Extended CP-Limit at the chassis level, the following parameters are available:
- MinCongTime (Minimum Congestion Time): sets the minimum time, in milliseconds, during which the CPU frame buffers can be oversubscribed before triggering the congestion algorithm.
- MaxPorts (Maximum Ports): sets the total number of ports that need to be analyzed from the may-go-down port list.
- PortCongTime (Port Congestion Time): sets the maximum time, in seconds, during which the bandwidth utilization on a port can exceed the threshold. When this timer is exceeded, the port is disabled. This parameter is only used by SoftDown.
- TrapLevel: sets the manner in which an SNMP trap is sent if a port becomes disabled. None: no traps are sent (default value). Normal: sends a single trap if ports are disabled. Verbose: sends a trap for each port that becomes disabled.
When configuring ext-cp-limit at the port level, the following parameters are available:
- HardDown: disables the port immediately after the CPU frame buffers are congested for a certain period of time.
- SoftDown: monitors the CPU frame buffer congestion and the port congestion time for a specified time interval; the ports are only disabled if the traffic does not subside after the time is exceeded. The network administrator can configure the maximum number of SoftDown ports to be monitored.
- CplimitUtilRate: defines the percentage of link bandwidth utilization to set as the threshold for the PortCongTime. This parameter is only used by SoftDown.
The following figures detail the flow logic of the HardDown and SoftDown operation of Extended CP-Limit.
For information about using CP-Limit and Extended CP-Limit with SLPP and VLACP, see SLPP, Loop Detect, and Extended CP-Limit on page 109. For more information about CP-Limit and Extended CP-Limit, see Avaya Ethernet Routing Switch 8800/8600 Administration, NN46205-605.
The Avaya optical routing system supports both ring and point-to-point configurations. The optical routing system includes the following parts:
- CWDM SFPs
- CWDM SFP+s
- Optical add/drop multiplexers (OADM)
- Optical multiplexer/demultiplexers (OMUX)
- Optical shelf to house the multiplexers
OADMs drop or add a single wavelength from or to an optical fiber. The following table describes the parts of the optical routing system and the color matching used. The compatible optical shelf part number is AA1402001-E5. Table 12: Parts of the optical routing system
Wavelength (color) | SFP/SFP+ part numbers | OADM part number
1470 nm (Gray) | AA1419025-E5 (up to 40 km SFP), AA1419033-E5 (up to 70 km SFP), AA1419053-E6 (up to 40 km DDI SFP), AA1419061-E6 (up to 70 km DDI SFP) | AA1402002-E5
1490 nm (Violet) | AA1419026-E5 (up to 40 km SFP), AA1419034-E5 (up to 70 km SFP), AA1419054-E6 (up to 40 km DDI SFP), AA1419062-E6 (up to 70 km DDI SFP) | AA1402003-E5
1510 nm (Blue) | AA1419027-E5 (up to 40 km SFP), AA1419035-E5 (up to 70 km SFP), AA1419055-E6 (up to 40 km DDI SFP), AA1419063-E6 (up to 70 km DDI SFP) | AA1402004-E5
1530 nm (Green) | AA1419028-E5 (up to 40 km SFP), AA1419036-E5 (up to 70 km SFP), AA1419056-E6 (up to 40 km DDI SFP), AA1419064-E6 (up to 70 km DDI SFP) | AA1402005-E5
1550 nm (Yellow) | AA1419029-E5 (up to 40 km SFP), AA1419037-E5 (up to 70 km SFP), AA1419057-E6 (up to 40 km DDI SFP), AA1419065-E6 (up to 70 km DDI SFP), AA1403013-E6 (up to 40 km SFP+) | AA1402006-E5
1570 nm (Orange) | AA1419030-E5 (up to 40 km SFP), AA1419038-E5 (up to 70 km SFP), AA1419058-E6 (up to 40 km DDI SFP), AA1419066-E6 (up to 70 km DDI SFP) | AA1402007-E5
1590 nm (Red) | AA1419031-E5 (up to 40 km SFP), AA1419039-E5 (up to 70 km SFP), AA1419059-E6 (up to 40 km DDI SFP), AA1419067-E6 (up to 70 km DDI SFP) | AA1402008-E5
1610 nm (Brown) | AA1419032-E5 (up to 40 km SFP), AA1419040-E5 (up to 70 km SFP), AA1419060-E6 (up to 40 km DDI SFP), AA1419068-E6 (up to 70 km DDI SFP) | AA1402011-E5
OMUX-4 part number: AA1402010-E5. OMUX-8 part number: AA1402009-E5.
For more information about multiplexers, SFPs and SFP+s, including technical specifications and installation instructions, see Avaya Ethernet Routing Switch 8800/8600 Installation SFP, SFP+, XFP, and OADM Hardware Components, NN46205-320.
Multiplexer applications
Use OADMs to add and drop wavelengths to and from an optical fiber. Use multiplexers to combine up to eight wavelengths on a single fiber. This section describes common applications for the OADM and OMUX.
Navigation
- OADM ring on page 44
- Optical multiplexer in a point-to-point application on page 45
- OMUX in a ring on page 46
OADM ring
The OADM removes (or adds) a specific wavelength from an optical ring and passes it to (or from) a transceiver (SFP/SFP+) of the same wavelength, leaving all other wavelengths on the ring undisturbed. OADMs are set to one of eight supported wavelengths. Important: The wavelength of the OADM and the corresponding transceiver must match. The following figure shows an example of two separate fiber paths in a ring configuration traveling in opposite (east/west) directions into the network.
For information about calculating network transmission distance, see Transmission distance on page 47.
are installed in a chassis. The OMUX on the left is called the east path, and the OMUX on the right is called the west path.
OMUX in a ring
OMUXs are also used at the hub site in OMUX-based ring applications. (For more information, see Figure 7: OADM ring configuration example on page 45.) Two OMUXs are installed in the optical shelf at the central site to create an east and a west fiber path. The east OMUX terminates all the traffic from the east equipment port of each OADM on the ring, and the west OMUX terminates all of the traffic from the west equipment port of each OADM on the ring. In this configuration, the network remains viable even if the fiber is broken at any point on the ring.
Transmission distance
To ensure proper network operation, given your link characteristics, calculate the maximum transmission distance for your fiber link.
Navigation
- Reach and optical link budget on page 47
- Reach calculation examples on page 47
SFP+, XFP, and OADM Hardware Components (NN46205-320). Multiplexer loss values include connector loss. Attenuation of 0.25 dB/km is used, but the typical attenuation at 1550 nm is about 0.20 dB/km. Ensure that you use the appropriate value for your network. Table 13: Assumptions used in calculating maximum transmission distance
Parameter | Value
Cable | Single mode fiber (SMF)
Repair margin | 0 dB
Maximum link budget | 30 dB
System margin | 3 dB (allowance for miscellaneous network loss)
Fiber attenuation | 0.25 dB/km
Operating temperature | 0 to 40°C (32 to 104°F)
CWDM OADM expected loss | Use OADM specifications
CWDM OMUX expected loss | Use OMUX specifications
To calculate the maximum transmission distance for a proposed network configuration:
1. Identify all points where signal strength is lost.
2. Calculate, in dB, the expected loss for each point.
3. Find the total passive loss by adding the expected losses together.
4. Find the remaining signal strength by subtracting the passive loss and system margin from the total system budget.
5. Find the maximum transmission distance by dividing the remaining signal strength by the expected fiber attenuation in dB/km.
The Ethernet switch does not have to be near the OMUX, and the OMUX does not regenerate the signal. Therefore, the maximum transmission distance is from transceiver to transceiver. The following table shows typical loss values used to calculate the transmission distance for the point-to-point network. Table 14: Point-to-point signal loss values
Parameter | Value
Loss budget | 30 dB
OMUX-8 mux loss | 3.5 dB
OMUX-8 demux loss | 4.5 dB
System margin | 3.0 dB
Fiber attenuation | 0.25 dB/km
The equations and calculations used to determine maximum transmission distance for the point-to-point network example are:
Passive loss = mux loss + demux loss
Implied fiber loss = loss budget - passive loss - system margin
Maximum transmission distance = implied fiber loss / attenuation
In this case:
Passive loss = 3.5 + 4.5 = 8.0 dB
Implied fiber loss = 30 - 8 - 3 = 19 dB
Maximum reach = (19 dB) / (0.25 dB/km) = 76 km
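The point-to-point arithmetic above can be scripted directly. A minimal sketch of the same calculation:

```python
def max_reach_km(loss_budget_db, passive_loss_db, margin_db=3.0, atten_db_per_km=0.25):
    """Reach = (budget - passive loss - system margin) / fiber attenuation."""
    implied_fiber_loss = loss_budget_db - passive_loss_db - margin_db
    return implied_fiber_loss / atten_db_per_km

# OMUX-8 mux (3.5 dB) plus demux (4.5 dB) loss against a 30 dB budget:
print(max_reach_km(30, 3.5 + 4.5))  # 76.0 km
```

Use the measured attenuation for your fiber (for example, 0.20 dB/km at 1550 nm) instead of the 0.25 dB/km planning value where appropriate.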
As the signal passes from point A to point B (the most remote points in the mesh ring network example), the signal loses intensity in the fiber optic cable and in each connection between the individual OADMs and transceivers. The following factors determine the mesh ring link budget and the transmission distance for the network:
- OADM insertion loss for the Add port
- OADM insertion loss for the Drop port
- OADM insertion loss for the Through port at intermediate nodes
- Fiber attenuation of 0.25 dB/km
The maximum transmission distance is from transceiver to transceiver. The number of OADMs that can be supported is based on loss budget calculations.
The following table shows the typical loss values used to calculate the transmission distance for the mesh ring network example. Table 15: Mesh ring signal loss values
Parameter | Value
Loss budget | 30 dB
OADM insertion loss for Add port | 1.9 dB
OADM insertion loss for Through port | 2.0 dB
OADM insertion loss for Drop port | 2.3 dB
System margin | 3.0 dB
Fiber attenuation | 0.25 dB/km
The equations and calculations used to determine the maximum transmission distance for this network example are:
Passthrough nodes = nodes - 2
Passive loss = OADM add + OADM drop + (passthrough nodes * OADM passthrough loss)
Implied fiber loss = loss budget - passive loss - system margin
Maximum transmission distance = implied fiber loss / attenuation
In this case:
Passthrough nodes = 8 - 2 = 6 nodes
Passive loss = 1.9 + 2.3 + (6 * 2.0) = 16.2 dB
Implied fiber loss = 30 - 16.2 - 3 = 10.8 dB
Maximum reach = (10.8 dB) / (0.25 dB/km) = 43.2 km
As the signal passes from point A to point B (the most remote points), it loses intensity in the fiber optic cable, and in each connection between the individual OADMs, the OMUX-8, and the transceivers. The number of OADMs that can be supported is based on the loss budget calculations. The following table shows typical loss values used to calculate the transmission distance for the hub and spoke network. Table 16: Hub and spoke signal loss values
Parameter | Value
Loss budget | 30 dB
OADM insertion loss for Add port | 1.9 dB
OADM insertion loss for Through port | 2.0 dB
OMUX-8 demux loss | 4.5 dB
System margin | 3.0 dB
Fiber attenuation | 0.25 dB/km
The equations and calculations used to determine maximum transmission distance for the network example are:
Passthrough nodes = number of OADMs between the first OADM and the OMUX
Passive loss = OADM add + OMUX-8 demux + (passthrough nodes * OADM passthrough loss)
Implied fiber loss = loss budget - passive loss - system margin
Maximum transmission distance = implied fiber loss / attenuation
In this case:
Passthrough nodes = 7 nodes
Passive loss = 1.9 + 4.5 + (7 * 2.0) = 20.4 dB
Implied fiber loss = 30 - 20.4 - 3 = 6.6 dB
Maximum reach = (6.6 dB) / (0.25 dB/km) = 26.4 km
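The mesh-ring and hub-and-spoke reach examples follow the same pattern, with the pass-through insertion losses added to the passive loss. A sketch covering both cases:

```python
def passive_loss_db(add_db, drop_db, passthrough_nodes, through_db=2.0):
    """Add/drop (or demux) losses plus 2.0 dB per pass-through OADM."""
    return add_db + drop_db + passthrough_nodes * through_db

def max_reach_km(budget_db, passive_db, margin_db=3.0, atten_db_per_km=0.25):
    return (budget_db - passive_db - margin_db) / atten_db_per_km

# Mesh ring: 8 nodes, so 6 pass-through; OADM add 1.9 dB, drop 2.3 dB.
print(round(max_reach_km(30, passive_loss_db(1.9, 2.3, 6)), 1))  # 43.2 km
# Hub and spoke: 7 pass-through OADMs; OADM add 1.9 dB, OMUX-8 demux 4.5 dB.
print(round(max_reach_km(30, passive_loss_db(1.9, 4.5, 7)), 1))  # 26.4 km
```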
Operational modes
With Release 7.0 and later, the Avaya Ethernet Routing Switch 8800/8600 operates in R mode only. You cannot configure the switch to run in M mode. Similarly, enhanced operational mode configuration is not applicable because the system always operates in enhanced mode. R mode supports up to 256 000 IP routes, 64 000 MAC entries, and 32 000 Address Resolution Protocol (ARP) entries. This mode supports R and RS modules only. With Software Release 7.0 and later, R and RS modules support up to 128 MLT groups and up to eight ECMP routing paths. Release 5.0 and later supports up to 4000 VLANs, with a default of 1972. VLAN scaling is reduced if you use multicast MAC filters.
Software considerations
With Avaya-to-Avaya connections, to avoid loss of connectivity for devices that do not support FEFI, you can use VLACP as an alternative failure detection method. For more information, see End-to-end fault detection and VLACP on page 59.
SFFD recommendations
The Ethernet switching devices listed in the following table do not support autonegotiation on fiber-based Gigabit Ethernet ports. These devices are unable to participate in remote fault indication (RFI), which is a part of the autonegotiation specification. Without RFI, and in the event of a single fiber strand break, one of the two devices may not detect a fault, and continues to transmit data even though the far-end device does not receive it.
If you must connect the switch to a device that does not support autonegotiation, you can use Single-fiber Fault Detection (SFFD). SFFD can detect single fiber faults and bring down faulty links immediately. If the port is part of a multilink trunk (MLT), traffic fails over to other links in the MLT group. Once the fault is corrected, SFFD brings the link up within 12 seconds. For SFFD to work properly, both ends of the fiber connection must have SFFD enabled and autonegotiation disabled. A better alternative to SFFD is VLACP (see End-to-end fault detection and VLACP on page 59).
VLACP operation
Virtual Link Aggregation Control Protocol (VLACP) is an extension to LACP used for end-to-end failure detection. VLACP is not a link aggregation protocol, but rather a mechanism to periodically check the end-to-end health of a point-to-point connection. VLACP uses the Hello mechanism of LACP to periodically send Hello packets to ensure an end-to-end
communication. When Hello packets are not received, VLACP transitions to a failure state, which indicates a service provider failure, and the port is disabled. VLACP works only for port-to-port communications where there is a guarantee of a logical port-to-port match through the service provider. VLACP does not work for port-to-multiport communications where there is no guarantee of a point-to-point match through the service provider. You can configure VLACP on a port. VLACP can also be used with MLT to complement its capabilities and provide quick failure detection. VLACP is recommended for all SMLT access links when the links are configured as MLT to ensure that both end devices are able to communicate. By using VLACP over SLT, enhanced failure detection is extended beyond the limits of the number of SMLT or LACP instances that can be created on an Avaya switch. VLACP trap messages are sent to the management stations if the VLACP state changes. If the failure is local, the only traps that are generated are port linkdown or port linkup. Ethernet cannot detect end-to-end failures. Functions such as remote fault indication or far-end fault indication extend Ethernet to detect remote link failures. A major limitation of these functions is that they terminate at the next Ethernet hop; they cannot determine failures on an end-to-end basis. For example, in Figure 13: Problem description (1 of 2) on page 60, when the Enterprise networks connect the aggregated Ethernet trunk groups through a service provider network connection (for example, through a VPN), far-end failures cannot be signaled with Ethernet-based functions that operate end-to-end through the service provider network. The multilink trunk (between Enterprise switches S1 and S2) extends through the Service Provider (SP) network. Figure 13: Problem description (1 of 2) on page 60 shows an MLT running with VLACP. VLACP can operate end-to-end, but can also be used in a point-to-point link.
In the following figure, if the L2 link on S1 (S1/L2) fails, the link-down failure is not propagated over the SP network to S2, and S2 continues to send traffic over the failed S2/L2 link.
Use VLACP to detect far-end failures, which allows MLT to failover when end-to-end connectivity is not guaranteed for links in an aggregation group. VLACP prevents the failure scenario. When used in conjunction with SMLT, VLACP allows you to switch traffic around entire network devices before Layer 3 protocols detect a network failure, thus minimizing network outages.
VLACP configuration at the port level must be consistent: both sides of the point-to-point connection should be either enabled or disabled. VLACP is configured by port. The port can be either an individual port or an MLT member. VLACPDUs are sent periodically on each port where VLACP is enabled. This allows the exchange of VLACPDUs from an end-to-end perspective. If VLACPDUs are not received on a particular link, that link is taken down after the expiry timeout occurs (timeout scale x periodic time). This implies that unless VLACP is enabled on the IST peer, the ports stay in a disabled state. When VLACP is enabled at the IST peer, the VLACPDU is received and the ports are reenabled. This behavior can be replicated despite the IST connectivity between the end-to-end peers. When you enable VLACP on the IST ports at one end of the IST, the ports are taken down along with the IST. However, the IST at the other end stays active until the expiry timeout occurs on the other end. As soon as you enable VLACP at the other end, the VLACPDU is received by the peer and the ports are brought up at the software level.
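The expiry rule above (timeout scale x periodic time) can be sketched as follows. This is an illustrative helper, not an Avaya API; the function name and units are assumptions for the example.

```python
def vlacp_expiry_timeout_ms(periodic_time_ms: int, timeout_scale: int) -> int:
    """Return the time after which a link with no received VLACPDUs
    is taken down: timeout scale multiplied by the periodic (hello) time."""
    return periodic_time_ms * timeout_scale

# Example: a 500 ms hello interval with a timeout scale of 3 means a
# silent link is disabled after 1500 ms.
print(vlacp_expiry_timeout_ms(500, 3))
```

A longer periodic time or larger scale tolerates more lost hellos at the cost of slower failure detection.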
Platform redundancy
Provide platform layer redundancy to ensure that faulty hardware does not cause a service interruption. Avaya recommends that you use the following mechanisms to achieve device-level redundancy:
Redundant power supplies: Employ N + 1 power supply redundancy, where N is the number of power supplies required to power the chassis and its modules. Connect the power supplies to an additional power supply line to protect against supply problems. To provide additional redundancy, you can use the 8005DI AC power supply, which is a dual AC input, 1170/1492 watt (W) AC-DC power supply. On the 8005DI AC power supply, the two AC input sources can be out of synchronization with each other, having a different voltage, frequency, phase rotation, and phase angle, as long as the power characteristics for each separate input AC source remain within the range of the manufacturer's specifications. The 8000 Series switch has two slots for fan trays or cooling modules, each with eight individual fans. Sensors are used to monitor board health.
Input/output (I/O) port redundancy: You can protect I/O ports using a link aggregation mechanism. MLT, which is compatible with 802.3ad static (Link Access Control Protocol [LACP] disabled), provides you with a load sharing and failover mechanism to protect against module, port, fiber, or complete link failures.
Switch fabric redundancy: Avaya recommends that you use two SF/CPUs to protect against switch fabric failures. The two SF/CPUs load share and provide backup for each other. Using the 8006 or 8010
chassis, full switching capacity is available with both SF/CPU modules. With two SF/CPUs, you can use High Availability mode. For more information about High Availability (HA) mode, see High Availability mode on page 64.
SF/CPU redundancy: The CPU is the control plane of the switch. It controls all learning, calculates routes, and maintains port states. If the last SF/CPU in a system fails, the switch resets the I/O cards after a heartbeat timeout period of 3 seconds. To protect against CPU failures, Avaya has developed two different types of control plane (CPU) protection: Warm Standby mode, in which the Standby CPU is ready and the system image is loaded, and High Availability mode (Hot Standby).
Configuration and image redundancy: You can define primary, secondary, and tertiary configuration and system image file paths. This protects against system flash failures. For example, the primary path can point to system flash memory, the secondary path to the PCMCIA card, and the tertiary path to a network device. Both SF/CPU modules are identical and support flash and Personal Computer Memory Card International Association (PCMCIA) storage. If you enable the system flag called save to standby, configuration changes are always saved to both CPUs. When you use SMLT, Avaya recommends that you use VLACP to avoid forwarding packets to a failed switch that cannot process them.
feature, supports the synchronization of VLAN and Quality of Service (QoS) software parameters, static and default route records, ARP entries, and LAN virtual interfaces. Specifically, Layer 3 (L3) redundancy passes table information and Layer 3 protocol-specific control packets to the Standby CPU. When using L2/L3 redundancy, the bootconfig file is saved to both the Master and the Standby CPUs, and the Standby CPU is reset automatically. You must manually reset the Master CPU. The following table lists feature support and synchronization information for HA in Release 7.1. Table 18: Feature support for HA
Feature       Release 7.1
Modules       R and RS only
Platform      Yes
Layer 2       Yes
Layer 3       Yes (see Note 1)
Multicast     Yes, but no PGM (see Note 1)
IPv6          Yes, Restart
Security      Yes: TACACS+, DHCP snooping, ARP Inspection, IP Source Guard
Note 1: For Release 7.1, HA-CPU supports the following:
Hot Standby mode:
- Shortest Path Bridging MAC (SPBM) platform configuration
- Layer 2 protocols: IGMP, STP, MLT, SMLT, ARP, LACP, VLACP
- Layer 3 protocols: RIP, OSPF, VRRP, RSMLT, VRF Lite
Warm Standby mode:
- DVMRP, PIM-SM, and PIM-SSM
- BGP
- MPLS
- BFD
- IPv6 and all associated IPv6 protocols
Synchronization of:                            Release 7.0
Layer 2
  VLAN parameters                              Yes
  STP parameters                               Yes
  RSTP/MSTP parameters                         Yes
  SMLT parameters                              Yes
  QoS parameters                               Yes
Layer 3
  Virtual IP (VLANs)                           Yes
  ARP entries                                  Yes
  Static and default routes                    Yes
  VRRP                                         Yes
  RIP                                          Yes
  OSPF                                         Yes
  Layer 3 Filters; ACE/ACLs                    Yes
  BGP                                          Yes
  DVMRP/PIM                                    Yes
  IGMP, PIM-SM, and PIM-SSM virtualization     Yes
  BFD                                          Partial HA
  IPv6                                         Yes
For more information about configuring HA, see Avaya Ethernet Routing Switch 8800/8600 Administration, NN46205-605.
For more information, see NN46205-523 and Avaya Ethernet Routing Switch 8800/8600 Configuration OSPF and RIP, NN46205-522. HA does not currently support PGM. If you want to use High Availability (HA) mode, verify that the link speed and duplex mode for the CPU module are 100 Mbit/s and full-duplex. If the link is not configured in 100 Mbit/s and full-duplex mode, either you cannot synchronize the two CPUs, or the synchronization may take a long time, and error messages can appear on the console. In HA mode, Avaya recommends that you do not configure the OSPF hello timers for less than one second, or the dead router interval for less than 15 seconds.
Link redundancy
Provide link layer redundancy to ensure that a faulty link does not cause a service interruption. The sections that follow explain design options that you can use to achieve link redundancy. These mechanisms provide alternate data paths in case of a link failure.
MultiLink Trunking
MultiLink Trunking (MLT) provides link layer redundancy: you can use MLT to provide alternate paths around failed links. When you configure MLT links, consider the following information:
- Software Release 7.0 supports 128 MLT aggregation groups, each with up to eight ports.
- Up to eight same-type ports can belong to a single MLT group. Same-type means that the ports operate on the same physical media, at the same speed, and in the same duplex mode.
- For Release 7.0, MLT ports can run between an 8648GTR and other module types. MLT ports must run at the same speed with the same interface type, even if they use different I/O module types.
MLT navigation
MLT/LACP groups and port speed on page 68 Switch-to-switch MLT link recommendations on page 68 Brouter ports and MLT on page 69 MLT and spanning tree protocols on page 69 MLT protection against split VLANs on page 70
When you create switch-to-switch MLT links, connect the lower number port on one switch with the lower number port on the other switch. For example, to establish an MLT switch-to-switch link between ports 2/8 and 3/1 on switch A with ports 7/4 and 8/1 on switch B, do the following:
- Connect port 2/8 on switch A to port 7/4 on switch B.
- Connect port 3/1 on switch A to port 8/1 on switch B.
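The low-to-low pairing rule can be sketched as follows. The helper name is hypothetical, not switch functionality; it simply sorts each side's (slot, port) list and pairs the entries in order.

```python
def pair_mlt_ports(ports_a, ports_b):
    """Pair switch-to-switch MLT ports low-to-low.

    Ports are (slot, port) tuples; sorting both sides and zipping them
    connects the lowest-numbered port on one switch to the
    lowest-numbered port on the other."""
    return list(zip(sorted(ports_a), sorted(ports_b)))

# Example from the text: ports 2/8 and 3/1 on switch A,
# ports 7/4 and 8/1 on switch B.
pairs = pair_mlt_ports([(3, 1), (2, 8)], [(8, 1), (7, 4)])
# 2/8 pairs with 7/4; 3/1 pairs with 8/1
```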
Because the Spanning Tree Protocol selects the port with the lowest port ID as its root port (ignoring the aggregate rate of the links), Avaya recommends that the following methods be used when you define path costs:
- Use lower port numbers for multilink trunks so that the multilink trunk with the most active links gets the lowest port ID.
- Modify the default path cost so that non-MLT ports, or the MLT with the least active links, have a higher value than the MLT link with the most active ports.
With the implementation of 802.1w (Rapid Spanning Tree Protocol, or RSTP) and 802.1s (Multiple Spanning Tree Protocol, or MSTP), a new path cost calculation method is implemented. The following table describes the new path costs associated with each interface type:
Table 20: New path cost for RSTP or MSTP mode
Link speed                          Recommended path cost
Less than or equal to 100 Kbit/s    200 000 000
1 Mbit/s                            20 000 000
10 Mbit/s                           2 000 000
100 Mbit/s                          200 000
1 Gbit/s                            20 000
10 Gbit/s                           2000
100 Gbit/s                          200
1 Tbit/s                            20
10 Tbit/s                           2
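The table values follow the IEEE 802.1t convention: the path cost is 20 000 000 000 000 divided by the link speed in bit/s. A minimal sketch (the helper name is illustrative, not an Avaya API):

```python
def rstp_path_cost(speed_bps: int) -> int:
    """RSTP/MSTP recommended path cost per IEEE 802.1t:
    20,000,000,000,000 divided by the link speed in bit/s."""
    return 20_000_000_000_000 // speed_bps

# 1 Gbit/s -> 20 000 and 10 Gbit/s -> 2000, matching Table 20.
print(rstp_path_cost(1_000_000_000))
print(rstp_path_cost(10_000_000_000))
```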
LACP and SMLT: Interoperability with servers (and potentially third-party switches)
To better serve interoperability with servers (and potentially certain third-party switches) in SMLT designs, the Avaya Ethernet Routing Switch 8800/8600 provides a system ID configuration option for Split MultiLink Trunk (SMLT). Prior to this enhancement, if the SMLT Core Aggregation Switches were unable to negotiate the system ID (for example, if the inter-switch trunk [IST] or one of the aggregate switches failed), the Ethernet Routing Switch 8800/8600 SMLT/LACP implementation modified the Link Aggregation Control Protocol (LACP) system ID to aa:aa:aa:aa:aa:xx (where xx is the LACP key). When SMLT-attached servers (and certain third-party wiring closet switches) received this new system ID, in some cases, ports moved to a different link aggregation group (LAG), resulting in data loss. To avoid this issue, the Avaya Ethernet Routing Switch 8800/8600 provides an option to configure a static system ID that is always used by the SMLT Core Aggregation Switches. In this way, the same LACP key is always used, regardless of the state of the SMLT Core Aggregation Switch neighbor (or the IST link). Therefore, no change in LAGs occurs on the attached device, be it a server or a third-party switch. This situation (and therefore this advanced configuration option) does not affect Avaya edge switches used in SMLT configurations. The actor system priority of LACP_DEFAULT_SYS_PRIO, the actor system ID configured by the user, and an actor key equal to the SMLT-ID or SLT-ID are sent to the wiring closet switch. Avaya recommends that you configure the system ID to be the base MAC address of one of the aggregate switches along with its SMLT-ID. You must ensure that the same value for system ID is configured on both of the SMLT Core Aggregation Switches.
To configure the system ID, use the following CLI command:
ERS8610:5# config lacp smlt-sys-id <MAC Address>
Or use the following ACLI command:
ERS8610:5(config)# lacp smlt-sys-id <MAC Address>
For more information about SMLT, see Switch Clustering using Split Multi-Link Trunking (SMLT) with ERS 8800, 8600, 8300, 5500 and 1600 Series Technical Configuration Guide (NN48500-518).
The STP state of a port does not affect the operation of the LACP module. LACP data units (LACPDU) can be sent even if the port is in STP blocking state. Unlike legacy MLT, configuration changes (such as speed, duplex mode, and so on) made to a LAG member port are not applied to all the member ports of the MLT. Instead, the changed port is taken out of the LAG, and the corresponding aggregator and user is alerted. In contrast to MLT, IEEE 802.3ad-based link aggregation does not require BPDUs to be replicated over all ports in the trunk group. Therefore, use the CLI command config stg <stg> ntstg disable to disable the parameter on the STG for LACP-based link aggregation. In the ACLI, the command is no spanning-tree stp <1-64> ntstp. This parameter applies to all trunk groups that are members of this STG. This parameter is necessary when interworking with devices that only send BPDUs out one port of the LAG.
Operation
The Avaya Ethernet Routing Switch 8800/8600 uses one BFD session for all protocols with the same destination. For example, if a network runs OSPF and BGP across the same link
with the same peer, only one BFD session is established, and BFD shares session information with both routing protocols. You can enable BFD over data paths with specified OSPF neighbors, BGP neighbors, and static routing next-hop addresses. The Ethernet Routing Switch 8800/8600 supports BFD asynchronous mode, which sends BFD control packets between two systems to activate and maintain BFD neighbor sessions. To reach an agreement with its neighbor about how rapidly failure detection occurs, each system estimates how quickly it can send and receive BFD packets. A session begins with the periodic, slow transmission of BFD Control packets. When bidirectional communication is achieved, the BFD session comes up. The switch only declares a path as operational when two-way communication is established between systems. After the session is up, the transmission rate of Control packets can increase to achieve detection time requirements. If Control packets are not received within the calculated detection time, the session is declared down. After a session is down, Control packet transmission returns to the slow rate. If a session is declared down, it cannot come back up until the remote end signals that it is down (three-way handshake). A session can be kept administratively down by configuring the state of AdminDown.
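The negotiated detection time described above can be sketched as follows, loosely following the BFD rule (RFC 5880) that the slower of the two advertised intervals governs. The helper name and millisecond units are assumptions for the example, not an Avaya API.

```python
def bfd_detection_time_ms(remote_tx_ms: int, local_min_rx_ms: int,
                          remote_detect_mult: int) -> int:
    """Detection time for a BFD asynchronous-mode session.

    Each side advertises how fast it can send (tx) and how fast it can
    absorb packets (min rx); the slower value is the effective interval,
    and the session is declared down after that interval elapses
    'detect multiplier' times with no Control packets received."""
    effective_interval = max(remote_tx_ms, local_min_rx_ms)
    return effective_interval * remote_detect_mult

# Remote can send every 100 ms, we can only absorb one every 200 ms,
# detect multiplier 3: the session is declared down after 600 ms of silence.
print(bfd_detection_time_ms(100, 200, 3))
```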
BFD restrictions
The Avaya Ethernet Routing Switch 8800/8600 supports up to 256 BFD sessions; however, the number of BFD sessions plus the number of VLACP sessions cannot exceed 256. The Ethernet Routing Switch 8800/8600 does not support the following IETF BFD options:
- Echo packets
- BFD over IPv6
- Demand mode
- Authentication
The Ethernet Routing Switch 8800/8600 does not support:
- BFD on a VRRP virtual interface
- High Availability (HA) for BFD
The Ethernet Routing Switch 8800/8600 supports partial HA for BFD. The Ethernet Routing Switch 8800/8600 also supports the modification of transmit and receive intervals during an active BFD session.
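The shared session budget above can be expressed as a simple check. This is an illustrative planning helper, not switch functionality.

```python
def sessions_within_limit(bfd_sessions: int, vlacp_sessions: int) -> bool:
    """The switch supports at most 256 BFD sessions, and BFD plus
    VLACP sessions together must not exceed 256."""
    return bfd_sessions <= 256 and bfd_sessions + vlacp_sessions <= 256

print(sessions_within_limit(200, 56))   # exactly at the 256 limit
print(sessions_within_limit(200, 57))   # one over the limit
```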
Multihoming
Multihoming enables the Avaya Ethernet Routing Switch 8800/8600 to support clients or servers that have multiple IP addresses associated with a single MAC address.
Multihomed hosts can be connected to port-based, policy-based, and IP subnet-based VLANs. The IP addresses that you associate with a single MAC address on a host must be located in the same IP subnet. The Ethernet Routing Switch 8800/8600 supports multihomed hosts with up to 16 IP addresses per MAC address. For more information about multihoming, see Avaya Ethernet Routing Switch 8800/8600 Configuration VLANs and Spanning Tree, NN46205-517.
Network redundancy
Provide network redundancy so that a faulty switch does not interrupt service. You can configure mechanisms that direct traffic around a malfunctioning switch. The sections that follow describe designs you can follow to achieve network redundancy.
Campus architecture
A three-tier campus architecture consists of an edge layer, a distribution layer, and a core layer.
Edge layer: The edge layer provides direct connections to end user devices. These are normally the wiring closet switches that connect devices such as PCs, IP phones, and printers.
Distribution layer: The distribution layer provides connections to the edge layer wiring closets in a three-tier architecture. This layer connects the wiring closets to the core.
Core layer: The core layer is the center of the network. In a three-tier architecture, all distribution layer switches terminate in the core. In a two-tier architecture, the edge layer terminates directly in the core, and no distribution layer is required.
Important: Avaya recommends that you do not directly connect servers and clients to core switches. If one IST switch fails, connectivity to the server is lost.
In many cases, you can remove the distribution layer from the campus network layout. This maintains functionality, but decreases cost, complexity, and network latency. The following figure shows a two-tiered architecture where the edge layer is connected directly into the core.
Figure 17: Two-tiered architecture with four-switch core plus data center
Figure 18: Two-tiered architecture with two-switch core plus data center
For specific design and configuration parameters, see Converged Campus Technical Solutions Guide, NN48500-516 and Switch Clustering using Split-Multilink Trunking (SMLT) Technical Configuration Guide, NN48500-518.
Avaya recommends the network edge design shown in Figure 20: Recommended network edge design on page 80. This setup is simple to implement and maintain, yet still provides redundancy if one of the edge or distribution layer switches fails.
SMLT navigation
SMLT redundancy on page 81 SMLT and VLACP on page 83 SMLT and loop prevention on page 83 Interswitch Trunking recommendations on page 83 Dual MLTs in SMLT on page 84 SMLT ID recommendations on page 84 Single Link Trunking (SLT) on page 85 SMLT and Layer 2 traffic load sharing on page 85 SMLT and Layer 3 traffic Redundant Default Gateway: VRRP on page 86 SMLT failure and recovery on page 87 SMLT and IEEE 802.3ad interaction on page 88 SMLT and Spanning Tree Protocol on page 89 SMLT scalability on page 89 SMLT topologies on page 90 SMLT full-mesh recommendations with OSPF on page 92
SMLT redundancy
The following figure shows an SMLT configuration that contains a pair of Ethernet Routing Switches acting as aggregation switches (E and F). Four separate wiring closet switches are shown, labeled A, B, C, and D (MLT-compatible devices).
B and C are connected to the aggregation switches through multilink trunks that are split between the two aggregation switches. For example, SMLT client switch B can use two parallel links for its connection to E, and two additional parallel links for its connection to F. This provides redundancy. The SMLT client switch C may have only a single link to both E and F. Switch A is configured for MLT, but the MLT terminates on only one switch in the network core. Switch D has a single connection to the core. Although you could configure both switch A and switch D to terminate across both of the aggregation switches using SMLT, neither switch would benefit from SMLT in this network configuration. The SMLT client switches are dual-homed to the two aggregation switches, yet they require no knowledge of whether they are connected to a single switch or to two switches. SMLT intelligence is required only on the aggregation switches. Logically, they appear as a single switch to the edge switches. Therefore, the SMLT client switches only require an MLT configuration. The connections between the SMLT aggregation switches and the SMLT client switches are called SMLT links. The client switch can use any proprietary link aggregation protocol, such as MLT or EtherChannel, in addition to standards-based LACP. Figure 21: SMLT configuration with switches as aggregation switches on page 82 also includes end stations connected to each of the switches. End stations a, b1, b2, c1, c2, and d are typically hosts, while e and f may be hosts, servers, or routers. SMLT client switches B and C can use any method to determine which multilink trunk link to use to forward a packet, so long as the same link is used for a given Source/Destination address (SA/DA) pair (regardless of whether or not the DA is known by B or C). Packet over SONET (POS) and Ethernet interfaces are supported as operational SMLT links. Aggregation switches always send traffic directly to an SMLT client switch.
They only use the interswitch trunk for traffic that they cannot forward in another, more direct way.
Avaya recommends that you do not use the IST VLAN as a route for non-IST traffic or routing traffic. One exception to this rule is the case of multicast traffic with PIM-SM. In this case, you must enable PIM-SM on the IST VLAN. Avaya also recommends that you use low slot number ports for the IST, for example, ports 1/1 and 2/1, because the low number slots boot up first. Avaya recommends that you use an independent Virtual Local Area Network (VLAN) for the IST peer session. To avoid the dropping of IST control traffic, Avaya recommends that you use a nonblocking port for the IST, for example, any R series module Gigabit Ethernet port. Avaya recommends that an interswitch multilink trunk contain at least two physical ports, although this is not a requirement. Avaya recommends that CP-Limit be disabled on all physical ports that are members of an IST multilink trunk. Disabling CP-Limit on IST MLT ports forces another, less-critical port to be disabled if the defined CP-Limit is exceeded. By doing this, you preserve network stability if a protection condition arises. Although it is likely that one SMLT MLT port (riser) is disabled in such a condition, traffic continues to flow through the remaining SMLT ports.
SMLT ID recommendations
SMLT links on both aggregation switches share an SMLT link ID called SmltId. The SmltId identifies all members of a split multilink trunk group. Therefore, you must terminate both sides of each SMLT having the same SmltId at the same SMLT client switch. For the exceptions to this rule, see Figure 22: SMLT square configuration on page 91 and Figure 23: SMLT full-mesh configuration on page 91.
The SMLT IDs can be, but are not required to be, identical to the MLT IDs. SmltId ranges are:
- 1 to 128 for MLT-based SMLTs
- 1 to 512 for SLTs
Important: Avaya recommends that you use SLT IDs of 129 to 512 and that you reserve the lower number IDs of 1 to 128 for SMLT only.
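The ID ranges and the recommendation above can be sketched as simple validation helpers. The function names are illustrative, not an Avaya API.

```python
def valid_smlt_id(smlt_id: int) -> bool:
    """MLT-based SMLT IDs run from 1 to 128."""
    return 1 <= smlt_id <= 128

def valid_slt_id(slt_id: int) -> bool:
    """SLT IDs run from 1 to 512."""
    return 1 <= slt_id <= 512

def recommended_slt_id(slt_id: int) -> bool:
    """Avaya recommends SLT IDs of 129 to 512, reserving 1 to 128 for SMLT."""
    return 129 <= slt_id <= 512
```

For example, ID 64 is valid for either trunk type, but the recommendation keeps it for SMLT and assigns an SLT an ID of 129 or higher.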
For more information, see Avaya Ethernet Routing Switch 8800/8600 Configuration Link Aggregation, MLT, and SMLT, NN46205-518. Usually, the algorithm operates on a source/destination MAC address basis or a source/destination IP address basis. On the aggregation switch, SMLT achieves load sharing by sending all traffic destined for the SMLT client switch directly to the SMLT client, and not over the IST trunk. The IST trunk is never used to cross traffic to and from an SMLT dual-homed wiring closet. Traffic received on the IST by an aggregation switch is not forwarded to SMLT links (the other aggregation switch does this), thus eliminating the possibility of a network loop.
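The source/destination-based load sharing above can be sketched as follows. The actual Avaya hash is not specified here, so this example uses CRC32 as a stand-in; what matters is the property that a given SA/DA pair always maps to the same link, keeping a flow in order.

```python
import zlib

def select_mlt_link(src_mac: str, dst_mac: str, active_links: int) -> int:
    """Pick an MLT link index for a frame from a source/destination pair.

    CRC32 is a stand-in hash: any deterministic function works, because
    the requirement is only that the same SA/DA pair always selects the
    same link while different pairs spread across the group."""
    key = (src_mac.lower() + dst_mac.lower()).encode()
    return zlib.crc32(key) % active_links

# The same conversation always takes the same link of a 4-link MLT.
link = select_mlt_link("00:1B:4F:00:00:01", "00:1B:4F:00:00:02", 4)
```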
the IST to deliver frames destined for a default gateway. In a traditional VRRP implementation, this operates only on one of the aggregation switches. The BackupMaster switch routes all traffic received on the BackupMaster IP interface according to the switch routing table. The BackupMaster switch does not Layer 2-switch the traffic to the VRRP Master. You must ensure that both SMLT aggregation switches can reach the same destinations by using a routing protocol. Therefore, Avaya recommends that, for routing purposes, you configure per-VLAN IP addresses on both SMLT aggregation switches. Avaya further recommends that you introduce an additional subnet on the IST that has a shortest-route-path to avoid issuing Internet Control Message Protocol (ICMP) redirect messages on the VRRP subnets. (To reach the destination, ICMP redirect messages are issued if the router sends a packet back out through the same subnet on which it is received.)
while functional, may not be optimal because the aggregation switches may not learn all MAC addresses, and the aggregation switches can flood traffic that would not normally be flooded.
An explanation of the importance of configuring the System ID is as follows. The LACP System ID is the base MAC address of the switch, which is carried in Link Aggregation Control Protocol Data Units (LACPDU). When two links interconnect two switches that run LACP, each switch knows that both links connect to the same remote device because the LACPDUs originate from the same System ID. If the links are enabled for aggregation using the same key, then LACP can dynamically aggregate them into a LAG (MLT). When SMLT is used between the two switches, they act as one logical switch. Both aggregation switches must use the same LACP System ID over the SMLT links so that the edge switch sees one logical LACP peer, and can aggregate uplinks towards the SMLT aggregation switches. This process automatically occurs over the IST connection, where the base MAC address of one of the SMLT aggregation switches is chosen and used by both SMLT aggregation switches. However, if the switch that owns that Base MAC address restarts, the IST goes down, and the other switch reverts to using its own Base MAC address as the LACP System ID. This action causes all edge switches that run LACP to think that their links are connected to a different switch. The edge switches stop forwarding traffic on their remaining uplinks until the aggregation can reform (which can take several seconds). Additionally, when the restarted switch comes back on line, the same actions occur, thus disrupting traffic twice. The solution to this problem is to statically configure the same SMLT System ID MAC address on both aggregation switches. For more information about configuring the LACP SMLT system ID, see Avaya Ethernet Routing Switch 8800/8600 Configuration Link Aggregation, MLT, and SMLT, NN46205-518.
SMLT scalability
To determine the maximum number of VLANs supported per device on an MLT/SMLT, use the following formulas. To calculate the total number of VLANs that you can configure with SMLT/IST with R series modules, use the following formula: (number of VLANs on regular ports or MLT ports) + (2 x number of VLANs on SMLT ports) must not exceed 1972.
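The formula above can be sketched as a budget check: each VLAN on an SMLT port counts twice against the 1972-VLAN total. The helper name is illustrative, not an Avaya API.

```python
def smlt_vlans_within_budget(regular_vlans: int, smlt_vlans: int) -> bool:
    """VLANs on regular or MLT ports count once; VLANs on SMLT ports
    count twice. The total must stay within the 1972-VLAN budget."""
    return regular_vlans + 2 * smlt_vlans <= 1972

print(smlt_vlans_within_budget(100, 936))  # 100 + 1872 = 1972, at budget
print(smlt_vlans_within_budget(100, 937))  # 100 + 1874 = 1974, over budget
```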
The available VLANs in an SMLT setup are based on the following: If config sys set max-vlan-resource-reservation enable is enabled, then 2042 VLANs are available for SMLT. If config sys set multicast-resource-reservation <value> is configured (range of value: 64-4084), then the number of available VLANs on the SMLT switch is calculated as the configured value divided by 2 (VLANs available = <value>/2). A maximum of one IST MLT can exist on a switch. With R and RS modules, you can have a total of 127 MLT/SMLT groups (128 MLT groups minus 1 MLT group for the IST). SMLT IDs can be either MLT- or port-based. The maximum value for the Port/SMLT ID is 512, but in practice, this is limited by the number of available ports on the switch. Port/SMLT IDs allow only one port per switch to be a member of an SMLT ID; MLT/SMLT allows up to eight ports to be members of an SMLT ID per switch. When you use SMLT, the total number of supported MAC addresses (if all records are available for MAC address learning) is 64 000 for M, R, and RS modules. For more information about SMLT scalability and multicast routing, see Multicast network design on page 183. For more information about VLAN scalability, see Avaya Ethernet Routing Switch 8800/8600 Configuration VLANs and Spanning Tree, NN46205-517.
SMLT topologies
Several common network topologies are used in SMLT networks. These include the SMLT triangle, the SMLT square, and the SMLT full-mesh. A triangle design is an SMLT configuration in which you connect edge switches or SMLT clients to two aggregation switches. You connect the aggregation switches together with an interswitch trunk that carries all the SMLTs configured on the switches. Each switch pair can have up to 127 SMLT client switch connections, and up to 512 SLT connections. When you use the square design (Figure 22: SMLT square configuration on page 91), keep in mind that all links facing each other (denoted by the MLT ring on an aggregation pair) must use the same SMLT IDs.
You can configure an SMLT full-mesh configuration as shown in Figure 23: SMLT full-mesh configuration on page 91. In this configuration, all SMLT ports use the same SmltId (denoted by the MLT ring). The SMLT ID is of local significance only and must be the same within a cluster. For example, the top cluster could use SMLT ID 1 while the bottom cluster can use SMLT ID 2. Because the full-mesh configuration requires MLT-based SMLT, you cannot configure SLT in a full-mesh. In the following figure, the vertical and diagonal links emanating from any switch are part of an MLT.
R series modules, in Release 4.1 and later, and RS modules, in Release 5.0 and later, support up to 128 MLT groups of 8 ports. Within the network core, you can configure SMLT groups as shown in the following figure. Both sides of the links are configured for SMLT. No state information passes across the MLT link; both ends believe that the other is a single switch. The result is that no loop is introduced into the network. Any of the core switches or any of the connecting links between them may fail, but the network recovers rapidly. You can scale SMLT groups to achieve hierarchical network designs by connecting SMLT groups together. This allows redundant loop-free Layer 2 domains that fully use all network links without using an additional protocol.
For more information about the SMLT triangle, square, and full-mesh designs, see Avaya Ethernet Routing Switch 8800/8600 Configuration Link Aggregation, MLT, and SMLT, NN46205-518. For more information about SMLT, see the Internet Draft draft-lapuh-network-smlt-06.txt available at www.ietf.org.
Routed SMLT
In many cases, core network convergence time depends on the length of time a routing protocol requires to successfully converge. Depending on the specific routing protocol, this convergence time can cause network interruptions ranging from seconds to minutes. Routed Split MultiLink Trunking (RSMLT) allows rapid failover for core topologies by providing an active-active router concept to core SMLT networks. RSMLT is supported on SMLT triangles, squares, and SMLT full-mesh topologies that have routing enabled on the core
VLANs. RSMLT provides redundancy as well: if a core router fails, RSMLT provides packet forwarding, which eliminates dropped packets during convergence. Routing protocols used to provide convergence can be any of the following: IP unicast static routes, RIPv1, RIPv2, OSPF, or BGP.
RSMLT navigation
SMLT and RSMLT operation on page 93
RSMLT router failure and recovery on page 95
RSMLT guidelines on page 95
RSMLT timer tuning on page 96
Example: RSMLT redundant network with bridged and routed edge VLANs on page 96
Example: RSMLT network with static routes at the access layer on page 97
IPv6 RSMLT on page 97
The aggregation layer switches are routing-enabled and provide active-active default gateway functions through RSMLT. Routers R1 and R2 forward traffic for IP subnet A. RSMLT provides both router failover and link failover. For example, if the SMLT link between R2 and R4 is broken, the traffic fails over to R1.
For IP subnet A, VRRP Backup-Master can provide the same functions as RSMLT, as long as an additional router is not connected to IP subnet A. RSMLT provides superior router redundancy in core networks (for example, IP subnet B) in which OSPF is used. Routers R1 and R2 provide router backup for each other, not only for the edge IP subnet A but also for the core IP subnet B. Similarly, routers R3 and R4 provide router redundancy for IP subnet C and also for core IP subnet B.
RSMLT guidelines
Because RSMLT is based on SMLT, all SMLT configuration rules apply. In addition, RSMLT is enabled on the SMLT aggregation switches on a per-VLAN basis. The VLAN must be a member of SMLT links and the IST trunk.
The VLAN also must be routable (IP address configured). On all four routers in a square or full-mesh topology, you must configure an Interior Routing Protocol, such as OSPF, although the protocol is independent of RSMLT. You can use any routing protocol, including static routes, with RSMLT. RSMLT pair switches provide backup for each other. As long as one of the two routers in an IST pair is active, traffic forwarding is available for both next hops. For design examples using RSMLT, see the following sections and RSMLT redundant network with bridged and routed VLANs in the core on page 282.
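A minimal sketch of the per-VLAN enablement described above (syntax paraphrased; the VLAN ID and addresses are hypothetical; see NN46205-523 for the exact commands):

```
# VLAN 100 is carried on the SMLT links and the IST, and is routable
config vlan 100 ip create 10.1.1.2/255.255.255.0   # IST peer uses 10.1.1.3/24
config vlan 100 ip rsmlt enable                    # repeat on the IST peer
```

Each IST peer keeps its own interface address; RSMLT makes either address usable as a next hop while both peers are up.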
Example: RSMLT redundant network with bridged and routed edge VLANs
Many Enterprise networks require support for VLANs that span multiple wiring closets, for example, a Voice over IP (VoIP) VLAN. VLANs are often local to wiring closets and routed towards the core. The following figure shows VLAN-10, which has all IP phones as members and spans the network, while VLANs 20 and 30 are user VLANs that are routed through VLAN-40. A combination of SMLT and RSMLT provides sub-second failover for all VLANs, bridged or routed. VLAN-40 is RSMLT-enabled, which provides the required redundancy. You can use any unicast routing protocol, such as RIP, OSPF, or BGP, and routing convergence times do not affect the network convergence time provided by RSMLT.
IPv6 RSMLT
While Avaya's Routed Split MultiLink Trunk (RSMLT) functionality originally provided sub-second failover for IPv4 forwarding only, the Avaya Ethernet Routing Switch 8800/8600
extends RSMLT functionality to IPv6. The overall model for IPv6 RSMLT is essentially identical to that of IPv4 RSMLT. In short, RSMLT peers exchange their IPv6 configuration and track each other's state by means of IST messages. An RSMLT node always performs IPv6 forwarding on the IPv6 packets destined to the peer's MAC addresses, thus preventing IPv6 data traffic from being sent over the IST. When an RSMLT node detects that its RSMLT peer is down, the node also begins terminating IPv6 traffic destined to the peer's IPv6 addresses. With RSMLT enabled, an SMLT switch performs IP forwarding on behalf of its SMLT peer, thus preventing IP traffic from being sent over the IST. IPv6 RSMLT supports the full set of topologies and features supported by IPv4 RSMLT, including SMLT triangles, squares, and SMLT full-mesh topologies, with routing enabled on the core VLANs. With IPv6, you must configure the RSMLT peers with the same set of IPv6 prefixes. Supported routing protocols include the following:
IPv6 static routes
OSPFv3
Example network
The following figure shows a sample IPv6 RSMLT topology. It shows a typical redundant network example with user aggregation, core, and server access layers. To minimize the creation of many IPv6 prefixes, one VLAN (VLAN 1, IP prefix A) spans all wiring closets. RSMLT provides the loop-free topology. The aggregation layer switches are configured with routing enabled and provide active-active default gateway functionality through RSMLT.
In the VLAN 3 portion of the network shown in the preceding figure, routers R1 and R2 provide RSMLT-enabled IPv6 service to hosts H1 and H2. Router R1 can be configured as the default IPv6 router for H1, and R2 can be the default router for H2. R1 is configured with the link-local address of fe80::1, the global unicast address 2003::1, and the routing prefix of 2003::/64 (as a shorthand, the last two items are referred to as 2003::1/64). R2 is configured with fe80::2 and 2003::2/64. Host H1 sends its IPv6 traffic destined to VLAN 1 to R1's MAC address (after resolving the default router address fe80::1 to R1's MAC). H2 sends its traffic to R2's MAC. When an IPv6 packet destined to R1's MAC address is received at R2 on its SMLT links (which is the expected MLT behavior), R2 performs IPv6 forwarding on the packet and does not bridge it over the IST. The same behavior occurs on R1. At startup, R1 and R2 use the IST link to exchange full configuration information, including the MAC addresses for the IPv6 interfaces residing on SMLT VLAN 3.
When R2 detects that the RSMLT in R1 transitions to the DOWN state (for example, if R1 itself is down, its SMLT links are down, or the IST link is down), R2 takes over IPv6 termination and IPv6 Neighbor Discovery functionality on behalf of R1's IPv6 SMLT interface. Specifically:
When the event is detected, R2 transmits an unsolicited IPv6 Neighbor Advertisement for each IPv6 address configured on R1's SMLT link, using R1's MAC address (fe80::1 and 2003::1 in this example). R2 also transmits an unsolicited Router Advertisement for each of R1's routing prefixes (unless R1's prefixes are configured as not advertised).
R2 responds to Neighbor Solicitations and (if the configuration allows) Router Advertisements on behalf of R1.
R2 terminates IPv6 traffic (such as pings) destined to R1's SMLT IPv6 addresses.
When R1's RSMLT transitions back into the UP state and the hold-down timer expires, R1 resumes IPv6 forwarding and R2 ceases to terminate IPv6 traffic on R1's behalf. Note that IPv6 allows a rich set of configuration options for advertising IPv6 routing prefixes (equivalent to IPv4 subnets) and configuring hosts on a link. A prefix can be configured to be advertised or not, and to carry various flags or lifetimes. These parameters affect how hosts can (auto)configure their IPv6 addresses and select their default routers. Most relevant from the RSMLT perspective is that an RSMLT node fully impersonates its peer's IPv6 configuration and behavior on the SMLT link, whatever that configuration happens to be. The preceding network example illustrates one of the many possible deployment schemes for IPv6 routers and hosts on a VLAN. RSMLT provides both router failover and link failover. For example, if the Split MultiLink Trunk link between R2 and R4 is broken, the traffic fails over to R1 as well.
Router R1 recovery
After a failure, R1 reboots and first becomes active as a VLAN bridge. Packets destined to R1 are switched, using the bridging forwarding table, to R2. R1 operates as a VLAN bridge for a period defined by the hold-down timer. After the hold-down time expires and the routing tables converge, R1 starts routing packets for itself and also for R2. Therefore, it does not matter which of the two routers is used as the next hop from R3 and R4 to reach IPv6 prefix 2003::/64. When an IPv6 RSMLT peer recovers, the peer installs a temporary default route in the IPv6 routing table that points all IPv6 traffic to the IST peer IP address for the hold-down time. (This is the same behavior as in IPv4 RSMLT.)
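The hold-down behavior described in this section can be tuned with the RSMLT timers; a hedged sketch (syntax paraphrased, timer values illustrative rather than defaults):

```
# Bridge-only period after recovery, sized to routing-protocol convergence
config vlan 100 ip rsmlt holddown-timer 90
# How long the peer continues forwarding on behalf of a failed router
config vlan 100 ip rsmlt holdup-timer 1800
```

Size the hold-down timer to comfortably exceed the convergence time of the routing protocol in use, so the recovering router does not attract traffic before its tables are complete.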
For a given SMLT VLAN, RSMLT is supported for any of the following scenarios:
IPv4 only: IPv4 is configured on the VLAN and IPv6 is not. RSMLT operation and logic remain unchanged from the current implementation.
IPv6 only: IPv6 is configured on the VLAN and IPv4 is not. IPv6 RSMLT operation follows that of IPv4 as described in this document.
IPv4 and IPv6: Both IPv4 and IPv6 are configured on the VLAN. IPv4 RSMLT operation and logic remain unchanged from the current implementation and are unaffected by IPv6. IPv6 operation follows that of IPv4 as described in this document.
Spanning tree
Spanning Tree prevents loops in switched networks. The Avaya Ethernet Routing Switch 8800/8600 supports several spanning tree protocols and implementations. These include the Spanning Tree Protocol (STP), Per-VLAN Spanning Tree Plus (PVST+), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). This section describes some issues to consider when you configure spanning tree. For more information about spanning tree protocols, see Avaya Ethernet Routing Switch 8800/8600 Configuration VLANs and Spanning Tree, NN46205-517.
When you connect the Avaya Ethernet Routing Switch 8800/8600 to a Layer 2 device, be aware of the differences in STG support between the two types of devices. Some switches support only one STG, whereas the Avaya Ethernet Routing Switch 8800/8600 supports 25 STGs. In the following figure, all three devices are members of STG1 and VLAN1. Link Y is in a blocking state to prevent a loop, and links X and Z are in a forwarding state. With this configuration, congestion on link X is possible because it is the only link that forwards traffic between EthernetSwitchA and ERS8600C.
Figure 30: One STG between two Layer 3 devices and one Layer 2 device
To provide load sharing over links X and Y, create a configuration with multiple STGs that are transparent to the Layer 2 device and that divide the traffic over different VLANs. To ensure that the multiple STGs are transparent to the Layer 2 switch, the BPDUs for the two new STGs (STG2 and STG3) must be treated by the Ethernet Switch as regular traffic, not as BPDUs. In the configuration in Figure 31: Alternative configuration for STG and Layer 2 devices on page 106, the BPDUs generated by the two STGs (STG2 and STG3) are forwarded by the Ethernet Switch 8100. To create this configuration, you must configure STGs on the two Ethernet Routing Switch 8800/8600s, assign specific MAC addresses to the BPDUs created by the two new STGs, create VLANs 4002 and 4003 on the Layer 2 device, and create two new VLANs (VLAN 2 and VLAN 3) on all three devices.
When you create STG2 and STG3, you must specify the source MAC addresses of the BPDUs generated by the STGs. With these MAC addresses, the Layer 2 switch does not process the STG2 and STG3 BPDUs as BPDUs, but forwards them as regular traffic. To change the MAC address, you must create the STGs and assign the MAC addresses as you create these STGs. You can change the MAC address by using the CLI command config stg <stgid> create [vlan <value>] [mac <value>]. In the ACLI, the command is spanning-tree stp <1-64> create. On the Ethernet Routing Switch 8800/8600s (A8600 and B8600), configure A8600 as the root of STG2 and B8600 as the root of STG3. On the Ethernet Switch 8100 (Layer 2), configure
A8600 as the root of STG1. Configure a switch to be the root of an STG by giving it the lowest root bridge priority. Configure the four VLANs on the Layer 2 switch to include the tagged ports connected to the Ethernet Routing Switch 8800/8600. To ensure that the BPDUs from STG2 and STG3 are seen by the Layer 2 switch as traffic for the two VLANs, and not as BPDUs, give two of the VLANs the IDs 4002 and 4003. Figure 32: VLANs on the Layer 2 switch on page 107 illustrates the four VLANs configured on the Ethernet Switch 8100 and the traffic associated with each VLAN. After you configure the Ethernet Switch 8100, configure VLAN 2 and VLAN 3 on the Ethernet Routing Switch 8800/8600s. The IDs of these two VLANs are important because the BPDUs generated from them are tagged with a TaggedBpduVlanId that is derived by adding 4000 to the STG ID number. For example, for STG3 the TaggedBpduVlanId is 4003.
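Building on the CLI command quoted earlier, the STG2/STG3 creation can be sketched as follows (the MAC addresses shown are hypothetical placeholders; assign addresses appropriate to your network):

```
# Create the STGs with per-STG BPDU source MAC addresses at creation time
config stg 2 create vlan 2 mac 00:e0:16:00:00:02
config stg 3 create vlan 3 mac 00:e0:16:00:00:03
# The Layer 2 switch then forwards these BPDUs as regular tagged traffic:
# STG 2 BPDUs arrive on VLAN 4000 + 2 = 4002; STG 3 BPDUs on VLAN 4003
```

Because the MAC address can only be set at creation time, plan the addresses before you create the STGs.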
After the switch is set to 802.1w or 802.1s, new configuration files cannot be loaded if the flag is changed back to regular STP. For best interoperability results, contact your Avaya representative.
Spanning tree cannot detect such a configuration issue, whereas SLPP reacts and disables the malfunctioning links, minimizing the impact on the network. In addition to using SLPP for loop prevention, you can use the extended CP-Limit SoftDown feature to protect the SF/CPU against Denial of Service (DoS) attacks where required. Use the extended CP-Limit HardDown option as a loop prevention mechanism only in Software Release 3.7.x.
For the network shown in Figure 33: Untagged SMLT links on page 110, the configuration consists of the following:
SLPP-Tx is enabled on SMLT VLAN-10.
On switches A and B, SLPP-Rx is enabled on untagged access SMLT links.
On switch A, the SLPP-Rx threshold is set to 5.
To avoid edge isolation in case of a network failure, the SLPP-Rx threshold is set to 50 on SMLT switch B.
This configuration detects loops and avoids edge isolation. For tagged data, consider the following configuration:
The configuration is changed to:
SLPP-Tx is enabled on SMLT VLANs 10, 20, and 30. A loop in any of these VLANs triggers an event and resolves the loop.
On switches A and B, SLPP-Rx is enabled on tagged SMLT access links.
On switch A, the SLPP-Rx threshold is set to 5.
On SMLT switch B, the SLPP-Rx threshold is set to 50 to avoid edge isolation in case of a network failure.
In this scenario, Avaya recommends that you enable the untagged-frames-discard parameter on the SMLT uplink ports.
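The tagged-access configuration above can be sketched as follows (syntax paraphrased; the port numbers are hypothetical; verify the exact commands in your release's SLPP documentation):

```
# Global (both switches): transmit SLPP-PDUs on the SMLT VLANs
config slpp add 10
config slpp add 20
config slpp add 30
config slpp operation enable
# Per access port: receive threshold 5 on switch A (use 50 on switch B)
config ethernet 1/1 slpp packet-rx-threshold 5
config ethernet 1/1 slpp packet-rx enable
config ethernet 1/1 untagged-frames-discard enable
```

The asymmetric thresholds ensure that, during a loop, the primary switch disables its port first, leaving the secondary path intact and the edge reachable.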
SLPP-PDUs are automatically forwarded on VLAN ports configured for SLPP. The SLPP-PDU destination MAC address is the switch MAC address with the multicast bit set, and the source MAC address is the switch MAC address. The SLPP-PDU is sent as a multicast packet and is constrained to the VLAN on which it is sent. If an MLT port receives an SLPP-PDU, the port goes down. The SLPP-PDU can be received by the originating CP or the peer SMLT CP. All other switches treat the SLPP-PDU as a normal multicast packet and forward it within the VLAN. SLPP-PDU transmission and reception operate only on ports for which STP is in a forwarding state (if STP is enabled on one switch in the path). SLPP is port-based, so a port is disabled if it receives SLPP-PDUs on one or more VLANs of a tagged port. For example, if the SLPP packet-receive threshold is set to 5, a port is shut down after it receives 5 SLPP-PDUs from one or more VLANs on a tagged port. The switch does not act on any SLPP packets but those that it transmits: SLPP-Tx operationally disables ports that receive their own SLPP packets. Enable SLPP-Rx only on SMLT edge ports, and never on core ports; do not enable SLPP-Rx on SMLT IST ports or on SMLT square or full-mesh core ports. In an SMLT cluster, Avaya recommends an SLPP packet-receive threshold of 5 on the primary switch and 50 on the secondary switch. You can tune network failure behavior by choosing how many SLPP packets must be received before a switch takes action. The following table provides the Avaya recommended SLPP values. Table 21: SLPP recommended values
Setting                    Value
Enable SLPP
  Access SMLT              Yes
  Access SLT               Yes
  Core SMLT                No
  IST                      No
Primary switch
  Packet Rx threshold      5
  Transmission interval    500 milliseconds (ms) (default)
  Ethertype                Default
Secondary switch
  Packet Rx threshold      50
  Transmission interval    500 ms (default)
Extended CP-Limit
The Extended CP-Limit function protects the SF/CPU by shutting down ports that send traffic to the SF/CPU at a rate greater than desired. You can configure Extended CP-Limit to prevent one or more ports from overwhelming the switch with high traffic. To use the Extended CP-Limit functionality, configure CP-Limit at the chassis and port levels. Important: The Extended CP-Limit feature differs from the rate-limit feature by monitoring only packets that are sent to the SF/CPU (control plane), instead of all packets that are forwarded through the switch (data plane). The set of ports to check for a high rate of traffic must be predetermined, and configured as either SoftDown or HardDown. HardDown ports are disabled immediately after the SF/CPU is congested for a certain period of time. SoftDown ports are monitored for a specified time interval and are disabled only if the traffic does not subside. You configure the maximum number of monitored SoftDown ports. To enable this functionality and set its general parameters, configure it at the chassis level first. After you enable the functionality at the chassis level, configure each port individually to make use of it. The following table provides the Avaya recommended Extended CP-Limit values. Table 22: Extended CP-Limit recommended values
Setting                      Value
SoftDown (use with 4.1)
  Maximum ports              5
  Minimum congestion time    3 seconds (default)
  Port congestion time       5 seconds (default)
  CP-Limit utilization rate  Dependent on network traffic
HardDown (use with 3.7)
  Maximum ports              5
  Minimum congestion time    P = 4000 ms, S = 70 000 ms, T = 140 000 ms, Q = 210 000 ms
Primary (P): primary target for convergence
Secondary (S): secondary target for convergence
Tertiary (T): third target for convergence
Quaternary (Q): fourth target for convergence
Avaya does not recommend the Extended CP-Limit HardDown option for software Release 4.1 or later. Only use this option if SLPP is not available.
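The chassis-then-port configuration order described above can be sketched as follows (parameter names paraphrased from Table 22 and the values shown are illustrative; verify the exact syntax for your release):

```
# Chassis level: enable the feature and set general parameters first
config sys ext-cp-limit extcplimit enable
config sys ext-cp-limit max-ports-to-check 5
config sys ext-cp-limit min-congestion-time 3000    # milliseconds
config sys ext-cp-limit port-congestion-time 5      # seconds
# Port level: SoftDown monitors before disabling; HardDown disables immediately
config ethernet 1/1 ext-cp-limit SoftDown
```

Only after the chassis-level enablement takes effect do the per-port SoftDown or HardDown settings become active.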
Loop Detect
The Loop Detection feature is used at the edge of a network to prevent loops. It detects whether the same MAC address appears on different ports. This feature can disable a VLAN or a port. The Loop Detection feature can also disable a group of ports if it detects the same MAC address on two different ports five times in a configurable amount of time. On an individual port basis, the Loop Detection feature detects MAC addresses that are looping from one port to other ports. After a loop is detected, the port on which the MAC addresses were learned is disabled. Additionally, if a MAC address is found to loop, the MAC address is disabled for that VLAN.
ARP Detect
The ARP-Detect feature is an enhancement of Loop Detect to account for ARP packets on IP-configured interfaces. For network loops involving ARP frames on routed interfaces, Loop Detect does not detect the network loop condition because of how ARP frames are copied to the SF/CPU. Use ARP-Detect on Layer 3 interfaces. The ARP-Detect feature supports only the vlan-block and port-down options.
VLACP
Although VLACP is discussed earlier in this document, it is important to consider this feature in the context of loop prevention and CPU protection in Switch Cluster networks. VLACP provides an end-to-end failure detection mechanism that helps prevent potential problems caused by misconfigurations in a Switch Cluster design. VLACP is configured on a per-port basis, and traffic can be forwarded across the uplinks only when VLACP is up and running correctly. The ports on each end of the link must be configured for VLACP. If one end of the link does not receive the VLACP PDUs, it logically disables that port and no traffic can pass. This ensures that even if the port at the other end has link, no traffic is sent to it unless it is processing VLACP PDUs correctly. This alleviates potential black-hole situations by sending traffic only to ports that are functioning properly.
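An illustrative per-port sketch (the MAC address and timeout value are examples, not mandates; both ends of the link must use matching settings):

```
# MAC shown is the reserved multicast address commonly used for VLACP
config ethernet 1/1 vlacp macaddress 01:80:c2:00:00:0f
config ethernet 1/1 vlacp timeout short
config ethernet 1/1 vlacp enable
config vlacp enable            # global enable after ports are configured
```

A short timeout gives faster end-to-end failure detection at the cost of slightly more control traffic on the uplink.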
Note 1: SF/CPU protection mechanism; do not enable on IST links. Note 2: With Release 4.1.1.0 and later, Avaya recommends that you use the Soft Down option versus Hard Down. Note 3: Do not enable SLPP on IST links.
The following table provides the Avaya recommended CP-Limit values. Table 24: CP-Limit recommended values
CP-Limit values      Broadcast   Multicast
Aggressive
  Access SMLT/SLT    1000        1000
  Server             2500        2500
  Core SMLT          7500        7500
Moderate
  Access SMLT/SLT    2500        2500
  Server             5000        5000
  Core SMLT          9000        9000
Relaxed
  Access SMLT/SLT    4000        4000
  Server             7000        7000
  Core SMLT          10 000      10 000
VRF Lite
Release 7.0 supports the Virtual Router Forwarding (VRF) Lite feature, which supports many virtual routers, each with its own routing domain. VRF Lite virtualizes the routing tables to form independent routing domains, which eliminates the need for multiple physical routers. To use VRF Lite, you must install the Premier Software License. VRF Lite fully supports the High Availability (HA) feature: dynamic tables built by VRF Lite are synchronized, and if failover occurs when HA is enabled, VRF Lite does not experience an interruption. For more information about VRF Lite, see Avaya Ethernet Routing Switch 8800/8600 Configuration IP Routing, NN46205-523.
Using VRF Lite, the switch performs the following:
partitions traffic and data and represents an independent router in the network
provides virtual routers that are transparent to end users
supports overlapping IP address spaces in separate VRFs
supports addresses that are not restricted to the address space assigned by host Internet Service Providers (ISPs)
supports SMLT and RSMLT
supports Border Gateway Protocol
IPv6 is supported on VRF 0 only.
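A minimal sketch of creating a VRF and binding a routed VLAN to it (the VRF ID, name, VLAN ID, and address are hypothetical; see NN46205-523 for the exact syntax):

```
config ip vrf 2 create name "green"              # new routing instance
config vlan 200 vrf 2                            # attach the VLAN interface to VRF 2
config vlan 200 ip create 10.2.0.1/255.255.255.0
```

Because each VRF holds its own routing table, the same 10.2.0.0/24 prefix could also exist in another VRF without conflict.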
The following figure shows how VRF Lite can be used in an SMLT topology. VRRP is used between the two bottom routers.
The following figure shows how VRF Lite can be used in an RSMLT topology.
Figure 37: Router redundancy for multiple routing instances (using RSMLT)
The following figure shows how VRFs can interconnect through an external firewall.
Although customer data separation into Layer 3 virtual routing domains is usually a requirement, customers must sometimes access a common network infrastructure, for example, the Internet, data storage, VoIP-PSTN, or call-signaling services. To interconnect VRF instances, you can use an external firewall that supports virtualization, or use inter-VRF forwarding for specific services. With the inter-VRF solution, you can use routing policies and static routes to inject (leak) IP subnets from one VRF instance to another, and filters to restrict access to certain protocols. The following figure shows inter-VRF forwarding. This approach enables hub-and-spoke network designs, for example, for VoIP gateways.
VRRP navigation
VRRP guidelines on page 121
VRRP and STG on page 123
VRRP and ICMP redirect messages on page 124
IPv6 VRRP on page 125
VRRP versus RSMLT for default gateway resiliency on page 127
VRRP guidelines
VRRP provides another layer of resiliency to your network design by providing default gateway redundancy for end users. If a VRRP-enabled router connected to the default gateway fails, failover to the VRRP backup router ensures there is no interruption for end users attempting to route from their local subnet. Typically, only the VRRP Master router forwards traffic for a given subnet. The backup VRRP router does not route traffic destined for the default gateway; instead, it employs Layer 2 switching on the IST to deliver traffic to the VRRP Master for routing. To allow both VRRP switches to route traffic, Avaya has created an extension to VRRP, BackupMaster, which creates an active-active environment for routing. With BackupMaster enabled on the backup router, the backup router no longer switches traffic to the VRRP Master. Instead, the BackupMaster routes all traffic received on the BackupMaster IP interface according to the switch routing table. This prevents edge switch traffic from unnecessarily using the IST to reach the default gateway. The following figure shows a sample network topology that uses VRRP with BackupMaster.
Avaya recommends that you use a VRRP BackupMaster configuration with any SMLT configuration that has an existing VRRP configuration. The VRRP BackupMaster uses the VRRP standardized backup switch state machine; thus, VRRP BackupMaster is compatible with standard VRRP. When implementing VRRP, follow the Avaya recommended best practices:
Do not configure the virtual address as a physical interface address used on any of the routing switches. Instead, use a third address, for example:
  Interface IP address of VLAN a on Switch 1 = x.x.x.2
  Interface IP address of VLAN a on Switch 2 = x.x.x.3
  Virtual IP address of VLAN a = x.x.x.1
Set the VRRP hold-down timer long enough that the IGP routing protocol has time to converge and update the routing table. In some cases, setting the VRRP hold-down
timer to a minimum of 1.5 times the IGP convergence time is sufficient. For OSPF, Avaya recommends that you use a value of 90 seconds if using the default OSPF timers.
Implement VRRP BackupMaster for an active-active configuration. (BackupMaster works across multiple switches participating in the same VRRP domain.)
Configure a VRRP priority of 200 to set the VRRP Master.
Stagger VRRP Masters between Ethernet Routing Switches in the core.
Take care when implementing VRRP Fast, because it creates additional control traffic on the network and a greater load on the CPU. To reduce the convergence time of VRRP, the VRRP Fast feature allows you to modify VRRP timers to achieve subsecond failover of VRRP. Without VRRP Fast, normal convergence time is approximately 3 seconds.
Ensure that both SMLT aggregation switches can reach the same destinations by using a routing protocol. For routing purposes, configure per-VLAN IP addresses on both SMLT aggregation switches.
Introduce an additional subnet on the IST that has a shortest-route path to avoid issuing Internet Control Message Protocol (ICMP) redirect messages on the VRRP subnets. (ICMP redirect messages are issued if, to reach the destination, the router must send a packet back out through the same subnet on which it was received.)
Do not use VRRP BackupMaster and critical IP at the same time. Use one or the other.
When implementing VRRP on multiple VLANs between the same switches, Avaya recommends that you configure a unique VRID on each VLAN.
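The best practices above can be sketched for one VLAN as follows (addresses follow the x.x.x example; CLI syntax paraphrased, so verify against your release's documentation):

```
# Switch 1 (intended Master); Switch 2 mirrors with 10.10.10.3 and a lower priority
config vlan 10 ip create 10.10.10.2/255.255.255.0
config vlan 10 ip vrrp 1 address 10.10.10.1        # virtual IP: a third address
config vlan 10 ip vrrp 1 priority 200              # makes this switch the Master
config vlan 10 ip vrrp 1 backup-master enable      # active-active routing
config vlan 10 ip vrrp 1 holddown-timer 90         # ~1.5x OSPF convergence (default timers)
config vlan 10 ip vrrp 1 enable
```

On a second VLAN between the same pair, reverse the priorities so Masters are staggered between the two switches.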
In this figure, configuration A is optimal because VRRP convergence occurs within 2 to 3 seconds. In configuration A, three STGs are configured and VRRP runs on the link between the two routers (R). STG 2 is configured on the link between the two routers, which separates the link between the two routers from the STGs found on the other devices. All uplinks are active. In configuration B, VRRP convergence takes between 30 and 45 seconds because it depends on spanning tree convergence. After initial convergence, spanning tree blocks one link (an uplink), so only one uplink is used. If an error occurs on the uplink, spanning tree reconverges, which can take up to 45 seconds. After spanning tree reconvergence, VRRP can take a few more seconds to failover. Rather than configuring STG with VRRP, Avaya recommends that you enable SMLT with VRRP to simplify the network configuration and reduce the failover time. For more information about VRRP and SMLT, see SMLT and Layer 3 traffic Redundant Default Gateway: VRRP on page 86.
Consider the network shown in the following figure. Traffic from the client on subnet 30.30.30.0, destined for the 10.10.10.0 subnet, is sent to routing switch 1 (VRRP Master). This traffic is then forwarded on the same subnet to routing switch 2 where it is routed to the destination. For each packet received, Routing switch 1 sends an ICMP redirect message to the client to inform it of a shorter path to the destination through routing switch 2.
Because some network clients do not recognize ICMP redirect messages, Avaya recommends the network design shown in the following figure to avoid excessive ICMP redirect messages. Ensure that the routing path to the destination through both routing switches has the same metric: the path from 30.30.30.0 to 10.10.10.0 is one hop whether it passes through routing switch 1 or routing switch 2. Achieve this by building symmetrical networks based on the network design examples presented in Redundant network design on page 57.
IPv6 VRRP
For IPv6 hosts on a LAN to learn about one or more default routers, IPv6-enabled routers send Router Advertisements using the IPv6 Neighbor Discovery (ND) protocol. The routers multicast these Router Advertisements every few minutes.
The ND protocol includes a mechanism called Neighbor Unreachability Detection to detect the failure of a neighbor node (router or host) or the failure of the forwarding path to a neighbor. Nodes can monitor the health of a forwarding path by sending unicast ND Neighbor Solicitation messages to the neighbor node. To reduce traffic, nodes send Neighbor Solicitations only to neighbors to which they are actively sending traffic, and only after receiving no positive indication that the neighbors are up for a period of time. Using the default ND parameters, a host takes approximately 38 seconds to learn that a router is unreachable before it switches to another default router. This delay is very noticeable to users and causes some transport protocol implementations to time out. While you can decrease the ND unreachability detection period by modifying the ND parameters, the current lower limit that can be achieved is five seconds, with the added downside of significantly increased ND traffic, especially when many hosts are all trying to determine the reachability of one or more routers. To provide fast failover of a default router for IPv6 LAN hosts, the Avaya Ethernet Routing Switch 8800/8600 supports the Virtual Router Redundancy Protocol version 3 (VRRPv3) for IPv6 (defined in draft-ietf-vrrp-ipv6-spec-08.txt). VRRPv3 for IPv6 provides a faster switchover to an alternate default router than is possible using the ND protocol. With VRRPv3, a backup router can take over for a failed default router in approximately three seconds (using VRRPv3 default parameters). This is accomplished without any interaction with the hosts and with a minimum amount of VRRPv3 traffic. The operation of Avaya's IPv6 VRRP implementation is similar to the IPv4 VRRP operation, including support for the hold-down timer, critical IP, fast advertisements, and backup master. With backup master enabled, the backup switch routes all traffic according to its routing table.
It does not Layer 2-switch the traffic to the VRRP master. New to the IPv6 implementation of VRRP, you must specify a link-local address to associate with the virtual router. Optionally, you can also assign global unicast IPv6 addresses to associate with the virtual router. Network prefixes for the virtual router are derived from the global IPv6 addresses assigned to the virtual router. With the current implementation of VRRP, one active master switch exists for each IPv6 network prefix. All other VRRP interfaces in a network are in backup mode. The following figure shows a sample IPv6 VRRP configuration with SMLT. Because the backup router is configured as the backup master, routing traffic is load-shared between the two devices.
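The approximately three-second takeover quoted above follows from the VRRPv3 Master_Down_Interval defined in the VRRP specification (RFC 5798): three missed advertisements plus a priority-dependent skew time. A minimal sketch of that arithmetic, assuming the protocol defaults (a 1-second advertisement interval, which VRRPv3 encodes as 100 centiseconds, and a backup priority of 100):

```python
def master_down_interval(advert_interval_cs: int, priority: int) -> float:
    """Return the VRRPv3 Master_Down_Interval in seconds.

    advert_interval_cs: advertisement interval in centiseconds
    (VRRPv3 encodes it that way; the default is 100, i.e. 1 second).
    priority: the backup router's priority (1-254, default 100).
    """
    # Skew_Time = ((256 - priority) * Master_Adver_Interval) / 256
    skew_time_cs = ((256 - priority) * advert_interval_cs) / 256
    # Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time
    return (3 * advert_interval_cs + skew_time_cs) / 100

# With the defaults, a backup declares the master down after about 3.6 s,
# matching the "approximately three seconds" cited in the text.
print(round(master_down_interval(100, 100), 2))  # -> 3.61
```

Because the skew time shrinks as priority rises, the highest-priority backup declares the master down first and takes over.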
The backup master feature only supports the triangular SMLT topology. Important: Do not use VRRP backup master and critical IP at the same time. Use one or the other.
RSMLT L2 Edge provides:
- Greater scalability: VRRP scales to 255 instances, while RSMLT scales to the maximum number of VLANs.
- Simpler configuration: simply enable RSMLT on a VLAN; VRRP requires a virtual IP configuration, along with other parameters.
For connections in pure Layer 3 configurations (using a static or dynamic routing protocol), a Layer 3 RSMLT configuration is recommended over VRRP. In these instances, an RSMLT configuration provides faster failover than one with VRRP because the connection is a Layer 3 connection, not just a Layer 2 connection for default gateway redundancy. Both VRRP and RSMLT can provide default gateway resiliency for end stations. The configurations of these features are different, but both provide the same end result and are transparent to the end station. For more information about RSMLT, see Routed SMLT on page 92.
learns its source IP address, the end-user traffic is appropriately classified into the subnet-based VLAN. The switch supports a maximum of 200 subnet-based VLANs.
This configuration uses indirect connections (users are attached to a Layer 2 switch) and direct connections (users are attached directly to the Ethernet Routing Switch 8800/8600). These connections are described in the following sections. Both PPPoE and IP traffic flows through the network. Assumptions and configuration requirements include the following:
- PPPoE packets between users and the ISP are bridged.
- Packets received from the Layer 2 switch are tagged, whereas packets received from the directly connected user (User 3) are not tagged.
- IP packets between the user and the Ethernet Routing Switch 8800/8600 are bridged, whereas packets between the Ethernet Routing Switch 8800/8600 and the routed network are routed.
- VLANs between the Layer 2 switch and the Ethernet Routing Switch 8800/8600 are port-based.
- VLANs from the directly connected user (User 3) are protocol-based.
- The connection between the Ethernet Routing Switch 8800/8600 and the ISP is a single-port connection.
- The connection between the Layer 2 switch and the Ethernet Routing Switch 8800/8600 can be a single-port connection or a MultiLink Trunk (MLT) connection.
- Ethernet Routing Switch 8800/8600 ports connected to the user side (Users 1, 2, and 3) and the routed network are routed ports.
- Ethernet Routing Switch 8800/8600 ports connected to the ISP side are bridged (not routed) ports.
Indirect connections
The following figure shows a switch using routable port-based VLANs for indirect connections. When configured in this way:
- Port P1 provides a connection to the Layer 2 switch. Port P1 is configured for tagging. All P1 ingress and egress packets are tagged (the packet type can be either PPPoE or IP).
- Port P2 provides a connection to the ISP network. Port P2 is configured for tagging. All P2 ingress and egress packets are tagged (the packet type is PPPoE).
- Port P3 provides a connection to the routed network. Port P3 can be configured for either tagging or nontagging (if untagged, the header does not carry any VLAN tagging information). All P3 ingress and egress packets are untagged (the packet type is IP).
- Ports P1 and P2 must be members of the same VLAN. The VLAN must be configured as a routable VLAN. Routing must be disabled on port P2. VLAN tagging is preserved on P1 and P2 ingress and egress packets.
- Port P3 must be a member of a routable VLAN but cannot be a member of the same VLAN as ports P1 and P2. VLAN tagging is not preserved on P3 ingress and egress packets.
For indirect user connections, you must disable routing on port P2. This allows the bridging of non-IP traffic while keeping IP traffic away from port P2: port P1 has routing enabled and routes IP traffic to port P3. With IP routing disabled on port P2, no IP traffic flows to that port.
Direct connections
To directly connect to the Avaya Ethernet Routing Switch 8800/8600, a user must create two protocol-based VLANs on the port: one for PPPoE traffic and one for IP traffic (see the following figure). When configured in this way:
- Port P1 is an access port. Port P1 must belong to both the IP protocol-based VLAN and the PPPoE protocol-based VLAN.
- Port P2 provides a connection to the ISP network. P2 is configured for tagging to support PPPoE traffic to the ISP for multiple users. P2 ingress and egress packets are tagged (the packet type is PPPoE).
- Port P3 provides a connection to the Content Delivery Network. P3 can be configured for either tagging or nontagging (if untagged, the header does not carry any VLAN tagging information). P3 ingress and egress packets are untagged (the packet type is IP).
- Port P3 must be a member of a routable VLAN, but cannot be a member of the same VLAN as ports P1 and P2.
For direct connections, protocol-based VLANs (IP and PPPoE) are required to achieve traffic separation. Disabling routing on each port is not required because routed IP VLANs are not configured on port P2, as they are for indirect connections.
To use BGP, you must have Ethernet Routing Switch 8800/8600 software version 3.3 or later installed. BGP is supported on all interface modules. For large BGP environments, Avaya recommends that you use the 8692 SF/CPU. BGP Equal-Cost Multipath (ECMP) allows a BGP speaker to perform route balancing within an AS by using multiple equal-cost routes submitted to the routing table by OSPF or RIP. Load balancing is performed on a per-packet basis. To control route propagation and filtering, RFCs 1772 and 2270 recommend that multihomed, nontransit Autonomous Systems not run BGPv4. To address the load-sharing and reliability requirements of a multihomed user, use BGP between the user and its service providers. For more information about BGP and a list of CLI BGP commands, see Avaya Ethernet Routing Switch 8800/8600 Configuration BGP Services, NN46205-510.
BGP navigation
BGP scaling on page 134 BGP considerations on page 134 BGP and other vendor interoperability on page 135 BGP design examples on page 135 IPv6 BGP+ on page 139
BGP scaling
For information about BGP scaling numbers, see Table 5: Supported scaling capabilities on page 28 and Avaya Ethernet Routing Switch 8800/8600 Release Notes, NN46205-402. The Release Notes take precedence over this document.
BGP considerations
Be aware of the following BGP design considerations:
- Use the max-prefix parameter to limit the number of routes imported from a peer. This parameter prevents non-M mode configurations from accepting more routes than they can handle. Use a setting of 0 to accept an unlimited number of prefixes.
- BGP does not operate with an IP router in nonforwarding (host-only) mode. Ensure that the routers with which you want BGP to operate are in forwarding mode.
- If you use BGP for a multihomed AS (one that contains more than a single exit point), Avaya recommends that you use OSPF for your IGP and BGP as your sole exterior gateway protocol. Otherwise, use intra-AS IBGP routing.
- If OSPF is the IGP, use the default OSPF tag construction. The use of EGP or the modification of the OSPF tags makes network administration and proper configuration of BGP path attributes difficult.
- For routers that support both BGP and OSPF, you must set the OSPF router ID and the BGP identifier to the same IP address. The BGP router ID automatically uses the OSPF router ID.
- In configurations where BGP speakers reside on routers that have multiple network connections over multiple IP interfaces (the typical case for IBGP speakers), consider using the address of the circuitless (virtual) IP interface as the local peer address. In this way, you ensure that BGP is reachable as long as an active circuit exists on the router.
- By default, BGP speakers do not advertise or inject routes into their IGP. You must configure route policies to enable route advertisement.
- Coordinate routing policies among all BGP speakers within an AS so that every BGP border router within the AS constructs the same path attributes for an external path.
- Configure accept and announce policies on all IBGP connections to accept and propagate all routes. Make consistent routing policy decisions on external BGP connections.
- You cannot enable or disable the Multi-Exit Discriminator (MED) selection process.
- You cannot disable route aggregation when routes have different MEDs (MULTI_EXIT_DISC) or NEXT_HOP attributes.
In cases where the Internet connection is single-homed, to reduce the size of the routing table, Avaya recommends that you advertise Internet routes as the default route to the IGP.
In this figure, consider the following:
- The AS is divided into three regions that each run different and independent IGPs.
- Regions are logically interconnected via full-mesh IBGP, which also provides Internet connectivity.
- Internal non-BGP routers in each region default to the BGP border router, which contains all routes.
- If the destination belongs to another region, the traffic is directed to that region; otherwise, the traffic is sent to the Internet connections according to BGP policies.
To set multiple policies between regions, represent each region as a separate AS. Then implement EBGP between ASs and IBGP within each AS. In such instances, each AS injects its IGP routes into BGP, where they are propagated to all other regions and the Internet. The following figure shows the use of EBGP to join several ASs.
You can obtain AS numbers from the InterNIC (Internet Network Information Center) or use private AS numbers. If you use private AS numbers, design your Internet connectivity very carefully. For example, you can introduce a central, well-known AS to provide interconnections between all private ASs and the Internet. Before propagating the BGP updates, this central AS strips the private AS numbers to prevent them from leaking to providers. The following figure illustrates a design scenario in which you use multiple OSPF regions to peer with the Internet.
IPv6 BGP+
The Avaya Ethernet Routing Switch 8800/8600 extends the BGPv4 process to support the exchange of IPv6 routes using BGPv4 peering. BGP+ is an extension of BGPv4 for IPv6. Note that the Ethernet Routing Switch 8800/8600 BGP+ support is not an implementation of BGPv6. Native BGPv6 peering uses the IPv6 transport layer (TCPv6) for establishing the
BGPv6 peering, route exchanges, and data traffic. Native BGPv6 peering is not supported in Release 7.0. The Ethernet Routing Switch 8800/8600 supports the exchange of BGP+ reachability information over IPv4 transport. To support BGP+, the Ethernet Routing Switch supports two BGP protocol extensions: RFC 4760 (multiprotocol extensions to BGP) and RFC 2545 (MP-BGP for IPv6). These extensions allow BGPv4 peering to be enabled with IPv6 address family capabilities. The Ethernet Routing Switch 8800/8600 implementation of BGP+ uses an existing TCPv4 stack to establish a BGPv4 connection. Optional, nontransitive BGP properties are used to transfer IPv6 routes over the BGPv4 connection. Any BGP+ speaker must maintain at least one IPv4 address to establish a BGPv4 connection. Unlike IPv4, IPv6 introduces scoped unicast addresses, identifying whether the address is global or link-local. When BGP+ is used to convey IPv6 reachability information for interdomain routing, it is sometimes necessary to announce a next-hop attribute that consists of a global address and a link-local address. For BGP+, no distinction is made between global and site-local addresses. The BGP+ implementation includes support for BGPv6 policies, including redistributing BGPv6 into OSPFv3, and advertising OSPFv3, static, and local routes into BGPv6 (through BGP+). It also supports the aggregation of global unicast IPv6 addresses and partial HA. BGP+ does not support confederations. In this release, you can configure confederations for IPv4 routes only. The basic configuration of BGP+ is the same as BGPv4, with one additional parameter added and some existing commands altered to support IPv6 capabilities. You can enable and disable IPv6 route exchange by specifying the address family attribute as IPv6. Note that an IPv6 tunnel is required for the flow of IPv6 data traffic. BGP+ is supported only on the global VRF instance.
Limitations
IPv6 BGP convergence in SMLT scenarios cannot be guaranteed. Avaya recommends that you do not configure BGP peers between SMLT core routers, or between a core router and any switch connecting through SMLT links, for failover scenarios.
OSPF navigation
OSPF scaling guidelines on page 141 OSPF design guidelines on page 142 OSPF and CPU utilization on page 142 OSPF network design examples on page 142
Use the following formula to ensure that the switch operates within accepted OSPF scalability limits:

Adj_1 × LSA_CNT_1 + Adj_2 × LSA_CNT_2 + ... + Adj_N × LSA_CNT_N < 40,000

where:
- N = 1 to the number of areas per switch
- Adj_N = number of adjacencies per area N
- LSA_CNT_N = number of LSAs per area N

For example, assume that a switch has a configuration of three areas with a total of 18 adjacencies and 1000 routes:
- 3 adjacencies with an LSA_CNT of 500 (area 1)
- 10 adjacencies with an LSA_CNT of 1000 (area 2)
- 5 adjacencies with an LSA_CNT of 200 (area 3)

Calculate the number as follows: 3 × 500 + 10 × 1000 + 5 × 200 = 12,500, which is less than 40,000. This configuration ensures that the switch operates within accepted scalability limits.
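The calculation above can be expressed as a quick sanity check; the 40,000 limit and the per-area adjacency and LSA counts are the ones from the worked example:

```python
def ospf_load(areas):
    """Sum Adj_N * LSA_CNT_N across all areas configured on the switch."""
    return sum(adjacencies * lsa_count for adjacencies, lsa_count in areas)

# (adjacencies, LSA count) per area, from the three-area example
areas = [(3, 500), (10, 1000), (5, 200)]
total = ospf_load(areas)
print(total, total < 40_000)  # -> 12500 True
```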
The routers in example 1 have the following settings:
- S1 has an OSPF router ID of 1.1.1.1, and the OSPF port is configured with an IP address of 192.168.10.1.
- S2 has an OSPF router ID of 1.1.1.2, and the OSPF port is configured with an IP address of 192.168.10.2.
The general method used to configure OSPF on each routing switch is as follows:
1. Enable OSPF globally.
2. Verify that IP forwarding is enabled on the switch.
3. Configure the IP address, subnet mask, and VLAN ID for the port.
4. If RIP is not required on the port, disable it.
5. Enable OSPF for the port.
After you configure S2, the two switches elect a designated router (DR) and a backup designated router (BDR). They exchange Hello packets to synchronize their link-state databases.
The routers in example 2 have the following settings:
- S1 has an OSPF router ID of 1.1.1.1, and the OSPF port is configured with an IP address of 192.168.10.1.
- S2 has an OSPF router ID of 1.1.1.2, and two OSPF ports are configured with IP addresses of 192.168.10.2 and 192.168.20.1.
- S3 has an OSPF router ID of 1.1.1.3, and the OSPF port is configured with an IP address of 192.168.20.2.
The general method used to configure OSPF on each routing switch is:
1. Enable OSPF globally.
2. Insert IP addresses, subnet masks, and VLAN IDs for the OSPF ports on S1 and S3 and for the two OSPF ports on S2. The two ports on S2 enable routing and establish the IP addresses related to the two networks.
3. Enable OSPF for each OSPF port allocated with an IP address.
When all three switches are configured for OSPF, they elect a DR and BDR for each subnet and exchange Hello packets to synchronize their link-state databases.
The routers in example 3 have the following settings:
- S1 has an OSPF router ID of 1.1.1.1. The OSPF port is configured with an IP address of 192.168.10.1, which is in OSPF area 1.
- S2 has an OSPF router ID of 1.1.1.2. One OSPF port has an IP address of 192.168.10.2, which is in OSPF area 1. The second OSPF port on S2 has an IP address of 192.168.20.1, which is in OSPF area 2.
- S3 has an OSPF router ID of 1.1.1.3. The OSPF port is configured with an IP address of 192.168.20.2, which is in OSPF area 2.
The general method used to configure OSPF for this three-switch network is:
1. On all three switches, enable OSPF globally.
2. Configure OSPF on one network. On S1, insert the IP address, subnet mask, and VLAN ID for the OSPF port, and enable OSPF on the port. On S2, insert the IP address, subnet mask, and VLAN ID for the OSPF port in area 1, and enable OSPF on the port. Both routable ports belong to the same network; therefore, by default, both ports are in the same area.
3. Configure three OSPF areas for the network.
4. Configure OSPF on two additional ports in a second subnet. Configure the additional ports and verify that IP forwarding is enabled on each switch to ensure that routing can occur. On S2, insert the IP address, subnet mask, and VLAN ID for the OSPF port in area 2, and enable OSPF on the port. On S3, insert the IP address, subnet mask, and VLAN ID for the OSPF port, and enable OSPF on the port.
The three switches exchange Hello packets. In an environment with a mix of Cisco and Avaya switches and routers, you may need to manually set the OSPF RtrDeadInterval parameter to 40 seconds.
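The 40-second value reflects OSPF's requirement that neighbors agree on their timers: an adjacency forms only if the HelloInterval and RouterDeadInterval match on both sides, and a common default is a 10-second hello with a dead interval of four times that. A small illustrative check (not switch configuration syntax):

```python
def timers_compatible(hello_a: int, dead_a: int,
                      hello_b: int, dead_b: int) -> bool:
    """OSPF neighbors form an adjacency only when the HelloInterval and
    RouterDeadInterval fields in their Hello packets match exactly."""
    return hello_a == hello_b and dead_a == dead_b

# Matching a neighbor that uses 10 s hello / 40 s dead (4 x hello):
print(timers_compatible(10, 40, 10, 40))  # -> True
print(timers_compatible(10, 40, 10, 30))  # -> False: adjacency never forms
```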
IPv6 navigation
IPv6 requirements on page 147 IPv6 design recommendations on page 147 Transition mechanisms for IPv6 on page 147 Dual-stack tunnels on page 147
IPv6 requirements
To use IPv6, the switch requires at least one 8895 SF/CPU or 8692 SF/CPU module with the Enterprise Enhanced CPU daughter card (SuperMezz).
Dual-stack tunnels
A manually configured tunnel (as per RFC 2893) is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. Use tunnels to provide stable, secure communication between two edge routers or between an end system and an edge router, or to provide a connection to remote IPv6 networks. Edge routers and end systems (at the end of the tunnel) must be dual-stack implementations. At each end of the tunnel, configure the IPv4 and IPv6 addresses of the dual-stack routing switch on the tunnel interface and identify the entry and exit (or source and destination) points using IPv4 addresses. For Enterprise networks, your ISP provides you with the appropriate IPv6 address prefix for your site. Your ISP also provides you with the required destination IPv4 address for the exit point of the tunnel. The following figure shows a manually-configured tunnel.
For more information, see Avaya Ethernet Routing Switch 8800/8600 Configuration IPv6 Routing Operations, NN46205-504.
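At the packet level, each tunnel endpoint simply wraps the IPv6 packet in an IPv4 header whose protocol field is 41 (IPv6-in-IPv4, per RFC 2893). The sketch below illustrates the encapsulation format only; the checksum is left at zero and the addresses are documentation examples, not a working tunnel implementation:

```python
import struct

def encap_6in4(ipv6_packet: bytes, src_v4: str, dst_v4: str) -> bytes:
    """Prepend a minimal IPv4 header (protocol 41) to an IPv6 packet,
    as a manually configured dual-stack tunnel endpoint would."""
    def ip4(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split('.'))

    header = struct.pack(
        '!BBHHHBBH4s4s',
        0x45,                    # version 4, header length 5 words
        0,                       # DSCP/ECN
        20 + len(ipv6_packet),   # total length
        0,                       # identification
        0,                       # flags / fragment offset
        64,                      # TTL
        41,                      # protocol 41 = encapsulated IPv6
        0,                       # checksum (omitted in this sketch)
        ip4(src_v4),             # tunnel entry point (IPv4)
        ip4(dst_v4))             # tunnel exit point (IPv4)
    return header + ipv6_packet

# A 40-byte dummy IPv6 header wrapped between example tunnel endpoints:
packet = encap_6in4(b'\x60' + b'\x00' * 39, '192.0.2.1', '192.0.2.2')
print(packet[9], len(packet))  # -> 41 60
```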
Because each tunnel exists between only two routing switches and is independently managed, additional tunnels are required whenever you add new routing switches. Each additional tunnel and switch increases management overhead. Network Address Translation (NAT), when applied to the outer IPv4 header, is allowed along the path of the tunnel only if the translation map is stable and preestablished.
IS-IS
SPBM eliminates the need for multiple overlay protocols in the core of the network by reducing the core to a single Ethernet-based, link-state protocol (IS-IS). IS-IS provides virtualization services, both Layer 2 and Layer 3, using a pure Ethernet technology base. SPBM also uses IS-IS to discover and advertise the network topology, which enables it to compute the shortest path to all nodes in the SPBM network. Spanning Tree is a topology protocol that prevents loops but does not scale very well. Because SPBM uses IS-IS, which has its own mechanisms to prevent loops, SPBM does not have to use Spanning Tree to provide a loop-free Layer 2 domain. SPBM uses the IS-IS shortest path trees to populate forwarding tables for each participating node's individual Backbone MAC (B-MAC) address. Depending on the topology, SPBM supports as many equal-cost multipath trees as there are Backbone VLAN IDs (B-VIDs) provisioned per IS-IS instance (with a maximum of 16 B-VIDs allowed by the standard and 2 allowed in ERS 8800 Release 7.1). IS-IS interfaces operate in point-to-point mode only, which means that for any given Ethernet or MLT interface where IS-IS is enabled, there can be only one IS-IS adjacency across that interface.
B-MAC
An SPBM backbone includes Backbone Edge Bridges (BEB) and Backbone Core Bridges (BCB). A BEB performs the same functionality as a BCB, but it also terminates one or more Virtual Service Networks (VSN). A BCB does not terminate any VSNs and is unaware of the VSN traffic it transports. A BCB simply knows how to reach any other BEB in the SPBM backbone. To forward customer traffic across the service provider backbone, the BEB for the VSN encapsulates the customer Ethernet packet received at the edge into a Backbone MAC header using the 802.1ah MAC-in-MAC encapsulation. This encapsulation hides the Customer MAC (C-MAC) address in a Backbone MAC (B-MAC) address pair. MAC-in-MAC encapsulation defines a BMAC-DA and BMAC-SA to identify the backbone source and destination addresses. The originating node creates a MAC header that is used for delivery from end to end. Intermediate BCB nodes within the SPBM backbone perform packet forwarding using the BMAC-DA alone. When the packet reaches the intended egress BEB, the Backbone MAC header is removed and the original customer packet is forwarded onwards.
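The encapsulation described above can be sketched as a byte layout: B-DA and B-SA, a B-TAG (TPID 0x88A8 carrying the 12-bit B-VID), then an I-TAG (TPID 0x88E7 carrying the 24-bit I-SID), followed by the untouched customer frame. This is a simplified illustration; the real 802.1ah I-TAG also carries priority and flag bits, zeroed here, and the B-MAC values below are examples:

```python
import struct

def mac_in_mac(bmac_da: bytes, bmac_sa: bytes, bvid: int, isid: int,
               customer_frame: bytes) -> bytes:
    """Prepend a simplified 802.1ah (MAC-in-MAC) header to a customer frame."""
    btag = struct.pack('!HH', 0x88A8, bvid & 0x0FFF)    # B-TAG: TPID + B-VID
    itag = struct.pack('!HI', 0x88E7, isid & 0xFFFFFF)  # I-TAG: TPID + I-SID
    return bmac_da + bmac_sa + btag + itag + customer_frame

frame = mac_in_mac(bytes.fromhex('001122334455'),  # egress BEB B-MAC (example)
                   bytes.fromhex('66778899aabb'),  # ingress BEB B-MAC (example)
                   bvid=10, isid=12990011,
                   customer_frame=b'...customer ethernet frame...')
# The 24-bit I-SID sits in the low three bytes of the I-TAG:
print(int.from_bytes(frame[18:22], 'big') & 0xFFFFFF)  # -> 12990011
```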
I-SID
SPBM introduces a service instance identifier called I-SID. SPBM uses I-SIDs to separate services from the infrastructure. Once you create an SPBM infrastructure, you can add additional services (such as VLAN extensions or VRF extensions) by provisioning the endpoints only. The SPBM endpoints are called Backbone Edge Bridges (BEBs), which mark the boundary between the core MAC-in-MAC SPBM domain and the edge customer 802.1Q domain. I-SIDs are provisioned on the BEBs to be associated with a particular service instance. In the SPBM core, the bridges are referred to as Backbone Core Bridges (BCBs). BCBs forward encapsulated traffic based on the BMAC-DA. The SPBM B-MAC header includes an I-SID with a length of 24 bits. I-SIDs identify and transmit virtualized traffic in an encapsulated SPBM frame. These I-SIDs are used in a Virtual Service Network (VSN) for VLANs or VRFs across the MAC-in-MAC backbone. With L2 VSN, the I-SID is associated with a customer VLAN, which is then virtualized across the backbone. L2 VSNs offer an any-any LAN service type. L2 VSNs associate one VLAN per I-SID. With L3 VSN, the I-SID is associated with a customer VRF, which is also virtualized across the backbone. L3 VSNs are always full-mesh topologies. L3 VSNs associate one VRF per I-SID. Encapsulating customer MAC addresses in backbone MAC addresses greatly improves network scalability (no end-user C-MAC learning required in the core) and also significantly improves network robustness (loops have no effect on the backbone infrastructure). The following figure shows the components of a basic SPBM architecture.
SPBM provisioning
This section summarizes how to provision SPBM. For information on specific configuration commands, see Avaya Ethernet Routing Switch 8800/8600 Configuration Shortest Path Bridging MAC (SPBM), NN46205-525.
Infrastructure provisioning
Provisioning an SPBM core is as simple as enabling SPBM and IS-IS globally and on all the IS-IS core Ethernet links on all the BCB and BEB nodes. The IS-IS protocol operates at Layer 2, so unlike OSPF, it does not need IP addresses configured on the links to form adjacencies with neighboring switches; there is no need to configure any IP addresses on any of the core links. The encapsulation of customer MAC addresses in backbone MAC addresses greatly improves network scalability: there is no flooding and learning of end-user MACs in the backbone. It also significantly improves network robustness, as customer-introduced network loops have no effect on the backbone infrastructure.
Service provisioning
Provision I-SIDs on a BEB to associate that BEB with a particular service instance. After you map the customer VLAN or VRF into an I-SID, any BEB that has the same I-SID configured can participate in the same L2 or L3 virtual services network (VSN). This same simplicity extends to provisioning the services to run above the SPBM backbone. To create an L2 VSN, associate an I-SID number with an edge VLAN. To create an L3 VSN, associate an I-SID number with a VRF and configure the desired IS-IS IP route redistribution within the newly created L3 VSN. Note: There is no service provisioning needed on the core BCB SPBM switches. This provides a robust carrier grade architecture where configuration on the core switches never needs to be touched when adding new services.
Within the SPBM architecture, you can implement multiple options. The following figure shows all the options that SPBM supports.

Figure 59: SPBM support for campus and data center architecture
A. IP Shortcuts
IP Shortcuts forward standard IP packets over IS-IS. This option enables you to forward IP over the SPBM core, which is a simpler method than traditional IP routing or MPLS. SPBM nodes propagate Layer 3 reachability as leaf information in the IS-IS LSPs using Extended IP reachability TLV 135, which contains routing information such as neighbors and locally
configured subnets. SPBM nodes receiving the reachability information use this information to populate the routes to the announcing nodes. All TLVs announced in the IS-IS LSPs are grafted onto the shortest path tree (SPT) as leaf nodes. An IP route lookup is required only once, where the source BEB uses the GRT to identify the BEB closest to the destination subnet. All other nodes perform standard Ethernet switching based on the existing SPT. This allows for end-to-end IP-over-Ethernet forwarding without the need for ARP, flooding, or reverse learning. Because BCB SPBM nodes only forward on the MAC addresses that comprise the B-MAC header, and because unknown TLVs in IS-IS are relayed to the next hop but ignored locally, SPBM BCB nodes need not be aware of IP subnets to forward IP traffic. Only BEBs generate and receive Extended IP reachability TLVs to build the routing table in the GRT; BCBs simply relay the TLVs to the next hop based on the SPT. In fact, the Extended IP reachability TLV is ignored on BCBs. With IP Shortcuts there are only two IP routing hops (ingress BEB and egress BEB), as the SPBM backbone acts as a virtualized switching backplane. IP Shortcuts do not require any I-SID configuration. However, IP must be enabled on IS-IS, and the IS-IS source address must be configured to match a circuitless (loopback) IP address. In the figure above, node 8600G is acting as a BCB for the service and has no IP configuration whatsoever.
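The single route lookup at the ingress BEB can be illustrated with a toy Global Routing Table; the prefixes and B-MAC labels here are hypothetical, standing in for entries learned from Extended IP reachability TLVs:

```python
import ipaddress

# Hypothetical GRT on an ingress BEB: prefix -> B-MAC of the egress BEB
# that announced it in its IS-IS LSP.
grt = {
    ipaddress.ip_network('10.1.0.0/16'): 'B-MAC of 8600C',
    ipaddress.ip_network('10.1.2.0/24'): 'B-MAC of 8600D',
}

def egress_beb(destination: str) -> str:
    """Single lookup at the ingress BEB: longest-prefix match picks the
    egress BEB; every other hop switches purely on the B-MAC header."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in grt if addr in net]
    return grt[max(matches, key=lambda net: net.prefixlen)]

print(egress_beb('10.1.2.5'))  # -> B-MAC of 8600D (more specific /24 wins)
print(egress_beb('10.1.9.9'))  # -> B-MAC of 8600C
```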
B. L2 VSN
An L2 Virtual Services Network (VSN) bridges customer VLANs (C-VLANs) over the SPBM core infrastructure. An L2 VSN associates a C-VLAN with an I-SID, which is then virtualized across the backbone. All VLANs in the network that share the same I-SID can participate in the same VSN. If SMLT clusters are used, or if you want IS-IS to distribute traffic across two equal-cost paths, two backbone VLANs (B-VLANs) are required: a primary B-VLAN and a secondary B-VLAN. Otherwise, only a single B-VLAN is required. One of the key advantages of the SPBM L2 VSN is that network virtualization provisioning is achieved by configuring only the edge of the network (BEBs). The intrusive core provisioning that other Layer 2 virtualization technologies require is not needed when new connectivity services are added to the SPBM network. For example, when new virtual server instances are created and need their own VLAN instances, they are provisioned at the network edge only and do not need to be configured throughout the rest of the network infrastructure. Based on its I-SID scalability, this solution can scale much higher than any 802.1Q tagging-based solution. Also, because there is no need for Spanning Tree in the core, this solution does not need any core link provisioning for normal operation. Redundant connectivity between the C-VLAN domain and the SPBM infrastructure can be achieved by operating two SPBM switches in Switch Clustering (SMLT) mode. This allows the dual homing of any traditional link-aggregation-capable device into an SPBM network. In the figure above, nodes 8600C and 8600D act as BEBs for the VSN. Only these nodes have a MAC table (FDB) for C-VLAN 10.
D. Inter-VSN Routing
Inter-VSN Routing allows routing between Layer 2 VLANs with different I-SIDs. You can use Inter-VSN Routing to redistribute routes between L2 VLANs. This option allows effective networking of multiple Virtual Service Networks. Whereas L2 VSN with VLAN translation enables you to interconnect VLANs, this option takes that concept one step further and allows you to interconnect VSNs. It also provides the ability to route IP traffic on L2 VSNs ingressing on NNI interfaces, which is especially useful for L2 edge solutions. As illustrated in the figure above, routing between VLANs 11 and 12 occurs on the SPBM core switch 8600G shown in the middle of the figure. With Inter-VSN Routing enabled, 8600G transmits traffic between VLAN 11 (I-SID 12990011) and VLAN 12 (I-SID 12990012) on the configured VRF instance. Note that for these VSNs, node 8600G is acting as a BEB.
E. L3 VSN
L3 VSNs are very similar to L2 VSNs. The difference is that L2 VSNs associate I-SIDs with VLANs, whereas L3 VSNs associate I-SIDs with VRFs. With the L3 VSN option, all VRFs in the network that share the same I-SID can participate in the same VSN by advertising their reachable IP routes into IS-IS and installing IP routes learned from IS-IS. Suitable IP redistribution policies must be defined to determine which IP routes a BEB advertises into IS-IS. As illustrated in the figure above, the green VRF on 8600C is configured to advertise its local and direct IP routes into IS-IS within I-SID 13990001; the VRF on node 8600D, which is also a member of the same I-SID, installs these IP routes in its VRF IP routing table with a next-hop B-MAC address of 8600C. Therefore, when the VRF on node 8600D needs to route IP traffic to the IP subnet off 8600C, it performs a lookup in its IP routing table and applies a MAC-in-MAC encapsulation with the B-MAC DA of 8600C. The SPBM core ensures delivery to the egress BEB 8600C, where the encapsulation is removed and the packet is IP routed onwards. Note: As with the IP Shortcut service, there are only two IP routing hops (ingress BEB and egress BEB), as the SPBM backbone acts as a virtualized switching backplane.
F. L3 VSN
The figure above shows two VRFs (green and red) to illustrate that the BEBs can associate I-SIDs with multiple VRFs. The L3 VSN option provides IP connectivity over SPBM for all of your VRFs.
To illustrate the versatility and robustness of SPBM even further, the following figure shows a logical view of multiple tenants in a ring topology. In this architecture, each tenant has their own domain where some users have VLAN requirements and are using L2 VSNs and others
have VRF requirements and are using L3 VSNs. In all three domains, they can share data center resources across the SPBM network.
Provisioning an SPBM core is as simple as enabling SPBM and IS-IS globally on all the nodes and on the core facing links. To migrate an existing edge configuration into an SPBM network is just as simple. The boundary between the MAC-in-MAC SPBM domain and the 802.1Q domain is handled by the Backbone Edge Bridges (BEBs). At the BEBs, VLANs or VRFs are mapped into I-SIDs based on the local service provisioning. Services (whether L2 or L3 VSNs) only need to be configured at the edge of the SPBM backbone (on the BEBs). There is no provisioning needed on the core SPBM nodes. The following figure illustrates an existing Edge connecting to an SPBM Core.
For Layer 2 virtualized bridging (L2 VSN), identify all the VLANs that you want to migrate into SPBM and assign them to an I-SID on the BEB. For Layer 3 virtualized routing (L3 VSN), map IPv4-enabled VLANs to VRFs, create an IPVPN instance on the VRF, assign an I-SID to it, and then configure the desired redistribution of IP routes into IS-IS. All BEBs that have the same I-SID configured can participate in the same VSN. That completes the configuration part of the migration, and all traffic flows should return to normal. SPBM in Release 7.1 supports the following kinds of traffic:
- Layer 2 bridged traffic (L2 VSN)
- IPv4 unicast routed traffic on the Global Router (IP Shortcuts)
- IPv4 unicast routed traffic using a VRF (L3 VSN)
- IPv4 unicast routed traffic using IPVPN-Lite over SPBM
If your existing edge configuration uses SMLT, you can maintain that SMLT-based resiliency for services configured on the IST peer switches. SPBM requires that you upgrade both IST peers to 7.1 and identify two VLANs to be used as B-VLANs. SPBM then automatically creates a virtual backbone MAC for the IST pair and advertises it with IS-IS. By operating two SPBM switches in Switch Clustering (SMLT) mode, you can achieve redundant connectivity between the C-VLAN domain and the SPBM infrastructure. This allows the dual-homing of any traditional link-aggregation-capable device into an SPBM network. Related topics:
- Campus architecture on page 160
- Multicast architecture on page 163
- Large data center architecture on page 163
Campus architecture
For migration purposes, you can add SPBM to an existing network that has SMLT configured. In fact, if other protocols such as OSPF are already running in the network, you can leave them in place too. SPBM uses IS-IS and operates independently from other protocols. However, Avaya recommends that you eventually eliminate SMLT in the core and other unnecessary protocols. This reduces the complexity of the network and makes it much simpler to maintain and troubleshoot.

Whether you configure SMLT in the core or not, the main point to remember is that SPBM separates services from the infrastructure. For example, in a large campus, a user may need access to other sites or data centers. SPBM enables you to grant that access by associating the user with a specific I-SID. This mechanism enables users to do their work without getting access to another department's confidential information.

The following figure depicts a topology where the BEBs in the Edge and Data Center Distribution nodes (blue icons) are configured in SMLT Clusters. Prior to implementing SPBM, the core nodes (yellow icons) would also have been configured as SMLT Clusters. When migrating SPBM onto this network design, it is important to note that you can deploy SPBM over the existing SMLT topology without any network interruption. Once the SPBM infrastructure is in place, you can create VSN services over SPBM (or migrate them from the previous end-to-end SMLT-based design). After migrating all services to SPBM, the customer VLANs (C-VLANs) exist only on the BEB SMLT Clusters at the edge of the SPBM network (blue icons). The C-VLANs are assigned to an I-SID instance and then associated with either a VLAN in an L2 VSN or terminated into a VRF in an L3 VSN. You can also terminate the C-VLAN into the default Global Routing Table (GRT), which uses IP Shortcuts to route over the SPBM core.
In an SPBM network design, the only nodes where it makes sense to have an SMLT Cluster configuration are the BEB nodes where VSN services terminate. These are the SPBM nodes where C-VLANs exist, and these C-VLANs need to be redundantly extended to non-SPBM devices such as L2 edge stackable switches. On the BCB core nodes, where no VSNs are terminated and no L2 edge stackables are connected, there is no longer any use for the SMLT Clustering functionality. Therefore, in the depicted SPBM design, the SMLT/IST configuration can be removed from the core nodes because they now act as pure BCBs that have no knowledge of the VSNs they transport, and the only control plane protocol they need to run is IS-IS. Because SMLT BEB nodes exist in this design (the edge BEBs) and it is desirable to use equal-cost paths to load balance VSN traffic across the SPBM core, all SPBM nodes in the network are configured with the same two B-VIDs.
Where the figure above shows the physical topology, the following two figures illustrate a logical rendition of the same topology. In both of the following figures, you can see that the core is almost identical, because the SPBM core simply serves as a transport mechanism that transmits traffic to the destination BEB. All the provisioning is done at the edge. In the data center, VLANs are attached to Inter-VSNs that transmit the traffic across the SPBM core between the data center on the left and the data center on the right. A common application of this service is VMotion, which moves VMs from one data center to another. The first figure below uses IP Shortcuts that route VLANs in the GRT. There is no I-SID configuration and no Layer 3 virtualization between the Edge Distribution and the Core. This is normal IP forwarding to the BEB.
The figure below uses L3 VSNs to route VRFs between the Edge Distribution and the Core. The VRFs are attached to I-SIDs and use Layer 3 virtualization.
Multicast architecture
SPBM transports multicast streams, but SPBM does not support multicast routing in Release 7.1. However, you can keep a traditional SMLT/OSPF/PIM design operating in parallel to SPBM. SPBM uses L2 VSNs to tunnel multicast traffic between multicast routers. This means that SPBM transports multicast streams across the core, but there is no multicast routing until traffic reaches the edge switches.
A VM is a virtual server. When a VM is moved, the virtual server is moved as is. This means that the IP addresses of that server remain the same when the server is moved from one data center to the other. This in turn dictates that the same IP subnet (and hence VLAN) be present in both data centers. In the following figure, the VM (red device) moved from the data center on the left to the data center on the right. To ensure a seamless transition that is transparent to the user, the VM retains its network connections through the default gateway. This method works, but it adds more hops to all traffic. As you can see in the figure below, one VM move results in a convoluted traffic path. Multiply this by many moves, and soon the network looks like a tangled mess that is very inefficient, difficult to maintain, and almost impossible to troubleshoot.
In the traditional data center, we saw the chaos that resulted when a lot of VMs were moved. In an optimized data center as shown below, the incoming traffic enters the Layer 2 domain where an edge switch uses Inter-VSN Routing to attach an I-SID to a VLAN. The I-SID bridges traffic directly to the destination. With VRRP Backup Master, the traffic no longer goes through the default gateway; it takes the most direct route in and out of the network.
Upgrade scenarios
The figures in this section illustrate how two networks with SMLT switch clusters can be upgraded to SPBM. The accompanying test results in the table below show that SMLT can be successfully upgraded to SPBM with no loss of functionality. Figure 73: Test bed for upgrading a data center to STP/SPBM on page 169 shows a network with an SMLT switch cluster configuration upgrading to an SPBM configuration. When SPBM is used with SMLT, a virtual backbone MAC is automatically created for the IST pair and is advertised by IS-IS. The gray-dashed line outlines all the devices included in the SMLT and STP network. The red-dashed line outlines all the devices included in the SPBM network. When you complete the configuration steps, this upgrade reduces the complexity of the network. For more information and a configuration example, see Shortest Path Bridging (802.1aq) for ERS 8600 / 8800 Technical Configuration Guide (NN48500-617).
The following table shows how SPBM scales in a data center with an SMLT switch cluster.

Table 25: Scaling capability for the STP/SPBM data center test bed

Service | Maximum number tested in this scenario | Maximum number supported in all test scenarios
Multicast streams on non-SPBM VLANs when SPBM is enabled on the switch | 500 | 1500
ARP entries with SPBM enabled on the switch | 2000 | 6000
VLAN entries with SPBM enabled on the switch | 20 | 100
VRF instances | 64 | 256 (including GRT)
GRT routes | 2000 | 8000
VRF routes total | 2000 | 8000
L2 VPNs | 500 | 1000
Number of MACs on VPNs | 2000 | 30 000
The Test bed for upgrading a network to STP/SPBM on page 171 figure is basically a subset of the figure above, except that this scenario has different scaling requirements. Again, the gray-dashed line outlines all the devices included in the SMLT and STP network, and the red-dashed line outlines all the devices included in the SPBM network. In this figure, SPBM aggregates the local and remote C-MACs on the edge of the network and associates them with an I-SID. To transport them across the IS-IS network, remote C-MACs are referenced to an I-SID/NextHop pair. The NextHop is either an I-SID/IS-IS SystemId-MAC or an I-SID/IS-IS Virtual-MAC. IS-IS advertises a unique virtual MAC to support SMLT-UNI so that LSP re-advertising and remote C-MAC re-learning are unnecessary when SMLT-UNI link failures occur. IS-IS also supports two B-MAC instances.
The following table shows how SPBM scales in a smaller configuration with SMLT.
Table 26: STP/SPBM scaling capability for the small test bed

Service | Maximum number tested in this scenario | Maximum number supported in all test scenarios
Multicast groups on non-SPBM VLANs when SPBM is enabled on the switch | 1500 | 1500
ARP entries with SPBM enabled on the switch | |
VLAN entries with SPBM enabled on the switch | |
VRF instances | |
GRT routes | |
VRF routes total | |
L2 VPNs | |
Number of MACs on VPNs | |
Greenfield scenarios
The two figures in this section show greenfield installations of SPBM. To streamline and simplify the networks, there are no SMLT switch clusters in the core of these configurations. The scenario shown in the Test bed for a greenfield MSTP/SPBM configuration on page 173 figure tests a square topology in the core; the red-dashed line outlines all the devices included in the SPBM network. This figure shows a network with an MSTP/SPBM configuration.
The following table shows how SPBM scales in a data center with MSTP.

Table 27: Greenfield MSTP/SPBM scaling capability

Service | Maximum number tested in this scenario | Maximum number supported in all test scenarios
Multicast streams on non-SPBM VLANs when SPBM is enabled on the switch | 500 | 1500
ARP entries with SPBM enabled on the switch | 2000 | 6000
VLAN entries with SPBM enabled on the switch | | 100
VRF instances | | 256 (including GRT)
GRT routes | | 8000
VRF routes total | | 8000
L2 VPNs | | 1000
Number of MACs on VPNs | | 30 000
The scenario shown in the Test bed for a greenfield MSTP/SPBM ring configuration on page 175 figure tests a ring topology; the red-dashed line outlines all the devices included in the SPBM network. The focus of this test scenario is to verify the multicast scaling requirements of some customers. In this configuration, there are up to 1,500 multicast groups streaming data across the SPBM network.
The following table shows how SPBM scales in a ring with MSTP.

Table 28: Greenfield MSTP/SPBM ring scaling capability

Service | Maximum number tested in this scenario | Maximum number supported in all test scenarios
Multicast groups on non-SPBM VLANs when SPBM is enabled on the switch | 100 | 1500
ARP entries with SPBM enabled on the switch | |
VLAN entries with SPBM enabled on the switch | |
VRF instances | |
GRT routes | |
VRF routes total | |
L2 VPNs | |
IS-IS
Avaya recommends that you change the IS-IS system ID from the default B-MAC value to a recognizable address to easily identify a switch. This helps you to recognize source and destination addresses for troubleshooting purposes. If you leave the system ID at the default value (a safe practice, as it ensures no duplication in the network), it can be difficult to recognize the source and destination B-MACs when troubleshooting. If you do manually change the system ID, take the necessary steps to ensure there is no duplication in the network.

Create two B-VLANs to allow load distribution over both B-VLANs. This is required when using SMLT. Even if SMLT is not used in the network, this is still good practice, because adding a second B-VLAN to an existing configuration allows SPBM to load balance traffic across two equal-cost multipaths if the physical topology permits it.

In a ring topology with OSPF and IS-IS configured in the core, a core link break causes slow convergence that can lead to SPBM L2 traffic loss. If the last member link of an OSPF VLAN fails, it takes down the IP interface and OSPF has to reconverge. Keep in mind that while OSPF is reconverging, SPBM cannot get any CPU time, so there is some traffic loss.
SPBM
Use a different, easily recognizable IS-IS nickname on each switch. If IP Shortcuts is enabled, you must configure an IS-IS IP source address on the switch.
IST
If the switch will be part of an SMLT cluster, you must create the IST prior to enabling IS-IS.
SMLT
Each switch in the cluster must be configured to peer with its neighbor. If the IS-IS interface between them is the IST MLT (recommended, but not strictly required), traffic paths will generally be similar to existing behavior. A virtual B-MAC is automatically created based on the lowest system ID in the cluster plus one. Important: The virtual B-MAC or any system ID created must not conflict with any other system ID or virtual B-MAC in the network. Verify that there is no duplication of system IDs or virtual B-MACs anywhere in the network. A safe practice is to leave the lowest byte in the system ID as all zeroes. A consistency check is in place to ensure that L2 VSN VLANs cannot be added to the IST.
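The "lowest system ID plus one" derivation, and why the all-zeroes low byte is a safe practice, can be shown with a short sketch. The system ID values below are illustrative only, and the function is a model of the rule stated above, not switch code:

```python
def virtual_bmac(system_id_a: str, system_id_b: str) -> str:
    """Model of the SMLT virtual B-MAC derivation described above:
    take the lowest system ID in the cluster and add one."""
    ids = [int(s.replace(":", ""), 16) for s in (system_id_a, system_id_b)]
    v = min(ids) + 1
    return ":".join(f"{(v >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))

# Leaving the low byte of each system ID all zeroes (as recommended) means
# the derived virtual B-MAC (low byte 01) cannot collide with a system ID.
print(virtual_bmac("00:bb:00:00:81:00", "00:bb:00:00:82:00"))  # 00:bb:00:00:81:01
```

This makes the duplication warning concrete: if another node were manually assigned a system ID one greater than a cluster's lowest system ID, it would collide with that cluster's virtual B-MAC.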
CFM
The CFM Domain name must be the same on all switches in an IS-IS area. The Maintenance Association must be the same on all switches in an IS-IS area. To allow CFM testing over both B-VLANs, create two Maintenance Associations, one for each B-VLAN. The MIP can be configured the same on all switches in an IS-IS area or uniquely defined per switch. Important: The MIP must be configured at the same level as the MEP on all switches in the SPBM network.
Warning: This step will cause a service interruption. Make the VLAN an L2 VSN using the config vlan <vlanid> i-sid <isidvalue> CLI command or the vlan i-sid <vlanid> <isidvalue> ACLI command. Use the same I-SID value on all the switches. This step should restore service.
STP/RSTP/MSTP
There is no SPBM support in RSTP mode. A C-VLAN-level loop across SPBM NNI ports cannot be detected and must be resolved at the provisioning level. SPBM NNI ports are not part of the L2 VSN C-VLAN, and BPDUs are not transmitted over the SPBM tunnel. SPBM can only guarantee loop-free topologies consisting of the NNI ports. Avaya recommends that you always use SLPP in any SMLT environment. Note: Avaya recommends deploying SLPP on C-VLANs to detect loops created by customers in their access networks. However, SLPP is not required on B-VLANs, and it is not supported. The B-VLAN active topology is controlled by IS-IS, which has loop mitigation and prevention capabilities built into the protocol. SPBM uses STG 63 (with Avaya STP enabled) or MSTI 62 (with MSTP enabled) for internal use, so STG 63 or MSTI 62 cannot be used by any other VLAN or MSTI.
SPBM IS-IS
The current release supports IP over IS-IS using IP Shortcuts. However, the current release does not support RFC 1195. SPBM uses only Level 1 IS-IS; Level 2 IS-IS is not supported in this release. The IS-IS standard defines wide (32-bit) metrics and narrow (8-bit) metrics. Only the wide metric is supported in this release. SPBM supports full High Availability (HA). The SPBM and IS-IS configuration and dynamic information (such as adjacencies and LSPs) are all HA-synced to the standby CPU to ensure seamless switchover. Because the Ethernet Routing Switch 8800/8600 HA framework cannot guarantee seamless switchover, there is a 6 to 7 second gap between the active CPU going down and the standby CPU coming up. To avoid IS-IS adjacencies bouncing during the switchover, the recommended hello interval is 9 seconds and the recommended hello multiplier is 3. Important: If the switch has a large number of MACs in the VLAN FDB entry table and the primary SF/CPU fails, it can take longer than 27 seconds for the secondary SF/CPU to become the new primary. In this scenario, the IS-IS adjacency goes down because the default hold time (27 seconds) is too short. To prevent this from happening, increase the hello multiplier to allow more time for the HA failover.
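The timer arithmetic behind this recommendation can be checked directly: the adjacency hold time is simply the hello interval multiplied by the hello multiplier. The function name is illustrative; the values come from the recommendation above:

```python
def isis_hold_time(hello_interval_s: int, hello_multiplier: int) -> int:
    """IS-IS declares the adjacency down if no hello arrives within
    hello_interval * hello_multiplier seconds."""
    return hello_interval_s * hello_multiplier

# Recommended values: 9 s hello x 3 = 27 s hold time, which covers the
# 6-7 s HA switchover gap with a comfortable margin.
print(isis_hold_time(9, 3))  # 27

# With a large FDB, switchover can exceed 27 s. Raising the multiplier
# extends the hold time without making hellos more frequent.
print(isis_hold_time(9, 4))  # 36
```

Raising the multiplier rather than the interval keeps failure detection granularity the same while tolerating a longer control-plane outage.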
Multicast
In this release, SPBM does not support enabling PIM or IGMP snooping on a C-VLAN.
VLACP
VLACP is generally used when a repeater or switch exists between connected Ethernet Routing Switch 8800/8600 switches to detect when a connection is down even when the link
light is up. If you have VLACP configured on an SPBM link that is also an IST link, during a connection failover (where the link lights stay up) the IS-IS hellos time out first (after 27 seconds, using default values) and take down the IS-IS adjacency. IS-IS then calculates the new shortest path and fails over the SPBM traffic. Then, 90 seconds after the connection failure (using default values), VLACP goes down, but the IST link was already taken down by IS-IS. In this scenario, there is no data traffic impact because IS-IS finds another path in the SPBM network before VLACP goes down.
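The no-impact claim follows from comparing the two default detection timers quoted in the scenario above; a quick sanity check:

```python
# Default detection times from the scenario above: IS-IS gives up after
# 27 s (9 s hello x 3 multiplier), VLACP after 90 s. Because the IS-IS
# hold time is shorter, IS-IS reroutes SPBM traffic long before VLACP acts.
ISIS_HOLD_S = 9 * 3       # 27 s
VLACP_TIMEOUT_S = 90      # default value in this scenario

assert ISIS_HOLD_S < VLACP_TIMEOUT_S
print(f"IS-IS reroutes after {ISIS_HOLD_S} s; "
      f"VLACP acts {VLACP_TIMEOUT_S - ISIS_HOLD_S} s later")
```

If either timer were tuned, the same comparison shows whether IS-IS still wins the race; only if VLACP were made faster than the IS-IS hold time would VLACP take the link down first.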
SNMP traps
On each SPBM peer, if the SPBM B-VLANs are configured using different VLAN IDs (for example, VLAN 10 and 20 on one switch and VLAN 30 and 40 on the second), no trap message is generated alerting of the mismatch because the two switches cannot receive control packets from one another. Be sure to configure the SPBM B-VLANs using matching VLAN IDs.
Others
C-VLAN and B-VLAN cannot be enabled on the same port. Filters are not supported on the B-VLAN NNI port. Filters are not supported on the C-VLAN port for egress traffic.
Legacy IS-IS
An SPBM node can form an adjacency with a legacy IS-IS router. This allows SPBM to be introduced into existing networks and provide for easy migration.
Multicast virtualization provides support for:
- Virtualization of the control and data plane
- Multicast routing table managers (MRTM)
- Virtualized PIM-SM/SSM and IGMPv1/v2/v3
- Overlapping multicast address spaces
- The Global Routing Table (VRF0) and 255 VRFs
- SMLT/RSMLT support for multicast VRFs
- 64 instances of PIM-SM/SSM
- A total of 4000 multicast routes
Requirements
To support multicast virtualization, the Avaya Ethernet Routing Switch 8800/8600 must be equipped with the following:
- Release 5.1 (or later) software
- Premier Software License
- R/RS/8800 modules
- 8692 SF/CPU with SuperMezz CPU-Daughter card, or 8895 SF/CPU
The following figure shows an example of multicast virtualization supporting an end-to-end triple play solution for an MSO/Large Enterprise.
The multicast sources S1 to S4 are on different subnets and use different links for every set of sources to send their multicast data. In this case, S1 and S2 send their traffic on a common link (L1), and S3 and S4 use another common link (L2). These links can be MLT links. Unicast traffic is shared on the MLT links, whereas multicast traffic uses only one of the MLT links. Receivers can be located anywhere on the network. This design can work in parallel with unicast designs and, in the case of DVMRP, does not impact unicast routing. In this example, sources must be on the VLAN that interconnects the two switches. In more generic scenarios, you can design the network by changing the interface cost values to force some paths to be taken by multicast traffic.
If link L1 goes down, the affected streams are redistributed on links L2 and L3. However, with redistribution enabled, the unaffected streams (flowing on L2 and L3) are also redistributed. Because the switch does not update the corresponding RPF (Reverse Path Forwarding) ports on switch R2 for these unaffected streams, the activity check for these streams fails (because of an incorrect RPF port), and the switch improperly prunes these streams. To avoid this issue, the activity check is set to 210 seconds. If the activity check fails when the (S,G) entry timer expires (210 seconds), the switch deletes the (S,G) entry. The (S,G) entry is recreated when packets corresponding to the (S,G) pair reach the switch again. There can be a short window of traffic interruption during this deletion-creation period.
excessive hardware record use. By placing the source on the interconnected VLAN, traffic takes two paths to the destination, depending on the RPF checks and the shortest path to the source. For example, if a receiver is placed on VLAN 1 on switch S1 and another receiver is placed on VLAN 2 on this switch, traffic can be received from two different paths to the two receivers. This results in the use of two forwarding records. When the source on switch S2 is placed on a different VLAN than VLAN 3, traffic takes a single path to switch S1 where the receivers are located.
Use default timer values for PIM and DVMRP. When timers are decreased for faster convergence, they usually adversely affect scalability because control messages are sent more frequently. If faster network convergence is required, configure the timers with the same values on all switches in the network. Also, in most cases, you must perform baseline testing to determine optimal timer values versus required convergence times and scalability. For more information, see DVMRP timer tuning on page 203. For faster convergence, configure the Bootstrap and Rendezvous Point routers on a circuitless IP. For more information, see Circuitless IP for PIM-SM on page 217. For faster convergence, Avaya also recommends using a static Rendezvous Point (RP) router.
IANA has also reserved the range of 224.0.1.0 through 224.0.1.255 for well-known applications. These addresses are also assigned by IANA to specific network applications. For example, the Network Time Protocol (NTP) uses 224.0.1.1, and Mtrace uses 224.0.1.32. RFC 1700 contains a complete list of these reserved addresses.

Multicast addresses in the 232.0.0.0/8 (232.0.0.0 to 232.255.255.255) range are reserved only for source-specific multicast (SSM) applications, such as one-to-many applications. (For more information, see draft-holbrook-ssm-00.txt.) While this is the publicly reserved range for SSM applications, private networks can use other address ranges for SSM.

Finally, addresses in the range 239.0.0.0/8 (239.0.0.0 to 239.255.255.255) are administratively scoped addresses; they are reserved for use in private domains and must not be advertised outside that domain. This multicast range is analogous to the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 private address ranges in the unicast IP space.

A private network should assign multicast addresses only from 224.0.2.0 through 238.255.255.255 to applications that are publicly accessible on the Internet. Multicast applications that are not publicly accessible should be assigned addresses in the 239.0.0.0/8 range. Although you can use any multicast address you choose on your own private network, it is generally not good design practice to allocate public addresses to private network entities. Do not use public addresses for unicast host or multicast group addresses on private networks. To prevent private network addresses from escaping to a public network, you can use announce and accept policies as described in Announce and accept policy examples on page 203.
Most Ethernet switches handle Ethernet multicast by mapping a multicast MAC address to multiple switch ports in the MAC address table. Therefore, when you design the group addresses for multicast applications, take care to efficiently distribute streams only to hosts that are receivers. The Avaya Ethernet Routing Switch 8800/8600 switches IP multicast data based on the IP multicast address, not the MAC address, and thus does not have this issue.

As an example, consider two active multicast streams using addresses 239.1.1.1 and 239.129.1.1. Suppose two Ethernet hosts, receiver A and receiver B, are connected to ports on the same switch and only want the stream addressed to 239.1.1.1. Suppose also that two other Ethernet hosts, receiver C and receiver D, are connected to ports on the same switch as receivers A and B and wish to receive the stream addressed to 239.129.1.1. If the switch uses the Ethernet multicast MAC address to make forwarding decisions, then all four receivers receive both streams, even though each host only wants one stream. This increases the load on both the hosts and the switch. To avoid this extra load, Avaya recommends that you manage the IP multicast group addresses used on the network.

The switch does not forward IP multicast packets based on multicast MAC addresses, even when bridging VLANs at Layer 2. Thus, the switch does not encounter this problem. Instead, it internally maps IP multicast group addresses to the ports that contain group members. When an IP multicast packet is received, the lookup is based on the IP group address, regardless of whether the VLAN is bridged or routed. Be aware that while the Avaya Ethernet Routing Switch 8800/8600 does not suffer from the problem described in the previous example, other switches in the network, particularly pure Layer 2 switches, can.
In a network that includes non-Ethernet Routing Switch 8800/8600 equipment, the easiest way to ensure that this issue does not arise is to use only a consecutive range of IP multicast addresses corresponding to the lower-order 23 bits of that range. For example, use an address
range from 239.0.0.0 through 239.127.255.255. A group address range of this size can still easily accommodate the needs of even the largest private enterprise.
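The 32-to-23-bit overlap, and why a range such as 239.0.0.0 through 239.127.255.255 avoids it, can be demonstrated with a short script. This is a sketch of the standard IP-to-Ethernet multicast MAC mapping (fixed 01:00:5e prefix plus the low-order 23 bits of the group address), not switch code:

```python
import ipaddress

def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC address: the fixed
    prefix 01:00:5e followed by the low-order 23 bits of the group."""
    low23 = int(ipaddress.ip_address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

# The two example groups from the text collide on the wire: bit 23 of the
# group address (129 vs 1 in the second octet) is discarded by the mapping.
print(multicast_mac("239.1.1.1"))    # 01:00:5e:01:01:01
print(multicast_mac("239.129.1.1"))  # 01:00:5e:01:01:01 -- same MAC

# Within 239.0.0.0-239.127.255.255 the low 23 bits are unique, so no two
# groups in that range ever share an Ethernet MAC address.
assert multicast_mac("239.1.1.1") == multicast_mac("239.129.1.1")
assert multicast_mac("239.1.1.1") != multicast_mac("239.127.1.1")
```

The range 239.0.0.0/9 contains exactly 2^23 addresses, which is why it is the largest consecutive administratively scoped block with collision-free MAC mappings.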
If you do not configure the switch to downgrade the version of IGMP, the switch logs a warning.
A change in the accepted egress TTL value does not take effect dynamically on active streams. To change the TTL, disable DVMRP and then enable it again on the interface with a TTL greater than 2. Use this workaround for an Ethernet Routing Switch 8800/8600 network that has a high number of multicast applications with no control over the hop count used by these applications. In all cases, an application should not send multicast data with a TTL lower than 2; otherwise, all of that application's traffic is dropped and the load on the switch is increased. Enhanced modules (E, M, or R series), which provide egress mirroring, do not experience this behavior.
Receive access policies are initiated when reports are received with addresses that match the filter criteria. Transmit access policies are applied when the first packet of a multicast stream is received by the switch. Multicast access policies can be applied to a DVMRP or PIM routed interface if IGMP reports the reception of multicast traffic. In the case of DVMRP routed interfaces where no IGMP reports are received, some access policies cannot be applied. The static receivers work properly on DVMRP or PIM switch-to-switch links. With the exception of the static receivers that work in these scenarios, and the other exceptions noted at the end of this section, Figure 86: Applying IP multicast access policies for DVMRP on page 197 illustrates where access policies can and cannot be applied. On VLAN 4, access policies can be applied and take effect because IGMP control traffic can be monitored for these access policies. The access policies do not apply on the ports connecting switches together on V1, V2, or V3 because multicast data forwarding on these ports depends on DVMRP or PIM and does not use IGMP.
The following rules and limitations apply to IGMP access policy parameters when used with IGMP versus DVMRP and PIM:
- The static member parameter applies to IGMP snooping, DVMRP, and PIM on both interconnected links and edge ports.
- The Static Not Allowed to Join parameter applies to IGMP snooping, DVMRP, and PIM on both interconnected links and edge ports.
- For multicast access control, the denyRx parameter applies to IGMP snooping, DVMRP, and PIM. The DenyTx and DenyBoth parameters apply only to IGMP snooping.
the hosts on that subnet. The split-subnet problem applies to any type of traffic. However, it has a larger impact on a PIM-SM network. To avoid the split-subnet problem in PIM networks, ensure that the Rendezvous Point (RP) router is not located in a subnet that can become a split subnet. Also, avoid having receivers on this subnet. Because the RP is an entity that must be reached by all PIM-enabled switches with receivers in a network, placing the RP on a split subnet can impact the whole multicast traffic flow. Traffic can be affected even for receivers and senders that are not part of the split subnet.
For more information about IGMP snoop and proxy, see Avaya Ethernet Routing Switch 8800/8600 Configuration IP Multicast Routing Protocols (NN46205-501).
provide services as normal, responding to queries and identifying receivers for the multicast traffic. To enable the Layer 2 querier, you must configure an IP address for the querier so that it can receive forwarded report and leave messages. If a multicast router is present on the network, the Layer 2 querier is automatically disabled. In a Layer 2 multicast network, enable the Layer 2 querier on one of the switches in the VLAN. Only one Layer 2 querier is supported in the same Layer 2 multicast domain; no querier election is available. You cannot enable MVR and the Layer 2 querier on the same VLAN. For more information about IGMP Layer 2 querier, see Avaya Ethernet Routing Switch 8800/8600 Configuration IP Multicast Routing Protocols (NN46205-501).
Example 2: If 1.6 MB of system memory is available for PGM, the number of sessions the switch can create is (1.6 MB / 40,236 bytes) = 40 sessions. In this case, ensure that the window size of the application is low (usually below 100). The window size is related to client and server memory and affects the switch only when retransmission errors occur. In addition to window size, also limit the total number of PGM sessions to control the amount of memory that PGM uses. Specifically, ensure that PGM does not consume the memory required by the other protocols. The default value for the maximum number of sessions is 100.
DVMRP navigation
- DVMRP scalability on page 201
- DVMRP design guidelines on page 202
- DVMRP timer tuning on page 203
- DVMRP policies on page 203
- DVMRP passive interfaces on page 207
DVMRP scalability
IP multicast scaling depends on several factors. Some limitations are related to the system itself (for example, CPU and memory resources); other limitations are related to your network design. Scaling information for DVMRP is based on test results for a large network under different failure conditions. Unit testing of such scaling numbers provides higher numbers, particularly for the number of IP multicast streams. The numbers specified in this section are recommended for general network design. No VLAN ID restrictions exist on what can be configured with DVMRP. You can configure up to 500 VLANs for DVMRP. If you configure more than 300 DVMRP interfaces, you require
a CPU with sufficient RAM. You can use the 8691 SF/CPU, which has 128 MB of RAM, or the 8692 SF/CPU, which can have up to 256 MB. You can also use the CPU Memory Upgrade Kit to upgrade to 256 MB. Software Release 4.1 and later supports up to 1200 DVMRP interfaces. Configure most interfaces as passive DVMRP interfaces and keep the number of active interfaces under 80. If the number of DVMRP interfaces approaches the 1200-interface limit, Avaya recommends that you configure only a few interfaces as active DVMRP interfaces (configure the rest as passive). The number of DVMRP multicast routes can scale up to 2500 when deployed with other protocols, such as OSPF or RIP. With the proper use of DVMRP routing policies, your network can support a large number of routes. For more information about using policies, see DVMRP policies on page 203. The recommended maximum number of active multicast source/group pairs (S,G) is 2000. Avaya recommends that the number of source subnets multiplied by the number of receiver groups not exceed 500. If you need more than 500 active streams, group senders into the same subnets to achieve higher scalability. Give careful consideration to traffic distribution to ensure that the load is shared efficiently between interconnected switches. For more information, see Multicast and Multi-Link Trunking considerations on page 188. Important: In some scaled DVMRP configurations with more than one thousand streams, you need to increase routing protocol timeouts (for example, the dead interval for OSPF) to avoid multicast traffic loss. The scaling limits given in this section are not hard limits; they are a result of scalability testing with switches under load with other protocols running in the network. Depending on your network design, these numbers can vary.
Avoid connecting senders and receivers to the subnets/VLANs that connect core switches. To connect servers that generate multicast traffic or act as multicast receivers to the core, connect them to VLANs different from the ones that connect the switches. As shown in Figure 86: Applying IP multicast access policies for DVMRP on page 197, V1, V2, and V3 connect the core switches, and the IP multicast senders or receivers are placed on VLAN V4, which is routed to other VLANs using DVMRP. The Avaya Ethernet Routing Switch 8800/8600 does not support DVMRP in SMLT full-mesh designs.
DVMRP policies
DVMRP policies include announce and accept, do not advertise self, and default route policies. By filtering routes that are not necessary to advertise, you can use policies to scale to very large DVMRP networks.
use DVMRP for routing. The goal is to receive and distribute public multicast streams on the private network, while not forwarding private multicast streams to the public network. Given the topology, an appropriate solution is to use an announce policy on the public network interface of Router A. This prevents the public network from receiving the private multicast streams, while allowing Router A to still act as a transit router within the private network. Public multicast streams are forwarded to the private network as desired.
The following figure illustrates a similar scenario. As before, the goal is to receive and distribute public multicast streams on the private network, while not forwarding private multicast streams to the public network. This time, Router A has only one multicast-capable interface connected to the private network. Because one interface precludes the possibility of intradomain multicast transit traffic, private multicast streams do not need to be forwarded to Router A. In this case, it is inefficient to use an announce policy on the public interface because private streams are forwarded to Router A and then are dropped (and pruned) by Router A. In such circumstances, it is appropriate to use an accept policy on the private interface of Router A. Public multicast streams are forwarded to the private network as desired.
Accept policies are useful when you cannot control routing updates on the neighboring router. For example, a service provider cannot directly control the routes advertised by its neighboring router, so the provider can configure an accept policy to only accept certain agreed-on routes. You can use an accept policy to receive a default route over an interface. If a neighbor supplies a default route, you can accept only that route and discard all others, which reduces the size of the routing table. In this situation, the default route is accepted and poison-reversed, whereas the more specific routes are filtered and not poison-reversed. You can also use announce or accept policies (or both) to implement a form of traffic engineering for multicast streams based on the source subnet. The following figure shows a network where multiple potential paths exist through the network. According to the default settings, all multicast traffic in this network follows the same path to the receivers. Load balancing can distribute the traffic to the other available links. To make the path between Routers B and D more preferable, use announce policies on Router A to increase the advertised metric of certain routes. Thus, traffic that originates from those subnets takes the alternate route between B and D.
Because all multicast streams originate from the data center, Router C must advertise at least some of its local routes. Therefore, you cannot enable the do not advertise self feature on all interfaces. If certain local routes (that do not contain sources) should not be advertised, you can selectively enable do not advertise self policies on a per-interface basis or you can configure announce policies.
Avaya recommends that you configure announce policies on Routers A and B to suppress the advertisement of all other routes to Router C. Alternatively, you can configure accept policies on Router C to prevent all routes from Router A and Router B, other than the default, from installation in the routing table.
The passive interface feature is useful if you wish to use IGMP Snoop and DVMRP on the same switch. IGMP Snoop and Layer 3 IGMP (with DVMRP and PIM) operate independently of each other. If you configure DVMRP on interface 1 and IGMP Snoop on interface 2 on Switch A, multicast data with sources from interface 1 is not forwarded to the receivers learned on interface 2 (and vice versa). To overcome this communication problem, use a DVMRP passive interface. Configure passive interfaces only on interfaces that contain potential sources of multicast traffic. If the interfaces are connected to networks that only have receivers, Avaya recommends that you use a do not advertise self policy on those interfaces. Do not attempt to disable a DVMRP interface if multicast receivers exist on that interface. If you must support more than 512 potential sources on separate local interfaces, configure the vast majority as passive interfaces. Ensure that only 1 to 5 total interfaces are active DVMRP interfaces. You can also use passive interfaces to implement a measure of security on the network. For example, if an unauthorized DVMRP router is attached to the network, a neighbor relationship is not formed, and thus, no routing information from the unauthorized router is propagated across the network. This feature also has the convenient effect of forcing multicast sources to be directly attached hosts.
PIM-SM navigation
PIM-SM and PIM-SSM scalability on page 209 PIM general requirements on page 210 PIM and Shortest Path Tree switchover on page 212 PIM traffic delay and SMLT peer reboot on page 213 PIM-SM to DVMRP connection: MBR on page 213 Circuitless IP for PIM-SM on page 217 PIM-SM and static RP on page 217 Rendezvous Point router considerations on page 221
PIM-SM receivers and VLANs on page 223 PIM network with non-PIM interfaces on page 224
With the Avaya Ethernet Routing Switch 8800/8600 implementation, you can place the RP anywhere in the network. The following figure shows a redundant MBR configuration, where two MBR switches connect a PIM domain to a DVMRP domain. This configuration is not supported; MBRs that connect two domains should not span the same VLAN on the links connected to the same domain.
For a proper redundant configuration, ensure that the links use two separate VLANs (see the following figure). Ensure that the unicast routes and DVMRP routes always point to the same path.
The following paragraphs describe a failure scenario possible with this configuration. Assume that switch A has a multicast sender, and switch C has a receiver. The RP is at D. Then, suppose that the unicast route on C allows data to reach source A through B, and that DVMRP tells upstream switch B to reach the source on A. If so, data flows from A to B to C, and traffic that comes from D is discarded. If the link between C and B fails, the unicast route on switch C indicates that the path to reach the source is through D. If DVMRP has not yet learned the new route to the source, it cannot create an mroute for the stream when traffic is received, and the stream is discarded. Even after it learns the route, DVMRP does not create an mroute for the stream, so data continues to be discarded. To resolve this issue, stop the affected streams until DVMRP ages out the entries. Alternatively, reinitialize DVMRP (disable and re-enable it) and then restart the multicast streams.
If you cannot disable DVMRP or the streams, lower the DVMRP timers for faster convergence. Then DVMRP learns its routes before PIM learns the new unicast routes and reroutes the stream. If DVMRP and unicast routes diverge while traffic flows, the same problem may occur. As a result, for safe MBR network operation, Avaya recommends that you use the simple design proposed in PIM-SM to DVMRP connection: MBR.
possibly take over new multicast streams that would otherwise be distributed through an authorized RP. If security is important, static RP assignment may be preferable. You can use the static RP feature in a PIM environment with devices that run legacy PIM-SMv1 and auto-RP (a proprietary protocol that the Avaya Ethernet Routing Switch 8800/8600 does not support). For faster convergence, you can also use static RP in a PIM-SMv2 environment. If static RP is configured with PIM-SMv2, the BSR is not active.
Because failover is determined by unicast routing behavior, carefully consider the unicast routing design, as well as the IP address you select for the RP. Static RP failover performance depends on the convergence time of the unicast routing protocol. For quick convergence, Avaya recommends that you use a link state protocol, such as OSPF. For example, if you are using RIP as the routing protocol, an RP failure may take minutes to detect. Depending on the application, this situation can be unacceptable. Static RP failover time does not affect routers that have already switched over to the SPT; failover time only affects newly-joining routers.
Avaya recommends that you always enable the specific route option for any SMLT/RSMLT cluster running PIM-SM with static RPs because of the implementation of the internal-only default static route on the IST. This resolution applies only to static RP configurations, not to C-RP configurations.
Switches 10, 15, and 16 use static RP, whereas Switch 2 uses dynamic RP. The source is at Switch 10, and the receivers are at Switches 15 and 16. The RP is local to Switch 15. The receiver on Switch 16 cannot receive packets because its SPT goes through Switch 2. Switch 2 is in a dynamic RP domain, so it cannot learn about the RP on Switch 15. However, (S,G) records are created and deleted on Switch 16 every 210 seconds.
While still providing redundancy in the case of an RP failure, you can ensure that the optimal shared tree is used by using the following methods:
- Use the hash algorithm to proactively plan the group-address-to-RP assignment. Use this information to select the multicast group address for each multicast sender on the network and to ensure optimal traffic flows. This method is helpful for modeling more complex redundancy and failure scenarios, where each group address has three or more CRPs.
- Allow the hash algorithm to assign the blocks of addresses on the network, and then view the results using the command show ip pim active-rp. Use the command output to assign multicast group addresses to senders that are located near the indicated RP.
The limitation to this approach is that while you can easily determine the current RP for a group address, the backup RP is not shown. If more than one backup for a group address exists, the secondary RP is not obvious. In this case, use the hash algorithm to reveal which of the remaining CRPs takes over for a particular group address in the event of primary RP failure. The hash algorithm works as follows:
1. For each CRP router with matching group address ranges, a hash value is calculated according to the formula:
Hash value [G, M, C(i)] = {1103515245 * [(1103515245 * (G & M) + 12345) XOR C(i)] + 12345} mod 2^31
The hash value is a function of the group address (G), the hash mask (M), and the IP address of the CRP, C(i). The expression (G & M) guarantees that blocks of group addresses hash to the same value for each CRP, and that the size of the block is determined by the hash mask. For example, if the hash mask is 255.255.255.248, the group addresses 239.0.0.0 through 239.0.0.7 yield the same hash value for a given CRP. Thus, the block of eight addresses is assigned to the same RP.
2. The CRP with the highest resulting hash value is chosen as the RP for the group. In the event of a tie, the CRP with the highest IP address is chosen.
This algorithm is run independently on all PIM-SM routers so that every router has a consistent view of the group-to-RP mappings.
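The hash computation and RP election can be sketched in Python (a minimal illustration for planning purposes, not Avaya code; IPv4 addresses are treated as 32-bit unsigned integers):

```python
import socket
import struct

def ip2int(dotted):
    """Convert a dotted-quad IPv4 address to a 32-bit unsigned integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def pim_hash(group, mask, crp):
    """Hash value [G, M, C(i)] from the formula above (all inputs as ints)."""
    inner = (1103515245 * (group & mask) + 12345) ^ crp
    return (1103515245 * inner + 12345) % (1 << 31)

def elect_rp(group_addr, mask_addr, crp_addrs):
    """Highest hash value wins; ties are broken by the highest CRP IP address."""
    g, m = ip2int(group_addr), ip2int(mask_addr)
    return max(crp_addrs, key=lambda c: (pim_hash(g, m, ip2int(c)), ip2int(c)))
```

Because (G & M) is identical for every group address within a masked block, all groups in the block produce the same hash per CRP and therefore elect the same RP.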
Candidate RP considerations
The CRP priority parameter helps to determine an active RP for a group. The hash values for different RPs are only compared for RPs with the highest priority. Among the RPs with the highest priority value and the same hash value, the CRP with the highest RP IP address is chosen as the active RP. You cannot configure the CRP priority. Each RP has a default CRP priority value of 0, and the algorithm uses the RP if the group address maps to the grp-prefix that you configure for that RP. If a different router in the network has a CRP priority value greater than 0, the switch uses this part of the algorithm in the RP election process. Currently, you cannot configure the hash mask used in the hash algorithm. Unless you configure a different PIM BSR in the network with a nondefault hash mask value, the default
hash mask of 255.255.255.252 is used. Static RP configurations do not use the BSR hash mask; they use the default hash mask. For example, suppose RP1 = 128.10.0.54 and RP2 = 128.10.0.56, the group prefix for both RPs is 238.0.0.0/255.0.0.0, and the hash mask is 255.255.255.252. The hash function assigns the groups to RPs in the following manner:
- The group range 238.1.1.40 to 238.1.1.51 (12 consecutive groups) maps to 128.10.0.56.
- The group range 238.1.1.52 to 238.1.1.55 (4 consecutive groups) maps to 128.10.0.54.
- The group range 238.1.1.56 to 238.1.1.63 (8 consecutive groups) maps to 128.10.0.56.
IGMP reports sent by R are forwarded to the DR, and both A and B create (*,G) records. Switch A receives duplicate data through the path from C to A, and through the second path from C to B to A. Switch A discards the data on the second path (assuming the upstream source is A to C). To avoid this waste of resources, Avaya recommends that you do not place receivers on V1. This guarantees that no traffic flows between B and A for receivers attached to A. In this case, the existence of the receivers is only learned through PIM Join messages to the RP [for (*,G)] and of the source through SPT Joins.
If the shortest path from C to the source is through switch B, and the interface between C and B does not have PIM-SM enabled, then C cannot switch to the SPT. C discards data that comes through the shared path tree (that is, through A). The simple workaround is to enable PIM on VLAN1 between C and B.
A group in the SSM range can have a single source for a given SSM group. You can have different sources for the same group in the SSM range (different channels) if they are on different switches. Two different devices in a network may want to receive data for the same group from a physically closer server; in that case, the receivers listen to different channels of the same group. For more information about PIM-SSM scaling, see PIM-SM and PIM-SSM scalability on page 209.
MSDP
Multicast Source Discovery Protocol (MSDP) allows rendezvous point (RP) routers to share source information across Protocol Independent Multicast Sparse-Mode (PIM-SM) domains. RP routers in different domains use MSDP to discover and distribute multicast sources for a group. MSDP-enabled RP routers establish MSDP peering relationships with MSDP peers in other domains. The peering relationship occurs over a TCP connection. When a source registers with the local RP, the RP sends Source Active (SA) messages to all of its MSDP peers. The SA message identifies the address of the source, the multicast group address, and the address of the RP that originates the message. Each MSDP peer that receives the SA floods it to all MSDP peers that are downstream from the originating RP. To prevent loops, each receiving MSDP peer examines the BGP routing table to determine which peer is the next hop towards the RP that originated the SA. This peer is the Reverse Path Forwarding (RPF) peer. Each MSDP peer drops any SAs that are received on interfaces other than the one connecting to the RPF peer. MSDP is similar to BGP, and MSDP peering typically follows BGP peering in deployments. When receivers in a domain belong to a multicast group whose source is in a remote domain, the normal PIM-SM source-tree building mechanism delivers multicast data over an interdomain distribution tree. With MSDP, however, group members continue to obtain source information from their local RP; they are not directly dependent on the RPs in other domains. The following figure shows an example MSDP network.
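The peer-RPF check described above can be sketched as follows (a simplified illustration, not the switch implementation; the BGP next-hop lookup is abstracted into a function argument, and peers are plain strings):

```python
def accept_sa(originating_rp, receiving_peer, bgp_next_hop_peer):
    """Peer-RPF check: accept an SA only if it arrived from the MSDP peer
    that is the BGP next hop towards the RP that originated it."""
    return receiving_peer == bgp_next_hop_peer(originating_rp)

def flood_sa(sa, receiving_peer, peers, bgp_next_hop_peer):
    """Forward an accepted SA to every MSDP peer except the one it came from;
    drop it (return an empty list) if it fails the peer-RPF check."""
    if not accept_sa(sa["rp"], receiving_peer, bgp_next_hop_peer):
        return []
    return [p for p in peers if p != receiving_peer]
```

SAs arriving from a non-RPF peer are silently discarded, which is what prevents forwarding loops when multiple MSDP paths exist between domains.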
MSDP routers cache SA messages by default. The cache reduces join latency for new receivers and reduces SA storms: cached entries are advertised no more than twice and no less than once per SA advertisement interval. The SA advertisement interval is 60 seconds.
Peers
Configure neighboring routers as the MSDP peers of the local router to explicitly define the peer relationships. You must configure at least one peer. MSDP typically runs on the same router as the PIM-SM RP. In a peering relationship, the MSDP peer with the highest IP address listens for new TCP connections on port 639. The other side of the peer relationship makes an active connection to this port.
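The active/passive role assignment described above can be expressed directly (a minimal sketch; which side listens follows only from the IP address comparison stated in the text):

```python
import ipaddress

MSDP_TCP_PORT = 639  # well-known MSDP port

def msdp_role(local_ip, peer_ip):
    """Return 'listen' if this side waits for the TCP connection on port 639
    (higher IP address), or 'connect' if it actively opens the connection."""
    local = int(ipaddress.IPv4Address(local_ip))
    peer = int(ipaddress.IPv4Address(peer_ip))
    return "listen" if local > peer else "connect"
```

Both peers evaluate the same comparison independently, so exactly one side listens and the other connects.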
Default peers
Configure a default MSDP peer when the switch is not in a BGP-peering relationship with an MSDP peer. If you configure a default peer, the switch accepts all SA messages from that peer.
Static mroute
The Avaya Ethernet Routing Switch 8800/8600 supports a static IP route table to separate the paths for unicast and multicast streams. Only multicast protocols use this table. Adding a route to this table does not affect the switching or routing of unicast packets. The entries in this table use the following attributes:
- IP prefix or IP mask: the destination network for the added route.
- Reverse Path Forwarding (RPF) address: the IP address of the RPF neighbor towards the rendezvous point (RP) or source.
- Route preference: the administrative distance for the route. If the unicast routing table and the multicast-static IP route table use different routes for the same destination network, the system compares the administrative distance with that of the protocol that contributed the route in the unicast routing table.
- Route status: the status, either enabled or disabled, of the route in the table.
The following figure shows an example of a static mroute configured in a network.
The system does not advertise or redistribute routes from the multicast-static IP route table. The system uses these routes only for RPF calculation. The system uses the following rules to determine RPF:
- Direct or local routes for a destination take precedence over a route for the same destination in the static route table.
- If a route exists in the static route table, and no route exists in the unicast routing table for the destination, the system uses the route in the static route table.
- If a route is available in both the unicast routing table and the static route table, the system uses the route from the static route table only if its administrative distance is less than or equal to that of the unicast route entry.
- If no route exists in the static route table for the destination, the system uses the route from the unicast routing table, if available.
The system performs a longest prefix match during a lookup in the static route table. The lookup ignores routes that are administratively disabled. If multiple routes exist for a matching prefix, the system chooses the route with the least preference. If multiple routes exist with a matching prefix and the same preference, the system chooses the route with the highest RPF address. This selection method only occurs within the static mroute table; the system still compares the selected route with a route from the RTM, if one exists.
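The lookup rules within the static mroute table can be sketched as follows (a simplified illustration of the selection order described above, not the switch implementation; the entry fields mirror the attributes listed earlier):

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass
class StaticMroute:
    prefix: IPv4Network      # destination network
    rpf: IPv4Address         # RPF neighbor towards the RP or source
    preference: int          # administrative distance
    enabled: bool = True     # administratively enabled or disabled

def best_static_mroute(dest, table):
    """Longest-prefix match over enabled entries; ties broken by lowest
    preference, then by highest RPF address."""
    matches = [r for r in table if r.enabled and dest in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    candidates = [r for r in matches if r.prefix.prefixlen == longest]
    return min(candidates, key=lambda r: (r.preference, -int(r.rpf)))
```

The entry this function returns is then compared against the unicast routing table entry, per the rules above, before the system settles on the RPF neighbor.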
unicast routing protocols to build its routing table, so its paths are always linked to unicast paths. In DVMRP, multicast route policies can be applied regardless of any existing unicast route policies. PIM must follow unicast routing policies, which limits flexibility in tuning PIM routes. PIM-SM can scale to the unicast routing protocol limits (several thousand routes), whereas DVMRP has limited route scaling (two to three thousand routes) because of the nature of its RIPv2-based route exchange. This makes PIM-SM more scalable than DVMRP in large networks where the number of routes exceeds the number supported by DVMRP (assuming DVMRP policies cannot be applied to reduce the number of routes).
Switch C is not configured with any multicast ports (that is, C is not a multicast router). If switch A is the querier, the port towards A becomes the mrouter (multicast router) port for C. The receiver cannot receive data from source S because C does not forward data on the link between C and B. You can surmount this problem by using one of the following methods:
- Configure ports P1 and P2 as mrouter ports on the IGMP Snoop VLAN.
- Configure switches A, B, and C to run Multicast Router Discovery (MRDISC) on their common VLANs.
MRDISC allows the Layer 2 switch to dynamically learn the location of switches A and B and thus, add them as mrouter ports. If you connect switches A and B together, no specific configuration is required because the issue does not arise.
PIM-SSM over SMLT/RSMLT on page 239 Static-RP in SMLT using the same CLIP address on page 244
Client switches run IGMP Snoop or PIM-SM, and the aggregation switches run PIM-SM. This design is simple and, for the rest of the network, IP multicast routing is performed by means of PIM-SM. The aggregation switches are the queriers for IGMP, thus, an external querier is not required to activate IGMP membership. These switches also act as redundant switches for IP multicast. Multicast data flows through the IST link when receivers are learned on the client switch and senders are located on the aggregation switches, or when sourced data comes through the aggregation switches. This data is destined for potential receivers attached to the other side
of the IST. The data does not reach the client switches through the two aggregation switches because only the originating switch forwards the data to the client switch receivers. Always place any multicast receivers and senders on the core switches on VLANs different from those that span the IST.
In this example, the unicast route table on 8600A learns the BSR on 8600B through VLAN 102 via OSPF. The BSR is either not learned or does not provide the RP to 8600A. Another traffic issue can occur when the path to a source network on the aggregation switches is the same for both switches. When the path is the same, duplicate traffic can result. The following figure illustrates the issue and the solution.
Figure 107: Multicast and SMLT design that avoids duplicate traffic
Assume that the source network is 10.10.10.0/24, that switches A and B know the DVMRP metric for the IST interface, that the interfaces towards NETWORK are all configured as 10, and that the total cost to the source is the same. A has a DVMRP route 10.10.10.0 with a metric of 10 and an upstream neighbor through the interface connecting to NETWORK. B has a DVMRP route 10.10.10.0 with a metric of 10 and an upstream neighbor through the interface connecting to NETWORK. That is, A and B learn the DVMRP route for the sender (S) network with the same metric. Assume that A is the querier for the interface connected to the IGMP Snoop-enabled switch. When receiver R sends an IGMP report, A learns the receiver on the SMLT port and forwards the IST-IGMP message to B. After B receives the message from A, B learns the receiver on its SMLT port connected to the IGMP switch. So, both A and B have local receivers on their SMLT ports. S sends data that is received by both A and B through the interface connected to NETWORK. Because both A and B have a local receiver on the SMLT port, the IGMP switch receives data from both routers, causing R to receive duplicate traffic.
In this configuration, both A and B forward traffic to the IGMP SNOOP switch, and the receiver receives duplicate traffic. The solution to this issue is to configure the metrics on the DVMRP interfaces so that either A or B learns the source network route through the IST. In this way, the router that receives traffic from the IST blocks traffic from the SMLT (receiver) port so that the IGMP switch receives traffic from only one router. Configure the metric of the DVMRP interface towards NETWORK on either A or B. For example, configure Switch B so that the route metric through the DVMRP interface is greater than the metric through the IST interface. Therefore, the NETWORK interface metric on B should be greater than 2. If the metric of the NETWORK interface on B is configured to 3, B can learn route 10.10.10.0 through the NETWORK interface with a metric of 12 (because the metric is incremented by 2), and through the IST interface with a metric of 11. So B learns route 10.10.10.0 with a cost of 11 to the upstream neighbor through the IST link. With these metrics, traffic from S goes from A to B only on the IST link. Because traffic received on the IST cannot go to the SMLT link, the IGMP switch does not receive traffic from B. Therefore, R no longer receives duplicate traffic; it receives traffic from switch A only.
Figure 108: Triangle topology with PIM-SSM in the core and at the edge
The following figure shows a similar triangle topology, with the Ethernet Routing Switch 8300 and the stackable Ethernet Routing Switches (5xxx/4500/2500) running PIM-SSM at the edge. In this case, however, the Ethernet Routing Switch 8800/8600s are running PIM-SM in the core. With the extended VLANs from the SSM edge to the SM core, the operating version of the interfaces in the core must be IGMPv2. Hence, the querier for that VLAN sends out IGMPv2 queries. If there are receivers in the same extended VLAN from the edge to the core, they must send only IGMPv1/v2 reports because IGMPv3 reports are dropped by IGMPv2 interfaces.
Figure 109: Triangle topology with PIM-SM in the core and PIM-SSM at the edge
The following figure shows a square or full mesh topology in which one Ethernet Routing Switch 8800/8600 IST pair is running PIM-SSM in the core, and the other IST pair is running Layer 2 IGMP. The Ethernet Routing Switch 8300 and the stackable Ethernet Routing Switches (5xxx/ 4500/2500) are also running Layer 2 IGMP at the edge.
Figure 110: Square/full mesh topology with Layer 2 IGMP edge and PIM-SSM core
The following figure shows a square or full mesh topology in which both Ethernet Routing Switch 8800/8600 IST pairs are running PIM-SSM and RSMLT in the core. The Ethernet Routing Switch 8300 and the stackable Ethernet Routing Switches (5xxx/4500/2500) are running Layer 2 IGMP at the edge.
Figure 111: Square/full mesh topology with Layer 2 IGMP edge and PIM-SSM core with RSMLT
The following figure shows a square or full mesh topology in which both Ethernet Routing Switch 8800/8600 IST pairs are running PIM-SSM and RSMLT in the core. The Ethernet Routing Switch 8300 and the stackable Ethernet Routing Switches (5xxx/4500/2500) are running PIM-SSM at the edge.
Figure 112: Square/full mesh topology with PIM-SSM edge and PIM-SSM core with RSMLT
In the preceding figure, the multicast traffic flows as follows:
1. The multicast server sends multicast data towards the Source DR (SDR), SW_A.
2. The SDR sends register messages with encapsulated multicast data towards the RP.
3. When the client sends IGMP membership reports towards the multicast router, the multicast router creates a (*,G) entry.
4. The RP sends joins towards the source on the reverse path.
5. When the SDR receives the joins, it sends native multicast traffic.
6. When SW_B or SW_D receives multicast traffic from upstream, they forward the traffic on the IST as well as on the SMLT link. However, on the other aggregation switches (SW_C and SW_E), multicast traffic is dropped at the egress side. (This is in accordance with the SMLT/RSMLT design to provide fast failover for multicast traffic.) Both aggregation switches SW_D and SW_E have similar (S,G) records.
7. In the case of SW_D (RP) failure, SW_B changes only the next-hop interface towards SW_E. Because the RP address is the same, SW_B does not flush any (S,G) entries. In this way, this configuration achieves faster failover.
Static routes
You can configure DVMRP static mroutes. This feature is useful in cases where streams must flow continuously and not age out. Be careful when using this feature: ensure that the programmed entries do not remain on a switch after they are no longer necessary. You can also use IGMP static receivers for PIM static (S,G)s. The main difference between static mroutes and static (S,G) pairs is that static mroute entries only require the group address. You can use static receivers in edge configurations or on interconnected links between switches.
Important: For IGMPv3, Avaya recommends that you ensure a Join rate of 250 per second or less. If the Avaya Ethernet Routing Switch 8800/8600 must process more than 250 Joins per second, users may have to resend Joins. When you use the IGMP proxy functionality in the Business Policy Switch 2000, you reduce the number of IGMP reports received by the Avaya Ethernet Routing Switch 8800/8600. This provides better overall performance and scalability.
Fast Leave
IGMP Fast Leave supports two modes of operation: Single User Mode and Multiple User Mode. In Single User Mode, if more than one member of a group is on the port and one of the group members leaves the group, everyone stops receiving traffic for this group. A Group-Specific Query is not sent before the effective leave takes place. Multiple User Mode allows several users on the same port/VLAN. If one user leaves the group and other receivers exist for the same stream, the stream continues. The switch achieves this by tracking the number of receivers that join a given group. For Multiple User Mode to operate properly, do not suppress reports. This ensures that the switch properly tracks the correct number of receivers on an interface. The Fast Leave feature is particularly useful in IGMP-based TV distribution where only one receiver of a TV channel is connected to a port. If a viewer changes channels quickly, considerable bandwidth savings are obtained when Fast Leave is used. You can implement Fast Leave on a VLAN and port combination; a port that belongs to two different VLANs can have Fast Leave enabled on one VLAN (but not on the other). Thus, with the Fast Leave feature enabled, you can connect several devices on different VLANs to the same port. This strategy does not impact the traffic when one device leaves a group to which another device is subscribed. For example, you can use this feature when two TVs are connected to a port through two set-top boxes, even if you use Single User Mode.
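The per-group receiver counting that Multiple User Mode relies on can be sketched as follows (a simplified illustration, not the switch implementation; ports and group addresses are plain strings):

```python
from collections import defaultdict

class FastLeaveTracker:
    """Count receivers per (port, group); keep forwarding while the count > 0."""

    def __init__(self):
        self.receivers = defaultdict(int)

    def report(self, port, group):
        """IGMP membership report: one more receiver on this port."""
        self.receivers[(port, group)] += 1

    def leave(self, port, group):
        """IGMP leave: stop the stream only when the last receiver is gone.
        Returns True if the stream should keep flowing on this port."""
        key = (port, group)
        if self.receivers[key] > 0:
            self.receivers[key] -= 1
        return self.receivers[key] > 0
```

This also shows why report suppression breaks Multiple User Mode: if hosts suppress duplicate reports, the counter undercounts receivers and the stream can be cut off while listeners remain.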
If you assign a value that is too low, a storm of membership reports can result if a large number of hosts are subscribed. Similarly, a value that is too high can cause unwanted high-bandwidth stream propagation across the network if users change channels rapidly. Leave latency also depends on the robustness value: a robustness value of two equates to a leave latency of twice the LMQI.

Determine the proper LMQI setting for your particular network through testing. If a very large number of users are connected to a port, assigning a value of three may lead to a storm of report messages when a group-specific query is sent. Conversely, if streams frequently start and stop in short intervals, as in a TV delivery network, assigning a value of ten may lead to frequent congestion in the core network.

The error rate of the physical medium also affects the proper choice of LMQI values. For links with high packet loss, you may have to raise the robustness variable to compensate for the possible loss of IGMP queries and reports. In such cases, leave latency suffers because numerous group-specific queries go unanswered before the stream is pruned; the number of unanswered queries is equal to the robustness variable (default two). Assigning a lower LMQI may counterbalance this effect, but setting it too low may exacerbate the problem by inducing storms of reports on the network. Keep in mind that LMQI values of three and ten, with a robustness value of two, translate to leave latencies of six tenths of a second and two seconds, respectively.

When you choose an LMQI, consider all of these factors to determine the best setting for the given application and network, and test that value to ensure that it provides the best performance.
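The leave-latency arithmetic above can be sketched as follows. This is an illustrative helper, not switch CLI syntax; the function name and defaults are assumptions used only to show the relationship between LMQI (expressed in tenths of a second) and the robustness variable.

```python
# Hypothetical helper illustrating the leave-latency arithmetic described
# above; names and defaults are illustrative, not device configuration.

def leave_latency_seconds(lmqi_tenths: int, robustness: int = 2) -> float:
    """Worst-case leave latency: the switch sends 'robustness' group-specific
    queries, spaced LMQI tenths of a second apart, before pruning the stream."""
    return robustness * lmqi_tenths / 10.0

# The two LMQI settings discussed in the text, with the default robustness of 2:
assert leave_latency_seconds(3) == 0.6   # 3 tenths of a second x 2 queries
assert leave_latency_seconds(10) == 2.0  # 10 tenths of a second x 2 queries
```

Raising robustness on lossy links lengthens this latency proportionally, which is why the text suggests a lower LMQI as a counterbalance.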
Important: In networks that have only one user connected to each port, Avaya recommends that you use the Fast Leave feature instead of LMQI, since no wait is required before the stream stops. Similarly, the robustness variable does not impact the Fast Leave feature, which is an additional benefit for links with high loss.
The Avaya Ethernet Routing Switch 8800/8600 processes messages according to the following rules:
- On IGAP-enabled interfaces, the switch processes IGAP messages and ignores all other IGMP messages.
- On IGMP-enabled interfaces, the switch processes IGMP messages and ignores IGAP messages.
IGAP operates with Fast Leave only and does not generate Group-Specific Queries as IGMPv2 does. The Ethernet Routing Switch 8800/8600 supports the Single User and Multiple User Fast Leave modes for IGAP. For more information about IGAP, see Avaya Ethernet Routing Switch 8800/8600 Configuration IGAP, NN46205-512.
The following scenario shows how a potential traffic interruption can occur:
1. An authenticated IGAP member receives multicast traffic. Accounting starts.
2. R1 uses MLT1 to transfer data and accounting messages.
3. MLT1 goes down. Because the (S,G) entry is deleted, an Accounting Stop message is triggered.
4. MLT2 redistributes the traffic that existed on MLT1. Because a new (S,G) entry is created with a different session ID, an Accounting Start message is triggered.
MLT1 is down, so both the Accounting Stop and Accounting Start messages are sent to the RADIUS server on MLT2. If the Accounting Stop message is sent before OSPF can recalculate the route change and send an Accounting Start message, the switch drops the User Datagram Protocol (UDP) packets. This scenario does not cause an accounting error because RADIUS uses the session ID to calculate accounting time. Even though the route loss and OSPF recalculation caused the packets to be sent out of sequence, IGAP and RADIUS process the events in the correct order.
To avoid traffic loss if you must disable an MLT link, use the following workaround: enable Equal Cost Multipath (ECMP) on the edge switch (R1) and on both of the CDN switches (R2 and R3), and set the route preference (path cost) of the alternative link (MLT2) equal to or higher than that of MLT1. With this workaround, the switchover is immediate: traffic is not interrupted, and accounting does not have to be stopped and restarted.
MPLS IP VPN
Beginning with Release 5.0, the Avaya Ethernet Routing Switch supports MPLS networking based on RFC 4364 (which obsoletes RFC 2547). RFC 4364 describes a method by which a Service Provider can use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method uses a peer model, in which the customer edge routers (CE routers) send their routes to the service provider edge routers (PE routers). Data packets are tunneled through the backbone, so the core routers (P routers) do not need to know the VPN routes. This means that the P routers can scale to an unlimited number of IP VPNs and that no configuration change is required on the P nodes when IP VPN services are added or removed. VPN routes are exchanged between PE routers using Border Gateway Protocol (BGP) with Multiprotocol Extensions (BGP-MP). The CE routers at different sites are not required to peer with each other or to have knowledge of IP VPNs across the service provider backbone. The CE device can also be a Layer 2 switch connected to the PE router. RFC 4364 defines a framework for Layer 3 VPNs over an IP backbone with BGP; it is commonly deployed over MPLS but can use IPsec or GRE tunnels. Avaya IP-VPN uses MPLS for transport.
MPLS overview
Multi-Protocol Label Switching (MPLS) (RFC3031) is primarily a service provider technology where IP traffic can be encapsulated with a label stack and then label switched across a network through Label Switched Routers (LSR) using Label Switched Paths (LSP). An LSP is an end-to-end unidirectional tunnel set up between MPLS-enabled routers. Data travels through the MPLS network over LSPs from the network ingress to the network egress. The LSP is determined by a sequence of labels, initiated at the ingress node. Packets that require
the same treatment for transport through the network are grouped into a forwarding equivalence class (FEC). The following figure shows a sample MPLS network.
The FECs are identified by the destination subnet of the packets to be forwarded. All packets in the same FEC use the same LSP to travel across the network. Packets are classified once, as they enter the network; all subsequent forwarding decisions are based on the FEC to which each packet belongs (that is, each label corresponds to a FEC).
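Each label in the stack is carried in a fixed 32-bit label stack entry (RFC 3032). The following sketch, using only the Python standard library, shows how that entry packs the 20-bit label, 3-bit EXP/traffic-class field, bottom-of-stack flag, and TTL; the function names are illustrative.

```python
import struct

def encode_label_entry(label: int, exp: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """Pack one 32-bit MPLS label stack entry (RFC 3032):
    20-bit label | 3-bit EXP | 1-bit bottom-of-stack | 8-bit TTL."""
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)

def decode_label_entry(data: bytes):
    """Unpack a 4-byte entry back into (label, exp, bottom, ttl)."""
    (word,) = struct.unpack("!I", data)
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF
```

For example, `decode_label_entry(encode_label_entry(17, exp=5, bottom=True, ttl=255))` returns the original four fields, which is a convenient way to sanity-check the bit layout.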
Within a VPN, there can be no overlapping addresses. However, if two VPNs have no common sites, they may have overlapping address spaces. To support this capability, the PE router must maintain separate routing and forwarding tables. To provide multiple independent IPv4 routing and forwarding tables, the Ethernet Routing Switch 8800/8600 supports a default routing instance (VRF0) and up to 255 Virtual Routing and Forwarding (VRF) instances (VRF1 to VRF255). The PE router maintains separate route tables for each VRF and isolates the traffic into distinct VPNs. Each VRF is associated with one customer and can connect to one or more CE devices, all belonging to that customer. As shown in the following figure, if the CE is a Layer 3 device, the VRF exchanges routes with the locally connected device using any suitable routing protocol (eBGP, OSPF, RIP, or static routes). If the CE is a Layer 2 switch, the customer routes are local (direct) routes configured directly on the relevant VRF of the PE node.
The PE nodes must exchange local VRF customer IPv4 routes with other remote PE nodes that are also configured with a VRF for the same customer (that is, the same IP VPN) while still ensuring that routes from different customers and IP VPNs are kept separate and any
identical IPv4 routes originating from two different customers can both be advertised and kept separate. This is achieved through iBGP peering between the PE nodes. These iBGP sessions are terminated on a single circuitless IP (CLIP) interface (belonging to the backbone Global Routing Table (GRT)) on the PE nodes. Because BGP runs over TCP, it can run directly between the PE nodes across the backbone (there is no BGP requirement on the P nodes). A full iBGP peering mesh is required between all PEs; to scale to a large number of PE devices, BGP route reflectors are recommended.

Upon receiving traffic from a CE router, the PE router performs a route lookup in the corresponding VRF route table. If there is a match in the VRF route table with a BGP next-hop entry, the PE router encapsulates the IP packet in an MPLS label stack consisting of an inner and an outer label. The inner VPN label is associated with the customer VPN. The BGP next hop is the circuitless IP (CLIP) address of the upstream PE router. The outer LDP tunnel label is used by the P routers to label switch the packet through the network to the appropriate upstream PE router. The P routers are unaware of the inner label. As shown in the following figure, upon receiving the packet, the upstream PE router removes the top LDP label and performs a lookup based on the VPN label to determine the outgoing interface associated with the corresponding VRF. The VPN label is removed and the packet is forwarded to the CE router.
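The two-label imposition at the ingress PE can be sketched as a pair of table lookups. The tables, labels, and addresses below are invented for illustration (they are not taken from a real device): the VRF table maps a customer prefix to its VPN label and BGP next hop, and a second table maps that next hop (the remote PE's CLIP) to the outer LDP tunnel label.

```python
# Illustrative data only: VRF tables, labels, and addresses are invented to
# show the two-label imposition, not read from a real switch.

vrf_route_table = {                      # per-VRF: prefix -> (VPN label, BGP next hop)
    "10.1.2.0/24": (1027, "192.0.2.1"),  # 192.0.2.1 = CLIP of the remote PE
}
ldp_label_for_fec = {                    # outer tunnel label toward each PE loopback (FEC)
    "192.0.2.1": 300,
}

def impose_labels(dest_prefix: str):
    """Return the stack [outer LDP label, inner VPN label] that the ingress PE
    pushes; P routers switch only on the outer label and never see the inner one."""
    vpn_label, next_hop = vrf_route_table[dest_prefix]
    return [ldp_label_for_fec[next_hop], vpn_label]
```

Here `impose_labels("10.1.2.0/24")` yields `[300, 1027]`: the egress PE pops 300 (or receives the packet after penultimate-hop popping) and uses 1027 to select the customer VRF.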
The VPN-IPv4 routes are distributed with MPLS labels, and MPLS label switched paths are used as the tunneling mechanism. Hence, all nodes in the network must support Label Distribution Protocol (LDP); in particular, Downstream Unsolicited mode must be supported for Ethernet interfaces. LDP does not perform explicit routing: it relies on the underlying IGP to determine the path between the various nodes in the network, so LDP-signaled LSPs follow the same path selected by the IGP.
Route distinguishers
PE routers use BGP to distribute VPN routes to other PE routers. BGP Multiprotocol Extensions (BGP-MP) allow BGP to carry routes from multiple address families, in this case VPN-IPv4 addresses. The BGP-MP address contains a 12-byte VPN-IPv4 address, which in turn contains an 8-byte Route Distinguisher (RD) and a 4-byte IPv4 address. The Route Distinguisher makes the IPv4 address globally unique. As a result, each VPN can be distinguished by its own RD, and the same IPv4 address space can be used over multiple VPNs. The following figure shows the VPN-IPv4 address.
The RD is configured on every VRF created on the PE nodes and must be configured such that no other VRF on any other PE in the backbone has the same value. RDs are encoded as part of the Network Layer Reachability Information (NLRI) in BGP Update messages. Note that the RD is simply a number that you configure. It provides a means to identify a PE node, which may contain one or more VRFs; it does not identify the origin of the route, nor does it specify the set of VPNs or VRFs to which the routes are distributed. Its sole purpose is to provide a mechanism to support distinct routes to a common IPv4 address prefix. By allowing different RDs to support the same IPv4 addresses, overlapping addresses are supported.
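The 8-byte RD plus 4-byte IPv4 prefix layout can be sketched with standard-library packing. This assumes the Type 1 RD wire format from RFC 4364 (2-byte type, 4-byte IPv4 administrator field, 2-byte assigned number); the helper names are illustrative.

```python
import socket
import struct

def rd_type1(ip: str, number: int) -> bytes:
    """Type 1 Route Distinguisher: 2-byte type field (1), 4-byte IPv4
    administrator field, 2-byte assigned number -- 8 bytes total."""
    return struct.pack("!H", 1) + socket.inet_aton(ip) + struct.pack("!H", number)

def vpn_ipv4(rd: bytes, prefix_ip: str) -> bytes:
    """12-byte VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4
    address, which is what makes overlapping customer prefixes unique to BGP."""
    return rd + socket.inet_aton(prefix_ip)
```

Two customers can then both advertise 10.1.2.0: `vpn_ipv4(rd_type1("192.0.2.1", 100), "10.1.2.0")` and `vpn_ipv4(rd_type1("192.0.2.2", 100), "10.1.2.0")` are distinct 12-byte values.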
Route targets
When a VPN-IPv4 route advertised from a PE router is learned by a given PE router, it is associated with one or more Route Target (RT) attributes. The RT, which is configured on the
PE router as either import, export, or both, is the glue that determines whether a customer VPN-IPv4 route advertised by one PE router can be accepted by another remote PE router, resulting in the formation of a logical end-to-end IP VPN. These routes are accepted by a remote PE provided the remote PE has a matching import RT configured on one of its VRFs.

A Route Target attribute can be thought of as identifying a set of sites, though it is more precise to think of it as identifying a set of VRFs. Each VRF instance is associated with one or more Route Target (RT) attributes. Associating a particular Route Target attribute with a route allows that route to be placed in the VRFs that are used for routing traffic among the sites in that VPN. Note that a route can have only one RD, but it can have multiple Route Targets. RTs also enhance PE scaling, because a given PE node only accepts VPN-IPv4 routes for which it has local VRFs belonging to that IP VPN; any other VPN-IPv4 routes are not accepted.

Each VPN-IPv4 route carries a route target extended community that is advertised or exported according to the PE router export policy. Any PE router in the network configured with a matching route target in its import policy imports the route for that particular VRF. RTs must be configured to be unique for each IP VPN. Because each VRF can be configured with any number of RTs (as import, export, or both), each VRF can be part of any number of overlapping IP VPNs. RTs can also be exploited to achieve a number of different IP VPN topologies, from any-to-any (meshed), where all VRFs in the same IP VPN have the same import and export RT, to hub and spoke topologies, where the hub nodes use one export RT (configured as the import RT on spokes) and a different import RT (configured as the export RT on the spokes). Topologies with multiple hub sites can also be achieved.
In terms of configuration, both the RD and the RT use the same format and are usually configured in the same VRF context on the PE device. The route target frame format is identical to that of the route distinguisher, as shown in Figure 119: VPN-IPv4 Address on page 257.
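The import/export matching rule described above reduces to a set intersection, which is enough to show how RT assignment produces both meshed and hub-and-spoke topologies. The RT values and VRF definitions below are invented for illustration.

```python
# Hypothetical VRF definitions showing how import/export Route Targets shape
# the VPN topology; the RT values ("100:1", etc.) are invented.

def accepts(route_export_rts: set, vrf_import_rts: set) -> bool:
    """A PE imports a VPN-IPv4 route into a VRF if any RT attached to the
    route matches one of the VRF's import RTs."""
    return bool(route_export_rts & vrf_import_rts)

# Any-to-any (full mesh): every VRF imports and exports the same RT.
mesh_vrf = {"import": {"100:1"}, "export": {"100:1"}}
assert accepts(mesh_vrf["export"], mesh_vrf["import"])

# Hub and spoke: spokes export 100:11 (the hub's import RT) and import
# 100:10 (the hub's export RT), so spokes never import each other's routes.
hub   = {"import": {"100:11"}, "export": {"100:10"}}
spoke = {"import": {"100:10"}, "export": {"100:11"}}
assert accepts(spoke["export"], hub["import"])        # hub learns spoke routes
assert accepts(hub["export"], spoke["import"])        # spokes learn hub routes
assert not accepts(spoke["export"], spoke["import"])  # spoke-to-spoke blocked
```

Adding a second RT to a VRF's import set is all it takes to place that VRF in an additional, overlapping IP VPN.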
IP VPN prerequisites
Before you use IP VPN:
- Choose an Interior Gateway Protocol: OSPF and RIP are supported.
- Choose a Route Distinguisher (RD): a unique RD per VRF is supported.
- Select an access topology and an access routing protocol (static routes, RIP, OSPF, eBGP, or a mix of these), and provide provider edge to customer edge router addressing.
- Define site backup and resiliency options (for example, dual access lines to a single provider edge (PE) router, dual access lines with dual PEs, or dual access lines with two CEs and two PEs).
- Set up an Autonomous System Number (ASN). ASNs are usually allocated by service providers for customers that need to connect to the provider edge router using eBGP.
MPLS interoperability
The Avaya Ethernet Routing Switch 8800/8600 MPLS implementation has been verified with:
- Cisco 7500 (with RSVP; the Cisco router cannot function as the RSVP egress LER when used with the Ethernet Routing Switch 8800/8600)
- Juniper M10
IP VPN Lite
With Avaya IP VPN-Lite, the Avaya Ethernet Routing Switch 8800/8600 can provide a framework for delivering RFC 4364 IP VPNs over an IP backbone, rather than over MPLS. For data plane packet forwarding across the backbone, RFC 4364 defines an implementation based on MPLS, where the backbone must be MPLS capable and a full mesh of MPLS Label Switched Paths (LSPs) must already be in place between the PE nodes. While still leveraging the identical RFC 4364 framework at the control plane level, Avaya IP VPN-Lite delivers the same IP VPN capabilities over an IP routed backbone using simple IP-in-IP encapsulation, with no requirement for MPLS and the complexities involved in running and maintaining an MPLS backbone.

With IP VPN-Lite, a second Circuitless IP (CLIP) address is configured on the PE nodes (in the backbone GRT, and re-advertised across the backbone by the IGP). This second CLIP address provides address space for the outer header of the IP-in-IP encapsulation for all IP VPN packets terminating at and originating from the PE. This second circuitless address is therefore ideally configured as a network route (in other words, not as a 32-bit-mask host route) with enough address space to accommodate every VRF configured on the PE; a 24-bit mask provides sufficient address space for 252 VRFs. Furthermore, as these networks only need to
be routed within the provider backbone and no further, public address space can be used. When this second CLIP address is configured, it must also be enabled for IP VPN services.

With Avaya IP VPN-Lite, the RD conveys one extra piece of information over and above its intended use within the RFC 4364 framework. In the RFC, the only purpose of the RD is to ensure that identical IPv4 routes from different customers are rendered unique so that BGP can treat them as separate VPN-IPv4 routes. With IP VPN-Lite, the RD is also used to advertise to remote PE devices which IP address to use as the outer IP-in-IP encapsulation address when those remote PE devices deliver a customer packet over the IP VPN back to the PE node that owns the destination route to which the packet is addressed. Therefore, when you configure the RD for IP VPN-Lite, the RD must always use the Type 1 format (IPaddress:number), and the IP address configured in the RD must allocate one host IP address, defined by the second CLIP interface, for each VRF on the PE. Again, the RD must still be configured to ensure that no other VRF on any other PE has the same RD. In the following figure, the second CLIP interface is configured as a private address with a 24-bit mask, where the third octet identifies the PE node ID and the fourth octet (the host portion) identifies the VRF on that PE node. The number following the IP address is then simply allocated to uniquely identify the VPN ID.
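The IP VPN-Lite convention above can be sketched in a few lines: the IP-address part of the Type 1 RD doubles as the outer IP-in-IP destination for the VRF. The addresses and RD value below are invented to match the addressing scheme described for the figure (third octet = PE node ID, fourth octet = VRF).

```python
# Sketch of the IP VPN-Lite convention described above; the RD value and
# addresses are invented for illustration.

def outer_encap_address(rd: str) -> str:
    """Given a Type 1 RD in 'IPaddress:number' form, return the host address
    that a remote PE uses as the outer destination for IP-in-IP delivery."""
    ip, _, vpn_id = rd.rpartition(":")
    return ip

# PE node-id 3, VRF 5 on that node; '101' uniquely identifies the VPN.
assert outer_encap_address("10.0.3.5:101") == "10.0.3.5"
```

Because every remote PE learns the RD with the route via BGP, no extra signaling is needed to discover the encapsulation address.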
IP VPN-Lite can therefore easily be deployed on any enterprise's existing IP routed network and automatically leverage the existing backbone architecture in terms of load balancing and subsecond failover resiliency. While MPLS struggles to achieve these goals, and only does so by introducing considerable complexity, Avaya IP VPN-Lite can simply leverage these capabilities from either a pure IP OSPF routed core where ECMP is enabled, or a network core designed with Avaya SMLT/RSMLT clustering. Furthermore, PEs can just as easily be deployed with SMLT clustering towards the CE edge devices, thus delivering a very attractive clustered PE solution. This is achievable whether the CE is a Layer 2 device (using SMLT clustering) or a Layer 3 device (where the SMLT cluster needs to be RSMLT enabled).
Overall, IP VPN-Lite provides support for the following:
- 256 VPNs per system
- filtering support (UNI side)
- overlapping addresses
- MP-BGP extensions
- BGP route refresh
- BGP route reflection
- peering to multiple route reflectors
- route reflection server (NNI side)
- full mesh and hub and spoke designs
- extended community Type 0 and Type 1
- import and export route targets and route distinguishers
- IP-BGP extensions
- IEEE 802.3ad/MLT
- Split MultiLink Trunking (SMLT) and Routed Split MultiLink Trunking (RSMLT) for CE connectivity
- ECMP
- VRF-based ping and traceroute
- UNI packet classification (port, VLAN, IP, VRF, and VPN)
- VRF UNI routing protocols (RIP, OSPF, eBGP)

An IP VPN-Lite PE device provides four functions:
- an IGP, such as OSPF, across the core network to connect remote PE devices
- VRFs to provide traffic separation
- MP-BGP to exchange VPN routes and service IP addresses with remote PE devices
- the forwarding plane to encapsulate the customer IP packet in the service IP header
SMLT design
To meet the design requirements, an Avaya Ethernet Routing Switch 8800/8600 is deployed at each site. As shown in the following figure, the five Ethernet Routing Switch 8800/8600s are interconnected using 10 Gigabit Ethernet links in an SMLT cluster configuration. The Ethernet Routing Switch 8800/8600s in the two main sites, which provide Internet connectivity to the network, are the SMLT cluster nodes (which logically act as one switch) and are interconnected by a DMLT IST connection. The remaining sites are connected as SMLT edge devices using an SMLT triangle topology. VLACP is enabled on all links, using long timers on IST links and short timers on SMLT links. Traffic reaches any remote site in at most two hops, and in some cases only one hop.
With Avaya's advanced packet processor architecture, the Avaya Ethernet Routing Switch 8800/8600 always switches all traffic flows in hardware, including the IP VPN traffic used in this design. This means that if a nonblocking 10 Gigabit hardware configuration is used (for example, using 8683XLR or 8683XZR 3-port 10GBASE-X LAN/WAN XFP modules), then full 10 Gigabit bandwidth and extremely low latency are available from site to site. Furthermore, if 10 Gigabit later becomes insufficient between any sites, you can increase the bandwidth in this design by adding 10 Gigabit links to the existing MLTs. Important: To support the VRF and IP VPN functionality used in this design, you must equip the Avaya Ethernet Routing Switch 8800/8600 with R or RS I/O modules, an 8692 SF/CPU with SuperMezzanine daughter card or an 8895 SF/CPU, and the Premium Software License.
Routing Switch 8800/8600 SMLT edge switches that require the VLANs. In this example, VLAN 12 is added to the SMLT IST cluster switches at sites 1 and 2 and then added at Sites 3 and 5. At sites 2, 3 and 5, Layer 2 VLAN 12 is also configured on one or more edge facing interfaces.
Figure 124: Layer 2 VPN example: VLAN ID 12 dropped off at sites 2, 3, and 5
As part of best design guidelines, do not use VLAN ID 1 (the default VLAN).
Figure 125: GRT IGP VLAN running OSPF and full mesh of IBGP peerings
Each Avaya Ethernet Routing Switch 8800/8600 is configured with a Circuitless IP (CLIP) host address using a 32-bit mask. From these CLIP interfaces, a full mesh of iBGP peerings is configured between the Ethernet Routing Switch 8800/8600s in each site. The iBGP peerings are enabled for VPNv4 and IP VPN-Lite capability and are used to populate the IP routing tables within the VRF instances that terminate the Layer 3 VPNs. To support a larger number of sites, Avaya recommends the use of BGP route reflectors. This can be accomplished by making the Ethernet Routing Switch 8800/8600s at site 1 and site 2 redundant route reflectors and every other site a route reflector client.
belong to one or more Layer 3 VPNs. This configuration is done by assigning an appropriate Route Distinguisher (RD) and import and export Route Targets (RT) to the VRF IP VPN configuration. The end result is that BGP automatically installs remote IP routes from remote VRFs belonging to the same VPN into the local VRF, and vice versa. Furthermore, each Layer 3 VPN can be created as any-to-any, hub-spoke, or multihub-spoke by simple manipulation of the import and export RTs, as per the RFC 4364 framework.
For more information, see IP VPN-Lite for Ethernet Routing Switch 8800/8600 Technical Configuration Guide, NN48500-562.
Layer 1 examples
The following figures are a series of Layer 1 examples that illustrate the physical network layout.
Layer 2 examples
The following figures are a series of Layer 2 network design examples that map VLANs over the physical network layout. Example 1 shows a redundant device network that uses one VLAN for all switches. To support multiple VLANs, 802.1Q tagging is required on the trunk links.
Example 2 depicts a redundant network using Split MultiLink Trunking (SMLT). This layout does not require the use of Spanning Tree Protocol: SMLT prevents loops and ensures that all paths are actively used. Each wiring closet (WC) can have up to 8 Gbit/s access to the core. This SMLT configuration example is based on a three-stage network.
In Example 3, a typical SMLT ID setup is shown. Because SMLT is part of MLT, all SMLT links have an MLT ID. The SMLT and MLT ID can be the same, but this is not necessary.
Layer 3 examples
The following figures are a series of Layer 3 network design examples that show the routing instances that Avaya recommends you use to optimize IP for network redundancy.
RSMLT redundant network with bridged and routed VLANs in the core
In some networks, you may need or want to span a VLAN through the core of the network (for example, a VoIP VLAN or a guest VLAN) while routing other VLANs to reduce the amount of broadcasts or to provide separation. The following figure shows a redundant network design that can perform these functions.
In this figure, VLAN 10 spans the complete campus network, whereas VLANs 20, 30, 70, and 80 are routed at the wiring closet. VLANs 40, 50, and 60 are core VLANs with RSMLT enabled. These VLANs and their IP subnets provide subsecond failover for the routed edge VLANs. You
can use Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP) to exchange routing information. RSMLT and its protection mechanisms prevent the routing protocol convergence time from impacting network convergence time.

All client stations that are members of a VLAN receive every broadcast packet. Each station analyzes each broadcast packet to decide whether the packet is destined for itself or for another node in the VLAN. Typical broadcast packets are Address Resolution Protocol (ARP) requests, RIP updates, NetBIOS broadcasts, and Dynamic Host Configuration Protocol (DHCP) requests. Broadcasts increase the CPU load of devices in the VLAN. To reduce this load, and to lower the impact of a broadcast storm (potentially introduced through a network loop), keep the number of members in a VLAN/IP subnet below 512 (although more clients per VLAN/IP subnet are possible). Then, use Layer 3 routing to connect the VLANs/IP subnets.

You can enable IP routing at the wiring-closet access layer in networks where many users connect to wiring closets. Most late-model high-end access switches support Layer 3 routing in hardware. To reduce network convergence time after a failure in a network with multiple IP client stations, Avaya recommends that you distribute the ARP requests-per-second load across multiple IP routers/switches. Enabling routing at the access layer distributes the ARP load, which reduces the IP subnet sizes. Figure 138: Redundant network design on page 282 shows how to enable routing at the access layer while keeping the routing protocol design robust and simple.
Navigation
- DoS protection mechanisms on page 285
- Damage prevention on page 288
- Security and redundancy on page 291
- Data plane security on page 292
- Control plane security on page 298
- For more information on page 308
Network security
- CP-Limit recommendations on page 286
- ARP request threshold recommendations on page 288
- Multicast Learning Limitation on page 288
CP-Limit recommendations
CP-Limit protects the CPU from overload caused by excessive multicast or broadcast control or exception traffic, ensuring that broadcast storms do not impact the stability of the system.
By default, CP-Limit protects the CPU from receiving more than 14 000 broadcast or multicast control or exception packets per second for a duration that exceeds 2 seconds. You can disable CP-Limit, or you can configure the number of broadcast and/or multicast control or exception frames per second that are allowed to reach the CPU before the responsible interface is blocked and disabled. Based on your environment (severe corresponds to a high-risk environment), the recommended values are shown in the following table. Table 29: CP Limit recommended values
                                 8895 SF/CPU             8692 SF/CPU with SuperMezz
                                 Broadcast   Multicast   Broadcast   Multicast
Severe
  Workstation (PC)               1000        1000        1000        1000
  Server                         2500        2500        2500        2500
  Non-IST Interconnection        7500        6000        3000        3000
Moderate
  Workstation (PC)               2500        2500        2500        2500
  Server                         5000        5000        3000        3000
  Non-IST Interconnection        9000        9000        3000        3000
Relaxed
  Workstation (PC)               4000        4000        3000        3000
  Server                         7000        7000        3000        3000
  Non-IST Interconnection        10 000      10 000      3000        3000
Important: The 8692 SF/CPU with SuperMezz requires additional processing to send control packets from the CP to the SuperMezz and to program any hardware records in the I/O modules. Both operations now require an additional hop because they require CP involvement. To accommodate this additional processing, you must use the cp-limit broadcast-limit <value> and cp-limit multicast-limit <value> commands to lower the broadcast and multicast thresholds to 3000 packets per second.
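The default CP-Limit behavior described above (a port is disabled when the control/exception packet rate exceeds the threshold for longer than the sustain window) can be modeled as follows. The function and parameter names are invented for illustration; the defaults reflect the documented 14 000 packets-per-second threshold over 2 seconds.

```python
# Simplified model of CP-Limit: if the control/exception packet rate stays
# over the threshold for longer than the sustain window, the interface is
# disabled. Names are invented; defaults mirror the documented behavior.

def port_disabled(pps_samples, threshold=14000, sustain_seconds=2) -> bool:
    """pps_samples: one packets-per-second reading per second. The port is
    disabled once more than 'sustain_seconds' consecutive samples exceed
    the threshold."""
    consecutive_over = 0
    for pps in pps_samples:
        consecutive_over = consecutive_over + 1 if pps > threshold else 0
        if consecutive_over > sustain_seconds:
            return True
    return False

assert port_disabled([20000, 20000, 20000])         # sustained storm: disabled
assert not port_disabled([20000, 500, 20000, 500])  # brief bursts: tolerated
```

Lowering the threshold (as the recommended values in the table do for workstation and server ports) disables a misbehaving port sooner at the cost of tripping on smaller bursts.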
Damage prevention
To further reduce the chance that your network can be used to damage other existing networks, take the following actions: Prevent IP spoofing.
You can use the spoof-detect feature. Prevent your network from being used as a broadcast amplification site. Enable the hsecure flag (High Secure mode) to block illegal IP addresses. For more information, see High Secure mode on page 290 or Avaya Ethernet Routing Switch 8800/8600 Security, NN46205-601.
Packet spoofing
You can stop spoofed IP packets by configuring the switch to forward only IP packets that contain a correct source IP address for your network. By denying all invalid source IP addresses, you minimize the chance that your network is the source of a spoofed DoS attack. A spoofed packet is one that comes from the Internet into your network with a source address that belongs to one of the address blocks or subnets used inside your network. To provide spoofing protection, you can use a filter that examines the source address of all outside packets; if that address belongs to an internal network or a firewall, the packet is dropped. To prevent DoS attack packets that leave your network with valid source addresses, you need to know the IP network blocks that are in use. You can create a generic filter that:
- permits valid source addresses
- denies all other source addresses
To do so, configure an ingress filter that drops all outside traffic whose source address belongs to your network. If you do not know the address space completely, it is important that you at least deny private (see RFC 1918) and reserved source IP addresses. The following table lists the source addresses to filter.
- 10.0.0.0/8
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.2.0/24
- 192.168.0.0/16
- 224.0.0.0/4
- 240.0.0.0/5
- 248.0.0.0/5
- 255.255.255.255/32
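The filtering logic for this address list can be sketched with Python's standard `ipaddress` module. This is for illustration only; a real deployment uses the switch's filter/ACT mechanism, not host-side code.

```python
import ipaddress

# The reserved/private blocks from the table above, which should never appear
# as source addresses on traffic arriving from outside the network.
BOGON_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/5",
    "248.0.0.0/5", "255.255.255.255/32",
)]

def should_drop(source_ip: str) -> bool:
    """True if a packet with this source address should be dropped at ingress."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in BOGON_BLOCKS)

assert should_drop("192.168.1.10")      # private source: drop
assert not should_drop("198.51.100.7")  # ordinary public source: forward
```

The same check, inverted, models the egress case: permit only sources inside your own blocks and deny everything else.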
You can also enable the spoof-detect feature on a port. For more information about the spoof-detect feature, see Avaya Ethernet Routing Switch 8800/8600 Configuration VLANs and Spanning Tree, NN46205-517. You can also use the predefined Access Control Template (ACT) for ARP spoof detection. For more information about this ACT, see Avaya Ethernet Routing Switch 8800/8600 Configuration QoS and IP Filtering for R and RS Modules, NN46205-507.
Spanning Tree Groups (STPG), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). With BPDU Filtering, the network administrator can achieve the following:
- Block an unwanted root selection process when an edge device (for example, a laptop running Linux and enabled with STP) is added to the network. This prevents unknown devices from influencing an existing spanning tree topology.
- Block the flooding of BPDUs from an unknown device.
When a port has BPDU Filtering enabled and the port receives an STP BPDU, the following actions take place:
- The port is immediately put in the operational disabled state.
- A trap is generated, and the following log message is written to the log: Ethernet <x> is shut down by BPDU Filter
- The port timer starts.
- The port stays in the operational disabled state until the port timer expires.
If you disable the timer or reset the switch before the timer expires, the port remains in the disabled state. Similarly, if you disable BPDU Filtering while the timer is running, the timer stops and the port remains in the disabled state; you must then manually enable the port to return it to normal mode. The STP BPDU Filtering feature is not supported on MLT/IST/SMLT/RSMLT ports. For more information about BPDU Filtering, see Avaya Ethernet Routing Switch 8800/8600 Configuration VLANs and Spanning Tree, NN46205-517.
- unicast dynamic routing protocols (RIPv1, RIPv2, OSPF, BGP-4)
- multicast dynamic routing protocols (DVMRP, PIM-SM, PIM-SSM)
- distribution of routing traffic along multiple paths (ECMP)
- router redundancy (VRRP)
For a review of various security attacks that can occur in a Layer 2 network, and their solutions, see the Layer 2 Security Solutions for ES and ERS Switches Technical Configuration Guide. This document is available on the Avaya Technical Support Web site in the Ethernet Routing Switch 8800/8600 documentation.
EAP
To protect the network from inside threats, the switch supports the 802.1x standard. EAP separates user authentication from device authentication. If EAP is enabled, end users must log on securely to the network before obtaining access to any resources.
configure them on a per-port basis. This adds additional security based on a logon and password. The Avaya Optivity Policy Server supports 802.1x EAP authentication against RADIUS and other authentication, authorization, and accounting (AAA) repositories. This support helps authenticate the user, grants access to specific applications, and provides real-time policy provisioning capabilities to mitigate the penetration of unsecured devices. The following figure shows the interaction between 802.1x and Optivity Policy Server. First, the user initiates a logon from a user access point and receives an EAP Request/Identity message from the switch (EAP access point). The user is presented with a network logon. Prior to DHCP, the user does not have network access because the EAP access point port is in EAP blocking mode. The user provides user name and password credentials to the EAP access point through Extensible Authentication Protocol over LAN (EAPoL). The client PC is considered both a RADIUS peer user and an EAP supplicant.
Software support is included for the Preside (Funk) and Microsoft IAS RADIUS servers. Additional RADIUS servers that support the EAP standard should also be compatible with the Avaya Ethernet Routing Switch 8800/8600. For more information, contact your Avaya representative.
DHCP snooping
Dynamic Host Configuration Protocol (DHCP) snooping provides security to the network by preventing DHCP spoofing. DHCP spoofing refers to an attacker's ability to respond to DHCP requests with false IP information. DHCP snooping acts like a firewall between untrusted hosts and the DHCP servers so that DHCP spoofing cannot occur. The following figure shows a simplified DHCP snooping topology.
DHCP snooping classifies ports into two types:
- Untrusted: ports that are configured to receive messages from outside the network or firewall. Only DHCP requests are allowed.
- Trusted: ports, such as switch-to-switch and DHCP server ports, that are configured to receive messages only from within the network. All types of DHCP messages are allowed.
To eliminate the capability to set up rogue DHCP servers on untrusted ports, the untrusted ports allow DHCP request packets only. DHCP replies and all other types of DHCP messages from untrusted ports are dropped.
DHCP snooping verifies the source of DHCP packets as follows:
- When the switch receives a DHCP request on an untrusted port, DHCP snooping compares the source MAC address and the DHCP client hardware address. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.
- When the switch receives a DHCP release or DHCP decline broadcast message from a client, DHCP snooping verifies that the port on which the message was received matches the port information for the client MAC address in the DHCP binding table. If the port information matches, the switch forwards the DHCP packet.
DHCP snooping supports MLT/SMLT ports as trusted ports only.
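As a rough sketch, the verification rules above reduce to a small decision function. The Python below is purely illustrative (message types and field names are simplified stand-ins, not a switch API):

```python
def dhcp_snoop_forward(port_trusted, msg_type, src_mac, client_hw_addr,
                       ingress_port, binding_port):
    """Return True if DHCP snooping forwards the message, False if it drops it."""
    if port_trusted:
        # Trusted ports accept all DHCP message types.
        return True
    if msg_type == "request":
        # On untrusted ports, the source MAC must match the client hardware address.
        return src_mac == client_hw_addr
    if msg_type in ("release", "decline"):
        # The ingress port must match the binding-table entry for the client MAC.
        return binding_port is not None and ingress_port == binding_port
    # Replies and all other DHCP messages from untrusted ports are dropped.
    return False
```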
DHCP snooping dynamically creates and maintains a binding table gathered from DHCP requests and replies. The MAC address from the DHCP request is paired with the IP address from the DHCP reply to create an entry in the DHCP binding table. When you enable Dynamic ARP inspection, ARP packets on untrusted ports are filtered based on the source MAC and IP addresses. The switch forwards an ARP packet when the source MAC and IP addresses match an entry in the address binding table. Otherwise, the ARP packet is dropped. Like DHCP snooping, Dynamic ARP Inspection supports MLT/SMLT ports as trusted ports only. For more information about Dynamic ARP Inspection, see Avaya Ethernet Routing Switch 8800/8600 Security (NN46205-601).
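In outline, the Dynamic ARP Inspection rule is a lookup against the DHCP binding table described above. This Python fragment is a simplified illustration only (the binding table is modeled as a dict; real bindings also carry VLAN, port, and lease information):

```python
# DHCP binding table modeled as a set of (MAC, IP) pairs; entries are
# created from snooped DHCP request/reply exchanges.
bindings = {("00:1b:25:aa:bb:cc", "10.1.1.50")}

def arp_inspect_forward(trusted, src_mac, src_ip):
    """Forward an ARP packet only if its source MAC/IP pair has a binding."""
    if trusted:
        return True  # trusted ports are not inspected
    return (src_mac, src_ip) in bindings
```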
IP Source Guard
IP Source Guard is a security feature that validates IP packets by intercepting IP packets with invalid IP-to-MAC bindings. IP Source Guard works closely with DHCP snooping and prevents IP spoofing by allowing only IP addresses that are obtained through DHCP on a particular port. Initially, all IP traffic on the port is blocked except for the DHCP packets that are captured by DHCP snooping. When a client receives a valid IP address from the DHCP server, traffic on the port is permitted when the source IP and MAC addresses match a DHCP binding table entry for the port. Any IP traffic that does not match an entry in the DHCP binding table is filtered out. This filtering limits the ability of a host to attack the network by claiming a neighbor host's IP address. Important: For IP Source Guard to function, you must enable DHCP snooping and Dynamic ARP Inspection globally and at the VLAN level. To enable IP Source Guard on a port, the port must be configured as untrusted for DHCP snooping and untrusted for Dynamic ARP Inspection. IP Source Guard cannot be enabled on MLT/SMLT ports. For more information about IP Source Guard, see Avaya Ethernet Routing Switch 8800/8600 Security (NN46205-601).
Security at layer 2
At Layer 2, the Avaya Ethernet Routing Switch 8800/8600 provides the following security mechanisms: Filters
The Avaya Ethernet Routing Switch 8800/8600 provides Layer 2 filtering based on the MAC destination and source addresses. This is available per-VLAN.
Global MAC filters
This feature eliminates the need for you to configure multiple per-VLAN filter records for the same MAC address. By using a Global MAC filter, you can discard ingress MAC addresses that match a global list stored in the switch. You can also apply global MAC filtering to any multicast MAC address. However, you cannot apply it to Local, Broadcast, BPDU MAC, TDP MAC, or All-Zeroes MAC addresses. After a MAC address is added to this global list, it cannot be configured statically or learned on any VLAN. In addition, no bridging or routing is performed on packets to or from this MAC address on any VLAN. For more information and configuration examples, see Release Notes for the Ethernet Routing Switch 8800/8600 Release 3.5.2. For more information about the Layer 2 MAC filter, see Avaya Ethernet Routing Switch 8800/8600 Configuration IP Multicast Routing Protocols, NN46205-501.
Unknown MAC Discard
Unknown MAC Discard secures the network by learning allowed MAC addresses during a certain time interval. The switch locks these learned MAC addresses in the forwarding database (FDB) and does not accept any new MAC addresses on the port.
Limited MAC learning
This feature limits the number of FDB entries learned on a particular port to a user-specified value. After the number of learned FDB entries reaches the maximum limit, the switch drops packets with unknown source MAC addresses. If the count drops below a configured minimum value due to FDB aging, learning is re-enabled on the port. You can configure various actions, such as logging, sending traps, and disabling the port, when the number of FDB entries reaches the configured maximum limit. For more information and configuration examples, see the Release Notes for the Ethernet Routing Switch 8800/8600 Release 3.5.2.
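The limited MAC learning behavior can be sketched as a bounded learning table with maximum and minimum watermarks. The following Python model is illustrative only (the class and method names are invented; the real feature is configured on the switch, not programmed):

```python
class MacLearningLimiter:
    """Toy model of per-port limited MAC learning with max/min watermarks."""

    def __init__(self, max_limit, min_limit):
        self.max_limit = max_limit
        self.min_limit = min_limit
        self.fdb = set()          # learned MAC addresses on this port
        self.learning = True

    def receive(self, src_mac):
        """Return True if the frame is forwarded, False if dropped."""
        if src_mac in self.fdb:
            return True
        if not self.learning:
            return False          # unknown source MACs are dropped
        self.fdb.add(src_mac)
        if len(self.fdb) >= self.max_limit:
            self.learning = False # maximum limit reached: stop learning
        return True

    def age_out(self, mac):
        """Model FDB aging removing an entry."""
        self.fdb.discard(mac)
        if len(self.fdb) < self.min_limit:
            self.learning = True  # count fell below minimum: learn again
```

The model omits the configurable actions (logging, traps, port disable) the text mentions; it only shows the learn/drop/re-enable cycle.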
Customer Support Bulletins (CSBs) are available on the Avaya Technical Support Web site to provide information and configuration examples about how to block some attacks.
RADIUS authentication on page 302
TACACS+ on page 304
Encryption of control plane traffic on page 305
SNMP header network address on page 306
SNMPv3 support on page 307
Other security equipment on page 307
Management port
The Avaya Ethernet Routing Switch 8800/8600 provides an isolated management port on the switch fabric/CPU. This separates user traffic from management traffic in highly sensitive environments, such as brokerages and insurance agencies. By using this dedicated network (see the following figure) to manage the switches, and by configuring access policies (when routing is enabled), you can manage the switch in a secure fashion.
You can also use terminal servers or modems to access the console and modem ports on the switch (see the following figure).
When you must be able to access the switch at all times, Avaya recommends that you use this configuration. The switch is always reachable, even if an issue occurs with the in-band network management interface. Important: Connecting the Out-of-Band (OOB) Ethernet Management port to an In-Band I/O port is not recommended, because erroneous behavior on the network, such as a loop, can cause issues with the operation of the SF/CPU module. The most common issues seen are a loss of file management and an inability to access the /pcmcia directory. To clear the condition, you must reboot or reset the SF/CPU. To maintain a true OOB management network, do not include the switch In-Band I/O ports as part of the management network design. Rather than connecting the OOB port to an In-Band I/O port, you can achieve the same functionality by creating a management VLAN and assigning a management IP address to the VLAN.
Access level: Description
Read-Only: Use this level to view switch configuration and status information and change only physical port parameters.
Layer 2 Read-Write: Use this level to view and edit device settings related to Layer 2 (bridging) functionality. The Layer 3 settings (such as OSPF and DHCP) are not accessible. You cannot change the security and password settings.
Layer 3 Read-Write: Use this level to view and edit device settings related to Layer 2 (bridging) and Layer 3 (routing). You cannot change the security and password settings.
Read-Write: Use this level to view and edit most device settings. You cannot change the security and password settings.
Read-Write-All: Use this level to do everything. You have all the privileges of read-write access and the ability to change the security settings. The security settings include access passwords and the Web-based management user names and passwords. Read-Write-All (RWA) is the only level from which you can modify user names, passwords, and SNMP community strings, with the exception of the RWA community string, which cannot be changed.
ssladmin: Use this level to connect to and configure the SAM (SSL Acceleration Module). ssladmin users are granted a broad range of rights that incorporate Ethernet Routing Switch 8800/8600 read/write access. Users with ssladmin access can also add, delete, or modify all configurations.
the network, you can build a full Layer 3 routed network and securely manage the switch with any of the in-band IP addresses attached to any one of the VLANs (see the following figure).
Avaya recommends that you use access policies for in-band management when securing access to the switch. By default, all services are accessible by all networks.
RADIUS authentication
You can enforce access control by using RADIUS (Remote Authentication Dial-in User Service). RADIUS is designed to provide a high degree of security against unauthorized access and to centralize the knowledge of security access based on a client/server architecture. The database within the RADIUS server stores pertinent client information, user information, passwords, and access privileges, including the use of the shared secret. When the switch acts as a Network Access Server, it operates as a RADIUS client. The switch is responsible for passing user information to the designated RADIUS servers. Because the switch operates in a LAN environment, it allows user access through Telnet, rlogin, and console logon. You can configure a list of up to 10 RADIUS servers on the client. If the first server is unavailable, the Avaya Ethernet Routing Switch 8800/8600 tries the second, and then attempts each server in sequence until it establishes a successful connection.
You can use the RADIUS server as a proxy for stronger authentication (see the following figure), such as:
- SecurID cards
- KERBEROS
- other systems like TACACS/TACACS+
You must tell each RADIUS client how to contact its RADIUS server. When you configure a client to work with a RADIUS server, be sure to:
- Enable RADIUS.
- Provide the IP address of the RADIUS server.
- Ensure the shared secret matches what is defined in the RADIUS server.
- Provide the attribute value.
- Indicate the order of priority in which the RADIUS server is used. (Order is essential when more than one RADIUS server exists in the network.)
- Specify the UDP port that is used by the client and the server during the authentication process. The client and the server must use the same UDP port value. For example, if you configure the server with UDP port 1812, the client must also use UDP port 1812.
Other customizable RADIUS parameters, such as the switch timeout and retry values, require careful planning and consideration on your part. Use the switch timeout to define the number of seconds before the authentication request expires. Use the retry parameter to indicate the number of retries the server accepts before sending an authentication request failure. Avaya recommends that you use the default value in the attribute-identifier field. If you change the default value, you must alter the dictionary on the RADIUS server with the new value. To configure the RADIUS feature, you require Read-Write-All access to the switch. For more information about RADIUS, see Avaya Ethernet Routing Switch 8800/8600 Security, NN46205-601.
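The server-priority behavior described above, where the client tries each configured server in order until one answers, can be sketched as follows. This Python fragment is illustrative only; try_authenticate stands in for a real RADIUS exchange and is not a switch or library API:

```python
def authenticate(servers, credentials, try_authenticate):
    """Try up to 10 RADIUS servers in priority order; return the first
    definitive answer, or None if no server is reachable."""
    for server in servers[:10]:          # the client supports up to 10 servers
        result = try_authenticate(server, credentials)
        if result is not None:           # server reachable: accept or reject
            return result
    return None                          # all configured servers unreachable
```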
TACACS+
Terminal Access Controller Access Control System (TACACS+) is a security application implemented as a client/server-based protocol that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides management of users who want to access a device through any of the management channels: Telnet, console, rlogin, SSHv1/v2, and Web management. TACACS+ also provides management of PPP user connections. PPP provides its own authentication protocols, with no authorization stage. TACACS+ supports PPP authentication protocols, but moves the authentication from the local router to the TACACS+ server. Similar to the RADIUS protocol, TACACS+ provides the ability to centrally manage the users who want to access remote devices. TACACS+ differs from RADIUS in two important ways:
- TACACS+ is a TCP-based protocol.
- TACACS+ uses full packet encryption, rather than encrypting only the password (as in a RADIUS authentication request).
Important: TACACS+ encrypts the entire body of the packet but uses a standard TACACS+ header.
TACACS+ provides separate authentication, authorization, and accounting services. During the logon process, the TACACS+ client initiates the TACACS+ authentication session with the server. The authentication session provides username/password functionality. After successful authentication, if TACACS+ authorization is enabled, the TACACS+ client initiates the TACACS+ authorization session with the server (see the following figure). The authorization session provides access level functionality, which enables you to limit the switch commands available to a user. The transition from TACACS+ authentication to the authorization phase is transparent to the user.
After successful authentication, if TACACS+ accounting is enabled, the TACACS+ client sends accounting information to the TACACS+ server. When accounting is enabled, the NAS reports user activity to the TACACS+ server in the form of accounting records. Each accounting record contains accounting AV pairs. The accounting records are stored on the security server. The accounting data can then be analyzed for network management and auditing. The Avaya Ethernet Routing Switch 8800/8600 supports eight users logged in to the chassis simultaneously with TACACS+. For more information about TACACS+, see Avaya Ethernet Routing Switch 8800/8600 Security, NN46205-601.
SSHv1/v2
SSH is used to conduct secure communications over a network between a server and a client. The switch supports only the server mode (supply an external client to establish communication). The server mode supports SSHv1 and SSHv2. The SSH protocol offers:
- Authentication: SSH determines identities. During the logon process, the SSH client asks for a digital proof of the identity of the user.
- Encryption: SSH uses encryption algorithms to scramble data. This data is rendered unintelligible except to the intended receiver.
- Integrity: SSH guarantees that data is transmitted from the sender to the receiver without any alteration. If any third party captures and modifies the traffic, SSH detects this alteration.
The Avaya Ethernet Routing Switch 8800/8600 supports:
- SSH version 1, with password and Rivest-Shamir-Adleman (RSA) authentication
- SSH version 2, with password and Digital Signature Algorithm (DSA) authentication
- Triple Data Encryption Standard (3DES)
SNMPv3 support
SNMP version 1 and version 2 are not secure because community strings are not encrypted. Avaya recommends that you use SNMP version 3. SNMPv3 provides stronger authentication services and the encryption of data traffic for network management.
Use this configuration to redirect incoming and outgoing traffic to a group of firewalls and to automatically load balance across multiple firewalls. The WSM can also filter packets at the ingress port so that firewalls see only relevant packets. The benefits of such a configuration are:
- increased firewall performance
- reduced response time
- redundant firewalls ensure Internet access
Virtual private networks (VPN) replace the physical connection between the remote client and access server with an encrypted tunnel over a public network. VPN technology employs IP Security (IPSec) and Secure Sockets Layer (SSL) services. Several Avaya products support IPSec and SSL. Contivity and the Services Edge Router support IPSec. Contivity supports up to 5000 IPSec tunnels, and scales easily to support operational requirements. The Services Edge Router can support up to 30 000 tunnels.
For SSL needs, Avaya offers the Integrated Service Director (iSD) SSL Accelerator Module (SAM). The SAM is used by the Web Switching Module (WSM) to decrypt sessions and to make encrypted cookies and URLs visible to the WSM. The SAM offers:
- secure session content networking at wire speed
- offloading for Web servers for better performance
- optimized Web traffic for secure Web sites
- cost savings because fewer servers need to be enabled
The Accelerator also terminates each client HTTPS session, performs hardware-assisted key exchange with the client, and establishes an HTTP session to the chosen Web server. On the return path, the SAM encrypts the server response according to the negotiated encryption rules and forwards the response to the requesting client over the established HTTPS session. You can load balance up to 32 iSD-SSL units transparently by using a WSM.
QoS mechanisms
The Avaya Ethernet Routing Switch 8800/8600 has a solid, well-defined architecture to handle QoS in an efficient and effective manner. Several QoS mechanisms used by the Ethernet Routing Switch 8800/8600 are briefly described in the sections that follow.
mode of operation is applied to trusted interfaces (core port mode) because the DSCP or 802.1p field is trusted to be correct, and the edge switch performs the mapping without any classification. In the second type of configuration, the interface classifies traffic as it enters the port, and marks the packet for further treatment as it traverses the Ethernet Routing Switch 8800/8600 network. This mode of operation is applied to untrusted interfaces (access port mode) because the DSCP or 802.1p field is not trusted to be correct. An internal QoS level is assigned to each packet that enters an Ethernet Routing Switch 8800/8600 port. After the QoS level is set, the egress queue is determined and the packet is transmitted. The mapping of QoS levels to queues is a hard-coded 1-to-1 mapping. Table 32: ADSSC, DSCP, and 802.1p-bit mappings on page 310 shows the recommended packet classification scheme for a service provider. Use the defaults as a starting point because the actual traffic types and flows are unknown. You can change the mapping scheme if the default is not optimal; however, Avaya recommends that you do not change the mappings. Table 32: ADSSC, DSCP, and 802.1p-bit mappings
ADSSC                DSCP           802.1p
Critical             CS7            7
Network              CS6            7
Premium              EF, CS5        6
Platinum             AF4x, CS4      5
Gold                 AF3x, CS3      4
Silver               AF2x, CS2      3
Bronze               AF1x, CS1      2
Standard             DE, CS0        0
Custom/best effort   User Defined   1
In this table, ADSSC denotes Avaya Data Solutions Service Class, CS denotes Class Selector, EF denotes Expedited Forwarding, AF denotes Assured Forwarding, and DE denotes Default forwarding. Important: If you must change the DSCP mappings, ensure that the values are consistent on all other Ethernet Routing Switches and devices in your network. Inconsistent mappings can result in unpredictable service. The Avaya QoS strategy simplifies QoS implementation by providing a mapping of various traffic types and categories to a Class of Service. These service classes are termed Avaya
Data Solutions Service Classes (ADSSC). The following table provides a summary of the mappings and their typical traffic types. Table 33: Traffic categories and ADSSC mappings
Traffic category              Application example                                   ADSSC
Network Control               Alarms and heartbeats                                 Critical
Network Control               Routing table updates                                 Network
Real-Time, Delay Intolerant   IP telephony, interhuman communication                Premium
Real-Time, Delay Tolerant     Video conferencing, interhuman communication          Platinum
Real-Time, Delay Tolerant     Audio and video on demand, human-host communication   Gold
Interactive                   eBusiness (B2B, B2C) transaction processing           Silver
Non-Interactive               Email, store and forward                              Bronze
Non-Interactive               FTP, best effort                                      Standard
You can select the ADSSC for a given device (or a group of devices) and then the network maps the traffic to the appropriate QoS level, marks the DSCP accordingly, sets the 802.1p bits, and sends the traffic to the appropriate egress queue.
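As a sketch, the mapping just described can be expressed as a simple lookup from service class to DSCP and 802.1p marking. The Python below only restates Table 32 for illustration and is not switch configuration; the Custom/best effort class is omitted because its DSCP is user defined:

```python
# ADSSC -> (DSCP marking, 802.1p bits), per Table 32.
ADSSC_MAP = {
    "Critical": ("CS7", 7),
    "Network":  ("CS6", 7),
    "Premium":  ("EF", 6),
    "Platinum": ("AF4x", 5),
    "Gold":     ("AF3x", 4),
    "Silver":   ("AF2x", 3),
    "Bronze":   ("AF1x", 2),
    "Standard": ("DE", 0),
}

def mark_packet(adssc):
    """Return the (DSCP, 802.1p) markings for a given service class."""
    return ADSSC_MAP[adssc]
```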
For more information about queue numbering and priority levels, see Avaya Ethernet Routing Switch 8800/8600 Configuration QoS and IP Filtering for R and RS Modules, NN46205-507.
Advanced filters
Advanced filters are provided through the use of Access Control Templates (ACT), Access Control Lists (ACL), and Access Control Entries (ACE), which are implemented in software. When using ACTs, consider the following:
- For pattern matching filters, three separate patterns per ACT are supported.
- After you configure an ACT, you must activate it. After it is activated, it cannot be modified; it can only be deleted. You can delete an ACT only when no ACLs use that ACT.
- 4000 ACTs and 4000 ACLs are supported. The ACT and ACL IDs 4001 to 4096 are reserved for system-defined ACTs and ACLs. You can use these ACTs and ACLs, but you cannot modify them.
- When you configure a new ACT, choose only the attributes you plan to use when setting up the ACEs. For each additional attribute included in an ACT, an additional lookup must be performed. Therefore, to enhance performance, keep the ACT attribute set as small as possible. If too many attributes are defined, you can receive error messages about exhausted memory. For example, if you plan to filter on source and destination IP addresses and DSCP, select only these attributes.
- The number of ACEs within an ACL does not impact performance.
- For multiple ACEs that perform the same task, for example, deny or allow IP addresses or UDP/TCP-based ports, you can configure one ACE to perform the task with multiple address entries, address ranges, or a combination of both. This strategy reduces the number of ACEs.
You can configure a maximum of 1000 ACEs per port for ingress and egress. The Avaya Ethernet Routing Switch 8800/8600 supports a maximum of 4000 ACEs. For each ACL, a maximum of 500 ACEs are supported. When you configure Advanced filters, keep the following scaling limits in mind. Table 34: ACT, ACE, ACL scaling
Parameter              Maximum number
ACLs for each switch   4000
ACEs for each switch   4000
ACEs for each ACL      500
ACEs for each port     2000 (500 inPort, 500 inVLAN, 500 outPort, 500 outVLAN)
The following steps summarize the Advanced filter configuration process:
1. Determine your desired match fields.
2. Create your own ACT with the desired match fields.
3. Create an ACL and associate it with the ACT from step 2.
4. Create an ACE within the ACL.
5. Set the desired precedence, traffic type, and action. The traffic type is determined when you create an ingress or egress ACL.
6. Modify the fields for the ACE.
the traffic rate from one department to give critical traffic unlimited access to the network. In a service provider network, you can control the amount of traffic customers send to ensure that they comply with their SLA. Policing ensures that users do not exceed their traffic contract for any given QoS level. Policing (or rate metering) gives the administrator the ability to limit the amount of traffic for a specific user in two ways:
- drop out-of-profile traffic
- re-mark out-of-profile traffic to a lower (or higher) QoS level when port congestion occurs
Rate metering can be performed only on a Layer 3 basis. Traffic shapers buffer and delay violating traffic. These operations occur at the egress queue set level. The Ethernet Routing Switch 8800/8600 supports traffic shaping at the port level and at the per-transmit-queue level for outgoing traffic.
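Policing is conventionally implemented as a token bucket: conforming packets spend tokens, and out-of-profile packets are dropped or re-marked. The following Python sketch illustrates the general technique only; it does not reflect the switch's internal rate-metering implementation, and all names are invented for this example:

```python
class TokenBucketPolicer:
    """Generic token-bucket rate meter: drop or re-mark out-of-profile packets."""

    def __init__(self, rate_bps, burst_bytes, action="drop"):
        self.rate = rate_bps / 8.0        # refill rate in bytes per second
        self.burst = burst_bytes          # bucket depth in bytes
        self.tokens = float(burst_bytes)
        self.action = action              # "drop" or "remark"

    def offer(self, size_bytes, elapsed_s):
        """Meter one packet; elapsed_s is the time since the previous packet."""
        self.tokens = min(self.burst, self.tokens + self.rate * elapsed_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "forward"              # in profile
        return self.action                # out of profile: drop or re-mark
```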
Use the access port setting to control the classification and mapping of traffic for delivery through the network. Untrusted interfaces require you to configure filter sets to classify and remark ingress traffic. For untrusted interfaces in the packet forwarding path, the DSCP is mapped to an IEEE 802.1p user priority field in the IEEE 802.1Q frame, and both of these fields are mapped to an IP Layer 2 drop precedence value that determines the forwarding treatment at each network node along the path. Traffic entering an access port is remarked with the appropriate DSCP and 802.1p markings, and given an internal QoS level. This remarking is done based on the filters and traffic policies that you configure. The following figure shows access port actions.
access node. If packet classification is not required, use a Business Policy Switch 2000 to connect to the access node. In this case, the service provider configures the traffic classification functions in the Business Policy Switch 2000. At the egress access node, packets are examined to determine if their IEEE 802.1p or DSCP values must be remarked before leaving the network. Upon examination, if the packet is a tagged packet, the IEEE 802.1p tag is set based on the QoS level-to-IEEE 802.1p-bit mapping. For bridged packets, the DSCP is re-marked based on the QoS level.
average-peak utilization does not exceed 80%. The network is expected to handle momentary peaks above 100% capacity, as mentioned previously.
Bridged traffic
When you bridge traffic over the core network, you keep customer VLANs separate (similar to a Virtual Private Network). Normally, a service provider implements VLAN bridging (Layer 2) and no routing. In this case, the 802.1p-bit marking determines the QoS level assigned to each packet. When DiffServ is active on core ports, the level of service received is based on the highest of the DiffServ or 802.1p settings. The following cases describe sample QoS design guidelines you can use to provide and maintain high service quality in an Avaya Ethernet Routing Switch 8800/8600 network.
The following figure shows what happens inside an Ethernet Routing Switch 8800/8600 access node. Packets enter through a tagged or untagged access port, and exit through a tagged or untagged core port.
The following figure shows what happens inside an Ethernet Routing Switch 8800/8600 core node. Packets enter through a tagged or untagged core port, and exit through a tagged or untagged core port.
core switch ports that are configured as core/trunk ports. These ports preserve the DSCP marking and re-mark the 802.1p bit to match the 802.1p bit of the RPR. The following figure shows the actions performed on three different traffic flows (VoIP, video conference, and email) over an RPR core network.
Routed traffic
When you route traffic over the core network, VLANs are not kept separate. The following case describes QoS design guidelines you can use to provide and maintain high service quality in an Avaya Ethernet Routing Switch 8800/8600 network.
customer device or the edge devices, such as the 8003 switch or the Business Policy Switch 2000 (in this case, the 8003 switch treats ingress traffic as trusted). The following figure shows the actions performed on three different routed traffic flows (that is, VoIP, video conference, and email) at access and core ports throughout the network.
Customer service
Item                                                Description                                                                                   Minimum software version   Part number
Chassis
8010 chassis                                        10-slot chassis
8006 chassis                                        6-slot chassis
8010co chassis                                      10-slot chassis
8003-R chassis                                      3-slot chassis
Switch fabric/CPU
8692 SF/CPU                                         Switch fabric/CPU with factory-installed Enterprise Enhanced CPU Daughter Card (SuperMezz)    4.1.0                      DS1404066-E5
Enterprise Enhanced CPU Daughter Card (SuperMezz)   Optional daughter card for the 8692 SF/CPU                                                    4.1.0                      DS1411025-E5
8895 SF/CPU                                         Switch fabric                                                                                 7.0.0                      DS1404120-E5
Power supplies
8004AC                                              850 W AC
8004DC                                              850 W DC
8005AC                                              1462 W AC
8005DI AC                                           1462 W dual-input AC
8005DI DC                                           1462 W dual-input DC
8005DC                                              1462 W DC
Module or component   Description                                            Minimum software version   Part number
Ethernet R modules
8630GBR               30-port Gigabit Ethernet SFP GBIC baseboard            4.0.0
8648GTR               48-port 10BASE-T/100BASE-TX/1000BASE-T                 4.0.0
8683XLR               3-port 10 Gbit/s LAN XFP baseboard                     4.0.0
8683XZR               3-port 10 Gbit/s LAN/WAN XFP baseboard                 4.1.0
Ethernet RS modules
8612XLRS              12-port 10 GbE LAN module                              5.0.0
8634XGRS              Combination 2-port 10 GbE; 24-port SFP; 8-port RJ-45   5.0.0
8648GBRS              48-port SFP baseboard                                  5.0.0
8648GTRS              48-port 10BASE-T/100BASE-TX/1000BASE-T                 5.0.0
8800 series modules
8848GT                48-port 10BASE-T/100BASE-TX/1000BASE-T
8848GB                48-port 1000BASE-X SFP
8834XG                2-port XFP, 24-port 1000BASE-X SFP, 8-port RJ-45
8812XL                12-port 10 Gbit/s LAN, supports SFP+                   7.1.3                      DS1404121-E6
SFPs
Module or component   Description                                                                                                                                                         Minimum software version   Part number
1000BASE-XD CWDM      1470 nm to 1610 nm
1000BASE-ZX CWDM      1470 nm to 1610 nm
1000BASE-T            CAT 5 UTP, PAM-5
1000BASE-SX           Up to 550 m, 850 nm, DDI                                                                                                                                            DDI requires 5.0.0         AA1419048-E6
1000BASE-LX           Up to 10 km, 1310 nm, DDI                                                                                                                                           DDI requires 5.0.0         AA1419049-E6
1000BASE-XD           Up to 40 km, 1310 nm, DDI                                                                                                                                           DDI requires 5.0.0         AA1419050-E6
1000BASE-XD           Up to 40 km, 1550 nm, DDI                                                                                                                                           DDI requires 5.0.0         AA1419051-E6
1000BASE-ZX           Up to 70 km, 1550 nm, DDI                                                                                                                                           DDI requires 5.0.0         AA1419052-E6
1000BASE-XD CWDM      Up to 40 km, 1470 nm to 1610 nm, DDI                                                                                                                                DDI requires 5.0.0         AA1419053-E6 to AA1419060-E6
1000BASE-ZX CWDM      Up to 70 km, 1470 nm to 1610 nm, DDI                                                                                                                                DDI requires 5.0.0         AA1419061-E6 to AA1419068-E6
1000BASE-BX           Up to 10 km, 1310 nm, DDI                                                                                                                                           4.1.0                      AA1419069-E6
1000BASE-BX           Up to 10 km, 1490 nm, DDI                                                                                                                                           4.1.0                      AA1419070-E6
1000BASE-BX           Up to 40 km, 1310 nm                                                                                                                                                7.0                        AA1419076-E6
1000BASE-BX           Up to 40 km, 1490 nm                                                                                                                                                7.0                        AA1419077-E6
1000BASE-EX           Up to 120 km, 1550 nm, DDI                                                                                                                                          5.0.0                      AA1419071-E6
SFP+s
10GBASE-LR            1310 nm single-mode fiber (SMF). The range is up to 10 km.                                                                                                          7.1.3                      AA1403011-E6
10GBASE-ER            1550 nm SMF. The range is up to 40 km.                                                                                                                              7.1.3                      AA1403013-E6
10GBASE-SR            850 nm. The range is up to: 22 m using 62.5 µm, 160 MHz-km MMF; 33 m using 62.5 µm, 200 MHz-km MMF; 66 m using 62.5 µm, 500 MHz-km MMF; 82 m using 50 µm, 500 MHz-km MMF; 300 m using 50 µm, 2000 MHz-km MMF.   7.1.3                      AA1403015-E6
10GBASE-LRM           1310 nm. Up to 220 m reach over Fiber Distributed Data Interface (FDDI)-grade 62.5 µm multimode fiber. Suited for campus LANs.                                      7.1.3                      AA1403017-E6
10GBASE-CX            4-pair direct attach twinaxial copper cable to connect 10 Gb ports. The maximum range is 10 m.                                                                      7.1.3                      AA1403018-E6
10GBASE-CX            4-pair direct attach twinaxial copper cable to connect 10 Gb ports. The maximum range is 3 m.                                                                       7.1.3                      AA1403019-E6
10GBASE-CX            4-pair direct attach twinaxial copper cable to connect 10 Gb ports. The maximum range is 5 m.                                                                       7.1.3                      AA1403020-E6
XFPs 10GBASE-LR 10GBASE-ER 10GBASE-SR 10GBASE-ZR 10GBASE-LRM DWDM XFPs 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 1530.33 nm (195.90 Terahertz [THz]) 1531.12 nm (195.80 THz) 1531.90 nm (195.70 THz) 1532.68 nm (195.60 THz) 1533.47 nm (195.50 THz) 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 NTK587AEE5 NTK587AGE5 NTK587AJE5 NTK587ALE5 NTK587ANE5 1310 nm LAN/WAN 1550 nm LAN/WAN 850 nm LAN 1550 nm LAN/WAN Up to 300 m DDI requires 5.0 DDI requires 5.0 DDI requires 5.0 AA1403001-E5 AA1403003-E5 AA1403005-E5
4.1.0; DDI requires AA1403006-E5 5.0 5.0.0; DDI requires AA1403007-E6 5.0
330
January 2012
Module or component 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 10GBASE DWDM 1534.25 nm (195.40 THz) 1535.04 nm (195.30 THz) 1535.82 nm (195.20 THz) 1536.61 nm (195.10 THZ) 1537.40 nm (195.0 THz) 1538.19 nm (194.9 THz) 1538.98 nm (194.8 THz) 1539.77 nm (194.7 THz) 1540.56 nm (194.6 THz) 1541.35 nm (194.5 THz) 1542.14 nm (194.4 THz) 1542.94 nm (194.3 THz) 1543.73 nm (194.2 THz) 1544.53 nm (194.1 THz) 1545.32 nm (194.0 THz)
Minimum software version 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0
Part number NTK587AQE5 NTK587ASE5 NTK587AUE5 NTK587AWE5 NTK587AYE5 NTK587BAE5 NTK587BCE5 NTK587BEE5 NTK587BGE5 NTK587BJE5 NTK587BLE5 NTK587BNE5 NTK587BQE5 NTK587BSE5 NTK587BUE5
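Each DWDM channel's listed wavelength and frequency are related by f = c / wavelength, and adjacent channels in the table sit 0.10 THz (100 GHz) apart on the grid. The following is a quick sketch (Python, for illustration only; the function name is invented and not part of the product) that reproduces a table row:

```python
# Convert a DWDM channel wavelength in nm to its optical frequency in THz,
# using f = c / wavelength with c taken as the vacuum speed of light.
C = 299_792_458  # speed of light, m/s

def wavelength_nm_to_thz(nm: float) -> float:
    """Return the optical frequency in THz for a wavelength given in nm."""
    return C / (nm * 1e-9) / 1e12

# First DWDM row above: 1530.33 nm is listed as 195.90 THz.
print(round(wavelength_nm_to_thz(1530.33), 2))  # 195.9
```

Running the conversion over the whole table confirms the 100 GHz channel spacing between consecutive rows.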
IEEE standards
The following table lists supported IEEE standards. Table 37: Supported IEEE standards
Supported standard | Description
IEEE 802.1D (2001 standard) | Spanning Tree Protocol
IEEE 802.1p | Priority Queues
IEEE 802.1Q | VLAN Tagging
IEEE 802.1s | Multiple Spanning Tree Protocol (MSTP)
IEEE 802.1w | Rapid Spanning Tree Protocol (RSTP)
IEEE 802.1v | VLAN Classification by Protocol and Port
IEEE 802.1x | Ethernet Authentication Protocol
IEEE 802.3 | CSMA/CD Ethernet (ISO/IEC 8802-3)
IEEE 802.3ab | 1000BASE-T Ethernet
IEEE 802.3ab | 1000BASE-LX Ethernet
IEEE 802.3ab | 1000BASE-ZX Ethernet
IEEE 802.3ab | 1000BASE-CWDM Ethernet
IEEE 802.3ab | 1000BASE-SX Ethernet
IEEE 802.3ab | 1000BASE-XD Ethernet
IEEE 802.3ab | 1000BASE-BX Ethernet
IEEE 802.3ad | Link Aggregation Control Protocol (LACP)
IEEE 802.3ae | 10GBASE-X XFP
IEEE 802.3i | 10BASE-T Autonegotiation
IEEE 802.3 | 10BASE-T Ethernet
IEEE 802.3u | 100BASE-TX Fast Ethernet (ISO/IEC 8802-3, Clause 25)
IEEE 802.3u | 100BASE-FX
IEEE 802.3u | Autonegotiation on Twisted Pair (ISO/IEC 8802-3, Clause 28)
IEEE 802.3x | Flow Control on the Gigabit Uplink port
IEEE 802.3z | Gigabit Ethernet 1000BASE-SX and LX
IETF RFCs
This section identifies the supported IETF RFCs.
Supported standard | Description
RFC 951 / RFC 2131 | BootP/DHCP
RFC 1027 | Using ARP to implement transparent subnet gateways / Avaya Subnet based VLAN
RFC 1058 | RIPv1 Protocol
RFC 1112 | IGMPv1
RFC 1253 | OSPF
RFC 1256 | ICMP Router Discovery
RFC 1305 | Network Time Protocol v3 Specification, Implementation and Analysis
RFC 1332 | The PPP Internet Protocol Control Protocol (IPCP)
RFC 1340 | Assigned Numbers
RFC 1541 | Dynamic Host Configuration Protocol
RFC 1542 | Clarifications and Extensions for the Bootstrap Protocol
RFC 1583 | OSPFv2
RFC 1587 | The OSPF NSSA Option
RFC 1591 | DNS Client
RFC 1723 | RIP v2 Carrying Additional Information
RFC 1745 | BGP/OSPF Interaction
RFC 1771 / RFC 1772 | BGP-4
RFC 1812 | Router Requirements
RFC 1866 | HTMLv2 Protocol
RFC 1965 | BGP-4 Confederations
RFC 1966 | BGP-4 Route Reflectors
RFC 1998 | An Application of the BGP Community Attribute in Multihome Routing
RFC 1997 | BGP-4 Community Attributes
RFC 2068 | Hypertext Transfer Protocol
RFC 2131 | Dynamic Host Control Protocol (DHCP)
RFC 2138 | RADIUS Authentication
RFC 2139 | RADIUS Accounting
RFC 2178 | OSPF MD5 cryptographic authentication / OSPFv2
RFC 2205 | Resource ReSerVation Protocol (RSVP) v1 Functional Specification
Supported standard | Description
RFC 2210 | The Use of RSVP with IETF Integrated Services
RFC 2211 | Specification of the Controlled-Load Network Element Service
RFC 2236 | IGMPv2 for snooping
RFC 2270 | BGP-4 Dedicated AS for sites/single provider
RFC 2283 | Multiprotocol Extensions for BGP-4
RFC 2328 | OSPFv2
RFC 2338 | VRRP: Virtual Router Redundancy Protocol
RFC 2362 | PIM-SM
RFC 2385 | BGP-4 MD5 authentication
RFC 2439 | BGP-4 Route Flap Dampening
RFC 2453 | RIPv2 Protocol
RFC 2475 | An Architecture for Differentiated Services
RFC 2547 | BGP/MPLS VPNs
RFC 2597 | Assured Forwarding PHB Group
RFC 2598 | An Expedited Forwarding PHB
RFC 2702 | Requirements for Traffic Engineering Over MPLS
RFC 2765 | Stateless IP/ICMP Translation Algorithm (SIIT)
RFC 2796 | BGP Route Reflection: An Alternative to Full Mesh IBGP
RFC 2819 | Remote Monitoring (RMON)
RFC 2858 | Multiprotocol Extensions for BGP-4
RFC 2918 | Route Refresh Capability for BGP-4
RFC 2961 | RSVP Refresh Overhead Reduction Extensions
RFC 2992 | Analysis of an Equal-Cost Multi-Path Algorithm
RFC 3031 | Multiprotocol Label Switching Architecture
RFC 3032 | MPLS Label Stack Encoding
RFC 3036 | LDP Specification
RFC 3037 | LDP Applicability
RFC 3065 | Autonomous System Confederations for BGP
RFC 3210 | Applicability Statement for Extensions to RSVP for LSP-Tunnels
RFC 3215 | LDP State Machine
Supported standard | Description
RFC 3270 | Multi-Protocol Label Switching (MPLS) Support of Differentiated Services
RFC 3376 | Internet Group Management Protocol, v3
RFC 3392 | Capabilities Advertisement with BGP-4
RFC 3443 | Time To Live (TTL) Processing in Multi-Protocol Label Switching (MPLS) Networks
RFC 3569 | An overview of Source-Specific Multicast (SSM)
RFC 3917 | Requirements for IP Flow Information Export (IPFIX)
RFC 4364 | BGP/MPLS IP Virtual Private Networks (VPNs)
RFC 4379 | Detecting Multi-Protocol Label Switched (MPLS) Data Plane Failures
draft-holbrook-idmr-igmpv3ssm-02.txt | IGMPv3 for SSM IETF draft
draft-ietf-bfd-v4v6-1hop-06 | Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)
IPv4 Multicast
The following table describes the supported IETF RFCs for IPv4 Multicast. Table 39: IPv4 Multicast RFCs
Supported standard | Description
RFC 1075 | DVMRP Protocol
RFC 1112 | IGMP v1 for routing / snooping
RFC 1519 | Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy
RFC 2236 | IGMP v2 for routing / snooping + some PIM-SM v2 extensions
RFC 2362 | PIM-SM
RFC 3446 | Anycast Rendezvous Point (RP) mechanism using Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP)
| Multicast Source Discovery Protocol (MSDP)
| Virtual Router Redundancy Protocol (VRRP)
IPv6
The following table describes the supported IETF RFCs for IPv6. Table 40: IPv6 RFCs
Supported standard | Description
RFC 1881 | IPv6 Address Allocation Management
RFC 1886 | DNS Extensions to support IP version 6
RFC 1887 | An Architecture for IPv6 Unicast Address Allocation
RFC 1981 | Path MTU Discovery for IP v6
RFC 2030 | Simple Network Time Protocol (SNTP) v4 for IPv4, IPv6 and OSI
RFC 2373 | IPv6 Addressing Architecture
RFC 2375 | IPv6 Multicast Address Assignments
RFC 2460 | Internet Protocol, v6 (IPv6) Specification
RFC 2461 | Neighbor Discovery
RFC 2462 | IPv6 Stateless Address Autoconfiguration
RFC 2463 | Internet Control Message Protocol (ICMPv6) for the Internet Protocol v6 (IPv6) Specification
RFC 2464 | Transmission of IPv6 Packets over Ethernet Networks
RFC 2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2526 | Reserved IPv6 Subnet Anycast Addresses
RFC 2710 | Multicast Listener Discovery (MLD) for IPv6
RFC 2740 | OSPF for IPv6
RFC 2893 | Configured Tunnels and Dual Stack Routing per port
RFC 2893 | Transition Mechanisms for IPv6 Hosts and Routers
RFC 3056 | Connection of IPv6 Domains via IPv4 Clouds
RFC 3363 | Representing Internet Protocol Version 6 Addresses in DNS
RFC 3484 | Default Address Selection for IPv6
RFC 3513 | Internet Protocol Version 6 (IPv6) Addressing Architecture
RFC 3587 | IPv6 Global Unicast Address Format
RFC 3596 | DNS Extensions to Support IP v6
Supported standard | Description
RFC 3587 | IPv6 Global Unicast Address Format
RFC 3590 | Source Address Selection for the Multicast Listener Discovery (MLD) Protocol
RFC 3596 | DNS Extensions to support IP version 6
RFC 3810 | IPv6 Multicast capabilities
| SSH/SCP, Telnet, Ping, CLI, EDM support for IPv6
Platform
The following table describes the supported IETF platform RFCs. Table 41: Platform RFCs
Supported standard | Description
RFC 1305 | Network Time Protocol v3 (NTP client / unicast mode only)
RFC 1340 | Assigned Numbers
RFC 1350 | The TFTP Protocol (Revision 2)
Network Management
The following table describes the supported IETF RFCs for Network Management. Table 43: Network Management RFCs
Supported standard | Description
RFC 1155 | SMI
Supported standard | Description
RFC 1157 | SNMP
RFC 1215 | Convention for defining traps for use with the SNMP
RFC 1269 | Definitions of Managed Objects for the Border Gateway Protocol: v3
RFC 1271 | Remote Network Monitoring Management Information Base
RFC 1304 | Definitions of Managed Objects for the SIP Interface Type
RFC 1354 | IP Forwarding Table MIB
RFC 1389 | RIP v2 MIB Extensions
RFC 1565 | Network Services Monitoring MIB
RFC 1757 / RFC 2819 | RMON
RFC 1907 | SNMPv2
RFC 1908 | Coexistence between v1 and v2 of the Internet-standard Network Management Framework
RFC 1930 | Guidelines for creation, selection, and registration of an Autonomous System (AS)
RFC 2571 | An Architecture for Describing SNMP Management Frameworks
RFC 2572 | Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 2573 | SNMP Applications
RFC 2574 | User-based Security Model (USM) for v3 of the Simple Network Management Protocol (SNMPv3)
RFC 2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2576 | Coexistence between v1, v2, and v3 of the Internet-standard Network Management Framework
The following tables list the network management MIBs and standards that this release supports. Table 44: Standard IEEE MIBs
Protocol | IEEE standard | File name
LACP | 802.3ad | ieee802-lag.mib
EAPoL | 802.1x | ieee8021x.mib
RFC number | MIB name
RFC 1389 / RFC 1724 | RIPv2 MIB extensions
RFC 1398 | Definitions of Managed Objects for the Ethernet-Like Interface Types
RFC 1406 | Definitions of Managed Objects for the DS1 and E1 Interface Types
RFC 1414 | Identification MIB
RFC 1442 | Structure of Management Information for version 2 of the Simple Network Management Protocol (SNMPv2)
RFC 1447 | Party MIB for v2 of the Simple Network Management Protocol
RFC 1450 | Management Information Base for v2 of the Simple Network Management Protocol (SNMPv2)
RFC 1472 | The Definitions of Managed Objects for the Security Protocols of the Point-to-Point Protocol
RFC 1493 | Bridge MIB
RFC 1525 | Definitions of Managed Objects for Source Routing Bridges
RFC 1565 | Network Services Monitoring MIB
RFC 1573 | Interface MIB
RFC 1643 | Ethernet MIB
RFC 1650 | Definitions of Managed Objects for the Ethernet-like Interface Types using SMIv2
RFC 1657 | BGP-4 MIB using SMIv2
RFC number | MIB name
RFC 1658 | Definitions of Managed Objects for Character Stream Devices using SMIv2
RFC 1696 | Modem Management Information Base (MIB) using SMIv2
RFC 1724 | RIP v2 MIB Extension
RFC 1850 | OSPF MIB
RFC 2021 | RMON MIB using SMIv2
RFC 2037 | Entity MIB using SMIv2
RFC 2096 | IP Forwarding Table MIB
RFC 2233 | Interfaces Group MIB using SMIv2
RFC 2452 | IPv6 MIB: TCP MIB
RFC 2454 | IPv6 MIB: UDP MIB
RFC 2465 | IPv6 MIB: IPv6 General group and textual conventions
RFC 2466 | IPv6 MIB: ICMPv6 Group
RFC 2578 | Structure of Management Information v2 (SMIv2)
RFC 2613 | Remote Network Monitoring MIB Extensions for Switched Networks v1.0
RFC 2665 | Definitions of Managed Objects for the Ethernet-like Interface Types
RFC 2668 | Definitions of Managed Objects for IEEE 802.3 Medium Attachment Units (MAUs)
RFC 2674 | Bridges with Traffic MIB
RFC 2787 | Definitions of Managed Objects for the Virtual Router Redundancy Protocol
RFC 2863 | Interface Group MIB
RFC 2925 | Remote Ping, Traceroute and Lookup Operations MIB
RFC 2932 | IPv4 Multicast Routing MIB
RFC 2933 | IGMP MIB
RFC 2934 | PIM MIB
RFC 3019 | IPv6 MIB: MLD Protocol
RFC 3411 | An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC 3412 | Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC number | MIB name
RFC 3416 | v2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3635 | Definitions of Managed Objects for the Ethernet-like Interface Types
RFC 3636 | Definitions of Managed Objects for IEEE 802.3 Medium Attachment Units (MAUs)
RFC 3810 | Multicast Listener Discovery v2 (MLDv2) for IPv6
RFC 3811 | Definitions of Textual Conventions (TCs) for Multiprotocol Label Switching (MPLS) Management
RFC 3812 | Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base (MIB)
RFC 3813 | Multiprotocol Label Switching (MPLS) Label Switching Router (LSR) Management Information Base (MIB)
RFC 3815 | Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP)
RFC 4022 | Management Information Base for the Transmission Control Protocol (TCP)
RFC 4087 | IP Tunnel MIB
RFC 4113 | Management Information Base for the User Datagram Protocol (UDP)
RFC 4624 | Multicast Source Discovery Protocol (MSDP) MIB
Proprietary MIB name | File name
Avaya PGM MIB | wf_pgm.mib
The Definitions of Managed Objects for the Link Control Protocol of the Point-to-Point Protocol (Avaya Proprietary) | rfc1471rcc.mib
The Definitions of Managed Objects for the IP Network Control Protocol of the Point-to-Point Protocol (Avaya Proprietary) | rfc1473rcc.mib
The Definitions of Managed Objects for the Bridge Network Control Protocol of the Point-to-Point Protocol | rfc1474rcc.mib
Definitions of Managed Objects for the SONET/SDH Interface Type (Avaya Proprietary) | rfc1595rcc.mib
OSPF Version 2 Management Information Base, Avaya proprietary extensions |
Avaya IPv6 proprietary MIB definitions |
Glossary
add/drop multiplexer (ADM): A network element in which facilities are added, dropped, or passed directly through for transmission to other network elements.

bit error rate (BER): The ratio of the number of bit errors to the total number of bits transmitted in a given time interval.

coarse wavelength division multiplexing (CWDM): A technology that uses multiple optical signals with different wavelengths to transmit simultaneously in the same direction over one fiber; the signals are then separated by wavelength at the distant end.

Custom AutoNegotiation Advertisement (CANA): An enhancement of the IEEE 802.3 autonegotiation process on the 10/100/1000 copper ports. Custom AutoNegotiation Advertisement offers improved control over the autonegotiation process. The system advertises all port capabilities, which include, for tri-speed ports, 10 Mb/s, 100 Mb/s, and 1000 Mb/s speeds, and full-duplex and half-duplex modes of operation. This advertisement results in autonegotiation between the local and remote ends that settles on the highest common denominator. Custom AutoNegotiation Advertisement can also advertise a user-defined subset of these capabilities to settle on a lower or particular capability.

forwarding database: A database that maps a port for every MAC address. If a packet is sent to a specific MAC address, the switch refers to the forwarding database for the corresponding port number and sends the data packet through that port.

multilink trunk: A method of link aggregation that uses multiple Ethernet trunks aggregated to provide a single logical trunk. A multilink trunk provides the combined bandwidth of multiple links and the physical layer protection against the failure of a single link.

Open Shortest Path First (OSPF): A link-state routing protocol used as an Interior Gateway Protocol (IGP).

small form factor pluggable (SFP): A hot-swappable input and output enhancement component used with Avaya products to allow gigabit Ethernet ports to link with other gigabit Ethernet ports over various media types.

Split MultiLink Trunking (SMLT): An Avaya extension to IEEE 802.1AX (link aggregation) that provides nodal and link failure protection and flexible bandwidth scaling to improve on the level of Layer 2 resiliency.
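The forwarding database entry in the glossary describes a MAC-address-to-port map consulted for every forwarded packet: learn the port a source MAC was seen on, look up the destination MAC, and forward out the matching port. A minimal sketch of that lookup behavior (hypothetical Python with invented names such as ForwardingDatabase; not Avaya code) follows:

```python
# Minimal sketch of a MAC forwarding database (FDB): the switch records the
# port each source MAC address was seen on, then looks up the destination
# MAC to choose an egress port. Unknown destinations are flooded.
FLOOD = "flood"  # placeholder meaning "send out all ports except ingress"

class ForwardingDatabase:
    def __init__(self):
        self.mac_to_port = {}  # MAC address -> port number

    def learn(self, src_mac: str, port: int) -> None:
        """Record (or refresh) the port a source MAC address was seen on."""
        self.mac_to_port[src_mac] = port

    def lookup(self, dst_mac: str):
        """Return the egress port for dst_mac, or FLOOD if it is unknown."""
        return self.mac_to_port.get(dst_mac, FLOOD)

fdb = ForwardingDatabase()
fdb.learn("00:1b:25:aa:bb:cc", 3)   # frame from this MAC arrived on port 3
print(fdb.lookup("00:1b:25:aa:bb:cc"))  # 3
print(fdb.lookup("00:1b:25:dd:ee:ff"))  # flood
```

Real switches also age out entries that have not been refreshed; that detail is omitted here for brevity.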