TSS VIRTUAL UPDATES SPRING 2022

AOS R8.8 UPDATES

Cristopher Maldonado
 • NEW HARDWARE 2022
AGENDA • NEW SOFTWARE FEATURES AOS 8.8R1 and R2
NEW HARDWARE 2022
 OmniSwitch: A STREAMLINED SWITCHING PORTFOLIO
CORE SWITCHING (L3) ADVANCED ACCESS SWITCHING (L3)

OS9900 OS6900 OS6860E/N OS6865

SPB Chassis Core/Edge SPB Core/ToR Switch SPB Edge Switch SPB Hardened Switch

Same OS running on all switches!

VALUE ACCESS SWITCHING (L2+)
OS2260/2360* OS6360 OS6560 OS6465 Mobile Data
MultiGig Edge Switch Hardened Switch Campus Center
Volume Switch Gig Edge Switch

Hardened SMB
Netwks Netwks

* Not available in the US

 SWITCHES ROADMAP 2022
Q1 Q2
(AOS 8.8R1) (AOS 8.8R2)
OS6465-P12 OS6360-PH48

OS6860N-P24M
OS6860N-P24Z

OS6900-C32E

OmniSwitch
VxLAN on all
OmniSwitch
6900s* & 6860N
SPB neighbors’
OmniSwitch scalability
Naas ready on
switches OmniSwitch
XGSPON SFP support
OmniSwitch for HPOL (6360/6560)
ERP and SPB
interworking
OS6860N FAMILY
Advanced MultiGig access switch

Full MultiGig Access w/ 100G Full MultiGig Access w/ 100G

uplink option & MACsec (all ports) uplink option & MACsec (all ports)

OS6860N Rationale:
OS6860N-P24M • 25G/100G Uplinks
Gig fiber w/ 25G uplink OS6860N-P48M • More MultiGig
Gig/MultiGig Access options (5G/10G)
Gig/MultiGig Access • MACsec
w/ 25G uplink w/ 25G uplink • 95W HPoE (IEEE
OS6860N-U28
802.3bt)
• Inline routing
• MPLS (future)
OS6860N-P24Z OS6860N-P48Z

95W PoE Full VxLAN,

DPI Multi-gig MACsec SPB Support
(802.3 BT)
Support
OS6860N-P24M OS6860N-P24Z

Port Configuration 24 x 100/1/2.5/5/10G, MACsec Port Configuration 12 x 100/1/2.5/5G

12 x 10/100/1G
PoE All ports 95W 802.3 bt PoE
PoE (802.3 bt) 60W, 12x 1G Ports
Uplinks Modular, MACsec 95W, 12x 5G m-gig ports
VC 2 x 100G Uplinks Fixed, 4 x1/10/25G MACsec
1588 Support All ports VC 2 x 100G
CPU Quad core @ 2.2 GHz 1588 Support All ports
Memory 4GB RAM; 16 GB SATA CPU Dual core @ 1.5 GHz
Model Type Premium Memory 4GB RAM; 16 GB SATA
Model Type Advanced

Built for Next-Generation L3 Access Networks suitable for Wi-Fi 6E

OS6465-P12 Enhanced Version
 New Orderable part number in eBuy/WWPL: OS6465H-P12
 HW identifiable by “ENH-240” on overlay
 Earlier version stopped shipping in April’22. Only new version will ship
 Enhancements:
 Higher PoE Budget: 240W at 70 °C (with new PS)
 Fast / Perpetual PoE Support
ENH-240
 24V signal detection
OS6465H-P12 illustration
o Support for connecting 24VDC 3rd party power source

 Dis-similar Power Supplies support

o Allows connecting power supplies with different output voltages (48/56V with 24V)
o Allows configuration of Primary & Backup PS

 New Power Supply OS6465-BPNX

 Qualified with new OS6465-P12 version only
 Limited Certifications. Refer to Power Supply Datasheet

OS6465-BPN-X (New PS)

9
OS6900: CORE/TOR SWITCHES

10G/25G Aggregation
10G Aggregation w/ MACsec
8.9 R1

OS6900-X48C6
48x 10G fiber ports OS6900-X48C4E OS6900 Rationale:
OS6900-X24C2 25G Aggregation
24x 10G fiber ports 6x 100G uplinks 40x 10G fiber ports • More link options
8x 10/25G (25G/100G)
2x 100G uplinks
4x 100G uplinks
• MACsec
10G Server 100G Core • SPB Inline routing
Connectivity OS6900-V48C8 • Switching capacity
48x 25G ports with • MPLS (future)
8.9 R1 8x 100G uplinks

OS6900-T48C6 OS6900-C32E
OS6900-T24C2 48x 10G-BaseT ports 6x 32x 100G ports
24x 10G-BaseT ports 100G uplinks
2x 100G uplinks

SPB High High Speed Virtual

VxLAN Capacity 100G Scalable
Chassis
L3VPN 6.4T
VC COMPATIBILITY CHART

VC Compatibility Matrix
OS6360 OS6560 OS6860E OS6860N OS6900 OS6900 OS6900 OS9900
X40/X20 X48 Chassis w/ CFM
T40/T20 T48 Chassis with CFM2
All models All models All models All models X48C4E
X72 V72/V48
C32/C32E

Only switches in the same column can do VC between them.

The OS6900-X48C4E currently cannot do a VC with any other OS6900 model, however in a
future release it will be compatible with the X48/T48/V48/V72/C32/C32E
Note: CFM and CFM2 cannot be mixed in the same OS9900 chassis
OS6900-C32E

Single ASIC with 3.2 Tbps I/O switching capacity.

Multicolored LED front panel data port configuration with 32 QSFP28 ports.
Flexible port configuration
32 ports with unpopulated QSFP28 that can operate at 100/40/4x25/4x10 GE speeds
Hardware capable for SPB, L3VPN, VXLAN, NVGRE
VC compatible with V72, C32, X48C6, T48C6, X48C4E, V48C6
No MACSec capability
Hardware characteristics: Front to Rear & Rear to Front fan trays, 1+1 redundant power supplies
Single-pass inline routing capability
Similar to X48C6/T48C6

Built for Next-Generation 100G Core

OS6900-X24C2 OVERVIEW

Single ASIC with 1.08 Tbps switching capacity.

Multicolored LED front panel port configuration with 24 x SFP+ and 2 x QSFP28 ports.
Flexible configuration:
24 unpopulated SFP+ user ports
2-port unpopulated QSFP28 interfaces.
SFP+ ports can operate at 1/10 GE speeds
- Virtual Chassis of 6
QSFP28 ports can operate at 100/40/4x25/4x10 GE speeds - Single-pass inline routing
Hardware capable for SPB, L3VPN, VXLAN, EVPN, MPLS* - Splitter port support

Mixed VC with X24C2, T24C2, X48C6, T48C6, V48C8, C32E

Hardware characteristics, same chassis as X48C6/T48C6:
Front to Rear & Rear to Front fan trays (same FTs as on X48C6/T48C6)
Dual redundant 400W power supplies (same PSU as on X48C6/T48C6)

Intelligent fabric 10G TOR switches with 100GE uplinks

OS6900-T24C2 OVERVIEW

Single ASIC with 1.08 Tbps switching capacity.

Multicolored LED front panel port configuration with 24 x 10G-BaseT and 2 x QSFP28 ports.
Flexible configuration:
24-port 10G-BaseT, and 2-port QSFP28 interfaces.
10G-BaseT ports can operate at 1/10 GE speeds - Virtual Chassis of 6
- Single-pass inline routing
10G Unpopulated SFP+ ports can operate at 1/10 GE speeds - Splitter port support
Unpopulated QSFP28 ports can operate at 100/40/4x25/4x10 GE speeds
Hardware capable for SPB, L3VPN, VXLAN, EVPN, MPLS*
Mixed VC with X24C2, T24C2, X48C6, T48C6, V48C8, C32E
Hardware characteristics, same chassis as X48C6/T48C6:
Front to Rear & Rear to Front fan trays (same FTs as on X48C6/T48C6)
Dual redundant 400W power supplies (same PSU as on X48C6/T48C6)

Intelligent fabric 10G TOR switches with 100GE uplinks

OS9907-CFM2
New high-capacity fabric card for OS9907 chassis

• Single ASIC with 6.4 Tbps switching capacity.

• Increases performance 5 times compared to current fabric card OS9907-CFM
(1.28 Tbps)
• Using dual fabric cards, chassis switching capacity on OS9907 will increase to
12.8 Tbps ingress/egress for total of 25.6 Tbps.
• Will work with all current line cards
• Enables 100G line card to become wire-rate

SPB High
VXLAN High Speed Virtual
L3VPN Capacity
EVPN* 100G Chassis
MPLS* 25T
OmniSwitch 9900
NOTE: Mix of CFM and CFM2 will not be allowed in same chassis SPB Chassis Core/Edge
SOFTWARE FEATURES AOS R8.8
ENTERPRISE SWITCHING MARKET TRENDS

Speeds & Feeds Vertical Mix Shift IoT Adoption Cloud Managed Virtualization Push
Services

• WiFi 6/6E adoption • Industrial, logistics • Carpeted Enterprise • Cloud Managed and • Competitive push from
driving 2.5/5G access growing more rapidly access port use associated software Cisco/HPE etc to
compared to other changing: More IoT services growing at a standardize VxLAN-
• Migration to 25G uplinks verticals devices & infra ports. robust 30% EVPN as Campus
in access Less user connectivity network fabric
• All competitors ports. • Move to cloud posing
• 100G in Campus core, launching hardened demands on high speed • Works well for
400G in DC continue to portfolios • New power configs for core customers already
grow at robust pace light & IoT familiar with it in their
DC
 Virtualization
MTU ISSUE IN MULTIPLE OVERLAY NETWORKS
Path MTU discovery doesn’t work well particularly when tunneled traffic is traversing over public/private cloud

Results in packet drop at intermediate routers/PE if MTU is more than what intermediate tunnel can support

F&R is not supported in OmniSwitches

MSS=1460

TCP Handshake MSS=1460, ok

ok

22 36*1 22*2 18*3 20 20 MSS = 1460 MTU = 1598

Data Packets Packet

Eth VxLAN SPB Eth IP TCP Payload
drop

VxLAN
TCP VxLAN VxLAN TCP
Service

IP SPB SPB SPB SPB IP

Eth Eth Eth Eth Eth Eth

MTU=1500
TCP MSS CLAMPING FOR SERVICE TUNNELS
Solution

• Intercept TCP-SYN and TCP-SYNACK packets at tunnel end-points

• Rewrite TCP MSS in packet to user-defined value & reinject the packet back
• If no MSS option in TCP packets, MSS option is inserted in the TCP header
• Software based solution.

• Configuration
>> service service_id sap {port chassis/slot/port[-port2] | linkagg agg_id[-agg_id2]} [sap_id] [description desc_info] [tcp-
mss {overlay-profile {spb | ethernet} | num}

• Currently supported for VxLAN underlay with Ethernet or SPB overlay.

Can be extended in future to other type of underlay/overlay

Supported Platforms

• OS6860N, OS6900-X48, OS6900-T48, OS6900-V48

Enables SPB tunnels traversing over intermediate cloud

 Virtualization
LEARNED PORT SECURITY ON SAP
• Port Security is well leveraged to control access port in enterprise and campus networks. The feature support
has been extended to service domain SAP in 88R1.
• LPS is supported on both static and dynamic SAP ports
• Existing LPS commands (port-security) at port level are extended to SAP level

Usage guidelines
• The SAP (both static & dynamic) and its service mapping should pre-exist before LPS can be configured on it
• The dynamic SAP must be created upfront through persistent profile-configuration on UN access port
• LPS on SAP port must be unconfigured before SAP port / persistent-profile
• Violation shutdown option not supported
o Port cannot be administratively disabled when port security violation is detected
o However, violation restrict option is supported to filter unauthorized traffic when port security
violation detected.

• Global level command “port-security chassis admin-state enable/disable” is not supported on SPB SAP
o Use port level command to control the port security admin-state

Platforms Supported

• All platforms that support a service domain : SPB, VxLAN, L2GRE. Is not supported on OS6360, OS6560 and
OS6465
PORT SECURITY ON SAP

Function Service SAP Vlan port

Port Security port Static and Dynamic UNP SAP Static vlan port and dynamic UNP

Static MAC and MAC range Yes Yes

Learning Window Yes Yes

Convert to Static Yes Yes

Maximum Allowed Yes Yes

Learn-trap-threshold Yes Yes

Max-filtering Yes Yes

Violation action Restrict/Recovery Shutdown/Restrict/Discard

/Recovery
Admin-state control Port and range of ports Chassis, port and range of ports

Augments the virtualization service offering with security option

 Virtualization

SPB SCALABILITY

1. Total number of nodes (BCBs & BEBs) – 1000

2. Total number of services – 1000 on OS6900 and 100 on OS6860E/N
3. Total number of BLVAN – 2
4. Total number of SPB-Adjacencies – 6. (Current max 70. AOS 8.8 R2 Target: 128)
5. Total number of BEB node per services – 500
6. Platforms: OS6900-X72, OS6860E/N, OS6865, OS6900-X48C6/V48
 OPEX
NAAS 2.0
What is NAAS "Network-As-A-Service” ?
• Offer customers a hybrid CapEx/OpEx model for their network infrastructure purchase needs.
• Hardware (HW) sold as CapEx model and include Hardware Limited Lifetime Warranty (HLLW). HW to be
purchased using special NaaS orderable part numbers
• Software sold as License in OpEx model. Software support included when license is active
Why do we need NAAS in AOS?
• AOS needs to enforce subscription licenses and needs to communicate with cloud-based License Activation
system to get updates on the subscriptions – renewals, revocation or change of subscription parameters.
• AOS cannot distinguish between NaaS HW and non-NaaS HW and needs to enforce both CAPEX and NAAS
licenses depending on the mode in which user is running the HW.
• A customer with an existing non-NaaS switch upgrading to 88R1 is not functionally impacted

Platforms Supported:
• OS6360, OS6465, OS6560, OS6860/E, OS6860N, OS6865, OS6900, OS9900, OS6900-C32, OS6900-
C32E, OS6900-T48C6, OS6900-X48C4E, OS6900-X48C6, OS6900-V48C8, OS6900-V72, OS6900-X72
• NaaS is not available for OS9900
 Security
THIN-CLIENT OMNISWITCH
What is it ?
A way to centrally administer/manage the network in a secure way without leaving any sensitive configuration information on
the site switch.
No configuration written to “vcboot.cfg” except minimal configuration for reachability to OVE
Any local config allowed on switch to be approved centrally. Configuration save via “write memory” is not allowed.

Why?
For security sensitive customers who do not want the switches to store / allow any configuration which may reveal details of
sensitive information .When the switch is in Thin-client mode, no configuration is saved in the vcboot.cfg file. Every time the
switch boots up it will contact OVE to retrieve its mode and the configuration to be operating with .

How ?
Switch does a call home at bootup to OVE over HTTPS.
If no DHCP server, a minimal configuration for network access to OVE must be done & is allowed on the switch
“Thin-Client” mode is configured from OV and Switch is centrally configured from OVE each time the switch boots up.
Works with OVE (OmniVista Enterprise) only. OVC support will come in a future release.
If the device is stolen/decommissioned, powered down or reset, there is no configuration information left on the switch
except minimal configuration for network connectivity to OVE .

Platforms Supported:
All omniswitch platforms

A secure way to centrally manage OmniSwitches in far-flung branch offices

 Security
USB BACKUP AND RESTORE ENHANCEMENTS
Enables a secure bootable USB to restore switches in field
BOOTABLE – ENCRYPTED USB BACKUP
Backs up the AOS images from certified and running directories on USB
Packs all files required for switch operation (along with directory path) in a tar file
Files are encrypted with a configured key/hash key to generate configuration.tar.enc and stored in
/uflash/<product-name> on USB
Key is encrypted and stored in a signature file signature.enc on USB

RESTORE
At bootup, if switch bootloader detects a USB with ALE generated signature file and AOS image, it will boot from
USB
Files required for switch operation are unencrypted and copied to the switch

Usage Guidelines
Encrypted backup/restore is supported on OS6465 only
Bootable option is available on OS6465 & OS6865
‘usb backup’ command is mutually exclusive with ‘usb auto-copy’ command
A secure way to restore / deploy switches in the field with minimal expertise
 Security
MORE SECURE “ENHANCED MODE”
• A new “secureadmin” user to invoke the enhanced mode at bootup automatically to ensure no tampering post
factory-shipment
• ASA enhanced mode has been augmented further to add P.O.S.T functions, integrity checks, critical process
monitoring etc.
• User has an option to login either as “secureadmin” or “admin” (current) at bootup. Login through any of the
admin accounts disables the other admin account permanently
• In SecureAdmin mode, AOS performs Hardware self test, process self test and critical software integrity
check on every bootup.
• Self tests and integrity checks can be invoked manually also by the user through cli
• All switch access services (FTP, Telnet, SSH etc) are disabled by default and have to be manually enabled
• Switch access services among others : Telnet, SSH, FTP, SFTP, HTTP/HTTPs, Radius, SNMP, NTP are part of
critical software list.
• Process ids of these services are monitored continuously and if found altered, switch is forced to reboot.
Prevents any user from loading any pre-compiled malicious binary (sshd) to the switch.
• AOS image & config integrity is checked at every bootup
• Critical commands such as rm, cp, rmdir, su etc are allowed only through console and not allowed to be run
through remoteAsessions
new security mode for critical infrastructure customers – Defense, Healthcare, Transport, FI
 HPOL
GPON/XGSPON SUPPORT ON OMNISWITCH

8.8R1 GPON 8.8R2 XGSPON

SFP: G-010S-A SFP: XS-010S-Q
Switch
(PN: 3FE46541AA) (PN: 3FE49327AA)
LT Card: FGLT-B LT Card: FWLT-B
OS6360-P10 PORTS 11-12 N/S

OS6360-P24 PORTS 25-28 PORTS 27-28

OS6360-PH24 PORTS 25-28 PORTS 27-28

OS6360-P48 PORTS 49-52 PORTS 51-52

OS6360-P24X PORTS 25-28 PORTS 25-28

OS6360-P48X PORTS 49-52 PORTS 49-52

OS6560-X10 PORTS 1-8 (8.7R1/R2) PORTS 1-8

OS6560-P48Z16 PORTS 49-52 (8.7R1/R2) PORTS 49-52

OS6560-P48X4 PORTS 49-54 (8.7R1/R2) PORTS 51-54

OS6560-P24Z24 PORTS 25-28 (8.7R1/R2) PORTS 25-28

• HPOL end to end solution with Stellar WLAN is in the scope of 89R1
 Virtualization
OTHER ENHANCEMENTS
VxLAN Support
• Support for VxLAN L2 functionality on OS6860N and OS6900-X48/T48/V48/X48C4E/C32E
• Support for LPS, Kerberos, Location Time Policies and User defined role on VxLAN is not supported n AOS 88R2
• OVSDB is not supported for platforms added in this release
• VxLAN implementation on existing OS6900 platforms remains unchanged in AOS 8.8R1

SPB inline routing - Multicast

• Multicast support for SPB inline routing – native, single-pass has been added on OS6860N and
OS6900-X48/T48/V48/X48C4E/C32E

ERP-SPB Interworking
• Allows seamless connectivity between an access ERP ring & an SPBM aggregation network
• Configurations supported: ERP ring connecting to a single BEB or to two different BEBs
• Platforms supported: OS9900, OS6900 (TD3), OS6860/E/N
OTHER ENHANCEMENTS
AOS Microservices Controller
redundancy
• Enables 1:1 redundancy for AMS controller
• Uses VRRP protocol
• Redundant controller configuration through DHCP VSO options or manually
• DHCP Server option 43 config:
>> option 43 140 IP-address=192.168.40.254 141 8883 142 “--primary-broker 192.168.40.2 ---secondary-broker 192.168.40.4 100

ISSU Upgrade
• Transition of ASIC-hardware programming to new methodologies in AOS 8.8R01 would mean that ISSU upgrades will not be
supported on some platforms. The change was necessitated by the discontinuation of support from vendor for pre-existing
methods. Following platforms are impacted :

OS6900-V72/C32
OS6900-X/T48C6
OS6900-X48C4E
OS6900-V48C8
OS6860N (All SKUs)
OTHER ENHANCEMENTS
RMON Support
• RMON support has been added on the OS6860N and OS6900-V72/C32/C32E/X48C6/T48C6/X48C4E/V48C8 models
in 8.8R2.

QoS – SP and WRR on Same Profile

• AOS release 8.8R2 allows configuration of strict priority (SP) and WRR schedulers as part of same QoS QSP
profile.

SPB Increase in Adjacencies

• The number of supported adjacencies has been increased from 70 to 128 in 8.8R2
Q&A
THANK YOU