9.2.1 Main Features of the Catalyst 6500 Shared Bus

The Cisco Catalyst 6500 shared switching bus employs two methods to achieve improved performance over the traditional shared bus: pipelining and burst mode.

9.3.1 Supervisor Engine 32 Architecture

The Supervisor Engine 32 has connectivity only to the 32 Gb/s shared bus and supports packet forwarding of up to 15 Mpps [CISCSUPENG32]. Unlike the Supervisor Engines 2 and 720, Supervisor Engine 32 does not provide connectivity to a crossbar switch fabric, as illustrated in Figures 9.3 and 9.4. As shown in these figures, Supervisor Engine 32 supports the PFC3B and MSFC2a as a default configuration.

The Supervisor Engine 32 comes in two versions:

• Supervisor Engine 32-8GE: This Supervisor Engine option supports 8  GbE Small Form-Factor Pluggable uplink ports (see Figure 9.3).
• Supervisor Engine 32-10GE: This Supervisor Engine option supports 2 × 10 GbE uplink ports (see Figure 9.4).

These Supervisor Engines also support an additional 10/100/1000TX front port and two USB ports on the front panel (type A and type B USB port). The type A USB port, which is designated for host use, can be used to plug in devices such as a laptop or PC. The type B is designated as a device port and can be used for attaching devices such as a Flash memory key.

A chassis that supports redundancy with two Supervisor Engine 32-8GE modules provides a total of 18 active Gigabit Ethernet ports (i.e., 2 × (8 +1) ports) to the user, where all ports on both the primary and secondary Supervisor Engines are active.

9.3.2 Multilayer Switch Feature Card 2a (MSFC2a)

The MSFC2a provides Layer 3 control plane functionality that enables the Supervisor Engine 32 to function as a full-fledged Layer 3 device. Without the MSFC2a, the Supervisor Engine 32 will function purely as a Layer 2 device. Forwarding using network topology-based forwarding tables and optimized lookup algorithms (called CEF (Cisco Express Forwarding)) is the forwarding architecture implemented in the Supervisor Engine 32. The MSFC2a and the MSFC2 used in the Supervisor Engine 2 (see Chapter 7) are functionality equivalent, except the MSFC2a uses a bigger DRAM.

In the Supervisor Engine 32, a Switch Processor CPU, as shown in Figures 9.3 and 9.4, is responsible for running all the Layer 2 control plane protocols, such as Spanning Tree Protocol (STP), IEEE 802.1AB Link Layer Discovery Protocol (LLDP), and VLAN Trunking Protocol (VTP). The Switch Processor is allocated its own (upgradeable) DRAM and nonvolatile RAM (NVRAM).

A route processor CPU on the MSFC2a (Figures 9.3 and 9.4) is responsible for running the Layer 3 routing protocols and ICMP, carrying out address resolution functions to map IP addresses to Layer 2 addresses, initializing and managing switched virtual interfaces (SVIs), and running and configuration of the Cisco IOS Software. An Ethernet out-of-band control bus (a full duplex, 1 Gb/s in-band connection) shown in Figures 9.3 and 9.4) enables the MSFC2a to communicate and exchange information with other entities on the Supervisor Engine 32 baseboard.

The MSFC2a communicates with its Layer 3 peers in a network (via the configured routing protocols (Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), border Gateway Protocol (BGP), etc.) and generates routing information about the network topology (which is maintained in the routing table). The MSFC2a then distills this routing information to generate a more compact forwarding table or FIB, which is then forwarded to the PFC3B.

The PFC3B stores the forwarding table in a FIB ternary content addressable memory (TCAM). As shown in Figures 9.3 and 9.4, the FIB TCAM is implemented on the PFC3B daughter card and is a very high-speed memory that allows the PFC3B to perform fast forwarding table lookups during packet forwarding. The Layer 3 features that are supported on a Supervisor Engine 32 are described in more detail in [CISCSUPENG32].

As with the Supervisor Engine 720, the Supervisor Engine 32 also implements hardware counters, registers, and control plane policing (CoPP) (of control plane traffic) to limit the effect of denial of service (DoS) attacks on the control plane. The hardware-based control plane policing allows a control plane quality of service (QoS) policy to be applied to the Supervisor Engine 32 in order to limit the total amount of traffic that is sent to its control plane.

9.3.3 Policy Feature Card 3B (PFC3B)

The PFC3B (Figures 9.3 and 9.4) supports hardware-based features that allow the Supervisor Engine 32 to perform more enhanced QoS and security operations. For example, to secure and prioritize data, the PFC3B provides hardware support for security and QoS-based ACLs using Layer 2, 3, and 4 classification criteria. The PFC3B also allows the Supervisor Engine 32 to support new hardware accelerated features such as ACL hit counters, port access control lists (PACLs), Enhanced Remote Switched Port Analyzer (ERSPAN), CPU rate limiters, IP Source Guard, and NetFlow capacities:

• ACL Hit Counters: ACL hit counters allow a network administrator to monitor how many times (i.e., hits) a specific access control entry (ACE) within an ACL has been applied as traffic pass through the device port or interface. The ACE hit patterns (number of hits) provide the user with additional information that can be used to fine-tune the ACLs to be more effective for the traffic the ACLs are applied to.
• Port ACLs (PACLs): A PACL is an ACL that can be applied at a single port on a Layer 2 switch within a VLAN (i.e., physical switch port or trunk port that belongs to a specific VLAN). It provides a functionality similar to a VLAN ACL (VACL), but unlike a VACL (which when applied, extends and covers an entire VLAN), the PACL is applied only to a single port within a VLAN. The PACL can be applied at the ingress of a switch port to screen ingress traffic and is processed before any VACLs that may be applied to the switch port.
• Enhanced Remote SPAN (ERSPAN): The switched port analyzer (SPAN) feature (also referred to as port mirroring or port monitoring) is a feature that can be applied to a switch port to copy or sample traffic to be examined and analyzed by a network traffic analyzer such as a Remote Monitoring (RMON) probe. ERSPAN allows a switch to forward a copy of traffic passing through a switch port to a destination SPAN port that may be located in another network reachable over multiple Layer 3 hops. For example, ERSPAN can be applied on a switch port located in one IP subnet while the destination SPAN port is located in another subnet. ERSPAN uses the tunneling protocol, generic routing encapsulation (GRE), to carry the traffic over the Layer 3 network to the destination SPAN port.
• CPU Rate Limiting: The control plane provides a critical set of functions to a switch, switch/router, or router. CPU rate limiters are rate-limiting mechanisms that can be applied to different traffic types sent to the control plane of the switch, switch/router, or router. The CPU rate limiters in Supervisor Engine 32 are designed to protect the performance of the Layer 3 control plane (or route processor) from being overwhelmed or overloaded with unnecessary or DoS traffic. From a performance perspective, implementing CPU rate limiters in hardware further strengthens the Supervisor Engine 32 from high-speed attacks that can compromise the performance of the system. The Layer 2, 3, and application rate limiters as well as unicast and multicast rate limiters are listed in [CISCSUPENG32].
• Bidirectional Protocol-Independent Multicast (BIDIR-PIM): BIDIR-PIM allows the network nodes involved in multicast traffic distribution to construct bidirectional multicast distribution trees, which support bidirectional traffic flow. BIDIR-PIM provides an alternative multicast distribution model to the other PIM distribution models (PIM Dense Mode (PIM-DM), PIM Sparse Mode (PIM-SM), PIM Source-Specific Multicast (PIM-SSM)) and is designed to support many-to-many multicast communications within a single PIM domain. BIDIR-PIM also reduces or lessens the amount of PIM forwarding state information that a multicast router must maintain (in its multicast forwarding table), a feature that is particularly important during many-to-many multicast transfers with many and widely spread out data senders and receivers. The BIDIR-PIM shared trees provide a valuable feature in that many multicast sources can transmit on the same shared tree without the multicast routers having to explicitly maintain state for each source. This feature also provides the added benefit of reduced processing load on the Supervisor Engine's CPU and memory.
• IP Source Guard: Spoofing attacks occur when a client that is unknown or untrusted floods a network with malicious packets that are intended to harm the operations of the network. Often the clients in these attacks utilize source IP address spoofing to hide the true source of the attack. Hackers often use spoofed packets to gain access into a network by changing their true source IP address to one that is recognized by the network as a genuine internal or secure address. IP Source Guard is a method that can be used to provide protection against spoofed packets. Using Dynamic Host Configuration Protocol (DHCP) snooping, IP Source Guard snoops on DHCP requests and constructs a dynamic PACL (Port ACL) that is applied to incoming traffic to deny all packets that do not match the assigned DHCP address. The PACL is applied at an interface of the device running the IP Source Guard feature.

Other QoS services supported on the PFC3B include ingress traffic policing and classification of incoming data. This allows the rewrite of IEEE 802.1p class of service (CoS) bits in the Ethernet header and IP Precedence/DSCP priority bits in the IPv4 header.

9.3.4 Supervisor Engine 32 as a “Classic” Module

The Supervisor Engine 32 is also referred to as a “Classic” module (see Chapter 7) because it supports connectivity only to the “Classic” 32 Gb/s shared switching bus that allows it to communicate with other line cards connected to the bus. The Supervisor Engine 32 also has no built-in crossbar switch fabric (as in other Supervisor Engines like Supervisor Engine 720), nor does it support connectivity to a separate crossbar switch fabric module (like in Supervisor Engine 2).

The support of only the Classic (32 Gb/s) shared bus thus dictate the type of line cards that can operate with the Supervisor Engine 32. Line cards that do not support connectivity over the Classic 32 Gb/s shared bus cannot be used with the Supervisor Engine 32.

A full list of the line card architectures supported with the Supervisor Engine 32 is given in [CISCSUPENG32]. As explained below, the Supervisor Engine 32 supports both the CEF256 and Classic line card architectures. Both of these line cards have a connector on the line card that provides connectivity to the Classic 32 Gb/s bus.

The 32 Gb/s shared bus allows all ports connected (on both the Supervisor Engine 32 and line cards) to exchange data. The DBus is 256 bits wide and is clocked at 62.5 MHz, which yields bandwidth of 16 Gb/s. The RBus also operates at 62.5 MHz and is 64 bits wide.

9.3.5 Fabric ASIC and Replication Engine

The Supervisor Engine 32 baseboard (Figures 9.3 and 9.4) has a number of onboard application-specific integrated circuits (ASICs) that enable the support of Layer 2, 3, and 4 services and also serves as an interface to the 32 Gb/s shared switching bus. One ASIC is used to connect the Supervisor Engine to the 32 Gb/s shared switching bus. This specialized ASIC (referred to as the Fabric ASIC and Replication Engine) is also used for multicast packet replication in the Supervisor Engine 32 and supports the SPAN functionality used for port mirroring.

The Supervisor Engine 32 via the Fabric ASIC and Replication Engine supports only ingress replication mode of multicast packets. As shown in Figures 9.3 and 9.4, the Fabric ASIC and Replication Engine also provides an interface to the multicast expansion table (MET), which supplies the Supervisor Engine 32 with the relevant information regarding the multicast group membership it serves. Another onboard port ASIC holds the port interface logic that provides connectivity to the 9  GbE ports (Figure 9.3) or the two 10  GbE ports (Figure 9.4).

9.4.1 Classic Line Card Architecture

The Classic line card (also called the nonfabric-enabled line card (see discussion in Chapter 7)) supports connectivity only to the 32 Gb/s shared switching bus. It has a shared bus connection only and no connection to a stand-alone or Supervisor Engine integrated crossbar switch fabric. Furthermore, it does not support packet forwarding locally in the line card (i.e., distributed forwarding).

All generations and versions of the Supervisor Engines, from the Supervisor Engine 1A through to the newer Supervisor Engine 720-3BXL, support the Classic line cards. A Classic line card when installed in a Cisco Catalyst 6500 chassis does not allow the line cards to operate in compact (switching) mode (see bus switching modes discussion below). Thus, with the presence of this line card, the centralized forwarding rate of the PFC3B reaches only 15 Mpps.

9.4.2 CEF256 Line Card Architecture

Figure 9.5 shows the architecture of the CEF256 line card. The CEF256 line card is a fabric-enabled line card and supports one connection to the 32 Gb/s shared switching bus and another connection to the crossbar switch fabric [CISCCAT6500]. The connection to the crossbar switch fabric is a single 8 Gb/s fabric channel.

The line card also supports a single internal 16 Gb/s local shared switching bus over which local packets are forwarded. The 16 Gb/s local shared switching bus has a similar function and operation as the main chassis 32 Gb/s shared bus. The chassis 32 Gb/s shared bus is the main bus that connects all shared switching bus capable line cards (i.e., the nonfabric-enabled and fabric-enabled line cards) in the Cisco Catalyst 6500 chassis.

The 16 Gb/s local switching bus on the CEF256 line card is utilized for forwarding packets that have port destinations local within the line card. Using this bus, a packet that is to be forwarded locally (utilizing an optional DFC or DFC3a to determine the forwarding destination) avoids being sent over the 32 Gb/s shared bus or the crossbar switch fabric. This local forwarding capability reduces the overall latency of forwarding packets and frees up the chassis 32 Gb/s shared bus or crossbar switch fabric capacity for those line cards that cannot forward packets locally.

As shown in Figure 9.5, the CEF256 line card supports internally a fabric Interface ASIC, which serves as the interface between the local ports on the line card and other modules connected to the crossbar switch fabric. The fabric Interface ASIC also allows line card to connect to the 32 Gb/s shared switching bus.

The CEF256 line cards will use the crossbar switch fabric for forwarding packets to other modules when it is installed in a chassis with a Supervisor Engine 720. However, if a Supervisor Engine 32 is installed, the system will fall back to using the 32 Gb/s shared switching bus since the Supervisor Engine 32 supports connectivity only to the 32 Gb/s shared switching bus.

9.5.1 Flow-Through Mode

The Flow-Through mode of operation is used by the CEF256 (fabric-enabled) line cards when a crossbar switch fabric is not present in the chassis. This mode enables CEF256 line cards to operate in the system and over only the 32 Gb/s shared bus as if they were Classic (nonfabric-enabled) line cards. This mode does not apply to the dCEF256, CEF720, and dCEF720 line cards because they do not support connectivity to the 32 Gb/s shared bus.

In this mode, the whole (original) packet (i.e., the original packet header and data) is forwarded by the CEF256 line card over the 32 Gb/s shared bus to the Supervisor Engine for forwarding table lookup and forwarding to the destination port. In the flow-through mode, the Catalyst 6500 achieves a centralized forwarding rate of up to 15 Mpps.

9.5.2 Compact Mode

For a system to operate in the compact mode, the system must support a crossbar switch fabric in addition to the 32 Gb/s shared switching bus. The crossbar switch fabric can be realized in the form of a stand-alone switch fabric module (installed in a chassis slot) or a Supervisor Engine 720 (which has an integrated crossbar switch fabric). The line cards in the chassis must all be fabric enabled (i.e., CEF256) for the system to run in compact mode.

Classic line cards (which do not have a crossbar switch fabric connection), when installed in the chassis, will not allow the system to operate in compact mode. Note that the dCEF256, CEF720, and dCEF720 line cards do not have connections to the 32 Gb/s shared bus.

In compact mode, a line card will send only the (original) packet header over the DBus of the 32 Gb/s shared bus to the Supervisor Engine for processing. To conserve DBus bandwidth and to allow for faster header transmission, the original packet header is compressed before to being transmitted on the DBus. The line card transmits the data portion of the packet over the crossbar switch fabric channels to the destination port. In this mode, the system achieves (independent of packet size) a centralized forwarding rate of up to 30 Mpps.

9.5.3 Truncated Mode

The truncated mode is used when the chassis has the following three module types present: a crossbar switch fabric, CEF256 and/or CEF720 line cards, and Classic line cards. When operating in this mode, the Classic line cards will forward over the DBus of the 32 Gb/s shared bus to the Supervisor Engine, the header, plus the data portion of the (original) packet. The CEF256 and CEF720 line cards, on the other hand, will forward the packet header over the DBus and the data portion over the crossbar switch fabric.

In the truncated mode, the system achieves a centralized forwarding rate up to 15 Mpps. Furthermore, in this mode, because the CEF256 and CEF720 line cards transmit the data portion of the packet over the crossbar switch fabric, the overall aggregate bandwidth achieved can be higher than the 32 Gb/s shared switching bus capacity. However, the performance of line cards that have the DFC feature is not affected by the truncated mode – the forwarding performance stays the same and does not change regardless of the line card mix in the system.

9.6.1 Uplink Port Queues and Buffering

The transmit side of each Gigabit Ethernet uplink port (see Figure 9.3) is assigned a single strict priority queue and three normal (lower priority) queues. Each of these normal transmit queues supports eight queue fill thresholds, which can be used with a port congestion management algorithm for congestion control. The receive side is assigned two normal queues, each with eight queue fill thresholds for congestion management. There receive side has no strict priority queue.

Each of the Ethernet uplink ports on the Supervisor Engine 32 Gigabit (Figure 9.3) is allocated 9.5 MB of per port buffering. The 10 GbE ports (Figure 9.4), on the other hand, are assigned 100 MB of per port buffering. The provision of large per port buffering is of particular importance when the switch is operating in networks that carry bursty applications or high data volume applications (e.g., long flow TCP sessions, network video, etc.). With large buffering per port, these applications can use the extra buffering should the data transfers become very bursty.

9.6.2 DSCP Transparency

Both the Supervisor Engine 32 and Supervisor Engine 720 support a feature called differentiated services code point (DSCP) transparency. DSCP transparency is a feature that allows the switch to maintain the integrity of the DSCP bits carried in a packet as it transits the switch. Let us consider the situation where a packet arrives on a switch port carrying traffic that is not trusted (an untrusted port) and the switch assigns a lower class-of-service (CoS) value to the packet.

From this incoming CoS value, the switch derives an internal priority value that is used to write the DSCP bits on egress. DSCP transparency prevents this situation, and similar ones, by not allowing the switch to use the internal priority to derive the egress DSCP value. Instead, the switch will simply write the ingress DSCP value on egress.

When DSCP transparency is not used, the DSCP field in an incoming packet will be modified by the switch, and the DSCP field in the outgoing packet will be modified based on the port QoS settings that may include the policing and marking policies configured, port trust level setting, and the DSCP-to-DSCP mutation map configured at the port.

On the other hand, if DSCP transparency is used, the DSCP field in the incoming packet will not be modified by the switch, and the DSCP field in the outgoing packet will not be modified and stays unchanged – The value is the same as that in the incoming packet. It is worth noting that regardless of whether DSCP transparency is used or not, the switch will still use an internal DSCP value for the packet, which it uses for internal traffic processing to generate a CoS value that reflects the priority of the traffic. The internal DSCP value is also used by the switch to select an egress queue and queue fill threshold for the outgoing packet.

9.6.3 Traffic Scheduling Mechanisms

Two important scheduling mechanisms that can be used on the Supervisor Engine 32 GbE uplink ports (Figure 9.3) are the shaped round-robin (SRR) and deficit weighted round-robin (DWRR) algorithms. SRR allows the maximum amount of bandwidth that each queue is allowed to use to be defined. SRR like DWRR requires a scheduling weight to be configured for each of the queues, but the weight values are used differently in SRR.

After the scheduling weights are assigned to all queues, the SRR algorithm normalizes the total of the weights to 1 (or equivalently, 100%). Then a maximum bandwidth value is derived from the normalized values and assigned to each queue. The flow of data out of the queue will then be shaped to not exceed this (maximum) bandwidth value. But unlike DWRR, each queue that is shaped will not be allowed to exceed the maximum bandwidth value computed from the normalized weights. With SRR, traffic in excess of the maximum bandwidth value will be buffered and scheduled resulting in the traffic appearing to have a smoothing output over a given period of time.

The DWRR algorithm, on the other hand, aims to provide a fairer allocation of bandwidth between the queues than when the ordinary weighted round-robin (WRR) is used. The weights in DWRR determine how much bandwidth each queue is allowed to use, but, in addition, the algorithm maintains a measure or count of excess bandwidth each queue has used.

To understand the DWRR algorithm, let us consider, for example, a queue that has used up all but 500 bytes of its allocation, but has another packet in the queue that is 1500 bytes in size. When this 1500 packet is scheduled, the queue has consumed 1000 bytes of bandwidth in excess of its allocation on that scheduling round. The DWRR algorithm works by recognizing that an extra 1000 bytes has been used and deducts this (excess bytes) from the queue's bandwidth allocation in the next scheduling round. When the operation of the DWRR algorithm is viewed over a period of time, all the queues will on average be served closer to their allocated portion of the overall bandwidth.