
Cisco Catalyst 4500-X Series Switch for Campus Aggregation

Overview

The Cisco® Catalyst® 4500-X Series Switch is an enterprise-class borderless network fixed aggregation switch (see Figures 1 and 2) that delivers best-in-class performance, scalability, resiliency, network virtualization, and integrated network services for space-constrained environments in campus networks. It meets business growth objectives with unprecedented scalability, provides high availability with Virtual Switching System (VSS), simplifies virtualization with support for Virtual Routing and Forwarding Lite (VRF-Lite) and Easy Virtual Networks (EVNs), provides application visibility and capacity planning with Flexible NetFlow, and enables emerging applications by integrating many network services.

Figure 1. Enterprise Campus Three-Layer Architecture

Figure 2. Enterprise Campus Collapsed Distribution and Core Architecture

The Cisco Catalyst 4500-X in a Virtual Switching System (VSS) deployment (see Figure 3) offers network resiliency, operational manageability, and increased system bandwidth capacity by activating all available bandwidth across redundant Cisco Catalyst 4500-X Series Switches.

Figure 3. Enterprise Campus Three-Layer Architecture with Virtual Switching System (VSS)

Introduction

The enterprise campus network has evolved over the last 20 years to become a primary element in business computing and communication infrastructure. An increased desire for mobility; the impetus for heightened security; and the need to accurately identify and segment users, devices, and networks are all driven by changes in the way business partners work with other organizations. The list of requirements and challenges that the current generation of campus networks must address is highly diverse.

The aggregation (distribution) layer aggregates many access-layer switches and data center switches that provide various services. The aggregation layer might be the most critical layer in a campus network because port density, oversubscription values, policy enforcement, CPU processing, and various services introduce unique requirements and challenges into the overall design. Performance, security, and availability of applications and services are all primary metrics that must be met to provide a successful aggregation layer. Thus the list of requirements and challenges that the current generation of aggregation-layer switches must address is highly diverse.

The Cisco Catalyst 4500-X Series offers the following primary innovations to address these requirements and to provide room for future growth:

Performance and Scalability: Delivers up to 800 Gbps of switching capacity with up to 250 Mpps of throughput, and scales to 1.6 Tbps of capacity with VSS. Modular uplinks and autodetecting 10 Gigabit Ethernet/Gigabit Ethernet uplink ports future-proof the investment.

High Availability: Delivers the network availability demanded by business-critical enterprise applications through comprehensive network resiliency capabilities, including VSS, in addition to traditional control plane protocols such as First-Hop Resiliency Protocol (FHRP), Gateway Load Balancing Protocol (GLBP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF). Furthermore, device resiliency features such as redundant hot-swappable fans, power supplies, and AC to DC failover and vice versa remove single points of failure in the network.

Application Monitoring: Enhanced application monitoring through Flexible NetFlow, built-in Wireshark network sniffer capabilities, and 8 ports of line-rate bidirectional Switched Port Analyzer/Remote Switched Port Analyzer (SPAN/RSPAN). Furthermore, medianet features such as Mediatrace and video monitoring ensure quick troubleshooting and reporting of video traffic.

Security: Support for Cisco TrustSec®* security, providing Network Device Admission Control (NDAC) to authenticate the connecting switch, line-rate Media Access Control Security (MACsec)* data-link-layer encryption, and role-based access control list (ACL) and policy enforcement. Storm control and robust control plane policing (CoPP) address denial of service (DoS) attacks and Internet worms.

Network Virtualization: Support for Layer 3 segmentation using VRF and EVN.

Simplified Operations: Support for Smart Install Director, providing a single point of management that enables zero-touch deployment of new switches and stacks in campus and branch networks.

Cisco Catalyst 4500-X Switch Family

The Cisco Catalyst 4500-X Series provides scalable, fixed-campus aggregation solutions in space-constrained environments. The solution provides the flexibility to build the desired port density through two versions of the base switch along with an optional uplink module. Both the 32-port and 16-port versions can be configured with optional network modules and maintain similar features and scalability. The Small Form-Factor Pluggable Plus (SFP+) interface supports both 10 Gigabit Ethernet and Gigabit Ethernet ports, allowing customers to use their existing investment in Gigabit Ethernet SFPs and upgrade to 10 Gigabit Ethernet when business demands change, without a comprehensive upgrade of the existing deployment. The uplink module is hot swappable.

Following are primary offerings from this product family:

32 x 10 Gigabit Ethernet Port switch with optional uplink module slot (Figure 4)

16 x 10 Gigabit Ethernet Port switch with optional uplink module slot (Figure 5)

8 x 10 Gigabit Ethernet Port uplink module (Figure 6)

Figure 4. 32 x 10 Gigabit Ethernet Port Switch with Optional Uplink Module Slot

Figure 5. 16 x 10 Gigabit Ethernet Port Switch with Optional Uplink Module Slot

Figure 6. 8 x 10 Gigabit Ethernet Port Uplink Module

Performance and Scalability

The Cisco Catalyst 4500-X Series Switch offers 800 Gbps of backplane bandwidth with up to 250 Mpps switching capacity that provides up to 40 non-blocking 10 Gigabit Ethernet ports, with 32 ports on the baseboard and 8 ports on the optional expansion module.

When multiple access-layer switches are aggregated at the distribution layer, the demand for 10 Gigabit Ethernet port density grows rapidly. With the advent of new technologies such as Universal Power over Ethernet (UPoE) in the Cisco Catalyst 4500E, not only IP phones and video phones but also personal Cisco TelePresence® systems such as the Cisco TelePresence System EX60 and non-IT devices such as surveillance cameras are all becoming part of the network. UPoE also enables more and more virtual desktop infrastructure (VDI) deployments, which are completely dependent on network availability. All these changes demand more and more port density and bandwidth at the access layer, and switches such as the Cisco Catalyst 4500E Series are able to provide up to 384 ports in a single wiring closet switch with support for 4 or more 10 Gigabit Ethernet uplinks into the aggregation layer.

The Cisco Catalyst 4500-X Series Switch offers the performance and scalability required for today’s enterprise-class aggregation switch and provides room for future growth as well.

Ease of Network Migration

Gigabit Ethernet to 10 Gigabit Ethernet upstream with support for SFP and SFP+ optics

External USB and SD card support for flexible storage options

Ease of IPv4 to IPv6 Migration

Dual-stack IP Versions 4 and 6 (IPv4 and v6) support

IPv6 support in hardware, providing wire-rate forwarding for IPv6 networks

Dynamic hardware forwarding-table allocations for IPv4 and IPv6

Scalable and flexible routing (IPv4, IPv6, and multicast) tables and ACL and quality-of-service (QoS) entries

Scalable Hardware Entries and Enhanced Features

55K MAC addresses to support large Layer 2 domains

256K routing entries for high-end campus aggregation deployments

32K multicast routes for scalable multicast deployments

128K Flexible NetFlow entries in hardware that can be exported to multiple collectors

Policy-based routing (PBR) to customize the routing table and traffic flow

Advanced Quality of Service and Buffering

Advanced QoS with up to eight configurable queues per port and customizable queue size per queue

Active queue management through dynamic buffer limiting (DBL) to ensure bandwidth protection for low-rate critical and well-behaving flows such as voice traffic

32 megabytes of centralized buffering optimized to handle bursty video traffic and server microbursts, helping make sure that business-critical packets are not lost because of insufficient buffering

The Cisco Catalyst 4500-X runs Cisco IOS® XE Software, the modular open application platform for virtualized borderless services. Network resiliency and device resiliency are integral parts of Cisco Catalyst 4500-X with the following:

Maximum resiliency with redundant components such as fans and power supplies

Network virtualization through VSS and Multi Chassis EtherChannel (MEC), FlexLinks, and multi-VRF technology for Layer 3 segmentation

Automation through Embedded Event Manager (EEM) and Cisco Smart Call Home for fast diagnosis and reporting

Plug-and-play configuration and image-management of client and access switches with Smart Install Director support.

Furthermore, the Cisco Catalyst 4500-X offers optimized application performance through deep visibility with Flexible NetFlow supporting rich Layer 2/3/4 information (MAC, VLAN, TCP flags) and synthetic traffic generation with IP SLA Video Operation (VO), Medianet capabilities such as Mediatrace, Video monitoring and Media Services Proxy (MSP) to simplify video quality of service, monitoring, and security. (See Table 1 for more detailed performance and scalability features.)

Table 1. Cisco Catalyst 4500-X Switch Series Performance and Scalability Features

(Columns: Product Number; Description)

System

Base ports:
  Front-to-back airflow: 32 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-32SFP+); 16 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-16SFP+ **)
  Back-to-front airflow: 32 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-F-32SFP+); 16 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-F-16SFP+ **)
Expansion module (optional): 8 x 10 Gigabit Ethernet SFP+/SFP (C4KX-NM-8SFP+)
Management port: 10/100/1000 Base-T
USB port: Type A (storage and boot), up to 4 GB
Dual power supply: Yes
Field-replaceable fans: Yes (5 fans)
Fan redundancy: No performance effect with a single fan failure

Scalability

System throughput: Up to 800 Gbps
IPv4 routing in hardware: Up to 250 Mpps
IPv6 routing in hardware: Up to 125 Mpps
Layer 2 bridging in hardware: Up to 250 Mpps
Media Access Control (MAC) entries (1K = 1024): 55K
Forwarding entries (1K = 1024): WS-C4500X-F-32SFP+: 256K IPv4, 128K IPv6; WS-C4500X-F-16SFP+ **: 128K IPv4, 32K IPv6
Flexible NetFlow entries (1K = 1024): 128K
Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN): 8 line-rate bidirectional sessions (ingress and egress)
Total VLANs: 4094
Total switched virtual interfaces (SVIs): 4094
IGMP groups: 32K
Multicast routes: 32K
Dynamic Host Configuration Protocol (DHCP) snooping entries: 4K (DHCP snooping bindings)
ARP entries: 47K
Spanning Tree Protocol instances: 10K
Jumbo frame support for bridged and routed packets: Up to 9216 bytes

High Availability and Resiliency

High availability solution: Virtual Switching System (VSS)
Number of stackable switches in VSS: Up to 2
VSS throughput: Up to 1.6 Tbps
Virtual Switch Link: 1GE or 10GE
Maximum number of Virtual Switch Links: 8
In-Service Software Upgrade: Across the switches
Nonstop Forwarding with Stateful Switchover: Across the switches

CPU and Memory

Onboard memory (DDR-II SDRAM): 4 GB default (max)
Port buffers: 32-MB shared memory
CPU: Dual-core 1.5 GHz
NVRAM: 2 GB
External memory (SD card): 2 GB

QoS Features

Port queues: 8 queues/port
CPU queues: 64
QoS entries (1K = 1024): 128K (64K ingress and 64K egress), shared with ACL
Aggregate rate limiting: Ingress port or VLAN, and egress VLAN or Layer 3 port
Rate-limiting level types: Committed information rate (CIR), peak information rate (PIR)
Aggregate traffic rate-limiting policers (1K = 1024): 16K
Flow-based rate-limiting method, number of rates: Supported using flow records in the classification criteria and policing action
QoS policy enforcement: Per port, per VLAN, or per port per VLAN granularity
Class of service (CoS): Yes
Differentiated services code point (DSCP): Yes
Weighted round robin (WRR) scheduler: Yes

Security Features

Port security: Yes
IEEE 802.1x and 802.1x extensions: Yes
VLAN, router, and port ACLs: Yes
Security ACL entries (1K = 1024): 128K (64K ingress and 64K egress), shared with QoS
Unicast Reverse Path Forwarding (uRPF) check in hardware: Yes
CPU rate limiters (DoS protection), including CoPP: Yes
Private VLANs: Yes
Microflow policer: Yes, supported using flow records in the class map
Cisco TrustSec support: Yes (802.1x, MACsec***, SGT***)
CPU hardware rate limiters by packets per second (pps) and bit-rate policers (bps): Supported in hardware CoPP
CoPP for multicast: Yes
CoPP for exceptions (maximum transmission unit (MTU), time to live (TTL)): Software roadmap **
ACL labels: Yes
Port ACL: Yes
Traffic storm control (formerly known as broadcast/multicast suppression): Yes

Virtualization Features

VRF-Lite scalability: 64
EVN scalability: 32

Simplified Operations

Smart Install: Smart Install Director

Managing Oversubscription

Typical campus networks are engineered with oversubscription. It is not generally practical to provide line rate for every port upstream from the access-to-distribution switch, the distribution-to-core switch, or even for core-to-core links.

The rule of thumb for oversubscription as recommended in Cisco’s “Campus Network for High Availability Design Guide” is 20:1 for access ports on the access-to-distribution uplink. The recommendation is 4:1 for the distribution-to-core links. In the data center, you might need a 1:1 ratio.

“Campus Network for High Availability Design Guide” http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html.

The Cisco Catalyst 4500-X offers up to 40 x 10 Gigabit Ethernet ports, with 32 x 10 Gigabit Ethernet ports on the baseboard and 8 x 10 Gigabit Ethernet ports on the optional expansion module. With the preceding oversubscription ratios, the 32 x 10 Gigabit Ethernet ports on the baseboard can be used as downlinks to aggregate up to 32 access-layer switches or ~6000 end-user devices on the access-to-distribution links with less than 20:1 oversubscription, and the 8 x 10 Gigabit Ethernet ports on the expansion module can be used as uplinks to provide 4:1 oversubscription on the distribution-to-core links.

The Cisco Catalyst 4500-X offers up to 32 Mbytes of centralized shared buffer in which packets are stored during periods of network congestion. 32 Mbytes of buffering translates to ~250 ms of buffering for a congested Gigabit Ethernet port and ~25 ms for a congested 10 Gigabit Ethernet port. This large buffer gives administrators more flexibility in choosing which queues need more buffering, such as those for mission-critical applications, and which need less, such as those for scavenger-class and noncritical applications.
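The arithmetic behind the two paragraphs above, written out as an added example (not Cisco's code): it applies the design-guide ratios (20:1 access-to-distribution, 4:1 distribution-to-core) to the port counts quoted in the text and converts the shared buffer into a drain time at a given line rate. The ~6000-user topology, the tier names and the reading of "32 Mbytes" as 32,000,000 bytes are assumptions made here; the function is general, so any port count and speed can be substituted.

```python
"""Oversubscription and buffer planner for a campus aggregation tier.

Added example, not Cisco's code. Device counts and the 32,000,000-byte
interpretation of the 32 MB shared buffer are assumptions for illustration.
"""
from dataclasses import dataclass

GBPS = 1_000_000_000                                      # bits per second in 1 Gbps
DESIGN_LIMITS = {"access": 20.0, "distribution": 4.0}     # ratios from the design guide


@dataclass(frozen=True)
class Tier:
    """One switching tier: ports facing downstream and ports facing upstream."""
    name: str
    downstream_ports: int
    downstream_gbps: float
    upstream_ports: int
    upstream_gbps: float

    def oversubscription(self) -> float:
        """Aggregate downstream bandwidth divided by aggregate upstream bandwidth."""
        return (self.downstream_ports * self.downstream_gbps) / (
            self.upstream_ports * self.upstream_gbps)


def check_design(tiers, limits=DESIGN_LIMITS):
    """Return {tier name: (ratio, within_limit)}; a tier with no limit is only reported."""
    report = {}
    for tier in tiers:
        ratio = tier.oversubscription()
        limit = limits.get(tier.name)
        report[tier.name] = (ratio, limit is None or ratio <= limit)
    return report


def buffer_time_ms(buffer_bytes: int, drain_gbps: float) -> float:
    """Milliseconds needed to drain a full shared buffer through one port at line rate:
    the upper bound on how long a burst toward a congested port can be absorbed."""
    return buffer_bytes * 8 * 1000 / (drain_gbps * GBPS)


def catalyst_4500x_example():
    """Constructed topology: ~6000 Gigabit Ethernet end users behind access switches
    that uplink into the 32 baseboard 10GE ports; the 8 expansion-module 10GE ports
    face the core."""
    tiers = [
        Tier("access", downstream_ports=6000, downstream_gbps=1.0,
             upstream_ports=32, upstream_gbps=10.0),
        Tier("distribution", downstream_ports=32, downstream_gbps=10.0,
             upstream_ports=8, upstream_gbps=10.0),
    ]
    return check_design(tiers)


if __name__ == "__main__":
    for name, (ratio, ok) in catalyst_4500x_example().items():
        print(f"{name:12s} {ratio:6.2f}:1  {'within' if ok else 'EXCEEDS'} design limit")
    print(f"32 MB buffer: {buffer_time_ms(32_000_000, 1.0):.1f} ms at 1 GE, "
          f"{buffer_time_ms(32_000_000, 10.0):.1f} ms at 10 GE")
```

Run stand-alone it reports 18.75:1 for the access tier (under the 20:1 guideline), exactly 4:1 for distribution-to-core, and 256 ms / 25.6 ms of buffer drain time, which is the ~250 ms / ~25 ms figure in the text.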

Using the oversubscription ratios as mentioned earlier, congestion on the uplinks occurs by design (see Figure 7). When congestion does occur, QoS is required to protect important traffic such as mission-critical data applications, voice, and video. Additionally, you can use QoS to reduce the priority of unwanted traffic. For example, an Internet worm infection, such as Slammer, can cause congestion on many links in the network, and QoS can minimize the effect of this event.

Figure 7. Oversubscription Congestion

Quality of Service (QoS)

The Cisco Catalyst 4500-X offers advanced QoS tools such as bandwidth guarantee, shaping, priority queuing, up to eight configurable queues per port, customizable queue size per queue, and active queue management features such as Dynamic Buffer Limiting (DBL) in addition to basic QoS mechanisms such as classification, marking, and policing.

Using QoS in the campus network design ensures that important traffic is placed in a properly configured queue that never runs out of buffer memory for high-priority traffic. Under normal circumstances, the network should provide an adequate level of service for all network traffic, including lower-priority best-effort traffic.

The aggregation-layer switch is a critical component to the network operations; any service disruption to the CPU or the control and management planes can result in business-impacting network outages. A DoS attack targeting the CPU, which can be perpetrated either inadvertently or maliciously, typically involves high rates of punted traffic that result in excessive CPU utilization.

The Cisco Catalyst 4500-X offers CPU protection mechanisms such as 64 CPU queues to differentiate traffic destined for the CPU and service it by priority. Furthermore, the advanced CoPP feature allows administrators to configure a QoS filter that manages the flow of control plane packets to protect the control plane against reconnaissance and DoS attacks. In this way, the control plane can maintain packet forwarding and protocol states despite an attack or heavy traffic load.
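To show what a CoPP policer does to punted traffic, here is an added model (not Cisco's implementation, and not a configuration for the switch) of the single-rate two-colour policer behind the CIR/burst rate-limiting types listed in Table 1: each CoPP class gets its own token bucket, so a flood aimed at the switch's own address is clamped to its committed rate while a routing-protocol class stays untouched. Class names, rates and the punt trace are constructed for illustration.

```python
"""Token-bucket model of control plane policing (CoPP).

Added example, not Cisco's implementation: a committed-information-rate plus
burst (CIR/bc) policer per CoPP class, run over a constructed trace of packets
punted to the CPU. Class names, rates and the trace are assumptions.
"""
from collections import defaultdict


class TokenBucket:
    """A packet conforms if it fits in the bucket; tokens refill at CIR up to bc bytes."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.refill_bytes_per_s = cir_bps / 8
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last_t = 0.0

    def conform(self, t: float, size_bytes: int) -> bool:
        self.tokens = min(self.bc, self.tokens + (t - self.last_t) * self.refill_bytes_per_s)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


# Per-class (CIR in bps, burst in bytes), constructed: routing protocols get a
# generous allowance, ICMP addressed to the switch itself is capped hard.
DEFAULT_POLICY = {
    "routing": (64_000, 8_000),
    "icmp": (32_000, 1_500),
}


def police_punts(packets, policy=DEFAULT_POLICY):
    """packets: (time_s, class_name, size_bytes) tuples in any order.
    Returns {class_name: {"transmit": n, "drop": n}} as a CoPP class counter would."""
    buckets = {cls: TokenBucket(*params) for cls, params in policy.items()}
    stats = defaultdict(lambda: {"transmit": 0, "drop": 0})
    for t, cls, size in sorted(packets):
        bucket = buckets.get(cls)
        if bucket is None:
            # A class with no policer reaches the CPU unconditionally; this is the
            # gap a CoPP policy should close with a default class.
            stats[cls]["transmit"] += 1
            continue
        stats[cls]["transmit" if bucket.conform(t, size) else "drop"] += 1
    return dict(stats)


def sample_punt_trace():
    """Constructed trace: one 100-byte routing hello per second for 10 s, plus a
    10,000 pps stream of 64-byte ICMP echo requests to the switch over the same 10 s."""
    trace = [(float(s), "routing", 100) for s in range(10)]
    trace += [(i / 10_000, "icmp", 64) for i in range(100_000)]
    return trace


if __name__ == "__main__":
    for cls, counts in police_punts(sample_punt_trace()).items():
        print(f"{cls:8s} transmit={counts['transmit']:6d} drop={counts['drop']:6d}")
```

With these numbers the ten routing hellos all reach the CPU, while of the 100,000 ICMP packets only the initial 1,500-byte burst plus roughly 4,000 bytes per second (about 650 packets in total) are transmitted; the rest are dropped in hardware before they can consume CPU cycles. The monitoring point for a defender is the per-class drop counter: a sudden rise in drops for a class is the signal that something is hammering the control plane.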

High Availability

The principal service requirement of the campus network is availability. The Cisco Catalyst 4500-X offers several network resiliency features, including VSS. Device resiliency is provided through features such as redundant hot-swappable fans, power supplies, and AC-to-DC failover (and vice versa) that remove single points of failure in the network.

Virtual Switching System (VSS)

The Cisco Catalyst 4500-X switch VSS is a clustering technology that integrates two Cisco Catalyst 4500-X switches into a single virtual switch. An end-to-end campus network enabled with VSS gains flexibility and availability. In a VSS, the data planes of both clustered switches are active at the same time in both chassis. VSS members are connected by virtual switch links (VSLs). VSLs use standard Gigabit Ethernet or 10 Gigabit Ethernet connections between the virtual switch members. VSLs can carry regular user traffic in addition to the control plane communication between the VSS members. Figure 8 illustrates the physical and logical connectivity of the VSS pair.

Figure 8. Physical and Logical Topology of VSS Pair

VSS reduces touchpoints with a single management and control plane between two physical switches (optimized for aggregation and core deployments). It also eliminates the need for spanning tree and offers a loop-free topology between the access and distribution with Layer 2 MEC. In addition, VSS simplifies and reduces network topology complexity by eliminating the need for first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP), Gateway Load Balancing Protocol (GLBP), or Virtual Router Redundancy Protocol (VRRP).

Security Services

Security services are an integral part of any network design. There are two aspects of security at the aggregation layer. First, the infrastructure must be protected from intentional or accidental attack, ensuring the availability of the network and network services. Second, the infrastructure must provide information about the state of the network to aid in detection of an ongoing attack.

The Cisco Catalyst 4500-X offers advanced security capabilities with Cisco TrustSec*. Cisco TrustSec* is an intelligent and scalable access control solution that mitigates security access risks across the entire network. As part of Cisco TrustSec*, the Cisco Catalyst 4500-X provides advanced 802.1X features; Network Device Admission Control (NDAC) to authenticate the connecting switch; Security Group Tagging (SGT); policy enforcement using Security Group Access Control Lists (SGACLs); and MACsec, a data link layer encryption technology that ensures data integrity by encrypting the data traffic between switches (see Figure 9).

Furthermore, the Cisco Catalyst 4500-X offers advanced application-monitoring tools such as Flexible NetFlow, SPAN, and EEM that provide the information necessary to detect an ongoing attack.

Figure 9. MACsec

Application Monitoring

Without the ability to monitor and observe what is happening in the network, it can be extremely difficult to detect the presence of unauthorized devices or malicious traffic flows.

The Cisco Catalyst 4500-X offers the following mechanisms to provide the necessary telemetry data required to detect and observe any anomalous or malicious activities:

Flexible NetFlow: Provides the ability to track each data flow that appears in the network.

SPAN/RSPAN: Provides the ability to capture and analyze packets.

Wireshark: Provides the ability to capture packets for quick troubleshooting.

Embedded Event Manager (EEM): Provides the ability to monitor system and network events and take actions such as executing a CLI command or starting a Wireshark capture.

Simple Network Management Protocol (SNMP): Provides the ability to monitor critical system status, notify of any critical alarms, and so on in the network.

Syslog: Provides the ability to track system events.

Flexible NetFlow application and traffic monitoring, EEM, SPAN/RSPAN, and the built-in Wireshark sniffer capability can be used together to provide an additional level of observation and mitigation. While Flexible NetFlow provides a very scalable mechanism to detect and find anomalous traffic flows, SPAN and Wireshark provide visibility into the content of individual packets. All these telemetry mechanisms must be supported by appropriate backend monitoring systems. Tools such as the Cisco Service Assurance Manager (SAM) should be used to provide a consolidated view of the gathered data and a more accurate overall view of any security outbreak.

Flexible NetFlow

Cisco Catalyst 4500-X Flexible NetFlow is the next generation in flow technology, allowing optimization of the network infrastructure, reducing operation costs, and improving capacity planning and security incident detection with increased flexibility and scalability. Flexible NetFlow has many benefits over traditional NetFlow. Figure 10 shows a sample Flexible NetFlow collector screen from a Cisco Network Analysis Module. It shows an at-a-glance view of top talkers in the network by IP address, VLAN, applications, application groups, and QoS values.

Primary advantages to using Flexible NetFlow:

Flexibility, scalability of flow data beyond traditional NetFlow

The ability to monitor a wider range of packet information producing new information about network behavior not available today

Enhanced network anomaly and security detection

User-configurable flow information to perform customized traffic identification and the ability to focus and monitor specific network behavior

Convergence of multiple accounting technologies into one accounting mechanism
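The "enhanced network anomaly and security detection" in the list above, and the earlier point that Flexible NetFlow is the scalable way to find anomalous flows before SPAN or Wireshark is used to look inside packets, come down to queries over the exported flow records. The following is an added example of two such queries (not Cisco's code and not part of any Cisco collector): it runs on constructed records shaped like Flexible NetFlow exports keyed on source and destination address, protocol, destination port and TCP flags, and flags (a) a source fanning out to many destinations on a single port, the spreading pattern of a worm such as the Slammer event mentioned earlier, and (b) a source leaving many TCP flows half-open (SYN without ACK), the footprint of a port scan. Addresses, thresholds and record layout are assumptions.

```python
"""Anomaly checks over exported Flexible NetFlow records.

Added example, not Cisco's code. Records are constructed to mirror the key
fields a Flexible NetFlow record carries (addresses, protocol, destination
port, TCP flags, counters); thresholds and addresses are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

TCP, UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10        # bit values of the NetFlow TCP flags field


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: int
    dport: int
    tcp_flags: int      # OR of the flags seen over the flow's lifetime
    packets: int
    bytes: int


def fanout_alerts(records, threshold=20):
    """Sources that reach at least `threshold` distinct destinations on one
    (protocol, destination port): a host sweeping the network on a single service."""
    reached = defaultdict(set)
    for r in records:
        reached[(r.src, r.proto, r.dport)].add(r.dst)
    return sorted((src, proto, dport, len(dsts))
                  for (src, proto, dport), dsts in reached.items()
                  if len(dsts) >= threshold)


def half_open_alerts(records, threshold=20):
    """Sources with at least `threshold` TCP flows that carried SYN but never ACK:
    connection attempts that were refused or ignored, typical of a port scan."""
    counts = defaultdict(int)
    for r in records:
        if r.proto == TCP and (r.tcp_flags & TCP_SYN) and not (r.tcp_flags & TCP_ACK):
            counts[r.src] += 1
    return sorted((src, n) for src, n in counts.items() if n >= threshold)


def sample_records():
    """Constructed traffic: five clients with normal HTTPS sessions to three servers,
    one host sending single-packet UDP datagrams to 50 hosts on one port, and one
    host probing 30 TCP ports on a single server without completing a handshake."""
    recs = []
    for client in range(1, 6):
        for server in ("10.10.0.10", "10.10.0.11", "10.10.0.12"):
            # 0x1b = SYN|ACK|PSH|FIN: a complete, well-behaved session
            recs.append(FlowRecord(f"10.1.1.{client}", server, TCP, 443, 0x1b, 40, 28000))
    for host in range(1, 51):
        recs.append(FlowRecord("10.1.5.20", f"10.2.0.{host}", UDP, 1434, 0, 1, 200))
    for port in range(1, 31):
        recs.append(FlowRecord("10.1.7.9", "10.10.0.10", TCP, port, TCP_SYN, 1, 60))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("fan-out alerts:  ", fanout_alerts(recs))
    print("half-open alerts:", half_open_alerts(recs))
```

The two checks are complementary: fan-out catches horizontal spreading that a per-port scan detector misses, and the half-open count catches a vertical scan of one host that never trips the fan-out threshold. Either alert is the cue to pull a SPAN or Wireshark capture of the flagged source for packet-level confirmation, and an EEM policy could trigger that capture automatically.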

Figure 10. At-a-Glance View of Network and Application Performance

Network Virtualization

Network virtualization includes a series of technologies that span from Layer 2 to Layer 3 and above. Two primary pillars of network virtualization are VSS technology and Layer 3 network segmentation using VRF-Lite, EVN, and MPLS.

Cisco Catalyst 4500-X switch VSS technology adds a powerful new tool for IT managers to build resilient, highly available networks while optimizing traffic load balancing. VSS is discussed earlier as part of a high-availability solution in the “High Availability” section.

With the EVN feature, Cisco Catalyst 4500-X switches support multiple VPN VRFs for network segmentation. This technology does not need to use MPLS to support such instances; it relies instead on the configuration of Layer 3 interfaces on the interswitch links.

Easy Virtual Network (EVN)

The Cisco Catalyst 4500-X switch EVN is an IP-based virtualization technology that provides end-to-end virtualization of two or more Layer 3 networks. You can use a single IP infrastructure to provide separate virtual networks whose traffic paths remain isolated from each other.

EVN significantly reduces network virtualization configuration across the entire network infrastructure with the virtual network trunk, without requiring MPLS. The traditional VRF-Lite solution requires creating one interface per VRF on every switch and router in the data path, which creates a heavy configuration-management burden. EVN removes the need for a per-VRF interface by using the "vnet trunk" command, reducing the amount of provisioning across the network infrastructure.

EVN is backward compatible with the VRF-Lite solution to enable transparent network migration from VRF-Lite to EVN. Figure 11 illustrates VRF-Lite and EVN.

Figure 11. VRF-Lite and EVN

Conclusion

Network architecture is evolving in response to a combination of new business requirements, technology changes, and growing end-user expectations. Choosing the right technology and right switches is crucial to a successful campus network design that will provide the balance of availability, security, flexibility, and operability required to meet current and future business and technological needs.

The Cisco Catalyst 4500-X Series Switch is an enterprise-class borderless network fixed aggregation switch that delivers best-in-class performance, scalability, resiliency, network virtualization, and integrated network services and is specially designed for space-constrained campus environments. It meets business growth objectives with unprecedented scalability, provides high availability with VSS, simplifies network virtualization with support for VRF-Lite and EVNs, provides application visibility with Flexible NetFlow for optimal network application visibility and capacity planning, and enables emerging applications by integrating many network services.

* To be enabled in a future software release.
** To be enabled in a future software release.
*** To be enabled in a future software release.