What You Will Learn
Cisco Catalyst® Instant Access creates a single network touch point and a single point of configuration across distribution and access layer switches, dramatically simplifying design, deployment, and operations for enterprise campus networks. This paper discusses the Cisco Catalyst Instant Access solution’s architecture, components, packet walks, and value proposition.
Cisco Catalyst Instant Access enables the merging of physical distribution and access layer switches into a single logical entity with a single point of configuration, management, and troubleshooting. The solution simplifies enterprise campus networks by bringing in provisioning and operational simplicity.
Benefits of Cisco Catalyst Instant Access include:
● Single point of configuration and management
● Single software image across distribution and access
● “Plug and play” provisioning of access switches
● Agile infrastructure at the access layer, with feature and hardware consistency
● Automatic uplink configuration at the access layer
● Automatic image provisioning of access switches
● Rich and consistent Catalyst 6500/6800 Series feature set across distribution and access layers
Figure 1 depicts a single touch point for a 21 access switch (1008 port) distribution block.
With the initial Cisco Catalyst OS Release 15.1(2)SY, the Instant Access solution will support 1008 host ports across 21 Instant Access clients. The Instant Access clients will support stacking up to three clients. The client stack size will be increased in future software releases.
Consider the following topology (Figure 2): A 4032-port campus network with four distribution blocks each consisting of 1008 ports (21 access switches of 48 ports each) with a VSS pair at the distribution and stacking technology at the access layer.
This campus requires:
● 29 devices for configuration management
● 29 devices for image management
● 48 trunks and port-channel configurations on access switches
● 29 separate configurations, including SNMP, NTP, TACACS/RADIUS, VLAN DB, management IP, gateway, and hostname
As shown in Figure 3, with Cisco Catalyst Instant Access, the same 4032-port campus would require only:
● Five total devices to manage
● No image management at access switches
● No uplink trunk configuration on access switches
● Five separate configurations for SNMP, NTP, TACACS, VLAN DB, management IP, hostname
Figure 2. Traditional Deployment
Figure 3. Instant Access Deployment
The Cisco Catalyst Instant Access solution has two components: the Instant Access parent and the Instant Access client (Figure 4).
Instant Access parent: The parent comprises a pair of Cisco Catalyst 6500E or 6800 Series chassis with Supervisor 2T configured in VSS or VSS Quad-Sup SSO1 mode and a WS-6904 40G/10G line card configured in 10G mode. Details on configuring in VSS and VSS Quad-Sup SSO mode can be found here. Details on 40G line cards operating in 10G mode can be found here.
Instant Access client: The client is a Cisco Catalyst 6848ia Switch operating exclusively in client mode with a Cisco Catalyst 6500E or 6800 Series Switch at the distribution layer. The Instant Access client supports 48 10/100/1000 interfaces and two 10Gbps uplink or fabric interface ports. The high-level features and capabilities of the Instant Access client are:
● 48 10/100/1000 BASE-T host ports with PoE+ or non-PoE options
● Two 10Gbps uplink ports
● 740W PoE Power:
- Full PoE (15W) across all 48 ports
- Full PoE+ (30W) across any 24 ports
● Stackable up to three clients
● 80 Gbps of Bi-directional stack bandwidth
● Operates in Instant Access client mode only with centralized packet switching on the Instant Access parent
More details are available here.
In addition to the parent and client, a fex-fabric link between the Instant Access parent and client supports short-reach, long-reach multimode, long-reach, and extended-reach optics with Cisco 10GBase SFP+ across fabric links. For more details, click here.
Cisco Catalyst Instant Access Architecture
The control plane implementation in the Instant Access solution allows for the logical grouping of all access switches into one entity. The control plane has four main components:
● Satellite Discovery Protocol (SDP). This link-based protocol runs on every link between the Instant Access parent and clients. It establishes, monitors, and maintains fabric link connectivity and allows for Multichassis EtherChannel connection across parent and client. SDP configures fabric uplinks at the client with no human intervention, providing zero-touch client installation.
● Satellite Registration Protocol (SRP). This protocol registers the Instant Access client and performs an image check and automatic upgrade of the client to match the image on the Instant Access parent. This occurs for both new clients and new client stack members as they are added to the stack. SRP provides the ability for online insertion and removal (OIR) and auto provisioning of the client. SRP removes the need for image management at the access layer, which provides the added benefit of Cisco IOS® Software feature consistency across the distribution and access layers.
● Satellite Configuration Protocol (SCP). This protocol handles configuration management, metrics, and status of Instant Access clients.
● InterCard Communications (ICC). ICC is used for infrastructure features like Syslog, QoS, remote login and POE+ across the Instant Access parent and client.
These control protocols run transparently and automatically in the background. No additional user configuration is required.
A 6-byte VNTAG header is encapsulated on every frame that traverses the fabric link between the Instant Access client and parent as shown in Figure 5. The VNTAG header enables the Instant Access client to behave like a remote line card, allowing client host ports to appear as logical interfaces at the parent switch. To differentiate between unicast packet and multicast packet P bit is used.
For an Instant Access client to operate as a remote line card to the parent, SRP associates each host port on the client with a unique virtual interface ID (VIF). The Instant Access parent assigns a VIF to each host port on the client during the provisioning process (Figure 6). Any packet that enters the client access switch is tagged with a VNTAG header before being sent to the parent over the fabric links. The VIF assigned to the ingress port is used as the source VIF in this VNTAG header. Conversely, for packets destined for a client switch, the parent uses the destination VIF in the VNTAG header to define the egress port on the client.
To understand unicast traffic flow in the Cisco Catalyst Instant Access solution, following is an example of a unicast packet walk (Figure 7).
1. A regular Ethernet frame arrives at the Instant Access client host port. For this example, we will refer to this host port as IF1 having VIF = VIF1.
2. The ingress Ethernet frame is encapsulated with a VNTAG header with source VIF = VIF1 and destination VIF = 0. (All packets that enter at the Instant Access client host port are sent upstream to the Instant Access parent with destination VIF =0.)
3. A packet with a VNTAG header arriving at the FEX interface at the Instant Access parent is de-encapsulated of the header. The MAC learning happens at the IA parent post VNTAG de-encapsulation. The original Ethernet frame is then processed by the forwarding engine of the parent Catalyst switch and switched like a regular Ethernet frame arriving on a native port.
4. For packets coming from the core layer toward the Instant Access client host port VIF1, the Instant Access parent does the table lookup (Figure 8). It identifies the outbound fabric link interface to be a FEX, encapsulates the frame with VNTAG header source VIF = 0 and destination VIF = VIF1, and sends it over the Fex-Fabric.
5. The Ethernet frame arriving on the Fex-Fabric at the Instant Access client is de-encapsulated of its VNTAG header and, based on the destination VIF, is switched to the corresponding interface VIF1.
This enables the simplicity of the Instant Access solution: The VNTAG is local to the fex-fabric link between the client and parent, and the rest of the network is unaware of it.
The Cisco Catalyst 6848ia includes intelligent multicast capabilities of local multicast replication in addition to all the multicast capabilities of the Catalyst 6500 and 6800X Series, such as Label Switched Multicast or Medianet capabilities. Figure 9 shows how Instant Access performs local multicast replication when multiple receivers are joined at Instant Access client host ports.
1. Multicast group receivers connected to Instant Access client interfaces IF1 and IF2 join multicast groups as part of (*,G)/ (S,G) entries at the Instant Access parent.
2. The Instant Access parent programs the Instant Access client for the group VIF table, which maintains the mapping of multicast group VIFs specific to the client’s group receiver interfaces.
3. A single copy of each multicast packet is sent over the Fex-Fabric toward the Instant Access client with destination VIF = group VIF of the multicast group and P bit set to 1 indicating it’s a multicast packet.
4. The Instant Access client receives the VNTAG-encapsulated packet with destination VIF = group VIF and the “P” bit set in the VNTAG header to indicate it’s a multicast packet. The Instant Access client looks up the group VIF to interface ID mapping table and performs local replication of the multicast packets before sending a copy of each packet to each interface (IF1 & IF2) connected to the receiver.
Operational simplicity: The Instant Access solution provides a single point of management across distribution and access switches. All the access host interfaces are represented logically at the Instant Access parent in a 4-level interface (Figure 10).
For example, a GigabitEthernet interface on Cat6848ia configured as FEX 111 stack member 2 will be logically represented at the Instant Access parent as:
Every physical host port on each Instant Access client is a logical interface that can be configured and managed locally at the Instant Access parent as shown in the following interface output.
Similarly, the complete configuration of an Instant Access client FEX ID 111 stack member 2 is logically centralized at the Instant Access parent, as shown in the following output.
Since each Instant Access client is treated like a line card to the Instant Access parent, it renders like a line card in the “show module” output.
With up to 21 48-port switches managed like a remote line card and all 1008 ports represented logically at the Instant Access parent, It enables a single point of configuration and management for the entire distribution block.
Automatic Provisioning of Access Clients
Instant access further simplifies the initial provisioning of the access layer by automatically provisioning the Instant Access clients as they connect to the fabric links of the Instant Access parent. The Instant Access parent discovers the Instant Access client and also performs the software image upgrade if the client image is not the same as that of the Instant Access parent. Both of these actions occur automatically, without any user intervention. The Instant Access client uses the FlexStacking-Plus stacking protocol to enable stacking between members with 80 Gbps of bi-directional stack bandwidth and up to three Instant Access clients in a stack. (A greater stacking density will be enabled in future software releases.) Just like FlexStack-Plus, the stack master is automatically elected and new stack members are discovered and provisioned automatically by the Instant Access parent--truly like a line card to the parent switch.
Pre-provisioning the Instant Access client switch configuration before physical installation is supported. Once an Instant Access client is connected, the pre-provisioned configurations are applied to the Instant Access client host ports automatically, further simplifying deployment: A network administrator can pre-provision Instant access clients from the network distribution layer and have the Instant access clients installed and cabled by anyone locally who does not need to be networking-savvy.
Following is an example where an Instant Access client (FEX 112) is pre-provisioned as a stack of two.
Once the client ID (FEX-ID 112) is pre-provisioned, the Instant Access client configuration for interface host ports will show up in the running-config at the Instant Access parent. This configuration can be checked by issuing the command “show run fex 112.”
As the new Instant Access client is physically connected, the control protocols automatically configures the client uplinks to the parent and then the pre-provisioned configuration is automatically applied to the client’s host port interfaces.
Simplified Software Management
The Cisco Catalyst 6500/6800 software image and Instant Access client image are bundled as a single image, truly like a line card image at the parent. Whenever a new Instant Access client boots up and is discovered by the Instant Access parent, it automatically checks if the Instant Access client image matches the software image on the Instant Access parent. If it doesn’t match, the client image is updated automatically by the Instant Access parent. This eliminates the need to perform software upgrades at the access layer and enables an agile infrastructure with consistent features across distribution and access layers.
The Instant Access solution provides multiple levels of resiliency. At the distribution layer, the Instant Access parent supports the Cisco Virtual Switching System (VSS) and quad supervisor VSS (Quad Sup VSS), providing high availability from any point of failure. With Quad Supervisor Stateful Switchover (SSO) at the distribution level, it would take three supervisor failures before you lose any network connectivity when Instant Access client stacks are dual-homed to the Instant Access parent (Figure 12).
The multiple fabric link connectivity bundled into one Multichassis EtherChannel connection between parent and client can scale up to 60 Gbps with six 10G links between the VSS pair and the client stack, providing fabric link redundancy. The fabric link can span across stack members, providing redundancy as well. The Instant Access parent and client support EtherChannel load sharing over the Fex-Fabric to provide a high level of redundancy across multiple Fex-Fabric links (Figure 13).
The Instant Access client supports host port EtherChannel. Up to eight host ports can be part of an EtherChannel. The EtherChannel can span across stack member (Figure 14).
Enhanced Fast Software Upgrade (eFSU)
The Cisco Catalyst 6500E and 6800X Series support enhanced Fast Software Upgrade (eFSU). This increases network availability by reducing the downtime caused by software upgrades across two supervisor’s in a VSS pair. It brings the active and standby supervisors into synchronous Stateful Switchover (SSO) mode across two supervisor running two different software versions. It maintains an active data plane on both switches in the VSS pair, providing increased network availability during the upgrade process.
eFSU is a four-step process:
Step 1. issu loadversion: The new software image is loaded onto the standby supervisor on the VSS pair.
Step 2. issu runversion: The new software is loaded onto the standby supervisor engine while the active supervisor engine continues to operate with the previous software version. As part of the upgrade, the standby supervisor reaches the SSO hot standby stage, a switchover occurs, and the standby becomes active, running the new software version.
Step 3. You can continue with the upgrade to load the new software onto the other processor with “issu acceptversion,” or you can abort the upgrade and resume operation with the old software with “issu abortversion.”
Step 4. issu commitversion completes the process of eFSU by loading the new software version on the standby supervisor. For more details on eFSU, click here.
eFSU capability is extended to support Instant Access client upgrades similar to how a line card is upgraded. The client software image is bundled with the Catalyst 6500/6800 software image. A new CLI is introduced, enabling AHupgrade of the Instant Access client stack (FEX-IDs), which in turn enables an upgrade of the Instant Access client’s software version before issu commitversion (step 4) of the eFSU process.
issu runversion [fex[range] <num | all >]
“issu runversion fex” initiates the upgrade of the Instant Access client’s move to new software version. A user can specify a set (or range) of FEX-IDs for the rolling upgrade and reload of Instant Access clients. Once all clients are upgraded, a user has the choice to abort the eFSU process and go back to the previous software version using or complete the eFSU process with issu commitversion. See Figure 16.
Quality of Service
The Instant Access solution provides up to 60 Gbps of fex-fabric uplink connectivity per stack (of three Instant Access clients) to the VSS pair offering the subscription ratio of 2.4 to 1.
Instant Access client fabric links support four queues (1P3Q3T), with one priority queue and three standard queues. The line card on the Instant Access parent supports eight (1P7Q4T) queues on the fabric link (Figure 17).
QoS over fabric link is strictly based on DSCP/CoS values of the ingress packets. The Instant Access parent and client maintain a default DSCP-to-Queue map and CoS-to-Queue map, which is the basis of queuing packets appropriately over priority queue or standard queue on fex-fabric interfaces.
As Figure 18 shows, any IP packet marked with COS=5 is queued over priority queue 1, and any IP packet marked with COS=3 is queued to standard queue 3. All Instant Access control traffic is also sent over the priority queue to ensure that communication between the Instant Access parent and client is not lost due to congestion.
Once IP packets arrive over the fabric link at the Instant Access parent., they can be marked, re-marked, classified, or policed.
Likewise, traffic downstream from the Instant Access parent over the fabric port that is heading toward the Instant Access client host port uses default DSCP/COS to queue maps and traffic in the appropriate queue.
Single Consistent Security
When it comes to building campus network, the number-one issue that comes to mind is usually security. Cisco Instant Access supports Cisco TrustSec® inheriting the Catalyst 6500/6800 capabilities.
Cisco Catalyst Instant Access provides a single consistent security policy across the enterprise campus network. The solution supports:
● Role-based access control with Security Group Tagging (SGT)
● Security Group Access List (SGACL)
● IP Subnet, VLAN and Port based SGT mapping
● Network Device Admission Control (NDAC)
● 802.1x, Web Auth and Mac Authentication Bypass (MAB) authentication for identity
All the security policies are applied at the IA parent only with no configuration at the access layer. Access lists are enforced at IA parent only. Any packet arriving at IA client host port are VNTaged and sent to IA parent which de-encapsulates the VNTag and enforces the access-list policies on it. (Figure 19)
Similarly, the packets arriving at IA parent and egressing the IA client host ports, the policies are applied at IA parent before the packet is switched over fex-fabric link to IA client. (Figure 20)
Similarly, IA parent acts as both Security Group Tag(SGT) imposition point and Security Group Access List (SGACL) enforcement point. Cisco ISE communicates with IA parent and enforces policies that are configured by network administrator in the Cisco ISE, IA parent also supports SGT & SGACL based policies based on the IP subnet, the VLAN, or the Layer 3 port in absence of Cisco ISE in the network.
IA supports Network Device authentication (NDAC) guaranteeing the physical infrastructure is secure. Network device authentication is done at IA parent only and is not required for IA clients thus reducing the overhead of NDAC authentication at access layer.
The IA Client is hardware capable of MacSec on fex-fabric links to IA parent and IA client-links and will supported in subsequent releases.
Instant Access support 802.1x, MAC authentication bypass, and Web-Auth port based identity services. IA parent communicates with Cisco ISE controlling the access to the network. Thus enabling single point of management and configuration for all security policies across the network.
Unified Application Visibility
Cisco Catalyst Instant Access provides a single point of application visibility and control for a complete distribution block. A single point of configuration and export at the Instant Access parent drastically reduces the complexity of multiple exports from individual access switches and multiple records at the NetFlow Collector. (See Figure 22.)
Consistent and Rich Features Across the Campus
Table 1 provides a brief list of features that are supported at the Instant Access client host port. For more details on Instant Access and features. Click here
Table 1. Summary Instant Access Features
PoE, PoE+, Multichassis EtherChannel, FlexStack
EtherChannel, PAgP, LLDP, (A)VPLS, GRE Tunneling, MPLS, MPLS-VPN
IPv6 First Hop Security, Multicast Routing, QoS, Stateless Auto Configuration
PBR, EVN, VRF-Lite, PIM SM, WCCPv2, Inter-VLAN Routing, ECMP, Layer 3 Routing Protocols
802.1x Guest VLAN, SXP, SGT, SGACL, IP Source Guard, DHCP Snooping, VACL, RACL, PACL, FnF
Policing, Marking, Rate Limiting, SRR
Mediatrace, Performance Monitoring
Cisco Catalyst Instant Access simplifies the deployment of the enterprise campus network by presenting a single point of configuration, management, troubleshooting, and unified application visibility across the distribution layer. Instant Access also provides consistent features across the campus. The single image management and “plug and play” provisioning of the access layer enables accelerated rollouts.
For More Information
For more information, refer to Cisco Catalyst Instant Access