Cisco IOS® Software Release 15.1(1)SY1 is the second converged software release for Cisco® Catalyst® 6500 Series Switches that supports Cisco Catalyst 6500 Series Supervisor Engine 2T (Sup 2T) and Cisco Catalyst 6500 Series Supervisor Engine 720 (Sup 720-3B and Sup 720-10G).
• Cisco Catalyst Virtual Switching System Quad-Supervisor Stateful Switchover (VS4O) brings further network resiliency to campus switching with support for four supervisors and replicated control plane in the two VSS switches. VS4O supports hot standby redundancy over four supervisors by introducing VSS active standby and in-chassis active standby roles to add complete control-plane redundancy for five-nines high availability. The functionality will be supported with Sup 2T hardware.
• Locator/ID Separation Protocol (LISP) is introduced on the Cisco Catalyst 6500 switch with this release. LISP is an evolutionary routing architecture designed for Internet scalability and global reach across organizations. In the campus core and distribution, LISP enables IPv6 transition, virtualization, and multihoming.
• Cisco TrustSec® security enhancements to improve end-to-end deployments such as security group tag (SGT) name export in NetFlow and security group access lists (SGACL) monitor mode. Cisco TrustSec is supported on 1 Gig interfaces with addition of 802.1AE MACsec encryption for end-to-end Cisco TrustSec on Cisco Catalyst platforms.
• Application visibility and control have new capabilities with Web Cache Communication Protocol (WCCP) v2 IPv6 support to enable customers to take advantage of WAN optimization for web security appliances that support IPv6. Quality of service (QoS) has new features such as egress microflow destination policing, global QoS policies, and policer rate increase.
• Routing and switching feature additions include Virtual Private LAN services (VPLS), Protocol Independent Multicast (PIM) and Internet Group Management Protocol (IGMP) snooping on LAN interfaces, Multiprotocol Label Switching Traffic Engineering (MPLS TE) support on bundle interfaces, and Dynamic Host Configuration Protocol (DHCP) v6 relay chaining.
Supervisor Engine 2T Hardware Support in Release 15.1(1)SY
• Supervisor Engine 2T support on 7606S chassis
Software Feature Highlights of Release 15.1(1)SY1
• VS4O: Cisco Catalyst 6500 VSS now supports quad supervisors in the switches part of the VSS pair. The four supervisors as assigned roles in the VSS and in-chassis domains as:
Redundancy is maintained between the corresponding active and standby supervisor cards during the normal boot-up and operation of switches. The standby supervisors are hot standby and have all the control-plane and protocol states synced up with the active supervisors. If there is a failure of the VSS active supervisor card, then there are two simultaneous failovers in the two domains that make sure the recovery is within 50 milliseconds, providing five-nines high availability in campus networks. The infrastructure is also used for Enhanced Fast Software Upgrade (EFSU) by loading the newer versions of the software in parallel, resulting in improved EFSU times. (See Figure 1.)
Figure 1. VSS Quad SUP SSO Overview
• Hot Standby Router Protocol (HSRP)-aware PIM: PIM has no inherent redundancy capabilities, and its operation is completely independent of HSRP group states. As a result, IP multicast traffic is forwarded not necessarily by the same device as is elected by HSRP. The HSRP-aware PIM feature provides consistent IP multicast forwarding in a redundant network with virtual routing groups enabled.
HSRP-aware PIM enables multicast traffic to be forwarded through the HSRP active router, allowing PIM to use HSRP redundancy, avoid potential duplicate traffic, and enable failover, depending on the HSRP states in the device. The PIM designated router runs on the same gateway as the HSRP active router and maintains mroute states. This vastly improves multicast performance when used with HSRP.
Routing and Switching
• LISP: LISP is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
– Endpoint identifiers (EIDs): assigned to end hosts.
– Routing locators (RLOCs): assigned to devices (primarily routers and switches) that make up the global routing system.
Splitting EID and RLOC functions yields several advantages, including improved routing system scalability and improved multihoming efficiency and ingress traffic engineering.
The Ingress Tunnel Router (ITR) encapsulates data from a LISP site to another LISP site, and the Egress Tunnel Router (ETR) decapsulates packet coming in from a LISP site. Similarly, the Proxy ITR (PITR) encapsulates the data from a non-LISP site to a LISP site. The Proxy ETR (PETR) decapsulates data from a LISP site and natively forwards packets to the non-LISP site. The Cisco Catalyst 6500 switch with Sup 2T and 6904/6908 line cards can function as ITR or ETR (xTR) in the campus networks. LISP map server and map resolver can be configured on the Cisco Catalyst 6500 switch:
– LISP shared virtualization support: LISP shared model virtualized EID space is created by binding VRFs associated with an EID space to instance IDs. A common shared locator space is used by all virtualized EIDs.
– LISP for IPv4 to IPv6 transition: Since LISP allows both IPv4 and IPv6 EIDs to be encapsulated in IPv4 RLOCS, it can be used to connect IPv6 LISP sites separated by an IPv4 network. It can therefore be used to transition islands into IPv6 and connect them over IPv4 networks. (See Figure 2.)
Figure 2. LISP on Catalyst 6500
• VPLS PIM and IGMP snooping: With Release 15.1(1)SY1, IGMP snooping and PIM snooping constrain VPLS multicast traffic, except with hierarchical VPLS or integrated routing and bridging (IRB). IGMP snooping is commonly deployed to make sure multicast traffic is not forwarded on ports without IGMP receivers. PIM snooping procedures are important to restrict multicast traffic to only the switches interested in receiving such traffic. This feature improves IP multicast bandwidth usage in the VPLS core by making sure traffic is replicated only to Provider Edge (PE) with member sites.
• MPLS TE bundled interface support: The MPLS TE bundled interface support feature enables MPLS TE tunnels over the bundle interfaces such as EtherChannel and Multilink Point-to-Point Protocol (MLPPP) for Sup 720. With this feature Resource Reservation Protocol (RSVP) notifies TE about bandwidth changes that occur when member links status changes or when links become active or inactive. TE notifies other nodes in the network using Interior Gateway Protocol (IGP) flooding. The fast reroute (FRR) feature is now supported on the bundled interfaces and gets activated when the interface goes down.
• DHCPv6 relay chaining for prefix delegation: The DHCPv6 relay agent notification for prefix delegation allows the switch working as a DHCPv6 relay agent to find prefix delegation options by reviewing the contents of a DHCPv6 reply packet that is transmitted by the relay agent to the client. When a prefix delegation option is found, the relay agent extracts the information about the prefix that is being delegated and inserts an IPv6 static route matching the prefix delegation information onto the relay agent.
Security and Virtualization
• Cisco TrustSec on 1 Gig interfaces: Support for 802.1AE MACsec encryption on 1 Gig interfaces is added for end-to-end Cisco TrustSec on Cisco Catalyst platforms. The 6904 line card with 4X Small Form-Factor Pluggable/Small Form-Factor Pluggable Plus (SFP/SFP+) adapter will support this feature.
• SGT name export in NetFlow: This feature allows flexible NetFlow to export Cisco TrustSec environmental data tables that map SGTs to security group names (SGNs).
• SGACL monitor mode: During the pre deployment phase of Cisco TrustSec, an administrator would use the monitor mode to test security policies without enforcing them to make sure the policies are what were originally intended. If there is something wrong with the security policy, the monitor mode provides a convenient way to roll back before enforcing it. This feature enables administrators to have increased visibility to the outcome of the policy actions before enforcement and confirmation that the subject policy meets the security need (deny access to resources if the individuals are not authorized). This feature also reduces the eventual deployment time for a Cisco TrustSec system.
• Cisco TrustSec diagnostic toolkits: packet trace: This feature brings in end-to-end debug ability in the campus network with the packet tracing utility turned on for SGT packets traversing the Cisco Catalyst 6500 Series Switch.
• SGA syslog messages: This feature converts existing SGA debug messages to formatted syslogs. This makes sure that critical messages during the authentication and negotiation are captured for subsequent debugging. New syslogs have been defined, and they also provide Simple Network Management Protocol (SNMP) support to trap syslogs.
• Conditional debugging: This feature allows users to define a debug condition and then turn on Cisco TrustSec debug, so that only debugs that meet the defined condition will be displayed. Currently there is no Cisco TrustSec conditional debug, and therefore Cisco TrustSec requires turning on all debug. This could adversely affect the network and is only to be turned on during a maintenance window. The conditional debugging takes away that restriction.
Application Visibility and Control
• WCCPv2 IPv6 support: This functionality enables customers to take advantage of WAN optimization for web security appliances that support IPv6. Multiple routers can use WCCPv2 to service a content engine cluster.
WCCP provides client local caching of content accessed using HTTP in order to:
– Accelerate access to HTTP-based content
– Conserve WAN bandwidth consumption by HTTP-based applications
– Operate transparently to clients and servers
• Egress microflow destination-only policing: This feature provides additional capabilities in the per-interface microflow policer. The mask dest-only keywords can be applied on the base flow identification (only on destination addresses), which applies the microflow policer to all traffic to each source address. Policy Feature Card (PFC) QoS supports the mask dest-only keywords for both IP traffic and MAC traffic.
• QoS policer rate increase to 256G: The maximum for the valid range of values for the peak rate: pir bits_per_second parameter is now increased to 256 gigabits per second.
• Global QoS policy: Global protocol packet policing is now supported with this feature, and protocol packet policing mechanism effectively protects the supervisor CPU against attacks such as line-rate Address Resolution Protocol (ARP) attacks. It polices both routing protocols and ARP packets to the switch and also polices traffic through the switch with less granularity than Control plane policy (CoPP).
• Interfaces MIB: SNMP context-based access: The SNMP support over VPNs context-based access control feature provides the infrastructure for multiple SNMP context support in Cisco software and VPN-aware MIB infrastructure using the multiple SNMP context support infrastructure. The SNMP notification support over VPNs feature allows the sending and receiving of SNMP notifications (traps and informs) using VPN routing and forwarding (VRF) instance tables. This feature extends the capabilities of the SNMP notification support for VPNs feature and enables SNMP to differentiate between incoming packets from different VPNs.
Table 1. 15.1(1)SY1 Feature and Supervisor Support
Table 2. Cisco IOS Software Release 15.1(1)SY Ordering Information
Product Management Contacts
Cisco IOS Software Center
For More Information