

# Catalyst C9500X and C9600X Deep Dive

Ninad Diwakar and Sai Zeya, C9K Technical Marketing Team, April 1, 2022

### Digital trends shaping the future of business



#### Hybrid work

Work from home | Work from anywhere | Work from office



#### Industry 4.0

Wireless | Automation | Internet of Things | AI/ML



#### Hybrid cloud

Private cloud | Hybrid cloud | Public cloud



#### and the network is the core engine of hybrid work

### Cisco Wi-Fi 6E and Catalyst 9000X

Enabling better business outcomes end-to-end with simplicity and choice



#### Cisco access networking stack

#### Catalyst 9000X – Expanding industry leadership

Adding the "X factor" to the industry's leading switching family



# Introducing Cisco Silicon One<sup>™</sup>

# Cisco Silicon One<sup>™</sup>



Low Latency: extremely low hardware-based system latency (measured in nanoseconds and microseconds)

Streamlined Buffering: shallow buffering systems to reduce latency, with very high throughput





deep buffers to accommodate different speeds, bursts and different flow patterns

#### Cisco Silicon One Bringing Switching and Routing convergence

# Introducing Cisco Silicon One<sup>™</sup>

One architecture, multiple devices



www.cisco.com/c/en/us/solutions/service-provider/innovation/silicon-one.html



- First network silicon to break the 10 Tbps barrier
- Comprehensive routing, with switching efficiency
- Flexible P4 NPL Programmable packet processing

- Multiple functions: system-on-chip, line card or fabric
- Multiple form-factors: fixed or modular
- Multiple segments: enterprise and service provider

# Cisco Silicon One<sup>™</sup> Q200

Industry leading Switching and Routing Silicon



- 12.8T BW
- 10M IPv4 or 5M IPv6 route scale
- 8G HBM for deep buffers
- Fully P4 Programmable Pipeline
- 8.1 Bpps

Cisco Silicon ONE Q200

**Industry Leading** 12.8T System on Chip





**First 7nm ASIC providing lowest** watts/GE power consumption



Fully P4 programmable enabling feature velocity



Multi slice architecture for flexibility and scale

#### **Routing Capabilities with Switching Power and Performance**

#### Catalyst 9000 Series – Common Building Blocks



© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public

\* C9200 uses IOS XE Lite

## Extending Cisco Catalyst 9500 & 9600 Series

Powered by Cisco Silicon One<sup>™</sup> Q200 ASIC

#### C9500 & C9600-SUP1 (w/ UADP 3.0)

#### **Optimized for Features**

#### ✓ Speed

- 1/10 & **25G SFP**
- 40 & 100G QSFP

#### ✓ Scale

- Up to 128K MACs
- Up to 256K Routes
- 108MB Buffers (3x 36MB)

#### ✓ Services

- L2/L3 Routing, MPLS
- LAN MACsec, Netflow, NAT
- Custom ASIC Templates
- Campus Fabric (SDA & EVPN)




# Introducing Catalyst 9500X

## Catalyst 9500 Series

Extending the Catalyst 9500 High-Performance Fixed Core



### C9500X-28C8D

Gen2 Fixed 1RU QSFP Switch - 36x 100G / 28x 100G + 8x 400G

- 1x Cisco SiliconOne Q200 ASIC
  - 6.0 Tbps System Throughput
  - 28x QSFP28 ports 40/100GE
  - 8x QSFPDD ports 100/200\*/400GE
- 1x 8C 2.4GHz x86 CPU with 2x 16GB (32GB) DDR4 DRAM
- 16GB Flash; Optional SSD (480G, 960G)
- 12x CDR5M PHYs
  - MACSec, WAN-MACSec, ClearTag v3.4
  - IEEE 1588 & PTPv2\*
- Various SFP Breakout & QSA support<sup>\*</sup>







### C9500X-28C8D Block Diagram







SFP Breakout & QSA\* Support



Maximum ports with breakout at FCS: 88 (56+32)

\* Roadmap (not committed). System can support up to 120x 10G/25G

### C9500X – Reversible Airflow



#### Back to Front Port-side Exhaust


- Color of Fan Unit handle/latch represents direction of airflow
- Different Fan PIDs for different airflow directions
  - Royal Blue Back to Front
  - Burgundy Front to Back
- All Fans must be the same color (direction) to work correctly



Single **1500W AC/DC PSU** with **Cisco Grey** latch for both airflow directions



#### Front to Back Port-side Intake






### C9500X and C9500 - Physical


|                              | Cisco C9500X (S1 Q200)                  | Cisco C9500 (UADP 3)        |       |                       |      |
|------------------------------|-----------------------------------------|-----------------------------|-------|-----------------------|------|
|                              | 28C8D                                   | 24Y4C                       | 48Y4C | 32QC                  | 32C  |
| Height <sup>(1.75" RU)</sup> | 1RU                                     | 1RU                         |       |                       |      |
| CPU <sup>(number)</sup>      | 2.7GHz 8C Intel (BDW-NS)                | 2.0GHz 8C Intel (BDW)       |       |                       |      |
| DRAM <sup>(type)</sup>       | 32GB (DDR4)                             | 16GB (DDR4)                 |       |                       |      |
| ASIC <sup>(number)</sup>     | <b>Q200</b> (1x)                        | UADP3 <sup>(1x)</sup> UADP3 |       | UADP3 <sup>(2x)</sup> |      |
| Capacity                     | 6.0T                                    | 1.2T                        | 1.6T  | 1.6T                  | 3.2T |
| <b>10G</b> max               | <b>120</b> *^ (88 @ FCS)                | 24                          | 48    | 16^                   | 16^  |
| 25G max                      | <b>120</b> *^(88 @ FCS)                 | 24                          | 48    | 16^                   | 16^  |
| <b>50G</b> max               | <b>120</b> *^                           |                             |       |                       |      |
| <b>40G</b> max               | <b>28 + 32</b> <sup>^*</sup> (36 @ FCS) | 4                           | 4     | 32                    | 32   |
| <b>100G</b> max              | <b>28 + 32</b> <sup>^*</sup> (36 @ FCS) | 4                           | 4     | 16                    | 32   |
| <b>400G</b> max              | 8                                       |                             |       |                       |      |

#### C9500X and C9500 – Features and Scales

|                     | Cisco C9500X (S1 Q200) |                             | Cisco C9500 (UADP 3) |                             |
|---------------------|------------------------|-----------------------------|----------------------|-----------------------------|
|                     | Default                | Maximum <sup>(Custom)</sup> | Default              | Maximum <sup>(Custom)</sup> |
| MAC Addresses       | 128K                   | 256K                        | 80K                  | 128K                        |
| IP Host Routes      | 128K                   | 256K                        | 80K                  | 128K                        |
| Multicast L2 groups | 16K                    | 64K*                        | 16K                  | 48K                         |
| Multicast L3 routes | 32K                    | 64K*                        | 32K                  | 48K                         |
| IP LPM Routes       | 2M                     | 2M                          | 212K                 | 256K                        |
| MPLS Labels         | 256K                   | 512K                        | 32K                  | 64K                         |
| SGT/OG Labels       | 32K                    | 64K                         | 32K                  | 64K                         |
| NAT* Sessions       | 16K*                   | 128K*                       | 3K                   | 16K                         |
| Sec ACL Entries     | 8K                     | 10K*                        | 12K                  | 27K                         |
| QoS ACL Entries     | 8K                     | 10K*                        | 8K                   | 21K                         |
| PBR* ACL Entries    | 8K*                    | 10K*                        | 3K                   | 16K                         |


# Introducing Catalyst 9600X

#### **Catalyst 9600 Series**

Extending Modular Core with a Performance-Optimized Supervisor 2



### C9600X-SUP-2

Gen2 Supervisor Module with Silicon One™ Q200

- 1x Cisco SiliconOne Q200 ASIC (12.8Tbps)
  - 3.2Tbps per Slot
  - Optimized for 10G to 400G
- 1x x86 2.7GHz CPU with 2x 16GB (32GB) DDR4 DRAM
- Management
  - 2x 10G SFP+ Mgmt ports to CPU (App Hosting)
  - 1x 10/100/1000M RJ45 Mgmt0 port
  - 1x RJ45 Console port, USB Type-B-Mini port
- Storage
  - 2x USB3.0 Type-A SSD ports
  - 480-960GB M.2 SATA Drive (optional)







### C9600X-SUP-2 Block Diagram




## C9600X: Introducing 1<sup>st</sup> 400G Line-Card in Campus



### C9600-LC-40YL4CD

Gen2 Combo Line-Card – 40xSFP56 + 2xQSFP56 + 2xQSFPDD

- 3.2 Tbps With Gen2 Sup
  - 40x SFP56 ports 10/25/50\*GE
  - 2x QSFP56 ports 40/100/200\*GE
  - 2x QSFPDD ports 40/100/200\*/400GE
- 1.2 Tbps With Gen1 Sup
  - 40x SFP28 ports 1/10/25GE
  - 2x QSFP28 ports 40/100GE
- 8x CDR5M PHYs
  - MACSec, WAN-MACSec, ClearTag v3.4
  - IEEE 1588 & PTPv2\*
  - Hitless MUX (HMUX)
- Various Breakout & QSA support (QSFP ports)\*







### C9600-LC-40YL4CD Ports and Speeds Support



#### **40**x 10/25/50<sup>\*</sup>GE + **2**x 40/100/200<sup>\*</sup>GE + **2**x 40/100/200<sup>\*</sup>/400GE

**40**× 1/10/25GE + **2**× 40/100GE







\* Roadmap (not committed).

IOS-XE 17.7.1

IOS-XE 17.8.1

## Gen1 Line-Cards Support with SUP2

#### **Centralized Architecture**

- Gen1 Line-Cards supported<sup>\*</sup>
- Only PHYs on the Line-Cards
- All forwarding on the Supervisor (ASIC)

#### Additional Bandwidth 🙂

- C9606 backplane traces support up to 56G PAM4
- Gen1 Line Cards now support up to 2.4T per Slot
  - 24 x 100G QSFP on LC-24C
  - 48 x 50G\*\* SFP on LC-48YL

#### No MACsec support ⊗

- Q200 does not have onboard Crypto engine
  - Gen2 LCs use newer CDR5M PHY for MACsec
- UADP has onboard MACsec engine
  - Gen1 LCs use older CDR4 PHY (not MACsec capable)










### C9600 Line Card – Supervisor Support Matrix

|                  | SUP 1                                                | SUP 2                                                                                                                                    |
|------------------|------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| C9600-LC-24C     | 24x 40G or 12x 100G                                  | 24x 40G & <b>100G</b><br>(No MACsec)                                                                                                     |
| C9600-LC-48YL    | <b>√</b><br>48x 1/10 & 25G                           | 48x 10/25 & <b>50G</b> *<br>(No MACsec, No 1G)                                                                                           |
| C9600-LC-48TX    | 48x 1/2.5/5 & 10G (mGig)<br>48x 1/2.5/5 & 10G (mGig) |                                                                                                                                          |
| C9600-LC-48S     | <b>48</b> × 1G SFP                                   | ×                                                                                                                                        |
| C9600-LC-40YL4CD | 40x 1/10 & 25G +<br>2x 40 & 100G                     | 40x 10/25 & <b>50G</b> * +<br>2x 40/100 & <b>200G</b> * +<br>2x 40/100 <b>/200</b> * & <b>400G</b><br>MACsec & <b>WAN-MACsec (No 1G)</b> |

TIP

SUP2 does not support 1GE or below speeds

If 1GE downlinks are required, position SUP1

### C9600X and C9600 - Physical

|                               | Cisco C9600X (S1 Q200)                   | Cisco C9600 (UADP 3)              |
|-------------------------------|------------------------------------------|-----------------------------------|
|                               | Sup2                                     | Sup1                              |
| CPU <sup>(number)</sup>       | 2.7GHz 8C Intel (BDW-NS)                 | 2.4GHz 8C Intel (BDW)             |
| DRAM <sup>(type)</sup>        | <b>32 GB</b> (DDR4)                      | 16 GB (DDR4)                      |
| ASIC <sup>(number)</sup>      | <b>Q200</b> <sup>(1x)</sup>              | UADP3 <sup>(3x)</sup>             |
| Capacity <sup>(chassis)</sup> | 12.8 Tbps (full-duplex)                  | 4.8 Tbps <sup>(full-duplex)</sup> |
| Capacity <sup>(per slot)</sup> | 3.2 Tbps (full-duplex)                   | 1.2 Tbps <sup>(full-duplex)</sup> |
| <b>10G</b> max                | <b>256</b> (40x4 + 24x4^*)               | 192 <sup>(48x4)</sup>             |
| <b>25G</b> max                | <b>256</b> (40x4 + 24x4^*)               | 192 <sup>(48x4)</sup>             |
| <b>50G</b> max                | <b>256</b> (40x4 + 24x4^*)               |                                   |
| <b>40G</b> max                | <b>96</b> (Sup2 can support <b>128</b> ) | 96 <sup>(24x4)</sup>              |
| <b>100G</b> max               | <b>96</b> (Sup2 can support <b>128</b> ) | 48 <sup>(12x4)</sup>              |
| <b>400G</b> max               | <b>8</b> (4x2)                           |                                   |

#### C9600X and C9600 – Features and Scales

|                     | Cisco C9600X (S1 Q200) |                             | Cisco C9600 (UADP 3) |                             |
|---------------------|------------------------|-----------------------------|----------------------|-----------------------------|
|                     | Default                | Maximum <sup>(Custom)</sup> | Default              | Maximum <sup>(Custom)</sup> |
| MAC Addresses       | 128K                   | 256K                        | 80K                  | 128K                        |
| IP Host Routes      | 128K                   | 256K                        | 80K                  | 128K                        |
| Multicast L2 groups | 16K                    | 64K*                        | 16K                  | 48K                         |
| Multicast L3 routes | 32K                    | 64K*                        | 32K                  | 48K                         |
| IP LPM Routes       | 2M                     | 2M                          | 212K                 | 256K                        |
| MPLS Labels         | 256K                   | 512K                        | 32K                  | 64K                         |
| SGT/OG Labels       | 32K                    | 64K                         | 32K                  | 64K                         |
| NAT* Sessions       | 16K*                   | 128K*                       | 3K                   | 16K                         |
| Sec ACL Entries     | 8K                     | 10K*                        | 12K                  | 27K                         |
| QoS ACL Entries     | 8K                     | 10K*                        | 8K                   | 21K                         |
| PBR* ACL Entries    | 8K*                    | 10K*                        | 3K                   | 16K                         |


### C9600 and C6800 Scale

| Features                    | C9600– Sup2                        | C6K-Sup6T-XL                    | C9600– Sup1          | C6K-Sup6T                      |
|-----------------------------|------------------------------------|---------------------------------|----------------------|--------------------------------|
| Switching capacity          | 12.8T                              | 6T                              | 9.6T                 | 6T                             |
| Forwarding rate (IPv4/IPv6) | 8 Bpps<br>8 Bpps                   | 780Mpps<br>390Mpps              | 3 Bpps<br>3 Bpps     | 780Mpps<br>390Mpps             |
| MAC addresses               | 256,000*                           | 128,000                         | 82,000*              | 128,000                        |
| LPM/host routes (IPv4/IPv6) | 2,000,000*<br>1,000,000*           | 1,000,000<br>500,000            | 212,000*<br>212,000* | 256,000<br>128,000             |
| Multicast routes            | 64,000*                            | 128,000                         | 32,000*              | 128,000                        |
| Security ACLs               | Shared with QoS & PBR<br>10,000*   | Shared with QoS<br>256,000      | 27,000*              | Shared with QoS<br>64,000      |
| QOS ACLs                    | Shared with Security & PBR 10,000* | Shared with Security<br>256,000 | 16,000*              | Shared with Security<br>64,000 |
| Flexible NetFlow (per ASIC) | 2,000,000 (Sampled)                | 1,000,000/ASIC                  | 96,000*              | 512,000                        |
| VLAN ID                     | 4,000                              | 4,000                           | 4,000                | 4,000                          |
| Spanning Tree instances     | 4,000                              | 4,000                           | 4,000*               | 4,000                          |

#### \* Depends on SDM template

# **Customizable SDM Template**

#### Switch Database Management (SDM) template

#### Default template

Maximizes system resources for Layer 3 unicast and multicast **routes**

**User-customizable template**: Allows customizable ACL TCAM resources



#### **Custom template**

Provide flexibility for customizing TCAM space for specific requirements



## Silicon One Q200 SDM template – 17.7.1

| Features                             | Customizable | DEFAULT (core + edge)            | Custom (min to max)        | @ step           |
|--------------------------------------|--------------|----------------------------------|----------------------------|------------------|
| MAC addresses                        | 0            | 128,000                          | 32,000 to <b>256,000</b>   | @ 1000 step      |
| Host routes (ARP/NDP)                | 0            | 128,000/64,000                   | 32,000 to <b>256,000</b>   | @ 1000 step      |
| Layer 2 multicast entries (IGMP/MLD) | FCS+         | 16,000/8000                      | 0 to <b>64,000</b>         | @ 1000 step      |
| Layer 3 multicast routes (IPv4/IPv6) | FCS+         | 32,000/16,000                    | 0 to <b>64,000</b>         | @ 1000 step      |
| ACL compression (SGT, DGT, OGID/v6)  | ۵            | 32,000/16,000                    | 0 to <b>64,000</b>         | @ 1000 step      |
| MPLS labels                          |              | 256,000                          | 0 to <b>512,000</b>        | @ 1000 step      |
| Reserved (PBR/NAT)                   | FCS+         | 16,000/8,000                     | 0 to <b>256,000</b>        | @ 1000 step      |
|                                      | CEM          | 608,000 (288,000 for LPM)        |                            |                  |
| Layer 3 unicast routes (IPv4/IPv6)   | FCS+         | 2 million/<br>1 million          | 1 million to 2 million     | @ 1 million step |

| Features                             | Customizable | DEFAULT (core + edge)            | Custom (min to max)        | @ step           |
|--------------------------------------|--------------|----------------------------------|----------------------------|------------------|
| Security ACL (IPv4/IPv6)             | FCS+         | 8000/4000 shared*                | 0 to 11,000/5000           | @ 1 step         |
| Quality of service (IPv4/IPv6)       | FCS+         | 8000/4000 shared*                | 0 to 11,000/5000           | @ 1 step         |
| Policy-based routing (IPv4/IPv6)     | FCS+         | 8000/4000 shared*                | 0 to 11,000/5000           | @ 1 step         |
| Lawful intercept (IPv4/IPv6)         | FCS+         | 1000 (2x 512) reserved           | 1000 to 5000/2500          | @ 1 tap (2 ACE)  |
| LPTS, EPC, FSPAN, NFL (IPv4/IPv6)    | FCS+         | 1000 (2x 512) reserved           | 1000                       | @ 1 step         |
|                                      | TCAM         | 10,000 <sup>(2000 for LPM)</sup> |                            |                  |

\* Shared is an unreserved space, first come, first served per feature.

### **FIB Allocation Examples**

| Feature                              | <b>Customer 1</b><br>(L2 focus) | <b>Customer 2</b><br>(L3 focus) |
|--------------------------------------|---------------------------------|---------------------------------|
| MAC addresses                        | 256K                            | 32K                             |
| Host routes (ARP/NDP)                | 32K                             | 256K                            |
| Layer 2 multicast entries (IGMP/MLD) | 64K                             | 16K                             |
| Layer 3 multicast routes (IPv4/IPv6) | 16K                             | 64K                             |
| ACL compression (SGT, DGT, OGID/v6)  | 64K                             | 64K                             |
| MPLS labels                          | 32K                             | 128K                            |
| Reserved (PBR/NAT)                   | 15K                             | 48K                             |
| Total Resources                      | 608K                            | 608K                            |
| Layer 3 unicast routes (IPv4/IPv6)   | 1M/500K                         | 2M/1M                           |
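A custom SDM allocation can be checked against the limits in the Q200 SDM table before it is applied; the sketch below is an added Python example, not Cisco tooling. It assumes the CEM-backed features share the 608,000-entry total as a budget, uses the IPv4 figure where the table gives an IPv4/IPv6 pair, and all names (`validate`, `rebalance`, the feature keys) are hypothetical.

```python
from dataclasses import dataclass

CEM_TOTAL = 608_000  # "CEM 608,000" row of the SDM table


@dataclass(frozen=True)
class Limit:
    minimum: int
    maximum: int
    step: int


# Custom min / max / step per CEM-backed feature, copied from the SDM table.
CEM_LIMITS = {
    "mac": Limit(32_000, 256_000, 1_000),
    "host_routes": Limit(32_000, 256_000, 1_000),
    "l2_multicast": Limit(0, 64_000, 1_000),
    "l3_multicast": Limit(0, 64_000, 1_000),
    "acl_compression": Limit(0, 64_000, 1_000),   # SGT, DGT, OGID labels
    "mpls_labels": Limit(0, 512_000, 1_000),
    "reserved_pbr_nat": Limit(0, 256_000, 1_000),
}

# DEFAULT column of the SDM table (IPv4 figures).
DEFAULT = {
    "mac": 128_000, "host_routes": 128_000, "l2_multicast": 16_000,
    "l3_multicast": 32_000, "acl_compression": 32_000,
    "mpls_labels": 256_000, "reserved_pbr_nat": 16_000,
}

# "Customer 2 (L3 focus)" column of the FIB allocation examples.
CUSTOMER_2 = {
    "mac": 32_000, "host_routes": 256_000, "l2_multicast": 16_000,
    "l3_multicast": 64_000, "acl_compression": 64_000,
    "mpls_labels": 128_000, "reserved_pbr_nat": 48_000,
}


def validate(template):
    """Return a list of problems; an empty list means the template fits."""
    errors = []
    for name in sorted(set(template) - set(CEM_LIMITS)):
        errors.append(f"{name}: not a CEM-backed feature in the table")
    for name, limit in CEM_LIMITS.items():
        if name not in template:
            errors.append(f"{name}: missing")
            continue
        value = template[name]
        if not limit.minimum <= value <= limit.maximum:
            errors.append(
                f"{name}: {value} outside {limit.minimum}..{limit.maximum}")
        elif value % limit.step:
            errors.append(f"{name}: {value} is not a multiple of {limit.step}")
    total = sum(template.get(name, 0) for name in CEM_LIMITS)
    if total > CEM_TOTAL:  # assumption: the features share one CEM budget
        errors.append(f"total {total} exceeds CEM budget {CEM_TOTAL}")
    return errors


def rebalance(template, grow, by, shrink):
    """Move `by` entries from one feature to another, keeping the total."""
    result = dict(template)
    result[grow] += by
    result[shrink] -= by
    return result


if __name__ == "__main__":
    # Doubling SGT/OGID label space has to be paid for elsewhere in the CEM.
    secure = rebalance(DEFAULT, "acl_compression", 32_000, "mpls_labels")
    print(secure, validate(secure))
    print(validate(dict(DEFAULT, mac=256_000)))
```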

# **Application Hosting**

# Enhanced app-hosting infrastructure on Catalyst 9500



# Enhanced app-hosting infrastructure on Catalyst 9600



## **High Availability**

### High availability

Protect business continuity



| Physical redundancy | Stateful Switchover (SSO) | Non-Stop Forwarding (NSF) | In-Service Software<br>Upgrade (ISSU) | StackWise®-Virtual* |
|---------------------|---------------------------|---------------------------|---------------------------------------|---------------------|
| Redundant hardware | Sub-second failover | Resilient L3 topologies | Minimize upgrade downtime | Infrastructure resilience |
| • Redundant power supplies<br>• Redundant fan in the fan tray<br>• Redundant supervisors | • Between supervisors within chassis (&lt;5ms)<br>• Between chassis with StackWise-Virtual* | • NSF support for OSPF, EIGRP, ISIS, BGP | • SMU<br>• ISSU*<br>• GIR* | • Multi-chassis EtherChannel (MEC) provides hardware-based failover |

## Security & ACL



## Security Access Control List (ACL)

Hardware Pattern Matching





## Access Control List Terminology



## Traditional ACL vs Group-Based ACL



Traditional ACL: One TCAM entry per ACL entry




## Why OGACL/SGACL in Campus Core?

#### **Object-Group ACLs for IP**



#### **Object-Groups map IP/mask to Labels in CEM**

- User defines IP/masks to simple OG name
- OGID labels are stored in Exact Match table

#### OGACL ACEs take minimal space in ACL TCAM

- Only the Permit/Deny ACEs in TCAM
- OGACLs with same ACEs can reuse entries

#### Scalable-Groups for SDA



#### Scalable-Groups map IP/mask to Labels in CEM

- ISE/DNAC defines IP/masks to simple SG name
- SGT labels are stored in Exact Match table

#### SGACL ACEs take minimal space in ACL TCAM

- Only the Permit/Deny ACEs in TCAM
- SGACLs with same ACEs can reuse entries
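The table-space effect described on this slide can be modelled in a few lines; the following is an added Python example, not Cisco code. It is a simplified model: one exact-match entry per IP/mask, one TCAM entry per distinct ACE, and most-specific-prefix label lookup are assumptions, the groups, ACL names and addresses are constructed, and the two budgets are the IPv4 ACL TCAM and default ACL-compression figures from this deck.

```python
from ipaddress import ip_address, ip_network

ACL_TCAM_IPV4 = 8_000         # "8K IPv4 ... ACL TCAM entries"
ACL_COMPRESSION_CEM = 32_000  # default "ACL compression" row, SDM table

# Constructed object-groups: name -> IP/mask members.
GROUPS = {
    "USERS": ["10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16"],
    "SERVERS": ["172.16.10.0/24", "172.16.20.0/24",
                "172.16.30.0/24", "172.16.40.0/24"],
    "MGMT": ["192.168.100.0/24"],
}

# ACE = (action, protocol, source group, destination group, dest port).
ACES = [
    ("permit", "tcp", "USERS", "SERVERS", 443),
    ("permit", "tcp", "MGMT", "SERVERS", 22),
    ("deny", "ip", "USERS", "MGMT", None),
]

# The same ACEs attached under two ACL names (constructed).
ACLS = {"CORE-NORTH": ACES, "CORE-SOUTH": ACES}


def expanded_tcam_entries(acls, groups):
    """Object-groups expanded into TCAM: src x dst prefixes per ACE."""
    return sum(len(groups[src]) * len(groups[dst])
               for aces in acls.values()
               for (_, _, src, dst, _) in aces)


def group_based_usage(acls, groups):
    """Labels in the exact-match table, only distinct ACEs in TCAM."""
    used = {g for aces in acls.values() for ace in aces
            for g in (ace[2], ace[3])}
    return {
        "cem": sum(len(groups[g]) for g in used),
        "tcam": len({ace for aces in acls.values() for ace in aces}),
    }


def fits(usage):
    return (usage["tcam"] <= ACL_TCAM_IPV4
            and usage["cem"] <= ACL_COMPRESSION_CEM)


def build_cem(groups):
    """Prefix -> label entries, one per IP/mask in every group."""
    return {ip_network(p): name
            for name, prefixes in groups.items() for p in prefixes}


def label_for(cem, ip):
    """Stage 1: resolve an address to its group label (most specific)."""
    addr = ip_address(ip)
    matches = [net for net in cem if addr in net]
    if not matches:
        return None
    return cem[max(matches, key=lambda net: net.prefixlen)]


def evaluate(aces, cem, src, dst, proto, port):
    """Stage 2: match labels and L4 fields; implicit deny at the end."""
    labels = (label_for(cem, src), label_for(cem, dst))
    for action, ace_proto, src_group, dst_group, ace_port in aces:
        if (src_group, dst_group) != labels:
            continue
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    print("expanded TCAM entries:", expanded_tcam_entries(ACLS, GROUPS))
    print("group-based usage:", group_based_usage(ACLS, GROUPS))
    cem = build_cem(GROUPS)
    print(evaluate(ACES, cem, "10.20.5.9", "172.16.30.7", "tcp", 443))
```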

### WAN MACsec overview and use cases

Enabled in hardware on Catalyst 9000 Switches





## Catalyst 9000 Series

QoS & Buffering Technologies

## **QoS** Features

- Trust / Conditional Trust
- Classify Traffic
- Police Traffic
- Mark / Conditional Remark

## **Queuing Features**

- Prioritize strict traffic (SPQ)
- Schedule traffic based on weight (WRR)
- Shape the traffic rate (SRR)
- Manage congestion (WRED/WTD)
- Extra buffering for traffic bursts





Figure (two panels): **Head of line blocking** and **VoQ Architecture**. In both panels one ingress sends 100% of its traffic to Egress 1 and the other sends 50% of its traffic to Egress 1 and 50% to Egress 2. Head of line blocking: backpressure due to congestion on Egress 1 causes Egress 2 to also drop traffic from Ingress 2, so traffic from Ingress 2 is potentially dropped due to congestion. VoQ Architecture: virtual queues VoQ A:C and VoQ B:D.



## Why VoQ QoS in Campus Core?

#### No Head-of-Line Blocking



#### Many Flows to a Single Uplink

- Common on (expensive) WAN/Edge uplinks
- Even if bandwidth available, buffers can fill up

#### Large Flow to Multiple Downlinks

- Common for Multicast & Broadcast traffic
- One slow receiver can penalize other ports

#### Local vs. HBM Buffers



#### Low-Latency Local Shared Memory Buffers

- Voice & Video are very latency-sensitive
- Multiple levels of Strict Priority Queuing

#### Deep High-Bandwidth Memory Buffers

- Guarantee delivery of session-oriented flows
- Reserve buffers to absorb occasional bursts

## S1 Q200 - Standalone SOC Architecture

#### **Generic Unicast Packet Walk**





## Netflow

### Silicon One vs UADP

#### Capabilities

- Filtering of traffic to be sampled
- Random sampling and selection of one out of N filtered packets
- Mirroring of the selected packets along with their NPU context to CP CPU.
- 1 dedicated CPU core for Netflow.

#### Limitations vs UADP

- UADP builds and updates flow records in H/W cache.
- Entries moved from H/W to S/W cache for aggregation.
- Aggregated entries exported to collector.

### S1 Netflow

Sampled Netflow. ASIC samples packets on configured interfaces. Selected packet passed to CP CPU for parsing. Parsed data populated in flow cache and exported in required format.



## S1 Q200 - Sampled FNF Collection

Flexible NetFlow data collection happens at configurable "sampling rate"

- Sampling rate:
  - 1 out of (2-16384). Default is 1:1024
  - Balance of Accuracy vs. CPU Load
- Sampling mode:
  - Deterministic: a fixed packet within sample (e.g., always 10th)
  - Random: a random packet within sample (e.g., 4, 13, 67, etc.)

#### Each flow checked during packet parsing

- Is it a new flow? If not new, is it within the sample rate?

## **S1 Q200** sends a copy of the packet to a **dedicated X86 CPU Core**

IOSXE (CPP) software builds a FNF cache entry



FNF sampler rate 1:1024 @ ~10Tbps of 512B packets = ~2Mpps
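The accuracy-versus-CPU-load balance above matters for detection: at 1:1024 a large flow is estimated well while short flows are mostly never sampled. The following added Python example (not Cisco code) works through the slide's arithmetic and both sampling modes; the one-pick-per-window sampler model, the per-packet approximation in `p_flow_sampled`, the constructed traffic mix and all function names are assumptions.

```python
import math
import random
from collections import Counter


def sampled_pps(line_rate_bps, packet_bytes, n):
    """Packets per second copied to the CPU core at a 1:n sampler rate."""
    return line_rate_bps / (packet_bytes * 8) / n


def min_sampler_n(line_rate_bps, packet_bytes, cpu_pps_budget):
    """Smallest n in the 2..16384 range that keeps sampled pps in budget."""
    n = max(2, math.ceil(line_rate_bps / (packet_bytes * 8) / cpu_pps_budget))
    if n > 16384:
        raise ValueError("budget cannot be met within 1:16384")
    return n


def p_flow_sampled(flow_packets, n):
    """Approximate chance that 1:n random sampling sees a flow at all."""
    return 1.0 - (1.0 - 1.0 / n) ** flow_packets


def sample(stream, n, mode, rng, fixed_index=9):
    """Pick one packet from every window of n packets.

    deterministic: always the same position (index 9 = the 10th packet)
    random:        a random position in each window
    """
    picked = []
    for start in range(0, len(stream), n):
        window = stream[start:start + n]
        index = fixed_index if mode == "deterministic" else rng.randrange(n)
        if index < len(window):
            picked.append(window[index])
    return picked


def build_stream(rng, elephant_packets=50_000, mice=200, mouse_packets=5):
    """Constructed traffic: one large flow and many short ones, interleaved."""
    stream = ["elephant"] * elephant_packets
    for i in range(mice):
        stream += [f"mouse-{i}"] * mouse_packets
    rng.shuffle(stream)
    return stream


def flow_cache(picked, n):
    """Flow key -> estimated packet count (samples seen x n)."""
    return {flow: hits * n for flow, hits in Counter(picked).items()}


def visibility(n=1024, mode="random", seed=7, mice=200):
    """Summarise what a 1:n sampled flow cache shows for the test traffic."""
    rng = random.Random(seed)
    stream = build_stream(rng, mice=mice)
    picked = sample(stream, n, mode, rng)
    cache = flow_cache(picked, n)
    mice_seen = sum(1 for flow in cache if flow.startswith("mouse-"))
    return {
        "samples": len(picked),
        "elephant_estimate": cache.get("elephant", 0),
        "mice_seen": mice_seen,
        "mice_missed": mice - mice_seen,
    }


if __name__ == "__main__":
    print(f"1:1024 at 10 Tbps of 512B packets: "
          f"{sampled_pps(10e12, 512, 1024) / 1e6:.2f} Mpps")
    print(f"5-packet flow sampled at 1:1024: {p_flow_sampled(5, 1024):.4f}")
    for mode in ("deterministic", "random"):
        print(mode, visibility(mode=mode))
```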

## S1 Q200 - Sampled FNF Export

NetFlow data export is based on aging timers

**Dedicated X86 CPU Core** builds UDP packets for the FNF records that are aged-out

- Active timer
- Inactive timer

**Dedicated X86 CPU Core** sends the UDP packets to the configured Export IP address

- Up to 4 FNF flow exporters
- Support for NFv9 or IPFIX format
- Support for IPv4 or IPv6 exports



Same export process/method on all platforms!



## Silicon One sFlow

Overview

- Added capability on Catalyst 9500X and 9600X in addition to Sampled Netflow.
- Like Sampled Netflow, sFlow randomly samples one packet out of N packets on target interface.
- No cache associated with sFlow.
- Packet header for sampled packet along with packet metadata encoded into a datagram and sent to collectors.
- Supported with DNA Advantage License

#### **Netflow Advantages**

- Per flow export.
- Consumes less data: packet data parsed and sent.
- More options for configuration.
- Less load on collectors.

#### sFlow disadvantages

- Per packet export.
- Consumes more data: full packet headers sent.
- Limited configurable options.
- More load on collectors.



Catalyst 9500X and 9600X will be the first IOS-XE based platforms to support sFlow



## Why Sampled FNF in Campus Core?

#### ID @ Access – Monitor @ Core



#### Detailed (1:1) flow identification at the Access

- Better to ID flows as they enter the network
- Full accounting of every client/flow (ETA/AVC)

#### Aggregate (1:1K) monitoring of flows at the Core

- Just need to monitor the overall network usage
- Adjust sample rates to balance scale & load

#### Campus-wide Scale



#### Low-Moderate scale at the Access

- Fewer number of connected clients/flows
- Average ~1K clients x ~32K flows per Access

#### Medium-High scale at the Core

- Need to aggregate all clients/flows (# Access x 32K)
- Adjust cache aging to increase overall scale

Catalyst 9500X & 9600X **Summary** 

## Catalyst 9500X & 9600X – Things to know





#### C9600X-SUP-2 + LC-40YL4CD



#### C9500X-28C8D



|   | Technology        | Brief Description | Diffs from UADP 3.0 |
|---|-------------------|-------------------|---------------------|
| ✓ | Large LPM Table   | • Up to 2M IPv4 or 1M IPv6 (hash efficiency is about 80%)<br>• Dedicated Memory for LPM | • Up to 256K IPv4/IPv6 with Custom SDM template<br>• LPM and other features share 416K ASIC memory |
| ✓ | Large MAC Table   | • Up to 256K MAC entries with Custom SDM template.<br>• Shared with other features | • Up to 128K MAC entries with Custom SDM template<br>• MAC shared with LPM, etc. in same 416K ASIC memory |
| ✓ | VoQ QoS + HBM     | • Q200 has 80MB local (low-latency) + 8GB HBM (High Bandwidth Memory) buffer memory.<br>• Q200 uses a Virtual Output Queue (VoQ) architecture. All queuing and policing policies applied on Ingress. | • Max 36MB unified buffer memory per ASIC<br>• Supports both Ingress/Egress queuing &amp; policing |
| ✓ | OGACL & SGACL     | • 8K IPv4, 4K IPv6 ACL TCAM entries.<br>• Object-Group &amp; Security-Group ACLs use CEM to map IP-to-Group label, TCAM only uses L4 ACEs.<br>(OG/SG ACL design is optimal for layer 3 environment). | • 64K ACL TCAM entries per ASIC<br>• Object-group expand into the TCAM space |
| ✓ | LAN & WAN-MACsec* | • Q200 does not have built-in crypto engine.<br>• C9500X &amp; C9600X-LC uses new CDR5M PHY (400Gbps Full-Duplex). CDR5M provides line-rate (8x 400G = 3.2T) 802.1ae (LAN) MACsec and WAN-MACsec. | • UADP3 has built-in MACsec crypto (speed of ASIC)<br>• UADP3 only supports LAN MACsec (no WAN-MACsec) |
| ✓ | Flexible NetFlow* | • Q200 does not have built-in Flow Cache memory (no hardware-based Netflow).<br>• C9500X &amp; C9600X uses new Software-based FNF (≤ 2M entries), with a dedicated CPU core (~2Mpps).<br>FNF sampler rate 1:1000, ~10Tbps of 512-Byte packets = ~2Mpps. | • UADP3 has built-in (HW) FNF, max 64K entries per ASIC<br>• FNF shared with LPM, etc. in same 416K ASIC memory |

## Catalyst 9500 & 9600 Series Core Positioning

Next Generation Core + Edge Switching with Silicon One™ Q200

Feature Optimized C9500 & C9600-SUP-1



C9600-SUP-1

**C9500** 

- ✓ Best-in-class Enterprise Core feature set
- ✓ Low speeds (1G – 40G) and port density
- ✓ Comprehensive MPLS, EVPN and SDA
- ✓ Ideal for Campus Core, Collapsed Core + Agg

#### Ideal for C6K non-XL deployment migration



#### C9600X-SUP-2

**C9500X** 

- ✓ Unmatched forwarding scale and performance
- ✓ High speeds (10G – 400G) and port density
- ✓ Scaled MPLS and SDA, WAN-MACsec
- ✓ Ideal for Campus Core + Edge, or Centralized WLC

#### Ideal for C6K XL deployment migration

## C9600/X C9500/X - Place In Network (PIN)



Layer 3 Core

- Base L3 Routing
- High-BW, Port Density
- Simple ACL
- Simple QoS

#### Layer 3 Core + Edge



- L3 Core + Edge Services
- DCI, WAN, Internet
- Edge Security, VPN & OGAC
- Complex H-QoS



- L3 Core + VXLAN Fabric\*
- Border, Edge, CP/RR
- L2 & L3 VNI & SGACL
- App-based QoS



- L3 Core + Distribution
- L2 Services to Access
- First Hop Security
- Access QoS & AVC




## Campus + Edge Design



### Edge

Catalyst<sup>®</sup> C9600X and 9500X for campus Edge.

- **High-Scale Routing:** Support for full IPv4 and IPv6 Internet + LAN + VRF routing
- **Port speeds:** Support port speed up to 400G
- **Flexible Transport Options:** Support for MPLS-VPN, SD-Access and BGP-EVPN\* with 4K VRFs
- **Low-Latency:** Support for local optimized low-latency shared memory
- **Deep buffer:** Support large buffers for micro-burst & congestion



## Catalyst 9000 Switching – New and Upcoming Features

# Reference

SECURE

#### IOS XE 17.7.1 Available on CCO

#### Enhanced Security Controls

- Single policy approach for Dynamic PVLAN
- IPSEC PBR Support
- AAA cache for dot1x for Catalyst 9000

#### Platform/Infra

- GIR on 9500H/9600
- xFSU Support for 9300X
- Increased virtual port scale (up to 30K) on 9400
- AES67 timing profile
- PTPv2/gPTP on 9600 w/o SSO
- Interface template cli Loop Detection Guard

#### **Flexible Network Segmentation**

- Data MDT Support for L3 TRM- IPv4
- EVPN to Global IP Route Leaking
- Interface template based secure onboarding of devices from extended node

#### Programmability

- gNOI reset
- Leaf-level filtering for telemetry

#### IOS XE 17.8.1 Mar '22

#### **Enhanced Security Controls**

- Transparently pass MKA BPDUs on non-MACSEC interfaces
- VRF Aware Centralized Web Authentication (CWA)\*

#### **Platform/Infra**

- G8275.x Timing profile
- Catalyst 9300/9400: Dynamic Power consumption reporting

#### **Flexible Network Segmentation**

- EVPN-VxLAN over IPSEC
- IPSEC Multicast over SVTI
- Layer 2 IPv4/IPv6 TRM support with External RP

AUTOMATE

#### Programmability

- ZTP config through YANG
- Native CLI to XPATH conversion
