The Cisco® Catalyst® 4500-X Series Switch is an enterprise-class borderless network fixed aggregation switch (see Figures 1 and 2) that delivers best-in-class performance, scalability, resiliency, network virtualization, and integrated network services for space-constrained environments in campus networks. It meets business growth objectives with unprecedented scalability, provides high availability with Virtual Switching System (VSS), simplifies virtualization with support for Virtual Routing and Forwarding Lite (VRF-Lite) and Easy Virtual Networks (EVNs), provides application visibility with Flexible NetFlow for optimal network application visibility and capacity planning, and enables emerging applications by integrating many network services.
Figure 2. Enterprise Campus Collapsed Distribution and Core Architecture
The Cisco Catalyst 4500-X in a Virtual Switching System (VSS) deployment (see Figure 3) offers network resiliency, operational manageability, and increased system bandwidth capacity by activating all available bandwidth across redundant Cisco Catalyst 4500-X Series Switches.
Figure 3. Enterprise Campus Three-Layer Architecture with Virtual Switching System (VSS)
Introduction
The enterprise campus network has evolved over the last 20 years to become a primary element in business computing and communication infrastructure. An increased desire for mobility; the impetus for heightened security; and the need to accurately identify and segment users, devices, and networks are all being promoted by the changes in the way business partners work with other organizations. The list of requirements and challenges that the current generation of campus networks must address is highly diverse.
The aggregation/distribution layer aggregates many access-layer switches and data center switches that provide various services. The aggregation layer might be the most critical layer in a campus network because port density, oversubscription values, policy enforcement, CPU processing, and various services introduce unique requirements and challenges into the overall design. Performance, security, and availability of applications and services are all primary metrics that must also be met to provide a successful aggregation layer. Thus the list of requirements and challenges that the current generation of aggregation-layer switches must address is highly diverse.
The Cisco Catalyst 4500-X Series offers the following primary innovations to address these requirements and to provide room for future growth:
• Performance and Scalability: Delivers up to 800 Gbps of switching capacity with up to 250 Mpps of throughput, and scales to 1.6 Tbps of capacity with VSS. Future-proof investment with a modular uplink and autodetect 10 Gigabit Ethernet/Gigabit Ethernet uplinks.
• High Availability: Delivers the network availability demanded by business-critical enterprise applications through comprehensive network resiliency capabilities, including VSS, in addition to traditional control plane protocols such as First-Hop Resiliency Protocol (FHRP), Gateway Load Balancing Protocol (GLBP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF). Furthermore, device resiliency features such as redundant hot-swappable fans, power supplies, and AC to DC failover and vice versa remove single points of failure in the network.
• Application Monitoring: Enhanced application monitoring through Flexible NetFlow, built-in Wireshark network sniffer capabilities, and 8 ports of line-rate bidirectional Switched Port Analyzer/Remote Switched Port Analyzer (SPAN/RSPAN). Furthermore, medianet features such as mediatrace and video monitoring ensure quick troubleshooting and reporting of video traffic.
• Security: Support for Cisco TrustSec®* security, providing Network Device Admission Control (NDAC) to authenticate the connecting switch, line-rate Media Access Control Security (MACsec)* data link-layer encryption, and role-based access control list (ACL) and policy enforcement. Storm control and robust control plane policing (CoPP) address denial of service (DoS) attacks and Internet worms.
• Network Virtualization: Support for Layer 3 segmentation using VRF and EVN.
• Simplified Operations: Support for Smart Install Director, providing a single point of management that enables zero-touch deployment for new switches and stacks in campus and branch networks.
Cisco Catalyst 4500-X Switch Family
The Cisco Catalyst 4500-X Series provides scalable, fixed-campus aggregation solutions in space-constrained environments. The solution provides flexibility to build the desired port density through two versions of base switches along with an optional uplink module. Both the 32-port and 16-port versions can be configured with optional network modules and maintain similar features and scalability. The Small Form-Factor Pluggable Plus (SFP+) interface supports both 10 Gigabit Ethernet and Gigabit Ethernet ports, allowing customers to use their investment in Gigabit Ethernet SFP and upgrade to 10 Gigabit Ethernet when business demands change, without having to do a comprehensive upgrade of the existing deployment. The uplink module is hot swappable.
Following are primary offerings from this product family:
• 32 x 10 Gigabit Ethernet Port switch with optional uplink module slot (Figure 4)
• 16 x 10 Gigabit Ethernet Port switch with optional uplink module slot (Figure 5)
• 8 x 10 Gigabit Ethernet Port uplink module (Figure 6)
Figure 4. 32 x 10 Gigabit Ethernet Port Switch with Optional Uplink Module Slot
Figure 5. 16 x 10 Gigabit Ethernet Port Switch with Optional Uplink Module Slot
Figure 6. 8 x 10 Gigabit Ethernet Port Uplink Module
Performance and Scalability
The Cisco Catalyst 4500-X Series Switch offers 800 Gbps of backplane bandwidth with up to 250 Mpps switching capacity that provides up to 40 non-blocking 10 Gigabit Ethernet ports, with 32 ports on the baseboard and 8 ports on the optional expansion module.
When multiple access-layer switches are aggregated at the distribution layer, the demand for 10 Gigabit Ethernet port density grows rapidly. With the advent of new technologies such as Universal Power over Ethernet (UPoE) in the Cisco Catalyst 4500E, not only IP phones and video phones but also personal Cisco TelePresence® systems such as the Cisco TelePresence System EX60 and non-IT devices such as surveillance cameras are all becoming part of the network. UPoE also enables more and more virtual desktop infrastructure (VDI) deployments, which are completely dependent on network availability. All these changes demand more and more port density and bandwidth at the access layer, and switches such as the Cisco Catalyst 4500E Series are able to provide up to 384 ports in a single wiring closet switch with support for 4 or more 10 Gigabit Ethernet uplinks into the aggregation layer.
The Cisco Catalyst 4500-X Series Switch offers the performance and scalability required for today's enterprise-class aggregation switch and provides room for future growth as well.
Ease of Network Migration
• Gigabit Ethernet to 10 Gigabit Ethernet upstream with support for SFP and SFP+ optics
• External USB and SD card support for flexible storage options
Ease of IPv4 to IPv6 Migration
• Dual-stack IP Version 4 and IP Version 6 (IPv4 and IPv6) support
• IPv6 support in hardware, providing wire-rate forwarding for IPv6 networks
• Dynamic hardware forwarding-table allocations for IPv4 and IPv6
• Scalable and flexible routing (IPv4, IPv6, and multicast) tables and ACL and quality-of-service (QoS) entries
Scalable Hardware Entries and Enhanced Features
• 55K MAC addresses to support large Layer 2 domains
• 256K routing entries for high-end campus aggregation deployments
• 32K multicast routes for scalable multicast deployments
• 128K Flexible NetFlow entries in hardware that can be exported to multiple collectors
• Policy-based routing (PBR) to customize the routing table and traffic flow
Advanced Quality of Service and Buffering
• Advanced QoS with up to eight configurable queues per port and customizable queue size per queue
• Active queue management through dynamic buffer limiting (DBL) to ensure bandwidth protection for low-rate critical and well-behaving flows such as voice traffic
• 32 megabytes of centralized buffering optimized to handle bursty video traffic and server microbursts, helping make sure that business-critical packets are not lost because of insufficient buffering
The Cisco Catalyst 4500-X runs Cisco IOS® XE Software, the modular open application platform for virtualized borderless services. Network resiliency and device resiliency are integral parts of Cisco Catalyst 4500-X with the following:
• Maximum resiliency with redundant components such as fans and power supplies
• Network virtualization through VSS and Multichassis EtherChannel (MEC), FlexLinks, and multi-VRF technology for Layer 3 segmentation
• Automation through Embedded Event Manager (EEM) and Cisco Smart Call Home for fast diagnosis and reporting
• Plug-and-play configuration and image-management of client and access switches with Smart Install Director support.
Furthermore, the Cisco Catalyst 4500-X offers optimized application performance through deep visibility with Flexible NetFlow supporting rich Layer 2/3/4 information (MAC, VLAN, TCP flags) and synthetic traffic generation with IP SLA Video Operation (VO), Medianet capabilities such as Mediatrace, Video monitoring and Media Services Proxy (MSP) to simplify video quality of service, monitoring, and security. (See Table 1 for more detailed performance and scalability features.)
Table 1. Cisco Catalyst 4500-X Switch Series Performance and Scalability Features
System
• Base ports, front-to-back airflow: 32 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-32SFP+); 16 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-16SFP+**)
• Base ports, back-to-front airflow: 32 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-F-32SFP+); 16 x 10 Gigabit Ethernet SFP+/SFP (WS-C4500X-F-16SFP+**)
• Expansion module (optional): 8 x 10 Gigabit Ethernet SFP+/SFP (C4KX-NM-8SFP+)
• Management port: 10/100/1000 Base-T
• USB port: Type A (storage and boot), up to 4 GB
• Dual power supply: Yes
• Field-replaceable fans: Yes (5 fans)
• Fan redundancy: No performance effect with single fan failure
Scalability
• System throughput: Up to 800 Gbps
• IPv4 routing in hardware: Up to 250 Mpps
• IPv6 routing in hardware: Up to 125 Mpps
• L2 bridging in hardware: Up to 250 Mpps
• Media Access Control (MAC) entries (1K = 1024): 55K
• Forwarding entries (1K = 1024): WS-C4500X-F-32SFP+: 256K IPv4, 128K IPv6; WS-C4500X-F-16SFP+**: 128K IPv4, 32K IPv6
• Flexible NetFlow entries (1K = 1024): 128K
• Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN): 8 line-rate bidirectional sessions (ingress and egress)
Typical campus networks are engineered with oversubscription. It is not generally practical to provide line rate for every port upstream from the access-to-distribution switch, the distribution-to-core switch, or even for core-to-core links.
The rule of thumb for oversubscription as recommended in Cisco's "Campus Network for High Availability Design Guide" is 20:1 for access ports on the access-to-distribution uplink. The recommendation is 4:1 for the distribution-to-core links. In the data center, you might need a 1:1 ratio.
The Cisco Catalyst 4500-X offers up to 40 x 10 Gigabit Ethernet ports, with 32 x 10 Gigabit Ethernet ports on the baseboard and 8 x 10 Gigabit Ethernet ports on the optional expansion module. With the preceding oversubscription ratios, the 32 x 10 Gigabit Ethernet ports on the baseboard can be used as downlinks to aggregate up to 32 access-layer switches, or ~6000 end-user devices, on the access-to-distribution links with less than 20:1 oversubscription, and the 8 x 10 Gigabit Ethernet ports can be used as uplinks to provide 4:1 oversubscription for the distribution-to-core links.
The Cisco Catalyst 4500-X offers up to 32 Mbytes of centralized shared buffer in which packets are stored during periods of network congestion. 32 Mbytes of buffering translates to ~250 ms of buffering on a congested Gigabit Ethernet link and ~25 ms of buffering on a congested 10 Gigabit Ethernet link. This large buffer offers more flexibility for administrators when choosing which queues need more buffering, such as those for mission-critical applications, and which queues need less, such as those for scavenger-class and noncritical applications.
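The oversubscription ratios and the buffer-time figures above can be checked with a short calculator. The following Python is an added example, not Cisco's code; it assumes (and the page does not say) that each access switch is modelled as a number of 1 Gbps user ports behind one 10 Gbps uplink, that all figures are line rates, and that the 32 MB buffer is taken as 32 x 1024 x 1024 bytes.

```python
"""Design-ratio checks for a fixed aggregation switch (added example, not Cisco's code).

Assumptions (not from the page): each access switch is N user ports at 1 Gbps
behind one 10 Gbps uplink, all figures are line rates, and the shared buffer
is 32 x 1024 x 1024 bytes. Results are approximate design numbers only.
"""

GBPS = 1_000_000_000  # bits per second in one gigabit per second
BUFFER_BYTES = 32 * 1024 * 1024  # the 32 MB centralized buffer quoted on the page


def oversubscription(downstream_gbps: float, upstream_gbps: float) -> float:
    """Ratio of offered downstream bandwidth to available upstream bandwidth."""
    if upstream_gbps <= 0:
        raise ValueError("upstream bandwidth must be positive")
    return downstream_gbps / upstream_gbps


def access_to_distribution(access_switches: int, ports_per_switch: int,
                           port_gbps: float = 1.0, uplink_gbps: float = 10.0) -> float:
    """Oversubscription on the access-to-distribution links: user ports per 10G uplink."""
    return oversubscription(access_switches * ports_per_switch * port_gbps,
                            access_switches * uplink_gbps)


def distribution_to_core(downlink_ports: int, uplink_ports: int,
                         port_gbps: float = 10.0) -> float:
    """Oversubscription on the distribution-to-core links: downlink vs uplink capacity."""
    return oversubscription(downlink_ports * port_gbps, uplink_ports * port_gbps)


def max_users_under_ratio(access_switches: int, ratio: float,
                          port_gbps: float = 1.0, uplink_gbps: float = 10.0) -> int:
    """Largest number of user ports that stays at or below the given ratio."""
    return int(access_switches * uplink_gbps * ratio / port_gbps)


def buffer_time_ms(buffer_bytes: int, link_gbps: float) -> float:
    """How long a shared buffer can absorb a burst that fully congests one link."""
    return buffer_bytes * 8 / (link_gbps * GBPS) * 1000


if __name__ == "__main__":
    # 32 access switches of 192 x 1G ports each on the 32 baseboard 10G ports
    print("access->distribution %.1f:1" % access_to_distribution(32, 192))
    print("distribution->core   %.1f:1" % distribution_to_core(32, 8))
    print("users at 20:1        %d" % max_users_under_ratio(32, 20))
    print("buffer at 1G  %.0f ms" % buffer_time_ms(BUFFER_BYTES, 1.0))
    print("buffer at 10G %.0f ms" % buffer_time_ms(BUFFER_BYTES, 10.0))
```

With 32 access switches of 192 Gigabit Ethernet ports each, the access-to-distribution ratio is 19.2:1 (about 6100 users, under the 20:1 guideline), the 32 downlinks against 8 uplinks give exactly 4:1, and the buffer drains in roughly 268 ms at 1 Gbps and 27 ms at 10 Gbps, in line with the ~250 ms and ~25 ms quoted above.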
Using the oversubscription ratios as mentioned earlier, congestion on the uplinks occurs by design (see Figure 7). When congestion does occur, QoS is required to protect important traffic such as mission-critical data applications, voice, and video. Additionally, you can use QoS to reduce the priority of unwanted traffic. For example, an Internet worm infection, such as Slammer, can cause congestion on many links in the network, and QoS can minimize the effect of this event.
Figure 7. Oversubscription Congestion
Quality of Service (QoS)
The Cisco Catalyst 4500-X offers advanced QoS tools such as bandwidth guarantee, shaping, priority queuing, up to eight configurable queues per port, customizable queue size per queue, and active queue management features such as Dynamic Buffer Limiting (DBL) in addition to basic QoS mechanisms such as classification, marking, and policing.
Using QoS in the campus network design makes sure that important traffic is placed in a queue that is properly configured so that it never runs out of memory for high-priority traffic. Under normal circumstances, the network should provide an adequate level of service for all network traffic, including lower priority best-effort traffic.
The aggregation-layer switch is a critical component to the network operations; any service disruption to the CPU or the control and management planes can result in business-impacting network outages. A DoS attack targeting the CPU, which can be perpetrated either inadvertently or maliciously, typically involves high rates of punted traffic that result in excessive CPU utilization.
The Cisco Catalyst 4500-X offers CPU protection mechanisms such as 64 CPU queues that differentiate traffic heading to the CPU and service it by priority. Furthermore, the advanced CoPP feature allows administrators to configure a QoS filter that manages the flow of control plane packets to protect the control plane against reconnaissance and DoS attacks. In this way, the control plane can maintain packet forwarding and protocol states despite an attack or heavy traffic load.
High Availability
The principal service requirement from the campus network is the availability of the network. The Cisco Catalyst 4500-X offers several network resiliency features, including VSS. Device resiliency capabilities are provided through features such as redundant hot-swappable fans, power supplies, and AC to DC failover and vice versa that remove single points of failure in the network.
Virtual Switching System (VSS)
The Cisco Catalyst 4500-X switch VSS is a clustering technology that integrates two Cisco Catalyst 4500-X switches into a single virtual switch. The end-to-end campus network enabled with VSS capability allows flexibility and availability. In a VSS, the data planes of both clustered switches are active at the same time in both chassis. VSS members are connected by virtual switch links (VSLs). VSLs use standard Gigabit Ethernet or 10 Gigabit Ethernet connections between the virtual switch members. VSLs can carry regular user traffic in addition to the control plane communication between the VSS members. Figure 8 illustrates the physical and logical connectivity to the VSS pair.
Figure 8. Physical and Logical Topology of VSS Pair
VSS reduces touchpoints with a single management and control plane between two physical switches (optimized for aggregation and core deployments). It also eliminates the need for spanning tree and offers a loop-free topology between the access and distribution with Layer 2 MEC. In addition, VSS simplifies and reduces network topology complexity by eliminating the need for first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP), Gateway Load Balancing Protocol (GLBP), or Virtual Router Redundancy Protocol (VRRP).
Security Services
Security services are an integral part of any network design. There are two aspects of security at the aggregation layer. First, the infrastructure must be protected from intentional or accidental attack, making sure of the availability of the network and network services. Second, the infrastructure must provide information about the state of the network in order to aid in detection of an ongoing attack.
The Cisco Catalyst 4500-X offers advanced security capabilities with Cisco TrustSec*. Cisco TrustSec* is an intelligent and scalable access control solution that mitigates security access risks across the entire network. As part of Cisco TrustSec*, the Cisco Catalyst 4500-X provides advanced 802.1X features; Network Device Admission Control (NDAC) to authenticate the connecting switch; Security Group Tagging (SGT); policy enforcement using Security Group Access Control Lists (SGACLs); and MACsec, a data link layer encryption technology that makes sure of data integrity by encrypting the data traffic between switches (see Figure 9).
Furthermore, the Cisco Catalyst 4500-X offers advanced application-monitoring tools such as Flexible NetFlow, SPAN, and EEM that provide the information necessary to detect any ongoing attack.
Figure 9. MACsec
Application Monitoring
Without the ability to monitor and observe what is happening in the network, it can be extremely difficult to detect the presence of unauthorized devices or malicious traffic flows.
The Cisco Catalyst 4500-X offers the following mechanisms to provide the necessary telemetry data required to detect and observe any anomalous or malicious activities:
• Flexible NetFlow: Provides the ability to track each data flow that appears in the network.
• SPAN/RSPAN: Provides the ability to capture and analyze packets.
• Wireshark: Provides the ability to capture packets for quick troubleshooting.
• Embedded Event Manager (EEM): Provides the ability to monitor system and network events and take actions in response, such as executing a CLI command or starting a Wireshark capture.
• Simple Network Management Protocol (SNMP): Provides the ability to monitor critical system status, notify of any critical alarms, and so on in the network.
• Syslog: Provides the ability to track system events.
Beyond Flexible NetFlow application and traffic monitoring, EEM, SPAN/RSPAN, and the built-in sniffer capability (Wireshark) can be used together to provide an additional level of observation and mitigation capability. While Flexible NetFlow provides a very scalable mechanism to detect and locate anomalous traffic flows, SPAN and Wireshark provide visibility into the content of individual packets. All these telemetry mechanisms must be supported by the appropriate backend monitoring systems. Tools such as the Cisco Service Assurance Manager (SAM) should be used to provide a consolidated view of the gathered data, allowing a more accurate overall view of any security outbreak.
Flexible NetFlow
Cisco Catalyst 4500-X Flexible NetFlow is the next generation in flow technology, allowing optimization of the network infrastructure, reducing operation costs, and improving capacity planning and security incident detection with increased flexibility and scalability. Flexible NetFlow has many benefits over traditional NetFlow. Figure 10 shows a sample Flexible NetFlow collector screen from a Cisco Network Analysis Module. It shows an at-a-glance view of top talkers in the network by IP address, VLAN, applications, application groups, and QoS values.
Primary advantages to using Flexible NetFlow:
• Flexibility, scalability of flow data beyond traditional NetFlow
• The ability to monitor a wider range of packet information producing new information about network behavior not available today
• Enhanced network anomaly and security detection
• User-configurable flow information to perform customized traffic identification and the ability to focus and monitor specific network behavior
• Convergence of multiple accounting technologies into one accounting mechanism
Figure 10. At-a-Glance View of Network and Application Performance
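The monitoring paragraph above and the Flexible NetFlow advantages list both describe the same workflow: the switch exports flow records keyed on addresses, ports, protocol and TCP flags, and a backend system turns them into top-talker views and anomaly alerts. The following Python is an added example, not a Cisco tool or part of this paper; it runs two such checks over a handful of constructed flow records written in an assumed CSV layout that a collector might produce from NetFlow v9 exports. The field names, the hex TCP-flag encoding and the thresholds are all assumptions of the example.

```python
"""Triage of exported Flexible NetFlow records (added example, not Cisco's code).

SAMPLE_EXPORT is constructed for this example in an assumed CSV layout; the
column names and the cumulative hex TCP-flag field are not from the page.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_EXPORT = """\
src_ip,dst_ip,proto,src_port,dst_port,tcp_flags,bytes,packets
10.1.5.20,10.2.0.10,6,51000,443,0x1b,184320,210
10.1.5.20,10.2.0.11,6,51001,443,0x1b,96210,120
10.1.7.44,10.2.0.10,6,40001,22,0x02,60,1
10.1.7.44,10.2.0.10,6,40002,23,0x02,60,1
10.1.7.44,10.2.0.10,6,40003,80,0x02,60,1
10.1.7.44,10.2.0.10,6,40004,135,0x02,60,1
10.1.7.44,10.2.0.10,6,40005,445,0x02,60,1
10.1.7.44,10.2.0.10,6,40006,3389,0x02,60,1
10.1.9.3,10.2.0.53,17,53211,53,0x00,512,4
10.1.5.20,10.3.1.9,6,51002,8443,0x1b,5242880,4100
"""

TCP = 6          # IP protocol number for TCP
SYN = 0x02       # TCP flag bits as accumulated over the flow's packets
ACK = 0x10


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    tcp_flags: int
    bytes: int
    packets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the header-led CSV export into Flow records."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        flows.append(Flow(f["src_ip"], f["dst_ip"], int(f["proto"]),
                          int(f["src_port"]), int(f["dst_port"]),
                          int(f["tcp_flags"], 16), int(f["bytes"]), int(f["packets"])))
    return flows


def top_talkers(flows: list[Flow], n: int = 3) -> list[tuple[str, int]]:
    """Sources ranked by bytes sent, the at-a-glance view a collector shows."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src_ip] += f.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def syn_only_fanout(flows: list[Flow], min_targets: int = 5) -> dict[str, int]:
    """Sources with SYN-but-never-ACK TCP flows to many distinct host:port pairs.

    Completed sessions accumulate ACK in the flow's flag field, so flows that
    stay SYN-only toward many targets are the NetFlow-visible shape of a scan.
    """
    targets: dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.tcp_flags & SYN and not f.tcp_flags & ACK:
            targets[f.src_ip].add((f.dst_ip, f.dst_port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_EXPORT)
    print("top talkers:", top_talkers(flows))
    print("SYN-only fan-out:", syn_only_fanout(flows))
```

On the constructed input the talker view shows 10.1.5.20 far ahead on bytes, which is ordinary HTTPS traffic, while the fan-out check singles out 10.1.7.44, whose six tiny SYN-only flows to different ports would be invisible in a volume-based view; the second check is where the TCP-flag field the page mentions earns its keep. Packet-level confirmation of such a finding is where SPAN or the built-in Wireshark capture comes in.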
Network Virtualization
Network virtualization includes a series of technologies that span from Layer 2 to Layer 3 and above. Two primary pillars of network virtualization are VSS technology and Layer 3 network segmentation using VRF-Lite, EVN, and MPLS.
Cisco Catalyst 4500-X switch VSS technology adds a powerful new tool for IT managers to build resilient, highly available networks while optimizing traffic load balancing. VSS is discussed earlier as part of a high-availability solution in the "High Availability" section.
With the EVN feature, Cisco Catalyst 4500-X switches support multiple VPN VRFs for network segmentation. This technology does not need to use MPLS to support such instances; it relies instead on the configuration of Layer 3 interfaces on the interswitch links.
Easy Virtual Network (EVN)
The Cisco Catalyst 4500-X switch EVN is an IP-based virtualization technology that provides end-to-end virtualization of two or more Layer 3 networks. You can use a single IP infrastructure to provide separate virtual networks whose traffic paths remain isolated from each other.
EVN significantly reduces network virtualization configuration across the entire network infrastructure through the virtual network trunk, without requiring the use of MPLS. The traditional VRF-Lite solution requires creating one interface per VRF on every switch and router in the data path, which creates a significant configuration-management burden. EVN removes the need for a per-VRF interface by using the "vnet trunk" command, which reduces the amount of provisioning across the network infrastructure.
EVN is backward compatible with the VRF-Lite solution to enable transparent network migration from VRF-Lite to EVN. Figure 11 illustrates VRF-Lite and EVN.
Figure 11. VRF-Lite and EVN
Conclusion
Network architecture is evolving in response to a combination of new business requirements, technology changes, and growing end-user expectations. Choosing the right technology and right switches is crucial to a successful campus network design that will provide the balance of availability, security, flexibility, and operability required to meet current and future business and technological needs.
The Cisco Catalyst 4500-X Series Switch is an enterprise-class borderless network fixed aggregation switch that delivers best-in-class performance, scalability, resiliency, network virtualization, and integrated network services and is specially designed for space-constrained campus environments. It meets business growth objectives with unprecedented scalability, provides high availability with VSS, simplifies network virtualization with support for VRF-Lite and EVNs, provides application visibility with Flexible NetFlow for optimal network application visibility and capacity planning, and enables emerging applications by integrating many network services.