by Randall Birdsall and Edwin Mier, Network World Lab Alliance

Cisco’s MDS 9509

May 10, 2004

Director SAN switch gets top ratings in management and feature columns

Cisco’s done it again. Packed with 112 ports of 2G bit/sec Fibre Channel, the latest version of Cisco’s MDS 9509 delivers a feature set, management interface and performance that earned it our Clear Choice designation.

We first viewed this Cisco storage-area network switch early last year. The latest software (Version 1.3(3)) supports new quality-of-service (QoS) traffic classes and routing between virtual SAN (VSAN) groups. Additionally, new optional modules deliver storage virtualization and caching capabilities. The switch hardware base is the same and earned it a near-perfect performance score, although this rating dipped a bit because this round of testing was more extensive and a tad more critical.

The 9509 remains a top performer in our high-end SAN switch tests. Cisco showed up, and all the other SAN switch marketplace leaders – including Brocade Communications and McData – stayed at home, in spite of our invitation to compete head-to-head with Cisco. Brocade and McData hinted at major new director-class architectures due out in the coming months, and we’ll test them when they deliver their new versions.

The 9509 supports an array of interface modules. Up to seven hot-swappable line cards can be any mixture of 16- or 32-port, 2G bit/sec Fibre Channel Switching Modules. Then there’s an eight-port Gigabit Ethernet IP Storage Module, which lets users directly integrate popular storage-over-IP connections with the Fibre Channel fabric. The module supports both iSCSI and Fibre Channel-over-IP links. This connectivity and conversion was not verified in the testing.

The Cisco switch also delivers the survivability users expect at the core of their SAN fabric. Each 9509 ships with redundant, hot-swappable management/fabric-control cards, called supervisors, and redundant power supplies.

There’s nothing quite like a good command-line interface (CLI) to manage a Cisco network device, unless there is an even better GUI. The 9509 has both. The CLI has the standard Cisco IOS look and feel. And the GUI delivers effective central management, featuring dynamic topology mapping.

The Cisco Fabric Manager GUI is impressive. Extensive configuration capabilities are accessible, which is helpful because these capabilities can seem imposing to a first-time user. The main GUI screen offers a directory tree on the left side for selecting the management topic and an auto-discovered fabric topology map on the right. Multiple tables for configuration and statistics are accessed through tabs at the top.

Most impressive is the copy-and-paste configuration, which lets the user select any configured switch and apply all the same settings to any other switch. Locating particular devices or links also has been simplified: If the IP address of a switch or label of an inter-switch link (ISL) is not enough, you can select the component you want from a configuration table, and its image is highlighted instantly in the fabric topology map.

The Fabric Manager also can readily push new software images out onto one or a group of switches. And we confirmed that new code could be loaded and activated under full operational load – without dropping a bit.

The 9509 brings a smorgasbord of features to the table.

Consider the capabilities offered for Fibre Channel diagnostics. The 9509 includes a built-in protocol analyzer, driven from the CLI, for control traffic, which is very effective for diagnosing Fibre Channel issues.

Cisco also supports a mirrored-port capability to which frames between any two ports in the fabric can be replicated, without disrupting ongoing traffic. Fibre Channel frames can be encapsulated into Ethernet frames, using the Cisco Port Analyzer Adapter, and captured in ‘libpcap’ format – a popular format for storing packet traffic. The resulting dump can be analyzed within Ethereal, a popular open source analyzer application, for which Cisco has developed a Fibre Channel decode plug-in.

Cisco also offers its proprietary storage equivalent to virtual LANs (VLAN) – VSANs. VSANs separate groups of ports into discrete “virtual fabrics,” up to 1,000 per switch. This isolates each VSAN group from the disruptive effects of fabric reconvergence that may occur in another VSAN. And, as with VLANs, routing is used to forward frames between initiator and target (SAN source and destination) pairs in different VSANs.

Cisco has integrated VLANs and VSANs effectively: The IP Storage Services Module, which extends the SAN fabric into an IP network, can map 802.1q VLAN tags to VSAN identifiers.

Cisco also offers an effective QoS solution that uses a traffic-distribution algorithm and four output queues. Three queues are assignable by the user for prioritizing traffic, while the fourth queue is reserved for Fibre Channel control traffic.

Storage virtualization is a buzzword in the SAN industry that implies storage volume management, mirroring and replication across physical locations, which is transparent to users and applications. Cisco offers two specialized module options that support these virtualization functions: The Advanced Services Module, produced jointly with Veritas Software, and the Caching Services Module (CSM), co-developed with IBM.

Commendable performance

Users seeking as close to wire-speed performance as they can get, under maximum load on all ports, will want to use only the 16-port modules in the 9509. That’s because the 32-port modules introduce over-subscription – a SAN euphemism for bottlenecks, a condition Cisco documents.

We ran the switch through both torturous and more typically realistic tests, all at 100% offered load. It performed nearly flawlessly – that is, delivering theoretical maximum throughput – except for a few worst-case load scenarios. For example, in the full-mesh test with a very small frame size – an absolutely worst-case scenario – the switch dropped to 54% of theoretical line rate. However, through every test, even with congestion, the switch maintained fair and evenly distributed throughput. We noted too that, in the absence of congestion, latency – the time it takes frames to move through the switch – ranged from 10 microsec to 250 microsec, depending on frame size. This is a normal and acceptable range, given variable-length frames traversing one or more modules and the internal switching fabric.

The 9509 also has a link-aggregation feature. We built a “port channel,” Cisco’s term for a group of aggregated ISLs connecting two 9509s, and we saw no degradation in throughput across the aggregated switch-to-switch trunk links, compared to the same load sent between ports on one switch. When we failed one of the ISLs in a trunk group, the switches dutifully reallocated streams from the failed link to the others in the group. The total time for this reconvergence, during which throughput on affected streams was temporarily halted but no data was lost, was 115 millisec.

To abuse the switch, we pulled the active supervisor module and tried upgrading the software with all 112 ports transferring SAN traffic over 12,432 unique flows. Neither condition had any degrading effect on throughput performance because of the failover redundancy of the two supervisors. Boot time after a power failure was a very respectable 2 minutes, 32 seconds.

Cisco also provides an abundance of security features for its management and the SAN fabric. With the use of RADIUS or TACACS+ authentication servers, administrators can be assigned very tailorable access and configuration rights.

Cisco MDS 9509

Company: Cisco
Cost: $2,900 per port, for chassis fully loaded with two supervisor modules and all 16-port, 2G-bit/sec Fibre Channel modules and SFPs (per-port transmit/receive components).
Pros: Superb management; rich featured; the best performing SAN switch tested to date.
Con: Per-port price is high; throughput degrades under torturous “full-mesh” load test with all minimal-sized packets.

The breakdown

Management 30%
Features 25%: 5
Performance 25%: 4.5
Architecture 20%: 4

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Additionally, IP-based Access Control Lists can be applied to management access, whether the administrator is accessing via an Ethernet management interface (out-of-band) or from another switch using IP over Fibre Channel (in-band).

What’s more, all management traffic is encrypted – using SNMPv3 for the GUI, Secure Shell for the CLI and secure file transfer for moving files to and from the supervisor.

The SAN fabric itself is secured through hardware-enforced zoning, which is performed at ingress, read-only zones, fixed port types and device authentication via the Fibre Channel Security Protocol.

The 9509 is a powerful director-class SAN switch that sets a high bar for the industry in terms of features and management. While we can’t call it perfect, we can say it’s the one the competition has to beat.