DESCRIPTION
Security, performance, virtualisation, programmability and data centre interconnection are all examples of functions required in network cores, where BYOD, the cloud and video are putting pressure. In this presentation we will see how the new Catalyst 6800 family (6807-XL, 6880-X, 6800ia) answers the new challenges of the enterprise backbone.
Breakfast briefing – 24 June 2014: Catalyst 6800 – a new core for new usages
Jean-Louis TILLET
Vincent MAKOWSKI
Jérôme DURAND
http://reseauxblog.cisco.fr
http://ipv6blog.cisco.fr
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
9:30 – 10:00 – New usages in the enterprise
10:00 – 10:45 – The new Catalyst 6800 family
10:45 – 11:30 – Advanced services for the network core
11:30 – 12:00 – Instant Access demos (in the lounge)
Jean-Louis TILLET
Traffic & Service Adoption Drivers, 2013–2018 (growth catalysts)
More video viewing: 79% of all IP traffic
Faster broadband speeds: 2.6-fold speed increase
More devices: 21 billion connections
More Internet users: 4 billion Internet users
Global IP Traffic by Device Type: by 2018, non-PC devices will drive 57% of global IP traffic
(Chart: exabytes per month, 2013–2018, 21% CAGR. Figures in parentheses are the 2013 and 2018 device traffic shares.)
Non-Smartphones (0.1%, 0.1%)
Other Portable Devices (0.1%, 0.4%)
M2M (0.4%, 2.8%)
Tablets (2.2%, 14.0%)
Smartphones (3.5%, 16.3%)
TV (26.5%, 23.6%)
PCs (67.2%, 42.8%)
Source: Cisco VNI Global Mobile Data Traffic Forecast, 2013–2018
Average Global Traffic per Device per Month (2013–2018)
Smartphone: 1.0 – 5.4 GB
Tablet: 4.0 – 18 GB
Ultra High Definition TV: 22.9 – 26.3 GB*
Laptop/PC: 22.7 – 39.2 GB
Internet Set-Top or Dongle: 8.0 GB …
M2M Module: 78 – 514 MB
* Includes IP VoD Traffic
Source: Cisco VNI Global IP Traffic Forecast, 2013–2018
Global IP Video Traffic Growth: IP video will account for 79% of global IP traffic by 2018
(Chart: petabytes per month, 2013–2018, 21% CAGR. Figures in parentheses are the 2013 and 2018 traffic shares.)
Gaming (0.05%, 0.09%)
File Sharing (13%, 6%)
Web/Data (21%, 15%)
IP VOD (23%, 19%)
Internet Video (42%, 60%)
Source: Cisco VNI Global IP Traffic Forecast, 2013–2018
The Network Effect of the Beautiful Game
Global IP streaming and digital broadcast of the World Cup is estimated to drive 4.3 Exabytes…
…Nearly 3X the amount of current monthly broadband traffic for Brazil
32 to 209 times the bandwidth
Drastic Change in Application Type, Delivery, and Consumption
How applications are consumed: proliferation of devices, users/machines, VDI | IaaS
How applications are delivered: private cloud, public/hybrid cloud, SaaS/IaaS
Type of applications: storage, database
(Diagram centred on The Network)
Changing Role of IT
Technology transitions: Mobile, New Breed of Apps, Cloud, Data & Analytics, Internet of Things
Business implications: Agility & Speed, Growth & Innovation, Security & Privacy, New Business Models, Experience Expectations
Customer expectations are changing
Less time to deploy technology and deliver new business capabilities: 4X deployment time advantage of Salesforce Sales Cloud vs. Siebel
CIO function as a revenue driver, not cost center: 66% of CIOs cite business strategy and driving business innovation as the top priority
Automation to improve productivity: 51% of CIOs prioritize improving IT staff productivity and operational efficiency as the top goal in the next 3 years
Today's CIO Challenge: Managing Growing Demand for IT Projects
(Chart: 70-80% of IT budgets go to maintenance; the remainder funds new projects; the gap is missed business opportunities)
Source: A commissioned study conducted by Forrester Consulting for Cisco Systems, 2012
(Chart of where IT time goes: monitoring and troubleshooting; security configurations; initial install, configs, testing; upgrading equipment)
Model for Next Generation IT
Layers: Services, Infrastructure, Platform, Applications, Application Interfaces, Infrastructure Interfaces
New Business Models, Partner Ecosystem
Vincent Makowski
Recap of the Catalyst 6500 family
Chassis: 6503-E, 6504-E, 6506-E, 6509-E, 6509-V-E, 6513-E
40G/slot line cards: 6716, 6716, 6704, 6708, 6724 (fiber), 6748 (fiber), 6748 (copper)
Service modules: NAM-3, ASA-SM, WiSM2
80G/slot line cards: 6816, 6816, 6904, 6908, 6824 (fiber), 6848 (fiber), 6848 (copper)
Optics: CFP-LR4, CFP-SR4, CVR-4SFP
Sup2T Overview: Sup720 vs Sup2T
L2 MAC Table: 96K (Sup720), 128K (Sup2T)
Bridge Domains / TrustSec SGT: 16K, Yes (Sup2T)
VNET Trunk (EVN): – (Sup720), Yes (Sup2T)
40G Interfaces: – (Sup720), Yes (Sup2T)
System Bandwidth: 720 Gbps (Sup720), 2 Tbps (Sup2T)
L3 Interfaces: 4K (Sup720), 128K (Sup2T)
NetFlow Table: 128K/256K (Sup720), 512K/1M (Sup2T)
Flexible NetFlow: – (Sup720), Yes (Sup2T)
Hitless ACL Updates: 32K (Sup720), Yes (Sup2T)
Medianet 2.2: Yes (low) (Sup720), Yes (high) (Sup2T)
VPLS / A-VPLS: Requires WAN Module (Sup720), Yes, native on PFC4 (Sup2T)
VSS Quad Sup SSO: – (Sup720), Yes (Sup2T)
Scalability enhancements for BYOD and collaboration with Supervisor 2T: 4X scalability, 3X performance
New PFC4 featuring improved levels of performance and scalability along with new enhanced hardware features
USB-based console support; Connectivity Management Processor (CMP)
New MSFC5 supporting a dual-core CPU and a single IOS image
Improved switch fabric providing 80G/slot
Cisco Catalyst 6000 Supervisor Lifecycle to 2020+
(Timeline 2000 … 2005 … 2010 … 2015 … 2020+; each supervisor is shown with a Maintain Support phase and End of Sale (EoS), End of Life (EoL) and End of Support markers over a 12-year span)
Sup1A: Maintain Support, EoS, EoL, 12 years
Sup2: Maintain Support, EoS, EoL, 12 years
Sup32
Sup720-3A: Maintain Support, EoS, EoL, 12 years
Sup720-3B
Sup720-10G (VSS Enabled)
Sup2T: Next-Generation Supervisor, FCS June 2011
Cisco Catalyst 6800
Catalyst 6807-XL, 6880-X, 6800ia
Next Gen 10/40/100G Backbone Services
INVESTMENT PROTECTION: reuse of the 6500 chassis line cards
INNOVATION: 10G/40G/100Gbps* density, up to 880G/slot, 11.4 Tbps overall capacity
SIMPLICITY: Instant Access, service cards, programmability via onePK (SDN)
* Roadmap
Introducing the new 6807-XL chassis: modularity and performance
7 slots, 10 RU
Investment protection: compatible with Sup2T, 6700, 6800 and 6900 line cards and the latest service modules; backwards-compatible backplane connectors; Catalyst 6500 DNA
Low power and noise: high-efficiency fans; up to 4 (N+1) power supply redundancy, 3000W AC
Next-generation ready: up to 880G/slot capable
Side-to-side air flow (redirectable via airflow baffles)
Catalyst 6500-E and 6807-XL Support Matrix for Different Modular Platforms
Platforms compared: 6500-E with Sup720, 6500-E with Sup2T, 6807-XL with Sup2T
6900 Series Cards
6800 Series Cards
WS-X6716-10G/T: with WS-F6K-DFC4-E (6500-E with Sup2T), with WS-F6K-DFC4-E (6807-XL with Sup2T)
WS-X6708-10G
WS-X6704-10GE (w/ DFC3): with WS-F6K-DFC4-E (6500-E with Sup2T), with WS-F6K-DFC4-E (6807-XL with Sup2T)
6700 Series 1GE (w/ DFC3): with WS-F6K-DFC4-A (6500-E with Sup2T), with WS-F6K-DFC4-A (6807-XL with Sup2T)
6700 Series w/ CFC
6100 POE Cards
Service Modules *
WAN Cards
Future 32x10G / 4x100G
* NAM-3, ASA-SM, WISM-2, ACE30
Catalyst 6500 10G Portfolio Providing Deployment Options
WS-X6816-10G-2T
 Max throughput: 80G
 Optics: X2
 Egress buffers/port: 256 MB
 Features: full-feature L2/L3 module with MPLS, VPLS, IPv4/IPv6 capabilities, 1M+ IPv4 routes, 1M NetFlow
 Additional hardware features: large buffers, SGT, MACsec, LISP
 Ideal for: campus aggregation and core
WS-X6904-40G-2T
 Max throughput: 80G
 Optics: CFP, SFP/SFP+
 Egress buffers/port: 21 MB
 Features: full-feature L2/L3 module with MPLS, VPLS, IPv4/IPv6 capabilities, 1M+ IPv4 routes, 1M NetFlow
 Additional hardware features: 10G flexibility, SGT, MACsec, LISP, dual priority queues, two-level shaping, Instant Access
 Ideal for: campus aggregation and core
WS-X6908-10G-2T
 Max throughput: 40G
 Optics: X2
 Egress buffers/port: 90 MB
 Features: full-feature L2/L3 module with MPLS, VPLS, IPv4/IPv6 capabilities, 1M+ IPv4 routes, 1M NetFlow
 Ideal for: campus aggregation
10G/40Gbps flexibility
WS-X6904-40G / 40GXL-2T: dCEF2T, 80 Gig/slot; 4 CFP 40GE ports or 16 SFP+ 10GE ports; 2 x 40Gb connections to the switch fabric; integrated DFC4 / DFC4XL; supports Cisco TrustSec on all ports; supports VSL on all ports
The New Catalyst 6880-X: C6K-based "extensible" fixed platform
Up to eighty 1G/10G ports or twenty 40G ports*
Fixed module: sixteen 10/100/1000/10G or up to four 40G ports; X86 2 GHz CPU, 4 GB DRAM
Port cards: sixteen 10/100M, 1/10G or up to four 40G ports
MACsec, VSS, Instant Access, MPLS, VPLS, LISP, SGT, 1588(*) capable on every port
Low power; low-noise fans; Platinum EFF; redundant AC and DC PS
Catalyst 6880-X Base Board & System Controller
16 x SFP+ ports: VSS, IA (FEX), LISP, MPLS, HQoS, MACSEC, SGT, 1588 PTP & AVB* available on every port
* Under Investigation
Enhanced control-plane scale with the new X86 2.0GHz dual-core CPU
USB host (Type A), USB console (Type B), RJ-45 console and management ports
Components: system base board, forwarding daughter board
Two HW options: 6880-X-LE vs 6880-X
IPv4/v6 Routing Capability: 256K/128K vs 2M/1M
Multicast Routes (IPv6): 64K vs 256K
Number of Adjacencies: 256K vs 1M
MAC Addresses: 128K vs 128K
L3 Interfaces: 128K vs 128K
Security and QoS ACL: 64K vs 256K
Flexible NetFlow: 512K vs 1M
Microflow Policers: 512 vs 512
Aggregate Policers: 8K vs 8K
* Roadmap
16-port SFP+ Multi-rate Port Card: supports between 10Mbps and 40Gbps
Two versions: Standard (LE) vs Large Tables
FIB Table v4/v6: 256K/128K vs 2M/1M
NetFlow Table: 512K vs 1M
Security ACL Table: 64K vs 256K
Port Buffering: 24MB / port vs 24MB / port
Port speed & type, number of ports:
10/100/1000 Mb/s copper: 16 (GLC-T SFP)
1 Gb/s fiber: 16 (SFP)
10 Gb/s fiber: 16 (SFP+)
40 Gb/s fiber: 4 (SFP-QSFP*)
MACsec, FEX, LISP, VSS, SGT, 1588 capable on every port
Components: base board, forwarding engine daughter board, port card (port card status LED, port card ID LED, 16 x 10/1G SFP ports, port status LED, ejector lever)
* Roadmap
Catalyst Instant Access Client 6800ia
48 x 1G RJ45 ports; Catalyst 6500 features at the access
2 x 10G SFP+ uplink ports
Data and PoE/PoE+ options
Stackable up to three members at FCS
System and status LEDs; RPS connector
No More Repetitive Operations
IT spends most of its time in repetitive operational actions for access switches:
28% monitoring, troubleshooting
19% security configurations
18% initial install, configs, testing
14% upgrading equipment
Source: A commissioned study conducted by Forrester Consulting for Cisco Systems, 2012
Introducing Instant Access: simple install & connect
Cisco Catalyst Instant Access
(Diagram: two Instant Access Clients attached to a VSS pair joined by a VSL; the client-to-parent protocols are labelled SDP, SRP and SCP; conventional access switches attach with LACP or PAgP.)
Benefits of Instant Access
(Diagram as on the previous slide: Instant Access Clients, SDP/SRP/SCP, VSL.)
Simplifies operations via a single point of management, configuration and troubleshooting across the distribution and access block
Catalyst 6500 features at the access
Consistent features and agile infrastructure across the access layer
Instant Access (IA) Satellite Capabilities: key differences from Nexus FEX (Fabric Extender)
Fabric link; connect switches; stacking; PoE+; spanning-tree bpduguard disable
Catalyst Instant Access Components
Parent: Supervisor 2T with WS-X6904-40G in a 6500E or 6807-XL*, or a 6880-X*
* 6807-XL and 6880-X will be available in Q4CY13.
Client: Catalyst 6800ia (10G uplink ports, PoE+ support, integrated stacking module)
Config on parent:
interface Port-channel4
 fex associate 101
interface Port-channel5
 fex associate 102
interface Port-channel6
 fex associate 103
interface GigabitEthernet101/1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
Enterprise Network – 3000 ports example (core / aggregation / access)
Number of managed devices = 68: access devices = 60, distribution devices = 6, core devices = 2
Enterprise Network – with stacking
Number of managed devices = 28: access devices = 20, distribution devices = 6, core devices = 2
Enterprise Network – with VSS and stacking
Number of managed devices = 24: access devices = 20, distribution devices = 3, core devices = 1
Enterprise Network – with Instant Access
Number of managed devices = 4
Catalyst Instant Access Phase-1 Scalability
Maximum Client Node User Ports: 1008
Maximum FEX IDs: 12
Maximum Client Switches: 21
Maximum Clients in Stack: 3
Maximum User Ports in Stack: 144
A Client Node ID is a single client or a stack. If using individual clients, a maximum of 12 switches is supported.
Client nodes, user ports per node, (unlabelled column), total user ports:
7, 144, 3, 1008
10, 96, 2, 960
5, 192, 2, 960
3, 288, 3, 864
12, 48, 0, 576
Most optimum where the IDF has 96 or more ports; single-client IDFs support fewer overall ports.
Catalyst Instant Access Fabric Link Connectivity Scenarios – Dual Homed to VSS Pair
Dual homed to VSS pair
Dual homed across stack members
Up to 6 uplinks (60G) MEC across client to parent
Recommended Design
Catalyst 6k – Unmatched innovation in the core
AutoQoS
BGP
DHCP EoMPLS
FHRP
Flexible Netflow
IPv6
MPLS LDP
VSS
Multicast
MPLS – TE, VPN
WCCP
HW based NAT
Object Group ACL
HW Based GRE
VRF Aware NAT
Mini Protocol Analyzer
VSS Quad-Sup SSO now available on C6807-XL with Instant Access
VSS Switch 1 (SSO – Active): In-Chassis Active; In-Chassis Standby [Standby Hot (Chassis)]
VSS Switch 2 (SSO – Hot Standby): In-Chassis Active; In-Chassis Standby [Standby Hot (Chassis)]
STANDBY HOT (CHASSIS) is a new redundancy mode created for the VSS ICS (In-Chassis Standby) supervisor. It allows the ICS supervisor to operate in a separate RF/CF (SSO) domain, while maintaining the traditional RF/CF (SSO) domain between the VSS chassis.
Instant Access support for VSS Quad-Sup SSO with the 6807-XL was added in 15.1(2)SY2 (C6807-XL & Sup2T IA with 15.1(2)SY2).
IP FRR - LFA: process-independent IGP sub-second convergence
IP Fast Re-Route & Loop Free Alternate
• Based on pre-selection of a backup path, other than the primary next hop
• Provides local protection for unicast traffic (IP and MPLS/LDP) in the event of a single failure, whether link, node, or Shared-Risk Link-Group (SRLG)
• The FIB pre-installs the backup path in the hardware data plane
• Traffic is redirected to the LFA immediately upon failure
• An LFA takes the forwarding decision without knowledge of the failure
(Diagram: calculating node, primary next hop, primary path, repair path)
router ospf 1
 router-id 10.1.1.1
 fast-reroute per-prefix enable prefix-priority low
 network 10.0.0.0 255.255.255.255 area 0
…
Router#sh ip route 10.7.7.7
Routing entry for 10.7.7.7/32
  Known via "ospf 1", distance 115, metric 12, type inter area
  Redistributing via bgp 6800
  Last update from 10.2.4.4 on Port-channel1, 1w0d ago
  Routing Descriptor Blocks:
  * 10.1.2.1, from 10.1.2.1, 1w0d ago, via Port-channel1
      Route metric is 12, traffic share count is 1
      Repair Path: 10.1.3.1, via Port-channel2
Router#
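As an added example (not from the slides or Cisco), the per-prefix LFA selection the slide describes, worked on a constructed topology whose router names reuse the addresses of the output above: each neighbour is tested with the RFC 5286 loop-free and node-protecting inequalities, the chosen repair path is pre-installed, and a packet is then traced after the primary link fails while no router has reconverged.

```python
import heapq

# Added illustration, not Cisco code. Constructed topology: router names
# reuse the addresses in the "sh ip route 10.7.7.7" output above, and the
# link costs are chosen so the primary metric to 10.7.7.7 is 12 via 10.1.2.1.
S, P, N, Q, D = "10.1.1.1", "10.1.2.1", "10.1.3.1", "10.1.4.1", "10.7.7.7"
LINKS = {
    (S, P): 2, (P, D): 10,   # primary path S-P-D, metric 12
    (S, N): 3, (N, D): 11,   # alternate path S-N-D, metric 14
    (S, Q): 1, (Q, P): 20,   # Q's own best path to D runs back through S
}


def build_graph(links):
    """Undirected adjacency map {node: {neighbour: cost}}."""
    g = {}
    for (a, b), cost in links.items():
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def spf(graph, src):
    """Dijkstra from src: (distance, first hop) for every reachable node."""
    dist, first_hop, heap = {src: 0}, {src: None}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in graph[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                first_hop[v] = v if u == src else first_hop[u]
                heapq.heappush(heap, (dist[v], v))
    return dist, first_hop


def lfa_for_prefix(graph, s, d):
    """Per-prefix LFA selection at s for destination d (RFC 5286 inequalities).

    link-protecting: dist(N,D) < dist(N,S) + dist(S,D)   N never loops back via S
    node-protecting: dist(N,D) < dist(N,P) + dist(P,D)   N also avoids primary hop P
    """
    dist_s, hop_s = spf(graph, s)
    primary = hop_s[d]
    dist_p, _ = spf(graph, primary)
    entry = {"primary": primary, "metric": dist_s[d], "repair": None,
             "node_protecting": False, "rejected": []}
    best = None
    for n in graph[s]:
        if n == primary:
            continue
        dist_n, _ = spf(graph, n)
        if not dist_n[d] < dist_n[s] + dist_s[d]:
            entry["rejected"].append(n)        # would hand the packet back to s
            continue
        node_prot = dist_n[d] < dist_n[primary] + dist_p[d]
        rank = (node_prot, -(graph[s][n] + dist_n[d]))   # prefer node protection, then cost
        if best is None or rank > best[0]:
            best = (rank, n, node_prot)
    if best is not None:
        entry["repair"], entry["node_protecting"] = best[1], best[2]
    return entry


def trace(graph, s, d, failed_link, first_hop=None):
    """Forward one packet hop by hop after failed_link goes down, using the FIB
    each router computed *before* the failure (no IGP reconvergence yet). Only
    the router adjacent to the failure switches to its pre-installed repair
    path. Returns the path, or None if the packet loops."""
    down = frozenset(failed_link)
    path, cur = [s], s
    while cur != d:
        entry = lfa_for_prefix(graph, cur, d)
        nxt = entry["primary"]
        if cur == s and first_hop is not None:
            nxt = first_hop                   # force a candidate, to show why it was rejected
        elif frozenset((cur, nxt)) == down:
            nxt = entry["repair"]
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
        cur = nxt
    return path


if __name__ == "__main__":
    g = build_graph(LINKS)
    e = lfa_for_prefix(g, S, D)
    print(f"{D}: primary {e['primary']} metric {e['metric']}, repair via {e['repair']} "
          f"(node-protecting={e['node_protecting']}), rejected {e['rejected']}")
    print("after S-P link failure:", trace(g, S, D, (S, P)))
    print("forced through rejected Q:", trace(g, S, D, (S, P), first_hop=Q))
```

The rejected neighbour Q illustrates the loop-free condition: its best route to 10.7.7.7 runs back through the calculating node, so forcing traffic onto it after the failure loops instead of repairing.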
Multicast-only Fast Re-Route (MoFRR): sub-second multicast convergence
(Diagram: a source feeding a primary path and a backup path towards the receivers; PIM joins (J) travel upstream on both, multicast (M) flows down both, and the LHR performs an RPF DROP on the secondary copies until the primary path fails. Legend: primary PIM joins, secondary PIM joins, discard duplicates, primary stream, secondary stream, PIM, IGMP, receivers.)
MoFRR operation
1. MoFRR sends PIM joins on both the primary & secondary ECMP paths
2. This builds a primary & secondary stream, and duplicate packets are sent to the LHR* over both paths
3. The LHR forwards the primary stream and discards duplicate packets from the secondary stream
4. If the primary path fails, MoFRR begins forwarding the secondary stream for immediate convergence
Key benefits
• MoFRR can achieve ~200ms convergence by prebuilding an alternate multicast tree
• MoFRR convergence is independent from unicast routing convergence
• MoFRR leverages multicast (S,G) load balancing
* LHR = last-hop router
IPv4, 15.1(2)SY, Sup2T
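An added simulation (not Cisco code; the interfaces, group and packet numbering are constructed) of the four MoFRR steps at the last-hop router: joins on both ECMP paths, RPF-drop of the secondary copies, and switchover after a primary failure. It shows that the only loss is what arrives between the failure and its detection, since the secondary tree already exists and no unicast reconvergence is waited for.

```python
# Constructed model of MoFRR at a last-hop router (assumption: added
# illustration, not Cisco code). Two ECMP upstream interfaces carry the same
# (S,G) stream; sequence numbers stand in for the packets of the stream.

class MoFRRLastHopRouter:
    def __init__(self, group, primary_iface, secondary_iface):
        self.group = group
        self.rpf_iface = primary_iface        # interface the RPF check accepts
        self.backup_iface = secondary_iface   # pre-joined, monitored, RPF-dropped
        self.delivered = []                   # sequence numbers sent to receivers
        self.rpf_drops = 0                    # duplicate copies discarded
        self.failovers = 0

    def pim_joins(self):
        """Step 1: joins go upstream on both ECMP paths, not only the RPF one."""
        return [(self.rpf_iface, self.group), (self.backup_iface, self.group)]

    def receive(self, iface, seq):
        """Step 3: only the copy arriving on the RPF interface is forwarded."""
        if iface == self.rpf_iface:
            self.delivered.append(seq)
            return "forward"
        self.rpf_drops += 1
        return "rpf-drop"

    def primary_failed(self):
        """Step 4: swap the RPF interface to the already-built secondary tree.
        No new join and no unicast reconvergence is needed, so the loss is
        bounded by how quickly the failure is detected."""
        self.rpf_iface, self.backup_iface = self.backup_iface, self.rpf_iface
        self.failovers += 1


def simulate(n_packets, fail_after, detect_delay):
    """Send packets 1..n_packets over both paths. The primary path dies after
    `fail_after` packets and the LHR detects it `detect_delay` packets later.
    Returns (delivered sequence numbers, RPF drops, lost sequence numbers)."""
    lhr = MoFRRLastHopRouter("239.0.0.1", "Gi1/1", "Gi1/2")   # constructed names
    assert len(lhr.pim_joins()) == 2                           # step 1 and 2
    for seq in range(1, n_packets + 1):
        if seq == fail_after + detect_delay + 1:
            lhr.primary_failed()              # e.g. link-down or stream timeout noticed
        if seq <= fail_after:
            lhr.receive("Gi1/1", seq)         # primary copy, only while the path is up
        lhr.receive("Gi1/2", seq)             # secondary copy always arrives
    lost = [s for s in range(1, n_packets + 1) if s not in lhr.delivered]
    return lhr.delivered, lhr.rpf_drops, lost


if __name__ == "__main__":
    for delay in (0, 1, 3):
        delivered, drops, lost = simulate(10, 5, delay)
        print(f"detect_delay={delay}: delivered={delivered} rpf_drops={drops} lost={lost}")
```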
Address Translation: NAT / PAT & MSR in Hardware
IOS support for NAT / PAT & MSR with IPv4 & VRF; NAT64 & DNS64 with ASA-SM
Network / Port Address Translation
(Diagram: CAT6K between the inside LAN and an outside web server; private unicast traffic from 10.10.10.1 to 69.83.10.120 appears outside as public unicast traffic from 64.16.10.1 to 69.83.10.120.)
ip nat pool NAT 64.16.10.1 64.16.10.63 prefix-length 24
ip nat inside source list 64 pool NAT
!
access-list 64 permit 10.10.10.0 0.0.0.255
!
interface GigabitEthernet1/1
 ip nat inside
!
interface GigabitEthernet1/2
 ip nat inside
!
interface GigabitEthernet2/1
 ip nat outside
Multicast Service Reflection (MSR)
(Diagram: CAT6K with a Vif1 interface; the inside stream from source 83.1.1.10 to group 228.1.1.10 is reflected and appears outside as source 80.1.1.100 to group 239.1.1.10.)
interface Vif1
 ip address 80.1.1.100 255.0.0.0
 ip pim sparse-mode
 ! input interface assumed to be GigabitEthernet1/1 (the slide abbreviates this command)
 ip service reflect GigabitEthernet1/1 destination 228.1.1.10 to 239.1.1.10 mask-len 32 source 80.1.1.100
 ip igmp static-group 228.1.1.10 source 83.1.1.10
!
interface GigabitEthernet1/1
 ip pim sparse-mode
!
interface GigabitEthernet1/2
 ip pim sparse-mode
!
interface GigabitEthernet2/1
 ip pim sparse-mode
Segmentation: The Challenge of Traditional Security Enforcement
(Diagram: access, distribution, core and data center, with Identity Service Engine, directory service and WLC alongside. Endpoints: VLAN 10 IT at 3.1.1.1; VLAN 20 Finance at 2.1.1.1; VLAN 30 Doctor at 1.1.1.1; VLAN 99 at 99.1.1.1 "Doctor or IT or Finance?"; VPN at 98.1.1.1 "Doctor or IT or Finance?".)
Access control with IP access control lists:
• Topology-based
• Manual configurations
• Error prone
• Unscalable
• Difficult to maintain
First ACL (appears twice on the diagram, once per switch):
permit tcp 3.1.1.1 100.1.1.1 eq https
permit tcp 3.1.1.1 100.1.1.1 eq 8081
deny ip 3.1.1.1 200.1.1.2
permit tcp 2.1.1.1 150.1.1.1 eq https
permit tcp 2.1.1.1 150.1.1.1 eq 8081
permit tcp 2.1.1.1 150.1.1.1 eq 445
deny ip 2.1.1.1 200.1.1.2
Second ACL (also appears twice):
permit tcp 1.1.1.1 100.1.1.1 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 100.1.1.2 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 200.1.1.1 eq https
deny ip 1.1.1.1 200.1.1.1
Server-side ACLs:
permit tcp any 200.1.1.1 eq https
permit tcp any 200.1.1.1 eq 8081
deny ip all
permit tcp any 150.1.1.1 eq https
permit tcp any 150.1.1.1 eq 8081
permit tcp any 150.1.1.1 eq 445
deny ip all
permit tcp any 100.1.1.1 eq https
deny ip all
Segmentation: Security Group Tagging (SGT) and SGACL
(Diagram: Cisco TrustSec domain; the SGT travels with the traffic across the switches; the Identity Service Engine classifies the endpoint; SGACL enforcement at the egress.)
1. SG tag imposed on incoming traffic, identity-aware and device-aware:
Doctor on corp PC: security group Doctor
Doctor on personal PC: security group Doctor
IP phone (no user, NA): security group Voice
2. SGACL enforcement:
! SGACL name DOCTOR-TO-SERVER is a placeholder; the slide lists the entries directly after the permissions command
ip access-list role-based DOCTOR-TO-SERVER
 permit tcp dst eq 443
 permit tcp dst eq 80
 deny ip
cts role-based permissions from 10 to 111 DOCTOR-TO-SERVER
SGA is ingress tagging and egress enforcement.
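Added example (not from the slides): the doctor of the previous slide evaluated first against the slide's topology ACL and then against an SGT/SGACL matrix. The SGT numbers 10 and 111 come from the permissions command above; the other tags, the ISE identity mapping, the server-to-SGT mapping and the unmatched-cell action are constructed assumptions.

```python
# Added illustration, not Cisco code. Addresses follow the slides: the doctor
# on VLAN 30 at 1.1.1.1, later on VLAN 99 at 99.1.1.1 or VPN at 98.1.1.1;
# the records server at 100.1.1.1. SGT 10 (Doctor) and 111 (server) are from
# the slide's "cts role-based permissions from 10 to 111"; the rest is constructed.
SGT_DOCTOR, SGT_IT, SGT_FINANCE, SGT_RECORDS = 10, 20, 30, 111

# Ingress: ISE maps the authenticated identity to an SGT. The tag does not
# depend on which VLAN, address or VPN the endpoint shows up on (assumed mapping).
IDENTITY_TO_SGT = {"doctor": SGT_DOCTOR, "it": SGT_IT, "finance": SGT_FINANCE}
SERVER_SGT = {"100.1.1.1": SGT_RECORDS}

# Egress: one cell per (source SGT, destination SGT); entries evaluated in order.
SGACL = {
    (SGT_DOCTOR, SGT_RECORDS): [("tcp", 443, "permit"), ("tcp", 80, "permit"), ("ip", None, "deny")],
    (SGT_IT, SGT_RECORDS): [("tcp", 22, "permit"), ("ip", None, "deny")],
}
UNMATCHED_CELL = "deny"   # assumption for this model; the real default policy is configurable

# The first lines of the slide's topology ACL for the doctor: it only knows 1.1.1.1.
IP_ACL = [
    ("permit", "tcp", "1.1.1.1", "100.1.1.1", 443),
    ("deny", "ip", "1.1.1.1", "100.1.1.2", None),
    ("permit", "tcp", "1.1.1.1", "100.1.1.2", 443),   # shadowed by the deny above
    ("permit", "tcp", "1.1.1.1", "200.1.1.1", 443),
]


def ip_acl_lookup(acl, src_ip, dst_ip, proto, dport):
    """First-match evaluation with the implicit deny at the end of every IP ACL."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_src not in ("any", src_ip) or a_dst not in ("any", dst_ip):
            continue
        if a_proto == "ip" or (a_proto == proto and a_port in (None, dport)):
            return action
    return "deny"


def sgacl_lookup(src_sgt, dst_sgt, proto, dport):
    """Egress enforcement: find the matrix cell, then the first matching entry."""
    for a_proto, a_port, action in SGACL.get((src_sgt, dst_sgt), []):
        if a_proto == "ip" or (a_proto == proto and a_port in (None, dport)):
            return action
    return UNMATCHED_CELL


def decide(identity, src_ip, dst_ip, proto, dport):
    """Both models for one flow: the IP ACL answer moves with the address,
    the SGACL answer moves with the person and the resource."""
    return {
        "ip_acl": ip_acl_lookup(IP_ACL, src_ip, dst_ip, proto, dport),
        "sgacl": sgacl_lookup(IDENTITY_TO_SGT[identity], SERVER_SGT.get(dst_ip), proto, dport),
    }


if __name__ == "__main__":
    for src in ("1.1.1.1", "99.1.1.1", "98.1.1.1"):      # VLAN 30, VLAN 99, VPN
        print(src, "https ->", decide("doctor", src, "100.1.1.1", "tcp", 443))
    print("1.1.1.1 smb ->", decide("doctor", "1.1.1.1", "100.1.1.1", "tcp", 445))
    print("finance https ->", decide("finance", "2.1.1.1", "100.1.1.1", "tcp", 443))
```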
Sup2T Virtualization Enhancements
Ethernet point-to-point and multi-point L2VPN services: Supervisor 2T supports VPLS, A-VPLS & H-VPLS natively
• H-VPLS increases the scalability of VPLS by partitioning the network
• A-VPLS greatly simplifies VPLS deployment & management
NetFlow VPN support: Sup2T adds the VPN_ID as part of the NetFlow key (MPLS, VPLS, VRF-Lite); VRF-aware NetFlow; VRF-aware NAT
LIF benefits for VRF with EVN: the same VLAN # can be reused on different L3 sub-interfaces belonging to different physical interfaces.
interface GigabitEthernet1/1.1
 encapsulation dot1Q 11
 ip vrf forwarding vrf1
 ip address 10.1.1.2 255.255.255.0
…
interface GigabitEthernet1/2.1
 encapsulation dot1Q 11
 ip vrf forwarding vrf1
 ip address 10.0.1.2 255.255.255.0
Network Virtualization Options
Transport | Payload | Feature names | Target
Ethernet | Layer 3 | VRF-Lite, EVN | Campus, small number of VPNs
MPLS | Layer 2 | AToM (EoMPLS), VPLS | Campus, data center interconnection
MPLS | Layer 3 | MPLS-VPN | Large number of VPNs, campus and/or providers
IP | Layer 2 | L2VPNomGRE, VPLSoGRE | Data center interconnection
IP | Layer 3 | MPLS-VPN over mGRE, LISP | Campus and/or providers
Virtualization made simple: EVN – easy virtualization
• LAN trunks
• Significant configuration simplification
• VRFs are pre-provisioned on the trunk
• Route replication
• IGP-based shared services / BGP not required
• Enhanced troubleshooting and usability
• routing-context, traceroute, debug condition, cisco-vrf-mib
(Diagram: two routers, each with VRFs plus the global table, connected by an 802.1Q trunk)
Virtualization made simple: EVN VNET trunk
Both routers have the VRFs defined; the VNET router has the tags.
VRF-Lite subinterface config:
interface TenGigabitEthernet1/1
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event link-status
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event subif-link-status
interface TenGigabitEthernet1/1.102
 description Subinterface for Green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event subif-link-status
VNET trunk config:
interface TenGigabitEthernet1/1
 vnet trunk
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event link-status
Global config:
vrf definition red
 vnet tag 101
vrf definition green
 vnet tag 102
Cloud requires Application Visibility and Control
App visibility & control: Flexible NetFlow (FnF), priority queuing, microflow policing, media services (MSI & MSP), Auto SmartPorts, SPAN/RSPAN/ERSPAN, integrated Wireshark, SGT & MACsec
Example challenges
• What is the average IPv4 TCP traffic load?
• Does this building use more L2 or L3 traffic?
• How do I identify who is watching YouTube?
• Can I easily create a video QoS policy?
• Will I be able to limit the amount of traffic?
AVC solutions
• Monitor TCP & UDP with Flexible NetFlow
• Build utilization graphs from NetFlow export
• NBAR can distinguish L7 application types
• Use metadata to build QoS & FnF policies
• Traffic shaping & HQoS optimize resources
Two further feature groups on the slide:
Flexible NetFlow (FnF), priority queuing & LLQ, aggregate policing, metadata QoS & FnF, AVC with WiSM2, Mini Protocol Analyzer (MPA), SPAN/RSPAN/ERSPAN, SGT & MACsec
Flexible NetFlow (FnF), traffic shaping & HQoS, metadata QoS & FnF, enhanced object tracking, NBAR2 with NAM-3, Mini Protocol Analyzer (MPA), SPAN/RSPAN/ERSPAN, SGT & MACsec
Application Visibility and Control: offering wired and wireless application insight and control
(Diagram: WLAN controllers, access switches, backbone switches with NAM-3, Cisco Prime Infrastructure)
Flexible NetFlow (FnF): how can it really help me?
(Diagram: campus, data center, branch and Internet feeding a NAM and Prime. Flow key fields: IPv4, IPv6, L2 MAC, L2 VLAN, UDP flags, TCP flags, MPLS, multicast … Collector ecosystem use cases: DoS attack, anomaly detection, compliance, IP SLA, capacity planning, app visibility.)
FnF benefits
• Lower CapEx: better insight for capacity planning, network upgrades and compliance
• Lower OpEx: better service and user experience, increased IT staff productivity
FnF capabilities
• Deep app visibility with L2 – L7 fields
• Flexible flow monitors & records
• Scalable flow collection & export
• Customizable policy action with EEM
• Simple to deploy with NAM3 & Prime
Catalyst 6500 Network Analysis Module (NAM-3) Software Release 6.0 & 6.1: superior service delivery in the campus
(Diagram: network clients, client network, application servers, NAM-3)
Application awareness: L2-L7 application visibility (NBAR2)
Network intelligence: CAPWAP, TrustSec SGT, LISP, …
Packet analytics: event-based on-demand captures, advanced packet decoder
Performance analytics; application intelligence
6904 support for two-level HQoS policy (replace SIP-400, ES+ 1G, 10G ports with the 6904)
• To sub-rate traffic going to the cloud: meet the contracted rate with the SP
• To limit inter-site / inter-DC traffic: limit the amount of traffic going to each site (EVPL case)
• Allow SPs to offer dedicated bandwidth to customers end to end over shared infrastructure: different SLAs for different customers
(Diagram: aggregation and core switches feeding a WAN/DC edge or core WAN edge. On the physical port (enterprise WAN or Metro E handoff) an HQoS policy with an aggregate shaper (shaped rate = x) sits above the queues: priority level 1 (% police), priority level 2 (%), and min-bw % or shaper for the remaining queues.)
Mini Protocol Analyzer (MPA): built-in packet capture & analyzer
• Packets switched in hardware can be captured and examined by using the SPAN or VACL capture functionality.
• Historically, an external sniffer had to be connected to examine SPAN'd packets.
• Capturing packets to an external sniffer involves time, availability and possibly other unwanted complexities.
• The SPAN mini protocol analyzer (MPA) feature is an embedded packet capture tool.
• The MPA's captured packets are saved to local memory and can be displayed or exported for post-processing.
• Packets can be filtered using several mechanisms.
• One SPAN ASIC session is used for sending the traffic to the MPA program running on the supervisor.
Campus Leadership in IPv6
(Matrix of IPv6 features per layer, with columns Visibility & Control, Optimized IPv6 Delivery and Special Technologies; the diagram also shows the Internet, data center and branch connections.)
Core: EIGRPv6, OSPFv3, IS-IS; IPv6 SSO / NSF, NSR; dual-stack IPv4 / IPv6; IPv6 PIM, embedded RP; IPv6 support for VSS; IPv6 RACL; ACL hitless commit / dry run; IPv6 CoPP; IPv6 uRPF; IPv6 Flexible NetFlow; IPv6 ECMP; L3 LISP; BFDv6; traffic shaping; IPv6 NAM3; IPv6 GRE, DMVPNv6; WCCPv6; 6to4 tunnels, 6PE/6VPE; NAT64 with ASA-SM
Edge: EIGRPv6, OSPFv3, IS-IS; BGPv6; IPv6 PBR; IPv6 SSO / NSF, NSR; dual-stack IPv4 / IPv6; IPv6 IPsec; IPv6 firewall security; IPv6 IDS; IPv6 ASA-SM
Distribution: EIGRPv6, OSPFv3, IS-IS; IPv6 SSO / NSF, NSR; dual-stack IPv4 / IPv6; IPv6 PIM, BSR; DHCPv6, relay agent; HSRPv6, VRRPv6, GLBPv6; IPv6 support for VSS; IPv6 ECMP; L2 / L3 LISP*; BFDv6; traffic policing; IPv6 HQoS, PQ & LLQ; IPv6 WiSM2; IPv6 RACL, VACL; ACL hitless commit / dry run; IPv6 CoPP; IPv6 uRPF; L2 / L3 Flexible NetFlow
Access: Auto Smart Ports, PnP; RPVST, MST; 802.1Q trunking; VTP, VTPv3; MLD, PIM snooping; IPv6 first hop security; IPv6 PACL, RA Guard; port security, storm control; L2 Flexible NetFlow; FlexLinks; IPv6 HQoS, PQ; VLAN translation; QinQ trunking
Introduction to SDN
(Diagram: traditional approach vs SDN approach)
OpenFlow is just one piece of SDN; SDN is a bigger space; SDN does not equal OpenFlow
Cisco APIC Enterprise Module Architecture
• Abstracts network devices to mask complexity
• Treats the network as a system
• Exposes network intelligence for business innovation
(Stack: Cisco and third-party applications, REST API, Cisco APIC Enterprise Module (network info database, policy infrastructure, automation; security, QoS, mobility), CLI / OpenFlow / onePK API, network devices: Catalyst, ASR, ISR)