ASR 1000 System & Solution Architectures
Jason Yang - CCIE #10467, Technical Marketing Engineer
BRKARC-2001
Agenda
• Introducing the ASR 1000
• ASR 1000 System Architecture
• ASR 1000 Building Blocks
• ASR 1000 Software Architecture
• ASR 1000 Packet Flows
• Integrated Security on ASR 1000
• Applications & Solutions
Introducing the ASR 1000
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
ASR 1000 Aggregation Service Router: Key Design Principles
• Multi-Service, Secure WAN Aggregation Services: Ethernet WAN and Provider Edge services; Voice and Video services (CUBE); Security services (Firewall, VPN, Encryption); Application Performance Optimization (AVC, PfR)
• Best in Class Availability: Enterprise IOS features with a modular OS and software redundancy or hardware redundancy, plus ISSU
• Best in Class ASIC Technology: Quantum Flow Processor (QFP) for high-scale services and sophisticated QoS with minimum performance impact
Cisco ASR 1000 Series Routers: Overview – 2.5 Gbps to 200 Gbps, designed today to scale up in the future

Instant-on service delivery
• Scalable on-chip service enablement through software licensing
• Industry leading VPN/Crypto solutions
• Optimal user/app experience with AVC, PfRv3, and AppNav
• Software consumption model with Cisco ONE

Business-critical resiliency
• Fully separated control and forwarding planes
• Hardware and software redundancy
• In-service software upgrades
• Inter- and intra-chassis redundancy
• DCI to support clustering across geographically dispersed DCs

Compact, powerful router
• Line-rate performance 2.5G to 200G
• Investment protection with modular engines, IOS CLI and SPAs for I/O
• Hardware assists for ACL, QoS, etc.
• Hardware-based QoS engine with up to 464k queues
• New Ethernet CC and 100GE EPA: ASR1000-MIP100, EPA-1x100GE

Figure: platform line-up, all running IOS-XE. Fixed chassis: ASR 1001-X (2.5 to 20 Gbps), ASR 1002-X (5 to 36 Gbps), ASR 1001-HX, ASR 1002-HX. Modular chassis: ASR 1004 (10 to 40 Gbps), ASR 1006, ASR 1006-X (40 to 100 Gbps), ASR 1009-X (40 to 200 Gbps), ASR 1013 (40 to 200 Gbps). The figure also carries the ranges "44 to 100 Gbps" (twice) and "20 to 100 Gbps", whose platform labels did not survive extraction.
ASR 1000 Positioning (axis: performance and scalability)

Service Provider Edge Routers
• ASR 9000: up to 48 Tbps per system; Carrier Ethernet, IP RAN, L2/L3 VPNs, Vidmon, BNG
• 7600 Series: up to 2 Tbps per system; Carrier Ethernet, IP RAN, Mobile Gateways, SBC/VoIP, Video Monitoring

Enterprise Edge and Managed Services Routers (Managed L2/L3 VPNs, Integrated Security, Application Recognition)
• ASR1000: 2.5-200 Gbps per system; Distributed PE, Firewall, IPsec, Route Reflector, CUBE/VoIP, Broadband
• ISR4000 Series: 1-2 Gbps per system; separate services planes for continuity; Pay-As-You-Grow
• ISR Series: 850 Mbps per system, 350 Mbps with services
ASR 1000 Enterprise Applications: Flexible WAN Services Edge & CPE
Figure: mobile subscriber, corporate office, high-end branch and campus edge sites connected through the ASR 1000 in the following roles: High Speed CPE, High-end Branch, Campus Edge, WAN Aggregation, IPsec VPN, L2 and L3 VPN, IWAN, DCI (Data Center Interconnect), Internet gateway, Cloud Services Edge.
ASR 1000 Service Provider Applications: A Wide Variety of Use Cases
Figure: access and aggregation topology. Subscribers (mobile subscriber, business, residence) reach the ISP edge over wireless, wireline and cable access (CPE, OLT/xPON, xDSL/DSLAM, DOCSIS/M-CMTS, ETTx) and on into the IP/MPLS core. ASR 1000 roles shown: PE (L2/L3 VPNs, IPsec/NAT/FW, NBAR2), BNG (PPP or IP aggregation over ATM or Ethernet), iWAG (Intelligent Services Gateway, WiFi Access Gateway), CGN, LNS, RR, and peering toward VOD/TV/SIP content farms.

ASR 1000 System Architecture
ASR 1000 Building Blocks
Figure: the midplane connects an active and a standby Embedded Service Processor (ESP: FECP, QFP with PPEs and BQS, crypto assist, interconnect), an active and a standby Route Processor (RP: CPU, interconnect, GE switch), and the interface cards: SIP (SPAs, IOCP, aggregation ASIC, interconnect), ELC (built-in GE/10GE ports, IOCP, aggregation ASIC, interconnect) and MIP (EPAs, IOCP, aggregation ASIC, interconnect).

Embedded Service Processor
• Handles forwarding plane traffic
Route Processor
• Handles the control plane
• Manages the system
SPA Interface Processor
• Houses Shared Port Adapters (SPA)
• Packet buffers
Ethernet Linecard
• Built-in GE/10GE ports
• Packet buffers
Modular Interface Processor
• Houses Ethernet Port Adapters (EPA)
• Packet buffers

• Centralized Forwarding Architecture: all traffic flows through the active ESP; the standby is synchronized with all the states
• Distributed Control Architecture: all major system components have a powerful control processor dedicated to the control and management planes
ASR 1000 Building Blocks:Modular Chassis
ASR 1000 Modular Chassis Overview

| | ASR 1004 | ASR 1006 | ASR 1006-X | ASR 1009-X | ASR 1013 |
|---|---|---|---|---|---|
| RP slots | 1 | 2 | 2 | 2 | 2 |
| ESP slots | 1 | 2 | 2 | 2 (super) | 2 (super) |
| SIP/MIP slots | 2 (SIP only) | 3 (SIP only) | 2 | 3 | 6 |
| Built-in Ethernet | N/A | N/A | N/A | N/A | N/A |
| Redundancy | Software | Hardware | Hardware | Hardware | Hardware |
| Height | 7" (4RU) | 10.5" (6RU) | 10.5" (6RU) | 15.7" (9RU) | 22.7" (13RU) |
| Bandwidth | 10-40 Gbps | 10-100 Gbps | 40-100 Gbps | 40-200 Gbps | 40-200 Gbps |
| Max output power | 765W | 1275W | 1100W power modules, N+1, max 6 | 1100W power modules, N+1, max 6 | 3200W |
| Airflow | Front to back | Front to back | Front to back | Front to back | Front to back |
ASR 1009-X
• System management: RJ45 console, auxiliary port, 2x USB ports
• I/O connectivity: 12x SPA slots (SIP-40), 3x ELC slots, 6x EPA (MIP-100)
• BITS clocking: Stratum 3 built-in
• Power supply: modular power supply with N+1 redundancy; high efficiency, load sharing, hot-swappable; AC (1100W) or DC (950W)
• Control plane: supports RP2 and RP3; 8-64 GB memory; FIPS 140-2 certification
• Hardware redundancy: dual ESP and RP slots for data plane and control plane redundancy; ISSU
• Forwarding plane (ESP): up to 200 Gbps per system; supports ESP40, ESP100, ESP200 and future ESPs
• Modular fan tray: field replaceable; 30% improvement in airflow per slot vs. an integrated fan module
ASR 1000 Modular Chassis Compatibility Matrix

| Chassis | RP2 | RP3 | SIP40 | ELC | MIP100 | ESP20 | ESP40 | ESP100 | ESP200 |
|---|---|---|---|---|---|---|---|---|---|
| ASR1004 | Yes | No | Yes | Yes | No | Yes | Yes | No | No |
| ASR1006 | Yes | No | Yes | Yes | No | Yes | Yes | Yes | No |
| ASR1013 | Yes | Yes | Yes | Yes | Yes (2)(3) | No | Yes | Yes | Yes |
| ASR1006-X | Yes (1) | Yes | Yes | Yes | Yes (3) | No | Yes | Yes | No |
| ASR1009-X | Yes (1) | Yes | Yes | Yes | Yes (3) | No | Yes | Yes | Yes |

(1) RP2 with new CPLD
(2) 100G support in slots 2 & 3; others at 40G
(3) ASR1000-MIP100 is not supported with ESP40
ASR1000-MIP100 (Modular Interface Processor)
Figure: MIP100 EPA combinations toward the midplane and ESP100/ESP200 (ASR 1006-X/1009-X with ESP100/ESP200):
• 1x100G EPA: 100G line rate, no oversubscription
• 1x100G + 1x100G EPAs: 2 to 1 oversubscription
• 1x100G with 10x10G: line rate, no oversubscription
MIP100 Architecture
Figure: block diagram. The Interface Aggregation ASIC (ingress classifier, ingress scheduler, ingress buffers, egress buffers, egress buffer status, SPA aggregation interface) sits between two EPA pairs (2 EPAs + 2 EPAs) and the Interconnect toward the active and standby ESP (ESI, 110 Gbps). A local IOCP (DDRAM, boot flash, JTAG control, EEPROM, temperature sensor, reset/power control) connects to the RPs over GE (1 Gbps) and the I2C chassis management bus, to the aggregation ASIC over HyperTransport (10 Gbps), and carries EPA control. Network clock distribution takes input reference clocks from the RPs and provides output reference clocks.
Ethernet Port Adapter (EPA)

| EPA | Modular chassis with MIP-100 | ASR1002-HX | Optics modules |
|---|---|---|---|
| EPA-1x100GE | XE 3.16.1, XE 16.2.1 | XE 16.4.1 | CPAK-100G-SR10, CPAK-100G-LR4 |
| EPA-CPAK-2x40GE | XE 3.16.2, XE 16.3.1 | XE 16.4.1 | CPAK-100G-SR10 with CAB-MPO24-2XMPO12 cable (10 metres) to QSFP-40G-SR4 |
| EPA-10x10GE | XE 3.16.4, XE 16.2.1, XE 16.3.1 (MACsec) | XE 16.3.1, XE 16.3.2 (MACsec) | SFP-10G-SR, SFP-10G-SR-X, SFP-10G-LR, SFP-10G-LRM, SFP-10G-LR-X, SFP-10G-ER |
| EPA-18x1GE | XE 16.2.1, XE 16.3.2 (MACsec) | XE 16.2.1, XE 16.3.1 (MACsec) | GLC-GE-100FX, GLC-SX-MMD, GLC-LH-SMD, SFP-GE-T, GLC-BX-U, GLC-BX-D, GLC-TE, GLC-SX-MM, GLC-LH-SM, GLC-EX-SMD, GLC-ZX-SMD, CWDM-SFP, DWDM-SFP |
Modular Route Processors: RP2 & RP3

| | RP2 | RP3 |
|---|---|---|
| CPU | 2.66 GHz Intel Xeon dual-core | 2.2 GHz Intel Broadwell quad-core |
| Default memory | 8GB (4x2GB) DDR2 | 8GB (2x4GB) DDR4 |
| Memory upgrade options | 16GB (4x4GB) | 16GB (2x8GB), 32GB (4x8GB), 64GB (4x16GB) |
| Built-in eUSB bootflash | 2GB | 8GB |
| Storage | 80GB HDD; external USB | 100GB SSD default, 200GB and 400GB upgrade options; external USB |
| IOS XE OS | 64-bit | 64-bit |
| Chassis support | ASR 1004, ASR 1006, ASR 1013, ASR 1006-X, ASR 1009-X | ASR 1006-X, ASR 1009-X, ASR 1013 |
ASR 1000 RP3 Architecture: Highly Scalable Control Plane Processor
Figure: block diagram. A 2.2 GHz quad-core CPU with 8/16/32/64 GB memory, NVRAM, bootflash and SSD; management Ethernet, USB, console and aux ports; an I2C chassis management bus to the ESPs and SIPs/MIPs; an Interconnect carrying ESI (11.2 Gbps) links to the ESPs and SIPs/MIPs; an EOBC switch (GE, 1 Gbps) to the other RP, the ESPs and the SIPs/MIPs; and a Stratum-3 network clock circuit with BITS input and output, taking input clocks from and distributing output clocks to the ESPs and SIPs/MIPs.
ASR1000 Embedded Services Processor (ESP): centralized, programmable, multiprocessor forwarding engine providing full-packet processing
• Packet Buffering and Queuing/Scheduling (BQS) for output traffic to carrier cards/SPAs/EPAs and for special features such as traffic shaping, reassembly, replication, punt to RP, cryptography, etc.; 5 levels of HQoS scheduling, up to 464K queues, priority propagation
• Dedicated crypto co-processor
• Interconnect providing data path links (ESI) to/from other cards over the midplane; transports traffic into and out of the Cisco Quantum Flow Processor (QFP); input scheduler for allocating QFP bandwidth among the ESIs
• FECP CPU manages the QFP, crypto device, midplane links, etc.
Figure: ESP40 and ESP100 cards.
ESP Bandwidth
• Overall throughput is determined by the type of ESP and SIPs used in modular platforms.
• Modular platforms are rate limited by the speed of the bus from the QFP complex to the backplane ASIC.
• Bandwidth is expressed in terms of aggregated output throughput; using the ESP100 as the example:
  - 50 Gbps unicast in each direction: total output bandwidth 50 + 50 = 100 Gbps
  - 10 Gbps multicast with 8x replication in one direction and 20 Gbps unicast in the other: total output bandwidth 80 + 20 = 100 Gbps
  - 50 Gbps unicast in one direction and 70 Gbps unicast in the other: total output bandwidth (50 + 70 = 120 Gbps) exceeds 100 Gbps; only 100 Gbps will be forwarded
  - 10 Gbps multicast with 10x replication in one direction and 10 Gbps unicast in the other: total output bandwidth (100 + 10 = 110 Gbps) exceeds 100 Gbps; only 100 Gbps will be forwarded
ASR 1000 Forwarding Processor: Quantum Flow Processor (QFP) drives integrated services and performance
Figure: ESP block diagram. The QFP complex contains the Packet Processor Engines (PPE1 ... PPE64), a dispatcher, on-chip packet buffer memory and BQS, with attached TCAM, resource DRAM and packet buffer DRAM, plus a crypto device. The FECP (with bootflash and memory) manages the complex over HyperTransport (10 Gbps) and connects to the RPs over GE (1 Gbps) and the I2C chassis management bus. The Interconnect carries ESI links to the RPs and SIPs.
ASR 1000 ESPs in Modular Chassis

| | ESP20 | ESP40 | ESP100 | ESP200 |
|---|---|---|---|---|
| System bandwidth (IMIX) | 18 Gbps | 41 Gbps | 130 Gbps | 227 Gbps |
| Performance (IMIX) | 6 Mpps | 14 Mpps | 45 Mpps | 78 Mpps |
| QFP cores | 40 | 40 | 128 | 256 |
| Clock rate | 1.2 GHz | 1.2 GHz | 1.5 GHz | 1.5 GHz |
| Suite B support | No | No | Yes | Yes |
| Crypto BW (IMIX / 1400B) | 4 / 6 Gbps | 7 / 10 Gbps | 15 / 27 Gbps | 45 / 70 Gbps |
| QFP resource memory | 1GB | 1GB | 4GB | 2GB per QFP, 8GB total |
| Packet buffer | 256MB | 256MB | 1GB | 2GB |
| Control CPU | Single core, 1.2 GHz | Dual core, 1.8 GHz | Dual core, 1.73 GHz | Dual core, 1.73 GHz |
| Control memory | 4GB | 8GB | 16GB | 32GB |
| TCAM | 40 Mb | 40 Mb | 80 Mb | 2 x 80 Mb |
| Chassis support | ASR1004, ASR1006 | ASR1004, ASR1006, ASR1013, ASR1006-X, ASR1009-X | ASR1006, ASR1013, ASR1006-X, ASR1009-X | ASR1013, ASR1009-X |
Cisco Quantum Flow Processor (QFP): ASR1000 series innovation
• Five-year design and continued evolution; now on the 3rd generation
• Architected to scale to > 100 Gbps
• Multiprocessor with 64 multi-threaded cores, 4 threads per core
• 256 processes per chip available to handle traffic
• High-priority traffic is prioritized
• Packet replication capabilities for multicast
• Many hardware assists for accelerated processing
• 3rd generation QFP is capable of 70 Gbps, 32 Mpps processing
• Mesh-able: 1, 2 or 4 chips to build higher-capacity ESPs
• Latency: tens of microseconds with features enabled
Figure: QFP chip set, consisting of the Cisco QFP Packet Processor and the Cisco QFP Traffic Manager (buffering, queueing, scheduling).
Cisco Enterprise Routing NPU Leadership: Continuing Investment in Network Processor Technology
Figure: performance over time (2008, 2012, 2018) against increasing network intelligence and service requirements; over 100 patents awarded. 1st Gen QFP: 20G. 2nd Gen QFP: 40G. 3rd Gen QFP: 200G, lower-cost fully integrated NPU and I/O device. 4th Gen QFP: > 200G, line-rate security and high-performance intelligent WAN. Building blocks shown: NPU, high speed backplane aggregation ASIC, I/O oversubscription & aggregation ASIC. #cores: number of Packet Processing Engines; #threads: concurrent, parallel threads processed.
ASR 1000 Fixed Platforms
ASR 1000 Fixed Chassis Overview

| | ASR 1001-X | ASR 1002-X | ASR 1001-HX | ASR 1002-HX |
|---|---|---|---|---|
| SPA slots | 1 | 3 | N/A | N/A |
| EPA slots | N/A | N/A | N/A | 1 |
| NIM slots | 1 | N/A | N/A | 1 |
| Built-in GE | 6 | 6 | 8 | 8 |
| Built-in TenGE | 2 | N/A | 4 + 4 (configurable 10GE/GE) | 8 |
| CPU | 2.0 GHz quad-core | 2.13 GHz quad-core | 2.5 GHz quad-core | 2.5 GHz quad-core |
| Memory | 8GB; upgradable to 16GB | 4GB; upgradable to 8GB/16GB | 8GB; upgradable to 16GB | 16GB; upgradable to 32GB |
| Storage | eUSB (8GB); SSD (200GB, 400GB) | eUSB (8GB); optional HDD (160GB) | eUSB (32GB) | eUSB (32GB); SSD (200GB, 400GB) |
| IOS redundancy | Software | Software | Software | Software |
| Height | 1.75" (1RU) | 3.5" (2RU) | 1.75" (1RU) | 3.5" (2RU) |
| Throughput | 2.5 to 20 Gbps | 5 to 36 Gbps | 60 Gbps | 100 Gbps |
| Maximum output power | 250W | 470W | 360W | 500W |
| Airflow | Front to back | Front to back | Front to back | Front to back |
ASR 1001-HX
• Multi-core network processor: 60 Gbps forwarding capacity; 62 cores; 4 hardware threads per core; 248 simultaneous threads
• Built-in I/O: 8x Gigabit Ethernet interfaces; 8x TenGigabit Ethernet interfaces (4 configurable 10G/1G ports); multipoint MACsec for line-rate encryption (1G & 10G)
• Pay as you go: license on built-in ports; 4x TenGE + 4x GE enabled by default; the remaining ports can be enabled in pairs
• Control plane: quad-core CPU @ 2.5 GHz; 8GB DDR3 default memory, upgradeable to 16GB; Secure Boot + image signing
• Crypto module: field upgradeable; 16 Gbps crypto throughput; Suite B support
• Miscellaneous: RJ45 & mini-USB console; Secure Boot
ASR 1001-HX Crypto Module
• The ASR 1001-HX can be ordered with or without the crypto module
• The crypto module can be installed in the field when the function is needed
• Crypto bandwidth is licensed from the factory (default 8 Gbps, upgradeable to 16 Gbps on demand)
• The 16 Gbps crypto license unlocks a crypto performance cap of 29 Gbps (1400-byte packets)
ASR 1002-HX
• Multi-core network processor: 100 Gbps forwarding capacity; 124 cores; 4 hardware threads per core; 496 simultaneous threads
• Network Interface Module: 1 double-wide or 1 single-wide NIM
• Ethernet Port Adapter: 1x EPA slot
• Built-in I/O: 8x Gigabit Ethernet interfaces; 8x TenGigabit Ethernet interfaces; multipoint MACsec for line-rate encryption (1G & 10G)
• Pay as you grow: license on built-in ports; 4x TenGE + 4x GE enabled by default; the remaining ports can be enabled in pairs
• Power supply & fans: modular, FRU-able power supplies; fan tray
• Crypto module: field upgradeable; 25 Gbps crypto throughput; Suite B support
• Control plane: quad-core CPU @ 2.5 GHz; 16GB DDR3 default memory, upgradeable to 32GB; Secure Boot + image signing
• Miscellaneous: RJ45 & mini-USB console; eUSB: 32GB; Secure Boot
ASR 1002-HX Crypto Module
• The ASR 1002-HX can be ordered with or without the crypto hardware
• The crypto module can be installed in the field when the function is needed
• Crypto bandwidth is licensed from the factory (default 8 Gbps, upgradeable to 16 Gbps and 25 Gbps on demand)
• The 25 Gbps crypto license unlocks a crypto performance cap of 39 Gbps (1400-byte packets)
• The ASR 1002-HX must be powered down to install or remove the crypto module
ASR 1002-HX Architecture
Figure: block diagram. Control plane: 2.5 GHz quad-core CPU with CPU memory, NVRAM and boot flash, management Ethernet, USB, console & aux, and an I2C chassis management bus; the CPU attaches to the forwarding complex over HyperTransport and a serdes interface. Forwarding plane: two QFPs (QFP1 and QFP2), each with 62 PPEs (PPE1 ... PPE62), dispatcher, packet buffer, BQS, 2GB resource DRAM and 512MB packet buffer DRAM; a shared 80 Mbit TCAM and 4GB memory; a crypto engine; and an Interconnect to the Interface Aggregation ASIC (75 Gbps to each QFP, 150 Gbps total) serving the 8x GE, 8x 10GE, EPA and NIM ports. Other link rates marked on the figure: 80 Gbps, 120 Gbps, 75 Gbps, 11 Gbps and 8 Gbps.
ASR 1000 QFP in the Fixed Chassis

| | ASR 1001-X | ASR 1002-X | ASR 1001-HX | ASR 1002-HX |
|---|---|---|---|---|
| System throughput (IMIX) | 2.5-20 Gbps | 5-36 Gbps | 60 Gbps | 100 Gbps |
| Performance (64 bytes) | 19 Mpps | 34 Mpps | 43 Mpps | 78 Mpps |
| QFP cores | 31 | 62 | 62 | 124 |
| Clock rate | 1.5 GHz | 1.2 GHz | 1.5 GHz | 1.5 GHz |
| QFP resource memory | 4GB (unified) | 1GB | 4GB | 4GB |
| Packet buffer | 256MB | 512MB | 512MB | 1GB |
| TCAM | 10 Mb | 40 Mb | 40 Mb | 80 Mb |
Software Architecture
IOS XE Software architecture
• IOS XE = IOS + IOS XE Middleware + Platform Software
• Operational consistency: same look and feel as an IOS router
• IOS runs as its own Linux process for the control plane (routing, SNMP, CLI, etc.); 64-bit operation
• Linux kernel with multiple processes running in protected memory
  - Fault containment
  - Restartability
  - ISSU of individual software packages
• ASR 1000 HA innovations
  - Zero packet loss with RP failover
  - < 50 ms ESP failover
  - Software redundancy
Figure: process layout. RP: IOS active and IOS standby on top of the Platform Adaptation Layer (PAL), with forwarding manager and chassis manager over the Linux kernel. ESP: forwarding manager, chassis manager, QFP client and QFP driver over the Linux kernel. SIP/MIP: chassis manager and per-card SPA/EPA drivers over the Linux kernel. Control messaging links the three.
Software Architecture – Modular Platform
Figure: the same RP / ESP / SIP-MIP process layout (IOS, PAL, forwarding manager, chassis manager, QFP client/driver and QFP code, SPA/EPA drivers, Linux kernel, control messaging), annotated as follows.
Chassis manager
• Initialization of RP processes
• Initialization of installed cards
• Detects and manages OIR of cards
• Manages system status, environmentals, power, EOBC
Forwarding manager (RP)
• Provides the abstraction layer between hardware & IOS
• Manages ESP redundancy
• Maintains a copy of the FIB and interface list
• Communicates FIB status to the active & standby ESP
IOS
• Runs the control plane
• Generates configurations
• Maintains routing tables (RIB, FIB, ...)
• Communicates with the forwarding manager on the RP
Forwarding manager (ESP)
• Maintains a copy of the FIBs
• Provides the interface to the QFP client & driver
• Programs the QFP forwarding plane and QFP DRAM
• Statistics collection & RP communication
SPA/EPA driver
• Driver software for SPA/EPA interface cards is loaded independently
• Failure or upgrade of a driver does not affect other SPAs/EPAs in the chassis
Software Architecture – Fixed Platform
• Single control CPU: quad-core, 64-bit OS, 8GB, 16GB, 32GB memory support
• Standard IOS XE processes running over a single Linux kernel
• High availability: IOS redundancy (IOS active and IOS standby), fault containment, process restartability
• Operational consistency: same look and feel as standard IOS
• Ethernet Out of Band Channel: the method by which processes in different subsystems communicate
Figure: ASR1001-X control plane CPU running one kernel (including utilities) with three subsystems: RP subsystem (chassis manager, forwarding manager, IOS active, IOS standby), I/O subsystem (interface manager, chassis manager, SPA/EPA drivers) and ESP subsystem (chassis manager, forwarding manager, QFP client/driver).
Software Sub-packages
Figure: the RP / ESP / SIP-MIP process layout with the sub-packages numbered 1-7 as below.
1. RPBase: RP Linux operating system. Upgrading the OS requires a reload of the RP; minimal changes are expected.
2. RPIOS: IOS executable. Facilitates the Software Redundancy feature.
3. RPAccess (K9 & non-K9): software required for router access. Two versions are available (with and without OpenSSH & SSL), which facilitates software packaging for export-restricted countries.
4. RPControl: control plane processes for the IOS / hardware interface (IOS XE middleware).
5. ESPBase: all ESP code. Any software upgrade of the ESP requires a reload of the ESP.
6. SIP/MIPBase: SIP/MIP OS & control processes. An OS upgrade requires a reload of the SIP/MIP.
7. SIPSPA/MIPEPA: interface drivers and FPD. Facilitates SPA/EPA driver upgrades of specific SPA/EPA slots.
IOS XE Release and support timelines
Standard releases – twice a year (March, November), supported for 18 months
• 6 months of active bug-fix, 6 months of limited bug-fix, and 6 months of PSIRT
• Rebuild intervals: 3 + 3 + 6 + 6 months (PSIRT build as needed): .1S, .2S, .3S, .4S, then an optional PSIRT build
• Milestones on the timeline: FCS, EoSales, EoSM, PSIRT phase, EoVS
Extended releases – once a year (July), supported for 48 months
• 30 months of active bug-fix, 6 months of limited bug-fix, and 12 months of PSIRT
• Rebuild intervals: 3 + 3 + 4 + 4 + 4 + 6 + 6 + 6 + 6 + 6 months (PSIRT builds as needed): .1S through .10S, then optional PSIRT builds
• Milestones on the timeline: FCS, EoSales notification, EoSales, EoSM, HPC, EoVS
IOS XE 16
• Upgrade impact on ASR 1000
  - Same IOS XE software infrastructure, features, functionality, behavior and user experience (i.e. CLI, MIBs, ...)
  - A few hardware items are not supported
  - ISSU incompatible; requires a ROMmon upgrade and reload
  - Feature parity between XE 3.17 and XE 16.3.1
• Release numbering: 16.3.1 Denali = major release number . feature release number . build number, plus the feature release name
Figure: IOS XE 16 themes. Open & extensible platform (app hosting); faster innovation; automate and orchestrate (model-driven APIs, reduce OPEX); consistent customer experience (patching, device management, troubleshooting); lower cost (physical and virtual infrastructure, any platform, any ASIC).
What to expect – HW (1)

| | Supported | Unsupported |
|---|---|---|
| Platforms | ASR1001-X, ASR1002-X, ASR1001-HX, ASR1002-HX, ASR1004, ASR1006, ASR1013, ASR1006-X, ASR1009-X | ASR1001, ASR1002 |
| Route Processors (RP) | ASR1000-RP2, ASR1000-RP3 | ASR1000-RP1 |
| Forwarding Processors (ESP) | ASR1000-ESP20, ASR1000-ESP40, ASR1000-ESP100, ASR1000-ESP200 | ASR1000-ESP5, ASR1000-ESP10 |
| Line cards | ASR1000-SIP40, ASR1000-2T+20X1GE, ASR1000-6TGE, ASR1000-MIP100 | ASR1000-SIP10 |
What to expect – HW (2)

| | Supported | Unsupported |
|---|---|---|
| Ethernet Port Adapters (EPA) | EPA-1X100GE, EPA-2x40GE, EPA-10X10GE, EPA-18X1GE | N/A |
| Shared Port Adapters (SPA) | SPA-8XCHT1/E1-V2, SPA-4XCT3/DS0-V2, SPA-2XCT3/DS0-V2, SPA-2XT3/E3-V2, SPA-4XT3/E3-V2, SPA-8XT3/E3, SPA-1CHSTM1/OC3V2, SPA-1XCHOC12/DS0, SPA-4XT-SERIAL; SPA-4X1FE-TX-V2, SPA-8X1FE-TX-V2, SPA-2X1GE-V2, SPA-5X1GE-V2, SPA-8X1GE-V2, SPA-10X1GE-V2, SPA-1X10GE-L-V2, SPA-1X10GE-WL-V2; SPA-2XOC3-POS-V2, SPA-4XOC3-POS-V2, SPA-8XOC3-POS, SPA-1XOC12-POS-V2, SPA-2XOC12-POS, SPA-4XOC12-POS, SPA-8XOC12-POS, SPA-1XOC48POS/RPR, SPA-2XOC48POS/RPR, SPA-4XOC48POS/RPR, SPA-OC192POS-XFP; SPA-1XOC3-ATM-V2, SPA-3XOC3-ATM-V2, SPA-1XOC12-ATM-V2; SPA-DSP; SPA-1CHOC3-CE-ATM, SPA-2CHT3-CE-ATM, SPA-24CHT1-CE-ATM | SPA-8XCHT1/E1, SPA-4XCT3/DS0, SPA-2XCT3/DS0, SPA-2XT3/E3, SPA-4XT3/E3, SPA-1XCHSTM1/OC3, SPA-2XOC3-POS, SPA-4XOC3-POS, SPA-1XOC12-POS, SPA-2X1GE-SYNCE, SPA-WMA-K9 |
| Network Interface Modules (NIM) | NIM-1MFT-T1/E1, NIM-2MFT-T1/E1, NIM-4MFT-T1/E1, NIM-8MFT-T1/E1, NIM-1CE1T1-PRI, NIM-2CE1T1-PRI, NIM-8CE1T1-PRI, NIM-SSD, SSD-SATA-200G, SSD-SATA-400G | N/A |
What to expect – Minimum ROMmon

For RP and ESP:

| IOS XE Denali release | RP2 | RP3 | ESP20 | ESP40 | ESP100 | ESP200 |
|---|---|---|---|---|---|---|
| 16.3.1 | 15.2(1r)S | 16.3(2r) | XNC | 15.0(1r)S | 15.3(1r)S | 15.3(1r)S |

For fixed chassis:

| IOS XE Denali release | ASR1001-X | ASR1002-X | ASR1001-HX | ASR1002-HX |
|---|---|---|---|---|
| 16.3.1 | 15.4(2r)S | 15.5(3r)S1 | 16.2(2r) | 16.2(2r) |

For SIP/MIP/ELC:

| IOS XE Denali release | SIP40 | MIP100 | 2T+20x1GE | 6TGE |
|---|---|---|---|---|
| 16.3.1 | 15.0(1r)S | 15.5(3r)S1 | 15.5(3r)S1 | 15.4(2r)S |
What to expect – image type

| | XE 3.x | XE 16.x |
|---|---|---|
| ASR1001-X, ASR1002-X | Universal image | Universal image (no change): all licenses continue to work as is; no config changes are needed besides the boot image |

RP2-based platforms move from the XE 3.x Reformation images to a universal image plus a license boot level (the "w/o crypto" feature sets map to the no-payload-encryption universalk9_npe image):

| Feature set | XE 3.x Reformation image | XE 16.x universal image | License boot level |
|---|---|---|---|
| IP BASE w/o crypto | asr1000rp2-ipbase.* | asr1000rpx86-universalk9_npe.* | ipbase |
| IP BASE | asr1000rp2-ipbasek9.* | asr1000rpx86-universalk9.* | ipbase |
| ADVANCED ENTERPRISE SERVICES w/o LI | asr1000rp2-adventerprisek9_noli.* | asr1000rpx86-universalk9_noli.* | adventerprise |
| ADVANCED ENTERPRISE w/o crypto | asr1000rp2-adventerprise.* | asr1000rpx86-universalk9_npe.* | adventerprise |
| ADVANCED ENTERPRISE SERVICES | asr1000rp2-adventerprisek9.* | asr1000rpx86-universalk9.* | adventerprise |
| ADVANCED IP SERVICES w/o LI | asr1000rp2-advipservicesk9_noli.* | asr1000rpx86-universalk9_noli.* | advipservices |
| ADVANCED IP SERVICES w/o crypto | asr1000rp2-advipservices.* | asr1000rpx86-universalk9_npe.* | advipservices |
| ADVANCED IP SERVICES | asr1000rp2-advipservicesk9.* | asr1000rpx86-universalk9.* | advipservices |

• There are no more non-k9 universal images starting with 16.2
What to expect – migrate procedure to 16.3.1
ASR 1001-X, ASR 1002-X
• If the system meets the minimum ROMmon requirements: install the 16.3.1 image and reload
• If the system does not meet the minimum ROMmon requirements: upgrade ROMmon, reload, install the 16.3.1 image, reload
RP2
• Install the 16.3.1 universal image (add the previous image as the second boot image) and reload
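Both procedures above branch on whether every slot already meets the minimum ROMmon from the tables. The following Python is added here as an example; it is not from the presentation or from Cisco. It parses `show rom-monitor <slot>` style output, compares it numerically with the 16.3.1 minimums, and deliberately refuses to mark a slot ready when the minimum cannot be compared (the ESP20 entry is given only as the train name XNC), so that case is verified by hand instead of silently passing. The sample output is constructed, and the function names and the `major.minor(build r)train` version grammar are this example's assumptions.

```python
"""ROMmon pre-flight check for the IOS XE 16.3.1 migration.

Added example, not from the presentation. The minimum versions are copied
from the tables above; the 'show rom-monitor <slot>' lines are constructed
sample output, and the version grammar assumed is major.minor(buildr)train.
"""
import re

# Minimum ROMmon per component for IOS XE Denali 16.3.1 (tables above)
MIN_ROMMON_16_3_1 = {
    "RP2": "15.2(1r)S", "RP3": "16.3(2r)",
    "ESP20": "XNC", "ESP40": "15.0(1r)S", "ESP100": "15.3(1r)S", "ESP200": "15.3(1r)S",
    "ASR1001-X": "15.4(2r)S", "ASR1002-X": "15.5(3r)S1",
    "ASR1001-HX": "16.2(2r)", "ASR1002-HX": "16.2(2r)",
    "SIP40": "15.0(1r)S", "MIP100": "15.5(3r)S1", "2T+20x1GE": "15.5(3r)S1", "6TGE": "15.4(2r)S",
}

# Constructed sample, modelled on 'show rom-monitor <slot>' output of an ASR 1006-X:
# (slot, installed component) -> first line of the command output
SAMPLE_SHOW_ROM_MONITOR = {
    ("R0", "RP2"): "System Bootstrap, Version 15.2(1r)S, RELEASE SOFTWARE (fc1)",
    ("F0", "ESP40"): "System Bootstrap, Version 12.2(33r)XNC, RELEASE SOFTWARE (fc1)",
    ("0", "SIP40"): "System Bootstrap, Version 15.0(1r)S, RELEASE SOFTWARE (fc1)",
    ("1", "MIP100"): "System Bootstrap, Version 15.5(3r)S1, RELEASE SOFTWARE (fc1)",
}

_VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)r?\)([A-Za-z0-9]*)")


def parse_rommon(text):
    """Return (major, minor, build) parsed from a ROMmon version string, or None.

    The trailing train letters (S, S1, XNC ...) are deliberately ignored:
    they name a release train, not a position in the ordering.
    """
    m = _VERSION.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def meets_minimum(installed, minimum):
    """True/False when both versions parse; None when one cannot be compared.

    The ESP20 minimum is listed only as the train name 'XNC', so it comes
    back as None and must be verified by hand rather than silently passing.
    """
    have, need = parse_rommon(installed), parse_rommon(minimum)
    if have is None or need is None:
        return None
    return have >= need


def preflight(show_rom_monitor, minimums=MIN_ROMMON_16_3_1):
    """Map each slot to 'ok', 'upgrade ROMmon', 'verify manually' or 'unknown component'."""
    verdicts = {}
    for (slot, component), text in show_rom_monitor.items():
        minimum = minimums.get(component)
        if minimum is None:
            verdicts[slot] = "unknown component"
            continue
        ok = meets_minimum(text, minimum)
        verdicts[slot] = "verify manually" if ok is None else ("ok" if ok else "upgrade ROMmon")
    return verdicts


def ready_to_install(verdicts):
    """True only when every slot is 'ok'; the ROMmon upgrade step can then be skipped."""
    return all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    result = preflight(SAMPLE_SHOW_ROM_MONITOR)
    for slot, verdict in result.items():
        print(f"slot {slot}: {verdict}")
    print("install 16.3.1 directly" if ready_to_install(result) else "upgrade ROMmon first")
```

In the constructed sample the ESP40 in F0 still runs a 12.2(33r)XNC bootstrap, so the check reports "upgrade ROMmon" for that slot and the whole chassis falls into the second branch of the procedure; any slot that the table cannot express numerically is surfaced rather than assumed good.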
Device Programmability
Figure: programmable interfaces (NETCONF, RESTconf, gRPC) on top of YANG data models (open and native, configuration and operational) covering device features (interface, BGP, QoS, ACL, ...), alongside SNMP, over physical and virtual network infrastructure.
Resources on GitHub & DevNet
• https://github.com/YangModels/yang/tree/master/vendor/cisco/xe
• https://developer.cisco.com/site/odp/
Demo
Programmability Demo
1. Provision DMVPN tunnels
2. Unprovision DMVPN tunnels
3. Introduce an error in the provisioning to observe the transactional behavior and rollback
Topology: HUB with Tunnel200 192.99.99.1; Spoke1 and Spoke2 with Tunnel200 192.99.99.3 and 192.99.99.2; loopbacks 1.1.1.1, 2.2.2.2 and 3.3.3.3.
CLI Config converted to YANG Data Model: the IOS XE CLI configuration followed by the equivalent NETCONF edit-config payload in the Cisco IOS XE native YANG model. Note that the two sides are not the same device: the CLI is the hub's Tunnel200 (192.99.99.1, source GigabitEthernet0/0/2), while the payload provisions a spoke (192.99.99.3, source GigabitEthernet0/0/1) and therefore also carries the NHRP map and NHS entries pointing at the hub.

IOS XE config:
interface Tunnel200
 description ** DMVPN Tunnel over MPLS **
 bandwidth 10000000
 ip address 192.99.99.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication NhrpAuth
 ip nhrp network-id 101
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/2
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf IWAN-PRIMARY
 tunnel protection ipsec profile DMVPN-PROFILE1

YANG data model (NETCONF payload):
<?xml version="1.0" encoding="utf-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
<native xmlns="http://cisco.com/ns/yang/ned/ios">
<interface>
<Tunnel>
<name>200</name>
<description>** DMVPN Tunnel over MPLS **</description>
<bandwidth>
<kilobits>10000</kilobits>
</bandwidth>
<ip>
<address>
<primary>
<address>192.99.99.3</address>
<mask>255.255.255.0</mask>
</primary>
</address>
<nhrp>
<authentication>NhrpAuth</authentication>
<map>
<dest-ipv4>
<dest-ipv4>192.99.99.1</dest-ipv4>
<nbma-ipv4>
<nbma-ipv4>98.99.130.6</nbma-ipv4>
</nbma-ipv4>
</dest-ipv4>
<multicast>
<ipv4>98.99.130.6</ipv4>
</multicast>
</map>
<network-id>101</network-id>
<nhs>
<ipv4>
<ipv4>192.99.99.1</ipv4>
</ipv4>
<cluster>
<clus-num>
<clus-num>0</clus-num>
<max-connections>1</max-connections>
</clus-num>
</cluster>
</nhs>
</nhrp>
<pim>
<sparse-mode>sparse-mode</sparse-mode>
<dr-priority>0</dr-priority>
</pim>
<redirects>false</redirects>
<tcp>
<adjust-mss>1360</adjust-mss>
</tcp>
<mtu>1400</mtu>
</ip>
<tunnel>
<source>GigabitEthernet0/0/1</source>
<key>101</key>
<mode>
<gre>
<multipoint/>
</gre>
</mode>
<protection>
<ipsec>
<profile>DMVPN-PROFILE1</profile>
</ipsec>
</protection>
<vrf>IWAN-PRIMARY</vrf>
</tunnel>
</Tunnel>
</interface>
</native>
</config>
</edit-config>
</rpc>
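The payload above hand-codes one tunnel. The following Python is added here as an example; it is not part of the presentation or of any Cisco tool. It generates the same native-model `<config>` element for a spoke from a few parameters and then lints the result for the settings a DMVPN tunnel should never be pushed without: IPsec tunnel protection, NHRP authentication, a tunnel key, and a TCP MSS clamp that matches the tunnel MTU. The function names, the policy checks and the spoke addresses are this example's assumptions; 98.99.130.6 is the hub NBMA address from the demo payload. The `<config>` string it returns is exactly what ncclient's `edit_config(target="running", config=...)` wraps in the `<rpc>`/`<edit-config>` envelope, and the rollback step of the demo is NETCONF's transactional handling of a rejected payload, not something this script adds.

```python
"""Build and lint a DMVPN spoke Tunnel200 NETCONF payload (IOS XE native model).

Added example, not part of the original presentation. The element layout
mirrors the <native> payload in the demo; the policy checks, the helper
names and the spoke values are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NATIVE = "http://cisco.com/ns/yang/ned/ios"  # namespace used by the demo payload
ET.register_namespace("nc", NC)
NS = {"ios": NATIVE}


def _sub(parent, tag, text=None, ns=NATIVE):
    """Append a namespaced child element, optionally with text content."""
    el = ET.SubElement(parent, f"{{{ns}}}{tag}")
    if text is not None:
        el.text = str(text)
    return el


def build_spoke_tunnel(tunnel_ip, hub_tunnel_ip, hub_nbma_ip, *, number=200,
                       source="GigabitEthernet0/0/1", vrf="IWAN-PRIMARY",
                       ipsec_profile="DMVPN-PROFILE1", nhrp_auth="NhrpAuth",
                       network_id=101, key=101, mtu=1400):
    """Return the <config> element (as XML text) for one spoke's mGRE tunnel.

    ipsec_profile=None or nhrp_auth=None deliberately omits that setting so
    the linter below can be exercised against a weak payload.
    """
    config = ET.Element(f"{{{NC}}}config")
    tunnel = _sub(_sub(_sub(config, "native"), "interface"), "Tunnel")
    _sub(tunnel, "name", number)
    _sub(tunnel, "description", "** DMVPN Tunnel over MPLS **")
    _sub(_sub(tunnel, "bandwidth"), "kilobits", 10000)

    ip = _sub(tunnel, "ip")
    primary = _sub(_sub(ip, "address"), "primary")
    _sub(primary, "address", tunnel_ip)
    _sub(primary, "mask", "255.255.255.0")

    nhrp = _sub(ip, "nhrp")
    if nhrp_auth:
        _sub(nhrp, "authentication", nhrp_auth)
    # Static NHRP mapping: hub tunnel address -> hub NBMA (transport) address,
    # plus multicast toward the hub so routing protocols can form adjacencies
    nmap = _sub(nhrp, "map")
    dest = _sub(nmap, "dest-ipv4")
    _sub(dest, "dest-ipv4", hub_tunnel_ip)
    _sub(_sub(dest, "nbma-ipv4"), "nbma-ipv4", hub_nbma_ip)
    _sub(_sub(nmap, "multicast"), "ipv4", hub_nbma_ip)
    _sub(nhrp, "network-id", network_id)
    _sub(_sub(_sub(nhrp, "nhs"), "ipv4"), "ipv4", hub_tunnel_ip)

    _sub(_sub(ip, "pim"), "sparse-mode", "sparse-mode")
    _sub(ip, "redirects", "false")
    _sub(_sub(ip, "tcp"), "adjust-mss", mtu - 40)  # 20-byte IPv4 + 20-byte TCP header
    _sub(ip, "mtu", mtu)

    tun = _sub(tunnel, "tunnel")
    _sub(tun, "source", source)
    _sub(tun, "key", key)
    _sub(_sub(_sub(tun, "mode"), "gre"), "multipoint")
    if ipsec_profile:
        _sub(_sub(_sub(tun, "protection"), "ipsec"), "profile", ipsec_profile)
    _sub(tun, "vrf", vrf)
    return ET.tostring(config, encoding="unicode", default_namespace=NATIVE)


def lint_tunnel_config(config_xml):
    """Return policy findings (strings) for every Tunnel interface in a payload.

    An empty list means each tunnel has IPsec tunnel protection, NHRP
    authentication, a tunnel key, and a TCP MSS clamp that matches its MTU.
    An mGRE tunnel without the first two carries DMVPN traffic in the clear
    and accepts NHRP registrations from anyone who can reach the NBMA address.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for tunnel in root.iterfind(".//ios:interface/ios:Tunnel", NS):
        name = "Tunnel" + tunnel.findtext("ios:name", default="?", namespaces=NS)
        if tunnel.find("ios:tunnel/ios:protection/ios:ipsec/ios:profile", NS) is None:
            findings.append(f"{name}: mGRE tunnel without IPsec protection profile")
        if tunnel.find("ios:ip/ios:nhrp/ios:authentication", NS) is None:
            findings.append(f"{name}: NHRP without authentication string")
        if tunnel.find("ios:tunnel/ios:key", NS) is None:
            findings.append(f"{name}: no tunnel key")
        mtu = tunnel.findtext("ios:ip/ios:mtu", namespaces=NS)
        mss = tunnel.findtext("ios:ip/ios:tcp/ios:adjust-mss", namespaces=NS)
        if mtu and mss and int(mss) != int(mtu) - 40:
            findings.append(f"{name}: adjust-mss {mss} does not match ip mtu {mtu} - 40")
    return findings


if __name__ == "__main__":
    # Spoke1 of the demo topology; 98.99.130.6 is the hub NBMA address from the demo payload
    payload = build_spoke_tunnel("192.99.99.2", "192.99.99.1", "98.99.130.6")
    print(payload)
    print(lint_tunnel_config(payload) or "policy OK")
    weak = build_spoke_tunnel("192.99.99.3", "192.99.99.1", "98.99.130.6",
                              ipsec_profile=None, nhrp_auth=None)
    print(lint_tunnel_config(weak))
```

Run the linter on every generated payload before it reaches `edit_config`; a spoke pushed without the IPsec profile is accepted by the device and comes up, it just runs unencrypted. The NHRP authentication string itself travels in cleartext inside NHRP packets and only keeps DMVPN clouds from registering with each other by mistake, which is why the IPsec check, not the NHRP one, is the finding that blocks a deployment.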
Packet Flows – Data Plane
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
SIP/MIP ingress data path
[Figure: SIP/MIP block diagram: SPAs/EPAs, SPA aggregation interface, Interface Aggregation ASIC (ingress classifier, ingress scheduler, egress buffer status), external ingress and egress buffers, IOCP, interconnect to the RPs and the active ESP]
1. SPA/EPA receives packet data from its network interfaces and transfers the packet to the SIP/MIP
2. Interface Aggregation ASIC classifies the packet into high/low priority
3. SIP/MIP writes packet data to external ingress buffers
4. Interface Aggregation ASIC selects among ingress queues for the next packet to send to the ESP over ESI, and prepares the packet for internal transmission
5. The interconnect transmits the packet data of the selected packet over ESI to the active ESP
ESP data processing path
[Figure: ESP block diagram: QFP complex with dispatcher, packet buffer, packet processor engines PPE1 … PPE40, BQS, TCAM, resource DRAM and packet buffer DRAM; crypto engine; FECP; interconnect to the RPs and the SIPs/MIPs]
1. Packet arrives at ESP via interconnect
2. Packet assigned to an available PPE by dispatcher
3. Input FIA invoked
   • Netflow, MQC/NBAR Classify, FW, RPF, WCCP…
4. Potentially forwarded through BQS to crypto
5. Forwarding decision is made
   • FIB lookup, MPLS, GRE, Multicast…
6. Egress FIA invoked
   • Netflow, NAT, Police/Mark, Crypto…
7. Packet forwarded through BQS for scheduling based on QoS and interface bandwidth
8. Packet leaves ESP via interconnect
SIP/MIP egress data path
[Figure: SIP/MIP block diagram: SPAs/EPAs, SPA aggregation interface, Interface Aggregation ASIC (ingress classifier, ingress scheduler, egress buffer status), external ingress and egress buffers, IOCP, interconnect to the RPs and the active ESP]
1. Interconnect receives packet data over ESI from the active ESP
2. Interface Aggregation ASIC receives the packet and writes it to external egress buffer memory
3. Interface Aggregation ASIC selects and transfers packet data from eligible queues to the SPA/EPA SPI channel (High queues are selected before Low)
4. SPA/EPA transmits packet data on the network interface
Integrated Security on ASR 1000
Next Generation Encryption (Suite B)
Key Establishment         ECDH
Digital Signatures        ECDSA
Hashing                   SHA-2
Authenticated Encryption  AES-GCM
Authentication            HMAC-SHA-2
Entropy                   SP800-90
Protocols                 TLSv1.2, IKEv2, IPsec, MACSec
ASR 1000 Cryptography Support: Improved Octeon Crypto Processor on X-series Chassis

                                 ASR 1001-X  ASR 1002-X  ASR 1001-HX  ASR 1002-HX  ESP100   ESP200
Number of Crypto Processors      1           1           1            1            1        2
Cores per processor              10          6           22           32           22       32
Clock Rate                       800MHz      800MHz      1100MHz      1200MHz      1100MHz  1100MHz
DRAM                             1GB         1GB         2GB          4x1GB        2GB      2x4GB
Crypto Throughput (SVTI @ IMIX)  6Gbps       4Gbps       15Gbps       24Gbps       15Gbps   45Gbps

Suite B crypto
ASR 1000 Integrated Zone-Based Firewall Protection: DoS, DDoS and Application Layer Detection and Prevention

TCP SYN Attack Prevention
• SYN Cookie Protection: protects against TCP SYN floods to the FW session database
• Per Zone, per VRF, per Box

Application Layer Protocol Inspection
• Conformance checking, state tracking, security checks with granular policy control
• Over 20 Inspection Engines:
  • UC: SIP, Skinny, H.323, RTSP…
  • Enterprise Apps: Voice/Soft phones
  • Core Protocols: FTP, FTP66, SNMP, DNS, POP3, …
  • Database & O/S: LDAP, NetBIOS, Microsoft RPC, …

Half Open Session Limit
• Protects the Firewall Session Table from attacks that could be based on UDP, TCP and ICMP
• Half open session limits are configurable:
  • Per Box and VRF level
  • Per Class supported initially
• FW resources are managed effectively with the half open session limit configuration knobs
• Logs are generated when limits are crossed

Basic Threat Detection
• Enables detection of possible threats, anomalies and attacks per Zone
• Monitors the rate of pre-defined events in the system; alerts are sent to Sys/HSL logs
• Reports drops due to basic FW check failures and L4 inspection failures, and the count of dropped SYNs
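As an added illustration of the half open session limit described above (this is example code, not the ASR 1000 firewall implementation), the Python below keeps a per-box and per-VRF count of sessions that have started but not completed, refuses to add entries beyond a ceiling, and writes a log record when a ceiling is crossed. The limits, VRF names and flow tuples are constructed; the class and method names are this example's own.

```python
"""Half-open session limiting per box and per VRF, with a log on crossing.

Added example, not the ASR 1000 firewall code. It models the mechanism the
slide describes: count sessions that have started (TCP SYN, or the first
UDP/ICMP packet) but never completed, refuse new half-open entries once a
per-VRF or per-box ceiling is reached, and emit one log record each time a
ceiling is crossed. Limits, VRF names and flows below are constructed.
"""
from collections import defaultdict


class HalfOpenLimiter:
    def __init__(self, box_limit: int, vrf_limits: dict = None):
        self.box_limit = box_limit
        self.vrf_limits = dict(vrf_limits or {})  # VRFs without an entry: box limit only
        self.half_open = set()                     # (vrf, flow) entries awaiting completion
        self.per_vrf = defaultdict(int)
        self.logs = []                             # what would go to syslog / HSL
        self._alerted = set()                      # scopes already logged while over limit

    def _log_once(self, scope: str, limit: int) -> None:
        """Log the first rejection per scope, not every dropped packet."""
        if scope not in self._alerted:
            self._alerted.add(scope)
            self.logs.append(f"HALF_OPEN_LIMIT_EXCEEDED scope={scope} limit={limit}")

    def new_session(self, vrf: str, flow: tuple) -> bool:
        """A session-opening packet arrived; return True if the firewall may
        create a (half-open) session entry for it."""
        key = (vrf, flow)
        if key in self.half_open:                  # retransmission: already counted
            return True
        vrf_limit = self.vrf_limits.get(vrf)
        if vrf_limit is not None and self.per_vrf[vrf] >= vrf_limit:
            self._log_once(f"vrf:{vrf}", vrf_limit)
            return False
        if len(self.half_open) >= self.box_limit:
            self._log_once("box", self.box_limit)
            return False
        self.half_open.add(key)
        self.per_vrf[vrf] += 1
        return True

    def session_done(self, vrf: str, flow: tuple) -> None:
        """Handshake completed, RST seen, or the embryonic timer expired:
        the entry no longer counts against the half-open ceilings."""
        key = (vrf, flow)
        if key in self.half_open:
            self.half_open.discard(key)
            self.per_vrf[vrf] -= 1
            self._alerted.discard(f"vrf:{vrf}")   # re-arm logging for the next crossing
            self._alerted.discard("box")


# Constructed flows: (src, sport, dst, dport), all aimed at one inside server.
FLOWS = [(f"198.51.100.{i}", 40000 + i, "10.1.1.10", 443) for i in range(10)]

if __name__ == "__main__":
    lim = HalfOpenLimiter(box_limit=5, vrf_limits={"IWAN-PRIMARY": 3})
    print([lim.new_session("IWAN-PRIMARY", f) for f in FLOWS[:4]])
    print([lim.new_session("global", f) for f in FLOWS[4:7]])
    print(lim.logs)
```

Two properties matter for a real deployment and are visible in the toy: a retransmitted SYN must not consume a second slot, and the per-VRF ceiling is checked before the per-box ceiling so one tenant cannot exhaust the whole session table before its own limit trips.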
ASR 1000 Security Certifications
• FIPS 140, Level 2
• Common Criteria EAL4
• NSA Suite B
• Hardware Assist
ASR 1000 IPSec Performance & Scale

                                      ASR 1001-X  ASR 1002-X  ASR 1001-HX  ASR 1002-HX  RP2|RP3 ESP20  RP2|RP3 ESP40  RP2|RP3 ESP100  RP2|RP3 ESP200
Encryption Throughput w/ sVTI (IMIX)  6Gbps       4Gbps       15Gbps       24Gbps       4Gbps          7Gbps          15Gbps          45Gbps
VRFs                                  8k          8k          8k           8k           8k             8k             8k              8k
Total Tunnels (Site to Site IPSec)    8k          8k          8k           8k           8k             8k             8k              8k
Tunnel Setup Rate (per second)        130         130         130          130          130            130            130             130
DMVPN / BGP Adjacencies               4k          4k          4k           4k           6k             6k             6k              6k (RP2), 10k (RP3)
DMVPN / EIGRP Adjacencies             4k          4k          4k           4k           4k             4k             4k              4k
FlexVPN (IKEv2/DVTI)                  10k         10k         10k          10k          10k            10k            10k             10k
ASR 1000 Applications & Solutions
ASR 1000 APPLICATIONS: Carrier Ethernet & MPLS VPN

MPLS L3VPN Applications
• VRF-Lite/Multi-VRF CE
  • Sub-interface per VRF for CE/PE
  • Up to 8,000 VRFs
• MPLS VPN (RFC 2547)
  • IPv4 & IPv6
  • MPLS QoS
• MPLS over (m)GRE overlay for large enterprise VPN
• MPLS TE FRR
  • FRR Link, Path & Node protection
  • RSVP & BFD triggered FRR
• Multicast VPN
  • Encapsulation: IP/GRE, LSM
  • Core Tree Signalling: PIM, mLDP
  • C-Multicast Signaling: PIM, BGP
  • Service: IPv4, IPv6
[Figures: Multicast VPN (PMSI instances between PEs across the provider network, multicast source and receiver); MPLS VPN over GRE (West, East and North WAN-PEs over an SP IP service)]
ASR 1000 Carrier Ethernet Capabilities
• Support for Ethernet Virtual Circuit (EVC) infrastructure
  • VLAN tags (single, double, ambiguous, untagged)
  • 802.1ad S-VLANs
  • Custom EtherType (e.g. IPv4/v6, PPPoE Discovery, PPPoE session)
  • CoS Support
• Flexible EVC Forwarding Service
  • Bridge Domain, Xconnect, Bridge Domain Interface, Pseudowire
• Ethernet OAM
  • Link OAM, CFM, 802.1ag + Y.1731 extension, 802.3ah, Loopback, ELMI
• Support for E-Line, E-LAN, E-Tree
  • Port/VLAN modes with interworking and local switching
• Strong UNI features
  • HQoS, Security ACL, MAC Security
  • Flexible Tag Matching and Manipulation
[Figure: EFPs on physical ports feeding bridge domains (BD), a BDI into L3/VRF, an L2 VFI for L2 multipoint bridging, connect/hair-pin and xconnect to pseudowires and routed pseudowires toward MPLS; L2 interworking with ATM/FR EFPs not yet supported]
An Ethernet Flow Point (EFP) service instance is a logical interface that connects a bridge domain to a physical port.
VPLS Services
• VPLS Full-mesh, Hub/Spoke & H-VPLS Provider Edge
• 1M MAC Addresses
• Broadcast, Unknown Unicast and Multicast (BUM) control
• VPLS over GRE/IPSec
• VPLS Auto-discovery
  • LDP Signal (RFC 6074)
  • BGP Signal (RFC 4761)
• Inter-AS support
  • Option A (BGP Signal)
  • Option B, C (LDP Signal)
• U-PE dual-homing
  • Multiple spanning tree with control pseudowire
• Routed Pseudowire
  • VPLS circuit terminated on Bridge Domain Interface
[Figure: CEs attached to U-PE/H-VPLS PEs and N-PEs; a full mesh of targeted LDP sessions exchanges VC labels over tunnel LSPs; attachment VCs are port mode or VLAN ID]
CE: Customer Edge Device
N-PE: Network Facing Provider Edge
U-PE: User Facing Provider Edge
VSI/VFI: Virtual Switching/Forwarding Instance
Segment Routing: Simplifying the Transport
• Source Routing: the source chooses a path and encodes it in the packet header as an ordered list of segments
• Segment: an identifier for any type of instruction, forwarding or service
• IGP only: no LDP, no RSVP-TE
• ECMP
• Interworking with LDP: ease of migration
• Topology independent 50msec FRR
• Supports all existing VPN services
• Engineered for SDN
[Figure: SR WAN running an IGP; a VPN packet carries a node segment to Z (16006) and an adjacency segment to N, traversing nodes B, C, N and O]
Segment Routing Traffic Engineering
Single IGP Domain
1. Information Distribution: IGP (OSPF or IS-IS) SR extensions are used to flood bandwidth information between routers together with SR SIDs and the SRGB
2. CSPF does path calculation on the headend only; it uses the IGP advertisements to compute SRTE “constrained” paths
3. Forwarding traffic: static route, autoroute announce, etc.
[Figure: the headend pushes the label stack 16001 / 24005 / 16006 onto the VPN packet; IGP topology + TE link attributes + SR SID + SRGB = TED]
BGP-LS and PCE (IGP Domain 1, IGP Domain 2)
1. BGP-LS specifies sets of TLVs that define three objects, Nodes, Links and IP Prefixes, in a new NLRI type; the BGP-LS attribute encodes the properties of the objects, such as node names, IGP metric, TE metric…
2. The Path Computation Element (PCE) computes the network path or route based on a network graph, applying computational constraints
3. The Path Computation Client (PCC) initiates the LSP and delegates path computation to the PCE
[Figure: IGP Domain 1 and IGP Domain 2 export their TEDs via BGP Link State through route reflectors to the PCE (TED + LSP DB); the headend acts as PCC toward the tail nodes]
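To make the two segment types concrete, here is an added Python example (not code from the deck) that applies the slide's conventions to a constructed topology: an SRGB starting at 16000, so node Z with index 6 gets node-SID 16006, and an adjacency SID 24005 outside the SRGB, assumed here to be the B->N link. The node names, IGP metrics and adjacency-SID assignment are constructed. A node segment is followed along the IGP shortest path and popped when the node is reached; an adjacency segment forces one specific link and is only valid at the node that advertised it, which is exactly how a headend steers traffic off the IGP path in the SR-TE slide.

```python
"""Segment Routing label-stack forwarding over a toy IGP topology.

Added example, not from the deck. SRGB base 16000 and the label values 16006
and 24005 follow the slide; the six-node topology, its metrics and the
decision that 24005 is the adjacency SID for the B->N link are constructed.
"""
import heapq

SRGB_BASE, SRGB_SIZE = 16000, 8000
NODE_INDEX = {"A": 1, "B": 2, "C": 3, "N": 4, "O": 5, "Z": 6}  # constructed SR indices
INDEX_NODE = {i: n for n, i in NODE_INDEX.items()}
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("C", "Z"): 1,         # constructed IGP metrics
         ("A", "N"): 2, ("N", "O"): 1, ("O", "Z"): 1, ("B", "N"): 1}
ADJ_SID = {24005: ("B", "N")}                                  # constructed: adj-SID advertised by B

GRAPH = {}
for (u, v), w in LINKS.items():                                # links are bidirectional
    GRAPH.setdefault(u, {})[v] = w
    GRAPH.setdefault(v, {})[u] = w


def node_sid(name: str) -> int:
    """Global node segment = SRGB base + the node's SR index."""
    return SRGB_BASE + NODE_INDEX[name]


def shortest_path(src: str, dst: str) -> list:
    """Dijkstra over the IGP metrics. Equal-cost ties are broken by node name
    so the result is deterministic (a real router would hash across ECMP)."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, w in sorted(GRAPH[u].items()):
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    path, cur = [dst], dst
    while cur != src:
        cur = prev[cur]
        path.append(cur)
    return path[::-1]


def forward(headend: str, label_stack: list) -> list:
    """Walk a packet carrying the given SR label stack from the headend and
    return the nodes it traverses. Node segments are popped when the target
    node is reached; an adjacency segment is popped by the node that owns it."""
    stack, node, path = list(label_stack), headend, [headend]
    while stack:
        label = stack[0]
        if SRGB_BASE <= label < SRGB_BASE + SRGB_SIZE:          # node segment
            target = INDEX_NODE[label - SRGB_BASE]
            if node == target:
                stack.pop(0)
                continue
            node = shortest_path(node, target)[1]               # IGP next hop
        elif label in ADJ_SID and ADJ_SID[label][0] == node:   # local adjacency segment
            stack.pop(0)
            node = ADJ_SID[label][1]
        else:
            raise ValueError(f"label {label} is not valid at node {node}")
        path.append(node)
    return path


if __name__ == "__main__":
    print(forward("A", [node_sid("Z")]))                         # plain IGP path to Z
    print(forward("A", [node_sid("B"), 24005, node_sid("Z")]))   # steered over the B->N link
```

Running it shows the contrast the slides draw: with only the node segment 16006 the packet takes the IGP shortest path A-B-C-Z, while the stack 16002 / 24005 / 16006 forces A-B, then the B->N adjacency, then N-O-Z, without any per-flow state on the transit nodes. Presenting 24005 at a node other than B raises an error, mirroring the fact that an adjacency SID has meaning only on its advertising router.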
ASR 1000 APPLICATIONS: Internet Edge
Enterprise Internet Edge Profile
[Figure: two ASR1013 chassis (RG active / RG standby, port-channel, TenGig3/TenGig4 links) between a LAN VSS and ISP1, ISP2 (IPv6) and ISP3 (Inet II)]
• Routing: up to 5 full ISP peerings
• HQoS, ACL, FNF, CoPP
• Services:
  • NAT: NAT44/NAT64, VRF Aware, VASI
  • ZBFW
  • ALG
  • AVC
• Stateful inter-chassis redundancy
• Topology: LAN-WAN, LAN-LAN
• Platforms: ASR1001-X/ASR1002-X, RP2/ESP40
ASR 1000 APPLICATIONS: Secure VPN
VPN Solutions Overview
IPsec-based VPNs:
• DMVPN: Multipoint GRE Tunnels, NHRP, IKEv1/IKEv2
• GETVPN: Crypto Map, GDOI, IKEv1/IKEv2
• FlexVPN: Dynamic VTI, IKEv2
• Easy VPN: Dynamic VTI, Crypto Map, IKEv1
SSLVPN: TLS
VPN Selection Criteria for Key Solutions
• The roadmap on VPN Services is aligned with Cisco recommendations

Key Solutions                DMVPN  GETVPN  FlexVPN (dVTI, IKEv2)  SSLVPN (TLS)  Easy VPN (IPsec tunnels, IKEv1)  IPsec VPN (CM, VTI, p-pGRE)
Remote Access (SW Clients)   N/A    N/A     SR                     SR            NR                               NR
IoT                          SR     N/A     SR                     N/A           NR                               NR
IWAN 2.x                     SR     N/A     N/A                    N/A           N/A                              N/A
DC WAN Edge                  N/A    SR      N/A                    N/A           N/A                              NR
MPLS VPN over MGRE           N/A    SR      N/A                    N/A           N/A                              NR

SR = Supported and Recommended
NR = Supported but Not recommended
WAN MACSec Applications
• MKA based keying (IEEE 802.1X-2010)
• 802.1AE strong encryption
  • 128/256 bit AES-GCM, NIST approved, line rate performance
• VLAN tag in clear option
• Point-to-point
  • Port based E-LINE Service
  • VLAN based E-LINE Service
• Point-to-Multipoint
  • Port based E-LAN Service
  • VLAN based E-LAN Service
• 32 peers on 10GE; 8 peers on GE
• Transporting SGT tag with WAN MACSec
[Figure: DC1 and DC2 connected over a Metro E-LINE; Main Building 1 and Buildings 2, 3 and 4 connected over a Metro E-LAN]

ASR 1000 APPLICATIONS: Datacenter Interconnect (DCI)
Data Center Interconnect: connect large branch and regional aggregate sites to the DC
DCI with OTV
Use Cases
• Datacenter maintenance/DR workload mobility (i.e. vMotion)
• Active/Active Datacenters (HA Clustering, i.e. MSCS, VMware Cluster)
• Legacy Applications (non-IP/routable apps, i.e. NetBIOS)
Security
• IPsec/GETVPN/MACSec
High Availability
• Built-in loop prevention
• Built-in multi-homing
• Preserve failure boundary
• All paths active
• FHRP
Connectivity
• IP Core (unicast & mcast)
• Optimal multicast replication
• +LISP for optimal routing
• 8 routers in most deployments
• Interop with N7k
• Support Fragmentation
[Figure: ASR1K OTV edge devices A, B and C attached to an IP core through OTV join interfaces; Ethernet frames are encapsulated in IP packets between edge devices and decapsulated at the far side. MAC table on Edge Device A: MAC1 → Eth1, MAC2 → IP B, MAC3 → IP B. MAC table on Edge Device B: MAC1 → IP A, MAC2 → Eth 1, MAC3 → Eth 2]
VXLAN Enables Scale and Flexibility in the Datacenter
[Figure: VXLAN (MAC in IP) over an IP/MPLS core, unicast or multicast, between hypervisors, the Internet and ASR 1000 gateways]
• VXLAN L2 Gateway: VXLAN to 802.1q
• VXLAN L3 Gateway: VXLAN to Routed
  • VXLAN to L3 VRF mapping
Scale
• 4,000 VXLAN Tunnel Endpoints (VTEPs)
• Up to 16k VXLAN Network Identifiers (VNIs)
• Up to 16k Bridge Domain Interfaces (BDIs)
• Up to 1M MAC addresses
Use Cases
• VXLAN-VXLAN Interworking
• VLAN-VXLAN Interoperability
• VXLAN-VPLS Interoperability
• VXLAN-VRF Integration
Standard
• MAC-in-IP: RFC 7348
• Unicast (Ingress replication) or Multicast (BiDir) for peering and MAC reachability
Connectivity
• Provides L2 connectivity between virtual switches in hypervisors, hardware switches and hardware routers
• VXLAN extends subnets to virtualized resources
EVPN L3 DCI – WAN Solution: ’GOLF’ Design
[Figure: DC spines and leafs, DC Edge, PEs, WAN and branch; VRF Green, VRF Orange and VRF Purple carried over MP-BGP with VXLAN encapsulation]
• Connecting to DC Edge from Spines (directly connected or IPN)
• Single MP-BGP session to carry routes for multiple tenants (VRFs)
• VXLAN handoff to DC Edge
• DC can be
  1. Standalone N9k fabric – ASR1k as a border leaf
  2. ACI Mode – ASR1k as a border leaf using OpFlex
• DC Edge WAN facing side can be
  1. Back to back VRF-Lite with L3 sub-interfaces/tunnels
  2. MPLS VPN PE or ASBR (IAS option B)
• WAN – MPLS VPN (GETVPN), DMVPN, IWAN2.x
ACI WAN Integration using OpFlex
[Figure: OpFlex peering between the ACI fabric and the OpFlex-PE / OpFlex-PR WAN router for VRF Green, VRF Orange and VRF Purple]
One Time Manual Pre-Configuration, required for:
• Establishing IP reachability for the underlay
• Instantiating on the WAN router an OpFlex framework to the ACI fabric
Recurring Tenant Configurations
• WAN side configuration on the WAN router is manual or orchestrator driven
• Fabric facing configuration is created on APIC and dynamically pushed via OpFlex
OpFlex is a communication protocol used between the fabric and the DC Edge to enable fabric facing tenant automation.
ACI Trustsec Integration
[Figure: spines and leafs in the ACI policy domain; DC Edge | WAN Trustsec border router in the Trustsec policy domain; MP-BGP between them]
• Policy Plane: exchange SGT/EPG; ISE pulls the EPG (ClassID, VNI) for translation; RADIUS downloads the translation table to the ASR1k
• Control Plane: BGP EVPN | OpFlex
• Data Plane: VXLAN-GBP
• SGT <-> EPG translation
• SGT propagated over L3 networks

ASR 1000 APPLICATIONS: Intelligent WAN (IWAN)
Intelligent WAN (IWAN) Architecture
[Figure: IWAN 2.2 topology: branch routers BR11/BR12, BR21/BR22, BR31, BR41 and BR51/BR52 (10.3.3.0/24, 10.4.4.0/24, 10.5.5.0/24) reach IWAN POP1 (10.1.0.0/16) and IWAN POP2 (10.2.0.0/16) over DMVPN-MPLS and DMVPN-INET; DC1 and DC2 sit behind the DC IWAN core (10.0.0.0/8)]
• Transport Independence: Simplified Hybrid WAN
• Intelligent Path Control: Application Aware Routing
• Application Optimization: Enhanced Application Visibility and Performance
• Secure Connectivity: Comprehensive Threat Defense
• Management Automation
Summary and Key Takeaways
• ASR 1000 is the Swiss Army Knife to solve your tough network problems
• Reduce complexity in your network edge
• ASR 1000 is well positioned for both Enterprise and Service Provider Architectures
• ASR 1000 is at the heart of Cisco IWAN solutions
• Come see it live at our WoS Booth!

Relevant Sessions at Cisco Live 2017
Breakout Sessions
• BRKCRS-3147 Advanced troubleshooting of the ASR1K and ISR 4451-X made easy

Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Q & A
Thank You