Cisco Unified Access Roadshow Enterprise Backbone Technologies Enabling BYOD and Collaboration
Transcript of Cisco Unified Access Roadshow Enterprise Backbone Technologies Enabling BYOD and Collaboration
Cisco Confidential© 2012 Cisco and/or its affiliates. All rights reserved. 1
Vivek Baveja
Technical Marketing Engineer
Enterprise Networking Group
Use Cases: Backbone Support for BYOD, Video, and Collaboration
(Diagram: core, distribution and access layers of the campus)
Questions to be answered:
• How do I manage this at an enterprise level?
• How do I monitor this at an enterprise level?
• How do I provide a consistent user experience?
• How do I secure my device and user communities?
• How do I build a scalable, secure, converged wired/wireless campus network to support these trends?
• How do I bring both corporate and employee-owned devices on to the network?
• What services do I need to enable the infrastructure?
Cisco Catalyst 6500: Top Questions from Customers
• When do I use Catalyst 6500 instead of Nexus 7000?
• What is the future of the 6500?
• How does the 6500 with Sup2T fit into a BYOD infrastructure?
• How do I secure the campus for BYOD?
• How can Catalyst 6500 provide the necessary network visibility for my BYOD infrastructure?
Backbone Switching Strategy, Portfolio and Areas of Investment
Positioning the Correct Solution: Cisco Catalyst in the Campus to Support BYOD and Collaboration
Engineering investments and roadmap follow positioning.
Campus:
• Backbone: lead with Catalyst 6500 Sup2T
• Distribution: lead with Catalyst 6500 Sup2T
• Access: lead with Catalyst 4K / 3K
Data Center:
• Backbone: lead with Nexus 7000
• Aggregation: lead with Nexus 7000
• Access: lead with Nexus 5000/2000
Cisco Catalyst or Nexus? Drivers: Mobility/BYOD, Security, Video, Workload Mobility, VM, 10G/Virtualization, Energy Efficiency.
Switching Requirements: Difference Between Campus and Data Center
Campus (Catalyst Family - IOS):
• User Access Control / Segmentation: 802.1X / Easy Virtual Networks (EVN)
• Video Intelligence: Medianet
• Wired / Wireless Convergence: Wireless Controller Integration
• Application Visibility: Flexible NetFlow, NAM-3 (NBAR2)
• Power over Ethernet: UPOE, EnergyWise
Data Center / Cloud (Nexus Family - NX-OS):
• Cloud Security and VM Awareness: Nexus 1000v, VSG, ASA 1000v
• VM Mobility: LISP, VXLAN, OTV
• LAN / SAN Convergence: Unified Ports, FCoE
• Fabric Scale & Resilience: FabricPath, vPC, Wire Speed 10/40/100G
• Data Center Consolidation: VDC, FEX, DCNM
Customer requirements/needs ultimately drive the sale.
Cisco Catalyst 6500 Strategy and Direction: Supporting BYOD and Collaboration Trends
Themes: Innovation, Transition, Differentiation, Lower TCO.
• Price/Performance, Virtualization, Simplified Operations, and Change Management
• The Network Services Platform for Unified Access
• Driving Next-Gen Ethernet in the Campus: 1G » 10G » 40G » 100G
• Innovation with Investment Protection
• Cisco Catalyst 6500 E-Series
Cisco Catalyst 6500 Installed Base in Perspective: Driving Future Investment Decisions
• FY12 Cat 6500 port share of total modular industry*: Cat 6500E 25%, rest of market
• Investment surrounding Sup2T development: $200+ million (compare with Tesla Motors' $150M investment for the first fully electric sports car)
• $200+ million investment planned over the next 3 years alone: rich network services, Ethernet evolution, lower TCO, investment protection
• 750,000+ chassis shipped; 1.2 million supervisors shipped; 110 million ports shipped; 45,000+ Catalyst 6500 customers
*Assuming Dell'Oro as a baseline for industry total modular
Cisco Catalyst 6500 Portfolio: Hardware You Need to Support BYOD and Collaboration Trends
• Sup2T
• Services modules: WiSM2, NAM-3, ASA-SM
• 1GbE fiber and copper: 6824, 6848 (fiber, high-performance access); 6848, 6148 45AT (copper access)
• 10GbE fiber and copper: 6816 (40G/slot); 6816, 6908, 6904 (80G/slot)
• 40 GbE fiber: 6904, FourX, LR4, SR4
(Slide note: items highlighted in purple are BYOD, collaboration and video enablers.)
Sup2T Overview: Sup720 vs. Sup2T
Feature               Sup720               Sup2T
L2 MAC Table          96K                  128K
Bridge Domains        4K                   16K
TrustSec / SGT        –                    Yes
VNET Trunk (EVN)      –                    Yes
40G Interfaces        –                    Yes
System Bandwidth      720 Gbps             2 Tbps
L3 Interfaces         4K                   128K
NetFlow Table         128K/256K            512K/1M
Flexible NetFlow      –                    Yes
Hitless ACL Updates   32K                  Yes
Medianet 2.2          –                    Yes
VPLS / A-VPLS         Requires WAN module  Yes (no WAN module)
VSS Quad Sup SSO      –                    Yes
BYOD and Collaboration with Supervisor 2T: Scalability Enhancements
• 4X scalability, 3X performance
• New PFC4 featuring improved levels of performance and scalability along with new enhanced hardware features
• New MSFC5 supporting dual-core CPU and single IOS image
• Improved switch fabric providing 80G/slot
• USB-based console support
• Connectivity Management Processor (CMP)
• Cisco Prime
BYOD and Collaboration with Supervisor 2T: Scalability Enhancements
6800 Series with DFC4 (distributed forwarding performance at central forwarding price):
• 40G/slot with integrated DFC4
• 24 and 48 ports 1GbE fiber
• 48 ports 10/100/1000 copper
• 16 ports 10GbE fiber and 10GBASE-T
• Available in standard and XL sizes
6900 Series with DFC4 (doubled system performance, with distributed forwarding):
• Non-blocking 80G/slot performance
• Wire-rate MACsec
• Virtual switching link (VSL)
• Large packet buffers (256 MB/port)
• X2 transceiver or SFP+ with adapter
• Available in standard and XL sizes
• LISP-ready
4-port 40G: $36,000; optics CFP-40G-SR4, FourX, CFP-40G-LR4
BYOD and Collaboration with Supervisor 2T: Make Your Catalyst 6500 Ready
Sup720 module                    Sup2T
6704, 6724, 6748 with CFC        Supported
6708-10G Fiber                   Special TMP program for upgrade
6716-10G/10T with DFC3           WS-F6K-DFC4-E
6704, 6724, 6748 with DFC3       WS-F6K-DFC4-A
61xx Series                      6148E, 6148A, 6148-SFP, 6196
Service Modules                  NAM-1/2/3, ACE20/30, WiSM-1/2, FWSM, ASA-SM
WAN Modules                      Not supported (use Sup720-10G or ASR for WAN)
VPN SPA                          Not supported (ASA-SM to get IPsec VPN)
BYOD and Collaboration with Supervisor 2T: Service Modules Enable Key Capabilities
Next-generation WiSM blade: WiSM-2 (NEW) - integrate wired / wireless management
• Performance: 20 Gbps
• Access points: 500-1,000
• Clients: 15,000
• Concurrent AP upgrade/joins: up to 500
• Mobility domain size: up to 18,000 APs
Next-generation NAM blade: NAM-3 (NEW) - enhance application visibility
• Monitoring performance: up to 15 Gbps
• Capture to external disk: up to 5 Gbps
• Deep packet inspection: NBAR-2 support
• HW filters / packet captures: rapid troubleshooting
Next-generation firewall blade: ASA-SM (NEW) - deliver robust, integrated, streamlined security; OS / feature parity with appliances
• 64 Gbps system performance; 16 Gbps performance per service module
• 10,000,000 concurrent sessions; 300,000 connections per second
• 250 security contexts; 1,000 VLANs
BYOD and Collaboration with Supervisor 2T: Catalyst 6500 for the BYOD Backbone
(Chart: feature richness against scalability, from fixed to modular platforms)
Cisco Catalyst 3750-X (fixed):
• TrustSec: MACsec, SGT, SGACL
• AVC: Medianet, Flexible NetFlow
Cisco Catalyst 4500-X (fixed):
• TrustSec: MACsec, SGT, SGACL, EVN
• AVC: Flexible NetFlow / EEM integration, Integrated Wireshark
• Resiliency: VSS
Cisco Catalyst 4500E (modular):
• TrustSec: MACsec, SGT, SGACL, EVN
• Resiliency: Sup redundancy, NSF/SSO, ISSU
• AVC: Flexible NetFlow / EEM integration, Integrated Wireshark
• Smart Operations: Copper/PoE flexibility, EEM, GOLD
Cisco Catalyst 6500E (modular):
• TrustSec: L3 SGT, MACsec over EoMPLS, MPLS L3VPN, VPLS / A-VPLS, L2oMGRE, 6PE, 6VPE, Advanced CoPP, ASA-SM
• AVC: PIM Register in HW, IGMPv3 / MLDv2 Snooping in HW, Egress NetFlow, Per-VRF NetFlow, NAM-3, WiSM-2
• Resiliency: Quad Sup VSS*, BGP PIC, EFSU, BFD / Multicast BFD, Multicast HA, ACL Hitless Commit, ACL Dry Run
• Smart Ops: EEM, GOLD, Smart Call Home, Smart Install Director, LISP, WCCPv3
*Roadmap
Differentiating Features to Support BYOD / Collaboration in the Backbone
Integrated Service Modules
Advantages of Integrated Solution: Simplification, Scalability and Lower TCO
Simplified manageability
• Managed as a single entity with backplane integration
• Integrated application intelligence, traffic analysis, and performance troubleshooting
• Remote monitoring with RSPAN/ERSPAN
Increased scalability
• Virtual contexts to support virtualization for BYOD
• Service modules match the latest appliance specification speeds/feeds
Lower total cost of ownership
• Reduced network footprint
• No external connectors
• Improved power management
• Reduced rack space utilization
NAM-3 L3-7 Application Visibility: Providing Better Insight for a BYOD Infrastructure
• Consistent application visibility from branch to data center, across the application delivery lifecycle: monitoring, troubleshooting, control and optimization
• Can work with Flexible NetFlow as a collector (local or external devices)
• Service-centric causal analysis across application and network traffic flows
• Application (L7) specific packet analysis (NBAR-2*)
• Wireless CAPWAP decode
• Can be managed by Cisco Prime
*CY Q4 2012
Wireless Services with WiSM-2: Supporting Campus Wireless and BYOD
One device for converged wireless and wired services supporting next-generation wiring closet infrastructures.
(Hardware callouts: status LEDs, serial & USB console ports, dedicated 12-core control processor, dedicated 12-core data processor, 20 Gb backplane channel)
Reduced operational costs:
• Scale: 1000 access points, 15,000 clients
• Central maintenance: simultaneous AP upgrade, troubleshooting
• Mobility: 36,000 APs in mobility domain, fast roaming
• Performance: 10 Gbps throughput
• New features: Application Visibility and Control (AVC), NetFlow v9, Bonjour support, NMSP location services, stateful AP failover with VSS
WiSM-2 GUI tools: ISE, Prime
Catalyst WiSM-2 as Bonjour Gateway*: Improving Campus WLAN Performance for BYOD
(Diagram: a core switch and Catalyst 6500 with WiSM-2 serve access switches 1 to 4 and an AP. Room 201 hosts printer-201 and atv-201; Room 203 hosts printer-203 and atv-203. Two users in room 201, John (role: Student, location: room201) and Adam (role: Faculty, location: room201), each ask "What services can I use?"; the Bonjour gateway answers one with printer-201 and atv-201 and the other with printer-201 only, according to role.)
*Q4 CY2012
Firewall Services with ASA-SM: High Performance Platform with Security Directly in the Backbone
• Security service processors: multi-services capable; dedicated 64-bit multicore processors; future-proof hardware
• Multigigabit fabric: chassis backplane; virtualized interfaces; module-to-module communications
• Dual crypto accelerators: hardware processing; accelerated Virtual Private Networking and Unified Communications encryption
• Multiple contexts (250): high capacity; memory for handling high session counts; 24 GB of memory
• NAT64, VPN site-to-site services*
*Roadmap
Catalyst for a Secure Campus: Securing the BYOD Infrastructure at Multiple Layers
(Diagram: campus core of Catalyst 6500 with ASA-SM, campus block with access layer, protected corporate resources, Internet, visitor conference room, employee Telepresence room)
• Network Edge Authentication Topology: How do I extend security outside the wiring closet?
• ACL Atomic Commit: How can I get zero traffic disruption when modifying ACLs?
• Integrated Firewall Module: How can I get DPI and stateful connections?
• Control Plane Policing (CoPP) / HWRL: How do I insulate the CPU from heavy protocol traffic?
• ASA Clustering: How do I scale campus firewall performance?
Secure On-Boarding for BYOD: Easy Virtual Networks (EVN) and ASA-SM Segregate BYOD from Corporate-Issued Devices
(Diagram: Cisco Catalyst 6500 VSS 4T with WiSM2, ASA-SM and NAM-3; access control and path isolation lead to ASA-SM firewall / IPS services in the backbone)
Trusted devices: SSID → Identity → Device Sensor → VLAN X → VRF X → Firewall Context X
Untrusted devices: SSID → Identity → Device Sensor → VLAN Y → VRF Y → Firewall Context Y
• BYOD devices need the same access as corporate devices
• Greater inspection required for BYOD devices
• BYOD devices don't get mandatory virus/security updates
• Path isolation across the network to IPS or ASA-SM to maintain compliance (HIPAA, PCI, FISMA)
Security and Application Visibility Services
Cisco Catalyst for Device Security Across Non-TrustSec Domains
(Diagram: two TrustSec domains joined across a non-TrustSec domain by L3 SGT transport. Subnets 192.168.10.0/24 (SGT10), 192.168.20.0/24 (SGT20) and 192.168.30.0/24 (SGT30) sit behind gateways 192.168.10.1, 192.168.20.1 and 192.168.30.1; a server on 192.168.200.0/24 (SGT30) sits behind 192.168.200.1. The Identity Service Engine provides manual or dynamic subnet mapping; SGACL enforcement is applied, and SGACL packet drops are monitored with Flexible NetFlow.)
Header change for L3 SGT transport: packets are sent with "transport mode" ESP to carry the SGT without encryption or data authentication. The packet overhead (42-45 bytes) impacts IP MTU/fragmentation.
IPv6: First-Hop Security and uRPF: Prepare and Secure Your New IPv6 Wired and Wireless Network
(Diagram: IPv6/IPv4 dual-stack hosts on L2 access, access layer, distribution layer, core layer (L3), WLC, IPv6 WAN)
• IPv6 NDP inspection: prevents neighbor discovery spoofing attacks
• IPv6 RA Guard: stops false router advertisement threats
• IPv6 PACL: filter traffic on Layer 2 ports
• IPv6 device tracking: revoke network access for inactive devices
• IPv6 uRPF: blocks spoofed traffic in hardware (16 paths)
BYOD Requires More Traffic Visibility: The Case for Flexible NetFlow
Typical causes of poor application performance: bandwidth/capacity bottleneck; unauthorized use of network resources; security monitoring; monitoring non-corporate devices.
(Diagram: Campus Buildings A, B and C connected through the campus core to the Internet and a NOC, with numbered monitoring points 1 to 4)
Traffic visibility with Flexible NetFlow: Flexible NetFlow provides the application visibility needed to answer questions on the "who, what, when, where, how" of network activities in order to:
• Identify root cause more easily, faster and more accurately
• Assign problem ownership
• Increase operational efficiency
• Lower TCO
BYOD Requires More Traffic Visibility: Flexible NetFlow for the Sup2T
Sup2T NetFlow:
• Flexible NetFlow: increased customization by selecting the fields to match and collect for both IPv4 and IPv6
• CPU-friendly export: optimal CPU utilization with Yielding NetFlow Data Export, and direct export from a module
• Up to 13M flows/system: bigger tables mean more entries per system, up to 13 million entries with a 13-slot chassis, giving you better visibility into your network
• Sampled NetFlow in hardware: optimizes NetFlow table utilization and minimizes load on analyzers
• Egress NetFlow: allows NetFlow to be applied after the ingress lookup is done (NetFlow on CoPP), and allows multicast traffic to be accounted per destination instead of per group
BYOD Requires More Traffic Visibility: Sup2T Can Monitor with Scale and CPU Protection
Protect the CPU with CPU-yield NetFlow (Yielding NDE):
• NDE increases the export rate until the threshold is reached
• When the threshold is reached, NDE quickly backs off the export rate
• Wait 5 seconds and then step up the export rate again
(Chart: CPU utilization over time, with levels of 30% and 70% marking the CPU before NDE begins and the Yielding NDE threshold)
Scale NetFlow with distributed export:
• Direct export supported with Supervisor 2T and: WS-X6716-10x upgraded with DFC4-E / DFC4-EXL; WS-X6816-10x-2T/2TXL; WS-X6908-10G-2T/2TXL; WS-X6904-40G-2T/2TXL; WS-X6848-TX-2T/2TXL
(Diagram: NetFlow data exported to the NetFlow collector from the supervisor and directly from line cards such as the WS-X6908-10G-2T/2TXL, with the EOBC shown between modules and supervisor)
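The back-off behaviour described above, modelled as an added illustrative control loop (not Cisco's implementation): the export rate ramps until CPU reaches the yield threshold, backs off quickly, holds for 5 seconds, then steps up again. The 30% baseline and 70% threshold are assumptions taken from the chart labels; the step size, back-off factor and the linear CPU-cost model are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class YieldingNde:
    """One-second control loop for CPU-yielding NetFlow Data Export (illustrative model)."""
    yield_threshold: float = 70.0   # CPU % at which NDE backs off (assumed from chart label)
    min_rate: int = 100             # records/s floor after a back-off (constructed)
    max_rate: int = 10000           # records/s ceiling (constructed)
    step_up: int = 500              # records/s added per step (constructed)
    backoff_factor: float = 0.25    # fraction of the rate kept on back-off (constructed)
    hold_seconds: int = 5           # wait before stepping up again (from slide)
    rate: int = 100
    hold_left: int = 0
    backoffs: int = 0

    def tick(self, cpu_percent: float) -> int:
        """Advance one second given the measured CPU %; return the new export rate."""
        if cpu_percent >= self.yield_threshold:
            # Threshold reached: back off quickly and start the 5-second hold.
            self.rate = max(self.min_rate, int(self.rate * self.backoff_factor))
            self.hold_left = self.hold_seconds
            self.backoffs += 1
        elif self.hold_left > 0:
            # Holding after a back-off: keep the reduced rate.
            self.hold_left -= 1
        else:
            # No pressure: step the export rate up again.
            self.rate = min(self.max_rate, self.rate + self.step_up)
        return self.rate


def cpu_cost(rate: int, baseline: float, pct_per_1k_records: float = 5.0) -> float:
    """Constructed cost model: every 1,000 records/s of export adds a fixed CPU %."""
    return baseline + rate / 1000.0 * pct_per_1k_records


def simulate(seconds: int = 60, baseline: float = 30.0, threshold: float = 70.0) -> dict:
    """Run the loop for `seconds`; return peak CPU, back-off count and the rate trace."""
    nde = YieldingNde(yield_threshold=threshold)
    trace, peak = [], 0.0
    for _ in range(seconds):
        cpu = cpu_cost(nde.rate, baseline)   # CPU seen before this second's decision
        peak = max(peak, cpu)
        trace.append(nde.tick(cpu))
    return {"peak_cpu": peak, "backoffs": nde.backoffs, "rates": trace}


if __name__ == "__main__":
    result = simulate()
    print(f"peak CPU {result['peak_cpu']:.1f}%, back-offs {result['backoffs']}")
```

With these constructed parameters the CPU overshoots the 70% threshold by at most one step before NDE backs off, which is the property the slide is describing.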
Tying It All Together
Deploying a Unified Access Architecture: Tying Security, Mobility, and Virtualization for a BYOD Campus
(Diagram: a borderless campus with campus backbone, DC block, Internet-only access, corporate servers, VDI infrastructure and guest servers on VLAN 10, VLAN 20 and VLAN 30; devices are an employee personal asset, a company asset and a guest personal asset; the Identity Service Engine makes the policy decision in numbered steps 1 to 5)
• 802.1X EAP user authentication, profiling to identify the device, posture of the device, policy decision, then full or partial access granted
• WiSM2 as mobility coordinator (MC/MTE)
• Firewall: ASA, per-VLAN / VRF policies
• EVN per-VLAN/VRF policies: path isolation; L3VPN over mGRE VRFs across sites
• SXP session carrying SGTs; SGACL enforcement; monitor SGACL dropped traffic
• 40 Gbps with two-level shaping to support HD video
• Troubleshoot data, voice and video with FnF, NAM and egress NetFlow; NAM-3 15+ Gbps traffic monitoring; Medianet 2.2 performance monitoring, Mediatrace
• BGP PIC fast convergence
• Smart Install Director
Cisco Catalyst Campus Value Proposition: Addressing Campus Megatrends (BYOD, Video, Security)
End-to-end OS consistency: IOS 15.0; Cisco Validated Designs for campus deployment
(Diagram: ISE and Cisco Prime NCS; Cisco Catalyst 4500E and Cisco Catalyst 3750-X at the edge; Cisco Catalyst 6500 VSS 4T with WiSM2, ASA-SM and NAM-3; ASR1000 and ISR toward the cloud; IOS 15.0 end-to-end)
• Services: Flexible NetFlow, Medianet 2.2
• Application Visibility and Control: microflow policing, NBAR2 with NAM-3, AVC with WiSM-2
• TrustSec: SGT / SGACL, MACsec, NDAC, CoPP, EVN / VRF-Lite, VPLS / A-VPLS
• Smart Operations: Smart Install, Virtual Switching System, Embedded Event Manager (EEM), GOLD, Cisco Prime
• Resiliency: Quad Sup VSS SSO, EFSU, NSF / SSO, Multicast HA, BGP PIC