Cisco Unified Access Roadshow Enterprise Backbone Technologies Enabling BYOD and Collaboration

Cisco Confidential© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco Unified Access Roadshow Enterprise Backbone Technologies Enabling BYOD and CollaborationVivek Baveja

Technical Marketing Engineer

Enterprise Networking Group

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Dis

tribu

tion

Acc

ess

Cor

eUse CasesBackbone Support for BYOD, Video, and Collaboration

How Do I Manage This

at an Enterprise

Level?

How Do I Monitor This at an Enterprise

Level?

How Do I Provide a

Consistent User

Experience?

Questions to Be

Answered

How Do I Secure my Device and

User Communities?

How Do I Build a Scalable, Secure,

Converged Wired/Wireless

Campus Network to Support These

Trends?

How Do I Bring Both Corporate and Employee

Owned Devices on to the Network?

What Services Do I Need to Enable the

Infrastructure?


Cisco Catalyst 6500Top Questions from Customers

When do I use Catalyst 6500 instead of Nexus 7000 ?

What is the future of the 6500 ?

How does 6500 with Sup2T fit into a BYOD infrastructure ?

How do I secure the campus for BYOD ?

How can Catalyst 6500 provide the necessary network visibility for my BYOD infrastructure?

Cisco Confidential 4© 2011 Cisco and/or its affiliates. All rights reserved.

Backbone Switching Strategy, Portfolio and Areas of Investment


Lead with Catalyst 6500 Sup2T

Backbone

Lead with Catalyst 6500 Sup 2T

Distribution

Lead with Catalyst 4K / 3K

Access

Campus

Positioning the Correct SolutionCisco Catalyst in the Campus to Support BYOD and Collaboration

Engineering Investments and Roadmap Follows Positioning

Data Center

Lead with Nexus 7000

Backbone

Lead with Nexus 7000

Aggregation

Lead with Nexus 5000/2000

Access

Cisco Catalyst or Nexus?

Mobility/BYOD

Security

Video Workload Mobility VM

10G/Virtualization

EnergyEfficiency


Switching Requirements Difference Between Campus and Data Center

CampusCatalyst Family - IOS

User Access Control / Segmentation802.1X / Easy Virtual Networks (EVN)

Video IntelligenceMedianet

Wired / Wireless ConvergenceWireless Controller Integration

Application VisibilityFlexible NetFlow, NAM-3 (NBAR2)

Power over EthernetUPOE, EnergyWise

Data Center / CloudNexus Family – NX-OS

Cloud Security and VM AwarenessNexus 1000v, VSG, ASA, 1000v

VM MobilityLISP, VXLAN, OTV

LAN / SAN ConvergenceUnified Ports, FCoE

Fabric Scale & ResilienceFabricPath, vPC, Wire Speed 10/40/100G

Data Center ConsolidationVDC, FEX, DCNM

Customer Requirements/Needs Ultimately Drive the Sale


Price/Performance Virtualization, Simplified

Operations, and Change Management

The Network Services Platform for

Unified Access

Driving Next-Gen Ethernet in the Campus

1G » 10G » 40G » 100G

Innovation withInvestment Protection

Lower TCO

Differentiation

Transition

Cisco Catalyst 6500 Strategy and DirectionSupporting BYOD and Collaboration Trends

Innovation

Cisco Catalyst 6500 E-Series


Cisco Catalyst 6500 Installed Base in PerspectiveDriving Future Investment Decisions

FY12 Cat 6500 Port Shareof Total Modular Industry*

*Assuming Dell’Oro as a baseline for industry total modular

25%

Cat 6500E

Rest of Market

Investment surrounding Sup2T development

Compare with Tesla Motor’s $150M investment for first fully electric sports car

$200+ Million

$200+ MillionInvestment planned over next 3 years

aloneRich network services, Ethernet evolution, Lower TCO,

Investment protection

750,000+ Chassis Shipped1.2 Million Supervisors Shipped110 Million Ports Shipped45,000+ Catalyst 6500 Customers


Cisco Catalyst 6500 PortfolioHardware You Need to Support BYOD and Collaboration Trends

Sup2T

Services Modules

WiSM2

NAM-3

ASA-SM

1GbE Fiber and Copper

Fiber

High-Perf. Access

6824

6848

6848

614845AT

Copper Access

40 GbE Fiber

6904FourX LR4SR4

10GbE Fiber and Copper

40G/Slot

80G/Slot

6816 6816

69086904

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10Items in PURPLE are BYOD, Collaboration and Video enablers.

SUP720 SUP2TL2 MAC Table 96K 128K

Bridge Domains 4K 16K

TrustSec / SGT – Yes

VNET Trunk (EVN) – Yes

40G Interfaces – Yes

System Bandwidth 720 Gbps 2 Tbps

L3 Interfaces 4K 128K

NetFlow Table 128K/256K 512K/1M

Flexible NetFlow – Yes

Hitless ACL Updates 32K Yes

Medianet 2.2 – Yes

VPLS / A-VPLS Requires WAN Module

Yes (no WAN module)

VSS Quad Sup SSO – Yes

Sup2T Overiew

BYOD and Collaboration with Supervisor 2TScalability Enhancements 4X Scalability

3X Performance

Cisco Prime

New PFC4 FeaturingImproved Levels of Performance and Scalability Along with New Enhanced Hardware Features

USB-BasedConsole Support

Connectivity Management Processor (CMP)

New MSFC5 Supporting Dual Core CUP and Single IOS Image

Improved Switch FabricProviding 80G/Slot


BYOD and Collaboration with Supervisor 2TScalability Enhancements

6900 Series with DFC4 6800 Series with DFC4

• 40G/slot with integrated DFC4• 24 and 48 ports 1GbE fiber• 48 ports 10/100/1000 copper• 16 ports 10GbE fiber and 10GBASE-T • Available in standard and XL sizes

• Non-blocking 80G/slot performance• Wire rate MACsec• Virtual switching link (VSL)• Large packet buffers (256 MB/port)• X2 transceiver or SFP+ with adapter• Available in standard and XL sizes• LISP-ready

Distributed Forwarding Performance, at Central Forwarding Price

Doubled System Performance, with Distributed Forwarding

4P 40G$36,000

CFP-40G-SR4FourX

CFP-40G-LR4


Sup2T

Supported

Special TMP Program for Upgrade

WS-F6K-DFC4-E

WS-F6K-DFC4-A

6148E, 6148A, 6148-SFP, 6196

NAM/-1/2/3, ACE20/30, WiSM-1/2FWSM, ASA-SM

Not Supported(Use Sup720-10G or ASR for WAN)

Not Supported (ASA-SM to get IPSEC VPN)

Sup720

BYOD and Collaboration with Supervisor 2TMake Your Catalyst 6500 Ready

6704, 6724, 6748 with CFC

6708-10G Fiber

6716-10G/10T with DFC3

6704, 6724, 6748 with DFC3

61xx Series

Service Modules

WAN Modules

VPN SPA


BYOD and Collaboration with Supervisor 2TService Modules Enable Key Capabilities

Next-GenerationWiSM Blade: WiSM-2

Next-GenerationNAM Blade: NAM-3

Next-GenerationFirewall Blade: ASA-SM

Monitoring Performance Up to 15 Gbps

Capture to External Disk Up to 5 Gbps

Deep Packet Inspection NBAR-2 Support

HW Filters/Packet Captures Rapid Troubleshooting

64 Gbps System Performance16 Gbps Performance/Service Mod.

10,000,000 Concurrent Sessions300,000 Connections per Second

250 Security Contexts1,000 VLANs

NE

W

Integrate Wired / Wireless Management

Performance 20 GbpsAccess Points 500–1,000

Clients 15,000

Concurrent AP Upgrade/Joins Up to 500

Mobility, Domain Size Up to 18,000 APs

NE

W

NE

W

Enhance Application Visibility

Deliver Robust, Integrated, Streamlined Security

OS / Feature Parity with Appliances


Features

Sca

labi

lity

Feature Richness

Cisco Catalyst 3750-X

TrustsecMACsec, SGT, SGACL

AVCMedianetFlexible NetFlow

Cisco Catalyst 4500-X

TrustsecMACsec, SGT, SGACL,

EVN

AVCFlexible NetFlow/ EEM

integrationIntegrated Wireshark

ResiliencyVSS

Cisco Catalyst 4500E

TrustsecMACsec, SGT, SGACL,

EVN

ResiliencySup redundancy,

NSF/SSO, ISSU

AVCFlexible NetFlow/ EEM

integrationIntegrated Wireshark

Smart OperationsCopper/POE flexibility,

EEM, GOLD

Cisco Catalyst 6500E

TrustsecL3 SGTMACsec over EoMPLS, MPLS L3VPNVPLS / A-VPLS L2oMGRE6PE, 6VPE Advanced CoPPASA-SM AVCPIM Register in HW IGMPv3 / MLDv2 Snooping in HW Egress NetFlowPer-VRF NetFlow NAM-3WiSM-2

Resiliency

Quad Sup VSS*BGP PICEFSUBFD / Multicast BFDMulticast HAACL Hitless CommitACL Dry Run

Smart OpsEEMGOLDSmart Call HomeSmart Install DirectorLISPWCCPv3

*Roadmap

Modular

Fixed

BYOD and Collaboration with Supervisor 2TCatalyst 6500 for the BYOD Backbone


Differentiating Features to Support BYOD / Collaboration in the Backbone


Integrated Service Modules


Simplified Manageability

• Managed as single entity with backplane integration

• Integrated application intelligence,traffic analysis, and performance troubleshooting

• Remote monitoring with RSPAN/ERSPAN

Advantages of Integrated SolutionSimplification, Scalability and Lower TCO

Increased Scalability

• Virtual Contexts to support virtualization for BYOD

• Service Modules Match Latest Appliance specifications speeds/feeds

Lower Total Cost of Ownership

• Reduced network footprint• No external connectors• Improved power management• Reduced rack space

utilization


• Consistent Application VisibilityBranch to Data CenterAcross application delivery lifecycle - monitoring, troubleshooting, control and optimization

• Can work with Flexible NetFlow as a collector (local or external devices)

• Service-centric causal analysis across Application and Network Traffic Flows

• Application (L7) specific Packet Analysis (NBAR-2*)

• Wireless CAPWAP Decode

• Can be managed by Cisco Prime

*CYQ42012

NAM-3 L3-7 Application VisibilityProviding Better Insight for a BYOD Infrastructure


One device for converged Wireless and Wired Services supporting next-generation wiring closet infrastructures

Status LEDsSerial & USB Console Ports

Dedicated 12-Core Control Processor

20 Gb Backplane Channel

Dedicated 12-Core Data Processor

Reduced Operational Costs

• Scale1000 Access Points15,000 Clients

• Central MaintenanceSimultaneous AP UpgradeTroubleshooting

• Mobility36,000 AP in Mobility DomainFast Roaming

• Performance10 Gbps Throughput

• New FeaturesApplication Visibility and Control (AVC)NetFlow v9Bonjour supportNMSP Location ServicesStateful AP failover with VSS

WISM-2 GUI TOOLS

ISE

PRIME

Wireless Services with WISM-2Supporting Campus Wireless and BYOD


Room 203

printer-203

atv-203

Room 201

printer-201

atv-201

ID: JohnRole: StudentLocation: room201

What services can I use?

printer-201atv-201

What services can I use?

printer-201

Bonjour

Catalyst 6500w/WiSM-2

Catalyst 6500w/WiSM-2

Catalyst 6500w/WISM-2

AccessSwitch 1

AccessSwitch 2

AccessSwitch 3

AccessSwitch 4

CoreSwitch

AP

*Q4 CY2012

Catalyst WISM-2 as Bonjour Gateway* Improving Campus WLAN Performance for BYOD

ID: AdamRole: FacultyLocation: room201


Security Service Processors• Multi-services capable• Dedicated 64-bit multicore processors• Future-proof hardware

Multigigabit Fabric• Chassis backplane• Virtualized interfaces• Module-to-module

communications

Dual-Crypto Accelerators• Hardware processing• Accelerated Virtual Private

Networking and Unified Communications encryption

Multiple Contexts (250)• High capacity• Memory for handling high

session counts• 24 GB of memory

NAT64, VPN Site-to-Site Services*

*Roadmap

Firewall Services with ASA-SMHigh Performance Platform with Security Directly in the Backbone


Catalyst for a Secure CampusSecuring the BYOD Infrastructure at Multiple Layers

Protected Corporate resources

Campus Block

Internet

Visitor Conference

room

Employee Telepresence

room

Access

Catalyst 6500w/ASA-SM

Campus Core

Network Edge Authentication Topology

How do I extend security outside wiring closet ?

ACL Atomic Commit

How can I get zero Traffic disruption modifying ACLs ?

Integrated Firewall Module

How can I get DPI and stateful

connections ?

Control Plane Policing (CoPP) / HWRL

How do I insulate CPU from heavy protocol traffic ?

Access

Catalyst 6500w/ASA-SM

ASA ClusteringHow do I scale Campus firewall performance ?


Secure On-Boarding for BYODEasy Virtual Networks (EVN) and ASA-SM Segregate BYOD from Corporate Issued Devices

Trusted Devices

ACCESS CONTROL PATH ISOLATION

Untrusted Devices

ASA-SM Firewall IPS Services in

Backbone

SSID → Identity → Device Sensor → VLAN X → VRF X → Firewall Context X

BYOD Devices Need the Same Access as Corporate

DevicesGreater Inspection Required

for BYOD Devices

BYOD Devices Don’t Get Mandatory

Virus/Security Updates

Path Isolation Across Network to IPS or ASA-SM

to Maintain ComplianceHIPAA, PCI, FISMA

WISM2 ASA-SMNAM-3

Cisco Catalyst 6500 VSS 4T

SSID → Identity → Device Sensor → VLAN Y → VRF Y → Firewall Context Y


Security and Application Visibility Services


TrustSec

DomainTr

ustS

ec

Dom

ainSGT

SGT

SGT

SGT

192.168.10.1 192.168.20.1 192.168.30.1 192.168.200.1

Server

192.168.10.0/24

192.168.20.0/24

192.168.30.0/24

SGT10

SGT20

SGT30

192.168.200.0/24SGT30

SGACL Enforcement

Monitor SGACL Packet Drops with Flexible NetFlow

Non-TrustSec Domain

L3 SGTTransport

Manual or Dynamic Subnet Mapping

Identity Service Engine

Cisco Catalyst for Device Security Across Non-TrustSec Domains

Packets sent with “transport mode” ESP to carry SGT without encryption or data authentication

The packet overhead (42-45 bytes) impacts IP MTU/Fragmentation

Header Change


• IPv6 NDP inspection• Prevents neighbor discovery

spoofing attacks

• IPv6 RA Guard• Stops false router

advertisement threats

• IPv6 PACL• Filter traffic on Layer 2 ports

• IPv6 device tracking• Revoke network access for

inactive devices

L2 Access

IPv6/IPv4 Dual Stack Hosts

Access Layer

Distribution Layer

Core Layer

IPv6 WAN

L3

IPv6: First-Hop Security and uRPF Prepare and Secure Your New IPv6 Wired and Wireless Network

WLC

• IPv6 uRPF • Blocks spoofed traffic in

hardware (16 paths)


Typical causes of poor application performance : Bandwidth/capacity bottleneck Unauthorized use of network resource Security Monitoring Monitor Non-Corporate Devices

Campus Building A

1

2

3

2

3

4

Internet

BYOD Requires More Traffic VisibilityThe Case for Flexible Netflow

Campus Building B

Campus Building C

1

1

2

2

3

4

Campus Core

2

Traffic Visibility with Flexible NetFlow

Flexible NetFlow provides the application visibility needed to answer questions on the “who, what, when, where, how” of network activities in order to:

Identify root cause easier, faster, more accurate Assign problem ownership Increase operational efficiency Lower TCO

NOC

3

4


BYOD Requires More Traffic VisibilityFlexible NetFlow for the Sup2T

FlexibleNetflow

Increased customization by selecting the fields to match and collect for both IPv4 and IPv6

CPU FriendlyExport

Optimal CPU utilization with Yielding Netflow Data Export, direct export from a module

Up to 13MFlows/System

Bigger tables mean more entries per system, up to 13 million entries with a 13 slot chassis, giving you better visibility in your network

SampledNetflow in Hardware

To optimize the Netflow tables utilization and minimize load on analyzers

EgressNetflow

Allow to use netflow after ingress lookup is done (NetFlow on CoPP)

Allow to account for multicast traffic per destination instead of per group

Sup2T Netflow


BYOD Requires More Traffic VisibilitySup2T Can Monitor with Scale and CPU Protection

NDE increases export rate until threshold reached

Wait 5 seconds and thenstep up export rate again

When threshold reached, NDE quickly backs off export rate

CPU

30%

70%

Yielding NDE thresholdCPU before NDE begins

Protect CPU with CPU Yield Netflow Scale Netflow with Distributed Export

Netflow Collector

EOBC

Direct Export supported with Supervisor 2T and :

WS-X6716-10x upgraded with DFC4-E / DFC4-EXL

WS-X6816-10x-2T/2TXLWS-X6908-10G-2T/2TXLWS-X6904-40G-2T/2TXL

WS-X6848-TX-2T\2TXL

NetFlowData

WS-X6908-10G-2T\2TXL

NetFlowData

Supervisor

NetFlowData

NetFlowExport


Tying It All Together


40 Gbps with Two Level Shaping

SupportHD Video

DC BlockBorderless Campus

WiSM2 as MC/MTE

Firewall: ASA. Per VLAN, VRF Policies

802.1x EAP User

Authentication

Campus Backbone

Profiling to Identify Device

Posture of the Device

VLAN 10 VLAN 20

Internet Only

PolicyDecision

TroubleshootData, Voice and Video with FnF, NAM, Egress

NetFlowPolicy

Decision

Full or Partial Access Granted

Corporate Servers

VDI Infra

Guest Servers

VLAN 30

SXP Session

SGT

SGT

SGTSGT

SGT SGT SGT SGT

EVN Per VLAN/VRF Policies:Path Isolation

L3VPN over mGRE VRFs Across Sites

BGP PICFast

Convergence

SGACL Enforcement

Monitor SGACL Dropped Traffic

NAM-315+Gbps

Traffic Monitoring

Medianet 2.2 Performance Monitoring Mediatrace

SmartInstallDirector

Deploying a Unified Access ArchitectureTying Security, Mobility, and Virtualization for BYOD Campus

Employee Personal

Asset

Company Asset

Guest Personal

Asset

WiSM2 as Mobility Coordinator

Identity Service Engine

1

32

4

4

5


End-to-End OS Consistency: IOS 15.0Cisco Validated Designs for Campus Deployment

Cisco Catalyst Campus Value PropositionAddressing Campus Megatrends (BYOD, Video, Security)

ISE

Cisco Prime NCS

Cisco Catalyst 4500E, Cisco Catalyst 3750-X

End-to-End

IOS 15.0 ASR1000

Cloud ISR

WISM2ASA-SM

NAM-3

Cisco Catalyst 6500 VSS 4T

• Flexible NetFlow• Medianet 2.2

Services

• Microflow policing• NBAR2 with NAM-3• AVC with WISM-2

Application Visibility and Control

• SGT / SGACL• MACsec• NDAC

• CoPP• EVN / VRF-Lite• VPLS / A-VPLSTrustsec

• Smart Install• Virtual Switching

System

• Embedded Event Manager (EEM)

• GOLD• Cisco Prime

Smart Operations

• Quad Sup VSS SSO

• EFSU

• NSF / SSO• Multicast HA• BGP PICResiliency

Cisco Unified Access Roadshow Enterprise Backbone Technologies Enabling BYOD and Collaboration

Documents

Transcript of Cisco Unified Access Roadshow Enterprise Backbone Technologies Enabling BYOD and Collaboration