Enterprise Architecture, Deployment and Positioning



  1. Enterprise Architecture, Deployment and Positioning
     Scott Hodgdon, Senior Technical Marketing Engineer, Enterprise Networking Group
  2. Session Objectives
     At the end of the session, the participants will be able to:
     • Understand the characteristics of the various enterprise deployment models: Unified Access, Traditional Access, Converged Access and Instant Access
     • Understand which products are the lead platform for each deployment model, and understand individual product positioning
     • Understand that customer requirements drive deployment model decisions (and hence product choice): the customer's current state and the goals that drive deployment model preference, and the considerations relative to each deployment model
     © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
  3. Agenda
     • Session Objectives
     • Key Services Overview
     • Design Options
       – Traditional Access: Multilayer, Routed, VSS
       – Converged Access
       – Instant Access
     • Summary
     (Diagram: Data Center Services Block and the campus Deployment Models)
  4. Switching Requirements: Campus vs. Data Center
     Campus optimized: Catalyst 6500 / 6800
     • Segmentation & Security: 802.1X, ASA-SM, Easy Virtual Networks
     • Video: Medianet, Distributed Policing
     • Mobility / BYOD: WiSM2, LISP
     • Wired / Wireless Convergence
     • Campus Smart Operation: Smart Install, Instant Access
     DC optimized: Nexus 7000 / 7700
     • DC Virtualization: OTV, LISP, DFA, VXLAN*
     • Workload Mobility
     • LAN / SAN Convergence: Multi-hop FCoE
     • Fabric Scale & Resilience: FabricPath, vPC, Wire Speed 10/40/100G
     • Data Center Operation: VDC, FEX, DCNM, OnePK
     Common to both: Video Intelligence, Security, 10G / Virtualization, Energy Efficiency, VM
  5. Campus Deployment Models (diagram)
     Unified Access spans all models: One Management (Cisco Prime Infrastructure) and One Policy (Cisco ISE)
     • Traditional Access: distributed wired with VSS; distributed or centralized wireless
     • Converged Access: distributed wired with VSS; Mobility Agents (MA) in the access switches
     • Instant Access: centralized wired with VSS and Instant Access (IA) satellites
  6. Unified Access: What does it really mean?
     Lead platforms: Cisco Prime Infrastructure, Identity Services Engine, Cisco Catalyst 6800/VSS, WiSM2/WLC, Cisco Catalyst 4500E, Cisco Catalyst 3850, Wireless APs
     Key services for a Unified Access deployment:
     • Secure Group Access to simplify the network and enable virtualized data center services
     • Application-aware networking to enable collaboration, video, and other apps
     • Maximized network availability with Virtual Switching and Stateful Switch Over
     • Reduced operating expenses and improved network application and service delivery
     OS consistency: IOS XE 3.x. Cisco Validated Design 2.5 for Campus Deployment.
  8. Cisco TrustSec: Secure Group Access Simplifies Security Enforcement
     Example policy matrix (rows are roles, columns are resources):
       Role     | Email Server | Financial Servers | Patient Records
       IT       | Allow All    | SQL               | SQL
       Finance  | IMAP         | Web               | No Access
       Doctors  | IMAP         | No Access         | File Share
     Example hosts in the diagram: IT 3.1.1.1, Finance 2.1.1.1, Doctor 1.1.1.1
     Access control with Secure Group Access:
     • Role-based
     • Topology-independent
     • Scalable
     • Easy to administer
     • One Policy
  9. Cisco TrustSec: Security Group Tags (SGTs) in the Access
     • ISE maintains a centralized view of device inventory and policy assignment
     • SGACL enforces policy at the access, campus edge, or data center
     • Classification is device-aware, identity-aware and location-aware
     (1) The SG tag is imposed on incoming traffic; (2) device information is learned via CDP, LLDP, DHCP and MAC
     (Diagram: example permit/deny matrix for secure groups such as Doctor on a personal laptop vs. office PC, Patient on a hotspot, Admin, IP Phone, conference-room video/TelePresence, against resources such as Patient Record, Corp PC, Smartphone and Internet)
     Secure Group Access:
     • Simplifies ACL management
     • Uniformly enforces policy independent of topology or protocol
     • Fine-grained access control
  10. Cisco TrustSec: SGTs in the Backbone, SGACL Enforcement
      Map VLANs or IP subnets to SGT values (manual or dynamic VLAN mapping; the Cisco TrustSec domain can forward existing SGT traffic or map SGTs manually; Identity Services Engine distributes policy):
        cts role-based sgt-map VLAN-list 110 sgt 1110
        cts role-based sgt-map VLAN-list 120 sgt 1120
        cts role-based sgt-map VLAN-list 130 sgt 1130
        cts role-based sgt-map 192.168.10.0/24 sgt 10
        cts role-based sgt-map 192.168.20.0/24 sgt 20
        cts role-based sgt-map 192.168.30.0/24 sgt 30
      SGACL applied between source SGT 1110 and destination SGT 3200:
        cts role-based permissions from 1110 to 3200
         permit tcp dst eq 443
         permit tcp dst eq 80
         permit tcp dst eq 22
         permit tcp dst eq 3389
         permit tcp dst eq 135
         permit tcp dst eq 136
         permit tcp dst eq 138
         permit tcp dst eq 139
         deny ip
      (Diagram: VLAN 110, VLAN 120 and VLAN 130 each tagged with their SGT on entry to the TrustSec domain)
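To make the SGT classification and SGACL evaluation on this slide concrete, here is an added Python example (not code from the deck or from Cisco) that parses the slide's own `cts role-based` lines into a VLAN/prefix-to-SGT map and an ordered SGACL, then answers whether a flow between two SGTs is permitted. The flow-matching logic (first matching ACE wins) and the audit helper are assumptions of this example, not a model of the switch's internals.

```python
import ipaddress
import re

# Constructed sample: the cts role-based lines shown on the slide, one per line.
CTS_CONFIG = """
cts role-based sgt-map VLAN-list 110 sgt 1110
cts role-based sgt-map VLAN-list 120 sgt 1120
cts role-based sgt-map VLAN-list 130 sgt 1130
cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
cts role-based sgt-map 192.168.30.0/24 sgt 30
cts role-based permissions from 1110 to 3200
 permit tcp dst eq 443
 permit tcp dst eq 80
 permit tcp dst eq 22
 permit tcp dst eq 3389
 permit tcp dst eq 135
 permit tcp dst eq 136
 permit tcp dst eq 138
 permit tcp dst eq 139
 deny ip
"""

VLAN_MAP_RE = re.compile(r"cts role-based sgt-map VLAN-list (\d+) sgt (\d+)$")
PREFIX_MAP_RE = re.compile(r"cts role-based sgt-map (\S+/\d+) sgt (\d+)$")
POLICY_RE = re.compile(r"cts role-based permissions from (\d+) to (\d+)$")
ACE_RE = re.compile(r"(permit|deny) (\w+)(?: dst eq (\d+))?$")


def parse_cts(config):
    """Return (vlan_to_sgt, prefix_to_sgt, sgacls); sgacls maps
    (src SGT, dst SGT) -> ordered list of (action, protocol, dst port|None)."""
    vlan_to_sgt, prefix_to_sgt, sgacls = {}, [], {}
    current = None  # (src SGT, dst SGT) whose ACE list is being filled
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VLAN_MAP_RE.match(line):
            vlan_to_sgt[int(m.group(1))] = int(m.group(2))
        elif m := PREFIX_MAP_RE.match(line):
            prefix_to_sgt.append((ipaddress.ip_network(m.group(1)), int(m.group(2))))
        elif m := POLICY_RE.match(line):
            current = (int(m.group(1)), int(m.group(2)))
            sgacls[current] = []
        elif (m := ACE_RE.match(line)) and current is not None:
            port = int(m.group(3)) if m.group(3) else None
            sgacls[current].append((m.group(1), m.group(2), port))
        else:
            raise ValueError("unsupported line: " + line)
    return vlan_to_sgt, prefix_to_sgt, sgacls


def classify(vlan_to_sgt, prefix_to_sgt, vlan=None, ip=None):
    """Derive a source SGT from its VLAN first, else the longest matching prefix."""
    if vlan is not None and vlan in vlan_to_sgt:
        return vlan_to_sgt[vlan]
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        hits = [(net.prefixlen, sgt) for net, sgt in prefix_to_sgt if addr in net]
        if hits:
            return max(hits)[1]
    return None  # no static mapping covers this source


def evaluate(sgacls, src_sgt, dst_sgt, proto, dport=None):
    """Apply the SGACL bound to (src, dst): first matching ACE wins (assumption).
    Returns 'permit'/'deny', or None when no SGACL is bound to the pair."""
    aces = sgacls.get((src_sgt, dst_sgt))
    if aces is None:
        return None
    for action, ace_proto, ace_port in aces:
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            return action
    return None  # only reachable without a catch-all; the slide's SGACL ends in deny ip


def permitted_tcp_ports(sgacls, src_sgt, dst_sgt):
    """Audit helper: TCP destination ports the SGACL explicitly permits."""
    return sorted(p for a, pr, p in sgacls.get((src_sgt, dst_sgt), [])
                  if a == "permit" and pr == "tcp" and p is not None)
```

Running `permitted_tcp_ports` over each SGT pair is a quick way to review what an SGACL actually opens (here 135/136/138/139 and 3389 alongside 22/80/443) before it is pushed from ISE.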
  11. Application Visibility and Control: Is BYOD a threat to your business applications?
      IT challenges: Is my network ready for video? How do I ensure a high-quality user experience? How can I troubleshoot and monitor effectively?
      • Assessment: Enhanced Object Tracking, IP SLA, Built-in Traffic Simulator, Cisco CleanAir
      • App Visibility / Control: Media Services Proxy (MSP), Metadata, Flexible NetFlow, Device Sensor, Secure Group Tagging, Quality of Service (QoS), AVC in Wireless Controller, Mediastream
      • Monitoring / Troubleshooting: Performance Monitor, Mediatrace, Flexible NetFlow, Wireshark / Mini-Protocol Analyzer, Device Sensor
      • High Availability: L2/L3 Multicast HA, Call Admission Control (CAC), Multipath, Video Stream
  12. Catalyst Infrastructure Resiliency, Access: Cisco StackWise+
      Scale with performance:
      • Seamless access network expansion
      • High-speed 64 Gbps bi-directional switching stack-ring
      • Single logical unit to manage nine switches and 450 ports
      Virtualized for simplicity:
      • Centralized control and management architecture
      • Reduces VLANs/subnets
      • 9X operational simplicity
      Simplified for resiliency:
      • Distributed and resilient forwarding architecture
      • Single network per layer
      • Deterministic network operation with Non-Stop Forwarding
  13. Catalyst Infrastructure Resiliency, Backbone: Cisco Virtual Switching System (VSS)
      Traditional campus design:
      • Complex network design and operation
      • Underutilized network resources
      • Sub-optimal application and network performance
      VSS campus design, optimized network:
      • Optimized network design
      • Double switching capacity
      • Deterministic application and network performance
      VSS campus design, simplified operation:
      • Simplified system operation
      • Single neighbor and network per layer
      • Simplified and highly redundant network topologies
  14. Catalyst Infrastructure Resiliency, Modular: Cisco ISSU Delivers 99.999% Uptime
      Access (4500E, ISSU):
      • Dual-supervisor requires software upgrade with mismatched IOS versions during the upgrade
      • ISSU provides real-time single-chassis software upgrade. Reduces MTBF
      • Protects network services and availability at the access layer with redundant paths
      • Network impact ~1 sec for the entire upgrade process
      Distribution / Core (6500E, eFSU over the VSL):
      • eFSU provides real-time dual-chassis software upgrade. Reduces MTBF
      • Protects network services, capacity and availability for wired and WLAN end-points
  15. Cisco Smart Operations: Simplify Your Infrastructure
      Smart Install (Director and access switches), zero-touch deployments:
      • New switch is connected; software image downloaded; configuration automatically applied
      • Zero-touch deployments, upgrades and replacements
      Auto Smartports, plug and play for end devices:
      • New end device attached; port configuration applied; QoS policy enforced; security policy enforced
      • Simplifies management tasks
      Embedded Event Manager, automate response to events and customize IOS behavior:
      • User customizable
      • Change IOS behavior
      • Automatically fix network issues
      • Automate responses to commonly occurring events
  17. Traditional Access: Multilayer Design
      Considerations:
      • Highly available network design
      • L2/L3 protocol tuning required
      • Protocol alignment required
      • Deployment flexibility
      • Well understood deployment
      (Diagram, multilayer campus design: Backbone/Core, Distribution, Access, Wireless LAN Controller with CAPWAP tunnel to CPE, Cisco Prime/LMS, ISE)
  18. Characteristics of the Multilayer Deployment Model
      Benefits:
      • Well understood and well documented design with many years' worth of deployment history
      • Uses industry-standard protocols such as Rapid Spanning Tree Protocol
      • Cisco differentiating enhancements enable sub-second or near sub-second network convergence
      • Allows for a multi-vendor environment
      • Flexible equipment costs from low to high end
      Challenges:
      • Requires significant configuration tuning to achieve sub-second network convergence
      • Requires significant complexity when adding VLAN or VRF segmentation
      • All switches managed individually
      • Complex: alignment of Spanning Tree, routing, and default gateway redundancy required
      • Spanning Tree liability
  19. Traditional Access: Virtual Switching System
      Considerations:
      • Less protocol tuning required
      • Efficient resource utilization
      • Higher resiliency with Quad Sup VSS
      • Fewer routing peers
      • Some customers prefer a separate control plane
      (Diagram, VSS campus design: Backbone/Core, Distribution, Access, Wireless LAN Controller with CAPWAP tunnel to CPE, Cisco Prime/LMS, ISE)
  20. Characteristics of the VSS Deployment Model
      Benefits:
      • Simplified network design with a single logical distribution layer device
      • No First Hop Redundancy Protocol needed
      • EtherChannel-based traffic load sharing across multiple uplinks
      • Allows for extending VLANs across multiple access layer switches without creating STP blocking links and liability
      • Supports sub-second convergence
      • No Cisco differentiating enhancements required to achieve sub-second convergence
      • No access layer stickiness, i.e. any access switch will work with VSS
      • Allows for multivendor access switches
      • Distribution switches managed as one entity
      Challenges:
      • Cisco proprietary solution, requires Cisco switches in the distribution layer
      • Access switches managed individually
      • Single control plane is a concern for some customers
  21. Traditional Access: Routed Access Design
      Considerations:
      • Single control plane
      • Simplified network recovery
      • Additional IP address usage
      • VLANs constrained to the wiring closet
      • Common set of troubleshooting tools
      (Diagram, routed access campus design: Backbone/Core, Distribution, Access, Wireless LAN Controller with CAPWAP tunnel to CPE, Cisco Prime/LMS, ISE)
  22. Characteristics of the Routed Access Deployment Model
      Benefits:
      • Single control plane = less complexity
      • Less protocol tuning required for sub-second convergence (protocol dependent)
      • Common set of troubleshooting tools
      • ECMP default behavior for efficient utilization of available links and fast convergence
      • Avoids flooding downstream
      • No FHRP required
      • No trunking required
      • Permits VLAN ID reuse
      • Simplified multicast topology
      Challenges:
      • Requires additional IP address management and utilization
      • VLANs limited to the wiring closet; cannot span VLANs across closets
      • May require ECMP/CEF hash-tuning for most efficient path utilization (older hardware)
      • RSPAN not possible (ERSPAN required)
  23. Lead Platforms for Traditional Access (updated as per Oct 2013)
      • Backbone, modular: Catalyst 6807-XL, 6880-X, Catalyst 6500-E
      • Access, modular: Catalyst 4500-E Sup8E
      • Access, fixed: 3850, 3650
  25. Converged Access
      Considerations:
      • Mobility Controller / Mobility Oracle (MC/MO): WiSM2, 5508, 8510*, 3850, 3650*, 5760
      • Single QoS model for wired/wireless
      • Complete visibility into wireless traffic
      • Consistent services for wired/wireless
      • No external controller for up to 250 APs
      • Future proof for 802.11ac
      • Access layer acts as Mobility Agent (MA); multilayer, VSS, or routed access supported
      (Diagram: Backbone/Core, Distribution, Access with CAPWAP tunnel terminating on the access switch, Cisco Prime, ISE; * roadmap)
  26. Characteristics of Converged Access
      Benefits:
      • Can be deployed with the existing traditional wireless architecture for ease of migration
      • 3850/3650/4500E* can terminate CAPWAP as the Mobility Agent with existing 5508, WiSM2, 3850, 3650*, 5760, 8510* acting as the Mobility Controller
      • Single QoS model for wired and wireless on 3850/3650/4500E*
      • Provides Flexible NetFlow across all ports for wired and wireless
      • Supports multicast better based on how CAPWAP is terminated
      Challenges:
      • Multiple management and troubleshooting points for wireless
      • Prime and WebGUI lacking in functionality
      • Wired migration blockers between 3850 and 3750X
      • Wireless migration blockers between AireOS and IOS
      * Roadmap
  27. Wired Access Deployment: feature enhancements within FY14
      Releases: 3.2.2 (yesterday), 3.3 (today / October CY13), 3.6 (Q2 CY14)
      • Infra: 9 member stacking, HSRP, Critical Voice VLAN, Services Discovery Gateway; VRRPv3, IPv6 Routing/PBR/VRF
      • Security: SGT/SGACL on wired and wireless (MACsec and FHS in a future release); Device Sensor
      • AVC: Wireshark; Medianet (MSI/MSP)
      • Management: 3650 management with PI 2.0.1; PI 2.1
      • Certification: IPv6, USGv6; FIPS, Common Criteria, UCAPL
  28. Converged Access Deployment Model: feature enhancements within FY14
      3.2.2 (yesterday):
      • AP support: AP3600, AP2600, AP1600, AP1140, AP1260, AP3500
      • Wireless features: BYOD onboarding, 802.11r/k/w, App Visibility, Bonjour
      • WebGUI: introduced WebGUI to set up WLAN deployment
      • PI: PI 2.0 manages IOS-XE 3.2.x and AireOS 7.4 MR
      3.3 MR (Q4 CY13):
      • AP support: AP3700 and 802.11ac module on AP3600
      • Wireless features: AP SSO stack cable, CMX with PI 2.0, Policy Classification Engine (PCE)
      • WebGUI: improved http performance; supports App Visibility, QoS, Bonjour, HA; better defaults, improved usability flows
      • PI: PI 2.0.1 manages IOS-XE 3.3 and AireOS 7.6 with 7.4 MR features, 5508/WiSM2 as MC; device support for Switch 3650, 802.11ac and 9 member stack
      3.6 (Q2 CY14):
      • AP support: AP700I, AP700W and 1532
      • Wireless features: QoS on AVC, Bonjour Ph 2, MC support on 5508, WiSM2, 8500 with 8.0
      • WebGUI: improved https performance; MC management of MA; new features e.g. PCE, Federal certs
      • PI: PI 2.1 manages IOS-XE 3.6 and AireOS 8.0; key feature support such as AVC, Bonjour, SSO
  29. Cisco Unified Access Wireless Deployment Modes
      AireOS FlexConnect (over the WAN):
      • Position in wireless-only deals
      • Position for multiple branches
      • Up to 100 APs per site
      • Position for 802.11ac, 802.11n
      AireOS Centralized (intranet):
      • Position in wireless-only deals
      • Position for campus
      • Richest feature set
      • Position for 802.11ac, 802.11n
      IOS Centralized (intranet):
      • Position for greenfield campus
      • Upgrade from AireOS 7.0
      • Two controllers per site
      • IOS 3.3 / PI 2.0.1
      IOS Converged Access:
      • Position as a future-proof switch
      • Position for SDN relevance
      • IOS 3.3 / PI 2.0.1 = up to 50 APs
      • IOS 3.6 / PI 2.1 = up to 250 APs
      Today:
      • Sell AireOS with 802.11ac
      • Sell the 3850/3650/4K (Sup8-E) as future-proof switches
      Converged Access deployment and Prime Infrastructure mature in FY14:
      • Branch and small campus ready in December (today) with 802.11ac
      • Mixed AireOS and IOS deployments and large campus ready in May 2014
  30. Branch Deployments with Converged Access (deployable today)
      • Multilayer or routed access
      • 50 to 250 APs
      • Single platform for wired and wireless
      • Wired and wireless traffic visibility at every hop
      • Consistent security and QoS control
      • Integrated controller (3850/3650)
      • Maximum resiliency with fast stateful recovery
      • Scale with distributed wired and wireless data plane (480G stack / 40G wireless per switch)
      (Diagram: branch with Employee and Guest WLANs, WAN, DMZ, Prime and ISE)
  31. Wireless Deployments Using 5760 and 3850
      5760-based successful deployments and trials:
      • ~350 customers booked ~1000 units of WLC-5760
      • Majority Education & Healthcare (campus)
      3850-based successful deployments and trials:
      • ~400 customers booked ~40K licenses on 3850 & 5760
      • Majority Professional Services (small sites)
  32. Lead Platforms for Converged Access
      • Backbone, modular: Catalyst 6807-XL, 6880-X, Catalyst 6500-E
      • Access, modular: Catalyst 4500-E Sup8E
      • Access, fixed: 3850, 3650
  34. Instant Access
      Managed devices: 1 (instead of 20+) per 1000-port campus distribution block; reduced TCO
      Considerations:
      • Satellite device capable of stacking, PoE+
      • Single point of management, configuration and troubleshooting
      • Simplified network design for VLANs and port channels
      • Agile infrastructure to add new features uniformly across the access layer
      • A single image to deploy and manage across the distribution block
      (Diagram: ISE, Cisco Prime, distribution block with Instant Access satellites)
  35. Characteristics of Instant Access
      Benefits:
      • Provides a single point of management, configuration and troubleshooting for the distribution block
      • Simplified distribution block design; eliminates configuration on the uplinks
      • Simplified image management and qualification
      • 6K IOS feature robustness available at the access
      • Can be used with Traditional or CA
      • Provides a solution for customers who need MPLS in the access layer
      Challenges:
      • Currently limited to a distribution block design of 1000 ports
      • Large amounts of east-west traffic would increase uplink bandwidth utilization (oversubscribed to start)
      • Only supported with VSS configuration (supported with a single switch in VSS mode)
      • Access feature differences/lag between 6K and traditional access platforms 2K/3K/4K
      • Converged Access not available in combination with Instant Access
  36. Lead Platforms for Instant Access
      • Backbone, modular: 6880-X, Catalyst 6807-XL, Catalyst 6500-E
      • Access, fixed: Catalyst 6800ia
      • Access, modular: not applicable
  38. Converged Access Mode: Guiding Principles
      Future proof with the latest hardware; sell the vision of CA.
      Lead with Converged Access products for customers who are considering wired + wireless refresh opportunities and:
      • Want to future proof their enterprise with the best possible access switch: 3850, 3650 & 4K with Sup8E (advanced QoS, visibility, UPOE)
      • Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)
      • Are interested in WLAN deployments in a small campus or branch (large/complex deployments after CQ2-CY14)
      • Want to provide full traffic visibility, advanced QoS, maximum resiliency and scale with a single platform for wired & wireless
      Evaluate AireOS or other deployment scenarios when:
      • Large campus deployments are needed today (planned Q2-CY14)
      • The latest AireOS-based controller features are required today (planned Q4-CY13 and Q2-CY14)
      • 802.11ac support is required today (planned CQ4-2013)
      • FlexConnect, indoor or outdoor mesh, and Office Extend AP modes are a requirement (on radar)
      • Fully managed AireOS + Converged Access deployments are required (planned Q2-CY14)
  39. Instant Access: Guiding Principles
      6800/6500 feature consistency and operational simplicity in the access.
      Customers who:
      • Want to extend 6500/6800 features and operational consistency into the access
      • Continue with Catalyst 6500/6800 features like MPLS and advanced segmentation (EVN) in the access
      • Have distribution blocks limited to 1000 user ports or less and have overlay wireless
      • Want to manage the campus with fewer touch points and/or limited technical staff
      • Want simplified image management and qualification criteria in a distribution block
      Evaluate the other deployment scenarios when:
      • Already sold on the converged access vision
      • Already sold on the value of the new 3850/3650/Sup8E in the access to address growing mobility and application services needs
      • Environments have more than 1000 access ports in a distribution/access domain
      • Local switching is a must
  40. Guiding Principles: Traditional Access (Multilayer, RA, & VSS)
      Sell the best switches on the planet (you don't have to change your design); lead with the latest switching solutions (4500/Sup8E, 3850, 3650).
      Customers who:
      • Have a preference for the most common wired deployment model
      • Want the flexibility of a centralized or distributed wireless model
      • Want the best possible access switch: 3850, 3650 & Sup8E (advanced QoS, visibility, UPOE)
      • Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)
      • Have a multi-vendor wired and wireless environment
      Evaluate the other deployment scenarios when:
      • The customer is sold on the vision of converged access and can wait 6-12 months for a large deployment
      • 6500/6800 feature and operational simplicity with reduced touch points in the access is wanted
  41. The Three Things You MUST Know About the Customer
      • Customer priorities
      • Deployment mode
      • Access platforms
