Catalyst 6800, a new network core for new usages


Security, performance, virtualisation, programmability and data-center interconnection are examples of the functions now required of a network core, where BYOD, cloud and video are putting pressure on the infrastructure.

In this presentation we look at how the new Catalyst 6800 family (6807-XL, 6880-X, 6800ia) addresses the new challenges of the enterprise backbone.


  1. Breakfast session, 24 June 2014. Catalyst 6800: a new core for new usages. Jean-Louis TILLET, Vincent MAKOWSKI, Jérôme DURAND. http://reseauxblog.cisco.fr http://ipv6blog.cisco.fr
  2. Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved. Agenda: 9:30 to 10:00, new usages in the enterprise; 10:00 to 10:45, the new Catalyst 6800 family; 10:45 to 11:30, advanced services for the network core; 11:30 to 12:00, Instant Access demos (in the lounge).
  3. Jean-Louis TILLET
  4. Traffic and service adoption drivers, 2013-2018 (growth catalysts): more video viewing (79% of all IP traffic); faster broadband speeds (2.6-fold speed increase); more devices (21 billion connections); more Internet users (4 billion).
  5. Global IP traffic by device type: by 2018, non-PC devices will drive 57% of global IP traffic (21% CAGR, measured in exabytes per month). Device traffic share (2013, 2018): PCs 67.2%, 42.8%; TV 26.5%, 23.6%; smartphones 3.5%, 16.3%; tablets 2.2%, 14.0%; M2M 0.4%, 2.8%; other portable devices 0.1%, 0.4%; non-smartphones 0.1%, 0.1%. Source: Cisco VNI Global Mobile Data Traffic Forecast, 2013-2018.
  6. Average global traffic per device per month (2013-2018): tablet 4.0-18 GB; Ultra High Definition TV 22.9-26.3 GB (includes IP VoD traffic); laptop/PC 22.7-39.2 GB; Internet set-top box or dongle 8.0 GB; smartphone 1.0-5.4 GB; M2M module 78-514 MB. Source: Cisco VNI Global IP Traffic Forecast, 2013-2018.
  7. Global IP video traffic growth: IP video will account for 79% of global IP traffic by 2018 (21% CAGR 2013-2018, measured in petabytes per month). Traffic share (2013, 2018): Internet video 42%, 60%; IP VoD 23%, 19%; web/data 21%, 15%; file sharing 13%, 6%; gaming 0.05%, 0.09%. Source: Cisco VNI Global IP Traffic Forecast, 2013-2018.
  8. The network effect of the beautiful game: global IP streaming and digital broadcast of the World Cup is estimated to drive 4.3 exabytes, nearly 3x the current monthly broadband traffic of Brazil.
  9. 32 to 209 times the bandwidth.
  10. Drastic change in application type, delivery and consumption: types of application (storage, database); how applications are delivered (VDI / IaaS, private cloud, public/hybrid cloud, SaaS/IaaS); how applications are consumed (proliferation of devices, users and machines). The network sits in the middle of all three.
  11. The changing role of IT. Business implications: agility and speed; growth and innovation; security and privacy; new business models; experience expectations. Technology transitions: mobile; a new breed of apps; cloud; data and analytics; Internet of Things.
  12. Customer expectations are changing: 4x less time to deploy technology and deliver new business capabilities (deployment-time advantage of Salesforce Sales Cloud vs. Siebel); 66% of CIOs cite business strategy and driving business innovation as their top priority (the CIO function as a revenue driver, not a cost center); 51% of CIOs prioritise improving IT staff productivity and operational efficiency as the top goal for the next 3 years (automation to improve productivity).
  13. Today's CIO challenge, managing growing demand for IT projects: 70-80% of IT budgets go to maintenance, the remainder funds new projects, and business opportunities are missed.
  14. Where IT time goes (source: a commissioned study conducted by Forrester Consulting for Cisco Systems, 2012): monitoring and troubleshooting; security configurations; initial install, configs and testing; upgrading equipment.
  15. Model for next-generation IT: applications, application interfaces, platform, infrastructure interfaces, infrastructure and services, with new business models and a partner ecosystem.
  16. Vincent Makowski
  17. Reminder on the Catalyst 6500 family. Chassis: 6503-E, 6504-E, 6506-E, 6509-E, 6509-V-E, 6513-E. 40G/slot line cards: 6704, 6708, 6716 (fiber); 6724, 6748 (copper). 80G/slot line cards: 6816, 6904, 6908 (fiber; CFP-LR4, CFP-SR4 and CVR-4SFP optics); 6824, 6848 (copper). Service modules: NAM-3, ASA-SM, WiSM2.
  18. Sup2T overview, scalability enhancements: BYOD and collaboration with Supervisor 2T, 4x scalability, 3x performance. New PFC4 featuring improved levels of performance and scalability along with new hardware features; USB-based console support; Connectivity Management Processor (CMP); new MSFC5 supporting a dual-core CPU and a single IOS image; improved switch fabric providing 80G/slot. Sup720 vs Sup2T: L2 MAC table 96K vs 128K; bridge domains 16K; TrustSec / SGT: no vs yes; VNET trunk (EVN): no vs yes; 40G interfaces: no vs yes; system bandwidth 720 Gbps vs 2 Tbps; L3 interfaces 4K vs 128K; NetFlow table 128K/256K vs 512K/1M; Flexible NetFlow: no vs yes; hitless ACL updates: 32K vs yes; Medianet 2.2: yes (low) vs yes (high); VPLS / A-VPLS: requires a WAN module vs yes (native on PFC4); VSS quad-sup SSO: no vs yes.
  19. Cisco Catalyst 6000 supervisor lifecycle to 2020+ (timeline 2000 to 2020+): Sup1A and Sup2 have reached end of sale and end of life, with support maintained; Sup32, Sup720-3A, Sup720-3B and Sup720-10G (VSS enabled) follow 12-year lifecycles with end of sale, end of life and maintained support; Supervisor 2T, the next-generation supervisor, FCS June 2011. EoS = end of sale, EoL = end of life.
  20. Cisco Catalyst 6800 (Catalyst 6807-XL, 6880-X, 6800ia): next-generation 10/40/100G backbone services. Investment protection: reuse of the 6500 chassis line cards. Innovation: 10G/40G/100Gbps* density, up to 880G/slot, 11.4 Tbps global capacity. Simplicity: Instant Access, service cards, programmability via onePK (SDN). * Roadmap.
  21. Introduction to the new 6807-XL chassis, modularity and performance: 7 slots, 10 RU. Investment protection: compatible with Sup2T, 6700, 6800, 6900 and the latest service modules; backwards-compatible backplane connectors; Catalyst 6500 DNA. Low power and noise, high-efficiency fans; up to 4 (N+1) redundant power supplies, 3000W AC; up to 880G/slot capable, next-generation ready; side-to-side airflow (redirectable via airflow baffles).
  22. Catalyst 6500-E and 6807-XL support matrix for the modular platforms (columns: 6500-E with Sup720, 6500-E with Sup2T, 6807-XL with Sup2T). 6900 series and 6800 series cards: Sup2T platforms. WS-X6716-10G/T, WS-X6708-10G and WS-X6704-10GE (with DFC3): supported on the Sup2T platforms with a WS-F6K-DFC4-E upgrade. 6700 series 1GE (with DFC3): with WS-F6K-DFC4-A on the Sup2T platforms. Also listed: 6700 series with CFC, 6100 PoE cards, service modules* and WAN cards; future 32x10G / 4x100G cards. * NAM-3, ASA-SM, WiSM-2, ACE30.
  23. Catalyst 6500 10G portfolio providing deployment options. WS-X6908-10G-2T: 80G max throughput, X2 optics, 256 MB egress buffers per port; full-feature L2/L3 module with MPLS, VPLS, IPv4/IPv6, 1M+ IPv4 routes and 1M NetFlow entries; large buffers, SGT, MACsec, LISP; ideal for campus aggregation and core. WS-X6904-40G-2T: 80G, CFP and SFP/SFP+ optics, 21 MB; the same full-feature L2/L3 set; 10G flexibility, SGT, MACsec, LISP, dual priority queues, two-level shaping, Instant Access; campus aggregation and core. WS-X6816-10G-2T: 40G, X2 optics, 90 MB; the same full-feature L2/L3 set; campus aggregation.
  24. 10G/40Gbps flexibility, WS-X6904-40G / 40GXL-2T: dCEF2T, 80 Gbps/slot; 4 CFP 40GE ports or 16 SFP+ 10GE ports; 2 x 40 Gb connections to the switch fabric; integrated DFC4 / DFC4XL; supports Cisco TrustSec on all ports; supports VSL on all ports.
  25. The new Catalyst 6880-X, a C6K-based "extensible" fixed platform: up to eighty 1G/10G ports or twenty 40G ports*; fixed module with sixteen 10/100/1000/10G ports or up to four 40G ports; x86 2 GHz CPU, 4 GB DRAM; MACsec, VSS, Instant Access, MPLS, VPLS, LISP, SGT and 1588(*) capable on every port; low power, low-noise fans, Platinum efficiency, redundant AC and DC power supplies. * Roadmap.
  26. Catalyst 6880-X base board and system controller: 16 x SFP+ ports with VSS, IA (FEX), LISP, MPLS, HQoS, MACsec, SGT, 1588 PTP and AVB* available on every port; enhanced control-plane scale with a new x86 2.0 GHz dual-core CPU; USB host (type A), USB console (type B), RJ-45 console and management ports; forwarding daughter board on the system base board. Two hardware options, 6880-X-LE vs 6880-X: IPv4/v6 routing capability 256K/128K vs 2M/1M; multicast routes (IPv6) 64K vs 256K; number of adjacencies 256K vs 1M; MAC addresses 128K vs 128K; L3 interfaces 128K vs 128K; security and QoS ACL 64K vs 256K; Flexible NetFlow 512K vs 1M; microflow policers 512 vs 512; aggregate policers 8K vs 8K. * Under investigation / roadmap.
  27. 16-port SFP+ multi-rate port card, supporting 10 Mbps to 40 Gbps. Two versions, Standard (LE) vs Large Tables: FIB table v4/v6 256K/128K vs 2M/1M; NetFlow table 512K vs 1M; security ACL table 64K vs 256K; port buffering 24 MB per port on both. Port speed and type: 10/100/1000 Mb/s copper, 16 ports (GLC-T SFP); 1 Gb/s fiber, 16 (SFP); 10 Gb/s fiber, 16 (SFP+); 40 Gb/s fiber, 4 (SFP-QSFP*). MACsec, FEX, LISP, VSS, SGT and 1588 capable on every port. Forwarding engine daughter board on the port card base board; port card status LED, port card ID LED, per-port status LEDs, ejector lever. * Roadmap.
  28. Catalyst Instant Access client, the 6800ia: 48 x 1G RJ45 ports; Catalyst 6500 features at the access layer; 2 x 10G SFP+ uplink ports; data and PoE/PoE+ options; stackable up to three members at FCS; system and status LEDs; RPS connector.
  29. No more repetitive operations. IT spends most of its time on repetitive operational actions for access switches: 28% monitoring and troubleshooting, 19% security configurations, 18% initial install, configs and testing, 14% upgrading equipment (source: a commissioned study conducted by Forrester Consulting for Cisco Systems, 2012). Introducing Instant Access: simple install and connect.
  30. Cisco Catalyst Instant Access: the Instant Access clients attach to the parent VSS pair (joined by the VSL) over LACP or PAgP port-channels, in the place of conventional access switches, and are driven from the parent by the SDP, SRP and SCP satellite protocols.
  31. Benefits of Instant Access: simplifies operations via a single point of management, configuration and troubleshooting across the distribution and access block; Catalyst 6500 features at the access layer; consistent features and an agile infrastructure across the access layer.
  32. Instant Access (IA) satellite capabilities, key differences from the Nexus FEX (Fabric Extender): fabric link connects switches; stacking; PoE+; spanning-tree bpduguard can be disabled.
  33. Catalyst Instant Access components: parent Supervisor 2T in a 6500E, 6807-XL* or 6880-X*, with WS-X6904-40G uplinks; Catalyst 6800ia clients (10G uplink ports, PoE+ support, integrated stacking module). * 6807-XL and 6880-X will be available in Q4 CY13. Configuration on the parent: each port-channel towards a client is bound to a FEX ID, after which the client's ports are configured on the parent as GigabitEthernet<fex-id>/<stack-member>/0/<port>, like any local port:

interface Port-channel4
 fex associate 101
interface Port-channel5
 fex associate 102
interface Port-channel6
 fex associate 103
!
interface GigabitEthernet101/1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
  34. Enterprise network, 3000-port example (core, aggregation, access): number of managed devices = 68 (60 access devices, 6 distribution devices, 2 core devices).
  35. Enterprise network with stacking: number of managed devices = 28 (20 access, 6 distribution, 2 core).
  36. Enterprise network with VSS and stacking: number of managed devices = 24 (20 access, 3 distribution, 1 core).
  37. Enterprise network with Instant Access: number of managed devices = 4.
  38. Catalyst Instant Access phase-1 scalability: maximum client-node user ports 1008; maximum FEX IDs 12; maximum client switches 21; maximum clients in a stack 3; maximum user ports in a stack 144. A client node ID is a single client or a stack; when using individual clients, a maximum of 12 switches is supported. Example combinations (IDFs x user ports per IDF, switches per stack, total user ports): 7 x 144, stacks of 3, 1008; 10 x 96, stacks of 2, 960; 5 x 192, stacks of 2, 960; 3 x 288, stacks of 3, 864; 12 x 48, single clients with no stack, 576. Most optimal where an IDF has 96 or more ports; single-client IDFs support fewer overall ports.
  39. Catalyst Instant Access fabric-link connectivity scenarios: dual-homed to the VSS pair (recommended design); dual-homed across stack members; up to 6 uplinks (60G) in a MEC from client to parent.
  40. Jérôme DURAND
  41. Catalyst 6k, unmatched innovation in the core: AutoQoS, BGP, DHCP, EoMPLS, FHRP, Flexible NetFlow, IPv6, MPLS LDP, VSS, multicast, MPLS TE and VPN, WCCP, hardware-based NAT, object-group ACL, hardware-based GRE, VRF-aware NAT, Mini Protocol Analyzer.
  43. VSS quad-sup SSO now available on the C6807-XL with Instant Access (C6807-XL and Sup2T, IA with 15.1(2)SY2). VSS switch 1 (SSO active) holds an in-chassis active supervisor and an in-chassis standby in the Standby Hot (Chassis) state; VSS switch 2 (SSO hot standby) likewise holds an in-chassis active and an in-chassis standby. STANDBY HOT (CHASSIS) is a new redundancy mode created for the VSS in-chassis standby (ICS) supervisor: it lets the ICS supervisor operate in a separate RF/CF (SSO) domain while the traditional RF/CF (SSO) domain is maintained between the two VSS chassis. Instant Access support for VSS quad-sup SSO with the 6807-XL was added in 15.1(2)SY2.
  44. IP FRR with Loop-Free Alternate (LFA): process-independent IGP sub-second convergence. Based on the pre-selection of a backup path other than the primary next hop, it provides local protection for unicast traffic (IP and MPLS/LDP) in the event of a single failure, whether link, node or shared-risk link group (SRLG). Data plane: the FIB pre-installs the backup path in hardware; traffic is redirected to the LFA immediately upon failure; the LFA takes its forwarding decision without knowledge of the failure. The calculating node therefore holds a primary path via the primary next hop and a repair path via the alternate. Configuration and the resulting route entry (OSPF, whose default administrative distance is 110):

router ospf 1
 router-id 10.1.1.1
 fast-reroute per-prefix enable prefix-priority low
 network 10.0.0.0 255.255.255.255 area 0
 ...

Router#show ip route 10.7.7.7
Routing entry for 10.7.7.7/32
  Known via "ospf 1", distance 110, metric 12, type inter area
  Redistributing via bgp 6800
  Last update from 10.2.4.4 on Port-channel1, 1w0d ago
  Routing Descriptor Blocks:
  * 10.1.2.1, from 10.1.2.1, 1w0d ago, via Port-channel1
      Route metric is 12, traffic share count is 1
      Repair Path: 10.1.3.1, via Port-channel2
Router#
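As an added worked example (not part of the Cisco deck and not IOS code), the Python below computes what `fast-reroute per-prefix enable` pre-installs for one prefix: the primary next hop and, when one exists, a loop-free alternate satisfying the RFC 5286 inequality D(N,D) < D(N,S) + D(S,D). The topologies, link costs, router names and interface names are constructed assumptions chosen so that the result matches the shape of the `show ip route` output above (metric 12 via Port-channel1, repair path via Port-channel2); a second constructed topology shows the case where the only other neighbour would loop traffic back and the prefix stays unprotected.

```python
"""Per-prefix Loop-Free Alternate (LFA) selection.

Added example, not from the Cisco presentation.  The topologies, costs and
interface names below are constructed assumptions.
"""
import heapq
from typing import Dict, Optional, Tuple

Graph = Dict[str, Dict[str, int]]  # node -> {neighbour: link cost}

# Constructed topology (assumption). S is the calculating node, D the
# destination; S reaches D cheaply via R1 and expensively via R3.
TOPOLOGY: Graph = {
    "S":  {"R1": 10, "R3": 20},
    "R1": {"S": 10, "D": 2},
    "R3": {"S": 20, "D": 2},
    "D":  {"R1": 2, "R3": 2},
}

# Same shape, but R3's own best path to D runs through S, so sending
# traffic to R3 during a failure would loop it back.  No LFA exists.
TOPOLOGY_NO_LFA: Graph = {
    "S":  {"R1": 10, "R3": 5},
    "R1": {"S": 10, "D": 2},
    "R3": {"S": 5, "D": 30},
    "D":  {"R1": 2, "R3": 30},
}

# Interface on S facing each neighbour (assumption, mirrors the slide).
S_INTERFACES = {"R1": "Port-channel1", "R3": "Port-channel2"}


def spf(graph: Graph, root: str) -> Dict[str, int]:
    """Dijkstra: cost of the shortest path from root to every node."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue
        for nbr, w in graph[node].items():
            new = cost + w
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                heapq.heappush(heap, (new, nbr))
    return dist


def primary_next_hop(graph: Graph, src: str, dst: str) -> Tuple[str, int]:
    """Neighbour of src on the shortest path to dst, with the path metric."""
    best = None
    for nbr, w in graph[src].items():
        metric = w + spf(graph, nbr)[dst]
        if best is None or metric < best[1]:
            best = (nbr, metric)
    return best


def loop_free_alternate(graph: Graph, src: str, dst: str) -> Optional[str]:
    """Return a neighbour N != primary satisfying the RFC 5286 link-protecting
    condition  D(N, dst) < D(N, src) + D(src, dst).  Such an N forwards to dst
    without ever routing back through src, so src may switch to it before the
    IGP has reconverged.  The cheapest qualifying neighbour wins."""
    primary, d_src_dst = primary_next_hop(graph, src, dst)
    candidates = []
    for nbr, w in graph[src].items():
        if nbr == primary:
            continue
        d_nbr = spf(graph, nbr)
        if d_nbr[dst] < d_nbr[src] + d_src_dst:
            candidates.append((w + d_nbr[dst], nbr))
    return min(candidates)[1] if candidates else None


def route_entry(graph: Graph, src: str, dst: str) -> Dict[str, object]:
    """The pieces the FIB pre-installs for one prefix: primary and repair."""
    primary, metric = primary_next_hop(graph, src, dst)
    repair = loop_free_alternate(graph, src, dst)
    return {
        "primary": primary,
        "primary_interface": S_INTERFACES.get(primary),
        "metric": metric,
        "repair": repair,
        "repair_interface": S_INTERFACES.get(repair) if repair else None,
    }


if __name__ == "__main__":
    for name, g in (("with LFA", TOPOLOGY), ("without LFA", TOPOLOGY_NO_LFA)):
        print(name, route_entry(g, "S", "D"))
```

The second topology is the check worth running before relying on per-prefix LFA: a router can have a perfectly good second link and still leave the prefix unprotected because the neighbour on that link prefers to go through the calculating node itself.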
  46. Multicast-only Fast Re-Route (MoFRR), sub-second multicast convergence (IPv4, 15.1(2)SY, Sup2T). Operation: (1) MoFRR sends PIM joins on both the primary and the secondary ECMP path; (2) this builds a primary and a secondary stream, and duplicate packets reach the last-hop router (LHR) over both paths; (3) the LHR forwards the primary stream and discards the duplicates arriving on the secondary stream (RPF drop); (4) if the primary path fails, MoFRR immediately forwards the secondary stream. Key benefits: about 200 ms convergence by pre-building an alternate multicast tree; convergence independent of unicast routing convergence; leverages multicast (S,G) load balancing.
  47. Address translation: NAT / PAT and MSR in hardware. IOS support for NAT / PAT and MSR with IPv4 and VRF; NAT64 and DNS64 with the ASA-SM. Network / Port Address Translation: the inside web server 10.10.10.1 talking to 69.83.10.120 appears on the outside LAN as 64.16.10.1, taken from the pool NAT. Configuration on the Catalyst 6K:

ip nat pool NAT 64.16.10.1 64.16.10.63 prefix-length 24
ip nat inside source list 64 pool NAT
!
access-list 64 permit 10.10.10.0 0.0.0.255
!
interface GigabitEthernet1/1
 ip nat inside
!
interface GigabitEthernet1/2
 ip nat inside
!
interface GigabitEthernet2/1
 ip nat outside

Multicast Service Reflection (MSR): the inside source 83.1.1.10 sending to group 228.1.1.10 is reflected onto the outside LAN as source 80.1.1.100 sending to 239.1.1.10, through the Vif1 interface that joins the original (S,G). The reflect line names the input interface (GigabitEthernet1/1 assumed here), the original and new destination and the new source:

interface Vif1
 ip address 80.1.1.100 255.0.0.0
 ip pim sparse-mode
 ip service reflect GigabitEthernet1/1 destination 228.1.1.10 to 239.1.1.10 mask-len 32 source 80.1.1.100
 ip igmp static-group 228.1.1.10 source 83.1.1.10
!
interface GigabitEthernet1/1
 ip pim sparse-mode
!
interface GigabitEthernet1/2
 ip pim sparse-mode
!
interface GigabitEthernet2/1
 ip pim sparse-mode
  49. Segmentation: the challenge of traditional security enforcement. Access control with IP access control lists is topology-based, manually configured, error-prone, unscalable and difficult to maintain. In the example, VLAN 10 is IT (3.1.1.1), VLAN 20 is Finance (2.1.1.1), VLAN 30 is Doctor (1.1.1.1), and the VPN users on VLAN 99 (99.1.1.1, 98.1.1.1) could be Doctor, IT or Finance: nothing in the address says which, so no correct IP ACL can be written for them. Per-host ACLs have to be maintained at the distribution and at the core (the Identity Services Engine, the directory service and the WLC sit alongside but do not drive them), and the same lists are duplicated at each enforcement point:

permit tcp 3.1.1.1 100.1.1.1 eq https
permit tcp 3.1.1.1 100.1.1.1 eq 8081
deny ip 3.1.1.1 200.1.1.2
permit tcp 2.1.1.1 150.1.1.1 eq https
permit tcp 2.1.1.1 150.1.1.1 eq 8081
permit tcp 2.1.1.1 150.1.1.1 eq 445
deny ip 2.1.1.1 200.1.1.2
permit tcp 1.1.1.1 100.1.1.1 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 100.1.1.2 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 200.1.1.1 eq https
deny ip 1.1.1.1 200.1.1.1

(The permit for 1.1.1.1 to 100.1.1.2 on https sits after a deny for the same pair and can never match: exactly the ordering error such lists invite.) In the data center the same intent is written once more per server:

permit tcp any 200.1.1.1 eq https
permit tcp any 200.1.1.1 eq 8081
deny ip all
permit tcp any 150.1.1.1 eq https
permit tcp any 150.1.1.1 eq 8081
permit tcp any 150.1.1.1 eq 445
deny ip all
permit tcp any 100.1.1.1 eq https
deny ip all
  50. Segmentation with Security Group Tagging (SGT) and SGACLs in a Cisco TrustSec domain. At ingress the switch, with the Identity Services Engine, classifies the endpoint in a device-aware and identity-aware way (Doctor corporate PC: Doctor; Doctor personal PC: NA; Doctor IP phone: Voice) and imposes the SG tag on the incoming traffic; the SGACL is enforced at egress (SGA is ingress tagging and egress enforcement). Policy is written between groups rather than between addresses, for example from source group 10 to destination group 111:

cts role-based permissions from 10 to 111
  permit tcp dst eq 443
  permit tcp dst eq 80
  deny ip
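As an added example (not code from the Cisco deck, ISE or IOS), the Python below makes the scaling argument of the two preceding slides concrete: one segmentation policy is compiled once as per-address IP ACEs and once as a role-to-group SGACL matrix, and both are evaluated against the same flows. The host inventory and server addresses mirror the slides (3.1.1.1 IT, 2.1.1.1 Finance, 1.1.1.1 Doctor, 99.1.1.1 and 98.1.1.1 on the shared VLAN 99); the server group names EMR/FIN/WEB, the role-to-port matrix and the rule counts are assumptions.

```python
"""IP ACL versus SGT/SGACL enforcement for the same segmentation policy.

Added example, not from the Cisco presentation.  Inventory, group names
and the permit matrix are constructed assumptions.
"""
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, destination port)

# Source hosts -> role.  With TrustSec the role is what ISE returns at
# 802.1X / VPN login and becomes the SGT; with IP ACLs it has to be
# encoded in the address plan, which the VLAN 99 hosts break.
HOST_ROLE: Dict[str, str] = {
    "3.1.1.1": "IT",          # VLAN 10
    "2.1.1.1": "Finance",     # VLAN 20
    "1.1.1.1": "Doctor",      # VLAN 30
    "99.1.1.1": "Doctor",     # VLAN 99 (VPN): role not readable from the IP
    "98.1.1.1": "IT",         # VLAN 99 (VPN)
}
# Destination servers -> server group (destination SGT).
SERVER_GROUP: Dict[str, str] = {"100.1.1.1": "EMR", "150.1.1.1": "FIN", "200.1.1.1": "WEB"}

# Role-pair policy: allowed (proto, port) per (source role, server group).
# Pairs missing from the matrix are denied.
POLICY: Dict[Tuple[str, str], Set[Port]] = {
    ("Doctor", "EMR"): {("tcp", 443)},
    ("IT", "EMR"): {("tcp", 443), ("tcp", 8081)},
    ("Finance", "FIN"): {("tcp", 443), ("tcp", 8081), ("tcp", 445)},
    ("Doctor", "WEB"): {("tcp", 443)},
    ("IT", "WEB"): {("tcp", 443), ("tcp", 8081)},
    ("Finance", "WEB"): {("tcp", 443), ("tcp", 8081)},
}


def compile_ip_acl(host_role: Dict[str, str], server_group: Dict[str, str],
                   policy: Dict[Tuple[str, str], Set[Port]]) -> List[str]:
    """Expand the matrix into per-address ACEs: one permit per
    (host, server, port) and one deny per (host, server).  The list grows
    with hosts x servers, and every new or re-addressed host touches it."""
    aces: List[str] = []
    for host, role in host_role.items():
        for server, group in server_group.items():
            for proto, port in sorted(policy.get((role, group), set())):
                aces.append(f"permit {proto} host {host} host {server} eq {port}")
            aces.append(f"deny ip host {host} host {server}")
    return aces


def compile_sgacl(policy: Dict[Tuple[str, str], Set[Port]], roles: Set[str],
                  groups: Set[str]) -> Dict[Tuple[str, str], List[str]]:
    """One SGACL per (role, group) cell, independent of how many hosts
    exist.  Each cell is what 'cts role-based permissions from A to B' binds."""
    table: Dict[Tuple[str, str], List[str]] = {}
    for role in sorted(roles):
        for group in sorted(groups):
            aces = [f"permit {p} dst eq {port}"
                    for p, port in sorted(policy.get((role, group), set()))]
            aces.append("deny ip")
            table[(role, group)] = aces
    return table


def ip_acl_decision(aces: List[str], src: str, dst: str, proto: str, port: int) -> bool:
    """First-match evaluation of the expanded list, implicit deny at the end."""
    for ace in aces:
        f = ace.split()
        if f[0] == "permit" and f[1] == proto and f[3] == src and f[5] == dst and int(f[7]) == port:
            return True
        if f[0] == "deny" and f[3] == src and f[5] == dst:
            return False
    return False


def sgacl_decision(policy: Dict[Tuple[str, str], Set[Port]], src_role: str,
                   dst_group: str, proto: str, port: int) -> bool:
    """Egress enforcement: lookup by (source SGT, destination SGT) only;
    the host's address never enters the decision."""
    return (proto, port) in policy.get((src_role, dst_group), set())


def ace_count(table: Dict[Tuple[str, str], List[str]]) -> int:
    return sum(len(v) for v in table.values())


if __name__ == "__main__":
    acl = compile_ip_acl(HOST_ROLE, SERVER_GROUP, POLICY)
    sgacl = compile_sgacl(POLICY, set(HOST_ROLE.values()), set(SERVER_GROUP.values()))
    print(len(acl), "IP ACEs versus", ace_count(sgacl), "SGACL ACEs")
```

Adding a sixth host adds five more ACEs to the IP list and none to the SGACL table; the only thing that changes for the VPN user in VLAN 99 is which SGT ISE hands out, not the policy.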
  51. Sup2T virtualization enhancements: Ethernet point-to-point and multipoint L2VPN services; Supervisor 2T supports VPLS, A-VPLS and H-VPLS natively; H-VPLS increases the scalability of VPLS by partitioning the network; A-VPLS greatly simplifies VPLS deployment and management. NetFlow VPN support: Sup2T adds the VPN_ID to the NetFlow key. MPLS, VPLS, VRF-Lite; VRF-aware NetFlow; VRF-aware NAT. LIF benefit for VRFs with EVN: the same VLAN number can be reused on different L3 sub-interfaces belonging to different physical interfaces:

interface GigabitEthernet1/1.1
 encapsulation dot1Q 11
 ip vrf forwarding vrf1
 ip address 10.1.1.2 255.255.255.0
 ...
interface GigabitEthernet1/2.1
 encapsulation dot1Q 11
 ip vrf forwarding vrf1
 ip address 10.0.1.2 255.255.255.0
  52. Network virtualization options (transport, payload, feature names, target). Ethernet transport, Layer 3 payload: VRF-Lite, EVN; campus with a small number of VPNs. MPLS transport, Layer 2 payload: AToM (EoMPLS), VPLS; campus and data-center interconnection. MPL
S transport, Layer 3 payload: MPLS-VPN; large number of VPNs, campus and/or providers. IP transport, Layer 2 payload: L2VPNomGRE, VPLSoGRE; data-center interconnection. IP transport, Layer 3 payload: MPLS-VPN over mGRE, LISP; campus and/or providers.
  53. Virtualization made simple with EVN (Easy Virtual Network): LAN trunks; significant configuration simplification; VRFs are pre-provisioned on the trunk; route replication; IGP-based shared services, BGP not required; enhanced troubleshooting and usability (routing-context, traceroute, debug condition, cisco-vrf-mib). A single 802.1Q trunk carries the global table and every VRF between the two routers.
  54. Virtualization made simple with EVN: VRF-Lite sub-interface configuration versus VNET trunk configuration. Both routers have the VRFs defined; only the VNET router carries the tags, and the trunk derives one sub-interface per VRF from them.

VRF-Lite sub-interface configuration:

interface TenGigabitEthernet1/1
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event link-status
!
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event subif-link-status
!
interface TenGigabitEthernet1/1.102
 description Subinterface for Green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event subif-link-status

VNET trunk configuration (global VRF definitions first):

vrf definition red
 vnet tag 101
!
vrf definition green
 vnet tag 102
!
interface TenGigabitEthernet1/1
 vnet trunk
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
 logging event link-status
  56. Cloud requires application visibility and control. Example challenges: what is the average IPv4 TCP traffic load? Does this building carry more L2 or L3 traffic? How do I identify who is watching YouTube? Can I easily create a video QoS policy? Will I be able to limit the amount of traffic? AVC solutions: monitor TCP and UDP with Flexible NetFlow; build utilisation graphs from the NetFlow export; NBAR can distinguish L7 application types; use metadata to build QoS and FnF policies; traffic shaping and HQoS optimise resources. Three tool sets are listed: (a) Flexible NetFlow (FnF), priority queuing, microflow policing, media services (MSI and MSP), Auto SmartPorts, SPAN/RSPAN/ERSPAN, integrated Wireshark, SGT and MACsec; (b) FnF, priority queuing and LLQ, aggregate policing, metadata QoS and FnF, AVC with WiSM2, Mini Protocol Analyzer (MPA), SPAN/RSPAN/ERSPAN, SGT and MACsec; (c) FnF, traffic shaping and HQoS, metadata QoS and FnF, enhanced object tracking, NBAR2 with NAM-3, MPA, SPAN/RSPAN/ERSPAN, SGT and MACsec.
  57. Application visibility and control, offering wired and wireless application insight and control: access switches, WLAN controllers and backbone switches with the NAM-3, managed through Cisco Prime Infrastructure.
  58. Flexible NetFlow (FnF): how can it really help me? Flow fields available as keys: IPv4, IPv6, L2 MAC, L2 VLAN, UDP, TCP flags, MPLS, multicast and more. Collector ecosystem (NAM, Prime and partners, across the data center, the branch and the Internet edge) covering DoS attack detection, anomaly detection, compliance, IP SLA and capacity planning. FnF benefits: lower CapEx (better insight for capacity planning, network upgrades and compliance); lower OpEx (better service and user experience, increased IT staff productivity). FnF capabilities: deep application visibility with L2-L7 fields; flexible flow monitors and records; scalable flow collection and export; customisable policy actions with EEM; simple to deploy with the NAM-3 and Prime. Campus application visibility.
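As an added example (not from the deck, and not NAM or Prime code), the Python below runs the "DoS attack / anomaly detect" use case the slide lists over flow records. The records are constructed inline in a CSV layout assumed for a collector that has already decoded the Flexible NetFlow export (source, destination, protocol, ports, TCP flags, packets, bytes); the two detectors key on the TCP-flags field the slide names and flag a port scan (one source, many single-packet SYN-only flows to distinct ports on one host) and a SYN flood (one service receiving SYN-only flows from many sources). Thresholds, addresses and the sample flows are assumptions.

```python
"""Two anomaly detectors over decoded Flexible NetFlow records.

Added example, not from the Cisco presentation.  The record layout,
sample flows and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as carried in the NetFlow tcpFlags field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP = 6


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tcp_flags: int   # OR of every flag seen during the flow
    packets: int
    bytes: int


def parse_export(lines: List[str]) -> List[FlowRecord]:
    """Parse 'src,dst,proto,sport,dport,tcp_flags(hex),packets,bytes' lines
    (assumed collector output after decoding the FnF export)."""
    records: List[FlowRecord] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, flags, pkts, byts = line.split(",")
        records.append(FlowRecord(src, dst, int(proto), int(sport), int(dport),
                                  int(flags, 16), int(pkts), int(byts)))
    return records


def _syn_only(f: FlowRecord) -> bool:
    """A TCP flow that opened with SYN and never carried an ACK: a
    connection attempt that was never completed (probe or flood packet)."""
    return f.proto == TCP and bool(f.tcp_flags & SYN) and not (f.tcp_flags & ACK)


def detect_port_scan(flows: List[FlowRecord], min_ports: int = 20) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs where src probed at least min_ports distinct ports
    with short SYN-only flows."""
    ports = defaultdict(set)
    for f in flows:
        if _syn_only(f) and f.packets <= 2:
            ports[(f.src, f.dst)].add(f.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_syn_flood(flows: List[FlowRecord], min_sources: int = 50) -> Dict[Tuple[str, int], int]:
    """(dst, dport) services receiving SYN-only flows from at least
    min_sources distinct sources."""
    sources = defaultdict(set)
    for f in flows:
        if _syn_only(f):
            sources[(f.dst, f.dport)].add(f.src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def sample_export() -> List[str]:
    """Constructed sample: three normal sessions, a 25-port scan from one
    host, and a 60-source SYN flood against 200.1.1.1:443."""
    lines = ["# src,dst,proto,sport,dport,flags,packets,bytes",
             "10.10.10.7,100.1.1.1,6,51000,443,1b,42,31000",   # SYN|ACK|PSH|FIN
             "10.10.10.8,150.1.1.1,6,51001,445,1b,120,98000",
             "10.10.10.9,200.1.1.1,17,53012,53,00,1,78"]       # UDP, no flags
    for i in range(25):
        lines.append(f"10.10.10.5,100.1.1.1,6,{40000 + i},{20 + i},02,1,60")
    for i in range(60):
        lines.append(f"198.51.100.{i + 1},200.1.1.1,6,{33000 + i},443,02,1,60")
    return lines


if __name__ == "__main__":
    flows = parse_export(sample_export())
    print("port scans:", detect_port_scan(flows))
    print("SYN floods:", detect_syn_flood(flows))
```

Both detectors work from aggregated flows rather than packets, which is what makes them cheap enough to run continuously on a collector; the price is that a flow whose flags field was not exported (a UDP flow, or a record from a monitor that omits the field) is silently ignored, so the flow record must include TCP flags as a key or non-key field for this to work.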
  59. Catalyst 6500 Network Analysis Module (NAM-3), software releases 6.0 and 6.1: superior service delivery in the campus network. Application awareness: L2-L7 application visibility (NBAR2). Network intelligence: CAPWAP, TrustSec SGT, LISP and more. Packet analytics: event-based on-demand captures, advanced packet decoder. Performance analytics and application intelligence between the clients, the client network and the application servers.
  60. 6904 support for a two-level HQoS policy (replacing SIP-400 and ES+ 1G/10G ports with the 6904): to sub-rate traffic going to the cloud and meet the rate contracted with the SP; to limit inter-site and inter-DC traffic, capping the traffic sent to each site (EVPL case); to let SPs offer dedicated end-to-end bandwidth to customers over a shared infrastructure, with different SLAs for different customers. Policy structure: priority level 1 (policed, %), priority level 2 (policed, %), remaining queues with a minimum bandwidth % or a shaper, all under an aggregate shaped rate x on the physical port at the WAN/DC edge (enterprise WAN or Metro-E handoff), fed by the aggregation and core layers.
  61. Mini Protocol Analyzer (MPA), built-in packet capture and analyzer: packets switched in hardware can be captured and examined using SPAN or VACL capture; historically an external sniffer had to be connected to examine the SPANned packets, which costs time and availability and brings other unwanted complexity; the SPAN Mini Protocol Analyzer (MPA) is an embedded packet capture tool; captured packets are saved to local memory and can be displayed or exported for post-processing; packets can be filtered using several mechanisms; one SPAN ASIC session is used to send the traffic to the MPA program running on the supervisor.
  63. Campus leadership in IPv6, by layer and by category (optimised IPv6 delivery; visibility and control; special technologies). Core: EIGRPv6, OSPFv3, IS-IS; IPv6 SSO / NSF, NSR; dual-stack IPv4 / IPv6; IPv6 PIM, embedded RP; IPv6 support for VSS; IPv6 RACL; ACL hitless commit / dry run; IPv6 CoPP; IPv6 uRPF; IPv6 Flexible NetFlow; IPv6 ECMP; L3 LISP; BFDv6; traffic shaping; IPv6 NAM3. Edge (towards the Internet, the data center and the branch): IPv6 GRE, DMVPNv6; WCCPv6; L3 LISP; 6to4 tunnels, 6PE/6VPE; NAT64 with ASA-SM; EIGRPv6, OSPFv3, IS-IS; BGPv6; IPv6 PBR; IPv6 SSO / NSF, NSR; dual-stack IPv4 / IPv6; IPv6 IPsec; IPv6 firewall security; IPv6 IDS; IPv6 ASA-SM. Distribution: EIGRPv6, OSPFv3, IS-IS; IPv6 SSO / NSF, NSR; dual-stack IPv4 / IPv6; IPv6 PIM, BSR; DHCPv6, relay agent; HSRPv6, VRRPv6, GLBPv6; IPv6 support for VSS; IPv6 ECMP; L2 / L3 LISP*; BFDv6; traffic policing; IPv6 HQoS, PQ and LLQ; IPv6 WiSM2; IPv6 RACL, VACL; ACL hitless commit / dry run; IPv6 CoPP; IPv6 uRPF; L2 / L3 Flexible NetFlow. Access: Auto Smart Ports, PnP; RPVST, MST; 802.1Q trunking; VTP, VTPv3; MLD and PIM snooping; IPv6 first-hop security; IPv6 PACL, RA Guard; port security, storm control; L2 Flexible NetFlow; FlexLinks; IPv6 HQoS, PQ; VLAN translation; QinQ trunking.
  64. Introduction to SDN: the traditional approach versus the SDN approach.
  65. OpenFlow is just one piece of SDN: SDN is a bigger space, and SDN does not equal OpenFlow.
  66. Cisco APIC Enterprise Module architecture: abstracts the network devices to mask complexity, treats the network as a system, and exposes network intelligence for business innovation. Cisco and third-party applications (security, QoS, mobility) talk to the APIC Enterprise Module over a REST API; the module holds a network information database, policy and infrastructure automation, and drives the network devices (Catalyst, ASR, ISR) through CLI, OpenFlow and the onePK API.
  67. Recap: Catalyst 6k, unmatched innovation in the core: AutoQoS, BGP, DHCP, EoMPLS, FHRP, Flexible NetFlow, IPv6, MPLS LDP, VSS, multicast, MPLS TE and VPN, WCCP, hardware-based NAT, object-group ACL, hardware-based GRE, VRF-aware NAT, Mini Protocol Analyzer.
  68. Thank you. http://reseauxblog.cisco.fr
