Borderless Networks, New Ideas from Cisco
Introduction to New Cisco Borderless Network Technologies
© 2010 Cisco and/or its affiliates. All rights reserved.
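
[Figure: Borderless Network architecture diagram] Labels:
• Policy and control
• Collaboration
• Data center
• Media-aware networking (Medianet)
• Energy efficiency (EnergyWise)
• Network resiliency and control
• Borderless network services
• Borderless mobility
• Borderless application performance
• Borderless network security
• Borderless user experience
• Borderless management
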
• Second-generation Integrated Services Routers (ISR G2)
• Catalyst 4500E/4900 series campus switches
• The new high-performance ASA5585-X firewall
• Cisco CleanAir improves wireless network quality

Introduction to the Second-Generation Integrated Services Routers

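The Integrated Services Router Portfolio
[Figure: ISR platforms positioned by performance and services density]
Platforms: 3800 Series, 2800 Series, 1841, 1800 Series, 800 Series
Capability labels: high-density service integration and high-performance forwarding; integrated high-density voice, video, security services and data; integrated wireless, voice, security and data
Deployment segments: small office and teleworker; small business branch office; medium-size branch office; medium to large branch office
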
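Enhancing the Customer Experience
[Figure: ISR G2 platforms positioned by performance, scalability and availability]
Platforms: 3925E, 3945E; 3925, 3945; 2901, 2911, 2921, 2951; 1921; 1941, 1941W; 860, 880C, 890C
Capability labels: virtual office with security and mobility; wireless office coverage; high performance with service integration; high performance with rich-media services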
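
• The 3900 series strengthens competitiveness in mid-range routers
  - Supports an upgradeable engine, outperforms the 7200, and fills the mid-range router market between the ISR and the 72/76
• The 2900/1941 outperform other products on the market
  - ISR G2 performance is greatly improved; the 2900/1941 can serve deployments where the 3800/2800 were previously sold
  - The cost-effective 1921 is the ideal upgrade choice for the 1841
• All-GE interfaces that fit user needs
  - All fixed interfaces are Gigabit, up to 4 of them, which meets users' demand for Gigabit interfaces and surpasses other vendors across the board
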
Integrated Services Routers: Scalable Rich-media Services Platform
Feature | 3945 | 3925
SM Slots | 4 | 2
ISM Slots | 1 | 1
EHWIC Slots | 4 | 4
Onboard DSP Slots | 4 | 4
Field Upgradeable Motherboards | SPE-150 | SPE-100
Integrated Redundant PS | Yes | Yes
Onboard WAN | 3GE (2 SFP) | 3GE (2 SFP)
Default Flash | 256MB | 256MB
Default DRAM | 1 GB | 1 GB
Form Factor | 3RU | 3RU
• High-performance, upgradeable services performance engine (SRE) that supports future expansion
• Configurable dual integrated redundant power supplies
• 2x the default memory
• Fills the mid-range router market between the ISR and the 72/76

Cost-Effective Mid-Range Routers: High-Performance WAN Aggregation
Engines shown: Services Performance Engine 250, Services Performance Engine 200
Feature | 3945E | 3925E | 3945 | 3925
Onboard WAN | 4GE (2 SFP) | 4GE (2 SFP) | 3GE (2 SFP) | 3GE (2 SFP)
SM Slots | 4 | 2 | 4 | 2
ISM Slots | 0 | 0 | 1 | 1
EHWIC Slots | 3 | 3 | 4 | 4
Onboard DSP Slots | 3 | 3 | 4 | 4
Field Upgradeable Motherboards | SPE-250 | SPE-200 | SPE-150 | SPE-100
Integrated Redundant PS | Yes | Yes | Yes | Yes
Form Factor | 3RU | 3RU | 3RU | 3RU
• 4 fixed GE interfaces
• Forwarding performance of up to 3 Mpps
• IPSec encryption performance of up to 1.5 Gbps
• CPOS interface to be released in the second half of 2010
• The most cost-effective mid-range router, a complete upgrade over the 7200 series

Integrated Services Routers: Secure Collaboration Platform
Feature | 2951 | 2921 | 2911 | 2901
SM Slots | 2 | 1 | 1 | 0
ISM Slots | 1 | 1 | 1 | 1
EHWIC Slots | 4 | 4 | 4 | 4
Onboard DSP Slots | 3 | 3 | 2 | 2
Onboard WAN Ports | 3 GE (1 SFP) | 3 GE (1 SFP) | 3 GE | 2 GE
Default Flash | 256 MB | 256 MB | 256 MB | 256 MB
Default DRAM | 512 MB | 512 MB | 512 MB | 512 MB
Form Factor | 2RU | 2RU | 2RU | 1RU
• Performance matches the 3800/2800
• All-GE interfaces, promoting GE-based network designs
• Up to 3 GE interfaces, which fits user needs

Integrated Services Routers: Secure Mobility Platform
Feature | 1941W | 1941 | 1921
SM Slots | 0 | 0 | 0
ISM Slots | Fixed 802.11n Radio | 1 | 0
EHWIC Slots | 2 | 2 | 2
Onboard WAN Ports | 2 GE | 2 GE | 2 GE
Onboard DSP Slots | 0 | 0 | 0
Default Flash | 256 MB | 256 MB | 256MB
Default DRAM | 512 MB | 512 MB | 512 MB fixed
Form Factor | 2RU | 2RU | 1 RU
PoE | Internal | Internal | External
• Improved performance, 2 EHWIC slots
• 802.11n wireless AP
• Suited to small branch offices

Cisco 860 ISR: Data, Security, Wireless. Small Business. Entry-level, secure routing solution.
Cisco 880C ISR: Data, Security, Wireless. Enterprise Teleworker and Small Business. Full-featured secure router.
Cisco 890C ISR: Data, Security, Wireless, Applications. Small Business & Small Branch Office. Full-featured, high performance, secure router.
Feature | Cisco 860 ISR | Cisco 880C ISR | Cisco 890C ISR
Optional 802.11n | 2.4 GHz | 2.4 GHz | 2.4 & 5 GHz
Dual WAN Links | No | Yes | Yes
3G Option | No | Yes | No
Unified Wireless | No | Yes | Yes
Security | Basic | Advanced | Advanced
POE Support | No | No | 4 port
Managed FE LAN port | 4 port | 4 port | 8 port
Routed GE Port | No | No | 1 port
VLANs | 2 | 8 | 14
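
• The 880C/890C are products customized for the Chinese market
  - Chinese-language front panel
  - Chinese-language bundled documentation
  - Chinese-language network management software (Cisco Configuration Professional)
  - Configurations suited to domestic networks (3G HSUPA/EVDO)
• Suited to small enterprise branch offices and chain businesses
  - Gas stations
  - Lottery sales outlets
  - Small bank branches
  - Bank ATMs
  - Retail chains
  - Restaurant chains
  - Small medical institutions
  - Community clinics
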
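Module | Full name | Description
EHWIC | Enhanced High Speed WAN Interface Card | Interface card (WAN or LAN)
ISM | Internal Service Module | Internal module with dedicated CPU and memory, for running services that do not require interface ports
SM | Service Module | Independent CPU and memory for hosted services, or high-density interface ports
PVDM3 | Packet Voice/Data Module | High-density rich-media voice and video DSP module
Examples: wireless LAN controller, WAN optimization, EtherSwitch module
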
[Figure: module families across three router generations (Pre-ISR, ISR, ISR G2)]
Interface cards: WIC, HWIC, EHWIC
Network and service modules: NM; NME, EVM, NME-X; SM
Internal modules: AIM; ISM
Voice DSP modules: PVDM2; PVDM3 (supports PVDM2 via adapter card)
Compatibility labels shown in the figure: supports VIC, VWIC; supports WIC, VWIC, VIC; supports NM, NME-X, NME-XD; supports NM, NME

• Maximizes investment protection while supporting platform evolution
• Provides the widest interface coverage across the product platforms
Adapters shown: NM to SM Adapter; PVDM2 to PVDM3 Adapter

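• Allows direct high-performance connections between services and modules, delivering outstanding performance
  - Connects EHWIC, PVDM3, SM and ISM across the backplane
• Offloads the CPU when providing connectivity to internal modules or between services
  - Provides service integration and traffic redirection without CPU involvement
[Figure: MGF fabric] Labels: ASIC, CPU, front-panel ports, SM, PVDM3, WLAN, ISM, EHWIC, (1941); link types GE Serdes, PCIe, HWIC DDR
Note: not all possible modules are shown
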
Feature | SRE 300 ISM | SRE 700 SM | SRE 900 SM
Processor | Intel Processor 1.066 GHz (Single Core) | 1.86 GHz Intel Core 2 Duo (Single Core) | 1.86 GHz Intel Core 2 Duo (Dual Core)
Maximum memory | 512 MB | 2 GB | 4 GB
Maximum storage | 4 GB Compact Flash | 500 GB SATA HDD | 2 x 500 GB SATA HDDs w/ RAID 0/1
Ports | 2 Internal GE ports | 2 Internal GE ports, 1 External GE port, 1 External USB port | 2 Internal GE ports, 1 External GE port, 1 External USB port
Security: Cavium Nitrox Security Coprocessor

Cisco ISR G2 Services Portfolio
Visibility and Control
• NAM on SRE: On-demand visibility into branch network and application traffic
• NetScout on SRE: Cost-effective application performance monitoring
Acceleration and Optimization
• WAAS Express: IOS-integrated L4 WAN optimization
• WAAS on SRE: L4-L7 WAN optimization and application acceleration
Infrastructure Agility
• SRE Service Modules: Hosting platform for on-demand branch services
• UCS Express: Unified networking, computing and virtualization platform

Operating System | Certifications
Microsoft Windows Server 2003 SP2 Standard (32-bit & 64-bit) | WHQL, SVVP
Microsoft Windows Server 2003 SP2 Enterprise (32-bit & 64-bit) | WHQL, SVVP
Microsoft Windows Server 2008 R2 Standard | WHQL, SVVP
Microsoft Windows Server 2008 R2 Enterprise | WHQL, SVVP
Stack shown: SRE-V (vSphere Hypervisor), SRE Hardware, ISR G2

Policy: 12 Hours on per Working Day
Support Available in:
• ISM (SRE)
• SM (SRE—EtherSwitch)
• PVDM3
• EHWICs
State | Period | Days | Hours | Total
ON | Working days, Mon-Fri | 251 (x 12h) | 3012 | 3012
OFF | Working days, Mon-Fri | 251 (x 12h) | 3012 |
OFF | Weekends | 104 (x 24h) | 2496 |
OFF | Holidays | 10 (x 24h) | 240 | 5748
Total | | 365 | 8760 | 8760
66% of the Time It Could Be Off

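Universal IOS Software
Previous software packaging: Advanced Enterprise Services, Advanced IP Services, Enterprise Services, Adv. Security, SP Services, IP Voice, Ent. Base, IP Base
New software packaging: Security, U.C., Data, IP Base
• Simplified software management
  - A single universal IOS image ships with all ISR G2 platforms
  - Four enforceable IOS licenses deliver the full feature set previously provided in eight images
• Lower software upgrade cost
  - IOS feature upgrades only require enabling a new license key, which reduces the need for on-site visits to remote offices
• Allows new software to be deployed according to the business model
  - Services on demand: purchase the upgrades you need through Cisco licensing
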
Feature | Cisco ISR | Cisco ISR G2
WAN Performance | Up to 45 Mbps with Services | Up to 150 Mbps with Services
Network processor | Single | Multi-core
Service Module Performance and Capacity | X with 160GB | Up to 7X with Dual Core and 1TB storage
Onboard DSPs | Voice Only | Voice + Video
Switch Modules | Fast Ethernet with PoE. Based on Catalyst 3560/3750 | FE/Gigabit Ethernet with PoE+. Based on Catalyst 3560–E/2960
IOS Images | Multiple | Single Universal IOS Image
Service Delivery | Hardware Coupled | Virtual Services “On-demand”
Redundancy | Single Motherboard | Redundant power supplies. Field-upgradeable motherboard
Energy Efficiency | EnergyWise | EnergyWise with slot based controls.
Up to 5X the Performance. Similar price points.

New Features of the Catalyst 4500E/4900 Series Switches

Cisco Borderless Network Campus Platform
• 100M+ Ports Sold
• 650K+ Systems
• 70% PoE/PoEP Port share
• 50% GET Customers
• 70% Top Enterprise Customers
• 1st Catalyst to support: 48G/slot, FNF, IOS-XE, ISSU, EEE/60W PoE *

Supervisor7-E
• 848Gbps Switching Capacity
• 48G/slot
• Rich hardware features (FnF, TrustSec, Wireless, ERSPAN, Tunneling, VRF-NG, VSS and more...)
WS-X4748-RJ45V+E
• 48p 10/100/1000 non-blocking
• 30W/port (PoE+) on all 48 ports
• Cisco TrustSec in Hardware
Catalyst 4500E and 4500E+ Chassis
• Forward and backward compatible
• 48G/slot
• Lifecycle till year 2020
WS-X4712-SFP+E
• 12 PORT 10GE 2.5:1 Line Card
• Cisco TrustSec in Hardware
• SFP+ SR modules (Lower power mode)
12 Port 1GE Line Card
• 12 port 1GE SFP Ports
• Wire-rate 1:1
Cisco IOS XE
• Modern OS to support multi-core CPU
• IOS investment protection
• Enabling Open Service Platform

Hardware Elements
• 2G DRAM
• Dual Core CPU
• USB ports*
• SD Memory Card
• Console and Management Port
• 4 Uplinks: 10GE with SFP+, 1GE with SFP
*USB Type A is supported; USB Type B is not supported

System
Feature | Supervisor 7-E | Supervisor 6-E | Supervisor 6L-E
Switching Capacity | 848Gbps | 320 Gbps | 280 Gbps
Throughput | 250 Mpps (125 Mpps for IPv6) | 250 Mpps (125 Mpps for IPv6) | 225 Mpps (125 Mpps for IPv6)
Bandwidth / Slot | Up to 48G | Up to 24G | Up to 24G
CPU | Dual Core 1.5 GHz | Single Core 1.3 GHz | Single Core 1 GHz
SSO failover time | 0-10 msec | 0-50 msec | 0-50 msec
DRAM | 2G (Upgradable to 4G) | 512 MB (Upgradable to 1G) | 512 MB
Bootflash | 1G | 128 MB | 128 MB
Number of 10/100/1000 ports | Up to 384 access, up to 4 GE uplinks | Up to 384 access, up to 4 GE uplinks | Up to 240 access, up to 4 GE uplinks
Number of 10GE ports | Up to 96 on line cards, up to 4 on supervisors | Up to 30 on line cards, up to 4 on supervisors | Up to 30 on line cards, up to 2 on supervisors

The E Series chassis is designed to support line cards with higher bandwidth per slot. The chassis provides 24G to 48G of bandwidth per slot with the next generation supervisor, providing investment protection.
Chassis | Slots | Supervisors
WS-C4503-E | 3 slot chassis | Single supervisor
WS-C4506-E | 6 slot chassis | Single supervisor
WS-C4507R-E/+E | 7 slot chassis | Redundant supervisors
WS-C4510R-E/+E | 10 slot chassis | Redundant supervisors
• WS-C4507R+E and WS-C4510R+E chassis add support for 48G/slot
• Existing supervisors also support the E+ chassis

Borderless network services: an open application platform based on the next-generation operating system, IOS XE
• Next gen campus performance, future proof with PoE+, EEE, IPFIX etc
• Enables converged wired and wireless
• Next-gen collaboration with Medianet, Trustpoint
• HW enabled Cisco TrustSec security
• Next generation virtualization with VRF-NG, VSS
• Lower TCO
Performance: 848Gbps; 48G/slot; 100 10GE ports; 384 10/100/1000; Dual Core CPU; PoEP on all ports
Mobility: Converged wired & Wireless*; Unified Guest Access*
Collaboration: video; Flexible Netflow; WRED*; Medianet; Intelligent Media; TrustPoint*
Security: MACSec*; TrustSec SGT*; Integrated NAC Profiler*
Lower TCO: VSS*; VRF NG*; ERSPAN*; EEE*; NAT*; GRE*

Drivers and Benefits
• Always on Network (Negligible planned downtime)
• Ideal for new critical services deployment
• PSIRT update made easy
Functionality
• Upgrade Software Images at run time
• Subsecond upgrades (under 10 msec) with Catalyst 4500 Sup6, Sup6L-E and Sup7-E
New Enhancement:
• Single-line ISSU greatly simplifies the operational tasks during ISSU

[Figure: single-line ISSU on redundant supervisors, moving from image 1 to image 2]
Labels recoverable from the figure: the new image is changed on the standby supervisor first; the active supervisor fails over to the standby using Stateful Switch Over
Command shown: issu changeversion bootflash:image2 quick
After ISSU the Active/Standby order changes!

Unmatched Application Visibility
[Figure: Catalyst 4500E Flexible NetFlow feeding a collector ecosystem] Labels:
• Uses: Day0 Attacks, Detect Anomaly, Visibility, Compliance, SLA, Control With EEM Integration, App. M&T, Capacity Planning
• Flow fields: IP, Ports, TCP Flags, L2 MAC, L2 VLAN, UDP Flags, IPv6, IP Options, Multicast, ...
• Environments: Campus, Mobility, Unified Communications, Branch Network Virtualization
Benefits:
• Lower CAPEX
  - Better insight for capacity planning, network upgrade
• Lower OPEX
  - Better service and user experience
  - Increased IT staff productivity
Catalyst 4500E Capabilities:
• Unprecedented visibility w/ new L2~7 fields
• Scalable, flexible flow monitors
• On-box customizable policy action w/ EEM
• Broad collector partner ecosystem

Traditional NetFlow
• Fixed definition of flow record globally
• Fixed 7 keys
• Export only to one collector
NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd | Protocol | SrcPort | DstPort
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11 | 00A2 | 00A2
Fa1/0 | 173.100.3.2 | Fa0/0 | 10.0.227.12 | 6 | 15 | 15
Fa1/0 | 173.100.20.2 | Fa0/0 | 10.0.227.12 | 11 | 00A1 | 00A1
Fa1/0 | 173.100.6.2 | Fa0/0 | 10.0.227.12 | 6 | 19 | 19
Flexible NetFlow
• Flexible definition of flow records applied to selected interface or VLAN
• Ability to export flow information to multiple collectors/analyzers
Flow Monitor 1, flow cache 1:
DstIPadd | Protocol | TOS
10.0.227.12 | 11 | 80
10.0.227.12 | 6 | 40
10.0.227.12 | 11 | 80
10.0.227.12 | 6 | 40
Flow Monitor 2, flow cache 2:
Protocol | TOS | Flgs
11 | 80 | 10
6 | 40 | 0
11 | 80 | 10
6 | 40 | 0
Flow Monitor 3, flow cache 3:
SrcIf | SrcIPadd | DstIf
Fa1/0 | 173.100.21.2 | Fa0/0
Fa1/0 | 173.100.3.2 | Fa0/0
Fa1/0 | 173.100.20.2 | Fa0/0
Fa1/0 | 173.100.6.2 | Fa0/0
Export destinations shown: Destination 1, Destination 2, Destination 3; receivers labelled IT team#1, IT team#2 and a security focused analyzer

• Intelligent Customizable Events and Policies
  - Quick: Instant, on-board traffic anomaly detection and reaction
  - Event-driven: NF event detector triggers policies locally on network devices instead
  - Detailed: Granular view of flow info enables a wide range of applications
  - Flexible: Custom policies written in CLI or TCL
Example I: Malformed Packets Detection & Reporting
Attacker sending malformed pkts with TTL=0. TTL = 0 triggers an EEM event.
NetFlow cache:
srcIf | SrcIPadd | DstIf | DstIPadd | TTL
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 0
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 10
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 200
syslog message generated based on pre-configured policies:
*MAR 29 2010 12:29:02.604 UTC: %HA_EM-6-LOG: my-ttl-applet: flow record with zero TTL
Example II: Anomaly Flow Detection and Mitigation
Compromised phone sending traffic with high rate. NetFlow ED triggers policies to monitor flow rate. Typically, voice conversations are 64kbps.
NetFlow cache:
srcIf | SrcIPadd | DstIf | DstIPadd | bytes
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 34346
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 300
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 1000
Interface Fa1/0 is shut down when the flow rate exceeds 1Mbps:
*Feb 18 01:24:30.455: %LINK-5-CHANGED: Interface FastEthernet 1/0, changed state to administratively down

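The two policies in Example I and Example II, modelled off-box as an added Python example (this is not Cisco's EEM applet and not code from the original deck). The `Flow` fields, the one-second clamp and the sample cache entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RATE_LIMIT_BPS = 1_000_000  # slide: shut the port when the flow rate exceeds 1 Mbps
VOICE_BPS = 64_000          # slide: a typical voice conversation


@dataclass(frozen=True)
class Flow:
    """One flow-cache entry (hypothetical field set, not an IOS record format)."""
    src_if: str
    src_ip: str
    dst_ip: str
    ttl: int        # TTL recorded for the flow
    octets: int     # bytes counted for the flow
    seconds: float  # time the flow has been active


def rate_bps(flow):
    """Average bit rate. Intervals under one second are clamped to one second,
    so a brand-new entry cannot divide by zero or inflate the rate."""
    return flow.octets * 8 / max(flow.seconds, 1.0)


def evaluate(flows):
    """Return (action, interface, detail) tuples, at most one shutdown per interface."""
    actions, shut = [], set()
    for f in flows:
        # Example I: a zero TTL is reported, not blocked.
        if f.ttl == 0:
            actions.append(("syslog", f.src_if,
                            f"flow record with zero TTL from {f.src_ip}"))
        # Example II: a flow far above voice rate shuts the ingress port once.
        bps = rate_bps(f)
        if bps > RATE_LIMIT_BPS and f.src_if not in shut:
            shut.add(f.src_if)
            actions.append(("shutdown", f.src_if,
                            f"{f.src_ip} at {bps / 1000:.0f} kbps, "
                            f"{bps / VOICE_BPS:.0f}x a 64 kbps voice call"))
    return actions


# Constructed sample cache entries (addresses from the RFC 5737 documentation ranges).
SAMPLE = [
    Flow("Fa1/0", "192.0.2.10", "198.51.100.1", ttl=0, octets=120, seconds=1.0),
    Flow("Fa1/0", "192.0.2.10", "198.51.100.1", ttl=200, octets=80_000, seconds=10.0),     # 64 kbps
    Flow("Fa1/1", "192.0.2.20", "198.51.100.1", ttl=64, octets=2_500_000, seconds=10.0),   # 2 Mbps
    Flow("Fa1/1", "192.0.2.20", "198.51.100.1", ttl=64, octets=5_000_000, seconds=10.0),   # port already shut
]

if __name__ == "__main__":
    for action in evaluate(SAMPLE):
        print(action)
```

Shutting the port on a single threshold also cuts off a legitimate user behind it, so the rate limit and the clamp are the values to tune before any such policy is enforced.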
Encrypted links
[Figure labels: AAA, Campus]
Benefits
• Protect data integrity, confidentiality and meet compliance needs
• Prevents man-in-the-middle attacks
Campus Deployment Scenarios
• Building-to-building encryption
• Host-to-Access switch: Prevent man-in-the-middle attacks
Why MACSec
• Standard-based L2 HW line rate encryption (Sup7-E uplinks and 47xx LCs)
• Hop-by-hop encryption: Security without impacting network services (QoS, NetFlow etc)

Automatic Port Provisioning based on device intelligence
[Figure labels: Default Port; Digital Media player macro; Security camera macro (QoS, VLAN); CDP/LLDP/MAC OUI device identification]
• Upon endpoint connection, access switch gathers device intelligence via CDP, LLDP, MAC OUI etc
• Automatic port configuration of pre-defined macro based on device ID
• Reset the port to default state upon endpoint disconnection
• Built-in system macros and customizable
• Cisco Digital Media Players, IP Surveillance Cameras, IP phones, Access points
• Benefits:
  - Lower TCO with plug-and-play

High Performance
• Forwarding in hardware at line rate
• Dual stack forwarding
Security
• Secure access perimeter with IPv6 First Hop Security
• IPv6 app. visibility with Flexible NetFlow
IPv6 Migration Ready
• Robust IPv6 Ready Infrastructure: OSPFv3, EIGRP, IS-IS, BGP, HSRPv6, Fast Convergence*
• Optimized App & Video Delivery: IPv6 QoS, MLDv2/v3, PIM SM/SSM for IPv6
• Management Plane Migration: SYSLOG, SNMP, Telnet, SSHv6, TACACS+*, RADIUS*, TFTP*, FTP*, NTP* over IPv6
Drivers
• IPv4 address depletion in 2011
• Endpoint IPv6 “on” & “preferred”
• National IT Strategy
• Infrastructure Evolution
*roadmap
[Figure labels: IPv4-only site; IPv6-only site; Dual Stack IPv4+IPv6 site; WAN carrying IPv4 and IPv6]

1G Access Switch: Cisco Catalyst 4948E
1 RU, 48 10/100/1000 Server Links; 4 x 1G/10G SFP/SFP+ uplinks; 176Gbps Bandwidth
• Non-blocking downlink and uplink ports
• ACL, Routing and MAC table scalability
• Line rate multicast
• IPv6 in Hardware
• Microburst Protection
• 8 line rate Bi-Dir SPAN/RSPAN
• Front to back cooling
• Option of AC and DC power
• Redundant power
• Depth optimized for integrated solutions
10G Access Switch: Cisco Catalyst 4900M
2RU, 16x10G Copper Server Links; 8 x 10G X2 uplinks; 320Gbps Bandwidth
• Non-blocking downlink and uplink ports
• ACL, Routing and MAC table scalability
• Line rate multicast
• IPv6 in Hardware
• 8 line rate Bi-Dir SPAN/RSPAN
• Choice of 1G/10G Copper and Fiber line Cards
• Microburst Protection
• Option of AC and DC power
• Redundant power
• Depth optimized for integrated solutions

[Figure: switches positioned by access speed (GE Access, 10 GE Access) and uplink speed (GE Uplink, 10GE Uplink)]
Cisco Catalyst 4900M
• 1G / 10G modular flexibility
• Optimized for middle of the row
• Non blocking north to south
Cisco Catalyst 4948
• Datacenter grade
• Redundant power and cooling
• Full L2/3 features
• Line-rate Multicast
Cisco Catalyst 4948E (New)
• Full featured 1Gig server access
• Double the uplink capacity
• Datacenter optimized airflow
• Netflow lite
Copper Access, Cisco Catalyst 4900M: 16X 10GE-T, 8X 10 GE Fiber; Bandwidth 320Gbps
Fiber Access, Cisco Catalyst 4900M: 24X 10 GE; Bandwidth 320Gbps
(The slide marks one of the two 4900M configurations as New.)

[Figure: two data center designs]
Datacenter with fewer than 1000 servers: Cat4900M aggregation; C4948E for 1GbE access and C4900M for 10GbE access; racks of 22 and 48 servers
Datacenter with more than 1000 servers: Nexus 7000 pair with VDC 1 to VDC 4; C4948E for 1GbE access and C4900M for 10GbE access; racks of 22 and 48 servers
• L2/L3 boundary flexibility
• Supports large VM deployments
• Optimized for performance and availability
• 1/10GbE server deployments

Overview of the New High-Performance ASA 5585-X Firewall

Officially released
Enhancing the Customer Experience
[Figure: ASA 5585 models positioned by performance, scalability and adaptivity across Branch, Campus and Data Center]
Models: ASA 5585-S60P60, ASA 5585-S40P40, ASA 5585-S20P20, ASA 5585-S10P10
Labels: Scalable Data Center Solutions; Securing Internet-Edge & Campus Networks

Feature | ASA5585 SSP-10 (New) | ASA5585 SSP-20 (New) | ASA5585 SSP-40 (New) | ASA5585 SSP-60 (New)
Network Location | Internet Edge / Campus | Internet Edge / Campus | Campus / Data Center | Data Center
Performance
Max Firewall | 4 Gbps | 10 Gbps | 20 Gbps | 35 Gbps
Max IPS | 2 Gbps | 3 Gbps | 5 Gbps | 10 Gbps
Max IPSec VPN | 1 Gbps | 1 Gbps | 2 Gbps | 2 Gbps
Max IPSec/SSL VPN Peers | 5000 | 10,000 | 10,000 | 10,000
Platform Capabilities
Max Firewall Conns | 750,000 | 1,000,000 | 2,000,000 | 2,000,000
Max Conns/Second | 50,000 | 125,000 | 200,000 | 350,000
Packets/Second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,00,000
Base I/O | 8 GE + 2 10 GE | 8 GE + 2 10 GE | 6 GE + 4 10GE | 6 GE + 4 10GE
Max I/O | 16 GE + 4 10 GE | 16 GE + 4 10 GE | 12 GE + 8 10GE | 12 GE + 8 10GE
VLANs Supported | 250 | 250 | 250 | 250
HA Supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S

2 RU Chassis
• 2 x Full-Slot Modules
• 1 x Full-Slot + 2 x Half-Slot Modules
• OIR capable
Redundant Hot Swappable Power Supply Units
Front to Back Air Flow
Multi Gigabit Fabric
• Passive Backplane
• Module to module communications
• Packet prioritization and shaping
GE Ports
• Up to 8 x 10G SFP+ with OIR support
• Up to 16 x 1GbE Cu
• SFP/SFP+ slots on all modules
Security Service Processors
• Multi-Services Capable
• Dedicated 64bit Multi-Core Processors
• Future-Proof Hardware
eUSB
• 2 Gb Internal
• Convenience storage
• Security credentials

• 2 x 2.4Ghz Intel Hexa Core processors with Hyper-Threading
• 24 Gb of 1066 DDR3 RAM
• 4 x Cavium Nitrox Crypto Security Processors

• 2 x 2.4Ghz Intel Hexa-Core processors with Hyper-Threading
• 48 GB of 1066 DDR3 RAM
• 2 x Hardware Regex Accelerator Daughter Cards

• String inspection engines that provide bidirectional deep packet inspection
  - String-xl-tcp
  - String-xl-udp
  - String-xl-icmp

Firewall (Firewall Only)
[Figure: ASA 5585 Chassis]
• Slot 1 (Empty)
• Slot 0 (ASA-SSP Module): CPU Complex, Fabric Switch, PORTS
• ASA-SSP Module processes all ingress/egress packets

Firewall and Intrusion Prevention (Firewall & IPS)
[Figure: ASA 5585 Chassis]
• Slot 1 (IPS-SSP Module): Regex Accelerator, CPU Complex, Fabric Switch, PORTS
• Slot 0 (ASA-SSP Module): CPU Complex, Fabric Switch, PORTS

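Market-leading firewall, IPS and VPN gateway designed for the data center
MultiScale™ Performance
• Delivers up to 35 Gbps of firewall throughput
• Scales firewall plus IPS throughput to 10 Gbps
• Supports up to 10,000 remote-access VPN users
Investment Protection
• Scalable design that grows with the business
Industry-Leading Multi-Service Security
• Advanced threat protection through botnet defense and hardware IPS with global correlation
• Intelligent VPN access through the Cisco AnyConnect client
• Continues more than 15 years of Cisco's leading security technology
The industry's only 2U, low-power, high-performance firewall, IPS and VPN access gateway designed for data center deployment
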
Cisco CleanAir Improves Wireless Network Quality

“I can't do my job without the wireless network. It has to be running all the time.”
Growing reliance on Wi-Fi devices
VS
“The wireless network is a ‘best effort’ network. I can't guarantee a high service level.”
IT staff lack specialized understanding of RF resources

Protecting the performance of 802.11n wireless networks
[Figure labels: casual; pervasive; rich-media applications; mission critical; hotspots; system management; system capacity; self-healing and optimization]
CleanAir includes:
• 3500 Series Access Points
• Wireless LAN Controller
• Mobility Services Engine (MSE)
• Wireless Control System (WCS)

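[Figure: limited spectrum resources and 802.11n lead to system overload]
Labels: limited spectrum resources; system overload; performance; 802.11n; technical support cost
Outcome shown: performance degrades and technical support costs increase
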
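Cisco CleanAir: detect and classify, locate, mitigate
A system-level capability: intelligence delivered in silicon automatically mitigates the impact of wireless interference, optimizing network performance and lowering the cost of troubleshooting
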
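Cisco CleanAir: Detect and Classify
• Identify and track multiple interference sources
• Assess the impact of interference on wireless network performance
• Monitor air quality
Values shown in the figure: 97, 100, 63, 90, 20, 35
High-resolution interference detection and classification logic is built into Cisco's 802.11n Wi-Fi chip design; it runs inline, needs no CPU involvement and has no impact on performance
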
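Cisco CleanAir: Locate and Mitigate
[Figure labels: WCS, MSE; Wireless LAN Controller; air quality GOOD / POOR; CH 1, CH 11; visualization and troubleshooting]
• Access points perform the interference classification
• Good air quality is maintained
• Interference source data is sent to the wireless controller in real time
• WCS and MSE store the data and provide interference source location, history and troubleshooting
Cisco CleanAir technology extends the integration of interference information from the access point to the entire system
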
[Figure sequence: the wireless network controller and Radio Resource Management (RRM) managing channels 11, 6 and 1, with performance and air quality indicators]
• Step 1: An optimized deployment on channels 11, 6 and 1 provides maximum performance and minimum interference.
• Step 2: Interference occurs on channel 6 and air quality is affected. RRM searches the list of available channels to resolve the conflict (scanning available channels...).
• Step 3: The conflict is resolved by switching to channel 11. A message is sent to RRM, and the channel that produced the conflict is blocked from use for a period of time.

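Feature | Cisco (benefit) | Other vendors
Purpose-built chip design | Rich RF data collection and monitoring while still forwarding data without blocking | Use the Wi-Fi chip that carries data, which operates in monitor mode and cannot forward data
High-resolution information | Intelligent spectrum analysis of non-Wi-Fi interference, tracking interference sources and assessing the severity of their impact | Distinguish basic Wi-Fi data
System integration | Automatic optimization, location, history collection, RF forensics and report generation | No automated action; lack system-wide correlation
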
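Protecting 802.11n network performance
• CleanAir technology uses spectrum intelligence built into the silicon of the wireless access point to improve air quality
  - Detect and classify interference sources
  - Locate the root cause of problems
  - Automatically avoid interference
• Benefits for users
  - Self-healing and optimization
  - Troubleshooting forensics
  - Wireless security
  - Policy enforcement
CleanAir components:
• 3500 Series wireless access points
• Wireless LAN controller
• Mobility Services Engine (MSE)
• Wireless Control System (WCS)
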
Thank you.