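Networks Without Borders, New Ideas from Cisco
Introduction to New Cisco Borderless Network Technologies

© 2010 Cisco and/or its affiliates. All rights reserved.

[Diagram labels: Policy and control; Collaboration; Data center; Medianet (media-aware network); EnergyWise (green energy saving); Network resilience and control; Borderless network services; Borderless mobility; Borderless application performance; Borderless network security; Borderless user experience; Borderless management]

Agenda
• Second-generation Integrated Services Routers (ISR G2)
• Campus switches: Catalyst 4500E/4900 series
• New high-performance firewall ASA 5585-X
• Cisco CleanAir improves wireless network quality

Introduction to the Second-Generation Integrated Services Routers

The Integrated Services Router Portfolio
[Figure: platforms plotted by Performance and Services Density: 800 Series, 1800 Series, 1841, 2800 Series, 3800 Series. Capability labels: integrated wireless/voice/security/data; integrated high-density voice/video/security services/data; high-density service integration/high-performance forwarding. Market segments: small office and teleworker; small business branch; medium-sized branch; medium-to-large branch.]

Enhancing the Customer Experience
[Figure: ISR G2 platforms plotted by Performance, Scalability, Availability: 860, 880C, 890C; 1921; 1941, 1941W; 2901, 2911, 2921, 2951; 3925, 3945; 3925E, 3945E. Labels: virtual office; security and mobility; wireless office coverage; high-performance service integration; high-performance rich-media services.]

The 3900 series strengthens competitiveness in mid-range routers
• Supports an upgradeable engine, outperforms the 7200, and fills the mid-range router market between the ISR and the 72/76
The 2900/1941 outperform other products on the market
• ISR G2 performance is greatly improved; the 2900/1941 can serve the deployments where the 3800/2800 were previously sold
• The cost-effective 1921 is the ideal upgrade choice for the 1841
All-GE interfaces to suit user needs
• All fixed interfaces are Gigabit, up to 4 of them, meeting user demand for Gigabit interfaces and fully surpassing other vendors

Integrated Services Routers | 3945 | 3925
SM Slots | 4 | 2
ISM Slots | 1 | 1
EHWIC Slots | 4 | 4
Onboard DSP Slots | 4 | 4
Field Upgradeable Motherboards | SPE-150 | SPE-100
Integrated Redundant PS | Yes | Yes
Onboard WAN | 3GE (2 SFP) | 3GE (2 SFP)
Default Flash | 256MB | 256MB
Default DRAM | 1 GB | 1 GB
Form Factor | 3RU | 3RU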
Scalable Rich-media Services Platform
o High-performance, upgradeable Services Performance Engine (SRE), supporting future expansion
o Configurable dual integrated redundant power supplies
o 2x the default memory
o Fills the mid-range router market between the ISR and the 72/76

Cost-Effective Mid-Range Routers
(3945E: Services Performance Engine 250; 3925E: Services Performance Engine 200)

 | 3945E | 3925E | 3945 | 3925
Onboard WAN | 4GE (2 SFP) | 4GE (2 SFP) | 3GE (2 SFP) | 3GE (2 SFP)
SM Slots | 4 | 2 | 4 | 2
ISM Slots | 0 | 0 | 1 | 1
EHWIC Slots | 3 | 3 | 4 | 4
Onboard DSP Slots | 3 | 3 | 4 | 4
Field Upgradeable Motherboards | SPE-250 | SPE-200 | SPE-150 | SPE-100
Integrated Redundant PS | Yes | Yes | Yes | Yes
Form Factor | 3RU | 3RU | 3RU | 3RU

High-performance WAN aggregation
o 4 fixed GE interfaces
o Forwarding performance up to 3 Mpps
o IPSec encryption performance up to 1.5 Gbps
o CPOS interface to be released in the second half of 2010
o The most cost-effective mid-range router, a full upgrade of the 7200 series

Integrated Services Routers | 2951 | 2921 | 2911 | 2901
SM Slots | 2 | 1 | 1 | 0
ISM Slots | 1 | 1 | 1 | 1
EHWIC Slots | 4 | 4 | 4 | 4
Onboard DSP Slots | 3 | 3 | 2 | 2
Onboard WAN Ports | 3 GE (1 SFP) | 3 GE (1 SFP) | 3 GE | 2 GE
Default Flash | 256 MB | 256 MB | 256 MB | 256 MB
Default DRAM | 512 MB | 512 MB | 512 MB | 512 MB
Form Factor | 2RU | 2RU | 2RU | 1RU

Secure Collaboration Platform
o Performance on par with the 3800/2800
o All-GE interfaces, promoting GE-based networking
o Up to 3 GE interfaces, suiting user needs

Integrated Services Routers | 1941W | 1941 | 1921
SM Slots | 0 | 0 | 0
ISM Slots | Fixed 802.11n Radio | 1 | 0
EHWIC Slots | 2 | 2 | 2
Onboard WAN Ports | 2 GE | 2 GE | 2 GE
Onboard DSP Slots | 0 | 0 | 0
Default Flash | 256 MB | 256 MB | 256 MB
Default DRAM | 512 MB | 512 MB | 512 MB fixed
Form Factor | 2RU | 2RU | 1 RU
PoE | Internal | Internal | External

Secure Mobility Platform
o Improved performance, 2 EHWIC interfaces
o 802.11n wireless AP
o Suitable for small branch offices

 | Cisco 860 ISR | Cisco 880C ISR | Cisco 890C ISR
 | Data, Security, Wireless | Data, Security, Wireless | Data, Security, Wireless, Applications
 | Small Business | Enterprise Teleworker and Small Business | Small Business & Small Branch Office
 | Entry-level, secure routing solution | Full-featured secure router | Full-featured, high performance, secure router
Optional 802.11n | 2.4 GHz | 2.4 GHz | 2.4 & 5 GHz
Dual WAN Links | No | Yes | Yes
3G Option | No | Yes | No
Unified Wireless | No | Yes | Yes
Security | Basic | Advanced | Advanced
POE Support | No | No | 4 port
Managed FE LAN port | 4 port | 4 port | 8 port
Routed GE Port | No | No | 1 port
VLANs | 2 | 8 | 14

The 880C/890C are products customized for the Chinese market
• Chinese-language front panel
• Chinese-language bundled documentation
• Chinese-language network management software (Cisco Configuration Professional)
• Configurations suited to domestic networks (3G HSUPA/EVDO)
Suitable for small enterprise branches or chain businesses
• Gas stations
• Lottery sales outlets
• Small bank branches
• Bank ATMs
• Retail chains
• Restaurant chains
• Small medical facilities
• Community clinics

ISR G2 module types
• EHWIC (Enhanced High Speed WAN Interface Card): interface card (WAN or LAN)
• ISM (Internal Service Module): internal module for running services that do not require interface ports; dedicated CPU and memory
• SM (Service Module): independent CPU and memory for hosting services, or high-density interface ports
• PVDM3 (Packet Voice/Data Module): high-density rich-media voice and video DSP module
Examples: wireless LAN controller, WAN optimization, EtherSwitch modules

[Figure: module evolution across Pre-ISR, ISR and ISR G2. Interface cards: WIC (supports VIC, VWIC), HWIC (supports WIC, VWIC, VIC), EHWIC (supports WIC, VWIC, VIC). Network modules: NM; NME, EVM, NME-X; SM, with the labels "Supports NM, NME-X, NME-XD" and "Supports NM, NME". Internal modules: AIM; AIM; ISM. DSP modules: PVDM2; PVDM3 (supports PVDM2 via adapter card).]

o Maximizes investment protection while supporting platform evolution
o Provides the widest interface coverage across the product platforms
[Figure labels: NM to SM Adapter; PVDM2 to PVDM3 Adapter]

MGF fabric
• Allows direct high-performance connections between services and modules, delivering outstanding performance; connects the EHWIC, PVDM3, SM and ISM across the backplane
• Offloads the CPU when providing connections to internal modules or between services; service integration and traffic redirection need no CPU involvement
[Diagram labels: ASIC, CPU, front-panel ports, SM, MGF fabric, PVDM3, WLAN ISM, EHWIC, EHWIC (1941), GE SerDes, PCIe, HWIC, DDR. Note: not all possible modules are shown.]

 | SRE 300 ISM | SRE 700 SM | SRE 900 SM
Processor | Intel Processor 1.066 GHz (Single Core) | 1.86 GHz Intel Core 2 Duo (Single Core) | 1.86 GHz Intel Core 2 Duo (Dual Core)
Maximum memory | 512 MB | 2 GB | 4 GB
Maximum storage | 4 GB Compact Flash | 500 GB SATA HDD | 2 x 500 GB SATA HDDs w/ RAID 0/1
Ports | 2 Internal GE ports | 2 Internal GE ports, 1 External GE port, 1 External USB port | 2 Internal GE ports, 1 External GE port, 1 External USB port
Security: Cavium Nitrox Security Coprocessor

Cisco ISR G2 Services Portfolio
Visibility and Control
• NAM on SRE: On-demand visibility into branch network and application traffic
• NetScout on SRE: Cost-effective application performance monitoring
Acceleration and Optimization
• WAAS Express: IOS-integrated L4 WAN optimization
• WAAS on SRE: L4-L7 WAN optimization and application acceleration
Infrastructure Agility
• SRE Service Modules: Hosting platform for on-demand branch services
• UCS Express: Unified networking, computing and virtualization platform

Operating System | Certifications
Microsoft Windows Server 2003 SP2 Standard (32-bit & 64-bit) | WHQL, SVVP
Microsoft Windows Server 2003 SP2 Enterprise (32-bit & 64-bit) | WHQL, SVVP
Microsoft Windows Server 2008 R2 Standard | WHQL, SVVP
Microsoft Windows Server 2008 R2 Enterprise | WHQL, SVVP
[Stack diagram: SRE-V (vSphere Hypervisor) on SRE Hardware on ISR G2]

EnergyWise
Policy: 12 hours on per working day
Support available in: ISM (SRE), SM (SRE - EtherSwitch), PVDM3, EHWICs

State | Period | Days | Hours | Total
ON | Working days Mon-Fri | 251 (x 12h) | 3012 | 3012
OFF | Working days Mon-Fri | 251 (x 12h) | 3012 |
OFF | Weekends | 104 (x 24h) | 2496 |
OFF | Holidays | 10 (x 24h) | 240 | 5748
Total | | 365 | 8760 | 8760
66% of the Time It Could Be Off

Universal IOS Software
Original software packaging: Advanced Enterprise Services, Advanced IP Services, Enterprise Services, Adv. Security, SP Services, IP Voice, Ent. Base, IP Base
New software packaging: Security, U.C., Data, IP Base
o Simplified software management: a single universal IOS image ships with all ISR G2 platforms; four IOS licenses enable the full feature set previously delivered in eight images
o Lower software upgrade cost: IOS feature upgrades are carried out by enabling a new license key, reducing the need for on-site visits to remote offices
o Allows new software to be deployed based on the business model: services on demand, with the required upgrades purchased through Cisco licensing
 | Cisco ISR | Cisco ISR G2
WAN Performance | Up to 45 Mbps with Services | Up to 150 Mbps with Services
Network processor | Single | Multi-core
Service Module Performance and Capacity | X with 160GB | Up to 7X with Dual Core and 1TB storage
Onboard DSPs | Voice Only | Voice + Video
Switch Modules | Fast Ethernet with PoE. Based on Catalyst 3560/3750 | FE/Gigabit Ethernet with PoE+. Based on Catalyst 3560-E/2960
IOS Images | Multiple | Single Universal IOS Image
Service Delivery | Hardware Coupled | Virtual Services "On-demand"
Redundancy | Single Motherboard | Redundant power supplies. Field-upgradeable motherboard
Energy Efficiency | EnergyWise | EnergyWise with slot based controls
Up to 5X the Performance. Similar price points.

New Features of the Catalyst 4500E/4900 Series Switches

Cisco Borderless Network Campus Platform
• 100M+ Ports Sold
• 650K+ Systems
• 70% PoE/PoEP Port share
• 50% GET Customers
• 70% Top Enterprise Customers
• 1st Catalyst to support: 48G/slot, FNF, IOS-XE, ISSU, EEE/60W PoE *

Supervisor7-E
• 848Gbps Switching Capacity
• 48G/slot
• Rich hardware features (FnF, TrustSec, Wireless, ERSPAN, Tunneling, VRF-NG, VSS and more)
WS-X4748-RJ45V+E
• 48p 10/100/1000 non-blocking
• 30W/port (PoE+) on all 48 ports
• Cisco TrustSec in Hardware
Catalyst 4500E and 4500E+ Chassis
• Forward and backward compatible
• 48G/slot
• Lifecycle till year 2020
WS-X4712-SFP+E
• 12 Port 10GE 2.5:1 Line Card
• Cisco TrustSec in Hardware
• SFP+ SR modules (Lower power mode)
Cisco IOS XE
• Modern OS to support multi-core CPU
• IOS investment protection
• Enabling Open Service Platform
12 Port 1GE Line Card
• 12 port 1GE SFP Ports
• Wire-rate 1:1

Hardware Elements
• 2G DRAM
• Dual Core CPU
• USB ports*
• SD Memory Card
• Console and Management Port
• 4 Uplinks: 10GE with SFP+, 1GE with SFP
*USB Type A is supported; USB Type B is not supported

System Feature | Supervisor 7-E | Supervisor 6-E | Supervisor 6L-E
Switching Capacity | 848 Gbps | 320 Gbps | 280 Gbps
Throughput | 250 Mpps (125 Mpps for IPv6) | 250 Mpps (125 Mpps for IPv6) | 225 Mpps (125 Mpps for IPv6)
Bandwidth / Slot | Up to 48G | Up to 24G | Up to 24G
CPU | Dual Core 1.5 GHz | Single Core 1.3 GHz | Single Core 1 GHz
SSO failover time | 0-10 msec | 0-50 msec | 0-50 msec
DRAM | 2G (Upgradable to 4G) | 512 MB (Upgradable to 1G) | 512 MB
Bootflash | 1G | 128 MB | 128 MB
Number of 10/100/1000 ports | Up to 384 access, up to 4 GE uplinks | Up to 384 access, up to 4 GE uplinks | Up to 240 access, up to 4 GE uplinks
Number of 10GE ports | Up to 96 on line cards, up to 4 on supervisors | Up to 30 on line cards, up to 4 on supervisors | Up to 30 on line cards, up to 2 on supervisors

The E Series chassis is designed to support line cards with higher bandwidth per slot. The chassis provides 24G to 48G of bandwidth per slot with the next-generation supervisor, providing investment protection.
• WS-C4503-E: 3 slot chassis with single supervisor
• WS-C4506-E: 6 slot chassis with single supervisor
• WS-C4507R-E/+E: 7 slot chassis with redundant supervisors
• WS-C4510R-E/+E: 10 slot chassis with redundant supervisors
The WS-C4507R+E and WS-C4510R+E chassis add support for 48G/slot. Existing supervisors also support the E+ chassis.

Borderless network services: an open application platform based on the next-generation operating system IOS XE
• Next-gen campus performance, future proof with PoE+, EEE, IPFIX etc.
• Enables converged wired and wireless
• Next-gen collaboration with Medianet, Trustpoint
• HW enabled Cisco TrustSec security
• Next generation virtualization with VRF-NG, VSS
• Lower TCO
Performance: 848Gbps; 48G/slot; 100 10GE ports; 384 10/100/1000; Dual Core CPU; PoEP on all ports
Mobility: Converged wired & Wireless*; Unified Guest Access*
Collaboration: video, Flexible NetFlow, WRED*, Medianet, Intelligent Media TrustPoint*
Security: MACSec*, TrustSec SGT*, Integrated NAC Profiler*
Lower TCO: VSS*, VRF NG*, ERSPAN*, EEE*, NAT*, GRE*

ISSU
Drivers and Benefits
• Always-on network (negligible planned downtime)
• Ideal for new critical services deployment
• PSIRT update made easy
Functionality
• Upgrade software images at run time
• Subsecond upgrades (<10 msec with Catalyst 4500 Sup6, Sup6L-E and Sup7-E)
New Enhancement: Single-line ISSU greatly simplifies the operational tasks during ISSU

[Animated diagram: single-line ISSU using "issu changeversion bootflash:image2 quick". Labels: new image on the standby supervisor first; active supervisor fails/changed over to the standby using Stateful Switch Over; supervisors move from image 1 to image2.]
After ISSU the Active/Standby order changes!

Unmatched Application Visibility
[Diagram labels: Day0 Attacks; Detect Anomaly; Visibility; Compliance; SLA; Control with EEM Integration; App. M&T; Capacity Planning; Collector Ecosystem]
Catalyst 4500E Flexible NetFlow fields: IP, Ports, TCP Flags, L2 MAC, L2 VLAN, UDP Flags, IPv6, IP Options, Multicast ...
Use cases: Campus Mobility, Unified Communications, Branch Network Virtualization
Benefits:
• Lower CAPEX: better insight for capacity planning and network upgrades
• Lower OPEX: better service and user experience; increased IT staff productivity
Catalyst 4500E Capabilities:
• Unprecedented visibility with new L2~7 fields
• Scalable, flexible flow monitors
• On-box customizable policy action with EEM
• Broad collector partner ecosystem

Traditional NetFlow
• Fixed definition of flow record globally
• Fixed 7 keys
• Export only to one collector

NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd | Protocol | SrcPort | DstPort
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11 | 00A2 | 00A2
Fa1/0 | 173.100.3.2 | Fa0/0 | 10.0.227.12 | 6 | 15 | 15
Fa1/0 | 173.100.20.2 | Fa0/0 | 10.0.227.12 | 11 | 00A1 | 00A1
Fa1/0 | 173.100.6.2 | Fa0/0 | 10.0.227.12 | 6 | 19 | 19

Flexible NetFlow
• Flexible definition of flow records applied to selected interface or VLAN
• Ability to export flow information to multiple collectors/analyzers

Flow Monitor 1, flow cache 1:
DstIPadd | Protocol | TOS
10.0.227.12 | 11 | 80
10.0.227.12 | 6 | 40
10.0.227.12 | 11 | 80
10.0.227.12 | 6 | 40

Flow Monitor 2, flow cache 2:
Protocol | TOS | Flgs
11 | 80 | 10
6 | 40 | 0
11 | 80 | 10
6 | 40 | 0

Flow Monitor 3, flow cache 3:
SrcIf | SrcIPadd | DstIf
Fa1/0 | 173.100.21.2 | Fa0/0
Fa1/0 | 173.100.3.2 | Fa0/0
Fa1/0 | 173.100.20.2 | Fa0/0
Fa1/0 | 173.100.6.2 | Fa0/0

[Diagram labels: Export Destination 1, Export Destination 2, Export Destination 3; IT team #1, IT team #2, Security focused analyzer]

Intelligent, Customizable Events and Policies
• Quick: event-driven. Instant, on-board traffic anomaly detection and reaction. NF event detector triggers policies locally on network devices instead
• Detailed: granular view of flow info enables a wide range of applications
• Flexible: custom policies written in CLI or TCL

Example I: Malformed Packets Detection & Reporting
Attacker sending malformed packets with TTL=0. TTL = 0 triggers an EEM event.

NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd | TTL
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 0
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 10
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 200

*MAR 29 2010 12:29:02.604 UTC: %HA_EM-6-LOG: my-ttl-applet: flow record with zero TTL
The syslog message is generated based on pre-configured policies.

Example II: Anomaly Flow Detection and Mitigation
Compromised phone sending traffic at a high rate. NetFlow ED triggers policies to monitor flow rate. Typically, voice conversations are 64 kbps.

NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd | Bytes
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 34346
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 300
Fa1/0 | 173.1.1.2 | Fa0/0 | 10.0.277.1 | 1000

*Feb 18 01:24:30.455: %LINK-5-CHANGED: Interface FastEthernet 1/0, changed state to administratively down
Interface Fa1/0 is shut down when the flow rate exceeds 1 Mbps.

MACSec
Benefits
• Protect data integrity and confidentiality, and meet compliance needs
• Prevents man-in-the-middle attacks
Campus Deployment Scenarios
• Building-to-building encryption
• Host-to-access switch: prevent man-in-the-middle attacks
Why MACSec
• Standards-based L2 hardware line-rate encryption (Sup7-E uplinks and 47xx LCs)
• Hop-by-hop encryption: security without impacting network services (QoS, NetFlow etc.)
[Diagram labels: Encrypted links; AAA; Campus]
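The two event-detector policies from the Flexible NetFlow/EEM examples above (report a flow with TTL = 0; shut the port when a flow exceeds 1 Mbps), modelled offline in Python as an added example. This is not Cisco code or EEM syntax; the Flow fields, the per-flow duration and the sample cache are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RATE_LIMIT_BPS = 1_000_000   # slide threshold: shut the port above 1 Mbps
VOICE_BPS = 64_000           # slide baseline: a voice call is typically 64 kbps


@dataclass(frozen=True)
class Flow:
    """One flow-cache entry (field set is an assumption for this example)."""
    src_if: str
    src_ip: str
    dst_ip: str
    ttl: int
    octets: int       # bytes counted for the flow
    active_s: float   # seconds the flow has been active


def rate_bps(flow: Flow) -> float:
    """Average bit rate; a zero-length flow has no defined rate, so report 0."""
    if flow.active_s <= 0:
        return 0.0
    return flow.octets * 8 / flow.active_s


def evaluate(cache):
    """Return (action, interface, message) tuples for one pass over the cache."""
    actions = []
    shut = set()  # interfaces already disabled during this pass
    for flow in cache:
        if flow.src_if in shut:
            continue  # nothing more to report for a port that is now down
        if flow.ttl == 0:
            # Policy I: malformed packet, report only.
            actions.append(("syslog", flow.src_if,
                            f"flow record with zero TTL from {flow.src_ip}"))
        bps = rate_bps(flow)
        if bps > RATE_LIMIT_BPS:
            # Policy II: strictly above the limit, disable the ingress port once.
            shut.add(flow.src_if)
            actions.append(("shutdown", flow.src_if,
                            f"{flow.src_ip} at {bps / VOICE_BPS:.0f}x voice baseline"))
    return actions


# Constructed sample cache (documentation address ranges, not the slide's data).
SAMPLE_CACHE = [
    Flow("Fa1/0", "192.0.2.10", "198.51.100.1", ttl=0, octets=300, active_s=1.0),
    Flow("Fa1/0", "192.0.2.10", "198.51.100.1", ttl=64, octets=80_000, active_s=10.0),
    Flow("Fa1/1", "192.0.2.20", "198.51.100.1", ttl=64, octets=2_000_000, active_s=10.0),
    Flow("Fa1/1", "192.0.2.20", "198.51.100.1", ttl=0, octets=100, active_s=0.0),
    Flow("Fa1/2", "192.0.2.30", "198.51.100.1", ttl=64, octets=1_250_000, active_s=10.0),
]

if __name__ == "__main__":
    for action in evaluate(SAMPLE_CACHE):
        print(action)
```

The last sample flow runs at exactly 1 Mbps and is left alone, because the slide's condition is "exceeds 1 Mbps"; a byte count alone, as in the slide's cache table, is not enough to evaluate the rate without a time window.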
Automatic Port Provisioning Based on Device Intelligence
• Upon endpoint connection, the access switch gathers device intelligence via CDP, LLDP, MAC OUI etc.
• Automatic port configuration with a pre-defined macro based on device ID
• The port is reset to its default state upon endpoint disconnection
• Built-in system macros, also customizable
• Cisco Digital Media Players, IP Surveillance Cameras, IP phones, Access points
• Benefits: lower TCO with plug-and-play
[Diagram labels: Default port; CDP/LLDP/MAC OUI device identification; Digital Media Player macro; Security camera macro (QoS, VLAN)]

IPv6 Migration Ready
High Performance
• Forwarding in hardware at line rate
• Dual stack forwarding
Security
• Secure access perimeter with IPv6 First Hop Security
• IPv6 app. visibility with Flexible NetFlow
Robust IPv6 Ready Infrastructure
• OSPFv3, EIGRP, IS-IS, BGP, HSRPv6, Fast Convergence*
Optimized App & Video Delivery
• IPv6 QoS, MLDv2/v3, PIM SM/SSM for IPv6
Management Plane Migration
• SYSLOG, SNMP, Telnet, SSHv6, TACACS+*, RADIUS*, TFTP*, FTP*, NTP* over IPv6
[Diagram labels: IPv4-only site; WAN (IPv4, IPv6); IPv6-only site; Dual Stack IPv4+IPv6 site]
Drivers:
• IPv4 address depletion in 2011
• Endpoint IPv6 "on" & "preferred"
• National IT Strategy
• Infrastructure Evolution
*roadmap

1G Access Switch: Cisco Catalyst 4948E
1 RU, 48 10/100/1000 server links, 4 x 1G/10G SFP/SFP+ uplinks, 176 Gbps bandwidth
• Non-blocking downlink and uplink ports
• ACL, Routing and MAC table scalability
• Line rate multicast
• IPv6 in Hardware
• Microburst Protection
• 8 line rate Bi-Dir SPAN/RSPAN
• Front to back cooling
• Option of AC and DC power
• Redundant power
• Depth optimized for integrated solutions

10G Access Switch: Cisco Catalyst 4900M
2RU, 16x10G copper server links, 8 x 10G X2 uplinks, 320 Gbps bandwidth
• Non-blocking downlink and uplink ports
• ACL, Routing and MAC table scalability
• Line rate multicast
• IPv6 in Hardware
• 8 line rate Bi-Dir SPAN/RSPAN
• Choice of 1G/10G Copper and Fiber line cards
• Microburst Protection
• Option of AC and DC power
• Redundant power
• Depth optimized for integrated solutions

[Figure: positioning by uplink (GE Uplink, 10GE Uplink) and access speed (GE Access, 10 GE Access)]
Cisco Catalyst 4900M / Cisco Catalyst 4948
• 1G / 10G modular flexibility
• Optimized for middle of the row
• Non blocking north to south
Cisco Catalyst 4948E (New)
• Datacenter grade
• Redundant power and cooling
• Full L2/3 features
• Line-rate Multicast
• Full featured 1Gig server access
• Double the uplink capacity
• Datacenter optimized airflow
• Netflow lite
Cisco Catalyst 4900M configurations (labels: Copper Access, Fiber Access, New):
• 16X 10GE-T, 8X 10 GE Fiber, bandwidth 320 Gbps
• 24X 10 GE, bandwidth 320 Gbps

[Figure: < 1000 Server Datacenter built with Cat4900M and C4900M (10GbE) plus C4948E (1GbE); > 1000 Server Datacenter built with Nexus 7000 (VDC 1 to VDC 4) plus C4900M (10GbE) and C4948E (1GbE); racks of 22 servers and 48 servers]
• L2/L3 boundary flexibility
• Supports large VM deployments
• Optimized for performance and availability
• 1/10GbE server deployments

Overview of the New High-Performance Firewall ASA 5585-X
Officially released
Enhancing the Customer Experience
[Figure: ASA 5585-S10P10, ASA 5585-S20P20, ASA 5585-S40P40 and ASA 5585-S60P60 plotted by Performance, Scalability, Adaptivity across Branch, Campus and Data Center. Labels: Securing Internet-Edge & Campus Networks; Scalable Data Center Solutions.]

 | ASA5585 SSP-10 (New) | ASA5585 SSP-20 (New) | ASA5585 SSP-40 (New) | ASA5585 SSP-60 (New)
Network Location | Internet Edge / Campus | Internet Edge / Campus | Campus / Data Center | Data Center
Performance | | | |
Max Firewall | 4 Gbps | 10 Gbps | 20 Gbps | 35 Gbps
Max IPS | 2 Gbps | 3 Gbps | 5 Gbps | 10 Gbps
Max IPSec VPN | 1 Gbps | 1 Gbps | 2 Gbps | 2 Gbps
Max IPSec/SSL VPN Peers | 5000 | 10,000 | 10,000 | 10,000
Platform Capabilities | | | |
Max Firewall Conns | 750,000 | 1,000,000 | 2,000,000 | 2,000,000
Max Conns/Second | 50,000 | 125,000 | 200,000 | 350,000
Packets/Second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,00,000
Base I/O | 8 GE + 2 10 GE | 8 GE + 2 10 GE | 6 GE + 4 10GE | 6 GE + 4 10GE
Max I/O | 16 GE + 4 10 GE | 16 GE + 4 10 GE | 12 GE + 8 10GE | 12 GE + 8 10GE
VLANs Supported | 250 | 250 | 250 | 250
HA Supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S

Future-Proof Hardware
2 RU Chassis
• 2 x Full-Slot Modules
• 1 x Full-Slot + 2 x Half-Slot Modules
• OIR capable
• Redundant Hot Swappable Power Supply Units
• Front to Back Air Flow
• Multi Gigabit Fabric
GE Ports
• Up to 8 x 10G SFP+ with OIR support
• Up to 16 x 1GbE Cu
• SFP/SFP+ slots on all modules
Security Service Processors
• Multi-Services Capable
• Dedicated 64bit Multi-Core Processors
Passive Backplane
• Module to module communications
• Packet prioritization and shaping
eUSB
• 2 Gb Internal
• Convenience storage
• Security credentials

o 2 x 2.4 GHz Intel Hexa Core processors with Hyper-Threading
o 24 Gb of 1066 DDR3 RAM
o 4 x Cavium Nitrox Crypto Security Processors
o 2 x 2.4 GHz Intel Hexa-Core processors with Hyper-Threading
o 48 GB of 1066 DDR3 RAM
o 2 x Hardware Regex Accelerator Daughter Cards

• String inspection engines providing bidirectional deep packet inspection: String-xl-tcp, String-xl-udp, String-xl-icmp

Firewall
[Diagram: ASA 5585 chassis. Slot 1: empty. Slot 0: ASA-SSP module (CPU complex, fabric switch, ports).]
Firewall only: the ASA-SSP module processes all ingress/egress packets.

Firewall and Intrusion Prevention
[Diagram: ASA 5585 chassis. Slot 1: IPS-SSP module (regex accelerator, CPU complex, fabric switch, ports). Slot 0: ASA-SSP module (CPU complex, fabric switch, ports). Label: Firewall & IPS.]

Market-leading firewall, IPS and VPN gateway designed for the data center
MultiScale(TM) Performance
• Up to 35 Gbps of firewall throughput
• Firewall and IPS throughput scales to 10 Gbps
• Supports up to 10,000 remote-access VPN users
Investment Protection
• Scalable design that grows with the business
Industry-Leading Multi-Service Security
• Advanced threat protection through anti-botnet capability and hardware IPS with global correlation
• Intelligent VPN access through the Cisco AnyConnect client
• A continuation of Cisco's more than 15 years of leading technology in security
The industry's only 2U, low-power, high-performance firewall, IPS and VPN access gateway designed for data center deployment

Cisco CleanAir Improves Wireless Network Quality

"I can't do my job without the wireless network. It has to be running all the time."
(Growing dependence on Wi-Fi devices)
vs.
"The wireless network is a 'best effort' network. I can't guarantee a high service level."
(IT staff lack specialist knowledge of RF resources)

Protecting the performance of 802.11n wireless networks
[Figure: wireless adoption stages: casual (hotspots); pervasive; rich-media applications; business critical. Requirements: system management; system capacity; self-healing and optimization.]
CleanAir includes:
• 3500 Series Access Points
• Wireless LAN Controller
• Mobility Services Engine (MSE)
• Wireless Control System (WCS)

[Figure: limited spectrum resources and 802.11n lead to system overload: performance degrades and technical support cost increases.]

Cisco CleanAir: detect and classify, locate, mitigate
A system-level capability that uses silicon-level intelligence to automatically mitigate the effects of wireless interference, optimizing network performance and reducing troubleshooting cost.

Cisco CleanAir: detect and classify
• Identify and track multiple interference sources
• Assess the impact of interference on wireless network performance
• Monitor air quality
[Figure: air-quality readings shown on the slide: 97, 100, 63, 90, 20, 35]
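High-resolution interference detection and classification logic is built into Cisco's 802.11n Wi-Fi chipset design; it runs embedded, requires no CPU involvement and has no impact on performance.

Cisco CleanAir: locate and mitigate
• Access points perform interference classification processing
• Interference source data is sent to the wireless controller in real time
• WCS and MSE store the data and provide interference source location, history and troubleshooting
Cisco CleanAir technology extends the integration of interference information from the access point to the entire system.
[Diagram labels: WCS, MSE; Wireless LAN Controller; maintain good air quality; visualization and troubleshooting; GOOD / POOR; CH 1, CH 11]

Radio Resource Management (RRM)
[Diagram labels for the three steps below: performance; air quality; wireless LAN controller; RRM; channels 11, 6, 1]
1. An optimized deployment on channels 11, 6 and 1 delivers maximum performance and minimum interference.
2. Interference occurs on channel 6 and air quality is affected. RRM searches the list of available channels to resolve the conflict (scanning available channels...).
3. Conflict resolved (switched to channel 11). A message is sent to RRM. The channel that caused the conflict is blocked from use for a period of time. Channel list: 11, 6 (blocked), 1.

Cisco | Benefit | Other vendors
Purpose-built chip design | Rich RF data collection and monitoring while still forwarding data without blocking | Use the data-forwarding Wi-Fi chip, which works in monitor mode and cannot forward data
High-resolution information | Intelligent spectrum analysis of non-Wi-Fi interference, tracking interference sources and assessing the severity of their impact | Intelligently distinguish basic Wi-Fi data
System integration | Automatic optimization, location, history collection, RF forensics and report generation | Cannot act automatically; lack system-wide correlation

Protecting the performance of 802.11n networks
• CleanAir technology uses intelligent spectrum capabilities built into the silicon of the access point to improve air quality
  o Detect and classify interference sources
  o Locate the root cause of problems
  o Automatically avoid interference
• Benefits for users
  o Self-healing and optimization
  o Troubleshooting forensics
  o Wireless security
  o Policy enforcement
CleanAir components:
• 3500 series access points
• Wireless LAN controller
• Mobility Services Engine (MSE)
• Wireless Control System (WCS)

Thank you.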