Slide 1
Cisco Unified Access Roadshow
Enterprise Backbone Technologies Enabling BYOD and Collaboration
Vivek Baveja, Technical Marketing Engineer, Enterprise Networking Group
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 2: Questions to Be Answered
[Figure: three-tier campus diagram labelled Access, Distribution, Core]
• How do I provide a consistent user experience?
• How do I bring both corporate-owned and employee-owned devices onto the network?
• What services do I need to enable in the infrastructure?
• How do I build a scalable, secure, converged wired/wireless campus network to support these trends?
• How do I manage this at an enterprise level?
• How do I secure my device and user communities?
• How do I monitor this at an enterprise level?

Slide 3: Questions for this session
• How does the Catalyst 6500 with Sup2T fit into a BYOD infrastructure?
• When do I use the Catalyst 6500 instead of the Nexus 7000?
• What is the future of the 6500?
• How do I secure the campus for BYOD?
• How can the Catalyst 6500 provide the network visibility my BYOD infrastructure needs?

Slide 4: (section divider)

Slide 5: Cisco Catalyst or Nexus?
Campus drivers: video, mobility/BYOD, security. Data center drivers: workload mobility, VM/10G/virtualization, energy efficiency.
Layer | Campus | Data Center
Backbone | Lead with Catalyst 6500 Sup2T | Lead with Nexus 7000
Distribution / Aggregation | Lead with Catalyst 6500 Sup2T | Lead with Nexus 7000
Access | Lead with Catalyst 4K / 3K | Lead with Nexus 5000/2000
Engineering investments and the roadmap follow this positioning.

Slide 6: Catalyst family (IOS) for the campus, Nexus family (NX-OS) for the data center / cloud
Campus (Catalyst, IOS) | Data Center / Cloud (Nexus, NX-OS)
User access control / segmentation: 802.1X, Easy Virtual Networks (EVN) | Cloud security and VM awareness: Nexus 1000V, VSG, ASA 1000V
Video intelligence: Medianet | VM mobility: LISP, VXLAN, OTV
Wired/wireless convergence: wireless controller integration | LAN/SAN convergence: unified ports, FCoE
Application visibility: Flexible NetFlow, NAM-3 (NBAR2) | Fabric scale and resilience: FabricPath, vPC, wire-speed 10/40/100G
Power over Ethernet: UPOE, EnergyWise | Data center consolidation: VDC, FEX, DCNM
Customer requirements and needs ultimately drive the sale.

Slide 7: Cisco Catalyst 6500 E-Series: the network services platform for the Unified Access transition
• Innovation and differentiation: innovation with investment protection
• Lower TCO and price/performance
• Driving next-generation Ethernet in the campus: 1G » 10G » 40G » 100G
• Virtualization, simplified operations and change management

Slide 8: Investment and installed base
• $200+ million invested in Sup2T development (compare with Tesla Motors' $150M investment in its first fully electric sports car); a further $200+ million planned over the next three years alone
• FY12 Catalyst 6500 port share of the total modular industry*: Catalyst 6500E 25%, rest of market 75% (*using Dell'Oro as the baseline for the industry total)
• 750,000+ chassis shipped, 1.2 million supervisors shipped, 110 million ports shipped, 45,000+ Catalyst 6500 customers
• Rich network services, Ethernet evolution, lower TCO, investment protection

Slide 9: Catalyst 6500 module portfolio
• Supervisor: Sup2T (80G/slot)
• Services modules: NAM-3, WiSM2, ASA-SM
• 40 GbE fiber: 6904 (FourX adapter; SR4 and LR4 optics)
• 10 GbE fiber and copper: 6908 and 6904 at 80G/slot; 6816 at 40G/slot
• 1 GbE fiber and copper: 6824 (fiber), 6848 (copper)
• High-performance access: 6848 copper; access: 6148-45AT

Slide 10: Sup2T overview: 4x scalability, 3x performance
• Improved switch fabric providing 80G/slot
• New MSFC5 with a dual-core CPU and a single IOS image
• New PFC4 with improved performance and scalability plus new hardware features
• USB-based console support
• Connectivity Management Processor (CMP)
• Managed by Cisco Prime
Feature | Sup720 | Sup2T
L2 MAC table | 96K | 128K
Bridge domains | 4K | 16K
TrustSec / SGT | – | Yes
VNET trunk (EVN) | – | Yes
40G interfaces | – | Yes
System bandwidth | 720 Gbps | 2 Tbps
L3 interfaces | 4K | 128K
NetFlow table | 128K/256K | 512K/1M
Flexible NetFlow | – | Yes
Hitless ACL updates | 32K | Yes
Medianet 2.2 | – | Yes
VPLS / A-VPLS | Requires WAN module | Yes (no WAN module)
VSS Quad-Sup SSO | – | Yes
Items shown in purple on the original slide are the BYOD, collaboration and video enablers.

Slide 11: 6900 and 6800 series line cards with DFC4
6900 series with DFC4 (doubled system performance, with distributed forwarding):
• Non-blocking 80G/slot performance
• Wire-rate MACsec
• Virtual switch link (VSL)
• Large packet buffers (256 MB/port)
• X2 transceivers, or SFP+ with adapter
• Available in standard and XL sizes
• LISP-ready
• 4-port 40G card at $36,000, with FourX adapter and CFP-40G-SR4 / CFP-40G-LR4 optics
6800 series with DFC4 (distributed-forwarding performance at central-forwarding price):
• 40G/slot with integrated DFC4
• 24- and 48-port 1 GbE fiber
• 48-port 10/100/1000 copper
• 16-port 10 GbE fiber and 10GBASE-T
• Available in standard and XL sizes

Slide 12: Sup720-era modules on Sup2T
Supported or upgradable:
• 6704, 6724, 6748 with CFC: supported as is
• 6704, 6724, 6748 with DFC3: upgrade the daughter card to WS-F6K-DFC4-A
• 6716-10G/10T with DFC3: upgrade the daughter card to WS-F6K-DFC4-E
• 6708-10G fiber: special TMP program for upgrade
• 61xx series: 6148E, 6148A, 6148-SFP, 6196
• Service modules: NAM-1/2/3, ACE20/30, WiSM-1/2, FWSM, ASA-SM
Not supported:
• VPN SPA (use the ASA-SM for IPsec VPN)
• WAN modules (use Sup720-10G or ASR for WAN)

Slide 13: Next-generation service modules (NEW)
NAM-3 (enhance application visibility):
• Monitoring performance up to 15 Gbps
• Capture to external disk up to 5 Gbps
• Deep packet inspection with NBAR-2 support
• Hardware filters and packet captures
• Rapid troubleshooting
WiSM-2 (integrate wired/wireless management):
• Performance 20 Gbps
• 500–1,000 access points
• 15,000 clients
• Concurrent AP upgrades/joins up to 500
• Mobility domain size up to 18,000 APs
ASA-SM (deliver robust, integrated, streamlined security; OS and feature parity with the appliances):
• System performance 64 Gbps; performance per service module 16 Gbps
• 10,000,000 concurrent sessions; 300,000 connections per second
• 250 security contexts; 1,000 VLANs

Slide 14: Feature positioning, scalability versus feature richness (*roadmap)
• Cisco Catalyst 3750-X (fixed) and Catalyst 4500-X / 4500E (modular): TrustSec (MACsec, SGT, SGACL; EVN on the 4500); AVC (Medianet, Flexible NetFlow with EEM integration, integrated Wireshark); resiliency (VSS on the 4500-X; supervisor redundancy, NSF/SSO and ISSU on the 4500E); Smart Operations (copper/PoE flexibility, EEM, GOLD)
• Cisco Catalyst 6500E (modular): TrustSec and services (L3 SGT, MACsec over EoMPLS, MPLS L3VPN, VPLS/A-VPLS, L2oMGRE, 6PE/6VPE, advanced CoPP, ASA-SM); resiliency (Quad-Sup VSS*, BGP PIC, EFSU, BFD and multicast BFD, multicast HA, ACL hitless commit, ACL dry run); AVC (PIM register in hardware, IGMPv3/MLDv2 snooping in hardware, egress NetFlow, per-VRF NetFlow, NAM-3, WiSM-2); Smart Operations (EEM, GOLD, Smart Call Home, Smart Install Director, LISP, WCCPv3)

Slides 15–16: (section dividers)
Slide 17: Why service modules
Simplified manageability:
• Managed as a single entity with backplane integration
• Integrated application intelligence, traffic analysis and performance troubleshooting
• Remote monitoring with RSPAN/ERSPAN
Increased scalability:
• Virtual contexts to support virtualization for BYOD
• Service modules match the latest appliance speeds and feeds
Lower total cost of ownership:
• Reduced network footprint
• No external connectors
• Improved power management
• Reduced rack space utilization

Slide 18: NAM-3
• Consistent application visibility from branch to data center across the application delivery lifecycle: monitoring, troubleshooting, control and optimization
• Works with Flexible NetFlow as a collector, for the local chassis or for external devices
• Service-centric causal analysis across application and network traffic flows
• Application (L7) specific packet analysis (NBAR-2*)
• Wireless CAPWAP decode
• Manageable by Cisco Prime
*CY Q4 2012

Slide 19: WiSM-2
One device for converged wireless and wired services supporting next-generation wiring closet infrastructures; reduced operational costs; 20 Gb backplane channel.
• Scale: 1,000 access points, 15,000 clients
• Central maintenance: simultaneous AP upgrade, troubleshooting
• Mobility: 36,000 APs in a mobility domain, fast roaming
• Performance: 10 Gbps throughput
• New features: Application Visibility and Control (AVC), NetFlow v9, Bonjour support, NMSP location services, stateful AP failover with VSS
• Hardware: dedicated 12-core control processor, dedicated 12-core data processor, status LEDs, serial and USB console ports; works with Cisco Prime and ISE

Slide 20: Bonjour services in a BYOD campus (*Q4 CY2012)
[Figure: a core switch and Catalyst 6500s with WiSM-2 serving rooms 201 and 203 through access switches 1–4; Bonjour devices printer-201, atv-201, printer-203 and atv-203 advertise their services. Two users in room 201 ask "What services can I use?": Adam (role: faculty) and John (role: student). The answer depends on the user's identity, role and location.]

Slide 21: ASA-SM hardware
• Multigigabit fabric: chassis backplane, high capacity, module-to-module communications
• Multiple contexts (250): virtualized interfaces; memory for handling high session counts; 24 GB of memory
• Dual crypto accelerators: hardware processing; accelerated VPN and Unified Communications encryption
• Security service processors: multi-service capable; dedicated 64-bit multicore processors; future-proof hardware
• NAT64 and site-to-site VPN services* (*roadmap)

Slide 22: How do I extend security outside the wiring closet?
[Figure: campus core and campus block with access segments for visitors, employees, a conference room and a TelePresence room, plus the Internet edge; network edge authentication topology.]
• How can I get DPI and stateful protection of corporate connections and resources? An integrated firewall module: Catalyst 6500 with ASA-SM
• How can I modify ACLs with zero traffic disruption? ACL atomic commit
• How do I insulate the CPU from heavy protocol traffic? Control Plane Policing (CoPP) and hardware rate limiters (HWRL)
• How do I scale campus firewall performance? ASA clustering across Catalyst 6500 chassis with ASA-SM
[Figure: ASA clustering with Catalyst 6500 chassis carrying ASA-SM modules]

Slide 23: Access control and path isolation
Cisco Catalyst 6500 VSS 4T with WiSM2, ASA-SM and NAM-3.
• Trusted devices: SSID → identity → device sensor → VLAN X → VRF X → firewall context X
• Untrusted devices: SSID → identity → device sensor → VLAN Y → VRF Y → firewall context Y
• BYOD devices need the same access as corporate devices, but greater inspection is required for them
• BYOD devices do not get mandatory virus/security updates, so path isolation carries their traffic across the network to an IPS or the ASA-SM (firewall and IPS services in the backbone) to maintain compliance with HIPAA, PCI and FISMA

Slide 24: (section divider)

Slide 25: TrustSec across a non-TrustSec domain: L3 SGT transport
[Figure: three user subnets behind gateways 192.168.10.1, 192.168.20.1 and 192.168.30.1 (192.168.10.0/24 = SGT 10, 192.168.20.0/24 = SGT 20, 192.168.30.0/24 = SGT 30) reach server 192.168.200.1 in 192.168.200.0/24 (SGT 30) across a non-TrustSec domain; the Identity Services Engine supplies the policy.]
• Manual or dynamic subnet-to-SGT mapping at the edge of the non-TrustSec domain
• L3 SGT transport changes the header: packets are sent in transport-mode ESP that carries the SGT only, with no encryption and no data authentication
• The 42–45 bytes of added overhead affect the IP MTU and may cause fragmentation
• SGACL enforcement at the destination; monitor SGACL packet drops with Flexible NetFlow

Slide 26: IPv6 first-hop security for IPv4/IPv6 dual-stack hosts
[Figure: L2 access, L3 distribution with WLC, core, IPv6 WAN]
Access layer:
• IPv6 device tracking: revoke network access for inactive devices
• IPv6 PACL: filter traffic on Layer 2 ports
• IPv6 RA Guard: stops rogue router advertisement threats
• IPv6 NDP inspection: prevents neighbor discovery spoofing attacks
Core layer:
• IPv6 uRPF: blocks spoofed traffic in hardware (16 paths)
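The chain on slides 23, 25 and 31 (identity → VLAN → VRF → SGT → SGACL) is shown below as a wired access and distribution configuration for a Catalyst 6500 Sup2T running IOS 15.0. This is an added example written for this page, not Cisco's own configuration. It assumes an ISE at 192.0.2.20, VLANs 10 and 20, VRFs CORP and PERSONAL with VNET tags 110 and 120, the SGT numbering from slide 25 and a non-tagging server-side device at 192.168.200.1; the SSID and WiSM-2 side lives on the wireless controller and is not shown, and the L3 SGT transport encapsulation itself is not configured here.

```ios
! Added example (not from the slide deck): 802.1X with ISE, EVN path isolation and
! TrustSec SGT/SGACL enforcement on a Catalyst 6500 Sup2T. Addresses, VLAN/VRF
! numbers, VNET tags and policy names are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
! Device sensor forwards DHCP/CDP/LLDP attributes to ISE for profiling
! (command set assumed available on this release)
device-sensor accounting
device-sensor notify all-changes
!
! Access port: ISE returns VLAN and SGT in the RADIUS Access-Accept;
! VLAN 30 (guest) is the static fallback if no result is received
interface GigabitEthernet3/1
 switchport mode access
 switchport access vlan 30
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Path isolation: one VRF per device community, all carried on one EVN trunk
vrf definition CORP
 vnet tag 110
 address-family ipv4
 exit-address-family
vrf definition PERSONAL
 vnet tag 120
 address-family ipv4
 exit-address-family
interface Vlan10
 description corporate assets
 vrf forwarding CORP
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 description employee personal assets
 vrf forwarding PERSONAL
 ip address 192.168.20.1 255.255.255.0
interface TenGigabitEthernet1/1
 description EVN trunk towards the core; one subinterface per vnet tag is derived
 vnet trunk
 ip address 10.1.1.1 255.255.255.252
!
! TrustSec: subnet-to-SGT mapping for traffic that arrives untagged, enforcement
! on the distribution SVIs, and SXP to a device that cannot read inline tags
cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
cts role-based sgt-map 192.168.30.0/24 sgt 30
cts role-based sgt-map 192.168.200.0/24 sgt 30
cts role-based enforcement
cts role-based enforcement vlan-list 10,20
cts sxp enable
cts sxp default password <sxp-password>
cts sxp connection peer 192.168.200.1 password default mode local speaker
!
! Locally defined SGACL (normally downloaded from ISE): personal devices (SGT 20)
! may reach web services on the server group (SGT 30) and nothing else
ip access-list role-based PERSONAL-TO-SERVERS
 permit tcp dst eq 443
 permit tcp dst eq 80
 deny ip
cts role-based permissions from 20 to 30 PERSONAL-TO-SERVERS
```

The two enforcement points are deliberate: the port-level 802.1X result places the device in a VLAN and VRF, which isolates its path, and the SGACL applies the role-based rule regardless of which path the packet took. Verify with show authentication sessions on the access port, show cts role-based sgt-map all for the bindings, and show cts role-based counters for permit/deny hits per SGT pair.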
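Slide 26 lists the IPv6 first-hop security features by name only. Below is an added example for this page, not Cisco's own configuration, showing how those features fit together on an IOS 15.0 access switch and a distribution or core interface. Interface names, VLAN 10, the prefix 2001:db8:10::/64 and the policy names are assumptions; the policy-based snooping, RA Guard and ND inspection commands are assumed to be available on the release in use.

```ios
! Added example (not from the slide deck): IPv6 first-hop security for dual-stack
! hosts. Interface names, VLAN and prefixes are assumptions.
!
! Device tracking: keep a binding table of who owns which address on which port
ipv6 snooping policy HOST-PORTS
 tracking enable
 security-level guard
!
! RA Guard: host ports may never originate router advertisements; the uplink may
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 nd raguard policy UPLINK
 device-role router
 trusted-port
!
! ND inspection: drop neighbor advertisements whose source MAC or binding does not match
ipv6 nd inspection policy HOST-PORTS
 validate source-mac
 drop-unsecure
!
! PACL on the Layer 2 port: hosts speak ND and use link-local or the assigned
! prefix; RA, ICMPv6 redirects and DHCPv6 server replies are denied outright
ipv6 access-list HOST-PACL
 remark deny host-originated router behaviour, permit everything else from known prefixes
 deny icmp any any router-advertisement
 deny icmp any any redirect
 deny udp any eq 547 any
 permit ipv6 fe80::/10 any
 permit ipv6 2001:db8:10::/64 any
 deny ipv6 any any log
!
interface range GigabitEthernet3/1 - 48
 switchport mode access
 switchport access vlan 10
 ipv6 snooping attach-policy HOST-PORTS
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 nd inspection attach-policy HOST-PORTS
 ipv6 traffic-filter HOST-PACL in
!
interface TenGigabitEthernet1/1
 description uplink to distribution; the only port allowed to send RAs downstream
 ipv6 nd raguard attach-policy UPLINK
!
! Distribution/core: strict uRPF drops spoofed sources in hardware on the routed interface
interface TenGigabitEthernet2/1
 description routed link from the distribution block
 ipv6 address 2001:db8:ffff:1::1/64
 ipv6 verify unicast source reachable-via rx
```

The PACL and RA Guard overlap on router advertisements on purpose: RA Guard is the feature built for it, the PACL line is the defence in depth and gives a logged hit if a host starts announcing itself as a router. Strict uRPF (reachable-via rx) belongs on interfaces with symmetric routing only; on a core link with multiple equal-cost paths use reachable-via any instead or legitimate traffic is dropped. Inspect the binding table with show ipv6 neighbors binding and the policy state with show ipv6 nd raguard policy HOST-PORTS.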
Slide 27: Traffic visibility with Flexible NetFlow
[Figure: campus buildings A, B and C connected through the campus core to the Internet and a NOC, with numbered trouble spots.]
Typical causes of poor application performance:
1. Bandwidth/capacity bottleneck
2. Unauthorized use of network resources
3. Security monitoring
4. Monitoring non-corporate devices
Flexible NetFlow provides the application visibility needed to answer the "who, what, when, where, how" of network activity in order to:
• Identify the root cause more easily, faster and more accurately
• Assign problem ownership
• Increase operational efficiency
• Lower TCO

Slide 28: Sup2T NetFlow
• Flexible NetFlow: increased customization by selecting the fields to match and collect, for both IPv4 and IPv6
• Egress NetFlow
• Up to 13M flows per system: bigger tables mean more entries per system (up to 13 million with a 13-slot chassis), giving better visibility into the network
• Sampled NetFlow in hardware, to optimize NetFlow table utilization and minimize load on the analyzers
• CPU-friendly export: optimal CPU utilization with yielding NetFlow Data Export (NDE), and direct export from a module
• NetFlow on CoPP: account for control-plane traffic after the ingress lookup is done
• Account for multicast traffic per destination instead of per group

Slide 29: Protect the CPU with CPU-yield NetFlow; scale NetFlow with distributed export
Yielding NDE:
• NDE increases the export rate until the yield threshold (70% CPU) is reached
• When the threshold is reached, NDE quickly backs off the export rate
• After waiting 5 seconds, NDE steps the export rate up again
• CPU utilization before NDE begins: 30%
Distributed export:
[Figure: a WS-X6848-TX-2T/2TXL exports its NetFlow data through the supervisor over the EOBC, while a WS-X6908-10G-2T/2TXL exports directly to the NetFlow collector.]
Direct export is supported with Supervisor 2T and:
• WS-X6716-10x upgraded with DFC4-E / DFC4-EXL
• WS-X6816-10x-2T/2TXL
• WS-X6908-10G-2T/2TXL
• WS-X6904-40G-2T/2TXL

Slide 30: (section divider)

Slide 31: Borderless Campus, end to end
[Figure: campus with access switches, a Catalyst 6500 VSS distribution block with WiSM2, ASA-SM and NAM-3, a 40 Gbps backbone, the Internet edge and a DC block with corporate servers, VDI and guest infrastructure servers.]
1. 802.1X EAP user authentication: employee → VLAN 10, personal asset → VLAN 20, guest → VLAN 30 (company asset versus personal asset)
2. Profiling to identify the device and its posture (Identity Services Engine)
3. Access granted, full or partial
4. Policy decision (ISE): SGT policy decision, SGACL enforcement, monitoring of SGACL-dropped traffic; an SXP session carries the bindings; WiSM2 acts as mobility coordinator (MC/MTE); the firewall (ASA) applies per-VLAN/VRF policies, including an Internet-only policy; EVN applies per-VLAN/VRF policies for path isolation; L3VPN over mGRE carries the VRFs across sites
5. Troubleshoot data, voice and video with Flexible NetFlow, NAM (NAM-3 at 15+ Gbps traffic monitoring), egress NetFlow, Medianet 2.2 performance monitoring and Mediatrace
Also on the slide: a 40 Gbps campus backbone with two-level shaping to support HD video; BGP PIC fast convergence; Smart Install Director.

Slide 32: End-to-end IOS 15.0
Cloud, ISR and ASR1000 at the edge; ISE and Cisco Prime NCS for policy and management; Cisco Catalyst 6500 VSS 4T with WiSM2, ASA-SM and NAM-3; Cisco Catalyst 4500E and 3750-X in the access.
• TrustSec: SGT/SGACL, MACsec, NDAC, CoPP, EVN/VRF-Lite, VPLS/A-VPLS
• Application Visibility and Control: Flexible NetFlow, Medianet 2.2, microflow policing, NBAR2 with NAM-3, AVC with WiSM-2
• Smart Operations services: Smart Install, Virtual Switching System, Quad-Sup VSS, EFSU, Embedded Event Manager (EEM), GOLD, Cisco Prime
• Resiliency: SSO, NSF/SSO, multicast HA, BGP PIC
End-to-end OS consistency with IOS 15.0; Cisco Validated Designs for campus deployment.
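Slides 27 to 29 describe what Sup2T Flexible NetFlow can do (field selection, egress monitors, hardware sampling, SGT-aware monitoring of SGACL drops) without a configuration. The following is an added example for this page, not Cisco's own configuration: ingress and egress IPv4 monitors on a distribution link, an IPv6 monitor, a sampled monitor on a 40G core link, and a v9 exporter. The collector address 192.0.2.50, the interface names and the sampling ratio are assumptions, and the two cts group-tag match lines assume a release whose flow records support the TrustSec fields; remove them otherwise.

```ios
! Added example (not from the slide deck): Flexible NetFlow on a Catalyst 6500 Sup2T.
! Collector address, interfaces and sampling ratio are assumptions.
!
! IPv4 record: the 5-tuple plus direction, interfaces and, where the release
! supports it, source and destination SGT so SGACL-denied flows can be correlated
flow record FNF-IPV4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow record FNF-IPV6
 match ipv6 protocol
 match ipv6 source address
 match ipv6 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! NetFlow v9 exporter to the NOC collector; templates are re-sent every 60 s so a
! restarted collector can decode the data records again
flow exporter NOC-COLLECTOR
 destination 192.0.2.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
! Monitors: short timeouts keep the hardware table turning over and the
! collector's view near real time
flow monitor FNF-IPV4-MON
 record FNF-IPV4
 exporter NOC-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
flow monitor FNF-IPV6-MON
 record FNF-IPV6
 exporter NOC-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! 1-in-64 random hardware sampling for the high-rate core links
sampler CORE-SAMPLER
 mode random 1 out-of 64
!
interface TenGigabitEthernet1/1
 description user-facing distribution link: full flow visibility in both directions
 ip flow monitor FNF-IPV4-MON input
 ip flow monitor FNF-IPV4-MON output
 ipv6 flow monitor FNF-IPV6-MON input
!
interface FortyGigabitEthernet2/1
 description core link: sampled to protect the NetFlow table and the collector
 ip flow monitor FNF-IPV4-MON sampler CORE-SAMPLER input
```

Unsampled monitors belong where the flow count is bounded (user-facing links), sampled ones where it is not (core links), which is how the 13M-entry table and the analyzer stay within their limits. Confirm the cache and export are working with show flow monitor FNF-IPV4-MON cache and show flow exporter NOC-COLLECTOR statistics; on line cards that support direct export (slide 29) the export bypasses the supervisor, and on the rest the yielding NDE behaviour described on slide 29 throttles export before it starves the route processor.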