© 2012 Cisco and/or its affiliates. All rights reserved.
Innovative Campus and Branch Architectures
João Henriques
Enterprise Networks Systems Engineer
7 May 2015
Instant Access
Unified Access
Multigigabit Ethernet
Intelligent WAN
Enterprise Networking Trends and Needs
Deliver an Uncompromised User Experience
on Any Workspace
IT Requirement
Megatrends
Mobility • Seamless roaming
• Optimal client performance
• Cloud access/VXI
Video • Multicast streaming
• Video conferencing
• Reliable performance
BYOD • Secure access
• Customized experience
• Guest access
[Chart: client bandwidth (11 Mbps to 10 Gbps) by wireless standard, early 2000 to 2014 and beyond; labels: Nice to Have, Mission Critical, Pervasive, Media Rich Applications]
• 802.11a, 802.11b: 11 Mbps
• 802.11g: 54 Mbps
• 802.11n: 450 Mbps
• 802.11ac-1: 1 Gbps
• 802.11ac-2: 3.5 Gbps
• Future
Uncompromised User Experience on Any Workspace
Unified Access
One Policy
One Management
One Network
Policy
Administration
Policy Decision ISE (Identity Services Engine) Prime Infrastructure
Context of
Policies Enterprise environment
Personal Devices Non-user devices Identity of users
Policy
Information ,
Security Posture NAC/AnyConnect Agent
Profiling through Cisco
Network
Information Stores
Policy
Enforcement Cisco Infrastructure: Switches, Controllers, Firewalls, Routers
CDP
LLDP
DHCP
MAC
DEVICE CLASSIFICATION
PRINTER Video Phone
Printer Policy
[place on VLAN X]
Video Phone Policy
[restricted access]
ISE
POLICY
Profiling for both wired and wireless devices
Collection—Switch collects
device related data and
sends report to ISE
Classification—ISE
classifies device, collects
flow information and provides device
usage report
Authorization—ISE executes
policy based on user and
device
The Solution Deployment Scenario with Cisco Device Sensor
Device Profiling
+ Device Sensor
Access
Point
USER Custom Location Type of Device Time Posture Access Method
Integrated Wired/Wireless Lifecycle and Assurance Management
• Regulatory and best practice policies
• Automated audit and reporting
• Centralized remediation
Prime
Infrastructure
User Productivity
Regulatory & Operational Compliance
Operational Productivity User, Site & App Experience
• Application performance visibility
• User & site-level visibility
• Proactive monitoring
• Real-time troubleshooting
• “Prime 360” diagnostic views
Automated Best Practices
• Wired/wireless, Branch/WAN
• Integrated lifecycle
• Cisco best practices built in
• PnP Deployment
• “Day 1” device support
Deep Application Visibility and Control
Single View of Wired and Wireless Automated End-User
Troubleshooting
User and Device 360° View Integrated Best Practices
Prime Infrastructure Highlights – Application Experience Application Visibility Across the Enterprise
Prime Infra
Infrastructure
Cisco ASR
NBAR2, AVC, Medianet
NBAR2
SNMP/CLI Polling
WAAS
NBAR
MEDIANET
PA
SPAN/ ERSPAN
Netflow
Cisco 6800 & NAM Blade
Netflow, MediaNet
Wireless Controllers
NBAR2
Cisco ISR & NAM on SRE
NBAR2, PA, Medianet
Cisco Catalyst 3850-X w/ 3K-X 10G
Netflow, MediaNet
NAM Appliance (23XX) NBAR2, Voice, ART, SPAN,
ERSPAN
Netflow, NAM module
NGA 3240
Netflow, SPAN, ERSPAN
AP 3700
NBAR2
Wireless Control
System
Access Control
Server
LAN Mgmt
Solution
Identity
Mgmt
NAC
Profiler
Guest
Server
Cisco Wireless LAN Controller
Internal Resources
Cisco Firewall Cisco Access Point
Catalyst Switch
Corporate Network
Internet
One Management
Prime
One Policy
ISE
Converged Access Mode
• Integrated wireless controller
• Distributed wired/wireless data plane (CAPWAP termination on switch)
One Network
3850 or
3650
Built on Cisco’s Innovative “UADP” ASIC
The Intelligent Switch for the World Connected
Wireless CAPWAP Termination Up to 2000
Clients per Stack
40 Gbps Uplink Bandwidth
Line Rate on All Ports
FRU Fans, Power Supplies
Granular QoS/Flexible
NetFlow
Up to 100 APs with 40G wireless termination per switch, 2000 clients per stack
480 Gbps Stacking Bandwidth
Stackpower
SGT/SGACL*
Full POE+
Optional StackWise-160 9 member Stack
Dual FRU Power Supplies
FRU Fans
Full Netflow/QoS for wired/wireless
SGT/SGACL
Full POE+
40G Wireless Capacity Per Switch
Built on Cisco’s Innovative “UADP” ASIC
The Intelligent Switch for the World Connected
Fixed Uplinks 4 x 1G 2 x10G
4 x 10G*
EEE
MACsec HW Ready
Multi-Core CPU
Line Rate on All Ports
802.11n 802.11ac
50AP’s and 1000 Clients Per Stack
*4 X 10G uplinks are available only on 48-port switches
Known Deployment Model
The Wireless LAN Controller
• Wireless is an Overlay Network
• Software components within the WLC today:
• Mobility Agent (MA) is responsible for:
– AP CAPWAP termination
– Maintaining client database
– Policy enforcement
• Mobility Controller (MC) is responsible for:
– Client Mobility
– Radio Resource Management (RRM)
– WiPS, Spectrum Management
Access Points
5508 5508
Inter-Controller EoIP/CAPWAP tunnel
AP-Controller CAPWAP tunnel
ISE Prime
MC MA
ISE Prime
Access Points
Separation of MA and MC
• Traditional Controllers continue to play MA and MC
• Catalyst 3850 can play the role of both MA and MC
– Valid for Branch and small-medium campus type deployments
• Moving the MA only to the Catalyst 3850 (typically in large campus) helps with:
– Improved Scalability – larger mobility domains
– Increased wireless bandwidth
– Uniform wired/wireless policy enforcement
AP Capwap Tunnels Mobility Tunnels
Catalyst 3750
5508 or WISM2 with SW Upgrade or new 5760
New Catalyst 3850
MC
MA
MC
MA
Customer Problem / Impact / Benefit
Feature/Capabilities
• Granular Application Management: Hierarchical QoS provides rich granularity allowing for consistent prioritization of both wired and wireless traffic
• Decrease risks within Wireless: Existing wired features designed to “harden” access ports available directly at the AP’s connectivity point in the infrastructure
• Quality of Service (QoS) and Security: Features are now available in the wireless infrastructure by leveraging wired IOS feature sets
Per AP
Per Radio
Per SSID
Per Client
Per Application
Hierarchical QoS
802.11n ac
SSID
1
SSID
2
SSID
1
SSID
2
Jabber
Security
• Identity
• Device Profiling
• SGT/SGACL*
• Control Plane Policing
• MACSec
• Port Security
• DHCP Snooping and IP Source Guard
• Wireless Intrusion Prevention System (WiPS)
Performance & Scale
Works in all existing 4500-E chassis Up to 100 APs
2000 Clients
8 SFP+ 10G/1G Uplinks
LiSP Ready 888Gbps total capacity
Doppler daughtercard for wireless integration
Faster CPU
Modular Value Proposition
• Investment Protection to UA Arch
• In Service Software Upgrade for wired/wireless
Services
• Complete wired/wireless integration
• Application Visibility for Collaboration
Protocols
Scale
•100% more Uplink Bandwidth
• Uplink FPGA (LISP)
40G Wireless Capacity Per Switch
• Secure, reliable access
• Low TCO & energy-efficient
Competitive Feature Set at Compelling Prices
UNIFIED WORKSPACE
BYOD Video Mobility
Features
Scale
Converged Wired/Wireless Access
Lead Stackable Switch Lead Modular Switch
• Up to 480G Stacking
• Up to 4x10G Uplinks
• Stackpower with 3850
• Supports up to 50AP’s
• Scale and Performance
• 928G Backplane
• 8 Modular 1/10G Uplinks
• Supports 50AP’s*
Source: http://www.gartner.com/technology/reprints.do?id=1-1WEP20F&ct=140630&st=sb
UNIFIED ACCESS
Centralized Wireless Distributed Wireless
MA MA MA
ONE POLICY
Identity Services Engine
ONE MANAGEMENT
Cisco Prime Infrastructure
TRADITIONAL ACCESS INSTANT ACCESS CONVERGED ACCESS
CAPWAP TUNNEL
Reinventing the Backbone Experience with Instant Access
Source: A commissioned study conducted by Forrester Consulting for Cisco Systems, 2012
MONITORING,
TROUBLESHOOTING SECURITY
CONFIGURATIONS
INITIAL INSTALL,
CONFIGS, TESTING
UPGRADING
EQUIPMENT
1000 Port Campus Distribution Block
Benefits
Satellite device capable of Stacking, POE+
Single Point of Management, Configuration
and Troubleshooting
Simplified Network design for
VLANs and port channels
Agile Infrastructure to add new features
uniformly across Access Layer
A Single Image to deploy and manage
across Distribution Block
REDUCED TCO
Cisco Prime
Managed Devices = 20+ Managed Devices = 1
ISE
INSTANT ACCESS
SDP
SRP
SCP
Instant Access
Client
Instant Access
Client
VSL
LACP or
PAGP
LACP or
PAGP
Access Switch Access Switch
VSL
Access Switch Access Switch
LACP or
PAGP
Differences From Nexus FEX
Fabric Link
Spanning-tree bpduguard
Disable
7 Nodes of 144 ports each = 1008
Fabric Links Used = 7
Instant Access
FEX 101 FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 107
12 Fabric Links
Access Ports = 12 x 48 = 576
FEX 102 FEX 103 FEX 104 FEX 105 FEX 106 FEX 107 FEX 108 FEX 109 FEX 110 FEX 111 FEX 101 FEX 112
15.1(2)SY (FCS) Feature 15.2(1)SY1 (Shipping)
Port Scale
Fabric Link
Stacking
Supervisor 2T
15.1(2)SY 15.2(1)SY (Shipping) Feature
Port Scale
Fabric Link
Stacking
6880-X
1,000
12
3
2,000
42
5
1,000
12
3
1,500
32
5
Supervisor 2T WS-X6904-40G 6880-X
6500-E 6807-XL
• 10G SFP+ Uplink Ports • POE & POE+ Support • Integrated Stacking Module
Catalyst 6800IA
Catalyst
6500/6800 VS
Catalyst 6800ia Catalyst 6800ia Catalyst 6800ia Catalyst 6800ia
Config on Parent:
interface Port-channel101
 switchport mode fex-fabric
 fex associate 101
interface Port-channel102
 switchport mode fex-fabric
 fex associate 102
interface GigabitEthernet101/1/0/1
 switchport mode access
 switchport access vlan 101
interface GigabitEthernet102/1/0/1
 ip address 102.1.1.1 255.255.255.0
 ipv6 address 2013:102:1:1:1::1/96
FEX 101 FEX 102 FEX 103 FEX 104
Simplified Configurations
Integrated Fan Dual Mode (Standalone & IA) 10/1G Uplinks Options
Catalyst Instant Compact Switch C3560CX
2x 10G SFP+ Uplinks
2x 1G Copper Uplinks
8x 1G Copper OR
12x 1G Copper
PoE+ Option Available
Standalone Mode Instant Access Mode
6800 as IA Parent C3K/C4K as IA Parent*
Cisco Multigigabit Ethernet Switches Get Your Network Ready for 802.11ac Wave2 and Beyond
Wireless Standards – Past, Present, and Future
[Chart: client bandwidth (11 Mbps to 10 Gbps) by wireless standard, early 2000 to 2016; labels: Nice to Have, Mission Critical, Pervasive, Media Rich Applications]
• 802.11a, 802.11b: 11 Mbps
• 802.11g: 54 Mbps
• 802.11n: 450 Mbps
• 802.11ac Wave1: 1 Gbps
• 802.11ac Wave2: 3.5 Gbps, 6.9 Gbps
• Future
The Problem - Gigabit Bottleneck
Existing Gigabit
infrastructure is insufficient to
handle .11ac growth beyond
1Gbps
Gigabit Ethernet has been
around since 1999 and has
now become the bottleneck
Market needs an innovative
technology to support >1Gbps
over existing cables
Limited to 1G!
Cat 5e Cables
WiFi @ 1G >1G
The Solution – Cisco Multigigabit Technology Powered by NBASE-T
Delivers up to 5X Speeds in Enterprise without replacing Cabling Infrastructure
2.5-5G!
Cat 5e Cables
WiFi > 1G
Multigigabit
Switch Multigigabit
Capable AP
Is a game-changing technology
allowing enterprise networks to
evolve beyond 1G
Enables 2.5 and 5 Gbps up to
100m on legacy cables
Supports all PoE standards
up to 60W
Cisco Multigigabit with
Why Not Use 10GBASE-T?
UTP Cable IEEE 10G Spec
CAT 5/5e N/A
CAT 6 55 meters
CAT 6A 100 meters
CAT 7 100 meters
>75% of WW installed base is Cat 5e/6 up to 100 meters
10GBASE-T cannot work over vast majority of installed base
Source: BSRIA data presented at IEEE 802.3 NGEABT SG Jan 2015
Cat 5e – 38%
Cat 6 – 53%
Cat 6A – 8%
Cat 7 – 1%
Enterprise Horizontal BASE-T Cabling
What About Pulling Second Cable?
Case Study
College Campus
1,000 Access Points Total Cable Upgrade
COST: $300k!!! Infrastructure upgrade involves
• New cable runs, including labor: average $300 per cable
• Link Aggregation issues
Cisco Multigigabit Ethernet Key Differentiators
Maintain Switch to AP Reach at Higher Speeds Adaptive Rate Technology (FE, 1G, 2.5G, 5G, and 10G) Future proofed for higher speeds
Infrastructure Investment Protection Supports 100m distance with Cat5e cabling up to 5G speeds for Brownfield
Supports Cat6a cabling for Greenfield deployments for higher speeds
POE/POE+/UPOE Cisco Innovation over 10GT Standard to support high end point power needs
Standards Compliant 1G and 10G BaseT IEEE standards, intermediate speeds WIP
The New Catalyst 3850 Multigigabit Switches
Stackable with all other 3850 Switches (up-to 8 stack members)
Price-compelling 48-port Mgig High Performance 24-port 10Gb-T
# of mGig Ports
Port Capabilities
New uplink Modules
12 mGig ports 24 mGig ports
UPOE, EEE, MACsec UPOE, EEE, MACsec
New 2x40G and 8x10G (existing NM’s are supported)
New 2x40G and 8x10G (existing NM’s are supported)
The New Catalyst 3850 Uplink Modules
All 3850 Uplinks Are Supported on mGig switches
2x40Gig, QSFP 8x10Gig, SFP/SFP+
Compatibility
80G Non Blocking 80G Non Blocking
Only work on mGig and 10G Fiber (24-port) Switches
Performance
Only work on mGig and 10G Fiber (24-port) Switches
C4500E Multigigabit Line card
Innovation with Investment Protection Supported with Supervisor Engine 7 and 8 on all 4500-E chassis
Mode
1 mGig Lite Mode 48p 1GE UPOE (First 12p usable as mGig)
Mode
2
Mode
3
mGig Enhanced Mode 12p mGig UPOE + 24p 1GE UPOE
mGig Performance Mode 12p mGig UPOE
Catalyst 4500 Multi-Gig FCS
June 2015
The New Multigigabit Compact Switch WS-C3560CX-8XPD-S
MULTIPLE USE CASES
6 x 1G/PoE+ 2 x mGig PoE+ 2 x 10G SFP+
Maintain Switch to AP Reach at Higher Speeds
Adaptive Rate Technology (FE, 1G, 2.5G, 5G, and 10G)
Future Proofed for Higher Speeds
Infrastructure Investment Protection
Supports 100m Distance with Cat5e Cabling up to 5G Speeds
for Brownfield
Supports Cat6a/6e Cabling for Greenfield Deployments for
Higher Speeds
POE+
Cisco Innovation Over 10GT Standard to Support High End
Point Power Needs
Standards Compliant
1G and 10G BaseT IEEE Standards
Expected
FCS
June 2015
mGig for 11ac AP Deployments
mGig as Uplinks Connected to
Access Switches (Cat 3K/4K)
Right Size Your Network Without Compromise
Pressures on the WAN
The Application Landscape Is Changing
Applications are Moving to the DC and Cloud
Internet Edge Is Moving to the Branch
Cloud
SaaS, Google Docs, Office365 Guest WiFi, BYOD, App Updates
Cloud Mobility Apps
Video, VDI, Backup
Branch Data Centers
Time to Rethink your Branch-WAN Strategy
User Suffering Budget Bandwidth Demands
MPLS
Branch
3G/4G-LTE
AVC
Internet
Private Cloud
Virtual Private Cloud
Public Cloud WAAS PfR
Application Optimization
• Application visibility with
performance monitoring
• Application acceleration
and bandwidth
optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat
defense
• Cloud Managed Security for
secure direct Internet access
Intelligent Path Control
• Dynamic Application best
path based on policy
• Load balancing for full
utilization of bandwidth
• Improved availability
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Control & Management Automation
Inefficient Traffic Management over a Premium Connection
WAN/MPLS
BEFORE
Internet
Data Centers Branch
Backhaul Challenge: Growing WAN traffic from cloud
services and internet connectivity
Optimize Your WAN Investment with IWAN
WAN/MPLS
AFTER
Internet
Direct Internet Access
(DIA) from Branch;
Lower latency, lower
cost
Data Centers Branch
Internet VPN Used to
Connect Branch to HQ
DIA Benefit: Efficient access to SaaS
and offload guest traffic
Dual MPLS Hybrid Dual Internet
Highest Service Level (SLA)
x Inflexible for new services
x Expensive
Consistent VPN Overlay enables Security across Transition
Enable SaaS and/or high BW apps
Balanced Service Level (SLA)
Up to 99.999% Reliability
Best price/performance
IT Managed Service Levels
Up to 99.999% Reliability
Public Public Enterprise
Internet MPLS Internet Internet
Internet
MPLS MPLS
Redundancy and Path Availability Matter
* Typical MPLS and Business Grade Broadband Availability SLAs and Downtime per Year.
Single Router
Single Path
Single Router
Dual Paths
Dual Routers
Dual Paths
Downtime per Year
4 Hours
23 Minutes
Downtime per Year
24 Minutes Downtime per Year
5 Minutes
Downtime per Year
8 Hours
46 Minutes
99.998%
0:24 / yr
MPLS or Internet
MPLS or Internet
ISR-AX
99.999%
0:05 / yr
MPLS or Internet
MPLS or Internet
ISR-AX ISR -AX
Internet
99.90%
8:46 / yr *
ISR -AX
MPLS
99.95%
4:23 / yr *
Tooling for Intelligent Path Control
DSL Cable
Branch MC+BR
BR BR
Data Center
MC
“Performance Routing (PfR) provides
additional intelligence to classic routing
technologies to track the performance of, or
verify the quality of, a path between two
devices over a Wide Area Networking
(WAN) infrastructure to determine the best
egress or ingress path for application
traffic....”
• Cisco IOS technology
• Two components: Master controller and border router
ASR1000-AX
L2-L3 Transport
L4-L7 Application
Services
IWAN Capabilities Embedded in the Router
Control
Optimization
Visibility
Transport Independent
Secure Routing
ISR-AX
Simplify Application
Delivery
One Network UNIFIED SERVICES
Cisco AX Routers 3900 | 2900 | 1900 | 800 | ISR4000-AX | ASR1000-AX
INTEGRATED IWAN SERVICES
APPLICATION CENTRIC
APPLIANCE LEVEL PERFORMANCE
IOS Firewall, VPN, IPSec, PfRV3, NBAR2, AVC, AppNav, VRF, MPLS
Scalable on-chip service provisioning
App/User policy-driven deployment
APIC_EM Automation: deploy in minutes
Pay-as-you-grow
Up-to-75% cost savings
Service-Aware Dataplane
Resilient Service Virtualization
Multi-gigabit Fabric
ISR4000 Series - IWAN AX Ready, Next Generation Branch
ISR4431
ISR 4351
ISR 4331
ISR4321
ISR4451
500Mbps/1Gbps
200/400Mbps
100/300Mbps
50/100Mbps
1-2Gbps
Important links
http://www.cisco.pt/maisvaliasen/
IWAN: http://www.cisco.com/go/iwan
Instant Access
http://www.cisco.com/c/en/us/solutions/enterprise-
networks/catalyst-instant-access-solution/index.html
Multigigabit Ethernet
http://www.cisco.com/c/en/us/solutions/enterprise-
networks/catalyst-multigigabit-switching/index.html
Thank you.