Enterprise Architecture, Deployment and Positioning

Enterprise Architecture, Deployment and Positioning

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Objectives

At the end of the session, the participants will be able to:

Understand the characteristics of the various enterprise deployment models Unified Access Traditional Access

Converged Access

Instant Access

Understand which products are the lead platform for each deployment model– Understand individual product positioning

Customer requirements drive deployment mode decisions, (and hence product choice)– Understanding the customer current state and goals that drive deployment model preference

– Understand considerations relative to each deployment model


Agenda

4

Session Objectives

Key Services Overview

Design Options

• Traditional Access

– Multilayer

– Routed

– VSS

• Converged Access

• Instant Access

Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

Services

Block

Deployment

Models

SiSi SiSi SiSi


Catalyst 6500 / 6800Campus Optimized

Switching Requirements Campus/DC

Nexus 7000 / 7700DC Optimized

Campus Segmentation & Security

802.1X, ASA-SM, Easy Virtual

Networks

Video Intelligence

Medianet, Distributing Policing

Wired / Wireless Convergence

WiSM2, LISP

Campus Smart Operation

Smart Install, Instant Access

DC Virtualization

OTV, LISP, DFA, VXLAN*

LAN / SAN Convergence

Multi-hop FCoE

Fabric Scale & Resilience

FabricPath, vPC, Wire Speed

10/40/100G

Data Center Operation

VDC, FEX, DCNM, OnePK

Mobility/

BYOD

Security

VideoWorkload

MobilityVM

10G/

Virtualization

Energy

Efficiency


Unified Access

Campus Deployment Models

Centralized Wireless

SiSi SiSi

Traditional Access

Dis

trib

ute

d W

ire

d

Instant AccessC

entr

aliz

ed W

ire

d

IA

VSS

Cisco Prime Infrastructure

One Management Cisco ISE One Policy

Distributed Wireless

Converged Access

SiSi SiSi

Dis

trib

ute

d W

ired

Ce

ntr

aliz

ed W

ire

d

VS

S

VSS

MAMAMA

MAMAMA

MAMAMA

MAMAMA

MAMAMA

MAMAMA


WirelessAPs

Cisco Catalyst

6800/VSS

Cisco Catalyst 4500E, Cisco Catalyst 3850

WISM2/WLC

WLC

Identity Services Engine

Cisco Prime Infrastructure

Unified Access What does it really mean?

OS Consistency: IOS XE 3.x

Cisco Validated Design 2.5 for Campus Deployment

Secure Group Access to Simplify the Network and Enable Virtualized

Data Center Services

Reduce Operating Expenses and Improve Network Application and

Service Delivery

Maximized Network Availability with Virtual Switching and Stateful Switch

Over

Application-Aware Networking to Enable Collaboration, Video, and Other

Apps

KEY SERVICES FOR UNIFIED ACCESS DEPLOYMENT

LEAD Platforms


Agenda

8

Session Objectives


Design Options

• Traditional Access

– Multilayer

– Routed

– VSS


• Instant Access

Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

Services

Block

Deployment

Models

SiSi SiSi SiSi


Cisco TrustSecSecure Group Access Simplifies Security Enforcement

IT

3.1.1.1

Finance

2.1.1.1

Doctor

1.1.1.1

Access Control with

Secure Group Access

• Role-based

• Topology-independent

• Scalable

• Easy to administer

• One Policy

Email ServerFinancial Servers

Patient Records

Doctors IMAP No Access File Share

IT Allow All SQL SQL

Finance IMAP Web No Access


Cisco TrustSecSecurity Group Tags (SGTs) in the Access

1

2

1

2 11

Device-

Aware

Identity-

Aware

Location-

Aware

Corp PC Doctor Office

Personal Laptop Doctor Office

Personal Laptop Patient Hotspot

Smartphone Admin Office

IP Phone N/A Office

TelePresence N/A Conf. Room

Secure

Group

Doctor

Patient

Admin

Doctor

Video

Voice

Security Group Access

• Simplifies ACL management

• Uniformly enforces policy independent of topology or protocol

• Fine-grained access control

CDP

LLDP

DHCP

MAC

SGACL Enforces Policy at Access, Campus

Edge, or Data Center

SG Tag Imposed to Incoming Traffic

Patient

RecordInternet Facility

Doctor Permit Permit Permit

Patient Deny Permit Deny

Voice Deny ACL_v Deny

ISE Maintains a Centralized View of Device Inventory and Policy Assignment


Cisco

TrustSec Domain

SGT SGT SGT SGT SGT

cts role-based permissions from 1110 to 3200 permit tcp dst eq 443permit tcp dst eq 80permit tcp dst eq 22permit tcp dst eq 3389permit tcp dst eq 135permit tcp dst eq 136permit tcp dst eq 138permit tcp des eq 139deny ip

SGACL Enforcement

Manual or Dynamic VLAN Mapping

VLAN 110 VLAN 120 VLAN 130

cts role-based sgt-map VLAN-list 110 sgt 1110cts role-based sgt-map VLAN-list 120 sgt 1120cts role-based sgt-map VLAN-list 130 sgt 1130

cts role-based sgt-map 192.168.10.0/24 sgt 10cts role-based sgt-map 192.168.20.0/24 sgt 20cts role-based sgt-map 192.168.30.0/24 sgt 30

Map VLANs or IP Subnets to SGT Values

Can Forward Existing SGT Traffic or Map

SGTs Manually

Cisco TrustSecSGTs in the Backbone

Identity

Service

Engine


Application Visibility and ControlIs BYOD a threat to your business applications?

IT

Challenges

High Availability L2/L3

Multicast: HA, Call Admission Control (CAC), Multipath, Video Stream

• Is my network ready for video?

• How do I ensure high quality of user experience?

• How can I troubleshoot and monitor effectively?

Assessment

• Enhanced Object Tracking

• IP SLA

• Built-in Traffic Simulator

• Cisco CleanAir

App Visibility / Control

• Media Services Proxy (MSP)

• Metadata

• Flexible NetFlow

• Device sensor

• Secure group tagging

• Quality of Service (QoS)

• AVC in Wireless Controller

• Mediastream

Monitoring/Troubleshooting

• Performance Monitor

• Mediatrace

• Flexible NetFlow

• Wireshark / Mini-Protocol Analyzer

• Device sensor


Simplified For ResiliencyVirtualized For SimplicityScale With Performance

• Seamless Access Network Expansion

• High-speed 64Gbps Bi-Directional Switching Stack-Ring

• Single Logical Unit To Manage Nine Switches and 450 Ports

• Centralized Control and Management Architecture

• Reduces VLANs/Subnets

• 9X Operational Simplicity

• Distributed and Resilient Forwarding Architecture

• Single Network Per Layer

• Deterministic Network Operation With Non-Stop Forwarding

VSLSi Si

Catalyst Infrastructure Resiliency - AccessCisco StackWise+


VSS Campus Design

• Simplified System Operation

• Single Neighbor and Network Per Layer

• Simplified and Highly Redundant Network Topologies

VSS Campus Design

• Optimized Network Design

• Double Switching Capacity

• Deterministic Application and Network Performance

Traditional Campus Design

• Complex Network Design and Operation

• Underutilize Network Resource

• Sub-Optimal Application and Network Performance

Optimized

NetworkSimplified

Operation

Catalyst Infrastructure Resiliency - BackboneCisco Virtual Switching System (VSS)


Distribution / Core

• eFSU Provides Real-Time Dual-Chassis Software Upgrade. Reduces MTBF

• Protects Network Services and Availability At Access Layer with Redundant Paths

• Network impact ~1sec for entire upgrade process

VSL

Access

• Dual-Supervisor Requires Software Consistency

• ISSU Provides Real-Time Single-Chassis Software Upgrade. Reduces MTBF

• Protects Network Services, Capacity and Availability for Wired and WLAN End-Points

eFSU

Mismatch IOS

Version During

Software Upgrade

ISSU

4500E 6500E

Catalyst Infrastructure Resiliency - ModularCisco ISSU Delivers 99.999% Uptime


Cisco Smart OperationsSimplify Your Infrastructure

Director

Access Switches

New Switch Is Connected

• Software image downloaded;

configuration automaticallyapplied

• Zero Touch Deployments,

Upgrades and Replacements

Smart InstallZero-Touch Deployments

New End Device Attached

• Port configuration: Applied

• QoS policy: Enforced

• Security policy: Enforced

• Simplifies management tasks

• User customizable

Auto SmartportsPlug and Play for End Devices

Customize IOS Behavior

• Change IOS behavior

• Automatically fix network

issues

• Automate responses to

commonly occurring events

Embedded Event ManagerAutomate Response to Events


Agenda

17

Session Objectives


Design Options

• Traditional Access• Multilayer

• Routed

• VSS


• Instant Access

Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

Services

Block

Deployment

Models

SiSi SiSi SiSi


Traditional Access – Multilayer Design

MULTILAYER CAMPUS DESIGN

Wireless LAN Controller

Cisco Prime/LMS

CAPWAP

Tunnel

Considerations

Highly Available Network Design

L2/L3 Protocol Tuning Required

Protocol Alignment Required

Deployment Flexibility

Well Understood Deployment

Access

Distribution

Backbone

Core

CPE

ISE


Characteristics of Multilayer Deployment Model

Benefits

Well understood and well documented design with many years worth of deployment history

Uses industry standard protocols such as Rapid Spanning Tree Protocol

Cisco differentiating enhancements enable sub-second or near sub-second network convergence

Allows for multi-vendor environment

Flexible equipment costs from low to high end

Challenges

Requires significant configuration tuning to achieve sub second network convergence

Requires significant complexity when adding VLAN or VRF segmentation

All switches managed individually

Complex – Alignment of Spanning Tree, Routing, and Default Gateway Redundancy required

Spanning Tree Liability


Traditional Access – Virtual Switching System

VSS CAMPUS DESIGN

Cisco Prime/LMS

Considerations

Less Protocol Tuning Required

Efficient Resource Utilization

Higher Resiliency

with Quad Sup VSS

Access

Distribution

Backbone

Core

CPE

Fewer Routing Peers

CAPWAP

Tunnel

Some Customer prefer separate

control plane

ISE



Characteristics of VSS Deployment ModelBenefits

Simplified network design with a single logical distribution layer device

No First Hop Redundancy Protocol needed

Ether channel based traffic load sharing across multiple uplinks

Allows for extending VLANs across multiple access layer switches without creating STP blocking links and liability

Supports sub-second convergence

Allows for multivendor access switches

Distribution Switches managed as One Entity

Challenges

Cisco proprietary solution, requires Cisco switches in the distribution layer

Access switches managed individually

Single control plane is concern for some customers

No Cisco differentiating enhancements required to achieve sub-second convergence

No Access Layer stickiness i.e. any access switch will work with VSS


Traditional Access – Routed Access Design

MULTILAYER CAMPUS DESIGN

Cisco Prime/LMS

CAPWAP

Tunnel

Access

Distribution

Backbone

Core

CPE

Considerations

Single Control Plane

Simplified Network Recovery

Additional IP Address Usage

Common Set of Troubleshooting

Tools

VLAN’s Constrained to WC

ISE



Characteristics of Routed Access Deployment Model

Benefits

Single control plane = less complexity

Less protocol tuning required for sub-second convergence (protocol dependent)

Common set of troubleshooting tools

ECMP default behavior for efficient utilization of available links and fast convergence

Avoids flooding downstream

No FHRP required

No trunking required

Permits VLAN ID reuse

Simplified multicast topology

Challenges

Requires additional IP address management and utilization

VLAN’s limited to wiring closet – can not span VLAN’s across closets

May require ECMP/CEF hash-tuning for most efficient path utilization (older hardware)

RSPAN not possible (ER-SPAN required)


Lead Platforms for Traditional Access

FIXED MODULAR

BACKBONE

ACCESS

Catalyst 6500-E

Catalyst 6807-XL

Updated as per Oct’2013

Catalyst 4500-E Sup8E

6880-X

3850

3650


Agenda

25

Session Objectives


Design Options


• Routed

• VSS


• Instant Access

Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

Services

Block

Deployment

Models

SiSi SiSi SiSi


Converged Access

Multilayer, VSS, or Routed Access

WiSM2,5508,8510*,3850,

3650*, 5760

Cisco Prime

ISE

MA

MC/MO

Considerations

Single QoS Model for

Wired/Wireless

Complete visibility in to wireless

traffic

Consistent Services for

wired/wireless

No external controller for

up to 250 AP’s

Future proof for 802.11ac

Access

Distribution

Backbone

Core

CAPWAP

TunnelMultilayer or Routed Access

Supported


Characteristics of Converged Access

Benefits

Can be deployed with existing traditional wireless architecture for ease of migration

3850/3650/4500E* can terminate CAPWAP as the Mobility Agent with existing 5508, WISM2, 3850, 3650*, 5760, 8510* acting as the Mobility Controller.

Single QOS model for Wired and Wireless on 3850/3650/4500E*

Provides Flexible Netflow across all ports for wired and wireless

Supports Multicast better based on how CAPWAP is terminated

Challenges

Multiple management and troubleshooting points for Wireless

Prime and WEBGUI lacking in functionality

Wired Migration blockers between between 3850 and 3750x

Wireless Migration blockers between AireOS & IOS

*Roadmap


3.2.2

(Yesterday)

3.3

(Today / October CY13)

3.6

(Q2 CY14)

Infra9 member stacking, HSRP, Critical Voice VLAN,

Sevices Discovery Gateway

VRRPv3, IPv6 Routing/PBR/VRF

SecurityDevice Sensor SGT/SGACL on wired wireless (Macsec and FHS in future release)

AVC

Wireshark Medianet (MSI/MSP)

Management

3650 management with PI 2.0.1 PI 2.1

Certification

IPv6, USGv6 FIPS, Common Criteria, UCAPL

Wired Access DeploymentFeature enhancements within FY14


3.2.2

(Yesterday)

3.3 MR

(Q4 CY13)

3.6

(Q2 CY14)

AP Support

AP3600, AP2600, AP1600,

AP1140, AP1260, AP3500

AP3700 & 802.11ac module on AP3600 AP700I, AP700W and 1532

Wireless

Features

BYOD Onboarding 802.11r/k/w, App Visibility, Bonjour

AP SSO stack cable, CMX with PI 2.0

Policy Classification Engine(PCE)

QOS on AVC, Bonjour Ph 2

MC support on 5508, WiSM2, 8500 with 8.0

WEBGUI

Introduced WEBGUI to setup

WLAN deployment

Improved http performance

Supports App Visibility, QOS, Bonjour, HA

Better defaults, improved usability flows

Improved https performance

MC Management of MA

New features e.g. PCE, Federal certs

PI

PI 2.0 Manages IOSE-XE 3.2.x

and AireOS 7.4 MR

PI 2.0.1 Manages IOSE-XE 3.3, and AireOS

7.6 with 7.4 MR features, 5508/WiSM2 as MC

Device support for Switch 3650, 802.11ac and

9 member stack

PI 2.1 Manages IOS-XE 3.6 and AireOS 8.0

Key feature support such as AVC, Bonjour,

SSO

Converged Access Deployment Model Feature enhancements within FY14


Cisco Unified Access Wireless Deployment Modes

• Position as future-proof switch

• Position for SDN relevance

• IOS 3.3 / PI 2.01 = Up to 50 AP’s

• IOS 3.6 / PI 2.1 = Up to 250 AP’s

IOS CONVERGED ACCESS

Today:

• Sell AireOS with 802.11ac

• Sell the 3850/3650/4K(SUP8-E) as future-proof switches

Converged Access deployment and Prime Infrastructure matures in FY14:

• Branch and Small Campus ready in (Today) December with 802.11ac

• Mixed AireOS & IOS deployments and Large campus ready in May 2014

Intranet

• Position wireless-only deals

• Position for Campus

• Richest feature set

• Position for 802.11ac, 802.11n

AIREOS

CENTRALIZED

Intranet

• Position for Greenfield campus

• Upgrade from AireOS 7.0

• Two controllers per site

• IOS 3.3 / PI 2.0.1

IOS

CENTRALIZED

WAN

• Position in wireless-only deals

• Position for multiple branches

• Up to 100 AP’s per site

• Position for 802.11ac, 802.11n

AIREOS FLEXCONNECT


Branch Deployments with Converged Access ARIAN

DMZ

ISEPrime

3850/3650

31Employee Guest

BRANCH

WAN

INTEGRATED

CONTROLLER

Single platform for wired and wireless

Wired and wireless traffic visibility at every hop

Consistent security and QoS control

Maximum resiliency with fast stateful recovery

Scale with distributed wired and wireless data

plane (480G Stack/40G wireless per switch)

50 – 250

AP’s

Multilayer or

Routed

Access

DEPOYABLE

TODAY


Wireless deployments using 5760 and 3850

5760 based successful deployments and trials

3850 based successful deployments and trials

• ~350 customers booked ~1000 units of WLC-5760

• Majority Education & Healthcare (Campus)

• ~400 customers booked ~40K licenses on 3850 & 5760

• Majority Professional Services (Small Sites)


Lead Platforms for Converged Access

FIXED MODULAR

BACKBONE

ACCESSCatalyst 4500-E Sup8E

Catalyst 6500-E

Catalyst 6807-XL

6880-X

3650

3850


Agenda

34

Session Objectives


Design Options


• Routed

• VSS


• Instant Access

Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

Services

Block

Deployment

Models

SiSi SiSi SiSi


1000 Port Campus Distribution Block

Considerations

Satellite device capable of Stacking, POE+

Single Point of Management, Configuration

and Troubleshooting

Simplified Network design for

VLANs and port channels

Agile Infrastructure to add new features

uniformly across Access Layer

A Single Image to deploy and manage

across Distribution Block

REDUCED TCO

Cisco Prime

Managed Devices = 20+Managed Devices = 1

ISE

Instant Access


Characteristics of Instant Access

Benefits

Provides Single point of Management, Configuration and Troubleshooting for Distribution block

Simplified distribution block design, eliminates configuration on the uplinks

Simplified image management and qualification

6K – IOS Feature Robustness available @ Access

Can be used with Traditional or CA

Provides solution for customers who need MPLS in access layer

Challenges

Currently limited to distribution block design of 1000 ports

Large amounts of east-west traffic would increase uplink bandwidth utilization (Over subscribed to start)

Only supported with VSS configuration ( supported with single switch in VSS mode )

Access Feature differences/lag between 6k and traditional access platforms 2k/3k/4k

Converged Access not available in combination with Instant Access


Lead Platforms for Instant Access

FIXED MODULAR

BACKBONE

ACCESSCatalyst 6800ia

Not Applicable

Catalyst 6500-E

Catalyst 6807-XL6880-X


Agenda

38

Session Objectives


Design Options


• Routed

• VSS


• Instant Access

Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

Services

Block

Deployment

Models

SiSi SiSi SiSi


Converged Access Mode – Guiding PrincipalsFuture Proof with Latest Hardware – Sell The Vision of CA

Lead with Converged Access Products

Customers who are considering Wired+ Wireless Refresh opportunities thatWant to future proof their enterprise with the best possible Access Switch with 3850,

3650 & 4K with Sup8E (Advanced QoS, Visibility, UPOE)

Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)

Are interested in WLAN deployments in a small campus or branch (Large/Complex Deployments after CQ2-CY14)

Want to provide full traffic visibility, advanced QoS, maximum resiliency and scale with single platform for wired & wireless

Evaluate AireOS or other Deployment scenarios Large Campus Deployments today (Planned Q2-CY14)

Latest AireOS based controller features are required today (Planned Q4-CY13 and Q2-CY14)

802.11ac support is required today (Planned CQ4-2013)

Flexconnect, Indoor or Outdoor Mesh, and Office Extend AP modes is a requirement (on radar)

Fully managed AirOS + Converged Access deployments are required ( planned Q2-CY14)


Instant Access – Guiding Principals6800/6500 feature consistency & operational simplicity in access

Customers who

Wants to extend 6500/6800 features and operational consistency in Access

Continue with Catalyst 6500/6800 features like MPLS, advanced segmentation EVN in access

Who have distribution blocks limited to 1000 user ports or less and have overlay wireless

Want to manage the campus with fewer touch points and/or limited technical staff

Want a simplified image management and qualification criteria in a distribution block

Evaluate the other deployment scenarios

Already sold converged access vision

Already sold the value of new 3850/3650/sup8E in access

To address growing mobility and application services needs

Environments with more than 1000 access ports in a distribution/access domain

Local switching is a must


Guiding Principals: Traditional Access (Multilayer, RA, &

VSS)

Sell the BEST Switches on the Planet (You Don’t Have to Change Your Design)

Lead with Latest Switching Solutions (4500/Sup8E, 3850, 3650)

Customers who Have a preference for the most common wired deployment model

Wants flexibility of centralized or distributed wireless model

Want the best possible Access Switch with 3850, 3650 & Sup8E (Advanced QoS, Visibility, UPOE)

Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)

Have multi-vendor wired and wireless environment

Evaluate the other Deployment scenarios Customer is sold on the vision of converged access and can wait for 6-12 months for

large deployment

6500/6800 feature and operational simplicity with reduced touch points in access


The Three Things you MUST know about the Customer

Access PlatformsDeployment ModeCustomer Priorities

Technology

Enterprise Architecture, Deployment and Positioning