© 2012 Cisco and/or its affiliates. All rights reserved. 1
Next Generation Campus Backbone: Enabling BYOD and Collaboration
Scott Hodgdon, Technical Marketing Engineer
Application Performance • Security • Operational Simplicity • Multimedia • Mobility • IPv6 • Cloud Connect
• 15 billion new networked mobile devices by 2015
• 3/4 of employees use MULTIPLE DEVICES for work
• 56% of information workers spend time working OUTSIDE THE OFFICE
Engineering Investments and Roadmap Follows Positioning
• Backbone: Lead with Catalyst 6500 Sup2T
• Distribution: Lead with Catalyst 6500 Sup2T
• Access: Lead with Catalyst 4K / 3K
• Backbone: Lead with Nexus 7000
• Aggregation: Lead with Nexus 7000
• Access: Lead with Nexus 5000/2000
Focus areas: Mobility/BYOD, Security, Video, Workload Mobility, VM, 10G/Virtualization, Energy Efficiency
• User Access Control / Segmentation: 802.1X, Easy Virtual Networks (EVN)
• Video Intelligence: Medianet
• Wired / Wireless Convergence: Wireless Controller Integration
• Application Visibility: Flexible NetFlow, NAM-3 (NBAR2)
• Power over Ethernet: UPOE, EnergyWise
• Cloud Security and VM Awareness: Nexus 1000v, VSG, ASA 1000v
• VM Mobility: LISP, VXLAN, OTV
• LAN / SAN Convergence: Unified Ports, FCoE
• Fabric Scale & Resilience: FabricPath, vPC, wire-speed 10/40/100G
• Data Center Consolidation: VDC, FEX, DCNM
Customer Requirements/Needs Ultimately Drive the Sale
Market share chart: Cat 6500E at 25% of industry total modular versus the rest of market (*assuming Dell’Oro as a baseline for industry total modular).
Investment surrounding Sup2T development: $200+ Million (compare with Tesla Motors’ $150M investment for its first fully electric sports car).
$200+ Million investment planned over the next 3 years alone: rich network services, Ethernet evolution, lower TCO, investment protection.
750,000+ chassis shipped; 1.2 million supervisors shipped; 110 million ports shipped; 45,000+ Catalyst 6500 customers.
Figure (module positioning): Sup2T with the WiSM2, NAM-3 and ASA-SM service modules; fiber, high-performance access and copper access line cards (6824, 6848, 6148-45AT, 6904 FourX LR4/SR4, 6816, 6908, 6904) at 40G/slot and 80G/slot.
Items in PURPLE are BYOD, Collaboration and Video enablers.
Sup720 → Sup2T comparison:
L2 MAC Table: 96K → 128K
Bridge Domains: 4K → 16K
TrustSec / SGT: – → Yes
VNET Trunk (EVN): – → Yes
40G Interfaces: – → Yes
System Bandwidth: 720 Gbps → 2 Tbps
L3 Interfaces: 4K → 128K
NetFlow Table: 128K/256K → 512K/1M
Flexible NetFlow: – → Yes
Hitless ACL Updates: 32K → Yes
Medianet 2.2: – → Yes
VPLS / A-VPLS: Requires WAN Module → Yes (no WAN module)
VSS Quad Sup SSO: – → Yes
4X Scalability, 3X Performance; managed with Cisco Prime
• New PFC4 featuring improved levels of performance and scalability along with new enhanced hardware features
• USB-based console support
• Connectivity Management Processor (CMP)
• New MSFC5 supporting dual-core CPU and a single IOS image
• Improved switch fabric providing 80G/slot
Sup2T hardware support (Supported / Special TMP Program for Upgrade):
• DFC4 daughter cards: WS-F6K-DFC4-E, WS-F6K-DFC4-A
• Line cards: 6704, 6724, 6748 with CFC; 6708-10G Fiber; 6716-10G/10T with DFC3; 6704, 6724, 6748 with DFC3
• 61xx Series: 6148E, 6148A, 6148-SFP, 6196
• Service Modules: NAM-1/2/3, ACE20/30, WiSM-1/2, FWSM, ASA-SM
• WAN Modules: Not Supported (use Sup720-10G or ASR for WAN)
• VPN SPA: Not Supported (use ASA-SM for IPsec VPN)
Consult the Catalyst 6500 IOS Release Notes for the latest hardware support.
Next-Generation NAM Blade: NAM-3
• Monitoring performance up to 15 Gbps
• Capture to external disk up to 5 Gbps
• Deep packet inspection: NBAR-2 support
• HW filters / packet captures: rapid troubleshooting
Next-Generation Firewall Blade: ASA-SM
• 64 Gbps system performance; 16 Gbps performance per service module
• 10,000,000 concurrent sessions; 300,000 connections per second
• 250 security contexts; 1,000 VLANs
Next-Generation WiSM Blade: WiSM-2
• Performance: 20 Gbps
• Access points: 500–1,000; clients: 15,000
• Concurrent AP upgrade/joins: up to 500
• Mobility domain size: up to 18,000 APs
• OS / feature parity with appliances
On Average, How Do Your Network Administrators and Other Network IT Professionals Spend Their Time on Your Access (Edge) Switches?
Bar chart (0% to 30% scale) with categories: Monitoring and Troubleshooting; Security-Related Configuration; Initial Install, Config., and Testing; Upgrade of Older Equipment; Traffic Optimization; Other.
Source: The Total Economic Impact™ of Cisco Catalyst Access Switching, A Commissioned Study Conducted by Forrester Consulting on Behalf of Cisco Systems, January 2012.
Simple New Install Example (figure): a Director switch and a Client switch with TFTP and DHCP servers; protocols shown: CDP, DHCP, TFTP.
Plug and Play for End Devices
• Automate end device installs: access points, IP cameras, printers
• Uncommon devices: Cisco best practices with built-in macros
• Built-in macros (with best practices): IP phones, access points (LW and autonomous), switches, routers, digital media players, IP cameras
• Customizable for all edge devices: laptop, desktop, badge reader, …
• End device classified on: CDP, LLDP, MAC OUI
Plug and Play for End Devices (with ISE)
• ISE classifies end device using: CDP, LLDP, MAC OUI, DHCP options
• ISE dynamically configures edge port: TLV to access switch with macro name
• Built-in macros: IP phones, access points (LW and autonomous), switches, routers, digital media players, IP cameras
• Automate operational activities done manually: scanning syslogs looking for network errors; collecting CDP information
• Customize behavior of the Catalyst switch: automatically apply workarounds (a.k.a. fix bugs), e.g., change interface configuration dynamically based on SFP type
• Proactively manage events: e.g., send email on temperature threshold crossing; e.g., detailed statistics capture on CPU threshold crossing
• It’s FREE !!
Figure: a Cisco Catalyst switch (network device) connecting IP phones, authorized users, guests and tablets.
• Monitor Mode: unobstructed access; no impact on productivity; gain visibility
• Flexible Authentication Sequence: enables a single configuration for most use cases; flexible fallback mechanism and policies
• IP Telephony / Support for Virtual Desktop Environments: single host mode, multihost mode, multiauth mode, multidomain authentication
• Critical Data/Voice Authentication: business continuity in case of failure
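The monitor-mode, flexible-authentication, host-mode and critical-authentication features listed above, as an added IOS access-port configuration (not from the slides or from Cisco); the interface name, VLAN numbers, ISE address and RADIUS key are assumed placeholders:

```ios
! Added example: 802.1X/MAB access port in monitor mode with flexible
! authentication and critical (server-dead) authorization. Assumed values:
! GigabitEthernet1/0/1, VLAN 100 (data), VLAN 10 (voice), ISE address/key.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-1
 address ipv4 <ISE-IP-PLACEHOLDER> auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
radius-server vsa send authentication
radius-server vsa send accounting
! Declare a server dead after 3 unanswered tries within 30 s so the
! critical-authentication actions below can trigger.
radius-server dead-criteria time 30 tries 3
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 10
 ! Monitor mode: traffic passes before/without authentication while the
 ! switch still learns and reports who is on the port (visibility first).
 authentication open
 ! Flexible authentication sequence: try 802.1X first, fall back to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! Host mode: multiauth authenticates every data device plus one voice device.
 authentication host-mode multi-auth
 ! Critical data/voice authentication: if all RADIUS servers are dead,
 ! authorize the data VLAN and the voice domain locally; re-authenticate
 ! when a server comes back.
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Remove `authentication open` to move the port from monitor mode to enforcement once the visibility phase has confirmed which endpoints authenticate.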
Device Sensor Gleans into Protocol Data to Classify Endpoints Based on Device Type, User Identity, and Location
Device Type | User Identity | Location
Corp PC | Doctor | Office
Personal Laptop | Doctor | Office
Personal Laptop | Patient | Hotspot
Smartphone | Admin | Office
IP Phone | N/A | Office
TelePresence | N/A | Conf. Room
Profiling flow (switch, RADIUS probe / RADIUS accounting, ISE):
1. Device connects to the network
2. Switch collects info from control packets (CDP, LLDP, DHCP, MAC OUI)
3. Switch transmits device info to ISE via RADIUS Accounting messages; a notification is sent only if a change in device info is detected
4. ISE analyzes the data and identifies the device using the profile library & conditions
5. Policy (ACL, VLAN, SGT etc.) downloaded to switch
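Steps 2 and 3 of the flow above, as an added IOS Device Sensor configuration (not from the slides or from Cisco); it assumes the RADIUS server group and the 802.1X/MAB port configuration already exist, and the filter-list names are assumed:

```ios
! Added example: Device Sensor on a Catalyst access switch forwarding CDP,
! LLDP and DHCP endpoint attributes to ISE in RADIUS Accounting so ISE can
! profile the endpoint. Filter-list names DS-CDP/DS-LLDP/DS-DHCP are assumed.
cdp run
lldp run
!
! Limit what is gleaned and exported to a subset of TLVs/options that are
! useful for profiling, rather than every attribute the endpoint advertises.
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name platform-type
 tlv name capabilities-type
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name class-identifier
 option name parameter-request-list
device-sensor filter-spec cdp include list DS-CDP
device-sensor filter-spec lldp include list DS-LLDP
device-sensor filter-spec dhcp include list DS-DHCP
!
! Carry the gleaned attributes in accounting records, and send a new record
! only when the device info changes (step 3 above).
device-sensor accounting
device-sensor notify all-changes
!
! Accounting must be enabled and must carry vendor-specific attributes for
! the sensor data to reach ISE.
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 1440
radius-server vsa send accounting
!
! Verification on the switch (output not reproduced here):
! show device-sensor cache all
```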
Once Endpoints Are Profiled, ASP Applies Port Configuration Based on Predefined Rules
Two enforcement options for the profiled endpoints (classified on CDP, LLDP, DHCP, MAC):
VLAN-based (VLAN100, VLAN200, VLAN300, VLAN10 routed interfaces):
• Does not require switch port ACL management
• Requires topology redesign (IP address change)
ACL-based (ACL 500 on the access port):
• Less disruptive to endpoints (no IP address change required)
• Larger ACL TCAMs in the newest hardware
ACL 500:
 permit tcp <src> <dst> eq sip
 permit udp <src> <dst> eq domain
 permit udp <src> <dst> eq tftp
 permit udp <src> <dst> eq 8080
 …
ISE Maintains a Centralized View of Device Inventory and Policy Assignment
Topology-based ACLs:
• Topology-based • Manual configurations • Error prone • Unscalable • Difficult to maintain
Sources: IT 3.1.1.1; Finance 2.1.1.1; Doctor 1.1.1.1
Destination-based ACLs (one per server):
permit tcp any 200.1.1.1 eq https
permit tcp any 200.1.1.1 eq 8081
deny ip all
!
permit tcp any 150.1.1.1 eq https
permit tcp any 150.1.1.1 eq 8081
permit tcp any 150.1.1.1 eq 445
deny ip all
!
permit tcp any 100.1.1.1 eq https
deny ip all
Source-specific ACLs (one per source):
permit tcp 3.1.1.1 100.1.1.1 eq https
permit tcp 3.1.1.1 100.1.1.1 eq 8081
deny ip 3.1.1.1 200.1.1.2
!
permit tcp 2.1.1.1 150.1.1.1 eq https
permit tcp 2.1.1.1 150.1.1.1 eq 8081
permit tcp 2.1.1.1 150.1.1.1 eq 445
deny ip 2.1.1.1 150.1.1.1
permit tcp 2.1.1.1 200.1.1.2 eq https
deny ip 2.1.1.1 200.1.1.2
!
permit tcp 1.1.1.1 100.1.1.1 eq https
permit tcp 1.1.1.1 100.1.1.1 eq 8081
permit tcp 1.1.1.1 100.1.1.1 eq 445
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 100.1.1.2 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 150.1.1.2 eq https
deny ip 1.1.1.1 150.1.1.2
permit tcp 1.1.1.1 200.1.1.1 eq https
deny ip 1.1.1.1 200.1.1.1
Role-based access control:
Roles: IT 3.1.1.1; Finance 2.1.1.1; Doctor 1.1.1.1
• Role-based • Topology-independent • Scalable • Easy to administer • One Policy
Policy matrix (one row per role):
Doctors | IMAP | No Access | File Share
IT | Allow All | SQL | SQL
Finance | IMAP | Web | No Access
Figure: profiled endpoints (classified on CDP, LLDP, DHCP, MAC) assigned security groups Doctor, Patient, Admin, Doctor, Video and Voice.
• Simplifies ACL management • Uniformly enforces policy independent of topology or protocol • Fine-grained access control
Source group | Patient Record | Internet | Facility
Doctor | Permit | Permit | Permit
Patient | Deny | Permit | Deny
Voice | Deny | ACL_v | Deny
ISE Maintains a Centralized View of Device Inventory and Policy Assignment
Cisco TrustSec Domain: SGTs are assigned by the Identity Service Engine, by manual or dynamic VLAN mapping (VLAN 110, VLAN 120, VLAN 130), or by subnet mapping; the switch can forward existing SGT traffic or map SGTs manually.
SGACL from SGT 1110 to SGT 3200 (the slide shows only the entries; the role-based ACL name used to bind them is assumed here):
ip access-list role-based SGACL-1110-TO-3200
 permit tcp dst eq 443
 permit tcp dst eq 80
 permit tcp dst eq 22
 permit tcp dst eq 3389
 permit tcp dst eq 135
 permit tcp dst eq 136
 permit tcp dst eq 138
 permit tcp dst eq 139
 deny ip
cts role-based permissions from 1110 to 3200 SGACL-1110-TO-3200
Manual or dynamic VLAN mapping:
cts role-based sgt-map vlan-list 110 sgt 1110
cts role-based sgt-map vlan-list 120 sgt 1120
cts role-based sgt-map vlan-list 130 sgt 1130
Subnet mapping:
cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
cts role-based sgt-map 192.168.30.0/24 sgt 30
Typical causes of poor application performance: bandwidth/capacity bottleneck; unauthorized use of network resources. Security monitoring: monitor non-corporate devices.
Figure: Campus Buildings A, B and C connected through the Campus Core to the Internet, with NetFlow collected at numbered points (1–4) and reported to the NOC.
Flexible NetFlow provides the application visibility needed to answer questions on the “who, what, when, where, how” of network activities in order to: identify root cause easier, faster and more accurately; assign problem ownership; increase operational efficiency; lower TCO.
Sup2T NetFlow
• Flexible NetFlow: increased customization by selecting the fields to match and collect, for both IPv4 and IPv6
• CPU-friendly export: optimal CPU utilization with Yielding NetFlow Data Export, and direct export from a module
• Up to 13M flows per system: bigger tables mean more entries per system, up to 13 million entries with a 13-slot chassis, giving better visibility into your network
• Sampled NetFlow in hardware: to optimize NetFlow table utilization and minimize load on analyzers
• Egress NetFlow: allows NetFlow to be used after the ingress lookup is done (NetFlow on CoPP); allows accounting for multicast traffic per destination instead of per group
• Each flow monitor can export to multiple collectors (flow exporter)
• Each flow monitor can be associated with one set of records (flow record)
• Flow monitor attachment to an interface is uni-directional, i.e. to monitor bi-directional traffic it must be applied in both the ‘in’ and ‘out’ directions
Figure: Interface → Monitor 1 (direction ‘in’) uses Record Set A and exports to Exporter 1 and Exporter 2; Monitor 2 (direction ‘out’) uses Record Set B and exports to Exporter 1. Exporter 1 IP = 10.0.0.1; Exporter 2 IP = 192.168.0.1.
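The monitor/record/exporter relationships described above, as an added Flexible NetFlow configuration (not from the slides or from Cisco): the two exporter addresses are the slide's; the record fields, object names, UDP port, Loopback0 source and interface are assumed.

```ios
! Added example: Flexible NetFlow on a Sup2T interface matching the figure:
! Monitor 1 (input) -> Record A -> Exporters 1 and 2; Monitor 2 (output)
! -> Record B -> Exporter 1. Exporter addresses are the slide's (10.0.0.1,
! 192.168.0.1); record fields, names, port, source and interface are assumed.
flow record FNF-RECORD-A
 description Ingress 5-tuple with byte and packet counters
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow record FNF-RECORD-B
 description Egress per-destination accounting
 match ipv4 destination address
 match interface output
 collect counter bytes
 collect counter packets
!
flow exporter EXPORTER-1
 destination 10.0.0.1
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
flow exporter EXPORTER-2
 destination 192.168.0.1
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! A monitor binds exactly one record but may list several exporters.
flow monitor MONITOR-1
 record FNF-RECORD-A
 exporter EXPORTER-1
 exporter EXPORTER-2
 cache timeout active 60
 cache timeout inactive 15
!
flow monitor MONITOR-2
 record FNF-RECORD-B
 exporter EXPORTER-1
!
! Attachment is per direction: both lines are needed for bi-directional
! visibility on this interface.
interface TenGigabitEthernet1/1
 ip flow monitor MONITOR-1 input
 ip flow monitor MONITOR-2 output
```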
Protect CPU with CPU Yield NetFlow
• NDE increases export rate until threshold reached
• Wait 5 seconds and then step up export rate again
• When threshold reached, NDE quickly backs off export rate
Figure: CPU graph with 30% and 70% markers for the Yielding NDE threshold and the CPU before NDE begins.
Scale NetFlow with Distributed Export
Figure: NetFlow data from the WS-X6848-TX-2T/2TXL and WS-X6908-10G-2T/2TXL line cards and from the Supervisor is exported to the NetFlow Collector; the EOBC links the line cards and the supervisor.
• Seamless access network expansion
• High-speed 64 Gbps bi-directional switching stack-ring
• Single logical unit to manage nine switches and 450 ports
• Centralized control and management architecture
• Reduces VLANs/subnets; 9X operational simplicity
• Distributed and resilient forwarding architecture
• Single network per layer; deterministic network operation with non-stop forwarding
Figure: access stack connected to a VSS pair (VSL shown).
• All power supplies in the stack are used to form a common input power pool, regardless of their size, AC/DC source and location
• Redundant mode option allows 1+n protection of the largest power supply in the stack by reserving a portion of the input power pool
• The remaining power pool is allocated to the power clients: the switches and PoE devices
• In case of power line failure, power supply failure or power supply replacement, the input power deficit is backed up by the reserved power, allowing continuity of the allocated power budget and non-stop business communication
Figure: input power pool of 2865W formed from supplies of 1100W, 350W, 715W, 350W and 350W; the power budget is split into reserved (1100W) and allocated; two power failures are shown.
Find out more in the whitepaper: Calculating Power for Cisco StackPower
• Simplified system operation: single neighbor and network per layer; simplified and highly redundant network topologies
• Optimized network design: double switching capacity; deterministic application and network performance

• Complex network design and operation
• Underutilized network resources
• Sub-optimal application and network performance
Spanning Tree Configuration and L3 SVI Configuration (sample for 1 VLAN)

Standalone Switch 1 (Coordinated Configuration)
! Enable 802.1d per VLAN spanning tree enhancements.
spanning-tree mode pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 2,4,6,8,10 priority 24576
!
! Define the Layer 3 SVI for each voice and data VLAN
interface Vlan4
 description Data VLAN
 ip address 10.120.4.3 255.255.255.0
 no ip redirects
 no ip unreachables
 ! Reduce PIM query interval to 250 msec
 ip pim query-interval 250 msec
 ip pim sparse-mode
 load-interval 30
 ! Define HSRP default gateway with 250/800 msec hello/hold
 standby 1 ip 10.120.4.1
 standby 1 timers msec 250 msec 800
 ! Set preempt delay large enough to allow network to stabilize before HSRP
 ! switches back on power on or link recovery
 standby 1 preempt delay minimum 180
 ! Enable HSRP authentication (key must match on both switches)
 standby 1 authentication cisco123

Standalone Switch 2 (Coordinated Configuration)
! Enable 802.1d per VLAN spanning tree enhancements.
spanning-tree mode pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 3,5,7,9,11 priority 24576
!
! Define the Layer 3 SVI for each voice and data VLAN
interface Vlan4
 description Data VLAN
 ! Each HSRP peer needs its own SVI address; .2 is assumed here for switch 2
 ! (the slide repeats switch 1's .3)
 ip address 10.120.4.2 255.255.255.0
 no ip redirects
 no ip unreachables
 ! Reduce PIM query interval to 250 msec
 ip pim query-interval 250 msec
 ip pim sparse-mode
 load-interval 30
 ! Define HSRP default gateway with 250/800 msec hello/hold
 standby 1 ip 10.120.4.1
 standby 1 timers msec 250 msec 800
 ! Set preempt delay large enough to allow network to stabilize before HSRP
 ! switches back on power on or link recovery
 standby 1 preempt delay minimum 180
 ! Enable HSRP authentication (key must match on both switches)
 standby 1 authentication cisco123

VSS (One Simplified Configuration)
! Enable 802.1d per VLAN spanning tree enhancements
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 2-11 priority 24576
!
! Define the Layer 3 SVI for each voice and data VLAN (no HSRP needed: the
! VSS pair is one logical switch)
interface Vlan4
 description Data VLAN
 ip address 10.120.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 load-interval 30
Figure: two VSS topologies, each with a 10GE-attached monitoring server and access switches, ToR switches or blades dual-attached with LACP or PAgP.
Simplified network design
• Spanning Tree and first-hop redundancy protocols eliminated
• Single touchpoint manageability
Double bandwidth utilization
• With Active-Active Multichassis EtherChannel (LACP/PAgP)
• 1+1 supervisor redundancy for dual-attached devices
eFSU (6500E, dual chassis over the VSL)
• eFSU provides real-time dual-chassis software upgrade. Reduces MTBF
• Protects network services and availability at the access layer with redundant paths
• Network impact ~1 sec for the entire upgrade process
ISSU (4500E, single chassis)
• Dual-supervisor requires software consistency
• ISSU provides real-time single-chassis software upgrade. Reduces MTBF
• Protects network services, capacity and availability for wired and WLAN end-points
Figure: mismatched IOS versions during software upgrade on the 4500E and 6500E.