Vivek Baveja Technical Marketing Engineer Enterprise Networking Group


1 Cisco Unified Access Roadshow
Enterprise Backbone Technologies Enabling BYOD and Collaboration
Vivek Baveja, Technical Marketing Engineer, Enterprise Networking Group

2 Use Cases: Backbone Support for BYOD, Video, and Collaboration
How do I build a scalable, secure, converged wired/wireless campus network to support these trends?
Questions to be answered across the core, distribution and access layers:
- How do I provide a consistent user experience?
- How do I manage this at an enterprise level?
- How do I bring both corporate and employee-owned devices on to the network?
- How do I secure my device and user communities?
- What services do I need to enable the infrastructure?
- How do I monitor this at an enterprise level?

3 Cisco Catalyst 6500: Top Questions from Customers
- How does the 6500 with Sup2T fit into a BYOD infrastructure?
- When do I use Catalyst 6500 instead of Nexus 7000?
- What is the future of the 6500?
- How do I secure the campus for BYOD?
- How can Catalyst 6500 provide the necessary network visibility for my BYOD infrastructure?

4 Backbone Switching Strategy, Portfolio and Areas of Investment

5 Cisco Catalyst or Nexus? Positioning the Correct Solution
Cisco Catalyst in the campus to support BYOD and collaboration:
- Campus backbone: lead with Catalyst 6500 Sup2T
- Campus distribution: lead with Catalyst 6500 Sup2T
- Campus access: lead with Catalyst 4K / 3K
Data center:
- Backbone and aggregation: lead with Nexus 7000
- Access: lead with Nexus 5000/2000
Trends behind the positioning: video, workload mobility, VM mobility / BYOD, 10G / virtualization, security, energy efficiency; in line with the company's investments.
Engineering investments and roadmap follow positioning.

6 Switching Requirements: Difference Between Campus and Data Center
Campus (Catalyst family, IOS):
- User access control / segmentation: 802.1X, Easy Virtual Networks (EVN)
- Video intelligence: Medianet
- Wired / wireless convergence: wireless controller integration
- Application visibility: Flexible NetFlow, NAM-3 (NBAR2)
- Power over Ethernet: UPOE, EnergyWise
Data center / cloud (Nexus family, NX-OS):
- Cloud security and VM awareness: Nexus 1000v, VSG, ASA 1000v
- VM mobility: LISP, VXLAN, OTV
- LAN / SAN convergence: Unified Ports, FCoE
- Fabric scale and resilience: FabricPath, vPC, wire speed 10/40/100G
- Data center consolidation: VDC, FEX, DCNM
Customer requirements and needs ultimately drive the sale.

7 Cisco Catalyst 6500 E-Series: Strategy and Direction
Supporting BYOD and collaboration trends:
- Innovation: innovation with investment protection; the network services platform for Unified Access; Cisco Catalyst E-Series transition
- Differentiation: driving next-gen Ethernet in the campus, 1G » 10G » 40G » 100G
- Lower TCO: price/performance; virtualization, simplified operations, and change management

8 Cisco Catalyst 6500 Installed Base in Perspective: Driving Future Investment Decisions
- FY12 Cat 6500 port share of total modular industry* (*assuming Dell'Oro as a baseline for industry total modular)
- 750,000+ chassis shipped; 1.2 million supervisors shipped; 110 million ports shipped; 45,000+ Catalyst 6500 customers
- $200+ million investment surrounding Sup2T development (compare with Tesla Motors' $150M investment for its first fully electric sports car)
- $200+ million investment planned over the next 3 years alone: rich network services, Ethernet evolution, lower TCO, investment protection

9 Cisco Catalyst 6500 Portfolio: Hardware You Need to Support BYOD and Collaboration Trends
- Supervisor: Sup2T
- Service modules: WiSM2, NAM-3, ASA-SM
- 40 GbE fiber: 6904 with FourX, LR4, SR4
- 10 GbE fiber and copper (40G/slot and 80G/slot): 6816, 6908, 6904
- 1 GbE fiber and copper: 6824, 6848 (fiber high-performance access); 6148 / 45AT (copper access)

10 BYOD and Collaboration with Supervisor 2T: Scalability Enhancements
Sup2T overview: 4X scalability, 3X performance. Feature comparison (SUP720 → SUP2T):
- L2 MAC table: 96K → 128K
- Bridge domains: 4K → 16K
- TrustSec / SGT: yes
- VNET trunk (EVN)
- 40G interfaces
- System bandwidth: 720 Gbps → 2 Tbps
- L3 interfaces
- NetFlow table: 128K/256K → 512K/1M
- Flexible NetFlow
- Hitless ACL updates 32K
- Medianet 2.2
- VPLS / A-VPLS: requires WAN module → yes (no WAN module)
- VSS quad-sup SSO
New in the Sup2T hardware:
- New PFC4 featuring improved levels of performance and scalability along with new enhanced hardware features
- Improved switch fabric providing 80G/slot
- USB-based console support
- New MSFC5 supporting a dual-core CPU and a single IOS image
- Connectivity Management Processor (CMP)
- Cisco Prime

11 BYOD and Collaboration with Supervisor 2T: Scalability Enhancements (Line Cards)
6900 Series with DFC4 (doubled system performance, with distributed forwarding):
- Non-blocking 80G/slot performance
- Wire-rate MACsec
- Virtual switching link (VSL)
- Large packet buffers (256 MB/port)
- X2 transceiver or SFP+ with adapter
- Available in standard and XL sizes
- LISP-ready
- 4-port 40G: $36,000; FourX, CFP-40G-SR4, CFP-40G-LR4
6800 Series with DFC4 (distributed forwarding performance, at central forwarding price):
- 40G/slot with integrated DFC4
- 24 and 48 ports 1GbE fiber
- 48 ports 10/100/1000 copper
- 16 ports 10GbE fiber and 10GBASE-T
- Available in standard and XL sizes

12 BYOD and Collaboration with Supervisor 2T: Make Your Catalyst 6500 Ready
Sup2T module compatibility:
- 6704, 6724, 6748 with CFC: supported
- 6704, 6724, 6748 with DFC3: WS-F6K-DFC4-A
- …G/10T with DFC3: WS-F6K-DFC4-E
- …G fiber, 61xx series (6148E, 6148A, 6148-SFP, 6196): special TMP program for upgrade
- Service modules (NAM-1/2/3, ACE20/30, WiSM-1/2, FWSM, ASA-SM): supported
- VPN SPA: not supported (ASA-SM to get IPsec VPN)
- WAN modules: not supported (use Sup720-10G or ASR for WAN)
© 2009, Cisco Systems, Inc. All rights reserved.

13 BYOD and Collaboration with Supervisor 2T: Service Modules Enable Key Capabilities
Enhance application visibility with the next-generation NAM blade, NAM-3 (new):
- Monitoring performance up to 15 Gbps
- Capture to external disk up to 5 Gbps
- Deep packet inspection: NBAR-2 support
- HW filters / packet captures
- Rapid troubleshooting
Integrate wired / wireless management with the next-generation WiSM blade, WiSM-2 (new):
- Performance: 20 Gbps
- Access points: 500–1,000
- Clients: 15,000
- Concurrent AP upgrade/joins: up to 500
- Mobility domain size: up to 18,000 APs
Deliver robust, integrated, streamlined security with the next-generation firewall blade, ASA-SM (new):
- OS / feature parity with appliances
- 64 Gbps system performance; 16 Gbps performance per service module
- 10,000,000 concurrent sessions; 300,000 connections per second
- 250 security contexts; 1,000 VLANs

14 BYOD and Collaboration with Supervisor 2T: Catalyst 6500 for the BYOD Backbone
Feature richness across the portfolio, from fixed to modular (scalability):
- Cisco Catalyst 6500E (TrustSec, resiliency, smart ops, AVC): L3 SGT, Quad Sup VSS*, MACsec over EoMPLS, BGP PIC, EFSU, MPLS L3VPN, BFD / multicast BFD, VPLS / A-VPLS, multicast HA, L2oMGRE, ACL hitless commit, 6PE, 6VPE, ACL dry run, advanced CoPP, ASA-SM, EEM, GOLD, PIM register in HW, Smart Call Home, IGMPv3 / MLDv2 snooping in HW, Smart Install Director, LISP, egress NetFlow, WCCPv3, per-VRF NetFlow, NAM-3, WiSM-2 (*roadmap)
- Cisco Catalyst 4500E: TrustSec (MACsec, SGT, SGACL, EVN); resiliency (sup redundancy, NSF/SSO, ISSU); AVC (Flexible NetFlow / EEM integration, integrated Wireshark); smart operations (copper/PoE flexibility, EEM, GOLD)
- Cisco Catalyst 4500-X: TrustSec (MACsec, SGT, SGACL, EVN); AVC (Flexible NetFlow / EEM integration, integrated Wireshark); resiliency (VSS)
- Cisco Catalyst 3750-X: TrustSec (MACsec, SGT, SGACL); AVC (Medianet, Flexible NetFlow)

15 Differentiating Features to Support BYOD / Collaboration in the Backbone

16 Integrated Service Modules

17 Advantages of Integrated Solution: Simplification, Scalability and Lower TCO
Simplified manageability:
- Managed as a single entity with backplane integration
- Integrated application intelligence, traffic analysis, and performance troubleshooting
- Remote monitoring with RSPAN/ERSPAN
Increased scalability:
- Virtual contexts to support virtualization for BYOD
- Service modules match the latest appliance specifications (speeds/feeds)
Lower total cost of ownership:
- Reduced network footprint; no external connectors
- Improved power management
- Reduced rack space utilization
Presenter notes: Get to the packets right at the source over the backplane. Provide additional services as part of the service switch in the DC. A Swiss army knife providing traffic analysis, application response time analysis, voice quality monitoring, and packet capture troubleshooting.

18 NAM-3 L3-7 Application Visibility: Providing Better Insight for a BYOD Infrastructure
- Consistent application visibility, branch to data center, across the application delivery lifecycle: monitoring, troubleshooting, control and optimization
- Can work with Flexible NetFlow as a collector (local or external devices)
- Service-centric causal analysis across application and network traffic flows
- Application (L7) specific packet analysis (NBAR-2*)
- Wireless CAPWAP decode
- Link utilization
- Can be managed by Cisco Prime
*CY Q4 2012

19 Wireless Services with WiSM-2: Supporting Campus Wireless and BYOD
One device for converged wireless and wired services supporting next-generation wiring closet infrastructures, with reduced operational costs.
- Scale: 1000 access points, 15,000 clients
- Central maintenance: simultaneous AP upgrade, troubleshooting
- Mobility: 36,000 APs in a mobility domain, fast roaming
- Performance: 10 Gbps throughput
- New features: Application Visibility and Control (AVC), NetFlow v9, Bonjour support, NMSP location services, stateful AP failover with VSS
Hardware: 20 Gb backplane channel, dedicated 12-core data processor, dedicated 12-core control processor, status LEDs, serial and USB console ports.
Management: WiSM-2 GUI tools, Prime, ISE.
WiSM2 is capable of MC/MTE: Mobility Coordinator (MC) and Mobility Tunnel Endpoint (MTE).

20 Catalyst WiSM-2 as Bonjour Gateway*: Improving Campus WLAN Performance for BYOD
Topology: core switch; three Catalyst 6500 w/WiSM-2; access switches 1 to 4; Room 201 (printer-201, atv-201) and Room 203 (printer-203, atv-203); an AP serving two Bonjour clients asking "What services can I use?" (ID Adam, role faculty, location room201; ID John, role student, location room201).
Presenter notes: Apple Bonjour found its best use in home networks where only one subnet exists (music folders on an iPad, etc.). Corporate users expect a similar plug-and-play experience. IT groups see Bonjour traffic everywhere, and it congests the WLAN as it turns on and runs. People use it at home, but at work no one turns it off. The user is on a wireless iPad and wants print services, music and content. WiSM-2 builds a database of Bonjour users and services.
*Q4 CY2012

21 Firewall Services with ASA-SM: High Performance Platform with Security Directly in the Backbone
NAT64, VPN site-to-site services* (*roadmap)
- Multigigabit fabric: chassis backplane, virtualized interfaces, module-to-module communications; 20 Gig backplane connectivity for high-performance communication between modules
- Multiple contexts (250)
- High-capacity memory for handling high session counts: 24 GB of memory, used for high session counts and VPN sessions including remote access VPN and Unified Communications proxy (VPN and UC proxy available in a future release)
- Dual crypto accelerators: hardware processing; accelerated Virtual Private Networking and Unified Communications encryption; VPN and UC proxy features are hardware accelerated to maximize throughput (available in a future release)
- Security service processors: multi-services capable; dedicated 64-bit multicore processors; dual multi-core 64-bit processors with 24 cores allow for high throughput, high connection rate, and feature flexibility for the future; future-proof hardware

22 Catalyst for a Secure Campus: Securing the BYOD Infrastructure at Multiple Layers
Topology: campus core (Catalyst 6500 w/ASA-SM) in front of protected corporate resources; campus block access (visitor conference room, employee telepresence room, Catalyst 6500 w/ASA-SM); Internet access.
- Network edge authentication: How do I extend security outside the wiring closet?
- ACL atomic commit: How can I get zero traffic disruption when modifying ACLs?
- Integrated firewall module: How can I get DPI and stateful connections?
- Control Plane Policing (CoPP) / HWRL: How do I insulate the CPU from heavy protocol traffic?
- ASA clustering: How do I scale campus firewall performance?

23 Secure On-Boarding for BYOD: Easy Virtual Networks (EVN) and ASA-SM Segregate BYOD from Corporate-Issued Devices
Access control and path isolation:
- Trusted devices: SSID → Identity → Device Sensor → VLAN X → VRF X → Firewall Context X
- Untrusted devices: SSID → Identity → Device Sensor → VLAN Y → VRF Y → Firewall Context Y
Services in the backbone (Cisco Catalyst VSS 4T): ASA-SM firewall, IPS, WiSM2, NAM-3.
Why segregate:
- BYOD devices need the same access as corporate devices
- Greater inspection is required for BYOD devices
- BYOD devices don't get mandatory virus/security updates
- Path isolation across the network to IPS or ASA-SM to maintain compliance: HIPAA (Health Insurance Portability and Accountability Act of 1996), PCI, FISMA
EVN benefits:
- Simplified configuration: 10x+ config savings; pre-provision configuration; less prone to errors; backwards compatible with VRF-Lite for migration
- Enhanced troubleshooting: routing context for ease of operation inside a VRF; improved debug condition for virtualized environments; enhanced manageability with the new Cisco VRF-MIB; VRF traceroute
- Enterprise focus: network virtualization solution for the enterprise, scaling to 32 segments; unique in the industry; built on existing campus protocols; interoperates with existing WAN solutions

24 Security and Application Visibility Services

25 Cisco Catalyst for Device Security Across Non-TrustSec Domains
Monitor SGACL packet drops with Flexible NetFlow.
Topology: TrustSec domain, L3 SGT transport, TrustSec domain; /24 subnets mapped to SGT 10, 20 and 30 (manual or dynamic subnet mapping); Identity Services Engine; SGACL enforcement; server.
- Packets are sent with "transport mode" ESP to carry the SGT without encryption or data authentication
- The packet overhead (42–45 bytes) impacts IP MTU/fragmentation (header change)
Presenter notes: In the main CTS slide, we saw an SXP session between the access switch and the distribution switch. SXP allows a non-TrustSec-capable device to pass on IP-to-SGT mappings through the protocol, so that the next TrustSec-capable switch can simply hardware-tag packets based on the bindings that arrive via SXP messaging. In this slide, we show the IP-to-SGT mapping capability, which is slightly different from the SXP-based one. Here, the access layer consists of legacy hardware that is not TrustSec hardware- or software-capable. In this case the mapping is done manually in the (distribution) switches and packets get tagged accordingly.
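As an added illustration of the slide's flow (static subnet-to-SGT mapping, SGACL enforcement, and drop records for NetFlow), here is a small Python model. It is not Cisco code; the subnets, the policy matrix, the port numbers and the sample flows are constructed, and only the SGT values 10, 20 and 30 come from the slide.

```python
"""IP-to-SGT mapping, SGACL enforcement and per-pair drop accounting.

Added example, not Cisco code. Subnets, the policy matrix and the flows are
constructed; SGT values 10/20/30 follow the slide.
"""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Static subnet-to-SGT mappings, the "manual" mapping the presenter notes
# describe for a non-TrustSec access layer (constructed values).
SUBNET_TO_SGT = {
    IPv4Network("10.1.10.0/24"): 10,   # e.g. corporate-issued devices
    IPv4Network("10.1.20.0/24"): 20,   # e.g. BYOD devices
    IPv4Network("10.1.30.0/24"): 30,   # e.g. servers
}

# SGACL matrix: (source SGT, destination SGT) -> permitted destination ports.
# Pairs absent from the matrix are denied (constructed policy).
SGACL = {
    (10, 30): {443, 445},   # corporate devices may reach HTTPS and SMB
    (20, 30): {443},        # BYOD devices may reach HTTPS only
    (10, 20): set(),        # no corporate-to-BYOD traffic
}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.10.5", "10.1.30.7", 443),   # permit
    ("10.1.20.9", "10.1.30.7", 445),   # drop: SMB not allowed for BYOD
    ("10.1.20.9", "10.1.30.7", 443),   # permit
    ("10.1.10.5", "10.1.20.9", 22),    # drop: empty policy
    ("192.0.2.1", "10.1.30.7", 443),   # drop: unmapped source, SGT 0
]


def classify(ip):
    """Return the SGT for an address by longest-prefix match, or 0 if unmapped."""
    addr = IPv4Address(ip)
    best_len, best_sgt = -1, 0
    for net, sgt in SUBNET_TO_SGT.items():
        if addr in net and net.prefixlen > best_len:
            best_len, best_sgt = net.prefixlen, sgt
    return best_sgt


def enforce(flows):
    """Apply the SGACL to each flow; return (permit counter, drop counter)
    keyed by (source SGT, destination SGT)."""
    permits, drops = Counter(), Counter()
    for src_ip, dst_ip, dport in flows:
        key = (classify(src_ip), classify(dst_ip))
        allowed = SGACL.get(key)
        if allowed is not None and dport in allowed:
            permits[key] += 1
        else:
            drops[key] += 1
    return permits, drops


def drop_records(drops):
    """Shape the drop counters like the per-SGT-pair records a NetFlow
    collector would receive (sorted for stable output)."""
    return [
        {"src_sgt": s, "dst_sgt": d, "dropped_packets": n}
        for (s, d), n in sorted(drops.items())
    ]


if __name__ == "__main__":
    permitted, dropped = enforce(SAMPLE_FLOWS)
    for rec in drop_records(dropped):
        print(rec)
```

Running the block prints one drop record per (source SGT, destination SGT) pair, which is the view a collector needs to spot which device community is being blocked from which resource.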

26 IPv6: First-Hop Security and uRPF: Prepare and Secure Your New IPv6 Wired and Wireless Network
IPv6/IPv4 dual-stack hosts, wired and wireless (via the WLC).
Access layer (L2) and distribution layer (L3):
- IPv6 device tracking: revoke network access for inactive devices
- IPv6 PACL: filter traffic on Layer 2 ports
- IPv6 RA Guard: stops false router advertisement threats
- IPv6 NDP inspection: prevents neighbor discovery spoofing attacks
Core layer (IPv6 WAN):
- IPv6 uRPF: blocks spoofed traffic in hardware (16 paths)
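To make the four controls concrete, here is an added Python model of the decision each one makes (it is not Cisco code and does not reproduce the IOS implementation). Port names, prefixes, MAC addresses and the event log are constructed; the idle timeout is an assumed value.

```python
"""Simplified IPv6 first-hop security checks: RA Guard, NDP inspection,
device tracking and uRPF. Added example, not Cisco code; all ports,
addresses, timeouts and events below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Event:
    t: int             # seconds since start
    port: str          # ingress port
    kind: str          # "RA", "NA" or "DATA"
    mac: str           # source MAC
    src_ip: str        # source IPv6 address
    target_ip: str = ""  # NA only: the address being advertised


class FirstHopSecurity:
    def __init__(self, router_ports, port_prefixes, idle_timeout=300):
        self.router_ports = set(router_ports)             # RA Guard trust list
        self.port_prefixes = {p: [IPv6Network(n) for n in nets]
                              for p, nets in port_prefixes.items()}
        self.idle_timeout = idle_timeout                  # assumed: 300 s
        self.bindings = {}   # ip -> (mac, port, last_seen): the binding table

    def expire(self, now):
        """Device tracking: revoke bindings of devices silent for too long."""
        stale = [ip for ip, (_, _, seen) in self.bindings.items()
                 if now - seen > self.idle_timeout]
        for ip in stale:
            del self.bindings[ip]
        return stale

    def check(self, ev):
        """Return (verdict, control) for one event."""
        self.expire(ev.t)
        if ev.kind == "RA":
            # RA Guard: only router-facing ports may carry router advertisements
            return ("permit" if ev.port in self.router_ports else "drop"), "ra-guard"
        if ev.kind == "NA":
            # NDP inspection: an advertised address must match its learned binding
            bound = self.bindings.get(ev.target_ip)
            if bound is not None and bound[:2] != (ev.mac, ev.port):
                return "drop", "nd-inspection"
            self.bindings[ev.target_ip] = (ev.mac, ev.port, ev.t)
            return "permit", "nd-inspection"
        if ev.kind == "DATA":
            # uRPF-style check: the source must belong to a prefix expected on this port
            src = IPv6Address(ev.src_ip)
            if not any(src in net for net in self.port_prefixes.get(ev.port, [])):
                return "drop", "urpf"
            if ev.src_ip in self.bindings:           # refresh device tracking
                mac, port, _ = self.bindings[ev.src_ip]
                self.bindings[ev.src_ip] = (mac, port, ev.t)
            return "permit", "urpf"
        return "drop", "unknown"


# Constructed event log (documentation addresses and MACs).
EVENTS = [
    Event(0, "Gi1/1", "RA", "00:00:5e:00:53:01", "fe80::1"),                       # uplink router
    Event(1, "Gi1/2", "RA", "00:00:5e:00:53:aa", "fe80::aa"),                      # RA on a host port
    Event(2, "Gi1/2", "NA", "00:00:5e:00:53:10", "fe80::10", "2001:db8:1::10"),    # binding learned
    Event(3, "Gi1/3", "NA", "00:00:5e:00:53:20", "fe80::20", "2001:db8:1::10"),    # other MAC claims it
    Event(4, "Gi1/2", "DATA", "00:00:5e:00:53:10", "2001:db8:1::10"),              # on-prefix source
    Event(5, "Gi1/2", "DATA", "00:00:5e:00:53:10", "2001:db8:9::10"),              # off-prefix source
    Event(400, "Gi1/3", "NA", "00:00:5e:00:53:20", "fe80::20", "2001:db8:1::10"),  # old binding expired
]


def run(events):
    fhs = FirstHopSecurity(router_ports={"Gi1/1"},
                           port_prefixes={"Gi1/2": ["2001:db8:1::/64"],
                                          "Gi1/3": ["2001:db8:1::/64"]})
    return [fhs.check(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, run(EVENTS)):
        print(ev.t, ev.port, ev.kind, verdict)
```

The last event shows why device tracking matters: the binding for 2001:db8:1::10 is revoked after the idle timeout, so the address can be legitimately re-learned on another port instead of staying pinned to a device that has left.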

27 BYOD Requires More Traffic Visibility: The Case for Flexible NetFlow
Traffic visibility with Flexible NetFlow across campus buildings A, B and C, the campus core, the Internet edge and the NOC.
Typical causes of poor application performance:
1. Bandwidth/capacity bottleneck
2. Unauthorized use of network resources
3. Security monitoring
4. Monitoring non-corporate devices
Flexible NetFlow provides the application visibility needed to answer questions on the "who, what, when, where, how" of network activities in order to:
- Identify the root cause more easily, faster and more accurately
- Assign problem ownership
- Increase operational efficiency
- Lower TCO

28 BYOD Requires More Traffic Visibility: Flexible NetFlow for the Sup2T
Sup2T NetFlow:
- Flexible NetFlow: increased customization by selecting the fields to match and collect for both IPv4 and IPv6
- CPU-friendly export: optimal CPU utilization with yielding NetFlow Data Export; direct export from a module
- Up to 13M flows per system: bigger tables mean more entries per system, up to 13 million entries with a 13-slot chassis, giving you better visibility in your network
- Egress NetFlow: allows NetFlow after the ingress lookup is done (NetFlow on CoPP); allows accounting for multicast traffic per destination instead of per group
- Sampled NetFlow in hardware: optimizes NetFlow table utilization and minimizes load on analyzers

29 BYOD Requires More Traffic Visibility: Sup2T Can Monitor with Scale and CPU Protection
Protect the CPU with CPU-yield NetFlow:
- NDE increases the export rate until the threshold is reached
- When the threshold is reached, NDE quickly backs off the export rate
- Wait 5 seconds and then step up the export rate again
- Yielding NDE threshold: CPU before NDE begins (the diagram shows CPU at 30% and 70%)
Scale NetFlow with distributed export:
- Supervisor NetFlow Data Export over the EOBC to the NetFlow collector; NetFlow data exported from line cards such as WS-X6848-TX-2T/2TXL and WS-X…G-2T/2TXL
- Direct export supported with Supervisor 2T and: WS-X…x upgraded with DFC4-E / DFC4-EXL; WS-X…x-2T/2TXL; WS-X…G-2T/2TXL
The introduction of trusted and untrusted devices in the campus BYOD architecture means that organizations must be more vigilant about the traffic in their network. The best way to do this is to use Flexible NetFlow to monitor traffic. With Supervisor 2T, not only can you scale up to 13 million NetFlow entries in a single system, you can do it while maintaining CPU protection thanks to the enhanced export capabilities built into the system.
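The yielding behaviour described above is a simple feedback controller, and it is easier to reason about when you can watch the export rate respond to a CPU trace. The Python below is an added simulation, not Cisco code and not the Sup2T algorithm: the 70% threshold and the 5-second hold come from the slide, while the step size, back-off factor, rate floor/ceiling and the CPU samples are constructed assumptions.

```python
"""Simulation of a yielding NetFlow Data Export (NDE) controller.

Added example, not Cisco code. It models the behaviour the slide describes:
ramp the export rate up until a CPU threshold is hit, back off quickly, hold
for five seconds, then step up again. Step size, back-off factor, rate
limits and the CPU samples are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class YieldingNde:
    cpu_threshold: float = 70.0     # percent, from the slide
    hold_seconds: int = 5           # "wait 5 seconds", from the slide
    min_rate: int = 1_000           # flows/s floor (assumed)
    max_rate: int = 100_000         # flows/s ceiling (assumed)
    step_up: int = 10_000           # additive ramp per second (assumed)
    backoff_factor: float = 0.5     # multiplicative back-off (assumed)
    rate: int = field(init=False)
    hold_remaining: int = field(init=False, default=0)

    def __post_init__(self):
        self.rate = self.min_rate

    def tick(self, cpu_percent):
        """Advance one second given the observed CPU load; return the new rate."""
        if cpu_percent >= self.cpu_threshold:
            # Threshold hit: back off quickly and start the hold period.
            self.rate = max(self.min_rate, int(self.rate * self.backoff_factor))
            self.hold_remaining = self.hold_seconds
        elif self.hold_remaining > 0:
            # Still inside the hold period: keep the reduced rate.
            self.hold_remaining -= 1
        else:
            # CPU is fine and the hold has elapsed: step the rate up again.
            self.rate = min(self.max_rate, self.rate + self.step_up)
        return self.rate


def simulate(cpu_samples):
    """Run the controller over a per-second CPU trace; return the rate per second."""
    nde = YieldingNde()
    return [nde.tick(cpu) for cpu in cpu_samples]


# Constructed CPU trace: steady 30%, one spike to 75% at t=3, then steady.
SAMPLE_CPU = [30, 30, 30, 75, 30, 30, 30, 30, 30, 30, 30]

if __name__ == "__main__":
    for t, rate in enumerate(simulate(SAMPLE_CPU)):
        print(f"t={t:2d}s cpu={SAMPLE_CPU[t]:3d}% export_rate={rate}")
```

With these assumptions the rate climbs for three seconds, halves on the spike at t=3, stays flat through the five-second hold, and resumes ramping at t=9, which is the shape the slide's diagram sketches.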

30 Tying It All Together

31 Deploying a Unified Access Architecture: Tying Security, Mobility, and Virtualization for BYOD
Borderless campus topology: campus backbone; campus DC block (corporate servers, VDI infra, guest servers); Internet; Identity Services Engine; Smart Install Director; VLAN 10, VLAN 20 and VLAN 30 for employee personal assets, company assets and guest personal assets.
On-boarding steps:
- 802.1x EAP user authentication
- Profiling to identify the device; posture of the device
- Policy decision (SGT assigned by the Identity Services Engine; SXP session)
- Full or partial access granted: ASA firewall with per-VLAN and per-VRF policies; EVN per-VLAN/VRF policies for path isolation; Internet only for guests
- SGACL enforcement; monitor SGACL dropped traffic
Backbone services: L3VPN over mGRE (VRFs across sites); WiSM2 as mobility coordinator (MC/MTE); NAM-3 15+ Gbps traffic monitoring; 40 Gbps with two-level shaping to support HD video; BGP PIC fast convergence; troubleshoot data, voice and video with FnF, NAM and egress NetFlow; Medianet 2.2 performance monitoring and mediatrace.
Performance monitor sample:
    interface GigabitEthernet1/1
     service-policy type performance-monitor inline input
      match dscp cs5 cs4 af41 ef
      flow monitor inline
       record default-rtp
      react 1 transport-packets-lost-rate
       threshold value gt 10.00
       alarm severity error
       action syslog
Monitor result:
    transport rtp jitter mean (usec)    : 955
    transport rtp jitter minimum (usec) : 0
    transport rtp jitter maximum (usec) : 5225
    transport event packet-loss counter : 0
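To show what the performance-monitor output above actually measures, here is an added Python example (not Cisco code) that computes the same metrics from an RTP packet trace: interarrival jitter per the RFC 3550 estimator (J = J + (|D| - J)/16, reported as mean/min/max in microseconds), the packets-lost counter from sequence gaps, and the "transport-packets-lost-rate gt 10.00" reaction. The packet trace and the 8 kHz clock rate are constructed.

```python
"""RTP jitter and packet-loss metrics of the kind the Medianet performance
monitor reports, plus the threshold reaction from the slide's config.
Added example, not Cisco code. The packet trace is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RtpPacket:
    arrival_us: int   # receiver arrival time, microseconds
    seq: int          # RTP sequence number (no 16-bit wrap in this sample)
    timestamp: int    # RTP timestamp in clock ticks


def rtp_metrics(packets, clock_hz=8000):
    """Return jitter stats (usec), lost-packet count and loss rate (%) for one stream."""
    us_per_tick = 1_000_000 / clock_hz
    jitter = 0.0
    samples = []
    prev = None
    for pkt in sorted(packets, key=lambda p: p.arrival_us):
        if prev is not None:
            # RFC 3550: D(i,j) = (R_j - R_i) - (S_j - S_i), here in microseconds
            d = ((pkt.arrival_us - prev.arrival_us)
                 - (pkt.timestamp - prev.timestamp) * us_per_tick)
            jitter += (abs(d) - jitter) / 16
            samples.append(jitter)
        prev = pkt
    seqs = [p.seq for p in packets]
    expected = max(seqs) - min(seqs) + 1          # packets the sender emitted
    lost = expected - len(set(seqs))              # gaps in the sequence space
    return {
        "jitter_mean_us": sum(samples) / len(samples) if samples else 0.0,
        "jitter_min_us": min(samples) if samples else 0.0,
        "jitter_max_us": max(samples) if samples else 0.0,
        "packets_lost": lost,
        "packets_lost_rate": 100.0 * lost / expected,
    }


def react_packet_loss(metrics, threshold=10.00):
    """Mirror 'react ... transport-packets-lost-rate threshold value gt 10.00':
    True when the alarm condition holds."""
    return metrics["packets_lost_rate"] > threshold


# Constructed trace: 20 ms (160-tick) packets with small timing wobble and
# sequence numbers 103 and 107 missing (2 of 10 expected packets lost).
SAMPLE_TRACE = [
    RtpPacket(0, 100, 0),
    RtpPacket(20000, 101, 160),
    RtpPacket(41600, 102, 320),
    RtpPacket(80000, 104, 640),
    RtpPacket(100400, 105, 800),
    RtpPacket(120000, 106, 960),
    RtpPacket(160000, 108, 1280),
    RtpPacket(181600, 109, 1440),
]

if __name__ == "__main__":
    m = rtp_metrics(SAMPLE_TRACE)
    for k, v in m.items():
        print(f"{k:20s}: {v:.2f}" if isinstance(v, float) else f"{k:20s}: {v}")
    print("alarm (loss rate > 10.00):", react_packet_loss(m))
```

Note that the estimator smooths each new |D| with a 1/16 weight, so a single late packet moves the reported jitter only gradually, while the loss rate is a ratio over the whole sequence window; a 20% loss trace trips the alarm, whereas exactly 10.00% does not because the condition is strictly greater-than.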

32 Cisco Catalyst Campus Value Proposition: Addressing Campus Megatrends (BYOD, Video, Security)
End-to-end OS consistency with IOS 15.0 across Cisco Catalyst VSS 4T, Cisco Catalyst 4500E and Cisco Catalyst 3750-X; Cisco Validated Designs for campus deployment; managed with Cisco Prime NCS.
- TrustSec: SGT / SGACL, CoPP, MACsec, EVN / VRF-Lite, NDAC, VPLS / A-VPLS; cloud: ISR, ASR1000, ISE
- Application Visibility and Control: Flexible NetFlow, microflow policing, Medianet 2.2 services, NBAR2 with NAM-3, AVC with WiSM-2
- Services modules: WiSM2, ASA-SM, NAM-3
- Smart operations: Smart Install, Embedded Event Manager (EEM), Virtual Switching System, GOLD, Cisco Prime
- Resiliency: Quad Sup VSS SSO, NSF / SSO, multicast HA, EFSU, BGP PIC
Some of these were covered previously in the day.

