Slide 1: Cisco Unified Access Roadshow
Enterprise Backbone Technologies Enabling BYOD and Collaboration
Vivek Baveja, Technical Marketing Engineer, Enterprise Networking Group
Slide 2: Use Cases: Backbone Support for BYOD, Video, and Collaboration
Questions to be answered (core, distribution and access layers):
- How do I build a scalable, secure, converged wired/wireless campus network to support these trends?
- How do I bring both corporate-owned and employee-owned devices on to the network?
- How do I secure my device and user communities?
- How do I provide a consistent user experience?
- What services do I need to enable the infrastructure?
- How do I manage this at an enterprise level?
- How do I monitor this at an enterprise level?
Slide 3: Cisco Catalyst 6500: Top Questions from Customers
- How does the 6500 with Sup2T fit into a BYOD infrastructure?
- When do I use the Catalyst 6500 instead of the Nexus 7000?
- What is the future of the 6500?
- How do I secure the campus for BYOD?
- How can the Catalyst 6500 provide the necessary network visibility for my BYOD infrastructure?
Slide 4: Backbone Switching Strategy, Portfolio and Areas of Investment
Slide 5: Cisco Catalyst or Nexus? Positioning the Correct Solution
Cisco Catalyst in the campus to support BYOD and collaboration.
Campus:
- Backbone: lead with Catalyst 6500 Sup2T
- Distribution: lead with Catalyst 6500 Sup2T
- Access: lead with Catalyst 4K / 3K
- Drivers: video, mobility/BYOD, security, energy efficiency
Data center:
- Backbone and aggregation: lead with Nexus 7000
- Access: lead with Nexus 5000/2000
- Drivers: workload mobility, VM, 10G/virtualization
In line with the company's investments; engineering investments and roadmap follow positioning.
Slide 6: Switching Requirements: Difference Between Campus and Data Center
Campus (Catalyst family, IOS):
- User access control / segmentation: 802.1X, Easy Virtual Networks (EVN)
- Video intelligence: Medianet
- Wired/wireless convergence: wireless controller integration
- Application visibility: Flexible NetFlow, NAM-3 (NBAR2)
- Power over Ethernet: UPOE, EnergyWise
Data center / cloud (Nexus family, NX-OS):
- Cloud security and VM awareness: Nexus 1000v, VSG, ASA 1000v
- VM mobility: LISP, VXLAN, OTV
- LAN/SAN convergence: unified ports, FCoE
- Fabric scale and resilience: FabricPath, vPC, wire-speed 10/40/100G
- Data center consolidation: VDC, FEX, DCNM
In line with the company's investments; customer requirements and needs ultimately drive the sale.
Slide 7: Cisco Catalyst 6500 E-Series: Strategy and Direction Supporting BYOD and Collaboration Trends
- Innovation and differentiation: innovation with investment protection; the network services platform for Unified Access (Cisco Catalyst E-Series)
- Transition: driving next-generation Ethernet in the campus, 1G » 10G » 40G » 100G; price/performance
- Lower TCO: virtualization, simplified operations, and change management
Slide 8: Cisco Catalyst 6500 Installed Base in Perspective: Driving Future Investment Decisions
- FY12 Cat 6500 port share of total modular industry* (*assuming Dell'Oro as a baseline for industry total modular)
- $200+ million investment surrounding Sup2T development (compare with Tesla Motors' $150M investment for its first fully electric sports car)
- $200+ million investment planned over the next 3 years alone: rich network services, Ethernet evolution, lower TCO, investment protection
- 750,000+ chassis shipped; 1.2 million supervisors shipped; 110 million ports shipped; 45,000+ Catalyst 6500 customers
Slide 9: Cisco Catalyst 6500 Portfolio: Hardware You Need to Support BYOD and Collaboration Trends
- Services modules: WiSM2, NAM-3, ASA-SM
- 40 GbE fiber: 6904 (FourX, LR4, SR4)
- Supervisor: Sup2T
- 10GbE fiber and copper (40G/slot and 80G/slot): 6816, 6908, 6904
- 1GbE fiber and copper: high-performance fiber access 6824, 6848; copper access 6148 45AT
Slide 10: BYOD and Collaboration with Supervisor 2T: Scalability Enhancements
Sup2T overview: 4X scalability, 3X performance.

Feature | Sup720 | Sup2T
L2 MAC table | 96K | 128K
Bridge domains | 4K | 16K
TrustSec / SGT | – | Yes
NetFlow table | 128K/256K | 512K/1M
System bandwidth | 720 Gbps | 2 Tbps
VPLS / A-VPLS | Requires WAN module | Yes (no WAN module)

Further rows on the slide whose per-column values were not recovered: VNET trunk (EVN), 40G interfaces, L3 interfaces, Flexible NetFlow, hitless ACL updates (a single value of 32K appears in this area of the slide), Medianet 2.2, VSS quad-sup SSO.

Sup2T hardware notes:
- New PFC4 featuring improved levels of performance and scalability along with new enhanced hardware features
- Improved switch fabric providing 80G/slot
- USB-based console support
- New MSFC5 supporting a dual-core CPU and a single IOS image
- Connectivity Management Processor (CMP)
- Managed by Cisco Prime
Items in purple on the original slide are BYOD, collaboration and video enablers.
Slide 11: BYOD and Collaboration with Supervisor 2T: Scalability Enhancements (line cards)
6900 series with DFC4:
- Non-blocking 80G/slot performance
- Wire-rate MACsec
- Virtual switching link (VSL)
- Large packet buffers (256 MB/port)
- X2 transceiver or SFP+ with adapter
- Available in standard and XL sizes
- LISP-ready
- 4-port 40G: $36,000 (FourX, CFP-40G-SR4, CFP-40G-LR4)
- Doubled system performance, with distributed forwarding
6800 series with DFC4:
- 40G/slot with integrated DFC4
- 24 and 48 ports 1GbE fiber
- 48 ports 10/100/1000 copper
- 16 ports 10GbE fiber and 10GBASE-T
- Available in standard and XL sizes
- Distributed forwarding performance, at central forwarding price
Presenter note: comment on price/performance of the 68xx.
Slide 17: Advantages of Integrated Solution: Simplification, Scalability and Lower TCO
Simplified manageability:
- Managed as a single entity with backplane integration
- Integrated application intelligence, traffic analysis, and performance troubleshooting
- Remote monitoring with RSPAN/ERSPAN
Increased scalability:
- Virtual contexts to support virtualization for BYOD
- Service modules match the latest appliance specifications (speeds/feeds)
Lower total cost of ownership:
- Reduced network footprint
- No external connectors
- Improved power management
- Reduced rack space utilization
Presenter notes: Get to the packets right at the source over the backplane. Provide additional services as part of the service switch in the DC. A Swiss army knife providing traffic analysis, application response time analysis, voice quality monitoring, and packet capture troubleshooting.
Slide 18: NAM-3 L3-7 Application Visibility: Providing Better Insight for a BYOD Infrastructure
- Consistent application visibility, branch to data center, across the application delivery lifecycle: monitoring, troubleshooting, control and optimization
- Can work with Flexible NetFlow as a collector (local or external devices)
- Service-centric causal analysis across application and network traffic flows
- Application-specific (L7) packet analysis (NBAR2*)
- Wireless CAPWAP decode
- Can be managed by Cisco Prime
- Link utilization
*CY Q4 2012
Slide 19: Wireless Services with WiSM-2: Supporting Campus Wireless and BYOD (WiSM-2 GUI tools)
One device for converged wireless and wired services supporting next-generation wiring closet infrastructures.
Reduced operational costs:
- Scale: 1000 access points, 15,000 clients
- Central maintenance: simultaneous AP upgrade, troubleshooting
- Mobility: 36,000 APs in a mobility domain, fast roaming
- Performance: 10 Gbps throughput
New features:
- Application Visibility and Control (AVC), NetFlow v9
- Bonjour support
- NMSP location services
- Stateful AP failover with VSS
Hardware: 20 Gb backplane channel; dedicated 12-core data processor; dedicated 12-core control processor; status LEDs; serial and USB console ports.
Management: Prime, ISE.
WiSM2 is capable of acting as Mobility Coordinator (MC) and Mobility Tunnel Endpoint (MTE).
Slide 20: Catalyst WiSM-2 as Bonjour Gateway*: Improving Campus WLAN Performance for BYOD (*Q4 CY2012)
Diagram: core switch; access switches 1 to 4; Catalyst 6500 w/WiSM-2; Room 201 (printer-201, atv-201) and Room 203 (printer-203, atv-203); two wireless users in room 201, Adam (role: faculty) and John (role: student), each asking "What services can I use?"
Presenter notes:
- Apple Bonjour found its best use in home networks where only one subnet exists (music folders on an iPad, etc.).
- Corporate users expect a similar plug-and-play experience.
- IT groups see Bonjour traffic everywhere, and it congests the WLAN as it turns on and runs. People use it at home, and then at work no one turns it off.
- The user is on their wireless iPad; they want print services, music and content.
- WiSM-2 builds a database of Bonjour users and services.
Slide 21: Firewall Services with ASA-SM: High-Performance Platform with Security Directly in the Backbone
- Multigigabit fabric: chassis backplane, virtualized interfaces, module-to-module communications; 20 Gig backplane connectivity for high-performance communication between modules
- Multiple contexts (250)
- High capacity: 24 GB of memory for handling high session counts and VPN sessions, including remote-access VPN and Unified Communications proxy (VPN and UC proxy available in a future release)
- Dual crypto accelerators: hardware-accelerated VPN and Unified Communications encryption to maximize throughput (VPN and UC proxy available in a future release)
- Security service processors: dual multi-core 64-bit processors with 24 cores, allowing high throughput, a high connection rate, and feature flexibility for the future; multi-services capable; future-proof hardware
- NAT64, VPN site-to-site services* (*roadmap)
Slide 22: Catalyst for a Secure Campus: Securing the BYOD Infrastructure at Multiple Layers
Topology: Internet; campus core (protected corporate resources); campus block; access (visitor conference room, employee telepresence room); Catalyst 6500 w/ASA-SM.
- Network edge authentication: how do I extend security outside the wiring closet?
- ACL atomic commit: how can I get zero traffic disruption when modifying ACLs?
- Integrated firewall module: how can I get DPI and stateful connections?
- Control Plane Policing (CoPP) / HWRL: how do I insulate the CPU from heavy protocol traffic?
- ASA clustering: how do I scale campus firewall performance?
Slide 23: Secure On-Boarding for BYOD: Easy Virtual Networks (EVN) and ASA-SM Segregate BYOD from Corporate-Issued Devices
Access control, then path isolation:
- Trusted devices: SSID → Identity → Device Sensor → VLAN X → VRF X → Firewall Context X
- Untrusted devices: SSID → Identity → Device Sensor → VLAN Y → VRF Y → Firewall Context Y
Backbone: Cisco Catalyst VSS 4T with ASA-SM firewall, IPS services, WiSM2 and NAM-3.
Why segregate:
- BYOD devices need the same access as corporate devices
- Greater inspection is required for BYOD devices
- BYOD devices don't get mandatory virus/security updates
- Path isolation across the network to IPS or ASA-SM maintains compliance (HIPAA, PCI, FISMA; Health Insurance Portability and Accountability Act of 1996)
EVN benefits:
- Simplified configuration: 10x+ config savings; pre-provision configuration; less prone to errors; backwards compatible with VRF-Lite for migration
- Enhanced troubleshooting: routing context for ease of operation inside a VRF; improved debug conditions for virtualized environments; enhanced manageability with the new Cisco VRF-MIB; VRF traceroute
- Enterprise focus: network virtualization solution for the enterprise; scales to 32 segments; unique in the industry; built on existing campus protocols; interoperates with existing WAN solutions
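The VLAN → VRF → firewall-context chain on this slide, written out as Sup2T configuration. This is an added example, not configuration from the deck or from Cisco; the VRF names, vnet tags, VLAN and IP numbering, interface names and the ASA-SM slot are assumptions chosen for illustration.

```ios
! Added example (not from the deck): EVN segmentation of corporate vs BYOD
! traffic on a Catalyst 6500 Sup2T. VRF names, vnet tags, VLAN/IP numbers,
! interface names and the ASA-SM slot are assumed.
!
! One VRF per device community. The vnet tag is the 802.1Q tag EVN uses on
! every "vnet trunk" link, so the VRF is never configured per link.
vrf definition CORP
 vnet tag 100
 address-family ipv4
 exit-address-family
!
vrf definition BYOD
 vnet tag 200
 address-family ipv4
 exit-address-family
!
! Edge SVIs: ISE assigns VLAN 10 (trusted) or VLAN 20 (untrusted) to the
! port or SSID; the SVI pins that VLAN to its VRF.
interface Vlan10
 description Corporate-issued devices
 vrf forwarding CORP
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description BYOD devices
 vrf forwarding BYOD
 ip address 10.20.20.1 255.255.255.0
!
! A single physical uplink carries both VRFs; EVN creates the per-VRF
! subinterfaces (Te1/1.100 and Te1/1.200) automatically.
interface TenGigabitEthernet1/1
 description EVN trunk to core
 vnet trunk
 ip address 10.1.1.1 255.255.255.252
!
! Hand-off to the ASA-SM in slot 4: each VRF exits through its own firewall
! VLAN, which the ASA-SM side maps to its own security context.
interface Vlan100
 description To ASA-SM context CORP
 vrf forwarding CORP
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan200
 description To ASA-SM context BYOD
 vrf forwarding BYOD
 ip address 10.200.0.1 255.255.255.0
!
firewall vlan-group 1 100,200
firewall module 4 vlan-group 1
!
! Each VRF's default route points at its context's inside address (assumed),
! so BYOD traffic cannot reach corporate resources except through the
! BYOD context's policy.
ip route vrf CORP 0.0.0.0 0.0.0.0 10.100.0.2
ip route vrf BYOD 0.0.0.0 0.0.0.0 10.200.0.2
```

The "routing context" the slide lists under enhanced troubleshooting is the exec-mode command `routing-context vrf BYOD`: after it, unqualified `show ip route`, `ping` and `traceroute` operate inside that VRF, which is how an operator confirms that a BYOD host's only exit is the BYOD firewall context.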
Slide 25: Cisco Catalyst for Device Security Across Non-TrustSec Domains: Monitor SGACL Packet Drops with Flexible NetFlow
Diagram: TrustSec domain, L3 SGT transport, TrustSec domain; Identity Services Engine; SGACL enforcement; three /24 subnets mapped to SGT 10, 20 and 30; server.
- Manual or dynamic subnet mapping
- Packets are sent with "transport mode" ESP to carry the SGT without encryption or data authentication (header change); the packet overhead (42-45 bytes) impacts IP MTU/fragmentation
Presenter notes: In the main CTS slide, we saw an SXP session between the access switch and the distribution switch. SXP allows a non-TrustSec-capable device to pass IP-to-SGT mappings through the protocol so that the next TrustSec-capable switch can simply hardware-tag packets based on the bindings that arrive in the SXP messages. In this slide, we show an IP-to-SGT mapping capability that is slightly different from the SXP-based one. Here, the access layer consists of legacy hardware that is not TrustSec-capable in hardware or software. In this case the mapping is done manually in the distribution switches and packets get tagged accordingly.
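Both mapping paths described in the presenter notes, the manual subnet-to-SGT mapping on the distribution switch and the SXP-learned bindings, as an added configuration example (not from the deck or from Cisco). The subnets, SGT values, SXP peer address, VLAN range and password placeholder are assumptions.

```ios
! Added example (not from the deck): carrying SGTs across a distribution
! switch whose access layer is not TrustSec-capable. Subnets, SGT values,
! peer address and VLAN range are assumed for illustration.
!
! Static subnet-to-SGT mapping (the slide's "manual subnet mapping"):
! anything the legacy access layer sends from these subnets is classified
! and tagged by the Sup2T in hardware.
cts role-based sgt-map 10.1.10.0/24 sgt 10
cts role-based sgt-map 10.1.20.0/24 sgt 20
cts role-based sgt-map 10.1.30.0/24 sgt 30
!
! Dynamic alternative (the slide's "dynamic subnet mapping"): learn
! IP-to-SGT bindings over SXP from an access switch that authenticates
! users with ISE. This switch is the SXP listener; 10.0.0.2 is the speaker.
cts sxp enable
cts sxp default password 0 SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.0.0.2 password default mode local listener
!
! Enforce SGACLs here, so that policy drops happen on this switch and can
! be counted. The SGACL content itself is downloaded from ISE.
cts role-based enforcement
cts role-based enforcement vlan-list 10-30
!
! Verification (exec mode):
!   show cts role-based sgt-map all    - active IP/subnet -> SGT bindings
!   show cts sxp connections           - SXP session state per peer
!   show cts role-based counters       - permitted/denied packets per SGT pair
```

The per-SGT-pair counters are the first place to look when a BYOD community suddenly shows a rising denied count; exporting the same SGT pairs in Flexible NetFlow (the slide's title) adds the who and when that a counter alone does not give.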
Slide 26: IPv6: First-Hop Security and uRPF: Prepare and Secure Your New IPv6 Wired and Wireless Network
Topology: IPv6/IPv4 dual-stack hosts; access layer (L2 access, WLC); distribution layer (L3); core layer; IPv6 WAN.
Access layer:
- IPv6 device tracking: revoke network access for inactive devices
- IPv6 PACL: filter traffic on Layer 2 ports
- IPv6 RA Guard: stops false router advertisement threats
- IPv6 NDP inspection: prevents neighbor discovery spoofing attacks
Distribution layer:
- IPv6 device tracking: revoke network access for inactive devices
- IPv6 PACL: filter traffic on Layer 2 ports
- IPv6 RA Guard: stops false router advertisements
- IPv6 NDP inspection: prevents spoofing attacks
Core layer:
- IPv6 uRPF: blocks spoofed traffic in hardware (16 paths)
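The four access-layer features and the core uRPF check on this slide, as an added configuration example (not from the deck or from Cisco). Policy names, interface names, the VLAN and the IPv6 prefix are assumptions; the commands are the IOS first-hop security syntax as the author of this example knows it.

```ios
! Added example (not from the deck): IPv6 first-hop security on an access
! switch and IPv6 uRPF in the core. Policy names, interface names, VLAN
! and prefix are assumed for illustration.
!
! Snooping builds the binding table (IPv6 address <-> MAC <-> port) that
! device tracking and ND inspection rely on; "tracking enable" ages out
! bindings of hosts that stop answering, revoking their access.
ipv6 snooping policy HOST-SNOOP
 tracking enable
!
! RA Guard: hosts may never send Router Advertisements; only the uplink
! (device-role router) may.
ipv6 nd raguard policy HOST-RAGUARD
 device-role host
!
ipv6 nd raguard policy UPLINK-RAGUARD
 device-role router
!
! ND inspection validates Neighbor Advertisements against the binding
! table, so one host cannot claim another host's address.
ipv6 nd inspection policy HOST-NDI
 validate source-mac
!
! Port ACL on the access port: a host must never act as a DHCPv6 server
! (server port 547 -> client port 546); everything else is allowed here.
ipv6 access-list HOST-PACL
 deny udp any eq 547 any eq 546
 permit ipv6 any any
!
! Apply to every access port.
interface range GigabitEthernet1/1 - 24
 switchport access vlan 10
 ipv6 snooping attach-policy HOST-SNOOP
 ipv6 nd raguard attach-policy HOST-RAGUARD
 ipv6 nd inspection attach-policy HOST-NDI
 ipv6 traffic-filter HOST-PACL in
!
! The uplink carries the legitimate router's RAs.
interface TenGigabitEthernet1/1
 description Uplink to distribution
 ipv6 nd raguard attach-policy UPLINK-RAGUARD
!
! Core: strict unicast RPF drops packets whose source prefix is not
! reachable via the interface they arrived on, in hardware.
interface TenGigabitEthernet2/1
 ipv6 address 2001:DB8:CAFE:1::1/64
 ipv6 verify unicast source reachable-via rx
!
! Verification (exec mode):
!   show ipv6 neighbors binding                   - learned bindings
!   show ipv6 snooping counters interface Gi1/1   - drops per feature
!   show ipv6 nd raguard policy HOST-RAGUARD      - where the policy applies
```

On a dual-stack access port the IPv4 equivalents (DHCP snooping, dynamic ARP inspection, IP source guard) still need to be present; these IPv6 policies only govern the IPv6 half of the host's traffic.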
Slide 27: BYOD Requires More Traffic Visibility: The Case for Flexible NetFlow
Topology: campus buildings A, B and C; campus core; Internet; NOC; numbered flow collection points 1 to 4.
Typical causes of poor application performance:
- Bandwidth/capacity bottleneck
- Unauthorized use of network resources
- Security monitoring: monitor non-corporate devices
Flexible NetFlow provides the application visibility needed to answer the "who, what, when, where, how" of network activities in order to:
- Identify the root cause more easily, faster and more accurately
- Assign problem ownership
- Increase operational efficiency
- Lower TCO
Slide 28: BYOD Requires More Traffic Visibility: Flexible NetFlow for the Sup2T
- Increased customization by selecting the fields to match and collect, for both IPv4 and IPv6
- CPU-friendly export: optimal CPU utilization with yielding NetFlow data export; direct export from a module
- Up to 13M flows per system: bigger tables mean more entries per system, up to 13 million entries with a 13-slot chassis, giving better visibility into the network
- Egress NetFlow: allows NetFlow after the ingress lookup is done (NetFlow on CoPP); allows accounting for multicast traffic per destination instead of per group
- Sampled NetFlow in hardware: optimizes NetFlow table utilization and minimizes load on analyzers
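One Flexible NetFlow configuration that serves both slide 25 (count SGACL drops per SGT pair) and this slide (custom match/collect fields, export to a collector, egress NetFlow, hardware sampling). This is an added example, not configuration from the deck or from Cisco. The collector address, exporter and monitor names, interface names and the sampling rate are assumptions, and the SGT match fields and forwarding-status collect field are assumed to be available on the Sup2T software in use.

```ios
! Added example (not from the deck): Flexible NetFlow on Sup2T keyed on
! source/destination SGT, exported to an external collector, applied
! unsampled on the BYOD SVI and sampled in hardware on the core uplink.
! Collector address, names, interfaces and sampling rate are assumed.
!
flow exporter NOC-COLLECTOR
 destination 10.50.1.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Custom record: the SGT pair plus the forwarding status, so a collector
! can group dropped packets by (source SGT, destination SGT).
flow record SGT-AWARE
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing forwarding-status
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor SGT-MON
 exporter NOC-COLLECTOR
 record SGT-AWARE
 cache timeout active 60
!
! 1-in-64 deterministic sampling performed in hardware, for busy uplinks
! where a full flow table would exhaust entries and overload the analyzer.
sampler SAMPLE-64
 mode deterministic 1 out-of 64
!
! Full visibility on the BYOD SVI: ingress and egress (the egress monitor
! also accounts for policy drops and multicast per destination).
interface Vlan20
 description BYOD devices
 ip flow monitor SGT-MON input
 ip flow monitor SGT-MON output
!
! Sampled on the core-facing 10G link.
interface TenGigabitEthernet1/1
 description EVN trunk to core
 ip flow monitor SGT-MON sampler SAMPLE-64 input
!
! Verification (exec mode):
!   show flow monitor SGT-MON cache format table
!   show flow exporter NOC-COLLECTOR statistics
!   show sampler SAMPLE-64
```

Sampled records report counts of sampled packets, so a collector must scale them by the sampling interval before comparing the uplink with the unsampled SVI; the exporter's option templates carry that interval for v9-capable collectors.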