Denis Kodentsev, Consulting Engineer, CCIE
28 November 2019
Cisco routers and switches: a universal platform for both traditional and software-defined SD-Access/SD-WAN architectures.
© 2019 Cisco and/or its affiliates. All rights reserved.
What will we cover?
01 Evolution of Cisco LAN switches
02 Cisco innovations for LAN and SDN
03 Evolution of Cisco routers for WAN and corporate data networks
04 Cisco SD-WAN news
Cisco enterprise switching portfolio
Catalyst 9000 Series
Cisco Catalyst 9400 Series
Cisco Catalyst 9300 Series
Cisco Catalyst 3650/3850
Cisco Catalyst 4500E Series
Cisco Catalyst 3850F/4500-X
Cisco Catalyst 6840-X/6880-X
Cisco Catalyst 2960-X/XR
Cisco Catalyst 9200 Series
Cisco Catalyst 9500 Series
Cisco Catalyst 6500-E/6807-XL
Cisco Catalyst 9600 Series
Access | Distribution/Core
NEW ‘9300L, -S, -B’
NEW ‘9200L mGig’
NEW ‘48x1G 90W LC’
NEW ‘48xmGig LC’
NEW ‘9300L mGig’
NEW ‘1G on 48YL LC’
Access-layer devices: Catalyst 9200, 9300, 9400
Catalyst 9200 | Catalyst 9300 | Catalyst 9400
Increased Scale, Increased Performance, Lower TCO
Advantage
Essentials
Layer 2, Routed Access, Programmability
Base Automation with L2/L3
Full Automation/Assurance, Routing and Segmentation
Full Layer 3, Network Segmentation*
Base Automation & Base Assurance
Software Defined Access*
Encrypted Traffic Analysis, Embedded WLC, SD Bonjour, Application Hosting
Advanced Assurance*
Platform
Built with UADP. Stacking, Dual FRU PS, FRU Fan/UL
Full PoE+, 10G UL
High Density mGig, UPOE, 25/40G UL
x86 CPU, Stackpower, MACSec 256
Embedded CPU, MACSec 128
High Availability
Open IOS-XE
NW, DNA
(*) Increased functionality and scale on 9400/9300
Cisco Catalyst 9200 Series switches
Catalyst 9200 Series switching SKUs
9200 (Data/PoE+) | 9200L (Data/PoE+)
Data: 24 Ports, 48 Ports
4 x 1G and 4 x 10G Uplinks
PoE+: 24 Ports, 48 Ports
Data: 24 Ports, 48 Ports
4 x 1G and 4 x 10G Uplinks
PoE+: 24 Ports, 48 Ports
Modular Power Supplies available on all the SKUs
Cisco Catalyst 9200 Series: new models with mGig support
New Cisco Catalyst 9200L Series mGig models (IOS-XE 16.11)
• 16 x 1G Ports, 8 x mGig Ports, 4 x 10G / 2 x 25G Uplinks
• 36 x 1G Ports, 12 x mGig Ports, 4 x 10G Uplinks
• 40 x 1G Ports, 8 x mGig Ports, 2 x 25G Uplinks
MultiGigabit Portfolio Across Catalyst 9000 Access
Full PoE+
Category | Feature | 9200 | 9200L | 2960XR | 2960X
Modern OS | Model Driven Programmability | ✓ | ✓ | ✘ | ✘
Modern OS | Streaming telemetry | ✓ | ✓ | ✘ | ✘
Modern OS | Patching | ✓ | ✓ | ✘ | ✘
Advanced Routing | VRF Support | ✓ | ✓ | ✘ | ✘
Advanced Routing | ISIS | ✓ | ✓ | ✘ | ✘
Advanced Routing | EIGRP | ✓ | ✓ | EIGRP Stub only | EIGRP Stub only
Advanced Routing | OSPF | ✓ | ✓ | ✓ | ✓
Fabric | SDA Fabric Edge | ✓ | ✓ | ✘ | ✘
Security | MACsec-128 | ✓ | ✓ | ✘ | ✘
Security | Trustworthy System | ✓ | ✓ | Limited Support | Limited Support
Security | SGT | ✓ | ✓ | ✘ | ✘
Visibility | Full Flexible Netflow | ✓ | ✓ | Ingress Only | Ingress Only
QoS | QoS Model | MQC | MQC | MLS | MLS
QoS | Hierarchical QoS | ✓ | ✓ | ✘ | ✘
Catalyst 9200: ordering in Russia
• Special part numbers with the letter ”R” in the part number
• All user-traffic encryption (including MACsec) is disabled, which simplifies import
• If MACsec is needed, order the global part numbers without ”R”. An import permit will then be required.
C9200-24P-RE, C9200-48P-RE, C9200-48P-RA, C9200-48T-RE, C9200-48T-RA, C9200L-24P-4G-RE, C9200L-24P-4X-RE, C9200L-48P-4G-RE, C9200L-48P-4X-RE
C9200L-24T-4G-RE, C9200L-24T-4X-RE, C9200L-48T-4X-RE, C9200L-48T-4G-RE, C9200L-48PXG-4X-RE, C9200-24T-RE, C9200-24T-RA, C9200-24P-RA
C9200L-24T-4G-RA, C9200L-24P-4G-RA, C9200L-48T-4G-RA, C9200L-48P-4G-RA, C9200L-24T-4X-RA, C9200L-48T-4X-RA, C9200L-24P-4X-RA, C9200L-48P-4X-RA
C9200L-24PXG-4X-RE, C9200L-24PXG-4X-RA, C9200L-24PXG-2Y-RE, C9200L-24PXG-2Y-RA, C9200L-48PXG-4X-RA, C9200L-48PXG-2Y-RE, C9200L-48PXG-2Y-RA
Cisco Catalyst 9300L Series: fixed 9300 models, successors to the Catalyst 3650
Modular fans
Optional Stack kit
Higher-efficiency AC and DC power supplies
Cisco Catalyst 9300 leadership
UADP 2.0
Cisco IOS® XE Software
SD-Access
x86 CPU and containers
Encrypted Traffic Analytics
MACsec-256 link encryption
Trustworthy solutions
Cisco StackWise®-320
IEEE1588 and AVB
NBAR2
Perpetual/Fast PoE
Model-driven programmability
Patching/GIR
Full Flexible NetFlow
Streaming telemetry
StackWise-320
350W AC, 715W AC/DC, 1100W AC
Platinum rated
Large Buffers & Scale
Data SKUs | PoE SKUs | mGig/UPOE SKUs
4 x 10G uplinks, 4 x 1G uplinks, 4 x 10G uplinks
4 x 1G uplinks
C9300L-24UX-4X, C9300L-24UX-2Q
C9300L-48UX-2Q, C9300L-48UX-4X
24/48 Port 1G | 24/48 Port 1G | 24/48 Port 1G
Cisco Catalyst 9300-S Series: models for 1GE fiber aggregation
1G fiber aggregation
Fiber to the desktop
Collapsed access
24-port – C9300-24S
48-port – C9300-48S
Modular fans
Modular uplinks: 8x 10G, 2x 40G, 4x Multigigabit, 4x 1G, 2x 25G
Higher-efficiency AC and DC power supplies: 315W AC, 715W AC/DC, 1100W AC
• 24 and 48 port SFP SKUs
• Transition Catalyst 3850 1G SFP to Catalyst 9300 1G SFP
• Wire-speed, non-blocking performance
• Seamlessly integrates with Cisco Catalyst 9300 Series copper
• Supports same optics
• Common stacking – StackWise-480
• Common power stacking – StackPower
• Common uplink modules
• Common power supplies, fans, cables
Cisco Catalyst 9600 Series: the new generation of core and distribution layer switches
Extending Cisco Catalyst 6000 Series leadership in modular core
• 7.5x throughput per slot
• 3x port density (40G), 4x CPU
• No Oversubscription
Cisco® Catalyst® 9600 Series leadership
Cisco UADP 3.0
Cisco IOS® XE Software
SD-Access
x86 CPU and containers
256 MACsec on all ports/speed at line rate
Cisco StackWise® Virtual*
Patching and GIR
Model-driven programmability
Streaming telemetry
Powered by UADP 3.0
6-slot (8RU) chassis: 25.6 Tbps
Supervisor-1: 2.4 Tbps per slot
Fiber line cards
• 48 ports x 25G/10G/1G*
• 24 ports x 40G / 12 ports x 100G
Copper line card
• 48x Multigigabit copper* (non-PoE)
Resiliency
Programmability and telemetry
Security
* Roadmap
Dual serviceable fan tray
2000W AC and DC power supplies
240GB, 480GB, or 960GB SSD storage
StackWise Virtual cluster support on the C9600
IOS-XE 16.12
• A Distribution layer technology allowing stacking of 2 switches
• Supports flexible distances with support of all supported cables and optics
• SVL and DAD links are supported on any ports with 10G or higher speed, including QSA
• DAD support with 1G or higher speed from IOS-XE 16.12.2/17.1 (Q2FY20)
• SVL: StackWise Virtual Link
  • Same speed ports (10G or higher)
  • Up to 8 ports
• DAD: Dual Active Detection
  • Fast Hello
    • Directly connected
    • Up to 4 links
  • Enhanced PAgP
    • EtherChannel with PAgP
    • Up to 4 port-channels
• IOS-XE 16.12.x: 2nd Supervisor is not supported in the chassis and will be powered off if inserted in SVL Mode
StackWise Virtual is supported with IOS-XE 16.12.1 or later
But that's not all… C9600 Quad SUP RPR – StackWise Virtual
IOS-XE 17.1
RPR: Route Processor Redundancy
SSO: Stateful Switchover
StackWise-A: StackWise Virtual Active
StackWise-S: StackWise Virtual Standby
ICS: In-chassis Warm Standby
[Diagram labels: Chassis-1, Chassis-2, StackWise-A, StackWise-S, ICS, SSO, RPR]
• Active supervisor in chassis-2 becomes StackWise Active
• Warm standby supervisor in chassis-1 continues the boot process to become StackWise standby while the line cards in chassis-1 get reset
Catalyst 9600 line card with mGig ports
C9600-LC-48TX
• 48 Ports mGig copper LC
• Full mGig on all ports
• Supported speeds: 100M/1G/2.5G/5G/10G
• No PoE/UPOE
EFT Aug 2019
Copper Deployments | Collapsed Core | 1GE to 10GE Transition
Planned for the near future
New Catalyst 9400 90W UPOE+ module: the first model with 90W UPOE+ support
C9400-LC-48H
IOS-XE 16.12
Catalyst 9400, Cat5e/6 cabling
• Up to 260* x 90W concurrent power
• IEEE 802.3bt standards compliant
• 48 x 1G Ports per line card
• Up to 8 x 3200W AC/DC PSU
Investment Protection with 90W UPoE+
* 10-slot chassis w/o power redundancy. Subject to available PoE power budget in chassis
New 802.3bt* Type 4: 90W UPOE+
Cisco UPOE+ (low voltage)
Cisco and partner cloud services for control
New Devices
90 Watt devices: Large Video Displays, Network Powered Light arrays
30 - 60 Watt devices: Wall switch, PTZ UHD Cameras, HVAC VAVs
10/31/2019: Announcement
10/31/2020: End of sale
10/31/2025: End of support
End of Sale in 2020
Catalyst 3850 (excluding Fiber SKUs)
Catalyst 4500E (excluding Sup9-E)
Catalyst 4500X Series
Catalyst 6880 and 6840 Series
Catalyst 6500* (6/9/13 slots Chassis/Sup2T)
Catalyst 9300
Catalyst 9400
Catalyst 9500
Catalyst 9600
* Currently no plans to EoS Catalyst Modular C6800 Series
IOS-XE 16.12 news for enterprise switching
IOS-XE 16.12.1: new capabilities for your Catalyst 9000
Enhanced Security Controls
• Object Group ACL - C9300, C9400, C9500, C9600
• MACsec - MKA High-Availability - C9300, C9400, C9500, C9600
• Secure SVL support with SESA MACsec 128 - C9500, C9600
• CoA support on VRF for IPv4 and IPv6 - All
Flexible Network Segmentation
• L3VPN over GRE – C9300, C9400, C9500, C9600
• VPLSoGRE - C9300, C9400, C9500, C9600
• EoMPLS over GRE - C9300, C9400, C9500, C9600
• BGP-EVPN RT ASN rewrite
• EVPN VXLAN MAC Aliasing for Distributed Anycast Gateway
High Availability
• SVL - C9600
• ISSU on SVL - C9600
• Extended FSU – C9300 (Controlled Availability)
• SVL on QSA - C9500 High Performance, C9600
Platform / Infra
• Native Docker support for application hosting – C9300
• PM Bidir - C9300, C9400, C9500, C9600
• Sub-interface Support - C9300, C9500
• Support 802.3bt Type 3 - C9300
• Support 802.3bt Type 4 - C9400
• Flexlink+ – C9300, C9400, C9500
• Guestshell – C9200
MPLS Over GRE
IOS-XE 16.12
• Static GRE Tunnels built over IP Core between MPLS PEs
• L2 VPN (EoMPLS and VPLS Support) & L3 VPN Services over GRE can be enabled
GRE scale varies based on platform
GRE SRC | GRE DST
PE | PE
P | P
PE | P
P | PE
[Diagram labels: CE1, CE2, CE3, PE1, PE2, PE3, MPLS Edge (L2/L3), GRE Tunnel, IP Core without MPLS]
MACsec over EoMPLS link
IOS-XE 17.1.1
[Diagram labels: CE-1, CE-2, PE-1, PE-2, Cat 9k Switch, MACsec Encrypted Link, EoMPLS, MPLS, Targeted LDP]
Extended Fast Software Upgrade on Catalyst 9300
Data Plane
Control Plane
• xFSU provides a mechanism to independently update the control plane and data plane during the upgrade process
• Control plane is upgraded by leveraging Graceful Reload Infrastructure without impacting data plane traffic
• Data plane (ASIC) is re-programmed in less than 30 seconds by leveraging special cache memory which stores active forwarding entries
Service recovery speed
[Two plots of Bandwidth (50%, 100%) against Time]
Regular Upgrade: stack is down > 10 minutes
xFSU: Standby and Members < 30 seconds; Active < 30 seconds; SSO
Network fabric with Cisco Catalyst 9200-9600: SD-Access, MPLS or BGP EVPN
Classic design
• Reduced complexity, resiliency, and scale
• IPv4/IPv6, unicast and multicast; QoS and ACL scale
MPLS
• Segmentation, scale, LAN/WAN consistency
• MPLS VPNs (L2 and L3), MPLS over GRE
SD-Access, BGP EVPN
• Turnkey solution for automation, segmentation, and policy: SD-Access border and CP
• DIY: BGP EVPN VxLAN
[Diagram labels: Client access, Distribution, Core; MPLS with Site 1, Site 2, Site 3, CE, PE, VRFs, Customer Managed MPLS Backbone; Site A with Border + Control, Edge (IoT Network), Edge (Employee Network), Other Sites]
Why BGP EVPN VXLAN?
[Diagram labels: RR, Access/VTEP, L3, VXLAN Overlay]
• Advertise MAC and IP via MP-BGP Address families
• Enables IP/MAC Mobility with Anycast Gateway across the fabric
• BUM Traffic replicated by either Multicast or Ingress replication
• Support of Active-Active Multi-homing using StackWise-Virtual on VTEP
How does VXLAN BGP EVPN technology work?
Roles and terminology
IOS-XE 16.12
BGP Route Reflector/Border: 9500H/9600
Intermediate/Edge Nodes: C9300/9400/9500/9600
[Diagram labels: External, Core/Spine/Border (RR), Core, Intermediate Nodes, L3, Access, Edge/VTEP, VXLAN Overlay, BGP]
SD-Access: Architecture
Role assignment in the fabric
Cisco DNA Center (NCP, ISE, NDP)
Cisco DNA Automation – provides a simple GUI for management, automation (NCP) and context sharing
Cisco DNA Assurance – data collection (NDP) and analysis of client and application flows, monitoring of fabric health
Identity Services – an identity and NAC system (ISE) for dynamically applying groups and security policies to clients
Control-Plane Nodes – a system that determines the relationships between a client and a network device
Fabric Border Nodes – a fabric device (Core) for connecting external L3 networks to the SDA fabric
Fabric Edge Nodes – a fabric device (Access or Distribution) for wired connection of clients to the SDA fabric
Fabric Wireless Controller – a fabric device (WLC) for connecting APs and wireless clients to the SDA fabric
Intermediate Nodes (Underlay)
[Diagram labels: Campus Fabric, B, C, B]
Catalyst 9200, 9300L, 9300 in Cisco SD-Access
DNA & SDA | 9200L | 9200 | 9300L | 9300
User VNs / VRFs supported for SDA | 1 | 4 | 64 | 256
Application policy | Limited | Limited | Yes (L2-L7) | Yes (L2-L7)
Prescriptive L3 Underlay | Yes | Yes | Yes | Yes
Fabric Infra - Fabric Edge - VXLAN, Virtual Networks, LISP, SGT/SGACL | Yes | Yes | Yes | Yes
Fabric Multicast, Selective Flooding, IPv6 Host | Yes | Yes | Yes | Yes
Fabric Wireless | No | Yes | Yes | Yes
Embedded Wireless | No | No | Yes | Yes
Extended Node Support | No | No | Yes (Beta) | Yes (Beta)
Fabric Border, CP, Fabric-in-Box | No | No | Yes | Yes
Assurance - Client Health - Network Health - Fabric Assurance | Yes | Yes | Yes | Yes
ERSPAN as destination | No | No | Yes | Yes
ETA | No | No | Yes | Yes
Advantage
SD-Access Extranet for shared network services
Today
• Fusion Router required to provide shared service access for all User VNs
• Complex config to leak routes to be maintained manually outside fabric
• Traffic Hair-pinning
SD-Access Extranet
• SDA Extranet provides native support for Shared Services Access with Extranet
• Eliminate Fusion Router & manual config
• No Traffic Hair-pinning
Dest VN | Src VN | Permit?
Shared Svc | Employee | YES
Shared Svc | IoT | YES
… | .. | …
Internet | Employee | YES
Internet | IoT | YES
[Diagram labels: IoT VN, Employee VN, C, B, SD-Access Fabric, 10.10.10.0/16]
A completely new interface for creating group-based policies in DNAC
Click to edit contract
Option to use third-party AAA
Sample configuration: Using Group-Based Policies with 3rd party RADIUS
• Authentication and Authorization requests directed to 3rd party
• SGT and VN assignments must be coordinated between 3rd party AAA and DNAC
802.1x/MAB
Access Accept w/ Cisco AV cts:security-group-tag-0001-01 + Vlan ID
Policy Download
Policy Request
[Diagram labels: steps 1, 2, 3; ISE, DNAC, SGT, SRC: 10.1.10.220, DST: 10.1.100.52]
Cisco SD-Access news: secure connection of IoT devices
• The Secure Extended Node will have 802.1x/MAB Authentication enabled to talk to ISE and to download the right VLAN and Secure Group Tag attributes to the end points.
• The Extended Node will have 802.1x/MAB Authentication enabled to talk to ISE and to download the right VLAN for the end points.
• Secure Extended Nodes get provisioned with SGTs on the port channel interface(s) on which they are connected to Fabric Edge Switches
SEN: IE3400, IE3400H
EN: IE3300, IE4000, IE4010, IE5000, IE3400, IE3400H
[Diagram labels: SD-Access fabric, C, B, Fabric Edges, Fabric Edge *, Secure Extended Node, Extended Node, Host 1, Vlan 100, SGT 100, Cisco ISE]
SD-Access Secure Extension: support for connecting ring topologies
[Diagram labels: Fabric Site, B, C, E, ISE, VXLAN, SGT In-Line Tagging for East/West Traffic, REP Ring*]
* REP supported manually
Automation roadmap
SD-Access for small and medium offices (Fabric-in-a-Box)
SD-Access: deployment flexibility
Local Breakout: Border capability provides local breakout
Site Resiliency: Control Plane capability ensures site-local communications
Embedded Wireless: Embedded wireless option eliminates need for dedicated appliance or centralized wireless
[Diagram labels: Fabric-in-a-Box, SD-Access Site A, E, B, C, Guest VN, Employee VN, Internet]
SD-Access
Embedded WLC support on the Catalyst 9300 for small and medium offices
• Customers in small branch deployments might have a router such as ASR which they can configure with B+CP functionality.
• Customers can add another switch such as Cat9k to the site and enable E with wireless capabilities on it.
[Diagram labels: APs, ASR, Users and Things, E, C, B]
SD-Access: StackWise Virtual support at the access and border
• SVL devices can be configured as edge and border roles.
• SVL configuration has to be done manually.
• Edge SVL will be available for host-onboarding.
SD-Access: shared subnets for a geographically distributed LAN fabric
[Diagram labels: Fabric Site 1, Fabric Site 2, Fabric Site 3, Fabric Site 4, each with C and B; Employee VN, Anchoring Guest VN, Anchoring IoT VN, Anchored Guest VN, Anchored IoT VN, DMZ]
Cat9800 Appliance Wireless Controller
Cat9800 Cloud Wireless Controller
Overview of Cisco WAN routing solutions
Cisco enterprise routing portfolio
ASR 1000
• Hardware and software redundancy
• High-performance service with hardware assist
vEdge 5000
• Modular
• RPS
ISR 4000
• WAN and voice module flexibility
• Compute with UCS E
• Integrated Security stack
• WAN Optimization
vEdge 1000 & 2000
• Fixed/Pluggable Module
ISR 1000
vEdge 100
• 4G LTE & Wireless
• Integrated wired and wireless access
• PoE/PoE+
Branch
Aggregation
Virtual and Cloud
• Service chaining virtual functions
• Options for WAN connectivity
• Open for 3rd party services & apps
Cisco ENCS
CSR 1000V
• Cisco DNA virtualization
• Extend enterprise routing, security & management to cloud
ISR 900
• Fixed and fanless
• IOS Classic based
SD-WAN
Portfolio for small and medium offices
ISR 900
• Up to 250 Mbps
• Fixed and fanless
• Cisco IOS based
• High performance VPN
ISR 1000
• Up to 350 Mbps
• Cisco SD-WAN
• Integrated wired and wireless access
• Cisco SD-WAN Security
• 802.11AC WiFi
ISR 4000
• Up to 3 Gbps
• WAN and voice module flexibility
• Cisco SD-WAN
• Compute with UCS E-Series
• Cisco SD-WAN Security
Expansion of the Cisco ISR 1000 Series
Cisco SD-WAN Ready
25 new models!
Multi-layered security
SD-WAN capable
ISR 1161 is the fastest model in the ISR 1000 Series – 30% faster processor
Smaller form factor for space-constrained deployments
Investment Protection with PIM slot [LTE CAT4/6/18 support]
SKU family | ISR 1121 | ISR 1126 | ISR 1127 | ISR 1128 | ISR 1161 (Highest Perf. 1100)
25 Total SKUs | 14 | 2 | 4 | 1 | 4
10 SKUs: Ethernet (with and without LTE Pluggable) ● ●
8 SKUs: Ethernet + Wi-Fi + LTEP (802.11ac wave-2) ●
7 SKUs: DSL (with LTEP) ● ● ●
LTE Category 18 module for ISR1K
Shipping
SD-WAN ready
SMA antenna for LTE Main/Diversity
4 x 4 MIMO
2 micro-SIM cards
1.2Gbps / 150Mbps
Carrier Aggregation
CBRS Band 46, 48, 66, 71
Main Antenna
Diversity Antenna
Micro USB Modem Debug
USB LTE Category 4 module for ISR1K
NEW
Supported on ISR1K only*
Single Micro SIM
75/50 Mbps
CAT 4 LTE
LTE Antenna
SD-WAN roadmap
Modem Types | Region | Bands
D-LTE-GB | Global | Bands 1,3,7,8,20,28
D-LTE-AS | ASEAN | Bands 1,3,5,8,40,41
D-LTE-NA | North America | Bands 2,4,5,12,13,14,17
* selected platforms only
ISR 900 vs ISR 1000
Feature | ISR 1000 | ISR 900
Software OS | IOS XE | Cisco IOS
SD-WAN support | Yes | No
Centralized management | vManage, Cisco DNA Center | Cisco DNA Center
Security stack | SD-WAN Security | Firewall, VPN
Cisco Umbrella | Yes | No
VPN throughput | Up to 350 Mbps | Up to 250 Mbps
DSL | G.FAST, 35b, VADSL, G.SHDSL | VADSL
LTE | CAT6, CAT4 | CAT4 (Single SIM)
Wifi | 802.11AC Wave 2, Mobility Express | No
Switch ports | Up to 8 | 4
PoE/PoE+ | Up to 4 POE or 2 POE+ | No
Cisco ISR 4461: the flagship of the ISR 4000 Series
3 RU form factor
DRAM – 8/16/32 GB
Flash - 8/16/32 GB
Internal: Dual AC/DC PSU
3 x NIMs, 3 x SMs
Default throughput: IP CEF – 1.5 Gbps, Crypto – 250 Mbps
With Performance licenses: IP CEF – 3 Gbps, Crypto – 1.5 Gbps*
With Boost licenses: IP CEF – 10+ Gbps, Crypto – 7 Gbps*
* Requires HSECK9 license to support more than 250 Mbps Crypto IPSec throughput.
Router portfolio for Cisco SD-WAN
ASR 1000
• High-performance service with hardware assist
• Modular ASR 1K is not supported
vEdge 5000
ISR 4000
• WAN and voice module flexibility
• Compute with UCS E
• Container Architecture
• Slot Modularity, RPS
• 1GE, 10GE options
ISR 1000
• Integrated wired and wireless access
• LTE Advanced Pro
• VDSL2, ADSL2/2+
Aggregation
Virtualized
• Service chaining virtual functions
• Options for WAN connectivity
• Open for 3rd party services & apps
• NFVIS Hypervisor
Cisco ENCS
CSR 1000V
• Extend Enterprise routing, security & management to Cloud
• Cisco DNA virtualization
ISR1120 / 1160
XE SD-WAN
Viptela OS
ISR1100-6G
• 6 WAN ports (4GE and 2 SFP)
vEdge 2000
ISR1100-4G
• 4 GE WAN ports
ISR1100-4GLTE
• 4G LTE (CAT4)
• Smallest form-factor
• WWAN pluggable flexibility
• PIM: 4G LTE CAT4/6/18
• RPS, PIM options
• Modularity, RPS
(New 25 SKUs)
Shipping
Oct 2019
Oct 2019
Jan 2020
vEdge Cloud
• Software Router Platform
• Can be deployed in private, public, and hybrid cloud
Branch
Hardware evolution for vEdge
vEdge Series | Next-Generation vEdge
vEdge 1000
vEdge 100B
• 4 Ethernet WAN ports
• 6 WAN ports (4GE and 2 SFP)
vEdge 100M
• 4 Ethernet WAN ports
• Integrated LTE (CAT4)
ISR 1100-4G
ISR 1100-4GLTE$$**
ISR 1100-6G
Best in Class ISR platform
Built for “Cloud first Branch”
Day 1 Full feature parity with vEdge
** domain
Viptela OS 19.2
Jan 2020
Oct 2019
Oct 2019
IR1101: the new generation of Cisco industrial routers…
Edge computing enabled
SD-WAN Ready: XE SD-WAN 16.12.1
Compact form factor for cabinet installations
Modular LTE & 5G Ready*
First IoT Router with IOS XE
High-end security
Programmability
Low average power consumption of only 10W
Extended product lifetime
Investment protection
Lower TCO
Expansion modules for more interfaces
* with future hardware Modem and software
Cisco SD-WAN: solution architecture
External integration: APIs
Orchestration and configuration (vManage)
• Single interface
• Monitoring and troubleshooting
• RBAC and API
Analytics (vAnalytics)
• Machine learning
• Performance
• Forecasting
Control (vSmart)
• Programmability
• Policy distribution
• Simplicity and high scalability
Data forwarding (WAN Edge)
• Hardware or virtualized
• Zero Touch Provisioning
• Private or public cloud
Multi-Cloud OnRamp
Application QoE
Security (+Cloud)
[Diagram labels: 4G, MPLS, INET; Data center, CoLo, Campus, Branch, Cloud]
Improved ISR 1K/4K boot time for SD-WAN
ISR 4000 | ISR 1000
Boot time for ISR 1K and ISR 4K is reduced to <3-4 min with or without startup config with SD-WAN image
Cisco SD-WAN: IPv6 support, now everywhere
Laptop1: 2671:123A::2/128, FD6D:8D64:1235::/64, FE80::C004:1DFF:FEE0:0
VPN 1, GE 0/1: 2671:123A::1/128, FD6D:8D64:1234::/64, FE80::C004:1DFF:FEE0:0
VPN 0, GE 0/0: 2001:123A::1/128
VPN 0, GE 0/0: 2001:4F3A::1/128
VPN 1, GE 0/1: 2701:123A::1/128, FD6D:8D64:3001::/64, FE80::C006:1DFF:FEE0:0
Laptop2: 2701:123A::2/128, FD6D:8D64:3002::/64, FE80::C005:1DFF:FEE0:0
IPSec/GRE: Outer IPv6 Header; Inner IPv4/IPv6 Header; VPN 1, VPN 2, VPN 3
DATA | TCP/UDP | INNER IPv4/IPv6 | GRE/IPSEC | OUTER IPV6
Cisco SD-WAN: Loopback support as a WAN interface
SD-WAN control connections with loopback interfaces
Localized QoS policies are supported on loopback interface
IPv4 and IPv6 loopback interface supported
Data tunnels (IPSec/GRE) can terminate on loopback on WAN Edge
BFD support over loopback interface
App-route policy using loopback
[Diagram labels: SD-WAN Controllers, DTLS/TLS, IOS-XE SD-WAN, L0, L1, TLOCs, IPSec/GRE]
Cisco SD-WAN: L2 QoS support in SD-WAN
CoS Marking using 802.1p for a Better Application Experience
Voice: Highest Priority
Best-effort: Lowest Priority
[Diagram labels: Campus, Devices group, Admin group, Medical Staff, Metro Ethernet]
Cisco SD-WAN: enhanced support for unstable links
[Diagram labels: Critical Application, WAN Edge Router BR1, Unreliable WAN Links, SD-WAN, WAN Edge Router DC1, Critical Application]
Problem: transactional data over WAN links that have a few percent packet loss (up to 10-20%).
Main Goal: 0 packet loss on the application level.
Solution 1: Forward Error Correction (FEC) sends an additional parity packet for every 4 data packets, which the receiving router uses to reconstruct one lost packet.
Solution 2: Packet Duplication duplicates packets for critical apps over both WAN links.
Available in version 16.12
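An added illustration of Solution 1 and Solution 2 above (not code from the slides or from Cisco): one parity packet per block of 4 data packets lets the receiver rebuild a single lost packet. It assumes the parity is a byte-wise XOR of the four packets, which the slide does not specify, and the residual-loss formulas assume independent per-packet loss; all function names are hypothetical.

```python
import struct

BLOCK = 4  # data packets per parity packet, as stated on the slide


def _frame(payload, width):
    # A 2-byte length prefix lets the receiver strip padding after a rebuild.
    return struct.pack("!H", len(payload)) + payload.ljust(width, b"\x00")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_parity(packets):
    """Sender side: XOR parity over one block of BLOCK payloads (assumed scheme)."""
    if len(packets) != BLOCK:
        raise ValueError("a block is exactly %d packets" % BLOCK)
    width = max(len(p) for p in packets)
    parity = bytes(width + 2)
    for p in packets:
        parity = _xor(parity, _frame(p, width))
    return parity


def recover(received, parity):
    """Receiver side: 'received' holds BLOCK items, None where a packet was lost.
    Returns the complete block; raises LookupError if it cannot be repaired."""
    missing = [i for i, p in enumerate(received) if p is None]
    if not missing:
        return list(received)
    if len(missing) > 1 or parity is None:
        raise LookupError("one parity packet repairs at most one loss per block")
    width = len(parity) - 2
    acc = parity
    for p in received:
        if p is not None:
            acc = _xor(acc, _frame(p, width))
    (length,) = struct.unpack("!H", acc[:2])
    repaired = list(received)
    repaired[missing[0]] = acc[2:2 + length]
    return repaired


def fec_residual_loss(p):
    """Share of data packets still lost after FEC at independent loss rate p:
    the packet is lost AND at least one of the other four packets of its
    block (three data packets plus the parity packet) is lost as well."""
    return p * (1 - (1 - p) ** BLOCK)


def duplication_residual_loss(p_link1, p_link2):
    """Packet Duplication: a packet is lost only if both copies are lost."""
    return p_link1 * p_link2


if __name__ == "__main__":
    # Constructed sample block with unequal packet sizes.
    block = [b"txn-0001", b"txn-0002-longer-payload", b"", b"txn-0004"]
    parity = make_parity(block)
    damaged = [block[0], None, block[2], block[3]]
    print(recover(damaged, parity) == block)
    for loss in (0.02, 0.10, 0.20):
        print(loss, round(fec_residual_loss(loss), 5))
```

At the 10-20% loss quoted in the problem statement, single-parity FEC alone leaves a measurable residual loss under these assumptions, which is where duplication over both links helps.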
Cisco SD-WAN: support for devices that use DHCP options
DHCP Options enhancement - Support for multiple vendor options
cEdge running DHCP server
DHCP Request with vendor specific option code
DHCP Offer with vendor specific options (tftp server etc)
[Diagram labels: Campus Devices, CUCM, TFTP Server]
Using Cisco SD-WAN together with GOST cryptography
Using Cisco SD-WAN together with GOST encryption
SD-WAN tunnels (GRE)
IPsec + GOST tunnels (static or dynamic)
[Diagram labels: LAN, SD-WAN edge, S-Terra edge, S-Terra, SD-WAN, S-Terra edge, SD-WAN edge, LAN]
[Topology diagram labels]
S-Terra Edge #1, S-Terra Edge #2, S-Terra Edge #3
SD-WAN Edge #1, SD-WAN Edge #2, SD-WAN Edge #3
SD-WAN controllers: 1.1.1.0/24
ISP
Static crypto-tunnel
“DMVPN” crypto-tunnel (two tunnels)
GRE tunnel (three tunnels)
mGRE1: 13.10.10.2/24, mGRE0: 12.10.10.2/24
mGRE0: 12.10.10.100/24, mGRE0: 13.10.10.100/24
11.0.0.10/8, 11.0.0.14/8, 11.0.0.18/8
10.1.8.0/24, 10.2.8.0/24, 10.8.10.0/24
Using Cisco SD-WAN together with GOST encryption
• Tested in the Cisco lab
• A detailed description and a set of typical crypto-gateway configurations are available
• Retains all core SD-WAN capabilities
• Requires no additional configuration on the SD-WAN side
• Uses the GOST encryption solution from S-Terra
• Requires prior configuration of the crypto gateways