Cisco North-West Forum, Saint Petersburg | November 28, 2019


Denis Kodentsev, Consulting Engineer, CCIE. November 28, 2019

Cisco routers and switches: a universal platform for both traditional and software-defined SD-Access/SD-WAN architectures.

© 2019 Cisco and/or its affiliates. All rights reserved.

What will we cover?

01 Evolution of Cisco LAN switches

02 Cisco innovations for LAN and SDN

03 Evolution of Cisco routers for WAN / corporate data networks

04 Cisco SD-WAN news

Overview of Cisco LAN switching solutions

Cisco enterprise switching portfolio

Catalyst 9000 Series

Cisco Catalyst 9400 Series

Cisco Catalyst 9300 Series

Cisco Catalyst 3650/3850

Cisco Catalyst 4500E Series

Cisco Catalyst 3850F/4500-X

Cisco Catalyst 6840-X/6880-X

Cisco Catalyst 2960-X/XR

Cisco Catalyst 9200 Series

Cisco Catalyst 9500 Series

Cisco Catalyst 6500-E/6807-XL

Cisco Catalyst 9600 Series

Access | Distribution and core

NEW ‘9300L, -S, -B’

NEW ‘9200L mGig’

NEW ‘48x1G 90W LC’

NEW ‘48xmGig LC’

NEW ‘9300L mGig’

NEW ‘1G on 48YL LC ’

Advantage

Essentials

Layer 2, Routed Access, Programmability

Base Automation with L2/L3

Full Automation/Assurance, Routing and Segmentation

Full Layer 3, Network Segmentation*

Base Automation & Base Assurance

Software Defined Access*

Encrypted Traffic Analysis, Embedded WLC, SD Bonjour, Application Hosting

Platform

Built with UADP. Stacking, Dual FRU PS, FRU Fan/UL

Full PoE+, 10G UL

High Density mGig, UPOE, 25/40G UL

NW, DNA

Catalyst 9200 | Catalyst 9300 | Catalyst 9400

Increased Scale, Increased Performance, Lower TCO

x86 CPU, Stackpower, MACSec 256

Advanced Assurance*

(*) Increased functionality and scale on 9400/9300

High Availability

Embedded CPU, MACSec 128

Open IOS-XE

Access-layer devices: Catalyst 9200, 9300, 9400

Cisco Catalyst 9200

Cisco Catalyst 9200 Series switches

Catalyst 9200 Series switching SKUs

9200 (Data/PoE+)

• Data: 24 ports, 48 ports
• 4 x 1G and 4 x 10G uplinks
• PoE+: 24 ports, 48 ports

9200L (Data/PoE+)

• Data: 24 ports, 48 ports
• 4 x 1G and 4 x 10G uplinks
• PoE+: 24 ports, 48 ports

Modular Power Supplies available on all the SKUs

Cisco Catalyst 9200 Series: new models with mGig support

16X1G Ports

8XmGig Ports

4X10G/2x25G Uplinks

36X1G Ports

12XmGig Ports

4X10G Uplinks

40X1G Ports

8XmGig Ports

2X25G Uplinks

New

Cisco Catalyst 9200L Series mGig models

(IOS-XE 16.11)

MultiGigabit Portfolio Across Catalyst 9000 Access

Full PoE+

Category | Feature | 9200 | 9200L | 2960XR | 2960X
Modern OS | Model Driven Programmability | ✓ | ✓ | ✘ | ✘
Modern OS | Streaming telemetry | ✓ | ✓ | ✘ | ✘
Modern OS | Patching | ✓ | ✓ | ✘ | ✘
Advanced Routing | VRF Support | ✓ | ✓ | ✘ | ✘
Advanced Routing | ISIS | ✓ | ✓ | ✘ | ✘
Advanced Routing | EIGRP | ✓ | ✓ | EIGRP Stub only | EIGRP Stub only
Advanced Routing | OSPF | ✓ | ✓ | ✓ | ✓
Fabric | SDA Fabric Edge | ✓ | ✓ | ✘ | ✘
Security | MACsec-128 | ✓ | ✓ | ✘ | ✘
Security | Trustworthy System | ✓ | ✓ | Limited Support | Limited Support
Security | SGT | ✓ | ✓ | ✘ | ✘
Visibility | Full Flexible Netflow | ✓ | ✓ | Ingress Only | Ingress Only
QoS | QoS Model | MQC | MQC | MLS | MLS
QoS | Hierarchical QoS | ✓ | ✓ | ✘ | ✘

Catalyst 9200: ordering in Russia

• Dedicated part numbers with the letter "R" in the part number

• All encryption of user traffic is disabled (including MACsec), which simplifies import

• If MACsec is needed, order the global part numbers without "R". An import permit will then be required.

C9200-24P-RE, C9200-48P-RE, C9200-48P-RA, C9200-48T-RE, C9200-48T-RA, C9200L-24P-4G-RE, C9200L-24P-4X-RE, C9200L-48P-4G-RE, C9200L-48P-4X-RE

C9200L-24T-4G-RE, C9200L-24T-4X-RE, C9200L-48T-4X-RE, C9200L-48T-4G-RE, C9200L-48PXG-4X-RE, C9200-24T-RE, C9200-24T-RA, C9200-24P-RA

C9200L-24T-4G-RA, C9200L-24P-4G-RA, C9200L-48T-4G-RA, C9200L-48P-4G-RA, C9200L-24T-4X-RA, C9200L-48T-4X-RA, C9200L-24P-4X-RA, C9200L-48P-4X-RA

C9200L-24PXG-4X-RE, C9200L-24PXG-4X-RA, C9200L-24PXG-2Y-RE, C9200L-24PXG-2Y-RA, C9200L-48PXG-4X-RA, C9200L-48PXG-2Y-RE, C9200L-48PXG-2Y-RA

Cisco Catalyst 9300

Cisco Catalyst 9300L Series: fixed 9300 models, successors to the Catalyst 3650

Modular fans

Optional Stack kit

Higher-efficiency AC and DC power supplies

Cisco Catalyst 9300 leadership

UADP 2.0

Cisco IOS® XE Software

SD-Access

x86 CPU and containers

Encrypted Traffic Analytics

MACsec-256 link encryption

Trustworthy solutions

Cisco StackWise®-320

IEEE1588 and AVB

NBAR2

Perpetual/Fast PoE

Model-driven programmability

Patching/GIR

Full Flexible NetFlow

Streaming telemetry

StackWise-320

350W AC 715W AC/DC 1100W AC

Platinum rated

Large Buffers & Scale

Data SKUs

PoE SKUs

mGig/UPOE SKUs

4 x 10G uplinks 4 x 1G uplinks 4 x 10G uplinks

4 x 1G uplinks

C9300L-24UX-4X

C9300L-24UX-2Q

C9300L-48UX-2Q C9300L-48UX-4X

24/48 Port 1G 24/48 Port 1G 24/48 Port 1G

Cisco Catalyst 9300-S Series: models for 1GE fiber aggregation

8x 10G 2x 40G 4x Multigigabit 4x 1G 2x 25G 315W AC 715W AC/DC 1100W AC

Fiber to the desktop

Collapsed access

24-port – C9300-24S

48-port – C9300-48S

Modular fans

Modular uplinks

Higher-efficiency AC and DC power supplies

• 24 and 48 port SFP SKUs

• Transition Catalyst 3850 1G SFP to Catalyst 9300 1G SFP

• Wire-speed, non-blocking performance

• Seamlessly integrates with Cisco Catalyst 9300 Series copper

• Supports same optics

• Common stacking – StackWise-480

• Common power stacking – StackPower

• Common uplink modules

• Common power supplies, fans, cables

1G fiber aggregation

Cisco Catalyst 9600

Cisco Catalyst 9600 Series: a new generation of core and distribution layer switches

Extending Cisco Catalyst 6000 Series leadership in modular core

• 7.5x throughput per slot

• 3x port density (40G), 4x CPU

• No Oversubscription

Cisco® Catalyst® 9600 Series leadership

Cisco UADP 3.0

Cisco IOS® XE Software

SD-Access

x86 CPU and containers

256 MACsec on all ports/speed at line rate

Cisco StackWise® Virtual*

Patching and GIR

Model-driven programmability

Streaming telemetry

Powered by UADP 3.0

6-slot (8RU) chassis: 25.6 Tbps

Supervisor-1: 2.4 Tbps per slot

Fiber line cards

• 48 ports x 25G/10G/1G*

• 24 ports x 40G/12 ports x 100G

Copper line card

• 48x Multigigabit copper* (non-PoE)

Resiliency

Programmability and telemetry

Security

* Roadmap

Dual serviceable fan tray

2000W AC and DC power supplies

240GB, 480GB, or 960GB SSD storage

StackWise Virtual cluster support on the C9600

• A Distribution layer technology allowing stacking of 2 switches

• Supports flexible distances with support of all supported cables and optics

• SVL and DAD links are supported on any ports with 10G or higher speed, including QSA

• DAD support with 1G or higher speed from IOS-XE 16.12.2/17.1 (Q2FY20)

• SVL: StackWise Virtual Link
  • Same speed ports (10G or higher)
  • Up to 8 ports

• DAD: Dual Active Detection
  • Fast Hello
    • Directly connected
    • Up to 4 links
  • Enhanced PAgP
    • EtherChannel with PAgP
    • Up to 4 port-channels

• IOS-XE 16.12.x: 2nd Supervisor is not supported in the chassis and will be powered off if inserted in SVL Mode

StackWise Virtual is supported with IOS-XE 16.12.1 or later

SVL

DAD

IOS-XE 16.12

But that's not all… C9600 Quad SUP RPR – StackWise Virtual

[Diagram labels: Chassis-1, Chassis-2, StackWise-A, StackWise-S, ICS, SSO, RPR]

RPR: Route Processor Redundancy
SSO: Stateful Switchover
StackWise-A: StackWise Virtual Active
StackWise-S: StackWise Virtual Standby
ICS: In-chassis Warm Standby

• Active supervisor in chassis-2 becomes StackWise Active

• Warm standby supervisor in chassis-1 continues the boot process to become StackWise standby while the line cards in chassis-1 get reset

IOS-XE 17.1

Catalyst 9600 line card with mGig ports

• 48 Ports mGig copper LC

• Full mGig on all ports

• Supported speeds: 100M/1G/2.5G/5G/10G

• No PoE/UPOE

C9600-LC-48TX

EFT Aug 2019

Copper Deployments Collapsed Core 1GE to 10GE Transition

Planned for the near future

Cisco UPOE+ (IEEE 802.3bt)

New Catalyst 9400 90W UPOE+ module: the first model with UPOE+ 90W support

Cat5e/6

Catalyst 9400

• Up to 260* x 90W concurrent power

• IEEE 802.3bt standards compliant

• 48 x 1G Ports per line card

• Up to 8 x 3200W AC/DC PSU

Investment Protection with 90W UPoE+

*10-slot chassis w/o power redundancy. Subject to available PoE power budget in chassis

C9400-LC-48H

IOS-XE 16.12

New 802.3bt* Type 4

90W UPOE+©

Cisco and partner cloud services for control

Large Video Displays

Network Powered

Light arrays

90 Watt devices

Wall switch

30 - 60 Watt devices

PTZ UHD Cameras HVAC VAV’s

New Devices

Cisco UPOE+©

(low voltage)

Announcement: 10/31/2019

End of sale: 10/31/2020

End of support: 10/31/2025

Catalyst 3850 (excluding Fiber SKUs)

Catalyst 4500E (excluding Sup9-E)

Catalyst 4500X Series

Catalyst 6880 and 6840 Series

Catalyst 6500* (6/9/13 slots Chassis/Sup2T)

Catalyst 9300

Catalyst 9400

Catalyst 9500

Catalyst 9600

* Currently no plans to EoS Catalyst Modular C6800 Series

End of Sale in 2020

What's new in IOS-XE 16.12 for enterprise switching

IOS-XE 16.12.1: new capabilities for your Catalyst 9000

Enhanced Security Controls

• Object Group ACL - C9300, C9400, C9500, C9600
• MACsec - MKA High-Availability - C9300, C9400, C9500, C9600
• Secure SVL support with SESA MACsec 128 - C9500, C9600
• CoA support on VRF for IPv4 and IPv6 - All

Flexible Network Segmentation

• L3VPN over GRE – C9300, C9400, C9500, C9600
• VPLSoGRE - C9300, C9400, C9500, C9600
• EoMPLS over GRE - C9300, C9400, C9500, C9600
• BGP-EVPN RT ASN rewrite
• EVPN VXLAN MAC Aliasing for Distributed Anycast Gateway

High Availability

• SVL - C9600
• ISSU on SVL - C9600
• Extended FSU – C9300 (Controlled Availability)
• SVL on QSA - C9500 High Performance, C9600

Platform / Infra

• Native Docker support for application hosting – C9300
• PM Bidir - C9300, C9400, C9500, C9600
• Sub-interface Support - C9300, C9500
• Support 802.3bt Type 3 - C9300
• Support 802.3bt Type 4 - C9400
• Flexlink+ – C9300, C9400, C9500
• Guestshell – C9200

MPLS Over GRE

• Static GRE Tunnels built over IP Core between MPLS PEs

• L2 VPN (EoMPLS and VPLS Support) & L3 VPN Services over GRE can be enabled

[Diagram labels: PE1, PE2, PE3; CE1, CE2, CE3; MPLS Edge; L2/L3; GRE Tunnel; IP Core without MPLS]

GRE scale varies based on platform

GRE SRC | GRE DST
PE | PE
P | P
PE | P
P | PE

IOS-XE 16.12

MACsec over EoMPLS link

IOS-XE 17.1.1

[Diagram labels: CE-1, CE-2, PE-1, PE-2 (Cat 9k Switches); MPLS; EoMPLS; Targeted LDP; MACsec Encrypted Link]

Extended Fast Software Upgrade on Catalyst 9300

Data Plane

Control Plane

• xFSU provides a mechanism to independently update the control plane and data plane during the upgrade process

• Control plane is upgraded by leveraging Graceful Reload Infrastructure without impacting data plane traffic

• Data plane (ASIC) is re-programmed in less than 30 seconds by leveraging special cache memory which stores active forwarding entries

Service recovery time

[Chart: bandwidth (100%, 50%) against time for a Regular Upgrade and for xFSU. Labels: Standby and Members < 30 seconds; Active < 30 seconds; SSO; Stack is down > 10 minutes]

Network virtualization: BGP EVPN VXLAN

Distribution

Network fabric with Cisco Catalyst 9200-9600: SD-Access, MPLS or BGP EVPN

Classic design | MPLS | SD-Access, BGP EVPN

• Reduced complexity, resiliency, and scale

• IPv4/IPv6, unicast and multicast; QoS and ACL scale

• Segmentation, scale, LAN/WAN consistency

• MPLS VPNs (L2 and L3), MPLS over GRE

• Turnkey solution for automation, segmentation, and policy: SD-Access border and CP

• DIY: BGP EVPN VxLAN

[Diagram labels: Site A, Border + Control, Edge, IoT Network, Employee Network, Other Sites; Client access, Core; MPLS, Site 1, Site 2, Site 3, CE, PE, Customer Managed MPLS Backbone, VRFs]

Why BGP EVPN VXLAN?

[Diagram labels: RR, Access/VTEP, L3, VXLAN Overlay]

• Advertise MAC and IP via MP-BGP Address families

• Enables IP/MAC Mobility with Anycast Gateway across the fabric

• BUM Traffic replicated by either Multicast or Ingress replication

• Support of Active-Active Multi-homing using StackWise-Virtual on VTEP

How does VXLAN BGP EVPN work?

[Diagram labels: L3; Core; Access; VXLAN Overlay; Edge/VTEP; Intermediate Nodes; External; Core/Spine/Border; RR]

Roles and terminology

BGP

BGP Route Reflector/Border 9500H/9600

Intermediate/Edge Nodes C9300/9400/9500/9600

IOS-XE 16.12

Network virtualization: Cisco SD-Access

Control-Plane Nodes: system that determines the relationship between a client and a network device

Fabric Edge Nodes: fabric device (Access or Distribution) for wired client connections to the SDA fabric

Identity Services: identity and NAC system (ISE) for dynamically applying groups and security policies to clients

Fabric Border Nodes: fabric device (Core) that connects external L3 networks to the SDA fabric

Intermediate Nodes (Underlay)

Cisco DNA Automation: provides a simple GUI for management, automation (NCP) and context exchange

Cisco DNA Assurance: data collection (NDP) and analysis of flows from clients and applications, monitoring of fabric health

Fabric Wireless Controller: fabric device (WLC) that connects APs and wireless clients to the SDA fabric

[Diagram labels: Cisco DNA Center, NCP, ISE, NDP, Campus Fabric, B, C]

SD-Access architecture: distribution of roles in the fabric

Catalyst 9200, 9300L, 9300 in Cisco SD-Access

DNA & SDA | 9200L | 9200 | 9300L | 9300
User VNs / VRFs supported for SDA | 1 | 4 | 64 | 256
Application policy | Limited | Limited | Yes (L2-L7) | Yes (L2-L7)
Prescriptive L3 Underlay | Yes | Yes | Yes | Yes
Fabric Infra - Fabric Edge - VXLAN, Virtual Networks, LISP, SGT/SGACL | Yes | Yes | Yes | Yes
Fabric Multicast, Selective Flooding, IPv6 Host | Yes | Yes | Yes | Yes
Fabric Wireless | No | Yes | Yes | Yes
Embedded Wireless | No | No | Yes | Yes
Extended Node Support | No | No | Yes (Beta) | Yes (Beta)
Fabric Border, CP, Fabric-in-Box | No | No | Yes | Yes
Assurance - Client Health - Network Health - Fabric Assurance | Yes | Yes | Yes | Yes
ERSPAN as destination | No | No | Yes | Yes
ETA | No | No | Yes | Yes

Advantage

[Diagram labels: SD-Access Fabric, IoT VN, Employee VN, C, B, 10.10.10.0/16]

SD-Access Extranet for shared network services

Today

• Fusion Router required to provide shared service access for all User VNs

• Complex config to leak routes to be maintained manually outside fabric

• Traffic Hair-pinning

SD-Access Extranet

• SDA extranet provides native support for shared services access with Extranet

• Eliminate Fusion Router & manual config

• No Traffic Hair-pinning

Dest VN | Src VN | Permit?
Shared Svc | Employee | YES
Shared Svc | IoT | YES
… | … | …
Internet | Employee | YES
Internet | IoT | YES

An entirely new interface for creating group-based policies in DNAC

Click to edit contract

Support for third-party AAA

Sample configuration: Using Group-Based Policies with 3rd party RADIUS

[Diagram labels: steps 1, 2, 3; 802.1x/MAB; Access Accept w/ Cisco AV cts:security-group-tag-0001-01 + Vlan ID; Policy Request; Policy Download; ISE; DNAC; SGT; SRC: 10.1.10.220, DST: 10.1.100.52]

• Authentication and Authorization requests directed to 3rd party

• SGT and VN assignments must be coordinated between 3rd party AAA and DNAC

Cisco SD-Access news: secure connection of IoT devices

[Diagram labels: SD-Access fabric, C, B, Fabric Edges, Fabric Edge *, Secure Extended Node, Extended Node, Host 1]

• The Secure Extended Node will have 802.1x/MAB Authentication enabled to talk to ISE and to download the right vlan and Secure Group Tag attributes to the end points.

• The Extended Node will have 802.1x/MAB Authentication enabled to talk to ISE and to download the right vlan for the end points.

• Secure Extended Nodes get provisioned with SGTs on the port channel interface(s) on which they are connected to Fabric Edge Switches

Vlan 100 SGT 100

Cisco ISE

SEN: IE3400, IE3400H

EN: IE3300, IE4000, IE4010, IE5000, IE3400, IE3400H

[Diagram labels: Fabric Site, B, C]

SD-Access Secure Extension: support for connecting ring topologies

VXLAN

SGT In-Line Tagging for East/West Traffic

ISE

REP Ring*

* REP supported manually. Automation: roadmap

[Diagram labels: E, E, E, B]

SD-Access: flexibility of use

[Diagram labels: Guest VN, Employee VN, E, B, C, SD-Access Site A, Internet]

Local Break out: Border capability provides local breakout

Site Resiliency: Control Plane capability ensures site-local communications

Fabric-in-a-Box

Embedded Wireless: Embedded wireless option eliminates need for dedicated appliance or centralized wireless

SD-Access for small and medium offices (Fabric-in-a-Box)

SD-Access

Embedded WLC support on the Catalyst 9300 for small and medium offices

APs

ASR

Users and Things

• Customers in small branch deployments might have a router such as an ASR, which they can configure with B+CP functionality.

• Customers can add another switch such as Cat9k to the site and enable E with wireless capabilities on it.

E

CB

• SVL devices can be configured as edge and border roles.

• SVL configuration has to be done manually.

• Edge SVL will be available for host-onboarding.

SD-Access: StackWise Virtual support on edge and border

SVL

SD-Access: shared subnets for a geographically distributed LAN fabric

[Diagram labels: Fabric Site 1, Fabric Site 2, Fabric Site 3, Fabric Site 4 (each with C and B); Employee VN; Anchoring Guest VN; Anchoring IoT VN; Anchored Guest VN; Anchored IoT VN; DMZ; Cat9800 Appliance Wireless Controller; Cat9800 Cloud Wireless Controller]

Overview of Cisco WAN routing solutions

Cisco enterprise routing portfolio

ASR 1000

• Hardware and software redundancy

• High-performance service with hardware assist

vEdge 5000

• Modular

• RPS

ISR 4000

• WAN and voice module flexibility

• Compute with UCS E

• Integrated Security stack

• WAN Optimization

vEdge 1000 & 2000

• Fixed/Pluggable Module

ISR 1000

vEdge 100

• 4G LTE & Wireless

• Integrated wired and wireless access

• PoE/PoE+

Branch Aggregation

Virtual and Cloud

• Service chaining virtual functions
• Options for WAN connectivity
• Open for 3rd party services & apps

Cisco ENCS

CSR 1000V

• Cisco DNA virtualization

• Extend enterprise routing, security & management to cloud

ISR 900

• Fixed and fanless
• IOS Classic based

SD-WAN

ISR 900, 1000, 4000

Portfolio for small and medium offices

ISR 900

• Up to 250 Mbps
• Fixed and fanless
• Cisco IOS based
• High performance VPN

ISR 1000

• Up to 350 Mbps
• Cisco SD-WAN
• Integrated wired and wireless access
• Cisco SD-WAN Security
• 802.11AC WiFi

ISR 4000

• Up to 3 Gbps
• WAN and voice module flexibility
• Cisco SD-WAN
• Compute with UCS E-Series
• Cisco SD-WAN Security

Cisco ISR 1000 Series expansion

Cisco SD-WAN Ready

25 new models!

Multi-layered security, SD-WAN capable

ISR 1161 is the fastest model in the ISR 1000 Series – 30% faster processor

Smaller form factor for space-constrained deployments

Investment Protection with PIM slot [LTE CAT4/6/18 support]

Models: ISR 1121, ISR 1126, ISR 1127, ISR 1128, ISR 1161 (Highest Perf. 1100)

10 SKUs: Ethernet (with and without LTE Pluggable) ● ●

8 SKUs: Ethernet + Wi-Fi + LTEP (802.11ac wave-2) ●

7 SKUs: DSL (with LTEP) ● ● ●

25 Total SKUs: ISR 1121: 14, ISR 1126: 2, ISR 1127: 4, ISR 1128: 1, ISR 1161: 4

LTE Category 18 module for the ISR1K

SMA antenna for LTE Main/Diversity

4 x 4 MIMO

2 micro-SIM cards

1.2 Gbps / 150 Mbps

Carrier Aggregation

Main Antenna

Diversity Antenna

Micro USB Modem Debug

Shipping

SD-WAN ready

CBRS Band 46,48,66,71

LTE Category 4 USB module for the ISR1K

Supported on ISR1K only*

Single Micro SIM

75/50 Mbps

CAT 4 LTE

LTE Antenna

Modem Types | Region | Bands
D-LTE-GB | Global | Bands 1,3,7,8,20,28
D-LTE-AS | ASEAN | Bands 1,3,5,8,40,41
D-LTE-NA | North America | Bands 2,4,5,12,13,14,17

NEW

SD-WAN roadmap

*selected platforms only

ISR 900 vs ISR 1000

Feature | ISR 1000 | ISR 900
Software OS | IOS XE | Cisco IOS
SD-WAN support | Yes | No
Centralized management | vManage, Cisco DNA Center | Cisco DNA Center
Security stack | SD-WAN Security | Firewall, VPN
Cisco Umbrella | Yes | No
VPN throughput | Up to 350 Mbps | Up to 250 Mbps
DSL | G.FAST, 35b, VADSL, G.SHDSL | VADSL
LTE | CAT6, CAT4 | CAT4 (Single SIM)
Wifi | 802.11AC Wave 2, Mobility Express | No
Switch ports | Up to 8 | 4
PoE/PoE+ | Up to 4 POE or 2 POE+ | No

Cisco ISR 4461: the flagship of the ISR 4000 series

3 RU form factor

DRAM – 8/16/32 GB

Internal: Dual AC/DC PSU

Default throughput: IP CEF – 1.5 Gbps, Crypto – 250 Mbps

3 x NIMs, 3 x SMs

With Performance licenses: IP CEF – 3 Gbps, Crypto – 1.5 Gbps*

With Boost licenses: IP CEF – 10+ Gbps, Crypto – 7 Gbps*

* Requires HSECK9 license to support more than 250 Mbps Crypto IPSec throughput.

Flash - 8/16/32 GB

Evolution of Cisco SD-WAN technology

Router portfolio for Cisco SD-WAN

ASR 1000

• High-performance service with hardware assist

• Modular ASR 1K is not supported

vEdge 5000

ISR 4000

• WAN and voice module flexibility
• Compute with UCS E
• Container Architecture

• Slot Modularity, RPS

• 1GE, 10GE options

ISR 1000

• Integrated wired and wireless access

• LTE Advanced Pro
• VDSL2, ADSL2/2+

Aggregation

Virtualized

• Service chaining virtual functions
• Options for WAN connectivity

• Open for 3rd party services & apps

• NFVIS Hypervisor

Cisco ENCS

CSR 1000V

• Extend Enterprise routing, security & management to Cloud

• Cisco DNA virtualization

ISR1120 / 1160

XE SD-WAN

Viptela OS

ISR1100-6G

• 6 WAN ports (4GE and 2 SFP)

vEdge 2000

ISR1100-4G

• 4 GE WAN ports

ISR1100-4GLTE

• 4G LTE (CAT4)

• Smallest form-factor
• WWAN pluggable flexibility
• PIM: 4G LTE CAT4/6/18

• RPS, PIM options

• Modularity, RPS

(New 25 SKUs)

Shipping

Oct 2019

Oct 2019

Jan 2020

vEdge Cloud

• Software Router Platform

• Can be deployed in private, public, and hybrid cloud

Branch

vEdge 1000

vEdge 100B

vEdge Series Next-Generation vEdge

• 4 Ethernet WAN ports

• 6 WAN ports (4GE and 2 SFP)

vEdge 100M

• 4 Ethernet WAN ports
• Integrated LTE (CAT4)

ISR 1100-4G

ISR 1100-4GLTE$$**

ISR 1100-6G

Best in Class ISR platform

Built for “Cloud first Branch”

Hardware evolution for vEdge

Day 1 Full feature parity with vEdge

** domain

Viptela OS 19.2

Jan 2020

Oct 2019

Oct 2019

IR1101: a new generation of Cisco industrial routers…

Edge computing enabled

SD-WAN Ready: XE SD-WAN 16.12.1

Compact form factor for cabinet installations

Modular LTE & 5G Ready*

First IoT Router with IOS XE

High-end security

Programmability

Low average Power consumption of only 10W

* with future hardware Modem and software

Extended product life time

Investment protection

Lower TCO

Expansion modules for more interfaces

New Cisco SD-WAN capabilities (19.1-19.2)

Cisco SD-WAN: solution architecture

Control

• Programmability
• Policy distribution
• Simplicity and high scalability

Data forwarding

• Hardware or virtualized
• Zero Touch Provisioning
• Private or public cloud

Orchestration and configuration

• Single interface
• Monitoring and troubleshooting
• RBAC and API

Analytics

• Machine learning
• Performance
• Forecasting

[Diagram labels: APIs; external integration; vManage; vSmart; vAnalytics; WAN Edge; MultiCloud OnRamp; Application QoE; Security (+Cloud); 4G, MPLS, INET; data center, CoLo, campus, branch, cloud]

Improved ISR 1K/4K boot time for SD-WAN

ISR 4000, ISR 1000

Boot time for ISR 1K and ISR 4K is reduced to <3-4 min with or without startup config with SD-WAN image

Cisco SD-WAN: IPv6 support, now everywhere

Laptop1: 2671:123A::2/128, FD6D:8D64:1235::/64, FE80::C004:1DFF:FEE0:0

VPN 1, GE 0/1: 2671:123A::1/128, FD6D:8D64:1234::/64, FE80::C004:1DFF:FEE0:0

VPN 0, GE 0/0: 2001:123A::1/128

VPN 0, GE 0/0: 2001:4F3A::1/128

VPN 1, GE 0/1: 2701:123A::1/128, FD6D:8D64:3001::/64, FE80::C006:1DFF:FEE0:0

Laptop2: 2701:123A::2/128, FD6D:8D64:3002::/64, FE80::C005:1DFF:FEE0:0

[Diagram labels: IPSec/GRE; Outer IPv6 Header; Inner IPv4/IPv6 Header; VPN 1, VPN 2, VPN 3; IPSEC; TLOCs]

Packet layout: DATA | TCP/UDP | INNER IPv4/IPv6 | GRE/IPSEC | OUTER IPV6

Cisco SD-WAN: loopback support as a WAN interface

IPSec/GRE

IOS-XE SD-WAN

IOS-XE SD-WAN

SD-WAN control connections with loopback interfaces

Localized QoS policies are supported on loopback interface

IPv4 and IPv6 loopback interface supported

Data tunnels (IPSec/GRE) can terminate on loopback on WAN Edge

BFD support over loopback interface

App-route policy using loopback

[Diagram labels: SD-WAN Controllers, DTLS/TLS, TLOCs, L0, L1]

Cisco SD-WAN: L2 QoS support in SD-WAN

CoS Marking using 802.1p for a Better Application Experience

Voice Highest Priority

Best-effort Lowest Priority

Campus

Devices group

Admin group

Medical Staff

Metro Ethernet

[Diagram labels: SD-WAN, WAN Edge Router BR1, WAN Edge Router DC1, Unreliable WAN Links, Critical Application]

Cisco SD-WAN: enhanced support for unreliable links

Problem: transactional data over WAN links that have a few percent packet loss (up to 10-20%).

Main Goal: 0 packet loss on the application level.

Solution 1: Forward Error Correction (FEC) sends an additional parity packet for every 4 data packets, which the receiving router uses to reconstruct one lost packet.

Solution 2: Packet Duplication duplicates packets for critical apps over both WAN links.

Available in version 16.12
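The 4+1 parity scheme from Solution 1, as an added example (not Cisco's implementation and not taken from the slides). It assumes the parity packet is a bytewise XOR of the four length-prefixed data packets, which the slide does not specify; all function names and the sample payloads are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

BLOCK = 4  # data packets per parity packet, the ratio given on the slide

# Constructed sample payloads of different lengths (two full blocks).
SAMPLE: List[bytes] = [f"txn-{i}:".encode() + b"x" * i for i in range(8)]


def _frame(payload: bytes, width: int = 0) -> bytes:
    """Prefix the payload with its 2-byte length, then zero-pad to `width`."""
    framed = len(payload).to_bytes(2, "big") + payload
    return framed + b"\x00" * max(0, width - len(framed))


def _xor_into(acc: bytearray, data: bytes) -> None:
    for i, byte in enumerate(data):
        acc[i] ^= byte


def make_parity(block: List[bytes]) -> bytes:
    """Sender side: XOR of all framed payloads in the block (assumed scheme)."""
    width = max(len(_frame(p)) for p in block)
    parity = bytearray(width)
    for payload in block:
        _xor_into(parity, _frame(payload, width))
    return bytes(parity)


def recover(received: Dict[int, bytes], parity: Optional[bytes],
            size: int = BLOCK) -> List[Optional[bytes]]:
    """Receiver side: rebuild at most one missing packet per block.

    `received` maps position in the block to payload. Positions that cannot
    be rebuilt (two or more losses, or one loss plus a lost parity packet)
    stay None, which is what the application would see as packet loss.
    """
    out: List[Optional[bytes]] = [received.get(i) for i in range(size)]
    missing = [i for i, p in enumerate(out) if p is None]
    if len(missing) == 1 and parity is not None:
        acc = bytearray(parity)
        for payload in received.values():
            _xor_into(acc, _frame(payload, len(acc)))
        length = int.from_bytes(acc[:2], "big")  # length prefix of the lost packet
        out[missing[0]] = bytes(acc[2:2 + length])
    return out


def send_over_lossy_link(payloads: List[bytes],
                         dropped: Set[Tuple[int, int]]) -> List[Optional[bytes]]:
    """Simulate the WAN link. `dropped` holds (block_number, index) pairs;
    index BLOCK refers to the parity packet of that block."""
    delivered: List[Optional[bytes]] = []
    for start in range(0, len(payloads), BLOCK):
        block = payloads[start:start + BLOCK]
        n = start // BLOCK
        parity = None if (n, BLOCK) in dropped else make_parity(block)
        arrived = {i: p for i, p in enumerate(block) if (n, i) not in dropped}
        delivered.extend(recover(arrived, parity, len(block)))
    return delivered


if __name__ == "__main__":
    # One loss per block is hidden from the application; two are not.
    print(send_over_lossy_link(SAMPLE, {(0, 2)}) == SAMPLE)
    print(send_over_lossy_link(SAMPLE, {(1, 0), (1, 3)}))
```

The cost is one extra packet per four on the wire (25% overhead), and a burst that removes two packets of the same block still reaches the application as loss, which is the case Solution 2 addresses by using both links.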

Cisco SD-WAN: support for devices that use DHCP options

DHCP Options enhancement - Support for multiple vendor options

cEdge running DHCP server

DHCP Request with vendor specific option code

DHCP Offer with vendor specific options (tftp server etc)

Campus Devices

CUCM

TFTP Server

Joint use of Cisco SD-WAN and GOST cryptography

Joint use of Cisco SD-WAN and GOST encryption

SD-WAN

S-Terra

SD-WAN tunnels (GRE)

IPsec + GOST tunnels (static or dynamic)

[Diagram labels: LAN, SD-WAN edge, S-Terra edge, S-Terra edge, SD-WAN edge, LAN]

[Topology diagram labels: S-Terra Edge #1, #2, #3; SD-WAN Edge #1, #2, #3; ISP; SD-WAN controllers; Static crypto-tunnel; "DMVPN" crypto-tunnel; GRE tunnel. Address labels: mGRE1: 13.10.10.2/24, mGRE0: 12.10.10.2/24, mGRE0: 12.10.10.100/24, mGRE0: 13.10.10.100/24, 11.0.0.10/8, 11.0.0.14/8, 11.0.0.18/8, 10.1.8.0/24, 10.2.8.0/24, 10.8.10.0/24, 1.1.1.0/24]

Joint use of Cisco SD-WAN and GOST encryption

• Tested in the Cisco lab
• A detailed description and a set of reference crypto-gateway configurations are available

• Preserves all core SD-WAN capabilities
• Requires no additional configuration on the SD-WAN side

• Uses the GOST encryption solution from S-Terra
• Requires the crypto gateways to be configured in advance

Conclusions…