Transcript: User Trust - 至顶网
Cisco China Borderless Networks Business Unit
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
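Cisco Trusted Network Architecture
What is the Cisco Trusted Network Architecture?
Trusted Network Architecture
The physical boundary of the network is disappearing, and customers need a more secure and reliable infrastructure. The Cisco Trusted Network Architecture performs flexible, on-demand identity authentication for all users and devices that access the network, intelligently identifies non-user devices such as IP phones and smart endpoints, and manages those devices according to flexible security policies. The Cisco Trusted Network Architecture also provides Layer 2 line-rate traffic encryption, offering a confidential data transmission platform.
User trust
User/device identification
Link trust
Line-rate encryption of egress traffic
Multiple combined conditions
Mutual authentication between network devices
Username: password
RTW#(*J0$^&*
Value of the solution to customers
• Provides customers with a secure infrastructure network platform;
• Provides customers with flexible network admission and authorization policies;
• Provides customers with visualized security operations management;
Device trust
Access time
Solution components:
• Cisco ISE policy server;
• Cisco switch products;
• Cisco wireless products;
Target customers?
• Enterprises with strict network admission requirements;
• Enterprises that need flexible and varied network admission policies;
• Enterprises whose networks need to identify non-user endpoints such as IP phones, IP printers and smart endpoints, and to set flexible network admission policies based on the identified device type;
Value of the solution to Cisco
• Fully demonstrates Cisco's architectural strengths in infrastructure network security;
• Based on the customer's actual needs, turns pure product competition into solution competition and sets a high competitive barrier for rivals;
• Once the customer adopts the solution, it helps lock in subsequent upgrade projects;
Data is transmitted as ciphertext
Access location
Health status
Cisco trusted infrastructure network platform
Line-rate decryption of ingress traffic
How to sell:
• In the data center, start with MACsec and emphasize the Layer 2 line-rate encryption of Cisco switches;
• In the campus network, emphasize Cisco's flexible multi-factor network admission and authorization policies (based on user role, access time, access location, and so on);
• For unified wired and wireless access, emphasize Cisco ISE's intelligent identification of IP phones, IP printers and smart endpoints and its dynamic security policies;
How to deliver:
• Deployment and configuration documentation: BU solution guide;
• SBA design guide;
Want to learn more?: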
External:
http://www.cisco.com/en/US/netsol/ns1051/index.html
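Identity authentication when users access the network, confirming that the user is trusted;
Network resource access rights are granted to users dynamically according to rules (user group, access method, access time, access location);
Audit of users' network resource access records;
User trust
User/device identification
Identity authentication when devices access the network, confirming that the device is trusted;
Network devices accept traffic only from trusted neighboring network devices;
Traffic from untrusted neighboring network devices is dropped;
Device trust
Multiple combined conditions
Link trust
Line-rate encryption of egress traffic
Device-to-device authentication
Username: password
RTW#(*J0$^&*
Access time
Line-rate traffic encryption between devices when they are connected over an "untrusted" link;
Line-rate traffic encryption between servers/clients and switches when they are connected over an "untrusted" link;
Data is transmitted as ciphertext
Access location
Health status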
Cisco trusted infrastructure network platform
Line-rate decryption of ingress traffic
Security Group Tagging and forwarding
Cisco TrustSec on Sup2T
Security Group Enforcement
MACSec Encryption
TrustSec Reflector
TrustSec on VSS
SGT Enforcement
SGT=7
IT Portal (SGT 4)
Users,
Endpoints
LWA
802.1X
Sup2T
Campus
Network
Sup2T
Sup2T
ACS v5.1
Active
Directory
MAB
Agent-less
Device
SGT Assignment
Public Portal (SGT 8)
Internal Portal (SGT 9)
Doctor (SGT 7)
IT Admin (SGT 5)
Untagged Frame
Patient Record DB (SGT 10)
Tagged Frame
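802.1ae line-rate data encryption/decryption and integrity control
Prevents illegitimate attacks starting at Layer 2
Anti-sniffing
Anti-tampering
Anti-attack
Does not affect other packet inspection features
Point-to-point deployment, controllable per link
Supports MACsec over EoMPLS
Secures link-layer data across all campus distribution and core networks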
Sup2T and 6513-E
69xx Series: 80 Gbps per slot
8p 10G full line rate
4p 40G/16p 10G
Built-in DFC4
68xx/67xx Series: 40 Gbps per slot
1GbE Fiber: 24p/48p
10/100/1000: 48p
10GBASE-T: 16p
10G Fiber: 16p
Built-in DFC4
Service modules
WiSM-2
ASA-SM
NAM-3
ACE-30
Innovation
Cat6500-E
Investment protection
All E-Series chassis
Easy upgrade from 67xx line cards
All 61XX PoE/PoE+ line cards
Compatible with legacy service modules
80G/160G supported on all E-Series chassis
6503-E: 34x10GE, 96x1GE, 8x40GE, 150Mpps
6504-E: 50x10GE, 144x1GE, 12x40GE, 210Mpps
6506-E: 82x10GE, 240x1GE, 20x40GE, 330Mpps
6509-E: 130x10GE, 384x1GE, 32x40GE, 510Mpps
6513-E: 180x10GE, 528x1GE, 44x40GE, 720Mpps
6509-V-E: 130x10GE, 384x1GE, 32x40GE, 510Mpps
Supervisor Engine Portfolio
VS-S2T-10G
VS-S2T-10G-XL
10-GE
Uplink
Service Module Portfolio
WiSM 1/2
NAM 2/3
10-GE Line-Card Portfolio
10
GE
Fiber
FWSM /
ASA-SM
ACE 30
WS-X6908-10G-2T
(XL)
WS-X6816-10G-2T
(XL)
WS-X6148A-GE-TX
WS-X6148E-GE-45AT
WS-X6816-10T-2T
(XL)
Nonblocking
Oversubscribed
Wiring Closet 10 / 100 /
1000 TX & PoE
10G Copper
Line-Card Portfolio
Power Supply
1
GE
WS-X6848-SFP-2T
(XL)
WS-X6824-SFP-2T
(XL)
Fiber
WS-X6848-TX-2T
(XL)
Copper
3000W AC, 4000W AC
6000W AC, 8700W AC
4000W DC, 6000W DC
Industry-Leading Power Efficiency
The most powerful Catalyst 6500 platform to date
3X System Performance
4X Data Plane Scalability
4T Virtual Switching System
40 Gigabit Ethernet Ready
Up to 13M NetFlow Entries/system
1 million routes and 256K multicast groups
Large Packet Buffers
The richest set of Borderless Networks features on the Catalyst platform
Supported with
LMS 4.1 & DCNM
End to End Network Virtualization – MPLS, EoMPLS,
L2VPN/VPLS, VRF-Lite, Easy Virtual Networks (EVN)
Security with TrustSec, MACsec, Atomic ACLs and ASA-SM
Application Visibility with NAM-3 and Flexible NetFlow
Unified Mobility with WiSM2
Comprehensive IPv6 Ready for Transition
Future Proof: 40G Ready, OTV Ready, TRILL Ready, LISP Ready
8-port 10G full line-rate line card
4-port 40G line card
• Two SKUs: regular and XL tables (DFC4)
• IEEE 802.3ba standard compliant
• X2 Transceiver or SFP+ w/ adapter
• Two SKUs: regular and XL tables (DFC4)
• Wire Rate MacSec (IEEE 802.1AE)
• CFP Transceiver for 40G, SFP+ for 10G
• Large packet buffers (256MB/port)
• Wire Rate MacSec (IEEE 802.1AE)
• Virtual Switch Link (for VSS)
• 10G mode via FourX adapter
• A-VPLS , OTV and LISP ready*
• Virtual Switch Link (for VSS)
• A-VPLS , OTV and LISP ready*
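Industry's first 40G Ethernet switching module
• Successfully demonstrated the industry's first 40G switching module at Supercomputing
40GE
• Showcased the industry's first 100GE module on the CRS-3
• Demonstrated the 40G module's good support for servers and a variety of cables and modules
10GE
10GE
Cisco
UCS C200 M2
10GE
10GE
Cisco
UCS C200 M2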
Reference: http://www.ethernetalliance.org/files/static_page_files/2Ethernet_Alliance_Demonstration_at_SC10.pdf
Next-generation wireless services module - WiSM-2
Performance
Access Points
Clients
Concurrent AP Upgrade/Joins
Mobility, Domain Size
10 Gbps
500
10,000
Up to 16 Gbps
Performance
Up to 6 Gbps
Compression
30,000
250
Virtual Context
Up to 18,000 APs
250
VLANs
Monitoring Performance
10 Gbps Plus
Capture to External Disk
Up to 5 Gbps
1588
Timestamps
Next-generation firewall module - ASA-SM
64 Gbps
16 G
10,000,000
300,000
250
HW Filters/ Pkt Captures
Transactions per Second
Up to 500
Next-generation traffic analysis module - NAM-3
Performance Analytics
Next-generation load balancing module - ACE-30
1,000
Chassis Performance
Performance
Concurrent Sessions
Connections per Second
Security Contexts
VLANs
Sup720
Sup2T
67xx Series w/ CFC
Supported
67xx Series 1GbE w/ DFC3
WS-F6K-DFC4-A
6704-10GE w/ DFC3
WS-F6K-DFC4-A
6716-10GE Fiber
WS-F6K-DFC4-E
6716-10GBASE-T
WS-F6K-DFC4-E
6708-10G Fiber
6908-10G Fiber (80G)
61xx Series
Supported
Previous-generation service modules
Supported
61xx
Line Cards
Legacy
Service Modules
Next Gen.
Service Modules
WS-X6148A-RJ-45
FWSM
ASA-SM *
WS-X6148A-45AF
ACE 20
ACE 30
WS-X6148-FE-SFP
WiSM
WiSM-2
WS-X6148A-GE-TX
NAM-1
NAM-3 *
WS-X6148A-GE-45AF
NAM-2
WS-X6148E-GE-AT
Combining performance and service advantages
4T VSS
40G port ready
Tunnels, L3VPNomGRE
L3SGT For TrustSec Interoperability
OTV, Trill Ready
Flexible Netflow
VSS 4T
Next Gen
Core
Cat6k/Sup2T
4T VSS
Integrated NG Svcs (WiSM2, ASA, NAM,
ACE-30), Multicast HA
Smart Install Director*
OTV, Trill Ready
Flexible Netflow, Egress Netflow
VSS 4T
Next Gen
Distribution
Cat6k/Sup2T
TrustSec
EnergyWise
NGPoE (60W) Ready
Flexible Netflow
IPv6 First Hop Sec.
Next Gen
Cat4k/ Sup7-E
Cat3k/ 3750X
Cat2K/2960S
Access
Secure
Resilient
Robust
Virtualized
Simple
Video optimized
VDI ready
IPv6 support
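Complete core network feature set
720
Rich access network feature set
2T
Powerful core fabric
4T VSS
40G ready
L3VPN o mGRE
Sup32
WAN
720
2T
Comprehensive PoE+ capability
Smart Install*
EnergyWise
Complete virtualization support
Medianet
Comprehensive high availability
TrustSec Identity Kit
TrustSec Reflector
IPv6 First Hop Security
VRF-Lite, L3VPN, L2VPN, EVN*, LISP*
VSS Quad Sup SSO*
Industry-leading IPv6 and multicast support
Tunnels, URPF, 256K mcast Groups
Industry-leading traffic analysis capability
Flexible Netflow, Egress, Sampled
Comprehensive security features
TrustSec, L3 SGT,
High-performance next-generation service modules
WiSM2, ASA SM*, NAM*, ACE30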
DHCP Snooping
Dynamic ARP Inspection
IP Source Guard
PACL
Autosecure
Smartports/Auto QoS
Auto Smartports*
OSPF Router Acces
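Scalability
• Industry-leading table scalability: ACL, Netflow, IPv4/v6
• Industry-leading packet buffers: up to 256MB/10GbE port (highest in the industry)
• Industry-leading multicast forwarding capability
• Increased to 16K bridge domains, providing high scalability for cloud deployments
• Smooth transition from 1GbE to 10GbE/40GbE
Virtualization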
• 128K MAC Table (effective +50% vs. Sup720)
• VPLS in HW for L2 extension/VM Mobility
• Large L2 domains up to 1152 GbE ports/VSS for VM Mobility
• LISP and OTV ready
• 10GBASE-T access for servers
Simplified operations
Rich services
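• Simplify w/ VSS: no STP, no FHRP, lower maintenance costs
• Consistent IOS makes upgrades easy for users
• The only switch with an independent out-of-band management system (CMP)
• Rich control-plane protection: CoPP, SPAN/RSPAN/ERSPAN/mini protocol analyzer…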
• Open Manageability with XML/Web service API
• ASA-SM Firewall blade for up to 64 Gbps (Chassis Performance)
• ACE-30 Load Balancer for up to 16 Gbps
• Performance analytics and 1588 services with NAM-3
• Up to 13M Netflow entries w/ FNF, Sampled, Egress, Multicast…
• Full IPv6 Hardware parity with IPv4
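Feature
Bandwidth per slot
C6K-Sup2T
EX8200
A9500/A7500
C4500
N7000
80 G
80 G
60-120G/24-48G
48 G
230 G
Virtual switching system
*
MPLS/VPLS
Security service module
Wireless service module
Network analysis module
Sampled Netflow
Flexible Netflow
ERSPAN/EEM/GOLD
TrustSec
Routing table size (IPv4)
1M
512K
256K
256K
1M
40G port support
LISP ready
EVN ready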
Core
Access
Catalyst 6500
Sup2T
Catalyst
4500E
HP A12500/10500
Juniper EX8200
HW S12700
HP A9500
HW S9300
Juniper EX8200
HP A7500
Nexus 7000
Catalyst 6500
Sup2T-VSS
PERFORMANCE
Distribution
PRICE
Catalyst 6500
Sup2T-VSS
Catalyst 6500
Sup2T-VSS
TrustSec
VSS 4T
Security ToolKit
Application
Performance and
Monitoring
Manageability
Energy
Sustainability
VSS 4T
Network
Virtualization
Robust Control Plane
IPv6
MediaNet
VSS4T
Next Generation
Linecards as
Well as 67XX
Flexible Netflow
Based Infrastructure
of 6500, so VSS 4T
Supports Standalone
Features and More
VSS 4T
TrustSec
Service Modules Support
L2 and L3 MEC Enhancements
Up to 4T bps on up to 388 TenGig Ports
VSS 1440
What’s New with Sup2T?
• ACL “Dry Run”—test if the ACL will fit in the TCAM before applying it
Protect your control plane from unanticipated disruption due to ACL programming
No traffic disruption when applying complex ACL
• Role-based ACL with SGACL
• ACL Atomic “Hitless” update
• 1:1 ACL masking to maximize TCAM usage
• IPv4/IPv6 parity in ACL features
• Large Scale ACL
Identity aware ACL
• New match criteria—DSCP, IP Prec, TTL, length, Q-Q inner and outer CoS and Vlan
[Charts: ACL Labels, Security ACEs and Port ACLs (in thousands), PFC3 vs. PFC4]
Protect Your Most Important CPUs of Your Infrastructure
Why it matters?
• When under a DoS attack, you want to avoid network meltdown, so you need to keep control of your network
How it protects the CPU?
• Control Plane Policing protects the switch control plane from being compromised by excessive traffic loads
• Select and limit the traffic that will hit your CPU
IPv6 NDP
Control Plane Policing
What’s new with Sup2T?
Netflow on CoPP interface
Easy Provisioning
Sup2T’s CoPP
Per byte / Per Packet accounting
More Granularity
Hardware Distributed Policing
Predictable Policing
Suited to high-traffic backbone networks
CPU optimization
Optimal CPU utilization
with Yielding Netflow
Data Export, direct
export from
linecard
Flexible
Netflow
CPU Friendly
Export
Egress NetFlow support
Allow to use netflow
after ingress lookup is
done (ex: after DSCP
remarking is done)
Allow to account for
multicast traffic per
destination instead of
per group
Flexibility and customizability
Increased flexibility and
customization by selecting the
fields to match and collect
Egress
Netflow
Sup2T
Netflow
Up to 13M
Flows/
System
Sampled
Netflow in
Hardware
Greater flow-handling capacity
Bigger tables mean
more entries per DFC.
Up to 13 million entries
with a 13 slot chassis.
You can get better
visibility in your
network
Optimized hardware utilization
To optimize the Netflow
tables utilization and
minimize load on
analyzers
Connectivity Management Processor (CMP)
Per Protocol (v4, v6, MPLS, VPN Interface)
Interfaces Statistics
Manageability
Over 2 million counters!
NEW on
Sup2T
Blue Beacon LEDs
Open Manageability XML API
Gold
EEM
Multi-Protocol Analyzer
Smart Call Home
ERSPAN
Comprehensive MIBs
Sup720
Sup2T
MPLS
• 1000 VRF support
• MPLS TE, CSC
• Multicast VPN
• 4000 VRF support
• L3VPN o mGRE
• Label Switched Multicast (LSM)*
VRF-Lite
• Up to 8 VRFs
• Easy Virtual Networks (EVN)*
• 32 VRFs
VRF Services
• VRF aware ACLs, VACL, BFD,
HSRP, PBR, Syslog, TACACS,
Telnet, GLBP, VRRP
• VRF aware: WCCP, NTP, SSH,
FTP, IPv6 Tunnels
• VPLS on WAN linecards
• Advanced VPLS
• EoMPLS Native Ethernet
• Native VPLS any Ethernet port
• No multicast flooding on VPLS*
• MPLS interface counters
• MPLS aware Netflow P Router*
• Flexible Netflow for MPLS
L2VPN
Operations
• Set syslog to a VRF loopback
• MPLS egress Netflow
• Call Home email in a VRF
• NDE collector in a VRF
• IP SLA Phase 1
Performance
• L3 and L2 Multicast Replication @880 Gbps
• 2 Terabit Fabric Bandwidth with 500+ ports
• 256,000 multicast routes in new mFIB
• NAT in Hardware
• IGMPv3/MLDv2 Snooping in Hardware
Microbursts
• Deep Packet Buffers 256MB/port WS-X6908
• Resiliency with VSS, Multicast High Availability
Compliance
• Multicast Flexible Netflow v9, SPAN, VACL,
• Replication Drop Counters
Security
• MD5 authentication, Router Guard, Multicast Group-Range, Multicast Boundary, CoPP Multicast enhancements
Control
• PIM Registers and SPT switch in Hardware
• IEEE 1588 Timestamps (NAM-3)*
• PIM SM, PIM SSM, Bidir-PIM, IGMP v2/3
Access
Distribution
Core
Edge
Optimized for IPv6
For IPv6 security
• EIGRPv6, OSPFv3,
BGPv6
• IPv6 PBR*
• IPv6 CoPP
• EIGRPv6, OSPFv3, IS-IS
• IPv6 support for VSS
• ECMP
• OSPFv3 GR
• IPv6 PIM-SSM, MLDv2,
Embedded RP
• IPv6 QoS
• DHCPv6 Relay Agent
• HSRPv6/GLBPv6
• IPv6 support for VSS
• Stateless Auto configuration
• IPv6 management: SNMP,
Syslog, SSH, NTPv4,
Tacacs+
• IPv6 interface stats
• IPv6 IPsec
• IPv6 Firewall Security
• IPv6 IDS
• IPv6 ASA Service Module*
• IPv6 ACL
• IPv6 ACL Atomic
Commit/Dry Run
• uRPF
• IPv6 Ingress Netflow
• IPv6 Flexible Netflow
• IGMPv3/MLDv2 Snooping
• IPv6 First Hop Security
• IPv6 PACL/RA Guard
For v4-to-v6 migration
• Dual Stack IPv4/IPv6
• V6 over v4 tunnels:
6vPE/6PE, L3VPNoMGRE,
DMVPNv6, Static tunnels
• 6 to 4 translation, LISP*
• NAT64 with ASA*
MPLS/ IPv4/
IPv6 Core
Internet
• Dual Stack IPv4/IPv6
• 6to4 tunneling, ISATAP
• LISP*
• Dual Stack IPv4/IPv6
• 6vPE/6PE
• 6to4 tunneling
• ISATAP tunnels
• LISP*
• Unified VRRP*
• Dual Stack IPv4/IPv6
• ISATAP and static
Tunnels
Supervisor 2T released in July 2011
A platform with unprecedented longevity in the switching industry
Sup 2T—Next Generation Supervisor
Sup720-10G (VSS Enabled)
EOS
End of Sale
EOL
End of Life
End of Support
Sup32
Sup720-3B
Sup720-3A
EOS
EOS
Sup2
Sup 1A
2000
2005
EOS
EOL
Maintain Support
EOL
Maintain Support
EOL
Maintain Support
2010
12 years
12 years
12 years
2015
2020+
“Video is a core technology at Apple; … The Supervisor
Engine 2T, with VSS implementation, expands the
existing, available bandwidth of all deployed E-Series
Catalyst 6500 chassis to 4 Terabits per second. This
compounded with 80 Gigabits per slot capacity and
scaled, hardware multicast route support ensures the
operational integrity of Apple’s network.”
– Patrick Millette, AM Apple
… BT, a long-time Catalyst customer, has
6500 switches deployed throughout the
network in IP Core, Data Center, Enterprise,
and Ethernet aggregation points. The Sup2T, in VSS
configuration, enables BT to leverage their extensive
existing infrastructure and expand the current switch
bandwidth to 2-Terabit capacity and future-proof for 40G
readiness. ….”
– Jim Wicks, SE, BT
“We are excited to be working with Cisco to receive
some of the first shipments of the eagerly awaited
Supervisor 2T modules. Loughborough's IT service
provision requires the cutting edge technology these
new modules provide, complementing the new
functions on Cisco's IPv6 roadmap. We look forward to
working with Cisco for many years to come.”
– Matthew Cook, Network and Security Manager,
Loughborough University, IT Services
“For Penn State University, Bandwidth
is at the forefront of their core network
requirements. With Catalyst 6500 Switches
deployed through the core and into distribution,
Penn State is looking to the Supervisor Engine 2T to
expand the current bandwidth to 2-Terabit capacity and
future-proof the existing infrastructure for 40G
readiness. Flexible Netflow capability enables the
transition to IP-based statistics collection, driving
enhanced billback capabilities”
– Chris Sullivan, AM Penn State
“Rackspace is a long-standing Cisco customer with Catalyst 6500 switches deployed throughout their
network for various use cases; Internet Edge, IP Core, as well as L3 Aggregation utilizing VSS for
services applicable to both Cloud and Managed Hosted environments. … Rackspace is looking to the
Sup2T to provide more capacity; Control Plane scalability, bandwidth scalability at 80G per slot, and the
ability to utilize the larger Netflow tables are all key metrics. Sheer capacity is key for hosting
companies, and Flexible Netflow is ideal for Denial of Service mitigation techniques.”
– Ellis Merworth, SE Rackspace,
Fast Forward To…
Scalability
Performance
Sup1A
Sup2
Sup2T
32 Gbps
256 Gbps
2048 Gbps
+180 10G ports
10 GbE Fiber/Copper
Netflow Table
32K
32K
1024K
ACL Scalability
16K
32K
256K
Bridge Domains
4K
4K
16K
-
256K
1M
FIB Table
+ 800%-3200%
+3200%
Configurable
Security/QoS
+ 400%
EEM/GOLD/Smart CH
Operations
NAM
ERSPAN
Flexible Netflow
Sampled Netflow
Per protocol stats
Per VPN stats
2M counters pkt/byte
Cisco Highly Confidential
Fast Forward To…
Sup1A
Sup2
Sup2T
CPU Rate Limiters
Control Plane Policing
Security
Enhance uRPF
NAT/PAT in HW
Role Base ACL
Atomic ACL
ACL “dry run”
MacSec (L2 encrypt.)
Netflow TCP flags
QoS
UBRL
Egress Policing
Distributed Policing
+pkt len/TTL
+IP opt v4/v6
Ingress/egress
Enhanced classificat.
Microflow policing
Fast Forward To…
Sup1A
Sup2
Sup2T
Virtualization
MPLS L3 VPN
VPLS and L2oMGRE
VRF-lite
Virtual Switching
GRE HW Tunneling
VPN aware Netflow
VPN aware NAT
Multicast in HW
Multicast
Egress Replication
Bidir PIM
Multicast VPN
Multicast IPv6
IGMPv3 (SSM)
PIM register in HW
Thank you.
INNOVATION
DIFFERENTIATION
Innovation with
Investment Protection
The Network Services
Platform for Unified
Access and Unified Fabric
TRANSITION
COMPETITIVE
LEADERSHIP
Driving Next-Gen
Ethernet
In the Campus
1G » 10G » 40G » 100G
CATALYST 6500
E-SERIES
Lead Core/Distribution
Platform in Industry
over HP (A7500/A9500)
and Juniper (EX8200)
Fixed
Modular
Catalyst
Access
Aggregation
Catalyst 4500
Catalyst 3750
Catalyst 2960
Nexus
Core
Core
Aggregation
Catalyst 6500
Catalyst 4900
Access
Nexus 7K
N5K
Nexus 3K | Nexus 2K
Cisco Unified Access | Enterprise Campus Differentiation
Cisco Unified Fabric | Data Center Architectural Innovation
NGA 1.0 / NCS » EnergyWise
ISE » UPOE
Unified Ports » DCB / FCoE
Nexus 1000v » VDC
Unified Fabric = Nexus + NXOS
Cisco Unified Services | Cross Architecture Network Value
Unified
Access = CATALYST + IOS!
FabricPath » Medianet » LISP » FEX-link
OTV » Netflow v9 » TrustSec » VSS / vPC
Cisco TrustSec
E-OAM 3.0
Stateful EoMPLS
RBACL
IPSLA support for EVC
Etherchannel Enhancements
TrustSec Ingress/Egress reflector
802.1ag CFM Draft 8
Native VPLS
SGT Tagging and Filtering
Service Module Support
VRF aware SSH, FTP, NTP
Dry run for ACLs
On Board Failure Logging
DAI accelerated in HW
Atomic ACL Update
Netconf, Http, Soal, TCL… over IPv6
WCCP Closed group
Flexible Netflow
IPv6 uRPF
MQC Queuing policy for ingress/egress
Egress Netflow
PACL support for IPv6
DSCP classification
Sampling Netflow in HW
CMP
QoS ACL per policy class
Hardware CoPP
XML Programmatic interface
Per-protocol statistics
New level of IPv6 support
Web Service
PIM Registers in HW
Per VLAN broadcast statistics
Distributed Aggregate Policers
IP-Based IGMPv3 Snooping support
EEM v3.0
Bi-dir Enhancements
EVC 2.0
ACL/QoS scalability
uRPF + ACL
New ACL classifications Options
VPLS
NAT
TrustSec
FnF
QoS
MCast
MPLS
IPv6
ACL Enh.
CoPP Enh
CMP
XML API
Cisco IOS Software 12.2(33)SXI3 Features Set
…more than 200 new features supported in total!