Cisco Enterprise Silicon

Size: px

Start display at page:

Download "Cisco Enterprise Silicon"

Janice Summers
6 years ago
Views:

Jones BRKARC-3467 Distinguished System Engineer

2 Cisco Enterprise Silicon Delivering Innovation for Advanced Routing and Switching Dave Zacks Peter Jones BRKARC-3467 Distinguished System Engineer #HighBitRate

Install Spark or go directly to the space 4.

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkarc Cisco and/or its affiliates. All rights reserved. Cisco Public

define these projects and then assisting as they progress towards and through design, development, and solution introduction.

4 By Way of Introduction Dave is a Distinguished System Engineer, and has been with Cisco for 17 years. As a DSE within the Enterprise Networks Architecture team, Dave works primarily on capabilities and solutions that are anywhere from 12 to 36+ months out, helping to define these projects and then assisting as they progress towards and through design, development, and solution introduction. Dave has a strong background in, and focus on, customer requirements, and integrating these into the products and solutions Cisco builds. Dave has a special interest in Flexible Hardware and Fabric architectures. Dave Zacks Distinguished System Engineer

with the Catalyst 3850 / 3650 platform as well as the UADP ASIC.

5 By Way of Introduction Peter is a Software Principal Engineer, and has been with Cisco for over 10 years. Peter works on System Architecture (ASIC, hardware & software) for Cisco Campus switching, with extensive experience with the Catalyst 3850 / 3650 platform as well as the UADP ASIC. As well, Peter is heavily involved in the standardization of 2.5G / 5G BASE-T Ethernet as NBASE-T Alliance chair and in IEEE Peter Jones Principal Engineer

Cisco Enterprise Silicon Delivering Innovation for Advanced Routing and Switching BRKARC-3467 Session Overview and Objectives Come to this session to learn about the latest advances in Cisco

6 Cisco Enterprise Silicon Delivering Innovation for Advanced Routing and Switching BRKARC-3467 Session Overview and Objectives Come to this session to learn about the latest advances in Cisco Enterprise silicon development ASIC (Application Specific Integrated Circuit) hardware which provides a key foundational element of Cisco's Enterprise Networking portfolio, and which support key industry trends such as SDN. Attendees at this session will gain a greater insight into how ASICs are created showcasing the advanced capabilities and functionality delivered by two of Cisco's latest switching and routing silicon innovations UADP (Unified Access Data Plane) and QFP (QuantumFlow Processor). By developing custom silicon, and leveraging this advanced hardware within our Enterprise portfolio, Cisco has always provided differentiating capabilities and compelling customer value across many platforms. In this session, we will explore the capabilities and advantages provided by custom Cisco silicon, provide greater insight into the functionality delivered by existing Cisco Enterprise ASICs, and explore the new capabilities and solutions enabled by Cisco's latest generation of Enterprisefocused programmable switching and routing chipsets UADP and QFP. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Agenda BRKARC-3467 Cisco Enterprise Silicon Delivering Innovation for Advanced Routing and Switching Need for Network Innovation Primer How ASICs are Designed & Built The Importance of Flexible Silicon UADP Flexible Switching Silicon QFP Flexible Routing Silicon APs Flexible Wireless Silicon Leveraging Flexible Silicon for Encrypted Traffic Analytics Leveraging Flexible Silicon for Software Defined Access and Summary Dave Dave Peter

This is an ambitious presentation BRKARC-3467 2017 Cisco

We are going to try to cover Cisco Innovation from The Gates to the GUI

No, I don t mean this Gates 2017 Cisco and/or

And Why These Innovations Matter BRKARC-3467 2017 Cisco

16 Overview The Need for Network Innovation

18 New Cisco DNA Introductions Built on Cisco Digital Network Architecture Open DNA Center Cloud Service Management Automation and Assurance Principles Automation Analytics Programmable SD-Access and Virtualization Assurance Security and Compliance API Driven Programmable Physical and Virtual infrastructure Catalyst 9000 Security Encrypted Traffic Analytics Insights and Experiences Software Subscription Licensing DNA Advisory, Technical, Support Services BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

Team ASICs are a pillar of Cisco innovation BRKARC-3467 2017

19 David Goeckeler Cisco SVP, Security and Networking Cisco Live Las Vegas 2016 Innovation in the network EISG Architecture Team ASICs are a pillar of Cisco innovation BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

21 What is an ASIC? An Application Specific Integrated Circuit is an integrated circuit customized for a particular use, rather than intended for general purpose use BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

24 Hardware and Software Building on a Strong Foundation QFP QuantumFlow Processor Advanced, Multi-Core, Feature-Rich Routing Silicon IOS-XE The Evolution of IOS Taking the Proven Strengths of IOS to the Next Level UADP Unified Access Data Plane Flexible, Programmable, High-Performance Switching Silicon Fully Programmable Scalable Advanced on-chip QoS Secure Extensible Architecture Operational Uniformity New Foundational Capabilities Speed of Innovation Velocity Foundation for Virtualization Platform for the Future Fully Programmable Scalable Advanced on-chip QoS Secure Extensible Architecture People that are really serious about software should build their own hardware 100% Cisco-developed Flexible Silicon Unlocking the Power of DNA at Hardware Speeds 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

25 Quick Primer How Networking Silicon is Designed and Built

27 ASICs From Definition to Deployment Then, it starts with coding Verilog VHDL Synthesis Process Converts code into logical gate constructs (Netlist) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

ASICs From Definition to Deployment Floor Planning &

planning Arrange and interconnect constructs, connect

code into logical gate constructs (Netlist) BRKARC-3467

28 ASICs From Definition to Deployment Floor Planning & Placement Then, it starts with coding Verilog VHDL Floor planning Arrange and interconnect constructs, connect power, minimize crosstalk, etc Synthesis Process Converts code into logical gate constructs (Netlist) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

mostly used @ 22nm and above mostly used @ 16nm and below Discrete transistor MOSFET (metal oxide semiconductor field effect transistor) FinFET (fin field effect transistor) which, when we put

30 mostly 22nm and above mostly 16nm and below Discrete transistor MOSFET (metal oxide semiconductor field effect transistor) FinFET (fin field effect transistor) which, when we put millions of them together on a silicon die, produce a chip! NAND gate AND Gate XOR Gate Universal Gates OR Gate NOT Gate XNOR Gate which can be used to build any of the other logic gates NOR Gate BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

mostly used @ 28nm and above mostly used @ 22nm and below Discrete transistor MOSFET (metal oxide semiconductor field

1 191M gates NAND gate Catalyst 3850 mgig AND Gate XOR Gate Universal Gates UADP 2.

31 mostly 28nm and above mostly 22nm and below Discrete transistor MOSFET (metal oxide semiconductor field effect transistor) FinFET (fin field effect transistor) UADP M gates NAND gate Catalyst 3850 mgig AND Gate XOR Gate Universal Gates UADP M gates Catalyst 9300, 9400, 9500 OR Gate NOT Gate XNOR Gate which can be used to build any of the other logic gates NOR Gate BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

which was built from nothing but that 4100 ICs, each of

we put a man on the moon with less than 10,000

46 billion transistors to route your packets!

32 Fun Fact! Apollo Guidance Computer We put a man here using this which was built from nothing but that 4100 ICs, each of which contained a single 3-input NOR gate In other words we put a man on the moon with less than 10,000 transistors It takes 7.46 billion transistors to route your packets! With the appropriate security, segmentation, QoS, encryption, fragmentation, etc, etc BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 We are talking transistors and how many we can pack in an ASIC die Transistor Width measured in Nanometers Nanometer = One Billionth of a Meter The number of transistors incorporated into a chip will approximately double every months Moore s Law BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

35 Single human hair How SMALL is SMALL? ONE NANOMETER less than 1/4 th of an inch! about the same thickness as three pennies on this scale and then we come to this little pinprick over here Red blood cell (7,000 nm) rises to 10 th floor ~ 100,000 nm Empire State Building = 1454 feet to tip = 443 meters and we build transistors measured in nanometers BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

SiO2 layer Silicon substrate Photoresist Similar cycle repeated to

Projected light Mask Lens How Long Does It Take to Manufacture a

Metal connector New photoresist spun on wafer, steps 2 4 repeated

Doped region Exposed photoresist removed Exposed areas etched by

39 SiO2 layer Silicon substrate Photoresist Similar cycle repeated to lay down metal links between transistors Prepared silicon wafer Projected light Mask Lens How Long Does It Take to Manufacture a Wafer? Metal connector New photoresist spun on wafer, steps 2 4 repeated Ions shower etched areas, doping them Patterns projected onto wafer Doped region Exposed photoresist removed Exposed areas etched by gases About a month the same time it takes to make one of these BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

ASIC Re-Spin (if needed) BRKARC-3467 2017 Cisco

41 Catalyst 9300 / 9400 / ASICs From Definition to Deployment UADP 2.0: 7.46B transistors! 2,160,000 lines of code New! Catalyst 3850 Circa M transistors (Latest version: 3 BILLLION transistors) 1,490,000 lines of code Catalyst 3750 All Cisco-developed silicon Circa 2008 Catalyst 3550 Circa M transistors 86,220 lines of code Driving the benefits of vertical integration Hardware and software working together! 60M transistors 47,226 lines of code Just like some other famous examples BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Or Looked At Another Way UADP B Transistors UADP 1.1 3B Transistors UADP B Transistors One transistor for Everyone in the world! One transistor for everyone in India One transistor for everyone in India, China, US & Canada BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

44 Why Does Cisco Develop Our Own Silicon? Simpler Deployment Options Better Insight and Optimization Increased Security Most Appropriate Scalability Flexibility and Investment Protection via Programmability BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Traditional Fixed ASIC Processing Pipeline

Industry Trends SDN Evolution of Business Flexibility in Networking disconnect with traditional

The Big Question So where can Flexible ASICs help us?

50 Overview The Importance of Flexible Silicon

52 Flexible ASIC Processing Pipeline... we could probably handle it via the Programmable Pipeline! Flex Parser Flex Rewrite Stage 1 Stage 2 Stage 3 Stage n If IPv7 were invented tomorrow Flexible, Programmable Processing Pipeline Flex Counters Programmable ASICs IPv7 deliver IPv6 MPLS IPv4 VXLAN GRE FLEXIBILITY BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 Flexible ASIC Processing Pipeline a task at which Cisco s Programmable, Flexible ASICs excel! Tunnelled traffic requires RECIRCULATION Flex Parser Flex Rewrite Stage 1 Stage 2 Stage 3 Flexible, Programmable Processing Pipeline Stage n VXLAN IPv4 High-performance, low-latency recirculation path Flex Counters Programmable ASICs provide support for IPv4 TUNNELLING BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 Network Innovation Flexible Switching Silicon Unified Access Data Plane (UADP) Peter Jones

Flexibility in an Access Switch Excellent

protocols extremely flexible and capable

57 UADP Designed for Flexibility UADP provides an unparalleled degree of Flexibility in an Access Switch Excellent for encapsulations, which often need recirculation Parse depth of 256 Bytes Ability to handle current and future protocols extremely flexible and capable 15 programmable stages Up to 250 frames across stages at one time BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

VXLAN as a protocol had not even been invented when UADP 1.0 was designed Dest. MAC 48 Next-Hop MAC Address Src VTEP MAC Address Yet UADP forwards VXLAN in hardware, at high performance in IOS-XE 16.

Data Protocol 0x11 (UDP) 72 8 in Overlay UDP Header VXLAN Header Inner (Original) MAC Header Inner (Original) IP Header VXLAN is a complex Original Payload protocol Parse depth of 256 Bytes Source

58 VXLAN as a protocol had not even been invented when UADP 1.0 was designed Dest. MAC 48 Next-Hop MAC Address Src VTEP MAC Address Yet UADP forwards VXLAN in hardware, at high performance in IOS-XE thanks to Flexibility! Source MAC 48 Underlay Outer MAC Header Outer IP Header VLAN Type 0x8100 VLAN ID Ether Type 0x Bytes (4 Bytes Optional) IP Header Misc. Data Protocol 0x11 (UDP) 72 8 in Overlay UDP Header VXLAN Header Inner (Original) MAC Header Inner (Original) IP Header VXLAN is a complex Original Payload protocol Parse depth of 256 Bytes Source Port 16 VXLAN Port UDP Length Checksum 0x Bytes Header Checksum 20 Bytes programmable Src RLOC IP Address stages Source IP Dest. IP 16 UDP Dst RLOC IP Address Hash of inner L2/L3/L4 headers of original frame. Up to 250 frames across Enables entropy for ECMP load balancing. Allows 64K stages at one time VXLAN Flags RRRRIRRR 8 possible SGTs Segment ID 16 8 Bytes VN ID 24 Allows 16M possible VRFs Reserved Cisco and/or its affiliates. All rights reserved. Cisco Public 58

GRE ERSPAN CAPWAP MPLS VXLAN VXLAN-GPE*, NSH*,

Future, UADP Use Cases BRKARC-3467 2017 Cisco

1G/10G Ethernet 128 Bit Encryption 24K Netflow Records

0 240G Stacking Capacity 6MB Packet Buffer 56G Bandwidth

Catalyst 3650 Catalyst SFP Fiber First Flexible,

62 1G/10G Ethernet 128 Bit Encryption 24K Netflow Records UADP G Stacking Capacity 6MB Packet Buffer 56G Bandwidth First Generation of UADP ASIC Catalyst 3850 Copper Catalyst 3650 Catalyst SFP Fiber First Flexible, Programmable ASIC designed for Campus BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 62

Dual Core Running @ 500MHz 1G/10G/40G Ethernet 256 Bit MACSEC Encryption

1 1588 IEEE 240G Stacking Capacity 6MB x2 Packet Buffer 160GE Bandwidth

Multigigabit Catalyst 3850 SFP+ Catalyst 3650 Mini Catalyst 3650

63 Dual Core 500MHz 1G/10G/40G Ethernet 256 Bit MACSEC Encryption 24K x2 Netflow Records UADP IEEE 240G Stacking Capacity 6MB x2 Packet Buffer 160GE Bandwidth First Generation of UADP ASIC with Enhancements Catalyst 3850 Multigigabit Catalyst 3850 SFP+ Catalyst 3650 Mini Catalyst 3650 Multigigabit Enhanced Performance, Capabilities & Security BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 UADP Programmable ASIC Family UADP B Transistors UADP 1.1 3B Transistors UADP B Transistors 1G/10G Ethernet 24K Netflow 1G/10G/40G Ethernet Dual Core 500MHz Shared Lookup Up to 64K x2 Netflow Records 240G Stacking 56G Bandwidth 1588 IEEE 160GE Bandwidth Up to 2X to 4X Tables Up to 240GE Bandwidth BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 UADP 2.0 Next Generation of ASIC Innovation Investment Protection Flexible Pipeline Universal Deployments Adaptable Tables Enhanced Scale/Buffering Multicore resource share Up to 384K Flex Counters Shared Lookup Up to 240GE Bandwidth Up to 2X to 4X forwarding + TCAM Embedded Microcontrollers Up to 32MB Packet Buffer Up to 64K x2 Netflow Records BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 65

66 UADP 2.0 Turns Catalyst 9K into a Swiss Army Knife Role Specific ASIC Templates for Deployment Flexibility SRAM / TCAM 64K 16K 32K 32K 48K 8K 64K MAC IPv4/IPv6 VACL PACL RACL SGACL QoS NAT SPAN CoPP Client Scale Flexible ASIC Templates Core-Border Template L3 & Cross Domain Policy Aggregation Template Mix of L2/L3 Capabilities Collapsed Core- WAN Template L3 & NAT Customized table size for each function based on the place in the network FIB (48K) SGT (16K) Host (32K) SRAM MCAST (16K) IGMP (32K) Access-Edge Template MAC (80K) Internal Resources SEC ACL (18K) Tunnels (1K) Access-Edge Template TCAM QoS ACL (18K) LISP (1K) Others NAT (2K) Internal Resources FIB (64K) Host (32K) SRAM MCAST (48K) IGMP (16K) SGT (32K) MAC (32K) Internal Resources SEC ACL (18K) Tunnels (1K) Core-Border Template TCAM QoS ACL (3K) NAT (16K) Others LISP (1K) Internal Resources Table Sizes Can be Tailored to Support Multiple Use Cases 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

67 UADP 2.0 Ingress and Egress Processing Stages Final Decision on Packet s Future 17 Ingress Stages IGR Flex Parser Flex Parser 256 B Stage #17 Lookup Table Lookup Table Lookup Table Lookup Table Stage #1 Ingress Programmable Pipeline Stage #.. Stage #.. Lookup Table Lookup Table Lookup Table Lookup Table Lookup Table Lookup Table Lookup Table Lookup Table Stage #2 Stage #.. Egress Programmable Pipeline Stage #2 Stage #1 Flex Parser Lookup Table Lookup Table Lookup Table Lookup Table Lookup Table Lookup Table TCAM/ SRAM Lookup Table Lookup Table EGR Stage #.. Stage #N 8+ Egress Stages Flex Parser 256 B At each stage, 2 simultaneous lookups Final Decision on Packet s Future BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 67

68 Catalyst 9K Family Introduction Catalyst 9400 Catalyst 9300 Catalyst 9500 Stackable Access Modular Access Fixed Aggregation Built on Cisco s Innovative UADP ASIC & Open IOS-XE BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 Network Innovation Flexible Routing Silicon QuantumFlow Processor (QFP)

74 40 PPEs (1 st Gen); 64 PPEs (2 nd Gen) Four hardware threads per PPE PPEs operate at 1.2GHz speed Extensive hardware assists: ACL, TBMlookup, WRED, Flow Locks BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75 Distributor Assigns Each Packet to a PPE / Context QFP is not doing flow-based loadbalancing among processors Distribution is to any eligible PPE/Context Hardware locks for ordering and mutual exclusion BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 75

High Performance Memory TCAM4: 200 M searches / second with QFP DRAM: 1.

77 Buffering, Queuing, and Scheduling (BQS) HQF/MQC compatible 128K queues Flexible allocation of schedule resources 5+ levels of scheduling hierarchy BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 77

78 QFP Platforms and Feature Velocity Over 2600 features QFP is the foundation for modern Enterprise Routing Aggregation and Policy infrastructures BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 78

79 Network Innovation Flexible Wireless Silicon Cisco Access Points, RF Capabilities

80 Self Optimizing Network With Radio Role Flexibility 2.4 GHz and 5 GHz on the same silicon Allows serving of either 2.4 GHz or 5 GHz channel Allows Serial scanning of all 2.4 and 5 GHz channels Role selection is manual or Automatic RRM 5GHz Serving 2.4GHz Serving 5GHz Serving 5GHz Serving BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 80

81 AP 2800 / 3800 Dual Band With Radio Role Flexibility Single 5 GHz cell 5GHz Serving 2.4GHz Serving Channel Utilization = 60% The further a client is from the AP, the lower the data rate will used -75 dbm -71 dbm Data Rate is a function of SNR -68 dbm -51 dbm -58 dbm The higher the SNR The higher the Data Rate will be -63 dbm Capacity is the sum of all clients within the cells Air Time -73 dbm -60 dbm -63 dbm = Client RSSI at AP BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 81

AP 2800 / 3800 Macro / Micro Cell Dual 5 GHz Creating two RF diverse 5 GHz cells Doubles the Air Time available Macro / Micro 5 GHz cell -75 dbm -71 dbm 5GHz Serving 5GHz Serving CU Chnl 36 = 20%!

82 AP 2800 / 3800 Macro / Micro Cell Dual 5 GHz Creating two RF diverse 5 GHz cells Doubles the Air Time available Macro / Micro 5 GHz cell -75 dbm -71 dbm 5GHz Serving 5GHz Serving CU Chnl 36 = 20%! CU Chnl 108 =24%! Optimizing Connections (Macro vs Micro) keeps like performing clients together, rather than have one drag down the other -68 dbm -63 dbm -51 dbm -58 dbm RRM will optimize, based on received RSSI -73 dbm -60 dbm Channel Utilization TOTAL = 44% a much more efficient use of spectrum! Less waiting, fewer retransmits, etc -63 dbm = Client RSSI at AP BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 82

Cisco Wireless Hardware Innovation Proven Results BRKARC-3467

84 Network Innovation Leveraging Flexible Silicon for Encrypted Traffic Analytics

Network Threats are Evolving to Leverage Encryption BRKARC-3467

86 Encrypted Traffic Analytics Malware Detection and Visibility without Decryption Malware in Encrypted Traffic Is the payload within the TLS session malicious? End to end confidentiality Channel integrity during inspection Adapts with encryption standards Cryptographic Compliance How much of my digital business uses strong encryption? Audit for TLS policy violations Passive detection of Ciphersuite vulnerabilities BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 86

87 Sequence of Packet Lengths and Times (SPLT) Malware Behavior Communication with command control server Write to the disk Network Behavior Sequence of packet lengths Time interval between packet BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 87

Initial Data Packet Client: I support crypto! Server: I support that crypto, and I m me! Client: Take this secret and let s encrypt! Server: Your secret looks good; let s encrypt!

88 Initial Data Packet Client: I support crypto! Server: I support that crypto, and I m me! Client: Take this secret and let s encrypt! Server: Your secret looks good; let s encrypt! Client/Server: encrypted data! TLS field (in ClientHello) Offered Cyphersuites Extensions Inference Browsers prefer heavy weight and more secure encryption algorithms, Mobile applications prefer efficient encryption BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 88

Page Refresh Data Exfiltration Self-Signed Certificate BRKARC-3467

89 Detecting Malware by Behavior SPLT, IDP, and Machine Learning Google Search Bestafera C2 Message Initial Page Load Autocomplete Page Refresh Data Exfiltration Self-Signed Certificate BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 89

90 Flexible Silicon A Strong Foundation for DNA

Cisco Programmable Hardware equals FLEXIBILITY ADAPTABILITY Enabling Network Evolution a critical

93 Leveraging Flexible Silicon for Next-Gen Network Architectures Software Defined Access Dave Zacks

94 Policy in Today s Networks Network Policy Enterprise Network QoS Security Redirect/copy Traffic engineering etc. SRC DST PAYLOAD DATA DSCP PROT IP SRC IP DST PORT PORT Policy is based on 5 Tuple Only Transitive information Survives end to end BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 94

95 What is the Problem? Policy in Today s Networks Network Policy access-list 102 deny udp gt eq 2165 access-list 102 deny udp lt gt 428 access-list 102 permit ip eq gt 1511 access-list 102 deny tcp gt gt 1945 access-list 102 permit icmp lt eq 116 access-list 102 deny udp eq eq 959 access-list 102 deny tcp eq lt 4993 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 Enterprise Network access-list 102 permit tcp gt lt 4384 SRC DST PAYLOAD DATA DSCP PROT IP SRC IP DST PORT PORT IP ADDRESSES Locate you Identify you Drive treatment Constrain you IP Address meaning OVERLOAD VLAN 20 VLAN 30 SSID D SSID C User/device info? SSID A VLAN 10 VLAN 40 SSID B BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 95

L3 Switch Trunk WLAN 4. Implement Policy What Trunks if You Need to Add Another Define Group ACLs & Policy?

Implement VLANs/Subnets Create VLANs Define DHCP scope Create subnets and L3 interfaces Routing for new

96 What is the Problem? Group Policy Rollout Today Production Servers Developer Servers Multiple Steps and Touch Points LAN Core L3 Switch Trunk WLAN 4. Implement Policy What Trunks if You Need to Add Another Define Group ACLs & Policy? Apply ACLs L2 Switch One SSID AAA DHCP AD 1. Define Groups in AD 2. Define Policies VLAN/subnet based 3. Implement VLANs/Subnets Create VLANs Define DHCP scope Create subnets and L3 interfaces Routing for new subnets Map SSID to Interface/VLAN 5. Many different User Interfaces. AAA WLC Devices CLI BYOD Employee Contractor BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 96

97 But What If we could make the IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY? Key Assertion If we could break the dependence between IP addressing and policy, we could greatly simplify networks and make networks much more functional. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 97

98 You could build and run your network in a simpler way Apply Policy irrespectively of network constructs (VLAN, subnet, IP address) Easily implement Network Segmentation (w/o implementing MPLS) Provide L2 and L3 flexibility (w/o stretching VLANs) With a Fabric we could make the IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY? Key Assertion If we could break the dependence between IP addressing and policy, we could greatly simplify networks and make networks much more functional. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 98

99 What is a Fabric?

virtually connect devices, built on top of some arbitrary physical Underlay

An Overlay network often uses alternate forwarding attributes to provide

100 What Exactly is a Fabric? Network Overlays A Fabric is an Overlay An Overlay is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology. An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay. Examples of Network Overlays GRE or mgre MPLS or VPLS IPSec or DMVPN CAPWAP LISP OTV DFA ACI BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 100

101 Why Use an Overlay? Separate the Forwarding Plane from the Services Plane IT Challenge (Business): Network Uptime IT Challenge (Employee): New Services The Boss YOU The User Simple Transport Forwarding Redundant Devices and Paths Keep It Simple and Manageable Optimize Packet Handling Maximize Network Reliability (HA) Flexible Virtual Services Mobility - Map Endpoints to Edges Services - Deliver using Overlay Scalability - Reduce Protocol State Flexible and Programmable BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 101

102 What Exactly is Campus Fabric? Key Components 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN 3. Policy-Plane based on TrustSec Key Differences L2 + L3 Overlay -vs- L2 or L3 Only Host Mobility with Anycast Gateway Adds VRF + SGT into Data-Plane Virtual Tunnel Endpoints (No Static) No Topology Limitations (Basic IP) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 102

LISP in 30 Seconds Control Plane LISP Mapping System Software Control Plane The LISP Mapping System is analogous to a DNS lookup DNS resolves IP Addresses for a queried Name Answers the WHO IS

103 LISP in 30 Seconds Control Plane LISP Mapping System Software Control Plane The LISP Mapping System is analogous to a DNS lookup DNS resolves IP Addresses for a queried Name Answers the WHO IS question Host [ Who is lisp.cisco.com ]? [ Address is , 2610:D0:110C:1::3 ] DNS Server DNS Name -to- IP URL Resolution LISP resolves Locators for a queried Identity Answers the WHERE IS question LISP Router [ Where is 2610:D0:110C:1::3 ]? [ Locator is , ] LISP Map System LISP ID -to- Locator Map Resolution BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 103

104 What Exactly is a Fabric? Data Plane VXLAN 1. Control Plane based on LISP Hardware Data Plane 2. Data Plane based on VXLAN ETHERNET IP PAYLOAD ORIGINAL PACKET Supports L3 Overlay ETHERNET IP UDP LISP IP PAYLOAD PACKET IN LISP Supports L2 & L3 Overlay ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD PACKET IN VXLAN BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 104

105 What Exactly is a Fabric? Policy Plane VRF and SGT Transport 1. Control Plane based on LISP 2. Data Plane based on VXLAN 3. Policy Plane based on TrustSec VRF + SGT Virtual Routing & Forwarding Scalable Group Tagging Integrated Security ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 105

Cisco TrustSec in 30 Seconds Segmentation Based on Groups Integrated Security Enforcement Group Based Policies ACLs, Firewall Rules Shared Services Application Servers Propagation Carry Group context

106 Cisco TrustSec in 30 Seconds Segmentation Based on Groups Integrated Security Enforcement Group Based Policies ACLs, Firewall Rules Shared Services Application Servers Propagation Carry Group context through the network using only SGT Enforcement Enterprise Backbone DC Switch or Firewall ISE Classification Static or Dynamic SGT assignments Campus Switch Campus Switch DC switch receives policy for only what is connected Employee Tag Supplier Tag Non-Compliant Employee Voice Voice Employee Supplier Non-Compliant Non-Compliant Tag VLAN A VLAN B BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 106

107 Software Defined Access (SDA) Bringing It All Together

109 What is SD-Access? Campus Fabric + Automation & Assurance (DNAC) ISE / AD APIC-EM 1.X 2.0 DNA Center NDP / PI SD Access NEW! GUI approach provides automation of all Campus Fabric configurations, management and group-based policy. Leverages DNA Center to integrate external Service components, and orchestrate your entire LAN, WLAN and WAN network. B B Campus Fabric Shipping since 2016 Campus Fabric C CLI or API form of the new Overlay Fabric solution for your Enterprise Campus networks. CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides central automation via NETCONF. APIC-EM, ISE, NDP are all separate. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 109

112 SD-Access Roles and Terminology Identity Services Fabric Border Nodes Intermediate Nodes (Underlay) Fabric Edge Nodes ISE B APIC-EM B Campus Fabric NDP C A Strong Foundation, Enabled by Cisco Flexible Silicon! DNA Controller Analytics Engine Fabric Wireless Controller Control-Plane Nodes DNA Controller Enterprise SDN Controller provides GUI management and abstraction via Service Apps, that share information Identity Services External ID Systems (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition Analytics Engine External Data Collectors (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status Control-Plane Nodes Map System that manages Endpoint to Device relationships Fabric Border Nodes A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric Fabric Edge Nodes A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric Fabric Wireless Controller A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 112

113 SD-Access Platform Support Switching Routing Wireless Subtended NEW Catalyst 9400 NEW Catalyst 9300 ASR-1000-X AIR-CT5520 NEW NEW ASR-1000-HX AIR-CT8540 NEW CDB Catalyst 9500 AIR-CT3504 ISR 4430 Catalyst 4500E Catalyst 6K Nexus 7700 ISR 4450 Wave 2 APs (1800, 2800,3800) 3560-CX Catalyst 3850 and 3650 CSRv Wave 1 APs* (1700, 2700,3700) *with Caveats BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 113

Platform (NDP) Contextual Visibility and Troubleshooting SD-Access Fabric Stretched Subnets Group 1 Group 2 Employees

114 SD-Access Solution At a Glance Architecture for the Digital Enterprise Policy Mobility with no Topology Dependence Identity & Policy Identity Services Engine (ISE) Automation App Policy Infra Control (APIC-EM) Assurance Network Data Platform (NDP) Contextual Visibility and Troubleshooting SD-Access Fabric Stretched Subnets Group 1 Group 2 Employees Virtual Network Group 3 Group 4 IoT Virtual Network BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 114

115 SD-Access Fabric Wireless Integration Fabric Enabled WLC is integrated into Fabric for SDA Wireless clients Ctrl: CAPWAP Connects to Fabric via Border (Underlay) Data: VXLAN Fabric Enabled APs connect to the WLC (CAPWAP) via dedicated Host Pool (Overlay) Fabric Enabled APs connect to the Edge via VXLAN Known Networks B C B Unknown Networks Wireless Clients (SSIDs) use regular Host Pools for forwarding and policy (same as Wired) Fabric Enabled WLC registers Clients with the Control-Plane (connected to local Edge + AP) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 115

Controllers Wireless APs BRKARC-3467 2017 Cisco

117 SD-Access DNA Center DNA Center Simple Workflows DESIGN PROVISION POLICY ASSURANCE DNA Center Identity Services Engine APIC-EM Network Data Platform Routers Switches Wireless Controllers Wireless APs BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 117

119 Software Defined Access Cisco Live Session Map Monday (June 26) Tuesday (June 27) Wednesday (June 28) Thursday (June 29) 8:00 10:00 AM 1:30-3:30 PM 4:00-5:30 PM 8:00 10:00 AM 1:30-3:30 PM 4:00-5:30 PM 8:00 10:00 AM 1:30-3:30 PM 4:00-5:30 PM 8:00 10:00 AM 1:00-2:30 PM 4:00-5:30 PM BRKEWN-2020 Wireless BRKDCN-2489 DC Integration BRKCRS-3811 Policy BRKCRS-2810 (1) Solution BRKCRS-2811 (1) External Connect BRKCRS-2810 (2) Solution BRKCRS-2811 (2) External Connect BRKCRS-2812 Migration BRKCRS-2813 Monitor & T shoot BRKCRS-2814 Assurance BRKARC

120 Cisco Flexible Silicon Summary

Critical Role of Flexible Silicon BRKARC-3467 2017 Cisco

DNA Flexible Infrastructure Supporting Fabric Evolution and Software Defined Access Separation of the Forwarding and Services Planes Overlay Overlay encapsulation

End-to-End Policy Underlay Fabric Underlay is the Forwarding Plane Connects Network Devices Leverages existing topologies Simple, best-practice deployment Cisco

122 DNA Flexible Infrastructure Supporting Fabric Evolution and Software Defined Access Separation of the Forwarding and Services Planes Overlay Overlay encapsulation Devices Overlay control plane Employee Supplier Fabric Overlay is the Services Plane Connects Users and Devices Leverages standard technologies Address Independent End-to-End Policy Underlay Fabric Underlay is the Forwarding Plane Connects Network Devices Leverages existing topologies Simple, best-practice deployment Cisco Flexible Silicon allows for Flexibility Key to Supporting the Evolution to Network Fabrics BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 122

Solution From the Gates to the GUI Cisco Innovations In Hardware, Software, and Solutions

123 Innovation All The Way Up The Stack Hardware, Software, and Solution to the Software and Protocols, with Integrated Security From the Hardware Integrated Security to the Whole Solution From the Gates to the GUI Cisco Innovations In Hardware, Software, and Solutions Tie It All Together BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 123

Cisco Flexible Silicon Want to Know More?

Peter Jones Cisco Live Berlin 2016 https://vimeo.

124 Cisco Flexible Silicon Want to Know More? Cisco Enterprise ASICs Discussion with Dave Zacks and Peter Jones Cisco Live Berlin Programmable ASICs for Cisco Catalyst Switches with Muhammad Imam Cisco Live Berlin BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 124

Cisco Flexible Silicon Information Sheet http://bit.

Cisco Enterprise Silicon Delivering Innovation for Advanced

and built of why Flexibility in ASIC Hardware is key and how

Don t Forget to fill out your evaluations!

126 Cisco Enterprise Silicon Delivering Innovation for Advanced Routing and Switching Did How We Achieve Did We Do? Our Objectives? Do You Have a Better Understanding of how ASICs are designed and built of why Flexibility in ASIC Hardware is key and how you can leverage Flexible ASICs in your own network designs? Don t Forget to fill out your evaluations! BRKARC Cisco 2017 Cisco and/or and/or its affiliates. its affiliates. All rights All rights reserved. Cisco Public 126

Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.

127 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

128 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 128

129 Thank you

130

SD-Access Wireless: why would you care?

SD-Access Wireless: why would you care? CUWN Architecture - Centralized Overview Policy Definition Enforcement Point for Wi-Fi clients Client keeps same IP address while roaming WLC Single point of Ingress