Cisco's Cloud Services Router (CSR 1000V): Extending the Enterprise Network to the Cloud Ray Wong, Technical Marketing Engineer BRKVIR-2016

Transcription

1

2 Cisco's Cloud Services Router (CSR 1000V): Extending the Enterprise Network to the Cloud Ray Wong, Technical Marketing Engineer BRKVIR-2016

3 Housekeeping We value your feedback don t forget to complete your online session evaluations after each session Visit the World of Solutions and Meet the Engineer Please switch off your mobile phones Follow us on Twitter for real time updates of the #CLUS

4 Agenda CSR 1000V Overview and Architecture Licensing Use Cases CSR 1000V in Public Cloud Deployment and Management Performance and Scale Q&A

5 CSR 1000V Overview & Architecture

6 ASR 1K Architecture Embedded Services Processor (active) FECP Route Processor (active) RP Route Processor (standby) RP Embedded Services Processor (standby) FECP RP Handles control plane traffic Manages system Crypto assist QFP subsystem Interconn. Interconn. Crypto assist QFP subsystem ESP Handles forwarding plane traffic SPA Interface Processor Interconn. Interconn. Shared Port Adaptors provide interface connectivity Interconn. SPA Agg. IOCP Interconn. SPA Agg. IOCP Passive Midplane Interconn. SPA Agg. IOCP Centralized Forwarding Architecture Traffic flows through the active ESP Standby is synchronized with all flow state Distributed Control Architecture SPA SPA SPA SPA SPA SPA Dedicated control processors for major systems components

7 CSR 1000V: Take ASR 1001 and Remove Hardware RP CPU IOS Chassis Mgr. Forwarding Mgr. Kernel (incl. utilities) Interconn. ESP FECP QFP Client / Driver Chassis Mgr. Forwarding Mgr. Kernel (incl. utilities) Interconn. Interconn. QFP subsys-tem QFP code Crypto assist SIP Interconn. SPA Agg. IOCP SPA SPA SPA driver SPA driver driver driver Chassis Mgr. Kernel (incl. utilities) SPA SPA

8 CSR 1000V: Embed the Resulting Software in a VM RP IOS VSR 1000 (virtual IOS XE) Chassis Mgr. Forwarding Mgr. No crypto ASIC CSR 1000V leverages AES-NI No QFP CPU Memory ESP Lower forwarding performance No hardware accelerators FFP Client / Driver Less efficient feature processing Flash / Disk Kernel (incl. utilities) FFPcode Mgmt ENET Chassis Mgr. Forwarding Mgr. Console Ethernet vnics

9 Cisco Cloud Services Router (CSR 1000V) Cisco IOS XE Software in Virtualized Form-Factor App OS App OS Hypervisor Virtual Switch CSR 1000V IOS XE Cloud Edition Selected IOS XE features based on use cases Infrastructure Agnostic Supports any x86 server or vswitch Runs on ESXi, KVM, Hyper-V, Xen, Amazon AWS, Microsoft Azure* Throughput Elasticity Delivers 10Mbps to 20 Gbps throughput Server Virtualized Networking with Rapid Deployment and Flexibility * Available from June 2015 ** Available on AWS, Smart Licensing (CA) Multiple Licensing Models Term, Perpetual, Usage** Programmability RESTful APIs for automated management

10 Supported Hypervisors and vnics (IOS XE 3.15) Supported Versions Supported NIC Types Max. Number of vnics per VM vnic Hot Add/Remove Support SR-IOV Support VMWare ESXi KVM Microsoft Hyper-V 5.0, 5.1, 5.5 RHEL 6.6, Ubuntu Server LTS VMXNET3 ixgbevf/ixgbe VirtIO ixgbevf/ixgbe Windows Server 2012 R2 HV NETVSC Yes Yes No No Yes (since XE 3.13) Yes (since XE ) Yes (since XE 3.13) Citrix XenServer 6.2 VIF ixgbevf/ixgbe Yes (since XE )

11 CSR 1000V Architecture Virtualized IOS XE Forwarding Plane FFP Client / Driver Chassis Mgr. Forwarding Mgr. FFP code vcpu vmemory vdisk Control Plane IOS Chassis Mgr. Forwarding Mgr. Linux Container vnic Hypervisor (VMware / Citrix / KVM) CPU Memory Disk NIC Virtualized IOS XE Generalized to work on any x86 system Hardware specifics abstracted through a virtualization layer Forwarding (ESP) and Control (RP) mapped to vcpus Bootflash / NVRAM are mapped into memory from hard disk No dedicated crypto engine leveraged the Intel AES-NI instruction set to provide hardware crypto assist Boot loader functions implemented by GRUB Physical Hardware

12 CSR 1000V Architecture IOSd Forwarding Plane FFP Client / Driver Control Plane IOS Runs as a process under the Guest Linux Kernel IOS timing is governed by Linux Kernel scheduling Chassis Mgr. Chassis Mgr. Forwarding Mgr. Forwarding Mgr. FFP code vcpu vmemory vdisk vnic Hypervisor (VMware / Citrix / KVM) CPU Memory Disk NIC Provides virtualized management ports Managed by their respective software processes No direct hardware component access Runs Control plane features CLI and configuration processing SNMP handling Running routing protocols & computing routes Interfaces, tunnels and sessions management Processing of punted features (legacy protocols) Physical Hardware

13 CSR 1000V Architecture Hypervisor Interaction Blade Hypervisor Blade VM CSR vmem Tables vcpu vcpu VNIC port Vswitch VM CSR Scheduler VNIC port vcpu vcpu vmem Tables Hypervisor abstracts and shares physical hardware resources from / among multiple VMs Scheduling of vcpus onto physical cores can create nondeterministic behavior Scheduling of vnics onto physical ports can lead to packet losses / jitter CPU Core UCS Core CPU Core Core Phy i/f Phy i/f Memory ESXi Scheduler spreads the load across all physical cores intelligently according to a proportional share-based algorithm

14 CSR 1000V Architecture KVM Example Hypervisor virtualizes the NIC hardware to the multiple VMs Hypervisor scheduler responsible for ensuring that I/O processes are served One vhost/virtio thread used per configured interface (vnic) Each VM appears as a regular Linux process to the Host OS Linux schedulers generally time-share between processes Host-OS / KVM Guest-OS CSR Virtio-net Qemu / v-host tap x86 machine Qemu / v-host tap vswitch (OVS) / Linux bridge NIC driver NIC port Guest-OS CSR Virtio-net

15 CSR 1000V Architecture - vcpu allocation Control Plane Data Plane # vcpus Virtual Route Processor Virtual Forwarding Processor CSR 1000V Separation of control plane and data plane vcpu allocation is static and done during boot-up

16 CSR 1000V Architecture Network I/O Method Driver Performance Pros/Cons Supported Emulated E1000 Low Wide compatibility Worst performance NO Para-virtualized VMXNET3 VirtIO Excellent Virtualization aware High degree of interaction between guest OS and hypervisor para APIs YES - default Pass-through Depends on NIC type Best Direct access to HW high I/O Lose virtualization features such as vmotion YES only Intel NICs (ixgbevf / ixgbe drivers)

17 I/O Optimizations: SR-IOV with PCIe Pass-Through Allows a single PCIe device to appear to be multiple separate PCIe devices NIC supports virtualization Enables network traffic to bypass software switch layers Creates physical and virtual functions (PF/VF) PF: Controls sorter VF: Passes packets Requires support in BIOS/Hypervisor Intel VT-D / AMD IOMMU Guest-OS Guest-OS Guest-OS App App App App App App App App App Host-OS / KVM NIC VF driver VF driver VF driver VF VF VF PF layer-2 sorter / switch / classifier x86 machine SR-IOV Master Driver

18 I/O Optimizations: UCS VM-FEX UCS VM-FEX provides dedicated hardware resources to each VM vswitch and hypervisor virtualization layers are bypassed Virtualization performed in hardware One-to-one relationship between VM Can run in DirectPath or emulated mode Support for vmotion Requires dedicated cards (e.g. VIC1280)

19 Licensing

20 CSR 1000V Licensing Overview Since IOS XE 3.13, CSR 1000V package names are now: IPBase, Security, AppX and AX license boot level command adjusted accordingly Old CLI commands are hidden but still accepted ( [premium advanced standard] ) Smart Licensing available since 3.14 Evaluation licenses can be generated for 60 days using the demo portal ( Requires CSR 1000V UDI show license udi After evaluation period expires, throughput will be throttled to 100Kbps Refer to CSR SW Config Guide for license management details tml

21 CSR 1000V Licensing Key Concepts CSR license is tied to the UDI (Unique Device Identifier) UDI = Product ID (CSR1000V) + Serial Number. CSR internally generates its own random serial number on its first boot and stores it persistently in the image UDI will change when CSR is cloned, invalidating the license UDI will not change during vmotion or similar operations. License will remain valid

22 CSR 1000V Licensing Structure Pick one option from each column * CSR add-on license options not shown above Example: Technology Package (See next slide for details) IP Base Throughput 10 Mbps 50 Mbps License Type Perpetual IP Base 250 Mbps 1-Year 100 Mbps SEC AppX 250 Mbps 500 Mbps 1 Gbps Subscription (1-year or 3-year) 2.5 Gbps AX 5 Gbps 10 Gbps Usage (target date CY15)

23 CSR 1000V Technology Package Features Technology Package IP Base (formerly Standard) SEC (formerly Advanced) AppX / APP IOS-XE features Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS, PBR Multicast: IGMP, PIM High Availability: HSRP, VRRP, GLBP Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS Basic Security: ACL, AAA, RADIUS, TACACS+, SGT/TrustSec, VASI Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF IP Base plus Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN High Availability: Box-to-box HA for FW and NAT IP Base plus Advanced Networking: L2TPv3, BFD, MPLS, VXLAN Unified Communications: CUBE-ENT Application Experience: WCCPv2, AppNav, NBAR2 / AVC, IP SLA Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS Subscriber Management: PTA, LNS, ISG AX (formerly Premium) ALL FEATURES

24 CSR 1000V Performance-to-Footprint in XE 3.15 Throughput IP Base SEC AppX AX 10 Mbps 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 50 Mbps 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 100 Mbps 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 250 Mbps 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 500 Mbps 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 1 Gbps 1vCPU/4GB 1vCPU/4GB 1vCPU/4GB 2vCPU/4GB 2.5 Gbps 1vCPU/4GB 1vCPU/4GB 4vCPU/4GB 4vCPU/4GB 5 Gbps 1vCPU/4GB 2vCPU/4GB 8vCPU/4GB NA 10 Gbps 2vCPU/4GB NA NA NA For each throughput/technology-package combination, the minimum required vcpu and RAM is listed Performance results based on 1500 Byte packets and VMWare ESXi

25 CSR 1000V License Throughput Enforcement A shaper is implemented in the ESP data path at the root of the QoS hierarchy All egress traffic is subjected to the shaper Max. rate parameter (derived from license) is programmed into the shaper Throughput limits are checked globally, not on per-interface basis Without any interface QoS Configuration, each interface gets an equal available bandwidth share Shaper does not distinguish between different types of traffic To ensure high-priority traffic is not dropped by the license shaper, configure QoS E.g. LLQ on interfaces (leveraging priority propagation of the QoS Scheduler) Note that Control Plane Policing can be applied to also mark control plane packets! 15 Mbps G1 ESP G3 10 Mbps G1->G3: 15 G2->G4: 20 G3->G2: 10 G4->G3: 15 Total: 60 Mbps 20 Mbps G2 SHAPER (50) 10Mbps (60-50) G4 15 Mbps

26 CSR1000V Smart Licensing: Pooling Traditional Node-Lock Pooling License associated with specific device No easy means to move licenses from one device to another Full visibility to all assets across the company Central repository for all licenses Licenses are company account specific and can be used with any compatible device in your company London Device 1 Brisbane Device 2 Tokyo Device 3 Associate licenses with virtual accounts Smart Account (Pool) Advanced Security Licenses Use any compatible licenses from pool with devices London Device 1 Brisbane Device 2 Tokyo Device 3

27 Central Deployment Distributed Deployment Smart Software Licensing Overview How it works 1 Customer Places Order 2 Customer Activates and Uses Software Router Switch Firewall CSR 1000V Cisco Commerce Workspace Cisco Smart Software Manager Annuity Platform Entitlement Unified Communications Router Usage Distribution Switch Firewall Video Unified Communications Collectors *License Pooling is handled through the Cisco Smart Software Manager 3 Cisco Smart Software Manager Customer Manages Licenses Cisco Smart Software Manager Warning and Notifications -25 Insufficient licenses 25 needed to return to compliance License Quantity In Use Surplus / Shortage 50 Mbps SEC Mbps AX

28 CSR1000V Smart Licensing: Out-Compliance Scenarios Could not connect to smart licensing portal or collector after first install Operate in default mode (100Kbps, CSR-AX) Smart Licensing workflow Was able to register with smart licensing & activated CSR performs with configured feature set and performance Not able to report to smart portal or collector for 90 days in a row Operate in default mode CSR configured more than purchased feature set & performance CSR reports out of compliance for 90 days

29 Use Cases

30 CSR 1000V Secure VPN Gateway Enterprise Data Center ASR Branch Location Branch Location ISR ISR Internet WAN Router Cloud Provider Data Center Distribution and ToR Switches Servers CSR 1000V CSR 1000V Virtual Private Cloud Virtual Private Cloud VPN Challenges Integrating Enterprise & Cloud VPN policies Backhaul to data center increases latency Each cloud imposes different VPN type and scale limits VPN Solutions Common VPN Types: IPSec, DMVPN, GETVPN, EZVPN, FlexVPN Routing based VPNs and private addressing Firewall, ACLs, AAA CSR Benefits Direct, secure access. Avoids backhaul to data center. Familiar, reliable, and scalable VPN Compatible with existing management tools

31 SSL VPN on CSR 1000V IPv4 available since IOS XE and IOS-XE 3.13 IPv6 available since IOS XE 3.15 Supports Full Tunnel (Thick Client) AnyConnect client Clientless (browser based) and Thin Client ( port forwarding) modes not supported Amazon/AWS support IPsec and SSL can co-exist

32 Cloud CE/PE Router VPC/ vdc Tenant Scale VPC/ vdc MPLS PE WAN Router Servers DC Fabric CSR 1000V vce Segment A MPLS PE WAN Router Servers DC Fabric CSR 1000V vpe Segment A Segment B Segment B VLAN MPLS IPoVLAN, IPoIP, MPLSoVLAN, MPLSoIP (IP=GRE, VXLAN, etc.) MP-BGP Challenges Mapping tenant traffic from VRFs to VLANs Maximum 4,096 VLANs limits scalability Benefits More Tenants per Physical Infrastructure End-to-end Managed Connectivity and SLAs

33 VxLAN on CSR 1000V Ingress VXLAN packet on Orange segment CSR as VXLAN L3 Gateway Destination is in another segment. Packet is routed to the new segment VXLAN ORANGE BDI VXLAN BLUE VLAN 100 VLAN 200 VXLAN Router Egress interface chosen Uses EVC (Ethernet Virtual Circuits): BD (Bridge Domain L2) and BDI (Bridge Domain Interface L3) Unicast or Multicast (bidir-pm) control plane Supports VxLAN routing unique to CSR and ASR1K! Not yet available on merchant silicon HW platforms Supports VRF Aware VxLAN (multiple VTEP support)

34 Network Function Virtualization with CSR 1000V Mobile Subscriber Business Access & Aggregation Wireless WiFi Edge CGN vcgn LNS vlns ISP Peering A CPE Corporate vcpe Residence Wireline DSLAM xdsl OLT xpon vbng PE vpe vrr IP/MPLS Core HGW Cable DOCSIS Content Farm VOD TV SIP High Speed CPE WiFi Access Gateway BNG-LAC, PTA PE (L3VPN and L3VPN) LNS Route Reflector Internet Peering

35 CSR 1000V in Public Cloud

36 IOS XE Coverage for All Deployment Types CSR 1000V CSR 1000V ISR 4000 ASR 1000 Hypervisor Cloud Platform Enterprise Data Center

37 The Benefits of Bringing IOS XE into Public Clouds Extends Existing Routing Topology Integrates With Existing VPN Topology (Eg. DMVPN) Shares Existing Zone Based Firewall Policies Network Logging to Existing Tools Identifies Cloud Performance Problems IOS XE Supportable by Existing IT Staff Existing Monitoring Tools Existing Troubleshooting Steps

38 Q: Where can I find the CSR on AWS? A: In the AWS marketplace! 1. Search for Cisco 2. Pick a flavor

39 What are all the different CSR 1000V types listed? Cloud Services Router 1000V BYOL Can be any tech package and throughput level depending on license purchased from Cisco and installed on CSR (not all throughputs supported) Cloud Services Router 1000V Security Tech Package Includes features from the Security technology package. Performance based on AWS instance type selected (more or less vcpu/vmemory) Cloud Services Router 1000V AX Tech Package Includes features from the AX technology package. Performance based on AWS instance type selected (more or less vcpu/vmemory) Maximum Performance versions of the above three Enables SR-IOV enhanced networking for higher performance CSR Direct Connect 1 Gig and Multi-Gig Instances used for securing AWS Direct Connect circuits

40 CSR 1000V Licensing for AWS Two Options Bring Your Own License BYOL AWS Marketplace Billing Provision BYOL CSR instances from AWS Marketplace Only pay AWS for basic instance-type fees Purchase desired license from Cisco or Cisco Partner Install purchased license onto BYOL version of CSR you provisioned from the AWS Marketplace Scalable from 10 Mbps up to 2.5 Gbps (AWS has a 2 Gbps throughput limit) Provision hourly or annually billed CSR instances from AWS Marketplace Pay AWS for basic instance-type usage AND fees for CSR usage AWS pays Cisco for CSR usage fees they collect. You pay Cisco nothing directly. No license file to manage or install Choose EC2 instance type based on performance requirement

41 CSR 1000V Features Availability on AWS Technology Package IP Base (formerly Standard) SEC (formerly Advanced) AppX AX (formerly Premium) Features in Green will work only over a Tunnel interface IOS-XE Features Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS, PBR Multicast: IGMP, PIM High Availability: HSRP, VRRP, GLBP Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS Basic Security: ACL, AAA, RADIUS, TACACS+ Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF IP Base Plus Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN High Availability: Box-to-box HA for FW and NAT IP Base Plus Advanced Networking: L2TPv3, BFD, MPLS, VRF, VXLAN Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS Subscriber Management: PTA, LNS, ISG ALL FEATURES Features in Red will not work in Amazon limitations of AWS infrastructure (lack of L2 support, Multicast not supported)

42 AWS VPC Networking 101 VPC = Logically isolated network own IP range, routes, security policies, etc. VPCs IP ranges can overlap VPC1 CIDR /16 Subnet A /24 AWS Internet Gateway provides external access in/out of VPC Public IP NAT or Overload NAT for outbound traffic (No true public IPs) AWS VPC Peering can route between VPCs (with limitations) Security Options: Network ACLs protect subnets Security Groups protect instances Internet Gateway Subnet B /24 AWS Route Tables route within the VPC (always first IP in subnet) All VPC subnets ALWAYS have a route to all other VPC subnets!

43 CSR 1000V Placement in the AWS Network NAT at the Internet GW Will break services that do not work over NAT, such as GET-VPN Tunnel source will be a private address Tunnel destination from the perspective of VPN peers will be a public address Assign EC2 elastic IP address so that address does not change if the CSR1K is shutdown Other VPCs see Elastic IP address unless using VPC peering Maps to AWS Elastic IP Internet IP 54.x.x.x Gi Gi Gi Gi CSR should be the default gateway for the application VMs

44 Interconnecting AWS VPCs Using the CSR 1000V virtual private cloud virtual private cloud US west region AWS cloud US east region No native AWS ability to connect two VPCs together, in same or different regions Even VPC Peering in AWS cannot span multiple regions Easily integrate multiple AWS regions into existing VPN topology as new sites Distribute applications across the globe, and keep the network simple

45 Securing AWS Direct Connect Circuits Cisco ISR/ASR Enterprise Subnets IPSec AWS Direct Connect Virtual Private Gateway CSR 1000V VPC Public Subnet Corporate Data Center VPC Private Subnets AWS Cloud Virtual Private Cloud (VPC) Encrypts Direct Connect traffic, for corporate security policy or regulatory compliance Powered the Test Drive area at Amazon re:invent 2014 Las Vegas

46 CSR 1000V High Availability in AWS No virtual IP as with HSRP, since AWS doesn t allow multicast AWS Route Tables for app subnets are re-pointed to opposite CSR Failure detection is automatic CSR itself calls AWS API to adjust AWS Route Table routes VPC CSR Subnet AWS EC2 Query API App Subnet A App Subnet B Before HA Failover After HA Failover

47 CSR 1000V on Microsoft Azure Availability Timeline May 4th-8th 2015: Official solution launch at Microsoft Ignite conference Early June 2015: Early Field Trials with selected customers Late June 2015: CSR 1000V available on Azure Marketplace with Bring-Your- Own-License (BYOL) 2nd Half 2015: Launch of hourly billing in Azure Marketplace

48 Deployment & Management

49 CSR 1000V VM Instantiation Overview CSR 1000V VM Instances can be instantiated using the following methods (with possible hypervisor dependencies) VMWare ESXi: vsphere KVM: OpenStack Public cloud: Amazon Marketplace, Microsoft Azure Image Management VMWare ESXi: vcloud Director KVM: OpenStack Glance Public cloud: Amazon Marketplace, MS System Center An new Configuration OVF Tool (COT) is also provided for Cisco VMs License management Smart licensing

50 CSR 1000V VMWare ESXi VM Deployment CSR 1000V can be installed and edited under VMWare ESXi using the vsphere tools Deploying an OVA in vsphere involves several steps to navigate through the vsphere GUI Deployment using an.iso format is also supported in vsphere Editing the properties of a VM can be done using vsphere vapp For more details, refer to on/csr1000vswcfg/installesxi.html

51 vcloud Director Integration CSR 1000V Bring-Up Install CSR OVA and create template in vcenter Import into vcloud Director Catalog and create vapp template Build new vapp from template and deploy Add vapp to the Catalog MASTER TEMPLATE CREATED

52 vcloud Director Integration: Automated Deployment Scale out with automated deployment of multiple customized CSR instances using the vapp Leverage vcloud Director REST API to configure IOS bootstrap parameters (IP address, credentials, etc) CSR now ready to talk to outside world network connectivity, credentials Further per-tenant CSR customization using REST API calls CSR REST API guide available Deploy vapp on vdc using data file. Map vcloud org networks to CSR interfaces Obtain Location of created instance Modify productse ctions with IOS parameters Power on the CSR instance Use CSR REST API for additional config CSR READY

53 CSR 1000V KVM VM Deployment CSR 1000V is supported under KVM with RHEL, RHEV and Ubuntu Deploying a CSR 1000V manually in KVM involves going through several steps in the console Based on the VM Manager Installation can be done using OpenStack (XE 3.12+) Based on Horizon GUI Based on the Openstack CLI tool by Creating a Nova flavor Creating a Glance image Using the Nova boot command For more details, refer to

54 OpenStack Conceptual Architecture

55 CSR 1000V and OpenStack CSR 1000V as Instance VM CSR 1000V replaces the default Neutron Router Need a CSR 1000V router service plugin and a cfg agent Multiple Plugins and using Service type framework for features Plugins for OpenStack Kilo Router-aaS FWaaS VPNaaS

56 REST Follows a Familiar Model REST = Representational State Transfer Stateless client-server model Uses URIs to identify resources of interest Uses JSON (JavaScript Object Notation) A light-weight, open standard, human readable data interchange format A more compact alternative to XML Benefits: Human readable Software friendly Large developer base Client libraries in many languages REST API {"ids":[ , , , , , ], "next_cursor":0, "next_cursor_str":"0", "previous_cursor":0, "previous_cursor_str":"0"} HTTP GET JSON/XML Describes data in a format applications can understand

57 REST API Client Authentication Global Banner, Hostname, Domain name, User name / password, Logging, Import / export running config, SNM, etc Licensing Call-home Smart Licensing DHCP server / relay Routing Protocols BGP / OSPF / EIGRP / static Display routing tables ACLs VRF-awareness: DNS, OSPF, BGP, EIGRP, Routing tables, NAT, DHCP, VPN QoS DNS NTP LISP Interface IP NAT (Static / dynamic) Zone-based firewall System Usage (Memory / CPU) VPN: svti, EzVPN See for details REST support typically lags behind official feature support on CSR 1000v

58 CSR 1000V RESTful API Architecture Client 1 Client 2 C1 REST API calls HTTPS C2 REST API calls Web Server REST API C2 Session OneP SDK TIPC (Transparent Inter-Process Commn.) OneP AL Client 3 C3 REST API calls OneP Python App LXC Container IOSd CSR 1000V

59 Performance & Scale

60 Factors Affecting CSR 1000V Performance Hypervisor Type (VMware, KVM, Hyper-V, Citrix XenServer) Numbers of cores / vcpu allocated to a CSR instance Features (CEF, IPsec, NAT, FW, Features combination) CPU type and settings Host processor clock speeds (GHz); Processor/chipset cache sizes L1, L2, L3 Hyper-Threading Processor Affinity BIOS settings (power mgmt.) I/O model and settings Para-virtualized drivers (default) Cisco VM-FEX; SR-IOV (Single Root I/O Virtualization) Definition of Non-drop (NDR) rate 0 packet loss or 5 packets lost or 0.01% packet loss VM Oversubscription

61 Loss Rate Interpretation Background Performance results vary depending on what acceptable frame loss is defined. Typical definitions for loss rates (FLR) range from Absolutely 0 packets lost -> Non-drop Rate 5 packets lost 0.01% of PPS lost 2vCPU: throughput of 670 Mbps at 0.01% acceptable traffic loss Sample Data only! Small relaxation of FLR definition can lead to significant higher throughput Typically FLR Test data reported for 5 packet loss (to account for warm up) with multiple consecutive 2 minute runs Unless stated otherwise 2vCPU: throughput of 384 Mbps at 0% acceptable traffic loss

62 Number of Packets Lost in Perspective At high-speed link rates, number of packets that may be lost may be substantial while still meeting the FLR Loss Tolerance Maximum Throughput at Line Rate Total Dropped Packets during Trial Duration Allowed by Loss Tolerance of 0.01% Dropped Packet Rate allowed by Loss Tolerance (PPS) Physical Media 10 Mbps Ethernet Mbps 1, GE 17, GE 178,571 1,488 Maximum Throughput at Physical Media Line Rate Total Dropped Packets during Trial Duration Allowed by Loss Tolerance of 0.1% 10 Mbps Ethernet 1, Mbps 17, GE 178,571 1,488 10GE 1,785,714 14,881 Dropped Packet Rate allowed by Loss Tolerance (PPS)

63 Aggregate Throughput Mbps Sample Performance with Multiple VMs with VMFEX Near linear performance increase as VMs are added due to VM-Fex with Direct Path 800% 700% 600% 500% Hypervisor CPU contention HV Oversubscription VM Oversubscription 400% 300% 200% 100% 0% vcpu VMs B200 M2 12 Cores, 2.67 Ghz VM/FEX & Direct Path ESXI 5.1 1VM standalone ~ 220 Mbps IP Packets CEF IMIX

64 KVM Performance Tuning Recommendations Use a Direct path I/O technology (SR-IOV w/ PCIe pass-through) with CPU tuning below! Otherwise the following configurations are recommended: Tuning Recommendation Details / Commands Disable Hyperthreading Can be done in BIOS CPU Pin vcpus sudo virsh vcpupin test 0 6 CPU Pin vhost processes Change vnet txqueue length to 4000 Turn off TSO, GSO, RSO, sudo taskset -pc 4 <process Number>, Where <process Number> is found using ps -ef grep vhost Default tx queue length is 500 sudo ifconfig vnet1 txqueuelen 4000 ethtool -K vnet1 tso off gso off gro off NOTE: these settings may impact the number of VMs that can be instantiated on a server / blade Tuning I/O I/O I/O

65 VM-FEX performance (ESXi IOS-XE 3.15, IMIX) High Performance with VM-FEX CEF ACL NAT FW Ipsec 1vCPU 2vCPU 4vCPU 8vCPU 20 Gbps+ Performance with Large Packets Test Parameters VM-FEX / VM Direct Path enabled. Hardware: Cisco UCSC-C240-M3S CPU: Intel Xeon E GHz

66 CSR Performance and Scale (IOS-XE 3.15) Feature Throughput (Mbps) IMIX Feature NAT 44 Scale 450K 2 vcpu 4 vcpu CEF Firewall IPSec (SHA, AES) FW + NAT FW + HQoS + NAT FW + NAT + IPSec + QoS Firewall Test parameters 256K IPsec 1200 IPv4 routes 600K IPv4 ACEs / system vrr 25M IPv4 Routes (w/ 16GB) 0.01 % pkt. loss, vswitch, UCS server with Intel Xeon 3.5 GHz, ESXi 5.5

67 Q&A

68 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

69 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings Related sessions

70 Thank you

71