A New Era of Enterprise Networks with Cisco Catalyst 9000 and Other Innovations for Routing and Switching
1. A New Era of Enterprise Networks with Cisco Catalyst 9000 and Other Innovations for Routing and Switching.
Denis Kodentsev
Consulting Engineer, CCIE
7. Introducing the Catalyst 9300
1G Data
mGig UPOE
1G UPOE/POE+
2.5G at the
Price of 1G
40G at the
Price of 10G
A new solution for fixed access
24 Ports
Modular Power Supplies
Modular Uplinks
Modular Fans
UADP 2.0
Open IOS-XE
SD-Access
X86 CPU & Containers
Encrypted Traffic
Analytics (ETA)*
256 bit MACSEC*
Trustworthy
Systems
StackWise Virtual*
IEEE1588 & AVB*
NBAR2
Perpetual/Fast PoE
Model Driven
Programmability
Patching/GIR
Catalyst 9K Leadership
Streaming Telemetry*
48 Ports
8x10G 2x40G 4x mGig 4x1G 350W 715W 1100W
*not available at FCS
Only
Stackable
Switch with 8X
10G Uplinks
Highest
2.5G/mGig
Density in the
Industry
8. Introducing the Catalyst 9400
A new solution for modular access
4-Slot* 7-Slot 10-Slot
Power Supply
3200W AC
3200W DC*
2400W AC*
Core Linecards
24x 10G SFP+*
48x1G SFP*
24x1G SFP*
Access Linecards
24xmGig + 24xUPOE*
48xUPoE
48xPoE+*
48xData
Supervisor
Sup-1: 80G/Slot Access Optimized
Sup-1XL*: 120G/Slot Core
Optimized
Redundancy
is now
Table-stake
Industry’s
Highest PoE
Scale
9Tbps System
b/w UADP 2.0
Open IOS-XE
SD-Access
X86 CPU & Containers
Encrypted Traffic
Analytics*
256 bit MACSEC*
Trustworthy
Systems
StackWise Virtual*
IEEE1588 & AVB*
NBAR2
Perpetual PoE*
Model Driven
Programmability
Patching/GIR
Catalyst 9K Leadership
Streaming Telemetry*
*not available at FCS
9. Catalyst 9400: innovations and advantages
Extending Cat 4500E Leadership in Modular Access
Up to 1TB SATA Storage
Side-to-side
air flow
Dual Serviceable Fan Tray
Mix AC & DC Power Supplies
N+1/N+N Modular Power Supply
UPOE Simultaneously on all ports
Native 25/10G & 40G Uplinks
4X Throughput
3X Client Scale
2X Wireless Scale
4X Power scale
3X Buffering
10X Bandwidth
4X Memory & Flash
Lower Power
Better Acoustics
Higher MTBF
MPLS VPN
While preserving ….
HA Architecture
Investment
Protection Story
Intel x86 CPU,
4 Core 2.4GHz
Rear accessible Fan
Tray for flexible cable
management
Ergonomic handles
for efficient weight
distribution
Up to 480Gbps/Slot
Fits non-standard
racks (16”)
Re-architected power
distribution for 10% higher
energy efficiency
Efficient Platinum Rated
Power Supplies
11. Catalyst 9400 – a new level of reliability
Only Campus
Access platform
in the industry to
support ISSU
N+1 Power supply redundancy
Safeguard against power supply
failure
Dual Supervisors
with sub 50ms ISSU* & NSF/SSO
“Transparent” line card design
Minimal on-board components for
very high MTBF
Unique uplink redundancy
Uplinks of failed supervisor continue to
remain active
Redundant Fans
N+1 Fan redundancy within Fan-tray;
Up to 2 minutes of fan-less operation for
servicing fan-tray
N+N Power Supply Redundancy
Safeguard against power circuit failure
12. Catalyst 9400 – SUP1XL, SFP LCs
C9400-LC-24XS
24-Port SFP/SFP+
C9400-LC-48S
48 Port SFP
Line rate on all ports
C9400-LC-24S
24 Port SFP
Line rate on all ports
Nov `17
Mar `18
Nov `17
Mar `18
C9400-SUP1XL
Up to 120G per slot
Sup1XL – Up to 120G
Per Slot
Distribution Template
with Sup1XL*
Fiber to the desktop
Collapsed Access
Distribution
SDA Border Template*
Note: 120G per slot on 7 Slot
Full Portfolio readiness in 7 and 10 Slot chassis for 4K Migration
13. Catalyst 9400 – mGig & PoE+
48x 10/100/1000 Data 48x 10/100/1000 UPoE
24x 1G + 24x mGig UPoE
48x 10/100/1000 PoE+
Shipping
24x mGig + 24x 1G
PoE+ for price neutral
transition
192 ports of mGig
Nov `17
Mar `18
Highest mGig Port Density in the Industry
15. New management capabilities for Catalyst 9K
Ease of Serviceability with Blue
Beacons on each component
Ergonomic Design with Industry
standard Icons
Wireless Console Access with
Bluetooth
Mobile
Laptop
Icons
Inventory Management Efficiency
with Built-in RFID
17. A reliable perimeter is no longer enough
Phishing
Email Link
Email attachment
Malware on
Personal device
Social Media Site with Malware
(1) Initial Compromise
(2) Malware Propagation
(3) Botnet creation / Privilege Escalation
(4) DDoS Attack / Data Exfiltration
Perimeter Security ineffective
18. Cryptographic Audits
Malware in Encrypted
Traffic
§ Netflow Data: SrcIP, DstIP, SrcPort, DstPort, Proto, #Bytes, #Packets
§ Intraflow Data: Sequence of Packet Lengths & Times (SPLT), Byte Distribution, …
§ TLS Metadata: Extensions, Ciphersuites, SNI, Certificate Strings, …
Specialized telemetry
Encrypted Traffic Analytics
Exclusive support on Catalyst 9K
Primary task
Secondary task
20. Evolution of the Cisco "Network as a Sensor" solution
Detecting malware in encrypted traffic
Catalyst 9K switch
NetFlow with extended telemetry at port speed
Stealthwatch
Machine learning
Detection of malware in encrypted traffic
ISE (Identity Services Engine)
Cognitive Analytics
Automatic threat isolation
Encrypted Traffic Analytics
99% threat detection accuracy*
0.01% false positives*
*Source: Identifying Encrypted Malware Traffic with Contextual Flow Data, Oct 2016
21. ETA support
ETA and NetFlow records are collected and exported at the Access/Fabric Edge
Campus / Branch
Wired Deployments
SD–Access Wired and
Wireless Deployments
Catalyst 9300
Sends ETA Data to
Flow Collectors
For SD-Wireless ETA is
deployed on VLANs
which correspond to
Wireless IP Pools
For Wired clients ETA
is applied directly to
interfaces
25. StackWise Virtual
Full compatibility with SD-Access
• StackWise Virtual technology is an integrated platform in the DNA architecture
• Catalyst 9500 series StackWise Virtual can be an Edge Node (EN) or a Border Node (BN) in a Fabric-enabled network
• StackWise Virtual helps build a simplified underlay IP infrastructure
• SDA support is available starting from the initial software release
27. L2VPN EOMPLS / VPLS – where is it supported?
Layer Platform Version FCS
Access/Distribution/Core
3850/3650 (All Models) 16.6.1 July 17
9300 (All models) 16.6.1 July 17
9500 (All models) 16.6.1 July’17
VPLS
EOMPLS
28. User
Devices
Service Discovery
Agent on Cat 9k
Policy Management
on DNA-Center
WAN
Bonjour Devices
(Apple TV, Printers)
Wide Area Bonjour
§ Enables Discovery and service distribution across
WAN
§ Group-Based Policies for access control
§ Simplified Controller Based Management
Traditional Bonjour
§ Single Gateway solution, cannot scale
across enterprises
§ No access control
§ Limited Management capabilities
Wide Area Bonjour Mar`18
29. Catalyst 9K: unified feature set and licensing
Current-Gen - three-tier packaging
IP Services
Full L3 and Core Differentiators
IP Base
Routed Access and Access Differentiators
Lan Base
L2 Features and Competitive Parity
C9K - Simplified two-tier packaging
DNA Essentials
Simplified Network Operations Solution Package
DNA subscriptions required (min 3-year term) at time
of Cat 9K order
DNA Advantage
Software Defined Access, Assurance and ETA Solution
Package
Network Advantage
Full L3 with flexible Segmentation and Network Resiliency
Network Essentials
Competitive Parity with Full L2 and Routed Access
30. Catalyst 9K: Advantage vs. Essentials comparison
Full Routing Functionality
BGP, HSRP, OSPF, ISIS, HSRP,GLBP
Flexible Network Segmentation
VRF, VXLAN, LISP, Trustsec,
Wireless Client and Guest, MPLS L3VPN
Enhanced Security Controls
MACSEC-256
IoT & Mobility
CoAP
Optimize Bandwidth
Utilization with Multicast
MSDP, mVPN, AutoRP, PIM-BIDIR
Software-defined Access
Policy-based Automation and
Assurance, SD-Wireless
Security & IoT
Encrypted Traffic Analytics,
mDNS GW, NAT/PAT
Telemetry & Visibility
ERSPAN, AVC, NBAR2
Network Advantage (Inclusive of Network Essentials)
DNA Advantage (Inclusive of DNA Essentials)
Assurance & Analytics
Network insights from analytics and
machine learning, clients and
applications covering on-boarding,
connectivity and performance
Essential Switch Capabilities
Layer 2, Routed Access, PIM Stub,
PVLAN, VRRP, PBR, CDP, QoS, FHS,
802.1x, Macsec-128, CoPP, Trustsec SXP,
IP SLA Responder, SSO
DevOps Integration
Programmability with Open
Models and Netconf/Restconf,
PnP Agent, ZTP
Telemetry & Visibility
Sampled NetFlow, SPAN, RSPAN
Basic Automation
Plug and Play,
Patch Management *,
EasyQOS Configuration*
Basic Monitoring Capabilities
EasyQOS Monitoring*, Client and Device
360, PSIRT Compliance*
Element Management
Image Management,
Topology and Discovery
Cisco Differentiators
Containers, Python, EEM, ANI,
Full NetFlow, Wireshark
DNA Essentials
Network Essentials
Perpetual
Perpetual
3, 5, 7 Year Terms
3, 5, 7 Year Terms
Advantage Essentials
High Availability & Resiliency
NSF, GIR, Stackwise Virtual, ISSU
Inclusive of Switch and DNA Center Capabilities
* Future
SD-Access Ready
Element Management
Patch Management
31. Routed Access – available everywhere!
2960L
Lan Lite
includes
Routed Access
§ Default-route
§ Static
§ RIP
2960X
Lan Base
includes
Routed Access
§ RIP
§ EIGRP Stub
§ OSPF(200 routes)
§ PBR
§ PIM Stub Multicast (up
to 200 routes)
3650/3850/4500E
Lan Base
includes
Routed Access
§ RIP
§ EIGRP Stub
§ OSPF (1000 routes)
§ PBR
§ PIM Stub Multicast (up
to 1000 routes)
3650/3850/4500E
IP Base
includes
Routed Access &
VRF
§ 3 Virtual Networks for
SD-Access
IOS 15.2(6)E IOS 15.2(6)E IOS XE 16.6/3.10E IOS XE 16.6/3.10E IOS XE 16.5
C9K
Network Essentials
includes
Routed Access
§ RIP
§ EIGRP Stub
§ OSPF (1000 routes)
§ PBR
§ PIM Stub Multicast (up
to 1000 routes)
35. ISR 4000 - the new "Boost" license
• All ISR4000, IOS 16.7.1
• FCS Nov 2017
• Enforced License
• PAK is needed
• 60 day Boost Eval available.
• Once installed
• Unshackle the performance
• Container services not supported on 4331 & 4351 with Boost license
• Boost license is repurposing cores on 4331 & 4351
36. ISR 4000 Boost license
What can be expected in terms of performance?
Platform  Performance license   Boost license
4451      2 Gbps @ 19% CPU      4 Gbps @ 35% CPU
4431      1 Gbps @ 18% CPU      4 Gbps @ 62% CPU
4351      400 Mbps @ 17% CPU    2 Gbps @ 45% CPU
4331      300 Mbps @ 16% CPU    2 Gbps @ 53% CPU
4321      100 Mbps @ 8% CPU     2 Gbps @ 68% CPU
4221      75 Mbps @ 8% CPU      1.2 Gbps @ 94% CPU
IP Routing ( CEF )
UP results on uncapped platforms IOS 16.4
38. Cisco ISR 1100
The smallest IOS XE-based router
§ FCS Starting Nov (depending on SKU)
§ Regions covered: US, Canada, EU, Japan and Australia
§ G.fast / Super-vectoring (35b) orderable in Jan -18
§ 800 Series product offering not affected by ISR 1100
Mobility Express
LTE Advanced
SD-WAN
Programmability
Umbrella Security
48. Cisco SD-WAN – overall architecture
4G/LTE
MPLS
Internet
Private/Hosted/Managed
Cloud
vEdge Router
vSmart Controllers
vManage
Secure
SD-WAN Fabric
Secure
Control Plane
REST API
GUI
Data Center
Campus
Branch
Small Office
Home Office
Analytics
Multitenant, Cloud Delivered and Cloud Operated
Cloud Data Center
50. Zero Touch Provisioning (ZTP)
Control and Policy
Elements
* Factory default config
Assumption:
• DHCP on Transport Side (WAN)
• DNS to resolve ztp.viptela.com*
§ Delivered as-a-Service
Zero Touch Provisioning
Server
1
2
Full Registration and
Configuration
5
3
4
vEdge
52. Policy-based SD-WAN management
Policy Augmented Dynamic Routing
vEdge
WAN
router
Access Layer
Branch/DC
vSmart controller – Policy
Enforcement/Advertisement
Control Policy:
Routing and Services
vManage GUI – Policy Orchestration
Data Policy:
Extensive Policy-based
Routing and Services
App-Route Policy:
App-Aware SLA-based
Routing
Combine and Apply per Site
Execute Control Policy
Advertise AAR/Data Policies to Sites
Execute AAR and Data Policy as received
Dynamic Routing and Policies Combine
to dictate behavior
53. Viptela portfolio - vEdge
SOHO
SMB
(100 M)
Branch
(1 G)
Head-End
Aggregation
(10 G)
NFV, vCPE
(N x cores)
IaaS & Cloud
Interconnect
(Nx cores)
Dual LTE variant
back
Higher Capacity
Aggregation
(20 G+)
ARM
IOT /
Small Footprint