
June 11th 2020

Deep Dive on Cisco IOS XE Software Release 17.2.1r Single Image and PnP Flexibility for Enterprise Routing Platforms

Cisco Community

Community Live event

Sumant Mali

Technical Marketing Engineer

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

News & Upcoming events


Ask Me Anything following the event

Now through Friday June 19th 2020

https://bit.ly/ama-IOsXE-jun11

With Sumant Mali

Sumant Mali Technical Marketing Engineer


Become an event Top Contributor!

Participate in Live Interactive Technical Events and much more

http://bit.ly/EventTopContributors


Rate content at the Cisco Community

Rate documents, Videos & blogs!

Help us to recognize the quality content in the community

Encourage and acknowledge people who generously share their time and expertise

Cisco Community Expert

Sumant Mali, Technical Marketing Engineer

Question Managers

Pradeep Chaudhari, Technical Marketing Engineer

3x CCIE #28284

Kureli Sankar, Manager Technical Marketing

CCIE #35505

Download Today’s Presentation: https://bit.ly/CL-slides-jun11_2020

Thank You For Joining Us Today!


Use the Q&A panel to submit your questions and the panel of experts will respond.

They will be answered eventually

Submit Your Questions Now!

Please take a moment to complete the survey at the end of the event


Broad set of Infrastructure for Cloud Scale Networks

[Portfolio figure; labels recovered from the slide:]

Platform groups: Branch, Aggregation, Virtualization, Cloud

SD-WAN + Services (IOS XE): ISR 1000, ISR 4000, ASR 1000, CSR 1000v

SD-WAN (Viptela OS): vEdge 100, vEdge 1000, vEdge 2000, vEdge 5000, vEdge Cloud, ISR1100-4G/6G/LTE

Also shown: ENCS 5000, CSP 5000

Shipping

• Integrated wired and wireless access; WWAN Pluggables

• VDSL2, ADSL2/2+

• WAN and voice module flexibility, Compute with UCS-E

• Slot Modularity, Redundant PSU

• Hardware and software redundancy

• High-performance service with hardware assist

• Extend Enterprise routing, security & management to Cloud

• Service chaining virtual functions

• Options for WAN connectivity

• Open for 3rd party services & apps

IBNG Routing Platform Technical Marketing, June 2020

IOS XE 17.2.1r Routing TDM

Sumant Mali

Agenda

IOS XE Release 17.2

1 New Platform Hardware

2 Single Image and PnP demo

3 Key Feature Summary

4 Other Features

5 Zero-Touch Home Office

Polling Question 1

What SD-WAN stage is your network at today?

A. Something we have implemented

B. Something we are considering

C. We have no need for this

D. I see the benefit that it provides but need more information


New Platform Hardware

IOS XE Release 17.2

C1100TG Terminal Server

IOS XE based, 1RU terminal server with integrated ASYNC ports and optional built-in switch.

Simplified top of rack solution, no need for separate console server and management ethernet connectivity

Support for Advanced Access

• Secure tunnels at scale: IPSEC/GRE/DMVPN

• LTE access on roadmap

C1100TG-1N32A

C1100TG-1N24P32A


C1100TG Terminal Server

Attribute C1100TG-1N32A C1100TG-1N24P32A C1100TGX-1N24P32A

Built-in ASYNC ports 32 ports plus optional 16 additional ports

Modularity 1 single wide NIM slot

Switch ports None 24

Memory – DRAM 2 GB 4 GB 8 GB

Memory - Flash 4 GB 8 GB

Minimum software level IOS XE 17.2

Important Points

• Based on NIM-ES2 architecture

• Switch uses Third Party ASIC

• NGIO-lite access for switch to forwarding plane

• Async Cable: CAB-ASYNC-8


Single Image and PnP

Single Image for IOS XE and IOS XE SD-WAN

[Figure; labels recovered from the slide:]

• IOS XE image: universalk9

• IOS XE SD-WAN image: ucmk9

• Single image: universalk9

• Autonomous mode: IOS XE ‘Autonomous’ mode

• Controller mode: IOS XE SD-WAN ‘Controller’ mode

Operational Mode Change

Change to Autonomous Mode

• Config lost, device in day-0

Change to Controller Mode

• Config lost, device in day-0

Router# controller-mode ?
  disable    controller-mode disable
  enable     controller-mode enable

'enable' option prompts user to choose either Day-0 mode or restore old config

Greenfield, Brownfield Image Upgrade Scenarios

IOS XE use-case

• Boot-up sequence:
  • 1st boot in Autonomous mode
  • Day-0 onboarding with PnP or manual CLI mode

• Seamless upgrade
  • Direct boot in ‘Autonomous’ mode
  • Configuration restored

IOS XE SD-WAN use-case

• Boot-up sequence:
  • 1st boot in Autonomous mode
  • PnP/manual/bootstrap triggered mode change request
  • 2nd boot in Controller mode
  • Day-0 onboarding with PnP or manual CLI mode

• Seamless upgrade
  • Direct boot in ‘Controller’ mode
  • Configuration restored


Controller Mode Software Downgrade

Downgrade of SD-WAN software to older version is disruptive

Configs are maintained on a per installed image basis

To keep the downgrade option open, make sure you do not delete previous software installation

Router# show sdwan software
VERSION        ACTIVE  DEFAULT  PREVIOUS  CONFIRMED  TIMESTAMP
---------------------------------------------------------------------------------
17.2.0.98221   true    false    false     -          2020-10-06T05:12:56-00:00
16.12.1d       false   true     false     -          2020-10-05T18:21:48-00:00

Total Space:387M Used Space:196M Available Space:186M
Router#

Install Requirements

• Minimum 700MB should be available for first time ‘A’ → ‘C’ to create necessary SD-WAN install files

• Minimum 300MB should be available for new install or mode switch

Maximum 2 Installs are Supported

Router# show platform software device-mode
-------------------------------------
Operating device-mode: Controller

Device-mode bootup status:
-------------------------------------
Success

Router#

Oct 22 18:02:22.543: %BOOT-5-OPMODE_LOG: R0/0: binos: System booted in CONTROLLER mode

Router# show version | inc operating
Router operating mode: Autonomous
Router#

Router# show version | inc operating
Router operating mode: Controller-Managed
Router#

Provisioning using Bootstrap Config File

Current Mode | Mode Switch To | Platforms | Configuration file and location
Controller | Autonomous | All supported platforms | ciscortr.cfg (bootflash, usb)
Autonomous | Controller | CSR1000v, ISR1000v, ASR1002-X | ciscosdwan_cloud_init.cfg (bootflash, usb)
Autonomous | Controller | All supported platforms apart from mentioned in row 2 above | ciscosdwan.cfg (bootflash, usb)

• The bootstrap file is generated by Cisco vManage and has UUID, but no OTP.

• For virtual platforms (CSR, ISRv), and OTP authenticated devices like ASR1002-X, use the bootstrap file name as ciscosdwan_cloud_init.cfg. This file has OTP but no UUID validation.

Single Image: Exact Names and Platforms

Platform Image Category | Image Type
CSR | csr1000v-universalk9
ISR-1100 | c1100-universalk9
ASR1001-HX, ASR1002-HX | asr1000-universalk9
ISR 4451, ISR 4431 | isr4400-universalk9
ISR 4461 | isr4400v2-universalk9
ISR 4351, ISR 4331, ISR 4321 | isr4300-universalk9
IR-1101 | ir1101-universalk9
ISR-4221 | isr4200-universalk9
ASR1002-X | asr1002x-universalk9
ASR1001-X | asr1001x-universalk9
ISRv | isrv-universalk9

Changes with Single Image

✓ Two images per platform category are combined into one

✓ ASR 1000 Modular Platforms, SD-WAN is not supported

✓ Other image variations will remain the same way for IOS-XE use-cases
  • universalk9_npe
  • universalk9_noli
  • universalk9_npe_noli

17.2.1r PnP Provisioning

Single Image: Boot Up Sequence

[Flowchart; labels recovered from the slide:]

• Device boot up in autonomous mode

• Start PNPa

• Bootstrap USB/CDROM/bootflash: CISCOSDWAN.cfg, Ciscosdwan_cloud_init.cfg

• PNP redirect to vBond

• Redirect to DNAC/NSO

• Non PNP Day-0, PNPa stopped

• Config Wizard or IOS CLI

• Controller Mode

• Autonomous Mode

• write erase and reload

• controller-mode reset

CCW Ordering and Edge On-boarding

[Diagram; labels recovered from the slide:]

• Cisco Commerce Workspace

• Smart Account details specified on order used for Overlay creation

• Smart Account Automation

• Customer, Service Provider, End Customer

• Device list is passed to PnP

• PnP Cloud Service, vBond, WAN Edge, vManage

• Add a vBond Controller Profile and Associate with Org-Name

• Sync Smart Account

• Push Device List

Single Image: Day-0 Plug and Play

[Flowchart; labels recovered from the slide:]

• Device boots in Autonomous mode

• PnP Connect (CCW, vBond)

• PnP? (Yes / No)

• Mode change and reboot (PNP, SD-WAN)

• Device available for IOS CLI or non-PNP workflows (Autonomous Mode)

• PNP Complete, Device Connected w/ vManage / vSmart (Controller mode)

• Legend: Autonomous mode transitions, Controller mode transitions

Single Image: CCW ordering stays same ☺

→ CCO Software download experience should stay same as well.

→ Both SD-WAN, non SD-WAN pages will download ‘universalk9’ image.

Polling Question 2

What are the PnP, ZTP Solutions you have used?

A. PnP using Cisco vManage

B. ZTP using Cisco DNA-C

C. ZTP using Cisco Network Services Orchestrator

D. Bootstrap provisioning using USB

Demo

LTE PnP demo: IOS XE SD-WAN

C1121X-8PLTEPWB, SN: FGL2401L7US

17.2.1r

[Demo flow; steps recovered from the slide:]

• Add devices to Smart/Virtual Ac.

• SA/VA: Attach SN to Controller Profile

• vManage: Sync Smart Account

• vManage: Send to Controller

• Pre-provision Device Template

• Power ON edge with LTE SIM

• 1st Autonomous Mode, PnP redirect

• 2nd boot Controller Mode, PnP redirect

• Successful LTE Edge Provisioning!


Key Feature Summary

IOS XE Release 17.2

IOS XE 17.2.1r Key Features Summary

Category | Feature | Supported Platforms
VPN | MPLS ‘P’ node support for DMVPN | ASR1k, ISR4k, ISR1k, CSR1kv
VPN | GETVPN fail-close ‘revert’ option support | ASR1k, ISR4k, ISR1k, CSR1kv
VPN | 6VPE over DMVPN over IPv6 Transport | ASR1k, ISR4k, ISR1k, CSR1kv
Security | MACSec on Port Channel Interface | ASR1k, ISR4k
Layer 2 | L2TPv3 on SVI interface | ISR4k, ISR1k
Layer 2 | Layer Two Protocol Tunneling (L2PT) | ISR4k, ISR1k
Voice | DSP based CPA Algorithm Enhancement | ISR4k
Network Management | SNMP MIB for VxLAN per VRF, per VNI accounting | ASR1k
Network Management | TR-069 Partial Config Download, DSL CPE | ISR4k, ISR1k
Layer 3 | IP Multiplexing | ISR4k
Transceivers | QSFP-40/100-SRBD support on ASR 1000 | ASR1k

VPN: MPLS ‘P’ node support for DMVPN

MPLS ‘P’ node support for DMVPN

• MPLS ‘P’ node supports DMVPN Hub or Spoke Configuration

Key Use case:

• Large scale VRF deployments with DMVPN

• Providing MPLS like (e.g. L3VPN) services over any IP Transport

• Extending MPLS islands over public WAN transports

• Extending the last mile for providing MPLS services

[Topology diagram; labels recovered from the slide: Hub as P/PE/RR; Spoke 1 (P/PE) and Spoke 2 (P/PE) across INET; R1 and R2 as LAN side PEs; hosts H1 and H2; MP-BGP (VPNv4, transport labels) and IGP sessions; Routes: 1. Summary 2 or RR; NHRP Labels: VPNv4 route + transport label distribution with NHRP]


MPLS ‘P’ node support for DMVPN

• MPLS ‘P’ node support for DMVPN is added for direct Spoke-Spoke without next hop preservation

• NHRP redirect gets tag switched all the way to the far end PE behind the spoke

• NHRP learnt route/label are propagated back to the ingress PE

• Exchange of forwarding information between NHRP and BGP at the spokes.

Restrictions:

• Only IPv4 is supported

• NHRP refresh process refreshes all entries for a given peer

• For scale and performance please refer to the SalesConnect Routing page.

Configuration Example

HUB (P/PE/RR)

interface Tunnel1
 ip address 1.2.0.100 255.255.255.128
 no ip redirects
 ip mtu 1392
 ip nhrp network-id 1010
 ip nhrp redirect timeout 30
 ip tcp adjust-mss 1300
 mpls mtu 1400
 mpls nhrp inspect
 mpls bgp forwarding
 mpls nhrp
 nhrp group G0
 bfd template VPN
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 3578649859
 tunnel vrf CC-INTERNET

SPOKE (P/PE)

interface Tunnel1
 ip address 1.2.0.1 255.255.255.128
 no ip redirects
 ip mtu 1392
 ip nhrp network-id 1010
 ip nhrp nhs 1.2.0.100 nbma 1.0.0.5 multicast
 ip tcp adjust-mss 1300
 mpls mtu 1400
 mpls nhrp inspect
 mpls bgp forwarding
 mpls nhrp
 nhrp group G1
 bfd template VPN
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 3578649859
 tunnel vrf CC-INTERNET

VPN: GETVPN fail-close revert

GETVPN fail-close with revert option

Challenges

• When there is no rekey from the KS and the GM is not able to re-register to the KS, the GM will drop packets after the SA expiry

Enhancements

• The new feature allows the GM to go back to operating in fail-close mode, using the locally configured fail-close policy (fail-close ACL) on the GM, after the SA expiry

• If no local policy is configured on the GM, it operates in fail-open mode in this feature.

Configuration:

crypto gdoi group <NAME>
 client fail-close revert

Yang mode for this new CLI is supported.

GETVPN Fail Close with ‘revert’ option support

If fail-close revert is configured, then

Before registration, GM uses local configured policy

After registration, GM uses the policy downloaded from the KS

When there is no rekey from the KS, GM deletes the policy downloaded from the KS and uses the local fail-close policy to handle the traffic after the SA expiry

If the re-registration is successful, the GM downloads the new policy from the KS and installs it

If there is no local fail-close policy configured on GM, it then operates in the fail-open default mode after the SA expiry
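
A configuration check for the behaviour listed above, as an added example that is not part of the presentation: it reads a GM configuration and reports, per GDOI group, what the GM falls back to after SA expiry when no rekey arrives. The sample configuration, the group/map/ACL names, and the `crypto map <name> gdoi fail-close` stanza (with `match address` and `activate`) used to recognise the local fail-close policy are assumptions not shown on the slides.

```python
import re

STANZA = re.compile(r"^(\S.*)\n((?:[ \t]+.*\n)*)", re.M)  # header + indented body

# Constructed GM configuration (not from the slides). Names and addresses are
# made up. Assumption: the local fail-close policy is a
# "crypto map <name> gdoi fail-close" stanza that has an ACL and "activate".
SAMPLE_CONFIG = """\
crypto gdoi group GET-WAN
 identity number 1001
 server address ipv4 192.0.2.10
 client fail-close revert
!
crypto gdoi group GET-LAB
 identity number 1002
 server address ipv4 192.0.2.11
 client fail-close revert
!
crypto gdoi group GET-OLD
 identity number 1003
 server address ipv4 192.0.2.12
!
crypto map WAN-MAP gdoi fail-close
 match address 102
 activate
crypto map WAN-MAP 10 gdoi
 set group GET-WAN
crypto map LAB-MAP gdoi fail-close
 match address 103
crypto map LAB-MAP 10 gdoi
 set group GET-LAB
crypto map OLD-MAP 10 gdoi
 set group GET-OLD
"""


def audit_fail_close_revert(config):
    """Map each GDOI group to its behaviour after SA expiry with no rekey."""
    revert = {}          # group name -> True if 'client fail-close revert' is set
    active_fc = set()    # crypto maps with an activated fail-close ACL
    group_maps = {}      # group name -> crypto maps that reference it
    for m in STANZA.finditer(config):
        header = m.group(1).strip()
        body = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        g = re.fullmatch(r"crypto gdoi group (\S+)", header)
        if g:
            revert[g.group(1)] = "client fail-close revert" in body
            continue
        fc = re.fullmatch(r"crypto map (\S+) gdoi fail-close", header)
        if fc:
            has_acl = any(l.startswith("match address ") for l in body)
            if has_acl and "activate" in body:
                active_fc.add(fc.group(1))
            continue
        cm = re.fullmatch(r"crypto map (\S+) \d+ gdoi", header)
        if cm:
            for l in body:
                if l.startswith("set group "):
                    group_maps.setdefault(l.split()[2], set()).add(cm.group(1))
    result = {}
    for group, has_revert in revert.items():
        maps = group_maps.get(group, set())
        if not has_revert:
            # Behaviour listed under "Challenges": GM drops after SA expiry.
            result[group] = "no-revert"
        elif maps and maps <= active_fc:
            result[group] = "revert-to-local-fail-close"
        else:
            # Revert is set but no usable local policy: GM runs fail-open.
            result[group] = "revert-but-fail-open"
    return result


if __name__ == "__main__":
    for group, status in audit_fail_close_revert(SAMPLE_CONFIG).items():
        print(f"{group}: {status}")
```

GET-LAB is the case to look for in a review: `client fail-close revert` is present, but its fail-close map was never activated, so after SA expiry the group is handled fail-open.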

VPN: 6VPE over DMVPN over IPv6 Transport

6VPE over DMVPN over IPv6 Transport High Level Design

[Topology diagram: IPv6/IPv4 DMVPN tunnel across an IPv6 core network, with the VRFs below at each end]

VRFs on one side:

• VRF RED: ipv4 10.0.0.2/24

• VRF BLUE: ipv4 11.0.0.2/24, ipv6 2001:201::2/64

• VRF GREEN: ipv6 2001:202::2/64

VRFs on the other side:

• VRF RED: ipv4 10.0.0.1/24

• VRF BLUE: ipv4 11.0.0.1/24, ipv6 2001:201::1/64

• VRF GREEN: ipv6 2001:202::1/64

• Allows IPv6 LAN prefixes over an IPv4 overlay neighborship created over an IPv6 DMVPN transport

→ No impact on existing MPLS/DMVPN performance

→ For existing scale and performance please refer to SalesConnect Routing

Configuration samples for Hub/Spoke

interface Tunnel1
 ip address <ipv4 address> 255.255.255.0
 ip nhrp network-id 1
 ip nhrp holdtime 3600
 ip nhrp nhs <ipv4 address> nbma <ipv6 address> multicast
 ip nhrp nhs <ipv4 address> nbma <ipv6 address> multicast
 ip nhrp nhs <ipv4 address> nbma <ipv6 address> multicast
 load-interval 30
 ipv6 mtu 1450
 mpls nhrp
 if-state nhrp
 tunnel source Loopback0
 tunnel mode gre multipoint ipv6
 tunnel key 1
 tunnel protection ipsec profile DMVPNv6 shared

interface Tunnel2
 no ip address
 ip nhrp holdtime 3600
 load-interval 30
 shutdown
 ipv6 address 2001:DB8:1::1/64
 ipv6 mtu 1450
 ipv6 nhrp network-id 2
 ipv6 nhrp nhs <ipv6 address> nbma <ipv6 address> multicast
 ipv6 nhrp nhs <ipv6 address> nbma <ipv6 address> multicast
 ipv6 nhrp nhs <ipv6 address> nbma <ipv6 address> multicast
 mpls nhrp
 if-state nhrp
 tunnel source Loopback0
 tunnel mode gre multipoint ipv6
 tunnel key 2
 tunnel protection ipsec profile DMVPNv6 shared

Security: MACSec on Port-Channel Interface

MACSec on Port Channel Interface

MACSec capable member-link Port-channels only

• Configure MACSec over all member-links, there is no MACSec configuration over port-channel.

Port-Channel, Member-link Config:

interface Port-channel2
 ip address 59.59.59.1 255.255.255.0
 bfd interval 750 min_rx 750 multiplier 5
 lacp min-bundle 1
 no shut
!
interface TenGigabitEthernet0/1/1
 no shutdown
 cdp enable
 no cdp tlv app
 mka policy policy1
 mka pre-shared-key key-chain key1
 macsec
 lacp rate fast
 channel-group 2 mode active
 exit

KEY Configuration Sample:

key chain key1 macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 0101010101010101010101010101010101010101010101010101010101010101

MKA Policy Config Sample:

mka policy policy1
 macsec-cipher-suite gcm-aes-128 gcm-aes-256
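
A review script for the member-link rule and the key sample above, as an added example that is not part of the presentation: it flags bundle members that join a MACsec port-channel without `macsec` and an MKA key chain, MACsec configured on the port-channel itself, and cleartext key-strings that have the wrong length or a repeating placeholder pattern like the one on the slide. The sample configuration is constructed, and the 32/64 hex-digit lengths for aes-128-cmac/aes-256-cmac are the example's assumption about the expected CAK size.

```python
import re

STANZA = re.compile(r"^(\S.*)\n((?:[ \t]+.*\n)*)", re.M)  # header + indented body
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}     # hex digits per algorithm

# Constructed sample (not from the slides): key 01 reuses the slide's
# placeholder key-string, key 02 is too short for aes-256-cmac, and
# Te0/1/2 joins bundle 2 without any MACsec configuration.
SAMPLE_CONFIG = """\
key chain key1 macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string {slide_key}
 key 02
  cryptographic-algorithm aes-256-cmac
  key-string 5f1d0c9a77e24b31a8c6d2f09b3e4417
!
interface Port-channel2
 lacp min-bundle 1
!
interface TenGigabitEthernet0/1/1
 mka policy policy1
 mka pre-shared-key key-chain key1
 macsec
 channel-group 2 mode active
!
interface TenGigabitEthernet0/1/2
 channel-group 2 mode active
""".format(slide_key="01" * 32)

def parse(config):
    """Split an IOS-style config into (header, [stripped sub-commands])."""
    return [(m.group(1).strip(),
             [l.strip() for l in m.group(2).splitlines() if l.strip()])
            for m in STANZA.finditer(config)]

def audit_key_chains(stanzas):
    """Check cleartext MACsec key-strings; return (findings, chain names)."""
    findings, chains = [], set()
    for header, body in stanzas:
        m = re.fullmatch(r"key chain (\S+) macsec", header)
        if not m:
            continue
        chain, keys, key_id = m.group(1), {}, None
        chains.add(chain)
        for line in body:
            tok = line.split()
            if tok[0] == "key" and len(tok) == 2:
                key_id = tok[1]
                keys[key_id] = {}
            elif key_id and len(tok) == 2 and tok[0] == "cryptographic-algorithm":
                keys[key_id]["algo"] = tok[1]
            elif key_id and len(tok) == 2 and tok[0] == "key-string":
                keys[key_id]["hex"] = tok[1]   # typed/encrypted strings are skipped
        for key_id, k in keys.items():
            if "hex" not in k:
                continue
            want = CAK_HEX_LEN.get(k.get("algo"))
            if want and len(k["hex"]) != want:
                findings.append(f"{chain} key {key_id}: {len(k['hex'])} hex chars, "
                                f"{k['algo']} needs {want}")
            if len(set(re.findall("..", k["hex"]))) <= 2:
                findings.append(f"{chain} key {key_id}: repeating placeholder key-string")
    return findings, chains

def audit_bundles(stanzas, chains):
    """Every member link of a MACsec bundle needs 'macsec' plus an MKA key chain."""
    findings, bundles = [], {}
    for header, body in stanzas:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        psk = [l.split()[-1] for l in body
               if l.startswith("mka pre-shared-key key-chain ")]
        if name.lower().startswith("port-channel"):
            if "macsec" in body or psk:
                findings.append(f"{name}: MACsec/MKA configured on the port-channel itself")
            continue
        for l in body:
            g = re.match(r"channel-group (\d+)\b", l)
            if g:
                bundles.setdefault(g.group(1), []).append(
                    (name, "macsec" in body and bool(psk), psk))
    for num, links in sorted(bundles.items()):
        if not any(secured for _, secured, _ in links):
            continue                      # bundle does not use MACsec at all
        for name, secured, psk in links:
            if not secured:
                findings.append(f"Port-channel{num}: member {name} lacks macsec/MKA key")
            elif psk[0] not in chains:
                findings.append(f"{name}: {psk[0]} is not a macsec key chain")
    return findings

def audit(config):
    stanzas = parse(config)
    findings, chains = audit_key_chains(stanzas)
    return findings + audit_bundles(stanzas, chains)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```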

Voice: DSP based CPA Algorithm Enhancement

DSP based CPA Algorithm Enhancement

Better experience for DSP use-cases

Motivation for the feature

• To improve detection of live calls, answering machines, SIT, Voicemail, etc.

• Avoid misclassification of voice streams due to background noise, silence.

• Avoid premature disconnection leading to high call failure rate.

• Enforced Agent productivity loss affecting business.

Feature Improvements:

• Enhanced DSP algorithm to encounter background noise

• Improved speech detection with live call SNR monitoring

• Better CPA detection rate by 4-5%

• No new CLI commands have been implemented

• Changes to backend CPA algorithm

Page 53: Cisco Community Community Live event · 2020. 6. 11. · June 11th 2020 Deep Dive on Cisco IOS XE Software Release 17.2.1r Single Image and PnP Flexibility for Enterprise Routing

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Layer 2L2TPv3 on SVI Interface

Page 54: Cisco Community Community Live event · 2020. 6. 11. · June 11th 2020 Deep Dive on Cisco IOS XE Software Release 17.2.1r Single Image and PnP Flexibility for Enterprise Routing

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 54

Today’s Challenges:

• L2TPv3 only supported on WAN ports

• Lack of support for L2TPv3 on SVI and Ethernet-internal interfaces on ISR 1000 and ISR 4000 Platforms

• Feature parity for migration from ISR 800 to ISR 1000

What’s Improving?

• Support for Layer 2 VPN pseudowire tunnelling over an IP network

• ISR 1000 built-in interfaces and ISR 4000 platform with

• NIM-ES2-4 or NIM-ES2-8

• SM-X-16S4M2X or SM-X-40S8M2X

L2TPv3 on SVI interface: ISR 1000, ISR 4000 CPE use-case


L2TPv3 on SVI interface: Topology, Sample Configuration

R1 Configuration
pseudowire-class pc
 encapsulation l2tpv3
 ip local interface Loopback0
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 12.0.0.2 255.255.255.252
interface GigabitEthernet0/1/0
 switchport access vlan 20
 switchport mode access
interface Vlan20
 no ip address
 xconnect <Peer Loopback IP> <Virtual Circuit ID> encapsulation l2tpv3 pw-class pc
router ospf 1
 network 2.2.2.2 0.0.0.0 area 1
 network 12.0.0.2 0.0.0.0 area 1

R2 Configuration
pseudowire-class pc
 encapsulation l2tpv3
 ip local interface Loopback0
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 12.0.0.1 255.255.255.252
interface GigabitEthernet0/1/0
 switchport access vlan 30
 switchport mode access
interface Vlan30
 xconnect <Peer Loopback IP> <Virtual Circuit ID> encapsulation l2tpv3 pw-class pc
router ospf 1
 network 1.1.1.1 0.0.0.0 area 1
 network 12.0.0.1 0.0.0.0 area 1

Peer1 (G0/0/0) → (g0/1/0) R1 (g0/0/0) → (g0/0/0) R2 (g0/1/0) → (g0/0/0) Peer2

*R1 and R2 are ISR1K or ISR4K with supported NM/SM modules


• Tested Platform: C1118-8P

• On ISR 4000 with SM-X.. and NIM-ES2.. cards, the performance results should align with the throughput of the respective platform

L2TPv3 on SVI interface, Scale and Performance

Test Scale            Packet Size (bytes)   Throughput (Mpps / Mbps)   QFP Load
1 l2tpv3 session      64                    0.195 / 135.7              98%
1 l2tpv3 session      1400                  0.169 / 1920               89%
1 l2tpv3 session      IMIX                  0.192 / 585.3              96%
50 l2tpv3 sessions    68                    0.193 / 128.3              99%
50 l2tpv3 sessions    1400                  0.170 / 1930               90%
50 l2tpv3 sessions    IMIX                  0.189 / 561.1              97%
200 l2tpv3 sessions   68                    0.167 / 111.3              95%
200 l2tpv3 sessions   1400                  0.165 / 1870               95%
200 l2tpv3 sessions   IMIX                  0.169 / 503.2              95%


Layer 2: Layer 2 Protocol Tunneling Support


Layer Two Protocol Tunneling (L2PT)

L2PT lets Layer 2 control packets be sent to the remote side transparently

Layer 2 Control Protocols

• mvrp, mmrp, elmi, link-oam, esmc, dtp

• protocols like R4, R5, R6, R8, R9, RA, RB, RC, RD, RF, stp, vtp, cdp, pagp, udld, lacp, dtp, lldp, ptppd, mvrp, mmrp, elmi, link-oam, esmc

[Figure: CE 1, Router 1, Router 2 and CE 2 in an end-to-end Layer 2 domain; router interfaces 0/0/1 and 0/1/0]


L2PT Sample Configurations

interface GigabitEthernet0/1/0
 switchport access vlan 100
 switchport mode dot1q-tunnel
 no cdp enable
 l2protocol-tunnel vtp
interface vlan 100
 no ip address
 service instance 100 ethernet
  encapsulation dot1q 100
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 service instance 100 ethernet
  encapsulation default
bridge-domain 100
 member GigabitEthernet0/0/1 service-instance 100
 member Vlan100 service-instance 100


Layer 3: IP Multiplexing


IP Multiplexing (IP MUX)

Optimize IP traffic for environments where bandwidth or processing is constrained by the packets-per-second limitation

Multiplexes the smaller packets addressed to the same destination into a single IP packet called a super-frame

The destination router de-multiplexes the super-frame into the original IP packet stream and routes them further


IP Multiplexing – Design considerations

• New interface output feature, like ACL and QoS.

• Transparent to applications, works at Layer 3

• Works in Hub-Spoke topology; both ends need to enable IP MUX.

• Supports IPv4 and IPv6


IP Multiplexing (IP MUX)

Use-case Considerations

• Used for low speed, low throughput satellite link

• Complicated hold queue and flush mechanism

• Requires Policy to classify interested traffic and decide different hold queue profile for QoS

• Datapath extensive, can cause performance impact

Control Plane Work: Punt the interested traffic from data plane to IOS control plane and L2 inject back

Supported only on ISR 4000 platforms


IP Multiplexing: Configurations

Enable IP Multiplex on interface:
[no] ip mux
[no] ipv6 mux

ip mux profile <name>
 match-dscp 18
 match-dscp af11
 outbound-dscp 18

Configure Profile:
[no] {ip | ipv6} mux profile <profile-name>

Configure ACL:
[no] access-list {<1-199> | <1300-2699> | <name>}
ip mux profile <profile-name>
 access-list <number>
ipv6 mux profile <profile-name>
 access-list <number>

Super-frame Destination IP/IPv6 address:
ip mux profile <profile-name>
 destination <ipv4 address>
ipv6 mux profile <profile-name>
 destination <ipv6 address>

Super-frame Source IP/IPv6 address:
ip mux profile <profile-name>
 source <ipv4 address>
 source <interface>
ipv6 mux profile <profile-name>
 source <ipv6 address>

Optional configs under IP MUX profile:
[no] holdtime <20-250>
[no] maxlength <64-512>
[no] mtu <256-1500>
[no] ttl <1-255>
[no] singlepacket


• The IP MUX test is based on a 200-byte VoIP packet

• 160 bytes of 20 ms PCM voice frame plus 40 bytes of IPv4/UDP/RTP header, ignoring the MAC or link layer headers

IP Multiplexing Scale, Performance

Scale Tested: IP MUX profile: 50 (Hub), 10 (Spoke); Routes: 5K (Hub), 500 (Spoke)

Performance Tested: PPS bidirectional: 5K (Hub), 1K (Spoke)

• IP MUX is validated and supported only on ISR 4400 and 4300 platforms.


Network Management: SNMP MIB for VxLAN per VRF, per VNI accounting


SNMP MIB for VxLAN per VRF, per VNI accounting

• ASR 1000 supports access to all VxLAN per-VRF, per-VNI/VNET accounting counters via SNMP.

• A new MIB table called cnvoVNetVrfStatsTable is added in CISCO-NETWORK-VIRTUALIZATION-OVERLAY-MIB to support this feature.

• New MIB view family names [cnvoVNetVrfStatsTable, cnvoVNetVrfEgressBytes, cnvoVNetVrfEgressPackets, cnvoVNetVrfIngressBytes, cnvoVNetVrfIngressPackets] can be added to an SNMP view to allow an SNMP client to query these non-writable OIDs.

[Figure: SNMP Client and ASR 1000 (SNMP Server)]

1. Request VxLAN accounting counters in SNMP request by querying related VxLAN OIDs

2. Reply VxLAN accounting counters in SNMP response


VxLAN Per VNI/VNET per VRF accounting OID

Request all IngressPackets counters under vrf vrf1
snmpwalk -v 3 -u test -A testpassword -l authNoPriv -a md5 10.75.28.170 1.3.6.1.4.1.9.9.820.1.1.6.1.3.4.118.114.102.49
3: IngressPackets
4: vrf name length
118.114.102.49: vrf name

Request IngressPackets counters under vrf vrf1 vni 1
snmpget -v 3 -u test -A testpassword -l authNoPriv -a md5 10.75.28.170 1.3.6.1.4.1.9.9.820.1.1.6.1.3.4.118.114.102.49.1
1: vni id

Request all counters
snmpwalk -v 3 -u test -A testpassword -l authNoPriv -a md5 10.75.28.170 1.3.6.1.4.1.9.9.820.1.1.6

Request all IngressPackets counters
snmpwalk -v 3 -u test -A testpassword -l authNoPriv -a md5 10.75.28.170 1.3.6.1.4.1.9.9.820.1.1.6.1.3

SNMP MIB for VxLAN per VRF, per VNI accounting

Router# show VxLAN static-route vni-stats all
VRF: vrf1
Vni  Tx-Pkts  Tx-Bytes  Rx-Pkts  Rx-Bytes
1    185      14430     185      14430
2    185      14430     185      14430
VRF: vrf2
Vni  Tx-Pkts  Tx-Bytes  Rx-Pkts  Rx-Bytes
5    184      14352     184      14352
6    184      14352     184      14352

Router#show VxLAN static-route vni-stats vrf vrf1 vni 1
VRF: vrf1
Vni  Tx-Pkts  Tx-Bytes  Rx-Pkts  Rx-Bytes
1    100      2000      100      2000
2    100      2000      100      2000


VxLAN accounting MIB

{ "cnvoNvoObjects", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1") },
{ "cnvoVNetVrfStatsTable", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6") },
{ "cnvoVNetVrfStatsEntry", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1") },
{ "cnvoVNetVrfStatsVrfName", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1.1") }, (Key1, not-accessible)
{ "cnvoVNetVrfStatsVni", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1.2") }, (Key2, not-accessible)
{ "cnvoVNetVrfIngressPackets", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1.3") },
{ "cnvoVNetVrfIngressBytes", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1.4") },
{ "cnvoVNetVrfEgressPackets", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1.5") },
{ "cnvoVNetVrfEgressBytes", HASHNEXT("1.3.6.1.4.1.9.9.820.1.1.6.1.6") }

SNMP MIB for VxLAN per VRF, per VNI accounting

Configuration:
snmp-server view <view-name> cnvoVNetVrfStatsTable included

For scale, use large snmp packet size.
snmp-server packetsize 17892
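The index layout annotated on the OID slide (column, VRF name length, one sub-identifier per VRF name character, then the VNI) can be built and validated in code. The Python below is an added example, not Cisco code: the function names are hypothetical, and the sample walk lines are constructed in net-snmp numeric (`-On`) style with an assumed Counter64 type.

```python
import re

# cnvoVNetVrfStatsEntry and its counter columns, as listed on the slide.
ENTRY_OID = (1, 3, 6, 1, 4, 1, 9, 9, 820, 1, 1, 6, 1)
COLUMNS = {
    3: "cnvoVNetVrfIngressPackets",
    4: "cnvoVNetVrfIngressBytes",
    5: "cnvoVNetVrfEgressPackets",
    6: "cnvoVNetVrfEgressBytes",
}
COLUMN_IDS = {name: col for col, name in COLUMNS.items()}
MAX_SUBID = 2**32 - 1  # largest value an SNMP sub-identifier can hold
WALK_LINE = re.compile(r"^(\.?\d+(?:\.\d+)*) = \w+: (\d+)$")


def build_oid(column, vrf=None, vni=None):
    """Dotted OID for a counter column, optionally narrowed to a VRF and a VNI."""
    if column not in COLUMN_IDS:
        raise ValueError(f"unknown column: {column!r}")
    if vni is not None and vrf is None:
        raise ValueError("the VNI index follows the VRF name, so a VRF is required")
    subids = [*ENTRY_OID, COLUMN_IDS[column]]
    if vrf is not None:
        raw = vrf.encode("ascii")  # raises ValueError on non-ASCII names
        if not raw:
            raise ValueError("empty VRF name")
        subids += [len(raw), *raw]  # length octet, then one sub-id per character
    if vni is not None:
        if not 0 <= vni <= MAX_SUBID:
            raise ValueError(f"VNI out of range: {vni}")
        subids.append(vni)
    return ".".join(str(s) for s in subids)


def parse_instance(oid):
    """Split an instance OID into (column name, VRF name, VNI); ValueError if malformed."""
    if not re.fullmatch(r"\.?\d+(\.\d+)*", oid):
        raise ValueError(f"not a numeric OID: {oid!r}")
    subids = tuple(int(p) for p in oid.lstrip(".").split("."))
    n = len(ENTRY_OID)
    if subids[:n] != ENTRY_OID or len(subids) < n + 4:
        raise ValueError("OID is not an instance of cnvoVNetVrfStatsEntry")
    column, name_len = subids[n], subids[n + 1]
    name, rest = subids[n + 2:n + 2 + name_len], subids[n + 2 + name_len:]
    if column not in COLUMNS:
        raise ValueError(f"unexpected column {column}")
    if name_len < 1 or len(name) != name_len or len(rest) != 1:
        raise ValueError("index does not match <length>.<name>.<vni>")
    if any(not 32 < c < 127 for c in name):
        raise ValueError("VRF name contains non-printable sub-identifiers")
    return COLUMNS[column], bytes(name).decode("ascii"), rest[0]


def parse_walk(lines):
    """Group walk output by (vrf, vni); rows that fail validation are returned separately."""
    stats, rejected = {}, []
    for line in lines:
        match = WALK_LINE.match(line.strip())
        try:
            if match is None:
                raise ValueError("unrecognised line")
            column, vrf, vni = parse_instance(match.group(1))
        except ValueError:
            rejected.append(line)
            continue
        stats.setdefault((vrf, vni), {})[column] = int(match.group(2))
    return stats, rejected


# Constructed sample: values mirror the "vni-stats all" output on the slide.
# The last row has a length octet (5) that does not match the index and must be rejected.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.820.1.1.6.1.3.4.118.114.102.49.1 = Counter64: 185
.1.3.6.1.4.1.9.9.820.1.1.6.1.3.4.118.114.102.49.2 = Counter64: 185
.1.3.6.1.4.1.9.9.820.1.1.6.1.3.4.118.114.102.50.5 = Counter64: 184
.1.3.6.1.4.1.9.9.820.1.1.6.1.4.4.118.114.102.49.1 = Counter64: 14430
.1.3.6.1.4.1.9.9.820.1.1.6.1.3.5.118.114.102.49.1 = Counter64: 7
""".splitlines()

if __name__ == "__main__":
    print(build_oid("cnvoVNetVrfIngressPackets", "vrf1", 1))
    stats, rejected = parse_walk(SAMPLE_WALK)
    for (vrf, vni), counters in sorted(stats.items()):
        print(vrf, vni, counters)
    print("rejected:", rejected)
```

Rejecting rows whose index does not decode keeps a malformed or unexpected response from being attributed to the wrong VRF or VNI in a collector.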


Network Management: TR-069 Partial Config Download, DSL CPE Provisioning


TR-069 Partial Config Download: DSL CPE Provisioning

Using the Download RPC method, the TR-069 server wants to manage configuration changes on the CPE by applying only a few lines of configuration.

TR-069 will send only a partial configuration in a file to be applied on the CPE using the “Download RPC” method

A successful call of the Download RPC method to download a file with partial configuration includes both downloading the file AND applying the configuration on the CPE.


Transceivers: QSFP-40/100-SRBD support


• Re-use existing 10GE cabling infrastructure when upgrading to 40GE/100GE

• LC connector type, Multimode Fiber (MMF) Cable

• Supported on EPA-1X40GE/EPA-2X40GE (40G mode only)

• Supported on EPA-QSFP-1X100GE (100G mode only)

Product            Description                                                        Connector Type
SFP-10G-SR         Cisco 10GBASE-SR SFP+ Module for MMF                               LC
QSFP-40/100-SRBD   100G and 40GBASE SR-BiDi QSFP Transceiver, LC, 100m OM4 MMF        LC
QSFP-40G-SR4-S     40GBASE-SR4, 4 lanes, 850 nm MMF                                   MPO
QSFP-100G-SR4-S    100GBASE SR4 QSFP Transceiver, MPO, 100m over OM4 MMF              MPO

List of supported optics: https://tmgmatrix.cisco.com/

QSFP-40/100-SRBD

QSFP-40/100-SRBD support on ASR 1000


Other Features

IOS XE Release 17.2


Sr.   Feature                                         Platforms Supported
1     CUBE support on ISR4461                         ISR4461
2     ISR 1000 Platform Reset button functionality    ISR1k
3     ISR 1000 Platform Enhanced BIOS Protection      ISR1k
4     CiscoSSL 7.1.3 and OpenSSL 1.1.1c support       ASR1k, ISR4k, ISR1k, CSR1kv

Other Features List


Cisco Unified Border Element support on ISR4461 enables:

• IP-IP calling with up to 10000(RTP)/9900(SRTP) max sessions at 55 CPS

• WebEx Local Gateway Support

• LTI Support (CUCM not required for Transcoding)

CUBE support on ISR4461

UC Capabilities on ISR 4000 | IOS XE Analog Voice Gateway Features and Enhancements | BYoPSTN for WebEx Calling


ISR 1000 Platform Reset button functionality

Today's Challenge:

• With "no service password-recovery" configured on the router, if the customer pushes the reset button on a C1100 platform, the push event gets ignored.

Enhancement:

• With "service password-recovery", the startup-config file gets deleted.

• With "no service password-recovery", the IOS nvram partition is wiped out and startup-config gets erased.

• If there is a golden.cfg file in bootflash or IOS nvram, the system boots with it.

• If there is no golden.cfg file, the system boots with PnP.

Configuration:
[no] service password-recovery


• The BIOS Protection feature prevents bootloader corruption

• Provides a secure upgrade method to validate the upgrade image

• The IOS ‘upgrade rom-monitor’ command remains the same, with the exception that the upgrade now occurs during the bootloader phase

ISR 1000 Platform Enhanced BIOS Protection

• The BIOS Protection feature is integrated into the ROMMON image and doesn’t require configuration.


CiscoSSL 7.1.3 and OpenSSL 1.1.1c on IOS XE

• Prior to 17.2.1r, the following two versions of CiscoSSL were distributed with the release:

• Ciscossl-1.0.2r.6.1.509

• Ciscossl-1.1.0j.7.0.275

• The feature supports the latest hardened version:

• CiscoSSL version 7.1.3

• OpenSSL version 1.1.1c

• It is enabled by default, so no configuration is needed


Polling Question 3

Which solution would be most ideal for your enterprise?

A. PnP using Cisco vManage

B. ZTP using Cisco DNA-C

C. ZTP using Cisco Network Services Orchestrator

D. Bootstrap Provisioning using USB


Zero Touch Provisioning for Teleworker, Microbranch Offices

IOS XE Release 17.2


Secure, Automated Connectivity using Cisco

Remote Workers: Providing remote teleworkers with on-demand internet connection for high-quality voice, data and video

Quarantined Users: Secure access in make-shift facilities connecting quarantined individuals with family, using cloud apps over Cellular

Pop-up Relief Camps: Cloud connectivity for pop-up medical facilities, health & relief camps, urgent care & more


SD-WAN Use-case: Corp. Managed AP, Pre-requisites

PnP

• CCW order will pre-populate device details to Smart Account

• Attach device SN to Controller Profile

vManage

• Sync Smart Account

• Send to Controllers

• Pre-provision device template

Router

• Insert LTE SIM and Power ON the device

• 1st boot in Autonomous Mode, 2nd boot Controller Mode, PnP successful

• Configs pushed from vManage

WLC

• Enable Data DTLS and OEAP for Access Point

• Provision Corporate SSID, Guest SSID on AP


SD-WAN Use-case: Corp. Managed AP, PnP over LTE, Ethernet WAN

[Figure labels: Remote Worker Home Office, Private Home Network, Phone, Laptop, Tablet, Router, PnP, Smart Account, Internet, Data Center, IaaS, SaaS & Websites]

I want to…

Provide remote teleworkers with on-demand internet connection for high-quality voice, data and video.

• Router PnP provisioning via vManage includes WLC IP (DHCP Option 43)

• Corporate SSID via WLC

• Guest SSID by user config


Non SD-WAN Use-case: Managed AP, Pre-requisites

PnP

• CCW order will pre-populate device details to Smart Account

• Attach device SN to Controller Profile

NSO

• Add ‘teleworker.txt’ file to NSO File System

• Create PnP mapping

Router

• Insert LTE SIM and Power ON the device

• Router boots in Autonomous Mode, PnP redirect successful

• Configs pushed from NSO Server

WLC

• Enable Data DTLS and OEAP for Access Point

• Provision Corporate SSID, Guest SSID on AP


Non SD-WAN Use-case: Corp. Managed AP, NSO PnP over LTE, Ethernet WAN

[Figure labels: Temporary Healthcare, Private Home Network, Phone, Laptop, Tablet, Router, PnP, Smart Account, Internet, Data Center, IaaS, SaaS & Websites]

I want to…

Establish cloud connectivity for pop-up medical facilities

• Router PnP provisioning via vManage includes WLC IP (DHCP Option 43)

• Corporate SSID via WLC

• Guest SSID by user config


Non SD-WAN use-case: Pop Up/Hotspot, LTE WAN, bootstrap using USB config

USB

• Copy Provisioning Config file ‘ciscortr.cfg’ to USB device

Router

• Power ON the device with USB, LTE SIM inserted

• Router boots in Autonomous Mode, configs pushed from USB/bootflash


Non SD-WAN use-case: Pop Up/Hotspot, LTE WAN, bootstrap using USB config

[Figure labels: Remote Worker Home Office, Private Home Network, Phone, Laptop, Tablet, Router, ciscortr.cfg, Internet, Data Center, DMZ, SDP/CA Server, Hubs, ISE (PKI-AAA, dot1x), ManageExpress Virtual Office, IaaS, SaaS & Websites]

I want to…

Quick, secure access configuring home router locally

• Router PnP provisioning via USB bootstrap config file

• User SSID auto configuration via bootstrap EEM


References


17.2.1r Release Blogs:

• Routing Update: https://community.cisco.com/t5/networking-blogs/cisco-ios-xe-amsterdam-17-2-1r-enterprise-routing-release-update/ba-p/4073564

• Single Image: https://community.cisco.com/t5/networking-blogs/ios-xe-17-2-1r-single-again-and-ready-to-mingle/ba-p/4072955

Release Notes:

• ASR 1000: https://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/xe-17-2/asr1000-rel-notes-xe-17-2.html

• ISR 4000: https://www.cisco.com/c/en/us/td/docs/routers/access/4400/release/xe-17-2/isr4k-rel-notes-xe-17-2.html

• ISR 1000: https://www.cisco.com/c/en/us/td/docs/routers/access/1100/release/17-2/isr1k-rel-notes-xe-17-2-x.html

• CSR 1000v: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/release/notes/xe-17/csr1000v_rn-17-2.html

Install/Upgrade Guide: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/install-upgrade-17-2-later.html

References


• Step-by-step guide to setting up Popup ISR1K Single Box LTE/WiFi Hotspot Solution - XE SD-WAN: https://community.cisco.com/t5/networking-documents/popup-isr1k-single-box-lte-wifi-hotspot-solution-xe-sd-wan/ta-p/4049385

• Step-by-step guide to setting up Popup ISR1K Single Box LTE/WiFi Hotspot Solution – IOS-XE: https://community.cisco.com/t5/networking-documents/popup-isr1k-single-box-lte-wifi-hotspot-solution-ios-xe/ta-p/4046810

• ISR1K Configuration Guides: https://www.cisco.com/c/en/us/support/routers/1000-series-integrated-services-routers-isr/products-installation-and-configuration-guides-list.html

• SD-WAN Ordering Guide: https://www.cisco.com/c/dam/en/us/products/collateral/software/one-wan-subscription/guide-c07-740642.pdf

Resources for Teleworker/Microbranch Offers
