Virtualizing SP Services June 2016


Post on 14-Aug-2020



Physical and Virtual Network Function Orchestration

[Figure: NFV Management and Orchestration (MANO) block diagram. Labels: Orchestrator, VNF Manager, Virtualised Infrastructure Manager, BSS/OSS, EMS, VNF1, VNF2, VNF3, NFV Infrastructure (Compute, Storage, Network), Network Domain Controllers (DC, WAN, CPE)]


Cisco VNF Spectrum

• Security: vASA, vNGIPS, WSAv, ESAv, ISEv, vFTD
• WAN-O: vWAAS
• vRouter: CSR1Kv, XRv9000
• Multi-Services Router: CSR1Kv
• DPI: vNBAR
• Wifi: vWLC


CSR 1000v


Cisco CSR 1000V – Virtual IOS XE Networking

Programmability

• RESTful APIs for Automated Management

Perpetual, Term, Usage-based Licenses

• Elastic Capacity (Throughput)

IOS XE Cloud Edition

• IOS XE features for Cloud and NfV Use Cases

Infrastructure Agnostic

• Server, Switch, Hypervisor

Rich Network Services

• Routing, VPN, App Visibility & Control, DC Interconnect, and more

[Figure: CSR 1000V as a virtual machine. Labels: Server, Hypervisor, Virtual Switch, VPC/vDC, OS, App, CSR 1000V]

Rapid Deployment and Flexibility


Currently Deployed Virtualization Solutions

[Figure: two panels, "(Virtual) Private Cloud / DC" and "Public Cloud". Labels: CSR 1000V, VPC/vDC, VPC1, VPC2, ISR/ASR, WAN, Internet]

SP use cases & VNF

[Figure: SP network diagram. Labels: CPE, Business, Residence, Mobile Subscriber, Access and Aggregation, Wireless, Wire line, Cable, OLT, xPON, xDSL, DSLAM, DOCSIS, ETTx, M-CMTS, Edge, PE, BNG, iWAG, CGN, LNS, IP/MPLS Core, RR, ISP, Peering, Content Farm, VOD, TV, SIP. VNF labels: vMS / vCPE, vSP WiFi, vBNG, vPE, vRR, vLNS, vCGN, vVPN]


(Virtual) Private Cloud / DC

• Single Tenant WAN GW
• Multi Tenant vPE
• Secure VPN GW (IPSEC / SSL)
• Traffic Control and Management (WAAS)

[Figure: four deployment panels, one per use case above. Labels: CSR 1000V, vPE, vCE, PE, WAN Router, VPC/vDC, MPLS, Servers, Segment A, Segment B, DC Fabric, Switches, Cloud Provider’s Data Center, Public WAN VPN tunnel, Optimized TCP connection, ISR, ASR, DC, Branch, vWAAS, WAAS, HSRP]


Public Cloud (For AWS Marketplace, For Azure Marketplace)

Securely connect

• Cost Effective
• Route-based VPN topologies
• Same Cisco tools that IT uses for on-prem routers

• All cloud traffic goes through public Internet
• Latency reduction
• More cost effective connectivity

Interconnect Multiple VPCs

• Setting up multiple VPCs is easy: one CSR per VPC
• Operating multiple VPCs is cost effective
• CSR interconnects multiple VPCs

Application, Visibility, & Control

• VPCs are part of enterprise network
• End-to-end Cisco network (including AWS Cloud)
• Application, Visibility, and Control
• Load balancing

[Figure, one per section. Labels: Remote Sites & Employees, Enterprise Data Center, Public Internet, WAN/MPLS, CSR, CSRs, VPC, VPC1, VPC2, VPC3, AWS Cloud]


NFV Use-cases with the CSR 1000v

• Virtual MS or Virtual CPE
• Virtual iWAG
• Virtual BNG
• Virtual PE
• Virtual VPN GW
• Virtual CGN
• Virtual LNS
• Virtual RR

[Figure: SP network diagram. Labels: CPE, Business, Residence, Mobile Subscriber, Access and Aggregation, Wireless, Wire line, Cable, OLT, xPON, xDSL, DSLAM, DOCSIS, ETTx, M-CMTS, Edge, PE, BNG, iWAG, CGN, LNS, IP/MPLS Core, RR, ISP, Peering, Content Farm, VOD, TV, SIP. VNF labels: vMS / vCPE, vSP WiFi, vBNG, vPE, vRR, vLNS, vCGN, VPN GW]


CSR1000v supported vBNG Profiles

Profile: vPTA / LAC; vLNS; vISG

Session Type: PPPoEoVLAN; PPPoVLANoL2TP; IPoEoVLAN

Features*:
• vPTA / LAC: Input/output ACL, ingress QoS (policing) / egress QoS (shaping), vrf-awareness, IPv4/IPv6 dual-stack, AAA, ANCP
• vLNS: IPv4/IPv6, HQoS, Input/output ACL, dual-stack service and TC accounting, CoA Service Push
• vISG: DHCP, Unclassified MAC, HQoS, Input/output ACL, ISG TC, L4R, PBHK, Unauthenticated timeout

vCPU: 2 vCPU

Memory: 8 GB

Sessions: 8.000 / 8.000 L2TP Tunnels **; 8.000 **

Max Throughput (large packet): 2.5 Gbps **; 2.5 Gbps **; 5 Gbps **

* Refer to the embedded profiles at the corner for details

** RLS3.16 (July 2015), before: 4.000


vLNS & ESC Demo

• Creation of 32.000 PPP sessions at 20 sessions/second (26 minutes)

Demo begins with 4 CSR 1000v VMs, ends with 12 CSR 1000v VMs deployed

• Deletion of 32.000 PPP sessions (10 minutes)

End up back at initial state with 4 CSR 1000v VMs

• ESC Orchestration Functionality:

Day 0 Configuration of CSR 1000v

Provisioning & Configuration of the vLNS service

Monitoring of the service

Predefined & customized actions for overload/underload conditions

Service Recovery

• Customized FreeRadius Load-Balancing

Radius selects “best” LNS based on weighting and random selection

• Smart Licensing needed for bringing new CSR Instances and getting right feature set / throughput

• Demo Webex Recording: https://cisco.webex.com/ciscosales/lsr.php?RCID=f711f98e211f45549e328ca0684c0933


CSR1000v for Route Reflector

| | ASR1001 & ASR1002-X (8GB) | ASR1001 & ASR1002-X (16GB) | CSR1000v (8GB) | CSR1000v (16GB) | RP2 (8GB) | RP2 (16GB) |
|---|---|---|---|---|---|---|
| ipv4 routes | 7M | 13M | 8.5M | 24.8M | 8M | 24M |
| vpnv4 routes | 6M | 12M | 8.1M | 23.9M | 7M | 18M |
| ipv6 routes | 6M | 11M | 7.4M | 21.9M | 6M | 17M |
| vpnv6 routes | 6M | 11M | 7.3M | 21.3M | 6M | 15M |
| BGP sessions | 4000 | 4000 | 4000 | 4000 | 8000 | 8000 |

• CSR 1000v leverages IOS XE code-base from ASR 1000

• Route Reflector features are thus part of the code base

[Figure: vRR placement. Labels: VMs, vRR, Data Center, SP Core, SP Aggregation, Customer Premise]


Architecture (CSR 1000v) - Virtualized IOS XE

Generalized to work on any x86 system

Hardware specifics abstracted through a virtualization layer

Control Plane and Data Plane mapped to vCPUs

Bootflash: and NVRAM: are mapped into memory from hard disk

No dedicated crypto engine – we leverage the Intel AES-NI instruction set to provide hardware crypto assist.

Boot loader functions implemented by GRUB

Packet path within CSR 1000v

1. Ethernet driver (ingress)

2. Rx thread

3. PPE Thread (packet processing)

4. HQF Thread (egress queuing)

5. Ethernet driver (egress)

[Figure: CSR 1000v software stack. Labels: Control Plane, Forwarding Plane, IOS, Chassis Mgr., Forwarding Mgr., FFP Client / Driver, FFP code, Linux Container, vNIC, vCPU, vMemory, vDisk, Hypervisor (VMware / Citrix / KVM / Microsoft), Physical Hardware (CPU, Memory, Disk, NIC)]


CSR 1000V Licensing Structure

Pick one option from each column…

Technology Package (See next slide for details)

• IP Base
• SEC
• AppX
• AX

Throughput

• 10 Mbps
• 50 Mbps
• 100 Mbps
• 250 Mbps
• 500 Mbps
• 1 Gbps
• 2.5 Gbps
• 5 Gbps
• 10 Gbps

License Type

• Perpetual
• Subscription (1-year or 3-year)
• Usage (target date Q1 CY15)


CSR 1000V Technology Package Features

Technology Package IOS-XE Features

IP Base (formerly Standard)

Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS

Multicast: IGMP, PIM

High Availability: HSRP, VRRP, GLBP

Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS

Basic Security: ACL, AAA, RADIUS, TACACS+

Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF

SEC (formerly Advanced)

IP Base Plus…

Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN

High Availability: Box-to-box HA for FW and NAT

AppX

IP Base Plus…

Advanced Networking: L2TPv3, BFD, MPLS, VRF, VXLAN

Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA

Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS

Subscriber Management: PTA, LNS, ISG

AX (formerly Premium)

ALL FEATURES


CSR 1000V Performance-to-Footprint in IOS-XE 3.16

• For each throughput/technology-package combination, the minimum required vCPU and RAM is listed

• Performance results based on 1500 Byte packets and VMWare ESXi

| Throughput | IP Base | SEC | AppX | AX |
|---|---|---|---|---|
| 10 Mbps | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB |
| 50 Mbps | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB |
| 100 Mbps | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB |
| 250 Mbps | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB |
| 500 Mbps | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB |
| 1 Gbps | 1vCPU/4GB | 1vCPU/4GB | 1vCPU/4GB | 2vCPU/4GB |
| 2.5 Gbps | 1vCPU/4GB | 1vCPU/4GB | 4vCPU/4GB | 4vCPU/4GB |
| 5 Gbps | 1vCPU/4GB | 2vCPU/4GB | 8vCPU/4GB | NA |
| 10 Gbps | 2vCPU/4GB | NA | NA | NA |


CSR 1000v IOS XE Threads to vCPU Associations

• IOS XE processing threads in the Guest OS are statically mapped to vCPU threads

• vCPU threads in turn are allocated to physical cores by the hypervisor scheduler

CSR footprint Control Plane Data Plane PPE Data Plane HQF Data Plane Rx processing

1 vCPU 0

2 vCPU 0 vCPU 1

4 vCPU 0 vCPU 1 & 2 vCPU 3

8 vCPU 0 vCPU 1-5 vCPU 6 vCPU 7

NOTE: vCPU allocations subject to change without further notice


Highlights of Performance Enhancements Per Release

XE 3.9

• Removal of unnecessary locks
• Optimization of FW, IPSec, AVC Features, Destination Lookup

XE 3.10

• Vmxnet3 Netmap driver support – interrupt to event+poll mode
• Removal of packet copies
• Reduced soft IRQ load, Thread consolidation

XE 3.11

• Netmap driver optimization

XE 3.12

• Improved memory, lock infrastructure, hashing functions.
• Improve CEF Destination Lookup
• Packet batch processing
• Lock Optimizations – remove regular lock for 1 and 2 vCPUs

XE 3.13

• vCPU elasticity - multiple threads for 4/6/8 vCPU Footprint Support
• Thread reduction/optimization
• Improvements to distributor (multiple PPE configs)
• Optimization of NAT, ACL, IPSec, Destination Lookup
• Support for 10G interfaces

XE 3.14

• Per feature analysis and optimization for certain NAT, Firewall, and IPSec configurations
• System thread consolidation/optimization
• System packet buffer utilization improvements

XE 3.15

• Reduced packet buffer copies
• Traffic Manager optimization – Endian
• Packet buffer usage optimization (improved traffic burst behavior)
• Lock Optimization – improved performance of software locks
• Implemented higher performance hash API and converted most features to use new API


Performance Overview in XE3.16

ESXi / vSwitch / Single Feature / IMIX, Throughput (Mbps)

| Footprint | CEF | ACL | IPSec (AES) | IPSec (3DES) | NAT | L4 FW | Basic QoS | Basic HQoS |
|---|---|---|---|---|---|---|---|---|
| 1 vCPU | 2507 | 2164 | 547 | 122 | 1405 | 1738 | 2361 | 1499 |
| 2 vCPU | 2918 | 2790 | 784 | 156 | 2339 | 2687 | 3049 | 1811 |
| 4 vCPU | 2216 | 2308 | 1112 | 231 | 2174 | 2394 | 2348 | 1373 |

KVM-RHEL / vSwitch / Single Feature / IMIX, Throughput (Mbps)

| Footprint | CEF | ACL | IPSec (AES) | IPSec (3DES) | NAT | L4 FW | Basic QoS | Basic HQoS |
|---|---|---|---|---|---|---|---|---|
| 1 vCPU | 2969 | 2705 | 730 | 150 | 1896 | 2181 | 2620 | 2055 |
| 2 vCPU | 2937 | 3012 | 757 | 153 | 1998 | 2334 | 2459 | 1678 |
| 4 vCPU | 1974 | 2213 | 1041 | 229 | 1970 | 1950 | 2026 | 1547 |

ESXi / vSwitch / Multi-Features / IMIX, Throughput (Mbps)

| Footprint | FW + NAT | FW + QoS + NAT | FW + HQoS + NAT | IPSec + Basic QoS | IPSec + GRE + Basic QoS | IPSec + FW + Basic QoS + NAT | IPSec + FW + Basic QoS + NAT + NBAR |
|---|---|---|---|---|---|---|---|
| 1 vCPU | 1058 | 850 | 946 | 201 | 181 | 288 | 279 |
| 2 vCPU | 1495 | 1315 | 1297 | 219 | 217 | 378 | 362 |
| 4 vCPU | 1534 | 1409 | 1380 | 975 | 951 | 619 | 521 |

KVM-RHEL / vSwitch / Multi-Features / IMIX, Throughput (Mbps)

| Footprint | FW + NAT | FW + QoS + NAT | IPSec + Basic QoS | IPSec + GRE + Basic QoS | IPSec + FW + Basic QoS + NAT | IPSec + FW + Basic QoS + NAT + NBAR |
|---|---|---|---|---|---|---|
| 1 vCPU | 1501 | 1156 | 161 | 201 | 308 | 267 |
| 2 vCPU | 1560 | 1182 | 217 | 238 | 389 | 366 |
| 4 vCPU | 1509 | 1336 | 506 | 398 | 585 | 472 |

Model Cisco Systems Inc UCSC-C240-M3S

Processor Type Intel® Xeon® CPU E5-2643 v2 @ 3.50GHz

ESXi Version VMWare ESXi 5.5.0

KVM Version Red Hat Enterprise Linux Server 6.6


XRv 9000


IOS-XRv 9000: Positioning

Complementing the XR Edge Portfolio

[Figure: platform positioning by throughput in Gbps, axis from 2 to 32768. Platforms: IOS XRv 9000, ASR 9001, ASR 9006, ASR 9904, ASR 9010, ASR 9912, ASR 9922]


IOS XRv 9000 Architecture

Control and data plane with LXC separation

[Figure: Combined Route Processor (RP) & Linecard (LC). Labels: VM, LXC, Admin Plane, IOS XR Control Plane, Data Plane, XRv Linux Kernel WRL7 (3.14), KVM, ESXi]

• Single VM vRouter today
• Architected for distributed DP and active/standby CP
• CP/DP Separation to support DP Scale Out, Network Slicing
• LXC for lightweight virtualization, fault isolation, resourcing boundaries, AppHosting
• Fully Featured, High Speed, Elastic Virtual data plane (based on DPDK)
• Modular/Lightweight Admin Plane
• In-Service Software patches (Software Maintenance Updates – SMU)


IOS-XRv 9000: Hypervisor & Server Strategy


• IOS-XRv 9000 is technically hypervisor agnostic (KVM/QEMU, ESXi, XEN, Hyper-V).

• Current official support for KVM/QEMU hypervisor, VMWARE ESXi

• IOS-XRv 9000 is technically server agnostic as well

• Minimum CPU class and server configuration (CPU/memory/NIC) is a function of the scale/performance requirements of the specific use case


Virtual Routers

The benefit and applications of Router Virtualization

• Common Hardware platform (x86)
• Create new Routers in specific roles in seconds
• Wide range of applications

Rapid Creation and Deployment of new Services

• Common x86 Hardware
• Familiar IOS XR/XE
• Easy Migration
• Cloud Orchestrated
• Single Tenant or Multi-Tenant

Universal Forwarder Architecture – Common Code & Feature leverage

[Figure: virtual router roles across the network. Roles: Virtual Enterprise WAN Edge, Virtual Peering, Virtual L3 VPN PE, Virtual L2 VPN PE, Virtual BGP RR. Network labels: Customer Premise, Access / Aggregation, Service Provider Edge, Core, Service Provider Data Center, Internet / 3rd party provider]


IOS XRv 9000 vRR

BGP Route Reflector Scale and Performance

• 5000 peers
• 16M v4 Single Path
• 8M v6 Single Path
• Up to 40M paths

UCS E5-2667 v3 @ 3.2Ghz Using E1000, 8 core, 6 Control, 2 Data

| vRR convergence (after clear bgp *) | Event | Time |
|---|---|---|
| IPv4 20M Paths (2M Prefix, 500 Peers) | Last session up | 0:00:51 |
| | BGP converged | 0:02:33 |
| IPv4 20M Paths (2M Prefix, 5000 Peers) | Last session up | 0:03:41 |
| | BGP converged | 0:07:37 |
| IPv6 20M Paths (2M Prefix, 5000 Peers) | Last session up | 0:06:40 |
| | BGP converged | 0:18:34 |
| IPv4+IPv6 40M Paths (4M prefix, 5000 peers) | IPv4 AF Converged | 0:18:40 |
| | IPv6 AF Converged | 0:21:55 |
| Internet IPv4 524k, IPv6 22k, 500 peers | IPv4 AF Converged | 0:01:22 |
| | IPv6 AF Converged | 0:01:09 |


Service Function Chaining with NSH*

Use Case – Application Identification & Security Policy Enforcement

* Network Services Header

• If “Application ID <Youtube>” drop traffic
• If port “80 or 443” -> Service chain else forward into L3VPN

[Figure: service chain topology. Labels: Server 1, Server 2, ASR 9000, IOS XRv 9000, VRF, VNF1, VNF2, VNF3, vNBAR, vASA, VPN Blue Traffic, BLUE VPN-site-A, BLUE VPN-site-B, GREEN VPN-site-A, GREEN VPN-site-B, NSO (Powered by tail-f NCS)]


IOS XRv 9000 Architecture Details

[Figure: VM internals. Labels: LXC, Admin Plane, IOS XR Control Plane (CP), IOS XR RP CP, IOS XR LC CP, DP control (DPC), DP Agent (DPA), Universal Virtual Forwarder Dataplane, VPP + DPDK, Driver, Linux bridge, Ctrl Eth, Mgmt Eth, GE, 10G, virtio, e1000, vmxnet3, VF, PF, XRv Linux Kernel WRL7 (3.14), KVM, ESXi (future: HyperV, AWS, bare metal, XEN,...)]


IOS XRv 9000 Dataplane SW TCAM

For ACL, QoS, LI Classification

SW Classification

• Brute force linear value/mask compare using x86 vector instructions
• Simple classification engine (elaborates keys into direct table access) for simple keys DSCP, EXP, Precedence into a simple table lookup
• Heuristic based cuts algorithm (compilation and search)
• Supports logical super-key format which maps to multiple physical key formats, with multiple target search structures

[Figure: classification lookup. Labels: Key (ACL ID, QOS ID, LI ID), Offset, Value / Mask / Result (VMR), Value / Mask / Result (VMR) and Cut info, Skip, Linear search (For short ACLs), Linear / cut search (For long ACLs), Simple Classification, Simple Classification Engine (SCE) Table]


IOS-XRv 9000: Efficient SW Traffic Manager

Designed for high speed and scale

• GreatGrandParent: Port. Up to 8 Ports
• GrandParent: Virtual Port shaper. Up to 8 vPorts, shaped max rate (100Mbs to 1000Gbs)
• Parent: shaped Subscriber Subports. Up to 64k Subports, shaped (8Kbs to 100Gbs) with priority propagation
• Child: Classes & Queues (Q1, Q2, ... QN). Up to 8 queues per subport, deep buffering, 512k total queues/classes: 1 level strict priority, DWRR, WRED*

2500 unique policy-maps

*also Policing, Marking on classes (not done in TM), with up to 128000 policers


Life of a packet

[Figure: packet pipeline across the RX, Worker and TX stages. Labels: NIC, DPDK Driver, RX Processing, Ethernet Interface Classification, Ingress Forwarding And Features, Egress Forwarding And Features, Traffic Manager (QoS), Interface Output]


IOS XRv 9000: 2 CP, 1 DPA, 1 DP

[Figure: core allocation. 2 x Control Plane Cores (Admin, XR RP+LC); Single DPA Core (DPA, Stats Collector, Interval Timers); Single Data plane core (Receive Thread, Worker Thread, Transmit Thread). Labels: NIC, DPDK Driver, Load Balance, RX, Traffic Mgr, I/F Output. Legend: Dedicated CPU Core, DPDK & NIC, Linux Thread]


IOS XRv 9000: 2 CP, 1 DPA, 3 DP (Rx, WT, Tx)

[Figure: core allocation. 2 x Control Plane Cores (Admin, XR RP+LC); Single DPA Core (DPA, Stats Collector, Interval Timers); 3 Data plane cores (Receive Thread, Worker Thread, Transmit Thread). Labels: NIC, DPDK Driver, Load Balance, RX, Traffic Mgr, I/F Output. Legend: Dedicated CPU Core, DPDK & NIC, Linux Thread]


IOS XRv 9000: 2 CP, 1 DPA, 7 DP (Rx, 5xWT, Tx)

[Figure: core allocation. 2 x Control Plane Cores (Admin, XR RP+LC); Single DPA Core (DPA, Stats Collector, Interval Timers); 7 Data plane cores (Receive Thread, five Worker Threads, Transmit Thread). Labels: NIC, DPDK Driver, Load Balance, RX, Traffic Mgr, I/F Output. Legend: Dedicated CPU Core, DPDK & NIC, Linux Thread]


IOS XRv 9000: 2 CP, 1 DPA, 11 DP (2xRx, 7xWT, 2xTx)

[Figure: core allocation. 2 x Control Plane Cores (Admin, XR RP+LC); Single DPA Core (DPA, Stats Collector, Interval Timers); 11 Data plane cores (two Receive Threads, seven Worker Threads, two Transmit Threads). Labels: NIC, DPDK Driver, Load Balance, RX, Traffic Mgr, I/F Output. Legend: Dedicated CPU Core, DPDK & NIC, Linux Thread]

Today IOS XRv 9000 can go up to the socket boundary (14c tested)


NFV on x86 - Elasticity with Scalability

Scalable Up-down to Single/multi Core, Socket and Server

[Figure: scaling steps Single Core, Multi-Core, Multi-Socket, Multi-Server, with year labels 2014, 2015, 2016+]

Control plane and data plane separation architecture that supports scale up and down between single/multi core, socket and server by leveraging the distributed XR architecture


IOS-XRv 9000 vPE Dataplane Performance – Internet access profile testing

| Group | Test case | Total Throughput (Gbps) |
|---|---|---|
| IPv4 | Internet: IPv4 (bi-directional); Policing, shaping, Marking, HQoS; LI: 2 v4 tap - Intercepted traffic rate ~ 700Kbps; 50K Bidir flows | 39.8 |
| IPv4 | Internet: IPv4 (bi-directional); Policing, shaping, Marking, HQoS; LI: 2 v4 tap - Intercepted traffic rate ~ 7.3Mbps; 5K Bidir flows | 38.0 |
| IPv6 | Internet: 6PE (bi-directional); Policing, shaping, Marking, HQoS; LI: 1 v6 tap - Intercepted traffic rate ~ 600Kbps; 50K Bidir flows | 36.4 |
| IPv6 | Internet: 6PE (bi-directional); Policing, shaping, Marking, HQoS; LI: 1 v6 tap - Intercepted traffic rate ~ 5.6Mbps; 5K Bidir flows | 34.3 |

UUT-PE

• 3 Cores CP
• 9 Cores DP – 2 Rx, 5 WT, 2 Tx/TM
• E5-2680 v3 @ 2.50GHz
• Intel 82599ES with PCI pass-through
• Average pkt size 620 bytes


vWAAS – WAN Optimisation


WAAS: Application Optimization

Cisco Wide Area Application Services (WAAS) Form Factors

WAAS Appliance

• Application acceleration
• Scalable platforms for range of deployments
• 200 – 150,000 optimized flows

ISR-WAAS

• Zero footprint integration on ISR 4000
• Identical features and management as other WAAS options
• Simple installation has you up and running in 7 minutes
• Seamlessly add capacity with AppNav

Virtual WAAS on UCS-E

• Ideal for hosting on UCS-E in ISR G2 or ISR 4K with other apps
• Flexible hardware options for WAAS & other apps
• Software on-demand provisioning
• No forklift upgrade

Virtual WAAS

• Application acceleration from private or virtual private cloud
• VMWare ESX/ESXi and Cisco UCS® deployments
• Agile, elastic, multi-tenant deployment
• Common management for physical and virtual WAAS


Cisco WAAS: WAN Optimization Deployment

[Figure: WAAS deployment topology. Labels: Data Center or Private Cloud, WAAS Appliances, vWAAS Appliances, VMware ESXi, Server VMs, AppNav + WAAS, CSR1000v + AppNav-XE, ASR1K + AppNav-XE, WAN, Internet, Virtual Private Cloud, vWAAS, VMware ESXi Server, Nexus 1000v, UCS / x86 Server, FC SAN, Regional Office (ISR-WAAS on ISR 4000), Regional Office (WAAS Appliance), Branch Office (WAAS Appliance), Branch Office (WAAS Service Module / UCSe)]


Building Blocks of WAAS

[Figure: building blocks set against bandwidth, latency and application behavior. Labels: DRE, LZ, TCP flow optimization, object cache, AO]

• SMB (includes print services)
• Exchange Optimization
• HTTP
• HTTPS
• NFS
• Citrix ICA
• Akamai Connect


vWAAS Family

• Available for ESX, Hyper-V and KVM (6.2)
• DAS or SAN for DRE
• Leverages Nexus 1000v and vPath (not required)
• Suited to Multi-tenancy & Elastic Provisioning

[Figure: vWAAS models plotted by Performance against Scalability. Models: vWAAS 200, vWAAS 750, vWAAS 1300, vWAAS 2500, vWAAS 6000, vWAAS 12000, vWAAS 50000]


vNBAR2 vAVC


© 2014 Cisco and/or its affiliates. All rights reserved. PfRv3 Cisco Confidential

Next Generation NBAR (NBAR2)

Deep Packet Inspection

• New DPI engine provides Advanced Application Classification and Field Extraction Capabilities
• Categorization to simplify application management
• Protocol Pack allows adding more applications without upgrading or reloading IOS

NBAR2

• 1000+ Signatures
• Advanced Classification Techniques
• Native IPv4/IPv6 Classification
• Advanced Field Extraction


• vNBAR2 under development

• vNBAR2 functionalities

• QoS provisioning

• NSH integration for service chaining

• Very High Performance

• 17-19 Gbps per one core

• Scales almost linearly with number of cores

Virtualized Future


Cisco Security solutions


Cisco Confidential 48 ©2014 Cisco and/or its affiliates. All rights reserved.

Comprehensive Virtual/Cloud Security Portfolio

NGIPS + FW

• FirePOWER Threat

Defense (FTD)

Web Security

• Cisco Virtual Web Security

Appliance (vWSA)

• Cisco Cloud Web Security

Firewall

• Cisco ASAv

Advanced Malware Protection

• FireAMP Virtual

NAC + Identity Services

• Cisco Virtual Identity Services Engine (ISE)

Email Security

• Cisco Virtual Email Security Appliance (vESA)

• Cisco Cloud Email Security

Routing, Per App, VPN

• Cisco ASAv

• CSR 1000v


Security Services

Covering the Entire Attack Continuum

Firewall

NGFW

Secure Access + Identity Services

VPN

UTM

NGIPS

Web Security

Email Security

Advanced Malware Protection

Network Behavior Analysis

Attack Continuum

• BEFORE: Discover, Enforce, Harden

• DURING: Detect, Block, Defend

• AFTER: Scope, Contain, Remediate


ASAv


Cisco ASAv 9.4 Firewall and Management Features

Cisco® ASA Feature Set

Cisco ASAv

Removed clustering and multiple-context mode

10 vNIC interfaces and VLAN tagging

Virtualization displaces multiple-context and clustering

Parity with all other Cisco ASA platform features

SDN (Cisco APIC) and traditional (Cisco ASDM and CSM) management tools

Dynamic routing includes OSPF, EIGRP, and BGP

IPv6 inspection support, NAT66, and NAT46/NAT64

REST API for programmed configuration and monitoring

Cisco TrustSec® PEP with SGT-based ACLs

Zone-based firewall, Equal-Cost Multipath

Policy Based Routing, VxLAN Support (VTEP)

Failover Active/Standby HA model


Cisco ASAv RA-VPN Features

Branch-in-a-Box ASAv

Wired Wi-Fi

Cellular or Wi-Fi

Mobile User Home Office Branch Office

HQ

Cisco AnyConnect™ client

Third-party client support with IKEv2 (RFC5996)

TLS 1.2 update (new ciphers)

Cisco TrustSec® SGT assignment

Cisco® ISE change of authorization

Note: All crypto features performed in software

Remote-Access Client Knox™

Browser-based SSL tunnels

Citrix and VMware VDI support

Cisco ASAv can proxy for Citrix XenApp and XenDesktop

Clientless VPN


Cisco ASAv Platforms

9.3.2

• Cisco® ASAv5: 100 Mbps

• Cisco® ASAv10: 1 Gbps

• Cisco® ASAv30: 2 Gbps

* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed


Cisco ASAv Data Sheet - Performance and Scale

| Data Sheet Metric | Cisco® ASAv5 | Cisco ASAv10 | Cisco ASAv30 |
|---|---|---|---|
| Stateful Inspection Throughput (Maximum) | 100 Mbps | 1 Gbps | 2 Gbps |
| Stateful Inspection Throughput (Multi-Protocol) | 50 Mbps | 500 Mbps | 1 Gbps |
| 3DES/AES VPN Throughput | 30 Mbps | 125 Mbps | 300 Mbps |
| Connections per Second | 8,000 | 20,000 | 60,000 |
| Concurrent Sessions | 50,000 | 100,000 | 500,000 |
| VLANs | 25 | 50 | 200 |
| Bridge Groups (2 VLANs/BVI) | 12 | 25 | 100 |
| Cisco® Cloud Web Security Users | 50 | 150 | 500 |
| IPsec VPN Peers | 50 | 250 | 750 |
| Cisco AnyConnect® or Clientless User Sessions | 50 | 250 | 750 |
| vCPU | 1 | 1 | 4 |
| RAM | 1GB* | 2GB | 8GB |

Tested on Hardware:

• Cisco UCS® C260 M2

• Cisco UCS B200 M3

• Intel Xeon processor E5-2640

9.4.1.200

* ASAv5 changed from 2GB to 1GB with 9.5.1.200


vIPS – Snort


Snort Introduction

What can Snort do

• Snort can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more.

• IPS systems work by having an engine with rules that match against exploit signatures which are regularly updated. It is the signature updates that are the real intelligence behind the systems.

History

• Created by Martin Roesch in 1998

• Most widely downloaded open source IDS software in the world.

• Commercialized in 2001 and Sourcefire was born

It is an open source intrusion prevention system capable of real-time traffic analysis and packet logging

With over 4 million downloads and nearly 500,000 registered users, it is the most widely deployed intrusion prevention system in the world


Snort vs. FirePower

| Feature | Snort | FirePower NGIPS |
|---|---|---|
| IDS | Yes | Yes |
| IPS | Yes | Yes |
| Signature set | Snort | FirePower |
| Application Control and URL Filtering | No | Yes |
| Next Gen FW | No | Yes |
| SSL Traffic inspection | No | Yes, with the help of SSL decryption appliance |
| Advanced Malware Protection | No | Yes |
| Centralized Management | Cisco Prime / APIC EM IWAN App | FireSight appliance |
| Centralized Monitoring | Third-party tools | FireSight appliance |
| Application/Endpoint visibility and profiling | No | Yes |
| Compute required | 1 core CPU | 4 vCPUs |


New Next Generation Firewall offering

Software Convergence

ASA

Firepower NGIPS

Zero-copy packet inspection

Achieving single-pane-of-glass management

Enabling single platform with multiple use cases

Firepower Threat Defense

L2-L4 Inspections (ASA Technology)

Advanced Inspections (FirePOWER Technology)

Firepower Management Center


ESXi support available (version 6.0)

KVM support in July 2016 (version 6.1)

Device management interface: Firepower Management Center (FMC)

Multi-tenancy: supported through FMC since 6.0 (note that appliances NGIPSv, FTDv remain single context).

RAM: 8GB; Storage: 50GB

Smart licensing


vWSA


Cisco Web Security Provides Strong Protection

[Figure: web traffic inspection stages from Time of Request to Time of Response, backed by Cisco® Talos]

• URL Filtering

• Reputation Filter

• Dynamic Content Analysis (DCA)

• Signature-Based Anti-Malware Engines

• Real-Time Sandbox Analysis

Actions shown in the figure: Block, Allow, Warn, Partial Block


Flexible Deployment Options On- and Off-Premises

On-Premises Cloud

Cloud Virtual Appliance

Deployment Options

Implicit Explicit Implicit Explicit

Client Options

Connectors/Redirects

Firewall Router Roaming Roaming Appliance Firewall Router


Virtual Deployment


vESA


Cisco Email Security Threat Defense Complete Inbound Protection

• Before: Discover, Enforce, Harden

• During: Detect, Block, Defend

• After: Scope, Contain, Remediate

Cisco® Talos SenderBase Reputation Filtering

Antispam

Outbreak Filters

Real-Time URL Analysis

Drop

Drop/Quarantine

Antivirus Drop/Quarantine

Advanced Malware Protection (AMP) Drop/Quarantine

Quarantine/Rewrite

Deliver Quarantine Rewrite URLs Drop

Graymail Detection Rewrite


• Before: Discover, Enforce, Harden

• During: Detect, Block, Defend

• After: Scope, Contain, Remediate

URL Defense Integrated Email and Web Security

Email Contains URL

Cisco® Talos

URL Reputation and Categorization

Replace

Defang/Block

Rewrite

Send to Cloud

BLOCKEDwww.playboy.comBLOCKED

BLOCKEDwww.proxy.orgBLOCKED

“This URL is blocked by policy”


Email Security – is it still important? @Cisco

• 93% of all inbound mail dropped as SPAM by ESA reputation engine

• Additional blocks done inline with Cisco AMP (attachment scanning)

• All the major advanced attacks to hit Cisco have started via e-mail

• Everything is logged centrally for further incident investigation


Flexible Deployment Options Industry-leading, Best of Breed Email Protection at the Gateway

Deployment Options

Virtual Appliance

On-premises

Multi-device Support

Desktop Tablet Laptop Mobile

Cloud Managed

Cloud

Hybrid Hybrid


Virtual Deployment Leverage existing investments

| Model | Disk | Memory | Cores |
|---|---|---|---|
| C100v | 200GB | 6GB | 2 |
| C300v | 500GB | 8GB | 4 |
| C600v | 500GB | 8GB | 8 |

ESX | ESXi Hypervisor

Cisco UCS

Consolidation | Automation | Virtualization

Other Hardware

• Quicker deployments

• Improved capacity planning

• Enhanced business continuity

• Deployment flexibility

KVM support under planning
