MPLS Enterprise Switching Product Update and Designs
Sankar Venkat, Product Manager
Minhaj Uddin, Technical Marketing Engineer
Cisco Enterprise Networking Group

Session ID: BRKMPL-1102

Cisco Spark: Questions? Use Cisco Spark to chat with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark space: cs.co/ciscolivebot#BRKMPL-1102 (available until July 3, 2017)

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction

• Segmentation in Enterprise

• MPLS Designs for Enterprise

• MPLS Case Study

• MPLS Product Update

• Q&A

• Summary

Session Goals

This session will focus on MPLS for Campus/Enterprise Switching network deployments.

At the end of the session, the participants should:

• Understand different Segmentation Options in Enterprise
• Understand the MPLS designs for L2 and L3 networks
• Understand different MPLS designs and use cases
• Understand the different product options for MPLS design

Session Pre-requisites

This session covers the MPLS switching and secure segmentation solutions for the Enterprise. It provides an overview of the most commonly deployed MPLS designs and use cases in campus. This session also covers the various MPLS product options available on the latest Cisco Catalyst and Nexus product series, including the NEW Catalyst 9000 Series, Catalyst 3850, Catalyst 6500/6800 and the Nexus 7K.

Topics covered in this session include:

1. Segmentation Options in Enterprise
2. MPLS Design for Enterprise L2 and L3 networks
3. Use cases across Enterprise Verticals
4. MPLS product options in the Cisco Enterprise Switching Portfolio

Some basic knowledge of MPLS is expected from the attendees. Newcomers are expected to have attended BRKMPL-1100, "Introduction to MPLS", prior to attending this session.

Network Virtualization with MPLS

[Figure: MPLS use cases across the enterprise: Data Center Interconnect (L2 VPN over an MPLS core between Data Center A and backup Data Center B, with CE and PE devices on each side); Branch to DC storage connectivity across the SP network; Campus DC interconnect with mirror sites (Mirror A, Mirror B); Enterprise WAN (MPLS) linking the Bay Area DC, AsiaPac DC and Washington DC over L2 and L3 (MPLS) segments; Enterprise WAN Edge to the Service Provider, with Internet Access, Core and Access layers.]

Why MPLS in Enterprise?

[Figure: four pillars around MPLS: Secure Enterprise Segmentation, L2 Extensions, Rich User Experience, Advanced Features.]

Standards based end-to-end solution across LAN, WAN and Data Center

Segmentation in Enterprise

Why Network Segmentation?

[Figure: logical domains that share one network: Line of business (Sales, Finance); Payment Card Industry (POS); Hospital Network (Medical Device, Doctor, Staff); HR Network; Other Network (Partner); all with access to the INTERNET.]

Drivers: Bring-Your-Own-Device (BYOD), Mergers and Acquisitions, Multi-Tenancy

Factors for Network Segmentation

• Unique security policies per logical domain
• Traffic isolation per application, group, service etc.
• Logically separate traffic using one physical infrastructure

[Figure: Guest Access, Merged Company and Isolated Services each mapped to their own Virtual Network (a Virtual "Private" Network) on top of the actual physical infrastructure.]

Network Segmentation Benefits

[Figure: Guest Access, Merged Company and Isolated Services as separate Virtual Networks over one physical infrastructure, labelled Low Security, Medium Security and High Security.]

• Service Isolation: telephony systems, badging, building control, surveillance
• Security policies are unique to each virtual group/service
• Meet regulatory compliance requirements: HIPAA, PCI, SOX, etc.

Segmentation Options in Enterprise

[Figure: four segmentation models. VLAN based: Voice VLAN, Data VLAN and Guest VLAN per endpoint group. MPLS based: one VPN per group. TrustSec based: SGTs assigned to endpoints, policy from Cisco ISE. SD-Access based: SGTs with DNA Center.]

VLAN Based Segmentation
• VLAN/VRF-Lite based segmentation
• Policy enforcement is done using ACLs and firewall rules
• CLI based manageability

MPLS Based Segmentation
• L2/L3 VPN based logical segmentation
• MPLS labels used to identify/create traffic isolation between groups
• CLI based manageability

TrustSec Based Segmentation
• User/Device Group based segmentation
• Secure Group Tags (SGT) used to create user/device group policies
• Cisco ISE based manageability

SD-Access Based Segmentation
• User/Device Group based segmentation
• Secure Group Tags (SGT) used to create user/device group policies
• DNA Center based manageability

VLAN Based Segmentation

[Figure: three-layer view of VLAN based segmentation. Enforcement at the Applications: IP based policies in ACLs and firewall rules (illustrated by a long sample access-list 102 of deny/permit entries keyed on source/destination address and port). Propagation across the Enterprise Backbone: carry "Segment" context through the network using VLAN, IP address and VRF-Lite, with VACLs at the Aggregation Layer. Classification at the Access Layer: static or dynamic VLAN assignments (Non-Compliant to Quarantine VLAN, Voice to Voice VLAN, Employee to Data VLAN, Supplier to Guest VLAN, BYOD to BYOD VLAN).]

Limitations of Traditional Segmentation
• Security policy based on topology
• Not scalable
• Complex provisioning
• No notion of User/Device Group

Cisco TrustSec Segmentation: Simplified segmentation with Group Based Policy

[Figure: three-layer view of TrustSec segmentation. Enforcement at the shared services and application servers: group based policies in ACLs and firewall rules, applied at the DC switch or firewall; the DC switch receives policy only for what is connected. Propagation across the Enterprise Backbone: carry "Group" context through the network using only the SGT, with policy from ISE. Classification at the Campus Switch: static or dynamic SGT assignments (Employee Tag, Supplier Tag, Non-Compliant Tag, Voice), independent of VLAN A or VLAN B.]

SD-Access Segmentation

Simplified segmentation with a single dashboard

[Figure: DNA Center (evolving from APIC-EM 1.x to 2.0, with NDP and ISE) provides Design, Provision, Policy and Assurance for the SDA Campus Fabric with Border (B) and Control (C) nodes; endpoints (Non-Compliant, Employee, Voice, Supplier) are classified into groups. Solution launched at this Cisco Live 2017.]

MPLS Designs for Enterprise

MPLS Design Options for Enterprise

[Figure: MPLS design options: Secure Enterprise Segmentation (L3VPN-V4, L3VPN-V6); L2 Extensions (L2VPN: EoMPLS/VPLS); User Experience for Applications (Multicast VPN, QoS, Netflow); Advanced Features (Tunneling and High Availability).]

MPLS Network Overview

[Figure: an MPLS Domain connecting Sites B, C and D: CE/Access switches attach to PE/Distribution switches, which connect through P/Core switches; the PEs exchange routes with MP-BGP.]

• P (Provider) router = label switching router = core router (LSR). Switches MPLS-labeled packets.
• PE (Provider Edge) router = edge router (LSR). Imposes and removes MPLS labels.
• CE (Customer Edge) router. Connects the customer network to the MPLS network.

MPLS Label and Label Encapsulation

MPLS Label

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------+-----+-+---------------+
|            Label (20 bits)            | EXP |S| TTL (8 bits)  |
+---------------------------------------+-----+-+---------------+

COS/EXP = Class of Service: 3 bits; S = Bottom of Stack: 1 bit; TTL = Time to Live: 8 bits

MPLS Label Encapsulation: one or more labels are appended to the packet, between the Layer 2 header and the Layer 2/L3 packet.

Packet over SONET/SDH:  PPP Header | Label | Layer 2/L3 Packet
LAN:                    MAC Header | Label | Layer 2/L3 Packet

MPLS Label Operations

[Figure: a Layer 2/L3 packet enters at the ingress CE/Access, receives label L1 at the ingress PE/Distribution (label imposition, push), is swapped L1 to L2 and L2 to L3 across the P/Core switches (label swap), and has the label removed at the egress PE/Distribution (label disposition, pop) before delivery to the egress CE/Access.]

• Label imposition (Push): by the ingress PE router; classify and label packets
• Label swapping or switching: by the P router; forward packets using labels; the label indicates service class and destination
• Label disposition (Pop): by the egress PE router; remove the label and forward the original packet to the destination CE

Forwarding Equivalence Class

• Mechanism to map ingress layer-2/3 packets onto a Label Switched Path (LSP) by the ingress PE router; part of the label imposition (Push) operation
• Variety of FEC mappings possible:
  – IP prefix/host address
  – Groups of addresses/sites (VPN x): used for L3VPNs
  – Layer 2 circuit ID (ATM, FR, PPP, HDLC, ...): used for Pseudowires (L2VPNs)
  – A bridge/switch instance (VSI): used for VPLS (L2VPNs)
  – Tunnel interface: used for MPLS traffic engineering (TE)
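The label format, the push/swap/pop operations and the FEC lookup from the three slides above, worked through in code. This is an added example and not material from the Cisco Live deck: the 20/3/1/8-bit layout is the one on the "MPLS Label" slide, while the label values, the FEC prefix and the per-node label tables are constructed samples, not any platform's real allocation.

```python
"""Added example (not from the Cisco Live deck): encode and decode the 32-bit
MPLS label stack entry, then walk a packet through push / swap / pop along a
constructed LSP.  Label numbers, the FEC prefix and the per-node tables are
sample values."""
import struct

def encode_label(label, exp=0, bos=False, ttl=64):
    """Pack one label stack entry: Label (20 bits) | EXP (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8:
        raise ValueError("EXP must fit in 3 bits")
    if not 0 <= ttl < 256:
        raise ValueError("TTL must fit in 8 bits")
    word = (label << 12) | (exp << 9) | (int(bool(bos)) << 8) | ttl
    return struct.pack("!I", word)

def decode_stack(data):
    """Return ([(label, exp, bos, ttl), ...], payload).
    Entries are read until one carries the S (bottom of stack) bit."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = (word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)
        entries.append(entry)
        if entry[2]:
            return entries, data[offset:]

# Constructed LSP tables.  Ingress PE: FEC (IP prefix) -> label to push.
FEC_TABLE = {"10.20.0.0/16": 1001}
# P routers: incoming label -> outgoing label, one dict per hop.
SWAP_TABLES = [{1001: 2002}, {2002: 3003}]
# Egress PE: labels it terminates.
EGRESS_LABELS = {3003}

def push(payload, fec, exp=0, ttl=64):
    """Ingress PE: classify the packet to a FEC and impose that FEC's label."""
    if fec not in FEC_TABLE:
        raise KeyError(f"no LSP for FEC {fec}")
    return encode_label(FEC_TABLE[fec], exp, True, ttl) + payload

def swap(packet, table):
    """P router: replace the top label and decrement TTL; inner labels untouched."""
    entries, payload = decode_stack(packet)
    label, exp, bos, ttl = entries[0]
    if ttl <= 1:
        raise ValueError("TTL expired")
    if label not in table:
        raise KeyError(f"no LFIB entry for label {label}")
    rest = b"".join(encode_label(*e) for e in entries[1:])
    return encode_label(table[label], exp, bos, ttl - 1) + rest + payload

def pop(packet):
    """Egress PE: remove the top label and hand on whatever is underneath."""
    entries, payload = decode_stack(packet)
    if entries[0][0] not in EGRESS_LABELS:
        raise ValueError(f"label {entries[0][0]} is not terminated here")
    rest = b"".join(encode_label(*e) for e in entries[1:])
    return rest + payload

def forward_through_lsp(payload, fec):
    """Return (top label seen at each hop, payload delivered to the egress CE)."""
    pkt = push(payload, fec, exp=5)
    seen = [decode_stack(pkt)[0][0][0]]
    for table in SWAP_TABLES:
        pkt = swap(pkt, table)
        seen.append(decode_stack(pkt)[0][0][0])
    return seen, pop(pkt)

if __name__ == "__main__":
    print(forward_through_lsp(b"ip-packet", "10.20.0.0/16"))
```

A two-entry stack (a VPN label under a transport label, as L3VPN uses) decodes and swaps the same way: the P router only rewrites the top entry and never looks at the inner one, which is why the core needs no knowledge of the VPNs it carries.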

Label Distribution Protocol

• MPLS nodes need to exchange label information with each other
  – Ingress PE node (Push operation): needs to know what label to use for a given FEC to send the packet to its neighbor
  – Core P node (Swap operation): needs to know what label to use for the swap operation on incoming labeled packets
  – Egress PE node (Pop operation): needs to tell the upstream neighbor what label to use for a specific FEC type
  – LDP is used for the exchange of label (mapping) information
• Label Distribution Protocol (LDP)
  – Defined in RFC 3035 and RFC 3036; updated by RFC 5036
  – LDP is a superset of the Cisco-specific Tag Distribution Protocol

MPLS-VPN Terminology

[Figure: CE – PE – P – P – PE – CE chain; LDP runs on the PE–P and P–P links, MP-BGP between the PEs.]

• PE (Provider Edge) router: imposes and removes MPLS labels; runs an IGP, LDP and MP-BGP
• P (Provider) router: connects into the PE, translates labels; runs an IGP and LDP
• CE (Customer Edge) router: connects into the PE
• Label Distribution Protocol (LDP): IGP to label binding
• Multi-Protocol BGP: address-family support (IPv4, IPv6, multicast, etc.); used for VRF route exchange

MPLS-VPN Terminology

• Route-Target: identifier used for importing and exporting routes (64 bits)
• Route Distinguisher: route attribute used to uniquely identify prefixes among VPNs (64 bits)
• VPN-IPv4 addresses: include the 64-bit Route Distinguisher and the 32-bit IP address
• VPN-IPv6 addresses: include the 64-bit Route Distinguisher and the 128-bit IP address

MPLS VPN

[Figure: MPLS design options with Secure Enterprise/Campus Segmentation (L3VPN-V4, L3VPN-V6) highlighted, alongside Layer-2 Extensions, User Experience for Applications and Advanced Features.]

MPLS-VPN: Routing and Switching

[Figure: the MPLS VPN roles in a routing view (CE – PE – P – P – PE – CE) and in a campus switching view: Core = P, Distribution = PE, Access = CE.]

MPLS VPN Network Overview

[Figure: MPLS Domain connecting Sites B, C and D through CE/Access, PE/Distribution and P/Core switches, with a VRF instance per VPN on each PE and MP-BGP between the PEs.]

• PE-CE link: connects the customer network to the MPLS network; either layer-2 or layer-3
• VPN signalling (VRF, Route Target, Route Distinguisher) and MP-iBGP between PEs: exchange of VPN policies

MPLS VPN Models: Technology Options

MPLS Layer-3 VPNs
• Peering relationship between CE and PE
• CE connected to PE via an IP-based connection (over any layer-2 type)
• PE-CE routing: static routing, or a PE-CE routing protocol (OSPF, RIPv2, EIGRP)
• CE routing has a peering relationship with the PE router; PE routers are part of the customer routing
• PE routers maintain customer-specific routing tables and exchange customer-specific routing information across the campus locations

MPLS Layer-2 VPNs
• Interconnect of layer-2 Attachment Circuits (ACs)
• Point-to-Point Layer-2 VPNs: CE connected to PE via an Ethernet (VLAN) connection; CEs peer with each other via the p2p layer-2 VPN connection; L2 Extension across the campus locations
• Multi-Point Layer-2 VPNs: CEs peer with each other (IP routing) via the layer-2 VPN; CE-CE routing with no SP involvement; fully or partially meshed Layer-2 VPN connection; L2 Extension across the campus locations

Virtual Routing and Forwarding Instance

[Figure: CE – PE – MPLS Domain – PE – CE with VRF Red and VRF Blue on each PE, a PE-CE protocol on each attachment and MP-BGP between the PEs.]

• Typically one VRF created for each customer VPN on the PE router
• VRF associated with one or more customer interfaces
• VRF has its own instance of routing table (RIB) and forwarding table (CEF)
• VRF has its own instance of the PE-CE configured routing protocols

L3VPN – IPv4: MPLS VPN Protocols

[Figure: Core (P) running OSPF or ISIS; Distribution (PE) running MP-iBGP for the L3 VPN; Access (CE) attached to VRF Green and VRF Blue using EBGP, OSPF, RIPv2 or static routing.]

• IGP protocols are used to exchange the routes between PE and CE devices
• MP-iBGP is used for exchanging VPNv4 routes between the PE devices
• MPLS or label forwarding is configured between PE and P devices

L3VPN – IPv6: IPv6 VPN

[Figure: the same Core (P), Distribution (PE) and Access (CE) layout as the IPv4 case, with IPv4/IPv6 CEs attached to VRF Green and VRF Blue and the L3 VPN between the PEs.]

Multicast VPN (MVPN)

[Figure: MPLS Backbone with Core, Distribution (PE) and Access (CE) layers, VRF Green and VRF Blue at each site, and a Default MDT for all groups across the core.]

MPLS L3 VPN Campus Segmentation Use Cases: End to End Network Virtualization

[Figure: MPLS Backbone with Core, Distribution and Access layers shown for three campus models, Standard Access, Routed Access and Collapsed Access, with the L3 VPN extended into each.]

L2 VPNs

[Figure: MPLS design options with L2 Extensions (L2VPN: EoMPLS/VPLS) highlighted, alongside Secure Enterprise Segmentation (L3VPN-V4, L3VPN-V6), User Experience for Applications and Advanced Features.]

L2VPN Options

L2VPN Models
• EoMPLS: Virtual Private Wire Service, point to point
• VPLS: Virtual Private LAN Service, point to multipoint

[Figure: Ethernet sites attached across an MPLS Core.]

L2-VPN Basics

[Figure: two PEs across an MPLS network joined by a pseudowire; frames on the pseudowire carry Ethernet Header | MPLS Label (tunnel) | MPLS Label (PW-ID) | Ethernet Payload.]

PE with Loopback0 192.168.0.2:

    interface Loopback0
     ip address 192.168.0.2 255.255.255.255
    !
    interface Ethernet0/0
     no ip address
     xconnect 192.168.0.1 123 encapsulation mpls

PE with Loopback0 192.168.0.1:

    interface Loopback0
     ip address 192.168.0.1 255.255.255.255
    !
    interface Ethernet0/0
     no ip address
     xconnect 192.168.0.2 123 encapsulation mpls

Each xconnect names the remote PE loopback and the pseudowire ID (123); the ID must match on both ends.

MPLS L2VPN: L2VPN Protocols (EoMPLS)

[Figure: EoMPLS pseudowire between the Distribution (PE) switches across the Core; Ethernet or VLAN attachment from Access (CE) into segments labelled VRF Green and VRF Blue at each site.]

Virtual Private LAN Services (VPLS)

[Figure: three PEs (PE-1, PE-2, PE-3) joined across the MPLS core, with CE-1 and CE-2 attached.]

• VPLS allows MPLS networks to offer Layer 2 Ethernet services
• It provides a multipoint Ethernet service, as compared to EoMPLS which is point to point
• The Service Provider emulates an IEEE Ethernet bridge network
• No routing interaction between Customer and Service Provider networks
• Virtual bridges linked with virtual ports, aka Pseudo Wires or PWs
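The "emulated IEEE Ethernet bridge" of the VPLS slide above, as an added example that is not from the Cisco Live deck: one Virtual Switch Instance on a PE whose ports are the local attachment circuits and the pseudowires to the other PEs, learning source MACs and flooding unknown destinations like any bridge. The split-horizon rule in the code (a frame that arrives on a pseudowire is never flooded to another pseudowire, which the full pseudowire mesh between PEs makes safe) is the standard VPLS forwarding rule and goes beyond what the slide states; the port names and MAC addresses are constructed.

```python
"""Added example (not from the Cisco Live deck): a minimal VPLS Virtual
Switch Instance (VSI).  Ports are attachment circuits (ACs) to local CEs and
pseudowires (PWs) to remote PEs.  Split horizon between PWs is the standard
full-mesh VPLS rule, added here; port names and MACs are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Vsi:
    def __init__(self, name, acs, pws):
        self.name = name
        self.acs = list(acs)      # local attachment circuits, e.g. ["CE-1"]
        self.pws = list(pws)      # pseudowires to the other PEs of this VPLS
        self.mac_table = {}       # learned MAC -> port it was seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port and return the ports the frame goes out on."""
        if in_port not in self.acs and in_port not in self.pws:
            raise ValueError(f"{in_port} is not a port of VSI {self.name}")
        self.mac_table[src_mac] = in_port
        out = self.mac_table.get(dst_mac)
        if dst_mac != BROADCAST and out is not None:
            return [] if out == in_port else [out]      # known unicast
        # Unknown unicast or broadcast: flood to all other ACs, and to the
        # PWs only if the frame came from an AC (split horizon).
        targets = [p for p in self.acs if p != in_port]
        if in_port in self.acs:
            targets += self.pws
        return targets

def demo():
    """CE-1 behind PE-1 discovers a host behind PE-2; returns each forwarding decision."""
    pe1 = Vsi("PE-1", acs=["CE-1"], pws=["PW-PE2", "PW-PE3"])
    # Broadcast (e.g. ARP request) from CE-1: flooded to every pseudowire.
    first = pe1.receive("CE-1", "aa:aa:aa:00:00:01", BROADCAST)
    # Reply arrives over the pseudowire from PE-2: delivered to CE-1 only,
    # never relayed onto PW-PE3.
    second = pe1.receive("PW-PE2", "bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01")
    # Unicast from CE-1 to the now-learned MAC: sent on PW-PE2 alone.
    third = pe1.receive("CE-1", "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02")
    return first, second, third, dict(pe1.mac_table)

if __name__ == "__main__":
    print(demo())
```

Because the customer's MAC addresses are learned per VSI, two VPLS instances on the same PE keep separate tables, which is what makes the service a private LAN rather than one shared bridge.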

MPLS L2VPN: L2VPN Protocols (VPLS)

[Figure: VPLS across the Core between three Distribution (PE) switches; Ethernet/VLAN attachment from Access (CE) into segments labelled VRF Green and VRF Blue at each site.]

Hierarchical VPLS (H-VPLS) for VPLS Scaling

[Figure: N-PE1, N-PE2 and N-PE3 in the MPLS CORE; U-PE1 and U-PE2 at the edge with 802.1Q (.1q) attachments to DC1-CE, DC2-CE and DC3-CE.]

• Scales VPLS deployments
• Use cases: Campus/DC Interconnect, DCI

Other MPLS Transport Options

[Figure: MPLS over an L2 transport: Ethernet Header | MPLS Label(s) | IP Header | Data. MPLS over an L3 tunnel: the same label stack carried inside a GRE tunnel.]

• Point-to-point tunnel: MPLS over GRE
• Multipoint: MPLS-VPN over mGRE; MPLS over DMVPN

Campus MPLS L3 Transport

MPLS-VPN over mGRE

MPLS VPN over mGRE ties MPLS VRFs across sites with an IP multi-point GRE tunnel over an IP core.

[Figure: PE1 and PE2 across an IP core, CE1 and CE2 in VRFs; IPv4 route exchange on each PE-CE side; the packet on the core carries the outer src/dst address, GRE Header, VPN Label, then the original src/dst address and data.]

• VPN traffic forwarded by PEs using separate routing instances (VRFs)
• GRE header and VPN label imposed on VPN traffic
• Packets switched to the egress PE based on the GRE header
• Egress PE uses the VPN label to forward the packet to the remote CE

MPLS QoS

MPLS QoS – Uniform Mode: Propagate EXP Markings

[Figure: CE → PE (imposition) → P → PE (pop) → CE. The IP packet enters with IPP 4; the ingress PE sets EXP 6 at imposition; the P devices match EXP 6 for priority queuing; at the pop the EXP 6 is copied down, so the packet leaves with IPP 6.]

Ingress PE (imposition):
    match ip prec 4
    set mpls exp imp 6

P and egress PE (core queuing):
    match mpls exp 6
    priority

Egress PE (pop):
    mpls propagate-cos

By default, the IP ToS byte is unchanged. The "mpls propagate-cos" command causes the EXP value to be copied down to the IP packet after a Pop operation.

MPLS QoS – Short Pipe Mode

[Figure: same path; the IP packet enters with IPP 4, EXP 6 is set at imposition and matched in the core, and the packet leaves with IPP 4 unchanged.]

Ingress PE (imposition):
    match ip prec 4
    set mpls exp imp 6

P and egress PE (core queuing):
    match mpls exp 6
    priority

• Egress classification based on IP DSCP, not MPLS EXP
• Consistent policy in the MPLS core

MPLS QoS – Pipe Mode

[Figure: same path and markings as Short Pipe Mode; the packet leaves with IPP 4 unchanged.]

Ingress PE (imposition):
    match ip prec 4
    set mpls exp imp 6

P and egress PE (core queuing):
    match mpls exp 6
    priority

• Egress classification based on the MPLS ingress EXP, not IP DSCP

MPLS QoS Options Summary: Uniform, Pipe and Short Pipe Modes

• Uniform Mode: provides consistent QoS classification/marking throughout the network, including the CE and the Core routers. The EXP marking is propagated to the underlying ToS byte on egress.
• Short Pipe Mode: the QoS policies implemented in the Core do NOT propagate to the packet ToS byte. Classification based on MPLS EXP ends at the customer-facing egress PE interface, and queuing is based on the IPP/DSCP values in the IP header (supported – default mode).
• Pipe Mode: similar to Short Pipe Mode, except that at the egress PE, classification on the CE-facing interface is done based on the ingress EXP.
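The three modes from the QoS slides above, traced in code. This is an added example, not from the Cisco Live deck: the ingress policy (IPP 4 to EXP 6) is the one on the slides, while the optional EXP re-mark by a P router and the "propagate" handling that stands in for mpls propagate-cos are constructed to show which modes let core markings reach the customer's ToS byte.

```python
"""Added example (not from the Cisco Live deck): how Uniform, Short Pipe and
Pipe mode treat the IP Precedence (IPP) in the customer's ToS byte and the
EXP of the label along CE -> PE (imposition) -> P -> PE (pop) -> CE.  The
core re-mark step is constructed to make the difference visible."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    ipp: int                    # IP Precedence (3 bits of the IP ToS byte)
    exp: Optional[int] = None   # EXP of the top label while inside the MPLS domain

IMPOSITION_POLICY = {4: 6}      # ingress PE: match ip prec 4 -> set mpls exp imposition 6

def impose(pkt, policy=IMPOSITION_POLICY):
    """Ingress PE: push a label whose EXP comes from the policy (else copied from IPP)."""
    pkt.exp = policy.get(pkt.ipp, pkt.ipp)
    return pkt

def core_remark(pkt, new_exp):
    """A P router may re-mark EXP; it never touches the IP ToS byte underneath."""
    pkt.exp = new_exp
    return pkt

def pop(pkt, mode):
    """Egress PE: remove the label and return (packet, value the CE-facing
    interface classifies on).  'uniform' copies EXP into the ToS byte, which
    is what mpls propagate-cos does; the pipe modes leave the ToS byte alone."""
    if mode == "uniform":
        pkt.ipp = pkt.exp
        classify_on = pkt.ipp
    elif mode == "short-pipe":
        classify_on = pkt.ipp      # queue on the customer's own IPP/DSCP
    elif mode == "pipe":
        classify_on = pkt.exp      # queue on the EXP carried through the LSP
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pkt.exp = None
    return pkt, classify_on

def run(mode, ipp=4, core_exp=None):
    """Return (IPP the CE receives, value the egress PE classified on)."""
    pkt = impose(Packet(ipp))
    if core_exp is not None:
        core_remark(pkt, core_exp)
    pkt, classify_on = pop(pkt, mode)
    return pkt.ipp, classify_on

if __name__ == "__main__":
    for mode in ("uniform", "short-pipe", "pipe"):
        print(mode, run(mode), run(mode, core_exp=2))
```

Only Uniform mode rewrites the customer's ToS byte, so a re-mark inside the core (a policer dropping EXP to 2) reaches the CE in that mode alone; Short Pipe and Pipe hand the packet back with IPP 4 exactly as it arrived and differ only in what the egress PE queues on.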

MPLS With SD-Access

SD-Access Branch Deployment Options: Branch Connectivity with MPLS (Border is a CE device)

[Figure: Campus fabric with two Border (B) nodes connected as CEs to an MPLS Domain. Control plane: LISP inside the fabric, PE-CE MP-BGP or PE-CE IGP/BGP towards the MPLS domain. Data and policy plane: VXLAN+SGT inside the fabric, MPLS with SXP for SGT exchange across the MPLS domain, IP/MPLS + SGT beyond it. An SXP connection between the Borders carries the SGT information exchange.]

SD-Access Branch Deployment Options: Branch Connectivity with MPLS (Border is a PE device)

[Figure: Campus fabric with two Border (B) nodes that are themselves PEs of the MPLS Domain. Control plane: LISP inside the fabric, MP-BGP and IGP/BGP in the MPLS domain. Data and policy plane: VXLAN+SGT inside the fabric, MPLS across the domain, IP/MPLS + SGT beyond it. A DMVPN or GRE tunnel between the Borders carries the SGT information exchange.]

MPLS Case Study

Case Study 1: Traffic Separation with L3 VPN in Airport

Logical data separation between Terminals/Airlines using shared physical infrastructure

[Figure: Terminals A, B and C each with Green, Red and Blue user groups; a PE at each terminal with a VRF created for each group (VPN Green, VPN Red, VPN Blue) across the MPLS Backbone.]

Case Study 2: Secure Segmentation in Hospital

Secure segmentation and data privacy between Doctors, Staff and Patients

[Figure: Main Hospital Building, Branch Hospital and Surgery Room, each with Doctor, Devices and Staff groups (Green, Red, Blue); a PE at each location with a VRF created for each group (VPN Green, VPN Red, VPN Blue) across the MPLS Backbone.]

MPLS Product Update

MPLS Product Portfolio Options

[Figure: Traditional networking (Data, Video, Voice, Mobility) on Catalyst 6K, Catalyst 3850, Catalyst 3650 and Nexus 7K; the new era of networking (IoT Convergence, Security) on the Catalyst 9000 Family with Software-Defined Access (SD-Access).]

What product option do I choose? MPLS Design – Key Product Considerations

1. Choose the design: L2 or L3; Users/Hosts/Devices for segmentation
2. 3-layer vs 2-layer network; Unicast/Multicast; PE, P and CE devices
3. Fixed vs Modular switches; port densities; price
4. Interface types: PoE/Data/Fiber; speeds: 1G/mGig/10G/40G/100G
5. Baseline features, scalability and performance metrics
6. Advanced features: QoS, MACsec, Netflow, TE, FRR

Enterprise MPLS – Product Consideration Matrix

Layers: Access (C3650, C3850, C9300, C9400; CE/PE role); Distribution/Aggregation, Core, and Collapsed or Small Core (C3850XS, C9500, C6840X, C6807, N7K; PE/P role).

Platform | Switch Type | MPLS Role | Interface Types | Interface Speeds | VRF/VPN Route Scale | Adv MPLS Features
C3650    | Fixed       | CE/PE     | PoE/Data        | 1G/mGig          | Low                 | QoS, VPLS
C3850    | Fixed       | CE/PE     | PoE/Data        | 1G/mGig          | Low                 | QoS, VPLS
C9300    | Fixed       | CE/PE     | PoE/Data        | 1G/mGig          | Medium              | QoS, VPLS
C9400    | Modular     | CE/PE     | PoE/Data        | 1G/mGig          | Medium              | QoS, VPLS
C3850XS  | Fixed       | PE/P      | Fiber           | 1G/10G           | Low                 | QoS, VPLS
C9500    | Fixed       | PE/P      | Fiber           | 1G/10G/40G       | Medium              | QoS, VPLS
C6840X   | Fixed       | PE/P      | Fiber           | 1G/10G           | High                | VPLS, MPLS Netflow, TE-FRR
C6807    | Modular     | PE/P      | Fiber           | 1G/10G/40G       | High                | VPLS, MPLS Netflow, TE-FRR
N7K      | Modular     | PE/P      | Fiber           | 10G/40G/100G     | High                | VPLS, MPLS Netflow, TE-FRR

L3VPN / L2VPN / MVPN row: per-platform marks (not legible here)

MPLS Portfolio – The NEW Catalyst 9000 Series

Introducing the NEW Catalyst 9000 Family
• Catalyst 9300: Stackable Access
• Catalyst 9400: Modular Access
• Catalyst 9500: Fixed Aggregation
Built on Cisco's innovative UADP 2.0 ASIC and open IOS-XE

Catalyst 9300 – Overview

[Figure: Catalyst 9300 models: Data, Multigigabit (4 x Multigigabit), UPoE on all ports, PoE+/UPoE; network modules 4 x 1G, 8 x 10G, 2 x 40G; StackPower, StackWise-480 (480 Gbps), larger buffers and scale, zero-footprint power redundancy; UADP 2.0 ASIC and open IOS-XE.]

Catalyst 9400 – Overview
• 7-slot and 10-slot chassis
• Up to 9 Tbps system capacity
• UADP 2.0 ASIC and open IOS-XE

Catalyst 9400 – Supervisor and Line Cards
• Sup-1: 1.44 Tbps; up to 80G per slot
• Line cards: 48 x 1G UPoE, 48 x 1G Data

Catalyst 9500 – Overview
• Up to 1.9 Tbps
• Port options: 40 x 10G; 12 x 40G; 24 x 40G; 8 x 10G; 2 x 40G
• 40G-optimized enterprise class switch
• UADP 2.0 ASIC and open IOS-XE

MPLS Portfolio – Catalyst 3K

Catalyst 3850 Series
• StackPower; 480 Gbps stacking bandwidth; FRU fans and power supplies
• Wireless CAPWAP termination: up to 100 APs and 2000 clients per stack; 40G per switch
• MPLS; 40 Gbps uplink bandwidth; granular QoS/Flexible NetFlow
• Line rate on all ports; Multigigabit (mGig); full PoE+ and UPoE
MPLS on UADP-powered stackable access programmable switches

Cisco Catalyst 3850 Multigigabit Ethernet
• 48 Port version: downlinks 36 x 1G line-rate 10/100/1000BASE-T plus 12 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
• 24 Port version: downlinks 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
• Uplinks (both versions): 4 x 10GE SFP+, 2 x 40G QSFP (NEW), 8 x 10G SFP+ (NEW)
MPLS on Access with Multigigabit Ethernet

Catalyst 3850 10G: 12 and 24 Port
• Network modules: C3850-NM-4x10G, C3850-NM-2x40G, C3850-NM-8x10G
• Converged access; 1+1 power redundancy; UADP ASIC; StackWise-480; StackPower; line rate

Catalyst 3850 10G: 48 Port
• UADP ASIC; 4 x QSFP fixed and 48 x SFP+ fixed
• Front-to-back and back-to-front fan options; new 750W AC power supplies; 1+1 power supply redundancy
• No StackWise or StackPower on the 48p SKU (no stacking)
• Converged access; line rate

Cisco Catalyst 3650 Switch
• Dual FRU power supplies; FRU fans; optional StackWise-160 (9-member stack); multi-core CPU
• 802.11n/802.11ac wireless capacity: 50 APs and 1000 clients per stack
• MACsec; MPLS; EEE; full NetFlow/QoS for wired/wireless; 40G per switch
• Fixed uplinks: 4 x 1G, 2 x 10G, 4 x 10G, 2 x 40G (new), 8 x 10G (new)
• Line-rate PoE+ on all ports; Multigigabit (mGig) new
MPLS on UADP-powered stackable access programmable switches

MPLS Portfolio – Catalyst 6K

Cisco Catalyst 6807-XL: Taking Catalyst 6K up to 880G/Slot
• 7 slots, 10 RU
• Up to 880G/slot capable; side-to-side air flow (redirectable via airflow baffles); Catalyst 6500 DNA
• Next-generation ready, investment protection: compatible with Sup2T, 6700, 6800, 6900 Series and the latest Service Modules
• Low power and noise; high-efficiency fans; backwards compatible backplane connectors
• Up to 4 (N+1) power supply redundancy; 3000W AC

Cisco Catalyst Supervisor 6T: Taking Catalyst 6800 to a New Level
• High-scale control plane with x86 CPU: 1M IPv4 routes, 1M NetFlow, 256K QoS/ACL
• 2 x 40G QSFP and 8 x 10G SFP+ uplinks
• Improved fabric provides 440G/slot in the 6807-XL
• VSS, LISP, SGT, MACsec, HQoS on all ports; fiber and copper management and console ports
• Feature parity with Sup2T: 3500+ features

Cisco Catalyst 6800 Multi-Rate Line Cards
• 32 ports of SFP/SFP+ or up to 8 ports of QSFP*; 10/100/1000M GLC-T, 100M FX
• 160G throughput; performance mode for line rate
• 1M IPv4 routes, 2M NetFlow, 256K QoS and ACL
• 250MB per port; 500MB per port in performance mode
• Feature rich: MPLS, VSS, SGT, MACsec, LISP, HQoS
* With CVR-4SFP-QSFP adapter. Not every port is created equal!

Cisco Catalyst 6840-X
• 16, 24, 32 or 40 SFP+ uplinks; 2 models with 2 QSFP uplinks; convert 4 x SFP+ to QSFP*
• 256K IPv4 routes, 1.5M NetFlow, 64K QoS/ACL
• Height: 2RU; depth: 21.8"
• High-scale control plane with 2.0GHz CPU; 750W or 1100W redundant AC/DC power; front-to-back airflow
• VSS, MPLS, LISP, SGT, MACsec, HQoS, etc.; higher scale for IA
All Catalyst 6800 features in a smaller fixed form factor

MPLS Portfolio – Nexus 7K

Cisco Nexus 7K – M Series
• Nexus 7700 M3 Series modules (NEW): large table size and packet buffers; 2M FIB (1M @ FCS), 128K ACL/QoS; 384K MAC (128K @ FCS); MACsec 256-bit AES; deep buffers; 48 x 1/10G SFP+ ports, 24 x 40G QSFP ports, 12 x 100G ports
• Nexus M2 Series 10G and 40G modules: N7K-M224XP-23L, N7K-M206FQ-23L, N7K-M202CF-22L

Cisco Nexus 7K – F3 Series
• Nexus 7700 F3 modules: 10G, 40G, 100G
• Nexus 7000 F3 modules: 10G, 40G, 100G

MPLS Product Design: Putting it all together

MPLS Deployment Options – Small to Medium Campus

[Figure: three designs. Standard Access: Core C9500/C6840-X, Distribution C9500/C3850XS, Access C9300/C3850/C3650. Routed Access: Core C9500/C6840-X, Distribution C9500/C3850XS, Access C9300/C3850/C3650. Collapsed Access: Core C9500/C3850XS, Access + Distribution C9300/C3850/C3650.]

MPLS Deployment Options – Medium to Large Campus

[Figure: Standard Access and Routed Access designs: Core C6K/N7K; Distribution C9500/C3850 or C6K/N7K; Access Catalyst 9300/9400/3850/3650/4500E (Standard Access) or Catalyst 9300/9400/3850/3650 (Routed Access).]

Key design factors: VRF/Route Scale, Port Density, MPLS features, Fixed vs. Modular in Access/Backbone

MPLS Deployment with Stackwise-480 and Stackwise Virtual

Standard Access (Building 1, 1000 ports)

• MPLS

• Core: C6K / N7K

• Distribution (Stackwise Virtual): C9500 / C3850 / C6K / N7K

• Access (Stackwise-480): Catalyst 9300/9400/3850/3650/4500E

Routed Access

• MPLS

• Core: C6K / N7K

• Distribution (Stackwise Virtual): C9500 / C3850 / C6K / N7K

• Access (Stackwise-480): Catalyst 9300/9400/3850/3650

Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone

MPLS Deployment with MacSec

Standard Access

• MPLS

• Core: C6K / N7K

• Distribution (MacSec): C9500 / C3850 / C6K / N7K

• Access (MacSec): Catalyst 9300/9400/3850/3650/4500E

Routed Access

• MPLS

• Core: C6K / N7K

• Distribution (MacSec): C9500 / C3850 / C6K / N7K

• Access (MacSec): Catalyst 9300/9400/3850/3650

Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone
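As an added illustration of the MacSec-with-MPLS design above (constructed example configuration, not taken from the session deck or from Cisco documentation): an IOS-XE distribution switch protects its routed uplink toward the MPLS core with MACsec MKA using a pre-shared key, runs LDP on that same link, and holds a customer VRF whose RD/RT values match the glossary terms. Interface names, addresses, RD/RT values, VRF name and the key string are hypothetical placeholders; the peer end of the link needs the matching key chain and MKA policy.

```cisco-ios
! Constructed example configuration (not from the session deck); all names,
! addresses, RD/RT values and the key string are hypothetical placeholders.
!
! MKA pre-shared key: both link ends hold the same key ID and key string
! (32 hex characters for aes-128-cmac).
key chain MKA-UPLINK macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0 <32-HEX-CHARACTER-PLACEHOLDER>
!
! MKA policy: GCM-AES-256 with the full frame encrypted (offset 0).
mka policy MKA-UPLINK
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0
!
! Customer VRF carried as an MPLS L3 VPN (RD and RT as in the glossary).
vrf definition CORP
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Routed uplink to the core: MACsec protects this hop; LDP-labeled
! packets ride inside the MACsec-encrypted frames.
interface TenGigabitEthernet1/0/1
 description Uplink to MPLS core (MACsec + LDP)
 no switchport
 ip address 10.0.12.1 255.255.255.252
 macsec network-link
 mka policy MKA-UPLINK
 mka pre-shared-key key-chain MKA-UPLINK
 mpls ip
!
router ospf 1
 router-id 10.255.0.1
 network 10.0.0.0 0.255.255.255 area 0
!
! Verify: show mka sessions / show mpls ldp neighbor
```

Check that the MKA session reaches the secured state before trusting the link; if LDP comes up while MACsec is down, the labeled traffic is crossing that hop in the clear.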

Agenda

• Introduction ✓

• Segmentation in Enterprise ✓

• MPLS Designs for Enterprise ✓

• MPLS Case Study ✓

• MPLS Product Update ✓

• Q&A

• Summary

Key Takeaways

Session Summary

1. Secure, standards-based segmentation across LAN, WAN and Data Center

2. L3 VPN and MVPN are commonly deployed in enterprise networks

3. Cisco offers a wide range of product options for MPLS deployments

4. The NEW Catalyst 9000 series of switches support MPLS across the family on the programmable UADP 2.0 ASIC running open IOS-XE

Terminology Reference: Acronyms Used in MPLS Reference Architecture

AC: Attachment Circuit. An AC is a point-to-point, Layer 2 circuit between a CE and a PE.

AS: Autonomous System (a domain)

CoS: Class of Service

ECMP: Equal Cost Multipath

IGP: Interior Gateway Protocol

LAN: Local Area Network

LDP: Label Distribution Protocol, RFC 3036

LER: Label Edge Router. An edge LSR interconnects MPLS and non-MPLS domains.

LFIB: Labeled Forwarding Information Base

LSP: Label Switched Path

LSR: Label Switching Router

NLRI: Network Layer Reachability Information

P Router: An interior LSR in the service provider's autonomous system

PE Router: An LER in the service provider administrative domain that interconnects the customer network and the backbone network

PSN Tunnel: Packet Switching Tunnel

Terminology Reference: Acronyms Used in MPLS Reference Architecture (cont.)

Pseudo-Wire: A pseudo-wire is a bidirectional "tunnel" between two features on a switching path.

PWE3: Pseudo-Wire End-to-End Emulation

QoS: Quality of Service

RD: Route Distinguisher

RIB: Routing Information Base

RR: Route Reflector

RT: Route Target

RSVP-TE: Resource Reservation Protocol based Traffic Engineering

VPN: Virtual Private Network

VFI: Virtual Forwarding Instance

VLAN: Virtual Local Area Network

VPLS: Virtual Private LAN Service

VPWS: Virtual Private WAN Service

VRF: Virtual Route Forwarding Instance

VSI: Virtual Switching Instance

Further Reading: MPLS References at Cisco Press and cisco.com

• http://www.cisco.com/go/mpls

• http://www.ciscopress.com

• MPLS and VPN Architectures (Cisco Press), Jim Guichard, Ivan Pepelnjak

• Traffic Engineering with MPLS (Cisco Press), Eric Osborne, Ajay Simha

• Layer 2 VPN Architectures (Cisco Press), Wei Luo, Carlos Pignataro, Dmitry Bokotey, and Anthony Chan

• MPLS QoS (Cisco Press), Santiago Alvarez


R&S Related Cisco Education Offerings

Course: CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs
Description: Expert level trainings including instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam.
Cisco Certification: CCIE® Routing & Switching

Course: Implementing Cisco IP Routing v2.0; Implementing Cisco IP Switched Networks v2.0; Troubleshooting and Maintaining Cisco IP Networks v2.0
Description: Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs.
Cisco Certification: CCNP® Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 2 (or combined)
Description: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCNA® Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 1
Description: Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCENT® Routing & Switching

For more details, please visit: http://learningnetwork.cisco.com