MPLS Enterprise Switching Product Update and Designs
Sankar Venkat, Product Manager
Minhaj Uddin, Technical Marketing Engineer
Cisco Enterprise Networking Group
Session ID: BRKMPL-1102
Questions? Use Cisco Spark to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install Spark or go directly to the space, and enter messages/questions there. Cisco Spark spaces (cs.co/ciscolivebot#BRKMPL-1102) will be available until July 3, 2017.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction
• Segmentation in Enterprise
• MPLS Designs for Enterprise
• MPLS Case Study
• MPLS Product Update
• Q&A
• Summary
Session Goals
This session will focus on MPLS for Campus/Enterprise Switching network deployments.
At the end of the session, the participants should:
• Understand different segmentation options in the Enterprise
• Understand the MPLS designs for L2 and L3 networks
• Understand different MPLS designs and use cases
• Understand the different product options for MPLS design
Session Pre-requisites
This session covers the MPLS switching and secure segmentation solutions for the Enterprise. It provides an overview of the most commonly deployed MPLS designs and use cases in the campus. It also covers the various MPLS product options available on the latest Cisco Catalyst and Nexus product series, including the NEW Catalyst 9000 Series, Catalyst 3850, Catalyst 6500/6800 and the Nexus 7k.
Topics covered in this session include:
1. Segmentation options in the Enterprise
2. MPLS design for Enterprise L2 and L3 networks
3. Use cases across Enterprise verticals
4. MPLS product options in the Cisco Enterprise Switching portfolio
Some basic knowledge of MPLS is expected from the attendees. Newcomers are expected to have attended BRKMPL-1100, "Introduction to MPLS", prior to attending this session.
Network Virtualization with MPLS
Figure: MPLS used end to end across the enterprise: L2 VPN between data centers (DC interconnect with mirror A / mirror B, branch-to-DC storage connectivity, backup), L3 (MPLS) in the campus and across the Enterprise WAN (Bay Area DC, AsiaPac DC, Washington DC), and the Enterprise WAN edge handing off to the service provider network and Internet access.
Why MPLS in Enterprise?
Figure: MPLS at the centre of four benefits: Secure Segmentation, Enterprise L2 Extensions, Rich User Experience, Advanced Features.
Standards based end-to-end solution across LAN, WAN and Data Center
Segmentation in Enterprise
Why Network Segmentation?
Figure: one network hosting several logical domains that all reach the Internet: Line of business (Sales, Finance, HR network), Payment Card Industry (POS, other network), Hospital network (Medical device, Doctor, Staff, Partner). Drivers: Bring-Your-Own-Device (BYOD), Mergers and Acquisitions, Multi-Tenancy.
Factors for Network Segmentation
• Unique security policies per logical domain
• Traffic isolation per application, group, service, etc.
• Logically separate traffic using one physical infrastructure
Figure: three virtual networks (Guest Access, Merged Company, Isolated Services), each a virtual "private" network, running over one actual physical infrastructure.
Network Segmentation Benefits
• Service isolation: telephony systems, badging, building control, surveillance
• Security policies are unique to each virtual group/service (low security, medium security, high security)
• Meet regulatory compliance requirements: HIPAA, PCI, SOX, etc.
Figure: the Guest Access, Merged Company and Isolated Services virtual networks over the actual physical infrastructure, each with its own security level.
Segmentation Options in Enterprise
VLAN Based Segmentation (Voice VLAN, Data VLAN, Guest VLAN per set of endpoints)
• VLAN/VRF-Lite based segmentation
• Policy enforcement is done using ACLs and firewall rules
• CLI based manageability
MPLS Based Segmentation (one VPN per group)
• L2/L3 VPN based logical segmentation
• MPLS labels used to identify/create traffic isolation between groups
• CLI based manageability
TrustSec Based Segmentation (an SGT per endpoint, policy from Cisco ISE)
• User/Device group based segmentation
• Secure Group Tags (SGT) used to create user/device group policies
• Cisco ISE based manageability
SD-Access Based Segmentation
• User/Device group based segmentation
• Secure Group Tags (SGT) used to create user/device group policies
• DNA Center based manageability
VLAN Based Segmentation
Figure: traditional segmentation across three layers. Classification at the access layer: static or dynamic VLAN assignment (Quarantine, Voice, Data, Guest and BYOD VLANs for non-compliant, voice, employee, supplier and BYOD endpoints). Propagation across the enterprise backbone: carry "segment" context through the network using VLAN, IP address and VRF-Lite, with VACLs at the aggregation layer. Enforcement in front of applications: IP based policies (ACLs, firewall rules), illustrated on the slide by a long list of access-list 102 entries.
Limitations of Traditional Segmentation
• Security policy based on topology
• Not scalable
• Complex provisioning
• No notion of user/device group
Cisco TrustSec Segmentation
Simplified segmentation with Group Based Policy
Figure: Classification at the campus switch: static or dynamic SGT assignment (Employee tag, Supplier tag, Non-Compliant tag, Voice), independent of VLAN A / VLAN B. Propagation across the enterprise backbone: carry "group" context through the network using only the SGT. Enforcement at the DC switch or firewall in front of shared services and application servers: group based policies (ACLs, firewall rules) from ISE; the DC switch receives policy only for what is connected.
SD-Access Segmentation
Simplified segmentation with a single dashboard
Figure: DNA Center (Design, Provision, Policy, Assurance) with ISE and NDP, evolving from APIC-EM 1.x/2.0, manages an SDA Campus Fabric with border (B) and control-plane (C) nodes; endpoints (Non-Compliant, Employee, Voice, Supplier) are segmented across the fabric. Solution launched at this Cisco Live 2017!
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise
• MPLS Case Study
• MPLS Product Update
• Q&A
• Summary
MPLS Designs for Enterprise
MPLS Design Options for Enterprise
Figure: MPLS at the centre of four design areas: Secure Segmentation (L3VPN-v4, L3VPN-v6), Enterprise L2 Extensions (L2VPN: EoMPLS/VPLS), User Experience for Applications (Multicast VPN, QoS, NetFlow), Advanced Features (Tunneling and High Availability).
MPLS Network Overview
Figure: an MPLS domain with P/Core routers in the middle, PE/Distribution routers at the edge running MP-BGP between them, and CE/Access devices at sites B, C and D.
• P (Provider) router = label switching router = core router (LSR): switches MPLS-labeled packets
• PE (Provider Edge) router = edge router (LSR): imposes and removes MPLS labels
• CE (Customer Edge) router: connects the customer network to the MPLS network
MPLS Label and Label Encapsulation
MPLS Label (32-bit label stack entry):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|              Label (20 bits)           |EXP  |S|   TTL (8 bits) |
COS/EXP = Class of Service: 3 bits; S = Bottom of Stack: 1 bit; TTL = Time to Live: 8 bits
MPLS Label Encapsulation: one or more labels are appended to the packet, between the link-layer header and the L2/L3 packet header.
• Packet over SONET/SDH: PPP Header | Label | Layer 2/L3 Packet
• LAN: MAC Header | Label | Layer 2/L3 Packet
MPLS Label Operations
Figure: a packet traverses CE/Access -> PE/Distribution -> P/Core -> P/Core -> PE/Distribution -> CE/Access. The ingress PE performs label imposition (push, L1), each P performs a label swap (L1 -> L2, L2 -> L3), and the egress PE performs label disposition (pop, L3) before delivering the original L2/L3 packet.
• Label imposition (push): by the ingress PE router; classify and label packets
• Label swapping or switching: by the P router; forward packets using labels; the label indicates service class and destination
• Label disposition (pop): by the egress PE router; remove the label and forward the original packet to the destination CE
Forwarding Equivalence Class
• Mechanism to map ingress layer-2/3 packets onto a Label Switched Path (LSP) by the ingress PE router; part of the label imposition (push) operation
• Variety of FEC mappings possible:
  – IP prefix/host address
  – Groups of addresses/sites (VPN x): used for L3VPNs
  – Layer 2 circuit ID (ATM, FR, PPP, HDLC, Ethernet): used for pseudowires (L2VPNs)
  – A bridge/switch instance (VSI): used for VPLS (L2VPNs)
  – Tunnel interface: used for MPLS traffic engineering (TE)
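The following Python, added here as an illustration and not taken from the deck, packs and parses 32-bit label stack entries in the layout shown above and then walks a packet through the push, swap and pop operations with a FEC (longest-prefix) lookup at the ingress PE. Every label value, prefix and LFIB entry is a constructed placeholder, not from a real network.

```python
"""Added example (not from the deck): 32-bit MPLS label stack entries packed and
parsed as laid out above, then a push/swap/pop walk along a two-P LSP with a
FEC lookup at the ingress PE. Labels, prefixes and LFIB contents are constructed."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class LabelEntry:
    """Label (20 bits) | EXP (3 bits) | S bottom-of-stack (1 bit) | TTL (8 bits)."""
    label: int
    exp: int
    s: int
    ttl: int

    def pack(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8
                and self.s in (0, 1) and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.exp << 9) | (self.s << 8) | self.ttl
        return struct.pack("!I", word)  # network byte order, 4 bytes

    @classmethod
    def unpack(cls, data: bytes) -> "LabelEntry":
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF)


def parse_stack(packet: bytes):
    """Return (entries top-first, payload); stops at the entry with S=1."""
    entries, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("truncated label stack: no bottom-of-stack bit seen")
        entry = LabelEntry.unpack(packet[off:off + 4])
        entries.append(entry)
        off += 4
        if entry.s:
            return entries, packet[off:]


def build_stack(entries, payload: bytes) -> bytes:
    """Serialise entries top-first, setting S only on the last (bottom) entry."""
    out = b"".join(
        LabelEntry(e.label, e.exp, 1 if i == len(entries) - 1 else 0, e.ttl).pack()
        for i, e in enumerate(entries))
    return out + payload


# Constructed ingress FEC table (destination prefix -> label) and P-router LFIBs
# (incoming label -> outgoing label); nothing here comes from a real network.
INGRESS_FEC = {ipaddress.ip_network("10.20.0.0/16"): 100,
               ipaddress.ip_network("10.30.0.0/24"): 200}
P1_LFIB = {100: 300, 200: 301}
P2_LFIB = {300: 400, 301: 401}


def ingress_push(dst_ip: str, ip_packet: bytes, exp: int, ttl: int = 255) -> bytes:
    """Ingress PE: longest-prefix FEC match, then push one label (S=1)."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [n for n in INGRESS_FEC if dst in n]
    if not matches:
        raise LookupError(f"no FEC for {dst_ip}: forward unlabeled or drop")
    fec = max(matches, key=lambda n: n.prefixlen)
    return build_stack([LabelEntry(INGRESS_FEC[fec], exp, 1, ttl)], ip_packet)


def p_swap(packet: bytes, lfib: dict) -> bytes:
    """P router: swap the top label via the LFIB, decrement TTL, keep EXP."""
    entries, payload = parse_stack(packet)
    top = entries[0]
    if top.label not in lfib:
        raise LookupError(f"no LFIB entry for label {top.label}: drop")
    if top.ttl <= 1:
        raise ValueError("TTL expired in the MPLS core: drop")
    entries[0] = LabelEntry(lfib[top.label], top.exp, top.s, top.ttl - 1)
    return build_stack(entries, payload)


def egress_pop(packet: bytes):
    """Egress PE: pop the last label and return (that entry, original packet)."""
    entries, payload = parse_stack(packet)
    if len(entries) != 1:
        raise ValueError("egress PE expected exactly one remaining label")
    return entries[0], payload


def walk_lsp(dst_ip: str, ip_packet: bytes):
    """Push at the ingress PE, swap at P1 and P2, pop at the egress PE.
    Returns (labels seen on the wire after each hop, popped entry, payload)."""
    pkt = ingress_push(dst_ip, ip_packet, exp=6)
    trace = [parse_stack(pkt)[0][0].label]
    for lfib in (P1_LFIB, P2_LFIB):
        pkt = p_swap(pkt, lfib)
        trace.append(parse_stack(pkt)[0][0].label)
    popped, payload = egress_pop(pkt)
    return trace, popped, payload


if __name__ == "__main__":
    trace, popped, payload = walk_lsp("10.30.0.7", b"constructed-ip-packet")
    print("labels on the wire:", trace, "TTL at egress:", popped.ttl, "payload:", payload)
```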
Label Distribution Protocol
• MPLS nodes need to exchange label information with each other:
  – Ingress PE node (push operation): needs to know what label to use for a given FEC to send the packet to the neighbor
  – Core P node (swap operation): needs to know what label to use for the swap operation on incoming labeled packets
  – Egress PE node (pop operation): needs to tell the upstream neighbor what label to use for a specific FEC type
  – LDP is used for the exchange of label (mapping) information
• Label Distribution Protocol (LDP): defined in RFC 3035 and RFC 3036; updated by RFC 5036. LDP is a superset of the Cisco-specific Tag Distribution Protocol
MPLS-VPN Terminology
Figure: PE - P - P - PE, with LDP running on each link and MP-BGP between the PEs.
• PE (Provider Edge) router
  – Imposes and removes MPLS labels
  – Runs an IGP, LDP and MP-BGP
• P (Provider) router
  – Connects into the PE, translates labels
  – Runs an IGP and LDP
• CE (Customer Edge) router
  – Connects into the PE
• Label Distribution Protocol (LDP)
  – IGP to label binding
• Multi-Protocol BGP
  – Address-family support (IPv4, IPv6, multicast, etc.)
  – Used for VRF route exchange
MPLS-VPN Terminology
• Route Target: identifier used for importing and exporting routes (64 bits)
• Route Distinguisher: route attribute used to uniquely identify prefixes among VPNs (64 bits)
• VPN-IPv4 addresses: the 64-bit Route Distinguisher followed by the 32-bit IPv4 address
• VPN-IPv6 addresses: the 64-bit Route Distinguisher followed by the 128-bit IPv6 address
MPLS VPN
MPLS Design Options for Enterprise
Figure: the design-options wheel again, highlighting Secure Enterprise/Campus Segmentation (L3VPN-v4, L3VPN-v6) among Layer-2 Extensions, User Experience for Applications and Advanced Features.
MPLS-VPN - Routing and Switching
Figure: the MPLS VPN roles from routing (CE - PE - P - P - PE - CE) map onto campus switching: Core = P, Distribution = PE, Access = CE.
MPLS VPN Network Overview
Figure: the same MPLS domain (sites B, C and D), now with VRF instances on the PE/Distribution routers and MP-BGP between them.
• PE-CE link: connects the customer network to the MPLS network; either layer-2 or layer-3
• VPN signalling (VRF, Route Target, Route Distinguisher and MP-iBGP) between PEs: exchange of VPN policies
MPLS VPN Models
Technology Options
MPLS VPN Models
• MPLS Layer-3 VPNs: peering relationship between CE and PE
• MPLS Layer-2 VPNs: interconnect of layer-2 Attachment Circuits (ACs)
MPLS Layer-3 VPNs
• CE connected to PE via an IP-based connection (over any layer-2 type)
  – Static routing
  – PE-CE routing protocol: OSPF, RIPv2, EIGRP
• CE routing has a peering relationship with the PE router; PE routers are part of customer routing
• PE routers maintain customer-specific routing tables and exchange customer-specific routing information
MPLS Layer-2 VPNs
• Point-to-Point Layer-2 VPNs: CE connected to PE via an Ethernet (VLAN) connection; CEs peer with each other via the p2p layer-2 VPN connection; CE-CE routing with no SP involvement; L2 extension across the campus locations
• Multi-Point Layer-2 VPNs: CEs peer with each other (IP routing) via a fully/partially meshed layer-2 VPN connection; L2 extension across the campus locations
Virtual Routing and Forwarding Instance
Figure: two PEs across an MPLS domain running MP-BGP, each holding VRF Red and VRF Blue; each VRF runs its own PE-CE protocol toward its CE.
• Typically one VRF created for each customer VPN on the PE router
• VRF associated with one or more customer interfaces
• VRF has its own instance of the routing table (RIB) and forwarding table (CEF)
• VRF has its own instance of the PE-CE configured routing protocols
L3VPN – IPv4
MPLS VPN Protocols
Figure: Core (P) runs OSPF or IS-IS over IPv4; Distribution (PE) runs MP-iBGP for the L3 VPN; Access (CE) runs EBGP, OSPF, RIPv2 or static routing into VRF Green / VRF Blue.
• IGP protocols are used to exchange the routes between PE and CE devices
• MP-iBGP is used for exchanging VPNv4 routes between the PE devices
• MPLS or label forwarding is configured between PE and P devices
L3VPN – IPv6
Figure: IPv6 VPN with the same Core (P) / Distribution (PE, L3 VPN) / Access (CE) layout; the access links carry IPv4/IPv6 into VRF Green and VRF Blue.
Multicast VPN (MVPN)
Figure: MPLS backbone with a default MDT for all groups connecting the PE/Distribution switches across the core; VRF Green and VRF Blue at access/CE on each side.
MPLS L3 VPN Campus Segmentation Use Cases
End to End Network Virtualization
Figure: L3 VPN extended end to end from the MPLS backbone through Core, Distribution and Access in three campus designs: Standard Access, Routed Access and Collapsed Access.
L2 VPNs
MPLS Design Options for Enterprise
Figure: the design-options wheel, highlighting Enterprise L2 Extensions (L2VPN: EoMPLS/VPLS) among Secure Segmentation (L3VPN-v4, L3VPN-v6), User Experience for Applications and Advanced Features.
L2VPN Options
L2VPN Models
• EoMPLS: Virtual Private Wire Service, point to point
• VPLS: Virtual Private LAN Service, point to multipoint
Figure: both models carry Ethernet across the MPLS core.
L2-VPN Basics
Figure: two PEs across an MPLS network joined by a pseudowire (PW-ID 123); a frame on the pseudowire carries Ethernet Header | MPLS Label (tunnel) | MPLS Label (PW-ID) | Ethernet Payload.
PE with loopback 192.168.0.2:
  interface Loopback0
   ip address 192.168.0.2/32
  interface Ethernet0/0
   no ip address
   xconnect 192.168.0.1 123 encapsulation mpls
PE with loopback 192.168.0.1:
  interface Loopback0
   ip address 192.168.0.1/32
  interface Ethernet0/0
   no ip address
   xconnect 192.168.0.2 123 encapsulation mpls
MPLS L2VPN
L2VPN Protocols
Figure: an EoMPLS pseudowire between the two PE/Distribution switches across the core; Ethernet or VLAN attachment circuits from the access CEs, shown per VRF Green / VRF Blue group on each side.
Virtual Private LAN Services (VPLS)
Figure: PE-1, PE-2 and PE-3 form a full mesh of pseudowires; CE-1 and CE-2 attach to PE-1 and PE-2.
• VPLS allows MPLS networks to offer Layer 2 Ethernet services
• It provides a multipoint Ethernet service, as compared to EoMPLS, which is point to point
• The service provider emulates an IEEE Ethernet bridge network
• No routing interaction between customer and service provider networks
• Virtual bridges are linked with virtual ports, aka pseudowires or PWs
MPLS L2VPN
L2VPN Protocols
Figure: VPLS as a multipoint service between three PE/Distribution switches across the core; Ethernet/VLAN attachment circuits from the access CEs, shown per VRF Green / VRF Blue group at each site.
Hierarchical VPLS (H-VPLS) for VPLS Scaling
Figure: N-PE1, N-PE2 and N-PE3 in the MPLS core; U-PE1 and U-PE2 at the edge with 802.1q attachment circuits from DC1-CE, DC2-CE and DC3-CE.
• Scales VPLS deployments
• Use cases: Campus/DC Interconnect, DCI
Other MPLS Transport Options
• L2: Ethernet/L2 Header | MPLS Label(s) | IP Header | Data
• L3 (Campus MPLS L3 Transport): Ethernet Header | Tunnel header | MPLS Label(s) | IP Header | Data
  – Point-to-point tunnel: MPLS over GRE
  – Multipoint: MPLS-VPN over mGRE, MPLS over DMVPN
MPLS-VPN over mGRE
MPLS VPN over mGRE ties MPLS VRFs across sites with an IP multipoint GRE tunnel over the IP core.
Figure: CE1 - PE1 - IP core - PE2 - CE2, with IPv4 route exchange between CE and PE into a VRF on each PE; the packet on the core carries GRE Header (src add, dst add) | VPN Label | data.
• VPN traffic forwarded by PEs using separate routing instances (VRFs)
• GRE header and VPN label imposed on VPN traffic
• Packets switched to the egress PE based on the GRE header
• Egress PE uses the VPN label to forward the packet to the remote CE
MPLS QoS
MPLS QoS – Uniform Mode: Propagate EXP Markings
Figure: CE -> PE (VPN imposition) -> P -> PE (pop) -> CE. The IP packet enters with IPP 4; the ingress PE classifies with "match ip prec 4" and marks with "set mpls exp imp 6" plus "mpls propagate-cos"; the P routers "match mpls exp 6" into the priority queue; after the pop the packet leaves with IPP 6.
By default, the IP ToS byte is unchanged. The "mpls propagate-cos" command causes the EXP value to be copied down to the IP packet after a pop operation.
MPLS QoS – Short Pipe Mode
Figure: same path and the same ingress/core policy (match ip prec 4, set mpls exp imp 6; match mpls exp 6 / priority); after the pop the packet leaves with IPP 4.
Egress classification based on IP DSCP, not MPLS EXP; consistent policy in the MPLS core.
MPLS QoS – Pipe Mode
Figure: same path and policy; after the pop the packet leaves with IPP 4.
Egress classification based on the ingress MPLS EXP, not IP DSCP.
MPLS QoS Options Summary: Uniform, Pipe and Short Pipe Modes
• Uniform Mode: provides consistent QoS classification/marking throughout the network, including the CE and the core routers. The EXP marking is propagated to the underlying ToS byte on egress.
• Short Pipe Mode: the QoS policies implemented in the core do NOT propagate to the packet ToS byte. Classification based on MPLS EXP ends at the customer-facing egress PE interface, and queuing is based on the IPP/DSCP values in the IP header (supported – default mode).
• Pipe Mode: similar to Short Pipe Mode, except that at the egress PE, classification on the CE-facing interface is done based on the ingress EXP.
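The three modes above traced hop by hop in Python, as an added example that is not part of the deck: it uses the slide's values (IPP 4 in, EXP 6 imposed) and adds a constructed in-core EXP remark to show which modes let core policy reach the IP header or the egress queue. The imposition map and the remark value are assumptions for the illustration.

```python
"""Added example: MPLS DiffServ tunneling modes (uniform, short pipe, pipe)
traced along CE -> PE (push) -> P -> PE (pop) -> CE. IPP 4 / EXP 6 are the
slide's values; the core remark and the imposition map are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ipp: int                   # IP precedence in the IP header (ToS byte)
    exp: Optional[int] = None  # EXP of the top label; None when unlabeled


# Ingress PE policy from the slide: "match ip prec 4 / set mpls exp imp 6".
# Constructed default for other precedences: copy IPP into EXP.
IMPOSITION_MAP = {4: 6}


def ingress_pe(pkt: Packet) -> Packet:
    """VPN label imposition: EXP set on the pushed label, IP header untouched."""
    return Packet(pkt.ipp, IMPOSITION_MAP.get(pkt.ipp, pkt.ipp))


def core_p(pkt: Packet, remark_to: Optional[int] = None) -> Packet:
    """P router: classifies on EXP only ("match mpls exp 6 / priority");
    a policer or markdown in the core may rewrite EXP, never the IP header."""
    if pkt.exp is None:
        raise ValueError("unlabeled packet reached the core")
    return Packet(pkt.ipp, pkt.exp if remark_to is None else remark_to)


def egress_pe(pkt: Packet, mode: str) -> tuple:
    """Label disposition (pop). Returns (packet toward the CE, value that the
    CE-facing egress queuing classifies on)."""
    if mode == "uniform":
        # mpls propagate-cos: EXP copied down into IP precedence after the pop
        out = Packet(pkt.exp)
        return out, out.ipp
    if mode == "short-pipe":
        # IP ToS untouched; egress classification on IP precedence/DSCP
        out = Packet(pkt.ipp)
        return out, out.ipp
    if mode == "pipe":
        # IP ToS untouched; egress classification on the EXP received at the PE
        out = Packet(pkt.ipp)
        return out, pkt.exp
    raise ValueError(f"unknown mode {mode!r}")


def walk(mode: str, ipp_in: int = 4, core_remark: Optional[int] = None) -> dict:
    """Trace one packet through the path; return per-hop (ipp, exp) and the outcome."""
    hops = []
    pkt = Packet(ipp_in)
    hops.append(("CE->PE", pkt.ipp, pkt.exp))
    pkt = ingress_pe(pkt)
    hops.append(("PE push", pkt.ipp, pkt.exp))
    pkt = core_p(pkt, core_remark)
    hops.append(("P", pkt.ipp, pkt.exp))
    pkt, queue_on = egress_pe(pkt, mode)
    hops.append(("PE pop", pkt.ipp, pkt.exp))
    return {"mode": mode, "hops": hops, "ipp_to_ce": pkt.ipp, "egress_queue_on": queue_on}


def compare(core_remark: Optional[int] = None) -> dict:
    """Outcome per mode: (IPP delivered to the CE, value used for egress queuing)."""
    result = {}
    for mode in ("uniform", "short-pipe", "pipe"):
        trace = walk(mode, core_remark=core_remark)
        result[mode] = (trace["ipp_to_ce"], trace["egress_queue_on"])
    return result


if __name__ == "__main__":
    print("no remark in core:", compare())       # uniform (6, 6), short-pipe (4, 4), pipe (4, 6)
    print("core remarks EXP to 2:", compare(2))  # uniform (2, 2), short-pipe (4, 4), pipe (4, 2)
```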
MPLS With SD-Access
SD-Access Branch Deployment Options: Branch Connectivity with MPLS (Border is a CE device)
Figure: a campus SDA fabric with two border (B) nodes connected as CEs to an MPLS domain, reaching a branch.
• Control plane: LISP in the fabric; PE-CE IGP/BGP toward the MPLS domain; MP-BGP across it
• Data and policy plane: VXLAN+SGT in the fabric; MPLS with SXP for SGT exchange across the MPLS domain; IP/MPLS + SGT at the branch
• SXP connection between the borders for SGT information exchange
SD-Access Branch Deployment Options: Branch Connectivity with MPLS (Border is a PE device)
Figure: the borders are themselves PEs of the MPLS domain (MP-BGP across it; IGP/BGP toward the branch).
• Control plane: LISP in the fabric; MP-BGP across the MPLS domain; IGP/BGP at the branch
• Data and policy plane: VXLAN+SGT in the fabric; MPLS across the domain; IP/MPLS + SGT at the branch
• DMVPN or GRE tunnel between the borders for SGT information exchange
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Case Study
• MPLS Product Update
• Q&A
• Summary
Case Study 1: Traffic Separation with L3 VPN in Airport
Logical data separation between terminals/airlines using a shared physical infrastructure.
Figure: Terminals A, B and C each attach to a PE on the MPLS backbone; the Green, Red and Blue groups at each terminal are carried in VPN Green, VPN Red and VPN Blue, with a VRF created for each group at the PE.
Case Study 2: Secure Segmentation in Hospital
Secure segmentation and data privacy between doctors, staff and patients.
Figure: Main Hospital Building, Branch Hospital and Surgery Room each attach to a PE on the MPLS backbone; Doctor (Green), Devices (Red) and Staff (Blue) are carried in VPN Green, VPN Red and VPN Blue, with a VRF created for each group at the PE.
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Case Study ✓
• MPLS Product Update
• Q&A
• Summary
MPLS Product Update
MPLS Product Portfolio Options
Figure: traditional networking (Catalyst 6K, Catalyst 3850, Catalyst 3650, Nexus 7k; data, video, voice) alongside the new era of networking (Catalyst 9000 Family with Software-Defined Access (SD-Access); IoT, convergence, security, mobility).
What product option do I choose…
MPLS Design – Key Product Considerations
1. Choose the design – L2 or L3; users/hosts/devices for segmentation
2. 3-layer vs 2-layer network; unicast/multicast; PE, P, CE devices
3. Fixed vs modular switches; port densities; price
4. Interface types – PoE/Data/Fiber; speeds – 1G/mGig/10G/40G/100G
5. Baseline features, scalability and performance metrics
6. Advanced features – QoS, MACsec, NetFlow, TE, FRR
Enterprise MPLS - Product Consideration Matrix
Platform (layer): C3650, C3850, C9300, C9400 (Access); C3850XS, C9500 (Distribution/Aggregation); C6840X, C6807, N7K (Core, collapsed or small core)
Switch type: C3650 Fixed; C3850 Fixed; C9300 Fixed; C9400 Modular; C3850XS Fixed; C9500 Fixed; C6840X Fixed; C6807 Modular; N7K Modular
MPLS role: C3650, C3850, C9300, C9400 CE/PE; C3850XS, C9500, C6840X, C6807, N7K PE/P
Interface types: C3650, C3850, C9300, C9400 PoE/Data; C3850XS, C9500, C6840X, C6807, N7K Fiber
Interface speeds: C3650 1G/mGig; C3850 1G/mGig; C9300 1G/mGig; C9400 1G/mGig; C3850XS 1G/10G; C9500 1G/10G/40G; C6840X 1G/10G; C6807 1G/10G/40G; N7K 10G/40G/100G
VRF/VPN route scale: C3650 Low; C3850 Low; C9300 Medium; C9400 Medium; C3850XS Low; C9500 Medium; C6840X High; C6807 High; N7K High
L3VPN/L2VPN/MVPN support: (per-platform entries not recoverable from the extracted table)
Advanced MPLS features: C3650, C3850, C9300, C9400, C3850XS, C9500 QoS, VPLS; C6840X, C6807, N7K VPLS, MPLS NetFlow, TE-FRR
MPLS Portfolio – The NEW Catalyst 9000 Series
Introducing The NEW Catalyst 9000 Family
• Catalyst 9300: Stackable Access
• Catalyst 9400: Modular Access
• Catalyst 9500: Fixed Aggregation
Built on Cisco's innovative UADP 2.0 ASIC and open IOS-XE
Catalyst 9300 - Overview
Figure: Catalyst 9300 models with Multigigabit and UPoE on all ports, PoE+/UPoE, and Data; network modules 4 x Multigigabit, 4 x 1G, 8 x 10G, 2 x 40G; StackPower, StackWise-480 (480 Gbps), larger buffers and scale, zero-footprint power redundancy; UADP 2.0 ASIC and open IOS-XE.
Catalyst 9400 - Overview
Figure: 7-slot and 10-slot chassis, up to 9 Tbps system capacity; UADP 2.0 ASIC and open IOS-XE.
Catalyst 9400 – Supervisor & Line Cards
Figure: Sup-1 at 1.44 Tbps, up to 80G per slot; 48 x 1G UPoE and 48 x 1G Data line cards.
Catalyst 9500 - Overview
Figure: up to 1.9 Tbps; models with 40 x 10G, 12 x 40G and 24 x 40G ports, plus 8 x 10G and 2 x 40G network modules; 40G-optimized enterprise class switch; UADP 2.0 ASIC and open IOS-XE.
MPLS Portfolio – Catalyst 3K
Catalyst 3850 Series
• StackPower, 480 Gbps stacking bandwidth, FRU fans and power supplies
• Wireless CAPWAP termination: up to 100 APs and 2000 clients per stack, 40G per switch
• MPLS, 40 Gbps uplink bandwidth, granular QoS/Flexible NetFlow
• Line rate on all ports, Multigigabit (mGig), full PoE+ and UPoE
MPLS on UADP powered stackable access programmable switches
Cisco Catalyst 3850 Multigigabit Ethernet
• 48 Port Version: downlinks 36 x 1G line-rate 10/100/1000BASE-T and 12 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec; uplinks 4 x 10GE SFP+, 2 x 40G QSFP (NEW), 8 x 10G SFP+ (NEW)
• 24 Port Version: downlinks 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec; uplinks 4 x 10GE SFP+, 2 x 40G QSFP (NEW), 8 x 10G SFP+ (NEW)
MPLS on Access with Multigigabit Ethernet
Catalyst 3850 10G: 12 and 24 Port
Figure: network modules C3850-NM-4x10G, C3850-NM-2x40G and C3850-NM-8x10G; converged access, UADP ASIC, StackWise-480, StackPower, line rate, 1+1 power redundancy.
Catalyst 3850 10G: 48 Port
Figure: 48 x SFP+ fixed and 4 x QSFP fixed ports on the UADP ASIC; front-to-back and back-to-front fan options; new 750W AC power supplies with 1+1 power supply redundancy; converged access, line rate; no stacking.
*No StackWise or StackPower on the 48p SKU
Cisco Catalyst 3650 Switch
• Dual FRU power supplies, FRU fans, optional StackWise-160 (9 member stack), multi-core CPU
• 802.11n/802.11ac: 50 APs and 1000 clients per stack, 40G wireless capacity per switch
• MACsec, MPLS, EEE, full NetFlow/QoS for wired/wireless, line rate PoE+ on all ports
• Fixed uplinks: 4 x 1G, 2 x 10G, 4 x 10G, 2 x 40G (new), 8 x 10G (new); Multigigabit (mGig) new
MPLS on UADP powered stackable access programmable switches
MPLS Portfolio – Catalyst 6K
Cisco Catalyst 6807-XL: Taking Catalyst 6K Up to 880G/Slot
• 7 slots, 10 RU, up to 880G/slot capable
• Side-to-side air flow (redirectable via airflow baffles)
• Catalyst 6500 DNA: next-generation ready, investment protection; compatible with Sup2T, 6700, 6800, 6900 Series and the latest service modules; backwards compatible backplane connectors
• Low power and noise, high-efficiency fans
• Up to 4 (N+1) power supply redundancy, 3000W AC
Cisco Catalyst Supervisor 6T: Taking Catalyst 6800 to a New Level
• High-scale control plane with x86 CPU: 1M IPv4 routes, 1M NetFlow, 256K QoS/ACL
• 2 x 40G QSFP and 8 x 10G SFP+ uplinks
• Improved fabric provides 440G/slot in the 6807-XL
• VSS, LISP, SGT, MACsec, HQoS on all ports; fiber and copper management and console ports
• Feature parity with Sup2T: 3500+ features
Cisco Catalyst 6800 Multi-Rate Line Cards
• 32 ports of SFP/SFP+ or up to 8 ports of QSFP* (10/100/1000M GLC-T, 100M FX)
• 1M IPv4 routes, 2M NetFlow, 256K QoS and ACL
• 160G throughput; performance mode for line rate
• 250MB buffer per port, 500MB per port in performance mode
• Feature rich MPLS: VSS, SGT, MACsec, LISP, HQoS
* With CVR-4SFP-QSFP adapter
Not Every Port is Created Equal!
Cisco Catalyst 6840-X
• 16, 24, 32 or 40 SFP+ uplinks; 2 models with 2 QSFP uplinks; convert 4 x SFP+ to QSFP*
• 256K IPv4 routes, 1.5M NetFlow, 64K QoS/ACL
• Height: 2RU; depth: 21.8"; front-to-back airflow
• 750W or 1100W power, redundant AC/DC
• High-scale control plane with 2.0GHz CPU; higher scale for IA
• VSS, MPLS, LISP, SGT, MACsec, HQoS, etc.
All Catalyst 6800 features in a smaller fixed form factor
MPLS Portfolio – Nexus 7K
Cisco Nexus 7K - M Series
Nexus 7700 M3 Series Modules (NEW) and Nexus M2 Series 10G & 40G Modules
• Large table size and packet buffers
• 2M FIB (1M @ FCS), 128K ACL/QoS
• 384K MAC (128K @ FCS)
• MACsec 256-bit AES
• Deep buffers
Figure: M3 Series modules with 48x 1/10G SFP+ ports, 24x 40G QSFP ports and 12x 100G ports; M2 Series modules N7K-M224XP-23L, N7K-M206FQ-23L and N7K-M202CF-22L.
Cisco Nexus 7K - F3 Series
Nexus F3 Series Modules for Cisco Nexus 7000/7700: Nexus 7700 F3 10G, 40G and 100G; Nexus 7000 F3 10G, 40G and 100G.
MPLS Product Design… Putting it all together
MPLS Deployment Options – Small to Medium Campus
• Standard Access: Core C9500/C6840-X; Distribution C9500/C3850XS; Access C9300/C3850/C3650
• Routed Access: Core C9500/C6840-X; Distribution C9500/C3850XS; Access C9300/C3850/C3650
• Collapsed Access: Core C9500/C3850XS; Access + Distribution C9300/C3850/C3650
MPLS Deployment Options – Medium to Large Campus
• Standard Access: Core C6K/N7K; Distribution C9500/C3850/C6K/N7K; Access Catalyst 9300/9400/3850/3650/4500E
• Routed Access: Core C6K/N7K; Distribution C9500/C3850/C6K/N7K; Access Catalyst 9300/9400/3850/3650
Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone
MPLS Deployment with StackWise-480 and StackWise Virtual
• Standard Access: Core C6K/N7K; Distribution C9500/C3850/C6K/N7K with StackWise Virtual; Access Catalyst 9300/9400/3850/3650/4500E with StackWise-480 (Building 1, 1000 ports)
• Routed Access: Core C6K/N7K; Distribution C9500/C3850/C6K/N7K with StackWise Virtual; Access Catalyst 9300/9400/3850/3650 with StackWise-480
Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone
MPLS Deployment with MacSec (MPLS cloud above the Core in each option; MacSec on the Core–Distribution and Distribution–Access links)
• Standard Access: Core C6K/N7K; Distribution C9500/C3850/C6K/N7K; Access Catalyst 9300/9400/3850/3650/4500E
• Routed Access: Core C6K/N7K; Distribution C9500/C3850/C6K/N7K; Access Catalyst 9300/9400/3850/3650
Key Design factors: VRF/Route Scale, Port Density, MPLS features, Fixed vs. Modular in Access/Backbone
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Case Study ✓
• MPLS Product Update ✓
• Q&A
• Summary
Key Takeaways: Session Summary
1. Secure Standards based Segmentation across LAN, WAN and Data Center
2. L3 VPN, MVPN are commonly deployed in Enterprise Networks
3. Cisco offers a wide range of product options for MPLS deployments
4. The NEW Catalyst 9000 series of switches support MPLS across the family on the programmable UADP 2.0 ASIC running open IOS-XE
Terminology Reference: Acronyms Used in MPLS Reference Architecture
• AC: Attachment Circuit. An AC is a point-to-point, Layer 2 circuit between a CE and a PE.
• AS: Autonomous System (a domain)
• CoS: Class of Service
• ECMP: Equal Cost Multipath
• IGP: Interior Gateway Protocol
• LAN: Local Area Network
• LDP: Label Distribution Protocol, RFC 3036
• LER: Label Edge Router. An edge LSR interconnects MPLS and non-MPLS domains.
• LFIB: Labeled Forwarding Information Base
• LSP: Label Switched Path
• LSR: Label Switching Router
• NLRI: Network Layer Reachability Information
• P Router: An interior LSR in the service provider's autonomous system
• PE Router: An LER in the service provider administrative domain that interconnects the customer network and the backbone network
• PSN Tunnel: Packet Switching Tunnel
Terminology Reference: Acronyms Used in MPLS Reference Architecture (cont.)
• Pseudo-Wire: A pseudo-wire is a bidirectional “tunnel” between two features on a switching path.
• PWE3: Pseudo-Wire End-to-End Emulation
• QoS: Quality of Service
• RD: Route Distinguisher
• RIB: Routing Information Base
• RR: Route Reflector
• RT: Route Target
• RSVP-TE: Resource Reservation Protocol based Traffic Engineering
• VPN: Virtual Private Network
• VFI: Virtual Forwarding Instance
• VLAN: Virtual Local Area Network
• VPLS: Virtual Private LAN Service
• VPWS: Virtual Private WAN Service
• VRF: Virtual Route Forwarding Instance
• VSI: Virtual Switching Instance
Further Reading: MPLS References at Cisco Press and cisco.com
• http://www.cisco.com/go/mpls
• http://www.ciscopress.com
• MPLS and VPN Architectures (Cisco Press®), Jim Guichard and Ivan Pepelnjak
• Traffic Engineering with MPLS (Cisco Press®), Eric Osborne and Ajay Simha
• Layer 2 VPN Architectures (Cisco Press®), Wei Luo, Carlos Pignataro, Dmitry Bokotey and Anthony Chan
• MPLS QoS (Cisco Press®), Santiago Alvarez
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
R&S Related Cisco Education Offerings (Course; Description; Cisco Certification)
• CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs; Expert level trainings including instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam; CCIE® Routing & Switching
• Implementing Cisco IP Routing v2.0, Implementing Cisco IP Switched Networks v2.0, Troubleshooting and Maintaining Cisco IP Networks v2.0; Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs; CCNP® Routing & Switching
• Interconnecting Cisco Networking Devices: Part 2 (or combined); Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab; CCNA® Routing & Switching
• Interconnecting Cisco Networking Devices: Part 1; Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab; CCENT® Routing & Switching
For more details, please visit: http://learningnetwork.cisco.com Questions? Visit the Learning@Cisco Booth