Cisco Catalyst 9000: A New Era of Networking

Bob Sayle, Dave Zacks, Dimitar Hristov, Fabrizio Maccioni, Ivor Diedricks, Jay Yoo, Kenny Lei, Mahesh Nagireddy, Minhaj Uddin, Muhammad Imam, Sai Zeya, Shawn Wargo

A new era of intent-based networking

Preface 7
  Authors
  Acknowledgements
  Organization of this Book
  Intended Audience
  Book Writing Methodology

Introduction 13
  Executive Summary
  Industry Trends
  Business Use Cases

Catalyst 9000 Family 23
  Overview
  Catalyst 9300
  Catalyst 9400
  Catalyst 9500
  25G and 100G - Enabling Higher Speeds in Enterprise
  Packaging, Licensing and Support

ASICs - The Power of Programmable Silicon 50
  What is an ASIC?
  Why Programmable ASICs?
  UADP - Programmable ASIC Silicon
  The UADP Family

Cisco IOS XE 68
  IOS Evolution
  Cisco IOS XE Architecture
  Cisco IOS XE Benefits

High Availability 77
  Overview
  High Availability on the Catalyst 9300
  High Availability on the Catalyst 9400
  StackWise Virtual
  Graceful Insertion and Removal
  Patching Cisco IOS XE

Security and Identity 102
  Overview
  Encrypted Traffic Analytics
  Trustworthy Systems
  MACsec

QoS and Queuing 116
  Overview
  Buffers and Queues
  QoS and Queuing in the UADP ASIC
  Hierarchical QoS
  QoS for StackWise Virtual
  QoS for Overlay Technologies

Application Visibility & Control 137
  Overview
  Application Recognition
  Application Control

IoT 143
  Overview
  Power over Ethernet Innovations
  AVB - Audio Video Bridging
  DNA Service for Bonjour

User Centric Platform Design 152
  Overview
  RFID
  Blue Beacon
  Bluetooth Console
  WebUI
  Flexible Templates

Programmability and Automation 161
  Overview
  Device Provisioning
  Open Programmable Device APIs
  Data Models
  Device API Protocols
  Model-Driven Telemetry
  Scripting
  Configuration Management Tools
  Cisco DevNet

Application Hosting 183
  Application Hosting Operation
  Hardware Resources

Campus Network Design 187
  Overview
  Physical Infrastructure
  Multi-Layer Campus
  Collapsed Core
  Routed Access
  Campus MPLS
  Campus Wireless
  Software-Defined Access

Appendix 212
  References
  Acronyms

Preface

Authors

This book represents a collaborative effort between Technical Marketing, Product Management, Engineering, and Sales teams during a week-long intensive session at Cisco Headquarters in San Jose, CA.

• Bob Sayle - Sales
• Dave Zacks - Technical Marketing
• Dimitar Hristov - Technical Marketing
• Fabrizio Maccioni - Technical Marketing
• Ivor Diedricks - Product Management
• Jay Yoo - Engineering
• Kenny Lei - Technical Marketing
• Mahesh Nagireddy - Technical Marketing
• Minhaj Uddin - Technical Marketing
• Muhammad Imam - Technical Marketing
• Sai Zeya - Technical Marketing
• Shawn Wargo - Technical Marketing

Acknowledgements

A special thanks to Cisco's Enterprise Networking Business Product Management, Engineering, and Sales teams who supported the realization of this book. Thanks to Carl Solder and Muninder Sambi for supporting this effort. We would also like to thank Cynthia Resendez for her exceptional resource organization and support throughout our journey, and Sehjung Hah for his help with planning and logistics.

We are also genuinely appreciative to our Book Sprints (www.booksprints.net) team:

• Adam Hyde - Founder
• Barbara Rühling - CEO and Facilitator
• Henrik van Leeuwen - Illustrator
• Juan Carlos Gutiérrez Barquero - Technical Support
• Agathe Baëz - Book Producer
• Raewyn Whyte and Susan Teare - Proofreaders

Barbara and the team created an enabling environment that allowed us to exercise our collaborative and technical skills to produce this technical publication to meet a growing demand.

Organization of this Book

This book is best read in the order presented. However, based on the roles of the reader and their interests, some chapters can be reviewed out of sequence. This book is organized into sections, with each section having multiple chapters.

This book introduces the Catalyst 9000 family, reviews the business drivers for enterprises, and illustrates how the Catalyst 9000 addresses the challenges faced by enterprise IT. Following this, the architectural foundations of the Catalyst 9000 platform, both from a hardware perspective with Cisco's innovative Unified Access Data Plane (UADP) ASIC, as well as the cutting-edge capabilities provided by Cisco IOS XE software, are explored. These foundational elements enable the Catalyst 9000 family to address the many demands placed on enterprise networks today.

How the Catalyst 9000 platforms meet these demands is outlined in the next sections covering High Availability, Security, Quality of Service, Application Visibility and Control, IoT and User-Centric Platform Design. Cisco IOS XE software brings an open, standard and model-based approach to network management interfaces, and these capabilities are reviewed in the Programmability and Automation section. Then an examination of Application Hosting on the Catalyst 9000 is provided. Finally, this book examines the present state and future evolution of network design, and how Catalyst 9000 leads the way towards the ongoing transformation of enterprise network architectures.

Intended Audience

Network administrators, engineers, and architects are always under pressure to meet the business needs of their organizations. This book focuses on Cisco's new and innovative Catalyst 9000 family of switches, and how they help to solve the many challenges that networking professionals face today. The Catalyst 9000 provides state-of-the-art technologies driven by open, flexible, and powerful hardware and software. Networking professionals will be able to utilize this book to understand the Catalyst 9000 family, delve deep into its architecture, and understand how it provides a strong foundation for next-generation networks.

This book assists network professionals, IT managers, executives, and anyone with an interest in the latest and greatest networking technologies to understand and embrace the new era of intent-based networking that the Catalyst 9000 enables.

Book Writing Methodology

Fix your eyes on perfection and you make almost everything speed towards it - W.E. Channing

Simplicity, consistency, and performance have been overriding themes in designing the Catalyst 9000 family. The idea of this book is to present readers with the current challenges in enterprise networking and explore how the Catalyst 9000 platform solves those challenges. The Catalyst 9000 provides cutting-edge hardware and software capabilities, easily adapting to future protocols and network architectures without losing sight of simplicity. This book explores this powerful new networking platform - the basis for the new era of networking.

A group of twelve Cisco Engineers from diverse backgrounds accepted the challenge of writing a book about a platform that changes the paradigm of enterprise networking. At the end of day one, the task seemed even more daunting, given the breadth of capabilities that Catalyst 9000 brings to networks. However, the team persisted, and after hundreds of hours of diligent penmanship, this book was born! The Book Sprints (www.booksprints.net) methodology captured each of our unique strengths, fostered a team-oriented environment, and accelerated the overall time to completion.

#NetworkIntuitive #NewEraOfNetworking

Introduction

Executive Summary

The world is rapidly changing due to the demand of evolving IoT, ubiquitous mobility, cloud adoption, and rapidly advancing security threats. Enterprises of all sizes around the world are replacing legacy systems with digital technologies for competitive advantage, higher productivity, and lower operating costs. As more businesses embrace this change, networks have to adapt. Business cannot build networks the same way they have for the past years. Organizations need to create dynamic networks that can constantly learn, adapt, protect, and evolve.

The Network. Intuitive.

Cisco's Digital Network Architecture (DNA) and Software-Defined Access (SD-Access) help organizations unlock opportunities, enhance security, be more agile, and operate more efficiently. Designed to be intuitive, the network recognizes intent, mitigates threats through segmentation and encryption, learns and adapts over time. Cisco's Catalyst 9000 switches are the next generation in the legendary Catalyst family of enterprise LAN access, distribution and core switches. These are the first purpose-built platforms designed to take advantage of DNA and SD-Access.

The new Cisco Catalyst 9000 family of switches has been designed as the foundation for an entirely new era of networking - "The Network. Intuitive." This book explores the Catalyst 9000 family of switches and examines how these platforms meet the ever-changing needs of the enterprise network, today and well into the future.

For the first time in the industry, a single family of fixed, stackable and modular switches can run a single software image with a common ASIC across every platform in campus and branch networks. Design considerations can now be focused entirely on the scale requirements for different places in the network. This provides significant reduction in Total Cost of Ownership (TCO) for enterprise networks.

The Catalyst 9000 series is based on two foundational aspects:

• Common hardware - built with a flexible, programmable ASIC and CPU architecture.

• Common software - built with an open, Linux-based, modular operating system, with simple feature licenses.

The Catalyst 9000 family is built on a common ASIC architecture powered by the Unified Access Data Plane (UADP) ASIC. This serves as an innovative, programmable and flexible silicon foundation for the platform. UADP enables network infrastructures to adapt to new technologies, trends, and business needs over time. Catalyst 9000 platforms are also built on a standard multi-core 64-bit CPU architecture. A common CPU architecture provides predictable software processing and control-plane management, providing the horsepower to tackle next-generation network architectures and making it easier to diagnose and resolve issues while providing a platform for application hosting.

Every Catalyst 9000 platform runs on the open and modular Internet Operating System, Cisco IOS XE. This improves portability across Cisco enterprise platforms including Catalyst switches, ISR/ASR routers, and Wireless LAN Controllers. It increases feature development velocity, improves High Availability, and makes it easier to consistently deploy features across the Campus network. Cisco IOS XE provides a well-defined set of APIs, improving management and simplifying automation and programmability.

The bottom line: Catalyst 9000, built on common hardware and software powered by Cisco's innovative UADP ASIC, x86 CPU and Cisco IOS XE software, is the foundation for the new era of networking.

Industry Trends

The common trends seen in the industry today fall into four main categories - IoT, mobility, cloud and security.

IoT trends and considerations

The digital transformation of business processes and operations includes connecting new devices, sensors, and machines in an effort to improve productivity, reduce risk, and increase security. Billions of machine-to-machine connections will emerge over the next several years that require machine learning intelligence based on analytics and business policy. Enterprise campus networks will be required to support this influx of machine connectivity.

Cisco's Internet of Things: Workloads and Key Projects survey predicts organizations will undertake IoT data aggregation, filtering, and analysis at the network edge. The primary drivers for processing IoT data at the network edge are to improve security and speed up data analysis. The network needs to evolve to support the current and future demands of IoT.

Mobility trends and considerations

Wireless and mobility are driving the enterprise network infrastructure market. BYOD and mobile applications make it possible for workers to access corporate data from smartphones, tablets, and personal laptops, creating challenges for back-end IT infrastructures and greater demand for enterprise mobility among workers. Mobility is now a strategic asset. It is the predominant way workers and visitors access the corporate network and the Internet. Mobility must be an integral part of the future enterprise network.

Cloud trends and considerations

Enterprises are augmenting internal IT with cloud services, be it on-premises or collocated private cloud, or public cloud services. Cloud infrastructures mix virtual and physical elements, with workloads moving between on-premises and off-premises resources. Campus networks have to not only interface with off-premise and public clouds but ensure the same application performance, security, and policy adherence for those workloads as if they were still on-premises.

Security trends and considerations

All of these new connections open up profound security implications. Each new connection is a potential attack vector. Attacks are becoming more and more sophisticated, and worse, they are often obscured via encryption. Campus networks must be able to secure these new connections by detecting anomalies and recognizing potentially malicious behaviors and patterns in real-time at scale.

Business Use Cases

Catalyst 9000 switches extend Cisco's networking leadership with breakthrough innovations in IoT, mobility, cloud and security.

Enabling the IoT Use Case

There are many new devices being connected to the network such as sensors, alarm systems, HVAC systems, badge readers, and so on that have not traditionally been connected or have been using proprietary protocols. The Catalyst 9000 platforms, together with Cisco Identity Services Engine (ISE), are able to automatically profile these devices, provide security and segmentation, and apply policies to them.

Devices are starting to advertise their services using the Bonjour DNS protocol. DNA Service for Bonjour delivers visibility to these services across locations and segments of the network, assigns policy based on these services, and orchestrates all of this from a centralized point with DNA Center.

Some IoT devices, such as LED lighting, require always-on power. The Catalyst 9000 supports Perpetual PoE and Fast PoE to keep the lights on while the switch reloads.

In order to support professional media and audio applications, Catalyst 9000 supports Audio Video Bridging (AVB) and IEEE 1588 timing.

The bottom line: The Catalyst 9000 is the ideal platform for connecting the Internet of Things.

Enabling the Mobility Use Case

Wired and wireless networks have historically been built and operated by different teams. Catalyst 9000 with SD-Access delivers central orchestration and the assurance of a single, integrated wired and wireless network. This allows the network to scale seamlessly without bottlenecks as more wireless clients are added to the network. The APs connect directly to the Catalyst 9000 switches for data plane forwarding directly in hardware.

The policies for wired and wireless are the same in this network architecture. Network segmentation and group-based policies are consistent between wired and wireless traffic, making operations simple.

The SD-Access architecture delivers simplified and seamless roaming for devices across the network.

The Catalyst 9000 delivers the industry's highest mGig and PoE capacity allowing customers to build the densest wireless environments, leveraging 802.11ac Wave 2 and future wireless innovations.

The bottom line: Catalyst 9000 offers the optimal foundation for converging wired and wireless access.

Enabling the Cloud Use Case

In order to make deployment and operation of the network more agile, Cisco has added a programmatic framework and tools to drive use of automation through NETCONF, RESTCONF, and gNMI APIs with YANG models.

Streaming telemetry facilitates near-real-time visibility to operational data.

The Catalyst 9000 supports application hosting with local storage enabling fog computing and network function virtualization. This supports distributed intelligent agents infused into the network for analytics, assurance, security, and cloud-connected applications. Customers are able to host third-party applications on the Catalyst 9000 platforms, making this the most flexible platform in the industry.

The bottom line: Catalyst 9000 is an open and fully programmable platform for enabling the move to cloud.

Enabling the Security Use Case

There are a diverse and growing set of devices connecting to enterprise networks. Network segmentation may be used to constrain devices and users so that communication is only possible once allowed. Catalyst 9000 platforms support numerous segmentation capabilities at a macro network segment and micro user or device group level with support in hardware for SD-Access, MPLS, VRF-Lite, and TrustSec.

As more network traffic is becoming encrypted, it is critical that these threats are detected and mitigated at the point where it connects to the network. The Catalyst 9000 detects and mitigates malware hiding in encrypted traffic using Encrypted Traffic Analytics (ETA). Even better, ETA detects anomalies in encrypted traffic without decrypting it.

The platforms collect metadata in hardware about all the flows traversing the network, using full Flexible NetFlow. Combining this with Cisco Security solutions, such as Cisco Stealthwatch, provides detection of denial-of-service attacks and other malicious activity.

With the Catalyst 9000, the links between switches can be encrypted using up to 256-bit AES MACsec, operating at line rate. This encryption can also be used for connections between the switch and endpoints.

Finally, the Cisco Trustworthy Systems security solution protects the network switches themselves. A holistic approach provides comprehensive verification of hardware and software integrity by securing the device, network communications, and hosted applications.

The bottom line: Catalyst 9000 provides the most secure switching environment in the network industry.

Catalyst 9000 Family

Overview

The new Cisco Catalyst 9000 switching platform is the next generation in the Cisco Catalyst family of enterprise LAN access, distribution, and core switches. It is the first purpose-built platform designed to take advantage of Cisco DNA and SD-Access. This new switching system extends Cisco's networking leadership with breakthrough innovations in mobility, IoT, the cloud, and security. Leveraging the UADP ASIC, the Cisco Catalyst 9000 platform delivers much higher performance and adds a host of new features and functionality.

DIAGRAM Catalyst 9000 Switches

The Catalyst 9000 switching platforms are built on a common and strong hardware and software foundation. The commonality and consistency bring simplicity and ease of operations for network engineers and administrators, reducing total operational cost, and creating a better experience.

Common Hardware

The hardware has a common design, both internally and externally. Internally the hardware uses a common ASIC, the Unified Access Data Plane (UADP) ASIC, providing flexibility for packet handling. The hardware also has another common component, namely, the switch CPU. For the first time in the history of Catalyst switches, there is an x86-based CPU onboard, allowing it to host additional applications beyond those normally possible on a network switch.

Externally the hardware is designed by one of the best designers of the world - Pininfarina, designer of the famous Ferrari. This level of industrial design brings an enhanced user experience for the Catalyst 9000 family. It provides ergonomic design and common attributes that simplify device operations. More details are provided in Chapter User-Centric Platform Design.

Common Software

The Catalyst 9000 family of switches run the exact same binary image of Cisco IOS XE. Cisco IOS XE is an enhanced, open and programmable OS. With a -year history behind it and thousands of features, Cisco IOS XE is arguably the most feature-rich OS in the networking industry. Having a single binary image shared across Catalyst 9000 platforms enables end-to-end feature support and allows feature parity at any point in the network. This also helps with qualifying software releases as only a single image is needed to be tested for the entire campus network.

The strong hardware and software foundation of Catalyst 9000 enables it to face the challenges of enterprise networks today. At the same time, it brings consistency and simplicity for customers. The Catalyst 9000 family has three members - Catalyst 9300 stackable, Catalyst 9400 modular chassis, and Catalyst 9500 fixed-configuration core. These platforms are discussed in further detail in the following chapters.

Catalyst 9300

The Cisco Catalyst 9300 Series is Cisco's lead stackable enterprise fixed switching platform. At 480 Gbps of stacking bandwidth and with up to eight devices in a stack, it is the industry's highest-density stacking bandwidth solution.

DIAGRAM Catalyst 9300

Platform Overview

All models of Catalyst 9300 are 1 RU high with dual power supplies and redundant fans. Different models offer a variety of connectivity and scale. These models can be organized into four sub-families. Every sub-family has 24-port and 48-port copper models:

• Data-only models - Optimized for devices such as desktops and printers that just need data connectivity from 10 Mbps to 1 Gbps.

• PoE/PoE+ models - Provide the same capability as the data models plus added support for 30W of Power over Ethernet (PoE+). All the ports support PoE / PoE+ and all ports can be active simultaneously with PoE+.

• UPoE models - These models provide the same capability as the PoE+ models with the added support of 60W of PoE. Any of the ports can be configured with UPoE, but the maximum available total PoE power per switch is W.

• mGig models - Provide connectivity at multiple speeds up to 10 Gbps on mGig ports. Wireless access points supporting 802.11ac Wave 2 are the most common devices requiring mGig connectivity, but wired connections to desktops can also benefit. All ports on these models support UPoE, but the total available PoE per switch is W. There are two different models in this sub-family:

  • 24-port mGig: All ports support 100 Mbps, 1 Gbps, 2.5 Gbps, 5 Gbps, and 10 Gbps.
  • 48-port mixed mGig: The first 36 ports support 100 Mbps, 1 Gbps, and 2.5 Gbps. The last 12 ports support the full range of mGig speeds.

Network Modules

All Catalyst 9300 switches have an optional slot for uplink network modules. There are four variants of uplink modules. In addition, the ports on these modules are not limited to uplink connectivity; they can be used to connect to hosts as well.

• 1G RJ-45 ports supporting 10 Mbps, 100 Mbps, and 1 Gbps, and mGig ports (no PoE).
• 10G SFP+ / SFP ports.
• 40G QSFP+ ports.
• 25G SFP28 ports.

Catalyst 9300 switches are compatible with Catalyst 3850 uplink modules. However, Catalyst 9300 uplink modules are not compatible with the Catalyst 3850.

Architecture

The non-mGig models of the Catalyst 9300 are powered by a single UADP 2.0 ASIC. The mGig models are equipped with two UADP 2.0 ASICs. All ports on the Catalyst 9300 operate at line rate for all packet sizes.

DIAGRAM Catalyst 9300 Architecture

StackWise-480

Catalyst 9300 provides the ability to stack up to eight switches, combining them together to operate as a single, logical switch. This allows network engineers to manage, configure and troubleshoot the stack of switches as one. Chapter High Availability provides additional details on the operation of StackWise-480.

Power Supply and Fan

Catalyst 9300 switches support dual redundant power supplies. These power supplies are available in 350W AC, 715W AC, 1100W AC, and 715W DC options. The power supplies can be mixed in any combination, for example, AC and DC.

Catalyst 9300 switches are equipped with three field-replaceable fans. These fans are operated in an N+1 redundant mode.

StackPower

The Catalyst 9300 provides the ability to create a shared pool of power using dedicated stack power cables. In the event of a power supply failure or more PoE power draw, the switch can utilize the power from the shared pool to support the extra load. Stack power can be deployed in two modes: power-sharing and redundant mode. Additional details are provided in Chapter High Availability.

Catalyst 9400

The Cisco Catalyst 9400 Series is Cisco's leading modular enterprise switching access platform. It provides unparalleled investment protection with a chassis architecture capable of supporting up to 9 Tbps of system bandwidth. It also offers unmatched power delivery for high-density PoE deployments, delivering W Power over Ethernet to endpoints. The 9400 Series delivers state-of-the-art High Availability with capabilities such as dual supervisors and N+1/N+N power supply redundancy. The platform is enterprise-optimized with an innovative dual-serviceable fan tray design and side-to-side airflow and is closet-friendly with a ~-inch depth. A single system can scale up to 384 access ports.

DIAGRAM Catalyst 9400 Family

Platform Overview

Catalyst 9400 switches provide up to 480G per slot bandwidth. There are three models that offer different densities to fit different size requirements: 4-slot, 7-slot, and 10-slot chassis. All three chassis options provide dual supervisor slots for maximum availability. The chassis is designed to support more than G of bandwidth between the two supervisor slots, which will enable a future supervisor to support multiple G ports. With the growing need for increased Power over Ethernet, the chassis has the capability of providing more than W of PoE power per slot.

Architecture

The Catalyst 9400 is based on a centralized architecture, which means all forwarding, services, and queuing are done on the supervisor while the line cards are considered transparent, containing only stub ASICs and PHYs. The simplicity of this centralized design allows easy upgrade of features by just upgrading the supervisor while keeping the existing line cards. This provides significant investment protection.

DIAGRAM Catalyst 9400 Architecture

Supervisors

There are currently two versions of supervisor available for the Catalyst 9400: Sup-1 and Sup-1XL. Both supervisors are powered by UADP 2.0 XL ASICs. The three ASICs are interconnected through a G ASIC interconnect for packets passing between the ASICs.

The Sup-1 provides 80 Gbps of bandwidth per slot for all chassis models and is optimized for access deployments.

Sup-1XL provides 240 Gbps of bandwidth per slot in the 4-slot chassis, 120 Gbps of bandwidth per slot for the 7-slot chassis, and 80 Gbps per slot for the 10-slot chassis. Sup-1XL also adds support for different flexible templates to accommodate various deployment models such as access, distribution, core, SD-Access, or NAT.

UADP has Switch Link Interfaces (SLIs) connecting line card stub devices through the backplane. Each SLI, running at 40G rate with Sup-1/Sup-1XL, aggregates a group of front panel ports, known as an SLI port group. Future supervisors can run the SLIs at a higher speed and provide more bandwidth for the existing line cards. This provides additional investment protection for the existing line cards.

DIAGRAM Catalyst 9400 Supervisor-1XL Architecture

Supervisor Uplinks

Both Sup-1 and Sup-1XL have 8 SFP / SFP+ ports and 2 QSFP+ ports on the front. The architecture of Sup-1 and Sup-1XL provides 80G total uplink bandwidth and supports 1G / 10G / 40G interfaces. Interfaces 1-8 support 1G / 10G SFP / SFP+, and interfaces 9 and 10 support 40G QSFP+ optics.

Line Cards

Catalyst 9400 switches offer mGig, Cisco UPoE, data and 10G line cards for different connectivity requirements.

• Copper RJ-45 modules:

  • 48-port data line card: All ports on this module support 10 Mbps, 100 Mbps, and 1 Gbps.
  • 48-port PoE+/PoE line card: All features supported on the data line card with added support for PoE+ (30W) and PoE (15.4W).
  • 48-port UPoE line card: All features supported on the PoE+/PoE line card with added support of UPoE (60W). All ports within the slot can provide UPoE simultaneously.
  • 48-port mGig line card: The first 24 ports are the traditional 10/100/1000 copper RJ-45 ports and the last 24 ports are mGig ports that support 100 Mbps, 1 Gbps, 2.5 Gbps, 5 Gbps and 10 Gbps. All ports on this module support UPoE (60W), PoE+ (30W) and PoE (15.4W). All ports within the slot can provide UPoE simultaneously.

• Fiber SFP/SFP+ modules:

  • 24-port SFP line card: Supports 100 Mbps and 1 Gbps speeds.
  • 48-port SFP line card: Double the density compared to the 24-port SFP line card.
  • 24-port SFP+/SFP line card: Supports 100 Mbps, 1 Gbps, and 10 Gbps. These ports provide connectivity to 10G hosts as well as to uplink devices.

Line Card Slot Bandwidth

The three diagrams below illustrate how the Sup-1XL bandwidth is being utilized for line card support in the 4-slot, 7-slot, and 10-slot chassis and also show the distribution of the number of SLIs to each line card.

DIAGRAM 4 Slot Chassis

4-slot chassis: 6 SLIs are active for each line card slot. Each UADP services one line card.

DIAGRAM 7 Slot Chassis

7-slot chassis: 3 SLIs are active for each line card slot. Each UADP services line cards.

DIAGRAM 10 Slot Chassis

10-slot chassis: 2 SLIs are active for each line card slot. Each UADP services line cards.

Line Card Oversubscription

All variants of 1G line cards operate at line rate for all packet sizes. The 10G fiber line card and mGig line cards are oversubscribed with Supervisor-1 and -1XL. Also important to note is that line cards are designed to take advantage of higher per-slot bandwidth with future supervisors by running a greater number of SLIs at a higher speed.

Line Card Performance Mode

With the oversubscribed 10G modules, if 10G line rate performance is needed, both the 24-port SFP / SFP+ and the mGig line card can be enabled for maximum performance. When performance mode is enabled, the system uses only one 10G port in each SLI port group.

The following diagram shows the SLI port group mappings for the 10G fiber line card with the 7-slot and 10-slot chassis.

DIAGRAM 7-slot and 10-slot SLI Port Groups
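As an added illustration of the SLI port group mechanism described above (this is example code written for this page, not code from the book or from Cisco), the following Python model computes the oversubscription ratio of a line card, which ports stay active when performance mode is enabled, and the bandwidth each active port is guaranteed in either mode. The port count, SLI count, SLI rate and the "first port of each group" mapping are constructed assumptions, not the figures of any real supervisor or line card.

```python
"""Model of Catalyst 9400 SLI port groups and line card performance mode.

Added example, not code from the book or from Cisco. All figures used in
the sample at the bottom (port count, SLI count, SLI rate) are constructed
placeholders and do not describe any real supervisor or line card.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LineCardSlot:
    """A line card seated in a slot, seen from the supervisor's SLIs."""
    name: str
    ports: int          # front-panel ports on the card (constructed value)
    port_gbps: float    # speed of each front-panel port
    slis: int           # SLIs the supervisor runs to this slot
    sli_gbps: float     # rate each SLI runs at with this supervisor

    def port_groups(self) -> List[List[int]]:
        """Split the front-panel ports into one contiguous group per SLI.

        Assumption: ports are numbered from 1 and assigned to SLIs in
        order; this is how the model maps them, not necessarily how the
        real backplane does.
        """
        if self.ports % self.slis:
            raise ValueError("ports must divide evenly into SLI port groups")
        size = self.ports // self.slis
        return [list(range(g * size + 1, (g + 1) * size + 1))
                for g in range(self.slis)]

    def oversubscription(self) -> float:
        """Ratio of front-panel demand to SLI capacity (1.0 means line rate)."""
        return (self.ports * self.port_gbps) / (self.slis * self.sli_gbps)

    def active_ports(self, performance_mode: bool) -> List[int]:
        """Ports that carry traffic: every port in normal mode, only the
        first port of each SLI port group when performance mode is on."""
        if not performance_mode:
            return [p for group in self.port_groups() for p in group]
        return [group[0] for group in self.port_groups()]

    def guaranteed_gbps_per_port(self, performance_mode: bool) -> float:
        """Worst-case bandwidth an active port is guaranteed when every
        active port in its SLI port group transmits at the same time."""
        active_per_group = len(self.active_ports(performance_mode)) // self.slis
        share = self.sli_gbps / active_per_group
        return min(share, self.port_gbps)   # a port never exceeds its own speed


def compare_modes(card: LineCardSlot) -> Dict[str, Dict[str, object]]:
    """Summarise both modes for one card so the trade-off is visible:
    fewer usable ports in performance mode, but each at full line rate."""
    return {
        mode: {
            "active_ports": card.active_ports(perf),
            "guaranteed_gbps_per_port": card.guaranteed_gbps_per_port(perf),
        }
        for mode, perf in (("normal", False), ("performance", True))
    }


if __name__ == "__main__":
    # Constructed sample: a 24-port 10G card fed by four 40G SLIs (hypothetical).
    sample = LineCardSlot("hypothetical-24x10G", ports=24, port_gbps=10,
                          slis=4, sli_gbps=40)
    print(f"oversubscription {sample.oversubscription():.2f}:1")
    for mode, info in compare_modes(sample).items():
        print(mode, info)
```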

Stateful Switchover (SSO)

Catalyst 9400 supports redundant supervisors with SSO. In SSO mode, the redundant supervisor engine is fully synchronized with the configuration on the active supervisor. It subsequently maintains states for different protocols and minimizes the time the switch is unavailable during a supervisor failure or switchover. Additional details are provided in Chapter High Availability.

In-Service Software Upgrade (ISSU)

ISSU is an upgrade process available on the Catalyst 9400 to allow upgrading supervisor software while traffic forwarding continues. This process is built on top of Stateful Switchover. ISSU increases network availability and reduces downtime caused by planned software upgrades. Additional details are provided in Chapter High Availability.

Power Supply

The power supplies for the Catalyst 9400 come in a small form factor while providing high capacity and efficient output. The 7-slot and 10-slot chassis provide eight power supply bays while the 4-slot chassis provides four power supply bays. The Catalyst 9400 combines N+1 and N+N redundant options for power supplies. Additional details are provided in Chapter High Availability.

Fan Tray

The fan tray of the Catalyst 9400 contains multiple individual fans operating in an N+1 redundant mode. Fans operate at variable speeds based on the system temperature and altitude. This makes efficient use of the power and provides lower noise levels. The fan tray on the Catalyst 9400 can be replaced from the front or the rear of the chassis. This is a tremendous help with operations and reduces downtime, since the cable management for wiring in a typical wiring closet could make it unwieldy to remove the cables from the front of the chassis to service the fan tray.

DIAGRAM Catalyst 9400 Fan Tray

Catalyst 9500

Catalyst 9500 Series switches are the industry's first purpose-built fixed 1-RU core and distribution layer switches. These switches deliver exceptional table scales (MAC / route / ACL) and buffering capabilities. This platform delivers up to terabits per second of switching capacity and up to billion packets per second of forwarding performance. The platform offers non-blocking 100 Gigabit Ethernet (QSFP28), 40 Gigabit Ethernet (QSFP+), 25 Gigabit Ethernet (SFP28) and 10 Gigabit Ethernet (SFP+) switches with granular port densities.

DIAGRAM Catalyst 9500

Platform Overview

The Cisco Catalyst 9500 platform consists of fixed configuration switches based on the Cisco Unified Access Data Plane (UADP) ASIC architecture. The platform runs on the Cisco IOS XE operating system that supports model-driven programmability, has the capacity to host containers, and can run 3rd-party applications and scripts natively within the switch. The platform also supports all the foundational high-availability capabilities including dual redundant power supplies and variable-speed, highly efficient redundant fans.

100 Gigabit Ethernet Switches

• C9500-32C - Cisco Catalyst 9500 Series high-performance switch with 100GE ports and UADP 3.0 ASICs.

• C9500-32QC - Cisco Catalyst 9500 Series high-performance switch with 100GE or 40GE ports and UADP 3.0 ASICs.

40 Gigabit Ethernet Switches

• C9500-24Q - Cisco Catalyst 9500 Series switch with 40GE ports and UADP 2.0 ASICs.
• C9500-12Q - Cisco Catalyst 9500 Series switch with 40GE ports and UADP 2.0 ASICs.

25 Gigabit Ethernet Switches

• C9500-48Y4C - Cisco Catalyst 9500 Series high-performance switch with 25GE + 40/100GE ports and UADP 3.0 ASIC.
• C9500-24Y4C - Cisco Catalyst 9500 Series high-performance switch with 25GE + 40/100GE ports and UADP 3.0 ASIC.

10 Gigabit Ethernet Switches

• C9500-40X - Cisco Catalyst 9500 Series switch with 1/10GE ports and UADP 2.0 ASICs.
• C9500-16X - Cisco Catalyst 9500 Series switch with 1/10GE ports and UADP 2.0 ASIC.

Architecture

The Catalyst 9500 switches operate at line rate and offer configurable system resources to optimize support for specific features. The switch architecture consists of three main components:

• UADP ASIC,
• CPU complex, and
• ASIC interconnect.

UADP ASIC

The Catalyst 9500 family of switches is built on two variants of the UADP ASIC: UADP 2.0 and UADP 3.0. The architecture of both ASICs is similar, but they differ in switching capacity, port density, port speeds, buffering capability and forwarding scalability.

The UADP 2.0 ASIC is built using -nanometer technology with two cores, with each core capable of supporting up to Gbps of bandwidth for a total of Gbps, supporting a maximum forwarding capacity of M packets per second. Switches equipped with the UADP 2.0 ASIC support a total of up to K IPv4 / K IPv6 hardware tables, up to K of security ACL TCAM, and MB of shared buffer.

The UADP 3.0 ASIC is built on -nanometer technology using two cores, with each core capable of supporting up to Gbps of bandwidth for a total of Tbps, supporting a maximum forwarding capacity of B packets per second. Switches equipped with the UADP 3.0 ASIC support a total of up to K IPv4 / IPv6 hardware table entries, up to K of security ACL TCAM, and MB of unified buffer.

x86 CPU Complex

The Catalyst 9500 series switches are all equipped with the same CPU, system memory, and flash storage. Catalyst 9500 series switches come with a GHz quad core CPU, GB DDR RAM, and GB of internal flash storage. For application hosting or general purpose storage, these switches support USB 3.0 SSD storage, and models equipped with UADP 3.0 support up to GB M2 SATA SSD storage options.

ASIC Interconnect

Catalyst 9500 switches use high-speed ASIC interconnect links for inter-ASIC communication. UADP 2.0 has up to Gbps of interconnect bandwidth and UADP 3.0 has up to Gbps of interconnect bandwidth between two ASICs. Packets destined to local ports within the ASIC do not use the ASIC interconnect links.

DIAGRAM Cisco Catalyst 9500 Switch Block Diagram - UADP 2.0

DIAGRAM Cisco Catalyst 9500 High-Performance Switch Block Diagram - UADP 3.0

Network Modules

The Cisco Catalyst 9500 Series supports optional network modules for uplink ports on the C9500-40X and C9500-16X switch models. The default switch configuration does not include the network modules. All ports on the network module are line rate and all software features supported on switch downlink ports are also supported on network module ports. These switches support Online Insertion and Removal (OIR) of the network modules.

DIAGRAM Catalyst 9500 Network Modules

Power Supply

The Catalyst 9500 switch supports up to two AC or DC small form factor platinum-rated power supply units for a total system capacity of up to W, W & W. Power supplies can be installed in the following combinations: two AC, two DC or a mix of AC and DC power supplies. The power supplies work together in redundant load-sharing mode, in which each power supply operates at approximately 50 percent of its capacity. If one power supply fails, the other power supply can provide power for the entire system. These switches support OIR for power supplies.

Fan and Fan-Tray

Cisco Catalyst 9500 switches have a total of five independent fans or dual fan trays depending on the SKU. Each individual fan operates at variable speeds. The hardware is capable of accommodating a failure of up to one individual fan or fan tray. The remaining fans will automatically increase their RPM to compensate and maintain sufficient cooling. These switches support OIR of the fans or fan trays for up to seconds.

25G and 100G - Enabling Higher Speeds in Enterprise

Cisco has been pioneering several initiatives to bring new Ethernet technologies to market. These include 100GBASE Quad Small Form-Factor Pluggable (QSFP28) and 25GBASE Small Form-Factor Pluggable (SFP28). The 25GBASE options include dual-rate optics (10G and 25G) supporting enterprise campus distances to facilitate next-generation network speed and architecture transformations. These innovations enable flexible options and backward compatibility to drive network speeds beyond the current 10G and 40G capabilities while minimizing cost and real estate changes.

Cisco Catalyst 25G & 100G Switch Portfolio

Catalyst 9000 switches are the foundation for the next-generation 25G and 100G-enabled high-speed enterprise campus network. To support these newer speeds in core and distribution, Cisco offers a full suite of switch options with industry-leading port density and flexibility.

Cisco 25G Optics Portfolio

The Cisco 25GBASE SFP28 portfolio offers customers a wide variety of high-density and low-power 25 Gigabit Ethernet connectivity options for the evolving campus network.

Features and Benefits of Cisco 25G Optics

• Support for dual rate optics in enterprise networking to provide unsurpassed investment protection
• Interoperable with other IEEE-compliant 25G interfaces where applicable
• Certified and tested for superior performance, quality, and reliability
• High-speed electrical interface compliant to IEEE 802.3by

For more information, refer to Cisco 25GBASE SFP28 optics and copper modules.

Cisco 100G Optics Portfolio

The Cisco 100GBASE QSFP28 portfolio offers customers a wide variety of high-density and low-power 100 Gigabit Ethernet connectivity options for enterprise core and distribution layers. In a 3-tier campus network, as the distribution layer moves to 25G or 40G, it is desirable to have a 100G-enabled core. It is important to note that the form factors of 40G and 100G optics are compatible.

Features and Benefits of Cisco 100G QSFP28 Optics

• Hot-swappable input/output device that plugs into a 100 Gigabit Ethernet Cisco QSFP28 port.
• Interoperable with other IEEE-compliant 100GBASE interfaces where applicable.
• Certified and tested for superior performance, quality, and reliability.
• High-speed electrical interface compliant to IEEE 802.3bm.

For more information, refer to Cisco 100GBASE QSFP28 optics and copper modules.

Packaging, Licensing and Support

Catalyst 9000 has a new, simple licensing model. The previous generation of switches had different license types (LAN Base, IP Base, IP Services, and Enterprise Services), with the added complexity that they were not the same across the multiple Catalyst switch families. The Catalyst 9000 family uses the same software packaging and licensing model across all platforms.

The new model provides the following benefits:

• simplifies the packaging of features,
• delivers a more cost-effective solution for consuming features, and
• lowers up-front costs by adding more features and support.

Software Packages and Licenses

The Catalyst 9000 offers two software packages:

• Essentials - provides the baseline network functionality used to operate a network.

• Advantage - includes all the functionality in the Essentials package and adds advanced capabilities such as advanced security, availability, automation, and assurance.

Each software package comes with two licenses: a perpetual license that stays with the hardware for the life of the device, and a subscription license that is renewable at the end of its term. The two software license types are:

• Network - enables a base set of network functions perpetually.
• DNA - enables a set of unique platform and solution capabilities for a term of three, five or seven years.

A package is the combination of licenses, with a feature level:

• Essentials package = network-essentials license + dna-essentials license
• Advantage package = network-advantage license + dna-advantage license

When purchasing a Catalyst 9000 switch, one of these two software packages must be selected. As noted, the packages tightly couple the two licenses; the licenses may not be bought individually.

A high-level grouping of the functionality in each package is shown in the following diagram:

DIAGRAM Advantage and Essentials Packages

Advantage Package: DNA Advantage (includes DNA Essentials), 3, 5, 7 year terms; Network Advantage (includes Network Essentials), perpetual.
Essentials Package: DNA Essentials, 3, 5, 7 year terms; Network Essentials, perpetual.

Feature groupings shown in the figure (DNA license):
• Advanced Automation: SD-Access, Application Policy, LAN Automation, Encrypted Traffic Analytics, Embedded Event Manager, DNA Service for Bonjour, Third-party App Hosting
• Assurance & Analytics: Global Insights, Trends, Compliance, Custom Reports; Switch 360 & Wired Client 360; SD-Access and Switch Insights; Application Health, Application 360, Performance (Loss, Latency, Jitter)
• Basic Automation: PnP Application
• Basic Assurance: Health Dashboards (Network, Client, Application); Basic Switch & Wired Client Health Monitoring
• Element Management and Telemetry & Visibility: Patch Lifecycle Management, Software Image Management, Discovery, Inventory, Topology; ERSPAN, Full Flexible NetFlow, AVC (NBAR2), Wireshark

Feature groupings shown in the figure (Network license):
• Enhanced Security Controls: MACSEC-256
• Flexible Network Segmentation: VRF, VXLAN, LISP, SGT, MPLS
• Essential Switch Capabilities: Layer 2, Routed Access (RIP, EIGRP Stub, OSPF (1000 routes)), PBR, PIM Stub Multicast (1000 routes), PVLAN, VRRP, CDP, QoS, FHS, 802.1x, Macsec-128, CoPP, SXP, IP SLA Responder, SSO, SPAN, RSPAN
• DevOps Integration: Netconf, Restconf, gRPC, Yang Data Models, GuestShell (On-Box Python), PnP Agent, ZTP
• IoT & Mobility: CoAP, AVB, PTP
• High Availability & Resiliency: NSF, GIR, Stackwise Virtual*, ISSU/FSU, Patching (CLI)
• Full Routing Functionality: BGP, HSRP, OSPF, ISIS, GLBP
• Network Multicast: MSDP, mVPN, AutoRP, PIM-BIDIR
• Telemetry & Visibility: Model-driven Telemetry, Sampled NetFlow

Note: Not all functionality is available across all platforms.

For a complete list of the features in each package, use the Cisco Feature Navigator.

Technical Support

Technical support for the Catalyst 9000 family covers both the hardware and the feature packaging just discussed. For technical assistance with troubleshooting hardware problems and providing replacement components or chassis, Cisco provides the following general options:

• An Enhanced Limited-Lifetime Warranty covering:

- days of Technical Support beginning on the date of initial purchase from Cisco's Technical Assistance Center (TAC).
- Hardware troubleshooting and replacement honored for the life of the switch.

For terms and conditions, please refer to the Enhanced Limited-Lifetime Warranty on www.cisco.com.

• Premium services available through Cisco or a Cisco partner, including both technical support and hardware replacement.

- Consult your Cisco or Partner sales teams for available offers.

Software support comes in the following forms:

• The switch base functionality enabled by its Network license is valid for the device's lifetime. Software updates for Network-licensed components are perpetual.
• days of Technical Support for the switch base functionality, beginning on the date of initial purchase from Cisco's Technical Assistance Center (TAC).

For terms and conditions, please refer to the Enhanced Limited-Lifetime Warranty on www.cisco.com.

• Software support for those features enabled through a switch's DNA Essentials or DNA Advantage license is included while the subscription is valid. Support for these features ends once the subscription expires.

Note that even though DNA license subscriptions are term-based, once they expire, any features unlocked by the license continue to function. However, once the license term expires, all technical support for features covered by the expired DNA license also ends.

ASICs - The Power of Programmable Silicon

What is an ASIC?

An Application Specific Integrated Circuit (or ASIC) is a silicon microchip designed for a specific task (e.g. bridging or routing packets), rather than being used for general-purpose processing like a CPU. ASICs are fundamental to how an Ethernet switch works.

ASICs are custom-designed for the products they are part of and the solutions they support. In a network switch, an ASIC handles packet recognition, manipulation and L2/L3 forwarding at extremely high speeds (tens or hundreds of gigabits per second, trending towards terabits per second), while also providing a rich set of services for the traffic, such as prioritization (e.g. QoS), accounting (e.g. NetFlow), segmentation (e.g. VRFs and SGTs), traffic filtering and enforcement (e.g. ACLs), path selection (e.g. PBR), and much more.

ASIC microchips are measured in nanometers (billionths of a meter). This is the size of the various components, such as transistors, that the ASIC is built from. The three main advantages of smaller ASICs are:

• increased speed (electrons have shorter distances to travel),
• lower power consumption and less energy wasted as heat,
• lower cost (improved chip yield by decreasing the chance of hitting a silicon defect).

Modern ASICs are generally manufactured at sizes ranging from to nanometers, with some newer models as small as nanometers.

DIAGRAM Microchip Packaging

Why Do We Need ASICs?

A generic CPU is too slow for forwarding traffic in a switch. While a general-purpose CPU may be fast at running random-access applications on a laptop or server, manipulating and forwarding network traffic is a different matter. Traffic handling requires constant lookups against large memory tables (e.g. L2 tables for MAC addresses, L3 tables for IP routes, L4 ACLs for security and QoS, etc.).

In a generic CPU, all of these tables are held in off-chip memories (not located on the CPU itself) and incur significant performance penalties for frequent memory access. There are also limited data paths and buffers to handle incoming packets (remember, this is millions or even billions of packets per second). Once packets have been received and queued, the CPU must perform the actual processing functions: finding destination lookups, rewriting packet formats, etc. For these reasons, a CPU is not well suited for this purpose.

DIAGRAM Traditional CPU - More Flexibility, Less Performance, Cost Neutral

The bottom line: CPUs are flexible but slow. ASICs are necessary to meet the requirements of enterprise networks.

The following chapters examine both traditional types of network ASICs and the latest state-of-the-art programmable ASICs. Administrators will discover not only why ASICs are central to how a switch operates, but also how modern ASICs form the foundation of the enterprise network, now and in the future.

Why Programmable ASICs?

Traditional ASICs

Many ASICs have been used in Cisco switches and routers over the years. Each of these ASICs was designed and developed for the specific features and scale needed for different roles in the campus network. Each also has different capabilities, speeds, and scaling properties suited to its role in the network.

However, they all have something in common: this class of networking ASICs is known as fixed ASICs. All aspects of these ASICs (behavior, speed, scale, etc.) are 'baked into' them as part of the manufacturing process and cannot be changed without creating a whole new version of the ASIC.

Another reason they are called fixed ASICs is their processing behavior. As the name suggests, all incoming packets are subject to a fixed series of steps known as a processing pipeline. The typical fixed ASIC processing pipeline stages are mostly similar to the following:

• Parse incoming packets (examine headers).
• Layer 2 processing (e.g. MAC lookup).
• Layer 3 processing (e.g. IP lookup).
• Policy processing (e.g. ACL lookup).
• Packet rewrite and traffic counters.
• Queue scheduling and transmission.

DIAGRAM Traditional ASIC - Processing Pipeline

It is also worth noting that, because of the way fixed ASICs are designed and manufactured, along with the time needed to integrate the ASIC into a network switch, it can often take many years before the final product is delivered. Fixed ASICs are very cost-effective and efficient, but they are not flexible or adaptable: they can only handle the types of packets that the chip is hard-wired to process.

DIAGRAM Traditional ASIC - More Performance, Less Flexibility, Cost Neutral

Network and Protocol Evolution

Why do ASICs need to change? To provide an example, the ASIC in the Catalyst can only forward IPv4 and IPv6 packets in hardware. It was designed before VXLAN was developed, so it cannot handle VXLAN in hardware. Since it is a fixed ASIC, it is not possible to change the processing pipeline to handle new protocols such as VXLAN. An entirely new ASIC would need to be created.

This lack of flexibility may have been acceptable when networks, and the related protocols, did not change much. In the new era of networking, however, everything is "Software-Defined", with ever-evolving protocols and scale requirements. This requires ASICs to support new packet formats and encapsulations such as VXLAN-GPO, GPE, and NSH.

The bottom line: Traditional fixed ASIC architecture, and thus the network itself, requires hardware replacement to adopt the advanced and innovative capabilities that our new software-defined world demands.

Programmable ASICs

How to get the best of both worlds? How to get the speed we need for multi-gigabit or multi-terabit network devices and also the flexibility to keep pace with new network innovations? These questions led to the concept of programmable ASICs: flexible network microchips designed to adapt to new capabilities as the need emerges, yet still offer the performance networks demand.

Early attempts led to the development of the Field Programmable Gate Array (FPGA). These are essentially simplified ASICs, with reprogrammable logic gates, that can change their original behavior after manufacturing. Although FPGAs do provide a level of flexibility, they are actually very expensive to develop and support. They are not built for any particular task and have little or no onboard memory (requiring other chips to provide memory access).

These limitations typically relegate FPGAs to a special-purpose role in most network devices. An FPGA may be used to augment the packet forwarding capabilities of a fixed ASIC for that 'one special feature' the fixed chip does not have. For example, the Catalyst Supervisor- uses an FPGA to provide VXLAN encapsulation, which the switch ASIC does not support. It is usually too expensive to use FPGAs as the primary forwarding engine for a switch (design and manufacturing costs, board space, heat, and power). Ultimately, this raises the total cost of a switch that combines FPGA and ASIC designs to achieve flexibility.

DIAGRAM FPGA - More Cost, Moderate Flexibility, Moderate Performance

In summary: CPUs are flexible but do not scale for high-speed forwarding; fixed ASICs are fast and scalable but inflexible; and FPGAs are flexible and scalable but very expensive. What is the answer?

Cisco saw this need coming several years ago and, as a result of that foresight, designed and developed the flexible, programmable Unified Access Data Plane (UADP) ASIC.

The UADP ASIC combines the flexibility needed to address new and emerging networking protocols and encapsulations with the speed of a fixed ASIC, and the appropriate cost and scalability to address multiple different areas of the campus network: core, distribution, and access. With UADP, Cisco has truly begun an entirely new era of networking.

The following chapters explore the Unified Access Data Plane ASIC, which is at the heart of the Catalyst 9000 family of switches.

UADP - Programmable ASIC Silicon

UADP - Cisco's Flexible, Programmable Switching ASIC

The Unified Access Data Plane (UADP) ASIC forms the heart of the Catalyst 9000 family of switches. More specifically, the Catalyst 9000 switches are based on the latest generation of UADP ASICs, which evolved from earlier versions used in the Catalyst / switches.

Flexibility is the key attribute that makes UADP the ideal foundation for the world's most advanced switches. This enables the Catalyst 9000 family to:

• handle new frame encapsulations, allowing new features and protocols;
• reprogram their memory tables, allowing switches to adapt to changing needs;
• support multiple interface types and chassis configurations, to address evolving network designs;
• maintain consistent high performance, to address a growing diversity of applications;
• provide a rich, integrated set of flexible traffic handling and accounting services.

Flexibility At Every Stage

Flexibility has been designed into every aspect of UADP from the beginning. In UADP, almost every processing stage that would be present in a fixed-configuration chip has been replaced with a flexible counterpart.

The job of the parser stage is to recognize packet types and headers and analyze them for further processing in the ASIC pipeline. In traditional ASICs, the parser stage is fixed, making it impossible to upgrade the fixed ASIC to recognize or process new packet types and headers in hardware. The UADP contains a reprogrammable FlexParser that can parse a packet for different types of headers.

Unlike the traditional fixed-processing pipeline, the UADP multi-stage flexible pipeline (L2/L3 Forwarding, Policy, Rewrite, Queuing, etc.) is also completely reprogrammable via new microcode. There is an ingress pipeline and an egress pipeline, which is not available in most fixed ASICs.

DIAGRAM Programmable UADP - Processing Pipeline

Packet Recirculation

Traffic tunneling is a common design in modern networks. GRE, MPLS, and VXLAN are considered tunnels because they add an additional header to the outer portion of a packet when sending (known as encapsulation) and remove the header when the packet is received (known as decapsulation). Any time packets need to be tunneled in an ASIC, the original packet needs to be processed more than once (known as recirculation) to add the additional headers.

A quick review of what happens during tunneling reveals why. When a packet arrives and the ASIC decides (based on the switch configuration) that the packet needs to be sent through a tunnel (e.g. VXLAN), a new tunnel header needs to be added in front of the original packet, with the source IP of the local side of the tunnel and the destination IP of the remote side of the tunnel. Since the destination IP address has now changed to that of the remote side of the tunnel, the packet needs to be recirculated through the processing pipeline to be forwarded to this new destination, along with all of the policies that may apply to the tunnel.

DIAGRAM Programmable UADP - Packet Recirculation

In UADP, a packet can be recirculated in approximately 500 nanoseconds (half a microsecond). In the event that tunneling is required, the impact on forwarding performance is minimal. A packet can be recirculated up to times, while only two passes are normally required. The bandwidth available for recirculation is flexible, meaning packet recirculation can also use the spare bandwidth not currently being used by the front-panel switch ports.

This ability to recirculate packets many times, if necessary, enables even complex use cases to be accommodated by the UADP flexible pipeline architecture. Now that traffic tunneling is commonplace, it is apparent that UADP was built and optimized for tunneling.

Integrated Micro-Engines

Certain advanced functions executed by UADP may be very processing-intensive. Several tasks, such as fragmentation and encryption, are based on well-known fixed algorithms, and it may not make sense to waste cycles on them within the UADP pipeline. In such cases, an on-chip micro-engine is available that can process these well-known functions in parallel, thus saving the valuable UADP pipeline performance for other functions.

Some examples of micro-engine functions built into UADP include:

Encryption and Decryption - Security and data confidentiality are paramount in modern networks. Every UADP comes with two levels of hardware encryption built in. The first, operating at the port level at line rate on all UADP ports, is MACsec (802.1AE). MACsec provides link-level encryption to guarantee data confidentiality, meaning packets are encrypted during transmission to, and decrypted when received from, a MACsec-enabled link.

UADP also provides a Datagram Transport Layer Security (DTLS) micro-engine which can encrypt traffic based on packet formats such as CAPWAP and VXLAN. This can serve as the basis for encryption of tunnel overlay traffic. The UADP hardware also allows these two functions (MACsec and DTLS) to be combined on transit if desired. Both use the AES encryption algorithm with up to -bit keys, using Galois Counter Mode (AES--GCM).

Fragmentation - Any time the Maximum Transmission Unit (MTU) size of a link is exceeded in the network, the original packet may need to be fragmented and then reassembled at the other side. For example, when traffic is tunneled and the output interface MTU is too small to accommodate the tunnel header plus the original packet. UADP can handle fragmentation actions in hardware, unlike many other ASICs. This ability is important in environments where MTUs may not be easily adjusted end-to-end, and with the growing use of traffic tunneling.
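The recirculation and fragmentation cases described above, worked through in software as an added example (not UADP microcode or Cisco code): the VXLAN outer headers are built, the frame is run through a two-pass model where the second pass forwards on the outer destination IP, and the outer packet is fragmented when it exceeds the egress MTU. The MAC table, route table, VTEP addresses, MACs and port names are constructed for the illustration.

```python
"""VXLAN encapsulation, the recirculation pass it forces, and fragmentation when the
outer packet exceeds the egress MTU.  Added example, not UADP microcode or Cisco code:
the MAC/route tables, VTEP addresses, MACs and port names below are all constructed."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789                                  # IANA port for VXLAN (RFC 7348)
OUTER_ETH, OUTER_IP, OUTER_UDP, VXLAN_HDR = 14, 20, 8, 8
VXLAN_OVERHEAD = OUTER_ETH + OUTER_IP + OUTER_UDP + VXLAN_HDR   # 50 bytes added per tunneled frame


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the IPv4 header; yields 0 when run over a header whose checksum is filled in."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int, ident: int, flags_frag: int = 0) -> bytes:
    """Build a 20-byte IPv4 header (TTL 64, no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IP + payload_len, ident, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def vxlan_encapsulate(inner_frame: bytes, vni: int, local_vtep: str, remote_vtep: str, ident: int = 1) -> bytes:
    """Prepend outer Ethernet/IPv4/UDP/VXLAN headers: the tunnel header the text describes."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)        # I flag set, VNI in the upper 24 bits
    udp_len = OUTER_UDP + VXLAN_HDR + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)   # source port constructed; zero checksum is allowed for VXLAN/IPv4
    ip = ipv4_header(local_vtep, remote_vtep, udp_len, proto=17, ident=ident)
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), 0x0800)  # next-hop / local MAC (constructed)
    return eth + ip + udp + vxlan + inner_frame


def fragment_ipv4(packet: bytes, mtu: int) -> list:
    """Split an IPv4 packet (Ethernet header already stripped) into MTU-sized fragments; offsets count 8-byte units."""
    hdr, payload = packet[:OUTER_IP], packet[OUTER_IP:]
    if hdr[6] & 0x40:
        raise ValueError("DF set: must drop and signal 'fragmentation needed' instead")
    src = str(ipaddress.IPv4Address(hdr[12:16]))
    dst = str(ipaddress.IPv4Address(hdr[16:20]))
    ident = struct.unpack("!H", hdr[4:6])[0]
    chunk = (mtu - OUTER_IP) // 8 * 8                  # largest payload slice that keeps offsets aligned
    frags, offset = [], 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        more = offset + len(piece) < len(payload)
        flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag plus fragment offset
        frags.append(ipv4_header(src, dst, len(piece), hdr[9], ident, flags_frag) + piece)
        offset += len(piece)
    return frags


# Constructed forwarding state.  The MAC table answers the first pass (local port or tunnel);
# the route table answers the second, recirculated pass on the outer destination IP.
LOCAL_VTEP = "10.0.0.1"
MAC_TABLE = {"02:00:00:00:00:aa": ("tunnel", "10.0.0.2", 5000),   # host behind the remote VTEP, VNI 5000
             "02:00:00:00:00:bb": ("port", "Gi1/0/1")}             # locally attached host
ROUTE_TABLE = {"10.0.0.0/24": "Te1/0/48"}
PORT_MTU = {"Te1/0/48": 1500, "Gi1/0/1": 1500}


def forward(inner_frame: bytes) -> dict:
    """Two-pass model: pass 1 looks up the inner destination MAC; if the result is a tunnel, the
    frame is encapsulated and recirculated so pass 2 can forward on the outer destination IP."""
    dst_mac = ":".join("%02x" % b for b in inner_frame[:6])
    action = MAC_TABLE.get(dst_mac)
    if action is None:
        return {"passes": 1, "egress": None}            # unknown-unicast flooding is outside this model
    if action[0] == "port":
        return {"passes": 1, "egress": action[1], "bytes": len(inner_frame), "fragments": 1}
    _, remote_vtep, vni = action
    outer = vxlan_encapsulate(inner_frame, vni, LOCAL_VTEP, remote_vtep)
    egress = next(port for prefix, port in ROUTE_TABLE.items()
                  if ipaddress.ip_address(remote_vtep) in ipaddress.ip_network(prefix))
    ip_packet = outer[OUTER_ETH:]
    frags = fragment_ipv4(ip_packet, PORT_MTU[egress]) if len(ip_packet) > PORT_MTU[egress] else [ip_packet]
    return {"passes": 2, "egress": egress, "bytes": len(outer), "fragments": len(frags)}
```

A full-size 1514-byte inner frame grows to 1564 bytes on the wire and no longer fits a 1500-byte egress MTU, which is exactly the case the text says UADP handles in hardware.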

Integrated NetFlow - Accounting for all traffic moving through the network is important for multiple use cases. The most obvious is network baselining and capacity planning. Using NetFlow, the entire state of the end-to-end session (TCP or UDP) is tracked by the switch, allowing important information about the entire packet flow to be extracted and analyzed. UADP implements full Flexible NetFlow (FNF) collection capability in hardware. The Catalyst 9000 series is capable of collecting NetFlow statistics for every packet transiting the switch, as an inherent part of overall packet handling.

Cisco Encrypted Traffic Analytics (ETA) utilizes the NetFlow capability and inspects flows to extract vital information about them, such as the Initial Data Packet (IDP) exchange, as well as information about the Sequence of Packet Lengths and Times (SPLT) for encrypted transactions. By integrating this with Cisco Stealthwatch and cloud-based machine learning capabilities (using Cognitive Threat Analytics), a high-accuracy network 'fingerprint' analysis can be performed to determine whether the encrypted flow represents 'normal' Internet-bound traffic, or whether it may represent a threat posed by encrypted malware.
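The two ETA observables named above, the IDP and the SPLT, computed from a constructed flow as an added example (not Stealthwatch, Cognitive Threat Analytics or UADP code). The packet records and the TLS ClientHello are made up, and the timing-regularity score is a toy heuristic to show what a detector can read from a flow without decrypting it.

```python
"""The two ETA observables named in the text, computed from a constructed flow record:
the Initial Data Packet (IDP) with the TLS ClientHello fields it exposes, and the Sequence
of Packet Lengths and Times (SPLT).  Added example; the packets are made up and the
regularity score is a toy heuristic, not Stealthwatch or Cognitive Threat Analytics logic."""
from dataclasses import dataclass


@dataclass
class Pkt:
    ts_ms: float             # arrival time in milliseconds
    length: int              # wire length in bytes
    client_to_server: bool
    payload: bytes = b""     # application data, empty for pure TCP control packets


def initial_data_packet(flow):
    """IDP: the first packet carrying application payload. For TLS this is the ClientHello,
    which is visible in cleartext even though the rest of the session is encrypted."""
    return next((p for p in flow if p.payload), None)


def splt(flow, n=10):
    """SPLT: first n payload-carrying packets as (signed length, inter-arrival ms);
    the sign encodes direction (positive = client to server)."""
    out, prev = [], None
    for p in [p for p in flow if p.payload][:n]:
        gap = 0.0 if prev is None else round(p.ts_ms - prev.ts_ms, 1)
        out.append((p.length if p.client_to_server else -p.length, gap))
        prev = p
    return out


def parse_client_hello(payload: bytes) -> dict:
    """Minimal ClientHello parser: TLS version and offered cipher suites (extensions ignored)."""
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                           # record header (5) + handshake header (4)
    version = "%d.%d" % (payload[pos], payload[pos + 1])
    pos += 2
    pos += 32                                         # client random
    pos += 1 + payload[pos]                           # session id length + session id
    n = int.from_bytes(payload[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(payload[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    return {"version": version, "cipher_suites": suites}


def build_client_hello(version=(3, 3), suites=(0x1301, 0xC02F)) -> bytes:
    """Constructed ClientHello fixture (empty session id, null compression, no extensions)."""
    body = (bytes(version) + bytes(32) + b"\x00" + (2 * len(suites)).to_bytes(2, "big")
            + b"".join(s.to_bytes(2, "big") for s in suites) + b"\x01\x00" + b"\x00\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_gap_regularity(flow) -> float:
    """Coefficient of variation of client-side inter-arrival gaps between payload packets.
    Values near 0 mean metronomic timing, one of the SPLT traits a beaconing detector looks at."""
    ts = [p.ts_ms for p in flow if p.client_to_server and p.payload]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("nan")
    mean = sum(gaps) / len(gaps)
    variance = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return variance ** 0.5 / mean


# Constructed TLS session: TCP handshake, TLS handshake, then one request/response exchange.
TLS_FLOW = [
    Pkt(0.0, 74, True), Pkt(0.5, 74, False), Pkt(1.0, 66, True),           # TCP handshake, no payload
    Pkt(1.2, 250, True, build_client_hello()),                             # IDP
    Pkt(20.0, 1400, False, b"\x16\x03\x03" + bytes(100)),                  # ServerHello + certificate
    Pkt(21.0, 90, True, b"\x16\x03\x03" + bytes(30)),                      # key exchange
    Pkt(25.0, 300, True, b"\x17\x03\x03" + bytes(200)),                    # application data
    Pkt(40.0, 1200, False, b"\x17\x03\x03" + bytes(1000)),
]
```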

Policy and ACL - Using integrated Ternary Content Addressable Memory (TCAM) blocks located on-chip for maximum performance, the UADP ASIC provides multiple options for traffic classification and policy enforcement. TCAM matching provides the ability to match traffic flows using IPv4 or IPv6 addresses, special tags such as the Virtual Network (VN) ID and Scalable Group Tag (SGT), QoS, CoS, or DSCP values, or other packet markings. UADP can then apply the appropriate policies configured by the network administrator. Examples include permit/deny, QoS remarking, path selection, packet copy, and other actions. The UADP flexible pipeline can reference up to two packet matches for multiple parallel actions, without degrading performance.
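A software model of the ternary matching just described, added as an example (not UADP or IOS XE code): entries carry value/mask pairs per field, the first matching entry wins as in TCAM priority encoding, two tables are consulted in parallel for the security and QoS actions the text lists, and a covers check finds entries that can never be hit. The addresses, SGT and VN ID values and actions are constructed.

```python
"""Software model of the ternary (value/mask) matching a TCAM performs for policy lookup,
with a shadowed-entry check. Added example, not UADP or IOS XE code; the entries, tags and
addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

FIELD_WIDTH = {"src_ip": 32, "dst_ip": 32, "proto": 8, "dst_port": 16, "sgt": 16, "vn_id": 24, "dscp": 6}


@dataclass
class TcamEntry:
    action: str
    value: dict = field(default_factory=dict)   # per-field value bits
    mask: dict = field(default_factory=dict)    # per-field care bits; a field absent here is fully wildcarded

    def matches(self, key: dict) -> bool:
        """Ternary compare: every care bit of every field must agree with the packet key."""
        return all((key[f] & m) == (self.value[f] & m) for f, m in self.mask.items())

    def covers(self, other: "TcamEntry") -> bool:
        """True when every packet matching `other` also matches self (self's care bits are a subset and agree)."""
        return all(f in other.mask and (m & ~other.mask[f]) == 0 and (self.value[f] & m) == (other.value[f] & m)
                   for f, m in self.mask.items())


def entry(action, src=None, dst=None, **exact) -> TcamEntry:
    """Build an entry from a CIDR for src/dst and exact values for the remaining fields."""
    e = TcamEntry(action)
    for f, cidr in (("src_ip", src), ("dst_ip", dst)):
        if cidr:
            net = ipaddress.ip_network(cidr, strict=False)
            e.value[f], e.mask[f] = int(net.network_address), int(net.netmask)
    for f, v in exact.items():
        if f not in FIELD_WIDTH:
            raise KeyError("unknown field " + f)
        e.value[f], e.mask[f] = v, (1 << FIELD_WIDTH[f]) - 1
    return e


def packet_key(src, dst, proto=6, dst_port=0, sgt=0, vn_id=0, dscp=0) -> dict:
    """Flatten the fields the parser extracted from a packet into the lookup key."""
    return {"src_ip": int(ipaddress.ip_address(src)), "dst_ip": int(ipaddress.ip_address(dst)),
            "proto": proto, "dst_port": dst_port, "sgt": sgt, "vn_id": vn_id, "dscp": dscp}


def lookup(table, key):
    """First match wins, like TCAM priority encoding; implicit deny when nothing matches."""
    for index, e in enumerate(table):
        if e.matches(key):
            return index, e.action
    return None, "deny"


def parallel_lookup(tables, key):
    """Independent lookups in several tables (e.g. security ACL and QoS policy) in the same pass."""
    return {name: lookup(table, key)[1] for name, table in tables.items()}


def shadowed(table):
    """Indices of entries that can never be hit because an earlier entry covers them."""
    return [j for j, later in enumerate(table) if any(table[i].covers(later) for i in range(j))]


# Constructed policies: SGT/VN-based segmentation in the security table, DSCP remark in the QoS table.
SECURITY = [
    entry("deny", dst="10.2.0.0/16", sgt=20),                       # guests (SGT 20) may not reach servers
    entry("permit", dst="10.2.0.0/16", sgt=10),                     # employees (SGT 10) may
    entry("permit", vn_id=4100),                                    # everything else inside VN 4100
]
QOS = [
    entry("remark-ef", proto=17, dst_port=5060),                    # voice signalling
    entry("remark-af41", dscp=34),
]
```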

Packet Replication - Certain application traffic types may require packet replication (the creation of multiple copies). For example, an ingress multicast stream may require replication to multiple receivers on the switch. The UADP architecture is optimized for replication, because each packet is held in a central buffer memory during processing, and then a single copy or multiple copies can be transmitted to all receivers. This is a very efficient replication approach that minimizes latency and space-consuming memory-to-memory packet copies.

Integrated Stacking Capability

UADP is a very powerful and flexible ASIC. In many cases, based on port types and densities, an entire switch may be built around a single UADP ASIC.

However, it may be necessary to connect multiple UADP ASICs together into an integrated system. UADP supports the following inter-ASIC connection options:

• stacking multiple switches together via external cables, to build a single integrated stack;
• linking multiple ASICs together on the baseboard, in a fixed switch; or
• linking multiple ASICs together on a Supervisor module, in a modular switch.

UADP was designed with a dedicated high-speed ASIC Interconnect interface, in addition to the front-panel switch ports, to provide these flexible design options.

Programming UADP with Microcode

Cisco IOS XE uses multiple layers of software. Some of these software layers are more closely associated with the hardware than others. For example, features that a user interacts with (e.g. via the CLI) are typically at a higher layer and less dependent on the hardware. Hardware drivers and other infrastructure pieces of the software (known as microcode) interact directly with the hardware. This microcode layer of the software actually programs the ASIC. Please refer to the Cisco IOS XE chapter for more details on the architecture of Cisco IOS XE.

The UADP Family

The history of the UADP ASIC began in when Cisco introduced the Catalyst switch. As discussed, the ASIC design and manufacturing process is very complex and can take several years for an individual component or product. Several years of innovative work went into developing UADP.

UADP 1.0 took longer to design than most other fixed ASICs at the time, as many components were entirely new and designed to be flexible. UADP 1.0 was the first version of a family of UADP ASICs which all share a common architecture. UADP 1.0 was built on a nanometer process, while the latest UADP 3.0 was built on a nanometer process. UADP has progressed significantly in terms of ASIC technology and has incorporated more transistors with each generation. Each additional transistor means additional performance, scalability, features, and functionality can be built into the ASIC.

UADP 1.0/1.1

UADP 1.0 is a single-core ASIC with . billion transistors, capable of Gbps of aggregate bandwidth. It was the first to deliver many of the programmable features discussed in the previous sections. Due to its flexible nature, UADP 1.0 was one of the first ASICs to enable support for different, flexible types of packet encapsulation. The first generation of the Catalyst and used UADP 1.0.

By , a newer version of the same ASIC design (version 1.1) was introduced. The core element and the architecture of the ASIC remained essentially the same, but with some important new additions. The key difference between UADP 1.0 and 1.1 is the use of a dual-core architecture inside the ASIC.

Unlike UADP 1.0, UADP 1.1 has two ASIC cores with billion transistors. The result is similar to using two UADP 1.0 chips in a single ASIC package. UADP 1.1 also provides higher aggregate bandwidth and performance of up to Gbps (Gbps per core), as well as some new and updated micro-engines. Some of the new features that UADP 1.1 supports include IEEE timestamps and MACsec -bit encryption (AES--GCM). The second generation of the MultiGigabit and SFP+ versions of the Catalyst and use UADP 1.1.

UADP 2.0

Catalyst 9000s are built on the next generations of UADP: the UADP 2.0 and 3.0 ASICs.

UADP 2.0 is a dual-core ASIC similar to UADP 1.1, with . billion transistors, providing even higher aggregate bandwidth of up to Gbps. UADP 2.0 also has larger, more flexible memory tables that can be reprogrammed, giving the option to deploy the same device in multiple network areas, as discussed in the Campus Network Design chapter.

DIAGRAM Comparison of UADP 1.0, 1.1, 2.0, and 3.0

UADP 2.0 ASICs have two variants: UADP 2.0 and UADP 2.0 XL. Both have the same architecture, but the aggregate bandwidth, table scale and overall performance of UADP 2.0 have been optimized for access layer devices. Catalyst platforms utilize UADP 2.0.

UADP 2.0 XL has been optimized for modular access and/or distribution layer switches. It has larger memory table sizes (hence the XL designation), with greater aggregate bandwidth and overall performance to support the port speeds and density of these roles. UADP 2.0 XL also has dual data paths of Gbps inter-ASIC connectivity, making it more suitable for platforms where multiple ASICs may be required. The first Catalyst platforms and the Catalyst Supervisor- and Supervisor-XL use UADP 2.0 XL.

TABLE UADP 2.0 and 2.0 XL Comparison

                   UADP 2.0      UADP 2.0 XL
Total Bandwidth    Up to 160G    Up to 240G
Table Sizes        Standard      XL Tables
TCAM Entries       20K           54K
Buffers            16MB          32MB
Stack Bandwidth    240G          720G
Stack Ring         1             2

UADP 3.0

The need for network speed is never-ending, driven by new wireless speeds, the increasing number of attached devices (IoT) and high-definition video conferencing. New technologies are appearing every day and driving new requirements for network performance and scale.

UADP 3.0 is a dual-core ASIC with . billion transistors, providing an aggregate bandwidth of up to .Tbps. UADP 3.0 is the most recent version of UADP, designed to address the challenges brought on by new interface speeds (e.g. 25G and 100G) and new network designs and solutions. A single UADP 3.0 ASIC is capable of ports of G at line rate.

In addition to increased bandwidth, UADP 3.0 also incorporates several new improvements to make it the ideal ASIC for the campus core and distribution. UADP 3.0 has larger shared packet buffers (MB) to support the interface speed increases. It has larger, double-wide memory tables that store both IPv4 (32-bit) and IPv6 (128-bit) addresses in a single entry. Many other ASICs, and previous generations of UADP, only support single-width tables, requiring an additional lookup cycle to support IPv6. The first products available with the new UADP 3.0 ASIC are the new ///G Catalyst platforms.

Cisco IOS XE

IOS Evolution

The history of the Internetwork Operating System (IOS) goes back to Cisco's first product, the AGS Multi-Protocol Router launched in . At the time, IOS was a fairly rudimentary, monolithic Operating System (OS). It was one of the very first network operating systems in the industry. Thousands of features have since been added to IOS over the last years and, as the industry has gone through different transitions, IOS has evolved into a more feature-rich OS.

Over time, IOS has also branched out into many different versions for different products, with a wide variety of variations. At the same time, Cisco's product portfolio has expanded into switches and routers of various kinds. Purpose-built network areas have evolved, such as data centers and service providers, and new operating systems were introduced for these areas, such as NX-OS and IOS XR.

A few years ago, Cisco introduced IOS XE, designed to restructure the monolithic code of IOS into a more modular and modern software architecture. With Cisco IOS XE, the OS was subdivided into multiple components to achieve modularity and portability of features. A low-level Linux kernel was introduced to provide CPU load balancing, memory management, and enhanced hardware resource management. IOS now runs as a modular process on top of the Linux kernel, known as IOSd. This approach allows other modular functions to be introduced, such as Wireshark and a Wireless LAN Controller (WLC). More applications will be embedded in Cisco IOS XE in the future, following a similar approach.

Cisco IOS XE is continually evolving. With new applications continually appearing, the established models for configuration and monitoring, such as the CLI and SNMP, are beginning to be replaced by standardized APIs and data models for configuration and monitoring.

DIAGRAM Classic IOS to IOS XE comparison

The latest Cisco IOS XE software addresses key customer needs:

• providing a common OS for enterprise networks,
• rapid introduction of new features and technologies,
• a secure OS to protect the network,
• modularity and high availability,
• programmability and automation.

Considering these requirements, Cisco IOS XE was introduced on the Catalyst / switches, which use the programmable UADP 1.0 ASIC. Since then, other enterprise network platforms have also adopted Cisco IOS XE, as it has the software flexibility and scalability customers need. This unified OS software release brings multiple advantages:

• fewer software images to manage,
• faster certification of software features,
• a unified, consistent experience across platforms,
• the ability to run any feature anywhere.

In addition, if there is a need to bring a feature from a core layer platform to an access layer platform, this is much easier due to the use of a unified code release. In most cases, importing the feature from one platform to another only requires platform-dependent code changes.

Catalyst 9000 switches have taken this one step further. The entire Catalyst 9000 product family not only runs the same software release version but also uses the same binary software image. Customers do not have to worry about managing multiple binary files for different Catalyst 9000 models; they can download the single binary file for one of the Catalyst 9000s and run it on all of them. This provides added value and significant simplification for software image selection, deployment, and use.

Cisco IOS XE Architecture

Cisco IOS XE is built o top of Liu OS. Vaious copoets of Cisco IOS XE u as idiidual sub-pocesses ad shae a coo ifoatio database that stoes the opeatioal state of all the featues i a cosistet foat. This odula OS achitectue ot ol poides ke featues such as pocess estatabilit ad patchig but also eables the use of Liu Cotaies o Vitual Machies VMs fo hostig Cisco ad thid-pat applicatios.

The Cisco IOS XE achitectue has thee sigicat ehaceets:

• IOS odulait,

• Cisco IOS XE database, • VMs ad cotaies.

Modula OS With Cisco IOS XE, the classic IOS code is diided ito ultiple odules. The ajoit of the base IOS code is hosted as a daeo IOSd hich is copised of taditioal IOS featues ad copoets such as sitchig ad outig potocols.

IOSd is futhe diided ito ultiple IOS subsstes, poidig the capabilit to seice oe of the sub-sstes ithout affectig the eaiig IOSd code. IOSd also poides esiliec i case of idiidual subsste failue as it is copletel segeted fo the eaiig IOS code.

This paticula OS odulaizatio helps ith updatig IOS b applig softae patches ko as Softae Maiteace Upgades, o SMUs, ithout affectig the uig sste. Cisco IOS XE 73

DIAGRAM Cisco IOS XE

Cisco IOS XE Database Peiousl, IOS stoed all sitchig ad outig potocol state ad elated foadig ifoatio i a distibuted ae. The pocess state ifoatio as stoed i a diffeet pats of eo, i diffeet foats, akig it o-optial o cosuable outside the sitch.

The Cisco IOS XE achitectue decouples the data fo the code. A e featue i the OS is the IOS XE database that stoes the coguatio ad opeatioal state of the sste. The stoed data is i a stadadized foat. Majo beets of stoig the state ifoatio i a cetalized database iclude beig able to shae ifoatio easil betee diffeet copoets of IOS XE.

This stadad IOS XE database akes sste data easie to epess as data odels. IOS XE has a iteface to coet the database to coo data odels such as YANG, ad poides efciet epot usig Model Die Teleet MDT. MDT is eplaied i geate detail i Chapte Pogaabilit ad Autoatio. Cisco IOS XE 74

Cotaies & VMs

Cisco IOS XE suppots LXC cotaies ad VMs hostig capabilit o the Catalst . Please efe to Chapte Applicatio Hostig. Cisco IOS XE 75

Cisco IOS XE Benets

With the ode ee-chagig softae-deed eioet, it is ipeatie that the OS softae foudatio of Catalst be ope, eas to use, eible, ad secue. Cisco IOS XE is a ope ad odula Opeatig Sste coo acoss ultiple etepise etok poducts ad bigs a ube of beets to custoes. Cisco IOS XE's odulait, stadad database, object-based odels, ad cotaies poide ke capabilities that help etok adiistatos ad egiees ith opeatioal tasks ad educe opeatioal costs.

Beets iclude a sigle softae iage acoss Catalst sitches, siplifig etok adiistatio ad ipoig softae lifeccle aageet. This poides a cosistet foat ad epeiece, ith cosistet poisioig itefaces acoss all deices. A "u a featue ahee" appoach eas that featues ca be poted e uickl to othe platfos. Recet eaples of softae ipoted to Catalst platfos i a shot aout of tie ae MPLS, NAT, ad NBAR.

Soe additioal ke beets iclude Cisco IOS XE Istall ode, a e WebUI, ad Cisco Tustoth Sstes.

Cisco IOS XE Istall Mode cosues less eo because the packages ae alead etacted fo the .bi le. With istall ode, Catalst sitches boot IOS faste copaed to budle ode. Istall ode is the ecoeded ode, ad adaced high aailabilit featues such as ISSU, Patchig, ad FSU ae ol suppoted ith istall ode.

Cisco IOS XE WebUI was introduced to help customers manage the device through a standard web browser. Users can perform simple configurations, troubleshooting, and monitoring of CPU and memory utilization. Users can also configure advanced features such as AVC to monitor the various applications.

Cisco built the Catalyst 9000 family of switches to be trustworthy, to help prevent attacks against a network. As a trustworthy system, the Catalyst 9000 family verifies the authenticity of the platform, prevents malicious code execution, establishes run-time defenses, and secures communication. For more information, please refer to the chapter Trustworthy Systems.

High Availability

Overview

Building networks and network equipment with high availability (HA) is essential to ensuring business continuity. Catalyst 9000 switches offer several traditional techniques for achieving HA and even introduce some new ones. This section explores these techniques:

• High availability on the Catalyst 9300: stacking, power, Fast Software Upgrade;
• High availability on the Catalyst 9400: chassis, supervisors, power, ISSU;
• High availability on the Catalyst 9500: Stackwise Virtual, ISSU;
• Graceful Insertion and Removal;
• Cisco IOS XE patching.

Catalyst 9000 switches utilize two HA techniques:

Stateful Switchover

Stateful switchover (SSO) offers minimal disruption to Layer 2 sessions in a redundant device configuration. SSO replicates forwarding tables and both the running and startup configuration between an active and a standby component. In the event that the active device fails, the system immediately switches control over to the standby device.

Non-Stop Forwarding

Usually, when a networking device restarts, all routing peers of that device detect that it went down and then came back up. This transition results in what is called a routing flap, which could spread across multiple routing domains. Routing flaps caused by restarts create routing instabilities, which are detrimental to overall network performance. Non-Stop Forwarding (NSF) helps to suppress routing flaps in SSO-enabled devices. NSF allows the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover. With NSF, peer networking devices do not experience routing flaps.

The sub-sections in this chapter explain how each switch family utilizes SSO and NSF in slightly different ways for high availability.

High Availability on the Catalyst 9300

The Catalyst 9300 delivers access layer redundancy with features such as Stackwise-480, StackPower and Fast Software Upgrade (FSU).

Catalyst 9300 Switch Stacks

The fixed-configuration Cisco Catalyst 9300 series switches include stacking to expand port density and switching capacity, and to enable redundancy in wiring closets. Moreover, stacking delivers operational simplicity by combining multiple switches together to form a single logical switch.

Cisco IOS XE on the Catalyst 9300 supports mixed stacking between any models for up to eight members. They are physically connected in a ring with special stacking cables connected to the back of each switch using their stacking ports.

Catalyst 9300 stacks deliver deterministic and non-blocking switching performance for up to 448 ports. The switching performance delivers hardware-accelerated, integrated network services such as:

• PoE up to 15.4W,
• PoE+ up to 30W,
• Universal PoE up to 60W,
• Quality of Service,
• Access control lists,
• Flexible NetFlow.

Note: All switches in a stack must run the same version of Cisco IOS XE and the same licensing.

Stackwise-480 Architecture

Catalyst 9300 switches enable stacking using a stack-ring fabric known as Stackwise-480. Stackwise-480 refers to the total available stack capacity: 480 Gbps. The fabric consists of six counter-rotating rings (40 Gbps per ring), and the system's throughput is a function of the aggregated throughput of these rings (240 Gbps). Throughput doubles by employing spatial reuse on the stack's rings. Spatial reuse is enabled by destination packet-stripping. Normally, within ring architectures, a packet is stripped from the ring on the source switch where it originated, and while ring members are processing a packet, no other data may be passed into the ring. Spatial reuse, however, allows multiple flows to co-exist. Spatial reuse frees available bandwidth on the ring because the destination switch strips the packet destined to itself, allowing insertion of additional packets onto the ring by other stack members.

DIAGRAM Stackwise-480 Architecture

Stackwise-480 creates a unified control and management plane by electing one switch in the stack as the active switch and another switch as a hot-standby. Remaining switches become stack members. The active switch is responsible for all Layer 2 and Layer 3 network control processing and for synchronizing all state information with the hot-standby. The active switch unifies management for the entire stack; administrators perform all configuration and monitoring via the active switch.

The forwarding architecture is designed to provide distributed switching across all member switches in the stack. Each switch in the stack optimizes data plane performance by utilizing its local hardware resources. This includes forwarding tasks and network services such as QoS and ACLs. Distributing stack processing delivers wire-speed performance, increases overall system resource capacity, prevents overloading of the active switch processor and optimizes stack-ring bandwidth capacity.

Stackwise-480 SSO/NSF Support

Catalyst 9300 switches support a wide range of Layer 2 and Layer 3 stateful capabilities to provide non-stop network communication. The active switch in a stack synchronizes the protocol state machines, software forwarding tables, and system configuration to the stack's standby switch. Supported protocols are listed in the table below:

TABLE Stackwise-480 Stateful Protocol Support

Layer            HA-Aware Protocols
Layer 2          STP, VLAN, VTP, DTP, CDP, UDLD, SPAN and RSPAN, 802.1x, PAgP and LACP, IGMP Snooping
Layer 3 – IPv4   ARP, EIGRP, OSPF, IS-IS, BGP, MPLS LDP
Layer 3 – IPv6   EIGRPv6, OSPFv3, IS-ISv3, BGPv6, ICMPv6
Services         QoS, ACL, PBR, NetFlow, Port Security

StackPower

Cisco StackPower aggregates all of the available power within a switch stack into one common power pool and shares power among stack members. Up to four switches can be configured in a power stack. It requires the use of Cisco StackPower cables connected to a special port on the back of each switch. Stackwise-480 must first be enabled before StackPower may be used. Thus, if there is an eight-member data stack, two power stacks of four switches each can be configured to cover the complete eight-member stack.

Cisco StackPower reduces the number of power supplies required per switch stack and the number of outlets required in the wiring closet. Additional savings accrue from minimizing energy wasted due to inefficient power-supply operation at lower loads and from the reduction in cooling within a wiring closet. The technology also eliminates the need for external power shelves, thus freeing up additional space and power outlets in the wiring closet.

StackPower Operational Modes

Cisco StackPower has two modes of operation: sharing and redundant.

In sharing mode, the default, all input power is available for use anywhere in the stack. The total available power is used for power budgeting decisions. If a power supply fails, the remaining available power in the budget is utilized and there is no impact on either the system components or the PoE devices as long as the budget still covers the load. If there is not enough power in the budget, PoE devices could be shut down, followed by the switches, based on their priority. By default, the load shedding order is as follows:

Low priority ports, high priority ports, switches.

Power priority is configurable. By default, all ports in the system are considered low priority.

In redundant mode, the power of the largest power supply is subtracted from the power budget. This reduces the total available power, but it keeps backup power available in the event of a power supply failure.

DIAGRAM Comparing Sharing and Redundant StackPower Modes

StackPower also reserves 30W in case a new switch is added to the stack.

Cisco StackPower also allows deployment of larger power pools by using a Cisco Expandable Power System (XPS 2200). This system shares power with up to eight switches.
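The budgeting and load-shedding rules above are easier to reason about as code. The following is an added illustration written for this section, not Cisco's StackPower implementation: it derives the budget for sharing and redundant mode (largest supply held back, 30W reserved for a joining member, at most four members per power stack) and sheds load in the default order of low-priority ports, then high-priority ports, then switches. The wattages in the sample stack are constructed, and shedding switches from the last member backwards is an assumption, since the text only says switches are shed "based on their priority".

```python
"""Model of Cisco StackPower budgeting and default load shedding.

Added illustration for this section, not Cisco code. The 30 W reserve,
the four-member limit and the shedding order come from the text; the
sample wattages are constructed and the switch shedding order (last
member first) is an assumption.
"""
from dataclasses import dataclass, field
from typing import List

NEW_MEMBER_RESERVE_W = 30        # held back in case a switch joins the power stack
MAX_POWER_STACK_MEMBERS = 4


@dataclass
class Port:
    name: str
    draw_w: int
    high_priority: bool = False  # every port is low priority unless configured
    powered: bool = True


@dataclass
class Member:
    name: str
    supply_w: int                # input power this switch contributes to the pool
    system_w: int                # power the switch itself needs to stay up
    ports: List[Port] = field(default_factory=list)
    powered: bool = True


def power_budget(members: List[Member], mode: str = "sharing") -> int:
    """Watts available for budgeting in 'sharing' or 'redundant' mode."""
    if not 1 <= len(members) <= MAX_POWER_STACK_MEMBERS:
        raise ValueError("a power stack holds one to four switches")
    if mode not in ("sharing", "redundant"):
        raise ValueError(f"unknown StackPower mode {mode!r}")
    supplies = [m.supply_w for m in members]
    pool = sum(supplies)
    if mode == "redundant":
        pool -= max(supplies)    # largest supply is kept as backup capacity
    return pool - NEW_MEMBER_RESERVE_W


def demand(members: List[Member]) -> int:
    """Watts drawn by powered switches and their powered ports."""
    total = 0
    for m in members:
        if m.powered:
            total += m.system_w + sum(p.draw_w for p in m.ports if p.powered)
    return total


def shed_to_budget(members: List[Member], mode: str = "sharing") -> List[str]:
    """Shed load in the default order until demand fits the budget.

    Returns the names of everything powered off, in the order it happened.
    """
    budget = power_budget(members, mode)
    shed: List[str] = []

    def candidates():
        # 1) low-priority ports, 2) high-priority ports, 3) whole switches
        for want_high in (False, True):
            for m in members:
                if m.powered:
                    for p in m.ports:
                        if p.powered and p.high_priority == want_high:
                            yield p
        for m in reversed(members):      # assumption: last member is shed first
            if m.powered:
                yield m

    for item in candidates():
        if demand(members) <= budget:
            break
        item.powered = False
        shed.append(item.name)
    return shed


def build_sample_stack() -> List[Member]:
    """Constructed three-member power stack; one member has a small supply."""
    return [
        Member("sw1", supply_w=715, system_w=300,
               ports=[Port("sw1/0/1", 30, high_priority=True), Port("sw1/0/2", 30)]),
        Member("sw2", supply_w=715, system_w=300,
               ports=[Port("sw2/0/1", 60, high_priority=True), Port("sw2/0/2", 30)]),
        Member("sw3", supply_w=350, system_w=300,
               ports=[Port("sw3/0/1", 30), Port("sw3/0/2", 30)]),
    ]


if __name__ == "__main__":
    stack = build_sample_stack()
    print("sharing budget", power_budget(stack), "W; demand", demand(stack), "W")
    print("shed in redundant mode:", shed_to_budget(stack, "redundant"))
```

With the sample stack, sharing mode has 1750W against a 1110W load and sheds nothing; redundant mode holds back the 715W supply, leaving 1035W, and the model turns off low-priority ports one at a time until the load fits, never reaching the high-priority ports or a switch.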

Fast Software Upgrade

During a regular software upgrade on a Catalyst 9300 standalone or stacked switch, user traffic is disrupted until the new image is fully loaded. This is because the control plane and data plane are reset simultaneously while the upgrade is underway.

The Fast Software Upgrade (FSU) feature decouples the updating of control plane and data plane functions so that system upgrades have less impact. Via this process, traffic continues to flow unimpeded while the switch updates its control plane. The FSU process only impacts forwarding when the data plane is upgraded. FSU reduces upgrade downtime by almost half when compared to the regular upgrade process.

The FSU feature is supported on both stacked and standalone systems. Further, it can be used to manage switch reloads as well as software upgrades.

High Availability on the Catalyst 9400

The Cisco Catalyst 9400 Series provides several features to minimize outages:

• Dual supervisor stateful switchover with Non-Stop Forwarding,
• Supervisor engine uplink redundancy,
• In-Service Software Upgrade,
• Power supply redundancy,
• Power priority.

Dual Supervisor Stateful Switchover with Non-Stop Forwarding

Supervisor engine redundancy is enabled by default when a second supervisor module is inserted into the chassis. The redundant supervisor engine is automatically synced with the active supervisor's running and startup configuration. The switch's current forwarding state is also replicated to the redundant supervisor and is continuously updated. Stateful switchover (SSO) is triggered if the active supervisor engine fails. If Non-Stop Forwarding (NSF) is configured along with SSO, routing is not impacted during the switchover; otherwise, only Layer 2 switching is unaffected.

Supervisor Engine Uplink Redundancy

DIAGRAM Supervisor Uplink Port Groups

Referring to the picture above, each supervisor has eight 10GE interfaces and two 40GE interfaces. Interfaces 1-8 are 10GE interfaces, and ports 9 and 10 are 40GE interfaces. The supervisor further combines these interfaces into two port groups: interfaces 1-4 and 9 belong to the first port group and interfaces 5-8 and 10 belong to the second.

Each port group supports a maximum of 40 Gbps of traffic. The supervisor provides the flexibility of using those 40 Gbps with either the four 10GE interfaces or the one 40GE interface.

The supervisor is capable of supporting mixed interface types. The network administrator can choose to connect the four 10GE interfaces in one port group and also connect the 40GE interface in the other port group.

DIAGRAM Dual Supervisor Uplink Configurations

When a Catalyst 9400 has dual supervisors installed, the switch automatically disables the second port group on both supervisors. When there is a supervisor switchover, the active uplink ports on the rebooting supervisor continue to forward traffic without interruption.

DIAGRAM Uplinks Stay Active During a Stateful Switchover

In-Service Software Upgrade

In-Service Software Upgrade (ISSU) allows customers to eliminate planned outages for full-feature software upgrades. It provides upgrade, downgrade and rollback of the Cisco IOS XE software without incurring an outage. ISSU technology uses SSO and NSF as auxiliary features.

ISSU is an administrative process implemented through a set of exec-level CLI commands issued in a specific order.

ISSU Prerequisites

Before an ISSU can be performed on a Cisco Catalyst 9400 switch, the following must be verified:

• The switch must be using a redundant supervisor engine of the same model.
• The active supervisor must have access to the new Cisco IOS XE image or pre-load it into flash.
• NSF is not required but is recommended if the switch is running routing protocols.
• The system must be running in install mode.

ISSU Process

The ISSU process has five steps:

• An administrator starts ISSU.
• The new image is expanded on both the active and standby supervisors.
• The standby supervisor reloads with the new image.
• The switch performs an auto-switchover to the standby supervisor, which now becomes the active supervisor.
• The other supervisor then reloads with the new image and transitions into the standby role.

Once the ISSU process completes successfully, the upgrade is committed. If not, the ISSU process automatically rolls back to the previous image. At this point, ISSU is complete.

The diagram below provides further details on how the ISSU process works:

DIAGRAM ISSU Process Details

Note: During supervisor switchover, there will be a sub-second traffic reconvergence.

Power Redundancy Mode

The Cisco Catalyst 9400 Series 4-slot chassis has four power supply bays, and the 7-slot and 10-slot models have eight bays. The power supplies can operate in a combined or a redundant mode.

Combined mode is the default. In this mode, all power supplies are active and share the system's load. If a power supply fails, the remaining power supplies pick up the load.

Redundant mode supports two configurations: N+1 and N+N. N+1 provides protection against a single power supply failure. N+N provides protection against multiple supply failures as well as a power input circuit failure.

N+1 Power Redundancy Mode

This is a user-configured mode which allows the user to designate any one of the power supplies as a backup. The designated backup power supply remains in standby mode. If any one of the active power supplies fails, the backup power supply is activated.

DIAGRAM N+1 Power Redundancy Mode

N+N Power Redundancy Mode

This is also a user-configured mode. Here, an operator divides the power supplies into two groups: active and backup. The power supplies in the active group share the system load and the backup power supplies remain in standby mode. The two groups can be connected to the same or to different input circuits. If the primary input source fails, or any one of the active power supplies fails, all backup power supplies are activated.

DIAGRAM N+N Power Redundancy Mode

Power Priority

The Catalyst 9400 series supports power priority for line card slots. If the system requires more power than is available, due to additional PoE draw or sudden failures, the system begins shedding power. Supervisors and the fan tray always have the highest priority, and this cannot be modified. By default, the switch turns off line cards starting with the bottom slots and then works its way up to the top. Each line card's power priority, however, can be individually configured.

Stackwise Virtual

The Cisco Catalyst 9500 series Stackwise Virtual feature allows the merging of two physical switches into a single, logical switch. The two switches operate as one; they share the same configuration and forwarding state. This is analogous to the Virtual Switching System (VSS) feature in the previous generation of the Catalyst switching line.

Note: Both Catalyst 9500 switches need to use identical hardware, software and license level for Stackwise Virtual to work.

Stackwise Virtual greatly simplifies the design of a campus network. It enables the creation of a loop-free topology because the two switches operate as one. Thus, the spanning tree domain treats a Stackwise Virtual pair as one bridge node instead of two.

Stackwise Virtual also incorporates high-availability features such as stateful switchover, Non-Stop Forwarding and In-Service Software Upgrade, which provide device-level redundancy and eliminate the need for Layer 3 redundancy protocols such as HSRP and VRRP. It also supports MultiChassis EtherChannel (MEC), which provides both link redundancy and increased bandwidth.

DIAGRAM Benefits of transitioning from Traditional Architecture to Stackwise Virtual

Stackwise Virtual Architecture

Within a Stackwise Virtual pair, one device is designated as the active virtual switch; the other, the standby virtual switch. The active virtual switch manages all control plane functions and distributes the system's current state to its standby peer:

• Management (e.g. running config, startup config, SNMP, Telnet, SSH);
• Layer 2 protocols (e.g. BPDU, LACP);
• Layer 3 protocols (e.g. EIGRP, OSPF, BGP, LDP).

DIAGRAM A Stackwise Virtual Domain

From the data plane, or traffic forwarding, perspective, both switches in a Stackwise Virtual pair actively forward traffic. They each make local forwarding decisions and, when necessary, forward traffic to neighboring switches via L2/L3 MEC or through Layer 3 equal cost multi-pathing (ECMP).

Stackwise Virtual Components

Stackwise Virtual is formed by leveraging the following components:

• Stackwise Virtual Link,
• Dual-Active Detection link,
• MultiChassis EtherChannel.

Stackwise Virtual Link

The Stackwise Virtual Link (SVL) is a vital part of forming a Stackwise Virtual domain. It provides the signalling path used for synchronizing the two switch control planes, and it serves as the data path for any user traffic which needs to pass between the two switches. The SVL is an EtherChannel and can be configured using any 10/40G interfaces. Stackwise Virtual supports up to eight interfaces to form an SVL. Cisco recommends using more than one link in an SVL for redundancy between the two switches and to increase cross-switch bandwidth in the event that an uplink or downlink fails on one of the peers.

Dual-Active Detection

If the SVL fails for some reason, communication is broken between the Stackwise Virtual pair. This could cause a dual-active scenario in which both switches assume the active role, causing adverse effects to both forwarding and network topology. To avoid a dual-active scenario, Cisco recommends configuring Dual-Active Detection (DAD). DAD detects the dual-active scenario and then disables the ports on one switch to prevent blackholing traffic. This same switch is rebooted to resolve the dual-active state. Dual-Active Detection can be deployed using either a dedicated link on any 1/10/40G interfaces, or it may be configured using ePAgP. Up to four interfaces may be used for a DAD link, and it is recommended to have more than one for redundancy purposes.

Note: The management interface may not be used for DAD.

MultiChassis EtherChannel

MultiChassis EtherChannel (MEC) simplifies the connection between Stackwise Virtual switches and neighboring switches by allowing dual-homed connections to be configured as EtherChannel links as opposed to individual links. MEC provides either Layer 2 or Layer 3 multipathing, resulting in increased bandwidth and physical link redundancy. Stackwise Virtual supports MECs configured using mode "ON", LACP, or PAgP.

DIAGRAM The Stackwise Virtual Components

Stackwise Virtual High Availability

In the event of a failure on the active Stackwise Virtual switch, the standby switch immediately becomes active and continues forwarding traffic. Stackwise Virtual leverages NSF and SSO to achieve a sub-second switchover.

Note: NSF must be enabled explicitly for the routing protocols.

Stackwise Virtual In-Service Software Upgrades

Stackwise Virtual supports In-Service Software Upgrades. ISSU helps network administrators avoid a network outage when performing a Cisco IOS XE software upgrade on a Stackwise Virtual pair. ISSU supports upgrades, downgrades, and rollbacks.

ISSU Prerequisites

Before an ISSU can be performed on a Catalyst 9500 Stackwise Virtual switch, the following must be verified:

• The active switch must have access to the new Cisco IOS XE image or pre-load it into flash.
• The switch must be running in install mode.
• NSF should be enabled.

ISSU Process

The ISSU process has five steps:

• An administrator starts ISSU.
• The new image is expanded on both the active and standby switches.
• The standby switch reloads with the new image.
• The standby switch becomes the new active switch through an auto-switchover.
• The other switch then loads the new image and transitions into the standby role.

Once the ISSU process completes successfully, it commits the upgrade. If not, the ISSU process automatically rolls back to the previous image. At this point, ISSU is complete.

The diagram below provides further details on how the ISSU process works.

DIAGRAM The ISSU Process

Note: During the switchover, there will be a sub-second traffic reconvergence.

Graceful Insertion and Removal

Once a switch is forwarding traffic, there is no simple way to remove it from the network without impacting its active flows. This presents a problem to administrators who need to perform maintenance such as hardware replacement, software upgrades, and troubleshooting. Graceful Insertion and Removal (GIR) solves this problem. GIR leverages redundant paths and existing routing protocols to gracefully isolate a device without impacting active flows. Conversely, GIR also gracefully reinserts the device back into service when the work is complete.

Essentially, GIR allows the network administrator to easily manipulate the routing and first-hop gateway metrics of a network device that is about to undergo maintenance, making it a very unattractive path. It does this by inflating metrics or sending messages that indicate to peers that this device is no longer the best path for traffic. Once traffic moves away from the device, maintenance actions can be undertaken. Once the maintenance is complete, returning these metrics to their former values smoothly restores normal traffic flow. Below is a sample routed access topology in which one switch is put into maintenance mode and all the traffic is diverted gracefully to the redundant path:

DIAGRAM Graceful Insertion and Removal in Action

Note: GIR is intended for use in the core and distribution layers.

GIR offers a two-step command structure for what would otherwise require a multi-step, manual and risky process to achieve the same results. The GIR command structure is simple. The start maintenance command removes a switch from operation and the stop maintenance command returns it to service.

GIR uses two profiles, the maintenance-mode profile and the normal-mode profile, to manage removal and insertion, respectively. The maintenance-mode profile contains all the commands that are executed to move a switch into maintenance mode. The normal-mode profile, on the other hand, houses all the CLI commands to reinsert the switch into the network.

The following protocols are currently supported by GIR for both IPv4 and IPv6:

TABLE GIR Protocols and Removal and Insertion Methods

Protocol   Graceful Removal                       Graceful Insertion
ISIS       Refresh LSPs with Overload bit = 1     Refresh LSPs with Overload bit = 0
OSPF       Send LSAs with max metric              Refresh LSAs with original metric
HSRP       Advertise the resign message           Advertise the Hello message
VRRP       Advertise Priority 0                   Restore the original priority

Catalyst 9000 switches also provide the flexibility to define custom maintenance profiles in order to set site-specific methods for performing removal or insertion. For example, if the device has VRRP or HSRP configured, by default the GIR maintenance profile shuts down the Layer 2 ports connecting to the access layer while changing the active/standby roles. With a customized template, however, a user can define the isolation of just HSRP/VRRP and not shut down the Layer 2 ports.

Catalyst 9000 series switches also provide system-generated snapshots to record the state of a switch before and after maintenance. Snapshots are useful for verifying that a switch is operating correctly when it returns to service.

Patching Cisco IOS XE

Software defects happen. It is an unpleasant truth. When a switch encounters an operating system defect, it affects the network's behavior and, consequently, business operations. Fixing a defect can be just as daunting as encountering it. Often, existing code must be requalified to ensure the problem is truly resolved as well as to prove that the new code does not introduce new issues. In addition, distributing new software across a network infrastructure, and applying it, generally requires coordinating system downtime.

Cisco IOS XE introduces patching to solve this problem. Being a modular operating system, Cisco IOS XE allows point fixes within the software without having to upgrade the entire image. This means bugs and security vulnerabilities can be resolved without having to requalify an entirely new image and, potentially, without having to reset a switch and incur downtime.

Patching is also referred to as Software Maintenance Upgrade (SMU). The diagram below shows the workflow. When applying an SMU, an administrator first uploads the patch onto the switch and adds it, so that the switch knows a new patch is available. Activating the patch applies it. At this point, the patch is active, but if necessary an administrator can roll back by deactivating it and then removing it to delete the SMU from local storage. If, however, the fix is acceptable, the administrator commits the patch, which makes it persistent across system reloads.

DIAGRAM Software Maintenance Upgrade Workflow

Two types of patching are available: cold and hot. Application of a cold patch requires reloading the switch in order to fix the issue. Hot patches, however, do not require a system reload. Instead, the switch only needs to restart the process being patched.

SMU patches can be deployed via multiple methods. The switch command line interface can be used on a switch-by-switch basis by an administrator. For distributing patches across a larger infrastructure, Cisco recommends using scripts that leverage the Catalyst 9000 APIs, or Cisco DNA Center, which includes a software image management utility.

Security and Identity

Overview

This section focuses solely on the new security functionality unique to the Catalyst 9000 platforms. Security features from prior Catalyst switching families have been carried forward into the Catalyst 9000 platforms.

Encrypted Traffic Analytics

The rapid rise of encrypted traffic is changing the threat landscape. Over the course of a single recent year, the share of encrypted traffic nearly doubled, and Gartner predicts that by 2019, 80% of all web traffic will be encrypted. Attackers know this, and they are using it to their advantage by making use of encryption to evade detection and hide malevolent activity.

Before the introduction of the Catalyst 9000 series, detecting attacks that hide inside encrypted sessions required unwieldy and expensive measures. In short, it meant installing decryption hardware in the middle of encrypted flows. Such systems can hinder the user's experience by introducing unnecessary latency, and the technique exposes a company to additional legal obligations and privacy issues.

Cisco solves this problem by delivering Encrypted Traffic Analytics (ETA) on Catalyst 9000 switches. ETA identifies malware communications in encrypted traffic via passive monitoring: no extra equipment is required and no unnatural traffic redirection needs to be performed. ETA achieves this by extracting relevant data elements and by employing machine learning techniques that draw on cloud-based, global security data.

ETA starts from a tried-and-true monitoring technology: Flexible NetFlow (FNF). FNF runs locally on a Catalyst 9000 switch and tracks every conversation, or flow, that passes through it. It collects a range of information about these exchanges in a flow record. Common record values include source and destination addresses, ports, and byte counts.

ETA introduces new flow metadata to help it identify malicious activity hiding within an encrypted flow. These are the Initial Data Packet (IDP) and the Sequence of Packet Lengths and Times (SPLT).

Initial Data Packet

Initial data packets (IDP) are the first packets exchanged between two hosts. In the case of ETA, they occur during the handshake used to set up a secure session. Even for an encrypted session, the initial Transport Layer Security (TLS) exchange between two endpoints is passed in clear text. The ETA process can see the TLS handshake and report what it learns, such as which TLS version is being used or which application is carrying the encrypted session. This can be very helpful information when performing a security audit.

Sequence of Packet Lengths and Times

The sequence of packet lengths and times (SPLT) is the length of, and inter-arrival time between, the packets in a flow. Length is measured in bytes and inter-arrival time in milliseconds. The SPLT gives ETA visibility beyond the first packets of an encrypted flow. ETA matches each flow's SPLT measurements against known malicious behavior in order to identify an attack. For example, consider the picture below.

DIAGRAM Comparison of SPLTs Between Normal and Malicious Behavior

The two graphs shown compare SPLT measurements between a common browser search on Google and a Bestafera attack. Bestafera is malware that acts as a trojan horse on Windows machines. In both examples, the source (src) is a user's PC. In the Google search example, the destination (dst) is one of Google's search engines, and on the right, it is the attacker's machine. The line between each source and destination pair represents time. The vertical lines above the timeline show the amount of data sent from the user to either Google or the attacker, and below the timeline is the amount of data downloaded to the user's PC.

The SPLT trace in the Google page search tells the story of a user browsing to the site. The user then types in a search term, which triggers Google's autocomplete function. Upon selecting the desired search string, the page reloads with the search results. The Bestafera graph, by comparison, shows something very different. Here, while running on the user's machine, the Bestafera program reaches out to its command and control server and downloads a digital certificate. With the certificate in hand, the malware opens an encrypted channel and exfiltrates sensitive data from its victim. It then sits idle and periodically checks in over a command and control (C2) channel for further instructions.
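The two pieces of ETA metadata described above are concrete enough to compute by hand. The following is an added illustration written for this section, not Cisco's ETA implementation: it parses a clear-text TLS ClientHello, the Initial Data Packet, for the TLS version, the offered cipher suites and the SNI, and reduces a packet list to the Sequence of Packet Lengths and Times. The ClientHello bytes, the two flows (one browsing-like, one upload-heavy with periodic check-ins) and the classification threshold are all constructed for the example; the classifier is a toy stand-in for the behavior matching the text attributes to Cognitive Analytics, not its model.

```python
"""ETA-style metadata from a constructed TLS flow: IDP and SPLT.

Added illustration for this section, not Cisco's ETA code. The sample
ClientHello, the two flows and the alarm thresholds are constructed.
"""
from typing import Dict, List, Optional, Tuple

TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract IDP fields from one TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:         # 0x01 = ClientHello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                         # skip client_random
    pos += 1 + hello[pos]                                # session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                # compression methods
    sni: Optional[str] = None
    if pos + 2 <= len(hello):                            # extensions block
        ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(hello[pos:pos + 2], "big")
            elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:  # server_name
                nlen = int.from_bytes(edata[3:5], "big")
                sni = edata[5:5 + nlen].decode("ascii", "replace")
    return {"record_version": (record[1], record[2]),
            "client_version": TLS_VERSIONS.get(client_version, str(client_version)),
            "cipher_suites": suites, "sni": sni}


# Constructed ClientHello: TLS 1.2, three cipher suites, SNI example.com.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "1603010047010000430303" + "11" * 32
    + "000006c02fc030002f0100001400000010000e00000b6578616d706c652e636f6d")

Packet = Tuple[int, str, int]   # (timestamp_ms, "up" or "down", payload_bytes)


def splt(flow: List[Packet], max_packets: int = 10) -> List[Tuple[int, int]]:
    """(signed length, inter-arrival ms) per packet; client-to-server positive."""
    seq, prev = [], None
    for ts, direction, length in flow[:max_packets]:
        gap = 0 if prev is None else ts - prev
        seq.append((length if direction == "up" else -length, gap))
        prev = ts
    return seq


def summarize(seq: List[Tuple[int, int]]) -> Dict[str, float]:
    up = sum(l for l, _ in seq if l > 0)
    down = sum(-l for l, _ in seq if l < 0)
    return {"up_bytes": up, "down_bytes": down,
            "upload_ratio": up / (up + down) if up + down else 0.0,
            "max_gap_ms": max((g for _, g in seq), default=0)}


UPLOAD_RATIO_ALARM = 0.6   # constructed threshold, not a Cisco or Cognitive value
CHECKIN_GAP_MS = 1000      # constructed: long idle gaps suggest periodic check-in


def classify(summary: Dict[str, float]) -> str:
    """Toy stand-in for behavior matching; flags upload-heavy flows that go idle."""
    if summary["upload_ratio"] > UPLOAD_RATIO_ALARM and summary["max_gap_ms"] > CHECKIN_GAP_MS:
        return "upload-heavy with periodic check-in"
    return "browsing-like"


# Constructed flows: a page search (small requests, large replies) and an
# exfiltration pattern (burst of large uploads, then sparse beacons).
BROWSE_FLOW: List[Packet] = [(0, "up", 517), (30, "down", 1460), (31, "down", 1460),
                             (45, "up", 126), (46, "up", 51), (80, "down", 1460),
                             (81, "down", 1200)]
EXFIL_FLOW: List[Packet] = [(0, "up", 200), (40, "down", 1200), (45, "up", 1460),
                            (46, "up", 1460), (47, "up", 1460), (48, "up", 1460),
                            (5000, "up", 90), (5040, "down", 60),
                            (10000, "up", 90), (10040, "down", 60)]

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_CLIENT_HELLO))
    for name, flow in (("browse", BROWSE_FLOW), ("exfil", EXFIL_FLOW)):
        print(name, classify(summarize(splt(flow))))
```

The parser only reads the clear-text part of the handshake, which is exactly the visibility ETA has on the switch: version, offered suites and SNI, with nothing about the encrypted application data. The SPLT step shows why the Bestafera trace differs from a search: the upload bytes dominate and the flow then goes quiet for seconds at a time.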

Cisco Cognitive Analytics

ETA integrates with Cisco Stealthwatch and Cisco Cognitive Analytics, a cloud-based service, to apply machine learning intelligence to ETA's metadata. Cognitive processes the IDP and SPLT flow data described above and then compares the results to Cisco's Threat Intelligence Map. The threat intelligence map feeds the Cognitive Analytics engine with security data collected worldwide by Cisco Talos, Cisco's security research division. Cognitive uses the data to model different features across millions of known or risky endpoints on the Internet. The final result is a more accurate assessment of a particular flow as being normal or malicious.

Cryptographic Compliance

ETA also identifies the encryption capabilities used by every network conversation. It reports on the different cryptographic parameters in use, such as the TLS version, the key exchange technique, and the authentication algorithm. This allows a security auditor to get a clear picture of which cryptographic algorithms and parameters are in use on the network and to verify organizational encryption policies against them.

ETA on a Catalyst 9000 Switch

Catalyst 9000 switches are the ideal platforms for supporting ETA because they collect full Flexible NetFlow information. The collection is performed in hardware directly in the UADP ASIC without any network performance degradation. Additionally, Catalyst 9000 switches leverage their on-board multi-core CPU to handle the additional overhead of collecting IDP and SPLT data.

Trustworthy Systems

There are attacks against the network infrastructure itself. Networking equipment can be hijacked either through the installation of unauthorized software or by exploiting deficiencies in the running operating system. Even worse, a counterfeit device constructed for easy infiltration by an attacker could unknowingly be installed by an administrator. When these events happen, the network node becomes a point where an adversary can intercept private communications, exfiltrate sensitive data, and launch other attacks against hosts, servers, or the network itself. To help prevent attacks against a network, Cisco built the Catalyst 9000 series of switches to be trustworthy.

Cisco Trust Anchor

All Catalyst 9000 switches employ a local Cisco Trust Anchor (CTA). The CTA is a specially designed, tamper-resistant chip used to power the device's built-in protections. If this chip is removed, the switch will not operate. The CTA provides a few technologies that drive on-box security.

Random Number Generator

Random number generators (RNG) are fundamental to encryption. The CTA employs a NIST-compliant (NIST SP 800-90A and B) certifiable random number generator that extracts entropy from a true random source within the chip itself.

Secure Unique Device Identifier

The switch has a secure unique device identifier (SUDI), an X.509 certificate. It is generated and installed during manufacturing, and it is chained to a publicly identifiable root certificate authority. The SUDI's fields contain the switch's product identifier and its serial number. Including these two fields uniquely binds the SUDI to the switch, so that the device can be verified to be authentic Cisco hardware.

The CTA stores the SUDI certificate, its associated key pair, and its entire certificate chain. Furthermore, each SUDI public-private key pair is cryptographically bound to a specific CTA chip. That private key is never exported.

Secure Storage

A Catalyst 9000's CTA additionally provides a highly secure, on-chip storage area. Common items placed here include encryption keys, passwords, the LSC and the LDevID.

Cisco Trust Anchor Technologies

By building upon the CTA's core components, the Catalyst 9000 series provides hardware authentication, OS integrity and a secure boot process.

Authentic Hardware Check

Every network module or supervisor has its own CTA for hardware authenticity. When a module is inserted, a special library is used to read the module's local CTA and verify its authenticity. This check prevents counterfeit modules from being brought into service in a switch.

Image Integrity

Providing image integrity means a user can be assured that the code they are about to run has not been modified. It is a critical step in establishing trust in a software executable. The integrity process involves creating a unique digital signature for the executable: the image is hashed and the hash is signed, and the signature is checked before the code is loaded. If the integrity check succeeds, the code is valid and can be trusted.

Secure Boot

Catalyst 9000 switches follow a secure boot process. It begins by first establishing a root of trust, a secure starting point. The CTA is the root of trust and is used as the basis to establish a trusted chain of valid software during the boot cycle.
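The chain-of-trust argument in the Image Integrity and Secure Boot passages can be demonstrated in a few dozen lines. The following is an added illustration, not Cisco's secure boot code: Cisco's chain verifies a digital signature on every stage, whereas this model pins a SHA-256 digest of the first stage in a simulated, immutable Trust Anchor and lets each verified stage carry the digest it demands of the next. The stage contents (bootloader, kernel, IOS XE packages) are constructed sample bytes, and the image layout with an embedded pin is an assumption made for the example. The point it shows is that a tampered stage halts the boot, and that an attacker cannot simply re-pin a tampered kernel in the bootloader, because the bootloader's own digest covers that pin.

```python
"""Toy verified-boot chain anchored in an immutable root of trust.

Added illustration for this section, not Cisco's secure boot
implementation. Digests stand in for signature checks; stage contents are
constructed sample bytes.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

PIN_MARKER = b"\n--pins-next:"   # assumed image layout: code, marker, pin


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_image(code: bytes, next_image: Optional[bytes]) -> bytes:
    """Stage image = code plus the digest it will demand of the next stage.

    The pin lives inside the image, so the previous stage's check covers it:
    re-pinning a tampered next stage changes this image's digest too.
    """
    pin = digest(next_image) if next_image is not None else ""
    return code + PIN_MARKER + pin.encode()


def pinned_next(image: bytes) -> str:
    return image.rsplit(PIN_MARKER, 1)[1].decode()


class TrustAnchor:
    """Simulated CTA: holds the first-stage digest and refuses rewrites."""

    def __init__(self, first_stage_digest: str) -> None:
        object.__setattr__(self, "pin", first_stage_digest)

    def __setattr__(self, name: str, value: object) -> None:
        raise AttributeError("trust anchor contents are immutable")


def secure_boot(anchor: TrustAnchor,
                stages: List[Tuple[str, bytes]]) -> Tuple[List[str], Optional[str]]:
    """Verify each stage against the pin held by the stage before it.

    Returns (stages allowed to run, failure message or None). Boot halts
    at the first stage whose digest does not match the pinned value.
    """
    expected = anchor.pin
    booted: List[str] = []
    for name, image in stages:
        if not hmac.compare_digest(digest(image), expected):
            return booted, f"{name}: image integrity check failed, boot halted"
        booted.append(name)
        expected = pinned_next(image)
    return booted, None


def build_chain() -> Tuple[TrustAnchor, List[Tuple[str, bytes]]]:
    """Constructed three-stage chain, built last stage first so each pin exists."""
    iosxe = build_image(b"constructed IOS XE packages", None)
    kernel = build_image(b"constructed kernel", iosxe)
    bootloader = build_image(b"constructed bootloader", kernel)
    anchor = TrustAnchor(digest(bootloader))
    return anchor, [("bootloader", bootloader), ("kernel", kernel), ("iosxe", iosxe)]


def tamper(image: bytes) -> bytes:
    """Flip one bit of the code, as a modified binary would appear on flash."""
    return bytes([image[0] ^ 0x01]) + image[1:]


if __name__ == "__main__":
    anchor, stages = build_chain()
    print("clean boot:", secure_boot(anchor, stages))
    stages[1] = ("kernel", tamper(stages[1][1]))
    print("tampered kernel:", secure_boot(anchor, stages))
```

A real chain replaces `digest(...) == expected` with a signature verification against a public key held in the root of trust, which is what lets Cisco ship new images without changing the anchor; the halting behavior and the protection of each pin by the stage before it are the same.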

Run-Time Defenses

With a trusted operating system loaded, protecting it while it runs is the last step in establishing the switch's trustworthiness. Runtime defenses for Cisco IOS XE have been extended in a number of ways:

Address space layout randomization (ASLR) has been added to randomize the locations in memory where different code or data are loaded. That deprives an attacking program of the ability to know where to jump to inject code or to steal secrets.

When building the Cisco IOS XE code, Cisco used the Safe C Library. Cisco software engineers leveraged some of the following features of this alternative to libc:

• Bounds-checking memory and string functions as well as object size checking.
• Extra compile-time warnings to stop developers from introducing security risks.
• Insertion of runtime checks that detect buffer and integer overflows.
• Advanced kernel protection measures.

MACsec

Why was MACsec developed?

An individual intending to harm the network could add a tap or a Layer 1/2 device between two directly connected network devices; the network administrator might just see a link disconnect and reconnect, and might never find the added device. The intruder would now be able to listen to all of the data sent over the link and use it for a harmful purpose. To prevent a possible intrusion on links, Media Access Control Security (MACsec) was developed. MACsec provides protection against:

• denial of service attacks,
• man in the middle,
• passive wiretapping,
• playback attacks,
• masquerading.

DIAGRAM Intruder Steals Data on Wire

MACsec, as implemented in Catalyst 9000 switches, is fully compliant with the IEEE 802.1AE and 802.1X-2010 standards and operates at Layer 2 of the OSI stack. Layer 2 was chosen because it covers almost every packet transmitted on the link without compromising network performance.

To establish a MACsec session between two directly connected Layer 2 peers, keys must be negotiated. There are two session key exchange protocols that can form the session: MACsec Key Agreement (MKA) and Security Association Protocol (SAP).

Today, MACsec is enabled switch-to-switch, from user or server hosts to switches, and from routers to switches, to ensure data is protected.

Topologies

Host to Switch - usually these are front panel ports.

A host is required to run the Cisco AnyConnect Client to do software encryption/decryption on the host. Today, AnyConnect supports up to AES 128-bit encryption.

DIAGRAM Host to Switch MACsec

Host to Switch Topology:

• does not support manual key exchange.
• supports dot1X key exchange (ACS/ISE is required and provides large scale).
• supports per-user authentication/encryption.

Switch to Switch - usually uses the network module uplink ports or Supervisor uplinks in the Catalyst 9400 chassis.

DIAGRAM Switch to Switch MACsec

Switch to Switch Topology:

• supports manual key exchange configuration.
• does not support dot1X key exchange via RADIUS.
• supports EAP-TLS for MKA, where a dot1x supplicant is enabled on every switch and certificates are used instead of shared keys.

Supported Platforms

MACsec requires hardware support on the switches to process encryption/decryption at line rate. The Catalyst 9000 family has an integrated block in the UADP ASIC which does line rate MACsec encryption and decryption at any speed.

TABLE MACsec Support per Platform

MACsec                          Cat 9300    Cat 9400    Cat 9500
Switch to Switch, 128-bit SAP   Line rate   HW ready    Line rate
Switch to Switch, 128-bit MKA   Line rate   HW ready    Line rate
Switch to Switch, 256-bit MKA   Line rate   HW ready    Line rate
Host to Switch, 128-bit MKA     Line rate   HW ready    Line rate
Host to Switch, 256-bit MKA     HW ready    HW ready    HW ready

The reason MACsec needs hardware support comes from the new packet frame format which is used to establish the MACsec session. MACsec uses a new EtherType (0x88E5) to differentiate these packets.
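As an added example for this page (not Cisco's code and not from the book), the following C program shows what that EtherType switch means in practice: it dissects the 802.1AE SecTAG that follows the source MAC, reports the tag length (8 bytes, or 16 when the SCI is present) and the E/C confidentiality flags, and then evaluates the line-rate efficiency formula that the bullets below give for a frame carrying MACsec overhead. The sample frames are constructed for the example, the 20-byte wire shim is the standard Ethernet preamble plus inter-frame gap, and the 16-byte and 32-byte overhead cases correspond to the authentication-only and encryption figures in this section.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHERTYPE_MACSEC 0x88E5u      /* IEEE 802.1AE SecTAG EtherType */
#define WIRE_SHIM_BYTES  20u          /* preamble + SFD + inter-frame gap */

/* Fields recovered from an 802.1AE SecTAG. */
struct macsec_tag {
    uint8_t  version;   /* TCI.V, must be 0 */
    uint8_t  encrypted; /* TCI.E: payload is confidentiality-protected */
    uint8_t  changed;   /* TCI.C: payload on the wire differs from the original */
    uint8_t  an;        /* association number (0-3) selecting the SAK */
    uint8_t  sl;        /* short length, non-zero only for payloads under 48 bytes */
    uint32_t pn;        /* packet number used for replay protection */
    int      has_sci;   /* TCI.SC: explicit 8-byte Secure Channel Identifier */
    uint64_t sci;
    size_t   tag_len;   /* 8, or 16 with SCI, counted from the EtherType */
};

/* Parse the SecTAG of an Ethernet frame. Returns the offset of the protected
 * payload, or 0 when the frame is not a well-formed MACsec frame. */
static size_t macsec_parse(const uint8_t *frame, size_t len, struct macsec_tag *t)
{
    if (frame == NULL || t == NULL || len < 12 + 8)
        return 0;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_MACSEC)
        return 0;                          /* plain frame, no SecTAG */
    const uint8_t *tag = frame + 12;       /* SecTAG begins with the EtherType */
    uint8_t tci_an = tag[2];
    t->version   = (tci_an >> 7) & 1;
    t->has_sci   = (tci_an >> 5) & 1;
    t->encrypted = (tci_an >> 3) & 1;
    t->changed   = (tci_an >> 2) & 1;
    t->an        = tci_an & 0x3;
    t->sl        = tag[3] & 0x3F;
    t->pn = ((uint32_t)tag[4] << 24) | ((uint32_t)tag[5] << 16) |
            ((uint32_t)tag[6] << 8)  |  (uint32_t)tag[7];
    t->sci = 0;
    t->tag_len = 8;
    if (t->version != 0 || t->pn == 0)     /* 802.1AE never uses PN 0 */
        return 0;
    if (t->has_sci) {
        if (len < 12 + 16)
            return 0;                      /* truncated before the SCI */
        for (int i = 0; i < 8; i++)
            t->sci = (t->sci << 8) | tag[8 + i];
        t->tag_len = 16;
    }
    return 12 + t->tag_len;
}

/* Share of the port's bit rate that carries frames once each frame grows by
 * `overhead` bytes of MACsec header (and ICV); result in percent. */
static double macsec_line_rate_pct(unsigned frame_bytes, unsigned overhead)
{
    double base = (double)frame_bytes + WIRE_SHIM_BYTES;
    return 100.0 * base / (base + overhead);
}

/* Constructed sample: unicast frame, SecTAG with SCI, E=1 C=1 AN=0, PN=42,
 * 4 bytes of (opaque) protected payload and a 16-byte ICV. */
static const uint8_t SAMPLE_MACSEC[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x88,0xe5, 0x2c, 0x00, 0x00,0x00,0x00,0x2a,
    0x66,0x77,0x88,0x99,0xaa,0xbb,0x00,0x01,
    0xde,0xad,0xbe,0xef,
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
};
/* Constructed sample: the same MACs but an ordinary IPv4 EtherType. */
static const uint8_t SAMPLE_PLAIN[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00, 0x45,0x00,0x00,0x14, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

int main(void)
{
    struct macsec_tag t;
    size_t off = macsec_parse(SAMPLE_MACSEC, sizeof SAMPLE_MACSEC, &t);
    printf("payload offset %zu, tag %zu bytes, E=%u C=%u AN=%u PN=%u\n",
           off, t.tag_len, (unsigned)t.encrypted, (unsigned)t.changed,
           (unsigned)t.an, (unsigned)t.pn);
    printf("64-byte frame: auth-only %.1f%%, encrypted %.1f%% of line rate\n",
           macsec_line_rate_pct(64, 16), macsec_line_rate_pct(64, 32));
    return 0;
}
```

Because the SecTAG sits where the Length/Type field of a plain frame would be, a device that does not know the EtherType sees an unparseable frame; that is why every field after the MAC addresses, VLAN and MPLS tags included, is hidden from an on-path observer, and why the efficiency loss is largest for the smallest frames.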

DIAGRAM MACsec Frame Format

• Authentication – uses only the AE header (16 bytes).
• Encryption – uses the AE header and ICV (16 + 16 bytes).
• No impact to IP MTU/fragmentation.
• All the fields after the destination and source MAC are encrypted, which includes MPLS or dot1Q tags.
• There is no impact on dot1Q CoS or MPLS EXP marking as they are used after decryption and prior to encryption.
• The line-rate calculation needs to exclude the added overhead header fields for packets. The bit rate of the port is not changed, as it does not depend on the packet size.
• The "wire shim header" (Ethernet preamble and inter-frame gap) is 20 bytes and is a constant.
• Line rate per port = (packet size + wire shim header) / (packet size + wire shim header + overhead).
• Line rate in the case of authentication: (packet size + 20 bytes) / (packet size + 20 + 16 bytes) of the bandwidth.
• Line rate in the case of encryption: (packet size + 20 bytes) / (packet size + 20 + 32 bytes) of the bandwidth.

QoS and Queuing

Overview

What is Congestion?

Congestion is a situation where the destination port is unable to forward packets, and as a result, some packets being sent are dropped or delayed more than expected.

Why Do We Care about Congestion?

At times of congestion, packets may be dropped if the hardware buffers are unable to handle additional incoming packets. When packets are dropped, client applications must retransmit. With many application retransmissions, network performance may actually decrease, because the retransmissions will also experience congestion, and the process continues until the congestion is resolved.

Simply adding more hardware buffers will not necessarily alleviate congestion problems, since latency-sensitive traffic needs to be forwarded to its destination as quickly as possible.

QoS and Congestion Management in the Catalyst 9000

Catalyst 9000 switches use a Modular QoS CLI (MQC) model to configure policers, shapers and traffic remarking.

Modular QoS Model

Catalyst 9000 switches use the MQC model because of the following values:

• delivers a consistent QoS configuration model.
• based on policies, classes and types.
• supports two-level hierarchical policies.
• traffic can be classified by class, queue, port or VLAN.
• supports class-based policing and shaping.

For more information on Cisco MQC on Catalyst 9000, please refer to Cisco.com.

QoS Marking

There are three standard types of QoS marking, depending on the type of protocol:

• L2 CoS/User Priority – 3 bits (0-7).
• MPLS EXP – 3 bits (0-7).
• L3 DSCP (ToS for IPv4, Traffic Class for IPv6) – 6 bits (0-63).

For more information on QoS marking, please refer to Cisco.com.

Buffers and Queues

The UADP ASIC provides a shared PBC buffer memory. The UADP 2.0 cores each use separate or split buffer memory and an internal data path for packets between cores. The UADP 3.0 supports a new unified packet buffer between its two cores for faster memory access and to increase burst absorption, since a single packet buffer is available to all ports on the ASIC.

TABLE Buffer Scale Information

                       UADP 2.0   UADP 2.0 XL   UADP 3.0
Buffer (MB) per Core   8          16            36
Buffer (MB) per ASIC   16         32            36

Hardware Buffer Allocation

Traditionally, hardware buffers are statically allocated for each queue; however, this can lead to insufficient buffers for all queues in the event of bursting. To remedy this, the Catalyst 9000 platforms use Dynamic Threshold Scaling (DTS).

The hardware buffer is split into multiple segments:

• Ingress buffers (a fixed share of the buffer) are used for packets scheduled towards the stack and ASIC interfaces.
• Egress stack buffers (a fixed share of the buffer) are used to receive traffic from the stack ports.

- The buffer is sized to accommodate up to eight stack members.

• Egress port buffers (the remaining share) are the largest buffers and are used for the port queue structures.

- These buffers can be shared between different queues and ports using DTS.

DTS Shared Pools

DTS creates a shared, dynamic pool of unused buffers. Buffers from the shared pool can be dynamically assigned to a port that needs more buffer space due to bursting or congestion.

DIAGRAM DTS Shared Pools

DTS provides the following:

• Per-port buffers are split into dedicated (hard) and shared (soft) categories:
  - Shared buffers are good for absorbing packet bursts.
  - Dedicated buffers are good for predictable performance.

• Dedicated buffers are used first, followed by the shared buffers:
  - The Dynamic Threshold Algorithm (DTA) is used to manage the shared buffers.

• The assignment of buffer sizes is flexible across dedicated and shared:
  - There is a configurable dedicated threshold per port/queue.
  - There is a configurable global maximum shared threshold.
  - The shared pool is automatically adjusted by the DTS algorithm.

DTS Parameters

The parameters used to tune DTS are:

• SoftMin - Minimum shared buffer space given per port.
• SoftMax - Maximum shared buffer that a port can consume from the shared pool.
• Port Soft Start - Time when the SoftMax starts to decrease.
• Port Soft End - Time when the SoftMin and SoftMax are equal.

DIAGRAM DTS Parameters in Use

For more information on DTS buffer configuration, please refer to Cisco.com.

Hardware Queues

By default, the Catalyst 9000 series implements a two-queue structure with a strict priority queue, which matches a fixed set of five DSCP values, and a normal queue, which matches all other DSCP values.

Users may re-configure hardware queuing up to eight queues with three thresholds per queue. Two queues may be used for differentiated priority queuing. Each port on a Catalyst 9000 may have its own egress queuing policy. The switch uses Weighted Round-Robin (WRR) to schedule egress traffic from its transmit queues.

Congestion Management

The Catalyst 9000 series adds the Weighted Random Early Discard (WRED) algorithm to its queuing process. WRED helps minimize the impact of dropping high-priority traffic during congestion. On a port, up to four queues may use WRED.

Note: The priority queue cannot use WRED.

QoS and Queuing in the UADP ASIC

This section describes how the various QoS and queuing processes are applied to a packet as it traverses the UADP.

The packet walk for QoS can be split into four main parts:

1. Ingress classification, policing and marking.
2. Queueing to the stack interface.
3. Egress queueing and scheduling.
4. Egress classification, policing and marking.

The diagram below depicts these four parts, and the remainder of this section explores each step in detail.

DIAGRAM UADP ASIC QoS and Queuing Packet Walk

Ingress Classification, Policing and Marking

This subsection refers to the first processing block in the QoS and queuing packet walk diagram above.

QoS processing begins when a port receives a packet and checks its markings. Ingress packet markers are trusted by default. If the default trust behavior is undesired, the UADP can classify the packet and apply policing or remarking at line rate.

The table below highlights the default trust and queueing behavior.

TABLE Default Trust and Queuing Behavior

Incoming Packet   Outgoing Packet   Trust Behavior                    Queuing Behavior
Layer 3           Layer 3           Preserve DSCP/Precedence          Based on DSCP
Layer 2           Layer 2           Not applicable                    Based on CoS
Tagged            Tagged            Preserve DSCP and CoS             Based on DSCP (trust DSCP takes precedence)
Layer 3           Tagged            Preserve DSCP, CoS is set to 0    Based on DSCP

The Catalyst 9000 family of switches classifies traffic based on the types below and can use logical constructs, i.e. AND or OR, between multiple classification parameters:

• ACLs
• DSCP
• IP Precedence
• CoS
• EXP
• TCP/UDP Ports
• NBAR protocols
• Per VLAN

Policers and Burst Rates

Rate and Burst are the two key parameters which are used implicitly in the policing configuration. With a single-rate two-color policer, the rate, also referred to as the Committed Information Rate (CIR), is defined as the maximum amount of data that can be forwarded in a given interval. The burst is an indication of how much the CIR can be exceeded. A dual-rate three-color policer may also specify a Peak Information Rate (PIR), which is the peak rate allowed above CIR. The max burst is an indication of how much the PIR can be exceeded.

The Catalyst 9000 series supports both 1R2C and 2R3C policers.
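To make the rate/burst and CIR/PIR terms concrete, here is an added token-bucket implementation of both policer types, written for this page (it is not Cisco's code and does not claim to reproduce the UADP's internal policer). A single-rate two-color (1R2C) policer is modelled as one bucket filled at CIR with a depth equal to the burst; a dual-rate three-color (2R3C) policer adds a second bucket filled at PIR with a depth equal to the max burst, following the usual color-blind two-rate marker. The rates, burst sizes and packet timings in the demos are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum color { GREEN = 0, YELLOW = 1, RED = 2 };   /* conform / exceed / violate */

struct policer {
    uint64_t cir_bps;  /* Committed Information Rate, bytes per second */
    uint64_t bc;       /* committed burst: depth of the CIR bucket, bytes */
    uint64_t pir_bps;  /* Peak Information Rate, bytes per second; 0 => 1R2C */
    uint64_t be;       /* max (peak) burst: depth of the PIR bucket, bytes */
    uint64_t tc, tp;   /* tokens currently in the committed / peak buckets */
    uint64_t last_us;  /* timestamp of the last refill, microseconds */
};

static void policer_init(struct policer *p, uint64_t cir, uint64_t bc,
                         uint64_t pir, uint64_t be)
{
    p->cir_bps = cir; p->bc = bc;
    p->pir_bps = pir; p->be = be;
    p->tc = bc;       p->tp = be;        /* buckets start full */
    p->last_us = 0;
}

/* Add the tokens earned since the last packet, never beyond bucket depth. */
static void policer_refill(struct policer *p, uint64_t now_us)
{
    uint64_t dt = now_us - p->last_us;
    p->last_us = now_us;
    p->tc += dt * p->cir_bps / 1000000u;
    if (p->tc > p->bc) p->tc = p->bc;
    if (p->pir_bps) {
        p->tp += dt * p->pir_bps / 1000000u;
        if (p->tp > p->be) p->tp = p->be;
    }
}

/* Colour one packet of `len` bytes arriving at now_us. */
static enum color policer_apply(struct policer *p, uint64_t now_us, uint64_t len)
{
    policer_refill(p, now_us);
    if (p->pir_bps) {                         /* 2R3C: peak bucket is checked first */
        if (len > p->tp) return RED;          /* above PIR + max burst: violate */
        p->tp -= len;
        if (len > p->tc) return YELLOW;       /* within PIR but above CIR: exceed */
        p->tc -= len;
        return GREEN;
    }
    if (len > p->tc) return RED;              /* 1R2C: only conform or exceed */
    p->tc -= len;
    return GREEN;
}

/* Run a constructed burst through a policer and return the colours as a
 * string of G/Y/R, one character per packet. */
static const char *run_demo(struct policer *p, const uint64_t *times_us,
                            uint64_t len, int count, char *out)
{
    for (int i = 0; i < count; i++)
        out[i] = "GYR"[policer_apply(p, times_us[i], len)];
    out[count] = '\0';
    return out;
}

/* 2R3C: CIR 1 MB/s (bc 1500 B), PIR 2 MB/s (be 3000 B); four 1000-byte
 * packets back to back, then one more 1 ms later. */
static const char *demo_two_rate(void)
{
    static char out[6];
    static const uint64_t times[5] = {0, 0, 0, 0, 1000};
    struct policer p;
    policer_init(&p, 1000000, 1500, 2000000, 3000);
    return run_demo(&p, times, 1000, 5, out);
}

/* 1R2C: CIR 1 MB/s (bc 1500 B); three 1000-byte packets back to back,
 * then one more 0.5 ms later. */
static const char *demo_single_rate(void)
{
    static char out[5];
    static const uint64_t times[4] = {0, 0, 0, 500};
    struct policer p;
    policer_init(&p, 1000000, 1500, 0, 0);
    return run_demo(&p, times, 1000, 4, out);
}

int main(void)
{
    printf("2R3C colours: %s\n", demo_two_rate());     /* GYYRG */
    printf("1R2C colours: %s\n", demo_single_rate());  /* GRRG */
    return 0;
}
```

The burst is what lets the first packets of an idle flow through at full rate; once the committed bucket is drained, the 2R3C policer still has the peak bucket to mark traffic yellow instead of dropping it outright, which is the distinction the text draws between the two policer types.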

DIAGRAM Catalyst 9000 Policer Types

UADP ASIC Interconnect Queuing

This subsection refers to the second processing block in the QoS and queuing packet walk diagram above.

The UADP ASIC interconnect is a point-to-point connection between multiple UADP ASICs. These connections can be on the same switch or to a stack cable leading to a separate switch. An ingress queuing scheduler (IQS) performs congestion management and provides scheduling and queuing for packets destined to other UADP ASICs. Packets with priority labels are enqueued first on to the ASIC Interconnect.

Egress Queueing and Scheduling

This subsection refers to the third processing block in the QoS and queuing packet walk diagram above.

As discussed earlier, the Scheduler is a function of the EQS block which provides multiple port queues, buffers and thresholds allocated to the queues.

Port Queues

With Catalyst 9000 switches, each port supports up to eight egress queues, two of which can be configured as priority queues. Weighted Round Robin (WRR) techniques are employed to empty the transmit queues in proportion to the assigned weights. The Catalyst 9000 manages buffers and congestion using DTS and WRED, respectively, as described in the previous section.
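The scheduling rule in that paragraph, as an added simulation written for this page (not Cisco's code, and not a model of the UADP's actual scheduler): a strict-priority queue is always drained first, and the remaining queues are served in weighted round-robin, each getting as many transmit opportunities per round as its weight. The four-queue layout, the weights 1:2:4 and the backlog sizes are constructed for the demonstration; the real hardware offers eight queues and up to two priority queues, as the text states.

```c
#include <stdio.h>
#include <string.h>

#define NQUEUES 4

/* One egress port: queues 0..priority_queues-1 are strict priority,
 * the rest share the remaining bandwidth by WRR weight. */
struct port_sched {
    int depth[NQUEUES];    /* packets waiting in each queue */
    int weight[NQUEUES];   /* WRR weight (ignored for priority queues) */
    int credit[NQUEUES];   /* transmit opportunities left in this WRR round */
    int priority_queues;   /* number of leading strict-priority queues */
    int cursor;            /* where the round-robin scan resumes */
};

static void sched_init(struct port_sched *s, int priority_queues, const int *weights)
{
    memset(s, 0, sizeof *s);
    s->priority_queues = priority_queues;
    for (int q = 0; q < NQUEUES; q++) {
        s->weight[q] = weights[q];
        s->credit[q] = weights[q];
    }
}

/* Choose the queue that transmits next, or -1 when every queue is empty. */
static int sched_next(struct port_sched *s)
{
    for (int q = 0; q < s->priority_queues; q++)     /* priority queues win outright */
        if (s->depth[q] > 0) { s->depth[q]--; return q; }

    int nwrr = NQUEUES - s->priority_queues;
    for (int pass = 0; pass < 2; pass++) {
        for (int i = 0; i < nwrr; i++) {              /* rotate through WRR queues */
            int q = s->priority_queues + (s->cursor + i) % nwrr;
            if (s->depth[q] > 0 && s->credit[q] > 0) {
                s->depth[q]--;
                s->credit[q]--;
                s->cursor = (s->cursor + i + 1) % nwrr;
                return q;
            }
        }
        /* Nobody had both packets and credit: start a new round, then retry once. */
        int backlog = 0;
        for (int q = s->priority_queues; q < NQUEUES; q++) {
            s->credit[q] = s->weight[q];
            backlog |= (s->depth[q] > 0);
        }
        if (!backlog) return -1;
    }
    return -1;
}

/* Constructed backlog: 2 packets in the priority queue, 20 in each WRR
 * queue with weights 1:2:4. Serve `slots` opportunities and count them. */
static int demo_counts(int slots, int counts[NQUEUES])
{
    static const int weights[NQUEUES] = {0, 1, 2, 4};
    struct port_sched s;
    sched_init(&s, 1, weights);
    s.depth[0] = 2;
    s.depth[1] = s.depth[2] = s.depth[3] = 20;
    memset(counts, 0, sizeof(int) * NQUEUES);
    int served = 0;
    for (int i = 0; i < slots; i++) {
        int q = sched_next(&s);
        if (q < 0) break;
        counts[q]++;
        served++;
    }
    return served;
}

/* A packet that lands in the priority queue mid-round is sent next. */
static int demo_priority_preempts(void)
{
    static const int weights[NQUEUES] = {0, 1, 2, 4};
    struct port_sched s;
    sched_init(&s, 1, weights);
    s.depth[1] = s.depth[2] = s.depth[3] = 5;
    sched_next(&s); sched_next(&s);   /* two WRR transmissions */
    s.depth[0] = 1;                   /* priority traffic arrives */
    return sched_next(&s);
}

int main(void)
{
    int c[NQUEUES];
    int served = demo_counts(16, c);
    printf("served %d: q0=%d q1=%d q2=%d q3=%d\n", served, c[0], c[1], c[2], c[3]);
    return 0;
}
```

After the two priority packets, every 7 transmit opportunities split 1:2:4 across the weighted queues, and a queue whose neighbours are empty simply collects the unused opportunities in the next round; that is why a priority queue must be policed (as in the HQoS examples later in this chapter), since nothing in the scheduler itself stops it from starving the others.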

DIAGRAM Port Queuing Parameters

Queue Buffers: Each queue needs to consume a certain amount of buffer memory space to store the transmit data. The deeper the queue, the more traffic it can hold. Usage of buffers induces latency, since they are queuing the packets to be transmitted.

Queue Thresholds: Thresholds are arbitrary internal levels assigned by the switch port that define utilization points in the queue at which the congestion management algorithm can start dropping data. The priority of the packet determines which data is eligible to be dropped when a threshold is reached. DSCP or CoS are used to assign traffic to each threshold. In this way, when the threshold is exceeded, the congestion management algorithm immediately knows which packets with which priority values are eligible to be dropped. On the Catalyst 9000 ports, each queue has three configurable threshold values.

Shapers: Shapers typically delay excess traffic using a buffer or queueing mechanism to hold packets and shape the flow when the data rate of the source is higher than expected. In contrast, policers will drop the traffic right away, while shapers will try to buffer it first. Shapers are applied on the hardware queues in the Catalyst 9000.

Egress Classification, Policing and Marking

This subsection refers to the fourth processing block in the QoS and queuing packet walk diagram above.

Egress classification, policing and marking are exactly the same as ingress processing, with one key difference: the original header can be used only if the ingress path has not modified the header's QoS marker; otherwise, the ingress marking is used.

Hierarchical QoS

Hierarchical QoS (HQoS) allows two policy levels to be configured for QoS, thus allowing for greater policy granularity. Hierarchical policies can be viewed as a parent policy at the top level and a child at the bottom level. Administrators can use HQoS to:

• Allow a parent class to shape multiple queues in a child policy.
• Apply specific policy-map actions to the aggregate traffic.
• Apply class-specific policy-map actions.

One of the key advantages of Catalyst 9000 switches is the support for HQoS in hardware.

The Catalyst 9000 supports four HQoS combinations:

1. Port shaper.
2. Aggregate policer.
3. Per-port, per-VLAN policy.
4. Parent using shaper.

Port Shaper

An HQoS port shaper applies a shaper to all egress traffic using class-default. Within this shaped bandwidth, additional child policies can be specified.

The following CLI example demonstrates an HQoS port shaper configuration:

  policy-map PARENT
   class class-default
    shape average percent 10
    service-policy CHILD

  policy-map CHILD
   class VOICE
    priority level 1
    police rate percent 20
   class C1
    bandwidth remaining percent 10
   class C2
    bandwidth remaining percent 20
   class C3
    bandwidth remaining percent 70

Notes on HQoS port shapers:

• Only the class-default class can be used in the parent policy.
• Only one or two priority queues are allowed in the child policy.
• Different bandwidth per class in the child policy is permitted.

Aggregate Policer

An HQoS aggregate policer applies to all egress traffic using class-default. Within this policed bandwidth, additional child policies can be specified.

The following CLI example demonstrates an HQoS aggregate policer configuration:

  policy-map PARENT
   class class-default
    police cir percent 30
    service-policy CHILD

  policy-map CHILD
   class C1
    set dscp 10
   class C2
    set dscp 20
   class C3
    set dscp 30

Notes on the HQoS aggregate policer: A table-map can be used as a set action in the child policy.

Per-port, per-VLAN Policy

Multiple HQoS parent policers are applied, with each policer matching a VLAN as its classifier. Within each VLAN's individual policed bandwidth, additional child policies may be applied.

The following CLI example demonstrates an HQoS per-port, per-VLAN configuration:

  policy-map PARENT
   class vlan10
    police rate percent 10
    service-policy CHILD
   class vlan20
    police rate percent 20
    service-policy CHILD
   class vlan30
    police rate percent 30
    service-policy CHILD

  policy-map CHILD
   class C1
    set dscp 10

Notes on the HQoS per-port, per-VLAN policy:

• A table-map can be used as a set action in the child policy.
• Multiple classes under a parent policy are permitted.
• Shaping can be used instead of per-VLAN classification.

Parent Using Shaper

Multiple HQoS shapers are applied under the parent policy, with each shaper matching a traffic class. Within each individually shaped bandwidth, additional child policies may be applied.

The following CLI example demonstrates an HQoS parent-using-shaper configuration:

  policy-map PARENT
   class C1
    shape average percent 10
    service-policy CHILD
   class C3
    shape average percent 20
    service-policy CHILD
   class class-default
    shape average percent 30
    service-policy CHILD

  policy-map CHILD
   class C1
    police rate percent 10
    set dscp 10

Notes on the HQoS parent using shaper: A table-map can be used as a set action in the child policy.

QoS for Stackwise Virtual

Catalyst 9000 series switches running Stackwise Virtual follow the same rules as a standalone switch, except for the special ports used to form the Stackwise Virtual Link (SVL). The SVL is treated as an internal system link. As a result, its configuration, mode of operation, resiliency, Quality of Service (QoS) and load sharing all follow a special set of rules. The SVL port QoS and queuing mechanisms are hard-coded. The SVL port will not apply any custom QoS or queuing policy.

The following diagram illustrates the default policy applied on the SVL.

DIAGRAM Stackwise Virtual Link QoS

For more information on QoS for Stackwise Virtual, refer to cisco.com.

QoS for Overlay Technologies

Modern switching networks use virtual network overlays to support mobility, segmentation, and programmability at scale. Overlays are a key enabler of SD-Access.

GRE and VXLAN QoS

GRE and VXLAN are overlay technologies which encapsulate the original IP packet / frame with an outer IP packet header, without modifying the original payload.

GRE and VXLAN Encapsulation in the UADP ASIC

In GRE encapsulation, the original IP packet is encapsulated with the new IP and GRE header, and the ToS byte value from the inner IP header is copied to the outer IP header. GRE interfaces do not support QoS policies on ingress.

In VXLAN encapsulation, the original L2 frame is encapsulated with a new IP and VXLAN header, and the ToS byte value from the inner IP header, which is part of the original L2 frame, is copied to the outer IP header.

The egress queuing is based on the original copied header values.

DIAGRAM QoS Marking for GRE / VXLAN Overlay Encapsulation

Note: The queueing actions are applied before egress policing / marking actions. Refer to the earlier sections for more detail on egress QoS behavior in the UADP.

GRE and VXLAN Decapsulation in the UADP ASIC

In both cases, when a QoS policy is applied on an ingress interface where packets arrive encapsulated, only the outer header is used for classification and QoS only affects the outer header. The inner packet will not be changed and retains the original marking. The actual GRE/VXLAN tunnel interfaces do not support QoS policies on egress.

When a QoS policy is applied on an egress interface where the original (decapsulated) packet leaves, the policy will affect the original packet.

DIAGRAM QoS marking for GRE / VXLAN Overlay Decapsulation

For more information on QoS on GRE overlays and the related RFC, please refer to cisco.com.

For more information on QoS on VXLAN overlays and the related RFC, please refer to cisco.com.

MPLS QoS

MPLS overlays use the MPLS experimental bits (EXP) field in the MPLS header for QoS treatment. In an IP network, the DSCP (a 6-bit field) defines a class and drop precedence. The EXP bits can be used to carry some of the information encoded in the IP DSCP and can also be used to encode the dropping precedence.

By default, Cisco IOS XE copies the three most significant bits of the DSCP or the ToS field of the IP packet to the EXP field in the MPLS header. However, you can also set the EXP field by defining a mapping between the DSCP or ToS and the EXP bits.

There are three modes used to map DSCP or ToS to EXP:

• Uniform mode (default) – has only one layer of QoS, end-to-end.

The ingress PE router copies the DSCP from the incoming IP packet into the MPLS EXP bits of the imposed labels. As the EXP bits travel through the core, the bits may or may not be modified by intermediate P routers. In case of modification, the new EXP value is copied back to the DSCP bits of the IP packet.

• Full Pipe mode – uses two layers of QoS: an underlying QoS for the data, which remains unchanged when traversing the ASIC core; and per-hop QoS, which is applied to the outer header, separate from the underlying IP packets.

When an IP packet reaches the edge of the MPLS network, the egress PE router classifies the newly exposed IP packets for outbound queuing based on the EXP bits from the removed MPLS label. The inner IP packet DSCP bits are not modified.

Below is a brief description of the various MPLS QoS modes:

TABLE MPLS QoS Modes

Tunneling Mode                               IP to Label                      Label to Label                             Label to IP
Uniform                                      Copy ToS/DSCP into MPLS EXP      MPLS EXP may be changed by SP              MPLS EXP copied to IP ToS/DSCP
Pipe                                         MPLS EXP set by SP QoS policy    MPLS EXP may be changed by SP QoS policy   Original ToS/DSCP preserved (egress queuing based on MPLS EXP)
Short-Pipe (not supported on Catalyst 9000)  MPLS EXP set by SP QoS policy    MPLS EXP may be changed by SP QoS policy   Original ToS/DSCP preserved (egress queuing based on ToS/DSCP)

For more information on MPLS QoS and the related RFC, please refer to cisco.com.

Application Visibility & Control

Overview

Network engineers are asked to enforce end-to-end, business-aligned policies to achieve target performance, as well as to quickly isolate and resolve application performance problems. Network engineers need detailed oversight of the different types of applications running on the network to optimize business-relevant traffic performance.

The Cisco Catalyst 9000 switches support the Application Visibility and Control (AVC) solution, which truly offers innovative and powerful capabilities for application awareness for business-critical applications in enterprise networks. The Cisco AVC solution leverages multiple technologies to recognize, analyze, and control a large number of applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications.

Cisco AVC has three main functions:

• recognition for granular detection of applications in the network beyond Layer 4,
• ability to prioritize business-relevant versus business-irrelevant traffic, and
• control by prioritizing application bandwidth, especially for business-relevant traffic.

Application Recognition

The technology used in AVC to identify applications is next-generation Network-Based Application Recognition (NBAR2).

NBAR2

NBAR2 provides native stateful deep packet inspection (DPI) capabilities, enhancing the application recognition engine to support more applications, including encrypted applications.

NBAR2 provides powerful capabilities, including:

• Categorizing applications, such as category, sub-category, and application group.
• Field extraction of data such as HTTP URL, SIP domain, and mail server.
• Customized definition of applications, based on ports, payload values, or HTTP URL/Host.
• Customizable attributes for each protocol.

AVC can be configured on wired access ports for both standalone and stacked switches. Catalyst 9000 switches use performance-optimized NBAR2, in which only a few packets are needed to identify the application, reducing the impact on the switch CPU. In a Catalyst 9000 stack, NBAR2 detection runs on each stack member, scaling the solution as more members are added.

NBAR2 can be activated for application visibility explicitly on an interface by enabling protocol discovery, and for application policy by attaching a QoS policy that contains a match protocol classifier.

Application Monitoring

Monitoring of applications is available through the CLI or WebUI.

The CLI provides accumulated statistics over time.

- The CLI command is: show ip nbar protocol-discovery top-n

The switch WebUI provides statistics for the most recent hours at minute-level granularity.

DIAGRAM Catalyst 9000 WebUI

AVC monitoring with Flexible NetFlow

Flexible NetFlow (FNF) can be configured on an interface to provide application statistics for the interface. The AVC solution is compatible with NetFlow and IPFIX.

FNF enables customizing traffic analysis parameters according to specific requirements.

In Catalyst 9000 switches, FNF collection is performed in hardware with the UADP ASIC. In a Catalyst 9000 stack of switches, FNF collection runs on each member of the stack, scaling the solution as more members are added.

Application Control

Cisco Quality of Service (QoS) provides prioritization, shaping, and rate-limiting of traffic, which is used by the control portion of AVC.

QoS can place designated applications into specific QoS classes/queues. This enables:

• Placing high-priority, latency-sensitive traffic into a priority queue.
• Guaranteeing a minimum bandwidth for an individual application or for a group of applications within a QoS traffic class.

QoS can use application information provided by NBAR2 in managing network traffic. The QoS class-map statements enable matching to NBAR2-supported applications and L7 application fields such as HTTP URL or Host, as well as to NBAR2 attributes. Class-map statements can coexist with all other traditional QoS match attributes, such as IP, subnet, and DSCP.

In Catalyst 9000 switches, QoS enforcement is performed in hardware with the UADP ASIC.

IoT

Overview

The Internet of Things is one of the fastest growing industry trends, and it is driving important innovations in existing technologies such as Power over Ethernet (PoE), as well as new technologies and solutions such as Audio Video Bridging (AVB), DNA Service for Bonjour, and Application Hosting. Application Hosting is covered in a dedicated section.

For more information on IoT, please visit www.cisco.com/go/iot.

Power over Ethernet Innovations

Power over Ethernet (PoE) is used ubiquitously in network deployments today. PoE serves as a foundational technology in many modern network deployments, supporting devices such as IP phones, access points, IP-based cameras, and other devices. PoE not only provides data connectivity over their Ethernet connecting cable, but also the power allowing the device to operate. PoE removes the need for wall sockets to power each PoE-enabled device and eliminates the cost of additional electrical cabling and circuits.

From the original Cisco proprietary Inline Power (ILP) implementation, which was limited in the maximum PoE power it could deliver, PoE has now been standardized as IEEE 802.3af (typically known simply as "PoE"), supporting up to 15.4 W, and IEEE 802.3at (known as "PoE+"), supporting up to 30 W. The increase in total available PoE power, as well as the standardization of the PoE approach, has allowed the proliferation of a large and thriving ecosystem of PoE-powered devices.

Today, PoE power is typically used throughout all enterprise network environments, big and small. Its benefits are the convenience that PoE provides for device attachment and use, along with the resiliency it creates for the powered device infrastructure. For example, one UPS backup power supply in a central wiring closet now protects all downstream powered devices from interruption.

Catalyst 9300 and 9400 switches support both PoE and PoE+. Depending on the capacity and density of the power supplies in use, these levels of power may be available on all or a subset of the ports. Cisco's innovation with StackPower in the Catalyst 9300 platform also allows for sharing PoE power across multiple stackable switches. This provides a significant benefit in the number of powered devices and high availability on the network.

Current developments with PoE - UPoE

Cisco has pioneered PoE since its inception, driving new advances to the standard and setting the stage for the next phase of PoE innovation. As powered device requirements push beyond the 30 W maximum power defined by 802.3at, Cisco has led the way with the definition and deployment of UPoE (Universal PoE). UPoE provides for up to 60 W of PoE power. While UPoE is a Cisco-proprietary solution, it nevertheless is a very useful innovation for powered devices that require more PoE power, such as virtual desktop terminals, IP turrets, compact switches, building management gateways, LED lights, wireless access points, and IP phones.

Both Catalyst 9300 switches and Catalyst 9400 line card models that support UPoE power options are available. Cisco provides for PoE, PoE+, and UPoE power options, not just on 1G copper switch ports but also on Multigigabit ports, allowing devices to be accommodated that need both higher throughput and a higher level of PoE power.

For more details on PoE, please visit www.cisco.com/go/poe.

Note: The PoE hardware on the Catalyst 9300 switches and the Catalyst 9400 is 802.3bt capable.

New Innovations - Fast PoE and Perpetual PoE

As the use of PoE has proliferated, so have the use cases in which it is used. One of the newer and more innovative uses of PoE is actually to power building lighting fixtures, for example using PoE+ or UPoE ports as the single power source for commercial and industrial lighting.

Why would one do this versus the traditional method of providing power for lights?

• Lower-powered lighting fixtures can operate more efficiently using 60 W UPoE power than traditional lighting systems.
• PoE-delivered power uses low-cost Cat5e/6/6a cabling as compared to more expensive traditional electrical wiring.
• PoE-delivered DC power is more efficient for use with many new electrical fixtures compared with AC-delivered power.

Additional uses to which PoE is being put include powering IoT devices in building systems, such as building controls, thermostats, HVAC control systems, door locks, badge readers, and many similar items of critical building infrastructure.

To support these business-critical deployments, Cisco has created two new deployment modes for PoE: Fast PoE and Perpetual PoE.

The goal of Fast PoE is to provide PoE power rapidly during the switch boot-up process. Rather than waiting for the entire Cisco IOS XE control plane to load, Fast PoE aims to provide PoE power to attached devices within seconds after power is applied to the switch. This is especially important to help bring IoT and other similar devices online as quickly as possible after a power outage, rather than waiting several minutes for a full reload of the switch to complete.

Perpetual PoE has a similar but slightly different goal. The aim of Perpetual PoE is to keep PoE power available to downstream devices even during a Cisco IOS XE control plane reload, ensuring continuity of power for attached devices. For example, if the switch were to be reloaded, as during a software upgrade, it is undesirable to power down critical attached devices such as lighting fixtures during the reload cycle.

AVB - Audio Video Bridging

In the past, audio and video (AV) deployments have traditionally relied on analog, point-to-point infrastructures for implementation and deployment. With the migration of AV to digital transmission, these infrastructures have largely retained their point-to-point nature. This deployment model has traditionally resulted in very cumbersome and expensive deployments that created significant operational challenges. Proposed solutions to these digital implementation issues were often non-standard, expensive, and came with a significant operational burden.

Ethernet was widely viewed as a new way forward for AV implementation, one that could offer a common medium for digital AV data interchange, and do so flexibly and inexpensively. Ethernet was not, however, designed for the low-latency, predictable, lossless requirements of digital AV.

This is the genesis of the Audio Video Bridging (AVB) set of standards. These consist of the following major areas:

• IEEE 802.1Qat: Stream Reservation Protocol (SRP) / Multiple Stream Reservation Protocol (MSRP). These provide an end-to-end admission control system required for the carriage of AV streams, ensuring the availability of resources such as bandwidth and latency.

• IEEE 802.1Qav: Forwarding and Queuing for Time-Sensitive Streams (FQTSS). Provides an AV traffic scheduling mechanism.

• IEEE 802.1AS: Generalized Precision Time Protocol (gPTP). Provides synchronization and timing for time-sensitive applications on L2 devices. gPTP is based on the IEEE 1588 Precision Time Protocol (PTP) standard.

• IEEE 802.1BA: Defines profiles for features, options, configurations, defaults, protocols, and procedures for AVB devices.

For more information on AVB, please visit www.cisco.com/go/avb.

The AVB standard is supported on Catalyst 9000 series switches, as well as on other Catalyst platforms. With an AVB-capable endpoint and switch, analog AV signals are aggregated at AVB endpoints and transmitted on the Catalyst-based infrastructure. As a system, AVB is a cost-effective and flexible solution to collapse AV infrastructures onto reliable, simple Ethernet media.

AVB is an important part of the future of digital media production, and the Catalyst 9000 series offers support for this important set of standards.

DNA Service for Bonjour

The Apple Bonjour protocol is widely used in campus environments such as education and retail for device discovery and simplified connectivity to network services. Based on the Multicast DNS (mDNS) standard, Bonjour is widely used with many devices and service types, including, for example, many Apple devices, to provide easy discovery of devices and simplified device attachment.

The Bonjour protocol is optimized for "plug and play" use in home and small office deployments, and is almost too simple for enterprise use. The mDNS protocol uses link-layer multicast for device and service discovery, and is inherently not routable, being limited to the local L2 broadcast domain (i.e. one hop only). This, of course, limits the deployability and use of the Bonjour protocol in larger enterprise networks, which are inherently based on routed infrastructures.

For more information on Bonjour and mDNS, please visit www.cisco.com/go/mdns.

To address this challenge, Cisco introduced Service Discovery Gateway (also known as Bonjour Gateway) services into various switching and routing platforms with Cisco IOS XE. The goal of the Service Discovery Gateway capability on these platforms is to allow reachability to Bonjour-announced services, even when the Bonjour client and the offered service are located in different L3 IP subnets on the same network device.

To extend this, DNA Service for Bonjour scales this capability up to a network-wide application that runs on DNA Center and, critically, provides policy-based access to Bonjour services across the entire enterprise network. One of the significant challenges that must be addressed is limiting advertisement of the many various services and devices, based on policy. For example, in a public school, it may be desirable for the teacher to have the ability to connect to an Apple TV device to display classroom content, while also ensuring that students attached to the same network do not have this capability.

Note: Policy-based filtering of Bonjour mDNS advertisements is not supported by the native Bonjour protocol on its own.

However, by combining Cisco's Service Discovery Gateway and DNA Service for Bonjour running on DNA Center, an administrator can enable scalable Bonjour services across their entire enterprise environment, with a powerful set of policy-based access controls to Bonjour-announced resources.

User Centric Platform Design

Overview

In the Catalyst 9000 family, the usability of the platforms has been a key design consideration. This is very important, since the cost of operating the network is much higher than the cost of the initial purchase of the products. Catalyst 9000 adds usability improvements on the hardware side such as RFID, Blue Beacon, and Bluetooth Console, and software improvements such as WebUI and Flexible Templates.

RFID

Inventory management for a large number of switches is time-consuming. Labeling/tagging each switch and manually entering all the information into an inventory database can delay the provisioning of the device.

Keeping track of network devices and their components has now been made much easier with the Catalyst 9000. Cisco has front-facing UHF Radio Frequency Identification (RFID) technology to provide the latest auto-ID capabilities for asset management, location, and tracking. The RFID tag does not need to be visible to be read with a scanner, as long as the tag is within range of the scanner.

The Catalyst 9000 family is integrated with passive Serialized Global Trade Item Number (SGTIN-96) encoded RFID tags. On the Catalyst 9400, every component, such as supervisor engines, line cards, power supplies and fan tray, has RFID tags. Since Catalyst 9000 RFID tags are passive tags, an additional power source is not required. The process is powered by the signal from the RFID reader, and multiple tags can be read simultaneously.

The RFID tags contain the required device information for inventory management, including serial number, Product ID and manufacturing date, etc. The Cisco RFIDs provide a user partition, where the inventory managers can store their own custom data with password protection. Cisco IOS XE cannot read or change any information in the RFID tag, which is only manageable by an RFID system.

Please refer to the RFID white paper on Cisco.com for more details.

Blue Beacon

When troubleshooting, configuring, or moving equipment in a large enterprise, it might be difficult to locate a particular device. To help identify the device, Cisco has placed a blue beacon LED on the Catalyst 9000 family. This blue beacon can be turned on and off, either via the Command-Line Interface (CLI) or manually via a button on the device. Every time the blue beacon is turned on or off, the device generates a Syslog message.

On the stackable Catalyst 9300 series, blue beacon LEDs are located on both front and back. When the switches are stacked, the blue beacon of every member can be managed individually.

On the Catalyst 9500 series, there is only one blue beacon LED, located on the front of the chassis.

On the Catalyst 9400 series, the fan tray, supervisors, line-card modules, and power supplies each have their own addressable blue beacon.

DIAGRAM Blue Beacon on Catalyst 9400

Bluetooth Console

Network administrators often use a console cable for onsite configuration. However, a console cable has distance limitations and is not convenient to use.

The Catalyst 9000 series has introduced optional Bluetooth console functionality to provide wireless console access. A Bluetooth dongle needs to be connected via the front panel USB port to enable a wireless interface which has the same capabilities as the wired Ethernet management interface. Bluetooth can be used for CLI access via SSH or Telnet, configuration via the WebUI, or to transfer images or config files.

WebUI

WebUI is a Graphical User Interface (GUI) device-management tool that provides the ability to configure and monitor a device. The WebUI tool is embedded in the system image at any license level. To enable WebUI on a device, configure the HTTP/S server and local or external server authentication.

DIAGRAM Catalyst 9000 WebUI

Flexible Templates

Flexible templates give Catalyst 9000 switches the option to be positioned in different roles in the network design. The UADP ASIC has the capability to optimize its hardware tables for specific network roles. For example, it is possible to reduce the entries for Security ACLs and use them for QoS ACLs instead. Flexible templates are represented in Cisco IOS XE as Switching Database Manager (SDM) templates.

Note: Catalyst 9300 supports only one default template, optimized for the access layer.

Shown below are the SDM templates available on Catalyst 9400 using Sup-XL and Catalyst 9500 using UADP 2.0 XL.

TABLE SDM Templates available per platform

| | Access / Distribution | Core | SDA | NAT |
|---|---|---|---|---|
| Purpose | Maximizes system resources for MAC and security | Maximizes system resources for unicast and multicast routing | Maximizes system resources to support fabric deployment | Maximizes system resources for Layer 3 and NAT to support collapsed core WAN deployments |
| Longest Prefix Match (v4 / v6) | 64,000 / 32,000 | 64,000 / 32,000 | 64,000 / 32,000 | 64,000 / 32,000 |
| Host routes (v4 / v6) | Up to 96,000 / 48,000 | Up to 144,000 / 72,000 | Up to 112,000 / 56,000 | Up to 112,000 / 56,000 |
| Multicast (v4 / v6) | 16,000 / 8,000 | 32,000 / 16,000 | 16,000 / 8,000 | 32,000 / 16,000 |
| MAC address | 64,000 | 16,000 | 16,000 | 16,000 |
| QoS ACL | 18,000 | 18,000 | 18,000 | 3,000 |
| PBR / NAT | 2,000 | 2,000 | 2,000 | 16,000 |

Shown below are the SDM templates available on Catalyst 9500 using UADP 3.0.

TABLE SDM Templates available per platform

| | Distribution | Core | SDA | NAT |
|---|---|---|---|---|
| Purpose | Maximizes system resources for MAC and security | Maximizes system resources for unicast and multicast routing | Maximizes system resources to support fabric deployments | Maximizes system resources for Layer 3 and NAT to support collapsed core WAN deployments |
| Longest Prefix Match / Host routes (IPv4 and IPv6) | 114,000 | 212,000 | 212,000 | 212,000 |
| Multicast (IPv4 and IPv6) | 16,000 | 32,000 | 32,000 | 32,000 |
| MAC address | 80,000 | 32,000 | 32,000 | 32,000 |
| QoS ACL | 16,000 | 16,000 | 16,000 | 8,000 |
| Security ACL | 27,000 | 27,000 | 27,000 | 20,000 |
| PBR / NAT | 3,000 | 3,000 | 2,000 | 15,500 |

Programmability and Automation

Overview

The following factors influence decision making from a configuration and operational point of view:

• Network infrastructures are growing rapidly in terms of the number of devices and applications.
• There is a need for more rapid innovation.
• There is a requirement to reduce OPEX and to increase productivity.
• There can be a lack of confidence that changes will be successful, usually due to insufficient testing.
• There are too many manual processes.

All these factors lead to a growing need for automation at every level, from device provisioning to fully automated configuration, management, monitoring, and troubleshooting of network devices and network infrastructures.

Programmability is a very loosely-defined term that arrived when Software Defined Networking (SDN) was introduced several years ago. In this book, the term programmability, and specifically network device programmability, is defined as the set of features provided by the network device Operating System to enable automation.

Cisco Solutions vs Do-It-Yourself (DIY)

The programmability features of Cisco IOS XE are very flexible and can be used in three main areas:

• Cisco Solutions: as outlined elsewhere, Cisco DNA Center and SD-Access provide a turnkey solution to automate and assure an entire campus network of wired and wireless devices. Cisco itself makes extensive use of programmability in DNA Center.

• 3rd-party integrations: 3rd-party software vendors can build their own network management tools and systems using the available open data models, APIs, and tools without direct interaction with Cisco.

• Do-It-Yourself (DIY): customers or partners can directly access the network device to build their own custom solution to automate every phase of the device lifecycle.

Device Provisioning

Cisco IOS XE provides several options for an automatic, accurate, consistent, repeatable provisioning process at a lower operating cost, and in a shorter deployment time than a traditional manual process:

• Preboot Execution Environment (PXE).
• Zero Touch Provisioning (ZTP).
• Cisco Network Plug and Play (PnP).

Preboot Execution Environment

Preboot Execution Environment (PXE) is a very common provisioning process used by system administrators to provision servers based on standard protocols such as BOOTP, DHCP, and TFTP. When the device boots up, instead of using the pre-loaded image, it sends a DHCP request to look for a PXE server. The PXE server sends an image to the device and the device boots up using the image just downloaded.

Cisco IOS XE provides PXE based on iPXE. iPXE is an Open Source version of PXE created to support additional protocols such as HTTP. It can run on both wired and wireless connections. The PXE process is frequently described as Network Boot.

Zero Touch Provisioning

When a device that supports Zero Touch Provisioning (ZTP) boots up and fails to find the startup configuration, either during the day-zero install or after erasing the configuration and rebooting, the device enters ZTP mode. The device locates a DHCP server, which provides the following details:

• IP address and Gateway.
• DNS server.
• IP address or URL of a TFTP or HTTP server (using a DHCP option).
• Python script name (using a DHCP option).

The device bootstraps itself using the IP address provided and enables Guestshell. The device then downloads the Python script from the TFTP or HTTP server to configure the device. Guestshell provides the environment for the Python script to run.

The provisioning logic implemented in the downloaded Python script is flexible and allows partial or full configuration of the devices in one or several phases, as well as image upgrade, patch management, etc. Using this option, you can roll out hundreds of switches which are fully customizable, without any manual configuration.

Cisco Network Plug and Play

Cisco Network Plug and Play (PnP) is the device provisioning turn-key solution integrated with many Cisco products and solutions such as APIC-EM and DNA Center.

Cisco PnP provides a simple, secure, unified, and integrated solution for enterprise network customers to ease new branch or campus device rollouts, or for provisioning updates to an existing network (Cisco routers, switches, and wireless devices) with a zero-touch deployment experience.

The Cisco PnP architecture and boot sequence are similar to ZTP, but instead of downloading a customized Python script, the configuration, image upgrades, and patches are managed using the provided GUI in APIC-EM or DNA Center. The entire process is fully automated.

Open Programmable Device APIs

Over the years, customers have been trying to build levels of automation based on the Command Line Interface (CLI) using different scripting languages such as Perl and TCL. CLI scripting has several limitations, including lack of transaction management, no structured error management, and an ever-changing structure and syntax of commands that make scripts fragile and costly to maintain. These are all side-effects of the fact that CLIs are designed to be used by humans and are not a programmatic interface.

SNMP was designed to overcome the drawbacks of automation based on CLI and was meant to be used for both configuration and operations, but in practice it is used mostly for device monitoring only. This is because the lack of a defined discovery process makes it hard to find the correct MIB modules. There is also a lack of MIBs with write permissions, limitations inherent in the use of the UDP protocol, and no useful standard security and commit mechanisms.

In computer programming, an Application Programming Interface (API) is a set of subroutine definitions, protocols, and tools for building application software. A good API makes it easier to develop a computer program by providing all the building blocks, which are then put together by the programmer. Software vendors and customers are looking for APIs which can provide key features such as structured data, error handling, and a variety of API management tools.

Network vendors such as Cisco have tried to introduce many different APIs over the years, from the very first NETCONF implementation, to WSMA, onePK, NX-API, and others. These APIs have not been widely adopted by customers for many different reasons, principally that they are vendor-proprietary.

These are the key reasons why Cisco has decided to build new APIs based on open standards like NETCONF and YANG data models for all of the main Operating Systems: Cisco IOS XE, Cisco NX-OS and Cisco IOS XR.

The diagram below illustrates an open standard API, with a common YANG data model infrastructure, built on top of the device-level features, to define both the device configuration and operational state. Different protocols such as NETCONF, RESTCONF, and gNMI can be used to interface with external automation software toolchains.

DIAGRAM Open Programmable Device APIs

Data Models

A data model is one of the most important components of open programmable APIs. It precisely defines the data structure, syntax and semantics of a given feature and is meant to solve the issue of unstructured data provided by CLIs.

YANG

Yet Another Next-Generation (YANG) is a data modeling language developed by the IETF to enable the reuse of data models across equipment from different network vendors. It is widely used by network operators to automate the configuration and monitoring of network devices. YANG is defined in an IETF RFC.

DIAGRAM YANG Models Example

As shown above, YANG data models can be considered as templates. YANG models need actual data in order to build operations that can be exchanged with a network device, in order to retrieve or change the device configuration or state.

Data Model Types

Note: The IETF standards make a distinction between configuration and operational data models.

A configuration data model is the set of writable data required to transform a system from its initial default state into its current state. Essentially, a configuration data model instructs the device to do certain things and can be easily mapped to the running configuration of a Cisco IOS XE device.

An operational data model is the set of read-only data (status information and statistics) on a device. The operational data model is comprised of what the device is actually doing and is mapped to the information traditionally provided by show commands.

Both configuration and operational data models can be further classified as either native or open data models.

Native data models are defined by networking vendors such as Cisco and are specific to an Operating System. For example, there are native models for Cisco IOS XE and native models for Cisco NX-OS.

Open models are defined by standards bodies such as IEEE and IETF or by working groups such as OpenConfig. A big advantage of using open models is that they are common across different Operating Systems and vendors, providing a consistent way to manage all devices.

Open models are a subset of native models. That is because the process of defining an open model is typically slower than the same process for native models. The main reason for this is that in order to define an open model, many parties need to agree upon the content and model structure, whereas vendors have the flexibility to define native models as they wish.

The approach followed by Cisco IOS XE is to provide a comprehensive list of IOS XE native data models and also provide open models as they become available. Open models in Cisco IOS XE are mapped to corresponding IOS XE native models. Therefore, Cisco customers are free to decide whether to use the open or the native model to manage a given feature.

Among the various open data models in existence, OpenConfig data models have recently become popular. OpenConfig is an informal working group of big network operators, led by Google, sharing the same goal of automating their networks.

Cisco publishes YANG data models in a common GitHub Repository which is updated every time a new release becomes available.

In addition to downloading the data models from the GitHub repository, Cisco IOS XE on Catalyst 9000 allows you to download them directly from the device as well. This feature is very useful, especially if the data models have been updated on the device using the patching process described in the High Availability chapter.

Tools, SDKs, Resources

Building API operations by hand is possible, but not very practical. This is why many tools have been created to navigate through the data models, validate them, and build API operations.

These are some of the most common tools available today:

• PYANG: Python library to validate and navigate models and automatically build documentation.

• YangExplorer: open source tool to easily start exploring the model and automate small tasks.

• YDK (YANG Development Kit): software development kit that provides an abstraction layer of the API modeled in YANG.

• Yang Catalog: a reference for all YANG modules available in the industry.

Device API Protocols

The various interface protocols supported by Cisco IOS XE on Catalyst 9000 devices share a common data model infrastructure. From a purely technical point of view, all of the protocols can be used to manage the same YANG data model, but of course that is not an easy-to-maintain approach.

The diagram below shows the main differences between the various API protocols at each layer of the stack, starting with the Transport (SSH vs HTTP vs HTTP/2), the different encoding formats used for the Remote Procedure Calls (RPCs), as well as the different sets of operations.

DIAGRAM Comparison of Device API Protocols

Note: The YANG data model infrastructure is common across all of the Cisco IOS XE API Protocols.

Encoding Formats

All of the API protocols use Remote Procedure Calls (RPCs) for communication. A client running on an external server sends an RPC message to the network device and the network device replies with an RPC-reply message. The data payload of both RPC and RPC-reply is encoded using a format defined by the protocol. The most common encoding formats are:

• Extensible Markup Language (XML) is a text-based, human-readable format where the information exchanged is rendered using tags. It is very similar to HTML, but while HTML is used to build web pages, XML is used to describe data. NETCONF uses XML.

• JavaScript Object Notation (JSON) is an alternative to XML. It is also text-based and human-readable, but instead of using tags it uses key-value pairs, which make the data easier to parse. That is the reason JSON is usually preferred over XML. RESTCONF supports both JSON and XML.

• Google Remote Procedure Call (gRPC) is the open source version of the encoding format defined by Google for their own applications. It is proven to be very efficient and scalable. It is a binary format, making it non-human readable. It relies on protocol buffers to encode on the client side and decode on the server side. While gNMI supports a variety of encoding formats, gRPC is the suggested and most used format.

DIAGRAM RPC Encoding Formats

NETCONF

NETCONF is a popular network configuration protocol defined by the IETF to help network operators manage their networks. While most people think it is a new protocol, it has actually been around for a long time, and Cisco started supporting NETCONF in IOS more than a decade ago.

Since then, NETCONF has evolved considerably with the definition of a new set of IETF Requests For Comments (RFCs). The base NETCONF RFC defines the basics of NETCONF and introduced the concept of optional extensions. Examples of NETCONF extensions are the YANG data model language RFC and the Notifications RFC.

The NETCONF stack includes SSH transport and messages in the form of generic RPCs encoded using the XML format.

The main NETCONF operations are:

• <get>: to retrieve running configuration and device state information. Can be easily mapped to an IOS XE "show" command.

• <get-config>: to retrieve all or part of a specified configuration. Similar to an IOS XE "show run" command.

• <edit-config>: to change all or part of a configuration. Has the same behavior as using Cisco IOS XE config terminal mode.

RESTCONF

RESTCONF is a network configuration protocol like NETCONF, defined by the IETF in its own RFC.

The RESTCONF stack includes HTTP/HTTPS transport and messages in the form of generic RPCs like NETCONF, encoded using either the XML or the JSON format.

The RESTCONF operations are defined by the REST framework and can be easily mapped to the corresponding operations in NETCONF:

• GET: to retrieve a resource. Similar to a NETCONF <get> or <get-config>.

• POST: to create a new resource. Similar to an <edit-config> with the operation=create option.

• PUT: to create or modify a resource. Similar to an <edit-config> with operation=create/replace.

• DELETE: to delete a resource. Similar to an <edit-config> with operation=delete.

The target resource in all operations is defined using a standard URL, commonly used to reference web pages on the Internet.

gNMI

The Google Network Management Interface (gNMI) is an alternative protocol to NETCONF and RESTCONF for accessing YANG models.

While both NETCONF and RESTCONF are standards-based protocols defined by the IETF, gNMI is an open source network management protocol developed by Google. gNMI operations are:

• CAP: sent to the network device on first connect to discover device capabilities.

• GET: to retrieve the device configuration or state. Includes attributes such as Prefix, Paths and Data Type (Oper, Config, All).

• SET: to change the device configuration. Has the same attributes as GET except for Type (Update, Replace, Delete).
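The NETCONF operations and their RESTCONF equivalents described above, as an added Python example that is not code from the book or from Cisco: it builds the <get-config> and <edit-config> RPCs against the IETF ietf-interfaces model, derives the RESTCONF method, URL and JSON body that the text maps each one to, and parses a constructed rpc-reply, including a structured rpc-error. The device host name and the sample replies are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
IANA_NS = "urn:ietf:params:xml:ns:yang:iana-if-type"
DEVICE = "switch.example.invalid"   # constructed placeholder host name

# RESTCONF verb for each NETCONF operation, as mapped in the text above.
NC_TO_RC = {
    ("get", None): "GET",
    ("get-config", None): "GET",
    ("edit-config", "create"): "POST",
    ("edit-config", "replace"): "PUT",
    ("edit-config", "delete"): "DELETE",
}


def netconf_rpc(message_id, body):
    """Wrap an operation in the <rpc> envelope; message-id lets the client pair
    every reply with its request, a handle CLI scraping never gives you."""
    return f'<rpc message-id="{message_id}" xmlns="{NC_NS}">{body}</rpc>'


def get_config(message_id, interface=None):
    """<get-config> on the running datastore, optionally subtree-filtered to one
    interface: the NETCONF counterpart of 'show run interface <name>'."""
    flt = ""
    if interface:
        flt = (f'<filter><interfaces xmlns="{IF_NS}"><interface>'
               f"<name>{interface}</name></interface></interfaces></filter>")
    return netconf_rpc(message_id,
                       f"<get-config><source><running/></source>{flt}</get-config>")


def edit_config(message_id, interface, operation, description=None):
    """<edit-config> whose nc:operation attribute selects create/replace/delete."""
    desc = f"<description>{description}</description>" if description else ""
    iftype = f'<type xmlns:ianaift="{IANA_NS}">ianaift:ethernetCsmacd</type>'
    body = ("<edit-config><target><running/></target><config>"
            f'<interfaces xmlns="{IF_NS}">'
            f'<interface xmlns:nc="{NC_NS}" nc:operation="{operation}">'
            f"<name>{interface}</name>{iftype}{desc}</interface>"
            "</interfaces></config></edit-config>")
    return netconf_rpc(message_id, body)


def restconf_equivalent(nc_op, operation, interface, description=None):
    """The RESTCONF request matching a NETCONF operation: (method, url, json_body).
    List keys in the URL are percent-encoded, so 'GigabitEthernet1/0/1'
    becomes 'GigabitEthernet1%2F0%2F1'."""
    method = NC_TO_RC[(nc_op, operation)]
    base = f"https://{DEVICE}/restconf/data/ietf-interfaces:interfaces"
    payload = {"ietf-interfaces:interface": [
        {"name": interface, "type": "iana-if-type:ethernetCsmacd",
         "description": description}]}
    if method == "POST":                    # create: POST to the parent list
        return method, base, payload
    url = f"{base}/interface={quote(interface, safe='')}"
    return method, url, (payload if method == "PUT" else None)


def parse_reply(xml_text):
    """Return the interface names carried in an <rpc-reply>, or raise with the
    structured <rpc-error> fields (error-tag, error-message) NETCONF defines."""
    root = ET.fromstring(xml_text)
    err = root.find(f"{{{NC_NS}}}rpc-error")
    if err is not None:
        tag = err.findtext(f"{{{NC_NS}}}error-tag")
        msg = err.findtext(f"{{{NC_NS}}}error-message")
        raise RuntimeError(f"{tag}: {msg}")
    return [n.text for n in root.iter(f"{{{IF_NS}}}name")]


# Constructed replies in the shape an IOS XE device returns them.
SAMPLE_REPLY = (
    f'<rpc-reply message-id="101" xmlns="{NC_NS}"><data>'
    f'<interfaces xmlns="{IF_NS}">'
    "<interface><name>GigabitEthernet1/0/1</name><enabled>true</enabled></interface>"
    "<interface><name>Vlan1</name><enabled>false</enabled></interface>"
    "</interfaces></data></rpc-reply>")
SAMPLE_ERROR = (
    f'<rpc-reply message-id="102" xmlns="{NC_NS}"><rpc-error>'
    "<error-type>application</error-type><error-tag>data-missing</error-tag>"
    "<error-severity>error</error-severity>"
    "<error-message>interface Loopback100 not found</error-message>"
    "</rpc-error></rpc-reply>")


if __name__ == "__main__":
    print(get_config(101, "GigabitEthernet1/0/1"))
    print(edit_config(102, "Loopback100", "create", "added via NETCONF"))
    print(restconf_equivalent("edit-config", "create", "Loopback100", "added via NETCONF"))
    print(parse_reply(SAMPLE_REPLY))
```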

Model-Driven Telemetry

Network monitoring challenges

Automation solutions based on CLI and SNMP have, over time, proven to be incomplete, inefficient, and hard to scale and maintain. New requirements in terms of speed, scale, fault isolation, forensic analysis, and near real-time data availability are making legacy monitoring solutions insufficient for most organizations.

The new paradigm

Model-Driven Telemetry (MDT) has been designed to overcome the drawbacks and shortcomings of the legacy monitoring solutions described above. MDT provides structured data in the form of the same YANG data models described in the Open Programmable Device APIs section, in a scalable and efficient manner with a low impact on the network device.

MDT provides a new approach to network monitoring in which operational data is streamed continuously from network devices to an external collector, providing real-time access to statistics for monitoring the network. The data can be streamed on-change or at a periodic time interval.

Compared to an SNMP get request, which is a pull mechanism, MDT uses a push mechanism.

The Cisco IOS XE MDT implementation on Catalyst 9000 is based on the standard IETF PUB/SUB (publication/subscription) model.

To receive streaming data from the device, an external collector must set up a subscription to a data set in a YANG model. This can be created via an RPC subscription message. Once enabled on the device, it continuously sends data for the lifetime of that subscription. Publication is by streaming data to a destination using periodic or on-change notifications.

For periodic notifications, the data is streamed out to the destination at the configured interval. The period is the time, expressed in fractions of a second, between updates. This is a similar concept to SNMP "get" requests, but with all the benefits of the MDT push-based model at a much higher rate. Data that is expected to change at a high frequency, such as interface counters and CPU utilization, is best consumed via periodic publications.

For on-change notifications, the data is published only when a change occurs. On-change publication is best utilized for data that is not expected to change at a high frequency and where it is important to know immediately when a change has occurred.

DIAGRAM Periodic vs. On-Change Subscriptions
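Periodic versus on-change publication, as an added example that is not part of the book: a small Python model of the device-side decision of when to push, run over constructed samples (a byte counter, one admin-state change and a short link flap) to show why counters suit periodic subscriptions and state suits on-change ones, and what a periodic poll can miss. Time is in abstract ticks, not the device's configured period units.

```python
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class Subscription:
    """One subscription as the device tracks it: where to read, and when to push."""
    xpath: str
    mode: str                       # "periodic" or "on-change"
    period: int = 0                 # ticks between periodic updates
    last_tick: int = -1             # tick of the last push (-1 = nothing sent yet)
    last_value: Optional[Any] = None

    def publish(self, tick: int, value: Any):
        """Return the notification to push for this sample, or None."""
        if self.mode == "periodic":
            due = self.last_tick < 0 or tick - self.last_tick >= self.period
        elif self.mode == "on-change":
            # the first sample carries the initial state; afterwards only deltas
            due = self.last_tick < 0 or value != self.last_value
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        if not due:
            return None
        self.last_tick, self.last_value = tick, value
        return {"xpath": self.xpath, "tick": tick, "value": value}


def stream(sub: Subscription, samples):
    """Feed (tick, value) samples through a subscription; return what was pushed."""
    pushed = []
    for tick, value in samples:
        note = sub.publish(tick, value)
        if note is not None:
            pushed.append(note)
    return pushed


def compare(xpath: str, samples, period: int):
    """How many notifications each mode sends for the same data set."""
    return {
        "periodic": len(stream(Subscription(xpath, "periodic", period), samples)),
        "on-change": len(stream(Subscription(xpath, "on-change"), samples)),
    }


# Constructed telemetry: one sample per tick for 20 ticks.
OCTETS = "/interfaces/interface/statistics/in-octets"
OPER = "/interfaces/interface/oper-status"
COUNTER = [(t, 1500 * t) for t in range(20)]                   # grows every tick
ADMIN = [(t, "up" if t < 12 else "down") for t in range(20)]   # one real change
FLAP = [(t, "down" if 6 <= t < 8 else "up") for t in range(20)]  # brief outage


if __name__ == "__main__":
    print("counter:", compare(OCTETS, COUNTER, period=5))
    print("admin state:", compare(OPER, ADMIN, period=5))
    # a period-5 poll samples ticks 0, 5, 10, 15 and never sees the outage
    print("flap, periodic:",
          [n["value"] for n in stream(Subscription(OPER, "periodic", 5), FLAP)])
    print("flap, on-change:",
          [n["value"] for n in stream(Subscription(OPER, "on-change"), FLAP)])
```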

A similar approach is used by Cisco DNA Center Assurance to collect streaming data from MDT-capable devices and correlate it with other data sources.

Developing a DIY data collector is a complex task, but customers willing to build their own collector can make use of Open Source tools such as TCollector, collectd and the Elastic Stack (commonly known as the ELK stack), as well as messaging brokers such as Apache Kafka, ActiveMQ and RabbitMQ.

Scripting

Scripts have been used for ages to quickly and easily automate small tasks. Over the years, some scripting languages have become more popular than others, such as Perl, TCL, and JavaScript. In recent years, Python became the most popular scripting language. One of the main reasons for its ever-growing popularity is that Python is easy to get started with. It provides an interactive shell, allowing a quick way to execute scripts line by line, and is more human-readable than most of the other scripting languages.

Maybe the most important reason is the very extensive list of publicly available Python libraries for most of the Operating Systems and the ease of installing, updating and uninstalling those libraries using the Python package manager (pip). There is also the Python virtual environment, which helps with the management of application library dependencies.

Off-box vs On-box Python

Python scripts can be used to automate a Catalyst 9000 running Cisco IOS XE in two different ways, commonly named off-box and on-box scripting.

DIAGRAM Cisco IOS XE Off-Box and On-Box Python

• With Off-box, the Python script is executed on an external server and connects to the Cisco IOS XE device using an SSH connection for CLI-based automation, or via the open APIs (NETCONF/RESTCONF/gNMI).

• With On-box, the Python script is executed inside the Catalyst 9000 in a built-in Linux container named Guestshell. From the Guestshell environment, Python scripts can access the underlying Cisco IOS XE using the same mechanisms used by off-box Python scripting.

By providing off-box and on-box scripting options, the Catalyst 9000 is a perfect fit for centralized and distributed Python-based application architectures.

Configuration Management Tools

Configuration management tools automate systems and applications in a consistent fashion at scale. Such tools have been used by system administrators for more than a decade. Lately, an increasing number of customers are using or considering configuration management tools to automate their networks as well. Configuration management tools enable a variety of advantages:

• A consistent approach across different vendors and Operating Systems.
• Easy integration with version control systems.
• A simple way to collect hardware and software device facts.
• An intent-based configuration approach.
• No changes are made if the system, application, or device is already in the desired state.

In the networking space, configuration management tools initially were used to automate data center networks only, but now enterprise networks are starting to use them as well. Among others, Ansible and Puppet are the most popular tools. Configuration management tools can be classified into two groups, based on their architecture: agent-based or agent-less. Agent-based architectures require a software agent to be installed on the managed device, whereas agent-less architectures do not need one. This is a key difference, particularly in the enterprise space where customers tend to be more conservative about installing 3rd-party software on devices.

Ansible is based on an agent-less architecture, which has been a key factor in its success. Ansible already supports Cisco devices, such as Catalyst 9000 switches running Cisco IOS XE, and provides intent-based modules to configure interfaces, VLANs, VRFs, users, etc. as well as CLI and NETCONF-based configurations.

Puppet traditionally requires an agent on the managed device (agent-based architecture), but Puppet is currently developing an agent-less architecture specifically for network devices. It will also support Cisco devices running Cisco IOS XE, and it will be based on the NETCONF APIs.

Configuration Management Tools are a key component of another emerging trend among many customers embracing the DevOps and NetOps culture: Continuous Integration and Continuous Deployment, or CI/CD.

DIAGRAM Cisco Catalyst 9000 CI/CD with Puppet

CI/CD is a new configuration management practice created to reduce the time needed to deploy new changes in production and to increase the confidence that changes will be successful. It enables this through an automated testing process and integration with source control systems for an easy rollback in case failures do occur. Customers implementing CI/CD frameworks have experienced shorter development cycles, a faster pace of innovation, and a lower total IT cost.

Cisco DevNet

Cisco DevNet is an initiative created to allow customers and partners to easily start learning the latest programmability technologies provided by the main Cisco Operating Systems. Cisco DevNet provides self-explanatory learning labs, video courses, a device sandbox to test the programmability technologies on simulated devices and/or real hardware, along with API documentation, community support and more.

DIAGRAM Cisco DevNet

Cisco DevNet is completely free: customers and partners just need to sign up and start learning.

Application Hosting

Application Hosting Operation

Applications are used in enterprise networks for a variety of business-relevant use cases. Examples of enterprise applications include administrative tools such as performance monitors and protocol analyzers, and security toolsets such as intrusion detection services. Traditionally, such applications would operate on an external physical or virtual server.

Cisco built the Cisco Application Framework (CAF) to manage containerized applications running on a network device. CAF is also known as Cisco IOx. Originally created to host Internet of Things (IoT) applications, the Catalyst 9000 leverages IOx for enterprise applications within a campus environment.

Cisco IOx on a Catalyst 9000 supports applications containerized in KVM-based virtual machines and LXC (Linux containers). While native Docker containers are not yet supported, Docker tools can be used to easily build IOx applications in LXC format. Cisco IOx empowers operators to deploy any containerized application on their network devices.

Though Cisco will periodically publish certain services for application hosting, Cisco encourages and supports the deployment of any KVM-based VM or Linux LXC that fits within the IOx framework.

The Catalyst 9000 provides several options to manage hosted applications:

• Cisco DNA Center: Cisco's SDN controller used to run all LAN, WAN and WLAN enterprise devices.

• IOx Client: a Python-based tool capable of building and managing IOx applications.

• WebUI: the Cisco IOS XE GUI to configure and monitor the device, which supports IOx applications as well.

• Command Line Interface: a set of Cisco IOS XE console commands for managing IOx and IOx applications.

DIAGRAM Catalyst 9000 Application Hosting Framework

Anatomy of an IOx Application

An IOx application is packaged in a standard Linux tar archive format containing several files, including the application descriptor, one or more disk images, and, optionally, certificate files and other auxiliary files. The application descriptor is a file, written in YAML format, that includes:

• Application information: name, description, version, and author.
• Application type: LXC or VM.
• Hardware resources required: CPU, memory and storage.
• A list of virtual network interfaces used by the application.
• The disk image files used to load the application itself.
• Startup tasks or pre-execution scripts.

Step-by-step instructions on how to build IOx applications are available on the Cisco DevNet website.

Hardware Resources

Cisco IOS XE running on the Catalyst 9000 reserves dedicated memory and CPU resources for application hosting. By reserving memory and CPU resources, the switch provides a separate execution space for user applications. This protects the switch's IOS XE run-time processes, ensuring both their integrity and performance.

Applications must reside on one of the external SSD storage options (USB or M2 SATA) provided by the Catalyst 9000. Applications have no access to the internal device flash storage, which is reserved for IOS XE for integrity reasons.

Note: The external SSD storage is shared (not reserved) between Cisco IOS XE and hosted applications.
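To tie the descriptor fields listed above to the hosting limits, here is an added Python example (not Cisco's IOx tooling): it validates a constructed application descriptor against the per-platform memory, CPU and external-storage figures from the hosting-resources table that follows, and rejects anything that targets the internal flash reserved for IOS XE. The descriptor field names and the storage-slot labels are assumptions, not the real IOx package schema.

```python
# Per-platform application-hosting limits, taken from the hosting-resources table.
# Storage keys name the external SSD options only; internal flash is deliberately
# absent, because hosted applications may not use it.
PLATFORM_LIMITS = {
    "Catalyst 9300": {"memory_gb": 2, "cores": 1,
                      "storage_gb": {"usb2.0-front": 16, "usb3.0-back": 120}},
    "Catalyst 9400": {"memory_gb": 8, "cores": 1,
                      "storage_gb": {"usb2.0-front": 16, "m2-sata": 960}},
    "Catalyst 9500 (UADP 2.0)": {"memory_gb": 8, "cores": 1,
                                 "storage_gb": {"usb2.0-front": 16, "usb3.0-back": 120}},
    "Catalyst 9500 (UADP 3.0)": {"memory_gb": 8, "cores": 1,
                                 "storage_gb": {"m2-sata": 960}},
}
APP_TYPES = {"lxc", "vm"}
REQUIRED = ("name", "version", "type", "resources", "interfaces", "disk_images")


def validate(descriptor, platform):
    """Return the problems that would stop `descriptor` fitting on `platform`;
    an empty list means it fits. Field names are assumed, not the IOx schema."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in descriptor]
    if descriptor.get("type") not in APP_TYPES:
        problems.append(f"unsupported type {descriptor.get('type')!r} (expected lxc or vm)")
    if platform not in PLATFORM_LIMITS:
        return problems + [f"unknown platform {platform!r}"]
    lim = PLATFORM_LIMITS[platform]
    res = descriptor.get("resources", {})
    if res.get("memory_mb", 0) > lim["memory_gb"] * 1024:
        problems.append(f"memory {res['memory_mb']} MB exceeds the "
                        f"{lim['memory_gb']} GB reserved on {platform}")
    if res.get("cpu_cores", 0) > lim["cores"]:
        problems.append(f"{res['cpu_cores']} cores requested, {lim['cores']} reserved")
    # Storage must be one of the platform's external SSD slots; anything else
    # (flash:, bootflash:, a slot the platform lacks) is refused.
    target = res.get("storage_target")
    if target not in lim["storage_gb"]:
        problems.append(f"storage target {target!r} is not an external SSD option on {platform}")
    elif res.get("disk_mb", 0) > lim["storage_gb"][target] * 1024:
        problems.append(f"disk {res['disk_mb']} MB exceeds the {target} capacity")
    for i, iface in enumerate(descriptor.get("interfaces", [])):
        if "name" not in iface:
            problems.append(f"interface #{i} has no name")
    if "disk_images" in descriptor and not descriptor["disk_images"]:
        problems.append("no disk image listed")
    return problems


# Constructed descriptor mirroring the fields the text lists (hypothetical app).
SAMPLE_APP = {
    "name": "flow-sensor", "description": "exports flow records", "version": "1.0.0",
    "author": "netops",
    "type": "lxc",
    "resources": {"cpu_cores": 1, "memory_mb": 1024, "disk_mb": 2048,
                  "storage_target": "usb3.0-back"},
    "interfaces": [{"name": "eth0", "vlan": 10}],
    "disk_images": ["rootfs.tar.gz"],
    "startup": {"target": ["/usr/bin/sensor", "--config", "/data/sensor.yml"]},
}


if __name__ == "__main__":
    for platform in PLATFORM_LIMITS:
        print(platform, "->", validate(SAMPLE_APP, platform) or "fits")
```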

TABLE Catalyst 9000 Application Hosting Resources

| Platform | Memory (GB) | CPU (cores) | USB 2.0 Front Storage (GB) | USB 3.0 Back Storage (GB) | M2 SATA Storage (GB) |
|---|---|---|---|---|---|
| Catalyst 9300 | 2 | 1 x 1.8GHz | 16 | 120 | N/A |
| Catalyst 9400 | 8 | 1 x 2.4GHz | 16 | N/A | 960 |
| Catalyst 9500 (with UADP 2.0) | 8 | 1 x 2.4GHz | 16 | 120 | N/A |
| Catalyst 9500 (with UADP 3.0) | 8 | 1 x 2.4GHz | N/A | N/A | 960 |

Campus Network Design

Overview

Network design is important because individual devices must work together cohesively to optimize a network. While each platform has unique capabilities, and many capabilities are similar, the way various platforms are combined can result in optimal or sub-optimal network behavior. It is therefore important to choose the best platform for a specific purpose. Cisco provides several different Catalyst 9000 series models to address a range of needs.

A campus network focuses mainly on how humans and their devices communicate with each other, and with services in the data center, private or public cloud services, and the Internet. Campus networks also tend to be geographically diverse, with a variety of unique requirements. The number and types of users and devices, as well as their geographic diversity, influence optimal network design.

The bottom line: Select the Right Platform for the Right Job.

Cisco has many years of experience designing campus environments. Over that period, Cisco has developed and rigorously tested various designs, from which five distinct campus design models have emerged:

• Multi-Layer - a multi-tier design that uses routing between core and distribution, with a switched access.

• Collapsed Core - a two-tier design for small sites, with a routed core and a switched access.

• Routed Access - a multi-tier design which utilizes routing end-to-end through all layers.

• Campus MPLS - a multi-tier design, using MPLS on top of a routed domain to provide segmented services.

• Software-Defined Access - a multi-tier network fabric based on the designs above, automated and assured by a controller.

While each design model has evolved to address a specific set of requirements, all share a common set of characteristics. The common characteristics of campus designs include:

• Hierarchy - a structured design which allocates defined roles to each layer and follows a structured cabling plant.

• Redundancy - including physical redundancy (links, chassis, power), data plane redundancy and control plane redundancy.

• Bandwidth - sufficient capacity at each network tier to support the aggregate system load.

• Port Density - sufficient interfaces at each network tier to support all its connected neighbors.

• Scalability - sufficient hardware and software resources to support all interconnections and network services.

• Wireless LAN - sufficient wired infrastructure and features to support mobility across the campus.

While each of the Catalyst 9000 platforms is designed to address one or more design models, all share a common set of capabilities:

• Catalyst 9500 series - Fixed form factor, with 1/10/25G SFP and 40/100G QSFP onboard and module ports.

- Built with sufficient ASIC bandwidth and table scale to support medium to large-sized campus core and distribution designs.

• Catalyst 9400 series - Modular form factor, with 10/100/1000/mGig RJ45, 1/10G SFP modules and 40G QSFP Supervisor ports.

- Built for high-density user access, with sufficient ASIC bandwidth and table scale to support large campus access designs or medium-sized distribution designs.

• Catalyst 9300 series - Fixed, stackable form factor, with 10/100/1000/mGig RJ45 and 1/10/25G SFP or 40G QSFP module ports.

- Built for high-density user access, with sufficient ASIC bandwidth and table scalability to support large campus access designs.

The bottom line: Catalyst 9000 switches are the most flexible, highest scaling, and resilient platforms for the new era of networking.

While most of this book focuses on the specific details of individual Catalyst 9000 platforms, the following chapters are dedicated to how an end-to-end Catalyst 9000 series solution can simplify and optimize overall network design.

Physical Infrastructure

This section discusses critical design considerations for the physical infrastructure, in order to provide sufficient bandwidth and port density for an optimal campus network.

The Need for Speed

It is expected that IP traffic will grow at a Compound Annual Growth Rate (CAGR) of up to % from to . As discussed earlier, increasing deployments of high-speed wireless technologies, the proliferation of IoT devices and sensors, and powerful new endpoints that handle high-volume data are forcing network engineers to redesign their physical infrastructure. Client access speeds are increasing from 1 Gigabit per second (Gbps) to 2.5 Gbps, 5 Gbps and potentially 10 Gbps. These new client access speed requirements demand network infrastructure speeds greater than 10G.

However, moving to higher speeds can bring additional challenges. For instance, changing from existing 10G Small Form-factor Pluggable (SFP) ports to 40G Quad Small Form-factor Pluggable (QSFP) carries significant costs (transceivers and cables). While link-aggregation is one alternative approach, achieving effective load sharing with multiple 10G links depends on the hashing algorithm and traffic patterns.

Backwards compatibility for easier migration is another key consideration for new speed adoption in campus networks. It is beneficial to use a common transceiver form factor, such as SFP and QSFP. Modern 10G SFP+ and the new 25G SFP28 interfaces support backward compatibility with 100M and 1G SFP. Similarly, the new 100G QSFP28 interfaces support backward compatibility with 40G QSFP.

Note: Cisco 25G SFP28 transceivers support dual-rate optics to operate at both 10G and 25G speeds.

For example, upgrading access-to-distribution layer links from 10G to 25G is a straightforward migration. Simply remove the 10G SFP+ transceiver and install a new 25G SFP28 transceiver using the same cable. If the remote side is still using a 10G SFP+ transceiver, the link will operate at 10G. Once a corresponding 25G SFP28 transceiver is installed on the remote side, the link will operate at 25G.

Use Case 1: Speed transition with similar Cable Distances

As access layer bandwidth increases from 10/100/1000M to 2.5G, campus backbones should transition from 10/40G speeds to 25/100G speeds. Customers need new optics to support cabling distances similar to their existing environment.

The bottom line: The use of innovative Cisco SFP-10/25G-CSR-S transceivers supports traditional cable lengths of up to 300/400m over OM3/4 MMF (depending upon fiber quality) to achieve speeds of 25G.

DIAGRAM: Speed transition with similar Cable Distance

Use Case 2: Speed Migration with Dual-Rate Optics

The Cisco 25G portfolio provides backward compatibility to 10G with transceivers built with dual-rate optics. Cisco dual-rate optics will auto-negotiate to the highest speed supported. For example, if the remote device is only capable of 10 Gbps, the two devices will operate at 10 Gbps.

The bottom line: There is no requirement to upgrade the infrastructure to 25G. Transceivers can operate at 10G and be upgraded as part of regular refresh cycles.

DIAGRAM: Speed transition with Dual-Rate Optics

Use Case 3: Speed transition with similar Oversubscription Ratios

In the past, the rule-of-thumb design recommendation for oversubscription was ~: for the access to distribution, ~: for distribution to core, and ~: or : for the core layer. As access layer bandwidth increases (e.g. to 2.5G), there is a corresponding need to upgrade the inter-switch connections to preserve the recommended oversubscription ratios.

The bottom line: 25G and 100G are natural successors to 10G and 40G, with at least a 2.5X bandwidth increase.

DIAGRAM: Speed transition with similar Oversubscription Ratios

Use Case 4: Comparing Higher Speed vs. Load Sharing

Speed upgrades have outpaced the refresh cycles for cabling. To satisfy growing bandwidth requirements, there are two basic approaches:

• more uplinks can be added with link-aggregation or ECMP
• replace existing cabling and transceivers to support higher speeds

There are significant challenges and cost implications to both. Adding links incurs the complexity of achieving effective load-sharing, as well as some QoS implications. While upgrading to higher link speeds does not require complex load-sharing or raise QoS challenges, it may require replacing transceivers and/or cabling.

The bottom line: Catalyst 9000 platforms support a common set of port types and transceivers, with flexible port speeds. This greatly simplifies upgrading existing infrastructure to higher speeds.

DIAGRAM: Comparing Higher Speed vs. Load Sharing
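The following simulation is an added example, not code from the book: it shows why the first approach in Use Case 4 (adding 10G links to a bundle) depends on the hash and the traffic mix, while a single faster link does not. The hash function is a generic stand-in for a switch's LAG/ECMP hash, not Cisco's algorithm, and every flow is constructed sample data.

```python
"""Simulate per-flow hash load sharing over a 4 x 10G link bundle versus a
single 40G link. Added example, not from the Cisco book: the hash is a
generic stand-in for a switch's LAG/ECMP hash, and all flows are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    mbps: float  # offered load of this flow


# Two hash-input selections, standing in for a switch's load-balance setting.
IP_ONLY = ("src_ip", "dst_ip")
FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


def member_for_flow(flow: Flow, n_links: int, fields: Sequence[str]) -> int:
    """Deterministic member choice: hash the selected fields, modulo N."""
    key = "|".join(str(getattr(flow, f)) for f in fields).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def per_link_load(flows: Iterable[Flow], n_links: int,
                  fields: Sequence[str]) -> List[float]:
    """Offered load (Mbps) that lands on each bundle member."""
    loads = [0.0] * n_links
    for fl in flows:
        loads[member_for_flow(fl, n_links, fields)] += fl.mbps
    return loads


def lag_peak_utilization(flows, n_links, member_mbps, fields) -> float:
    """Utilization of the busiest member; above 1.0 that member drops traffic
    even though the bundle as a whole may look lightly loaded."""
    return max(per_link_load(flows, n_links, fields)) / member_mbps


def single_link_utilization(flows, link_mbps) -> float:
    """One faster link: every flow shares the whole pipe, nothing is hashed."""
    return sum(f.mbps for f in flows) / link_mbps


def flows_exceeding_member(flows, member_mbps) -> List[Flow]:
    """Flows no hash can accommodate: one flow never spans two members."""
    return [f for f in flows if f.mbps > member_mbps]


# Constructed traffic mixes (sample data, not measurements).
def many_small_flows(count: int = 400) -> List[Flow]:
    """Client sessions of 50 Mbps each toward one server (20 Gbps for 400)."""
    return [Flow(f"10.1.{i // 250}.{i % 250 + 1}", "10.2.0.10",
                 40000 + i, 443, 6, 50.0) for i in range(count)]


def backup_elephants() -> List[Flow]:
    """Three 6 Gbps sessions between one backup server and one NAS (18 Gbps)."""
    return [Flow("10.1.0.5", "10.2.0.20", 50000 + i, 445, 6, 6000.0)
            for i in range(3)]


if __name__ == "__main__":
    for name, flows in (("many small flows", many_small_flows()),
                        ("backup elephants", backup_elephants())):
        print(f"{name}:")
        for label, fields in (("ip-only hash", IP_ONLY), ("5-tuple hash", FIVE_TUPLE)):
            peak = lag_peak_utilization(flows, 4, 10_000, fields)
            print(f"  4x10G LAG, {label}: busiest member at {peak:.0%}")
        print(f"  single 40G link: {single_link_utilization(flows, 40_000):.0%}")
```

With IP-only hashing, the three backup sessions share one source/destination pair and all land on the same 10G member (180% of its capacity) although the bundle offers 40G, while the single 40G link runs at 45%.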

Multi-Layer Campus

A Multi-Layer LAN deployment is the most commonly deployed design model. It consists of three layers: core, distribution and access.

DIAGRAM: Multi-Layer Campus Design

The core in a Multi-Layer campus design is based upon Layer 3 IP routing and functions as a high-speed interconnection point to other network layers (e.g. DC, WAN, Branch, etc.). The distribution layer consists of IP routing upstream to the core and Layer 2 switching downstream to the access layer. Distribution blocks function as an aggregation point for client traffic traveling to the rest of the network; they serve as transition points between switched wiring closets and the routed core. The primary role of the access layer is simply to connect end-points and switch their traffic into the rest of the network.

There are several main advantages to this design:

• It is a tried-and-true design implemented widely during its twenty-year history.
• The hierarchy of layers assigns specific roles and responsibilities to each connection block.
• It is scalable and modular. Blocks can be added or removed in a layer without major impact on the design of other layers.
• It defines a separation of duties for LAN switches that architects use to evaluate products and build network policies.
• It allows for spanning VLANs (Layer 2 domains) across multiple access wiring closets if needed, providing design flexibility.

There are some disadvantages, however, to this design. The distribution layer, in particular, introduces complexity because of its role as an L2/L3 interchange. L2 networks are considered flood domains for BUM traffic (broadcast, unknown unicast, multicast) and are subject to loops during link failures and reconvergence. If not tuned correctly, L2 networks simply fail when BUM traffic consumes processing resources or a network loop blocks flows as participating switches reoptimize a path.

Tools such as Rapid Per-VLAN Spanning Tree (RPVST), Spanning Tree Protocol (STP) guards, IGMP snooping and storm-control are used to handle these situations, but administrators are required to enable and monitor these features. A similar situation exists when passing traffic across the access layer switched border to the routed network. Sub-optimal paths and asymmetric flows with consequent traffic flooding can occur in the multi-layer design if Spanning Tree switching mismatches IP routing (i.e. if the L2 and L3 topologies are incongruent). Administrators need to configure switches so that STP root switches are also the IP default gateway, using a First-Hop Routing Protocol (FHRP), even in the event of a switch failure.

Note: Catalyst 9000 series switches continue to support multi-layer networks, and their unique features are optimized for the roles of each layer, using resource templates.

The Catalyst 9500 /G models are based on UADP . and use the distribution SDM template, by default, to set the optimal ASIC table allocation for a distribution layer role. In addition, the Catalyst 9500 ///G models are based on UADP ., and employ the core SDM template by default, providing the optimal ASIC table allocation for a core switch.

The bottom line: The Catalyst 9500 Series platforms are optimized for the core and distribution layers.

The Catalyst 9300 and 9400 series switches both employ UADP . forwarding engines, and implement the access SDM template to set the optimal ASIC table allocation for a switched access role. The Catalyst 9300, having a stackable fixed-form factor, is ideal for providing switch-level redundancy. The Catalyst 9400, by contrast, is a modular switch providing the highest levels of network availability by delivering supervisor, line-card and power redundancy in a chassis. Both switching lines provide capabilities to support small, medium and large wiring closets.

The bottom line: The Catalyst 9300 and 9400 Series platforms are optimized for the access layer.

Collapsed Core

A collapsed core design is based on the same principles as a multi-layer LAN, for use in a small campus network, with the core and distribution layers collapsed into each other.

DIAGRAM: 2-Tier Collapsed Topology

All of the advantages of a multi-layer design also apply to a collapsed core, which requires less network infrastructure and is, therefore, a right-sized and cost-effective solution for small sites.

The same drawbacks of the multi-layer design also apply to this design. In this case, the distribution layer complexity described previously is added into the core.

The Catalyst 9500 series models use the UADP programmable ASIC in a fixed-form factor design. The difference between models is a matter of port speed and density, but in all cases they can use the distribution SDM template to optimize forwarding tables for use as a collapsed core switch.

The bottom line: The Catalyst 9500 Series platforms are optimized for the collapsed core layer.

There are no changes to the access layer in this design, and the recommendations for using the Catalyst 9300 and 9400 in these roles still apply.

The bottom line: The Catalyst 9300 and 9400 Series platforms are optimized for the access layer.

Routed Access

The routed access design uses the same physical network topology as a traditional multi-layer architecture. This is true regardless of whether a full three-tier architecture or the collapsed core method is employed. The difference is the placement of the Layer 2 and Layer 3 boundaries. As the name implies, in a routed access design the L3 boundary moves down to the access layer, and VLANs are locally contained within each access layer switch. These switches then connect upstream to the campus network using routed uplinks.

DIAGRAM: Routed Access Design

The use of a routed access design affords a number of benefits:

• It reduces deployment and management complexity since all network links are routed connections with consistent configurations.
• It eliminates the need to configure 802.1Q trunks or tune Spanning Tree and first-hop routing protocols between layers.
• It simplifies network operation and troubleshooting since a single control protocol manages the network's behavior.
• It significantly reduces failure domains, by moving L2 domains to the access layer and isolating STP domains to individual switches.
• This design allows better utilization of all available network paths. Routed access networks do not impose STP blocking and instead use equal-cost multipathing (ECMP) to automatically distribute flows across all connections from the access layer upstream.

Routed access networks do have some drawbacks. It is not possible to span VLANs across a campus network in a routed access design model. Although best-practice campus design seeks to eliminate large L2 domains because of the risk they pose to network stability, there are times when it is necessary to interconnect systems that operate in the MAC layer only. Another drawback of the routed access design is that if ACLs are implemented, they must be distributed to the access layer, rather than centrally at the distribution layer as in the hierarchical design.

A routed access network utilizes the same topology as a hierarchical one. Consequently, the positioning of Catalyst 9000 series platforms remains the same. Catalyst 9500 switches serve best as fixed-form distribution and core, and Catalyst 9300s and 9400s are best suited as access layer switches. In addition to an SDM template that optimizes a 9300 or 9400 as an L2 switch, there is also a template that reprograms them to be optimized for L3 access.

The bottom line: All Catalyst 9000 switches are optimized for routed access networks.

Campus MPLS

The campus MPLS design builds upon the previous network designs and delivers virtual separation of routing domains. This requires overlaying MPLS-VPN technology on top of all routed points within the network. For a multi-layer campus, MPLS extends from the distribution blocks through the network core; in a Routed Access design, MPLS spans the entire LAN.

DIAGRAM: Campus MPLS

The main advantage of bringing MPLS-VPN into campus designs is to provide macro-level network segmentation. MPLS-VPNs use Virtual Routing and Forwarding (VRF) instances in order to separate routing domains, for example, to keep guest traffic from being able to reach any private corporate segments. Campus MPLS networks also allow network administrators to manipulate MPLS protocols, for example, to improve the efficiency of label switching over basic routing, and to steer traffic through a network (called MPLS-TE, or traffic engineering) to optimize available paths.

However, MPLS adds complexity on top of an IP network as it requires an additional control plane based on Multi-Protocol BGP in order to exchange the necessary VRF information between Provider Edge (PE) devices in the MPLS architecture. Creating and managing multiple, virtual routing domains requires appropriate design by architects, as well as management expertise of operators. During the design phase, equipment selected for the LAN must be evaluated for its ability to handle L2, L3, and also MPLS protocols. During operations, network administrators must understand MPLS protocols and their rules, and be able to troubleshoot multiple, concurrent routing planes.

A simplified version of a segmented network approach that uses VRFs, without MPLS tagging, can be achieved by using a VRF-Lite end-to-end deployment. VRF-Lite leverages 802.1Q trunks and VLAN IDs between switches to transport and differentiate traffic residing in different VRFs. While possible on a small scale, VRF-Lite rapidly becomes too difficult to manage at a scale above - VRFs. Organizations wishing to provide segmentation within their campus or WAN, and needing to scale beyond this number of VRFs, would traditionally opt for the more complex but scalable MPLS-VPN solution.

The enterprise requirements for segmentation are becoming more stringent. Although MPLS-VPN furnishes macro-segmentation, it does not address micro-segmentation using access control policies. Security teams now demand policy enforcement between hosts within the same routing domains. The ability to combine macro-segmentation using VRFs and micro-segmentation using Scalable Group Tags (SGTs) is discussed further in the Software-Defined Access chapter.

The entire Catalyst 9000 series supports campus MPLS. The same recommendations apply as with a routed access network, with the addition of MPLS feature support. The Catalyst 9500 platforms are designed for core and distribution layer services, while the Catalyst 9300 and 9400 switching lines are best suited as access devices.

The bottom line: All Catalyst 9000 switches are optimized for Campus MPLS networks.

Campus Wireless

Catalyst 9000 switches provide a variety of unique capabilities and innovations to deliver both wired LAN access and optimal wireless access.

802.11 wireless LANs (also known as Wi-Fi) are an access layer technology. Wi-Fi is fast becoming the default choice for users to connect their client machines. People want to move about and take their computers and phones with them, so they can get work done faster. For users, mobility is a powerful tool for productivity and efficiency.

Modern wireless deployments can now offer link speeds comparable to, or even in excess of, what may be available on the wired infrastructure. Wireless deployments using 802.11ac Wave 2 (and in future 802.11ax) now provide multi-Gigabit wireless link speeds.

DIAGRAM: Wired and Wireless Evolution

Businesses recognize these mobility trends and are transitioning to wireless-only offices, not only to meet the needs of their mobile workforce but also to optimize their budgets and achieve the right balance between mobile and fixed endpoints. Businesses must also realize that this trend to wireless access also requires a more flexible wired infrastructure.

The bottom line: As 802.11ac Wave 2 adoption grows, switches must support higher connection speeds such as mGig, 25G or 100G.

In a multi-layered campus design, a centralized wireless network uses a Wireless LAN Controller (WLC). WLCs usually connect at either the campus distribution or core layer, in a service block connected to the core, or even a remote data center. Wireless Access Points (APs) connect to the access layer switches, normally using PoE and high-speed copper Ethernet.

In this design, the WLC becomes the central point of management. All configuration and monitoring of wireless APs takes place on the WLC. APs then tunnel all data traffic they receive to the WLC, requiring it to make all forwarding and policy decisions. In other words, the WLC becomes the L2 wireless access boundary, which is connected to a local L3 routing border. This technique allows wireless clients to L2 roam between APs but appear to the network as if they are connected within the same L2 subnet.

DIAGRAM: Centralized WLAN Design

A centralized wireless network design enables network administrators to configure hundreds of APs from a single management point. The centralized design also solves the roaming challenges of 802.11 networks. Instead of extending wireless networks across routed boundaries, a WLC consolidates them at a single point in the network.

One challenge with this approach is that wireless LANs are still managed separately from the rest of the wired network. Ideally, network administrators should be able to define a single policy for all endpoints and for the policy to be enforced the same way, regardless of the access medium. This separation causes unnecessary duplication of effort and potential configuration errors.

Another shortcoming deals with network scalability. When APs forward all data to central WLCs, the controllers must be able to handle the entire traffic load. This has not been a problem when WLCs are connected using multiple or Gbps links, and APs are connecting a small number of clients at or Mbps rates. With the adoption of 802.11ac Wave 2, WLCs will need to support multiple Gbps links in order to keep up with hundreds of clients that can connect at more than Gbps rates. This requires higher bandwidth and greater port density of the switches connected to the WLC.

The bottom line: All Catalyst 9000 switches are optimized for Campus Wireless networks.

Software-Defined Access (SD-Access) offers an innovative new approach for both wired and wireless LAN deployments. SD-Access retains the benefits of centralized management while adding common policy and addressing scale.

Software-Defined Access

Cisco's Software-Defined Access (or SD-Access) solution is a programmable network architecture that provides software-based policy and segmentation from the edge of the network to the applications. SD-Access is implemented via Cisco Digital Network Architecture Center (DNA Center), which provides design settings, policy definition and automated provisioning of the network elements, as well as assurance analytics for an intelligent wired and wireless network.

DIAGRAM: SD-Access Solution Overview

SD-Access creates a logical overlay fabric network to provide the benefits of host mobility, segmentation, and group-based policy regardless of location on campus, fully automated and assured by Cisco DNA Center.

The Catalyst 9000 series platforms participate in the physical and network layers of Cisco SD-Access. The SD-Access network layer (or fabric) is comprised of two main components:

• Network Underlay - is analogous to an existing Layer 3 routed hierarchical network, but with a simplified focus on transporting data packets between network devices for the fabric overlay. From a design perspective, this is the equivalent of a Routed Access design.

• Fabric Overlay - is primarily a logical tunneled network that virtually interconnects all of the network devices to form a fabric. The fabric overlay creates a virtual environment to enable macro- and micro-level segmentation, group-based security and application policy, as well as dynamic host mobility services for wired and wireless clients.

SD-Access Wireless

SD-Access treats wireless data exactly the same as wired data. This approach enables a common policy across both mediums. The control plane of the wireless network remains centralized. But for the wireless data plane, SD-Access moves forwarding to a local, distributed forwarding model via the switch infrastructure. Instead of tunneling all client traffic to the controller, each access point constructs a VXLAN tunnel directly to the fabric edge switch to which it attaches. The switch terminates this traffic and then provides full treatment for the wireless traffic just as it would for a wired host, including group-based policy structured around VNs and SGTs.

Some of the key SD-Access wireless benefits are:

• Centralized control plane - Wireless infrastructure operations such as AP management, RRM, client onboarding and roaming occur within a centralized wireless network.

• Distributed data plane - Wireless data traffic is distributed to the fabric edge switches for optimal performance and scalability.

• Seamless L2 roaming - Clients can roam seamlessly within VNs stretched across a campus while retaining the same IP address and group policy.

• Policy simplification - SD-Access breaks the dependency between policy and network constructs and abstracts it for application across wired and wireless end-points.

For more information on Cisco SD-Access, please visit www.cisco.com/go/sdaccess.

Since SD-Access creates an overlay, the network devices need to support new encapsulations and protocols, such as LISP, VXLAN and SGT.

The Catalyst 9500 series can be configured to use the SDA SDM template, which provides the optimal ASIC table allocation for an SD-Access Fabric Border role. The flexible UADP ASIC provides VXLAN-GPO frame encapsulation and integrated SGT-based ACL classification and enforcement, as well as any evolving SD-Access capabilities.

The bottom line: The Catalyst 9500 Series platforms are optimized for the SD-Access Fabric Border role.

The Catalyst 9300 and 9400 series can be configured to use the SDA SDM template, which provides the optimal ASIC table allocation for an SD-Access Fabric Edge role. The flexible UADP ASIC provides VXLAN-GPO frame encapsulation and integrated SGT-based ACL classification and enforcement, including direct AP VXLAN tunnels for SD-Access Wireless.
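To make concrete what the fabric border and fabric edge paragraphs above (and the SD-Access Wireless description) mean by VXLAN-GPO carrying the VN and the SGT, here is an added example that is not code from the book: it builds and decodes the 8-byte VXLAN-GPO header (VN in the 24-bit VNI, SGT in the 16-bit Group Policy ID) and applies a constructed sample policy cell the way a fabric edge would. The VN and SGT numbers and the policy table are assumptions for illustration.

```python
"""Build and decode the 8-byte VXLAN-GPO header that SD-Access uses to carry
the VN (as the VNI) and the SGT (as the Group Policy ID). Added example, not
code from the Cisco book; the policy cells at the bottom are a constructed
sample, not a real SGACL matrix."""
import struct
from dataclasses import dataclass

VXLAN_HDR_LEN = 8
FLAG_I = 0x08  # VNI present; set on every VXLAN packet
FLAG_G = 0x80  # Group Policy extension present (VXLAN-GPO / VXLAN-GBP)


@dataclass(frozen=True)
class VxlanGpo:
    vni: int  # 24-bit VXLAN Network Identifier: the SD-Access VN
    sgt: int  # 16-bit Group Policy ID: the Scalable Group Tag


def build_vxlan_gpo(vni: int, sgt: int) -> bytes:
    """Encode flags, Group Policy ID and VNI; the remaining bits stay zero."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    # byte 0: flags, byte 1: reserved/policy bits, bytes 2-3: Group Policy ID,
    # bytes 4-6: VNI, byte 7: reserved
    return (struct.pack("!BBH", FLAG_G | FLAG_I, 0, sgt)
            + vni.to_bytes(3, "big") + b"\x00")


def parse_vxlan_gpo(header: bytes) -> VxlanGpo:
    """Decode the header. A packet without the G flag carries no group, so it
    is rejected rather than silently mapped to some default SGT."""
    if len(header) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, group_id = struct.unpack("!BBH", header[:4])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    if not flags & FLAG_G:
        raise ValueError("G flag clear: no Group Policy ID carried")
    return VxlanGpo(vni=int.from_bytes(header[4:7], "big"), sgt=group_id)


# Constructed sample policy: (VN, source SGT, destination SGT) -> permit.
# VN and SGT values are placeholders; real deployments assign them centrally.
SAMPLE_SGACL = {
    (4099, 10, 20): True,   # Employees -> Servers: permit
    (4099, 30, 20): False,  # Guests -> Servers: deny
}


def egress_decision(header: bytes, dst_sgt: int,
                    default_permit: bool = False) -> bool:
    """Fabric-edge style check: take the source SGT and VN from the overlay
    header, look up the policy cell, and fall back to the default otherwise."""
    h = parse_vxlan_gpo(header)
    return SAMPLE_SGACL.get((h.vni, h.sgt, dst_sgt), default_permit)


if __name__ == "__main__":
    hdr = build_vxlan_gpo(vni=4099, sgt=30)
    print(hdr.hex(), parse_vxlan_gpo(hdr), egress_decision(hdr, dst_sgt=20))
```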

The bottom line: The Catalyst 9300 and 9400 Series platforms are optimized for the SD-Access Fabric Edge role.

Appendix


Acronyms

AAA - Authentication, Authorization and Accounting
ACK - acknowledgment
ACL - Access Control List
AES - Advanced Encryption Standard
AOC - Active Optical Cables
API - Application Programming Interface
AQM - Active Queue Management
AR - Augmented Reality
ARP - Address Resolution Protocol
ASIC - Application-Specific Integrated Circuit
AVB - Audio Video Bridging
AVC - Application Visibility and Control
BGP - Border Gateway Protocol
BOOTP - Bootstrap Protocol
BPDU - Bridge Protocol Data Units
BUM - Broadcast, Unknown unicast, Multicast
BYOD - Bring Your Own Device
CAF - Cisco Application Framework
CAPWAP - Control And Provisioning of Wireless Access Points
CDP - Cisco Discovery Protocol
CEF - Cisco Express Forwarding
CI/CD - Continuous Integration, Continuous Delivery
CLI - Command Line Interface
CoA - Change of Authorization
CoS - Class of Service
CPU - Central Processing Unit
CSMA/CD - Carrier Sense Multiple Access with Collision Detection
CTA - Cisco Trust Anchor
CTA - Cognitive Threat Analytics
DAC - Direct Attach Copper
DAD - Dual-Active Detection Link
DHCP - Dynamic Host Configuration Protocol
DIY - Do-It-Yourself
DMZ - Demilitarized Zone
DNA - Digital Network Architecture
DNS - Domain Name System
DNS-AS - DNS as Authoritative Source
DPI - Deep Packet Inspection
DSCP - Differentiated Services Code Point
DTLS - Datagram Transport Layer Security
DTP - Dynamic Trunk Protocol
DTS - Dynamic Threshold Scheduler
EAP - Extensible Authentication Protocol
EAPoL - Extensible Authentication Protocol over LAN
EARL - Encoded Address Recognition Logic
ECC - Error-Correcting Code
ECMP - Equal-Cost Multipathing
ECN - Explicit Congestion Notification
EFC - Egress Forwarding Controller
EGR - Egress Global Resolution
EIGRP - Enhanced Interior Gateway Routing Protocol
ELLW - Enhanced Limited-Lifetime Warranty
EQS - Egress Queuing Scheduler
ERSPAN - Encapsulated Remote Switched Port Analyzer
ETA - Encrypted Traffic Analytics
FIB - Forwarding Information Base
FIFO - First In First Out
FNF - Flexible NetFlow
FPGA - Field Programmable Gate Array
FSU - Fast Software Upgrade
FTP - File Transfer Protocol
Gbps - Gigabits per second
GIR - Graceful Insertion and Removal
gNMI - google Network Management Interface
GPE - Generic Protocol Extension
GPO - Group Policy Object
GRE - Generic Routing Encapsulation
gRPC - google Remote Procedure Call
HA - High Availability
HQoS - Hierarchical QoS
HSRP - Hot Standby Router Protocol
HTTP - Hypertext Transfer Protocol
HVAC - Heating Ventilation and Air Conditioning
HW - Hardware
IBNS - Identity-Based Networking Services
IDP - Initial Data Packet
IEEE - Institute of Electrical and Electronics Engineers
IETF - Internet Engineering Task Force
IFC - Ingress Forwarding Controller
IGMP - Internet Group Management Protocol
IGR - Ingress Global Resolution
ILP - Inline Power
IoT - Internet of Things
IPFIX - IP Flow Information Export
IPsec - Internet Protocol security
IPTV - Internet Protocol Television
IQS - Ingress Queuing Scheduler
IS-IS - Intermediate System to Intermediate System
ISE - Identity Services Engine
ISSU - In-Service Software Upgrade
JSON - JavaScript Object Notation
KVM - Kernel-based Virtual Machine
LACP - Link Aggregation Control Protocol
LAN - Local Area Network
LDP - Label Distribution Protocol
LED - Light-Emitting Diode
LISP - Locator/ID Separation Protocol
LXC - LinuX Container
MAB - MAC Authentication Bypass
MAC - Media Access Control
MACsec - Media Access Control security
Mbps - Megabits per second
MDT - Model Driven Telemetry
MEC - Multi-Chassis EtherChannel
MFIB - Multicast Forwarding Information Base
mGIG - multigigabit
MKA - MACsec Key Agreement
MLD - Multicast Listener Discovery
MMF - Multi-Mode Fiber
MPLS - Multiprotocol Label Switching
MSB - Most Significant Bits
MTU - Maximum Transmission Unit
NAT - Network Address Translation
NBAR - Network-Based Application Recognition
NSF - Non-Stop Forwarding
NSH - Network Services Headers
NSO - Network Service Orchestrator
OIR - Online Insertion and Removal
OM - Optical Multimode
onePK - One Platform Kit
OS - Operating System
OSI - Open Systems Interconnection model
OSPF - Open Shortest Path First
P2P - peer-to-peer
PAgP - Port Aggregation Protocol
PBC - Packet Buffer Complex
PBR - Policy-Based Routing
PDU - Protocol Data Unit
PE - Provider Edge router
PHY - PHYsical layer
PMK - Pair-wise Master Key
PnP - Network Plug and Play
POE - Power over Ethernet
pps - packets per second
PSU - Power Supply Unit
PXE - Preboot Execution Environment
QoS - Quality of Service
QSA - QSFP to SFP Adapter
QSFP - Quad Small Form-factor Pluggable
RADIUS - Remote Authentication Dial-In User Service
RED - Random Early Discard
REST - REpresentational State Transfer
RFC - Request for Comments
RFID - Radio-Frequency IDentification
RNG - Random number generators
RPC - Remote Procedure Call
RPM - RPM Package Manager
rpm - Revolutions per minute
RSPAN - Remote Switched Port ANalyzer
SAP - Security Association Protocol
SATA - Serial AT Attachment
SD-Access - Software Defined Access
SDK - Software Development Kit
SDM - Switch Database Manager
SFP - Small Form-factor Pluggable
SGACL - Scalable Group Access Control List
SGFW - Security Group Firewall
SGT - Scalable Group Tag
SGTIN - Serialized Global Trade Item Number
SIP - Session Initiation Protocol
SKU - Stock Keeping Unit
SLI - Switch Link Interface
SMC - Stealthwatch Management Console
SMF - Single Mode Fiber
SMU - Software Maintenance Update
SNMP - Simple Network Management Protocol
SPAN - Switched Port Analyzer
SPLT - Sequence of Packet Lengths and Times
SQS - Stack Queue Scheduler
SRAM - Static Random-Access Memory
SRP - Spatial Reuse Protocol
SSD - Solid-State Drive
SSH - Secure SHell
SSO - Stateful Switchover
ST - Service Template
STP - Spanning Tree Protocol
SUDI - Secure Unique Device Identifier
SVL - Stackwise Virtual Link
SW - Software
SXP - SGT Exchange Protocol
TAC - Technical Assistance Center
TCAM - Ternary Content Addressable Memory
TCO - Total Cost of Ownership
TCP - Transmission Control Protocol
TFTP - Trivial File Transfer Protocol
TLS - Transport Layer Security
ToS - Type of Service
TTL - Time to Live
UADP - Unified Access Data Plane
UDLD - Unidirectional Link Detection
UDP - User Datagram Protocol
UHF - Ultra High Frequency
UI - User Interface
UPoE - Universal Power Over Ethernet
URL - Uniform Resource Locator
USB - Universal Serial Bus
VLAN - Virtual LAN
VM - Virtual Machine
VN - Virtual Network
VR - Virtual Reality
VRF - Virtual Routing and Forwarding
VRRP - Virtual Router Redundancy Protocol
VTP - VLAN Trunk Protocol
VXLAN - Virtual eXtensible LAN
WAN - Wide Area Network
WLC - Wireless LAN Controller
WRED - Weighted Random Early Discard
WRR - Weighted Round Robin
WSMA - Web Services Management Agent
WTD - Weighted Tail Drop
XFP - 10 Gigabit Small Form Factor Pluggable
XML - Extensible Markup Language
YANG - Yet Another Next Generation
YDK - YANG Development Kit
ZTP - Zero Touch Provisioning