hawaii tech day - routing platform update
TRANSCRIPT
Peyton Schouest - Solutions Architect
Routing Platform Update Hawaii Tech Day Feb 2017
[email protected] @Net20234
Cisco Digital Network Architecture
AutomationAbstraction and Policy Control
from Core to Edge
Open and Programmable | Standards-Based
Open APIs | Developers Environment
Cloud Service ManagementPolicy | Orchestration
VirtualizationPhysical and Virtual Infrastructure | App Hosting
AnalyticsNetwork Data,
Contextual Insights
Insights and Experiences
Automationand Assurance
Security and Compliance
Network-enabled Applications
Cloud-enabled | Software-delivered
Principles
Cisco ONE Software Delivered
Cisco Confidential 3
ISR Series
• End-of-Sale Announced on Sep 9th, 2016 (15 month notice.
• Actual End-of-Sale on Dec 9th, 2017• ISR G1 End of Support October 2016
• EoS Announcement for Cisco 2900 Series ISR• EoS Announcement for Cisco 3900 Series ISR
End-of-Sale Announcement for 2900 and 3900 Series
Important Note: No changes for the 1900 series
Cisco Confidential 5
ISR Series: New Products4221
ISR 4221
• USB file storage• RJ45 Console & Aux
combo
• 1 RJ45 GE WAN• 1 RJ45 + 1 SFP
• External AC Power• Rack & Wall mounts
35 – 75 Mbps
2 NIM slots
4G, DSL, Serial, T1,
GE LAN + WAN
IOS-XESnort IPS
1 RU Desktop
13.5” wide
4 GB RAM8 GB Flash
Intel Rangeley 1.25GHz 4 core Atom SoC
Polaris Linux Kernel
CPP SW Data plane
RP IOS Control Plane
LXC onService Plane
CPU Core
CPU Core
CPU Core
CPU Core
4221 System Architecture
Generic KVM container not supported
ISR4221
ISR4321
ISR4221 vs. ISR4321 I/O Design13.50” / 343 mm
14.55” / 370mm
Platform Comparison1921 4221 1941 4321
Performance Positioning 15 Mbps 35 – 75 Mbps 25 Mbps 50 – 100 Mbps
Maximum throughput with popular services (FW, NAT, QoS) 50 Mbps 75 Mbps 80 Mbps 100 Mbps
RU 1 RU Desktop 1 RU Desktop 2 RU Desktop 1 RU Desktop
EHWIC / NIM slots 2 2 2 2
GE / SFP 2 / 0 2 / 1 2 / 0 2 / 1
Power Supply Internal External Internal External
ISC (DSP) slot No No No Yes
Power supply 150 W 90 W 190 W 260 W
PoE support 80 W No 80 W 120 W
CPU Cavium 2-core Intel 4-core Cavium 2-core Intel 4-core
RAM 512 MB 4 GB 512 MB, 2.5 GB 4 GB, 8 GB
DIMM slot No No 1 1
Flash 1 (Internal USB) 1 (eMMC) 2 (External CF) 1 (Internal eUSB)
Disk No No No Optional mSATA, NIM
USB 1 1 2 1
Management Port (GE) 0 0 0 1
Cisco Confidential 10
ISR 4k Modules General Roadmap
• Targeted for Terminal Server use • Two versions
• NIM-16A and NIM-24A
• New serial cable to accommodate both 16 ports and 24 ports SKUs• NIM-16A
• Use existing G2 cables for both 8-port connectors.• NIM-24A
• Use existing G2 cables for both 8-port connectors.• New cable needed for 3rd port
NIM-Async FCS Target: Oct 2016IOS Release: XE: 16.3
Cisco ISR 4000 Family Modules (1 of 2)Category Type Name Available
LANSM-X Ethernet Switches: 16, 24 & 48 ports Yes
NIM Ethernet Switches: 4 & 8 ports Yes
UCS E-SeriesSM-X CPU: 2, 4, 6 & 8 cores Yes
NIM CPU: 4 cores Yes
Voice
NIM T1/E1: 1, 2, 4 & 8 ports Yes
NIM FXS/FXO: 2 & 4 ports. Also, 4FXS+2FXO combo NIM. Yes
NIM E/M & BRI Voice Yes
PVDM PVDM4: 32, 64, 128 & 256 channels Yes
SM-X High-density DSP farm Yes
WAN EthernetSM-X 1GE: 4 ports OR 1-port 10GE Yes
SM-X 1GE: 6 ports Yes
NIM 1GE: 1 & 2 ports Yes
WAN 4G / LTE
NIM USA, Canada, Europe, Australia Yes
NIM LATAM / APAC (Incl. Band 28 for Australia and LTE TDD for China/India) XE 16.3.2
ISR G2 -EHWIC and
800BBLATAM / APAC (Incl. Band 28 for Australia and LTE TDD for China/India) 15.6(2)T1
For YourReference
Cisco ISR 4000 Family Modules (2 of 2)
Category Type Name Available
WAN T3/E3 SM-X T3/E3: 1-port Yes
WAN T1/E1NIM T1/E1: 1 & 2 ports Yes
NIM T1/E1: 8 ports Yes
WAN xDSL NIM Multi-mode VDSL2 / ADSL Annex A, B & M Yes
WAN SerialNIM Synchronous Serial: 1, 2 & 4 ports Yes
NIM Asynchronous Serial: 16 & 24 ports + new cable for 24 port version Oct 2016
StorageNIM Dual SSD carrier. Each SSD may be 200G or 400G. Yes
mSATA 200G SSD Yes
NIM Adaptor SM-X Converts SM-X slot to 1 NIM slot Yes
NIM-ISDN BRI-DataCC / Target release 16.6
NIM-G.SHDSLCC / EC pending / Timeline TBD
For YourReference
Single Wide High Density Analog module for the ISR4K • Feature parity
• Feature Parity with Venom (EVM modules on ISRG2)
• Compatible with CUCM (MGCP/H323/SCCP)
• Support FXS fall back to SRST or FXS registered to CME
• Enhancement: Direct FXO bypass (FXO Failover)
• Enhancement: Support Long loop length for FXS Ports(FXS-E)
• Cost Parity• Cost Parity with ISRG2 Modules
• DSP on board
VG350SM-D-72FXS /48FXS-E
SM-X-72FXSFIXED / Only for ISR4K
• Feature parity (with VG350)• Long Loop Length (FXS-E)
• Compatible with CUCM (MGCP/H323/SCCP)
• Energy wise feature
• Cost parity • Cost Parity with Palestrina (VG350)
• DSP on board
Double Wide High Density Analog modules for the ISR4K
EVM-ISRG28FXS MB, FXS/FXO DB
SM-X-24FXS/4FXOFIXED / Only for ISR4K
SM-X-8FXS/12FXOFIXED / Only for ISR4K
SM-X-16FXS/2FXOFIXED / Only for ISR4K
Cisco Confidential 15
Security
Cisco Leadership – ISR 4000 Series
Platform Integrity
Protects the Network
Counterfeit Protections
OS Validation
Secure Boot
ModernCrypto
Hardware Trust
Anchor
Runtime Defenses
Incident Response
Firepower
ISE ManagerPacket
AnalysisAgent
Stealthwatch Learning Network License
Firepower Management
Center
SecurityCulture
PSIRT Advisories
Security Training
Product Security Baseline
Threat Modeling
Open Source Registration
Supply Chain Management
Internet
Direct Internet Access (DIA)
CorporateNetwork
v Secure WAN Transportv Leverage Local Internet Pathv Threat Detection Techniquesv Improve Application Performancev Reduce WAN Bandwidth Consumption
Branch PublicDirect Internet
Access
IPsec VPN
IPS
Firewall
Firewall
Branch DIA use casesUse Case Security requirements Security Technology Visibility
PCI and Regulatory Compliance
FW, IPS ZBFW, Snort IPS
Guest User Wi-fi FW, Web Security, IPS (optional)
ZBFW, Cisco Umbrella Branch (OpenDNS), Snort IPS
Partial Direct Internet Access (Public Cloud, Partner Sites)
FW, IPS, Web Security ZBFW, Snort IPS, Cisco Umbrella Branch (OpenDNS) or Firepower Threat Defense
Full Direct Internet Access
FW, IPS, Web Security, Malware Protection, AVC
Firepower Threat Defense
Stea
lthw
atch
Lear
ning
N
etw
ork
Lice
nse
Snort IDS/IPS
Cisco ISR 4000 Series
SnortNow
Orderable!
Helps meet PCI compliance mandate at the Branch Office
Threat protection built into ISR 4000 branch routers
Complement ISR 4000 Integrated Security
Lightweight Threat Defense with low TCO and automated signature updates
Splunk monitoring available
Ø Over 4 million downloadsØ 500,000 registered usersØ Widely deployed IPS in the worldØ Solution requires:
Ø SEC licenseØ Signature updates term subscriptions (1Y or 3Y)
Cisco Umbrella Branch (a.k.a OpenDNS)Your first layer of defense at branch offices
Cisco Umbrella Branch208.67.222.222
Devices on branch network
• Visibility & enforcement at the DNS-layer
• Block requests to malicious domains and IPs
• Predictive intelligence: uncover current & emergent threats
• Protect all devices on your branch network against:o Malwareo Phishingo C2 callbacks
MALWARE
C2 CALLBACKSPHISHING
Block
Cisco ISR
OpenDNS - Endpoint security
INBOUND
OUTBOUND
PREVENTSMALWARE
CONTAINSBOTNETS
BLOCKS PHISHING ATTEMPTS & INAPPROPRIATE USAGE
CONTENT
THE INTERNET YOUR CUSTOMERS
ANY PORT &ANY PROTOCOL
Branch Office
Headquarters
Guests
Employees
VPN
SECURITY• Prevent guest or corporate users from
connecting to malicious domains & IPs
• Prevent already-infected devices from connecting to C&C
ACCESS CONTROL• Guest: Inappropriate content• Corporate: Loss of productivity
ISR4k
INTRANETTRAFFIC
Protecting Branch Guest and Corporate Internet Traffic
Cisco Umbrella Branch
Internet
Direct to Internet Access
WAN
SEC license required + term subscription for OpenDNS cloud services (1Y or 3Y)
Cisco Firepower Threat Defense for ISR
• Capitalize on DIA Without Compromising Security
• Industry-Leading Threat Protection for Branch and Remote Offices
• Consolidated Footprint Frees Revenue-Generating Square Footage
• Centralized Management with Clearly Divided Roles and Responsibilities
• Lower Total Cost of Ownership
Network Visibility
Granular App Control
Modern Threat Control
NGIPS
Security Intelligence
URL Filtering
BEFOREDiscover EnforceHarden
DURINGDetect Block
Defend
AFTERScope
ContainRemediate
Attack Continuum
Firepower Threat Defense
Visibility and Automation
Advanced Malware Protection
Retrospective Security
IoCs/Incident Response
Stealthwatch Learning Network License (SLNL)
Brings self-learning attributes to the Cisco 4000 ISR
Needs no programming of firewall rules, malware signatures, or access control lists (ACLs)
Uses machine learning, network context, and packet capture to determine what’s normal and what’s not
Uses advanced analytics and models to identify and block true anomalies
Adapts as conditions change
ISR ISR
Headquarters
Branch 1 Branch 2
Learning Network Agents
Learning Network Manager
DLA DLA
Integrated Security Offerings in One Box
The Ultimate Converged Branch – No More Appliances
Native, Service virtualization, AVC, WAN Opt, UC
Security for regulatory complianceThreat Centric Advanced security
Network, Computeand Storage
VPN ZBFW Snort IPSUmbrella Branch
(OpenDNS)
StealthwatchLearning Network
Firepower
Delivering true multi-layer security
Integrated Cloud Security for Managed ServicesShifting deployments from on-prem to the cloud
Internet
SP Cloud
Eliminate security appliance at the customer premise
Any IPsec capable CPE can be deployed at the customer premiseSecurity intelligence moves to the cloud. Stack available on CSR1000V:• IPsec VPN• SSL VPN• ZBFW• Snort IPS• Web FilteringLow footprint: 100 Mbps of combined throughput @2vCPUCloud Management
Data Traffic
Cisco Confidential 27
WAAS
O365 and Single Sided SSL
FCS6.2.1 May 20166.2.3 July 2016
• Office 365 optimization support• SMART-SSL acceleration for YouTube• SMART-SSL HTTPS content caching from
the branch• Full SMBv3 optimization and
prepositioning with signing and encryption• Akamai Connect connection counts scale
beyond 6,000 connections.• Prepositioning proxy and User Agent
Support• Redhat/CentOS KVM Support
WAN
Branch
DC
Branch
DIA
Azure/Managed cloud
DIA
WAAS is available on Azure Marketplace• Supported on release 6.2.x• Optimize IaaS and SaaS (O365)
applications• Hourly licensing• 200,750,1300, 2500, 6000 and 12000• D2_v2 and D3_v2 VM• Only routed and PBR redirection
supported (Azure doesn’t support GRE) • One click solution template for easy
deployment
Cisco Confidential 30
Polaris Feature Update
Manageability Support (ASR1K and ISR4K)• TR111 Support• TR069 Support
Security Support (ASR1K and ISR 4K)• NAT HA + VASI• Snort IPS Enhancements & integrations (logging, signatures)• Flex VPN and IKEv2 fast Convergence• ESON Support (Scheduled Rekey, Policy & Monitoring)• DMVPN (with Tunnel Sub-Interface, Native Multicast, per-Tunnel support)• VMS Cloud UTM• CWS (FQDN Enhancements, Active Identity integration)• SVTI-Multi Security Association (SA)
Data Center Interconnect (ASR1K)• ACI L3 DCI and TrustSec Integration:• ACI L3 DCI EVPN with iVXLAN and SGT• LISP and VXLAN GPO on WAN• NSH with Service Chaining
Voice Support for Federal Customer• SHA1_80 on ISR4K SIP IP TDM (PRI/BRI) • Support for Smart Licensing
ISR4K Feature Parity• DDR Support• Broadband Support for ISR 4000 Series (PPPoE, ISDN PRI integration,
QoS, MLPPP etc)• Ethernet over GRE
ASR Specific Features• Segment Routing• Security (ARP/NDP cache entries, ACL, punt policing)• Static IPoE session roaming, with Parameterized QoS,
Framed Route• Software Technology Re-Package for ASR
New Software Features Areas IOS XE 16.4.1 (Nov 2016) and 16.5.1 (March 2017)
Elements / Features
VPN BGP QoS Others
enconf tInterface en0 Ip addressScript CLI
BGP CfgState
QoS CfgState
VPN CfgState
Data-Model A
BGP QOSVPN
Data-Model B
BGP QOSVPN
Platform BPlatform A
Manual ConfigurationState & Config stored
per Feature
Inconsistent Data Models
Physical and Virtual Infrastructure
Platform
Automation Systems
OSS/BSS SDN Controllers Configuration Management Tools
Programmatic InterfacesRESTConf, NETConf, OpenFlow
Network
DevOps
IOS-XE16Programmability (NETConf and YANG)
Software Patches: SMU
In-service bug-fixesLess downtime with reduced reboots
IOS-XE16IOS-XE Now enables Emergency Point Fixes through Patching
OSPF OSPF
System UpgradeIn Place UpgradeConfig Preserved
asr1k.iso OSPFasr1k.iso
Feature Upgrade*Upgrade Single Feature
Installed like SMUBGP 6.0 OSPFBGP 6.1
Not available for all features*
What is Patching
• Emergency Point Fix positioned for Expedited delivery
• Addresses a Network problem that brings Business to a Standstill
Benefits of Patching• Reduce time to resolution in your
network.• Simplify Network Operations for
defect resolution and code qualification.
Cisco Confidential 34
ISR 4KOpen Services Containers
What is a Service Container?A Service Container is a virtual machine running within the network itself. Service Containers use virtualization technology (LXC and KVM) to provide a hosting environment on Cisco routers/switches for applications.
Use Case Cisco Virtual Services:• Lightweight Application Hosting• Example: ISR-WAAS ( KVM )• Example: SNORT ( LXC )
Use Case Third Party Services:• KVM Hosted Applications
Container
Network OS
Virtual Service
Now AvailableIOS Release: XE: 16.3.1
(Polaris)
Common Service Container Use CasesGeneral purpose virtual machine with custom and open-source troubleshooting tools. (Wireshark, Speedtest, IXIA etc.)
Troubleshooting VM
Common network functions such as Print Server, Domain Controller, File Storage, etc.
Network Functions
Network Analysis and Application Performance Monitoring without a dedicated probe.
Analytics
Augment the capabilities of the host platform in some way. (Custom encryption, business-based routing, specialized API interface)
Device Customization
Cisco Confidential 37
Web GUI
• First release is 16.2 (March 2016)• Come with the image - nothing needs to be installed• All is needed is to enable the http or https server• Access via http://<router-ip>/webui • Features in the March 2016 release:
1. Monitoring dashboard with device stats: CPU and memory utilization
2. Monitoring dashboard with AVC – show layer 7 application visibility for up to 48 hours usage
3. Configure AVC interfaces4. Configure physical and logical interfaces5. Configure static routes, DHCP, DNS6. Enable smart call home7. View active licenses8. View syslog9. Send exec and configuration commands
WebUI for ISR4K, ASR1K, CSR1000v
WebUI Dashboard16.3(1)
CPU / Mem Utilization
What’s being sent through the router
Define AVC Policies –out of the box we support the 1300+ NBAR 2 Apps
Custom Apps support URL, Server/Port, Protocol, DSCP
Configuration
Cisco Confidential 44
CSR Update
Packaged for NFVISBranch-Specific FeaturesBranch-Specific PricingLook-and-feel of an ISR 4000Not available separately
Cloud and VDC DeploymentsAggregation Use-CasesFlexible Pricing & PackagingVirtual ASR 1000 SeriesAvailable on multiple platforms
ISRv and CSR – 16.3.1
Integrated Services Router - Virtual Cloud Services Router
Cisco Confidential 46
UCS E-Series Updates
UCS E-Series PortfolioSc
alab
ility
Performance
UCS-E160D
6-core, 2.0 GHz, 96 GB RAM
UCS-E180D
8-core, 1.8 GHz, 96 GB RAM
6-core, 1.9 GHz, 32 GB RAM
M1 blades will be EOS by Q1 FY16
UCS-E140S
4-core, 1.8 GHz, 16 GB RAM
UCS-E160S
2-core, 2.0 GHz, 16 GB RAM
UCS-EN140N
4-core, 1.0 GHz, 8 GB RAM
UCS-EN120S
Shipping New
UCS-E160S-M3/K96-core, 32 GB, 2 Disks
Up to 4TB SATA StorageDual External 10G USB 3.0 port for external device
connectivity
6-core, Intel Broadwell, 2.0 GHz
Dual EMMC Storage with RAID
Available NowOnly on ISR 4K
Up to 32 GB DRAM options
Upgraded LSI controller for higher performance
Cisco Confidential 49
Enterprise NFV
What is Enterprise NFV?
Freedom of ChoiceHardware Platform
Add Software Intelligence to the HardwareVirtualization Layer
Consistent, trusted network services across all the platformsVirtual Network Functions (VNFs)
Central and Prescriptive AutomationOrchestration and Management
Option 2a
Cisco 4000 Series ISR + UCS® E-Series
Cisco® UCS C-Series
Enterprise Network Compute System(ENCS)
Network Functions Virtualization Infrastructure Software (NFVIS)
Cisco Enterprise Service Automation (ESA) on APIC-EMNetwork Services Orchestrator (NSO)
Introducing Cisco Enterprise NFVNetwork Services in Minutes, on Any Platform
Virtual Router(ISRv)
Virtual Firewall(ASAv)
Virtual WAN Optimization
(vWAAS)
Virtual Wireless LAN Controller
(vWLC)Third-Party VNFs
Packaged for Branch Network ServicesEnterprise NFV Infrastructure Software (NFVIS)
Network HypervisorEnables segmentation of
virtual networksAbstract CPU, memory,
storage resources
Zero Touch DeploymentAutomatic connection to PnP server
Secure connection to the orchestration system
Easy day 0 provisioning
Life Cycle ManagementProvisioning and launch of VNFsFailure and recovery monitoring
Stop and restart services
Dynamically add and remove services
Service ChainingNo hardware offload with UCS
External connectivity and to other services
Multiple service access options
Open APIProgrammable API for service orchestration
REST and NETCONF API
ASAv vWAAS vWLCISRv
Best-of-breed Trusted Services from CiscoConsistent software across physical and virtual
High PerformanceRich Features
End-to-end Support
Proven Software
Leader in Gartner MQ#1 Unit Shipped
Superior Caching with Akamai Connect
Survivability & ScaleConsistency across the
Data Center and Switches
Built for small and medium branches
Comprehensive ProtectionFull DC-class Featured
Functionality
Designed for NFV Cost-effective with NFV
Freedom of ChoiceCisco Intelligent Branch
Virtual RouterVirtual Services
ENCS
License Portability
Services Consistency
Business Continuity
Enterprise NFV
Physical RouterVirtual Services
ISR 4000 Series + UCS E-Series
Traditional
Physical Router
ISR 4000 Series
Centralized ServicesFixed Integrated Services
Conservative
Upgradable H/WDeterministic Routing Performance
Late Adopter
Elastic Routing and Services PerformanceEarly Adopter
ENCS 5400 Series - BezelNew Industrial Design
First platform with new Cisco design languageIntended to create a common look across Cisco products
Status Indicators using Universal Icons
LED Backlit LogoRounded Corners Aluminum Bezel with “Logo” Vents
Raised Bezel Edge
ENCS 5400 Series
6, 8, or 12-Core Intel Xeon-D
8 - 64 GB DRAM
8 Integrated LAN Portswith Optional POE
Network Interface Module for LTE & legacy WAN
Dedicated Board Management Controller
2 HDD or SSDRAID 0 & 1
InternalM.2 Storage
USB 3.0 Storage
2 Onboard Gigabit Ethernet ports
with SFP
Optional Hardware RAID Controller
Integrated Power Supply
Optional Hardware Crypto Module
Hardware Acceleration for VM Traffic
ENCS 5400 Portfolio - Chassis Options
ENCS541212-CoreENCS5408
8-CoreENCS54066-Core
ENCS5406 ENCS5408 ENCS5412
CPU 6-core, 1.9GHz 8-core, 2.0GHz 12-core, 1.5GHz
Base List Price $4,000 $6,000 $8,000
PoE No 200W 200W
Capacity Guidance ISRv + 2 VNFs ISRv + 3 VNFs ISRv + 5 VNFs
Cisco Solutions for Digital Branch
Customer Experience
AVC & NBAR2, PrimeWAAS with Akamai ConnectUC: CUBE, CME/SRST, Voice Gateway
Branch Automation
IWAN App on APIC-EMPrime: Lifecycle | Assurance | Compliance Plug-n-Play Automation
Pervasive Security
Network: Stealthwatch Learning Network, MACSecBranch: FirePower, Snort IPS, VPNDIA: OpenDNS, CWS
Platform Independence: Virtualize Any App, Anywhere
PHYSICALISR 4000 Series , ASR 1K Series
CONVERGEDUCS E-Series on ISR 4000
VIRTUALKVM VM on IOS XE
VNFs: ISRv, ASAv, vWAAS, vWLC
Dynamic Multipoint VPN
WAAS VRF, ZBFW Intelligent Path Control (PfR)
Software Defined WAN and Beyond
Cisco Confidential 59
ASR Series
Up to 78Gbps Crypto capacityMore flexible power supply configurationSupport for up to 200 Gbps in every slot with ESP200-X and upHardware redundancy
ASR1000 Product Family Evolution
ASR1002-X
ASR1006-X
ASR1009-X
ASR1013
ASR1001-X 2.5 - 20 Gbps5 - 36 Gbps
40 – 200+ Gb/sec
ASR1002-HX
EPA
100 Gbps for slots 2 and 3Hardware redundancy
40 - 200 Gb/secEPA
ESP100-X, ESP200-X and ESP400-X on roadmap with line rate crypto
More power flexibility200 Gbps in everyHardware redundancy
40 - 100 GbpsEPA
RP3
RP3
High performance control plane with crypto assist.
RP3
RP3
ESPX
ASR1001-HXUp to 39Gbps crypto40 – 100 GbpsEPA
8 or 20Gbps crypto60 Gbps
ASR 1006-X and 1009-X Chassis
Power Shelf
ASR 1009-X
ASR 1006-XASR 1006-X
(Modular Redundant )ASR 1009-X
(Modular Redundant)
Timeline Available Now Available Now
Height 6RU 9RURP Slots 2 2ESP Slots 2 (regular) 2 (super)SIP/MIP Slots (I/O Slots) 2 (SIP40/MIP100) 3 (SIP40/MIP100)SPA Slots 8 12EPA Slots 4 6NIM Slots N/A N/ABuilt-In GE N/A N/ASlot Bandwidth 100G(Future 200G) 100G(Future 200G)Forwarding Bandwidth (based on current QFP) 40 to 100G 40 to 200G
Forwarding Bandwidth (with Next-Gen QFP) Up to 200G (Future) Up to 400G (Future)
Maximum Output Power
1100W power modulesN+1, Max 6
1100W power modules N+1, Max 6
Available Now!
Available Now!
ASR1006-X – Next-Gen 6RU with 100G per Slot
Forwarding Plane (ESP)§ Up to 100Gbps per system§ Supports ESP40, ESP100 and
future ESPs
Control Plane§ Supports RP2 and RP3 (future) § Default 8G memory (max. 16G)§ FIPS-140-3 certification
I/O Connectivity§ 8x SPA slots (with SIP40)§ 4x EPA slots (with MIP100)§ 100 Gbps I/O slot bandwidth
System Management§ RJ45 Console§ Auxiliary Port§ 2x USB Ports
Power Supply§ Modular power supply with N+1 redundancy§ High efficiency, Load sharing, Hot-swappable§ AC (1100W) or DC (950W)
BITS clocking§ Stratum 3 built-in
Modular Fan Tray§ Field Replaceable without
the need to replace power supplies
Cryptography§ Up to 29/16 Gbps
(1400B/IMIX) crypto throughput using ESP100
§ Suite-B crypto support
Hardware Redundancy§ Dual ESP and RP slots for
data plane and control plane redundancy
§ ISSU
Available Now!
ASR1009-X – Power Efficient 9RU with 100G per Slot
Forwarding Plane (ESP)§ Up to 200Gbps per system§ Supports ESP40, ESP100,
ESP200 and future ESPs
Control Plane§ Supports RP2 and RP3 (future)§ 8G – 64G DDR3 memory (RP3)§ FIPS-140-3 certification
I/O Connectivity§ 12x SPA slots§ 6x EPA slots§ 100 Gbps I/O slot bandwidth
with ASR1000-MIP100
System Management§ RJ45 Console§ Auxiliary Port§ 2x USB Ports
Power Supply§ Modular power supply with N+1
redundancy§ High efficiency, Load sharing, Hot-
swappable§ AC (1100W) or DC (950W)
BITS clocking§ Stratum 3 built-in
Modular Fan Tray§ Field Replaceable§ 30% improvement in
airflow per slot vs integrated Fan module
Cryptography§ Up to 78/59 Gbps
(1400B/IMIX) crypto throughput using ESP 200
§ Suite-B crypto support
Hardware Redundancy§ Dual ESP and RP slots for
data plane and control plane redundancy
§ ISSU
Available Now!
Multi-Core Network Processor§ 124 Cores§ 4 Packet Threads / Core§ 496 simultaneous threadsMiscellaneous§ RJ45 & mini-USB console§ SSD§ Secure Boot
ASR 1002-HX (Kahuna) 100G Fixed
Network Interface Module§ 1 double wide NIM slot or§ 2 single wide NIM slots§ NIM - Compatibility with
ISR4400 and ASR1001-X
EPA - Ethernet Port Adapter§ 1x EPA slot
Built in I/O§ 8x TenGigabit Ethernet interfaces enabled
by license§ 8x Gigabit Ethernet interfaces in base§ Multipoint MACSEC for linerate
encryption (1G & 10G)
Pay as you go§ 50 Gbps base performance§ Max performance of 120 Gbps,
licensed
Application level service performance§ 58M Packets Per Second§ Up to 25G Crypto IMIX w/ Suite B§ Diverse VPN security solutions, 25G IMIX§ 13M Firewall and traditional NAT Sessions
Control plane§ CPU: Quad Core @ 2.5 GHz§ Memory: 16GB DDR3
default memory,upgradeable to 32GB
System management§ Cisco Prime§ Glue Networks
Crypto module§ Field upgradeable
Available Now!
• Crypto capacity up to 39Gbps
• Base version of 1002-HX can be delivered without the crypto hardware • Upgrade crypto performance on fielded units…on demand, without truck roll• Upgrade only the fielded units that really needs to support Crypto • Order units to be upgraded in the factory prior to shipment.
ASR1002-HX Crypto Module
ASR1002-HX – Capability ComparisonPlatform ISR4451-X ASR1001-X ASR1002-X ASR1002-HX
PAYG Bandwidth 1-2G 2.5-20G 5-36G 44G-100G
PPS Performance 1-2 Mbps 11 Mpps 30Mpps 58Mpps
IPv4 Routes 500K (4G)/IM (8G/16G)
1M (8G)/ 3.5M (16G) 500K (4G)/1M (8G)/ 3.5M (16G)
500K (4G)/1M (8G)/ 3.5M (16G)
Built-in I/O 4x1GE 6x1GE; 2x10GE 6x1GE 8x1GE, 8x10GE
Extensible I/O 3XNIM,2XSM 1x SPA, 1x NIM 3x SPA 1x EPA, 1x NIM
Encryption Throughput
1.4G(IMIX) 5G (IMIX) 4G (IMIX) 25G (IMIX)
MACsec Point to Point Point to Multipoint N/A Point to Multipoint
ZB Firewall Sessions 500K (200K FW+K2) 2M 2M 6M
NAT Sessions 500K 2M 2M 6M
AVC 1G 5G 18G 52G
CUBE(Ent) 8K 10K Subscribers 10K subscribers 10K subscribers
BB N/A 10K subscribers 29K subscribers 58K subscribers
QoS (Queues) TBD 16K 116K 232K
MACsec Yes (128-bits only) Yes N/A Yes
Suite-B Yes Yes Yes Yes
High Availability No Yes (Redundant IOS)
Yes (RedundantIOS)
Yes (RedundantIOS)
Clocking Yes ( In Future) Yes (SyncE) Yes (SyncE, GPS, BITS)
Yes (SyncE,BITS)
TCAM Software 10Mbits 40Mbits 80Mbits
ASR1000 ForwardingWhere does ASR1002-HX fit in Performance and Throughput?
Jackpot ESP-10G ASR1001-X ESP-20G ASR1002-
X ESP-40G ESP-100G ASR1002-HX ESP-200
System Bandwidth*
2.5 - 5 Gbps 10 Gbps 2.5 – 20
Gbps 20 Gbps 5 – 36 Gbps 40 Gbps 100 Gbps 44-100
Gbps 200G
Performance 3 - 8 Mpps 17 Mpps 11 Mpps 23 Mpps 23 Mpps 30 Mpps 58 Mpps 58 Mpps 130 Mpps
# of Processors 20 40 31 40 64 40 128 128 256
Clock Rate 900 MHz 900 MHz 1.5 GHz 1.2 GHz 1.2 Ghz 1.2 GHz 1.5 GHz 1.5 GHz 1.5 GHz
Crypto Engine BW (1400 Bytes)
1 Gbps 4.4 Gbps 8 Gbps 8.5 Gbps 4 Gbps 11 Gbps 29 Gbps 39 Gbps 78 Gbps
QFP Resource Memory
256MB 512 MB4 GB
(Unified)1 GB 1 GB 1 GB 4 GB 4 GB 8 GB
Packet Buffer 64 MB 128 MB512 MB
(Unified)256 MB 512 MB 256 MB 1 GB 1 GB 2 GB
Control CPUDual
core* 2.13 GHz
800 MHzQuad Core*
2.0GHz1.2GHz Quad core*
2.1 GHzDual core 1.86 GHz
Dual core 1.73 GHz
Quad core* 2.5 GHz
Dual core 1.73 GHz
TCAM 5 Mbits 10 Mbits 10 Mbits 40 Mbits 40 Mbits 40 Mbits 80 Mbits 80 Mbits 2x 80 Mbits
Chassis Support ASR 1001
ASR 1002, 1004, 1006
ASR 1001-X
ASR 1004, 1006
ASR 1002-X
ASR 1004, 1006 1006-X, 1009-X,
1013
ASR 1006, 1006-X, 1009-X,
1013
ASR 1002-HX
ASR1009-X, 1013
Ø * For non-modular systems (1001 & 1002) the “Control CPU” is also the Route Processor CPU and requires more processing capability
ASR 1001-HX 60G Fixed
System Management§ RJ45 GE Ethernet
§ 2x USB Ports
§ 8x 1GE Ports§ MACSec enabled
§ 4x 10GE Ports +§ 4x configurable 10GE / 1GE Ports
enabled by license§ MACSec enabled
Power Supplies§ 2x AC or DC
Memory§ 2x DIMM slots
(8GB each)
Crypto module§ Field upgradeable (8
or 16Gbps)
6x Fans
System Management§ Console§ AUX
Multi-Core Network Processor§ 62 Cores§ 4 Packet Threads / Core§ 248 simultaneous threads
Control plane§ CPU: Quad Core @ 2.5 GHz§ Memory: 8GB DDR3
default memory,upgradeable to 16GB
Pay as you go§ 60 Gbps system performance§ 16 Built-in 10GE/1GE ports enabled via
software license
Application level service performance§ 30M+ Packets Per Second§ Up to 20G Crypto IMIX w/ Suite B for diverse VPN
security solutions§ 6M Firewall and traditional NAT Sessions
High Density Modular Ethernet –MIP100 Carrier Card + EPAs
100G Carrier Card + 2xEthernet Port AdaptersPossible EPA
options• 1x100GE • 2x40GE via breakout cable from 1x100GE • 10x10GE • 18X1GE• 2x40GE native ports (not EC’ed yet)
Throughput • 200G I/0 with up to 100G1 throughput per line card
Key Features • Feature Parity to 2x10GE+20xGE Plus
• WAN-PHY for 10GE (post-FCS)• 256-bit MACSEC & TAGS in the clear (post-FCS)
RP • RP2 + FutureESP • ESP100 + Future
• ESP200 + Future
Chassis Slots BW1013 Slots 2 & 3 100G1013 Slots 0,1,4&5 40G1006-X All Slots 100G1009-X All Slots 100GASR1002-HX Integrated CC 100G
1x100G 10x10GE 18x1GE
ASR1000-MIP100
1Max Bandwidth per slot for EPAs (ESP100 and ESP200)
2x40GE
2No MACsec 2No MACsec3Breakout cable from 1x100GE
2 2,3
Available now!
RP3 – Next Gen Route Processor§ Positioned to help customers migrate from RP1s & RP2s
§ Investment protection – Supports most of existing and all planned ESPs (ESP100-X, ESP200-X, ESP400-X), interface cards (SIP40, MIP100) and modular chassis (ASR1013, ASR1006-X and ASR1009-X)
§ Higher maximum DRAM capacity - 8G default, expandable to 64GB
§ Built-in SSD drive - 100GB default, upgradeable to 400GB+ for log / core /data collection and for running container apps in the future
§ Larger Flash memory - 8G default for NVRAM contents
§ Dedicated Crypto Assist chip for better crypto performance and scale (CPS)
USB
Solid state drive
BITS clocking
DRAM
Management Enet
Console/Aux
RP3 Customer BenefitsHigher Performance and Scale
• Average 20-30% faster than RP2
• Up to 64GB on RP3 for highest IOS XE scale
• SSD instead of HDD
• Crypto assist chip for up to 2X faster IPsec tunnel CPS
Lower TCO
• Savings from power and cooling
• Support HA and ISSU through redundant ESP/RP
• Futureproof to support new forwarding engines and I/O cards
Familiar Look and Feel
• Supported on ASR1006-X, ASR1009-X and ASR1013
• Same faceplate as RP2
• Same SW and licenses as RP2
• Easy upgrade from RP2
ASR1000 Route ProcessorsRP1 (EOS) RP2 RP3
CPU General Purpose CPU Based on 1.5GHz Processor
Intel Dual-core Wolfdale 2.66GHz
Intel Quad-coreBroadwell 2.2GHz
Memory 4GB 8, 16GB 8, 16, 32, 64GB
Built-inBoot flash 1GB 2GB 8GB
Storage 40GB HDD,External USB
80GB HDD,External USB
100 – 400 GB SSD,External USB
Chassis Support
ASR1004ASR1006
ASR1004ASR1006
ASR1006-XASR1009-XASR1013
ASR1006-XASR1009-XASR1013
Cisco Confidential 73
Q & A
Cisco Confidential 74
Thank You