Enterprise Architecture, Deployment and Positioning
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking Group
Session Objectives
At the end of the session, the participants will be able to:
• Understand the characteristics of the various enterprise deployment models
  – Unified Access
  – Traditional Access
  – Converged Access
  – Instant Access
• Understand which products are the lead platform for each deployment model
  – Understand individual product positioning
• Customer requirements drive deployment mode decisions (and hence product choice)
  – Understanding the customer current state and goals that drive deployment model preference
  – Understand considerations relative to each deployment model

© 2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public
Agenda
• Session Objectives
• Key Services Overview
• Design Options
  • Traditional Access
    – Multilayer
    – Routed
    – VSS
  • Converged Access
  • Instant Access
• Summary

[Diagram: campus topology with Data Center and Services Block, captioned "Deployment Models"]

Switching Requirements Campus/DC

Catalyst 6500 / 6800 (Campus Optimized)
• Campus Segmentation & Security: 802.1X, ASA-SM, Easy Virtual Networks
• Video Intelligence: Medianet, Distributing Policing
• Wired / Wireless Convergence: WiSM2, LISP
• Campus Smart Operation: Smart Install, Instant Access

Nexus 7000 / 7700 (DC Optimized)
• DC Virtualization: OTV, LISP, DFA, VXLAN*
• LAN / SAN Convergence: Multi-hop FCoE
• Fabric Scale & Resilience: FabricPath, vPC, Wire Speed 10/40/100G
• Data Center Operation: VDC, FEX, DCNM, OnePK

[Diagram labels: Video, Mobility/BYOD, Workload Mobility, Security, 10G/Virtualization, Energy Efficiency, VM]

Campus Deployment Models
Unified Access
• One Policy: Cisco ISE
• One Management: Cisco Prime Infrastructure

[Diagram: Traditional Access, Converged Access and Instant Access topologies under Unified Access. Labels: Distributed Wireless, Distributed Wired, Centralized Wired (IA), Centralized Wired (VSS), Centralized Wireless, VSS, MA]

Unified Access
What does it really mean?

LEAD Platforms (diagram labels): Cisco Prime Infrastructure; Identity Services Engine; Cisco Catalyst 6800/VSS; WISM2/WLC; WLC; Cisco Catalyst 4500E, Cisco Catalyst 3850; Wireless APs

KEY SERVICES FOR UNIFIED ACCESS DEPLOYMENT
• Secure Group Access to Simplify the Network and Enable Virtualized Data Center Services
• Application-Aware Networking to Enable Collaboration, Video, and Other Apps
• Maximized Network Availability with Virtual Switching and Stateful Switch Over
• Reduce Operating Expenses and Improve Network Application and Service Delivery

OS Consistency: IOS XE 3.x
Cisco Validated Design 2.5 for Campus Deployment

Cisco TrustSec
Secure Group Access Simplifies Security Enforcement

Source group | Email Server | Financial Servers | Patient Records
IT           | Allow All    | SQL               | SQL
Finance      | IMAP         | Web               | No Access
Doctors      | IMAP         | No Access         | File Share

Access Control with Secure Group Access
• Role-based
• Topology-independent
• Scalable
• Easy to administer
• One Policy

[Diagram endpoints: IT 3.1.1.1, Finance 2.1.1.1, Doctor 1.1.1.1]

Cisco TrustSec
Security Group Tags (SGTs) in the Access
ISE Maintains a Centralized View of Device Inventory and Policy Assignment
• SGACL Enforces Policy at Access, Campus Edge, or Data Center
• SG Tag Imposed to Incoming Traffic

[Diagram: ISE classification table with Device-Aware, Identity-Aware and Location-Aware columns (devices: Corp PC, Personal Laptop, Smartphone, IP Phone, TelePresence; identities: Doctor, Patient, Admin; locations: Office, Hotspot, Conf. Room, Facility) mapped to a Secure Group, beside an SGACL matrix of Permit / Deny / ACL_v entries for Patient Record, Voice, Video and Internet. Other labels: CDP, LLDP, DHCP, MAC]

Security Group Access
• Simplifies ACL management
• Uniformly enforces policy independent of topology or protocol
• Fine-grained access control

Cisco TrustSec
SGTs in the Backbone

Map VLANs or IP Subnets to SGT Values
cts role-based sgt-map VLAN-list 110 sgt 1110
cts role-based sgt-map VLAN-list 120 sgt 1120
cts role-based sgt-map VLAN-list 130 sgt 1130
cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
cts role-based sgt-map 192.168.30.0/24 sgt 30

SGACL Enforcement
cts role-based permissions from 1110 to 3200
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 138
permit tcp dst eq 139
deny ip

• Can Forward Existing SGT Traffic or Map SGTs Manually
• Manual or Dynamic VLAN Mapping

[Diagram: Cisco TrustSec Domain with Identity Service Engine; SGT-tagged links in the backbone; VLAN 110, VLAN 120 and VLAN 130 at the access layer]

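An added example (not part of the original slides and not Cisco code) that parses the SGT mappings and the SGACL shown on this slide and evaluates flows against them, with the port-139 entry spelled `dst`. It reads only the slide's simplified notation, not full IOS syntax; the function names and the flows checked are constructed for illustration.

```python
import ipaddress
import re

# The slide's statements, embedded so the example runs offline. The slide spells
# the port-139 entry "des"; it is written as "dst" here.
SLIDE_CONFIG = """\
cts role-based sgt-map VLAN-list 110 sgt 1110
cts role-based sgt-map VLAN-list 120 sgt 1120
cts role-based sgt-map VLAN-list 130 sgt 1130
cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
cts role-based sgt-map 192.168.30.0/24 sgt 30
cts role-based permissions from 1110 to 3200
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 138
permit tcp dst eq 139
deny ip
"""

SGT_MAP = re.compile(
    r"cts role-based sgt-map (?:VLAN-list (?P<vlan>\d+)|(?P<net>\S+)) sgt (?P<sgt>\d+)")
PERMISSIONS = re.compile(r"cts role-based permissions from (?P<src>\d+) to (?P<dst>\d+)")
ACE = re.compile(
    r"(?P<action>permit|deny) (?:(?P<any>ip)|(?P<proto>tcp|udp)(?: dst eq (?P<port>\d+))?)")


def parse(text):
    """Return (vlan_to_sgt, subnet_to_sgt, sgacls). Raise ValueError on any line
    that is not understood, so a mistyped entry cannot silently vanish."""
    vlan_to_sgt, subnet_to_sgt, sgacls = {}, [], {}
    current = None  # entry list of the permissions statement being read
    for number, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())
        if not line:
            continue
        if m := SGT_MAP.fullmatch(line):
            current = None
            if m["vlan"]:
                vlan_to_sgt[int(m["vlan"])] = int(m["sgt"])
            else:
                subnet_to_sgt.append((ipaddress.ip_network(m["net"]), int(m["sgt"])))
        elif m := PERMISSIONS.fullmatch(line):
            current = sgacls.setdefault((int(m["src"]), int(m["dst"])), [])
        elif (m := ACE.fullmatch(line)) and current is not None:
            proto = "ip" if m["any"] else m["proto"]
            current.append((m["action"], proto, int(m["port"]) if m["port"] else None))
        else:
            raise ValueError(f"line {number}: not understood: {line!r}")
    return vlan_to_sgt, subnet_to_sgt, sgacls


def classify(policy, *, vlan=None, ip=None):
    """Source SGT for a VLAN or for an IP address (longest prefix wins), else None.
    Precedence between VLAN and IP bindings is not modelled: pass one of the two."""
    vlan_to_sgt, subnet_to_sgt, _ = policy
    if (vlan is None) == (ip is None):
        raise ValueError("pass exactly one of vlan= or ip=")
    if vlan is not None:
        return vlan_to_sgt.get(vlan)
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, sgt) for net, sgt in subnet_to_sgt if addr in net]
    return max(hits)[1] if hits else None


def evaluate(policy, src_sgt, dst_sgt, proto, dst_port=None):
    """First-match verdict for one flow: 'permit', 'deny', 'no-match' when no
    entry matches, or 'no-policy' when the SGT pair has no list at all."""
    sgacl = policy[2].get((src_sgt, dst_sgt))
    if sgacl is None:
        return "no-policy"
    for action, ace_proto, ace_port in sgacl:
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action
    return "no-match"


def permitted_tcp_ports(policy, src_sgt, dst_sgt):
    """Every destination TCP port the pair's list permits, for review against intent."""
    return [port for port in range(1, 65536)
            if evaluate(policy, src_sgt, dst_sgt, "tcp", port) == "permit"]


if __name__ == "__main__":
    policy = parse(SLIDE_CONFIG)
    src = classify(policy, vlan=110)
    for port in (443, 3389, 25):
        print(f"SGT {src} -> SGT 3200 tcp/{port}:", evaluate(policy, src, 3200, "tcp", port))
    print("permitted TCP ports:", permitted_tcp_ports(policy, src, 3200))
```

Feeding the slide's original `permit tcp des eq 139` line to `parse` raises `ValueError` instead of dropping the entry, which is the behaviour a policy review script should have.
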
Application Visibility and Control
Is BYOD a threat to your business applications?

IT Challenges
• Is my network ready for video?
• How do I ensure high quality of user experience?
• How can I troubleshoot and monitor effectively?

Assessment
• Enhanced Object Tracking
• IP SLA
• Built-in Traffic Simulator
• Cisco CleanAir

App Visibility / Control
• Media Services Proxy (MSP)
• Metadata
• Flexible NetFlow
• Device sensor
• Secure group tagging
• Quality of Service (QoS)
• AVC in Wireless Controller
• Mediastream

Monitoring / Troubleshooting
• Performance Monitor
• Mediatrace
• Flexible NetFlow
• Wireshark / Mini-Protocol Analyzer
• Device sensor

High Availability: L2/L3
Multicast: HA, Call Admission Control (CAC), Multipath, Video Stream

Catalyst Infrastructure Resiliency - Access
Cisco StackWise+

Scale With Performance
• Seamless Access Network Expansion
• High-speed 64Gbps Bi-Directional Switching Stack-Ring
• Single Logical Unit To Manage Nine Switches and 450 Ports

Virtualized For Simplicity
• Centralized Control and Management Architecture
• Reduces VLANs/Subnets
• 9X Operational Simplicity

Simplified For Resiliency
• Distributed and Resilient Forwarding Architecture
• Single Network Per Layer
• Deterministic Network Operation With Non-Stop Forwarding

Catalyst Infrastructure Resiliency - Backbone
Cisco Virtual Switching System (VSS)

Traditional Campus Design
• Complex Network Design and Operation
• Underutilize Network Resource
• Sub-Optimal Application and Network Performance

VSS Campus Design: Optimized Network
• Optimized Network Design
• Double Switching Capacity
• Deterministic Application and Network Performance

VSS Campus Design: Simplified Operation
• Simplified System Operation
• Single Neighbor and Network Per Layer
• Simplified and Highly Redundant Network Topologies

Catalyst Infrastructure Resiliency - Modular
Cisco ISSU Delivers 99.999% Uptime

Access: 4500E (ISSU)
• Dual-Supervisor Requires Software Consistency
• ISSU Provides Real-Time Single-Chassis Software Upgrade. Reduces MTBF
• Protects Network Services, Capacity and Availability for Wired and WLAN End-Points

Distribution / Core: 6500E (eFSU)
• eFSU Provides Real-Time Dual-Chassis Software Upgrade. Reduces MTBF
• Protects Network Services and Availability At Access Layer with Redundant Paths
• Network impact ~1sec for entire upgrade process

[Diagram labels: VSL; Mismatch IOS Version During Software Upgrade]

Cisco Smart Operations
Simplify Your Infrastructure

Smart Install: Zero-Touch Deployments
• New Switch Is Connected
• Software image downloaded; configuration automatically applied
• Zero Touch Deployments, Upgrades and Replacements

Auto Smartports: Plug and Play for End Devices
• New End Device Attached
• Port configuration: Applied
• QoS policy: Enforced
• Security policy: Enforced
• Simplifies management tasks

Embedded Event Manager: Automate Response to Events
• Customize IOS Behavior
• User customizable
• Change IOS behavior
• Automatically fix network issues
• Automate responses to commonly occurring events

[Diagram labels: Director, Access Switches]

Traditional Access – Multilayer Design
Considerations
• Highly Available Network Design
• L2/L3 Protocol Tuning Required
• Protocol Alignment Required
• Deployment Flexibility
• Well Understood Deployment

[Diagram: MULTILAYER CAMPUS DESIGN. Backbone Core, Distribution and Access layers with Wireless LAN Controller, Cisco Prime/LMS, ISE, CPE and CAPWAP Tunnel]

Characteristics of Multilayer Deployment Model

Benefits
• Well understood and well documented design with many years worth of deployment history
• Uses industry standard protocols such as Rapid Spanning Tree Protocol
• Cisco differentiating enhancements enable sub-second or near sub-second network convergence
• Allows for multi-vendor environment
• Flexible equipment costs from low to high end

Challenges
• Requires significant configuration tuning to achieve sub second network convergence
• Requires significant complexity when adding VLAN or VRF segmentation
• All switches managed individually
• Complex – Alignment of Spanning Tree, Routing, and Default Gateway Redundancy required
• Spanning Tree Liability

Traditional Access – Virtual Switching System
Considerations
• Less Protocol Tuning Required
• Efficient Resource Utilization
• Higher Resiliency with Quad Sup VSS
• Fewer Routing Peers
• Some Customers Prefer Separate Control Plane

[Diagram: VSS CAMPUS DESIGN. Backbone Core, Distribution and Access layers with Wireless LAN Controller, Cisco Prime/LMS, ISE, CPE and CAPWAP Tunnel]

Characteristics of VSS Deployment Model

Benefits
• Simplified network design with a single logical distribution layer device
• No First Hop Redundancy Protocol needed
• EtherChannel-based traffic load sharing across multiple uplinks
• Allows for extending VLANs across multiple access layer switches without creating STP blocking links and liability
• Supports sub-second convergence
• No Cisco differentiating enhancements required to achieve sub-second convergence
• No Access Layer stickiness, i.e. any access switch will work with VSS
• Allows for multivendor access switches
• Distribution Switches managed as One Entity

Challenges
• Cisco proprietary solution, requires Cisco switches in the distribution layer
• Access switches managed individually
• Single control plane is a concern for some customers

Traditional Access – Routed Access Design
Considerations
• Single Control Plane
• Simplified Network Recovery
• Additional IP Address Usage
• VLANs Constrained to WC
• Common Set of Troubleshooting Tools

[Diagram: MULTILAYER CAMPUS DESIGN. Backbone Core, Distribution and Access layers with Wireless LAN Controller, Cisco Prime/LMS, ISE, CPE and CAPWAP Tunnel]

Characteristics of Routed Access Deployment Model

Benefits
• Single control plane = less complexity
• Less protocol tuning required for sub-second convergence (protocol dependent)
• Common set of troubleshooting tools
• ECMP default behavior for efficient utilization of available links and fast convergence
• Avoids flooding downstream
• No FHRP required
• No trunking required
• Permits VLAN ID reuse
• Simplified multicast topology

Challenges
• Requires additional IP address management and utilization
• VLANs limited to wiring closet – cannot span VLANs across closets
• May require ECMP/CEF hash-tuning for most efficient path utilization (older hardware)
• RSPAN not possible (ER-SPAN required)

Lead Platforms for Traditional Access
(Updated as per Oct’2013)
BACKBONE: Catalyst 6807-XL, 6880-X, Catalyst 6500-E
ACCESS: 3850, Catalyst 4500-E Sup8E, 3650
[Slide layout: platforms arranged in FIXED and MODULAR columns]

Converged Access
Considerations
• Single QoS Model for Wired/Wireless
• Complete visibility into wireless traffic
• Consistent Services for wired/wireless
• No external controller for up to 250 APs
• Future proof for 802.11ac
• Multilayer or Routed Access Supported

[Diagram: Backbone Core, Distribution and Access layers (Multilayer, VSS, or Routed Access) with Cisco Prime, ISE and CAPWAP Tunnel. MC/MO: WiSM2, 5508, 8510*, 3850, 3650*, 5760. MA at the access layer]

Characteristics of Converged Access

Benefits
• Can be deployed with existing traditional wireless architecture for ease of migration
• 3850/3650/4500E* can terminate CAPWAP as the Mobility Agent with existing 5508, WISM2, 3850, 3650*, 5760, 8510* acting as the Mobility Controller
• Single QoS model for Wired and Wireless on 3850/3650/4500E*
• Provides Flexible NetFlow across all ports for wired and wireless
• Supports Multicast better based on how CAPWAP is terminated

Challenges
• Multiple management and troubleshooting points for Wireless
• Prime and WEBGUI lacking in functionality
• Wired Migration blockers between 3850 and 3750x
• Wireless Migration blockers between AireOS & IOS

*Roadmap

Wired Access Deployment
Feature enhancements within FY14

Releases: 3.2.2 (Yesterday), 3.3 (Today / October CY13), 3.6 (Q2 CY14)
Feature areas: Infra, Security, Management, Certification

Features listed on the slide:
• 9 member stacking, HSRP, Critical Voice VLAN, Services Discovery Gateway
• VRRPv3, IPv6 Routing/PBR/VRF
• SGT/SGACL on wired wireless (Macsec and FHS in future release)
• Wireshark
• Medianet (MSI/MSP)
• 3650 management with PI 2.0.1
• PI 2.1
• Device Sensor
• AVC
• IPv6, USGv6
• FIPS, Common Criteria, UCAPL

Converged Access Deployment Model
Feature enhancements within FY14

AP Support
• 3.2.2 (Yesterday): AP3600, AP2600, AP1600, AP1140, AP1260, AP3500
• 3.3 MR (Q4 CY13): AP3700 & 802.11ac module on AP3600
• 3.6 (Q2 CY14): AP700I, AP700W and 1532

Wireless Features
• 3.2.2 (Yesterday): BYOD Onboarding
• 3.3 MR (Q4 CY13): 802.11r/k/w, App Visibility, Bonjour, AP SSO stack cable, CMX with PI 2.0
• 3.6 (Q2 CY14): Policy Classification Engine (PCE), QoS on AVC, Bonjour Ph 2, MC support on 5508, WiSM2, 8500 with 8.0

WEBGUI
• 3.2.2 (Yesterday): Introduced WEBGUI to set up WLAN deployment
• 3.3 MR (Q4 CY13): Improved http performance; supports App Visibility, QoS, Bonjour, HA; better defaults, improved usability flows
• 3.6 (Q2 CY14): Improved https performance; MC Management of MA; new features e.g. PCE, Federal certs

PI
• 3.2.2 (Yesterday): PI 2.0 manages IOS-XE 3.2.x and AireOS 7.4 MR
• 3.3 MR (Q4 CY13): PI 2.0.1 manages IOS-XE 3.3, and AireOS 7.6 with 7.4 MR features, 5508/WiSM2 as MC; device support for Switch 3650, 802.11ac and 9 member stack
• 3.6 (Q2 CY14): PI 2.1 manages IOS-XE 3.6 and AireOS 8.0; key feature support such as AVC, Bonjour, SSO

Cisco Unified Access
Wireless Deployment Modes

AIREOS FLEXCONNECT
• Position in wireless-only deals
• Position for multiple branches
• Up to 100 APs per site
• Position for 802.11ac, 802.11n

AIREOS CENTRALIZED
• Position wireless-only deals
• Position for Campus
• Richest feature set
• Position for 802.11ac, 802.11n

IOS CENTRALIZED
• Position for Greenfield campus
• Upgrade from AireOS 7.0
• Two controllers per site
• IOS 3.3 / PI 2.0.1

IOS CONVERGED ACCESS
• Position as future-proof switch
• Position for SDN relevance
• IOS 3.3 / PI 2.01 = Up to 50 APs
• IOS 3.6 / PI 2.1 = Up to 250 APs

[Diagram labels: WAN, Intranet]

Today:
• Sell AireOS with 802.11ac
• Sell the 3850/3650/4K (SUP8-E) as future-proof switches
Converged Access deployment and Prime Infrastructure mature in FY14:
• Branch and Small Campus ready in (Today) December with 802.11ac
• Mixed AireOS & IOS deployments and Large campus ready in May 2014

Branch Deployments with Converged Access
DEPLOYABLE TODAY

• Single platform for wired and wireless
• Wired and wireless traffic visibility at every hop
• Consistent security and QoS control
• Maximum resiliency with fast stateful recovery
• Scale with distributed wired and wireless data plane (480G Stack/40G wireless per switch)

[Diagram: BRANCH connected over the WAN to DMZ, Prime and ISE; INTEGRATED CONTROLLER on 3850/3650; Multilayer or Routed Access; 50 – 250 APs; Employee and Guest clients]

Wireless deployments using 5760 and 3850
• ~350 customers booked ~1000 units of WLC-5760
• Majority Education & Healthcare (Campus)
• ~400 customers booked ~40K licenses on 3850 & 5760
• Majority Professional Services (Small Sites)

[Slide panels: 5760 based successful deployments and trials; 3850 based successful deployments and trials]

Lead Platforms for Converged Access
BACKBONE: Catalyst 6807-XL, 6880-X, Catalyst 6500-E
ACCESS: 3850, Catalyst 4500-E Sup8E, 3650
[Slide layout: platforms arranged in FIXED and MODULAR columns]

Instant Access
Considerations
• Satellite device capable of Stacking, POE+
• Single Point of Management, Configuration and Troubleshooting
• Simplified Network design for VLANs and port channels
• Agile Infrastructure to add new features uniformly across Access Layer
• A Single Image to deploy and manage across Distribution Block

REDUCED TCO

[Diagram: 1000 Port Campus Distribution Block with ISE and Cisco Prime. Labels: Managed Devices = 1, 20+]

Characteristics of Instant Access

Benefits
• Provides Single point of Management, Configuration and Troubleshooting for Distribution block
• Simplified distribution block design, eliminates configuration on the uplinks
• Simplified image management and qualification
• 6K – IOS Feature Robustness available @ Access
• Can be used with Traditional or CA
• Provides solution for customers who need MPLS in access layer

Challenges
• Currently limited to distribution block design of 1000 ports
• Large amounts of east-west traffic would increase uplink bandwidth utilization (Over subscribed to start)
• Only supported with VSS configuration (supported with single switch in VSS mode)
• Access Feature differences/lag between 6k and traditional access platforms 2k/3k/4k
• Converged Access not available in combination with Instant Access

Lead Platforms for Instant Access
BACKBONE: 6880-X, Catalyst 6807-XL, Catalyst 6500-E
ACCESS: Not Applicable, Catalyst 6800ia
[Slide layout: platforms arranged in FIXED and MODULAR columns]

Converged Access Mode – Guiding Principles
Future Proof with Latest Hardware – Sell The Vision of CA

Lead with Converged Access Products
Customers who are considering Wired + Wireless Refresh opportunities that
• Want to future proof their enterprise with the best possible Access Switch with 3850, 3650 & 4K with Sup8E (Advanced QoS, Visibility, UPOE)
• Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)
• Are interested in WLAN deployments in a small campus or branch (Large/Complex Deployments after CQ2-CY14)
• Want to provide full traffic visibility, advanced QoS, maximum resiliency and scale with single platform for wired & wireless

Evaluate AireOS or other Deployment scenarios
• Large Campus Deployments today (Planned Q2-CY14)
• Latest AireOS based controller features are required today (Planned Q4-CY13 and Q2-CY14)
• 802.11ac support is required today (Planned CQ4-2013)
• Flexconnect, Indoor or Outdoor Mesh, and Office Extend AP modes are a requirement (on radar)
• Fully managed AireOS + Converged Access deployments are required (planned Q2-CY14)

Instant Access – Guiding Principles
6800/6500 feature consistency & operational simplicity in access

Customers who
• Want to extend 6500/6800 features and operational consistency in Access
• Continue with Catalyst 6500/6800 features like MPLS, advanced segmentation EVN in access
• Have distribution blocks limited to 1000 user ports or less and have overlay wireless
• Want to manage the campus with fewer touch points and/or limited technical staff
• Want a simplified image management and qualification criteria in a distribution block

Evaluate the other deployment scenarios
• Already sold converged access vision
• Already sold the value of new 3850/3650/Sup8E in access
• To address growing mobility and application services needs
• Environments with more than 1000 access ports in a distribution/access domain
• Local switching is a must

Guiding Principles: Traditional Access (Multilayer, RA, & VSS)
Sell the BEST Switches on the Planet (You Don’t Have to Change Your Design)

Lead with Latest Switching Solutions (4500/Sup8E, 3850, 3650)
Customers who
• Have a preference for the most common wired deployment model
• Want flexibility of centralized or distributed wireless model
• Want the best possible Access Switch with 3850, 3650 & Sup8E (Advanced QoS, Visibility, UPOE)
• Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)
• Have multi-vendor wired and wireless environment

Evaluate the other Deployment scenarios
• Customer is sold on the vision of converged access and can wait for 6-12 months for large deployment
• 6500/6800 feature and operational simplicity with reduced touch points in access

The Three Things you MUST know about the Customer
• Customer Priorities
• Deployment Mode
• Access Platforms
Enterprise Architecture, Deployment and Positioning

More Related Content

PPTX
Cisco Prime infrastructure 3.0
PDF
SDN in the Enterprise
PPTX
Cisco prime-nms-overview-hi-techdays deep dive
PDF
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
PDF
Data Center Security
PDF
Managing an Enterprise WLAN with Cisco Prime NCS & WCS
PPTX
TechWiseTV Workshop: SD-WAN Security
PPTX
Cisco CSR1000V, VMware, and RESTful APIs
Cisco Prime infrastructure 3.0
SDN in the Enterprise
Cisco prime-nms-overview-hi-techdays deep dive
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Data Center Security
Managing an Enterprise WLAN with Cisco Prime NCS & WCS
TechWiseTV Workshop: SD-WAN Security
Cisco CSR1000V, VMware, and RESTful APIs

What's hot (20)

PDF
UCS Update: Efficiently Managing your server environment for traditional ente...
PPTX
TechWiseTV Workshop: Cisco ONE
PPTX
Cisco application infrastracture controller (apic) billyjones
PDF
Cisco Intelligent Automation For Cloud
PPTX
Cisco SDWAN - Components Deployment Workflow
PDF
Simplifying the secure data center
PDF
Cisco ACI for the Microsoft Cloud Platform
PDF
Q&A from our Cisco One Workshop
PDF
Introducing Cisco HyperFlex Systems: The Next Generation in Complete Hypercon...
PPTX
PIW ISE best practices
PDF
Top 5 favourite features of Cisco ACI in Pulsant Cloud Data Centres
PPTX
CompTIA Security Plus Overview
PPTX
Agile Network Agile Management
PDF
Security and Virtualization in the Data Center
PDF
Scaling Your SDDC Network: Building a Highly Scalable SDDC Infrastructure wit...
PPT
The 7 Essentials of AIS CloudOne
PPTX
Cisco one partner roadshow cisco one smart licensing v10
PDF
Oracle PeopleSoft on Cisco Unified Computing System and EMC VNX Storage
 
PDF
Application Centric Infrastructure (ACI), the policy driven data centre
PDF
Cisco ONE Enterprise Cloud (UCSD) Hands-on Lab
UCS Update: Efficiently Managing your server environment for traditional ente...
TechWiseTV Workshop: Cisco ONE
Cisco application infrastracture controller (apic) billyjones
Cisco Intelligent Automation For Cloud
Cisco SDWAN - Components Deployment Workflow
Simplifying the secure data center
Cisco ACI for the Microsoft Cloud Platform
Q&A from our Cisco One Workshop
Introducing Cisco HyperFlex Systems: The Next Generation in Complete Hypercon...
PIW ISE best practices
Top 5 favourite features of Cisco ACI in Pulsant Cloud Data Centres
CompTIA Security Plus Overview
Agile Network Agile Management
Security and Virtualization in the Data Center
Scaling Your SDDC Network: Building a Highly Scalable SDDC Infrastructure wit...
The 7 Essentials of AIS CloudOne
Cisco one partner roadshow cisco one smart licensing v10
Oracle PeopleSoft on Cisco Unified Computing System and EMC VNX Storage
 
Application Centric Infrastructure (ACI), the policy driven data centre
Cisco ONE Enterprise Cloud (UCSD) Hands-on Lab
Ad

Similar to Enterprise Architecture, Deployment and Positioning (20)

PDF
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
PPTX
Cisco prime-nms-overview-hi-techdays deep dive
PPTX
Cloud orchestration with ucs director
PPTX
Hoe is 80% van uw datacenter beheer te automatiseren?
PDF
Presentation cisco nexus enabling the cloud infrastructure
PDF
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
PDF
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
PDF
Presentation ciac
PDF
Reducing Cost with DNA Automation
PDF
Cisco Automation with Puppet and onePK - PuppetConf 2013
PPTX
CCNP v6 Route: Implementing IP Routing Chapter1
PPT
01 route routing services
PDF
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
PDF
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
DOC
Selvakumar Maniyan - Resume - Jan 2016
PPTX
World Wide Technology Introduces Cisco ONE
PDF
BRKCRS-2110.pdf
PDF
Mobilize employees with the cisco mobile workspace solution
PDF
5 cisco open_stack
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Cisco prime-nms-overview-hi-techdays deep dive
Cloud orchestration with ucs director
Hoe is 80% van uw datacenter beheer te automatiseren?
Presentation cisco nexus enabling the cloud infrastructure
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Presentation ciac
Reducing Cost with DNA Automation
Cisco Automation with Puppet and onePK - PuppetConf 2013
CCNP v6 Route: Implementing IP Routing Chapter1
01 route routing services
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Selvakumar Maniyan - Resume - Jan 2016
World Wide Technology Introduces Cisco ONE
BRKCRS-2110.pdf
Mobilize employees with the cisco mobile workspace solution
5 cisco open_stack
Ad

More from Cisco Russia (20)

PDF
Service portfolio 18
PDF
История одного взлома. Как решения Cisco могли бы предотвратить его?
PDF
Об оценке соответствия средств защиты информации
PDF
Обзор Сервисных Услуг Cisco в России и странах СНГ.
PDF
Клиентские контракты на техническую поддержку Cisco Smart Net Total Care
PDF
Cisco Catalyst 9000 series
PDF
Cisco Catalyst 9500
PDF
Cisco Catalyst 9400
PDF
Cisco Umbrella
PDF
Cisco Endpoint Security for MSSPs
PDF
Cisco FirePower
PDF
Профессиональные услуги Cisco для Software-Defined Access
PDF
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
PDF
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
PDF
Полугодовой отчет Cisco по информационной безопасности за 2017 год
PDF
Годовой отчет Cisco по кибербезопасности за 2017 год
PDF
Безопасность для цифровой экономики. Развитие продуктов и решений Cisco
PDF
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
PDF

Enterprise Architecture, Deployment and Positioning

  • 2. Enterprise Architecture, Deployment and Positioning
      Scott Hodgdon, Senior Technical Marketing Engineer, Enterprise Networking Group
  • 3. Session Objectives
      At the end of the session, the participants will be able to:
      • Understand the characteristics of the various enterprise deployment models
        – Unified Access
        – Traditional Access
        – Converged Access
        – Instant Access
      • Understand which products are the lead platform for each deployment model
        – Understand individual product positioning
      • Customer requirements drive deployment mode decisions (and hence product choice)
        – Understanding the customer current state and goals that drive deployment model preference
        – Understand considerations relative to each deployment model
  • 4. Agenda
      • Session Objectives
      • Key Services Overview
      • Design Options
        – Traditional Access: Multilayer, Routed, VSS
        – Converged Access
        – Instant Access
      • Summary
      [Diagram: Data Center, Services Block, Deployment Models]
  • 5. Switching Requirements Campus/DC
      Catalyst 6500 / 6800 (Campus Optimized)
        – Campus Segmentation & Security: 802.1X, ASA-SM, Easy Virtual Networks
        – Video Intelligence: Medianet, Distributing Policing
        – Wired / Wireless Convergence: WiSM2, LISP
        – Campus Smart Operation: Smart Install, Instant Access
      Nexus 7000 / 7700 (DC Optimized)
        – DC Virtualization: OTV, LISP, DFA, VXLAN*
        – LAN / SAN Convergence: Multi-hop FCoE
        – Fabric Scale & Resilience: FabricPath, vPC, Wire Speed 10/40/100G
        – Data Center Operation: VDC, FEX, DCNM, OnePK
      [Diagram labels: Video, Mobility/BYOD, Workload Mobility, Security, 10G/Virtualization, Energy Efficiency, VM]
  • 6. Campus Deployment Models
      Unified Access: Traditional Access, Converged Access, Instant Access
      [Diagram labels: Cisco Prime Infrastructure, Cisco ISE, One Policy, One Management, Distributed Wired, Centralized Wired, Distributed Wireless, Centralized Wireless, VSS, IA, MA]
  • 7. Unified Access: What does it really mean?
      LEAD Platforms: Cisco Catalyst 6800/VSS, WISM2/WLC, Cisco Catalyst 4500E, Cisco Catalyst 3850, Wireless APs, with Cisco Prime Infrastructure and Identity Services Engine
      KEY SERVICES FOR UNIFIED ACCESS DEPLOYMENT
      • Secure Group Access to Simplify the Network and Enable Virtualized Data Center Services
      • Application-Aware Networking to Enable Collaboration, Video, and Other Apps
      • Maximized Network Availability with Virtual Switching and Stateful Switch Over
      • Reduce Operating Expenses and Improve Network Application and Service Delivery
      OS Consistency: IOS XE 3.x
      Cisco Validated Design 2.5 for Campus Deployment
  • 8. Agenda
      • Session Objectives
      • Key Services Overview
      • Design Options
        – Traditional Access: Multilayer, Routed, VSS
        – Converged Access
        – Instant Access
      • Summary
      [Diagram: Data Center, Services Block, Deployment Models]
  • 9. Cisco TrustSec: Secure Group Access Simplifies Security Enforcement
                   Email Server   Financial Servers   Patient Records
      IT           Allow All      SQL                 SQL
      Finance      IMAP           Web                 No Access
      Doctors      IMAP           No Access           File Share
      Access Control with Secure Group Access
      • Role-based
      • Topology-independent
      • Scalable
      • Easy to administer
      • One Policy
      [Diagram labels: IT 3.1.1.1, Finance 2.1.1.1, Doctor 1.1.1.1]
  • 10. Cisco TrustSec: Security Group Tags (SGTs) in the Access
      • ISE Maintains a Centralized View of Device Inventory and Policy Assignment
      • SGACL Enforces Policy at Access, Campus Edge, or Data Center
      • Device-Aware, Identity-Aware, Location-Aware
      • SG Tag Imposed to Incoming Traffic
      Security Group Access
      • Simplifies ACL management
      • Uniformly enforces policy independent of topology or protocol
      • Fine-grained access control
      [Diagram: permit/deny policy matrix; labels include Doctor, Patient, Admin, Voice, Video, Facility, Personal Laptop, Corp PC, Smartphone, IP Phone, TelePresence, Office, Hotspot, Conf. Room, Internet, Patient Record, ACL_v; classification inputs CDP, LLDP, DHCP, MAC]
  • 11. Cisco TrustSec: SGTs in the Backbone
      SGACL Enforcement
      Map VLANs or IP Subnets to SGT Values:
          cts role-based sgt-map VLAN-list 110 sgt 1110
          cts role-based sgt-map VLAN-list 120 sgt 1120
          cts role-based sgt-map VLAN-list 130 sgt 1130
          cts role-based sgt-map 192.168.10.0/24 sgt 10
          cts role-based sgt-map 192.168.20.0/24 sgt 20
          cts role-based sgt-map 192.168.30.0/24 sgt 30
      SGACL:
          cts role-based permissions from 1110 to 3200
            permit tcp dst eq 443
            permit tcp dst eq 80
            permit tcp dst eq 22
            permit tcp dst eq 3389
            permit tcp dst eq 135
            permit tcp dst eq 136
            permit tcp dst eq 138
            permit tcp dst eq 139
            deny ip
      • Can Forward Existing SGT Traffic or Map SGTs Manually
      • Manual or Dynamic VLAN Mapping (VLAN 110, VLAN 120, VLAN 130)
      [Diagram labels: Cisco TrustSec Domain, Identity Service Engine, SGT]
  • 12. Application Visibility and Control: Is BYOD a threat to your business applications?
      IT Challenges
      • Is my network ready for video?
      • How do I ensure high quality of user experience?
      • How can I troubleshoot and monitor effectively?
      Assessment
      • Enhanced Object Tracking
      • IP SLA
      • Built-in Traffic Simulator
      • Cisco CleanAir
      App Visibility / Control
      • Media Services Proxy (MSP)
      • Metadata
      • Flexible NetFlow
      • Device sensor
      • Secure group tagging
      • Quality of Service (QoS)
      • AVC in Wireless Controller
      • Mediastream
      Monitoring / Troubleshooting
      • Performance Monitor
      • Mediatrace
      • Flexible NetFlow
      • Wireshark / Mini-Protocol Analyzer
      • Device sensor
      High Availability
      • L2/L3 Multicast: HA, Call Admission Control (CAC), Multipath, Video Stream
  • 13. Catalyst Infrastructure Resiliency - Access: Cisco StackWise+
      Scale With Performance
      • Seamless Access Network Expansion
      • High-speed 64Gbps Bi-Directional Switching Stack-Ring
      • Single Logical Unit To Manage Nine Switches and 450 Ports
      Virtualized For Simplicity
      • Centralized Control and Management Architecture
      • Reduces VLANs/Subnets
      • 9X Operational Simplicity
      Simplified For Resiliency
      • Distributed and Resilient Forwarding Architecture
      • Single Network Per Layer
      • Deterministic Network Operation With Non-Stop Forwarding
  • 14. Catalyst Infrastructure Resiliency - Backbone: Cisco Virtual Switching System (VSS)
      Traditional Campus Design
      • Complex Network Design and Operation
      • Underutilize Network Resource
      • Sub-Optimal Application and Network Performance
      VSS Campus Design: Optimized Network
      • Optimized Network Design
      • Double Switching Capacity
      • Deterministic Application and Network Performance
      VSS Campus Design: Simplified Operation
      • Simplified System Operation
      • Single Neighbor and Network Per Layer
      • Simplified and Highly Redundant Network Topologies
  • 15. Catalyst Infrastructure Resiliency - Modular: Cisco ISSU Delivers 99.999% Uptime
      Access: 4500E (ISSU). Distribution / Core: 6500E (VSL, eFSU).
      Mismatch IOS Version During Software Upgrade
      • Dual-Supervisor Requires Software Consistency
      • eFSU Provides Real-Time Dual-Chassis Software Upgrade. Reduces MTBF
      • ISSU Provides Real-Time Single-Chassis Software Upgrade. Reduces MTBF
      • Protects Network Services, Capacity and Availability for Wired and WLAN End-Points
      • Protects Network Services and Availability At Access Layer with Redundant Paths
      • Network impact ~1sec for entire upgrade process
  • 16. Cisco Smart Operations: Simplify Your Infrastructure
      Smart Install: Zero-Touch Deployments
      • New Switch Is Connected
      • Software image downloaded; configuration automatically applied
      • Zero Touch Deployments, Upgrades and Replacements
      Auto Smartports: Plug and Play for End Devices
      • New End Device Attached
      • Port configuration: Applied
      • QoS policy: Enforced
      • Security policy: Enforced
      • Simplifies management tasks
      Embedded Event Manager: Automate Response to Events, Customize IOS Behavior
      • User customizable
      • Change IOS behavior
      • Automatically fix network issues
      • Automate responses to commonly occurring events
      [Diagram labels: Director, Access Switches]
  • 17. Agenda
      • Session Objectives
      • Key Services Overview
      • Design Options
        – Traditional Access: Multilayer, Routed, VSS
        – Converged Access
        – Instant Access
      • Summary
      [Diagram: Data Center, Services Block, Deployment Models]
  • 18. Traditional Access – Multilayer Design
      Considerations
      • Highly Available Network Design
      • L2/L3 Protocol Tuning Required
      • Protocol Alignment Required
      • Deployment Flexibility
      • Well Understood Deployment
      [Diagram: MULTILAYER CAMPUS DESIGN; labels Backbone Core, Distribution, Access, CPE, Wireless LAN Controller, Cisco Prime/LMS, ISE, CAPWAP Tunnel]
  • 19. Characteristics of Multilayer Deployment Model
      Benefits
      • Well understood and well documented design with many years worth of deployment history
      • Uses industry standard protocols such as Rapid Spanning Tree Protocol
      • Cisco differentiating enhancements enable sub-second or near sub-second network convergence
      • Allows for multi-vendor environment
      • Flexible equipment costs from low to high end
      Challenges
      • Requires significant configuration tuning to achieve sub second network convergence
      • Requires significant complexity when adding VLAN or VRF segmentation
      • All switches managed individually
      • Complex – Alignment of Spanning Tree, Routing, and Default Gateway Redundancy required
      • Spanning Tree Liability
  • 20. Traditional Access – Virtual Switching System
      Considerations
      • Less Protocol Tuning Required
      • Efficient Resource Utilization
      • Higher Resiliency with Quad Sup VSS
      • Fewer Routing Peers
      • Some customers prefer a separate control plane
      [Diagram: VSS CAMPUS DESIGN; labels Backbone Core, Distribution, Access, CPE, Wireless LAN Controller, Cisco Prime/LMS, ISE, CAPWAP Tunnel]
  • 21. Characteristics of VSS Deployment Model
      Benefits
      • Simplified network design with a single logical distribution layer device
      • No First Hop Redundancy Protocol needed
      • Ether channel based traffic load sharing across multiple uplinks
      • Allows for extending VLANs across multiple access layer switches without creating STP blocking links and liability
      • Supports sub-second convergence
      • No Cisco differentiating enhancements required to achieve sub-second convergence
      • No Access Layer stickiness, i.e. any access switch will work with VSS
      • Allows for multivendor access switches
      • Distribution Switches managed as One Entity
      Challenges
      • Cisco proprietary solution, requires Cisco switches in the distribution layer
      • Access switches managed individually
      • Single control plane is a concern for some customers
  • 22. Traditional Access – Routed Access Design
      Considerations
      • Single Control Plane
      • Simplified Network Recovery
      • Additional IP Address Usage
      • VLAN’s Constrained to WC
      • Common Set of Troubleshooting Tools
      [Diagram: MULTILAYER CAMPUS DESIGN; labels Backbone Core, Distribution, Access, CPE, Wireless LAN Controller, Cisco Prime/LMS, ISE, CAPWAP Tunnel]
  • 23. Characteristics of Routed Access Deployment Model
      Benefits
      • Single control plane = less complexity
      • Less protocol tuning required for sub-second convergence (protocol dependent)
      • Common set of troubleshooting tools
      • ECMP default behavior for efficient utilization of available links and fast convergence
      • Avoids flooding downstream
      • No FHRP required
      • No trunking required
      • Permits VLAN ID reuse
      • Simplified multicast topology
      Challenges
      • Requires additional IP address management and utilization
      • VLAN’s limited to wiring closet – can not span VLAN’s across closets
      • May require ECMP/CEF hash-tuning for most efficient path utilization (older hardware)
      • RSPAN not possible (ER-SPAN required)
  • 24. Lead Platforms for Traditional Access
      BACKBONE: Catalyst 6807-XL, 6880-X, Catalyst 6500-E
      ACCESS: 3850 and 3650 (FIXED); Catalyst 4500-E Sup8E (MODULAR)
      Updated as per Oct’2013
  • 25. Agenda
      • Session Objectives
      • Key Services Overview
      • Design Options
        – Traditional Access: Multilayer, Routed, VSS
        – Converged Access
        – Instant Access
      • Summary
      [Diagram: Data Center, Services Block, Deployment Models]
  • 26. Converged Access
      Considerations
      • Single QoS Model for Wired/Wireless
      • Complete visibility in to wireless traffic
      • Consistent Services for wired/wireless
      • No external controller for up to 250 AP’s
      • Future proof for 802.11ac
      [Diagram labels: Backbone Core, Distribution (Multilayer, VSS, or Routed Access), Access (Multilayer or Routed Access Supported), MC/MO: WiSM2, 5508, 8510*, 3850, 3650*, 5760; MA; Cisco Prime; ISE; CAPWAP Tunnel]
  • 27. Characteristics of Converged Access
      Benefits
      • Can be deployed with existing traditional wireless architecture for ease of migration
      • 3850/3650/4500E* can terminate CAPWAP as the Mobility Agent with existing 5508, WISM2, 3850, 3650*, 5760, 8510* acting as the Mobility Controller
      • Single QOS model for Wired and Wireless on 3850/3650/4500E*
      • Provides Flexible Netflow across all ports for wired and wireless
      • Supports Multicast better based on how CAPWAP is terminated
      Challenges
      • Multiple management and troubleshooting points for Wireless
      • Prime and WEBGUI lacking in functionality
      • Wired Migration blockers between 3850 and 3750x
      • Wireless Migration blockers between AireOS & IOS
      *Roadmap
  • 28. Wired Access Deployment: Feature enhancements within FY14 (flattened roadmap table) 3.2.2 (Yesterday) 3.6 (Q2 CY14) 9 member stacking, HSRP, Critical Voice VLAN, Services Discovery Gateway VRRPv3, IPv6 Routing/PBR/VRF SGT/SGACL on wired wireless (Macsec and FHS in future release) Wireshark Medianet (MSI/MSP) 3650 management with PI 2.0.1 Infra 3.3 (Today / October CY13) PI 2.1 Security Device Sensor AVC Management Certification IPv6, USGv6 FIPS, Common Criteria, UCAPL
  • 29. Converged Access Deployment Model: Feature enhancements within FY14 (flattened roadmap table) 3.2.2 (Yesterday) 3.3 MR (Q4 CY13) 3.6 (Q2 CY14) AP3600, AP2600, AP1600, AP1140, AP1260, AP3500 AP3700 & 802.11ac module on AP3600 AP700I, AP700W and 1532 BYOD Onboarding 802.11r/k/w, App Visibility, Bonjour AP SSO stack cable, CMX with PI 2.0 Policy Classification Engine(PCE) QOS on AVC, Bonjour Ph 2 MC support on 5508, WiSM2, 8500 with 8.0 Introduced WEBGUI to setup WLAN deployment Improved http performance Supports App Visibility, QOS, Bonjour, HA Better defaults, improved usability flows Improved https performance MC Management of MA New features e.g. PCE, Federal certs PI 2.0 Manages IOS-XE 3.2.x and AireOS 7.4 MR PI 2.0.1 Manages IOS-XE 3.3, and AireOS 7.6 with 7.4 MR features, 5508/WiSM2 as MC Device support for Switch 3650, 802.11ac and 9 member stack PI 2.1 Manages IOS-XE 3.6 and AireOS 8.0 Key feature support such as AVC, Bonjour, SSO AP Support Wireless Features WEBGUI PI
  • 30. Cisco Unified Access Wireless Deployment Modes
      AIREOS FLEXCONNECT
      • Position in wireless-only deals
      • Position for multiple branches
      • Up to 100 AP’s per site
      • Position for 802.11ac, 802.11n
      AIREOS CENTRALIZED
      • Position wireless-only deals
      • Position for Campus
      • Richest feature set
      • Position for 802.11ac, 802.11n
      IOS CENTRALIZED
      • Position for Greenfield campus
      • Upgrade from AireOS 7.0
      • Two controllers per site
      • IOS 3.3 / PI 2.0.1
      IOS CONVERGED ACCESS
      • Position as future-proof switch
      • Position for SDN relevance
      • IOS 3.3 / PI 2.01 = Up to 50 AP’s
      • IOS 3.6 / PI 2.1 = Up to 250 AP’s
      Today:
      • Sell AireOS with 802.11ac
      • Sell the 3850/3650/4K(SUP8-E) as future-proof switches
      Converged Access deployment and Prime Infrastructure matures in FY14:
      • Branch and Small Campus ready in (Today) December with 802.11ac
      • Mixed AireOS & IOS deployments and Large campus ready in May 2014
      [Diagram labels: WAN, Intranet]
  • 31. Branch Deployments with Converged Access
      DEPLOYABLE TODAY
      • Multilayer or Routed Access
      • 50 – 250 AP’s
      • Single platform for wired and wireless
      • Wired and wireless traffic visibility at every hop
      • Consistent security and QoS control
      • Maximum resiliency with fast stateful recovery
      • Scale with distributed wired and wireless data plane (480G Stack/40G wireless per switch)
      [Diagram labels: DMZ, Prime, ISE, WAN, INTEGRATED CONTROLLER 3850/3650, Employee, Guest, BRANCH]
  • 32. Wireless deployments using 5760 and 3850
      • ~350 customers booked ~1000 units of WLC-5760
        – Majority Education & Healthcare (Campus)
      • ~400 customers booked ~40K licenses on 3850 & 5760
        – Majority Professional Services (Small Sites)
      [Diagram labels: 5760 based successful deployments and trials; 3850 based successful deployments and trials]
  • 33. Lead Platforms for Converged Access
      BACKBONE: Catalyst 6807-XL, 6880-X, Catalyst 6500-E
      ACCESS: 3850 and 3650 (FIXED); Catalyst 4500-E Sup8E (MODULAR)
  • 34. Agenda
      • Session Objectives
      • Key Services Overview
      • Design Options
        – Traditional Access: Multilayer, Routed, VSS
        – Converged Access
        – Instant Access
      • Summary
      [Diagram: Data Center, Services Block, Deployment Models]
  • 35. Instant Access
      Considerations
      • Satellite device capable of Stacking, POE+
      • Single Point of Management, Configuration and Troubleshooting
      • Simplified Network design for VLANs and port channels
      • Agile Infrastructure to add new features uniformly across Access Layer
      • A Single Image to deploy and manage across Distribution Block
      [Diagram labels: ISE, Cisco Prime, Managed Devices = 1 20+, 1000 Port Campus Distribution Block, REDUCED TCO]
  • 36. Characteristics of Instant Access
      Benefits
      • Provides Single point of Management, Configuration and Troubleshooting for Distribution block
      • Simplified distribution block design, eliminates configuration on the uplinks
      • Simplified image management and qualification
      • 6K – IOS Feature Robustness available @ Access
      • Can be used with Traditional or CA
      • Provides solution for customers who need MPLS in access layer
      Challenges
      • Currently limited to distribution block design of 1000 ports
      • Large amounts of east-west traffic would increase uplink bandwidth utilization (Over subscribed to start)
      • Only supported with VSS configuration (supported with single switch in VSS mode)
      • Access Feature differences/lag between 6k and traditional access platforms 2k/3k/4k
      • Converged Access not available in combination with Instant Access
  • 37. Lead Platforms for Instant Access
      BACKBONE: 6880-X, Catalyst 6807-XL, Catalyst 6500-E
      ACCESS: Catalyst 6800ia (FIXED); Not Applicable (MODULAR)
  • 38. Agenda
      • Session Objectives
      • Key Services Overview
      • Design Options
        – Traditional Access: Multilayer, Routed, VSS
        – Converged Access
        – Instant Access
      • Summary
      [Diagram: Data Center, Services Block, Deployment Models]
  • 39. Converged Access Mode – Guiding Principles
      Future Proof with Latest Hardware – Sell The Vision of CA
      Lead with Converged Access Products
      Customers who are considering Wired + Wireless Refresh opportunities that:
      • Want to future proof their enterprise with the best possible Access Switch with 3850, 3650 & 4K with Sup8E (Advanced QoS, Visibility, UPOE)
      • Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)
      • Are interested in WLAN deployments in a small campus or branch (Large/Complex Deployments after CQ2-CY14)
      • Want to provide full traffic visibility, advanced QoS, maximum resiliency and scale with single platform for wired & wireless
      Evaluate AireOS or other Deployment scenarios
      • Large Campus Deployments today (Planned Q2-CY14)
      • Latest AireOS based controller features are required today (Planned Q4-CY13 and Q2-CY14)
      • 802.11ac support is required today (Planned CQ4-2013)
      • Flexconnect, Indoor or Outdoor Mesh, and Office Extend AP modes is a requirement (on radar)
      • Fully managed AireOS + Converged Access deployments are required (planned Q2-CY14)
  • 40. Instant Access – Guiding Principles
      6800/6500 feature consistency & operational simplicity in access
      Customers who:
      • Want to extend 6500/6800 features and operational consistency in Access
      • Continue with Catalyst 6500/6800 features like MPLS, advanced segmentation EVN in access
      • Have distribution blocks limited to 1000 user ports or less and have overlay wireless
      • Want to manage the campus with fewer touch points and/or limited technical staff
      • Want a simplified image management and qualification criteria in a distribution block
      Evaluate the other deployment scenarios
      • Already sold converged access vision
      • Already sold the value of new 3850/3650/sup8E in access
      • To address growing mobility and application services needs
      • Environments with more than 1000 access ports in a distribution/access domain
      • Local switching is a must
  • 41. Guiding Principles: Traditional Access (Multilayer, RA, & VSS)
      Sell the BEST Switches on the Planet (You Don’t Have to Change Your Design)
      Lead with Latest Switching Solutions (4500/Sup8E, 3850, 3650)
      Customers who:
      • Have a preference for the most common wired deployment model
      • Want flexibility of centralized or distributed wireless model
      • Want the best possible Access Switch with 3850, 3650 & Sup8E (Advanced QoS, Visibility, UPOE)
      • Want like-for-like replacements (3560 -> 3650, 3750 -> 3850, Sup7E -> Sup8E)
      • Have multi-vendor wired and wireless environment
      Evaluate the other Deployment scenarios
      • Customer is sold on the vision of converged access and can wait for 6-12 months for large deployment
      • 6500/6800 feature and operational simplicity with reduced touch points in access
  • 42. The Three Things you MUST know about the Customer
      • Customer Priorities
      • Deployment Mode
      • Access Platforms
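
Added example (not part of the original deck and not Cisco code): a small Python model of the slide 11 flow, which classifies a host into an SGT from the VLAN or subnet bindings and then evaluates the 1110 to 3200 SGACL, to show that the decision follows the tag rather than the address and that traffic from a group with no matrix cell falls to the default action. Assumptions: the 10.99.0.0/24 binding for SGT 3200, the sample host addresses, the subnet-over-VLAN precedence and the configurable default action are constructed for illustration.

```python
import ipaddress
import re

# Lines in the shape shown on slide 11. The 10.99.0.0/24 binding is CONSTRUCTED for
# this example: the slide does not show where destination SGT 3200 is assigned.
CONFIG = """\
cts role-based sgt-map VLAN-list 110 sgt 1110
cts role-based sgt-map VLAN-list 120 sgt 1120
cts role-based sgt-map VLAN-list 130 sgt 1130
cts role-based sgt-map 192.168.10.0/24 sgt 10
cts role-based sgt-map 192.168.20.0/24 sgt 20
cts role-based sgt-map 192.168.30.0/24 sgt 30
cts role-based sgt-map 10.99.0.0/24 sgt 3200
cts role-based permissions from 1110 to 3200
 permit tcp dst eq 443
 permit tcp dst eq 80
 permit tcp dst eq 22
 permit tcp dst eq 3389
 permit tcp dst eq 135
 permit tcp dst eq 136
 permit tcp dst eq 138
 permit tcp dst eq 139
 deny ip
"""

VLAN_RE = re.compile(r"cts role-based sgt-map vlan-list (\d+) sgt (\d+)", re.I)
NET_RE = re.compile(r"cts role-based sgt-map (\S+/\d+) sgt (\d+)", re.I)
CELL_RE = re.compile(r"cts role-based permissions from (\d+) to (\d+)", re.I)
ACE_RE = re.compile(r"(permit|deny) (ip|tcp|udp)(?: dst eq (\d+))?", re.I)


def parse(config):
    """Parse only the line shapes used above; anything else is rejected, not skipped."""
    vlans, nets, matrix, cell = {}, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VLAN_RE.fullmatch(line):
            vlans[int(m[1])], cell = int(m[2]), None
        elif m := NET_RE.fullmatch(line):
            nets.append((ipaddress.ip_network(m[1]), int(m[2])))
            cell = None
        elif m := CELL_RE.fullmatch(line):
            cell = matrix.setdefault((int(m[1]), int(m[2])), [])
        elif (m := ACE_RE.fullmatch(line)) and cell is not None:
            cell.append((m[1].lower(), m[2].lower(), int(m[3]) if m[3] else None))
        else:
            raise ValueError(f"unrecognised policy line: {line!r}")
    return vlans, nets, matrix


def classify(ip, vlan, vlans, nets):
    """SGT for a host. ASSUMPTION of this sketch: the longest matching subnet binding
    wins over the VLAN binding; SGT 0 stands for an unclassified ("unknown") host."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, sgt) for net, sgt in nets if addr in net]
    return max(hits)[1] if hits else vlans.get(vlan, 0)


def enforce(src_sgt, dst_sgt, proto, dport, matrix, default):
    """First matching ACE in the (source, destination) cell decides; `default` covers
    cells with no entry. The default action is a parameter here, not a platform fact."""
    for action, ace_proto, ace_port in matrix.get((src_sgt, dst_sgt), []):
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            return action
    return default


def decide(policy, src_ip, src_vlan, dst_ip, proto, dport, default="deny"):
    vlans, nets, matrix = policy
    src = classify(src_ip, src_vlan, vlans, nets)
    dst = classify(dst_ip, None, vlans, nets)
    return src, dst, enforce(src, dst, proto, dport, matrix, default)


POLICY = parse(CONFIG)

if __name__ == "__main__":
    for ip in ("172.16.5.9", "172.16.77.1"):  # constructed hosts, both on VLAN 110
        print(ip, decide(POLICY, ip, 110, "10.99.0.5", "tcp", 443))
    print(decide(POLICY, "172.16.5.9", 110, "10.99.0.5", "tcp", 445))
    print(decide(POLICY, "192.168.10.7", 110, "10.99.0.5", "tcp", 443))
```

The last call is the one to review in a real matrix: a source whose tag has no cell toward the destination gets whatever the default action is, so the default needs to be a deliberate choice.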