
16 APR 2009

Solution S.E (whchoi@cisco.com)

Presentation_ID

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential


Integrated: iPod, mobile phone, e-mail and web service in one device

Integrated: Firewall Service Module, Guard/Detector Module, Application Control Engine, Network Analysis Module and VPN Service Port Adapter in one chassis

Catalyst 6500 Switch Service Modules
Firewall Service Module
Guard/Detector Module
Application Control Engine
Network Analysis Module

[Diagram: conventional design built from discrete appliances. Internet - Internet Router - Firewall - VPN, L7 switch, server switch, firewall - Server Farm; Branch Office - WAN - Router - Backbone (BB) Switch - Access - Server Farm.]

Catalyst Service Module

[Diagram: the same topology with the appliances replaced by Catalyst 6500 service modules: VPN SPA and Guard next to the Internet router; ACE, Detector, FWSM and NAM in the backbone switch in front of the server farms; Branch Office over WAN.]

Cisco Service Module

Cisco Service Module: Anti-DDoS Service Module (Guard & Detector)

[Diagram: Detector and Guard modules in the backbone switch; the Guard shares the Internet-router position with the VPN SPA, the Detector sits with ACE, FWSM and NAM in front of the server farms; Branch Office over WAN.]

DDoS

Cisco Guard & Detector: DDoS mitigation flow

[Diagram: the Detector on the backbone switch watches the server network (steps 1 and 2); when it flags an attack on a host IP it activates the Guard at the core router (step 3), which runs its MVP (Multi-Verification Process) on the diverted traffic and returns the cleaned traffic to the host (step 6).]

Cisco Guard/Detector Overview

Guard / Detector: out-of-path deployment (traffic is diverted to the Guard only while a zone is under attack)
Clustering: 16G / 512Gbps, Active/Active
Protocols covered: TCP/UDP/ICMP/DNS/SIP

Cisco Guard/Detector: DDoS attack types mitigated

Fragmentation attacks: IP/UDP, IP/ICMP, IP/TCP
Flood attacks: TCP, UDP and ICMP floods; SYN flood
HTTP attacks: connection flood (client attack), HTTP errors (404 etc.), HTTP half connections, HTTP cache-control attack
UDP flood
FIN and SYN-ACK floods; Ping flood
Smurf flood; combined UDP/TCP/ICMP
BGP attacks; DNS attacks
SIP attack

Cisco Guard/Detector: ADM (Anomaly Detector Module) vs AGM (Anomaly Guard Module)

Service module type: both are Cisco 7600 / Catalyst 6500 service modules
Traffic path: ADM sees a copy of the traffic (VACL capture, port mirroring); AGM receives diverted traffic (static route, BGP, GRE, MPLS) and injects the cleaned traffic back
Performance: ADM 2Gbps, clustering to 10G; AGM 3Gbps, clustering to 16G / 512G
Zones: ADM 500; AGM 500 (50 active at once)
Zombie detection: ADM X; AGM (value not recovered)
Latency added: ADM X (off path); AGM 1msec

Cisco Guard/Detector: ADM (Anomaly Detector Module)

Performance: 2Gbps
Detection: learning based (a baseline is built per zone, deviations raise anomalies)
Scale: 500 zone policies; 7GB DDRAM, 1GB Compact Flash
Flexibility, high availability
Detects spoofed and non-spoofed attacks:
TCP attacks, flag based (SYNs, SYN-ACKs, ACKs, FINs, fragments)
UDP attacks: random-port flood, fragments
ICMP attacks: unreachable, echo, fragments
DNS attacks, HTTP attacks, BGP attacks

Cisco Guard/Detector: AGM (Anomaly Guard Module)

Performance: 3Gbps / 4.5 Mpps
Multistage verification; flexibility; high availability
Scale: 150K dynamic filters; 500 zones, 50 active at once; 7GB DDRAM, 1GB Compact Flash
Mitigates spoofed and non-spoofed attacks:
TCP attacks, flag based (SYNs, SYN-ACKs, ACKs, FINs, fragments)
UDP attacks: random-port flood, fragments
ICMP attacks: unreachable, echo, fragments
DNS attacks, HTTP attacks
SIP attacks
BGP attacks
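The learning-based detection of the ADM and the dynamic filters of the AGM described in the two slides above, as an added example in Python (example code, not Cisco Detector/Guard software): a learning phase builds per-zone thresholds for SYN, UDP and ICMP rates, a detection phase raises one alert per zone, time slot and feature that exceeds its threshold, and a guard-style response chooses between source verification (many sources, one packet each, i.e. spoofed) and per-source rate limits (a few heavy talkers). The zone prefixes, the mean + 3 sigma threshold with a floor, the spoofing heuristic and the traffic in build_sample_traffic are assumptions constructed for the demo.

```python
"""Learning-based zone anomaly detection with guard-style dynamic filters.

Added example in Python, not Cisco Detector/Guard code. Zones, thresholds and
the spoofing heuristic are assumptions; the traffic records are constructed.
"""
from collections import Counter, defaultdict
import statistics

ZONES = {"web-zone": "192.0.2.", "dns-zone": "198.51.100."}  # zone -> protected prefix (assumption)
FEATURES = ("syn", "udp", "icmp")


def zone_of(dst_ip):
    for name, prefix in ZONES.items():
        if dst_ip.startswith(prefix):
            return name
    return None


def feature_of(proto, flags):
    """Map a packet to the counter the detector keeps; None for traffic it does not baseline."""
    if proto == "tcp":
        return "syn" if "S" in flags and "A" not in flags else None
    return proto if proto in FEATURES else None


def bucket_counters(records, interval=1.0):
    """records: (t, src_ip, dst_ip, proto, flags). Returns {(zone, slot): Counter}."""
    out = defaultdict(Counter)
    for t, src, dst, proto, flags in records:
        zone, feat = zone_of(dst), feature_of(proto, flags)
        if zone is not None and feat is not None:
            out[(zone, int(t // interval))][feat] += 1
    return out


def learn_baseline(records, k=3.0, floor=20, interval=1.0):
    """Learning phase: per zone and feature, threshold = max(floor, mean + k*stdev)."""
    per_zone = defaultdict(list)
    for (zone, _), c in bucket_counters(records, interval).items():
        per_zone[zone].append(c)
    baseline = {}
    for zone, counters in per_zone.items():
        baseline[zone] = {}
        for feat in FEATURES:
            vals = [c[feat] for c in counters]
            baseline[zone][feat] = max(floor, statistics.fmean(vals) + k * statistics.pstdev(vals))
    return baseline


def detect(records, baseline, interval=1.0):
    """Detection phase: one alert per (zone, slot, feature) above its learned threshold."""
    alerts = []
    for (zone, slot), c in sorted(bucket_counters(records, interval).items()):
        for feat in FEATURES:
            limit = baseline.get(zone, {}).get(feat, float("inf"))
            if c[feat] > limit:
                alerts.append({"zone": zone, "slot": slot, "feature": feat,
                               "value": c[feat], "threshold": limit})
    return alerts


def dynamic_filters(records, alert, interval=1.0, spoof_ratio=0.5, talker_share=0.2):
    """Guard-style response to one alert: if nearly every packet comes from a different
    source the flood is spoofed, so answer with source verification for the whole zone;
    otherwise rate-limit the few sources carrying most of the excess (demo heuristics)."""
    srcs = Counter(src for t, src, dst, proto, flags in records
                   if zone_of(dst) == alert["zone"] and int(t // interval) == alert["slot"]
                   and feature_of(proto, flags) == alert["feature"])
    total = sum(srcs.values())
    if len(srcs) / total >= spoof_ratio:
        return [{"action": "verify-source", "zone": alert["zone"], "feature": alert["feature"]}]
    limit_pps = max(1, int(alert["threshold"] // 10))
    return [{"action": "rate-limit", "src": src, "pps": limit_pps}
            for src, n in srcs.most_common() if n / total > talker_share]


def build_sample_traffic():
    """Constructed data: 20 quiet seconds for learning, then two one-second attacks."""
    learn, attack = [], []
    for slot in range(20):
        learn += [(slot + 0.5, f"10.0.{slot}.{i}", "192.0.2.10", "tcp", "S") for i in range(10 + slot % 3)]
        learn += [(slot + 0.5, f"10.0.{slot}.{i}", "192.0.2.10", "udp", "") for i in range(4)]
        learn += [(slot + 0.5, f"10.1.{slot}.{i}", "198.51.100.53", "udp", "") for i in range(30)]
    # spoofed SYN flood: 500 packets from 500 different sources in one second
    attack += [(100.5, f"172.16.{i // 256}.{i % 256}", "192.0.2.10", "tcp", "S") for i in range(500)]
    # non-spoofed UDP flood: two real hosts, one of them doing most of the damage
    attack += [(101.5, "203.0.113.5", "192.0.2.10", "udp", "")] * 250
    attack += [(101.5, "203.0.113.6", "192.0.2.10", "udp", "")] * 50
    return learn, attack


def run_demo():
    learn, attack = build_sample_traffic()
    baseline = learn_baseline(learn)
    alerts = detect(attack, baseline)
    return alerts, [dynamic_filters(attack, a) for a in alerts]


if __name__ == "__main__":
    for alert, filters in zip(*run_demo()):
        print(alert, filters)
```

The thresholds learned from the quiet period do not fire on that same period, so the baseline is self-consistent; in production the floor and k are tuned per zone and the learning window is far longer than the 20 seconds constructed here.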

Why Cisco Guard&Detector


Cisco Service Module: Firewall Service Module

[Diagram: the Firewall Service Module (FWSM) replaces the standalone firewall in the backbone switch, beside ACE, Detector and NAM; VPN SPA and Guard at the Internet router; Branch Office over WAN.]

Firewall requirements
Throughput (xGbps), connections per second (CPS), hardware acceleration
Network integration and services
OS, technical and market leadership
L4 and deep inspection, multimedia inspection
IT trends, IPv6

Cisco FWSM (Firewall Service Module)

Throughput: 5.5Gbps per module (4 modules per chassis: 20Gbps)
High performance: 2.8Mpps / 1M concurrent connections / 100K CPS
1000 VLANs; 256 VLANs per context in routed mode; ACL 100K / NAT 256K; 250 virtual firewalls (3 included)
Intelligent services, service virtualization
L2/L3 (transparent and routed mode)
Dynamic and multicast routing: OSPF, RIPv1/2, PIM Sparse Mode v2, IGMPv2, EIGRP, BGP
Deep inspection: core Internet protocols, DB/OS services, multimedia/VoIP
Active/Standby and Active/Active failover
DDoS protection: SYN cookies, per-source rate limiting
CC EAL 4+ certified
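The two DDoS features listed above, SYN cookies and per-source rate limiting, as an added worked example in Python (example code, not the FWSM implementation): a stateless SYN cookie that encodes a time slot, an MSS index and a keyed MAC into the SYN-ACK sequence number, and a per-source token bucket applied before any cookie is issued. The secret, the cookie layout, the MSS table, the rate numbers and the traffic in build_sample_events are assumptions constructed for the demo.

```python
"""SYN cookies plus a per-source token bucket, in Python (added example).

Constructed demo, not FWSM code: the secret, the cookie layout and the
rate-limit numbers are assumptions chosen to keep the demo readable.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"      # a real device rotates this periodically
MSS_TABLE = [536, 1220, 1460]            # MSS values encodable in 3 bits (assumption)


def _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """24-bit keyed MAC binding the cookie to the 4-tuple, time slot and MSS."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{mss_idx}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored for the half-open connection."""
    counter = (int(now) >> 5) & 0x1F                  # 32-second slots
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    mac = int.from_bytes(_mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx), "big")
    return (counter << 27) | (mss_idx << 24) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) >> 5) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):   # older than ~64 s: reject
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    if not hmac.compare_digest(expected, mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class SourceRateLimiter:
    """Token bucket per source IP: `rate` SYNs per second with a `burst` allowance."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src_ip, now):
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[src_ip] = (tokens - 1.0 if ok else tokens, now)
        return ok


def simulate(events, rate=2.0, burst=3):
    """events: (t, kind, src_ip, src_port, dst_ip, dst_port, value); a 'SYN' event
    carries the client MSS, an 'ACK' event carries the ACK number."""
    limiter = SourceRateLimiter(rate, burst)
    stats = {"syn_seen": 0, "rate_limited": 0, "cookie_sent": 0, "established": 0, "bad_ack": 0}
    established = []
    for t, kind, src, sport, dst, dport, value in events:
        if kind == "SYN":
            stats["syn_seen"] += 1
            if not limiter.allow(src, t):
                stats["rate_limited"] += 1
                continue
            make_syn_cookie(src, sport, dst, dport, value, t)   # goes into the SYN-ACK
            stats["cookie_sent"] += 1
        else:
            mss = check_syn_cookie(src, sport, dst, dport, value, t)
            if mss is None:
                stats["bad_ack"] += 1
            else:
                stats["established"] += 1
                established.append((src, sport, mss))
    return stats, established


def build_sample_events():
    """Constructed traffic: one real client, a spoofed SYN flood, a forged ACK, a replayed ACK."""
    server = ("192.0.2.10", 80)
    good = make_syn_cookie("10.0.0.5", 40000, *server, 1460, 100.0)
    events = [(100.0, "SYN", "10.0.0.5", 40000, *server, 1460),
              (100.1, "ACK", "10.0.0.5", 40000, *server, good + 1)]
    events += [(100.0 + i / 100, "SYN", "198.51.100.7", 50000 + i, *server, 1460) for i in range(10)]
    events.append((100.2, "ACK", "203.0.113.9", 41000, *server, 0xF0000001))   # never sent a SYN
    events.append((200.0, "ACK", "10.0.0.5", 40000, *server, good + 1))        # replayed 100 s later
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print(simulate(build_sample_events()))
```

The legitimate client completes its handshake, the spoofed flood is rate-limited once its burst is spent, and both the forged and the replayed ACK are rejected without any half-open state having been kept. The MAC comparison uses hmac.compare_digest so the check does not leak timing.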

Cisco FWSM: virtualization
One Cat6500 hosts up to 250 virtual firewalls, so separate networks (A, B, ...) each get their own firewall instance

Cisco FWSM: network services comparison

[Table residue: the slide contrasts QoS performed by a firewall's own processor/CPU with hardware QoS on the Cat6500 (including voice QoS), and lists the routing protocols available in each design (BGP, OSPF, static). The check-mark columns (V/D) did not survive extraction.]

Cisco FWSM: failure scenarios and recovery time
1. Link failure: about 150msec; recovered by 802.1s RSTP
2. FWSM failure: about 1sec; recovered by FWSM stateful failover
3. Switch failure: about 1sec; recovered by FWSM stateful failover and RSTP
4. Uplink failure: about 1sec; recovered by routing and RSTP
Each scenario in the original also notes the session impact; with stateful failover the standby FWSM already holds the connection table, so established sessions survive the switchover.

Cisco FWSM


Enterprise I: Campus / Internet edge
FWSM-based campus network design versus an appliance firewall
Zones and DMZs: additional DMZ segments are added behind the same module
One-click provisioning; management overhead compared for the two designs

Enterprise II: Campus internal segmentation
FWSM in the backbone/distribution switch, Internet edge
Network segments (Group A, Group B, Group C) each protected behind the FWSM

Why Cisco FWSM?
5.5 Gbps throughput, 1M sessions, 100K CPS
Integrated in the Catalyst 6500
Multimedia inspection; CC EAL 4 certified
L7 inspection for voice and multimedia traffic
IPv6 support

[Figure: routing and QoS failover test, about 1sec recovery; device label IBM4GS3.]

Cisco Service Module: L7 switching with the ACE module

[Diagram: the ACE module in the backbone switch replaces the standalone L7 switch in front of the server farms; Internet - Internet Router - Router; Branch Office - WAN - BB Switch - Access.]

Cisco ACE: content delivery challenges
Content delivery and content scaling
Application-specific point products from many vendors

Cisco ACE
Virtualization; role-based administration
Active/Active load balancing: SLB, FLB (firewall load balancing), web
Hardware NAT/ACL; protocol and application DDoS protection
TCP optimization; SSL termination

Cisco ACE Overview: ACE (Application Control Engine)

Throughput: 16Gbps / 8Gbps / 4Gbps licenses (fabric enabled)
Content switching: 6.5Mpps / 4M concurrent connections / 348K CPS; 4000 VLANs/probes; ACL 256K / NAT 1M; 250 virtual contexts (5 included)
Security: SSL offload
SLB predictors: adaptive response, least loaded, least bandwidth, least connections, round-robin, hash address, hash cookie, hash header, hash URL
Role-based access control; reflexive ACLs, TCP/IP normalization, DDoS protection
Server health checks (probes); HTTP deep inspection; SSL offload
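The SLB predictors and server health checks listed above, as an added example in Python (example code, not ACE software): a small server farm that takes real servers out of rotation after consecutive probe failures and selects among the healthy ones with weighted round-robin, least connections, least bandwidth, adaptive response (fastest probe) or a hash of the client address, URL, cookie or header. The server names, weights, probe results and requests in demo are constructed; the tie-break rules are assumptions.

```python
"""Server load-balancing predictors with health probes (added example, not ACE code).

The server farm, weights, probe results and requests below are constructed;
predictor names follow the ACE list in the slide, the tie-break rules are assumptions.
"""
import hashlib


class RealServer:
    def __init__(self, name, weight=1):
        self.name, self.weight = name, weight
        self.active_conns = 0          # open connections through the load balancer
        self.bandwidth_bps = 0         # recent throughput (assumed fed by an accounting task)
        self.rtt_ms = None             # last probe response time
        self.fail_count = 0
        self.healthy = True


class ServerFarm:
    HASH_KEYS = {"hash address": "client_ip", "hash url": "url",
                 "hash cookie": "cookie", "hash header": "header"}

    def __init__(self, servers, predictor="round-robin", fail_after=3):
        self.servers, self.predictor, self.fail_after = list(servers), predictor, fail_after
        self._rr = 0

    def probe(self, results):
        """results: {server name: rtt in ms, or None for a failed probe}.
        A server leaves the rotation after `fail_after` consecutive failures."""
        for s in self.servers:
            rtt = results.get(s.name)
            if rtt is None:
                s.fail_count += 1
                s.healthy = s.fail_count < self.fail_after
            else:
                s.fail_count, s.healthy, s.rtt_ms = 0, True, rtt

    def select(self, request):
        """Pick a real server for one request, or None if the whole farm is down."""
        up = [s for s in self.servers if s.healthy]
        if not up:
            return None
        p = self.predictor
        if p == "round-robin":                        # weighted: each server gets `weight` turns
            total = sum(s.weight for s in up)
            idx, self._rr = self._rr % total, self._rr + 1
            for s in up:
                if idx < s.weight:
                    return s
                idx -= s.weight
        if p == "least connections":
            return min(up, key=lambda s: (s.active_conns / s.weight, s.name))
        if p == "least bandwidth":
            return min(up, key=lambda s: (s.bandwidth_bps, s.name))
        if p == "adaptive response":                  # fastest recent probe wins
            return min(up, key=lambda s: (s.rtt_ms if s.rtt_ms is not None else float("inf"), s.name))
        if p in self.HASH_KEYS:                       # sticky: same key, same server
            key = str(request.get(self.HASH_KEYS[p], ""))
            digest = hashlib.sha256(key.encode()).digest()
            return up[int.from_bytes(digest[:8], "big") % len(up)]
        raise ValueError(f"unknown predictor {p!r}")


def demo():
    """Constructed walk-through; returns the decisions so they can be checked."""
    a, b, c = RealServer("A", weight=2), RealServer("B"), RealServer("C")
    farm = ServerFarm([a, b, c], predictor="round-robin")
    req = {"client_ip": "10.0.0.5", "url": "/index.html"}
    out = {"rr": [farm.select(req).name for _ in range(5)]}

    for _ in range(3):                              # C stops answering its probes
        farm.probe({"A": 4, "B": 6, "C": None})
    out["healthy"] = [s.name for s in farm.servers if s.healthy]

    a.active_conns, b.active_conns = 3, 2
    farm.predictor = "least connections"
    out["least_conns"] = farm.select(req).name      # A: 3/2 = 1.5 beats B: 2/1 = 2

    farm.predictor = "hash url"
    out["sticky"] = farm.select(req).name == farm.select(req).name

    for _ in range(3):                              # now A and B fail too
        farm.probe({"A": None, "B": None})
    out["farm_down"] = farm.select(req) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The hash predictors index the list of healthy servers, so stickiness breaks for every client when one server fails; a production balancer uses consistent hashing or a sticky table so that only the failed server's clients move.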

Cisco ACE: application virtualization
Conventional SLB switch: one configuration file, one routing table, one set of roles and resources for the whole box
ACE: resources partitioned per context (for example 50% / 20% / 20% / 10%)

Cisco ACE: application virtualization (contexts)
Per context: bridge mode (L2) or routed mode (L3)
Admin context: management console
Context A: Web zone, Gold service, 15% of resources
Context B: App zone, Silver service, 10%
Context C: DB zone, Bronze service, 5%
Context D: new App zone, Silver service, 10%
Managed through ANM

Cisco ACE


Cisco ACE: application availability
Inter-chassis failover; intra-chassis failover
SLB switch Active/Standby failover with tracking: HSRP, interface up/down, probe, priority
Fully stateful failover

Cisco ACE: ANM (Application Network Manager)
Role-based access control; configuration through GUI/CLI; programmatic configuration through the XML API
SNMP agent and syslog messages from the ACE

Cisco ACE: TCP optimization (TCP reuse)

[Figure: requests from Client1, Client2 and Client3 arrive on separate client-side connections; the ACE multiplexes them onto two persistent server-side TCP connections (connection 1 carries Req-C1/Res-C1 and Req-C3/Res-C3, connection 2 carries Req-C2/Res-C2).]
TCP reuse offloads connection setup and teardown from the server: client connections terminate on the ACE and existing server connections are reused for subsequent requests.

Cisco ACE in the data center
One ACE hosts Context #1 to #5, each fronting an N-tier application (Web, App, DB) with its own front network
Lower management overhead; resource limits per context

Why Cisco ACE?
16 Gbps / 6.5Mpps; 4M concurrent connections
ACL 256K and NAT 1M in hardware; hardware TCP normalization and DDoS protection
348K CPS; SSL 4Gbps / 10K TPS
L2/L3 deployment; TCP optimization
Active/Standby and Active/Active take-over

VPN use cases: data center to data center, and data center to branch

Cisco Service Module: VPN SPA

[Diagram: the VPN SPA in the Internet-facing Catalyst 6500 replaces the standalone VPN device; Internet - Internet Router - Router - Server Farm; Branch Office - WAN - BB Switch - Access.]

Cisco VPN SPA Overview: VSPA (VPN Service Port Adapter)

High performance: 8Gbps of AES per VPN SPA
Scalability: 10 VPN SPAs per chassis (80Gbps), 16K tunnels
Security: advanced IPsec with DES, 3DES and AES (128, 192, 256-bit keys); DES and 3DES are legacy ciphers, new tunnels should use AES
Pre-encryption QoS: aggregate shaper, LLQ
sVTI; IPv6; encryption engine sharing; VRF-aware IPsec
WS-SSC-600 carrier card; multicast egress buffer
GET VPN / TrustSec ready; supported with Sup 32 and Sup 720

Cisco VPN SPA Overview: DC Interconnect

Cisco VPN SPA Overview: IPv6 Secure Network Interconnect

Why Cisco VPN SPA?
IPv6 VPN support
8Gbps per VSPA, 80Gbps per chassis, 16K tunnels
CEF/ECMP, QoS, MPLS VPN, VRF-aware IPsec
Site-to-site, DMVPN and remote-access VPN
Up to 10 VSPAs per chassis

Application and traffic trends
Mission-critical applications: voice, video, Internet business applications
Visibility required per user, group and application, and per interface and device

Cisco Service Module: Network Analysis Module (NAM)

[Diagram: the NAM module in the backbone switch sees traffic from the server farms and the Branch Office over WAN; Internet - Internet Router - Router; BB Switch - Access.]

Cisco NAM (Network Analysis Module)
Hardware: 2GB RAM; 250GB HDD; 500MB capture buffer; 1Gbps
Easy to deploy and use; monitoring and virtualized operation; enhanced traffic analysis
Real-time and historical application monitoring; response-time monitoring; packet capture and decoding
Video, VoIP and QoS monitoring: SCCP, RTP/RTCP, MGCP, SIP
Host, application and conversation statistics; VLAN traffic; URL and application monitoring
Thresholds and alarms; e-mail and FTP forwarding (NAM II)

Cisco NAM: Traffic Overview by port and application

Cisco NAM: Traffic Overview - Voice
Voice monitoring: packet loss report, jitter report, active calls, call report
Phone and protocol coverage: SCCP, H.323, MGCP, SIP, RTP streams
Monitoring standards: RMON1 and RMON2; Application Response Time (ART); Call Manager; Differentiated Services monitoring (DSMON)
Checks DSCP marking of voice and video traffic

Cisco NAM: Traffic Overview - Video
RTP stream filtering by source and destination IP; video broadcast issues
Per-stream video RTP packet count and packet loss
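The packet-loss and jitter figures the NAM reports per RTP stream in the voice and video slides above, computed the way RFC 3550 defines them, as an added example in Python (example code, not NAM software): sequence numbers are extended across the 16-bit wrap to count expected versus received packets, and the interarrival jitter is the RFC 3550 section 6.4.1 running estimate J = J + (|D| - J)/16. The packet lists in sample_streams are constructed; the 8 kHz clock is the G.711 RTP clock rate assumed for the demo.

```python
"""RTP stream quality from captured packets: loss and RFC 3550 interarrival jitter.

Added example in Python, not NAM code. The packet lists are constructed; the
8 kHz clock is the G.711 RTP clock rate (assumption for this demo).
"""

G711_CLOCK_HZ = 8000


def analyze_rtp_stream(packets, clock_hz=G711_CLOCK_HZ):
    """packets: (arrival_ms, seq, rtp_timestamp) in arrival order.
    Returns loss from extended sequence numbers and the RFC 3550 jitter estimate."""
    if not packets:
        return None
    base_seq = max_ext = packets[0][1]
    received, jitter, prev_transit = 0, 0.0, None
    for arrival_ms, seq, ts in packets:
        received += 1
        # Extend 16-bit sequence numbers across wrap-around: a packet less than
        # 32768 ahead of the highest seen is "forward", anything else is late/reordered.
        delta = (seq - (max_ext & 0xFFFF)) & 0xFFFF
        if 0 < delta < 0x8000:
            max_ext += delta
        # RFC 3550 6.4.1: D(i,j) = (Rj - Ri) - (Sj - Si), R and S in timestamp units;
        # J = J + (|D| - J) / 16. Arrival is converted to clock ticks with integer math.
        transit = arrival_ms * clock_hz // 1000 - ts
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
    expected = max_ext - base_seq + 1
    lost = expected - received
    return {"received": received, "expected": expected, "lost": lost,
            "loss_pct": 100.0 * lost / expected,
            "jitter_ms": jitter * 1000 / clock_hz}


def sample_streams():
    """Constructed: 20 ms G.711 frames (160 ticks each). Stream 1 loses seq 5 and
    delivers seq 7 five milliseconds late; stream 2 wraps the 16-bit sequence
    number without losing anything."""
    s1 = [(seq * 20 + (5 if seq == 7 else 0), seq, seq * 160)
          for seq in range(1, 11) if seq != 5]
    s2 = [(i * 20, (65534 + i) & 0xFFFF, i * 160) for i in range(4)]
    return s1, s2


if __name__ == "__main__":
    for stream in sample_streams():
        print(analyze_rtp_stream(stream))
```

The late packet in stream 1 produces a jitter spike that then decays by 1/16 per packet, which is why a single outlier shows up in the jitter report for many packets afterwards; loss is counted from the sequence gap, so a reordered packet that arrives late is not reported as lost.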

Cisco NAM: Traffic Overview: ART (Application Response Time)

The NAM sits between client and server and measures:
Server latency: time from the client request to the server's first response
Total time: the whole transaction as seen from the client side
Network flight time = Total time - Server latency
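The ART measurement in the slide above, as an added example in Python (example code, not NAM software): one HTTP transaction per connection is rebuilt from the first packet of each kind seen at the SPAN port, server latency and total time are taken from it, network flight time is derived as Total time - Server latency, and the results are averaged per server with incomplete captures dropped. The capture in sample_capture is constructed; where exactly the total time ends (here, at the client's ACK of the last response byte) and the split of the flight time into client-side and server-side legs from the TCP handshake are assumptions, not definitions from the slide.

```python
"""Application Response Time from a SPAN capture (added example, not NAM code).

Packets are constructed: each is (t_ms, conn_id, server, kind) as seen at the NAM,
where kind labels the handshake and transaction packets. Measuring total time up
to the client's last ACK, and splitting flight time into client/server legs
via the handshake, are assumptions about the vantage point.
"""
from collections import defaultdict

NEEDED = ("SYN", "SYNACK", "ACK", "REQ", "RESP", "RESP_LAST", "ACK_LAST")


def transaction_metrics(m):
    """m: {kind: time in ms of the first packet of that kind} for one connection."""
    server_latency = m["RESP"] - m["REQ"]               # request seen -> first response byte seen
    total = m["ACK_LAST"] - m["REQ"]                    # request seen -> client ACKs last response byte
    return {
        "server_latency_ms": server_latency,
        "total_ms": total,
        "flight_ms": total - server_latency,            # the slide's definition
        "server_rtt_ms": m["SYNACK"] - m["SYN"],        # NAM <-> server leg (assumption)
        "client_rtt_ms": m["ACK"] - m["SYNACK"],        # NAM <-> client leg (assumption)
    }


def art_report(packets):
    """Group packets per connection, keep the first packet of each kind, and
    aggregate complete transactions per server; half-captured ones are skipped."""
    conns = defaultdict(dict)
    for t_ms, conn, server, kind in packets:
        conns[conn].setdefault("server", server)
        conns[conn].setdefault(kind, t_ms)
    per_server = defaultdict(list)
    for m in conns.values():
        if all(k in m for k in NEEDED):
            per_server[m["server"]].append(transaction_metrics(m))
    report = {}
    for server, rows in per_server.items():
        n = len(rows)
        report[server] = {"transactions": n}
        for key in rows[0]:
            report[server]["avg_" + key] = sum(r[key] for r in rows) / n
    return report


def sample_capture():
    """Constructed: two full HTTP transactions to 192.0.2.10 and one to 192.0.2.20
    whose capture stops after the request, which must stay out of the averages."""
    def txn(base, conn, server, srv_rtt, cli_rtt, think, xfer):
        pk = [(base, conn, server, "SYN"),
              (base + srv_rtt, conn, server, "SYNACK"),
              (base + srv_rtt + cli_rtt, conn, server, "ACK")]
        req = base + srv_rtt + cli_rtt + 1
        pk += [(req, conn, server, "REQ"),
               (req + think, conn, server, "RESP"),
               (req + think + xfer, conn, server, "RESP_LAST"),
               (req + think + xfer + cli_rtt, conn, server, "ACK_LAST")]
        return pk
    pk = txn(0, "c1", "192.0.2.10", 3, 25, 20, 4)
    pk += txn(500, "c2", "192.0.2.10", 3, 35, 40, 6)
    pk += txn(900, "c3", "192.0.2.20", 2, 20, 10, 2)[:4]     # truncated capture
    return sorted(pk)


if __name__ == "__main__":
    print(art_report(sample_capture()))
```

Because the NAM sees the request only when it passes the SPAN point, the server latency it reports excludes the client-side network leg, which is exactly why the flight time is derived by subtraction rather than measured directly.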

Cisco NAM: Traffic Overview: packet capture

Cisco NAM: Traffic Overview: MPLS

[Diagram: sites A and B of VPN-A (VRF VPN-A) and VPN-B (VRF VPN-B) across the MPLS core; the NAM monitors both VPNs.]
NAM MPLS monitoring: per VRF; VC label, VC and VRF in/out packets and bps

Cisco NAM: Traffic Overview: Catalyst 6500

Why Cisco NAM?
Integrated in the Catalyst 6500
Traffic sources: SPAN, ERSPAN, RSPAN
VACL capture

Why Cisco Service Module