
BRKARC-2005

Cisco 1100 Series Integrated Services Router: Product Overview and Architecture
Shambhu Nath Mishra, CSE, Cisco Systems
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKARC-2005

BRKARC-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• ISR 1100 Portfolio Introduction
• Platform Overview
• Software Overview
• Basic Troubleshooting
• Solution Overviews
• Key Takeaways
• Q&A
Introduction and Use Cases
The ISR 1100 Series combines WAN, comprehensive security, and wired and wireless access in a single, high-performance platform.
Cisco 1100 Series Integrated Services Routers
Foundation for the digital branch

WAN and Application Assurance
• IWAN App over APIC-EM and Cisco DNA-C
• Application Visibility and Link Optimization
• VPN and Security

High Performance
• High WAN-WAN and LAN-WAN performance
• High-performance VPN and security

Advanced Mobility
• LTE Advanced
• Mobility Express

Proactive Security
• Secure connectivity
• Branch threat defense
• Visibility and analytics

Physical Connectivity
• LTE Advanced, 802.11ac Wave 2, Ethernet, xDSL

Manageability
• APIC-EM, WebUI, Cisco DNA Center, Prime
Cisco Enterprise Routing Portfolio

Cloud: CSR 1100V
• 10 Mbps to 10 Gbps
• Cisco DNA Virtualization
• Extend enterprise routing, security & management to cloud

Branch: ISR 800
• Up to 100 Mbps
• Fixed and fanless
• Enterprise-class branch routing with security

Branch: ISR 1100
• Up to 350 Mbps
• Fixed and fanless
• Integrated wired & wireless access

Branch: ISR 4000
• Up to 2 Gbps
• Modular
• Integrated container service applications
• Hardware & software redundancy
• Compute with UCS E

WAN Edge: ASR 1100
• 2.5-200 Gbps
• High-performance w/ hardware assist

SD-WAN: vEdge Cloud (10 Mbps to 100 Mbps; extend overlay to public cloud) | vEdge 100 (100 Mbps; 4G LTE & wireless) | vEdge 1100 (up to 1 Gbps; fixed) | vEdge 2000 (10 Gbps; modular)

Virtual: ISRv
• 50 Mbps to 2.5 Gbps
• Virtual enterprise-class networking
• Run on x86 compute platform

Virtual: Cisco ENCS
• Service chaining virtual functions
• Modular WAN connectivity
• Open for 3rd-party services & apps
• ENFV orchestration & management
From ISR 800 to ISR 1000

Feature              | C880        | C890        | C111x-8P        | C111x-4P        | C1101-4P
Cisco SD-WAN         | No          | No          | Yes             | Yes             | Yes
SD-WAN Security      | No          | No          | Yes             | Yes             | Yes
Operating System     | IOS Classic | IOS Classic | IOS XE          | IOS XE          | IOS XE
Dual Ethernet WAN    | No          | Yes         | Yes             | Yes             | 1 (single WAN)
LTE Advanced         | No          | No          | Yes             | Yes             | Yes
SFP/SFP+             | No          | Yes/No      | Yes/Yes         | Yes/No          | No
VDSL2                | Yes         | Yes         | Yes             | Yes             | No
ADSL2/2+             | Yes         | Yes         | Yes             | Yes             | No
G.SHDSL              | Yes         | Yes         | Yes             | No              | No
G.FAST/VDSL2 35b     | No          | No          | Yes             | No              | No
802.11ac Wave 2      | No          | No          | Yes             | Yes             | Yes
LAN Ports            | 4 FE        | 8 GE        | 8 GE            | 4 GE            | 4 GE
VLANs                | 25          | 25          | 32              | 32              | 32
Internal PoE Option  | 2 PoE       | 4 PoE       | 2 PoE+ / 4 PoE  | 1 PoE+ / 2 PoE  | No
ISR 890 versus ISR 1100
ISR 1100 is an extension to the ISR fixed router portfolio

Connectivity & Scale with High Performance
• Throughput: ISR 890 up to 100 Mbps; ISR 1100 up to 350 Mbps. Benefit: up to 10 times performance increase
• Separate data and control planes: minimal performance impact as network services are added and throughput increases
• Next-gen WAN: faster connectivity with LTE Advanced
• Cisco IOS XE: programmable operating system
• Wireless: faster wireless access with 802.11ac Wave 2

Security
• VPN acceleration: better performance for encrypted traffic

Costs & Business Agility
• Pay-as-you-grow: ability to buy what you need today and upgrade anytime with no equipment upgrades

Trustworthy Systems
• Boot protections, runtime defenses, H/W & S/W security: assurance and peace of mind with hardware and operating system integrity
Trustworthy Systems in an Untrustworthy World

Attack 1:
In 2011-12, malware was identified that installed a modified IOS image on the host (2800 and 3800 routers) and targeted the Diffie-Hellman key exchange in IPsec. With the modified image in place, the attacker could decrypt IPsec tunnel traffic.

Solution: signed binaries and a hardware trust anchor.

Attack 2:
In 2013, an incident on 7600 devices was observed in which the attacker gained access with compromised admin credentials and modified code in memory (DRAM) to send selected packets to attacker-defined destinations, and added NAT rules to gain access into the network. Because the modification lived only in memory, it did not survive a reload of the device.

Solution: strong password policy. Image signing does not help here, since the stored image was untouched; this is the case for runtime defenses and credential hygiene alongside secure boot.

Attack 3:
The most recent was SYNful Knock, noticed in 2015. It replaced the image in flash with a modified one, so the implant persisted across reloads. Its command-and-control channel is triggered by crafted TCP SYN packets, hence the name.

Solution: booting only signed images from a trusted source prevents this.

Pillars: authentic hardware and run-time defense | secure storage | secure passwords | secure and signed images
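Verifying that the image on flash and the image that actually booted are Cisco-signed is the operational check that addresses attacks 1 and 3 above. The session below is an added example, not from the deck: the image filename and the nonce are assumed, and the `show platform integrity` step assumes a release with Boot Integrity Visibility on this platform.

```cisco
! Added example, not from the deck. Image filename and nonce are assumed.
! 1. Which image booted, and from where? (output line is constructed)
Router# show version | include System image
System image file is "bootflash:c1100-universalk9.16.09.04.SPA.bin"

! 2. Check the embedded Cisco digital signature of the file on flash.
!    "verify" with no hash argument validates the signature, not just a checksum;
!    expect "Digital signature successfully verified", anything else means the file was altered.
Router# verify bootflash:c1100-universalk9.16.09.04.SPA.bin

! 3. Signing information for the running image, the on-disk file and the keys the box trusts;
!    the key name/type reported for the running image must match the trusted production key.
Router# show software authenticity running
Router# show software authenticity file bootflash:c1100-universalk9.16.09.04.SPA.bin
Router# show software authenticity keys

! 4. Boot Integrity Visibility: boot-loader and image hashes signed by the trust anchor with a
!    caller-supplied nonce, so a replayed answer from an earlier boot can be detected.
!    (Assumed to be available on this platform and release.)
Router# show platform integrity sign nonce 12345

! 5. Attack 2 leaves flash intact, so a clean result here does not clear an in-memory implant:
!    compare the running image and boot variable against the expected release and reload if in doubt.
```

Run step 2 against any image before it is installed or added to `boot system`; a signature failure, rather than a hash mismatch against a value copied from somewhere, is the decisive signal.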
ISR 890 vs ISR 1100

ISR 890: LTE | 2 PoE | Wireless 802.11n | Dual core | SFP | 25 VLAN domains | IPsec 100 Mbps+ | IOS Classic
ISR 1100: LTE Advanced | PoE+ | Wireless 802.11ac Wave 2 | Quad core | SFP+ | 32 VLAN domains | IPsec 250 Mbps+ | IOS XE
Wireless WAN Overview

LTE-Advanced
• 300 Mbps DL & 50 Mbps UL
• Carrier aggregation
• 3GPP Release 10

Modem information
• Category 6 Qualcomm MDM9230
• Dual Micro SIM
• Auto SIM switching
• Mobile IP - PMIPv6
• Support for TDD & FDD

UE Category | Maximum data rate DL/UL (Mbps) | Specification
Category 1  | 10/5     | LTE (3.9G)
Category 2  | 50/25    | LTE (3.9G)
Category 3  | 100/50   | LTE (3.9G)
Category 4  | 150/50   | LTE (3.9G)
Category 5  | 300/75   | LTE (3.9G)
Category 6  | 300/50   | LTE Advanced (4G)
Category 7  | 300/150  | LTE Advanced (4G)
Category 8  | 1200/600 | LTE Advanced (4G)
Mobility Express
• Embeds an advanced, virtual WLAN controller into the Cisco ISR 1100's built-in access point
• Enables simple and fast initial setup, in less than 10 minutes
• Manages up to 50 client APs (Aironet 700, 1540, 1560, 1600, 1700, 1815, 1830, 1850, 2600, 2700, 2800, 3600, 3700, 3800)
• Uses 802.11ac Wave 2 technology
• Simple yet sophisticated deployment
• Supports WLAN controller features with no price premium
Wireless LAN Hardware Overview
• WLAN module based on the Cisco Aironet 1815i
• 1 GB DRAM, 128 MB flash, 4 MB boot flash
• 802.11ac Wave 2 dual radio (2.4 GHz & 5 GHz)
• 2x2, 2 SS MU-MIMO
• Max throughput of 870 Mbps at the PHY layer
• Internal antenna
• Console access via the router console
• 1 Gbps uplink from the WLAN module through the switching module to the host CPU
Mobility Express Setup on PC

Step 1
1) Power up the router
2) From the PC, connect to SSID "CiscoAirProvision"
3) The password is "password" (provisioning default)

Step 2
1) Open a web browser and access http://mobilityexpress.cisco/screens/day0-config.html
2) Go through the setup wizard; this is where the controller's admin credentials are set, so do not leave defaults in place
3) Confirm the settings, and the Mobility Express controller will reboot

Step 3
1) Connect another AP in the same L2 domain
2) The new AP will join the Master AP as a subordinate AP
3) Monitor and control wirelessly by connecting to the Master AP

Please follow the link for more details:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_cisco_mobility_express_8_5.html
The Network. Intuitive.
Powered by Intent. Informed by Context.
• Cisco DNA Center: policy, automation, analytics
• Intent-based network infrastructure, with learning, intent, context and security closing the loop
Platform Overview
• Open and programmable operating system IOS XE
• Multi-core hardware architecture
• Fanless
• Option of four or eight switch ports
• Optional 802.11ac Wave 2
• Optional LTE Advanced
• Optional DSL
Hardware Overview
• Two major HW variations
  - C1100-4: 2 WAN + 4 LAN ports
  - C1100-8: 2 WAN + 8 LAN ports
• Quad-core CPU architecture
  - Dedicated cores for data plane and control plane
  - A separate crypto engine for ciphering and hashing operations
• PoE
  - C1100-4P: 2 PoE or 1 PoE+
  - C1100-8P: 4 PoE or 2 PoE+
• Fanless
Naming Convention

Examples: C1111-8PLTEEA, C1101-4PLTEP, C1101-4PLTEPWX*

Reading C1111-8PLTEEA: "C1111" = standard product ID (PID) prefix with two GE WAN interfaces; "8P" = 8 LAN ports; "LTEEA" = LTE for Europe, America, Canada, Middle East.

WAN/DSL variants:
• "1111" = Two GE WAN interfaces
• "1112" = One GE WAN interface and one DSL interface with G.FAST/VDSL2 35b/VDSL2/ADSL2+ Annex B & J over ISDN
• "1113" = One GE WAN interface and one DSL interface with G.FAST/VDSL2 35b/VDSL2/ADSL2+ Annex A or M over POTS
• "1116" = One GE WAN interface and one DSL interface with VDSL/ADSL2+ Annex B & J over ISDN
• "1117" = One GE WAN interface and one DSL interface with VDSL/ADSL2+ Annex A or M over POTS

Wireless regulatory domain suffixes:
• "WE" = -E, "WB" = -B, "WA" = -A, "WZ" = -Z, "WN" = -N, "WQ" = -Q, "WH" = -H, "WR" = -R, "WF" = -F, "WD" = -D wireless domain
C1100-4P/8P Front Panel
LEDs: GPS, LTE DATA/SIM, LTE RSSI/Mode, VPN, PWR; illuminated Cisco logo
C1100-8P Ethernet + LTE + WLAN: Back Panel
• LTE antenna connectors (2), GPS antenna connector
• RESET, PWR switch, PWR connector
• PoE LED, 8 GE LAN ports, GE0 and GE1 WAN ports, SFP
• USB 3.0, Micro USB console, LTE debug Micro USB
• uSIM x2, Kensington slot
C1110-4P Ethernet + DSL + LTE: Back Panel
• LTE antenna connectors (2), GPS antenna connector
• RESET, PWR switch, PWR connector
• PoE LED, GE LAN ports, GE 0 WAN port, SFP, DSL
• USB 3.0, Micro USB console, LTE debug Micro USB
• uSIM x2, Kensington slot
SKU Detail
• C1101-4P: compact format
• C1101-4PLTEP: with pluggable LTE
• C1101-4PLTEPWX: with pluggable LTE and embedded 802.11ac WiFi
C1101-4PLTEP: Back Panel
• LTE antenna and GPS antenna connectors (on the pluggable LTE module)
• GE LAN ports, GE WAN port
• USB 3.0, Micro USB console
• Power button
• Pluggable LTE module
C1109-4PLTE2P: Front View
• LTE antenna connectors; dual pluggable LTE modules (back panel)

SKU Detail
• C1109-2PLTEXX: compact form factor, embedded LTE Cat4, temperature range 0-50C
• C1109-4PLTE2P: dual LTE pluggable slots, temperature range -15-55C
• C1109-4PLTE2PWX: dual pluggable LTE and embedded 802.11ac WiFi, temperature range -15-55C
Pluggable LTE Module for C1101/C1109
• Dual SIM slots
• LTE antenna connector
• GPS connector
• LTE Micro USB console (debug)
ISR 1100 Performance

Function                    | C1100-4P with HSEC                        | C1100-8P with HSEC
CPU frequency               | 800 MHz                                   | 1200 MHz
Ethernet switch             | 4x GE LAN w/ 1 Gbps uplink, 2-port PoE+   | 8x GE LAN w/ 2.5 Gbps uplink, 4-port PoE+
Generic traffic throughput  | Un-throttled                              | Un-throttled
Crypto traffic throughput   | 50 Mbps (default), 150 Mbps               | 50 Mbps (default), 250 Mbps
HSEC license support        | Beyond 150 Mbps                           | Beyond 250 Mbps
ISR 1100 Performance

Traffic profile       | C1100-4P with HSEC | C1100-8P with HSEC
CEF IMIX              | 1,252 Mbps         | 1,750 Mbps
IPsec (AES256) IMIX   | 230 Mbps           | 335 Mbps
NAT IMIX              | 660 Mbps           | 960 Mbps
HQoS IMIX             | 650 Mbps           | 910 Mbps
ACL+NAT+HQoS          | 330 Mbps           | 510 Mbps
C1100 Hardware Diagram
• 4-core SoC: one control-plane core (CP), two data-plane cores (DP1, DP2), one core reserved for future use
• 4 GB DRAM, 4 GB flash
• Separate crypto engine attached to the SoC
• Two WAN GE PHYs connected to the data-plane cores
• Ethernet PoE switch uplink to the SoC: C1100-8P 2.5 Gbps, C1100-4P 1 Gbps
• WLAN AP connected at 1 Gbps
• VDSL SoC, LTE modem and FPGA connected to the main SoC
ISR 1100 Licensing and Packaging Model

Smart Licensing: the router calls home to the Cisco licensing cloud.
Router(config)# license smart enable

Tiers:
• IP Base (default): routing protocols, ACL, NAT, QoS, BFD, ...
• Application Experience (optional add-on license): MPLS, PfR, AVC, NBAR, IP SLA probe, ...
• Security (optional add-on license): VPN (DMVPN, GETVPN, FlexVPN, ...), firewall, OpenDNS connector, ...; 50 Mbps crypto throughput by default
• IP Security Performance (optional add-on license, with the Security license): 1100 Series 4-port: 100 Mbps upgrade; 1100 Series 8-port: 200 Mbps upgrade
• HSEC9* (Security license mandatory)
* Available with IOS XE 16.7.1
Licensing Packaging Details

Licensing package                    | Features                                   | Use case
IP Base                              | NAT, DHCP, BGP, QoS                        | Basic internet connectivity
IP Base + APP                        | MPLS, IP SLA probes, PfR, AVC              | Branch on MPLS
IP Base + SEC                        | IPsec, DMVPN, ZBFW                         | Branch over the internet
IP Base + SEC + Performance          | Faster IPsec throughput up to 250 Mbps     | VDSL2 or higher internet connection
IP Base + SEC + APP                  | IWAN                                       | Dual WAN with application load-balancing
IP Base + SEC + APP + Performance    | IWAN throughput up to 250 Mbps             | IWAN branch with high throughput
IP Base + SEC + HSEC                 | IPsec throughput beyond 250 Mbps           | Branch with Ethernet or fiber
IP Base + SEC + APP + HSEC           | IWAN throughput beyond 250 Mbps            | IWAN branch with ultrafast throughput
C1100 Crypto/IPsec License

16.6.x releases: the throughput limits refer to the "clear traffic" (pre-encryption) rate.
• Default limit is 50 Mbps
• Limit is 250 Mbps for C1111-8P
• Limit is 150 Mbps for C1111-4P
• R1(config)# platform hardware throughput crypto <limit_value> sets the limit
• Reload the device for it to take effect
• R1# show platform hardware throughput crypto

16.7.1 and later (HSEC-K9 license support included): the throughput limits refer to the "encrypted traffic" rate.
• Starting with 16.7.1 an un-throttled crypto throughput level is supported
• Three levels of throughput are supported, with the default being 50 Mbps
• Un-throttled means the router is uncapped from the crypto perspective; the un-throttled CLI option is only visible when the HSECK9 license is installed
• After installing the HSECK9 license, in config mode: R1(config)# platform hardware throughput crypto un-throttled
• Save and reload the router for the new crypto throughput level to take effect
• R1# show platform hardware throughput crypto
Software Overview
Software Architecture (on a Linux kernel)

Control Plane
• IOSd
• Control messaging
• Platform adaptation layer
• Chassis manager, forwarding manager

Data Plane
• Forwarding engine client
• Forwarding engine driver
• FP forwarding manager
Basic Troubleshooting
• Packet flow
• Hardware and software health check
• Packet capture tools
• WebUI introduction
Packet Flow
I/O plane -> data plane (QFP) -> I/O plane

C1111-4PL# show interfaces gigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Hardware is C1111-2x1GE, address is 4c77.6d2d.bc80 (bia 4c77.6d2d.bc80)
  Internet address is 10.10.10.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255

C1111-4PL# show platform hardware subslot 0/1 backplane statistics
rx_byte: 10738
rx_frames: 97
rx_unicast: 6
rx_mcast: 89
rx_bcast: 2
tx_byte: 5166
tx_frames: 17
<---output SNIP--->
Packet Flow (continued): data plane (QFP) statistics

C1111-4PL# show platform hardware qfp active interface if-name cellular 0/2/0 statistics
Platform Handle 12
----------------------------------------------------------------
Receive Stats                             Packets        Octets
----------------------------------------------------------------
  Ipv4                                         15          1569
  Ipv6                                          0             0
  Tag                                           0             0
  McastIpv4                                     0             0
  McastIpv6                                     0             0
  FragIpv4                                      0             0
  FragIpv6                                      0             0
  ReassIpv4                                     0             0
  ReassIpv6                                     0             0
  Other                                         0             0
----------------------------------------------------------------
Transmit Stats                            Packets        Octets
----------------------------------------------------------------
  Ipv4                                         16          1626
  Ipv6                                          0             0
  Tag                                           0             0
  McastIpv4                                     0             0
  McastIpv6                                     0             0
  FragmentsIpv4                                 0             0
  FragmentsIpv6                                 0             0
  FragmentedIpv4                                0             0
  FragmentedIpv6                                0             0
  Other                                         0             0
------<SNIP>-----

C1111-4PL# show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
Disabled                                      423                  134893
ForUs                                         991                  178649
Ipv4NoAdj                                   20379                 6521280

C1111-4PL# show platform hardware qfp active infrastructure punt statistics type ?
  global-drop      Show aggregate drop statistics
  inject-drop      Show aggregate inject drop statistics
  per-cause        Show aggregate per cause punt statistics
  punt-drop        Show aggregate punt drop statistics
  punt-intf-drop   Show aggregate punt-intf drop statistics
  queue-stats      Show queue stats for internal interfaces
Packet Flow (continued): punt and inject paths between the data plane and the CPU

C1111-4PL# show platform software infrastructure punt
LSMPI interface internal stats:
enabled=0, disabled=0, throttled=0, unthrottled=0, state is ready
Input Buffers = 12362
Output Buffers = 11482
rxdone count = 12362
txdone count = 11481
Rx no particletype count = 0
Tx no particletype count = 0
Txbuf from shadow count = 0
No start of packet = 0
No end of packet = 0
Punt drop stats:
  Bad version 0
  Bad type 0
  Had feature header 0
  Had platform header 0
  Feature header missing 0
  Common header mismatch 0
  Bad total length 0
-----SNIP----

C1111-4PL# show platform software infrastructure inject
Statistics for L3 injected packets:
  4628 total inject pak, 29 failed
  0 sent, 0 prerouted
  0 non-CEF capable, 0 non-unicast
  3963 IP, 29 IPv6
  0 MPLS, 0 Non-IP Tunnel
  0 UDLR tunnel, 0 P2MP replicated mcast
  0 Non-IP Fastswitched over Tunnel, 636 legacy pak path
  0 Other packet
  0 IP fragmented
  3963 normal, 0 nexthop
  0 adjacency, 0 feature
  0 undefined
  0 pak find no adj, 0 no adj-id
  29 sb alloc, 3992 sb local
-----SNIP------
Health Check: Control Plane

Router# show platform
Chassis type: C1111-8P

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         C1111-8P            ok                    00:03:16
 0/0      C1111-2x1GE         ok                    00:01:07
 0/1      C1111-ES-8          ok                    00:01:07
R0        C1111-8P            ok, active            00:03:16
F0        C1111-8P            ok, active            00:03:16
P0        PWR-12V             ok                    00:02:52

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         17100501            16.6(1r)
R0        17100501            16.6(1r)
F0        17100501            16.6(1r)

Router# show platform software status control-processor brief
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   1.56   1.61   0.99

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  3446320  2188804 (64%)  1257516 (36%)   1934740 (56%)

CPU Utilization
 Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
  RP0    0   1.11   1.52   0.00  97.36   0.00   0.00   0.00
         1   0.81   1.52   0.00  97.65   0.00   0.00   0.00
         2   1.58   5.19   0.00  93.22   0.00   0.00   0.00
         3   9.01  29.79   0.00  61.18   0.00   0.00   0.00

Router# show facility-alarm status critical
System Totals  Critical: 4  Major: 0  Minor: 0

Source                 Time                  Severity  Description [Index]
------                 ------                --------  ------------ -------
GigabitEthernet0/1/0   Jul 12 2017 22:27:25  CRITICAL  Physical Port Link Down [1]
GigabitEthernet0/1/1   Jul 12 2017 22:27:25  CRITICAL  Physical Port Link Down [1]
GigabitEthernet0/1/2   Jul 12 2017 22:27:25  CRITICAL  Physical Port Link Down [1]
GigabitEthernet0/1/3   Jul 12 2017 22:27:25  CRITICAL  Physical Port Link Down [1]

Router# show platform diag
Chassis type: C1117-4PLTEEA

Slot: 0, C1117-4PLTEEA
  Running state               : ok
  Internal state              : online
  Internal operational state  : ok
  Physical insert detect time : 00:01:52 (09:02:14 ago)
  Software declared up time   : 00:03:12 (09:00:54 ago)
  CPLD version                : 17100501
  Firmware version            : 16.6(1r)RC3
Health Check (continued): Data Plane

C1100# show platform hardware throughput level
The current throughput level is unthrottled

C1100# show platform hardware throughput crypto
The current crypto level is 50000 kb/s

C1100# show platform hardware throughput-monitor parameters
Throughput monitor parameters
Throughput monitor threshold: 95 percent
Throughput monitor interval: 300 seconds
Throughput monitor status: enabled

C1100# show platform hardware qfp active infrastructure exmem statistics
QFP exmem statistics
Type: Name: DRAM, QFP: 0
  Total: 134217728
  InUse: 15271936
  Free: 118945792
  Lowest free water mark: 118556672
Type: Name: IRAM, QFP: 0
  Total: 2097152
  InUse: 211968
  Free: 1885184
  Lowest free water mark: 1885184
Type: Name: SRAM, QFP: 0
  Total: 0
  InUse: 0
  Free: 0
  Lowest free water mark: 0

C1100# show platform hardware qfp active datapath utilization
  CPP 0: Subdev 0            5 secs        1 min        5 min       60 min
Input:  Priority (pps)            0            0            0            0
                 (bps)            0            0            0            0
    Non-Priority (pps)            1            2            2            0
                 (bps)         1080         1576         1280          104
           Total (pps)            1            2            2            0
                 (bps)         1080         1576         1280          104
Output: Priority (pps)            0            0            0            0
                 (bps)          304          392          440           32
    Non-Priority (pps)            1            1            1            0
                 (bps)         2816         8272         6928          576
           Total (pps)            1            1            1            0
                 (bps)         3120         8664         7368          608
Processing: Load (pct)            0            0            2            0

C1100# show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
L2ESInputInvalidSvi                             1                      90

Session update: Advanced troubleshooting of the ASR1K and ISR (IOS-XE) made easy - BRKCRS-3147
Packet Capture Tools: Packet-Trace
• No discussion of the C1100 is complete without this feature.
• Packet trace is an alternative to the usual troubleshooting approaches: a packet capture tool combined with a debugger inside the data plane.
• FIA (Feature Invocation Array) trace steals the show: it records every feature the packet passed through in the QFP and what happened to it at each step.
Sample packet trace config
debug platform condition interface Gig 0/0/1 ingress
debug platform packet-trace packet 1024 fia-trace
debug platform packet-trace copy packet input size 2048
debug platform packet-trace enable
debug platform condition start

Verification commands:
show platform packet-trace summary
show platform packet-trace statistics
show platform packet-trace packet <packet-number>
show platform condition
clear platform packet-trace statistics

When done:
debug platform condition stop
Packet Capture Tools: EPC (Embedded Packet Capture)
Device> enable
Device# monitor capture mycap access-list v4acl
Device# monitor capture mycap limit duration 1000
Device# monitor capture mycap interface GigabitEthernet 0/0/1 both
Device# monitor capture mycap buffer circular size 10
Device# monitor capture mycap start
Device# monitor capture mycap stop
Device# monitor capture mycap export tftp://10.1.88.9/mycap.pcap
Device# end

v4acl is an IPv4 ACL that must already exist; the capture is stopped before the export so the file is complete. TFTP is unauthenticated and cleartext, so export over a trusted management path, or export to bootflash: and copy the file off with SCP.

Session on packet capture: Overview of Packet Capturing Tools in Cisco Switches and Routers - BRKARC-2011
WebUI Introduction

transport-map type persistent webui <NAME>
 server
!
ip http server
ip http authentication local
!
transport type persistent webui input <NAME>
!

Note: "server" in the transport map and "ip http server" expose the WebUI over plain HTTP, so credentials and session cookies cross the network in the clear. In practice enable the HTTPS server instead and restrict access to management addresses.
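A hardened version of the same WebUI setup, as an added example that is not part of the deck: HTTPS only, local login with a scrypt-hashed secret, and access limited by ACL. The management subnet 10.0.0.0/24, the ACL number 10, the username netops and the transport-map name WEBUI are assumed.

```cisco
! Added example, not from the deck. 10.0.0.0/24, ACL 10, user "netops" and map "WEBUI" are assumed.
! Allow the WebUI only from the management subnet; log everything else.
access-list 10 remark WebUI management access
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
! Local account used by "ip http authentication local". Privilege 15 is required for the WebUI;
! "algorithm-type scrypt" stores an scrypt hash instead of a reversible type-7 string.
username netops privilege 15 algorithm-type scrypt secret <strong-passphrase>
!
! Plain HTTP off, HTTPS on, local AAA, ACL bound to the HTTP server, connection and session limits.
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
ip http max-connections 5
ip http timeout-policy idle 600 life 86400 requests 86400
!
! Persistent WebUI transport over the secure server only.
transport-map type persistent webui WEBUI
 secure-server
!
transport type persistent webui input WEBUI
!
! Verification: plain server must report disabled, secure server enabled with the ACL applied.
show ip http server status
show ip http server secure status
```

The ACL is the only thing keeping the WebUI off a WAN interface with a public address, so keep it tight and logged. The default HTTPS certificate is self-signed; if a CA-issued certificate is available, bind its trustpoint with `ip http secure-trustpoint <name>` so administrators can detect a spoofed login page.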
Solutions and Feature Overview

SD-WAN Fabric
• Orchestration plane: vBond (vOrchestrator)
• Management plane (multi-tenant or dedicated): vManage, exposing management, analytics and orchestration through its API
• Control plane (containers or VMs): vSmart
• Data plane (physical or virtual): ISR1K, ISR4K/ASR1K, connected over Internet, MPLS and 4G
• Sites: Data Center, Campus, Branch, Home Office
VxLAN Support from IOS XE 16.9.1
• VxLAN overlay on top of the BGP/MPLS underlay; see the configuration guidelines
Encrypted Traffic Analytics (ETA)
99.99% accuracy

What traffic looks like to ETA: Google Search example
• Client-to-server: keystrokes, autocomplete
• Server-to-client: initial page load, page refresh

Bestafera (Trojan): attempts to collect a user's online banking data and sends the information to a control server; known for keylogging and data exfiltration. What ETA sees: C2 message, data exfiltration, self-signed certificate.
Encrypted Traffic Analytics (ETA) configuration
Network as a security sensor

Device(config)# et-analytics
Device(config-et-analytics)# ip flow-record destination 192.168.10.1 2055
Device(config-et-analytics)# exit
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# et-analytics enable
Device(config-if)# end

Device# show platform hardware qfp active feature et-analytics datapath stats export
ET-Analytics 192.168.10.1:2055 Stats:
  Export statistics:
    Total records exported : 388
    Total packets exported : 243
    Total bytes exported   : 237992
    Total dropped records  : 0
    Total dropped packets  : 0
    Total dropped bytes    : 0
    Total IDP records exported :
      initiator->responder : 83
      responder->initiator : 81
    Total SPLT records exported:
      initiator->responder : 83
      responder->initiator : 81
    Total SALT records exported:
      initiator->responder : 0
      responder->initiator : 0
    Total BD records exported :
      initiator->responder : 0
      responder->initiator : 0
    Total TLS records exported :
      initiator->responder : 0
      responder->initiator : 0
Umbrella Branch: DNS tunneling

A few well-known applications for DNS tunneling:
• Iodine
• Dns2tcp
• DnsCat
• VPNoverDNS

A few well-known attacks that used DNS tunneling:
• Morto
• Feederbot
• FrameworkPOS
• BernhardPOS

How the connector works:
• EDNS (Extension Mechanisms for DNS) records carrying the device identity are added to the DNS query.
• The query is sent to the Cisco Umbrella cloud.
• Umbrella categorizes the query in one of three ways:
  1. Whitelist
  2. Blacklist
  3. Greylist
https://learn-umbrella.cisco.com/solution-briefs/dns-tunneling
Umbrella Branch
• Visibility and enforcement at the DNS layer
• Block requests to malicious domains and IP addresses
• Predictive intelligence: uncover current and emergent threats
• Protect all devices on your branch network against malware, phishing, and command-and-control (C2) callbacks
• Reputation-based URL filtering
• Static URL filtering
(Cisco Umbrella Branch runs on the Cisco ISR in front of the devices on the branch network, blocking malware, C2 callbacks and phishing.)
Umbrella on ISR 1100 vs ISR 800

Capability                    | ISR 1100                                            | ISR 800
OpenDNS Connector             | Supported                                           | Not supported
Secured tunnel to DNS server  | Yes                                                 | No
Security policy               | Multiple policies under the same public IP address  | One policy per network under the same public IP address
Static URL filtering          | Supported                                           | Supported
Reputation URL filtering      | Supported                                           | Supported
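To tie the DNS-tunneling slide and the table above to a configuration: on IOS XE the Umbrella connector is enabled with a global parameter map plus per-interface "in" and "out" directions, and the "in" tag is the identity carried in the EDNS option, which is what lets Umbrella apply different policies to networks behind one public IP. This is an added example, not from the deck; the token, the LAN and WAN interfaces, the tag name and the bypass domains are assumed, and the keywords should be checked against your release.

```cisco
! Added example, not from the deck. Token, interfaces, tag and domains are assumed.
! The device registers with Umbrella over HTTPS, so the Umbrella CA must be in the trustpool first.
crypto pki trustpool import terminal
! ...paste the Umbrella CA certificate here (not reproduced), then "quit"
!
! Internal zones that must never leave the branch: resolved by the internal DNS, not Umbrella.
! Keep this list short; every match here is a query Umbrella never sees.
parameter-map type regex LOCAL-DOMAINS
 pattern corp\.example\.com
 pattern .*\.local$
!
parameter-map type umbrella global
 token <Umbrella-API-token>
 local-domain LOCAL-DOMAINS
 dnscrypt
!
! LAN side: intercept client DNS queries and stamp them with the EDNS device/tag identity.
! A second LAN interface with a different tag gets its own policy behind the same public IP.
interface Vlan1
 umbrella in BRANCH-LAN
!
! WAN side: forward the DNSCrypt-protected queries to Umbrella.
interface GigabitEthernet0/0/0
 umbrella out
!
! Verification: registration state, device ID per tag, encrypted-tunnel state, datapath counters.
show umbrella config
show umbrella deviceid
show umbrella dnscrypt
show platform hardware qfp active feature umbrella datapath stats
```

Two caveats a practitioner should keep in mind: the interception is at the DNS layer, so clients using DNS over HTTPS or DNS over TLS to an outside resolver bypass it unless the firewall blocks those paths, and without `dnscrypt` the queries and the identity they carry cross the WAN in the clear.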
References: Software Feature Set Overview

Category          | Feature                    | C1100 | Additional License
Routing Protocols | RIPv1/v2                   | Yes   |
Routing Protocols | EIGRP                      | Yes   |
Routing Protocols | BGP                        | Yes   |
Routing Protocols | OSPF                       | Yes   |
Routing Protocols | IPv6                       | Yes   |
Routing Protocols | PfR                        | Yes   | App License
Switching         | VLANs                      | Yes   |
Switching         | Storm Control              | -     |
Switching         | SPAN                       | Yes   |
Switching         | PoE/PoE+                   | Yes   |
Switching         | MAC Filtering              | Yes   |
Switching         | 802.1x                     | Yes   |
Switching         | Port Security              | Yes   |
Switching         | Protected Port             | Yes   |
Security          | Easy VPN                   | Yes   | SEC License
Security          | GETVPN/DMVPN               | Yes   | SEC License
Security          | Firewall                   | Yes   | SEC License
Security          | OpenDNS Connector          | Yes   | SEC License
Security          | Snort IPS                  | -     |
SD-WAN            | DMVPN                      | Yes   | SEC License
SD-WAN            | PfR                        | Yes   | AppX License
SD-WAN            | AVC                        | Yes   | AppX License
SD-WAN            | ZBFW                       | Yes   | SEC License
SD-WAN            | NETCONF/YANG               | From IOS XE 16.9 |
SD-WAN            | Snort IPS                  | -     |
SD-WAN            | WAAS Express / ISR-WAAS    | -     |
References: Software Feature Set Overview (continued)

Category    | Feature                      | C1100 | Additional License
Wireless    | Autonomous / Unified Mode    | Yes   |
Wireless    | 802.11ac Wave 2              | Yes   |
Wireless    | Mobility Express             | Yes   |
LTE         | Carrier Aggregation          | Yes   |
LTE         | PMIPv6                       | Yes   | App License
Management  | EEM (Embedded Event Manager) | Yes   |
Management  | IP SLA Initiator             | Yes   | App License
Management  | Flexible NetFlow             | Yes   |
QoS         | WFQ/CBWFQ                    | Yes   |
QoS         | LLQ                          | Yes   |
QoS         | HQoS                         | Yes   |
QoS         | RSVP                         | Yes   |
QoS         | NBAR                         | Yes   | App License
QoS         | DiffServ                     | Yes   |
References: What Does XE-SDWAN Offer Today?

Area                   | Feature                  | XE-SDWAN
Routing & Infra        | BGP, OSPF                | Supported
Routing & Infra        | VRRP                     | Supported
Routing & Infra        | 4G-LTE                   | Supported
Routing & Infra        | DSL                      | Supported
Routing & Infra        | ZBF                      | Supported
Routing & Infra        | DHCP/DNS/AAA/Syslog      | Supported
Routing & Infra        | QoS                      | Supported
Core SD-WAN            | ZTP                      | Supported
Core SD-WAN            | Segmentation             | Supported
Core SD-WAN            | BFD                      | Supported
Core SD-WAN            | NAT-DIA                  | Supported
Core SD-WAN            | DPI                      | Supported
Core SD-WAN            | TLOC Extension           | Supported - L2/L3
Security               | Umbrella DNS redirect    | Supported
Application Experience | App-aware policy         | Supported
References: SD-WAN Roadmap

Area                           | Feature                                     | XE-SDWAN
Routing & Infra                | IPv6 transport                              | 16.11.1 (March 2019)
Routing & Infra                | IPv6 service side                           | 16.10.1 (November 2018)
Routing & Infra                | Service-side NAT                            | Roadmap
Routing & Infra                | Standard IPsec tunnel (service VPN)         | 16.10.1 (November 2018)
Routing & Infra                | EIGRP                                       | March 2019
Core SD-WAN                    | Cross-domain SDA-SDWAN integration          | 16.11.1 (March 2019)
Cloud Networking               | Cloud OnRamp - IaaS (AWS & Azure)           | 16.10.1 (November 2018)
Cloud Networking               | Cloud OnRamp - IaaS (Google Cloud)          | 16.11.1 (March 2019)
Cloud Networking               | Cloud OnRamp - SaaS                         | Roadmap
Cloud Networking               | Cloud proxy IPsec/GRE tunnel - VPN0         | Roadmap
Security                       | App-based firewall                          | 16.10.1 (November 2018)
Security                       | IPS/IDS                                     | 16.10.1 (November 2018)
Security                       | URL filtering                               | 16.10.1 (November 2018)
Application Experience (AppQoE)| SD-AVC                                      | 16.10.1 (November 2018)
Application Experience (AppQoE)| FEC/packet duplication                      | 16.11.2 (May 2019)
Application Experience (AppQoE)| TCP optimization - BBR                      | 16.11.2 (May 2019) / 2HCY2019
Application Experience (AppQoE)| SSL proxy / TCP session persistency         | 2HCY2019
References:
• Datasheet
• Trustworthy Systems
• Umbrella
• SYNful Knock
• Trust Anchor
• BRKCRS-2901
Key Takeaways
• Enhanced performance; easy to manage and deploy
• Future-proof device matching current market needs
• Easy and thorough troubleshooting steps
Agenda Review
• Introduction
• ISR 1100 Portfolio Introduction
• Platform Overview
• Software Overview
• Basic Troubleshooting
• Solution Overviews
• Key Takeaways
• Q&A

Questions
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
