Matt Falkner
Technical Marketing SRTG
January 2012
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
• ASR 1000 Software Architecture
• Packet Flow Example
Route Processor
• Runs Control Plane
• Generates configurations
• Populates and maintains routing tables (RIB, FIB…)
• Provides abstraction layer between hardware and IOS (manages ESP redundancy)
• Maintains copy of FIB and interface list
• Communicates FIB status to active & standby ESP (or bulk-download state info in case of restart)
[Figure: Route Processor software stack. Labels: RP CPU, IOS, Chassis Mgr., Forwarding Mgr., Kernel (incl. utilities), Interconn., SPA … SPA]
[Figure: ASR 1000 software architecture block diagram. Component labels: RP CPU, IOS, Chassis Mgr., Forwarding Mgr., QFP subsystem, QFP code, Crypto assist, SIP, IOCP, SPA drivers, Kernel (incl. utilities), Interconn., SPA Agg., SPA. Message labels: OIR / Chassis messages, Forwarding / Control messages. Link legend: ESI, 10/40Gbps; SPA-SPI, 11.2Gbps; Hypertransport, 10Gbps; GE, 1Gbps; I2C; SPA Bus; IPC Messages; Other SPA Control]
• Feature processing follows a pre-defined executing sequence, e.g.
ESPs
1. SPA receives packet data from its network interfaces and transfers the packet to the SIP
QoS
• HQF support
• 256 class Maps
• ATM service policies (VP/VC)
• 2PQs, 128K queues
• 4-level hierarchical scheduling
• NBAR
• MQC: classification, marking, action
• Bandwidth remaining ratio
• FPM
• Egress traffic shaping
• Policies aggregation
• dual/single rate 3 color policing
• ATM shaping per VP/VC
• 4K policy Maps
• Egress classification on QoS group
Security
• hardware assisted IPSec
• Control Plane Policing
• VRF-aware IPSec
• IPSec VPN 3DES/AES
• FIPS compliance
• VRF-aware Zone-based FW
• DMVPN
• IPv6 IPSec static VI
• GETVPN
• VRF-aware zone-based Firewall
• Zone-based Firewall
• NAT
• VRF-aware NAT
• RTSP Firewall ALG
• DMVPN Hierarchical Hub
[Figure labels: EF, AF4, AF1, default; VLAN; Physical Interface]
1. Ingress packets are temporarily stored in small internal pkt buffer until processed
2. Free QFP Engine is allocated for this packet and SW begins processing packet (MAC classification, QOS classification, ACL’s, forwarding lookup, police, WRED, etc.) including modifying packet contents
[Figure: Cisco QFP Engine on ESP10. Labels: PPEs (numbered up to PPE40), Resource Memory, TCAM4, Packet Buffer Memory, Cisco QFP Traffic Manager with Buffer, queue, schedule (BQS); numbered callouts for the packet flow steps]
• ASR 1000 offers fantastic HA support
  Redundant ESP / RP on ASR 1006 and ASR 1013
  Software Redundancy on ASR 1001, ASR 1002, ASR 1004
• Zero packet loss on RP Fail-over!
• Full support for ISSU
• Intra-chassis SSO support for
  Configuration
  Protocols: FR, ML(PPP), HDLC, VLAN, IS-IS, BGP, CEF, SNMP, MPLS, MPLS VPN, LDP, VRF-lite
  Stateful features: PPPoX, AAA, DHCP, IPSec, NAT, Firewall
• IOS XE also provides full support for Network Resiliency
  NSF/GR for BGP, OSPFv2/v3, IS-IS, EIGRP, LDP
  IP Event Dampening
  BFD (BGP, IS-IS, OSPF)
  GLBP, HSRP, VRRP
[Figure: ASR 1006 with Active and Standby Route Processors, Active and Standby Forwarding Processors, and three SPA Carrier Cards with SPAs. Callouts: RP fails (HW or SW); Standby Becomes Active; Zero Packet Loss]
• Ability to perform software upgrade of the IOS image on the single-engine systems
• Support for in-service software downgrade
• “In Service” component upgrades (SIP-Base, SIP-SPA, ESP-Base) without requiring reboot to the system
• Hitless upgrade of some of the software packages in a single engine system
• Hitless upgrade of some software packages in the active RP of a redundant engine system
• Pre-provisioning Capability
• RP Portability - installing & configuring hardware that is physically not present in the chassis
  This allows the user to configure an RP in one system, i.e. a 4RU, and then move it to another system, i.e. a fully populated 6RU
Software Release
From \ To | 3.1.0 | 3.1.1 | 3.1.2 | 3.2.1 | 3.2.2
3.1.0 | N/A | SSO Tested | SSO | SSO via 3.1.2 | SSO via 3.1.2
3.1.1 | SSO Tested | N/A | SSO Tested | SSO via 3.1.2 | SSO via 3.1.2
3.2.1 | SSO via 3.1.2 | SSO via 3.1.2 | SSO Tested | N/A | SSO Tested
3.2.2 | SSO via 3.1.2 | SSO via 3.1.2 | SSO Tested | SSO Tested | N/A
Procedure: Consolidated package mode
Intended Use: Easy upgrade of a redundant 6RU
Prerequisites (what to do/know before you start):
• Homogen Build / Stby’s HOT
• 6RU w/ red. h/w & new supers in both active/standby RPs
High Level Procedure:
1. ISSU loadversion standby RP
2. ISSU runversion
3. ISSU acceptversion (optional)
4. ISSU commitversion
5. hw-module slot RP-slot reload
Impact (1): 100sec traffic loss

Procedure: Sub-package mode 1
Intended Use: Sliding. Minimum disruption to redundant 6RU chassis
Prerequisites (what to do/know before you start):
• Homogen Build / Stby’s HOT
• RPs booted in sub-pkg mode & new supers expanded
High Level Procedure:
1. Upgrade all standby RP sub-pkgs
2. Rolling upgrade of SIP slots
3. Rolling upgrade of ESPs
4. Upgrade active RP & switchover
Impact (1):
1. 0 traffic loss
2. 100sec traffic loss per SIP
3. 50ms traffic loss
4. 0 traffic loss

Procedure: Sub-package mode 2
Intended Use: SPA FIRST. Upgrade to redundant 6RU chassis
Prerequisites (what to do/know before you start):
• Homogen Build / Stby’s HOT
• RPs booted in sub-pkg mode & new supers expanded
High Level Procedure:
1. Upgrade selective SPA
2. Rolling upgrade of ESPs
3. Rolling upgrade of SIP slots
4. Upgrade all standby RP sub-pkgs
5. Upgrade active RP & switchover
Impact (1):
1. 30sec traffic loss
2. 50ms traffic loss
3. 100sec traffic loss per SIP
4. 0 traffic loss
5. 0 traffic loss

Procedure: Sub-package mode 3
Intended Use: PSIRT upgrade of RPIOS only on any chassis type
Prerequisites (what to do/know before you start):
• Homogen Build / Stby’s HOT
• Booted in sub-pkg mode
High Level Procedure:
1. Upgrade standby RPIOS sub-pkg, Switchover (End here)
Impact (1):
1. 0 packet loss

(1) Times indicated in this column denote the total time for the specific module to be ready to process packets.
• Software failure
  – Software redundancy helps when there is an RP-IOS failure/crash; the active process will switch over to the standby, while forwarding continues with zero packet loss
  – Other software crashes (example: SIP or ESP) cannot benefit from Software redundancy
• Software upgrade
  – The software upgrade procedure for ASR1002/ASR1004 allows customers to upgrade the RP-IOS package only as the first step of the software upgrade procedure and defer all the other steps to a later time (example: Maintenance window)
  – This allows customers to take advantage of any bug fixes of RP-IOS (or in the case of a PSIRT) available in the next rebuild while maintaining the router in service.
  – The heterogeneous configuration of RP-IOS in one version vs. the rest of the sub-packages in a different version is a supported configuration. It is however required that the configuration become homogeneous (i.e., all sub-packages in the same version) before upgrading to the next software version.
Procedure: Sub-package mode 1
Intended Use: Sliding. Minimum disruption to s/w redundant 2/4RU chassis’
Prerequisites:
• Homogen Build / Stby’s HOT
• RP booted in sub-pkg mode & new super expanded
High Level Procedure:
1. Upgrade standby ‘bay’ & switchover
2. Rolling upgrade of SIPs (if possible)
3. Upgrade ESP (you take a hit)
4. Upgrade remaining RP sub-pkgs
Impact:
1. 0 traffic loss
2. 100sec traffic loss per SIP
3. 100sec traffic loss
4. X sec – depends on configuration

Procedure: Sub-package mode 2
Intended Use: PSIRT upgrade of RPIOS only on any chassis type
Prerequisites:
• Homogen Build / Stby’s HOT
• Booted in sub-pkg mode
High Level Procedure:
1. Upgrade standby bay RPIOS sub-pkg & Switchover (End here)
Impact:
1. 0 packet loss
• The existing ISSU procedure is a multiple step process. This enhancement greatly simplifies the ISSU process with a single CLI command which executes the multiple steps
• CLI: request platform software package install node file <filename> sip-delay <1-172800>
  sip-delay allows a delay for each SIP upgrade in sub-package mode
• When this command is executed, it automatically adapts to the ‘consolidated mode’ or ‘sub-package mode’ running in the system
• In sub-package mode, this CLI will execute the step-by-step procedure documented in CISCO.COM
• This table summarizes the support matrix of one shot ISSU in terms of ASR 1000 platform and package mode running in the system
Platform | Consolidated package | Sub-packages
ASR 1013 | Support | Support
ASR 1006 | Support | Support
ASR 1004 | N/A | Support
ASR 1002 | N/A | Support
ASR 1001 | N/A | Not Supported
• Support for Any-transport-over-MPLS, including EoMPLS
  EVC Infrastructure
  Port/VLAN/.1q modes with interworking and local switching (hair-pin)
  802.1ad S-VLANs
• VPLS Support
  Available TBD
• Ethernet OAM Support
[Figure labels: connect, MPLS Pseudowire]
Feature richness & services support
• Prepaid services, Per subscriber Firewall, Portal integration for self-provisioning, Policy server solutions, Services accounting within a session, Integrated DPI (roadmap) etc
Wholesale Broadband Deployment
• LNS
• PW based backhaul
• RA-MPLS
Legacy Broadband Migration options
• PPPoEoA
• PPPoA
• RBE
• ESP-embedded Crypto ASIC enables high-performant encryption services
  Up to 11 Gbps with ESP40
  Up to 8000 site-site IPSec CM tunnels
  Up to 4000 sVTI, dVTI, GRE/TP tunnels
• QFP processing-to-completion using the FIA allows for IPSec computation in combination with other features (QoS, MPLS, GRE…)
• Remote-access, site-to-site VPN services
  GETVPN, DMVPN, Easy VPN w/ or w/o dVTI
• VASI
  Enables services such as FW/NAT to be applied to traffic going across different VRFs
• VRF-aware IPSec
  With Dynamic crypto maps or dVTI
  MPLS VPN or IEEE 802.1q
• Multi-SA for dVTI to enable connection with non-Cisco VPN routers
  Enables simple migration from crypto-maps to VTI
• IKEv2 Site to site VPN & Windows client support
  support for VPN mobility extension
  Including Remote access VPN with Windows native clients
• IPV6 support: IPv6oIPv4/GRE with encryption, v6 sVTI, VASI, NAT64, ACLs, USGv6 compliance (phase 1)
[Figure: VASI example. Labels: GigabitEthernet0/2/0 (VRF Blue), GigabitEthernet0/3/0 (VRF Red), VasiLeft1 (VRF Blue), VasiRight1 (VRF Red); callouts numbered 1 to 4]
[Figure: SGT example. Labels: user (“I’m a contractor. My group is HR.”); 802.1X/MAB/Web Auth.; ISR; Contractor & HR, SGT = 100; WAN; SXP (TCP) connection between ISR and ASR 1000; ASR with SGACL; Aggregation or Data Center; Finance (SGT=4); HR (SGT=10)]
• ASR 1000 Architecture ideally suited to perform deep-packet inspection
  QFP has full visibility into each packet payload
• DPI enabled via the Application Visibility and Control (AVC) infrastructure
  NBAR2 + Reporting + FNF

    class-map match-all business-critical
     match protocol citrix
     match access-group 101
    class-map match-any browsing
     match protocol attribute category browsing
    class-map match-any internal-browsing
     match protocol http url "*myserver.com*"
Optional Features
Cisco ASR 1000 Series Feature Licenses
• SW Redundancy
• SBC
• IPSec
• Firewall
• Flexible Packet Inspection
Images
• Cisco ASR1000 Series IP Base (SASR1R1-IPBK9)
• Cisco ASR1000 Series IP Base w/o Crypto (SASR1R1-IPB)
• Cisco ASR1000 Series RP1 Advanced Enterprise Services (SASR1R1-AESK9)
• Cisco ASR1000 Series RP1 Advanced Enterprise Services w/o Crypto (SASR1R1-AES)
Features listed for all four images
• BGP, EIGRP, ISIS, OSPF, RIP
• ACL
• HSRP/VRRP
• HA: BFD, ISSU
• NAT
• Netflow
• QoS, WCCPv2
Also listed for the IP Base images
• IPv6 (rls5)
Also listed for the Advanced Enterprise Services images
• Legacy – IPX, Appletalk, DecNet, etc
• Broadband
• L2 & L3 VPN
• MPLS
• IPv6
• ATOM, VPLS
• PfR
• Multicast
• SBC
[The slide also lists “Security, LI” and “SSL, SSH” in the image columns; their column assignment is not recoverable from the extracted text]
For the equivalent feature set on ASR 1000 Series (Cisco ASR 1002-F, ASR1002, ASR1004, ASR1006, ASR1013) | To order: Universal Software Image Part Number | In Combination With: Technology Package License Part Number
IP Base without crypto (IPB) | SASR1001U | + SLASR1-IPB
Frequency of Extended release is still under BU discussion:
Option a: every 3 releases (12/12/48)?
Option b: every 4 releases (12/12/12/48)?
[Figure: release timeline over months 1 to 48. Legend: Initial CCO, Standard, Extended, PSIRT, throttle rebuild. Each release is shown with its rebuilds (S1, S2, S3, …). Releases: IOS 15.2(4)S / IOS XE 3.7S; IOS 15.3(3)S / IOS XE 3.10S; IOS 15.3(4)S / IOS XE 3.11S; IOS 15.4(1)S / IOS XE 3.12S; IOS 15.4(2)S / IOS XE 3.13S; IOS 15.4(3)S / IOS XE 3.14S; IOS 15.4(4)S / IOS XE 3.15S]
• Cross Architecture Support - Seamless Interconnect with Service Provider IP NGN Architecture and Enterprise Borderless Network, Collaboration and Data Center Architectures
• Services Support for Enterprise IOS Service Provider Features
• Best in Class Availability and Resiliency with Modular OS and Software Redundancy or Hardware Redundancy and ISSU
• Best in Class ASIC Technology: Quantum Flow Processor (QFP)