BRKARC-2005
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKARC-2005
BRKARC-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• ISR 1100 Portfolio
• Platform Overview
• Software Overview
• Basic Troubleshooting
• Solution Overviews
• Key Takeaways
• Q&A
Introduction and Use Cases
The ISR 1100 Series combines WAN, comprehensive security, and wired and wireless access in a single, high-performance platform.
Cisco 1100 Series Integrated Services Routers
Foundation for the digital branch
• Physical connectivity: LTE Advanced, 802.11ac Wave 2, Ethernet, xDSL
• Manageability: APIC-EM, WebUI, Cisco DNA Center, Prime
Cisco Enterprise Routing Portfolio
Cloud: CSR 1000V
• 10 Mbps to 10 Gbps
• Cisco DNA Virtualization
• Extend enterprise routing, security & management to the cloud
Branch: ISR 800
• Up to 100 Mbps
• Fixed and fanless
• Enterprise-class branch routing with security
Branch: ISR 1100
• Up to 350 Mbps
• Fixed and fanless
• Integrated wired & wireless access
WAN Edge: ISR 4000
• Up to 2 Gbps
• Modular
• Integrated container applications
• Hardware & software redundancy
• Compute with UCS E
WAN Edge: ASR 1000
• 2.5-200 Gbps
• High-performance services w/hardware assist
Virtual: ISRv
• 50 Mbps to 2.5 Gbps
• Virtual enterprise-class networking
• Runs on x86 compute platform
• ENFV orchestration & management
Virtual: Cisco ENCS
• Service chaining of virtual functions
• Modular WAN connectivity
• Open for 3rd party services & apps
From ISR 800 to ISR 1000
ISR 800 models C880 and C890 map to ISR 1000 models C111x-8P, C111x-4P and C1101-4P.
ISR 890 versus ISR 1100
ISR 1100 is an extension to the ISR fixed router portfolio.
• Connectivity & Scale: next-gen WAN with high performance; faster connectivity with LTE Advanced
• Costs & Business Agility: pay-as-you-grow; ability to buy what you need today and upgrade anytime with no equipment upgrades
• Trustworthy Systems: H/W & S/W security (boot protections, runtime defenses); assurance and peace of mind with hardware and operating system integrity
Trustworthy Systems in an Untrustworthy World
Attack 1:
In 2011-12, malware was identified that installed a modified IOS image on the host system (2800 and 3800 routers) and targeted the DH key exchange in IPsec. With the modified image, the attacker was able to decrypt IPsec tunnel data easily.
Attack 2:
Another incident was noticed in 2013 on 7600 devices. The attacker gained access to the device with compromised admin credentials and modified in-memory (DRAM) code to send particular packets to attacker-defined destinations, and wrote NAT rules to gain access to the network. Since the modification lived only in memory, the attack did not survive a reload of the device.
Attack 3:
The most recent was SYNful Knock, noticed in 2015. It modified the image sitting in flash and installed it on the router. Its command-and-control channel used TCP (crafted SYN packets), hence the name SYNful Knock.
Solution: booting only images signed by a trusted source, with the signature verified at boot, defeats the persistent implants in attacks 1 and 3. It does not cover attack 2, which never touched flash; that is why the platform pairs boot protections with runtime defenses, and why admin credentials still need protecting.
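A download-time check that follows from the "signed image" point above, added here as an example and not part of the deck: stream each downloaded image through a hash, then compare the digest in constant time with the one published for that file. The sha512sum-style manifest layout ("digest  filename" lines), the file names and the file contents are all constructed for the example; in real use the published digest must come from the vendor's download page, never from the device or from the file being checked. This catches the SYNful Knock case of a tampered image being copied into flash; a tampered image already on the router is the job of the boot-time signature check by the trust anchor.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time: router images are hundreds of MB


def digest_file(path, algo="sha512"):
    """Hex digest of a file, streamed so the whole image is never in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha512sum-style lines ('<digest>  <filename>' or '<digest> *<filename>')
    into {filename: digest}. Comment and blank lines are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        manifest[name.strip().lstrip("*")] = digest.lower()
    return manifest


def verify_images(image_dir, manifest, algo="sha512"):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry.
    Only files named in the manifest are checked; an extra file in the
    directory that nobody published a digest for is itself worth a look."""
    image_dir = Path(image_dir)
    results = {}
    for name, expected in manifest.items():
        path = image_dir / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        actual = digest_file(path, algo)
        # compare_digest has no early exit, so timing does not leak a matching prefix
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one good image, one tampered copy, one not downloaded.
    The 'published' digest is computed here from the good bytes only so the
    example runs offline; in real use it comes from the vendor download page."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = b"constructed stand-in for a signed IOS XE image\n" * 4096
        (d / "c1100-universalk9.bin").write_bytes(good)
        tampered = bytearray(good)
        tampered[1000] ^= 0x01  # a single flipped byte, as an implant would leave
        (d / "c1100-universalk9-tampered.bin").write_bytes(bytes(tampered))
        published = hashlib.sha512(good).hexdigest()
        manifest = parse_manifest(
            "# digests as copied from the download page (constructed here)\n"
            f"{published}  c1100-universalk9.bin\n"
            f"{published}  c1100-universalk9-tampered.bin\n"
            f"{published} *c1100-universalk9-not-downloaded.bin\n"
        )
        return verify_images(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Run it before copying an image to the router, and treat a MISMATCH as a reason to re-download from the vendor rather than to retry the copy.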
ISR 890 vs ISR 1100
• ISR 890: LTE, PoE, 802.11n wireless, dual core, SFP, 25 VLANs, 2 IPsec domains, 100 Mbps+, Classic IOS
• ISR 1100: LTE Advanced, PoE+, 802.11ac Wave 2 wireless, quad core, SFP, 32 VLANs, 10 IPsec domains, 250 Mbps+, IOS XE
Wireless WAN Overview
• LTE-Advanced wireless
  • 300 Mbps DL & 50 Mbps UL
  • Carrier aggregation
  • 3GPP Release 10
• Modem information
  • Category 6 Qualcomm MDM9230 LTE (3.9G)
  • Mobile IP: PMIPv6

UE category and maximum data rate, DL/UL (Mbps):
Category 1: 10/5
Category 2: 50/25
Category 3: 100/50
Category 6: 300/50
Category 8: 1200/600
Mobility Express
Embeds an advanced, virtual WLAN controller into the Cisco ISR 1100's built-in access point.
Enables simple and fast initial setup, in less than 10 minutes.
Wireless LAN Hardware Overview
• WLAN module based on the Cisco Aironet 1815i
• 1GB DRAM, 128MB flash, 4MB boot flash
• 802.11ac Wave 2 dual radio (2.4GHz & 5GHz)
• 2x2, 2 SS MU-MIMO
• Internal antenna
• Console access via the router console
• 1Gbps uplink from the WLAN module, through the switching module, to the host CPU
Mobility Express Setup on PC
The Network. Intuitive.
Powered by Intent. Informed by Context.
Cisco DNA Center sits above the intent-based network infrastructure and combines intent, context, learning and security.
Platform Overview
• Open and programmable operating system: IOS XE
• Multi-core hardware architecture
• Fanless
• Option of four or eight switch ports
• Optional 802.11ac Wave 2
• Optional LTE Advanced
• Optional DSL
Hardware Overview
• Two major HW Variations
• PoE
• Fanless
Naming Convention
C1111-8PLTEEA C1101-4PLTEPWX*
C1101-4PLTEP
C1100-4P/8P Front Panel
Front-panel LEDs: PWR, GPS, LTE DATA/SIM, LTE RSSI/Mode, VPN.
C1100-8P Ethernet + LTE + WLAN: Back Panel
Back-panel connectors include two LTE antennas and a GPS antenna.
C1110-4P Ethernet + DSL + LTE: Back Panel
Back-panel labels: LTE antenna (x2), GPS antenna, uSIM x2, Console/Micro USB, Kensington lock slot, Micro USB, RESET, PWR switch, PWR connector, GE 0 SFP, USB 3.0, LTE slot, PoE, LED, GE LAN, DSL, Debug.
SKU Detail
C1101-4PLTEP - Back Panel
Back-panel labels: LTE antenna, GPS antenna, GE LAN, Micro USB console, USB 3.0, GE WAN, power button, pluggable LTE module.
C1109-4PLTE2P - Front View
Front-view labels: LTE antenna, dual pluggable LTE modules.
Pluggable LTE Module for C1101/C1109
LTE antenna connector on the pluggable module.

Crypto throughput levels (the per-model limits are restated on the C1100 Crypto/IPsec License slide):
                              4-port (C1111-4P)     8-port (C1111-8P)
Default                       50 Mbps               50 Mbps
Crypto traffic throughput     150 Mbps              250 Mbps
HSEC license support          beyond 150 Mbps       beyond 250 Mbps
ISR 1100 Performance
C1100 Hardware Diagram
• Multi-core CPU: control plane (CP) core, data plane cores DP1 and DP2, and a core reserved for future use
• Crypto engine
• 4GB flash
• Two WAN GE PHYs
• PoE Ethernet switch with a 1Gbps connection
• FPGA
ISR 1100 Licensing and Packaging Model
Smart Licensing: the router reports to the Cisco licensing cloud via Call Home.
• IP Base (default): routing protocols, ACL, NAT, QoS, BFD…
• SEC: VPN (DMVPN, GETVPN, FlexVPN…), firewall, OpenDNS connector…
• APP: MPLS, PfR, AVC, NBAR, IP SLA probe…
• 50 Mbps crypto throughput by default
* Available with IOS XE 16.7.1
Licensing Packaging Details
• IP Base + SEC + Performance: faster IPsec throughput, up to 250 Mbps. Use case: VDSL2 or higher internet connection.
• IP Base + SEC + APP + Performance: IWAN throughput up to 250 Mbps. Use case: IWAN branch with high throughput.
• IP Base + SEC + HSEC: IPsec throughput beyond 250 Mbps. Use case: branch with Ethernet or fiber.
• IP Base + SEC + APP + HSEC: IWAN throughput beyond 250 Mbps. Use case: IWAN branch with ultrafast throughput.
C1100 Crypto/IPsec License
In 16.6.x releases, the throughput limits refer to the "clear traffic" rate:
• Default limit is 50 Mbps
• Limit is 250 Mbps for C1111-8P
• Limit is 150 Mbps for C1111-4P
CLI to set the limit (reload the device for it to take effect):
R1(config)# platform hardware throughput crypto <limit_value>
R1# show platform hardware throughput crypto

Since HSEC-K9 license support is also included in 16.7.1 and later releases, the throughput limits there refer to the "encrypted traffic" rate: the limit is measured on the encapsulated packets, so the same configured value yields slightly less clear-text throughput than under 16.6.x. Starting with 16.7.1, an un-throttled crypto throughput level is supported: three levels are available, with 50 Mbps as the default. The un-throttled level means the router is uncapped from a crypto perspective; the CLI option is only visible when the HSECK9 license is installed. Upon installation of the HSECK9 license, in config mode:
R1(config)# platform hardware throughput crypto un-throttled
Save and reload the router for the new crypto throughput level to take effect. Changing the level is disruptive, so schedule it in a maintenance window.
Software Overview
Software Architecture (IOS XE)
• Linux kernel
• Control plane: IOSd
• Control messaging / platform adaptation layer
• Data plane: FP (forwarding manager), forwarding engine client, forwarding engine driver
Troubleshooting
• Packet flow
• Hardware and software health check
• Packet capture tools
Packet Flow
C1111-4PL#show interfaces gigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Hardware is C1111-2x1GE, address is 4c77.6d2d.bc80 (bia 4c77.6d2d.bc80)
  Internet address is 10.10.10.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Packet Flow (continued)
C1111-4PL#show platform hardware qfp active interface if-name cellular 0/2/0 statistics
Packet Flow (continued)
Figure: data enters through the I/O plane and is forwarded by the data plane.
Health Check: Control Plane
Router#show platform
Chassis type: C1111-8P

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         C1111-8P            ok                    00:03:16
 0/0      C1111-2x1GE         ok                    00:01:07
 0/1      C1111-ES-8          ok                    00:01:07
R0        C1111-8P            ok, active            00:03:16
F0        C1111-8P            ok, active            00:03:16
P0        PWR-12V             ok                    00:02:52

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         17100501            16.6(1r)
R0        17100501            16.6(1r)
F0        17100501            16.6(1r)

Router#show platform software status control-processor brief
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   1.56   1.61   0.99

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  3446320  2188804 (64%)  1257516 (36%)  1934740 (56%)

CPU Utilization
 Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
  RP0    0   1.11   1.52   0.00  97.36   0.00   0.00   0.00
         1   0.81   1.52   0.00  97.65   0.00   0.00   0.00
         2   1.58   5.19   0.00  93.22   0.00   0.00   0.00
         3   9.01  29.79   0.00  61.18   0.00   0.00   0.00
Health Check (continued): Data Plane
C1100#show platform hardware throughput level
The current throughput level is unthrottled

C1100#show platform hardware throughput crypto
The current crypto level is 50000 kb/s

C1100#sh platform hardware throughput-monitor parameters
Throughput monitor parameters
Throughput monitor threshold: 95 percent
Throughput monitor interval: 300 seconds
Throughput monitor status: enabled

C1100#sh platform hardware qfp active datapath utilization
  CPP 0: Subdev 0            5 secs        1 min        5 min       60 min
Input:  Priority (pps)            0            0            0            0
                 (bps)            0            0            0            0
    Non-Priority (pps)            1            2            2            0
                 (bps)         1080         1576         1280          104
           Total (pps)            1            2            2            0
                 (bps)         1080         1576         1280          104
Output: Priority (pps)            0            0            0            0
                 (bps)          304          392          440           32
    Non-Priority (pps)            1            1            1            0
                 (bps)         2816         8272         6928          576
           Total (pps)            1            1            1            0
                 (bps)         3120         8664         7368          608
Processing: Load (pct)            0            0            2            0

C1100#show platform hardware qfp active infrastructure exmem statistics
QFP exmem statistics
  Type: Name: DRAM, QFP: 0
    Total: 134217728
    InUse: 15271936
    Free: 118945792
    Lowest free water mark: 118556672
  Type: Name: IRAM, QFP: 0
    Total: 2097152
    InUse: 211968
    Free: 1885184
    Lowest free water mark: 1885184
  Type: Name: SRAM, QFP: 0
    Total: 0
    InUse: 0
    Free: 0
    Lowest free water mark: 0

C1100#sh platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
L2ESInputInvalidSvi                             1                      90

Session update: Advanced troubleshooting of the ASR1K and ISR (IOS-XE) made easy - BRKCRS-3147
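To turn the control-plane and data-plane health outputs above into something a monitoring job can act on, here is an added example (not Cisco's code) that parses the control-processor summary and the QFP drop counters in the layout shown on these slides, and compares two drop snapshots so that only growing counters are reported. The sample text is constructed to match the slide layout; the thresholds (80% memory used, a core below 70% idle, 5-minute load at or above the core count) and the Ipv4NoRoute counter in the second snapshot are assumptions for the example.

```python
# Constructed samples laid out like the deck's show outputs.
SAMPLE_CP = """\
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   1.56   1.61   0.99

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  3446320  2188804 (64%)  1257516 (36%)  1934740 (56%)

CPU Utilization
 Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
  RP0    0   1.11   1.52   0.00  97.36   0.00   0.00   0.00
         1   0.81   1.52   0.00  97.65   0.00   0.00   0.00
         2   1.58   5.19   0.00  93.22   0.00   0.00   0.00
         3   9.01  29.79   0.00  61.18   0.00   0.00   0.00
"""

SAMPLE_DROPS_BEFORE = """\
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
L2ESInputInvalidSvi                             1                      90
"""
# Second snapshot taken later (constructed): a new counter has appeared.
SAMPLE_DROPS_AFTER = SAMPLE_DROPS_BEFORE + (
    "Ipv4NoRoute                                    37                    2960\n"
)


def parse_control_processor(text):
    """'show platform software status control-processor brief' -> dict with
    RP status, load averages, memory percentages and per-core idle percent."""
    cp = {"status": None, "load": None, "mem_used_pct": None,
          "mem_committed_pct": None, "cores": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Load Average"):
            section = "load"
            continue
        if line.startswith("Memory"):
            section = "mem"
            continue
        if line.startswith("CPU Utilization"):
            section = "cpu"
            continue
        if line.startswith("Slot"):
            continue  # column header
        f = line.split()
        if section == "load":
            cp["status"] = f[1]
            cp["load"] = tuple(float(x) for x in f[2:5])
        elif section == "mem":
            cp["mem_used_pct"] = int(f[4].strip("(%)"))
            cp["mem_committed_pct"] = int(f[8].strip("(%)"))
        elif section == "cpu":
            # the slot name is printed only on the first core's line, so index
            # from the right: 7 metric columns, then the core number
            cp["cores"][int(f[-8])] = float(f[-4])  # Idle column
    return cp


def parse_drop_stats(text):
    """'show platform hardware qfp active statistics drop' -> {reason: packets}."""
    drops = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3 and f[1].isdigit() and f[2].isdigit():
            drops[f[0]] = int(f[1])
    return drops


def drop_deltas(before, after):
    """Counters that grew between two snapshots. One stale drop left over from
    boot is noise; a counter that keeps climbing is the one to chase."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}


def findings(cp, drops_before, drops_after, mem_warn_pct=80, idle_warn_pct=70.0):
    """Threshold the parsed data. Thresholds are assumptions for this example."""
    out = []
    if cp["status"] != "Healthy":
        out.append(f"RP status {cp['status']}")
    if cp["mem_used_pct"] is not None and cp["mem_used_pct"] >= mem_warn_pct:
        out.append(f"memory used {cp['mem_used_pct']}%")
    if cp["load"] and cp["cores"] and cp["load"][1] >= len(cp["cores"]):
        out.append(f"5-min load {cp['load'][1]} on {len(cp['cores'])} cores")
    for core, idle in sorted(cp["cores"].items()):
        if idle < idle_warn_pct:
            out.append(f"core {core} idle {idle:.2f}%")
    for reason, delta in drop_deltas(drops_before, drops_after).items():
        out.append(f"drop {reason} +{delta}")
    return out


if __name__ == "__main__":
    cp = parse_control_processor(SAMPLE_CP)
    for item in findings(cp, parse_drop_stats(SAMPLE_DROPS_BEFORE),
                         parse_drop_stats(SAMPLE_DROPS_AFTER)):
        print("WARN", item)
```

On the slide's own numbers the only control-plane finding is core 3 at 61% idle with most of its time in system, which is where a practitioner would look next; the drop delta is what distinguishes a one-off boot-time drop from a live forwarding problem.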
Packet Capture Tools: Packet-Trace
• A discussion of the C1100 is incomplete without this feature.
• Packet trace provides an alternative to all the troubleshooting approaches we know: it is a packet capture tool and a debugger in one.
• The FIA (Feature Invocation Array) trace is the highlight: it records every feature a matched packet passes through in the data path, in order, so a drop or an unexpected forwarding decision can be pinned to the feature that made it.
Sample packet trace config
debug platform condition interface Gig 0/0/1 ingress
debug platform packet-trace packet 1024 fia-trace
debug platform packet-trace copy packet input size 2048
debug platform packet-trace enable
debug platform condition start
Verification commands:
show platform packet-trace summary
show platform packet-trace statistics
show platform packet-trace packet <packet-number>
show platform condition
clear platform packet-trace statistics
Start the condition last, after the trace buffers are configured, so that the first matched packets are captured. When finished, stop and clear the condition (debug platform condition stop, then clear platform condition all): the copy buffer holds up to 2048 bytes of each matched packet, payload included, so a trace should not be left armed on a production router.
Packet Capture Tools: EPC (Embedded Packet Capture)
Device> enable
Device# monitor capture mycap access-list v4acl
Device# monitor capture mycap limit duration 1000
Device# monitor capture mycap interface GigabitEthernet 0/0/1 both
Device# monitor capture mycap buffer circular size 10
Device# monitor capture mycap start
Device# monitor capture mycap export tftp://10.1.88.9/mycap.pcap
Device# monitor capture mycap stop
Device# end
The ACL v4acl must exist before it is attached. The export goes over TFTP, which is unauthenticated and unencrypted, and the pcap contains full packet payloads, so export only to a host on the management network and delete the capture point (no monitor capture mycap) when done.
WebUI Introduction
Solutions and Feature Overview
SD-WAN Fabric
• Management plane (multi-tenant or dedicated): vManage, providing management, analytics and API functions
• Orchestration
• Control plane (containers or VMs)
• Data plane (physical or virtual): ISR1K and ISR4K/ASR1K, over Internet, MPLS and 4G transports
VxLAN Support from the 16.9.1 XE release
VxLAN overlay over a BGP/MPLS underlay; see the configuration guidelines.
Encrypted Traffic Analytics (ETA)
Cisco's stated detection accuracy: 99.99%.
Example: Bestafera (Trojan) attempts to collect a user's online banking data and sends it out to a control server; it is known for keylogging and data exfiltration.
Figure (flow sequence observed without decrypting the traffic): initial page load, page refresh, autocomplete, keystrokes, server-to-client C2 message, data exfiltration; the C2 channel uses a self-signed certificate.
Encrypted Traffic Analytics (ETA) configuration
Device(config)# et-analytics
Device(config-et-analytics)# ip flow-record destination 192.168.10.1 2055
Device(config-et-analytics)# exit
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# et-analytics enable
Device(config-if)# end
192.168.10.1 and 2055 are the flow collector's address and UDP port; ETA only delivers value when a collector is receiving and analysing the exported records.
Umbrella Branch
A few well-known applications for DNS tunneling:
• Iodine
• Dns2tcp
• DnsCat
• VPNoverDNS
Umbrella on ISR 1100 vs ISR 800
Security policy: ISR 1100 supports multiple policies under the same public IP address; ISR 800 supports one policy per network under the same public IP address.
References: Software Feature Set Overview
Feature on C1100, with additional license where one is required:
• Routing protocols: RIPv1/v2, EIGRP
• Switching: VLANs, Storm Control (-), SPAN, PoE/PoE+, MAC Filtering, 802.1x, Port Security, Protected Port
• Security: Easy VPN (SEC license), GETVPN/DMVPN (SEC license), ZBFW (SEC license), Snort IPS (-)
• Routing and WAN services: PfR (AppX license), AVC (AppX license), SD-WAN, NETCONF/YANG (from IOS XE 16.9), WAAS Express / ISR-WAAS (-)
References: Software Feature Set Overview (continued)
• Wireless: Autonomous / Unified Mode, 802.11ac Wave 2, Mobility Express
• LTE: Carrier Aggregation
• Management: EEM, Embedded
• QoS: WFQ/CBWFQ, LLQ, HQoS, RSVP, NBAR (App license), DiffServ
References: What Does XE-SDWAN Offer Today?
Routing & infra features supported on XE-SDWAN: BGP, OSPF; VRRP; 4G-LTE; DSL; ZBF; DHCP/DNS/AAA/Syslog; QoS; segmentation; BFD; NAT-DIA; DPI.
References: SDWAN Roadmap
Routing & Infra:
• IPv6 transport: 16.11.1 (March 2019)
• Service side: 16.10.1 (November 2018)
Cloud Networking:
• Cloud OnRamp - IaaS (AWS & Azure): 16.10.1 (November 2018)
• Cloud OnRamp - IaaS (Google Cloud): 16.11.1 (March 2019)
References:
• Datasheet
• Trustworthy Systems
• Umbrella
• SYNful Knock
• Trust Anchor
• BRKCRS-2901
Key Takeaways
• Enhanced performance, easy to manage and deploy
• Future-proof device for current market needs
• Easy and elaborate troubleshooting steps
Agenda Review
• Introduction
• ISR 1100 Portfolio
• Platform Overview
• Software Overview
• Basic Troubleshooting
• Solution Overviews
• Key Takeaways
• Q&A
Questions
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
Thank you