ASR1000 System & Solution Architectures

Steven Wood - Principal Engineer, Enterprise Network Group

BRKARC-2001
Many Service Provider and Enterprise customers are looking to converge their network edge architectures. On the Service Provider side, firewall, security or deep-packet inspection functionality is being integrated into Provider Edge or BNG systems. Similarly, on the Enterprise side multiple functionalities are activated in a converged WAN edge router, thus yielding operational savings and efficiencies.

The Cisco ASR 1000 takes this convergence to the next level. Based on the Cisco Quantum Flow Processor, the ASR 1000 enables the integration of voice, firewall, security or deep packet inspection services in a single system, with exceptional performance and high-availability support. The processing power of the Quantum Flow Processor allows this integration without the need for additional service modules. This technical seminar describes the system architecture of the ASR 1000. The different hardware modules (route processor, forwarding processor, interface cards) and Cisco IOS XE software modules are described in detail. Examples of how different packet flows traverse an ASR 1000 illustrate how the hardware and software modules work in conjunction. The session also discusses the expected performance characteristics in converged service deployments. Particular attention is also given to sample use cases on how the ASR 1000 can be deployed in different Service Provider and Enterprise architectures in a converged services role. The session is targeted at network engineers and network architects who seek to gain an in-depth understanding of the ASR 1000 system architecture for operational or design purposes. Attendees from both the Service Provider and the Enterprise market segments are welcome.
<table>
<thead>
<tr>
<th>Glossary Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>AAA</td>
<td>Authentication, authorization and Accounting</td>
</tr>
<tr>
<td>ACL</td>
<td>Access Control List</td>
</tr>
<tr>
<td>ACT</td>
<td>Active; referring to ESP or RP in an ASR 1006</td>
</tr>
<tr>
<td>AF1</td>
<td>Assured Forwarding Per Hop behaviour class 1</td>
</tr>
<tr>
<td>AF2</td>
<td>Assured Forwarding Per Hop behaviour class 2</td>
</tr>
<tr>
<td>AF3</td>
<td>Assured Forwarding Per Hop behaviour class 3</td>
</tr>
<tr>
<td>AF4</td>
<td>Assured Forwarding Per Hop behaviour class 4</td>
</tr>
<tr>
<td>ALG</td>
<td>Application Layer Gateway</td>
</tr>
<tr>
<td>ASR</td>
<td>As in ASR1000; Aggregation Services Router</td>
</tr>
<tr>
<td>B2B</td>
<td>Business to Business in the context of WebEx or Telepresence</td>
</tr>
<tr>
<td>BB</td>
<td>Broadband</td>
</tr>
<tr>
<td>BGP</td>
<td>Border Gateway Protocol</td>
</tr>
<tr>
<td>BITS</td>
<td>Building Integrated Timing Supply</td>
</tr>
<tr>
<td>BNG</td>
<td>Broadband Network Gateway</td>
</tr>
<tr>
<td>BQS</td>
<td>Buffer, Queuing and Scheduling chip on the QFP</td>
</tr>
<tr>
<td>BRAS</td>
<td>Broadband remote Access Server</td>
</tr>
<tr>
<td>BW</td>
<td>Bandwidth</td>
</tr>
<tr>
<td>CAC</td>
<td>Connection Admission Control</td>
</tr>
<tr>
<td>CCO</td>
<td>Cisco Connection Online (<a href="http://www.cisco.com">www.cisco.com</a>)</td>
</tr>
<tr>
<td>CDR</td>
<td>Call Detail Records</td>
</tr>
<tr>
<td>CF</td>
<td>Checkpointing Facility</td>
</tr>
<tr>
<td>CLI</td>
<td>Command Line Interface</td>
</tr>
<tr>
<td>CM</td>
<td>Chassis Manager</td>
</tr>
<tr>
<td>CPE</td>
<td>Customer Premise Equipment</td>
</tr>
<tr>
<td>CPU</td>
<td>Central Processing Unit</td>
</tr>
<tr>
<td>CRC</td>
<td>Cyclic Redundancy Check</td>
</tr>
<tr>
<td>Ctrl</td>
<td>Control</td>
</tr>
<tr>
<td>DBE</td>
<td>Data Border Element (in Session Border Controller)</td>
</tr>
<tr>
<td>DMVPN</td>
<td>Dynamic Multipoint Virtual Private Network</td>
</tr>
<tr>
<td>DPI</td>
<td>Deep Packet Inspection</td>
</tr>
<tr>
<td>DSCP</td>
<td>DiffServ Code Point (see also AF, EF)</td>
</tr>
<tr>
<td>DSLAM</td>
<td>Digital subscriber Line Access Multiplexer</td>
</tr>
<tr>
<td>DST</td>
<td>Destination</td>
</tr>
<tr>
<td>EF</td>
<td>Expedited Forwarding (see also DSCP)</td>
</tr>
<tr>
<td>EOBC</td>
<td>Ethernet out-of-band control channel on the ASR 1000</td>
</tr>
<tr>
<td>ESI</td>
<td>Enhanced SerDes Interface</td>
</tr>
<tr>
<td>ESP</td>
<td>Embedded Services Processor on the ASR 1000</td>
</tr>
<tr>
<td>FECP</td>
<td>Forwarding Engine (ESP) Control Processor</td>
</tr>
<tr>
<td>FH</td>
<td>Full Height (SPA)</td>
</tr>
<tr>
<td>FIB</td>
<td>Forwarding Information Base</td>
</tr>
<tr>
<td>FM</td>
<td>Forwarding Manager</td>
</tr>
<tr>
<td>FPM</td>
<td>Flexible Packet Matching</td>
</tr>
<tr>
<td>FR-DE</td>
<td>Frame Relay Discard Eligible</td>
</tr>
<tr>
<td>GigE</td>
<td>Gigabit Ethernet</td>
</tr>
<tr>
<td>GRE</td>
<td>Generic Route Encapsulation</td>
</tr>
<tr>
<td>HA</td>
<td>High Availability</td>
</tr>
<tr>
<td>HDTV</td>
<td>High Definition TV</td>
</tr>
<tr>
<td>HH</td>
<td>Half-height (SPA)</td>
</tr>
<tr>
<td>H-QoS</td>
<td>Hierarchical Quality of Service</td>
</tr>
<tr>
<td>I2C</td>
<td>Inter-Integrated Circuit</td>
</tr>
<tr>
<td>IOCP</td>
<td>Input/Output Control Processor</td>
</tr>
<tr>
<td>IOS XE</td>
<td>Internet Operating system XE (on the ASR 1000)</td>
</tr>
<tr>
<td>IPC</td>
<td>Inter-process communication</td>
</tr>
<tr>
<td>IPS</td>
<td>Intrusion Prevention System</td>
</tr>
<tr>
<td>ISG</td>
<td>Intelligent Services Gateway</td>
</tr>
<tr>
<td>ISP</td>
<td>Internet Service Provider</td>
</tr>
<tr>
<td>ISSU</td>
<td>In-service software upgrade</td>
</tr>
<tr>
<td>L2TP CC</td>
<td>Layer 2 Transport Protocol Control connection</td>
</tr>
<tr>
<td>LAC</td>
<td>L2TP access concentrator</td>
</tr>
<tr>
<td>LNS</td>
<td>L2TP network Server</td>
</tr>
<tr>
<td>MFIB</td>
<td>Multicast FIB</td>
</tr>
<tr>
<td>mGRE</td>
<td>multipoint GRE</td>
</tr>
<tr>
<td>MPLS</td>
<td>Multiprotocol label switching</td>
</tr>
<tr>
<td>MPLS-EXP</td>
<td>MPLS Exp bits in the MPLS header</td>
</tr>
<tr>
<td>MPV Video</td>
<td>Multipoint GRE</td>
</tr>
<tr>
<td>MQC</td>
<td>Modular QoS CLI</td>
</tr>
<tr>
<td>mVPN</td>
<td>multicast VPN</td>
</tr>
<tr>
<td>NAPT</td>
<td>Network address port translation</td>
</tr>
<tr>
<td>NAT</td>
<td>network address translation</td>
</tr>
<tr>
<td>NBAR</td>
<td>network based application recognition</td>
</tr>
<tr>
<td>Nr</td>
<td>receive sequence number (field in TCP header)</td>
</tr>
<tr>
<td>Ns</td>
<td>send sequence number (field in TCP header)</td>
</tr>
<tr>
<td>NF</td>
<td>Netflow</td>
</tr>
<tr>
<td>NSF</td>
<td>non-stop forwarding</td>
</tr>
<tr>
<td>OBFL</td>
<td>on board failure logging</td>
</tr>
<tr>
<td>OIR</td>
<td>online insertion and removal</td>
</tr>
<tr>
<td>OLT</td>
<td>optical line termination</td>
</tr>
<tr>
<td>P1</td>
<td>Priority 1 queue</td>
</tr>
<tr>
<td>P2</td>
<td>priority 2 queue</td>
</tr>
<tr>
<td>PAL</td>
<td>Platform Adaption layer (middleware in the ASR 1000)</td>
</tr>
<tr>
<td>PE</td>
<td>Provider Edge</td>
</tr>
<tr>
<td>POST</td>
<td>Power on self test</td>
</tr>
<tr>
<td>POTS</td>
<td>Plain old telephony system</td>
</tr>
<tr>
<td>PQ</td>
<td>priority queue</td>
</tr>
<tr>
<td>PSTN</td>
<td>public switched telephone network</td>
</tr>
<tr>
<td>PTA</td>
<td>PPP termination and aggregation</td>
</tr>
<tr>
<td>PWR</td>
<td>power</td>
</tr>
<tr>
<td>QFP</td>
<td>Quantum Flow Processor</td>
</tr>
<tr>
<td>QFP-PPE</td>
<td>QFP packet Processing elements</td>
</tr>
<tr>
<td>QFP-TM</td>
<td>QFP traffic Manager (see also BQS)</td>
</tr>
<tr>
<td>QoS</td>
<td>Quality of Service</td>
</tr>
<tr>
<td>RACS</td>
<td>Resource and admission control subsystem</td>
</tr>
<tr>
<td>RA-MPLS</td>
<td>Remote access into MPLS</td>
</tr>
<tr>
<td>RF</td>
<td>redundancy facility (see also CF)</td>
</tr>
<tr>
<td>RIB</td>
<td>routing information base</td>
</tr>
<tr>
<td>RP</td>
<td>Route processor</td>
</tr>
<tr>
<td>RP1</td>
<td>1st generation RP on the ASR 1000</td>
</tr>
<tr>
<td>RP2</td>
<td>2nd generation RP on the ASR 1000</td>
</tr>
<tr>
<td>SBC</td>
<td>session border controller</td>
</tr>
<tr>
<td>SBE</td>
<td>signaling border element (of an SBC)</td>
</tr>
<tr>
<td>SBY</td>
<td>standby</td>
</tr>
<tr>
<td>SDTV</td>
<td>standard definition TV (see also HDTV)</td>
</tr>
<tr>
<td>SPA</td>
<td>shared port adapter</td>
</tr>
<tr>
<td>SPA SPI</td>
<td>SPA Serial Peripheral Interface</td>
</tr>
<tr>
<td>SRC</td>
<td>Source</td>
</tr>
<tr>
<td>SSL</td>
<td>Secure Socket Layer</td>
</tr>
<tr>
<td>SSO</td>
<td>stateful switch over</td>
</tr>
<tr>
<td>SW</td>
<td>software</td>
</tr>
<tr>
<td>TC</td>
<td>traffic class (field in the IPv6 header)</td>
</tr>
<tr>
<td>TCAM</td>
<td>Ternary content addressable memory</td>
</tr>
<tr>
<td>TOS</td>
<td>Type of service (field in the IPv4 header)</td>
</tr>
<tr>
<td>VAI</td>
<td>virtual access interface</td>
</tr>
<tr>
<td>VLAN</td>
<td>virtual local area network</td>
</tr>
<tr>
<td>VOD</td>
<td>video on demand</td>
</tr>
<tr>
<td>WRED</td>
<td>weighted random early discard</td>
</tr>
</tbody>
</table>
Agenda

- Introducing the ASR1000
- ASR1000 System Architecture
- ASR 1000 Building Blocks
- ASR 1000 Software Architecture
- ASR 1000 Packet Flows
- QoS on the ASR 1000
- High-Availability on the ASR 1000
- Applications & Solutions

Companion Session:
BRKARC-2019 - Operating an ASR1000
Introducing the ASR1000
ASR1000 Integrated Services Router
Key Design Principles

- **Best in Class ASIC Technology**
  - Quantum Flow Processor (QFP) for high scale services and sophisticated QoS with minimum performance impact

- **Security Services**
  - Firewall, VPN, Encryption

- **Multi-Service, Secure WAN Aggregation Services**

- **Application Performance Optimization (AVC, PfR)**

- **Voice and Video Services (CUBE)**

- **Best in Class Availability**
  - Enterprise IOS Features with Modular OS and Software Redundancy or Hardware Redundancy and ISSU
Cisco ASR 1000 Series Routers: Overview
2.5 Gbps to 200Gbps Range—Designed Today for up to 400 Gbps in the Future

COMPACT, POWERFUL ROUTERS

- Line-rate performance 2.5G to 200G+ with services enabled
- Investment protection with modular engines, IOS CLI and SPAs and Ethernet Line Cards for I/O
- Hardware-based QoS engine with up to 464K queues

BUSINESS-CRITICAL RESILIENCY

- Resilient, high performance services router
- Fully separated control and forwarding planes
- Hardware and software redundancy
- In-service software upgrades

INSTANT ON SERVICE DELIVERY

- Integrated firewall, VPN, encryption, Application Visibility and Control, Session Border Controller
- Scalable on-chip service provisioning through software licensing
ASR1000 Positioning

Enterprise Edge and Managed Services Routers

Performance and Scalability

**ASR1000**
- Up to 2 Tbps per system
- Carrier Ethernet
- IP RAN
- Mobile Gateways
- SBC/VoIP
- Broadband
- Video Monitoring
- Distributed PE
- Firewall, IPSec
- SBC/VoIP

**ISR4000 Series**
- 2.5-200Gbps per System
- Broadband
- Route Reflector
- Separate Services Planes for Continuity
- Pay-As-You-Grow

**ISR Series**
- 850 Mbps per System
- 350 Mbps with Services

**ASR 9000**
- Up to 48 Tbps per system
- Carrier Ethernet
- IP RAN
- L2/L3 VPNs
- IPSec
- BNG

**7600 Series**
- Up to 2 Tbps per system
- Carrier Ethernet
- IP RAN
- Mobile Gateways
- SBC/VoIP
- Broadband
- Video Monitoring
- Distributed PE
- Firewall, IPSec
- SBC/VoIP

**Service Provider Edge Routers**

---

BRKARC-2001 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
ASR1000 Enterprise Applications
Flexible WAN Services Edge & CPE

[Diagram: mobile worker, corporate office, high-end branch, WAN aggregation, DCI, Internet gateway and cloud]

- High Speed CPE, High-end Branch, Campus Edge
- WAN Aggregation, IPSec VPN, L2 and L3 VPN, IWAN
- Data Center Interconnect, Internet gateway, Zone-Based Firewall, Cloud Services Edge
ASR1000 Service Provider Applications
A Wide Variety of Use Cases

Mobile Subscriber
Access and Aggregation
Wireless

Business
Wire line
ETTx
xDSL
xPON

Residence
Cable
DOCSIS
M-CMTS

Edge
L2/L3 VPNs
Firewall/NAT/IPSec
SBC—SIP Trunking/IPSec
NBAR2

ISP
Peering
LNS

IP/MPLS Core
RR

Content Farm
VOD
TV
SIP

PPP or IP Aggregation
ATM or Ethernet
Intelligent Services Gateway
WiFi Access Gateway
ASR1000 SYSTEM ARCHITECTURE
ASR 1000 Series Building Blocks

- Centralized Forwarding Architecture
  All traffic flows through the active ESP, standby is synchronized with all flow state with a dedicated 10-Gbps link

- Distributed Control Architecture
  All major system components have a powerful control processor dedicated for control and management planes

- Route Processor (RP)
  Handles control plane traffic
  Manages system

- Embedded Service Processor (ESP)
  Handles forwarding plane traffic

- SPA Interface Processor (SIP)
  Shared Port Adapters provide interface connectivity

- ESI, (Enhanced Serdes) 11.5Gbps
- SPA-SPI, 11.2Gbps
- HyperTransport, 10Gbps
Enhanced SerDes Interconnect (ESI) links – high speed serial communication
- ESIs can run at 11.5Gbps or 23Gbps

ESIs run over midplane and carry
- Packets between ESP and the other cards (SIPs, RP and other ESP)
- Network traffic to/from SPA SIPs
- Punt/inject traffic to/from RP (e.g. network control pkts)
- State synchronization to/from standby ESP

Two ESIs between ESPs and to every card in the system
- Additional full set of ESI links to/from standby ESP
- CRC protection of packet contents
- ESP-10G: 1 x 11.5G ESI to each SIP slot
- ESP-20G: 2 x 11.5G ESI to two SIP slots; 1 x 11.5G to third SIP slot
- ESP-40G/100G/200G: 2 x 23G ESI to all SIP slots
ASR 1000 Control Plane Links

- Ethernet out-of-band Channel (EOBC)
  - Run between ALL components
  - Indication if cards are installed and ready
  - Loading images, stats collection
  - State information exchange for L2 or L3 Protocols

- I²C
  - Monitor health of hardware components
  - Control resets
  - Communicate active/standby, Real time presence and ready indicators
  - Control the other RP (reset, power-down, interrupt, report Power-supply status, signal ESP active/standby)
  - EEPROM access

- SPA control links
  - Run between IOCP and SPAs
  - Detect SPA OIR
  - Reset & Power control for SPAs (via I²C)
  - Read EEPROMs
ASR1000 Building Blocks: Under the Hood
## ASR1000 Modular Systems Overview

<table>
<thead>
<tr>
<th>Feature</th>
<th>ASR 1004</th>
<th>ASR 1006</th>
<th>ASR 1013</th>
</tr>
</thead>
<tbody>
<tr>
<td>SPA Slots</td>
<td>8-slot</td>
<td>12-slot</td>
<td>24-slot</td>
</tr>
<tr>
<td>RP Slots</td>
<td>1</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>ESP Slots</td>
<td>1</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>SIP Slots</td>
<td>2</td>
<td>3</td>
<td>6</td>
</tr>
<tr>
<td>Redundancy</td>
<td>Software</td>
<td>Hardware</td>
<td>Hardware</td>
</tr>
<tr>
<td>Height</td>
<td>7” (4RU)</td>
<td>10.5” (6RU)</td>
<td>22.7” (13RU)</td>
</tr>
<tr>
<td>Bandwidth</td>
<td>10 to 40 Gbps</td>
<td>10 to 100 Gbps</td>
<td>40-200+ Gbps</td>
</tr>
<tr>
<td>Maximum Output Power</td>
<td>765W</td>
<td>1695W</td>
<td>3390W</td>
</tr>
<tr>
<td>Airflow</td>
<td>Front to back</td>
<td>Front to back</td>
<td>Front to back</td>
</tr>
</tbody>
</table>
ASR1000 Series SPA Interface Processor
SIP10 and SIP40

- Physical termination of SPA
- 10 or 40 Gbps aggregate throughput options
- Supports up to 4 SPAs
  - 4 half-height, 2 full-height, 2 HH+1FH
  - full OIR support
- Does not participate in forwarding
- Limited QoS
  - Ingress packet classification – high/low
  - Ingress over-subscription buffering (low priority) until ESP can service them.
  - Up to 128MB of ingress oversubscription buffering
- Capture stats on dropped packets
- Network clock distribution to SPAs, reference selection from SPAs
- IOCP manages Midplane links, SPA OIR, SPA drivers
ASR1000 SIP40 and SIP10
Major Functional Differences

- Sustained throughput of 40Gbps vs 10Gbps for SIP10
- Different ESI modes depending on the ESP being used (1x10G vs 2x20G)
- Packet classification enhancements to support more L2 transport types (e.g. PPP, HDLC, FR, ATM…)
- Support for more queues (96 vs 64), allows up to 12 Ethernet ports per half-height SPA
- 3-level priority scheduler (Strict, Min, Excess) vs 2-level (Min, Excess)
- Addition of per-port and per-VLAN/VC ingress policers
- Network clocking support
  - DTI clock distribution to SPAs
  - Timestamp and time-of-day clock distribution
SIP40 Block Diagram

ESI Links:
2x 20G to each ESP
(2x10G for SIP10)

IO Control (IOCP)
Processor Complex

128MB Ingress Buffering

HW-based
3-priority
Scheduler Strict,
Min, Excess
SIP10: Min, Excess only

Enhanced Classifier
(Eth, PPP, HDLC,
ATM, FR)

Card Infrastructure

Memory

Boot Flash (OBFL, …)

IOCP

Ingress Scheduler
Egress Buffer Status

## Shared Port Adapters (SPA) and SFPs

<table>
<thead>
<tr>
<th>Optics</th>
<th>Optics</th>
<th>POS SPA</th>
<th>Serial/Channelized/ Clear Channel SPA</th>
<th>Ethernet SPA</th>
</tr>
</thead>
<tbody>
<tr>
<td>SFP-OC3-MM</td>
<td>SFP-GE-S / GLC-SX-MMD</td>
<td>SPA-2XOC3-POS</td>
<td>SPA-4XT-Serial</td>
<td>SPA-4X1FE-TX-V2</td>
</tr>
<tr>
<td>SFP-OC3-SR</td>
<td>SFP-GE-L / GLC-LH-SMD</td>
<td>SPA-4XOC3-POS</td>
<td>SPA-8XCHT1/E1</td>
<td>SPA-8X1FE-TX-V2</td>
</tr>
<tr>
<td>SFP-OC3-IR1</td>
<td>SFP-GE-Z</td>
<td>SPA-8XOC3-POS</td>
<td>SPA-4XCT3/DS0</td>
<td>SPA-2X1GE-V2</td>
</tr>
<tr>
<td>SFP-OC3-LR1</td>
<td>SFP-GE-T</td>
<td>SPA-1XOC12-POS</td>
<td>SPA-2XCT3/DS0</td>
<td>SPA-5X1GE-V2</td>
</tr>
<tr>
<td>SFP-OC3-LR2</td>
<td>CWDM</td>
<td>SPA-2XOC12-POS</td>
<td>SPA-1XCHST1/OC3</td>
<td>SPA-8X1GE-V2</td>
</tr>
<tr>
<td>SFP-OC12-MM</td>
<td>XFP-10GLR-OC192SR / XFP10GLR-192SR-L</td>
<td>SPA-4XOC12-POS</td>
<td>SPA-1XCHOC12/DS0</td>
<td>SPA-10X1GE-V2</td>
</tr>
<tr>
<td>SFP-OC12-SR</td>
<td>XFP-10GER-192IR+ / XFP10GER-192IR-L</td>
<td>SPA-8XOC12-POS</td>
<td>SPA-2XT3/E3</td>
<td>SPA-1X10GE-L-V2</td>
</tr>
<tr>
<td>SFP-OC12-IR1</td>
<td>XFP-10GZR-OC192LR</td>
<td>SPA-1XOC48-POS/RPR</td>
<td>SPA-4XT3/E3</td>
<td>SPA-1X10GE-WL-V2</td>
</tr>
<tr>
<td>SFP-OC12-LR1</td>
<td>XFP-10G-MM-SR</td>
<td>SPA-4XOC48POS/RPR</td>
<td></td>
<td>SPA-2X1GE-SYNCE</td>
</tr>
<tr>
<td>SFP-OC12-LR2</td>
<td>GLC-GE-100FX</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>SFP-OC48-SR</td>
<td>GLC-BX-U</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>SFP-OC48-IR1</td>
<td>GLC-BX-D</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>SFP-OC48-LR2</td>
<td>DWDM-XFP</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>XFP-10GLR-OC192SR</td>
<td>32 fixed channels</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>XFP-10GER-OC192IR</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>XFP-10GZR-OC192LR</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

ATM SPA

- SPA-1XOC3-ATM-V2
- SPA-3XOC3-ATM-V2
- SPA-1XOC12-ATM-V2
- SPA-2CHT3-CE-ATM

Service SPA

- SPA-WMA-K9
- SPA-DSP

CEOP SPA

- SPA-1CHOC3-CE-ATM
- SPA-24CHT1-CE-ATM
Route Processors: RP1, RP2 and ASR1001 RP

Two Generations of ASR1000 Route Processor

- **First Generation**
  - 1.5GHz PowerPC architecture
  - Up to 4GB IOS Memory
  - 1GB Bootflash
  - 33MB NVRAM
  - 40GB Hard Drive

- **Second Generation:**
  - 2.66Ghz Intel dual-core architecture
  - **64-bit IOS XE**
  - Up to 16GB IOS Memory
  - 2GB Bootflash (eUSB)
  - 33MB NVRAM
  - Hot swappable 80GB Hard Drive
ASR 1000 Route Processor Architecture
Highly Scalable Control Plane Processor

- Manages all chassis functions
- Runs IOS

CPU
(1.5/2.66 GHz Dual-core)

ESI
Interconnect

GE Switch

Input clocks
Output clocks

SIPs
ESP
RP
Misc Ctrl

System Logging
Core Dumps

USB
Mgmt
ENET
Console and Aux

Hard disk

nvram
Bootdisk

BITS
(input & output)

CPU Memory

Card Infrastructure

Chassis Mgmt
Bus

RP1: 1GB
RP2: 2GB

33MB

SIPs
ESP
RP

Runs IOS, Linux OS
Manages board and Chassis functions

IOS Memory: RIB, FIB & Other Processes
Determines Route Scale
RP1: 4GB
RP2: 8 & 16GB

Mgmt

Stratum-3 Network clock circuit

Not a traffic interface!
Mgmt only
### Route Processors (RP)

<table>
<thead>
<tr>
<th></th>
<th>ASR1001-X</th>
<th>ASR1002-X</th>
<th>RP1</th>
<th>RP2</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>CPU</strong></td>
<td>Built-in Dual-Core 2.0GHz Processor</td>
<td>Built-in Quad-Core 2.13GHz Processor</td>
<td>General Purpose CPU Based on 1.5GHz Processor</td>
<td>Dual-Core Processor, 2.66GHz</td>
</tr>
<tr>
<td><strong>Memory</strong></td>
<td>8GB default (4x2GB) 16GB maximum (4x4GB)</td>
<td>4GB default 8GB 16GB</td>
<td>2GB default (2x1GB) 4GB maximum (2x2GB)</td>
<td>8GB default (4x2GB) 16GB maximum (4x4GB)</td>
</tr>
<tr>
<td><strong>Built-In eUSB Bootflash</strong></td>
<td>8GB</td>
<td>8GB</td>
<td>1GB (8GB on ASR 1002)</td>
<td>2GB</td>
</tr>
<tr>
<td><strong>Storage</strong></td>
<td>SSD (200G or 400G)</td>
<td>160GB HDD (optional) &amp; External USB</td>
<td>40GB HDD and External USB</td>
<td>80GB HDD and External USB</td>
</tr>
<tr>
<td><strong>Cisco IOS XE Operating System</strong></td>
<td>64 bit</td>
<td>64 bit</td>
<td>32 bit</td>
<td>64 bit</td>
</tr>
<tr>
<td><strong>Chassis Support</strong></td>
<td>Integrated in ASR1001-X chassis</td>
<td>Integrated in ASR1002-X chassis</td>
<td>ASR1002 (integrated), ASR1004, and ASR1006</td>
<td>ASR1004, ASR1006, and ASR1013</td>
</tr>
</tbody>
</table>
ASR1000 GE Management Port Design

• ASR 1000 has a dedicated, out-of-band GE management port attached to the RP

• Interface (GigE0) is in a VRF (mgmt-intf) but it is not tied to general MPLS VPNs
  • has its own dedicated routing and FIB tables.
  • can be associated with connected, static and dynamic routing

• Designed to prevent any routing/forwarding between RP and ESP.

• No other interfaces can join the Mgmt VRF.

• Many management features must be configured with VRF options or use GigE0 as the source interface (e.g. tftp, ntp, snmp, syslog, tacacs/radius).
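
The last bullet above is easy to get wrong in practice: a management server configured without the VRF keyword is reached over the global routing table instead of GigE0. The following audit script is an added example, not part of the original slides or Cisco's own tooling. It assumes the VRF is spelled `Mgmt-intf` in the running configuration, that every management server is meant to be reachable out-of-band only, and that the listed IOS XE command forms are the ones in use; the sample configuration is constructed.

```python
import re

MGMT_VRF = "Mgmt-intf"        # assumption: IOS XE spelling of the page's "mgmt-intf"
MGMT_IF = "GigabitEthernet0"  # the page's "GigE0"

# Services whose server lines take an inline "vrf <name>" keyword.
VRF_INLINE = {
    "ntp": re.compile(r"^ntp server\s+(?P<rest>.+)$"),
    "syslog": re.compile(r"^logging host\s+(?P<rest>.+)$"),
    "snmp": re.compile(r"^snmp-server host\s+(?P<rest>.+)$"),
}
# Services bound to the management port with "<prefix> <interface>".
SOURCE_IF = {
    "tftp": "ip tftp source-interface",
    "tacacs": "ip tacacs source-interface",
    "radius": "ip radius source-interface",
}
# Lines that show a TACACS+/RADIUS server is defined at all.
AAA_DEFS = {
    "tacacs": ("tacacs server ", "tacacs-server host ", "aaa group server tacacs+ "),
    "radius": ("radius server ", "radius-server host ", "aaa group server radius "),
}


def audit_mgmt_plane(config, vrf=MGMT_VRF, mgmt_if=MGMT_IF):
    """Return (service, line, reason) for each management service that is
    not tied to the management VRF or to the GigE0 source interface."""
    findings = []
    source_if_seen = set()  # services that have any source-interface line
    aaa_in_use = set()      # AAA protocols with at least one server defined
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for svc, pattern in VRF_INLINE.items():
            m = pattern.match(line)
            if not m:
                continue
            found = re.search(r"\bvrf\s+(\S+)", m.group("rest"))
            if found is None:
                findings.append((svc, line, "no vrf keyword, global table is used"))
            elif found.group(1) != vrf:
                findings.append((svc, line, f"vrf {found.group(1)} is not {vrf}"))
        for svc, prefix in SOURCE_IF.items():
            if line.startswith(prefix + " "):
                source_if_seen.add(svc)
                ifname = line[len(prefix):].replace(" ", "")
                if ifname.lower() != mgmt_if.lower():
                    findings.append((svc, line, f"source interface is not {mgmt_if}"))
        for svc, prefixes in AAA_DEFS.items():
            if line.startswith(prefixes):
                aaa_in_use.add(svc)
    # AAA servers exist but nothing pins their traffic to the management port.
    for svc in sorted(aaa_in_use - source_if_seen):
        findings.append((svc, "", f"servers defined but no source-interface {mgmt_if}"))
    return findings


# Constructed sample configuration (documentation addresses, hypothetical names).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.2 255.255.255.0
!
ntp server vrf Mgmt-intf 192.0.2.10
ntp server 198.51.100.7
logging host 192.0.2.20 vrf Mgmt-intf
logging host 192.0.2.21
snmp-server host 192.0.2.30 vrf Mgmt-intf version 3 priv nms-user
ip tftp source-interface GigabitEthernet0/0/1
tacacs server TAC1
 address ipv4 192.0.2.40
aaa group server tacacs+ MGMT
 server name TAC1
"""

if __name__ == "__main__":
    for service, line, reason in audit_mgmt_plane(SAMPLE_CONFIG):
        print(f"{service:7} {reason}: {line or '(no line)'}")
```
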
Embedded Services Processors (ESP)
Scalable Bandwidth from 5Gbps to 200Gbps+

- Centralized, programmable, multiprocessor forwarding engine providing full-packet processing
- Packet Buffering and Queuing/Scheduling (BQS)
  - For output traffic to carrier cards/SPAs
  - For special features such as input shaping, reassembly, replication, punt to RP, etc.
  - 5 levels of HQoS scheduling, up to 464K Queues, Priority Propagation
- Dedicated Crypto Co-processor
- Interconnect providing data path links (ESI) to/from other cards
  - Transports traffic into and out of the Cisco Quantum Flow Processor (QFP)
  - Input scheduler for allocating QFP BW among ESIs
- FECP CPU managing QFP, crypto device, midplane links, etc.
ESP40: 40 Gbps Services Processor
The choice for many Enterprise and SP-edge Applications

- Centralized, programmable forwarding engine (i.e. QFP subsystem (PPE) and crypto engine) providing full-packet processing
- Packet buffering and queuing/scheduling (BQS)
- 40G total throughput
- 13Gbps crypto throughput Max (1400B packets)
- Support up to two ESI links to each SIP slot
  - 1 x 11G to a SIP10
  - 2 x 23G to a SIP40
- FECP CPU (1.86GHz dual core CPU with 8GB memory) managing QFP, crypto device, midplane links, etc
ASR 1000 Forwarding Processor
Quantum Flow Processor (QFP) Drives Integrated Services & Scalability

- Class/Policy Maps: QoS, DPI, FW
- ACL/ACE storage
- IPSec Security Association class groups, classes, rules
- NAT Tables

- Runs Linux
- Performs board management
- Program QFP & Crypto
- Stats collection

- Memory for FECP
- QFP client / driver
- OBFL
- QoS Class maps
- FM FP
- Statistics
- ACL ACEs copy
- NAT config objects
- IPSec/IKE SA
- NF config data
- ZB-FW config objects

QFP

- QoS Mark/Police
- NAT sessions
- IPSec SA
- Netflow Cache

- FW hash tables
- Per session data (FW, NAT, Netflow, SBC)

- QoS Queuing
- NAT VFR re-assembly
- IPSec headers

- System Bandwidth
- 5, 10, 20, 40, 100, 200 Gbps

NF: Netflow
ZBFW: Zone-based Firewall
FW: Firewall
SA: Security Association
VFR: Virtual Fragmentation Reassembly
OBFL: On-board Failure Logs
ESP100G and ESP 200G
Larger Enterprise Aggregation and Service Provider Edge

**ESP-100G**

- **Total Bandwidth**: 100 Gbps
- **Performance**: Up to 32 Mpps
- **QuantumFlow Processors**: 2
- **TCAM**: 80 Mb
- **Packet Buffer**: 1024 MB
- **Control CPU**: Dual-core 1.73 GHz CPU
- **Memory**: 16 GB
- **Broadband**: Up to 58 K sessions
- **QoS**: Up to 232 K queues
- **IPSec Bandwidth (1400 B)**: 25 Gbps
- 6 M sessions
- **Chassis**: ASR 1006, ASR 1013
- **Route Processor**: RP2 + Future

**ESP-200G**

- **Total Bandwidth**: 200 Gbps
- **Performance**: Up to 64 Mpps
- **QuantumFlow Processors**: 4
- **TCAM**: 2 x 80 Mb
- **Packet Buffer**: 2048 MB
- **Control CPU**: Dual-core 1.73 GHz CPU
- **Memory**: 32 GB
- **Broadband**: Up to 128 K sessions
- **QoS**: Up to 464 K queues
- **IPSec Bandwidth (1400 B)**: 50 Gbps
- 13 M sessions
- **Chassis**: ASR 1013
- **Route Processor**: RP2 + Future

NSA “Suite-B” Security
# Embedded Services Processors (ESP)

Based on Quantum Flow Processor (QFP)

<table>
<thead>
<tr>
<th></th>
<th>ESP-2.5G</th>
<th>ESP-5G</th>
<th>ESP-10G</th>
<th>ESP-20G</th>
<th>ASR1001-X ESP</th>
<th>ASR1002-X ESP</th>
<th>ESP-40G</th>
<th>ESP-100G</th>
<th>ESP-200G</th>
</tr>
</thead>
<tbody>
<tr>
<td>System Bandwidth</td>
<td>2.5 Gbps</td>
<td>5 Gbps</td>
<td>10 Gbps</td>
<td>20 Gbps</td>
<td>2.5/5/10/20 Gbps</td>
<td>5/10/20/36 Gbps</td>
<td>40 Gbps</td>
<td>100 Gbps</td>
<td>200 Gbps</td>
</tr>
<tr>
<td>Performance</td>
<td>3 Mpps</td>
<td>8 Mpps</td>
<td>17 Mpps</td>
<td>24 Mpps</td>
<td>13 Mpps</td>
<td>30 Mpps</td>
<td>24 Mpps</td>
<td>58 Mpps</td>
<td>130 Mpps</td>
</tr>
<tr>
<td># of Processors</td>
<td>10</td>
<td>20</td>
<td>40</td>
<td>40</td>
<td>31</td>
<td>8/16/32/62</td>
<td>40</td>
<td>128</td>
<td>256</td>
</tr>
<tr>
<td>Clock Rate</td>
<td>900 MHz</td>
<td>900 MHz</td>
<td>900 MHz</td>
<td>1.2 GHz</td>
<td>1.5 GHz</td>
<td>1.2 GHz</td>
<td>1.2 GHz</td>
<td>1.5 GHz</td>
<td>1.5 GHz</td>
</tr>
<tr>
<td>Crypto Engine BW (1400 bytes)</td>
<td>1 Gbps</td>
<td>1.8 Gbps</td>
<td>4.4 Gbps</td>
<td>8.5 Gbps</td>
<td>8 Gbps</td>
<td>4 Gbps</td>
<td>11 Gbps</td>
<td>29 Gbps</td>
<td>78 Gbps</td>
</tr>
<tr>
<td>QFP Resource Memory</td>
<td>256MB</td>
<td>256MB</td>
<td>512MB</td>
<td>1GB</td>
<td>4 GB</td>
<td>1GB</td>
<td>1GB</td>
<td>4GB</td>
<td>8GB</td>
</tr>
<tr>
<td>Packet Buffer</td>
<td>64MB</td>
<td>64MB</td>
<td>128MB</td>
<td>256MB</td>
<td>512MB</td>
<td>512MB</td>
<td>256MB</td>
<td>1GB</td>
<td>2GB</td>
</tr>
<tr>
<td>Control CPU</td>
<td>Single core 800 MHz</td>
<td>Single core 800 MHz</td>
<td>Single core 1.2 GHz</td>
<td>Quad core* 2.0 GHz</td>
<td>Quad core 2.13 GHz</td>
<td>Dual core 1.8 GHz</td>
<td>Dual core 1.73 GHz</td>
<td>Dual core 1.73 GHz</td>
<td></td>
</tr>
<tr>
<td>Control Memory</td>
<td>1 GB</td>
<td>1 GB</td>
<td>2 GB</td>
<td>4 GB</td>
<td>8 GB</td>
<td>4/8/16 GB</td>
<td>8 GB</td>
<td>16 GB</td>
<td>32 GB</td>
</tr>
<tr>
<td>TCAM</td>
<td>5 Mb</td>
<td>5 Mb</td>
<td>10 Mb</td>
<td>40 Mb</td>
<td>10 Mb</td>
<td>40 Mb</td>
<td>40 Mb</td>
<td>80 Mb</td>
<td>2 x 80 Mb</td>
</tr>
<tr>
<td>Chassis Support</td>
<td>ASR 1001 (Integrated)</td>
<td>ASR 1001 (integrated), ASR 1002</td>
<td>ASR 1002, 1004, 1006</td>
<td>ASR 1004, 1006</td>
<td>ASR 1001-X</td>
<td>ASR1002-X</td>
<td>ASR 1004, 1006, 1013</td>
<td>ASR 1006, 1006X, 1009X, 1013</td>
<td>ASR 1006X, 1009X, ASR 1013</td>
</tr>
</tbody>
</table>

Cisco Quantum Flow Processor (QFP)
ASR1000 Series Innovation

- Five year design and continued evolution – now on 3rd generation
- Architected to scale to >100Gbit/sec
- Multiprocessor with 64 multi-threaded cores; 4 threads per core
- 256 processes per chip available to handle traffic
- High-priority traffic is prioritised
- Packet replication capabilities for Multicast
- Many H/W assists for accelerated processing
- 3rd generation QFP is capable of 70Gbit/sec, 32Mpps processing
- Mesh-able: 1, 2 or 4 chips to build higher capacity ESPs
- Latency: tens of microseconds with features enabled
Cisco Enterprise Routing NPU Leadership
Continuing Investment in Networking Processor Technology

Over 100 Patents Awarded!

[Figure: QFP generations plotted as performance over time (2005, 2010, 2015), against increasing branch and network edge requirements]

- QFP families: QFP1, QFP2, QFP3, QFP4
- Generations: Gen1 20G, Gen2 40G, Gen3 200G, Gen4 > 200G
- High Speed Backplane Aggregation ASIC
- IO Oversubscription & Aggregation ASIC
- Lower cost fully integrated NPU and IO device
- Next-Gen: Emphasis on Line-Rate Security and Advanced Feature Processing
- NPU #cores (number of Packet Processing Engines): > 800
- #Threads (concurrent, parallel threads processed): > 3200
ASR1000 Fixed Platforms
ASR1002-X
5Gbps to 36Gbps Soft-upgradable 2RU platform

System Management
- RJ45 Console
- Auxiliary Port
- 2x USB Ports
- RJ45 GE Ethernet

Memory
- 4 GB default
- 8/16 GB optional

Shared Port Adapter
- 3x SPA slot

Multi-Core QFP
- 62 cores
- 248 simultaneous threads
- 40 Mb TCAM

BITS clocking
- GPS input
- Stratum 3 built-in

Built-in I/O
- 6x1GE
- SyncE

Control Plane
- Quad cores clocked at 2.13G Hz
- 4G/8G/16G Memory options
- Secure Boot. FIPS-140-3 certification

Cryptography
- 4 Gbps crypto throughput
- SuiteB crypto support

Pay As You Grow
- 5 Gbps Default
- Upgradeable to 10, 20, or 36 Gbps
- 4 Gbps crypto throughput

Optional
- 160 GB hard disk

ASR 1001-X
5Gbps to 20Gbps Soft-Upgradable 1RU Platform with built-in 10GE

Management/USB Ports
- RJ45 Management GE
- 2x USB Ports

System Management
- Auxiliary Port
- RJ45 Console

Pay As You Grow
- 2.5G Default
- Upgradeable to 5G, 10G, and 20G
- Up to 8G Crypto Throughput

Control Plane
- Quad Cores; 2.0GHz
- 8G/16G memory options

Built-in I/O
- 2x10G
- 6x1G
- Multipoint MACsec Capable

Network Interface Modules
- SSD Drive
- ISR 4K Modules

Multi-Core Network Processor
- 32 Cores
- 4 Packet Processing Engines / Core
- 128 processing threads
- 10 Mb TCAM

Shared Port Adapter
- 1x SPA slot

Mini Console
- 1x Mini USB Console

### GE+10GE

**Fixed Ethernet Line card for ASR1k**

<table>
<thead>
<tr>
<th>Port Density</th>
<th>2x10GE+20x1GE</th>
</tr>
</thead>
<tbody>
<tr>
<td>Throughput</td>
<td>40G</td>
</tr>
<tr>
<td>Key Features</td>
<td>Feature parity with SIP40 + GE/10GE SPA; SyncE, Y.1731, IEEE 1588 capable (future); No SIP needed</td>
</tr>
<tr>
<td>Chassis</td>
<td>ASR1004, ASR1006, ASR1013</td>
</tr>
<tr>
<td>RP</td>
<td>RP2</td>
</tr>
<tr>
<td>ESP</td>
<td>ESP40, ESP100, ESP200</td>
</tr>
</tbody>
</table>

### High Density 10GE:

**Fixed Ethernet Line card for ASR1k**

<table>
<thead>
<tr>
<th>Port Density</th>
<th>6x10GE</th>
</tr>
</thead>
<tbody>
<tr>
<td>Throughput</td>
<td>60G I/O with 40G Throughput</td>
</tr>
<tr>
<td>Key Features</td>
<td>Feature parity with SIP40 + 10GE SPA; Exception: MDR not supported; No SIP needed</td>
</tr>
<tr>
<td>Chassis</td>
<td>ASR1004, ASR1006, ASR1013</td>
</tr>
<tr>
<td>RP</td>
<td>RP2</td>
</tr>
<tr>
<td>ESP</td>
<td>ESP40, ESP100, ESP200</td>
</tr>
</tbody>
</table>
## New ASR Modular Chassis

### High Performance Chassis Upgrades

<table>
<thead>
<tr>
<th></th>
<th>ASR 1006-X</th>
<th>ASR 1009-X</th>
</tr>
</thead>
<tbody>
<tr>
<td>Height</td>
<td>6RU</td>
<td>9RU</td>
</tr>
<tr>
<td>RP Slots</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>ESP Slots</td>
<td>2 (regular)</td>
<td>2 (super)</td>
</tr>
<tr>
<td>SIP/MIP Slots</td>
<td>2 (SIP40)</td>
<td>3 (SIP40)</td>
</tr>
<tr>
<td>SPA Slots</td>
<td>8</td>
<td>12</td>
</tr>
<tr>
<td>EPA Slots</td>
<td>4</td>
<td>6</td>
</tr>
<tr>
<td>NIM Slots</td>
<td>None</td>
<td>None</td>
</tr>
<tr>
<td>Slot Bandwidth</td>
<td>200G</td>
<td>200G</td>
</tr>
<tr>
<td>Forwarding Bandwidth (based on current QFP)</td>
<td>40 to 100G+</td>
<td>40 to 200G+</td>
</tr>
<tr>
<td>Maximum Output Power</td>
<td>1100W power modules N+1, Max 6</td>
<td>1100W power modules N+1, Max 6</td>
</tr>
</tbody>
</table>
ASR 1000 System Oversubscription

Key Oversubscription Points

- Total bandwidth of the system is determined by the following factors
  1. Type of ESP: eg. ESP10->200
  2. Type of SIP: SIP10 or SIP40 (Link BW between one SIP and the ESP)

- Step 1: SPA-to-SIP Oversubscription
  - Up to 4 x 10Gbps SPAs per SIP 10 = 4:1 Oversubscription Max
  - No oversubscription for SIP-40 = 1:1

- Step 2: SIP-to-ESP Oversubscription
  - Up to 2, 3 or 6 SIPs share the ESP bandwidth, depending on the ASR1000 chassis used

- Total Oversubscription = Step1 x Step2
SIP to ESP Oversubscription

Important Exceptions

Each ESP type has a different Interconnect ASIC with a different number of ESI ports, so the bandwidth available to each SIP slot follows these rules:

• ESP-10G: 10G to all slots
• ESP-20G: 20G to all slots except ASR1006 slot 3
  • 10G only to SIP Slot 3
• ESP-40G: 40G to all slots except ASR1013 slots 4 and 5
  • 20G only to SIP slots 4 & 5
• ESP-100G: 40G to all slots
• ESP-200: 40G to all slots
• Keep these exceptions in mind when planning I/O capacity
### ASR 1000 System Oversubscription Example

<table>
<thead>
<tr>
<th>Chassis Version</th>
<th>ESP Version</th>
<th>SIP Version</th>
<th>SIP Slots</th>
<th>Max. Bandwidth per SIP Slot (Gbps)</th>
<th>SPA to SIP Oversubscription</th>
<th>Bandwidth on ESP (Gbps)</th>
<th>SIP to ESP Oversubscription</th>
<th>I/O to ESP Oversubscription</th>
</tr>
</thead>
<tbody>
<tr>
<td>ASR 1001</td>
<td>ESP2.5</td>
<td>n.a.</td>
<td>n.a.</td>
<td></td>
<td>2:1</td>
<td>2.5</td>
<td>5.6:1</td>
<td>5.6:1</td>
</tr>
<tr>
<td></td>
<td>ESP5</td>
<td>n.a.</td>
<td>n.a.</td>
<td></td>
<td>4:1</td>
<td>5</td>
<td>6.8:1</td>
<td>6.8:1</td>
</tr>
<tr>
<td></td>
<td>ESP10</td>
<td>n.a.</td>
<td>n.a.</td>
<td></td>
<td>4:1</td>
<td>10</td>
<td>3.4:1</td>
<td>3.4:1</td>
</tr>
<tr>
<td>ASR 1002-X</td>
<td>ESP40</td>
<td>SIP40</td>
<td>n.a.</td>
<td></td>
<td>9:10</td>
<td>36</td>
<td>1:1</td>
<td>9:10</td>
</tr>
<tr>
<td>ASR 1004</td>
<td>ESP10</td>
<td>SIP10</td>
<td>2</td>
<td></td>
<td>4:1</td>
<td>10</td>
<td>2:1</td>
<td>8:1</td>
</tr>
<tr>
<td></td>
<td>ESP20</td>
<td>SIP10</td>
<td>2</td>
<td></td>
<td>4:1</td>
<td>20</td>
<td>1:1</td>
<td>4:1</td>
</tr>
<tr>
<td></td>
<td>ESP40</td>
<td>SIP10</td>
<td>2</td>
<td></td>
<td>4:1</td>
<td>40</td>
<td>1:2</td>
<td>4:1</td>
</tr>
<tr>
<td>ASR 1006</td>
<td>ESP10</td>
<td>SIP10</td>
<td>3</td>
<td></td>
<td>4:1</td>
<td>10</td>
<td>3:1</td>
<td>12:1</td>
</tr>
<tr>
<td></td>
<td>ESP20</td>
<td>SIP10</td>
<td>3</td>
<td></td>
<td>4:1</td>
<td>20</td>
<td>3:2</td>
<td>6:1</td>
</tr>
<tr>
<td></td>
<td>ESP40</td>
<td>SIP10</td>
<td>3</td>
<td></td>
<td>4:1</td>
<td>40</td>
<td>3:4</td>
<td>4:1</td>
</tr>
<tr>
<td></td>
<td>ESP40</td>
<td>SIP40</td>
<td>3</td>
<td></td>
<td>1:1</td>
<td>40</td>
<td>3:1</td>
<td>3:1</td>
</tr>
<tr>
<td></td>
<td>ESP100</td>
<td>SIP40</td>
<td>3</td>
<td></td>
<td>1:1</td>
<td>100</td>
<td>6:5</td>
<td>6:5</td>
</tr>
<tr>
<td>ASR 1013</td>
<td>ESP40</td>
<td>SIP10</td>
<td>6</td>
<td></td>
<td>4:1</td>
<td>40</td>
<td>3:2</td>
<td>6:1</td>
</tr>
<tr>
<td></td>
<td>ESP40</td>
<td>SIP40</td>
<td>40</td>
<td></td>
<td>1:1</td>
<td>40</td>
<td>9:2</td>
<td>6:1</td>
</tr>
<tr>
<td></td>
<td>ESP100</td>
<td>SIP40</td>
<td>6</td>
<td></td>
<td>1:1</td>
<td>100</td>
<td>12:5</td>
<td>12:5</td>
</tr>
</tbody>
</table>

**Example:**

1. 4x10G SPAs max per SIP
2. 3 SIPS max per ESP
3. 12x10G SPAs max per ESP
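
The two-step calculation and the per-slot ESP exceptions above, worked as an added example (not part of the original deck). It assumes SIP slots are numbered from 1 so the slide's slot numbers apply directly, 40G of SPA I/O per SIP (4x10G), and 200 Gbps for ESP200; all function names are illustrative.

```python
from fractions import Fraction

# SIP slot counts and ESP bandwidth (Gbps) as given in the table above.
# Assumption: 200 Gbps for ESP200 (the table has no ESP200 row).
SIP_SLOTS = {"ASR1004": 2, "ASR1006": 3, "ASR1013": 6}
ESP_GBPS = {"ESP10": 10, "ESP20": 20, "ESP40": 40, "ESP100": 100, "ESP200": 200}

# ESI bandwidth (Gbps) each ESP type offers to a SIP slot, plus the exceptions
# listed on the "Important Exceptions" slide.
ESI_GBPS = {"ESP10": 10, "ESP20": 20, "ESP40": 40, "ESP100": 40, "ESP200": 40}
ESI_EXCEPTIONS = {
    ("ESP20", "ASR1006", 3): 10,
    ("ESP40", "ASR1013", 4): 20,
    ("ESP40", "ASR1013", 5): 20,
}

SIP_LINK_GBPS = {"SIP10": 10, "SIP40": 40}
SPA_IO_PER_SIP_GBPS = 40  # 4 x 10G SPAs max per SIP


def slot_link(chassis, esp, sip, slot):
    """Usable SIP-to-ESP bandwidth for one slot: the lower of SIP and ESI rate."""
    if not 1 <= slot <= SIP_SLOTS[chassis]:
        raise ValueError(f"{chassis} has no SIP slot {slot}")
    esi = ESI_EXCEPTIONS.get((esp, chassis, slot), ESI_GBPS[esp])
    return min(SIP_LINK_GBPS[sip], esi)


def all_links(chassis, esp, sip):
    """Sum of the usable links of every SIP slot in the chassis."""
    return sum(slot_link(chassis, esp, sip, s)
               for s in range(1, SIP_SLOTS[chassis] + 1))


def slot_oversubscription(chassis, esp, sip, slot):
    """Step 1 for a single slot: SPA I/O against that slot's usable link."""
    return Fraction(SPA_IO_PER_SIP_GBPS, slot_link(chassis, esp, sip, slot))


def sip_to_esp(chassis, esp, sip):
    """Step 2: all SIP links together against the ESP bandwidth."""
    return Fraction(all_links(chassis, esp, sip), ESP_GBPS[esp])


def io_to_esp(chassis, esp, sip):
    """End-to-end ratio: total SPA I/O against the narrowest stage.

    Equals Step 1 x Step 2 whenever the SIP links exceed the ESP bandwidth.
    When they do not (Step 2 below 1:1), the SIP links are the bottleneck and
    the ratio stays at Step 1, as in the ASR 1004 / ESP40 / SIP10 row (4:1).
    """
    total_io = SIP_SLOTS[chassis] * SPA_IO_PER_SIP_GBPS
    return Fraction(total_io, min(all_links(chassis, esp, sip), ESP_GBPS[esp]))


def ratio(value):
    """Format a Fraction the way the table does, e.g. 6:5."""
    return f"{value.numerator}:{value.denominator}"


if __name__ == "__main__":
    for combo in [("ASR1004", "ESP10", "SIP10"),
                  ("ASR1006", "ESP40", "SIP10"),
                  ("ASR1013", "ESP100", "SIP40"),
                  ("ASR1006", "ESP20", "SIP40")]:
        print(*combo,
              "SIP-to-ESP", ratio(sip_to_esp(*combo)),
              "I/O-to-ESP", ratio(io_to_esp(*combo)))
    # The slot 3 exception on ASR1006 with ESP20 halves that slot's link,
    # so a SIP40 there is oversubscribed twice as heavily as in slots 1 and 2.
    for slot in (1, 2, 3):
        print("ASR1006 ESP20 SIP40 slot", slot,
              ratio(slot_oversubscription("ASR1006", "ESP20", "SIP40", slot)))
```
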
SOFTWARE ARCHITECTURE
Software Architecture—IOS XE

- IOS XE = IOS + IOS XE Middleware + Platform Software. **Not a new OS!**

- Operational Consistency—same look and feel as IOS Router

- IOS runs as a Linux process for control plane (Routing, SNMP, CLI etc.); 64-bit operation

- Linux kernel with multiple processes running in protected memory for
  - Fault containment
  - Re-startability
  - ISSU of individual SW packages

- ASR 1000 HA Innovations
  - Zero-packet-loss RP Failover
  - <50ms ESP Failover
  - “Software Redundancy”
ASR 1000 Software Architecture

- Initialization and boot of RP Processes
- Detects OIR of other cards and coordinates initialization
- Manages system/card status, Environmental, Power ctrl, EOBC

- Runs Control Plane
- Generates configurations
- Populates and maintains routing tables (RIB, FIB...)

- Provides abstraction layer between hardware and IOS
- Manages ESP redundancy
- Maintains copy of FIB and interface list
- Communicates FIB status to active & standby ESP (or bulk-download state info in case of restart)

- Maintains copy of FIBs
- Programs QFP forwarding plane and QFP DRAM
- Statistics collection and communication to RP

- Communicates with Forwarding manager on RP
- Provides interface to QFP Client / Driver

- Implements forwarding plane
- Programs PPEs with feature processing information

- Driver Software for SPA interface cards. Loaded separately and independently
- Failure or upgrade of driver does not affect other SPAs in same or different SIPs
Software Sub-packages

1. **RPBase**: RP OS
   Why?: An OS upgrade requires a reload of the RP; minimal changes are expected

2. **RPIOS**: IOS
   Why?: Facilitates Software Redundancy feature

3. **RPAccess (K9 & non-K9)**: Software required for router access; two versions are available, one that contains OpenSSH & SSL and one without
   Why?: To facilitate software packaging for export-restricted countries

4. **RPControl**: Control Plane processes that interface between IOS and the rest of the platform
   Why?: IOS XE Middleware

5. **ESPBase**: ESP OS + Control processes + QFP client/driver/ucode:
   Why?: Any software upgrade of the ESP requires reload of the ESP

6. **SIPBase**: SIP OS + Control processes
   Why?: OS upgrade requires reload of the SIP

7. **SIPSPA**: SPA drivers and FPD (SPA FPGA image)
   Why?: Facilitates SPA driver upgrade of specific SPA slots
Standard Release Timeline (XE 3.12 example)

Standard releases are supported for 18 months
6 months active bug-fix, 6 months limited bug fix, and 6 months PSIRT as needed
Rebuilds will be done at 3-3-6-6 month intervals
Two standard releases per year

EoSA – End of Sale Announcement
EoS – End of Sale
EoSM – End of SW Maintenance
EoVS: End of Vulnerability & Security

[Figure: release schedule and EoL milestones on a timeline from Year 1 (2013) to Year 4 (2016), divided into four-month periods (Mo 1-4, Mo 5-8, Mo 9-12)]
IOS XE Extended Release (XE 3.13 example)

Extended throttle release with up to 48 months support
10 rebuilds over lifetime, last two are PSIRT as needed
Rebuilds will be done at 3-3-4-4-6-6-6-6 month intervals
One extended release per year (every 3rd release is extended)

EoS – End of Sale
EoSA – End of Sale Announcement
EoSM – End of SW Maintenance
EoVS: End of Vulnerability & Security

[Figure: release schedule and EoL milestones (EoSA, EoS, EoSM, EoVS) on a timeline from 2014 to 2018, divided into four-month periods (Mo 1-4, Mo 5-8, Mo 9-12)]
Packet Flows – Data Plane
Data Packet Flow: From SPA Through SIP

1. SPA receives packet data from its network interfaces and transfers the packet to the SIP.

2. SPA Aggregation ASIC classifies the packet into H/L priority.

3. SIP writes packet data to external 128MB memory (at 40Gbps from 4 full-rate SPAs).

4. Ingress buffer memory is carved into 96 queues on SIP40 (64 queues for SIP10). The queues are arranged by SPA-SPI channel and optionally H/L. Channels on “channelized” SPAs share the same queue.

5. SPA ASIC selects among ingress queues for next pkt to send to ESP over ESI. It prepares the packet for internal transmission.

6. The interconnect transmits packet data of selected packet over ESI to active ESP at up to 11.5 Gbps.

7. Active ESP can backpressure SIP via ESI ctl message to slow pkt transfer over ESI if overloaded (provides separate backpressure for Hi vs. Low priority pkt data).
Data Packet Flow: Through ESP40

1. Packet arrives on QFP
2. Packet assigned to a PPE thread.
3. The PPE thread processes the packet in a feature chain similar to 12.2S IOS (very basic view of a v4 use case):
   - **Input Features applied**
     - NetFlow, MQC/NBAR Classify, FW, RPF, Mark/Police, NAT, WCCP etc.
   - **Forwarding Decision is made**
     - Ipv4 FIB, Load Balance, MPLS, MPLSoGRE, Multicast etc.
   - **Output Features applied**
     - NetFlow, FW, NAT, Crypto, MQC/NBAR Classify, Police/Mark etc.
   - **Finished**
4. Packet released from on-chip memory to Traffic Manager (Queued)
5. The Traffic Manager schedules which traffic to send to which SIP interface (or RP or Crypto Chip) based on priority and what is configured in MQC
6. SIP can independently backpressure ESP via ESI control message to pace the packet transfer if overloaded
Data Packet Flow: Through SIP to SPA

1. Interconnect receives packet data over ESI from the active ESP at up to 46 Gbps.
2. SPA Aggregation ASIC receives the packet and writes it to external egress buffer memory.
3. Egress buffer memory is carved into 64/96 queues. The queues are arranged by egress SPA-SPI channel and H/L. Channels on “channelized” SPAs share the same queue.
4. SPA Aggregation ASIC selects and transfers packet data from eligible queues to SPA-SPI channel (Hi queue are selected before Low).
5. SPA can backpressure transfer of packet data burst independently for each SPA-SPI channel using SPI FIFO status.
6. SPA transmits packet data on network interface.
ASR1000 QoS
ASR 1000 Forwarding Path

QoS View

1. SPA classification
2. Ingress SIP packet buffering
3. Port rate limiting & weighting for forwarding to ESP
4. Advanced classification
5. Ingress MQC based QoS
6. Egress MQC based QoS
7. Hierarchical packet scheduling & queuing
8. Egress SIP packet buffering
ASR 1000 ESP QoS

QFP Processing

• The following QoS functions are handled by PPEs:
  • Classification
  • Marking
  • Policing
  • WRED

• QoS functions (along with other packet forwarding features such as NAT, Netflow, etc.) are handled by QFP

• Packet is sent to the QFP Traffic Manager for queueing & scheduling

• All ESP QoS functions are configured using MQC CLI
ASR 1000 QoS
The QFP Traffic Manager (BQS) performs all packet scheduling decisions.

- Cisco QFP Traffic Manager implements a 3 parameter scheduler which gives advanced flexibility. Only 2 parameters can be configured at any level (min/max or max/excess)
  - Minimum - bandwidth
  - Excess - bandwidth remaining
  - Maximum - shape

- Priority propagation ensures that high priority packets are forwarded first without loss

- Packet memory is one large pool. Interfaces do not reserve a specific amount of memory.

- Out of resources memory exhaustion conditions
  - Non-priority user data dropped at 85% packet memory utilization
  - Priority user data dropped at 97% packet memory utilization
  - Selected IOS control plane packets and internal control packets dropped at 100% memory utilization
ASR 1000 QoS
Queuing Hierarchy

• Multilayer hierarchies (5 layers in total)
  • SIP, Interface, 3 layers of MQC QoS
• Two levels of priority traffic (1 and 2)
• Strict and conditional priority rate limiting
• 3 parameter scheduler (min, max, & excess)
• Priority propagation for no loss priority forwarding via minimum parameter
• Shaping average and peak options, burst parameters are accepted but not used
• Backpressure mechanism between hardware components to deal with external flow control
ASR 1000 QoS
Classification and Marking

• Classification
  • IPv4 precedence/DSCP, IPv6 precedence/DSCP, MPLS EXP, FR-DE, ACL, packet-length, ATM CLP, COS, inner/outer COS (QinQ), vlan, input-interface, qos-group, discard-class
  • QFP is assisted in hardware by TCAM

• Marking
  • IPv4 precedence/DSCP, IPv6 precedence/DSCP, MPLS EXP, FR-DE, discard-class, qos-group, ATM CLP, COS, inner/outer COS

• Enhanced match and marker stats may be enabled with a global configuration option
  • platform qos marker-statistics
  • platform qos match-statistics per-filter
ASR 1000 Policing and Congestion Avoidance

- **Policing**
  - 1R2C – 1 rate 2 color
  - 1R3C – 1 rate 3 color
  - 2R2C – 2 rate 2 color
  - 2R3C – 2 rate 3 color
  - color blind and aware in XE 3.2 and higher software
    - supports RFC 2697 and RFC 2698
  - explicit rate and percent based configuration
  - dedicated policer block in QFP hardware

- **WRED**
  - precedence (implicit MPLS EXP), dscp, and discard-class based
  - ECN marking
  - byte, packet, and time based CLI
  - packet based configurations limited to exponential constant values 1 through 6
  - dedicated WRED block in QFP hardware
INTEGRATED SECURITY ON ASR1000
ASR1000 Cryptography Support

Improved Octeon-II Crypto Processor on X-series Chassis

- **ESP-100 / 200**
  - 24 core processor
  - 800MHz clock frequency
  - 2GB DDR3 SDRAM
  - Up to 60Gbps (512B packets)

- **ASR 1002-X**
  - 6 core processor
  - 1.1 GHz clock frequency
  - Up to 4Gbps (512B packets)

- **ASR 1001-X**
  - Up to 4 Gbps Crypto

- **Crypto support:**
  - AES, SHA-1, ARC4, DES, 3-DES
  - IKEv1 or IKEv2

- **Next Gen “Suite B” crypto support**
  - Encryption: AES-128-GCM
  - Authentication: HMAC-SHA-256
  - Hashing: SHA-256
  - Protocol: IKEv2

- **NOTE:** In-Box High Availability ASR1006 configuration:
  ESP to ESP - stateful
  RP to RP – stateless
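
An added example (not part of the original deck) that checks IOS-style crypto configuration against the Suite B list on this slide and reports every algorithm or IKE version outside it. The sample configuration is constructed, and the keyword maps cover only a subset of IOS keywords.

```python
# Algorithms the slide lists under "Next Gen Suite B crypto support".
SUITE_B = {"AES-128-GCM", "HMAC-SHA-256", "SHA-256", "IKEv2"}

# IOS transform-set keywords mapped to algorithm names (subset).
ESP_TRANSFORMS = {
    "esp-des": "DES",
    "esp-3des": "3-DES",
    "esp-aes": "AES-{bits}-CBC",
    "esp-gcm": "AES-{bits}-GCM",
    "esp-sha-hmac": "HMAC-SHA-1",
    "esp-sha256-hmac": "HMAC-SHA-256",
}

# IKEv2 proposal keywords mapped to algorithm names (subset).
IKEV2_ALGS = {
    "des": "DES",
    "3des": "3-DES",
    "aes-cbc-128": "AES-128-CBC",
    "aes-cbc-256": "AES-256-CBC",
    "aes-gcm-128": "AES-128-GCM",
    "sha1": "SHA-1",
    "sha256": "SHA-256",
}

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
crypto ikev2 proposal HQ-PROP
 encryption aes-gcm-128
 prf sha256
crypto ikev2 proposal BRANCH-PROP
 encryption aes-cbc-256 3des
 integrity sha1
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set SUITEB esp-gcm 128
crypto ipsec transform-set MIXED esp-aes 256 esp-sha256-hmac
"""


def parse_transforms(tokens):
    """Turn transform-set keywords (with optional key size) into algorithm names."""
    algs, i = [], 0
    while i < len(tokens):
        template = ESP_TRANSFORMS.get(tokens[i], tokens[i])  # unknown keyword kept as-is
        bits = "128"  # key size used when the keyword carries none
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            bits, i = tokens[i + 1], i + 1
        algs.append(template.replace("{bits}", bits))
        i += 1
    return algs


def _finding(obj, algs):
    return {"object": obj, "algorithms": list(algs),
            "outside_suite_b": [a for a in algs if a not in SUITE_B]}


def audit(config):
    """Return one finding per IKE policy, IKEv2 proposal and transform-set."""
    findings, current = [], None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):
            current = None  # a top-level line closes any open proposal block
        if len(words) > 3 and words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings.append(_finding("transform-set " + words[3],
                                     parse_transforms(words[4:])))
        elif len(words) > 3 and words[:3] == ["crypto", "isakmp", "policy"]:
            # "crypto isakmp policy" configures IKEv1, which is outside the list.
            findings.append(_finding("isakmp policy " + words[3], ["IKEv1"]))
        elif len(words) > 3 and words[:3] == ["crypto", "ikev2", "proposal"]:
            current = _finding("ikev2 proposal " + words[3], ["IKEv2"])
            findings.append(current)
        elif current is not None and words and words[0] in ("encryption", "integrity", "prf"):
            current["algorithms"] += [IKEV2_ALGS.get(w, w) for w in words[1:]]
            current["outside_suite_b"] = [a for a in current["algorithms"]
                                          if a not in SUITE_B]
    return findings


def outside_suite_b(config):
    """Map each config object to the algorithms it uses beyond the Suite B list."""
    return {f["object"]: f["outside_suite_b"]
            for f in audit(config) if f["outside_suite_b"]}


if __name__ == "__main__":
    for obj, algs in outside_suite_b(SAMPLE_CONFIG).items():
        print(f"{obj}: {', '.join(algs)}")
```
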
ASR 1000 Forwarding Processor

IPSec Processing is done with Crypto Co-processor Assist

- IPSec SA Database
- IKE SA Database
- Crypto-map
- DH key pairs

- IPSec SA class groups
- Classes
- Rules (ACE or IPSec SA)

- Anti-replay check
- Encryption / decryption (Diffie-Hellman)
- NAT Traversal
- Traffic-based lifetime expiry

- Outbound packet classification
- Formatting of packets to Crypto chip (internal header)
- Receiving packets from crypto chip
- Removal of internal crypto header
- Re-assembly of fragmented IPSec packets

ASR 1000 IPSec Software Architecture

Function Partitioning

- Creation of IPSec Security Associations (SA)
- IKE Control Plane (IKE negotiation, expiry, tunnel setup)
- Communicates FIB status to active & standby ESP (or bulk-download state info in case of restart)
- Communicates with Forwarding manager on RP
- Provides interface to QFP Client / Driver
- Copy of IPSec SAs
- Copy of IKE SAs
- Synchronization of SA Databases with standby ESP
- Punting of Encrypted packets to the Crypto Assist
- Encryption / Decryption of packets

ASR Integrated Zone-based Firewall Protection
DoS, DDoS and Application Layer Detection and Prevention

TCP SYN Attack Prevention

- Protects against TCP SYN Flood Attack to the FW Session Database
- SYN Cookie Protection:
  - Per Zone
  - Per VRF
  - Per Box

Half Open Session Limit

- Protects Firewall Session Table from attacks that could be based on UDP, TCP and ICMP
- Half Open Session Limits are configurable:
  - Per Box and VRF Level
  - Per Class supported initially
- FW resources are managed effectively with half open session limit configuration knobs
- Logs are generated when limits are crossed

Application Layer Protocol Inspection

- Conformance checking, state tracking, security checks with granular policy control
- Over 20 Inspection Engines:
  - UC: SIP, Skinny, H323, RTSP...
  - Enterprise Apps: Video/Soft phones, H.323, FTP64
  - Core Protocols: FTP, SNMP, DNS, POP3, ...
  - Database & O/S: LDAP, NetBIOS, Microsoft RPC, ...

Basic Threat Detection

- Enables detection of possible threats, anomalies and attacks per Zone
- Monitors rate of pre-defined events in the system; alerts sent to Sys/HSL logs
- Report drops due to: Basic FW check failures, L4 inspection failures, and count of the # of dropped SYNs

Cisco Router Security Certifications

<table>
<thead>
<tr>
<th></th>
<th>FIPS 140-2, Level 2</th>
<th>Common Criteria EAL4</th>
<th>NSA Suite B Hardware Assist</th>
</tr>
</thead>
<tbody>
<tr>
<td>Cisco ISR 890 Series</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Cisco ISR 1900 Series</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Cisco ISR 2900 Series</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Cisco ISR 3900 Series</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Cisco ISR 3900E Series</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>Cisco ASR 1000 Series</td>
<td>✓</td>
<td>✓</td>
<td>✓**</td>
</tr>
</tbody>
</table>

** RP2 is only supported in ASR1004, ASR1006, and ASR1013
## ASR 1000 IPSec Performance & Scale

<table>
<thead>
<tr>
<th>Supported Chassis</th>
<th>ASR 1001</th>
<th>ASR 1001-X</th>
<th>ASR 1002-X</th>
<th>ASR 1002</th>
<th>ESP5</th>
<th>ESP10</th>
<th>ESP20</th>
<th>ESP40</th>
<th>ESP100</th>
<th>ESP200</th>
</tr>
</thead>
<tbody>
<tr>
<td>Encryption Throughput (Max/IMIX)</td>
<td>1.8/1 Gbps</td>
<td>8/5.8Gbps</td>
<td>4/4Gbps</td>
<td>1.8/1 Gbps</td>
<td>3.5/2.5Gbps</td>
<td>9.2/6.3 Gbps</td>
<td>12.9/7.4 Gbps</td>
<td>29/16 Gbps</td>
<td>78/59 Gbps</td>
<td></td>
</tr>
<tr>
<td>VRFs (RP2/RP1)</td>
<td>4000</td>
<td>4000</td>
<td>8000</td>
<td>1000</td>
<td>1000</td>
<td>8000/1000</td>
<td>8000/1000</td>
<td>8000</td>
<td>8000</td>
<td></td>
</tr>
<tr>
<td>Total Tunnels</td>
<td>4000</td>
<td>8000</td>
<td>8000</td>
<td>4000</td>
<td>4000</td>
<td>8000</td>
<td>8000</td>
<td>8000</td>
<td>8000</td>
<td></td>
</tr>
<tr>
<td>Tunnel Setup Rate w/ RP2 (IPSec, per sec)</td>
<td>130</td>
<td>130</td>
<td>130</td>
<td>N/A</td>
<td>130</td>
<td>130</td>
<td>130</td>
<td>130</td>
<td>130</td>
<td></td>
</tr>
<tr>
<td>Tunnel Setup Rate w/ RP1 (IPSec, per sec)</td>
<td>N/A</td>
<td>N/A</td>
<td>N/A</td>
<td>90</td>
<td>90</td>
<td>90</td>
<td>90</td>
<td>90</td>
<td>N/A</td>
<td></td>
</tr>
<tr>
<td>DMVPN / BGP Adjacencies (RP2/RP1, 5 routes per peer)</td>
<td>3500</td>
<td>4000</td>
<td>4000</td>
<td>3000</td>
<td>3000</td>
<td>4000</td>
<td>4000</td>
<td>4000</td>
<td>4000</td>
<td></td>
</tr>
<tr>
<td>DMVPN / EIGRP Adjacencies (RP2/RP1, 5 routes per peer)</td>
<td>3500</td>
<td>4000</td>
<td>4000</td>
<td>3000</td>
<td>3000</td>
<td>4000</td>
<td>4000</td>
<td>4000</td>
<td>4000</td>
<td></td>
</tr>
<tr>
<td>FlexVPN + dVTI</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td>10,000</td>
<td></td>
</tr>
</tbody>
</table>

*RP2 is not recommended with ESP10; RP1 is not recommended with ESP20
HIGH AVAILABILITY
High-Availability on the ASR 1000
ASR1000 Built for Carrier-grade HA

- Redundant ESP / RP on ASR 1006 and ASR 1013
- Software Redundancy on ASR 1001, ASR 1002, ASR 1004
- Zero packet loss on RP Fail-over! Max 100ms loss for ESP fail-over
- Intra-chassis Stateful Switchover (SSO) support for
  - Protocols: FR, ML(PPP), HDLC, VLAN, IS-IS, BGP, CEF, SNMP, MPLS, MPLS VPN, LDP, VRF-lite
  - Stateful features: PPPoX, AAA, DHCP, IPSec, NAT, Firewall
- IOS XE also provides full support for Network Resiliency
  - NSF/GR for BGP, OSPFv2/v3, IS-IS, EIGRP, LDP
  - IP Event Dampening; BFD (BGP, IS-IS, OSPF)
  - GLBP, HSRP, VRRP
- Support for ISSU
- Stateful inter-chassis redundancy available for NAT, Firewall, SBC
Software Redundancy – IOS XE
ASR1002 and ASR1004

- IOS runs as its own Linux process for control plane (Routing, SNMP, CLI etc.)
- Linux kernel runs IOS process in protected memory for:
  - Fault containment
  - Restart-ability of individual SW processes
- Software redundancy helps when there is a RP-IOS failure
- Active process will switchover to the standby, while forwarding continues with zero packet loss
- Can be used for ISSU of RP-IOS package for control-plane bug fixes and PSIRTs
- Other software upgrades (example: SIP or ESP) cannot benefit from Software redundancy
ASR 1006 High Availability Infrastructure

Infrastructure for Stateful Redundancy

- Provides hitless or near hitless switchover
- Reliable IPC transport used for synchronization
- HA operates in a similar manner to other protocols on the ASR 1000
ASR 1000 In-Service Software Upgrade

- Ability to perform upgrade of the IOS image on the single-engine systems
- Support for upgrade or downgrade
- One-shot ISSU procedure available for H/W redundant platforms

- Hitless upgrade of some software packages
- “In Service” component upgrades (SIP-Base, SIP-SPA, ESP-Base)
- RP Portability - installing & configuring hardware that is not physically present in the chassis

<table>
<thead>
<tr>
<th>Software Release From \ To</th>
<th>3.1.0</th>
<th>3.1.1</th>
<th>3.1.2</th>
<th>3.2.1</th>
<th>3.2.2</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1.0</td>
<td>N/A</td>
<td>SSO Tested</td>
<td>SSO</td>
<td>SSO via 3.1.2</td>
<td>SSO via 3.1.2</td>
</tr>
<tr>
<td>3.1.1</td>
<td>SSO Tested</td>
<td>N/A</td>
<td>SSO Tested</td>
<td>SSO via 3.1.2</td>
<td>SSO via 3.1.2</td>
</tr>
<tr>
<td>3.1.2</td>
<td>SSO</td>
<td>SSO Tested</td>
<td>N/A</td>
<td>SSO Tested</td>
<td>SSO Tested</td>
</tr>
<tr>
<td>3.2.1</td>
<td>SSO via 3.1.2</td>
<td>SSO via 3.1.2</td>
<td>SSO Tested</td>
<td>N/A</td>
<td>SSO Tested</td>
</tr>
<tr>
<td>3.2.2</td>
<td>SSO via 3.1.2</td>
<td>SSO via 3.1.2</td>
<td>SSO Tested</td>
<td>SSO Tested</td>
<td>N/A</td>
</tr>
</tbody>
</table>
ASR1000 APPLICATIONS
ASR1000 Network Applications

Routing, PE, Broadband, WiFi
- IPv4 / IPv6 Routing, Transition
- BGP, RIP, IS-IS, OSPF, Static routes
- GRE, MPLSoGRE, EoMPLSoGREoIPSec, ATMoMPLS
- MPLS L3 VPN
- L2VPN (ATM, Circuit Emulation)
- VPLS, H-VPLS PE; Carrier Ethernet Services
- Route Reflector, Internet Peering
- Internet & WAN Edge
- Broadband & WiFi Aggregation
- Subscriber Management

Multicast
- IPv4 / IPv6 Multicast Router
- MVPN (GRE, mLDP), MVPN Extranet
- IGMPv2/v3
- NAT & CAC

Secure WAN and PE
- IPSec VPN – DES, 3DES, AES-128-GCM
- DMVPN, GETVPN, FLEXVPN
- Secure group tagging (SGT)
- VRF-lite, MPLS-VPN, over DMVPN
- IOS Zone-based Firewall, many ALGs
- Carrier Grade NAT
- VRF-aware
- Hardware accelerated (Crypto + TCAM)

Application Layer Services
- SBC: CUBE Enterprise, CUBE SP (HCS, CTX)
- SIP, NAPT, Megaco/H.248, Topology Hiding
- AppNav – Advanced WAAS redirection
- AVC: NBAR2, hardware accelerated DPI
- Application-aware QoS Policy

2700+ Features!
ASR1000 Unified Communications Applications

Session Border Controller
- Cisco Unified Border Element (ENT) (CUBE(ENT))
- Full trunk-side SBC functionality
- Session Mgmt, Demarcation, Security, Interworking
- Connect CUCM to SIP trunks
- Connect 3rd party IP PBX to SIP trunks
- DSP-based transcoding up to 9000 calls with DSP SPA module; Noise cancellation.
- Hi density Media forking
- UC Service API
- 3rd Party API for call control
- SRTP Encryption HW (ESP)
- Line Side SBC functionality for voice endpoints

Cisco Unified Call Manager (CUCM)
- Software Media Termination Point (MTP)
- Scales to 5000 Sessions

Media Performance Aware
- Performance aware statistics based on media traffic analysis
- Packet loss, Jitter, Delay, Metadata for media flows
- Media trace (traceroute for media flows)
- Class Specific threshold crossing alerts
- Netflow and SNMP/MIB based reporting
- Compatible with Cisco Media architecture and equipment

Routing Baseline
- IPv4 / IPv6 Routing, Transition
- BGP, RIP, IS-IS, OSPF, Static routes
- MPLS L3 VPN, L2VPN, GRE, IPSec
- VPLS, H-VPLS PE; Carrier Ethernet Services
- IPv4 / IPv6 Multicast Router
- MVPN (GRE, mLDP), IGMPv2/v3
- Rich connectivity options
ASR1000 Applications: Carrier Ethernet & MPLS VPN
MPLS L3 VPN Applications
Extensive MPLS feature set

- **VRF-lite/Multi-VRF CE**
  - Sub-interface per VRF for CE/PE Interface
  - Up to 4000 VRFs

- **MPLS VPN (RFC-2547)**
  - IPv4 & IPv6
  - 6PE/6VPE Support
  - MPLS over GRE overlay for large Enterprise VPN

- **MPLS TE/FRR**
  - FRR Link, Path & Node protection
  - RSVP & BFD triggered FRR
  - Path first tunnel computation

- **Multicast VPN**
  - Per-VRF Unicast and Multicast Forwarding
  - PIM or BGP customer signalling; PIM, MLDP or P2MP TE core
MPLS VPN Multi-Service Edge

Layer 3 Routing Protocols Available on PE-CE—Static, RIP, OSPF, EIGRP, eBGP

IP Services Can Be Configured on per-VPN Basis on the PE Router

Traffic Engineering for Bandwidth Protection and Restoration

Layer 3 VPNs, L2VPNs, Traffic Engineering, QoS + IP Services Coexist on a Single Infrastructure

QoS: HQoS and Policing at CE and PE Routers

Layer 2 Circuits Available Ethernet ATM CRoMPLS (VP and VC mode) ATM AAL5, Frame Relay

[Figure: MPLS VPN multi-service edge topology with CE and PE routers around an IP/MPLS backbone and an Internet gateway to the Internet. Legend: Layer 3 VPN, Layer 2 VPN, Traffic Engineering]
Carrier Ethernet Applications
Optimized for 40-Gbps to 200-Gbps Requirements

- Mobile
- Residential
- Business

Access
- MSPP
- Cable
- L2 Point-to-Point
- L2 Multipoint, Bridged
- L2 Multipoint VPLS
- L3 Routed

Aggregation
- Untagged
- Single-tagged
- Double-tagged
- 802.1q
- 802.1ad

Core Network
- IP/MPLS
- LAN
- Provider Edge
- Integration
- L2 L3 Routed
- Untagged
- Single-tagged
- Double-tagged
- 802.1q
- 802.1ad

Edge
- BRAS
- DPI
- SR/PE

Service Edge Integration

Content Farm
- VOD
- TV
- SIP
- Core Network
- MSPP
- Cable
ASR 1000 Carrier Ethernet Capabilities

- Support for EVC infrastructure
  - VLAN tags (single, double, ambiguous, untagged)
  - 802.1ad S-VLANs
  - Custom EtherType (e.g. IPv4/v6, PPPoE Discovery, PPPoE Session)
  - CoS Support (802.1p bits)

- Flexible EVC forwarding services
  - Pseudowire Headend, Bridge Domain Interface

- Ethernet OAM Support
  - Link OAM, CFM, 802.1ag + Y.1731 extensions, 802.3ah, Loopback, ELMI

- Support for E-Line, E-LAN, E-Tree
  - Port/VLAN/1q modes with interworking and local switching!

- Strong UNI features
  - HQoS, Security ACL, MAC Security
  - Flexible Tag Matching and Manipulation

* EVC = Ethernet Virtual Circuit
* UNI = User to Network Interface
Can ASR1000 Be a Layer 2 Switch?

**Yes!**
- EVC Addresses Flexible Ethernet Edge requirements
- Flexible VLAN manipulation
- Virtual interface (BDI) similar to SVI on a switch
- Supports Spanning tree protocols (MST, PVST, RPVST+)
- Supports Various Ethernet encapsulations (802.1Q, 802.1ad, Q-in-Q, 802.1ah)
- VLAN to Forwarding Service (L3/BDI, P2P, P2MP)
- Support E-OAM capabilities (CFM, Y1731, Link EOAM, etc...)

**No!**
- LAN Switch port density
- Lowest cost per port
- Rich IOS LAN switch functionality & Capability

**Answer:**
Handy solution to absorb a switch/trunk in some situations especially for integrated L3 edge applications.
ASR1000 VPLS Services

- VPLS Full-mesh, Hub/Spoke & H-VPLS Provider Edge (PE)
  - 128K MAC Addresses, Broadcast Storm Control
  - VPLS over GRE +IPSec
- VPLS Auto-discovery
  - LDP Signalled (RFC-6074)
  - BGP Signalled (RFC-4761)
- Inter-AS support
  - Option A (BGP signalled)
  - Option B,C (LDP signalled)
- U-PE Dual-homing
  - Multiple Spanning Tree with Control Pseudowire
- Routed Pseudowire
  - VPLS circuit terminated on Bridge Domain Interface

Acronyms:
- CE Customer Edge Device
- n-PE Network Facing Provider Edge
- u-PE User facing Provider Edge
- VSI/VFI Virtual Switching/Forwarding Instance
ASR1000 Applications:
Secure VPN
IPSec VPN Applications

- **GETVPN**
  - MPLS-VPN, VRF-lite, SP Multicast replication
  - Group Key Mgmt, Centralized Key Server

- **DMVPN**
  - RFC-2547oDMVPN, VRF-aware DMVPN,
  - Supports BGP, EIGRP & per tunnel QoS

- **FlexVPN**
  - Remote Access VPN with Policy control
  - User or device security policy through AAA
  - Great for SPs!

- **VRF-awareness**
- **NSA Suite-B Cryptography**
Dynamic Multipoint VPN (DMVPN)
Site-to-Site, Dynamic Full Mesh VPN

- Highly scalable VPN overlay over any transport network. Ideal for Hybrid MPLS/Internet
- Branch spoke sites establish an IPsec tunnel to and register with the hub site
- IP routing exchanges prefix information for each site. BGP or EIGRP for scale.
- With WAN interface IP address as the tunnel address, provider network does not need to route customer internal IP prefixes
- Data traffic flows over the DMVPN tunnels
- When traffic flows between spoke sites, dynamic site-to-site tunnels are established
- Per-tunnel QOS is applied to prevent hub site oversubscription of spoke sites
ASR1000 WAN

Applications: Performance Routing (PfR)
What is Performance Routing (PfR)? Tooling for Intelligent Path Control

“Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic.”

- Cisco IOS technology
- Two components: Master controller and border router
Performance Routing—Components

The Policy Controller: Domain Controller (DC)
- Discover Site Peers and Connected Networks
- Advertise policy and services; Discover topology and prefixes
- One per domain, Collocated with MC.

The Decision Maker: Master Controller (MC)
- Discover BRs, collect statistics
- Apply policy, verification, reporting
- No packet forwarding/inspection required

The Forwarding Path: Border Router (BR)
- Gain network visibility in forwarding path (Learn, measure)
- Enforce MC’s decision (path enforcement)
- Does all packet forwarding

Intelligent Path Control with PfR
Voice and video use case

- PfR monitors network performance and routes applications based on application performance policies
- PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth

- Voice/video takes the best delay, jitter, and/or loss path
- Other traffic is load balanced to maximize bandwidth
- Voice/video will be rerouted if the current path degrades below policy thresholds
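The voice/video use case above, as an added simplified model (not from the original slides and not Cisco's PfR algorithm): voice stays on its path while that path meets policy, moves to the best in-policy path when it degrades, and other flows are spread by resulting link utilization. The path names, metrics, flow sizes and threshold values are all assumptions constructed for the example.

```python
# Constructed, simplified model of the PfR behaviour on this slide.
from dataclasses import dataclass

@dataclass
class Path:
    name: str
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    capacity_mbps: float
    load_mbps: float = 0.0

# Hypothetical voice/video policy thresholds (assumed values).
VOICE_POLICY = {"delay_ms": 150, "jitter_ms": 30, "loss_pct": 1.0}

def in_policy(path, policy):
    """True when every measured metric is within its policy limit."""
    return all(getattr(path, metric) <= limit for metric, limit in policy.items())

def pick_voice_path(paths, current=None, policy=VOICE_POLICY):
    """Stay on the current path while it meets policy; otherwise move to the
    best in-policy path (lowest delay, then jitter, then loss)."""
    if current is not None and in_policy(current, policy):
        return current
    # If no path meets policy, fall back to the least-bad path overall.
    candidates = [p for p in paths if in_policy(p, policy)] or paths
    return min(candidates, key=lambda p: (p.delay_ms, p.jitter_ms, p.loss_pct))

def place_bulk_flows(paths, flows_mbps):
    """Load-balance other traffic: largest flows first, each onto the link
    whose utilization would be lowest after adding the flow."""
    placement = {}
    for flow, mbps in sorted(flows_mbps.items(), key=lambda kv: -kv[1]):
        target = min(paths, key=lambda p: (p.load_mbps + mbps) / p.capacity_mbps)
        target.load_mbps += mbps
        placement[flow] = target.name
    return placement

def demo():
    mpls = Path("MPLS", delay_ms=40, jitter_ms=5, loss_pct=0.1, capacity_mbps=50)
    inet = Path("INET", delay_ms=60, jitter_ms=12, loss_pct=0.3, capacity_mbps=200)
    paths = [mpls, inet]
    before = pick_voice_path(paths).name            # both in policy: lowest delay wins
    mpls.loss_pct = 4.0                             # MPLS degrades below policy
    after = pick_voice_path(paths, current=mpls).name
    bulk = place_bulk_flows(paths, {"backup": 80, "email": 20, "web": 40})
    return before, after, bulk
```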
ASR1000 and Cisco Intelligent WAN (IWAN)

IWAN sessions this week:
- BRKARC-2000: IWAN Architecture
- BRKCRS-2002: IWAN Design and Deployment Workshop
- BRKRST-2514: Application Optimization and Provisioning the Intelligent WAN (IWAN)
- BRKNMS-2845: IWAN and AVC Management with Cisco Prime Infrastructure
- BRKRST-2362: Implementing Next Generation Performance Routing – PfRv3
- BRKRST-2041: WAN Architecture and Design Principles
- BRKRST-2042: Highly Available Wide-Area Network Design

Intelligent WAN: Leveraging the Internet
Secure WAN Transport and Internet Access

- Secure WAN transport for private and virtual private cloud access
- Leverage Local Internet path for public cloud and Internet access
- Increased WAN transport capacity, and cost-effectively!
- Improve application performance (right flows to right places)

Intelligent WAN Solution Components

Transport Independent
- Consistent operational model
- Simple provider migrations
- Scalable and modular design
- DMVPN IPsec overlay design

Intelligent Path Control
- Application best path based on delay, loss, jitter, path preference
- Load balancing for full utilization of all bandwidth
- Improved network availability
- Performance Routing (PfR)

Application Optimization
- Akamai Caching and Best Path selection
- Performance Monitoring with Application Visibility and Control (AVC)
- Acceleration and bandwidth savings with WAAS

Secure Connectivity
- Certified strong encryption
- Comprehensive threat defense with ASA and IOS firewall/IPS
- Cloud Web Security (CWS) for scalable secure direct Internet access

SD-WAN Automation with IWAN

- APIC-EM Centralized Policy expression & distribution
- Distributed Policy Enforcement
- Automated Application & Topology discovery
- Application & Network performance monitoring
- Adaptive path selection and QoS to sustain policy
- Performance analytics collected network-wide and reported centrally

IWAN Automated Secure VPN

- **Secure Bootstrap**
- **Automatic Configuration and Trust Establishment**
- **Dynamic VPN Establishment**
- **Automatic Session Key Refresh (IKEv2)**
- **Trust Revocation**

[Diagram labels: Key and Certificate Controller; Configuration Orchestration; Optional External Certificate Authority; 1H2015; IWAN App, Prime, 3rd Party; Deploy, Search, Retrieve, Revoke]

Start with Cisco AX Routers
Embedded IWAN Capabilities: 3900 | 2900 | 1900 | 890 | 4000 | ASR1000

SUMMARY
Summary and Key Takeaways

• ASR 1000 is the Swiss Army Knife to solve your tough network problems

• Reduce complexity in your network edge

• ASR 1000 is positioned for both Service Provider and Enterprise Architectures

• ASR1000 is at the heart of Cisco IWAN for SP and Enterprise Applications
  One IOS-XE everywhere with ISR4000

• Come see live at our WOS Booth!