Enterprises that maintain their own networks demand intelligent routing products and cutting-edge technology for high-performance, secure, feature-rich, and affordable connectivity between headquarters and the Internet through a service provider network.
This deployment differs from WAN aggregation or private WAN: it connects the enterprise to a public network, which requires the infrastructure to be very secure, service-aware, and highly available.
Selecting a product for this place in the network comes with many challenges. An ideal device needs to be flexible with regard to features and variety of interfaces, and it must be able to scale without requiring a complete system upgrade. Another critical attribute is High Availability: applications should remain available when a software or hardware failure causes a data-plane or control-plane problem.
Internet Gateway Router Requirements
Table 1 captures the requirements for Internet gateway deployments.
Table 1. Various requirements for this place in the network (Internet Gateway Router)
Basic features: Network Address Translation (NAT); Access control list (ACL); Firewall; Application availability; Network accounting/management
Scale: 5-20 Gbps with services turned on; Converged device requiring no services module for basic services
High Availability: Non-Stop Routing (NSR); Nonstop Forwarding with Stateful Switchover (NSF/SSO); Scalable and modular control plane; Routing- and forwarding-plane redundancy
High-touch services: NAT, VPN, and Firewall with application awareness; IPv6 and related features; Stateful NAT and Firewall; Performance-based routing; Extensive network flow monitoring
Interface diversity: OC-3 and OC-12; Fast Ethernet and Gigabit Ethernet; 10 Gigabit Ethernet; DS-3 and DS-1
Infrastructure security: Denial-of-service (DoS) and distributed DoS (DDoS) mitigation; Control-plane protection; Total separation of control, data, and I/O planes
Internet Gateway Topologies
Consider the common topologies used today for this deployment (Figures 1 and 2).
The usual head-end deployment uses a WAN router along with several network appliances to provide the firewall and VPN functions.
Figure 1. Single Internet Gateway Router Deployment
Figure 2. Dual Internet Gateway Router Deployment
The router portfolio for the Cisco® Internet Gateway solution, deployed in the largest and most demanding enterprise networks worldwide, offers a wide range of connectivity options, multiprotocol support, and software features for network intelligence at high performance. Cisco Internet gateway routers have the flexibility, scalability, and feature richness to facilitate new applications and services while delivering security, resilience, lower total cost of ownership, and ease of deployment and management.
Cisco supercharges the industry's most comprehensive class of midrange routers by introducing a new carrier-class platform of routers: the Cisco ASR 1000 Series Aggregation Services Routers. This platform brings new features and functions to the Internet gateway of the future by integrating services at 5 to 20 Gbps while at the same time increasing connectivity options.
Cisco ASR 1000 Series Routers
Cisco ASR 1000 Series Aggregation Services Routers are next-generation, modular, services-integrated routing platforms designed with the flexibility to cover a wide range of performance and scaling: 4 to 16 Mpps of packet forwarding and 5 to 20 Gbps of system bandwidth.
Key System Innovations
Cisco ASR 1000 Series Routers bring many innovations to the routing industry, including:
• Extremely modular, flexible, and integrated design to meet changing requirements in today's networks
• First revolutionary Cisco QuantumFlow Processor technology-based platform that facilitates various services up to 20 Gbps
• True carrier-class system design with In Service Software Upgrade (ISSU) that results in nonstop router operation
• Complete logical and physical separation of system routing, forwarding, and I/O planes, resulting in a system that is highly robust yet flexible to meet always-increasing performance needs
• Ability to store the full Internet routing table on the Cisco ASR 1000 Series Route Processor 1 (RP1)
• Software modularity to minimize the effects of software upgrades in the system and lower operating expenses (OpEx)
• Highly sophisticated system software and hardware design to boost application availability, even during system oversubscription
• System that reuses the investment made in network I/O by way of shared port adapters (SPAs)
Cisco ASR 1000 System Brief Overview
The Cisco ASR 1000 Series Routers address the performance gap between Cisco 7200 and Cisco 7600 Routers. This platform is fully modular from both hardware and software perspectives and has all the elements of a true carrier-class routing product serving both enterprise and service provider networks.
The Cisco ASR 1000 Series product line includes various packaging options differentiated by the number of I/O slots, capacity, redundancy, and power. A common hardware and software architecture and common components are used across these routers to support the various modular and nonmodular chassis configurations (ranging from 2 to 6 rack units). The following chassis options are available:
• Cisco ASR 1002 (2-rack-unit [2RU] chassis with the modular Cisco ASR 1000 Series Embedded Services Processor [ESP] and fixed Cisco ASR 1000 Series RP1 and Cisco ASR 1000 Series SPA Interface Processor [SIP] with 4 built-in Gigabit Ethernet ports)
• Cisco ASR 1004 (4RU chassis with modular ESP, route processor, and SIPs)
• Cisco ASR 1006 (6RU chassis with modular and redundant ESPs, route processor, and SIPs for SPA connectivity)
Two ESPs are available (the 5-Gbps Cisco ASR 1000 Series ESP [ESP5, part number ESP-5G] and the 10-Gbps Cisco ASR 1000 Series ESP [ESP10, part number ESP-10G]), providing 5 and 10 Gbps of system bandwidth, respectively.
The performance and scaling of the Cisco ASR 1000 Series Routers for a forwarding-plane-bound feature are dictated by the capability of the central forwarding engine, the ESP card. Different ESP options are offered for all chassis to give you cost, performance, and scaling choices.
For enterprises, the Cisco ASR 1000 is intended as the midsize aggregation and gateway product, typically residing in a regional WAN or WAN edge or large branch office and providing throughput in the 5- to 10-Gbps range with various services turned on.
High-Level System Architecture and Partitioning
At a very high level, the Cisco ASR 1000 Series Router can be partitioned into three elements: network control (route processor), data-plane forwarding (ESP), and network I/O (SIP). Figure 3 shows the Cisco ASR 1006 Router with two route processors, two ESPs, and three SIPs.
One of the key differentiators of the platform is the logical and physical isolation of these planes in the system, which enables nonstop operation and various types of resilience. For example, the routing plane is completely isolated from the forwarding plane (in fact, they are separate cards), so load on one does not affect the other.
Figure 3. Cisco ASR 1006 Router with Two Route Processors, Two ESPs, and Three SIPs
With Cisco ASR 1000 Series Routers, multiple high-touch services and functions can actually be collapsed into one device.
Figure 4. Multiservice edge deployment that collapses the WAN aggregation and Internet gateway functions onto a single Cisco ASR 1000 Series router
In most scenarios, a single Cisco ASR 1006 Router should be able to provide the desired High Availability, resilience, and redundancy for both the WAN aggregation and Internet gateway functions in one chassis.
The following sections discuss each of the gateway router requirements and how the Cisco ASR 1000 Series Routers not just meet but exceed them.
Basic Features and High Availability
Cisco ASR 1000 Series Routers provide multigigabit Network Address Translation (NAT) and Port Address Translation (PAT) performance up to 20 Gbps to meet the mid- to high-end requirements for Internet gateway functions. NAT application awareness covers protocols such as Skinny Client Control Protocol (SCCP), Session Initiation Protocol (SIP) over UDP, H.323, and Domain Name System (DNS).
Cisco ASR 1000 Series Routers also bring innovations to the existing implementation to enhance the High Availability and resilience aspects.
• Stateful ESP-to-ESP NAT, firewall, and IPsec high availability maintains nonstop NAT and firewall operation when one ESP goes down and the data plane takes a hit. Every completed NAT or firewall session is replicated to the standby ESP in the same chassis to achieve this behavior.
• The Cisco QuantumFlow Processor (QFP) performs the complete NAT session setup processing, including Application Layer Gateways (ALGs). All Layer 4 to Layer 7 zone-based firewall session processing takes place inside the QFP, achieving up to 5, 10, and 20 Gbps of performance. This also frees the route processor to continue control-plane processing.
• High-speed NAT and firewall translation logging is available through the High Speed Logger (HSL). HSL uses NetFlow v9 templates to export binary syslog records to HSL collectors, so NAT can run at multigigabit rates while NAT and firewall session creation and teardown records are still captured at that speed.
• Cisco IOS Embedded Event Manager (EEM) is a powerful ally for device and system management available at FCS. EEM enables customers to harness the network intelligence intrinsic to Cisco IOS and customize the behavior based on real network events as they happen.
• SNMP v1, v2c, and v3 are all supported at FCS for robust and backward-compatible network management operations.
• An extensive IPv6 feature set is supported at FCS. It includes global unicast, global multicast, link local addresses, v6-to-v4 tunnels, v6 multicast, OSPFv3 and MIB support.
Cisco Feature Navigator can be used to get details of all NAT- and firewall-related features for the Cisco ASR 1000 Series Router.
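The HSL export described above is binary NetFlow v9 rather than text syslog, so a collector has to learn the template first and then decode each NAT event record against it. The following decoder is an added example written for this page, not Cisco's code: the field IDs are the IANA NetFlow v9/IPFIX information elements for pre- and post-NAT addresses, ports and natEvent, while the exact template layout an ASR 1000 emits, the template ID, and the sample packet are constructed assumptions. It also replays create and delete events to recover which translations are still active, which is what an analyst typically needs when tracing a public address back to an inside host.

```python
"""Decode NetFlow v9 NAT event records of the kind HSL exports.
Added example for this page, not Cisco's code. Field IDs are IANA
information elements; the template an ASR 1000 actually sends is assumed."""
import struct
import ipaddress

# IANA NetFlow v9/IPFIX element IDs (assumed to match the exporter's template)
IP_FIELDS = {8: "src", 12: "dst", 225: "src_xlated", 226: "dst_xlated"}
INT_FIELDS = {7: "sport", 11: "dport", 227: "sport_xlated", 228: "dport_xlated",
              4: "proto", 230: "event"}
NAT_EVENT = {1: "create", 2: "delete"}  # IANA natEvent values
TEMPLATE_ID = 256                        # assumed; must be >= 256 in v9
TEMPLATE_FIELDS = [(8, 4), (225, 4), (12, 4), (226, 4), (7, 2), (227, 2),
                   (11, 2), (228, 2), (4, 1), (230, 1)]


def build_packet(records):
    """Construct a sample export datagram: header, template flowset, data flowset."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl   # flowset id 0 = template
    body = b""
    for r in records:
        for key in ("src", "src_xlated", "dst", "dst_xlated"):
            body += ipaddress.IPv4Address(r[key]).packed
        body += struct.pack("!HHHHBB", r["sport"], r["sport_xlated"], r["dport"],
                            r["dport_xlated"], r["proto"], r["event"])
    pad = (-len(body)) % 4                                   # flowsets end on 4-byte boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, 1, 0)
    return header + tmpl_fs + data_fs


def _parse_templates(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        if tid < 256 or off + 4 * count > len(body):
            raise ValueError("malformed template flowset")
        templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(count)]
        off += 4 * count


def _decode_record(raw, fields):
    rec, off = {}, 0
    for ftype, flen in fields:
        chunk = raw[off:off + flen]
        off += flen
        if ftype in IP_FIELDS:
            rec[IP_FIELDS[ftype]] = str(ipaddress.IPv4Address(chunk))
        elif ftype == 230:
            rec["event"] = NAT_EVENT.get(chunk[0], "unknown")
        else:
            rec[INT_FIELDS.get(ftype, "field_%d" % ftype)] = int.from_bytes(chunk, "big")
    return rec


def parse_packet(data, templates=None):
    """Return decoded data records; pass the same templates dict across datagrams."""
    templates = {} if templates is None else templates
    version = struct.unpack_from("!HHIIII", data, 0)[0]
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, off = [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, off)
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("malformed flowset")         # truncated or forged export
        body = data[off + 4:off + fs_len]
        if fs_id == 0:
            _parse_templates(body, templates)
        elif fs_id >= 256 and fs_id in templates:
            fields = templates[fs_id]
            rec_len = sum(n for _, n in fields)
            for i in range(len(body) // rec_len):
                records.append(_decode_record(body[i * rec_len:(i + 1) * rec_len], fields))
        # options templates (id 1) and data for unseen templates are skipped
        off += fs_len
    return records


def active_translations(records):
    """Replay create/delete events to recover the translations still in place."""
    active = {}
    for r in records:
        key = (r["src"], r["sport"], r["proto"])
        if r["event"] == "create":
            active[key] = (r["src_xlated"], r["sport_xlated"])
        elif r["event"] == "delete":
            active.pop(key, None)
    return active


# Constructed sample (RFC 5737 addresses): two sessions created, the first torn down
SAMPLE_EVENTS = [
    dict(src="10.1.1.5", src_xlated="203.0.113.10", dst="198.51.100.20", dst_xlated="198.51.100.20",
         sport=40000, sport_xlated=1024, dport=443, dport_xlated=443, proto=6, event=1),
    dict(src="10.1.1.7", src_xlated="203.0.113.10", dst="198.51.100.53", dst_xlated="198.51.100.53",
         sport=53001, sport_xlated=1025, dport=53, dport_xlated=53, proto=17, event=1),
    dict(src="10.1.1.5", src_xlated="203.0.113.10", dst="198.51.100.20", dst_xlated="198.51.100.20",
         sport=40000, sport_xlated=1024, dport=443, dport_xlated=443, proto=6, event=2),
]
SAMPLE_PACKET = build_packet(SAMPLE_EVENTS)

if __name__ == "__main__":
    decoded = parse_packet(SAMPLE_PACKET)
    for rec in decoded:
        print(rec)
    print("active:", active_translations(decoded))
```

A real collector keeps the templates dict per exporter (source address plus source ID), because a data flowset that arrives before its template cannot be decoded and must be discarded rather than guessed at; the decoder above returns no records for such a datagram and picks the data up once the template has been seen.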
Scale
Cisco ASR 1000 Series Routers provide various price-to-performance options for scaling NAT up to 20 Gbps.
NAT performance is a function of the Cisco ASR 1000 ESP in the system, and the ESP is available in all chassis options as a fully modular, field-replaceable unit (FRU). The result is an Internet gateway design that accommodates future requirements: you can start with the ESP5 and later scale up by upgrading only the ESP.
The ESP10G supports up to 500,000 concurrent NAT sessions and up to 20,000 sessions per second.
Table 2. FW/NAT/IPsec performance and scale across ESPs
Feature   | ESP-5G                                           | ESP-10G
NAT       | 250K concurrent sessions; up to 20K sessions/sec | 500K concurrent sessions; up to 40K sessions/sec
Firewall  | Up to 5 Gbps                                     | Up to 10 Gbps
NetFlow   | 500K flow records                                | 1M flow records
IPsec     | 5K tunnels; up to 50 tunnels/sec                 | 10K tunnels; up to 50 tunnels/sec
High-Touch Services
Cisco ASR 1000 Series Routers accelerate most of the high-touch services using the ESP. Relevant services at this place in the network include:
• Firewall
• IPsec
• QoS
• NBAR (Network Based Application Recognition)
• GRE
• Full and Sampled NetFlow
QoS is supported at multigigabit rates without any significant degradation of other data-plane-bound functions, and with no degradation of control-plane-related features.
Cisco ASR 1000 Series Routers set a new benchmark by integrating security, routing, and many more services into a single router data plane, resulting in an extremely service-rich router family with a 10-Gbps footprint even at 2 rack units.
Interface Diversity
Cisco ASR 1000 Series Routers support almost all widely used interfaces, at speeds up to OC-192, in all chassis options from the Cisco ASR 1002 Router to the Cisco ASR 1006 Router.
Following is the complete list of SPAs that are supported at platform first customer shipment (FCS):
• 8-port Gigabit Ethernet
• 1-port 10 Gigabit Ethernet
• 2-, 5-, and 10-port Gigabit Ethernet
• 8-port Fast Ethernet
• 8-port T1/E1
• 2- and 4-port T3/E3
• 2- and 4-port OC-3/STM-1 Packet over SONET/SDH (PoS)
• 1-port OC-12/STM-4 PoS
• 2- and 4-port Channelized T3
• 4-port serial (12-in-1)
Further SPA support will come in later software releases.
Infrastructure Security
Cisco ASR 1000 Series Routers are built to enhance the security of the routing infrastructure.
Following are a few platform-related features that provide security to thwart denial-of-service (DoS) and distributed DoS (DDoS) attacks:
• True isolation of control and data planes: Every transit packet going through the router is forwarded by the system data plane, so control-plane cycles are spent only on traffic that needs route-processor attention.
• Every punt packet (a packet that ends up going to the route processor for processing) has to go through the ESP first, which makes Control Plane Policing (CoPP) effective for all traffic entering the route processor. Because policing is done in ESP hardware, it does not add load to the route processor.
• Cisco IOS Software Zone-Based Policy Firewall is also supported, further securing the platform and the network users behind it.
• Cisco ASR 1000 Series Routers also allow oversubscription of the platform data plane. You can classify priority traffic into a "fast lane" throughout the system (that is, ingress SIP, ESP, and egress SIP) as long as it does not exceed the total system bandwidth (5 Gbps for the ESP5G and 10 Gbps for the ESP10G).
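The two design points in the first two bullets, that transit traffic never touches the route processor and that punt traffic is rate-limited per class before it gets there, are easy to see in a small model. The following is an added illustration written for this page, not ASR 1000 code: the router addresses, BGP peer, management subnet, class rates, and packet stream are all constructed assumptions, and the token bucket stands in for the hardware policer. It shows an ICMP flood aimed at the router being capped at its class rate while BGP keepalives and management sessions in their own classes keep conforming.

```python
"""Model of ESP-side Control Plane Policing in front of the route processor.
Added illustration for this page, not ASR 1000 code: router addresses, peers,
class rates, and the packet stream below are all constructed assumptions."""
from collections import Counter

ROUTER_ADDRS = {"192.0.2.1", "203.0.113.1"}   # assumed interface addresses
BGP_PEERS = {"203.0.113.2"}                    # assumed configured neighbors
MGMT_PREFIX = "192.0.2."                       # assumed management subnet
# class -> (packets per second, burst); assumed policer values, not Cisco defaults
POLICY = {"routing": (1000, 100), "management": (100, 20),
          "icmp": (10, 5), "default": (50, 10)}


class TokenBucket:
    """Single-rate policer: a packet conforms only if a token is available."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def needs_punt(pkt):
    """Only packets addressed to the router (or needing RP handling) leave the data plane."""
    return pkt["dst"] in ROUTER_ADDRS or pkt["ttl"] <= 1


def classify(pkt):
    """Map a punt candidate to a CoPP class; first match wins."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 179 and pkt["src"] in BGP_PEERS:
        return "routing"
    if pkt["proto"] == "tcp" and pkt["dport"] == 22 and pkt["src"].startswith(MGMT_PREFIX):
        return "management"
    if pkt["proto"] == "icmp":
        return "icmp"
    return "default"


def police(packets):
    """Run the stream through the per-class policers; return punted/dropped counts."""
    buckets = {cls: TokenBucket(*cfg) for cls, cfg in POLICY.items()}
    stats = Counter()
    for pkt in sorted(packets, key=lambda p: p["t"]):
        if not needs_punt(pkt):
            stats["transit"] += 1          # forwarded by the ESP, never policed
            continue
        cls = classify(pkt)
        verdict = "punted" if buckets[cls].conform(pkt["t"]) else "dropped"
        stats[f"{cls}:{verdict}"] += 1
    return stats


def mk(t, src, dst, proto, dport=0, ttl=64):
    return {"t": t, "src": src, "dst": dst, "proto": proto, "dport": dport, "ttl": ttl}


# Constructed sample stream (RFC 5737 addresses): BGP keepalives, three SSH logins
# from management, transit web traffic, one SSH attempt from outside management,
# and 200 ICMP echo requests to the router inside 40 ms.
SAMPLE_STREAM = (
    [mk(i * 0.001, "203.0.113.2", "203.0.113.1", "tcp", 179) for i in range(20)]
    + [mk(i * 0.01, "192.0.2.50", "192.0.2.1", "tcp", 22) for i in range(3)]
    + [mk(i * 0.001, "10.1.1.5", "198.51.100.77", "tcp", 443) for i in range(50)]
    + [mk(0.02, "198.51.100.9", "203.0.113.1", "tcp", 22)]
    + [mk(i * 0.0002, "198.51.100.9", "203.0.113.1", "icmp") for i in range(200)]
)

if __name__ == "__main__":
    for key, n in sorted(police(SAMPLE_STREAM).items()):
        print(f"{key:20s} {n}")
```

The point to take from the counters is that the 50 transit packets never appear in any class, and that the ICMP flood exhausts only its own bucket: five packets fit the burst and the rest are dropped, while the routing and management classes are unaffected because each class is policed independently.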
Sensitivity to Total Cost of Ownership (TCO)
TCO takes into account the indirect costs of a network - money spent on system design, installation, administration, and support - along with intangibles such as lost revenue resulting from the failure of mission-critical network functions. Accounting for indirect costs allows a company to put a price tag on the lost productivity caused by system crashes, ineffective repairs, and recurring problems.
Cisco ASR 1000 Series routers exceed expectations on all fronts relating to TCO. The platform is designed from the ground up to avoid downtime by using various forms of software and hardware redundancy. In addition, the Cisco ASR 1000 runs Cisco IOS Software based on the 12.2SR release and brings with it the familiar troubleshooting, maintenance, and instrumentation tools that support continuous operation. This also results in shorter qualification cycles (existing scripts and procedures can be reused to measure the box's performance) and virtually eliminates retraining for platform configuration and deployment.
Conclusion
The Cisco ASR 1000 Series Routers offer true carrier-class Internet gateway functions, with redundant routing- and forwarding-plane components, High Availability, and ISSU for Cisco IOS Software with NSF/SSO and SPA drivers. These routers take advantage of the flexibility and faster service delivery of the Cisco QuantumFlow Processor, starting at 5 and 10 Gbps.