Cisco ISR 1100 and ISR 1100X Series Branch Platforms Architecture White Paper
Available Languages
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
What makes the Cisco ISR 1100 and ISR 1100X Series branch platforms best-in-class enterprise branch routing platforms?
Cisco launched the 1100 Series Integrated Services Router (ISR 1100) platforms in November 2019. These platforms were purpose-built as migration platforms for the Cisco vEdge 100 and vEdge 1000 routers and supported only the Viptela OS. Cisco also launched the 1100X Series (ISR 1100X) platforms in January 2021 and brought in support for Cisco IOS XE SD-WAN on the existing ISR 1100 and the new ISR 1100X Series platforms. These platforms address a multitude of deployment use cases, such as multilayer security with accelerated SD-WAN services, multicloud access, Application Quality of Experience (AppQoE), and Secure Access Service Edge (SASE). This white paper provides an in-depth look at the architecture and key building blocks of the ISR 1100 and ISR 1100X Series platforms. The information provided here will enable you to design best-in-class networks using these platforms.
Introduction to the ISR 1100 and ISR 1100X Series platforms
The Cisco ISR 1100 and ISR 1100X Series branch platforms come in a fixed form factor for small to medium-sized branch deployments. Five models are available:
● ISR 1100-4G (1 RU migration platform for vEdge 100B)
● ISR 1100-4GLTE (1 RU migration platform for vEdge 100M)
● ISR 1100-6G (1RU migration platform for vEdge 1000)
● ISR 1100X-4G (1RU migration platform for vEdge 100B; supports full SD-WAN security stack)
● ISR 1100X-6G (1RU migration platform for vEdge 1000; supports full SD-WAN security stack and on-box storage of the URL filtering database)
The ISR 1100 and ISR 1100X Series platforms support both Viptela OS and Cisco IOS XE SD-WAN software starting with Cisco IOS XE Release 17.4.1a and Viptela Release 20.4.1. This enables seamless migration for customers currently running Viptela OS on ISR 1100 Series platforms to Cisco IOS XE SD-WAN starting with Cisco IOS XE Release 17.4.1a.
The ISR 1100 and ISR 1100X Series branch platforms are built on an x86 SoC multicore CPU system architecture and come with four built-in WAN ports. The ISR 1100-6G and ISR 1100X-6G come with an additional two 1 Gigabit Ethernet (1G) Small Form-Factor Pluggable (SFP) ports for fiber connectivity.
The Intel Data Plane Development Kit (DPDK) framework and Quick Assist Technology (QAT) engine enable improved performance for crypto IPsec traffic and other data plane features.
The ISR 1100X Series platforms support dynamic core allocation capability, one of the key data path innovations in System-on-a-Chip (SoC) architecture platforms. This enables flexibility for productively using the CPU cores based on the needs of service-focused or data plane-focused deployment models.
The ISR 1100-4G platform includes the following components:
● Four 1G WAN ports
● Fixed 4 GB DRAM
● Fixed 8 GB eMMC flash
● One USB 3.0 port (Type A)
● Nonredundant AC or DC power supply
● Removable fan assembly
● One RJ-45 serial console
ISR 1100-4G model
The ISR 1100-4GLTE platform includes the following components:
● Four 1G WAN ports
● Fixed 4 GB DRAM
● Fixed 8 GB eMMC flash
● Integrated CAT-4 LTE with two LTE antenna SMA connectors on the left and right side of the platform
● LTE micro-USB debug port
● Received Signal Strength Indicator (RSSI) LED
● One micro-SIM slot
● SIM LED
● One USB 3.0 port (Type A)
● Nonredundant AC or DC power supply
● Removable fan assembly
● One RJ-45 serial console
ISR 1100-4GLTE model
The ISR 1100-6G platform includes the following components:
● Four 1G WAN ports
● Two 1G SFP ports
● Fixed 4 GB DRAM
● Fixed 8 GB eMMC flash
● One USB 3.0 port (Type A)
● Nonredundant AC or DC power supply
● Removable fan assembly
● One RJ-45 serial console
ISR 1100-6G model
The ISR 1100X-4G platform includes the following components:
● Four 1G WAN ports
● Fixed 8 GB DRAM
● Fixed 8 GB eMMC flash
● One USB 3.0 port (Type A)
● Nonredundant AC or DC power supply
● Removable fan assembly
● One RJ-45 serial console
ISR 1100X-4G model
The ISR1100X-6G platform includes the following components:
● Four 1G WAN ports
● Fixed 8 GB DRAM
● Fixed 16 GB eMMC flash
● One USB 3.0 port (Type A)
● Nonredundant AC or DC power supply
● Removable fan assembly
● One RJ-45 serial console
ISR 1100X-6G model
The Cisco ISR 1100 and ISR 1100X Series are best-in-class platforms delivering WAN connectivity for secure SD-WAN branch deployments, with security either deployed on-premises or delivered in the cloud. The ISR 1100X Series platforms also accelerate critical TCP sessions and minimize the impact of high WAN latency with AppQoE to provide a much better application experience for your SaaS applications or your business-critical applications hosted in the data center or by any of the cloud providers.
When powered by Viptela OS, the routers bring pure-play SD-WAN support, and when powered by Cisco IOS XE SD-WAN, they bring feature-rich SD-WAN. Cisco IOS XE SD-WAN enables a fully programmable architecture with analytics and telemetry and an automation that is unmatched in the industry. Zero-touch provisioning enables deployment at scale while migrating workloads to the cloud.
Table 1. Minimum software versions supported
|
|
Cisco IOS XE SD-WAN Minimum software version supported |
Viptela OS Minimum software version supported |
| ISR 1100-4G |
17.4.1a |
19.2 |
| ISR 1100-4GLTE |
17.4.1a |
19.2 |
| ISR 1100-6G |
17.4.1a |
19.2 |
| ISR 1100X-4G |
17.4.1a |
20.4 |
| ISR 1100X-6G |
17.4.1a |
20.4 |
The figure below depicts feature capabilities differences between Viptela OS and Cisco IOS XE SD-WAN on these platforms.
Comparison of Cisco IOS XE SD-WAN and Viptela OS for the ISR 1100 and ISR 1100X Series branch platforms
Security is built into every aspect of our products. A comprehensive layered security approach is built into both our hardware and software.
All our Cisco IOS XE based platforms, including the ISR 1100 and ISR 1100X Series branch platforms, have built-in hardware and software security functions called Cisco Trustworthy Solutions.
This built-in security feature validates the hardware and software using Cisco digital signatures or certificates when a device first boots up, and if any of the digital checks fail, the device will not let the software boot, in order to prevent malicious code from running.
A second layer of hardware authenticity checks involves the Trust anchor module (Tam) chipset. It performs a crypto check using a Secure Unique Device Identifier (SUDI) certificate that is unique to every Cisco device. This preinstalled, unique Cisco digital certificate brings authenticity and integrity to the ISR 1100 and ISR 1100X Series platforms to protect against any attacks.
In the figure below, you can see that there are six different layers of security with different aspects that help ensure that the hardware and software are authentic before the device boots up and is operational for handling network traffic
Components of Cisco Trustworthy Solutions
The ISR 1100 and ISR 1100X Series branch platforms are built on x86 SoC multicore CPUs. The dynamic core allocation feature is available only on the ISR 1100X Series, which supports 8 GB DRAM.
These are 4-core systems with the default service plane optimized mode on the ISR 1100X Series platforms.
Dynamic Core Allocation allows a variable distribution of cores depending on whether the router is in the service plane optimized or data plane optimized mode.
The figure below depicts the allocation of CPU cores on the ISR 1100X-4G and ISR 1100X-6G platforms in service plane-optimized (default) and data plane-optimized modes.
Dynamic core allocation in the ISR 1100X-4G and ISR 1100X-6G platforms
The Cisco x86 SoC CPU architecture includes the following principal components:
The dynamic core allocation feature is one of the key building blocks on the ISR 1100X Series platforms. There are four cores available on these platforms, with one core allocated to the control plane and the rest of allocated between the data plane and service plane functions. For example, if your intention is to run application services as hosted services within the router, you can let the system boot up in the default service optimized mode, but if you do not have hosted services in your deployment, you can repurpose the service cores to data plane operations, thus allocating more cores for feature processing and improving the performance of the data plane features. This flexibility is achieved by a single command line executed directly on the platform terminal or from a centralized orchestration platform such as vManage.
Some of the services and applications that can be run inside the platform Cisco IOx containers are:
● Unified Threat Defense (UTD), which includes intrusion prevention, URL filtering, Cisco Secure Endpoint, and Cisco Secure Malware Analytics
● AppQoE features such as TCP optimization, Forward Error Correction (FEC), and packet duplication
Packet Processing Engine (PPE): The Packet Processing Engine (PPE) is an important part of the data plane core architecture. The main functionality of PPE is packet processing. In a 4-core system there are two or three cores dedicated for PPE functionality based on whether the service or data plane mode of operation is enabled on the platform. These PPEs provide a massive amount of parallel processing, and the assigned PPE is responsible for the packet for its entire life in on-chip memory before it is sent to the traffic manager for scheduling. Each PPE has access to an array of hardware-assist functions such as Layer 1 and Layer 2 cache for feature acceleration of network address and prefix lookups, hash lookups, Weighted Random Early Detection (WRED), traffic policers, range lookups, advanced classification, and access control lists. In situations where flows need to be controlled, a lock manager assures the proper packet ordering for flows. Another key resource for the data plane is the off-chip cryptographic engine (QAT engine), which is accessible from each PPE to speed up the cryptographic encryption and decryption packet processing.
Data Plane Development Kit (DPDK)
The ISR 1100 and ISR 1100X Series Branch Platforms have leveraged new DPDK (Data Path Development Kit) libraries to grant user processes access to the network interface controller I/O entities. The Polling-Mode Drivers (PMDs) enable the feature execution without the need for a system-call.
Intel Quick Assist Technology (Intel QAT)
The Cisco ISR 1100 and ISR 1100X Series branch platforms have enabled Quick Assist Technology (QAT) in the multicore x86 implementation. This technology has dramatically boosted the security and compression acceleration to improve crypto performance on these platforms.
The control plane implementations of the ISR 1100 and ISR 1100X Series branch platforms are responsible for the following functions:
● Running the router control plane, including network control packets and connection setup
● Managing the Routing Information Base (RIB or routing table)
● Code storage, management, and upgrade
● On-Board Failure Logging (OBFL)
● Downloading of operational code for interface control blocks
● Command-Line Interface (CLI), alarm, network management, logging, and statistics aggregation
● Punt path to the data plane cores for packet processing
● Configuration repository along with logging system statistics, CLI, records, events, errors, and dumps and the management interfaces of the platform, including the console port
● Chassis management, image management and distribution, logging facilities, distribution of user configuration information, and alarm control
● Control signals for monitoring the health of the overall system
Let us have a look at high-level block diagrams for the ISR 1100X-4G and ISR 1100X-6G branch platforms.
ISR 1100X-4G system block diagram
The major difference between the ISR 1100X-4G and ISR 1100X-6G are the two front-panel SFP ports and 16 GB flash.
ISR 1100X-6G system block diagram
The important hardware entities within the ISR 1100X system are:
● Single-core control plane on the x86 processor, which runs IOSd and other required system processes.
● Two or three cores for data plane feature processing.
● Intel’s Data Plane Development Kit (DPDK) for a fast packet-processing ecosystem that operates in Linux user space. This framework provides a set of libraries that enable a general abstraction layer for packet buffers, system memory allocation and deallocation, hash algorithms for longest prefix match, and more.
● Intel QAT engine for cryptographic and compression acceleration for faster encryption and decryption by offloading it from the data plane cores.
● Two additional SFP ports on the ISR 1100X-6G for fiber connectivity.
● USB 3.0 interface for Cat4 USB LTE dongle support.
● 8 GB DRAM support for services and application hosting and higher feature scale.
The ISR 1100 and ISR 1100X Series branch platforms come with an x86 SoC multicore architecture and a data plane that makes all the forwarding decisions by synchronizing the routing information from the control plane Routing Information Base (RIB) and building a forwarding table called the Forwarding Information Base (FIB).
The following steps elaborate on the details of the packet flow:
1. Layer 1 checks at the interface PHY are processed at the built-in interface receive (Rx) path, and the packets then get handed over to the data plane, which also handles the DPDK framework.
2. Layer 2 packet validations, such as Cyclic Redundancy Check (CRC), Maximum Transmission Unit (MTU), and runt errors, are checked on the integrated MAC on the PHY itself.
3. When the packets are received on the front-panel GE ports, they will arrive at the kernel-space GE drivers. DPDK PMD drivers will directly poll packets to the data plane Rx processes, which enqueue them for distribution.
4. Packets are stored in the packet buffer queue and then dispatched to the PPEs for feature processing and forwarding.
5. If the packet needs to be encrypted or decrypted (IPsec), it gets handed over to the crypto engine (QAT) prior to further processing.
6. The crypto operation is done entirely within the crypto engine, which is equipped with dedicated compute and memory for cipher and digest algorithm application.
7. After the ingress features are applied on the packet, FIB lookup happens to figure out the egress path. The packets are then enqueued for an egress operation based on the configured Feature Invocation Arrays (FIAs).
8. After egress FIA processing, the packet gets copied to the packet buffer memory for further queuing and scheduling.
9. The assigned core schedules the packets based on QoS configurations; the packets are enqueued in the output buffers.
10. The Layer 2 processing will happen in the data plane for egress processing at the MAC layer and sends the packet toward the exit interface.
11. Post-Layer 1 processing is done at the egress interface; the packet exits toward the next hop.
The Cisco IOS XE modular implementation at the control and data plane level, from Layer 2 to Layer 7 feature processing, makes sure that the packets are treated based on the configuration and that the services get applied one by one. At every stage, required flow control makes sure congestion situations are handled gracefully, treating high-priority traffic ahead of low-priority traffic.
The ISR 1100-6G and ISR 1100X-6G provide support for two additional SFP ports for fiber connectivity.
SFP support on the ISR 1100-6G and ISR 1100X-6G
The ISR 1100 and ISR 1100X Series platforms provide a USB 3.0 port for a Cat4 USB dongle to enable LTE connectivity. This USB dongle is supported on all the SKUs except for the ISR 1100-4GLTE, which comes with an integrated Cat4 LTE option.
Cat4 USB dongle support for ISR 1100 and ISR 1100X Series platforms
The ISR 1100 Series branch platforms are equipped with nonupgradable 4 GB of DRAM for control plane operation, whereas the ISR 1100X Series platforms are equipped with nonupgradable 8 GB of DRAM. All the SKUs in the product family come with nonupgradable 8 GB of boot flash for internal storage except for the ISR 1100X-6G, which comes with 16 GB of boot flash. The higher boot flash on the ISR 1100X-6G enables local lookups for the URL-F use case.
The ISR 1100 and ISR 1100X Series platforms have a nonredundant external power supply system for AC and DC power sources
The Cisco ISR 1100 and ISR 1100X Series branch platforms are driven by an x86 SoC architecture. DPDK and QAT engines improve performance for different features and crypto functions, and with support for Cisco IOS XE SD-WAN on these platforms starting with Release 17.4.1a, they enable seamless migration from Viptela OS to Cisco IOS XE SD-WAN with better performance and scale.
These platforms offer best-in-class hardware with rich software features for a multitude of SD-WAN use cases for small to medium-sized branch deployments.
Learn more
To learn more about the capabilities of the ISR 1100 and ISR 1100X Series branch platforms, visit the following:
● ISR 1100 and ISR 1100X Series data sheet
● Blog: ISR 1100 and ISR 1100X Series routers for SD-WAN Branch