Cisco ISR 1100 and ISR 1100X Series Branch Platforms Architecture White Paper

Updated: March 2, 2022


What makes the Cisco ISR 1100 and ISR 1100X Series branch platforms best-in-class enterprise branch routing platforms?

Cisco launched the 1100 Series Integrated Services Router (ISR 1100) platforms in November 2019. These platforms were purpose-built as migration platforms for the Cisco vEdge 100 and vEdge 1000 routers and supported only the Viptela OS. Cisco also launched the 1100X Series (ISR 1100X) platforms in January 2021 and brought in support for Cisco IOS XE SD-WAN on the existing ISR 1100 and the new ISR 1100X Series platforms. These platforms address a multitude of deployment use cases, such as multilayer security with accelerated SD-WAN services, multicloud access, Application Quality of Experience (AppQoE), and Secure Access Service Edge (SASE). This white paper provides an in-depth look at the architecture and key building blocks of the ISR 1100 and ISR 1100X Series platforms. The information provided here will enable you to design best-in-class networks using these platforms.

Introduction to the ISR 1100 and ISR 1100X Series platforms

The Cisco ISR 1100 and ISR 1100X Series branch platforms come in a fixed form factor for small to medium-sized branch deployments. Five models are available:

      ISR 1100-4G (1 RU migration platform for vEdge 100B)

      ISR 1100-4GLTE (1 RU migration platform for vEdge 100M)

      ISR 1100-6G (1 RU migration platform for vEdge 1000)

      ISR 1100X-4G (1 RU migration platform for vEdge 100B; supports full SD-WAN security stack)

      ISR 1100X-6G (1 RU migration platform for vEdge 1000; supports full SD-WAN security stack and on-box storage of the URL filtering database)

The ISR 1100 and ISR 1100X Series platforms support both Viptela OS and Cisco IOS XE SD-WAN software starting with Cisco IOS XE Release 17.4.1a and Viptela Release 20.4.1. This enables seamless migration for customers currently running Viptela OS on ISR 1100 Series platforms to Cisco IOS XE SD-WAN starting with Cisco IOS XE Release 17.4.1a.

The ISR 1100 and ISR 1100X Series branch platforms are built on an x86 SoC multicore CPU system architecture and come with four built-in WAN ports. The ISR 1100-6G and ISR 1100X-6G come with an additional two 1 Gigabit Ethernet (1G) Small Form-Factor Pluggable (SFP) ports for fiber connectivity.

The Intel Data Plane Development Kit (DPDK) framework and Quick Assist Technology (QAT) engine enable improved performance for crypto IPsec traffic and other data plane features.

The ISR 1100X Series platforms support dynamic core allocation capability, one of the key data path innovations in System-on-a-Chip (SoC) architecture platforms. This enables flexibility for productively using the CPU cores based on the needs of service-focused or data plane-focused deployment models.

The ISR 1100-4G platform includes the following components:

      Four 1G WAN ports

      Fixed 4 GB DRAM

      Fixed 8 GB eMMC flash

      One USB 3.0 port (Type A)

      Nonredundant AC or DC power supply

      Removable fan assembly

      One RJ-45 serial console

Figure 1. ISR 1100-4G model

The ISR 1100-4GLTE platform includes the following components:

      Four 1G WAN ports

      Fixed 4 GB DRAM

      Fixed 8 GB eMMC flash

      Integrated CAT-4 LTE with two LTE antenna SMA connectors on the left and right side of the platform

      LTE micro-USB debug port

      Received Signal Strength Indicator (RSSI) LED

      One micro-SIM slot

      SIM LED

      One USB 3.0 port (Type A)

      Nonredundant AC or DC power supply

      Removable fan assembly

      One RJ-45 serial console

Figure 2. ISR 1100-4GLTE model

The ISR 1100-6G platform includes the following components:

      Four 1G WAN ports

      Two 1G SFP ports

      Fixed 4 GB DRAM

      Fixed 8 GB eMMC flash

      One USB 3.0 port (Type A)

      Nonredundant AC or DC power supply

      Removable fan assembly

      One RJ-45 serial console

Figure 3. ISR 1100-6G model

The ISR 1100X-4G platform includes the following components:

      Four 1G WAN ports

      Fixed 8 GB DRAM

      Fixed 8 GB eMMC flash

      One USB 3.0 port (Type A)

      Nonredundant AC or DC power supply

      Removable fan assembly

      One RJ-45 serial console

Figure 4. ISR 1100X-4G model

The ISR 1100X-6G platform includes the following components:

      Four 1G WAN ports

      Fixed 8 GB DRAM

      Fixed 16 GB eMMC flash

      One USB 3.0 port (Type A)

      Nonredundant AC or DC power supply

      Removable fan assembly

      One RJ-45 serial console

Figure 5. ISR 1100X-6G model

The Cisco ISR 1100 and ISR 1100X Series are best-in-class platforms delivering WAN connectivity for secure SD-WAN branch deployments, with security either deployed on-premises or delivered in the cloud. The ISR 1100X Series platforms also accelerate critical TCP sessions and minimize the impact of high WAN latency with AppQoE to provide a much better application experience for your SaaS applications or your business-critical applications hosted in the data center or by any of the cloud providers.

When powered by Viptela OS, the routers bring pure-play SD-WAN support, and when powered by Cisco IOS XE SD-WAN, they bring feature-rich SD-WAN. Cisco IOS XE SD-WAN enables a fully programmable architecture with analytics, telemetry, and automation that is unmatched in the industry. Zero-touch provisioning enables deployment at scale while migrating workloads to the cloud.

Table 1. Minimum software versions supported

Platform          Cisco IOS XE SD-WAN                   Viptela OS
                  minimum software version supported    minimum software version supported
ISR 1100-4G       17.4.1a                               19.2
ISR 1100-4GLTE    17.4.1a                               19.2
ISR 1100-6G       17.4.1a                               19.2
ISR 1100X-4G      17.4.1a                               20.4
ISR 1100X-6G      17.4.1a                               20.4

Only Controller mode deployment is supported on ISR 1100 and ISR 1100X Series platforms.

The figure below depicts the differences in feature capabilities between Viptela OS and Cisco IOS XE SD-WAN on these platforms.

Figure 6. Comparison of Cisco IOS XE SD-WAN and Viptela OS for the ISR 1100 and ISR 1100X Series branch platforms

Cisco Trustworthy Solutions

Security is built into every aspect of our products. A comprehensive layered security approach is built into both our hardware and software.

All our Cisco IOS XE based platforms, including the ISR 1100 and ISR 1100X Series branch platforms, have built-in hardware and software security functions called Cisco Trustworthy Solutions.

This built-in security feature validates the hardware and software using Cisco digital signatures or certificates when a device first boots up, and if any of the digital checks fail, the device will not let the software boot, in order to prevent malicious code from running.

A second layer of hardware authenticity checks involves the Trust Anchor module (TAm) chipset. It performs a cryptographic check using a Secure Unique Device Identifier (SUDI) certificate that is unique to every Cisco device. This preinstalled, unique Cisco digital certificate brings authenticity and integrity to the ISR 1100 and ISR 1100X Series platforms to protect against any attacks.

In the figure below, you can see that there are six different layers of security with different aspects that help ensure that the hardware and software are authentic before the device boots up and is operational for handling network traffic.

Figure 7. Components of Cisco Trustworthy Solutions

Data plane architecture

The ISR 1100 and ISR 1100X Series branch platforms are built on x86 SoC multicore CPUs. The dynamic core allocation feature is available only on the ISR 1100X Series, which supports 8 GB DRAM.

These are 4-core systems with the default service plane optimized mode on the ISR 1100X Series platforms.

Dynamic Core Allocation allows a variable distribution of cores depending on whether the router is in the service plane optimized or data plane optimized mode.

The figure below depicts the allocation of CPU cores on the ISR 1100X-4G and ISR 1100X-6G platforms in service plane-optimized (default) and data plane-optimized modes.

Figure 8. Dynamic core allocation in the ISR 1100X-4G and ISR 1100X-6G platforms

The Cisco x86 SoC CPU architecture includes the following principal components:

Dynamic core allocation: The dynamic core allocation feature is one of the key building blocks on the ISR 1100X Series platforms. There are four cores available on these platforms, with one core allocated to the control plane and the rest allocated between the data plane and service plane functions. For example, if your intention is to run application services as hosted services within the router, you can let the system boot up in the default service plane optimized mode, but if you do not have hosted services in your deployment, you can repurpose the service cores to data plane operations, thus allocating more cores for feature processing and improving the performance of the data plane features. This flexibility is achieved by a single command line executed directly on the platform terminal or from a centralized orchestration platform such as vManage.

Some of the services and applications that can be run inside the platform Cisco IOx containers are:

      Unified Threat Defense (UTD), which includes intrusion prevention, URL filtering, Cisco Secure Endpoint, and Cisco Secure Malware Analytics

      AppQoE features such as TCP optimization, Forward Error Correction (FEC), and packet duplication

Packet Processing Engine (PPE): The Packet Processing Engine (PPE) is an important part of the data plane core architecture. The main functionality of PPE is packet processing. In a 4-core system there are two or three cores dedicated for PPE functionality based on whether the service or data plane mode of operation is enabled on the platform. These PPEs provide a massive amount of parallel processing, and the assigned PPE is responsible for the packet for its entire life in on-chip memory before it is sent to the traffic manager for scheduling. Each PPE has access to an array of hardware-assist functions such as Layer 1 and Layer 2 cache for feature acceleration of network address and prefix lookups, hash lookups, Weighted Random Early Detection (WRED), traffic policers, range lookups, advanced classification, and access control lists. In situations where flows need to be controlled, a lock manager assures the proper packet ordering for flows. Another key resource for the data plane is the off-chip cryptographic engine (QAT engine), which is accessible from each PPE to speed up the cryptographic encryption and decryption packet processing.

Data Plane Development Kit (DPDK)

The ISR 1100 and ISR 1100X Series branch platforms have leveraged new Data Plane Development Kit (DPDK) libraries to grant user processes access to the network interface controller I/O entities. The Polling-Mode Drivers (PMDs) enable feature execution without the need for a system call.

Intel Quick Assist Technology (Intel QAT)

The Cisco ISR 1100 and ISR 1100X Series branch platforms have enabled Quick Assist Technology (QAT) in the multicore x86 implementation. This technology has dramatically boosted the security and compression acceleration to improve crypto performance on these platforms.

Control plane architecture

The control plane implementations of the ISR 1100 and ISR 1100X Series branch platforms are responsible for the following functions:

      Running the router control plane, including network control packets and connection setup

      Managing the Routing Information Base (RIB or routing table)

      Code storage, management, and upgrade

      On-Board Failure Logging (OBFL)

      Downloading of operational code for interface control blocks

      Command-Line Interface (CLI), alarm, network management, logging, and statistics aggregation

      Punt path to the data plane cores for packet processing

      Configuration repository along with logging system statistics, CLI, records, events, errors, and dumps and the management interfaces of the platform, including the console port

      Chassis management, image management and distribution, logging facilities, distribution of user configuration information, and alarm control

      Control signals for monitoring the health of the overall system

System architecture

Let us have a look at high-level block diagrams for the ISR 1100X-4G and ISR 1100X-6G branch platforms.

Figure 9. ISR 1100X-4G system block diagram

The major differences between the ISR 1100X-4G and ISR 1100X-6G are the two front-panel SFP ports and 16 GB flash.

Figure 10. ISR 1100X-6G system block diagram

The important hardware entities within the ISR 1100X system are:

      Single-core control plane on the x86 processor, which runs IOSd and other required system processes.

      Two or three cores for data plane feature processing.

      Intel’s Data Plane Development Kit (DPDK) for a fast packet-processing ecosystem that operates in Linux user space. This framework provides a set of libraries that enable a general abstraction layer for packet buffers, system memory allocation and deallocation, hash algorithms for longest prefix match, and more.

      Intel QAT engine for cryptographic and compression acceleration for faster encryption and decryption by offloading it from the data plane cores.

      Two additional SFP ports on the ISR 1100X-6G for fiber connectivity.

      USB 3.0 interface for Cat4 USB LTE dongle support.

      8 GB DRAM support for services and application hosting and higher feature scale.

Life of a packet

The ISR 1100 and ISR 1100X Series branch platforms come with an x86 SoC multicore architecture and a data plane that makes all the forwarding decisions by synchronizing the routing information from the control plane Routing Information Base (RIB) and building a forwarding table called the Forwarding Information Base (FIB).

The following steps elaborate on the details of the packet flow:

1. Layer 1 checks at the interface PHY are processed at the built-in interface receive (Rx) path, and the packets then get handed over to the data plane, which also handles the DPDK framework.

2. Layer 2 packet validations, such as Cyclic Redundancy Check (CRC), Maximum Transmission Unit (MTU), and runt errors, are checked on the integrated MAC on the PHY itself.

3. When the packets are received on the front-panel GE ports, they will arrive at the kernel-space GE drivers. DPDK PMD drivers will directly poll packets to the data plane Rx processes, which enqueue them for distribution.

4. Packets are stored in the packet buffer queue and then dispatched to the PPEs for feature processing and forwarding.

5. If the packet needs to be encrypted or decrypted (IPsec), it gets handed over to the crypto engine (QAT) prior to further processing.

6. The crypto operation is done entirely within the crypto engine, which is equipped with dedicated compute and memory for cipher and digest algorithm application.

7. After the ingress features are applied on the packet, FIB lookup happens to figure out the egress path. The packets are then enqueued for an egress operation based on the configured Feature Invocation Arrays (FIAs).

8. After egress FIA processing, the packet gets copied to the packet buffer memory for further queuing and scheduling.

9. The assigned core schedules the packets based on QoS configurations; the packets are enqueued in the output buffers.

10. Layer 2 egress processing happens in the data plane at the MAC layer, and the packet is sent toward the exit interface.

11. Post-Layer 1 processing is done at the egress interface; the packet exits toward the next hop.

The Cisco IOS XE modular implementation at the control and data plane level, from Layer 2 to Layer 7 feature processing, makes sure that the packets are treated based on the configuration and that the services get applied one by one. At every stage, required flow control makes sure congestion situations are handled gracefully, treating high-priority traffic ahead of low-priority traffic.

SFP support

The ISR 1100-6G and ISR 1100X-6G provide support for two additional SFP ports for fiber connectivity.

Figure 11. SFP support on the ISR 1100-6G and ISR 1100X-6G

USB dongle support

The ISR 1100 and ISR 1100X Series platforms provide a USB 3.0 port for a Cat4 USB dongle to enable LTE connectivity. This USB dongle is supported on all the SKUs except for the ISR 1100-4GLTE, which comes with an integrated Cat4 LTE option.

Figure 12. Cat4 USB dongle support for ISR 1100 and ISR 1100X Series platforms

Memory and storage

The ISR 1100 Series branch platforms are equipped with nonupgradable 4 GB of DRAM for control plane operation, whereas the ISR 1100X Series platforms are equipped with nonupgradable 8 GB of DRAM. All the SKUs in the product family come with nonupgradable 8 GB of boot flash for internal storage except for the ISR 1100X-6G, which comes with 16 GB of boot flash. The higher boot flash on the ISR 1100X-6G enables local lookups for the URL-F use case.

Power supply

The ISR 1100 and ISR 1100X Series platforms have a nonredundant external power supply system for AC and DC power sources.

Conclusion

The Cisco ISR 1100 and ISR 1100X Series branch platforms are driven by an x86 SoC architecture. DPDK and QAT engines improve performance for different features and crypto functions, and with support for Cisco IOS XE SD-WAN on these platforms starting with Release 17.4.1a, they enable seamless migration from Viptela OS to Cisco IOS XE SD-WAN with better performance and scale.

These platforms offer best-in-class hardware with rich software features for a multitude of SD-WAN use cases for small to medium-sized branch deployments.

Learn more

To learn more about the capabilities of the ISR 1100 and ISR 1100X Series branch platforms, visit the following:

      ISR 1100 and ISR 1100X Series data sheet

      Blog: ISR 1100 and ISR 1100X Series routers for SD-WAN Branch

      Migration guide
