Cisco Networkers Colombia 2008

2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

Multilayer Campus Architecture and Design Principles


BRKCAM-2001

Cisco Confidential

Housekeeping
1. Please turn off your mobile phones, BlackBerries and laptops
2. We value your feedback: don't forget to complete your session evaluation form and hand it to the room monitor / the materials pickup area at registration
3. Please remember this is a 'non-smoking' venue!

Enterprise-Class Availability
Resilient Campus Communication Fabric
Campus Systems Approach to High Availability
1. Network-level redundancy
2. System-level resiliency
3. Enhanced management
4. The human ear notices the difference in voice within 150-200 msec (10 consecutive G.711 packets lost)
5. Video loss is even more noticeable
6. 200 msec end-to-end campus convergence

Ultimate Goal: 100%
Applications drive requirements for high availability networking:
Next-Generation Apps: video conferencing, Unified Messaging, global outsourcing, e-business, wireless ubiquity
Mission Critical Apps: databases, order entry, CRM, ERP
Desktop Apps: e-mail, file & print

Next Generation Campus Design


Unified Communications Evolution
1. VoIP is now a mainstream technology
2. Ongoing evolution to the full spectrum of Unified Communications
3. High-Definition Executive Communication Application requires a stringent Service-Level Agreement (SLA)
Reliable Service: High Availability Infrastructure, Application Service Management, QoS

Agenda
1. Multilayer Campus Design Principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary
[Figure: campus topology with Data Center, Services Block and Distribution Blocks]

High-Availability Campus Design
Structure, Modularity, and Hierarchy
[Figure: hierarchical campus with Access, Distribution and Core layers connecting to WAN, Data Center and Internet]

Hierarchical Campus Network
Structure, Modularity and Hierarchy
Not This!!
[Figure: flat, non-hierarchical topology connecting Server Farm, WAN, Internet and PSTN]

Hierarchical Network Design
Without a Rock Solid Foundation the Rest Doesn't Matter
1. Offers hierarchy: each layer has a specific role
2. Modular topology: building blocks
3. Easy to grow, understand, and troubleshoot
4. Creates small fault domains: clear demarcations and isolation

1. Promotes load balancing and redundancy
2. Promotes deterministic traffic patterns
3. Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
4. Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
[Figure: Core above a Building Block made of Distribution and Access layers]

Access Layer
Feature Rich Environment
1. It's not just about connectivity
2. Layer 2/Layer 3 feature rich environment: convergence, HA, application intelligence, security, QoS, IP multicast, etc.
3. Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping
4. Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, etc.
5. Cisco Catalyst integrated security features (CISF): IBNS (802.1x), port security, DHCP snooping, DAI, IPSG; deep packet inspection security
6. Automatic phone discovery, conditional trust boundary, power over Ethernet, auxiliary VLAN, etc.
7. Spanning tree toolkit: PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, etc.
[Figure: Core, Distribution and Access layers]

Distribution Layer
Policy, Convergence, QoS, and High Availability
1. Availability, load balancing, QoS and provisioning are the important considerations at this layer
2. Aggregates wiring closets (access layer) and uplinks to core
3. Protects core from high density peering and problems in access layer
4. Route summarization, fast convergence, redundant path load sharing
5. HSRP or GLBP to provide first hop redundancy
[Figure: Core, Distribution and Access layers]

Core Layer
Scalability, High Availability, and Fast Convergence
1. Backbone for the network: connects network building blocks
2. Performance and stability vs. complexity: less is more in the core
3. Aggregation point for distribution layer
4. Separate core layer helps in scalability during future growth
5. Keep the design technology-independent
[Figure: Core, Distribution and Access layers]

Do I Need a Core Layer?


It's Really a Question of Scale, Complexity, and Convergence
No Core
1. Fully meshed distribution layers
2. Physical cabling requirement
3. Routing complexity
[Figure: fully meshed distribution blocks. Second building block: 4 new links. 3rd building block: 8 new links, 12 links total, 5 IGP neighbors. 4th building block: 12 new links, 24 links total, 8 IGP neighbors]

Do I Need a Core Layer?


It's Really a Question of Scale, Complexity, and Convergence
Dedicated Core Switches
1. Easier to add a module
2. Fewer links in the core
3. Easier bandwidth upgrade
4. Routing protocol peering reduced
5. Equal cost Layer 3 links for best convergence
[Figure: distribution blocks connected through dedicated core switches. 2nd building block: 8 new links. 3rd building block: 4 new links, 12 links total, 3 IGP neighbors. 4th building block: 4 new links, 16 links total, 3 IGP neighbors]

Design Alternatives Come Within a Building (or Distribution) Block
Layer 2 Access, Routed Access, Virtual Switching System
[Figure: Access, Distribution and Core layers connected to WAN, Data Center and Internet]

Layer 3 Distribution Interconnection


Layer 2 Access: No VLANs Span Access Layer
1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards core
4. Limit redundant IGP peering
5. STP Root and HSRP primary tuning or GLBP to load balance on uplinks
6. Set trunk mode on/no-negotiate
7. Disable EtherChannel unless needed
8. Set port host on access layer ports:
   Disable Trunking
   Disable EtherChannel
   Enable PortFast
9. RootGuard or BPDU-Guard
10. Use security features
[Figure: Layer 3 point-to-point link between the distribution switches; each access switch carries only its own VLANs: VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24 on one, VLAN 40 Data 10.1.40.0/24 and VLAN 140 Voice 10.1.140.0/24 on the other]

Layer 2 Distribution Interconnection


Layer 2 Access: Some VLANs Span Access Layer
1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards core
4. Limit redundant IGP peering
5. STP Root and HSRP primary or GLBP and STP port cost tuning to load balance on uplinks
6. Set trunk mode on/no-negotiate
7. Disable EtherChannel unless needed
8. RootGuard on downlinks
9. LoopGuard on uplinks
10. Set port host on access layer ports:
   Disable Trunking
   Disable EtherChannel
   Enable PortFast
11. RootGuard or BPDU-Guard
12. Use security features
[Figure: Layer 2 trunk between the distribution switches; VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24 and VLAN 250 WLAN 10.1.250.0/24 span the access switches]

Routed Access and Virtual Switching System


Evolutions of and Improvements to Existing Designs
[Figure: two distribution designs. Left: routed access with Layer 3 point-to-point links, each access switch carrying its own VLANs (VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24; VLAN 40 Data 10.1.40.0/24 and VLAN 140 Voice 10.1.140.0/24). Right, labelled New Concept: Virtual Switching System with a VSS link between the distribution pair and VLAN 20, 40, 120, 140 plus VLAN 250 WLAN 10.1.250.0/24 spanning the access switches]

Virtual Switch
Virtual Switching System 1440 (VSS)
1. Virtual Switching System consists of two Cisco Catalyst 6500 Series switches defined as members of the same virtual switch domain
2. Single control plane with dual active forwarding planes
3. Designed to increase forwarding capacity while increasing availability by eliminating STP loops
4. Reduced operational complexity by simplifying configuration
[Figure: Switch 1 and Switch 2 joined by the Virtual Switch Link inside one Virtual Switch Domain, presented as a VSS single logical switch]

Virtual Switching System


Single Control Plane
1. Uses one supervisor in each chassis with the inter-chassis Stateful Switchover (SSO) method, in which one supervisor is ACTIVE and the other is in HOT_STANDBY mode
2. Active/standby supervisors run in synchronized mode (boot-env, running configuration, protocol state, and line card status get synchronized)
3. ACTIVE supervisor manages the control plane functions such as protocols (routing, EtherChannel, SNMP, telnet, etc.) and hardware control (OIR, port management)
4. Switchover to the STANDBY_HOT supervisor occurs when the ACTIVE supervisor fails, providing subsecond protocol and data forwarding recovery
[Figure: two chassis joined by the VSL; each holds a supervisor (SF, RP, PFC) and CFC or DFC line cards; one is the Active Supervisor, the other the Standby HOT Supervisor]
SF: Switch Fabric; RP: Route Processor; PFC: Policy Forwarding Card; CFC: Centralized Forwarding Card; DFC: Distributed Forwarding Card

Virtual Switching System


Dual Active Forwarding Planes
1. Virtual Switch operates with a single active supervisor from a control plane perspective but with dual active forwarding planes
2. Supervisor ports and all the line cards in both chassis, including Distributed Forwarding Engines (DFCs), are actively forwarding

VSS-Router#show switch virtual redundancy
My Switch Id = 1
Peer Switch Id = 2

Switch 1 Slot 5 Processor Information :
----------------------------------------------
Current Software state = ACTIVE
<snip>
Configuration register = 0x2
Fabric State = ACTIVE
Control Plane State = ACTIVE

Switch 2 Slot 5 Processor Information :
----------------------------------------------
Current Software state = STANDBY HOT (switchover target)
<snip>
Configuration register = 0x2
Fabric State = ACTIVE
Control Plane State = STANDBY

[Figure: both chassis marked Data Plane Active]

Virtual Switching System


Multichassis EtherChannel (MEC)
1. MEC is an advanced EtherChannel technology extending link aggregation to two separate physical switches
2. MEC enables the VSS to appear as a single logical device to devices connected to the VSS, thus significantly simplifying the campus topology
3. Traditionally, spanning VLANs over multiple closets would create an STP looped topology; MEC with VSS eliminates these loops in the campus topology
4. MEC replaces spanning tree as the means to provide link redundancy, thus doubling the bandwidth available from the access
5. MEC is supported only with VSS
[Figure: physical topology vs. logical topology of a Multichassis EtherChannel at L2; bandwidth capacity for VLAN 30 in a Non-MEC vs. MEC topology]

Foundation Services
1. Layer 1 physical things
2. Layer 2 redundancy: spanning tree
3. Layer 3 routing protocols
4. Trunking protocols (ISL/.1q)
5. Unidirectional link detection
6. Load balancing
   EtherChannel link aggregation
   CEF equal cost load balancing
7. First hop redundancy protocols
   VRRP, HSRP, and GLBP
[Figure: foundation services stack: Spanning Tree, Trunking, Routing, Load Balancing, HSRP/GLBP]

Best Practices: Layer 1 Physical Things
1. Use point-to-point interconnections: no L2 aggregation points between nodes
2. Use fiber for best convergence (debounce timer)
3. Tune carrier delay timer
4. Use configuration on the physical interface, not VLAN/SVI, when possible
[Figure: campus with Layer 3 equal cost links from distribution to core, connecting WAN, Data Center and Internet]

Redundancy and Protocol Interaction


Link Neighbour Failure Detection
1. Indirect link failures are harder to detect
2. With no direct HW notification of link loss or topology change, convergence times are dependent on SW notification
3. Indirect failure events in a bridged environment are detected by Spanning Tree Hellos
4. In certain topologies the need for TCN updates or dummy multicast flooding (UplinkFast) is necessary for convergence
5. You should not be using hubs in a high availability design
[Figure: switches interconnected through hubs, with routing Hellos and STP BPDUs crossing the hubs]

Redundancy and Protocol Interaction


Link Redundancy and Failure Detection
1. Direct point-to-point fiber provides for fast failure detection
2. IEEE 802.3z and 802.3ae link negotiation define the use of Remote Fault Indicator and Link Fault Signaling mechanisms
3. Bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side
4. Do not disable auto-negotiation on GigE and 10GigE interfaces
5. The default debounce timer on GigE and 10GigE fiber linecards is 10 msec
6. The minimum debounce for copper is 300 msec
7. Carrier-Delay
   3560, 3750 and 4500: 0 msec
   6500: leave it set at default
[Figure: failure detection stages between two switches: Remote IEEE Fault Detection Mechanism, Linecard Throttling (Debounce Timer), Cisco IOS Throttling (Carrier Delay Timer)]

Redundancy and Protocol Interaction


Layer 2 and 3: Why Use Routed Interfaces
1. Configuring L3 routed interfaces provides for faster convergence than an L2 switch port with an associated L3 SVI

L3 routed interface: 1. Link Down, 2. Interface Down, 3. Routing Update (~8 msec loss)
21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
21:38:37.050 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
21:38:37.050 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust GigabitEthernet3/1

L2 switch port with SVI: 1. Link Down, 2. Interface Down, 3. Autostate, 4. SVI Down, 5. Routing Update (~150-200 msec loss)
21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down
21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down
21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down
21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust Vlan301
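As an added example (not part of the deck), the two syslog sequences above are parsed to measure the delay from the first link-down message to the EIGRP route_adjust callback, and to expose the extra SVI (autostate) step in the second case. The log text is reconstructed from the slide; the function and regex names are my own.

```python
import re
from datetime import datetime, timedelta

# The two IOS syslog sequences shown on the slide, one message per line
# (constructed from the slide text: the routed-interface case and the SVI case).
ROUTED_LOG = """\
21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
21:38:37.050 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
21:38:37.050 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust GigabitEthernet3/1
"""

SVI_LOG = """\
21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down
21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down
21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down
21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust Vlan301
"""

# "HH:MM:SS.mmm UTC: <message>" as the slide shows it (no date field, no sequence number)
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) UTC: (.*)$")
IFACE_DOWN_RE = re.compile(r"Interface (\S+), changed state to down")


def parse(log):
    """Return [(timestamp, message)] for every well-formed line; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)))
    return events


def reroute_delay_ms(log):
    """Milliseconds from the first message to the EIGRP route_adjust callback,
    i.e. how long the failed path stayed in the FIB before the IGP reacted."""
    events = parse(log)
    first = events[0][0]
    callback = next(ts for ts, msg in events if "route_adjust" in msg)
    return round((callback - first) / timedelta(milliseconds=1))


def interfaces_taken_down(log):
    """Interfaces reported down before the reroute, in order of first appearance.
    A VlanNNN entry is the autostate/SVI-down step the slide describes."""
    names = []
    for _, msg in parse(log):
        m = IFACE_DOWN_RE.search(msg)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def has_svi_step(log):
    """True when an SVI had to go down before the routing protocol was notified."""
    return any(name.startswith("Vlan") for name in interfaces_taken_down(log))


if __name__ == "__main__":
    for label, log in (("routed interface", ROUTED_LOG), ("switch port + SVI", SVI_LOG)):
        print(f"{label}: {reroute_delay_ms(log)} msec, down: {interfaces_taken_down(log)}")
```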

Best Practices: Spanning Tree Configuration
1. Only span VLANs across multiple access layer switches when you have to!
2. Use Rapid PVST+ for best convergence
3. More common in the data center
4. Required to protect against user side loops
5. Required to protect against operational accidents (misconfiguration or hardware failure)
6. Take advantage of the spanning tree toolkit
[Figure: the same VLAN spanning several access switches creates Layer 2 loops below the distribution; Layer 3 equal cost links above it]

Multilayer Network Design


Layer 2 Access with Layer 3 Distribution
[Figure: two distribution blocks. Left: access switches with Vlan 10, Vlan 20 and Vlan 30 each on one switch. Right: Vlan 30 spanning all access switches]
Left design:
1. Each access switch has unique VLANs
2. No layer 2 loops
3. Layer 3 link between distribution
4. No blocked links
Right design:
1. At least some VLANs span multiple access switches
2. Layer 2 loops
3. Layer 2 and 3 running over link between distribution
4. Blocked links

Optimizing L2 Convergence
PVST+, Rapid PVST+ or MST
1. Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP
2. Rapid-PVST+ also greatly improves convergence time over BackboneFast for any indirect link failures
3. PVST+ (802.1d)
   Traditional spanning tree implementation
4. Rapid PVST+ (802.1w)
   Scales to large size (~10,000 logical ports)
   Easy to implement, proven, scales
5. MST (802.1s)
   Permits very large scale STP implementations (~30,000 logical ports)
   Not as flexible as Rapid PVST+
[Chart: Time to Restore Data Flows (sec), 0 to 35, upstream and downstream, PVST+ vs. Rapid PVST+]

Layer 2 Hardening
Spanning Tree Should Behave the Way You Expect
1. Place the root where you want it
   Root primary/secondary macro
2. The root bridge should stay where you put it
   RootGuard
   LoopGuard
   UplinkFast
   UDLD
3. Only end-station traffic should be seen on an edge port
   BPDU Guard
   RootGuard
   PortFast
   Port-security
[Figure: STP Root at the distribution with LoopGuard; RootGuard and LoopGuard on the distribution/access links; UplinkFast on the access switch; BPDU Guard or RootGuard, PortFast and Port Security on edge ports]

Best Practices: Layer 3 Routing Protocols
1. Typically deployed in distribution to core, and core to core interconnections
2. Used to quickly re-route around failed nodes/links while providing load balancing over redundant paths
3. Build triangles not squares for deterministic convergence
4. Only peer on links that you intend to use as transit
5. Ensure redundant L3 paths to avoid black holes
6. Summarize distribution to core to limit EIGRP query diameter or OSPF LSA propagation
7. Tune CEF L3/L4 load balancing hash to achieve maximum utilization of equal cost paths (CEF polarization)
[Figure: campus with Layer 3 equal cost links from distribution to core, connecting WAN, Data Center and Internet]

Best Practice: Build Triangles Not Squares
Deterministic vs. Non-Deterministic
Triangles: Link/Box Failure Does NOT Require Routing Protocol Convergence
Squares: Link/Box Failure Requires Routing Protocol Convergence
[Figure: Model A (triangles) and Model B (squares)]
1. Layer 3 redundant equal cost links support fast convergence
2. Hardware based: fast recovery to remaining path
3. Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path)

Best Practice: Passive Interfaces for IGP
Limit OSPF and EIGRP Peering Through the Access Layer
1. Limit unnecessary peering using passive interface:
   Four VLANs per wiring closet
   12 adjacencies total
   Memory and CPU requirements increase with no real benefit
   Creates overhead for IGP
[Figure: two distribution switches exchanging routing updates across every access VLAN]

OSPF Example:
Router(config)#router ospf 1
Router(config-router)#passive-interface Vlan 99

Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface Vlan 99

EIGRP Example:
Router(config)#router eigrp 1
Router(config-router)#passive-interface Vlan 99

Router(config)#router eigrp 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface Vlan 99

Why You Want to Summarize at the Distribution


Limit EIGRP Queries and OSPF LSA Propagation
1. It is important to force summarization at the distribution towards the core
2. For return path traffic an OSPF or EIGRP re-route is required
3. By limiting the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process we can optimize this re-route
4. EIGRP example:
interface Port-channel1
 description to Core#1
 ip address 10.122.0.34 255.255.255.252
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
[Figure: No Summaries: Queries Go Beyond the Core into the Rest of Network; traffic dropped until IGP converges; access subnets 10.1.1.0/24 and 10.1.2.0/24]

Why You Want to Summarize at the Distribution


Reduce the Complexity of IGP Convergence
1. It is important to force summarization at the distribution towards the core
2. For return path traffic an OSPF or EIGRP re-route is required
3. By limiting the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process we can optimize this re-route
4. For EIGRP, if we summarize at the distribution we stop queries at the core boxes for an access layer flap
5. For OSPF, when we summarize at the distribution (area border or L1/L2 border) the flooding of LSAs is limited to the distribution switches; SPF now deals with one LSA not three
[Figure: Summaries Stop Queries at the Core: the distribution advertises Summary 10.1.0.0/16 toward the core; traffic dropped until IGP converges; access subnets 10.1.1.0/24 and 10.1.2.0/24]

Best Practice: Summarize at the Distribution
Gotcha: Distribution-to-Distribution Link Required
1. Best practice: summarize at the distribution layer to limit EIGRP queries or OSPF LSA propagation
2. Gotcha:
   Upstream: HSRP on left distribution takes over when link fails
   Return path: old router still advertises summary to core
   Return traffic is dropped on right distribution switch
3. Summarizing requires a link between the distribution switches
4. Alternative design: use the access layer for transit
[Figure: the right distribution switch still advertises Summary 10.1.0.0/16 to the core after losing its link to the access; traffic dropped with no route; access subnets 10.1.1.0/24 and 10.1.2.0/24]
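An added example (my own model, not from the deck) of the gotcha above and the alternate-path question on the next slide: longest-prefix forwarding through the slide's core / distribution / access topology, with and without the distribution-to-distribution link. The switch names DL, DR, accessA and accessB, the Null0 discard entry for the summary and the core's choice of DR for the return flow are all assumptions of the model.

```python
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

ACCESS_A = IPNet("10.1.1.0/24")   # subnet behind access switch A (from the slide)
ACCESS_B = IPNet("10.1.2.0/24")   # subnet behind access switch B (from the slide)
SUMMARY = IPNet("10.1.0.0/16")    # summary both distribution switches advertise to the core


def lookup(fib, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries; None if no route."""
    matches = [(p, nh) for p, nh in fib if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda e: e[0].prefixlen)[1]


def build_fibs(dist_dist_link):
    """Constructed FIBs for the slide's failure: access A's uplink to DR is down.

    DR keeps advertising the /16 because its route to access B still exists, and the
    summarizing router installs the summary itself as a discard (Null0) route.  The core
    splits the /16 over DL and DR; we model the return flow the core hashes onto DR.
    """
    fibs = {
        "core": [(SUMMARY, "DR")],
        "DL": [(ACCESS_A, "accessA"), (ACCESS_B, "accessB"), (SUMMARY, "Null0")],
        "DR": [(ACCESS_B, "accessB"), (SUMMARY, "Null0")],
    }
    if dist_dist_link:
        # With an L3 link between the distribution switches DR learns the specific /24
        # from DL; the longer prefix wins over DR's own /16 discard route.
        fibs["DR"].append((ACCESS_A, "DL"))
    return fibs


def trace(fibs, dst, start="core", max_hops=8):
    """Follow next hops from the core.  The path ends in an access switch (delivered),
    Null0 (black-holed by the summary), no-route, or loop."""
    dst = IPAddr(dst)
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(fibs[node], dst)
        if nh is None:
            path.append("no-route")
            return path
        path.append(nh)
        if nh not in fibs:   # access switch or Null0: forwarding stops here
            return path
        node = nh
    path.append("loop")
    return path


if __name__ == "__main__":
    for link in (False, True):
        print("dist-dist link", "present" if link else "absent", "->",
              " > ".join(trace(build_fibs(link), "10.1.1.10")))
```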

Provide Alternate Paths


1. What happens if the single link to the core fails?
2. No route to the core anymore?
3. Allow the traffic to go through the access?
   Do you want to use your access switches as transit nodes?
   How do you design for scalability if the access is used for transit traffic?
4. Install a redundant link to the core
5. Best practice: install a redundant link to the core and utilize an L3 link between the distribution layer switches
[Figure: distribution switch with a Single Path to Core; traffic dropped with no route to core; access switches A and B]

EIGRP Design Rules in the Campus


Leverage the Tools Provided
1. The greatest advantages of EIGRP are gained when the network has a structured addressing plan that allows for use of summarization and stub routers when appropriate
2. EIGRP provides the ability to implement multiple tiers of summarization and route filtering
3. Minimize the number and time for query response to speed up convergence
4. Summarize distribution block routes upstream to the core
5. If routing in the access, configure all access switches as EIGRP stub routers
6. If routing in the access layer, filter routes sent down to access switches
[Figure: summarization tiers: 10.10.0.0/17 and 10.10.128.0/17 from the distribution, 10.10.0.0/16 toward the core]

OSPF Design Rules in the Campus


Where Are the Areas?
1. Area design based on address summarization
2. Area boundaries should define buffers between fault domains
3. Summarize routes from the distribution block upstream into the core
4. Minimize the number of LSAs and routes in the core
5. Reduce the need for SPF calculations due to internal distribution block changes
6. ABR for a regular area forwards
   Summary LSAs (Type 3)
   ASBR summary (Type 4)
   Specific externals (Type 5)
7. Stub area ABR forwards
   Summary LSAs (Type 3)
   Summary default (0.0.0.0)
8. A totally stubby area ABR forwards
   Summary default (0.0.0.0)
[Figure: distribution blocks in Area 100, Area 110 and Area 120 attached to an Area 0 core that connects WAN, Data Center and Internet]

Equal Cost Multi-Path


Optimizing CEF Load-Sharing
1. Depending on the traffic flow patterns and IP addressing in use, one algorithm may provide better load-sharing results than another
2. Be careful not to introduce polarization in a multitier design by changing the default to the same thing in all tiers/layers of the network

Catalyst 4500 Load-Sharing Options
Original: Src IP + Dst IP
Universal*: Src IP + Dst IP + Unique ID
Include Port: Src IP + Dst IP + (Src or Dst Port) + Unique ID

Catalyst 6500 PFC3** Load-Sharing Options
Default*: Src IP + Dst IP + Unique ID
Full: Src IP + Dst IP + Src Port + Dst Port
Full Exclude Port: Src IP + Dst IP + (Src or Dst Port)
Simple: Src IP + Dst IP
Full Simple: Src IP + Dst IP + Src Port + Dst Port

* = Default Load-Sharing Mode
** = PFC3 in Sup720 and Sup32 Supervisors
[Figure: three tiers, Load-Sharing Simple at the distribution tiers and Load-Sharing Full Simple in the core; 30% of flows on one path and 70% on the other]

CEF Load Balancing


Avoid Underutilizing Redundant Layer 3 Paths
Redundant Paths Ignored
1. CEF polarization: without some tuning CEF will select the same path left/left or right/right
2. Imbalance/overload could occur
3. Redundant paths are ignored/underutilized
4. The default CEF hash input is L3
5. We can change the default to use L3 + L4 information as input to the hash derivation
[Figure: Distribution (Default L3 Hash), Core (Default L3 Hash), Distribution (Default L3 Hash); flows follow L/L or R/R paths and the remaining links carry nothing]

CEF Load Balancing


Avoid Underutilizing Redundant Layer 3 Paths
All Paths Used
1. The default will work for Sup720/32 and latest hardware (unique ID added to default). However, depending on IP addressing and flows, imbalance could occur
2. Alternating L3/L4 hash and L3 hash will give us the best load balancing results
3. Use simple in the core and full simple in the distribution to add L4 information to the algorithm at the distribution and maintain differentiation tier-to-tier
[Figure: Distribution (L3/L4 Hash), Core (Default L3 Hash), Distribution (L3/L4 Hash); both L and R links used at every tier]
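An added simulation (my own code, not Cisco's hashing algorithm) of the polarization shown on the two CEF slides above, using the input sets from the load-sharing tables: with Src IP + Dst IP at both tiers, every flow the distribution sends to a given core switch hashes to the same downlink again; with L4 ports added at the distribution, or a per-switch Unique ID, both links are used. The sample flows, the SHA-256 stand-in for the hardware hash, and the mode names are constructed for the example.

```python
import hashlib
import random

N_PATHS = 2   # two equal-cost uplinks at every tier, as in the slide's L/R figure


def path_index(*fields):
    """Deterministic ECMP choice: hash the selected header fields, take the result modulo
    the number of paths.  A stand-in for the platform hash, not the real algorithm."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % N_PATHS


def choose(mode, src, dst, sport, dport, switch_id):
    """Pick a path using one of the input sets named on the slide's load-sharing tables."""
    if mode == "simple":           # Src IP + Dst IP (PFC3 "simple", 4500 "original")
        return path_index(src, dst)
    if mode == "default":          # Src IP + Dst IP + Unique ID (a per-switch value)
        return path_index(src, dst, switch_id)
    if mode == "full simple":      # Src IP + Dst IP + Src Port + Dst Port
        return path_index(src, dst, sport, dport)
    raise ValueError(f"unknown load-sharing mode {mode!r}")


def make_flows(count, seed=1):
    """Constructed sample flows: clients in 10.1.x.0/24 talking to servers in 10.2.x.0/24 on TCP 443."""
    rnd = random.Random(seed)
    flows = []
    for _ in range(count):
        src = f"10.1.{rnd.randint(1, 4)}.{rnd.randint(1, 254)}"
        dst = f"10.2.{rnd.randint(1, 4)}.{rnd.randint(1, 254)}"
        flows.append((src, dst, rnd.randint(1024, 65535), 443))
    return flows


def simulate(flows, dist_mode, core_mode):
    """Two ECMP tiers: the distribution picks one of two core switches, then that core
    switch picks one of its two downlinks.  Returns {core_switch: [flows on L, flows on R]}."""
    counts = {0: [0, 0], 1: [0, 0]}
    for src, dst, sport, dport in flows:
        core = choose(dist_mode, src, dst, sport, dport, switch_id="dist-1")
        link = choose(core_mode, src, dst, sport, dport, switch_id=f"core-{core}")
        counts[core][link] += 1
    return counts


def polarized(counts):
    """True when some core switch carries all of its flows on a single downlink."""
    return any(0 in links for links in counts.values())


if __name__ == "__main__":
    flows = make_flows(400)
    for dist_mode, core_mode in (("simple", "simple"), ("full simple", "simple"), ("default", "default")):
        counts = simulate(flows, dist_mode, core_mode)
        print(f"distribution={dist_mode!r:14} core={core_mode!r:9} {counts}  polarized={polarized(counts)}")
```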

Best Practices: Trunk Configuration
1. Typically deployed on interconnection between access and distribution layers
2. Use VTP transparent mode to decrease potential for operational error
3. Hard set trunk mode to on and encapsulation negotiate off for optimal convergence
4. Change the native VLAN to something unused to avoid VLAN hopping
5. Manually prune all VLANs except those needed
6. Disable on host ports:
   CatOS: set port host
   Cisco IOS: switchport host
[Figure: 802.1q trunks between access and distribution; Layer 3 equal cost links from distribution to core, connecting WAN, Data Center and Internet]

VTP: Virtual Trunk Protocol
1. Centralized VLAN management
2. VTP server switch propagates VLAN database to VTP client switches
3. Runs only on trunks
4. Four modes:
   Server: updates clients and servers
   Client: receives updates, cannot make changes
   Transparent: lets updates pass through
   Off: ignores VTP updates
[Figure: a Server sets VLAN 50; across the trunks a Transparent switch passes the update through, each Client says "Ok, I just learnt VLAN 50!", and an Off switch drops VTP updates]

DTP: Dynamic Trunk Protocol
1. Automatic formation of trunked switch-to-switch interconnection
   On: always be a trunk
   Desirable: ask if the other side can/will
   Auto: if the other side asks, I will
   Off: don't become a trunk
2. Negotiation of 802.1Q or ISL encapsulation
   ISL: try to use ISL trunk encapsulation
   802.1q: try to use 802.1q encapsulation
   Negotiate: negotiate ISL or 802.1q encapsulation with peer
   Non-negotiate: always use the encapsulation that is hard set
[Figure: On/On: Trunk; Auto/Desirable: Trunk; Off/Off: NO Trunk; Off with On, Auto or Desirable: NO Trunk]

Optimizing Convergence: Trunk Tuning


Trunk Auto/Desirable Takes Some Time
1. DTP negotiation tuning improves link up convergence time
CatOS> (enable) set trunk <port> nonegotiate dot1q <vlan>
IOS(config-if)# switchport mode trunk
IOS(config-if)# switchport nonegotiate
[Chart: Time to Converge in Seconds (0 to 2.5) for Voice and Data, Trunking Desirable vs. Trunking Nonegotiate: two seconds of delay/loss tuned away]

Trunking/VTP/DTP: Quick Summary
1. VTP Transparent should be used; there is a trade-off between administrative overhead and the temptation to span existing VLANs across multiple access layer switches
2. Emerging technologies that do VLAN assignment by name (IBNS, NAC, etc.) require a unique VLAN database per access layer switch if the rule "a VLAN = a subnet = an access layer switch" is going to be followed
3. One can consider a configuration that uses DTP ON/ON and NO NEGOTIATE; there is a trade-off between performance/HA impact and maintenance and operations implications
4. An ON/ON and NO NEGOTIATE configuration is faster from a link up (restoration) perspective than a desirable/desirable alternative. However, in this configuration DTP is not actively monitoring the state of the trunk and a misconfigured trunk is not easily identified.
5. It's really a balance between fast convergence and your ability to manage configuration and change control

Best Practices: UDLD Configuration
1. Typically deployed on any fiber-optic interconnection
2. Use UDLD aggressive mode for best protection
3. Turn on in global configuration to avoid operational error/misses
4. Config example
   Cisco IOS: udld aggressive
[Figure: fiber interconnections and Layer 3 equal cost links between distribution and core, connecting WAN, Data Center and Internet]

Unidirectional Link Detection

Protecting Against One-Way Communication
1. Highly-available networks require UDLD to protect against one-way communication or partially failed links and the effect that they could have on protocols like STP and RSTP
2. Primarily used on fiber-optic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs
3. Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the port's own device/port ID, and the neighbor's device/port IDs seen by UDLD on that port
4. Neighboring ports should see their own device/port ID (echo) in the packets received from the other side
5. If the port does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the link is considered unidirectional and is shut down

Figure: two switches exchanging UDLD hellos ("Are you echoing my hellos?").

UDLD Aggressive and UDLD Normal
1. Timers are the same: 15-second hellos by default
2. Aggressive Mode: after aging on a previously bidirectional link, tries 8 times (once per second) to re-establish the connection, then err-disables the port
3. UDLD Normal Mode: only err-disables the end where UDLD detected the problem; the other end just sees the link go down
4. UDLD Aggressive: err-disables BOTH ends of the connection, because err-disable occurs when aging and re-establishment of UDLD communication fails
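The echo check and the normal/aggressive difference from the two UDLD slides, as an added simulation (not Cisco's implementation): each end advertises its own ID plus the IDs it has heard, a one-way fibre is cut, and the model reports which end(s) err-disable. Switch and port names, the 45 s hold time and the 8 one-per-second retries are assumptions; the 15 s hello is the slide's.

```python
"""UDLD echo-check model (an added example; not Cisco's implementation).

A port advertises its own (device, port) id plus every id it has heard from
the far end; it is bidirectional only while its own id comes back in the
neighbour's echo list. Timers: 15 s hellos as on the slide; the 45 s hold
time and the 8 one-per-second retries of aggressive mode are the usual
defaults and are assumptions here, as are the switch and port names.
"""
from dataclasses import dataclass, field
from typing import Optional

HELLO = 15     # seconds between hellos
HOLD = 45      # neighbour aged out after this many seconds of silence
RETRIES = 8    # aggressive mode: one hello per second before err-disable


@dataclass
class Hello:
    device: str
    port: str
    echo: frozenset          # (device, port) ids the sender has heard


@dataclass
class Port:
    device: str
    port: str
    aggressive: bool = False
    heard: dict = field(default_factory=dict)   # (device, port) -> last heard
    was_bidirectional: bool = False
    retrying: bool = False
    retries_left: int = 0
    state: str = "up"

    @property
    def me(self):
        return (self.device, self.port)

    def due(self, now: int) -> bool:
        """Regular hello every HELLO seconds; one per second while retrying."""
        return now % HELLO == 0 or self.retrying

    def send(self) -> Hello:
        if self.retrying:
            self.retries_left -= 1
        return Hello(self.device, self.port, frozenset(self.heard))

    def receive(self, h: Hello, now: int) -> None:
        self.heard[(h.device, h.port)] = now
        if self.me in h.echo:
            self.was_bidirectional = True   # our hellos reach the far end
            self.retrying = False
        elif self.was_bidirectional:
            # Neighbour no longer lists us: our transmit path is dead.
            self.state = "err-disabled"

    def age(self, now: int) -> None:
        stale = [n for n, t in self.heard.items() if now - t > HOLD]
        for n in stale:
            del self.heard[n]
        if stale and self.was_bidirectional and self.aggressive and not self.retrying:
            self.retrying, self.retries_left = True, RETRIES   # try to re-establish
        if self.retrying and self.retries_left == 0:
            self.state = "err-disabled"     # aggressive mode gives up


def simulate(aggressive: bool, cut: Optional[str] = None, cut_at: int = 30,
             duration: int = 200):
    """Two ports over a fibre pair; optionally cut one direction at `cut_at`.
    Returns the final state of each end (SW1 side, SW2 side)."""
    a = Port("SW1", "Gi1/1", aggressive)
    b = Port("SW2", "Gi1/1", aggressive)
    fibre_ok = {"a_to_b": True, "b_to_a": True}
    for now in range(duration):
        if cut and now == cut_at:
            fibre_ok[cut] = False
        for src, dst, path in ((a, b, "a_to_b"), (b, a, "b_to_a")):
            if src.state == "up" and src.due(now):
                h = src.send()
                if fibre_ok[path] and dst.state == "up":
                    dst.receive(h, now)
        for p in (a, b):
            if p.state == "up":
                p.age(now)
    return a.state, b.state


if __name__ == "__main__":
    print("normal, SW1->SW2 fibre cut:    ", simulate(False, "a_to_b"))
    print("aggressive, SW1->SW2 fibre cut:", simulate(True, "a_to_b"))
```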

Best Practices: EtherChannel Configuration
1. Typically deployed in distribution-to-core and core-to-core interconnections
2. Used to provide link redundancy while reducing peering complexity
3. Tune the L3/L4 load-balancing hash to achieve maximum utilization of channel members
4. Deploy in powers of 2 (2, 4, or 8)
5. Match CatOS and Cisco IOS PAgP settings
6. 802.3ad LACP for interoperability if you need it
7. Disable unless needed
CatOS: set port host
Cisco IOS: switchport host

Figure: hierarchical campus with Layer 3 equal-cost links between distribution and core.

Understanding EtherChannel
Link Negotiation Options: PAgP and LACP

Packet Aggregation Protocol (PAgP)
On/On: channel
On/Off: no channel
Auto/Desirable: channel
Off with On, Auto or Desirable: no channel
On: always be a channel/bundle member
Desirable: ask if the other side can/will
Auto: if the other side asks, I will
Off: don't become a member of a channel/bundle

Link Aggregation Protocol (LACP)
On/On: channel
On/Off: no channel
Active/Passive: channel
Passive/Passive: no channel
On: always be a channel/bundle member
Active: ask if the other side can/will
Passive: if the other side asks, I will
Off: don't become a member of a channel/bundle

EtherChannels or Equal Cost Multipath

10/100/1000: How Do You Aggregate It?
Figure: three-tier campus. Core: 10GE and 10GE channels, typical 4:1 data oversubscription. Distribution to access: typical 20:1 data oversubscription.

EtherChannels or Equal Cost Multipath

Reduce Complexity/Peer Relationships
1. More links = more routing peer relationships and associated overhead
2. EtherChannels allow you to reduce peers by creating a single logical interface to peer over
3. On single link failure in a bundle:
OSPF running on an IOS-based switch will reduce link cost and re-route traffic
OSPF running on a hybrid switch will not change link cost and may overload remaining links
EIGRP may not change link cost and may overload remaining links

Figure: hierarchical campus with Layer 3 equal-cost links between distribution and core.

EtherChannels or Equal Cost Multipath

Why 10-Gigabit Interfaces
1. More links = more routing peer relationships and associated overhead
2. EtherChannels allow you to reduce peers by creating a single logical interface to peer over
3. However, a single link failure is not taken into consideration by routing protocols; overload is possible
4. Single 10-Gigabit links address both problems: increased bandwidth without increasing complexity or compromising the routing protocol's ability to select the best path

Figure: hierarchical campus with Layer 3 equal-cost links between distribution and core.

EtherChannels: Quick Summary
1. For Layer-2 EtherChannels: Desirable/Desirable is the recommended configuration so that PAgP is running across all members of the bundle, ensuring that an individual link failure will not result in an STP failure
2. For Layer-3 EtherChannels: one can consider a configuration that uses ON/ON. There is a trade-off between performance/HA impact and maintenance and operations implications.
3. An ON/ON configuration is faster from a link-up (restoration) perspective than a Desirable/Desirable alternative. However, in this configuration PAgP is not actively monitoring the state of the bundle members and a misconfigured bundle is not easily identified.
4. Routing protocols may not have visibility into the state of an individual member of a bundle. LACP and the minimum links option can be used to bring the entire bundle down when the capacity is diminished.
OSPF has visibility to member loss (best practices pending investigation). EIGRP does not.
5. When used to increase bandwidth, no individual flow can go faster than the speed of an individual member of the link
6. Best used to eliminate single points of failure (i.e., link or port) dependencies from a topology
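Why the EtherChannel best-practice slide says "deploy in powers of 2" and why the summary says one flow never exceeds a member's speed, as an added model (not Cisco code): flows hash into buckets, buckets map round-robin onto members, and the per-member share is uneven unless the member count divides the bucket count. The 8-bucket width and the SHA-256 stand-in for the hardware hash are assumptions.

```python
"""EtherChannel load-distribution model (an added example; not Cisco code).

Assumptions: the switch hashes each flow's L3/L4 tuple into one of 8 hash
buckets and assigns buckets to bundle members round-robin. Eight buckets is
the classic Catalyst behaviour but is an assumption here; the hash function
itself is a stand-in for the platform's hardware hash.
"""
import hashlib
from collections import Counter

BUCKETS = 8  # assumed hash width


def flow_bucket(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Deterministic L3/L4 hash of one flow into a bucket 0..BUCKETS-1."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    return hashlib.sha256(key).digest()[0] % BUCKETS


def bucket_to_member(bucket: int, members: int) -> int:
    """Round-robin mapping of a bucket onto one of `members` links."""
    return bucket % members


def bucket_share(members: int) -> list:
    """Number of buckets (out of BUCKETS) that land on each member link."""
    counts = Counter(bucket_to_member(b, members) for b in range(BUCKETS))
    return [counts[m] for m in range(members)]


def worst_member_load_pct(members: int) -> float:
    """Share of traffic the busiest member carries when buckets are hit evenly."""
    return max(bucket_share(members)) / BUCKETS * 100


def flows_per_member(flows, members: int) -> Counter:
    """Map (src_ip, dst_ip, sport, dport) flows onto member links."""
    return Counter(bucket_to_member(flow_bucket(*f), members) for f in flows)


def member_for_flow(flow, members: int) -> int:
    """Every packet of a flow hashes to the same member, so a single flow can
    never run faster than one member link."""
    return bucket_to_member(flow_bucket(*flow), members)


if __name__ == "__main__":
    # Constructed sample flows: 1000 clients to one server on port 443.
    flows = [("10.1.%d.%d" % (i // 250, i % 250), "10.9.0.10", 40000 + i, 443)
             for i in range(1, 1001)]
    for n in (2, 3, 4, 8):
        print(f"{n} members: buckets {bucket_share(n)}, busiest carries "
              f"{worst_member_load_pct(n):.1f}%; flows per member "
              f"{dict(sorted(flows_per_member(flows, n).items()))}")
```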

Best Practices: First Hop Redundancy
1. Used to provide a resilient default gateway/first hop address to end-stations
2. HSRP, VRRP, and GLBP alternatives
3. VRRP, HSRP and GLBP provide millisecond timers and excellent convergence performance
4. VRRP if you need multivendor interoperability
5. GLBP facilitates uplink load balancing
6. Preempt timers need to be tuned to avoid black-holed traffic

Figure: first hop redundancy at the distribution layer of the hierarchical campus (access, distribution, core, WAN, data center, Internet).

First Hop Redundancy with VRRP

IETF Standard RFC 2338 (April 1998)
R1: Master, forwarding traffic; R2: Backup
1. A group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address
2. One (master) router performs packet forwarding for local hosts
3. The rest of the routers act as backup in case the master router fails
4. Backup routers stay idle as far as packet forwarding from the client side is concerned

Figure: Distribution-A (R1, VRRP active): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.5e00.0101. Distribution-B (R2, VRRP backup): IP 10.0.0.253, MAC 0000.0c78.9abc. Hosts on Access-a: 10.0.0.1 (aaaa.aaaa.aa01), 10.0.0.2 (aaaa.aaaa.aa02), 10.0.0.3 (aaaa.aaaa.aa03), each with GW 10.0.0.10 and ARP entry 0000.5e00.0101.

First Hop Redundancy with HSRP

RFC 2281 (March 1998)
R1: Active, forwarding traffic; R2: Hot Standby, idle
1. A group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address
2. One (active) router performs packet forwarding for local hosts
3. The rest of the routers provide hot standby in case the active router fails
4. Standby routers stay idle as far as packet forwarding from the client side is concerned

Figure: Distribution-A (R1, HSRP active): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.0c07.ac00. Distribution-B (R2, HSRP backup/standby): IP 10.0.0.253, MAC 0000.0c78.9abc. Hosts on Access-a: 10.0.0.1 (aaaa.aaaa.aa01), 10.0.0.2 (aaaa.aaaa.aa02), 10.0.0.3 (aaaa.aaaa.aa03), each with GW 10.0.0.10 and ARP entry 0000.0c07.ac00.

Why You Want HSRP Preemption
1. Spanning Tree Root and HSRP Primary aligned
2. When the Spanning Tree Root is re-introduced, traffic will take a two-hop path to the HSRP Active
3. HSRP Preemption will allow HSRP to follow the Spanning Tree topology
Without preempt delay, HSRP can go active before the box is completely ready to forward traffic: L1 (boards), L2 (STP), L3 (IGP convergence)
standby 1 preempt delay minimum 180

Figure: core, distribution (one switch is Spanning Tree root and HSRP active, the other HSRP with preempt) and access layers.

First Hop Redundancy with GLBP

Cisco Designed, Load Sharing, Patent Pending
1. All the benefits of HSRP plus load balancing of the default gateway; utilizes all available bandwidth
2. A group of routers function as one virtual router by sharing one virtual IP address but using multiple virtual MAC addresses for traffic forwarding
3. Allows traffic from a single common subnet to go through multiple redundant gateways using a single virtual IP address
R1: AVG; R1 and R2 both forward traffic

Figure: Distribution-A (R1, GLBP AVG/AVF, SVF): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0007.b400.0101. Distribution-B (R2, GLBP AVF, SVF): IP 10.0.0.253, MAC 0000.0c78.9abc, vIP 10.0.0.10, vMAC 0007.b400.0102. Hosts on Access-a: 10.0.0.1 (aaaa.aaaa.aa01, ARP 0007.b400.0101), 10.0.0.2 (aaaa.aaaa.aa02, ARP 0007.b400.0102), 10.0.0.3 (aaaa.aaaa.aa03, ARP 0007.b400.0101), each with GW 10.0.0.10.

First Hop Redundancy with Load Balancing

Cisco Gateway Load Balancing Protocol (GLBP)
1. Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address/default gateway
2. When end-stations ARP for the common IP address/default gateway they are given a load-balanced virtual MAC address
3. Host A and host B send traffic to different GLBP peers but have the same default gateway

Figure: subnet 10.88.1.0/24 with vIP 10.88.1.10. R1 (.1): GLBP 1 ip 10.88.1.10, vMAC 0000.0000.0001. R2 (.2): GLBP 1 ip 10.88.1.10, vMAC 0000.0000.0002. Host .4 ARPs for 10.88.1.10 and gets MAC 0000.0000.0001; host .5 (A) ARPs for 10.88.1.10 and gets MAC 0000.0000.0002.
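The ARP-driven load balancing of the GLBP slides, as an added model (not Cisco's implementation): the AVG hands out the slide's two vMACs in rotation, so losing one forwarder affects only the hosts holding its vMAC, and the AVG moves that vMAC to the surviving AVF without the hosts re-ARPing. The host list is constructed and GLBP's redirect and timeout timers are omitted.

```python
"""GLBP gateway model (an added example; not Cisco's implementation).

The AVG answers each host's ARP for the shared virtual IP with the next
virtual MAC in round-robin order (GLBP's default load balancing), so hosts
on one subnet are spread over the forwarders. Losing a forwarder affects only
the hosts holding its vMAC, and the AVG then hands that vMAC to a surviving
AVF so those hosts recover without re-ARPing (the redirect/timeout timers
are omitted). Addresses are the slide's; the host list is constructed.
"""
from itertools import cycle


class GlbpGroup:
    def __init__(self, vip: str, forwarders: dict):
        # forwarders: router name -> the virtual MAC that router answers to
        self.vip = vip
        self.routers = set(forwarders)
        self.owner = {vmac: r for r, vmac in forwarders.items()}   # vMAC -> AVF
        self._rr = cycle(list(forwarders.values()))
        self.arp_cache = {}                                         # host IP -> vMAC

    def arp_reply(self, host_ip: str) -> str:
        """AVG: answer an ARP for the vIP with the next vMAC in rotation."""
        vmac = next(self._rr)
        self.arp_cache[host_ip] = vmac
        return vmac

    def forwarder_for(self, host_ip: str) -> str:
        """Router currently forwarding this host's upstream traffic."""
        return self.owner[self.arp_cache[host_ip]]

    def hosts_per_forwarder(self) -> dict:
        counts = {r: 0 for r in self.routers}
        for ip in self.arp_cache:
            counts[self.forwarder_for(ip)] += 1
        return counts

    def fail_forwarder(self, router: str) -> list:
        """Lose one forwarder; returns the hosts whose traffic was black-holed
        until the AVG moved the orphaned vMAC to a surviving AVF."""
        orphaned = [m for m, r in self.owner.items() if r == router]
        affected = [ip for ip, m in self.arp_cache.items() if m in orphaned]
        self.routers.discard(router)
        if not self.routers:
            raise RuntimeError("no forwarder left in the group")
        new_owner = sorted(self.routers)[0]
        for m in orphaned:
            self.owner[m] = new_owner
        return affected


if __name__ == "__main__":
    g = GlbpGroup("10.88.1.10", {"R1": "0000.0000.0001", "R2": "0000.0000.0002"})
    for i in range(4, 14):                 # constructed hosts .4 to .13
        print(f"10.88.1.{i} ARPs for {g.vip}, gets {g.arp_reply(f'10.88.1.{i}')}")
    print("hosts per forwarder:", g.hosts_per_forwarder())
    lost = g.fail_forwarder("R2")
    print(f"R2 down: {len(lost)} of {len(g.arp_cache)} hosts affected;",
          "now all on", {g.forwarder_for(ip) for ip in g.arp_cache})
```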

Optimizing Convergence: VRRP, HSRP, GLBP

Mean, Max, and Min: Are There Differences?
1. VRRP not tested with sub-second timers, and all flows go through a common VRRP peer; mean, max, and min are equal
2. HSRP has sub-second timers; however, all flows go through the same HSRP peer so there is no difference between mean, max, and min
3. GLBP has sub-second timers and distributes the load amongst the GLBP peers, so 50% of the clients are not affected by an uplink failure

Chart: time in seconds to converge (longest, shortest, average) for VRRP, HSRP and GLBP on a distribution-to-access link failure, access to server farm; 50% of flows have zero loss with GLBP, so GLBP is 50% better.

If You Span VLANs, Tuning Required

By Default, Half the Traffic Will Take a Two-Hop L2 Path
1. Both distribution switches act as default gateway
2. Blocked uplink causes traffic to take a less than optimal path

Figure: core (Layer 3); Distribution-A (GLBP virtual MAC 1) and Distribution-B (GLBP virtual MAC 2) at Layer 2/3; Access-a and Access-b both in VLAN 2 at Layer 2; F: forwarding, B: blocking.

Best Practice: Operational Management
1. Modular IOS: robust, modular, patchable/rollback, management throughout, fault tolerant
2. Embedded Event Manager (EEM): event-driven automation, instant reaction
3. Cisco Generic Online Diagnostics (GOLD): power-up, scheduled, on demand
4. Smart Call Home: automatically open a TAC case, initiate the RMA cycle

Figure: core, distribution and access layers.

Service Availability Focus: Catalyst with Cisco IOS Software Modularity

INNOVATION: Cisco IOS Software Modularity
Modular processes (IOS-Base, Routing, INETD, EEM, UDP, CDP, TCP, FTP, etc.) running over a high availability infrastructure and a network-optimized microkernel on the Catalyst 6500 data plane
MPLS, IPv6, BFD now modular
Full HW and SW parity with native IOS

BENEFITS
Minimize unplanned downtime
Simplify software changes
Automated policy control
Memory protection, fault containment, stateful process restarts, subsystem ISSU

Generic Online Diagnostics

How does GOLD work?
1. Diagnostic packet switching tests verify that the system is operating correctly:
Is the supervisor control plane and forwarding plane functioning properly?
Is the standby supervisor ready to take over?
Are linecards forwarding packets properly?
Are all ports working?
Is the backplane connection working?
2. Other types of diagnostic tests, including memory and error correlation tests, are also available

Figure: active and standby supervisors (CPU, forwarding engine), fabric and line cards.

Embedded Event Manager

EEM Application Example
Upon matching the provided SYSLOG message LINK-3-UPDOWN, the switch performs the following actions:
Display counter error statistics for the link that has gone down
Start a GOLD loopback test
Send the results using a provided template to a user-configurable address

Figure: interface down; EEM collects interface error counters, runs the GOLD loopback test and sends the results in an e-mail alert.

What Is Smart Call Home?

Interactive Technical Services
Enables Cisco Catalyst switches to send diagnostic information directly to Cisco TAC; significantly reduces the time to solve minor hardware problems and the RMA cycle
Call Home: IOS 12.2(33)SXH

Figure: customer devices send Call Home messages (diagnostics, environmental, syslog, inventory and configuration) over a secure transport across the Internet to the Cisco Call Home database; automated diagnosis capability feeds the TAC service request tracking system; the customer receives notification, device and message reports, and exceptions/fault analysis.


Daisy Chaining Access Layer Switches

Avoid Potential Black Holes
Return path traffic has a 50/50 chance of being black holed: 50% chance that traffic will go down the path with no connectivity

Figure: core (Layer 3) with a Layer 3 link to Distribution-A and Distribution-B (Layer 2/3); daisy-chained Access-a, Access-n and Access-c, all in VLAN 2 (Layer 2); traffic dropped with no path to destination.

Daisy Chaining Access Layer Switches

New Technology Addresses Old Problems
1. StackWise/StackWise-Plus technology eliminates the concern
Loopback links not required
No longer forced to have an L2 link in the distribution
2. If you use modular (chassis-based) switches, these problems are not a concern

Figure: 3750-E stack with Layer 3 uplinks to the HSRP active and HSRP standby distribution switches, both forwarding.

What Happens if You Don't Link the Distributions?
1. STP's slow convergence can cause considerable periods of traffic loss
2. STP could cause non-deterministic traffic flows/link load engineering
3. STP convergence will cause Layer 3 convergence
4. STP and Layer 3 timers are independent
5. Unexpected Layer 3 convergence and re-convergence could occur
6. Even if you do link the distribution switches, dependence on STP and link state/connectivity can cause HSRP irregularities and unexpected state transitions

Figure: core; STP root and HSRP active, STP secondary root and HSRP standby exchanging hellos through the access layer; Access-a and Access-b in VLAN 2 (F: forwarding, B: blocking). Traffic dropped until HSRP goes active. Traffic dropped until transition to forwarding: as much as 50 seconds. Traffic dropped until MaxAge expires, then listening and learning.

What if You Don't?

Black Holes and Multiple Transitions
1. Blocking link on Access-b will take 50 seconds to move to forwarding; traffic black hole until HSRP goes active on the standby HSRP peer
2. After MaxAge expires (or backbone fast or Rapid PVST+ converges), HSRP preempt causes another transition
3. Access-b used as transit for Access-a's traffic

Figure: core (Layer 3); STP root and HSRP active, STP secondary root and HSRP standby (distribution, Layer 2/3) exchanging hellos through the access layer; Access-a and Access-b in VLAN 2 (F: forwarding, B: blocking). Traffic dropped until HSRP goes active (temporarily); aggressive HSRP timers limit black hole #1; MaxAge seconds before the failure is detected, then listening and learning; backbone fast limits the time to event #2 (30 seconds); even with Rapid PVST+, at least one second before event #2.

What if You Don't?

Return Path Traffic Black Holed
1. Blocking link on Access-b will take 50 seconds to move to forwarding; return traffic black hole until then
802.1d: up to 50 seconds
PVST+: backbone fast, 30 seconds
Rapid PVST+: addressed by the protocol (one second)

Figure: core (Layer 3); STP root and HSRP active, STP secondary root and HSRP standby (distribution, Layer 2/3) exchanging hellos through the access layer; Access-a and Access-b in VLAN 2 (F: forwarding, B: blocking). Traffic dropped until MaxAge expires, then listening and learning.

Asymmetric Routing (Unicast Flooding)
1. Affects redundant topologies with shared L2 access
2. One path upstream and two paths downstream
3. CAM table entry ages out on the standby HSRP
4. Without a CAM entry, the packet is flooded to all ports in the VLAN

Figure: upstream packet unicast to the active HSRP; asymmetric equal-cost return path; the CAM timer has aged out on the standby HSRP, so the downstream packet is flooded to all four access switches in VLAN 2.

Best Practices: Prevent Unicast Flooding
1. Assign one unique data and voice VLAN to each access switch
2. Traffic is now only flooded down one trunk
3. Access switch unicasts correctly; no flooding to all ports
4. If you have to:
Tune ARP and CAM aging timers; CAM timer exceeds ARP timer
Bias routing metrics to remove equal cost routes

Figure: upstream packet unicast to the active HSRP; asymmetric equal-cost return path; downstream packet flooded on a single port; access switches in VLANs 2, 3, 4 and 5.
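Why the "CAM timer exceeds ARP timer" tuning works, as an added simulation (not Cisco code) of the asymmetric-routing case on the two preceding slides: the standby never sees the host's frames, so its CAM entry ages while its ARP entry survives and downstream packets flood; when the ARP timeout is the shorter timer, the re-ARP relearns the MAC first. The 300 s CAM / 14400 s ARP defaults and the packet schedule are assumptions.

```python
"""Unicast-flooding model for the asymmetric-routing case (an added example;
not Cisco code).

Upstream traffic goes to the HSRP active only, so the standby switch never
sees frames from the host and its CAM entry for the host ages out while its
ARP entry stays valid; downstream packets arriving on the standby are then
flooded. If the ARP timeout is not longer than the CAM aging time the standby
re-ARPs first, the host's reply refreshes the CAM entry, and nothing floods.
Default timers (300 s CAM, 14400 s ARP) and the packet schedule are assumed.
"""


class StandbyDistribution:
    """The HSRP standby switch/router on the return path to one host."""

    def __init__(self, cam_aging: int = 300, arp_timeout: int = 14400):
        self.cam_aging = cam_aging
        self.arp_timeout = arp_timeout
        self.cam_last_seen = 0   # host MAC last learned from a host frame (t=0)
        self.arp_learned = 0     # ARP entry for the host created at t=0
        self.arp_requests = 0

    def deliver_downstream(self, now: int) -> str:
        """Forward one packet to the host; returns 'unicast' or 'flooded'."""
        if now - self.arp_learned >= self.arp_timeout:
            # ARP entry expired: the router ARPs the host. The host's unicast
            # reply is a frame *from* the host, so the CAM entry is relearned.
            self.arp_requests += 1
            self.arp_learned = now
            self.cam_last_seen = now
            return "unicast"
        if now - self.cam_last_seen >= self.cam_aging:
            # IP-to-MAC is known, but the MAC is not in the CAM: flood the VLAN.
            return "flooded"
        return "unicast"


def flooded_packets(cam_aging: int, arp_timeout: int,
                    interval: int = 60, duration: int = 3600) -> int:
    """Count flooded downstream packets when return traffic for one host
    reaches the standby every `interval` seconds while the host's own frames
    all go to the active (so the standby never refreshes the CAM from them)."""
    sw = StandbyDistribution(cam_aging, arp_timeout)
    return sum(sw.deliver_downstream(t) == "flooded"
               for t in range(0, duration, interval))


if __name__ == "__main__":
    total = 3600 // 60
    print(f"defaults (CAM 300 s, ARP 14400 s): {flooded_packets(300, 14400)}/{total} flooded")
    print(f"ARP 240 s < CAM 300 s:             {flooded_packets(300, 240)}/{total} flooded")
    print(f"CAM raised to 14400 s:             {flooded_packets(14400, 14400)}/{total} flooded")
```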


Building a Converged Campus Network

Infrastructure Integration, QoS, and Availability
1. Access layer: auto phone detection; inline power; QoS: scheduling, trust boundary and classification; fast convergence
2. Distribution layer: high availability, redundancy, fast convergence; policy enforcement; QoS: scheduling, trust boundary and classification
3. Core: high availability, redundancy, fast convergence; QoS: scheduling, trust boundary

Figure: hierarchical campus (access, distribution, core, WAN, data center, Internet) with Layer 3 equal-cost links.

Infrastructure Integration
Extending the Network Edge
Switch detects the IP phone and applies power; CDP transaction between phone and switch; IP phone placed in the proper VLAN; DHCP request and CallManager registration
1. The phone contains a three-port switch that is configured in conjunction with the access switch and CallManager:
Power negotiation
VLAN configuration
802.1x interoperation
QoS configuration
DHCP and CallManager registration

Enhanced Power Negotiation

802.3af Plus Bi-Directional CDP (Cisco 7970)
PSE (Power Source Equipment): Cisco 6500, 4500, 3750, 3560
PD (Powered Device): Cisco 7970
Sequence: PD plugged in; switch detects IEEE PD; PD is classified; power is applied; phone transmits a CDP power negotiation packet listing its power mode; switch sends a CDP response with a power request based on the capabilities exchanged; final power allocation is determined
1. Using the bi-directional CDP exchange, exact power requirements are negotiated after initial power-on

Design Considerations for PoE

Power Management
1. The switch manages power by what is allocated, not by what is currently used
2. Device power consumption is not constant
3. A 7960G requires 7W when the phone is ringing at maximum volume and requires 5W on or off hook
4. Understand the power behavior of your PoE devices
5. Utilize static power configuration with caution
Dynamic allocation: power inline auto max 7200
Static allocation: power inline static max 7200
6. Use the power calculator to determine power requirements: http://www.cisco.com/go/powercalculator

Infrastructure Integration: Next Steps

VLAN, QoS and 802.1x Configuration
Phone VLAN = 110 (VVID); PC VLAN = 10 (PVID)
802.1Q encapsulation with 802.1p Layer 2 CoS
Native VLAN (PVID): no configuration changes needed on the PC
1. During the initial CDP exchange the phone is configured with a Voice VLAN ID (VVID)
2. The phone is also supplied with QoS configuration via CDP TLV fields
3. Additionally, the switch port currently bypasses 802.1x authentication for the VVID if it detects a Cisco phone


Best Practices: Quality of Service
1. Must be deployed end-to-end to be effective; all layers play different but equal roles
2. Ensure that mission-critical applications are not impacted by link or transmit queue congestion
3. Aggregation and rate transition points must enforce QoS policies
4. Multiple queues with configurable admission criteria and scheduling are required

Figure: end-to-end QoS across the hierarchical campus (access, distribution, core, WAN, data center, Internet) with Layer 3 equal-cost links.

Transmit Queue Congestion

10/100m Queued 128k Uplink
WAN router: 100 Meg in, 128 Kb/s out. Packets serialize in faster than they serialize out; packets are queued as they wait to serialize out the slower link.
Distribution switch to access switch: 1 Gig in, 100 Meg out. Packets serialize in faster than they serialize out; packets are queued as they wait to serialize out the slower link.

Auto QoS VoIP: Making It Easy

Configures QoS for VoIP on Campus Switches
Access-Switch(config-if)# auto qos voip ?
  cisco-phone      Trust the QoS marking of Cisco IP Phone
  cisco-softphone  Trust the QoS marking of Cisco IP SoftPhone
  trust            Trust the DSCP/CoS marking
Access-Switch(config-if)# auto qos voip cisco-phone
Access-Switch(config-if)# exit

Resulting interface configuration:
!
interface FastEthernet1/0/21
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
end

Real-time Application Visibility with Network Based Application Recognition

NBAR Protocol Discovery
Protocol Discovery: discover what applications are running on your network and provide real-time statistics
Per-interface, per-protocol, bi-directional statistics: bit rate (bps), packet count, byte count
SNMP accessible for centralized monitoring
Supported by partner products (Concord/CA, InfoVista, Micromuse/IBM) and MRTG

Chart: campus link utilization by class (voice, interactive video, streaming video, call signaling, routing, net mgmt, mission-critical, transactional, critical data, bulk, P2P, e-mail, backup, etc.); real-time = 33%, best effort = 25%.


Best Practices: Campus Security
1. New stuff that we will cover: the Catalyst Integrated Security Feature Set: Dynamic Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
2. Things you already know that we won't cover:
Use SSH to access devices instead of Telnet
Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
Enable SYSLOG to a server; collect and archive logs
When using SNMP, use SNMPv3
Disable unused services: no service tcp-small-servers, no service udp-small-servers
Use FTP or SFTP (SSH FTP) to move images and configurations around; avoid TFTP when possible
Install VTY access-lists to limit which addresses can access management and CLI services
Enable control plane protocol authentication where it is available (EIGRP, OSPF, BGP, HSRP, VTP, etc.)
Apply the basic protections offered by implementing RFC 2827 filtering on external edge inbound interfaces

For more details, see the BRKSEC-2002 session, Understanding and Preventing Layer 2 Attacks

Figure: end-to-end security across the hierarchical campus (access, distribution, core, WAN, Internet).

Securing Layer 2 from Surveillance Attacks

Cutting off MAC-Based Attacks
PROBLEM: script kiddie hacking tools enable attackers to flood switch CAM tables with bogus MACs (250,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy; the switch CAM table limit is a finite number of MAC addresses
SOLUTION: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap (e.g., only 3 MAC addresses allowed on the port: shutdown)
switchport port-security
switchport port-security maximum 10
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
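The behaviour of the port-security configuration above, as an added model (not the switch's implementation): a secure MAC limit, violation mode restrict versus shutdown, and inactivity aging that frees slots again. Port name, MAC addresses and the flood are constructed.

```python
"""Port-security model for the MAC-flooding slide (an added example; not the
switch's implementation).

Mirrors the slide's configuration: maximum 10 secure MACs, violation
restrict (drop offending frames, count them, raise a trap, keep the port up),
aging time 2 minutes, aging type inactivity. Violation mode shutdown is
modelled for comparison. Port name, frames and MAC addresses are constructed.
"""
from collections import Counter


class SecuredPort:
    def __init__(self, name="Fa0/1", maximum=10, violation="restrict",
                 aging_minutes=2, aging_type="inactivity"):
        self.name, self.maximum, self.violation = name, maximum, violation
        self.aging_s = aging_minutes * 60           # IOS counts aging in minutes
        self.aging_type = aging_type                # inactivity | absolute
        self.secure = {}                            # mac -> [learned_at, last_seen]
        self.violations = 0
        self.traps = []                             # SNMP traps / syslog lines
        self.state = "up"

    def _age(self, now):
        for mac, (learned, seen) in list(self.secure.items()):
            ref = seen if self.aging_type == "inactivity" else learned
            if now - ref >= self.aging_s:
                del self.secure[mac]                # frees a secure slot

    def ingress(self, src_mac: str, now: int) -> str:
        """Process one ingress frame; returns 'forward' or 'drop'."""
        if self.state != "up":
            return "drop"
        self._age(now)
        if src_mac in self.secure:
            self.secure[src_mac][1] = now           # refresh inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = [now, now]       # dynamically learned secure MAC
            return "forward"
        self.violations += 1
        if self.violation == "shutdown":
            self.state = "err-disabled"
            self.traps.append(f"{self.name}: err-disabled, offending MAC {src_mac}")
        elif self.violation == "restrict":
            self.traps.append(f"{self.name}: violation, offending MAC {src_mac}")
        # 'protect' mode drops silently
        return "drop"


def bogus_mac(i: int) -> str:
    """Constructed attacker MAC: 00:0e:00 followed by a 24-bit counter."""
    return "00:0e:00:%02x:%02x:%02x" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)


def mac_flood(port: SecuredPort, count: int, now: int = 0) -> Counter:
    """Send `count` frames with distinct bogus source MACs within one second."""
    return Counter(port.ingress(bogus_mac(i), now) for i in range(count))


if __name__ == "__main__":
    p = SecuredPort()                               # the slide's configuration
    print("restrict:", dict(mac_flood(p, 250)), "violations", p.violations,
          "port", p.state, "traps", len(p.traps))
    s = SecuredPort(maximum=3, violation="shutdown")
    print("shutdown:", dict(mac_flood(s, 5)), "port", s.state)
```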

DHCP Snooping
Protection Against Rogue/Malicious DHCP Server
1. DHCP requests (discover) and responses (offer) tracked
2. Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
3. Deny responses (offers) on non-trusted interfaces; stops a malicious or errant DHCP server

Figure: a client sends a DHCP request; a rogue host answers with bogus DHCP responses; 1000s of DHCP requests to overrun the DHCP server.

Securing Layer 2 from Surveillance Attacks

Protection Against ARP Poisoning
1. Dynamic ARP Inspection protects against ARP poisoning (ettercap, dsniff, arpspoof)
2. Uses the DHCP snooping binding table
3. Tracks MAC to IP from DHCP transactions
4. Rate-limits ARP requests from client ports; stops port scanning
5. Drops BOGUS gratuitous ARPs; stops ARP poisoning/MIM attacks

Figure: gateway = 10.1.1.1, MAC A; attacker = 10.1.1.25, MAC B, sends gratuitous ARP 10.1.1.50 = MAC_B and gratuitous ARP 10.1.1.1 = MAC_B; victim = 10.1.1.50, MAC C.

IP Source Guard
Protection Against Spoofed IP Addresses
1. IP Source Guard protects against spoofed IP addresses
2. Uses the DHCP snooping binding table
3. Tracks IP address to port associations
4. Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP

Figure: gateway = 10.1.1.1, MAC A; attacker = 10.1.1.25 claims "Hey, I'm 10.1.1.50!"; victim = 10.1.1.50.

Catalyst Integrated Security Features

Summary: Cisco IOS
1. Port security prevents MAC flooding attacks
2. DHCP snooping prevents client attacks on the switch and server
3. Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
4. IP Source Guard adds security to the IP source address using the DHCP snooping table

ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
interface fa3/1
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source vlan dhcp-snooping
!
interface gigabit1/1
 ip dhcp snooping trust
 ip arp inspection trust
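How the three binding-table features on the DHCP snooping, ARP poisoning and IP Source Guard slides fit together, as an added model (not Cisco's implementation): leases seen on trusted uplinks build the binding table, server messages and excess DHCP/ARP on client ports are dropped, and DAI and IP Source Guard consult the bindings. The IP/MAC values are the slides' (gateway 10.1.1.1, attacker 10.1.1.25, victim 10.1.1.50); port names, MAC labels and timings are constructed.

```python
"""DHCP snooping binding table with DAI and IP Source Guard checks (an added
example; not Cisco's implementation).

Models the summary slide: snooping records DHCP leases, drops server messages
arriving on untrusted ports and rate-limits DHCP and ARP on client ports;
Dynamic ARP Inspection and IP Source Guard then consult the bindings. The
IP/MAC values are the ones on the ARP-poisoning and IP-spoofing slides;
port names, MAC labels and timings are constructed.
"""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only a DHCP server sends these


class SnoopingSwitch:
    def __init__(self, vlans, trusted_ports, dhcp_pps=100, arp_pps=100):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.limits = {"dhcp": dhcp_pps, "arp": arp_pps}
        self.bindings = {}                         # (vlan, mac) -> (ip, port)
        self.pending = {}                          # (vlan, mac) -> client port
        self.err_disabled = set()
        self._counts = defaultdict(int)            # (kind, port, second) -> n

    def _over_limit(self, kind, port, now) -> bool:
        """Per-port, per-second rate limit; exceeding it err-disables the port."""
        self._counts[(kind, port, now)] += 1
        if self._counts[(kind, port, now)] > self.limits[kind]:
            self.err_disabled.add(port)
            return True
        return False

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None, now=0) -> str:
        """One DHCP message entering `port`; returns 'forward' or 'drop'."""
        if port in self.err_disabled:
            return "drop"
        if vlan not in self.vlans:
            return "forward"                       # snooping not enabled here
        if port not in self.trusted:
            if self._over_limit("dhcp", port, now):
                return "drop"                      # DHCP DoS from a client port
            if msg in SERVER_MESSAGES:
                return "drop"                      # rogue server on a client port
            self.pending[(vlan, client_mac)] = port  # remember who asked, and where
            return "forward"
        if msg == "ACK" and (vlan, client_mac) in self.pending:
            client_port = self.pending.pop((vlan, client_mac))
            self.bindings[(vlan, client_mac)] = (yiaddr, client_port)
        return "forward"

    def arp_inspect(self, port, vlan, sender_ip, sender_mac, now=0) -> str:
        """DAI: an ARP from a client port must match a binding on that port."""
        if port in self.err_disabled:
            return "deny"
        if port in self.trusted or vlan not in self.vlans:
            return "permit"
        if self._over_limit("arp", port, now):
            return "deny"                          # ARP scan / flood
        ok = self.bindings.get((vlan, sender_mac)) == (sender_ip, port)
        return "permit" if ok else "deny"          # bogus gratuitous ARP dropped

    def ip_source_guard(self, port, vlan, src_ip) -> str:
        """IPSG: the port ACL only permits source IPs leased on this port."""
        if port in self.trusted:
            return "forward"
        leased_here = {ip for (v, _), (ip, p) in self.bindings.items()
                       if v == vlan and p == port}
        return "forward" if src_ip in leased_here else "drop"


def lease(sw, port, vlan, mac, ip, uplink):
    """Constructed DORA exchange: client on `port`, server behind `uplink`."""
    return [sw.dhcp(port, vlan, "DISCOVER", mac),
            sw.dhcp(uplink, vlan, "OFFER", mac, ip),
            sw.dhcp(port, vlan, "REQUEST", mac),
            sw.dhcp(uplink, vlan, "ACK", mac, ip)]


if __name__ == "__main__":
    sw = SnoopingSwitch(vlans=range(2, 11), trusted_ports={"Gi1/1"})
    lease(sw, "Fa3/1", 2, "MAC_C", "10.1.1.50", "Gi1/1")   # victim
    lease(sw, "Fa3/2", 2, "MAC_B", "10.1.1.25", "Gi1/1")   # attacker's real lease
    print("bindings:", sw.bindings)
    print("gratuitous ARP 10.1.1.1=MAC_B  :", sw.arp_inspect("Fa3/2", 2, "10.1.1.1", "MAC_B"))
    print("gratuitous ARP 10.1.1.50=MAC_B :", sw.arp_inspect("Fa3/2", 2, "10.1.1.50", "MAC_B"))
    print("IP 10.1.1.50 from attacker port:", sw.ip_source_guard("Fa3/2", 2, "10.1.1.50"))
```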

PISA Flexible Packet Matching
Multi-Gig Deep Packet Inspection Performance; Rapid Response to New and Emerging Attacks

Network managers require tools to filter Day Zero attacks, e.g. prior to IPS signatures being available. Traditional ACLs take a shotgun approach: legitimate traffic could be blocked. FPM delivers flexible, granular Layer 2-7 matching. Useful for CERT-like teams within Service Providers and Enterprise customers.

Flexible Classification and Rapid Response
1. Goes beyond static attributes: specify arbitrary bits/bytes at any offset within the payload or header
2. Classify on multiple attributes within a packet
3. String match and regex
4. Set up custom filters rapidly using XML-based policy language

Diagram: a match pattern applied to a packet bit string (0111111010101010000111000100111110010001000100100010001001) and combined with And / Or / Not. See Cisco.com/go/fpm.
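To make the "match pattern, And / Or / Not" diagram concrete, here is an added Python model of FPM-style classification. It is not Cisco's FPM engine or its XML policy language and is not from the original deck. The packet layout (IPv4 without options followed by UDP), the destination port 5555, the payload markers "XYZ-" and "BEACON-nnnn" and the "ALLOWLIST" exemption are all constructed for the illustration; the point is that a filter can name a byte or bit field at any offset, a string or regex in the payload, and compose them, which is what lets a team filter a new attack before a signature exists without blocking whole ports the way a plain ACL would.

```python
"""Toy model of Flexible Packet Matching (FPM) style classification: match
arbitrary bytes at an offset (optionally under a bitmask), string or regex
matches inside the payload, and combine them with And / Or / Not.
Constructed teaching example; not Cisco's FPM engine or its XML policy
language. The packet layout, port and payload markers are invented."""
import re
import struct
from typing import Callable, Optional

Matcher = Callable[[bytes], bool]


def match_bytes(offset: int, pattern: bytes, mask: Optional[bytes] = None) -> Matcher:
    """True when the bytes at `offset` equal `pattern`; with `mask`, only the
    masked bits are compared (this is how a single header nibble is tested)."""
    def _m(pkt: bytes) -> bool:
        window = pkt[offset:offset + len(pattern)]
        if len(window) < len(pattern):
            return False  # packet too short to contain the field at all
        if mask is None:
            return window == pattern
        return all((w & m) == (p & m) for w, p, m in zip(window, pattern, mask))
    return _m


def match_string(needle: bytes, start: int = 0) -> Matcher:
    """Substring search anywhere from `start` onward."""
    return lambda pkt: needle in pkt[start:]


def match_regex(expr: bytes, start: int = 0) -> Matcher:
    """Regular-expression search from `start` onward."""
    rx = re.compile(expr)
    return lambda pkt: rx.search(pkt[start:]) is not None


def AND(*ms: Matcher) -> Matcher:
    return lambda pkt: all(m(pkt) for m in ms)


def OR(*ms: Matcher) -> Matcher:
    return lambda pkt: any(m(pkt) for m in ms)


def NOT(m: Matcher) -> Matcher:
    return lambda pkt: not m(pkt)


# Fixed offsets for a minimal IPv4 (20-byte header, no options) + UDP packet.
IP_PROTO_OFFSET = 9      # IPv4 protocol field
L4_DST_PORT_OFFSET = 22  # UDP/TCP destination port (IP header 0-19, src port 20-21)
PAYLOAD_OFFSET = 28      # first byte after the 8-byte UDP header


def build_packet(dst_port: int, payload: bytes, proto: int = 17) -> bytes:
    """Constructed IPv4 + UDP-shaped packet from 10.1.1.25 to 10.1.1.50 (checksums zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([10, 1, 1, 25]), bytes([10, 1, 1, 50]))
    l4_hdr = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    return ip_hdr + l4_hdr + payload


# Constructed "day zero" filter: IPv4, UDP, to port 5555, and the payload either
# starts with the marker "XYZ-" or carries a beacon tag "BEACON-nnnn" anywhere,
# unless the payload carries the (constructed) exemption string "ALLOWLIST".
IS_IPV4 = match_bytes(0, b"\x40", mask=b"\xf0")             # version nibble only
IS_UDP = match_bytes(IP_PROTO_OFFSET, b"\x11")
TO_PORT_5555 = match_bytes(L4_DST_PORT_OFFSET, struct.pack("!H", 5555))
HAS_MARKER = match_bytes(PAYLOAD_OFFSET, b"XYZ-")
HAS_BEACON = match_regex(rb"BEACON-[0-9]{4}", PAYLOAD_OFFSET)
EXEMPT = match_string(b"ALLOWLIST", PAYLOAD_OFFSET)

DROP_POLICY = AND(IS_IPV4, IS_UDP, TO_PORT_5555, OR(HAS_MARKER, HAS_BEACON), NOT(EXEMPT))


def classify(pkt: bytes) -> str:
    """Returns 'drop' when the policy matches, otherwise 'permit'."""
    return "drop" if DROP_POLICY(pkt) else "permit"


if __name__ == "__main__":
    samples = {
        "marker_to_5555": build_packet(5555, b"XYZ-" + b"A" * 16),
        "beacon_to_5555": build_packet(5555, b"hello BEACON-0042"),
        "benign_to_5555": build_packet(5555, b"hello"),
        "marker_to_53": build_packet(53, b"XYZ-" + b"A" * 16),
        "marker_tcp_5555": build_packet(5555, b"XYZ-" + b"A" * 16, proto=6),
        "exempt_to_5555": build_packet(5555, b"XYZ-ALLOWLIST"),
    }
    for name, pkt in samples.items():
        print(f"{name:18s} {classify(pkt)}")
```

Note how narrow the drop policy is compared with a port-based ACL: ordinary traffic to the same UDP port, the same payload on another port, and the same payload over TCP all pass, and the match fails closed on packets too short to carry the field. That is the "granular Layer 2-7 matching" the slide contrasts with the shotgun ACL.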

Sup 32 PISA Deployment
Campus Access Layer

1. Mark business-critical, real-time applications as GOLD service
2. Police non-priority applications
3. Block worms like Slammer using Flexible Packet Matching
4. Detect and rate-limit undesired peer-to-peer traffic

Diagram: access switch with PCs and a printer; link utilization chart of Citrix, Netshow, Oracle, FTP and HTTP traffic (shares shown: 25%, 15%, 10%, 30%, 20%).

Agenda
1. Multilayer Campus Design Principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary

Diagram: Data Center, Services Block and Distribution Blocks attached to the core.

Hierarchical Campus

Diagram: Access, Distribution, Core, Distribution and Access layers, with WAN, Data Center and Internet blocks.

Layer 3 Distribution Interconnection
Layer 2 Access, No VLANs Span Access Layer

1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards core
4. Limit redundant IGP peering
5. STP Root and HSRP primary tuning, or GLBP, to load balance on uplinks
6. Set trunk mode on/nonegotiate
7. Disable EtherChannel unless needed
8. Set port host on access layer ports: disable trunking, disable EtherChannel, enable PortFast
9. RootGuard or BPDU-Guard
10. Use security features

Diagram: Core; Layer 3 point-to-point link between the distribution switches; Access with VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24 on one access switch, VLAN 40 Data 10.1.40.0/24 and VLAN 140 Voice 10.1.140.0/24 on the other.

Layer 2 Distribution Interconnection
Layer 2 Access, Some VLANs Span Access Layer

1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards core
4. Limit redundant IGP peering
5. STP Root and HSRP primary, or GLBP and STP port cost tuning, to load balance on uplinks
6. Set trunk mode on/nonegotiate
7. Disable EtherChannel unless needed
8. RootGuard on downlinks
9. LoopGuard on uplinks
10. Set port host on access layer ports: disable trunking, disable EtherChannel, enable PortFast
11. RootGuard or BPDU-Guard
12. Use security features

Diagram: Core; Layer 2 trunk between the distribution switches; Access with VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24 and VLAN 250 WLAN 10.1.250.0/24.

Routed Access and Virtual Switching System
Evolutions of and Improvements to Existing Designs

Diagram: Core; distribution switches joined by a VSS link (new concept) alongside the Layer 3 point-to-point link design; Access with VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24, VLAN 40 Data 10.1.40.0/24 and VLAN 140 Voice 10.1.140.0/24, and VLAN 250 WLAN 10.1.250.0/24.

See RST-3035, Advanced Enterprise Campus Design Alternatives: Routed Access and Virtual Switch System (VSS).

Agenda
1. Multilayer Campus Design Principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary

Diagram: Data Center, Services Block and Distribution Blocks attached to the core.

Summary
1. Offers hierarchy: each layer has a specific role
2. Modular topology building blocks
3. Easy to grow, understand, and troubleshoot
4. Creates small fault domains with clear demarcations and isolation
5. Promotes load balancing and redundancy
6. Promotes deterministic traffic patterns
7. Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strengths of both
8. Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control

Diagram: Access, Distribution, Core, Distribution and Access, with Layer 3 equal cost links between the layers; WAN, Data Center and Internet blocks.

Q and A


Recommended Reading
1. Continue your Cisco Networkers learning experience with further reading from Cisco Press
2. Check the Recommended Reading flyer for suggested books

Available onsite at the Cisco Company Store

Complete Your Session Evaluation
1. Please give us your feedback; your comments are important to us
2. Don't forget to complete the overall event evaluation form included in your registration kit
3. This is session BRKCAM-2001
