Housekeeping
1. Please turn off your mobile phones, blackberries and laptops
2. We value your feedback; don't forget to complete your session evaluation form and hand it to the room monitor / the materials pickup area at registration
3. Please remember this is a 'non-smoking' venue!
Enterprise-Class Availability
Resilient Campus Communication Fabric
Campus Systems Approach to High Availability
1. Network-level redundancy
2. System-level resiliency
3. Enhanced management
4. The human ear notices the difference in voice within 150 to 200 msec (10 consecutive G.711 packets lost)
5. Video loss is even more noticeable
6. 200 msec end-to-end campus convergence
Cisco Networkers Colombia 2008
Ultimate goal: 100%
Next-generation apps: video conferencing, unified messaging, global outsourcing, e-business, wireless ubiquity
Agenda
1. Multilayer Campus Design Principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary
[Figure: "Not This!!", a counterexample campus topology with Internet and PSTN connections]
Hierarchical Campus Building Block (Core, Distribution, Access)
Promotes load balancing and redundancy
Promotes deterministic traffic patterns
Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strengths of both
Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
Access Layer
Feature Rich Environment
1. It's not just about connectivity
2. Layer 2/Layer 3 feature rich environment: convergence, HA, application intelligence, security, QoS, IP multicast, etc.
3. Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping
4. Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, etc.
5. Cisco Catalyst integrated security features (CISF): IBNS (802.1x), port security, DHCP snooping, DAI, IPSG; deep packet inspection security
6. Automatic phone discovery, conditional trust boundary, Power over Ethernet, auxiliary VLAN, etc.
7. Spanning tree toolkit: PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, etc.
Distribution Layer
Policy, Convergence, QoS, and High Availability
1. Availability, load balancing, QoS and provisioning are the important considerations at this layer
2. Aggregates wiring closets (access layer) and uplinks to core
3. Protects core from high density peering and problems in access layer
4. Route summarization, fast convergence, redundant path load sharing
5. HSRP or GLBP to provide first hop redundancy
Core Layer
Scalability, High Availability, and Fast Convergence
1. Backbone for the network: connects network building blocks
2. Performance and stability vs. complexity: less is more in the core
3. Aggregation point for distribution layer
4. Separate core layer helps in scalability during future growth
5. Keep the design technology-independent
[Figure: Layer 3 core, Layer 3 between core and distribution, Layer 2 access; access VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24]
[Figure: core, Layer 2 at the distribution with a trunk between the distribution switches; access VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24 and VLAN 250 WLAN 10.1.250.0/24]
2008 Cisco Systems, Inc. All rights reserved.
[Figure: new concept, Virtual Switch System: VSS link between the distribution pair, Layer 3 point-to-point links to the core; access VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24 and VLAN 250 WLAN 10.1.250.0/24]
Virtual Switching System 1440 (VSS)
1. A Virtual Switching System consists of two Cisco Catalyst 6500 Series switches defined as members of the same virtual switch domain
2. Single control plane with dual active forwarding planes
3. Designed to increase forwarding capacity while increasing availability by eliminating STP loops
4. Reduced operational complexity by simplifying configuration
[Figure: virtual switch domain: Switch 1 and Switch 2 joined by the Virtual Switch Link]
[Figure: VSS architecture: the VSL connects the active supervisor in one chassis with the supervisor in the other; each supervisor has a PFC, SF and RP, with CFC or DFC line cards behind it. SF: Switch Fabric; RP: Route Processor; PFC: Policy Forwarding Card]
VSS-Router#show switch virtual redundancy
My Switch Id = 1
Peer Switch Id = 2
Switch 1 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = ACTIVE
<snip>
Configuration register = 0x2
Fabric State = ACTIVE
Control Plane State = ACTIVE
Switch 2 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = STANDBY HOT (switchover target)
<snip>
Configuration register = 0x2
Fabric State = ACTIVE
Control Plane State = STANDBY
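As an added example (not code from the deck), a small parser for the output above that checks the pair is in the expected ACTIVE / STANDBY HOT state; SAMPLE_OUTPUT re-types the deck's sample and DEGRADED_OUTPUT is a constructed variant:

```python
"""Parse 'show switch virtual redundancy' and check the VSS pair is healthy.
Added example, not code from the deck: SAMPLE_OUTPUT re-types the deck's own
sample (with its <snip> markers); DEGRADED_OUTPUT is a constructed variant."""
import re

SAMPLE_OUTPUT = """\
VSS-Router#show switch virtual redundancy
My Switch Id = 1
Peer Switch Id = 2
Switch 1 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = ACTIVE
<snip>
Configuration register = 0x2
Fabric State = ACTIVE
Control Plane State = ACTIVE
Switch 2 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = STANDBY HOT (switchover target)
<snip>
Configuration register = 0x2
Fabric State = ACTIVE
Control Plane State = STANDBY
"""

# Constructed: the peer has not finished coming up, so it is not a switchover target.
DEGRADED_OUTPUT = SAMPLE_OUTPUT.replace(
    "STANDBY HOT (switchover target)", "STANDBY COLD").replace(
    "Control Plane State = STANDBY", "Control Plane State = INITIALIZING")

_ID_RE = re.compile(r"^(My|Peer) Switch Id = (\d+)$")
_SECTION_RE = re.compile(r"^Switch (\d+) Slot (\d+) Processor Information")
_FIELD_RE = re.compile(
    r"^(Current Software state|Configuration register|Fabric State|Control Plane State) = (.+)$")


def parse_virtual_redundancy(text):
    """Return {'my_id', 'peer_id', 'members': {switch id: {field: value, 'slot': n}}}."""
    info = {"my_id": None, "peer_id": None, "members": {}}
    current = None  # the per-switch dict that following field lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = _ID_RE.match(line)
        if m:
            info["my_id" if m.group(1) == "My" else "peer_id"] = int(m.group(2))
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = info["members"].setdefault(
                int(m.group(1)), {"slot": int(m.group(2))})
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return info


def vss_health(info):
    """Healthy means: exactly one member ACTIVE with control plane ACTIVE, the
    other STANDBY HOT with control plane STANDBY, and every fabric ACTIVE.
    Returns (ok, findings)."""
    findings = []
    members = info["members"]
    if set(members) != {info["my_id"], info["peer_id"]}:
        findings.append("member sections do not match My/Peer switch ids")
    for sid, m in sorted(members.items()):
        state = m.get("Current Software state", "?")
        cp = m.get("Control Plane State", "?")
        if state == "ACTIVE":
            if cp != "ACTIVE":
                findings.append(f"switch {sid}: ACTIVE but control plane is {cp}")
        elif state.startswith("STANDBY HOT"):
            if cp != "STANDBY":
                findings.append(f"switch {sid}: STANDBY HOT but control plane is {cp}")
        else:
            findings.append(f"switch {sid}: state '{state}' is not a valid switchover target")
        if m.get("Fabric State") != "ACTIVE":
            findings.append(f"switch {sid}: fabric state {m.get('Fabric State')}")
    actives = [m.get("Current Software state") for m in members.values()].count("ACTIVE")
    if actives != 1:
        findings.append(f"expected exactly one ACTIVE member, found {actives}")
    return not findings, findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        ok, findings = vss_health(parse_virtual_redundancy(text))
        print(name, "OK" if ok else "DEGRADED", findings)
```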
[Figure: Multichassis EtherChannel (MEC), physical topology and logical topology; at Layer 2, VLAN 30 without MEC (non-MEC) compared with VLAN 30 with MEC]
Agenda: 2. Foundation Services
Foundation Services
1. Layer 1 physical things
2. Layer 2 redundancy: spanning tree
3. Layer 3 routing protocols
4. Trunking protocols (ISL/.1q)
5. Unidirectional link detection
6. Load balancing
[Figure: foundation services on the campus block: Spanning Tree, Trunking, Routing, HSRP/GLBP, EtherChannel link aggregation, CEF equal cost load balancing]
Layer 1 physical things
2. Use fiber for best convergence (debounce timer)
3. Tune carrier delay timer
4. Use configuration on the physical interface, not the VLAN/SVI, when possible
21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down
21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down
21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down
21:32:48.069 UTC: IP-EIGRP(Default-IP-RoutingTable:100): Callback: route, adjust Vlan301
Layer 2 Loops
Topology with VLAN 10, VLAN 20 and VLAN 30 each on a single access switch:
1. Each access switch has unique VLANs
2. No Layer 2 loops
3. Layer 3 link between distribution switches
4. No blocked links
Topology with VLAN 30 spanning all access switches:
1. At least some VLANs span multiple access switches
2. Layer 2 loops
3. Layer 2 and 3 running over the link between distribution switches
4. Blocked links
Optimizing L2 Convergence
PVST+, Rapid PVST+ or MST
1. Rapid PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link up
2. Rapid PVST+ also greatly improves convergence time over BackboneFast for any indirect link failures
3. PVST+ (802.1d): traditional spanning tree implementation
5. MST (802.1s): permits very large scale STP implementations (~30,000 logical ports); not as flexible as Rapid PVST+
[Chart: Time to Restore Data Flows (sec), upstream and downstream, PVST+ vs Rapid PVST+]
Layer 2 Hardening
Spanning Tree Should Behave the Way You Expect
1. Place the root where you want it (root primary/secondary macro)
[Figure: STP root at the distribution layer, with LoopGuard and UplinkFast]
[Figure: Model A and Model B, distribution switches with redundant equal-cost Layer 3 links to the core]
1. Layer 3 redundant equal cost links support fast convergence
2. Hardware based: fast recovery to remaining path
3. Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path)
Routing Updates
Routing updates between distribution and access, EIGRP example (passive-interface):
Router(config)# router eigrp 1
Router(config-router)# passive-interface Vlan 99

Router(config)# router eigrp 1
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface Vlan 99
Route Summarization
[Figure: access subnets 10.1.1.0/24 and 10.1.2.0/24; the distribution switches advertise Summary: 10.1.0.0/16 to the core]
3. Summarizing requires a link between the distribution switches
4. Alternative design: use the access layer for transit
[Figure: what if the link to the core fails? With a single path to the core, traffic from access switches A and B is dropped with no route to the core]
4. Install a redundant link to the core
5. Best practice: install a redundant link to the core and utilize a L3 link between the distribution layer switches
[Figure: 10.10.0.0/16 at the core, with 10.10.0.0/17 and 10.10.128.0/17 below it at the distribution]
[Figure: OSPF areas: Area 0 in the core; Area 100, Area 110 and Area 120 in the distribution blocks; WAN, Data Center and Internet blocks]
[Figure: CEF load sharing ("simple"): 30% of flows on one path and 70% of flows on the other]
CEF Load Balancing
1. CEF polarization: without some tuning, CEF will select the same path left/left or right/right
2. Imbalance/overload could occur
3. Redundant paths are ignored/underutilized
4. The default CEF hash input is L3
[Figure: the core, with the default L3 hash, sends flows left (L) or right (R); the next tier, hashing the same inputs the same way, picks the same side again]
5. We can change the default to use L3 + L4 information as input to the hash derivation
1. The default works for Sup720/32 and the latest hardware (a unique ID is added to the default hash input); however, depending on IP addressing and flows, imbalance could occur
2. Alternating the L3/L4 hash and the L3 hash will give us the best load balancing results
3. Use "simple" in the core and "full simple" in the distribution to add L4 information to the algorithm at the distribution and maintain differentiation tier-to-tier
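A two-tier model of the polarization just described, added here as an example (not the deck's code): toy parity hashes and constructed flows show that with the same L3 hash at both tiers each distribution switch only ever uses one uplink, and that adding L4 information at the second tier puts every uplink to work. The per-switch unique ID of newer supervisors is not modelled.

```python
"""Two-tier ECMP model of CEF polarization (core, then distribution).
Added example, not code from the deck. The hash functions are toy stand-ins
for the hardware hash (parity of the summed fields), chosen so the outcome
can be checked by hand; the effect they show does not depend on hash quality,
only on both tiers applying the SAME function to the SAME inputs."""
import ipaddress
from collections import defaultdict


def l3_hash(flow):
    """Default-style hash over source and destination IP: 0 = left, 1 = right."""
    src = int(ipaddress.IPv4Address(flow["src"]))
    dst = int(ipaddress.IPv4Address(flow["dst"]))
    return (src + dst) % 2


def l3l4_hash(flow):
    """'full simple' style hash: L3 plus the L4 ports."""
    return (l3_hash(flow) + flow["sport"] + flow["dport"]) % 2


def forward(flows, core_hash, dist_hash):
    """The core picks one of two distribution switches with core_hash; that
    switch then picks one of its two uplinks with dist_hash on the same packet.
    Returns {distribution switch: {uplink: number of flows}}."""
    usage = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        dist_switch = core_hash(flow)
        uplink = dist_hash(flow)
        usage[dist_switch][uplink] += 1
    return {d: dict(u) for d, u in usage.items()}


def idle_uplinks(usage):
    """Uplinks that never carry a flow: the symptom the slide describes."""
    return sorted((d, u) for d in usage for u in (0, 1) if u not in usage[d])


# Constructed flows: eight clients on 10.1.20.0/24 talking to one voice server,
# with source and destination ports chosen to cover every parity combination.
FLOWS = [
    {"src": f"10.1.20.{10 + i}", "dst": "10.1.120.5",
     "sport": 50000 + i, "dport": [80, 80, 443, 443, 5060, 5060, 8443, 8443][i]}
    for i in range(8)
]


def compare():
    """Return (idle uplinks with L3 at both tiers,
               idle uplinks with L3 in the core and L3+L4 in the distribution)."""
    polarized = forward(FLOWS, l3_hash, l3_hash)
    tuned = forward(FLOWS, l3_hash, l3l4_hash)
    return idle_uplinks(polarized), idle_uplinks(tuned)


if __name__ == "__main__":
    same_hash, mixed_hash = compare()
    print("L3/L3 idle uplinks:   ", same_hash)    # [(0, 1), (1, 0)]
    print("L3/L3+L4 idle uplinks:", mixed_hash)   # []
```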
802.1q Trunks / VTP
[Figure: a VTP server sets VLAN 50; a switch in VTP transparent mode passes the update on without acting on it; VTP clients learn VLAN 50 ("Ok, I just learnt VLAN 50!"); a switch with VTP off drops VTP updates]
[Figure: DTP trunk negotiation: On/On forms a trunk, Auto/Desirable forms a trunk, Off/Off forms no trunk]
[Chart: time to converge in seconds (0 to 2.5) for voice and data, trunking desirable vs trunking nonegotiate]
Trunking/VTP/DTP Quick Summary
1. VTP transparent should be used; there is a trade-off between administrative overhead and the temptation to span existing VLANs across multiple access layer switches
2. Emerging technologies that do VLAN assignment by name (IBNS, NAC, etc.) require a unique VLAN database per access layer switch if the rule "a VLAN = a subnet = an access layer switch" is going to be followed
3. One can consider a configuration that uses DTP ON/ON and NO NEGOTIATE; there is a trade-off between performance/HA impact and maintenance and operations implications
4. An ON/ON and NO NEGOTIATE configuration is faster from a link-up (restoration) perspective than a desirable/desirable alternative. However, in this configuration DTP is not actively monitoring the state of the trunk and a misconfigured trunk is not easily identified.
5. It's really a balance between fast convergence and your ability to manage configuration and change control
Unidirectional Link Detection (UDLD)
2. Use UDLD aggressive mode for best protection
3. Turn it on in global configuration to avoid operational errors/misses
4. Config example (Cisco IOS):
udld aggressive
[Figure: UDLD on the campus fiber interconnections and Layer 3 equal-cost links]
1. Timers are the same: 15-second hellos by default
2. Aggressive mode: after aging on a previously bidirectional link, tries 8 times (once per second) to re-establish the connection, then err-disables the port
3. UDLD normal mode: only err-disables the end where UDLD detected the problem; the other end just sees the link go down
4. UDLD aggressive: err-disables BOTH ends of the connection, because each end err-disables when aging and re-establishment of UDLD communication fails
Understanding EtherChannel
Link Negotiation Options: PAgP and LACP
PAgP (Packet Aggregation Protocol):
On/On: channel
On/Off: no channel
Auto/Desirable: channel
Off/On, Auto or Desirable: no channel
On: always be a channel/bundle member; Desirable: ask if the other side can/will; Auto: if the other side asks, I will; Off: don't become a member of a channel/bundle
LACP (Link Aggregation Protocol):
On/On: channel
On/Off: no channel
Active/Passive: channel
Passive/Passive: no channel
On: always be a channel/bundle member; Active: ask if the other side can/will; Passive: if the other side asks, I will; Off: don't become a member of a channel/bundle
2. EtherChannels allow you to reduce peers by creating a single logical interface to peer over
3. On single link failure in a bundle:
OSPF running on an IOS-based switch will reduce link cost and re-route traffic
OSPF running on a hybrid switch will not change link cost and may overload remaining links
EIGRP may not change link cost and may overload remaining links
2. EtherChannels allow you to reduce peers by creating a single logical interface to peer over
3. However, a single link failure is not taken into consideration by routing protocols; overload is possible
4. Single 10-Gigabit links address both problems: increased bandwidth without increasing complexity or compromising the routing protocol's ability to select the best path
EtherChannels Quick Summary
1. For Layer 2 EtherChannels: Desirable/Desirable is the recommended configuration so that PAgP is running across all members of the bundle, ensuring that an individual link failure will not result in an STP failure
2. For Layer 3 EtherChannels: one can consider a configuration that uses ON/ON. There is a trade-off between performance/HA impact and maintenance and operations implications.
3. An ON/ON configuration is faster from a link-up (restoration) perspective than a Desirable/Desirable alternative. However, in this configuration PAgP is not actively monitoring the state of the bundle members and a misconfigured bundle is not easily identified.
4. Routing protocols may not have visibility into the state of an individual member of a bundle. LACP and the minimum links option can be used to bring the entire bundle down when the capacity is diminished. OSPF has visibility to member loss (best practices pending investigation); EIGRP does not.
5. When used to increase bandwidth: no individual flow can go faster than the speed of an individual member of the link
6. Best used to eliminate single points of failure (i.e. link or port dependencies) from a topology
First Hop Redundancy: VRRP and HSRP
1. A group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address
2. One (master) router performs packet forwarding for local hosts
3. The rest of the routers act as backup in case the master router fails
4. Backup routers stay idle as far as packet forwarding from the client side is concerned
[Figure: VRRP: R1 ACTIVE with IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.5e00.0101; R2 BACKUP with IP 10.0.0.253, MAC 0000.0C78.9abc. HSRP: R1 active, R2 STANDBY with IP 10.0.0.253, MAC 0000.0C78.9abc]
Without preempt delay, HSRP can go active before the box is completely ready to forward traffic: L1 (boards), L2 (STP), L3 (IGP convergence)
standby 1 preempt delay minimum 180
[Figure: GLBP: hosts 10.0.0.1 (MAC aaaa.aaaa.aa01), 10.0.0.2 (MAC aaaa.aaaa.aa02) and 10.0.0.3 (MAC aaaa.aaaa.aa03) all use GW 10.0.0.10, yet their ARP replies return 0007.B400.0101, 0007.B400.0102 and 0007.B400.0101 respectively]
[Figure: host A (.5) ARPs for vIP 10.88.1.10 and gets MAC 0000.0000.0001 in the ARP reply; routers R1 and R2 (.2 and .4)]
[Chart: loss with VRRP, HSRP and GLBP (longest, shortest, average); 50% of flows have ZERO loss with GLBP; GLBP is 50% better]
[Figure: Cisco IOS high availability infrastructure on the Catalyst 6500: network-optimized microkernel, fault tolerant, management throughout, Catalyst 6500 data plane; benefits: high availability infrastructure, etc.]
GOLD (Generic Online Diagnostics)
[Figure: GOLD loopback test across the forwarding engine on the active supervisor, the standby supervisor and a line card; an interface down event is handled by EEM and GOLD]
2. Other types of diagnostic tests, including memory and error correlation tests, are also available
Call Home (IOS 12.2(33)SXH)
[Figure: the customer switch sends Call Home messages over a secure transport across the Internet to Cisco TAC and the Call Home DB; messages received: diagnostics, environmental, syslog, inventory and configuration]
Enables Cisco Catalyst switches to send diagnostic information directly to Cisco TAC; significantly reduces the time to solve minor hardware problems and the RMA cycle
Agenda: 3. Campus Design Best Practices
[Figure: core (Layer 3); Distribution-A and Distribution-B connected by a Layer 3 link; Layer 2 access with VLAN 2 on Access-a, Access-n and Access-c]
2. If you use modular (chassis-based) switches, these problems are not a concern
[Figure: 3750-E pair with HSRP active and HSRP standby, Layer 3, both forwarding]
[Figure: core hellos; Access-a VLAN 2 forwarding (F), Access-b VLAN 2 blocking (B). Traffic dropped until transition to forwarding: as much as 50 seconds; traffic dropped until MaxAge expires, then listening and learning]
[Figure: STP root and HSRP active at the distribution; core hellos; Access-a VLAN 2 and Access-b VLAN 2, F: Forwarding, B: Blocking. BackboneFast limits the time (30 seconds); HSRP active until event #2 (temporarily); even with Rapid PVST+, at least one second before event #2; MaxAge seconds before failure is detected, then listening and learning]
1. The blocking link on access-b will take 50 seconds to move to forwarding: traffic black hole until HSRP goes active on the standby HSRP peer
2. After MaxAge expires (or BackboneFast or Rapid PVST+ converges), HSRP preempt causes another transition
3. Access-b is used as transit for access-a's traffic
[Figure: core hellos; Access-a VLAN 2 and Access-b VLAN 2, F: Forwarding, B: Blocking. 802.1d: up to 50 seconds; PVST+: BackboneFast 30 seconds; Rapid PVST+: addressed by the protocol (one second)]
1. The blocking link on access-b will take 50 seconds to move to forwarding: return traffic black hole until then
[Figure: VLAN 2 spanning every access switch, compared with VLAN 4, VLAN 5 and VLAN 2 each confined to one access switch]
Agenda: 4. IP Telephony Considerations
2. Distribution layer: high availability, redundancy, fast convergence; policy enforcement; QoS: scheduling, trust boundary and classification
3. Core: high availability, redundancy, fast convergence; QoS: scheduling, trust boundary
Infrastructure Integration
Extending the Network Edge
[Figure: the switch detects the IP phone and applies power; CDP transaction between phone and switch; IP phone placed in the proper VLAN; DHCP request and CallManager registration]
1. The phone contains a three-port switch that is configured in conjunction with the access switch and CallManager: power negotiation, VLAN configuration, 802.1x interoperation, QoS configuration, DHCP and CallManager registration
Power Negotiation
[Figure: the phone transmits a CDP power negotiation packet listing its power mode; the switch sends a CDP response with a power request based on the capabilities exchanged; the final power allocation is determined]
1. Using a bidirectional CDP exchange, exact power requirements are negotiated after initial power-on
1. During the initial CDP exchange the phone is configured with a Voice VLAN ID (VVID)
2. The phone is also supplied with QoS configuration via CDP TLV fields
3. Additionally, the switch port currently bypasses 802.1x authentication for the VVID if it detects a Cisco phone
Agenda: 5. QoS Considerations
[Figure: 1 Gig link from the distribution switch to the access switch, packets queued at the slower egress]
1 Gig in, 100 Meg out: packets serialize in faster than they serialize out; packets are queued as they wait to serialize out the slower link
100 Meg in, 128 Kb/s out: packets serialize in faster than they serialize out; packets are queued as they wait to serialize out the slower link
Access port QoS configuration example:
!
interface FastEthernet1/0/21
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
end
Protocol Discovery
Discover what applications are running on your network and provide real-time statistics
Per-interface, per-protocol, bidirectional statistics: bit rate (bps), packet count, byte count
SNMP accessible for centralized monitoring
Supported by partner products (Concord|CA, InfoVista, Micromuse|IBM) and MRTG
[Chart: link utilization by application: Voice, P2P, Bulk, Interactive Video]
Agenda: 6. Security Considerations
End-to-End Security
[Figure: security applied across the whole campus, from the access layer through distribution and core to the WAN and Internet]
For more details, see the BRKSEC-2002 session, Understanding and Preventing Layer 2 Attacks
MAC Flooding and Port Security
PROBLEM: script kiddie hacking tools enable attackers to flood switch CAM tables with bogus MACs, turning the VLAN into a hub and eliminating privacy; the switch CAM table limit is a finite number of MAC addresses
SOLUTION: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap
switchport port-security
switchport port-security maximum 10
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
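The port-security behaviour configured above, modelled as an added example (not the deck's code): a constructed 50-address flood against a port limited to 10 secure MACs is dropped and trapped once the limit is reached, and inactivity aging later frees the slots the bogus addresses held.

```python
"""Model of the port-security configuration above (maximum 10, violation
restrict, aging time 2, aging type inactivity) on one access port.
Added example, not code from the deck; the frame stream is constructed."""
from collections import OrderedDict


class PortSecurity:
    def __init__(self, maximum=10, aging_minutes=2):
        self.maximum = maximum
        self.aging = aging_minutes * 60     # inactivity timer in seconds
        self.secure = OrderedDict()         # secure MAC -> last time seen (s)
        self.violations = 0
        self.traps = []                     # (time, mac) for each SNMP trap sent

    def _age(self, now):
        """Inactivity aging: forget secure MACs silent for longer than the timer."""
        for mac in list(self.secure):
            if now - self.secure[mac] > self.aging:
                del self.secure[mac]

    def frame(self, src_mac, now):
        """Process one ingress frame at time now (s); returns 'forward' or 'drop'."""
        self._age(now)
        if src_mac in self.secure:
            self.secure[src_mac] = now
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = now      # learn a new secure address
            return "forward"
        # violation restrict: drop the frame, count it, send a trap, keep the port up
        self.violations += 1
        self.traps.append((now, src_mac))
        return "drop"


PC, PHONE = "0011.2233.4455", "0011.2233.4466"
BOGUS = [f"dead.beef.{i:04x}" for i in range(50)]

# Constructed timeline: PC and phone come up; a 50-MAC flood arrives at one MAC
# per second from t=10; the PC keeps talking every minute; the phone speaks
# again at t=260, after the inactivity timer has cleared the bogus entries.
FRAMES = sorted(
    [(0, PC), (1, PHONE)]
    + [(10 + i, mac) for i, mac in enumerate(BOGUS)]
    + [(60, PC), (120, PC), (180, PC), (240, PC), (260, PHONE)]
)


def run(frames=FRAMES, maximum=10, aging_minutes=2):
    """Replay frames through one port; returns (port, list of verdicts)."""
    port = PortSecurity(maximum, aging_minutes)
    verdicts = [port.frame(mac, t) for t, mac in frames]
    return port, verdicts


if __name__ == "__main__":
    port, verdicts = run()
    print(verdicts.count("drop"), "frames dropped,", port.violations, "violations")
    print("secure table at the end:", list(port.secure))   # PC and phone only
```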
DHCP Snooping
Protection Against Rogue/Malicious DHCP Server
[Figure: a client's DHCP request travels through the switch to the DHCP server; a bogus DHCP response is also shown]
1. DHCP requests (discover) and responses (offer) are tracked
2. Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
3. Deny responses (offers) on non-trusted interfaces; stops malicious or errant DHCP servers
IP Source Guard
Protection Against Spoofed IP Addresses
1. IP source guard protects against spoofed IP addresses
2. Uses the DHCP snooping binding table
3. Tracks IP address to port associations
4. Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP
[Figure: gateway 10.1.1.1 (MAC A); attacker 10.1.1.25 claims "Hey, I'm 10.1.1.50!"; victim 10.1.1.50]
Catalyst Integrated Security Features Summary
1. Port security prevents MAC flooding attacks
2. DHCP snooping prevents client attacks on the switch and server
3. Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
4. IP source guard adds security to the IP source address using the DHCP snooping table
Configuration summary:
switchport port-security aging time 2
switchport port-security aging type inactivity
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source vlan dhcp-snooping
!
interface gigabit1/1
 ip dhcp snooping trust
 ip arp inspection trust
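How the DHCP snooping binding table feeds Dynamic ARP Inspection and IP Source Guard, and how the rate limits above take an abusive port out of service, as an added example (not the deck's code); the port names, MAC addresses and scenario are constructed around the slides' gateway 10.1.1.1, attacker 10.1.1.25 and victim 10.1.1.50:

```python
"""Model of the DHCP snooping binding table and its consumers, Dynamic ARP
Inspection (DAI) and IP Source Guard (IPSG), with the rate limits from the
configuration above. Added example, not code from the deck; ports, MACs and
the scenario are constructed around the slides' addresses."""
from collections import defaultdict


class AccessSwitch:
    def __init__(self, trusted_ports, dhcp_rate=100, arp_rate=100):
        self.trusted = set(trusted_ports)                    # e.g. the uplink
        self.limits = {"dhcp": dhcp_rate, "arp": arp_rate}   # packets per second
        self.pending = {}     # client MAC -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}    # port -> {(mac, ip)} learned from DHCP ACKs
        self.errdisabled = set()
        self.counters = defaultdict(int)                     # (port, kind, second) -> count
        self.log = []

    def _allowed(self, port, kind, now):
        """Rate limit on untrusted ports; exceeding it err-disables the port."""
        if port in self.errdisabled:
            return False
        if port in self.trusted:
            return True
        key = (port, kind, int(now))
        self.counters[key] += 1
        if self.counters[key] > self.limits[kind]:
            self.errdisabled.add(port)
            self.log.append(f"{port} err-disabled: {kind} rate limit exceeded")
            return False
        return True

    def dhcp_client(self, port, mac, now=0):
        """DISCOVER/REQUEST from a client: remember which port asked."""
        if not self._allowed(port, "dhcp", now):
            return "drop"
        self.pending[mac] = port
        return "forward"

    def dhcp_server(self, port, kind, client_mac, yiaddr):
        """OFFER/ACK: only trusted ports may source server messages; an ACK
        creates the (MAC, IP) binding on the port that sent the request."""
        if port not in self.trusted:
            self.log.append(f"dropped DHCP {kind} from untrusted {port}")
            return "drop"
        if kind == "ack" and client_mac in self.pending:
            self.bindings.setdefault(self.pending[client_mac], set()).add((client_mac, yiaddr))
        return "forward"

    def _bound(self, port, mac, ip):
        return port in self.trusted or (mac, ip) in self.bindings.get(port, set())

    def ip_packet(self, port, src_mac, src_ip):
        """IPSG: the dynamic port ACL only permits the DHCP-assigned source."""
        if port in self.errdisabled:
            return "drop"
        if self._bound(port, src_mac, src_ip):
            return "forward"
        self.log.append(f"IPSG dropped {src_ip}/{src_mac} on {port}")
        return "drop"

    def arp(self, port, sender_mac, sender_ip, now=0):
        """DAI: sender MAC/IP must match a binding unless the port is trusted."""
        if not self._allowed(port, "arp", now):
            return "drop"
        if self._bound(port, sender_mac, sender_ip):
            return "forward"
        self.log.append(f"DAI dropped ARP {sender_ip} is-at {sender_mac} on {port}")
        return "drop"


VICTIM, ATTACKER, GATEWAY = "0000.0000.0050", "0000.0000.0025", "0000.0000.00aa"


def scenario():
    """Constructed: gateway 10.1.1.1 and the DHCP server behind trusted uplink
    Gi1/1, victim on Gi1/0/2, attacker on Gi1/0/3. Returns (switch, verdicts)."""
    sw = AccessSwitch(trusted_ports={"Gi1/1"})
    sw.dhcp_client("Gi1/0/2", VICTIM)
    sw.dhcp_server("Gi1/1", "ack", VICTIM, "10.1.1.50")
    sw.dhcp_client("Gi1/0/3", ATTACKER)
    sw.dhcp_server("Gi1/1", "ack", ATTACKER, "10.1.1.25")
    verdicts = {
        "victim_ip": sw.ip_packet("Gi1/0/2", VICTIM, "10.1.1.50"),
        "spoofed_ip": sw.ip_packet("Gi1/0/3", ATTACKER, "10.1.1.50"),  # "Hey, I'm 10.1.1.50!"
        "gateway_arp": sw.arp("Gi1/1", GATEWAY, "10.1.1.1"),
        "spoofed_gateway_arp": sw.arp("Gi1/0/3", ATTACKER, "10.1.1.1"),
        "rogue_offer": sw.dhcp_server("Gi1/0/3", "offer", VICTIM, "10.1.1.99"),
    }
    for _ in range(150):   # 150 ARPs within one second trips the limit of 100 per second
        sw.arp("Gi1/0/3", ATTACKER, "10.1.1.25", now=5)
    verdicts["attacker_port_errdisabled"] = "Gi1/0/3" in sw.errdisabled
    return sw, verdicts
```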
[Figure: Flexible Packet Matching (FPM): match a bit pattern in the packet using And/Or/Not logic; see Cisco.com/go/fpm]
Agenda: 7. Putting It All Together
Hierarchical Campus
[Figure: access, distribution and core layers with WAN, Data Center and Internet blocks]
[Figure, as shown earlier: Layer 3 core and distribution, Layer 2 access with VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24]
[Figure, as shown earlier: Layer 2 at the distribution with a trunk between the distribution switches; access VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24 and VLAN 250 WLAN 10.1.250.0/24]
[Figure, as shown earlier: new concept, Virtual Switch System with a VSS link between the distribution pair and Layer 3 point-to-point links to the core; access VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24 and VLAN 250 WLAN 10.1.250.0/24]
See RST-3035, Advanced Enterprise Campus Design Alternatives: Routed Access and Virtual Switch System (VSS)
Agenda: 8. Summary
Summary
1. Offers hierarchy: each layer has a specific role
2. Modular topology building blocks
3. Easy to grow, understand, and troubleshoot
4. Creates small fault domains: clear demarcations and isolation
5. Promotes load balancing and redundancy
6. Promotes deterministic traffic patterns
7. Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strengths of both
8. Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
Q and A

Recommended Reading
1. Continue your Cisco Networkers learning experience with further reading from Cisco Press
2. Check the Recommended Reading flyer for suggested books