BRKCRS 2663

Next Generation Campus Architectures
BRKCRS-2663
BRKCRS-2663
2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Enterprise-Class Availability
Resilient Campus Communication Fabric
Network-level redundancy System-level resiliency
Ultimate Goal..100%
Next-Generation Apps Video Conf., Unified Messaging, Global Outsourcing, E-Business, Wireless Ubiquity Mission Critical Apps. Databases, Order-Entry, CRM, ERP
Operational resiliency
Human ear notices the difference in voice within 150 200 msec Video loss is even more noticeable 200-msec end-to-end campus convergence
BRKCRS-2663
Desktop Apps E-mail, File and Print
APPLICATIONS DRIVE REQUIREMENTS FOR HIGH AVAILABILITY NETWORKING
Cisco Public
Agenda
Multilayer Campus Design Principles
Data Centre Services Block
Foundation Services
Campus Design Best Practices
Si
Si
Virtualisation techniques
Security considerations Whats next. Summary
BRKCRS-2663
Si
Si
Si
Si
Si
Si
Si
Si
Distribution Blocks
2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
High-Availability Campus Design

Structure, Modularity, and Hierarchy
Access Distribution
Si Si Si Si Si Si
Core Distribution
Access
BRKCRS-2663
Si Si
Si
Si
Si
Si
Si
Si
WAN
Data Centre
Cisco Public
Internet
5
Hierarchical Network Design

Without a Rock Solid Foundation the Rest Doesnt Matter
Offers hierarchy - each layer has specific role Modular topology - building blocks Easy to grow, understand, and troubleshoot Creates small fault domains - clear demarcations and isolation
Si Si
Building Block
Access
Distribution Core
Distribution Access
BRKCRS-2663
Promotes load balancing and redundancy

Promotes deterministic traffic patterns Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
Si Si
Si
Si
Utilises Layer 3 routing for load balancing, fast convergence, scalability, and control
Hierarchical Campus Network

Structure, modularity and hierarchy
Not This!!
Si Si Si
Si
Si
Si
Si Si Si
Si
Si
Si
Server Farm
WAN
BRKCRS-2663 2013 Cisco and/or its affiliates. All rights reserved.
Internet
Cisco Public
PSTN
7
Access Layer
Feature rich environment
Its not just about connectivity Layer 2/Layer 3 feature rich environment: convergence, HA, security, multicast Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, etc. Cisco Catalyst integrated security features IBNS (802.1x), (CISF): port security, DHCP snooping, DAI, IPSG, etc. Automatic phone discovery, conditional trust boundary, PoE, auxiliary VLAN, etc. Spanning tree toolkit: PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, etc.
Core
Si Si
Si
Si
Distribution
Access
BRKCRS-2663
Cisco Public
Distribution Layer
Policy, convergence, QoS and high availability
Availability, load balancing, QoS and provisioning are the important considerations at this layer Aggregates wiring closets (access layer) and uplinks to core Protects core from high density peering and problems in access layer Route summarisation, fast convergence, redundant path load sharing HSRP or GLBP to provide first hop redundancy
Si Si
Core
Si Si
Distribution
Access
BRKCRS-2663
Cisco Public
Core Layer
Scalability, high availability and fast convergence
Backbone for the networkconnects network building blocks Performance and stability vs. complexity less is more in the core Aggregation point for distribution layer
Si Si
Core
Distribution
Si Si
Separate core layer helps in scalability during future growth

Keep the design technologyindependent
Access
BRKCRS-2663
Cisco Public
10
Do I Need a Core Layer?

Its really a question of scale, complexity and convergence
No Core Fully-meshed distribution layers
Physical cabling requirement

Routing complexity
Second Building Block 4 New Links
4th Building Block 12 New Links 24 Links Total 7 IGP Neighbours
3rd Building Block 8 New Links 12 Links Total 5 IGP Neighbours
BRKCRS-2663
Cisco Public
Do I Need a Core Layer?

Its really a question of scale, complexity and convergence
Dedicated Core Switches
Easier to add a module Fewer links in the core Easier bandwidth upgrade Routing protocol peering reduced Equal cost Layer 3 links for best convergence
2nd Building Block 8 New Links
4th Building Block 4 New Links 16 Links Total

3 IGP Neighbours
3rd Building Block 4 New Links 12 Links Total

3 IGP Neighbours
BRKCRS-2663
Cisco Public
Design Alternatives Within a Building Block Layer 2 Access Routed Access Virtual Switching System
Access Distribution
Si Si Si Si
Core Distribution
Access
BRKCRS-2663
Si Si
Si
Si
Si
Si
Si
Si
WAN
Data Centre
Cisco Public
Internet
13
Layer 3 Distribution Interconnection

Layer 2 Access No VLANs span access layer
Tune CEF load balancing Summarise routes towards core Limit redundant IGP peering STP Root and HSRP primary tuning or GLBP to load balance on uplinks Set trunk mode on/no-negotiate Disable EtherChannel unless needed Set port host on access layer ports:
Disable trunking Disable EtherChannel Enable PortFast
Si Si
Core
Layer 3
Si
Point-toPoint Link
Si
Distribution
RootGuard or BPDU-Guard Use security features
VLAN 20 Data 10.1.20.0/24 VLAN 120 Voice 10.1.120.0/24
Access
BRKCRS-2663
Cisco Public
14
Layer 2 Distribution Interconnection

Layer 2 Access Some VLANs span access layer
Tune CEF load balancing Summarise routes towards core Limit redundant IGP peering STP Root and HSRP primary or GLBP and STP port cost tuning to load balance on uplinks Set trunk mode on/no-negotiate Disable EtherChannel unless needed RootGuard on downlinks LoopGuard on uplinks Set port host on access layer ports:
Disable trunking Disable EtherChannel Enable PortFast
Si Si
Core
Layer 2
Si Si
Trunk
Distribution
RootGuard or BPDU-Guard Use security features

BRKCRS-2663
VLAN 250 WLAN 10.1.250.0/24
Access
Cisco Public
15
Routed Access and VSS

Evolutions and improvements to existing designs
Si Si Si Si
Core
Layer 3
Si
VSS
Si
P-to-P Link
Distribution
VLAN 20 Data VLAN 40 Data VLAN 120 Voice AN 40 Data VLAN 140 Voice 10.1.120.0/24 10.1.40.0/24 VLAN 250 WLAN 10.1.140.0/24 10.1.250.0/24
Access
BRKCRS-2663
Cisco Public
16
Agenda
Foundation Services
Si
Si
BRKCRS-2663
Si Si Si Si
Si
Si
Si
Si
Distribution Blocks
Foundation Services
Layer 1 physical things Layer 2 redundancy spanning tree Layer 3 routing protocols Trunking protocols(ISL/.1q) Unidirectional link detection Load balancing
EtherChannel link aggregation CEF equal cost load balancing
HSRP Routing
Cisco Public
First hop redundancy protocols

VRRP, HSRP, and GLBP
Spanning Tree
18
Best Practices
Layer 1 Physical Things
Use point-to-point interconnectionsno L2 aggregation points between nodes Use fibre for best convergence
Si
Si
Si
Si
Si
Si
Layer 3 Equal Cost Links
Si
Si
Tune carrier delay timer

Use configuration on the physical interface not VLAN/SVI when possible
BRKCRS-2663
Si
Si Si Si
Si
Si
WAN
Data Centre
Internet
Cisco Public
19
Redundancy and Protocol Interaction

Link Neighbour Failure Detection
Indirect link failures are harder to detect

With no direct HW notification of link loss or topology change convergence times are dependent on SW notification Indirect failure events in a bridged environment are detected by spanning tree hellos You should not be using hubs in a highavailability design
Hellos
Si
Si
Hub
Si
BPDUs
Si
Si
Hub
Si
Cisco Public
20

Link redundancy and failure detection
Direct point-to-point fibre provides for fast failure detection

Do not disable auto-negotiation on GigE and 10GigE interfaces
Cisco IOS Throttling: Carrier Delay Timer
Linecard Throttling: Debounce Timer
The default debounce timer on GigE and 10GigE fibre linecards is 10 msec The minimum debounce for copper is 300 msec
Si
1 1
Remote IEEE Fault Detection Mechanism
Cisco Public
Si
BRKCRS-2663
21

Layer 2 and 3 Why use routed interfaces over SVIs?
Configuring L3 routed interfaces provides for faster convergence than an L2 switch port with an associated L3 SVI
L3
Si Si Si
L2 SVI
Si
1. Link Down 2. Interface Down 3. Routing Update
~ 8 msec loss
21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down 21:38:37.050 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down 21:38:37.050 UTC: IP-EIGRP(Default-IP-RoutingTable:100): Callback: route_adjust GigabitEthernet3/1
BRKCRS-2663
~ 150200 msec loss
1. 2. 3. 4. 5.
Link Down Interface Down Autostate SVI Down Routing Update
21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down 21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down 21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down 21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route, adjust Vlan301
Cisco Public
Best Practices
Spanning Tree Configuration
Same VLAN
Same VLAN Same VLAN
Only span VLAN across multiple access layer switches when you have to! Use Rapid PVST+ Required to protect against operational accidents (misconfiguration or hardware failure) Take advantage of the spanning tree toolkit
BRKCRS-2663
Layer 2 Loops
Si Si Si Si Si Si
Si
Si
Si
Si Si Si
Si
Si
WAN
Data Centre
Internet
Cisco Public
23
Multilayer Network Design

L2 access with L3 distribution
Si
Si
Si
Si
Vlan 10
Vlan 20
Vlan 30
Vlan 30
Vlan 30
Vlan 30
Each access switch has unique VLANs No Layer 2 loops Layer 3 link between distribution No blocked links
BRKCRS-2663
At least some VLANs span multiple access switches
Layer 2 loops, blocked links

Layer 2 and 3 running over link between distribution
Cisco Public
Optimising L2 Convergence
PVST+, Rapid PVST+ or MST
Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP
Rapid-PVST+ also greatly improves convergence time over backbone fast for any indirect link failures
Time to Restore Data Flows
PVST+ (802.1d)
Traditional spanning tree implementation
35 30 25 20 15 10
Upstream Downstream
Rapid PVST+ (802.1w)

Scales to large size (~10,000 logical ports) Easy to implement, proven, scales
MST (802.1s)
Permits very large scale STP implementations (~30,000 logical ports) Not as flexible as rapid PVST+
5 0
PVST+
Cisco Public
Rapid PVST+
25
BRKCRS-2663
Layer 2 Hardening
Spanning Tree should behave the way you expect
LoopGuard
Place the root where you want it The root bridge should stay where you put it
RootGuard LoopGuard UplinkFast UDLD
STP Root
Si
Si
RootGuard LoopGuard
Only end-station traffic should be seen on an edge port

BPDU Guard RootGuard PortFast, PortSecurity
BRKCRS-2663 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
BPDU Guard or RootGuard PortFast Port Security
26
Best Practices
Layer 3 Routing Protocols
Typically deployed in distribution to core, and core-to-core interconnections Used to quickly reroute around failed node/links while providing load balancing over redundant paths Build triangles not squares for deterministic convergence Summarise distribution to core to limit EIGRP query diameter or OSPF LSA propagation Tune CEF L3/L4 load balancing hash to achieve maximum utilisation of equal cost paths (CEF polarisation)
Si
Si
Si
Si
Si
Si
Si
Si
Si
Si Si Si
Si
Si
WAN
Data Centre
Internet
BRKCRS-2663
Cisco Public
27
Best Practice
Build Triangles not Squares
Triangles: Link/Box failure does not require routing protocol convergence
Deterministic vs. Non-Deterministic

Squares: Link/Box failure requires routing protocol convergence
Si
Si
Si
Si
Si
Si
Si
Si
Model A
Model B
Layer 3 redundant equal cost links support fast convergence Hardware basedfast recovery to remaining path Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path)
BRKCRS-2663 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Summarise at the Distribution

Limit EIGRP queries and OSPF LSA propagation
It is important to force summarisation at the distribution towards the core For return path traffic an OSPF or EIGRP re-route is required By limiting the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process we can optimise this reroute EIGRP example:
interface Port-channel1 description to Core#1 ip address 10.122.0.34 255.255.255.252 ip hello-interval eigrp 100 1 ip hold-time eigrp 100 3 ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
Si Si
Rest of Network
Si
Si
Core
Distribution
Access
10.1.1.0/24 10.1.2.0/24
Cisco Public 29
BRKCRS-2663

Reduce the complexity of IGP convergence
Summaries stop queries at the core
It is important to force summarisation at the distribution towards the core For return path traffic an OSPF or EIGRP re-route is required By limiting the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process we can optimise his reroute For EIGRP if we summarise at the distribution we stop queries at the core boxes for an access layer flap For OSPF when we summarise at the distribution (area border or L1/L2 border) the flooding of LSAs is limited to the distribution switches; SPF now deals with one LSA not three
Si Si
Rest of Network
Si
Core
Summary: 10.1.0.0/16
Distribution
Si
Acces Access
10.1.1.0/24 10.1.2.0/24
Cisco Public 30
BRKCRS-2663

Gotcha Distribution to distribution link required
Best practice - summarise at the distribution layer to limit EIGRP queries or OSPF LSA propagation Gotcha:
Upstream: HSRP on left distribution takes over when link fails Return path: old router still advertises summary to core Return traffic is dropped on right distribution switch
Si Si
Core
Summary: 10.1.0.0/16
Si
Si
Distribution
Summarising requires a link between the distribution switches

10.1.1.0/24 10.1.2.0/24
Access
BRKCRS-2663
Cisco Public
31
Equal-Cost Multipath
Optimising CEF load sharing
Si Si
Depending on the traffic flow patterns and IP addressing in use, one algorithm may provide better load-sharing results than another Be careful not to introduce polarisation in a multi-tier design by changing the default to the same thing in all tiers/layers of the network
Catalyst 4500 Load-Sharing Options
Original Universal* Include Port Src IP + Dst IP Src IP + Dst IP + Unique ID Src IP + Dst IP + (Src or Dst Port) + Unique ID
30% of flows
Si
70% of Flows
Load-Sharing Simple Load-Sharing Full Simple Load-Sharing Simple
Si
Si
Catalyst 6500 Load-Sharing Options

Default* Full Full Exclude Port Simple Full Simple Src IP + Dst IP + Unique ID Src IP + Dst IP + Src Port + Dst Port Src IP + Dst IP + (Src or Dst Port) Src IP + Dst IP Src IP + Dst IP + Src Port + Dst Port
Si
Si
Si
Si
* = Default Load-Sharing Mode

CEF Load Balancing

Avoid underutilising redundant L3 paths
Redundant Paths Ignored
CEF polarisation: without some tuning CEF will select the same path left/left or right/right
Distribution Default L3 Hash
Core Default L3 Hash Distribution Default L3 Hash
Si Si
Imbalance/overload could occur Redundant paths are ignored/underutilised The default CEF hash input is L3 We can change the default to use L3 + L4 information as input to the hash derivation
Cisco Public
L
Si Si
R R
L
Si
Si
BRKCRS-2663
CEF Load Balancing

Avoid underutilising redundant L3 paths
All Paths Used
Depending on IP addressing and flows, imbalance could occur

Si
Distribution L3/L4 Hash

Core Default L3 Hash Distribution L3/L4 Hash
Si
L R
Si
L R
Si
Alternating L3/L4 hash and L3 hash will give us the best load balancing results
Si
LR
Si
Use simple in the core and full simple in the distribution to add L4 information to the algorithm at the distribution and maintain differentiation tier-to-tier
BRKCRS-2663
Cisco Public
Best Practices
Trunk configuration
Typically deployed on interconnection between access and distribution layers Use VTP transparent mode to decrease potential for operational error Hard set trunk mode to on and encapsulation negotiate off for optimal convergence Change the native VLAN to something unused to avoid VLAN hopping Manually prune all VLANS except those needed
802.1q Trunks
Si Si Si Si Si Si
Si
Si
Si
Si Si Si
Si
Si
WAN
Data Centre
Internet
BRKCRS-2663
Cisco Public
35
VTP Virtual Trunk Protocol

Centralised VLAN management VTP server switch propagates VLAN database to VTP client switches Runs only on trunks Four modes:
Server: updates clients and servers Client: receive updates - cannot make changes Transparent: let updates pass through Off: ignores VTP updates
Off Drop VTP Updates
Set VLAN 50 Trunk
F
Transparent
Pass Through Update
Server
Trunk
Ok, I Just Learned VLAN 50!
Trunk
Ok, I Just Learned VLAN 50!
Client
Client
Trunk
BRKCRS-2663
Cisco Public
36
DTP Dynamic Trunk Protocol

Automatic formation of trunked switch-toswitch interconnection
On: always be a trunk
Desirable: ask if the other side can/will Auto: if the other sides asks I will Off: dont become a trunk
Si Si
On/On Trunk
Si
Auto/Desirable Trunk
Si
Negotiation of 802.1Q or ISL encapsulation

ISL: try to use ISL trunk encapsulation 802.1q: try to use 802.1q encapsulation Negotiate: negotiate ISL or 802.1q encapsulation with peer Non-negotiate: always use encapsulation that is hard set
Si Si Si
Off/Off NO Trunk
Si
Off/On, Auto, Desirable NO Trunk

Cisco Public 37
BRKCRS-2663
Optimising Convergence: Trunk Tuning

Trunk Auto/Desirable Takes Some Time
DTP negotiation tuning improves link up convergence time

IOS(config-if)# switchport mode trunk IOS(config-if)# switchport nonegotiate
2.5
Time to Converge in Seconds
2 1.5 1 0.5 0
3550 (Cisco IOS) 4006 (CatOS) 4507 (Cisco IOS) 6500 (CatOS)
Two Seconds of Delay/Loss Tuned Away

Trunking Desirable Trunking Nonegotiate
BRKCRS-2663
Cisco Public
38
Best Practices
UDLD Configuration
Typically deployed on any fibre optic interconnection

Use UDLD aggressive mode for most aggressive protection
Si
Si
Si
Si
Si
Si
Fibre Interconnections
Si Si
Turn on in global configuration to avoid operational error/misses

Config example
IOS (config)# udld aggressive
Si
Si Si Si
Si
Si
WAN
Data Centre
Internet
BRKCRS-2663
Cisco Public
39
Unidirectional Link Detection

Protecting against one-way communication
Protects against one-way communication or partially failed links and their effects on protocols like STP and RSTP Primarily used on fibre optic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the ports own device/port ID, and the neighbours device/port IDs seen by UDLD on that port Neighbouring ports should see their own device/port ID (echo) in the packets received from the other side If the port does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the link is considered unidirectional and is shutdown
Si
Are You Echoing My Hellos?
Si
Cisco Public 40
UDLD Modes: Aggressive and Normal
Si
Si
Timers are the same - 15-second hellos by default UDLD Normal Mode - only err-disable the end where UDLD detected. The other end just sees the link go down UDLD Aggressive Mode - err-disable both ends of the connection. Could lead to complete loss of connectivity to remote site
BRKCRS-2663
Cisco Public
41
Best Practices
EtherChannel Configuration
Typically deployed in distribution to core, and core to core interconnections Used to provide link redundancy, while reducing peering complexity Tune L3/L4 load balancing hash to achieve maximum utilisation of channel members Deploy in powers of two (two, four, or eight) Match CatOS and Cisco IOS PAgP settings
BRKCRS-2663
Si
Si
Si
Si
Si
Si
Si
Si
Si
Si Si Si
Si
Si
WAN
Data Centre
Internet
Cisco Public
42
Understanding EtherChannel
Link Negotiation OptionsPAgP and LACP
Port Aggregation Protocol
Si
Link Aggregation Control Protocol

Si
On/On Channel On/Off No Channel Auto/Desirable Channel
Si
On/On Channel On/Off No Channel Active/Passive Channel Passive/Passive No Channel
Si
Si
Si
Si
Si
Si
Si
Si
Si
Si
Off/On, Auto, Desirable No Channel
Si
Si
Si
On: always be a channel/bundle member Desirable: ask if the other side can/will Auto: if the other side asks I will Off: dont become a member of a channel/bundle
On: always be a channel/bundle member Active: ask if the other side can/will Passive: if the other side asks I will Off: dont become a member of a channel/bundle
Cisco Public 43
PAgP/LACP Tuning
Configuration mismatches
Matching EtherChannel configuration on both sides improves link restoration convergence times
CatOS-switch# set port channel <mod/port> off
Time to Converge in Seconds
6 5 4 3 2 1 0 PAgP Mismatch
As Much As Seven Seconds of Delay/Loss Tuned Away
6500 (CatOS) 4506 (CatOS)
PAgP Off
Cisco Public 44
BRKCRS-2663
EtherChannel link load sharing

L3 Hash
Link 0 load 68%
Si
Si
Default L3 (src/dst IP) hash determines which link to use in etherchannel

Can lead to unbalanced utilisation
Link 1 load 32%
L3/4 Hash
Link 0 load 52%
Si Si
Change default to include L4 information

Configured globally or on individual
etherchannels.
Link 1 load 48%
Switch(config)# port-channel load-balance src-dst-port

Best Practices
First Hop Redundancy
Used to provide a resilient default gateway to end-stations HSRP, VRRP, and GLBP alternatives VRRP, HSRP, and GLBP provide millisecond timers and excellent convergence performance
Si Si
1st Hop Redundancy

Si Si Si Si
Si
Si
VRRP if you need multivendor interoperability

GLBP facilitates uplink load balancing
Si
Si Si Si
Si
Si
Preempt timers need to be tuned to avoid black-holed traffic

BRKCRS-2663
WAN
Data Centre
Internet
Cisco Public
46
First Hop Redundancy with VRRP

R1Master, Forwarding Traffic, R2Backup
A group of routers function as one virtual router by sharing one virtual IP and MAC One (master) router performs packet forwarding for local hosts The rest of the routers act as back up in case the master router fails Backup routers stay idle as far as packet forwarding from the client side is concerned
BRKCRS-2663
VRRP ACTIVE
IP: 10.0.0.254 MAC: 0000.0c12.3456 vIP: 10.0.0.10 vMAC: 0000.5e00.0101
VRRP BACKUP
IP: 10.0.0.253 MAC: 0000.0C78.9abc vIP: vMAC:
R1
Si Si
R2
Distribution-A VRRP Active

Access-a
Distribution-B VRRP Backup
IP: MAC: GW: ARP:
10.0.0.1 aaaa.aaaa.aa01 10.0.0.10 0000.5e00.0101
IP: MAC: GW: ARP:
10.0.0.2 aaaa.aaaa.aa02 10.0.0.10 0000.5e00.0101
IP: MAC: GW: ARP:
10.0.0.3 aaaa.aaaa.aa03 10.0.0.10 0000.5e00.0101
Cisco Public
47
First Hop Redundancy with HSRP

R1Active, Forwarding Traffic, R2Hot Standby, Idle
A group of routers function as one virtual router by sharing one virtual IP and MAC One (active) router performs packet forwarding for local hosts The rest of the routers provide hot standby in case the active router fails Standby routers stay idle as far as packet forwarding from the client side is concerned
BRKCRS-2663
HSRP ACTIVE
IP: 10.0.0.254 MAC: 0000.0c12.3456 vIP: 10.0.0.10 vMAC: 0000.0c07.ac00
HSRP STANDBY
IP: 10.0.0.253 MAC: 0000.0C78.9abc vIP: vMAC:
R1
Si Si
R2
Distribution-B HSRP Backup
Access-a
Distribution-A HSRP Active
IP: MAC: GW: ARP:
10.0.0.1 aaaa.aaaa.aa01 10.0.0.10 0000.0c07.ac00
IP: MAC: GW: ARP:
10.0.0.2 aaaa.aaaa.aa02 10.0.0.10 0000.0c07.ac00
IP: MAC: GW: ARP:
10.0.0.3 aaaa.aaaa.aa03 10.0.0.10 0000.0c07.ac00
Cisco Public
48
Why You Want HSRP Preemption

Spanning tree root and HSRP primary aligned When spanning tree root is re-introduced, traffic will take a twoSpanning Tree Root hop path to HSRP HSRP active HSRP Preempt Active HSRP preemption will allow HSRP to follow spanning tree topology
Si Si
Core
Spanning Tree Root

Si Si
HSRP Active
Distribution
Access
Without preempt delay HSRP can go active before box completely ready to forward traffic due to L1 (Boards), L2 (STP), L3 (IGP Convergence) IOS (config-if)# standby 1 preempt delay minimum 30
First Hop Redundancy with GLBP

Cisco Proprietary, load sharing
All the benefits of HSRP plus load balancing of default gateway, utilises all available bandwidth A group of routers function as one virtual router by sharing one virtual IP address but using multiple virtual MAC addresses for traffic forwarding Allows traffic from a single common subnet to go through multiple redundant gateways using a single virtual IP address
R1, R2 Both Forward Traffic
IP: 10.0.0.254 MAC: 0000.0c12.3456 vIP: 10.0.0.10 vMAC: 0007.b400.0101 IP: 10.0.0.253 MAC: 0000.0C78.9abc vIP: 10.0.0.10 vMAC: 0007.b400.0102
R1
Si
Si
R2
Access-a
IP: MAC: GW: ARP:
10.0.0.1 aaaa.aaaa.aa01 10.0.0.10 0007.B400.0101
IP: MAC: GW: ARP:
10.0.0.2 aaaa.aaaa.aa02 10.0.0.10 0007.B400.0102
IP: MAC: GW: ARP:
10.0.0.3 aaaa.aaaa.aa03 10.0.0.10 0007.B400.0101
BRKCRS-2663
Cisco Public
50
If You Span VLANS, Tuning Required

By Default, Half the Traffic Will Take a Two-Hop L2 Path Both distribution switches act as default gateway Blocked uplink caused traffic to take less than optimal path Core Layer 3 Distribution Layer 2/3
Distribution-A GLBP Virtual MAC 1
Si Si
Core
Distribution-B GLBP Virtual MAC 2
Access Layer 2
Access-a VLAN 2
F: Forwarding B: Blocking
Access-b VLAN 2
Cisco Public
BRKCRS-2663
Optimising Convergence:
VRRP, HSRP, GLBP
VRRP flows go through a common VRRP peer; mean, max, and min are equal HSRP has sub-second timers; however all flows go through same HSRP peer so there is no difference between mean, max, and min GLBP has sub-second timers and distributes the load amongst the GLBP peers; so 50% of the clients are not affected by an uplink failure Distribution to access link failure, access to server farm
50% of Flows Have ZERO Loss W/ GLBP GLBP Is 50% Better
Si Si
BRKCRS-2663
Cisco Public
Agenda
Foundation Services
Si
Si
BRKCRS-2663
Si Si Si Si
Si
Si
Si
Si
Distribution Blocks
Daisy Chaining Access Layer Switches

Avoid potential black holes
Return Path Traffic Has a 50/50 Chance of Being Black Holed
Core Layer 3
Si
Si
50% Chance That Traffic Will Go Down Path with No Connectivity
Distribution Layer 2/3
Layer 3 Link
Distribution-A
Si Si
Distribution-B
Access Layer 2
Access-a
Access-n
Access-c
VLAN 2
BRKCRS-2663
VLAN 2
Cisco Public
VLAN 2
54
Daisy Chaining Access Layer Switches

New technology addresses old problems
Stackwise/Stackwise-Plus technology eliminates the concern

Loopback links not required No longer forced to have L2 link in distribution
HSRP Active Layer 3

Si
HSRP Standby
Si
Distribution Layer 2/3
Forwarding
Forwarding
If you use modular (chassisbased) switches, these problems are not a concern
3750-E
Access Layer 2
What if you dont link the distributions?

Black holes and multiple transitions
Core Layer 3 Distribution Layer 2/3
STP Root and HSRP Active
Core
STP Secondary Root and HSRP Standby
Aggressive HSRP timers limit black hole #1
Hellos
Si Si
Backbone fast limits HSRP Active time (30 seconds) (Temporarily) to event #2 Even with rapid PVST+ at least one second before event #2 MaxAge Seconds Before Failure Is Detected Then Listening and Learning
Access Layer 2

Access-a Access-b
VLAN 2
VLAN 2
Blocking link on access-b will take 50 seconds to move to forwarding traffic black hole until HSRP goes active on standby HSRP peer After MaxAge expires (or backbone fast or Rapid PVST+) converges HSRP preempt causes another transition Access-b used as transit for Access-as traffic
What if you dont link the distributions?

Return path traffic black-holed
Core Layer 3 Distribution Layer 2/3
STP Root and HSRP Active
Core
STP Secondary Root and HSRP Standby
802.1d: up to 50 seconds PVST+: backbone fast 30 seconds Rapid PVST+: address by the protocol (one second)
Hellos
Si Si
Access Layer 2 Access Layer 2

Access-a
Access-b
VLAN 2
VLAN 2
Blocking link on access-b will take 50 seconds to move to forwarding return traffic black hole until then
Asymmetric Routing
Affects redundant topologies with shared L2 access
One path upstream and two paths downstream CAM table entry ages out on standby HSRP
Asymmetric Equal Cost Return Path CAM Timer Has Aged Out on Standby HSRP Downstream Packet Flooded Upstream Packet Unicast to Active HSRP
Si
Si
Without a CAM entry packet is flooded to all ports in the VLAN
VLAN 2
VLAN 2
VLAN 2
VLAN 2
58
BRKCRS-2663
Cisco Public
Asymmetric Routing
Best practice to prevent excessive flooding
Assign one unique data and voice VLAN to each access switch
Traffic is now only flooded down one trunk Access switch unicasts correctly; no flooding to all ports If you have to:
Tune ARP and CAM aging timers; CAM timer exceeds ARP timer Bias routing metrics to remove equal cost routes
VLAN 3 VLAN 4 VLAN 5 Asymmetric equal cost return path Upstream Packet Unicast to Active HSRP
Si
Si
Downstream Packet Flooded on Single Port
VLAN 2
BRKCRS-2663
Cisco Public
59
Agenda
Foundation Services
Si
Si
BRKCRS-2663
Si Si Si Si
Si
Si
Si
Si
Distribution Blocks
Why Virtualise?
Creates Logical Partitions
Allows the use of unique security policies per logical domain Provides traffic isolation per application, group, service etc The logical separation of traffic using one physical infrastructure
Guest Access Merged Company Isolated Service(s)
Virtual Network
Virtual Network
Virtual Network
Actual Physical Infrastructure

Network Virtualisation
Components
Service
Access Control
Branch Campus
Path Isolation
WAN MAN Campus
Services Edge
Data Centre Internet Edge
GRE GRE
MPLS MPLS
Data Centre
VRFs 802.1q
Internet
Functions
Authenticate client (user, device, app) attempting to gain network access Authorise client into a partition (VLAN) Deny access to unauthenticated clients
BRKCRS-2663
Maintain traffic partitioned over Layer 3 infrastructure Transport traffic over isolated Layer 3 partitions Map Layer 3 isolated path to VLANs / VRFs in access and services edge
Cisco Public
Provide access to services

Shared Dedicated
Apply policy per partition Isolate application environments if necessary

62
VRF-Lite and GRE Tunnels

Requires GRE tunnel, loopback and client side interface per VRF Easy configuration, but limited scale
20 Byte IP Header
BRKCRS-2663
GRE Header 4/8 Bytes
Original Packet
GRE encapsulation represent 24 extra bytes or 28 if a key is present

VRF-Lite End-to-End
Packets processed per VRF Unique control plane and data plane Requires sub-interfaces on L3 trunks (not supported on 4500)
802.1q
BRKCRS-2663
Cisco Public
65
EVN End-to-End
Packets processed per VRF Unique control plane and data plane Automatic configuration of trunks
Cat6500 (on Sup2T), ASR and Cat4500 support
802.1q
BRKCRS-2663
Cisco Public
66
Trunk configuration comparison

vrf definition RED address-family ipv4 vrf definition GREEN address-family ipv4 Vrf definition BLUE address-family ipv4 ! interface GigabitEthernet0/0 description Trunk interface ! interface GigabitEthernet0/0.100 vrf forwarding RED encapsulation dot1Q 100 ip address 10.100.1.1 255.255.255.0 ! interface GigabitEthernet0/0.101 vrf forwarding GREEN encapsulation dot1Q 101 ip address 10.101.1.1 255.255.255.0 ! interface GigabitEthernet0/0.102 vrf forwarding BLUE encapsulation dot1Q 102 ip address 10.102.1.1 255.255.255.0
BRKCRS-2663
VRF-lite end-to-end example
vrf definition RED vnet tag 100 address-family ipv4 vrf definition GREEN vnet tag 101 address-family ipv4 vrf definition BLUE vnet tag 102 ! interface GigabitEthernet0/0 description Trunk interface ip address 10.1.1.1 255.255.255.0 vnet trunk
EVN example
New command
Automatically creates subinterfaces for each VRF. show derived-config gig0/0.100 will show sub-interface config.
Cisco Public
67
Virtualised network
Access
Si Si Si Si Si Si
Distribution
Core
Si Si
Si
Si Si Si
Si
Si
Distribution
Access
WAN
BRKCRS-2663
Data Centre
Internet
Cisco Public 68
Agenda
Foundation Services
Si
Si
BRKCRS-2663
Si Si Si Si
Si
Si
Si
Si
Distribution Blocks
Best PracticesCampus Security

Things you already know
Use SSH to access devices instead of Telnet Enable AAA and roles-based access control (RADIUS/TACACS+) for the CLI on all devices Enable SYSLOG to a server. Collect and archive logs When using SNMP use SNMPv3 Disable unused services:
Si Si
End-to-End Security
Si Si Si Si
No service tcp-small-servers No service udp-small-servers

Use FTP or SFTP (SSH FTP) to move images and configurations aroundavoid TFTP when possible Install VTY access-lists to limit which addresses can access management and CLI services Enable control plane protocol authentication where it is available (EIGRP, OSPF, BGP, HSRP, VTP, etc.) WAN
Si Si
Si
Si
Si Si Si
Si
Internet
For More Details, See BRKSEC-2202 Session, Understanding and Preventing Layer 2 Attacks
BPDU Guard
Problem:
Users can plug a switch in at STP Loop their desk that tries to become Formed BPDU Guard root
Multiple Windows XP machines can create a loop in the wired VLAN via the WLAN
Disables Port BPDU Guard Disables Port
Solution:
BPDU Guard configured on all end-station switch ports will prevent loop from forming
BRKCRS-2663
BPDU Generated
Win XP Bridging Enabled

Cisco Public
Win XP Bridging Enabled

71
Securing Layer 2 from Surveillance Attacks Cutting Off MAC-Based Attacks

00:0e:00:aa:aa:aa 00:0e:00:bb:bb:bb
250,000 bogus MACs per second
Only three MAC addresses allowed on the port: Shutdown
Problem:
Script Kiddie hacking tools enable attackers to flood switch CAM tables with bogus MACs; turning the VLAN into a hub and eliminating privacy Switch CAM table limit is finite number of MAC addresses
BRKCRS-2663
Solution:
Port Security limits MAC flooding attack by locking down port and sends an SNMP trap
switchport port-security switchport port-security maximum 3 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity
Cisco Public 72
DHCP Snooping
Protection Against Rogue/Malicious DHCP Server
1
1000s of DHCP requests to overrun the DHCP server
DHCP Server 2
DHCP requests (discover) and responses (offer) tracked

Rate-limit requests on trusted interfaces; limits DoS attacks on DHCP server Deny responses (offers) on non trusted interfaces; stop malicious or errant DHCP server
Dynamic ARP Inspection

Protection Against ARP Poisoning Dynamic ARP inspection protects against ARP poisoning (ettercap, dsnif, arpspoof) Uses the DHCP snooping binding table Tracks MAC to IP from DHCP transactions Rate-limits ARP requests from client ports; stop port scanning Drop bogus gratuitous ARPs; stop ARP poisoning/MIM attacks
Attacker = 10.1.1.25 MAC=B
Gateway = 10.1.1.1 MAC=A
Si
Gratuitous ARP 10.1.1.50=MAC_B
Gratuitous ARP 10.1.1.1=MAC_B
Victim = 10.1.1.50 MAC=C

74
IP Source Guard
Protection Against Spoofed IP Addresses
IP source guard protects against spoofed IP addresses Uses the DHCP snooping binding table Tracks IP address to port associations Dynamically programs port ACL to drop traffic not originating from IP address assigned via DHCP
Gateway = 10.1.1.1 MAC=A
Si
Hey, Im 10.1.1.50 !
Attacker = 10.1.1.25
Victim = 10.1.1.50
75
Catalyst Integrated Security Features

IP Source Guard Dynamic ARP Inspection DHCP Snooping Port Security
Port security prevents MAC flooding attacks DHCP snooping prevents client attack on the switch and server Dynamic ARP Inspection addssecurity to ARP using DHCP snooping table IP source guard adds security to IP source address using DHCP snooping table
BRKCRS-2663
ip dhcp snooping ip dhcp snooping vlan 2-10 ip arp inspection vlan 2-10 ! interface FastEthernet3/1 switchport port-security switchport port-security max 3 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity ip arp inspection limit rate 100 ip dhcp snooping limit rate 100 ip verify source vlan dhcp-snooping ! interface GigabitEthernet1/1 ip dhcp snooping trust ip arp inspection trust
Cisco Public 76
Agenda
Foundation Services
Si
Si
BRKCRS-2663
Si Si Si Si
Si
Si
Si
Si
Distribution Blocks
Reduction in Control Plane

Less management points
VSS
Available now on 6500-E, 4500-X and 4500-E

Useful in distribution layer
Si
Si
VSS
BRKCRS-2663
Cisco Public
78
Reduction in Control Plane

Less management points
Director
VSS
Available now on 6500-E, 4500-X and 4500-E

Useful in distribution layer Smart Install Zero-touch install of new devices Automatic SW updates Utilises DHCP to find new switches
Si
Si
VSS
BRKCRS-2663
Cisco Public
79
SmartPorts - Predefined Configurations

Access-Switch# show parser macro brief default global : cisco-global default interface: cisco-desktop default interface: cisco-phone default interface: cisco-switch default interface: cisco-router default interface: cisco-wireless
Access-Switch(config-if)#$ macro apply cisco-phone $access_vlan 20 $voice_vlan 10
Si Si Si Si
Access-Switch# show run int fa1/0/19 ! interface FastEthernet1/0/19 switchport access vlan 20 switchport mode access switchport voice vlan 10 switchport port-security maximum 2 switchport port-security switchport port-security aging time 2 switchport port-security violation restrict switchport port-security aging type inactivity srr-queue bandwidth share 10 10 60 20 srr-queue bandwidth shape 10 0 0 0 mls qos trust device cisco-phone mls qos trust cos macro description cisco-phone auto qosvoipcisco-phone spanning-tree portfast spanning-tree bpduguard enable end
Unified Access
Localised wired and wireless connectivity
Centralised wireless controller
All traffic trunked up to core
Wireless controller
Si Si
Wireless controller
VLAN 250 WLAN 10.1.250.0/24
BRKCRS-2663
Cisco Public
81
Unified Access
All traffic trunked up to core Local wireless termination

Reduce spanning of VLANs across access layer
Wireless controller
Si Si
Wireless controller
Wireless controller
Wireless controller
VLAN 250 WLAN 10.1.250.0/24
Wireless controller
BRKCRS-2663
Cisco Public
82
Unified Access
All traffic trunked up to core

Si Si
Local wireless termination

Reduce spanning of VLANs across access layer
L3
Wireless controller
Wireless VLAN 100
Wireless controller
Wireless VLAN 110
Wireless controller
Wireless VLAN 120
BRKCRS-2663
Cisco Public
83
Agenda
Foundation Services
Si
Si
BRKCRS-2663
Si Si Si Si
Si
Si
Si
Si
Distribution Blocks
Summary
Offers hierarchyeach layer has specific role Offers hierarchyeach layer has Modular topology specific role building blocks Easy to grow, understand, Modular topologybuilding and troubleshoot Creates small fault domains Clear blocks demarcations and isolation Easy to grow, understand, and Promotes load balancing and redundancy troubleshoot Promotes deterministic traffic patterns Creates small fault domains Incorporates balance of clear isolation both Layer 2 anddemarcations Layer 3 technology, and leveraging the strength of both Layer Promotes Utilises 3 routing load balancing and for load balancing, fast convergence, scalability, redundancy and control
Access
Si Si Si Si Si Si
Distribution
Si
Si

Si Si
Core
Promotes deterministic traffic patterns
Si
Si Si Si
Incorporates balance of both Layer 2 and Layer 3 technology Utilises Layer 3 routing for load balancing, fast convergence, scalability, and control
BRKCRS-2663
Distribution
Access
WAN Data Centre Internet
Cisco Public 85
Hierarchical Network Design

Without a Rock Solid Foundation the Rest Doesnt Matter
Building Block
Access
Si Si
Distribution
Si Si
Core
Si Si
Distribution Access
BRKCRS-2663
HSRP
Routing Spanning Tree
Cisco Public 86
Q&A
Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2013 Polo Shirt!
Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 8 March 12:00pm-2:00pm
Dont forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button. www.ciscoliveaustralia.com/portal/login.ww
Cisco Public 88
BRKCRS-2663
BRKCRS-2663
Cisco Public

BRKCRS 2663

Uploaded by

Copyright:

Available Formats

BRKCRS 2663

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKCRS 2663

Uploaded by

Copyright:

Available Formats

Next Generation Campus Architectures

2013 Cisco and/or its affiliates. All rights reserved.

Network-level redundancy System-level resiliency

Desktop Apps E-mail, File and Print

APPLICATIONS DRIVE REQUIREMENTS FOR HIGH AVAILABILITY NETWORKING

2013 Cisco and/or its affiliates. All rights reserved.

High-Availability Campus Design

Hierarchical Network Design

Promotes load balancing and redundancy

Hierarchical Campus Network

2013 Cisco and/or its affiliates. All rights reserved.

2013 Cisco and/or its affiliates. All rights reserved.

Separate core layer helps in scalability during future growth

2013 Cisco and/or its affiliates. All rights reserved.

Do I Need a Core Layer?

Physical cabling requirement

Second Building Block 4 New Links

4th Building Block 12 New Links 24 Links Total 7 IGP Neighbours

3rd Building Block 8 New Links 12 Links Total 5 IGP Neighbours

2013 Cisco and/or its affiliates. All rights reserved.

Do I Need a Core Layer?

4th Building Block 4 New Links 16 Links Total

3rd Building Block 4 New Links 12 Links Total

2013 Cisco and/or its affiliates. All rights reserved.

Layer 3 Distribution Interconnection

RootGuard or BPDU-Guard Use security features

VLAN 20 Data 10.1.20.0/24 VLAN 120 Voice 10.1.120.0/24

VLAN 40 Data 10.1.40.0/24 VLAN 140 Voice 10.1.140.0/24

2013 Cisco and/or its affiliates. All rights reserved.

Layer 2 Distribution Interconnection

RootGuard or BPDU-Guard Use security features

VLAN 20 Data 10.1.20.0/24 VLAN 120 Voice 10.1.120.0/24

VLAN 250 WLAN 10.1.250.0/24

VLAN 40 Data 10.1.40.0/24 VLAN 140 Voice 10.1.140.0/24

2013 Cisco and/or its affiliates. All rights reserved.

Routed Access and VSS

VLAN 20 Data 10.1.20.0/24 VLAN 120 Voice 10.1.120.0/24

VLAN 40 Data 10.1.40.0/24 VLAN 140 Voice 10.1.140.0/24

2013 Cisco and/or its affiliates. All rights reserved.

First hop redundancy protocols

Layer 3 Equal Cost Links

Layer 3 Equal Cost Links

Tune carrier delay timer

2013 Cisco and/or its affiliates. All rights reserved.

Redundancy and Protocol Interaction

Indirect link failures are harder to detect

Redundancy and Protocol Interaction

Direct point-to-point fibre provides for fast failure detection

Cisco IOS Throttling: Carrier Delay Timer

Linecard Throttling: Debounce Timer

2013 Cisco and/or its affiliates. All rights reserved.

Redundancy and Protocol Interaction

1. Link Down 2. Interface Down 3. Routing Update

~ 150200 msec loss

Link Down Interface Down Autostate SVI Down Routing Update

2013 Cisco and/or its affiliates. All rights reserved.

Layer 3 Equal Cost Links

Layer 3 Equal Cost Links

2013 Cisco and/or its affiliates. All rights reserved.