
Enterprise Campus Design

Multilayer Architectures and Design Principles

Marcin Hamróz, Principal Architect


Jarosław Gawron, Principal Engineer

BRKENS-2031
Cisco Krakow

Marcin Hamroz, Principal Architect
• At Cisco since 2012
• Based out of Cisco Krakow
• Focused on Software Defined Access
• CCIE R&S / SP
• Father of three
• Passionate about aviation and football

Jaroslaw (Jaro) Gawron, Principal Engineer
• In TAC from 2012
• Based out of Cisco Krakow
• Focused on Software Defined Access & Catalyst Platforms
• CCIE R&S / SP
• Father of three
• Fan of StarTrek and sailing

BRKENS-2031 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
The goal of this session:
• Present the universal principles of Enterprise campus design
• Explain the most fundamental aspect of the hierarchical approach for L2 and L3 networks (back to basics)
• Focus mainly on the wired campus

This session is NOT:
• Covering SD-Access / DNAC / EVPN / Cloud
• Product specific
Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.
Agenda
• Introduction
• Campus Vision & Strategy
• Multilayer Campus Design Principles
• Foundation services
• Campus Design Best Practices
• Conclusion
Campus Vision & Strategy
Our Vision and Strategy

Vision: Change the way the world works, lives, plays, and learns
Strategy: Help Customers connect, secure and automate to accelerate their digital agility in a cloud-first world
Today’s Network Must Drive Digital Transformation
Bandwidth and Latency Sensitive, Computationally Intensive | Complexity and Extreme-Scale, Mobile and Hybrid Environments | Increased Risk, No Clear perimeters
(Diagram: WAN sites connected to Data Center and Cloud)

• New Apps (7.3TB): 8K video and virtual and augmented reality
• Protocols (60%): 60% of IoT devices connect via non-WiFi protocols (cellular and WiFi)1
• Mobility (3x): Mobile speeds will more than triple by 2023
• Cloud (92%): 92% of Enterprises have adopted a Multicloud strategy2
• IoT (29.3B): 29.3B networked devices and connections will exist by 20233
• Security (600%): 600% rise in malicious emails during pandemic4

1 2020 Cisco Annual Internet Report
2 2018 MultiCloud in the New Normal
3 2020 Cisco Annual Internet Report
4 McAfee Report/Business Insider
Business Impact
• Inefficiency: Up to 80% of network changes performed manually; Growth of Shadow IT Services
• Complexity: 3X spend on network operations; Slow and Error Prone Operations
• Security: 6 months to detect breach; Unconstrained Attack Surface
Cisco’s Enterprise SDN Strategy
Policy and Intent to Unlock the Power of your Distributed System
• Leverage the Power of Existing Distributed Systems
• Enable Network Wide Fidelity to an Expressed Intent (Policy)
• Unlock the Power that Exists in the Network through Abstraction, Automation, and Policy Enforcement
Cisco’s Intent Based Networking Solutions
(Learning, Intent and Context at the center)
• SD-WAN: Optimize and secure application performance over any connection to the cloud.
• Cloud Edge: Securely connect and protect workloads moving into the cloud and between clouds
• SD-Access: Segment your network and secure user access from the edge to the cloud
• Intent Based DataCenter: Run any traditional or cloud native application across any environment to meet evolving Developer needs
Built on Cisco Digital Network Architecture
• Cloud Service Management
• Automation, Assurance, Security and Compliance
• Programmable Physical and Virtual infrastructure
• API Driven; Insights and Experiences
Principles: Open and Programmable, Automation, Analytics, Virtualization, Security
Multilayer Campus Design Principles
Building your own house…

“.. If you fail to plan - you plan to fail”
Benjamin Franklin
High-Availability Campus Design
(Diagram: Access, Distribution, Core, Distribution, Access; the Data Center, WAN, DC and Internet blocks attach to the core)

High-Availability Campus Design
Not This!!
(Diagram: a flat, non-hierarchical topology with Data Center, WAN, Internet and PSTN attached directly)
Hierarchical Network Design
Without a Rock Solid Foundation the Rest Doesn’t Matter
(Building Blocks: Access, Distribution, Core, Distribution, Access)
o Offers hierarchy—each layer has specific role
o Modular topology—building blocks
o Easy to grow, understand, and troubleshoot
o Creates small fault domains—clear demarcations and isolation
o Promotes load balancing and redundancy
o Promotes deterministic traffic patterns
o Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
o Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
Access Layer
Feature Rich Environment
(Diagram: Core, Distribution, Access)
o It’s not just about connectivity
o Layer 2/Layer 3 feature-rich environment; convergence, HA, security, QoS, IP multicast, etc.
o Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping
o Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, etc.
o Cisco Catalyst® integrated security features (CISF): IBNS (802.1x), port security, DHCP snooping, DAI, IPSG, etc.
o Automatic phone discovery, conditional trust boundary, power over Ethernet, auxiliary VLAN, etc.
o Spanning tree toolkit: PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, etc.
Distribution Layer
Policy, Convergence, QoS and High Availability
(Diagram: Core, Distribution, Access)
o Availability, load balancing, QoS and provisioning are the important considerations at this layer
o Aggregates wiring closets (access layer) and uplinks to core
o Protects core from high-density peering and problems in access layer
o Route summarization, fast convergence, redundant path load sharing
o HSRP or GLBP to provide first-hop redundancy
Core Layer
Scalability, High Availability, and Fast Convergence
(Diagram: Core, Distribution, Access)
o Backbone for the network—connects network building blocks
o Performance and stability vs. complexity—less is more in the core
o Aggregation point for distribution layer
o Separate core layer helps in scalability during future growth
o Keep the design technology-independent
Do I need a Core Layer?
It's Really a Question of Scale, Complexity, and Convergence

Without a core (fully-meshed distribution layers):
• Second Building Block: 4 New Links
• 3rd Building Block: 8 New Links, 12 Links Total, 5 IGP Neighbors
• 4th Building Block: 12 New Links, 24 Links Total, 8 IGP Neighbors
o No Core
o Fully-meshed distribution layers
o Physical cabling requirement
o Routing complexity

With dedicated core switches:
• Second Building Block: 4 New Links
• 3rd Building Block: 4 New Links, 12 Links Total, 3 IGP Neighbors
• 4th Building Block: 4 New Links, 24 Links Total, 3 IGP Neighbors
o Dedicated Core Switches
o Easier to add a module
o Fewer links in the core
o Easier bandwidth upgrade
o Routing protocol peering reduced
o Equal cost Layer 3 links for best convergence
Design Alternatives Come Within a Building (or Distribution) Block
Layer 2 Access | Routed Access | StackWise Virtual
(Diagram: Access, Distribution, Core, Distribution, Access; Data Center, WAN, DC and Internet attach to the core)
Layer 2 Distribution Interconnection
Layer 2 Access—No VLANs Span Access Layer
(Diagram: Core; Distribution pair with the interconnection labelled Layer 3; one access switch with VLAN 20 Data 10.1.20.0/24 and VLAN 120 Voice 10.1.120.0/24, the other with VLAN 40 Data 10.1.40.0/24 and VLAN 140 Voice 10.1.140.0/24)
• Summarize routes towards core
• STP Root and HSRP primary tuning or GLBP to load balance on uplinks
• Set trunk mode on/no-negotiate
• Set port host on access layer ports:
  • Disable trunking
  • Disable Ether Channel
  • Enable PortFast
• RootGuard or BPDU-Guard
• Use security features
Layer 3 Distribution Interconnection
Layer 2 Access - Some VLANs Span Access Layer
(Diagram: Core; Distribution pair with the interconnection labelled Layer 2; access switches with VLAN 20 Data 10.1.20.0/24 + VLAN 120 Voice 10.1.120.0/24 and VLAN 40 Data 10.1.40.0/24 + VLAN 140 Voice 10.1.140.0/24; VLAN 250 WLAN 10.1.250.0/24 spans both)
• Summarize routes towards core
• STP Root and HSRP primary or GLBP and STP port cost tuning to load balance on uplinks
• Set trunk mode on/no-negotiate
• RootGuard on downlinks
• LoopGuard on uplinks
• Set port host on access layer ports:
  • Disable trunking
  • Disable Ether Channel
  • Enable PortFast
• RootGuard or BPDU-Guard
• Use security features
StackWise Virtual and Virtual Stacking
L2 without a STP Liability
(Diagram: Core; Distribution as a StackWise Virtual pair; access switches with VLAN 20 Data 10.1.20.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 140 Voice 10.1.140.0/24)
• Summarize routes towards core
• Limit redundant IGP peering
• Set trunk mode on/no-negotiate
• MUST Ether Channel else blocked ports
• Set port host on access layer ports:
  • Disable trunking
  • Disable Ether Channel
  • Enable PortFast
• RootGuard or BPDU-Guard
• Use security features
Routed Access and Virtual Switching System
Evolutions of and Improvements to Existing Designs
(Diagram: Core; Distribution; Layer 3 down to the access switches with VLAN 20 Data 10.1.20.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 140 Voice 10.1.140.0/24)
Advantages:
• Ease of implementation, less to get right
• No matching of STP/HSRP/GLBP priority
• No L2/L3 Multicast topology inconsistencies
• Single Control Plane and well-known toolset
  • traceroute, show ip route, show ip eigrp neighbor, etc.
• Catalyst 9k platform fully supports L3 switching
• EIGRP converges in < 200 msec
• OSPF with sub-second tuning converges in < 200 msec
• RPVST+ convergence times dependent on GLBP / HSRP tuning

Considerations:
• Do you have any L2 VLAN adjacency requirements between access switches
• IP addressing – Do you have enough address space and the allocation plan to support a routed access design
Campus Fabric – The Foundation for SDA
Architecture for the Digital Enterprise
(Diagram: Cisco ISE and Cisco DNA Center above a fabric carrying a Building Management Virtual Network and an Employees Virtual Network with Stretched Subnets)
• Stretched Subnets: Distributed Anycast Default Gateway; No HSRP/VRRP
• No Spanning Tree: No STP; Routed Access; Limit Broadcast Domain
• ECMP: Equal Cost Multi-Path
Foundation services
Foundation Services
(Diagram: HSRP, Spanning Tree, Routing)
• Layer 1 physical things
• Layer 2 redundancy
  • STP
  • Trunks
  • UDLD
  • Ether Channels
• Layer 3 routing protocols
  • BFD
  • FHRP
Best Practices - Layer 1 Physical Things
(Diagram: DC, WAN and ISP above the Core; Distribution; Access at MDF 1)
• Review Link Debounce and Carrier-Delay
• Use point-to-point interconnections - no L2 aggregation points between nodes
• Use configuration on the physical interface not VLAN/SVI when possible
Link Debounce and Carrier-Delay
Can be adjusted on Cat9500 & Cat9600
• When tuning the campus for optimal convergence, it is important to review the status of the link debounce and carrier delay configuration
• By default GigE and 10GigE+ interfaces operate with a 10 msec debounce timer which provides for optimal link failure detection
• In the current Cisco IOS levels, the default behavior for Catalyst switches is to use a default value of 0 msec on all Ethernet interfaces for the carrier-delay.
• It is still recommended as best practice to hard code the carrier-delay value on critical interfaces with a value of 0 msec to ensure the desired behavior.

C9500-32QC-1-4#show interfaces debounce
Port     Debounce time    Value(ms)
Fo1/0/1  disable
Fo1/0/2  disable
Fo1/0/3  disable
Fo1/0/4  disable
Fo1/0/5  disable
Fo1/0/6  disable

interface GigabitEthernet1/1
 description Uplink to Distribution 1
 dampening
 ip address 10.120.0.205 255.255.255.254
 ip pim sparse-mode
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf priority 0
 logging event link-status
 load-interval 30
 carrier-delay msec 0
<snip>
Redundancy and Protocol Interaction
Layer 2 and 3 - Why Use Routed Interfaces
Configuring L3 routed interfaces provides for faster convergence than an L2 switch port with an associated L3 SVI

L3 (~ 8 msec loss):
1. Link Down
2. Interface Down
3. Routing Update

21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
21:38:37.050 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
21:38:37.050 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust GigabitEthernet3/1

L2 (~ 150–200 msec loss):
1. Link Down
2. Interface Down
3. Autostate
4. SVI Down
5. Routing Update

21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down
21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down
21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down
21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route, adjust Vlan301
Best Practices - Spanning Tree Configuration
(Diagram: DC, WAN and ISP above the Core; Distribution; Access at MDF 1)
• Only span VLAN across multiple access layer switches when you have to!
• Use rapid RSTP for best convergence
• Required to protect against user side loops
• Required to protect against operational accidents (misconfiguration or hardware failure)
• Take advantage of the spanning tree toolkit
Multilayer Network Design
Layer 2 Access with Layer 3 Distribution

Unique VLANs per access switch (VLAN 10, VLAN 20, VLAN 30):
• Each access switch has unique VLANs
• No Layer 2 loops
• Layer 3 link between distribution
• No blocked links

VLAN spanning the access switches (VLAN 10 on every access switch):
• At least some VLANs span multiple access switches
• Layer 2 loops
• Layer 2 and 3 running over link between distribution
• Blocked links
Optimizing L2 Convergence
PVST+, Rapid PVST+ or MST
• Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP
• Rapid-PVST+ also greatly improves convergence time over backbone fast for any indirect link failures
• PVST+ (802.1d)
  • Traditional spanning tree implementation
• Rapid PVST+ (802.1w)
  • Scales to large size (~10,000 logical ports)
  • Easy to implement, proven, scales
• MST (802.1s)
  • Permits very large scale STP implementations (~30,000 logical ports)
(Chart: Time to restore Data Flows (sec), Upstream and Downstream, PVST+ vs Rapid PVST+, y-axis 0 to 35 sec)
Layer 2 Hardening
Spanning Tree Should Behave the Way You Expect
(Diagram: STP Root at the distribution; LoopGuard and RootGuard on the inter-switch links; BPDU Guard, RootGuard, PortFast and Port Security on the edge ports)
• Place the root where you want it
  • Root primary/secondary macro
• The root bridge should stay where you put it
  • RootGuard
  • LoopGuard
  • UplinkFast
  • UDLD
• Only end-station traffic should be seen on an edge port
  • BPDU Guard
  • RootGuard
  • PortFast
  • Port-security
Best Practices - Trunk Configuration
(Diagram: DC, WAN and ISP above the Core; 802.1q TRUNKS between Distribution and Access at MDF 1)
• Typically deployed on interconnection between access and distribution layers
• Use VTP transparent mode to decrease potential for operational error
• Hard set trunk mode to on and encapsulation negotiate off for optimal convergence
• Manually prune all VLANS except those needed
• Disable on host ports
Optimizing Convergence: Trunk Tuning
Trunk Auto/Desirable Takes Some Time
• DTP negotiation tuning improves link up convergence time
  • IOS(config-if)# switchport mode trunk
  • IOS(config-if)# switchport nonegotiate
(Chart: Time to Converge in Seconds, 0 to 2.5, Trunking Desirable vs Trunking Nonegotiate)
Best practices – UDLD Configuration
(Diagram: DC, WAN and ISP above the Core; Fiber Interconnections down to Access at MDF 1)
• Typically deployed on any fiber optic interconnection
• Use UDLD aggressive mode for most aggressive protection
• Turn on in global configuration to avoid operational error/misses
UDLD Aggressive and UDLD Normal
• Timers are the same—15-second hellos by default
• Aggressive Mode—after aging on a previously bi-directional link—tries eight times (once per second) to reestablish connection then err-disables port
• UDLD—Normal Mode—only err-disable the end where UDLD detected; other end just sees the link go down
• UDLD—Aggressive—err-disable both ends of the connection due to err-disable when aging and re-establishment of UDLD communication fails
Best Practices - Ether Channel Configuration
• Typically deployed in distribution to core, and core to core interconnections
• Used to provide link redundancy—while reducing peering complexity
• Tune L3/L4 load balancing hash to achieve maximum utilization of channel members
• Deploy in powers of two (two, four, or eight)
• 802.3ad LACP for interop if you need it
Ether Channel load balancing
Use as much information as possible
• Cisco switches let you tune the hashing algorithm used to select the specific EtherChannel link.
• You can use the default source/destination IP information, or you can add an additional level of load balancing to the process by adding the L4 TCP/IP port information as an input to the algorithm.

L3 HASH: Link 0 – load 68%, Link 1 – load 32%
L4 HASH: Link 0 – load 52%, Link 1 – load 48%
(Chart: Link 0 Load vs Link 1 Load for L3 Hash (68% / 32%) and L4 Hash (52% / 48%))

switch(config)#port-channel load-balance ?
  dst-ip                 Dst IP Addr
  dst-mac                Dst Mac Addr
  dst-mixed-ip-port      Dst IP Addr and TCP/UDP Port
  dst-port               Dst TCP/UDP Port
  extended               Extended Load Balance Methods
  src-dst-ip             Src XOR Dst IP Addr
  src-dst-mac            Src XOR Dst Mac Addr
  src-dst-mixed-ip-port  Src XOR Dst IP Addr and TCP/UDP Port
  src-dst-port           Src XOR Dst TCP/UDP Port
  src-ip                 Src IP Addr
  src-mac                Src Mac Addr
  src-mixed-ip-port      Src IP Addr and TCP/UDP Port
  src-port               Src TCP/UDP Port
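Added example, not from the slides and not Cisco's platform-specific hash: a simplified XOR-fold model in Python comparing an src-dst-ip style input with an src-dst-mixed-ip-port style input over a constructed set of flows. With IP addresses only, every flow between the same two hosts lands on one member link; adding the L4 ports spreads them across the bundle.

```python
"""Simplified model of EtherChannel member-link selection with an L3 vs an L4 hash."""
from __future__ import annotations
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _xor_fold(data: bytes) -> int:
    """Fold a byte string into one byte by XOR (a stand-in for the ASIC hash)."""
    h = 0
    for b in data:
        h ^= b
    return h


def l3_hash(flow: Flow) -> int:
    """src-dst-ip style input: only the two IP addresses contribute."""
    packed = ipaddress.ip_address(flow.src_ip).packed + ipaddress.ip_address(flow.dst_ip).packed
    return _xor_fold(packed)


def l4_hash(flow: Flow) -> int:
    """src-dst-mixed-ip-port style input: IP addresses plus TCP/UDP ports."""
    ports = flow.src_port.to_bytes(2, "big") + flow.dst_port.to_bytes(2, "big")
    return l3_hash(flow) ^ _xor_fold(ports)


def select_link(flow: Flow, hash_fn, n_links: int) -> int:
    """Pick a member link; bundles are deployed in powers of two, so mask the hash."""
    if n_links < 1 or n_links & (n_links - 1):
        raise ValueError("deploy EtherChannel members in powers of two")
    return hash_fn(flow) & (n_links - 1)


def distribute(flows: list[Flow], hash_fn, n_links: int = 2) -> dict[int, int]:
    """Number of flows landing on each member link."""
    counts = Counter(select_link(f, hash_fn, n_links) for f in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


def utilisation_pct(dist: dict[int, int]) -> dict[int, float]:
    total = sum(dist.values()) or 1
    return {link: round(100 * n / total, 1) for link, n in dist.items()}


# Constructed sample: two clients talking to one server (10.1.40.10:443) over
# several TCP sessions each; the IP pairs never change, only the source ports.
SAMPLE_FLOWS = (
    [Flow("10.1.20.11", "10.1.40.10", 49152 + i, 443) for i in range(8)]
    + [Flow("10.1.20.12", "10.1.40.10", 49152 + i, 443) for i in range(4)]
)

if __name__ == "__main__":
    for name, fn in (("L3 hash", l3_hash), ("L4 hash", l4_hash)):
        print(name, utilisation_pct(distribute(SAMPLE_FLOWS, fn)))
```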
EtherChannels
Reduce Complexity/Peer Relationships
• More links = more routing peer relationships and associated overhead
• EtherChannels allow you to reduce peers by creating single logical interface to peer over
• On single link failure in a bundle
  • OSPF running on a Cisco IOS-based switch will reduce link cost and reroute traffic
  • EIGRP may not change link cost and may overload remaining links
EtherChannels
1G/10G/20G/40G/100G How do you aggregate it?
(Diagram: Distribution-layer Switch with 2x10G Uplinks to a 48 Port Access-layer Switch (12 mGig to 10 Gbps + 36 1 Gbps ports) at MDF 1)
• Typical 4:1 Data Over-Subscription at the Distribution-layer Switch
• Typical 20:1 Data Over-Subscription at the Access-layer Switch
• Maximum oversubscription 7.8:1
Best Practices
Layer 3 Routing Protocols
(Diagram: DC, WAN and ISP above the Core; Distribution; Access at MDF 1)
• Typically deployed in distribution to core, and core-to-core interconnections
• Used to quickly reroute around failed node/links while providing load balancing over redundant paths
• Build triangles not squares for deterministic convergence
• Only peer on links that you intend to use as transit
Best Practice - Build Triangles not Squares
Deterministic vs. Non-Deterministic
Squares: Link/Box Failure Requires Routing Protocol Convergence
Triangles: Link/Box Failure Does not Require Routing Protocol Convergence
• Layer 3 redundant equal cost links support fast convergence
• Hardware based—fast recovery to remaining path
• Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path)
Best Practice - Passive Interfaces for IGP
Limit IGP Peering Through the Access Layer
(Diagram: access-layer VLAN interfaces marked BLOCK, where no IGP adjacency should form)
• Limit unnecessary peering using passive interface:
  • Four VLANs per wiring closet
  • 12 adjacencies total
  • Memory and CPU requirements increase with no real benefit
  • Creates overhead for IGP

OSPF Example:
Router(config)#router ospf 1
Router(config-router)#passive-interface Vlan 99

Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface Vlan 99

EIGRP Example:
Router(config)#router eigrp 1
Router(config-router)#passive-interface Vlan 99

Router(config)#router eigrp 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface Vlan 99
Why You Want to Summarize at the Distribution
Limit EIGRP Queries and OSPF LSA Propagation
(Diagram: WAN, Core, Distribution, Access with 10.1.1.0/24 and 10.1.2.0/24; Traffic Dropped Until IGP Converges)
• It is important to force summarization at the distribution towards the core
• For return path traffic an OSPF or EIGRP re-route is required
• By limiting the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process we can optimize this reroute

EIGRP Example:
interface Port-channel1
 description to Core#1
 ip address 10.122.0.34 255.255.255.252
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
Why You Want to Summarize at the Distribution (continued)
EIGRP Example, with the summary towards the core added:
interface Port-channel1
 description to Core#1
 ip address 10.122.0.34 255.255.255.252
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
Bidirectional Forwarding Detection (BFD)
• Detect faults between 2 routers
• Fast (reaction time in milliseconds)
• Let the upper routing protocols (ISIS, BGP, OSPF, Static) realize that a link is down faster than the DEAD timer of that RP
• Works on directly connected routers, as well as routers separated by a L2 cloud (Metro Ethernet, MPLS, VPLS, Pseudowire, …)
• Uses fast exchange of IP/UDP packets
  • port 3784 for control
  • port 3785 for echo
• Supports single-hop and multi-hop

The official recommendation for Catalyst 9000 switches:
• 250ms x3 for physical interfaces
• 750ms x3 for SVI

interface Gig1/0/1
 ip address 1.1.1.1 255.255.255.0
 bfd interval 300 min_rx 300 multiplier 3
 ip ospf 1 area 0
router ospf 1
 bfd all-interfaces
First Hop Redundancy with HSRP
(Diagram: R1 Distribution-A, HSRP Active, IP 10.0.0.254, MAC 0000.0c12.3456; R2 Distribution-B, HSRP Backup, IP 10.0.0.253, MAC 0000.0c78.9abc; both share vIP 10.0.0.1 and vMAC 0000.0c07.ac00. Hosts 10.0.0.10 / aaaa.aaaa.aaa1, 10.0.0.11 / aaaa.aaaa.aaa2 and 10.0.0.12 / aaaa.aaaa.aaa3 each have GW 10.0.0.1 and ARP entry 0000.0c07.ac00)
R1 – Active, Forwarding traffic
R2 – Hot Standby, Idle
• A group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address
• One (active) router performs packet forwarding for local hosts
• The rest of the routers provide hot standby in case the active router fails
• Standby routers stay idle as far as packet forwarding from the client side is concerned
First Hop Redundancy with Load Balancing
Cisco Gateway Load Balancing Protocol (GLBP)
(Diagram: R1 with GLBP 1 ip 10.0.0.1 and vMAC 0000.0000.0001; R2 with GLBP 1 ip 10.0.0.1 and vMAC 0000.0000.0002; vIP 10.0.0.1. Host A ARPs for 10.0.0.1 and gets MAC 0000.0000.0001; host B ARPs for 10.0.0.1 and gets MAC 0000.0000.0002)
• Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address/default gateway
• When end-stations ARP for the common IP address/default gateway they are given a load-balanced virtual MAC address
• Host A and host B send traffic to different GLBP peers but have the same default gateway
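Added example covering the HSRP and GLBP slides above; it is not part of the presentation. The Python model shows what the hosts see when they ARP for 10.0.0.1 under HSRP (one shared vMAC) and under GLBP (per-forwarder vMACs handed out by the AVG), and which router forwards for each host after R1 fails. The vMAC values and host addresses are the slides' own; the strict round-robin ARP order and the failover logic are simplifying assumptions.

```python
"""Model of first-hop redundancy from the hosts' point of view: HSRP hands every
host the same virtual MAC; GLBP's AVG hands out the forwarders' MACs in turn."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


def hsrp_v1_vmac(group: int) -> str:
    """HSRPv1 virtual MAC 0000.0c07.acXX, XX = group (group 0 gives the slide's 0000.0c07.ac00)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0..255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Router:
    name: str
    up: bool = True


class HsrpGroup:
    """One vIP and one vMAC; only the active router forwards, the standby takes over on failure."""

    def __init__(self, vip: str, group: int, routers: list[Router]):
        self.vip, self.vmac, self.routers = vip, hsrp_v1_vmac(group), routers
        self.active = routers[0]

    def arp_reply(self) -> str:
        return self.vmac                      # every host gets the same answer

    def forwarder_for(self, mac: str) -> Optional[str]:
        if mac != self.vmac:
            return None
        if not self.active.up:
            # Standby assumes vIP and vMAC: host ARP caches stay valid, no re-ARP needed.
            self.active = next(r for r in self.routers if r.up)
        return self.active.name


class GlbpGroup:
    """One vIP, one vMAC per forwarder (AVF); the AVG answers ARP requests in turn (assumed round-robin)."""

    def __init__(self, vip: str, forwarders: dict[str, Router]):
        self.vip = vip
        self.forwarders = dict(forwarders)    # vMAC -> router currently owning it
        self._rr = 0

    def arp_reply(self) -> str:
        macs = list(self.forwarders)
        mac = macs[self._rr % len(macs)]
        self._rr += 1
        return mac

    def forwarder_for(self, mac: str) -> Optional[str]:
        owner = self.forwarders.get(mac)
        if owner is None:
            return None
        if not owner.up:
            # AVG reassigns the failed forwarder's vMAC to a surviving router; hosts keep their ARP entry.
            owner = next(r for r in self.forwarders.values() if r.up)
            self.forwarders[mac] = owner
        return owner.name


def resolve_hosts(group, host_ips: list[str]) -> dict[str, str]:
    """Each host ARPs for the default gateway once and caches the reply."""
    return {ip: group.arp_reply() for ip in host_ips}


def forwarders(group, arp_cache: dict[str, str]) -> dict[str, Optional[str]]:
    """Which physical router currently forwards each host's upstream traffic."""
    return {ip: group.forwarder_for(mac) for ip, mac in arp_cache.items()}


HOSTS = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]   # the slide's three hosts


def hsrp_scenario():
    r1, r2 = Router("Distribution-A"), Router("Distribution-B")
    grp = HsrpGroup("10.0.0.1", 0, [r1, r2])
    cache = resolve_hosts(grp, HOSTS)
    before = forwarders(grp, cache)
    r1.up = False                      # active router fails
    after = forwarders(grp, cache)     # same cached vMAC, now served by R2
    return cache, before, after


def glbp_scenario():
    r1, r2 = Router("R1"), Router("R2")
    grp = GlbpGroup("10.0.0.1", {"0000.0000.0001": r1, "0000.0000.0002": r2})
    cache = resolve_hosts(grp, HOSTS)  # hosts split between the two forwarders
    before = forwarders(grp, cache)
    r1.up = False                      # only the hosts that had R1's vMAC are re-homed
    after = forwarders(grp, cache)
    return cache, before, after
```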
Optimizing Convergence: VRRP, HSRP, GLBP
Mean, Max, and Min—Are There Differences?
• HSRP has sub-second timers; however all flows go through same HSRP peer so there is no difference between mean, max, and min
• GLBP has sub-second timers and distributes the load amongst the GLBP peers; so 50% of the clients are not affected by an uplink failure
(Chart: Longest, Shortest and Average loss in seconds, 0 to 1.2, for VRRP, HSRP and GLBP; 50% of flows have ZERO loss with GLBP, so GLBP is 50% better)
If You Span VLANS, Tuning Required
By Default, Half the Traffic Will Take a Two-Hop L2 Path
(Diagram: Core at Layer 3; Distribution-A with GLBP vMAC1 and Distribution-B with GLBP vMAC2 at Layer 2/3; Access at Layer 2 with VLAN 2 on both switches and one uplink Blocking on each)
• Distribution switches act as default gateway
• Blocked uplink caused traffic to take less than optimal path
Campus Design Best Practices
Daisy Chaining Access Layer Switches
Avoid Potential Black Holes
(Diagram: daisy-chained access switches carrying VLAN 2; 50% chance that the traffic will go down the path with no connectivity; Traffic Dropped with no Path to the destination)
• Return Path Traffic Has a 50/50 Chance of Being ‘Black Holed’
Daisy Chaining Access Layer Switches
Cisco StackWise technology
(Diagram: Single Unified Virtual Stack System with Active, Standby and Member switches)
• Allows up to a maximum of 8 switches to be stacked together physically in a ring topology to form a single, unified, virtual stack system.
• Unified control and management plane by electing one switch in the stack as the active switch and another switch as the hot-standby. Remaining switches become stack members
• Multichassis EtherChannel (MEC) and cross-stack EtherChannel extend traditional EtherChannel by allowing Ethernet ports to be aggregated towards different physical chassis
Cisco StackWise technology
(Diagram: Distribution at Layer 2/3; Access stack at Layer 2 with VLAN 2)
• Catalyst 9200 Series StackWise-160/80
  • Catalyst 9200 Series switches enable stacking of up to 8 switches and 416 ports
  • StackWise-160 is supported on Catalyst 9200 switch models
  • StackWise-80 is supported on Catalyst 9200L switch models
• Catalyst 9300 Series StackWise-480/360
  • Catalyst 9300 Series switches enable stacking of up to 8 switches and 448 ports
  • StackWise-480 is supported on Catalyst 9300 switch models
  • StackWise-360 is supported on Catalyst 9300L switch models
• Catalyst 9300X Series StackWise-1T
  • Catalyst 9300 Series switches enable stacking of up to 8 switches and 448 ports
StackWise Virtual Technology
(Diagram: Active and Standby switches joined by the SVL, with a DAD link; Single Unified Virtual Stack System)
• StackWise Virtual technology combines two Catalyst 9000 Series switches into a single logical network entity from the network control plane and management perspectives.
• To neighboring devices a StackWise Virtual domain appears as a single logical switch or router
• All control plane functions are centrally managed by the active switch. From the data-plane and traffic-forwarding perspectives, both switches actively forward traffic.
• To facilitate this information exchange, a dedicated link – the StackWise Virtual link (SVL) – is used to transfer both data and control traffic between the peer switches. The SVL is formed as an EtherChannel interface of up to eight physical port members.
StackWise Virtual Technology
• Meant for Distribution and Core layer
• Formed using front panel ports
• Dual-homed connections
(Diagram: before, Core Layer 3 with L3 Active/Standby, Distribution Layer 2/3 with HSRP/GLBP and L2 Active/Standby, Access Layer 2; after, Core Layer 3, Distribution Layer 2/3 as one StackWise Virtual pair, Access Layer 2)
• Simplify Operations by Eliminating STP, FHRP and Multiple Touch-Points
• Double Bandwidth & Reduce Latency with Active-Active Multi-chassis EtherChannel (MEC)
• Minimizes Convergence with Sub-second Stateful and Graceful Recovery (SSO/NSF)
Asymmetric Routing (Unicast Flooding)
Affects redundant topologies with shared L2 access
• One path upstream and two paths downstream
• CAM table entry ages out on standby HSRP
• Without a CAM entry, the packet is flooded to all ports in the VLAN
[Diagram: upstream packet unicast to the active HSRP peer; asymmetric equal-cost return path through the standby HSRP peer, whose TCAM timer has aged out, so the downstream packet is flooded to every access switch carrying VLAN 2]
Best Practices Prevent Unicast Flooding
• Assign one unique data and voice VLAN to each access switch
• Traffic is now only flooded down one trunk
• Access switch unicasts correctly; no flooding to all ports
• If you have to:
  • Tune ARP and CAM aging timers
  • Bias routing metrics to remove equal cost routes
[Diagram: same asymmetric equal-cost return path through the standby HSRP peer after its TCAM timer has aged out, but with VLAN 1, VLAN 2, VLAN 3 and VLAN 4 each confined to one access switch, so the downstream packet is flooded on a single port only]
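As an added example (not from the deck), a small Python model of the timer interplay behind the flood on the two slides above: the standby HSRP peer on the return path never sees the host's upstream frames, so its CAM entry ages out while its ARP entry is still valid, and every downstream packet is flooded until the ARP entry expires and a fresh ARP reply re-populates the CAM. The host IP and MAC are constructed, and the "default" timers assume the usual Catalyst values of 300 s for MAC aging and 14400 s for ARP.

```python
# Added example, not Cisco code: models the standby HSRP distribution switch
# that carries the asymmetric equal-cost return path (slides 64/65).
# Assumed defaults: CAM (MAC table) aging 300 s, ARP aging 14400 s.

class StandbyDistSwitch:
    """Standby HSRP peer: routes downstream packets, never sees upstream ones."""

    def __init__(self, cam_aging_s, arp_aging_s):
        self.cam_aging_s = cam_aging_s
        self.arp_aging_s = arp_aging_s
        self.cam = {}       # host MAC -> time last seen as a source MAC
        self.arp = {}       # host IP  -> (MAC, time the ARP entry was learned)
        self.unicast = 0    # downstream frames sent out exactly one port
        self.flooded = 0    # downstream frames flooded to the whole VLAN

    def _resolve(self, ip, mac, now):
        """Return the host MAC, re-ARPing when the ARP entry is missing or
        expired. The host's ARP reply carries its MAC as source, so the
        reply also refreshes this switch's CAM entry."""
        entry = self.arp.get(ip)
        if entry is None or now - entry[1] >= self.arp_aging_s:
            self.arp[ip] = (mac, now)   # ARP request/reply exchange
            self.cam[mac] = now         # reply's source MAC is learned
        return self.arp[ip][0]

    def forward_downstream(self, ip, mac, now):
        """Route one downstream packet toward the host at time `now`."""
        dst_mac = self._resolve(ip, mac, now)
        seen = self.cam.get(dst_mac)
        if seen is not None and now - seen < self.cam_aging_s:
            self.unicast += 1           # CAM hit: known unicast, one port
        else:
            self.flooded += 1           # CAM miss: unknown unicast flood


def simulate(cam_aging_s, arp_aging_s, duration_s=3600, interval_s=10):
    """Deliver one downstream packet every `interval_s` for `duration_s`.
    Upstream traffic only reaches the active HSRP peer, so nothing here
    refreshes the standby's CAM except the host's own ARP reply.
    Returns (unicast_count, flooded_count)."""
    sw = StandbyDistSwitch(cam_aging_s, arp_aging_s)
    for now in range(0, duration_s, interval_s):
        sw.forward_downstream("10.2.0.50", "00:11:22:33:44:55", now)  # constructed host
    return sw.unicast, sw.flooded


if __name__ == "__main__":
    print("default timers (CAM 300 s, ARP 14400 s):", simulate(300, 14400))
    print("ARP shorter than CAM (CAM 300 s, ARP 270 s):", simulate(300, 270))
    print("CAM raised to ARP (both 14400 s):", simulate(14400, 14400))
```

With default timers the model floods every downstream packet after the first 300 s of the hour; making the ARP timeout shorter than the CAM aging time, or raising the CAM aging time to match ARP, removes the flood entirely.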
Routing in the Access
Pros:
• Improved convergence
• Simplified multicast configuration
• Dynamic traffic load balancing
• Single set of troubleshooting tools (for example, ping and traceroute)
• Eases migration towards SDA/EVPN
Cons:
• A different set of VLANs on different access switches
• Lower flexibility
• Overhead in additional IP subnetting planning
[Diagram: Layer 2 access (Core Layer 3; Distribution Layer 2/3; Access Layer 2 with one uplink Blocking; VLAN 2 on both access switches) compared with routed access (Core Layer 3; Distribution Layer 3; Access Layer 2/3; VLAN 10 and VLAN 11 each local to one access switch), giving the ability to reduce convergence times to a sub-200 msec range]
Transmit Queue Congestion
The Case for Campus QoS
• The primary role of QoS in campus networks is to manage packet loss
• In campus networks, it takes only a few milliseconds of congestion to cause drops
• Rich media applications are extremely sensitive to packet drops
[Diagram: two congestion points: interface speed differences (10G and 40G links) and oversubscription (several 10G ports contending for a single 10G egress port)]
QoS End-to-End
• Prepare your strategy: what are the Critical / Business relevant / Default applications?
• Understand the QoS capabilities of the platforms in use
• Match the strategy against the platform capabilities
• Always build a bidirectional and End-to-End policy
Using Cisco Catalyst 9000 models simplifies the QoS strategy in the campus
[Diagram: egress queuing structures of the Catalyst 9000 models: 2P6Q3T, 1P7Q4T, 4Q1T, 1P3Q3T]
DNA-C QoS Automation with Application Policy
• Network Operators express high-level business-intent to Application Policy
• Southbound APIs translate business-intent to platform-specific configurations
[Diagram: static QoS intent turned into Device Specific Config]
Conclusions
Without a Rock Solid Foundation - the Rest Doesn’t Matter
[Diagram: hierarchical campus of Access, Distribution, Core, Distribution, Access blocks, with Data Center, WAN, DC and Internet attached to the Core]
Summary
• Hierarchy — each layer has a specific role
• Modular topology — building blocks
• Easy to grow, understand, and troubleshoot
• Creates small fault domains — clear demarcations and isolation
• Promotes load balancing and redundancy
• Promotes deterministic traffic patterns
• Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
“.. If you fail to plan
- you plan to fail”
Benjamin Franklin

Complete your Session Survey
• Please complete your session survey after each session. Your feedback is important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard" at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html

Continue Your Education
• Visit the Cisco Showcase for related demos.
• Book your one-on-one Meet the Engineer meeting.
• Attend any of the related sessions at the DevNet, Capture the Flag, and Walk-in Labs zones.
• Visit the On-Demand Library for more sessions at ciscolive.com/on-demand.

Thank you
