Campus_Multilayer_Arch_Design_Guide

1© 2005 Cisco Systems, Inc. All rights reserved.

RST-203211208_05_2005_c2

CAMPUS NETWORK MULTILAYER ARCHITECTURE AND DESIGN GUIDELINESSESSION RST-2032


RST-203211208_05_2005_c2

High-Availability Networking in the Campus

Reinforced Network Infrastructure:Infrastructure Security HardeningDevice-Level and Software Resiliency

Real World Network Design:Hierarchical Network Design—Structured Modular Foundation

Network Operations:Best Practices

Real-Time Network Management:Best Practices

Best-in-Class Support:TAC, CA, Etc.


RST-203211208_05_2005_c2

What Is High Availability?

DPM—Defects per Million

Availability Downtime Per Year (24x365)

99.000%

99.500%

99.900%

99.950%

99.990%

99.999%

99.9999%

3 Days

1 Day

53 Minutes

5 Minutes

30 Seconds

15 Hours

19 Hours

8 Hours

4 Hours

36 Minutes

48 Minutes

46 Minutes

23 Minutes

DPM

10000

5000

1000

500

100

10

1

“High Availability”


RST-203211208_05_2005_c2

What If You Could…Reduce Cost Through Diminished Risk of Downtime

• Costs for downtime are highOne day cost of lost productivity = $1,644 per employee

100 person office = $164K per day

• More than just a datanetwork outage

• More than just revenue impacted

Revenue lossProductivity lossImpaired financial performanceDamaged reputationRecovery expenses

Source: Meta Group444

$ 205$1,010,536Average

$ 107$ 668,586Transportation

$ 244$1,107,274Retail

$ 370$1,202,444Insurance

$1,079$1,495,134Financial Institution

$ 134$1,610,654Manufacturing

$ 186$2,066,245Telecommunications

$ 569$2,817,846Energy

Revenue/ Employee-

HourRevenue/HourIndustry Sector


RST-203211208_05_2005_c2

Agenda

• Multilayer Campus Design Principals

• Foundation Services

• Campus Design Best Practices

• Security Considerations

• Putting It All Together

• Summary


RST-203211208_05_2005_c2

SiSi SiSi

SiSiSiSi

SiSi SiSi

Multilayer Network DesignWithout a Rock Solid Foundation the Rest Doesn’t Matter

Data CenterAccess

Distribution

Core

Distribution

Access• Offers hierarchy – each layer has specific

role

• Modular topology - building blocks

• Easy to grow, understand, and troubleshoot

• Creates small fault domains – Clear demarcations and isolation

• Promotes load balancing and redundancy

• Promotes deterministic traffic patterns

• Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both

• Utilizes Layer 3 Routing for load balancing, fast convergence, scalability, and control


RST-203211208_05_2005_c2

Defining the Access Layer

• Aggregates network end-points• Layer 2/Layer 3 feature rich

environment; convergence, HA, security, QoS, IP multicast, etc

• Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping

• Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, etc.

• Catalyst® integrated security features IBNS (802.1x), (CISF): port security, DHCP snooping, DAI, IPSG, etc.

• Automatic phone discovery, conditional trust boundary, power over Ethernet, auxiliary VLAN, etc.

• Spanning tree toolkit: Portfast, UplinkFast, BackboneFast, LoopGuard, BPDUGuard, BPDUFilter, RootGuard, etc.

To Core

SiSi SiSi

Access

Distribution


RST-203211208_05_2005_c2

Defining the Distribution Layer

• Availability, load balancing, QoS and provisioning are the important considerations at this layer

• Aggregates wiring closets (access layer) and uplinks to core

• Use Layer 3 switching in the distribution layer

• Protects core from high density peering and problems in access layer

• Spanning tree features:Only if you need them:setting STP Root, Root GuardRapid PVST+—Per VLAN 802.1w

• Route summarization, fast convergence, redundant pathload sharing

• HSRP or GLBP to provide first hop redundancy

SiSiSiSi SiSi SiSi

Access

Distribution


RST-203211208_05_2005_c2

Defining the Core Layer

• Backbone for the network—connects network building blocks

• Performance and stability vs. complexity—less is more in the core

• Aggregation point for distribution layer

• Separate core layer helps in scalability during future growth

• Keep the design technology-independent

Access

Distribution

Core


RST-203211208_05_2005_c2

Do I Need a Core Layer?For Optimum Convergence—Yes

No Core• Fully meshed

distribution layers• Aggregation point for distribution

layer• Core layer is required to scale

campus networksPhysical cabling requirementsRouting complexity

Dedicated Core Switches• Easier to add a module• Fewer links in the core• Easier bandwidth upgrade• Routing protocol peering reduced• Equal cost Layer 3 links for best

convergence

Distribution 2

Dis

trib

uti

on

1

Distrib

utio

n 3

Distribution 2D

istr

ibu

tio

n 1 D

istribu

tion

3


RST-203211208_05_2005_c2

Optimal RedundancyWhen Is More Less?

• Core and distribution engineered with redundant nodesand links toprovide maximum redundancy and optimal convergence

• Network bandwidth and capacity engineered to withstand nodeor link failure

• 120–200ms to converge around most events

Access

Distribution

Core

Distribution

Access

Data CenterWAN Internet

SiSi SiSi SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSiSiSi SiSi

SiSi SiSi

RedundantNodes


RST-203211208_05_2005_c2

Single Points of TerminationSSO/NSF Avoiding Total Network Outage

• The access layer is candidate for supervisor redundancy• L2 access layer SSO• L3 access layer SSO and NSF• Network outage until physical replacement or reload vs

one to three seconds

Core

Distribution

Access


SiSi SiSi

L2 = SSOL3 = SSO/NSF


RST-203211208_05_2005_c2

Agenda






• Summary


RST-203211208_05_2005_c2

ESE Campus Solution Test BedVerified Design Recommendations



SiSi SiSi

SiSi SiSiSiSi SiSi

SiSi SiSi

Total of 68 Access Switches, 2950, 2970, 3550, 3560, 3750, 4507 SupII+, 4507SupIV, 6500

Sup2, 6500 Sup32, 6500 Sup720 and 40 APs (1200)

6500 with Redundant Sup720s

Three Distribution Blocks6500 with Redundant Sup720

4507 with Redundant SupV

Three Distribution Blocks6500 with Redundant Sup720s

7206VXR NPEG1

4500 SupII+, 6500 Sup720, FWSM, WLSM, IDSM2, MWAM


RST-203211208_05_2005_c2

Foundation Services

• Layer 3 routing protocols

• Layer 2 redundancy—spanning treePVST+ - STP (802.1D-1998)

Rapid PVST+ - RSTP (802.D-2004)

• Unidirectional link detection

• Trunking protocols—(isl/.1q)

• Load balancingEtherchannel link aggregation

CEF equal cost load balancing

• First hop redundancy protocolsVRRP, HSRP, and GLBP

• Quality of service SpanningTreeRouting

HSRP

GLBP

Trunking

LoadBalancing


RST-203211208_05_2005_c2

Best Practices—Layer 3 Routing Protocols

• Typically deployed in distribution to core, and core to core interconnections

• Used to quickly re-route around failed node/links while providing load balancing over redundant paths

• Build triangles not squares for deterministic convergence

• Only peer on links that you intend to use as transit

• Insure redundant L3 paths to avoid black holes

• Summarize distribution to core to limit EIGRP query diameter or OSPF LSA propagation

• Tune CEF L3/L4 load balancing hash to achieve maximum utilization of equal cost paths (CEF polarization)


Layer 3 Equal Cost Link’s



SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

Best Practice—Build Triangles Not SquaresDeterministic vs. Non-Deterministic

• Layer 3 redundant equal cost links support fast convergence

• Hardware based—fast recovery to remaining path • Convergence is extremely fast (dual equal-cost paths: no need for

OSPF or EIGRP to recalculate a new path)

Triangles: Link/Box Failure Does NOT Require Routing Protocol Convergence

Model A

Squares: Link/Box Failure Requires Routing Protocol Convergence

Model B

SiSi

SiSiSiSi

SiSi SiSi

SiSiSiSi

SiSi


RST-203211208_05_2005_c2

Best Practice—Passive Interfaces for IGPLimit OSPF and EIGRP Peering Through the Access Layer

Limit unnecessary peeringWithout passive interface:

• Four VLANs per wiring closet,

• 12 adjacencies total

• Memory and CPU requirements increase with no real benefit

• Creates overhead for IGP

RoutingUpdates

OSPF Example:

Router(config)#router ospf 1Router(config-router)#passive-interface Vlan 99

Router(config)#router ospf 1Router(config-router)#passive-interface defaultRouter(config-router)#no passive-interface Vlan 99

EIGRP Example:

Router(config)#router eigrp 1Router(config-router)#passive-interface Vlan 99

Router(config)#router eigrp 1Router(config-router)#passive-interface defaultRouter(config-router)#no passive-interface Vlan 99

Distribution

Access

SiSiSiSi


RST-203211208_05_2005_c2

Provide Alternate Paths

• What happens if fails?

• No route to the core anymore?

• Allow the traffic to go through the access?

Do you want to use your access switches as transit nodes?

How do you design for scalability if the access usedfor transit traffic?

• Install a redundant link to the core

• Best practice: install redundant link to core and utilize L3 link between distribution Layer (summarization—coming)

Single Pathto Core

A B

SiSiSiSi

SiSiSiSi

Traffic Dropped

with No Route to Core

Access

Distribution

Core


RST-203211208_05_2005_c2

10.1.1.a/2410.1.1.b/24

Why You Want to Summarize at the DistributionLimit EIGRP Queries and OSPF LSA Propagation

• It is important to force summarization at the distribution towards the core

• For return path traffic an OSPF or EIGRP re-route is required

• By limiting the number of peers an EIGRP router must query or the number of LSA’san OSPF peer must process we can optimize this re-route

• EIGRP example:

SiSiSiSi

SiSi SiSi

Traffic Dropped

Until IGP Converges

No SummariesQueries Go Beyond the Core

Rest of Network

interface Port-channel1description to Core#1ip address 10.122.0.34 255.255.255.252ip hello-interval eigrp 100 1ip hold-time eigrp 100 3ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5

Access

Distribution

Core


RST-203211208_05_2005_c2

Why You Want to Summarize at the DistributionReduce the Complexity of IGP Convergence

• It is important to force summarization at the distribution towards the core

• For return path traffic an OSPF or EIGRP re-route is required

• By limiting the number of peersan EIGRP router must query orthe number of LSA’s an OSPF|peer must process we canoptimize his re-route

• For EIGRP if we summarize at the distribution we stop queries at the core boxes for an accesslayer ‘flap’

• For OSPF when we summarize at the distribution (area border or L1/L2 border) the floodingof LSA’s is limited to the distribution switches; SPF now deals with one LSA not three

10.1.1.a/2410.1.1.b/24

SummariesStop Queries at the Core

Rest of Network

SiSiSiSi

SiSi SiSi

Traffic Dropped

Until IGP Converges

Summary:10.1.0.0/16

Access

Distribution

Core


RST-203211208_05_2005_c2

Best Practice—Summarize at the DistributionGotcha—Distribution to Distribution Link Required

• Best practice—summarize at the distribution layer to limit EIGRP queries or OSPF LSA propagation

• Gotcha:Upstream: HSRP on leftdistribution takes over whenlink failsReturn path: old router still advertises summary to coreReturn traffic is dropped on right distribution switch

• Summarizing requires a link between the distribution switches

• Alternative design: Use the access layer for transit 10.1.1.a/2410.1.1.b/24

Summary:10.1.0.0/16

SiSiSiSi

SiSi SiSi

Traffic Dropped

with No Route

Access

Distribution

Core


RST-203211208_05_2005_c2

CEF Load BalancingAvoid Underutilizing Redundant Layer 3 Paths

• CEF polarization: without some tuning CEF will select the same path left/left or right/right

• Imbalance/overloadcould occur

• Redundant paths are ignored/underutilized

• The default CEF hash ‘input’ is L3

• We can change the default to use L3 + L4 information as ‘input’ to the hash derivation

SiSiSiSi

SiSi SiSi

SiSi SiSi

L

L

R

R

Redundant Paths Ignored

DistributionDefault L3 Hash

CoreDefault L3 Hash

DistributionDefault L3 Hash


RST-203211208_05_2005_c2

CEF Load BalancingChange the Input—Get Different Output

• CEF uses a multi-step process to make final forwarding decision

• First it determines the longest path match for the destination address viaan hardware lookup

• Each specific index is associated with a next hop adjacencies table

• Default: using the packet source and destination IP address one of the possible adjacencies is selected via a HW hash

• Tweak: using the packet source and destination IP address and port information one of the possible adjacencies is selected via a HW hash

• New MAC address is attached and packet is forwarded

• If you change the input to the hash you will change the output

• Changing the default from L3 to L3/L4 causes different hashes to be derived

Src IP| Dst IP | Src Port | Dst Port

Hardware Lookup

HashSelect

Specific Adjacency Based on

Hash

Src IP| Dst IP | Src Port | Dst PortMAC Re-Write Src IP| Dst IP | Src Port | Dst PortMAC Re-Write


RST-203211208_05_2005_c2

CEF Load BalancingAvoid Underutilizing Redundant Layer 3 Paths

• Without some tuning CEF will select the same path left/left or right/right and imbalance/ overload could occur (redundant paths ignored)

• Alternating L3/L4 hash and default L3 hash will give us the best load balancing results

• The default is L3 hash—no modification required in core

• In the distribution switches use:

mls ip cef load-sharing full

to achieve better distribution and avoid underutilization of redundant L3 paths

SiSiSiSi

SiSi SiSi

SiSi SiSi

RL

RL

RL

All Paths Used

DistributionL3/L4 Hash

CoreDefault L3 Hash

DistributionL3/L4 Hash


RST-203211208_05_2005_c2

Spanning Tree

• Highly available environments require redundant paths to ensure connectivity in the event of a node or link failure

• Spanning tree ensures a loop-free topology and provides backup links when there are redundant paths in the network

A

B

802.1D-1998: Classic Spanning Tree Protocol (STP)

802.1D-2004: Rapid Spanning Tree Protocol (RSTP—Was 802.1w)

802.1s: Multiple Spanning TreeProtocol (MST)

802.1t: 802.1d Maintenance 802.1Q: VLAN Tagging (Trunking)


RST-203211208_05_2005_c2

PVST+ and Rapid PVST+, MSTSpanning Tree Toolkit, 802.1d, 802.1s, 802.1w

• PVST+: an instance of STP (802.1d) per VLAN + Portfast, Uplinkfast, BackboneFast, BPDUGuard, BPDUFilter, RootGuard, and LoopGuard

• Rapid PVST+: an instance of RSTP (802.1w) per VLAN + Portfast, BPDUGuard, BPDUFilter, RootGuard, and LoopGuard

• MST (802.1s): up to 16 instances of RSTP (802.1w); combining many VLANS with the same physical and logical topology into a common RSTP instance; additionally Portfast, BPDUGuard, BPDUFilter, RootGuard, and LoopGuard are supportedwith MST


RST-203211208_05_2005_c2

Spanning Tree Toolkit

• PortFast*: Bypass listening-learning phase for access port

• UplinkFast: Three to five seconds convergence after link failure

• BackboneFast: Cuts convergence time by Max_Age for indirect failure

• LoopGuard*: Prevents alternate or root port to become designated in absence of BPDUs

• RootGuard*: Prevents external switches from becoming root

• BPDUGuard*: Disable PortFast enabled port if a BPDU is received

• BPDUFilter*: Do not send or receive BPDUs on PortFast enabled ports

Wiring ClosetSwitch

DistributionSwitches

Root

F

F

F F

F

XB

SiSi SiSi

* Also Supported with MST and Rapid PVST+


RST-203211208_05_2005_c2

Best Practices—Spanning Configuration

• ONLY when you have to!• More common in the

data center

• Required when a VLAN spans access layer switches

• Required to protect against ‘user side’ loops

• Use Rapid PVST+ for best convergence

• Take advantage of the Spanning Tree Toolkit

RootGuard to keep rogue switch from becoming rootBPDUGuard to keep rogue switch from participating in STP topologyLoopGuard to partition the network in the event of an STP failure (loss of BPDU’s)




Layer2 Loops

Same VLAN Same VLAN Same VLAN


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

0

5

10

15

20

25

30

35

Tim

ed t

o C

onve

rge

in

Sec

onds

PVST+ Rapid PVST+

To Access To Server Farm

Optimizing Convergence: PVST+ or Rapid PVST+802.1d + Extensions or 802.1s + Extensions

• Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP

• Rapid-PVST+ also greatly improves convergence time over Backbone fast for any indirect link failures

30 Seconds of Delay/Loss

Tuned Away


RST-203211208_05_2005_c2

Best Practices—UDLD Configuration

• Typically deployed on any fiber optic interconnection

• Use UDLD aggressive mode for best protection

• Turn on in global configuration to avoid operational error/“misses”

• Config exampleCisco IOS: udldaggressive

CatOS: set udld enableset udld aggressive-mode enable <mod/port>




Fiber Interconnections


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

Unidirectional Link DetectionProtecting Against One Way Communication

• Highly available networks require UDLD to protect against one way communication or partially failed links and the effect that they could have on protocols like STP and RSTP

• Primarily used on fiber optic links where patch panel errors could cause link up/up with miss matched transmit/receive pairs

• Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the port's own device/port ID, and the neighbor's device/port IDs seen by UDLD on that port

• Neighboring ports should see their own device/port ID (echo) in the packets received from the other side

• If the port does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the link is considered unidirectional and is shutdown

Are You ‘Echoing’

My Hellos?

SiSi

SiSi


RST-203211208_05_2005_c2

Best Practices—Trunk Configuration

• Typically deployed on interconnection between access and distribution layers

• Use VTP transparent mode to decrease potential for operational error

• Hard set trunk mode to on and encapsulation negotiate off for optimal convergence

• Change the native VLAN to something unused to avoid VLAN hopping

• Manually prune all VLANS except those needed

• Disable on host ports:CatOS: set port hostCisco IOS: switchport host




802.1q Trunks


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

VTP Virtual Trunk Protocol

• Centralized VLAN management

• VTP server switch propagates VLAN database to VTPclient switches

• Runs only on trunks

• Four modes:Server: updates clientsand servers

Client: receive updates—cannot make changes

Transparent: let updates pass through

Off: ignores VTP updates

FServer

Set VLAN 50

Trunk

Trunk Trunk

Client

Off

Trunk

A

B

C

Client

Transparent

Ok, I Just Learnt

VLAN 50!

Drop VTP

Updates

Pass Through Update

Ok, I Just Learnt

VLAN 50!


RST-203211208_05_2005_c2

DTP Dynamic Trunk Protocol

• Automatic formation of trunked switch to switch interconnection

On: always be a trunk

Desirable: ask if the other side can/will

Auto: if the other sides asks I will

Off: don’t become a trunk

• Negotiation of 802.1Q or ISL encapsulation

ISL: try to use ISL trunk encapsulation

802.1q: try to use 802.1q encapsulation

Negotiate: negotiate ISL or 802.1q encapsulation with peer

Non-negotiate: always use encapsulation that is hardset

On/OnTrunk

Auto/DesirableTrunk

Off/OffNO Trunk

Off/On, Auto, DesirableNO Trunk

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSiSiSi


RST-203211208_05_2005_c2

0

0.5

1

1.5

2

2.5

Tim

e to

Con

verg

e in

Sec

onds

Trunking Desirable Trunking Nonegotiate

3550 (Cisco IOS)4006 (CatOS)4507 (Cisco IOS)6500 (CatOS)

Optimizing Convergence: Trunk TuningTrunk Auto/Desirable Takes Some Time

• DTP negotiation tuning improves link up convergence timeCatOS> (enable) set trunk <port> nonegotiate dot1q <vlan>

IOS(config-if)# switchport mode trunk

IOS(config-if)# switchport nonegotiate

Voice Data

Two Seconds of Delay/Loss Tuned Away

SiSi


RST-203211208_05_2005_c2

Best Practices—EtherChannel Configuration

• Typically deployed in distribution to core, and coreto core interconnections

• Used to provide link redundancy—while reducing peering complexity

• Tune L3/L4 load balancing hash to achieve maximum utilization of channel members

• Match CatOS and Cisco IOS PAgP settings

• 802.3ad LACP for interop if you need it

• Disable unless neededCatOS: set port host

Cisco IOS: switchport hostData CenterWAN Internet




SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

EtherChannel Load BalancingAvoid Underutilizing Redundant Layer 2 Paths

• Network did not load balance using default L3 load balancing hash

Common IP addressing scheme

72 access subnets addressed uniformly from 10.120.x.10 to 10.120.x.215

• Converted to L4 load balancing hash and achieved better load sharing

cr2-6500-1(config)#port-channel load-balance src-dst-port

Link 0 load—68%

Link 1 load—32%

Link 0 load—52%

Link 1 Load—48%

L3 Hash

L4 Hash

SiSi

SiSiSiSi

SiSi


RST-203211208_05_2005_c2

PAgP Port Aggregation Protocol

• Automatic formation of bundled redundant switch to switch interconnection

On: always be a channel/bundle member

Desirable: ask if the other side can/will

Auto: if the other sidesasks I will

Off: don’t become a member of a channel/bundle

On/OnChannel

On/OffNo Channel

Auto/DesirableChannel

Off/On, Auto, DesirableNO Channel

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSiSiSi


RST-203211208_05_2005_c2

PAgP TuningPAgP Default Mismatches

Matching EtherChannel Configuration on Both Sides Improves Link Restoration Convergence Timesset port channel <mod/port> off

0

1

2

3

4

5

6

7

Tim

e to

Co

nve

rge

in

Sec

on

ds

PAgP Mismatch PAgP Off

6500 (CatOS)4506 (CatOS)

As Much As Seven Seconds of Delay/Loss Tuned Away


RST-203211208_05_2005_c2

Best Practices—First Hop Redundancy

• Used to provide a resilient default gateway/first hop address to end stations

• HSRP, VRRP, and GLBP alternatives

• VRRP, HSRP and GLBPprovide millisecond timersand excellent convergence performance

• VRRP if you need multi-vendor interoperability

• GLBP facilitates uplink load balancing

• Preempt timers need tobe tuned to avoid black-holed traffic Data CenterWAN Internet



1st Hop Redundancy


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

First Hop Redundancy with VRRPIETF Standard RFC 2338 (April 1998)

• A group of routers function as one virtual router by sharing ONE virtual IP address and one virtual MAC address

• One (master) router performs packet forwarding for local hosts

• The rest of the routers act as “back up” in case the master router fails

• Backup routers stay idle as far as packet forwarding from the client side is concerned

R1—Master, Forwarding Traffic; R2,—BackupVRRP ACTIVE VRRP BACKUP

IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0000.5e00.0101

IP: 10.0.0.253MAC: 0000.0C78.9abcvIP:vMAC:

IP: 10.0.0.1MAC: aaaa.aaaa.aa01GW: 10.0.0.10ARP: 0000.5e00.0101



SiSiSiSi

Access-a

Distribution-AVRRP Active

Distribution-BVRRP Backup

R1 R2


RST-203211208_05_2005_c2

First Hop Redundancy with HSRPCisco Informational RFC 2281 (March 1998)

• A group of routers function as one virtual router by sharing ONE virtual IP address and one virtual MAC address

• One (active) router performs packet forwarding for local hosts

• The rest of the routers provide “hot standby”in case the activerouter fails

• Standby routers stayidle as far as packet forwarding from theclient side is concerned

IP: 10.0.0.1MAC: aaaa.aaaa.aa01GW: 10.0.0.10ARP: 0000.0c07.ac00

SiSiSiSi

Access-a

Distribution-AVRRP Active

Distribution-BVRRP Backup

R1

VRRP ACTIVE VRRP STANDBYIP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0000.0c07.ac00

IP: 10.0.0.253MAC: 0000.0C78.9abcvIP:vMAC:



R1—Active, Forwarding Traffic; R2—Hot Standby, Idle

R2


RST-203211208_05_2005_c2

Optimizing Convergence: HSRP TimersHSRP Millisecond Convergence

• HSRP = default gateway redundancy; effects trafficout of the access layerinterface Vlan5description Data VLAN for 6k-accessip address 10.1.5.3 255.255.255.0ip helper-address 10.5.10.20no ip redirectsip pim query-interval 250 msecip pim sparse-modelogging event link-statusstandby 1 ip 10.1.5.1standby 1 timers msec 200 msec 750standby 1 priority 150standby 1 preemptstandby 1 preempt delay minimum 180




Layer 2 Link’s


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

0

5

10

15

20

25

30

Tim

e to

Co

nve

rge

in S

eco

nd

s

No Preempt Delay Prempt Delay Tuned

3550 (Cisco IOS)2950 (Cisco IOS)4506 (CatOS)4507 (Cisco IOS)6500 (CatOS)6500 (Cisco IOS)

Optimizing Convergence: HSRP Preempt DelayPreempt Delay Needs to Be Longer Than Box Boot Time

More Than 30 Seconds of

Delay/Loss Tuned Away

Without Increased Preempt Delay HSRP Can Go Active Before Box Completely Ready to Forward Traffic L1 (Boards), L2 (STP), L3 (IGP Convergence)standby 1 preempt delay minimum 180

Test Tool Timeout—30 Seconds


RST-203211208_05_2005_c2

First Hop Redundancy with GLBPCisco Designed, Load Sharing, Patent Pending

• All the benefits of HSRP plus load balancing of default gateway à utilizes all available bandwidth

• A group of routers function as one virtual router by sharing one virtual IP address but using multiple virtual MAC addresses for traffic forwarding

• Allows traffic from a single common subnet to go through multiple redundant gateways using a single virtual IP address

GLBP AVG/AVF,SVF GLBP AVF,SVF

R1- AVG; R1, R2 Both Forward Traffic

IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0007.b400.0101

IP: 10.0.0.253MAC: 0000.0C78.9abcvIP: 10.0.0.10vMAC: 0007.b400.0102

IP: 10.0.0.1MAC: aaaa.aaaa.aa01GW: 10.0.0.10ARP: 0007.B400.0101



SiSiSiSi

Access-a

Distribution-AGLBP AVG/AVF, SVF

Distribution-BGLPB AVF,SVF

R1


RST-203211208_05_2005_c2

First Hop Redundancy with Load BalancingCisco Gateway Load Balancing Protocol (GLBP)

• Each member of a GLBP redundancy group owns a unique virtual MACaddress for a common IP address/default gateway

• When end stations ARP for the common IP address/default gateway they are given a load balanced virtual MAC address

• Host A and host B send traffic to different GLBP peers but have the same default gateway

10.88.1.0/24

.5.4

.1 .2

vIP10.88.1.10

GLBP 1 ip 10.88.1.10vMAC 0000.0000.0001

GLBP 1 ip 10.88.1.10vMAC 0000.0000.0002

ARPs for 10.88.1.10Gets MAC 0000.0000.0001

ARPs for 10.88.1.10Gets MAC 0000.0000.0002

A B

R1 R2ARP

Reply


RST-203211208_05_2005_c2

0

0.2

0.4

0.6

0.8

1

1.2

Longest Shortest AverageTim

e in

Sec

on

ds

to C

on

verg

e

VRRP HSRP GLBP

SiSiSiSi

50% of Flows Have ZERO

Loss W/ GLBP

Optimizing Convergence: VRRP, HSRP, GLBP Mean, Max, and Min—Are There Differences?

• VRRP does not have sub-second timers and all flows go through a common VRRP peer; mean, max, and min are equal

• HSRP has sub-second timers; however all flows go through same HSRP peer so there is no difference between mean, max, and min

• GLBP has sub-second timers and distributes the load amongstthe GLBP peers; so 50% of the clients are not effected by anuplink failure

GLBP Is 50% Better

Distribution to Access Link FailureAccess to Server Farm


RST-203211208_05_2005_c2

• Both distribution switches act as default gateway• Blocked uplink caused traffic to take less than optimal path

VLAN 3VLAN 2

F 2

F 2

B 2B 2 F: Forwarding

B: Blocking

Access-b

SiSiSiSi

Core

Access-a

Distribution-AGLBP Virtual MAC 1

If You Span VLANS Tuning RequiredBy Default Half the Traffic Will Take a 2 Hop L2 Path

Distribution-BGLBP Virtual MAC 2

AccessLayer 2AccessLayer 2

DistributionLayer 2/3

CoreLayer 3


RST-203211208_05_2005_c2

VLAN 2VLAN 2

Access-b

SiSiSiSi

Core

Access-a

Distribution-AGLBP Virtual MAC 1

Distribution-BGLBP Virtual MAC 2

B x STP Port Cost

Increased

GLBP + STP turningChange Port Cost to Change the Blocking Interfaces

Force STP to Block the Interface Between the Distribution Switches



CoreLayer 3


RST-203211208_05_2005_c2

Best Practices—Quality of Service

• Must be deployed end-to-end to be effective; all layers play different but equal roles

• Ensure that mission critical applications are not impacted by link or transmit queue congestion

• Aggregation and rate transition points must enforce QoS policies

• Multiple queues with configurable admission criteria and schedulingare required




End to End QoS


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

Transmit Queue Congestion

WAN

Router

128k Uplink10/100m Queued

Access Switch

100 Meg Link1 Gig Link Queued

Distribution Switch

100 Meg in 128 Kb/S out—Packets Serialize in Faster Than They Serialize outPackets Queued as They Wait to Serialize out Slower Link

1 Gig In 100 Meg out—Packets Serialize in Faster Than They Serialize outPackets Queued as They Wait to Serialize out Slower Link


RST-203211208_05_2005_c2

SiSi

SiSi TX

RX

RX

RX

RX

Enabling QoS in the Campus Scheduling in the Campus

• Scavenger traffic is assigned it’s own queue/threshold

• Scavenger queue is shallow with a large burst to penalize sustained loads

• Multiple queues are the only way to “guarantee”voice quality, protect mission critical and throttle abnormal sources

• Cisco switches have multiple queues

Gold

Data

Scavenger

Voice

Police and Mark Anomalies

Scavenger Queue

Aggressive Drop

Voice Put into Delay/Drop

Sensitive Queue

Throttle

RST-2501: Campus QoS Design


RST-203211208_05_2005_c2

Agenda






• Summary


RST-203211208_05_2005_c2

Campus Design Best Practices

• Daisy chaining dangers

• A note on asymmetric routing and unicast flooding

• Where’s your Layer 2/3 boundary?

• What L2/3 protocols do run where and why?

Access

Distribution

Core

Distribution

Access

SiSi SiSi

SiSiSiSi

SiSi SiSi


RST-203211208_05_2005_c2

VLAN 2VLAN 2

Distribution-A Distribution-B

Access-cAccess-a

Layer 3 Link

Access-n

VLAN 2

50% Chance That Traffic Will Go Down Path with

No Connectivity

Traffic Dropped with

No Path to

Destination

Daisy Chaining Access Layer SwitchesAvoid Potential Black Holes

Return Path Traffic Has a 50/50 Chance of Being ‘Black Holed’

SiSiSiSi

SiSiSiSi



CoreLayer 3


RST-203211208_05_2005_c2

Daisy Chaining Access Layer SwitchesNew Technology Addresses Old Problems

• Stackwise technology eliminates the concernLoopback links not requiredNo longer forced to have L2 link in distribution

• If you use modular (chassis based) switches these problems are not a concern

HSRP Active

HSRP Standby

Forwarding

Forwarding

3750

SiSi

SiSi

Layer 3


RST-203211208_05_2005_c2






Access

Distribution

Core

Distribution

Access

SiSi SiSi

SiSiSiSi

SiSi SiSi


RST-203211208_05_2005_c2

VLAN 2VLAN 2

Asymmetric Routing (Unicast Flooding)

• Affects redundant topologies with shared L2 access

• One path upstream and two paths downstream

• CAM table entry ages out on standby HSRP

• Without a CAM entry packet is flooded to all ports in the VLAN

DownstreamPacket

Flooded

Upstream PacketUnicast to Active

HSRP

AsymmetricEqual CostReturn Path

CAM Timer Has Aged out on

Standby HSRP

VLAN 2 VLAN 2

SiSiSiSi


RST-203211208_05_2005_c2

VLAN 2

Best Practices Prevent Unicast Flooding

• Assign one unique data and voice VLAN to each access switch

• Traffic is now only flooded downone trunk

• Access switch unicasts correctly;no flooding toall ports

• If you have to:Tune ARP and CAM aging timers; CAM timer exceeds ARP timerBias routing metrics to remove equal cost routes

DownstreamPacket

Flooded on Single Port

Upstream PacketUnicast to Active

HSRP

AsymmetricEqual CostReturn Path

SiSiSiSi

VLAN 3 VLAN 4 VLAN 5


RST-203211208_05_2005_c2

SiSi SiSi

SiSiSiSi

SiSi SiSi






Access

Distribution

Core

Distribution

Access


RST-203211208_05_2005_c2

Keep Redundancy Simple

“If Some Redundancy Is Good, More Redundancy Is NOT Better”

• Root placement?

• How many blocked links?

• Convergence?

• Complex fault resolution


RST-203211208_05_2005_c2

But Don’t Go Too Far…What Happens if You Don’t Link the Distributions?

• STP’s slow convergence can cause considerable periods of traffic loss

• STP could cause non-deterministic traffic flows/link load engineering

• STP convergence will causeLayer 3 convergence

• STP and Layer 3 timers are independent

• Unexpected Layer 3 convergence and re-convergence could occur

• Even if you do link the distribution switches dependence on STP and link state/connectivity can cause HSRP irregularities and unexpected state transitions


RST-203211208_05_2005_c2

What If You Don’t?Black Holes and Multiple ‘Transitions’…


RST-203211208_05_2005_c2

What If You Don’t?Return Path Traffic Black Holed…


RST-203211208_05_2005_c2

Layer2 Distribution InterconnectionRedundant Link from Access Layer Is Blocked

• Use only if Layer 2 VLAN spanning flexibility required

• STP convergence required for uplink failure/recovery

• More complex as STP root and HSRP should match

• Distribution to distribution link required for route summarization

Trunk

Layer 2

VLAN 20 DataVLAN 120 Voice

10.1.20.010.1.120.0


10.1.40.010.1.140.0

HSRP Activeand STP RootVLAN 20,140

HSRP Activeand STP RootVLAN 40,120

STP Model

Layer 2 Links

Layer 2 Links

SiSiSiSi

Access

Distribution


RST-203211208_05_2005_c2

Layer3 Distribution InterconnectionNo Spanning Tree—All Links Active

• Recommended ‘best practice’—tried and true

• No STP convergence required for uplink failure/recovery

• Distribution to distribution link required for route summarization

• Map L2 vlan number to L3 subnet for ease of use/management

Layer 3


10.1.20.010.1.120.0


10.1.40.010.1.140.0

HSRP ActiveVLAN 20,140

HSRP ActiveVLAN 40,120

HSRP Model

Layer 2 Links

Layer 2 Links

SiSiSiSi

Access

Distribution


RST-203211208_05_2005_c2

Layer3 Distribution InterconnectionGLBP Gateway Load Balancing Protocol

• Fully utilize uplinks via GLBP

• Distribution to distribution required for route summarization

• No STP convergence required for uplink failure/recovery

Layer 3


10.1.20.010.1.120.0


10.1.40.010.1.140.0

GLBP Model

Layer 2 Links

Layer 2 Links

SiSiSiSi

GLBP ActiveVLAN 20,120,40,140

GLBP ActiveVLAN 20,120, 40, 140

Access

Distribution


RST-203211208_05_2005_c2

Layer 3


10.1.20.010.1.120.0


10.1.40.010.1.140.0

Routed Model

Layer 3 Equal Cost

Links

Layer 3 Equal Cost

Links

SiSiSiSi

Layer3 Access to Distribution InterconnectionAll Links Are Routed

• Best option for FAST convergence• Equal cost L3 load balancing on all links • No spanning tree required for convergence• No HSRP/GLBP configuration required• Not widely deployed/no VLAN spanning possible

Access

Distribution


RST-203211208_05_2005_c2

RST-2031: Deploying a Fully Routed Enterprise Campus Network

PVST+, Rapid PVST+, or a Routing ProtocolSTP vs. Equal Cost Layer3 Links and Routing

• When comparing the traditional design to a routed access layer we found some interesting things to investigate:

OSPF SPF timer when failing distribution to access link

OSPF default route when restoring distribution switch

ARP resolution/scaling when restoring distribution switch





SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

0123456789

10

PVST+ Rapid PVST+ EIGRP OSPF

2950 (Cisco IOS) 3550 (Cisco IOS) 4507 (CatOS)

4507 (Cisco IOS) 6500 (CatOS) 6500 (Cisco IOS)

0123456789

10




Server Farm to Access

Access to Server Farm

Distribution to Access Link Failure

Tim

e in

Sec

onds

to

Co

nve

rge

Tim

e in

Sec

onds

to

Co

nve

rge

A B

SiSiSiSi

SiSiSiSi

All Sub-Second

All Sub-Second Approaching SONET Speeds



RST-203211208_05_2005_c2

05

101520

2530

354045




05

101520

2530

354045




Zero Packet Loss

As Much as 40 Seconds

of Loss

Four Seconds of Loss

SiSiSiSi

SiSiSiSi

Server Farm to Access

Access to Server Farm

Distribution to Access Link Failure

Tim

e in

Sec

onds

to

Co

nve

rge

Tim

e in

Sec

onds

to

Co

nve

rge


A B


RST-203211208_05_2005_c2

EIGRP vs. OSPF as Your IGPFeasible Successor vs. LSA’s and SPF’s

• Within the campus environment EIGRP provides for faster convergence and greater flexibility

• EIGRP provides for multiple levels of route summarization and route filtering which map to the multiple tiers of the campus

• OSPF implements throttles on LSA generation and SPF calculations which limit convergence times

• When routes are summarized and filtered only the distribution peers in an EIGRP network need to calculate new routes in event of link or node failure





SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

interface GigabitEthernet1/1ip hello-interval eigrp 100 1ip hold-time eigrp 100 3

router eigrp 100eigrp stub connected

EIGRP to the Edge Design Rules

• EIGRP in the distribution block is similar to EIGRP in the branch but tuned for speed

• Limit scope of queries to a single neighbor

• Summarize to campus core at the distribution layer

• Control route propagation to edge switch via distribute lists

• Configure all edge switches to use EIGRP ‘stub’

• Set hello and dead timers to ‘1’and ‘3’





SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

interface GigabitEthernet1/1ip ospf dead-interval minimal hello-multiplier 4

router ospf 100area 120 stub no-summarytimers throttle spf 10 100 5000timers throttle lsa all 10 100 5000timers lsa arrival 80

OSPF to the Edge Design Rules

• OSPF in the distribution block is similar to OSPF in the branch but tuned for speed

• Control number of routes and routers in each area

• Configure each distribution block as a separate totally stubby OSPF area

• Do not extend area 0 to theedge switch

• Tune OSPF millisecond hello, dead-interval, SPF, and LSA throttle timers





SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


RST-203211208_05_2005_c2

Agenda






• Summary


RST-203211208_05_2005_c2

Unauthorized Switch

Enterprise Server

Unauthorized Switch

Cisco SecureACS

Enterprise Server

PROBLEM: SOLUTION:

Mitigating Plug and PlayersProtecting Against Well-Intentioned Users

• Well intentioned users place unauthorized network devices on the network possibly causing instability

• Catalyst switches support rogue BPDU filtering: BPDU Guard, Root Guard

Incorrect STP Info

BPDU Guard

Network Instability

Authorized Switch

Authorized Switch

Root Guard


RST-203211208_05_2005_c2

BPDU GuardPrevent Loops via WLAN (Windows XP Bridging)

• WLAN AP’s do notforward BPDU’s

• Multiple Windows XPmachines can create aloop in the wired VLANvia the WLAN

• BPDU Guard configuredon all end station switch ports will prevent loopfrom forming

Win XPBridgingEnabled

Win XPBridgingEnabled

BPDU GuardDisables Port

STP LoopFormed

BPDUGenerated

BPDUDiscarded

PROBLEM:

SOLUTION:


RST-203211208_05_2005_c2

Problem: Prevalence of Rogue AP’sExample: 59 APs in Seven Miles in SJ Commute

• The majority of WLAN deployments are unauthorized by well intended employees (rogue APs)—many are insecure

• A daily drive to work taken within the car at normal speeds with an IPAQ running a freeware application (mix of residences and enterprises)

• Insecure enterprise rogueAP’s are a result of:

Well intentioned staff install dueto absence of sanctioned WLAN deployment

An infrastructure that is not “wireless ready” to protectagainst rogue AP’s

59 APs Found

InsecureAPs

War Chalking


RST-203211208_05_2005_c2

Basic 802.1x Access ControlControlling When and Where AP’s Are Connected

Authorized AP

Rogue AP

D on Authorized WLAN AP Ports

802.1x Enabled on “user” Facing

Ports

Authorized User

Who Are You?

I Am Joe Cisco

Who Are You?

CatOS Configuration Exampleset dot1x system-auth-control enableset dot1x guest-vlan 250set radius server 10.1.125.1 auth-port 1812 primaryset radius key cisco123set port dot1x 3/1-48 port-control auto

Cisco IOS Configuration Exampleradius-server host 10.1.125.1radius-server key cisco123aaa new-modelaaa authentication dot1x default group radiusaaa authorization default group radiusaaa authorization config-commandsdot1x system-auth-control

Cisco IOS Per-Port configurationint range fa3/1 - 48dot1x port-control auto

Disabled

SEC-2005: Understanding Identity-Based Networking Services

No 802.1xHere


RST-203211208_05_2005_c2

Securing Layer 2 from Surveillance AttacksCutting off MAC-Based Attacks

Port Security Limits MAC Flooding Attack and Locks down Port and

Sends an SNMP Trap

00:0e:00:aa:aa:aa00:0e:00:bb:bb:bb

“Script Kiddie” Hacking Tools Enable Attackers Flood Switch CAM Tables with Bogus Macs; Turning the VLAN into a “Hub”

and Eliminating Privacy

Switch CAM Table Limit Is Finite Number of Mac Addresses

Only 3 MAC Addresses Allowed on

the Port: Shutdown

250,000 Bogus MAC’sper Second

PROBLEM: SOLUTION:

switchport port-security switchport port-security maximum 3 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity


RST-203211208_05_2005_c2

DHCP SnoopingProtection Against Rogue/Malicious DHCP Server

• DHCP requests (discover) and responses (offer) tracked

• Rate-limit requests on trusted interfaces; limits DOS attacks on DHCP server

• Deny responses (offers) on non trusted interfaces; stop malicious or errant DHCP server

DHCP Server

1000s of DHCP Requests to Overrun the DHCP Server

1

2

DHCP RequestBog

us

DHCP

Respo

nse


RST-203211208_05_2005_c2

Securing Layer 2 from Surveillance AttacksProtection Against ARP Poisoning

• Dynamic ARP inspectionprotects against ARP poisoning (ettercap, dsnif, arpspoof)

• Uses the DHCP snooping binding table

• Tracks MAC to IP from DHCP transactions

• Rate-limits ARP requests from client ports; stop port scanning

• Drop BOGUS gratuitous ARP’s; stop ARP poisoning/MIM attacks

SiSiGateway = 10.1.1.1

MAC=A

Attacker = 10.1.1.25MAC=B

Victim = 10.1.1.50MAC=C

Gratuitous ARP10.1.1.1=MAC_B

Gratuitous ARP10.1.1.50=MAC_B


RST-203211208_05_2005_c2

IP Source GuardProtection Against Spoofed IP Addresses

• IP source guard protects against spoofed IP addresses

• Uses the DHCP snooping binding table

• Tracks IP address to port associations

• Dynamically programs port ACL to drop traffic not originating from IP address assigned via DHCP

SiSiGateway = 10.1.1.1

MAC=A

Attacker = 10.1.1.25 Victim = 10.1.1.50

Hey, I’m 10.1.1.50 !


RST-203211208_05_2005_c2

Catalyst Integrated Security FeaturesSummary Cisco IOS

• Port security prevents MAC flooding attacks

• DHCP snooping prevents client attack on the switch and server

• Dynamic ARP Inspection adds security to ARP using DHCP snooping table

• IP source guard adds security to IP source address using DHCP snooping table

ip dhcp snoopingip dhcp snooping vlan 2-10ip arp inspection vlan 2-10!interface fa3/1switchport port-securityswitchport port-security max 3switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivityip arp inspection limit rate 100ip dhcp snooping limit rate 100!Interface gigabit1/1ip dhcp snooping trustip arp inspection trust

IP Source Guard

Dynamic ARP Inspection

DHCP Snooping

Port Security

SEC-2002: Understanding and Preventing Layer 2 Attacks


RST-203211208_05_2005_c2

Agenda






• Summary


RST-203211208_05_2005_c2

VLAN 120 Voice10.1.120.0/24

Layer3 Distribution InterconnectionReference Design—No VLANs Span Access Layer

• Tune CEF load balancing

• Match CatOS/IOS Etherchannelsettings and tune load balancing

• Summarize routestowards core

• Limit redundant IGP peering

• STP Root and HSRP primary tuning or GLBP to load balance on uplinks

• Set trunk mode on/nonegotiate

• Disable Etherchannelunless needed

• Set Port Host on access layer ports:

Disable TrunkingDisable EtherchannelEnable PortFast

• RootGuard or BPDU-Guard

• Use security features

P-t-P Link

Layer 3

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Access

Distribution

Core


RST-203211208_05_2005_c2

VLAN 250 WLAN10.1.250.0/24

Layer 2 Distribution InterconnectionSome VLANs Span Access Layer

• Tune CEF load balancing• Match CatOS/IOS Etherchannel

settings and tune load balancing• Summarize routes towards core• Limit redundant IGP peering• STP Root and HSRP primary or GLBP

and STP port cost tuning to load balance on uplinks

• Set trunk mode on/nonegotiate• Disable Etherchannel unless needed• RootGuard on downlinks• LoopGuard on uplinks• Set port host on access

Layer ports:Disable trunkingDisable EtherchannelEnable PortFast


• Use security featuresVLAN 120 Voice

10.1.120.0/24

Trunk

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Layer 2

Access

Distribution

Core


RST-203211208_05_2005_c2

Routed AccessNo VLANs Span Access Layer

• Tune CEF load balancing

• Match CatOS/IOS Etherchannel settingsand tune load balancing

• Summarize routestowards core

• Filter routes towardsthe access

• Disable Etherchannelunless needed

• Set port host on access layer ports:

Disable TrunkingDisable EtherchannelEnable PortFast


• Use security featuresVLAN 120 Voice

10.1.120.0/24

P-t-P Link

Layer 3

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Access

Distribution

Core


RST-203211208_05_2005_c2

Agenda






• Summary


RST-203211208_05_2005_c2

SiSi SiSi

SiSiSiSi

SiSi SiSi


Access

Distribution

Core

Distribution

Access

Data Center

• Offers hierarchy – each layer has specific role

• Modular topology - building blocks

• Easy to grow, understand, and troubleshoot

• Creates small fault domains – Clear demarcations and isolation

• Promotes load balancing and redundancy

• Promotes deterministic traffic patterns

• Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both

• Utilizes Layer 3 Routing for load balancing, fast convergence, scalability, and control


RST-203211208_05_2005_c2

SiSi SiSi

SiSiSiSi

SiSi SiSi

Access

Distribution

Core

Distribution

Access

• Build triangles not squares to take advantage of equal cost redundant paths for best/deterministic convergence

• Utilize equal cost redundant connections to Core for fastest convergence and to avoid black holes

• Link distribution to distribution to facilitate summarization and L2 spanning where required

• Utilize GLBP/HSRP mili-second timers• Tune GLBP/HSRP preempt delay to avoid

black holes• Tune Etherchannel and CEF load balancing

to insure optimum utilization of redundant/equal cost links

• Limit VLAN’s to a single closet when ever possible to limit STP boundaries.

• If STP required utilize rapid PVST+• Set trunks to ON/ON no-negotiate• Match PaGP settings CatOS/Cisco IOS• Consider EIGRP/routing in the access

Optimizing Convergence

Q and A


RST-203211208_05_2005_c2


RST-203211208_05_2005_c2


SpanningTreeRouting

HSRP

GLBP

Trunking

LoadBalancing

Access

Distribution

Core

Distribution

Access

SiSi SiSi

SiSiSiSi

SiSi SiSi

Data Center


RST-203211208_05_2005_c2

Reference Materials

http://www.cisco.com/go/srnd

• High Availability Campus Design Guide

• High Availability Campus Convergence Analysis

• High Availability Campus Design Guide – Routed Access EIGRP (soon)

• High Availability Campus Design Guide – Routed Access OSPF (soon)


RST-203211208_05_2005_c2

Recommended Reading

• Continue your Networkerslearning experience with further reading for this session from Cisco Press

• Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


RST-203211208_05_2005_c2

Documents

Campus_Multilayer_Arch_Design_Guide