Upload
nelson-rodriguez
View
2.923
Download
0
Embed Size (px)
Citation preview
1© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
CAMPUS NETWORK MULTILAYER ARCHITECTURE AND DESIGN GUIDELINESSESSION RST-2032
222© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
High-Availability Networking in the Campus
Reinforced Network Infrastructure:Infrastructure Security HardeningDevice-Level and Software Resiliency
Real World Network Design:Hierarchical Network Design—Structured Modular Foundation
Network Operations:Best Practices
Real-Time Network Management:Best Practices
Best-in-Class Support:TAC, CA, Etc.
333© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
What Is High Availability?
DPM—Defects per Million
Availability Downtime Per Year (24x365)
99.000%
99.500%
99.900%
99.950%
99.990%
99.999%
99.9999%
3 Days
1 Day
53 Minutes
5 Minutes
30 Seconds
15 Hours
19 Hours
8 Hours
4 Hours
36 Minutes
48 Minutes
46 Minutes
23 Minutes
DPM
10000
5000
1000
500
100
10
1
“High Availability”
444© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
What If You Could…Reduce Cost Through Diminished Risk of Downtime
• Costs for downtime are highOne day cost of lost productivity = $1,644 per employee
100 person office = $164K per day
• More than just a datanetwork outage
• More than just revenue impacted
Revenue lossProductivity lossImpaired financial performanceDamaged reputationRecovery expenses
Source: Meta Group444
$ 205$1,010,536Average
$ 107$ 668,586Transportation
$ 244$1,107,274Retail
$ 370$1,202,444Insurance
$1,079$1,495,134Financial Institution
$ 134$1,610,654Manufacturing
$ 186$2,066,245Telecommunications
$ 569$2,817,846Energy
Revenue/ Employee-
HourRevenue/HourIndustry Sector
555© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Agenda
• Multilayer Campus Design Principals
• Foundation Services
• Campus Design Best Practices
• Security Considerations
• Putting It All Together
• Summary
666© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
SiSi SiSi
SiSiSiSi
SiSi SiSi
Multilayer Network DesignWithout a Rock Solid Foundation the Rest Doesn’t Matter
Data CenterAccess
Distribution
Core
Distribution
Access• Offers hierarchy – each layer has specific
role
• Modular topology - building blocks
• Easy to grow, understand, and troubleshoot
• Creates small fault domains – Clear demarcations and isolation
• Promotes load balancing and redundancy
• Promotes deterministic traffic patterns
• Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
• Utilizes Layer 3 Routing for load balancing, fast convergence, scalability, and control
777© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Defining the Access Layer
• Aggregates network end-points• Layer 2/Layer 3 feature rich
environment; convergence, HA, security, QoS, IP multicast, etc
• Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping
• Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, etc.
• Catalyst® integrated security features IBNS (802.1x), (CISF): port security, DHCP snooping, DAI, IPSG, etc.
• Automatic phone discovery, conditional trust boundary, power over Ethernet, auxiliary VLAN, etc.
• Spanning tree toolkit: Portfast, UplinkFast, BackboneFast, LoopGuard, BPDUGuard, BPDUFilter, RootGuard, etc.
To Core
SiSi SiSi
Access
Distribution
888© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Defining the Distribution Layer
• Availability, load balancing, QoS and provisioning are the important considerations at this layer
• Aggregates wiring closets (access layer) and uplinks to core
• Use Layer 3 switching in the distribution layer
• Protects core from high density peering and problems in access layer
• Spanning tree features:Only if you need them:setting STP Root, Root GuardRapid PVST+—Per VLAN 802.1w
• Route summarization, fast convergence, redundant pathload sharing
• HSRP or GLBP to provide first hop redundancy
SiSiSiSi SiSi SiSi
Access
Distribution
999© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Defining the Core Layer
• Backbone for the network—connects network building blocks
• Performance and stability vs. complexity—less is more in the core
• Aggregation point for distribution layer
• Separate core layer helps in scalability during future growth
• Keep the design technology-independent
Access
Distribution
Core
101010© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Do I Need a Core Layer?For Optimum Convergence—Yes
No Core• Fully meshed
distribution layers• Aggregation point for distribution
layer• Core layer is required to scale
campus networksPhysical cabling requirementsRouting complexity
Dedicated Core Switches• Easier to add a module• Fewer links in the core• Easier bandwidth upgrade• Routing protocol peering reduced• Equal cost Layer 3 links for best
convergence
Distribution 2
Dis
trib
uti
on
1
Distrib
utio
n 3
Distribution 2D
istr
ibu
tio
n 1 D
istribu
tion
3
111111© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Optimal RedundancyWhen Is More Less?
• Core and distribution engineered with redundant nodesand links toprovide maximum redundancy and optimal convergence
• Network bandwidth and capacity engineered to withstand nodeor link failure
• 120–200ms to converge around most events
Access
Distribution
Core
Distribution
Access
Data CenterWAN Internet
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSiSiSi SiSi
SiSi SiSi
RedundantNodes
121212© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Single Points of TerminationSSO/NSF Avoiding Total Network Outage
• The access layer is candidate for supervisor redundancy• L2 access layer SSO• L3 access layer SSO and NSF• Network outage until physical replacement or reload vs
one to three seconds
Core
Distribution
Access
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
L2 = SSOL3 = SSO/NSF
131313© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Agenda
• Multilayer Campus Design Principals
• Foundation Services
• Campus Design Best Practices
• Security Considerations
• Putting It All Together
• Summary
141414© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
ESE Campus Solution Test BedVerified Design Recommendations
Data CenterWAN Internet
SiSi SiSi SiSi SiSi SiSi SiSi
SiSi SiSi
SiSi SiSiSiSi SiSi
SiSi SiSi
Total of 68 Access Switches, 2950, 2970, 3550, 3560, 3750, 4507 SupII+, 4507SupIV, 6500
Sup2, 6500 Sup32, 6500 Sup720 and 40 APs (1200)
6500 with Redundant Sup720s
Three Distribution Blocks6500 with Redundant Sup720
4507 with Redundant SupV
Three Distribution Blocks6500 with Redundant Sup720s
7206VXR NPEG1
4500 SupII+, 6500 Sup720, FWSM, WLSM, IDSM2, MWAM
151515© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Foundation Services
• Layer 3 routing protocols
• Layer 2 redundancy—spanning treePVST+ - STP (802.1D-1998)
Rapid PVST+ - RSTP (802.D-2004)
• Unidirectional link detection
• Trunking protocols—(isl/.1q)
• Load balancingEtherchannel link aggregation
CEF equal cost load balancing
• First hop redundancy protocolsVRRP, HSRP, and GLBP
• Quality of service SpanningTreeRouting
HSRP
GLBP
Trunking
LoadBalancing
161616© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—Layer 3 Routing Protocols
• Typically deployed in distribution to core, and core to core interconnections
• Used to quickly re-route around failed node/links while providing load balancing over redundant paths
• Build triangles not squares for deterministic convergence
• Only peer on links that you intend to use as transit
• Insure redundant L3 paths to avoid black holes
• Summarize distribution to core to limit EIGRP query diameter or OSPF LSA propagation
• Tune CEF L3/L4 load balancing hash to achieve maximum utilization of equal cost paths (CEF polarization)
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
171717© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practice—Build Triangles Not SquaresDeterministic vs. Non-Deterministic
• Layer 3 redundant equal cost links support fast convergence
• Hardware based—fast recovery to remaining path • Convergence is extremely fast (dual equal-cost paths: no need for
OSPF or EIGRP to recalculate a new path)
Triangles: Link/Box Failure Does NOT Require Routing Protocol Convergence
Model A
Squares: Link/Box Failure Requires Routing Protocol Convergence
Model B
SiSi
SiSiSiSi
SiSi SiSi
SiSiSiSi
SiSi
181818© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practice—Passive Interfaces for IGPLimit OSPF and EIGRP Peering Through the Access Layer
Limit unnecessary peeringWithout passive interface:
• Four VLANs per wiring closet,
• 12 adjacencies total
• Memory and CPU requirements increase with no real benefit
• Creates overhead for IGP
RoutingUpdates
OSPF Example:
Router(config)#router ospf 1Router(config-router)#passive-interface Vlan 99
Router(config)#router ospf 1Router(config-router)#passive-interface defaultRouter(config-router)#no passive-interface Vlan 99
EIGRP Example:
Router(config)#router eigrp 1Router(config-router)#passive-interface Vlan 99
Router(config)#router eigrp 1Router(config-router)#passive-interface defaultRouter(config-router)#no passive-interface Vlan 99
Distribution
Access
SiSiSiSi
191919© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Provide Alternate Paths
• What happens if fails?
• No route to the core anymore?
• Allow the traffic to go through the access?
Do you want to use your access switches as transit nodes?
How do you design for scalability if the access usedfor transit traffic?
• Install a redundant link to the core
• Best practice: install redundant link to core and utilize L3 link between distribution Layer (summarization—coming)
Single Pathto Core
A B
SiSiSiSi
SiSiSiSi
Traffic Dropped
with No Route to Core
Access
Distribution
Core
202020© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
10.1.1.a/2410.1.1.b/24
Why You Want to Summarize at the DistributionLimit EIGRP Queries and OSPF LSA Propagation
• It is important to force summarization at the distribution towards the core
• For return path traffic an OSPF or EIGRP re-route is required
• By limiting the number of peers an EIGRP router must query or the number of LSA’san OSPF peer must process we can optimize this re-route
• EIGRP example:
SiSiSiSi
SiSi SiSi
Traffic Dropped
Until IGP Converges
No SummariesQueries Go Beyond the Core
Rest of Network
interface Port-channel1description to Core#1ip address 10.122.0.34 255.255.255.252ip hello-interval eigrp 100 1ip hold-time eigrp 100 3ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
Access
Distribution
Core
212121© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Why You Want to Summarize at the DistributionReduce the Complexity of IGP Convergence
• It is important to force summarization at the distribution towards the core
• For return path traffic an OSPF or EIGRP re-route is required
• By limiting the number of peersan EIGRP router must query orthe number of LSA’s an OSPF|peer must process we canoptimize his re-route
• For EIGRP if we summarize at the distribution we stop queries at the core boxes for an accesslayer ‘flap’
• For OSPF when we summarize at the distribution (area border or L1/L2 border) the floodingof LSA’s is limited to the distribution switches; SPF now deals with one LSA not three
10.1.1.a/2410.1.1.b/24
SummariesStop Queries at the Core
Rest of Network
SiSiSiSi
SiSi SiSi
Traffic Dropped
Until IGP Converges
Summary:10.1.0.0/16
Access
Distribution
Core
222222© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practice—Summarize at the DistributionGotcha—Distribution to Distribution Link Required
• Best practice—summarize at the distribution layer to limit EIGRP queries or OSPF LSA propagation
• Gotcha:Upstream: HSRP on leftdistribution takes over whenlink failsReturn path: old router still advertises summary to coreReturn traffic is dropped on right distribution switch
• Summarizing requires a link between the distribution switches
• Alternative design: Use the access layer for transit 10.1.1.a/2410.1.1.b/24
Summary:10.1.0.0/16
SiSiSiSi
SiSi SiSi
Traffic Dropped
with No Route
Access
Distribution
Core
232323© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
CEF Load BalancingAvoid Underutilizing Redundant Layer 3 Paths
• CEF polarization: without some tuning CEF will select the same path left/left or right/right
• Imbalance/overloadcould occur
• Redundant paths are ignored/underutilized
• The default CEF hash ‘input’ is L3
• We can change the default to use L3 + L4 information as ‘input’ to the hash derivation
SiSiSiSi
SiSi SiSi
SiSi SiSi
L
L
R
R
Redundant Paths Ignored
DistributionDefault L3 Hash
CoreDefault L3 Hash
DistributionDefault L3 Hash
242424© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
CEF Load BalancingChange the Input—Get Different Output
• CEF uses a multi-step process to make final forwarding decision
• First it determines the longest path match for the destination address viaan hardware lookup
• Each specific index is associated with a next hop adjacencies table
• Default: using the packet source and destination IP address one of the possible adjacencies is selected via a HW hash
• Tweak: using the packet source and destination IP address and port information one of the possible adjacencies is selected via a HW hash
• New MAC address is attached and packet is forwarded
• If you change the input to the hash you will change the output
• Changing the default from L3 to L3/L4 causes different hashes to be derived
Src IP| Dst IP | Src Port | Dst Port
Hardware Lookup
HashSelect
Specific Adjacency Based on
Hash
Src IP| Dst IP | Src Port | Dst PortMAC Re-Write Src IP| Dst IP | Src Port | Dst PortMAC Re-Write
252525© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
CEF Load BalancingAvoid Underutilizing Redundant Layer 3 Paths
• Without some tuning CEF will select the same path left/left or right/right and imbalance/ overload could occur (redundant paths ignored)
• Alternating L3/L4 hash and default L3 hash will give us the best load balancing results
• The default is L3 hash—no modification required in core
• In the distribution switches use:
mls ip cef load-sharing full
to achieve better distribution and avoid underutilization of redundant L3 paths
SiSiSiSi
SiSi SiSi
SiSi SiSi
RL
RL
RL
All Paths Used
DistributionL3/L4 Hash
CoreDefault L3 Hash
DistributionL3/L4 Hash
262626© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Spanning Tree
• Highly available environments require redundant paths to ensure connectivity in the event of a node or link failure
• Spanning tree ensures a loop-free topology and provides backup links when there are redundant paths in the network
A
B
802.1D-1998: Classic Spanning Tree Protocol (STP)
802.1D-2004: Rapid Spanning Tree Protocol (RSTP—Was 802.1w)
802.1s: Multiple Spanning TreeProtocol (MST)
802.1t: 802.1d Maintenance 802.1Q: VLAN Tagging (Trunking)
272727© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
PVST+ and Rapid PVST+, MSTSpanning Tree Toolkit, 802.1d, 802.1s, 802.1w
• PVST+: an instance of STP (802.1d) per VLAN + Portfast, Uplinkfast, BackboneFast, BPDUGuard, BPDUFilter, RootGuard, and LoopGuard
• Rapid PVST+: an instance of RSTP (802.1w) per VLAN + Portfast, BPDUGuard, BPDUFilter, RootGuard, and LoopGuard
• MST (802.1s): up to 16 instances of RSTP (802.1w); combining many VLANS with the same physical and logical topology into a common RSTP instance; additionally Portfast, BPDUGuard, BPDUFilter, RootGuard, and LoopGuard are supportedwith MST
282828© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Spanning Tree Toolkit
• PortFast*: Bypass listening-learning phase for access port
• UplinkFast: Three to five seconds convergence after link failure
• BackboneFast: Cuts convergence time by Max_Age for indirect failure
• LoopGuard*: Prevents alternate or root port to become designated in absence of BPDUs
• RootGuard*: Prevents external switches from becoming root
• BPDUGuard*: Disable PortFast enabled port if a BPDU is received
• BPDUFilter*: Do not send or receive BPDUs on PortFast enabled ports
Wiring ClosetSwitch
DistributionSwitches
Root
F
F
F F
F
XB
SiSi SiSi
* Also Supported with MST and Rapid PVST+
292929© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—Spanning Configuration
• ONLY when you have to!• More common in the
data center
• Required when a VLAN spans access layer switches
• Required to protect against ‘user side’ loops
• Use Rapid PVST+ for best convergence
• Take advantage of the Spanning Tree Toolkit
RootGuard to keep rogue switch from becoming rootBPDUGuard to keep rogue switch from participating in STP topologyLoopGuard to partition the network in the event of an STP failure (loss of BPDU’s)
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
Layer2 Loops
Same VLAN Same VLAN Same VLAN
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
303030© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
0
5
10
15
20
25
30
35
Tim
ed t
o C
onve
rge
in
Sec
onds
PVST+ Rapid PVST+
To Access To Server Farm
Optimizing Convergence: PVST+ or Rapid PVST+802.1d + Extensions or 802.1s + Extensions
• Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP
• Rapid-PVST+ also greatly improves convergence time over Backbone fast for any indirect link failures
30 Seconds of Delay/Loss
Tuned Away
313131© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—UDLD Configuration
• Typically deployed on any fiber optic interconnection
• Use UDLD aggressive mode for best protection
• Turn on in global configuration to avoid operational error/“misses”
• Config exampleCisco IOS: udldaggressive
CatOS: set udld enableset udld aggressive-mode enable <mod/port>
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
Fiber Interconnections
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
323232© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Unidirectional Link DetectionProtecting Against One Way Communication
• Highly available networks require UDLD to protect against one way communication or partially failed links and the effect that they could have on protocols like STP and RSTP
• Primarily used on fiber optic links where patch panel errors could cause link up/up with miss matched transmit/receive pairs
• Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the port's own device/port ID, and the neighbor's device/port IDs seen by UDLD on that port
• Neighboring ports should see their own device/port ID (echo) in the packets received from the other side
• If the port does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the link is considered unidirectional and is shutdown
Are You ‘Echoing’
My Hellos?
SiSi
SiSi
333333© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—Trunk Configuration
• Typically deployed on interconnection between access and distribution layers
• Use VTP transparent mode to decrease potential for operational error
• Hard set trunk mode to on and encapsulation negotiate off for optimal convergence
• Change the native VLAN to something unused to avoid VLAN hopping
• Manually prune all VLANS except those needed
• Disable on host ports:CatOS: set port hostCisco IOS: switchport host
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
802.1q Trunks
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
343434© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VTP Virtual Trunk Protocol
• Centralized VLAN management
• VTP server switch propagates VLAN database to VTPclient switches
• Runs only on trunks
• Four modes:Server: updates clientsand servers
Client: receive updates—cannot make changes
Transparent: let updates pass through
Off: ignores VTP updates
FServer
Set VLAN 50
Trunk
Trunk Trunk
Client
Off
Trunk
A
B
C
Client
Transparent
Ok, I Just Learnt
VLAN 50!
Drop VTP
Updates
Pass Through Update
Ok, I Just Learnt
VLAN 50!
353535© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
DTP Dynamic Trunk Protocol
• Automatic formation of trunked switch to switch interconnection
On: always be a trunk
Desirable: ask if the other side can/will
Auto: if the other sides asks I will
Off: don’t become a trunk
• Negotiation of 802.1Q or ISL encapsulation
ISL: try to use ISL trunk encapsulation
802.1q: try to use 802.1q encapsulation
Negotiate: negotiate ISL or 802.1q encapsulation with peer
Non-negotiate: always use encapsulation that is hardset
On/OnTrunk
Auto/DesirableTrunk
Off/OffNO Trunk
Off/On, Auto, DesirableNO Trunk
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSiSiSi
363636© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
0
0.5
1
1.5
2
2.5
Tim
e to
Con
verg
e in
Sec
onds
Trunking Desirable Trunking Nonegotiate
3550 (Cisco IOS)4006 (CatOS)4507 (Cisco IOS)6500 (CatOS)
Optimizing Convergence: Trunk TuningTrunk Auto/Desirable Takes Some Time
• DTP negotiation tuning improves link up convergence timeCatOS> (enable) set trunk <port> nonegotiate dot1q <vlan>
IOS(config-if)# switchport mode trunk
IOS(config-if)# switchport nonegotiate
Voice Data
Two Seconds of Delay/Loss Tuned Away
SiSi
373737© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—EtherChannel Configuration
• Typically deployed in distribution to core, and coreto core interconnections
• Used to provide link redundancy—while reducing peering complexity
• Tune L3/L4 load balancing hash to achieve maximum utilization of channel members
• Match CatOS and Cisco IOS PAgP settings
• 802.3ad LACP for interop if you need it
• Disable unless neededCatOS: set port host
Cisco IOS: switchport hostData CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
383838© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
EtherChannel Load BalancingAvoid Underutilizing Redundant Layer 2 Paths
• Network did not load balance using default L3 load balancing hash
Common IP addressing scheme
72 access subnets addressed uniformly from 10.120.x.10 to 10.120.x.215
• Converted to L4 load balancing hash and achieved better load sharing
cr2-6500-1(config)#port-channel load-balance src-dst-port
Link 0 load—68%
Link 1 load—32%
Link 0 load—52%
Link 1 Load—48%
L3 Hash
L4 Hash
SiSi
SiSiSiSi
SiSi
393939© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
PAgP Port Aggregation Protocol
• Automatic formation of bundled redundant switch to switch interconnection
On: always be a channel/bundle member
Desirable: ask if the other side can/will
Auto: if the other sidesasks I will
Off: don’t become a member of a channel/bundle
On/OnChannel
On/OffNo Channel
Auto/DesirableChannel
Off/On, Auto, DesirableNO Channel
SiSi SiSi
SiSi SiSi
SiSi SiSi
SiSiSiSi
404040© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
PAgP TuningPAgP Default Mismatches
Matching EtherChannel Configuration on Both Sides Improves Link Restoration Convergence Timesset port channel <mod/port> off
0
1
2
3
4
5
6
7
Tim
e to
Co
nve
rge
in
Sec
on
ds
PAgP Mismatch PAgP Off
6500 (CatOS)4506 (CatOS)
As Much As Seven Seconds of Delay/Loss Tuned Away
414141© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—First Hop Redundancy
• Used to provide a resilient default gateway/first hop address to end stations
• HSRP, VRRP, and GLBP alternatives
• VRRP, HSRP and GLBPprovide millisecond timersand excellent convergence performance
• VRRP if you need multi-vendor interoperability
• GLBP facilitates uplink load balancing
• Preempt timers need tobe tuned to avoid black-holed traffic Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
1st Hop Redundancy
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
424242© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
First Hop Redundancy with VRRPIETF Standard RFC 2338 (April 1998)
• A group of routers function as one virtual router by sharing ONE virtual IP address and one virtual MAC address
• One (master) router performs packet forwarding for local hosts
• The rest of the routers act as “back up” in case the master router fails
• Backup routers stay idle as far as packet forwarding from the client side is concerned
R1—Master, Forwarding Traffic; R2,—BackupVRRP ACTIVE VRRP BACKUP
IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0000.5e00.0101
IP: 10.0.0.253MAC: 0000.0C78.9abcvIP:vMAC:
IP: 10.0.0.1MAC: aaaa.aaaa.aa01GW: 10.0.0.10ARP: 0000.5e00.0101
IP: 10.0.0.2MAC: aaaa.aaaa.aa02GW: 10.0.0.10ARP: 0000.5e00.0101
IP: 10.0.0.3MAC: aaaa.aaaa.aa03GW: 10.0.0.10ARP: 0000.5e00.0101
SiSiSiSi
Access-a
Distribution-AVRRP Active
Distribution-BVRRP Backup
R1 R2
434343© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
First Hop Redundancy with HSRPCisco Informational RFC 2281 (March 1998)
• A group of routers function as one virtual router by sharing ONE virtual IP address and one virtual MAC address
• One (active) router performs packet forwarding for local hosts
• The rest of the routers provide “hot standby”in case the activerouter fails
• Standby routers stayidle as far as packet forwarding from theclient side is concerned
IP: 10.0.0.1MAC: aaaa.aaaa.aa01GW: 10.0.0.10ARP: 0000.0c07.ac00
SiSiSiSi
Access-a
Distribution-AVRRP Active
Distribution-BVRRP Backup
R1
VRRP ACTIVE VRRP STANDBYIP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0000.0c07.ac00
IP: 10.0.0.253MAC: 0000.0C78.9abcvIP:vMAC:
IP: 10.0.0.2MAC: aaaa.aaaa.aa02GW: 10.0.0.10ARP: 0000.0c07.ac00
IP: 10.0.0.3MAC: aaaa.aaaa.aa03GW: 10.0.0.10ARP: 0000.0c07.ac00
R1—Active, Forwarding Traffic; R2—Hot Standby, Idle
R2
444444© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Optimizing Convergence: HSRP TimersHSRP Millisecond Convergence
• HSRP = default gateway redundancy; effects trafficout of the access layerinterface Vlan5description Data VLAN for 6k-accessip address 10.1.5.3 255.255.255.0ip helper-address 10.5.10.20no ip redirectsip pim query-interval 250 msecip pim sparse-modelogging event link-statusstandby 1 ip 10.1.5.1standby 1 timers msec 200 msec 750standby 1 priority 150standby 1 preemptstandby 1 preempt delay minimum 180
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
Layer 2 Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
454545© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
0
5
10
15
20
25
30
Tim
e to
Co
nve
rge
in S
eco
nd
s
No Preempt Delay Prempt Delay Tuned
3550 (Cisco IOS)2950 (Cisco IOS)4506 (CatOS)4507 (Cisco IOS)6500 (CatOS)6500 (Cisco IOS)
Optimizing Convergence: HSRP Preempt DelayPreempt Delay Needs to Be Longer Than Box Boot Time
More Than 30 Seconds of
Delay/Loss Tuned Away
Without Increased Preempt Delay HSRP Can Go Active Before Box Completely Ready to Forward Traffic L1 (Boards), L2 (STP), L3 (IGP Convergence)standby 1 preempt delay minimum 180
Test Tool Timeout—30 Seconds
464646© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
First Hop Redundancy with GLBPCisco Designed, Load Sharing, Patent Pending
• All the benefits of HSRP plus load balancing of default gateway à utilizes all available bandwidth
• A group of routers function as one virtual router by sharing one virtual IP address but using multiple virtual MAC addresses for traffic forwarding
• Allows traffic from a single common subnet to go through multiple redundant gateways using a single virtual IP address
GLBP AVG/AVF,SVF GLBP AVF,SVF
R1- AVG; R1, R2 Both Forward Traffic
IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0007.b400.0101
IP: 10.0.0.253MAC: 0000.0C78.9abcvIP: 10.0.0.10vMAC: 0007.b400.0102
IP: 10.0.0.1MAC: aaaa.aaaa.aa01GW: 10.0.0.10ARP: 0007.B400.0101
IP: 10.0.0.2MAC: aaaa.aaaa.aa02GW: 10.0.0.10ARP: 0007.B400.0102
IP: 10.0.0.3MAC: aaaa.aaaa.aa03GW: 10.0.0.10ARP: 0007.B400.0101
SiSiSiSi
Access-a
Distribution-AGLBP AVG/AVF, SVF
Distribution-BGLPB AVF,SVF
R1
474747© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
First Hop Redundancy with Load BalancingCisco Gateway Load Balancing Protocol (GLBP)
• Each member of a GLBP redundancy group owns a unique virtual MACaddress for a common IP address/default gateway
• When end stations ARP for the common IP address/default gateway they are given a load balanced virtual MAC address
• Host A and host B send traffic to different GLBP peers but have the same default gateway
10.88.1.0/24
.5.4
.1 .2
vIP10.88.1.10
GLBP 1 ip 10.88.1.10vMAC 0000.0000.0001
GLBP 1 ip 10.88.1.10vMAC 0000.0000.0002
ARPs for 10.88.1.10Gets MAC 0000.0000.0001
ARPs for 10.88.1.10Gets MAC 0000.0000.0002
A B
R1 R2ARP
Reply
484848© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
0
0.2
0.4
0.6
0.8
1
1.2
Longest Shortest AverageTim
e in
Sec
on
ds
to C
on
verg
e
VRRP HSRP GLBP
SiSiSiSi
50% of Flows Have ZERO
Loss W/ GLBP
Optimizing Convergence: VRRP, HSRP, GLBP Mean, Max, and Min—Are There Differences?
• VRRP does not have sub-second timers and all flows go through a common VRRP peer; mean, max, and min are equal
• HSRP has sub-second timers; however all flows go through same HSRP peer so there is no difference between mean, max, and min
• GLBP has sub-second timers and distributes the load amongstthe GLBP peers; so 50% of the clients are not effected by anuplink failure
GLBP Is 50% Better
Distribution to Access Link FailureAccess to Server Farm
494949© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
• Both distribution switches act as default gateway• Blocked uplink caused traffic to take less than optimal path
VLAN 3VLAN 2
F 2
F 2
B 2B 2 F: Forwarding
B: Blocking
Access-b
SiSiSiSi
Core
Access-a
Distribution-AGLBP Virtual MAC 1
If You Span VLANS Tuning RequiredBy Default Half the Traffic Will Take a 2 Hop L2 Path
Distribution-BGLBP Virtual MAC 2
AccessLayer 2AccessLayer 2
DistributionLayer 2/3
CoreLayer 3
505050© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VLAN 2VLAN 2
Access-b
SiSiSiSi
Core
Access-a
Distribution-AGLBP Virtual MAC 1
Distribution-BGLBP Virtual MAC 2
B x STP Port Cost
Increased
GLBP + STP turningChange Port Cost to Change the Blocking Interfaces
Force STP to Block the Interface Between the Distribution Switches
AccessLayer 2AccessLayer 2
DistributionLayer 2/3
CoreLayer 3
515151© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Best Practices—Quality of Service
• Must be deployed end-to-end to be effective; all layers play different but equal roles
• Ensure that mission critical applications are not impacted by link or transmit queue congestion
• Aggregation and rate transition points must enforce QoS policies
• Multiple queues with configurable admission criteria and schedulingare required
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
End to End QoS
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
525252© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Transmit Queue Congestion
WAN
Router
128k Uplink10/100m Queued
Access Switch
100 Meg Link1 Gig Link Queued
Distribution Switch
100 Meg in 128 Kb/S out—Packets Serialize in Faster Than They Serialize outPackets Queued as They Wait to Serialize out Slower Link
1 Gig In 100 Meg out—Packets Serialize in Faster Than They Serialize outPackets Queued as They Wait to Serialize out Slower Link
535353© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
SiSi
SiSi TX
RX
RX
RX
RX
Enabling QoS in the Campus Scheduling in the Campus
• Scavenger traffic is assigned it’s own queue/threshold
• Scavenger queue is shallow with a large burst to penalize sustained loads
• Multiple queues are the only way to “guarantee”voice quality, protect mission critical and throttle abnormal sources
• Cisco switches have multiple queues
Gold
Data
Scavenger
Voice
Police and Mark Anomalies
Scavenger Queue
Aggressive Drop
Voice Put into Delay/Drop
Sensitive Queue
Throttle
RST-2501: Campus QoS Design
545454© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Agenda
• Multilayer Campus Design Principals
• Foundation Services
• Campus Design Best Practices
• Security Considerations
• Putting It All Together
• Summary
555555© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Campus Design Best Practices
• Daisy chaining dangers
• A note on asymmetric routing and unicast flooding
• Where’s your Layer 2/3 boundary?
• What L2/3 protocols do run where and why?
Access
Distribution
Core
Distribution
Access
SiSi SiSi
SiSiSiSi
SiSi SiSi
565656© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VLAN 2VLAN 2
Distribution-A Distribution-B
Access-cAccess-a
Layer 3 Link
Access-n
VLAN 2
50% Chance That Traffic Will Go Down Path with
No Connectivity
Traffic Dropped with
No Path to
Destination
Daisy Chaining Access Layer SwitchesAvoid Potential Black Holes
Return Path Traffic Has a 50/50 Chance of Being ‘Black Holed’
SiSiSiSi
SiSiSiSi
AccessLayer 2AccessLayer 2
DistributionLayer 2/3
CoreLayer 3
575757© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Daisy Chaining Access Layer SwitchesNew Technology Addresses Old Problems
• Stackwise technology eliminates the concernLoopback links not requiredNo longer forced to have L2 link in distribution
• If you use modular (chassis based) switches these problems are not a concern
HSRP Active
HSRP Standby
Forwarding
Forwarding
3750
SiSi
SiSi
Layer 3
585858© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Campus Design Best Practices
• Daisy chaining dangers
• A note on asymmetric routing and unicast flooding
• Where’s your Layer 2/3 boundary?
• What L2/3 protocols do run where and why?
Access
Distribution
Core
Distribution
Access
SiSi SiSi
SiSiSiSi
SiSi SiSi
595959© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VLAN 2VLAN 2
Asymmetric Routing (Unicast Flooding)
• Affects redundant topologies with shared L2 access
• One path upstream and two paths downstream
• CAM table entry ages out on standby HSRP
• Without a CAM entry packet is flooded to all ports in the VLAN
DownstreamPacket
Flooded
Upstream PacketUnicast to Active
HSRP
AsymmetricEqual CostReturn Path
CAM Timer Has Aged out on
Standby HSRP
VLAN 2 VLAN 2
SiSiSiSi
606060© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VLAN 2
Best Practices Prevent Unicast Flooding
• Assign one unique data and voice VLAN to each access switch
• Traffic is now only flooded downone trunk
• Access switch unicasts correctly;no flooding toall ports
• If you have to:Tune ARP and CAM aging timers; CAM timer exceeds ARP timerBias routing metrics to remove equal cost routes
DownstreamPacket
Flooded on Single Port
Upstream PacketUnicast to Active
HSRP
AsymmetricEqual CostReturn Path
SiSiSiSi
VLAN 3 VLAN 4 VLAN 5
616161© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
SiSi SiSi
SiSiSiSi
SiSi SiSi
Campus Design Best Practices
• Daisy chaining dangers
• A note on asymmetric routing and unicast flooding
• Where’s your Layer 2/3 boundary?
• What L2/3 protocols do run where and why?
Access
Distribution
Core
Distribution
Access
626262© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Keep Redundancy Simple
“If Some Redundancy Is Good, More Redundancy Is NOT Better”
• Root placement?
• How many blocked links?
• Convergence?
• Complex fault resolution
636363© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
But Don’t Go Too Far…What Happens if You Don’t Link the Distributions?
• STP’s slow convergence can cause considerable periods of traffic loss
• STP could cause non-deterministic traffic flows/link load engineering
• STP convergence will causeLayer 3 convergence
• STP and Layer 3 timers are independent
• Unexpected Layer 3 convergence and re-convergence could occur
• Even if you do link the distribution switches dependence on STP and link state/connectivity can cause HSRP irregularities and unexpected state transitions
646464© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
What If You Don’t?Black Holes and Multiple ‘Transitions’…
656565© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
What If You Don’t?Return Path Traffic Black Holed…
666666© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Layer2 Distribution InterconnectionRedundant Link from Access Layer Is Blocked
• Use only if Layer 2 VLAN spanning flexibility required
• STP convergence required for uplink failure/recovery
• More complex as STP root and HSRP should match
• Distribution to distribution link required for route summarization
Trunk
Layer 2
VLAN 20 DataVLAN 120 Voice
10.1.20.010.1.120.0
VLAN 40 DataVLAN 140 Voice
10.1.40.010.1.140.0
HSRP Activeand STP RootVLAN 20,140
HSRP Activeand STP RootVLAN 40,120
STP Model
Layer 2 Links
Layer 2 Links
SiSiSiSi
Access
Distribution
676767© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Layer3 Distribution InterconnectionNo Spanning Tree—All Links Active
• Recommended ‘best practice’—tried and true
• No STP convergence required for uplink failure/recovery
• Distribution to distribution link required for route summarization
• Map L2 vlan number to L3 subnet for ease of use/management
Layer 3
VLAN 20 DataVLAN 120 Voice
10.1.20.010.1.120.0
VLAN 40 DataVLAN 140 Voice
10.1.40.010.1.140.0
HSRP ActiveVLAN 20,140
HSRP ActiveVLAN 40,120
HSRP Model
Layer 2 Links
Layer 2 Links
SiSiSiSi
Access
Distribution
686868© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Layer3 Distribution InterconnectionGLBP Gateway Load Balancing Protocol
• Fully utilize uplinks via GLBP
• Distribution to distribution required for route summarization
• No STP convergence required for uplink failure/recovery
Layer 3
VLAN 20 DataVLAN 120 Voice
10.1.20.010.1.120.0
VLAN 40 DataVLAN 140 Voice
10.1.40.010.1.140.0
GLBP Model
Layer 2 Links
Layer 2 Links
SiSiSiSi
GLBP ActiveVLAN 20,120,40,140
GLBP ActiveVLAN 20,120, 40, 140
Access
Distribution
696969© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Layer 3
VLAN 20 DataVLAN 120 Voice
10.1.20.010.1.120.0
VLAN 40 DataVLAN 140 Voice
10.1.40.010.1.140.0
Routed Model
Layer 3 Equal Cost
Links
Layer 3 Equal Cost
Links
SiSiSiSi
Layer3 Access to Distribution InterconnectionAll Links Are Routed
• Best option for FAST convergence• Equal cost L3 load balancing on all links • No spanning tree required for convergence• No HSRP/GLBP configuration required• Not widely deployed/no VLAN spanning possible
Access
Distribution
707070© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
RST-2031: Deploying a Fully Routed Enterprise Campus Network
PVST+, Rapid PVST+, or a Routing ProtocolSTP vs. Equal Cost Layer3 Links and Routing
• When comparing the traditional design to a routed access layer we found some interesting things to investigate:
OSPF SPF timer when failing distribution to access link
OSPF default route when restoring distribution switch
ARP resolution/scaling when restoring distribution switch
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
717171© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
0123456789
10
PVST+ Rapid PVST+ EIGRP OSPF
2950 (Cisco IOS) 3550 (Cisco IOS) 4507 (CatOS)
4507 (Cisco IOS) 6500 (CatOS) 6500 (Cisco IOS)
0123456789
10
PVST+ Rapid PVST+ EIGRP OSPF
2950 (Cisco IOS) 3550 (Cisco IOS) 4507 (CatOS)
4507 (Cisco IOS) 6500 (CatOS) 6500 (Cisco IOS)
Server Farm to Access
Access to Server Farm
Distribution to Access Link Failure
Tim
e in
Sec
onds
to
Co
nve
rge
Tim
e in
Sec
onds
to
Co
nve
rge
A B
SiSiSiSi
SiSiSiSi
All Sub-Second
All Sub-Second Approaching SONET Speeds
PVST+, Rapid PVST+, or a Routing ProtocolSTP vs. Equal Cost Layer3 Links and Routing
727272© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
05
101520
2530
354045
PVST+ Rapid PVST+ EIGRP OSPF
2950 (Cisco IOS) 3550 (Cisco IOS) 4507 (CatOS)
4507 (Cisco IOS) 6500 (CatOS) 6500 (Cisco IOS)
05
101520
2530
354045
PVST+ Rapid PVST+ EIGRP OSPF
2950 (Cisco IOS) 3550 (Cisco IOS) 4507 (CatOS)
4507 (Cisco IOS) 6500 (CatOS) 6500 (Cisco IOS)
Zero Packet Loss
As Much as 40 Seconds
of Loss
Four Seconds of Loss
SiSiSiSi
SiSiSiSi
Server Farm to Access
Access to Server Farm
Distribution to Access Link Failure
Tim
e in
Sec
onds
to
Co
nve
rge
Tim
e in
Sec
onds
to
Co
nve
rge
PVST+, Rapid PVST+, or a Routing ProtocolSTP vs. Equal Cost Layer3 Links and Routing
A B
737373© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
EIGRP vs. OSPF as Your IGPFeasible Successor vs. LSA’s and SPF’s
• Within the campus environment EIGRP provides for faster convergence and greater flexibility
• EIGRP provides for multiple levels of route summarization and route filtering which map to the multiple tiers of the campus
• OSPF implements throttles on LSA generation and SPF calculations which limit convergence times
• When routes are summarized and filtered only the distribution peers in an EIGRP network need to calculate new routes in event of link or node failure
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
747474© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
interface GigabitEthernet1/1ip hello-interval eigrp 100 1ip hold-time eigrp 100 3
router eigrp 100eigrp stub connected
EIGRP to the Edge Design Rules
• EIGRP in the distribution block is similar to EIGRP in the branch but tuned for speed
• Limit scope of queries to a single neighbor
• Summarize to campus core at the distribution layer
• Control route propagation to edge switch via distribute lists
• Configure all edge switches to use EIGRP ‘stub’
• Set hello and dead timers to ‘1’and ‘3’
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
757575© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
interface GigabitEthernet1/1ip ospf dead-interval minimal hello-multiplier 4
router ospf 100area 120 stub no-summarytimers throttle spf 10 100 5000timers throttle lsa all 10 100 5000timers lsa arrival 80
OSPF to the Edge Design Rules
• OSPF in the distribution block is similar to OSPF in the branch but tuned for speed
• Control number of routes and routers in each area
• Configure each distribution block as a separate totally stubby OSPF area
• Do not extend area 0 to theedge switch
• Tune OSPF millisecond hello, dead-interval, SPF, and LSA throttle timers
Data CenterWAN Internet
Layer 3 Equal Cost Link’s
Layer 3 Equal Cost Link’s
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
767676© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Agenda
• Multilayer Campus Design Principals
• Foundation Services
• Campus Design Best Practices
• Security Considerations
• Putting It All Together
• Summary
777777© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Unauthorized Switch
Enterprise Server
Unauthorized Switch
Cisco SecureACS
Enterprise Server
PROBLEM: SOLUTION:
Mitigating Plug and PlayersProtecting Against Well-Intentioned Users
• Well intentioned users place unauthorized network devices on the network possibly causing instability
• Catalyst switches support rogue BPDU filtering: BPDU Guard, Root Guard
Incorrect STP Info
BPDU Guard
Network Instability
Authorized Switch
Authorized Switch
Root Guard
787878© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
BPDU GuardPrevent Loops via WLAN (Windows XP Bridging)
• WLAN AP’s do notforward BPDU’s
• Multiple Windows XPmachines can create aloop in the wired VLANvia the WLAN
• BPDU Guard configuredon all end station switch ports will prevent loopfrom forming
Win XPBridgingEnabled
Win XPBridgingEnabled
BPDU GuardDisables Port
STP LoopFormed
BPDUGenerated
BPDUDiscarded
PROBLEM:
SOLUTION:
797979© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Problem: Prevalence of Rogue AP’sExample: 59 APs in Seven Miles in SJ Commute
• The majority of WLAN deployments are unauthorized by well intended employees (rogue APs)—many are insecure
• A daily drive to work taken within the car at normal speeds with an IPAQ running a freeware application (mix of residences and enterprises)
• Insecure enterprise rogueAP’s are a result of:
Well intentioned staff install dueto absence of sanctioned WLAN deployment
An infrastructure that is not “wireless ready” to protectagainst rogue AP’s
59 APs Found
InsecureAPs
War Chalking
808080© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Basic 802.1x Access ControlControlling When and Where AP’s Are Connected
Authorized AP
Rogue AP
D on Authorized WLAN AP Ports
802.1x Enabled on “user” Facing
Ports
Authorized User
Who Are You?
I Am Joe Cisco
Who Are You?
CatOS Configuration Exampleset dot1x system-auth-control enableset dot1x guest-vlan 250set radius server 10.1.125.1 auth-port 1812 primaryset radius key cisco123set port dot1x 3/1-48 port-control auto
Cisco IOS Configuration Exampleradius-server host 10.1.125.1radius-server key cisco123aaa new-modelaaa authentication dot1x default group radiusaaa authorization default group radiusaaa authorization config-commandsdot1x system-auth-control
Cisco IOS Per-Port configurationint range fa3/1 - 48dot1x port-control auto
Disabled
SEC-2005: Understanding Identity-Based Networking Services
No 802.1xHere
818181© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Securing Layer 2 from Surveillance AttacksCutting off MAC-Based Attacks
Port Security Limits MAC Flooding Attack and Locks down Port and
Sends an SNMP Trap
00:0e:00:aa:aa:aa00:0e:00:bb:bb:bb
“Script Kiddie” Hacking Tools Enable Attackers Flood Switch CAM Tables with Bogus Macs; Turning the VLAN into a “Hub”
and Eliminating Privacy
Switch CAM Table Limit Is Finite Number of Mac Addresses
Only 3 MAC Addresses Allowed on
the Port: Shutdown
250,000 Bogus MAC’sper Second
PROBLEM: SOLUTION:
switchport port-security switchport port-security maximum 3 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity
828282© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
DHCP SnoopingProtection Against Rogue/Malicious DHCP Server
• DHCP requests (discover) and responses (offer) tracked
• Rate-limit requests on trusted interfaces; limits DOS attacks on DHCP server
• Deny responses (offers) on non trusted interfaces; stop malicious or errant DHCP server
DHCP Server
1000s of DHCP Requests to Overrun the DHCP Server
1
2
DHCP RequestBog
us
DHCP
Respo
nse
838383© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Securing Layer 2 from Surveillance AttacksProtection Against ARP Poisoning
• Dynamic ARP inspectionprotects against ARP poisoning (ettercap, dsnif, arpspoof)
• Uses the DHCP snooping binding table
• Tracks MAC to IP from DHCP transactions
• Rate-limits ARP requests from client ports; stop port scanning
• Drop BOGUS gratuitous ARP’s; stop ARP poisoning/MIM attacks
SiSiGateway = 10.1.1.1
MAC=A
Attacker = 10.1.1.25MAC=B
Victim = 10.1.1.50MAC=C
Gratuitous ARP10.1.1.1=MAC_B
Gratuitous ARP10.1.1.50=MAC_B
848484© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
IP Source GuardProtection Against Spoofed IP Addresses
• IP source guard protects against spoofed IP addresses
• Uses the DHCP snooping binding table
• Tracks IP address to port associations
• Dynamically programs port ACL to drop traffic not originating from IP address assigned via DHCP
SiSiGateway = 10.1.1.1
MAC=A
Attacker = 10.1.1.25 Victim = 10.1.1.50
Hey, I’m 10.1.1.50 !
858585© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Catalyst Integrated Security FeaturesSummary Cisco IOS
• Port security prevents MAC flooding attacks
• DHCP snooping prevents client attack on the switch and server
• Dynamic ARP Inspection adds security to ARP using DHCP snooping table
• IP source guard adds security to IP source address using DHCP snooping table
ip dhcp snoopingip dhcp snooping vlan 2-10ip arp inspection vlan 2-10!interface fa3/1switchport port-securityswitchport port-security max 3switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivityip arp inspection limit rate 100ip dhcp snooping limit rate 100!Interface gigabit1/1ip dhcp snooping trustip arp inspection trust
IP Source Guard
Dynamic ARP Inspection
DHCP Snooping
Port Security
SEC-2002: Understanding and Preventing Layer 2 Attacks
868686© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Agenda
• Multilayer Campus Design Principals
• Foundation Services
• Campus Design Best Practices
• Security Considerations
• Putting It All Together
• Summary
878787© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VLAN 120 Voice10.1.120.0/24
Layer3 Distribution InterconnectionReference Design—No VLANs Span Access Layer
• Tune CEF load balancing
• Match CatOS/IOS Etherchannelsettings and tune load balancing
• Summarize routestowards core
• Limit redundant IGP peering
• STP Root and HSRP primary tuning or GLBP to load balance on uplinks
• Set trunk mode on/nonegotiate
• Disable Etherchannelunless needed
• Set Port Host on access layer ports:
Disable TrunkingDisable EtherchannelEnable PortFast
• RootGuard or BPDU-Guard
• Use security features
P-t-P Link
Layer 3
VLAN 20 Data10.1.20.0/24
VLAN 140 Voice10.1.140.0/24
VLAN 40 Data10.1.40.0/24
SiSi SiSi
SiSi SiSi
Access
Distribution
Core
888888© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
VLAN 250 WLAN10.1.250.0/24
Layer 2 Distribution InterconnectionSome VLANs Span Access Layer
• Tune CEF load balancing• Match CatOS/IOS Etherchannel
settings and tune load balancing• Summarize routes towards core• Limit redundant IGP peering• STP Root and HSRP primary or GLBP
and STP port cost tuning to load balance on uplinks
• Set trunk mode on/nonegotiate• Disable Etherchannel unless needed• RootGuard on downlinks• LoopGuard on uplinks• Set port host on access
Layer ports:Disable trunkingDisable EtherchannelEnable PortFast
• RootGuard or BPDU-Guard
• Use security featuresVLAN 120 Voice
10.1.120.0/24
Trunk
VLAN 20 Data10.1.20.0/24
VLAN 140 Voice10.1.140.0/24
VLAN 40 Data10.1.40.0/24
SiSi SiSi
SiSi SiSi
Layer 2
Access
Distribution
Core
898989© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Routed AccessNo VLANs Span Access Layer
• Tune CEF load balancing
• Match CatOS/IOS Etherchannel settingsand tune load balancing
• Summarize routestowards core
• Filter routes towardsthe access
• Disable Etherchannelunless needed
• Set port host on access layer ports:
Disable TrunkingDisable EtherchannelEnable PortFast
• RootGuard or BPDU-Guard
• Use security featuresVLAN 120 Voice
10.1.120.0/24
P-t-P Link
Layer 3
VLAN 20 Data10.1.20.0/24
VLAN 140 Voice10.1.140.0/24
VLAN 40 Data10.1.40.0/24
SiSi SiSi
SiSi SiSi
Access
Distribution
Core
909090© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Agenda
• Multilayer Campus Design Principals
• Foundation Services
• Campus Design Best Practices
• Security Considerations
• Putting It All Together
• Summary
919191© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
SiSi SiSi
SiSiSiSi
SiSi SiSi
Multilayer Network DesignWithout a Rock Solid Foundation the Rest Doesn’t Matter
Access
Distribution
Core
Distribution
Access
Data Center
• Offers hierarchy – each layer has specific role
• Modular topology - building blocks
• Easy to grow, understand, and troubleshoot
• Creates small fault domains – Clear demarcations and isolation
• Promotes load balancing and redundancy
• Promotes deterministic traffic patterns
• Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
• Utilizes Layer 3 Routing for load balancing, fast convergence, scalability, and control
929292© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
SiSi SiSi
SiSiSiSi
SiSi SiSi
Access
Distribution
Core
Distribution
Access
• Build triangles not squares to take advantage of equal cost redundant paths for best/deterministic convergence
• Utilize equal cost redundant connections to Core for fastest convergence and to avoid black holes
• Link distribution to distribution to facilitate summarization and L2 spanning where required
• Utilize GLBP/HSRP mili-second timers• Tune GLBP/HSRP preempt delay to avoid
black holes• Tune Etherchannel and CEF load balancing
to insure optimum utilization of redundant/equal cost links
• Limit VLAN’s to a single closet when ever possible to limit STP boundaries.
• If STP required utilize rapid PVST+• Set trunks to ON/ON no-negotiate• Match PaGP settings CatOS/Cisco IOS• Consider EIGRP/routing in the access
Optimizing Convergence
Q and A
939393© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
949494© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Multilayer Network DesignWithout a Rock Solid Foundation the Rest Doesn’t Matter
SpanningTreeRouting
HSRP
GLBP
Trunking
LoadBalancing
Access
Distribution
Core
Distribution
Access
SiSi SiSi
SiSiSiSi
SiSi SiSi
Data Center
959595© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Reference Materials
http://www.cisco.com/go/srnd
• High Availability Campus Design Guide
• High Availability Campus Convergence Analysis
• High Availability Campus Design Guide – Routed Access EIGRP (soon)
• High Availability Campus Design Guide – Routed Access OSPF (soon)
969696© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2
Recommended Reading
• Continue your Networkerslearning experience with further reading for this session from Cisco Press
• Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
979797© 2005 Cisco Systems, Inc. All rights reserved.
RST-203211208_05_2005_c2