Arquitecturas de Redes LAN Empresarial Multicapa y Principios de Diseño

8/6/2019 Arquitecturas de Redes LAN Empresarial Multicapa y Principios de Diseo

1/110

2008 Cisco Systems, Inc. All rights reserved. Cisco PublicCisco NetworkersColombia 2008 1


2/110

2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 2

Multilayer CampusArchitecture

and Design Princ iplesBRKCAM-2001


3/110


Housekeeping

1.Please turn off your mobile phones, blackberries andlaptops

2.We value your feedback- don't forget to complete yoursession evaluation form & hand it to the room monitor /the materials pickup area at registration

3.Please remember this is a 'non-smoking' venue!


4/110


Enterprise-Class AvailabilityResilient Campus Communication Fabric

1.Network-level redundancy

2.System-level resiliency

3.Enhanced management

4.Human ear notices thedifference in voice within150200 msec10consecutive G711 packet loss

5.Video loss is even morenoticeable

6.200 msec end-to end-campus

convergence

Next-Generation AppsVideo conf., Unified Messaging,Global Outsourcing,E-Business, Wireless Ubiquity

Mission Critical Apps.Databases, Order-Entry,CRM, ERP

Desktop AppsE-mail, File & Print

Ultimate Goal..100%

APPLICATIONS DRIVE REQUIREMENTSFOR HIGH AVAILABILITY NETWORKING

Campus Systems Approach to High Availability


5/110


Next Generation Campus DesignUnified Communications Evolution

1.VoIP is now a mainstream technology

2.Ongoing evolution to the full spectrum of Unified Communications

3.High-Definition Executive Communication Application requiresstringent Service-Level Agreement (SLA)

Reliable ServiceHigh Availability Infrastructure

Application Service ManagementQoS


6/110


Agenda

1.Multilayer CampusDesign Principles

2.Foundation Services

3.Campus DesignBest Practices

4.IP Telephony

Considerations

5.QoS Considerations

6.SecurityConsiderations

7.Putting It All Together

8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


7/110


Data CenterWAN Internet

SiSi SiSi SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSiSiSi

Access

Core

Distribution

Distribution

Access

High-Availability Campus DesignStructure, Modularity, and Hierarchy


8/110


Hierarchical Campus Network

Server Farm

WAN Internet PSTN

SiSi

SiSi

SiSi SiSi

SiSi SiSi SiSi

SiSi

SiSi SiSi SiSi

SiSi

Not This!!

Structure, Modularity and Hierarchy


9/110


SiSi SiSi

SiSiSiSi

SiSi SiSi

Hierarchical Network Design

Building BlockAccess

Distribution

Core

Distribution

Access Offers hierarchyeach layer hasspecific role

Modular topologybuilding blocks

Easy to grow, understand, andtroubleshoot

Creates small fault domainsclear demarcations and isolation

Promotes load balancing andredundancy

Promotes deterministic traffic patterns

Incorporates balance of both Layer 2and Layer 3 technology, leveragingthe strength of both

Utilizes Layer 3 routing for load

balancing, fast convergence,scalability, and control

Without a Rock Solid Foundation the Rest Doesnt Matter


10/110


Access Layer

1. Its not just about connectivity

2. Layer 2/Layer 3 feature rich environment;convergence, HA, application intelligence,security, QoS, IP multicast, etc.

3. Intelligent network services: QoS,trust boundary, broadcast suppression, IGMPsnooping,

4. Intelligent network services: PVST+,Rapid PVST+, EIGRP, OSPF, DTP,

PAgP/LACP, UDLD, FlexLink, etc.

5. Cisco Catalyst integrated securityfeatures IBNS (802.1x), (CISF):port security, DHCP snooping,DAI, IPSG; Deep packet inspection security

6. Automatic phone discovery,conditional trust boundary,power over Ethernet, auxiliaryVLAN, etc.

7. Spanning tree toolkit: PortFast,

UplinkFast, BackboneFast, LoopGuard, BPDUGuard, BPDU Filter, RootGuard, etc.

Access

Distribution

CoreSiSiSiSi

SiSi SiSi

Feature Rich Environment


11/110


SiSiSiSi

Distribution Layer

1. Availability, load balancing,QoS and provisioning are theimportant considerations atthis layer

2. Aggregates wiring closets(access layer) and

uplinks to core3. Protects core from high

density peering andproblems in access layer

4. Route summarization, fastconvergence, redundantpath load sharing

5. HSRP or GLBP to provide

first hop redundancy

SiSi SiSi

Access

Distribution

Core

Policy, Convergence, QoS, and High Availability


12/110


13/110


Do I Need a Core Layer?

No Core

1. Fully meshed distribution layers

2. Physical cablingrequirement

3. Routing complexity

Its Really a Question of Scale, Complexity, and Convergence

4th Building Block12 New Links24 Links Total

8 IGP Neighbors

3rd Building Block8 New Links

12 Links Total

5 IGP Neighbors

Second BuildingBlock4 New Links


14/110


Do I Need a Core Layer?

Dedicated Core Switches1. Easier to add a module

2. Fewer links in the core

3. Easier bandwidth upgrade

4. Routing protocol peeringreduced

5. Equal cost Layer 3 linksfor best convergence

Its Really a Question of Scale, Complexity, and Convergence

4th Building Block4 New Links

16 Links Total

3 IGP Neighbors

3rd Building Block4 New Links

12 Links Total

3 IGP Neighbors

2nd Building Block8 New Links


15/110



SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSiSiSi Si

SiSiSi

SiSi

Access

Core

Distribution

Distribution

Access

Design Alternatives Come Withina Building (or Distribution) Block

Layer 2 Access Routed Access Virtual Switching System


16/110


VLAN 120 Voice10.1.120.0/24

Layer 3 Distribution Interconnection

1. Tune CEF load balancing

2. Match CatOS/IOS EtherChannelsettings and tune load balancing

3. Summarize routes towards core

4. Limit redundant IGP peering

5. STP Root and HSRP primarytuning or GLBP to load balance

on uplinks6. Set trunk mode on/no-negotiate

7. Disable EtherChannelunless needed

8. Set port host on accesslayer ports:

Disable TrunkingDisable EtherChannelEnable PortFast

9. RootGuard or BPDU-Guard

10.Use security features

Pointto

PointLink

Layer 3

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Access

Distribution

Core

Layer 2 AccessNo VLANs Span Access Layer


17/110


VLAN 250 WLAN10.1.250.0/24






5. STP Root and HSRP primary orGLBP and STP port cost tuning toload balance on uplinks

6. Set trunk mode on/no-negotiate


8. RootGuard on downlinks

9. LoopGuard on uplinks

10.Set port host on accessLayer ports:


11.RootGuard or BPDU-Guard


VLAN 120 Voice10.1.120.0/24

Trunk

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Layer 2

Layer 2 AccessSome VLANs Span Access Layer

Access

Distribution

Core


18/110


VLAN 20 Data10.1.20.0/24

Routed Access andVirtual Switching System

VLAN 120 Voice

10.1.120.0/24

P-t-P Link

Layer 3

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice

10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Evolutions of and Improvements to Existing Designs

Access

Distribution

Core

NewConcept

VLAN 40 Data10.1.40.0/24

SiSi SiSi

VSS Link

VLAN 120 Voice10.1.120.0/24

VLAN 140 Voice10.1.140.0/24VLAN 250 WLAN10.1.250.0/24


19/110


Virtual SwitchVirtual Switching System 1440 (VSS)

1. Virtual Switching System consists of two Cisco Catalyst 6500 Series defined asmembers of the same virtual switch domain

2. Single control plane with dual active forwarding planes

3. Design to increase forwarding capacity while increasing availability by eliminatingSTP loops

4. Reduced operational complexity by simplifying configuration

VSS Single

Logical Switch=Switch 1 + Switch 2

Virtual Switch Domain

Virtual Switch Link

SiSi SiSi


20/110


Virtual Switching SystemSingle Control Plane

1. Uses one supervisor in each chassis with inter-chassis Stateful Switchover(SSO) method in with one supervisor is ACTIVE and other in HOT_STANDBYmode

2. Active/standby supervisors run in synchronized mode (boot-env, running-configuration, protocol state, and line cards status gets synchronized)

3. ACTIVE supervisor manages the control plane functions such as protocols(routing, EtherChannel, SNMP, telnet, etc.) and hardware control (OIR, portmanagement)

4. Switchover to STANDBY_HOT supervisor occurs when ACTIVE supervisor failsproviding subsecond protocol and data forwarding recovery

SF: Switch FabricRP: Route Processor

PFC: Policy Forwarding Card

CFC: Centralize Forwarding Card

DFC: Distributed Forwarding Card

Active Supervisor

SF RP PFC

CFC or DFC Line Cards





Standby HOT Supervisor

SF RP PFC

VSLCFC or DFC Line Cards








21/110


Virtual Switching SystemDual Active Forwarding Planes

VSS-Router#show switch virtual redundancy

My Switch Id = 1

Peer Switch Id = 2

Switch 1 Slot 5 Processor Information :-----------------------------------------------

Current Software state = ACTIVE

Configuration register = 0x2

Fabric State = ACTIVE

Control Plane State = ACTIVE

Switch 2 Slot 5 Processor Information :

-----------------------------------------------

Current Software state = STANDBY HOT (switchover target)

Configuration register = 0x2

Fabric State = ACTIVEControl Plane State = STANDBY

DataPlaneActive

DataPlaneActive

1. Virtual Switch operates with a single active supervisor from a control planeperspective but with dual active forwarding plane

2. Supervisor ports and all the line card in both chassis including DistributedForwarding Engines (DFCs) are actively forwarding

SiSiSiSi


22/110


Virtual Switching SystemMultichassis EtherChannel (MEC)

1. MEC is an advanced EtherChanneltechnology extending link aggregationto two separate physical switches

2. MEC enables the VSS appear assingle logical device to devicesconnected to VSS, thus significantlysimplifying campus topology

3. Traditionally spanning VLANs overmultiple closets would create STPlooped topology, MEC with VSSeliminates these loops in the campustopology

4. MEC replaces spanning tree as themeans to provide link redundancy andthus doubling bandwidth available

from access5. MEC is supported only with VSS

Multichassis EtherChannel

L2

VLAN 30

BW Capacity in Non-MEC and MEC Topology

VLAN 30

Non-MEC MEC

Physical Topology Logical Topology

SiSi SiSi


23/110


Agenda




4.IP Telephony

Considerations5.QoS Considerations



8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


24/110


Foundation Services

1.Layer 1 physical things

2.Layer 2 redundancyspanning tree

3.Layer 3 routing protocols

4.Trunking protocols(ISL/.1q)

5.Unidirectional link detection

6.Load balancing

EtherChannel link aggregation

CEF equal cost load balancing

7.First hop redundancy protocols

VRRP, HSRP, and GLBPSpanning

TreeRouting

HSRP

GLBP

Trunking

LoadBalancing


25/110


Best PracticesLayer 1 Physical Things

1.Use point-to-pointinterconnectionsnoL2 aggregation pointsbetween nodes

2.Use fiber for bestconvergence

(debounce timer)3.Tune carrier

delay timer

4.Use configuration onthe physical interfacenot VLAN/SVI whenpossible


Layer 3 EqualCost Links



SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


26/110


Redundancy and ProtocolInteraction

Link Neighbour Failure Detection1. Indirect link failures are harder

to detect

2.With no direct HW notification of linkloss or topology change convergencetimes are dependent on SW notification

3. Indirect failure events in a bridged

environment are detected by SpanningTree Hellos

4. In certain topologies the need for TCNupdates or dummy multicast flooding(uplink fast) is necessary forconvergence

5.You should not be using hubs in a high

availability design

SiSi

SiSi

SiSi

BPDUs

Hub

SiSi

SiSi

SiSi

Hub

Hellos


27/110



Link Redundancy and Failure Detection1. Direct point-to-point fiber provides for fast

failure detection

2. IEEE 802.3z and 802.3ae link negotiationdefine the use of Remote Fault Indicator andLink Fault Signaling mechanisms

3. Bit D13 in the Fast Link Pulse (FLP) canbe set to indicate a physical fault to the

remote side4. Do not disable auto-negotiation on GigE and

10GigE interfaces

5. The default debounce timer on GigE and10GigE fiber linecards is 10 msec

6. The minimum debounce for copper is300 msec

7. Carrier-Delay

3560, 3750 and 45000 msec6500leave it set at default

1

2

3

LinecardThrottling:Debounce Timer

Remote IEEEFault DetectionMechanism

Cisco IOS Throttling:Carrier Delay Timer

SiSi SiSi

1


28/110



Layer 2 and 3Why Use Routed Interfaces1.Configuring L3 routed interfaces provides for faster convergencethan an L2 switch port with an associated L3 SVI

21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line

protocol on Interface GigabitEthernet2/1, changed stateto down

21:32:47.821 UTC: %LINK-3-UPDOWN: InterfaceGigabitEthernet2/1, changed state to down

21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301,

changed state to down21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route, adjust Vlan301

1. Link Down

2. Interface Down

3. Autostate

4. SVI Down

5. Routing Update

21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line

protocol on Interface GigabitEthernet3/1, changed

state to down21:38:37.050 UTC: %LINK-3-UPDOWN: Interface

GigabitEthernet3/1, changed state to down

21:38:37.050 UTC: IP-EIGRP(Default-IP-Routing-

Table:100): Callback: route_adjustGigabitEthernet3/1

SiSiSiSi

L2

SiSiSiSi

L3

1. Link Down

2. Interface Down

3. Routing Update

~ 8 msecloss

~ 150-200msec loss


29/110


Best PracticesSpanning Tree Configuration

1.Only span VLAN acrossmultiple access layerswitches when you have to!

2.Use Rapid PVST+ for bestconvergence

3.More common in thedata center

4.Required to protect againstuser side loops

5.Required to protect againstoperational accidents(misconfiguration orhardware failure)

6.Take advantage of thespanning tree toolkit




Layer 2 Loops

Same VLAN Same VLAN Same VLAN


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


30/110


Multilayer Network Design

SiSi SiSi SiSi SiSi

Vlan 10 Vlan 20 Vlan 30 Vlan 30 Vlan 30Vlan 30

Layer 2 Access with Layer 3 Distribution

1. Each access switch hasunique VLANs

2. No layer 2 loops

3. Layer 3 link between distribution

4. No blocked links

1. At least some VLANs spanmultiple access switches

2. Layer 2 loops

3. Layer 2 and 3 running over

link between distribution4. Blocked links


31/110


32/110


Layer 2 Hardening

1. Place the root where youwant it

Root primary/secondary macro

2. The root bridge should staywhere you put it

RootGuardLoopGuard

UplinkFast

UDLD

3. Only end-station trafficshould be seen onan edge port

BPDU Guard

RootGuard

PortFast

Port-security

SiSiSiSi

BPDU Guard or

RootGuard

PortFast

Port Security

RootGuard

UplinkFast

STP Root

Spanning Tree Should Behavethe Way You Expect

LoopGuard

LoopGuard


33/110


Best PracticesLayer 3 Routing Protocols

1. Typically deployed in distributionto core, and core to coreinterconnections

2. Used to quickly re-routearound failed node/links whileproviding load balancing overredundant paths

3. Build triangles not squares fordeterministic convergence

4. Only peer on links that you intendto use as transit

5. Insure redundant L3 paths toavoid black holes

6. Summarize distribution to coreto limit EIGRP query diameter orOSPF LSA propagation

7. Tune CEF L3/L4 load balancinghash to achieve maximum

utilization of equal cost paths(CEF polarization)





SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


34/110


35/110


Best PracticePassive Interfaces for IGP

1. Limit unnecessary peering usingpassive interface:

Four VLANs per wiring closet

12 adjacencies total

Memory and CPU requirementsincrease with no real benefit

Creates overhead for IGP

Routing

Updates

OSPF Example:

Router(config)#routerospf 1

Router(config-router)#passive-interfaceVlan 99

Router(config)#routerospf 1

Router(config-router)#passive-interface default

Router(config-router)#no passive-interface Vlan 99

EIGRP Example:

Router(config)#routereigrp 1

Router(config-router)#passive-interfaceVlan 99

Router(config)#routereigrp 1

Router(config-router)#passive-interface default

Router(config-router)#no passive-interface Vlan 99

Distribution

Access

SiSiSiSi

Limit OSPF and EIGRP PeeringThrough the Access Layer


36/110


10.1.2.0/2410.1.1.0/24

Why You Want to Summarizeat the Distribution

1. It is important to forcesummarization at thedistribution towards the core

2. For return path traffic anOSPF or EIGRP re-routeis required

3. By limiting the number of peersan EIGRP router must query orthe number of LSAs an OSPF

peer must process we canoptimize this re-route

4. EIGRP example:

SiSiSiSi

SiSi SiSi

TrafficDroppedUntilIGP

Converges

No SummariesQueries Go Beyond the Core

Rest of Network

interface Port-channel1description to Core#1ip address 10.122.0.34255.255.255.252ip hello-interval eigrp 100 1ip hold-time eigrp 100 3

ip summary-address eigrp 10010.1.0.0 255.255.0.0 5

Access

Distribution

Core

Limit EIGRP Queries and OSPF LSA Propagation


37/110


Why You Want to Summarizeat the Distribution

1. It is important to forcesummarization at the distributiontowards the core

2. For return path traffic an OSPFor EIGRP re-route is required

3. By limiting the number of peersan EIGRP router must query orthe number of LSAs an OSPF|peer must process we can

optimize his re-route4. For EIGRP if we summarize at

the distribution we stop queriesat the core boxes for an accesslayer flap

5. For OSPF when we summarizeat the distribution (area borderor L1/L2 border) the flooding ofLSAs is limited to the distributionswitches; SPF now deals with

one LSA not three

10.1.2.0/2410.1.1.0/24

Rest of Network

SiSiSiSi

SiSi SiSi

TrafficDroppedUntilIGP

Converges

Summary:10.1.0.0/16

Access

Distribution

Core

Reduce the Complexity of IGP ConvergenceSummaries

Stop Queries at the Core


38/110


Best PracticeSummarize at the Distribution

1. Best practicesummarize atthe distribution layer to limitEIGRP queries or OSPFLSA propagation

2. Gotcha:

Upstream: HSRP on leftdistribution takes over when

link fails

Return path: old router stilladvertises summary to core

Return traffic is dropped onright distribution switch

3. Summarizing requires a linkbetween the distribution switches

4. Alternative design:

Use the access layer for transit 10.1.2.0/2410.1.1.0/24

Summary:10.1.0.0/16

SiSiSiSi

SiSi SiSi

TrafficDropped

withNoRoute

Access

Distribution

Core

GotchaDistribution-to-Distribution Link Required


39/110


Provide Alternate Paths

1. What happens if fails?

2. No route to the coreanymore?

3. Allow the traffic to gothrough the access?

Do you want to use your accessswitches as transit nodes?

How do you design forscalability if the access usedfor transit traffic?

4. Install a redundant linkto the core

5. Best practice: installredundant link to coreand utilize L3 link

between distribution Layer

Single Pathto Core

A B

SiSiSiSi

SiSiSiSi

TrafficDropped

withN

oRoutetoCore

Access

Distribution

Core


40/110


EIGRP Design Rules in the CampusLeverage the Tools Provided

1. The greatest advantages of EIGRP aregained when the network has astructured addressing plan that allowsfor use of summarization and stubrouters when appropriate

2. EIGRP provides the ability toimplement multiple tiers ofsummarization and route filtering

3. Minimize the number and time forquery response to speed upconvergence

4. Summarize distribution block routesupstream to the core

5. If routing in the access configureall access switches as EIGRPstub routers

6. If routing in the access layer filterroutes sent down to access switches

10.10.0.0/17 10.10.128.0/17

10.10.0.0/16

SiSiSiSi

SiSi SiSi

SiSiSiSi


41/110


OSPF Design Rules in the CampusWhere Are the Areas?

1. Area design based on addresssummarization

2. Area boundaries should define buffersbetween fault domains

3. Summarize routes from the distributionblock upstream into the core

4. Minimize the number of LSAs androutes in the core

5. Reduce the need for SPF calculations

due to internal distribution blockchanges

6. ABR for a regular area forwardsSummary LSAs (Type 3)

ASBR summary (Type 4)

Specific externals (Type 5)

7. Stub area ABR forwardsSummary LSAs (Type 3)

Summary default (0.0.0.0)

8. A totally stubby area ABR forwardsSummary default (0.0.0.0) Data CenterWAN Internet

SiSi SiSi

SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi

Area 100 Area 110 Area 120

Area 0

SiSi SiSi SiSi SiSi


42/110


SiSi

Load-Sharing

Simple

Default* Src IP + Dst IP + Unique ID

Full Src IP + Dst IP + Src Port + Dst Port

Full Exclude Port SrcIP + Dst IP + (Srcor Dst Port)

Simple Src IP + Dst IP

Full Simple SrcIP + Dst IP + SrcPort + Dst Port

Catalyst 6500 PFC3** Load-Sharing Options

Equal Cost Multi-Path

1. Depending on the traffic flow patterns and IPAddressing in use one algorithm may providebetter load-sharing results than another

2. Be careful not to introduce polarization in a multi-tier design by changing the default to the samething in all tiers/layers of the network

SiSiSiSi

SiSi

30%of

Flows

70%of

Flows

SiSiSiSi

SiSiSiSiLoad-Sharing

Simple

Load-SharingFull Simple

Optimizing CEF Load-Sharing

Original Src IP + Dst IPUniversal* SrcIP + DstIP + Unique ID

IncludePort

Src IP + Dst IP + (Srcor Dst Port) + Unique ID

Catalyst 4500 Load-Sharing Options

* = Default Load-Sharing Mode

** = PFC3 in Sup720 and Sup32 Supervisors


43/110


CEF Load Balancing

1.CEF polarization: withoutsome tuning CEF will selectthe same path left/left orright/right

2. Imbalance/overloadcould occur

3.Redundant paths areignored/underutilized

4.The default CEF hashinput is L3

5.We can change the default touse L3 + L4 information as

input to the hash derivation

SiSiSiSi

SiSi SiSi

SiSi SiSi

L

L

R

R

Redundant Paths Ignored

DistributionDefault L3 Hash

Core

Default L3 Hash

DistributionDefault L3 Hash

Avoid Underutilizing Redundant Layer 3 Paths


44/110


CEF Load Balancing

1.The default will forSup720/32 and latesthardware (unique ID added todefault). However, dependingon IP addressing, and flowsimbalance could occur

2.Alternating L3/L4 hash and L3hash will give us the best loadbalancing results

3.Use simple in the core andfull simple in the distributionto add L4 information to thealgorithm at the distributionand maintain differentiation

tier-to-tier

SiSiSiSi

SiSi SiSi

SiSi SiSi

RL

RL

RL

All Paths UsedAvoid Underutilizing Redundant Layer 3 Paths

DistributionL3/L4 Hash

Core

Default L3 Hash

DistributionL3/L4 Hash


45/110


Best PracticesTrunk Configuration

1. Typically deployed oninterconnection betweenaccess and distribution layers

2. Use VTP transparent modeto decrease potential foroperational error

3. Hard set trunk mode to on and

encapsulation negotiate off foroptimal convergence

4. Change the native VLAN tosomething unused to avoidVLAN hopping

5. Manually prune all VLANSexcept those needed

6. Disable on host ports:CatOS: set port host

Cisco IOS: switchport hostData CenterWAN Internet



802.1q Trunks


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


46/110


47/110


DTP Dynamic Trunk Protocol

1.Automatic formation oftrunked switch-to-switchinterconnection

On: always be a trunk

Desirable: ask if the other side can/will

Auto: if the other sides asks I will

Off: dont become a trunk2.Negotiation of 802.1Q or

ISL encapsulation

ISL: try to use ISL trunk encapsulation

802.1q: try to use 802.1qencapsulation

Negotiate: negotiate ISL or 802.1qencapsulation with peer

Non-negotiate: always useencapsulation that is hard set

On/OnTrunk

Auto/Desirable

Trunk

Off/OffNO Trunk

Off/On, Auto, DesirableNO Trunk

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSiSiSi


48/110


49/110


50/110


Best PracticesUDLD Configuration

1.Typically deployedon any fiberopticinterconnection

2.Use UDLD aggressivemode for best protection

3.Turn on in globalconfiguration toavoid operationalerror/misses

4.Config example

Cisco IOS:udld aggressive




Fiber Interconnections


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


51/110


52/110


53/110


Best PracticesEtherChannel Configuration

1. Typically deployed indistribution to core, and coreto core interconnections

2. Used to provide linkredundancywhile reducingpeering complexity

3. Tune L3/L4 load balancinghash to achieve maximum

utilization of channel members

4. Deploy in powers of 2 (2, 4, or 8)

5. Match CatOS and Cisco IOSPAgP settings

6. 802.3ad LACP for interopif you need it

7. Disable unless neededCatOS: set port host

Cisco IOS: switchport host Data CenterWAN Internet




SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


54/110


Understanding EtherChannelLink Negotiation OptionsPAgP and LACP

On/On

Channel

On/Off

No Channel

Auto/Desirable

Channel

Off/On, Auto, Desirable

No Channel

SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSiSiSi

On/On

Channel

On/Off

No Channel

Active/Passive

Channel

Passive/Passive

No Channel

SiSi

SiSi SiSi

SiSi SiSi

SiSiSiSi

SiSi

Packet Aggregation Protocol Link Aggregation Protocol

On: always be a channel/bundle memberActive: ask if the other side can/will

Passive: if the other side asks I willOff: dont become a member of achannel/bundle

On: always be a channel/bundle memberDesirable: ask if the other side can/will

Auto: if the other side asks I willOff: dont become a member of achannel/bundle


55/110


EtherChannels or Equal Cost Multipath

SiSi SiSi

SiSiSiSi

Access

Distribution

Core10GE and10GE and

10GE channels10GE channels

Typical 20:1Typical 20:1

Data OverData Over--

SubscriptionSubscription

Typical 4:1Typical 4:1

Data OverData Over--

SubscriptionSubscription

10/100/1000 How Do You Aggregate It?


56/110



1. More links = more routingpeer relationships andassociated overhead

2. EtherChannels allow you toreduce peers by creating singlelogical interface to peer over

3. On single link failure in a bundle

OSPF running on an IOS-based switchwill reduce link cost and re-route traffic

OSPF running on a hybrid switch willnot change link cost and may overloadremaining links

EIGRP may not change link cost andmay overload remaining links

Data CenterWANWAN InternetInternet



SiSiSiSi


SiSiSiSi

SiSi SiSiSiSiSiSi

Reduce Complexity/Peer Relationships


57/110



1. More links = more routing peerrelationships and associatedoverhead

2. EtherChannels allow you toreduce peers by creating singlelogical interface to peer over

3. However, a single link failure isnot taken into consideration byrouting protocols. Overloadpossible.

4. Single 10-Gigabit links addressboth problems. Increasedbandwidth without increasingcomplexity or compromising

routing protocols ability to selectbest path.Data CenterWANWAN InternetInternet



SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


Why 10-Gigabit Interfaces


58/110


EtherChannelsQuick Summary

1. For Layer-2 EtherChannels: Desirable/Desirable is the recommendedconfiguration so that PAgP is running across all members of the bundleinsuring that an individual link failure will not result in an STP failure

2. For Layer-3 EtherChannels: One can consider a configuration that usesON/ON. There is a trade-off between performance/HA impact andmaintenance and operations implications.

3. An ON/ON configuration is faster from a link-up (restoration) perspectivethan a Desirable/Desirable alternative. However, in this configuration PAgPis not actively monitoring the state of the bundle members and amisconfigured bundle is not easily identified.

4. Routing protocols may not have visibility into the state of an individualmember of a bundle. LACP and the minimum links option can be used tobring the entire bundle down when the capacity is diminished.

OSPF has visibility to member loss (best practices pending investigation). EIGRP does not

5. When used to increase bandwidthno individual flow can go faster than thespeed of an individual member of the link

6. Best used to eliminate single points of failure (i.e. link or port) dependenciesfrom a topology


59/110


Best PracticesFirst Hop Redundancy

1. Used to provide a resilientdefault gateway/first hopaddress to end-stations

2. HSRP, VRRP, andGLBP alternatives

3. VRRP, HSRP and GLBPprovide millisecond timersand excellent convergenceperformance

4. VRRP if you needmultivendor interoperability

5. GLBP facilitates uplinkload balancing

6. Preempt timers need

to be tuned to avoidblack-holed trafficData CenterWAN Internet



1st Hop Redundancy


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


60/110


First Hop Redundancy with VRRP

1. A group of routers functionas one virtual router bysharing one virtualIP address and onevirtual MAC address

2. One (master) routerperforms packet

forwarding for local hosts3. The rest of the routers

act as back up in casethe master router fails

4. Backup routers stay idleas far as packet forwardingfrom the client sideis concerned

R1Master, Forwarding Traffic; R2,BackupVRRP ACTIVE VRRP BACKUP

IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0000.5e00.0101

IP: 10.0.0.253MAC: 0000.0C78.9abcvIP:vMAC:

IP: 10.0.0.1MAC: aaaa.aaaa.aa01

GW: 10.0.0.10ARP: 0000.5e00.0101


GW: 10.0.0.10ARP: 0000.5e00.0101


GW: 10.0.0.10ARP: 0000.5e00.0101

SiSiSiSi

Access-a

Distribution-A

VRRP Active

Distribution-BVRRP Backup

R1 R2

IETF Standard RFC 2338 (April 1998)


61/110


First Hop Redundancy with HSRP

1. A group of routers functionas one virtual router bysharing one virtualIP address and onevirtual MAC address

2. One (active) routerperforms packetforwarding for local hosts

3. The rest of the routersprovide hot standby incase the active router fails

4. Standby routers stay idleas far as packet forwardingfrom the client side isconcerned


GW: 10.0.0.10ARP: 0000.0c07.ac00

SiSiSiSi

Access-a

Distribution-A

HSRP Active

Distribution-BHSRP Backup

R1

HSRP ACTIVE HSRP STANDBY

IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0000.0c07.ac00

IP: 10.0.0.253MAC: 0000.0C78.9abcvIP:vMAC:


GW: 10.0.0.10ARP: 0000.0c07.ac00


GW: 10.0.0.10ARP: 0000.0c07.ac00

R1Active, Forwarding Traffic;R2Hot Standby, Idle

R2

RFC 2281 (March 1998)


62/110


Why You Want HSRP Preemption

1. Spanning Tree Root andHSRP Primary aligned

2. When Spanning Tree Rootis re-introduced, traffic willtake a two-hop path toHSRP Active

3. HSRP Preemption willallow HSRP to followSpanning Tree topology

SiSiSiSi

SiSiSiSi

Access

Distribution

Core

Spanning TreeRoot HSRPActive

HSRPActive Spanning Tree

RootHSRP Preempt

Without Preempt Delay HSRP Can Go Active Before Box Completely Ready toForward Traffic: L1 (Boards), L2 (STP), L3 (IGP Convergence)

standby 1 preempt delay minimum 180


63/110


First Hop Redundancy with GLBP

1. All the benefits of HSRPplus load balancing ofdefault gateway utilizesall available bandwidth

2. A group of routers functionas one virtual router by sharingone virtual IP address butusing multiple virtual MAC

addressesfor traffic forwarding

3. Allows traffic from a singlecommon subnet to go throughmultiple redundant gatewaysusing a single virtual IPaddress

GLBP AVG/AVF, SVF GLBP AVF, SVF

R1- AVG; R1, R2 Both Forward Traffic

IP: 10.0.0.254MAC: 0000.0c12.3456vIP: 10.0.0.10vMAC: 0007.b400.0101

IP: 10.0.0.253MAC: 0000.0C78.9abcvIP: 10.0.0.10vMAC: 0007.b400.0102


GW: 10.0.0.10ARP: 0007.B400.0101


GW: 10.0.0.10ARP: 0007.B400.0102


GW: 10.0.0.10ARP: 0007.B400.0101

SiSiSiSi

Access-a

Distribution-AGLBP AVG/

AVF, SVF

Distribution-BGLPB AVF, SVF

R1

Cisco Designed, Load Sharing, Patent Pending


64/110


First Hop Redundancy withLoad Balancing

1. Each member of a GLBP redundancy group owns a unique virtual MAC addressfor a common IP address/default gateway

2. When end-stations ARP for the common IP address/default gateway they aregiven a load balanced virtual MAC address

3. Host A and host B send traffic to different GLBP peers but have the samedefault gateway

10.88.1.0/24

.5.4

.1 .2

vIP10.88.1.10

GLBP 1 ip 10.88.1.10vMAC 0000.0000.0001

GLBP 1 ip 10.88.1.10vMAC 0000.0000.0002

ARPs for 10.88.1.10Gets MAC 0000.0000.0001

ARPs for 10.88.1.10Gets MAC 0000.0000.0002A B

R1 R2ARP

Reply

Cisco Gateway Load Balancing Protocol (GLBP)


65/110


0

0.2

0.4

0.6

0.8

1

1.2

Longest Shortest AverageTimeinSecondstoConverge

VRRP HSRP GLBP

SiSiSiSi

50% of FlowsHave ZERO

Loss W/ GLBP

Optimizing Convergence:VRRP, HSRP, GLBP

1. VRRP not tested with sub-second timers and all flows go througha common VRRP peer; mean, max, and min are equal

2. HSRP has sub-second timers; however all flows go through sameHSRP peer so there is no difference between mean, max, and min

3. GLBP has sub-second timers and distributes the load amongstthe GLBP peers; so 50% of the clients are not affected by anuplink failure

GLBP Is 50%Better

Distribution to Access Link FailureAccess to Server Farm

Mean, Max, and MinAre There Differences?


66/110


If You Span VLANS, Tuning Required

1.Both distribution switches act as default gateway

2.Blocked uplink caused traffic to take less than optimal path

VLAN 2VLAN 2

F 2F

2B2

B2 F: Forwarding

B: Blocking

Access-b

SiSiSiSi

Core

Access-a

Distribution-AGLBP VirtualMAC 1

Distribution-BGLBP Virtual

MAC 2

AccessLayer 2

AccessLayer 2

Distribution

Layer 2/3

CoreLayer 3

By Default, Half the Traffic Will Take a Two-Hop L2 Path


67/110


68/110


Service Availability Focus

Catalyst with Cisco IOS Software ModularityBENEFITSBENEFITS

Automated Policy ControlAutomated Policy Control

Simplify Software ChangesSimplify Software Changes

Minimize Unplanned DowntimeMinimize Unplanned Downtime

INNOVATIONINNOVATION

Catalyst 6500 Data PlaneCatalyst 6500 Data Plane

Network Optimized MicrokernelNetwork Optimized Microkernel

IOS-Base

IOS-Base

Routing

Routing

TCP

TCP

UDP

UDP

EEM

EEM

FTP

FTP

CDP

CDP

INETD

INETD

etcetc

High Availability InfrastructureHigh Availability Infrastructure

Cisco IOS Software ModularityCisco IOS Software Modularity

Memory protection

Fault containment

Stateful process restarts

Subsystem ISSU

Memory protection

Fault containment

Stateful process restarts

Subsystem ISSU

MPLS, IPv6, BFD now modular

Full HW and SW parity with native IOS


69/110


Generic Online DiagnosticsHow does GOLD work?

1. Diagnostic packet switching testsverify that the system is operatingcorrectly:

Is the supervisor control plane andforwarding plane functioningproperly?

Is the standby supervisor ready to take

over?Are linecards forwarding packets

properly?

Are all ports working?

Is the backplane connection working?

2. Other types of diagnostics testsincluding memory and errorcorrelation tests are also available

CPUForwardingEngine

Fabric

ForwardingEngine

Active Supervisor

Standby Supervisor

Line

card

Linecard


70/110


Embedded Event ManagerEEM Application Example

Send results in email alert

Interface down

Loopback test

GOLD

EEM

Upon matching the provided SYSLOG message LINK-3-UPDOWN, the switchperforms the following actions:

Display counter error statistics for the link that has gone downStart a GOLD Loopback testSend the results using a provided template to a user-configurable address

Interface error counters


71/110


72/110


Agenda

1.Multilayer CampusDesign principles



4.IP TelephonyConsiderations




8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


73/110


VLAN 2VLAN 2

Distribution-A Distribution-B

Access-cAccess-a

Layer 3 Link

Access-n

VLAN 2

50% Chance That TrafficWill Go Down Path with

No Connectivity

Traffic

Droppedwith

NoPathto

Destination

Daisy Chaining Access Layer Switches

Return Path Traffic Has a 50/50 Chance of Being Black Holed

SiSiSiSi

SiSiSiSi

AccessLayer 2

AccessLayer 2

DistributionLayer 2/3

CoreLayer 3

Avoid Potential Black Holes


74/110


Daisy Chaining Access Layer Switches

1.Stackwise/Stackwise-Plus technology eliminates the concern

Loopback links not required

No longer forced to have L2 link in distribution

2. If you use modular (chassis-based) switches, these problemsare not a concern

HSRPActive

HSRPStandby

Forwarding

Forwarding

3750-E

SiSi

SiSi

Layer 3

New Technology Addresses Old Problems


75/110


VLAN 2VLAN 2

What Happens if You DontLink the Distributions?

1. STPs slow convergence cancause considerable periodsof traffic loss

2. STP could causenon-deterministic trafficflows/link load engineering

3. STP convergence willcause Layer 3 convergence

4. STP and Layer 3 timersare independent

5. Unexpected Layer 3 convergenceand re-convergence could occur

6. Even if you do link the distributionswitches dependence on STPand link state/connectivity cancause HSRP irregularities andunexpected state transitions

F 2 F2 B 2

STP SecondaryRoot and HSRP

Standby

F 2

Access-b

SiSiSiSi

Core

Hellos

Traffic

DroppedUntil

HSRPGoesActive

Access-a

STP Root andHSRP Active

TrafficDropped Until

MaxAgeExpires ThenListening and

Learning

TrafficDropped UntilTransition toForwarding;

As much as 50Seconds


76/110


Aggressive HSRPtimers limit blackhole #1

Backbone fast limitstime (30 seconds)to event #2

Even with RapidPVST+ at leastone secondbefore event #2

VLAN 2VLAN 2

What if You Dont?

1. Blocking link on access-b will take 50 seconds to move to forwarding traffic black hole until HSRPgoes active on standby HSRP peer

2. After MaxAge expires (or backbone fast or Rapid PVST+) converges HSRP preempt causes another

transition3. Access-b used as transit for access-as traffic


F 2F

2B2

STPSecondaryRoot and

HSRP Standby

F2

HSRP Active(Temporarily)

MaxAgeSeconds BeforeFailure IsDetectedThen Listeningand Learning

F: Forwarding

B: Blocking

Access-b

SiSiSiSi

Core

Hellos

Traffic

DroppedUntil

HSRPGoesActive

F2

Access-a

AccessLayer 2

AccessLayer 2

Distribution

Layer 2/3

CoreLayer 3

Black Holes and Multiple Transitions


77/110


802.1d: up to50 seconds

PVST+: backbonefast 30 seconds

Rapid PVST+:address by theprotocol (onesecond)

VLAN 2VLAN 2

What if You Dont?

1. Blocking link on access-b will take 50 seconds to move to forwarding return traffic black hole until then

F 2F

2B2

F2 F: Forwarding

B: Blocking

Core

Hellos

Traffic

DroppedUntil

MaxAge

ExpiresThen

Listeningand

Learning

F2


Access-b

STPSecondaryRoot and

HSRP Standby

SiSiSiSi

AccessLayer 2

AccessLayer 2

Distribution

Layer 2/3

CoreLayer 3

Return Path Traffic Black Holed

Access-a


78/110


79/110


VLAN 2

Best Practices Prevent Unicast Flooding

1. Assign one uniquedata and voice VLANto each access switch

2. Traffic is now onlyflooded downone trunk

3. Access switchunicasts correctly;no flooding toall ports

4. If you have to:

Tune ARP and CAMaging timers; CAMtimer exceedsARP timer

Bias routing metricsto remove equalcost routes

Downstream

Packet

Flooded on

Single Port

Upstream PacketUnicast to

Active HSRP

AsymmetricEqual Cost

Return Path

VLAN 3 VLAN 4 VLAN 5

SiSi SiSi


80/110


Agenda




4.IP Telephony

Considerations




8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


81/110


Building a Converged Campus Network

1. Access layerAuto phone detection

Inline power

QoS: scheduling,trust boundary andclassification

Fast convergence

2. Distribution layerHigh availability,redundancy,

fast convergencePolicy enforcement

QoS: scheduling,trust boundaryand classification

3. CoreHigh availability,redundancy,fast convergence

QoS: scheduling,trust boundary


Layer 3Equal Cost

Links

Layer 3Equal Cost

Links


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi

Access

Distribution

Core

Distribution

Access

Infrastructure Integration, QoS, and Availability


82/110


Infrastructure Integration

1.Phone contains a three-port switch that is configured in conjunctionwith the access switch and CallManager

Power negotiation

VLAN configuration

802.1x interoperation

QoS configuration

DHCP and CallManager registration

Switch Detects IP Phone and Applies Power

CDP Transaction Between Phone and Switch

IP Phone Placed in Proper VLAN

DHCP Request and Call Manager Registration

Extending the Network Edge


83/110


Enhanced Power Negotiation

1.Using bi-directional CDP exchange exact powerrequirements are negotiated after initial power-on

PD Plugged in

Phone Transmits a CDP Power NegotiationPacket Listing Its Power Mode

Switch Sends a CDP Response

with a Power Request

Based on Capabilities Exchanged

Final Power Allocation Is Determined

Switch Detects IEEE PD

PD Is Classified

Power Is Applied

PDPoweredDevice Cisco 7970

PSEPowerSource EquipmentCisco 6500,4500,

3750, 3560

802.3af Plus Bi-Directional CDP (Cisco 7970)


84/110


Design Considerations for PoE

1. Switch manages power by what is allocated not by what is currently used

2. Device power consumption is not constant

3. A 7960G requires 7W when the phone is ringing at maximum volume andrequires 5W on or off hook

4. Understand the power behavior of your PoE devices

5. Utilize static power configuration with caution

6. Use power calculator to determine power requirements

http://www.cisco.com/go/powercalculator

Dynamic allocation:

power inline auto max 7200

Static allocation:power inline static max 7200

Power Management

Discover Cisco Enhanced PoE at the World of Solutions


85/110


Infrastructure Integration: Next Steps

1.During initial CDP exchange phone is configured with a VoiceVLAN ID (VVID)

2.Phone also supplied with QoS configuration via CDP TLV fields

3.Additionally switch port currently bypasses 802.1x authenticationfor VVID if detects Cisco phone

PC VLAN = 10(PVID)

Phone VLAN = 110(VVID)

Native VLAN (PVID) NoConfiguration Changes

Needed on PC

802.1Q encapsulationwith 802.1pLayer 2 CoS

VLAN, QoS and 802.1x Configuration


86/110


Agenda








8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


87/110


Best PracticesQuality of Service

1. Must be deployed end-to-end to be effective; all layersplay different but equal roles

2. Ensure that mission criticalapplications are notimpacted by link or transmitqueue congestion

3. Aggregation and ratetransition points mustenforce QoS policies

4. Multiple queues withconfigurable admissioncriteria and schedulingare required




End to End QoS


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi


88/110


Transmit Queue Congestion

WAN

Router

128k Uplink10/100m Queued

Access Switch

100 Meg Link1 Gig Link Queued

Distribution Switch

100 Meg in 128 Kb/S outPackets Serialize in Faster than They Serialize out

Packets Queued as They Wait to Serialize out Slower Link

1 Gig In 100 Meg outPackets Serialize in Faster than They Serialize out

Packets Queued as They Wait to Serialize out Slower Link


89/110


Configures QoS for VoIP on Campus Switches

Auto QoS VoIPMaking It Easy

!

interface FastEthernet1/0/21

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

Mls qos trust device cisco-phone

Mls qos trust cos

auto qosvoipcisco-phone

end

Access-Switch(config-if)#auto qos voip ?

cisco-phone Trust the QoS marking of Cisco IP Phone

cisco-softphone Trust the QoS marking of Cisco IP SoftPhone

trust Trust the DSCP/CoS marking

Access-Switch(config-if)#autoqosvoipcisco-phone

Access-Switch(config-if)#exit


90/110


NBAR Protocol Discovery

Campus

Protocol Discovery: discover what apps arerunning on your network and provide real-time statistics

Per-interface, per-protocol, bi-directionalstatistics

bit rate (bps); packet count; byte count

SNMP accessible for centralized monitoring

Supported by Partner products(Concord|CA, InfoVista, Micromuse|IBM) andMRTG

Link Utilization

Voice

P2P

E-mail

Backup,etc.

Bulk

Streaming-Video

Mission-Critical

Routing

Interactive-Video

Call-SignalingNet Mgmt

Transactional

Real-Time= 33%

CriticalData

BestEffort= 25%

Real-time Application Visibility with Network Based ApplicationRecognition


91/110


Agenda




4.IP Telephony

Considerations5.QoS Considerations



8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


92/110


Best PracticesCampus Security

1. New stuff that we will cover!

Catalyst Integrated Security Feature Set!

Dynamic Port Security, DHCP Snooping,Dynamic ARP Inspection, IP Source Guard

2. Things you already knowwe wont cover

Use SSH to access devices instead of Telnet

Enable AAA and roles-based access control(RADIUS/TACACS+) for the CLI on all devices

Enable SYSLOG to a server. Collect andarchive logs

When using SNMP use SNMPv3

Disable unused services:

no service tcp-small-serversno service udp-small-servers

Use FTP or SFTP (SSH FTP) to move imagesand configurations aroundavoid TFTPwhen possible

Install VTY access-lists to limit which addressescan access management and CLI services

Enable control plane protocol authenticationwhere it is available (EIGRP, OSPF, BGP,HSRP, VTP, etc.)

Apply basic protections offered by implementingRFC2827 filtering on external edge inboundinterfaces WAN Internet

End-to-End Security


SiSiSiSi

SiSiSiSi

SiSi SiSiSiSiSiSi

For More Details, See BRKSEC-2002 Session, Understanding and Preventing Layer 2 Attacks


93/110


Port Security Limits MAC FloodingAttack and Locks down Port and

Sends an SNMP Trap

00:0e:00:aa:aa:aa

00:0e:00:bb:bb:bb

Script Kiddie Hacking ToolsEnable Attackers Flood Switch CAM

Tables with Bogus Macs; Turningthe VLAN into a Hub and

Eliminating Privacy

Switch CAM Table Limit Is FiniteNumber of Mac Addresses

Only 3 MACAddresses

Allowed on

the Port:

Shutdown250,000Bogus MACsper Second

PROBLEM:SOLUTION:

switchport port-securityswitchport port-security maximum 10switchport port-security violation restrictswitchport port-security aging time 2

switchport port-security aging type inactivity

Cutting off MAC-Based Attacks

Securing Layer 2 fromSurveillance Attacks


94/110


DHCP Snooping

1.DHCP requests (discover) and responses (offer) tracked

2.Rate-limit requests on trusted interfaces; limits DoS attacks onDHCP server

3.Deny responses (offers) on non trusted interfaces; stop maliciousor errant DHCP server

DHCPServer

1000s of DHCPRequests toOverrun the

DHCP Server

1

2

DHCPRequest

Bogus

DHCP

Response

Protection Against Rogue/Malicious DHCP Server


95/110


Securing Layer 2 fromSurveillance Attacks

1.Dynamic ARP inspectionprotects against ARPpoisoning (ettercap,dsnif, arpspoof)

2.Uses the DHCP snoopingbinding table

3.Tracks MAC to IP fromDHCP transactions

4.Rate-limits ARP requestsfrom client ports; stop portscanning

5.Drop BOGUS gratuitousARPs; stop ARPpoisoning/MIM attacks

SiSiGateway = 10.1.1.1

MAC=A

Attacker = 10.1.1.25MAC=B Victim = 10.1.1.50MAC=C

Gratuitous ARP10.1.1.1=MAC_B

Gratuitous ARP

10.1.1.50=MAC_B

Protection Against ARP Poisoning


96/110


97/110


Catalyst Integrated Security Features

1. Port security prevents MACflooding attacks

2. DHCP snooping prevents clientattack on the switch and server

3. Dynamic ARP Inspection addssecurity to ARP using DHCPsnooping table

4. IP source guard adds securityto IP source address usingDHCP snooping table

ipdhcp snooping

ipdhcp snooping vlan 2-10

iparp inspection vlan 2-10

!

interface fa3/1

switchport port-security

switchport port-security max 3

switchport port-security violation

restrictswitchport port-security aging time 2

switchport port-security aging typeinactivity

iparp inspection limit rate 100

ipdhcp snooping limit rate 100

ip verify source vlandhcp-snooping

!

Interface gigabit1/1

ipdhcp snooping trustiparp inspection trust

IP Source Guard

Dynamic ARP Inspection

DHCP Snooping

Port Security

Summary Cisco IOS


98/110


PISA Flexible Packet Matching

Network managers require tools tofilter Day Zero attacks e.g. prior to IPSsignatures being available

Traditional ACLs take a shotgunapproach legitimate traffic could beblocked

FPM delivers flexible, granular Layer2-7 matching

Useful for CERT-like teams withinService Providers and Enterprisecustomers

0111111010101010000111000100111110010001000100100010001001

Match Pattern And Or NotCisco.com/go/fpm

Flexible Classification andRapid Response

Goes beyond staticattributes specify arbitrarybits/bytes at any offsetwithin the payload or header

Classify on multiple

attributes within a packet

String match and regex

Set up custom filters rapidlyusing XML-based policylanguage

Flexible Classification andRapid Response

Goes beyond staticattributes specify arbitrarybits/bytes at any offsetwithin the payload or header

Classify on multiple

attributes within a packet String match and regex

Set up custom filters rapidlyusing XML-based policylanguage

Multi-Gig Deep Packet Inspection PerformanceRapid Response to New and Emerging Attacks


99/110


Printer

PCs

PCs

Mark Business-critical

applications real-time as

GOLD service

Police non-priority

applications

Block worms like Slammer

using Flexible Packet Matching Detect and Rate-limit

undesiredPeer to Peer Traffic

Sup 32 PISA DeploymentCampus Access Layer

Citrix 25%Netshow 15%Oracle 10%FTP 30%HTTP 20%

Link Utilization


100/110


101/110


Hierarchical Campus

Data CenterWAN InternetAccess

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi


102/110


VLAN 120 Voice10.1.120.0/24






5. STP Root and HSRP primarytuning or GLBP to load balanceon uplinks

6. Set trunk mode on/nonegotiate


8. Set port host on accesslayer ports:


9. RootGuard or BPDU-Guard


PointtoPointLink

Layer 3

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Access

Distribution

Core

Layer 2 AccessNo VLANs Span Access Layer


103/110


VLAN 250 WLAN10.1.250.0/24






5. STP Root and HSRP primary orGLBP and STP port cost tuning to loadbalance on uplinks

6. Set trunk mode on/nonegotiate


8. RootGuard on downlinks

9. LoopGuard on uplinks

10.Set port host on accessLayer ports:


11.RootGuard or BPDU-Guard


VLAN 120 Voice10.1.120.0/24

Trunk

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Layer 2

Layer 2 AccessSome VLANs Span Access Layer

Access

Distribution

Core


104/110


VLAN 20 Data10.1.20.0/24

Routed Access andVirtual Switching System

VLAN 120 Voice10.1.120.0/24

P-t-P Link

Layer 3

VLAN 20 Data10.1.20.0/24

VLAN 140 Voice10.1.140.0/24

VLAN 40 Data10.1.40.0/24

SiSi SiSi

SiSi SiSi

Evolutions of and Improvements to Existing Designs

Access

Distribution

Core

See RST-3035Advanced Enterprise Campus Design Alternatives: Routed Access and Virtual Switch System (VSS)

NewConcept

VLAN 40 Data10.1.40.0/24

SiSi SiSi

VSS Link

VLAN 120 Voice10.1.120.0/24VLAN 140 Voice10.1.140.0/24VLAN 250 WLAN10.1.250.0/24


105/110


Agenda






6.Security Considerations


8.Summary

SiSiSiSi

SiSiSiSi

SiSi

Data Center

SiSi SiSi

ServicesBlock

Distribution Blocks

SiSi SiSi SiSi


106/110


Summary


Layer 3Equal Cost

Links

Layer 3Equal Cost

Links

Access

Distribution

Core

Distribution

Access


SiSi SiSi

SiSi SiSi

SiSi SiSi

SiSi SiSi

1. Offers hierarchyeach layerhas specific role

2. Modular topologybuilding blocks

3. Easy to grow, understand,and troubleshoot

4. Creates small fault domainsClear demarcations andisolation

5. Promotes load balancingand redundancy

6. Promotes deterministictraffic patterns

7. Incorporates balance ofboth Layer 2 and Layer 3technology, leveragingthe strength of both

8. Utilizes Layer 3 Routingfor load balancing, fast

convergence, scalability,and control


107/110


Q and A


108/110


Recommended Reading

1. Continue your Cisco Networkerslearning experience with furtherreading from Cisco Press

2. Check the Recommended Readingflyer for suggested books

Available Onsite at the Cisco Company Store


109/110


Complete YourSession Evaluation

1.Please give us your feedback, yourcomments are important to us

2.Dont forget to complete the overallevent evaluation form included inyour registration kit

3.This is session BRKCAM-2001


110/110


Arquitecturas de Redes LAN Empresarial Multicapa y Principios de Diseño

Documents

Transcript of Arquitecturas de Redes LAN Empresarial Multicapa y Principios de Diseño