Enterprise Multilayer LAN Architectures and Design Principles (Arquitecturas de Redes LAN Empresarial Multicapa y Principios de Diseño), printed 8/6/2019, 110 pages
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. Cisco Networkers Colombia 2008
Multilayer Campus Architecture and Design Principles (BRKCAM-2001)
Housekeeping
1. Please turn off your mobile phones, BlackBerrys and laptops
2. We value your feedback: don't forget to complete your session evaluation form and hand it to the room monitor or to the materials pickup area at registration
3. Please remember this is a non-smoking venue!
Enterprise-Class Availability: Resilient Campus Communication Fabric
Campus Systems Approach to High Availability
1. Network-level redundancy
2. System-level resiliency
3. Enhanced management
Applications drive requirements for high availability networking
4. The human ear notices the difference in voice within 150-200 msec (10 consecutive G.711 packets lost)
5. Video loss is even more noticeable
6. 200 msec end-to-end campus convergence
[Diagram: application pyramid. Desktop apps (e-mail, file & print); mission-critical apps (databases, order entry, CRM, ERP); next-generation apps (video conferencing, unified messaging, global outsourcing, e-business, wireless ubiquity). Ultimate goal: 100% availability]
Next Generation Campus Design: Unified Communications Evolution
1. VoIP is now a mainstream technology
2. Ongoing evolution to the full spectrum of Unified Communications
3. High-definition executive communication applications require a stringent Service-Level Agreement (SLA)
Reliable service: high availability infrastructure
Application service management: QoS
Agenda
1. Multilayer Campus Design Principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary
[Diagram: campus topology with a core, Data Center, Services Block and Distribution Blocks]
High-Availability Campus Design: Structure, Modularity, and Hierarchy
[Diagram: three-tier campus. Access and Distribution layers in each building block, a Layer 3 Core, and Data Center, WAN and Internet blocks hanging off the core]
Hierarchical Campus Network: Structure, Modularity and Hierarchy
[Diagram: an unstructured campus in which the Server Farm, WAN, Internet and PSTN connections are attached wherever there was a port, labelled "Not This!!"]
Hierarchical Network Design
[Diagram: a building block is Access + Distribution; building blocks connect to each other through the Core]
1. Offers hierarchy: each layer has a specific role
2. Modular topology: building blocks
3. Easy to grow, understand, and troubleshoot
4. Creates small fault domains: clear demarcations and isolation
5. Promotes load balancing and redundancy
6. Promotes deterministic traffic patterns
7. Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
8. Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
Without a rock-solid foundation the rest doesn't matter
Access Layer: Feature Rich Environment
1. It's not just about connectivity
2. Layer 2/Layer 3 feature-rich environment: convergence, HA, application intelligence, security, QoS, IP multicast, etc.
3. Intelligent network services: QoS, trust boundary, broadcast suppression, IGMP snooping
4. Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, etc.
5. Cisco Catalyst integrated security features: IBNS (802.1X) and the Catalyst Integrated Security Features (CISF): port security, DHCP snooping, DAI, IPSG; deep packet inspection security
6. Automatic phone discovery, conditional trust boundary, Power over Ethernet, auxiliary VLAN, etc.
7. Spanning tree toolkit: PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, etc.
Distribution Layer: Policy, Convergence, QoS, and High Availability
1. Availability, load balancing, QoS and provisioning are the important considerations at this layer
2. Aggregates wiring closets (access layer) and uplinks to the core
3. Protects the core from high-density peering and problems in the access layer
4. Route summarization, fast convergence, redundant-path load sharing
5. HSRP or GLBP to provide first-hop redundancy
Do I Need a Core Layer? No Core
1. Fully meshed distribution layers
2. Physical cabling requirement
3. Routing complexity
It's really a question of scale, complexity, and convergence
Growth of the full mesh as distribution blocks are added (each new distribution pair links to both switches of every existing pair):
Second building block: 4 new links
3rd building block: 8 new links, 12 links total, 5 IGP neighbors
4th building block: 12 new links, 24 links total, 8 IGP neighbors
Do I Need a Core Layer? Dedicated Core Switches
1. Easier to add a module
2. Fewer links in the core
3. Easier bandwidth upgrade
4. Routing protocol peering reduced
5. Equal-cost Layer 3 links for best convergence
It's really a question of scale, complexity, and convergence
Growth with a dedicated core pair (each distribution switch links to both core switches):
2nd building block: 8 new links
3rd building block: 4 new links, 12 links total, 3 IGP neighbors
4th building block: 4 new links, 16 links total, 3 IGP neighbors
Design Alternatives Come Within a Building (or Distribution) Block
[Diagram: the same core with Data Center, WAN and Internet; the three distribution blocks show the three alternatives side by side: Layer 2 Access, Routed Access, Virtual Switching System]
Layer 3 Distribution Interconnection (Layer 2 Access, No VLANs Span the Access Layer)
1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards the core
4. Limit redundant IGP peering
5. STP root and HSRP primary tuning, or GLBP, to load balance on uplinks
6. Set trunk mode on/no-negotiate
7. Disable EtherChannel unless needed
8. Set port host on access layer ports: disable trunking, disable EtherChannel, enable PortFast
9. RootGuard or BPDU Guard
10. Use security features
[Diagram: two access switches, each with its own data and voice VLANs (VLAN 20 Data 10.1.20.0/24 with VLAN 120 Voice 10.1.120.0/24; VLAN 40 Data 10.1.40.0/24 with VLAN 140 Voice 10.1.140.0/24), dual-homed to a distribution pair joined by a point-to-point Layer 3 link]
Layer 2 Distribution Interconnection (Layer 2 Access, Some VLANs Span the Access Layer)
1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards the core
4. Limit redundant IGP peering
5. STP root and HSRP primary, or GLBP, plus STP port cost tuning to load balance on uplinks
6. Set trunk mode on/no-negotiate
7. Disable EtherChannel unless needed
8. RootGuard on downlinks
9. LoopGuard on uplinks
10. Set port host on access layer ports: disable trunking, disable EtherChannel, enable PortFast
11. RootGuard or BPDU Guard
12. Use security features
[Diagram: the same access VLANs (VLAN 20/120 and VLAN 40/140) plus VLAN 250 WLAN 10.1.250.0/24 spanning both access switches; the distribution pair is joined by a Layer 2 trunk]
Routed Access and Virtual Switching System: Evolutions of and Improvements to Existing Designs
[Diagram, left: routed access. Each access switch routes its own VLANs (VLAN 20 Data 10.1.20.0/24 with VLAN 120 Voice 10.1.120.0/24; VLAN 40 Data 10.1.40.0/24 with VLAN 140 Voice 10.1.140.0/24) over point-to-point Layer 3 links to the distribution pair]
[Diagram, right: Virtual Switching System (new concept). The distribution pair is joined by a VSS link and acts as one switch; VLAN 250 WLAN 10.1.250.0/24 spans the access switches alongside VLANs 20/120 and 40/140]
Virtual Switch: Virtual Switching System 1440 (VSS)
1. A Virtual Switching System consists of two Cisco Catalyst 6500 Series switches defined as members of the same virtual switch domain
2. Single control plane with dual active forwarding planes
3. Designed to increase forwarding capacity while increasing availability by eliminating STP loops
4. Reduced operational complexity by simplifying configuration
[Diagram: VSS single logical switch = Switch 1 + Switch 2, joined by the Virtual Switch Link inside one Virtual Switch Domain]
Virtual Switching System: Single Control Plane
1. Uses one supervisor in each chassis with the inter-chassis Stateful Switchover (SSO) method, in which one supervisor is ACTIVE and the other is in HOT_STANDBY mode
2. Active/standby supervisors run in synchronized mode (boot-env, running configuration, protocol state and line card status get synchronized)
3. The ACTIVE supervisor manages control plane functions such as protocols (routing, EtherChannel, SNMP, telnet, etc.) and hardware control (OIR, port management)
4. Switchover to the STANDBY_HOT supervisor occurs when the ACTIVE supervisor fails, providing subsecond protocol and data forwarding recovery
SF: Switch Fabric; RP: Route Processor; PFC: Policy Feature Card; CFC: Centralized Forwarding Card; DFC: Distributed Forwarding Card
[Diagram: Active Supervisor (SF, RP, PFC) in chassis 1 and Standby HOT Supervisor (SF, RP, PFC) in chassis 2, joined by the VSL; both chassis populated with CFC or DFC line cards]
Virtual Switching System: Dual Active Forwarding Planes
    VSS-Router#show switch virtual redundancy
    My Switch Id = 1
    Peer Switch Id = 2
    Switch 1 Slot 5 Processor Information :
    -----------------------------------------------
    Current Software state = ACTIVE
    Configuration register = 0x2
    Fabric State = ACTIVE
    Control Plane State = ACTIVE
    Switch 2 Slot 5 Processor Information :
    -----------------------------------------------
    Current Software state = STANDBY HOT (switchover target)
    Configuration register = 0x2
    Fabric State = ACTIVE
    Control Plane State = STANDBY
1. The Virtual Switch operates with a single active supervisor from a control plane perspective, but with a dual active forwarding plane
2. Supervisor ports and all the line cards in both chassis, including Distributed Forwarding Cards (DFCs), are actively forwarding
[Diagram: both chassis labelled "Data Plane Active"]
Virtual Switching System: Multichassis EtherChannel (MEC)
1. MEC is an advanced EtherChannel technology extending link aggregation to two separate physical switches
2. MEC lets the VSS appear as a single logical device to the devices connected to it, significantly simplifying the campus topology
3. Traditionally, spanning VLANs over multiple closets would create an STP looped topology; MEC with VSS eliminates these loops in the campus topology
4. MEC replaces spanning tree as the means of providing link redundancy, thus doubling the bandwidth available from the access layer
5. MEC is supported only with VSS
[Diagram: bandwidth capacity in non-MEC and MEC topologies for VLAN 30. Non-MEC: STP blocks one of the two access uplinks. MEC: both uplinks form one Layer 2 channel to the VSS pair; physical topology shown next to the logical topology]
Foundation Services
1. Layer 1 physical things
2. Layer 2 redundancy: spanning tree
3. Layer 3 routing protocols
4. Trunking protocols (ISL/802.1Q)
5. Unidirectional link detection
6. Load balancing: EtherChannel link aggregation; CEF equal-cost load balancing
7. First-hop redundancy protocols: VRRP, HSRP, and GLBP
Best Practices: Layer 1 Physical Things
1. Use point-to-point interconnections: no Layer 2 aggregation points between nodes
2. Use fiber for best convergence (debounce timer)
3. Tune the carrier delay timer
4. Use configuration on the physical interface, not the VLAN/SVI, when possible
[Diagram: the reference campus with Layer 3 equal-cost links between distribution and core, and from the core to Data Center, WAN and Internet]
Redundancy and Protocol Interaction: Link Neighbour Failure Detection
1. Indirect link failures are harder to detect
2. With no direct hardware notification of link loss or topology change, convergence times depend on software notification
3. Indirect failure events in a bridged environment are detected by spanning tree hellos
4. In certain topologies, TCN updates or dummy multicast flooding (UplinkFast) are necessary for convergence
5. You should not be using hubs in a high availability design
[Diagram: a hub between a switch and its neighbour hides the far-side link failure; the loss is only noticed when BPDUs (bridged) or routing hellos (routed) stop arriving]
Redundancy and Protocol Interaction: Link Redundancy and Failure Detection
1. Direct point-to-point fiber provides fast failure detection
2. IEEE 802.3z and 802.3ae link negotiation define the use of the Remote Fault Indicator and Link Fault Signaling mechanisms
3. Bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side
4. Do not disable auto-negotiation on GigE and 10GigE interfaces
5. The default debounce timer on GigE and 10GigE fiber linecards is 10 msec
6. The minimum debounce for copper is 300 msec
7. Carrier delay: 3560, 3750 and 4500: 0 msec; 6500: leave it set at the default
[Diagram: the three stages between a link failure and the routing protocol seeing it: (1) linecard throttling: debounce timer; (2) remote IEEE fault detection mechanism; (3) Cisco IOS throttling: carrier delay timer]
Redundancy and Protocol Interaction: Layer 2 and 3, Why Use Routed Interfaces
1. Configuring Layer 3 routed interfaces provides faster convergence than a Layer 2 switch port with an associated Layer 3 SVI
Layer 2 switch port with SVI: link down, interface down, autostate, SVI down, routing update (~150-200 msec loss):
    21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down
    21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down
    21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down
    21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust Vlan301
Layer 3 routed interface: link down, interface down, routing update (~8 msec loss):
    21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
    21:38:37.050 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
    21:38:37.050 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust GigabitEthernet3/1
Note the roughly 250 msec between the physical link going down and the SVI going down (autostate) in the first log, against a routing callback in the same millisecond as the link event in the second.
Best Practices: Spanning Tree Configuration
1. Only span a VLAN across multiple access layer switches when you have to!
2. Use Rapid PVST+ for best convergence
3. More common in the data center
4. Required to protect against user-side loops
5. Required to protect against operational accidents (misconfiguration or hardware failure)
6. Take advantage of the spanning tree toolkit
[Diagram: the reference campus; in one distribution block the same VLAN spans three access switches, creating Layer 2 loops]
Multilayer Network Design: Layer 2 Access with Layer 3 Distribution
[Diagram: the left block has VLAN 10, VLAN 20 and VLAN 30 each on its own access switch; the right block has VLAN 30 on every access switch]
Loop-free (left):
1. Each access switch has unique VLANs
2. No Layer 2 loops
3. Layer 3 link between the distribution switches
4. No blocked links
Looped (right):
1. At least some VLANs span multiple access switches
2. Layer 2 loops
3. Layer 2 and 3 running over the link between the distribution switches
4. Blocked links
Layer 2 Hardening: Spanning Tree Should Behave the Way You Expect
1. Place the root where you want it: root primary/secondary macro
2. The root bridge should stay where you put it: RootGuard, LoopGuard, UplinkFast, UDLD
3. Only end-station traffic should be seen on an edge port: BPDU Guard, RootGuard, PortFast, port security
[Diagram: STP root at the distribution; RootGuard and UplinkFast on the access uplinks, LoopGuard on the distribution and access links, and BPDU Guard or RootGuard, PortFast and port security on the edge ports]
Best Practices: Layer 3 Routing Protocols
1. Typically deployed in distribution-to-core and core-to-core interconnections
2. Used to quickly re-route around failed nodes/links while providing load balancing over redundant paths
3. Build triangles, not squares, for deterministic convergence
4. Only peer on links that you intend to use as transit
5. Ensure redundant Layer 3 paths to avoid black holes
6. Summarize distribution to core to limit the EIGRP query diameter or OSPF LSA propagation
7. Tune the CEF L3/L4 load-balancing hash to achieve maximum utilization of equal-cost paths (CEF polarization)
[Diagram: the reference campus with Layer 3 equal-cost links between distribution and core]
Best Practice: Passive Interfaces for IGP
1. Limit unnecessary peering using passive interface: four VLANs per wiring closet means 12 adjacencies total; memory and CPU requirements increase with no real benefit; creates overhead for IGP routing updates
OSPF example, per interface:
    Router(config)#router ospf 1
    Router(config-router)#passive-interface Vlan 99
OSPF example, passive by default and re-enabled only on the transit interface:
    Router(config)#router ospf 1
    Router(config-router)#passive-interface default
    Router(config-router)#no passive-interface Vlan 99
EIGRP example, per interface:
    Router(config)#router eigrp 1
    Router(config-router)#passive-interface Vlan 99
EIGRP example, passive by default:
    Router(config)#router eigrp 1
    Router(config-router)#passive-interface default
    Router(config-router)#no passive-interface Vlan 99
Limit OSPF and EIGRP peering through the access layer
Why You Want to Summarize at the Distribution: Limit EIGRP Queries and OSPF LSA Propagation
1. It is important to force summarization at the distribution towards the core
2. For return-path traffic an OSPF or EIGRP re-route is required
3. By limiting the number of peers an EIGRP router must query, or the number of LSAs an OSPF peer must process, we can optimize this re-route
4. EIGRP example:
    interface Port-channel1
     description to Core#1
     ip address 10.122.0.34 255.255.255.252
     ip hello-interval eigrp 100 1
     ip hold-time eigrp 100 3
     ip summary-address eigrp 100 10.1.0.0 255.255.0.0 5
[Diagram: access subnets 10.1.1.0/24 and 10.1.2.0/24 behind the distribution pair; with no summaries, queries go beyond the core into the rest of the network, and traffic is dropped until the IGP converges]
Why You Want to Summarize at the Distribution: Reduce the Complexity of IGP Convergence
1. It is important to force summarization at the distribution towards the core
2. For return-path traffic an OSPF or EIGRP re-route is required
3. By limiting the number of peers an EIGRP router must query, or the number of LSAs an OSPF peer must process, we can optimize this re-route
4. For EIGRP, if we summarize at the distribution we stop queries at the core boxes for an access layer flap
5. For OSPF, when we summarize at the distribution (area border or L1/L2 border) the flooding of LSAs is limited to the distribution switches; SPF now deals with one LSA, not three
[Diagram: the same block advertising the summary 10.1.0.0/16 to the core; the summary stops queries at the core, and traffic is dropped only until the IGP converges inside the block]
Best Practice: Summarize at the Distribution (Gotcha: Distribution-to-Distribution Link Required)
1. Best practice: summarize at the distribution layer to limit EIGRP queries or OSPF LSA propagation
2. Gotcha: when an access uplink fails, the upstream direction is fine because HSRP on the left distribution switch takes over. On the return path the right distribution switch still advertises the summary to the core (its other access subnets keep the summary alive), so the core keeps sending return traffic to it, and with no specific route left for the failed subnet that traffic is dropped on the right distribution switch
3. Summarizing therefore requires a link between the distribution switches, so that the right switch learns the specific route from the left one
4. Alternative design: use the access layer for transit
[Diagram: access subnets 10.1.1.0/24 and 10.1.2.0/24; both distribution switches advertise the summary 10.1.0.0/16; return traffic arriving at the right distribution switch is dropped with no route]
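The gotcha above, walked through as an added example (this is not code from the deck or from Cisco): a small longest-prefix-match model of the right-hand distribution switch's routing table. The switch names Dist-L, Dist-R, Access-1 and Access-2 and the choice of 10.1.1.0/24 as the subnet behind the failed link are constructed for the example; the summary 10.1.0.0/16 and the access subnets are the ones on the slide. It relies on one behaviour of EIGRP and OSPF summarization on Cisco IOS: the summarizing router installs a discard route (Null0) for the summary itself and keeps advertising the summary as long as any component prefix is still in its table.

```python
"""Longest-prefix-match model of the "summarize at the distribution" gotcha.

Added example, not Cisco code. Dist-R summarizes 10.1.0.0/16 towards the core.
Its two access subnets are 10.1.1.0/24 and 10.1.2.0/24. When the access link
carrying 10.1.1.0/24 fails on Dist-R, 10.1.2.0/24 keeps the summary alive, so
the core keeps sending half of the return traffic for 10.1.1.0/24 to Dist-R.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next hop)

SUMMARY = ipaddress.ip_network("10.1.0.0/16")
ACCESS_1 = ipaddress.ip_network("10.1.1.0/24")  # behind the failed link
ACCESS_2 = ipaddress.ip_network("10.1.2.0/24")  # still reachable


def lookup(rib: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def dist_r_rib(access_1_up: bool, dist_link: bool) -> List[Route]:
    """Dist-R's table (constructed). Summarizing installs a Null0 discard route
    for the summary; component routes come from the access links or, if there is
    a distribution-to-distribution L3 link, from Dist-L, which still has them."""
    rib: List[Route] = [(SUMMARY, "Null0"), (ACCESS_2, "Access-2")]
    if access_1_up:
        rib.append((ACCESS_1, "Access-1"))
    elif dist_link:
        rib.append((ACCESS_1, "Dist-L"))  # learned over the dist-to-dist link
    return rib


def summary_still_advertised(rib: List[Route]) -> bool:
    """A summary stays advertised while any component prefix is present."""
    return any(net != SUMMARY and net.subnet_of(SUMMARY) for net, _ in rib)


def return_traffic(access_1_up: bool, dist_link: bool) -> Dict[str, object]:
    """Where does a return packet for a host in 10.1.1.0/24 go on Dist-R?"""
    rib = dist_r_rib(access_1_up, dist_link)
    return {
        "advertises_summary": summary_still_advertised(rib),
        "next_hop": lookup(rib, "10.1.1.10") or "no route",
    }


if __name__ == "__main__":
    cases = {
        "steady state": (True, False),
        "access link failed, no dist-to-dist link": (False, False),
        "access link failed, dist-to-dist L3 link": (False, True),
    }
    for state, args in cases.items():
        print(f"{state:42s} {return_traffic(*args)}")
```

In the failure case without a distribution-to-distribution link the packet matches only the summary's own Null0 entry and is discarded, while the summary is still being advertised to the core; adding the link gives Dist-R a more specific route via Dist-L and the lookup succeeds.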
Provide Alternate Paths
1. What happens if a distribution switch's single path to the core fails?
2. No route to the core anymore?
3. Allow the traffic to go through the access? Do you want to use your access switches as transit nodes? How do you design for scalability if the access is used for transit traffic?
4. Install a redundant link to the core
5. Best practice: install a redundant link to the core and utilize a Layer 3 link between the distribution switches
[Diagram: distribution switches A and B; one of them has a single path to the core, and when it fails traffic arriving at that switch is dropped with no route to the core]
EIGRP Design Rules in the Campus: Leverage the Tools Provided
1. The greatest advantages of EIGRP are gained when the network has a structured addressing plan that allows for use of summarization and stub routers when appropriate
2. EIGRP provides the ability to implement multiple tiers of summarization and route filtering
3. Minimize the number of queries and the time for query response to speed up convergence
4. Summarize distribution block routes upstream to the core
5. If routing in the access, configure all access switches as EIGRP stub routers
6. If routing in the access layer, filter routes sent down to access switches
[Diagram: multiple tiers of summarization: 10.10.0.0/17 and 10.10.128.0/17 at the lower tier, 10.10.0.0/16 advertised upstream]
OSPF Design Rules in the Campus: Where Are the Areas?
1. Area design based on address summarization
2. Area boundaries should define buffers between fault domains
3. Summarize routes from the distribution block upstream into the core
4. Minimize the number of LSAs and routes in the core
5. Reduce the need for SPF calculations due to internal distribution block changes
6. The ABR for a regular area forwards summary LSAs (Type 3), ASBR summary LSAs (Type 4) and specific externals (Type 5)
7. A stub area ABR forwards summary LSAs (Type 3) and a summary default (0.0.0.0)
8. A totally stubby area ABR forwards only a summary default (0.0.0.0)
[Diagram: the core, Data Center, WAN and Internet in Area 0; each distribution block is its own area (Area 100, Area 110, Area 120) with the distribution switches on the area border]
Optimizing CEF Load-Sharing: Equal Cost Multi-Path
Catalyst 6500 PFC3** load-sharing options:
    Default*           Src IP + Dst IP + Unique ID
    Full               Src IP + Dst IP + Src Port + Dst Port
    Full Exclude Port  Src IP + Dst IP + (Src or Dst Port)
    Simple             Src IP + Dst IP
    Full Simple        Src IP + Dst IP + Src Port + Dst Port
Catalyst 4500 load-sharing options:
    Original           Src IP + Dst IP
    Universal*         Src IP + Dst IP + Unique ID
    Include Port       Src IP + Dst IP + (Src or Dst Port) + Unique ID
* = default load-sharing mode
** = PFC3 in Sup720 and Sup32 supervisors
1. Depending on the traffic flow patterns and IP addressing in use, one algorithm may provide better load-sharing results than another
2. Be careful not to introduce polarization in a multi-tier design by changing the default to the same thing in all tiers/layers of the network
[Diagram: a two-tier example with one tier set to "simple" and the other to "full simple"; the flow split across the equal-cost links is shown as 30% and 70% of flows]
CEF Load Balancing: Avoid Underutilizing Redundant Layer 3 Paths
1. CEF polarization: without some tuning CEF will select the same path, left/left or right/right
2. Imbalance/overload could occur
3. Redundant paths are ignored/underutilized
4. The default CEF hash input is Layer 3
5. We can change the default to use Layer 3 + Layer 4 information as input to the hash derivation
[Diagram: the distribution (default L3 hash) sends flows left or right to the core; the core (default L3 hash) sends the same flows left/left or right/right, so the redundant paths are ignored]
CEF Load Balancing: All Paths Used
1. The default works for Sup720/Sup32 and later hardware (a unique ID is added to the default hash inputs). However, depending on the IP addressing and the flows, imbalance could still occur
2. Alternating an L3/L4 hash with an L3 hash gives the best load-balancing results
3. Use "simple" in the core and "full simple" in the distribution to add Layer 4 information to the algorithm at the distribution and maintain differentiation tier to tier
[Diagram: distribution (L3/L4 hash) and core (default L3 hash); flows now split R/L at every tier and all paths are used]
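CEF polarization, as an added example (not code from the deck, and not the real PFC hash): a toy two-tier model in which a distribution switch picks one of two core switches and that core switch then picks one of two downlinks. The hash is a SHA-256 stand-in; the only property reproduced is that identical inputs give identical results on every switch unless a switch mixes in a per-switch unique ID, or a tier hashes different inputs (L3 only versus L3 + L4). The traffic sample is constructed.

```python
"""Toy model of CEF equal-cost path selection across two tiers.

Added example, not Cisco code or the real PFC hash. Only the property that
matters is reproduced: a hash of the same inputs gives the same result on every
switch, unless a switch mixes in something of its own (the per-switch unique
ID) or a tier hashes different inputs (L3 only vs. L3 + L4).
"""
import hashlib
from collections import Counter
from typing import Callable, Dict, List, Tuple

Flow = Tuple[str, str, int, int]        # src IP, dst IP, src port, dst port
Hash = Callable[[Flow], int]


def _h(*parts: object) -> int:
    """Deterministic, non-linear stand-in for the hardware hash."""
    data = "|".join(str(p) for p in parts).encode()
    return hashlib.sha256(data).digest()[0]


def l3_hash(unique_id: int = 0) -> Hash:
    """'Simple': Src IP + Dst IP. unique_id=0 models no per-switch ID;
    a non-zero value models the unique ID Sup720/Sup32 add by default."""
    return lambda f: _h("l3", f[0], f[1], unique_id)


def l3l4_hash(unique_id: int = 0) -> Hash:
    """'Full simple': Src IP + Dst IP + Src Port + Dst Port."""
    return lambda f: _h("l3l4", f[0], f[1], f[2], f[3], unique_id)


def make_flows(n: int) -> List[Flow]:
    """Constructed sample traffic: many client hosts talking to a few servers."""
    return [
        (f"10.1.{(i // 200) % 250}.{i % 250 + 1}",   # client address
         f"10.122.10.{i % 7 + 1}",                    # server address
         1024 + (i * 7919) % 60000,                  # ephemeral source port
         443 if i % 2 else 80)                       # destination port
        for i in range(n)
    ]


def simulate(flows: List[Flow], dist: Hash,
             cores: Tuple[Hash, Hash]) -> Dict[Tuple[int, int], int]:
    """The distribution switch picks core 0 or 1 with its hash; that core then
    picks downlink 0 or 1 with its own hash. Returns flows per (core, downlink)."""
    paths: Counter = Counter()
    for f in flows:
        core = dist(f) % 2
        downlink = cores[core](f) % 2
        paths[(core, downlink)] += 1
    return dict(paths)


def paths_in_use(result: Dict[Tuple[int, int], int]) -> int:
    return sum(1 for n in result.values() if n > 0)


if __name__ == "__main__":
    flows = make_flows(2000)
    scenarios = {
        "L3 hash everywhere, no unique ID (polarized)":
            (l3_hash(), (l3_hash(), l3_hash())),
        "L3 hash + per-switch unique ID (Sup720/Sup32 default)":
            (l3_hash(1), (l3_hash(2), l3_hash(3))),
        "full simple at distribution, simple at core":
            (l3l4_hash(), (l3_hash(), l3_hash())),
        "full simple at every tier (re-polarized)":
            (l3l4_hash(), (l3l4_hash(), l3l4_hash())),
    }
    for name, (dist, cores) in scenarios.items():
        r = simulate(flows, dist, cores)
        print(f"{name}: {paths_in_use(r)} of 4 paths used {r}")
```

The last scenario is the caveat from the previous slide: tuning every tier to the same L3/L4 algorithm removes the differentiation again and only two of the four paths carry traffic, exactly as with the untuned L3 hash.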
Best Practices: Trunk Configuration
1. Typically deployed on the interconnection between access and distribution layers
2. Use VTP transparent mode to decrease the potential for operational error
3. Hard-set trunk mode to on and encapsulation negotiation to off for optimal convergence
4. Change the native VLAN to something unused to avoid VLAN hopping
5. Manually prune all VLANs except those needed
6. Disable on host ports: CatOS: set port host; Cisco IOS: switchport host
[Diagram: the reference campus with 802.1Q trunks between access and distribution and Layer 3 equal-cost links above]
DTP: Dynamic Trunking Protocol
1. Automatic formation of a trunked switch-to-switch interconnection. On: always be a trunk; Desirable: ask if the other side can/will; Auto: if the other side asks, I will; Off: don't become a trunk
2. Negotiation of 802.1Q or ISL encapsulation. ISL: try to use ISL trunk encapsulation; 802.1Q: try to use 802.1Q encapsulation; Negotiate: negotiate ISL or 802.1Q encapsulation with the peer; Non-negotiate: always use the encapsulation that is hard-set
Outcomes by mode pair: On/On: trunk; Auto/Desirable: trunk; Off/Off: no trunk; Off with On, Auto or Desirable: no trunk
Best Practices: UDLD Configuration
1. Typically deployed on any fiber optic interconnection
2. Use UDLD aggressive mode for best protection
3. Turn on in global configuration to avoid operational error/misses
4. Config example
   Cisco IOS: udld aggressive
(Figure: campus topology highlighting the fiber interconnections; Data Center, WAN and Internet attach to the core over Layer 3 equal cost links.)
Best Practices: EtherChannel Configuration
1. Typically deployed in distribution to core, and core to core interconnections
2. Used to provide link redundancy while reducing peering complexity
3. Tune L3/L4 load balancing hash to achieve maximum utilization of channel members
4. Deploy in powers of 2 (2, 4, or 8)
5. Match CatOS and Cisco IOS PAgP settings
6. 802.3ad LACP for interop if you need it
7. Disable unless needed:
   CatOS: set port host
   Cisco IOS: switchport host
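Points 3 and 4 above (tune the hash, deploy in powers of 2) come from how frames are spread over bundle members. The model below is an added example, not Cisco code: Catalyst platforms reduce the selected header fields to one of 8 hash buckets and map the buckets onto members, so 3 members get a 3/3/2 split while 2, 4 and 8 split evenly; the XOR reduction is a simplified stand-in for the platform's hash, and the flows are constructed.

```python
"""Model of EtherChannel frame distribution across bundle members.

Added example, not from the original deck. The 8-bucket mapping is what
makes "deploy in powers of 2" matter; the XOR-based reduction below is a
simplified stand-in for the platform's hash. Method names follow the IOS
'port-channel load-balance' keywords. Flows are constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]   # (src_ip, dst_ip, src_port, dst_port)
NUM_BUCKETS = 8


def _ip_bytes(ip: str) -> List[int]:
    return [int(octet) for octet in ip.split(".")]


def _port_bytes(port: int) -> List[int]:
    return [(port >> 8) & 0xFF, port & 0xFF]


def hash_bucket(flow: Flow, method: str) -> int:
    """Return the 3-bit bucket (0-7) for a flow under a load-balance method."""
    src_ip, dst_ip, src_port, dst_port = flow
    if method == "src-dst-ip":
        fields = _ip_bytes(src_ip) + _ip_bytes(dst_ip)
    elif method == "src-dst-port":
        fields = _port_bytes(src_port) + _port_bytes(dst_port)
    else:
        raise ValueError(f"unsupported method {method}")
    x = 0
    for b in fields:
        x ^= b
    return (x ^ (x >> 3) ^ (x >> 6)) & (NUM_BUCKETS - 1)


def buckets_per_member(n_members: int) -> List[int]:
    """How many of the 8 buckets each member receives (round-robin mapping)."""
    counts = [0] * n_members
    for bucket in range(NUM_BUCKETS):
        counts[bucket % n_members] += 1
    return counts


def member_load(flows: List[Flow], method: str, n_members: int) -> Dict[int, int]:
    """Flows carried per member index under the given hash method."""
    load: Counter = Counter()
    for flow in flows:
        load[hash_bucket(flow, method) % n_members] += 1
    return dict(load)


# Constructed traffic: one backup job made of sixteen TCP sessions between
# the same two servers, differing only in source port. An IP-only hash
# polarizes all of them onto one member; a port hash spreads them.
BACKUP_FLOWS: List[Flow] = [("10.1.1.10", "10.2.2.20", 40000 + i, 445) for i in range(16)]

if __name__ == "__main__":
    for n in (2, 3, 4, 8):
        print(f"{n} members -> buckets per member {buckets_per_member(n)}")
    for method in ("src-dst-ip", "src-dst-port"):
        print(f"{method}: flows per member {member_load(BACKUP_FLOWS, method, 4)}")
```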
Understanding EtherChannel Link Negotiation Options: PAgP and LACP
PAgP (Port Aggregation Protocol) outcomes: On/On: Channel; On/Off: No Channel; Auto/Desirable: Channel; Off/On, Auto, Desirable: No Channel
   On: always be a channel/bundle member
   Desirable: ask if the other side can/will
   Auto: if the other side asks, I will
   Off: don't become a member of a channel/bundle
LACP (Link Aggregation Control Protocol) outcomes: On/On: Channel; On/Off: No Channel; Active/Passive: Channel; Passive/Passive: No Channel
   On: always be a channel/bundle member
   Active: ask if the other side can/will
   Passive: if the other side asks, I will
   Off: don't become a member of a channel/bundle
EtherChannels or Equal Cost Multipath
10/100/1000 at the access: how do you aggregate it?
(Figure: access, distribution and core layers. Access to distribution: typical 20:1 data oversubscription; distribution to core: typical 4:1 data oversubscription; 10GE and 10GE channels used for aggregation.)
EtherChannels or Equal Cost Multipath
Reduce Complexity/Peer Relationships
1. More links = more routing peer relationships and associated overhead
2. EtherChannels allow you to reduce peers by creating a single logical interface to peer over
3. On single link failure in a bundle:
   OSPF running on an IOS-based switch will reduce link cost and re-route traffic
   OSPF running on a hybrid switch will not change link cost and may overload remaining links
   EIGRP may not change link cost and may overload remaining links
(Figure: campus topology with Layer 3 equal cost links; Data Center, WAN and Internet attach to the core.)
EtherChannels or Equal Cost Multipath
Why 10-Gigabit Interfaces
1. More links = more routing peer relationships and associated overhead
2. EtherChannels allow you to reduce peers by creating a single logical interface to peer over
3. However, a single link failure is not taken into consideration by routing protocols. Overload possible.
4. Single 10-Gigabit links address both problems. Increased bandwidth without increasing complexity or compromising routing protocols' ability to select the best path.
(Figure: campus topology with Layer 3 equal cost links; Data Center, WAN and Internet attach to the core.)
EtherChannels: Quick Summary
1. For Layer 2 EtherChannels: Desirable/Desirable is the recommended configuration so that PAgP is running across all members of the bundle, ensuring that an individual link failure will not result in an STP failure
2. For Layer 3 EtherChannels: one can consider a configuration that uses ON/ON. There is a trade-off between performance/HA impact and maintenance and operations implications.
3. An ON/ON configuration is faster from a link-up (restoration) perspective than a Desirable/Desirable alternative. However, in this configuration PAgP is not actively monitoring the state of the bundle members and a misconfigured bundle is not easily identified.
4. Routing protocols may not have visibility into the state of an individual member of a bundle. LACP and the minimum links option can be used to bring the entire bundle down when the capacity is diminished.
   OSPF has visibility to member loss (best practices pending investigation). EIGRP does not.
5. When used to increase bandwidth, no individual flow can go faster than the speed of an individual member of the link
6. Best used to eliminate single points of failure (i.e. link or port) dependencies from a topology
Best Practices: First Hop Redundancy
1. Used to provide a resilient default gateway/first hop address to end-stations
2. HSRP, VRRP, and GLBP alternatives
3. VRRP, HSRP and GLBP provide millisecond timers and excellent convergence performance
4. VRRP if you need multivendor interoperability
5. GLBP facilitates uplink load balancing
6. Preempt timers need to be tuned to avoid black-holed traffic
(Figure: campus topology with first hop redundancy at the distribution layer; Data Center, WAN and Internet attach to the core over Layer 3 equal cost links.)
First Hop Redundancy with VRRP
IETF Standard RFC 2338 (April 1998)
1. A group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address
2. One (master) router performs packet forwarding for local hosts
3. The rest of the routers act as backup in case the master router fails
4. Backup routers stay idle as far as packet forwarding from the client side is concerned
(Figure: R1 is VRRP master, forwarding traffic; R2 is VRRP backup. R1 (Distribution-A, VRRP active): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.5e00.0101. R2 (Distribution-B, VRRP backup): IP 10.0.0.253, MAC 0000.0c78.9abc, no vIP/vMAC while backup. Hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 (MACs aaaa.aaaa.aa01, aaaa.aaaa.aa02, aaaa.aaaa.aa03) on Access-a use GW 10.0.0.10, which ARP resolves to 0000.5e00.0101.)
First Hop Redundancy with HSRP
RFC 2281 (March 1998)
1. A group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address
2. One (active) router performs packet forwarding for local hosts
3. The rest of the routers provide hot standby in case the active router fails
4. Standby routers stay idle as far as packet forwarding from the client side is concerned
(Figure: R1 is HSRP active, forwarding traffic; R2 is hot standby, idle. R1 (Distribution-A, HSRP active): IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0000.0c07.ac00. R2 (Distribution-B, HSRP standby): IP 10.0.0.253, MAC 0000.0c78.9abc, no vIP/vMAC while standby. Hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 (MACs aaaa.aaaa.aa01, aaaa.aaaa.aa02, aaaa.aaaa.aa03) on Access-a use GW 10.0.0.10, which ARP resolves to 0000.0c07.ac00.)
Why You Want HSRP Preemption
1. Spanning Tree root and HSRP primary aligned
2. When Spanning Tree root is re-introduced, traffic will take a two-hop path to HSRP active
3. HSRP preemption will allow HSRP to follow Spanning Tree topology
(Figure: access, distribution and core layers; when the distribution switch that is Spanning Tree root returns, HSRP preempt moves the HSRP active role back onto the root.)
Without preempt delay HSRP can go active before the box is completely ready to forward traffic: L1 (boards), L2 (STP), L3 (IGP convergence)
standby 1 preempt delay minimum 180
First Hop Redundancy with GLBP
Cisco Designed, Load Sharing, Patent Pending
1. All the benefits of HSRP plus load balancing of the default gateway; utilizes all available bandwidth
2. A group of routers function as one virtual router by sharing one virtual IP address but using multiple virtual MAC addresses for traffic forwarding
3. Allows traffic from a single common subnet to go through multiple redundant gateways using a single virtual IP address
(Figure: R1 (Distribution-A) is GLBP AVG and AVF/SVF; R2 (Distribution-B) is GLBP AVF/SVF; R1 and R2 both forward traffic. R1: IP 10.0.0.254, MAC 0000.0c12.3456, vIP 10.0.0.10, vMAC 0007.b400.0101. R2: IP 10.0.0.253, MAC 0000.0c78.9abc, vIP 10.0.0.10, vMAC 0007.b400.0102. Hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 (MACs aaaa.aaaa.aa01, aaaa.aaaa.aa02, aaaa.aaaa.aa03) on Access-a use GW 10.0.0.10; their ARP replies resolve it to 0007.b400.0101, 0007.b400.0102 and 0007.b400.0101 respectively.)
First Hop Redundancy with Load Balancing
Cisco Gateway Load Balancing Protocol (GLBP)
1. Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address/default gateway
2. When end-stations ARP for the common IP address/default gateway they are given a load balanced virtual MAC address
3. Host A and host B send traffic to different GLBP peers but have the same default gateway
(Figure: subnet 10.88.1.0/24, vIP 10.88.1.10. R1 (.1): GLBP 1 ip 10.88.1.10, vMAC 0000.0000.0001. R2 (.2): GLBP 1 ip 10.88.1.10, vMAC 0000.0000.0002. Hosts A and B (.4 and .5) each ARP for 10.88.1.10; the ARP reply gives A MAC 0000.0000.0001 and B MAC 0000.0000.0002.)
Optimizing Convergence: VRRP, HSRP, GLBP
Mean, Max, and Min: Are There Differences?
(Chart: time in seconds to converge (longest, shortest, average; scale 0 to 1.2 s) for VRRP, HSRP and GLBP on a distribution to access link failure, access to server farm. 50% of flows have zero loss with GLBP; GLBP is 50% better.)
1. VRRP not tested with sub-second timers and all flows go through a common VRRP peer; mean, max, and min are equal
2. HSRP has sub-second timers; however all flows go through the same HSRP peer so there is no difference between mean, max, and min
3. GLBP has sub-second timers and distributes the load amongst the GLBP peers; so 50% of the clients are not affected by an uplink failure
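The GLBP load-balancing slides and the 50% figure above follow from how the AVG hands out virtual MACs and reassigns a failed forwarder's MAC. The simulation below is an added example, not Cisco code: hosts, router names and the group number are constructed, the vMAC format is GLBP's 0007.b400.GGFF and HSRP's 0000.0c07.acGG, and an HSRP group is modelled beside it for the comparison.

```python
"""Model of GLBP virtual MAC assignment and forwarder takeover.

Added example, not from the deck. The AVG answers each ARP for the virtual
IP with the next vMAC in round robin; when an AVF fails, the AVG gives its
vMAC to a surviving member, so hosts keep their cached gateway MAC and only
the hosts mapped to the failed forwarder see loss until takeover. Hosts and
routers below are constructed.
"""
import itertools
from typing import Dict, List


class GlbpGroup:
    def __init__(self, group: int, members: List[str]) -> None:
        self.members = list(members)
        # vMAC 0007.b400.GGFF: GG = group number, FF = forwarder number (1-based)
        self.vmac_owner: Dict[str, str] = {
            f"0007.b400.{group:02x}{n:02x}": router
            for n, router in enumerate(self.members, start=1)
        }
        self._rr = itertools.cycle(list(self.vmac_owner))
        self.host_arp: Dict[str, str] = {}   # host IP -> cached gateway vMAC

    def arp_reply(self, host_ip: str) -> str:
        """AVG answers an ARP for the virtual IP with the next vMAC."""
        vmac = next(self._rr)
        self.host_arp[host_ip] = vmac
        return vmac

    def forwarder_for(self, host_ip: str) -> str:
        return self.vmac_owner[self.host_arp[host_ip]]

    def affected_fraction(self, failed: str) -> float:
        """Share of hosts whose traffic is black-holed before takeover."""
        if not self.host_arp:
            return 0.0
        hit = sum(1 for ip in self.host_arp if self.forwarder_for(ip) == failed)
        return hit / len(self.host_arp)

    def fail_forwarder(self, failed: str) -> None:
        """After the AVF hold timer expires the AVG reassigns its vMAC."""
        survivors = [r for r in self.members if r != failed]
        if not survivors:
            raise RuntimeError("no forwarder left in the group")
        self.members = survivors
        for vmac, owner in list(self.vmac_owner.items()):
            if owner == failed:
                self.vmac_owner[vmac] = survivors[0]   # survivor becomes SVF for it
        self._rr = itertools.cycle(list(self.vmac_owner))


class HsrpGroup:
    """Single active forwarder: every host caches the same vMAC."""

    def __init__(self, group: int, active: str, standby: str) -> None:
        self.vmac = f"0000.0c07.ac{group:02x}"
        self.active, self.standby = active, standby
        self.host_arp: Dict[str, str] = {}

    def arp_reply(self, host_ip: str) -> str:
        self.host_arp[host_ip] = self.vmac
        return self.vmac

    def affected_fraction(self, failed: str) -> float:
        return 1.0 if self.host_arp and failed == self.active else 0.0


def demo() -> dict:
    """Four constructed hosts ARP for the gateway, then R1's uplink fails."""
    hosts = [f"10.0.0.{i}" for i in range(1, 5)]
    glbp, hsrp = GlbpGroup(1, ["R1", "R2"]), HsrpGroup(1, "R1", "R2")
    for host in hosts:
        glbp.arp_reply(host)
        hsrp.arp_reply(host)
    result = {
        "glbp_affected": glbp.affected_fraction("R1"),
        "hsrp_affected": hsrp.affected_fraction("R1"),
    }
    glbp.fail_forwarder("R1")
    result["after_takeover"] = {host: glbp.forwarder_for(host) for host in hosts}
    return result


if __name__ == "__main__":
    print(demo())
```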
If You Span VLANs, Tuning Required
1. Both distribution switches act as default gateway
2. Blocked uplink caused traffic to take less than optimal path
By Default, Half the Traffic Will Take a Two-Hop L2 Path
(Figure: VLAN 2 spans Access-a and Access-b (Layer 2); Distribution-A (Layer 2/3) owns GLBP virtual MAC 1 and Distribution-B owns GLBP virtual MAC 2; the core is Layer 3. On each access switch one uplink is forwarding (F) and the other blocking (B) for VLAN 2, so traffic to the gateway behind the blocked uplink takes a two-hop Layer 2 path.)
Service Availability Focus
Catalyst with Cisco IOS Software Modularity
Benefits: automated policy control; simplify software changes; minimize unplanned downtime
Innovation: Catalyst 6500 data plane; network-optimized microkernel; modular processes such as IOS-Base, Routing, TCP, UDP, EEM, FTP, CDP, INETD, etc.
High Availability Infrastructure (Cisco IOS Software Modularity): memory protection, fault containment, stateful process restarts, subsystem ISSU
MPLS, IPv6, BFD now modular
Full HW and SW parity with native IOS
Generic Online Diagnostics: How does GOLD work?
1. Diagnostic packet switching tests verify that the system is operating correctly:
   Is the supervisor control plane and forwarding plane functioning properly?
   Is the standby supervisor ready to take over?
   Are linecards forwarding packets properly?
   Are all ports working?
   Is the backplane connection working?
2. Other types of diagnostics tests including memory and error correlation tests are also available
(Figure: diagnostic packets from the active supervisor CPU traverse its forwarding engine, the fabric, the line cards and the standby supervisor's forwarding engine.)
Embedded Event Manager: EEM Application Example
Upon matching the provided SYSLOG message LINK-3-UPDOWN, the switch performs the following actions:
   Display counter error statistics for the link that has gone down
   Start a GOLD loopback test
   Send the results using a provided template to a user-configurable address
(Figure: interface down -> EEM -> interface error counters and GOLD loopback test -> results sent in an email alert.)
Agenda
1. Multilayer Campus Design Principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary
(Figure: campus with Data Center, Services Block and Distribution Blocks.)
Daisy Chaining Access Layer Switches
Avoid Potential Black Holes
Return Path Traffic Has a 50/50 Chance of Being Black Holed
(Figure: VLAN 2 spans the daisy-chained access switches Access-a, Access-c and Access-n (Layer 2); Distribution-A and Distribution-B (Layer 2/3) are joined only by a Layer 3 link; the core is Layer 3. There is a 50% chance that return traffic will go down the path with no connectivity, where it is dropped with no path to the destination.)
Daisy Chaining Access Layer Switches
New Technology Addresses Old Problems
1. StackWise/StackWise-Plus technology eliminates the concern
   Loopback links not required
   No longer forced to have L2 link in distribution
2. If you use modular (chassis-based) switches, these problems are not a concern
(Figure: a 3750-E stack with both uplinks forwarding over Layer 3 to the HSRP active and HSRP standby distribution switches.)
What Happens if You Don't Link the Distributions?
1. STP's slow convergence can cause considerable periods of traffic loss
2. STP could cause non-deterministic traffic flows/link load engineering
3. STP convergence will cause Layer 3 convergence
4. STP and Layer 3 timers are independent
5. Unexpected Layer 3 convergence and re-convergence could occur
6. Even if you do link the distribution switches, dependence on STP and link state/connectivity can cause HSRP irregularities and unexpected state transitions
(Figure: VLAN 2 spans Access-a and Access-b. One distribution switch is STP root and HSRP active, the other STP secondary root and HSRP standby; HSRP hellos cross the access layer. After the Access-a uplink to the root fails: traffic is dropped until HSRP goes active on the standby; traffic is dropped until MaxAge expires, then listening and learning; traffic is dropped until the transition to forwarding, as much as 50 seconds. F: forwarding, B: blocking.)
What if You Don't?
Black Holes and Multiple Transitions
1. Blocking link on Access-b will take 50 seconds to move to forwarding; traffic black hole until HSRP goes active on the standby HSRP peer
   Aggressive HSRP timers limit black hole #1
2. After MaxAge expires (or BackboneFast or Rapid PVST+ converges) HSRP preempt causes another transition
   BackboneFast limits time (30 seconds) to event #2
   Even with Rapid PVST+ at least one second before event #2
3. Access-b used as transit for Access-a's traffic
(Figure: VLAN 2 spans Access-a and Access-b (Layer 2); distribution is Layer 2/3 and the core Layer 3. One distribution switch is STP root and HSRP active; the other is STP secondary root and HSRP standby, becoming HSRP active temporarily after the failure; HSRP hellos cross the access layer. Traffic is dropped until HSRP goes active; MaxAge seconds pass before the failure is detected, then listening and learning. F: forwarding, B: blocking.)
What if You Don't?
Return Path Traffic Black Holed
1. Blocking link on Access-b will take 50 seconds to move to forwarding; return traffic black hole until then
   802.1d: up to 50 seconds
   PVST+: BackboneFast 30 seconds
   Rapid PVST+: addressed by the protocol (one second)
(Figure: VLAN 2 spans Access-a and Access-b (Layer 2); distribution is Layer 2/3 and the core Layer 3. One distribution switch is STP root and HSRP active, the other STP secondary root and HSRP standby; HSRP hellos cross the access layer. Return traffic is dropped until MaxAge expires, then listening and learning. F: forwarding, B: blocking.)
Best Practices: Prevent Unicast Flooding
1. Assign one unique data and voice VLAN to each access switch
2. Traffic is now only flooded down one trunk
3. Access switch unicasts correctly; no flooding to all ports
4. If you have to:
   Tune ARP and CAM aging timers; CAM timer exceeds ARP timer
   Bias routing metrics to remove equal cost routes
(Figure: each access switch carries its own VLAN (VLAN 2, 3, 4, 5). Upstream packets are unicast to the active HSRP distribution switch; the asymmetric equal cost return path arrives at the other distribution switch, where the downstream packet is flooded, but only on the single trunk port to that access switch.)
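Why the CAM timer must exceed the ARP timer (point 4 above) is easiest to see by replaying the asymmetric path. The simulation below is an added example, not Cisco code: the host, the distribution switches and the traffic pattern are constructed; the defaults are the Catalyst `mac address-table aging-time` (300 s) and IOS `arp timeout` (14400 s) values.

```python
"""Why a CAM aging timer shorter than the ARP timer floods unicast traffic.

Added example, not from the deck. Distribution-A is the HSRP active gateway,
so the host's upstream frames refresh only Distribution-A's CAM table; the
equal-cost return path lands on Distribution-B, which still holds an ARP
entry for the host but has aged out its CAM entry. Host and traffic
pattern are constructed for the simulation.
"""
from typing import Dict, Optional, Tuple

DEFAULT_CAM_AGING = 300      # s, Catalyst 'mac address-table aging-time' default
DEFAULT_ARP_AGING = 14400    # s, IOS 'arp timeout' default (4 hours)

HOST_MAC, HOST_IP = "aaaa.aaaa.aa01", "10.0.0.1"   # constructed host


class L3Switch:
    def __init__(self, name: str, cam_aging: int, arp_aging: int) -> None:
        self.name, self.cam_aging, self.arp_aging = name, cam_aging, arp_aging
        self.cam: Dict[str, int] = {}                 # MAC -> last seen (s)
        self.arp: Dict[str, Tuple[str, int]] = {}     # IP -> (MAC, learned at)

    def see_frame(self, src_mac: str, now: int, src_ip: Optional[str] = None) -> None:
        """Source-MAC learning; an ARP reply from the host also fills the ARP cache."""
        self.cam[src_mac] = now
        if src_ip is not None:
            self.arp[src_ip] = (src_mac, now)

    def deliver(self, dst_ip: str, now: int) -> str:
        """How a routed packet to dst_ip leaves the switch at time 'now'."""
        entry = self.arp.get(dst_ip)
        if entry is None or now - entry[1] > self.arp_aging:
            return "arp-request"       # resolve first; the reply relearns the MAC too
        mac = entry[0]
        if mac not in self.cam or now - self.cam[mac] > self.cam_aging:
            return "flood"             # IP known, MAC unknown: unknown-unicast flood
        return "unicast"


def simulate(cam_aging: int, arp_aging: int, check_at: int = 600) -> str:
    """Return how Distribution-B delivers a return packet at check_at seconds."""
    dist_a = L3Switch("Distribution-A", cam_aging, arp_aging)
    dist_b = L3Switch("Distribution-B", cam_aging, arp_aging)
    # t=0: both distribution switches have resolved the host once (ARP reply seen)
    for sw in (dist_a, dist_b):
        sw.see_frame(HOST_MAC, 0, HOST_IP)
    # afterwards the host's unicast upstream traffic reaches only the HSRP active
    for t in range(10, check_at + 1, 10):
        dist_a.see_frame(HOST_MAC, t)
    # a return packet from the core arrives at Distribution-B over the equal-cost path
    return dist_b.deliver(HOST_IP, check_at)


if __name__ == "__main__":
    print("defaults:            ", simulate(DEFAULT_CAM_AGING, DEFAULT_ARP_AGING))
    print("CAM aging = ARP aging:", simulate(DEFAULT_ARP_AGING, DEFAULT_ARP_AGING))
```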
Building a Converged Campus Network
Infrastructure Integration, QoS, and Availability
1. Access layer: auto phone detection; inline power; QoS: scheduling, trust boundary and classification; fast convergence
2. Distribution layer: high availability, redundancy, fast convergence; policy enforcement; QoS: scheduling, trust boundary and classification
3. Core: high availability, redundancy, fast convergence; QoS: scheduling, trust boundary
(Figure: access, distribution, core, distribution, access; Data Center, WAN and Internet attach to the core over Layer 3 equal cost links.)
Infrastructure Integration
Extending the Network Edge
1. Phone contains a three-port switch that is configured in conjunction with the access switch and CallManager
   Power negotiation
   VLAN configuration
   802.1x interoperation
   QoS configuration
   DHCP and CallManager registration
(Figure, sequence: switch detects IP phone and applies power; CDP transaction between phone and switch; IP phone placed in proper VLAN; DHCP request and CallManager registration.)
Enhanced Power Negotiation
802.3af Plus Bi-Directional CDP (Cisco 7970)
1. Using a bi-directional CDP exchange, exact power requirements are negotiated after initial power-on
(Figure, sequence between the PD (powered device, Cisco 7970) and the PSE (power sourcing equipment: Cisco 6500, 4500, 3750, 3560): PD plugged in; switch detects IEEE PD; PD is classified; power is applied; phone transmits a CDP power negotiation packet listing its power mode; switch sends a CDP response with a power request; based on the capabilities exchanged, the final power allocation is determined.)
Design Considerations for PoE
Power Management
1. Switch manages power by what is allocated, not by what is currently used
2. Device power consumption is not constant
3. A 7960G requires 7W when the phone is ringing at maximum volume and requires 5W on or off hook
4. Understand the power behavior of your PoE devices
5. Utilize static power configuration with caution
6. Use the power calculator to determine power requirements: http://www.cisco.com/go/powercalculator
Dynamic allocation:
   power inline auto max 7200
Static allocation:
   power inline static max 7200
Discover Cisco Enhanced PoE at the World of Solutions
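Point 1 above (allocation, not consumption, drives the budget) and the CDP negotiation on the previous slide are worked through in the model below. It is an added example, not Cisco code: the 802.3af class allocations are the standard values, the 5 W / 7 W draw is the 7960G figure from the slide, and the switch budget, port list and the rule that a request above the configured max is denied are constructed simplifications.

```python
"""PoE budget model: the switch reserves by class or negotiated request,
not by what the phone is drawing at the moment.

Added example, not from the deck. 802.3af class allocations are the
standard per-class PSE values; budget, ports and draw figures are
constructed (5 W on hook / 7 W ringing comes from the 7960G slide). Denying
a PD whose request exceeds the port's configured max is a simplifying
assumption about 'power inline auto max'.
"""
from dataclasses import dataclass
from typing import List, Optional

# Power a PSE must reserve per 802.3af class, in milliwatts
AF_CLASS_ALLOCATION_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400}


@dataclass
class PoEPort:
    name: str
    af_class: int                       # result of IEEE classification
    cdp_request_mw: Optional[int]       # CDP-negotiated request, None if the PD has no CDP
    port_max_mw: Optional[int] = None   # 'power inline auto max <mW>' cap
    static_mw: Optional[int] = None     # 'power inline static max <mW>' reservation
    draw_mw: int = 0                    # what the device actually consumes right now


def allocation_mw(port: PoEPort) -> int:
    """Power the switch reserves for the port (0 = denied)."""
    if port.static_mw is not None:
        return port.static_mw              # reserved whether or not a PD is present
    if port.cdp_request_mw is not None:
        wanted = port.cdp_request_mw       # exact figure negotiated over CDP
    else:
        wanted = AF_CLASS_ALLOCATION_MW[port.af_class]   # class allocation only
    if port.port_max_mw is not None and wanted > port.port_max_mw:
        return 0                           # assumption: request above max is denied
    return wanted


def budget_report(ports: List[PoEPort], budget_mw: int) -> dict:
    """First-come allocation of the switch budget across ports."""
    allocated = consumed = 0
    powered, denied = [], []
    for port in ports:
        need = allocation_mw(port)
        if need == 0 or allocated + need > budget_mw:
            denied.append(port.name)
            continue
        allocated += need
        consumed += port.draw_mw
        powered.append(port.name)
    return {"allocated_mw": allocated, "consumed_mw": consumed,
            "powered": powered, "denied": denied}


def phones(count: int, cdp: bool, port_max_mw: Optional[int] = None,
           draw_mw: int = 5000) -> List[PoEPort]:
    """Constructed class-0 phones; CDP-capable ones negotiate 7 W."""
    return [PoEPort(f"Fa1/0/{i + 1}", af_class=0,
                    cdp_request_mw=7000 if cdp else None,
                    port_max_mw=port_max_mw, draw_mw=draw_mw)
            for i in range(count)]


if __name__ == "__main__":
    budget = 300_000   # constructed 300 W power supply budget
    print("class 0, no CDP: ", budget_report(phones(24, cdp=False), budget))
    print("CDP, auto max 7200:", budget_report(phones(24, cdp=True, port_max_mw=7200), budget))
```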
Infrastructure Integration: Next Steps
VLAN, QoS and 802.1x Configuration
1. During the initial CDP exchange the phone is configured with a Voice VLAN ID (VVID)
2. Phone also supplied with QoS configuration via CDP TLV fields
3. Additionally, the switch port currently bypasses 802.1x authentication for the VVID if it detects a Cisco phone
(Figure: PC VLAN = 10 (PVID), phone VLAN = 110 (VVID). The phone tags its traffic with 802.1Q encapsulation and 802.1p Layer 2 CoS; the PC sits on the native VLAN (PVID) with no configuration changes needed on the PC.)
Best Practices: Quality of Service
End to End QoS
1. Must be deployed end-to-end to be effective; all layers play different but equal roles
2. Ensure that mission critical applications are not impacted by link or transmit queue congestion
3. Aggregation and rate transition points must enforce QoS policies
4. Multiple queues with configurable admission criteria and scheduling are required
Transmit Queue Congestion
(Figure: two rate transition points.)
WAN router: 10/100M in, 128k uplink out, queued. 100 Meg in, 128 Kb/s out: packets serialize in faster than they serialize out; packets are queued as they wait to serialize out the slower link.
Distribution switch to access switch: 1 Gig link in, 100 Meg link out, queued. 1 Gig in, 100 Meg out: packets serialize in faster than they serialize out; packets are queued as they wait to serialize out the slower link.
Auto QoS VoIP: Making It Easy
Configures QoS for VoIP on Campus Switches
Access-Switch(config-if)#auto qos voip ?
  cisco-phone      Trust the QoS marking of Cisco IP Phone
  cisco-softphone  Trust the QoS marking of Cisco IP SoftPhone
  trust            Trust the DSCP/CoS marking
Access-Switch(config-if)#auto qos voip cisco-phone
Access-Switch(config-if)#exit
Resulting interface configuration:
!
interface FastEthernet1/0/21
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
end
NBAR Protocol Discovery
Real-time Application Visibility with Network Based Application Recognition
Protocol Discovery: discover what apps are running on your campus network and provide real-time statistics
   Per-interface, per-protocol, bi-directional statistics: bit rate (bps); packet count; byte count
   SNMP accessible for centralized monitoring
   Supported by partner products (Concord|CA, InfoVista, Micromuse|IBM) and MRTG
(Chart: link utilization by application class: Voice, Interactive-Video, Call-Signaling, Net Mgmt, Routing, Mission-Critical, Transactional, Streaming-Video, Bulk, Backup etc., E-mail, P2P; Real-Time = 33%, Critical Data, Best Effort = 25%.)
Best Practices: Campus Security
End-to-End Security
1. New stuff that we will cover!
   Catalyst Integrated Security Feature Set!
   Dynamic Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
2. Things you already know; we won't cover
   Use SSH to access devices instead of Telnet
   Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
   Enable SYSLOG to a server. Collect and archive logs
   When using SNMP use SNMPv3
   Disable unused services:
      no service tcp-small-servers
      no service udp-small-servers
   Use FTP or SFTP (SSH FTP) to move images and configurations around; avoid TFTP when possible
   Install VTY access-lists to limit which addresses can access management and CLI services
   Enable control plane protocol authentication where it is available (EIGRP, OSPF, BGP, HSRP, VTP, etc.)
   Apply basic protections offered by implementing RFC 2827 filtering on external edge inbound interfaces (WAN, Internet)
For More Details, See BRKSEC-2002 Session, Understanding and Preventing Layer 2 Attacks
Securing Layer 2 from Surveillance Attacks
Cutting off MAC-Based Attacks
PROBLEM: Script kiddie hacking tools enable attackers to flood switch CAM tables with bogus MACs (250,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy. The switch CAM table limit is a finite number of MAC addresses.
SOLUTION: Port security limits the MAC flooding attack, locks down the port and sends an SNMP trap. Only 3 MAC addresses allowed on the port: shutdown.
(Figure: a host presenting MACs 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb behind a port-security protected port.)
switchport port-security
switchport port-security maximum 10
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
DHCP Snooping
Protection Against Rogue/Malicious DHCP Server
1. DHCP requests (discover) and responses (offer) tracked
2. Rate-limit requests on trusted interfaces; limits DoS attacks on DHCP server
3. Deny responses (offers) on non trusted interfaces; stop malicious or errant DHCP server
(Figure: (1) 1000s of DHCP requests sent to overrun the DHCP server; (2) a client's DHCP request answered with a bogus DHCP response from a rogue server on a client port.)
Securing Layer 2 from Surveillance Attacks
Protection Against ARP Poisoning
1. Dynamic ARP Inspection protects against ARP poisoning (ettercap, dsniff, arpspoof)
2. Uses the DHCP snooping binding table
3. Tracks MAC to IP from DHCP transactions
4. Rate-limits ARP requests from client ports; stop port scanning
5. Drop BOGUS gratuitous ARPs; stop ARP poisoning/MITM attacks
(Figure: gateway = 10.1.1.1, MAC = A; attacker = 10.1.1.25, MAC = B; victim = 10.1.1.50, MAC = C. The attacker sends a gratuitous ARP "10.1.1.1 = MAC_B" toward the victim and "10.1.1.50 = MAC_B" toward the gateway.)
Catalyst Integrated Security Features
Summary: Cisco IOS
1. Port security prevents MAC flooding attacks
2. DHCP snooping prevents client attack on the switch and server
3. Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
4. IP Source Guard adds security to the IP source address using the DHCP snooping table
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
interface fa3/1
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source vlan dhcp-snooping
!
interface gigabit1/1
 ip dhcp snooping trust
 ip arp inspection trust
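The four features in the configuration above all hinge on the DHCP snooping binding table. The simulation below is an added example, not Cisco code: it models an access switch with the trusted uplink gigabit1/1 and untrusted client ports, replays a constructed frame sequence that includes the rogue DHCP offer, the gratuitous ARP from the DAI slide, a spoofed source address and a fourth MAC on a port limited to three, and counts what each feature drops. MACs, addresses and port names are constructed.

```python
"""Simulation of the Catalyst integrated security features on an access switch:
port security (violation restrict), DHCP snooping, Dynamic ARP Inspection and
IP Source Guard, all keyed off the snooping binding table.

Added example, not Cisco code. Port names, MACs, addresses and the frame
sequence are constructed; the DHCP server sits behind the trusted uplink.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


class AccessSwitch:
    def __init__(self, trusted_ports: List[str], max_macs: int = 3) -> None:
        self.trusted = set(trusted_ports)
        self.max_macs = max_macs
        self.secure_macs: Dict[str, set] = defaultdict(set)   # port -> learned MACs
        self.client_port: Dict[str, str] = {}                 # client MAC -> port of its DISCOVER
        self.bindings: Dict[str, Tuple[str, str]] = {}         # client MAC -> (IP, port)
        self.drops: Dict[str, int] = defaultdict(int)          # feature -> dropped frames
        self.log: List[str] = []

    def receive(self, f: dict) -> bool:
        """Return True if the frame is forwarded, False if a feature dropped it."""
        if f["port"] not in self.trusted and not self._port_security(f["port"], f["src_mac"]):
            return False
        return {"dhcp": self._dhcp, "arp": self._arp, "ip": self._ip}[f["kind"]](f)

    def _port_security(self, port: str, mac: str) -> bool:
        macs = self.secure_macs[port]
        if mac in macs:
            return True
        if len(macs) >= self.max_macs:
            self.drops["port-security"] += 1   # 'violation restrict': drop and count, port stays up
            self.log.append(f"port-security: {mac} exceeds maximum on {port}")
            return False
        macs.add(mac)
        return True

    def _dhcp(self, f: dict) -> bool:
        trusted = f["port"] in self.trusted
        if f["msg"] in ("OFFER", "ACK") and not trusted:
            self.drops["dhcp-snooping"] += 1   # server messages only arrive on trusted ports
            self.log.append(f"dhcp-snooping: {f['msg']} from {f['src_mac']} on {f['port']}")
            return False
        if f["msg"] in ("DISCOVER", "REQUEST") and not trusted:
            self.client_port[f["src_mac"]] = f["port"]
        if f["msg"] == "ACK" and trusted and f["client_mac"] in self.client_port:
            # binding entry: client MAC -> leased IP on the port the client used
            self.bindings[f["client_mac"]] = (f["yiaddr"], self.client_port[f["client_mac"]])
        return True

    def _bound(self, mac: str, ip: str, port: str) -> bool:
        return self.bindings.get(mac) == (ip, port)

    def _arp(self, f: dict) -> bool:
        if f["port"] in self.trusted:
            return True
        if not self._bound(f["sender_mac"], f["sender_ip"], f["port"]):
            self.drops["dai"] += 1             # sender MAC/IP not in the binding table
            self.log.append(f"dai: {f['sender_mac']} claims {f['sender_ip']} on {f['port']}")
            return False
        return True

    def _ip(self, f: dict) -> bool:
        if f["port"] in self.trusted:
            return True
        if not self._bound(f["src_mac"], f["src_ip"], f["port"]):
            self.drops["ip-source-guard"] += 1 # source IP not leased to this MAC/port
            self.log.append(f"ip-source-guard: {f['src_mac']} sends from {f['src_ip']} on {f['port']}")
            return False
        return True


SERVER, CLIENT, OTHER = "0000.0c78.9abc", "aaaa.aaaa.aa01", "bbbb.bbbb.bb02"   # constructed

FRAMES = [  # constructed sequence
    {"kind": "dhcp", "msg": "DISCOVER", "port": "fa3/1", "src_mac": CLIENT},
    {"kind": "dhcp", "msg": "OFFER", "port": "gigabit1/1", "src_mac": SERVER, "client_mac": CLIENT},
    {"kind": "dhcp", "msg": "REQUEST", "port": "fa3/1", "src_mac": CLIENT},
    {"kind": "dhcp", "msg": "ACK", "port": "gigabit1/1", "src_mac": SERVER,
     "client_mac": CLIENT, "yiaddr": "10.1.1.50"},
    {"kind": "dhcp", "msg": "OFFER", "port": "fa3/2", "src_mac": OTHER, "client_mac": CLIENT},
    {"kind": "arp", "port": "fa3/2", "src_mac": OTHER, "sender_mac": OTHER, "sender_ip": "10.1.1.1"},
    {"kind": "arp", "port": "fa3/1", "src_mac": CLIENT, "sender_mac": CLIENT, "sender_ip": "10.1.1.50"},
    {"kind": "ip", "port": "fa3/1", "src_mac": CLIENT, "src_ip": "10.1.1.99"},
    {"kind": "ip", "port": "fa3/1", "src_mac": CLIENT, "src_ip": "10.1.1.50"},
] + [{"kind": "dhcp", "msg": "DISCOVER", "port": "fa3/3", "src_mac": f"cccc.cccc.cc{n:02x}"}
     for n in range(4)]   # four MACs on a port that allows three


def run_demo() -> AccessSwitch:
    sw = AccessSwitch(trusted_ports=["gigabit1/1"], max_macs=3)
    for frame in FRAMES:
        sw.receive(frame)
    return sw


if __name__ == "__main__":
    switch = run_demo()
    print(dict(switch.drops))
    print("\n".join(switch.log))
```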
PISA Flexible Packet Matching
Network managers require tools to filter Day Zero attacks, e.g. prior to IPS signatures being available
Traditional ACLs take a shotgun approach: legitimate traffic could be blocked
FPM delivers flexible, granular Layer 2-7 matching
Useful for CERT-like teams within Service Providers and Enterprise customers
[Diagram: a bit pattern matched with "Match Pattern", "And", "Or", "Not" operators; Cisco.com/go/fpm]
Flexible Classification and Rapid Response
Goes beyond static attributes: specify arbitrary bits/bytes at any offset within the payload or header
Classify on multiple attributes within a packet
String match and regex
Set up custom filters rapidly using an XML-based policy language
Multi-Gig Deep Packet Inspection Performance; Rapid Response to New and Emerging Attacks
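The following added example (not Cisco's FPM, and not its XML policy language) shows the matching model the slide describes in working code: a match on arbitrary bytes at any offset, optionally through a bit mask, AND/OR/NOT composition, string and regex matches, and a per-policy action. The packets are constructed UDP datagrams without an IP layer, and the "worm-like" pattern (UDP/1434 with a first payload byte of 0x04) and the peer-to-peer handshake strings are illustrative constructions, not a published signature.

```python
"""Toy Flexible Packet Matching (FPM) engine illustrating the slide's
points: match arbitrary bytes at any offset in header or payload, optionally
through a bit mask, combine matches with AND/OR/NOT, add string/regex
matches, and attach an action per policy. Added illustration only; it is
not Cisco's FPM and does not use its XML policy language. Packets are
constructed as a UDP header plus payload, with no IP layer."""
import re
import struct


def udp_packet(src_port, dst_port, payload):
    """Constructed UDP datagram: 8-byte header, checksum left at zero."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


class Match:
    """True when the bytes at `offset` equal `value` under `mask` (all bits by default)."""
    def __init__(self, offset, value, mask=None):
        self.offset, self.value = offset, value
        self.mask = mask if mask is not None else b"\xff" * len(value)

    def __call__(self, pkt):
        chunk = pkt[self.offset:self.offset + len(self.value)]
        if len(chunk) != len(self.value):
            return False                      # packet too short to contain the field
        return all((c & m) == (v & m) for c, m, v in zip(chunk, self.mask, self.value))


class Regex:
    """Regex/string match over the packet from `start` (8 = UDP payload here)."""
    def __init__(self, pattern, start=8):
        self.rx, self.start = re.compile(pattern), start

    def __call__(self, pkt):
        return self.rx.search(pkt[self.start:]) is not None


def And(*fs): return lambda pkt: all(f(pkt) for f in fs)
def Or(*fs):  return lambda pkt: any(f(pkt) for f in fs)
def Not(f):   return lambda pkt: not f(pkt)


UDP_DST_1434 = Match(2, b"\x05\x9a")          # destination port 1434 (0x059a)

# Constructed policies, evaluated in order; first match wins.
POLICIES = [
    # Payload starting with 0x04 on UDP/1434: constructed worm-like pattern.
    ("udp1434-worm-like", And(UDP_DST_1434, Match(8, b"\x04")), "drop"),
    # Other UDP/1434 traffic is only logged; a port-1434 ACL would drop it too.
    ("udp1434-other", And(UDP_DST_1434, Not(Match(8, b"\x04"))), "log"),
    # Peer-to-peer handshakes recognised by string match, then policed.
    ("p2p", Or(Regex(rb"BitTorrent protocol"), Regex(rb"^GNUTELLA")), "police"),
]


def classify(pkt, policies=POLICIES):
    """Return (policy name, action) for the first matching policy."""
    for name, flt, action in policies:
        if flt(pkt):
            return name, action
    return "default", "permit"


def run_sample():
    """Constructed packets: worm-like, benign 1434, BitTorrent handshake, DNS-like."""
    pkts = [
        udp_packet(40000, 1434, b"\x04" + b"\x01" * 10),
        udp_packet(40001, 1434, b"\x12hello"),
        udp_packet(6881, 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
        udp_packet(53, 53, b"\x00\x01\x01\x00"),
    ]
    return [classify(p)[1] for p in pkts]


if __name__ == "__main__":
    print(run_sample())   # ['drop', 'log', 'police', 'permit']
```

The second policy is the point of the slide's "shotgun" remark: a conventional ACL on port 1434 would drop every packet to that port, whereas the offset match lets only the pattern be dropped and the rest merely logged. The mask argument covers matches such as "source port below 1024" (mask `0xfc00` on the first two bytes), which is how FPM-style filters express ranges without listing values.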
Sup 32 PISA Deployment: Campus Access Layer
[Diagram: access switches with PCs and a printer attached]
Mark business-critical applications in real time as GOLD service
Police non-priority applications
Block worms like Slammer using Flexible Packet Matching
Detect and rate-limit undesired peer-to-peer traffic
[Chart: Link Utilization. Citrix 25%, Netshow 15%, Oracle 10%, FTP 30%, HTTP 20%]
Hierarchical Campus
[Diagram: Access, Distribution, Core, Distribution and Access layers of switches, with Data Center, WAN and Internet blocks attached to the core]
Layer 3 Distribution Interconnection
1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards core
4. Limit redundant IGP peering
5. STP Root and HSRP primary tuning, or GLBP, to load balance on uplinks
6. Set trunk mode on/nonegotiate
7. Disable EtherChannel unless needed
8. Set port host on access layer ports: disable trunking, disable EtherChannel, enable PortFast
9. RootGuard or BPDU-Guard
10. Use security features
[Diagram: Core, Distribution and Access layers; Layer 3 point-to-point link between the distribution switches; Layer 2 Access, No VLANs Span Access Layer. VLAN 20 Data 10.1.20.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 140 Voice 10.1.140.0/24]
Layer 2 Distribution Interconnection
1. Tune CEF load balancing
2. Match CatOS/IOS EtherChannel settings and tune load balancing
3. Summarize routes towards core
4. Limit redundant IGP peering
5. STP Root and HSRP primary, or GLBP, and STP port cost tuning to load balance on uplinks
6. Set trunk mode on/nonegotiate
7. Disable EtherChannel unless needed
8. RootGuard on downlinks
9. LoopGuard on uplinks
10. Set port host on access layer ports: disable trunking, disable EtherChannel, enable PortFast
11. RootGuard or BPDU-Guard
12. Use security features
[Diagram: Core, Distribution and Access layers; Layer 2 trunk between the distribution switches; Layer 2 Access, Some VLANs Span Access Layer. VLAN 20 Data 10.1.20.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 140 Voice 10.1.140.0/24, VLAN 250 WLAN 10.1.250.0/24]
Routed Access and Virtual Switching System
Evolutions of and Improvements to Existing Designs
[Diagram, left (Routed Access): Core, Distribution and Access layers with a Layer 3 point-to-point link; VLAN 20 Data 10.1.20.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 140 Voice 10.1.140.0/24. Diagram, right (New Concept, Virtual Switching System): distribution pair joined by a VSS link; VLAN 20 Data 10.1.20.0/24, VLAN 40 Data 10.1.40.0/24, VLAN 120 Voice 10.1.120.0/24, VLAN 140 Voice 10.1.140.0/24, VLAN 250 WLAN 10.1.250.0/24]
See RST-3035 Advanced Enterprise Campus Design Alternatives: Routed Access and Virtual Switch System (VSS)
Agenda
1. Multilayer Campus Design principles
2. Foundation Services
3. Campus Design Best Practices
4. IP Telephony Considerations
5. QoS Considerations
6. Security Considerations
7. Putting It All Together
8. Summary
[Diagram: campus core with Data Center, Services Block and Distribution Blocks]
Summary
[Diagram: Access, Distribution, Core, Distribution and Access layers joined by Layer 3 equal cost links, with Data Center, WAN and Internet blocks]
1. Offers hierarchy: each layer has a specific role
2. Modular topology: building blocks
3. Easy to grow, understand, and troubleshoot
4. Creates small fault domains: clear demarcations and isolation
5. Promotes load balancing and redundancy
6. Promotes deterministic traffic patterns
7. Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strength of both
8. Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
Q and A
Recommended Reading
1. Continue your Cisco Networkers learning experience with further reading from Cisco Press
2. Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Session Evaluation
1. Please give us your feedback; your comments are important to us
2. Don't forget to complete the overall event evaluation form included in your registration kit
3. This is session BRKCAM-2001