Campus Architectures

Transcription

1 Campus Architectures Designing Campus Networks 2

2 Objective Learn how to design and implement Scalable Campus Networks Update on New Campus Technologies (10/100/1000, 10ge, Routing in the Access) Session Objective: This is a Level 2 Session focusing on the Cisco Multilayer design model for Campus Networks; it will cover Best Practices, Implementation specifics and Common design pitfalls A working understanding of common LAN Switching and routing protocols is assumed; for more background information, please see: 3 Agenda Multilayer Campus Design Understanding Campus Topologies and Design Alternatives Foundation Services Design Pitfalls 4

3 Multilayer Network Design Access Distribution Core Access Layer 3 Capabilities (ACL s, QoS, etc) Layer 2 Capabilities (advanced STP features, PVST+, Rapid PVST+) Convergence Features: Conditional Trust Boundary, Inline Power, Voice VLANS Capable of supporting an advanced IGP (EIGRP, OSPF) High Availability Distribution Layer 3 Switching, Advanced IGP (EIGRP, OSPF) Utilizes IGP for benefits such as load balancing, fast convergence and scalability Provide first-hop redundancy/resilience Aggregates the Access Layer elements Distribution Access Core Layer 3 Switching in the backbone for load balancing, fast convergence and scalability Requires high speed service with no policy enforcement WAN Server Farm Internet 5 Multilayer - Hierarchical Design Offers hierarchy each layer has specific role Modular topology made out of building blocks Easier to grow, understand and troubleshoot the network Promotes load balancing and redundancy Follows consistent and deterministic traffic pattern Multilayer model is built upon a modular design 6

4 Multilayer Design Guidelines Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both Utilizes IGP for benefits such as load balancing, fast convergence, scalability and control Uses Layer 3+ switching in distribution and backbone Uses Layer 2+ switching in wiring closet L3 aware wiring closet switches can enforce QoS, access control, classify traffic and extend intelligent features to access layer 7 Defining the Access Layer To Core Distribution Switches Access Switches Aggregates user end stations, IP Phones and servers Connects to distribution layer Switches All uplinks can actively forward traffic (Layer 3 distribution) Layer 2 device With Layer 3 intelligence (Security, QoS, IP Multicast etc) Use Intelligent Network Services for establishing the Trust Boundary 8

5 Access Layer Features Aggregates user end stations, IP Phones and servers Layer 2/3 device With Layer 3 intelligence (Security, QoS, IP Multicast etc) IP Telephony Feature Set: Automatic Phone Discovery, Conditional Trust Boundary, Inline Power, Auxiliary VLAN, etc Spanning Tree Protocols PVST+, and Rapid PVST+ Spanning Tree Features Portfast, UplinkFast, BackboneFast, LoopGuard, BPDUGuard, BPDUFilter, RootGuard, Intelligent Network Services Quality of Service, Traffic classification and policing, Access Control, Inline Power, Voice VLAN, Broadcast suppression, Multicast control Routing protocols like EIGRP, OSPF Access Layer Access Layer Wiring Closet Wiring Closet 9 Defining the Distribution Layer Distribution Switches Access Switches Aggregates wiring closets (Access Layer) and uplinks to Core Protects Core from high density peering Availability, Load balancing, QoS and Provisioning are the important considerations at this layer Use Layer 3 Switching in the Distribution Layer HSRP and HSRP-Tracking insure First Hop Redundancy 10

6 Distribution Layer Features Aggregates wiring closets (Access Layer) and uplinks to Core Protects Core from high density peering Availability, Load balancing, QoS and Provisioning are the important considerations at this layer Use Layer 3 Switching in the Distribution Layer HSRP and HSRP-Tracking ensure First Hop Redundancy Spanning Tree Features Setting STP Root, Root Guard Rapid PVST+ - Per VLAN 802.1w Layer 3 Routing HSRP Route summarization, fast convergence, equal cost load balancing HSRP: First hop redundancy HSRP Timers: Reduce fail-over HSRP Track: Optimal routing Distribution Layer Distribution Layer Enterprise Wiring Closet Enterprise Server Farm 11 Do I Need a Core Layer? Distribution 2 Distribution 1 No Core Near Fully Meshed Distribution Layers Aggregation point for Distribution Layer Core Layer is required to scale campus networks Physical cabling requirements Routing complexity Distribution 3 Distribution 2 Distribution 1 Dedicated Core Switches Easier to add a module Fewer links in the core Easier bandwidth upgrade Distribution 3 Routing protocol peering reduced Core Layer Optional for Small Networks 12

7 Defining the Core Layer Core Distribution Access Backbone for the network connects network building blocks Aggregation point for Distribution Layer Separate Core Layer helps in Scalability during future growth Keep the design technology-independent FastE, GigE, 10GigE, CWDM, ATM, Sonet, DPT, etc. 13 New and Emerging Technologies 10GbE & CWDM for Aggregation 10/100/1000 at the desktop 14

8 Gigabit to the Desktop What we are seeing: Today s driver for Gigabit Ethernet to the Desktop is not a single application but the simultaneous use of multiple applications Product availability from Cisco, Dell, Foundry, Extreme, 3Com with more coming soon Gig enabled PCs/Workstations (LOM) Dell, HP/Compaq, Apple, Sun, many Linux hardware manufacturers Cisco 10/100/1000 port sales +328% CY01 vs. CY02 15 Gigabit Solutions Improve the end-user experience Increased throughput with 10/100/1000 Ethernet and 10 GE interfaces Reduce wire time, buffer congestion & relieve flow control mechanisms Elimination of far-end congestion Convergence of applications at the desktop requires increased throughput end-to-end Gigabit to the Desktop (GTTD) End-to-end Intelligent Network Services: QoS, Security, High Availability, Manageability 16

9 Network Response Improvements Intuitive but look it s faster - 10/100/ hours of network time at 10mbps 47 minutes of network time at 100mbps 27 minutes of network time at 1000mbps At gig speed we spend 88% less time on the network than 10mbps and 44% less than 100mbps Over All Time in minutes 17 Network Response Improvements Intuitive but look it s faster - 10/100/ hours of network time at 10mbps 47 minutes of network time at 100mbps 27 minutes of network time at 1000mbps At gig speed we spend 88% less time on the network than 10mbps and 44% less than 100mbps M File Transfer Clarify Ariba Outlook GB Backup Time in Seconds 18

10 Gigabit Intelligent Campus Network Design Access Distribution Gigabit Ethernet Gigabit EtherChannel Gigabit EtherChannel 10 Gigabit Ethernet 10 Gigabit Ethernet 10 Gigabit EtherChannel QoS trust-boundary Rate-limiting Port-security ACLs STP Extensions Identity (802.1x) High Availability Core Distribution Access Throughput High Availability IP Services Rate-limiting ACLs High Availability IP Services STP Extensions CWDM GBIC Data Center Internet Firewall Services VPN/IPSec Services Intrusion Detection Load Balancing SSL Offload 19 Agenda Multilayer Campus Design Understanding Campus Topologies and Design Alternatives Foundation Services Design Pitfalls 20

11 Understanding Campus Topologies and Design Alternatives Cisco Traditional Design Advantages Design Caveats Adding in some Spanning VLANS Advantages Design Caveats Adding RSTP / Rapid PVSTP Advantages Design Caveats Routing in the Wiring Access Advantages Expensive Routing Convergence Design Caveats 21 Campus Design Best Practices Map Layer 2 VLANs to Layer 3 IP Subnets Avoid Campus Wide VLANs Design a Campus with Layer 3 Protocols Daisy chaining dangers Take advantage of equal cost routes Leave escape routes Oversubscription and performance implications 22

12 Map Layer 2 VLANs to Layer 3 Subnets HSRP Active VLAN 20,140 Layer 3 HSRP Active VLAN 40,120 HSRP Active & STP Root VLAN 20,140 Layer 2 Trunk HSRP Active & STP Root VLAN 40,120 Model A Model B VLAN 20 Data VLAN 120 Voice VLAN 40 Data VLAN 140 Voice VLAN 20 Data VLAN 120 Voice VLAN 40 Data VLAN 140 Voice Map Layer 2 domain to a Layer 3 subnet with an understandable VLAN to IP Subnet numbering scheme For example, Data VLAN 20 and Voice VLAN 120 in Building 1 can correspond to x/24 and x/24 Good addressing scheme helps summarizing routes and eases troubleshooting 23 Avoid Campus-Wide VLANs Large and overlapping Spanning Tree domain Propagates problems (potential failure domain) Slows convergence Modern routers are not network bottlenecks DHCP and Mobile IP address Client Mobility 24

13 Keep L2 Redundancy Simple If Some Redundancy Is Good, More Redundancy Is NOT Better Root placement? How many blocked links? Convergence? Complex fault resolution 25 L2 Daisy Chaining Backup Root VLAN X STP Root HSRP Active Layer 2 Link VLAN X Standby Root HSRP Standby STP Root HSRP Active No UplinkFast Slow STP convergence Discontinuous subnets: Traffic is black holed (both routers claim they can reach VLAN x) Install Layer 2 link between the two distribution switches 26

14 Layer 3 Dual-Path Core 1 Distribution 1 Cost=X Cost=X Cost=X Access Layer Cost=X Core 2 Distribution 2 Layer 3 load balancing preserves bandwidth Unlike L1 and L2 redundancy (blocked ports) Fast recovery to remaining path Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path) 27 Leave Escape Routes What happens if No route to the core anymore? fails? Access L2 A B Un-passive wiring closet links for backup routes? GE/GEC But is this really what the access layer is for? No it is not. Distribution What about scalability? No it will not scale. Single Path to Core Install a Link between Distribution Layer Core L3 28

15 Understand Performance and Oversubscription Characteristics Most networks are built with Oversubscription Performance usually limited not by the box but by the uplink Use QoS to protect real-time flows at congested points Oversubscription rules of thumb work well 20:1 max at wiring closet Less in distribution (4:1) and server farm (from 4:1 to 1:1) BaseT 20:1 GE Distribution L3 Dual-Link GEC Core L3 Use Non-Blocking Switches Access L2 8 Uplinks 4:1 29 Over Subscription 1:1, 4:1, 8:1, 20:1 designs True traffic patterns are random and bursty in nature Large data transfers happen much faster minimizing traffic overlap and congestion eg. 9 seconds vs 85 seconds for 1 GbE v 100GbE Most mission-critical business applications and most Web transactions use TCP TCP is adaptive, rate based, and connectionoriented; it is a well behaved protocol especially when oversubscribed. TCP applications run as fast as they can, but gracefully back down when faced with congestion. 30

16 Passive Interfaces for IGP Limit unnecessary peering Without passive interface: 4 VLANs per wiring closet, 12 adjacencies total Memory and CPU requirements increase with no real benefit Creates overhead for IGP Distribution Access Routing Updates Router(config)#router ospf 1 Router(config-router)#passive-interface Vlan 1 Router(config)#router ospf 1 Router(config-router)#passive-interface default Router(config-router)#no passive-interface Vlan 1 Router(config)#router eigrp 1 Router(config-router)#passive-interface Vlan 1 Router(config)#router eigrp 1 Router(config-router)#passive-interface default Router(config-router)#no passive-interface Vlan 1 31 Agenda Multilayer Campus Design Understanding Campus Topologies and Design Alternatives Foundation Services Design Pitfalls 32

17 Foundation Services High Availability Route Processor Redundancy (+) HSRP/VRRP/GLBP QoS Simple Security IP Multicast Management 33 Redundancy 34

18 Redundancy Layer 1 Redundancy Provides an alternate physical path through the network Layer 2/3 Redundancy Spanning-Tree, Routing Protocol, EtherChannel for alternate path awareness and fast- convergence Stability Ensure a stable network through proper physical, STP and routing design to reduce human errors Application Availability The application server and client processes must support failover for maximum availability Platform Redundancy 35 First Hop Redundancy Protocols Hot Standby Router Protocol (HSRP) Cisco informational RFC 2281 ( March 1998) Virtual Router Redundancy Protocol (VRRP) IETF Standard RFC 2338 (April 1998) Gateway Load Balancing Protocol (GLBP) Cisco designed, load sharing, patent pending Feature Navigator provides platform specific feature support information 36

19 HSRP A group of routers function as one virtual router by sharing ONE virtual IP address and One virtual MAC address One (Active) router performs packet forwarding for local hosts The rest of the routers provide hot standby in case the active router fails Standby routers stay idle as far as packet forwarding from the client side is concerned 37 First Hop Redundancy with HSRP R1- Active, forwarding traffic; R2, R3 - hot standby, idle HSRP ACTIVE HSRP STANDBY HSRP LISTEN IP: MAC: c vip: vmac : c07ac00 IP: MAC: C78.9abc vip: vmac : IP: MAC: cde.f123 vip: vmac : R1 R2 R3 Gateway routers Clients CL1 CL2 CL3 IP: MAC: aaaa.aaaa.aa01 GW: ARP: c07.ac00 IP: MAC: aaaa.aaaa.aa02 GW: ARP: c07.ac00 IP: MAC: aaaa.aaaa.aa03 GW: ARP: c07.ac00 38

20 VRRP Very similar to HSRP A group of routers function as one virtual router by sharing ONE virtual IP address and One virtual MAC address One (master) router performs packet forwarding for local hosts The rest of the routers act as back up in case the master router fails Backup routers stay idle as far as packet forwarding from the client side is concerned 39 First Hop Redundancy with VRRP R1- Master, forwarding traffic; R2, R3 - backup VRRP ACTIVE VRRP BACKUP VRRP BACKUP IP: MAC: c vip: vmac : c07ac00 IP: MAC: C78.9abc vip: vmac : IP: MAC: cde.f123 vip: vmac : R1 R2 R3 Gateway routers Clients CL1 CL2 CL3 IP: MAC: aaaa.aaaa.aa01 GW: ARP: c07.ac00 IP: MAC: aaaa.aaaa.aa02 GW: ARP: c07.ac00 IP: MAC: aaaa.aaaa.aa03 GW: ARP: c07.ac00 40

21 HSRP While HSRP or VRRP provide gateway resiliency, standby members of the redundancy group are under utilized along with their upstream bandwidth VIP: MAC: c VMAC: c07ac00 Active VIP: MAC: c78.9abc Stand-by GW.1 GW.1 GW.1 zzzzz snore /24 41 First Hop Redundancy With Load Balancing Cisco Gateway Load Balancing Protocol (GLBP) All the benefits of HSRP plus load balancing of default gateway utilizes all available bandwidth glbp 1 ip vmac ARPs for Gets MAC vip R R2.1 ARP.2.4 Reply /24.5 glbp 1 ip vmac A B ARPs for Gets MAC

22 GLBP A group of routers function as one virtual router by sharing one virtual IP address but using multiple virtual MAC addresses for traffic forwarding Traffic is shared over multiple upstream links, improving throughput and reducing congestion when no failure state exists Allows traffic from a single common subnet to go through multiple redundant gateways using a single virtual IP address 43 First Hop Redundancy with GLBP GLBP AVG/AVF,SVF GLBP AVF,SVF GLBP AVF,SVF IP: MAC: c vip: vmac : 0007.b R1- AVG; R1, R2, R3 all forward traffic IP: MAC: C78.9abc vip: vmac : 0007.b IP: MAC: cde.f123 vip: vmac : 0007.b R1 R2 R3 Gateway routers Clients CL1 CL2 CL3 IP: MAC: aaaa.aaaa.aa01 GW: ARP: 0007.B IP: MAC: aaaa.aaaa.aa02 GW: ARP: 0007.B IP: MAC: aaaa.aaaa.aa03 GW: ARP: 0007.B

23 HSRP Tracking Avoids Black Holes Tracked Core 0/1 Layer 3 Distribution Access Failure of Uplink to Core and Layer 3 link will black hole traffic Use HSRP Tracking with Preempt option 45 Spanning Tree Toolkit PortFast: Bypass listening-learning phase for Access Port UplinkFast: 3 to 5 seconds convergence after link failure BackboneFast: Cuts convergence time by Max_Age for indirect failure LoopGuard: Prevents alternate or root port to become designated in absence of BPDUs RootGuard: Prevents external switches from becoming root BPDU Guard: Disable PortFast enabled port if a BPDU is received BPDU Filter: Do not send BPDUs on PortFast enabled Ports Root F F Distribution Switches F X B F F Wiring Closet Switch 46

24 Spanning Tree Purpose: Ensure a loop-free topology and provide backup links when there are redundant paths in the network A B 47 Demystifying D: MAC Bridges (Spanning Tree Protocol) 802.1w: Rapid Spanning Tree Protocol (RSTP) 802.1s: Multiple Spanning Tree Protocol (MST) 802.1t: 802.1d Maintenance 802.1Q: VLAN Tagging (trunking) 48

25 802.1D Defaults 802.1D was designed with conservative logic Ports exchange only BPDUs for first 30 seconds after linkup to avoid loops downside Slow convergence Blocking LinkUp 20 seconds (max-age) Listening 802.1D (STP) 15 seconds (fwd-delay) Learning State Transition 15 seconds Forwarding Hello Time between sending BPDUs by Root (2 Sec) Forward delay Duration of listening and learning state (15 Sec) Maximum age Time BPDU stores (20 sec) D (STP) 802.1D is a timer-based aging protocol Event #1 New node Default is 30 seconds for STP to ensure loop-free connection Root F F 3 F F Event #2 Uplink failure 2 Default is 30 seconds for STP to find alternate path F X B Event #3 Indirect failure Default is 50 seconds for STP to find alternate path 1 50

26 802.1w (RSTP) Purpose: Still a loop prevention protocol like 802.1D but offers very fast convergence because it s not timer-based Root Event #1 New node 1 second for RSTP to ensure loop-free connection Event #2 Uplink failure 1 second for RSTP to find alternate path Event #3 Indirect failure 1 second for RSTP to find alternate path 1 F F F 3 2 X B F F w highlights New port roles and port states New BPDU format and processing New bridge-bridge handshake for rapid transition Built-in Cisco s 802.1D extensions like Backbonefast, Uplinkfast and Portfast Different topology change notification scheme Compatible with 802.1D running bridges Computes same final topology like 802.1D IEEE standard 52

27 802.1s (MST) Purpose: Allows VLANs to share a spanning tree instance (active topology) Only 2 unique topologies PVST (Per VLAN STP) MST More bandwidth and CPU resources consumed to maintain 4 active topologies VLANs mapped to one of the two topologies Saves bandwidth and CPU resources Simpler implementation and troubleshooting B B VLAN 10 VLAN 20 VLAN 30 VLAN 40 B B B:Blocking 53 Understanding MST MST Region A group of switches with common identifiers: Configuration name VLAN to Instance mapping Revision number MST Instance Logical spanning tree active topology Cisco supports 16 Instances (instance 0-15) Instance 0 is known as IST (Internal Spanning Tree), used for interacting with the outside region IST carries legacy timers for interoperability 54

28 IST Details IST (instance 0) exists on all ports, regardless of vlan mapping Vlan 20 (instance 1) Vlan 10 1 A Vlan 10 (instance 0) 2 B Vlan Instance 0 real topology A B No connectivity between host A & B, why? Avoid mapping user VLANs to IST 55 MST Interacting with PVST+ PVST+, Switch-Z sends BPDUs on VLANs 1-3 Boundary ports on Switch- X and Switch-Y will replicate IST BPDUs on VLANs 1-3 of the trunk to be compatible with the neighbor Interaction based on 802.1D BPDU Recommendation: Make IST the root for all VLANs. Result: 0/10 blocking on Switch-Z Boundary Port (4/4) Switch-X MST Region IST & MST Root Trunk VLAN 1-3 0/9 Switch-Y Switch-Z 802.1D (PVST+) Simulate PVST root (STP Root) inside MST region Trunk VLAN 1-3 0/10 Boundary Port (4/4) 56

29 Rapid-PVST+ Interacting with MST MST interacts with Rapid-PVST+ switch in the same way as MST interacts with PVST+ switch Boundary ports on Switch-X and Switch-Y will replicate IST BPDUs on VLANs 1-3 of the trunk to be compatible with the neighbor Interaction based on 802.1D BPDU Recommendation: Make IST the root for all VLANs. Result: 0/10 blocking on Switch-Z Boundary Port (4/4) Switch-X MST Region IST & MST Root Trunk VLAN 1-3 0/9 Switch-Y Switch-Z Trunk VLAN 1-3 0/ w (Rapid-PVST+) Boundary Port (4/4) 57 Neighbor Protocol Detection RSTP or MST reverts to 802.1D BPDUs and TCN on a segment if it detects presence of legacy switch Migration-delay timer (4 seconds) acts as protocol state lock until neighbors state is detected RSTP Switch A RSTP Switch B BPDU RSTP 802.1D BPDU RSTP 802.1D BPDU 802.1D C 802.1D Switch After A and B still continue to use 802.1D! 58

30 MST and RSTP Support Matrix Cisco s current implementation requires running RSTP with MST Rapid-Per VLAN STP currently only on Cat6K MST and RSTP Software availability table Platform Catalyst 6x00 SUP 1/2 Catalyst 4000 SUP 3/4 Catalyst 4000 SUP 1/2 Catalyst 3550 Catalyst 2950 Native IOS 12.1(12c)EW CatOS (9)EA1 Release Native IOS 12.1(11b)EX1 CatOS 7.1 Native IOS 12.1(13)E1 CatOS 7.5(1) Ridgeway, Q2 CY03 CatOS 7.5(1) Q2 CY03 Rapid-PVST+ 59 Spanning Tree Extension 802.1D extensions are supported in Cisco s MST and Rapid-PVST+ implementation Portfast (edge status lost on receiving BPDU) BPDU Guard BPDU Filter BPDU Filtering Loop Guard Root Guard 60

31 Trunk Most LAN topologies consist of multiple VLANs How to carry multiple VLANs on a single physical link, while maintaining isolation? Trunking Protocols: IEEE 802.1q ISL (Cisco Proprietary)? X 10 VLANS 61 VTP (VLAN Trunking Protocol) Centralized VLAN management VTP Server Switch Propagates VLAN awareness to VTP Client Switches Runs only on trunks Four modes: Server: Updates Clients/Servers Client: Receive updates cannot make changes Transparent: Let updates pass through Off: Ignores VTP updates 62

32 VTP Example A Set VLAN 50 F SERVER trunk F Transparent Pass through update Ok, I just learnt VLAN 50! trunk CLIENT trunk CLIENT Ok, I just learnt VLAN 50! B Drop VTP Updates trunk OFF C 63 EtherChannel Protocol A logical aggregation of similar links (up to 8) - 10/100/1000/10GE ports Operates between switches, routers, and certain vendors NICs Channel always point-topoint and viewed as one logical link by protocols TWO FLAVORS: Cisco s PAgP and IEEE 802.3ad we support both EtherChannel 64

33 EtherChannel Load Balancing How does it load share? Layer 2 devices Source/destination MAC Layer 3 devices Source/destination IP Server NICs Source/destination MAC Catalyst 6000 family can be switched between MAC, IP or L4 Port Layer 3 Switch or Router Layer 2 Switch Server 65 Port Access Control Port Security Restrict MAC addresses learnt on a port Prevent filling up of CAM table CAM filter can restrict traffic to and from a host CatOS (enable) set port security 5/1 enable CatOS (enable) set port security 5/1 enable b CatOS (enable) set port security 5/1 maximum 10 CatOS (enable) set cam static filter <vlan> !Feature not available in Native IOS for 6500/7600 Platform Switch # configure terminal Switch (config)# interface fastethernet 0/5 Switch (config-if)# switchport port-security? aging Port-security aging commands mac-address Secure mac address maximum Max secure addrs violation Security Violation Mode 66

34 Port Access Control (Cont.) 802.1x Describes a standard link layer protocol used for transporting higher-level authentication protocols. Maintains backend communication to an Authentication (RADIUS) Server Refer to SEC-203: Understanding Identity and Network Policy Management Disable CDP on ports not connecting to other Cisco devices 67 Protecting Spanning Tree BPDU Guard Shutdown PortFast enabled port if it receives a BPDU; prevents unauthorized BPDUs on Access ports Root Guard Block a Port if it receives superior BPDUs; prevents unauthorized device from being the root bridge or being in path to the root bridge 68

35 A PVLAN Isn t a Firewall! Private VLAN provides Layer-2 isolation between isolated ports; if host X on an isolated port unconditionally directs its IP traffic to the router s MAC address, then that router will forward the traffic to host Z Use Router Access-Lists to prevent this behavior Dst_MAC R Src_MAC X Dst_IP Src_IP Isolated Port MAC X Configure Access Lists Denying such hosts (RACL) MAC R MAC Z 69 Protecting VLAN 1 VLAN 1 Used by Control Protocols like VTP, DTP etc Goes over Trunks by default Un-configured ports should not be part of VLAN 1 Remove VLAN 1 from Trunks, if possible Disable unused Ports Prevents unauthorized devices from plugging in 70

36 802.1Q Trunk Configuration Recommendations Frame.1Q.1Q Frame.1Q Frame Trunk Access Port VLAN Blue Native VLAN Blue Access Port VLAN Red Double Encapsulated 802.1q Frame Set Native VLAN on Trunks to be different from Access VLAN number Alternative: Tag all Frames Change Trunk status of non-trunking ports from Auto to Off Prevents a host from becoming a trunk port and receiving traffic that would normally reside on a trunk port 71 Campus WLAN 802.1x EAP Security Model APs on dedicated access-layer VLAN Minimal change 2 RADIUS servers AP blocks all non-authentication traffic until auth. complete EAP-Cisco uses existing windows userid/pw database TKIP and Dynamic per session, per user, time limited keys Cisco NICS or Windows XP(EAP-TLS) Si Cisco ACS Si Si Si Si Si Si Si Cisco ACS 72

37 Campus WLAN VPN with AP Filters DMZ Complex filters on APs and edge routers 3DES/OTP supported by VPN Si Si Si Si Clients must support VPN stack Broadcast and multicast traffic not supported Si Si Si Si CNR DMZ Carefully analyze any network changes for impact to WLAN security VPN Concentrator 73 Is Quality of Service (QoS) Needed in the Campus? Just throw more bandwidth at it. That will solve the problem! Maybe, Maybe Not; Campus Congestion Is a Buffer Management Issue 74

38 Enabling QoS in the Campus Congestion Scenario: TCP Traffic Burst + VoIP Typical 4:1 Data Over- Subscription Core Distribution Si Si Instantaneous Interface Congestion Si Si Typical 20:1 Data Over- Subscription Access = Data = Voice 75 Tips on IP Multicast PIM Sparse-mode Sparse-mode good, Densemode bad. Keep Dense-mode off of the network. Build a fault-tolerant design AutoRP provides ease of administration and multiple C-RPs can take over when failure occurs. Anycast RP provides the fastest failover and allows for more scalable design. More complex configuration. Understand the Application With Tibco IPmc, all receivers can also be sources. Research extensions to PIM (Bi-Dir and SSM) Refer to RST-260: Deploying IP Multicast 76

39 Layer 2 IP Multicast IGMP Snooping IGMP Snooping ON by default IGMP packets intercepted in Hardware without performance penalty Switch examines contents of IGMP messages to determine which ports want what traffic IGMP membership reports + leave messages Without IGMP Switching: Switches process ALL Layer 2 multicast packets Admin. load increases with multicast traffic load, resulting in excessive flooding CGMP Runs on both the Switches and the router Router sends CGMP multicast packets to the Switches at a well known multicast MAC address: cdd.dddd CGMP packet contains: Type field Join or Leave MAC address of the IGMP client Multicast address of the group Switch uses CGMP packet info to add or remove a Layer-2 entry for a particular multicast MAC address 2900/3500 CGMP 2950/3550 IGMP Snooping 4003 CGMP 6500/4006 IGMP Snooping 77 Agenda Multilayer Campus Design Understanding Campus Topologies and Design Alternatives Foundation Services Design Pitfalls 78

40 Design Pitfalls Summarization CEF Polarization Addressing Scheme s 79 Design Pitfalls HSRP Tracking gotcha Daisy Chaining side effect Route summarization pitfall Asymmetric routing side effect Potential slow convergence problem 80

41 CEF Polarization Server Farm HA VLAN With out some tuning CEF will select the same way-out Left/Left or Right/Right and imbalance/overload could occur Hash Left Hash Left Hash Right Hash Right Wireless VLAN Voice Data Guest VLAN Voice Data 81 HSRP Tracking Gotcha Access HSRP Tracking unreliable HSRP Active L3 Link Distribution HSRP Standby Layer 2 UP but Layer 3 down Core Install a Layer 3 link between Distribution Switches to get routed around a Layer 2 up but Layer 3 down condition on distribution Alternative Dual attach distribution to Core 82

42 Daisy Chaining Loopback cable prevents Discontinuous subnet Failure of a stack cable or middle Switch will result in discontinuous subnet if there is a Layer 3 connection between Distribution layer HSRP Active HSRP Active Layer 3 HSRP Standby HSRP Active Loopback Cable 83 Daisy Chaining (Cont.) Utilize Cross Stack UplinkFast feature for Stackables Transitions redundant blocking link directly to forwarding if link to Root fails Root Port Layer 2 Blocking Redundant Link HSRP Active STP Root Primary STP Root Secondary HSRP Standby 84

43 Route Summarization Pitfall HSRP on Right Distribution takes over upon link failure But old router still advertises summary to core Return traffic is dropped on left distribution Switch Summarizing requires a L3 link between the distribution Switches Alternative design: impassive 2 access VLAN interfaces, cumbersome Access Distribution Summary: /16 Core a/ b/24 85 Route Summarization (Cont.) A B If Distribution is not summarizing Access Subnets then there is no need for a Layer 3 link between the Distribution Switches Traffic from Core, diverted to Right Distribution Access Distribution Core 86

44 Asymmetric Routing Cost x links Distribution 1 Cost y links Core 1 Cost=Z A HSRP Active Core 2 Distribution 2 Cost=Q IGP Table Before!Assume Cost to A from Distribution = y IGP Table After!Cost Changed A via Distribution 1 = x + y A via Distribution 2 = x + y Therefore, Load-balance between Distribution 1 and Distribution 2 to reach A A via Distribution 1 = x + Z A via Distribution 2 = x + Q If Q < Z, then go through Distribution 2 to reach A 87 Asymmetric Routing (Cont.) Asymmetric routing produces unnecessary flooding Solution: Adjust IGP access VLAN interfaces cost or Adjust ARP timer to be the same as CAM aging timer Adjust interface cost on non-hsrp active Distribution Layer Router 88

45 PortFast on Trunks I can reach /16 No, you can t Router Layer 2 Trunk Link up will trigger router to advertise network However STP is still transitioning on the Switch Enable PortFast on Trunks connected to Routers MSFC Autostate feature Switch Network /16 Does not allow a Layer 3 VLAN interface to come up/up until STP transitions the VLAN to forwarding 89 Layer 2 Between Distribution? Distribution Layer 2/3 STP Root & HSRP Active Hellos STP Secondary Root & HSRP Standby HSRP Active (Temporarily) Access Layer 2 F 2 F F 2 2 F: Forwarding B: Blocking 2B 2 F 2 B 2 Access-b MaxAge seconds before failure is detected.then Listening and Learning 2 2 Blocking link on Access-b will take 50 seconds to move to forwarding -> traffic black hole until then If a VLAN spans multiple Access Switches then install a Layer 2 link between Distribution Switches 90

46 What Questions Do You Have? 91 Summary Multilayer Campus Design Understanding Campus Topologies and Design Alternatives Foundation Services Design Pitfalls 92

47 Recommended Reading Top-Down Network Design ISBN: Cisco Internetwork Design ISBN: High Availability Network Fundamentals ISBN: Available on-site at the Cisco Company Store 93 Please Complete Your Evaluation Form Session 94

48 95