Building A Resilient Campus: Fundamentals and Best Practices

Similar documents
Massimiliano Sbaraglia

Building Cisco Multilayer Switched Networks (BCMSN)

Cisco EXAM Cisco ADVDESIGN. Buy Full Product.

Enterprise Multilayer and Routed Access Campus Design. Yaman Hakmi Systems Engineer

Design of High-Availability Resilient Converged Enterprise Networks. (C) Petr Grygárek

CCNP SWITCH (22 Hours)

Implementing Cisco IP Switched Networks (SWITCH)

Question No : 1 Which three options are basic design principles of the Cisco Nexus 7000 Series for data center virtualization? (Choose three.

Next Generation Campus Architectures

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

SWITCH Implementing Cisco IP Switched Networks

Implementing Cisco IP Routing ( )

NETLOGIC TRAINING CENTER

Integrated Switch Technology

MS425 SERIES. 40G fiber aggregation switches designed for large enterprise and campus networks. Datasheet MS425 Series

Configuring Optional Spanning-Tree Features

Multilayer Campus Architectures and Design Principles BRKCRS-2031

CCNP (Routing & Switching and T.SHOOT)

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Chapter 1: Enterprise Campus Architecture. Course v6 Chapter # , Cisco Systems, Inc. All rights reserved. Cisco Public

Cisco Certified Network Professional (CCNP)

Cisco ME 6524 Ethernet Switch

CCNA Routing and Switching (NI )

CCNP Switch Questions/Answers Cisco Enterprise Campus Architecture

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

PrepKing. PrepKing

Internetwork Expert s CCNP Bootcamp. Hierarchical Campus Network Design Overview

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Cisco Certdumps Questions & Answers - Testing Engine

TEXTBOOK MAPPING CISCO COMPANION GUIDES

Pass-Through Technology

Configuring StackWise Virtual

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

PrepKing. PrepKing

Top-Down Network Design

Syllabus. Cisco Certified Design Professional. Implementing Cisco IP Routing

Cisco Certified Network Associate ( )

Multilayer Campus Architecture and Design Principals

Enterprise Campus Design: Multilayer Architectures and Design Principles

CCNA 3 (v v6.0) Chapter 3 Exam Answers % Full

Implementing Cisco IP Switched Networks (SWITCH) v2.0

Copyright 2014 CertificationKits LLC. All Rights Reserved. 2

Cisco Systems Korea Cisco Systems, Inc. All rights reserved. 1

VSS-Enabled Campus Design

Reference Architectures for Industrial Automation and Control systems

CUDN PoP Switch Changes 2018

Spanning Tree Protocol(STP)

Overview. Information About High Availability. Send document comments to CHAPTER

Chapter 10: Review and Preparation for Troubleshooting Complex Enterprise Networks

Index. Numerics. Index p priority (QoS) definition Q VLAN standard w as a region 5-54

Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise?

Number: Passing Score: 800 Time Limit: 120 min File Version: 9.0. Cisco Questions & Answers

Unified Access Network Design and Considerations

CCNA. The knowledge and skills that a learner must have before attending this course are as follows:

Introduction to OSPF

Configuring Virtual Port Channels

MS355 SERIES. Multi-Gigabit access switches with 40G uplinks, designed for high performance enterprise and campus networks

Exam Topics Cross Reference

Community College LAN Design Considerations

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

Configuring Optional STP Features

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Switched Networks. Version: Demo

Introducing Campus Networks

ActualTest v by-VA

CISCO CCNP Cisco Certified Network Professional v2.0

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D

Multilayer Campus Architectures and Design Principles BRKCRS-2031

Configuring STP and Prestandard IEEE 802.1s MST

A Gigabit Ethernet core network or aggregation layer with high availability as well as scalability

Borderless Campus Design and Deployment Models

Configuring Virtual Port Channels

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

MS225 SERIES. Stackable access switches with 10G SFP+ uplinks, designed for the branch and campus. Datasheet MS225 Series Switches

Enterprise Campus Design: Routed Access

Configuring Rapid PVST+

Campus Architectures

Data Center Network Infrastructure

Troubleshooting and Maintaining Cisco IP Networks v2 ( )

SEVENMENTOR TRAINING PVT.LTD

Cisco. Exam Questions SWITCH Implementing Cisco IP Switched Networks. Version:Demo

Catalyst 4500 Series IOS Commands

CCNA. Course Catalog

Network-Level High Availability

Symbols. Numerics INDEX

Index. Numerics. Index 1

Configuring Virtual Port Channels

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

CERTIFICATE CCENT + CCNA ROUTING AND SWITCHING INSTRUCTOR: FRANK D WOUTERS JR. CETSR, CSM, MIT, CA

Cisco Exam Questions & Answers

Huawei Enterprise S6700 Series 10G Switches

Authorized CCNP. Student. LabManual SWITCH.

Data Center Interconnect Solution Overview

Layer 2 Engineering Spanning Tree

Understanding Multiple Spanning Tree Protocol (802.1s)

XS26DS. L2/L3 10 G Optic Fiber Aggregation Switches. Features. Overview. XS26DS L3 10 G Optic Fiber Aggregation Switches

CCIE Route & Switch Written (CCIERSW) 1.0

Prostředky návrhu a zajištění dostupné LAN sítě

ZXR A Series L3 Intelligent Ethernet Switch

Top-Down Network Design

Overview. Features CHAPTER

Transcription:

Building A Resilient Campus: Fundamentals and Best Practices Chara Kontaxi Systems Engineer, ckontaxi@cisco.com 1

The Resilient Enterprise Campus High-Availability Design Requirements Campus network design is evolving in response to multiple drivers User Expectations: Always ON Access to communications Business Requirements: Globalization means true 7x24x365 Technology Requirements: Unified Communications Unexpected Requirements: Worms, Viruses, Designing for availability is no longer just concerned with simple component failures Campus design needs to evolve to a resilient model Global Enterprise Availability Collaboration and Real-Time Communication Requires a Structured and Resilient Design Security 2

Agenda Data Center Services Block Multilayer Campus Design principles Campus Design Best Practices Hardening the Campus Network Design Summary Distribution Blocks 3

High-Availability Campus Design Structure, Modularity, and Hierarchy Access Distribution Core Distribution Access WAN Data Center Internet 4

Hierarchical Campus Network Structure, Modularity and Hierarchy Not This!! Server Farm WAN Internet PSTN 5

Hierarchical Network Design Without a Rock Solid Foundation the Rest Doesn t Matter Access Distribution Core Distribution Access Offers hierarchy each layer has specific role Modular topology building blocks Easy to grow, understand, and troubleshoot Creates small fault domains clear demarcations and isolation Promotes load balancing and redundancy Promotes deterministic traffic patterns Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control Building Block 6

Access Layer Feature Rich Environment Not JUST connectivity Layer 2/Layer 3 feature rich environment; convergence, HA, security, QoS, IP multicast, etc. Intelligent network services: PVST+, Rapid PVST+, EIGRP, OSPF, PAgP/LACP, UDLD, etc. Intelligent network services: QoS, broadcast suppression, IGMP snooping Integrated security features IBNS (802.1x), port security, DHCP snooping, DAI, IPSG, etc. Automatic phone discovery, power over Ethernet, auxiliary VLAN, etc. Spanning tree toolkit: PortFast, UplinkFast, BackboneFast, LoopGuard, BPDU Guard, BPDU Filter, RootGuard, etc. Core Distribution Access 7

Distribution Layer Policy, Convergence, QoS, and High Availability Availability, load balancing, QoS and provisioning are the important considerations at this layer Core Aggregates wiring closets (access layer) and uplinks to core Protects core from high density peering and problems in access layer Distribution Route summarization, fast convergence, redundant path load sharing Access HSRP, VRRP or GLBP to provide first hop redundancy 8

Core Layer Scalability, High Availability, and Fast Convergence Backbone for the network connects network building blocks Core Performance and stability vs. complexity less is more in the core Distribution Aggregation point for distribution layer Separate core layer helps in scalability during future growth Access 9

Do I Need a Core Layer? It s Really a Question of Scale, Complexity, and Convergence No Core Fully meshed distribution layers Physical cabling requirement Routing complexity Second Building Block 4 New Links 4th Building Block 12 New Links 24 Links Total 7 IGP Neighbors 3rd Building Block 8 New Links 12 Links Total 5 IGP Neighbors 10

Do I Need a Core Layer? It s Really a Question of Scale, Complexity, and Convergence Dedicated Core Switches Easier to add a module Fewer links in the core Easier bandwidth upgrade Routing protocol peering reduced Equal cost Layer 3 links for best convergence 2nd Building Block 8 New Links 4th Building Block 4 New Links 16 Links Total 3 IGP Neighbors 3rd Building Block 4 New Links 12 Links Total 3 IGP Neighbors 11

Agenda Data Center Services Block Multilayer Campus Design principles Campus Design Best Practices Hardening the Campus Network Design Summary Distribution Blocks 12

Best Practices Layer 1 Physical Things Use point-to-point interconnections - no L2 aggregation points (Hubs) between nodes as HW detection and recovery is both faster and more deterministic Use fiber for best convergence (default debounce timer on GE and 10GE fiber linecards is 10 msec while minimum debounce for copper is 300 msec) Layer 3 Equal Cost Links Layer 3 Equal Cost Links Use configuration on the physical interface not VLAN/SVI when possible WAN Data Center Internet 13

Best Practices Spanning Tree Configuration Required to protect against user side loops Required to protect against operational accidents (misconfiguration or hardware failure) Only span VLAN across multiple access layer switches when you have to! Use Rapid PVST+ for best convergence Take advantage of the spanning tree toolkit Layer 3 Equal Cost Links Same VLAN Same VLAN Same VLAN Layer 2 Loops Layer 3 Equal Cost Links WAN Data Center Internet 14

Multilayer Network Design Layer 2 Access with Layer 3 Distribution Vlan 10 Vlan 20 Vlan 30 Vlan 30 Vlan 30 Vlan 30 Each access switch has unique VLANs No layer 2 loops Layer 3 link between distribution No blocked links At least some VLANs span multiple access switches Layer 2 loops Layer 2 and 3 running over link between distribution Blocked links 15

Optimizing L2 Convergence PVST+, Rapid PVST+ or MST Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP PVST+ (802.1d) Traditional spanning tree implementation Rapid PVST+ (802.1w) Scales to large size (~10,000 logical ports) Easy to implement, proven, scales MST (802.1s) Permits very large scale STP implementations (~30,000 logical ports) Not as flexible as Rapid PVST+ Time to Restore Data Flows (sec) 35 30 25 20 15 10 5 0 PVST+ Upstream Downstream Rapid PVST+ 16

Layer 2 Hardening Spanning Tree Should Behave the Way You Expect Place the root where you want it The root bridge should stay where you put it RootGuard LoopGuard UplinkFast Only end-station traffic should be seen on an edge port BPDU Guard RootGuard PortFast STP Root RootGuard LoopGuard UplinkFast LoopGuard BPDU Guard or RootGuard PortFast 17

Daisy Chaining Access Layer Switches Avoid Potential Black Holes Return Path Traffic Has a 50/50 Chance of Being Black Holed Core Layer 3 Distribution Layer 2/3 Distribution-A Layer 3 Link Distribution-B 50% Chance That Traffic Will Go Down Path with No Connectivity Access Layer 2 Access-a Traffic Dropped with No Path to Destination Access-n Access-c VLAN 2 VLAN 2 VLAN 2 18

Daisy Chaining Access Layer Switches New Technology Addresses Old Problems Stackwise/Stackwise-Plus technology eliminates the concern Loopback links not required No longer forced to have L2 link in distribution If you use modular (chassis-based) switches, these problems are not a concern Forwarding HSRP Active Layer 3 3750-E Forwarding HSRP Standby 19

Intelligent Switching Availability and Resiliency - VSS Virtual Switch: Physical redundancy with a single logical control plane Catalyst 6500 Virtual Switch System - VSS Extension of control and management planes across chassis Active-Active data plane Stateful switchovers across chassis ngle point of configuration and management Multichassis Etherchannel (MEC) between Virtual Switch and all neighbors Eliminates L2 loops All links forwarding doubling effective bandwidth Reduce number of L3 routing neighbors 20

Best Practices Layer 3 Routing Protocols Typically deployed in distribution to core, and core to core interconnections Used to quickly re-route around failed node/links while providing load balancing over redundant paths Build triangles not squares for deterministic convergence Only peer on links that you intend to use as transit Insure redundant L3 paths to avoid black holes Summarize distribution to core to limit EIGRP query diameter or OSPF LSA propagation Layer 3 Equal Cost Links Layer 3 Equal Cost Links WAN Data Center Internet 21

Best Practice Build Triangles Not Squares Deterministic vs. Non-Deterministic Triangles: Link/Box Failure Does NOT Require Routing Protocol Convergence Squares: Link/Box Failure Requires Routing Protocol Convergence Model A Model B Layer 3 redundant equal cost links support fast convergence Hardware based fast recovery to remaining path Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path) 22

Provide Alternate Paths What happens if fails? No route to the core anymore? Allow the traffic to go through the access? Do you want to use your access switches as transit nodes? ngle Path to Core Traffic Dropped with No Route to Core Core How do you design for scalability if the access used for transit traffic? Distribution Install a redundant link to the core Best practice: install redundant link to core and utilize L3 link between distribution Layer (summarization coming) A B Access 23

Why You Want to Summarize at the Distribution Reduce the Complexity of IGP Convergence It is important to force summarization at the distribution towards the core For return path traffic an OSPF or EIGRP re-route is required By limiting the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process we can optimize its re-route For EIGRP if we summarize at the distribution we stop queries at the core boxes for an access layer flap Summaries Stop Queries at the Core Rest of Network For OSPF when we summarize at the distribution (area border or L1/L2 border) the flooding of LSAs is limited to the distribution switches; SPF now deals with one LSA not three 10.1.1.0/24 10.1.2.0/24 Summary: 10.1.0.0/16 Traffic Dropped Until IGP Converges Core Distribution Access 24

Best Practice Unidirectional Link Detection Protecting Against One Way Communication Typically deployed on any fiber optic interconnection Detects partially failed links and that could impact protocols like STP and RSTP Primarily used on fiberoptic links where patch panel errors could cause link up/up with mismatched transmit/receive pairs Layer 3 Equal Cost Links Fiber Interconnections Layer 3 Equal Cost Links WAN Data Center Internet 25

Best Practices EtherChannel Configuration Typically deployed in distribution to core, and core to core interconnections Used to provide link redundancy while reducing peering complexity Deploy in powers of 2 (2, 4, or 8) Layer 3 Equal Cost Links Layer 3 Equal Cost Links 802.3ad LACP for interoperability if you need it WAN Data Center Internet 26

Best Practices First Hop Redundancy Used to provide a resilient default gateway/first hop address to end-stations HSRP, VRRP, and GLBP alternatives VRRP, HSRP and GLBP provide millisecond timers and excellent convergence performance VRRP if you need multivendor interoperability GLBP facilitates uplink load balancing Layer 3 Equal Cost Links WAN 1 st Hop Redundancy Data Center Layer 3 Equal Cost Links Internet 27

Best Practices - Quality of Service Must be deployed end-toend to be effective; all layers play different but equal roles End to End QoS Ensure that mission critical applications are not impacted by link or transmit queue congestion Aggregation and rate transition points must enforce QoS policies Layer 3 Equal Cost Links Layer 3 Equal Cost Links Multiple queues with configurable admission criteria and scheduling are required WAN Data Center Internet 28

Intelligent Switching Optimized Delivery Congestion Avoidance mechanisms preserve forwarding continuance and bandwidth availability Policing and rate-limiting provide bandwidth limit enforcement for variable traffic types, and action due for violating assigned thresholds. Traffic Classification allows to distinguish (and therefore aids in prioritizing) one kind of traffic from another by examining variable packet fields Traffic Shaping provides control of outgoing traffic rate to ensure it conforms to allowed thresholds Internet Intranet 29

Agenda Data Center Services Block Multilayer Campus Design principles Campus Design Best Practices Hardening the Campus Network Design Summary Distribution Blocks 30

Hardening the Edge Catalyst Integrated Security Features IP Source Guard Dynamic ARP Inspection DHCP Snooping Port Security Switch Email acts like a hub Server 132,000 Bogus MACs X Use this IP Address! 00:0e:00:aa:aa:aa DHCP 00:0e:00:bb:bb:bb Server 00:0e:00:aa:aa:cc 00:0e:00:bb:bb:dd etc Your Email Passwd Is joecisco! Man in the Middle Port security prevents CAM attacks and DHCP Starvation attacks DHCP Snooping prevents Rogue DHCP Server attacks Dynamic ARP Inspection prevents current ARP attacks IP Source Guard prevents IP/MAC Spoofing 31

Harden the Network Links Protect the Good and Punish the Bad QoS does more than just protect voice and video For best-effort traffic an implied good faith commitment that there are at least some network resources available is assumed Need to identify and potentially punish out of profile traffic (potential worms, DDOS, etc.) Scavenger class is an Internet-2 Draft Specification CS1/CoS1 Voice Access Distribution Voice Core Data Data Scavenger Scavenger 32

Hardening the Switches Control Plane Protection CEF protects against system overload due to flow flooding System CPU still has to be able to process certain traffic BPDUs, CDP, EIGRP, OSPF Telnet, SSH, SNMP, ARP, ICMP, IGMP System needs to provide throttling on CPU-bound traffic IOS Based SW Rate Limiters Multiple CPU queues on 4500 & 3750 Hardware Rate Limiters on 6500 Hardware Control Plane Policing (CoPP) on 6500 & 4500 Second tier software Control Plane Policing on 6500 MGMT SNMP, Telnet ICMP Software Protection Hardware Protection Routing IP Updates Options Traffic to the CPU 33

Intelligent Switching Integrated Security Control Plane Policing applies Hardware QoS policies to traffic punted to the CPU to preserve CPU survivability. Network Admission Control integration provides Policy Compliance and Remediation Broadcast and multicast Storm control prevents service disruption caused by errors in protocol-stack implementation or network configuration that result in flooding, creating excessive traffic and degrading network performance. 34

Agenda Data Center Services Block Multilayer Campus Design principles Campus Design Best Practices Hardening the Campus Network Design Summary Distribution Blocks 35

Summary Offers hierarchy each layer has specific role Modular topology building blocks Access Easy to grow, understand, and troubleshoot Creates small fault domains Clear demarcations and isolation Distribution Promotes load balancing and redundancy Promotes deterministic traffic patterns Layer 3 Equal Cost Links Layer 3 Equal Cost Links Core Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both Distribution Utilizes Layer 3 Routing for load balancing, fast convergence, scalability, and control WAN Data Center Internet Access 36

37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback