CCNP SWITCH 642-813 Quick Reference
Denise Donohue

Contents
Chapter 1: Campus Network Design ........................ 4
Chapter 2: VLAN Implementation ........................... 12
Chapter 3: Spanning Tree ................................. 29
Chapter 4: InterVLAN Routing ............................. 49
Chapter 5: Implementing High Availability ................ 59
Chapter 6: First Hop Redundancy .......................... 72
Chapter 7: Campus Network Security ...................
[2] CCNP SWITCH 642-813 Quick Reference by Denise Donohue

About the Author
Denise Donohue, CCIE No. 9566, is a senior solutions architect for ePlus Technology. She consults with companies to design updates or additions to their data and VoIP networks. Prior to this role, she was a systems engineer for the data consulting arm of SBC/AT&T. Denise has been a Cisco instructor and course director for Global Knowledge and did network consulting for many years. Her CCIE is in Routing and Switching.
Icons Used: Router, Route/Switch Processor, Multilayer Switch, Workgroup Switch, PC

© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
Chapter 1 Campus Network Design

An enterprise campus generally refers to a network in a specific geographic location. It can be within one building or span multiple buildings near each other. A campus network also includes the Ethernet LAN portions of a network outside the data center. Large enterprises have multiple campuses connected by a WAN.
- Distribution: Aggregation point for access switches. Provides availability, QoS, fast path recovery, and load balancing.
- High availability through redundant distribution layer switches providing dual paths to the access switches and to core switches. Use of FHRP protocols to ensure connectivity if one distribution switch is removed.
Small Campus Design
In a small campus, the core and distribution can be combined into one layer. Small is defined as fewer than 200 end devices. In very small networks, one multilayer switch might provide the functions of all three layers. Figure 1-1 shows a sample small network with a collapsed core.
FIGURE 1-2 A Medium-Sized Campus Network (Building Access Layer, Building Distribution Layer, Core Layer, Data Center)

Data Center Design
The core layer connects end users to the data center devices.
Network Traffic Flow
The need for a core layer and the devices chosen for the core also depend on the type of network traffic and traffic flow patterns. Modern converged networks include different traffic types, each with unique requirements for security, QoS, transmission capacity, and delay.
- Client-Enterprise Edge applications are located on servers at the WAN edge, reachable from outside the company. These can include email and web servers, or e-commerce servers, for example. Access to these servers must be secure and highly available.
FIGURE 1-3 The SONA Model (Application Layer: Business Applications, Collaboration Applications; Application Delivery/Application-Oriented Networking; Infrastructure Services Layer; Infrastructure Layer: Network (Campus, Branch, Data Center, Enterprise Edge, WAN, MAN, Teleworker), Servers, Clients, Storage)

Planning a Network Implementation
It is important to use a struc
Network engineers at the CCNP level will likely be involved at the implementation and following phases. They can also participate in the design phase. It is important to create a detailed implementation plan that includes test and verification procedures and a rollback plan.
Chapter 2 VLAN Implementation

VLANs are used to break large campus networks into smaller pieces. The benefit of this is to minimize the amount of broadcast traffic on a logical segment.

VLAN Overview
A virtual LAN (VLAN) is a logical LAN, or a logical subnet. It defines a broadcast domain. A physical subnet is a group of devices that shares the same physical wire.
FIGURE 2-1 End-to-End VLANs (HR Department and IT Department VLANs spanning the 1st through 4th floors)

FIGURE 2-2 Local VLANs (HR Department and IT Department VLANs local to each of the 1st through 4th floors)
When planning a VLAN structure, consider traffic flows and link sizing. Take into account the entire traffic pattern of applications found in your network. For instance, IP voice media traffic travels directly between phones, but signaling traffic must pass to the Unified Communications Manager. Multicast traffic must communicate back to the routing process and possibly call upon a Rendezvous Point.
Creating a VLAN and Assigning Ports
VLANs must be created before they can be used. Creating VLANs is easy: in global configuration mode, just identify the VLAN number and optionally name it.

(config)# vlan 12
(config-vlan)# name MYVLAN

Delete a VLAN by using the same command with no in front of it. There is no need to include the name when deleting.
Other verification commands include:
- show running-config interface interface-no: Use the following to verify the VLAN membership of the port:

ASW# show run interface fa0/5
Building configuration...
Current configuration 64 bytes
interface FastEthernet 0/5
 switchport access vlan 20
 switchport mode access

- show mac address-table interface interface-no.
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Unknown unicast blocked: false
Unknown multicast blocked: false
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100

VLAN Trunking
A trunk is a link that carr
in either the ISL encapsulation or the 802.1Q tag. The switch on the other end of the trunk removes the ISL or 802.1Q information, checks the VLAN of the frame, and adds the internal tag. If the exit port is a user port, the original frame is sent out unchanged, making the use of VLANs transparent to the user. If a nontrunking port receives an ISL-encapsulated packet, the port cannot remove the ISL header.
Configure a port for trunking at the interface configuration mode:

(config-if)# switchport mode {dynamic {auto | desirable} | trunk}

If dynamic mode is used, DTP negotiates the trunking state and encapsulation.
Using the trunk keyword with the show interfaces command gives information about the trunk link:

# show interfaces fastethernet 0/1 trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/1     desirable    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/1     1-150

Best Practices for Trunking
- Change the Native VLAN to one not assigned to any users.
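The trunking best practices can be checked mechanically against a saved running-config. The following is an added example (not code from the book) that parses the switchport stanzas of a constructed `show running-config` excerpt and flags trunks left on native VLAN 1, ports whose mode is still negotiated by DTP, static trunks without `switchport nonegotiate`, and trunks carrying every VLAN; the platform defaults it assumes (dynamic mode and native VLAN 1 until set) are stated in the code and should be confirmed with `show interfaces switchport` on the real device.

```python
"""Audit switchport stanzas in a running-config for the trunking best practices."""

# Constructed sample of `show running-config` output (sample data, not from the book).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-150
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,120
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 20
!
"""

# Assumed platform defaults (confirm with `show interfaces switchport` on the device):
DEFAULT_MODE = "dynamic"   # DTP negotiation stays on until a mode is set explicitly
DEFAULT_NATIVE_VLAN = 1    # matches "Trunking Native Mode VLAN: 1 (default)"


def parse_interfaces(config):
    """Return {interface name: [config lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any unindented line ends the stanza
    return interfaces


def audit_trunking(config):
    """Return {interface: [(code, message), ...]} for ports that violate a best practice."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode, native, allowed, nonegotiate = DEFAULT_MODE, DEFAULT_NATIVE_VLAN, None, False
        for line in lines:
            words = line.split()
            if words[:2] == ["switchport", "mode"]:
                mode = words[2]            # "access", "trunk" or "dynamic"
            elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
                native = int(words[4])
            elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
                allowed = " ".join(words[4:])
            elif words == ["switchport", "nonegotiate"]:
                nonegotiate = True

        problems = []
        if mode == "dynamic":
            problems.append(("DYNAMIC_MODE",
                             "port mode is negotiated by DTP; set mode access or trunk explicitly"))
        if mode == "trunk":
            if native == 1:
                problems.append(("NATIVE_VLAN_1", "native VLAN left at 1; move it to an unused VLAN"))
            if not nonegotiate:
                problems.append(("DTP_ENABLED", "DTP still runs on a static trunk; add switchport nonegotiate"))
            if allowed is None:
                problems.append(("ALL_VLANS_ALLOWED", "every VLAN is carried; prune the allowed list"))
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_trunking(SAMPLE_CONFIG).items():
        for code, message in problems:
            print(f"{name}: {code}: {message}")
```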
VTP works by using Configuration Revision numbers and VTP advertisements:
- All switches send out VTP advertisements every five minutes or when there is a change to the VLAN database (when a VLAN is created, deleted, or renamed).
- VTP advertisements contain a Configuration Revision number. This number is increased by one for every VLAN change.
The two versions of VTP are Version 1 and Version 2. To use Version 2, all switches in the domain must be capable of using it. Configure one server for Version 2, and the information is propagated through VTP. Version 2 has the following added features:
- It supports Token Ring VLANs.
- Transparent switches pass along messages from both versions of VTP.
Verifying and Monitoring VTP
To get basic information about the VTP configuration, use show vtp status.
EtherChannels
An EtherChannel is a way of combining several physical links between switches into one logical connection. Normally, Spanning Tree blocks redundant links; EtherChannels get around that and enable load balancing across those links. Traffic is balanced between the channel links on the basis of such things as source or destination MAC address or IP address.
Configuring an EtherChannel
Basically, you should configure the logical interface and then put the physical interfaces into the channel group:

(config)# interface port-channel number
! [any additional configuration, such as trunking for a Layer 2 EtherChannel]

For a Layer 3 EtherChannel, add the following:

(config-if)# no switchport
(config-if)# ip address address mask

Then, at each port that is part of the Ether
Link Aggregation Control Protocol (LACP) is an IEEE standard protocol, IEEE 802.3ad, which does the same thing. LACP modes follow:
- On: The port channels without using LACP negotiation. The port on the other side must also be set to On.
- Active: Port actively negotiates channeling with the port on the other end of the link. A channel forms if the other side is Passive or Active.
Troubleshooting VLAN Issues
Configuration problems can arise when user traffic must traverse several switches. The following sections list some common configuration errors. But before you begin troubleshooting, create a plan. Check the implementation plan for any changes recently made, and determine likely problem areas.
Troubleshooting VTP
The following are some common things to check when troubleshooting problems with VTP:
- Make sure you are trunking between the switches. VTP is sent only over trunk links.
- Make sure the domain name matches on both switches. (The name is case sensitive.)
- If the switch is not updating its database, make sure it is not in transparent mode.
- If using passwords, make sure they all match.
Chapter 3 Spanning Tree

Ethernet network design balances two separate imperatives. First, Ethernet has no capacity for detecting circular paths. If such paths exist, traffic loops around and accumulates until new traffic is shut out. (This is called a broadcast storm.) Second, having secondary paths is good preparation for inevitable link failure.
Spanning Tree Protocol (STP) works by selecting a root bridge and then selecting one loop-free path from the root bridge to every other switch. (STP uses the term bridge because it was written before there were switches.) Consider the following switched network (see Figure 3-1).

FIGURE 3-1 Example Switched Topology (switches A 000c.1111.0011, B 000c.2678.1010, and C 000c.321a.; links of 100 Mbps, 10 Mbps, and 1000 Mbps)
Spanning Tree Election Criteria
Spanning Tree builds paths out from a central point along the fastest available links. It selects paths according to the following criteria:
- Lowest root bridge ID (BID)
- Lowest path cost to the root
- Lowest sender bridge ID
- Lowest sender port ID (PID)

When reading the path selection criteria, remember the following:
- Bridge ID: Bridge priority: Bridge MAC address.
Table 3-1 Spanning Tree Costs

Link Speed   Previous IEEE Specification   Current IEEE Specification
10 Mb/s      100                           100
100 Mb/s     10                            19
1 Gbps       1                             4
10 Gbps      1                             2

The STP Election
Spanning Tree builds paths out from a starting point, the "root" of the tree. The first step in selecting paths is to identify this root device.
Root Port Election
The root port is the port that leads back to the root. Continuing with Figure 3-1, when A is acknowledged as the root, the remaining bridges sort out their lowest cost path back to A:
- Switch B: Uses the link to A with a cost of 19 (link speed of 100 Mb/s).
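The election criteria above (lowest BID, then lowest path cost, then lowest sender BID) and the Table 3-1 costs can be run as a small simulation. The following is an added example, not code from the book: it elects the root, finds each switch's root port with a Dijkstra search keyed on (path cost, sender BID), and then classifies every link end as root, designated or blocking. The three-switch topology and the MAC for switch C are constructed sample data (only part of Figure 3-1 is visible), and sender port ID, the fourth tie-breaker, is not modelled.

```python
"""STP root bridge, root port and designated port election over a small topology."""
import heapq

# Port costs from the "current IEEE" column of Table 3-1, keyed by link speed in Mb/s.
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed sample switches {name: (priority, MAC)} and links (end1, end2, speed in Mb/s).
# Loosely modelled on Figure 3-1; the full figure is not on the page, so this is sample data.
SWITCHES = {
    "A": (32768, "000c.1111.0011"),
    "B": (32768, "000c.2678.1010"),
    "C": (32768, "000c.321a.0001"),
}
LINKS = [("A", "B", 100), ("A", "C", 10), ("B", "C", 1000)]


def bridge_id(priority, mac):
    """Bridge ID compares priority first, then the MAC address (as an integer)."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(switches):
    """Criterion 1: the switch with the lowest BID becomes the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def elect_root_ports(switches, links):
    """Criteria 2 and 3: lowest path cost to the root, then lowest sender BID.

    Dijkstra from the root with the ordering key (cost, sender BID).
    Returns {switch: (root path cost, neighbour reached through the root port)};
    the root itself maps to (0, None).
    """
    root = elect_root(switches)
    adjacency = {name: [] for name in switches}
    for end1, end2, speed in links:
        adjacency[end1].append((end2, STP_COST[speed]))
        adjacency[end2].append((end1, STP_COST[speed]))

    best = {root: (0, None)}
    heap = [((0, bridge_id(*switches[root])), root)]
    while heap:
        (cost, _sender), sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue  # stale queue entry
        for neighbour, link_cost in adjacency[sw]:
            if neighbour == root:
                continue
            candidate = (cost + link_cost, bridge_id(*switches[sw]))
            current = best.get(neighbour)
            if current is None or candidate < (current[0], bridge_id(*switches[current[1]])):
                best[neighbour] = (candidate[0], sw)
                heapq.heappush(heap, (candidate, neighbour))
    return best


def port_roles(switches, links):
    """Classify each link end as 'root', 'designated' or 'blocking'.

    On every segment the end with the lower (root path cost, BID) is designated;
    a non-designated end that is not the switch's root port stays blocking.
    """
    root = elect_root(switches)
    best = elect_root_ports(switches, links)

    def segment_key(name):
        return (best[name][0], bridge_id(*switches[name]))

    roles = {}
    for end1, end2, _speed in links:
        designated = min((end1, end2), key=segment_key)
        for sw, other in ((end1, end2), (end2, end1)):
            if sw != root and best[sw][1] == other:
                roles[(sw, other)] = "root"
            elif sw == designated:
                roles[(sw, other)] = "designated"
            else:
                roles[(sw, other)] = "blocking"
    return roles


if __name__ == "__main__":
    print("root bridge:", elect_root(SWITCHES))
    for sw, (cost, via) in sorted(elect_root_ports(SWITCHES, LINKS).items()):
        print(f"{sw}: cost {cost} via {via}")
    for (sw, other), role in sorted(port_roles(SWITCHES, LINKS).items()):
        print(f"{sw} -> {other}: {role}")
```

With this sample data C reaches A more cheaply through B (19 + 4) than over its direct 10 Mb/s link (100), so C's end of the A-C link is the one left blocking; lowering C's priority makes C the root instead.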
FIGURE 3-2 The Active Topology After Spanning Tree Is Complete (switches A, B, C, D, and E)

Bridge Protocol Data Units
Switches exchange Bridge Protocol Data Units (BPDU). The two types of BPDUs are Configuration and Topology Change Notification (TCN). Configuration BPDUs are sent every two seconds from the root toward the downstream switches.
TCN BPDUs are sent by a downstream switch toward the root when:
- There is a link failure.
- A port starts forwarding, and there is already a designated port.
- The switch receives a TCN from a neighbor.

When a switch receives a TCN BPDU, it acknowledges that with a configuration BPDU that has the TCN Acknowledgment bit set.
Spanning Tree Port States
When a port is first activated, it transitions through the following stages shown in Table 3-2.
Configuring Spanning Tree
To change the STP priority value, use the following:

Switch(config)# spanning-tree vlan vlan_no. priority value

To configure a switch as root without manually changing priority values, use the following:

Switch(config)# spanning-tree vlan vlan_no.
Portfast
Portfast is a Cisco-proprietary enhancement to Spanning Tree that helps speed up network convergence. It is for access (user) ports only. Portfast causes the port to transition directly to forwarding, bypassing the other STP states. Connecting a switch to a Portfast port can cause loops to develop.
RSTP Port Roles
RSTP also defines different Spanning Tree roles for ports:
- Root port: The best path to the root (same as STP)
- Designated port: Same role as with STP
- Alternate port: A backup to the root port
- Backup port: A backup to the designated port
- Disabled port: Not used in the Spanning Tree
- Edge port: Connected only to an end user

BPDU Differences in RSTP
In regular STP, BPDUs are originated
- Link type: If you connect two switches through a point-to-point link and the local port becomes a designated port, it exchanges a handshake with the other port to quickly transition to forwarding. Full-duplex links are assumed to be point-to-point; half-duplex links are assumed to be shared.
(config-mst)# revision number
(config-mst)# instance number vlan vlan_range
(config-mst)# end
# show spanning-tree mst

To be compatible with 802.1Q trunking, which has one common Spanning Tree (CST) for all VLANs, MST runs one instance of an Internal Spanning Tree (IST). The IST appears as one bridge to a CST area and is MST instance number 0.
UplinkFast
UplinkFast is for speeding convergence when a direct link to an upstream switch fails. The switch identifies backup ports for the root port. (These are called an uplink group.) If the root port fails, one of the ports in the uplink group is unblocked and transitions immediately to forwarding; it bypasses the listening and learning stages.
Configure this command on all switches in the network:

(config)# spanning-tree backbonefast

BPDU Guard
BPDU Guard prevents loops if another switch is attached to a Portfast port. When BPDU Guard is enabled on an interface, it is put into an error-disabled state (basically, shut down) if a BPDU is received on the interface.
Root Guard
Root Guard is meant to prevent the wrong switch from becoming the Spanning Tree root. It is enabled on ports other than the root port and on switches other than the root. If a Root Guard port receives a BPDU that might cause it to become a root port, the port is put into "root-inconsistent" state and does not pass traffic through it. If the port stops receiving these BPDUs, it automatically reenables itself.
To control UDLD on a specific fiber port, use the following command:

(config-if)# udld port {aggressive | disable}

To reenable all interfaces shut by UDLD, use the following:

# udld reset

To verify UDLD status, use the following:

# show udld interface

Loop Guard
Loop Guard prevents loops that might develop if a port that should be blocking inadvertently transitions to the forwarding state.
To enable Loop Guard on a specific interface, use the following:

(config-if)# spanning-tree guard loop

Loop Guard automatically reenables the port if it starts receiving BPDUs again.

Troubleshooting STP
Some common things to look for when troubleshooting Spanning Tree Protocol include:
- Duplex mismatch: When one side of a link is half-duplex and the other is full-duplex. This causes late collisions and FCS errors.
Identifying a Bridging Loop
Suspect a loop if you see the following:
- You capture traffic on a link and see the same frames multiple times.
- All users in a bridging domain have connectivity problems at the same time.
- There is abnormally high port utilization.

To remedy a loop quickly, shut redundant ports and then enable them one at a time. Some switches enable debugging of STP to help in diagnosing problems.
- Tune STP using the tools detailed in this section.
- Enable UDLD aggressive mode on all fiber interfaces.
- Design STP domains that are as simple and contained as possible by using multilayer switches and routed links.
- Use PVRST+ or MST for the fastest convergence times.

Confused by all the acronyms and STP features? Figure 3-3 shows the STP tools you might use in your network and where you might use them.
Chapter 4 InterVLAN Routing

VLANs divide the network into smaller broadcast domains but also prohibit communication between domains. To enable communication between those groups, without also passing broadcasts, routing is used.

InterVLAN Routing Using an External Router
A Layer 2 switch can connect to a router to provide reachability between VLANs.
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet0/1.99
 description Native VLAN
 encapsulation dot1Q 99 native
 ip address 10.1.99.1 255.255.255.0
!
interface FastEthernet0/1.120
 description Data VLAN
 encapsulation dot1Q 120
 ip address 10.1.120.1 255.255.255.
Input
1. Receive frame
2. Verify frame integrity
3. Apply inbound VLAN ACL (VLAN Access Control List)
4. Look up destination MAC (Media Address Code)

Output
1. Apply outbound VLAN ACL
2. Apply outbound QoS ACL
3. Select output port
4. Place in port queue
5. Rewrite
6. Forward

A multilayer switch does Layer 3 forwarding when the destination MAC address is one of the switch's own addresses.
Routing
1. Apply input ACL
2. Switch if entry is in CEF cache
3. Identify exit interface and next-hop address using routing table
4. Apply output ACL

Output
1. Apply outbound VLAN ACL.
2. Apply outbound QoS ACL.
3. Select output port.
4. Place in interface queue.
5. Rewrite source and destination MAC, IP checksum and frame check sequence, and decrement TTL (Time to Live field in the IP header).
6. Forward.
In comparison, Multilayer Switching (MLS) uses a Ternary Content Addressable Memory (TCAM) table to store information needed by Layer 3 and higher processing. This might include QoS and ACLs. Values in the TCAM table include ternary values (0, 1, or wildcard). An exact match is not required; the longest match is considered a hit.
An SVI is considered "up" as long as at least one port in its associated VLAN is active and forwarding. If all ports in the VLAN are down, the interface goes down to avoid creating a routing black hole. You might not want the status of a particular port (one not connected to a host) to affect the SVI's status. Some Cisco switches enable you to use the following command on that interface.
To verify your configuration, use the commands show ip interface brief, show interface, or show running-config interface int-#.

Understanding Switch Forwarding Architectures
Packets entering a router or multilayer switch are handled by one of three types of switching:
- Process Switching: Each packet must be examined by the CPU and handled in software. Slowest method, used in routers only.
FIGURE 4-1 Cisco Express Forwarding (BGP Table, IP Routing Table, FIB Table (CEF Cache), and Adjacency Table, showing how a prefix's next hop points to an adjacency entry holding the Layer 2 header)
- 802.3 (IPX) or other unsupported encapsulation types
- Packets with an expiring TTL
- Packets that must be fragmented

Configuring and Troubleshooting CEF
By default, CEF is on and supports per destination load sharing. To disable CEF:
- 4500: Use (config)# no ip cef.
- 3500/3700: On each interface, use (config)# no ip route-cache cef.
Troubleshoot CEF drops with the following:

# show cef drop

Troubleshoot CEF adjacencies with the following:

# show adjacency
Chapter 5 Implementing High Availability

A highly available network is the goal of every network engineer. Having a highly available network makes the job easier because it helps to prevent network outages and minimize downtime.

Components of High Availability
There are five components to high availability: redundancy, technology, people, processes, and tools.
Technology
Some of the technologies found in Cisco routers and Layer 3 switches enhance availability by providing routing continuity, fast failure detection to trigger a failover, and fast routing convergence.
- Communication and documentation: There should be good communication between teams responsible for the network, security, servers, and applications. There should also be communication with users. Good documentation, readily available, is critical to understanding how the network is designed and how it should behave during a failure.
- Disaster recovery and business continuity plans
- Evaluating the security impact of a proposed change

Tools
A well-designed, highly available network can have a failure without it being noticed by users. It is important to have tools in place to monitor the network and send alerts when a failover occurs.
Network Level Resiliency
Redundant links were discussed in Chapter 2. STP blocks a redundant link by default so that the links are in an active/backup configuration. EtherChannels enable multiple links to be active. If a failure occurs, they distribute traffic across the remaining links. Configure your devices for fast convergence to avoid traffic drops when a link fails. RSTP is preferred over 802.
Optimizing Redundancy
You should be aware that redundancy does not always equal resiliency. Too much redundancy can increase the network complexity to a point that it becomes harder to troubleshoot and actually leads to a less-available network. There are too many paths for the data to follow, so it becomes less deterministic. The cost is much higher, also.
Designing for Redundancy
Figure 5-1 shows where you would typically use redundancy within a campus network. Access switches are either chassis-based with dual Supervisor engines and dual power supplies or are stackable switches. They have redundant, fully meshed links to redundant distribution switches, which, in turn, have redundant links to redundant core switches.
FIGURE 5-2 Layer 2 Access Switches with Distributed VLANs (L3 distribution switches joined by an L2 trunk, one HSRP Active and STP Root, STP blocked links, L2 access switches, VLAN 10 on both access switches)

There must be a physical link between distribution switches, and it should be a L2 trunk. Without that link, any traffic between switches must go through an access switch.
FIGURE 5-3 Layer 2 Access Switches with Local VLANs (L3 distribution switches joined by an L3 link, HSRP Active and STP Root for VLAN 20 on one and for VLAN 10 on the other, L2 access switches running RSTP, VLAN 10 and VLAN 20 each local to one access switch)

In Figure 5-4 the access switches are L3. This gives the faster convergence and is easiest to implement. All links between switches are L3.
Using Nonchassis Based Access Switches
Using more than one stand-alone switch, such as the Cisco 3560 or 3750, in an access closet requires special design consideration. You can either daisy-chain the switches or use the Cisco Stackwise technology. When you daisy-chain switches, the top and bottom members of the chain typically uplink to one distribution switch each.
Syslog
Cisco devices produce system logging (or syslog) messages that can be output to the device console, VTY connection, system buffer, or remote syslog server. If sent to a syslog server, messages are sent on UDP port 514. You are probably familiar with the syslog message %SYS-5-CONFIG_I: Configured from console by console, for instance.
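Messages such as %SYS-5-CONFIG_I follow the IOS %FACILITY-SEVERITY-MNEMONIC: text layout, which is easy to parse once the messages reach a syslog server. The following is an added example, not code from the book: it parses that layout (with the optional sequence number and timestamp prefix), filters by severity, and pulls out configuration-change notifications. The log lines are constructed samples in the IOS format, and the severity-name table is the standard IOS one.

```python
"""Parse Cisco IOS syslog messages (%FACILITY-SEVERITY-MNEMONIC: text) and triage them."""
import re
from collections import Counter, namedtuple

# IOS severity levels; 0 is the most severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Optional "seq: " and "*timestamp: " prefixes, then the %FACILITY-SEVERITY-MNEMONIC header.
MESSAGE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?:[*.]?(?P<timestamp>[^%]*?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$"
)

SyslogMessage = namedtuple("SyslogMessage", "seq timestamp facility severity mnemonic text")

# Constructed sample lines in IOS syslog format (sample data, not captured from a device).
SAMPLE_LINES = [
    "*Mar  1 00:02:13.775: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:05:40.102: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down",
    "*Mar  1 00:05:41.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, "
    "changed state to down",
    "000042: *Mar  1 00:09:02.511: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/7 "
    "with BPDU Guard enabled. Disabling port.",
    "000043: *Mar  1 00:09:02.512: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, "
    "putting Fa0/7 in err-disable state",
    "garbage line that is not a syslog message",
]


def parse_line(line):
    """Return a SyslogMessage, or None for lines that are not IOS syslog messages."""
    match = MESSAGE_RE.match(line.strip())
    if not match:
        return None
    return SyslogMessage(match["seq"], match["timestamp"], match["facility"],
                         int(match["severity"]), match["mnemonic"], match["text"])


def parse_lines(lines):
    """Parsed messages only; unparseable lines are dropped."""
    return [m for m in map(parse_line, lines) if m is not None]


def at_or_above(lines, level):
    """Messages at severity `level` or more severe (numerically <= level)."""
    return [m for m in parse_lines(lines) if m.severity <= level]


def change_events(lines):
    """%SYS-5-CONFIG_I notifications: severity 5 only, but they record who changed
    the device configuration and from where, so they deserve their own feed."""
    return [m for m in parse_lines(lines) if (m.facility, m.mnemonic) == ("SYS", "CONFIG_I")]


def facility_counts(lines):
    """How many messages each facility produced, a quick way to spot a noisy subsystem."""
    return Counter(m.facility for m in parse_lines(lines))


if __name__ == "__main__":
    for m in at_or_above(SAMPLE_LINES, 4):
        print(f"{m.timestamp} {SEVERITY_NAMES[m.severity]:>13} {m.facility}-{m.mnemonic}: {m.text}")
    for m in change_events(SAMPLE_LINES):
        print("config change:", m.text)
    print(facility_counts(SAMPLE_LINES))
```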
SNMP
An SNMP manager collects information from SNMP agents residing on network devices, either through regular polling or by event-generated traps. The information is stored on the local device in a Management Information Base (MIB). Access to the MIB is controlled by SNMP community strings. Access can be read-only (RO) or read-write (RW). There are three versions of SNMP.
called a responder. IP SLA probes can simulate various types of traffic, such as HTTP, FTP, DHCP, UDP jitter, UDP echo, HTTP, TCP connect, ICMP echo, ICMP path echo, ICMP path jitter, and DNS, and can report statistics such as path jitter. It has highly granular application configuration options such as TCP/UDP port numbers, TOS byte, and IP prefix bits.
Chapter 6 First Hop Redundancy

Specifying a default gateway leads to a single point of failure. Proxy Address Resolution Protocol (ARP) is one method for hosts to dynamically discover gateways, but it has issues in a highly available environment. With Proxy ARP:
- Hosts ARP for all destinations, even remote.
- Router responds with its MAC.
- Problem: Slow failover because ARP entries take minutes to timeout.
The Active router forwards traffic. The Standby is backup. The standby monitors periodic hellos (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router. On failure, the standby device starts answering messages sent to the IP and MAC addresses of the virtual router. The active router is chosen because it has the highest HSRP priority (default priority is 100).
Configuring HSRP
To begin configuring HSRP, use the standby group-number ip virtual-IP-address command in interface configuration mode. Routers in the same HSRP group must belong to the same subnet/virtual LAN (VLAN). Give this command under the interface connecting to that subnet or VLAN. For instance, use the following to configure the router as a member of HSRP group 39 with virtual router IP address 10.0.0.
[ 75 ] Tracking an interface can trigger an election if the active router is still up but a critical interface (such as the one to the Internet) is down. In the following, if serial 1/0/0 is down, the router's HSRP priority is decremented by 100 (the default decrement value is 10):
Router(config-if)# standby 39 track s1/0/0 100
Another way to track an indirect connection is to use IP SLA (described in Chapter 5).
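The election and tracking rules above, as an added example written for this page (not the book's or Cisco's code): a small Python model in which the highest effective priority wins, a tracked interface that is down subtracts its decrement, and a router whose hellos stop drops out of the election. It assumes preemption is enabled and breaks priority ties on the highest real IP address; neither point is covered on this page, and the router names and addresses are constructed.

```python
"""HSRP election with interface tracking (added example, not the book's code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

HSRP_DEFAULT_PRIORITY = 100   # per the text: default priority is 100
HSRP_DEFAULT_DECREMENT = 10   # per the text: default track decrement is 10


@dataclass
class HsrpRouter:
    name: str
    ip: str                          # real interface address on the shared subnet
    priority: int = HSRP_DEFAULT_PRIORITY
    tracks: dict = field(default_factory=dict)          # interface -> decrement
    down_interfaces: set = field(default_factory=set)
    alive: bool = True               # False once the standby stops hearing hellos

    def track(self, interface: str, decrement: int = HSRP_DEFAULT_DECREMENT):
        """Models 'standby <group> track <interface> [decrement]'."""
        self.tracks[interface] = decrement

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        lost = sum(dec for intf, dec in self.tracks.items() if intf in self.down_interfaces)
        return max(0, self.priority - lost)


def elect_active(routers):
    """Router that becomes Active, or None when no member is sending hellos.

    Assumption: preemption is enabled, so a priority change triggers a new
    election, and ties go to the highest real IP address (standard HSRP
    behaviour, but not stated on this page).
    """
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))


def demo():
    """The book's scenario: group 39 with 'standby 39 track s1/0/0 100' on R1."""
    r1 = HsrpRouter("R1", "10.0.0.2", priority=150)   # constructed addresses
    r2 = HsrpRouter("R2", "10.0.0.3", priority=120)
    r1.track("s1/0/0", decrement=100)
    before = elect_active([r1, r2]).name       # R1: 150 beats 120
    r1.down_interfaces.add("s1/0/0")           # R1's Internet link fails
    after = elect_active([r1, r2]).name        # R1 drops to 50, R2 takes over
    r2.alive = False                           # R2 itself fails (hellos stop)
    recovered = elect_active([r1, r2]).name    # R1 is active again at priority 50
    return before, after, recovered


if __name__ == "__main__":
    print(demo())
```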
[ 76 ] The VRRP Master router forwards traffic. The master is chosen because it owns the real address or because it has the highest priority (the default is 100). If a real interface address is used as the virtual address, the owner of that address must be the master. A Backup router takes over if the master fails, and there can be multiple backup routers. They monitor periodic hellos multicast by the master to 224.0.0.
[ 77 ] Because the backup routers hear the hellos from the master, they can learn its timers; to set this on the backup routers, use the following command:
Router(config-if)# vrrp 39 timers learn
VRRP cannot track interfaces, but it can track IP SLA object groups.
GLBP
One issue with both HSRP and VRRP is that only the primary router is in use; the others must wait for the primary to fail before they are used.
[ 78 ] The actual router used by a host is its Active Virtual Forwarder (AVF). GLBP group members multicast hellos every 3 seconds to IP address 224.0.0.102, UDP port 3222. If one router goes down, another router answers for its MAC address. Configure GLBP with the interface command glbp group-number ip virtual-IP-address, as shown:
Router(config-if)# glbp 39 ip 10.0.0.
[ 79 ]
Chapter 7 Campus Network Security
Attention has traditionally been paid to network perimeter security, such as firewalls, and to mitigating Layer 3 attacks. However, networks must be protected against Layer 2 attacks, too. These are launched from devices inside the network, by either a rogue device or a legitimate device that has been compromised.
[ 80 ]
MAC Address-Based Attacks
Common MAC address-based attacks rely on flooding the CAM table and can be mitigated by using port security and port-based authentication.
MAC Address Flooding
In a MAC address flooding attack, the attacker fills the switch's Content Addressable Memory (CAM) table with invalid MAC addresses.
[ 81 ]
TABLE 7-1 Port Security Commands
Command                                   Description
switchport port-security                  Enables port security on that interface.
switchport port-security maximum value    Specifies the maximum number of MAC addresses allowed on this port. Default is 1.
[ 82 ]
Maximum MAC Addresses    : 2
Total MAC Addresses      : 0
Configured MAC Addresses : 0
Sticky MAC Addresses     : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Port-Based Authentication
802.1x authentication requires a computer (called a client) to be authenticated before it is allowed access to the LAN.
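How the port-security maximum bounds a MAC flooding attempt, as an added example written for this page (not the book's or IOS code): a Python model of one access port that learns secure addresses up to the configured maximum and counts everything beyond it as a violation, then reports the same counters the show output above lists. The violation modes protect, restrict and shutdown are real IOS options but are not listed on this page, so their modelled behaviour is a simplification; the interface name and MAC addresses are constructed.

```python
"""Port-security model for one access port (added example, not the book's code)."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    interface: str
    maximum: int = 1                  # switchport port-security maximum (default 1)
    violation: str = "shutdown"       # IOS modes protect | restrict | shutdown (not on this page)
    sticky: bool = False              # learned MACs are also written to the config
    secure_macs: set = field(default_factory=set)
    sticky_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    last_source: tuple = ("0000.0000.0000", 0)

    def frame_in(self, src_mac: str, vlan: int) -> bool:
        """True if the frame is forwarded, False if port security drops it."""
        if self.err_disabled:
            return False
        self.last_source = (src_mac, vlan)
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # learn it as a secure address
            if self.sticky:
                self.sticky_macs.add(src_mac)
            return True
        # Limit reached and the source is unknown: a security violation.
        if self.violation != "protect":            # protect drops silently
            self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True               # port goes err-disabled
        return False

    def show(self) -> dict:
        """The counters shown by 'show port-security interface'."""
        return {
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Sticky MAC Addresses": len(self.sticky_macs),
            "Last Source Address:Vlan": f"{self.last_source[0]}:{self.last_source[1]}",
            "Security Violation Count": self.violation_count,
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
        }


def flood_demo(mode: str = "restrict", attempts: int = 1000):
    """Constructed scenario: one real host, then 1000 bogus source MACs on a port allowing 2."""
    port = PortSecurity("Fa0/5", maximum=2, violation=mode)
    port.frame_in("0011.2233.4455", 10)
    accepted = sum(port.frame_in(f"{i:04x}.dead.beef", 10) for i in range(attempts))
    return accepted, port.show()
```

With restrict, the CAM table never grows past two entries on that port and the violation counter records the flood; with shutdown, the first violation err-disables the port.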
[ 83 ]
Table 7-2 Configuring 802.1x Port Authentication
Command                                                                          Description
(config-if)#dot1x port-control [auto | force-authorized | force-unauthorized]    Enables 802.1x authentication on an interface of the switch and sets the default port state.
show dot1x                                                                       Verifies 802.1x authentication.
VLAN-Based Attacks
VLAN-based attacks include VLAN hopping, in which a station can access a VLAN other than its own.
[ 84 ]
802.1Q Double-Tagging
A double-tagging attack is possible because 802.1Q trunking does not tag frames from the native VLAN. In this attack, the attacking computer negotiates a trunk port between itself and the switch and then generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port, and the second matches the VLAN of a host it wants to attack, as shown in Figure 7-1.
[ 85 ]
VACLs
Cisco switches support various kinds of ACLs:
• Traditional Router ACL (RACL)
• QoS ACL
• VACL
VLAN access control lists (VACL) are similar to route-maps because they are composed of statements that contain match and set conditions. In a VACL, the "set" conditions are called "actions." Actions include forward, drop, and redirect. Like route-maps, VACL statements are numbered for ordering.
[ 86 ]
Private VLANs
Private VLANs (PVLAN) enable large companies or service providers to isolate users into separate multiaccess domains. Using a separate VLAN for each group is not scalable. For instance, the switch's maximum number of VLANs would limit the number of customers an ISP can have. Each VLAN also requires a separate IP subnet, which could be a further limiting factor.
[ 87 ]
Table 7-3 Configuring Private VLANs
Command                                             Description
private-vlan association secondary_vlan_list        Associates secondary VLANs with the primary one. Separate the secondary VLAN numbers with a comma, no spaces.
switchport mode private-vlan {host | promiscuous}   Configures a port as either a host port (for community or isolated VLANs) or a promiscuous port.
[ 88 ]
Spoof Attacks
Spoof attacks include DHCP spoofing, MAC address spoofing, and ARP spoofing.
DHCP Spoofing
Note: Configuring DHCP snooping is user impacting, because the switch drops all DHCP requests until the ports are configured. Do this during off hours or during a maintenance window.
[ 89 ] Enable IP Source Guard for both IP and MAC addresses on host access interfaces with the command ip verify source port-security.
ARP Spoofing
In an ARP spoofing attack, the attacker sends out gratuitous (unsolicited) ARP messages giving the IP address of the local default gateway, with its own MAC address as the Layer 2 address.
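How the DHCP snooping binding table serves both IP Source Guard and the ARP check that stops the gateway-spoofing gratuitous ARP above, as an added example written for this page (not the book's or IOS code): a Python model of the binding table (MAC, IP, VLAN, port), an IPSG check in the ip verify source port-security form (source IP and source MAC must both match), and a Dynamic ARP Inspection check on the sender fields of an ARP packet. Port names, addresses and the binding entries are constructed.

```python
"""DHCP-snooping bindings feeding DAI and IP Source Guard (added example, not the book's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingTable:
    """Binding table that DHCP snooping builds from DHCP ACKs seen on untrusted ports."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)     # uplinks and DHCP-server ports
        self.bindings = {}                    # (vlan, port) -> set of Binding

    def learn(self, b: Binding):
        self.bindings.setdefault((b.vlan, b.port), set()).add(b)

    def lookup(self, vlan, port):
        return self.bindings.get((vlan, port), set())

    def arp_inspect(self, vlan, port, sender_mac, sender_ip, gratuitous=False):
        """Dynamic ARP Inspection: ('permit'|'drop', reason) for an ARP packet's sender fields."""
        if port in self.trusted:
            return "permit", "trusted port"
        for b in self.lookup(vlan, port):
            if b.mac == sender_mac and b.ip == sender_ip:
                return "permit", "matches binding"
        kind = "gratuitous ARP" if gratuitous else "ARP"
        return "drop", f"{kind} from {sender_mac} claiming {sender_ip}: no binding on {port}"

    def ip_source_guard(self, vlan, port, src_mac, src_ip):
        """IPSG as 'ip verify source port-security': source IP and source MAC must both match."""
        if port in self.trusted:
            return "permit", "trusted port"
        for b in self.lookup(vlan, port):
            if b.ip == src_ip and b.mac == src_mac:
                return "permit", "matches binding"
            if b.ip == src_ip:
                return "drop", f"IP {src_ip} is bound to {b.mac}, not {src_mac}"
        return "drop", f"no binding for {src_ip} on {port}"


def demo():
    """Constructed scenario: the gateway-spoofing gratuitous ARP the text describes."""
    table = SnoopingTable(trusted_ports={"Gi0/1"})
    table.learn(Binding("0011.2233.4455", "10.0.0.50", 10, "Fa0/5"))
    legit = table.arp_inspect(10, "Fa0/5", "0011.2233.4455", "10.0.0.50")
    # The host on Fa0/5 announces the gateway address 10.0.0.1 with its own MAC.
    spoof = table.arp_inspect(10, "Fa0/5", "0011.2233.4455", "10.0.0.1", gratuitous=True)
    # The same host sends IP traffic with a source address it was never leased.
    forged = table.ip_source_guard(10, "Fa0/5", "0011.2233.4455", "10.0.0.99")
    return legit[0], spoof[0], forged[0]
```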
[ 90 ]
• Use SSH instead of Telnet.
• Physically secure access to the device.
• Use banners that warn against unauthorized access.
• Remove unused services, such as finger, the TCP and UDP small servers, service config, and the HTTP server.
• Set up and monitor Syslog.
• Disable automatic trunking on all nontrunk ports.
• Disable CDP on ports where it is not needed.
[ 91 ]
Chapter 8 Voice and Video in a Campus Network
Voice over IP (VoIP) has become common in the business world, and now Video over IP is becoming more integrated into networks. Neither should be added to a network without advance planning to ensure good voice and video quality.
[ 92 ] Data requirements typically include high bandwidth, but delay and jitter are not crucial. A highly available network is needed, but PoE is not. Data security should be high, with medium management levels.
[ 93 ]
FIGURE 8-1 Some Components of a VoIP System (figure labels: Unity Server, UCM Server, Video Conferencing Camera, WAN, User PC, IP Phone, Power over Ethernet Switch, Voice and WAN Gateway, PSTN)
VoIP traffic consists of two types: voice bearer and call control signaling. Voice bearer traffic is carried over the UDP-based Real Time Protocol (RTP).
[ 94 ]
• Electrical power for the IP phones: Use either PoE from a Catalyst switch or power inline module, or a power brick.
• Bandwidth: Commit no more than 75 percent of bandwidth. Consider all types of traffic: voice, video, and data. Have more than enough bandwidth if possible. Include both voice and call-control traffic in your planning.
[ 95 ] Cisco IP phones have a small internal switch that places an 802.1Q tag on voice traffic and marks the Class of Service (CoS) bits in the tag. Data traffic is sent untagged over the native VLAN. The switch port does not actually become a trunk and can still be configured as an access port. It is considered a multi-VLAN access port.
[ 96 ]
• Allows service to be tailored to network needs
• Allows mission-critical applications to share the network with other data
People sometimes think that there is no need for QoS strategies in a LAN.
[ 97 ]
• Dropping: Normally interface queues accept packets until they are full and then drop everything after that. You can implement prioritized dropping so that less important packets are dropped before more important ones, such as with Weighted Random Early Detection (WRED).
DSCP Values
Differentiated services provide levels of service based on the value of certain bits in the IP header or the 802.
[ 98 ] Voice bearer traffic uses an Expedited Forwarding value of DSCP 46 to give it higher priority within the network.
Trust Boundaries
When IP traffic comes in already marked, the switch has some options about how to handle it. It can:
• Trust the DSCP value in the incoming packet, if present.
• Trust the IP Precedence value in the incoming packet, if present.
[ 99 ]
4. Fast Convergence: To enhance high availability, tune the routing and HSRP/VRRP/GLBP timers.
5. Test Plan: Test the voice implementation thoroughly before converting users to it. Check that both the phone and PC get the correct IP addresses, that the phone registers with the UCM, and that calls to and from the phone succeed.
[ 100 ]
Using AutoQoS
When AutoQoS is enabled, the switch configures its interfaces based on a best-practices template. AutoQoS has the following benefits:
• Automatically discovers and classifies network applications.
• Creates QoS policies for those applications.
• Configures the switch to support Cisco IP phones and network applications.
Manual configuration can also be done afterward.
[ 101 ]
Video over IP
Video traffic roughly falls into one of three categories: many-to-many, many-to-few, and few-to-many. Many-to-many includes interactive video, such as Telepresence, Webex, desktop video conferencing, and other peer-to-peer video and collaboration applications. The data flow is client-to-client or MCU-to-client.
[ 102 ]
Chapter 9 Wireless LANs in a Campus Network
Wireless LANs (WLAN) transmit and receive data using radio or infrared signals sent through an access point (AP), and are not usually required to have radio frequency (RF) licenses. WLANs are local to a building or a campus and are an extension of the wired network.
[ 103 ] The Cisco Compatible Extensions Program tests other vendors' devices for compatibility with Cisco wireless products. Using products certified by this program ensures full functionality of Cisco enhancements and proprietary extensions.
Characteristics of Wireless LANs
WLANs function similarly to Ethernet LANs, with the access point providing connectivity to the rest of the network as a switch would.
[ 104 ]
Service Set Identifiers (SSID)
An SSID maps to a VLAN and can be used to segment users into groups requiring different security or QoS treatment. SSIDs can be broadcast by the access point or statically configured on the client, but the client must have the same SSID as the AP to register with it. SSID names are case sensitive.
[ 105 ]
Client Connectivity
Clients associate with an access point as follows. Access points send out beacons announcing information such as the SSID, unless configured not to.
Step 1. The client sends a probe request and listens for beacons and probe responses.
Step 2. The AP sends a probe response.
Step 3. The client initiates an association to the AP. 802.
[ 106 ]
Cisco Wireless Network Components
Cisco supports two types of wireless solutions: one using autonomous access points, and one using lightweight (or "dumb") access points in combination with WLAN controllers. The wired network infrastructure is the same for both types: switches and routers.
[ 107 ]
Lightweight Access Points
Lightweight APs divide the 802.11 processing between the AP and a Cisco Wireless LAN Controller (WLC). This is sometimes called "split MAC," because they split the functions of the MAC layer (Layer 2). Their management components also include the Wireless Control System (WCS) and a location-tracking appliance. Redundancy consists of multiple WLCs.
[ 108 ]
Step 3. The WLCs respond with an LWAPP or CAPWAP Discovery Response that includes the number of APs currently associated to each controller.
Step 4. The AP sends a Join Request to the WLC with the fewest APs associated to it.
Step 5. The WLC responds with a Join Response message; the AP and the controller mutually authenticate each other and derive encryption keys to be used with future control messages.
[ 109 ]
Wireless LAN Controllers
Cisco WLAN controllers can be an appliance, a module, or integrated into a 3750G switch. In the appliance line, the 5500 series is meant for large deployments and, as of this writing, supports up to 250 APs. The 4400 series is for medium-sized deployments and supports from 12 to 100 APs. The 2100 series is for small deployments and supports from 6 to 25 APs.
[ 110 ]
Integrating Wireless into the LAN
This section covers configuring your switches for wireless APs and controllers, and planning your installation.
Switch Configuration
When the switch port connects to a stand-alone AP, configure it as an access port if the AP has only one VLAN and as a trunk port if it has multiple VLANs. Trust CoS if the link is a trunk.
[ 111 ]
Planning for a Wireless Implementation
In planning a wireless implementation, first gather requirements.
CCNP SWITCH Quick Reference Feedback Information Denise Donohue At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Copyright © 2010 Pearson Education, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA All rights reserved.