Campus Wired LAN Technology Design Guide April 2014
Preface Cisco Validated Designs (CVDs) provide the foundation for systems design based on common use cases or current engineering system priorities. They incorporate a broad set of technologies, features, and applications to address customer needs. Cisco engineers have comprehensively tested and documented each CVD in order to ensure faster, more reliable, and fully predictable deployment.
CVD Navigator The CVD Navigator helps you determine the applicability of this guide by summarizing its key elements: the use cases, the scope or breadth of the technology covered, the proficiency or experience recommended, and CVDs related to this guide. This section is a quick reference only. For more details, see the Introduction.
Proficiency
This guide is for people with the following technical proficiencies—or equivalent experience:
• CCNA Routing and Switching—1 to 3 years installing, configuring, and maintaining routed and switched networks
Introduction
The Campus Wired LAN Technology Design Guide describes how to design wired network access with ubiquitous capabilities that scale from small environments (for instance, those with one to just a few LAN switches) to a large, campus-size LAN. Resiliency, security, and scalability are included to provide a robust communications environment.
This design guide enables the following network capabilities when connecting wired devices to an organization’s network:
• Consistent end user and network administrator experience—Uses a consistent design methodology so that small remote sites with just a few Ethernet connections can use the same access switch configurations as large campus Ethernet designs
• Network security—Protects the network and users from malicious attacks by applying security using Catalyst Infrastructure Security F
Use Case: Enhancing LAN Capacity and Functionality As the needs of an organization change, the network should be able to be refreshed easily to adapt and support the new requirements for LAN capacity and functionality delivered.
A hierarchical LAN design includes the following three layers:
• Access layer—Provides endpoints and users direct access to the network.
• Distribution layer—Aggregates access layers and provides connectivity to services.
• Core layer—Provides connections between distribution layers for large environments.
Figure 1 - LAN hierarchical design [figure: Core, Distribution, and Client Access layers]
Each layer—access, distribution, and core—provides different functionality and capability to the network.
Access Layer
The access layer is where user-controlled devices, user-accessible devices, and other end-point devices are connected to the network. The access layer provides both wired and wireless connectivity and contains features and services that ensure security and resiliency for the entire network.
Device Connectivity
The access layer provides high-bandwidth device connectivity. Once expensive options, high-bandwidth access technologies like Gigabit Ethernet and 802.11n and 802.
Distribution Layer The distribution layer supports many important services for the LAN. The primary function is to serve as an aggregation point for multiple access layer switches in a given location or campus, and serve as the demarcation between the layer-2 switching and layer-3 routing functions in this design.
Flexible Design
The distribution layer provides connectivity to network-based services, to the WAN, and to the Internet edge, either directly connected or connected through a core layer. Network-based services can include, but are not limited to, Wide Area Application Services (WAAS) and wireless LAN controllers.
Larger LAN designs require a dedicated distribution layer for network-based services versus sharing connectivity with access layer devices. As the density of WAN routers, WAAS controllers, Internet edge devices, and wireless LAN controllers grows, the ability to connect to a single distribution layer switch becomes hard to manage.
In environments where multiple distribution layer switches exist in close proximity and where fiber optics provide the ability for high-bandwidth interconnect, a core layer reduces the network complexity, as shown in the following two figures.
Figure 6 - LAN topology with a core layer [figure]
Figure 7 - LAN topology without a core layer [figure]
The core layer of the LAN is a critical part of the scalable network, and yet it is one of the simplest by design.
Quality of Service (QoS)
Real-time communication traffic is very sensitive to delay and drop. The network must ensure that this type of traffic is handled with priority so that the stream of audio or video is not interrupted. QoS is the technology that answers this need. QoS allows an organization to define different traffic types and to create more deterministic handling for real-time traffic.
Access Layer Design Overview
The access layer is the point at which user-controlled and user-accessible devices are connected to the network and it is the one architecture component that is found in every LAN.
Infrastructure Security Features
Because the access layer is the connection point between network-based services and client devices, it plays an important role in protecting other users, the application resources, and the network itself from human error and malicious attacks.
Figure 8 - DHCP snooping and Dynamic ARP inspection [figure: untrusted client interfaces 1/1 (MAC AA, IP 10.4.10.10) and 1/2 (MAC DD, IP 10.4.10.20); trusted interface 1/24 to the DHCP server (10.4.200.10); a DHCP ACK or bad source IP on an untrusted interface is checked against the DHCP snooping binding table of port, MAC, and IP]
DAI uses the data generated by the DHCP snooping feature and intercepts and validates the IP-to-MAC address relationship of all ARP packets on untrusted interfaces.
To support the increasing requirements of devices powered by the network, all of the access layer devices support the IEEE 802.3at standard, also known as PoE+. The devices and/or line cards support all the previous implementations of PoE up to 15 watts per port as well as the new IEEE 802.3at implementation of up to 30 watts per port.
Cisco Catalyst 2960-S Series and 2960-X Series are fixed-configuration, stackable, 10/100/1000 Ethernet switches, with PoE+ and non-power-supplying versions designed for entry-level enterprise, midmarket, and remote site networks.
• Cisco FlexStack is implemented by adding a stacking module to the Cisco Catalyst 2960-S Series Switch. This enables up to four Catalyst 2960-S Series Switches to be stacked together.
Cisco Catalyst 4500E Series are modular switches that support multiple Ethernet connectivity options, including 10/100/1000 Ethernet, 100-Megabit fiber, Gigabit fiber, and 10-Gigabit fiber. The Catalyst 4500E Series Switches also have an upgradable supervisor module that enables future functionality to be added with a supervisor module upgrade while maintaining the initial investment in the chassis and the modules.
Table 1 - IP addressing for Campus Wired LAN Technology Design Guide
Address block                Access VLAN           IP addressing                   Usage
Distribution #1 10.4.0.0/20  100                   10.4.0.0/24                     Data-Access Switch 1
                             101                   10.4.1.0/24                     Voice-Access Switch 1
                             102                   10.4.2.0/24                     Data-Access Switch 2
                             103                   10.4.3.0/24                     Voice-Access Switch 2
                             Continue through 113  10.4.4.0/24—.13.0/24            alternate Data and Voice
                             115                   10.4.15.0/25                    Management
                             None                  10.4.15.128/32—10.4.15.255/32   Loopback Interfaces
                             164                   10.4.64.
PROCESS
Configuring the Access Layer
1. Configure the platform
2. Configure LAN switch universal settings
3. Configure access switch global settings
4. Configure client connectivity
5. Connect to distribution or WAN router
Procedure 1 Configure the platform
Some platforms require a one-time initial configuration prior to configuring the features and services of the switch. If you do not have a platform listed in the following steps, you can skip those steps.
Step 2: If you are configuring a stack, run the stack-mac persistent timer 0 command. This ensures that the original stack master MAC address is used by any switch in the stack that takes the stack master role after a switchover. This command does not apply to the Cisco Catalyst 3560-X Series Switch.
Switch(config)#stack-mac persistent timer 0
The default behavior when the stack master switch fails is for the newly active stack master switch to assign a new stack MAC address.
class-map match-any SCAVENGER-QUEUE
 match dscp cs1
!
policy-map 2P6Q3T
 class PRIORITY-QUEUE
  priority level 1 percent 30
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 10
  queue-limit dscp cs2 percent 80
  queue-limit dscp cs3 percent 90
  queue-limit dscp cs6 percent 100
 class MULTIMEDIA-CONFERENCING-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
 class MULTIMEDIA-STREAMING-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
 class TRANSACTIONAL-DATA-QUEUE
  bandwidth remaining percent 10
Option 3: Configure the Cisco Catalyst 4507R+E platform Step 1: For each platform, define two macros that you will use in later procedures to apply the platform-specific QoS configuration. This makes consistent deployment of QoS easier.
Step 2: When a Cisco Catalyst 4507R+E is configured with two Supervisor Engine 7L-E, 7-E, or 8-E modules, configure the switch to use Stateful Switchover (SSO) when moving the primary supervisor functionality between modules. SSO synchronizes active process information as well as configuration information between supervisor modules, which enables a fast transparent data plane failover.
Although this architecture is built without any Layer 2 loops, you should still enable spanning tree with the most up-to-date network safeguards. By enabling spanning tree, you ensure that if any physical or logical loops are accidentally configured, no actual Layer 2 loops occur.
spanning-tree mode rapid-pvst
Step 4: Enable Unidirectional Link Detection (UDLD) as the default for fiber ports.
Step 8: Enable Simple Network Management Protocol (SNMP) in order to allow the network infrastructure devices to be managed by a Network Management System (NMS), and then configure SNMPv2c both for a read-only and a read-write community string.
snmp-server community [SNMP RO name] RO
snmp-server community [SNMP RW name] RW
Step 9: If your network operational support is centralized, you can increase network security by using an access list to limit the networks that can access your device.
TACACS+ is the primary protocol used to authenticate management logins on the infrastructure devices to the AAA server. A local AAA user database is also defined on each network infrastructure device to provide a fallback authentication source in case the centralized TACACS+ server is unavailable.
tacacs server TACACS-SERVER-1
 address ipv4 10.4.48.
Step 1: Configure VLANs on the switch. Configure the data, voice, and management VLANs on the switch so that connectivity to clients, IP phones, and the in-band management interfaces can be configured. These are the most common examples, and organizations can reduce or increase VLANs for access segmentation as needed to support security systems, IP cameras, Wireless LANs, etc.
Step 4: Configure ARP inspection on the data and voice VLANs.
ip arp inspection vlan [data vlan],[voice vlan]
Step 5: Configure the Bridge Protocol Data Unit (BPDU) Guard global setting to protect PortFast-enabled interfaces.
spanning-tree portfast bpduguard default
This automatically disables any PortFast-enabled interface that receives BPDUs, protecting against an accidental topology loop that could cause data packet looping and disrupt switch and network operation.
Step 3: Enable QoS by applying the access edge QoS macro that was defined in the platform configuration procedure. This macro generates a QoS configuration appropriate for the platform.
macro apply AccessEdgeQoS
All client-facing interfaces allow for an untrusted PC and/or a trusted Cisco IP phone to be connected to the switch and automatically set QoS parameters.
Step 8: Configure DHCP snooping and ARP inspection on the interface to process 100 packets per second of traffic on the port.
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
The packets per second rate that you choose is an arbitrary rate. You may tune this value to fit your environment.
Step 9: Configure IP Source Guard on the interface. IP Source Guard is a means of preventing IP spoofing.
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
!
mls qos queue-set output 1 threshold 3 100 100 100 3200
[figure: VLAN 64 Wired Data VLAN, VLAN 69 Wired Voice VLAN, IP: 10.5.64.]
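The following model, added here as an illustration and not Cisco code, plays the Figure 8 scenario through the safeguards that Steps 4 to 9 configure: DHCP snooping builds the port/MAC/IP binding table from replies on the trusted uplink, Dynamic ARP Inspection and IP Source Guard validate untrusted ports against it, and the 100 pps limit err-disables a flooding port. Port names, bindings, and packets are constructed to mirror the figure (clients on 1/1 and 1/2, the DHCP server 10.4.200.10 behind trusted port 1/24).

```python
"""Simulation of DHCP snooping, Dynamic ARP Inspection, IP Source Guard and the
per-port rate limit as configured in this section. Added example; the sample
ports, bindings and packets below are constructed to mirror Figure 8."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int


@dataclass
class AccessSwitch:
    trusted: set                           # ports with 'ip dhcp snooping trust' / 'ip arp inspection trust'
    rate_limit_pps: int = 100              # 'ip arp inspection limit rate 100'
    bindings: dict = field(default_factory=dict)                  # untrusted port -> Binding
    err_disabled: set = field(default_factory=set)
    counters: dict = field(default_factory=lambda: defaultdict(int))
    seen: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> inspected packets

    def _rate_ok(self, port, second):
        """Inspected packets per port per second; exceeding the limit err-disables the port."""
        self.seen[(port, second)] += 1
        if self.seen[(port, second)] > self.rate_limit_pps:
            self.err_disabled.add(port)
            self.counters["errdisable"] += 1
            return False
        return True

    def dhcp_reply(self, ingress_port, client_port, client_mac, offered_ip, vlan):
        """A DHCP ACK is accepted only from a trusted port; an ACK arriving on an
        untrusted port comes from a rogue server and is dropped. Accepted ACKs
        create the binding for the client's port."""
        if ingress_port not in self.trusted:
            self.counters["rogue_dhcp_dropped"] += 1
            return False
        self.bindings[client_port] = Binding(client_mac.lower(), offered_ip, vlan)
        return True

    def arp(self, port, sender_mac, sender_ip, vlan, second=0):
        """Dynamic ARP Inspection: on untrusted ports the ARP sender MAC, IP and VLAN
        must match that port's binding. Trusted ports are not inspected."""
        if port in self.err_disabled:
            return False
        if port in self.trusted:
            return True
        if not self._rate_ok(port, second):
            return False
        b = self.bindings.get(port)
        ok = b is not None and (b.mac, b.ip, b.vlan) == (sender_mac.lower(), sender_ip, vlan)
        if not ok:
            self.counters["dai_dropped"] += 1
        return ok

    def ip_packet(self, port, src_mac, src_ip):
        """IP Source Guard ('ip verify source'): IP traffic on an untrusted port must
        carry the source IP and MAC recorded in the binding, which defeats spoofing."""
        if port in self.err_disabled:
            return False
        if port in self.trusted:
            return True
        b = self.bindings.get(port)
        ok = b is not None and (b.mac, b.ip) == (src_mac.lower(), src_ip)
        if not ok:
            self.counters["ipsg_dropped"] += 1
        return ok


def demo():
    """Run the Figure 8 scenario; returns per-packet verdicts (True = forwarded) and drop counters."""
    sw = AccessSwitch(trusted={"Gi1/24"})
    sw.dhcp_reply("Gi1/24", "Gi1/1", "AA:AA:AA:AA:AA:AA", "10.4.10.10", 10)   # legitimate leases
    sw.dhcp_reply("Gi1/24", "Gi1/2", "DD:DD:DD:DD:DD:DD", "10.4.10.20", 10)
    verdicts = {
        "ack_from_untrusted_port": sw.dhcp_reply("Gi1/2", "Gi1/1", "AA:AA:AA:AA:AA:AA", "10.4.10.99", 10),
        "arp_matching_binding": sw.arp("Gi1/1", "aa:aa:aa:aa:aa:aa", "10.4.10.10", 10),
        "arp_claiming_neighbour_ip": sw.arp("Gi1/2", "DD:DD:DD:DD:DD:DD", "10.4.10.10", 10),
        "ip_matching_binding": sw.ip_packet("Gi1/1", "AA:AA:AA:AA:AA:AA", "10.4.10.10"),
        "ip_with_spoofed_source": sw.ip_packet("Gi1/2", "DD:DD:DD:DD:DD:DD", "10.4.200.10"),
        "arp_on_trusted_uplink": sw.arp("Gi1/24", "EE:EE:EE:EE:EE:EE", "10.4.200.10", 200),
    }
    # 101 otherwise valid ARPs within one second exceed the 100 pps limit: the port is err-disabled
    flood = [sw.arp("Gi1/1", "AA:AA:AA:AA:AA:AA", "10.4.10.10", 10, second=5) for _ in range(101)]
    verdicts["arp_101st_in_one_second"] = flood[-1]
    verdicts["port_err_disabled"] = "Gi1/1" in sw.err_disabled
    return verdicts, dict(sw.counters)


if __name__ == "__main__":
    verdicts, counters = demo()
    for name, forwarded in verdicts.items():
        print(f"{name:28} {forwarded}")
    print(counters)
```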
Procedure 5 Connect to distribution or WAN router Access layer devices can be one component of a larger LAN and connect to a distribution switch, or, in the case of a small remote site, might be the only LAN device and connect directly to a WAN device. Unless the access layer device is a single fixed configuration switch connecting to a WAN router, Layer 2 EtherChannels are used to interconnect the devices in the most resilient method possible.
Cisco Catalyst 2960-S and 2960-X Series Switches do not require the switchport command, and the Cisco Catalyst 4500 does not use the logging event bundle-status command.
There is a remote possibility that an attacker can create a double 802.1Q encapsulated packet. If the attacker has specific knowledge of the 802.1Q native VLAN, a packet could be crafted such that, when it is processed, the first or outermost tag is removed as the packet is switched onto the untagged native VLAN. When the packet reaches the target switch, the inner or second tag is then processed and the potentially malicious packet is switched to the target VLAN.
Option 2: Configure EtherChannel to WAN router
If your access layer switch is a single fixed configuration switch connecting to a single remote-site router without using EtherChannel, you can skip Step 1.
Step 1: Configure EtherChannel member interfaces. When connecting to a network infrastructure device that does not support LACP, like a router, set the channel-group mode to be forced on.
Step 3: Save the running configuration that you have entered so it will be used as the startup configuration file when your switch is reloaded or power-cycled.
copy running-config startup-config
Step 4: If you have configured your access layer Cisco Catalyst 2960-S or Cisco Catalyst 3750-X switch stack for EtherChannel to the WAN router, reload your switch stack now to ensure proper operation of EtherChannel.
Example: Procedure 5, Option 2
[figure: VLAN 64 Wired Data VLAN, VLAN 69 Wired Voice VLAN, Remote Site WAN Router, VLAN 64 Management Interface, 802.1Q Trunk VLANs 64, 69]
interface GigabitEthernet 1/0/24
 description Link to WAN Router
 macro apply EgressQoS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,69
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
 spanning-tree portfast trunk
 no shutdown
Example: Procedure 5, Option 2 with EtherChannel 802.
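A configuration audit, added here as an illustration and not Cisco code, checks an IOS-style running-config against the settings this section installs on client ports and on the uplink trunk, and flags a trunk whose 802.1Q native VLAN is also one of the carried VLANs, the precondition for the double-tagging case above. The sample configuration is constructed; the native-VLAN rule assumes the trunk's native VLAN is set with switchport trunk native vlan, which this excerpt does not itself show.

```python
"""Audit of an IOS-style running-config against the access-layer hardening in this
guide. Added example, not Cisco code; SAMPLE_CONFIG is constructed for illustration."""
import re

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
ip dhcp snooping vlan 64,69
ip arp inspection vlan 64,69
!
interface GigabitEthernet1/0/1
 switchport access vlan 64
 switchport voice vlan 69
 switchport mode access
 spanning-tree portfast
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
!
interface GigabitEthernet1/0/2
 switchport access vlan 64
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description Link to WAN Router
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 64
 switchport trunk allowed vlan 64,69
 switchport mode trunk
 ip dhcp snooping trust
!
"""

# Commands the guide's global and per-port steps install; matched by prefix.
GLOBAL_REQUIRED = ["spanning-tree mode rapid-pvst", "spanning-tree portfast bpduguard default", "udld enable"]
ACCESS_REQUIRED = ["spanning-tree portfast", "ip arp inspection limit rate",
                   "ip dhcp snooping limit rate", "ip verify source"]
TRUNK_REQUIRED = ["ip arp inspection trust", "ip dhcp snooping trust"]


def parse_config(text):
    """Return (global_commands, {interface: [sub-commands]}). Sub-commands are the
    lines indented under 'interface ...'; a '!' line ends the block."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def expand_vlans(spec):
    """'64,69,100-103' -> {64, 69, 100, 101, 102, 103}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def missing(cmds, required):
    """Required commands (by prefix) absent from a command list."""
    return [cmd for cmd in required if not any(c.startswith(cmd) for c in cmds)]


def audit(text):
    """Return a list of (where, finding) tuples; an empty list means compliant."""
    global_cmds, interfaces = parse_config(text)
    findings = [("global", f"missing '{cmd}'") for cmd in missing(global_cmds, GLOBAL_REQUIRED)]
    for name, cmds in interfaces.items():
        if "switchport mode access" in cmds:
            findings += [(name, f"missing '{cmd}'") for cmd in missing(cmds, ACCESS_REQUIRED)]
        elif "switchport mode trunk" in cmds:
            findings += [(name, f"missing '{cmd}'") for cmd in missing(cmds, TRUNK_REQUIRED)]
            allowed, native = set(), 1          # 802.1Q native VLAN defaults to VLAN 1
            for c in cmds:
                m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", c)
                if m:
                    allowed = expand_vlans(m.group(1))
                m = re.fullmatch(r"switchport trunk native vlan (\d+)", c)
                if m:
                    native = int(m.group(1))
            if native in allowed:               # untagged frames land in a VLAN the trunk also carries
                findings.append((name, f"native VLAN {native} is also a carried VLAN; "
                                       "move the native VLAN to an unused VLAN"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```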
Distribution Layer Design Overview The primary function of the distribution layer is to aggregate access layer switches in a given building or campus. The distribution layer provides a boundary between the Layer 2 domain of the access layer and the Layer 3 domain that provides a path to the rest of the network. This boundary provides two key functions for the LAN. On the Layer 2 side the distribution layer creates a boundary for Spanning Tree Protocol limiting propagation of Layer 2 faults.
Traditional Distribution Layer Design Traditional LAN designs use a multitier approach with Layer 2 from the access layer to the distribution layer, where the Layer 3 boundary exists. The connectivity from the access layer to the distribution layer can result in either a loop-free or looped design. In the traditional network design, the distribution layer has two standalone switches for resiliency.
Figure 16 - Traditional looped design with VLANs spanning access switches [figure: VLAN 30 spanning the access switches, with one interface blocked by spanning tree]
Routed Access Distribution Layer Design
In another approach to access and distribution layer design, you can use Layer 3 all the way to the access layer. The benefits of this design are that you eliminate spanning tree loops and reduce protocols because the IP gateway is now the access switch.
Figure 18 - Simplified design with VLANs spanning access switches [figure: VLAN 30 spanning the access switches]
EtherChannel is a logical interface that can use a control plane protocol to manage the physical members of the bundle. It is better to run a channel protocol instead of using forced-on mode because a channel protocol performs consistency checks for interfaces programmed to be in the channel and provides protection to the system from inconsistent configurations.
Figure 19 - Two-tier collapsed LAN core design [figure: servers, server room switch stack, wireless LAN controller, WAN routers, WAN distribution switch, collapsed LAN core, firewall, Internet, client access switches]
In larger LAN locations where the access layer density, along with the number of network-service devices and WAN routers, exceeds platform density or operational complexity, additional distribution layer modules can break up the design.
Figure 20 - Network services distribution layer [figure: LAN core, LAN distribution layer, network services distribution layer with wireless LAN controller, firewall, Internet, and WAN, client access switches]
Whether the distribution layer role in your network design is serving as purely LAN access aggregation, a collapsed core, or network-services aggregation, the distribution layer configuration provides the processes and procedures to prepare this layer of the LAN for your application.
Cisco Catalyst 6500-E and 6807-XL VSS The Cisco Catalyst 6500-E and 6807-XL chassis with the Supervisor Engine 2T are the premier distribution layer platforms. Although the validation of the current release of the design includes the Cisco Catalyst 6807-XL platform in the core, the Catalyst 6500-E platform is highlighted here, with the additional validation testing for the 6807-XL in the distribution to be completed in the next release.
Cisco Catalyst 6880-X VSS
• Cisco Catalyst 6880-X VSS uses the Cisco Catalyst 6880-X Series extensible fixed aggregation switch, with the Cisco Catalyst 6500 feature set in a small form factor.
• The Cisco Catalyst 6800-X Series is a resilient chassis offering N+1 redundant fans and 1+1 resilient power supplies, along with the capability for two switches to be paired into a resilient single logical Virtual Switching System.
Cisco Catalyst 3750-X Stack
• Cisco Catalyst 3750-X is configured as a single unit, but has independent load-sharing power supplies and a processor for each switch in the StackWise Plus stack. The LAN architecture uses a pair of stacked 3750X-12S-E switches that provide Layer 2 and Layer 3 switching. The switches use Small Form-Factor Pluggable (SFP) transceivers for a port-by-port option of copper or fiber optic Gigabit Ethernet EtherChannel uplinks to access closets.
Option 1: Configure Cisco Catalyst 6500-E Virtual Switching System and 6880-X Virtual Switching System Cisco Catalyst 6500-E Virtual Switching System merges two physical 6500 switches together as a single logical switch, using a single or optionally dual Cisco Supervisor Engine 2T modules in each physical switch. Cisco Catalyst 6880-X Virtual Switching System clusters two physical 6880-X switches together as a single logical switch.
Table 4 - Example VSS connections, connecting Cisco Catalyst 6880-X chassis pair
VSS connection       VSS Switch 1 Port (PortChannel)   VSS Switch 2 Port (PortChannel)
10-Gbps, VSL 1       Ten5/5 (Po63)                     Ten5/5 (Po64)
10-Gbps, VSL 2       Ten5/13 (Po63)                    Ten5/13 (Po64)
1-Gbps, Fast-Hello   Ten5/14 (1000-Mbps)               Ten5/14 (1000-Mbps)
Tech Tip
The ports chosen for the VSL on the Cisco Catalyst 6880-X reflect a base chassis pair with no Extensible Port Cards installed.
To form a VSS pair, each switch in the pair must have a matching domain ID assigned. To support the interconnection of multiple VSS pairs, the domain ID selected for the pair should be unique. In this example, the domain number is 100. Each switch is also given a unique identifier within the domain, switch 1 or switch 2.
At this point you should be able to see that port-channel 63 and 64 are up, and both links are active on standalone switch #1 and standalone switch #2 respectively. The switches are not in VSS mode yet.
VSS-Sw1# show etherchannel 63 port
VSS-Sw2# show etherchannel 64 port
The previous two commands show the same output below.
A critical aspect of the Cisco Catalyst VSS is the control plane and data plane operating models. From a control plane standpoint the VSS uses an active-standby operating model. This means that supervisor hardware on one chassis becomes the active control plane for the entire VSS while the other supervisor hardware on the paired chassis becomes the standby. The control plane handles protocol operations like IP routing, peering, route table updates, and spanning tree BPDUs.
Step 6: Configure the system virtual MAC address. By default, the VSS system uses the default chassis-based MAC-address pool assigned to the switch that is resolved to be the active switch when the switches initialize. As a result of events such as stateful switchover, the MAC may change. Set a virtual MAC address for the VSS system so that either active supervisor will use the same MAC address pool, regardless of which supervisor is active, even across a system reload.
class-map type lan-queuing match-any MULTIMEDIA-STREAMING-QUEUE
 match dscp af31 af32 af33
class-map type lan-queuing match-any TRANSACTIONAL-DATA-QUEUE
 match dscp af21 af22 af23
 match cos 2
class-map type lan-queuing match-any BULK-DATA-QUEUE
 match dscp af11 af12 af13
class-map type lan-queuing match-any SCAVENGER-QUEUE
 match dscp cs1
 match cos 1
!
policy-map type lan-queuing 1P7Q4T
 class PRIORITY-QUEUE
  priority
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 14
  queue-buffers ratio 10
  random-detect dsc
  random-detect dscp 14 percent 70 80
  random-detect dscp 12 percent 80 90
  random-detect dscp 10 percent 90 100
 class SCAVENGER-QUEUE
  bandwidth remaining percent 2
  queue-buffers ratio 10
  random-detect dscp-based
  random-detect dscp 8 percent 80 100
 class class-default
  queue-buffers ratio 25
  random-detect dscp-based
  random-detect dscp 0 percent 80 100
  random-detect dscp 1 percent 80 100
  random-detect dscp 2 percent 80 100
  random-detect dscp 3 percent 80 100
  random-detect dscp 4 percent 80 100
  random-detect dscp
  random-detect dscp 55 percent 80 100
  random-detect dscp 57 percent 80 100
  random-detect dscp 58 percent 80 100
  random-detect dscp 59 percent 80 100
  random-detect dscp 60 percent 80 100
  random-detect dscp 61 percent 80 100
  random-detect dscp 62 percent 80 100
  random-detect dscp 63 percent 80 100
!
table-map cos-discard-class-map
 map from 0 to 0
 map from 1 to 8
 map from 2 to 16
 map from 3 to 24
 map from 4 to 32
 map from 5 to 46
 map from 6 to 48
 map from 7 to 56
!
macro name EgressQoS
 service-policy type
  random-detect cos 7 percent 90 100
 class BULK-DATA-SCAVENGER
  bandwidth remaining percent 10
  queue-buffers ratio 20
  random-detect cos-based
  random-detect cos 1 percent 80 100
 class class-default
  queue-buffers ratio 25
  random-detect cos-based
  random-detect cos 0 percent 80 100
!
macro name EgressQoSOneGig
 service-policy type lan-queuing output 1P3Q8T
@
Option 2: Configure Cisco Catalyst 4500E VSS and 4500-X VSS platforms
The Cisco Catalyst 4500E and the Cisco Catalyst 4500-X Virtual Switching Systems merge t
To form a VSS pair, each switch in the pair must have a matching domain ID assigned. To support the interconnection of multiple VSS pairs, the domain ID selected for the pair should be unique. In this example, the domain number is 105. Each switch is also given a unique identifier within the domain, switch 1 or switch 2.
The switches are not in VSS mode yet.
Verify port-channel configuration on standalone switch #1.
VSS-Sw1# show etherchannel 63 sum
The command output includes output similar to the output below.
…
Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------
63     Po63(SD)      —           Te1/30(w)    Te1/31(w)
Verify port-channel configuration on standalone switch #2.
VSS-Sw2# show etherchannel 64 sum
The command output includes output similar to the output below.
A critical aspect of the Cisco Catalyst VSS is the control plane and data plane operating models. From a control plane standpoint the VSS uses an active-standby operating model. This means that supervisor hardware on one chassis becomes the active control plane for the entire VSS while the other supervisor hardware on the paired chassis becomes the standby. The control plane handles protocol operations like IP routing, peering, route table updates, and spanning tree BPDUs.
Tech Tip By default, at the time of virtual domain configuration, the Cisco Catalyst 4500 VSS system uses a virtual MAC address for the VSS system so that either active supervisor will use the same MAC address pool, regardless of which supervisor is active, even across a system reload.
 class PRIORITY-QUEUE
  priority
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 10
 class MULTIMEDIA-CONFERENCING-QUEUE
  bandwidth remaining percent 10
 class MULTIMEDIA-STREAMING-QUEUE
  bandwidth remaining percent 10
 class TRANSACTIONAL-DATA-QUEUE
  bandwidth remaining percent 10
  dbl
 class BULK-DATA-QUEUE
  bandwidth remaining percent 4
  dbl
 class SCAVENGER-QUEUE
  bandwidth remaining percent 1
 class class-default
  bandwidth remaining percent 25
  dbl
!
macro name EgressQoS
 service-policy output 1P7Q1T
@
Step 7: Save
Step 3: To make consistent deployment of QoS easier, each distribution platform defines a macro that will be used in later procedures to apply the platform-specific QoS configuration. Since AutoQoS might not be configured on this device, manually configure the global QoS settings by running the following commands.
Procedure 2 Configure LAN switch universal settings In this design, there are features and services that are common across all LAN switches, regardless of the type of platform or role in the network. These are system settings that simplify and secure the management of the solution. This procedure provides examples for some of those settings. The actual settings and values will depend on your current network configuration.
of problems, including spanning-tree loops, black holes, and non-deterministic forwarding. In addition, UDLD enables faster link failure detection and quick reconvergence of interface trunks, especially with fiber, which can be susceptible to unidirectional failures.
udld enable
Step 6: Set EtherChannels to use the traffic source and destination IP address when calculating which link to send the traffic across.
Step 10: If your network operational support is centralized, you can increase network security by using an access list to limit the networks that can access your device. In this example, only devices on the 10.4.48.0/24 network will be able to access the device via SSH or SNMP.
access-list 55 permit 10.4.48.0 0.0.0.
Step 13: Configure a synchronized clock by programming network devices to synchronize to a local NTP server in the network. The local NTP server typically references a more accurate clock feed from an outside source. Configure console messages, logs, and debug output to provide time stamps on output, which allows cross-referencing of events in a network.
ntp server 10.4.48.
Step 3: Configure the system processes to use the loopback interface address for optimal resiliency:
snmp-server trap-source Loopback 0
ip ssh source-interface Loopback 0
ip pim register-source Loopback 0
ip tacacs source-interface Loopback 0
ntp source Loopback 0
Procedure 4 Configure IP unicast routing
The single logical distribution layer design, when configured with VSS, uses Stateful Switchover and Nonstop Forwarding to provide subsecond failover in the event of a supervisor data or control plane fa
 eigrp router-id [ip address of loopback 0]
 eigrp stub summary
 nsf
 exit-address-family
Cisco Catalyst 6500 Series Switches do not require the ip routing command because it is enabled by default on that platform.
Option 2: Configure OSPF unicast routing
Open Shortest Path First (OSPF) can be used instead of EIGRP for networks where OSPF is required for compatibility. If you configured EIGRP in the previous procedure, you can skip this option.
Figure 25 - Rendezvous point placement in the network [figure: Rendezvous Point, WAN, Multicast Source in the Data Center]
This design is based on sparse mode multicast operation.
Step 1: Configure IP Multicast routing on the platforms in the global configuration mode.
ip multicast-routing
Cisco Catalyst 3750 Series Switches instead require the ip multicast-routing distributed command.
Step 2: Configure the switch to discover the IP Multicast RP.
  passive-interface
 exit-af-interface
 network 10.4.0.0 0.1.255.255
 eigrp router-id 10.4.15.254
 eigrp stub summary
 nsf
 exit-address-family
!
Example: Procedures 3-5 with OSPF
spanning-tree portfast bpduguard default
!
interface Loopback 0
 ip address 10.4.15.254 255.255.255.255
 ip pim sparse-mode
!
snmp-server trap-source Loopback 0
ip ssh source-interface Loopback 0
ip pim register-source Loopback 0
ip tacacs source-interface Loopback 0
ntp source Loopback 0
!
ip routing
!
router ospf 100
 router-id 10.4.15.
Procedure 6 Configure IP Multicast RP (Optional) In networks without a core layer, the RP function can be placed on the distribution layer. If a core layer does exist, follow the IP Multicast Procedure 4 in the core layer section to configure the RP function. Every Layer 3 switch and router must know the address of the IP Multicast RP, including the core switches that are serving as the RP. This design uses AutoRP to announce candidate RPs, which are the core switches, to the rest of the network.
Procedure 7 Connect to access layer The resilient, single, logical, distribution layer switch design is based on a hub-and-spoke or star design. The links to access layer switches and connected routers are Layer 2 EtherChannels. Links to other distribution layers, and the optional core are Layer 3 links or Layer 3 EtherChannels. When using EtherChannel, the member interfaces should be on different switches in the stack or different modules in the modular switch for the highest resiliency.
Connect the access layer EtherChannel uplinks to separate switches in the distribution layer Virtual Switching System or stack. Also, apply the egress QoS macro that was defined in the platform configuration procedure to ensure traffic is prioritized appropriately. Cisco Catalyst 4500 and 4500-X Series Switches do not use the logging event bundle-status command.
If the interface type is not port-channel, then the additional command macro apply EgressQoS must also be configured on the interface. Next, mitigate VLAN hopping on the trunk for switch-to-switch connections. There is a remote possibility that an attacker can create a double 802.1Q encapsulated packet. If the attacker has specific knowledge of the 802.1Q native VLAN, they could create a packet such that, when it is processed, the first or outermost tag is removed as the packet is switched onto the untagged native VLAN.
If you configured the IOS DHCP server function on this distribution layer switch in Step 2 of this procedure, the ip helper-address is not needed on the VLAN interface.
Example: Access switch VLAN deployment
[Diagram 2099: VLAN 100 Data VLAN, VLAN 101 Voice VLAN, VLAN 115 Management VLAN, LAN Distribution Switch, 802.]
 no shutdown
!
interface vlan 100
 ip address 10.4.0.1 255.255.255.0
 ip helper-address 10.4.48.10
 ip pim sparse-mode
!
interface vlan 101
 ip address 10.4.1.1 255.255.255.0
 ip helper-address 10.4.48.10
 ip pim sparse-mode
!
interface vlan 115
 ip address 10.4.15.1 255.255.255.128
 ip pim sparse-mode
Procedure 8 Connect to LAN core or WAN router
Any links to connected WAN routers or a LAN core layer should be Layer 3 links or Layer 3 EtherChannels.
If the interface type is not a port-channel, then an additional command macro apply EgressQoS must also be configured on the interface. Step 2: If the routing protocol you are using is OSPF, you add the router neighbor authentication configuration to the interface. The chosen password must match the neighbor peer, and you do additional OSPF authentication configuration in a later step.
Step 4: Configure IP address summarization on the links to the core. As networks grow, the number of IP subnets or routes in the routing tables grows as well. You configure IP summarization on links where logical boundaries exist in order to reduce the amount of bandwidth, processor speed, and memory necessary to carry large route tables and to reduce convergence time around a link failure.
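A worked example of the summarization step, added here and not part of the Cisco guide: it computes the single prefix that covers the data, voice and management subnets from the access switch VLAN example, translates the EIGRP `network 10.4.0.0 0.1.255.255` wildcard into CIDR, and checks that the summary falls inside it. The helper names are my own.

```python
import ipaddress

# Added example, not part of the Cisco guide: compute the single summary that
# covers a set of access subnets (the ones from the VLAN example in this guide)
# and check it against the EIGRP `network 10.4.0.0 0.1.255.255` statement.


def summary_prefix(subnets):
    """Smallest single IPv4 prefix that contains every subnet in `subnets`."""
    nets = [ipaddress.IPv4Network(s, strict=False) for s in subnets]
    cover = nets[0]
    for net in nets[1:]:
        # Widen one bit at a time; a supernet still contains everything it
        # covered before, so earlier subnets stay inside it.
        while not cover.supernet_of(net):
            cover = cover.supernet()
    return str(cover)


def wildcard_to_prefix(address, wildcard):
    """Translate an IOS `network <address> <wildcard>` pair into CIDR.
    Only a contiguous wildcard (e.g. 0.1.255.255) maps onto one prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return str(ipaddress.IPv4Network(f"{address}/{32 - bits}", strict=False))


def summary_is_advertised(summary, address, wildcard):
    """True when the summary lies inside the EIGRP network statement, i.e.
    every interface it covers is enabled for EIGRP by that statement."""
    statement = ipaddress.IPv4Network(wildcard_to_prefix(address, wildcard))
    return ipaddress.IPv4Network(summary).subnet_of(statement)


# Data, voice and management subnets from the access switch VLAN example.
ACCESS_SUBNETS = ["10.4.0.0/24", "10.4.1.0/24", "10.4.15.0/25"]

if __name__ == "__main__":
    s = summary_prefix(ACCESS_SUBNETS)
    print(s, summary_is_advertised(s, "10.4.0.0", "0.1.255.255"))
```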
Step 6: Save the running configuration that you have entered so it will be used as the startup configuration file when your switch is reloaded or power-cycled.
copy running-config startup-config
Example: Distribution to Core PortChannel configuration—EIGRP
[Diagram 2110: Distribution to Core, Port channel]
interface Port-channel 30
 description EtherChannel Link to Core Switch
 no switchport
 ip address 10.4.40.10 255.255.255.
Example: Distribution to Core PortChannel configuration—OSPF
[Diagram 2110: Distribution to Core, Port channel]
interface Port-channel 30
 description EtherChannel Link to Core Switch
 no switchport
 ip address 10.4.40.10 255.255.255.
Core Layer
Design Overview
The core layer of the LAN is a critical part of the scalable network, yet by design it is one of the simplest. Just as the distribution layer aggregates connectivity for multiple access layer switches, the core layer aggregates connectivity when there are multiple distribution blocks. As networks grow beyond three distribution blocks in a single location, a core layer should be used to optimize the design.
In large modular and scalable LAN designs, a core layer is used to aggregate multiple user connectivity distribution layer blocks and network-services distribution layer blocks. In designs with a colocated data center, the core provides high bandwidth fan-out connectivity to the rest of the network. The core layer also serves as the connection between the Wide Area Network (WAN) and Internet edge distribution layer blocks.
• The Supervisor Engine 2T supports DFC4-A based line cards, including the WS-X6824 and WS-X6848, to provide gigabit Ethernet ports. The WS-X6724 and WS-X6748 gigabit Ethernet cards are also supported when installed with CFC or DFC4-A modules.
• The Cisco Supervisor Engine 2T-based switch enhances support for Cisco TrustSec (CTS) by providing MacSec encryption and role-based access control lists (RBACL), and delivers improved control plane policing to address denial-of-service attacks.
The following configuration example shows you how to convert two standalone Cisco Catalyst 6500 or 6807-XL switches to a Virtual Switching System (VSS). If you are migrating your switches from an existing in-service dual chassis role to a VSS system, go to www.cisco.com and search on “Migrate Standalone Cisco Catalyst 6500 Switch to Cisco Catalyst 6500 Virtual Switching System” for information that describes how to do this migration.
Reader Tip
The supported code used for this configuration and validation of all devices is listed in the appendix of this guide.
Step 2: If you are using a Cisco Catalyst 6800 or 6500 Series chassis with the Cisco Catalyst 6900 Series 40-Gigabit Ethernet Interface Module with FourX adapters to convert CFP ports into four 10-Gigabit Ethernet ports, configure the switch to enable the line card to use 10-Gigabit Ethernet functionality for the associated port-group.
On the standalone switch #1:
VSS-Sw1(config)#switch virtual domain 101
VSS-Sw1(config-vs-domain)# switch 1
VSS-Sw1(config-vs-domain)# exit
VSS-Sw1(config)#
On the standalone switch #2:
VSS-Sw2(config)#switch virtual domain 101
VSS-Sw2(config-vs-domain)# switch 2
VSS-Sw2(config-vs-domain)# exit
VSS-Sw2(config)#
Step 4: Configure the Virtual Switch Link (VSL). The VSL is a critical component of the Virtual Switching System.
The previous two commands show the same output below.
Ports in the group:
-------------------
Port: Te5/4
------------
Port state = Up Mstr In-Bndl
…
Port: Te5/5
------------
Port state = Up Mstr In-Bndl
…
Step 5: Enable virtual switch mode operation. Now that a port-channel has been established between the switches, convert each switch to virtual mode operation. At the enable prompt (that is, not in configuration mode) on each switch, enter the following commands for each switch.
The VSL allows the switches to communicate and stay in synchronization. The VSS uses the Stateful Switchover (SSO) redundancy facility to keep the control plane synchronized between the two switches. As a result, the VSS appears to devices in adjoining layers as a single switch with a single MAC address. Step 6: Configure dual-active detection mechanism.
Step 7: Configure the system virtual MAC address. By default, the VSS system uses the default chassis-based MAC-address pool assigned to the switch that is resolved to be the active switch when the switches initialize. As a result of events such as stateful switchover, the MAC may change. Set a virtual MAC address for the VSS system so that either active supervisor will use the same MAC address pool, regardless of which supervisor is active, even across a system reload.
 match cos 5
class-map type lan-queuing match-any CONTROL-MGMT-QUEUE
 match dscp cs7
 match dscp cs6
 match dscp cs3
 match dscp cs2
 match cos 3 6 7
class-map type lan-queuing match-any MULTIMEDIA-CONFERENCING-QUEUE
 match dscp af41 af42 af43
 match cos 4
class-map type lan-queuing match-any MULTIMEDIA-STREAMING-QUEUE
 match dscp af31 af32 af33
class-map type lan-queuing match-any TRANSACTIONAL-DATA-QUEUE
 match dscp af21 af22 af23
 match cos 2
class-map type lan-queuing match-any BULK-DATA-QUEUE
 match dscp af11 af12
 random-detect dscp-based
 random-detect dscp 30 percent 70 80
 random-detect dscp-based
 random-detect dscp 28 percent 80 90
 random-detect dscp-based
 random-detect dscp 26 percent 90 100
class TRANSACTIONAL-DATA-QUEUE
 bandwidth remaining percent 14
 queue-buffers ratio 10
 random-detect dscp-based
 random-detect dscp 22 percent 70 80
 random-detect dscp-based
 random-detect dscp 20 percent 80 90
 random-detect dscp-based
 random-detect dscp 18 percent 90 100
class BULK-DATA-QUEUE
 bandwidth remaining percent 6
 queue-b
Step 11: If you are using Gigabit Ethernet cards supported in VSS mode on Cisco Catalyst 6500 Supervisor Engine 2T based switches, configure an additional QoS policy for the Gigabit Ethernet ports. A separate egress QoS policy is configured to accommodate the Gigabit Ethernet cards which use a 1P3Q8T queuing architecture. This policy does not apply to the Cisco Catalyst 6880-X platforms.
Procedure 2 Configure LAN switch universal settings
In this design, there are features and services that are common across all LAN switches, regardless of the type of platform or role in the network. These are system settings that simplify and secure the management of the solution. This procedure provides examples for some of these settings. The actual settings and values depend on your current network configuration.
Step 5: Set EtherChannels to use the traffic source and destination IP address when calculating which link to send the traffic across. This normalizes the method in which traffic is load-shared across the member links of the EtherChannel. EtherChannels are used extensively in this design because of their resiliency capabilities.
port-channel load-balance src-dst-ip
Step 6: Configure DNS for host lookup.
Caution
If you configure an access-list on the vty interface, you may lose the ability to use ssh to log in from one device to the next for hop-by-hop troubleshooting.
Step 10: Configure local login and password. The local login account and password provides basic device access authentication to view platform operation. The enable password secures access to the device configuration mode. By enabling password encryption, you prevent the use of plain text passwords when viewing configuration files.
Step 12: Configure a synchronized clock by programming network devices to synchronize to a local NTP server in the network. The local NTP server typically references a more accurate clock feed from an outside source. Configure console messages, logs, and debug output to provide time stamps on output, which allows cross-referencing of events in a network.
ntp server 10.4.48.
EIGRP Unicast Routing
Enable EIGRP for the IP address space that the network will be using. If needed for your network, you can enter multiple network statements. The Loopback 0 IP address is used for the EIGRP router ID to ensure maximum resiliency. You enable router authentication for all neighbors of the core. This allows all Layer 3 devices attached to the core to form routing neighbor relationships.
Step 1: Enable IP Multicast routing on the platform in the global configuration mode.
ip multicast-routing
Step 2: Configure a second loopback interface for RP functions on the core VSS switch. All routers point to this IP address on loopback 1 for the RP. You configure the RP address from the core IP address space. Creating the RP on a second loopback interface allows for flexibility for potential RP migrations using Anycast RP operation.
Step 1: Configure the Layer 3 interface. When using an EtherChannel to connect to a distribution layer platform, the interface type will be portchannel and the number must match the channel-group number you will configure in Step 2. When configuring a Layer 3 EtherChannel the logical port-channel interface is configured prior to configuring the physical interfaces associated with the EtherChannel.
 macro apply EgressQoS
 channel-protocol lacp
 channel-group [number] mode active
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 no shutdown
Step 4: Save the running configuration that you have entered so it will be used as the startup configuration file when your switch is reloaded or power-cycled.
 exit-af-interface
 !
 topology base
 exit-af-topology
 network 10.4.0.0 0.1.255.255
 eigrp router-id 10.4.40.254
 nsf
exit-address-family
!
Example: Core to distribution port-channel configuration—OSPF
[Diagram 2110: Distribution to Core, Port channel]
interface Port-channel 30
 description EtherChannel Link to Distribution Switch
 no switchport
 ip address 10.4.40.9 255.255.255.
Appendix A: Product List
LAN Access Layer
Functional Area | Product Description | Part Numbers | Software
Modular Access Layer Switch | Cisco Catalyst 4500E Series 4507R+E 7-slot Chassis with 48Gbps per slot | WS-C4507R+E | 3.3.0XO(15.1.1XO) IP Base license
Modular Access Layer Switch | Cisco Catalyst 4500E Supervisor Engine 8-E, Unified Access, 928Gbps | WS-X45-SUP8-E | 3.3.0XO(15.1.1XO) IP Base license
Modular Access Layer Switch | Cisco Catalyst 4500E 12-port 10GbE SFP+ Fiber Module | WS-X4712-SFP+E | 3.3.0XO(15.1.1XO) IP Base license
Modular Access Layer Switch | Cisco Catalyst 4500E 48-Port 802.
LAN Distribution Layer
Functional Area | Product Description | Part Numbers | Software
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 Series 6506-E 6-Slot Chassis | WS-C6506-E | 15.
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 VSS Supervisor 2T with 2 ports 10GbE and PFC4 | VS-S2T-10G | 15.
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE Fiber Module w/DFC4 | WS-X6904-40G-2T | 15.
Appendix B: Device Configuration Files To view the configuration files from the CVD lab devices that we used to test this guide, please see the following: http://cvddocs.com/fw/215-14.
Appendix C: Changes
This appendix summarizes the changes Cisco made to this guide since its previous edition.
• We updated the validated software of all devices to the versions shown in the product list.
Feedback Please use the feedback form to send comments and suggestions about this guide. Americas Headquarters Cisco Systems, Inc. San Jose, CA Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.