© 2007 Cisco Systems, Inc. All rights reserved.
UC Commercial 1
Evolving Your Business To Unified Communications

AGENDA
8:00   Registration
8:30   Welcome, Introduction
8:45   Capabilities: discussion of your existing network
9:00   Network Requirements for Unified Communications
       Business Resiliency with HA
       Securing the Network Infrastructure, with demo
11:00  Break
       Quality of Service
12:00  Lunch Break
12:45  High Availability Demonstration: ensure the additional demands for UC uptime
1:45   Deployment Models for Unified Communications
2:20   Break
2:30   Example Unified Communications Networks: taking the next step, walk through the integration of UC
4:00   Meet the Experts: whiteboard scenarios and questions

Growth of Converged Applications
Switches Must Scale to New Evolving Levels of Service
[Figure: application growth curve. As IP Telephony, Digital Imaging, Storage Networking, Video Conferencing, Web Apps and Wireless Communications are added, the switch must deliver higher resources and higher performance.]

Evolution, NOT Revolution
[Figure: Voice, Data and Video converging on one network]
In response to current business forces, businesses are already naturally taking an "evolutionary" approach to advancing their business. They are looking to continuously and incrementally improve their business.

Evolving Solutions for Evolving Business
• Modular has a greater lifetime: only the software or the Supervisor needs an upgrade
• Evolving platform: Smartports, single chassis, free CNA GUI
• Choice of components: various chassis, power supplies, Supervisors, line cards

Why Investment Protection Matters
Architecture Designed to Evolve as Technology Evolves
Example: Catalyst 4506 with Supervisor II, breakdown of the initial investment (100%):
  Chassis                     12%
  Dual AC power                5%
  Supervisor II               15%
  6-port GBIC                  7%
  2 x 48-port 10/100          24%
  2 x 48-port 10/100/1000     27%
  8 GBICs                     10%
In this example the Supervisor II represents only 15% of the original purchase price. Upgrading ONLY the Supervisor (Supervisor II to Supervisor II-Plus) upgrades the capabilities of ALL ports, so 85% of the initial investment is maintained.

Why Platform Flexibility and Lifetime Matters
Maximize Your Investment
[Chart: cost ($) versus features over time. Fixed/low-cost competitor platforms incur a platform upgrade cost at each feature step (L2 in 1999, L3 in 2001, 10/100/1000 in 2002, 802.3af in 2003, 10GE in 2004); the Catalyst modular platform absorbs the same steps, giving capex savings.]
Effective Investments Today Provide Greater Long-term Value

Why Total Cost of Ownership (TCO) Matters
• Capital expenditure is ONE element of the total cost of a system
• Operational and opportunity costs outweigh capital expenditures
Capital expenditures*: 20%
Operational costs*: 80% (troubleshooting, maintenance, upgrading software, skilled technical staff, facilities)
Lost opportunity costs: missed or delayed business opportunities due to unavailable technologies
* Source: Momenta Research, 2003

Value in a Switch Today
Far More Than Speeds and Feeds
[Figure: drivers of the value in a switch]
• Driver: high cost of security breaches and downtime
• Driver: growing Unified Communications deployments
• Driver: network demands growing faster than IT staff
• Driver: higher network ROI requirements
• Scalability

Cisco Catalyst 4500 & 6500 Series
The Industry-Leading Modular Switching Platforms
• Delivering maximum value
• Leading scalability
• Maximum operational efficiency
• Enables faster response to evolving business opportunities

Catalyst 4500 Series
Mid-Range, Layer 2-4 Modular Switching Platform
• Scalable architecture
• Integrated voice/video/data
• Predictable performance
• Layer 2/3/4
• Standard manageability
• High-density 10/100/1000, fiber or copper
• QoS/traffic management
• Access security
• Integrated resiliency
• 10GE connectivity
[Figure: Catalyst 4500 connecting IP phones, the PSTN and Metro Ethernet]

Catalyst 4500 Series Milestones & Innovations
Aug 1998  - Invented patented TCAM technology
Jan 1999  - Catalyst 4000 Layer 2 switch
May 2000  - Cisco pre-standard PoE
Nov 2001  - Industry's first high-density 10/100/1000 line card
Jan 2002  - Second-generation IOS-based Supervisor
Jun 2003  - Patented Catalyst Integrated Security Features
Feb 2004  - IEEE PoE
Sept 2004 - Enhanced HA with SSO
Dec 2004  - Line-rate L3 10 GE Supervisor V-10GE
Mar 2005  - Catalyst 4900 Series for top of rack
Dec 2005  - Line-rate L2 10 GE Supervisor II-10GE
Oct 2006  - In Service Software Upgrades (ISSU)
[Figure: three of these milestones are marked with a Pioneer Award]

Award-Winning Cisco Catalyst 4500 and 4948 Series
Catalyst 4500 Series and Catalyst 4948 Series: "Best Enterprise Switch 2006", "Best in Test 2006" (Network World)

Catalyst 4003/4006 End of Support
Milestone: End of CatOS Software Maintenance Releases (May 3, 2006)
  Definition: the last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will NO LONGER develop, repair, maintain, or test CatOS.
Milestone: End of Routine Failure Analysis (May 3, 2006)
  Definition: the last possible date a routine failure analysis may be performed to determine the cause of product failure or defect.
Milestone: End of New Service Attachment (May 3, 2006)
  Definition: for equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract.
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_eol_notice0900aecd80324aee.html

Catalyst 4000/4500
Recommended Transition
[Figure legend: EoS (no new feature development) versus strategic direction of the platform; positioning runs from low-end through installed base to high-end]
Chassis transition/positioning
  EoS: WS-C4003, WS-C4006
  Strategic direction: WS-C4503, WS-C4506, WS-C4507R, WS-C4510R
Supervisor transition/positioning
  EoS: WS-X4012 (Sup I), WS-X4013 (Sup II), WS-X4014 (Sup III)
  Strategic direction: WS-X4013+, WS-X4013+10GE, WS-X4013+TS, WS-X4515, WS-X4516, WS-X4516-10GE
Milestones                    Cat4006 and Sup II    Cat4003, Sup I, Sup III
Internal EoS announcement     3/22/2004             12/15/2003
External EoS announcement     5/3/2004              1/26/2004
End of orderability           5/3/2005              7/26/2004
End of SW maintenance         5/3/2006              7/26/2005
End of support                5/3/2010              7/26/2009

Catalyst 4500: Innovation and Investment Protection
[Timeline 1999-2012 of features added to the same platform: Layer 2, PoE, L2/3/4, 10/100/1000, 10-GbE, SSO, NAC, NSF, CoPP, ISSU, with development continuing. The SAME LINE CARDS are used throughout: forward/backward compatibility.]

Catalyst 6500 Series
Flagship, Layer 2-7 Modular Switching
• Chassis options: 3, 4, 6, 9 and 13 slots
• Supervisor options: Sup 32, Sup 720, PFCs
• Ethernet modules: Gigabit Ethernet, 10 Gigabit Ethernet, 96-port 10/100 TX, field-upgradeable 802.3af PoE, 10/100/1000 TX, 100BASE-X (FX, BX, LX)
• WAN modules: Enhanced FlexWAN (DS0 to OC-3), Optical Service Modules (OC-3 to OC-48), Shared Port Adapters (SPAs) (DS0 to OC-192)
• Service modules: Communication Media, Network Analysis, Wireless LAN, Application Control Engine, Firewall, IPSec

Catalyst 6500 EOS - Update
Product                                           Announcement   EOS Effective   Replacement Product
WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC,
WS-X6K-S1A-MSFC2                                  9/24/04        3/25/05         WS-SUP32-GE-3B, WS-SUP32-10GE-3B
WS-C6503                                          11/1/05        11/1/06         WS-C6503-E, WS-C6504-E
WS-C6506                                          11/1/05        11/1/06         WS-C6506-E
WS-C6509                                          11/1/05        11/1/06         WS-C6509-E
WS-CDC-1300W                                      4/15/06        10/14/06        PWR-4000-DC
WS-X6K-S2-PFC2, WS-X6K-S2-MSFC2,
WS-X6K-S2U-MSFC2, WS-X6500-SFM2                   3/1/06         3/1/07          WS-SUP32-GE-3B, WS-SUP32-10GE-3B, WS-SUP720-3B
WS-X6024-10FL-MT                                  12/15/05       6/15/06         WS-X6148-FE-SFP
WS-X6324-100FX-MM                                 12/15/05       6/15/06         WS-X6148-FE-SFP
WS-X6324-100FX-SM                                 12/15/05       6/15/06         WS-X6148-FE-SFP

Catalyst 6500 Series
Evolutionary Architecture
[Timeline 1999-2010]
• 1999: introduced Catalyst 6500 with Supervisor Engine 1
• Supervisor Engine 2 with Switch Fabric Module scaling to 256G
• Distributed Forwarding Cards
• Service Modules
• 2003: Supervisor Engine 720 with IPv6, GRE, NAT and bidirectional PIM in HW
• New 67xx line cards
• PFC3B and 3BXL with MPLS support in HW
• Supervisor Engine 32 with 8x1G and 2x10G uplink options
• Application Control Engine
• 8x10G line card
• Cisco IOS Software Modularity
• Continued innovation and support through 2010

Why Invest in a Modular Platform?
Delivering a Higher Value!
Optimal platform for Unified Communications:
• Higher availability
• Higher security
• Ease of use and management
• Quality of Service

Building a Unified Communications Network
Modular Infrastructure, HA, Security, and QoS
• Access layer: auto phone detection; inline power; QoS (scheduling, trust boundary and classification); fast convergence
• Distribution layer: high availability, redundancy, fast convergence; policy enforcement; QoS (scheduling, trust boundary and classification)
• Core: high availability, redundancy, fast convergence; QoS (scheduling, trust boundary)
[Figure: hierarchical campus (Access, Distribution, Core, Distribution, Access) with Layer 3 equal-cost links, connected to the Data Center, WAN and Internet]

Network Design Seminar for Unified Communications
Unified Communications Infrastructure: High Availability & Security

Building a Unified Communications Network
Infrastructure Integration, HA, Security, and QoS
• Campus network design is evolving in response to multiple drivers
  User expectations: always-on access to communications
  Business requirements: globalization means true 7x24x365
  Technology requirements: Unified Communications
  Unexpected requirements: worms, viruses, ...
• Campus design needs to evolve to a 'resilient' model leveraging an integrated approach to High Availability, Security and Quality of Service
[Figure: the seven OSI layers (Physical through Application) alongside the campus topology]

Building a Unified Communications Network
UC integrated with Network QoS, Security and HA
• The phone contains a 3-port switch that is dynamically configured by the access switch and CallManager:
  1. Power negotiation
  2. VLAN configuration
  3. 802.1x interoperation
  4. QoS configuration
  5. DHCP
  6. CallManager registration
Sequence: the switch detects the IP phone and applies power; CDP transaction between phone and switch; IP phone placed in the proper VLAN; DHCP request and CallManager registration.
UC endpoints dynamically participate in the overall network QoS, security and core HA infrastructure.

Building a Unified Communications Network
It's more than having all three services configured
• High Availability, Quality of Service and Security are all necessary elements
• A Unified Communications network requires all three implemented in a consistent fashion
• A Resilient Unified Communications network requires all three implemented to reinforce and supplement each other
[Figure: Unified Communications at the intersection of QoS, High Availability and Embedded Security]

ESE Campus Solution Test Bed
Verified Design Recommendations
[Figure: test-bed topology with Data Center, WAN and Internet, labelled as follows]
• Total of 68 access switches (2950, 2970, 3550, 3560, 3750, 4507 SupII+, 4507 SupIV, 6500 Sup2, 6500 Sup32, 6500 Sup720) and 40 APs (1200)
• 6500 with redundant Sup720s
• Three distribution blocks: 6500 with redundant Sup720, 4507 with redundant SupV
• Three distribution blocks: 6500 with redundant Sup720s
• 7206VXR NPE-G1
• 4500 SupII+, 6500 Sup720, FWSM, WLSM, IDSM2, MWAM
• 8400 simulated hosts, 3k-10k routes
• End-to-end flows: TCP, UDP, RTP, IP multicast

Unified Communications Network
Agenda
• Resilient Network Design
  Network Resiliency
  High Availability Design Principles
  Redundancy in the Distribution Block
  Redundancy and Routing Design
  Switch Resiliency
  NSF/SSO
  ISSU & IOS Modularity
  GOLD & EEM
  Hardening the Network
  Layer 2 Security
• Quality of Service

High Availability Campus Design
Structure, Modularity and Hierarchy
• Optimize the interaction of the physical redundancy with the network protocols
  Provide the necessary amount of redundancy
  Pick the right protocol for the requirement
  Optimize the tuning of the protocol
• The network looks like this so that we can map the protocols onto the physical topology
• We want to build networks that look like this
[Figure: hierarchical campus with redundant switches, redundant Supervisors, redundant links (Layer 2 or Layer 3) and Layer 3 equal-cost links, connected to the Data Center, WAN and Internet]

Hierarchical Campus Network
Structure, Modularity and Hierarchy
[Figure: a flat, irregularly meshed campus connecting the server farm, WAN, Internet and PSTN] Not This !!

Hierarchical Campus Network
Do I Need a Core Layer?
No core: fully meshed distribution layers
• Physical cabling requirement
• Routing complexity
  Second building block: 4 new links
  Third building block: 8 new links, 12 links total, 5 IGP neighbors
  4th building block: 12 new links, 24 links total, 8 IGP neighbors

Hierarchical Campus Network
Do I Need a Core Layer?
Dedicated core switches
• Easier to add a module
• Fewer links in the core
• Easier bandwidth upgrade
• Routing protocol peering reduced
• Equal-cost Layer 3 links for best convergence
  2nd building block: 8 new links
  3rd building block: 4 new links, 12 links total, 3 IGP neighbors
  4th building block: 4 new links, 16 links total, 3 IGP neighbors

Foundations for optimal convergence
Layer 1
• Direct point-to-point fiber provides for fast failure detection
• IEEE 802.3z and 802.3ae link negotiation define the use of the Remote Fault Indicator and Link Fault Signaling mechanisms
• Bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side
• Do not disable auto-negotiation on GigE and 10GigE interfaces
• Carrier-delay
  3560, 3750 & 4500: 0 msec
  6500: leave it at the default of 50 msec
• The default debounce timer on GigE and 10GigE fiber line cards is 10 msec
• The minimum debounce for copper is 300 msec
[Figure: three stages of failure detection on a link: (1) remote IEEE fault detection mechanism, (2) line card throttling: debounce timer, (3) Cisco IOS throttling: carrier delay timer]

Foundations for optimal convergence
Layer 2 & Layer 3
• With routed interfaces a physical interface state change results in direct notification of the routing processes
• In the event of a logical L3 interface (e.g. SVI), physical events trigger L2 spanning tree changes first, which then trigger RP notification
• Indirect failures require a SW process (hellos) to detect the failure
• To improve failure detection, use routed interfaces between L3 switches
[Figure: routed link, where the L3 interface goes down directly, versus an L2 switch or VLAN interface, where an SVI sees the L2 link down and then the L3 interface down; indirect failures are detected only by hellos]

Foundations for optimal convergence
CEF Equal Cost Path Recovery
• In the recommended design the recovery from most component failures is based on L3 CEF equal-cost path recovery
• Time to restore traffic flows is based on
  Time to detect link failure
  Processing the removal of the lost routes from the SW FIB
  Updating the HW FIB
• No dependence on external events (no routing protocol convergence required)
• Behavior is deterministic
Equal-Cost Links: Link/Box Failure Does Not Require Multi-Box Interaction

Catalyst Switch
Redundancy and Protocol Interaction
Time to recover CEF paths after a link failure:
1. Link failure detection
2. Removal of the entries in the routing table
3. Update of the software CEF table to reflect the loss of the next-hop adjacencies
4. Update of the hardware tables
5. Routing protocol notification and reconvergence (the equal-cost path is already restored by steps 1-4, so forwarding does not wait for this step)

Software routing table (RIB), maintained by the routing protocol process
  Prefix           Next Hop     Interface
  10.255.0.0/16    10.10.1.1    gig 1/1
                   10.20.1.1    gig 1/2

Cisco IOS Software CEF tables
  FIB table
    Prefix           Adjacency Ptr
    10.255.0.0/16    Adj1 (gig 1/1)
                     Adj2 (gig 1/2)
  Adjacency table
    Adj1: rewrite information AA.AA.AA.AA.AA, VLAN
    Adj2: rewrite information BB.BB.BB.BB.BB, VLAN

Hardware tables: the same FIB and adjacency entries, programmed into the forwarding hardware

Equal Cost Multi-Path
Optimizing CEF Load-Sharing
• Up to eight equal-cost CEF paths are supported in HW today
• Depending on the traffic flow patterns, one algorithm may provide better load-sharing results than another
[Figure: a three-tier path where 'simple' load-sharing is used at the top and bottom tiers and 'full simple' in the middle; 70% of flows end up on one path and 30% on the other]
Catalyst 4500 load-balancing options
  Original:       Src IP + Dst IP
  Universal:      Src IP + Dst IP + Unique ID
  Include Port:   Src IP + Dst IP + (Src 'or' Dst Port) + Unique ID
Catalyst 6500 PFC3* load-balancing options
  Default:            Src IP + Dst IP + Unique ID
  Full:               Src IP + Dst IP + Src Port + Dst Port + opt.
  Full Exclude Port:  Src IP + Dst IP + (Src 'or' Dst Port)
  Simple:             Src IP + Dst IP
  Full Simple:        Src IP + Dst IP + Src Port + Dst Port

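Why the 'Unique ID' term in the Universal and Default algorithms matters is easiest to see in code. The following is an added example, not part of the original deck and not Cisco code: it models the Original (Src IP + Dst IP) and Universal (Src IP + Dst IP + Unique ID) hashes with a SHA-256 based hash (the real Catalyst hash function is different, but the effect is the same) over constructed sample flows, across a two-tier topology where an access switch picks one of two distribution switches and a distribution switch then picks one of two core uplinks. With the same hash at every tier, every flow that reached distribution switch 0 hashes to the same core uplink again, so its second uplink carries nothing; mixing a per-switch ID into the hash removes that polarization.

```python
"""Model of CEF equal-cost path selection and hash polarization.

Added example, not part of the original deck and not Cisco code. The hash is a
stand-in for the Catalyst hardware hash; the flows are constructed.
"""
import hashlib
from collections import Counter


def path_index(src_ip: str, dst_ip: str, n_paths: int, unique_id: int = 0) -> int:
    """Select one of n_paths equal-cost paths for a (src, dst) pair.

    unique_id = 0 models the 'Original' algorithm (every switch hashes the same
    way); a distinct non-zero value per switch models the 'Universal' algorithm.
    """
    key = f"{unique_id}|{src_ip}|{dst_ip}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def constructed_flows(n: int):
    """Constructed sample traffic: n host pairs between 10.1.0.0/16 and 10.2.0.0/16."""
    return [(f"10.1.{i // 250}.{i % 250 + 1}", f"10.2.{i // 250}.{i % 250 + 1}")
            for i in range(n)]


def core_link_usage(flows, per_switch_ids: bool) -> Counter:
    """Two-tier ECMP: the access switch picks distribution switch 0 or 1, and
    distribution switch 0 then picks one of its two core uplinks.

    Returns how many flows distribution switch 0 sends over each core uplink.
    """
    access_id = 11 if per_switch_ids else 0   # hypothetical per-switch IDs
    dist0_id = 22 if per_switch_ids else 0
    usage = Counter({0: 0, 1: 0})
    for src, dst in flows:
        if path_index(src, dst, 2, access_id) != 0:
            continue  # this flow was sent to distribution switch 1
        usage[path_index(src, dst, 2, dist0_id)] += 1
    return usage


if __name__ == "__main__":
    flows = constructed_flows(2000)
    print("Original algorithm  (same hash everywhere):", dict(core_link_usage(flows, False)))
    print("Universal algorithm (per-switch unique ID):", dict(core_link_usage(flows, True)))
```

The first line of output shows one core uplink idle under the Original algorithm; the second shows both uplinks in use once each switch hashes with its own ID, which is the same reason the 6500 'Default' and 4500 'Universal' options include the Unique ID term.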
Multilayer Network Design
Layer 2 Access with Layer 3 Distribution
Loop-free topology (VLANs 10, 20 and 30 each confined to one access switch):
• Each access switch has unique VLANs
• No Layer 2 loops
• Layer 3 link between distribution switches
• No blocked links
Looped topology (VLAN 30 spanning several access switches):
• At least some VLANs span multiple access switches
• Layer 2 loops
• Layer 2 and 3 running over the link between distribution switches
• Blocked links

Layer 2 Access
Layer 2 Loops and Spanning Tree
[Figure: Switch 1 and Switch 2 connected by ports 3/1 and 3/2; a frame from 0000.0000.3333 with DST MAC 0000.0000.4444 circulates between them]
• Implement physical L2 loops only when you have to
• Spanning tree protocol is very, very rarely the problem
• L2 has no native mechanism to dampen down a problem
• Utilize Rapid PVST+ for best convergence
• Take advantage of the Spanning Tree Toolkit to help prevent a problem: UDLD, Loopguard, Rootguard, BPDUguard
• Limit the size of the L2 domain

Layer 2 Loops and Spanning Tree
Spanning Tree Should Behave the Way You Expect
• The root bridge should stay where you put it: Loopguard and Rootguard, UDLD
• Only end-station traffic should be seen on an edge port: BPDU Guard, Port Security
• There is a reasonable limit to broadcast and multicast traffic volumes
  On 4500 and 6500 configure storm control on backup links to aggressively rate-limit broadcast and multicast
  Utilize Sup720 rate limiters, or Sup IV/V with the HW queuing structure
[Figure: placement in the distribution block: Rootguard and Loopguard on the links toward the STP root, Loopguard and storm control on the backup link, BPDU Guard or Rootguard with PortFast and Port Security on access edge ports]

Optimizing L2 Convergence
PVST+, Rapid PVST+ or MST
[Chart: time to restore data flows (sec), 0-35, upstream and downstream, for PVST+ versus Rapid PVST+]
• Rapid PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link up
• Rapid PVST+ also greatly improves convergence time over BackboneFast for any indirect link failures
• PVST+ (802.1D): traditional spanning tree implementation
• Rapid PVST+ (802.1w): scales to large size (~10,000 logical ports); easy to implement, proven, scales
• MST (802.1s): permits very large-scale STP implementations (~30,000 logical ports); not as flexible as Rapid PVST+

UDLD
Protecting Against One-Way Communication
• While 802.3z and 802.3ae link negotiation provide for L1 fault detection, HW ASIC failures can still occur
• UDLD provides an L2-based keepalive mechanism that confirms bidirectional L2 connectivity
• Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the port's own device/port ID, and the neighbor's device/port IDs seen by UDLD on that port
• If the port does not see its own device/port ID echoed in the incoming UDLD packets, the link is considered unidirectional and is shut down
[Figure: a fiber pair where Tx on each side should reach Rx on the other; one direction is broken]

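The echo rule above is small enough to model end to end. The following is an added example, not part of the original deck and not Cisco code: two ports exchange constructed UDLD messages (sender ID plus the neighbour IDs heard so far) over a link whose two fibre strands can be failed independently. The port whose transmit strand is dead never gets its own ID back and is the one that declares the link unidirectional; the other side hears nothing at all and, as in UDLD normal mode, can only report that the state is undetermined.

```python
"""Model of the UDLD echo check.

Added example, not part of the original deck and not Cisco code. Device and
port names are constructed; messages are dicts standing in for UDLD packets.
"""
from dataclasses import dataclass, field


@dataclass
class UdldPort:
    device_id: str
    port_id: str
    heard: set = field(default_factory=set)   # neighbour IDs received on this port
    last_rx: dict = None                      # most recent UDLD message received

    @property
    def ident(self) -> str:
        return f"{self.device_id}/{self.port_id}"

    def message(self) -> dict:
        """UDLD packet: own device/port ID plus the neighbour IDs seen here."""
        return {"sender": self.ident, "echo": set(self.heard)}

    def receive(self, msg: dict) -> None:
        self.heard.add(msg["sender"])
        self.last_rx = msg

    def state(self) -> str:
        if self.last_rx is None:
            return "undetermined"        # nothing received: cannot judge the link
        if self.ident in self.last_rx["echo"]:
            return "bidirectional"       # neighbour echoes our ID: it hears us
        return "unidirectional"          # neighbour talks but never heard us


def run_udld(a: UdldPort, b: UdldPort, a_to_b: bool, b_to_a: bool, rounds: int = 3) -> dict:
    """Exchange messages for `rounds` intervals. Each flag models one fibre
    strand; a False flag is a strand that delivers nothing."""
    for _ in range(rounds):
        msg_a, msg_b = a.message(), b.message()   # both sides transmit each interval
        if a_to_b:
            b.receive(msg_a)
        if b_to_a:
            a.receive(msg_b)
    return {a.ident: a.state(), b.ident: b.state()}


def detect(a_to_b: bool, b_to_a: bool) -> dict:
    """Run the check between two constructed ports and report each side's verdict."""
    return run_udld(UdldPort("SwitchA", "Gi1/1"), UdldPort("SwitchB", "Gi1/1"), a_to_b, b_to_a)


if __name__ == "__main__":
    print("healthy link         :", detect(True, True))
    print("A's Tx strand broken :", detect(False, True))
    print("both strands broken  :", detect(False, False))
```

The port that returns "unidirectional" is the one a real switch would err-disable; note that it is the side whose transmit path failed, which is why the check has to be enabled on both ends of every link.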
Trunk Design Considerations
Native VLAN - 802.1Q
• 802.1Q does not encapsulate (tag) the native VLAN
• Two potential problems
  Security vulnerability: with the right knowledge of the network it is possible to 'VLAN hop'
  Misconfiguration of the native VLAN can result in traffic black-holing
• Using DTP and auto-negotiating all trunks prevents misconfiguration but does not fix the security vulnerability
• Use 'dummy' native VLANs (a native VLAN with no access ports in it), or
• Enable tagging of the native VLAN on the 6500:
  Switch(config)#vlan dot1q tag native
[Figure: two switches trunked together carrying VLAN 10 (10.1.10.200) and VLAN 20 (10.1.20.200)]

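The hop the slide warns about relies on the native VLAN leaving the trunk untagged, and both remedies work by making sure a frame from an access port never crosses the trunk without its own tag. The following is an added example, not part of the original deck and not Cisco code: a byte-level model of a double-tagged frame (outer tag = the sender's access VLAN, inner tag = VLAN 20) crossing a trunk, with the two mitigations applied. The switch logic is deliberately simplified: it assumes the access port accepts a frame tagged with its own VLAN (a model assumption), that the trunk sends the native VLAN untagged unless tagging is enabled, and that the far end classifies an untagged frame into its native VLAN. The MACs come from the spanning-tree figure earlier in the deck; the payload is constructed.

```python
"""Byte-level model of 802.1Q double tagging across a trunk.

Added example, not part of the original deck and not Cisco code. Frames are
constructed; the access/trunk behaviour is a simplified model.
"""
import struct

ETHERTYPE_8021Q = 0x8100

DST_MAC = bytes.fromhex("000000004444")      # constructed endpoint MACs
SRC_MAC = bytes.fromhex("000000003333")
PAYLOAD = bytes.fromhex("0800") + b"ip packet"  # EtherType IPv4 + dummy payload


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID 0x8100, PCP 0, VID) after the MAC addresses."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame[:12] + tag + frame[12:]


def pop_tag(frame: bytes):
    """Return (vid, frame_without_tag), or (None, frame) if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]


def access_ingress(wire: bytes, access_vid: int):
    """Access port: untagged frames, and (model assumption) frames tagged with
    the port's own VLAN, are classified into access_vid with that tag removed."""
    vid, inner = pop_tag(wire)
    if vid is None or vid == access_vid:
        return access_vid, inner
    return None, wire  # tagged with some other VLAN: dropped


def trunk_egress(vid: int, frame: bytes, native_vid: int, tag_native: bool) -> bytes:
    """802.1Q trunk egress: the native VLAN leaves untagged unless tagging of the
    native VLAN is enabled (IOS: vlan dot1q tag native)."""
    if vid == native_vid and not tag_native:
        return frame
    return push_tag(frame, vid)


def trunk_ingress(wire: bytes, native_vid: int):
    """Trunk ingress: a tagged frame goes to its VID, an untagged one to native."""
    vid, inner = pop_tag(wire)
    return (native_vid, wire) if vid is None else (vid, inner)


def far_side_vlan(access_vid: int, native_vid: int, tag_native: bool) -> int:
    """VLAN that switch 2 assigns to a double-tagged frame injected on an access
    port of switch 1 (outer tag = access VLAN, inner tag = target VLAN 20)."""
    double_tagged = push_tag(push_tag(DST_MAC + SRC_MAC + PAYLOAD, 20), access_vid)
    vid, frame = access_ingress(double_tagged, access_vid)   # outer tag stripped here
    wire = trunk_egress(vid, frame, native_vid, tag_native)  # what crosses the trunk
    far_vid, _ = trunk_ingress(wire, native_vid)
    return far_vid


if __name__ == "__main__":
    print("native VLAN = access VLAN 10, untagged:", far_side_vlan(10, 10, False))  # 20
    print("dummy native VLAN 999                 :", far_side_vlan(10, 999, False))  # 10
    print("vlan dot1q tag native                 :", far_side_vlan(10, 10, True))    # 10
```

In the first case the only tag left on the wire after switch 1 strips the outer one is the inner VLAN 20 tag, so switch 2 delivers the frame into VLAN 20. With a dummy native VLAN or with `vlan dot1q tag native`, switch 1 adds a VLAN 10 tag on egress, the inner tag stays buried as payload, and switch 2 keeps the frame in VLAN 10.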
Phones & Switch Ports
Auxiliary VLAN
• During the initial CDP exchange the phone is configured with a Voice VLAN ID (VVID) on a multi-VLAN access port
• IMPORTANT: multi-VLAN access ports (MVAP) are NOT trunk ports, even though the hardware is enabled to receive dot1q frames
• MVAP ports are access ports with access, and NOT trunk, port features
• This includes support for 3rd-party phones on MVAP ports
[Figure: PC VLAN = 10 (PVID), carried as the native VLAN so no configuration changes are needed on the PC; phone VLAN = 110 (VVID), carried with 802.1Q encapsulation and 802.1p Layer 2 CoS]

EtherChannel
Link Capacity and Redundancy
• EtherChannel creates a logical link by bundling multiple physical links
  PAgP: Port Aggregation Protocol
  LACP (802.3ad): Link Aggregation Control Protocol
• Failure of a link in a bundle will affect the spanning tree link cost and may result in a topology change
• Failure of a link in a bundle 'may' trigger a Layer 3 re-route
  OSPF running on a Cisco IOS-based switch will reduce the link cost and re-route traffic
  OSPF running on a hybrid (CatOS/IOS) switch will not change the link cost and may overload the remaining links
  EIGRP may not change the link cost and may overload the remaining links
• In an L3 environment single 10 Gigabit links address both problems: increased bandwidth without routing challenges

EtherChannel Design Considerations
Static vs Dynamic EtherChannel
• Statically configuring members of an EtherChannel bundle improves convergence but . . .
• In a Layer 2 environment it is possible for misconfiguration to create a semi-loop between two switches
• This is a problem during the physical add, move and change process, not triggered by network failover events
  Traffic received on an EtherChannel bundle is not reflected back down the link
  802.1w requires bidirectional exchange of BPDUs
  Loopguard will detect the loss of BPDUs on an existing working connection
• Recommendation is auto/desirable for L2 links
• Recommendation is on/on for L3 links
[Figure: two switches with channel members set 'On' on one side and 'Off' on the other]

EtherChannel Load Balancing
Avoid Underutilizing Redundant Paths
• The network may not load-balance using the default L3 load-balancing hash
• How random are your SRC & DST IP addresses?
• Recommendation: utilize the L4 hash
• In order to optimize the load balancing of traffic over multiple links, deploy in powers of two (two, four, or eight)
• A single fat link (10GE) simplifies all of this
Example from the figure:
  L3 hash: Link 0 load 68%, Link 1 load 32%
  L4 hash: Link 0 load 52%, Link 1 load 48%
Sup720(config)# port-channel load-balance src-dst-port

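Both recommendations on this slide (use the L4 hash, deploy in powers of two) can be checked with a small model. The following is an added example, not part of the original deck and not Cisco code: it keeps the structure of EtherChannel member selection (each flow hashes into one of 8 buckets, and the buckets are spread over the member links) but uses a SHA-256 based hash in place of the proprietary Catalyst one, over constructed traffic consisting of only three server pairs carrying many TCP sessions. With few distinct IP pairs the L3 hash can only ever use three buckets, so two links end up badly unbalanced; adding the ports spreads the sessions. Independently of the hash, 8 buckets cannot be split evenly over 3 links (3:3:2), which is the reason for the powers-of-two advice.

```python
"""Model of EtherChannel member-link selection with an L3 versus L4 hash.

Added example, not part of the original deck and not Cisco code. The hash is a
stand-in for the Catalyst hardware hash; the flows are constructed.
"""
import hashlib
from collections import Counter

N_BUCKETS = 8  # Catalyst EtherChannel hashes each flow into one of 8 buckets


def hash_bucket(fields) -> int:
    """Hash the selected header fields of a flow into a bucket 0..7."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % N_BUCKETS


def bucket_shares(n_links: int) -> dict:
    """How many of the 8 buckets land on each member link (round-robin mapping)."""
    shares = Counter(b % n_links for b in range(N_BUCKETS))
    return dict(sorted(shares.items()))


def link_loads(flows, n_links: int, mode: str) -> dict:
    """Flow count per member link. mode is 'src-dst-ip' (L3 hash) or
    'src-dst-port' (L4 hash, the recommended setting)."""
    loads = Counter({i: 0 for i in range(n_links)})
    for src, dst, sport, dport in flows:
        fields = (src, dst) if mode == "src-dst-ip" else (src, dst, sport, dport)
        loads[hash_bucket(fields) % n_links] += 1
    return dict(sorted(loads.items()))


def constructed_flows():
    """Constructed traffic: three server pairs (few distinct IP pairs), each
    carrying 300 TCP sessions on distinct ephemeral source ports to port 443."""
    pairs = [("10.1.1.10", "10.2.2.20"), ("10.1.1.11", "10.2.2.20"), ("10.1.1.12", "10.2.2.21")]
    return [(s, d, 32768 + n, 443) for s, d in pairs for n in range(300)]


def max_share(loads: dict) -> float:
    """Fraction of all flows carried by the busiest member link."""
    return max(loads.values()) / sum(loads.values())


if __name__ == "__main__":
    flows = constructed_flows()
    print("L3 hash, 2 links      :", link_loads(flows, 2, "src-dst-ip"))
    print("L4 hash, 2 links      :", link_loads(flows, 2, "src-dst-port"))
    print("bucket spread, 3 links:", bucket_shares(3))
    print("bucket spread, 4 links:", bucket_shares(4))
```

With three equal IP-pair groups and two links, the L3 hash cannot do better than 600/300 and may land everything on one link; the L4 hash spreads 900 distinct sessions close to 50/50. The bucket spread for 3 links (3:3:2) shows a 37.5/37.5/25 ceiling even with a perfect hash, while 4 links get two buckets each.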
First Hop Redundancy (FHRP)
Layer 2 Access
• HSRP, GLBP and VRRP are used to provide a resilient default gateway / first-hop address to end stations
• A group of routers act as a single logical router providing first-hop router redundancy
• Protect against multiple failures: distribution switch failure, uplink failure
• HSRP, GLBP and VRRP provide millisecond timers and excellent convergence performance
• VRRP if you need multi-vendor interoperability
• GLBP facilitates uplink load balancing
[Figure: on failure of the active gateway or of the link to it, the new active gateway provides the alternate path]

First Hop Redundancy
Sub-second Timers & Preempt Delay
[Figure: R1 (FHRP active) and R2 (FHRP standby) above access switch Access-a]
HSRP config:
interface Vlan4
 ip address 10.120.4.2 255.255.255.0
 standby 1 ip 10.120.4.1
 standby 1 timers msec 250 msec 750
 standby 1 priority 150
 standby 1 preempt
 standby 1 preempt delay minimum 180
GLBP config:
interface Vlan4
 ip address 10.120.4.2 255.255.255.0
 glbp 1 ip 10.120.4.1
 glbp 1 timers msec 250 msec 750
 glbp 1 priority 150
 glbp 1 preempt
 glbp 1 preempt delay minimum 180
VRRP config:
interface Vlan4
 ip address 10.120.4.1 255.255.255.0
 ip helper-address 10.121.0.5
 no ip redirects
 vrrp 1 description Master VRRP
 vrrp 1 ip 10.120.4.1
 vrrp 1 timers advertise msec 250
 vrrp 1 preempt delay minimum 180
• Preempt delay avoids black-holing traffic when the ACTIVE gateway recovers and preempts the backup, as its upstream routing and links may not be active yet
• Recommendation: do not use sub-second timers if >150 VLANs (6500)

First Hop Redundancy with Load Balancing
Gateway Load Balancing Protocol (GLBP)
• Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address / default gateway
• When end stations ARP for the common IP address / default gateway they are given a load-balanced virtual MAC address
• Host A and host B send traffic to different GLBP peers but have the same default gateway
[Figure: subnet 10.88.1.0/24. R1 (.1) and R2 (.2) are both configured with "GLBP 1 ip 10.88.1.10" (the vIP); R1 answers with vMAC 0000.0000.0001, R2 with vMAC 0000.0000.0002. Hosts A and B (.4 and .5) each ARP for 10.88.1.10; one gets MAC 0000.0000.0001 in the ARP reply, the other MAC 0000.0000.0002.]

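The ARP-based load balancing described above, modelled end to end. This is an added example, not part of the original deck and not Cisco code: the active virtual gateway (AVG) answers each ARP for the shared virtual IP 10.88.1.10 with the next forwarder's virtual MAC in round-robin order (GLBP's default load-balancing method), so hosts A and B keep the same default gateway but send through different routers. The takeover of a failed forwarder's virtual MAC by the surviving router goes beyond the slide; it models GLBP's documented secondary virtual forwarder behaviour, which is what keeps hosts that already cached the failed router's vMAC working without a new ARP. Router names, host addresses and vMACs are taken from the figure; the rest is constructed.

```python
"""Model of GLBP gateway load balancing and virtual-MAC takeover.

Added example, not part of the original deck and not Cisco code.
"""
from dataclasses import dataclass
from itertools import cycle

VIRTUAL_IP = "10.88.1.10"


@dataclass
class Forwarder:
    name: str        # router name, e.g. R1
    real_ip: str
    vmac: str        # the virtual MAC this router owns in the GLBP group
    up: bool = True


class GlbpGroup:
    def __init__(self, forwarders):
        self.forwarders = forwarders
        self._next = cycle(forwarders)                    # round-robin pointer held by the AVG
        self.vmac_owner = {f.vmac: f for f in forwarders}  # router currently forwarding for each vMAC
        self.arp_cache = {}                               # host IP -> vM AC it was given

    def arp_reply(self, host_ip: str) -> str:
        """AVG answers an ARP request for VIRTUAL_IP with the next live forwarder's vMAC."""
        for _ in range(len(self.forwarders)):
            f = next(self._next)
            if f.up:
                self.arp_cache[host_ip] = f.vmac
                return f.vmac
        raise RuntimeError("no forwarder available")

    def router_for(self, host_ip: str) -> str:
        """Router that actually forwards a host's traffic, by the vMAC the host cached."""
        return self.vmac_owner[self.arp_cache[host_ip]].name

    def fail(self, name: str) -> None:
        """A forwarder goes down: a surviving router takes over its vMAC, so hosts
        holding that MAC in their ARP cache keep working without re-ARPing."""
        failed = next(f for f in self.forwarders if f.name == name)
        failed.up = False
        survivor = next(f for f in self.forwarders if f.up)
        for vmac, owner in list(self.vmac_owner.items()):
            if owner is failed:
                self.vmac_owner[vmac] = survivor


def build_group() -> GlbpGroup:
    """The group from the figure: R1 and R2 sharing 10.88.1.10."""
    return GlbpGroup([Forwarder("R1", "10.88.1.1", "0000.0000.0001"),
                      Forwarder("R2", "10.88.1.2", "0000.0000.0002")])


if __name__ == "__main__":
    g = build_group()
    print("A gets", g.arp_reply("10.88.1.4"), "-> forwards via", g.router_for("10.88.1.4"))
    print("B gets", g.arp_reply("10.88.1.5"), "-> forwards via", g.router_for("10.88.1.5"))
    g.fail("R2")
    print("after R2 fails, B still forwards via", g.router_for("10.88.1.5"))
```

Two points the model makes visible: the hosts never learn that more than one router exists (both resolve the same gateway IP), and after a forwarder failure the AVG stops handing out its vMAC while the survivor answers for the vMAC already in the hosts' caches.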
Routing to the Edge
Layer 3 Distribution with Layer 3 Access
• Move the Layer 2/3 demarcation to the network edge
• Upstream convergence times triggered by hardware detection of light lost from the upstream neighbor
• Beneficial for the right environment
[Figure: GLBP model (Layer 3 distribution, Layer 2 access) versus routed access (EIGRP/OSPF on every link down to the access switch). Access VLANs: VLAN 20 Data 10.1.20.0, VLAN 120 Voice 10.1.120.0, VLAN 40 Data 10.1.40.0, VLAN 140 Voice 10.1.140.0]

Routing to the Edge
Advantages, Yes in the Right Environment
[Chart: time to restore flows (sec), 0-2, upstream and downstream, for RPVST+, OSPF (12.2S) and EIGRP]
• Ease of implementation, less to get right
  No matching of STP/HSRP/GLBP priority
  No L2/L3 multicast topology inconsistencies
• Single control plane and well-known tool set: traceroute, show ip route, show ip eigrp neighbor, etc.
• Most Cisco Catalysts support L3 switching today
• EIGRP converges in <200 msec
• OSPF with sub-second tuning converges in <200 msec
• RPVST+ convergence times are dependent on GLBP/HSRP tuning
Both L2 and L3 Can Provide Sub-Second Convergence

Multilayer Network Design
Core and Distribution Routing Design
• Managing the number of routes in the network is important
• Both EIGRP and OSPF need summarization
• Map the protocol to the topology
[Chart: time to restore voice (sec), 0-3, versus number of routes in the stub area (800, 1000, 3000, 6000, 9000, 12000) on a Sup720]

EIGRP Design Rules for HA Campus
High-Speed Campus Convergence
• EIGRP convergence is largely dependent on query response times
• Minimize the number and time of query responses to speed up convergence
• Summarize distribution block routes upstream to the core
• Configure all access switches as EIGRP stub routers
• Filter routes sent down to access switches
Access switch (EIGRP stub):
router eigrp 100
 network 10.0.0.0
 eigrp stub connected
Distribution switch (summary toward the core; only a default route toward the access switches):
interface TenGigabitEthernet 4/1
 ip summary-address eigrp 100 10.120.0.0 255.255.0.0 5
router eigrp 100
 network 10.0.0.0
 distribute-list Default out <mod/port>
ip access-list standard Default
 permit 0.0.0.0

OSPF Design Rules for HA Campus
High-Speed Campus Convergence
• OSPF convergence is dependent on a number of factors
• Summarization will decrease the load and often the need for SPF calculations
  Upstream from the distribution block into the core
  Downstream from the core into the distribution block
Distribution switch (area 120 as a totally stubby area, summarized into area 0):
router ospf 100
 area 120 stub no-summary
 area 120 range 10.120.0.0 255.255.0.0 cost 10
 network 10.120.0.0 0.0.255.255 area 120
 network 10.122.0.0 0.0.255.255 area 0

OSPF Design Rules for HA Campus
High-Speed Campus Convergence
• OSPF convergence is also dependent on tuning of the OSPF timers
  Sub-second hellos
  IP dampening mechanism
  Back-off algorithm for LSA generation
  Exponential SPF back-off
router ospf 100
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80
interface GigabitEthernet1/1
 dampening
 ip address 10.120.0.205 255.255.255.254
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 4
[Chart: time to restore voice flows for default convergence, 10 msec SPF throttle, and 10 msec SPF and LSA throttle]

System Level Resiliency
Comprehensive Physical Redundancy
• Catalyst 6500 and 4500 highly redundant modular systems
  Redundant hot swappable Supervisors
  Redundant hot swappable Power Supplies
  N+1 redundant fans with hot swappable fan trays
  Hot swappable line cards
  Passive data backplane
  Redundant system clock modules
System Level Resiliency
NSF/SSO, IOS Modularity and ISSU
• Catalyst 6500 and 4500 Supervisor hardware redundancy (1+1) will leverage four key mechanisms to improve network resiliency and provide for enhanced operational change processes
  SSO—Stateful Switchover
  NSF—NonStop Forwarding
  IOS Modularity
  ISSU—In Service Software Upgrade
• Catalyst 3750 stack switch redundancy leverages two mechanisms to improve network resiliency
  Stackwise and StackwisePlus
  NSF supported as of 12.2(35)SE

[Figure: redundant supervisors providing Stateful Switchover (SSO) for L2, L3 and L4 protocols, NonStop Forwarding (NSF) for L3, and IOS Modularity and ISSU]
Supervisor Processor Redundancy
Stateful Switch Over (SSO)
• Active/standby supervisors run in synchronized mode
• Redundant supervisor is in ‘hot-standby’ mode
• Switch processors synchronize L2 port state information (e.g., STP, 802.1x, 802.1q)
• Switching HW synchronizes L2/L3 FIB, NetFlow and ACL tables
• Provides for complete system recovery in under 1 sec

[Figure: active and standby supervisors, each with SP, RP and PFC, synchronizing state across the chassis to line cards with DFCs]
Supervisor Processor Redundancy
Stateful Switch Over (SSO)

Switch#sh mod
Chassis Type : WS-C4507R
Power consumed by backplane : 40 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB0627065V
 2     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB064907TY
 3    24  10/100/1000BaseT (RJ45)                WS-X4424-GB-RJ45   JAB052406EF
<snip>
Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+-------------------
 1   Active Supervisor   SSO                 Active
 2   Standby Supervisor  SSO                 Standby hot

Switch(config)#redundancy
Switch(config-red)#mode ?
  rpr  Route Processor Redundancy
  sso  Stateful Switchover
System Resiliency
NSF Recovery (Routing Protocol Recovery)
• Non-Stop Forwarding enhancements to OSPF, EIGRP, IS-IS and BGP
• An NSF-capable router continuously forwards packets during router recovery after an SSO processor or ION process recovery
• NSF-aware and NSF-capable routers provide for transparent routing protocol recovery
  Graceful restart extensions enable neighbor recovery without resetting adjacencies
  Routing database re-synchronization occurs in the background

[Figure: NSF-aware, NSF-capable distribution switches with NSF-aware core and access neighbors]
System Resiliency
NSF OSPF Example
No Route Flaps During Recovery

Switch#*Aug 11 15:37:49: %OSPF-5-ADJCHG: Process 100, Nbr 100.1.1.1 on Vlan608 from LOADING to FULL, Loading Done
Switch#show ip ospf
<snip>
Non-Stop Forwarding enabled, last NSF restart 00:00:23 ago (took 31 secs)
<snip>
Switch#show ip ospf neighbor detail
Neighbor 100.1.1.1, interface address 172.26.197.67
<snip>
LLS Options is 0x1 (LR), last OOB-Resync 00:00:41 ago
Dead timer due in 00:00:33
<snip>

• OSPF-ADJCHG messages appear on the switches after a switchover even though no route flaps occur during an NSF switchover
System Resiliency
NSF Configuration

Switch(config)#router ospf 100
Switch(config-router)#nsf
Switch(config-router)#nsf ?
  enforce  Cancel NSF restart when non-NSF-aware neighbors detected

Switch(config)#router eigrp 100
Switch(config-router)#nsf
Switch(config-router)#timers nsf ?
  converge    EIGRP time limit for convergence after switchover
  route-hold  EIGRP hold time for routes learned from nsf peer
  signal      EIGRP time limit for signaling NSF restart

Switch(config-router)#bgp graceful-restart ?
  restart-time    Set the max time needed to restart and come back up
  stalepath-time  Set the max time to hold onto restarting peer's stale paths
  <cr>
Switch(config-router)#bgp graceful-restart

Switch(config)#router isis level2
Switch(config-router)#nsf cisco
or
Switch(config)#router isis level2
Switch(config-router)#nsf ietf
Design Considerations for NSF/SSO
Supervisor Uplinks
• Cisco Catalyst 4500: supervisor uplink ports are active and forward traffic as long as the supervisor is fully inserted
  Uplink ports do not go down when a supervisor is reset
• Cisco Catalyst 6500: both the active supervisor and the standby supervisor uplink ports are active as long as the supervisors are up and running
  Uplink ports go down when the supervisor is reset
  Best practice when using uplinks on redundant supervisors is to utilize EtherChannel, e.g. bundle 5/1 & 6/1

[Figure: supervisor uplink ports on the two supervisor slots]
• Catalyst 6500 Supervisors: all ports are active
• Catalyst 4500 Supervisor II+, Supervisor IV: 2 x GigE ports are active
• Catalyst 4500 Supervisor II+10GE: 2 x 10GE and 4 x GigE ports are active
Design Considerations for NSF/SSO
Where Does It Make Sense?
• Redundant topologies with equal cost paths provide sub-second convergence
• NSF/SSO provides superior availability in environments with non-redundant paths

[Chart: seconds of lost voice, 0 to 6, for a node failure recovered by NSF/SSO versus a link failure recovered by OSPF convergence; routing protocol convergence is dependent on IGP and tuning]
Design Considerations for NSF/SSO
Where Does It Make Sense?
• Not all IOS features are SSO aware
• As of 12.2(31)SG Catalyst 4500 supports SSO aware HSRP
• 6500 will support in H107
• HSRP doesn’t flap on Supervisor SSO switchover

[Chart: seconds of lost voice, 0 to 1, for non SSO aware HSRP versus SSO aware HSRP]
Design Considerations for NSF/SSO
Where Does It Make Sense?
• Access switch is the single point of failure in best practices HA campus design
• Supervisor failure is most common cause of access switch service outages
• Recommended design NSF/SSO provides for sub 600 msec recovery of voice and data traffic

[Chart: seconds of lost voice, 0 to 10, for NSF-enabled optimal versus NSF-enabled maximum recovery]
System Resiliency
IOS Modularity and In Service Software Upgrade
• In redundant topology standard maintenance practice is to shut down devices during upgrade and let the network converge
• IOS Modularity and ISSU provide the ability to patch or upgrade software in place without having to shut down
• In the access layer or any other single point of failure this can be a significant improvement in operational practices

[Figure: scheduled maintenance runs the network at half capacity; with ISSU all paths and switches stay active during the upgrade]
System Resiliency
In Service Software Upgrade (ISSU)
• Full image upgrade
  New features and patches
• Selective maintenance
  Patch a component
• Component Upgrade
  Add new features to existing base
Cisco IOS Software Modularity
Catalyst 6500
• Combines a network optimized microkernel with the feature subsystems and functions enterprise and metro Ethernet customers depend on:
  20+ independent processes
  Remaining feature subsystems live in Cisco IOS Base process
  Retains support for Cisco IOS features
• Whole system benefits from integrated HA infrastructure which determines best action to take for improved resiliency
• Preserves Cisco Catalyst 6500 Series benefits:
  Separate Control and Data Planes
  NSF and GOLD
  Hardware Acceleration
  Scalability

[Figure: Routing, IPFS, TCP, UDP, CDP, EEM, INETD and IOS-BASE processes running on the High Availability Infrastructure and Network Optimized Microkernel above the Catalyst 6500 hardware data plane]
Cisco IOS Software Modularity Benefits
Minimize Unplanned Downtime
If an Error Occurs in a Modular Process
• HA subsystem determines the best recovery action
  Restart a modular process
  Switchover to standby supervisor
  Remove the system from the network
• Process restarts with no impact on the data plane
  Utilizes Nonstop Forwarding (NSF) even with a single Supervisor with NSF-Aware neighbors
  State checkpointing allows quick process recovery
Traffic Forwarding Continues During Unplanned Process Restarts

[Figure: Routing, IPFS, TCP, UDP, CDP, EEM, INETD and IOS-BASE processes on the High Availability Infrastructure and Network Optimized Microkernel above the Catalyst 6500 hardware data plane]
Cisco IOS Software Modularity
Subsystem ISSU – Software Patching
Patching is always a two-step process:
1. Install the patch
   Does not change anything on the running version of code
   Can be performed for multiple patches before next step
   Verifies patch dependencies
2. Activate the patch
   All patches that are pending for install are activated at the same time
   Copy of previous code is retained for rollback purposes

[Figure: patches downloaded from CCO (http://www.cisco.com/go/pn) to a server (FTP, TFTP); step 1 'install file' copies the patch into the Catalyst 6500 flash memory, step 2 'install activate' activates it]
In Service Software Upgrade
Catalyst 4500
• Full image ISSU provides a mechanism to perform software upgrades and downgrades without taking the switch out of service
• Leverages the capabilities of NSF and SSO to allow the switch to forward traffic during supervisor IOS upgrade (or downgrade)
• Network does not re-route and no active links are taken out of service

[Figure: Catalyst 4500 chassis with line cards, the active supervisor running 12.2(xw)SG and the standby supervisor running 12.2(xy)SG]
In Service Software Upgrade
ISSU Stages
• ISSU upgrade is a 4 step process
• Possible to rollback (abort) up until you complete the 4th step (commit to final state)
• Leverages NSF/SSO to implement supervisor transition
• Requires that the two images are compatible for upgrade/downgrade processing

[Figure: initial state with both supervisors on 12.2(31)SGA; loadversion, runversion and acceptversion bring one supervisor to 12.2(31)SGA1 while the other stays on 12.2(31)SGA; abortversion returns to the initial state, commitversion reaches the final state with both supervisors on 12.2(31)SGA1]
Systems Resiliency
Proactive Fault Detection and Notification
Improved physical redundancy is not enough, intelligent system failure detection is key

[Figure: detect and isolate memory corruption, software inconsistency and system faults. Power-on Diagnostics (Supervisor, Backplane, L2 ASIC, L3 ASIC, Memory, Port) give enhanced system stability; Generic Online Diagnostics (HW/SW state, Memory, LC module, Temperature, Power supply, Fan tray) give enhanced network stability]
Generic Online Diagnostics
How Does GOLD Work?
• GOLD: Check the health of hardware components and verify proper operation of the system data plane and control plane at run-time and boot-time
• Diagnostic packet switching tests verify that the system is operating correctly:
  Is the supervisor control plane and forwarding plane functioning properly?
  Is the standby supervisor ready to take over?
  Are linecards forwarding packets properly?
  Are all ports working?
  Is the backplane connection working?
• Other types of diagnostics tests including memory and error correlation tests are also available

[Figure: diagnostic packets from the active supervisor CPU through its forwarding engine, the fabric, the standby supervisor's forwarding engine and the line cards]
Generic Online Diagnostics
Diagnostic Operation

Boot-Up Diagnostics
Run during system bootup, line card OIR or supervisor switchover; makes sure faulty hardware is taken out of service
Switch(config)#diagnostic bootup level complete

Runtime Diagnostics

Health-Monitoring
Non-disruptive tests run in the background; serves as HA trigger
Switch(config)#diagnostic monitor module 5 test 2
Switch(config)#diagnostic monitor interval module 5 test 2 00:00:15

On-Demand
All diagnostics tests can be run on demand, for troubleshooting purposes. It can also be used as a pre-deployment tool
Switch#diagnostic start module 4 test 8
Module 4: Running test(s) 8 may disrupt normal system operation
Do you want to continue? [no]: y
Switch#diagnostic stop module 4

Scheduled
Schedule diagnostics tests, for verification and troubleshooting purposes
Switch(config)#diagnostic schedule module 4 test 1 port 3 on Jan 3 2005 23:32
Switch(config)#diagnostic schedule module 4 test 2 daily 14:45
Generic Online Diagnostics
Using Diagnostics as a Pre-Deployment Tool

Cat-6500#diagnostic start module 6 test all
Module 6: Running test(s) 8 will require resetting the line card after the test has completed
Module 6: Running test(s) 1-2,5-9 may disrupt normal system operation
Do you want to continue? [no]: yes
<snip>
*Mar 25 22:43:16: SP: ******************************************************************
*Mar 25 22:43:16: SP: * WARNING:
*Mar 25 22:43:16: SP: * ASIC Memory test on module 6 may take up to 2hr 30min.
*Mar 25 22:43:16: SP: * During this time, please DO NOT perform any packet switching.
*Mar 25 22:43:16: SP: ******************************************************************
<snip> . . .

Cat-6500#diagnostic start system test all
****************************************************************
* WARNING:                                                     *
* Diagnostic System Test will disrupt normal system            *
* operation and also system required RESET after system        *
* test is done prior to normal use.                            *
<snip> . . .

Note: The Order in Which Tests Are Run Matters
• Run diagnostics first on linecards, then on supervisors
• Run packet switching tests first, run memory tests after
• Simplified CLI for system test correctly orders diagnostics - 12.2(33)SXH
Embedded Event Manager
Proactive Fault Detection and Notification
• EEM is a Cisco IOS technology that runs on the control plane. It is a combination of processes designed to monitor key system parameters such as CPU utilization, interface errors, counters, SNMP and SYSLOG events, and act on specific events or thresholds/counters that are exceeded

[Figure: EEM event detectors]
Embedded Event Manager
EEM Application Example
Upon matching the provided SYSLOG message ‘LINK-3-UPDOWN’, the switch performs the following actions:
• Display error statistics for the link that has gone down
• Start a Time Domain Reflectometry (TDR) test
• Start a GOLD Loopback test
• Send the results using a provided template to a user-configurable address

[Figure: an interface goes down because of a cable fault between two ports; EEM collects the interface error counters, runs the TDR test and the GOLD loopback test, and sends the results in an email alert]
Embedded Event Manager
Embedded Event Manager (EEM) Scripting Community
• Cisco IOS Embedded Event Manager (EEM)
  Automation
  Event driven scripts
• Cisco Beyond, an EEM scripting community
  For customers, partners, and Cisco to share EEM scripts and get best-practice examples
EEM and Cisco Beyond
http://cisco.com/go/eem
http://forums.cisco.com/eforum/servlet/EEM?page=main
Network Infrastructure Integration
Understanding Edge Security & L2 attacks
• Phone contains a 3 port switch that is configured in conjunction with the access switch and CallManager
1. Power negotiation
2. VLAN configuration
3. 802.1x interoperation
4. QoS configuration
5. DHCP
6. CallManager registration

[Figure: phone interaction with infrastructure edge security. Switch detects IP phone and applies power; CDP transaction between phone and switch; IP phone placed in proper VLAN; DHCP request and Call Manager registration]
Attack: Mac Flooding
CAM Table overflow

[Figure: hosts MAC A, MAC B and MAC C on ports 1, 2 and 3. The CAM table maps A to port 1, B to port 2 and C to port 3; the attacker on port 3 adds bogus entries Y and Z on port 3. Traffic A -> B is then flooded and the attacker reports: I see traffic to B!]
Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN
Attack: Mac Flooding
CAM Table overflow
• Macof sends random source MAC and IP addresses
• Much more aggressive if you run the command “macof -i eth1 2> /dev/null”
  macof (part of dsniff)—http://monkey.org/~dugsong/dsniff/
• Yersinia – Flavor of the month attack tool

macof –i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
Countermeasures for MAC Attacks
Port Security limits the number of MACs learned on an interface

IOS®
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

• Number is not to control access, it is to protect the switch from attack
• Depending on security policy, disabling the port might be preferred, even with VoIP
• Aging time of two and aging type inactivity to allow for phone CDP of one minute
  Will enable voice to work under attack
If Violation Error-Disable, the Following Log Message Will Be Produced:
4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
Countermeasures for MAC Attacks
With IP Phones
• Phones can use 2 or 3 depending on the switch hardware and software
  Some switches look at the CDP traffic and some don’t; if they don’t, they need 2, if they do they need 3
  Some hardware (3550) will always need 3
• Default config is disable port, might want to restrict for VoIP
• This feature is to protect that switch, you can make the number anything you like as long as you don’t overrun the CAM table

[Figure: phone and PC on one access port; could use 2 or 3 MAC addresses allowed on the port, violation shutdown]
Note: When Using the Restrict Feature of Port Security, if the Switch Is Under Attack, You Will See a Performance Hit on the CPU
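The following Python (an added example, not Cisco code) simulates the CAM table behaviour described on the MAC flooding and port security slides: a macof-style flood fills the table so that traffic to an unknown host is flooded out every port, while the same flood against a port with `switchport port-security maximum 3 violation restrict` is contained; a second scenario shows inactivity aging freeing a slot. The tiny CAM size, port numbers and MAC addresses are constructed for the demo, and the violation and aging handling follow the slides, not IOS internals.

```python
"""Simulation of CAM-table flooding with and without port security
(added illustration, not Cisco code)."""
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac in_port")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_size, max_per_port=None,
                 violation="shutdown", aging_minutes=None):
        self.ports = set(ports)
        self.cam_size = cam_size          # total CAM capacity (tiny for the demo)
        self.max_per_port = max_per_port  # switchport port-security maximum N
        self.violation = violation        # 'restrict' or 'shutdown'
        self.aging = aging_minutes        # aging time N with aging type inactivity
        self.cam = {}                     # mac -> (port, minute last seen)
        self.err_disabled = set()
        self.violations = {p: 0 for p in ports}

    def _learned_on(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def _age_out(self, now):
        if self.aging is None:
            return
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen >= self.aging]:
            del self.cam[mac]

    def receive(self, frame, now=0):
        """Switch one frame; return the set of ports it is sent out of."""
        port = frame.in_port
        if port in self.err_disabled:
            return set()
        self._age_out(now)
        if frame.src_mac in self.cam:
            self.cam[frame.src_mac] = (port, now)        # refresh inactivity timer
        elif self.max_per_port is not None and self._learned_on(port) >= self.max_per_port:
            # Port-security violation: the MAC is not learned and the frame is dropped.
            self.violations[port] += 1
            if self.violation == "shutdown":
                self.err_disabled.add(port)              # the %PM-4-ERR_DISABLE case
            return set()
        elif len(self.cam) < self.cam_size:
            self.cam[frame.src_mac] = (port, now)
        # else: CAM is full, the source is not learned but the frame still switches.
        known = self.cam.get(frame.dst_mac)
        if known is None:
            return self.ports - {port}                   # unknown destination: flood
        return {known[0]}


def flood_demo(port_security):
    """Attacker on port 3 floods bogus sources, then host A (port 1) talks to
    host B (port 2). Returns (ports A's frame is sent to, violations on port 3)."""
    sw = Switch(ports=[1, 2, 3], cam_size=8,
                max_per_port=3 if port_security else None, violation="restrict")
    for i in range(20):                                  # constructed macof-style flood
        sw.receive(Frame(f"02:00:00:00:00:{i:02x}", BROADCAST, 3))
    sw.receive(Frame("00:0e:00:bb:bb:bb", BROADCAST, 2))   # B announces itself
    egress = sw.receive(Frame("00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", 1))
    return egress, sw.violations[3]


def aging_demo():
    """A second device appears on a 'maximum 1' port with two-minute inactivity
    aging: rejected at minute 1, learned once the idle entry has aged out."""
    sw = Switch(ports=[1, 2], cam_size=8, max_per_port=1,
                violation="restrict", aging_minutes=2)
    sw.receive(Frame("00:0e:00:aa:aa:aa", BROADCAST, 1), now=0)
    early = sw.receive(Frame("00:0e:00:bb:bb:bb", BROADCAST, 1), now=1)
    later = sw.receive(Frame("00:0e:00:bb:bb:bb", BROADCAST, 1), now=2)
    return early, later, sw.violations[1]


if __name__ == "__main__":
    print("no port security :", flood_demo(False))   # ({2, 3}, 0): port 3 sees A -> B
    print("port security    :", flood_demo(True))    # ({2}, 17)
    print("aging            :", aging_demo())        # (set(), {2}, 1)
```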
Building the Layers
Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP Starvation attacks

[Figure: feature stack with Port Security, IP Source Guard above it; 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc) make the switch act like a hub]
Attack: DHCP Starvation
Gobbler
• Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
• Gobbler uses a new MAC address to request a new DHCP lease
• Restrict the number of MAC addresses on a port

[Figure: Gobbler client sends DHCP Discovery (Broadcast) x (Size of Scope) to the DHCP server]

IOS
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
Attack: Rogue DHCP Server
• What can the attacker do if he is the DHCP server?

[Figure: client sends DHCP Discovery (Broadcast); the rogue server replies with a unicast DHCP Offer]
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.140
DNS Servers: 10.10.10.140
Lease Time: 10 days

Wrong Default Gateway—Attacker is the gateway
Wrong DNS server—Attacker is DNS server
Wrong IP Address—Attacker does DOS with incorrect IP
Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping
• By default all ports in the VLAN are untrusted

[Figure: DHCP Snooping enabled; the DHCP server sits behind a trusted port, the client and the rogue server behind untrusted ports. OK DHCP responses (offer, ack, nak) from the trusted port are passed; BAD DHCP responses (offer, ack, nak) from the untrusted rogue server are dropped]

IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping

DHCP Snooping Untrusted Client
Interface Commands
no ip dhcp snooping trust (Default)
ip dhcp snooping limit rate 10 (pps)

DHCP Snooping Trusted Server or Uplink
Interface Commands
ip dhcp snooping trust
Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping
• Table is built by “Snooping” the DHCP reply to the client
• Entries stay in table until DHCP lease time expires
• If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed

[Figure: same topology as the previous slide, with the DHCP Snooping binding table populated from the OK DHCP responses]

DHCP Snooping Binding Table
sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
Countermeasures for DHCP Attacks
DHCP Option 82: Upstream Modifications
• DHCP Snooping modifies the DHCP Discovery packet by adding an option 82 field
• Identifies the ‘circuit-id’ (switch port) that the DHCP discovery packet originated on; defined in RFC 3046
• Necessary to configure the distribution switch to trust modified DHCP Discovery packets

[Figure: the access switch forwards the DHCP Request with Opt 82; the distribution switch, a trusted DHCP relay that trusts downstream DHCP relay agents, relays the DHCP Request with Opt 82 and giaddr to the DHCP server]

! Distribution Switch -
! Trust DHCP packets modified by Access Switch with option 82
ip dhcp relay information trust-all
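An added Python model (not Cisco code) of the DHCP snooping rules on the last three slides: server messages are accepted only from trusted ports, client messages on untrusted ports are rate limited and tagged with an option 82 circuit-id, and the binding table is built from the ACK to the client and expires with the lease. Port names, the sample MAC and IP values and the way the client's ingress port is remembered are constructed for the demo.

```python
"""DHCP snooping model (added example, not Cisco code)."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Dhcp:
    kind: str                 # DISCOVER, OFFER, REQUEST, ACK, NAK
    client_mac: str
    vlan: int
    yiaddr: str = ""          # address offered/assigned in server messages
    lease: int = 0            # lease time in seconds, carried in the ACK
    options: dict = field(default_factory=dict)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    expires_at: int


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limit=10, option82=True):
        self.vlans = set(vlans)            # ip dhcp snooping vlan 4,104
        self.trusted = set(trusted_ports)  # ip dhcp snooping trust (server/uplink ports)
        self.rate_limit = rate_limit       # ip dhcp snooping limit rate 10 (pps)
        self.option82 = option82           # ip dhcp snooping information option
        self.bindings = {}                 # (mac, vlan) -> Binding
        self.client_port = {}              # (mac, vlan) -> port the client's request came in on
        self.rate = {}                     # port -> (second, count)
        self.dropped = []                  # (reason, port, message kind)

    def process(self, msg, in_port, now):
        """Return the message to forward (with option 82 added on untrusted
        client ports) or None if snooping drops it."""
        self._expire(now)
        if msg.vlan not in self.vlans:
            return msg                     # VLAN is not snooped: pass through
        if in_port in self.trusted:
            if msg.kind == "ACK":          # build the binding from the reply to the client
                port = self.client_port.get((msg.client_mac, msg.vlan), "unknown")
                self.bindings[(msg.client_mac, msg.vlan)] = Binding(
                    msg.client_mac, msg.yiaddr, msg.vlan, port, now + msg.lease)
            return msg
        if msg.kind in SERVER_MSGS:        # rogue server behind an untrusted port
            self.dropped.append(("rogue-server", in_port, msg.kind))
            return None
        sec, count = self.rate.get(in_port, (int(now), 0))
        if sec != int(now):
            sec, count = int(now), 0
        self.rate[in_port] = (sec, count + 1)
        if count + 1 > self.rate_limit:    # starvation-style burst exceeds the limit
            self.dropped.append(("rate-limit", in_port, msg.kind))
            return None
        self.client_port[(msg.client_mac, msg.vlan)] = in_port
        if self.option82:
            msg.options[82] = {"circuit-id": in_port}   # RFC 3046 relay agent information
        return msg

    def _expire(self, now):
        for key in [k for k, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[key]


def demo():
    """Legitimate lease via the trusted uplink, a rogue OFFER from a client port,
    then a burst of DISCOVERs from another client port. All values constructed."""
    sn = DhcpSnooping(vlans=[4, 104], trusted_ports={"Gi1/1"})
    mac = "00:03:47:b5:9f:ad"
    discover = sn.process(Dhcp("DISCOVER", mac, 4), "Fa3/18", now=0)
    rogue = sn.process(Dhcp("OFFER", mac, 4, yiaddr="10.10.10.101"), "Fa3/20", now=0)
    sn.process(Dhcp("OFFER", mac, 4, yiaddr="10.120.4.10"), "Gi1/1", now=0)
    sn.process(Dhcp("REQUEST", mac, 4), "Fa3/18", now=1)
    sn.process(Dhcp("ACK", mac, 4, yiaddr="10.120.4.10", lease=193185), "Gi1/1", now=1)
    forwarded = sum(
        sn.process(Dhcp("DISCOVER", f"02:00:00:00:00:{i:02x}", 4), "Fa3/19", now=5) is not None
        for i in range(25))
    return sn, discover, rogue, forwarded


if __name__ == "__main__":
    sn, discover, rogue, forwarded = demo()
    print("option 82 added :", discover.options)          # {82: {'circuit-id': 'Fa3/18'}}
    print("rogue offer     :", rogue)                     # None
    print("binding         :", sn.bindings[("00:03:47:b5:9f:ad", 4)])
    print("discovers fwd   :", forwarded, "of 25")        # 10 of 25
```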
Building The Layers
Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP Starvation attacks
• DHCP Snooping prevents Rogue DHCP Server attacks

[Figure: feature stack with Port Security and DHCP Snooping, IP Source Guard above them; 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc) make the switch act like a hub; a rogue DHCP server saying “Use this IP Address !” is blocked]
Attack: ARP
ARP Function Review
• Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address
  This ARP request is broadcast using protocol 0806
• All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply

[Figure: a station broadcasts “Who Is 10.1.1.4?” and the owner replies “I Am 10.1.1.4, MAC A”]
Attack: ARP
ARP Function Review
• According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
• Anyone can claim to be the owner of any IP/MAC address they like
• ARP attacks use this to redirect traffic

[Figure: a host announces “I Am 10.1.1.1, MAC A” and every other host on the subnet records “You Are 10.1.1.1, MAC A”]
Attack: ARP
ARP Attack Tools
• Many tools on the Net for ARP man-in-the-middle attacks
  Dsniff, Cain & Abel, ettercap, Yersinia, etc...
• ettercap - http://ettercap.sourceforge.net/index.php
  Some are second or third generation of ARP attack tools
  Most have a very nice GUI, and are almost point and click
  Packet Insertion, many to many ARP attack
• Cain - www.oxid.it/cain.html
• All of them capture the traffic/passwords of applications
  FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc…
Attack: ARP
ettercap, CAIN, …

[Figure: Catalyst 4500 with three hosts on Vlan 10: a device at IP Address 10.1.1.3 (Mac Address 00-0D-60-7A-25-02), the User PC at 10.1.1.1 (Mac Address 00-0F-8F-7A-2C-3F) and the Hacker PC at 10.1.1.2 (Mac Address 00-15-58-2D-08-2A). Before the attack the ARP caches hold the genuine entries; after the attack the User PC's ARP cache maps 10.1.1.3 to 00-15-58-2D-08-2A and the 10.1.1.3 device's ARP cache maps 10.1.1.1 to 00-15-58-2D-08-2A, while the ARP cache of the Hacker PC keeps the genuine entries for 10.1.1.1 (00-0F-8F-7A-2C-3F) and 10.1.1.3 (00-0D-60-7A-25-02)]
Countermeasures to ARP Attacks
Dynamic ARP Inspection (DAI)
• Uses the DHCP Snooping Binding table information
• Dynamic ARP Inspection
  All ARP packets must match the IP/MAC Binding table entries
  If the entries do not match, throw them in the bit bucket

[Figure: DHCP Snooping enabled, Dynamic ARP Inspection enabled. Hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and 10.1.1.3 (MAC C). MAC C sends an ARP to 10.1.1.1 saying 10.1.1.2 is MAC C and an ARP to 10.1.1.2 saying 10.1.1.1 is MAC C; the switch asks “Is this in my binding table? NO!” and the non-matching ARPs go in the bit bucket]
Countermeasures to ARP Attacks
Dynamic ARP Inspection
• Uses the information from the DHCP Snooping Binding table
• Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked

sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
00:03:47:c4:6f:83  10.120.4.11     213454     dhcp-snooping 4    FastEthernet3/21

• No entry in the binding table—no traffic!
• Wait until all devices have new leases before turning on Dynamic ARP Inspection
• Entries stay in table until the lease runs out
• All switches have a binding size limit
  4500 switches – 3000 entries (6000 for the SupV-10GE)
  6500 switches – 16,000 entries
Countermeasures to ARP Attacks
Dynamic ARP Inspection

IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 4,104
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

Interface Commands
no ip dhcp snooping trust
no ip arp inspection trust
ip arp inspection limit rate 100

• DAI is configured on a per VLAN basis
• You can trust an interface like DHCP Snooping
• Suggested for voice is to set the DAI rate limit above the default if you feel dial tone is important
Non DHCP Devices
• Can use Static bindings in the DHCP Snooping Binding table

IOS
Global Commands
ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1

IOS
Show Commands
show ip source binding

• The show command for static entries in the DHCP Snooping Binding table is different from the one for dynamic entries
Security Demo
Building The Layers
Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP Starvation attacks
• DHCP Snooping prevents Rogue DHCP Server attacks
• Dynamic ARP Inspection prevents current ARP attacks

[Figure: feature stack with Port Security, DHCP Snooping and Dynamic ARP Inspection, IP Source Guard above them; 132,000 bogus MACs make the switch act like a hub; a rogue DHCP server saying “Use this IP Address !” is blocked; a man in the middle posing as the email server (“Your Email Passwd Is ‘joecisco’ !”) is blocked]
Attack: IP and MAC Spoofing
IP Source Guard
• Uses the DHCP Snooping Binding Table Information
• IP Source Guard operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets

[Figure: DHCP Snooping enabled, Dynamic ARP Inspection enabled, IP Source Guard enabled. Hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and 10.1.1.3 (MAC C). Traffic sent with IP 10.1.1.3 and MAC B, and traffic sent with IP 10.1.1.2 and MAC C, is checked against the binding table (“Is this in my binding table? NO!”) and the non-matching traffic is dropped; only traffic whose source IP 10.1.1.2 / MAC B or 10.1.1.3 / MAC C matches is received]
Countermeasures to Spoofing Attacks:
IP Source Guard
• Uses the information from the DHCP Snooping Binding table

sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
00:03:47:c4:6f:83  10.120.4.11     213454     dhcp-snooping 4    FastEthernet3/21

• DHCP Snooping had to be configured so the binding table is built
• IP Source Guard is configured by port
• IP Source Guard with MAC does not learn the MAC from the device connected to the switch, it learns it from the DHCP Offer
Countermeasures to Spoofing Attacks
IP Source Guard

IP Source Guard Configuration
IP/MAC Checking Only (Opt 82)
IOS
Global Commands
ip dhcp snooping vlan 4,104
ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping port-security

IP Source Guard Configuration
IP Checking Only (no Opt 82)
IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping

• MAC and IP checking can be turned on separately or together
  For IP: Will work with the information in the binding table
  For MAC: Must have an Option 82 enabled DHCP server (Microsoft does not support option 82)
  Have to Change bootp-helper router configuration to support Option 82 – ‘dhcp relay information trust’
Note: There are at least two DHCP servers that support the Option 82 Field: Cisco Network Registrar® and Avaya
Building The Layers
Catalyst Integrated Security Features
 Port security prevents CAM attacks and DHCP Starvation attacks
 DHCP Snooping prevents Rogue DHCP Server attacks
 Dynamic ARP Inspection prevents current ARP attacks
 IP Source Guard prevents IP/MAC Spoofing
[Diagram: the four features stacked as layers, IP Source Guard on top of Dynamic ARP Inspection, DHCP Snooping and Port Security, each blocking the attack drawn beside it: 132,000 bogus MACs making the switch act like a hub, a rogue DHCP server ("Use this IP address!"), and a man in the middle reading "Your email passwd is 'joecisco'!".]
Attack: VLAN Hopping
Avoid the use of the native VLAN on trunks
 Double-encapsulated packets allow a compromised server to join the default or native VLAN and then "hop" VLANs
 Configure an unused dummy VLAN as the native VLAN
 Alternative on the 6500 is to configure encapsulation of the native VLAN:
6500(config)#vlan dot1q tag native
[Diagram: an attacker on a compromised server in VLAN 10 sends a frame tagged 802.1q, 802.1q; the first tag is removed and the packet forwarded, so the traffic jumps from VLAN 10 to VLAN 20 and reaches server2 in VLAN 20 over a tunnel (e.g. netcat).]
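A way to audit a switch configuration for the two mitigations on this slide, as an added example that is not Cisco's code and not part of the deck: it parses the interface stanzas of a running-config, and reports every trunk whose native VLAN is left at the default (1) or shared with a VLAN that carries access ports, unless the switch tags the native VLAN globally. The sample configuration and the function names are ours; the command strings it looks for are the standard IOS ones.

```python
"""Audit a Catalyst running-config for the VLAN hopping mitigations on the slide:
every trunk should use an unused dummy native VLAN (not VLAN 1 and not a VLAN that
carries access ports), or the switch should tag the native VLAN globally.
Example code, not Cisco's; the config below is constructed and the helper names are ours."""
from typing import Dict, List

SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet1/2
 switchport mode trunk
!
interface FastEthernet2/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet2/2
 switchport mode access
 switchport access vlan 20
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface' stanza under its name."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def _last_int(lines: List[str], prefix: str, default: int) -> int:
    values = [int(l.split()[-1]) for l in lines if l.startswith(prefix)]
    return values[-1] if values else default


def audit_native_vlan(config: str) -> List[str]:
    """Return one finding per trunk that still exposes an untagged native VLAN."""
    tags_native = "vlan dot1q tag native" in config.splitlines()
    access_vlans, trunks = set(), {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            access_vlans.add(_last_int(lines, "switchport access vlan ", 1))
        elif "switchport mode trunk" in lines:
            # IOS default native VLAN is 1 when none is configured.
            trunks[name] = _last_int(lines, "switchport trunk native vlan ", 1)
    findings = []
    for name, native in trunks.items():
        if tags_native:
            continue  # native VLAN frames leave tagged: the slide's 6500 alternative
        if native == 1:
            findings.append(f"{name}: trunk uses default native VLAN 1")
        elif native in access_vlans:
            findings.append(f"{name}: native VLAN {native} also carries access ports")
    return findings


if __name__ == "__main__":
    for finding in audit_native_vlan(SAMPLE_CONFIG.replace("vlan dot1q tag native\n", "")):
        print(finding)
```

Run against a configuration export rather than the live device; the check is deliberately conservative and treats a trunk with no explicit native VLAN as VLAN 1, which is what IOS does.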
Matrix for Security Features
Feature / Platform     | 6500/Catalyst OS | 6500/Cisco IOS | 4500/Catalyst OS | 4500/Cisco IOS
Dynamic Port Security  | 7.6(1)           | 12.1(13)E      | 5.1(1)           | 12.1(13)EW
DHCP Snooping          | 8.5(6)           | 12.2(18)SXF    | N/A              | 12.1(12c)EW **
DAI                    | 8.5(6)           | 12.2(18)SXF    | N/A              | 12.1(19)EW **
IP Source Guard        | 8.5(6)           | 12.2(33)SXH    | N/A              | 12.1(19)EW **
Requires Sup720 or Sup32 for DHCP Snooping and DAI
** For the Catalyst 4500/IOS-based platforms, this requires Sup2+, Sup3, Sup4, Sup 5. These Sups are supported on the Catalyst 4006, 4503, 4506, and 4507R chassis
NOTE: There are no plans to support these features for any Catalyst 4000/4500 platform running CatOS
IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Unified Communications Network
Agenda
 Resilient Network Design
  Network Resiliency
  High Availability Design Principles
  Redundancy in the Distribution Block
  Redundancy and Routing Design
  Switch Resiliency
  NSF/SSO
  ISSU & IOS Modularity
  GOLD & EEM
  Hardening the Network
  Layer 2 Security
 Quality of Service
Hardening The Network
Direct and Collateral Damage
Availability of networking resources impacted by the propagation of the worm
[Diagram: an infected source at the access layer attacks a system elsewhere in the campus; the damage spreads across the access, distribution and core layers.]
Network links overloaded
• High packet loss
• Mission critical applications impacted
Routers overloaded
• High CPU
• Instability
• Loss of mgmt
End systems overloaded
• High CPU
• Applications impacted
Mitigating the Impact
Preventing and Limiting the Pain
Allow the network to do what you designed it to do, but not what you didn't
[Diagram: infected source at the access layer and a system under attack; the protections below are applied at the access, distribution and core layers.]
Protect the end systems
• Cisco Security Agent
Protect the links
• QoS
• Scavenger Class
Protect the switches
• CEF
• Rate Limiters
• CoPP
Prevent the attack
• NAC and IBNS
• ACLs and NBAR
Worms Are Only One Problem
Other Sources of Pain
 Internet worms are not the only type of network anomaly
 Multiple things can either go wrong or be happening that you want to prevent and/or mitigate
  Spanning Tree Loops
  NICs spewing garbage
  Distributed Denial of Service (DDoS)
  TCP Splicing, ICMP Reset attacks
  Man-in-the-Middle (M-in-M) attacks
  …
 Security best practices 'are' HA best practices in the resilient design
 HA best practices 'are' security best practices in the resilient design
QoS is a key component of Resiliency
Protect the Good and Punish the Bad
 QoS does more than just protect voice and video
 For "best-effort" traffic, an implied "good faith" commitment that there are at least some network resources available is assumed
 Need to identify and potentially punish out-of-profile traffic (potential worms, DDoS, etc.)
 Scavenger class is an Internet-2 draft specification: CS1/CoS1
[Diagram: Voice, Data and Scavenger queues shown on the Access, Distribution and Core links.]
Resilient Network Design
Stick to Your Principles
 Develop an architecture and stick to it
  Ease operational support
  Consistent deployment
 Balance OpEx and CapEx
  Remember you will have to live with this for a long time
  Requirements will change
 Plan for evolution
  The one thing that doesn't change is that there will be change
 Understand change
  How your environments are changing
  How the network equipment is evolving to meet that change
[Diagram: campus network with data center.]
Resilient Network Design
This Is What You Can Expect
[Chart: worst-case convergence for any campus failure event, in seconds until restoration of VoIP (y axis 0 to 2 s). Bars: L2 Access (Rapid PVST+ HSRP) with OSPF Core* and with EIGRP Core; L3 Access with OSPF Access* and with EIGRP Access.]
*OSPF results require sub-second timers
Campus, Data Center & UC Design Guidance
Where to go for more information
http://www.cisco.com/go/srnd

BREAK

Network Design Seminar for Unified Communications
Network Infrastructure: Quality of Service
Unified Communications Network
Agenda
 Resilient Network Design
 Quality of Service
  QoS Best Practices Review
  Campus QoS Design
  Catalyst 4500 QoS Design
  Catalyst 6500 QoS Design
  Control Plane Policing
Enabling QoS in the Campus
Traffic Profiles and Requirements

Voice
 Smooth
 Benign
 Drop sensitive
 Delay sensitive
 UDP priority
One-Way Requirements:
 Latency ≤ 150 ms
 Jitter ≤ 30 ms
 Loss ≤ 1%
Bandwidth per call depends on codec, sampling rate, and Layer 2 media

Video-Conf
 Bursty
 Greedy
 Drop sensitive
 Delay sensitive
 UDP priority
One-Way Requirements:
 Latency ≤ 150 ms
 Jitter ≤ 30 ms
 Loss ≤ 1%
IP/VC has the same requirements as VoIP, but has radically different traffic patterns (BW varies greatly)

Data
 Smooth/bursty
 Benign/greedy
 Drop insensitive
 Delay insensitive
 TCP retransmits
Data Classes: Mission-Critical Apps; Transactional/Interactive Apps; Bulk Data Apps; Best Effort Apps (Default)
Traffic patterns for data vary among applications
Enabling QoS
Elements that Affect End-to-End Delay
[Diagram: campus with Cisco CallManager cluster, IP WAN, branch office with SRST router, PSTN.]
CODEC: G.729A: 25 ms
Queuing: variable (can be reduced using LLQ)
Serialization: variable (can be reduced using LFI)
Propagation and Network: 6.3 µs/km + network delay (variable)
Jitter Buffer: 20–50 ms
End-to-End Delay (should be < 150 ms)
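The delay elements above summed into a one-way budget, as an added example that is not Cisco's code and not part of the deck. The codec figure (G.729A, 25 ms), the propagation constant (6.3 µs/km), the jitter-buffer range and the 150 ms target are the slide's; the link speed, frame sizes and distance in the scenario are constructed, and queuing is modelled the way LLQ bounds it, as waiting for at most one frame already on the wire per link, which is also what LFI shrinks.

```python
"""One-way VoIP delay budget built from the delay elements on the slide.
Example code, not Cisco's: the codec, propagation and jitter-buffer figures come
from the slide; link speeds, frame sizes and distances below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROPAGATION_US_PER_KM = 6.3   # from the slide
ONE_WAY_BUDGET_MS = 150.0     # from the slide
G729A_CODEC_MS = 25.0         # from the slide


@dataclass
class Link:
    name: str
    rate_bps: float
    voice_frame_bytes: int      # voice packet plus Layer 2 header on this link
    max_frame_ahead_bytes: int  # largest frame the voice packet may queue behind


def serialization_ms(frame_bytes: int, rate_bps: float) -> float:
    """Time to clock a frame onto the wire."""
    return frame_bytes * 8 / rate_bps * 1000


def propagation_ms(distance_km: float) -> float:
    return distance_km * PROPAGATION_US_PER_KM / 1000


def delay_budget(links: List[Link], distance_km: float, jitter_buffer_ms: float,
                 codec_ms: float = G729A_CODEC_MS,
                 network_ms: float = 0.0) -> Tuple[float, Dict[str, float]]:
    """Return (total one-way delay, per-element breakdown) in milliseconds.

    Queuing is the LLQ worst case: on each link the voice packet waits for at most
    one frame that is already being serialized (LFI reduces that frame's size).
    """
    parts = {
        "codec": codec_ms,
        "queuing": sum(serialization_ms(l.max_frame_ahead_bytes, l.rate_bps) for l in links),
        "serialization": sum(serialization_ms(l.voice_frame_bytes, l.rate_bps) for l in links),
        "propagation": propagation_ms(distance_km),
        "network": network_ms,
        "jitter_buffer": jitter_buffer_ms,
    }
    return sum(parts.values()), parts


def within_budget(total_ms: float) -> bool:
    return total_ms < ONE_WAY_BUDGET_MS


if __name__ == "__main__":
    # Constructed branch scenario: a 512 kbps WAN link, 66-byte G.729 frames, 1000 km.
    wan_no_lfi = Link("WAN", 512_000, 66, 1500)
    wan_lfi = Link("WAN+LFI", 512_000, 66, 256)  # LFI fragments the data frame ahead
    for link in (wan_no_lfi, wan_lfi):
        total, parts = delay_budget([link], 1000, 40)
        print(f"{link.name}: {total:.1f} ms, within budget: {within_budget(total)}")
```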
UC & Network Infrastructure Integration
Quality of Service
 The phone contains a 3-port switch that is configured in conjunction with the access switch and CallManager
1. Power negotiation
2. VLAN configuration
3. 802.1x interoperation
4. QoS configuration
5. DHCP
6. CallManager registration
[Diagram: UC interaction with infrastructure QoS: the switch detects the IP phone and applies power; a CDP transaction runs between phone and switch; the IP phone is placed in the proper VLAN; DHCP request and CallManager registration follow.]
Classification & Marking
How should it be done?
QoS is implemented in hardware on the modular switching platforms and may be split across the Supervisor and linecards. The QoS features actually available depend on the specific forwarding engine and/or linecard hardware version.
Classification & Marking
Where should it be done?
Classification and marking should be performed as close as technically feasible to the sources so that prioritization may be implemented at congestion points throughout the network. DSCP should be used wherever possible.
[Diagram: Access, Distribution and Core layers.]
Access: classify and mark traffic at the physical port; queue on uplinks to Distribution.
Subsequent points in the network can now "trust" the marked values and queue based on the baseline values outlined below.
Classification and Marking
QoS Baseline Marking Recommendations
Application             | L3 Classification     | L2
                        | DSCP | PHB   | IPP     | CoS
Routing                 | 48   | CS6   | 6       | 6
Voice                   | 46   | EF    | 5       | 5
Video Conferencing      | 34   | AF41  | 4       | 4
Streaming Video         | 32   | CS4   | 4       | 4
Mission-Critical Data   | 26   | AF31* | 3       | 3
Call Signaling          | 24   | CS3*  | 3       | 3
Transactional Data      | 18   | AF21  | 2       | 2
Network Management      | 16   | CS2   | 2       | 2
Bulk Data               | 10   | AF11  | 1       | 1
Scavenger               | 8    | CS1   | 1       | 1
Best Effort             | 0    | 0     | 0       | 0
Classification and Marking Design
RFC 4594 Configuration Guidelines
Application             | DSCP | PHB  | IETF RFC
Network Control         | 48   | CS6  | RFC 2474
VoIP Telephony          | 46   | EF   | RFC 3246
Call Signaling          | 40   | CS5  | RFC 2474
Multimedia Conferencing | 34   | AF41 | RFC 2597
Real-Time Interactive   | 32   | CS4  | RFC 2474
Multimedia Streaming    | 26   | AF31 | RFC 2597
Broadcast Video         | 24   | CS3  | RFC 2474
Low-Latency Data        | 18   | AF21 | RFC 2597
OAM                     | 16   | CS2  | RFC 2474
High-Throughput Data    | 10   | AF11 | RFC 2597
Low-Priority Data       | 8    | CS1  | RFC 3662
Best Effort             | 0    | DF   | RFC 2474
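The bit-level relationships behind both marking tables (the QoS Baseline table and the RFC 4594 table above), as an added example that is not Cisco's code and not part of the deck: a DSCP value is decoded into its PHB name from its bit fields rather than looked up, the IPP/CoS column is derived as the top three bits, and the ToS byte as it appears in a packet capture is encoded and decoded. The function names are ours; the baseline list is copied from the slide so the derived rows can be compared against it.

```python
"""Decode and encode DiffServ code points the way the marking tables on the slides use
them: DSCP value <-> PHB name (RFC 2474 CS/DF, RFC 2597 AF, RFC 3246 EF, RFC 3662 CS1),
the IP Precedence/CoS value given by the first three bits, and the ToS byte on the wire.
Example code, not Cisco's; the baseline list below is copied from the slide."""
from typing import List, Tuple


def phb_name(dscp: int) -> str:
    """Return the standard PHB name for a DSCP, or 'DSCPnn' for a non-standard codepoint."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return "DF" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):  # AFxy: class x, drop precedence y
        return f"AF{cls}{low >> 1}"
    return f"DSCP{dscp}"


def parse_phb(name: str) -> int:
    """Inverse of phb_name for the standard names (case-insensitive)."""
    name = name.upper()
    if name == "EF":
        return 46
    if name in ("DF", "BE", "0"):
        return 0
    if name.startswith("CS") and name[2:].isdigit():
        return int(name[2:]) << 3
    if name.startswith("AF") and len(name) == 4 and name[2:].isdigit():
        cls, drop = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            return (cls << 3) | (drop << 1)
    raise ValueError(f"unknown PHB name: {name}")


def ip_precedence(dscp: int) -> int:
    """First three bits of the DSCP; the slide's baseline uses the same value for CoS."""
    return dscp >> 3


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """The IPv4 ToS byte: DSCP in the top six bits, ECN in the bottom two."""
    return (dscp << 2) | (ecn & 0b11)


def dscp_from_tos(tos: int) -> int:
    return (tos & 0xFF) >> 2


# QoS Baseline marking recommendations as listed on the slide (application, DSCP).
BASELINE = [("Routing", 48), ("Voice", 46), ("Video Conferencing", 34), ("Streaming Video", 32),
            ("Mission-Critical Data", 26), ("Call Signaling", 24), ("Transactional Data", 18),
            ("Network Management", 16), ("Bulk Data", 10), ("Scavenger", 8), ("Best Effort", 0)]


def baseline_rows() -> List[Tuple[str, int, str, int]]:
    """(application, DSCP, PHB, IPP/CoS) rows derived from the DSCP value alone."""
    return [(app, d, phb_name(d), ip_precedence(d)) for app, d in BASELINE]


if __name__ == "__main__":
    for app, d, phb, cos in baseline_rows():
        print(f"{app:22} DSCP {d:2}  {phb:5} IPP/CoS {cos}  ToS 0x{tos_byte(d):02x}")
```

The decoder is handy when reading a capture: a ToS byte of 0xb8 is DSCP 46 (EF), and 0x60 is DSCP 24 (CS3), which is the call-signaling value the phone-trust slides refer to.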
Policing Design Principles
Where and How Should Policing Be Done?
Policing shall be applied as close to the traffic source as possible. In general it should be applied at the ingress point to the network (Access Layer), at the same time as the classification process.
Policing is applied to offending traffic classes to 'mark down' traffic to CS1 (Scavenger) rather than drop it. Queuing will then queue that traffic on the uplink to Distribution/Core, where CS1 will occupy minimal bandwidth.
Queuing Design Principles
Where should it be done?
Queuing should be performed wherever there may be potential for congestion (even if a rare occurrence), ensuring consistency between Campus/WAN/VPN networks.
[Diagram: Access, Distribution and Core layers.]
Recommended Guidelines:
1) 25% allocated to Best Effort (BE) Class
2) Priority Queue (PQ) given maximum of 33%
3) Scavenger should be provided with minimum (5%) bandwidth
4) Congestion Management enabled on non-PQ
Campus Queuing Design
Realtime, Best Effort, and Scavenger Queuing Rules
Real-Time ≤ 33%
Critical Data
Best Effort ≥ 25%
Scavenger/Bulk ≤ 5%
Unified Communications Network
Agenda
 Network Resiliency
 Layer 2 Security
 Quality of Service
  QoS Best Practices Review
  Campus QoS Design
  Catalyst 4500 QoS Design
  Catalyst 6500 QoS Design
  Control Plane Policing
Campus QoS Considerations
Establishing Trust Boundaries
[Diagram: Endpoints, Access, Distribution, Core and WAN Aggregators, with three candidate trust boundaries marked: Optimal Trust Boundary: Trusted Endpoint; Optimal Trust Boundary: Untrusted Endpoint; Suboptimal Trust Boundary.]
Access-Edge Trust Models
Endpoints and Endpoint Categories
Endpoints
• Analog gateways
• IP-conferencing stations
• Videoconferencing gateways and systems
• Video surveillance units
• Wireless access points
• Wireless IP phones
• Servers
• Client PCs
Endpoint Categories
• Trusted endpoints
• Untrusted endpoints
• Conditionally-trusted endpoints
Campus QoS Considerations
Trust Boundary Extension and Operation
[Diagram: IP phone (Phone VLAN = 110) with an attached PC (PC VLAN = 10) connected to an access switch; the trust boundary is extended to the IP phone.]
1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone ("I see you're an IP phone, so I will trust your CoS")
2. Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic ("Voice = 5, Signaling = 3")
3. Phone rewrites CoS from the PC port to 0 (the PC sets CoS to 5 for all traffic; all PC traffic is reset to CoS 0)
4. Switch trusts CoS from the phone and maps CoS to DSCP for output queuing ("CoS 5 = DSCP 46", "CoS 3 = DSCP 24", "CoS 0 = DSCP 0")
Access-Edge Trust Models
Trusted Endpoint Model
 DSCP from endpoint is accepted and admitted onto the network unaltered
 Policing is optional
[Flow: Start → Trust DSCP → Optional Policing → Transmit Packet with DSCP Unaltered]
Access-Edge Trust Models
AutoQoS—VoIP Model
[Flow, from Start:
VVLAN + DSCP EF? Yes: Trust and Transmit.
No → VVLAN + DSCP CS3? Yes: Trust and Transmit.
No → DVLAN ANY: Remark to DSCP 0 and Transmit.]
Access-Edge Trust Models
IP Phone + PC + Scavenger (Basic) Model
[Flow, from Start:
VVLAN + DSCP EF? Yes → ≤ 128 kbps? Yes: Trust and Transmit. No: Drop.
No → VVLAN + DSCP CS3? Yes → ≤ 32 kbps? Yes: Remark to DSCP CS3 and Transmit. No: Remark to DSCP CS1 and Transmit.
No → VVLAN ANY? Yes → ≤ 32 kbps? Yes: Remark to DSCP 0 and Transmit. No: Remark to DSCP CS1 and Transmit.
No → DVLAN ANY → ≤ 5 Mbps? Yes: Remark to DSCP 0 and Transmit. No: Remark to DSCP CS1 and Transmit.]
Campus QoS Considerations
Typical Campus Oversubscription Ratios
Campus networks are always designed with oversubscription in mind, to take advantage of the bursty nature of traffic and the assumption that not all users require bandwidth simultaneously.
[Diagram: Access to Distribution typically 20:1 ratio; Distribution to Core typically 4:1 ratio.]
Campus QoS Design Considerations
Catalyst Hardware Queuing
All Catalyst switches have hardware-based queues, which differ depending on the module or port ASIC used. They are described using the notation 1PxQyT, where x is the number of normal queues and y the number of drop thresholds within those normal queues.
1p3q8t = 1 Priority Queue with 3 Normal Queues, each containing 8 Drop Thresholds
[Diagram: a normal queue with Drop Threshold 1 and Drop Threshold 2.]
Campus QoS Considerations
Where Is QoS Required Within the Campus?
[Diagram: campus with FastEthernet, GigabitEthernet and Ten GigabitEthernet links. QoS points labelled: No Trust + Policing + Queuing; Conditional Trust + Policing + Queuing; Trust DSCP + Queuing; Per-User Microflow Policing + CoPP (Cisco Catalyst 6500 PFC3). Endpoints shown: Server Farms, IP Phones + PCs, WAN Aggregator.]
QoS on the Catalyst 4500
[Diagram: packet flow RX → Classify → Police (ingress/egress) → enters fabric → leaves fabric → Queue 1, Queue 2, Queue 3, Queue 4 → Shaping, Sharing, Scheduling → TX. QoS actions at the Supervisor forwarding ASIC: FWD ASIC, TCAM, NFL TCAM (NFL2, Enhanced QoS). QoS actions at the scheduling ASIC: Sched ASIC, DBL (Dynamic Buffer Limiting).]
 Catalyst 4500 implements a sophisticated suite of QoS features
 These QoS features are implemented with three major components
  TCAMs (Policers)
  Netflow Feature (UBRL on SupV-10GE)
  Dynamic Buffer Limiting (DBL)
Cisco Catalyst 4500 QoS Design
Enabling QoS Globally
CAT4500#show qos
QoS is disabled globally ! By default QoS is disabled
IP header DSCP rewrite is enabled
CAT4500#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CAT4500(config)#qos ! Enables QoS globally for the Cat4500
CAT4500(config)#end
CAT4500#
CAT4500#show qos
QoS is enabled globally ! Verifies that QoS is enabled globally
IP header DSCP rewrite is enabled
CAT4500#
Cisco Catalyst 4500 QoS Design
Access-Layer QoS Design Options
[Diagram]
Global Commands: Globally Enable QoS + CoPP
Access-Edges: IP Phone + PC + Scavenger (Basic) Model; AutoQoS—VoIP Model; Trusted-Endpoint Model; each with 1P3Q1T Queuing + DBL
Uplinks to Distribution Layer: Trust-DSCP; 1P3Q1T Queuing + DBL
Cisco Catalyst 4500
Trusted Endpoint
Cisco IOS Trust:
CAT4500-IOS(config)#interface FastEthernet3/1
CAT4500-IOS(config-if)#qos trust dscp
Cisco Catalyst 4500
AutoQoS: VoIP Model
Options:
auto qos voip cisco-phone
auto qos voip trust
!
qos
qos dbl
qos map cos 3 to 26
qos map cos 5 to 46
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
!
policy-map autoqos-voip-policy
class class-default
dbl
!
Interface GigabitEthernet0/1
qos trust device cisco-phone
qos trust cos
tx-queue 3
priority high
shape percent 33
bandwidth percent 33
!
CAT4500(config-if)#auto qos voip cisco-phone
Cisco Catalyst 4500 QoS Design
Distribution and/or Core-Layer QoS Design
[Diagram]
Distribution Layer
Global: Globally Enable QoS + CoPP
Uplinks from Access-Layer Only: Trust-DSCP; 1P3Q1T Queuing + DBL; Optional (SupV-10GE Only): User-Based Rate-Limiting (UBRL)
Interswitch-Links: Trust-DSCP; 1P3Q1T Queuing + DBL
Core Layer
Global: Globally Enable QoS + CoPP
Interswitch-Links: Trust-DSCP; 1P3Q1T Queuing + DBL
Cisco Catalyst 4500 QoS Design
Queuing Design (1P3Q1T + DBL)
Application             | DSCP  | Queue
Network Control         | (CS7) | Queue 4 (40%)
Internetwork Control    | CS6   | Queue 4 (40%)
Voice                   | EF    | Q3 (30%), Priority Queue
Interactive Video       | AF41  | Queue 4 (40%)
Streaming Video         | CS4   | Queue 4 (40%)
Mission-Critical Data   | AF31  | Queue 4 (40%)
Call Signaling          | CS3   | Queue 4 (40%)
Transactional Data      | AF21  | Queue 4 (40%)
Network Management      | CS2   | Queue 4 (40%)
Bulk Data               | AF11  | Queue 1 (5%)
Scavenger               | CS1   | Queue 1 (5%)
Best Effort             | 0     | Queue 2 (25%)
Queue 4 carries CS6/CS7, CS4/AF41/AF42/AF43, CS3/AF31/AF32/AF33 and CS2/AF21/AF22/AF23; Queue 1 carries CS1/AF11; Queue 2 carries DSCP 0; the priority queue Q3 carries EF.
Cisco Catalyst 4500 QoS Design
Queuing Design (1P3Q1T + DBL)
CAT4500-SUP4(config)#qos dbl
! Globally enables DBL
CAT4500-SUP4(config)#qos dbl exceed-action ecn
! Optional: Enables DBL to mark RFC 3168 ECN bits in the IP ToS Byte
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#qos map dscp 0 to tx-queue 2
! Maps DSCP 0 (Best Effort) to Q2
CAT4500-SUP4(config)#qos map dscp 8 10 12 14 to tx-queue 1
! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
CAT4500-SUP4(config)#qos map dscp 16 18 20 22 to tx-queue 4
! Maps DSCP CS2 (Net-Mgmt) and AF21/AF22/AF23 (Transactional) to Q4
CAT4500-SUP4(config)#qos map dscp 24 26 28 30 to tx-queue 4
! Maps DSCP CS3 (Call-Signaling) and AF31/AF32/AF33 (MC Data) to Q4
CAT4500-SUP4(config)#qos map dscp 32 34 36 38 to tx-queue 4
! Maps DSCP CS4 (Str-Video) and AF41/AF42/AF43 (Int-Video) to Q4
CAT4500-SUP4(config)#qos map dscp 46 to tx-queue 3
! Maps DSCP EF (VoIP) to Q3 (PQ)
CAT4500-SUP4(config)#qos map dscp 48 56 to tx-queue 4
! Maps DSCP CS6 (Internetwork) and CS7 (Network) Control to Q4
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#policy-map DBL
CAT4500-SUP4(config-pmap)#class class-default
CAT4500-SUP4(config-pmap-c)# dbl ! Enables DBL on all traffic flows
CAT4500-SUP4(config-pmap-c)# end
CAT4500-SUP4#
Cisco Catalyst 4500 QoS Design
Queuing Design (1P3Q1T + DBL)
CAT4500-SUP4(config)#interface range FastEthernet2/1 - 48
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# shape percent 30 ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# exit
CAT4500-SUP4(config-if-range)#exit
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#interface range GigabitEthernet1/1 - 2
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 1
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 5 ! Q1 gets 5%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 2
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 25 ! Q2 gets 25%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30 ! PQ gets 30%
CAT4500-SUP4(config-if-tx-queue)# shape percent 30 ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 4
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 40 ! Q4 gets 40%
CAT4500-SUP4(config-if-tx-queue)#end
CAT4500-SUP4#
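A checker for the queuing configuration above against the campus queuing guidelines from the earlier slides (Best Effort at least 25%, Priority Queue at most 33%, Scavenger/Bulk at most 5%, and voice in the PQ), as an added example that is not Cisco's code and not part of the deck. It parses only the "qos map dscp ... to tx-queue" and tx-queue sub-mode command forms shown on these slides; the sample text is a constructed copy of them, and the function names are ours.

```python
"""Check a Catalyst 4500 1P3Q1T queuing configuration against the campus queuing
guidelines on the slides: PQ at most 33%, Best Effort at least 25%, Scavenger/Bulk at
most 5%, weights adding up to no more than 100%, and EF in the priority queue.
Example code, not Cisco's; it parses only the command forms shown on the slides and
the samples below are constructed copies of them."""
import re
from typing import Dict, List

SAMPLE_GLOBAL = """\
qos map dscp 0 to tx-queue 2
qos map dscp 8 10 12 14 to tx-queue 1
qos map dscp 16 18 20 22 to tx-queue 4
qos map dscp 24 26 28 30 to tx-queue 4
qos map dscp 32 34 36 38 to tx-queue 4
qos map dscp 46 to tx-queue 3
qos map dscp 48 56 to tx-queue 4
"""

SAMPLE_UPLINK = """\
interface GigabitEthernet1/1
 tx-queue 1
  bandwidth percent 5
 tx-queue 2
  bandwidth percent 25
 tx-queue 3
  priority high
  bandwidth percent 30
  shape percent 30
 tx-queue 4
  bandwidth percent 40
"""

EF, DF, CS1 = 46, 0, 8
MAP_RE = re.compile(r"^\s*qos map dscp ((?:\d+\s+)+)to tx-queue (\d+)\s*$")


def parse_dscp_map(text: str) -> Dict[int, int]:
    """DSCP -> tx-queue number from 'qos map dscp ... to tx-queue N' lines."""
    mapping: Dict[int, int] = {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            for d in m.group(1).split():
                mapping[int(d)] = int(m.group(2))
    return mapping


def parse_tx_queues(text: str) -> Dict[int, dict]:
    """Per-queue bandwidth/priority/shape from an interface's tx-queue sub-modes."""
    queues: Dict[int, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("tx-queue "):
            current = int(line.split()[1])
            queues.setdefault(current, {"bandwidth": 0, "priority": False, "shape": None})
        elif current is not None and line.startswith("bandwidth percent "):
            queues[current]["bandwidth"] = int(line.split()[-1])
        elif current is not None and line == "priority high":
            queues[current]["priority"] = True
        elif current is not None and line.startswith("shape percent "):
            queues[current]["shape"] = int(line.split()[-1])
    return queues


def check_queuing(dscp_map: Dict[int, int], queues: Dict[int, dict]) -> List[str]:
    findings = []
    pq = [n for n, q in queues.items() if q["priority"]]
    if len(pq) != 1:
        findings.append(f"expected exactly one priority queue, found {len(pq)}")
    else:
        if dscp_map.get(EF) != pq[0]:
            findings.append("EF (voice) is not mapped to the priority queue")
        shape = queues[pq[0]]["shape"]
        if shape is None:
            findings.append("priority queue is not shaped; it can starve the other queues")
        elif shape > 33:
            findings.append(f"priority queue shaped to {shape}%, guideline is at most 33%")
    total = sum(q["bandwidth"] for q in queues.values())
    if total > 100:
        findings.append(f"bandwidth percentages add up to {total}%")
    be_q, sc_q = dscp_map.get(DF), dscp_map.get(CS1)
    if be_q is not None and queues.get(be_q, {}).get("bandwidth", 0) < 25:
        findings.append("best-effort queue has less than the recommended 25%")
    if sc_q is not None and queues.get(sc_q, {}).get("bandwidth", 0) > 5:
        findings.append("scavenger/bulk queue has more than the recommended 5%")
    if sc_q is not None and sc_q == be_q:
        findings.append("scavenger shares a queue with best effort, so it cannot be starved first")
    return findings


def audit(global_text: str, interface_text: str) -> List[str]:
    return check_queuing(parse_dscp_map(global_text), parse_tx_queues(interface_text))


if __name__ == "__main__":
    print(audit(SAMPLE_GLOBAL, SAMPLE_UPLINK) or ["no findings"])
```

The last check matters for the resiliency argument made earlier in the deck: marking out-of-profile traffic down to CS1 only protects the other classes if CS1 actually lands in a queue that can be starved separately from best effort.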
C4500 (SupV-10GE) QoS Design
User-Based Rate Limiting (UBRL)
CAT4500-SUPV-10GE(config)#qos map dscp policed 0 24 46 to dscp 8
! Excess DVLAN & VVLAN traffic will be marked down to Scavenger (CS1)
CAT4500-SUPV-10GE(config)#class-map match-all UBRL-BY-SOURCE-IP
CAT4500-SUPV-10GE(config-cmap)#match flow ip source-address
CAT4500-SUPV-10GE(config)#policy-map UBRL-TO-5MBPS-SCAVENGER
CAT4500-SUPV-10GE(config-pmap)#class UBRL-BY-SOURCE-IP
CAT4500-SUPV-10GE(config-pmap-c)# police 5 mbps 8000 byte exceed-action policed-dscp-transmit
! Out-of-profile data traffic is marked down to Scavenger (CS1)
CAT4500-SUPV-10GE(config-pmap-c)# exit
CAT4500-SUPV-10GE(config-pmap)#exit
CAT4500-SUPV-10GE(config)#
CAT4500-SUPV-10GE(config)#interface GigabitEthernet2/1
CAT4500-SUPV-10GE(config-if)# service-policy input UBRL-TO-5MBPS-SCAVENGER
! Applies the UBRL policy to the uplink from the Access-Layer
CAT4500-SUPV-10GE(config-if)# end
CAT4500-SUPV-10GE#
[Diagram: Distribution-Layer Cisco Catalyst 4500 SupV-10GE]
Catalyst 6500 QoS
QoS Flow through the 6500
[Diagram: RX → receive queues (Priority Q and Queue, RX ARB) → INGRESS Classify & Police → EGRESS Classify & Police → Rewrite → transmit queues (Priority Q, Queue, Queue, Queue, WRR ARB) → TX]
Receive side:
 Incoming encap can be ISL, 802.1Q or None
 Scheduling: queue and threshold selected based on received CoS through a configurable map; CoS can be overwritten if the port is untrusted
Classification and policing:
 DSCP-based classification based on "trusted port", and on Layer 2, Layer 3 and Layer 4 information with ACLs
 Police via ACLs; police actions include Forward, Mark and Drop, based on burst (token bucket) and byte rate
Rewrite:
 Rewrite the ToS field in the IP header and the 802.1p/ISL CoS field
Transmit side:
 Each queue has configurable thresholds; some have WRED (except the PQ)
 Scheduling: queue and threshold selected based on CoS through a map
 De-queue uses WRR or SRR between the round-robin queues
 Outgoing encap can be ISL, 802.1Q or None
Cisco Catalyst 6500 QoS Design
Globally Enabling QoS
CAT6500-IOS(config)# mls qos
CAT6500-IOS(config)#end
CAT6500-IOS#
CAT6500-IOS# show mls qos
QoS is enabled globally
Microflow policing is enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
----- Module [2] -----
QoS global counters:
Total packets: 65
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 0
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
CAT6500-IOS#
Cisco Catalyst 6500 QoS Design
Access-Layer Cisco Catalyst 6500 QoS Design Options
[Diagram]
Global Commands: Globally Enable QoS + CoPP
Access-Edges: IP Phone + PC + Scavenger (Basic) Model; AutoQoS—VoIP Model; Trusted-Endpoint Model
Uplinks to Distribution Layer: Trust-DSCP; Globally-Defined Linecard-Dependent Queuing + Dropping
Control Plane Policing (CoPP) is only supported on PFC3
Cisco Catalyst 6500 QoS Design
Trusted Endpoint Examples
Cisco IOS Trust:
CAT6500-IOS(config)#interface FastEthernet3/1
CAT6500-IOS(config-if)#mls qos trust dscp
TRUST set to TRUST DSCP
Cisco Catalyst 6500
AutoQoS VoIP (coming in 12.2(33)SXH release)
Options:
auto qos voip cisco-phone
auto qos voip cisco-softphone
auto qos voip trust

mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56
interface fastethernet 2/3
wrr-queue cos-map 1 1 0
wrr-queue cos-map 2 1 1 2 3 4
wrr-queue cos-map 2 2 5 6 7
wrr-queue queue-limit 80 20
wrr-queue bandwidth 100 255
wrr-queue threshold 1 100 100
wrr-queue threshold 2 80 100
rcv-queue cos-map 1 1 0
rcv-queue cos-map 1 3 1 2 3 4
rcv-queue cos-map 1 4 5 6 7
rcv-queue threshold 1 50 60 80 100
CAT6500(config-if)#auto qos voip cisco-phone
Cisco Catalyst 6500 QoS Design
Distribution and/or Core-Layer QoS Design
[Diagram]
Distribution Layer
Global: Globally Enable QoS + CoPP
Uplinks from Access-Layer Only: Trust-DSCP; Interface-Group Linecard-Dependent Queuing + Dropping; Optional (PFC3 Only): Per-User Microflow Policing
Interswitch-Links: Trust-DSCP; Interface-Group Linecard-Dependent Queuing + Dropping
Core Layer
Global: Globally Enable QoS + CoPP
Interswitch-Links: Trust-DSCP; Interface-Group Linecard-Dependent Queuing + Dropping
Control Plane Policing (CoPP) is only supported on PFC3
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)
Application             | DSCP | CoS | Queue / Threshold
Network Control         | –    | 7   | Q3T5
Internetwork Control    | CS6  | 6   | Q3T4
Voice                   | EF   | 5   | Q4 (Priority Queue)
Interactive Video       | AF41 | 4   | Q3T1
Streaming Video         | CS4  | 4   | Q3T1
Mission-Critical Data   | AF31 | 3   | Q3T3
Call Signaling          | CS3  | 3   | Q3T3
Transactional Data      | AF21 | 2   | Q3T2
Network Management      | CS2  | 2   | Q3T2
Bulk Data               | AF11 | 1   | Q1T1
Scavenger               | CS1  | 1   | Q1T1
Best Effort             | 0    | 0   | Q2T1
Queue weights: Queue 1 (5%), Queue 2 (25%), Queue 3 (70%); Q4 is the priority queue.
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)
CAT6500-IOS(config)# interface range GigabitEthernet1/1 - 48
CAT6500-IOS(config-if-range)# wrr-queue queue-limit 5 25 40
! Allocates 5% for Q1, 25% for Q2 and 40% for Q3
CAT6500-IOS(config-if-range)# wrr-queue bandwidth 5 25 70
! Sets the WRR weights for 5:25:70 (Q1:Q2:Q3) bandwidth servicing
CAT6500-IOS(config-if-range)# wrr-queue random-detect 1 ! Enables WRED on Q1
CAT6500-IOS(config-if-range)# wrr-queue random-detect 2 ! Enables WRED on Q2
CAT6500-IOS(config-if-range)# wrr-queue random-detect 3 ! Enables WRED on Q3
CAT6500-IOS(config-if-range)#
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
! Sets Min WRED Threshold for Q1T1 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
! Sets Max WRED Threshold for Q1T1 to 100% and all others to 100%
CAT6500-IOS(config-if-range)#
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
! Sets Min WRED Threshold for Q2T1 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
! Sets Max WRED Threshold for Q2T1 to 100% and all others to 100%
CAT6500-IOS(config-if-range)#
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
! Sets Min WRED Threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 70%
! Q3T4 to 80%, Q3T5 to 90% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
! Sets Max WRED Threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80%
! Q3T4 to 90%, Q3T5 to 100% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue cos-map 1 1 1
! Maps Scavenger/Bulk to Q1 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 2 1 0
! Maps Best Effort to Q2 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 1 4
! Maps Video to Q3 WRED Threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 2 2
! Maps Net-Mgmt and Transactional Data to Q3 WRED T2
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 3 3
! Maps Call-Signaling and Mission-Critical Data to Q3 WRED T3
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 4 6
! Maps Internetwork-Control (IP Routing) to Q3 WRED T4
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 5 7
! Maps Network-Control (Spanning Tree) to Q3 WRED T5
CAT6500-IOS(config-if-range)# priority-queue cos-map 1 5
! Maps VoIP to the PQ (Q4)
CAT6500-IOS(config-if-range)#end
CAT6500-IOS#
C6500 (PFC3) QoS Design
PFC3 Per-User Microflow Policing
CAT6500-IOS(config)#mls qos map policed-dscp normal 0 24 26 34 36 to 8
! Excess traffic marked 0, CS3, AF31, AF41 or AF42 will be remarked to CS1
CAT6500-IOS(config)#class-map match-any VVLAN-TRAFFIC
CAT6500-IOS(config-cmap)# match ip dscp ef
CAT6500-IOS(config-cmap)# match ip dscp cs3
CAT6500-IOS(config-cmap)#class-map match-all DVLAN-TRAFFIC
CAT6500-IOS(config-cmap)# match ip dscp 0
CAT6500-IOS(config-cmap)#policy-map PER-USER-POLICING
CAT6500-IOS(config-pmap)# class VVLAN-TRAFFIC
CAT6500-IOS(config-pmap-c)# police flow mask src-only 160000 8000 conform-action transmit exceed-action drop
! Traffic from any VVLAN source (IP Phones) in excess of 160 kbps is dropped
CAT6500-IOS(config-pmap)# class DVLAN-TRAFFIC
CAT6500-IOS(config-pmap-c)# police flow mask src-only 5000000 8000 conform-action transmit exceed-action policed-dscp-transmit
! Traffic from any DVLAN source (PCs) in excess of 5 Mbps is remarked to CS1
CAT6500-IOS(config-pmap-c)# exit
[Diagram: Distribution-Layer Cisco Catalyst 6500 Sup720]
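The policing behaviour of two of the models in this section, as an added example that is not Cisco's code and not part of the deck: the per-source-IP token buckets of the PFC3 per-user microflow policy above (and the equivalent Catalyst 4500 UBRL policy), and the per-port, per-class policers of the earlier "IP Phone + PC + Scavenger (Basic) Model" flowchart. Rates, the 8000-byte burst of the microflow policers and the policed-DSCP map are taken from the slides; the burst applied to the access-edge rules, the VLAN ids, the packet sizes and the class/function names are our assumptions.

```python
"""Token-bucket policing for two edge models on the slides: the access-edge
'IP Phone + PC + Scavenger (Basic)' model (one policer per port and class) and
per-user microflow policing (one policer per source IP, 'flow mask src-only').
Example code, not Cisco's. Rates and the policed-DSCP map come from the slides; the
8000-byte burst on the access-edge rules, VLAN ids and packet sizes are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

EF, CS3, CS1, DF = 46, 24, 8, 0
VVLAN, DVLAN = 110, 10  # voice/data VLAN ids (assumed; the trust-boundary slide uses 110 and 10)


@dataclass
class Packet:
    src: str
    vlan: int
    dscp: int
    size: int  # bytes


class TokenBucket:
    """Single-rate policer: rate in bits/s, burst (bc) in bytes."""

    def __init__(self, rate_bps: float, burst_bytes: int) -> None:
        self.rate_bps, self.burst = rate_bps, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def conform(self, size: int, now: float) -> bool:
        # Refill at rate_bps/8 bytes per second, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


Action = Tuple[str, Optional[int]]  # ("transmit"|"drop"|"remark"|"policed-dscp", dscp)


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    rate_bps: float
    burst_bytes: int
    conform: Action
    exceed: Action


# mls qos map policed-dscp normal 0 24 26 34 36 to 8, from the PFC3 slide
POLICED_DSCP = {0: CS1, 24: CS1, 26: CS1, 34: CS1, 36: CS1}


class Policer:
    """First matching rule wins; one token bucket per (rule, flow key)."""

    def __init__(self, rules: List[Rule], flow_key: Callable[[Packet], str] = lambda p: "port"):
        self.rules, self.flow_key = rules, flow_key
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def apply(self, pkt: Packet, now: float) -> Optional[int]:
        """Return the DSCP the packet leaves with, or None if it is dropped."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            key = (rule.name, self.flow_key(pkt))
            bucket = self.buckets.setdefault(key, TokenBucket(rule.rate_bps, rule.burst_bytes))
            kind, dscp = rule.conform if bucket.conform(pkt.size, now) else rule.exceed
            if kind == "drop":
                return None
            if kind == "remark":
                return dscp
            if kind == "policed-dscp":
                return POLICED_DSCP.get(pkt.dscp, pkt.dscp)
            return pkt.dscp
        return pkt.dscp  # class-default: transmit unchanged


# 'IP Phone + PC + Scavenger (Basic) Model' slide, applied per access port.
ACCESS_EDGE_BASIC = [
    Rule("VVLAN-VOICE", lambda p: p.vlan == VVLAN and p.dscp == EF, 128_000, 8000, ("transmit", None), ("drop", None)),
    Rule("VVLAN-CALL-SIGNALING", lambda p: p.vlan == VVLAN and p.dscp == CS3, 32_000, 8000, ("remark", CS3), ("remark", CS1)),
    Rule("VVLAN-ANY", lambda p: p.vlan == VVLAN, 32_000, 8000, ("remark", DF), ("remark", CS1)),
    Rule("DVLAN-ANY", lambda p: p.vlan == DVLAN, 5_000_000, 8000, ("remark", DF), ("remark", CS1)),
]

# 'PFC3 Per-User Microflow Policing' slide, keyed by source IP.
PER_USER_POLICING = [
    Rule("VVLAN-TRAFFIC", lambda p: p.dscp in (EF, CS3), 160_000, 8000, ("transmit", None), ("drop", None)),
    Rule("DVLAN-TRAFFIC", lambda p: p.dscp == DF, 5_000_000, 8000, ("transmit", None), ("policed-dscp", None)),
]


def summarize(policer: Policer, timed_packets: List[Tuple[float, Packet]]) -> Dict[tuple, int]:
    """Count outcomes per (source, result), where result is the egress DSCP or 'drop'."""
    counts: Dict[tuple, int] = {}
    for now, pkt in timed_packets:
        out = policer.apply(pkt, now)
        key = (pkt.src, "drop" if out is None else out)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed: two PCs each burst ten 1000-byte best-effort packets at t=0.
    burst = [(0.0, Packet(ip, DVLAN, DF, 1000)) for ip in ("10.1.10.5", "10.1.10.6") for _ in range(10)]
    print(summarize(Policer(PER_USER_POLICING, flow_key=lambda p: p.src), burst))
```

Two properties of the slides' design show up directly in the counts: with the flow key set to the source IP every host gets its own bucket, so one host's burst does not consume another's allowance, and the access-edge model never trusts a PC's own marking, since any DVLAN packet is remarked to 0 when in profile and to CS1 when not, whatever DSCP the PC wrote.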
design__day_presentation.ppt

  • 1. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 1 Evolving Your Business To Unified Communications
  • 2. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 2 8:00 Registration 8:30 Welcome Introduction 8:45 Capabilities Discussion of your existing network 9:00 Network Requirements for Unified Communications Business Resiliency with HA Securing the Network Infrastructure and Demo 11:00 Break Quality of Service 12:00 Lunch Break 12:45 High Availability Demonstration Ensure the additional demands for UC uptime 1:45 Deployment Models for Unified Communications 2:20 Break 2:30 Example Unified Communications Networks Taking the next step, Walk through the integration of UC 4:00 Meet the Experts Whiteboard scenarios and questions AGENDA
  • 3. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 3 Growth of Converged Applications Switches Must Scale to New Evolving Levels of Service Telephony IP Digital Imaging Storage Networking Conferencing Video Communications Web Apps Wireless Resources Higher Performance
  • 4. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 4 Voice Data Video In response to current business forces, businesses are already naturally taking an “evolutionary” approach to advancing their business. They are looking to continuously and incrementally improve their business. Evolution, NOT Revolution
  • 5. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 5 Evolving Solutions for Evolving Business • Modular Has Greater Lifetime • Only Software or Supervisor needs Upgrade • Evolving Platform • Smartports • Single Chassis • Free CNA GUI • Various Chassis • Power Supplies • Supervisors • Line Cards
  • 6. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 6 Chassis = 12% Dual AC Power = 5% Supervisor II = 15% 6 Port GBIC = 7% 2*48-port 10/100 = 24% 2*48 port 10/100/1000 = 27% 8 GBICs = 10% Initial Investment = 100% Why Investment Protection Matters Architecture Designed to Evolve as Technology Evolves In this example, Supervisor II represents only 15% of the Original Purchase Price Catalyst 4506 with Supervisor II Supervisor II- Plus Upgrade ONLY the Supervisor to upgrade the capabilities of ALL Ports 85% of initial investment is maintained!
  • 7. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 7 Catalyst Modular Fixed/Low Cost Competitors FEATURES / TIME COST $ Platform Upgrade Costs Capex Savings with Modular L2 1999 L3 2001 10/100/1000 2002 802.3AF 2003 10GE 2004 Effective Investments Today Provide Greater Long-term Value Why Platform Flexibility and Lifetime Matters Maximize Your Investment
  • 8. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 8 Why Total Cost of Ownership (TCO) Matters  Capital Expenditure is ONE element of the total cost of a system  Operational and Opportunity Costs outweigh Capital Expenditures Capital Expenditures* (20%) Operational Costs* (80%) Troubleshooting Maintenance Upgrading software Skilled Technical Staff Facilities Lost Opportunity Costs Missed or Delayed Business Opportunities Due to Unavailable Technologies * Source: Momenta Research, 2003
  • 9. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 9 Scalability Value in a Switch Today Far More Than Speeds and Feeds Driver: High Cost of Security Breaches and Downtime Driver: Growing Unified Communications Deployments Driver: Network Demands Growing Faster Than IT Staff Driver: Higher Network ROI Requirements Value in a Switch
  • 10. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 10 Cisco Catalyst 4500 & 6500 Series The Industry-Leading Modular Switching Platforms Delivering Maximum Value Leading Scalability • Maximum Operational Efficiency • Enables Faster Response to Evolving Business Opportunities
  • 11. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 11 Catalyst 4500 Series Scalable Architecture Integrated Voice/Video /Data Predictable Performance Catalyst 4500 Series Mid-Range, Layer 2-4 Modular Switching Platform Layer 2/3/4 Standard Manageability PSTN High-Density 10/100/1000 Fiber or Copper IP Phones QOS/Traffic Management Metro Ethernet Access Security Integrated Resiliency 10GE connectivity
  • 12. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 12 Catalyst 4500 Series Milestones & Innovations Aug 1998 -Invented Patented TCAM Technology Jan 1999 -Catalyst 4000 Layer 2 Switch May 2000 -Cisco Pre-Standard PoE Nov 2001 -Industry’s First High Density 10/100/1000 LC Jan 2002 -Second Generation IOS Based Supervisor Jun 2003 -Patented Catalyst Integrated Security Features Feb 2004 -IEEE PoE Sept 2004 -Enhanced HA with SSO Dec 2004 -Line Rate L3 10 GE Supervisor V-10GE Mar 2005 -Catalyst 4900 Series for Top of Rack Dec 2005 -Line Rate L2 10 GE Supervisor II-10GE Oct 2006 -In Service Software Upgrades (ISSU) Pioneer Award Pioneer Award Pioneer Award
  • 13. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 13 Award-Winning Cisco Catalyst 4500 and 4948 Series “Best Enterprise Switch 2006” “Best in Test 2006” NETWORKWORLD Catalyst 4500 Series Catalyst 4948 Series
• 14. Catalyst 4003/4006 End of Support
  Milestone, definition, date:
  - End of Cat OS Software Maintenance Releases: the last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will NO LONGER develop, repair, maintain, or test CAT OS. May 3, 2006
  - End of Routine Failure Analysis: the last possible date a routine failure analysis may be performed to determine the cause of product failure or defect. May 3, 2006
  - End of New Service Attachment: for equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract. May 3, 2006
  http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_eol_notice0900aecd80324aee.html
• 15. Catalyst 4000/4500 Recommended Transition
  Legend: EOS (no new feature development) versus strategic direction of the platform
  Chassis transition/positioning (low-end, installed base, high-end): WS-C4003, WS-C4006, WS-C4503, WS-C4506, WS-C4507R, WS-C4510R
  Supervisor transition/positioning (low-end, installed base, high-end): WS-X4012, WS-X4013, WS-X4014, WS-X4013+, WS-X4013+10GE, WS-X4013+TS, WS-X4515, WS-X4516, WS-X4516-10GE
  Milestones (Cat4006 and Sup II | Cat4003, Sup I, Sup III):
    - Internal EoS announcement: 3/22/2004 | 12/15/2003
    - External EoS announcement: 5/3/2004 | 1/26/2004
    - End of orderability: 5/3/2005 | 7/26/2004
    - End of SW maintenance: 5/3/2006 | 7/26/2005
    - End of support: 5/3/2010 | 7/26/2009
• 16. Catalyst 4500: Innovation and Investment Protection
  Timeline 1999 to 2012 (development continuing past 2007): Layer 2, PoE, L2/3/4, 10/100/1000, 10-GbE, SSO, NAC, NSF, CoPP, ISSU, all on the SAME LINE CARDS with forward/backward compatibility
• 17. Catalyst 6500 Series: Flagship, Layer 2-7 Modular Switching
  - Chassis options: 3, 4, 6, 9, 13 slots
  - Supervisor options: Sup 32, Sup 720, PFCs
  - Ethernet modules: Gigabit Ethernet, 10 Gigabit Ethernet, 96-port 10/100 TX, field-upgradeable 802.3af PoE, 10/100/1000 TX, 100BASE-X (FX, BX, LX)
  - WAN modules: Enhanced FlexWAN (DS0 to OC-3), Optical Service Modules (OC-3 to OC-48), Shared Port Adapters (SPAs) (DS0 to OC-192)
  - Service modules: Communication Media, Network Analysis, Wireless LAN, Application Control Engine, Firewall, IPSec
• 18. Catalyst 6500 EOS Update
  Product | Announcement date | EOS effective date | Replacement product
  - WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC, WS-X6K-S1A-MSFC2 | 9/24/04 | 3/25/05 | WS-SUP320-GE-3B, WS-SUP32-10GE-3B
  - WS-C6503 | 11/1/05 | 11/1/06 | WS-C6503-E, WS-C6504-E
  - WS-C6506 | 11/1/05 | 11/1/06 | WS-C6506-E
  - WS-X6509 | 11/1/05 | 11/1/06 | WS-C6509-E
  - WS-CDC-1300W | 4/15/06 | 10/14/06 | PWR-4000-DC
  - WS-X6K-S2-PFC2, WS-X6K-S2-MSFC2, WS-X6K-S2U-MSFC2, WS-X6500-SFM2 | 3/1/06 | 3/1/07 | WS-SUP32-GE-3B, WS-SUP32-10GE-3B, WS-SUP720-3B
  - WS-X6024-10FL-MT | 12/15/05 | 6/15/06 | WS-X6148-FE-SFP
  - WS-X6324-100FX-MM | 12/15/05 | 6/15/06 | WS-X6148-FE-SFP
  - WS-X6324-100FX-SM | 12/15/05 | 6/15/06 | WS-X6148-FE-SFP
• 19. Catalyst 6500 Series Evolutionary Architecture (timeline 1999 to 2010)
  - Introduced Catalyst 6500 with Supervisor Engine 1
  - Supervisor Engine 2 with Switch Fabric Module scaling to 256G
  - Distributed Forwarding Cards
  - Supervisor Engine 720 with IPv6, GRE, NAT, and bi-directional PIM in hardware
  - Service modules and new 67xx line cards
  - PFC3B and 3BXL with MPLS support in hardware
  - Supervisor Engine 32 with 8x1G and 2x10G uplink options
  - 8x10G line card, Application Control Engine, Cisco IOS Software Modularity
  - Continued innovation and support
• 20. Why Invest in a Modular Platform? Delivering a Higher Value
  Optimal platform for Unified Communications: higher availability, higher security, ease of use, management, quality of service
• 21. Building a Unified Communications Network: Modular Infrastructure, HA, Security, and QoS
  • Access layer: auto phone detection, inline power, QoS (scheduling, trust boundary and classification), fast convergence
  • Distribution layer: high availability, redundancy, fast convergence; policy enforcement; QoS (scheduling, trust boundary and classification)
  • Core: high availability, redundancy, fast convergence; QoS (scheduling, trust boundary)
  (Diagram: access, distribution and core tiers joined by Layer 3 equal-cost links, with data center, WAN and Internet blocks)
• 22. Network Design Seminar for Unified Communications: Unified Communications Infrastructure, High Availability & Security
• 23. Building a Unified Communications Network: Infrastructure Integration, HA, Security, and QoS
  • Campus network design is evolving in response to multiple drivers:
    - User expectations: always-on access to communications
    - Business requirements: globalization means true 7x24x365
    - Technology requirements: Unified Communications
    - Unexpected requirements: worms, viruses, ...
  • Campus design needs to evolve to a 'resilient' model leveraging an integrated approach to high availability, security and quality of service
  (Diagram: the OSI layers, physical through application, beside the campus topology)
• 24. Building a Unified Communications Network: UC Integrated with Network QoS, Security and HA
  • The phone contains a 3-port switch that is dynamically configured by the access switch and CallManager:
    1. Power negotiation
    2. VLAN configuration
    3. 802.1x interoperation
    4. QoS configuration
    5. DHCP
    6. CallManager registration
  • Boot sequence: switch detects the IP phone and applies power; CDP transaction between phone and switch; IP phone placed in the proper VLAN; DHCP request and CallManager registration
  • UC endpoints dynamically participate in the overall network QoS, security and core HA infrastructure
• 25. Building a Unified Communications Network: It's More Than Having All Three Services Configured
  • High availability, quality of service and security are all necessary elements
  • A Unified Communications network requires all three implemented in a consistent fashion
  • A resilient Unified Communications network requires all three implemented to reinforce and supplement each other
• 26. ESE Campus Solution Test Bed: Verified Design Recommendations
  - Total of 68 access switches: 2950, 2970, 3550, 3560, 3750, 4507 SupII+, 4507 SupIV, 6500 Sup2, 6500 Sup32, 6500 Sup720, plus 40 APs (1200)
  - Distribution: three distribution blocks of 6500 with redundant Sup720s, and three distribution blocks of 6500 with redundant Sup720 and 4507 with redundant SupV
  - Core: 6500 with redundant Sup720s
  - WAN, Internet and data center edge: 7206VXR NPE-G1, 4500 SupII+, 6500 Sup720, FWSM, WLSM, IDSM2, MWAM
  - 8400 simulated hosts, 3k-10k routes, end-to-end flows: TCP, UDP, RTP, IP multicast
• 27. Unified Communications Network Agenda
  • Resilient Network Design
    - Network Resiliency: High Availability Design Principles
    - Redundancy in the Distribution Block
    - Redundancy and Routing Design
    - Switch Resiliency: NSF/SSO, ISSU & IOS Modularity, GOLD & EEM
    - Hardening the Network: Layer 2 Security
  • Quality of Service
• 28. High Availability Campus Design: Structure, Modularity and Hierarchy
  • Optimize the interaction of the physical redundancy with the network protocols:
    - Provide the necessary amount of redundancy
    - Pick the right protocol for the requirement
    - Optimize the tuning of the protocol
  • The network looks like this so that we can map the protocols onto the physical topology
  • We want to build networks that look like this: redundant switches, redundant supervisors, redundant links (Layer 2 or Layer 3), Layer 3 equal-cost links
  (Diagram: hierarchical campus with data center, WAN and Internet blocks)
• 29. Hierarchical Campus Network: Structure, Modularity and Hierarchy
  (Diagram: a flat, non-hierarchical topology with server farm, WAN, Internet and PSTN all cross-connected, labelled "Not This!!")
• 30. Hierarchical Campus Network: Do I Need a Core Layer? (No Core)
  • Fully meshed distribution layers
  • Physical cabling requirement
  • Routing complexity
  Growth without a core: the second building block adds 4 new links; the third adds 8 new links (12 links total, 5 IGP neighbors); the fourth adds 12 new links (24 links total, 8 IGP neighbors)
• 31. Hierarchical Campus Network: Do I Need a Core Layer? (Dedicated Core Switches)
  • Easier to add a module
  • Fewer links in the core
  • Easier bandwidth upgrade
  • Routing protocol peering reduced
  • Equal-cost Layer 3 links for best convergence
  Growth with a dedicated core: the second building block adds 8 new links; the third adds 4 new links (12 links total, 3 IGP neighbors); the fourth adds 4 new links (16 links total, 3 IGP neighbors)
• 32. Foundations for Optimal Convergence: Layer 1
  • Direct point-to-point fiber provides for fast failure detection
  • IEEE 802.3z and 802.3ae link negotiation define the use of the Remote Fault Indicator and Link Fault Signaling mechanisms
  • Bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side
  • Do not disable auto-negotiation on GigE and 10GigE interfaces
  • Carrier-delay: 3560, 3750 and 4500: 0 msec; 6500: leave it at the default 50 msec
  • The default debounce timer on GigE and 10GigE fiber line cards is 10 msec; the minimum debounce for copper is 300 msec
  Three stages of link-down detection: (1) remote IEEE fault detection mechanism, (2) line card throttling: debounce timer, (3) Cisco IOS throttling: carrier-delay timer
• 33. Foundations for Optimal Convergence: Layer 2 & Layer 3
  • With routed interfaces, a physical interface state change results in direct notification of the routing processes
  • With a logical L3 interface (e.g. an SVI), physical events trigger L2 spanning tree changes first, which then trigger RP notification (L2 link down, then L3 interface down)
  • Indirect failures, which no local link-down event reports, require a software process such as routing protocol hellos to detect the failure
  • To improve failure detection, use routed interfaces between L3 switches
• 34. Foundations for Optimal Convergence: CEF Equal-Cost Path Recovery
  • In the recommended design the recovery from most component failures is based on L3 CEF equal-cost path recovery
  • Time to restore traffic flows is based on: time to detect the link failure; processing the removal of the lost routes from the software FIB; updating the hardware FIB
  • No dependence on external events (no routing protocol convergence required)
  • Behavior is deterministic: with equal-cost links, a link or box failure does not require multi-box interaction
• 35. Catalyst Switch Redundancy and Protocol Interaction: Time to Recovery of CEF Paths
  Steps after a link failure:
    1. Link failure detection
    2. Removal of the entries in the routing table
    3. Update of the software CEF table to reflect the loss of the next-hop adjacencies
    4. Update of the hardware tables
    5. Routing protocol notification and reconvergence
  Tables involved:
    - Software routing table (RIB): prefix 10.255.0.0/16 with next hops 10.10.1.1 via gig 1/1 and 10.20.1.1 via gig 1/2
    - Cisco IOS software CEF tables and the hardware tables (same layout): FIB table with prefix 10.255.0.0/16 and adjacency pointers Adj1 (gig 1/1) and Adj2 (gig 1/2); adjacency table with rewrite information AA.AA.AA.AA.AA, VLAN and BB.BB.BB.BB.BB, VLAN
• 36. Equal-Cost Multi-Path: Optimizing CEF Load Sharing
  • Up to eight equal-cost CEF paths are supported in hardware today
  • Depending on the traffic flow patterns, one algorithm may provide better load-sharing results than another (the diagram shows a 30%/70% split of flows across two equal-cost links with the simple algorithm)
  Catalyst 4500 load-balancing options:
    - Original: Src IP + Dst IP
    - Universal: Src IP + Dst IP + Unique ID
    - Include Port: Src IP + Dst IP + (Src 'or' Dst Port) + Unique ID
  Catalyst 6500 PFC3* load-balancing options:
    - Default: Src IP + Dst IP + Unique ID
    - Full: Src IP + Dst IP + Src Port + Dst Port + Unique ID (optional)
    - Full Exclude Port: Src IP + Dst IP + (Src 'or' Dst Port)
    - Full Simple: Src IP + Dst IP + Src Port + Dst Port (no Unique ID)
    - Simple: Src IP + Dst IP (no Unique ID)
• 37. Unified Communications Network Agenda (repeat of slide 27; next topic: Redundancy in the Distribution Block)
• 38. Multilayer Network Design: Layer 2 Access with Layer 3 Distribution
  • Loop-free design, each access switch has unique VLANs (VLAN 10, 20, 30 in the diagram):
    - No Layer 2 loops
    - Layer 3 link between the distribution switches
    - No blocked links
  • Looped design, at least some VLANs span multiple access switches (VLAN 30 on every access switch in the diagram):
    - Layer 2 loops
    - Layer 2 and 3 running over the link between the distribution switches
    - Blocked links
• 39. Layer 2 Access: Layer 2 Loops and Spanning Tree
  • Implement physical L2 loops only when you have to
  • Spanning tree protocol is very, very rarely the problem
  • L2 has no native mechanism to dampen down a problem
  • Utilize Rapid PVST+ for best convergence
  • Take advantage of the Spanning Tree Toolkit to help prevent a problem: UDLD, Loop Guard, Root Guard, BPDU Guard
  • Limit the size of the L2 domain
  (Diagram: Switch 1 and Switch 2 joined on ports 3/1 and 3/2, with a frame from 0000.0000.3333 to DST MAC 0000.0000.4444 circulating)
• 40. Layer 2 Loops and Spanning Tree: Spanning Tree Should Behave the Way You Expect
  • The root bridge should stay where you put it: Loop Guard and Root Guard, UDLD
  • Only end-station traffic should be seen on an edge port: BPDU Guard, port security
  • There is a reasonable limit to broadcast and multicast traffic volumes: on the 4500 and 6500 configure storm control on backup links to aggressively rate-limit broadcast and multicast; utilize the Sup720 rate limiters or the SupIV/V hardware queuing structure
  (Diagram: STP root at the distribution layer protected by Root Guard and Loop Guard; access edge ports with PortFast, BPDU Guard or Root Guard, and port security; storm control on backup links)
• 41. Optimizing L2 Convergence: PVST+, Rapid PVST+ or MST
  • Rapid PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link up
  • Rapid PVST+ also greatly improves convergence time over BackboneFast for any indirect link failures
  • PVST+ (802.1D): traditional spanning tree implementation
  • Rapid PVST+ (802.1w): scales to large size (~10,000 logical ports); easy to implement, proven, scales
  • MST (802.1s): permits very large-scale STP implementations (~30,000 logical ports); not as flexible as Rapid PVST+
  (Chart: time to restore data flows in seconds, 0 to 35, upstream and downstream, for PVST+ versus Rapid PVST+)
• 42. UDLD: Protecting Against One-Way Communication
  • While 802.3z and 802.3ae link negotiation provide for L1 fault detection, hardware ASIC failures can still occur
  • UDLD provides an L2-based keepalive mechanism that confirms bidirectional L2 connectivity
  • Each switch port configured for UDLD sends UDLD protocol packets (at L2) containing the port's own device/port ID and the neighbor's device/port IDs seen by UDLD on that port
  • If the port does not see its own device/port ID echoed in the incoming UDLD packets, the link is considered unidirectional and is shut down
  (Diagram: Tx and Rx fiber strands between two switches)
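The echo check described on the slide, modelled in Python as an added example (this is not Cisco code). Each port advertises its own device/port ID plus the neighbor IDs it has heard; a port that hears a neighbor but never sees itself echoed back declares the link unidirectional and err-disables. The probe format, timers and the retry count for aggressive mode (assumed to be 8 missed probes) are simplified to what the detection logic needs, and the device names are made up.

```python
"""Model of the UDLD device/port-ID echo check (added example, not Cisco code)."""
from dataclasses import dataclass, field

UNDETERMINED, BIDIRECTIONAL, ERRDISABLE = "undetermined", "bidirectional", "errdisable"


@dataclass
class UdldPort:
    device_id: str
    port_id: str
    aggressive: bool = False
    retries: int = 8          # aggressive mode: missed probes before err-disable (assumed value)
    neighbors: set = field(default_factory=set)
    missed: int = 0
    state: str = UNDETERMINED

    @property
    def me(self):
        return (self.device_id, self.port_id)

    def probe(self):
        """Outgoing UDLD packet: my own ID plus every neighbor ID heard on this port."""
        return {"sender": self.me, "echo": set(self.neighbors)}

    def receive(self, probe):
        """probe is None when nothing arrived on the RX strand during this interval."""
        if self.state == ERRDISABLE:
            return
        if probe is None:
            # Silence from a neighbor we used to hear: only aggressive mode reacts
            if self.neighbors and self.aggressive:
                self.missed += 1
                if self.missed >= self.retries:
                    self.state = ERRDISABLE
            return
        self.missed = 0
        sender = probe["sender"]
        if self.me in probe["echo"]:
            self.state = BIDIRECTIONAL       # neighbor hears us, we hear it
        elif sender in self.neighbors:
            self.state = ERRDISABLE          # neighbor has had a chance to echo us and did not: our TX is dead
        self.neighbors.add(sender)


def run_udld(a, b, intervals):
    """intervals: list of (a_to_b_ok, b_to_a_ok) per message interval; returns final states."""
    for a_to_b, b_to_a in intervals:
        pa, pb = a.probe(), b.probe()
        a.receive(pb if b_to_a else None)
        b.receive(pa if a_to_b else None)
    return a.state, b.state


def healthy_link():
    a, b = UdldPort("SW1", "Gi1/1"), UdldPort("SW2", "Gi1/1")
    return run_udld(a, b, [(True, True)] * 3)


def tx_strand_dead():
    """SW1's transmit fiber is cut from the start: SW2 never hears SW1, so
    SW2's probes never echo SW1 and SW1 err-disables its port."""
    a, b = UdldPort("SW1", "Gi1/1"), UdldPort("SW2", "Gi1/1")
    return run_udld(a, b, [(False, True)] * 3)


def rx_strand_dies_later(aggressive):
    """The link is healthy, then SW1 stops receiving. Normal mode keeps a stale
    'bidirectional' state; aggressive mode err-disables after the retries."""
    a = UdldPort("SW1", "Gi1/1", aggressive=aggressive)
    b = UdldPort("SW2", "Gi1/1", aggressive=aggressive)
    return run_udld(a, b, [(True, True)] * 2 + [(True, False)] * 8)


if __name__ == "__main__":
    print("healthy          :", healthy_link())
    print("tx strand dead   :", tx_strand_dead())
    print("rx dies, normal  :", rx_strand_dies_later(False))
    print("rx dies, aggress.:", rx_strand_dies_later(True))
```

The third scenario is the one that matters for a UC design: in normal mode a port that simply stops hearing its neighbor stays up with a stale bidirectional state, which is why UDLD aggressive mode is the usual choice on fiber uplinks.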
• 43. Trunk Design Considerations: Native VLAN, 802.1Q
  • 802.1Q does not encapsulate (tag) the native VLAN
  • Two potential problems:
    - Security vulnerability: with the right knowledge of the network it is possible to 'VLAN hop' (a frame sent from the native VLAN carrying two 802.1Q tags loses only its outer tag on the untagged native trunk, and the next switch delivers it into the VLAN of the inner tag)
    - Misconfiguration of the native VLAN can result in traffic black-holing
  • Using DTP and auto-negotiating all trunks prevents misconfiguration but does not fix the security vulnerability
  • Use 'dummy' native VLANs (a native VLAN assigned to no access port), or
  • Enable encapsulation of the native VLAN on the 6500:
      Switch(config)# vlan dot1q tag native
  (Diagram: VLAN 10 with host 10.1.10.200 and VLAN 20 with host 10.1.20.200 across a trunk between two switches)
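The double-tag hop and both mitigations from the slide, modelled in Python as an added example (not Cisco code). Frames are built in-line as raw Ethernet bytes; the two-switch model ignores MAC learning and STP, and assumes, as Catalyst access ports do, that an access port accepts a frame tagged with its own access VLAN. VLAN numbers and MAC addresses are made up.

```python
"""Model of 802.1Q native-VLAN handling on a trunk (added example, not Cisco code)."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ATTACKER_MAC = bytes.fromhex("00000000aaaa")   # constructed
VICTIM_MAC = bytes.fromhex("00000000bbbb")     # constructed


def build_frame(dst, src, vlan_tags, payload=b"\x00" * 46):
    """Ethernet II frame with zero or more 802.1Q tags, outermost first (PCP 0)."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlan_tags)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame):
    """Strip the outermost tag: (vid, frame_without_it), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch 1 access port: untagged frames join the access VLAN; a frame tagged
    with the access VLAN is accepted and the tag removed; anything else is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Switch 1 trunk: tag every VLAN except the native one, which goes untagged
    unless 'vlan dot1q tag native' is configured."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native):
    """Switch 2 trunk: a tagged frame belongs to its tag; an untagged frame belongs
    to the native VLAN, or is dropped when native tagging is enforced."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return (None, None) if tag_native else (native_vlan, frame)
    return vid, inner


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN into which switch 2 delivers a frame injected on a switch 1 access port
    (None if it is dropped along the way)."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    vlan2, _ = trunk_ingress(trunk_egress(vlan, f, native_vlan, tag_native), native_vlan, tag_native)
    return vlan2


def double_tag_attack(access_vlan, native_vlan, tag_native=False, outer_tag=None, target_vlan=20):
    """Attacker on access_vlan sends outer tag = native VLAN (by default), inner tag = target."""
    outer = native_vlan if outer_tag is None else outer_tag
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [outer, target_vlan])
    return deliver(frame, access_vlan, native_vlan, tag_native)


if __name__ == "__main__":
    print("untagged native VLAN 10 :", double_tag_attack(10, 10))                  # 20: hop succeeds
    print("dummy native 999        :", double_tag_attack(10, 999))                 # None: dropped at access port
    print("dummy native, tag 10    :", double_tag_attack(10, 999, outer_tag=10))   # 10: no hop
    print("vlan dot1q tag native   :", double_tag_attack(10, 10, tag_native=True))  # 10: no hop
    print("normal untagged frame   :", deliver(build_frame(VICTIM_MAC, ATTACKER_MAC, []), 10, 999))
```

The first line is the vulnerable case the slide describes: the attacker's access VLAN is also the trunk's native VLAN, so the outer tag is consumed and the inner tag 20 survives onto the wire. With a dummy native VLAN the attacker's outer tag either fails the access-port check or is re-tagged on the trunk; with `vlan dot1q tag native` the native VLAN is tagged on egress, so the frame lands back in VLAN 10 with the inner tag as harmless payload.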
• 44. Phones & Switch Ports: Auxiliary VLAN
  • During the initial CDP exchange the phone is configured with a Voice VLAN ID (VVID) on a multi-VLAN access port
  • IMPORTANT: multi-VLAN access ports (MVAP) are NOT trunk ports, even though the hardware is enabled to receive 802.1Q frames
  • MVAP ports are access ports with access, NOT trunk, port features; this includes support for 3rd-party phones on MVAP ports
  • PC VLAN = 10 (PVID, the native VLAN, sent untagged; no configuration changes needed on the PC); phone VLAN = 110 (VVID, 802.1Q encapsulation with 802.1p Layer 2 CoS)
• 45. EtherChannel: Link Capacity and Redundancy
  • EtherChannel creates a logical link by bundling multiple physical links, negotiated with PAgP (Port Aggregation Protocol) or LACP (802.3ad Link Aggregation Control Protocol)
  • Failure of a link in a bundle will affect the spanning tree link cost and may result in a topology change
  • Failure of a link in a bundle 'may' trigger a Layer 3 re-route:
    - OSPF running on a Cisco IOS-based switch will reduce the link cost and re-route traffic
    - OSPF running on a hybrid (CatOS) switch will not change the link cost and may overload the remaining links
    - EIGRP may not change the link cost and may overload the remaining links
  • In an L3 environment single 10 Gigabit links address both problems: increased bandwidth without routing challenges
• 46. EtherChannel Design Considerations: Static vs. Dynamic EtherChannel
  • Statically configuring the members of an EtherChannel bundle improves convergence, but...
  • In a Layer 2 environment it is possible for a misconfiguration to create a semi-loop between two switches (one side 'on', the other side 'off', so one switch bundles ports that the other treats as individual links)
  • This is a problem during the physical add/move/change process, not one triggered by network failover events:
    - Traffic received on an EtherChannel bundle is not reflected back down the link
    - 802.1w requires bidirectional exchange of BPDUs
    - Loop Guard will detect the loss of BPDUs on an existing working connection
  • Recommendation is auto/desirable (negotiated) for L2
  • Recommendation is on/on for L3 links
• 47. EtherChannel Load Balancing: Avoid Underutilizing Redundant Paths
  • The network may not load balance using the default L3 load-balancing hash
  • How random are your source and destination IP addresses?
  • Recommendation: utilize an L4 hash
      Sup720(config)# port-channel load-balance src-dst-port
  • In order to optimize the load balancing of traffic over multiple links, deploy in powers of two (two, four, or eight)
  • A single fat link (10GE) simplifies all of this
  (Diagram: with the L3 hash link 0 carries 68% and link 1 32% of the load; with the L4 hash link 0 carries 52% and link 1 48%)
• 48. First Hop Redundancy (FHRP): Layer 2 Access
  • HSRP, GLBP and VRRP are used to provide a resilient default gateway / first-hop address to end stations
  • A group of routers acts as a single logical router providing first-hop router redundancy
  • Protects against multiple failures: distribution switch failure, uplink failure
  • HSRP, GLBP and VRRP provide millisecond timers and excellent convergence performance
  • VRRP if you need multi-vendor interoperability
  • GLBP facilitates uplink load balancing
  (Diagram: on failure of the active gateway or of the link to it, the new active gateway provides the alternate path)
• 49. First Hop Redundancy: Sub-second Timers & Preempt Delay
  (Diagram: access switch Access-a dual-homed to R1 and R2, one FHRP active and one FHRP standby)
  HSRP config:
    interface Vlan4
     ip address 10.120.4.2 255.255.255.0
     standby 1 ip 10.120.4.1
     standby 1 timers msec 250 msec 750
     standby 1 priority 150
     standby 1 preempt
     standby 1 preempt delay minimum 180
  GLBP config:
    interface Vlan4
     ip address 10.120.4.2 255.255.255.0
     glbp 1 ip 10.120.4.1
     glbp 1 timers msec 250 msec 750
     glbp 1 priority 150
     glbp 1 preempt
     glbp 1 preempt delay minimum 180
  VRRP config:
    interface Vlan4
     ip address 10.120.4.1 255.255.255.0
     ip helper-address 10.121.0.5
     no ip redirects
     vrrp 1 description Master VRRP
     vrrp 1 ip 10.120.4.1
     vrrp 1 timers advertise msec 250
     vrrp 1 preempt delay minimum 180
  • Preempt delay avoids black-holing traffic when the ACTIVE gateway recovers and preempts the backup while its upstream routing and links may not yet be active
  • Recommendation: do not use sub-second timers with more than 150 VLANs (6500)
• 50. First Hop Redundancy with Load Balancing: Gateway Load Balancing Protocol (GLBP)
  • Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address/default gateway
  • When end stations ARP for the common IP address/default gateway they are given a load-balanced virtual MAC address
  • Host A and host B send traffic to different GLBP peers but have the same default gateway
  (Diagram: subnet 10.88.1.0/24 with routers R1 and R2 at .1 and .2, both configured with glbp 1 ip 10.88.1.10 and owning vMACs 0000.0000.0001 and 0000.0000.0002; hosts A and B at .4 and .5 each ARP for 10.88.1.10, one receives MAC 0000.0000.0001 and the other 0000.0000.0002)
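The GLBP behaviour on the slide as an added Python model (not Cisco code): one virtual IP, one virtual MAC per forwarder, ARP replies handed out round-robin, and takeover of a failed member's virtual MAC by a survivor so hosts keep their cached gateway MAC. The addresses and MACs are the slide's diagram values; AVG election, timers and weighting are left out.

```python
"""Model of a GLBP group's ARP load balancing and forwarder takeover (added example, not Cisco code)."""


class GlbpGroup:
    def __init__(self, virtual_ip, members):
        """members: {router_name: virtual_mac} in the order the AVG hands them out."""
        self.virtual_ip = virtual_ip
        self.vmac_of = dict(members)                              # router -> vMAC it owns
        self.serving = {mac: r for r, mac in members.items()}     # vMAC -> router forwarding for it
        self.up = set(members)
        self._rr = 0
        self.arp_cache = {}                                       # host -> vMAC it was told

    def arp_reply(self, host):
        """The AVG answers 'who has virtual_ip' with the next active member's vMAC."""
        macs = [self.vmac_of[r] for r in self.vmac_of if r in self.up]
        mac = macs[self._rr % len(macs)]
        self._rr += 1
        self.arp_cache[host] = mac
        return mac

    def member_down(self, router):
        """A surviving member takes over forwarding for the failed router's vMAC,
        so hosts that cached that vMAC need no new ARP."""
        self.up.discard(router)
        survivors = [r for r in self.vmac_of if r in self.up]
        if not survivors:
            raise RuntimeError("no forwarders left in group")
        for mac, r in self.serving.items():
            if r == router:
                self.serving[mac] = survivors[0]

    def gateway_for(self, host):
        """Which physical router actually forwards this host's traffic right now."""
        return self.serving[self.arp_cache[host]]


def demo():
    """Hosts A and B share gateway 10.88.1.10 but are split across R1 and R2;
    after R1 fails, both are served by R2 without re-ARPing."""
    g = GlbpGroup("10.88.1.10", {"R1": "0000.0000.0001", "R2": "0000.0000.0002"})
    before = (g.arp_reply("A"), g.arp_reply("B"), g.gateway_for("A"), g.gateway_for("B"))
    g.member_down("R1")
    after = (g.gateway_for("A"), g.gateway_for("B"), g.arp_reply("C"))
    return before, after


if __name__ == "__main__":
    print(demo())
```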
• 51. Routing to the Edge: Layer 3 Distribution with Layer 3 Access
  • Move the Layer 2/3 demarcation to the network edge
  • Upstream convergence is triggered by hardware detection of light lost from the upstream neighbor
  • Beneficial for the right environment
  (Diagram: the GLBP model with the Layer 2/Layer 3 boundary at the distribution layer versus the routed-access model with EIGRP/OSPF between access and distribution; access VLAN 20 data and 120 voice (10.1.20.0, 10.1.120.0) and VLAN 40 data and 140 voice (10.1.40.0, 10.1.140.0))
• 52. Routing to the Edge: Advantages, Yes in the Right Environment
  • Ease of implementation, less to get right: no matching of STP/HSRP/GLBP priority; no L2/L3 multicast topology inconsistencies
  • Single control plane and well-known tool set: traceroute, show ip route, show ip eigrp neighbor, etc.
  • Most Cisco Catalysts support L3 switching today
  • EIGRP converges in <200 msec
  • OSPF with sub-second tuning converges in <200 msec
  • RPVST+ convergence times are dependent on GLBP/HSRP tuning
  • Both L2 and L3 can provide sub-second convergence
  (Chart: upstream and downstream convergence in seconds, 0 to 2, for RPVST+, OSPF 12.2S and EIGRP)
• 53. Unified Communications Network Agenda (repeat of slide 27; next topic: Redundancy and Routing Design)
• 54. Multilayer Network Design: Core and Distribution Routing Design
  • Managing the number of routes in the network is important
  • Both EIGRP and OSPF need summarization
  • Map the protocol to the topology
  (Chart: time to restore voice in seconds, 0 to 3, against the number of routes in a stub area on a Sup720: 800, 1000, 3000, 6000, 9000, 12000)
• 55. EIGRP Design Rules for HA Campus: High-Speed Campus Convergence
  • EIGRP convergence is largely dependent on query response times
  • Minimize the number of queries and the time for query responses to speed up convergence
  • Summarize distribution block routes upstream to the core:
      interface TenGigabitEthernet 4/1
       ip summary-address eigrp 100 10.120.0.0 255.255.0.0 5
  • Configure all access switches as EIGRP stub routers:
      router eigrp 100
       network 10.0.0.0
       eigrp stub connected
  • Filter routes sent down to access switches:
      router eigrp 100
       network 10.0.0.0
       distribute-list Default out <mod/port>
      ip access-list standard Default
       permit 0.0.0.0
• 56. OSPF Design Rules for HA Campus: High-Speed Campus Convergence
  • OSPF convergence is dependent on a number of factors
  • Summarization will decrease the load and often the need for SPF calculations: upstream from the distribution block into the core, and downstream from the core into the distribution block
      router ospf 100
       area 120 stub no-summary
       area 120 range 10.120.0.0 255.255.0.0 cost 10
       network 10.120.0.0 0.0.255.255 area 120
       network 10.122.0.0 0.0.255.255 area 0
• 57. OSPF Design Rules for HA Campus: High-Speed Campus Convergence
  • OSPF convergence is also dependent on tuning of the OSPF timers: sub-second hellos; IP dampening mechanism; back-off algorithm for LSA generation; exponential SPF backoff
      router ospf 100
       timers throttle spf 10 100 5000
       timers throttle lsa all 10 100 5000
       timers lsa arrival 80
      interface GigabitEthernet1/1
       dampening
       ip address 10.120.0.205 255.255.255.254
       ip ospf network point-to-point
       ip ospf dead-interval minimal hello-multiplier 4
  (Chart: time to restore voice flows, labelled msec. on the slide, axis 0 to 6, for default convergence, 10 msec SPF, and 10 msec SPF and LSA)
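The exponential backoff behind `timers throttle spf 10 100 5000` (the LSA throttle on the slide uses the same scheme), as an added Python model rather than Cisco code. It is a simplification of the IOS implementation: an SPF is scheduled spf-start ms after a change; a change arriving inside the hold interval after the previous SPF is deferred to the end of that hold and the hold doubles, capped at spf-max-wait; a network quiet for spf-max-wait resets the hold. The change timestamps are constructed, and the pre-throttle comparison uses assumed values of 5000/10000/10000 ms.

```python
"""Model of OSPF SPF/LSA throttle backoff (added example, not Cisco code). Times are ms."""


def schedule_spf(changes_ms, start=10, hold=100, max_wait=5000):
    """Return the times at which SPF runs for the given topology-change times."""
    runs = []
    pending = None       # time of the already-scheduled SPF, if any
    wait = hold          # current hold interval; grows while the network keeps changing
    last_run = None
    last_change = None
    for t in sorted(changes_ms):
        if pending is not None and pending < t:
            runs.append(pending)               # the scheduled SPF fired before this change
            last_run, pending = pending, None
        if last_change is not None and t - last_change >= max_wait:
            wait = hold                        # quiet period: back to the fast timers
        last_change = t
        if pending is not None:
            continue                           # this change folds into the SPF already scheduled
        if last_run is None or t - last_run >= wait:
            pending = t + start                # outside the hold: quick SPF after spf-start
        else:
            pending = last_run + wait          # inside the hold: wait it out...
            wait = min(wait * 2, max_wait)     # ...and back off further next time
    if pending is not None:
        runs.append(pending)
    return runs


def spf_delays(changes_ms, **timers):
    """Delay from each change to the first SPF that includes it."""
    runs = schedule_spf(changes_ms, **timers)
    return [next(r for r in runs if r >= t) - t for t in sorted(changes_ms)]


def flapping_link_example():
    """Constructed: a link flaps at 0, 50, 150, 200 and 320 ms, then one isolated
    change at 10 s after the network has been quiet."""
    return schedule_spf([0, 50, 150, 200, 320, 10000])


def classic_timers_example():
    """The same changes with pre-throttle style timers (assumed 5 s delay, 10 s hold)
    show why voice needs the tuned values."""
    return schedule_spf([0, 50, 150, 200, 320, 10000], start=5000, hold=10000, max_wait=10000)


if __name__ == "__main__":
    print("tuned  :", flapping_link_example())
    print("delays :", spf_delays([0, 50, 150, 200, 320, 10000]))
    print("classic:", classic_timers_example())
    gaps = [b - a for a, b in zip(*(lambda r: (r, r[1:]))(schedule_spf(range(0, 60000, 10))))]
    print("hold growth under a continuous flap:", gaps[:8])
```

With the tuned timers the first SPF runs 10 ms after a change, and a sustained flap is throttled to one SPF per 100, 200, 400, 800, 1600, 3200 and then 5000 ms, which bounds the CPU cost without ever waiting longer than spf-max-wait.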
• 58. Unified Communications Network Agenda (repeat of slide 27; next topic: Switch Resiliency, NSF/SSO)
• 59. System Level Resiliency: Comprehensive Physical Redundancy
  • Catalyst 6500 and 4500 are highly redundant modular systems:
    - Redundant hot-swappable supervisors
    - Redundant hot-swappable power supplies
    - N+1 redundant fans with hot-swappable fan trays
    - Hot-swappable line cards
    - Passive data backplane
    - Redundant system clock modules
• 60. System Level Resiliency: NSF/SSO, IOS Modularity and ISSU
  • Catalyst 6500 and 4500 supervisor hardware redundancy (1+1) leverages four key mechanisms to improve network resiliency and provide for enhanced operational change processes:
    - SSO: Stateful Switchover (L2, L3 & L4 protocols)
    - NSF: NonStop Forwarding (L3)
    - IOS Modularity
    - ISSU: In Service Software Upgrade
  • Catalyst 3750 stack switch redundancy leverages two mechanisms to improve network resiliency: StackWise and StackWise Plus; NSF supported as of 12.2(35)SE
• 61. Supervisor Processor Redundancy: Stateful Switchover (SSO)
  • Active/standby supervisors run in synchronized mode
  • The redundant supervisor is in 'hot-standby' mode
  • Switch processors synchronize L2 port state information (e.g., STP, 802.1x, 802.1Q)
  • Switching hardware synchronizes the L2/L3 FIB, NetFlow and ACL tables
  • Provides for complete system recovery in under 1 sec
  (Diagram: active and standby supervisors, each with SP, RP and PFC, above line cards with DFCs)
• 62. Supervisor Processor Redundancy: Stateful Switchover (SSO)
    Switch(config)#redundancy
    Switch(config-red)#mode ?
      rpr  Route Processor Redundancy
      sso  Stateful Switchover

    Switch#sh mod
    Chassis Type : WS-C4507R
    Power consumed by backplane : 40 Watts
    Mod Ports Card Type                              Model              Serial No.
    ---+-----+--------------------------------------+------------------+-----------
     1     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB0627065V
     2     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB064907TY
     3    24  10/100/1000BaseT (RJ45)                WS-X4424-GB-RJ45   JAB052406EF
    <snip>
    Mod  Redundancy role     Operating mode      Redundancy status
    ----+-------------------+-------------------+-------------------
     1   Active Supervisor   SSO                 Active
     2   Standby Supervisor  SSO                 Standby hot
• 63. System Resiliency: NSF Recovery (Routing Protocol Recovery)
  • Non-Stop Forwarding enhancements to OSPF, EIGRP, IS-IS and BGP
  • An NSF-capable router continuously forwards packets during router recovery after an SSO processor or ION process recovery
  • NSF-aware and NSF-capable routers provide for transparent routing protocol recovery: graceful restart extensions enable neighbor recovery without resetting adjacencies; routing database re-synchronization occurs in the background
  (Diagram: NSF-aware core and access switches around NSF-aware, NSF-capable distribution switches)
• 64. System Resiliency: NSF OSPF Example, No Route Flaps During Recovery
    Switch#
    *Aug 11 15:37:49: %OSPF-5-ADJCHG: Process 100, Nbr 100.1.1.1 on Vlan608 from LOADING to FULL, Loading Done
    Switch#show ip ospf
    <snip>
     Non-Stop Forwarding enabled, last NSF restart 00:00:23 ago (took 31 secs)
    <snip>
    Switch#show ip ospf neighbor detail
     Neighbor 100.1.1.1, interface address 172.26.197.67
    <snip>
      LLS Options is 0x1 (LR), last OOB-Resync 00:00:41 ago
      Dead timer due in 00:00:33
    <snip>
  • OSPF-ADJCHG messages appear on the switches after a switchover even though no route flaps occur during an NSF switchover
• 65. System Resiliency: NSF Configuration
  OSPF:
    Switch(config)#router ospf 100
    Switch(config-router)#nsf
    Switch(config-router)#nsf ?
      enforce  Cancel NSF restart when non-NSF-aware neighbors detected
  EIGRP:
    Switch(config)#router eigrp 100
    Switch(config-router)#nsf
    Switch(config-router)#timers nsf ?
      converge    EIGRP time limit for convergence after switchover
      route-hold  EIGRP hold time for routes learned from nsf peer
      signal      EIGRP time limit for signaling NSF restart
  BGP:
    Switch(config-router)#bgp graceful-restart ?
      restart-time    Set the max time needed to restart and come back up
      stalepath-time  Set the max time to hold onto restarting peer's stale paths
      <cr>
    Switch(config-router)#bgp graceful-restart
  IS-IS:
    Switch(config)#router isis level2
    Switch(config-router)#nsf cisco
  'or'
    Switch(config)#router isis level2
    Switch(config-router)#nsf ietf
• 66. Design Considerations for NSF/SSO: Supervisor Uplinks
  • Cisco Catalyst 4500: supervisor uplink ports are active and forward traffic as long as the supervisor is fully inserted; uplink ports do not go down when a supervisor is reset
    - Supervisor II+, Supervisor IV: 2 x GigE ports are active
    - Supervisor II+10GE: 2 x 10GE and 4 x GigE ports are active
  • Cisco Catalyst 6500: both the active supervisor and the standby supervisor uplink ports are active as long as the supervisors are up and running; uplink ports go down when the supervisor is reset
    - Catalyst 6500 supervisors: all ports are active
  • Best practice when using uplinks on redundant supervisors is to utilize EtherChannel, e.g. bundle 5/1 & 6/1
  • 67. Design Considerations for NSF/SSO: Where Does It Make Sense?
    [Chart: Seconds of Lost Voice (0 to 6 s) for Node Failure with NSF/SSO versus Link Failure with OSPF Convergence; RP convergence is dependent on IGP and tuning]
    - Redundant topologies with equal cost paths provide sub-second convergence
    - NSF/SSO provides superior availability in environments with non-redundant paths
  • 68. Design Considerations for NSF/SSO: Where Does It Make Sense?
    [Chart: Seconds of Lost Voice (0 to 1 s) for non-SSO-aware HSRP versus SSO-aware HSRP]
    - Not all IOS features are SSO aware
    - As of 12.2(31)SG Catalyst 4500 supports SSO aware HSRP
    - 6500 will support in H107
    - HSRP doesn't flap on Supervisor SSO switchover
  • 69. Design Considerations for NSF/SSO: Where Does It Make Sense?
    [Chart: Seconds of Lost Voice (0 to 10 s), NSF-Enabled Optimal versus NSF-Enabled Maximum]
    - Access switch is the single point of failure in best practices HA campus design
    - Supervisor failure is most common cause of access switch service outages
    - Recommended design NSF/SSO provides for sub 600 msec recovery of voice and data traffic
  • 70. Unified Communications Network Agenda
    - Resilient Network Design: Network Resiliency; High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design; Switch Resiliency; NSF/SSO; ISSU & IOS Modularity; GOLD & EEM; Hardening the Network; Layer 2 Security
    - Quality of Service
  • 71. System Resiliency: IOS Modularity and In Service Software Upgrade
    - In redundant topology standard maintenance practice is to shut down devices during upgrade and let the network converge
    - IOS Modularity and ISSU provide the ability to patch or upgrade software in place without having to shut down
    - In the access layer or any other single point of failure this can be a significant improvement in operational practices
    [Diagram: Scheduled Maintenance runs at half capacity; with ISSU all paths and switches stay active during upgrade]
  • 72. System Resiliency: In Service Software Upgrade (ISSU)
    - Full image upgrade: new features and patches
    - Selective maintenance: patch a component
    - Component Upgrade: add new features to existing base
  • 73. Cisco IOS Software Modularity: Catalyst 6500
    - Combines a network optimized microkernel with the feature subsystems and functions enterprise and metro Ethernet customers depend on: 20+ independent processes; remaining feature subsystems live in Cisco IOS Base process; retains support for Cisco IOS features
    - Whole system benefits from integrated HA infrastructure which determines best action to take for improved resiliency
    - Preserves Cisco Catalyst 6500 Series benefits: separate Control and Data Planes; NSF and GOLD; hardware acceleration; scalability
    [Diagram: processes Routing, IPFS, TCP, UDP, CDP, EEM, INETD and IOS-BASE running on the High Availability Infrastructure over the Network Optimized Microkernel, above the Catalyst 6500 Hardware Data Plane]
  • 74. Cisco IOS Software Modularity Benefits: Minimize Unplanned Downtime
    If an error occurs in a modular process:
    - HA subsystem determines the best recovery action: restart a modular process; switchover to standby supervisor; remove the system from the network
    - Process restarts with no impact on the data plane: utilizes Nonstop Forwarding (NSF) even with a single Supervisor with NSF-Aware neighbors; state checkpointing allows quick process recovery
    Traffic forwarding continues during unplanned process restarts.
    [Diagram: same process layering as slide 73]
  • 75. Cisco IOS Software Modularity: Subsystem ISSU (Software Patching)
    Patching is always a two-step process:
    1. Install the patch ("install file"): does not change anything on the running version of code; can be performed for multiple patches before next step; verifies patch dependencies
    2. Activate the patch ("install activate"): all patches that are pending for install are activated at the same time; copy of previous code is retained for rollback purposes
    [Diagram: patch is copied from a server (FTP, TFTP) into the Catalyst 6500 flash memory in step 1 and activated in step 2]
    Patches downloaded from CCO: http://www.cisco.com/go/pn
  • 76. In Service Software Upgrade: Catalyst 4500
    [Diagram: chassis with line cards, Active Supervisor running 12.2(xw)SG and Standby Supervisor running 12.2(xy)SG]
    - Full image ISSU provides a mechanism to perform software upgrades and downgrades without taking the switch out of service
    - Leverages the capabilities of NSF and SSO to allow the switch to forward traffic during supervisor IOS upgrade (or downgrade)
    - Network does not re-route and no active links are taken out of service
  • 77. In Service Software Upgrade: ISSU Stages
    [Diagram: loadversion, runversion, acceptversion, commitversion (and abortversion); the active and standby supervisors move from the initial state 12.2(31)SGA on both to the final state 12.2(31)SGA1 on both]
    - ISSU upgrade is a 4 step process
    - Possible to rollback (abort) up until you complete the 4th step (commit to final state)
    - Leverages NSF/SSO to implement supervisor transition
    - Requires that the two images are compatible for upgrade/downgrade processing
  • 78. Unified Communications Network Agenda
    - Resilient Network Design: Network Resiliency; High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design; Switch Resiliency; NSF/SSO; ISSU & IOS Modularity; GOLD & EEM; Hardening the Network; Layer 2 Security; Understanding UC Requirements
    - Quality of Service
  • 79. Systems Resiliency: Proactive Fault Detection and Notification
    [Diagram: memory corruption, software inconsistency and system faults are detected and isolated by Power-on Diagnostics (supervisor, backplane, L2 ASIC, L3 ASIC, memory, port) and Generic Online Diagnostics (HW/SW state, memory, LC module, temperature, power supply, fan tray), giving enhanced system stability and enhanced network stability]
    Improved physical redundancy is not enough; intelligent system failure detection is key.
  • 80. Generic Online Diagnostics: How Does GOLD Work?
    - GOLD: check the health of hardware components and verify proper operation of the system data plane and control plane at run-time and boot-time
    - Diagnostic packet switching tests verify that the system is operating correctly: Is the supervisor control plane and forwarding plane functioning properly? Is the standby supervisor ready to take over? Are linecards forwarding packets properly? Are all ports working? Is the backplane connection working?
    - Other types of diagnostics tests including memory and error correlation tests are also available
    [Diagram: diagnostic packets between the CPU and forwarding engine of the active supervisor, the fabric, the standby supervisor and the line cards]
  • 81. Generic Online Diagnostics: Diagnostic Operation
    Boot-Up Diagnostics: run during system bootup, line card OIR or supervisor switchover; makes sure faulty hardware is taken out of service
    Switch(config)#diagnostic bootup level complete
    Runtime Diagnostics (Health-Monitoring): non-disruptive tests run in the background; serves as HA trigger
    Switch(config)#diagnostic monitor module 5 test 2
    Switch(config)#diagnostic monitor interval module 5 test 2 00:00:15
    On-Demand: all diagnostics tests can be run on demand, for troubleshooting purposes; it can also be used as a pre-deployment tool
    Switch#diagnostic start module 4 test 8
    Module 4: Running test(s) 8 may disrupt normal system operation
    Do you want to continue? [no]: y
    Switch#diagnostic stop module 4
    Scheduled: schedule diagnostics tests, for verification and troubleshooting purposes
    Switch(config)#diagnostic schedule module 4 test 1 port 3 on Jan 3 2005 23:32
    Switch(config)#diagnostic schedule module 4 test 2 daily 14:45
  • 82. Generic Online Diagnostics: Using Diagnostics as a Pre-Deployment Tool
    Cat-6500#diagnostic start module 6 test all
    Module 6: Running test(s) 8 will require resetting the line card after the test has completed
    Module 6: Running test(s) 1-2,5-9 may disrupt normal system operation
    Do you want to continue? [no]: yes
    <snip>
    *Mar 25 22:43:16: SP: ******************************************************************
    *Mar 25 22:43:16: SP: * WARNING:
    *Mar 25 22:43:16: SP: * ASIC Memory test on module 6 may take up to 2hr 30min.
    *Mar 25 22:43:16: SP: * During this time, please DO NOT perform any packet switching.
    *Mar 25 22:43:16: SP: ******************************************************************
    <snip>
    Cat-6500#diagnostic start system test all
    ****************************************************************
    * WARNING:                                                     *
    * Diagnostic System Test will disrupt normal system            *
    * operation and also system required RESET after system        *
    * test is done prior to normal use.                            *
    <snip>
    Note: the order in which tests are run matters
    - Run diagnostics first on linecards, then on supervisors
    - Run packet switching tests first, run memory tests after
    - Simplified CLI for system test correctly orders diagnostics (12.2(33)SXH)
  • 83. Embedded Event Manager: Proactive Fault Detection and Notification
    - EEM is a Cisco IOS technology that runs on the control plane. It is a combination of processes (event detectors) designed to monitor key system parameters such as CPU utilization, interface errors, counters, SNMP and SYSLOG events, and act on specific events or thresholds/counters that are exceeded
  • 84. Embedded Event Manager: EEM Application Example
    Upon matching the provided SYSLOG message 'LINK-3-UPDOWN' (interface down, e.g. a cable fault), the switch performs the following actions:
    - Display error statistics (interface error counters) for the link that has gone down
    - Start a Time Domain Reflectometry (TDR) test
    - Start a GOLD Loopback test
    - Send the results (email alert) using a provided template to a user-configurable address
  • 85. Embedded Event Manager: EEM Scripting Community
    - Cisco IOS Embedded Event Manager (EEM) Automation: event driven scripts
    - Cisco Beyond, an EEM scripting community: for customers, partners, and Cisco to share EEM scripts and get best-practice examples
    EEM and Cisco Beyond: http://cisco.com/go/eem and http://forums.cisco.com/eforum/servlet/EEM?page=main
  • 86. Unified Communications Network Agenda
    - Resilient Network Design: Network Resiliency; High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design; Switch Resiliency; NSF/SSO; ISSU & IOS Modularity; GOLD & EEM; Hardening the Network; Layer 2 Security
    - Quality of Service
  • 87. Network Infrastructure Integration: Understanding Edge Security and L2 Attacks
    Phone interaction with infrastructure edge security:
    - Phone contains a 3 port switch that is configured in conjunction with the access switch and CallManager
    1. Power negotiation (switch detects IP phone and applies power)
    2. VLAN configuration (CDP transaction between phone and switch; IP phone placed in proper VLAN)
    3. 802.1x interoperation
    4. QoS configuration
    5. DHCP
    6. CallManager registration (DHCP request and Call Manager registration)
  • 88. Attack: MAC Flooding (CAM Table Overflow)
    [Diagram: hosts with MAC A, B and C on ports 1, 2 and 3; the CAM table holds A->1, B->2, C->3 until the attacker on port 3 announces "Y is on port 3", "Z is on port 3" and so on; when A sends traffic to B the attacker on port 3 sees it: "I see traffic to B!"]
    Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN.
  • 89. Attack: MAC Flooding (CAM Table Overflow)
    - macof sends random source MAC and IP addresses
    - Much more aggressive if you run the command "macof -i eth1 2> /dev/null"
    - macof (part of dsniff): http://monkey.org/~dugsong/dsniff/
    - Yersinia: flavor of the month attack tool
    macof -i eth1
    36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
    16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
    18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
    e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
    62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
    c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
    88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
    b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
    e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
  • 90. Countermeasures for MAC Attacks
    Port Security limits the number of MACs learned on an interface.
    - The number is not to control access, it is to protect the switch from attack
    - Depending on security policy, disabling the port might be preferred, even with VoIP
    - Aging time of two and aging type inactivity to allow for phone CDP of one minute
    IOS (will enable voice to work under attack):
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
    If the violation mode is error-disable, the following log message will be produced:
    4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
  • 91. Countermeasures for MAC Attacks With IP Phones
    Could use 2 or 3 MAC addresses allowed on the port:
    - Phones can use 2 or 3 depending on the switch hardware and software. Some switches look at the CDP traffic and some don't; if they don't, they need 2, if they do, they need 3. Some hardware (3550) will always need 3.
    - Default config is to shut down the port; might want to use restrict for VoIP
    - This feature is to protect that switch; you can make the number anything you like as long as you don't overrun the CAM table
    Note: when using the restrict feature of Port Security, if the switch is under attack, you will see a performance hit on the CPU
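To make the port-security behaviour on slides 88 to 91 concrete, here is an added model (not Cisco code) of one access port configured with "maximum 3", a violation mode of restrict or shutdown, and "aging time 2 / aging type inactivity"; the phone and PC MACs, the flood and the syslog line are constructed sample data.

```python
"""Model of a Catalyst access port running port-security (added illustration,
not Cisco code).  It shows why a CAM-flooding tool cannot turn the switch into
a hub once a MAC limit is enforced, how 'restrict' keeps the phone working
while 'shutdown' err-disables the port, and how inactivity aging keeps the
phone's entry alive as long as it keeps sending CDP once a minute."""
import re
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    maximum: int = 3               # switchport port-security maximum 3
    violation: str = "restrict"    # 'restrict' or 'shutdown' (err-disable)
    aging_minutes: float = 2.0     # aging time 2, aging type inactivity
    learned: dict = field(default_factory=dict)   # mac -> minute last seen
    violations: int = 0
    err_disabled: bool = False

    def _age_out(self, now):
        # inactivity aging: an address idle for aging_minutes is forgotten
        idle = [m for m, seen in self.learned.items()
                if now - seen >= self.aging_minutes]
        for mac in idle:
            del self.learned[mac]

    def receive(self, src_mac, now):
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False
        self._age_out(now)
        if src_mac in self.learned:
            self.learned[src_mac] = now      # traffic refreshes the inactivity timer
            return True
        if len(self.learned) < self.maximum:
            self.learned[src_mac] = now      # a free secure-MAC slot
            return True
        # limit reached: the frame is dropped and counted as a violation
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True         # the switch logs %PM-4-ERR_DISABLE
        return False


def simulate(violation="restrict", flood_size=1000):
    """Phone and PC come up, a CAM-flooding tool sends flood_size frames with
    distinct source MACs at minute 0.5, then the phone keeps sending CDP once
    a minute while the PC stays silent (so the PC's entry ages out)."""
    port = SecuredPort("Gi3/2", violation=violation)
    phone, pc = "00:1b:d4:aa:aa:aa", "00:0e:00:bb:bb:bb"      # constructed MACs
    port.receive(phone, 0.0)
    port.receive(pc, 0.0)
    flood = [f"02:00:00:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}"
             for i in range(flood_size)]                       # constructed flood
    flood_forwarded = sum(port.receive(m, 0.5) for m in flood)
    phone_ok = all(port.receive(phone, t) for t in (1.0, 2.0, 3.0, 4.0))
    return {"flood_forwarded": flood_forwarded, "violations": port.violations,
            "err_disabled": port.err_disabled, "phone_ok": phone_ok,
            "learned_at_end": len(port.learned)}


ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<reason>[\w-]+) Error Detected on (?P<intf>\S+),")


def parse_err_disable(line):
    """Pull (reason, interface) out of the err-disable syslog line from slide 90."""
    m = ERR_DISABLE_RE.search(line)
    return (m.group("reason"), m.group("intf")) if m else None
```

With "restrict" only the one free slot of the three is taken by the flood and the phone keeps working; with "shutdown" the first violation err-disables the port and the phone loses service as well.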
  • 92. Building the Layers: Catalyst Integrated Security Features
    - Port security prevents CAM attacks and DHCP Starvation attacks
    [Diagram: layers Port Security and IP Source Guard; an attacker sending 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.) makes the switch act like a hub]
  • 93. Attack: DHCP Starvation (Gobbler)
    - Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
    [Diagram: Gobbler client sends DHCP Discovery (broadcast) x (size of scope) to the DHCP server]
    - Gobbler uses a new MAC address to request a new DHCP lease
    - Restrict the number of MAC addresses on a port
    IOS:
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
  • 94. Attack: Rogue DHCP Server
    [Diagram: client sends DHCP Discovery (broadcast); the rogue server answers with a DHCP Offer (unicast) before the real DHCP server]
    - What can the attacker do if he is the DHCP server? The offer carries: IP Address 10.10.10.101, Subnet Mask 255.255.255.0, Default Routers 10.10.10.140, DNS Servers 10.10.10.140, Lease Time 10 days
    - Wrong default gateway: attacker is the gateway
    - Wrong DNS server: attacker is the DNS server
    - Wrong IP address: attacker does DoS with an incorrect IP
  • 95. Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
    - By default all ports in the VLAN are untrusted
    [Diagram: DHCP Snooping enabled; the DHCP server and uplink are on trusted ports, the client and the rogue server on untrusted ports; OK DHCP responses (offer, ack, nak) come from the trusted port, BAD DHCP responses (offer, ack, nak) from the rogue server are blocked]
    IOS Global Commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
    DHCP Snooping Untrusted Client, Interface Commands:
    no ip dhcp snooping trust (Default)
    ip dhcp snooping limit rate 10 (pps)
    DHCP Snooping Trusted Server or Uplink, Interface Commands:
    ip dhcp snooping trust
  • 96. Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
    - Table is built by "snooping" the DHCP reply to the client
    - Entries stay in table until DHCP lease time expires
    - If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed
    DHCP Snooping Binding Table:
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
  • 97. Countermeasures for DHCP Attacks: DHCP Option 82, Upstream Modifications
    - DHCP Snooping modifies the DHCP Discovery packet by adding an option 82 field
    - Identifies the 'circuit-id' (switch port) that the DHCP discovery packet originated on; defined in RFC 3046
    - Necessary to configure the distribution switch to trust modified DHCP Discovery packets
    [Diagram: the access switch adds option 82 to the DHCP request; the distribution switch (DHCP relay, giaddr) trusts downstream DHCP relay agents and forwards the request with option 82 to the trusted DHCP server]
    ! Distribution Switch -
    ! Trust DHCP packets modified by Access Switch with option 82
    ip dhcp relay information trust-all
  • 98. Building The Layers: Catalyst Integrated Security Features
    - Port security prevents CAM attacks and DHCP Starvation attacks
    - DHCP Snooping prevents Rogue DHCP Server attacks
    [Diagram: layers Port Security, DHCP Snooping and IP Source Guard; 132,000 bogus MACs make the switch act like a hub; a rogue DHCP server saying "Use this IP Address!" is blocked]
  • 99. Attack: ARP (ARP Function Review)
    - Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address. This ARP request is broadcast using EtherType 0x0806.
    - All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply
    [Diagram: "Who is 10.1.1.4?" (broadcast) and the reply "I am 10.1.1.4, MAC A"]
  • 100. Attack: ARP (ARP Function Review)
    - According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
    - Anyone can claim to be the owner of any IP/MAC address they like
    - ARP attacks use this to redirect traffic
    [Diagram: a host announces "I am 10.1.1.1, MAC A" and every other host on the subnet records "10.1.1.1 is MAC A"]
  • 101. Attack: ARP (ARP Attack Tools)
    - Many tools on the Net for ARP man-in-the-middle attacks: Dsniff, Cain & Abel, ettercap, Yersinia, etc.
    - ettercap: http://ettercap.sourceforge.net/index.php
    - Some are second or third generation of ARP attack tools; most have a very nice GUI and are almost point-and-click; packet insertion, many-to-many ARP attack
    - Cain: www.oxid.it/cain.html
    - All of them capture the traffic/passwords of applications: FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc.
  • 102. Attack: ARP (ettercap, CAIN, ...)
    [Diagram, VLAN 10 on a Catalyst 4500]
    Devices: Catalyst 4500 10.1.1.1 (MAC 00-0F-8F-7A-2C-3F); Hacker PC 10.1.1.2 (MAC 00-15-58-2D-08-2A); User PC 10.1.1.3 (MAC 00-0D-60-7A-25-02)
    ARP cache of User PC before the attack: 10.1.1.1 -> 00-0F-8F-7A-2C-3F; after poisoning: 10.1.1.1 -> 00-15-58-2D-08-2A
    ARP cache of Catalyst 4500 before the attack: 10.1.1.3 -> 00-0D-60-7A-25-02; after poisoning: 10.1.1.3 -> 00-15-58-2D-08-2A
    ARP cache of Hacker PC: 10.1.1.1 -> 00-0F-8F-7A-2C-3F; 10.1.1.3 -> 00-0D-60-7A-25-02 (the real entries, so the traffic can be relayed)
  • 103. Countermeasures to ARP Attacks: Dynamic ARP Inspection (DAI)
    - Uses the DHCP Snooping Binding table information
    - Dynamic ARP Inspection: all ARP packets must match the IP/MAC Binding table entries; if the entries do not match, throw them in the bit bucket
    [Diagram: DHCP Snooping and Dynamic ARP Inspection enabled; binding table 10.1.1.1 MAC A, 10.1.1.2 MAC B, 10.1.1.3 MAC C; host C sends "ARP to 10.1.1.1 saying 10.1.1.2 is MAC C" and "ARP to 10.1.1.2 saying 10.1.1.1 is MAC C"; the switch asks "Is this in my binding table? NO!" and the non-matching ARPs go in the bit bucket]
  • 104. Countermeasures to ARP Attacks: Dynamic ARP Inspection
    - Uses the information from the DHCP Snooping Binding table
    - Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
    00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
    - No entry in the binding table: no traffic!
    - Wait until all devices have new leases before turning on Dynamic ARP Inspection
    - Entries stay in table until the lease runs out
    - All switches have a binding size limit: 4500 switches 3000 entries (6000 for the SupV-10GE); 6500 switches 16,000 entries
  • 105. Countermeasures to ARP Attacks: Dynamic ARP Inspection
    IOS Global Commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
    ip arp inspection vlan 4,104
    ip arp inspection log-buffer entries 1024
    ip arp inspection log-buffer logs 1024 interval 10
    Interface Commands:
    no ip dhcp snooping trust
    no ip arp inspection trust
    ip arp inspection limit rate 100
    - DAI is configured on a per VLAN basis
    - You can trust an interface like DHCP Snooping
    - Suggested for voice is to set the DAI rate limit above the default if you feel dial tone is important
  • 106. Non DHCP Devices
    - Can use static bindings in the DHCP Snooping Binding table
    IOS Global Commands:
    ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1
    IOS Show Commands:
    show ip source binding
    - The show command for static entries in the DHCP Snooping Binding table is different from the one for dynamic entries
  • 107. Security Demo
  • 108. Building The Layers: Catalyst Integrated Security Features
    - Port security prevents CAM attacks and DHCP Starvation attacks
    - DHCP Snooping prevents Rogue DHCP Server attacks
    - Dynamic ARP Inspection prevents current ARP attacks
    [Diagram: layers Port Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard; 132,000 bogus MACs make the switch act like a hub; a rogue DHCP server saying "Use this IP Address!" is blocked; a man in the middle posing as the email server ("Your email passwd is 'joecisco'!") is blocked]
  • 109. Attack: IP and MAC Spoofing (IP Source Guard)
    - Uses the DHCP Snooping Binding Table information
    - IP Source Guard operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets
    [Diagram: DHCP Snooping, Dynamic ARP Inspection and IP Source Guard enabled; binding table 10.1.1.1 MAC A, 10.1.1.2 MAC B, 10.1.1.3 MAC C; host B sends traffic with IP 10.1.1.3 and host C sends traffic with IP 10.1.1.2; the switch asks "Is this in my binding table? NO!" and the non-matching traffic is dropped, while received traffic with source IP 10.1.1.2 from MAC B and 10.1.1.3 from MAC C passes]
  • 110. Countermeasures to Spoofing Attacks: IP Source Guard
    - Uses the information from the DHCP Snooping Binding table
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
    00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
    - DHCP Snooping has to be configured so that the binding table is built
    - IP Source Guard is configured by port
    - IP Source Guard with MAC does not learn the MAC from the device connected to the switch; it learns it from the DHCP Offer
  • 111. Countermeasures to Spoofing Attacks: IP Source Guard
    IP Source Guard Configuration, IP/MAC Checking (Opt 82):
    IOS Global Commands:
    ip dhcp snooping vlan 4,104
    ip dhcp snooping information option
    ip dhcp snooping
    Interface Commands:
    ip verify source vlan dhcp-snooping port-security
    IP Source Guard Configuration, IP Checking Only (no Opt 82):
    IOS Global Commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
    Interface Commands:
    ip verify source vlan dhcp-snooping
    - MAC and IP checking can be turned on separately or together
    - For IP: will work with the information in the binding table
    - For MAC: must have an Option 82 enabled DHCP server (Microsoft does not support option 82); have to change the bootp-helper router configuration to support Option 82 ('dhcp relay information trust')
    Note: there are at least two DHCP servers that support the Option 82 field, Cisco Network Registrar and Avaya
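The three features on slides 95-96, 103-105 and 109-111 all hang off the same DHCP Snooping binding table, so here is one added model (not Cisco code) that parses the slide's "sh ip dhcp snooping binding" output and applies the DHCP Snooping, DAI and IP Source Guard checks to it; the binding table is a constructed copy of the slide's output, the checks are a simplified model of the real behaviour, and the interface names in the usage are assumed.

```python
"""DHCP Snooping builds a binding table; DAI checks every ARP packet from an
untrusted port against it; IP Source Guard checks every IP packet.  Added
illustration, not Cisco code; the table is a constructed copy of the slides."""
import re
from dataclasses import dataclass

SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
SERVER_MESSAGES = {"offer", "ack", "nak"}   # replies only a real server should send


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int        # seconds left; the entry disappears when the lease runs out
    vlan: int
    interface: str


def parse_bindings(text):
    """Parse 'show ip dhcp snooping binding' output into a list of Binding."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not MAC_RE.match(parts[0]):
            continue                       # header and separator lines
        mac, ip, lease, _type, vlan, intf = parts
        bindings.append(Binding(mac.lower(), ip, int(lease), int(vlan), intf))
    return bindings


def expire(bindings, elapsed):
    """Age the table by `elapsed` seconds: entries stay only until the lease expires."""
    return [Binding(b.mac, b.ip, b.lease - elapsed, b.vlan, b.interface)
            for b in bindings if b.lease > elapsed]


def dhcp_snooping_allows(interface, msg_type, trusted=()):
    """DHCP Snooping: offer/ack/nak are accepted only from trusted ports,
    which is what stops the rogue server on slide 94."""
    return interface in trusted or msg_type.lower() not in SERVER_MESSAGES


def _bound(bindings, interface, vlan, ip, mac=None):
    return any(b.interface == interface and b.vlan == vlan and b.ip == ip
               and (mac is None or b.mac == mac.lower()) for b in bindings)


def dai_allows(bindings, interface, vlan, sender_mac, sender_ip, trusted=()):
    """DAI: an ARP packet from an untrusted port is forwarded only if its
    sender MAC/IP pair matches a binding on that port and VLAN."""
    if interface in trusted:
        return True
    return _bound(bindings, interface, vlan, sender_ip, sender_mac)


def ipsg_allows(bindings, interface, vlan, src_ip, src_mac=None, check_mac=False):
    """IPSG: every IP packet is checked.  'ip verify source vlan dhcp-snooping'
    checks the source IP only; adding 'port-security' also checks the source
    MAC (which, per slide 111, needs an Option 82 capable DHCP server)."""
    return _bound(bindings, interface, vlan, src_ip, src_mac if check_mac else None)


def arp_rate_exceeded(arrival_times, limit=100):
    """'ip arp inspection limit rate 100': more than `limit` ARPs inside any
    one-second window trips the limit (the real switch err-disables the port)."""
    times = sorted(arrival_times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] >= 1.0:
            start += 1
        if end - start + 1 > limit:
            return True
    return False
```

The lease-expiry path is the "no entry in the binding table, no traffic" warning from slide 104: once a host's lease ages out of the table, its packets fail the IPSG check until it renews.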
  • 112. Building The Layers: Catalyst Integrated Security Features
    - Port security prevents CAM attacks and DHCP Starvation attacks
    - DHCP Snooping prevents Rogue DHCP Server attacks
    - Dynamic ARP Inspection prevents current ARP attacks
    - IP Source Guard prevents IP/MAC Spoofing
    [Diagram: layers Port Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard; 132,000 bogus MACs make the switch act like a hub; a rogue DHCP server saying "Use this IP Address!" is blocked; a man in the middle posing as the email server ("Your email passwd is 'joecisco'!") is blocked]
  • 113. Attack: VLAN Hopping (Avoid the Use of the Native VLAN on Trunks)
    - Double-encapsulated packets (802.1q, 802.1q, data) allow a compromised server to join the default or native VLAN and then "hop" VLANs
    - Configure an unused dummy VLAN as the native VLAN
    - Alternative on 6500 is to configure encapsulation of the native VLAN:
    6500(config)#vlan dot1q tag native
    [Diagram: attacker tunnels (e.g. netcat) through a compromised server in VLAN 10; the first tag is removed on the trunk and the packet is forwarded, so traffic jumps from VLAN 10 to server2 in VLAN 20]
  • 114. Matrix for Security Features
    Feature / Platform       6500/Catalyst OS   6500/Cisco IOS   4500/Catalyst OS   4500/Cisco IOS
    Dynamic Port Security    7.6(1)             12.1(13)E        5.1(1)             12.1(13)EW
    DHCP Snooping            8.5(6)             12.2(18)SXF      N/A                12.1(12c)EW **
    DAI                      8.5(6)             12.2(18)SXF      N/A                12.1(19)EW **
    IP Source Guard          8.5(6)             12.2(33)SXH      N/A                12.1(19)EW **
    Requires Sup720 / Sup32 for DHCP Snooping and DAI
    ** For the Catalyst 4500/IOS-based platforms, this requires Sup2+, Sup3, Sup4, Sup 5. These Sups are supported on the Catalyst 4006, 4503, 4506, and 4507R chassis.
    NOTE: there are no plans to support these features for any Catalyst 4000/4500 platform running CatOS
    IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
  • 115. Unified Communications Network Agenda
    - Resilient Network Design: Network Resiliency; High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design; Switch Resiliency; NSF/SSO; ISSU & IOS Modularity; GOLD & EEM; Hardening the Network; Layer 2 Security
    - Quality of Service
  • 116. Hardening The Network: Direct and Collateral Damage
    Availability of networking resources impacted by the propagation of the worm (infected source in the access layer, system under attack reached through distribution and core):
    - Network links overloaded: high packet loss; mission critical applications impacted
    - Routers overloaded: high CPU; instability; loss of mgmt
    - End systems overloaded: high CPU; applications impacted
  • 117. Mitigating the Impact: Preventing and Limiting the Pain
    Allow the network to do what you designed it to do but not what you didn't:
    - Protect the end systems: Cisco Security Agent
    - Protect the links: QoS; Scavenger Class
    - Protect the switches: CEF; rate limiters; CoPP
    - Prevent the attack: NAC and IBNS; ACLs and NBAR
  • 118. Worms Are Only One Problem: Other Sources of Pain
    - Internet worms are not the only type of network anomaly
    - Multiple things can either go wrong or be happening that you want to prevent and/or mitigate: Spanning Tree loops; NICs spewing garbage; Distributed Denial of Service (DDoS); TCP splicing, ICMP reset attacks; Man-in-the-Middle (M-in-M) attacks; ...
    - Security best practices 'are' HA best practices in the resilient design
    - HA best practices 'are' security best practices in the resilient design
  • 119. QoS Is a Key Component of Resiliency: Protect the Good and Punish the Bad
    - QoS does more than just protect voice and video
    - For "best-effort" traffic an implied "good faith" commitment that there are at least some network resources available is assumed
    - Need to identify and potentially punish out of profile traffic (potential worms, DDoS, etc.)
    - Scavenger class is an Internet-2 Draft Specification: CS1/CoS1
    [Diagram: Voice, Data and Scavenger classes carried from Access through Distribution to Core]
• 120. Resilient Network Design: Stick to Your Principles
  - Develop an architecture and stick to it: eases operational support; consistent deployment
  - Balance OpEx and CapEx: remember you will have to live with this for a long time; requirements will change
  - Plan for evolution: the one thing that doesn't change is that there will be change
  - Understand change: how your environments are changing; how the network equipment is evolving to meet that change
  (figure: campus topology with data center)
• 121. Resilient Network Design: This Is What You Can Expect
  (chart: worst-case convergence for any campus failure event, in seconds until restoration of VoIP, y-axis 0 to 2 s; bars for L2 Access with OSPF Core*, L2 Access with EIGRP Core, OSPF Access* and EIGRP Access; L2 access uses Rapid PVST+ with HSRP, L3 access uses a routed access layer)
  *OSPF results require sub-second timers
• 122. Campus, Data Center & UC Design Guidance: Where to Go for More Information
  http://www.cisco.com/go/srnd
  • 123. © 2007 Cisco Systems, Inc. All rights reserved. UC Commercial 123 BREAK
• 124. Network Design Seminar for Unified Communications: Network Infrastructure, Quality of Service
• 125. Unified Communications Network Agenda
  - Resilient Network Design
  - Quality of Service
    QoS Best Practices Review
    Campus QoS Design
    Catalyst 4500 QoS Design
    Catalyst 6500 QoS Design
    Control Plane Policing
• 126. Enabling QoS in the Campus: Traffic Profiles and Requirements
  Voice: smooth; benign; drop sensitive; delay sensitive; UDP priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. Bandwidth per call depends on codec, sampling rate and Layer 2 media.
  Video conferencing: bursty; greedy; drop sensitive; delay sensitive; UDP priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. IP/VC has the same requirements as VoIP but radically different traffic patterns (bandwidth varies greatly).
  Data: smooth/bursty; benign/greedy; drop insensitive; delay insensitive; TCP retransmits. Data classes: mission-critical apps, transactional/interactive apps, bulk data apps, best-effort apps (default). Traffic patterns for data vary among applications.
• 127. Enabling QoS: Elements That Affect End-to-End Delay
  (figure: campus with Cisco CallManager cluster, IP WAN, branch office with SRST router, PSTN; end-to-end delay should be < 150 ms)
  - CODEC: G.729A, 25 ms
  - Queuing: variable (can be reduced using LLQ)
  - Serialization: variable (can be reduced using LFI)
  - Propagation and network: 6.3 µs/km + network delay (variable)
  - Jitter buffer: 20–50 ms
• 128. UC & Network Infrastructure Integration: Quality of Service
  - The phone contains a 3-port switch that is configured in conjunction with the access switch and CallManager:
    1. Power negotiation
    2. VLAN configuration
    3. 802.1x interoperation
    4. QoS configuration
    5. DHCP
    6. CallManager registration
  (figure, UC interaction with infrastructure QoS: switch detects IP phone and applies power; CDP transaction between phone and switch; IP phone placed in proper VLAN; DHCP request and CallManager registration)
• 129. Classification & Marking: How Should It Be Done?
  QoS is implemented in hardware on the modular switching platforms and may be split across the Supervisor and line cards. The QoS features actually available depend on the specific forwarding engine and/or line card hardware version.
• 130. Classification & Marking: Where Should It Be Done?
  Classification and marking should be performed as close as technically feasible to the sources, so that prioritization can be implemented at congestion points throughout the network. DSCP should be used wherever possible.
  - Access: classify and mark traffic at the physical port; queue on uplinks to distribution
  - Distribution and core: subsequent points in the network can now trust the marked values and queue based on the baseline values outlined below
• 131. Classification and Marking: QoS Baseline Marking Recommendations
  Application             DSCP  PHB    IPP  CoS
  Routing                  48   CS6     6    6
  Voice                    46   EF      5    5
  Video Conferencing       34   AF41    4    4
  Streaming Video          32   CS4     4    4
  Mission-Critical Data    26   AF31*   3    3
  Call Signaling           24   CS3*    3    3
  Transactional Data       18   AF21    2    2
  Network Management       16   CS2     2    2
  Bulk Data                10   AF11    1    1
  Scavenger                 8   CS1     1    1
  Best Effort               0   0       0    0
  (DSCP and PHB are the Layer 3 classification; IPP is the IP Precedence value and CoS the Layer 2 802.1p value.)
• 132. Classification and Marking Design: RFC 4594 Configuration Guidelines
  Application               DSCP  PHB   RFC
  Network Control            48   CS6   RFC 2474
  VoIP Telephony             46   EF    RFC 3246
  Call Signaling             40   CS5   RFC 2474
  Multimedia Conferencing    34   AF41  RFC 2597
  Real-Time Interactive      32   CS4   RFC 2474
  Multimedia Streaming       26   AF31  RFC 2597
  Broadcast Video            24   CS3   RFC 2474
  Low-Latency Data           18   AF21  RFC 2597
  OAM                        16   CS2   RFC 2474
  High-Throughput Data       10   AF11  RFC 2597
  Low-Priority Data           8   CS1   RFC 3662
  Best Effort                 0   DF    RFC 2474
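Both marking tables are arithmetic on the six DSCP bits. The following Python is an added example, not from the Cisco deck: it decodes a ToS byte as seen in a capture into DSCP, PHB name, IP Precedence and the CoS a Catalyst derives with its default DSCP-to-CoS map (the top three DSCP bits; that map is an assumption), and checks that every row of the QoS Baseline table is self-consistent. The sample ToS bytes are constructed.

```python
"""Decode DS-field bytes and check the marking tables above.

Added example, not part of the Cisco deck. It encodes the standard DSCP
arithmetic (RFC 2474 class selectors, RFC 2597 AFxy, RFC 3246 EF) and
assumes the default Catalyst DSCP-to-CoS map, which takes the top three
DSCP bits; the sample ToS bytes at the bottom are constructed.
"""


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper six bits of the ToS/DS byte; the low two bits are ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"ToS byte out of range: {tos}")
    return tos >> 2


def ecn_from_tos(tos: int) -> int:
    """ECN codepoint (RFC 3168) carried in the low two bits of the DS byte."""
    return tos & 0x3


def phb_name(dscp: int) -> str:
    """Standard PHB name for a DSCP value.

    CSx = 8x (RFC 2474), AFxy = 8x + 2y for class x in 1..4 and drop
    precedence y in 1..3 (RFC 2597), EF = 46 (RFC 3246), DF = 0.
    Codepoints with no standard name come back as 'DSCPnn'.
    """
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 0:
        return "DF"
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"DSCP{dscp}"


def ip_precedence(dscp: int) -> int:
    """IP Precedence is the top three bits of DSCP (backwards compatible with RFC 791)."""
    return dscp >> 3


def default_cos(dscp: int) -> int:
    """CoS the switch writes into 802.1p with the default DSCP-to-CoS map (assumption)."""
    return dscp >> 3


# The QoS Baseline rows from the slide, as (application, dscp, phb, ipp, cos).
QOS_BASELINE = [
    ("Routing", 48, "CS6", 6, 6),
    ("Voice", 46, "EF", 5, 5),
    ("Video Conferencing", 34, "AF41", 4, 4),
    ("Streaming Video", 32, "CS4", 4, 4),
    ("Mission-Critical Data", 26, "AF31", 3, 3),
    ("Call Signaling", 24, "CS3", 3, 3),
    ("Transactional Data", 18, "AF21", 2, 2),
    ("Network Management", 16, "CS2", 2, 2),
    ("Bulk Data", 10, "AF11", 1, 1),
    ("Scavenger", 8, "CS1", 1, 1),
    ("Best Effort", 0, "DF", 0, 0),
]


def inconsistent_rows(rows=QOS_BASELINE) -> list:
    """Return the names of rows whose PHB/IPP/CoS do not follow from the DSCP."""
    bad = []
    for app, dscp, phb, ipp, cos in rows:
        if phb_name(dscp) != phb or ip_precedence(dscp) != ipp or default_cos(dscp) != cos:
            bad.append(app)
    return bad


def decode_tos(tos: int) -> dict:
    """Full decode of one ToS byte as seen in a packet capture."""
    dscp = dscp_from_tos(tos)
    return {"dscp": dscp, "phb": phb_name(dscp), "ipp": ip_precedence(dscp),
            "cos": default_cos(dscp), "ecn": ecn_from_tos(tos)}


if __name__ == "__main__":
    # Constructed sample: ToS bytes of three packets (0xB8 is what an IP phone's RTP carries).
    for tos in (0xB8, 0x60, 0x4A):
        print(hex(tos), decode_tos(tos))
    print("baseline rows inconsistent:", inconsistent_rows())
```

When auditing a trust boundary, run `decode_tos` over the ToS bytes seen on an access port: anything arriving from a PC port with PHB EF or CS3 is exactly what the conditional-trust models on the following slides are there to reset.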
• 133. Policing Design Principles: Where and How Should Policing Be Done?
  Policing should be applied as close to the traffic source as possible; in general at the ingress point to the network (the access layer), at the same time as the classification process.
  Policing is applied to offending traffic classes to mark traffic down to CS1 (Scavenger) rather than drop it. Queuing on the uplink to distribution/core then confines CS1 to minimal bandwidth.
• 134. Queuing Design Principles: Where Should It Be Done?
  Queuing should be performed wherever there may be potential for congestion (even if a rare occurrence), ensuring consistency between campus, WAN and VPN networks.
  Recommended guidelines:
    1) 25% allocated to the Best Effort (BE) class
    2) Priority Queue (PQ) given a maximum of 33%
    3) Scavenger should be provided with only minimal bandwidth (5%)
    4) Congestion management enabled on the non-PQ queues
• 135. Campus Queuing Design: Realtime, Best Effort, and Scavenger Queuing Rules
  Real-Time ≤ 33%
  Critical Data
  Best Effort ≥ 25%
  Scavenger/Bulk ≤ 5%
• 136. Unified Communications Network Agenda
  - Network Resiliency
  - Layer 2 Security
  - Quality of Service
    QoS Best Practices Review
    Campus QoS Design
    Catalyst 4500 QoS Design
    Catalyst 6500 QoS Design
    Control Plane Policing
• 137. Campus QoS Considerations: Establishing Trust Boundaries
  (figure: endpoints, access, distribution, core, WAN aggregators, with three candidate trust boundaries)
  1. Optimal trust boundary: trusted endpoint
  2. Optimal trust boundary: untrusted endpoint (boundary at the access switch port)
  3. Suboptimal trust boundary (boundary pushed back into the distribution layer)
• 138. Access-Edge Trust Models: Endpoints and Endpoint Categories
  Endpoints:
  - Analog gateways
  - IP-conferencing stations
  - Videoconferencing gateways and systems
  - Video surveillance units
  - Wireless access points
  - Wireless IP phones
  - Servers
  - Client PCs
  Endpoint categories:
  - Trusted endpoints
  - Untrusted endpoints
  - Conditionally-trusted endpoints
• 139. Campus QoS Considerations: Trust Boundary Extension and Operation
  (figure: phone VLAN = 110, PC VLAN = 10; the trust boundary sits at the IP phone)
  1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone ("I see you're an IP phone, so I will trust your CoS")
  2. Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic ("Voice = 5, Signaling = 3")
  3. PC sets CoS to 5 for all traffic; the phone rewrites CoS from the PC port to 0 (all PC traffic is reset to CoS 0)
  4. Switch trusts CoS from the phone and maps CoS to DSCP for output queuing ("CoS 5 = DSCP 46", "CoS 3 = DSCP 24", "CoS 0 = DSCP 0")
  Note that this extension keys on CDP, which is unauthenticated: a host that imitates a phone's CDP advertisement obtains the same trust, which is why the conditionally-trusted models on the following slides still police what a phone port is allowed to send.
• 140. Access-Edge Trust Models: Trusted Endpoint Model
  - DSCP from the endpoint is accepted and admitted onto the network unaltered
  - Policing is optional
  Decision flow: Start → trust DSCP → optional policing → transmit packet with DSCP unaltered
• 141. Access-Edge Trust Models: AutoQoS—VoIP Model
  Decision flow (first match wins):
    VVLAN + DSCP EF → trust and transmit
    VVLAN + DSCP CS3 → trust and transmit
    DVLAN, any DSCP → remark to DSCP 0 and transmit
• 142. Access-Edge Trust Models: IP Phone + PC + Scavenger (Basic) Model
  Decision flow (first match wins; each class is policed on the port):
    VVLAN + DSCP EF: ≤ 128 kbps → trust and transmit; above → drop
    VVLAN + DSCP CS3: ≤ 32 kbps → remark to DSCP CS3 and transmit; above → remark to DSCP CS1 and transmit
    VVLAN, any other DSCP: ≤ 32 kbps → remark to DSCP 0 and transmit; above → remark to DSCP CS1 and transmit
    DVLAN, any DSCP: ≤ 5 Mbps → remark to DSCP 0 and transmit; above → remark to DSCP CS1 and transmit
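The policing principle on slide 133 and the decision flow on slide 142 together describe one per-port policy: classify on VLAN and DSCP, police each class with a token bucket, and mark excess down to CS1 instead of dropping it (excess EF is the exception and is dropped). The following Python models that policy; it is an added example, not Cisco's code. The 8000-byte burst on each policer, the integer-microsecond clock and the packet streams at the bottom are assumptions and constructed data, and the policers are per port, i.e. one phone and one PC behind it.

```python
"""Per-port access-edge policy for the IP Phone + PC + Scavenger (Basic) model.

Added example, not Cisco's code. Each rule carries a single-rate, two-colour
token-bucket policer; out-of-profile packets are marked down to CS1 rather
than dropped, except for excess EF, which is dropped. Burst sizes (8000
bytes) and the integer-microsecond clock are assumptions; the packet
streams at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

EF, CS3, CS1, DF = 46, 24, 8, 0
VVLAN, DVLAN = "VVLAN", "DVLAN"


@dataclass
class TokenBucket:
    """Single-rate two-colour policer: tokens are bytes, refilled at rate_bps."""
    rate_bps: int
    burst_bytes: int
    tokens: int = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes

    def conforms(self, size: int, now_us: int) -> bool:
        # Refill for the elapsed time, capped at the burst; an exceeding
        # packet does not consume tokens.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now_us - self.last_us) * self.rate_bps // 8_000_000)
        self.last_us = now_us
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


@dataclass
class Rule:
    vlan: str
    dscp: Optional[int]          # None matches any DSCP
    policer: TokenBucket
    conform: tuple               # ("trust", None) | ("remark", dscp) | ("drop", None)
    exceed: tuple


def build_edge_policy() -> list:
    """The four rules of the slide, in first-match order (burst sizes assumed)."""
    return [
        Rule(VVLAN, EF, TokenBucket(128_000, 8000), ("trust", None), ("drop", None)),
        Rule(VVLAN, CS3, TokenBucket(32_000, 8000), ("remark", CS3), ("remark", CS1)),
        Rule(VVLAN, None, TokenBucket(32_000, 8000), ("remark", DF), ("remark", CS1)),
        Rule(DVLAN, None, TokenBucket(5_000_000, 8000), ("remark", DF), ("remark", CS1)),
    ]


def police(rules: list, vlan: str, dscp: int, size: int, now_us: int) -> tuple:
    """Apply the first matching rule; returns ("transmit", out_dscp) or ("drop", None)."""
    for r in rules:
        if r.vlan == vlan and (r.dscp is None or r.dscp == dscp):
            action, new_dscp = r.conform if r.policer.conforms(size, now_us) else r.exceed
            if action == "trust":
                return ("transmit", dscp)
            if action == "remark":
                return ("transmit", new_dscp)
            return ("drop", None)
    return ("transmit", DF)      # anything else is treated as untrusted


def run_stream(vlan: str, dscp: int, size: int, interval_us: int, count: int) -> dict:
    """Send `count` packets of `size` bytes every `interval_us` through a fresh
    per-port policy and tally outcomes as {("transmit", dscp) | ("drop", None): n}."""
    rules = build_edge_policy()
    tally: dict = {}
    for i in range(count):
        result = police(rules, vlan, dscp, size, i * interval_us)
        tally[result] = tally.get(result, 0) + 1
    return tally


if __name__ == "__main__":
    # G.711 call from the phone: 200-byte packets every 20 ms (about 80 kbps) stays in profile.
    print("phone RTP  :", run_stream(VVLAN, EF, 200, 20_000, 100))
    # A PC on the data VLAN marking its packets EF is reset to DSCP 0, not trusted.
    print("PC fakes EF:", run_stream(DVLAN, EF, 100, 20_000, 1))
    # A PC pushing 10 Mbps (1250-byte packets every 1 ms) is marked down to CS1 once its burst is spent.
    print("PC flood   :", run_stream(DVLAN, DF, 1250, 1_000, 100))
    # Something on the voice VLAN spraying EF at 12 Mbps loses everything beyond 128 kbps.
    print("EF spray   :", run_stream(VVLAN, EF, 1500, 1_000, 100))
```

The mark-down behaviour is the point: a flooding PC still gets through at roughly its 5 Mbps profile, and what it sends beyond that survives as CS1, to be starved in the scavenger queue on the uplink rather than black-holed at the edge; only a source abusing the EF codepoint is dropped outright, because EF sits in the strict-priority queue where excess would steal from every real call.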
• 143. Campus QoS Considerations: Typical Campus Oversubscription Ratios
  Campus networks are always designed with oversubscription in mind, to take advantage of the bursty nature of traffic and the assumption that not all users require bandwidth simultaneously.
  - Access to distribution: typically 20:1
  - Distribution to core: typically 4:1
• 144. Campus QoS Design Considerations: Catalyst Hardware Queuing
  (figure: a normal queue with drop threshold 1 and drop threshold 2)
  All Catalyst switches have hardware-based queues, which differ depending on the module or port ASIC used. They are described using the notation 1PxQyT, where 1P is one strict-priority queue, x is the number of normal queues and y is the number of drop thresholds within each normal queue.
  Example: 1p3q8t = 1 priority queue with 3 normal queues, each containing 8 drop thresholds
• 145. Campus QoS Considerations: Where Is QoS Required Within the Campus?
  (figure: IP phones + PCs on FastEthernet access ports; GigabitEthernet uplinks; Ten GigabitEthernet core; server farms; WAN aggregator; Cisco Catalyst 6500 PFC3 at the distribution layer)
  - Access ports with IP phones + PCs: conditional trust + policing + queuing
  - Access ports with untrusted hosts: no trust + policing + queuing
  - Trusted server farms and interswitch links: trust DSCP + queuing
  - Distribution layer (Cisco Catalyst 6500 PFC3): per-user microflow policing + CoPP
• 146. Unified Communications Network Agenda
  - Network Resiliency
  - Layer 2 Security
  - Quality of Service
    QoS Best Practices Review
    Campus QoS Design
    Catalyst 4500 QoS Design
    Catalyst 6500 QoS Design
    Control Plane Policing
• 147. QoS on the Catalyst 4500
  (figure: RX → classify (TCAM on the Supervisor forwarding ASIC) → ingress/egress police → enters fabric → leaves fabric → queues 1–4 with Dynamic Buffer Limiting, shaping, sharing and scheduling on the scheduling ASIC → TX; the NetFlow (NFL) table provides Enhanced QoS)
  - The Catalyst 4500 implements a sophisticated suite of QoS features
  - These QoS features are implemented with three major components:
    TCAMs (policers)
    NetFlow feature (UBRL on SupV-10GE)
    Dynamic Buffer Limiting (DBL)
• 148. Cisco Catalyst 4500 QoS Design: Enabling QoS Globally
  CAT4500#show qos
  QoS is disabled globally               ! By default QoS is disabled
  IP header DSCP rewrite is enabled
  CAT4500#conf term
  Enter configuration commands, one per line.  End with CNTL/Z.
  CAT4500(config)#qos                    ! Enables QoS globally for the Cat4500
  CAT4500(config)#end
  CAT4500#
  CAT4500#show qos
  QoS is enabled globally                ! Verifies that QoS is enabled globally
  IP header DSCP rewrite is enabled
  CAT4500#
• 149. Cisco Catalyst 4500 QoS Design: Access-Layer QoS Design Options
  Global commands: globally enable QoS + CoPP
  Access edges (choose one model per port): Trusted-Endpoint Model; AutoQoS—VoIP Model; IP Phone + PC + Scavenger (Basic) Model; each with 1P3Q1T queuing + DBL
  Uplinks to distribution layer: trust DSCP; 1P3Q1T queuing + DBL
• 150. Cisco Catalyst 4500 Trusted Endpoint
  Cisco IOS trust:
  CAT4500-IOS(config)#interface FastEthernet3/1
  CAT4500-IOS(config-if)#qos trust dscp
• 151. Cisco Catalyst 4500 AutoQoS: VoIP Model
  Options:
    auto qos voip cisco-phone
    auto qos voip trust
  Configuration generated by CAT4500(config-if)#auto qos voip cisco-phone:
    qos
    qos dbl
    qos map cos 3 to 26
    qos map cos 5 to 46
    qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
    qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
    !
    policy-map autoqos-voip-policy
     class class-default
      dbl
    !
    interface GigabitEthernet0/1
     qos trust device cisco-phone
     qos trust cos
     tx-queue 3
      priority high
      shape percent 33
      bandwidth percent 33
• 152. Cisco Catalyst 4500 QoS Design: Distribution and/or Core-Layer QoS Design
  Distribution layer
    Global: globally enable QoS + CoPP
    Uplinks from access layer: trust DSCP; 1P3Q1T queuing + DBL; optional (SupV-10GE only): User-Based Rate-Limiting (UBRL)
    Interswitch links: trust DSCP; 1P3Q1T queuing + DBL
  Core layer
    Global: globally enable QoS + CoPP
    Interswitch links only: trust DSCP; 1P3Q1T queuing + DBL
• 153. Cisco Catalyst 4500 QoS Design: Queuing Design (1P3Q1T + DBL)
  Application             DSCP   Queue
  Network Control         CS7    Q4 (40%)
  Internetwork Control    CS6    Q4 (40%)
  Voice                   EF     Q3, priority queue (30%)
  Interactive Video       AF41   Q4 (40%)
  Streaming Video         CS4    Q4 (40%)
  Mission-Critical Data   AF31   Q4 (40%)
  Call Signaling          CS3    Q4 (40%)
  Transactional Data      AF21   Q4 (40%)
  Network Management      CS2    Q4 (40%)
  Bulk Data               AF11   Q1 (5%)
  Scavenger               CS1    Q1 (5%)
  Best Effort             0      Q2 (25%)
  Queue contents: Q1 = CS1/AF11; Q2 = DSCP 0; Q3 (PQ) = EF; Q4 = CS2/AF21/AF22/AF23, CS3/AF31/AF32/AF33, CS4/AF41/AF42/AF43, CS6/CS7
• 154. Cisco Catalyst 4500 QoS Design: Queuing Design (1P3Q1T + DBL)
  CAT4500-SUP4(config)#qos dbl
   ! Globally enables DBL
  CAT4500-SUP4(config)#qos dbl exceed-action ecn
   ! Optional: enables DBL to mark the RFC 3168 ECN bits in the IP ToS byte
  CAT4500-SUP4(config)#
  CAT4500-SUP4(config)#qos map dscp 0 to tx-queue 2
   ! Maps DSCP 0 (Best Effort) to Q2
  CAT4500-SUP4(config)#qos map dscp 8 10 12 14 to tx-queue 1
   ! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
  CAT4500-SUP4(config)#qos map dscp 16 18 20 22 to tx-queue 4
   ! Maps DSCP CS2 (Net-Mgmt) and AF21/AF22/AF23 (Transactional) to Q4
  CAT4500-SUP4(config)#qos map dscp 24 26 28 30 to tx-queue 4
   ! Maps DSCP CS3 (Call-Signaling) and AF31/AF32/AF33 (MC Data) to Q4
  CAT4500-SUP4(config)#qos map dscp 32 34 36 38 to tx-queue 4
   ! Maps DSCP CS4 (Str-Video) and AF41/AF42/AF43 (Int-Video) to Q4
  CAT4500-SUP4(config)#qos map dscp 46 to tx-queue 3
   ! Maps DSCP EF (VoIP) to Q3 (PQ)
  CAT4500-SUP4(config)#qos map dscp 48 56 to tx-queue 4
   ! Maps DSCP CS6 (Internetwork) and CS7 (Network) Control to Q4
  CAT4500-SUP4(config)#
  CAT4500-SUP4(config)#policy-map DBL
  CAT4500-SUP4(config-pmap)#class class-default
  CAT4500-SUP4(config-pmap-c)# dbl
   ! Enables DBL on all traffic flows
  CAT4500-SUP4(config-pmap-c)# end
  CAT4500-SUP4#
• 155. Cisco Catalyst 4500 QoS Design: Queuing Design (1P3Q1T + DBL)
  CAT4500-SUP4(config)#interface range FastEthernet2/1 - 48
  CAT4500-SUP4(config-if-range)# service-policy output DBL
  CAT4500-SUP4(config-if-range)# tx-queue 3
  CAT4500-SUP4(config-if-tx-queue)# priority high
   ! Enables Q3 as PQ
  CAT4500-SUP4(config-if-tx-queue)# shape percent 30
   ! Shapes PQ to 30%
  CAT4500-SUP4(config-if-tx-queue)# exit
  CAT4500-SUP4(config-if-range)#exit
  CAT4500-SUP4(config)#
  CAT4500-SUP4(config)#interface range GigabitEthernet1/1 - 2
  CAT4500-SUP4(config-if-range)# service-policy output DBL
  CAT4500-SUP4(config-if-range)# tx-queue 1
  CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 5
   ! Q1 gets 5%
  CAT4500-SUP4(config-if-tx-queue)# tx-queue 2
  CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 25
   ! Q2 gets 25%
  CAT4500-SUP4(config-if-tx-queue)# tx-queue 3
  CAT4500-SUP4(config-if-tx-queue)# priority high
   ! Enables Q3 as PQ
  CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30
   ! PQ gets 30%
  CAT4500-SUP4(config-if-tx-queue)# shape percent 30
   ! Shapes PQ to 30%
  CAT4500-SUP4(config-if-tx-queue)# tx-queue 4
  CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 40
   ! Q4 gets 40%
  CAT4500-SUP4(config-if-tx-queue)#end
  CAT4500-SUP4#
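The queuing rules on slides 134 and 135 (PQ ≤ 33%, best effort ≥ 25%, scavenger ≤ 5%) are easy to break when a configuration like the one above is edited by hand. The following Python is an added example, not from the Cisco deck: it parses the `qos map dscp ... to tx-queue` lines and the per-queue `bandwidth`, `shape` and `priority` lines in the form shown on these slides and reports every rule the configuration violates. GOOD_CONFIG reproduces the slide's uplink configuration; BAD_CONFIG is a constructed weak variant. It also flags an unshaped priority queue, since an unbounded PQ lets spoofed EF traffic starve everything else.

```python
"""Audit a Catalyst 4500 1P3Q1T queuing configuration against the campus
queuing rules (PQ <= 33%, best effort >= 25%, scavenger <= 5%).

Added example, not from the Cisco deck. It parses the `qos map dscp ... to
tx-queue` and per-queue `bandwidth`/`shape`/`priority` lines shown on the
slides; the embedded configs are constructed (GOOD_CONFIG follows the
slide, BAD_CONFIG is a deliberately weak variant).
"""
import re

GOOD_CONFIG = """\
qos map dscp 0 to tx-queue 2
qos map dscp 8 10 12 14 to tx-queue 1
qos map dscp 16 18 20 22 to tx-queue 4
qos map dscp 24 26 28 30 to tx-queue 4
qos map dscp 32 34 36 38 to tx-queue 4
qos map dscp 46 to tx-queue 3
qos map dscp 48 56 to tx-queue 4
interface range GigabitEthernet1/1 - 2
 tx-queue 1
  bandwidth percent 5
 tx-queue 2
  bandwidth percent 25
 tx-queue 3
  priority high
  bandwidth percent 30
  shape percent 30
 tx-queue 4
  bandwidth percent 40
"""

# Weak variant: scavenger shares the best-effort queue, the PQ is oversized and unshaped.
BAD_CONFIG = """\
qos map dscp 0 8 to tx-queue 2
qos map dscp 46 to tx-queue 3
interface GigabitEthernet1/1
 tx-queue 2
  bandwidth percent 50
 tx-queue 3
  priority high
  bandwidth percent 50
"""

EF, CS1, DF = 46, 8, 0


def parse(config: str):
    """Return (dscp -> tx-queue, tx-queue -> {bandwidth, shape, priority})."""
    dscp_to_queue, queues, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"qos map dscp ((?:\d+ )*\d+) to tx-queue (\d+)", line)
        if m:
            for d in m.group(1).split():
                dscp_to_queue[int(d)] = int(m.group(2))
            continue
        m = re.fullmatch(r"tx-queue (\d+)", line)
        if m:
            current = int(m.group(1))
            queues.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.fullmatch(r"(bandwidth|shape) percent (\d+)", line)
        if m:
            queues[current][m.group(1)] = int(m.group(2))
        elif line == "priority high":
            queues[current]["priority"] = True
    return dscp_to_queue, queues


def audit(config: str, pq_max: int = 33, be_min: int = 25, scav_max: int = 5) -> list:
    """Return a list of findings; an empty list means the config meets the rules."""
    dscp_q, queues = parse(config)
    findings = []
    pqs = [q for q, attrs in queues.items() if attrs.get("priority")]
    if len(pqs) != 1:
        return [f"expected exactly one priority queue, found {len(pqs)}"]
    pq = pqs[0]
    if dscp_q.get(EF) != pq:
        findings.append("EF (DSCP 46) is not mapped to the priority queue")
    if queues[pq].get("bandwidth", 0) > pq_max:
        findings.append(f"priority queue bandwidth exceeds {pq_max}%")
    if "shape" not in queues[pq]:
        findings.append("priority queue is not shaped: excess EF could starve the other queues")
    be_q, scav_q = dscp_q.get(DF), dscp_q.get(CS1)
    if be_q is None or queues.get(be_q, {}).get("bandwidth", 0) < be_min:
        findings.append(f"best-effort queue has less than {be_min}%")
    if scav_q is None or queues.get(scav_q, {}).get("bandwidth", 0) > scav_max:
        findings.append(f"scavenger queue has more than {scav_max}%")
    if scav_q is not None and scav_q == be_q:
        findings.append("scavenger shares a queue with best effort, so marking down has no effect")
    if sum(a.get("bandwidth", 0) for a in queues.values()) > 100:
        findings.append("queue bandwidth percentages sum to more than 100%")
    return findings


if __name__ == "__main__":
    print("slide config :", audit(GOOD_CONFIG) or "OK")
    print("weak config  :", audit(BAD_CONFIG))
```

Feed it the relevant section of `show running-config`; the parser only looks at the global `qos map dscp` lines and whatever follows a `tx-queue` line, so the rest of the configuration can be left in.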
• 156. C4500 (SupV-10GE) QoS Design: User-Based Rate Limiting (UBRL)
  Distribution-layer Cisco Catalyst 4500 SupV-10GE
  CAT4500-SUPV-10GE(config)#qos map dscp policed 0 24 46 to dscp 8
   ! Excess DVLAN and VVLAN traffic will be marked down to Scavenger (CS1)
  CAT4500-SUPV-10GE(config)#class-map match-all UBRL-BY-SOURCE-IP
  CAT4500-SUPV-10GE(config-cmap)#match flow ip source-address
  CAT4500-SUPV-10GE(config)#policy-map UBRL-TO-5MBPS-SCAVENGER
  CAT4500-SUPV-10GE(config-pmap)#class UBRL-BY-SOURCE-IP
  CAT4500-SUPV-10GE(config-pmap-c)# police 5 mbps 8000 byte exceed-action policed-dscp-transmit
   ! Out-of-profile traffic from each source IP is marked down to Scavenger (CS1)
  CAT4500-SUPV-10GE(config-pmap-c)# exit
  CAT4500-SUPV-10GE(config-pmap)#exit
  CAT4500-SUPV-10GE(config)#
  CAT4500-SUPV-10GE(config)#interface GigabitEthernet2/1
  CAT4500-SUPV-10GE(config-if)# service-policy input UBRL-TO-5MBPS-SCAVENGER
   ! Applies the UBRL policy to the uplink from the access layer
  CAT4500-SUPV-10GE(config-if)# end
  CAT4500-SUPV-10GE#
• 157. Unified Communications Network Agenda
  - Network Resiliency
  - Layer 2 Security
  - Quality of Service
    QoS Best Practices Review
    Campus QoS Design
    Catalyst 4500 QoS Design
    Catalyst 6500 QoS Design
    Control Plane Policing
• 158. Catalyst 6500 QoS: QoS Flow Through the 6500
  (figure: RX → receive queues, including a priority queue → ingress classify & police → egress classify & police → rewrite → transmit queues (WRR queues plus a priority queue) → TX)
  - Incoming encapsulation can be ISL, 802.1Q or none
  - Receive scheduling: queue and threshold are selected based on received CoS through a configurable map; CoS can be overwritten if the port is untrusted
  - Classification: DSCP-based, according to the port's trust state, with ACLs on Layer 2, Layer 3 and Layer 4 information
  - Police via ACLs: actions include forward, mark and drop, based on burst (token bucket) and byte rate
  - Rewrite: ToS field in the IP header and the 802.1p/ISL CoS field
  - Transmit scheduling: queue and threshold are selected based on CoS through a map; each queue has configurable thresholds, some with WRED (except the PQ); de-queuing uses WRR or SRR between the round-robin queues
  - Outgoing encapsulation can be ISL, 802.1Q or none
• 159. Cisco Catalyst 6500 QoS Design: Globally Enabling QoS
  CAT6500-IOS(config)# mls qos
  CAT6500-IOS(config)#end
  CAT6500-IOS#
  CAT6500-IOS# show mls qos
    QoS is enabled globally
    Microflow policing is enabled globally
    Vlan or Portchannel(Multi-Earl) policies supported: Yes
  ----- Module [2] -----
    QoS global counters:
      Total packets: 65
      IP shortcut packets: 0
      Packets dropped by policing: 0
      IP packets with TOS changed by policing: 0
      IP packets with COS changed by policing: 0
      Non-IP packets with COS changed by policing: 0
  CAT6500-IOS#
• 160. Cisco Catalyst 6500 QoS Design: Access-Layer Cisco Catalyst 6500 QoS Design Options
  Global commands: globally enable QoS + CoPP (Control Plane Policing is only supported on PFC3)
  Access edges (choose one model per port): Trusted-Endpoint Model; AutoQoS—VoIP Model; IP Phone + PC + Scavenger (Basic) Model; globally-defined, linecard-dependent queuing + dropping
  Uplinks to distribution layer: trust DSCP; globally-defined, linecard-dependent queuing + dropping
• 161. Cisco Catalyst 6500 QoS Design: Trusted Endpoint Examples
  Cisco IOS trust:
  CAT6500-IOS(config)#interface FastEthernet3/1
  CAT6500-IOS(config-if)#mls qos trust dscp
  TRUST set to TRUST DSCP
• 162. Cisco Catalyst 6500 AutoQoS VoIP (coming in the 12.2(33)SXH release)
  Options:
    auto qos voip cisco-phone
    auto qos voip ciscosoftphone
    auto qos voip trust
  Configuration generated by CAT6500(config-if)#auto qos voip cisco-phone:
    mls qos
    mls qos map cos-dscp 0 10 18 26 34 46 48 56
    interface FastEthernet2/3
     wrr-queue cos-map 1 1 0
     wrr-queue cos-map 2 1 1 2 3 4
     wrr-queue cos-map 2 2 5 6 7
     wrr-queue queue-limit 80 20
     wrr-queue bandwidth 100 255
     wrr-queue threshold 1 100 100
     wrr-queue threshold 2 80 100
     rcv-queue cos-map 1 1 0
     rcv-queue cos-map 1 3 1 2 3 4
     rcv-queue cos-map 1 4 5 6 7
     rcv-queue threshold 1 50 60 80 100
• 163. Cisco Catalyst 6500 QoS Design: Distribution and/or Core-Layer QoS Design
  Distribution layer
    Global: globally enable QoS + CoPP (Control Plane Policing is only supported on PFC3)
    Uplinks from access layer: trust DSCP; interface-group, linecard-dependent queuing + dropping; optional (PFC3 only): per-user microflow policing
    Interswitch links: trust DSCP; interface-group, linecard-dependent queuing + dropping
  Core layer
    Global: globally enable QoS + CoPP
    Interswitch links only: trust DSCP; interface-group, linecard-dependent queuing + dropping
• 164. Cisco Catalyst 6500 QoS Design: Queuing Design (1P3Q8T)
  Application             DSCP   CoS   Queue/Threshold
  Network Control         CS7    7     Q3T5
  Internetwork Control    CS6    6     Q3T4
  Voice                   EF     5     Q4 (priority queue)
  Interactive Video       AF41   4     Q3T1
  Streaming Video         CS4    4     Q3T1
  Mission-Critical Data   AF31   3     Q3T3
  Call Signaling          CS3    3     Q3T3
  Transactional Data      AF21   2     Q3T2
  Network Management      CS2    2     Q3T2
  Bulk Data               AF11   1     Q1T1
  Scavenger               CS1    1     Q1T1
  Best Effort             0      0     Q2T1
  WRR weights: Q1 5%, Q2 25%, Q3 70%; Q4 is the strict-priority queue
• 165. Cisco Catalyst 6500 QoS Design: Queuing Design (1P3Q8T)
  CAT6500-IOS(config)# interface range GigabitEthernet1/1 - 48
  CAT6500-IOS(config-if-range)# wrr-queue queue-limit 5 25 40
   ! Allocates 5% of buffers to Q1, 25% to Q2 and 40% to Q3
  CAT6500-IOS(config-if-range)# wrr-queue bandwidth 5 25 70
   ! Sets the WRR weights to 5:25:70 (Q1:Q2:Q3) for bandwidth servicing
  CAT6500-IOS(config-if-range)# wrr-queue random-detect 1
   ! Enables WRED on Q1
  CAT6500-IOS(config-if-range)# wrr-queue random-detect 2
   ! Enables WRED on Q2
  CAT6500-IOS(config-if-range)# wrr-queue random-detect 3
   ! Enables WRED on Q3
  CAT6500-IOS(config-if-range)#
  CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
   ! Sets the min WRED threshold for Q1T1 to 80% and all others to 100%
  CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
   ! Sets the max WRED threshold for Q1T1 to 100% and all others to 100%
  CAT6500-IOS(config-if-range)#
  CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
   ! Sets the min WRED threshold for Q2T1 to 80% and all others to 100%
  CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
   ! Sets the max WRED threshold for Q2T1 to 100% and all others to 100%
• 166. Cisco Catalyst 6500 QoS Design: Queuing Design (1P3Q8T)
  CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
   ! Sets the min WRED threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 70%,
   ! Q3T4 to 80%, Q3T5 to 90% and all others to 100%
  CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
   ! Sets the max WRED threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80%,
   ! Q3T4 to 90%, Q3T5 to 100% and all others to 100%
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 1 1 1
   ! Maps Scavenger/Bulk (CoS 1) to Q1 WRED threshold 1
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 2 1 0
   ! Maps Best Effort (CoS 0) to Q2 WRED threshold 1
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 1 4
   ! Maps Video (CoS 4) to Q3 WRED threshold 1
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 2 2
   ! Maps Net-Mgmt and Transactional Data (CoS 2) to Q3 WRED T2
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 3 3
   ! Maps Call-Signaling and Mission-Critical Data (CoS 3) to Q3 WRED T3
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 4 6
   ! Maps Internetwork-Control (IP routing, CoS 6) to Q3 WRED T4
  CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 5 7
   ! Maps Network-Control (Spanning Tree, CoS 7) to Q3 WRED T5
  CAT6500-IOS(config-if-range)# priority-queue cos-map 1 5
   ! Maps VoIP (CoS 5) to the PQ (Q4)
  CAT6500-IOS(config-if-range)#end
  CAT6500-IOS#
• 167. C6500 (PFC3) QoS Design: PFC3 Per-User Microflow Policing
  Distribution-layer Cisco Catalyst 6500 Sup720
  CAT6500-IOS(config)#mls qos map policed-dscp normal 0 24 26 34 36 to 8
   ! Excess traffic marked 0, CS3, AF31, AF41 or AF42 will be remarked to CS1
  CAT6500-IOS(config)#class-map match-any VVLAN-TRAFFIC
  CAT6500-IOS(config-cmap)# match ip dscp ef
  CAT6500-IOS(config-cmap)# match ip dscp cs3
  CAT6500-IOS(config-cmap)#class-map match-all DVLAN-TRAFFIC
  CAT6500-IOS(config-cmap)# match ip dscp 0
  CAT6500-IOS(config-cmap)#policy-map PER-USER-POLICING
  CAT6500-IOS(config-pmap)# class VVLAN-TRAFFIC
  CAT6500-IOS(config-pmap-c)# police flow mask src-only 160000 8000 conform-action transmit exceed-action drop
   ! Traffic from any VVLAN source (IP phone) in excess of 160 kbps is dropped
  CAT6500-IOS(config-pmap-c)# class DVLAN-TRAFFIC
  CAT6500-IOS(config-pmap-c)# police flow mask src-only 5000000 8000 conform-action transmit exceed-action policed-dscp-transmit
   ! Traffic from any DVLAN source (PC) in excess of 5 Mbps is remarked to CS1
  CAT6500-IOS(config-pmap-c)# exit