design__day_presentation.ppt
1.
© 2007 Cisco Systems, Inc. All rights reserved. UC Commercial
Evolving Your Business To Unified Communications
2.
AGENDA
8:00  Registration
8:30  Welcome, Introduction
8:45  Capabilities: discussion of your existing network
9:00  Network Requirements for Unified Communications: Business Resiliency with HA; Securing the Network Infrastructure (with demo)
11:00 Break
      Quality of Service
12:00 Lunch Break
12:45 High Availability Demonstration: ensure the additional demands for UC uptime
1:45  Deployment Models for Unified Communications
2:20  Break
2:30  Example Unified Communications Networks: taking the next step, walk through the integration of UC
4:00  Meet the Experts: whiteboard scenarios and questions
3.
Growth of Converged Applications
Switches Must Scale to New Evolving Levels of Service
(Figure: converged applications placed against rising resource and performance demands: IP Telephony, Digital Imaging, Storage Networking, Conferencing, Video Communications, Web Apps, Wireless; axes: Resources, Higher Performance)
4.
Evolution, NOT Revolution
(Figure: Voice, Data, Video)
In response to current business forces, businesses are already naturally taking an "evolutionary" approach to advancing their business. They are looking to continuously and incrementally improve their business.
5.
Evolving Solutions for Evolving Business
• Modular Has Greater Lifetime
• Only Software or Supervisor needs Upgrade
• Evolving Platform
• Smartports
• Single Chassis
• Free CNA GUI
• Various Chassis
• Power Supplies
• Supervisors
• Line Cards
6.
Why Investment Protection Matters
Architecture Designed to Evolve as Technology Evolves
Example: Catalyst 4506 with Supervisor II, initial investment broken down by component:
  Chassis                    12%
  Dual AC Power               5%
  Supervisor II              15%
  6-Port GBIC                 7%
  2 × 48-port 10/100         24%
  2 × 48-port 10/100/1000    27%
  8 GBICs                    10%
  Initial Investment        100%
In this example, Supervisor II represents only 15% of the original purchase price. Moving to Supervisor II-Plus means upgrading ONLY the supervisor to upgrade the capabilities of ALL ports: 85% of the initial investment is maintained!
7.
Why Platform Flexibility and Lifetime Matters
Maximize Your Investment
(Chart: cost ($) against features/time, comparing Catalyst Modular with Fixed/Low Cost Competitors; the competitors' curve shows repeated platform upgrade costs, the modular curve shows Capex savings. Feature timeline: L2 1999, L3 2001, 10/100/1000 2002, 802.3af 2003, 10GE 2004.)
Effective Investments Today Provide Greater Long-term Value
8.
Why Total Cost of Ownership (TCO) Matters
Capital Expenditure is ONE element of the total cost of a system; Operational and Opportunity Costs outweigh Capital Expenditures.
Capital Expenditures* (20%)
Operational Costs* (80%): Troubleshooting; Maintenance; Upgrading software; Skilled Technical Staff; Facilities
Lost Opportunity Costs: Missed or Delayed Business Opportunities Due to Unavailable Technologies
* Source: Momenta Research, 2003
9.
Value in a Switch Today: Far More Than Speeds and Feeds
Driver: High Cost of Security Breaches and Downtime
Driver: Growing Unified Communications Deployments
Driver: Network Demands Growing Faster Than IT Staff
Driver: Higher Network ROI Requirements
(Figure: Scalability feeding into Value in a Switch)
10.
Cisco Catalyst 4500 & 6500 Series
The Industry-Leading Modular Switching Platforms Delivering Maximum Value
• Leading Scalability
• Maximum Operational Efficiency
• Enables Faster Response to Evolving Business Opportunities
11.
Catalyst 4500 Series
Mid-Range, Layer 2-4 Modular Switching Platform
• Scalable Architecture
• Integrated Voice/Video/Data
• Predictable Performance
• Layer 2/3/4
• Standard Manageability
• High-Density 10/100/1000, Fiber or Copper
• QoS/Traffic Management
• Security
• Integrated Resiliency
• 10GE connectivity
(Figure labels: PSTN, IP Phones, Metro Ethernet Access)
12.
Catalyst 4500 Series Milestones & Innovations
Aug 1998  Invented Patented TCAM Technology
Jan 1999  Catalyst 4000 Layer 2 Switch
May 2000  Cisco Pre-Standard PoE
Nov 2001  Industry's First High Density 10/100/1000 LC
Jan 2002  Second Generation IOS Based Supervisor
Jun 2003  Patented Catalyst Integrated Security Features
Feb 2004  IEEE PoE
Sept 2004 Enhanced HA with SSO
Dec 2004  Line Rate L3 10 GE Supervisor V-10GE
Mar 2005  Catalyst 4900 Series for Top of Rack
Dec 2005  Line Rate L2 10 GE Supervisor II-10GE
Oct 2006  In Service Software Upgrades (ISSU)
(Three Pioneer Awards are marked on the timeline.)
13.
Award-Winning Cisco Catalyst 4500 and 4948 Series
"Best Enterprise Switch 2006" and "Best in Test 2006" (NETWORKWORLD)
Catalyst 4500 Series; Catalyst 4948 Series
14.
Catalyst 4003/4006 End of Support
Milestone | Definition | Date
End of Cat OS Software Maintenance Releases | The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will NO LONGER develop, repair, maintain, or test CAT OS. | May 3, 2006
End of Routine Failure Analysis | The last possible date a routine failure analysis may be performed to determine the cause of product failure or defect. | May 3, 2006
End of New Service Attachment | For equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract. | May 3, 2006
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_eol_notice0900aecd80324aee.html
15.
Catalyst 4000/4500 Recommended Transition
(Legend: one marker = EOS (no new feature development); the other = strategic direction of the platform.)
Chassis transition/positioning, low-end to installed base/high-end: WS-C4003, WS-C4006, WS-C4503, WS-C4506, WS-C4507R, WS-C4510R
Supervisor transition/positioning, low-end to installed base/high-end: WS-X4012, WS-X4013, WS-X4014, WS-X4515, WS-X4516, WS-X4013+, WS-X4013+10GE, WS-X4013+TS, WS-X4516-10GE
Milestones | Cat4006 and Sup II | Cat4003, Sup I, Sup III
Internal EoS Announcement | 3/22/2004 | 12/15/2003
External EoS Announcement | 5/3/2004 | 1/26/2004
End of Orderability | 5/3/2005 | 7/26/2004
End of SW Maintenance | 5/3/2006 | 7/26/2005
End of Support | 5/3/2010 | 7/26/2009
16.
Catalyst 4500: Innovation and Investment Protection
(Timeline 1999, 2002, 2004, 2007, 2012: Layer 2; L2/3/4; 10/100/1000; PoE; SSO; 10-GbE; NAC; NSF; CoPP; ISSU; development continuing)
SAME LINE CARDS throughout: forward/backward compatibility
17.
Catalyst 6500 Series
Flagship, Layer 2 – 7 Modular Switching
Chassis Options: 3, 4, 6, 9, 13 slots
Supervisor Options: Sup 32, Sup 720, PFCs
Ethernet Modules: Gigabit Ethernet; 10 Gigabit Ethernet; 96-port 10/100 TX; Field-upgradeable 802.3af PoE; 10/100/1000 TX; 100BASE-X (FX, BX, LX)
WAN Modules: Enhanced FlexWAN (DS0 to OC-3); Optical Service Modules (OC-3 to OC-48); Shared Port Adapters (SPAs) (DS0 to OC-192)
Service Modules: Comm. Media; Network Analysis; Wireless LAN; App Control Engine; Firewall; IPSec
18.
Catalyst 6500 EOS - Update
Product | Announcement Date | EOS Effective Date | Replacement Product
WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC, WS-X6K-S1A-MSFC2 | 9/24/04 | 3/25/05 | WS-SUP320-GE-3B, WS-SUP32-10GE-3B
WS-C6503 | 11/1/05 | 11/1/06 | WS-C6503-E, WS-C6504-E
WS-C6506 | 11/1/05 | 11/1/06 | WS-C6506-E
WS-X6509 | 11/1/05 | 11/1/06 | WS-C6509-E
WS-CDC-1300W | 4/15/06 | 10/14/06 | PWR-4000-DC
WS-X6K-S2-PFC2, WS-X6K-S2-MSFC2, WS-X6K-S2U-MSFC2, WS-X6500-SFM2 | 3/1/06 | 3/1/07 | WS-SUP32-GE-3B, WS-SUP32-10GE-3B, WS-SUP720-3B
WS-X6024-10FL-MT | 12/15/05 | 6/15/06 | WS-X6148-FE-SFP
WS-X6324-100FX-MM | 12/15/05 | 6/15/06 | WS-X6148-FE-SFP
WS-X6324-100FX-SM | 12/15/05 | 6/15/06 | WS-X6148-FE-SFP
19.
Catalyst 6500 Series Evolutionary Architecture
(Timeline 1999 to 2010)
• Introduced Catalyst 6500 with Supervisor Engine 1
• Supervisor Engine 2 with Switch Fabric Module scaling to 256G
• Distributed Forwarding Cards
• Service Modules
• Supervisor Engine 720 with IPv6, GRE, NAT, and Bi-dir PIM in HW
• PFC3B and 3BXL with MPLS support in HW
• New 67xx linecards
• Supervisor Engine 32 with 8x1G and 2x10G uplink options
• 8x10G line card
• Application Control Engine
• Cisco IOS Software Modularity
• Continued innovation and support
20.
Why Invest in a Modular Platform? Delivering a Higher Value!
Optimal Platform for Unified Communications: Higher Availability; Higher Security; Ease of Use, Management; Quality of Service
21.
Building a Unified Communications Network
Modular Infrastructure, HA, Security, and QoS
Access layer: Auto phone detection; Inline power; QoS: scheduling, trust boundary and classification; Fast convergence
Distribution layer: High availability, redundancy, fast convergence; Policy enforcement; QoS: scheduling, trust boundary and classification
Core: High availability, redundancy, fast convergence; QoS: scheduling, trust boundary
(Figure: hierarchical campus of Access, Distribution, Core, Distribution, Access, attached to Data Center, WAN and Internet, with Layer 3 Equal Cost Links between the layers)
22.
Network Design Seminar for Unified Communications
Unified Communications Infrastructure: High Availability & Security
23.
Building a Unified Communications Network
Infrastructure Integration, HA, Security, and QoS
(Figure: OSI layers Physical through Application alongside the campus topology)
Campus network design is evolving in response to multiple drivers:
• User Expectations: always-ON access to communications
• Business Requirements: globalization means true 7x24x365
• Technology Requirements: Unified Communications
• Unexpected Requirements: worms, viruses, …
Campus design needs to evolve to a 'resilient' model leveraging an integrated approach to High Availability, Security and Quality of Service.
24.
Building a Unified Communications Network
UC integrated with Network QoS, Security and HA
The phone contains a 3-port switch that is dynamically configured by the access switch and Call Manager:
1. Power negotiation
2. VLAN configuration
3. 802.1x interoperation
4. QoS configuration
5. DHCP
6. CallManager registration
(Figure, in sequence: Switch detects IP Phone and applies power; CDP transaction between phone and switch; IP Phone placed in proper VLAN; DHCP request and Call Manager registration)
UC endpoints dynamically participate in the overall Network QoS, Security and core HA infrastructure.
25.
Building a Unified Communications Network
It's more than having all three services configured
(Figure: Unified Comm at the intersection of QoS, High Availability and Embedded Security)
• High Availability, Quality of Service and Security are all necessary elements
• A Unified Communications Network requires all three implemented in a consistent fashion
• A Resilient Unified Communications Network requires all three implemented to reinforce and supplement each other
26.
ESE Campus Solution Test Bed
Verified Design Recommendations
(Figure: campus topology attached to Data Center, WAN and Internet, with these labels)
• Total of 68 Access Switches: 2950, 2970, 3550, 3560, 3750, 4507 SupII+, 4507 SupIV, 6500 Sup2, 6500 Sup32, 6500 Sup720, and 40 APs (1200)
• Three Distribution Blocks: 6500 with Redundant Sup720s; 6500 with Redundant Sup720; 4507 with Redundant SupV
• 6500 with Redundant Sup720s
• 7206VXR NPEG1
• 4500 SupII+, 6500 Sup720, FWSM, WLSM, IDSM2, MWAM
• 8400 Simulated Hosts; 3k-10k Routes; End-to-End Flows: TCP, UDP, RTP, IPmc
27.
Unified Communications Network Agenda
Resilient Network Design
  Network Resiliency: High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design
  Switch Resiliency: NSF/SSO; ISSU & IOS Modularity; GOLD & EEM
Hardening the Network: Layer 2 Security
Quality of Service
28.
High Availability Campus Design
Structure, Modularity and Hierarchy
(Figure: hierarchical campus attached to Data Center, WAN and Internet; labels: Redundant Switches, Redundant Supervisor, Layer 3 Equal Cost Links, Redundant Links (Layer 2 or Layer 3))
We want to build networks that look like this. The network looks like this so that we can map the protocols onto the physical topology.
Optimize the interaction of the physical redundancy with the network protocols:
• Provide the necessary amount of redundancy
• Pick the right protocol for the requirement
• Optimize the tuning of the protocol
29.
Hierarchical Campus Network
Structure, Modularity and Hierarchy
(Figure: an unstructured topology connecting Server Farm, WAN, Internet and PSTN, captioned "Not This !!")
30.
Hierarchical Campus Network: Do I Need a Core Layer?
No Core: fully meshed distribution layers
• Physical cabling requirement
• Routing complexity
Second Building Block: 4 new links
Third Building Block: 8 new links, 12 links total, 5 IGP Neighbors
4th Building Block: 12 new links, 24 links total, 8 IGP Neighbors
31. Hierarchical Campus Network
Do I Need a Core Layer?
Dedicated core switches
• Easier to add a module
• Fewer links in the core
• Easier bandwidth upgrade
• Routing protocol peering reduced
• Equal cost Layer 3 links for best convergence
• 2nd building block: 8 new links
• 3rd building block: 4 new links, 12 links total, 3 IGP neighbors
• 4th building block: 4 new links, 16 links total, 3 IGP neighbors
32. Foundations for Optimal Convergence
Layer 1
• Direct point-to-point fiber provides for fast failure detection
• IEEE 802.3z and 802.3ae link negotiation define the use of Remote Fault Indicator and Link Fault Signaling mechanisms
  • Bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side
  • Do not disable auto-negotiation on GigE and 10GigE interfaces
• Carrier-Delay
  • 3560, 3750 & 4500: 0 msec
  • 6500: leave it at the default of 50 msec
• The default debounce timer on GigE and 10GigE fiber linecards is 10 msec. The minimum debounce for copper is 300 msec
Diagram: the three stages of link failure detection between two switches: the remote IEEE fault detection mechanism, linecard throttling (debounce timer), and Cisco IOS throttling (carrier delay timer)
33. Foundations for Optimal Convergence
Layer 2 & Layer 3
• With routed interfaces a physical interface state change results in direct notification of the routing processes
• In the event of a logical L3 interface (e.g. SVI), physical events trigger L2 spanning tree changes first, which then trigger RP notification
• Indirect failures require a SW process to detect the failure
• To improve failure detection: use routed interfaces between L3 switches
Diagram: routing protocol hellos across an L2 switch or VLAN interface; with an SVI interface the L2 link goes down first, then the L3 interface goes down
34. Foundations for Optimal Convergence
CEF Equal Cost Path Recovery
• In the recommended design the recovery from most component failures is based on L3 CEF equal cost path recovery
• Time to restore traffic flows is based on:
  • Time to detect link failure
  • Processing the removal of the lost routes from the SW FIB
  • Updating the HW FIB
• No dependence on external events (no routing protocol convergence required)
• Behavior is deterministic
Diagram: equal cost links; a link or box failure does not require multi-box interaction
35. Catalyst Switch Redundancy and Protocol Interaction
Time to Recovery: CEF Paths
Recovery steps:
1. Link failure detection
2. Removal of the entries in the routing table
3. Update of the software CEF table to reflect the loss of the next hop adjacencies
4. Update of the hardware tables
5. Routing protocol notification and reconvergence (routing protocol process)
Software Routing Table (RIB):
  Prefix          Next Hop    Interface
  10.255.0.0/16   10.10.1.1   gig 1/1
                  10.20.1.1   gig 1/2
Cisco IOS Software CEF tables and hardware tables (same structure in both):
  FIB Table:
  Prefix          Adjacency Ptr
  10.255.0.0/16   Adj1 (gig 1/1)
                  Adj2 (gig 1/2)
  Adjacency Table:
  Rewrite Information
  AA.AA.AA.AA.AA, VLAN
  BB.BB.BB.BB.BB, VLAN
36. Equal Cost Multi-Path
Optimizing CEF Load-Sharing
• Up to eight equal cost CEF paths are supported in HW today
• Depending on the traffic flow patterns, one algorithm may provide better load-sharing results than another
Diagram: three-tier topology with load-sharing labels (simple, full simple, simple) and a flow split of 30% of flows / 70% of flows
Catalyst 4500 load-balancing options:
  Original       Src IP + Dst IP
  Universal      Src IP + Dst IP + Unique ID
  Include Port   Src IP + Dst IP + (Src 'or' Dst Port) + Unique ID
Catalyst 6500 PFC3* load-balancing options:
  Default             Src IP + Dst IP + Unique ID
  Full                Src IP + Dst IP + Src Port + Dst Port + opt.
  Full Exclude Port   Src IP + Dst IP + (Src 'or' Dst Port)
  Full Simple         Src IP + Dst IP + Src Port + Dst Port
  Simple              Src IP + Dst IP
37. Unified Communications Network Agenda (agenda slide repeated)
38. Multilayer Network Design
Layer 2 Access with Layer 3 Distribution
Design with unique VLANs per access switch (diagram: VLAN 10, VLAN 20):
• Each access switch has unique VLANs
• No Layer 2 loops
• Layer 3 link between distribution switches
• No blocked links
Design with VLANs spanning access switches (diagram: VLAN 30 on every access switch):
• At least some VLANs span multiple access switches
• Layer 2 loops
• Layer 2 and 3 running over the link between distribution switches
• Blocked links
39. Layer 2 Access
Layer 2 Loops and Spanning Tree
Diagram: Switch 1 and Switch 2 connected via ports 3/1 and 3/2, with frames for DST MAC 0000.0000.4444 and 0000.0000.3333
• Implement physical L2 loops only when you have to
• Spanning tree protocol is very, very rarely the problem
• L2 has no native mechanism to dampen down a problem
• Utilize Rapid PVST+ for best convergence
• Take advantage of the Spanning Tree Toolkit to help prevent a problem
  • UDLD
  • Loopguard
  • Rootguard
  • BPDUguard
• Limit the size of the L2 domain
40. Layer 2 Loops and Spanning Tree
Spanning Tree Should Behave the Way You Expect
• The root bridge should stay where you put it
  • Loopguard and Rootguard
  • UDLD
• Only end station traffic should be seen on an edge port
  • BPDU guard
  • Port Security
• There is a reasonable limit to B-Cast and M-Cast traffic volumes
  • On 4500 and 6500 configure storm control on backup links to aggressively rate limit B-Cast and M-Cast
  • Utilize Sup720 rate limiters or SupIV/V with HW queuing structure
Diagram: STP root at the distribution layer with Rootguard and Loopguard on the inter-switch links; edge ports with PortFast, BPDU Guard or Rootguard, Port Security and Storm Control
41. Optimizing L2 Convergence
PVST+, Rapid PVST+ or MST
Chart: Time to Restore Data Flows (sec), scale 0 to 35, PVST+ vs Rapid PVST+ for upstream and downstream flows
• Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP
• Rapid-PVST+ also greatly improves convergence time over Backbone Fast for any indirect link failures
• PVST+ (802.1d): traditional spanning tree implementation
• Rapid PVST+ (802.1w): scales to large size (~10,000 logical ports); easy to implement, proven, scales
• MST (802.1s): permits very large scale STP implementations (~30,000 logical ports); not as flexible as Rapid PVST+
42. UDLD
Protecting Against One Way Communication
• While 802.3z and 802.3ae link negotiation provides for L1 fault detection, HW ASIC failures can still occur
• UDLD provides an L2 based keep-alive mechanism that confirms bi-directional L2 connectivity
• Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the port's own device/port ID, and the neighbor's device/port IDs seen by UDLD on that port
• If the port does not see its own device/port ID echoed in the incoming UDLD packets, the link is considered unidirectional and is shut down
Diagram: Tx and Rx fiber strands between two switches
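The echo check described on this slide, as an added simulation that is not Cisco's implementation: each port advertises its own device/port ID plus the neighbor IDs it has heard, and a port that receives hellos without ever seeing its own ID echoed back declares the link unidirectional. The device names, port names and PDU layout are constructed for the example.

```python
"""Simulation of the UDLD echo check (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PortId = Tuple[str, str]  # (device ID, port ID), as carried in a UDLD PDU


@dataclass
class UdldPdu:
    sender: PortId
    neighbors_seen: Set[PortId]


@dataclass
class UdldPort:
    device: str
    port: str
    neighbors_seen: Set[PortId] = field(default_factory=set)
    pdus_received: int = 0
    echo_seen: bool = False

    @property
    def id(self) -> PortId:
        return (self.device, self.port)

    def build_pdu(self) -> UdldPdu:
        # Advertise ourselves plus every neighbor heard on this port so far.
        return UdldPdu(self.id, set(self.neighbors_seen))

    def receive(self, pdu: UdldPdu) -> None:
        self.pdus_received += 1
        self.neighbors_seen.add(pdu.sender)
        # The neighbor lists us among the IDs it hears, so our transmit
        # direction is working too: the link is bidirectional.
        if self.id in pdu.neighbors_seen:
            self.echo_seen = True

    def state(self) -> str:
        if self.pdus_received == 0:
            # Nothing received at all: normal-mode UDLD cannot decide.
            return "undetermined"
        if self.echo_seen:
            return "bidirectional"
        # We hear the neighbor, but it never hears us.
        return "unidirectional (errdisable)"


def run_udld(a_to_b_ok: bool, b_to_a_ok: bool, rounds: int = 3) -> Dict[str, str]:
    """Exchange `rounds` hellos over a link whose two strands (A->B and
    B->A) may be broken independently; return each port's final state."""
    a = UdldPort("SwitchA", "Gi1/1")  # constructed names
    b = UdldPort("SwitchB", "Gi1/2")
    for _ in range(rounds):
        pdu_a, pdu_b = a.build_pdu(), b.build_pdu()
        if a_to_b_ok:
            b.receive(pdu_a)
        if b_to_a_ok:
            a.receive(pdu_b)
    return {f"{p.device} {p.port}": p.state() for p in (a, b)}


if __name__ == "__main__":
    print("healthy link:        ", run_udld(True, True))
    print("B->A strand broken:  ", run_udld(True, False))
    print("both strands broken: ", run_udld(False, False))
```

With only the B->A strand broken, SwitchB is the side that hears hellos without being echoed, so it is the port that errdisables; SwitchA hears nothing and stays undetermined, which is why L1 fault signaling and UDLD complement each other.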
43. Trunk Design Considerations
Native VLAN - 802.1q
• 802.1q does not encapsulate the native VLAN
• Two potential problems
  • Security vulnerability: with the right knowledge of the network it is possible to 'VLAN hop'
  • Misconfiguration of the native VLAN can result in traffic black-holing
• Using DTP and auto-negotiating all trunks prevents mis-configuration but does not fix the security vulnerability
• Use 'dummy' native VLANs 'or' enable encapsulation of the native VLAN on 6500:
  Switch(config)#vlan dot1q tag native
Diagram: trunk between two switches carrying VLAN 10 (10.1.10.200) and VLAN 20 (10.1.20.200)
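A configuration audit for two of the hardening points on slides 40 and 43, added here as an example and not a Cisco tool: it flags trunks whose untagged native VLAN is also in use as an access VLAN (unless `vlan dot1q tag native` is set globally) and PortFast edge ports that lack BPDU guard. The running-config text is constructed, and the parser assumes the usual IOS layout of `interface X` followed by indented sub-commands and `!` separators.

```python
"""Audit an IOS switch config for native-VLAN and BPDU-guard hardening."""
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/1
 description uplink to distribution, native VLAN shared with users
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet1/2
 description uplink to distribution, dummy native VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet2/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the config into global commands and per-interface
    sub-command lists (the indented lines following `interface X`)."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' ends the interface block
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def _vlan(lines: List[str], pattern: str, default: int) -> int:
    rx = re.compile(pattern)
    for line in lines:
        m = rx.match(line)
        if m:
            return int(m.group(1))
    return default


def audit(text: str) -> List[str]:
    """Return one finding per interface that violates a rule."""
    global_cmds, blocks = parse_config(text)
    native_tagged = "vlan dot1q tag native" in global_cmds
    # VLAN 1 is the IOS default for both the access VLAN and the native VLAN.
    access_vlans = {
        _vlan(lines, r"switchport access vlan (\d+)", 1)
        for lines in blocks.values()
        if "switchport mode access" in lines
    }
    findings: List[str] = []
    for name, lines in blocks.items():
        if "switchport mode trunk" in lines and not native_tagged:
            native = _vlan(lines, r"switchport trunk native vlan (\d+)", 1)
            if native in access_vlans:
                findings.append(
                    f"{name}: untagged native VLAN {native} is also an access VLAN; "
                    "use a dummy native VLAN or 'vlan dot1q tag native'"
                )
        if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
            findings.append(f"{name}: PortFast edge port without BPDU guard")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```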
44. Phones & Switch Ports
Auxiliary VLAN
• During the initial CDP exchange the phone is configured with a Voice VLAN ID (VVID) on a multi-VLAN access port
• IMPORTANT: multi-VLAN access ports (MVAP) are NOT trunk ports, even though the hardware is enabled to receive dot1q frames
• MVAP ports are access ports with access and NOT trunk port features
• This includes support for 3rd party phones on MVAP ports
Diagram: PC VLAN = 10 (PVID), Phone VLAN = 110 (VVID); the PC sits on the native VLAN (PVID) so no configuration changes are needed on the PC; the phone uses 802.1Q encapsulation with 802.1p Layer 2 CoS
45. EtherChannel
Link Capacity and Redundancy
• EtherChannel creates a logical link by bundling multiple physical links
  • PAgP: Port Aggregation Protocol
  • LACP (802.3ad): Aggregation Protocol
• Failure of a link in a bundle will affect the spanning tree link cost and may result in a topology change
• Failure of a link in a bundle 'may' trigger a Layer 3 re-route
  • OSPF running on a Cisco IOS based switch will reduce link cost and re-route traffic
  • OSPF running on a hybrid switch will not change link cost and may overload remaining links
  • EIGRP may not change link cost and may overload remaining links
• In an L3 environment single 10 Gigabit links address both problems: increased bandwidth without routing challenges
46. EtherChannel Design Considerations
Static vs Dynamic EtherChannel
• Statically configuring members of an EtherChannel bundle improves convergence but . . .
• In a Layer 2 environment it is possible for mis-configuration to create a semi-loop between two switches
  • This is a problem during the physical add, move and change process, not one triggered by network failover events
  • Traffic received on an EtherChannel bundle is not reflected back down the link
• 802.1w requires bidirectional exchange of BPDUs
  • Loopguard will detect the loss of BPDUs on an existing working connection
• Recommendation is auto/desirable for L2
• Recommendation is on/on for L3 links
Diagram: two switches with channel members labelled On, On, Off, Off
47. EtherChannel Load Balancing
Avoid Underutilizing Redundant Paths
• Network may not load balance using the default L3 load balancing hash
  • How random are your SRC & DST IP addresses?
• Recommendation to utilize L4 hash
• In order to optimize the load balancing of traffic over multiple links deploy in powers of two (two, four, or eight)
• Single fat link (10GE) simplifies all of this
Chart: L3 hash: Link 0 load 68%, Link 1 load 32%; L4 hash: Link 0 load 52%, Link 1 load 48%
  Sup720(config)# port-channel load-balance src-dst-port
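Why the L3 hash on this slide and the "simple" CEF algorithm on slide 36 can leave a link underused, as an added simulation: a few address pairs carrying many sessions all land on one link when only source and destination IP feed the hash, while including the L4 ports spreads them. Cisco's actual CEF and port-channel hash functions are proprietary; the byte-XOR hash, the flow set and the addresses below are constructed assumptions for illustration only.

```python
"""Illustrative ECMP / EtherChannel load-sharing simulation (added example)."""
from ipaddress import IPv4Address
from typing import Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int


def hash_bucket(flow: Flow, nlinks: int, include_ports: bool) -> int:
    """ASSUMED hash (not Cisco's): XOR the IP octets, optionally the port
    bytes too, and take the result modulo the number of links."""
    h = 0
    for b in IPv4Address(flow.src).packed + IPv4Address(flow.dst).packed:
        h ^= b
    if include_ports:
        for port in (flow.sport, flow.dport):
            h ^= (port >> 8) & 0xFF
            h ^= port & 0xFF
    return h % nlinks


def distribute(flows: Iterable[Flow], nlinks: int, include_ports: bool) -> List[int]:
    """Number of flows assigned to each link by the chosen hash inputs."""
    counts = [0] * nlinks
    for flow in flows:
        counts[hash_bucket(flow, nlinks, include_ports)] += 1
    return counts


def link_shares(counts: List[int]) -> List[float]:
    """Per-link load as a percentage of all flows."""
    total = sum(counts)
    return [round(100.0 * c / total, 1) for c in counts]


def sample_flows() -> List[Flow]:
    """Constructed traffic: two client/server pairs, each with many TCP
    sessions to port 443 from successive ephemeral source ports.
    Pair 1 carries 70 sessions, pair 2 carries 30."""
    flows = [Flow("10.1.10.50", "10.1.20.5", 40000 + i, 443) for i in range(70)]
    flows += [Flow("10.1.10.51", "10.1.20.7", 40000 + i, 443) for i in range(30)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for label, with_ports in (("L3 hash (src-dst-ip)  ", False), ("L4 hash (src-dst-port)", True)):
        for nlinks in (2, 4):
            shares = link_shares(distribute(flows, nlinks, with_ports))
            print(f"{label} over {nlinks} links: {shares}")
```

With the IP-only hash every session of a pair follows the same link, so the split can never be better than the 70/30 ratio of the pairs themselves (and over four links two links carry nothing); with ports included the same 100 sessions spread evenly.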
48. First Hop Redundancy (FHRP)
Layer 2 Access
• HSRP, GLBP and VRRP are used to provide a resilient default gateway / first hop address to end stations
• A group of routers act as a single logical router providing first hop router redundancy
• Protect against multiple failures
  • Distribution switch failure
  • Uplink failure
• HSRP, GLBP and VRRP provide millisecond timers and excellent convergence performance
• VRRP if you need multi-vendor interoperability
• GLBP facilitates uplink load balancing
Diagram: failure of the active GW or of the link to the GW; the new active GW provides an alternate path
49. First Hop Redundancy
Sub-second Timers & Preempt Delay
Diagram: R1 (FHRP Active) and R2 (FHRP Standby) above Access-a
HSRP config:
  interface Vlan4
   ip address 10.120.4.2 255.255.255.0
   standby 1 ip 10.120.4.1
   standby 1 timers msec 250 msec 750
   standby 1 priority 150
   standby 1 preempt
   standby 1 preempt delay minimum 180
GLBP config:
  interface Vlan4
   ip address 10.120.4.2 255.255.255.0
   glbp 1 ip 10.120.4.1
   glbp 1 timers msec 250 msec 750
   glbp 1 priority 150
   glbp 1 preempt
   glbp 1 preempt delay minimum 180
VRRP config:
  interface Vlan4
   ip address 10.120.4.1 255.255.255.0
   ip helper-address 10.121.0.5
   no ip redirects
   vrrp 1 description Master VRRP
   vrrp 1 ip 10.120.4.1
   vrrp 1 timers advertise msec 250
   vrrp 1 preempt delay minimum 180
• Preempt delay avoids black-holing traffic when the ACTIVE gateway recovers and preempts the backup, as upstream routing and links may not yet be active
• Recommendation: do not use sub-second timers if >150 VLANs (6500)
50. First Hop Redundancy with Load Balancing
Gateway Load Balancing Protocol (GLBP)
• Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address / default gateway
• When end stations ARP for the common IP address / default gateway they are given a load balanced virtual MAC address
• Host A and host B send traffic to different GLBP peers but have the same default gateway
Diagram: subnet 10.88.1.0/24; R1 (.1) and R2 (.2) both configured with "GLBP 1 ip 10.88.1.10" (vIP 10.88.1.10), owning vMAC 0000.0000.0001 and 0000.0000.0002 respectively; hosts A and B (.4 and .5) each ARP for 10.88.1.10, one ARP reply returns MAC 0000.0000.0001 and the other MAC 0000.0000.0002
51. Routing to the Edge
Layer 3 Distribution with Layer 3 Access
• Move the Layer 2/3 demarcation to the network edge
• Upstream convergence times triggered by hardware detection of light lost from the upstream neighbor
• Beneficial for the right environment
Diagram: GLBP model (Layer 3 distribution over Layer 2 access) beside the routed access model (EIGRP/OSPF on every link); access subnets 10.1.20.0 (VLAN 20 Data), 10.1.120.0 (VLAN 120 Voice), 10.1.40.0 (VLAN 40 Data), 10.1.140.0 (VLAN 140 Voice)
52. Routing to the Edge
Advantages, Yes in the Right Environment
Chart: time to restore flows (sec, scale 0 to 2), upstream and downstream, for RPVST+, OSPF 12.2S and EIGRP; both L2 and L3 can provide sub-second convergence
• Ease of implementation, less to get right
  • No matching of STP/HSRP/GLBP priority
  • No L2/L3 multicast topology inconsistencies
• Single control plane and well known tool set: traceroute, show ip route, show ip eigrp neighbor, etc.
• Most Cisco Catalysts support L3 switching today
• EIGRP converges in <200 msec
• OSPF with sub-second tuning converges in <200 msec
• RPVST+ convergence times dependent on GLBP/HSRP tuning
53. Unified Communications Network Agenda (agenda slide repeated)
54. Multilayer Network Design
Core and Distribution Routing Design
• Managing the number of routes in the network is important
• Both EIGRP and OSPF need summarization
• Map the protocol to the topology
Chart: Time to Restore Voice (sec, scale 0 to 3) against the number of routes in the stub area (800, 1000, 3000, 6000, 9000, 12000), Sup720
55. EIGRP Design Rules for HA Campus
High-Speed Campus Convergence
• EIGRP convergence is largely dependent on query response times
• Minimize the number and time for query response to speed up convergence
  • Summarize distribution block routes upstream to the core
  • Configure all access switches as EIGRP stub routers
  • Filter routes sent down to access switches
Stub configuration on the access switches:
  router eigrp 100
   network 10.0.0.0
   eigrp stub connected
Summary toward the core on the distribution uplink:
  interface TenGigabitEthernet 4/1
   ip summary-address eigrp 100 10.120.0.0 255.255.0.0 5
Route filter toward the access switches:
  router eigrp 100
   network 10.0.0.0
   distribute-list Default out <mod/port>
  ip access-list standard Default
   permit 0.0.0.0
56. OSPF Design Rules for HA Campus
High Speed Campus Convergence
• OSPF convergence is dependent on a number of factors
• Summarization will decrease the load and often the need for SPF calculations
  • Upstream from the distribution block into the core
  • Downstream from the core into the distribution block
  router ospf 100
   area 120 stub no-summary
   area 120 range 10.120.0.0 255.255.0.0 cost 10
   network 10.120.0.0 0.0.255.255 area 120
   network 10.122.0.0 0.0.255.255 area 0
57. OSPF Design Rules for HA Campus
High Speed Campus Convergence
• OSPF convergence is also dependent on tuning of the OSPF timers
  • Sub-second hellos
  • IP dampening mechanism
  • Back-off algorithm for LSA generation
  • Exponential SPF backoff
  router ospf 100
   timers throttle spf 10 100 5000
   timers throttle lsa all 10 100 5000
   timers lsa arrival 80
  interface GigabitEthernet1/1
   dampening
   ip address 10.120.0.205 255.255.255.254
   ip ospf network point-to-point
   ip ospf dead-interval minimal hello-multiplier 4
Chart: Time to Restore Voice Flows (msec.), scale 0 to 6, for default convergence, 10 msec SPF, and 10 msec SPF and LSA
58. Unified Communications Network Agenda (agenda slide repeated)
59. System Level Resiliency
Comprehensive Physical Redundancy
• Catalyst 6500 and 4500 highly redundant modular systems
  • Redundant hot swappable supervisors
  • Redundant hot swappable power supplies
  • N+1 redundant fans with hot swappable fan trays
  • Hot swappable line cards
  • Passive data backplane
  • Redundant system clock modules
60. System Level Resiliency
NSF/SSO, IOS Modularity and ISSU
• Catalyst 6500 and 4500 supervisor hardware redundancy (1+1) will leverage four key mechanisms to improve network resiliency and provide for enhanced operational change processes
  • SSO: Stateful Switchover
  • NSF: NonStop Forwarding
  • IOS Modularity
  • ISSU: In Service Software Upgrade
• Catalyst 3750 stack switch redundancy leverages two mechanisms to improve network resiliency
  • Stackwise and StackwisePlus
  • NSF supported as of 12.2(35)SE
Diagram: redundant supervisors; Stateful Switchover (SSO) for L2, L3 & L4 protocols; NonStop Forwarding (NSF) for L3; IOS Modularity & ISSU
61. Supervisor Processor Redundancy
Stateful Switch Over (SSO)
• Active/standby supervisors run in synchronized mode
• Redundant supervisor is in 'hot-standby' mode
• Switch processors synchronize L2 port state information (e.g., STP, 802.1x, 802.1q)
• Switching HW synchronizes L2/L3 FIB, NetFlow and ACL tables
• Provides for complete system recovery in under 1 sec
Diagram: active supervisor and standby supervisor (each with SP, RP and PFC) connected to line cards with DFCs
62. Supervisor Processor Redundancy
Stateful Switch Over (SSO)
  Switch#sh mod
  Chassis Type : WS-C4507R
  Power consumed by backplane : 40 Watts
  Mod Ports Card Type                              Model              Serial No.
  ---+-----+--------------------------------------+------------------+-----------
   1     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB0627065V
   2     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB064907TY
   3    24  10/100/1000BaseT (RJ45)                WS-X4424-GB-RJ45   JAB052406EF
  <snip>
  Mod  Redundancy role     Operating mode      Redundancy status
  ----+-------------------+-------------------+-------------------
   1   Active Supervisor   SSO                 Active
   2   Standby Supervisor  SSO                 Standby hot

  Switch(config)#redundancy
  Switch(config-red)#mode ?
    rpr  Route Processor Redundancy
    sso  Stateful Switchover
63. System Resiliency
NSF Recovery (Routing Protocol Recovery)
• Non-Stop Forwarding enhancements to OSPF, EIGRP, IS-IS and BGP
• An NSF-capable router continuously forwards packets during router recovery after an SSO processor or ION process recovery
• NSF-aware and NSF-capable routers provide for transparent routing protocol recovery
  • Graceful restart extensions enable neighbor recovery without resetting adjacencies
  • Routing database re-synchronization occurs in the background
Diagram: NSF-aware neighbors surrounding an NSF-aware, NSF-capable switch
64. System Resiliency
NSF OSPF Example: No Route Flaps During Recovery
  Switch#
  *Aug 11 15:37:49: %OSPF-5-ADJCHG: Process 100, Nbr 100.1.1.1 on Vlan608 from LOADING to FULL, Loading Done
  Switch#show ip ospf
  <snip>
   Non-Stop Forwarding enabled, last NSF restart 00:00:23 ago (took 31 secs)
  <snip>
  Switch#show ip ospf neighbor detail
   Neighbor 100.1.1.1, interface address 172.26.197.67
  <snip>
    LLS Options is 0x1 (LR), last OOB-Resync 00:00:41 ago
    Dead timer due in 00:00:33
  <snip>
• OSPF-ADJCHG messages appear on the switches after a switchover even though no route flaps occur during an NSF switchover
65. System Resiliency
NSF Configuration
OSPF:
  Switch(config)#router ospf 100
  Switch(config-router)#nsf
  Switch(config-router)#nsf ?
    enforce  Cancel NSF restart when non-NSF-aware neighbors detected
EIGRP:
  Switch(config)#router eigrp 100
  Switch(config-router)#nsf
  Switch(config-router)#timers nsf ?
    converge    EIGRP time limit for convergence after switchover
    route-hold  EIGRP hold time for routes learned from nsf peer
    signal      EIGRP time limit for signaling NSF restart
BGP:
  Switch(config-router)#bgp graceful-restart ?
    restart-time    Set the max time needed to restart and come back up
    stalepath-time  Set the max time to hold onto restarting peer's stale paths
    <cr>
  Switch(config-router)#bgp graceful-restart
IS-IS:
  Switch(config)#router isis level2
  Switch(config-router)#nsf cisco
'or'
  Switch(config)#router isis level2
  Switch(config-router)#nsf ietf
66. Design Considerations for NSF/SSO
Supervisor Uplinks
• Cisco Catalyst 4500: supervisor uplink ports are active and forward traffic as long as the supervisor is fully inserted
  • Uplink ports do not go down when a supervisor is reset
• Cisco Catalyst 6500: both the active supervisor and the standby supervisor uplink ports are active as long as the supervisors are up and running
  • Uplink ports go down when the supervisor is reset
• Best practice when using uplinks on redundant supervisors is to utilize EtherChannel, e.g. bundle 5/1 & 6/1
Diagram: supervisor uplink port layouts in slots 1 and 2
• Catalyst 6500 Supervisors: all ports are active
• Catalyst 4500 Supervisor II+, Supervisor IV: 2 x GigE ports are active
• Catalyst 4500 Supervisor II+10GE: 2 x 10GE and 4 x GigE ports are active
67. Design Considerations for NSF/SSO
Where Does It Make Sense?
Chart: Seconds of Lost Voice (scale 0 to 6) for node failure and link failure, NSF/SSO vs OSPF convergence; RP convergence is dependent on IGP and tuning
• Redundant topologies with equal cost paths provide sub-second convergence
• NSF/SSO provides superior availability in environments with non-redundant paths
68. Design Considerations for NSF/SSO
Where Does It Make Sense?
Chart: Seconds of Lost Voice (scale 0 to 1) for non-SSO-aware HSRP vs SSO-aware HSRP
• Not all IOS features are SSO aware
• As of 12.2(31)SG Catalyst 4500 supports SSO aware HSRP
• 6500 will support in H107
• HSRP doesn't flap on supervisor SSO switchover
69. Design Considerations for NSF/SSO
Where Does It Make Sense?
Chart: Seconds of Lost Voice (scale 0 to 10) for NSF-Enabled Optimal vs NSF-Enabled Maximum
• Access switch is the single point of failure in the best practices HA campus design
• Supervisor failure is the most common cause of access switch service outages
• Recommended design: NSF/SSO provides for sub 600 msec recovery of voice and data traffic
70. Unified Communications Network Agenda (agenda slide repeated)
71. System Resiliency
IOS Modularity and In Service Software Upgrade
• In a redundant topology the standard maintenance practice is to shut down devices during upgrade and let the network converge
• IOS Modularity and ISSU provide the ability to patch or upgrade software in place without having to shut down
• In the access layer or any other single point of failure this can be a significant improvement in operational practices
Diagram: scheduled maintenance at half capacity vs ISSU with all paths and switches active during upgrade
72. System Resiliency
In Service Software Upgrade (ISSU)
• Full image upgrade
  • New features and patches
• Selective maintenance
  • Patch a component
• Component upgrade
  • Add new features to existing base
73. Cisco IOS Software Modularity
Catalyst 6500
• Combines a network optimized microkernel with the feature subsystems and functions enterprise and metro Ethernet customers depend on:
  • 20+ independent processes
  • Remaining feature subsystems live in the Cisco IOS Base process
• Retains support for Cisco IOS features
• Whole system benefits from an integrated HA infrastructure which determines the best action to take for improved resiliency
• Preserves Cisco Catalyst 6500 Series benefits:
  • Separate control and data planes
  • NSF and GOLD
  • Hardware acceleration
  • Scalability
Diagram: processes (Routing, IPFS, TCP, UDP, CDP, EEM, INETD, IOS-BASE, ...) on top of the High Availability Infrastructure and the Network Optimized Microkernel, above the Catalyst 6500 hardware data plane
74. Cisco IOS Software Modularity Benefits
Minimize Unplanned Downtime
• If an error occurs in a modular process, the HA subsystem determines the best recovery action
  • Restart a modular process
  • Switchover to standby supervisor
  • Remove the system from the network
• Process restarts with no impact on the data plane
  • Utilizes Nonstop Forwarding (NSF) even with a single supervisor with NSF-aware neighbors
  • State checkpointing allows quick process recovery
Diagram: traffic forwarding continues during unplanned process restarts (same process, HA infrastructure and microkernel stack as the previous slide)
75. Cisco IOS Software Modularity
Subsystem ISSU: Software Patching
Patching is always a two step process:
1. Install the patch
  • Does not change anything on the running version of code
  • Can be performed for multiple patches before the next step
  • Verifies patch dependencies
2. Activate the patch
  • All patches that are pending for install are activated at the same time
  • A copy of the previous code is retained for rollback purposes
Diagram: patches downloaded from CCO (http://www.cisco.com/go/pn) via a server (FTP, TFTP) into Catalyst 6500 flash memory; step 1 "install file", step 2 "install activate"
76. In Service Software Upgrade
Catalyst 4500
• Full image ISSU provides a mechanism to perform software upgrades and downgrades without taking the switch out of service
• Leverages the capabilities of NSF and SSO to allow the switch to forward traffic during supervisor IOS upgrade (or downgrade)
• Network does not re-route and no active links are taken out of service
Diagram: chassis with line cards, active supervisor running 12.2(xw)SG and standby supervisor running 12.2(xy)SG
77. In Service Software Upgrade
ISSU Stages
• ISSU upgrade is a 4 step process: loadversion, runversion, acceptversion, commitversion
• Possible to rollback (abortversion) up until you complete the 4th step (commit to final state)
• Leverages NSF/SSO to implement supervisor transition
• Requires that the two images are compatible for upgrade/downgrade processing
Diagram: supervisor image versions through the stages, from the initial state (both supervisors 12.2(31)SGA) through loadversion, runversion and acceptversion (one supervisor 12.2(31)SGA, the other 12.2(31)SGA1) to the final state (both 12.2(31)SGA1)
78. Unified Communications Network Agenda
• Resilient Network Design
  • Network Resiliency
    • High Availability Design Principles
    • Redundancy in the Distribution Block
    • Redundancy and Routing Design
  • Switch Resiliency
    • NSF/SSO
    • ISSU & IOS Modularity
    • GOLD & EEM
  • Hardening the Network
    • Layer 2 Security
• Understanding UC Requirements
  • Quality of Service
79. Systems Resiliency
Proactive Fault Detection and Notification
• Improved physical redundancy is not enough; intelligent system failure detection is key
• Detect and isolate: memory corruption, software inconsistency, system faults
• Power-on diagnostics (enhanced system stability): supervisor, backplane, L2 ASIC, L3 ASIC, memory, port
• Generic Online Diagnostics (enhanced network stability): HW/SW state, memory, LC module, temperature, power supply, fan tray
80. Generic Online Diagnostics
How Does GOLD Work?
• GOLD: check the health of hardware components and verify proper operation of the system data plane and control plane at run-time and boot-time
• Diagnostic packet switching tests verify that the system is operating correctly:
  • Is the supervisor control plane and forwarding plane functioning properly?
  • Is the standby supervisor ready to take over?
  • Are linecards forwarding packets properly?
  • Are all ports working?
  • Is the backplane connection working?
• Other types of diagnostics tests including memory and error correlation tests are also available
Diagram: active and standby supervisors (CPU, forwarding engine) and line cards (forwarding engine) connected across the fabric
81. Generic Online Diagnostics
Diagnostic Operation
Boot-up diagnostics: run during system bootup, line card OIR or supervisor switchover; makes sure faulty hardware is taken out of service
  Switch(config)#diagnostic bootup level complete
Runtime diagnostics, health-monitoring: non-disruptive tests run in the background; serves as an HA trigger
  Switch(config)#diagnostic monitor module 5 test 2
  Switch(config)#diagnostic monitor interval module 5 test 2 00:00:15
Runtime diagnostics, on-demand: all diagnostics tests can be run on demand for troubleshooting purposes; can also be used as a pre-deployment tool
  Switch#diagnostic start module 4 test 8
  Module 4: Running test(s) 8 may disrupt normal system operation
  Do you want to continue? [no]: y
  Switch#diagnostic stop module 4
Runtime diagnostics, scheduled: schedule diagnostics tests for verification and troubleshooting purposes
  Switch(config)#diagnostic schedule module 4 test 1 port 3 on Jan 3 2005 23:32
  Switch(config)#diagnostic schedule module 4 test 2 daily 14:45
82. Generic Online Diagnostics
Using Diagnostics as a Pre-Deployment Tool
  Cat-6500#diagnostic start module 6 test all
  Module 6: Running test(s) 8 will require resetting the line card after the test has completed
  Module 6: Running test(s) 1-2,5-9 may disrupt normal system operation
  Do you want to continue? [no]: yes
  <snip>
  *Mar 25 22:43:16: SP: ******************************************************************
  *Mar 25 22:43:16: SP: * WARNING:
  *Mar 25 22:43:16: SP: * ASIC Memory test on module 6 may take up to 2hr 30min.
  *Mar 25 22:43:16: SP: * During this time, please DO NOT perform any packet switching.
  *Mar 25 22:43:16: SP: ******************************************************************
  <snip>
  . . .
  Cat-6500#diagnostic start system test all
  ****************************************************************
  * WARNING: *
  * Diagnostic System Test will disrupt normal system *
  * operation and also system required RESET after system *
  * test is done prior to normal use. *
  <snip>
  . . .
Note: the order in which tests are run matters
• Run diagnostics first on linecards, then on supervisors
• Run packet switching tests first, run memory tests after
• Simplified CLI for system test correctly orders diagnostics: 12.2(33)SXH
83. Embedded Event Manager: Proactive Fault Detection and Notification
EEM is a Cisco IOS technology that runs on the control plane. It is a combination of event detectors and processes that monitor key system parameters (CPU utilization, interface errors, counters, SNMP and syslog events) and act when a specific event occurs or a threshold or counter is exceeded.
84. Embedded Event Manager: EEM Application Example
Upon matching the syslog message 'LINK-3-UPDOWN' (interface down, for example because of a cable fault), the switch performs the following actions:
1. Display error statistics for the link that has gone down (interface error counters).
2. Start a Time Domain Reflectometry (TDR) test on the port.
3. Start a GOLD loopback test.
4. Send the results, using a provided template, to a user-configurable e-mail address.
85. Embedded Event Manager: EEM Scripting Community
• Cisco IOS Embedded Event Manager (EEM) automation: event-driven scripts.
• Cisco Beyond, an EEM scripting community for customers, partners and Cisco to share EEM scripts and get best-practice examples.
• EEM and Cisco Beyond: http://cisco.com/go/eem and http://forums.cisco.com/eforum/servlet/EEM?page=main
86. Unified Communications Network Agenda
Resilient Network Design: Network Resiliency (High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design); Switch Resiliency (NSF/SSO; ISSU & IOS Modularity; GOLD & EEM); Hardening the Network (Layer 2 Security); Quality of Service
87. Network Infrastructure Integration: Understanding Edge Security and L2 Attacks
The phone contains a 3-port switch that is configured in conjunction with the access switch and CallManager. Phone interaction with the infrastructure edge:
1. Power negotiation: the switch detects the IP phone and applies power
2. VLAN configuration: CDP transaction between phone and switch; the IP phone is placed in the proper VLAN
3. 802.1x interoperation
4. QoS configuration
5. DHCP: DHCP request
6. CallManager registration
88. Attack: MAC Flooding (CAM Table Overflow)
The switch's CAM table maps MAC address to port (A on port 1, B on port 2, C on port 3). An attacker on port 3 sends frames from bogus source MACs (Y, Z, ...), and each one is learned on port 3 ("Y is on port 3", "Z is on port 3"). Once the CAM table on the switch is full, traffic to a destination without a CAM entry is flooded out every port in that VLAN, so the attacker on port 3 sees the traffic from A to B ("I see traffic to B!").
89. Attack: MAC Flooding (CAM Table Overflow), Tools
• macof (part of dsniff, http://monkey.org/~dugsong/dsniff/) sends frames with random source MAC and IP addresses.
• It is much more aggressive if you run it as "macof -i eth1 2> /dev/null" (stderr discarded, so the tool is not slowed down by printing).
• Yersinia: flavor-of-the-month attack tool.
Sample macof output:
    macof -i eth1
    36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
    16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
    18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
    e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
    62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
    c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
    88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
    b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
    e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
90. Countermeasures for MAC Attacks: Port Security
Port security limits the number of MACs learned on an interface.
• The maximum is not there to control access; it is there to protect the switch from attack.
• Depending on security policy, disabling the port might be preferred, even with VoIP. "violation restrict" drops the offending frames and keeps the port up, so voice keeps working under attack.
• An aging time of two minutes with aging type inactivity allows for the phone's CDP interval of one minute.
IOS:
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
If the violation mode is err-disable (shutdown), the following log message is produced:
    4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
91. Countermeasures for MAC Attacks: With IP Phones
• Phones need 2 or 3 MAC addresses allowed on the port, depending on the switch hardware and software: some switches look at the CDP traffic and some don't; if they don't, 2 are needed, if they do, 3. Some hardware (3550) always needs 3.
• The default violation mode is shutdown (disable the port); for VoIP you might want restrict instead.
• This feature is there to protect the switch; you can make the maximum any number you like as long as the CAM table cannot be overrun.
Note: with the restrict mode of port security, when the switch is under attack you will see a performance hit on the CPU.
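The CAM overflow of slides 88 and 89 and the port-security countermeasure of slides 90 and 91, as an added Python simulation. This is not code from the deck (which only shows the IOS commands): the CAM size of 8192 entries, the port names Fa0/1 to Fa0/3 and the 10,000 generated source MACs are assumptions for the illustration; the port-security parameters are the deck's (maximum 3, violation restrict or shutdown, aging time 2 minutes, type inactivity).

```python
"""CAM-table overflow (macof) versus port security, simulated.
Added example: CAM size, port names and generated MACs are assumed."""


class PortSecurity:
    """switchport port-security maximum N violation {restrict|shutdown}
    aging time <min> aging type inactivity, for one port."""

    def __init__(self, maximum=3, violation="restrict", aging_min=2):
        self.maximum, self.violation, self.aging_min = maximum, violation, aging_min
        self.secure = {}          # secure MAC -> minute it was last seen
        self.violations = 0
        self.err_disabled = False

    def admit(self, mac, now_min):
        """True if a frame from mac may be learned and forwarded at time now_min."""
        if self.err_disabled:
            return False
        # inactivity aging: a phone that sends CDP every minute keeps its slot,
        # a MAC silent for aging_min minutes or more is released
        self.secure = {m: t for m, t in self.secure.items() if now_min - t < self.aging_min}
        if mac in self.secure or len(self.secure) < self.maximum:
            self.secure[mac] = now_min
            return True
        self.violations += 1           # restrict: drop the frame, count it, keep the port up
        if self.violation == "shutdown":
            self.err_disabled = True   # shutdown: the port goes err-disable
        return False


class Switch:
    """One VLAN with a fixed-size CAM table; unknown unicast floods the VLAN."""

    def __init__(self, ports, cam_size, port_security=None):
        self.ports, self.cam_size = list(ports), cam_size
        self.cam = {}                          # MAC -> port
        self.psec = port_security or {}        # port -> PortSecurity
        self.flooded = 0

    def forward(self, in_port, src, dst, now_min=0):
        """Learn src on in_port, then return the set of egress ports for dst."""
        ps = self.psec.get(in_port)
        if ps is not None and not ps.admit(src, now_min):
            return set()
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port            # a full CAM simply learns nothing new
        if dst in self.cam:
            return {self.cam[dst]}
        self.flooded += 1
        return {p for p in self.ports if p != in_port}


def macof(switch, port, count):
    """Bogus source MACs, as macof does: each one becomes a CAM entry on the attacker's port."""
    for i in range(count):
        bogus = "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF)
        switch.forward(port, bogus, "ff:ff:ff:ff:ff:ff")


def scenario(protect, violation="restrict", bogus=10_000):
    """Attacker on Fa0/3 floods, then host B (Fa0/2) talks to host A (Fa0/1) and
    A replies. Returns which ports got A's reply, the CAM size and the counters."""
    host_a, host_b = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"
    ports = ["Fa0/1", "Fa0/2", "Fa0/3"]
    psec = {"Fa0/3": PortSecurity(3, violation)} if protect else {}
    sw = Switch(ports, cam_size=8192, port_security=psec)
    sw.forward("Fa0/1", host_a, host_b)           # A is learned on Fa0/1 first
    macof(sw, "Fa0/3", bogus)
    sw.forward("Fa0/2", host_b, host_a)           # B -> A: B is learned only if the CAM has room
    egress = sw.forward("Fa0/1", host_a, host_b)  # A -> B: unicast, or flooded to the attacker?
    ps = psec.get("Fa0/3")
    return {
        "a_to_b_egress": egress,
        "cam_entries": len(sw.cam),
        "violations": ps.violations if ps else 0,
        "err_disabled": ps.err_disabled if ps else False,
    }


def aging_demo():
    """After two silent minutes a secure MAC is released and a new one is admitted."""
    ps = PortSecurity(maximum=1, aging_min=2)
    first = ps.admit("00:0e:00:aa:aa:aa", now_min=0)
    blocked = ps.admit("00:0e:00:bb:bb:bb", now_min=1)   # slot still held by the first MAC
    aged_in = ps.admit("00:0e:00:bb:bb:bb", now_min=2)   # first MAC inactive for 2 minutes
    return first, blocked, aged_in


if __name__ == "__main__":
    print("no port security:", scenario(protect=False))
    print("restrict:        ", scenario(protect=True))
    print("shutdown:        ", scenario(protect=True, violation="shutdown"))
    print("aging:           ", aging_demo())
```

Without port security the CAM fills up, B can no longer be learned, and A's reply is flooded to the attacker's port; with maximum 3 and violation restrict the attacker gets three entries and thousands of counted violations while the port stays up, which is the CPU cost the slide warns about. With violation shutdown the first excess MAC err-disables the port.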
92. Building the Layers: Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP starvation attacks: without it, 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.) make the switch act like a hub.
Layer stack so far: Port Security (IP Source Guard to follow).
93. Attack: DHCP Starvation
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the addresses available in it: one DHCP Discover (broadcast) for every address in the scope, each with a new MAC address to request a new lease.
Countermeasure: restrict the number of MAC addresses on a port.
IOS:
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
94. Attack: Rogue DHCP Server
The client broadcasts a DHCP Discover; a rogue server on the segment answers with a unicast DHCP Offer. What can the attacker do if he is the DHCP server? He chooses everything in the lease:
    IP Address: 10.10.10.101
    Subnet Mask: 255.255.255.0
    Default Routers: 10.10.10.140
    DNS Servers: 10.10.10.140
    Lease Time: 10 days
• Wrong default gateway: the attacker is the gateway
• Wrong DNS server: the attacker is the DNS server
• Wrong IP address: the attacker does a DoS with an incorrect IP
95. Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
By default all ports in the VLAN are untrusted. DHCP server responses (offer, ack, nak) are accepted only from trusted ports (the DHCP server or the uplink); the same responses arriving on an untrusted port (a client, or a rogue server) are dropped.
IOS global commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
Untrusted client interface commands:
    no ip dhcp snooping trust        (default)
    ip dhcp snooping limit rate 10   (pps)
Trusted server or uplink interface commands:
    ip dhcp snooping trust
96. Countermeasures for DHCP Attacks: DHCP Snooping Binding Table
• The table is built by "snooping" the DHCP reply to the client.
• Entries stay in the table until the DHCP lease time expires.
• In a mobile work environment, reduce the lease time to make sure stale binding entries are removed.
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
97. Countermeasures for DHCP Attacks: DHCP Option 82, Upstream Modifications
• DHCP snooping modifies the DHCP Discover packet by adding an option 82 field.
• Option 82 identifies the 'circuit-id' (switch port) the DHCP Discover originated on; it is defined in RFC 3046.
• The access switch inserts option 82 without setting giaddr, so the distribution switch acting as trusted DHCP relay must be configured to trust DHCP packets modified by downstream relay agents, otherwise it drops them:
    ! Distribution switch: trust DHCP packets modified by the access switch with option 82
    ip dhcp relay information trust-all
98. Building the Layers: Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP starvation attacks (132,000 bogus MACs, 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, etc.: switch acts like a hub).
• DHCP snooping prevents rogue DHCP server attacks (the rogue's "Use this IP address!" never reaches the client).
Layer stack so far: Port Security, DHCP Snooping (IP Source Guard to follow).
99. Attack: ARP, ARP Function Review
• Before a station can talk to another station it must send an ARP request to map the IP address to the MAC address ("Who is 10.1.1.4?").
• The ARP request is broadcast using EtherType 0x0806.
• All computers on the subnet receive and process the ARP request; the station whose IP address matches the request sends an ARP reply ("I am 10.1.1.4, MAC A").
100. Attack: ARP, Gratuitous ARP
• According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP, and other hosts on the same subnet can store this information in their ARP tables.
• Anyone can claim to be the owner of any IP/MAC address they like: one host announces "I am 10.1.1.1, MAC A" and every other host records "10.1.1.1 is MAC A".
• ARP attacks use this to redirect traffic.
101. Attack: ARP, ARP Attack Tools
• Many tools on the Net for ARP man-in-the-middle attacks: dsniff, Cain & Abel, ettercap, Yersinia, etc.
• ettercap: http://ettercap.sourceforge.net/index.php
• Cain: www.oxid.it/cain.html
• Some are second- or third-generation ARP attack tools; most have a very nice GUI and are almost point and click.
• Packet insertion, many-to-many ARP attacks.
• All of them capture the traffic/passwords of applications: FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc.
102. Attack: ARP Poisoning (ettercap, Cain, ...)
Three hosts in VLAN 10 on a Catalyst 4500: 10.1.1.1 (MAC 00-0F-8F-7A-2C-3F), the user PC 10.1.1.3 (MAC 00-0D-60-7A-25-02) and the hacker PC 10.1.1.2 (MAC 00-15-58-2D-08-2A).
• Before the attack, the user PC's ARP cache has 10.1.1.1 = 00-0F-8F-7A-2C-3F and the 10.1.1.1 host's cache has 10.1.1.3 = 00-0D-60-7A-25-02.
• After the hacker's gratuitous ARPs, the user PC's cache says 10.1.1.1 = 00-15-58-2D-08-2A and the 10.1.1.1 host's cache says 10.1.1.3 = 00-15-58-2D-08-2A: both ends now send to the hacker PC.
• The hacker PC's own cache keeps the real mappings (10.1.1.1 = 00-0F-8F-7A-2C-3F, 10.1.1.3 = 00-0D-60-7A-25-02), so it can forward the traffic in both directions and stay invisible as the man in the middle.
103. Countermeasures to ARP Attacks: Dynamic ARP Inspection (DAI)
• DAI uses the DHCP snooping binding table information.
• All ARP packets must match the IP/MAC binding table entries; if they do not match, they go in the bit bucket.
Example with DHCP snooping and DAI enabled and bindings 10.1.1.1 = MAC A, 10.1.1.2 = MAC B, 10.1.1.3 = MAC C: the attacker (MAC C) sends "10.1.1.2 is MAC C" towards 10.1.1.1 and "10.1.1.1 is MAC C" towards 10.1.1.2. The switch asks "Is this in my binding table? No!" and drops both ARPs.
104. Countermeasures to ARP Attacks: Dynamic ARP Inspection
• Uses the information from the DHCP snooping binding table.
• Looks at the MacAddress and IpAddress fields to see whether the ARP from the interface is in the binding; if not, the traffic is blocked.
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
    00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
• No entry in the binding table, no traffic! Wait until all devices have new leases before turning on Dynamic ARP Inspection.
• Entries stay in the table until the lease runs out.
• All switches have a binding size limit: 4500 switches 3000 entries (6000 for the Sup V-10GE); 6500 switches 16,000 entries.
105. Countermeasures to ARP Attacks: Dynamic ARP Inspection Configuration
IOS global commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
    ip arp inspection vlan 4,104
    ip arp inspection log-buffer entries 1024
    ip arp inspection log-buffer logs 1024 interval 10
Interface commands:
    no ip dhcp snooping trust
    no ip arp inspection trust
    ip arp inspection limit rate 100
• DAI is configured on a per-VLAN basis.
• You can trust an interface, as with DHCP snooping.
• For voice, set the DAI rate limit above the default if dial tone matters: a port whose ARP rate exceeds the limit is err-disabled, phone included.
106. Non-DHCP Devices
Use static bindings in the DHCP snooping binding table.
IOS global commands:
    ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1
IOS show commands:
    show ip source binding
The show commands for static and dynamic entries in the binding table are different: show ip source binding lists both the static and the dynamic (dhcp-snooping) entries, while show ip dhcp snooping binding lists only the dynamic ones.
107. Security Demo
108. Building the Layers: Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP starvation attacks (132,000 bogus MACs, 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, etc.: switch acts like a hub).
• DHCP snooping prevents rogue DHCP server attacks ("Use this IP address!").
• Dynamic ARP Inspection prevents current ARP attacks (the man in the middle reading "Your e-mail password is 'joecisco'!" out of the session to the e-mail server).
Layer stack so far: Port Security, DHCP Snooping, Dynamic ARP Inspection (IP Source Guard to follow).
109. Attack: IP and MAC Spoofing; Countermeasure: IP Source Guard
• IP Source Guard uses the DHCP snooping binding table information.
• It operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets.
Example with DHCP snooping, DAI and IP Source Guard enabled and bindings 10.1.1.1 = MAC A, 10.1.1.2 = MAC B, 10.1.1.3 = MAC C: traffic received with source IP 10.1.1.2 / MAC B is forwarded; traffic sent with IP 10.1.1.3 / MAC B, or with IP 10.1.1.2 / MAC C, is not in the binding table ("Is this in my binding table? No!") and is dropped.
110. Countermeasures to Spoofing Attacks: IP Source Guard
• Uses the information from the DHCP snooping binding table:
    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
    00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
• DHCP snooping has to be configured first so that the binding table gets built.
• IP Source Guard is configured per port.
• IP Source Guard with MAC checking does not learn the MAC from the device connected to the switch; it learns it from the DHCP Offer.
111. Countermeasures to Spoofing Attacks: IP Source Guard Configuration
IP Source Guard, IP checking only (no option 82):
  IOS global commands
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
  Interface commands
    ip verify source vlan dhcp-snooping
IP Source Guard, IP and MAC checking (option 82):
  IOS global commands
    ip dhcp snooping vlan 4,104
    ip dhcp snooping information option
    ip dhcp snooping
  Interface commands
    ip verify source vlan dhcp-snooping port-security
• MAC and IP checking can be turned on separately or together.
• IP checking works with the information already in the binding table.
• MAC checking requires a DHCP server that supports option 82 (Microsoft's does not). There are at least two DHCP servers that support the option 82 field: Cisco Network Registrar and Avaya.
• You also have to change the bootp-helper (DHCP relay) router configuration to trust option 82: 'dhcp relay information trust'.
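DHCP snooping (slides 95 to 97), Dynamic ARP Inspection (slides 103 to 106) and IP Source Guard (slides 109 to 111) all come down to one binding table consulted by three checks. The Python below simulates those checks as an added example; it is not code from the deck. The MAC addresses and bindings are the ones on the slides, the port names, the trusted uplink Gi1/1, the IOS default ARP limit of 15 pps and the way the simulated switch learns the client's port from its DHCP Discover/Request are assumptions.

```python
"""DHCP snooping, Dynamic ARP Inspection and IP Source Guard as checks against
one binding table, simulated. Added example, not code from the deck."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, arp_limit_pps=15):
        self.trusted = set(trusted_ports)   # ip dhcp snooping trust / ip arp inspection trust
        self.arp_limit = arp_limit_pps      # ip arp inspection limit rate <pps> (IOS default 15)
        self.bindings = {}                  # (mac, vlan) -> Binding
        self.pending = {}                   # (mac, vlan) -> port the client's DISCOVER/REQUEST came in on
        self.err_disabled = set()
        self.arp_count = defaultdict(int)   # (port, second) -> ARP packets seen
        self.log = []

    def add_static_binding(self, mac, vlan, ip, port):
        """ip source binding <mac> vlan <id> <ip> interface <port>: a non-DHCP device."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port)

    def dhcp_from_client(self, port, vlan, mac):
        """DISCOVER/REQUEST on an untrusted port: remember where the client is."""
        self.pending[(mac, vlan)] = port

    def dhcp_from_server(self, port, vlan, msg, client_mac, yiaddr):
        """OFFER/ACK/NAK: dropped on untrusted ports (rogue server); an ACK on a
        trusted port creates the binding for the client. Returns True if forwarded."""
        if port not in self.trusted:
            self.log.append(f"DHCP {msg} from untrusted {port} dropped")
            return False
        key = (client_mac, vlan)
        if msg == "ACK" and key in self.pending:
            self.bindings[key] = Binding(client_mac, yiaddr, vlan, self.pending[key])
        return True

    def _matches(self, port, vlan, mac, ip, check_mac):
        if check_mac:
            b = self.bindings.get((mac, vlan))
            return b is not None and b.ip == ip and b.port == port
        return any(b.ip == ip and b.port == port and b.vlan == vlan
                   for b in self.bindings.values())

    def arp_inspect(self, port, vlan, sender_mac, sender_ip, now_s=0):
        """DAI: on untrusted ports the ARP sender MAC/IP must match a binding;
        more than arp_limit ARPs within one second err-disables the port."""
        if port in self.err_disabled:
            return False
        if port in self.trusted:
            return True
        self.arp_count[(port, int(now_s))] += 1
        if self.arp_count[(port, int(now_s))] > self.arp_limit:
            self.err_disabled.add(port)
            self.log.append(f"{port} exceeded {self.arp_limit} ARP pps, err-disabled")
            return False
        ok = self._matches(port, vlan, sender_mac, sender_ip, check_mac=True)
        if not ok:
            self.log.append(f"DAI drop on {port}: {sender_ip} is not {sender_mac}")
        return ok

    def ip_verify_source(self, port, vlan, src_mac, src_ip, check_mac=True):
        """IP Source Guard: every IP packet on the port must match a binding.
        check_mac=False is 'ip verify source' without port-security (IP check only)."""
        if port in self.trusted:
            return True
        return self._matches(port, vlan, src_mac, src_ip, check_mac)


def demo():
    """Victim on Fa3/18, attacker on Fa3/21, DHCP server behind the trusted uplink Gi1/1 (assumed)."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"}, arp_limit_pps=100)
    victim, attacker, printer = "00:03:47:b5:9f:ad", "00:15:58:2d:08:2a", "00:00:00:00:00:01"
    sw.dhcp_from_client("Fa3/18", 4, victim)
    rogue = sw.dhcp_from_server("Fa3/21", 4, "OFFER", victim, "10.10.10.101")  # rogue server on the attacker's port
    sw.dhcp_from_server("Gi1/1", 4, "ACK", victim, "10.120.4.10")             # the real server's ACK
    sw.add_static_binding(printer, 4, "10.120.4.200", "Fa3/1")                # non-DHCP device
    result = {
        "rogue_offer_forwarded": rogue,
        "victim_arp": sw.arp_inspect("Fa3/18", 4, victim, "10.120.4.10"),
        "mitm_arp": sw.arp_inspect("Fa3/21", 4, attacker, "10.120.4.10"),     # "10.120.4.10 is me"
        "spoofed_ip_packet": sw.ip_verify_source("Fa3/21", 4, attacker, "10.120.4.10"),
        "victim_ip_packet": sw.ip_verify_source("Fa3/18", 4, victim, "10.120.4.10"),
        "printer_ip_packet": sw.ip_verify_source("Fa3/1", 4, printer, "10.120.4.200"),
    }
    for _ in range(101):                     # ARP storm from the attacker during second 5
        sw.arp_inspect("Fa3/21", 4, attacker, "10.120.4.11", now_s=5)
    result["attacker_port_err_disabled"] = "Fa3/21" in sw.err_disabled
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

The rogue offer never leaves the untrusted port, the attacker's gratuitous ARP for the victim's address and his packets sourced from it fail the binding check, the printer passes through its static binding, and a burst above the per-port ARP limit err-disables the port, which is why the slide suggests raising that limit where a phone shares the port.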
112. Building the Layers: Catalyst Integrated Security Features
• Port security prevents CAM attacks and DHCP starvation attacks (132,000 bogus MACs, 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, etc.: switch acts like a hub).
• DHCP snooping prevents rogue DHCP server attacks ("Use this IP address!").
• Dynamic ARP Inspection prevents current ARP attacks (the man in the middle reading "Your e-mail password is 'joecisco'!").
• IP Source Guard prevents IP/MAC spoofing.
Complete layer stack: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard.
113. Attack: VLAN Hopping
• Double-encapsulated (double 802.1Q-tagged) packets allow a compromised server in the default or native VLAN to "hop" VLANs: the first switch removes the outer tag, which matches the trunk's native VLAN, and forwards the frame untagged on the trunk; the next switch sees only the inner tag and delivers the frame into VLAN 20. Through a tunnel (e.g. netcat) the attacker in VLAN 10 reaches server2 in VLAN 20, even though traffic in the other direction is never delivered.
• Avoid the use of the native VLAN on trunks for user traffic: configure an unused dummy VLAN as the native VLAN.
• Alternative on the 6500: tag the native VLAN on trunks.
    6500(config)#vlan dot1q tag native
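The double-tagging described above, at the byte level, as an added Python example (not code from the deck). It builds the attacker's frame with two 802.1Q tags, runs it through a simulated access port and trunk on the first switch, and classifies it on the second switch; the access-port behaviour of stripping a tag that matches the access VLAN is the weakness the attack relies on and is assumed here, as are the MAC addresses (taken from the ARP slide) and VLAN numbers.

```python
"""802.1Q double tagging (VLAN hopping) and the two native-VLAN fixes, at the
byte level. Added example, not deck code; MACs and VLAN numbers are assumed."""
import struct

TPID_8021Q = 0x8100
ATTACKER = "00:15:58:2d:08:2a"
SERVER2 = "00:0d:60:7a:25:02"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, vids, payload=b"netcat tunnel", ethertype=0x0800):
    """Ethernet frame with zero or more 802.1Q tags (PCP/DEI = 0), outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def access_ingress(frame, access_vlan):
    """Switch 1, access port in access_vlan: a tag equal to the access VLAN is
    stripped (the weak behaviour the attack needs); anything left is payload."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if vids and vids[0] == access_vlan:
        return access_vlan, build_frame(mac_str(dst), mac_str(src), vids[1:], payload, ethertype)
    return access_vlan, frame


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch 1 trunk: native-VLAN frames go out untagged unless 'vlan dot1q tag native'."""
    if vlan == native_vlan and not tag_native:
        return frame          # untagged: whatever tag the attacker left inside is now the first tag
    dst, src, vids, ethertype, payload = parse_frame(frame)
    return build_frame(mac_str(dst), mac_str(src), [vlan] + vids, payload, ethertype)


def trunk_ingress_vlan(frame, native_vlan):
    """Switch 2 trunk: classify by the outermost tag; untagged frames belong to the native VLAN."""
    vids = parse_frame(frame)[2]
    return vids[0] if vids else native_vlan


def hop(native_vlan, tag_native=False, access_vlan=10, target_vlan=20):
    """VLAN the attacker's double-tagged frame is delivered to on switch 2."""
    frame = build_frame(SERVER2, ATTACKER, [access_vlan, target_vlan])
    vlan, frame = access_ingress(frame, access_vlan)
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 10 (same as the access VLAN):", hop(native_vlan=10))
    print("unused dummy native VLAN 999:            ", hop(native_vlan=999))
    print("vlan dot1q tag native:                   ", hop(native_vlan=10, tag_native=True))
```

With the native VLAN equal to the attacker's access VLAN the frame lands in VLAN 20; with a dummy native VLAN, or with the native VLAN tagged, the first switch adds its own VLAN 10 tag on the trunk and the second switch keeps the frame in VLAN 10, where the leftover inner tag is just payload.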
114. Matrix for Security Features
    Feature                6500/Catalyst OS   6500/Cisco IOS   4500/Catalyst OS   4500/Cisco IOS
    Dynamic Port Security  7.6(1)             12.1(13)E        5.1(1)             12.1(13)EW
    DHCP Snooping          8.5(6)             12.2(18)SXF      N/A                12.1(12c)EW **
    DAI                    8.5(6)             12.2(18)SXF      N/A                12.1(19)EW **
    IP Source Guard        8.5(6)             12.2(33)SXH      N/A                12.1(19)EW **
On the 6500, DHCP snooping and DAI require a Sup720 or Sup32.
** On the Catalyst 4500 IOS-based platforms this requires a Sup2+, Sup3, Sup4 or Sup5; these supervisors are supported on the Catalyst 4006, 4503, 4506 and 4507R chassis.
NOTE: There are no plans to support these features on any Catalyst 4000/4500 platform running CatOS.
IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
115. Unified Communications Network Agenda
Resilient Network Design: Network Resiliency (High Availability Design Principles; Redundancy in the Distribution Block; Redundancy and Routing Design); Switch Resiliency (NSF/SSO; ISSU & IOS Modularity; GOLD & EEM); Hardening the Network (Layer 2 Security); Quality of Service
116. Hardening the Network: Direct and Collateral Damage
The availability of networking resources is impacted by the propagation of a worm from an infected source through the access, distribution and core layers to the system under attack:
• Network links overloaded: high packet loss; mission-critical applications impacted
• Routers overloaded: high CPU; instability; loss of management
• End systems overloaded: high CPU; applications impacted
117. Mitigating the Impact: Preventing and Limiting the Pain
Allow the network to do what you designed it to do, but not what you didn't:
• Prevent the attack: NAC and IBNS; ACLs and NBAR
• Protect the switches: CEF; rate limiters; CoPP
• Protect the links: QoS; Scavenger class
• Protect the end systems: Cisco Security Agent
118. Worms Are Only One Problem: Other Sources of Pain
• Internet worms are not the only type of network anomaly; multiple things can go wrong, or be happening, that you want to prevent and/or mitigate: spanning tree loops; NICs spewing garbage; distributed denial of service (DDoS); TCP splicing and ICMP reset attacks; man-in-the-middle attacks; ...
• Security best practices are HA best practices in the resilient design, and HA best practices are security best practices.
119. QoS Is a Key Component of Resiliency: Protect the Good and Punish the Bad
• QoS does more than just protect voice and video.
• For "best-effort" traffic an implied "good faith" commitment is assumed: at least some network resources are available to it.
• Out-of-profile traffic (potential worms, DDoS, etc.) needs to be identified and potentially punished by marking it into the Scavenger class (CS1/CoS 1, an Internet-2 draft specification), which is carried in its own queue next to Voice and Data at the access, distribution and core layers and gets only minimal bandwidth.
120. Resilient Network Design: Stick to Your Principles
• Develop an architecture and stick to it: it eases operational support, gives consistent deployment, and balances OpEx and CapEx.
• Remember you will have to live with this for a long time: requirements will change, so plan for evolution; the one thing that doesn't change is that there will be change.
• Understand change: how your environments are changing, and how the network equipment is evolving to meet that change.
121. Resilient Network Design: This Is What You Can Expect
[Chart: worst-case convergence for any campus failure event, in seconds until restoration of VoIP (axis 0 to 2 s), compared across designs: L2 access with OSPF core*, L2 access with EIGRP core, OSPF access*, EIGRP access; the L2 access designs use Rapid PVST+ and HSRP, the others are L3 access. *OSPF results require sub-second timers.]
122. Campus, Data Center & UC Design Guidance
Where to go for more information: http://www.cisco.com/go/srnd
123. BREAK
124. Network Design Seminar for Unified Communications: Network Infrastructure, Quality of Service
125. Unified Communications Network Agenda
Resilient Network Design; Quality of Service (QoS Best Practices Review; Campus QoS Design; Catalyst 4500 QoS Design; Catalyst 6500 QoS Design; Control Plane Policing)
126. Enabling QoS in the Campus: Traffic Profiles and Requirements
• Voice: smooth, benign, drop sensitive, delay sensitive, UDP priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. Bandwidth per call depends on codec, sampling rate and Layer 2 media.
• Video conferencing: bursty, greedy, drop sensitive, delay sensitive, UDP priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. IP/VC has the same requirements as VoIP but radically different traffic patterns (bandwidth varies greatly).
• Data: smooth or bursty, benign or greedy, drop insensitive, delay insensitive, TCP retransmits. Data classes: mission-critical apps, transactional/interactive apps, bulk data apps, best-effort apps (default). Traffic patterns for data vary among applications.
127. Enabling QoS: Elements That Affect End-to-End Delay
Path: campus (Cisco CallManager cluster), IP WAN, branch office (SRST router), PSTN. End-to-end one-way delay should be < 150 ms.
• Codec: G.729A 25 ms
• Queuing: variable (can be reduced using LLQ)
• Serialization: variable (can be reduced using LFI)
• Propagation and network: 6.3 µs/km + network delay (variable)
• Jitter buffer: 20–50 ms
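The two calculations behind slides 126 and 127, per-call bandwidth ("depends on codec, sampling rate and Layer 2 media") and the one-way delay budget, as an added Python example that is not code from the deck. The codec rates, the 40-byte IP/UDP/RTP header and the 6.3 µs/km and 150 ms figures are the slides'; the Layer 2 overhead table, the sample link speed, distance, queuing delay and jitter-buffer setting are assumptions.

```python
"""Per-call VoIP bandwidth and a one-way delay budget, from the figures on the
traffic-profile and delay-element slides. Added example; the Layer 2 overhead
table and the sample link, distance and delay values are assumptions."""

CODEC_KBPS = {"G.711": 64, "G.729": 8}      # codec bit rates
IP_UDP_RTP_BYTES = 40                        # 20 IP + 8 UDP + 12 RTP, no cRTP
L2_OVERHEAD_BYTES = {                        # assumed per-frame Layer 2 overhead
    "ethernet": 18,          # 14-byte header + 4-byte FCS
    "ethernet-802.1q": 22,   # plus the 4-byte VLAN tag
    "ppp": 6,
    "mlppp": 10,
}
PROPAGATION_US_PER_KM = 6.3                  # slide value
ONE_WAY_BUDGET_MS = 150                      # slide target (ITU-T G.114)


def per_call_bandwidth_kbps(codec, sample_ms=20, media="ethernet"):
    """Layer 2 bandwidth of one call in one direction."""
    payload = CODEC_KBPS[codec] * sample_ms / 8            # bytes of voice per packet
    packet = payload + IP_UDP_RTP_BYTES + L2_OVERHEAD_BYTES[media]
    pps = 1000 / sample_ms
    return packet * 8 * pps / 1000


def one_way_delay_ms(codec_ms, packet_bytes, slowest_link_kbps, distance_km,
                     queuing_ms, jitter_buffer_ms):
    """Sum of the delay elements on the slide; serialization counted on the slowest hop."""
    serialization = packet_bytes * 8 / slowest_link_kbps   # bits / (kbit/s) = ms
    propagation = distance_km * PROPAGATION_US_PER_KM / 1000
    return codec_ms + serialization + queuing_ms + propagation + jitter_buffer_ms


def budget(codec="G.729", sample_ms=20, media="ppp", slowest_link_kbps=512,
           distance_km=2000, codec_ms=25, queuing_ms=10, jitter_buffer_ms=40):
    """Bandwidth per call and whether one WAN path meets the delay budget."""
    packet = CODEC_KBPS[codec] * sample_ms / 8 + IP_UDP_RTP_BYTES + L2_OVERHEAD_BYTES[media]
    delay = one_way_delay_ms(codec_ms, packet, slowest_link_kbps, distance_km,
                             queuing_ms, jitter_buffer_ms)
    return {
        "kbps_per_call": round(per_call_bandwidth_kbps(codec, sample_ms, media), 1),
        "one_way_delay_ms": round(delay, 2),
        "within_budget": delay <= ONE_WAY_BUDGET_MS,
    }


if __name__ == "__main__":
    for codec in CODEC_KBPS:
        print(codec, "on Ethernet:", per_call_bandwidth_kbps(codec), "kbps per direction")
    print(budget())
    print(budget(distance_km=20000, queuing_ms=30))
```

A G.711 call with 20 ms samples costs 87.2 kbps per direction on Ethernet and a G.729 call 31.2 kbps (26.4 kbps on PPP); halving the sample rate doubles the packet rate and the header overhead with it. The budget function makes the slide's point numerically: on a 512 kbps link over 2000 km the G.729A path stays well under 150 ms, while a 20,000 km path with 30 ms of queuing does not, and only the queuing and serialization terms are under the designer's control.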
128. UC & Network Infrastructure Integration: Quality of Service
The phone contains a 3-port switch that is configured in conjunction with the access switch and CallManager; the same bring-up sequence is where UC interacts with the infrastructure's QoS:
1. Power negotiation: the switch detects the IP phone and applies power
2. VLAN configuration: CDP transaction between phone and switch; the IP phone is placed in the proper VLAN
3. 802.1x interoperation
4. QoS configuration
5. DHCP: DHCP request
6. CallManager registration
129. Classification and Marking: How Should It Be Done?
• QoS is implemented in hardware on the modular switching platforms and may be split across supervisor and line cards.
• The QoS features actually available depend on the specific forwarding engine and/or line card hardware version.
130. Classification and Marking: Where Should It Be Done?
• Classification and marking should be performed as close as technically feasible to the sources, so that prioritization can be implemented at congestion points throughout the network. DSCP should be used wherever possible.
• Access: classify and mark traffic at the physical port; queue on the uplinks to distribution.
• Distribution and core: subsequent points in the network can "trust" the marked values and queue based on the baseline values outlined below.
131. Classification and Marking: QoS Baseline Marking Recommendations
    Application             L3 DSCP   PHB     IPP   L2 CoS
    Routing                 48        CS6     6     6
    Voice                   46        EF      5     5
    Video Conferencing      34        AF41    4     4
    Streaming Video         32        CS4     4     4
    Mission-Critical Data   26        AF31*   3     3
    Call Signaling          24        CS3*    3     3
    Transactional Data      18        AF21    2     2
    Network Management      16        CS2     2     2
    Bulk Data               10        AF11    1     1
    Scavenger                8        CS1     1     1
    Best Effort              0        0       0     0
* In the QoS Baseline, call signaling is migrating from AF31 to CS3; AF31 is then freed for mission-critical data.
132. Classification and Marking Design: RFC 4594 Configuration Guidelines
    Application               L3 DSCP   PHB    RFC
    Network Control           48        CS6    RFC 2474
    VoIP Telephony            46        EF     RFC 3246
    Call Signaling            40        CS5    RFC 2474
    Multimedia Conferencing   34        AF41   RFC 2597
    Real-Time Interactive     32        CS4    RFC 2474
    Multimedia Streaming      26        AF31   RFC 2597
    Broadcast Video           24        CS3    RFC 2474
    Low-Latency Data          18        AF21   RFC 2597
    OAM                       16        CS2    RFC 2474
    High-Throughput Data      10        AF11   RFC 2597
    Low-Priority Data          8        CS1    RFC 3662
    Best Effort                0        DF     RFC 2474
133. Policing Design Principles: Where and How Should Policing Be Done?
• Policing is applied to offending traffic classes to 'mark down' traffic to CS1 (Scavenger) rather than drop it; queuing then carries that traffic on the uplink to distribution/core, where CS1 occupies minimal bandwidth.
• Policing should be applied as close to the traffic source as possible: in general at the ingress point to the network (the access layer), at the same time as classification.
134. Queuing Design Principles: Where Should It Be Done?
Queuing should be performed wherever there may be potential for congestion (even if a rare occurrence), ensuring consistency between campus, WAN and VPN networks.
Recommended guidelines:
1) 25% allocated to the Best Effort (BE) class
2) Priority Queue (PQ) given a maximum of 33%
3) Scavenger provided with a minimum (5%) of bandwidth
4) Congestion management enabled on the non-PQ queues
135. Campus Queuing Design: Realtime, Best Effort and Scavenger Queuing Rules
• Real-time ≤ 33%
• Critical data
• Best effort ≥ 25%
• Scavenger/bulk ≤ 5%
136. Unified Communications Network Agenda
Network Resiliency; Layer 2 Security; Quality of Service (QoS Best Practices Review; Campus QoS Design; Catalyst 4500 QoS Design; Catalyst 6500 QoS Design; Control Plane Policing)
137. Campus QoS Considerations: Establishing Trust Boundaries
Across endpoints, access, distribution, core and WAN aggregators there are three places the trust boundary can sit:
1. Optimal trust boundary, trusted endpoint: the boundary is at the endpoint itself.
2. Optimal trust boundary, untrusted endpoint: the boundary is at the access switch port.
3. Suboptimal trust boundary: at the distribution layer, after the access layer has already admitted whatever the endpoints marked.
138. Access-Edge Trust Models: Endpoints and Endpoint Categories
Endpoints:
• Analog gateways
• IP-conferencing stations
• Videoconferencing gateways and systems
• Video surveillance units
• Wireless access points
• Wireless IP phones
• Servers
• Client PCs
Endpoint categories:
• Trusted endpoints
• Untrusted endpoints
• Conditionally-trusted endpoints
139. Campus QoS Considerations: Trust Boundary Extension and Operation
Phone VLAN = 110, PC VLAN = 10.
1. Switch and phone exchange CDP; the trust boundary is extended to the IP phone ("I see you're an IP phone, so I will trust your CoS").
2. The phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic ("Voice = 5, Signaling = 3").
3. The phone rewrites the CoS from the PC port to 0: even if the PC sets CoS 5 for all its traffic, all PC traffic is reset to CoS 0.
4. The switch trusts CoS from the phone and maps CoS to DSCP for output queuing: CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0.
140. Access-Edge Trust Models: Trusted Endpoint Model
The DSCP from the endpoint is accepted and admitted onto the network unaltered; policing is optional.
Start → trust DSCP → optional policing → transmit the packet with DSCP unaltered
141. Access-Edge Trust Models: AutoQoS-VoIP Model
Start:
• VVLAN + DSCP EF? Yes → trust and transmit
• VVLAN + DSCP CS3? Yes → trust and transmit
• DVLAN, any DSCP → remark to DSCP 0 and transmit
142. Access-Edge Trust Models: IP Phone + PC + Scavenger (Basic) Model
Start:
• VVLAN + DSCP EF? ≤ 128 kbps → trust and transmit; exceeding → drop
• VVLAN + DSCP CS3? ≤ 32 kbps → remark to DSCP CS3 and transmit; exceeding → remark to DSCP CS1 and transmit
• VVLAN, any other DSCP: ≤ 32 kbps → remark to DSCP 0 and transmit; exceeding → remark to DSCP CS1 and transmit
• DVLAN, any DSCP: ≤ 5 Mbps → remark to DSCP 0 and transmit; exceeding → remark to DSCP CS1 and transmit
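The Basic model above, implemented as a classify-and-police function with a single-rate token bucket per class, as an added Python example (not code from the deck, which shows the decision chart only). The VLAN numbers come from the trust-boundary slide and the rates from the chart; the 8000-byte burst sizes, the packet sizes and the DSCP-to-PHB naming helper (per RFC 2474, 2597 and 3246, matching the two marking tables) are assumptions and additions.

```python
"""Conditional-trust access-edge policy: the IP Phone + PC + Scavenger (Basic)
model as a classify-and-police function. Added example, not deck code.
VLAN numbers, burst sizes and packet sizes are assumptions."""

VVLAN, DVLAN = 110, 10            # voice and data VLANs as on the trust-boundary slide
EF, CS3, CS1, DF = 46, 24, 8, 0


def phb_name(dscp):
    """Per-hop-behaviour name for a DSCP value (EF, CSx, AFxy, DF), per RFC 2474/2597/3246."""
    if dscp == EF:
        return "EF"
    if dscp == 0:
        return "DF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 0b111 == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"


class Policer:
    """Single-rate token bucket: rate in bit/s, burst in bytes; time in whole milliseconds."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps, self.burst = rate_bps, burst_bytes
        self.tokens, self.last_ms = float(burst_bytes), 0

    def conform(self, size, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate_bps / 8000)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class BasicModelPort:
    """One access port running the Basic model (rates from the slide, bursts assumed)."""

    def __init__(self):
        self.voice = Policer(128_000, 8_000)       # VVLAN + EF
        self.signaling = Policer(32_000, 8_000)    # VVLAN + CS3
        self.vvlan_other = Policer(32_000, 8_000)  # VVLAN, any other DSCP
        self.dvlan = Policer(5_000_000, 8_000)     # DVLAN, any DSCP

    def classify(self, vlan, dscp, size, now_ms):
        """Return (action, egress DSCP) for one packet, following the decision chart."""
        if vlan == VVLAN and dscp == EF:
            return ("transmit", EF) if self.voice.conform(size, now_ms) else ("drop", None)
        if vlan == VVLAN and dscp == CS3:
            return ("transmit", CS3 if self.signaling.conform(size, now_ms) else CS1)
        if vlan == VVLAN:
            return ("transmit", DF if self.vvlan_other.conform(size, now_ms) else CS1)
        return ("transmit", DF if self.dvlan.conform(size, now_ms) else CS1)


def run(port, vlan, dscp, size, count, interval_ms):
    """Send count packets of size bytes every interval_ms; return a tally of outcomes."""
    tally = {}
    for i in range(count):
        action, out = port.classify(vlan, dscp, size, i * interval_ms)
        key = action if out is None else f"{action}:{phb_name(out)}"
        tally[key] = tally.get(key, 0) + 1
    return tally


def scenarios():
    return {
        # a G.711 call: 218-byte packets every 20 ms (87.2 kbps) stays within 128 kbps
        "phone_voice": run(BasicModelPort(), VVLAN, EF, 218, 50, 20),
        # a host on the voice VLAN blasting EF-marked 1500-byte packets every 1 ms
        "vvlan_ef_flood": run(BasicModelPort(), VVLAN, EF, 1500, 100, 1),
        # the PC marks its traffic EF: on the data VLAN it is never trusted
        "pc_marked_ef": run(BasicModelPort(), DVLAN, EF, 1500, 100, 1),
    }


if __name__ == "__main__":
    for name, tally in scenarios().items():
        print(f"{name:16} {tally}")
```

The phone's call passes untouched; a host that gets onto the voice VLAN and marks EF is allowed the burst and then dropped, which keeps the priority queue from being hijacked; the PC's EF marking on the data VLAN is rewritten to DF while in profile and to CS1 (Scavenger) once it exceeds 5 Mbps, never dropped, which is the "mark down rather than drop" rule of the policing slide.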
143. Campus QoS Considerations: Typical Campus Oversubscription Ratios
Campus networks are always designed with oversubscription in mind, to take advantage of the bursty nature of traffic and of the assumption that not all users require bandwidth simultaneously: typically 20:1 from access to distribution and 4:1 from distribution to core.
144. Campus QoS Design Considerations: Catalyst Hardware Queuing
All Catalyst switches have hardware-based queues, which differ depending on the module or port ASIC used. They are described with the notation 1PxQyT, where 1P is the priority queue, x the number of normal queues and y the number of drop thresholds within each normal queue (a normal queue with drop threshold 1 and drop threshold 2, for example).
Example: 1p3q8t = 1 priority queue with 3 normal queues, each containing 8 drop thresholds.
145. Campus QoS Considerations: Where Is QoS Required Within the Campus?
(Diagram labels: FastEthernet, GigabitEthernet, Ten GigabitEthernet; IP Phones + PCs at the access edges; Server Farms; WAN Aggregator; Cisco Catalyst 6500 PFC3. QoS roles shown: No Trust + Policing + Queuing; Conditional Trust + Policing + Queuing; Trust DSCP + Queuing; Per-User Microflow Policing + CoPP.)
146. Unified Communications Network: Agenda
- Network Resiliency
- Layer 2 Security
- Quality of Service: QoS Best Practices Review, Campus QoS Design, Catalyst 4500 QoS Design, Catalyst 6500 QoS Design, Control Plane Policing
147. QoS on the Catalyst 4500
The Catalyst 4500 implements a sophisticated suite of QoS features, built on three major components:
- TCAMs (policers)
- NetFlow feature (user-based rate limiting, UBRL, on the SupV-10GE)
- Dynamic Buffer Limiting (DBL)
(Diagram: QoS actions at the supervisor forwarding ASIC as the packet enters the fabric: classify (TCAM), ingress/egress police (TCAM), NetFlow (NFL) for enhanced QoS. QoS actions at the scheduling ASIC as the packet leaves the fabric: RX, Queues 1-4, shaping, sharing, scheduling, DBL, TX.)
148. Cisco Catalyst 4500 QoS Design: Enabling QoS Globally
    CAT4500#show qos
    QoS is disabled globally
    ! By default QoS is disabled
    IP header DSCP rewrite is enabled
    CAT4500#conf term
    Enter configuration commands, one per line.  End with CNTL/Z.
    CAT4500(config)#qos
    ! Enables QoS globally for the Cat4500
    CAT4500(config)#end
    CAT4500#
    CAT4500#show qos
    QoS is enabled globally
    ! Verifies that QoS is enabled globally
    IP header DSCP rewrite is enabled
    CAT4500#
149. Cisco Catalyst 4500 QoS Design: Access-Layer QoS Design Options
- Global commands: globally enable QoS + CoPP.
- Access edges (one trust model per port type): Trusted-Endpoint Model, AutoQoS—VoIP Model, or IP Phone + PC + Scavenger (Basic) Model; 1P3Q1T queuing + DBL.
- Uplinks to the distribution layer: trust DSCP; 1P3Q1T queuing + DBL.
150. Cisco Catalyst 4500: Trusted Endpoint
Cisco IOS trust:
    CAT4500-IOS(config)#interface FastEthernet3/1
    CAT4500-IOS(config-if)#qos trust dscp
151. Cisco Catalyst 4500 AutoQoS: VoIP Model
Options:
    auto qos voip cisco-phone
    auto qos voip trust
Applying it on a port:
    CAT4500(config-if)#auto qos voip cisco-phone
Configuration generated by AutoQoS:
    !
    qos
    qos dbl
    qos map cos 3 to 26
    qos map cos 5 to 46
    qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
    qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
    !
    policy-map autoqos-voip-policy
     class class-default
      dbl
    !
    interface GigabitEthernet0/1
     qos trust device cisco-phone
     qos trust cos
     tx-queue 3
      priority high
      shape percent 33
      bandwidth percent 33
    !
152. Cisco Catalyst 4500 QoS Design: Distribution and/or Core-Layer QoS Design
- Distribution layer, uplinks from the access layer only: globally enable QoS + CoPP; trust DSCP; 1P3Q1T queuing + DBL; optional (SupV-10GE only): user-based rate limiting (UBRL).
- Core layer, interswitch links: globally enable QoS + CoPP; trust DSCP; 1P3Q1T queuing + DBL.
153. Cisco Catalyst 4500 QoS Design: Queuing Design (1P3Q1T + DBL)
Application             DSCP   Queue
Network Control         CS7    Q4 (40%)
Internetwork Control    CS6    Q4 (40%)
Voice                   EF     Q3 (30%), priority queue
Interactive Video       AF41   Q4 (40%)
Streaming Video         CS4    Q4 (40%)
Mission-Critical Data   AF31   Q4 (40%)
Call Signaling          CS3    Q4 (40%)
Transactional Data      AF21   Q4 (40%)
Network Management      CS2    Q4 (40%)
Bulk Data               AF11   Q1 (5%)
Scavenger               CS1    Q1 (5%)
Best Effort             0      Q2 (25%)
Queue contents: Q1 = CS1/AF11; Q2 = DSCP 0; Q3 (priority queue) = EF; Q4 = CS2/AF21/AF22/AF23, CS3/AF31/AF32/AF33, CS4/AF41/AF42/AF43, CS6/CS7.
154. Cisco Catalyst 4500 QoS Design: Queuing Design (1P3Q1T + DBL)
    CAT4500-SUP4(config)#qos dbl
    ! Globally enables DBL
    CAT4500-SUP4(config)#qos dbl exceed-action ecn
    ! Optional: Enables DBL to mark RFC 3168 ECN bits in the IP ToS byte
    CAT4500-SUP4(config)#
    CAT4500-SUP4(config)#qos map dscp 0 to tx-queue 2
    ! Maps DSCP 0 (Best Effort) to Q2
    CAT4500-SUP4(config)#qos map dscp 8 10 12 14 to tx-queue 1
    ! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
    CAT4500-SUP4(config)#qos map dscp 16 18 20 22 to tx-queue 4
    ! Maps DSCP CS2 (Net-Mgmt) and AF21/AF22/AF23 (Transactional) to Q4
    CAT4500-SUP4(config)#qos map dscp 24 26 28 30 to tx-queue 4
    ! Maps DSCP CS3 (Call-Signaling) and AF31/AF32/AF33 (MC Data) to Q4
    CAT4500-SUP4(config)#qos map dscp 32 34 36 38 to tx-queue 4
    ! Maps DSCP CS4 (Str-Video) and AF41/AF42/AF43 (Int-Video) to Q4
    CAT4500-SUP4(config)#qos map dscp 46 to tx-queue 3
    ! Maps DSCP EF (VoIP) to Q3 (PQ)
    CAT4500-SUP4(config)#qos map dscp 48 56 to tx-queue 4
    ! Maps DSCP CS6 (Internetwork) and CS7 (Network) Control to Q4
    CAT4500-SUP4(config)#
    CAT4500-SUP4(config)#policy-map DBL
    CAT4500-SUP4(config-pmap)#class class-default
    CAT4500-SUP4(config-pmap-c)# dbl
    ! Enables DBL on all traffic flows
    CAT4500-SUP4(config-pmap-c)# end
    CAT4500-SUP4#
155. Cisco Catalyst 4500 QoS Design: Queuing Design (1P3Q1T + DBL)
    CAT4500-SUP4(config)#interface range FastEthernet2/1 - 48
    CAT4500-SUP4(config-if-range)# service-policy output DBL
    CAT4500-SUP4(config-if-range)# tx-queue 3
    CAT4500-SUP4(config-if-tx-queue)# priority high
    ! Enables Q3 as PQ
    CAT4500-SUP4(config-if-tx-queue)# shape percent 30
    ! Shapes PQ to 30%
    CAT4500-SUP4(config-if-tx-queue)# exit
    CAT4500-SUP4(config-if-range)#exit
    CAT4500-SUP4(config)#
    CAT4500-SUP4(config)#interface range GigabitEthernet1/1 - 2
    CAT4500-SUP4(config-if-range)# service-policy output DBL
    CAT4500-SUP4(config-if-range)# tx-queue 1
    CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 5
    ! Q1 gets 5%
    CAT4500-SUP4(config-if-tx-queue)# tx-queue 2
    CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 25
    ! Q2 gets 25%
    CAT4500-SUP4(config-if-tx-queue)# tx-queue 3
    CAT4500-SUP4(config-if-tx-queue)# priority high
    ! Enables Q3 as PQ
    CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30
    ! PQ gets 30%
    CAT4500-SUP4(config-if-tx-queue)# shape percent 30
    ! Shapes PQ to 30%
    CAT4500-SUP4(config-if-tx-queue)# tx-queue 4
    CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 40
    ! Q4 gets 40%
    CAT4500-SUP4(config-if-tx-queue)#end
    CAT4500-SUP4#
156. C4500 (SupV-10GE) QoS Design: User-Based Rate Limiting (UBRL)
(Diagram: distribution-layer Cisco Catalyst 4500 SupV-10GE.)
    CAT4500-SUPV-10GE(config)#qos map dscp policed 0 24 46 to dscp 8
    ! Excess DVLAN and VVLAN traffic will be marked down to Scavenger (CS1)
    CAT4500-SUPV-10GE(config)#class-map match-all UBRL-BY-SOURCE-IP
    CAT4500-SUPV-10GE(config-cmap)#match flow ip source-address
    CAT4500-SUPV-10GE(config)#policy-map UBRL-TO-5MBPS-SCAVENGER
    CAT4500-SUPV-10GE(config-pmap)#class UBRL-BY-SOURCE-IP
    CAT4500-SUPV-10GE(config-pmap-c)# police 5 mbps 8000 byte exceed-action policed-dscp-transmit
    ! Out-of-profile data traffic is marked down to Scavenger (CS1)
    CAT4500-SUPV-10GE(config-pmap-c)# exit
    CAT4500-SUPV-10GE(config-pmap)#exit
    CAT4500-SUPV-10GE(config)#
    CAT4500-SUPV-10GE(config)#interface GigabitEthernet2/1
    CAT4500-SUPV-10GE(config-if)# service-policy input UBRL-TO-5MBPS-SCAVENGER
    ! Applies the UBRL policy to the uplink from the Access-Layer
    CAT4500-SUPV-10GE(config-if)# end
    CAT4500-SUPV-10GE#
157. Unified Communications Network: Agenda (section divider, repeated)
- Network Resiliency
- Layer 2 Security
- Quality of Service: QoS Best Practices Review, Campus QoS Design, Catalyst 4500 QoS Design, Catalyst 6500 QoS Design, Control Plane Policing
158. Catalyst 6500 QoS: QoS Flow Through the 6500
(Diagram: RX -> ingress queues (priority queue + normal queue, arbiter) -> ingress classify & police -> egress classify & police -> rewrite -> egress queues (priority queue + WRR queues, arbiter) -> TX.)
- Incoming encapsulation can be ISL, 802.1Q or none.
- Ingress scheduling: queue and threshold are selected based on the received CoS through a configurable map; CoS can be overwritten if the port is untrusted.
- Classification: DSCP-based, driven by the "trusted port" setting and by Layer 2, Layer 3 and Layer 4 information matched with ACLs.
- Policing via ACLs: police actions include forward, mark and drop; based on burst (token bucket) and byte rate.
- Rewrite: the ToS field in the IP header and the 802.1p/ISL CoS field.
- Egress: each queue has configurable thresholds, some with WRED (except the PQ); queue and threshold are selected based on CoS through a map; de-queuing uses WRR or SRR between the round-robin queues.
- Outgoing encapsulation can be ISL, 802.1Q or none.
159. Cisco Catalyst 6500 QoS Design: Globally Enabling QoS
    CAT6500-IOS(config)#mls qos
    CAT6500-IOS(config)#end
    CAT6500-IOS#
    CAT6500-IOS#show mls qos
      QoS is enabled globally
      Microflow policing is enabled globally
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
    ----- Module [2] -----
      QoS global counters:
        Total packets: 65
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 0
        IP packets with COS changed by policing: 0
        Non-IP packets with COS changed by policing: 0
    CAT6500-IOS#
160. Cisco Catalyst 6500 QoS Design: Access-Layer Cisco Catalyst 6500 QoS Design Options
- Global commands: globally enable QoS + CoPP (Control Plane Policing is only supported on the PFC3).
- Access edges: IP Phone + PC + Scavenger (Basic) Model, AutoQoS—VoIP Model, or Trusted-Endpoint Model; globally-defined, linecard-dependent queuing + dropping.
- Uplinks to the distribution layer: trust DSCP; globally-defined, linecard-dependent queuing + dropping.
161. Cisco Catalyst 6500 QoS Design: Trusted Endpoint Examples
Cisco IOS trust:
    CAT6500-IOS(config)#interface FastEthernet3/1
    CAT6500-IOS(config-if)#mls qos trust dscp
    TRUST set to TRUST DSCP
162. Cisco Catalyst 6500 AutoQoS VoIP (coming in the 12.2(33)SXH release)
Options:
    auto qos voip cisco-phone
    auto qos voip cisco-softphone
    auto qos voip trust
Applying it on a port:
    CAT6500(config-if)#auto qos voip cisco-phone
Configuration generated by AutoQoS:
    mls qos
    mls qos map cos-dscp 0 10 18 26 34 46 48 56
    interface FastEthernet2/3
     wrr-queue cos-map 1 1 0
     wrr-queue cos-map 2 1 1 2 3 4
     wrr-queue cos-map 2 2 5 6 7
     wrr-queue queue-limit 80 20
     wrr-queue bandwidth 100 255
     wrr-queue threshold 1 100 100
     wrr-queue threshold 2 80 100
     rcv-queue cos-map 1 1 0
     rcv-queue cos-map 1 3 1 2 3 4
     rcv-queue cos-map 1 4 5 6 7
     rcv-queue threshold 1 50 60 80 100
163. Cisco Catalyst 6500 QoS Design: Distribution and/or Core-Layer QoS Design
- Distribution layer, uplinks from the access layer only: globally enable QoS + CoPP; trust DSCP; interface-group, linecard-dependent queuing + dropping; optional (PFC3 only): per-user microflow policing.
- Core layer, interswitch links: globally enable QoS + CoPP; trust DSCP; interface-group, linecard-dependent queuing + dropping.
- Control Plane Policing (CoPP) is only supported on the PFC3.
164. Cisco Catalyst 6500 QoS Design: Queuing Design (1P3Q8T)
Application             DSCP   CoS    Queue/Threshold
Network Control         CS7    CoS 7  Q3T5
Internetwork Control    CS6    CoS 6  Q3T4
Voice                   EF     CoS 5  Q4 (priority queue)
Interactive Video       AF41   CoS 4  Q3T1
Streaming Video         CS4    CoS 4  Q3T1
Mission-Critical Data   AF31   CoS 3  Q3T3
Call Signaling          CS3    CoS 3  Q3T3
Transactional Data      AF21   CoS 2  Q3T2
Network Management      CS2    CoS 2  Q3T2
Bulk Data               AF11   CoS 1  Q1T1
Scavenger               CS1    CoS 1  Q1T1
Best Effort             0      CoS 0  Q2T1
Queue bandwidth: Q1 5%, Q2 25%, Q3 70%; Q4 is the priority queue.
165. Cisco Catalyst 6500 QoS Design: Queuing Design (1P3Q8T)
    CAT6500-IOS(config)#interface range GigabitEthernet1/1 - 48
    CAT6500-IOS(config-if-range)# wrr-queue queue-limit 5 25 40
    ! Allocates 5% for Q1, 25% for Q2 and 40% for Q3
    CAT6500-IOS(config-if-range)# wrr-queue bandwidth 5 25 70
    ! Sets the WRR weights for 5:25:70 (Q1:Q2:Q3) bandwidth servicing
    CAT6500-IOS(config-if-range)# wrr-queue random-detect 1
    ! Enables WRED on Q1
    CAT6500-IOS(config-if-range)# wrr-queue random-detect 2
    ! Enables WRED on Q2
    CAT6500-IOS(config-if-range)# wrr-queue random-detect 3
    ! Enables WRED on Q3
    CAT6500-IOS(config-if-range)#
    CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
    ! Sets Min WRED Threshold for Q1T1 to 80% and all others to 100%
    CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
    ! Sets Max WRED Threshold for Q1T1 to 100% and all others to 100%
    CAT6500-IOS(config-if-range)#
    CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
    ! Sets Min WRED Threshold for Q2T1 to 80% and all others to 100%
    CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
    ! Sets Max WRED Threshold for Q2T1 to 100% and all others to 100%
166. Cisco Catalyst 6500 QoS Design: Queuing Design (1P3Q8T)
    CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
    ! Sets Min WRED Threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 70%,
    ! Q3T4 to 80%, Q3T5 to 90% and all others to 100%
    CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
    ! Sets Max WRED Threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80%,
    ! Q3T4 to 90%, Q3T5 to 100% and all others to 100%
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 1 1 1
    ! Maps Scavenger/Bulk to Q1 WRED Threshold 1
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 2 1 0
    ! Maps Best Effort to Q2 WRED Threshold 1
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 1 4
    ! Maps Video to Q3 WRED Threshold 1
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 2 2
    ! Maps Net-Mgmt and Transactional Data to Q3 WRED T2
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 3 3
    ! Maps Call-Signaling and Mission-Critical Data to Q3 WRED T3
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 4 6
    ! Maps Internetwork-Control (IP Routing) to Q3 WRED T4
    CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 5 7
    ! Maps Network-Control (Spanning Tree) to Q3 WRED T5
    CAT6500-IOS(config-if-range)# priority-queue cos-map 1 5
    ! Maps VoIP to the PQ (Q4)
    CAT6500-IOS(config-if-range)#end
    CAT6500-IOS#
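The two queuing designs in this deck (the Catalyst 4500 1P3Q1T DSCP-to-tx-queue map of slide 154 and the Catalyst 6500 1P3Q8T CoS-to-queue/threshold maps of slide 166) have to land each application class in equivalent queues on both platforms, and the one thing that must never drift is which classes reach the priority queue. The following added example (not code from the deck or from Cisco) parses both configurations as they appear on the slides and audits them against the deck's application-class table. It assumes the CoS for each class is the top three bits of its DSCP, which is what the 1P3Q8T table on slide 164 shows; the parsers only recognise the command forms used on those two slides.

```python
import re

# Application classes from the deck's queuing tables: name -> DSCP value.
# CoS is derived as DSCP >> 3, matching the CoS column of the 1P3Q8T table.
APP_CLASSES = {
    "Network Control": 56,        # CS7
    "Internetwork Control": 48,   # CS6
    "Voice": 46,                  # EF
    "Interactive Video": 34,      # AF41
    "Streaming Video": 32,        # CS4
    "Mission-Critical Data": 26,  # AF31
    "Call Signaling": 24,         # CS3
    "Transactional Data": 18,     # AF21
    "Network Management": 16,     # CS2
    "Bulk Data": 10,              # AF11
    "Scavenger": 8,               # CS1
    "Best Effort": 0,
}

# Catalyst 4500 commands as on slide 154; tx-queue 3 is 'priority high' on slide 155.
CAT4500_CONFIG = """
qos map dscp 0 to tx-queue 2
qos map dscp 8 10 12 14 to tx-queue 1
qos map dscp 16 18 20 22 to tx-queue 4
qos map dscp 24 26 28 30 to tx-queue 4
qos map dscp 32 34 36 38 to tx-queue 4
qos map dscp 46 to tx-queue 3
qos map dscp 48 56 to tx-queue 4
"""
CAT4500_PQ = 3

# Catalyst 6500 commands as on slide 166.
CAT6500_CONFIG = """
wrr-queue cos-map 1 1 1
wrr-queue cos-map 2 1 0
wrr-queue cos-map 3 1 4
wrr-queue cos-map 3 2 2
wrr-queue cos-map 3 3 3
wrr-queue cos-map 3 4 6
wrr-queue cos-map 3 5 7
priority-queue cos-map 1 5
"""


def parse_cat4500_dscp_map(text):
    """Return {dscp: tx_queue} from 'qos map dscp <list> to tx-queue <n>' lines."""
    mapping = {}
    for m in re.finditer(r"^\s*qos map dscp ((?:\d+\s+)+)to tx-queue (\d+)", text, re.M):
        for d in m.group(1).split():
            mapping[int(d)] = int(m.group(2))     # a later line overrides an earlier one
    return mapping


def parse_cat6500_cos_map(text):
    """Return {cos: (queue_label, threshold)}; the priority queue is labelled 'PQ'."""
    mapping = {}
    for m in re.finditer(r"^\s*wrr-queue cos-map (\d+) (\d+)((?:\s+\d+)+)", text, re.M):
        for c in m.group(3).split():
            mapping[int(c)] = (f"Q{m.group(1)}", int(m.group(2)))
    for m in re.finditer(r"^\s*priority-queue cos-map (\d+)((?:\s+\d+)+)", text, re.M):
        for c in m.group(2).split():
            mapping[int(c)] = ("PQ", int(m.group(1)))
    return mapping


def unmapped_cat4500_dscps(c4k_map):
    """DSCP values with no explicit tx-queue mapping (they fall to the platform default)."""
    return [d for d in range(64) if d not in c4k_map]


def audit(app_classes, c4k_map, c6k_map):
    """Per class: queue on each platform and whether it is priority-queued there."""
    report = {}
    for name, dscp in app_classes.items():
        q4 = c4k_map.get(dscp)
        q6 = c6k_map.get(dscp >> 3)
        report[name] = {
            "dscp": dscp,
            "cat4500_queue": q4,
            "cat6500_queue": q6,
            "pq_on_4500": q4 == CAT4500_PQ,
            "pq_on_6500": q6 is not None and q6[0] == "PQ",
        }
    return report


def problems(report):
    """Findings a reviewer would flag: unmapped classes, PQ drift, non-voice in the PQ."""
    out = []
    for name, r in report.items():
        if r["cat4500_queue"] is None or r["cat6500_queue"] is None:
            out.append(f"{name}: no explicit queue mapping")
        if r["pq_on_4500"] != r["pq_on_6500"]:
            out.append(f"{name}: priority-queue treatment differs between platforms")
        if name != "Voice" and (r["pq_on_4500"] or r["pq_on_6500"]):
            out.append(f"{name}: non-voice class in priority queue")
    return out
```

Running `problems(audit(APP_CLASSES, parse_cat4500_dscp_map(CAT4500_CONFIG), parse_cat6500_cos_map(CAT6500_CONFIG)))` on the deck's own commands returns an empty list; appending a line such as `qos map dscp 24 to tx-queue 3` to the 4500 side makes the audit report that call signaling has been put in the priority queue on one platform only. The 4500 map leaves 44 of the 64 DSCP values to the platform default, which is worth knowing when deciding what an unexpected marking will get.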
167. C6500 (PFC3) QoS Design: PFC3 Per-User Microflow Policing
(Diagram: distribution-layer Cisco Catalyst 6500 Sup720.)
    CAT6500-IOS(config)#mls qos map policed-dscp normal 0 24 26 34 36 to 8
    ! Excess traffic marked 0, CS3, AF31, AF41 or AF42 will be remarked to CS1
    CAT6500-IOS(config)#class-map match-any VVLAN-TRAFFIC
    CAT6500-IOS(config-cmap)# match ip dscp ef
    CAT6500-IOS(config-cmap)# match ip dscp cs3
    CAT6500-IOS(config-cmap)#class-map match-all DVLAN-TRAFFIC
    CAT6500-IOS(config-cmap)# match ip dscp 0
    CAT6500-IOS(config-cmap)#policy-map PER-USER-POLICING
    CAT6500-IOS(config-pmap)# class VVLAN-TRAFFIC
    CAT6500-IOS(config-pmap-c)# police flow mask src-only 160000 8000 conform-action transmit exceed-action drop
    ! Traffic from any VVLAN source (IP Phones) in excess of 160 kbps is dropped
    CAT6500-IOS(config-pmap-c)# class DVLAN-TRAFFIC
    CAT6500-IOS(config-pmap-c)# police flow mask src-only 5000000 8000 conform-action transmit exceed-action policed-dscp-transmit
    ! Traffic from any DVLAN source (PCs) in excess of 5 Mbps is remarked to CS1
    CAT6500-IOS(config-pmap-c)# exit