Cisco Catalyst 2960-X Series
Switching Architecture
Sunil Kumar Guduru – Technical Marketing Engineer
BRKARC-1009
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

"The goal of this session is to help you understand the platform, to solve your business needs beyond simple network connectivity"

Agenda
•  Understand Catalyst 2960 Series Portfolio
•  What is inside Catalyst 2960-X
•  High Availability with Stacking – FlexStack-Plus
•  Secure Network from Access Layer
•  Quality of Service Model
•  Simplify Day to Day Operations

The New Catalyst 2960 Family
Feature Leadership and Cisco Quality at Competitive Prices
EASE-OF-USE | ROBUST SECURITY | ENHANCED LIFETIME WARRANTY | ENERGY EFFICIENCY | LOWER TCO

Fast Ethernet
•  Catalyst 2960: 1G SFP/BASE-T Uplinks, 802.3af PoE, Layer 2, Stand-alone
•  Catalyst 2960-Plus: 1G SFP/BASE-T Uplinks, 802.3af PoE, Layer 2, Stand-alone
•  Catalyst 2960-SF: 1G SFP Uplinks, 40G FlexStack, Full PoE, PoE+, IPv6 FHS, Advanced Layer 2, STACKABLE

Gigabit Ethernet
•  Catalyst 2960-S: 10G/1G SFP+/SFP, 40G FlexStack, Full PoE, PoE+, IPv6 FHS, Advanced Layer 2, STACKABLE
•  Catalyst 2960-X: 10G/1G SFP+/SFP, 80G FlexStack+, Full PoE, PoE+, IPv6 FHS, NetFlow Lite, Advanced Layer 2, STACKABLE
•  Catalyst 2960-XR: 2960-X Features plus IP Lite – L3/Routing, Redundant PSU, Advanced Layer 2/3, STACKABLE + RESILIENT

EOS Nov, 2015

Cisco Catalyst 2960-X & 2960-XR
•  FlexStack+ 80Gbps stacking
•  NetFlow Lite on all ports
•  4 or 8 queues per port
•  EEE downlinks
•  Redundant FRU PS option (2960-XR)
•  Dual-Core CPU
•  MACsec Ready
•  4 MB of Buffers
•  Power Saving Switch Hibernation
•  2 x 10G or 4 x 1G
•  Signed IOS images
•  Mac based VLAN
•  CoPP

Cisco Catalyst 2960-X - Greenest Catalyst Switch
http://miercom.com/pdf/reports/20131112.pdf

Cisco Catalyst 2960 GE model Comparison (For Your Reference)

Capability                 2960-S (LAN Base)     2960-X (LAN Base)     2960-XR (IP Lite)
-------------------------  --------------------  --------------------  --------------------
CPU                        Single Core @400MHz   Dual Core @600MHz     Dual Core @600MHz
Stacking Technology        FlexStack             FlexStack-Plus        FlexStack-Plus
Stacking BW / Members      40Gbps / 4            80Gbps / 8            80Gbps / 8
Power Supply               Single Fixed          Single Fixed          Dual FRU
Flash On board             64MB                  128MB                 128MB
DRAM                       128MB                 512MB                 512MB
EEE downlinks              No                    Yes                   Yes
Switch Hibernation Mode    No                    Yes                   Yes
NetFlow-Lite               No                    Yes                   Yes

Cisco Catalyst 2960 GE model Comparison (For Your Reference)

Capability                 2960-S (LAN Base)     2960-X (LAN Base)       2960-XR (IP Lite)
-------------------------  --------------------  ----------------------  ----------------------
Active VLANs               255                   1k                      1k
STP Instances              128                   128                     128
Etherchannel Groups        6                     24                      48
Queues per port            4                     4 / 8* (configurable)   4 / 8* (configurable)
Ingress Policers           64                    256                     256
Egress Buffer              2MB                   4MB                     4MB
SPAN sessions              2                     4                       4
NetFlow-Lite               No                    Yes                     Yes

*available in standalone mode only

2960-X Fan Less Model
Silent Operation: co-locate with end users (WS-C2960X-24PSQ-L)
•  First 8 ports PoE/PoE+ (110W PoE Budget)
•  4 uplink ports: 2 * SFP + 2 * 1G BT
•  LAN Base only
•  Non-Stackable
•  Front Vents, Top Vents, Heat Sinks

Redundant Inline Power with 2960-XR
Field-replaceable Power Supplies for Resilient Switching & PoE
•  Non-stop power in 1 RU: optional power redundancy with dual supplies
•  Easy field replacement of failed PSU or integrated fans
•  Standby Mode: PoE budget does not increase with second PS

3 FRU PSU options
Model       Power supply
----------  ------------
Non-PoE     250 W AC
370W PoE    640 W AC
740W PoE    1025 W AC

2960-X Power Redundancy – RPS 2300
•  Protection against device Power Supply Failure
•  Seamless Failover < 600 µs
•  Increases availability of data and PoE
•  RPS 2300 can power up to two attached devices
[Diagram labels: C2960-X, RPS 2300, 22 Pin connector, CAB-RPS2300-E=]

Energy Efficient 2960-X & 2960-XR

PID            AC Power (W), 100% traffic   AC Power (W), HW Sleep   % Saving
-------------  ---------------------------  -----------------------  --------
C2960X-48FP    66.7                         26.0                     61%
C2960X-48LP    62.0                         23.1                     63%
C2960X-24P     53.1                         22.6                     58%
C2960X-48T     47.8                         8.7                      82%
C2960X-24T     33.1                         6.4                      81%

•  Switch Hibernation Mode: powers down components
•  EnergyWise: switch and endpoint monitoring and control
•  Energy Efficient Ethernet: reduced power draw on downlinks
•  Efficient Power Supply: less power usage, energy savings

Switch Hibernation Mode
•  When the switch is not in use, Switch Hibernation Mode can be scheduled to save power.
•  Powers off CPU cores, ASIC and connected PoE devices.
•  DRAM is in refresh mode, keeping data intact.
•  Power to most components is off except DRAM, fans and MCU.
•  Wake on Mode Button trigger
•  Wake on scheduled Real Time Clock alarm / interrupt
•  Mode Button trigger has precedence over all other wake-on events.
•  On wake-up alarm, the CPU cores are powered on and DRAM is taken out of self refresh.

2960-X / 2960-XR Front Panel
System Management Interfaces
•  System LEDs
•  10/100 Out of Band Ethernet Management interface
•  RJ45 Console Interface
•  USB Console (type B)
•  USB Flash (type A)
•  Mode Button

Console Access
•  C2960-X supports USB (type B) console and traditional RJ45 console
•  Each member can have 1 active media (RJ45 or USB)
•  Stack member console is automatically redirected to the Master console
•  Only the active media will accept input
•  Both console media will echo output
•  USB console accepts input when both RJ45 & USB are connected
•  RJ45 echoes output only
•  USB console timeout can be configured with "usb-inactivity-timeout"
•  Prevents blocking of RJ45 media due to a forgotten USB connection

Dynamic Routing with 2960-XR
New IP Lite Feature Set Delivers basic Layer-3 Functionality

Feature set    Scope
-------------  ----------------
LAN Lite       Basic L2
LAN Base       Complete L2
IP Lite        Basic L3
IP Base        Complete L3 + CA
IP Services    Advanced L3 + CA

Platforms shown: 2960-plus / 2960-SF, 2960-X ✔, 2960-XR, 3650 / 3850

IP Lite - Basic L3 features in Catalyst 2960 Series
[Diagram: feature set layers, from top to bottom: IP Base, IP Lite, LAN Base, LAN Lite]
IP Lite L3 features
•  RIPv1, RIPv2
•  OSPF Routed Access
•  EIGRP Stub Routing (IPv4)
•  Policy Based Routing
•  Hot Standby Router Protocol (HSRP)
•  VRRP
•  PIM Stub (SM, DM, SDM)
•  IPv6 PIM (SM, SSM)
IP Lite is a subset of IP Base features

2960X Series - Enhanced Lifetime Warranty

Service Element: Enhanced Limited Lifetime Warranty / Limited Lifetime Warranty
•  Duration of Coverage: Lifetime for switches, as long as the original customer owns the product; lifetime for fans and power supplies for new and existing switches / Lifetime for switches, as long as the original customer owns the product; lifetime for fans & power supplies for new and existing switches
•  Advance Hardware Replacement: Next business day** / 10 Business Days
•  Cisco Technical Assistance Center (TAC) Support (Award Winning): Business hours access for 90-days only / No
•  Online Support / Web Access: Unregistered access only / Unregistered access only
•  Software Policy: Unlimited maintenance updates (LAN Lite, LAN Base, and IP Lite)

** Where next business day delivery is available, Cisco will use commercially reasonable efforts to ship a replacement for next business day delivery provided Cisco’s determination of the hardware failure has been made before 3 p.m. depot time. If a request is made after 3 p.m. depot time, Cisco will ship the advance replacement on the next business day. Actual delivery times may vary depending on Customer location.

2960 FE model Comparison (For Your Reference)

Capability             2960 (LAN Base)    2960-plus (LAN Base)   2960-SF (LAN Base)
---------------------  -----------------  ---------------------  ------------------
Stacking Technology    Not Supported      Not Supported          FlexStack-Plus
Stacking Bandwidth     N/A                N/A                    40Gbps
Max Stack members      N/A                N/A                    4
PoE / PoE+             PoE                PoE                    PoE+
Max PoE                370W               370W                   740W
Flash On board         32MB               64MB                   64MB
DRAM                   64MB               128MB                  128MB
Uplinks                SFP/1000Base-T     SFP/1000Base-T         SFP
IPv6 Forwarding        No                 No                     Static Routing

How to read the PID
WS-C2960X-48FPD-L

Switch Type Options:
•  X = X series

Number of Downlink ports

Port Type Options:
•  F = Full Inline Power (740W)
•  L = Partial Inline Power (370W)
•  P = Inline Power Model
•  T = Non-Inline Power model

•  D = 10Gig SFP+ uplink
•  S = 1Gig SFP uplink
•  Q = Quad / Four uplinks

•  L = LAN Base
•  LL = LAN Lite

Agenda
•  Understand Catalyst 2960 Series Portfolio
•  What is inside Catalyst 2960-X
    •  ASIC Architecture
    •  Packet Walk
•  High Availability with Stacking – FlexStack-Plus
•  Secure Network from Access Layer
•  Quality of Service from Access Layer
•  Simplify Day to Day Operations

Architecture Check List
Many options to choose - What to look for?
•  How many switching ASICs are present? Check for per port resources
•  How are the ASICs interconnected in standalone mode? Check for bottlenecks
•  How are the ASICs interconnected when stacked?
•  Ease of stacking and stack convergence time
•  Cross stack features and their functionality
•  How are the port buffers shared?
•  How are the TCAM resources shared among different features?
•  How does multicast replication work?

2960-X Architecture
[Block diagram: Forwarding ASIC with two slices (Slice 1 and Slice 2), each with Data Path 1, Data Path 2 and a Shared Fwd Ctlr; Universal Packet Buffer (UPB) 4MB; Octal Phys serving 24 PoE ports per slice; stack ports; 2 * 10G SFP+ / 4 * 1G SFP uplinks through an EDC Phy]

How to check ASIC to port mapping
Within the ASIC – Single Data Path
[Diagram: MAC ports 1 to 24, RCV FIFO, TXT FIFO, TXT Queues, Forwarding Controller with TCAM and SRAM, path to CPU, Ingress Path and Egress Path, and the Universal Packet Buffer (UPB) shared for all 4 data paths]

Switch Database Management (SDM) Templates
•  Flexibility to configure system resources
•  Optimize system resources for various deployments – Switching, Routing

2960-XR SDM templates
SDM Template            Default      VLAN         IPv4
----------------------  -----------  -----------  ----------
L2 - MAC                16K          32K          16K
L3 - Routes             5.25K        0.5K         24K
Multicast (v4/v6)       1K / 1K      1K / 1K      1K / 0
QoS ACE (v4/v6)         500 / 250    500 / 500    500 / 0
Security ACE (v4/v6)    1K / 500     1K / 500     875 / 60

Packet walk - Ingress
On the way in
[Diagram repeated on each slide: MAC ports 1 to 24, RCV FIFO, TXT FIFO, TXT Queues, Forwarding Controller with TCAM and SRAM, path to CPU, and the Universal Packet Buffer (UPB) shared for all 4 data paths]
1. Packets entering the switch are received by the Receive FIFO after VLAN de-capsulation.
2. The whole packet is sent to the UPB. A copy of the first 200 bytes is sent into the Forwarding Controller for processing (forwarding, ACL, QoS lookups).
3. The Search Engine in the Forwarding Controller does a learning lookup in TCAM and receives the index.
4. The Forwarding Controller queries the SRAM with the index to get the L2 address table info for learning.
5. The Search Engine in the Forwarding Controller does the QoS and ACL lookup in TCAM. Index returned.
6. The Forwarding Controller queries the SRAM for the respective ingress ACL and QoS response.
7-8. Lookup to the policer (how much policing to do?). Policing information returned.
9-10. Lookup to the NetFlow record, index returned. The NetFlow result table entry pointed to by the index is updated.
11. The Search Engine in the Forwarding Controller does the L2/L3 forwarding lookup in TCAM. Index returned.
12. The Forwarding Controller sends the index to the SRAM for destination details. Destination information returned.
13. A descriptor with the lookup results is appended to the original (native) packet and stored in the UPB.

Within the ASIC – Single Data Path
[Diagram: the same single data path, with the Egress Path highlighted]

Packet walk - Egress
On the way out
[Diagram repeated on each slide: MAC ports 1 to 24, RCV FIFO, TXT FIFO, TXT Queues, Forwarding Controller with TCAM and SRAM, path to CPU, and the Universal Packet Buffer (UPB) holding the native packet and its descriptor]
1. A pointer to the frame is placed on the targeted Transmit Queue.
2. Frame data from the UPB is transferred to the Transmit FIFO.
3. The packet egresses and is stored in the Transmit FIFO for egress processing.
4. The first 200 bytes & descriptor are sent to the Forwarding Controller for egress processing.
5. The Search Engine in the Forwarding Controller sends the destination lookup to TCAM. Index returned.
6. The Forwarding Controller uses the index to get the L2/L3 forwarding info.
7. The packet header is prepared in the Forwarding Controller.
8. The Forwarding Controller sends the header info to the TXT FIFO, where the final packet is assembled.
9. The final packet is sent to the egress port.

Agenda
•  Understand Catalyst 2960 Series Portfolio
•  What is inside Catalyst 2960-X
•  High Availability with Stacking
    •  FlexStack-Plus Architecture
    •  FlexStack-Plus Packet flow examples
•  Secure Network from Access Layer
•  Quality of Service from Access Layer
•  Simplify Day to Day Operations

FlexStack-Plus Stack Module – 2960X/2960XR
•  FlexStack-Plus module provides an option for stacking
•  FlexStack-Plus modules are hot swappable – Plug & Play
•  Powered using the switch-based power supply
•  Stack bandwidth of 80Gbps bi-directional traffic
•  FlexStack-Plus supports stacking up to 8 members
•  FlexStack-Plus technology is backward compatible with FlexStack.
•  FlexStack-Plus and FlexStack modules are not interchangeable.

Why FlexStack or FlexStack-Plus?
•  Manages all the switches as single virtual switch
•  Allows access to all switches with a single IP address
•  Automatic Master selection & backup 1:N redundancy
•  Automatic IOS versioning and Update!
•  Automatic configuration of new members
•  Automatic unit replacement (configuration of old switch retained)
•  Stateful switch over in case of master failures
•  Sub-millisecond Master failover
•  Smart Multicast – Local Replication of multicast packets
•  Cross-stack features (Etherchannel and QoS)
Stack Master Election Criteria
•  The stack (or switch) whose master has the higher user configurable mastership priority 1–15
   Switch(config)# switch 3 priority 15
•  The stack (or switch) whose master is not using the default configuration
•  The stack (or switch) whose master has the longest uptime
•  The switch or stack whose master has the lowest MAC address

FlexStack-Plus Architecture Overview
•  Both stack links are active and forwarding
•  Not a ring architecture – hop by hop
•  Local switching support
•  Packet path determined using "SPF"
•  Destination stripping
•  No load balancing on stack ports
•  All members see flooded packets once
•  Passive link prevents broadcast storms
•  38 byte stack header – contains the ingress member

C2960-X FlexStack-Plus Packet Flow, Unicast
[Diagram: stack of Member 1, Member 2, Member 3 and Member 4]
•  Unicast packet ingresses member 1, egressing member 2
•  Takes the shortest path
•  Whole packet is transmitted
•  No load balancing on stack ports
•  Destination stripping

C2960-X FlexStack-Plus Packet Flow, Unicast
[Diagram: stack of Member 1, Member 2, Member 3 and Member 4, each with Stack Port 1 and Stack Port 2]
•  Unicast packet ingresses member 1, egressing member 3
•  Packet traverses hop by hop
•  Ingress look-ups ignored if received on stack port
•  Egress look-ups ignored if sent out of stack port
•  Shortest path conflict – use Stack Port 1

C2960-X FlexStack-Plus Packet Flow, BCAST
[Diagram: stack of Member 1, Member 2, Member 3 and Member 4]
•  BCAST packet ingresses member 1
•  BCAST packet egresses on all interfaces forwarding on that VLAN for all members
•  Passive link prevents forwarding of the packet between members 3 & 4

C2960-X FlexStack-Plus
4 Member Stack Link Neighbor Table
[Diagram: members 1 to 4 cabled in a ring through stack ports 1 and 2]

C2960X#show switch neighbors
Switch #    Port 1    Port 2
--------    ------    ------
    1          2         4
    2          3         1
    3          4         2
    4          1         3

Stage 1: Stack Neighbor Discovery
Stage 2: Topology Discovery

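The path selection described on the unicast packet-flow slides, applied to the neighbor table above, as an added example (not Cisco code and not part of the original deck). It models only what the slides state: shortest path hop by hop, stack port 1 on a tie, no load balancing. The `None` neighbor marker for an unconnected stack port and the broken-ring sample are assumptions.

```python
import re
from collections import deque

# `show switch neighbors` output as printed on the slide.
NEIGHBORS_OUTPUT = """\
Switch #    Port 1    Port 2
--------    ------    ------
    1          2         4
    2          3         1
    3          4         2
    4          1         3
"""

# Constructed sample: the same stack with the cable between members 1 and 4 removed.
BROKEN_RING_OUTPUT = """\
    1          2       None
    2          3         1
    3          4         2
    4        None        3
"""


def parse_neighbors(text):
    """Return {member: {1: neighbor_on_port_1, 2: neighbor_on_port_2}}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+|None)\s+(\d+|None)\s*$", line)
        if m:
            sw, p1, p2 = m.groups()
            table[int(sw)] = {1: None if p1 == "None" else int(p1),
                              2: None if p2 == "None" else int(p2)}
    return table


def hops_via(table, src, dst, port):
    """Hop count from src to dst when the frame leaves src on the given stack port."""
    first = table[src][port]
    if first is None:
        return None
    seen = {src, first}
    queue = deque([(first, 1)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in table.get(node, {}).values():
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def egress_stack_port(table, src, dst):
    """Return (stack_port, hops) for src -> dst, or None if no stack port is used."""
    if src == dst:
        return None  # local switching, the frame never touches a stack port
    h1 = hops_via(table, src, dst, 1)
    h2 = hops_via(table, src, dst, 2)
    if h1 is None and h2 is None:
        return None  # destination member unreachable
    if h2 is None or (h1 is not None and h1 <= h2):
        return (1, h1)  # shorter path, or a tie resolved in favour of stack port 1
    return (2, h2)


if __name__ == "__main__":
    ring = parse_neighbors(NEIGHBORS_OUTPUT)
    for dst in (2, 3, 4):
        print("member 1 ->", dst, egress_stack_port(ring, 1, dst))
```

Member 1 to member 3 is the tie case from the slide: both directions are two hops, so stack port 1 is chosen.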
C2960-X Drop Table "Passive Link"
[Matrix: ingress stack ports 1-1 through 4-2 against members 1 to 4, with one BLK entry per ingress stack port]

C2960X#show platform dtm drop-table
Stack Port 1 Drop Tables:
Node ID    BLOCK/FORWARD
   1       FORWARD
   2       FORWARD
   3       FORWARD
   4       BLOCK
Stack Port 2 Drop Tables:
Node ID    BLOCK/FORWARD
   1       FORWARD
   2       FORWARD
   3       BLOCK
   4       FORWARD

•  Members have complete stack topology
•  Member builds the drop table to prevent loops in stack topology

C2960-X Passive Link Example: BCAST
•  Use drop table to determine stack passive link
•  Passive link is different for each member
[Diagram: members 1 to 4 with stack ports 1 and 2, and the same matrix of ingress stack ports 1-1 through 4-2 against members 1 to 4, one BLK entry per ingress stack port]

C2960-X FlexStack-Plus Fast Convergence
•  Even if one stack link is down, all stack interfaces forward to all members.
•  The data path converges in less than 100ms
•  Control plane convergence is done by software and takes 1-2 secs
[Diagram: members 1 to 4 with stack ports 1 and 2]

C2960-X# show platform dtm drop-table
Stack Port 1 Drop Tables:
Node ID    BLOCK/FORWARD
   1       FORWARD
   2       FORWARD
   3       FORWARD
   4       FORWARD
Stack Port 2 Drop Tables:
Node ID    BLOCK/FORWARD
   1       FORWARD
   2       FORWARD
   3       FORWARD
   4       FORWARD

C2960-X Drop Table - 2 Member stack
•  2 member stack – special case
•  Stack port 1 on both members forwards data packets.
•  Effective stack bandwidth decreases to 40Gbps
•  Stack port 2 unused except for FlexStack protocol packets

Member 1 drop table
C2960X# show platform dtm drop-table
Stack Port 1 Drop Tables:
Node ID    BLOCK/FORWARD
   1       FORWARD
   2       BLOCK
Stack Port 2 Drop Tables:
Node ID    BLOCK/FORWARD
   1       FORWARD
   2       BLOCK

Mix Stack - Stacking 2960-S & 2960-X
[Diagram: 2960-S/SF (LAN Base), 2960-X (LAN Base) and 2960-XR (IP Lite)]
•  Reduce the stack speed on 2960-X
   Switch(config)#switch stack port-speed 10
•  Same SDM template on all switches
•  Capabilities & features limited to 2960-S
•  2960-S or 2960-X can be master

Agenda
•  Understand Catalyst 2960 Series Portfolio
•  What is inside Catalyst 2960-X
•  High Availability with Stacking – FlexStack-Plus
•  Secure Network from Access Layer
    •  Catalyst Integrated Security Features
    •  Netflow-Lite
•  Quality of Service from Access Layer
•  Simplify Day to Day Operations

Cisco 2960-X Series Control Plane Policing
Hardware CoPP - Protects CPU from DoS attacks
IOS 15.2(4), LAN Base, IP Lite

mls qos copp protocol cdp police pps 3434
mls qos copp protocol lldp police bps 908900

Cisco 2960-X Series support PVLAN
PVLAN provides L2 isolation between ports within the same private VLAN
IOS 15.2(4), LAN Base, IP Lite
[Diagram label: Isolated Ports]

Catalyst Integrated Security Features

Attack                                                   Catalyst Feature
-------------------------------------------------------  ----------------------
MAC Address Flooding                                     Port Security
DHCP Rogue Server for Default Gateway Interception       DHCP Snooping
ARP Spoofing or ARP Poisoning                            Dynamic ARP Inspection
IP Spoofing or MAC Spoofing                              IP Source Guard

Port Security
Catalyst Integrated Security

Problem
"Script Kiddie" hacking tools enable attackers to flood switch CAM tables with bogus MACs, turning the VLAN into a "hub" and eliminating privacy.
[Diagram: Campus LAN, 132,000 bogus MACs]

Solution
Catalyst Security Toolkit recognizes the MAC flooding attack, locks down the port and sends an SNMP trap.
[Diagram: Campus LAN, only one MAC address allowed on the port: shutdown if exceeds]

DHCP Snooping
Catalyst Integrated Security

Problem
Rogue DHCP servers are often used in man-in-the-middle or denial of service attacks for malicious purposes.
[Diagram labels (problem): DHCP Server, Protected Resources, Rogue DHCP Server IP: 10.1.1.1; DHCP DISCOVER, DHCPOFFER with DG: 10.1.1.1, DHCPREQ, DHCPACK; client IP: 10.1.1.2, DG: 10.1.1.1; DATA; Attacker Gains Visibility]

Solution
The DHCP snooping feature filters messages and rate limits rogue DHCP traffic from untrusted sources & builds the DHCP binding table.
[Diagram labels (solution): ip dhcp snooping; DHCP Server on the TRUSTED PORT; two UNTRUSTED PORTs; Rogue DHCP Server 10.1.1.1; Protected Resources; DHCP DISCOVER; OFFER/ACK/NACK]

DHCP Snooping
Catalyst Integrated Security

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:3D:75:B2   172.20.100.1     370008      dhcp-snooping  100   GigabitEthernet1/1

•  Table is built by "snooping" the DHCP reply to the client
•  Entries stay in the table until DHCP lease time expires
[Diagram labels: ip dhcp snooping; DHCP Server on the TRUSTED PORT; two UNTRUSTED PORTs; Rogue DHCP Server 10.1.1.1; Protected Resources; DHCP DISCOVER; OFFER/ACK/NACK]

DHCP snooping Binding Database
•  Database can have up to 8K bindings
•  Data is stored in the switch memory
•  The DHCP snooping database agent prevents losing the bindings when the switch reloads
•  The database agent stores the bindings in a file at a configured location
•  At the time of reload, the switch reads the binding file to build the DHCP snooping binding database
•  Needs to keep in sync with the DHCP server database by dumping to TFTP (default every 300 seconds). No secure version available!

CISF: Dynamic ARP Inspection (DAI)
Catalyst Integrated Security

Problem
Attackers can poison the ARP cache on the destination devices and engineer the network traffic to gain visibility into it.
Diagram labels (problem, Campus LAN):
•  Gateway: IP 10.1.1.1, MAC 0002.0001.1111
•  Host: IP 10.1.1.2, MAC 0001.0002.00BB, DG 10.1.1.1
•  Attacker: IP 10.1.1.3, MAC 0001.0002.00AA
•  ARP: 10.1.1.1 / 0001.0002.00AA
•  ARP caches: 10.1.1.1 = 0001.0002.00AA and 10.1.1.2 = 0001.0002.00AA
•  DATA: Attacker Gains Visibility

Solution
Dynamic ARP inspection (DAI) prevents ARP attacks by intercepting all ARP requests and responses at the access
Diagram labels (solution, Campus LAN):
•  ip dhcp snooping
•  ip arp inspection
•  DHCP Snooping Table: 10.1.1.2 = 0001.0002.00BB
•  ARP caches: 10.1.1.1 = 0001.0002.1111 and 10.1.1.2 = 0001.0002.00BB
•  Gateway: IP 10.1.1.1, MAC 0002.0001.1111
•  Host: IP 10.1.1.2, MAC 0001.0002.00BB, DG 10.1.1.1
•  Attacker: IP 10.1.1.3, MAC 0001.0002.00AA

Dynamic ARP Inspection (DAI)
•  Basic idea is to intercept and validate ARP requests and responses for correct IP <-> MAC binding before relaying the ARP packets to other ports in the same subnet
•  Verifies sanity of ARP requests
•  Logs and discards ARP packets with invalid IP to MAC address binding
•  A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP Snooping
•  Can also use ARP ACLs to deny and optionally log all invalid IP/MAC binding attempts for non-DHCP assigned IP addresses (static address)
•  Prevents man-in-the-middle attacks
•  Supported in LAN Base image & disabled by default
•  Supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports

Rate Limiting of ARP Packets
•  By default the number of incoming ARP packets is rate-limited
•  The rate for untrusted interfaces is 15 packets per second
•  Change this setting by using the ip arp inspection limit interface configuration command
•  If the rate of incoming ARP packets exceeds the configured limit, the port is placed in "error-disabled" state
•  A log entry and a system message are generated when the switch drops a packet
•  Each log entry contains flow information, such as the receive VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses

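The validation and rate limiting described on the two DAI slides above, as an added Python model (not Cisco code and not part of the original deck). It checks ARP senders against a binding table parsed from `show ip dhcp snooping binding` text and err-disables a port above 15 packets per second. The binding rows, port names, VLAN 100 and the static gateway entry standing in for an ARP ACL are constructed from the slide diagrams and are assumptions.

```python
import re

# Constructed sample in the layout of `show ip dhcp snooping binding`.
# Host addresses follow the slide diagrams; ports and VLAN are assumptions.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:01:00:02:00:BB   10.1.1.2         370008      dhcp-snooping  100   GigabitEthernet1/2
00:01:00:02:00:AA   10.1.1.3         370008      dhcp-snooping  100   GigabitEthernet1/1
"""

# The statically addressed gateway never appears in the DHCP table, so its
# binding has to be supplied separately (the role an ARP ACL plays on the switch).
STATIC_BINDINGS = {(100, "10.1.1.1"): "0002.0001.1111"}


def norm_mac(mac):
    """Canonical 12-hex-digit form, so 0001.0002.00BB equals 00:01:00:02:00:BB."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_bindings(show_output):
    """Return {(vlan, ip): mac} from the binding table text."""
    table = {}
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[3] == "dhcp-snooping":
            mac, ip, _lease, _type, vlan, _port = fields
            table[(int(vlan), ip)] = norm_mac(mac)
    return table


class DaiModel:
    """ARP validation on untrusted ports with a per-port packets-per-second limit."""

    def __init__(self, bindings, static=None, trusted=(), limit_pps=15):
        self.bindings = dict(bindings)
        for key, mac in (static or {}).items():
            self.bindings[key] = norm_mac(mac)
        self.trusted = set(trusted)
        self.limit_pps = limit_pps
        self.window = {}           # port -> (second, packets seen in that second)
        self.err_disabled = set()
        self.log = []              # one entry per dropped packet

    def _drop(self, reason, port, vlan, sender_ip, sender_mac):
        self.log.append({"vlan": vlan, "port": port, "sender_ip": sender_ip,
                         "sender_mac": sender_mac, "reason": reason})
        return "drop: " + reason

    def receive(self, ts, port, vlan, eth_src, sender_mac, sender_ip):
        """Return the verdict for one ARP packet seen at time ts (seconds)."""
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            return "permit: trusted port"
        second, count = self.window.get(port, (int(ts), 0))
        if second != int(ts):      # a new one-second window starts
            second, count = int(ts), 0
        self.window[port] = (second, count + 1)
        if count + 1 > self.limit_pps:
            self.err_disabled.add(port)
            return self._drop("rate limit exceeded", port, vlan, sender_ip, sender_mac)
        if norm_mac(eth_src) != norm_mac(sender_mac):
            return self._drop("src-mac mismatch", port, vlan, sender_ip, sender_mac)
        expected = self.bindings.get((vlan, sender_ip))
        if expected is None:
            return self._drop("no binding", port, vlan, sender_ip, sender_mac)
        if expected != norm_mac(sender_mac):
            return self._drop("IP/MAC binding mismatch", port, vlan, sender_ip, sender_mac)
        return "permit"


if __name__ == "__main__":
    dai = DaiModel(parse_bindings(BINDING_OUTPUT), STATIC_BINDINGS, trusted={"Gi1/24"})
    # The ARP from the slide: 10.1.1.1 claimed by MAC 0001.0002.00AA.
    print(dai.receive(0.0, "Gi1/1", 100, "0001.0002.00AA", "0001.0002.00AA", "10.1.1.1"))
```

Without the static entry, legitimate ARP replies from the gateway arriving on an untrusted port would be dropped as "no binding", which is why statically addressed hosts need their own bindings before DAI is enabled.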
IP Source Guard
Catalyst Integrated Security

Problem
Illegitimate hosts can spoof IP addresses and MAC addresses of authorized hosts and gain illegal access into the network.
Diagram labels (problem, Campus LAN):
•  IP: 10.1.1.1, MAC: 0002.0001.1111
•  IP: 10.1.1.2, MAC: 0001.0002.00BB
•  IP: 10.1.1.3, MAC: 0001.0002.00AA

Solution
IPSG automatically configures a port ACL for the IP address and adds a MAC address to port security based on the DHCP snooping binding table. Rogue traffic is blocked.
Diagram labels (solution, Campus LAN):
•  ip dhcp snooping
•  ip arp inspection
•  (if) ip verify source
•  DHCP Snooping Table: 10.1.1.2 = 0001.0002.00BB
•  Ports Gi1/1 and Gi1/2; spoofed IP on Gi1/1
•  IP: 10.1.1.1, MAC: 0002.0001.1111
•  IP: 10.1.1.2, MAC: 0001.0002.00BB
•  IP: 10.1.1.3, MAC: 0001.0002.00AA

Auto Secure
Catalyst Integrated Security
•  1 line – 'auto security' applies 3 simple security features
    •  DHCP Snooping
    •  Dynamic ARP Inspection
    •  Port Security
•  Global config enables on all ports as well
•  Based on port mode – access OR trunk, it applies host config or uplink config

Auto Secure – Actual Config & show Commands
auto security
!
interface GigabitEthernet3/3
description Connected to wired PC
switchport access vlan 11
switchport mode access
auto security-port host
!
interface TenGigabitEthernet1/1
description Trunk Port
switchport mode trunk
auto security-port uplink
Switch#sh auto security configuration
%AutoSecure provides a single CLI config 'auto secure'
to enable Base-line security Features like
DHCP snooping, ARP inspection and Port-Security
Auto Secure CLIs applied globally:
---------------------------------
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip
Auto Secure CLIs applied on Access Port:
----------------------------------------
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
Auto Secure CLIs applied on Trunk Port:
--------------------------------------
ip dhcp snooping trust
ip arp inspection trust
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
Switch#sh auto security
Auto Secure is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
TenGigabitEthernet1/1
GigabitEthernet3/1
GigabitEthernet3/3
GigabitEthernet3/4
GigabitEthernet3/5
GigabitEthernet3/6
Switch#
2K-X
15.2(2)E
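An added example, not part of the slides and not Cisco tooling: a Python audit that checks a saved running-config against the baseline listed in the 'show auto security configuration' output above and flags host ports that are trusted. The sample config is constructed; treating a global 'auto security' line as covering every port follows the slide's "Global config enables on all ports" bullet and is an assumption about the platform.

```python
import re

# Baseline from the 'show auto security configuration' output on the slide.
# Each entry is (text, exact): exact means the whole line must match,
# otherwise the line may carry arguments after the text.
GLOBAL_BASELINE = [("ip dhcp snooping", True), ("ip dhcp snooping vlan", False),
                   ("ip arp inspection vlan", False)]
ACCESS_BASELINE = [("switchport port-security", True),
                   ("switchport port-security violation restrict", True),
                   ("ip arp inspection limit rate", False),
                   ("ip dhcp snooping limit rate", False)]
TRUNK_BASELINE = [("ip dhcp snooping trust", True), ("ip arp inspection trust", True)]
TRUST_LINES = {"ip dhcp snooping trust", "ip arp inspection trust"}

# Constructed sample running-config (not taken from a real switch).
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 2-1005
!
interface GigabitEthernet3/3
 description Connected to wired PC
 switchport access vlan 11
 switchport mode access
 auto security-port host
!
interface GigabitEthernet3/4
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet3/5
 switchport mode access
 auto security-port host
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/1
 description Trunk Port
 switchport mode trunk
 auto security-port uplink
!
interface Vlan11
 ip address 10.0.11.1 255.255.255.0
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        match = re.match(r"interface (\S+)$", line)
        if match and not raw[0].isspace():
            current = interfaces.setdefault(match.group(1), [])
        elif current is not None and raw[0].isspace():
            current.append(line)
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def missing(lines, baseline):
    """Return the baseline entries that no configured line satisfies."""
    gaps = []
    for text, exact in baseline:
        if not any(l == text or (not exact and l.startswith(text + " ")) for l in lines):
            gaps.append(text)
    return gaps


def audit(text):
    """Map 'global' or an interface name to its list of baseline deviations."""
    globals_, interfaces = parse_config(text)
    findings = {}
    # Assumption: a global 'auto security' covers every port according to its mode.
    auto_global = "auto security" in globals_
    if not auto_global and missing(globals_, GLOBAL_BASELINE):
        findings["global"] = ["missing: " + g for g in missing(globals_, GLOBAL_BASELINE)]
    for name, lines in interfaces.items():
        if name.lower().startswith("vlan") or "no switchport" in lines or "shutdown" in lines:
            continue  # SVIs, routed ports and disabled ports are out of scope
        issues = []
        if "switchport mode trunk" in lines:
            if not (auto_global or "auto security-port uplink" in lines):
                issues += ["missing: " + g for g in missing(lines, TRUNK_BASELINE)]
        elif "switchport mode access" in lines:
            # Trust on a host port switches off DHCP snooping/DAI checks there.
            trusted = sorted(TRUST_LINES & set(lines))
            if "auto security-port uplink" in lines:
                trusted.append("auto security-port uplink")
            issues += ["host port is trusted: " + t for t in trusted]
            if not (auto_global or "auto security-port host" in lines):
                issues += ["missing: " + g for g in missing(lines, ACCESS_BASELINE)]
        else:
            issues.append("no static switchport mode, host/uplink profile undecidable")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for target, issues in audit(SAMPLE).items():
        for issue in issues:
            print(target + ": " + issue)
```

Because 'auto security-port host' leaves the derived lines out of the running-config, the audit accepts either the macro line or the explicit commands.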
Deployment Hurdles with 802.1X
The Challenge: Typical Deployment Scenario
Implement Identity-Based Access Control
Deploy Access Control
Failed Access due to non 802.1X client, supplicant variation etc.
User contacts help desk for assistance
Troubleshooting problem results in loss of productivity
[Figure labels: HELP DESK; CORPORATE RESOURCES; 802.1x; FAILURE; DENIED; MAC Address 00:18:F8:46:53:D7; Authorized Access; User Downtime; Productivity Loss]
Zero Downtime When Implementing 802.1X with Monitor Mode
The Solution: Deployment Scenario—Cisco Access Switch
Implement in Monitor Mode
Discovery—Allows connection regardless of device types
Correct—View failed reports on ACS or ISE; troubleshoot and resolve issues; ensure future authorization
Add Authorization—Block unauthorized access; add policy for restricted resources
Deploy Access Control
[Figure labels: Authorized Access; 802.1x; FAILURE; MAC Address 00:18:F8:46:53:D7; CONNECTED; MAC Address 00:18:F8:46:60:D7; CORPORATE RESOURCES; REPORT ANALYSIS; ALLOW; ALLOWED; POLICY; ISE]
2K-X
15.0(2)EX
802.1X Is Not Just a Check Box
Cisco Simplifies 802.1X Deployments
Deployment Hurdle / Feature
How do you support non 802.1X clients and Guest users/devices?
•  Guest VLAN
•  MAC Authentication Bypass, Web Authentication
•  Monitor Mode
How do you handle failed access?
•  Failed Authentication VLAN
•  Monitor Mode
How do you support multiple users or devices on the same port?
•  Multi domain Authentication
•  Multi-Authentication
•  MAC based VLAN assignment
How do you support various kinds of devices with different authentication mechanisms?
•  Flexible Authentication via Automated 802.1X, MAB, web Auth
•  Different Supplicant types for different Client Operating Systems
•  Wake On LAN
•  IOS Sensor
How do you handle devices moving in your network?
•  MAC Move/Replace
How do you handle Device proliferation?
•  IOS Sensor
•  Monitor Mode
Cisco Has Many Features to Enhance 802.1x and Make Identity
Networking Truly Deployable, Not Just a Check-Box
Multi-Auth - MAC based VLAN Assignment
Deployment Cases
•  LAN extension beyond wiring closet
•  Differentiated host access
•  Segmentation of virtual machines
If PC, Then data VLAN 5
If IP Phone, Then voice VLAN 200
If Telepresence, Then video VLAN 100
MAC              VLAN
0011-5678-1111   5
0022-5678-2222   200
0033-5678-3333   100
[Figure labels: 2960-X Access Switch; Access VLAN 10; Ethernet Hub; PC 0011-5678-1111; IP Phone 0022-5678-2222; Telepresence 0033-5678-3333; Campus Network; AAA Server; ADC; DHCP, DNS; VLAN 5; VLAN 200; VLAN 100]
Probably Time to Think About IPv6 in Your Network
IPv6 First Hop Security
Dual Stack with IPv6 Enabled by Default
Your Host
•  IPv4 is protected by your favorite personal firewall...
•  IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
Your Network
•  Does not run IPv6
Your Assumption
•  I’m safe
Reality
•  You are not safe
•  Attacker sends Router Advertisements
•  Your host configures silently to IPv6
•  You are now under IPv6 attack
First Hop Security: RA Guard
IPv6 First Hop Security
Identify “Trusted” ports – where the router will reside
Only allow Router Advertisements from that port
Protection against DoS attacks
•  On Address Configuration
•  On Duplicate Address Detection
•  Flooding attacks
[Figure labels: HOST Device-role; ROUTER Device-role; RA]
IPv6 FHS – DHCPv6 Guard
Prevent Rogue DHCP responses from misleading the client
[Figure labels: Hosts; L2/link Infrastructure; Provisioning Infrastructure; Configuration Server; DHCP Server; Time Server; Certificate Server; Internet]
IPv6 FHS – Binding Integrity Guard
Creates and maintains a v6 binding table to ensure rogue users cannot spoof or steal
addresses
[Figure labels: SWITCH; vlan 100; HOST; INTRUDER; ROUTER + DHCP server; PEER]
SXP
SGT/ SGACL
If the switch supports SXP, switch can send
IP-to-SGT binding table to SGT capable
device (e.g. Catalyst 3850 / Nexus 7000)
IP-to-SGT Binding Info Exchange using SXP
Locally Learned
IP Address     SGT   Source
10.1.10.102    5     LOCAL
10.1.10.110    14    LOCAL
10.1.99.100    12    LOCAL
Statically configured
IP Address     SGT   Source
10.1.100.10    4     CLI
10.1.200.10    8     CLI
10.1.200.100   10    CLI
10.1.200.200   9     CLI
[Figure labels: Users, Endpoints; Doctor (SGT 7); IT Admin (SGT 5); Agent-less Device; VLAN100; VLAN200; 802.1X; MAB; LWA; Catalyst 2960-X LanBase; Catalyst 2960-XR; Campus Network; Catalyst 3850; Nexus® 7000; Distribution; ISE 1.1; Active Directory; SXP Speaker; SXP Listener; Untagged Frame; Tagged Frame; SGT=7; SGT Enforcement; IT Portal (SGT 4) 10.1.100.10; Public Portal (SGT 8) 10.1.200.10; Internal Portal (SGT 9) 10.1.200.200; Patient Record DB (SGT 10) 10.1.200.100]
SGT Tagging
When an SGT capable device receives a packet, it
looks up the SGT value in the table and inserts the SGT tag into
the frame when it exits the egress port
IP-to-SGT Binding Table
IP Address     SGT   Source
10.1.10.102    5     SXP
10.1.10.110    14    SXP
10.1.99.100    12    SXP
[Figure labels: Users, Endpoints; Doctor (SGT 7); IT Admin (SGT 5); Agent-less Device; VLAN100; VLAN200; 802.1X; MAB; LWA; Catalyst® 2960-X; Catalyst® 2960-XR; Campus Network; Catalyst 3750-X; Nexus® 7000; Distribution; ISE 1.1; Active Directory; Untagged Frame; Tagged Frame; SRC=10.1.10.102; SGT=5; SGT=7; SGT Enforcement; IT Portal (SGT 4) 10.1.100.10; Public Portal (SGT 8) 10.1.200.10; Internal Portal (SGT 9) 10.1.200.200; Patient Record DB (SGT 10) 10.1.200.100]
NetFlow Lite
NetFlow Lite with 2960-X & -XR
Built-in Sampled NetFlow
Flexible NetFlow Export
Configurable key fields including L2, L3, L4
ASIC-based capture
At line-rate with minimal CPU impact
Covers all ports
North-South and East-West traffic
Detect anomalies
Identify top users and applications
Catalyst 2960-X
NetFlow Lite
•  v9 Export
•  16K flows
•  Sampled
• Random
• Deterministic
from 1:1022 to 1:32
NetFlow-Lite Characteristics on 2960-X Series
•  NetFlow-Lite is supported on LAN Base and IP Lite SKUs only.
•  NetFlow-Lite is supported in Mixed Stack, on 2960-X series ports only.
•  Only Sampled NetFlow is supported.
•  Only ingress flows are monitored.
•  Flows are monitored on Physical Ports and VLAN Interfaces (SVI).
•  One monitor per interface is supported.
•  NetFlow Version 9 is supported for Exporter.
•  Deterministic Sampler is not shared. Every attachment with same Deterministic
Sampler uses up one free sampler.
•  Random Sampler is shared. Only one sampler is used when Random Sampler
is attached to different Ports or SVIs.
NetFlow-Lite Configurations
flow record record1
match ipv4 protocol
match ipv4 destination address
match transport destination-port
collect flow sampler
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow exporter exporter1
destination 10.0.101.254
transport udp 9994
!
flow monitor monitor1
record record1
exporter exporter1
cache timeout active 60
statistics packet protocol
!
sampler rdm_sampler
mode random 1 out-of 32
!
sampler det_sampler
mode deterministic 1 out-of 55
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip flow monitor monitor1 sampler rdm_sampler input
!
interface GigabitEthernet1/0/2
switchport access vlan 23
!
interface Vlan23
ip flow monitor monitor1 sampler det_sampler input
ip address 10.64.71.77 255.255.255.128
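An added example, not from the slides: a Python decoder for the NetFlow v9 export that record1 above would produce, scaling sampled byte counts by the sampler ratio to rank destinations on the collector side. The export packets are constructed in the code, the field type numbers come from RFC 3954, and the 1-byte sampler field is an assumption; the decoder takes field lengths from whatever template it receives.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v9 field type numbers (RFC 3954) for the fields named in record1.
FIELD_NAMES = {4: "protocol", 12: "dst_addr", 11: "dst_port", 48: "sampler_id",
               1: "bytes", 2: "packets", 22: "first", 21: "last"}

# Constructed sample data, not captured from a switch.
TEMPLATE_FIELDS = [(4, 1), (12, 4), (11, 2), (48, 1), (1, 8), (2, 8), (22, 4), (21, 4)]
SAMPLE_FLOWS = [(6, "10.0.101.10", 443, 1, 1500, 1, 1000, 2000),
                (17, "10.0.101.53", 53, 1, 300, 3, 1500, 1600),
                (6, "10.0.101.10", 443, 1, 4500, 3, 2500, 4000)]


def _read_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * field_count
        if template_id < 256 or end > len(body):
            break  # alignment padding or a truncated template
        fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                  for i in range(field_count)]
        templates[(source_id, template_id)] = fields
        pos = end


def _read_records(body, fields):
    record_len = sum(length for _, length in fields)
    flows = []
    if record_len == 0:
        return flows
    # Bytes left after the last whole record are alignment padding.
    for start in range(0, len(body) - record_len + 1, record_len):
        flow, pos = {}, start
        for ftype, length in fields:
            raw = body[pos:pos + length]
            name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
            if ftype == 12 and length == 4:
                flow[name] = str(ipaddress.IPv4Address(raw))
            else:
                flow[name] = int.from_bytes(raw, "big")
            pos += length
        flows.append(flow)
    return flows


def parse_v9(packet, templates):
    """Decode one export datagram; `templates` must persist between datagrams."""
    if len(packet) < 20:
        raise ValueError("short header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:
            _read_templates(body, source_id, templates)
        elif flowset_id >= 256 and (source_id, flowset_id) in templates:
            flows.extend(_read_records(body, templates[(source_id, flowset_id)]))
        # Data for a template not yet seen is skipped until the template arrives.
        offset += length
    return flows


def estimate_bytes_by_destination(flows, sampling_rate):
    """Scale sampled byte counts by the sampler ratio (32 for '1 out-of 32')."""
    totals = Counter()
    for f in flows:
        totals[(f["dst_addr"], f["dst_port"], f["protocol"])] += f["bytes"] * sampling_rate
    return totals.most_common()


def _header(count, source_id=1):
    return struct.pack("!HHIIII", 9, count, 5000, 1456790400, 1, source_id)


def build_template_packet():
    body = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return _header(1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet():
    body = b"".join(
        struct.pack("!B4sHBQQII", proto, ipaddress.IPv4Address(addr).packed,
                    port, sampler, nbytes, pkts, first, last)
        for proto, addr, port, sampler, nbytes, pkts, first, last in SAMPLE_FLOWS)
    return _header(len(SAMPLE_FLOWS)) + struct.pack("!HH", 256, 4 + len(body)) + body


if __name__ == "__main__":
    cache = {}
    parse_v9(build_template_packet(), cache)
    for key, est in estimate_bytes_by_destination(parse_v9(build_data_packet(), cache), 32):
        print(key, est)
```

The estimate is statistical: with only sampled export available, short flows can be missed entirely, so absence from the cache is not evidence that a flow did not occur.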
Agenda
•  Understand Catalyst 2960 Series Portfolio
•  What is inside Catalyst 2960-X
•  High Availability with Stacking – FlexStack-Plus
•  Secure Network from Access Layer
•  Quality of Service from Access Layer
•  Simplify Day to Day Operations
Catalyst 2K - QoS Model
[Figure labels: Network Interface; Trust Status; Service-Policy; Policer/ReMarker; Output Q Map; Q1, Q2, Q3, Q4, each with WTD; SRR (Shaped/Shared); 1P3Q3T/4Q3T; Universal Packet Buffer (UPB)]
Trust, Classification & Marking
•  Markings trusted by default – ‘no mls qos’
•  ‘mls qos’ enabled – all markings are set to BE
•  Trust Config
-  Trust COS/DSCP
-  Conditional Trust
-  Mark without trust
[Figure labels: Trust Status; Service-Policy; Policer/ReMarker; QoS Label]
C2960-X(config)#int gig1/0/2
C2960-X(config-if)#auto qos voip cisco-phone
C2960-X(config-if)#do sh run int gig1/0/2
interface GigabitEthernet1/0/2
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
service-po
! QoS disabled: markings are trusted by default
C2960-X(config)#no mls qos
C2960-X(config)#
! Trust DSCP
C2960-X(config)#mls qos
C2960-X(config)#interface GigabitEthernet1/0/11
C2960-X(config-if)#mls qos trust dscp
! Conditional trust
C2960-X(config)#mls qos
C2960-X(config)#interface GigabitEthernet1/0/11
C2960-X(config-if)#mls qos trust dscp
C2960-X(config-if)#mls qos trust device cisco-phone
! Mark without trust
C2960-X(config)#mls qos
C2960-X(config)#interface GigabitEthernet1/0/11
C2960-X(config-if)#mls qos cos 5
C2960-X(config-if)#mls qos cos override
! Classify and police with a service policy
C2960-X(config)#access-list 101 permit tcp any eq www any
C2960-X(config)#class-map match-all http
C2960-X(config-cmap)#match access-group 101
C2960-X(config-cmap)#policy-map web-server
C2960-X(config-pmap)#class http
C2960-X(config-pmap-c)#police 500000 8000 exceed-act drop
C2960-X(config-pmap-c)#int gig1/0/11
C2960-X(config-if)#service-policy input web-server
Egress Queuing & Scheduling
•  Queuing
–  Default Four egress queues/port
–  Configurable Eight egress queues/port
–  Queues assigned based on QoS label
–  2 Queue-sets – 2 Queue configurations
•  Dropping
–  WTD used for congestion avoidance
•  Scheduling
–  Per Interface configuration
–  Strict Priority
–  SRR used to manage the queues
[Figure labels: Output Q Map; Q1, Q2, Q3, Q4, each with WTD; Threshold 1, Threshold 2, Threshold 3; SRR (Shaped/Shared); 1P3Q3T/4Q3T]
WRR vs. SRR
SRR is an evolution of WRR that protects against overwhelming buffers with
huge bursts of traffic by using a smoother round-robin (SRR) mechanism
WRR: Each queue empties immediately as it is weighted
SRR: Each queue empties a weighted number of packets over a given period of time
SRR has a more even traffic flow – Low Priority traffic won’t starve!
[Figure: packet order under WRR and under SRR for Q1 (Weight 1), Q2 (Weight 2), Q3 (Weight 3), Q4 (Weight 4)]
DSCP to Egress Queue & Threshold Mapping
C2960-X #sh mls qos maps dscp-output-q
Dscp-outputq-threshold map:
d1 :d2 0 1 2 3 4 5 6 7 8 9
------------------------------------------------------------
0 : 04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-01 04-02
1 : 04-02 04-02 04-02 04-02 04-02 04-02 03-03 03-03 03-03 03-03
...
4 : 01-03 01-03 01-03 01-03 01-03 01-03 01-03 01-03 02-03 02-03
5 : 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03
6 : 02-03 02-03 02-03 02-03
C2960-X(conf) # mls qos srr-queue output dscp-map queue 1 threshold 3 46
C2960-X(conf) # mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
COS to Egress Queue & Threshold Mapping
C2960-X # show mls qos maps cos-output-q
Cos-outputq-threshold map:
cos: 0 1 2 3 4 5 6 7
------------------------------------------------------------------
queue-threshold: 3-3 4-3 2-1 2-2 1-3 1-3 2-3 2-3
C2960-X(conf) # mls qos srr-queue output cos-map queue 1 threshold 3 4
C2960-X(conf) # mls qos srr-queue output cos-map queue 2 threshold 3 6 7
Egress Buffers Allocation
•  Every Port has reserved egress buffers
•  10G uplinks reserved buffers = ~ 4 * 1G downlink reserved buffers
•  Dedicated Common pool for uplink & Stack ports
[Figure labels: Universal Packet Buffer; 4 MB/ASIC; 1 Buffer = 256B; 16384 Buffers; Reserved Pool; Common Pool; CPU Pool; Gig1/0/1 and Gig1/0/2 with queues Q1 to Q4; Downlinks; Uplinks; Stack Ports; 140 KB]
Queue Sets & Thresholds
C2960-X#show mls qos queue-set 1
Queueset: 1
Queue : 1 2 3 4
----------------------------------------------
buffers : 15 25 40 20
threshold1: 50 125 100 60
threshold2: 100 125 100 150
reserved : 50 100 100 50
maximum : 200 400 400 200
C2960-X#show mls qos queue-set 2
Queueset: 2
Queue : 1 2 3 4
----------------------------------------------
buffers : 25 25 25 25
threshold1: 100 100 100 100
threshold2: 100 100 100 100
reserved : 50 50 50 50
maximum : 400 400 400 400
C2960-X(conf) # mls qos queue-set output 1 buffers 15 25 40 20
C2960-X(conf) # mls qos queue-set output 1 threshold 4 60 150 50 200
Shaped SRR vs. Shared SRR
Shaped (SRR Non-shared): Lesser weight queues sit idle and wait to transmit, even if higher weight queues are empty
Shared (SRR Shared): If higher weight queues are empty, lesser weight queues can continue to send while the higher weight queues are empty
Shared Queuing drains queues more efficiently!
Room for more traffic, draining the buffers!
[Figure: packet order under SRR Non-shared (with Wait slots) and under SRR Shared for Q1 (Weight 1), Q2 (Weight 2), Q3 (Weight 3), Q4 (Weight 4)]
Shaped SRR vs. Shared SRR
•  Either Shaped SRR or Shared SRR is Good!
•  Shared SRR is used to get the maximum efficiency out of a queuing system,
because unused time slots can be reused by busier queues, unlike standard
WRR.
•  Shaped SRR is used when one wants to shape a queue or set a hard limit on
how much bandwidth a queue can use. Shaping provides a more even flow of
traffic over time and reduces the peaks and valleys of bursty traffic.
Queue level Bandwidth Allocation
C2960-X#sh mls qos int gig1/0/3 queueing
GigabitEthernet1/0/3
Egress Priority Queue : enabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 10 10 60 20
The port bandwidth limit : 85 (Operational Bandwidth: 100.0)
The port is mapped to qset : 2
C2960-X#sh mls qos int gig1/0/1 queueing
GigabitEthernet1/0/1
Egress Priority Queue : disabled
Shaped queue weights (absolute) : 3 0 0 0
Shared queue weights : 1 70 25 5
The port bandwidth limit : 100 (Operational Bandwidth: 100.0)
The port is mapped to qset : 1
C2960-X(config) # interface GigabitEthernet 1/0/1
C2960-X(config-if)# srr-queue bandwidth share 1 70 25 5
! Q2 gets 70% of remaining BW; Q3 gets 25% and Q4 gets 5%
C2960-X(config-if)# srr-queue bandwidth shape 3 0 0 0
! Q1 is limited to 33% (1/3) of the total available BW
C2960-X(config) # interface GigabitEthernet 1/0/3
C2960-X(config-if)#priority-queue out
Four Egress Queues
Default Configuration - map 12 traffic classes
C2960XR#show mls qos queue-set 1
Queueset: 1
Queue : 1 2 3 4
----------------------------------------------
buffers : 25 25 25 25
threshold1: 100 200 100 100
threshold2: 100 200 100 100
reserved : 50 50 50 50
maximum : 400 400 400 400
C2960XR#configure terminal
C2960XR(config)#mls qos srr-queue output queues 8
[Figure labels: Output Q Map; Q1, Q2, Q3, Q4, each with WTD; SRR (Shaped/Shared); 1P3Q3T/4Q3T]
Eight Egress Queues
Configurable - map 24 traffic classes
Only on Standalone*
* Roadmap to support eight queues in stack
C2960XR#show mls qos queue-set 1
Queueset: 1
Queue : 1 2 3 4 5 6 7 8
---------------------------------------------------------------------------
buffers : 10 30 10 10 10 10 10 10
threshold1: 100 1600 100 100 100 100 100 100
threshold2: 100 2000 100 100 100 100 100 100
reserved : 100 100 100 100 100 100 100 100
maximum : 400 2400 400 400 400 400 400 400
[Figure labels: Output Q Map; Q1 to Q8, each with WTD; SRR (Shaped/Shared); 1P7Q3T/8Q3T]
C2960-X Stack Port Queue Set
•  Stack Port Queue Set
-  Buffers per Stack ports is fixed
-  Buffers to Queues is configurable
•  Applies to all stack ports in stack.
•  Separate Common buffer pool for stack ports
C2960XR#show mls qos stack-qset
Queueset: Stack
Queue : 1 2 3 4
----------------------------------------------
buffers : 25 25 25 25
C2960XR#configure terminal
C2960XR(config)#mls qos stack-qset buffers 10 60 20 10
Automation with Cisco AutoQoS Switch Platforms
•  Single command at the interface level configures interface and global QoS
•  Support for Cisco IP Phone & Cisco IP Soft Phone
•  Support for Cisco Telepresence, IP video surveillance camera & Media Player
•  Trust Boundary is disabled when IP Phone is moved / relocated
•  Buffer Allocation & Egress Queuing dependent on interface type (GE/FE)
•  Supported on Static, dynamic-access, voice VLAN access, and trunk ports
•  CDP must be enabled for AutoQoS to function properly
•  Cisco Catalyst 2960 supports SRR, Strict Priority Scheduling, and Strict Priority
Queuing
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
interface GigabitEthernet0/1
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
!
C2960-X(config-if)#auto qos voip cisco-phone
Cisco Catalyst 2960-X
AutoQoS VoIP Model Example
Options:
auto qos voip cisco-phone
auto qos voip cisco-softphone
auto qos voip trust
auto qos video cts
auto qos video ip-camera
auto qos video media-player
Cisco Catalyst 2960-X Supports APIC-EM Easy-QoS
Network Operators express high-level
business-intent to APIC-EM EasyQoS
Applications can interact with APIC-EM via Northbound
APIs, informing the network of application-specific and
dynamic QoS requirements
Southbound APIs translate
business-intent to platform-
specific configurations
[Figure labels: Wireless AP (Trust Boundary, PEP, 4Q (WMM)); Catalyst 2960-X (Trust Boundary, PEP, 1P3Q3T); Catalyst 3650 (Trust Boundary, PEP, 2P6Q3T); Catalyst 4500 (1P7Q1T); Catalyst 6500 (1P3Q4T, 1P7Q4T, 2P6Q4T, …); Nexus 7700 (F3: 1P7Q1T); WLC (PEP); ASR/ISRs (MQC); APIC-EM]
Easy-QoS Simplifies QoS Policy for new Applications
Example: QoS video classification enables Enterprise wide Jabber
Agenda
•  Understand Catalyst 2960 Series Portfolio
•  What is inside Catalyst 2960-X
•  High Availability with Stacking – FlexStack-Plus
•  Secure Network from Access Layer
•  Quality of Service from Access Layer
•  Simplify Day to Day Operations
•  Plug & Play
•  AutoConf & Interface templates
Network Plug-N-Play with APIC-EM Automates
Switch Deployment & Configuration
Pre Provision Projects/Sites
•  Policies
•  Match Rules
•  Configs/Image
•  IP Addressing
Remote Installer
•  Mount and cable devices
•  Power-on
Booting Devices Call Out to PnP Server, Requesting Instructions
Network Admin Remotely Monitors Status of Install While in Progress
GUI BASED
CONSISTENT FOR DEVICES AND PIN (CAMPUS/BRANCH)
SECURE
GREENFIELD AND BROWNFIELD
RMA USE CASE
UNSKILLED INSTALLER
[Figure labels: NETWORK ADMIN; INSTALLER; PnP Server; APIC EM; Campus, Bldg-2; PnP Agent; Smart Install Proxy; Smart Install-Client]
Network PnP – Components
PnP Agent
Automates Deployment Process
Runs on Cisco Switches and Routers
PnP Server
Manages Sites, Devices, Images,
Licenses
Central Server – APIC-EM
Provides north bound REST APIs
PnP Protocol
Open Schema
Runs between Agent and Server
PnP Helper App
Status/Troubleshooting checks
Deliver Boot Strap
Network PnP - Use Case: Branch Deployment
Pre Provision Site in APIC EM
•  Serial Number based match rule
•  Config and/or Image
•  Installer ID
Installer on site with PnP mobile application
•  Rack and Stack devices
•  Power-on
•  Start Deployment
•  Check Status and/or troubleshoot (optional)
Deliver bootstrap*
New devices contact PnP Server to get provisioned
PnP Server/Site Updates
IT Admin can remotely monitor status of install
PID        Serial #    Hostname     IP address
ISR-2951   FOX23zxcd   ISR-main     192.168.15.1
ISR-2951   FOX23zxcb   ISR-bakcup   192.168.15.2
C3650      FOC123dfg   Dist1        192.168.16.3
C2960-XR   FOC443asd   ACC-sw1      192.168.16.4
C2960X     FOC443asa   ACC-sw2      192.168.16.5
C3560C     FOC443asg   ACC-sw3      192.168.16.6
C3560C     FOC443asx   AC-sw4       192.168.16.7
[Figure labels: Step 1; Step 2; Step 3; Network Admin; Installer; APIC/PnP Server; Internet; HTTP Proxy]
Network PnP - Installer Application
Runs on iPad/iPhone, used by remote installer
-  Deliver bootstrap configuration
-  Status of PnP devices
-  Notes for installer
-  Register a device for a site
-  Troubleshooting device install
Not Deployed: not started or in progress
Deployed Devices: Completed install process
Installer gets details on a device as it is installed
•  Device details
•  Log of install events/msgs
App has detailed site install notes. Configured by Admin in ‘Site’ workflow
Network PnP – Server Discovery Options
1.  DHCP Options
DHCP server is configured with the IP address of the PnP server in Options 60 & 43, consistent with Cisco
LWAPP
2.  Domain Name
Uses the customer Domain Name returned by the DHCP server. The PnP Agent adds the pre-defined hostname
“pnpserver.localdomainname”, e.g. pnpserver.cisco.com
3.  Neighbor Assisted Provisioning (NAPP)
When there is no DHCP, a NAP server, which is one of the devices already up using PnP, acts as a proxy for
new devices
Image Install Service Workflow
•  PnP server sends image location based on the UDI of the device
•  PnP agent
✓  Checks if the path is valid
✓  Calculates disk space on the destination; if there is not enough, finds alternate disk space on the
device
✓  Downloads the image to the right destination where enough space is available
✓  Checks the integrity of the image
✓  Installs the image to all the applicable hardware (Standalone unit, HA unit, Stacked
unit)
✓  Notifies the server that image installation was successful
✓  Reloads the device
✓  If any error occurs during the image installation process, the agent aborts and
reports the error back to the server
Auto Configuration & Interface templates
AutoConf and Interface Templates
Current Challenges
•  Port-Based Only
•  Usability/Bloated Config
•  Inflexible
Next-Gen Auto Smartports
Simplified running-config
Parsed at definition time
Built-in templates
Config rollback
Precedence management
Integrated with session-aware networking
Lower TCO
Easy to Use and Intuitive
Interface Templates
Benefits Overview
-  Configuration file Readability and Manageability
-  Smaller Configuration files
-  Built-in Interface Templates for ease of use
-  All Interface Templates are Customizable
Advantages over Auto Smart Ports
✓  Templates updates immediately ripple to interfaces
✓  Per session or Per port templates
✓  No change to running-config
✓  Full rollback and precedence management
✓  Compatible with AutoConf
Switch# show template interface brief
Template-Name Source
------------------------ ---------
AP_INTERFACE_TEMPLATE Built-in
DMP_INTERFACE_TEMPLATE Built-in
IP_CAMERA_INTERFACE_TEMPLATE Built-in
IP_PHONE_INTERFACE_TEMPLATE Built-in
LAP_INTERFACE_TEMPLATE Built-in
MSP_CAMERA_INTERFACE_TEMPLATE Built-in
MSP_VC_INTERFACE_TEMPLATE Built-in
PRINTER_INTERFACE_TEMPLATE Built-in
ROUTER_INTERFACE_TEMPLATE Built-in
SWITCH_INTERFACE_TEMPLATE Built-in
TP_INTERFACE_TEMPLATE Built-in
11 Built-in Templates based on common end devices
AutoConf
Device Classification [CDP, LLDP, DHCP, MAC OUI]
Interface Templates [Built-In or User Defined]
•  Templates are the foundation for AutoConf
•  Templates can work without AutoConf
•  AutoConf requires templates
AutoConf: Use Case
Interface Templates
•  Activated on interfaces
•  Auto-conf the network device (one per port), e.g., switch or AP
•  Template impacts all the traffic via that interface
•  Stays ON as long as activated
Service Templates
•  Activated on network sessions
•  Template impacts only the control or data packets to the session
•  No impact on other sessions sharing port
•  Stays ON as long as the session exists
Interface-Template
switchport trunk encapsulation dot1q
switchport trunk allowed vlan ALL
switchport mode trunk
switchport nonegotiate
auto qos voip trust
mls qos trust cos
srr-queue bandwidth limit $LIMIT
Interface-Template
auto qos voip trust
switchport trunk encapsulation dot1q
switchport trunk allowed vlan ALL
switchport mode trunk
Service-Template
vlan 200
access-group corp
service-policy corp
Service-Template
vlan 100
access-group corp
inactivity 300
[Figure labels: Access Switch; Compact Switch; Phone; Access Point; P1, P2, P4; S1, S2, S3, S4]
AutoConf In Action
Dynamic Binding to Interface Gig1/0/2
2960X# show run interface gi1/0/2
Current configuration : 38 bytes
!
interface GigabitEthernet1/0/2
source template IP_PHONE_INTERFACE_TEMPLATE
End
2960X# show derived int gi1/0/2
Derived configuration : 616 bytes
!
interface GigabitEthernet1/0/2
switchport mode access
switchport block unicast
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security violation restrict
switchport port-security
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
end
2960X# show template interface binding all
Template-Name Source Method Interface
------------- ------ ------ ---------
IP_PHONE_INTERFACE_TEMPLATE Built-in dynamic Gi1/0/2
2960X# show template binding target gi1/0/2
Interface Templates
===================
Interface: Gi1/0/2
Method Source Template-Name
------ ------ -------------
dynamic Built-in IP_PHONE_INTERFACE_TEMPLATE
[Slide callouts: No change in run-config; Full Configuration displayed with derived command; What template is bound to interface?]
Wrap up
Catalyst 2960-X Series Access Switches
Next Generation Catalyst 2960 Access Switches
Most Deployed Switch Just Got Better
2x Doubling Everything
Stack units, bandwidth & more
Investment Protection
Stack with Existing 2960-S/SF
Application Visibility & Control
Layer 3 Routing
Greenest Switch Ever
Future-Proof
Scalable Smart
Intelligent & Green
Simple
Reduce TCO
Secure
One Policy

Cisco Catalyst 2960-X Series Switching Architecture

  • 1.
  • 2. Cisco Catalyst 2960-X Series Switching Architecture Sunil Kumar Guduru – Technical Marketing Engineer BRKARC-1009
  • 3. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public “ The goal of this session is to help you understand the platform, to solve your business needs beyond simple network connectivity” BRKARC-1009 3
  • 4. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public •  Understand Catalyst 2960 Series Portfolio •  What is inside Catalyst 2960-X •  High Availability with Stacking – FlexStack-Plus •  Secure Network from Access Layer •  Quality of Service Model •  Simplify Day to Day Operations Agenda BRKARC-1009 4
  • 5. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Catalyst 2960-S 10G/1G SFP+/SFP 40G FlexStack Full PoE, PoE+ IPv6 FHS Advanced Layer 2 STACKABLE Catalyst 2960-XR 2960-X Features plus: IP Lite – L3/Routing Redundant PSU Advanced Layer 2/3 STACKABLE + RESILIENT The New Catalyst 2960 Family Feature Leadership and Cisco Quality at Competitive Prices EASE-OF-USE ROBUST SECURITY ENHANCED LIFETIME WARRANTY ENERGY EFFICIENCY LOWER TCO Catalyst 2960 1G SFP/BASE-T Uplinks 802.3af PoE Layer 2 Stand-alone Catalyst 2960-Plus 1G SFP/BASE-T Uplinks 802.3af PoE Layer 2 Stand-alone Catalyst 2960-X 10G/1G SFP+/SFP 80G FlexStack+ Full PoE, PoE+ IPv6 FHS NetFlow Lite Advanced Layer 2 STACKABLE Catalyst 2960-SF 1G SFP Uplinks 40G FlexStack Full PoE, PoE+ IPv6 FHS Advanced Layer 2 STACKABLE F a s t E t h e r n e t G i g a b i t E t h e r n e t EOS Nov, 2015
  • 6. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public FlexStack+ 80Gbps stacking NetFlow Lite on all ports 4 or 8 queues per port EEE downlinks Redundant FRU PS option (2960-XR) Dual-Core CPU MACsec Ready 4 MB of Buffers Power Saving Switch Hibernation 2 x10G or 4 x 1G Signed IOS images Cisco Catalyst 2960-X & 2960-XR Mac based VLAN BRKARC-1009 6 CoPP
  • 7. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7BRKARC-1009 Cisco Catalyst 2960-X - Greenest Catalyst Switch http://miercom.com/pdf/reports/20131112.pdf
  • 8. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Catalyst 2960 GE model Comparison Capability 2960-S (LAN Base) 2960-X (LAN Base) 2960-XR (IP Lite) CPU Single Core @400MHz Dual Core @600MHz Dual Core @600MHz Stacking Technology FlexStack FlexStack-Plus FlexStack-Plus Stacking BW/ Members 40Gbps / 4 80Gbps / 8 80Gbps / 8 Power Supply Single Fixed Single Fixed Dual FRU Flash On board 64MB 128MB 128MB DRAM 128MB 512MB 512MB EEE downlinks No Yes Yes Switch Hibernation Mode No Yes Yes NetFlow-Lite No Yes Yes For Your Reference BRKARC-1009 8
  • 9. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Catalyst 2960 GE model Comparison Capability 2960-S (LAN Base) 2960-X (LAN Base) 2960-XR (IP Lite) Active VLANs 255 1k 1k STP Instances 128 128 128 Etherchannel Groups 6 24 48 Queues per port 4 4 / 8* (configurable) 4 / 8* (configurable) Ingress Policers 64 256 256 Egress Buffer 2MB 4MB 4MB SPAN sessions 2 4 4 NetFlow-Lite No Yes Yes For Your Reference *available in standalone mode only BRKARC-1009 9
  • 10. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2960-X Fan Less Model Silent Operation : co-locate with end users (WS-C2960X-24PSQ-L) First 8 ports PoE/PoE+ (110W PoE Budget) 4 uplink ports 2 * SFP + 2 * 1G BT LAN Base only Non-Stackable Front Vents Heat Sinks Top Vents BRKARC-1009 10
  • 11. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Redundant Inline Power with 2960-XR Field-replaceable Power Supplies for Resilient Switching & PoE Non-stop power in 1 RU Optional power redundancy with dual supplies Easy field replacement Of failed PSU or integrated fans Standby Mode PoE budget does not increase with second PS 3 F R U P S U o p t i o n s Non-PoE 370W PoE 740W PoE 250 W AC 640 W AC 1025 W AC BRKARC-1009 11
  • 12. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2960-X Power Redundancy – RPS 2300 •  Protection against device Power Supply Failure •  Seamless Failover < 600-µs •  Increases availability of data and PoE •  RPS 2300 can power up to two attached devices 22 Pin connector RPS 2300 C2960-X CAB-RPS2300-E= BRKARC-1009 12
  • 13. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Energy Efficient 2960-X & 2960-XR PID AC Power (W) 100% traffic AC Power (W) HW Sleep % Saving C2960X-48FP 66.7 26.0 61% C2960X-48LP 62.0 23.1 63% C2960X-24P 53.1 22.6 58% C2960X-48T 47.8 8.7 82% C2960X-24T 33.1 6.4 81% Switch Hibernation Mode Powers down components EnergyWise Switch and endpoint monitoring and control Energy Efficient Ethernet Reduced power draw on downlinks Efficient Power Supply less power usage - energy savings BRKARC-1009 13
  • 14. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Switch Hibernation Mode •  When the switch is not in use, Switch Hibernation Mode can be scheduled to save power. •  Power off CPU Cores , ASIC and Connected PoE devices. •  DRAM is in refresh mode, keeping data intact •  Power to most components is off except DRAM, FANs and MCU. •  Wake on Mode Button trigger •  Wake on Scheduled Real Time Clock alarm / Interrupt •  Mode Button trigger has precedence over all other wake on events. •  On wake up alarm, The CPU Cores are powered on and DRAM is put out of self refresh. BRKARC-1009 14
  • 15. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2960-X / 2960-XR Front Panel System Management Interfaces System LEDs 10/100 Out of Band Ethernet Management interface RJ45 Console Interface USB Console (type B) USB Flash (type A)Mode Button BRKARC-1009 15
  • 16. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Console Access •  C2960-X Supports USB (type B) console and traditional RJ45 console •  Each member can have 1 active media (RJ45 or USB) •  Stack member console automatically redirected to Master console •  Only active media will accept input •  Both Console media will echo output. •  USB console accepts input when both RJ45 & USB are connected •  RJ45 echo output only •  USB console timeout can be configured. “usb-inactivity-timeout” •  Prevents blocking of RJ45 media due to forgotten USB BRKARC-1009 16
  • 17. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Dynamic Routing with 2960-XR New IP Lite Feature Set Delivers basic Layer-3 Functionality LAN Lite LAN Base IP Lite IP Base IP Services Basic L2 Complete L2 Basic L3 Complete L3 + CA Advanced L3 + CA 2960-plus / 2960-SF 2960-X ✔ 2960-XR 3650 / 3850 BRKARC-1009 17
  • 18. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public IP Lite - Basic L3 features in Catalyst 2960 Series IP Base IP Lite Lan Base Lan Lite IP Lite L3 features •  RIPv1, RIPv2 •  OSPF Routed Access •  EIGRP Stub Routing (IPv4) •  Policy Based Routing •  Host Standby Router Protocol (HSRP) •  VRRP •  PIM Stub (SM, DM, SDM) •  IPv6 PIM (SM, SSM) IP Lite is subset of IP Base features BRKARC-1009 18
  • 19. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Service Element Enhanced Limited Lifetime Warranty Software Policy Duration of Coverage Unregistered access onlyOnline Support/ Web Access Next business day** Advance Hardware Replacement Lifetime for switches- As long as the original customer owns the product Limited Lifetime Warranty Lifetime for switches- As long as the original customer owns the product Unregistered access only 10 Business Days Lifetime for fans & power supplies for new and existing switches Lifetime for fans and power supplies for new and existing switches 2960X Series - Enhanced Lifetime Warranty ** Where next business day delivery is available, Cisco will use commercially reasonable efforts to ship a replacement for next business day delivery provided Cisco’s determination of the hardware failure has been made before 3 p.m. depot time. If a request is made after 3 p.m. depot time, Cisco will ship the advance replacement on the next business day. Actual delivery times may vary depending on Customer location. Business hours access for 90-days only Cisco Technical Assistance Center (TAC) Support Award Winning No Unlimited maintenance updates (LAN Lite, LAN Base, and IP Lite) BRKARC-1009 19
  • 20. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2960 FE model Comparison Capability 2960 (LAN Base) 2960-plus (LAN Base) 2960-SF (LAN Base) Stacking Technology Not Supported Not Supported FlexStack-Plus Stacking Bandwidth N/A N/A 40Gbps Max Stack members N/A N/A 4 PoE/ PoE+ PoE PoE PoE+ Max PoE 370W 370W 740W Flash On board 32MB 64MB 64MB DRAM 64MB 128MB 128MB Uplinks SFP/ 1000Base -T SFP/ 1000Base-T SFP IPv6 Forwarding No No Static Routing For Your Reference BRKARC-1009 20
  • 21. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public How to read the PID WS-C2960X-48FPD-L Switch Type Options: X = X series Port Type Options: F = Full Inline Power (740W) L = Partial Inline Power (370W) P = Inline Power Model T = Non-Inline Power model L = LAN Base LL = LAN Lite Number of Downlink ports D = 10Gig SFP+ uplink S = 1Gig SFP uplink Q = Quad / Four uplinks BRKARC-1009 21
  • 22. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public •  Understand Catalyst 2960 Series Portfolio •  What is inside Catalyst 2960-X •  ASIC Architecture •  Packet Walk •  High Availability with Stacking – FlexStack-Plus •  Secure Network from Access Layer •  Quality of Service from Access Layer •  Simplify Day to Day Operations Agenda BRKARC-1009 22
  • 23. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 23BRKARC-1009 Many options to choose - What to look for? •  How many switching ASICs are present? Check for per port resources •  How are the ASICs interconnected in standalone mode? Check for bottle necks •  How are the ASICs interconnected when stacked? •  Ease of stacking and stack convergence time •  Cross stack features and their functionality •  How are the port buffers shared? •  How are the TCAM resources shared among different features. •  How Multicast replication works Architecture Check List
  • 24. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Slice 1 Data Path1 Slice 1 Data Path2 Shared Fwd Ctlr Stack portsOctal Phy Octal Phy Octal Phy 2960-X Architecture Slice 2 Data Path1 Slice 2 Data Path2 Shared Fwd Ctlr Universal Packet Buffer (UPB) 4MB 2 * 10G SFP+/ 4 * 1G SFP Octal Phy Octal Phy Octal Phy Forwarding ASIC PoE 24 Ports PoE 24 Ports EDC Phy BRKARC-1009 24
  • 25. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public How to check ASIC to port mapping BRKARC-1009 25
  • 26. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Within the ASIC – Single Data Path MAC Port 1 MAC Port 2 MAC Port 4 MAC Port 3 MAC Port 24 TXT Queues Forwarding Controller RCV FIFO TXT FIFO To CPU MAC Port 5 TCAM SRAM Ingress Path Egress Path Universal Packet Buffer (UPB) (Shared for all 4 Data paths) BRKARC-1009 26
  • 27. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public Switch Database Management (SDM) Templates •  Flexibility to configure system resources •  Optimize system resources for various deployments – Switching, Routing SDM Template Default VLAN IPv4 L2 - MAC 16K 32K 16K L3 - Routes 5.25K 0.5K 24K Multicast (v4/v6) 1K / 1K 1K / 1K 1K / 0 QoS ACE (v4/v6) 500 / 250 500 / 500 500 / 0 Security ACE (v4/v6) 1K / 500 1K / 500 875 / 60 2960-XR SDM templates BRKARC-1009 27
  • 28. Packet walk - Ingress (on the way in) [single data path diagram]
      Step 1: Packets entering the switch are received by the Receive FIFO after VLAN de-capsulation.
  • 29. Packet walk - Ingress (on the way in) [single data path diagram]
      Step 2: The whole packet is sent to the UPB. A copy of the first 200 bytes is sent to the Forwarding Controller for processing (forwarding, ACL, QoS lookups).
  • 30. Packet walk - Ingress (on the way in) [single data path diagram]
      Step 3: The Search Engine in the Forwarding Controller does a learning lookup in TCAM and receives the index.
      Step 4: The Forwarding Controller queries the SRAM with the index to get the L2 address table info for learning.
  • 31. Packet walk - Ingress (on the way in) [single data path diagram]
      Step 5: The Search Engine in the Forwarding Controller does the QoS and ACL lookup in TCAM. Index returned.
      Step 6: The Forwarding Controller queries the SRAM for the respective ingress ACL and QoS response.
  • 32. Packet walk - Ingress (on the way in) [single data path diagram]
      Steps 7 and 8: Lookup to the policer (how much policing to do?). Policing information returned.
  • 33. Packet walk - Ingress (on the way in) [single data path diagram]
      Steps 9 and 10: Lookup to the NetFlow record, index returned. Update the NetFlow result table entry pointed to by the index.
  • 34. Packet walk - Ingress (on the way in) [single data path diagram]
      Step 11: The Search Engine in the Forwarding Controller does the L2/L3 forwarding lookup in TCAM. Index returned.
      Step 12: The Forwarding Controller sends the index to the SRAM for destination details. Destination information returned.
  • 35. Packet walk - Ingress (on the way in) [single data path diagram; Native Packet + Descriptor]
      Step 13: A descriptor with the lookup results is appended to the original packet and stored in the UPB.
  • 36. Within the ASIC – Single Data Path [single data path diagram, Egress Path]
  • 37. Packet walk - Egress (on the way out) [single data path diagram; Native Packet + Descriptor]
      Steps 1 and 2: A pointer to the frame is placed on the targeted Transmit Queue. Frame data from the UPB is transferred to the Transmit FIFO.
  • 38. Packet walk - Egress (on the way out) [single data path diagram]
      Step 3: The packet egresses and is stored in the Transmit FIFO for egress processing.
  • 39. Packet walk - Egress (on the way out) [single data path diagram]
      Step 4: The first 200 bytes and the descriptor are sent to the Forwarding Controller for egress processing.
  • 40. Packet walk - Egress (on the way out) [single data path diagram]
      Step 5: The Search Engine in the Forwarding Controller sends the destination lookup to TCAM. Index returned.
      Step 6: The Forwarding Controller uses the index to get the L2/L3 forwarding info.
  • 41. Packet walk - Egress (on the way out) [single data path diagram]
      Step 7: The packet header is prepared in the Forwarding Controller.
      Step 8: The Forwarding Controller sends the header info to the TXT FIFO, where the final packet is assembled.
  • 42. Packet walk - Egress (on the way out) [single data path diagram]
      Step 9: The final packet is sent to the egress port.
  • 43. Agenda
      •  Understand Catalyst 2960 Series Portfolio
      •  What is inside Catalyst 2960-X
      •  High Availability with Stacking
      •  FlexStack-Plus Architecture
      •  FlexStack-Plus Packet flow examples
      •  Secure Network from Access Layer
      •  Quality of Service from Access Layer
      •  Simplify Day to Day Operations
  • 44. FlexStack-Plus Stack Module – 2960X/2960XR
      •  FlexStack-Plus module provides an option for stacking
      •  FlexStack-Plus modules are hot swappable – Plug & Play
      •  Powered using the switch-based power supply
      •  Stack bandwidth of 80Gbps bi-directional traffic
      •  FlexStack-Plus supports stacking up to 8 members
      •  FlexStack-Plus technology is backward compatible with FlexStack
      •  FlexStack-Plus and FlexStack modules are not interchangeable
  • 45. Why FlexStack or FlexStack-Plus?
      •  Manages all the switches as a single virtual switch
      •  Allows access to all switches with a single IP address
      •  Automatic Master selection & backup 1:N redundancy
      •  Automatic IOS versioning and Update!
      •  Automatic configuration of new members
      •  Automatic unit replacement (configuration of old switch retained)
      •  Stateful switchover in case of master failures
      •  Sub-millisecond Master failover
      •  Smart Multicast – Local replication of multicast packets
      •  Cross-stack features (EtherChannel and QoS)
  • 46. Stack Master Election Criteria
      •  The stack (or switch) whose master has the higher user-configurable mastership priority, 1–15
           Switch(config)# switch 3 priority 15
      •  The stack (or switch) whose master is not using the default configuration
      •  The stack (or switch) whose master has the longest uptime
      •  The switch or stack whose master has the lowest MAC address
  • 47. FlexStack-Plus Architecture Overview
      •  Both stack links are active and forwarding
      •  Not a ring architecture – hop by hop
      •  Local switching support
      •  Packet path determined using “SPF”
      •  Destination stripping
      •  No load balancing on stack ports
      •  All members see flooded packets once
      •  Passive link prevents broadcast storms
      •  38-byte stack header – contains the ingress member
  • 48. C2960-X FlexStack-Plus Packet Flow, Unicast [Diagram: Members 1 to 4]
      Unicast packet ingresses member 1, egressing member 2.
      •  Takes the shortest path
      •  Whole packet is transmitted
      •  No load balancing on stack ports
      •  Destination stripping
  • 49. C2960-X FlexStack-Plus Packet Flow, Unicast [Diagram: Members 1 to 4, Stack Port 1, Stack Port 2]
      Unicast packet ingresses member 1, egressing member 3.
      •  Packet traverses hop by hop
      •  Ingress look-ups ignored if received on a stack port
      •  Egress look-ups ignored if sent out of a stack port
      •  Shortest path conflict – use Stack Port 1
  • 50. C2960-X FlexStack-Plus Packet Flow, BCAST [Diagram: Members 1 to 4]
      •  Bcast packet ingresses member 1
      •  BCAST packet egresses on all interfaces forwarding on that VLAN for all members
      •  Passive link prevents forwarding of the packet between members 3 & 4
  • 51. C2960-X FlexStack-Plus 4 Member Stack Link Neighbor Table [Diagram: members 1 to 4 with stack ports 1 and 2]
      Stage 1: Stack Neighbor Discovery
      Stage 2: Topology Discovery
        C2960X#show switch neighbors
          Switch #    Port 1       Port 2
          --------    ------       ------
              1         2             4
              2         3             1
              3         4             2
              4         1             3
  • 52. C2960-X Drop Table “Passive Link”
      •  Members have the complete stack topology
      •  Each member builds the drop table to prevent loops in the stack topology
      [Grid: ingress stack ports 1-1, 1-2, 2-1, 2-2, 3-1, 3-2, 4-1, 4-2 against members 1 to 4, one BLK entry per stack port]
        C2960X#show platform dtm drop-table
        Stack Port 1 Drop Tables:
        Node ID    BLOCK/FORWARD
        1          FORWARD
        2          FORWARD
        3          FORWARD
        4          BLOCK
        Stack Port 2 Drop Tables:
        Node ID    BLOCK/FORWARD
        1          FORWARD
        2          FORWARD
        3          BLOCK
        4          FORWARD
  • 53. C2960-X Passive Link Example: BCAST [Diagram: members 1 to 4 with stack ports 1 and 2]
      •  Use the drop table to determine the stack passive link
      •  Passive link is different for each member
      [Grid: ingress stack ports 1-1, 1-2, 2-1, 2-2, 3-1, 3-2, 4-1, 4-2 against members 1 to 4, one BLK entry per stack port]
  • 54. C2960-X FlexStack-Plus Fast Convergence [Diagram: members 1 to 4 with stack ports 1 and 2]
      •  Even if one stack link is down, all stack interfaces forward to all members
      •  The data path converges in less than 100ms
      •  Control plane convergence is done by software and takes 1-2 secs
        C2960-X # show platform dtm drop-table
        Stack Port 1 Drop Tables:
        Node ID    BLOCK/FORWARD
        1          FORWARD
        2          FORWARD
        3          FORWARD
        4          FORWARD
        Stack Port 2 Drop Tables:
        Node ID    BLOCK/FORWARD
        1          FORWARD
        2          FORWARD
        3          FORWARD
        4          FORWARD
  • 55. C2960-X Drop Table - 2 Member stack [Diagram: members 1 and 2 with stack ports 1 and 2]
      •  2 member stack – special case
      •  Stack port 1 on both members forwards data packets
      •  Effective stack bandwidth decreases to 40Gbps
      •  Stack port 2 unused except for FlexStack protocol packets
      Member 1 drop table:
        C2960X# show platform dtm drop-table
        Stack Port 1 Drop Tables:
        Node ID    BLOCK/FORWARD
        1          FORWARD
        2          BLOCK
        Stack Port 2 Drop Tables:
        Node ID    BLOCK/FORWARD
        1          FORWARD
        2          BLOCK
  • 56. Mix Stack - Stacking 2960-S & 2960-X [Diagram: 2960-S/SF LAN Base, 2960-X LAN Base, 2960-XR IP Lite]
      •  Reduce the stack speed on 2960-X
           Switch(config)#switch stack port-speed 10
      •  Same SDM template on all switches
      •  Capabilities & features limited to 2960-S
      •  2960-S or 2960-X can be master
  • 57. Agenda
      •  Understand Catalyst 2960 Series Portfolio
      •  What is inside Catalyst 2960-X
      •  High Availability with Stacking – FlexStack-Plus
      •  Secure Network from Access Layer
      •  Catalyst Integrated Security Features
      •  Netflow-Lite
      •  Quality of Service from Access Layer
      •  Simplify Day to Day Operations
  • 58. Cisco 2960-X Series Control Plane Policing
      Hardware CoPP - protects the CPU from DoS attacks
      IOS 15.2(4) LAN Base, IP Lite
        mls qos copp protocol cdp police pps 3434
        mls qos copp protocol lldp police bps 908900
  • 59. Cisco 2960-X Series support PVLAN
      PVLAN provides L2 isolation between ports within the same private VLAN
      IOS 15.2(4) LAN Base, IP Lite
      [Diagram: Isolated Ports]
  • 60. Catalyst Integrated Security Features
      [Graphic: “No You’re Not!” over the layers IP Source Guard, Dynamic ARP Inspection, DHCP Snooping, Port Security]
        Attack                                                 Catalyst Feature
        MAC Address Flooding                                   Port Security
        DHCP Rogue Server for Default Gateway Interception     DHCP Snooping
        ARP Spoofing or ARP Poisoning                          Dynamic ARP Inspection
        IP Spoofing or MAC Spoofing                            IP Source Guard
  • 61. Port Security (Catalyst Integrated Security)
      Problem: “Script Kiddie” hacking tools enable attackers to flood switch CAM tables with bogus MACs, turning the VLAN into a “hub” and eliminating privacy.
      [Diagram: Campus LAN, 132,000 Bogus MACs]
      Solution: Catalyst Security Toolkit recognizes the MAC flooding attack, locks down the port and sends an SNMP trap.
      [Diagram: Campus LAN, Only One MAC Address Allowed on the Port: Shutdown if Exceeds]
  • 62. DHCP Snooping (Catalyst Integrated Security)
      Problem: Rogue DHCP servers are often used in man-in-the-middle or denial of service attacks for malicious purposes.
      [Diagram: DHCP Server; Protected Resources; Rogue DHCP Server IP: 10.1.1.1; DHCP DISCOVER; DHCPOFFER DG: 10.1.1.1; DHCPREQ; DHCPACK IP: 10.1.1.2 DG: 10.1.1.1; DATA; Attacker Gains Visibility]
      Solution: The DHCP snooping feature filters messages and rate limits rogue DHCP traffic from untrusted sources, and builds the DHCP binding table.
        ip dhcp snooping
      [Diagram: DHCP Server on TRUSTED PORT; Rogue DHCP Server 10.1.1.1 and clients on UNTRUSTED PORTs; DHCP DISCOVER; OFFER/ACK/NACK; Protected Resources]
  • 63. DHCP Snooping (Catalyst Integrated Security)
        Switch#show ip dhcp snooping binding
        MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
        ------------------  ---------------  ----------  -------------  ----  --------------------
        00:0C:29:3D:75:B2   172.20.100.1     370008      dhcp-snooping  100   GigabitEthernet1/1
      •  Table is built by “snooping” the DHCP reply to the client
      •  Entries stay in the table until the DHCP lease time expires
      [Diagram: DHCP Server on TRUSTED PORT; Rogue DHCP Server 10.1.1.1 and clients on UNTRUSTED PORTs; DHCP DISCOVER; OFFER/ACK/NACK; Protected Resources; ip dhcp snooping]
  • 64. DHCP snooping Binding Database
      •  Database can have up to 8K bindings
      •  Data is stored in the switch memory
      •  The DHCP snooping database agent prevents losing the bindings when the switch reloads
      •  The database agent stores the bindings in a file at a configured location
      •  At the time of reload, the switch reads the binding file to build the DHCP snooping binding database
      •  Needs to keep in sync with the DHCP server database by dumping to TFTP (default every 300 seconds). No secure version available!
  • 65. CISF: Dynamic ARP Inspection (DAI) (Catalyst Integrated Security)
      Problem: Attackers can poison the ARP cache on the destination devices and engineer the network traffic to gain visibility into it.
      [Diagram: Campus LAN; IP: 10.1.1.1 MAC: 0002.0001.1111; IP: 10.1.1.2 MAC: 0001.0002.00BB DG: 10.1.1.1; IP: 10.1.1.3 MAC: 0001:0002:00AA; ARP 10.1.1.1/0001.0002.00AA; ARP Cache 10.1.1.1 = 0001.0002.00AA; ARP Cache 10.1.1.2 = 0001.0002.00AA; DATA; Attacker Gains Visibility]
      Solution: Dynamic ARP inspection (DAI) prevents ARP attacks by intercepting all ARP requests and responses at the access layer.
        ip dhcp snooping
        ip arp inspection
      [Diagram: Campus LAN; same three hosts; ARP Cache 10.1.1.1 = 0001.0002.1111; ARP Cache 10.1.1.2 = 0001.0002.00BB; DHCP Snooping Table 10.1.1.2 = 0001.0002.00BB]
  • 66. Dynamic ARP Inspection (DAI)
      •  Basic idea is to intercept and validate ARP requests and responses for correct IP <-> MAC binding before relaying the ARP packets to other ports in the same subnet
      •  Verifies sanity of ARP requests
      •  Logs and discards ARP packets with an invalid IP to MAC address binding
      •  A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP Snooping
      •  Can also use ARP ACLs to deny and optionally log all invalid IP/MAC binding attempts for non-DHCP assigned IP addresses (static addresses)
      •  Prevents man-in-the-middle attacks
      •  Supported in LAN Base image & disabled by default
      •  Supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports
  • 67. Rate Limiting of ARP Packets
      •  By default the number of incoming ARP packets is rate-limited
      •  The rate for untrusted interfaces is 15 packets per second
      •  Change this setting by using the ip arp inspection limit interface configuration command
      •  If the rate of incoming ARP packets exceeds the configured limit, the port is placed in the “error-disabled” state
      •  A log entry and a system message are generated when the switch drops a packet
      •  Each log entry contains flow information, such as the receive VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses
  • 68. IP Source Guard (Catalyst Integrated Security)
      Problem: Illegitimate hosts can spoof IP addresses and MAC addresses of authorized hosts and gain illegal access into the network.
      [Diagram: Campus LAN; IP: 10.1.1.1 MAC: 0002.0001.1111; IP: 10.1.1.2 MAC: 0001.0002.00BB; IP: 10.1.1.3 MAC: 0001:0002:00AA; Gi1/1 Spoofed IP]
      Solution: IPSG automatically configures a port ACL for the IP address and adds a MAC address to port security based on the DHCP snooping binding table. Rogue traffic is blocked.
        ip dhcp snooping
        ip arp inspection
        (if) ip verify source
      [Diagram: Campus LAN; same three hosts; Gi1/1, Gi1/2; DHCP Snooping Table 10.1.1.2 = 0001.0002.00BB]
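The decision logic described on the DHCP snooping, DAI, ARP rate-limiting and IP Source Guard slides, as an added Python model (not from the slides and not Cisco code). The class and function names and the uplink port Gi1/24 are assumptions; the host addresses are the ones drawn on the slides, and the model is a simplification of what the switch does in hardware.

```python
from dataclasses import dataclass, field


def norm_mac(mac):
    """Reduce 0001.0002.00BB or 00:0C:29:3D:75:B2 notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac if c not in ".:-").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class AccessSwitchModel:
    """Hypothetical model: snooping binding table feeding DAI and IPSG checks."""
    trusted_ports: set                              # uplinks / DHCP server ports
    arp_limit_pps: int = 15                         # slide default for untrusted ports
    bindings: dict = field(default_factory=dict)    # (vlan, ip) -> (mac, port, expiry)
    arp_acl: dict = field(default_factory=dict)     # (vlan, ip) -> mac for static hosts
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)
    arp_window: dict = field(default_factory=dict)  # port -> [second, packets seen]

    def snoop_dhcp_ack(self, now, ingress_port, vlan, client_mac, client_ip,
                       lease_sec, client_port):
        """DHCP snooping: learn a binding only from a reply seen on a trusted port."""
        if ingress_port not in self.trusted_ports:
            self.log.append(("dhcp-reply-dropped", ingress_port, client_ip))
            return False
        self.bindings[(vlan, client_ip)] = (norm_mac(client_mac), client_port,
                                            now + lease_sec)
        return True

    def _live_binding(self, now, vlan, ip):
        entry = self.bindings.get((vlan, ip))
        if entry and entry[2] <= now:               # lease expired: entry ages out
            del self.bindings[(vlan, ip)]
            return None
        return entry

    def inspect_arp(self, now, port, vlan, sender_mac, sender_ip):
        """DAI verdict for one ARP packet: 'forward', 'drop' or 'err-disabled'."""
        if port in self.err_disabled:
            return "err-disabled"
        if port in self.trusted_ports:
            return "forward"
        window = self.arp_window.setdefault(port, [int(now), 0])
        if window[0] != int(now):                   # new one-second window
            window[0], window[1] = int(now), 0
        window[1] += 1
        if window[1] > self.arp_limit_pps:
            self.err_disabled.add(port)
            self.log.append(("arp-rate-exceeded", port, vlan))
            return "err-disabled"
        mac = norm_mac(sender_mac)
        entry = self._live_binding(now, vlan, sender_ip)
        if (entry and entry[0] == mac) or self.arp_acl.get((vlan, sender_ip)) == mac:
            return "forward"
        self.log.append(("arp-invalid-binding", port, vlan, sender_ip, mac))
        return "drop"

    def source_guard(self, now, port, vlan, src_mac, src_ip):
        """IPSG-style check: IP and MAC must match the binding learned on this port."""
        if port in self.trusted_ports:
            return True
        entry = self._live_binding(now, vlan, src_ip)
        return bool(entry) and entry[0] == norm_mac(src_mac) and entry[1] == port


def demo():
    """Constructed scenario reusing the addresses shown on the DAI and IPSG slides."""
    sw = AccessSwitchModel(trusted_ports={"Gi1/24"})    # Gi1/24: constructed uplink
    host, other = "0001.0002.00BB", "0001:0002:00AA"
    r = {}
    r["ack_trusted"] = sw.snoop_dhcp_ack(0, "Gi1/24", 10, host, "10.1.1.2", 3600, "Gi1/2")
    r["ack_rogue"] = sw.snoop_dhcp_ack(0, "Gi1/1", 10, host, "10.1.1.9", 3600, "Gi1/2")
    r["arp_host"] = sw.inspect_arp(1.0, "Gi1/2", 10, host, "10.1.1.2")
    # ARP tying the gateway IP 10.1.1.1 to the Gi1/1 host's MAC has no binding.
    r["arp_spoof"] = sw.inspect_arp(1.5, "Gi1/1", 10, other, "10.1.1.1")
    r["ipsg_host"] = sw.source_guard(1.0, "Gi1/2", 10, host, "10.1.1.2")
    r["ipsg_spoof"] = sw.source_guard(1.0, "Gi1/1", 10, other, "10.1.1.2")
    # 16 ARP packets within one second exceed the 15 pps limit on the 16th.
    burst = [sw.inspect_arp(2.0 + i / 100, "Gi1/1", 10, other, "10.1.1.1")
             for i in range(16)]
    r["burst_drops"], r["burst_last"] = burst.count("drop"), burst[-1]
    r["after_lease"] = sw.inspect_arp(5000, "Gi1/2", 10, host, "10.1.1.2")
    r["err_disabled"] = sorted(sw.err_disabled)
    return r


if __name__ == "__main__":
    print(demo())
```

The last result shows why the binding database has to survive reloads and lease renewals: once the entry for 10.1.1.2 ages out, the legitimate host's ARP is dropped as well.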
  • 69. Auto Secure (Catalyst Integrated Security)
      •  1 line – ‘auto security’ applies 3 simple security features
           •  DHCP Snooping
           •  Dynamic ARP Inspection
           •  Port Security
      •  Global config enables it on all ports as well
      •  Based on port mode – access OR trunk – it applies host config or uplink config
  • 70. Auto Secure – Actual Config & show Commands (2K-X 15.2(2)E)
        auto security
        !
        interface GigabitEthernet3/3
         description Connected to wired PC
         switchport access vlan 11
         switchport mode access
         auto security-port host
        !
        interface TenGigabitEthernet1/1
         description Trunk Port
         switchport mode trunk
         auto security-port uplink

        Switch#sh auto security configuration
        %AutoSecure provides a single CLI config 'auto secure'
        to enable Base-line security Features like
        DHCP snooping, ARP inspection and Port-Security
        Auto Secure CLIs applied globally:
        ---------------------------------
        ip dhcp snooping
        ip dhcp snooping vlan 2-1005
        no ip dhcp snooping information option
        ip arp inspection vlan 2-1005
        ip arp inspection validate src-mac dst-mac ip
        Auto Secure CLIs applied on Access Port:
        ----------------------------------------
        switchport port-security maximum 2
        switchport port-security maximum 1 vlan access
        switchport port-security maximum 1 vlan voice
        switchport port-security violation restrict
        switchport port-security aging time 2
        switchport port-security aging type inactivity
        switchport port-security
        ip arp inspection limit rate 100
        ip dhcp snooping limit rate 100
        Auto Secure CLIs applied on Trunk Port:
        --------------------------------------
        ip dhcp snooping trust
        ip arp inspection trust
        switchport port-security maximum 100
        switchport port-security violation restrict
        switchport port-security

        Switch#sh auto security
        Auto Secure is Enabled globally
        AutoSecure is Enabled on below interface(s):
        --------------------------------------------
        TenGigabitEthernet1/1
        GigabitEthernet3/1
        GigabitEthernet3/3
        GigabitEthernet3/4
        GigabitEthernet3/5
        GigabitEthernet3/6
        Switch#
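An added example (not from the slides, not a Cisco tool): a Python audit that compares an expanded running configuration against the baseline lines that `sh auto security configuration` lists above, and flags host ports that carry trunk-style trust. The sample configuration, the function names and the choice of which baseline lines to enforce are assumptions made for this sketch.

```python
import re

# Baseline drawn from the "Auto Secure CLIs applied ..." output on the slide.
# Keys are report labels; values are regexes matched against whole config lines.
GLOBAL_BASELINE = {
    "ip dhcp snooping": r"ip dhcp snooping",
    "ip dhcp snooping vlan <range>": r"ip dhcp snooping vlan \S+",
    "ip arp inspection vlan <range>": r"ip arp inspection vlan \S+",
    "ip arp inspection validate src-mac dst-mac ip":
        r"ip arp inspection validate src-mac dst-mac ip",
}
ACCESS_BASELINE = {
    "switchport port-security": r"switchport port-security",
    "switchport port-security violation restrict":
        r"switchport port-security violation restrict",
    "ip arp inspection limit rate <pps>": r"ip arp inspection limit rate \d+",
    "ip dhcp snooping limit rate <pps>": r"ip dhcp snooping limit rate \d+",
}
TRUNK_BASELINE = {
    "ip dhcp snooping trust": r"ip dhcp snooping trust",
    "ip arp inspection trust": r"ip arp inspection trust",
}
ACCESS_MAC_LIMIT = 2    # "switchport port-security maximum 2" on access ports

# Constructed sample: Gi3/3 meets the baseline, Gi3/4 and Te1/1 do not.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
!
interface GigabitEthernet3/3
 description Connected to wired PC
 switchport access vlan 11
 switchport mode access
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet3/4
 switchport mode access
 switchport port-security maximum 4096
 switchport port-security
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/1
 description Trunk Port
 switchport mode trunk
 ip dhcp snooping trust
!
"""


def parse_config(text):
    """Split IOS-style text into global lines and {interface name: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif not raw[0].isspace() and line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def missing(lines, baseline):
    return [f"missing: {label}" for label, rx in baseline.items()
            if not any(re.fullmatch(rx, line) for line in lines)]


def audit(text):
    """Return {scope: [findings]}; an empty list means that scope meets the baseline."""
    global_lines, interfaces = parse_config(text)
    report = {"global": missing(global_lines, GLOBAL_BASELINE)}
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            report[name] = missing(lines, TRUNK_BASELINE)
        elif "switchport mode access" in lines:
            found = missing(lines, ACCESS_BASELINE)
            # Trust on a host port lets DHCP replies and ARP bypass inspection.
            found += [f"trust on host port: {line}" for line in lines
                      if any(re.fullmatch(rx, line) for rx in TRUNK_BASELINE.values())]
            for line in lines:
                m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
                if m and int(m.group(1)) > ACCESS_MAC_LIMIT:
                    found.append(f"MAC limit {m.group(1)} exceeds {ACCESS_MAC_LIMIT}")
            report[name] = found
        else:
            report[name] = ["switchport mode not set; cannot classify port"]
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_CONFIG).items():
        print(scope, findings or "OK")
```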
  • 71. Deployment Hurdles with 802.1X. The Challenge: Typical Deployment Scenario
      •  Implement identity-based access control; deploy access control
      •  Failed access due to non-802.1X client, supplicant variation etc.
      •  User contacts help desk for assistance
      •  Troubleshooting the problem results in loss of productivity
      [Diagram: 802.1x FAILURE, MAC Address 00:18:F8:46:53:D7; DENIED; Authorized Access; HELP DESK; CORPORATE RESOURCES; User Downtime; Productivity Loss]
  • 72. Zero Downtime When Implementing 802.1X with Monitor Mode. The Solution: Deployment Scenario, Cisco Access Switch (2K-X 15.0(2)EX)
      •  Implement in Monitor Mode; deploy access control
      •  Discovery: allows connection regardless of device types
      •  Correct: view failed reports on ACS or ISE; troubleshoot and resolve issues; ensure future authorization
      •  Add Authorization: block unauthorized access; add policy for restricted resources
      [Diagram: 802.1x FAILURE, MAC Address 00:18:F8:46:53:D7; 802.1x CONNECTED, MAC Address 00:18:F8:46:60:D7; ALLOW; ISE; REPORT ANALYSIS; ALLOWED POLICY; Authorized Access; CORPORATE RESOURCES]
  • 73. 802.1X Is Not Just a Check Box: Cisco Simplifies 802.1X Deployments
      Deployment hurdle: How do you support non-802.1X clients and guest users/devices?
        •  Guest VLAN
        •  MAC Authentication Bypass, Web Authentication
        •  Monitor Mode
      Deployment hurdle: How do you handle failed access?
        •  Failed Authentication VLAN
        •  Monitor Mode
      Deployment hurdle: How do you support multiple users or devices on the same port?
        •  Multi-domain Authentication
        •  Multi-Authentication
        •  MAC based VLAN assignment
      Deployment hurdle: How do you support various kinds of devices with different authentication mechanisms?
        •  Flexible Authentication via automated 802.1X, MAB, Web Auth
        •  Different supplicant types for different client operating systems
        •  Wake On LAN
        •  IOS Sensor
      Deployment hurdle: How do you handle devices moving in your network?
        •  MAC Move/Replace
      Deployment hurdle: How do you handle device proliferation?
        •  IOS Sensor
        •  Monitor Mode
      Cisco has many features to enhance 802.1x and make identity networking truly deployable, not just a check-box.
  • 74. Multi-Auth - MAC based VLAN Assignment
      Deployment cases:
        •  LAN extension beyond wiring closet
        •  Differentiated host access
        •  Segmentation of virtual machines
      If PC, then data VLAN 5. If IP Phone, then voice VLAN 200. If Telepresence, then video VLAN 100.
        Device          MAC               VLAN
        PC              0011-5678-1111    5
        IP Phone        0022-5678-2222    200
        Telepresence    0033-5678-3333    100
      [Diagram: 2960-X Access Switch, Access VLAN 10; Ethernet Hub; Campus Network; AAA Server; ADC, DHCP, DNS]
  • 75. Probably Time to Think About IPv6 in Your Network (IPv6 First Hop Security)
      Your host: dual stack with IPv6 enabled by default
        •  IPv4 is protected by your favorite personal firewall...
        •  IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
      Your network:
        •  Does not run IPv6
      Your assumption:
        •  I’m safe
      Reality:
        •  You are not safe
        •  Attacker sends Router Advertisements
        •  Your host configures silently to IPv6
        •  You are now under IPv6 attack
  • 76. First Hop Security: RA Guard (IPv6 First Hop Security)
      •  Identify “Trusted” ports – where the router will reside
      •  Only allow Router Advertisements from that port
      Protection against DoS attacks:
        •  On address configuration
        •  On Duplicate Address Detection
        •  Flooding attacks
      [Diagram: HOST device-role and ROUTER device-role ports; RA]
  • 77. IPv6 FHS – DHCPv6 Guard
      Prevents rogue DHCP responses from misleading the client.
      [Diagram: Hosts; L2/link Infrastructure; Internet; Provisioning Infrastructure: Configuration Server, DHCP Server, Time Server, Certificate Server]
  • 78. IPv6 FHS – Binding Integrity Guard
      Creates and maintains a v6 binding table to ensure rogue users cannot spoof or steal addresses.
      [Diagram: vlan 100; SWITCH; INTRUDER; HOST; ROUTER + DHCP server; PEER]
  • 79. SXP
  • 80. SGT/SGACL
  • 81. SXP: IP-to-SGT Binding Info Exchange using SXP
      If the switch supports SXP, the switch can send the IP-to-SGT binding table to an SGT-capable device (e.g. Catalyst 3850 / Nexus 7000).
      Locally learned bindings (Speaker):
        IP Address      SGT    Source
        10.1.10.102     5      LOCAL
        10.1.10.110     14     LOCAL
        10.1.99.100     12     LOCAL
      Statically configured bindings:
        IP Address      SGT    Source
        10.1.100.10     4      CLI
        10.1.200.10     8      CLI
        10.1.200.100    10     CLI
        10.1.200.200    9      CLI
      [Diagram: Users, Endpoints (802.1X, MAB, LWA, Agent-less Device): Doctor (SGT 7), IT Admin (SGT 5); VLAN100, VLAN200; Catalyst 2960-X LanBase and Catalyst 2960-XR as SXP Speakers; Catalyst 3850 and Nexus 7000 Distribution as Listeners; Campus Network; Untagged Frame, Tagged Frame SGT=7; SGT Enforcement; ISE 1.1; Active Directory; Public Portal (SGT 8) 10.1.200.10; Internal Portal (SGT 9) 10.1.200.200; Patient Record DB (SGT 10) 10.1.200.100; IT Portal (SGT 4) 10.1.100.10]
  • 82. SGT Tagging
      When an SGT-capable device receives a packet, it looks up the SGT value in the table and inserts the SGT tag into the frame when it exits the egress port.
      IP-to-SGT Binding Table:
        IP Address      SGT    Source
        10.1.10.102     5      SXP
        10.1.10.110     14     SXP
        10.1.99.100     12     SXP
      [Diagram: Users, Endpoints (802.1X, MAB, LWA, Agent-less Device): Doctor (SGT 7), IT Admin (SGT 5); VLAN100, VLAN200; Catalyst 2960-X; Catalyst 2960-XR; Catalyst 3750-X; Nexus 7000 Distribution; Campus Network; Untagged Frame SRC=10.1.10.102; Tagged Frame SGT=5; SGT=7; SGT Enforcement; ISE 1.1; Active Directory; Public Portal (SGT 8) 10.1.200.10; Internal Portal (SGT 9) 10.1.200.200; Patient Record DB (SGT 10) 10.1.200.100; IT Portal (SGT 4) 10.1.100.10]
  • 83. NetFlow Lite
  • 84. NetFlow Lite with 2960-X & -XR
      •  Built-in sampled NetFlow
      •  Flexible NetFlow export: configurable key fields including L2, L3, L4
      •  ASIC-based capture: at line-rate with minimal CPU impact
      •  Covers all ports: North-South and East-West traffic
      •  Detect anomalies
      •  Identify top users and applications
      Catalyst 2960-X NetFlow Lite:
        •  v9 Export
        •  16K flows
        •  Sampled: Random, or Deterministic from 1:1022 to 1:32
  • 85. NetFlow-Lite Characteristics on 2960-X Series
      •  NetFlow-Lite is supported on LAN Base and IP Lite SKUs only.
      •  NetFlow-Lite is supported in Mixed Stack, on 2960-X series ports only.
      •  Only Sampled NetFlow is supported.
      •  Only ingress flows are monitored.
      •  Flows are monitored on physical ports and VLAN interfaces (SVI).
      •  One monitor per interface is supported.
      •  NetFlow Version 9 is supported for Exporter.
      •  Deterministic Sampler is not shared. Every attachment with the same Deterministic Sampler uses up one free sampler.
      •  Random Sampler is shared. Only one sampler is used when a Random Sampler is attached to different ports or SVIs.
  • 86. NetFlow-Lite Configurations
        flow record record1
         match ipv4 protocol
         match ipv4 destination address
         match transport destination-port
         collect flow sampler
         collect counter bytes long
         collect counter packets long
         collect timestamp sys-uptime first
         collect timestamp sys-uptime last
        !
        flow exporter exporter1
         destination 10.0.101.254
         transport udp 9994
        !
        flow monitor monitor1
         record record1
         exporter exporter1
         cache timeout active 60
         statistics packet protocol
        !
        sampler rdm_sampler
         mode random 1 out-of 32
        !
        sampler det_sampler
         mode deterministic 1 out-of 55
        !
        interface GigabitEthernet1/0/1
         switchport access vlan 10
         switchport mode access
         ip flow monitor monitor1 sampler rdm_sampler input
        !
        interface GigabitEthernet1/0/2
         switchport access vlan 23
        !
        interface Vlan23
         ip flow monitor monitor1 sampler det_sampler input
         ip address 10.64.71.77 255.255.255.128
  • 87. Agenda
      •  Understand Catalyst 2960 Series Portfolio
      •  What is inside Catalyst 2960-X
      •  High Availability with Stacking – FlexStack-Plus
      •  Secure Network from Access Layer
      •  Quality of Service from Access Layer
      •  Simplify Day to Day Operations
  • 88. Catalyst 2K - QoS Model
      [Diagram: Network Interface; Trust Status; Service-Policy; Policer/ReMarker; Output Q Map; queues Q1 to Q4, each with WTD; SRR (Shaped/Shared); 1P3Q3T / 4Q3T; Universal Packet Buffer (UPB)]
  • 89. Trust, Classification & Marking [Diagram: Trust Status; Service-Policy; Policer/ReMarker; QoS Label]
      •  Markings trusted by default – ‘no mls qos’
      •  ‘mls qos’ enabled – all markings are set to BE
      •  Trust config
           -  Trust COS/DSCP
           -  Conditional Trust
           -  Mark without trust
        C2960-X(config)#int gig1/0/2
        C2960-X(config-if)#auto qos voip cisco-phone
        C2960-X(config-if)#do sh run int gig1/0/2
        interface GigabitEthernet1/0/2
         srr-queue bandwidth share 1 30 35 5
         priority-queue out
         mls qos trust device cisco-phone
         mls qos trust cos
         auto qos voip cisco-phone
         service-po

        C2960-X(config)#no mls qos
        C2960-X(config)#

        C2960-X(config)#mls qos
        C2960-X(config)#interface GigabitEthernet1/0/11
        C2960-X(config)#mls qos trust dscp

        C2960-X(config)#mls qos
        C2960-X(config)#interface GigabitEthernet1/0/11
        C2960-X(config)#mls qos trust dscp
        C2960-X(config)#mls qos trust device cisco-phone

        C2960-X(config)#mls qos
        C2960-X(config)#interface GigabitEthernet1/0/11
        C2960-X(config)#mls qos cos 5
        C2960-X(config)#mls qos cos override

        C2960-X(config)#access-list 101 permit tcp any eq www any
        C2960-X(config)#class-map match-all http
        C2960-X(config-cmap)#match access-group 101
        C2960-X(config-cmap)#policy-map web-server
        C2960-X(config-pmap)#class http
        C2960-X(config-pmap-c)#police 500000 8000 exceed-act drop
        C2960-X(config-pmap-c)#int gig1/0/11
        C2960-X(config-if)#service-policy input web-server
  • 90. Egress Queuing & Scheduling
      [Diagram labels: Output Q Map; Q1, Q2, Q3, Q4, each with WTD; SRR (Shaped/Shared); 1P3Q3T/4Q3T; Threshold 1, Threshold 2, Threshold 3]
      •  Queuing
         –  Default: four egress queues/port
         –  Configurable: eight egress queues/port
         –  Queues assigned based on QoS label
         –  2 Queue-sets – 2 Queue configurations
      •  Dropping
         –  WTD used for congestion avoidance
      •  Scheduling
         –  Per Interface configuration
         –  Strict Priority
         –  SRR used to manage the queues
  • 91. WRR vs. SRR
      SRR is an evolution of WRR that protects against overwhelming buffers with huge bursts of traffic by using a smoother round-robin (SRR) mechanism.
      [Diagram: four queues, Q1 Weight 1, Q2 Weight 2, Q3 Weight 3, Q4 Weight 4, shown once for WRR and once for SRR, with the resulting packet order for each]
      WRR: Each queue empties immediately as it is weighted.
      SRR: Each queue empties a weighted number of packets over a given period of time.
      SRR has a more even traffic flow – Low Priority traffic won’t starve!
  • 92. DSCP to Egress Queue & Threshold Mapping

          C2960-X #sh mls qos maps dscp-output-q
             Dscp-outputq-threshold map:
               d1 :d2    0     1     2     3     4     5     6     7     8     9
               ------------------------------------------------------------
                0 :    04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-01 04-02
                1 :    04-02 04-02 04-02 04-02 04-02 04-02 03-03 03-03 03-03 03-03
                ...
                4 :    01-03 01-03 01-03 01-03 01-03 01-03 01-03 01-03 02-03 02-03
                5 :    02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03
                6 :    02-03 02-03 02-03 02-03

          C2960-X(conf) # mls qos srr-queue output dscp-map queue 1 threshold 3 46
          C2960-X(conf) # mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
  • 93. COS to Egress Queue & Threshold Mapping

          C2960-X # show mls qos maps cos-output-q
             Cos-outputq-threshold map:
                         cos:   0   1   2   3   4   5   6   7
             ------------------------------------------------------------------
             queue-threshold: 3-3 4-3 2-1 2-2 1-3 1-3 2-3 2-3

          C2960-X(conf) # mls qos srr-queue output cos-map queue 1 threshold 3 4
          C2960-X(conf) # mls qos srr-queue output cos-map queue 2 threshold 3 6 7
  • 94. Egress Buffers Allocation
      [Diagram labels: Universal Packet Buffer, 4 MB/ASIC; 1 Buffer = 256B; 16384 Buffers; 140 KB; Reserved Pool; Common Pool; CPU Pool; Downlinks; Uplinks; Stack Ports; Gig1/0/1 and Gig1/0/2 with queues Q1–Q4]
      •  Every port has reserved egress buffers
      •  10G uplinks reserved buffers = ~ 4 * 1G downlink reserved buffers
      •  Dedicated Common pool for uplink & Stack ports
  • 95. Queue Sets & Thresholds

          C2960-X#show mls qos queue-set 1
          Queueset: 1
          Queue     :       1       2       3       4
          ----------------------------------------------
          buffers   :      15      25      40      20
          threshold1:      50     125     100      60
          threshold2:     100     125     100     150
          reserved  :      50     100     100      50
          maximum   :     200     400     400     200

          C2960-X#show mls qos queue-set 2
          Queueset: 2
          Queue     :       1       2       3       4
          ----------------------------------------------
          buffers   :      25      25      25      25
          threshold1:     100     100     100     100
          threshold2:     100     100     100     100
          reserved  :      50      50      50      50
          maximum   :     400     400     400     400

          C2960-X(conf) # mls qos queue-set output 1 buffers 15 25 40 20
          C2960-X(conf) # mls qos queue-set output 1 threshold 4 60 150 50 200
  • 96. Shaped SRR vs. Shared SRR
      [Diagram: four queues, Q1 Weight 1, Q2 Weight 2, Q3 Weight 3, Q4 Weight 4, shown once for Shaped and once for Shared, with the packet order for "SRR Non-shared" (with Wait slots) and "SRR Shared"]
      Shaped (non-shared): Lesser weight queues sit idle and wait to transmit, even if higher weight queues are empty.
      Shared: If higher weight queues are empty, lesser weight queues can continue to send while the higher weight queues are empty.
      SRR Shared: Room for more traffic, draining the buffers!
      Shared Queuing drains queues more efficiently!
  • 97. Shaped SRR vs. Shared SRR
      •  Either Shaped SRR or Shared SRR is good!
      •  Shared SRR is used to get the maximum efficiency out of a queuing system, because unused time slots can be reused by busier queues, unlike standard WRR.
      •  Shaped SRR is used when one wants to shape a queue or set a hard limit on how much bandwidth a queue can use. Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic.
  • 98. Queue level Bandwidth Allocation

          C2960-X#sh mls qos int gig1/0/3 queueing
          GigabitEthernet1/0/3
          Egress Priority Queue : enabled
          Shaped queue weights (absolute) : 25 0 0 0
          Shared queue weights : 10 10 60 20
          The port bandwidth limit : 85 (Operational Bandwidth: 100.0)
          The port is mapped to qset : 2

          C2960-X#sh mls qos int gig1/0/1 queueing
          GigabitEthernet1/0/1
          Egress Priority Queue : disabled
          Shaped queue weights (absolute) : 3 0 0 0
          Shared queue weights : 1 70 25 5
          The port bandwidth limit : 100 (Operational Bandwidth: 100.0)
          The port is mapped to qset : 1

          C2960-X(config) # interface GigabitEthernet 1/0/1
          C2960-X(config-if)# srr-queue bandwidth share 1 70 25 5
          ! Q2 gets 70% of remaining BW; Q3 gets 25% and Q4 gets 5%
          C2960-X(config-if)# srr-queue bandwidth shape 3 0 0 0
          ! Q1 is limited to 33% (1/3) of the total available BW

          C2960-X(config) # interface GigabitEthernet 1/0/3
          C2960-X(config-if)#priority-queue out
  • 99. Four Egress Queues
      Default Configuration - map 12 traffic classes
      [Diagram labels: Output Q Map; Q1, Q2, Q3, Q4, each with WTD; SRR (Shaped/Shared); 1P3Q3T/4Q3T]

          C2960XR#show mls qos queue-set 1
          Queueset: 1
          Queue     :       1       2       3       4
          ----------------------------------------------
          buffers   :      25      25      25      25
          threshold1:     100     200     100     100
          threshold2:     100     200     100     100
          reserved  :      50      50      50      50
          maximum   :     400     400     400     400

          C2960XR#configure terminal
          C2960XR(config)#mls qos srr-queue output queues 8
  • 100. Eight Egress Queues
      Configurable - map 24 traffic classes
      [Diagram labels: Output Q Map; Q1 through Q8, each with WTD; SRR (Shaped/Shared); 1P7Q3T/8Q3T]
      Only on Standalone*
      * Roadmap to support eight queues in stack
  • 101. Eight Egress Queues
      Configurable - map 24 traffic classes
      [Diagram labels: Output Q Map; Q1 through Q8, each with WTD; SRR (Shaped/Shared); 1P7Q3T/8Q3T]

          C2960XR#show mls qos queue-set 1
          Queueset: 1
          Queue     :       1       2       3       4       5       6       7       8
          ---------------------------------------------------------------------------
          buffers   :      10      30      10      10      10      10      10      10
          threshold1:     100    1600     100     100     100     100     100     100
          threshold2:     100    2000     100     100     100     100     100     100
          reserved  :     100     100     100     100     100     100     100     100
          maximum   :     400    2400     400     400     400     400     400     400

      Only on Standalone*
      * Roadmap to support eight queues in stack
  • 102. C2960-X Stack Port Queue Set
      •  Stack Port Queue Set
         -  Buffers per stack port are fixed
         -  Buffers to Queues is configurable
      •  Applies to all stack ports in stack.
      •  Separate Common buffer pool for stack ports

          C2960XR#show mls qos stack-qset
          Queueset: Stack
          Queue     :       1       2       3       4
          ----------------------------------------------
          buffers   :      25      25      25      25

          C2960XR#configure terminal
          C2960XR(config)#mls qos stack-qset buffers 10 60 20 10
  • 103. Automation with Cisco AutoQoS Switch Platforms
      •  Single command at the interface level configures interface and global QoS
      •  Support for Cisco IP Phone & Cisco IP Soft Phone
      •  Support for Cisco Telepresence, IP video surveillance camera & Media Player
      •  Trust Boundary is disabled when IP Phone is moved / relocated
      •  Buffer Allocation & Egress Queuing dependent on interface type (GE/FE)
      •  Supported on static, dynamic-access, voice VLAN access, and trunk ports
      •  CDP must be enabled for AutoQoS to function properly
      •  Cisco Catalyst 2960 supports SRR, Strict Priority Scheduling, and Strict Priority Queuing
  • 104. Cisco Catalyst 2960-X AutoQoS VoIP Model Example

          C2960-X(config-if)#auto qos voip cisco-phone

          !
          mls qos map cos-dscp 0 8 16 26 32 46 48 56
          mls qos srr-queue output cos-map queue 1 threshold 3 5
          mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
          mls qos srr-queue output cos-map queue 3 threshold 3 2 4
          mls qos srr-queue output cos-map queue 4 threshold 2 1
          mls qos srr-queue output cos-map queue 4 threshold 3 0
          mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
          mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
          mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
          mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
          mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
          mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
          mls qos srr-queue output dscp-map queue 4 threshold 1 8
          mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
          mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
          mls qos queue-set output 1 threshold 1 138 138 92 138
          mls qos queue-set output 1 threshold 2 138 138 92 400
          mls qos queue-set output 1 threshold 3 36 77 100 318
          mls qos queue-set output 1 threshold 4 20 50 67 400
          mls qos queue-set output 2 threshold 1 149 149 100 149
          mls qos queue-set output 2 threshold 2 118 118 100 235
          mls qos queue-set output 2 threshold 3 41 68 100 272
          mls qos queue-set output 2 threshold 4 42 72 100 242
          mls qos queue-set output 1 buffers 10 10 26 54
          mls qos queue-set output 2 buffers 16 6 17 61
          mls qos
          !
          !
          interface GigabitEthernet0/1
           srr-queue bandwidth share 10 10 60 20
           srr-queue bandwidth shape 10 0 0 0
           queue-set 2
           mls qos trust device cisco-phone
           mls qos trust cos
           auto qos voip cisco-phone
          !

      Options:
          auto qos voip cisco-phone
          auto qos voip cisco-softphone
          auto qos voip trust
          auto qos video cts
          auto qos video ip-camera
          auto qos video media-player
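The AutoQoS `dscp-map` commands on slide 104 and the `show mls qos maps dscp-output-q` table on slide 92 describe the same mapping, so one can be checked against the other. The following is an added example, not part of the Cisco deck: it builds the DSCP to queue/threshold map from the commands, parses the show table, and reports unmapped DSCPs and any drift; the function names are hypothetical and the inputs are transcribed from the slides.

```python
import re

# Constructed from the slides: dscp-map commands (slide 104) and the partial
# "show mls qos maps dscp-output-q" table (slide 92; rows 2-3 are elided there).
CONFIG = """\
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
"""
SHOW = """\
  d1 :d2    0     1     2     3     4     5     6     7     8     9
  ------------------------------------------------------------
   0 :    04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-01 04-02
   1 :    04-02 04-02 04-02 04-02 04-02 04-02 03-03 03-03 03-03 03-03
   ...
   4 :    01-03 01-03 01-03 01-03 01-03 01-03 01-03 01-03 02-03 02-03
   5 :    02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03
   6 :    02-03 02-03 02-03 02-03
"""

CMD = re.compile(r"mls qos srr-queue output dscp-map queue (\d+) threshold (\d+)((?:\s+\d+)+)$")
ROW = re.compile(r"(\d)\s*:\s*((?:\d\d-\d\d\s*)+)$")

def map_from_config(text):
    """DSCP -> (queue, threshold) from dscp-map commands; a later line wins."""
    mapping = {}
    for line in text.splitlines():
        m = CMD.match(line.strip())
        if m:
            for dscp in m.group(3).split():
                mapping[int(dscp)] = (int(m.group(1)), int(m.group(2)))
    return mapping

def map_from_show(text):
    """DSCP -> (queue, threshold) from the d1/d2 table; DSCP = 10*d1 + d2."""
    mapping = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, rule, or the "..." elision
        for d2, cell in enumerate(m.group(2).split()):
            queue, threshold = cell.split("-")
            mapping[int(m.group(1)) * 10 + d2] = (int(queue), int(threshold))
    return mapping

def unmapped(intended):
    """DSCP values (0-63) that no dscp-map command assigns."""
    return sorted(set(range(64)) - set(intended))

def drift(intended, observed):
    """DSCPs present in both maps whose queue/threshold differ."""
    common = sorted(set(intended) & set(observed))
    return {d: (intended[d], observed[d]) for d in common if intended[d] != observed[d]}

if __name__ == "__main__":
    cfg, obs = map_from_config(CONFIG), map_from_show(SHOW)
    print("unmapped:", unmapped(cfg), "drift:", drift(cfg, obs), "EF (46):", cfg[46])
```

Rows missing from the show output are simply not compared, so a partial capture never produces false drift.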
  • 105. Cisco Catalyst 2960-X Supports APIC-EM Easy-QoS
      [Diagram labels: Wireless AP, Trust Boundary, PEP, 4Q (WMM); Catalyst 2960-X, Trust Boundary, PEP, 1P3Q3T; Catalyst 3650, Trust Boundary, PEP, 2P6Q3T; Catalyst 4500, 1P7Q1T; Catalyst 6500, 1P3Q4T, 1P7Q4T, 2P6Q4T, …; Nexus 7700, F3: 1P7Q1T; WLC, PEP; ASR/ISRs, MQC; APIC-EM]
      •  Network Operators express high-level business-intent to APIC-EM EasyQoS
      •  Applications can interact with APIC-EM via Northbound APIs, informing the network of application-specific and dynamic QoS requirements
      •  Southbound APIs translate business-intent to platform-specific configurations
  • 106. Easy-QoS Simplifies QoS Policy for new Applications
      Example: QoS video classification enables Enterprise wide Jabber
  • 107. Agenda
      •  Understand Catalyst 2960 Series Portfolio
      •  What is inside Catalyst 2960-X
      •  High Availability with Stacking – FlexStack-Plus
      •  Secure Network from Access Layer
      •  Quality of Service from Access Layer
      •  Simplify Day to Day Operations
         •  Plug & Play
         •  AutoConf & Interface templates
  • 108. Network Plug-N-Play with APIC-EM
      Automates Switch Deployment & Configuration
      NETWORK ADMIN: Pre Provision Projects/Sites
         •  Policies
         •  Match Rules
         •  Configs/Image
         •  IP Addressing
      INSTALLER (Remote Installer)
         •  Mount and cable devices
         •  Power-on
      Booting Devices Call Out to PnP Server, Requesting Instructions
      Network Admin Remotely Monitors Status of Install While in Progress
      [Diagram labels: PnP Server; APIC EM; Campus, Bldg-2; Smart Install-Client; PnP Agent; Smart Install Proxy]
      UNSKILLED INSTALLER; GUI BASED; CONSISTENT FOR DEVICES AND PIN (CAMPUS/BRANCH); SECURE; GREENFIELD AND BROWNFIELD; RMA USE CASE
  • 109. Network PnP – Components
      •  PnP Agent
         -  Automates Deployment Process
         -  Runs on Cisco Switches and Routers
      •  PnP Server
         -  Manages Sites, Devices, Images, Licenses
         -  Central Server – APIC-EM
         -  Provides north bound REST APIs
      •  PnP Protocol
         -  Open Schema
         -  Runs between Agent and Server
      •  PnP Helper App
         -  Status/Troubleshooting checks
         -  Deliver Boot Strap
  • 110. Network PnP - Use Case: Branch Deployment
      [Diagram labels: Step 1, Step 2, Step 3; Network Admin; Installer; APIC/PnP Server; Internet; HTTP Proxy]
      Network Admin: Pre Provision Site in APIC EM
         •  Serial Number based match rule
         •  Config and/or Image
         •  Installer ID

          PID        Serial #    Hostname     IP address
          ISR-2951   FOX23zxcd   ISR-main     192.168.15.1
          ISR-2951   FOX23zxcb   ISR-bakcup   192.168.15.2
          C3650      FOC123dfg   Dist1        192.168.16.3
          C2960-XR   FOC443asd   ACC-sw1      192.168.16.4
          C2960X     FOC443asa   ACC-sw2      192.168.16.5
          C3560C     FOC443asg   ACC-sw3      192.168.16.6
          C3560C     FOC443asx   AC-sw4       192.168.16.7

      Installer on site with PnP mobile application
         •  Rack and Stack devices
         •  Power-on
         •  Start Deployment
         •  Check Status and/or troubleshoot (optional)
      Deliver bootstrap*
      New devices contact PnP Server to get provisioned
      PnP Server/Site Updates
      IT Admin can remotely monitor status of install
  • 111. Network PnP - Installer Application
      Runs on iPad/iPhone, used by the remote installer
         -  Deliver bootstrap configuration
         -  Status of PnP devices
         -  Notes for installer
         -  Register a device for a site
         -  Troubleshooting device install
      Not Deployed: not started or in progress
      Deployed Devices: completed install process
      Installer gets details on the device as it is installed
         •  Device details
         •  Log of install events/msgs
      App has detailed site install notes, configured by the Admin in the ‘Site’ workflow
  • 112. Network PnP – Server Discovery Options
      1.  DHCP Options
          DHCP Server configured with IP address of the PnP server in Options 60 & 43, consistent with Cisco LWAPP
      2.  Domain Name
          Uses customer Domain Name returned by DHCP server. PnP Agent adds pre-defined hostname “pnpserver.localdomainname”, e.g. pnpserver.cisco.com
      3.  Neighbor Assisted Provisioning (NAPP)
          When there is no DHCP, a NAP server, which is one of the devices already up using PnP, acts as proxy for new devices
  • 113. Image Install Service Workflow
      •  PnP server sends image location based on the UDI of the device
      •  PnP agent
         ✓  Checks if the path is valid
         ✓  Calculates disk space on the destination; if there is not enough, finds alternate disk space on the device
         ✓  Downloads the image to the right destination where enough space is available
         ✓  Checks the integrity of the image
         ✓  Installs the image to all the applicable hardware (Standalone unit, HA unit, Stacked unit)
         ✓  Notifies the server that image installation was successful
         ✓  Reloads the device
         ✓  If any error occurs during image installation, the agent aborts and reports the error back to the server
  • 114. Auto Configuration & Interface templates
  • 115. AutoConf and Interface Templates
      Current Challenges
         •  Port-Based Only
         •  Usability/Bloated Config
         •  Inflexible
      Next-Gen Auto Smartports
         •  Simplified running-config
         •  Parsed at definition time
         •  Built-in templates
         •  Config rollback
         •  Precedence management
         •  Integrated with session-aware networking
      Lower TCO; Easy to Use and Intuitive
  • 116. Interface Templates
      Benefits Overview
         -  Configuration file Readability and Manageability
         -  Smaller Configuration files
         -  Built-in Interface Templates for ease of use
         -  All Interface Templates are Customizable
      Advantages over Auto Smart Ports
         ✓  Template updates immediately ripple to interfaces
         ✓  Per session or Per port templates
         ✓  No change to running-config
         ✓  Full rollback and precedence management
         ✓  Compatible with AutoConf

          Switch# show template interface brief
          Template-Name                    Source
          ------------------------         ---------
          AP_INTERFACE_TEMPLATE            Built-in
          DMP_INTERFACE_TEMPLATE           Built-in
          IP_CAMERA_INTERFACE_TEMPLATE     Built-in
          IP_PHONE_INTERFACE_TEMPLATE      Built-in
          LAP_INTERFACE_TEMPLATE           Built-in
          MSP_CAMERA_INTERFACE_TEMPLATE    Built-in
          MSP_VC_INTERFACE_TEMPLATE        Built-in
          PRINTER_INTERFACE_TEMPLATE       Built-in
          ROUTER_INTERFACE_TEMPLATE        Built-in
          SWITCH_INTERFACE_TEMPLATE        Built-in
          TP_INTERFACE_TEMPLATE            Built-in

      11 Built-in Templates based on common end devices
  • 117. AutoConf Templates
      [Diagram labels: AutoConf Device Classification [CDP, LLDP, DHCP, MAC OUI]; Interface Templates [Built-In or User Defined]]
      •  Templates are the foundation for AutoConf
      •  Templates can work without AutoConf
      •  AutoConf requires templates
  • 118. AutoConf: Use Case
      Interface Templates
         •  Activated on interfaces
         •  Auto-conf the network device (one per port), e.g., switch or AP
         •  Template impacts all the traffic via that interface
         •  Stays ON as long as activated
      Service Templates
         •  Activated on network sessions
         •  Template impacts only the control or data packets to the session
         •  No impact on other sessions sharing port
         •  Stays ON as long as the session exists
      [Diagram labels: Access Switch; Compact Switch; Phone; Access Point; ports P1, P2, P4; sessions S1, S2, S3, S4]

      Interface-Template
          switchport trunk encapsulation dot1q
          switchport trunk allowed vlan ALL
          switchport mode trunk
          switchport nonegotiate
          auto qos voip trust
          mls qos trust cos
          srr-queue bandwidth limit $LIMIT

      Interface-Template
          auto qos voip trust
          switchport trunk encapsulation dot1q
          switchport trunk allowed vlan ALL
          switchport mode trunk

      Service-Template
          vlan 200
          access-group corp
          service-policy corp

      Service-Template
          vlan 100
          access-group corp
          inactivity 300
  • 119. AutoConf In Action
      Dynamic Binding to Interface (Gig1/0/2)

      No change in run-config:

          2960X# show run interface gi1/0/2
          Current configuration : 38 bytes
          !
          interface GigabitEthernet1/0/2
           source template IP_PHONE_INTERFACE_TEMPLATE
          end

      Full Configuration displayed with derived command:

          2960X# show derived int gi1/0/2
          Derived configuration : 616 bytes
          !
          interface GigabitEthernet1/0/2
           switchport mode access
           switchport block unicast
           switchport port-security maximum 3
           switchport port-security maximum 2 vlan access
           switchport port-security aging time 1
           switchport port-security aging type inactivity
           switchport port-security violation restrict
           switchport port-security
           load-interval 30
           srr-queue bandwidth share 1 30 35 5
           priority-queue out
           mls qos trust cos
           storm-control broadcast level pps 1k
           storm-control multicast level pps 2k
           storm-control action trap
           spanning-tree portfast
           spanning-tree bpduguard enable
           ip dhcp snooping limit rate 15
          end

      What template is bound to interface?

          2960X# show template interface binding all
          Template-Name                 Source     Method    Interface
          -------------                 ------     ------    ---------
          IP_PHONE_INTERFACE_TEMPLATE   Built-in   dynamic   Gi1/0/2

          2960X# show template binding target gi1/0/2
          Interface Templates
          ===================
          Interface: Gi1/0/2
          Method     Source     Template-Name
          ------     ------     -------------
          dynamic    Built-in   IP_PHONE_INTERFACE_TEMPLATE
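Because a template-bound port shows only `source template ...` in the running-config, a hardening audit has to read the derived configuration instead. The following is an added example, not part of the Cisco deck: it checks each access port's derived config for access-layer controls that appear in the IP_PHONE_INTERFACE_TEMPLATE output above; the control list, the function names and the second port (Gi1/0/9) are assumptions made for illustration.

```python
import re

# Constructed sample: Gi1/0/2 is the derived config shown on the slide;
# Gi1/0/9 is a hypothetical port with only part of that hardening applied.
DERIVED = """\
interface GigabitEthernet1/0/2
 switchport mode access
 switchport block unicast
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 switchport port-security
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
end
interface GigabitEthernet1/0/9
 switchport mode access
 switchport port-security maximum 3
 storm-control broadcast level pps 1k
 spanning-tree portfast
end
"""

# Assumed baseline: controls taken from the template output on the slide.
CONTROLS = {
    "port-security enabled": r"switchport port-security",
    "unknown-unicast blocking": r"switchport block unicast",
    "broadcast storm-control": r"storm-control broadcast level .+",
    "BPDU guard": r"spanning-tree bpduguard enable",
    "DHCP snooping rate limit": r"ip dhcp snooping limit rate \d+",
}

def parse_interfaces(text):
    """Split config text into {interface name: [stripped config lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"interface (\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line in ("end", "!", ""):
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit(text):
    """Access ports -> controls from CONTROLS that their config lacks."""
    findings = {}
    for name, lines in parse_interfaces(text).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        missing = [label for label, pattern in CONTROLS.items()
                   if not any(re.fullmatch(pattern, line) for line in lines)]
        if missing:
            findings[name] = missing
    return findings
```

The full-line match is deliberate: Gi1/0/9 sets `switchport port-security maximum 3` but lacks the bare `switchport port-security` line that turns the feature on, so it is reported as not enabled.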
  • 120. Wrap up
  • 121. Catalyst 2960-X Series Access Switches
      Next Generation Catalyst 2960 Access Switches
      Most Deployed Switch Just Got Better
      •  2x: Doubling Everything (stack units, bandwidth & more)
      •  Investment Protection: Stack with Existing 2960-S/SF
      •  Application Visibility & Control
      •  Layer 3 Routing
      •  Greenest Switch Ever
      Future-Proof; Scalable; Smart; Intelligent & Green; Simple; Reduce TCO; Secure; One Policy
  • 124. Thank you