design__day_presentation.ppt

Slide 1
© 2007 Cisco Systems, Inc. All rights reserved.
UC Commercial 1
Evolving Your Business To Unified Communications
Slide 2
AGENDA
8:00 Registration
8:30 Welcome Introduction
8:45 Capabilities Discussion of your existing network
9:00 Network Requirements for Unified Communications
     Business Resiliency with HA
     Securing the Network Infrastructure and Demo
11:00 Break
     Quality of Service
12:00 Lunch Break
12:45 High Availability Demonstration
     Ensure the additional demands for UC uptime
1:45 Deployment Models for Unified Communications
2:20 Break
2:30 Example Unified Communications Networks
     Taking the next step, walk through the integration of UC
4:00 Meet the Experts
     Whiteboard scenarios and questions
Slide 3
Growth of Converged Applications
Switches Must Scale to New Evolving Levels of Service
(Figure: converged applications such as IP Telephony, Digital Imaging, Storage Networking, Video Conferencing, Web Apps and Wireless Communications driving demand for more resources and higher performance)
Slide 4
Evolution, NOT Revolution
(Figure: Voice, Data and Video converging)
In response to current business forces, businesses are already naturally taking an “evolutionary” approach to advancing their business. They are looking to continuously and incrementally improve their business.
Slide 5
Evolving Solutions for Evolving Business
• Modular Has Greater Lifetime
• Only Software or Supervisor needs Upgrade
• Evolving Platform
• Smartports
• Single Chassis
• Free CNA GUI
• Various Chassis
• Power Supplies
• Supervisors
• Line Cards
Slide 6
Why Investment Protection Matters
Architecture Designed to Evolve as Technology Evolves
Example: Catalyst 4506 with Supervisor II, share of the initial investment by component
Chassis = 12%
Dual AC Power = 5%
Supervisor II = 15%
6 Port GBIC = 7%
2*48-port 10/100 = 24%
2*48 port 10/100/1000 = 27%
8 GBICs = 10%
Initial Investment = 100%
In this example, Supervisor II represents only 15% of the original purchase price. Upgrade ONLY the Supervisor (Supervisor II to Supervisor II-Plus) to upgrade the capabilities of ALL ports: 85% of the initial investment is maintained!
Slide 7
Why Platform Flexibility and Lifetime Matters
Maximize Your Investment
(Chart: cost ($) versus features over time for Catalyst Modular compared with fixed/low-cost competitors; the competitors incur platform upgrade costs at each step, L2 in 1999, L3 in 2001, 10/100/1000 in 2002, 802.3AF in 2003, 10GE in 2004, while the modular platform shows capex savings)
Effective Investments Today Provide Greater Long-term Value
Slide 8
Why Total Cost of Ownership (TCO) Matters
Capital Expenditure is ONE element of the total cost of a system
Operational and Opportunity Costs outweigh Capital Expenditures
Capital Expenditures* (20%)
Operational Costs* (80%): Troubleshooting, Maintenance, Upgrading software, Skilled Technical Staff, Facilities
Lost Opportunity Costs: Missed or Delayed Business Opportunities Due to Unavailable Technologies
* Source: Momenta Research, 2003
Slide 9
Value in a Switch Today
Far More Than Speeds and Feeds
Driver: High Cost of Security Breaches and Downtime
Driver: Growing Unified Communications Deployments
Driver: Network Demands Growing Faster Than IT Staff
Driver: Higher Network ROI Requirements
(Figure: the four drivers around "Value in a Switch", with Scalability as the common theme)
Slide 10
Cisco Catalyst 4500 & 6500 Series
The Industry-Leading Modular Switching Platforms
Delivering Maximum Value
Leading Scalability
• Maximum Operational Efficiency
• Enables Faster Response to Evolving Business Opportunities
Slide 11
Catalyst 4500 Series
Mid-Range, Layer 2-4 Modular Switching Platform
Scalable Architecture, Integrated Voice/Video/Data, Predictable Performance
(Figure: Catalyst 4500 Series features: Layer 2/3/4, Standard Manageability, High-Density 10/100/1000 Fiber or Copper, QoS/Traffic Management, Access Security, Integrated Resiliency, 10GE connectivity; connecting the PSTN, IP Phones and Metro Ethernet)
Slide 12
Catalyst 4500 Series Milestones & Innovations
Aug 1998 - Invented Patented TCAM Technology
Jan 1999 - Catalyst 4000 Layer 2 Switch
May 2000 - Cisco Pre-Standard PoE
Nov 2001 - Industry’s First High Density 10/100/1000 LC
Jan 2002 - Second Generation IOS Based Supervisor
Jun 2003 - Patented Catalyst Integrated Security Features
Feb 2004 - IEEE PoE
Sept 2004 - Enhanced HA with SSO
Dec 2004 - Line Rate L3 10 GE Supervisor V-10GE
Mar 2005 - Catalyst 4900 Series for Top of Rack
Dec 2005 - Line Rate L2 10 GE Supervisor II-10GE
Oct 2006 - In Service Software Upgrades (ISSU)
(Figure: three Pioneer Award badges)
Slide 13
Award-Winning Cisco Catalyst 4500 and 4948 Series
“Best Enterprise Switch 2006”, “Best in Test 2006” (NETWORKWORLD)
Catalyst 4500 Series, Catalyst 4948 Series
Slide 14
Catalyst 4003/4006 End of Support

Milestone: End of Cat OS Software Maintenance Releases
Definition: The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will NO LONGER develop, repair, maintain, or test CAT OS.
Date: May 3, 2006

Milestone: End of Routine Failure Analysis
Definition: The last possible date a routine failure analysis may be performed to determine the cause of product failure or defect.
Date: May 3, 2006

Milestone: End of New Service Attachment
Definition: For equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract.
Date: May 3, 2006

http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_eol_notice0900aecd80324aee.html
Slide 15
Catalyst 4000/4500 Recommended Transition
Legend: EOS (No new feature development) / Strategic Direction of Platform
(Figure, Chassis Transition/Positioning: WS-C4003 and WS-C4006 transition to WS-C4503, WS-C4506, WS-C4507R and WS-C4510R, positioned from low-end to installed base/high-end)
(Figure, Supervisor Transition/Positioning: WS-X4012, WS-X4013 and WS-X4014 transition to WS-X4013+, WS-X4013+TS, WS-X4013+10GE, WS-X4515, WS-X4516 and WS-X4516-10GE, positioned from low-end to installed base/high-end)

Milestones                 | Cat4006 and Sup II | Cat4003, Sup I, Sup III
Internal EoS Announcement  | 3/22/2004          | 12/15/2003
External EoS Announcement  | 5/3/2004           | 1/26/2004
End of Orderability        | 5/3/2005           | 7/26/2004
End of SW Maintenance      | 5/3/2006           | 7/26/2005
End of Support             | 5/3/2010           | 7/26/2009
Slide 16
Catalyst 4500: Innovation and Investment Protection
(Chart: development timeline across 1999, 2002, 2004, 2007 and 2012 with the SAME LINE CARDS throughout; capabilities added over time: Layer 2, 10/100/1000, PoE, L2/3/4, 10-GbE, SSO, NAC, NSF, CoPP, ISSU; Forward/Backward Compatibility)
Slide 17
Catalyst 6500 Series
Flagship, Layer 2 – 7 Modular Switching
Chassis Options: 3, 4, 6, 9, 13-slots
Supervisor Options: Sup 32, Sup 720, PFC’s
Ethernet Modules: Gigabit Ethernet; 10 Gigabit Ethernet; 96-port 10/100 TX; field-upgradeable 802.3af PoE; 10/100/1000 TX; 100BASE-X (FX, BX, LX)
WAN Modules: Enhanced FlexWAN (DS0 to OC-3); Optical Service Modules (OC-3 to OC-48); Shared Port Adapters (SPAs) (DS0 to OC-192)
Service Modules: Comm. Media; Network Analysis; Wireless LAN; App Control Engine; Firewall; IPSec
Slide 18
Catalyst 6500 EOS - Update

Product                                                            | Announcement Date | EOS Effective Date | Replacement Product
WS-X6K-SUP1A-2GE, WS-X6K-SUP1A-PFC, WS-X6K-S1A-MSFC2               | 9/24/04           | 3/25/05            | WS-SUP32-GE-3B, WS-SUP32-10GE-3B
WS-C6503                                                           | 11/1/05           | 11/1/06            | WS-C6503-E, WS-C6504-E
WS-C6506                                                           | 11/1/05           | 11/1/06            | WS-C6506-E
WS-X6509                                                           | 11/1/05           | 11/1/06            | WS-C6509-E
WS-CDC-1300W                                                       | 4/15/06           | 10/14/06           | PWR-4000-DC
WS-X6K-S2-PFC2, WS-X6K-S2-MSFC2, WS-X6K-S2U-MSFC2, WS-X6500-SFM2   | 3/1/06            | 3/1/07             | WS-SUP32-GE-3B, WS-SUP32-10GE-3B, WS-SUP720-3B
WS-X6024-10FL-MT                                                   | 12/15/05          | 6/15/06            | WS-X6148-FE-SFP
WS-X6324-100FX-MM                                                  | 12/15/05          | 6/15/06            | WS-X6148-FE-SFP
WS-X6324-100FX-SM                                                  | 12/15/05          | 6/15/06            | WS-X6148-FE-SFP
Slide 19
Catalyst 6500 Series Evolutionary Architecture
(Timeline 1999 to 2010; items on the chart: Introduced Catalyst 6500 with Supervisor Engine 1; Supervisor Engine 2 with Switch Fabric Module scaling to 256G; Distributed Forwarding Cards; Service Modules; Supervisor Engine 720 with IPv6, GRE, NAT, and Bi-dir PIM in HW; PFC3B and 3BXL with MPLS support in HW; New 67xx linecards; Supervisor Engine 32 with 8x1G and 2x10G uplink options; Application Control Engine; 8x10G line card; Cisco IOS Software Modularity; continued innovation and support)
Slide 20
Why Invest in a Modular Platform?
Delivering a Higher Value!
Optimal Platform for Unified Communications: Higher Availability, Higher Security, Ease of Use Management, Quality of Service
Slide 21
Building a Unified Communications Network
Modular Infrastructure, HA, Security, and QoS
Access layer: auto phone detection; inline power; QoS: scheduling, trust boundary and classification; fast convergence
Distribution layer: high availability, redundancy, fast convergence; policy enforcement; QoS: scheduling, trust boundary and classification
Core: high availability, redundancy, fast convergence; QoS: scheduling, trust boundary
(Figure: hierarchical campus with Access, Distribution and Core layers, Layer 3 equal cost links toward the Data Center and WAN/Internet)
Slide 22
Network Design Seminar for Unified Communications
Unified Communications Infrastructure: High Availability & Security
Slide 23
Building a Unified Communications Network
Infrastructure Integration, HA, Security, and QoS
Campus network design is evolving in response to multiple drivers:
User Expectations: Always ON access to communications
Business Requirements: Globalization means true 7x24x365
Technology Requirements: Unified Communications
Unexpected Requirements: Worms, Viruses, …
Campus design needs to evolve to a ‘resilient’ model leveraging an integrated approach to High Availability, Security and Quality of Service
(Figure: the OSI layers Physical, Data Link, Network, Transport, Session, Presentation and Application alongside the campus topology)
Slide 24
Building a Unified Communications Network
UC integrated with Network QoS, Security and HA
Phone contains a 3 port switch that is dynamically configured by the access switch and Call Manager:
1. Power negotiation
2. VLAN configuration
3. 802.1x interoperation
4. QoS configuration
5. DHCP
6. CallManager registration
Switch Detects IP Phone and Applies Power
CDP Transaction Between Phone and Switch
IP Phone Placed in Proper VLAN
DHCP Request and Call Manager Registration
UC endpoints dynamically participate in the overall Network QoS, Security and core HA infrastructure
Slide 25
Building a Unified Communications Network
It’s more than having all three services configured
(Figure: Unified Comm at the intersection of QoS, High Availability and Embedded Security)
High Availability, Quality of Service and Security are all necessary elements
A Unified Communications Network requires all three implemented in a consistent fashion
A Resilient Unified Communications Network requires all three implemented to reinforce and supplement each other
Slide 26
ESE Campus Solution Test Bed
Verified Design Recommendations
(Figure: test bed topology with Data Center and WAN/Internet)
Total of 68 Access Switches: 2950, 2970, 3550, 3560, 3750, 4507 SupII+, 4507 SupIV, 6500 Sup2, 6500 Sup32, 6500 Sup720, and 40 APs (1200)
Three Distribution Blocks: 6500 with Redundant Sup720s
Three Distribution Blocks: 6500 with Redundant Sup720, 4507 with Redundant SupV
6500 with Redundant Sup720s
7206VXR NPEG1
4500 SupII+, 6500 Sup720, FWSM, WLSM, IDSM2, MWAM
8400 Simulated Hosts
3k-10k Routes
End-to-End Flows: TCP, UDP, RTP, IPmc
Slide 27
Unified Communications Network Agenda
Resilient Network Design
Network Resiliency
High Availability Design Principles
Redundancy in the Distribution Block
Redundancy and Routing Design
Switch Resiliency
NSF/SSO
ISSU & IOS Modularity
GOLD & EEM
Hardening the Network
Layer 2 Security
Quality of Service
Slide 28
High Availability Campus Design
Structure, Modularity and Hierarchy
Optimize the interaction of the physical redundancy with the network protocols
Provide the necessary amount of redundancy
Pick the right protocol for the requirement
Optimize the tuning of the protocol
The network looks like this so that we can map the protocols onto the physical topology
We want to build networks that look like this
(Figure: hierarchical campus with redundant switches, redundant supervisors, redundant links, Layer 3 equal cost links in the core and Layer 2 or Layer 3 at the access; Data Center and WAN/Internet attached)
Slide 29
Hierarchical Campus Network
Structure, Modularity and Hierarchy
(Figure: a non-hierarchical, heavily meshed topology with Server Farm, WAN, Internet and PSTN, captioned "Not This !!")
Slide 30
Hierarchical Campus Network
Do I Need a Core Layer?
No Core: fully meshed distribution layers
Physical cabling requirement
Routing complexity
Second Building Block – 4 new links
Third Building Block – 8 new links, 12 links total, 5 IGP Neighbors
4th Building Block – 12 new links, 24 links total, 8 IGP Neighbors
Slide 31
Hierarchical Campus Network
Do I Need a Core Layer?
Dedicated Core Switches
Easier to add a module
Fewer links in the core
Easier bandwidth upgrade
Routing protocol peering reduced
Equal cost Layer 3 links for best convergence
2nd Building Block – 8 new links
3rd Building Block – 4 new links, 12 links total, 3 IGP Neighbors
4th Building Block – 4 new links, 16 links total, 3 IGP Neighbors
Slide 32
Foundations for optimal convergence
Layer 1
Direct point to point fiber provides for fast failure detection
IEEE 802.3z and 802.3ae link negotiation define the use of Remote Fault Indicator & Link Fault Signaling mechanisms
Bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side
Do not disable auto-negotiation on GigE and 10GigE interfaces
Carrier-Delay
3560, 3750 & 4500 - 0 msec
6500 – leave it at default 50 msec
The default debounce timer on GigE and 10GigE fiber linecards is 10 msec.
The minimum debounce for copper is 300 msec
(Figure: three stages of link failure detection: Remote IEEE Fault Detection Mechanism; Linecard Throttling: Debounce Timer; Cisco IOS Throttling: Carrier Delay Timer)
Slide 33
Foundations for optimal convergence
Layer 2 & Layer 3
With routed interfaces a physical interface state change results in direct notification of the routing processes
In event of a logical L3 interface (e.g. SVI) physical events trigger L2 spanning tree changes first which then trigger RP notification
Indirect failures require a SW process to detect the failure
To improve failure detection, use routed interfaces between L3 switches
(Figure: routed link compared with an L2 switch or VLAN interface; with an SVI interface the L2 link goes down first, then the L3 interface; routing protocol hellos detect indirect failures)
Slide 34
Foundations for optimal convergence
CEF Equal Cost Path Recovery
In the recommended design the recovery from most component failures is based on L3 CEF equal cost path recovery
Time to restore traffic flows is based on:
Time to detect link failure
Process the removal of the lost routes from the SW FIB
Update the HW FIB
No dependence on external events (no routing protocol convergence required)
Behavior is deterministic
Equal Cost Links: Link/Box Failure Does Not Require Multi-Box Interaction
Slide 35
Catalyst Switch Redundancy and Protocol Interaction
Time to Recover CEF Paths
1. Link failure detection
2. Removal of the entries in the routing table
3. Update of the software CEF table to reflect the loss of the next hop adjacencies
4. Update of the hardware tables
5. Routing protocol notification and reconvergence (Routing Protocol Process)

Cisco IOS Software
Software Routing Table (RIB)
Prefix          Next Hop    Interface
10.255.0.0/16   10.10.1.1   gig 1/1
                10.20.1.1   gig 1/2
CEF Tables
FIB Table
Prefix          Adjacency Ptr
10.255.0.0/16   Adj1 (gig 1/1)
                Adj2 (gig 1/2)
Adjacency Table
Rewrite Information
AA.AA.AA.AA.AA, VLAN
BB.BB.BB.BB.BB, VLAN
Hardware Tables
FIB Table (same entries as the software FIB)
Adjacency Table (same rewrite information as the software adjacency table)
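The RIB, CEF FIB and adjacency chain described on this slide, as an added Python example; it is not part of the original deck and is not Cisco's CEF implementation. The model is an assumption of this example: a prefix maps to a set of equal-cost adjacency keys, a link-down event prunes the RIB, the FIB and the adjacency table for that interface (steps 1 to 4), and forwarding continues over the surviving adjacency before any routing protocol reconvergence (step 5). The topology and the six-octet rewrite MACs are constructed from the slide's tables.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Adjacency:
    next_hop: str
    interface: str
    rewrite_mac: str   # L2 destination MAC written onto the forwarded frame


@dataclass
class L3Switch:
    """Toy model of the RIB -> CEF FIB -> adjacency chain (simplified; an assumption of this example)."""
    rib: dict = field(default_factory=dict)           # prefix -> [(next_hop, interface), ...]
    adjacencies: dict = field(default_factory=dict)   # (next_hop, interface) -> Adjacency
    fib: dict = field(default_factory=dict)           # prefix -> [adjacency key, ...] (equal-cost set)
    log: list = field(default_factory=list)

    def add_route(self, prefix, next_hop, interface, mac):
        self.rib.setdefault(prefix, []).append((next_hop, interface))
        self.adjacencies[(next_hop, interface)] = Adjacency(next_hop, interface, mac)
        self.fib.setdefault(prefix, []).append((next_hop, interface))

    def link_down(self, interface):
        """Steps 1-4 from the slide: detect the failure, prune the RIB, update SW and HW FIB."""
        self.log.append(f"1: link failure detected on {interface}")
        for hops in self.rib.values():
            hops[:] = [h for h in hops if h[1] != interface]
        self.log.append("2: routing table entries via that interface removed")
        for key in [k for k in self.adjacencies if k[1] == interface]:
            del self.adjacencies[key]
        for keys in self.fib.values():
            keys[:] = [k for k in keys if k[1] != interface]
        self.log.append("3/4: software and hardware FIB/adjacency tables updated")
        # Step 5 also happens, but forwarding over the remaining path is already restored.
        self.log.append("5: routing protocol notified")

    def forward(self, dst_ip):
        """Longest-prefix match, then one equal-cost adjacency; None when no path remains."""
        dst = ipaddress.ip_address(dst_ip)
        candidates = [p for p in self.fib if dst in ipaddress.ip_network(p)]
        if not candidates:
            return None
        best = max(candidates, key=lambda p: ipaddress.ip_network(p).prefixlen)
        keys = self.fib[best]
        if not keys:
            return None
        chosen = keys[int(dst) % len(keys)]   # deterministic per-destination spread across paths
        adj = self.adjacencies[chosen]
        return adj.interface, adj.rewrite_mac


def build_example():
    """Constructed topology from the slide: 10.255.0.0/16 via two equal-cost next hops."""
    sw = L3Switch()
    sw.add_route("10.255.0.0/16", "10.10.1.1", "gig 1/1", "AA.AA.AA.AA.AA.AA")
    sw.add_route("10.255.0.0/16", "10.20.1.1", "gig 1/2", "BB.BB.BB.BB.BB.BB")
    return sw


if __name__ == "__main__":
    sw = build_example()
    print("before failure:", sw.forward("10.255.3.7"))
    sw.link_down("gig 1/1")
    print("after gig 1/1 down:", sw.forward("10.255.3.7"))
    print("\n".join(sw.log))
```

Because the FIB holds both adjacencies, the only work on failure is local table pruning: the prefix stays reachable through gig 1/2 with no neighbour involved, which is the "no multi-box interaction" point of slide 34.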
Slide 36
Equal Cost Multi-Path
Optimizing CEF Load-Sharing
Up to eight equal cost CEF paths are supported in HW today
Depending on the traffic flow patterns, one algorithm may provide better load-sharing results than another
(Figure: example where one load-sharing algorithm sends 30% of flows over one path and 70% over the other; paths labelled "load-sharing simple" and "load-sharing full simple")
Catalyst 4500 Load-Balancing Options
Original:      Src IP + Dst IP
Universal:     Src IP + Dst IP + Unique ID
Include Port:  Src IP + Dst IP + (Src ‘or’ Dst Port) + Unique ID
Catalyst 6500 PFC3* Load-Balancing Options
Default:            Src IP + Dst IP + Unique ID
Full:               Src IP + Dst IP + Src Port + Dst Port + opt.
Full Exclude Port:  Src IP + Dst IP + (Src ‘or’ Dst Port)
Simple:             Src IP + Dst IP
Full Simple:        Src IP + Dst IP + Src Port + Dst Port
Slide 37
Unified Communications Network Agenda (section divider; the agenda is listed on slide 27)
Slide 38
Multilayer Network Design
Layer 2 Access with Layer 3 Distribution
Design with VLANs local to each access switch:
Each access switch has unique VLANs
No layer 2 loops
Layer 3 link between distribution
No blocked links
Design with VLANs spanning access switches:
At least some VLANs span multiple access switches
Layer 2 loops
Layer 2 and 3 running over link between distribution
Blocked links
(Figure: left design with Vlan 10, Vlan 20 and Vlan 30 each on a single access switch; right design with Vlan 30 on every access switch)
Slide 39
Layer 2 Access
Layer 2 Loops and Spanning Tree
(Figure: Switch 1 and Switch 2 connected over ports 3/1 and 3/2, with a frame for DST MAC 0000.0000.4444 from source 0000.0000.3333 shown on both links)
Implement physical L2 loops only when you have to
Spanning tree protocol is very, very rarely the problem
L2 has no native mechanism to dampen down a problem
Utilize Rapid PVST+ for best convergence
Take advantage of the Spanning Tree Toolkit to help prevent a problem: UDLD, Loopguard, Rootguard, BPDUguard
Limit the size of the L2 domain
Slide 40
Layer 2 Loops and Spanning Tree
Spanning Tree Should Behave the Way You Expect
The root bridge should stay where you put it: Loopguard and rootguard, UDLD
Only end station traffic should be seen on an edge port: BPDU guard, Port-Security
There is a reasonable limit to B-Cast and M-Cast traffic volumes: on 4500 and 6500 configure storm control on backup links to aggressively rate limit B-Cast and M-Cast; utilize Sup720 rate limiters or SupIV/V with HW queuing structure
(Figure: STP Root at the distribution with Rootguard and Loopguard; access uplinks with Loopguard and Storm Control; edge ports with BPDU Guard or Rootguard, PortFast and Port Security)
Slide 41
Optimizing L2 Convergence
PVST+, Rapid PVST+ or MST
(Chart: time to restore data flows (sec), scale 0 to 35, for PVST+ versus Rapid PVST+, upstream and downstream)
Rapid-PVST+ greatly improves the restoration times for any VLAN that requires a topology convergence due to link UP
Rapid-PVST+ also greatly improves convergence time over Backbone fast for any indirect link failures
PVST+ (802.1d): traditional Spanning Tree implementation
Rapid PVST+ (802.1w): scales to large size (~10,000 logical ports); easy to implement, proven, scales
MST (802.1s): permits very large scale STP implementations (~30,000 logical ports); not as flexible as Rapid PVST+
Slide 42
UDLD
Protecting Against One Way Communication
While 802.3z and 802.3ae link negotiation provides for L1 fault detection, HW ASIC failures can still occur
UDLD provides an L2 based keep-alive mechanism that confirms bi-directional L2 connectivity
Each switch port configured for UDLD will send UDLD protocol packets (at L2) containing the port's own device/port ID, and the neighbor's device/port IDs seen by UDLD on that port
If the port does not see its own device/port ID echoed in the incoming UDLD packets the link is considered unidirectional and is shutdown
(Figure: Tx and Rx fiber strands between two switches)
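The UDLD echo check described on this slide, as an added Python example; it is not part of the original deck and is not Cisco's UDLD implementation. Two ports exchange packets carrying their own device/port ID plus the IDs they have heard, over a fiber pair whose two directions can be broken independently. The port IDs are constructed, and the decision rule is a simplification of this example: after the first exchange, a port that keeps receiving packets that do not echo its own ID declares the link unidirectional and err-disables itself (real UDLD uses message and hold timers rather than a packet count).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UdldPacket:
    sender: str      # sender's device/port ID, e.g. "SW1:Gi1/1" (constructed)
    echoed: tuple    # device/port IDs the sender has seen on that port


@dataclass
class UdldPort:
    port_id: str
    neighbors_seen: set = field(default_factory=set)
    packets_heard: int = 0
    state: str = "undetermined"   # undetermined | bidirectional | unidirectional
    enabled: bool = True          # False once the port is err-disabled

    def build_packet(self):
        return UdldPacket(self.port_id, tuple(sorted(self.neighbors_seen)))

    def receive(self, pkt):
        if not self.enabled:
            return
        self.neighbors_seen.add(pkt.sender)
        self.packets_heard += 1
        if self.port_id in pkt.echoed:
            self.state = "bidirectional"     # the neighbor hears us and we hear it
        elif self.packets_heard >= 2:
            # Model assumption: after the first exchange, a neighbor that still does not
            # echo our ID cannot hear us, so the link is one-way and the port is shut down.
            self.state = "unidirectional"
            self.enabled = False


def simulate(a_to_b=True, b_to_a=True, rounds=4):
    """Run UDLD between two ports over a fiber pair whose directions may be broken.
    Returns both ports so the caller can inspect state and the err-disable flag."""
    a = UdldPort("SW1:Gi1/1")
    b = UdldPort("SW2:Gi1/1")
    for _ in range(rounds):
        pkt_a, pkt_b = a.build_packet(), b.build_packet()
        if a_to_b and a.enabled:
            b.receive(pkt_a)       # strand from SW1 to SW2 is working
        if b_to_a and b.enabled:
            a.receive(pkt_b)       # strand from SW2 to SW1 is working
    return a, b


if __name__ == "__main__":
    for case in ((True, True), (False, True), (True, False)):
        a, b = simulate(*case)
        print("a_to_b=%s b_to_a=%s -> %s / %s" % (case[0], case[1], a.state, b.state))
```

Note which side detects the fault: when the SW1 to SW2 strand is dead, it is SW1 that sees the neighbor's packets without its own ID and shuts its port; SW2 hears nothing at all and, in this normal-mode model, stays undetermined, which is why the other side's port must also be protected (Loopguard or UDLD aggressive mode on real switches).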
Slide 43
Trunk Design Considerations
Native VLAN - 802.1q
802.1q does not encapsulate the native VLAN
Two potential problems:
Security vulnerability—with the right knowledge of the network it is possible to ‘VLAN hop’
Misconfiguration of the native VLAN can result in traffic black-holing
Using DTP and auto-negotiating all trunks prevents mis-configuration but does not fix the security vulnerability
Use ‘dummy’ native VLANs ‘or’ enable encapsulation of the native VLAN on 6500:
Switch(config)#vlan dot1q tag native
(Figure: trunk carrying VLAN 10 and VLAN 20 between distribution switches, with hosts 10.1.10.200 and 10.1.20.200)
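The native VLAN behaviour on this slide, as an added Python example; it is not part of the original deck and not switch firmware. It models 802.1q trunk egress and ingress on two switches: native-VLAN frames leave untagged unless the switch tags its native VLAN, and an untagged frame is placed into the receiver's native VLAN on arrival. With the constructed mismatch (native VLAN 10 on one side, 20 on the other) this shows the black-holing problem; enabling the modelled equivalent of "vlan dot1q tag native" on both ends, or using the same dummy native VLAN on both, removes it. The rule that a switch expecting a tagged native VLAN drops untagged frames is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    vlan_tag: Optional[int]   # 802.1Q VID carried on the wire; None means untagged
    payload: str


@dataclass
class TrunkPort:
    switch: str
    native_vlan: int
    tag_native: bool = False   # models 'vlan dot1q tag native' on this switch

    def egress(self, vlan, dst_mac, payload="data"):
        """802.1Q sends native-VLAN frames untagged unless native tagging is enabled."""
        if vlan == self.native_vlan and not self.tag_native:
            return Frame(dst_mac, None, payload)
        return Frame(dst_mac, vlan, payload)

    def ingress(self, frame):
        """VLAN the frame is placed in on receipt, or None if it is dropped."""
        if frame.vlan_tag is None:
            if self.tag_native:
                # Model assumption: a switch expecting tagged native traffic drops untagged frames.
                return None
            return self.native_vlan      # untagged frames land in the receiver's native VLAN
        return frame.vlan_tag


def carry(sender, receiver, vlan, dst_mac="0000.0000.4444"):
    """Send one frame from `vlan` across the trunk; return the VLAN it ends up in (None = dropped)."""
    return receiver.ingress(sender.egress(vlan, dst_mac))


def native_vlan_mismatch(a, b):
    """The check to run on every trunk; CDP reports this condition as a native VLAN mismatch."""
    return a.native_vlan != b.native_vlan


if __name__ == "__main__":
    # Constructed: two distribution switches whose trunk ends disagree on the native VLAN.
    sw1 = TrunkPort("SW1", native_vlan=10)
    sw2 = TrunkPort("SW2", native_vlan=20)
    print("mismatch:", native_vlan_mismatch(sw1, sw2))
    print("VLAN 10 frame from SW1 arrives in VLAN", carry(sw1, sw2, 10))   # 20: misdelivered
    sw1.tag_native = sw2.tag_native = True
    print("with native tagging it arrives in VLAN", carry(sw1, sw2, 10))   # 10
```

The half-configured case is the one to watch for in change windows: once only one end tags its native VLAN, that end's VLAN 10 traffic is fine but the other end's untagged native traffic is dropped, so the command needs to go on both switches of every trunk in the same maintenance step.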
44. © 2007 Cisco Systems, Inc. All rights reserved.
UC Commercial 44
Phones & Switch Ports
Auxiliary VLAN
During initial CDP exchange phone is configured with a Voice VLAN
ID (VVID) on a multi-vlan access port
IMPORTANT: multi-vlan access ports (MVAP) are NOT trunk ports,
even though the hardware is enabled to receive dot1q frames
MVAP port are access ports with access and NOT trunk port features
This is includes support for 3rd party phones on MVAP ports
PC VLAN = 10
(PVID)
Phone VLAN = 110
(VVID)
Native VLAN (PVID) No
Configuration Changes
Needed on PC
802.1Q encapsulation
with 802.1p Layer 2
CoS
Si
Si
Slide 45
EtherChannel
Link Capacity and Redundancy
EtherChannel creates a logical link by bundling multiple physical links
PAgP: Port Aggregation Protocol
LACP (802.3ad): Link Aggregation Control Protocol
Failure of a link in a bundle will affect the spanning tree link cost and may result in a topology change
Failure of a link in a bundle ‘may’ trigger a Layer 3 re-route:
OSPF running on a Cisco IOS based switch will reduce link cost and re-route traffic
OSPF running on a hybrid switch will not change link cost and may overload remaining links
EIGRP may not change link cost and may overload remaining links
In an L3 environment single 10 Gigabit Links address both problems: increased bandwidth without routing challenges
Slide 46
EtherChannel Design Considerations
Static vs Dynamic EtherChannel
Statically configuring members of an EtherChannel bundle improves convergence but . . .
In a Layer 2 environment it is possible for mis-configuration to create a semi-loop between two switches
This is a problem during the physical add, move and change process, not one triggered by network failover events
Traffic received on an EtherChannel bundle is not reflected back down the link
802.1w requires bidirectional exchange of BPDUs
Loopguard will detect the loss of BPDUs on an existing working connection
Recommendation is auto/desirable for L2
Recommendation is on/on for L3 links
(Figure: two switches with channel member ports labelled On, On and Off, Off)
Slide 47
EtherChannel Load Balancing
Avoid Underutilizing Redundant Paths
Network may not load balance using default L3 load balancing hash
How random are your SRC & DST IP addresses?
Recommendation to utilize L4 Hash
In order to optimize the load balancing of traffic over multiple links deploy in powers of two (two, four, or eight)
Single fat link (10GE) simplifies all of this
L3 Hash: Link 0 load—68%, Link 1 load—32%
L4 Hash: Link 0 load—52%, Link 1 load—48%
Sup720(config)# port-channel load-balance src-dst-port
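The load-sharing behaviour discussed on this slide and on slide 36 (Equal Cost Multi-Path), as an added Python example; it is not part of the original deck and is not Cisco's hashing implementation. It models the choice between an L3 hash (source and destination IP only) and an L4 hash (ports included) with a constructed set of 200 TCP sessions from two clients to one server, the kind of traffic where IP addresses are not random at all. The reduction of the hash to 8 buckets is an assumption of the model; it is also what makes link counts that are powers of two split evenly and three links split 3/3/2.

```python
import hashlib
from collections import Counter

NUM_BUCKETS = 8   # model assumption: the hash is reduced to 8 buckets, then spread over the links


def flow_hash(src_ip, dst_ip, src_port=None, dst_port=None):
    """Stable hash of the flow tuple; L3 hash when ports are omitted, L4 hash when given."""
    key = f"{src_ip}|{dst_ip}"
    if src_port is not None and dst_port is not None:
        key += f"|{src_port}|{dst_port}"
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")


def buckets_per_link(n_links):
    """How many hash buckets each link receives; uneven unless n_links divides NUM_BUCKETS."""
    return [sum(1 for b in range(NUM_BUCKETS) if b % n_links == i) for i in range(n_links)]


def pick_link(flow, n_links, use_l4):
    src, dst, sport, dport = flow
    h = flow_hash(src, dst, sport, dport) if use_l4 else flow_hash(src, dst)
    return (h % NUM_BUCKETS) % n_links


def link_shares(flows, n_links, use_l4):
    """Number of flows landing on each link."""
    counts = Counter(pick_link(f, n_links, use_l4) for f in flows)
    return [counts.get(i, 0) for i in range(n_links)]


def constructed_flows():
    """Constructed sample: 200 TCP sessions from two clients to one server (few IP pairs, many ports)."""
    return [(src, "10.1.50.5", 40000 + p, 443)
            for src in ("10.1.10.20", "10.1.10.21") for p in range(100)]


if __name__ == "__main__":
    flows = constructed_flows()
    for n in (2, 3, 4):
        print(f"{n} links: buckets per link {buckets_per_link(n)}")
    print("L3 hash over 2 links:", link_shares(flows, 2, use_l4=False))
    print("L4 hash over 2 links:", link_shares(flows, 2, use_l4=True))
```

With the L3 hash every session between the same two addresses lands on the same member link, so two clients can only ever produce an all-or-nothing split; adding the ports lets the 200 sessions spread across both links, which is the effect behind the 68/32 versus 52/48 figures on the slide.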
Slide 48
First Hop Redundancy (FHRP)
Layer 2 Access
HSRP, GLBP and VRRP are used to provide a resilient default gateway/first hop address to end stations
A group of routers act as a single logical router providing first hop router redundancy
Protect against multiple failures: distribution switch failure, uplink failure
HSRP, GLBP and VRRP provide millisecond timers and excellent convergence performance
VRRP if you need multi-vendor interoperability
GLBP facilitates uplink load balancing
(Figure: failure of the active GW or of the link to the GW; the new active GW provides the alternate path)
Slide 49
First Hop Redundancy
Sub-second Timers & Preempt Delay
(Figure: FHRP Active R1 and FHRP Standby R2 above Access-a)

HSRP Config
interface Vlan4
 ip address 10.120.4.2 255.255.255.0
 standby 1 ip 10.120.4.1
 standby 1 timers msec 250 msec 750
 standby 1 priority 150
 standby 1 preempt
 standby 1 preempt delay minimum 180

GLBP Config
interface Vlan4
 ip address 10.120.4.2 255.255.255.0
 glbp 1 ip 10.120.4.1
 glbp 1 timers msec 250 msec 750
 glbp 1 priority 150
 glbp 1 preempt
 glbp 1 preempt delay minimum 180

VRRP Config
interface Vlan4
 ip address 10.120.4.1 255.255.255.0
 ip helper-address 10.121.0.5
 no ip redirects
 vrrp 1 description Master VRRP
 vrrp 1 ip 10.120.4.1
 vrrp 1 timers advertise msec 250
 vrrp 1 preempt delay minimum 180

• Preempt delay avoids black holing traffic when the ACTIVE gateway recovers and preempts the backup, as upstream routing and links may not be active yet
• Recommendation: do not use sub-second timers if >150 VLANs (6500)
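The interaction of the hold timer and the preempt delay on this slide, as an added Python example; it is not part of the original deck and not an HSRP implementation. It is a tick-based model (an assumption of this example) in which the active router sends hellos every 250 ms, the standby takes over 750 ms after the last hello, and a higher-priority router preempts only once its preempt delay has run since its interfaces came back. The scenario is constructed: R1 (priority 150) fails at t=0, its interfaces return after 60 s but its upstream routing is only usable after 100 s; R2 (priority 100) never fails. The function reports how long traffic is sent to a gateway that cannot forward it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    name: str
    priority: int
    preempt_delay_ms: int = 0
    down_at_ms: Optional[int] = None   # when the router fails (None = never)
    up_at_ms: int = 0                  # when its interfaces (and FHRP hellos) come back
    upstream_ready_ms: int = 0         # when its upstream routing is usable again

    def is_up(self, t):
        return self.down_at_ms is None or not (self.down_at_ms <= t < self.up_at_ms)


def simulate(gateways, initial_active, hello_ms=250, hold_ms=750,
             horizon_ms=300_000, step_ms=50):
    """Tick-based active/standby model with a hold timer and a preempt delay (model assumption).
    Returns ([(time_ms, new_active_name), ...], milliseconds during which traffic is black-holed)."""
    by_name = {g.name: g for g in gateways}
    active = by_name[initial_active]
    last_hello_ms = 0
    transitions, blackhole_ms = [], 0
    for t in range(0, horizon_ms, step_ms):
        if active.is_up(t):
            if t % hello_ms == 0:
                last_hello_ms = t          # the active router keeps sending hellos
        elif t - last_hello_ms >= hold_ms:
            # hold timer expired: the best remaining router becomes active
            candidates = [g for g in gateways if g is not active and g.is_up(t)]
            if candidates:
                active = max(candidates, key=lambda g: g.priority)
                last_hello_ms = t
                transitions.append((t, active.name))
        for g in gateways:
            # a higher-priority router preempts only after its preempt delay has run
            if (g is not active and g.is_up(t) and g.priority > active.priority
                    and t >= g.up_at_ms + g.preempt_delay_ms):
                active = g
                last_hello_ms = t
                transitions.append((t, g.name))
        # traffic is lost while the active gateway is down or has no upstream path yet
        if not active.is_up(t) or t < active.upstream_ready_ms:
            blackhole_ms += step_ms
    return transitions, blackhole_ms


def run_case(preempt_delay_ms):
    """Constructed scenario: R1 (priority 150) fails at t=0, interfaces return at 60 s,
    upstream routing only at 100 s; R2 (priority 100) never fails."""
    r1 = Gateway("R1", 150, preempt_delay_ms, down_at_ms=0,
                 up_at_ms=60_000, upstream_ready_ms=100_000)
    r2 = Gateway("R2", 100)
    return simulate([r1, r2], "R1")


if __name__ == "__main__":
    for delay in (0, 180_000):
        transitions, lost = run_case(delay)
        print(f"preempt delay {delay // 1000}s: transitions {transitions}, black-holed {lost} ms")
```

With no preempt delay the 750 ms failover is followed by 40 s of black-holing when R1 preempts before its upstream is usable; with "preempt delay minimum 180" the takeover waits until well after the upstream has recovered and the only loss is the initial hold-timer window.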
Slide 50
First Hop Redundancy with Load Balancing
Gateway Load Balancing Protocol (GLBP)
Each member of a GLBP redundancy group owns a unique virtual MAC address for a common IP address/default gateway
When end stations ARP for the common IP address/default gateway they are given a load balanced virtual MAC address
Host A and host B send traffic to different GLBP peers but have the same default gateway
(Figure: subnet 10.88.1.0/24; R1 (.1) and R2 (.2) both configured with "GLBP 1 ip 10.88.1.10", vIP 10.88.1.10; R1 vMAC 0000.0000.0001, R2 vMAC 0000.0000.0002; hosts A and B (.4 and .5) each ARP for 10.88.1.10, one gets MAC 0000.0000.0001 in the ARP reply and the other gets MAC 0000.0000.0002)
Slide 51
Routing to the Edge
Layer 3 Distribution with Layer 3 Access
Move the Layer 2/3 demarcation to the network edge
Upstream convergence times triggered by hardware detection of light lost from upstream neighbor
Beneficial for the right environment
(Figure: GLBP model with the Layer 2/Layer 3 boundary at the distribution compared with routed access running EIGRP/OSPF down to the access switches; access subnets 10.1.20.0 (VLAN 20 Data), 10.1.120.0 (VLAN 120 Voice), 10.1.40.0 (VLAN 40 Data), 10.1.140.0 (VLAN 140 Voice))
Slide 52
Routing to the Edge
Advantages, Yes in the Right Environment
(Chart: convergence time, scale 0 to 2 sec, upstream and downstream, for RPVST+, OSPF (12.2S) and EIGRP)
Ease of implementation, less to get right
No matching of STP/HSRP/GLBP priority
No L2/L3 multicast topology inconsistencies
Single control plane and well known tool set: traceroute, show ip route, show ip eigrp neighbor, etc.
Most Cisco Catalysts support L3 switching today
EIGRP converges in <200 msec
OSPF with sub-second tuning converges in <200 msec
RPVST+ convergence times dependent on GLBP/HSRP tuning
Both L2 and L3 Can Provide Sub-Second Convergence
Slide 53
Unified Communications Network Agenda (section divider; the agenda is listed on slide 27)
Slide 54
Multilayer Network Design
Core and Distribution Routing Design
Managing the number of routes in the network is important
Both EIGRP and OSPF need summarization
Map the protocol to the topology
(Chart: time to restore voice (sec.), scale 0 to 3, versus number of routes in the stub area (800, 1000, 3000, 6000, 9000, 12000) on a Sup720)
Slide 55
EIGRP Design Rules for HA Campus
High-Speed Campus Convergence
EIGRP convergence is largely dependent on query response times
Minimize the number and time for query response to speed up convergence:
Summarize distribution block routes upstream to the core
Configure all access switches as EIGRP stub routers
Filter routes sent down to access switches

Access switch as EIGRP stub:
router eigrp 100
 network 10.0.0.0
 eigrp stub connected

Distribution switch summarizing toward the core:
interface TenGigabitEthernet 4/1
 ip summary-address eigrp 100 10.120.0.0 255.255.0.0 5

Distribution switch filtering the routes sent to the access switches:
router eigrp 100
 network 10.0.0.0
 distribute-list Default out <mod/port>
ip access-list standard Default
 permit 0.0.0.0
Slide 56
OSPF Design Rules for HA Campus
High Speed Campus Convergence
OSPF convergence is dependent on a number of factors
Summarization will decrease the load and often the need for SPF calculations:
Upstream from the distribution block into the core
Downstream from the core into the distribution block
router ospf 100
 area 120 stub no-summary
 area 120 range 10.120.0.0 255.255.0.0 cost 10
 network 10.120.0.0 0.0.255.255 area 120
 network 10.122.0.0 0.0.255.255 area 0
Slide 57
OSPF Design Rules for HA Campus
High Speed Campus Convergence
OSPF convergence is also dependent on tuning of the OSPF timers:
Sub-second hellos
IP Dampening mechanism
Back-off algorithm for LSA generation
Exponential SPF backoff
router ospf 100
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80
interface GigabitEthernet1/1
 dampening
 ip address 10.120.0.205 255.255.255.254
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 4
(Chart: time to restore voice flows (msec.), scale 0 to 6, for default convergence, 10 msec. SPF, and 10 msec. SPF and LSA)
Slide 58
Unified Communications Network Agenda (section divider; the agenda is listed on slide 27)
System Level Resiliency
Comprehensive Physical Redundancy
Catalyst 6500 and 4500 highly redundant modular systems
Redundant hot swappable Supervisors
Redundant hot swappable Power Supplies
N+1 redundant fans with hot swappable fan trays
Hot swappable line cards
Passive data backplane
Redundant system clock modules
System Level Resiliency
NSF/SSO, IOS Modularity and ISSU
Catalyst 6500 and 4500 Supervisor hardware redundancy (1+1) will leverage four key mechanisms to improve network resiliency and provide for enhanced operational change processes:
SSO: Stateful Switchover
NSF: NonStop Forwarding
IOS Modularity
ISSU: In Service Software Upgrade
Catalyst 3750 stack switch redundancy leverages two mechanisms to improve network resiliency:
Stackwise and StackwisePlus
NSF supported as of 12.2(35)SE
[Diagram: Redundant Supervisors; Stateful Switchover (SSO) for L2, L3 & L4 protocols; NonStop Forwarding (NSF) for L3; IOS Modularity & ISSU]
Supervisor Processor Redundancy
Stateful Switch Over (SSO)
Active/standby supervisors run in synchronized mode
Redundant supervisor is in ‘hot-standby’ mode
Switch processors synchronize L2 port state information (e.g., STP, 802.1x, 802.1q)
Switching HW synchronizes L2/L3 FIB, NetFlow and ACL tables
Provides for complete system recovery in under 1 sec
[Diagram: Active Supervisor and Standby Supervisor, each with SP, RP and PFC, connected to line cards with DFCs]
Supervisor Processor Redundancy
Stateful Switch Over (SSO)
Switch#sh mod
Chassis Type : WS-C4507R
Power consumed by backplane : 40 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB0627065V
 2     2  Supervisor IV 1000BaseX (GBIC)         WS-X4515           JAB064907TY
 3    24  10/100/1000BaseT (RJ45)                WS-X4424-GB-RJ45   JAB052406EF
<snip>
Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+-------------------
 1   Active Supervisor   SSO                 Active
 2   Standby Supervisor  SSO                 Standby hot
Switch(config)#redundancy
Switch(config-red)#mode ?
  rpr  Route Processor Redundancy
  sso  Stateful Switchover
System Resiliency
NSF Recovery (Routing Protocol Recovery)
Non-Stop Forwarding enhancements to OSPF, EIGRP, IS-IS and BGP
An NSF-capable router continuously forwards packets during router recovery after an SSO processor or ION process recovery
NSF-aware and NSF-capable routers provide for transparent routing protocol recovery
Graceful restart extensions enable neighbor recovery without resetting adjacencies
Routing database re-synchronization occurs in the background
[Diagram: campus topology with switches labelled NSF-Aware and NSF-Aware, NSF-Capable]
System Resiliency
NSF OSPF Example
No Route Flaps During Recovery
Switch#*Aug 11 15:37:49: %OSPF-5-ADJCHG: Process 100, Nbr 100.1.1.1 on Vlan608 from LOADING to FULL, Loading Done
Switch#show ip ospf
<snip>
Non-Stop Forwarding enabled, last NSF restart 00:00:23 ago (took 31 secs)
<snip>
Switch#show ip ospf neighbor detail
Neighbor 100.1.1.1, interface address 172.26.197.67
<snip>
LLS Options is 0x1 (LR), last OOB-Resync 00:00:41 ago
Dead timer due in 00:00:33
<snip>
OSPF-ADJCHG messages appear on the switches after a switchover even though no route flaps occur during an NSF switchover
System Resiliency
NSF Configuration
Switch(config)#router ospf 100
Switch(config-router)#nsf
Switch(config-router)#nsf ?
  enforce  Cancel NSF restart when non-NSF-aware neighbors detected
Switch(config)#router eigrp 100
Switch(config-router)#nsf
Switch(config-router)#timers nsf ?
  converge    EIGRP time limit for convergence after switchover
  route-hold  EIGRP hold time for routes learned from nsf peer
  signal      EIGRP time limit for signaling NSF restart
Switch(config-router)#bgp graceful-restart ?
  restart-time    Set the max time needed to restart and come back up
  stalepath-time  Set the max time to hold onto restarting peer's stale paths
  <cr>
Switch(config-router)#bgp graceful-restart
Switch(config)#router isis level2
Switch(config-router)#nsf cisco
or
Switch(config)#router isis level2
Switch(config-router)#nsf ietf
Design Considerations for NSF/SSO
Supervisor Uplinks
Cisco Catalyst 4500: supervisor uplink ports are active and forward traffic as long as the supervisor is fully inserted
Uplink ports do not go down when a supervisor is reset
Cisco Catalyst 6500: both the active supervisor and the standby supervisor uplink ports are active as long as the supervisors are up and running
Uplink ports go down when the supervisor is reset
Best practice when using uplinks on redundant supervisors is to utilize EtherChannel, e.g. bundle 5/1 & 6/1
• Catalyst 6500 Supervisors: all ports are active
• Catalyst 4500 Supervisor II+, Supervisor IV: 2 x GigE ports are active
• Catalyst 4500 Supervisor II+10GE: 2 x 10GE and 4 x GigE ports are active
[Diagram: supervisor uplink port numbering on slots 1 and 2 (1/1 to 1/6 and 2/1 to 2/6; 1/1, 1/2 and 2/1, 2/2)]
Design Considerations for NSF/SSO
Where Does It Make Sense?
Redundant topologies with equal cost paths provide sub-second convergence
NSF/SSO provides superior availability in environments with non-redundant paths
[Chart: Seconds of Lost Voice for Node Failure (NSF/SSO) vs. Link Failure (OSPF Convergence); RP convergence is dependent on IGP and tuning]
Design Considerations for NSF/SSO
Where Does It Make Sense?
Not all IOS features are SSO aware
As of 12.2(31)SG Catalyst 4500 supports SSO aware HSRP
6500 will support in H107
HSRP doesn’t flap on Supervisor SSO switchover
[Chart: Seconds of Lost Voice, Non SSO aware HSRP vs. SSO aware HSRP]
Design Considerations for NSF/SSO
Where Does It Make Sense?
Access switch is the single point of failure in best practices HA campus design
Supervisor failure is most common cause of access switch service outages
Recommended design NSF/SSO provides for sub 600 msec recovery of voice and data traffic
[Chart: Seconds of Lost Voice, NSF-Enabled Optimal vs. NSF-Enabled Maximum]
System Resiliency
IOS Modularity and In Service Software Upgrade
In a redundant topology the standard maintenance practice is to shut down devices during upgrade and let the network converge
IOS Modularity and ISSU provide the ability to patch or upgrade software in place without having to shut down
In the access layer or any other single point of failure this can be a significant improvement in operational practices
[Diagram: Scheduled Maintenance at half capacity vs. ISSU with all paths and switches active during upgrade]
System Resiliency
In Service Software Upgrade (ISSU)
• Full image upgrade: new features and patches
• Selective maintenance: patch a component
• Component upgrade: add new features to existing base
Cisco IOS Software Modularity
Catalyst 6500
Combines a network optimized microkernel with the feature subsystems and functions enterprise and metro Ethernet customers depend on:
20+ independent processes
Remaining feature subsystems live in Cisco IOS Base process
Retains support for Cisco IOS features
Whole system benefits from integrated HA infrastructure which determines best action to take for improved resiliency
Preserves Cisco Catalyst 6500 Series benefits:
Separate Control and Data Planes
NSF and GOLD
Hardware Acceleration
Scalability
[Diagram: Routing, IPFS, TCP, UDP, CDP, EEM, INETD and IOS-BASE processes over the High Availability Infrastructure and Network Optimized Microkernel, on the Catalyst 6500 Hardware Data Plane]
Cisco IOS Software Modularity Benefits
Minimize Unplanned Downtime
If an error occurs in a modular process, the HA subsystem determines the best recovery action:
Restart a modular process
Switchover to standby supervisor
Remove the system from the network
Process restarts with no impact on the data plane
Utilizes Nonstop Forwarding (NSF) even with a single Supervisor with NSF-Aware neighbors
State checkpointing allows quick process recovery
Traffic forwarding continues during unplanned process restarts
[Diagram: Routing, IPFS, TCP, UDP, CDP, EEM, INETD and IOS-BASE processes over the High Availability Infrastructure and Network Optimized Microkernel, on the Catalyst 6500 Hardware Data Plane]
Cisco IOS Software Modularity
Subsystem ISSU – Software Patching
Patching is always a two-step process:
1. Install the patch
Does not change anything on the running version of code
Can be performed for multiple patches before next step
Verifies patch dependencies
2. Activate the patch
All patches that are pending for install are activated at the same time
Copy of previous code is retained for rollback purposes
Patches downloaded from CCO: http://www.cisco.com/go/pn
[Diagram: patch copied from a server (FTP, TFTP) to Catalyst 6500 flash memory; Step 1 install file, Step 2 install activate]
In Service Software Upgrade
Catalyst 4500
Full image ISSU provides a mechanism to perform software upgrades and downgrades without taking the switch out of service
Leverages the capabilities of NSF and SSO to allow the switch to forward traffic during supervisor IOS upgrade (or downgrade)
Network does not re-route and no active links are taken out of service
[Diagram: chassis with active supervisor running 12.2(xw)SG, standby supervisor running 12.2(xy)SG, and line cards]
In Service Software Upgrade
ISSU Stages
ISSU upgrade is a four-step process: loadversion, runversion, acceptversion, commitversion
Possible to rollback (abortversion) up until you complete the 4th step (commit to final state)
Leverages NSF/SSO to implement supervisor transition
Requires that the two images are compatible for upgrade/downgrade processing
[Diagram: supervisor image versions through each stage, from the initial state (both supervisors on 12.2(31)SGA, the 12.2(xw)SG image) to the final state (both on 12.2(31)SGA1, the 12.2(xy)SG image)]
Unified Communications Network
Agenda
Resilient Network Design
Network Resiliency
High Availability Design Principles
Redundancy in the Distribution Block
Redundancy and Routing Design
Switch Resiliency
NSF/SSO
ISSU & IOS Modularity
GOLD & EEM
Hardening the Network
Layer 2 Security
Understanding UC Requirements
Quality of Service
Systems Resiliency
Proactive Fault Detection and Notification
Improved physical redundancy is not enough, intelligent system failure detection is key
[Diagram: detect and isolate system faults (memory corruption, software inconsistency) for enhanced system stability and enhanced network stability]
Generic Online Diagnostics: HW/SW state, memory, LC module, temperature, power supply, fan tray
Power-on Diagnostics: supervisor, backplane, L2 ASIC, L3 ASIC, memory, port
Generic Online Diagnostics
How Does GOLD Work?
GOLD: check the health of hardware components and verify proper operation of the system data plane and control plane at run-time and boot-time
Diagnostic packet switching tests verify that the system is operating correctly:
Is the supervisor control plane and forwarding plane functioning properly?
Is the standby supervisor ready to take over?
Are linecards forwarding packets properly?
Are all ports working?
Is the backplane connection working?
Other types of diagnostics tests including memory and error correlation tests are also available
[Diagram: diagnostic packets from the active supervisor CPU through the forwarding engines, fabric, standby supervisor and line cards]
Generic Online Diagnostics
Diagnostic Operation
Boot-Up Diagnostics: run during system bootup, line card OIR or supervisor switchover; makes sure faulty hardware is taken out of service
Switch(config)#diagnostic bootup level complete
Runtime Diagnostics
Health-Monitoring: non-disruptive tests run in the background; serves as HA trigger
Switch(config)#diagnostic monitor module 5 test 2
Switch(config)#diagnostic monitor interval module 5 test 2 00:00:15
On-Demand: all diagnostics tests can be run on demand, for troubleshooting purposes; it can also be used as a pre-deployment tool
Switch#diagnostic start module 4 test 8
Module 4: Running test(s) 8 may disrupt normal system operation
Do you want to continue? [no]: y
Switch#diagnostic stop module 4
Scheduled: schedule diagnostics tests, for verification and troubleshooting purposes
Switch(config)#diagnostic schedule module 4 test 1 port 3 on Jan 3 2005 23:32
Switch(config)#diagnostic schedule module 4 test 2 daily 14:45
Generic Online Diagnostics
Using Diagnostics as a Pre-Deployment Tool
Cat-6500#diagnostic start module 6 test all
Module 6: Running test(s) 8 will require resetting the line card after the test has completed
Module 6: Running test(s) 1-2,5-9 may disrupt normal system operation
Do you want to continue? [no]: yes
<snip>
*Mar 25 22:43:16: SP: ******************************************************************
*Mar 25 22:43:16: SP: * WARNING:
*Mar 25 22:43:16: SP: * ASIC Memory test on module 6 may take up to 2hr 30min.
*Mar 25 22:43:16: SP: * During this time, please DO NOT perform any packet switching.
*Mar 25 22:43:16: SP: ******************************************************************
<snip> . . .
Cat-6500#diagnostic start system test all
****************************************************************
* WARNING: *
* Diagnostic System Test will disrupt normal system *
* operation and also system required RESET after system *
* test is done prior to normal use. *
<snip> . . .
Note: the order in which tests are run matters
• Run diagnostics first on linecards, then on supervisors
• Run packet switching tests first, run memory tests after
• Simplified CLI for system test correctly orders diagnostics (12.2(33)SXH)
Embedded Event Manager
Proactive Fault Detection and Notification
EEM is a Cisco IOS technology that runs on the control plane. It is a combination of processes designed to monitor key system parameters such as CPU utilization, interface errors, counters, SNMP and SYSLOG events, and act on specific events or thresholds/counters that are exceeded
[Diagram: EEM event detectors]
Embedded Event Manager
EEM Application Example
Upon matching the provided SYSLOG message ‘LINK-3-UPDOWN’, the switch performs the following actions:
Display error statistics for the link that has gone down (interface error counters)
Start a Time Domain Reflectometry (TDR) test
Start a GOLD loopback test
Send the results using a provided template to a user-configurable address (email alert)
[Diagram: an interface down event caused by a cable fault between two ports triggers EEM, which runs the TDR test and the GOLD loopback test]
Embedded Event Manager
Embedded Event Manager (EEM) Scripting Community
Cisco IOS Embedded Event Manager (EEM): automation, event driven scripts
Cisco Beyond, an EEM scripting community: for customers, partners, and Cisco to share EEM scripts and get best-practice examples
EEM and Cisco Beyond
http://cisco.com/go/eem
http://forums.cisco.com/eforum/servlet/EEM?page=main
Network Infrastructure Integration
Understanding Edge Security & L2 Attacks
Phone contains a 3 port switch that is configured in conjunction with the access switch and CallManager
1. Power negotiation
2. VLAN configuration
3. 802.1x interoperation
4. QoS configuration
5. DHCP
6. CallManager registration
Phone interaction with infrastructure edge security:
Switch detects IP phone and applies power
CDP transaction between phone and switch
IP phone placed in proper VLAN
DHCP request and CallManager registration
Attack: MAC Flooding
CAM Table Overflow
[Diagram: MAC A on port 1, MAC B on port 2, MAC C on port 3; the host on port 3 claims MACs Y and Z, so the CAM table fills with Y and Z on port 3, and traffic A -> B is flooded to port 3: “I see traffic to B!”]
Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN
Attack: MAC Flooding
CAM Table Overflow
macof sends random source MAC and IP addresses
Much more aggressive if you run the command “macof -i eth1 2> /dev/null”
macof (part of dsniff): http://monkey.org/~dugsong/dsniff/
Yersinia: flavor of the month attack tool
macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
Countermeasures for MAC Attacks
Port Security limits the number of MACs learned on an interface
IOS
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
Number is not to control access, it is to protect the switch from attack
Depending on security policy, disabling the port might be preferred, even with VoIP
Aging time of two and aging type inactivity to allow for phone CDP of one minute
Will enable voice to work under attack
If violation error-disable, the following log message will be produced:
4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
Countermeasures for MAC Attacks
With IP Phones
Phones can use 2 or 3 MAC addresses depending on the switch hardware and software
Some switches look at the CDP traffic and some don’t; if they don’t, they need 2, if they do they need 3
Some hardware (3550) will always need 3
Default config is disable port, might want to restrict for VoIP
This feature is to protect that switch, you can make the number anything you like as long as you don’t overrun the CAM table
[Diagram: IP phone and PC on an access port; could use 2 or 3 MAC addresses allowed on the port; shutdown on violation]
Note: when using the restrict feature of Port Security, if the switch is under attack, you will see a performance hit on the CPU
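A model of the CAM table overflow and of the port-security countermeasure above, added here and not part of the Cisco deck: a random-source-MAC flood is run against a switch model with no port security, with "maximum 3 violation restrict", and with "violation shutdown". The CAM capacity of 8,192, the attacker port and the host addresses are constructed for the illustration, and port security is modelled only on the attacker's port.

```python
import random
from collections import defaultdict
from typing import Dict, Optional, Set

CAM_CAPACITY = 8192                       # constructed: small so the flood fills it quickly
HOST_A = "00:0e:00:aa:aa:aa"              # port 1 (addresses taken from the deck's "bogus MACs" list)
HOST_B = "00:0e:00:bb:bb:bb"              # port 2
ATTACKER_PORT = 3


class CamTable:
    def __init__(self, capacity: int = CAM_CAPACITY) -> None:
        self.capacity = capacity
        self.entries: Dict[str, int] = {}     # MAC -> port
        self.flooded = 0                       # frames flooded out every port of the VLAN

    def learn(self, mac: str, port: int) -> None:
        """Learn a source MAC; a full table silently learns nothing new."""
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = port

    def age_out(self, mac: str) -> None:
        self.entries.pop(mac, None)

    def forward(self, dst_mac: str) -> Optional[int]:
        """Egress port for a destination, or None when the frame must be flooded."""
        port = self.entries.get(dst_mac)
        if port is None:
            self.flooded += 1
        return port


class PortSecurity:
    """switchport port-security maximum N, violation restrict | shutdown."""

    def __init__(self, maximum: int, violation: str = "restrict") -> None:
        self.maximum = maximum
        self.violation = violation
        self.secure: Dict[int, Set[str]] = defaultdict(set)   # port -> secured MACs
        self.violations: Dict[int, int] = defaultdict(int)
        self.err_disabled: Set[int] = set()

    def admit(self, mac: str, port: int) -> bool:
        """True if the frame may be switched (and its MAC learned), False if dropped."""
        if port in self.err_disabled:
            return False
        learned = self.secure[port]
        if mac in learned:
            return True
        if len(learned) < self.maximum:
            learned.add(mac)
            return True
        self.violations[port] += 1            # restrict: drop, count, notify
        if self.violation == "shutdown":
            self.err_disabled.add(port)       # the %PM-4-ERR_DISABLE case quoted on the deck
        return False


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_flood(frames: int, security: Optional[PortSecurity], seed: int = 1) -> dict:
    """macof-style flood from port 3; then host B's entry ages out and A sends to B."""
    rng = random.Random(seed)
    cam = CamTable()
    cam.learn(HOST_A, 1)
    cam.learn(HOST_B, 2)

    def attacker_sends(n: int) -> None:
        for _ in range(n):
            src = random_mac(rng)
            if security is None or security.admit(src, ATTACKER_PORT):
                cam.learn(src, ATTACKER_PORT)

    attacker_sends(frames)
    cam.age_out(HOST_B)           # B has been quiet for the CAM aging time
    attacker_sends(100)           # the flood keeps refilling any freed slot
    cam.learn(HOST_B, 2)          # B transmits again
    egress = cam.forward(HOST_B)  # A -> B: port 2, or None = flooded to the attacker too
    return {"cam_entries": len(cam.entries), "a_to_b_port": egress,
            "flooded": cam.flooded,
            "violations": security.violations[ATTACKER_PORT] if security else 0}


if __name__ == "__main__":
    print("no port security  :", run_flood(10000, None))
    print("maximum 3 restrict:", run_flood(10000, PortSecurity(3, "restrict")))
    print("maximum 3 shutdown:", run_flood(10000, PortSecurity(3, "shutdown")))
```

The restrict case shows the CPU-cost point made on the slide: every dropped frame is still counted as a violation, while shutdown stops counting after the first one because the port is err-disabled.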
Building the Layers
Catalyst Integrated Security Features
Port security prevents CAM attacks and DHCP Starvation attacks
[Diagram: feature layers Port Security up to IP Source Guard; 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.) make the switch act like a hub]
Attack: DHCP Starvation
Gobbler
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
DHCP Discovery (Broadcast) x (Size of Scope)
Gobbler uses a new MAC address to request a new DHCP lease
[Diagram: Client, Gobbler and DHCP Server on the same switch]
Restrict the number of MAC addresses on a port:
IOS
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
Attack: Rogue DHCP Server
[Diagram: client sends DHCP Discovery (broadcast); DHCP Offer (unicast) comes back from the rogue server]
What can the attacker do if he is the DHCP server?
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.140
DNS Servers: 10.10.10.140
Lease Time: 10 days
Wrong default gateway: attacker is the gateway
Wrong DNS server: attacker is DNS server
Wrong IP address: attacker does DoS with incorrect IP
Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping
By default all ports in the VLAN are untrusted
[Diagram: DHCP Snooping enabled; client and rogue server on untrusted ports, DHCP server on a trusted port; BAD DHCP responses (offer, ack, nak) from the untrusted rogue server are dropped, OK responses from the trusted server pass]
IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
DHCP Snooping Untrusted Client
Interface Commands
no ip dhcp snooping trust (Default)
ip dhcp snooping limit rate 10 (pps)
DHCP Snooping Trusted Server or Uplink
Interface Commands
ip dhcp snooping trust
Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping
Table is built by “snooping” the DHCP reply to the client
Entries stay in table until DHCP lease time expires
If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed
[Diagram: DHCP Snooping enabled; client and rogue server untrusted, DHCP server trusted; BAD DHCP responses (offer, ack, nak) dropped, OK responses passed]
DHCP Snooping Binding Table
sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
Countermeasures for DHCP Attacks
DHCP Option 82: Upstream Modifications
DHCP Snooping modifies the DHCP Discovery packet by adding an option 82 field
Identifies the ‘circuit-id’ (switch port) that the DHCP discovery packet originated on; defined in RFC 3046
Necessary to configure the distribution switch to trust modified DHCP Discovery packets
[Diagram: DHCP Request with Opt 82 from the access switch to the distribution switch (trusted DHCP relay, trusts downstream DHCP relay agents), then DHCP Request with giaddr set on to the DHCP server]
! Distribution Switch -
! Trust DHCP packets modified by Access Switch with option 82
ip dhcp relay information trust-all
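The option 82 insertion and the relay-side trust check described above, as an added example that is not part of the Cisco deck: it builds a minimal DHCPDISCOVER, appends the relay agent information option with the RFC 3046 circuit-id and remote-id sub-options as a snooping access switch would, parses it back, and models the relay rule that "ip dhcp relay information trust-all" relaxes (option 82 present with giaddr 0.0.0.0 is dropped unless downstream relay agents are trusted). The sub-option contents, the transaction id and the function names are constructed; Cisco encodes the circuit-id in its own binary format, which is not reproduced here.

```python
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # RFC 3046 sub-options
DHCPDISCOVER = 1
GIADDR_OFFSET = 24                          # RFC 2131 fixed header layout


def build_discover(chaddr: bytes, giaddr: str = "0.0.0.0") -> bytes:
    """Minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie, message type, end."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                       # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,            # xid (constructed), secs, flags=broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr
        bytes(int(o) for o in giaddr.split(".")),
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def giaddr_of(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def parse_tlvs(data: bytes, end_code: Optional[int] = None) -> Dict[int, bytes]:
    """Walk a code/length/value list; code 0 is a one-byte pad, `end_code` stops the walk."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == end_code:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_options(packet: bytes) -> Dict[int, bytes]:
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return parse_tlvs(packet[240:], OPT_END)


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Sub-options of option 82: 1 = Agent Circuit ID, 2 = Agent Remote ID."""
    return parse_tlvs(value)


def add_option82(packet: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """What the snooping access switch does on the way upstream: add option 82 before END."""
    parse_options(packet)                       # validates the packet first
    if packet[-1] != OPT_END:
        raise ValueError("packet does not end with the END option")
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id +
            bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return packet[:-1] + bytes([OPT_RELAY_AGENT, len(subs)]) + subs + bytes([OPT_END])


def relay_accepts(packet: bytes, trust_all: bool) -> Tuple[bool, str]:
    """Distribution-switch relay check that 'ip dhcp relay information trust-all' relaxes."""
    if (OPT_RELAY_AGENT in parse_options(packet)
            and giaddr_of(packet) == "0.0.0.0" and not trust_all):
        return False, "dropped: option 82 present, giaddr 0.0.0.0, downstream agent not trusted"
    return True, "relayed"


if __name__ == "__main__":
    # Constructed sample: the phone from the deck's binding table on port Fa3/18.
    discover = build_discover(bytes.fromhex("000347b59fad"))
    tagged = add_option82(discover, b"Fa3/18", b"access-sw-1")
    print(parse_option82(parse_options(tagged)[OPT_RELAY_AGENT]))
    print("without trust-all:", relay_accepts(tagged, trust_all=False))
    print("with trust-all   :", relay_accepts(tagged, trust_all=True))
```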
Building The Layers
Catalyst Integrated Security Features
Port security prevents CAM attacks and DHCP Starvation attacks
DHCP Snooping prevents Rogue DHCP Server attacks
[Diagram: feature layers Port Security, DHCP Snooping, IP Source Guard; 132,000 bogus MACs make the switch act like a hub; rogue DHCP server saying “Use this IP address!” is blocked]
Attack: ARP
ARP Function Review
Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address
This ARP request is broadcast using EtherType 0x0806
All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply
[Diagram: “Who is 10.1.1.4?” broadcast; “I am 10.1.1.4, MAC A” reply]
Attack: ARP
ARP Function Review
According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
Anyone can claim to be the owner of any IP/MAC address they like
ARP attacks use this to redirect traffic
[Diagram: a host announces “I am 10.1.1.1, MAC A”; every other host on the subnet records “You are 10.1.1.1, MAC A”]
Attack: ARP
ARP Attack Tools
Many tools on the Net for ARP man-in-the-middle attacks
Dsniff, Cain & Abel, ettercap, Yersinia, etc...
ettercap: http://ettercap.sourceforge.net/index.php
Some are second or third generation of ARP attack tools
Most have a very nice GUI, and are almost point and click
Packet insertion, many-to-many ARP attack
Cain: www.oxid.it/cain.html
All of them capture the traffic/passwords of applications
FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc…
Attack: ARP
ettercap, CAIN, …
[Diagram: Vlan 10 with a Catalyst 4500, a User PC and a Hacker PC at 10.1.1.1 (MAC 00-0F-8F-7A-2C-3F), 10.1.1.2 (MAC 00-15-58-2D-08-2A) and 10.1.1.3 (MAC 00-0D-60-7A-25-02)]
ARP caches before the attack: 10.1.1.1 is 00-0F-8F-7A-2C-3F; 10.1.1.3 is 00-0D-60-7A-25-02
ARP caches after the attack: 10.1.1.1 is 00-15-58-2D-08-2A; 10.1.1.3 is 00-15-58-2D-08-2A
ARP cache of the Hacker PC keeps the true mappings: 10.1.1.1 is 00-0F-8F-7A-2C-3F; 10.1.1.3 is 00-0D-60-7A-25-02
Countermeasures to ARP Attacks
Dynamic ARP Inspection (DAI)
Uses the DHCP Snooping Binding table information
All ARP packets must match the IP/MAC Binding table entries
If the entries do not match, throw them in the bit bucket
[Diagram: DHCP Snooping enabled, Dynamic ARP Inspection enabled; hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B), 10.1.1.3 (MAC C); MAC C sends an ARP to 10.1.1.1 saying 10.1.1.2 is MAC C and an ARP to 10.1.1.2 saying 10.1.1.1 is MAC C; the switch asks “Is this in my binding table? NO!” and the non-matching ARPs go in the bit bucket]
Countermeasures to ARP Attacks
Dynamic ARP Inspection
Uses the information from the DHCP Snooping Binding table
Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked
sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthermet3/21
No entry in the binding table: no traffic!
Wait until all devices have new leases before turning on Dynamic ARP Inspection
Entries stay in table until the lease runs out
All switches have a binding size limit
4500 switches: 3000 entries (6000 for the SupV-10GE)
6500 switches: 16,000 entries
Countermeasures to ARP Attacks
Dynamic ARP Inspection
IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 4,104
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
Interface Commands
no ip dhcp snooping trust
no ip arp inspection trust
ip arp inspection limit rate 100
DAI is configured on a per VLAN basis
You can trust an interface like DHCP Snooping
Suggested for voice is to set the DAI rate limit above the default if you feel dial tone is important
Non DHCP Devices
Can use static bindings in the DHCP Snooping Binding table
IOS
Global Commands
ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1
IOS
Show Commands
show ip source binding
Showing static and dynamic entries in the DHCP Snooping Binding table uses a different command
Security Demo
Building The Layers
Catalyst Integrated Security Features
Port security prevents CAM attacks and DHCP Starvation attacks
DHCP Snooping prevents Rogue DHCP Server attacks
Dynamic ARP Inspection prevents current ARP attacks
[Diagram: feature layers Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard; 132,000 bogus MACs make the switch act like a hub; rogue DHCP server saying “Use this IP address!” is blocked; man in the middle towards the email server (“Your email passwd is ‘joecisco’!”) is blocked]
Attack: IP and MAC Spoofing
IP Source Guard
Uses the DHCP Snooping Binding Table information
IP Source Guard operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets
[Diagram: DHCP Snooping, Dynamic ARP Inspection and IP Source Guard enabled; hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B), 10.1.1.3 (MAC C); received traffic with source IP 10.1.1.2 / MAC B and 10.1.1.3 / MAC C matches; traffic sent with IP 10.1.1.3 / MAC B and with IP 10.1.1.2 / MAC C does not: “Is this in my binding table? NO!”, non-matching traffic dropped]
Countermeasures to Spoofing Attacks:
IP Source Guard
Uses the information from the DHCP Snooping Binding table
sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthermet3/21
DHCP Snooping has to be configured so the binding table is built
IP Source Guard is configured by port
IP Source Guard with MAC does not learn the MAC from the device connected to the switch, it learns it from the DHCP Offer
Countermeasures to Spoofing Attacks
IP Source Guard
IP Source Guard Configuration, IP/MAC Checking Only (Opt 82)
IOS
Global Commands
ip dhcp snooping vlan 4,104
ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping port-security
IP Source Guard Configuration, IP Checking Only (no Opt 82)
IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping
MAC and IP checking can be turned on separately or together
For IP: will work with the information in the binding table
For MAC: must have an Option 82 enabled DHCP server (Microsoft does not support option 82)
Have to change bootp-helper router configuration to support Option 82: ‘dhcp relay information trust’
Note: there are at least two DHCP servers that support the Option 82 field: Cisco Network Registrar® and Avaya
Slide 112
Building The Layers
Catalyst Integrated Security Features
Port security prevents CAM attacks and DHCP Starvation
attacks
DHCP Snooping prevents Rogue DHCP Server attacks
Dynamic ARP Inspection prevents current ARP attacks
IP Source Guard prevents IP/MAC Spoofing
(Figure: the four Catalyst integrated security features layered on the access switch, Port Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard, against the attacks each stops: a flood of bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ... 132,000 of them) that makes the switch act like a hub; a rogue DHCP server answering "Use this IP address!"; and a man in the middle reading "Your email password is 'joecisco'!" from the email server traffic.)
Slide 113
Attack: VLAN Hopping
Avoid the use of the native VLAN on trunks
Double-encapsulated (802.1Q-in-802.1Q) packets allow a compromised server to join the default or native VLAN and then "hop" VLANs: the first switch removes the outer tag (the native VLAN, which leaves the trunk untagged) and forwards the packet, the next switch reads the inner tag, and traffic jumps from VLAN 10 to VLAN 20, reaching server2 on VLAN 20 (for example through a netcat tunnel)
Configure an unused dummy VLAN as the native VLAN
Alternative on the 6500 is to configure encapsulation (tagging) of the native VLAN:
6500(config)#vlan dot1q tag native
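The double-tagging mechanism described on this slide, as an added example that is not part of the deck: a Python model of an 802.1Q-in-802.1Q frame crossing an access port and a trunk, with both countermeasures the slide gives (a dummy native VLAN, and `vlan dot1q tag native`). The frame builder, the switch-behaviour functions and the attacker MAC `00:0e:00:aa:aa:aa` are constructed for illustration; the model assumes, as the slide does, that the access port accepts a frame tagged with its own VLAN and that an untagged native VLAN is stripped on trunk egress.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def build_frame(dst, src, vlans, payload=b""):
    """Ethernet II frame with stacked 802.1Q tags, outermost first (constructed)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ETH_P_IP) + payload


def pop_tag(frame):
    """(outer VLAN id, frame without that tag), or (None, frame) if untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port receive. Untagged frames join access_vlan; a frame whose outer
    tag equals access_vlan is accepted and that tag removed (the edge case that
    double tagging relies on); a tag for any other VLAN is discarded."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, inner) if vid == access_vlan else (None, None)


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Trunk send. The native VLAN leaves untagged unless `vlan dot1q tag native`
    is configured; every other VLAN gets its tag pushed."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(wire_frame, native_vlan):
    """Trunk receive. The outer tag selects the VLAN; untagged means native."""
    vid, inner = pop_tag(wire_frame)
    return (native_vlan, wire_frame) if vid is None else (vid, inner)


def hop_result(attacker_tags, access_vlan, native_vlan, tag_native=False):
    """VLAN in which the far-end switch delivers the attacker's frame, or None if
    the first switch discards it. Path: attacker's access port -> trunk -> switch 2."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:0e:00:aa:aa:aa", attacker_tags, b"data")
    vlan, frame = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    far_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return far_vlan


if __name__ == "__main__":
    # Attacker sits in VLAN 10, which is also the trunk's native VLAN.
    print("native 10, untagged   :", hop_result([10, 20], 10, 10))        # 20: hopped
    print("native 10, tag native :", hop_result([10, 20], 10, 10, True))  # 10
    print("dummy native 999      :", hop_result([10, 20], 10, 999))       # 10
```

The hop only works because the outer tag is silently removed on the native VLAN; with either countermeasure the outer tag stays on the wire and the far-end switch keeps the frame in VLAN 10, with the attacker's inner tag left as harmless payload.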
Slide 114
Matrix for Security Features
Feature / Platform       6500/Catalyst OS   6500/Cisco IOS   4500/Catalyst OS   4500/Cisco IOS
Dynamic Port Security    7.6(1)             12.1(13)E        5.1(1)             12.1(13)EW
DHCP Snooping            8.5(6)             12.2(18)SXF      N/A                12.1(12c)EW **
DAI                      8.5(6)             12.2(18)SXF      N/A                12.1(19)EW **
IP Source Guard          8.5(6)             12.2(33)SXH      N/A                12.1(19)EW **
Sup720 or Sup32 is required for DHCP Snooping and DAI
** For the Catalyst 4500/IOS-based platforms this requires Sup2+, Sup3, Sup4 or Sup5. These Sups are supported on the Catalyst 4006, 4503, 4506 and 4507R chassis
NOTE: There are no plans to support these features for any Catalyst 4000/4500 platform running CatOS
IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Slide 115
Unified Communications Network
Agenda
Resilient Network Design
Network Resiliency
High Availability Design Principles
Redundancy in the Distribution Block
Redundancy and Routing Design
Switch Resiliency
NSF/SSO
ISSU & IOS Modularity
GOLD & EEM
Hardening the Network
Layer 2 Security
Quality of Service
Slide 116
Hardening The Network
Direct and Collateral Damage
Availability of networking resources impacted by the propagation of the worm
(Figure: an infected source at the access layer attacks a system under attack; the damage spreads through access, distribution and core.)
Network links overloaded: high packet loss; mission-critical applications impacted
Routers overloaded: high CPU; instability; loss of management
End systems overloaded: high CPU; applications impacted
Slide 117
Mitigating the Impact
Preventing and Limiting the Pain
Allow the network to do what you designed it to do, but not what you didn't
Protect the end systems: Cisco Security Agent
Protect the links: QoS; Scavenger class
Protect the switches: CEF; rate limiters; CoPP
Prevent the attack: NAC and IBNS; ACLs and NBAR
(Figure: the same access/distribution/core topology with an infected source and a system under attack.)
Slide 118
Worms Are Only One Problem
Other Sources of Pain
Internet worms are not the only type of
network anomaly
Multiple things can either go wrong or be
happening that you want to prevent and/or
mitigate
Spanning Tree Loops
NICs spewing garbage
Distributed Denial of Service (DDoS)
TCP Splicing, ICMP Reset attacks
Man-in-the-Middle (M-in-M) attacks
…
Security best practices ‘are’ HA best
practices in the resilient design
HA best practices ‘are’ security best
practices in the resilient design
Slide 119
QoS is a key component of Resiliency
Protect the Good and Punish the Bad
QoS does more than just protect voice and video
For “best-effort” traffic an implied “good faith” commitment that
there are at least some network resources available is assumed
Need to identify and potentially punish out of profile traffic
(potential worms, DDOS, etc.)
Scavenger class is an Internet-2 Draft Specification CS1/CoS1
(Figure: voice, data and scavenger classes carried from access through distribution to core.)
Slide 120
Resilient Network Design
Stick to Your Principles
Develop an architecture and stick to it
Ease operational support
Consistent deployment
Balance OPeX and CapEX
Remember you will have to live with this for a long time
Requirements will change
Plan for evolution
The one thing that doesn’t change is that there will be
change
Understand change
How your environments are changing
How the network equipment is evolving to meet that
change
Slide 121
Resilient Network Design
This Is What You Can Expect
Worst-case convergence for any campus failure event
(Chart: seconds until restoration of VoIP, y-axis 0 to 2 s, for four designs: L2 access (Rapid PVST+ and HSRP) with OSPF core*, L2 access with EIGRP core, L3 access with OSPF*, L3 access with EIGRP.)
*OSPF results require sub-second timers
Slide 122
Campus, Data Center & UC Design Guidance
Where to go for more information
http://www.cisco.com/go/srnd
Slide 123
BREAK
Slide 124
Network Design
Seminar for
Unified
Communications
Network Infrastructure
Quality of Service
Slide 125
Unified Communications Network
Agenda
Resilient Network Design
Quality of Service
QoS Best Practices Review
Campus QoS Design
Catalyst 4500 QoS Design
Catalyst 6500 QoS Design
Control Plane Policing
Slide 126
Enabling QoS in the Campus
Traffic Profiles and Requirements
Voice: smooth, benign, drop sensitive, delay sensitive, UDP priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. Bandwidth per call depends on codec, sampling rate and Layer 2 media
Video-Conf: bursty, greedy, drop sensitive, delay sensitive, UDP priority. One-way requirements: latency ≤ 150 ms, jitter ≤ 30 ms, loss ≤ 1%. IP/VC has the same requirements as VoIP but has radically different traffic patterns (bandwidth varies greatly)
Data: smooth/bursty, benign/greedy, drop insensitive, delay insensitive, TCP retransmits. Data classes: mission-critical apps, transactional/interactive apps, bulk data apps, best effort apps (default). Traffic patterns for data vary among applications
Slide 127
Enabling QoS
Elements that Affect End-to-End Delay
End-to-end delay (should be < 150 ms) between the campus (Cisco CallManager cluster) and the branch office (SRST router) across the IP WAN, with the PSTN as fallback:
CODEC: G.729A: 25 ms
Queuing: variable (can be reduced using LLQ)
Serialization: variable (can be reduced using LFI)
Propagation and network: 6.3 µs/km + network delay (variable)
Jitter buffer: 20–50 ms
Slide 128
UC & Network Infrastructure Integration
Quality of Service
UC interaction with infrastructure QoS: the phone contains a 3-port switch that is configured in conjunction with the access switch and CallManager
1. Power negotiation: switch detects the IP phone and applies power
2. VLAN configuration: CDP transaction between phone and switch; IP phone placed in the proper VLAN
3. 802.1x interoperation
4. QoS configuration
5. DHCP: DHCP request
6. CallManager registration
Slide 129
Classification & Marking
How should it be done?
QoS is implemented in Hardware on the modular
switching platforms and may be split across Supervisor
and linecards…
Actual QoS features are
dependent on the
specific forwarding
engine and/or Linecard
hardware version…
Slide 130
Classification & Marking
Where should it be done?
Classification and marking should be performed as close as technically
feasible to the sources so that prioritization may be implemented at congestion
points throughout the network. DSCP should be used wherever possible…
Access: classify and mark traffic at the physical port; queue on uplinks to distribution
Distribution and core: subsequent points in the network can now "trust" the marked values and queue based on the baseline values outlined below
Slide 131
Classification and Marking
QoS Baseline Marking Recommendations
Application             L3 Classification (DSCP / PHB / IPP)   L2 CoS
Routing                 48 / CS6 / 6                            6
Voice                   46 / EF / 5                             5
Video Conferencing      34 / AF41 / 4                           4
Streaming Video         32 / CS4 / 4                            4
Mission-Critical Data   26 / AF31* / 3                          3
Call Signaling          24 / CS3* / 3                           3
Transactional Data      18 / AF21 / 2                           2
Network Management      16 / CS2 / 2                            2
Bulk Data               10 / AF11 / 1                           1
Scavenger                8 / CS1 / 1                            1
Best Effort              0 / 0 / 0                              0
* Cisco's call-signaling marking migrated from AF31 to CS3; AF31 is still seen from older endpoints during the transition
Slide 132
Classification and Marking Design
RFC 4594 Configuration Guidelines
Application               DSCP   PHB    IETF RFC
Network Control           48     CS6    RFC 2474
VoIP Telephony            46     EF     RFC 3246
Call Signaling            40     CS5    RFC 2474
Multimedia Conferencing   34     AF41   RFC 2597
Real-Time Interactive     32     CS4    RFC 2474
Multimedia Streaming      26     AF31   RFC 2597
Broadcast Video           24     CS3    RFC 2474
Low-Latency Data          18     AF21   RFC 2597
OAM                       16     CS2    RFC 2474
High-Throughput Data      10     AF11   RFC 2597
Low-Priority Data          8     CS1    RFC 3662
Best Effort                0     DF     RFC 2474
Slide 133
Policing Design Principles
Where and How Should Policing Be Done?
Policing shall be applied as close to the traffic source as possible. In general it should be applied at the ingress point to the network (Access Layer) at the same time as the classification process…
Policing is applied to offending traffic classes to 'mark down' traffic to CS1 (Scavenger) rather than drop it
Queuing will then queue that traffic on the uplink to Distribution/Core, where CS1 occupies minimal bandwidth…
Slide 134
Queuing Design Principles
Where should it be done?
Queuing should be performed wherever there may be potential for congestion
(even if a rare occurrence), ensuring consistency between Campus/WAN/VPN
networks…
(Figure: access, distribution and core layers; queuing is applied at every potential congestion point.)
Recommended guidelines:
1) 25% allocated to the Best Effort (BE) class
2) Priority Queue (PQ) given a maximum of 33%
3) Scavenger should be provided with a minimal (5%) bandwidth share, so it is starved under congestion but not denied
4) Congestion management enabled on the non-PQ queues
Slide 135
Campus Queuing Design
Realtime, Best Effort, and Scavenger Queuing Rules
Real-Time ≤ 33%
Critical Data
Best Effort ≥ 25%
Scavenger/Bulk ≤ 5%
Slide 136
Unified Communications Network
Agenda
Network Resiliency
Layer 2 Security
Quality of Service
QoS Best Practices Review
Campus QoS Design
Catalyst 4500 QoS Design
Catalyst 6500 QoS Design
Control Plane Policing
Slide 137
Campus QoS Considerations
Establishing Trust Boundaries
(Figure: endpoints, access, distribution, core and WAN aggregators, with three candidate trust boundaries marked.)
1 Optimal trust boundary: trusted endpoint
2 Suboptimal trust boundary
3 Optimal trust boundary: untrusted endpoint
Slide 138
Access-Edge Trust Models
Endpoints and Endpoint Categories
Endpoints
• Analog gateways
• IP-conferencing stations
• Videoconferencing
gateways and systems
• Video surveillance units
• Wireless access points
• Wireless IP phones
• Servers
• Client PCs
Endpoint Categories
• Trusted endpoints
• Untrusted endpoints
• Conditionally-trusted
endpoints
Slide 139
Campus QoS Considerations
Trust Boundary Extension and Operation
(Figure: PC on VLAN 10 behind an IP phone on VLAN 110, connected to an access switch; the trust boundary is extended to the phone.)
1 Switch and phone exchange CDP; the trust boundary is extended to the IP phone ("I see you're an IP phone, so I will trust your CoS")
2 Phone sets CoS to 5 for VoIP and to 3 for call-signaling traffic ("Voice = 5, Signaling = 3")
3 PC sets CoS to 5 for all its traffic; the phone rewrites CoS from the PC port to 0 (all PC traffic is reset to CoS 0)
4 Switch trusts CoS from the phone and maps CoS to DSCP for output queuing ("CoS 5 = DSCP 46", "CoS 3 = DSCP 24", "CoS 0 = DSCP 0")
Slide 140
Access-Edge Trust Models
Trusted Endpoint Model
DSCP from endpoint is accepted and admitted
onto the network unaltered
Policing is optional
(Flow: Start → trust DSCP → optional policing → transmit packet with DSCP unaltered)
Slide 141
Access-Edge Trust Models
AutoQoS—VoIP Model
(Flow, from Start: VVLAN + DSCP EF? Yes: trust and transmit. No: VVLAN + DSCP CS3? Yes: trust and transmit. No: DVLAN ANY: remark to DSCP 0 and transmit.)
Slide 142
Access-Edge Trust Models
IP Phone + PC + Scavenger (Basic) Model
(Flow, from Start, first match wins:)
VVLAN + DSCP EF: ≤ 128 kbps? Yes: trust and transmit. No: drop
VVLAN + DSCP CS3: ≤ 32 kbps? Yes: remark to DSCP CS3 and transmit. No: remark to DSCP CS1 and transmit
VVLAN ANY (other): ≤ 32 kbps? Yes: remark to DSCP 0 and transmit. No: remark to DSCP CS1 and transmit
DVLAN ANY: ≤ 5 Mbps? Yes: remark to DSCP 0 and transmit. No: remark to DSCP CS1 and transmit
Slide 143
Campus QoS Considerations
Typical Campus Oversubscription Ratios
Campus networks are always designed with oversubscription in mind to take
advantage of the bursty nature of traffic and the assumption that not all users
are requiring bandwidth simultaneously…
(Figure: core, distribution and access layers.)
Access to distribution: typically 20:1 ratio
Distribution to core: typically 4:1 ratio
Slide 144
Campus QoS Design Considerations
Catalyst Hardware Queuing
(Figure: a normal queue with drop threshold 1 and drop threshold 2.)
All Catalyst switches have hardware-based queues, which differ depending on the module or port ASIC used. They are described using the notation 1PxQyT, where 1P is the single strict-priority queue, x is the number of normal queues and y the number of drop thresholds within each normal queue…
1p3q8t = 1 priority queue with 3 normal queues, each containing 8 drop thresholds
Slide 145
Campus QoS Considerations
Where Is QoS Required Within the Campus?
(Figure: FastEthernet access edges with IP phones + PCs and server farms, GigabitEthernet uplinks to a Cisco Catalyst 6500 PFC3 distribution, Ten GigabitEthernet in the core, and a WAN aggregator. Labels on the layers: no trust + policing + queuing; conditional trust + policing + queuing; trust DSCP + queuing; per-user microflow policing + CoPP.)
Slide 146
Unified Communications Network
Agenda
Network Resiliency
Layer 2 Security
Quality of Service
QoS Best Practices Review
Campus QoS Design
Catalyst 4500 QoS Design
Catalyst 6500 QoS Design
Control Plane Policing
Slide 147
QoS on the Catalyst 4500
(Figure: RX → classify (TCAM) → ingress/egress police → enters fabric → leaves fabric → shaping, sharing and scheduling across queues 1 to 4 → TX. QoS actions at the supervisor forwarding ASIC: classification and policing using the TCAM and the NFL2/NetFlow TCAM (enhanced QoS). QoS actions at the scheduling ASIC: shaping, sharing, scheduling and Dynamic Buffer Limiting (DBL).)
Catalyst 4500 implements a sophisticated suite of QoS features
These QoS features are implemented with three major components:
TCAMs (policers)
NetFlow feature (UBRL on SupV-10GE)
Dynamic Buffer Limiting (DBL)
Slide 148
Cisco Catalyst 4500 QoS Design
Enabling QoS Globally
CAT4500#show qos
QoS is disabled globally ! By default QoS is disabled
IP header DSCP rewrite is enabled
CAT4500#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CAT4500(config)#qos ! Enables QoS globally for the Cat4500
CAT4500(config)#end
CAT4500#
CAT4500#show qos
QoS is enabled globally ! Verifies that QoS is enabled globally
IP header DSCP rewrite is enabled
CAT4500#
Slide 149
Cisco Catalyst 4500 QoS Design
Access-Layer QoS Design Options
Global commands: globally enable QoS + CoPP
Access edges: Trusted-Endpoint Model, AutoQoS VoIP Model, or IP Phone + PC + Scavenger (Basic) Model; 1P3Q1T queuing + DBL
Uplinks to distribution layer: trust DSCP; 1P3Q1T queuing + DBL
Slide 150
Cisco Catalyst 4500
Trusted Endpoint
Cisco IOS Trust:
CAT4500-IOS(config)#interface FastEthernet3/1
CAT4500-IOS(config-if)#qos trust dscp
Slide 151
Cisco Catalyst 4500
AutoQoS: VoIP Model
Options:
auto qos voip cisco-phone
auto qos voip trust
!
qos
qos dbl
qos map cos 3 to 26
qos map cos 5 to 46
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
!
policy-map autoqos-voip-policy
class class-default
dbl
!
Interface GigabitEthernet0/1
qos trust device cisco-phone
qos trust cos
tx-queue 3
priority high
shape percent 33
bandwidth percent 33
!
CAT4500(config-if)#auto qos voip cisco-phone
Slide 152
Cisco Catalyst 4500 QoS Design
Distribution and/or Core-Layer QoS Design
Distribution layer: globally enable QoS + CoPP; optional (SupV-10GE only): User-Based Rate-Limiting (UBRL) on the uplinks from the access layer only; trust DSCP; 1P3Q1T queuing + DBL on interswitch links
Core layer: globally enable QoS + CoPP; trust DSCP; 1P3Q1T queuing + DBL on interswitch links
Slide 153
Cisco Catalyst 4500 QoS Design
Queuing Design (1P3Q1T + DBL)
Application             DSCP   Queue
Network Control         CS7    Queue 4 (40%)
Internetwork Control    CS6    Queue 4 (40%)
Voice                   EF     Queue 3, priority queue (30%)
Interactive Video       AF41   Queue 4 (40%)
Streaming Video         CS4    Queue 4 (40%)
Call Signaling          CS3    Queue 4 (40%)
Mission-Critical Data   AF31   Queue 4 (40%)
Transactional Data      AF21   Queue 4 (40%)
Network Management      CS2    Queue 4 (40%)
Bulk Data               AF11   Queue 1 (5%)
Scavenger               CS1    Queue 1 (5%)
Best Effort             0      Queue 2 (25%)
Queue 4 carries CS6/CS7, CS4/AF41/AF42/AF43, CS3/AF31/AF32/AF33 and CS2/AF21/AF22/AF23
Slide 154
Cisco Catalyst 4500 QoS Design
Queuing Design (1P3Q1T + DBL)
CAT4500-SUP4(config)#qos dbl
! Globally enables DBL
CAT4500-SUP4(config)#qos dbl exceed-action ecn
! Optional: Enables DBL to mark RFC 3168 ECN bits in the IP ToS Byte
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#qos map dscp 0 to tx-queue 2
! Maps DSCP 0 (Best Effort) to Q2
CAT4500-SUP4(config)#qos map dscp 8 10 12 14 to tx-queue 1
! Maps DSCP CS1 (Scavenger) and AF11/AF12/AF13 (Bulk) to Q1
CAT4500-SUP4(config)#qos map dscp 16 18 20 22 to tx-queue 4
! Maps DSCP CS2 (Net-Mgmt) and AF21/AF22/AF23 (Transactional) to Q4
CAT4500-SUP4(config)#qos map dscp 24 26 28 30 to tx-queue 4
! Maps DSCP CS3 (Call-Signaling) and AF31/AF32/AF33 (MC Data) to Q4
CAT4500-SUP4(config)#qos map dscp 32 34 36 38 to tx-queue 4
! Maps DSCP CS4 (Str-Video) and AF41/AF42/AF43 (Int-Video) to Q4
CAT4500-SUP4(config)#qos map dscp 46 to tx-queue 3
! Maps DSCP EF (VoIP) to Q3 (PQ)
CAT4500-SUP4(config)#qos map dscp 48 56 to tx-queue 4
! Maps DSCP CS6 (Internetwork) and CS7 (Network) Control to Q4
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#policy-map DBL
CAT4500-SUP4(config-pmap)#class class-default
CAT4500-SUP4(config-pmap-c)# dbl ! Enables DBL on all traffic flows
CAT4500-SUP4(config-pmap-c)# end
CAT4500-SUP4#
Slide 155
Cisco Catalyst 4500 QoS Design
Queuing Design (1P3Q1T + DBL)
CAT4500-SUP4(config)#interface range FastEthernet2/1 - 48
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# shape percent 30 ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# exit
CAT4500-SUP4(config-if-range)#exit
CAT4500-SUP4(config)#
CAT4500-SUP4(config)#interface range GigabitEthernet1/1 - 2
CAT4500-SUP4(config-if-range)# service-policy output DBL
CAT4500-SUP4(config-if-range)# tx-queue 1
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 5 ! Q1 gets 5%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 2
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 25 ! Q2 gets 25%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 3
CAT4500-SUP4(config-if-tx-queue)# priority high ! Enables Q3 as PQ
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 30 ! PQ gets 30%
CAT4500-SUP4(config-if-tx-queue)# shape percent 30 ! Shapes PQ to 30%
CAT4500-SUP4(config-if-tx-queue)# tx-queue 4
CAT4500-SUP4(config-if-tx-queue)# bandwidth percent 40 ! Q4 gets 40%
CAT4500-SUP4(config-if-tx-queue)#end
CAT4500-SUP4#
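The queuing guidelines from Slides 134 and 135 applied to the Catalyst 4500 configuration on Slides 154 and 155, as an added example that is not part of the deck or of Cisco's tooling: a Python lint that parses the `qos map dscp ... to tx-queue` and per-queue `bandwidth`/`shape`/`priority` lines and reports where the PQ cap, the best-effort floor, the scavenger share or the "only EF in the PQ" rule is violated. `CONFIG` is the deck's own commands gathered into one snippet; `BAD_CONFIG` is a constructed counter-example; the parser only understands the handful of command forms used on these slides.

```python
import re

# The deck's Slide 154/155 commands, gathered into one constructed snippet.
CONFIG = """\
qos map dscp 0 to tx-queue 2
qos map dscp 8 10 12 14 to tx-queue 1
qos map dscp 16 18 20 22 to tx-queue 4
qos map dscp 24 26 28 30 to tx-queue 4
qos map dscp 32 34 36 38 to tx-queue 4
qos map dscp 46 to tx-queue 3
qos map dscp 48 56 to tx-queue 4
interface range GigabitEthernet1/1 - 2
 tx-queue 1
  bandwidth percent 5
 tx-queue 2
  bandwidth percent 25
 tx-queue 3
  priority high
  bandwidth percent 30
  shape percent 30
 tx-queue 4
  bandwidth percent 40
"""

# Constructed counter-example: call signaling pushed into the PQ, PQ at 50%,
# best effort cut to 20%, scavenger queue given nothing.
BAD_CONFIG = (CONFIG
              .replace("qos map dscp 46 to tx-queue 3", "qos map dscp 24 46 to tx-queue 3")
              .replace("bandwidth percent 5\n", "bandwidth percent 0\n")
              .replace("bandwidth percent 25\n", "bandwidth percent 20\n")
              .replace("percent 30", "percent 50"))

MAP_RE = re.compile(r"^qos map dscp (.+?) to tx-queue (\d+)$")
BASELINE = {0: "Best Effort", 8: "Scavenger", 10: "Bulk Data", 16: "Network Management",
            18: "Transactional Data", 24: "Call Signaling", 26: "Mission-Critical Data",
            32: "Streaming Video", 34: "Interactive Video", 46: "Voice",
            48: "Internetwork Control", 56: "Network Control"}
REALTIME = {46}   # the only baseline DSCP that belongs in the strict-priority queue


def parse_config(text):
    """Return (dscp -> tx-queue, {interface: {queue: {bandwidth, shape, priority}}})."""
    dscp_map, queues, intf, q = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MAP_RE.match(line):
            for d in m.group(1).split():
                dscp_map[int(d)] = int(m.group(2))   # a later map line overrides
        elif line.startswith("interface "):
            intf = line[len("interface "):]
            queues[intf] = {}
        elif m := re.match(r"^tx-queue (\d+)$", line):
            q = queues[intf].setdefault(int(m.group(1)), {})
        elif m := re.match(r"^(bandwidth|shape) percent (\d+)$", line):
            q[m.group(1)] = int(m.group(2))
        elif line == "priority high":
            q["priority"] = True
    return dscp_map, queues


def lint(dscp_map, queues):
    """Check the deck's campus queuing rules; return a list of findings (empty = clean)."""
    findings = []
    for d, name in BASELINE.items():
        if d not in dscp_map:
            findings.append(f"DSCP {d} ({name}) has no tx-queue mapping")
    for intf, qs in queues.items():
        total = sum(cfg.get("bandwidth", 0) for cfg in qs.values())
        if total > 100:
            findings.append(f"{intf}: bandwidth percents sum to {total}, over 100")
        for n, cfg in qs.items():
            members = {d for d, tq in dscp_map.items() if tq == n}
            bw = cfg.get("bandwidth", 0)
            if cfg.get("priority"):
                if max(bw, cfg.get("shape", 0)) > 33:
                    findings.append(f"{intf}: PQ tx-queue {n} exceeds the 33% real-time cap")
                if "shape" not in cfg:
                    findings.append(f"{intf}: PQ tx-queue {n} is unshaped and can starve the other queues")
                if members - REALTIME:
                    findings.append(f"{intf}: non-real-time DSCPs {sorted(members - REALTIME)} in PQ tx-queue {n}")
            if 0 in members and bw < 25:
                findings.append(f"{intf}: best-effort tx-queue {n} is below 25%")
            if 8 in members and not 0 < bw <= 5:
                findings.append(f"{intf}: scavenger tx-queue {n} should get a small non-zero share (about 5%)")
    return findings


def lint_text(text):
    return lint(*parse_config(text))


if __name__ == "__main__":
    print("deck config :", lint_text(CONFIG) or "clean")
    print("bad config  :", *lint_text(BAD_CONFIG), sep="\n  ")
```

Running the lint over `BAD_CONFIG` shows why the "only EF in the PQ" check matters for security as well as voice quality: any class admitted to the strict-priority queue is served ahead of everything else, so a host that can get its traffic marked CS3 would ride the PQ and crowd out the calls the queue exists to protect.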
Slide 156
C4500 (SupV-10GE) QoS Design
User-Based Rate Limiting (UBRL)
CAT4500-SUPV-10GE(config)#qos map dscp policed 0 24 46 to dscp 8
! Excess DVLAN & VVLAN traffic will be marked down to Scavenger (CS1)
CAT4500-SUPV-10GE(config)#class-map match-all UBRL-BY-SOURCE-IP
CAT4500-SUPV-10GE(config-cmap)#match flow ip source-address
CAT4500-SUPV-10GE(config-cmap)#policy-map UBRL-TO-5MBPS-SCAVENGER
CAT4500-SUPV-10GE(config-pmap)#class UBRL-BY-SOURCE-IP
CAT4500-SUPV-10GE(config-pmap-c)# police 5 mbps 8000 byte exceed-action policed-dscp-transmit
! Out-of-profile data traffic is marked down to Scavenger (CS1)
CAT4500-SUPV-10GE(config-pmap-c)# exit
CAT4500-SUPV-10GE(config-pmap)#exit
CAT4500-SUPV-10GE(config)#
CAT4500-SUPV-10GE(config)#interface GigabitEthernet2/1
CAT4500-SUPV-10GE(config-if)# service-policy input UBRL-TO-5MBPS-SCAVENGER
! Applies the UBRL policy to the uplink from the Access-Layer
CAT4500-SUPV-10GE(config-if)# end
CAT4500-SUPV-10GE#
(Figure: the policy is applied on a distribution-layer Cisco Catalyst 4500 SupV-10GE.)
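The policing design of Slides 133 and 142 (mark down to CS1 rather than drop, drop only excess voice) and the per-source UBRL policy above, as one added example that is not part of the deck or of Cisco's code: a Python token-bucket policer that runs the IP Phone + PC + Scavenger (Basic) model's four classes over constructed packet streams, either with one bucket per class (an access port) or one bucket per class and source IP (the `flow ip source-address` mask UBRL uses). The `Packet`, `TokenBucket` and `EdgePolicer` names, the traffic rates and the addresses 10.1.110.5, 10.1.10.7 and 10.1.10.8 are illustration choices; the rates and actions per class are the slide's.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    t_us: int    # arrival time in microseconds
    src: str     # source IP address
    vlan: str    # "VVLAN" (voice VLAN) or "DVLAN" (data VLAN)
    dscp: int    # DSCP as marked by the endpoint
    size: int    # bytes


class TokenBucket:
    """Single-rate, two-colour policer: conform while the byte bucket covers the
    packet, exceed otherwise. The bucket refills at rate_bps up to burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last_us = burst_bytes, 0

    def offer(self, t_us, size):
        refill = self.rate * (t_us - self.last_us) // 8_000_000   # bits -> bytes
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


EF, CS3, CS1, DF = 46, 24, 8, 0
TRANSMIT, DROP = "transmit", "drop"

# The Basic model as a first-match class list:
# (name, match, rate bps, burst bytes, conform action, exceed action);
# an action is (TRANSMIT, dscp to set) or (DROP, None).
BASIC_MODEL = [
    ("VVLAN-VOICE",     lambda p: p.vlan == "VVLAN" and p.dscp == EF,  128_000,  8000, (TRANSMIT, EF),  (DROP, None)),
    ("VVLAN-SIGNALING", lambda p: p.vlan == "VVLAN" and p.dscp == CS3,  32_000,  8000, (TRANSMIT, CS3), (TRANSMIT, CS1)),
    ("VVLAN-ANY",       lambda p: p.vlan == "VVLAN",                    32_000,  8000, (TRANSMIT, DF),  (TRANSMIT, CS1)),
    ("DVLAN-ANY",       lambda p: p.vlan == "DVLAN",                 5_000_000,  8000, (TRANSMIT, DF),  (TRANSMIT, CS1)),
]


class EdgePolicer:
    """per_source=False: one bucket per class, as on an access port.
    per_source=True: one bucket per (class, source IP), the src-only flow mask
    that UBRL and per-user microflow policing apply on an uplink."""

    def __init__(self, classes=BASIC_MODEL, per_source=False):
        self.classes, self.per_source, self.buckets = classes, per_source, {}

    def process(self, p):
        """Return (class name, 'conform'|'exceed', dscp sent, or None if dropped)."""
        for name, match, rate, burst, conform, exceed in self.classes:
            if not match(p):
                continue
            key = (name, p.src if self.per_source else None)
            bucket = self.buckets.setdefault(key, TokenBucket(rate, burst))
            colour = bucket.offer(p.t_us, p.size)
            action, dscp = conform if colour == "conform" else exceed
            return name, colour, (dscp if action == TRANSMIT else None)
        return "class-default", "conform", p.dscp   # no policer: pass unchanged


def stream(src, vlan, dscp, size, interval_us, duration_us, offset_us=0):
    """Constant-rate packet stream (constructed test traffic)."""
    return [Packet(t, src, vlan, dscp, size) for t in range(offset_us, duration_us, interval_us)]


def summarize(policer, packets):
    """Run packets through the policer in arrival order; count (class, colour, dscp)."""
    return Counter(policer.process(p) for p in sorted(packets, key=lambda p: p.t_us))


if __name__ == "__main__":
    phone = stream("10.1.110.5", "VVLAN", EF, 200, 20_000, 1_000_000)    # 80 kbps of EF
    pc = stream("10.1.10.7", "DVLAN", EF, 1500, 1_200, 1_000_000)        # 10 Mbps, PC marks EF
    print("phone:", dict(summarize(EdgePolicer(), phone)))
    print("pc   :", dict(summarize(EdgePolicer(), pc)))
```

The PC stream shows the trust boundary in action: its self-assigned EF marking never survives the access edge (it is remarked to 0 while in profile and to CS1 beyond 5 Mbps), while the phone's real voice traffic passes untouched. The two-source case in the test shows what UBRL adds on an uplink: two PCs at 3 Mbps each exceed a single 5 Mbps port policer, but each stays inside its own per-source bucket.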
Slide 157
Unified Communications Network
Agenda
Network Resiliency
Layer 2 Security
Quality of Service
QoS Best Practices Review
Campus QoS Design
Catalyst 4500 QoS Design
Catalyst 6500 QoS Design
Control Plane Policing
Slide 158
Catalyst 6500 QoS
QoS Flow through the 6500
(Figure: RX → ingress queues (priority queue plus standard queues, RX arbiter) → ingress classify & police → egress classify & police → rewrite → egress queues (priority queue plus WRR queues, TX arbiter) → TX.)
Ingress: incoming encapsulation can be ISL, 802.1Q or none. Scheduling: queue and threshold are selected based on received CoS through a configurable map; CoS can be overwritten if the port is untrusted
Classification: DSCP-based classification based on "trusted port" and on Layer 2, Layer 3 and Layer 4 information with ACLs
Policing: police via ACLs; police actions include forward, mark and drop, based on burst (token bucket) and byte rate
Rewrite: rewrite the ToS field in the IP header and the 802.1p/ISL CoS field
Egress: each queue has configurable thresholds, some have WRED (except the PQ). Outgoing encapsulation can be ISL, 802.1Q or none. Scheduling: queue and threshold selected based on CoS through a map; de-queue uses WRR or SRR between the round-robin queues
Slide 159
Cisco Catalyst 6500 QoS Design
Globally Enabling QoS
CAT6500-IOS(config)# mls qos
CAT6500-IOS(config)#end
CAT6500-IOS#
CAT6500-IOS# show mls qos
QoS is enabled globally
Microflow policing is enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
----- Module [2] -----
QoS global counters:
Total packets: 65
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 0
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
CAT6500-IOS#
Slide 160
Cisco Catalyst 6500 QoS Design
Access-Layer Cisco Catalyst 6500 QoS Design Options
Global commands: globally enable QoS + CoPP
Access edges: Trusted-Endpoint Model, AutoQoS VoIP Model, or IP Phone + PC + Scavenger (Basic) Model; globally-defined, linecard-dependent queuing + dropping
Uplinks to distribution layer: trust DSCP; globally-defined, linecard-dependent queuing + dropping
Control Plane Policing (CoPP) is only supported on PFC3
Slide 161
Cisco Catalyst 6500 QoS Design
Trusted Endpoint Examples
Cisco IOS Trust:
CAT6500-IOS(config)#interface FastEthernet3/1
CAT6500-IOS(config-if)#mls qos trust dscp
TRUST set to TRUST DSCP
Slide 162
Cisco Catalyst 6500
AutoQoS VoIP (coming in 12.2(33)SXH release)
Options:
auto qos voip cisco-phone
auto qos voip cisco-softphone
auto qos voip trust
Configuration generated by the cisco-phone option:
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56
interface FastEthernet2/3
wrr-queue cos-map 1 1 0
wrr-queue cos-map 2 1 1 2 3 4
wrr-queue cos-map 2 2 5 6 7
wrr-queue queue-limit 80 20
wrr-queue bandwidth 100 255
wrr-queue threshold 1 100 100
wrr-queue threshold 2 80 100
rcv-queue cos-map 1 1 0
rcv-queue cos-map 1 3 1 2 3 4
rcv-queue cos-map 1 4 5 6 7
rcv-queue threshold 1 50 60 80 100
CAT6500(config-if)#auto qos voip cisco-phone
Slide 163
Cisco Catalyst 6500 QoS Design
Distribution and/or Core-Layer QoS Design
Distribution layer: globally enable QoS + CoPP; optional (PFC3 only): per-user microflow policing on the uplinks from the access layer only; trust DSCP; interface-group, linecard-dependent queuing + dropping on interswitch links
Core layer: globally enable QoS + CoPP; trust DSCP; interface-group, linecard-dependent queuing + dropping on interswitch links
Control Plane Policing (CoPP) is only supported on PFC3
Slide 164
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)
Application             DSCP   CoS   Queue / Threshold
Network Control         CS7    7     Q3T5 (Queue 3, 70%)
Internetwork Control    CS6    6     Q3T4 (Queue 3, 70%)
Voice                   EF     5     Q4, priority queue
Interactive Video       AF41   4     Q3T1 (Queue 3, 70%)
Streaming Video         CS4    4     Q3T1 (Queue 3, 70%)
Call Signaling          CS3    3     Q3T3 (Queue 3, 70%)
Mission-Critical Data   AF31   3     Q3T3 (Queue 3, 70%)
Transactional Data      AF21   2     Q3T2 (Queue 3, 70%)
Network Management      CS2    2     Q3T2 (Queue 3, 70%)
Bulk Data               AF11   1     Q1T1 (Queue 1, 5%)
Scavenger               CS1    1     Q1T1 (Queue 1, 5%)
Best Effort             0      0     Q2T1 (Queue 2, 25%)
Slide 165
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)
CAT6500-IOS(config)# interface range GigabitEthernet1/1 - 48
CAT6500-IOS(config-if-range)# wrr-queue queue-limit 5 25 40
! Allocates 5% of the buffers for Q1, 25% for Q2 and 40% for Q3
CAT6500-IOS(config-if-range)# wrr-queue bandwidth 5 25 70
! Sets the WRR weights to 5:25:70 (Q1:Q2:Q3) for bandwidth servicing
CAT6500-IOS(config-if-range)# wrr-queue random-detect 1 ! Enables WRED on Q1
CAT6500-IOS(config-if-range)# wrr-queue random-detect 2 ! Enables WRED on Q2
CAT6500-IOS(config-if-range)# wrr-queue random-detect 3 ! Enables WRED on Q3
CAT6500-IOS(config-if-range)#
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
! Sets the Min WRED threshold for Q1T1 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
! Sets the Max WRED threshold for Q1T1 to 100% and all others to 100%
CAT6500-IOS(config-if-range)#
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
! Sets the Min WRED threshold for Q2T1 to 80% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
! Sets the Max WRED threshold for Q2T1 to 100% and all others to 100%
Slide 166
Cisco Catalyst 6500 QoS Design
Queuing Design (1P3Q8T)
CAT6500-IOS(config-if-range)# wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
! Sets the Min WRED threshold for Q3T1 to 50%, Q3T2 to 60%, Q3T3 to 70%,
! Q3T4 to 80%, Q3T5 to 90% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
! Sets the Max WRED threshold for Q3T1 to 60%, Q3T2 to 70%, Q3T3 to 80%,
! Q3T4 to 90%, Q3T5 to 100% and all others to 100%
CAT6500-IOS(config-if-range)# wrr-queue cos-map 1 1 1
! Maps Scavenger/Bulk (CoS 1) to Q1 WRED threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 2 1 0
! Maps Best Effort (CoS 0) to Q2 WRED threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 1 4
! Maps Video (CoS 4) to Q3 WRED threshold 1
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 2 2
! Maps Net-Mgmt and Transactional Data (CoS 2) to Q3 WRED T2
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 3 3
! Maps Call-Signaling and Mission-Critical Data (CoS 3) to Q3 WRED T3
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 4 6
! Maps Internetwork-Control (IP Routing, CoS 6) to Q3 WRED T4
CAT6500-IOS(config-if-range)# wrr-queue cos-map 3 5 7
! Maps Network-Control (Spanning Tree, CoS 7) to Q3 WRED T5
CAT6500-IOS(config-if-range)# priority-queue cos-map 1 5
! Maps VoIP (CoS 5) to the PQ (Q4)
CAT6500-IOS(config-if-range)#end
CAT6500-IOS#
Slide 167
C6500 (PFC3) QoS Design
PFC3 Per-User Microflow Policing
CAT6500-IOS(config)#mls qos map policed-dscp normal 0 24 26 34 36 to 8
! Excess traffic marked 0, CS3, AF31, AF41 or AF42 will be remarked to CS1
CAT6500-IOS(config)#class-map match-any VVLAN-TRAFFIC
CAT6500-IOS(config-cmap)# match ip dscp ef
CAT6500-IOS(config-cmap)# match ip dscp cs3
CAT6500-IOS(config-cmap)#class-map match-all DVLAN-TRAFFIC
CAT6500-IOS(config-cmap)# match ip dscp 0
CAT6500-IOS(config-cmap)#policy-map PER-USER-POLICING
CAT6500-IOS(config-pmap)# class VVLAN-TRAFFIC
CAT6500-IOS(config-pmap-c)# police flow mask src-only 160000 8000 conform-action transmit exceed-action drop
! Traffic from any VVLAN source (IP Phones) in excess of 160 kbps is dropped
CAT6500-IOS(config-pmap-c)# class DVLAN-TRAFFIC
CAT6500-IOS(config-pmap-c)# police flow mask src-only 5000000 8000 conform-action transmit exceed-action policed-dscp-transmit
! Traffic from any DVLAN source (PCs) in excess of 5 Mbps is remarked to CS1
CAT6500-IOS(config-pmap-c)# exit
(Figure: the policy is applied on a distribution-layer Cisco Catalyst 6500 Sup720.)