Implementing Cisco IP Switched Networks (SWITCH) Foundation Learning Guide
Richard Froom, CCIE No. 5102
Balaji Sivasubramanian
Erum Frahim, CCIE No. 7549
Cisco Press
800 East 96th Street
Indianapolis, IN 46240
Copyright © 2010 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
Fifth Printing: August 2012
Library of Congress Cataloging-in-Publication data is on file.
ISBN-13: 978-1-58705-884-4
ISBN-10: 1-58705-884-7
Warning and Disclaimer
This book is designed to provide information about the Implementing Cisco IP Switched Networks (SWITCH) course in preparation for taking the SWITCH 642-813 exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
ii Implementing Cisco IP Switched Networks (SWITCH) Foundation Learning Guide
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected]
For sales outside the United States, please contact: International Sales [email protected]
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Executive Editor: Mary Beth Ray
Managing Editor: Sandra Schroeder
Development Editor: Andrew Cupp
Senior Project Editor: Tonya Simpson
Editorial Assistant: Vanessa Evans
Book Designer: Louisa Adair
Cover Designer: Sandra Schroeder
Composition: Mark Shirar
Indexer: Tim Wright
Cisco Representative: Erik Ullanderson
Cisco Press Program Manager: Anand Sundaram
Technical Editors: Geoff Tagg, Sonya Coker, Jeremy Creech, Rick Graziani, David Kotfila, Wayne Lewis, Jim Lorenz, Snezhy Neshkova, Allan Reid, Bob Vachon
Copy Editor: Apostrophe Editing Services
Proofreader: Sheri Cain
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
About the Authors
Richard E. Froom, CCIE No. 5102, attended Clemson University where he majored in computer engineering. While attending Clemson, Richard held positions at different times for the university network team, IBM, and Scientific Research Corporation. After graduation, Richard joined Cisco. Richard’s first role within Cisco was as a TAC engineer supporting Cisco Catalyst switches. After several years in the TAC, Richard moved into a testing role supporting Cisco MDS and SAN technologies. In 2009, Richard moved into the Enhanced Customer Aligned Testing Services (ECATS) organization within Cisco as a test manager of a team focused on testing customer deployments of UCS and Nexus.
Balaji Sivasubramanian is a product line manager in the Cloud Services and Switching Technology Group focusing on upcoming products in the cloud services and Data Center virtualization area. Before this role, Balaji was a senior product manager for the Catalyst 6500 switches product line, where he successfully launched the Virtual Switching System (VSS) technology worldwide. He started his Cisco career in the Cisco Technical Assistance Center working in the LAN switching products and technologies. Balaji has been a speaker at various industry events such as Cisco Live and VMworld. Balaji has a Master of Science degree in computer engineering from the University of Arizona and a Bachelor of Engineering degree in electrical and electronics from the College of Engineering, Guindy, Anna University (India).
Erum Frahim, CCIE No. 7549, is a technical leader working for Enhanced Customer Aligned Testing Services (ECATS) at Cisco. In her current role, Erum is leading efforts to test Datacenter solutions for several Cisco high-profile customers. Prior to this, Erum managed the Nexus platform escalation group and served as a team lead for the Datacenter SAN Test lab under the Cisco Datacenter Business Unit. Erum joined Cisco in 2000 as a technical support engineer. Erum has a Master of Science degree in electrical engineering from Illinois Institute of Technology and also holds a Bachelor of Engineering degree from NED University, Karachi, Pakistan. Erum also authors articles in Certification Magazine and Cisco.com.
About the Technical Reviewers
Geoff Tagg runs a small U.K. networking company and has worked in the networking industry for nearly 30 years. Before that, he had 15 years of experience with systems programming and management on a wide variety of installations. Geoff has clients ranging from small local businesses to large multinationals and has combined implementation with training for most of his working life. Geoff’s main specialties are routing, switching, and networked storage. He lives in Oxford, England, with his wife, Christine, and family and is a visiting professor at nearby Oxford Brookes University.
Sonya Coker has worked in the Cisco Networking Academy program since 1999 when she started a local academy. She has taught student and instructor classes locally and internationally in topics ranging from IT Essentials to CCNP. As a member of the Cisco Networking Academy development team she has provided subject matter expertise on new courses and course revisions.
Jeremy Creech is a learning and development manager for Cisco with more than 13 years experience in researching, implementing, and managing data and voice networks. Currently, he is a curriculum development manager for the Cisco Networking Academy Program leveraging his experience as the content development manager for CCNP Certification exams. He has recently completed curriculum development initiatives for ROUTE, SWITCH, TSHOOT, and CCNA Security.
Rick Graziani teaches computer science and computer networking courses at Cabrillo College in Aptos, California. Rick has worked and taught in the computer networking and information technology field for almost 30 years. Prior to teaching Rick worked in IT for various companies including Santa Cruz Operation, Tandem Computers, and Lockheed Missiles and Space Corporation. He holds a Master of Arts degree in computer science and systems theory from California State University Monterey Bay. Rick also does consulting work for Cisco and other companies. When Rick is not working, he is most likely surfing. Rick is an avid surfer who enjoys surfing at his favorite Santa Cruz breaks.
David Kotfila, CCNA, CCDA, CCNP, CCDP, CCSP, CCVP, CCAI, teaches in the computer science department at Rensselaer Polytechnic Institute, Troy, New York. More than 550 of his students have received their CCNA, 200 have received their CCNP, and 14 have received their CCIE. David likes to spend time with his wife Kate, his daughter Charis, and his son Chris. David enjoys hiking, kayaking, and reading.
Dr. Wayne Lewis has been a faculty member at Honolulu Community College since receiving a Ph.D. in math from the University of Hawaii at Manoa in 1992, specializing in finite rank torsion-free modules over a Dedekind domain. Since 1992, he served as a math instructor, as the state school-to-work coordinator, and as the legal main contact for the Cisco Academy Training Center (CATC). Dr. Lewis manages the CATC for CCNA, CCNP, and Security, based at Honolulu Community College, which serves Cisco Academies at universities, colleges, and high schools in Hawaii, Guam, and American Samoa. Since 1998, he has taught routing, multilayer switching, remote access, troubleshooting, network security, and wireless networking to instructors from universities, colleges, and high schools in Australia, Britain, Canada, Central America, China, Germany, Hong Kong, Hungary, Indonesia, Italy, Japan, Korea, Mexico, Poland, Singapore, Sweden, Taiwan, and South America both onsite and at Honolulu Community College.
Jim Lorenz is an instructor and curriculum developer for the Cisco Networking Academy Program. Jim has co-authored Lab Companions for the CCNA courses and the textbooks for the Fundamentals of UNIX course. He has more than 25 years of experience in information systems, ranging from programming and database administration to network design and project management. Jim has developed and taught computer and networking courses for both public and private institutions. As the Cisco Academy Manager at Chandler-Gilbert College in Arizona, he was instrumental in starting the Information Technology Institute (ITI) and developed a number of certificates and degree programs. Jim co-authored the CCNA Discovery online academy courses, Networking for Home and Small Businesses and Introducing Routing and Switching in the Enterprise, with Allan Reid. Most recently, he developed the hands-on labs for the CCNA Security course and the CCNPv6 Troubleshooting course.
Snezhy Neshkova, CCIE No. 11931, has been a Cisco Certified Internetwork Expert since 2003. She has more than 20 years of networking experience, including IT field services and support, management of information systems, and all aspects of networking education. Snezhy has developed and taught CCNA and CCNP networking courses to instructors from
universities, colleges, and high schools in Canada, the United States, and Europe. Snezhy’s passion is to empower students to become successful and compassionate lifelong learners. Snezhy holds a Master of Science degree in computer science from Technical University, Sofia.
Allan Reid, CCNA, CCNA-W, CCDA, CCNP, CCDP, CCAI, MLS, is a professor in information and communications engineering technology and the lead instructor at the Centennial College CATC in Toronto, Canada. He has developed and taught networking courses for both private and public organizations and has been instrumental in the development and implementation of numerous certificate, diploma, and degree programs in networking. Outside his academic responsibilities, Allan has been active in the computer and networking fields for more than 25 years and is currently a principal in a company specializing in the design, management, and security of network solutions for small and medium-sized companies. Allan is a curriculum and assessment developer for the Cisco Networking Academy Program and has authored several Cisco Press titles.
Bob Vachon, CCNP, CCNA-S, CCAI, is a professor in the computer systems technology program at Cambrian College and has more than 20 years of experience in the networking field. In 2001 he began collaborating with the Cisco Networking Academy on various curriculum development projects including CCNA, CCNA Security, and CCNP courses. For 3 years Bob was also part of an elite team authoring CCNP certification exam questions. In 2007, Bob co-authored the Cisco Press book CCNA Exploration: Accessing the WAN.
Dedications
This book is dedicated to my wife Beth and my son Nathan. I appreciate their support for the extra time that went into completing this book. —Richard
This book is dedicated to my wife Swapna, who has been very supportive and encouraging in me writing this book. —Balaji
This book is dedicated to my husband Faraz and my dearest daughter Alisha, who were very supportive as I wrote this book. I would like to say extra thanks to my mom and grandmother for remembering me in their prayers. I would also like to dedicate this book to my niece and nephew Shayan and Shiza and a very new member Zayan, who are the love of my life, and finally, my siblings, sister-in-law, and father, who are always there to help me out in any situation. —Erum
Acknowledgments
Richard: I’d like to give special recognition to the entire Cisco Press team for the patience and support in producing this title.
Balaji: I would like to acknowledge Mary Beth and Andrew from the Cisco Press team for their patience and support during the development of the book.
Erum: I would like to give my thanks to Cisco Press—especially to Mary Beth for being understanding during the development of the book. In addition, I would like to acknowledge all the reviewers who helped make the book more valuable.
Contents at a Glance
Introduction xxiii
Chapter 1 Analyzing the Cisco Enterprise Campus Architecture 1
Chapter 2 Implementing VLANs in Campus Networks 51
Chapter 3 Implementing Spanning Tree 119
Chapter 4 Implementing Inter-VLAN Routing 183
Chapter 5 Implementing High Availability and Redundancy in a Campus Network 243
Chapter 6 Securing the Campus Infrastructure 333
Chapter 7 Preparing the Campus Infrastructure for Advanced Services 419
Appendix A: Answers to Chapter Review Questions 503
Index 509
Contents
Introduction xxiii
Chapter 1 Analyzing the Cisco Enterprise Campus Architecture 1
Introduction to Enterprise Campus Network Design 2
Regulatory Standards Driving Enterprise Architectures 4
Campus Designs 5
Legacy Campus Designs 5
Hierarchical Models for Campus Design 6
Impact of Multilayer Switches on Network Design 7
Ethernet Switching Review 7
Layer 2 Switching 8
Layer 3 Switching 10
Layer 4 and Layer 7 Switching 11
Layer 2 Switching In-Depth 12
Layer 3 Switching In-Depth 12
Understanding Multilayer Switching 14
Introduction to Cisco Switches 15
Cisco Catalyst 6500 Family of Switches 15
Cisco Catalyst 4500 Family of Switches 15
Cisco Catalyst 4948G, 3750, and 3560 Family of Switches 16
Cisco Catalyst 2000 Family of Switches 16
Nexus 7000 Family of Switches 16
Nexus 5000 and 2000 Family of Switches 17
Hardware and Software-Switching Terminology 17
Campus Network Traffic Types 18
Peer-to-Peer Applications 21
Client/Server Applications 21
Client-Enterprise Edge Applications 23
Overview of the SONA and Borderless Networks 25
Enterprise Campus Design 27
Access Layer In-Depth 29
Distribution Layer 29
Core Layer 31
The Need for a Core Layer 32
Campus Core Layer as the Enterprise Network Backbone 33
Small Campus Network Example 33
Medium Campus Network Example 34
Large Campus Network Design 34
Data Center Infrastructure 35
PPDIOO Lifecycle Approach to Network Design and Implementation 37
PPDIOO Phases 37
Benefits of a Lifecycle Approach 38
Planning a Network Implementation 39
Implementation Components 40
Summary Implementation Plan 40
Detailed Implementation Plan 42
Summary 43
Review Questions 43
Chapter 2 Implementing VLANs in Campus Networks 51
Implementing VLAN Technologies in a Campus Network 52
VLAN Segmentation Model 53
End-to-End VLAN 54
Local VLAN 55
Comparison of End-to-End VLANs and Local VLANs 56
Mapping VLANs to a Hierarchical Network 57
Planning VLAN Implementation 58
Best Practices for VLAN Design 59
Configuring VLANs 60
VLAN Ranges 60
Verifying the VLAN Configuration 63
Troubleshooting VLANs 67
Troubleshooting Slow Throughput 67
Troubleshooting Communication Issues 68
Implementing Trunking in Cisco Campus Network 68
Trunking Protocols 69
Understanding Native VLAN in 802.1Q Trunking 71
Understanding DTP 72
Cisco Trunking Modes and Methods 72
VLAN Ranges and Mappings 73
Best Practices for Trunking 73
Configuring 802.1Q Trunking 74
Verifying Trunking Configurations 76
Troubleshooting Trunking 77
VLAN Trunking Protocol 78
VTP Pruning 81
VTP Versions 82
VTP Versions 1 and 2 82
VTP Version 3 83
VTP Messages Types 83
Summary Advertisements 83
Subset Advertisements 84
Advertisement Requests 84
VTP Authentication 84
Best Practices for VTP Implementation 84
Configuring VTP 85
Verifying the VTP Configuration 85
Troubleshooting VTP 87
Private VLANs 87
Private VLANs Overview 88
Private VLANs and Port Types 88
Private VLAN Configuration 90
Configuring Private VLANs in Cisco IOS 91
Verifying Private VLAN 92
Private VLAN Configuration Example 93
Single Switch Private Configuration 93
Private VLAN Configuration Across Switches 94
Port Protected Feature 97
Configuring Link Aggregation with EtherChannel 97
Describe EtherChannel 98
PAgP and LACP Protocols 101
PAgP Modes 101
LACP Modes 103
Configure Port Channels Using EtherChannel 105
Guidelines for Configuring EtherChannel 105
Layer 2 EtherChannel Configuration Steps 106
Verifying EtherChannel 108
EtherChannel Load Balancing Options 110
Summary 112
Review Questions 113
Chapter 3 Implementing Spanning Tree 119
Evolution of Spanning Tree Protocols 119
Spanning Tree Protocol Basics 121
STP Operation 122
Rapid Spanning Tree Protocol 125
RSTP Port States 126
RSTP Port Roles 127
Rapid Transition to Forwarding 129
RSTP Topology Change Mechanism 132
Bridge Identifier for PVRST+ 136
Compatibility with 802.1D 137
Cisco Spanning Tree Default Configuration 137
PortFast 138
Configuring the PortFast Feature 138
Configuring the Basic Parameters of PVRST+ 140
Multiple Spanning Tree 141
MST Regions 143
Extended System ID for MST 144
Configuring MST 145
Spanning Tree Enhancements 150
BPDU Guard 152
BPDU Filtering 153
Root Guard 155
Preventing Forwarding Loops and Black Holes 158
Loop Guard 158
UDLD 161
Comparison Between Aggressive Mode UDLD and Loop Guard 165
Flex Links 166
Recommended Spanning Tree Practices 168
Troubleshooting STP 171
Potential STP Problems 171
Duplex Mismatch 172
Unidirectional Link Failure 172
Frame Corruption 173
Resource Errors 173
PortFast Configuration Error 174
Troubleshooting Methodology 174
Develop a Plan 175
Isolate the Cause and Correct an STP Problem 175
Document Findings 177
Summary 178
References 179
Review Questions 179
Chapter 4 Implementing Inter-VLAN Routing 183
Describing Inter-VLAN Routing 184
Introduction to Inter-VLAN Routing 184
Inter-VLAN Routing Using an External Router (Router-on-a-Stick) 186
External Router: Advantages and Disadvantages 189
Inter-VLAN Routing Using Switch Virtual Interfaces 190
SVI: Advantages and Disadvantages 192
Routing with Routed Ports 192
Routed Port: Advantage and Disadvantages 193
L2 EtherChannel Versus L3 EtherChannel 194
Configuring Inter-VLAN Routing 194
Inter-VLAN Configuration with External Router 195
Implementation Planning 195
Inter-VLAN Configuration with SVI 197
Implementation Plan 197
Switch Virtual Interface Configuration 198
SVI Autostate 199
Configuring Routed Port on a Multilayer Switch 200
Verifying Inter-VLAN Routing 201
Troubleshooting Inter-VLAN Problems 204
Example of a Troubleshooting Plan 205
Configuration of Layer 3 EtherChannel 206
Routing Protocol Configuration 208
Verifying Routing Protocol 208
Implementing Dynamic Host Configuration Protocol in a Multilayer Switched Environment 210
DHCP Operation 211
Configuring DHCP and Verifying DHCP 212
Configure DHCP on the Multilayer Switch 212
Configure DHCP Relay 213
Verifying DHCP Operation 214
Deploying CEF-Based Multilayer Switching 215
Multilayer Switching Concepts 215
Explaining Layer 3 Switch Processing 216
CAM and TCAM Tables 217
Distributed Hardware Forwarding 220
Cisco Switching Methods 221
Route Caching 222
Topology-Based Switching 223
CEF Processing 225
CEF Operation and Use of TCAM 227
CEF Modes of Operation 227
Address Resolution Protocol Throttling 228
Sample CEF-Based MLS Operation 230
CEF-Based MLS Load Sharing 231
Configuring CEF and Verifying CEF Configuration 232
CEF-Based MLS Configuration 232
CEF-Based MLS Verification 232
Troubleshooting CEF 236
Summary 237
Review Questions 237
Chapter 5 Implementing High Availability and Redundancy in a Campus Network 243
Understanding High Availability 244
Components of High Availability 244
Redundancy 245
Technology 246
People 246
Processes 247
Tools 248
Resiliency for High Availability 249
Network-Level Resiliency 249
High Availability and Failover Times 249
Optimal Redundancy 251
Provide Alternate Paths 252
Avoid Too Much Redundancy 253
Avoid Single Point of Failure 253
Cisco NSF with SSO 254
Routing Protocols and NSF 255
Implementing High Availability 255
Distributed VLANs on Access Switches 256
Local VLANs on Access Switches 256
Layer 3 Access to the Distribution Interconnection 257
Daisy Chaining Access Layer Switches 257
StackWise Access Switches 259
Too Little Redundancy 260
Implementing Network Monitoring 262
Network Management Overview 262
Syslog 263
Syslog Message Format 265
Configuring Syslog 267
SNMP 269
SNMP Versions 270
SNMP Recommendations 272
Configuring SNMP 272
IP Service Level Agreement 273
IP SLA Measurements 273
IP SLA Operations 275
IP SLA Source and Responder 275
IP SLA Operation with Responder 275
IP SLA Responder Timestamps 277
Configuring IP SLA 277
Implementing Redundant Supervisor Engines in Catalyst Switches 280
Route Processor Redundancy 281
Route Processor Redundancy Plus 282
Configuring and Verifying RPR+ Redundancy 283
Stateful Switchover (SSO) 284
Configuring and Verifying SSO 285
NSF with SSO 286
Configuring and Verifying NSF with SSO 287
Understanding First Hop Redundancy Protocols 288
Introduction to First Hop Redundancy Protocol 288
Proxy ARP 289
Static Default Gateway 290
Hot Standby Router Protocol (HSRP) 291
HSRP States 294
HSRP State Transition 295
HSRP Active Router and Spanning Tree Topology 296
Configuring HSRP 296
HSRP Priority and Preempt 297
HSRP Authentication 298
HSRP Timer Considerations and Configuration 299
HSRP Versions 301
HSRP Interface Tracking 302
HSRP Object Tracking 304
HSRP and IP SLA Tracking 305
Multiple HSRP Groups 306
HSRP Monitoring 307
Virtual Router Redundancy Protocol 309
VRRP Operation 311
VRRP Transition Process 312
Configuring VRRP 312
Gateway Load Balancing Protocol 315
GLBP Functions 316
GLBP Features 317
GLBP Operations 318
GLBP Interface Tracking 318
GLBP Configuration 322
GLBP with VLAN Spanning Across Access Layer Switches 322
Cisco IOS Server Load Balancing 324
Cisco IOS SLB Modes of Operation 325
Configuring the Server Farm in a Data Center with Real Servers 326
Configuring Virtual Servers 328
Summary 330
Review Questions 331
Chapter 6 Securing the Campus Infrastructure 333
Switch Security Fundamentals 334
Security Infrastructure Services 334
Unauthorized Access by Rogue Devices 336
Layer 2 Attack Categories 337
Understanding and Protecting Against MAC Layer Attack 339
Suggested Mitigation for MAC Flooding Attacks 341
Port Security 341
Port Security Scenario 1 341
Port Security Scenario 2 342
Configuring Port Security 343
Caveats to Port Security Configuration Steps 344
Verifying Port Security 345
Port Security with Sticky MAC Addresses 347
Blocking Unicast Flooding on Desired Ports 348
Understanding and Protecting Against VLAN Attacks 349
VLAN Hopping 349
VLAN Hopping with Double Tagging 350
Mitigating VLAN Hopping 351
VLAN Access Control Lists 352
Configuring VACL 353
Understanding and Protecting Against Spoofing Attacks 355
Catalyst Integrated Security Features 355
DHCP Spoofing Attack 356
DHCP Snooping 358
ARP Spoofing Attack 361
Preventing ARP Spoofing Through Dynamic ARP Inspection 362
IP Spoofing and IP Source Guard 368
Configuring IPSG 370
Securing Network Switches 372
Neighbor Discovery Protocols 372
Cisco Discovery Protocol 373
Configuring CDP 373
Configuring LLDP 375
CDP Vulnerabilities 375
Securing Switch Access 376
Telnet Vulnerabilities 377
Secure Shell 377
VTY ACLs 378
HTTP Secure Server 379
Authentication Authorization Accounting (AAA) 380
Security Using IEEE 802.1X Port-Based Authentication 387
Configuring 802.1X 389
Switch Security Considerations 390
Organizational Security Policies 391
Securing Switch Devices and Protocols 391
Configuring Strong System Passwords 392
Restricting Management Access Using ACLs 392
Securing Physical Access to the Console 393
Securing Access to vty Lines 393
Configuring System Warning Banners 393
Disabling Unneeded or Unused Services 394
Trimming and Minimizing Use of CDP/LLDP 395
Disabling the Integrated HTTP Daemon 395
Configuring Basic System Logging 396
Securing SNMP 396
Limiting Trunking Connections and Propagated VLANs 396
Securing the Spanning-Tree Topology 396
Mitigating Compromises Launched Through a Switch 397
Troubleshooting Performance and Connectivity 398
Techniques to Enhance Performance 398
Monitoring Performance with SPAN and VSPAN 400
Using SPAN to Monitor the CPU Interface of Switches 403
Monitoring Performance with RSPAN 404
Monitoring Performance with ERSPAN 408
Monitoring Performance Using VACLs with the Capture Option 410
Troubleshooting Using L2 Traceroute 412
Enhancing Troubleshooting and Recovery Using Cisco IOS Embedded Event Manager 413
Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches 414
Summary 415
Review Questions 416
Chapter 7 Preparing the Campus Infrastructure for Advanced Services 419
Planning for Wireless, Voice, and Video Application in the Campus Network 420
The Purpose of Wireless Network Implementations in the Campus Network 420
The Purpose of Voice in the Campus Network 421
The Purpose of Video Deployments in the Campus Network 423
Planning for the Campus Network to Support Wireless Technologies 423
Introduction to Wireless LANs (WLAN) 423
Cisco WLAN Solutions as Applied to Campus Networks 426
Comparing and Contrasting WLANs and LANs 428
Standalone Versus Controller-Based Approaches to WLAN Deployments in the Campus Network 429
Controller-Based WLAN Solution 430
Traffic Handling in Controller-Based Solutions 433
Traffic Flow in a Controller-Based Solution 434
Hybrid Remote Edge Access Points (HREAP) 435
Review of Standalone and Controller-Based WLAN Solutions 436
Gathering Requirements for Planning a Wireless Deployment 436
Planning for the Campus Network to Support Voice 437
Introduction to Unified Communications 438
Campus Network Design Requirements for Deploying VoIP 439
Planning for the Campus Network to Support Video 440
Voice and Video Traffic 441
Video Traffic Flow in the Campus Network 442
Design Requirements for Voice, Data, and Video in the Campus Network 444
Understanding QoS 444
QoS Service Models 446
AutoQoS 447
Traffic Classification and Marking 448
DSCP, ToS, and CoS 448
Classification 449
Trust Boundaries and Configurations 450
Marking 451
Traffic Shaping and Policing 451
Policing 452
Congestion Management 453
FIFO Queuing 453
Weighted Round Robin Queuing 453
Priority Queuing 455
Custom Queuing 455
Congestion Avoidance 455
Tail Drop 456
Weighted Random Early Detection 456
Implementing IP Multicast in the Campus Network 458
Introduction to IP Multicast 459
Multicast IP Address Structure 462
Reserved Link Local Addresses 463
Globally Scoped Addresses 463
Source-Specific Multicast Addresses 463
GLOP Addresses 464
Limited-Scope Addresses 464
Multicast MAC Address Structure 464
Reverse Path Forwarding 465
Multicast Forwarding Tree 466
Source Trees 467
Shared Trees 468
Comparing Source Trees and Shared Trees 469
IP Multicast Protocols 470
PIM 470
Automating Distribution of RP 474
Auto-RP 474
Bootstrap Router 475
Comparison and Compatibility of PIM Version 1 and Version 2 476
Configuring Internet Group Management Protocol 478
IGMPv1 478
IGMPv2 478
IGMPv3 479
IGMPv3 Lite 479
IGMP Snooping 480
Preparing the Campus Infrastructure to Support Wireless 484
Wireless LAN Parameters 484
Configuring Switches to Support WLANs 484
Preparing the Campus Network for Integration of a Standalone WLAN Solution 484
Preparing the Campus Network for Integration of a Controller-Based WLAN Solution 485
Preparing the Campus Infrastructure to Support Voice 487
IP Telephony Components 487
Configuring Switches to Support VoIP 488
Voice VLANs 488
QoS for Voice Traffic from IP Phones 490
Power over Ethernet 491
Additional Network Requirements for VoIP 493
Preparing the Campus Infrastructure to Support Video 494
Video Components 494
Configuring Switches to Support Video 495
Summary 496
Review Questions 497
Appendix A: Answers to Chapter Review Questions 503
Index 509
Icons Used in This Book
[Icon legend: Router, Multilayer Switch, Server, Switch, PC, Network Cloud, Laptop, IP Phone, Access Server, PIX Firewall, Relational Database, Wireless Router, Web Server, Serial Line Connection, Ethernet Connection]
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
■ Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
■ Italic indicates arguments for which you supply actual values.
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets ([ ]) indicate an optional element.
■ Braces ({ }) indicate a required choice.
■ Braces within brackets ([{ }]) indicate a required choice within an optional element.
Introduction
Over the past several years, switching has evolved from simple Layer 3 switches to switches supporting Layer 4 through Layer 7 features, such as server load balancing, URL inspection, firewalls, VPNs, access-based control, and so on, with large port densities. The multilayer switch has become an all-in-one component of the network infrastructure. As a result of this evolution, enterprise and service providers are deploying multilayer switches in place of multiple network components, such as routers and network appliances. Switching is no longer a part of the network infrastructure; it is now the network infrastructure, with wireless as the latest evolution.
As enterprises, service providers, and even consumers deploy multilayer switching, the need for experienced and knowledgeable professionals to design, configure, and support the multilayer switched networks has grown significantly. CCNP and CCDP certifications offer the ability for network professionals to prove their competency.
CCNP and CCDP are more than résumé keywords. Individuals who complete the CCNP and CCDP certifications truly prove their experience, knowledge, and competency in networking technologies. A CCNP certification demonstrates an individual’s ability to install, configure, and operate LAN, WAN, and dial access services for midsize to large networks deploying multiple protocols. A CCDP certification demonstrates an individual’s ability to design high-performance, scalable, and highly available routed and switched networks involving LAN, WAN, wireless, and dial access services.
Both the CCNP and CCDP certification tracks require you to pass the SWITCH 642-813 exam. For the most up-to-date information about Cisco certifications, visit the following website: www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html.
Objectives and Methods
This book’s content is based on the Cisco SWITCH course that has recently been introduced as part of the CCNP curriculum; it provides knowledge and examples in the area of implementing Cisco switched networks. It is assumed that the reader possesses as much Cisco background as is covered in the Cisco ROUTE and TSHOOT courses. The content of this book is enough to prepare the reader for the SWITCH exam, too. Note that the e-learning content of the Cisco SWITCH course has been integrated into this book.
To accomplish these tasks, this text includes in-depth theoretical explanations of SWITCH topics and provides illustrative design and configuration examples. The theoretical explanations of SWITCH topics include background information, standards references, and document listings from Cisco.com. This book goes beyond just presenting the necessary information found on the certification exam and in the SWITCH course. This book attempts to present topics, theory, and examples in such a way that you truly understand the topics that are necessary to build multilayer switched networks in today’s demanding networks. The examples and questions found in the chapters of this book make you contemplate and apply concepts found in each chapter. The goal is to have you understand the topics and then apply your understanding when you attempt the certification exam or take the SWITCH course.
Chapter review questions help readers evaluate how well they absorbed the chapter content. The questions are also an excellent supplement for exam preparation.
Who Should Read This Book?
Those individuals who want to learn about modern switching techniques and want to see several relevant examples will find this book very useful. This book is most suitable for those who have some prior routing and switching knowledge but would like to learn or enhance their switching skill set. Readers who want to pass the Cisco SWITCH exam can find all the content they need to successfully do so in this book. The Cisco Networking Academy CCNP SWITCH course students use this book as their official book.
Cisco Certifications and Exams
Cisco offers four levels of routing and switching certification, each with an increasing level of proficiency: Entry, Associate, Professional, and Expert. These are commonly known by their acronyms CCENT (Cisco Certified Entry Networking Technician), CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), and CCIE (Cisco Certified Internetworking Expert). There are others, too, but this book focuses on the certifications for enterprise networks.
For the CCNP certification, you must pass exams on a series of CCNP topics, including the SWITCH, ROUTE, and TSHOOT exams. For most exams, Cisco does not publish the scores needed for passing. You need to take the exam to find that out for yourself.
To see the most current requirements for the CCNP certification, go to Cisco.com and click Training and Events. There you can find out other exam details such as exam topics and how to register for an exam.
The strategy you use to prepare for the SWITCH exam might differ slightly from strategies used by other readers, mainly based on the skills, knowledge, and experience you have already obtained. For instance, if you have attended the SWITCH course, you might take a different approach than someone who learned switching through on-the-job training. Regardless of the strategy you use or the background you have, this book helps you get to the point where you can pass the exam with the least amount of time required.
How This Book Is Organized
This book is organized such that the fundamentals of multilayer switched network design are covered in the first chapters. Thereafter, the book continues with a discussion of implementation of the design features such as VLAN, Spanning Tree, and inter-VLAN routing in the multilayer switched environment. This book is organized as follows:
■ Chapter 1, “Analyzing the Cisco Enterprise Campus Architecture”—This chapter opens with a brief introduction to Cisco campus network architectures and designs. The chapter continues with a brief review of switching terminology for campus networks, followed by an introduction to Cisco switches. The chapter then continues with a discussion of campus design fundamentals. Lastly, the chapter closes by introducing the PPDIOO Lifecycle Approach to Network Design and Implementation.
■ Chapter 2, “Implementing VLANs in Campus Networks”—This chapter covers implementation of virtual LANs (VLAN) in a given campus network, including discussions on private VLANs, VTP, and 802.1Q trunking. In addition, this chapter covers implementation of EtherChannel in an enterprise network.
■ Chapter 3, “Implementing Spanning Tree”—This chapter discusses the various Spanning Tree protocols, such as PVRST+ and MST, with overview and configuration samples. This chapter also continues the discussion with advanced Cisco STP enhancements and spanning-tree troubleshooting methodology.
■ Chapter 4, “Implementing Inter-VLAN Routing”—This chapter transitions into discussing Layer 3 switching by covering inter-VLAN routing. The chapter then continues with the discussion on Dynamic Host Configuration Protocol (DHCP). In addition, it discusses Cisco Express Forwarding (CEF)–based multilayer switching.
■ Chapter 5, “Implementing High Availability and Redundancy in a Campus Network”—This chapter covers the introduction to high availability in campus networks, followed by methodology on how to build resilient networks. This chapter continues to describe the tools available to monitor high availability such as SNMP and IP Service Level Agreement (SLA). This chapter concludes with available high availability options for switch supervisor engine and gateway redundancy protocols such as Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP).
■ Chapter 6, “Securing the Campus Infrastructure”—This chapter covers the potential campus security risks and how to mitigate them through features such as DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard. The chapter then continues to cover how to secure the switch device, and troubleshooting tools and techniques such as Switched Port Analyzer (SPAN) and Remote SPAN.
■ Chapter 7, “Preparing the Campus Infrastructure for Advanced Services”—This chapter discusses the application of advanced services to Cisco switches. The three main services discussed in this chapter are IP telephony (voice), video, and wireless. Moreover, because these advanced services require additional switch features for implementation, topics such as QoS and IP multicast are also discussed.
■ Appendix A, “Answers to Chapter Review Questions”—This appendix provides answers for the review questions that appear at the end of each chapter.
Chapter 1
Analyzing the Cisco Enterprise Campus Architecture
This chapter covers the following topics:
■ Introduction to Enterprise Campus Network Design
■ Enterprise Campus Design
■ PPDIOO Lifecycle Approach to Network Design and Implementation
Over the last half century, businesses have achieved improving levels of productivity and competitive advantages through the use of communication and computing technology. The enterprise campus network has evolved over the last 20 years to become a key element in this business computing and communication infrastructure. The interrelated evolution of business and communications technology is not slowing, and the environment is currently undergoing another stage of evolution. The complexity of business and network requirements creates an environment where a fixed model no longer completely describes the set of capabilities and services that comprise the enterprise campus network today.
Nevertheless, designing an enterprise campus network is no different than designing any large, complex system—such as a piece of software or even something as sophisticated as the international space station. The use of a guiding set of fundamental engineering principles serves to ensure that the campus design provides for the balance of availability, security, flexibility, and manageability required to meet current and future business and technological needs. This chapter introduces you to the concepts of enterprise campus designs, along with an implementation process that can ensure a successful campus network deployment.
Introduction to Enterprise Campus Network Design
Cisco has several different design models to abstract and modularize the enterprise network. However, for the content in this book the enterprise network is broken down into the following sections:
■ Core Backbone
■ Campus
■ Data Center
■ Branch/WAN
■ Internet Edge
Figure 1-1 illustrates at a high level a sample view of the enterprise network.
The campus, as a part of the enterprise network, is generally understood as that portion of the computing infrastructure that provides access to network communication services and resources to end users and devices spread over a single geographic location. It might span a single floor, a building, or even a large group of buildings spread over an extended geographic area. Some networks have a single campus that also acts as the core or backbone of the network and provides interconnectivity between other portions of the overall network. The campus core can often interconnect the campus access, the data center, and WAN portions of the network. In the largest enterprises, there might be multiple campus sites distributed worldwide with each providing both end-user access and local backbone connectivity. Figure 1-1 depicts the campus and the campus core as separate functional areas. Physically, the campus core is generally self contained. The campus itself may be physically spread out through an enterprise to reduce the cost of cabling. For example, it might be less expensive to aggregate switches for end-user connectivity in wiring closets dispersed throughout the enterprise.
Figure 1-1 High-Level View of the Enterprise Network (areas shown: Campus, Core, Data Center, Internet Edge, WAN, Branch, Teleworker, Internet)
The data center, as a part of the enterprise network, is generally understood to be a facility used to house computing systems and associated components. Examples of computing systems are servers that house mail, database, or market data applications. Historically, the data center was referred to as the server farm. Computing systems in the data center are generally used to provide services to users in the campus, such as algorithmic market data. Data center technologies are evolving quickly and adopting new technologies centered on virtualization. Nonetheless, this book focuses exclusively on the campus network of the enterprise network; consult Cisco.com for additional details about the Cisco data center architectures and technologies.
Note The campus section of the enterprise network is generally understood as that portion of the computing infrastructure that provides access to network communication services and resources to end users and devices spread over a single geographic location.
The data center module of the enterprise network is generally understood to be a facility used to house computing systems and associated components.
Note For the remainder of this text, the term enterprise campus network is referred to as simply campus network. The remainder of this text implies that all campus references are related to enterprise networks.
The branch/WAN portion of the enterprise network contains the routers, switches, and so on to interconnect a main office to branch offices and interconnect multiple main sites. Keep in mind, many large enterprises are composed of multiple campuses and data centers that interconnect. Often in large enterprise networks, connecting multiple enterprise data centers requires additional routing features and higher bandwidth links to interconnect remote sites. As such, Cisco designs now partition these designs into a grouping known as Data Center Interconnect (DCI). Branch/WAN and DCI are both out of scope of CCNP SWITCH and this book.
Internet Edge is the portion of the enterprise network that encompasses the routers, switches, firewalls, and network devices that interconnect the enterprise network to the Internet. This section includes technology necessary to connect telecommuters from the Internet to services in the enterprise. Generally, the Internet Edge focuses heavily on network security because it connects the private enterprise to the public domain. Nonetheless, the topic of the Internet Edge as part of the enterprise network is outside the scope of this text and CCNP SWITCH.
Tip The terms design and architecture are used loosely in most published texts. In this text, the term architecture implies a model. Consequently, the term design implies the actual network topology designed by a person or persons.
In review, the enterprise network is composed of five distinct areas: core backbone, campus, data center, branch/WAN, and Internet edge. These areas can have subcomponents, and additional areas can be defined in other publications or design documents. For the purpose of CCNP SWITCH and this text, the focus is only on the campus section of the enterprise network. The next section discusses regulatory standards that drive enterprise network designs and models holistically, especially the data center. This section defines early information that needs gathering before designing a campus network.
Regulatory Standards Driving Enterprise Architectures
Many regulatory standards drive enterprise architectures. Although most of these regulatory standards focus on data and information, they nonetheless drive network architectures. For example, to ensure that data is as safe as the Health Insurance Portability and Accountability Act (HIPAA) specifies, integrated security infrastructures are becoming paramount. Furthermore, the Sarbanes-Oxley Act, which specifies legal standards for maintaining the integrity of financial data, requires public companies to have multiple redundant data centers with synchronous, real-time copies of financial data.
Because the purpose of this book is to focus on campus design applied to switching, additional detailed coverage of regulatory compliance with respect to design is not covered. Nevertheless, regulatory standards are important concepts for data centers, disaster recovery, and business continuance. In designing any campus network, you need to review any regulatory standards applicable to your business prior to beginning your design. Feel free to review the following regulatory compliance standards as additional reading:
■ Sarbanes-Oxley (http://www.sarbanes-oxley.com)
■ HIPAA (http://www.hippa.com)
■ SEC 17a-4, “Records to Be Preserved by Certain Exchange Members, Brokers and Dealers”
Moreover, the preceding list is not an exhaustive list of regulatory standards but instead a list of starting points for reviewing compliance standards. If regulatory compliance is applicable to your enterprise, consult internally within your organization for further information about regulatory compliance before embarking on designing an enterprise network. The next section describes the motivation behind sound campus designs.
Campus Designs
Properly designed campus architectures yield networks that are modular, resilient, and flexible. In other words, properly designed campus architectures save time and money, make IT engineers’ jobs easier, and significantly increase business productivity.
To restate, adhering to design best practices and design principles yields networks with the following characteristics:
■ Modular: Campus network designs that are modular easily support growth and change. By using building blocks, also referred to as pods or modules, scaling the network is eased by adding new modules instead of complete redesigns.
■ Resilient: Campus network designs deploying best practices and proper high-availability (HA) characteristics have uptime of near 100 percent. Campus networks deployed by financial services might lose millions of dollars in revenue from a simple 1-second network outage.
■ Flexible: Change in business is a guarantee for any enterprise. As such, these business changes drive campus network requirements to adapt quickly. Following campus network designs yields faster and easier changes.
The next section of this text describes the legacy campus designs that led to the current-generation campus designs published today. This information is useful because it sets the groundwork for applying current-generation designs.
Legacy Campus Designs
Legacy campus designs were originally based on a simple flat Layer 2 topology with a router-on-a-stick. The concept of router-on-a-stick defines a router connecting multiple LAN segments and routing between them, a legacy method of routing in campus networks.
Nevertheless, simple flat networks have many inherent limitations. Layer 2 networks are limited and do not achieve the following characteristics:
■ Scalability
■ Security
■ Modularity
■ Flexibility
■ Resiliency
■ High Availability
A later section, “Layer 2 Switching In-Depth,” provides additional information about the limitations of Layer 2 networks.
One of the original benefits of Layer 2 switching, and building Layer 2 networks, was speed. However, with the advent of high-speed switching hardware found on Cisco Catalyst and Nexus switches, Layer 3 switching performance is now equal to Layer 2 switching performance. As such, Layer 3 switching is now being deployed at scale. Examples of Cisco switches that are capable of equal Layer 2 and Layer 3 switching performance are the Catalyst 3000, 4000, and 6500 family of switches and the Nexus 7000 family of switches.
Note With current-generation Cisco switches, Layer 3 switching performance is equal to Layer 2 switching performance in terms of throughput.
Note The Nexus families of switches are relatively new switches targeted for deployment in the data center. As such, these switches support high bandwidth in hundreds of gigabits per second. In addition, Nexus switches optionally offer low-latency switching for market data applications, Fibre Channel over Ethernet (FCoE), and advanced high-availability features. Unfortunately, because Nexus switches are targeted for data centers, they lack some features found in Catalyst switches, such as support for inline power for IP phones.
Because the Layer 3 switching performance of Cisco switches allowed for scaled networks, hierarchical designs for campus networks were developed to handle this scale effectively. The next section introduces, briefly, the hierarchical concepts in the campus. These concepts are discussed in more detail in later sections; however, a brief discussion of these topics is needed before discussing additional campus design concepts.
Hierarchical Models for Campus Design
Consider the Open System Interconnection (OSI) reference model, which is a layered model for understanding and implementing computer communications. By using layers, the OSI model simplifies the task required for two computers to communicate.
Cisco campus designs also use layers to simplify the architectures. Each layer can be focused on specific functions, thereby enabling the networking designer to choose the right systems and features for the layer. This model provides a modular framework that enables flexibility in network design and facilitates implementation and troubleshooting. The Cisco Campus Architecture fundamentally divides networks or their modular blocks into the following access, distribution, and core layers with associated characteristics:
■ Access layer: Used to grant the user, server, or edge device access to the network. In a campus design, the access layer generally incorporates switches with ports that provide connectivity to workstations, servers, printers, wireless access points, and so on. In the WAN environment, the access layer for telecommuters or remote sites might provide access to the corporate network across a WAN technology. The access layer is the most feature-rich section of the campus network because it is a best practice to apply features as close to the edge as possible. These features, which include security, access control, filters, management, and so on, are covered in later chapters.
■ Distribution layer: Aggregates the wiring closets, using switches to segment workgroups and isolate network problems in a campus environment. Similarly, the distribution layer aggregates WAN connections at the edge of the campus and provides a level of security. Often, the distribution layer acts as a service and control boundary between the access and core layers.
■ Core layer (also referred to as the backbone): A high-speed backbone, designed to switch packets as fast as possible. In current-generation campus designs, the core backbone connects other switches at a minimum of 10 Gigabit Ethernet. Because the core is critical for connectivity, it must provide a high level of availability and adapt to changes quickly. This layer’s design also provides for scalability and fast convergence.
This hierarchical model is not new and has been consistent for campus architectures for some time. In review, the hierarchical model is advantageous over nonhierarchical models for the following reasons:
■ Provides modularity
■ Easier to understand
■ Increases flexibility
■ Eases growth and scalability
■ Provides for network predictability
■ Reduces troubleshooting complexity
Figure 1-2 illustrates the hierarchical model at a high level as applied to a modeled campus network design.
The next section discusses background information on Cisco switches and begins the discussion of the role of Cisco switches in campus network design.
Impact of Multilayer Switches on Network Design
Understanding Ethernet switching is a prerequisite to building a campus network. As such, the next section reviews Layer 2 and Layer 3 terminology and concepts before discussing enterprise campus designs in subsequent sections. A subset of the material presented is a review of CCNA material.
Ethernet Switching Review
Product marketing in the networking technology field uses many terms to describe product capabilities. In many situations, product marketing stretches the use of technology terms to distinguish products among multiple vendors. One such case is the terminology of Layers 2, 3, 4, and 7 switching. These terms are generally exaggerated in the networking technology field and need careful review.
Figure 1-2 High-Level Example of the Hierarchical Model as Applied to a Campus Network (layers shown: Core, Distribution, Access)
The Layers 2, 3, 4, and 7 switching terminology correlates switching features to the OSI reference model. Figure 1-3 illustrates the OSI reference model and its relationship to protocols and network hardware.
Figure 1-3 OSI Layer Relationship to Protocols and Networking Hardware (OSI layers Application, Presentation, Session, Transport, Network, Data Link, and Physical; protocol examples: Cookie: Webshopper, TCP Port: 80 (http), IP Address: 192.168.100.1 255.255.255.0, MAC Address: 0000.0c00.0001; network component examples: content-intelligence on routers and switches, server load balancing and Layer 4–capable switches, Layer 3 switches and routers, Layer 2 switches, repeaters)
The next section provides a CCNA review of Layer 2 switching. Although this section is a review, it is a critical subject for later chapters.
Layer 2 Switching
Product marketing’s labeling of a Cisco switch as either a Layer 2 or a Layer 3 switch is no longer black and white because the terminology is not consistent with product capabilities. In review, Layer 2 switches are capable of switching packets based only on MAC addresses. Layer 2 switches increase network bandwidth and port density without much complexity. The term Layer 2 switching implies that frames forwarded by the switch are not modified in any way; however, Layer 2 switches such as the Catalyst 2960 are capable of a few Layer 3 features, such as classifying packets for quality of service (QoS) and network access control based on IP address. An example of QoS marking at Layer 4 is marking the differentiated services code point (DSCP) bits in the IP header based on the TCP port number in the TCP header. Do not be concerned with understanding the QoS technology highlighted in the preceding sentence at this point in this chapter; this terminology is covered in more detail in later chapters. To restate, Layer 2-only switches are not capable of routing frames based on IP address and are limited to forwarding frames only based on MAC address. Nonetheless, Layer 2 switches might support features that read Layer 3 information of a frame for specific features.
Legacy Layer 2 switches are limited in network scalability due to many factors. Consequently, all network devices on a legacy Layer 2 switch must reside on the same subnet and, as a result, exchange broadcast packets for address resolution purposes. Network devices grouped together to exchange broadcast packets constitute a broadcast domain. Layer 2 switches flood unknown unicast, multicast, and broadcast traffic throughout the entire broadcast domain. As a result, all network devices in the broadcast domain process all flooded traffic. As the size of the broadcast domain grows, its network devices become overwhelmed by the task of processing this unnecessary traffic. This caveat prevents network topologies from growing to more than a few legacy Layer 2 switches. Lack of QoS and security features are other factors that can prevent the use of low-end Layer 2 switches in campus networks and data centers.
However, all current and most legacy Cisco Catalyst switches support virtual LANs (VLAN), which segment traffic into separate broadcast domains and, as a result, IP subnets. VLANs overcome several of the limitations of the basic Layer 2 networks, as discussed in the previous paragraph. This book discusses VLANs in more detail in the next chapter.
Figure 1-4 illustrates an example of a Layer 2 switch with workstations attached. Because the switch is only capable of MAC address forwarding, the workstations must reside on the same subnet to communicate.
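The flooding and learning behavior described above, as an added example that is not code from the book: a small model of a Layer 2 switch that forwards on destination MAC alone, floods unknown unicast, multicast, and broadcast frames to every other port in the same broadcast domain, and keeps each VLAN as its own domain. The port numbers, VLAN numbers, and MAC addresses are constructed for the example.

```python
"""Layer 2 switch model: MAC learning, flooding scope, and VLAN broadcast domains.

Added example, not code from the book. It models how a Layer 2 switch such as
the Catalyst 2960 in Figure 1-4 forwards on destination MAC alone, floods
unknown unicast, multicast and broadcast frames to every other port in the
same broadcast domain, and how VLANs bound that flooding. Port numbers, VLAN
numbers and MAC addresses below are constructed for the example.
"""


def is_group_address(mac):
    """True for broadcast and multicast: the I/G bit (least significant bit of
    the first byte) is set, so the switch never learns or looks up the address."""
    first_byte = int(mac.split(".")[0][:2], 16)
    return bool(first_byte & 0x01)


class Layer2Switch:
    def __init__(self, port_vlan):
        # access port -> VLAN; each VLAN is a separate broadcast domain
        self.port_vlan = dict(port_vlan)
        # CAM table keyed by (vlan, mac) -> port, filled in as frames arrive
        self.cam = {}
        self.flooded = 0  # frames flooded so far; shows the cost of a big domain

    def ports_in_vlan(self, vlan, exclude):
        """All ports in the VLAN except the one the frame arrived on."""
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != exclude)

    def forward(self, in_port, src, dst):
        """Return the egress ports for a frame (src -> dst) arriving on in_port.
        Only the MAC header is consulted and the frame is never modified."""
        vlan = self.port_vlan[in_port]
        if not is_group_address(src):
            self.cam[(vlan, src)] = in_port  # learn (or relearn) the source
        if not is_group_address(dst):
            out = self.cam.get((vlan, dst))
            if out is not None:  # known unicast: one port, or none if local
                return [] if out == in_port else [out]
        # unknown unicast, multicast or broadcast: flood the whole VLAN
        self.flooded += 1
        return self.ports_in_vlan(vlan, exclude=in_port)


def broadcast_domain_size(switch, vlan):
    """Number of ports whose hosts must process every flooded frame in this VLAN."""
    return sum(1 for v in switch.port_vlan.values() if v == vlan)


if __name__ == "__main__":
    # Ports 1-3 in VLAN 10 (the 192.168.1.0/24 hosts of Figure 1-4), port 4 in VLAN 20
    sw = Layer2Switch({1: 10, 2: 10, 3: 10, 4: 20})
    print(sw.forward(1, "0000.0c00.0001", "0000.0c00.0002"))  # unknown: flood [2, 3]
    print(sw.forward(2, "0000.0c00.0002", "0000.0c00.0001"))  # learned: [1]
    print(sw.forward(3, "0000.0c00.0003", "ffff.ffff.ffff"))  # broadcast: [1, 2]
    print(sw.forward(4, "0000.0c00.0004", "0000.0c00.0001"))  # other VLAN: []
    print("flooded frames:", sw.flooded, "VLAN 10 domain:", broadcast_domain_size(sw, 10))
```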
Layer 3 Switching
Layer 3 switches include Layer 3 routing capabilities. Many of the current-generation Catalyst Layer 3 switches can use routing protocols such as BGP, RIP, OSPF, and EIGRP to make optimal forwarding decisions. A few Cisco switches that support routing protocols do not support BGP because they do not have the memory necessary for large routing tables. These routing protocols are reviewed in later chapters. Figure 1-5 illustrates a Layer 3 switch with several workstations attached. In this example, the Layer 3 switch routes packets between the two subnets.
Note Layer 2 switching:
■ Switching based on MAC address
■ Restricts scalability to a few switches in a domain
■ May support Layer 3 features for QoS or access-control
Layer 3 switching:
■ Switching based on IP address
■ Interoperates with Layer 2 features
■ Enables highly scalable designs
Figure 1-4 Layer 2 Switching (Catalyst 2960G with both workstations in the 192.168.1.0/24 subnet: Workstation 1, MAC 0000.0c00.0001, IP 192.168.1.1; Workstation 2, MAC 0000.0c00.0002, IP 192.168.1.2)
Figure 1-5 Layer 3 Switching (Catalyst 3560E routing between the 192.168.1.0/24 and 192.168.2.0/24 subnets: Workstation 1, MAC 0000.0c00.0001, IP 192.168.1.1; Workstation 2, MAC 0000.0c00.0002, IP 192.168.2.2; Workstation 3, MAC 0000.0c00.0003, IP 192.168.2.3)
Layer 4 and Layer 7 Switching
Layers 4 and 7 switching terminology is not as straightforward as Layers 2 and 3 switch-ing terminology. Layer 4 switching implies switching based on protocol sessions. In otherwords, Layer 4 switching uses not only source and destination IP addresses in switchingdecisions, but also IP session information contained in the TCP and User DatagramProtocol (UDP) portions of the packet. The most common method of distinguishing traf-fic with Layer 4 switching is to use the TCP and UDP port numbers. Server load balanc-ing, a Layer 4 to Layer 7 switching feature, can use TCP information such as TCP SYN,FIN, and RST to make forwarding decisions. (Refer to RFC 793 for explanations of TCPSYN, FIN, and RST.) As a result, Layer 4 switches can distinguish different types of IPtraffic flows, such as differentiating the FTP, Network Time Protocol (NTP), HTTP,Secure HTTP (S-HTTP), and Secure Shell (SSH) traffic.
Layer 7 switching is switching based on application information. Layer 7 switching capa-bility implies content-intelligence. Content-intelligence with respect to web browsingimplies features such as inspection of URLs, cookies, host headers, and so on. Content-intelligence with respect to VoIP can include distinguishing call destinations such as localor long distance.
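The Layer 4 decision described above, as an added example that is not code from the book: it parses the IPv4 and TCP/UDP header fields a Layer 4 switch keys on, classifies flows by port, and uses SYN, FIN, and RST to open and retire entries in a server load balancer's connection table. The packets are constructed inline with struct.pack, and the service-port table and server names are assumptions of the example.

```python
"""Layer 4 flow classification and connection tracking from raw IPv4 headers.

Added example, not code from the book. It extracts the fields a Layer 4 switch
or server load balancer reads (IP addresses, protocol, TCP/UDP ports, TCP
SYN/FIN/RST flags) and shows how those flags drive the load balancer's
connection table. Packets are constructed with struct.pack; the service-port
table and server names are constructed for the example.
"""
import struct

# Well-known ports for the services the text names (constructed lookup table)
SERVICES = {21: "FTP", 22: "SSH", 80: "HTTP", 123: "NTP", 443: "HTTPS"}

# TCP flag bits from RFC 793 and the IP protocol numbers for TCP and UDP
FIN, SYN, RST = 0x01, 0x02, 0x04
PROTO_TCP, PROTO_UDP = 6, 17


def _ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def _ipv4(src, dst, proto, payload):
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, proto, checksum, addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_tcp(src, dst, sport, dport, flags):
    """Construct an IPv4 packet (20-byte header, no options) carrying a
    20-byte TCP header with the given flags and no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return _ipv4(src, dst, PROTO_TCP, tcp)


def build_udp(src, dst, sport, dport):
    """Construct an IPv4 packet carrying an empty UDP datagram."""
    return _ipv4(src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def parse_l4(pkt):
    """Return the Layer 3/4 fields a Layer 4 switch keys on. The IPv4 version
    and IHL are checked so a truncated or malformed header is rejected."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    fields = {
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "syn": False, "fin": False, "rst": False,
    }
    l4 = pkt[ihl:]
    if fields["proto"] == PROTO_TCP and len(l4) >= 20:
        fields["sport"], fields["dport"] = struct.unpack("!HH", l4[:4])
        flags = l4[13]  # flag byte of the TCP header
        fields.update(syn=bool(flags & SYN), fin=bool(flags & FIN),
                      rst=bool(flags & RST))
    elif fields["proto"] == PROTO_UDP and len(l4) >= 8:
        fields["sport"], fields["dport"] = struct.unpack("!HH", l4[:4])
    else:
        raise ValueError("unsupported protocol or truncated Layer 4 header")
    return fields


def classify(fields):
    """Name the flow by destination port, falling back to the source port so
    that server-to-client replies land in the same class."""
    for port in (fields["dport"], fields["sport"]):
        if port in SERVICES:
            return SERVICES[port]
    return "other"


class LoadBalancer:
    """Layer 4 server load balancing: a TCP SYN opens a connection entry and
    picks a server round-robin, later segments of the same 5-tuple follow that
    entry, and FIN or RST retires it. handle() returns the server chosen for
    the packet, or None when a TCP segment belongs to no known connection."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}
        self.next_server = 0

    def handle(self, pkt):
        f = parse_l4(pkt)
        key = (f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
        if f["proto"] == PROTO_TCP:
            if f["fin"] or f["rst"]:
                return self.table.pop(key, None)
            if f["syn"] and key not in self.table:
                self.table[key] = self.servers[self.next_server % len(self.servers)]
                self.next_server += 1
            return self.table.get(key)
        # UDP has no handshake: spread datagrams by a deterministic port hash
        return self.servers[(f["sport"] + f["dport"]) % len(self.servers)]
```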
Table 1-1 summarizes the layers of the OSI model with their respective protocol data units (PDU), which represent the data exchanged at each layer. Note the difference between frames and packets and their associated OSI level. The table also contains a column illustrating sample device types operating at the specified layer.
Table 1-1 PDU and Sample Device Relationship to the OSI Model
OSI Level | OSI Layer | PDU Type | Device Example | Address
1 | Physical | Electrical signals | Repeater, transceiver | None
2 | Data link | Frames | Switches | MAC address
3 | Network | Packet | Router, multilayer switches | IP address
4 | Transport | TCP or UDP data segments | Multilayer switch load balancing based on TCP port number | TCP or UDP port numbering
7 | Application | Embedded application information in data payload | Multilayer switch using Network-Based Application Recognition (NBAR) to permit or deny traffic based on data passed by an application | Embedded information in data payload
12 Implementing Cisco IP Switched Networks (SWITCH) Foundation Learning Guide
Layer 2 Switching In-Depth
Layer 2 switching is also referred to as hardware-based bridging. In a Layer 2-only switch, ASICs handle frame forwarding. Moreover, Layer 2 switches deliver the ability to increase bandwidth to the wiring closet without adding unnecessary complexity to the network. At Layer 2, no modification is required to the frame content when going between Layer 1 interfaces, such as Fast Ethernet to 10 Gigabit Ethernet.
In review, the network design properties of current-generation Layer 2 switches include the following:
■ Designed for near wire-speed performance
■ Built using high-speed, specialized ASICs
■ Switches at low latency
■ Scalable to a topology of several switches without a router or Layer 3 switch
■ Supports Layer 3 functionality such as Internet Group Management Protocol (IGMP) snooping and QoS marking
■ Offers limited scalability in large networks without Layer 3 boundaries
Layer 3 Switching In-Depth
Layer 3 switching is hardware-based routing. Layer 3 switches overcome the inadequacies of Layer 2 scalability by providing routing domains. The packet forwarding in Layer 3 switches is handled by ASICs and other specialized circuitry. A Layer 3 switch performs everything on a packet that a traditional router does, including the following:
■ Determines the forwarding path based on Layer 3 information
■ Validates the integrity of the Layer 3 packet header via the Layer 3 checksum
■ Decrements the packet Time-To-Live (TTL) and checks it for expiration
■ Rewrites the source and destination MAC address during IP rewrites
■ Updates Layer 2 CRC during Layer 3 rewrite
■ Processes and responds to any option information in the packet such as the Internet Control Message Protocol (ICMP) record
■ Updates forwarding statistics for network management applications
■ Applies security controls and classification of service if required
Layer 3 routing requires the ability of packet rewriting. Packet rewriting occurs on any routed boundary. Figure 1-6 illustrates the basic packet rewriting requirements of Layer 3 routing in an example in which two workstations are communicating using ICMP.
Address Resolution Protocol (ARP) plays an important role in Layer 3 packet rewriting. When Workstation A in Figure 1-6 sends five ICMP echo requests to Workstation B, the following events occur (assuming all the devices in this example have yet to communicate, use static addressing versus DHCP, and there is no event to trigger a gratuitous ARP):
1. Workstation A sends an ARP request for its default gateway. Workstation A sends this ARP to obtain the MAC address of the default gateway. Without knowing the MAC address of the default gateway, Workstation A cannot send any traffic outside the local subnet. Note that, in this example, Workstation A’s default gateway is the Cisco 2900 router with two Ethernet interfaces.
2. The default gateway, the Cisco 2900, responds to the ARP request with an ARP reply, sent to the unicast MAC address and IP address of Workstation A, indicating the default gateway’s MAC address. The default gateway also adds an ARP entry for Workstation A in its ARP table upon receiving the ARP request.
3. Workstation A sends the first ICMP echo request to the destination IP address of Workstation B with a destination MAC address of the default gateway.
4. The router receives the ICMP echo request and determines the shortest path to the destination IP address.
5. Because the default gateway does not have an ARP entry for the destination IP address, Workstation B, the default gateway drops the first ICMP echo request from Workstation A. The default gateway drops packets in the absence of ARP entries to avoid storing packets that are destined for devices without ARP entries as defined by the original RFCs governing ARP.
Figure 1-6 Layer 3 Packet Rewriting (Workstation A: MAC 0000.0c00.0001, IP 192.168.1.2, gateway 192.168.1.1; Workstation B: MAC 0000.0c00.0002, IP 192.168.2.2, gateway 192.168.2.1; Cisco 2900 router interfaces: MAC 0000.0cbb.000a with IP 192.168.1.1 and MAC 0000.0cbb.000b with IP 192.168.2.1. Packet at Location A: source MAC 0000.0c00.0001, destination MAC 0000.0cbb.000a, source IP 192.168.1.2, destination IP 192.168.2.2. Packet at Location B: source MAC 0000.0cbb.000b, destination MAC 0000.0c00.0002, source IP 192.168.1.2, destination IP 192.168.2.2.)
6. The default gateway sends an ARP request to Workstation B to get Workstation B’s MAC address.
7. Upon receiving the ARP request, Workstation B sends an ARP response with its MAC address.
8. By this time, Workstation A is sending a second ICMP echo request to the destination IP of Workstation B via its default gateway.
9. Upon receipt of the second ICMP echo request, the default gateway now has an ARP entry for Workstation B. The default gateway in turn rewrites the source MAC address to itself and the destination MAC to Workstation B’s MAC address, and then forwards the frame to Workstation B.
10. Workstation B receives the ICMP echo request and sends an ICMP echo reply to the IP address of Workstation A with the destination MAC address of the default gateway.
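The ten steps above, replayed as an added example (Python written for this edition, not code from the book or from Cisco): a simplified model of one routed hop with two interfaces, an ARP table that is learned from ARP requests and replies, and the Layer 2 rewrite plus TTL decrement performed on forwarding. The interface names e0 and e1, the Packet and L3Switch classes, and the run_figure_1_6_scenario function are assumptions made for this example; the IP and MAC addresses are those of Figure 1-6.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address


@dataclass
class Packet:
    """Frame plus IP header fields that matter for the rewrite."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64
    kind: str = "icmp-echo-request"


@dataclass
class L3Switch:
    """Simplified multilayer switch: routed interfaces (name -> (network,
    interface IP, interface MAC)), an ARP table, and a forwarding routine."""
    interfaces: dict
    arp: dict = field(default_factory=dict)           # IP -> MAC
    pending_arp: list = field(default_factory=list)   # ARP requests sent out
    log: list = field(default_factory=list)

    def _egress_for(self, dst_ip: str):
        # Step 4: pick the connected interface whose subnet holds the destination
        for name, (net, _ip, _mac) in self.interfaces.items():
            if ip_address(dst_ip) in net:
                return name
        return None

    def handle_arp_request(self, sender_ip: str, sender_mac: str, target_ip: str):
        """Steps 1-2: learn the requester and answer if the target is our interface."""
        self.arp[sender_ip] = sender_mac
        for _name, (_net, ip, mac) in self.interfaces.items():
            if ip == target_ip:
                return {"reply_to": sender_mac, "ip": ip, "mac": mac}
        return None

    def handle_arp_reply(self, ip: str, mac: str):
        """Step 7: the resolved host's reply populates the ARP table."""
        self.arp[ip] = mac

    def forward(self, pkt: Packet):
        """Route pkt; returns the rewritten frame, or None when it is dropped."""
        egress = self._egress_for(pkt.dst_ip)
        if egress is None:
            self.log.append(f"no route to {pkt.dst_ip}: dropped")
            return None
        if pkt.ttl <= 1:
            self.log.append("TTL expired: dropped")
            return None
        _net, gw_ip, gw_mac = self.interfaces[egress]
        next_mac = self.arp.get(pkt.dst_ip)
        if next_mac is None:
            # Steps 5-6: no ARP entry, so the packet is dropped rather than
            # queued, and an ARP request for the destination goes out
            self.pending_arp.append((egress, gw_ip, gw_mac, pkt.dst_ip))
            self.log.append(f"no ARP entry for {pkt.dst_ip}: dropped, ARP request sent")
            return None
        # Step 9: rewrite source MAC to the egress interface, destination MAC to
        # the resolved host, decrement TTL; IP addresses are left untouched
        # (a real ASIC would also recompute the IP checksum and Layer 2 CRC)
        self.log.append(f"forwarded to {pkt.dst_ip} via {egress}")
        return Packet(src_mac=gw_mac, dst_mac=next_mac, src_ip=pkt.src_ip,
                      dst_ip=pkt.dst_ip, ttl=pkt.ttl - 1, kind=pkt.kind)


def run_figure_1_6_scenario():
    """Replay the book's steps for the first two echo requests; returns
    (first forwarded frame or None, second forwarded frame, the switch)."""
    rtr = L3Switch({
        "e0": (IPv4Network("192.168.1.0/24"), "192.168.1.1", "0000.0cbb.000a"),
        "e1": (IPv4Network("192.168.2.0/24"), "192.168.2.1", "0000.0cbb.000b"),
    })
    ws_a_ip, ws_a_mac = "192.168.1.2", "0000.0c00.0001"
    ws_b_ip, ws_b_mac = "192.168.2.2", "0000.0c00.0002"
    # Steps 1-2: A resolves its gateway; the router learns A at the same time
    gw_mac = rtr.handle_arp_request(ws_a_ip, ws_a_mac, "192.168.1.1")["mac"]
    # Steps 3-6: the first echo request is dropped and an ARP for B is sent
    first = rtr.forward(Packet(ws_a_mac, gw_mac, ws_a_ip, ws_b_ip))
    # Step 7: B answers the router's ARP request
    rtr.handle_arp_reply(ws_b_ip, ws_b_mac)
    # Steps 8-9: the second echo request is rewritten and forwarded
    second = rtr.forward(Packet(ws_a_mac, gw_mac, ws_a_ip, ws_b_ip))
    return first, second, rtr


if __name__ == "__main__":
    first, second, rtr = run_figure_1_6_scenario()
    print("\n".join(rtr.log))
    print("first:", first)
    print("second:", second)
```

Running the scenario shows the first echo request dropped (no ARP entry for 192.168.2.2, and an ARP request queued in pending_arp) and the second forwarded with the source MAC rewritten to the router's 192.168.2.0/24 interface, the destination MAC set to Workstation B, and the TTL decremented, while both IP addresses are unchanged, which matches the packet at Location B in Figure 1-6.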
Figure 1-6 illustrates the Layer 2 and Layer 3 rewriting at different places along the path between Workstation A and B. This figure and example illustrate the fundamental operation of Layer 3 routing and switching.
The primary difference between the packet-forwarding operation of a router and Layer 3 switching is the physical implementation. Layer 3 switches use different hardware components and have greater port density than traditional routers.
These concepts of Layer 2 switching, Layer 3 forwarding, and Layer 3 switching are applied in a single platform: the multilayer switch. Because it is designed to handle high-performance LAN traffic, a Layer 3 switch can be placed wherever there is a need for both a router and a switch within the network, cost effectively replacing the traditional router and router-on-a-stick designs of the past.
Understanding Multilayer Switching
Multilayer switching combines Layer 2 switching and Layer 3 routing functionality. Generally, the networking field uses the terms Layer 3 switch and multilayer switch interchangeably to describe a switch that is capable of Layer 2 and Layer 3 switching. In specific terms, multilayer switches move campus traffic at wire speed while satisfying Layer 3 connectivity requirements. This combination not only solves throughput problems but also helps to remove the conditions under which Layer 3 bottlenecks form. Moreover, multilayer switches support many other Layer 2 and Layer 3 features besides routing and switching. For example, many multilayer switches support QoS marking. Combining both Layer 2 and Layer 3 functionality and features allows for ease of deployment and simplified network topologies.
Moreover, Layer 3 switches limit the scale of spanning tree by segmenting Layer 2, which eases network complexity. In addition, Layer 3 routing protocols enable load-balancing, fast convergence, scalability, and control compared to traditional Layer 2 features.
In review, multilayer switching is a marketing term used to refer to any Cisco switch capable of Layer 2 switching and Layer 3 routing. From a design perspective, all enterprise campus designs include multilayer switches in some aspect, most likely in the core or distribution layers. Moreover, some campus designs are evolving to include an option for designing Layer 3 switching all the way to the access layer with a future option of supporting Layer 3 network ports on each individual access port. Over the next few years, the trend in the campus is to move to a pure Layer 3 environment consisting of inexpensive Layer 3 switches.
Note The remainder of this text uses the terms multilayer switch and Layer 3 switch interchangeably.
Introduction to Cisco Switches
Cisco has a plethora of Layer 2 and Layer 3 switch models. For brevity, this section highlights a few popular models used in the campus, core backbone, and data center. For a complete list of Cisco switches, consult product documentation at Cisco.com.
Cisco Catalyst 6500 Family of Switches
The Cisco Catalyst 6500 family of switches is the most popular switch family Cisco ever produced. These switches are found in a wide variety of installations, including not only campus, data center, and backbone, but also service deployments, WAN, branch, and so on in both enterprise and service provider networks. For the purpose of CCNP SWITCH and the scope of this book, the Cisco Catalyst 6500 family of switches is summarized as follows:
■ Scalable modular switch up to 13 slots
■ Supports up to 16 10-Gigabit Ethernet interfaces per slot in an over-subscription model
■ Up to 80 Gbps of bandwidth per slot in current generation hardware
■ Supports Cisco IOS with a plethora of Layer 2 and Layer 3 switching features
■ Optionally supports up to Layer 7 features with specialized modules
■ Integrated redundant and highly available power supplies, fans, and supervisor engines
■ Supports Layer 3 Non-Stop Forwarding (NSF), whereby routing peers are maintained during a supervisor switchover
■ Backward compatibility and investment protection have led to a long life cycle
Cisco Catalyst 4500 Family of Switches
The Cisco Catalyst 4500 family of switches is a vastly popular modular switch found in many campus networks at the distribution layer or in collapsed core networks of small to medium-sized networks. Collapsed core designs combine the core and distribution layers into a single area. The Catalyst 4500 is one step down from the Catalyst 6500 but does support a wide array of Layer 2 and Layer 3 features. In summary, the Cisco Catalyst 4500 family of switches is characterized as follows:
■ Scalable modular switch with up to 10 slots
■ Supports multiple 10 Gigabit Ethernet interfaces per slot
■ Supports Cisco IOS
■ Supports both Layer 2 switching and Layer 3 switching
■ Optionally supports integrated redundant and highly available power supplies and supervisor engines
Cisco Catalyst 4948G, 3750, and 3560 Family of Switches
The Cisco Catalyst 4948G, 3750, and 3560 families of switches are popular switches used in campus networks for fixed-port scenarios, most often the access layer. These switches are summarized as follows:
■ Available in a variety of fixed port configurations with up to 48 1-Gbps access layer ports and 4 10-Gigabit Ethernet interfaces for uplinks to the distribution layer
■ Supports Cisco IOS
■ Supports both Layer 2 and Layer 3 switching
■ Not architected with redundant hardware
Cisco Catalyst 2000 Family of Switches
The Cisco Catalyst 2000 family of switches consists of Layer 2-only switches that support a few Layer 3 features but not Layer 3 routing. These switches are often found in the access layer in campus networks and are summarized as follows:
■ Available in a variety of fixed port configurations with up to 48 1-Gbps access layer ports and multiple 10-Gigabit Ethernet uplinks
■ Supports Cisco IOS
■ Supports only Layer 2 switching
■ Not architected with redundant hardware
Nexus 7000 Family of Switches
The Nexus 7000 family of switches is the Cisco premier data center switch family. The product launched in 2008; thus, the Nexus 7000 software does not yet support all the features of Cisco IOS. Nonetheless, the Nexus 7000 is summarized as follows:
■ Modular switch with up to 18 slots
■ Supports up to 230 Gbps per slot
■ Supports Nexus OS (NX-OS)
■ 10-slot chassis is built on front-to-back airflow
■ Supports redundant supervisor engines, fans, and power supplies
Nexus 5000 and 2000 Family of Switches
The Nexus 5000 and 2000 families of switches are low-latency switches designed for deployment in the access layer of the data center. These switches are Layer 2-only switches today but support cut-through switching for low latency. The Nexus 5000 switches are designed for 10-Gigabit Ethernet applications and also support Fibre Channel over Ethernet (FCoE).
Hardware and Software-Switching Terminology
This book refers to the terms hardware-switching and software-switching regularly throughout the text. The industry term hardware-switching refers to the act of processing packets at any of Layers 2 through 7 via specialized hardware components referred to as application-specific integrated circuits (ASIC). ASICs can generally reach throughput at wire speed without performance degradation for advanced features such as QoS marking, ACL processing, or IP rewriting.
Note Other terms used to describe hardware-switching are in-hardware, using ASICs, and hardware-based. These terms are used interchangeably throughout the text. Multilayer switching (MLS) is another term commonly used to describe hardware-switching. The term MLS can be confusing; for example, with the Catalyst 5500, the term MLS described a legacy hardware-switching method and feature. With today’s terminology, MLS describes the capability to route and switch frames at line rate (the speed of all ports sending traffic at the same time, full-duplex, at the maximum speed of the interface) with advanced features such as Network Address Translation (NAT), QoS, access controls, and so on using ASICs.
Switching and routing traffic via hardware-switching is considerably faster than the traditional software-switching of frames via a CPU. Many ASICs, especially ASICs for Layer 3 routing, use specialized memory referred to as ternary content addressable memory (TCAM) along with packet-matching algorithms to achieve high performance, whereas CPUs simply use higher processing rates to achieve greater degrees of performance. Generally, ASICs can achieve higher performance and availability than CPUs. In addition, ASICs scale easily in switching architecture, whereas CPUs do not. ASICs integrate not only on Supervisor Engines, but also on individual line modules of Catalyst switches to hardware-switch packets in a distributed manner.
ASICs do have memory limitations. For example, the Catalyst 6500 family of switches can accommodate ACLs with a larger number of entries compared to the Catalyst 3560E family of switches due to the larger ASIC memory on the Catalyst 6500 family of switches. Generally, the size of the ASIC memory is relative to the cost and application of the switch. Furthermore, ASICs do not support all the features of the traditional Cisco IOS. For instance, the Catalyst 6500 family of switches with a Supervisor Engine 720 and an MSFC3 (Multilayer Switch Feature Card) must software-switch all packets requiring Network Address Translation (NAT) without the use of specialized line modules. As products continue to evolve and memory becomes cheaper, ASICs gain additional memory and feature support.
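To make the TCAM idea from the two paragraphs above concrete, here is an added Python model (written for this edition; not Cisco's implementation and not from the book) of a ternary match table used as an ACL: each entry stores a value and a care mask, a lookup returns the action of the first entry whose cared-about bits equal the packet key, and a fixed entry capacity stands in for the ASIC memory limit that decides how many ACL entries a platform can hold. The TcamAcl class, its key layout, and the sample entries are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class TcamEntry:
    value: int    # bit pattern that must match wherever mask has a 1
    mask: int     # 1 = care about this bit, 0 = don't care (the "ternary" part)
    action: str


class TcamAcl:
    """Ternary match table: entries are searched in order of insertion and the
    first match wins, as a hardware TCAM returns the highest-priority hit.
    Capacity models the fixed ASIC memory; beyond it, add() refuses the entry
    (on real platforms such traffic would fall back to software switching)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = []

    @staticmethod
    def key(dst_ip: str, dst_port: int, proto: int) -> int:
        # Assumed key layout for this model: 32-bit dst IP | 16-bit dst port | 8-bit protocol
        return (int(IPv4Address(dst_ip)) << 24) | (dst_port << 8) | proto

    def add(self, action: str, dst_net: str = "0.0.0.0/0",
            dst_port=None, proto=None) -> bool:
        """Install a rule; unspecified fields become don't-care bits."""
        if len(self.entries) >= self.capacity:
            return False
        net = IPv4Network(dst_net)
        value = int(net.network_address) << 24
        mask = int(net.netmask) << 24
        if dst_port is not None:
            value |= dst_port << 8
            mask |= 0xFFFF << 8
        if proto is not None:
            value |= proto
            mask |= 0xFF
        self.entries.append(TcamEntry(value, mask, action))
        return True

    def lookup(self, dst_ip: str, dst_port: int, proto: int, default: str = "deny") -> str:
        """Single pass over the table; the first entry whose cared-about bits
        match decides the action, as in a parallel TCAM compare."""
        k = self.key(dst_ip, dst_port, proto)
        for e in self.entries:
            if (k & e.mask) == e.value:
                return e.action
        return default

    def free_entries(self) -> int:
        return self.capacity - len(self.entries)


def build_sample_acl() -> TcamAcl:
    """Constructed sample: a three-entry ACL on a deliberately tiny TCAM."""
    acl = TcamAcl(capacity=3)
    acl.add("permit", "192.168.2.0/24", dst_port=80, proto=PROTO_TCP)   # web server subnet
    acl.add("permit", "192.168.0.0/16", dst_port=123, proto=PROTO_UDP)  # NTP anywhere on campus
    acl.add("deny")                                                      # explicit catch-all
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for probe in (("192.168.2.2", 80, PROTO_TCP), ("192.168.2.2", 22, PROTO_TCP),
                  ("192.168.5.9", 123, PROTO_UDP)):
        print(probe, "->", acl.lookup(*probe))
    print("room for another entry:", acl.add("permit", "10.0.0.0/8"))
```

The model also shows why ordering matters in a TCAM: the catch-all deny is installed last, so a more specific permit placed after it would never be reached, and the fourth add() returns False because the three-entry capacity is exhausted.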
For the purpose of CCNP SWITCH and campus network design, the concepts in this section are overly simplified. Use the content in this section as information for sections that refer to the terminology. The next section changes scope from switching hardware and technology to campus network types.
Campus Network Traffic Types
Campus designs are significantly tied to network size. However, traffic patterns and traffic types through each layer hold significant importance on how to shape a campus design. Each type of traffic represents specific needs in terms of bandwidth and flow patterns. Table 1-2 lists several different types of traffic that might exist on a campus network. As such, identifying traffic flows, types, and patterns is a prerequisite to designing a campus network.
Table 1-2 highlights common traffic types with a description, common flow patterns, and a denotation of bandwidth (BW). The BW column highlights on a scale of low to very high the common rate of traffic for the corresponding traffic type for comparison purposes. Note: This table illustrates common traffic types and common characteristics; it is not uncommon to find scenarios of atypical traffic types.
For the purpose of enterprise campus design, note the traffic types in your network, particularly multicast traffic. Multicast traffic for server-centric applications is generally restricted to the data center; however, whatever multicast traffic spans into the campus needs to be accounted for because it can significantly drive campus design. The next sections delve into several types of applications in more detail and their traffic flow characteristics.
Note IP multicast traffic requirements in the campus need careful review prior to any campus network design because of its high-bandwidth requirements.
Figure 1-7 illustrates a sample enterprise network with several traffic patterns highlighted as dotted lines to represent possible interconnects that might experience heavy traffic utilization.
Table 1-2 Common Traffic Types
Traffic Type | Description | Traffic Flow | BW
Network Management | Many different types of network management traffic may be present on the network. Examples include bridge protocol data units (BPDU), Cisco Discovery Protocol (CDP) updates, Simple Network Management Protocol (SNMP), Secure Shell (SSH), and Remote Monitoring (RMON) traffic. Some designers assign a separate VLAN to the task of carrying certain types of network management traffic to make network troubleshooting easier. | Traffic is found flowing in all layers. | Low
Voice (IP Telephony) | There are two types of voice traffic: signaling information between the end devices (for example, IP phones and soft switches, such as Cisco CallManager) and the data packets of the voice conversation itself. Often, the data to and from IP phones is configured on a separate VLAN for voice traffic because the designer wants to apply QoS measures to give high priority to voice traffic. | Traffic generally moves from access layer to servers in core layer or data center. | Low
IP Multicast | IP multicast traffic is sent from a particular source address to group MAC addresses. Examples of applications that generate this type of traffic are video such as IP/TV broadcasts and market data applications used to analyze trading market activity. Multicast traffic can produce a large amount of data streaming across the network. Switches need to be configured to keep this traffic from flooding to devices that have not requested it, and routers need to ensure that multicast traffic is forwarded to the network areas where it is requested. | Market data applications are usually contained within the data center. Other traffic such as IP/TV and user data flows from access layer to core layers and to the data center. | Very High
Normal Data | This is typical application traffic related to file and print services, email, Internet browsing, database access, and other shared network applications. You may need to treat this data the same or in different ways in different parts of the network, based on the volume of each type. Examples of this type of traffic are Server Message Block, Netware Core Protocol (NCP), Simple Mail Transfer Protocol (SMTP), Structured Query Language (SQL), and HTTP. | Traffic usually flows from the access layer to core layer and to the data center. | Low to Mid
Scavenger class | Scavenger class includes all traffic with protocols or patterns that exceed their normal data flows. It is used to protect the network from exceptional traffic flows that might be the result of malicious programs executing on end-system PCs. Scavenger class is also used for less than best-effort type traffic, such as peer-to-peer traffic. | Traffic patterns vary. | Mid to High
Figure 1-7 Network Traffic Types (sample enterprise network with departmental switch blocks, a server farm holding a multicast server and Cisco Unified Call Manager, IP telephony endpoints, scavenger traffic, and 1 Gbps links; types of traffic to consider: network management, IP telephony, IP multicast, normal data, scavenger class)
Figure 1-8 High-Level Peer-to-Peer Application (peer-to-peer applications: instant messaging, file sharing, IP phone calls, video conference systems)
Peer-to-Peer Applications
Some traffic flows are based on a peer-to-peer model, where traffic flows between endpoints that may be far from each other. Peer-to-peer applications include applications where the majority of network traffic passes from one end device, such as a PC or IP phone, to another through the organizational network. (See Figure 1-8.) Some traffic flows are not sensitive to bandwidth and delay issues, whereas some others require real-time interaction between peer devices. Typical peer-to-peer applications include the following:
■ Instant messaging: Two peers establish communication between two end systems. When the connection is established, the conversation is direct.
■ File sharing: Some operating systems or applications require direct access to data on other workstations. Fortunately, most enterprises are banning such applications because they lack centralized or network-administered security.
■ IP phone calls: The network requirements of IP phone calls are strict because of the need for QoS treatment to minimize jitter.
■ Video conference systems: The network requirements of video conferencing are demanding because of the bandwidth consumption and class of service (CoS) requirements.
Client/Server Applications
Many enterprise traffic flows are based on a client/server model, where connections to the server might become bottlenecks. Network bandwidth used to be costly, but today, it is cost-effective compared to the application requirements. For example, the cost of Gigabit Ethernet and 10 Gigabit is advantageous compared to application bandwidth requirements that rarely exceed 1 Gigabit Ethernet. Moreover, because the switch delay is insignificant for most client/server applications with high-performance Layer 3 switches, locating the servers centrally rather than in the workgroup is technically feasible and reduces support costs. Latency is extremely important to financial and market data applications, such as 29 West and Tibco. For situations in which the lowest latency is necessary, Cisco offers low-latency modules for the Nexus 7000 family of switches and the Nexus 5000 and 2000, which are low-latency in all variants. For the purpose of this book and CCNP SWITCH, the important take-away is that data center applications for financials and market trade can require a low latency switch, such as the Nexus 5000 family of switches.
Figure 1-9 Client/Server Traffic Flow (Client-Server Farm Applications: Building Access, Building Distribution/Campus Core, Server Farm; typical applications: mail servers, file servers, database servers; access to applications: fast, reliable, controlled (security))
Figure 1-9 depicts, at a high level, client/server application traffic flow.
In large enterprises, the application traffic might cross more than one wiring closet or LAN to access applications to a server group in a data center. Client-server farm applications apply the 20/80 rule, in which only 20 percent of the traffic remains on the local LAN segment, and 80 percent leaves the segment to reach centralized servers, the Internet, and so on. Client-server farm applications include the following:
■ Organizational mail servers
■ Common file servers
■ Common database servers for organizational applications such as human resource, inventory, or sales applications
Users of large enterprises require fast, reliable, and controlled access to critical applications. For example, traders need access to trading applications anytime with good response times to be competitive with other traders. To fulfill these demands and keep administrative costs low, the solution is to place the servers in a common server farm in a data center. The use of server farms in data centers requires a network infrastructure that is highly resilient and redundant and that provides adequate throughput. Typically, high-end LAN switches with the fastest LAN technologies, such as 10 Gigabit Ethernet, are deployed. For Cisco switches, the current trend is to deploy Nexus switches in the data center while the campus deploys Catalyst switches. The use of the Catalyst switches in the campus and Nexus in the data center is a market transition from earlier models that used Catalyst switches throughout the enterprise. At the time of publication, Nexus switches do not run the traditional Cisco IOS found on Cisco routers and switches. Instead, these switches run Nexus OS (NX-OS), which was derived from SAN-OS found on the Cisco MDS SAN platforms.
Nexus switches have a higher cost than Catalyst switches and do not support telephony, inline power, firewall, or load-balancing services, and so on. However, Nexus switches do support higher throughput, lower latency, high availability, and high-density 10-Gigabit Ethernet suited for data center environments. A later section details the Cisco switches with more information.
Client-Enterprise Edge Applications
Client-enterprise edge applications use servers on the enterprise edge to exchange data between the organization and its public servers. Examples of these applications include external mail servers and public web servers.
The most important communication issues between the campus network and the enterprise edge are security and high availability. An application that is installed on the enterprise edge might be crucial to organizational process flow; therefore, outages can result in increased process cost.
The organizations that support their partnerships through e-commerce applications also place their e-commerce servers in the enterprise edge. Communications with the servers located on the campus network are vital because of two-way data replication. As a result, high redundancy and resiliency of the network are important requirements for these applications.
Figure 1-10 illustrates traffic flow for a sample client-enterprise edge application with connections through the Internet.
Recall from earlier sections that the client-enterprise edge applications in Figure 1-10 pass traffic through the Internet edge portion of the Enterprise network.
In review, understanding the traffic flow and patterns of an enterprise is necessary prior to designing a campus network. This traffic flow and pattern ultimately shapes scale, features, and use of Cisco switches in the campus network. Before further discussion on designing campus networks, the next section highlights two Cisco network architecture models that are useful in understanding all the elements that make a successful network deployment.
Figure 1-10 Client-Enterprise Edge Application Traffic Flow (Client-Enterprise Edge Applications: Building Access, Building Distribution/Campus Core, Server Farm, Enterprise Edge; typical applications: Internet applications such as mail servers, web servers, and public Internet servers, and e-commerce applications)
Overview of the SONA and Borderless Networks
Proper network architecture helps ensure that business strategies and IT investments are aligned. As the backbone for IT communications, the network element of enterprise architecture is increasingly critical. Service-Oriented Network Architecture (SONA) is the Cisco architectural approach to designing advanced network capabilities.
Figure 1-11 illustrates SONA pictorially from a marketing perspective.
Figure 1-11 SONA Overview (Application Layer: Business Applications and Collaboration Layer, with examples such as Instant Messaging, Cisco Unified Contact Center, Cisco IP Phone, Video Delivery, Unified Messaging, and Cisco Unified MeetingPlace. Interactive Services Layer: Services Virtualization, Services Management, and Adaptive Management Services, covering Application Delivery, Application-Oriented Networking, Infrastructure Services, Security Services, Voice and Collaboration Services, Compute Services, Identity Services, Mobility Services, Storage Services, Network Infrastructure Virtualization, Infrastructure Management, and Advanced Analytics and Decision Support. Networked Infrastructure Layer: Campus, Branch, Data Center, Enterprise Edge, WAN and MAN, and Teleworker.)
SONA provides guidance, best practices, and blueprints for connecting network services and applications to enable business solutions. The SONA framework illustrates the concept that the network is the common element that connects and enables all components of the IT infrastructure. SONA outlines these three layers of intelligence in the enterprise network:
■ The Networked Infrastructure Layer: Where all the IT resources are interconnected across a converged network foundation. The IT resources include servers, storage, and clients. The network infrastructure layer represents how these resources exist in different places in the network, including the campus, branch, data center, WAN, metropolitan-area network (MAN), and telecommuter. The objective for customers in this layer is to have anywhere and anytime connectivity.
■ The Interactive Services Layer: Enables efficient allocation of resources to applications and business processes delivered through the networked infrastructure.
■ The Application Layer: Includes business applications and collaboration applications. The objective for customers in this layer is to meet business requirements and achieve efficiencies by leveraging the interactive services layer.
The common thread that links the layers is that SONA embeds application-level intelligence into the network infrastructure elements so that the network can recognize and better support applications and services.
Deploying a campus design based on the Cisco SONA framework yields several benefits:
■ Convergence, virtualization, intelligence, security, and integration in all areas of the network infrastructure: The Cisco converged network encompasses all IT technologies, including computing, data, voice, video, and storage. The entire network now provides more intelligence for delivering all applications, including voice and video. Employees are more productive because they can use a consistent set of Unified Communications tools from almost anywhere in the world.
■ Cost savings: With the Cisco SONA model, the network offers the power and flexibility to implement new applications easily, which reduces development and implementation costs. Common network services are used on an as-needed basis by voice, data, and video applications.
■ Increased productivity: Collaboration services and product features enable employees to share multiple information types on a rich-media conferencing system. For example, agents in contact centers can share a Web browser with a customer during a voice call to speed up problem resolution and increase customer knowledge using a tool such as Cisco WebEx. Collaboration has enabled contact center agents to reduce the average time spent on each call, yet receive higher customer satisfaction ratings. Another example is the cost saving associated with hosting virtual meetings using Cisco WebEx.
■ Faster deployment of new services and applications: Organizations can better deploy services for interactive communications through virtualization of storage, cloud computing, and other network resources. Automated processes for provisioning, monitoring, managing, and upgrading voice products and services help Cisco IT achieve greater network reliability and maximize the use of IT resources. Cloud computing is the next wave of new technology to be utilized in enterprise environments.
■ Enhanced business processes: With SONA, IT departments can better support and enhance business processes and resilience through integrated applications and intelligent network services. Examples include change-control processes that enable 99.999 percent network uptime.
Chapter 1: Analyzing the Cisco Enterprise Campus Architecture 27
Keep in mind, SONA is strictly a model to guide network designs. When designing the campus portion of the enterprise network, you need to understand SONA only from a high level, as most of the focus of the campus design is centered on features and functions of Cisco switching.
Cisco.com contains additional information and readings on SONA for persons seeking more details.
In October 2009, Cisco launched a new enterprise architecture called Borderless Networks. As with SONA, the model behind Borderless Networks enables businesses to transcend borders, access resources anywhere, embrace business productivity, and lower business and IT costs. One enhancement added to Borderless Networks over SONA is that the framework focuses more on growing enterprises into global companies, as noted in the term “borderless.” In terms of CCNP SWITCH, focus on a high-level understanding of SONA because Borderless Networks is a new framework. Consult Cisco.com for additional information on Borderless Networks.
In review, SONA and Borderless Networks are marketing architectures that form high-level frameworks for designing networks. For the purpose of designing a campus network, focus on terms from building requirements around traffic flow, scale, and general requirements. The next section applies a life-cycle approach to campus design and delves into more specific details about the campus designs.
Enterprise Campus Design
The next subsections detail key enterprise campus design concepts. The access, distribution, and core layers introduced earlier in this chapter are expanded on with applied examples. Later subsections of this chapter define a model for implementing and operating a network.
The tasks of implementing and operating a network are two components of the Cisco Lifecycle model. In this model, the life of the network and its components is taught from a structural angle, starting from the preparation of the network design to the optimization of the implemented network. This structured approach is key to ensuring that the network always meets the requirements of the end users. This section describes the Cisco Lifecycle approach and its impact on network implementation.
The enterprise campus architecture can be applied at the campus scale, or at the building scale, to allow flexibility in network design and facilitate ease of implementation and troubleshooting. When applied to a building, the Cisco Campus Architecture naturally divides networks into the building access, building distribution, and building core layers, as follows:
■ Building access layer: This layer is used to grant user access to network devices. In a network campus, the building access layer generally incorporates switched LAN devices with ports that provide connectivity to workstations and servers. In the WAN environment, the building access layer at remote sites can provide access to the corporate network across WAN technology.
[Figure 1-12 Enterprise Network with Applied Hierarchical Design: Enterprise Campus Architecture diagram with Data Center, Core, Distribution, and Access layers spanning Building 1 and Building 2]
■ Building distribution layer: Aggregates the wiring closets and uses switches to segment workgroups and isolate network problems.
■ Building core layer: Also known as the campus backbone, this is a high-speed backbone designed to switch packets as fast as possible. Because the core is critical for connectivity, it must provide a high level of availability and adapt to changes quickly.
Figure 1-12 illustrates a sample enterprise network topology that spans multiple buildings.
The enterprise campus architecture divides the enterprise network into physical, logical, and functional areas. These areas enable network designers and engineers to associate specific network functionality with equipment based upon its placement and function in the model.
Access Layer In-Depth
The building access layer aggregates end users and provides uplinks to the distribution layer. With the proper use of Cisco switches, the access layer may provide the following benefits:
■ High availability: The access layer is supported by many hardware and software features. System-level redundancy using redundant supervisor engines and redundant power supplies for critical user groups is an available option within the Cisco switch portfolio. Moreover, additional software features of Cisco switches offer default gateway redundancy using dual connections from access switches to redundant distribution layer switches that use first-hop redundancy protocols (FHRP) such as the Hot Standby Router Protocol (HSRP). Of note, FHRP and HSRP features are supported only on Layer 3 switches; Layer 2 switches do not participate in HSRP or FHRP and simply forward the respective frames.
■ Convergence: Cisco switches deployed in an access layer optionally support inline Power over Ethernet (PoE) for IP telephony and wireless access points, enabling customers to converge voice onto their data network and providing roaming WLAN access for users.
■ Security: Cisco switches used in an access layer optionally provide services for additional security against unauthorized access to the network through the use of tools such as port security, DHCP snooping, Dynamic Address Resolution Protocol (ARP) Inspection, and IP Source Guard. These features are discussed in later chapters of this book.
Figure 1-13 illustrates the use of the access layer deploying redundant upstream connections to the distribution layer.
[Figure 1-13 Access Layer Depicting Two Upstream Connections: Access switches each with two uplinks to the Distribution layer, which connects To Core]
Distribution Layer
Availability, fast path recovery, load balancing, and QoS are the important considerations at the distribution layer. High availability is typically provided through dual paths from the distribution layer to the core, and from the access layer to the distribution layer. Layer 3 equal-cost load sharing enables both uplinks from the distribution to the core layer to be utilized.
The distribution layer is the place where routing and packet manipulation are performed and can be a routing boundary between the access and core layers. The distribution layer represents a redistribution point between routing domains or the demarcation between static and dynamic routing protocols. The distribution layer performs tasks such as controlled routing decision making and filtering to implement policy-based connectivity and QoS. To improve routing protocol performance further, the distribution layer summarizes routes from the access layer. For some networks, the distribution layer offers a default route to access layer routers and runs dynamic routing protocols when communicating with core routers.
The distribution layer uses a combination of Layer 2 and multilayer switching to segment workgroups and isolate network problems, preventing them from affecting the core layer. The distribution layer is commonly used to terminate VLANs from access layer switches. The distribution layer connects network services to the access layer and implements policies for QoS, security, traffic loading, and routing. The distribution layer provides default gateway redundancy by using an FHRP such as HSRP, Gateway Load Balancing Protocol (GLBP), or Virtual Router Redundancy Protocol (VRRP) to allow for the failure or removal of one of the distribution nodes without affecting endpoint connectivity to the default gateway.
In review, the distribution layer provides the following enhancements to the campus network design:
■ Aggregates access layer switches
■ Segments the access layer for simplicity
■ Summarizes routing to access layer
■ Always dual-connected to upstream core layer
■ Optionally applies packet filtering, security features, and QoS features
Figure 1-14 illustrates the distribution layer interconnecting several access layer switches.
[Figure 1-14 Distribution Layer Interconnecting the Access Layer: two Distribution switches, each with uplinks To Core, interconnecting several Access switches]
[Figure 1-15 Core Layer Aggregating Distribution and Access Layers: Core, Distribution, and Access layers]
Core Layer
The core layer is the backbone for campus connectivity and is the aggregation point for the other layers and modules in the enterprise network. The core must provide a high level of redundancy and adapt to changes quickly. Core devices are most reliable when they can accommodate failures by rerouting traffic and can respond quickly to changes in the network topology. The core devices must be able to implement scalable protocols and technologies, alternative paths, and load balancing. The core layer helps in scalability during future growth.
The core should be a high-speed, Layer 3 switching environment utilizing hardware-accelerated services in terms of 10 Gigabit Ethernet. For fast convergence around a link or node failure, the core uses redundant point-to-point Layer 3 interconnections because this design yields the fastest and most deterministic convergence results. The core layer should not perform any packet manipulation in software, such as checking access lists and filtering, which would slow down the switching of packets. Catalyst and Nexus switches support access lists and filtering without affecting switching performance by supporting these features in the hardware switch path.
Figure 1-15 depicts the core layer aggregating multiple distribution layer switches and subsequently access layer switches.
In review, the core layer provides the following functions to the campus and enterprise network:
■ Aggregates multiple distribution switches in the distribution layer with the remainder of the enterprise network
■ Provides the aggregation points with redundancy through fast convergence and high availability
■ Designed to scale as the distribution and consequently the access layer scale with future growth
The Need for a Core Layer
Without a core layer, the distribution layer switches need to be fully meshed. This design is difficult to scale and increases the cabling requirements because each new building distribution switch needs full-mesh connectivity to all the distribution switches. This full-mesh connectivity requires a significant amount of cabling for each distribution switch. The routing complexity of a full-mesh design also increases as you add new neighbors.
In Figure 1-16, the distribution module in the second building of two interconnected switches requires four additional links for full-mesh connectivity to the first module. A third distribution module to support the third building would require eight additional links to support connections to all the distribution switches, or a total of 12 links. A fourth module supporting the fourth building would require 12 new links for a total of 24 links between the distribution switches. Four distribution modules impose eight interior gateway protocol (IGP) neighbors on each distribution switch.
As a recommended practice, deploy a dedicated campus core layer to connect three or more physical segments, such as buildings in the enterprise campus, or four or more pairs of building distribution switches in a large campus. The campus core helps make scaling the network easier when using Cisco switches with the following properties:
■ 10-Gigabit and 1-Gigabit density to scale
■ Seamless data, voice, and video integration
■ LAN convergence optionally with additional WAN and MAN convergence
[Figure 1-16 Scaling Without Distribution Layer: Second Building Block, 4 New Links; Third Building Block, 8 New Links, 12 Links Total, 6 IGP Neighbors; Fourth Building Block, 12 New Links, 24 Links Total, 8 IGP Neighbors]
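The link counts quoted for Figure 1-16 (4, then 8 more for 12, then 12 more for 24) fall out of a simple model: every switch in a new distribution module must be cabled to every switch in every existing module. The following Python is an added example, not code from the book, that reproduces those figures and sets them beside the linear growth of a dedicated core. The core design it assumes is the book's recommended one (each distribution switch dual-connected to a redundant core pair, with the core switches interconnected), but the exact core link count is this example's assumption, not a number from the page; IGP neighbor counts are left to the figure.

```python
from math import comb

# Constructed model (not from the book): each building distribution module is a
# redundant pair of switches, as drawn in Figure 1-16.
SWITCHES_PER_MODULE = 2


def full_mesh_new_links(modules):
    """Links the Nth distribution module adds when there is no core: every switch
    in the new module must reach every switch in each of the existing modules."""
    if modules < 2:
        return 0
    return SWITCHES_PER_MODULE * SWITCHES_PER_MODULE * (modules - 1)


def full_mesh_total_links(modules):
    """Inter-module links with all distribution modules fully meshed: one link for
    every pair of switches that sit in different modules (quadratic growth)."""
    return SWITCHES_PER_MODULE * SWITCHES_PER_MODULE * comb(modules, 2)


def core_total_links(modules, core_switches=2):
    """Assumed dedicated-core design (this example's assumption, not a figure from
    the book): every distribution switch is dual-connected to a redundant core
    pair, and the core switches are meshed among themselves. Growth is linear."""
    uplinks = modules * SWITCHES_PER_MODULE * core_switches
    return uplinks + comb(core_switches, 2)


def scaling_table(max_modules):
    """Rows of (modules, new full-mesh links, total full-mesh links,
    total links with a dedicated core) for 1..max_modules modules."""
    return [
        (n, full_mesh_new_links(n), full_mesh_total_links(n), core_total_links(n))
        for n in range(1, max_modules + 1)
    ]


if __name__ == "__main__":
    print("modules  new-mesh  total-mesh  with-core")
    for n, new, total, core in scaling_table(8):
        print(f"{n:7d}  {new:8d}  {total:10d}  {core:9d}")
```

Rows 2 through 4 of the printed table match the figure (4/4, 8/12, 12/24); the with-core column shows why the book recommends a core once there are three or more building modules: the full mesh grows with the square of the module count, the core design only with the count itself.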
Campus Core Layer as the Enterprise Network Backbone
The core layer is the backbone for campus connectivity and optionally the aggregation point for the other layers and modules in the enterprise campus architecture. The core provides a high level of redundancy and can adapt to changes quickly. Core devices are most reliable when they can accommodate failures by rerouting traffic and can respond quickly to changes in the network topology. The core devices implement scalable protocols and technologies, alternative paths, and load balancing. The core layer helps in scalability during future growth. The core layer simplifies the organization of network device interconnections. This simplification also reduces the complexity of routing between physical segments such as floors and between buildings.
Figure 1-17 illustrates the core layer as a backbone interconnecting the data center and Internet edge portions of the enterprise network. Beyond its logical position in the enterprise network architecture, the core layer constituents and functions depend on the size and type of the network. Not all campus implementations require a campus core. Optionally, campus designs can combine the core and distribution layer functions at the distribution layer for a smaller topology. The next section discusses one such example.
Small Campus Network Example
A small campus network or large branch network is defined as a network of fewer than 200 end devices, where the network servers and workstations might be physically connected to the same wiring closet. Switches in a small campus network design might not require high-end switching performance or future scaling capability.
[Figure 1-17 Core Layer as Interconnect for Other Modules of Enterprise Network: Campus Backbone (Stackable/Modular) with Layer 3 Interfaces (HSRP) interconnecting Building Access (Stackable/Modular) switches over Data and Voice VLAN Trunks (VLAN A Data/VLAN B Voice, VLAN C Data/VLAN D Voice, VLAN E Data/VLAN F Voice) and the Data Center (VLAN G, VLAN H)]
In many cases with a network of fewer than 200 end devices, the core and distribution layers can be combined into a single layer. This design limits scale to a few access layer switches for cost purposes. Low-end multilayer switches such as the Cisco Catalyst 3560E optionally provide routing services closer to the end user when there are multiple VLANs. For a small office, one low-end multilayer switch such as the Cisco Catalyst 2960G might support the Layer 2 LAN access requirements for the entire office, whereas a router such as the Cisco 1900 or 2900 might interconnect the office to the branch/WAN portion of a larger enterprise network.
Figure 1-17 depicts a sample small campus network with a campus backbone that interconnects the data center. In this example, the backbone could be deployed with Catalyst 3560E switches, and the access layer and data center could utilize Catalyst 2960G switches with limited future scalability and limited high availability.
Medium Campus Network Example
For a medium-sized campus with 200 to 1000 end devices, the network infrastructure typically uses access layer switches with uplinks to distribution multilayer switches that can support the performance requirements of a medium-sized campus network. If redundancy is required, you can attach redundant multilayer switches to the building access switches to provide full link redundancy. In the medium-sized campus network, it is best practice to use at least a Catalyst 4500 series or Catalyst 6500 family of switches because they offer high availability, security, and performance characteristics not found in the Catalyst 3000 and 2000 family of switches.
Figure 1-18 shows a sample medium campus network topology. The example depicts physical distribution segments as buildings. However, physical distribution segments might be floors, racks, and so on.
Large Campus Network Design
Large campus networks are any installation of more than 2000 end users. Because there is no upper bound to the size of a large campus, the design might incorporate many scaling technologies throughout the enterprise. Specifically, in the campus network, the designs generally adhere to the access, distribution, and core layers discussed in earlier sections. Figure 1-17 illustrates a sample large campus network scaled for size in this publication.
Large campus networks strictly follow Cisco best practices for design. The best practices listed in this chapter, such as following the hierarchical model, deploying Layer 3 switches, and utilizing the Catalyst 6500 and Nexus 7000 switches in the design, scratch only the surface of features required to support such a scale. Many of these features are still used in small and medium-sized campus networks but not to the scale of large campus networks.
Moreover, because large campus networks require more persons to design, implement, and maintain the environment, the distribution of work is generally segmented. The sections of the enterprise network previously mentioned in this chapter (campus, data center, branch/WAN, and Internet edge) are the first-level division of work among network engineers in large campus networks. Later chapters discuss many of the features that might be optional for smaller campuses but become requirements for larger networks. In addition, large campus networks require sound design and implementation plans. Design and implementation plans are discussed in upcoming sections of this chapter.
[Figure 1-18 Sample Medium Campus Network Topology: Medium Campus Network with a Campus Backbone that aggregates many building distribution submodules; Building Distribution and Building Access layers for Building 1 through Building n, connected by Trunks carrying data and voice VLAN pairs (VLAN A Data/VLAN B Voice through VLAN K Data/VLAN L Voice); Data Center with VLAN M, VLAN N, and VLAN O; distinct building distribution and campus backbone]
Data Center Infrastructure
The data center design as part of the enterprise network is based on a layered approach to improve scalability, performance, flexibility, resiliency, and maintenance. There are three layers of the data center design:
■ Core layer: Provides a high-speed packet switching backplane for all flows going in and out of the data center.
■ Aggregation layer: Provides important functions, such as service module integration, Layer 2 domain definitions, spanning tree processing, and default gateway redundancy.
■ Access layer: Connects servers physically to the network.
[Figure 1-19 Data Center Topology: Data Center Infrastructure Overview showing the Campus Core, Data Center Core, Data Center Aggregation with Service Modules, and Data Center Access with Layer 2 Clustering and NIC Teaming, Blade Chassis with Pass-Through, Blade Chassis with Integrated Switch, Mainframe with OSA, and Layer 3 Access]
Multitier HTTP-based applications supporting web, application, and database tiers of servers dominate the multitier data center model. The access layer network infrastructure can support both Layer 2 and Layer 3 topologies, and Layer 2 adjacency requirements fulfilling the various server broadcast domain or administrative requirements. Layer 2 in the access layer is more prevalent in the data center because some applications support low latency via Layer 2 domains. Most servers in the data center consist of single and dual attached one rack unit (RU) servers, blade servers with integrated switches, blade servers with pass-through cabling, clustered servers, and mainframes with a mix of oversubscription requirements. Figure 1-19 illustrates a sample data center topology at a high level.
Multiple aggregation modules in the aggregation layer support connectivity scaling from the access layer. The aggregation layer supports integrated service modules providing services such as security, load balancing, content switching, firewall, SSL offload, intrusion detection, and network analysis.
As previously noted, this book focuses on the campus network design of the enterprise network, exclusive of data center design. However, most of the topics present in this text overlap with topics applicable to data center design, such as the use of VLANs. Data center designs differ in approach and requirements. For the purpose of CCNP SWITCH, focus primarily on campus network design concepts.
The next section discusses a lifecycle approach to network design. This section does not cover specific campus or switching technologies but rather a best-practice approach to design. Some readers might opt to skip this section because of its lack of technical content; however, it is an important section for CCNP SWITCH and practical deployments.
PPDIOO Lifecycle Approach to Network Design and Implementation
PPDIOO stands for Prepare, Plan, Design, Implement, Operate, and Optimize. PPDIOO is a Cisco methodology that defines the continuous life-cycle of services required for a network.
PPDIOO Phases
The PPDIOO phases are as follows:
■ Prepare: Involves establishing the organizational requirements, developing a network strategy, and proposing a high-level conceptual architecture identifying technologies that can best support the architecture. The prepare phase can establish a financial justification for the network strategy by assessing the business case for the proposed architecture.
■ Plan: Involves identifying initial network requirements based on goals, facilities, user needs, and so on. The plan phase involves characterizing sites and assessing any existing networks and performing a gap analysis to determine whether the existing system infrastructure, sites, and the operational environment can support the proposed system. A project plan is useful for helping manage the tasks, responsibilities, critical milestones, and resources required to implement changes to the network. The project plan should align with the scope, cost, and resource parameters established in the original business requirements.
■ Design: The initial requirements that were derived in the planning phase drive the activities of the network design specialists. The network design specification is a comprehensive detailed design that meets current business and technical requirements, and incorporates specifications to support availability, reliability, security, scalability, and performance. The design specification is the basis for the implementation activities.
■ Implement: The network is built or additional components are incorporated according to the design specifications, with the goal of integrating devices without disrupting the existing network or creating points of vulnerability.
■ Operate: Operation is the final test of the appropriateness of the design. The operational phase involves maintaining network health through day-to-day operations, including maintaining high availability and reducing expenses. The fault detection, correction, and performance monitoring that occur in daily operations provide the initial data for the optimization phase.
■ Optimize: Involves proactive management of the network. The goal of proactive management is to identify and resolve issues before they affect the organization. Reactive fault detection and correction (troubleshooting) is needed when proactive management cannot predict and mitigate failures. In the PPDIOO process, the optimization phase can prompt a network redesign if too many network problems and errors arise, if performance does not meet expectations, or if new applications are identified to support organizational and technical requirements.
Note Although design is listed as one of the six PPDIOO phases, some design elements can be present in all the other phases. Moreover, use the six PPDIOO phases as a model or framework; it is not necessary to use it exclusively as defined.
Benefits of a Lifecycle Approach
The network lifecycle approach provides several key benefits aside from keeping the design process organized. The main documented reasons for applying a lifecycle approach to campus design are as follows:
■ Lowering the total cost of network ownership
■ Increasing network availability
■ Improving business agility
■ Speeding access to applications and services
The total cost of network ownership is especially important in today’s business climate. Lower costs associated with IT expenses are being aggressively assessed by enterprise executives. Nevertheless, a proper network lifecycle approach aids in lowering costs by these actions:
■ Identifying and validating technology requirements
■ Planning for infrastructure changes and resource requirements
■ Developing a sound network design aligned with technical requirements and business goals
■ Accelerating successful implementation
■ Improving the efficiency of your network and of the staff supporting it
■ Reducing operating expenses by improving the efficiency of operational processes and tools
Network availability has always been a top priority of enterprises. However, network downtime can result in a loss of revenue. Examples of where downtime could cause loss of revenue are network outages that prevent market trading during a surprise interest rate cut or the inability to process credit card transactions on Black Friday, the shopping day following Thanksgiving. The network lifecycle improves high availability of networks by these actions:
■ Assessing the network’s security state and its capability to support the proposed design
■ Specifying the correct set of hardware and software releases, and keeping them operational and current
■ Producing a sound operations design and validating network operations
■ Staging and testing the proposed system before deployment
■ Improving staff skills
■ Proactively monitoring the system and assessing availability trends and alerts
■ Proactively identifying security breaches and defining remediation plans
Enterprises need to react quickly to changes in the economy. Enterprises that execute quickly gain competitive advantages over other businesses. Nevertheless, the network lifecycle gains business agility by the following actions:
■ Establishing business requirements and technology strategies
■ Readying sites to support the system that you want to implement
■ Integrating technical requirements and business goals into a detailed design and demonstrating that the network is functioning as specified
■ Expertly installing, configuring, and integrating system components
■ Continually enhancing performance
Accessibility to network applications and services is critical to a productive environment. As such, the network lifecycle accelerates access to network applications and services by the following actions:
■ Assessing and improving operational preparedness to support current and planned network technologies and services
■ Improving service-delivery efficiency and effectiveness by increasing availability, resource capacity, and performance
■ Improving the availability, reliability, and stability of the network and the applications running on it
■ Managing and resolving problems affecting your system and keeping software applications current
Note The content of this book focuses on the prepare, plan, and design phases of the PPDIOO process as applied to building an enterprise campus network.
Planning a Network Implementation
The more detailed the implementation plan documentation is, the more likely the implementation will be a success. Although complex implementation steps usually require the designer to carry out the implementation, other staff members can complete well-documented detailed implementation steps without the direct involvement of the designer. In practical terms, most large enterprise design engineers rarely perform the hands-on steps of deploying the new design. Instead, network operations or implementation engineers are often the persons deploying a new design based on an implementation plan.
Moreover, when implementing a design, you must consider the possibility of a failure, even after a successful pilot or prototype network test. You need a well-defined, but simple, process test at every step and a procedure to revert to the original setup in case there is a problem.
Note It is best practice to lay out implementation steps in a tabular form and review those steps with your peers.
Implementation Components
Implementation of a network design consists of several phases (install hardware, configure systems, launch into production, and so on). Each phase consists of several steps, and each step should contain, but not be limited to, the following documentation:
■ Description of the step
■ Reference to design documents
■ Detailed implementation guidelines
■ Detailed roll-back guidelines in case of failure
■ Estimated time needed for implementation
Summary Implementation Plan
Table 1-3 provides an example of an implementation plan for migrating users to new campus switches. Implementations can vary significantly between enterprises. The look and feel of your actual implementation plan can vary to meet the requirements of your organization.
Each step for each phase in the implementation phase is described briefly, with references to the detailed implementation plan for further details. The detailed implementation plan section should describe the precise steps necessary to complete the phase.
Table 1-3 Sample Summary Implementation Plan

| Phase | Date, Time | Description | Implementation Details | Completed |
|---|---|---|---|---|
| Phase 3 | 12/26/2010 1:00 a.m. EST | Installs new campus switches | Section 6.2.3 | Yes |
| Step 1 | | Installs new modules in campus backbone to support new campus switches | Section 6.2.3.1 | Yes |
| Step 2 | | Interconnects new campus switches to new modules in campus backbone | Section 6.2.3.2 | Yes |
| Step 3 | | Verifies cabling | Section 6.2.3.3 | |
| Step 4 | | Verifies that interconnects have links on respective switches | Section 6.2.3.4 | |
| Phase 4 | 12/27/2010 1:00 a.m. EST | Configures new campus switches and new modules in campus backbone | Section 6.2.4.1 | |
| Step 1 | | Loads standard configuration file into switches for network management, switch access, and so on | Section 6.2.4.2 | |
| Step 2 | | Configures Layer 3 interfaces for IP address and routing configuration on new modules in campus backbone | Section 6.2.4.3 | |
| Step 3 | | Configures Layer 3 interfaces for IP address and routing info on new campus switches | Section 6.2.4.4 | |
| Step 4 | | Configures Layer 2 features such as VLAN, STP, and QoS on new campus switches | Section 6.2.4.5 | |
| Step 5 | | Tests access layer ports on new campus switches by piloting access for a few enterprise applications | Section 6.2.4.6 | |
| Phase 5 | 12/28/2010 1:00 a.m. EST | Production implementation | Section 6.2.5 | |
| Step 1 | | Migrate users to new campus switches | Section 6.2.5.1 | |
| Step 2 | | Verifies migrated workstations can access enterprise applications | Section 6.2.5.2 | |
Detailed Implementation Plan
A detailed implementation plan describes the exact steps necessary to complete the implementation phase. It must include steps to verify and check the work of the engineers implementing the plan. The following list illustrates a sample network implementation plan:
Section 6.2.4.6, “Configure Layer 2 features such as VLAN, STP, and QoS on new campus switches”
■ Number of switches involved: 8
■ Refer to Section 1.1 for physical port mapping to VLAN
■ Use configuration template from Section 4.2.3 for VLAN configuration
■ Refer to Section 1.2 for physical port mapping to spanning-tree configuration
■ Use configuration template from Section 4.2.4 for spanning-tree configuration
■ Refer to Section 1.3 for physical port mapping to QoS configuration
■ Use configuration template from Section 4.2.5 for QoS configuration
■ Estimate configuration time to be 30 minutes per switch
■ Verify configuration, preferably by another engineer
This section highlighted the key concepts around PPDIOO. Although this topic is not a technical one, the best practices highlighted will go a long way with any network design and implementation plan. Poor plans will always yield poor results. Today’s networks are too critical for business operations not to plan effectively. As such, reviewing and utilizing the Cisco Lifecycle will increase the likelihood of a successful network implementation.
Summary
Evolutionary changes are occurring within the campus network. One example is the migration from a traditional/Layer 2 access-switch design (with its requirement to span VLANs and subnets across multiple access switches) to a virtual switch-based design. Another is the movement from a design with subnets contained within a single access switch to the routed-access design. This evolution requires careful planning and deployment. Hierarchical design requirements along with other best practices are detailed throughout the remainder of this book to ensure a successful network.
As the network evolves, new capabilities are added, such as virtualization of services or mobility. The motivations for introducing these capabilities to the campus design are many. The increase in security risks, the need for a more flexible infrastructure, and the change in application data flows have all driven the need for a more capable architecture. However, implementing the increasingly complex set of business-driven capabilities and services in the campus architecture can be challenging if done in a piecemeal fashion. Any successful architecture must be based on a foundation of solid design theory and principles. For any enterprise business involved in the design and operation of a campus network, the adoption of an integrated approach based on solid systems design principles is a key to success.
Review Questions
Use the questions here to review what you learned in this chapter. The correct answers are found in Appendix A, “Answers to Chapter Review Questions.”
1. Which part of the enterprise network is understood as the portion of the network infrastructure that provides access to services and resources to end users and devices that are spread over a single geographic location?
a. Campus
b. Data center
c. Branch/WAN
d. Internet Edge
2. Which part of the enterprise network is generally understood to be the facility used to house computing systems and associated components and was originally referred to as the server farm?
a. Campus
b. Data center
c. Branch/WAN
d. Internet Edge
3. This area of the enterprise network was originally referred to as the server farm.
a. Campus
b. Data center
c. Branch/WAN
d. Internet Edge
4. Which of the following are characteristics of a properly designed campus network?
a. Modular
b. Flexible
c. Scalable
d. Highly available
5. Layer 2 networks were originally built to handle the performance requirements of LAN interconnectivity, whereas Layer 3 routers could not accommodate multiple interfaces running at near wire-rate speed. Today, Layer 3 campus LAN networks can achieve the same performance as Layer 2 campus LAN networks due to the following technology change:
a. Layer 3 switches are now built using specialized components that enable similar performance for both Layer 2 and Layer 3 switching.
b. Layer 3 switches can generally switch packets faster than Layer 2 switches.
c. Layer 3 switches are now built using multiple virtual routers enabling higher speed interfaces.
6. Why are Layer 2 domains popular in data center designs?
a. Data centers do not require the same scalability as the campus network.
b. Data centers do not require fast convergence.
c. Data centers place heavier emphasis on low latency, whereas some applications operate at Layer 2 in an effort to reduce Layer 3 protocol overhead.
d. Data center switches such as the Nexus 7000 are Layer 2-only switches.
7. In the context of CCNP SWITCH and this book, what number of end devices or users qualifies as a small campus network?
a. Up to 200 users
b. Up to 2000 users
c. Between 500 to 2500 users
d. Between 1000 to 10,000 users
8. In the context of CCNP SWITCH and this book, what number of end devices or users qualifies as a medium-sized campus network?
a. A message digest encrypted with the sender’s private key
b. Up to 200 users
c. Up to 2000 users
d. Between 500 to 2500 users
e. Between 1000 to 10,000 users
9. Why are hierarchical designs used with layers as an approach to network design?
a. Simplification of large-scale designs.
b. Reduce complexity of troubleshooting analysis.
c. Reduce costs by 50 percent compared to flat network designs.
d. Packets that move faster through layered networks reduce latency for applications.
10. Which of the following is not a Layer 2 switching feature? You might need to consult later chapters for guidance in answering this question; there might be more than one answer.
a. Forwarding based upon the destination MAC address
b. Optionally supports frame classification and quality of service
c. IP routing
d. Segmenting a network into multiple broadcast domains using VLANs
e. Optionally applies network access security
11. Which of the following switches support(s) IP routing?
a. Catalyst 6500
b. Catalyst 4500
c. Catalyst 3750, 3560E
d. Catalyst 2960G
e. Nexus 7000
f. Nexus 5000
12. Which of the following switches support(s) highly available power via integrated redundant power?
a. Catalyst 6500
b. Catalyst 4500
c. Catalyst 3750, 3560E
d. Catalyst 2960G
e. Nexus 7000
f. Nexus 5000
13. Which of the following switches support(s) redundant supervisor/routing engines?
a. Catalyst 6500
b. Catalyst 4500
c. Catalyst 3750, 3560E
d. Catalyst 2960G
e. Nexus 7000
f. Nexus 5000
14. Which of the following switches use(s) a modular architecture for additional scalability and future growth?
a. Catalyst 6500
b. Catalyst 4500
c. Catalyst 3750, 3560E
d. Catalyst 2960G
e. Nexus 7000
f. Nexus 5000
15. Which of the following traffic generally utilizes more network bandwidth than other traffic types?
a. IP telephony
b. Web traffic
c. Network Management
d. Apple iPhone on Wi-Fi campus network
e. IP multicast
16. Which of the following are examples of peer-to-peer applications?
a. Video conferencing
b. IP phone calls
c. Workstation-to-workstation file sharing
d. Web-based database application
e. Inventory management tool
17. Which of the following are examples of client-server applications?
a. Human resources user tool
b. Company wiki
c. Workstation-to-workstation file sharing
d. Web-based database application
e. Apple iTunes media sharing
18. A small-sized campus network might combine which two layers of the hierarchical model?
a. Access and distribution
b. Access and core
c. Core and distribution
19. In a large-sized enterprise network, which defined layer usually interconnects the data center, campus, Internet edge, and branch/WAN sections?
a. Specialized access layer
b. Four fully meshed distribution layers
c. Core backbone
20. Which layer of the campus network are Layer 2 switches most likely to be found in a medium-sized campus network, if at all?
a. Core layer
b. Distribution layer
c. Access layer
21. SONA is an architectural framework that guides the evolution of _____?
a. Enterprise networks to integrated applications
b. Enterprise networks to a more intelligent infrastructure
c. Commercial networks to intelligent network services
d. Enterprise networks to intelligent network services
e. Commercial networks to a more intelligent infrastructure
22. Which are the three layers of SONA?
a. Integrated applications layer
b. Application layer
c. Interactive services layer
d. Intelligent services layer
e. Networked infrastructure layer
f. Integrated transport layer
23. Which of the following best describe the core layer as applied to the campus network?
a. A fast, scalable, and highly available Layer 2 network that interconnects the different physical segments, such as buildings, of a campus
b. A point-to-multipoint link between the headquarters and the branches, usually based on a push technology
c. A fast, scalable, and highly available Layer 3 network that interconnects the different physical segments, such as buildings, of a campus
d. The physical connections between devices, also known as the physical layer
24. Which of the following best describes the relationship between the data center and the campus backbone?
a. The campus backbone interconnects the data center to the campus core layer.
b. The data center devices physically connect directly to the Enterprise Distribution Layer switches.
c. The data center devices physically connect to access switches.
d. The data center devices connection model is different from the Layer 3 model used for the rest of the enterprise network.
25. List the phases of the Cisco Lifecycle approach in the correct order.
a. Propose
b. Implement
c. Plan
d. Optimize
e. Prepare
f. Inquire
g. Design
h. Document
i. Operate
26. Which three are considered to be technical goals of the Cisco Lifecycle approach?
a. Improving security
b. Simplifying network management
c. Increasing competitiveness
d. Improving reliability
e. Increasing revenue
f. Improving customer support
27. When implementing multiple complex components, which of the following is the most efficient approach per the PPDIOO model?
a. Implement each component one after the other, test to verify at each step.
b. Implement all components simultaneously for efficiency reasons.
c. Implement all components on a per physical location approach.
This page intentionally left blank
Index
Numerics
802.1Q Frame, 70802.1Q trunking, 70–72
configuring, 74–752000 series Catalyst switches, 164500 series Catalyst switches, 166500 series Catalyst switches, 15
A
AAA, 380accounting, 382–387authentication, 381–384authorization, 381–386
access layer (data center design), 7, 36access layer switches
daisy chaining, 257–259insufficient redundancy, 260–261StackWise technology, 259
access ports, assigning to VLANs, 63access switches, implementing VLAN
high availability, 256accounting, 382–387address structure, IP multicast,
462–463globally scoped addresses, 463GLOP addresses, 464limited scope addresses, 464MAC addresses, 464–465
reserved local link addresses, 463source–specific multicast
addresses, 463advertisement requests, VTP message
types, 84aggregation layer (data center
design), 36Aggressive mode (UDLD), 162
versus Loop Guard, 165–166alternate paths, providing
redundancy, 252alternate port (RSTP), 128Application layer (SONA), 26APs (access points), HREAP,
435–436ARP, 13–14ARP spoofing attacks, protecting
against, 361–368ARP throttling, 228–229ASICs, 17assigning access ports to
VLANs, 63AT (adjacency table), 226attacks
ARP spoofing attacks, protectingagainst, 361–368
DHCP spoofing attacks, protectingagainst, 356–358
IP spoofing attacks, protectingagainst, 368–372
Layer 2, 337MAC layer attacks, 339, 341spoofing attacks, 338–339switch device attacks, 339
VLAN hopping, 349mitigating, 351–352protecting against, 350with double tagging, 350–351
authentication, 381configuring, 383–384HSRP, 298IEEE 802.X, 387–390VTP, 84
authorization, 381–386Auto-RP, 474–475automating RP distribution, 474AutoQoS, 447–448autostate exclude feature (SVIs), 200AVPs (attribute-value pairs), 382
B
backbone, 7campus core layer, 33
backup port (RSTP), 128best practices
STP operation, 168, 170trunking, 73–74VLAN design, 59–60VTP, 84
best-effort service, 446bidir-PIM, 473–474black holes, preventing, 162–163blocking state (STP), 123Borderless Networks, 27BPDU Filtering, 153–155BPDU Guard, 151–153branch WAN, 3bridge identifier (PVRST+), 136–137broadcast transmission, 459BSR (bootstrap router), 475–476building layers in Cisco Campus
Architecture access layer, 27–29core layer, 28distribution layer, 28
BVI (bridge virtual interface), 186
C
CAM tables, 217–219campus, 2campus networks, 3
Cisco Campus Architecture, 6–7access layer, 29core layer, 31–33distribution layer, 29–30
Cisco Unified Wireless Network,426–427
implementing VLAN technologies,52–53
IP multicast, 459–461address structure, 462–464group membership, 461MAC address structure,
464–465PIM, 470–478RPF, 465–466shared trees, 468–470source trees, 467–468
large campus network example,34–35
legacy designs, 5–6medium campus network
example, 34planning VLAN implementation,
58–59QoS, 445
congestion avoidance, 455–457congestion management,
453–455for voice traffic from IP phones,
configuring, 490–491marking, 451policing, 451–453service models, 446traffic shaping, 451–453
small campus network example,33–34
traffic types, 18–20trunking, 68–69video
design requirements, 444planning for, 440–441
510 attacks
purpose of, 423support, planning for, 494–495switch support, configuring,
495–496traffic flow, 442–443traffic profiles, 441–442
voiceCisco Unified
Communications, 438–439purpose of, 421–423support for, planning,
437–438VoIP, design requirements,
439–440wireless implementation, purpose
of, 420–421WLANs
controller-based solutions,433–435
HREAP, 435–436requirements gathering,
436–437CAPWAP (Control and Provisioning
of Wireless Access Points), 433Catalyst switches. See Cisco Catalyst
switchesCDP (Cisco Discovery Protocol)
configuring, 373–374vulnerabilities, 375–376
CEF (Cisco Express Forwarding), 222ARP throttling, 228–229example, 230–231MLS load sharing, 231–232modes of operation, 227and TCAM, 227troubleshooting, 236
CEF-based MLS, deploying, 215central CEF mode, 227Cisco AutoQoS, 447–448Cisco Campus Architecture, 6–7
building access layer, 29core layer, 31
as backbone, 33need for, 32
distribution layer, 29–30in large campus networks, 34–35
in medium campus networks, 34in small campus networks, 33–34layers, 27
Cisco Catalyst 2000 switches, 16Cisco Catalyst 3560 switches, 16Cisco Catalyst 3750 switches, 16Cisco Catalyst 4500 switches, 16Cisco Catalyst 4948G switches, 16Cisco Catalyst 6500 switches, 15
NAM module, performancemonitoring, 414–415
Cisco Catalyst Integrated Security, 355
Cisco Catalyst switchesCPU interface, monitoring with
SPAN, 403–404DHCP snooping, enabling, 358–361inter-VLAN routing support, 186IP multicast, configuring, 482–483port security, 341
configuring, 344–345implementing, 341–342sticky MAC address feature,
347–348verifying, 345–346
Supervisor Engine, implementingredundancy, 280–288
unicast flooding, blocking on desiredports, 348–349
VLAN support matrix, 60Voice VLAN feature, configuring,
488–490Cisco Enterprise Architecture,
security best practices, 335–336Cisco inline power (PoE), 492Cisco IOS
Private VLANs, configuring, 91–92SLB, 324–330
Cisco IP Phones, VoIP requirements,493–494
Cisco Lifecycle model, 27PDIOO, 37–39
Cisco NSFand routing protocols, 255with SSO, 254
Cisco NSF 511
Cisco Unified Communications,438–439
Cisco Unified Wireless Network,426–427
classification, 449–450client-enterprise edge applications,
traffic, 23–24client/server applications, traffic,
21–23commands
port-channel load-balance, 110show etherchannel summary, 108show interfaces, 65show ip route, 209show vlan, 63show vtp counters, 86show vtp status, 85switchport, 63switchport host, 74verifying trunking configurations, 76
communication issues, troubleshootingVLANs, 68
community Private VLANs, 88–89comparing
end-to-end VLANs and local VLANs,56–57
LANs and WLANs, 428–429PIM versions, 476–478source and shared trees, 469–470standalone and controller-based
WLAN deployments, 429–436components of high availability
people, 246–247processes, 247–248redundancy, 245–246technology, 246tools, 248
configuring802.1Q trunking, 74–75AAA accounting, 386–387AAA authentication, 383–384AAA authorization, 384–386Catalyst switches, video support,
495–496CDP, 373–374
CEF, 232–236Cisco IOS SLB
server farms, 326–328virtual servers, 328–330
DAI, 365–368DHCP in multilayer switched
environment, 210–215DHCP snooping, 358–361EtherChannel
guidelines for, 105–106Layer 2, 106–107
Flex Links, 166–167GLBP, 322–324HSRP, 296–301IEEE 802.1X, 389–390IGMP snooping, 481–482inter-VLAN routing
verifying configuration,201–203
with external router, 195–197with SVI, 197–200
IP multicast on Catalyst switches,482–483
IP SLA, 277–280IP Source Guard, 370–372L3 EtherChannel, 206–208link aggregation with EtherChannel,
97–98MST, 145–150NSF with SSO, 287–288PIM
sparse mode, 483sparse-dense mode, 483–484
port channels with EtherChannel, 105port security, 344–345PortFast, 138–139Private VLANs, 90–91
in Cisco IOS, 91–92PVRST+, 140–141QoS for voice traffic from IP phones,
490–491routed ports, 193
on multilayer switches, 200–201RPR+, 283SNMP, 272–273
512 Cisco Unified Communications
SSO, 285–286STP, 137
Loop Guard, 160syslog, 267–268UDLD, 164–165VACLs, 353–354VLANs, 60–63VoIP
switch support, 488Voice VLANs, 488–490
VRRP, 312, 315VTP, 85–86WLANs, controller-based, 484–486
congestion avoidance, 455tail drop, 456WRED, 456–457
congestion management, 453FIFO queuing, 453priority queuing, 455weighed round robin queuing,
453–455controller-based WLAN deployment
comparing to standalone deployment,429–433, 436
traffic flow, 434–435traffic handling, 433
controller-based WLANsswitch support, configuring,
484–486core layercore layer (Cisco Campus
Architecture), 7, 31, 36as backbone, 33need for, 32
CoS, trust boundaries, 450CoS bits, 448CPU interface (switches), monitoring
with SPAN, 403–404CQ (Custom Queuing), 455CST (Common Spanning Tree), 120
D
DAI (Dynamic ARP Inspection)ARP spoofing attacks, protecting
against, 362–368
configuring, 365–368daisy chaining access layer switches,
257–259data center, 3, 35–36dCEF mode, 228DEC STP, 120default gateways, 290delay, 445deleting VLAN global configuration
model, 62Dense Mode (PIM), 471–472deploying CEF-based MLS, 215Design phase (PDIOO), 37design requirements for campus
networksvoice, data and video, 444VoIP, 439–440
designated port (RSTP), 123, 127DHCP (Dynamic Host Configuration
Protocol), configuring inmultilayer switched environment, 210–215
DHCP snooping, enabling, 358–361
DHCP spoofing attacks, protectingagainst, 356, 358
DiffServ, 446directed mode (Cisco IOS SLB), 326disabled port (RSTP), 128disabled state (STP), 124discarding state (RSTP), 126dispatched mode (Cisco IOS
SLB), 326displaying
information about interfaceconfiguration, 65
MAC address table information, 66port information for trunking, 76switch port information,
66, 76trunk information for ports, 77
Distributed Forwarding Cards (DFC), 224
distributed hardware forwarding,220–221
distributed switching, 224
distributed switching 513
distributed VLANs on accessswitches, implementing highavailability, 256
distribution layer (Cisco CampusArchitecture), 7, 29–30
distribution treesshared trees, 468–470source trees, 467–468
drop adjacencies, 226DSCP, trust boundaries, 450DSCP bits, 448DTP (Dynamic Trunking Protocol)
trunking modes, 72–73VLAN ranges and mappings, 73
duplex mismatches, troubleshooting,172
E
edge ports, 131EEM (Embedded Event Manager) as
troubleshooting tool, 413–414end-to-end VLAN, 54–55
versus local VLANs, 56–57enhanced PoE, 492enhancements to STP, 150–151
BPDU Filtering, 153–155BPDU Guard, 152–153Root Guard, 155–157
enhancing performance, 398–399enterprise networks
branch/WAN, 3campus, 3campus networks
Cisco Campus Architecture,6–7, 29–33
large campus network example,34–35
legacy designs, 5–6medium campus network
example, 34small campus network example,
33–34traffic types, 18, 20
Cisco Lifecycle model, 27core backbone, 2
data center, 3, 35–36Internet Edge, 3–4regulatory standards, 4SONA architecture, 25–27
ERSPAN performance, monitoring,408–410
EtherChannel, 98–101configuring
guidelines, 105–106Layer 2, 106–107link aggregation, 97–98port channels, 105
L2 versus L3, 194L3, configuring, 206–208LACP, 101–104load balancing options, 110–112PAgP (Port Aggregation Protocol),
101–102verifying, 108–110
evolution of STP, 119–121exact-match region (TCAM), 219example of CEF operation, 230–231excessive redundancy, avoiding, 253EXCLUDE mode (IGMPv3), 479external routers, inter-VLAN routing,
186–190configuring, 195–197
F
failover time of high-availabilityprotocols, 249–250
fast switching, 222FCOE (Fibre Channel over Ethernet), 6FIB, 226FIFO queuing, 453first hop redundancy protocols
default gateways, 290GLBP, 315–318
configuring, 322–324interface tracking, 318–322
HSRP, 291–293authentication, 298configuring, 296–301interface tracking, 302–304IP SLA tracking, 305
514 distributed VLANs on access switches, implementing high availability
monitoring, 307–309multiple groups, 306–307object tracking, 304–305spanning-tree topology, 296state transition, 295states, 294versions, 301
Proxy ARP, 289–290VRRP, 309–312
configuring, 312, 315transition processes, 312
first-match region (TCAM), 220Flex Links, 166–167forwarding loops, preventing with
Loop Guard, 158–161forwarding state
RSTP, 126STP, 124
frame corruption, troubleshooting,173
G
Get Bulk Requests (SNMP), 271GLBP, 315–317
configuring, 322–324interface tracking, 318–322
global configuration mode, deletingVLANs, 62
globally scoped addresses, 463GLOP addresses, 464
H
hardware-switching, 17hierarchical campus design models,
Cisco Campus Architecture, 6–7hierarchical networks, mapping
VLANs to, 57–58high availability
access layer switchesdaisy chaining, 257–259insufficient redundancy,
260–261StackWise technology, 259
distributed VLANs on accessswitches, 256
failover times, 249–250local VLANs on access
switches, 256people, 246–247processes, 247–248redundancy, 245–246, 251
alternate paths, providing, 252Cisco NSF with SSO, 254excessive, avoiding, 253in Catalyst switch Supervisor
Engines, 280–288single points of failover,
avoiding, 253resiliency, 249technology, 246tools, 248
HIPAA (Health Insurance Portabilityand Accountability Act), 4
HREAP (Hybrid Remote Edge AccessPoints), 435–436
HSRP (Hot Standby RoutingProtocol), 291–293
authentication, 298configuring, 296–301interface tracking, 302–304IP SLA tracking, 305monitoring, 307–309multiple groups, 306–307object tracking, 304–305spanning-tree topology, 296state transition, 295states, 294versions, 301
HTTPS, 379–380
I
IANA (Internet Assigned NumbersAuthority), 462
IEEE 802.1w. See RSTP (Rapid STP)IEEE 802.1X standard, 387–390
configuring, 389–390IEEE 802.3af standard, 492
IEEE 802.3af standard 515
IGMP snooping, 480–482IGMPv1, 478IGMPv2, 478IGMPv3, 479IGMPv3 Lite, 479–480Implement phase (PDIOO), 37implementing
inter-VLAN troubleshooting plans,205–206
port security, scenarios, 341–342
VLANs in campus networks, 52–53
implementing network design, 39example, 40–43
INCLUDE mode (IGMPv3), 479Inform Requests (SNMP), 271inline PoE, 492–493insufficient redundancy,
260–261Inter-Switch Link (ISL), 53inter-VLAN routing, 184–186
support for on Catalyst switches, 186troubleshooting, 205–206verifying configuration, 201–203with external router, configuring,
195–197with external routers, 186–190with routed ports, 192–193with SVIs, 190–192
configuring, 197–200Interactive Services layer
(SONA), 26interface config, displaying
information, 65interface tracking
GLBP, 318–322HSRP, 302–304
Internet Edge, 3–4IntServ, 446IP multicast, 459–461
address structure, 462–463globally scoped addresses, 463GLOP addresses, 464limited-scope addresses, 464
reserved local link addresses,463
source-specific multicastaddresses, 463
configuring on Catalyst switches,482–483
distribution treesshared trees, 468–470source trees, 467–468
group membership, 461IGMP, 478–480IGMP snooping, 480–482MAC address structure, 464–465PIM, 470
Auto-RP, 474–475automatic RP distribution, 474bidir-PIM, 473–474BSR, 475–476PIM-DM, 471–472PIM-SM, 472–473sparse mode, configuring, 483sparse-dense mode, 473sparse-dense mode,
configuring, 483–484versions, comparing, 476–478
RPF, 465–466traffic, 19
IP phonesvoice traffic, configuring QoS,
490–491VoIP requirements, 493–494
IP SLAs, 273–274configuring, 277–280responder timestamps, 277responders, 275–276tracking, HSRP, 305
IP Source Guardconfiguring, 370–372IP spoofing attacks, protecting
against, 368–372IP telephony components, 487–488IPSs, 401ISL (Inter-Switch Link), 53ISM (Industrial, Scientific, and
Medical) bands, 424isolated Private VLANs, 88–89
516 IGMP snooping
J-K-L
jitter, 445
L2 EtherChannel configuring, 106–107versus L3, 194
L2 traceroute as troubleshooting tool,412–413
L3 EtherChannelconfiguring, 206–208versus L2, 194
L3 packet forwardingCEF, 222, 225–227
and TCAM, 227ARP throttling, 228–229modes of operation, 227
fast switching, 222process switching, 221
L3 switching, distributed hardwareforwarding, 220–221
LACP, 101–104LANs, 425
comparing to WLANs, 428–429large campus network example,
34–35Layer 2 attack categories, 337
MAC layer attacks, 339–341spoofing attacks, 338–339switch device attacks, 339
Layer 2 forwarding in MLSenvironment, 215
Layer 2 switching, 8–9, 12Layer 3 forwarding in MLS
environment, 216Layer 3 switch processing, 216–217Layer 3 switches
packet rewriting, 13–14route caching, 222topology-based switching, 223–224
Layer 3 switching, 10, 12Layer 4 switching, 11Layer 7 switching, 11learning state (RSTP), 126learning state (STP), 124
legacy campus designs, 5–6lifecycle approach to network design,
PDIOO, 37–39limitations of ASICs, memory, 17limited scope addresses, 464link aggregation
configuring with EtherChannel, 97–98listening state (STP), 124load balancing
EtherChannel, 110–112SLB, 324–325
configuring, 326–328virtual servers, configuring,
328–330load sharing, CEF-based MLS load
sharing, 231–232local VLANs, 55–56
on access switches, implementinghigh availability, 256
versus end-to-end VLANs, 56–57longest-match region (TCAM), 220Loop Guard, 158–161
versus UDLD Aggressive mode,165–166
loop prevention, STPbest practices, 168–170troubleshooting, 171–178
M
MAC address structureIP multicast, 464–465table information, displaying, 66
MAC layer attacks, protectingagainst, 339–341
MANs, 425mapping VLANs to hierarchical
networks, 57–58, 73marking, 451measuring performance, IP SLAs,
273–275configuring, 277–280responder timestamps, 277responders, 275–276
medium campus network example, 34memory, ASIC limitations, 17
memory, ASIC limitations 517
messagesSNMP, 270syslog, 265–267VTP, 83
advertisement requests, 84subset advertisements, 84summary advertisements, 83
mitigatingLayer 2 attacks, 337–341switch compromises, 397VLAN hopping, 351–352
MLS (multilayer switching), 17CAM tables, 217–219CEF-based
configuring, 232deploying, 215example, 230–231load sharing, 231–232troubleshooting, 236verifying configuration,
232–236distributed hardware forwarding,
220–221Layer 2 forwarding, 215Layer 3 forwarding, 216Layer 3 switch processing, 216–217Layer 3 switches
route caching, 222topology-based switching,
223–224TCAM tables, 217–219
protocol regions, 220modular security, Cisco Enterprise
Architecture, 335–336monitoring
HSRP, 307–309performance, 400–403
with ERSPAN, 408–410with NAM, 414–415with RSPAN, 404–407with VACLs, 410–412
SNMP, 269–270configuring, 272–273messages, 270security levels, 271versions, 270
switch CPU interface with SPAN,403–404
syslog, 263configuring, 267–268messages, 265–267severity levels, 264–265
MST (Multiple Spanning Tree), 120,141–143
configuring, 145–150regions, 143–144
multicast, 459–461address structure, 462–463
globally scoped addresses, 463GLOP addresses, 464limited scope addresses, 464reserved local link addresses,
463source-specific multicast
addresses, 463distribution trees
shared trees, 468–470source trees, 467–468
group membership, 461IGMP, 478–480IGMP snooping, 480–482IP multicast, configuring on Catalyst
switches, 482–483MAC address structure,
464–465PIM, 470
Auto-RP, 474–475automatic RP distribution, 474bidir-PIM, 473–474BSR, 475–476PIM-DM, 471–472PIM-SM, 472–473sparse-dense mode, 473versions, comparing, 476–478
RPF, 465–466multilayer switches, verifying routing
protocol operation, 208–210multilayer switching, 14–15
DHCP, configuring, 210–215routed ports, configuring, 200–201
multiple HSRP groups, 306–307
518 messages
N
NAM (Network Analysis Module),performance monitoring, 414–415
native VLAN, 72NDP (Neighbor Discovery Protocols),
CDP, 373configuring, 373–374vulnerabilities, 375–376
negotiating trunking, 72Network Infrastructure layer
(SONA), 25network management
SNMP, 269configuring, 272–273messages, 270security levels, 271versions, 270
syslog, 263configuring, 267–268messages, 265–267severity levels, 264–265
traffic, 19network-level resiliency, 249Nexus 2000 switches, 17Nexus 5000 switches, 17Nexus 7000 switches, 16nondesignated port, 123normal data traffic, 20Normal mode (UDLD), 162NSF with SSO, configuring in
Catalyst switch SupervisorEngines, 286–288
null adjacencies, 226
O
object tracking, HSRP, 304–305Operate phase (PDIOO), 37Optimize phase (PDIOO), 38organizational security policies, 391OSI model, 6–11
P
packet loss, 445packet rewriting, 13–14PACLs, 353PAgP (Port Aggregation Protocol),
101–102PANs, 425PPDIOO lifecycle, 37–39PDUs, 11peer-to-peer application traffic, 21people as component of high
availability, 246–247performance
enhancing, 398–399measuring with IP SLAs, 273–280monitoring, 400–403
with ERSPAN, 408–410with NAM, 414–415with RSPAN, 404–407with VACLs, 410–412
PIM (Protocol IndependentMulticast), 470
Auto-RP, 474–475automatic RP distribution, 474bidir-PIM, 473–474BSR, 475–476PIM-DM, 471–472PIM-SM, 472–473sparse mode, configuring on Cisco
IOS, 483sparse-dense mode, 473,
483–484versions, comparing, 476–478
PIM-DM, 471–472PIM-SM, 472–473Plan phase (PDIOO), 37planning
video services in campus networks,440–441design requirements, 444traffic flow, 442–443traffic profiles, 441–442
VLAN implementationcampus networks, 58–59
planning 519
    voice services in campus networks, 437–438
        Cisco Unified Communications, 438–439
        design requirements, 439–440
planning network implementation, 39–43
PoE (Power over Ethernet), 491
    enhanced PoE, 492
    inline PoE, 492–493
policies, organizational security policies, 391
policing, 451–453
port channels, configuring with EtherChannel, 105
port costs (STP), 124–125
port information, trunking, 76
port protected feature, PVLANs, 97
port roles, RSTP, 127–128
port security, 341
    configuring, 344–345
    implementation scenario, 341–342
    sticky MAC address feature, 347–348
    verifying, 345–346
port states
    RSTP, 126–127
    STP, 123
port types, Private VLANs, 88–90
port-based access control, IEEE 802.1X, 387–390
port-channel load-balance, 110
PortFast, 138–139
ports
    displaying trunk information for, 77
    switching to previously created VLANs, 63
Prepare phase (PPDIOO), 37
preventing routing loops, STP operation, 122
primary Private VLAN, 89
priority queuing, 455
Private VLANs, 87
    configuring, 90–91
        across switches, 94–97
        in Cisco IOS, 91–92
    overview, 88
    port types and, 88–90
    single switch private configuration, 93–94
    trunk configuration, 96
    verifying, 92–93
process switching, 221
processes as component of high availability, 247–248
promiscuous ports, 88
protocol regions (TCAM), 220
protocols
    LACP, 101–104
    PAgP (Port Aggregation Protocol), 101–102
    trunking, 69–72
    VTP, 78–81
        modes of operation, 79
        pruning, 81
        version 3, 83
        versions 1 and 2, 82
Proxy ARP, 289–290
pruning, VTP, 81
punt adjacencies, 226
PVRST+ (Per VLAN Spanning Tree Plus), 120–121
    bridge identifier, 136–137
    configuring, 140–141

Q
QoS, 445
    Cisco AutoQoS, 447–448
    classification, 449–450
    congestion avoidance, 455
        tail drop, 456
        WRED, 456–457
    congestion management, 453
        CQ, 455
        FIFO queuing, 453
        priority queuing, 455
        weighted round robin queuing, 453–455
    DSCP, trust boundaries, 450
    for voice traffic from IP phones, configuring, 490–491
    marking, 451
    policing, 451–453
    service models, 446
    TelePresence requirements, 495
    traffic classification and marking, 448
    traffic shaping, 451–453
queuing mechanisms
    CQ, 455
    FIFO, 453
    priority queuing, 455
    weighted round robin, 453–455

R
RACLs, 353
rapid transition to forwarding (RSTP), 129–130
    synch mechanism, 131–132
redundancy, 245–246, 251
    alternate paths, providing, 252
    Cisco NSF
        and routing protocols, 255
        with SSO, 254
    excessive, avoiding, 253
    first hop redundancy protocols
        default gateways, 290
        GLBP, 315–324
        HSRP, 291–309
        Proxy ARP, 289–290
        VRRP, 309–315
    in Catalyst switch Supervisor Engines, 280
        NSF with SSO, 286–288
        RPR, 281–282
        RPR+, 282–283
        SSO, 284–286
    single points of failure, avoiding, 253
regulatory standards for enterprise architectures, 4
requirements
    for VoIP, 493–494
    for WLAN implementations, 436–437
reserved local link addresses, 463
resiliency, network-level, 249
resource errors, troubleshooting, 173
responder timestamps (IP SLAs), 277
responders (IP SLAs), 275–276
rogue access, protecting against, 336–337
Root Guard, 152, 155–157
root port, 123
root port (RSTP), 127
route caching, 222
routed ports, 186
    configuring, 193
    inter-VLAN routing, 192–193
    on multilayer switches, configuring, 200–201
router-on-a-stick, 5, 186
    inter-VLAN routing, 186–190, 195–197
routing loop prevention, STP
    enhancements to, 150–157
    operation, 122
    port costs, 124–125
    port states, 123
routing protocols, verifying operation, 208–210
RP (rendezvous point), 468
RPF (Reverse Path Forwarding), 465–466
RPR (Route Processor Redundancy) in Catalyst switch Supervisor Engines, 281–282
RPR+ (Route Processor Redundancy Plus) in Catalyst switch Supervisor Engines, 282–283
RPs
    Auto-RP, 474–475
    automating distribution of, 474
RSPAN performance, monitoring, 404–407
RSTP (Rapid STP), 120, 125–126
    compatibility with 802.1D, 137
    edge ports, 129–131
    port roles, 127–128
    port states, 126–127
    rapid transition to forwarding, 129–132
    topology change mechanism, 133–136
S
Sarbanes-Oxley Act, 4
scavenger class traffic, 20
secondary Private VLAN, 89
security
    AAA, 380
        accounting, 382–383
        accounting, configuring, 386–387
        authentication, 381
        authorization, 381–386
        configuring, 383–384
    ARP spoofing attacks, protecting against, 361–368
    attacks
        mitigating, 351–352
        VLAN hopping, 349–352
        VLAN hopping with double tagging, 350–351
    authentication, IEEE 802.1X, 387–390
    on Cisco Catalyst switches, blocking unicast flooding on desired ports, 348–349
    Cisco Enterprise Architecture, best practices, 335–336
    DHCP snooping, enabling, 358–361
    DHCP spoofing attacks, protecting against, 356–358
    HTTPS, 379–380
    IP spoofing attacks, protecting against, 368–372
    Layer 2 attack categories, 337
        MAC layer attacks, 339–341
        spoofing attacks, 338–339
        switch device attacks, 339
    organizational security policies, 391
    port security, 341
        configuring, 344–345
        implementing, 341–342
        sticky MAC address feature, 347–348
        verifying, 345–346
    rogue access, protecting against, 336–337
    SSH, 377–378
    switches, securing best practices, 391–397
    VACLs, 352–354
    VTY ACLs, 378
security levels, SNMP, 271
server farms, configuring Cisco IOS SLB, 326–328
shared trees, 468
    comparing to source trees, 469–470
show etherchannel summary command, 108
show interfaces command, 65
show ip route command, 209
show running-config interface command, 109
show vlan command, 63
show vtp counters, 86
show vtp status command, 85
single points of failure, avoiding, 253
single switch private configuration, Private VLANs, 93–94
SLB (server load balancing), 324–325
    configuring, 326–328
    virtual servers, configuring, 328–330
slow throughput, troubleshooting VLANs, 67
small campus network example, 33–34
SNAP (Subnetwork Access Protocol), 78
SNMP (Simple Network Management Protocol), 269–270
    configuring, 272–273
    messages, 270
    security levels, 271
    versions, 270
SONA (Service-Oriented Network Architecture), 25–27
source trees, 467–468
    comparing to shared trees, 469–470
source-specific multicast addresses, 463
SPAN (Switched Port Analyzer)
    performance, monitoring, 400–403
    switch CPU interface, monitoring, 403–404
spanning-tree topology, HSRP, 296
sparse mode (PIM), 472–473
    configuring on Cisco IOS, 483
sparse-dense mode, configuring on Cisco IOS, 473, 483–484
split MAC, 432
spoofing attacks, 338–339
    ARP spoofing attacks, protecting against, 361–368
    DHCP spoofing attacks, protecting against, 356–358
    IP spoofing attacks, protecting against, 368–372
spread spectrum wireless, 424
SPT (shortest path tree), 467
SSH (secure shell), 377–378
SSO in Catalyst switch Supervisor Engines, 284–286
StackWise technology, access layer switches, 259
standalone WLAN deployments, comparing to controller-based deployment, 429–430, 432–433, 436
state transition, HSRP, 294–295
sticky learning, 341
sticky MAC address feature (port security), 347–348
STP (Spanning Tree Protocol)
    best practices, 168–170
    configuring, 137
    enhancements, 150–151
        BPDU Filtering, 153–155
        BPDU Guard, 152–153
        Root Guard, 155–157
    evolution of, 119–121
    Loop Guard, 158–161
        versus Aggressive mode UDLD, 165–166
    MST, 141–143
        configuring, 145–150
        regions, 143–144
    operation, 122
    port costs, 124–125
    port states, 123
    PortFast, 138–139
    PVRST+
        bridge identifier, 136–137
        configuring, 140–141
    RSTP, 125–126
        compatibility with 802.1D, 137
        edge ports, 129, 131
        port roles, 127–128
        port states, 126–127
        rapid transition to forwarding, 129–132
        topology change mechanism, 133–136
    troubleshooting, 171–178
    UDLD, 161–165
subset advertisements, VTP message types, 84
summary advertisements, VTP message types, 83
Supervisor Engine redundancy, 280
    NSF with SSO, 286–288
    RPR, 281–282
    RPR+, 282–283
    SSO, 284–286
SVI (switch virtual interfaces), 186
    autostate exclude feature, 200
    inter-VLAN routing, 190–192, 197–200
switch device attacks, 339
switch port information, displaying, 66
switches
    CEF, 222, 225, 227
        ARP throttling, 228–229
        modes of operation, 227
        and TCAM, 227
    compromises, mitigating, 397
    Private VLANs, 94–97
    securing, best practices, 391–397
    Voice VLAN feature, configuring, 488–490
    VoIP support, configuring, 488
switching methods
    fast switching, 222
    process switching, 221
switching ports to previously created VLANs, 63
switchport command, 63
switchport host, 74
switchport information, displaying for trunking, 76
syslog, 263
    configuring, 267–268
    messages, 265–267
    severity levels, 264–265

T
table lookups, 218
tail drop, 456
TCAM (ternary content addressable memory), 17
    and CEF, 227
    protocol regions, 220
TCAM tables, 217–219
technology, 246
TelePresence, 423, 495
Telnet, 377
TLV (Type-Length-Value), 82
tools as component of high availability, 248
topology change mechanism (RSTP), 133–136
topology-based switching, 222–224
ToS bits, 448
traffic
    congestion avoidance, 455
        tail drop, 456
        WRED, 456–457
    congestion management, 453
        CQ, 455
        FIFO queuing, 453
        priority queuing, 455
        weighted round robin queuing, 453–455
traffic classification and marking, 448–450
traffic flow
    in controller-based WLAN deployments, 434–435
    of video in campus networks, 442–443
traffic handling in controller-based WLAN deployments, 433
traffic profiles of video in campus networks, 441–442
traffic shaping, 451–453
traffic types
    client-enterprise edge applications, 23–24
    client/server applications, 21–23
    peer-to-peer applications, 21
transition processes, VRRP, 312
troubleshooting
    CEF, 236
    inter-VLAN routing, 205–206
    STP, 171–178
    trunking, 77
    VLANs, 67
        communication issues, 68
        slow throughput, 67
    VTP, 87
    with EEM, 413–414
    with L2 traceroute, 412–413
trunking
    802.1Q trunking, configuring, 74–75
    best practices, 73–74
    campus networks, 68–69
    displaying port information, 76–77
    DTP, 72–73
    negotiating, 72
    Private VLANs, 96
    protocols, 69–72
    troubleshooting, 77
    verifying configurations, 76–77
trust boundaries, 450
Type-Length-Value (TLV), 82

U
UDLD (Unidirectional Link Detection), 151, 161–163
    Aggressive mode versus Loop Guard, 165–166
    configuring, 164–165
unauthorized rogue access, protecting against, 336–337
unicast flooding, blocking on desired ports, 348–349
unicast transmission, 459
unidirectional link failures, troubleshooting, 172–173
UNII (Unlicensed National Information Infrastructure) band, 424–425

V
VACLs, 352
    configuring, 353–354
    performance, monitoring, 410–412
verifying
    CEF configuration, 232–236
    EtherChannel, 108–110
    inter-VLAN routing configuration, 201–203
    port security, 345–346
    Private VLANs, 92–93
    routing protocol operation, 208–210
    trunking configurations, 76–77
    VLAN configuration, 63–66
    VTP configuration, 85
versions
    of HSRP, 301
    of IGMP, 478–480
    of PIM, comparing, 476–478
    of SNMP, 270
video
    in campus networks
        design requirements, 444
        planning for, 440–441
        purpose of, 423
        support, preparing, 494–495
        traffic flow, 442–443
        traffic profiles, 441–442
    switch support, configuring, 495–496
virtual servers, configuring Cisco IOS SLB, 328–330
VLAN
    VLAN design
        best practices, 59–60
    VLAN hopping, 349
        mitigating, 351–352
        protecting against, 350
        with double tagging
            protecting against, 350–351
    VLAN ranges, 60
    VLAN segmentation model, 53
        comparing end-to-end VLANs and local VLANs, 56–57
        end-to-end VLAN, 54–55
        local VLANs, 55–56
        mapping VLANs to hierarchical networks, 57–58
VLANs
    access layer switches
        daisy chaining, 257–259
        insufficient redundancy, 260–261
        StackWise technology, 259
    access ports, assigning, 63
    campus network implementation, 52–53
    configuring, 60–63
        verifying, 63–66
        VLAN ranges, 60
    distributed VLANs on access switches, implementing high availability, 256
    global configuration mode, 62
    inter-VLAN routing, 184–186
        configuring with external router, 195–197
        configuring with SVI, 197–200
        support for on Catalyst switches, 186
        troubleshooting, 205–206
        verifying configuration, 201–203
        with external routers, 186–190
        with routed ports, 192–193
        with SVIs, 190–192
    local VLANs on access switches, implementing high availability, 256
    planning implementation for campus networks, 58–59
    private. See Private VLANs
    ranges and mappings, 73
    troubleshooting, 67
        communication issues, 68
        slow throughput, 67
    Voice VLANs, 488–490
voice
    in campus networks
        Cisco Unified Communications, 438–439
        design requirements, 439–440
        planning for, 437–438
        purpose of, 421–423
        traffic profiles, 441–442
    IP telephony components, 487–488
    traffic, 19
    Voice VLANs, 488–490
VoIP (Voice over IP)
    in campus networks
        Cisco Unified Communications, 438–439
        design requirements, 439–440
        planning for, 437–438
    PoE, 491–493
    requirements, 493–494
    switch support, configuring, 488
    Voice VLAN feature, configuring, 488–490
VRRP, 309–310
    configuring, 312, 315
    transition processes, 312
VSPAN, performance monitoring, 400–403
VTP (VLAN trunking protocol), 78–81
    authentication, 84
    best practices, 84
    CLI configuration, 85
    configuring, 85–86
    message types
        advertisement requests, 84
        subset advertisements, 84
        summary advertisements, 83
    troubleshooting, 87
    verifying configuration, 85
    version 3, 83
    versions 1 and 2, 82
    modes of operation, 79
VTP pruning, 81
VTY ACLs, 378
vulnerabilities
    of CDP, 375–376
    of Telnet, 377

W-X-Y-Z
WANs, 426
weighted round robin queuing, 453–455
wireless in campus networks, purpose of, 420–421
WLANs, 423
    Cisco Unified Wireless Network, 426–427
    comparing to LANs, 428–429
    controller-based
        HREAP, 435–436
        switch support, configuring, 484–486
    controller-based deployments
        traffic flow, 434–435
        traffic handling, 433
    planning requirements gathering, 436–437
    spread spectrum, 424
    standalone deployments, comparing to controller-based, 429–433, 436
WLC (Wireless LAN Controller), 431
WLSE (Cisco Wireless LAN Solution Engine), 429
WRED (weighted random early detection), 456–457