Chapter 1 Analyzing the Cisco Enterprise Campus Architecture
Introduction to Enterprise Campus Network Design 2
Regulatory Standards Driving Enterprise Architectures 4
Campus Designs 5
Legacy Campus Designs 5
Hierarchical Models for Campus Design 6
Impact of Multilayer Switches on Network Design 7
Ethernet Switching Review 7
Layer 2 Switching 8
Layer 3 Switching 10
Layer 4 and Layer 7 Switching 11
Layer 2 Switching In-Depth 12
Layer 3 Switching In-Depth 12
Understanding Multilayer Switching 14
Introduction to Cisco Switches 15
Cisco Catalyst 6500 Family of Switches 15
Cisco Catalyst 4500 Family of Switches 15
Cisco Catalyst 4948G, 3750, and 3560 Family of Switches 16
Cisco Catalyst 2000 Family of Switches 16
Nexus 7000 Family of Switches 16
Nexus 5000 and 2000 Family of Switches 17
Hardware and Software-Switching Terminology 17
Campus Network Traffic Types 18
Peer-to-Peer Applications 21
Client/Server Applications 21
Client-Enterprise Edge Applications 23
Overview of the SONA and Borderless Networks 25
Enterprise Campus Design 27
Access Layer In-Depth 29
Distribution Layer 29
Core Layer 31
The Need for a Core Layer 32
Campus Core Layer as the Enterprise Network Backbone 33
Small Campus Network Example 33
Medium Campus Network Example 34
Large Campus Network Design 34
Data Center Infrastructure 35
PPDIOO Lifecycle Approach to Network Design and Implementation 37
PPDIOO Phases 37
Benefits of a Lifecycle Approach 38
Planning a Network Implementation 39
Implementation Components 40
Summary Implementation Plan 40
Detailed Implementation Plan 42
Summary 43
Review Questions 43
Chapter 2 Implementing VLANs in Campus Networks 51
Implementing VLAN Technologies in a Campus Network 52
VLAN Segmentation Model 53
End-to-End VLAN 54
Local VLAN 55
Comparison of End-to-End VLANs and Local VLANs 56
Mapping VLANs to a Hierarchical Network 57
Planning VLAN Implementation 58
Best Practices for VLAN Design 59
Configuring VLANs 60
VLAN Ranges 60
Verifying the VLAN Configuration 63
Troubleshooting VLANs 67
Troubleshooting Slow Throughput 67
Troubleshooting Communication Issues 68
Implementing Trunking in a Cisco Campus Network 68
Trunking Protocols 69
Understanding Native VLAN in 802.1Q Trunking 71
Understanding DTP 72
Cisco Trunking Modes and Methods 72
VLAN Ranges and Mappings 73
Best Practices for Trunking 73
Configuring 802.1Q Trunking 74
Verifying Trunking Configurations 76
Troubleshooting Trunking 77
VLAN Trunking Protocol 78
VTP Pruning 81
VTP Versions 82
VTP Versions 1 and 2 82
VTP Version 3 83
VTP Message Types 83
Summary Advertisements 83
Subset Advertisements 84
Advertisement Requests 84
VTP Authentication 84
Best Practices for VTP Implementation 84
Configuring VTP 85
Verifying the VTP Configuration 85
Troubleshooting VTP 87
Private VLANs 87
Private VLANs Overview 88
Private VLANs and Port Types 88
Private VLAN Configuration 90
Configuring Private VLANs in Cisco IOS 91
Verifying Private VLAN 92
Private VLAN Configuration Example 93
Single Switch Private Configuration 93
Private VLAN Configuration Across Switches 94
Port Protected Feature 97
Configuring Link Aggregation with EtherChannel 97
Describe EtherChannel 98
PAgP and LACP Protocols 101
PAgP Modes 101
LACP Modes 103
Configure Port Channels Using EtherChannel 105
Guidelines for Configuring EtherChannel 105
Layer 2 EtherChannel Configuration Steps 106
Verifying EtherChannel 108
EtherChannel Load Balancing Options 110
Summary 112
Review Questions 113
Chapter 3 Implementing Spanning Tree 119
Evolution of Spanning Tree Protocols 119
Spanning Tree Protocol Basics 121
STP Operation 122
Rapid Spanning Tree Protocol 125
RSTP Port States 126
RSTP Port Roles 127
Rapid Transition to Forwarding 129
RSTP Topology Change Mechanism 132
Bridge Identifier for PVRST+ 136
Compatibility with 802.1D 137
Cisco Spanning Tree Default Configuration 137
PortFast 138
Configuring the PortFast Feature 138
Configuring the Basic Parameters of PVRST+ 140
Multiple Spanning Tree 141
MST Regions 143
Extended System ID for MST 144
Configuring MST 145
Spanning Tree Enhancements 150
BPDU Guard 152
BPDU Filtering 153
Root Guard 155
Preventing Forwarding Loops and Black Holes 158
Loop Guard 158
UDLD 161
Comparison Between Aggressive Mode UDLD and Loop Guard 165
Flex Links 166
Recommended Spanning Tree Practices 168
Troubleshooting STP 171
Potential STP Problems 171
Duplex Mismatch 172
Unidirectional Link Failure 172
Frame Corruption 173
Resource Errors 173
PortFast Configuration Error 174
Troubleshooting Methodology 174
Develop a Plan 175
Isolate the Cause and Correct an STP Problem 175
Document Findings 177
Summary 178
References 179
Review Questions 179
Chapter 4 Implementing Inter-VLAN Routing 183
Describing Inter-VLAN Routing 184
Introduction to Inter-VLAN Routing 184
Inter-VLAN Routing Using an External Router (Router-on-a-Stick) 186
External Router: Advantages and Disadvantages 189
Inter-VLAN Routing Using Switch Virtual Interfaces 190
SVI: Advantages and Disadvantages 192
Routing with Routed Ports 192
Routed Port: Advantages and Disadvantages 193
L2 EtherChannel Versus L3 EtherChannel 194
Configuring Inter-VLAN Routing 194
Inter-VLAN Configuration with External Router 195
Implementation Planning 195
Inter-VLAN Configuration with SVI 197
Implementation Plan 197
Switch Virtual Interface Configuration 198
SVI Autostate 199
Configuring Routed Port on a Multilayer Switch 200
Verifying Inter-VLAN Routing 201
Troubleshooting Inter-VLAN Problems 204
Example of a Troubleshooting Plan 205
Configuration of Layer 3 EtherChannel 206
Routing Protocol Configuration 208
Verifying Routing Protocol 208
Implementing Dynamic Host Configuration Protocol in a Multilayer Switched Environment 210
DHCP Operation 211
Configuring DHCP and Verifying DHCP 212
Configure DHCP on the Multilayer Switch 212
Configure DHCP Relay 213
Verifying DHCP Operation 214
Deploying CEF-Based Multilayer Switching 215
Multilayer Switching Concepts 215
Explaining Layer 3 Switch Processing 216
CAM and TCAM Tables 217
Distributed Hardware Forwarding 220
Cisco Switching Methods 221
Route Caching 222
Topology-Based Switching 223
CEF Processing 225
CEF Operation and Use of TCAM 227
CEF Modes of Operation 227
Address Resolution Protocol Throttling 228
Sample CEF-Based MLS Operation 230
CEF-Based MLS Load Sharing 231
Configuring CEF and Verifying CEF Configuration 232
CEF-Based MLS Configuration 232
CEF-Based MLS Verification 232
Troubleshooting CEF 236
Summary 237
Review Questions 237
Chapter 5 Implementing High Availability and Redundancy in a Campus Network 243
Understanding High Availability 244
Components of High Availability 244
Redundancy 245
Technology 246
People 246
Processes 247
Tools 248
Resiliency for High Availability 249
Network-Level Resiliency 249
High Availability and Failover Times 249
Optimal Redundancy 251
Provide Alternate Paths 252
Avoid Too Much Redundancy 253
Avoid Single Point of Failure 253
Cisco NSF with SSO 254
Routing Protocols and NSF 255
Implementing High Availability 255
Distributed VLANs on Access Switches 256
Local VLANs on Access Switches 256
Layer 3 Access to the Distribution Interconnection 257
Daisy Chaining Access Layer Switches 257
StackWise Access Switches 259
Too Little Redundancy 260
Implementing Network Monitoring 262
Network Management Overview 262
Syslog 263
Syslog Message Format 265
Configuring Syslog 267
SNMP 269
SNMP Versions 270
SNMP Recommendations 272
Configuring SNMP 272
IP Service Level Agreement 273
IP SLA Measurements 273
IP SLA Operations 275
IP SLA Source and Responder 275
IP SLA Operation with Responder 275
IP SLA Responder Timestamps 277
Configuring IP SLA 277
Implementing Redundant Supervisor Engines in Catalyst Switches 280
Route Processor Redundancy 281
Route Processor Redundancy Plus 282
Configuring and Verifying RPR+ Redundancy 283
Stateful Switchover (SSO) 284
Configuring and Verifying SSO 285
NSF with SSO 286
Configuring and Verifying NSF with SSO 287
Understanding First Hop Redundancy Protocols 288
Introduction to First Hop Redundancy Protocol 288
Proxy ARP 289
Static Default Gateway 290
Hot Standby Router Protocol (HSRP) 291
HSRP States 294
HSRP State Transition 295
HSRP Active Router and Spanning Tree Topology 296
Configuring HSRP 296
HSRP Priority and Preempt 297
HSRP Authentication 298
HSRP Timer Considerations and Configuration 299
HSRP Versions 301
HSRP Interface Tracking 302
HSRP Object Tracking 304
HSRP and IP SLA Tracking 305
Multiple HSRP Groups 306
HSRP Monitoring 307
Virtual Router Redundancy Protocol 309
VRRP Operation 311
VRRP Transition Process 312
Configuring VRRP 312
Gateway Load Balancing Protocol 315
GLBP Functions 316
GLBP Features 317
GLBP Operations 318
GLBP Interface Tracking 318
GLBP Configuration 322
GLBP with VLAN Spanning Across Access Layer Switches 322
Cisco IOS Server Load Balancing 323
Cisco IOS SLB Modes of Operation 325
Configuring the Server Farm in a Data Center with Real Servers 326
Configuring Virtual Servers 328
Summary 330
Review Questions 331
Chapter 6 Securing the Campus Infrastructure 333
Switch Security Fundamentals 334
Security Infrastructure Services 334
Unauthorized Access by Rogue Devices 336
Layer 2 Attack Categories 337
Understanding and Protecting Against MAC Layer Attacks 339
Suggested Mitigation for MAC Flooding Attacks 341
Port Security 341
Port Security Scenario 1 341
Port Security Scenario 2 342
Configuring Port Security 343
Caveats to Port Security Configuration Steps 344
Verifying Port Security 345
Port Security with Sticky MAC Addresses 347
Blocking Unicast Flooding on Desired Ports 348
Understanding and Protecting Against VLAN Attacks 349
VLAN Hopping 349
VLAN Hopping with Double Tagging 350
Mitigating VLAN Hopping 351
VLAN Access Control Lists 352
Configuring VACL 353
Understanding and Protecting Against Spoofing Attacks 355
Catalyst Integrated Security Features 355
DHCP Spoofing Attack 356
DHCP Snooping 358
ARP Spoofing Attack 361
Preventing ARP Spoofing Through Dynamic ARP Inspection 362
IP Spoofing and IP Source Guard 368
Configuring IPSG 370
Securing Network Switches 372
Neighbor Discovery Protocols 372
Cisco Discovery Protocol 373
Configuring CDP 373
Configuring LLDP 375
CDP Vulnerabilities 375
Securing Switch Access 376
Telnet Vulnerabilities 377
Secure Shell 377
VTY ACLs 378
HTTP Secure Server 379
Authentication, Authorization, and Accounting (AAA) 380
Security Using IEEE 802.1X Port-Based Authentication 387
Configuring 802.1X 389
Switch Security Considerations 390
Organizational Security Policies 391
Securing Switch Devices and Protocols 391
Configuring Strong System Passwords 392
Restricting Management Access Using ACLs 392
Securing Physical Access to the Console 393
Securing Access to vty Lines 393
Configuring System Warning Banners 393
Disabling Unneeded or Unused Services 394
Trimming and Minimizing Use of CDP/LLDP 395
Disabling the Integrated HTTP Daemon 395
Configuring Basic System Logging 396
Securing SNMP 396
Limiting Trunking Connections and Propagated VLANs 396
Securing the Spanning-Tree Topology 396
Mitigating Compromises Launched Through a Switch 397
Troubleshooting Performance and Connectivity 398
Techniques to Enhance Performance 398
Monitoring Performance with SPAN and VSPAN 400
Using SPAN to Monitor the CPU Interface of Switches 403
Monitoring Performance with RSPAN 404
Monitoring Performance with ERSPAN 408
Monitoring Performance Using VACLs with the Capture Option 410
Troubleshooting Using L2 Traceroute 412
Enhancing Troubleshooting and Recovery Using Cisco IOS Embedded Event Manager 413
Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches 414
Summary 415
Review Questions 416
Chapter 7 Preparing the Campus Infrastructure for Advanced Services 419
Planning for Wireless, Voice, and Video Applications in the Campus Network 420
The Purpose of Wireless Network Implementations in the Campus Network 420
The Purpose of Voice in the Campus Network 421
The Purpose of Video Deployments in the Campus Network 423
Planning for the Campus Network to Support Wireless Technologies 423
Introduction to Wireless LANs (WLAN) 423
Cisco WLAN Solutions as Applied to Campus Networks 426
Comparing and Contrasting WLANs and LANs 428
Standalone Versus Controller-Based Approaches to WLAN Deployments in the Campus Network 429
Controller-Based WLAN Solution 430
Traffic Handling in Controller-Based Solutions 433
Traffic Flow in a Controller-Based Solution 434
Hybrid Remote Edge Access Points (HREAP) 435
Review of Standalone and Controller-Based WLAN Solutions 436
Gathering Requirements for Planning a Wireless Deployment 436
Planning for the Campus Network to Support Voice 437
Introduction to Unified Communications 438
Campus Network Design Requirements for Deploying VoIP 439
Planning for the Campus Network to Support Video 440
Voice and Video Traffic 441
Video Traffic Flow in the Campus Network 442
Design Requirements for Voice, Data, and Video in the Campus Network 444
Understanding QoS 444
QoS Service Models 446
AutoQoS 447
Traffic Classification and Marking 448
DSCP, ToS, and CoS 448
Classification 449
Trust Boundaries and Configurations 450
Marking 451
Traffic Shaping and Policing 451
Policing 452
Congestion Management 453
FIFO Queuing 453
Weighted Round Robin Queuing 453
Priority Queuing 455
Custom Queuing 455
Congestion Avoidance 455
Tail Drop 456
Weighted Random Early Detection 456
Implementing IP Multicast in the Campus Network 458
Introduction to IP Multicast 459
Multicast IP Address Structure 462
Reserved Link Local Addresses 463
Globally Scoped Addresses 463
Source-Specific Multicast Addresses 463
GLOP Addresses 464
Limited-Scope Addresses 464
Multicast MAC Address Structure 464
Reverse Path Forwarding 465
Multicast Forwarding Tree 466
Source Trees 467
Shared Trees 468
Comparing Source Trees and Shared Trees 469
IP Multicast Protocols 470
PIM 470
Automating Distribution of RP 474
Auto-RP 474
Bootstrap Router 475
Comparison and Compatibility of PIM Version 1 and Version 2 476
Configuring Internet Group Management Protocol 478
IGMPv1 478
IGMPv2 478
IGMPv3 479
IGMPv3 Lite 479
IGMP Snooping 480
Preparing the Campus Infrastructure to Support Wireless 484
Wireless LAN Parameters 484
Configuring Switches to Support WLANs 484
Preparing the Campus Network for Integration of a Standalone WLAN Solution 484
Preparing the Campus Network for Integration of a Controller-Based WLAN Solution 485
Preparing the Campus Infrastructure to Support Voice 487
IP Telephony Components 487
Configuring Switches to Support VoIP 488
Voice VLANs 488
QoS for Voice Traffic from IP Phones 490
Power over Ethernet 491
Additional Network Requirements for VoIP 493
Preparing the Campus Infrastructure to Support Video 494
Video Components 494
Configuring Switches to Support Video 495
Summary 496
Review Questions 497
Appendix A 503
9781587058844 TOC 5/20/2010