Campus High Availability
BRKCAM-3005
Michael Herbert
BRKCAM-3005 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
HOUSEKEEPING
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Friday.
High Availability Campus Design
The Resilient Network
Designing for availability is no longer concerned only with simple component failures (hardware, data link, physical, viruses, …). Campus design needs to evolve to a 'resilient' model.
[Chart: Sources of Network Downtime — Hardware Failure 14%, Power Failure 12%, Other 8%, …]
Resiliency
NSF/SSO
ISSU & IOS Modularity
System Management Resiliency
GOLD & EEM
Design
High Availability Campus Design
Structure, Modularity and Hierarchy
Optimize the interaction of the physical redundancy (redundant supervisors, Layer 2 or Layer 3 links) with the network protocols.
Provide the necessary amount of redundancy in the topology.
[Diagram: structured hierarchical design with a Server Farm block, contrasted with an arbitrary mesh labeled 'Not This!!']
Direct point-to-point fiber provides for fast failure detection.
IEEE 802.3z and 802.3ae link negotiation define the use of Remote Fault Indicator and Link Fault Signaling mechanisms; bit D13 in the Fast Link Pulse (FLP) can be set to indicate a physical fault to the remote side.
Do not disable auto-negotiation on GigE and 10GigE interfaces.
Cisco IOS throttling — carrier-delay timer:
 3560, 3750 and 4500: 0 msec
 6500: leave it at the default 50 msec
Linecard throttling — debounce timer:
 The default debounce timer on GigE and 10GigE fiber linecards is 10 msec; the minimum debounce for copper is 300 msec.
[Diagram: remote IEEE fault detection mechanism; the remote side is notified directly]
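These timers translate into a small amount of interface configuration. A minimal sketch for a routed uplink (interface name illustrative):

interface GigabitEthernet1/1
 ! report loss of carrier to the control plane immediately (3560/3750/4500 guidance)
 carrier-delay msec 0

On 6500 fiber linecards the 10 msec default debounce is normally left alone.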
SVI interface: on a logical L3 interface (e.g. an SVI), physical events trigger spanning tree changes first, which then trigger RP notification (L2 link down, then L3 interface down).
Indirect failures require a SW process (e.g. hellos) to detect the failure.
To improve failure detection:
 Use routed interfaces between L3 switches
 Decrease interface carrier-delay to 0
In the recommended distribution block design, recovery of access-to-distribution link failures is accomplished based on L2 detection.
CEF load-sharing hashes fields of the L3 packet to choose among equal-cost paths, and is supported in HW today:

Switch#show mls cef exact-route 10.77.17.8 10.100.20.199
Interface: Gi1/1, Next Hop: 10.10.1.2, Vlan: 1019, Destination Mac: 0030.f272.31fe
Switch#show mls cef exact-route 10.44.91.111 10.100.20.199
Interface: Gi2/2, Next Hop: 10.40.1.2, Vlan: 1018, Destination Mac: 000d.6550.a8ea

Depending on the traffic flow patterns, one algorithm may provide better load-sharing results than another (e.g. a 70%/30% split of flows across two links).
Catalyst 4500 load-balancing options:
 Original: Src IP + Dst IP
 Universal: Src IP + Dst IP + Unique ID
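Where the platform allows it, the hash inputs can be changed. A sketch for the Catalyst 6500 (verify availability on your supervisor and release):

Switch(config)#mls ip cef load-sharing full
 ! include L4 source/destination ports in the hash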
Multilayer Network Design
Layer 2 Access with Layer 3 Distribution
The root bridge should stay where you put it:
 Loopguard
 Rootguard
 UDLD
Only end-station traffic should be seen on an edge port:
 BPDU guard
 Rootguard
 Port-Security
Note: 10 Mbps, 10/100 Mbps, and 100 Mbps switching modules support a maximum of 1,200 logical interfaces per module.
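A minimal sketch of these protections on hypothetical ports (interface names and placement are illustrative):

! access (edge) port: only end-station traffic expected
interface GigabitEthernet1/0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
! distribution downlink: refuse superior BPDUs from below
interface GigabitEthernet1/1
 spanning-tree guard root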
interface gigabitethernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport backup interface gigabitethernet1/0/2
interface gigabitethernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
Upstream traffic for all VLANs will pass through the same distribution switch (unlike in an ECMP design).
Use HSRP, not GLBP: the HSRP Active for voice and data need to be on the same switch.

interface Vlan4
 ip address 10.120.4.2 255.255.255.0
 standby 1 ip 10.120.4.1
 standby 1 timers msec 250 msec 750
 standby 1 priority 150
 standby 1 preempt
 standby 1 preempt delay minimum 180

[Diagram: HSRP model vs. GLBP model; EIGRP/OSPF at Layer 3 over a Layer 2 access]
Multilayer Network Design
Core and Distribution Routing Design
[Chart: time to restore voice (sec.) vs. number of routes (800 to 12000); with a summary default (0.0.0.0) the box keeps forwarding while SPF calculations run]
[Diagram: interface dampening suppresses a flapping up/down interface state as perceived by OSPF]

interface GigabitEthernet1/1
 description Uplink to Distribution 1
 dampening
 ip address 10.120.0.205 255.255.255.254
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 4
 logging event link-status
 load-interval 30
 carrier-delay msec 0
 mls qos trust dscp
VLAN interface:

interface Vlan4
 dampening
 ip address 10.122.0.26 255.255.255.254
 bfd interval 100 min_rx 100 multiplier 3
 bfd neighbor 10.122.0.27

*Verify Cisco IOS release availability; ESE does not yet have specific configuration guidance.
Routing Protocol Convergence
EtherChannel and L3 links
In an L3 environment, single 10 Gigabit links address both problems: increased bandwidth without routing challenges.
Sup720(config)# interface range gig 3/1 - 4
Sup720(config-if)#channel-protocol lacp
Sup720(config-if)#channel-group 5 mode active
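A quick check that the bundle formed (a sketch; flag letters vary slightly by release):

Sup720#show etherchannel 5 summary
 ! expect the port-channel flagged (SU) and member ports flagged (P)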
System Level Resiliency
Comprehensive Physical Redundancy
Active/standby supervisors (SP, RP, PFC) run in synchronized mode; the redundant supervisor is in 'hot-standby' mode.
Switch processors synchronize L2 port state information (e.g., STP, 802.1x, 802.1q).
Switching HW synchronizes the L2/L3 FIB, NetFlow and ACL tables.
Line card DFCs are populated with the L2/L3 FIB, NetFlow, and ACL tables.
Switch#sh mod
Chassis Type : WS-C4507R
<snip>
3—Slave
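For reference, SSO itself is enabled under the redundancy stanza (shown as a sketch; SSO is the default mode on recent releases):

redundancy
 mode sso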
OSPF-ADJCHG messages appear on the switches after a switchover, even though no route flaps occur during an NSF switchover (no route flaps during recovery).
System Resiliency
NSF Configuration
Switch(config)#router eigrp 100
Switch(config-router)#nsf
Switch(config-router)#timers nsf ?
converge EIGRP time limit for convergence after switchover
route-hold EIGRP hold time for routes learned from nsf peer
signal EIGRP time limit for signaling NSF restart
Switch(config-router)#nsf ?
enforce Cancel NSF restart when non-NSF-aware neighbors detected
Switch(config-router)#bgp graceful-restart ?
restart-time Set the max time needed to restart and come back up
stalepath-time Set the max time to hold onto restarting peer's stale paths
<cr>
Switch(config-router)#bgp graceful-restart
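Putting the pieces together, a minimal NSF sketch for an EIGRP and BGP speaker (process and AS numbers are illustrative):

router eigrp 100
 nsf
router bgp 65001
 bgp graceful-restart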
[Chart: seconds of lost voice (0 to 2) for distributed systems local L2/L3 recovery, access L2/L3 switch recovery, distribution/core L2/L3 switch recovery, multicast MMLS NSF/SSO recovery, and L2/L3 control plane recovery*]
*The time to recover the control plane is calculated based on the ability of the route processor to send ICMP echo reply packets.
The convergence time problem is solved in software release 12.2(18)SXF5.
Bundling supervisor uplinks into EtherChannel links is still considered best practice design for Sup uplinks.
These recommendations do not apply to the Cisco Catalyst 4500.
[Chart: seconds of lost voice (0 to 5) for link failure, node failure, and NSF/SSO; RP convergence is dependent on the IGP and tuning (OSPF convergence)]
[Chart: seconds of voice loss (0 to 2.5) vs. number of routes (1000 to 12000) on Sup720B, comparing ECMP convergence with NSF/SSO]
[Chart: seconds of loss (0 to 0.9) for non-SSO-aware HSRP vs. SSO-aware HSRP]
[Chart: seconds of lost voice (0 to 10) for NSF-enabled optimal, NSF-enabled maximum, non-NSF optimal, and non-NSF maximum configurations]
System Resiliency
IOS Modularity and In Service Software Upgrade
In a redundant topology, standard maintenance practice is to shut down devices during upgrade and let the network converge (scheduled maintenance: half capacity during upgrade).
IOS Modularity and ISSU provide the ability to patch or upgrade software in place without having to shut down (ISSU: all paths and switches active during upgrade).
In the access layer, or at any other single point of failure, this can be a significant improvement in operational practices.
Patching of modular components works in a single-supervisor system and is well suited to dual-switch configurations (e.g. typical Distribution and Core environments).
Full-image ISSU requires a dual-supervisor environment and is well suited to single points of failure (e.g. Access layer environments).
IOS Modularity is also supported in dual-supervisor access environments.
If an error occurs in a modular process (Routing, IPFS, TCP, UDP, …, CDP, EEM, INETD, IOS-BASE, …), the HA subsystem determines the best recovery action:
 Restart the modular process
 Switchover to the standby supervisor
 Remove the system from the network
[Diagram: modular processes running over the High Availability Infrastructure and Network Optimized Microkernel, on the Catalyst 6500 hardware data plane]
A process restarts with no impact on the data plane; traffic forwarding continues during unplanned process restarts.
Utilizes Nonstop Forwarding (NSF) even with a single supervisor, provided neighbors are NSF-aware.
State checkpointing allows quick process recovery.
Step 2: Activate the pending changes. The output indicates what process(es) this patch will affect:

Swmod#install activate disk0:/sys
Determining processes to restart at location s72033_rp - Slot 2
!!!...
The following processes will be restarted:
 iprouting.iosproc
Do you want to continue with activating this change set...? [yes/no]: yes
Proceeding with activation, writing installer meta-data ...
[DONE]
Step 1 - loadversion
Slot = 2
RP State = Standby
ISSU State = Init
Boot Variable = bootflash:cat4500-entservicesk9-mz.122-31.SGA.bin,12;
Slot = 2
RP State = Standby
ISSU State = Load Version
Boot Variable = bootflash:cat4500-entservicesk9-mz.122-31.SGA.bin,12
Step 2 - runversion
Slot = 1
RP State = Standby
ISSU State = Run Version
Boot Variable = bootflash:cat4500-entservicesk9-mz.122-31.SGA.bin,12
Switch#sh version
. . .
cisco WS-C4507R (MPC8540) processor (revision 10) with 524288K bytes of memory.
Step 3 - acceptversion
Switch#issu acceptversion 2
% Rollback timer stopped. Please issue the commitversion command.
Switch#show bootvar
BOOT variable = bootflash:cat4500-entservicesk9-mz.122-31.SGA.bin,12
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Step 4 - commitversion
Switch#$issu commitversion 1 slavebootflash:cat4500-entservicesk9-mz.122-31.SGA1.bin
Slot = 1
RP State = Standby
ISSU State = Init
Boot Variable = bootflash:cat4500-entservicesk9-mz.122-31.SGA1.bin,12;
bootflash:cat4500-entservicesk9-mz.122-31.SGA.bin,12;
Switch#show bootvar
BOOT variable = bootflash:cat4500-entservicesk9-mz.122-31.SGA1.bin,12;
bootflash:cat4500-entservicesk9-mz.122-31.SGA.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Systems Resiliency
Proactive Fault Detection and Notification
Detect and isolate memory corruption, software inconsistency, and system faults, for enhanced system stability and enhanced network stability.
Verify the system is functioning correctly:
 Is the supervisor control plane and forwarding plane functioning properly?
 Is the standby supervisor ready to take over?
 Are linecards forwarding packets properly?
 Are all ports working?
 Is the backplane connection working?
Other types of diagnostics tests, including memory and error correlation tests, are also available.
[Diagram: active supervisor (fabric, forwarding engine, CPU), standby supervisor, and line card]
Generic Online Diagnostics
An Example: LoopbackTest - Linecard Data Path Coverage
The loopback test is disruptive for the tested port (subseconds).
It verifies the tested port functionality and the datapath between the supervisor and the loopbacked port.
Newer linecards support non-disruptive loopback tests; ten consecutive failures are treated as fatal and will result in the port being error-disabled.
[Diagram: PFC3/MSFC supervisor (RP CPU, SP CPU, L2 engine, L3/4 engine, switch fabric interface), DBUS/RBUS, 16-Gbps bus, EOBC, and a classic module with port ASICs]
On-demand: all diagnostics tests can be run on demand, for troubleshooting purposes; this can also be used as a pre-deployment tool.

Switch#diagnostic start module 4 test 8
Module 4: Running test(s) 8 may disrupt normal system operation
Do you want to continue? [no]: y
Switch#diagnostic stop module 4

Scheduled: schedule diagnostics tests, for verification and troubleshooting purposes.

Switch(config)#diagnostic schedule module 4 test 1 port 3 on Jan 3 2005 23:32
Switch(config)#diagnostic schedule module 4 test 2 daily 14:45
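Results can then be reviewed per module (a sketch; output format varies by platform and release):

Switch#show diagnostic result module 4
 ! '.' = passed, 'F' = failed, 'U' = untested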
Generic Online Diagnostics
Using Diagnostics as a Pre-Deployment Tool
The Order in Which Tests Are Run Matters
• Run diagnostics first on linecards, then on supervisors
• Run packet switching tests first, run memory tests after
Event detectors include: RF, IOS IDBs, IOS CLI, RIB, OIR, SYSLOG, HA, Routing, Counters, and Memory.
An EEM policy ties a detected fault to an automated response; for example, on an Interface Down event the policy can invoke GOLD tests on the affected port, such as a TDR cable test or a loopback test.
http://cisco.com/go/eem
http://forums.cisco.com/eforum/servlet/EEM?page=main
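A minimal EEM applet along these lines (the applet name, syslog pattern, and module/port numbers are illustrative, and the GOLD test name varies by platform):

event manager applet GOLD-ON-LINKDOWN
 event syslog pattern "LINK-3-UPDOWN.*GigabitEthernet1/1.*down"
 action 1.0 cli command "enable"
 action 2.0 cli command "diagnostic start module 1 test TDR port 1"
 action 3.0 syslog msg "Triggered TDR test for Gi1/1"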
Impact of an Internet Worm
Direct and Collateral Damage
[Diagram: an infected source attacks a system; damage spreads through core, distribution, and access]
 Routers overloaded: high CPU, instability, loss of management
 Network links overloaded: high packet loss, mission-critical applications impacted
 End systems overloaded: high CPU, applications impacted
[Diagram: the same attack with Scavenger-class QoS applied at the network entry points and aggregation points; data and Scavenger bandwidth queues]
During 'normal' traffic conditions the network is operating within designed capacity.
During 'abnormal' worm traffic conditions, traffic marked as Scavenger is aggressively dropped (second-order detection).
Priority queuing ensures low latency and jitter for VoIP.
Stations not generating abnormal traffic volumes continue to receive network service.
See BRKCAM-3006, Advanced Campus QoS Design.
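The marking side can be sketched as a per-port policer that remarks, rather than drops, out-of-profile traffic to Scavenger (DSCP CS1). The rates, names, and policed-DSCP map below are illustrative, and syntax differs per platform:

! remark policed best-effort traffic down to CS1 (DSCP 8)
mls qos map policed-dscp 0 to 8
policy-map SCAVENGER-MARK
 class class-default
  police 5000000 8000 exceed-action policed-dscp-transmit
interface GigabitEthernet1/0/5
 service-policy input SCAVENGER-MARK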
Control Plane Protection
Hardening the Switches
Software protection:
 Process-level queues (IP priority queue, IP normal queue) on the software control plane
 Control-plane policing
Hardware control plane protection:
 Control-plane policing ('CoPP') in the PFC3/DFC3
 Hardware rate limiters for special-case traffic to the CPU
 Storm control, ACLs, QoS
Traffic to the CPU:
 Priority packets are queued ahead of other punted traffic; these 16 processor queues are not configurable.
 STP, OSPF and inter-CPU packets ride on separate CPU bridge queues.
 The 3750 stack ring reserves bandwidth for priority traffic; bandwidth reservations on the ring ensure that CPU communication is not affected by data traffic.
[Diagram: the hardware forwarding data plane punts IP, BPDU, and ESMP traffic through PFC3/DFC3 hardware rate limiters and CoPP to the SP and RP CPUs]
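The hardware rate limiters are configured globally; a sketch for two common special cases (rates are illustrative, and the available limiters depend on the PFC version):

! TTL-expired packets punted to the CPU: 100 pps, burst 10
mls rate-limit all ttl-failure 100 10
! ARP-triggered CEF glean punts
mls rate-limit unicast cef glean 100 10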
[Chart: measured impact on the switch vs. DoS rate (pps)]
Resilient Network Design
Stick to Your Principles
Remember you will have to live with this for a long time.
Requirements will change; understand change.
[Chart: convergence (0 to 2 sec) for L2 access with OSPF core*, L2 access with EIGRP core, OSPF access*, and EIGRP access]
http://www.cisco.com/go/srnd
Meet the Experts
Campus and Wireless Evolution
Mark Montanez
Corporate Dev Consulting Engineer
Tim Szigeti
Technical Leader
Sujit Ghosh
Technical Mktg Eng
Victor Moreno
Technical Leader
Mike Herbert
Technical Leader
Questions
Step 3: Adjust classification, and apply liberal CoPP policies for each class of traffic.
show ip access-lists provides packet-count statistics per ACE. Absence of any hits on an entry indicates a lack of traffic matching the ACE criteria; the rule might be rewritten. Hardware ACL hit counters are available in PFC3B/BXL for the security ACL TCAM only.

control-plane
 service-policy input copp-policy

Switch#sh access-list
Extended IP access list coppacl-bgp
 10 permit tcp host 192.168.1.1 host 10.1.1.1 eq bgp
 20 permit tcp host 192.168.1.1 eq bgp host 10.1.1.1
Extended IP access list coppacl-critical-app
 10 permit ip any host 224.0.0.1
 20 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 30 permit udp host 10.2.2.8 eq bootps any eq bootps
Extended IP access list coppacl-igp
 10 permit ospf any host 224.0.0.5 (64062 matches)
 20 permit ospf any host 224.0.0.6
 30 permit ospf any any (17239 matches)
Extended IP access list coppacl-management
 10 permit tcp host 10.2.1.1 host 10.1.1.1 established
 20 permit tcp 10.2.1.0 0.0.0.255 host 10.1.1.1 eq 22
 30 permit tcp 10.86.183.0 0.0.0.255 any eq telnet
 40 permit udp host 10.2.2.2 host 10.1.1.1 eq snmp
 50 permit udp host 10.2.2.3 host 10.1.1.1 eq ntp
Extended IP access list coppacl-monitoring
 10 permit icmp any any ttl-exceeded (120 matches)
 20 permit icmp any any port-unreachable
 30 permit icmp any any echo-reply (17273 matches)
 40 permit icmp any any echo (5 matches)
Extended IP access list coppacl-reporting
 10 permit icmp host 10.2.2.4 host 10.1.1.1 echo
Extended IP access list coppacl-undesirable
 10 permit udp any any eq 1434
Other considerations:
 No HW CoPP for PFC3A with an egress QoS policy.
 HW CoPP processing only for packets where the HW FIB or HW ingress ACL determines punting; HW egress ACL punts do not pass through CoPP.
 HW CoPP classes can only match what IP ACLs can handle in hardware.
 HW CoPP supports only IPv4 and IPv6 (starting 12.2(18)SXE) unicast traffic; no support for ARP ACLs, MAC ACLs, …
 CoPP rates on Sup720 are in bps; pps is not possible. However, HWRL rates are in pps.
 CoPP is supported in ingress only (no support for silent mode).
 Not supported today: SNMP support for CoPP; ACL log keyword support for CoPP; SP/RP inband SPAN support.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd802ca5d6.shtml
1. Enable QoS globally, then 2. apply the predefined system-cpp macro:

cr39-4507-1(config)#qos
cr39-4507-1(config)#macro global apply system-cpp

The macro defines class-map statements for all the control plane traffic types, defines the CoPP policy map (no policing actions defined by default), and applies the policy map to the CPU interface:

cr39-4507-2#sh run
class-map match-all system-cpp-cdp
 match access-group name system-cpp-cdp
class-map match-all system-cpp-pim
 match access-group name system-cpp-pim
. . .
class-map match-all system-cpp-cgmp
 match access-group name system-cpp-cgmp
!
policy-map system-cpp-policy
 class system-cpp-dot1x
 class system-cpp-bpdu-range
 . . .
 class system-cpp-dhcp-ss
!
control-plane
 service-policy input system-cpp-policy
cr39-4507-2(config)#policy-map system-cpp-policy
cr39-4507-2(config-pmap)#class system-cpp-dhcp-cs
cr39-4507-2(config-pmap-c)#police 32000 1000 conform-action transmit exceed-action drop
cr39-4507-2(config)#class-map Network-Operations
cr39-4507-2(config-cmap)#match access-group 140
cr39-4507-2(config-cmap)#exit
cr39-4507-2(config)#policy-map system-cpp-policy
cr39-4507-2(config-pmap)#class Network-Operations
cr39-4507-2(config-pmap-c)#police 80000 1000 conform-action transmit exceed-action drop