Deployment Using Cisco Validated Designs
BRKCRS-1500
BRKCRS-1500 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
• Core Layer Deployment
• Software-Defined Access
• Conclusion
The challenge…
• Platform choices
• On time
• Within budget
• Best practices
• Manageable
Cisco Validated Designs
…provide a framework for design and deployment guidance based on common use cases.
Solution Design Guides + Prescriptive Deployment Guides
LAN deployment principles
Hierarchical network design
High availability using modularity, hierarchy, and structure
How do I choose what to build?
• Principles: ease of deployment, flexibility, scalability, security, etc.
• Hierarchical model: resiliency, modularity, load balancing, etc.
• What devices?
• What capabilities?
• What connectivity and resiliency?
Campus wired LAN design
Option 1: Traditional multilayer campus (BRKCRS-2031)
[Diagram: physical topology with 2 core and 2 distribution/access switches; Layer 2 between distribution and access]
Simplification with routed access design
After: Layer 3 distribution with Layer 3 access
[Diagram labels: IGP, IGP, Layer 2]
Why isn’t routed access deployed everywhere?
Routed access design constraints
Campus wired LAN design
Option 2: Layer 3 routed access (BRKCRS-3036)
[Diagram: physical topology with 2 core and 2 distribution/access switches]
Campus wired LAN design
Option 3: Layer 2 access with “simplified” distribution (BRKCRS-1500)
Logical topology: L3 core/dist., L2 dist./acc.
• Leading campus design for easy configuration and operation when using stacking or similar technology (VSS, StackWise Virtual)
• Flexibility to support Layer 2 services within distribution blocks, without FHRPs
• Easy to scale and manage
• Survives device and link failures
[Diagram: physical topology with 2 core and 2 distribution/access switches]

Campus wired LAN design
Option 4: Cisco Software-Defined Access (BRKCRS-1501, many others)
Logical topology: L2/L3 flexible overlays
• Uses advantages of a routed access physical design, with Layer 2 capable logical overlay design
• Provisioning and policy automation
• Integrates wireless into the same policy
• Requires automation to simplify configuration
• Survives device and link failures
• It is an overlay network to the network underlay
• Control plane based on LISP
• Data plane based on VXLAN
• Policy plane based on TrustSec
• Enables: host mobility, network segmentation, role-based access control
[Diagram: edge nodes with a logical Layer 2 overlay and a logical Layer 3 overlay on a physical topology of 2 core and 2 distribution/access switches]
What we are trying to avoid!
• Multiple single points of failure
• Poor performance
How do I get there?
Successful deployments… …start with a plan.
Access layer design
Uniform deployment in the network
• A common deployment method is used for all access layer devices in the design, whether they are located in the headquarters or at a remote site.
• A single interface configuration is used for a standalone computer, an IP phone, or an IP phone with an attached computer.
• The LAN access layer is configured at Layer 2; all Layer 3 services are provided by the directly connected distribution layer switch or router.
[Diagram labels: wireless access point, distribution switch, access switch, user, IP phone, remote router]
Cisco Catalyst 9000 Series – switching transitions
Greater flexibility from small remote site to mission critical campus core.
Transition from: Cisco Catalyst 2960-X/XR, Catalyst 3850 copper, Catalyst 4500-E, Catalyst 3850F/4500-X, Catalyst 6840-X/6880-X, Catalyst 6807-XL/6500-E
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Attributes and platform choices
• Platform-specific configurations
• Global options
• Client-facing interfaces
• Uplinks to distribution layer
Catalyst 2960 Series
• Stack Master provides central control over multiple 2960 Series switches configured in a stack
• To increase resiliency in a 2960 stack of three or more switches:
  – Configure the Stack Master on a switch that does not have uplinks configured (a master that also carries the uplinks creates a double failure when it fails)
  – Ensure that the original Stack Master MAC address remains the stack MAC address after a failure, to prevent protocol restart
[Diagram: stack members S1 S2 S3 with MASTER; stack MAC = 00:BB:AA:CC:DD:FF]
Catalyst 9300 Series
Cisco StackWise-480
Cisco StackWise-480: Stack Ring
Example: 4x Catalyst 9300 Series switches
• 6 rings in total: 3 rings clockwise, 3 rings counter-clockwise
• Each ring is 40 Gbps
• Total stack bandwidth = 240 Gbps
• With spatial reuse = 480 Gbps
• Packets are segmented/reassembled in hardware (256-byte segments)
[Diagram labels: ASIC, stack interface]
SSO and show switch command output
Stack MAC follows Active initially

  Switch# show switch
  Switch/Stack Mac Address : 2037.06cf.0e80
                                             H/W   Current
  Switch#  Role    Mac Address     Priority Version  State
  ------------------------------------------------------------
  *1       Active  2037.06cf.0e80  10       V01      Ready
   2       Standby 2037.06cf.3380  8        V00      Ready
   3       Member  2037.06cf.1400  6        V00      Ready
   4       Member  2037.06cf.3000  4        V00      Ready

* Indicates which member is providing the “stack identity” (aka “stack MAC”)
[Diagram labels: Active, Standby, Member]
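Added example (not from the session): a parser for the show switch format above, with a health check that reports which member holds the stack MAC and whether it is still the Active. The second sample output is a constructed post-switchover state, not captured from a real switch.

```python
import re

# First sample: the show switch output from the slide above.
SHOW_SWITCH_INITIAL = """\
Switch/Stack Mac Address : 2037.06cf.0e80
                                             H/W   Current
Switch#  Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active  2037.06cf.0e80  10       V01      Ready
 2       Standby 2037.06cf.3380  8        V00      Ready
 3       Member  2037.06cf.1400  6        V00      Ready
 4       Member  2037.06cf.3000  4        V00      Ready
"""

# Second sample (constructed): after an SSO switchover the stack MAC stays with
# member 1, which is now only a Member, while member 2 has become Active.
SHOW_SWITCH_AFTER_SWITCHOVER = """\
Switch/Stack Mac Address : 2037.06cf.0e80
                                             H/W   Current
Switch#  Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Member  2037.06cf.0e80  10       V01      Ready
 2       Active  2037.06cf.3380  8        V00      Ready
 3       Standby 2037.06cf.1400  6        V00      Ready
 4       Member  2037.06cf.3000  4        V00      Ready
"""

# One member row: optional '*' (stack identity), number, role, dotted MAC, priority, H/W version, state.
ROW_RE = re.compile(
    r"^\s*(?P<identity>\*?)(?P<num>\d+)\s+(?P<role>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<prio>\d+)\s+"
    r"(?P<hw>\S+)\s+(?P<state>\S+)\s*$",
    re.IGNORECASE,
)
STACK_MAC_RE = re.compile(r"Switch/Stack Mac Address\s*:\s*(\S+)")


def parse_show_switch(text):
    """Return (stack_mac, members); members is one dict per row of the table."""
    m = STACK_MAC_RE.search(text)
    if not m:
        raise ValueError("no 'Switch/Stack Mac Address' line found")
    members = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            members.append({
                "num": int(row["num"]),
                "role": row["role"],
                "mac": row["mac"].lower(),
                "priority": int(row["prio"]),
                "hw": row["hw"],
                "state": row["state"],
                "identity": row["identity"] == "*",
            })
    return m.group(1).lower(), members


def stack_health(text):
    """Checks worth scripting: who provides the stack MAC, whether that member is
    still the Active, and whether every member is in the Ready state."""
    stack_mac, members = parse_show_switch(text)
    holder = next((mb for mb in members if mb["identity"]), None)
    active = next((mb for mb in members if mb["role"] == "Active"), None)
    return {
        "stack_mac": stack_mac,
        "member_count": len(members),
        "identity_member": holder["num"] if holder else None,
        "identity_role": holder["role"] if holder else None,
        "identity_mac_matches_stack_mac": bool(holder and holder["mac"] == stack_mac),
        # False after a switchover: the persistent stack MAC stays on the former Active,
        # which is exactly the behaviour that keeps peers from restarting protocols.
        "identity_is_active": bool(holder and active and holder is active),
        "all_ready": all(mb["state"] == "Ready" for mb in members),
    }
```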
Stateful Switchover
Catalyst 9000 Series and 3x50 stacks, also 4500, 6500, 6800 modular
• Modular chassis with dual supervisors offers Stateful Switchover (SSO) configuration
• Redundant chassis with StackWise, StackWise Virtual, or Virtual Switching System (VSS) also provides SSO
• Traffic loss minimized for failure of active control plane
[Diagram label: Hot-Standby Switch]
CLI-based quality of service (QoS) deployment
Macros to ease the deployment process for platform-specific commands (complex → simplified)
Reference: BRKCRS-2501: Campus QoS Design Simplified
Global options
Global LAN switch configuration
• Rapid PVST+ – improved topology change detection over classic STP Layer 2 loop detection
• BPDU Guard default – detect spanning tree BPDUs on PortFast-enabled ports for Layer 2 loop prevention
• UDLD – detect and protect against unidirectional links caused by incorrect physical interconnects that can cause spanning tree loops
• Error-disable recovery – allows automatically disabled ports to recover after the event without manual intervention
• VTP transparent – ignore VTP updates to avoid accidental outages from unplanned VLAN changes
• Load-interval – reduce the time used to compute interface load, for better visibility into traffic bursts
Enabling device management
Global LAN switch configuration
Device management authentication
Global LAN switch configuration
• Use AAA to control management access to network infrastructure devices (SSH and HTTPS)
• Centralized/easy control of password expiration: rapidly revoke access on employee departure
• TACACS+ is the primary protocol to the AAA server for management authentication to infrastructure devices
• Local AAA users defined on network infrastructure devices provide a fallback authentication source

New method:
  enable secret [enable password]
  service password-encryption
  !
  ! Local username and password for fallback
  username admin secret [admin password]
  aaa new-model
  !
  ! Define tacacs+ server and secret key
  tacacs server TACACS-SERVER-1
   address ipv4 10.4.48.15
   key [tacacs key]
  !
  aaa group server tacacs+ TACACS-SERVERS
   server name TACACS-SERVER-1
  !
  ! Use tacacs+ first, fallback to local
  aaa authentication login default group TACACS-SERVERS local
  aaa authorization exec default group TACACS-SERVERS local
  aaa authorization console
  ip http authentication aaa

Traditional method:
  enable secret [enable password]
  service password-encryption
  !
  username admin password [admin password]
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  aaa authorization console
  ip http authentication aaa
  tacacs-server host 10.4.48.15 key [tacacs key]
Synchronize the clock on all devices
Global LAN switch configuration
Access layer virtual LANs
Access switch configuration
• Data VLAN provides access to the network for all attached devices other than IP phones
[Diagram labels: network management station, uplink interfaces]
In-band management
Access switch configuration
Configure the switch with an IP address so that it can be managed via in-band connectivity, with an IP default gateway for the management VLAN.
Note: Do not use the ip default-gateway command on the Catalyst 4500, since it has ip routing enabled by default and the “ip default-gateway” command will not have any effect. Instead use the following command on the Catalyst 4500:
  ip route 0.0.0.0 0.0.0.0 [default router]
[Diagram label: network management station]
Client-facing interfaces
The host interface configuration supports PCs, phones, or wireless access points.
• Use a single port profile for all access ports
  interface range [interface type] [port number]–[port number]
   switchport access vlan [data vlan]
   switchport mode access
   switchport voice vlan [voice vlan]
[Diagram label: wireless access point]
Access layer – hardening the edge
The Cisco Validated Design uses Catalyst Integrated Security Features to protect your network from intentional and unintentional attacks:
• IP Source Guard
• Dynamic ARP Inspection
• DHCP Snooping
• Port Security
• + IPv6 RA Guard
Port security
Client-facing interface configuration
[Diagram: a client advertises MAC addresses 00:10:10:10:10:10 through 00:10:10:10:10:1B; the twelfth address exceeds the configured maximum]
Configure on the client interface:
  switchport port-security
  switchport port-security maximum 11
  switchport port-security aging time 2
  switchport port-security aging type inactivity
  switchport port-security violation restrict
DHCP snooping
Client-facing interface configuration
[Diagram: the DHCP server's reply to the client (MAC 00:50:56:BA:13:DB, IP address 10.4.80.10) is observed by the switch]
Example DHCP Snooping Binding Table
  MAC Address        IP Address  VLAN  Interface
  00:50:56:BA:13:DB  10.4.80.10  10    GigabitEthernet2/0/1
ARP inspection
Client-facing interface configuration
[Diagram: a client on an untrusted port advertises MAC 00:10:10:10:10:10, which does not match the DHCP snooping binding table entry]
Example DHCP Snooping Binding Table
  MAC Address        IP Address  VLAN  Interface
  00:50:56:BA:13:DB  10.4.80.10  10    GigabitEthernet2/0/1
IP source guard
client-facing interface configuration
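Added example, not from the session: a small model of how DHCP snooping, Dynamic ARP Inspection and IP Source Guard interact on client ports, using the binding table entry shown above and a constructed spoofed ARP from 00:10:10:10:10:10. Port names and the rogue addresses are constructed sample values.

```python
"""Model of the client-port features discussed above. A switch object keeps the DHCP
snooping binding table; each check returns True (forward) or False (drop) and logs drops.
Not Cisco code; port names, MAC and IP addresses are constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class AccessSwitch:
    # Uplink ports configured with "ip dhcp snooping trust" / "ip arp inspection trust".
    trusted: set = field(default_factory=set)
    # DHCP snooping binding table, keyed by (vlan, interface) -> set of Binding.
    bindings: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _drop(self, msg):
        self.log.append(msg)
        return False

    def dhcp_server_reply(self, ingress, vlan, client_port, client_mac, offered_ip):
        """DHCP snooping: server messages (OFFER/ACK) are accepted only from trusted ports,
        so a rogue DHCP server on a client port is dropped and never creates a binding."""
        if ingress not in self.trusted:
            return self._drop(f"DHCP snooping: server reply from untrusted {ingress} dropped")
        b = Binding(client_mac.lower(), offered_ip, vlan, client_port)
        self.bindings.setdefault((vlan, client_port), set()).add(b)
        return True

    def arp(self, ingress, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding learned
        for that VLAN and port; trusted (uplink) ports are not inspected."""
        if ingress in self.trusted:
            return True
        for b in self.bindings.get((vlan, ingress), ()):
            if b.mac == sender_mac.lower() and b.ip == sender_ip:
                return True
        return self._drop(f"DAI: ARP {sender_mac}/{sender_ip} on {ingress} vlan {vlan} dropped")

    def ip_packet(self, ingress, vlan, src_mac, src_ip, check_mac=False):
        """IPSG: an untrusted port forwards only IP traffic whose source IP (and, when MAC
        filtering is enabled, also source MAC) appears in a binding for that port."""
        if ingress in self.trusted:
            return True
        for b in self.bindings.get((vlan, ingress), ()):
            if b.ip == src_ip and (not check_mac or b.mac == src_mac.lower()):
                return True
        return self._drop(f"IPSG: IP source {src_ip} ({src_mac}) on {ingress} dropped")


def demo():
    """Walk through the slides' scenario: the binding 00:50:56:BA:13:DB / 10.4.80.10 on
    GigabitEthernet2/0/1 VLAN 10, then spoofed ARP and IP traffic on the same port."""
    sw = AccessSwitch(trusted={"Port-channel10"})  # uplink to the distribution layer
    learned = sw.dhcp_server_reply("Port-channel10", 10, "GigabitEthernet2/0/1",
                                   "00:50:56:BA:13:DB", "10.4.80.10")
    results = {
        "binding_learned": learned,
        # constructed rogue DHCP server plugged into another client port
        "rogue_dhcp": sw.dhcp_server_reply("GigabitEthernet2/0/5", 10, "GigabitEthernet2/0/1",
                                           "00:50:56:BA:13:DB", "10.4.80.200"),
        "valid_arp": sw.arp("GigabitEthernet2/0/1", 10, "00:50:56:BA:13:DB", "10.4.80.10"),
        # the slide's case: 00:10:10:10:10:10 claims the bound IP and does not match
        "spoofed_arp": sw.arp("GigabitEthernet2/0/1", 10, "00:10:10:10:10:10", "10.4.80.10"),
        "valid_ip": sw.ip_packet("GigabitEthernet2/0/1", 10, "00:50:56:BA:13:DB", "10.4.80.10"),
        "spoofed_ip": sw.ip_packet("GigabitEthernet2/0/1", 10, "00:50:56:BA:13:DB", "10.4.80.99"),
        # ARP arriving on the trusted uplink (constructed gateway MAC) is not inspected
        "uplink_arp": sw.arp("Port-channel10", 10, "00:00:0c:9f:f0:0a", "10.4.80.1"),
    }
    return sw, results
```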
IPv6 router advertisement guard
Client-facing interface configuration
Define the policy in the global configuration:
  ipv6 nd raguard policy HOST_POLICY
   device-role host
Attach the policy to the client interface:
  ipv6 nd raguard attach-policy HOST_POLICY
• If a port device role is configured as host, IPv6 First Hop Security (FHS) RA Guard drops all IPv6 Router Advertisement messages
• Useful even for IPv4-only networks
• Other port device role options include: monitor, router, and switch
See also BRKSEC-2003: IPv6 Security Threats and Mitigations; BRKSEC-3003: Advanced IPv6 Security in the LAN
Trunk configuration
Uplink interface configuration
• When using EtherChannel, the interface type will be port-channel and the number must match the channel-group configured on the member interfaces.
  interface port-channel 10
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan [data],[voice],[mgmt]
   switchport mode trunk
   ip arp inspection trust
   ip dhcp snooping trust
   logging event link-status
   no shutdown
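Added example, not Cisco tooling: a configuration audit that checks an access switch against the global options, client-port hardening and uplink trust settings from these slides. The sample configuration and the check list are constructed from the slides' recommendations; the IOS command spellings are the standard ones and are not all shown on the slides.

```python
"""Audit an access-switch configuration against the baseline on these slides.
The check list encodes the slides' recommendations (constructed, not an official set)."""

# Global commands expected on every access switch (prefix match on a config line).
GLOBAL_REQUIRED = {
    "spanning-tree mode rapid-pvst": "Rapid PVST+",
    "spanning-tree portfast bpduguard default": "BPDU Guard default",
    "udld ": "UDLD",
    "errdisable recovery cause": "error-disable recovery",
    "vtp mode transparent": "VTP transparent",
    "aaa new-model": "AAA",
    "ip dhcp snooping": "DHCP snooping",
}
# Per-port expectations, chosen by the port's role ("switchport mode access|trunk").
ACCESS_REQUIRED = ["switchport port-security", "ipv6 nd raguard attach-policy"]
ACCESS_FORBIDDEN = ["ip dhcp snooping trust", "ip arp inspection trust"]
TRUNK_REQUIRED = ["ip dhcp snooping trust", "ip arp inspection trust",
                  "switchport trunk allowed vlan"]


def parse_ios(text):
    """Split an IOS-style config into top-level lines and per-interface line lists.
    An interface block ends at the next non-indented line or '!' separator."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, interfaces


def port_role(lines):
    """'access', 'trunk', or None when no switchport mode is set."""
    for line in lines:
        if line.startswith("switchport mode "):
            return line.split()[-1]
    return None


def audit(text):
    """Return a list of findings; an empty list means the config matches the baseline."""
    globals_, interfaces = parse_ios(text)
    findings = []
    for prefix, name in GLOBAL_REQUIRED.items():
        if not any(g.startswith(prefix) for g in globals_):
            findings.append(f"global: {name} not configured ({prefix.strip()})")
    for name, lines in interfaces.items():
        role = port_role(lines)
        if role == "access":
            for req in ACCESS_REQUIRED:
                if not any(l.startswith(req) for l in lines):
                    findings.append(f"{name}: access port missing '{req}'")
            for bad in ACCESS_FORBIDDEN:
                if any(l.startswith(bad) for l in lines):
                    findings.append(f"{name}: client-facing port must not carry '{bad}'")
        elif role == "trunk":
            for req in TRUNK_REQUIRED:
                if not any(l.startswith(req) for l in lines):
                    findings.append(f"{name}: uplink trunk missing '{req}'")
    return findings


# Constructed sample: UDLD is missing globally, Gi1/0/24 is an unhardened client port that
# is wrongly trusted for DHCP, and the uplink lacks DHCP snooping trust and a VLAN list.
SAMPLE_CONFIG = """\
hostname ACCESS-1
aaa new-model
vtp mode transparent
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
errdisable recovery cause all
ip dhcp snooping vlan 10,20
ip dhcp snooping
ipv6 nd raguard policy HOST_POLICY
 device-role host
!
interface range GigabitEthernet1/0/1-23
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 11
 switchport port-security violation restrict
 ipv6 nd raguard attach-policy HOST_POLICY
!
interface GigabitEthernet1/0/24
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 no shutdown
"""
```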
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
• Attributes and platform choices
• Platform-specific configuration
• Global options
• Connectivity to access and core layers
Campus LAN distribution layer attributes
• Primary function is access layer aggregation for a building or geographic area.
Alternative distribution layer attributes
LAN distribution layer
• Large LAN services block: connection point for services
• Collapsed core: two-tier main campus LAN and WAN core
[Diagram label: WAN]
Simplified distribution layer design
LAN distribution layer
• Traditional two-box distribution layer design: multiple boxes to manage, FHRP between them
Traditional design compared to simplified design
LAN distribution layer
Traditional designs:
• Looped design with spanned VLANs
  – Relies on STP to block loops
  – Reduces available bandwidth
• Loop free design
  – Can increase bandwidth
  – Still relies on FHRP
  – Multiple distribution layer boxes to configure
Preferred – simplified design (permits both: VLAN 30 spanned across access switches, or VLAN 10 / VLAN 20 / VLAN 30 per access switch):
• EtherChannel – resilient links, all links forwarding
• No FHRP – single default IP gateway
“How can I simplify my distribution?”
Catalyst 9000 Series and Catalyst 3850 – StackWise Virtual
• Cisco StackWise Virtual: an evolution of Catalyst Virtual Switching System technology
• Both StackWise Virtual members must have consistent Cisco IOS-XE and license
• Check software release notes for versions, supported platforms, and additional uplink/line card hardware
[Diagram label: Access]
Cisco StackWise Virtual (SWV) setup
LAN distribution layer
Note: Maximum of 8 SVL member links and 4 dual active detection links
In-band management interface
LAN distribution layer
• The loopback interface is the preferred way to manage when using in-band access
• Logical interface
• Always available as long as the device is operational
• Commonly a host address (32-bit address mask)
• Bind SNMP, SSH, TACACS and PIM processes to the loopback interface address for optimal resiliency
  interface loopback 0
   ip address 10.1.1.1 255.255.255.255
  !
  snmp-server trap-source loopback 0
  ip ssh source-interface loopback 0
  ip pim register-source loopback 0
  ip tacacs source-interface loopback 0
Distribution layer IP unicast routing – EIGRP
LAN distribution layer
EIGRP was chosen for simplicity, scalability, and flexibility
• Named mode configuration
• Tie EIGRP router-id to loopback 0 for maximum stability
• Enable all routed links to be passive by default
• Enable EIGRP for address space
• Each distribution is a stub network
  router eigrp [NAME]
   address-family ipv4 unicast autonomous-system [AS]
    af-interface default
     passive-interface
    exit-af-interface
    network [network] [inverse mask]
    eigrp router-id [ip address of loopback 0]
    eigrp stub summary
    nsf
   exit-address-family

Single logical distribution layer design
• Uses stateful switchover (SSO) and non-stop forwarding (NSF)
• SSO provides sub-second failover to redundant supervisor
• NSF maintains packet forwarding while the control plane recovers
NSF aware
• Nothing to enable; only need an IOS version that supports NSF for EIGRP
NSF capable
• Works on dual supervisor system
• Signals peer of SSO and to delay adjacency timeout
• Once the control plane recovers, re-establishes peering
[Diagram labels: L3, L2]
Distribution layer IP unicast routing – OSPF
LAN distribution layer
OSPF is available for compatibility
• Tie OSPF router-id to loopback 0 for maximum stability
• Enable all routed links to be passive by default
• Enable OSPF for address space
• Each distribution is a stub area and ABR
  router ospf [process]
   router-id [ip address of loopback 0]
   nsf
   area [area number] stub no-summary
   passive-interface default
   network [network] [inverse mask] area [area number]
   network [network] [inverse mask] area 0

Single logical distribution layer design
• Uses stateful switchover (SSO) and non-stop forwarding (NSF)
• SSO provides sub-second failover to redundant supervisor
• NSF maintains packet forwarding while the control plane recovers
NSF aware
• Nothing to enable; only need an IOS version that supports NSF for OSPF
NSF capable
• Works on dual supervisor system
• Signals peer of SSO and to delay adjacency timeout
• Once the control plane recovers, re-establishes peering
[Diagram labels: L3, L2]
Distribution layer IP multicast routing
LAN distribution layer
• IP multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches)
• More efficient than multiple IP unicast streams
• Beneficial for IPT music on hold and IP broadcast video streams
• IP PIM sparse-mode
• Sparse-mode uses a rendezvous point (RP) to allow IP multicast receivers to find IP multicast sources
• Place the IP multicast RP in the center or core of the network
• On every Layer 3 switch and router:
  • Configure ip pim autorp listener to enable discovery across sparse mode links
  • Enable pim sparse-mode on all Layer 3 interfaces
  ip multicast-routing
  ip pim autorp listener
  !
  interface GigabitEthernet 1/0/1
   ip pim sparse-mode
[Diagram labels: WAN, Rendezvous Point]
SWV/VSS: connecting distribution to access layer
Resilient connectivity
• Alternatively, with a StackWise distribution layer, home EtherChannel uplinks to multiple switches in the stack
Layer 2 connectivity to access layer
LAN distribution layer
• Configure Layer 2
• With hub-and-spoke design, no STP loops, still enable RPVST+
• Configure VLANs servicing access layer
• Set distribution layer to be STP root for access layer VLANs
Layer 3 connectivity to core layer – interface configuration
LAN distribution layer
• If no core layer, links to WAN routers are Layer 3 links
• Links from distribution layer to core are Layer 3 links
• Configure Layer 3 EtherChannel interface
[Diagram label: WAN]
Layer 3 connectivity to core layer – EIGRP routing configuration
LAN distribution layer
• Enable authentication of neighbor routing protocol communication on the interface to the core
• Enable EIGRP for the core-facing interface (disable passive-interface)
Summary
• As networks grow, IP address summarization is used
  • To reduce bandwidth required for routing updates
  • To reduce convergence time around a link failure
• Summarize all subnets in the distribution layer to the rest of the network
  key chain EIGRP-KEY
   key 1
    key-string [KEY STRING]
  !
  router eigrp [NAME]
   address-family ipv4 unicast autonomous-system [AS]
    af-interface port-channel 20
     authentication mode md5
     authentication key-chain EIGRP-KEY
     no passive-interface
     summary-address [network] [mask]
    exit-af-interface
   exit-address-family
Layer 3 connectivity to core layer – OSPF routing configuration
LAN distribution layer
• Enable authentication of neighbor routing protocol communication on the interface to the core
Summary
  interface Port-channel 20
   ip ospf message-digest-key [key id] md5 [key]
  !
  router ospf 100
   area 0 authentication message-digest
   area [area number] range [address range] [mask]
   no passive-interface Port-channel 20
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
• Core Layer Deployment
• Attributes and platform
• Global options
• Software-Defined Access
• Conclusion
Core layer attributes
LAN core layer – Do I need a core layer?
• Primary function is distribution layer aggregation for large or geographically dispersed LAN deployments
• Lowers the complexity and cost of a fully meshed distribution layer
• Layer 3 transport
• No spanning tree convergence or blocking
Cisco StackWise Virtual – Catalyst 9600
• SVL: StackWise Virtual Link
  • Same speed ports (10G or higher)
  • Up to 8 ports
• DAD: Dual Active Detection
  • Fast Hello: directly connected, up to 4 links
  • Enhanced PAgP: EtherChannel with PAgP, up to 4 port-channels
• In SVL mode, a 2nd supervisor is not supported in the chassis and will be powered off if inserted
• Typically a distribution layer technology, allowing “stacking” of 2 switches
• Supports flexible distances with support of all supported cables and optics
• SVL and DAD are supported on any port with 10G or higher speed, including QSA
Cisco StackWise Virtual for Catalyst 9600 is supported with IOS-XE 16.12.1 or later. Check release notes for hardware / software constraints.
Quad-Supervisor RPR StackWise Virtual
[Diagram label: SSO]
In-band management interface
LAN core layer
Same loopback interface configuration and process bindings as for the distribution layer.
Core layer IP unicast routing - EIGRP
LAN core layer
Core layer IP unicast routing – OSPF
LAN core layer
• Remember to:
  • Enable authentication of neighbor routing protocol communication
  • Enable NSF
Resilient IP multicast routing – SWV/VSS core
LAN core layer
• IP multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches)
• IP PIM sparse-mode
• Every Layer 3 switch and router points to the rendezvous point (RP)
• RP placed centrally in the network (core)
• Auto-RP used for dynamic RP announcement to network devices
• RP resiliency is critical to IP multicast operation
• SSO ensures RP availability
  interface loopback 1
   ip address 10.1.1.2 255.255.255.255
   ip pim sparse-mode
  !
  access-list 10 permit 239.1.0.0 0.0.255.255
  ! Announce “I (10.1.1.2) will be an RP”
  ip pim send-rp-announce Loopback1 scope 32 group-list 10
  ! Discovers RPs and tells the best one to Auto-RP listeners
  ip pim send-rp-discovery Loopback1 scope 32
[Diagram labels: WAN, Data Center, Rendezvous Point]
Resilient IP multicast RP – two-box core
LAN core layer (reference)
• When the core isn’t a single logical platform (such as Nexus)
• IP multicast allows a single IP data stream to be replicated
[Diagram labels: WAN, Data Center]
Anycast RP operation & configuration
Resilient IP multicast (reference)
[Diagram: two core switches both holding the Anycast RP address 10.1.1.1 and exchanging MSDP Source-Active (SA) messages; sources in the data center]
Core switch 1:
  interface loopback 0
   ip address 10.1.1.3 255.255.255.255
   ip pim sparse-mode
  interface loopback 1
   ip address 10.1.1.1 255.255.255.255
  !
  ip msdp peer 10.1.1.2 connect-source loopback 0
  ip msdp originator-id loopback 0
  !
  access-list 10 permit 239.1.0.0 0.0.255.255
  ip pim send-rp-announce Loopback1 scope 32 group-list 10
  !
  ip pim send-rp-discovery Loopback0 scope 32
Core switch 2:
  interface loopback 0
   ip address 10.1.1.2 255.255.255.255
   ip pim sparse-mode
  interface loopback 1
   ip address 10.1.1.1 255.255.255.255
  !
  ip msdp peer 10.1.1.3 connect-source loopback 0
  ip msdp originator-id loopback 0
  !
  access-list 10 permit 239.1.0.0 0.0.255.255
  ip pim send-rp-announce Loopback1 scope 32 group-list 10
  !
  ip pim send-rp-discovery Loopback0 scope 32
Layer 3 connectivity to distribution layer
LAN core layer
• Links from core layer are Layer 3 links (no SVIs)
[Diagram label: WAN]
What’s different in your network today versus a decade ago? How does it affect your network?
• Mobility: Bring Your Own Device; devices in the workspace
• IoT: auto-detect non-user devices; devices everywhere
• Cyber security: networking and security; advanced threats
Key challenges for traditional networks
What is the problem?
Policy model today
(Diagram: an enterprise network applying network policy to a packet whose header carries PAYLOAD DATA, DSCP, PROT, IP SRC, IP DST, SRC PORT and DST PORT.)
Policy is based on the “5 Tuple”:
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.
Where is the information about the user to apply policy?
Cisco Software-Defined Access
• Automated Network Fabric: single fabric for wired & wireless with workflow-based automation
• Insights & Telemetry: analytics and insights into user and application behavior
• User Mobility: policy stays with the user
(Diagram: employee and network icons.)
Cisco DNA Center—deploying Cisco Software-Defined Access
Cisco DNA Center: Simple Workflows
Components of SD-Access
Cisco DNA Center
(Screenshots: Network Hierarchy; Network Settings – Network Settings; Network Settings – Address Pools)
SD-Access Deployment: SD-Access Workflow
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
• Core Layer Deployment
• Software-Defined Access
• Conclusion
Would you build this?
You now have the tools to build this! (and more)
(Diagram of the full campus: WAN routers and Internet edge; Data Center; LAN Core Layer; LAN Distribution modules, Network-Services Distribution module and a Remote Building distribution; client access switches; High Density and Guest WLC cluster; Firewall; WAAS.)
Summary
• Cisco Validated Designs provide a design framework for the wired campus (and for other solutions) with step-by-step deployment based on the cumulative Cisco leading practices
• Access layer
  • Consistent LAN access layer across the network (small site to large campus)
  • Supports both Layer 2 and Layer 3 application needs
  • Secure boundary and ready for advanced technologies
• Distribution layer
  • Simplified single logical platform with resilient and scalable design
  • EtherChannel for resiliency and scalability
• Core layer
  • Scalable, resilient Layer 3 core for simplified topology and configuration
Resiliency, scalability, and flexibility – easily deployed throughout the network.
Design and deployment guidance available
https://cisco.com/go/cvd and https://cs.co/en-cvds
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
Cisco Switching Campus/Switch Breakouts (TUE–FRI)
• Customer Appreciation 19:00
• Keynote 17:00
Cisco SD-Access Breakouts (TUE–FRI)
• Keynote 09:00
• BRKCRS-2818 Build a Software Defined Enterprise with Cisco SDWAN & SD-Access
• BRKCRS-2819 Creating multi-domain architecture using Cisco SD-Access
• BRKCRS-2815 Cisco SD-Access – Connecting Multiple Sites in a Single Fabric
• BRKCRS-2830 Cisco SD-Access – Lessons learned from Design & Deployment
• BRKCRS-3811 Cisco SD-Access – Policy Driven Manageability
• BRKCRS-2810 Cisco SD-Access – A Look Under the Hood
• BRKCRS-2821 Cisco SD-Access – Connecting to the DC, FW, WAN and more!
• BRKCRS-2812 Cisco SD-Access – Integrating with your existing network
• BRKCRS-2502 Best Practices for Design and Deployment of Cisco SD-Access
• BRKCRS-1400 Recipe for transforming Enterprise Networks with IBN
• BRKCRS-2832 Extending Cisco SD-Access beyond Enterprise walls
• BRKARC-2020 Cisco SD Access – Troubleshooting the fabric
• BRKCRS-2825 Cisco SD-Access – Scaling the Fabric to 100s of Sites
• BRKCRS-2811 Cisco SD-Access – Connecting the Fabric to External Networks
• BRKCRS-2823 Cisco SD-Access – Firewall Integration
• BRKCRS-2823 Cisco SD-Access deep dive
• BRKCRS-2824 Intuitive Zero-Trust Design, Migration When Securing the SD-Access Workplace
• Customer Appreciation 18:30
• Keynote 17:00
Thank you
www.cisco.com/go/cvd