
Introduction to Campus Wired LAN Deployment Using Cisco Validated Designs

Dana Daum, Solutions Architect
CCIE#5060, CCDE#20160024

BRKCRS-1500
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Scroll to the bottom and click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKCRS-1500 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
• Core Layer Deployment
• Software-Defined Access
• Conclusion

The challenge…

“I need to design and deploy a network.”

• Future ready
• Design options
• Platform choices
• On time
• Within budget
• Best practices
• Manageable
Cisco Validated Designs
…provide a framework for design and deployment guidance based on common use cases.
Solution Design Guides + Prescriptive Deployment Guides

Design Zone: cisco.com/go/cvd/campus
Cisco Community: https://cs.co/en-cvds
LAN deployment principles

• Ease of deployment
• Easy to manage
• Flexibility and scalability
• Resiliency
• Security
• Advanced technology ready
Hierarchical network design
High availability using modularity, hierarchy, and structure

• Each layer in the hierarchy has a specific role
• Modular topology—building blocks
• Modularity makes it easy to grow, understand, and troubleshoot
• Structure creates small fault domains and predictable network behavior—clear demarcations and isolation
• Promotes load balancing and resilience

Figure: Access, Distribution, Core, Distribution, Access layers; an access/distribution pair forms a building block.
How do I choose what to build?

• Principles: ease of deployment; flexibility, scalability; security; etc.
• Hierarchical model: resiliency, modularity, load balancing, etc.
• What devices?
• What capabilities?
• What connectivity and resiliency?
Campus wired LAN design
Option 1: Traditional multilayer campus (BRKCRS-2031)

• Common design since the 1990’s
• Complex configurations (prone to human error) related to spanning-tree, load balancing, unicast and multicast routing
• Requires heavy performance tuning resulting from reliance on FHRPs (HSRP, VRRP, GLBP)

Logical topology—L3: core/dist.; L2: dist./acc.
Physical topology: 2 core, 2 dist./acc.

Scorecard criteria (ratings were shown graphically on the slide):
• Survives device and link failures
• Easy mitigation of Layer 2 looping concerns
• Rapid detection/recovery from failures
• Layer 2 across all access blocks within distribution
• Device-level CLI configuration simplicity
• Automated network and policy provisioning included
Transforming multilayer campus
Before: Layer 3 distribution with Layer 2 access

Figure: IGP between core and distribution (Layer 3); Layer 2 between distribution and access.
Simplification with routed access design
After: Layer 3 distribution with Layer 3 access

Figure: IGP between core and distribution and between distribution and access (Layer 3); Layer 2 only at the access ports.

• Move the Layer 2 / 3 demarcation to the network edge
• Leverages Layer 2 only on the access ports, but builds a Layer 2 loop-free network
• Design motivations – simplified control plane, ease of troubleshooting, highest availability
Why isn’t routed access deployed everywhere?
Routed access design constraints

• VLANs don’t span across multiple wiring closet switches/switch stacks
  Does this impact your requirements?
• IP addressing changes: more DHCP scopes and subnets of smaller sizes increase management and operational complexity
• Deployed access platforms must be able to support routing features

Figure: Layer 3 on every access switch below the Layer 3 distribution.
Campus wired LAN design
Option 2: Layer 3 routed access (BRKCRS-3036)

• Complexity reduced for Layer 2 (STP, trunks, etc.)
• Elimination of FHRP and associated timer tuning
• Requires more Layer 3 subnet planning; might not support Layer 2 adjacency requirements

Logical topology—L3: everywhere; L2: edge only
Physical topology: 2 core, 2 dist./acc.

Scorecard criteria (ratings were shown graphically on the slide):
• Survives device and link failures
• Easy mitigation of Layer 2 looping concerns
• Rapid detection/recovery from failures
• Layer 2 across all access blocks within distribution
• Device-level CLI configuration simplicity
• Automated network and policy provisioning included
Campus wired LAN design
Option 3: Layer 2 access with “simplified” distribution (BRKCRS-1500)

• Leading campus design for easy configuration and operation when using stacking or similar technology (VSS, StackWise Virtual)
• Flexibility to support Layer 2 services within distribution blocks, without FHRPs
• Easy to scale and manage

Logical topology—L3: core/dist.; L2: dist./acc.
Physical topology: 2 core, 2 dist./acc.

Scorecard criteria (ratings were shown graphically on the slide):
• Survives device and link failures
• Easy mitigation of Layer 2 looping concerns
• Rapid detection/recovery from failures
• Layer 2 across all access blocks within distribution
• Device-level CLI configuration simplicity
• Automated network and policy provisioning included
What if you could do this?
Cisco Software-Defined Access

• Enables:
  • Host mobility
  • Network segmentation
  • Role-based access control
• It is an overlay network to the network underlay
• Control plane based on LISP
• Data plane based on VXLAN
• Policy plane based on TrustSec

Figure: Border Nodes and Edge Nodes shown as a logical Layer 2 overlay and a logical Layer 3 overlay on top of the physical topology.

Software-Defined Access Solution Design Guide
https://cs.co/sda-sdg
Campus wired LAN design
Option 4: Cisco Software-Defined Access (BRKCRS-1501, many others)

• Uses advantages of a routed access physical design, with Layer 2 capable logical overlay design
• Provisioning and policy automation
• Integrates wireless into the same policy
• Requires automation to simplify configuration

Logical topology—L2/L3: flexible OR overlays
Physical topology: 2 core, 2 dist./acc.

Scorecard criteria (ratings were shown graphically on the slide):
• Survives device and link failures
• Easy mitigation of Layer 2 looping concerns
• Rapid detection/recovery from failures
• Layer 2 across all access blocks within distribution
• Device-level CLI configuration simplicity
• Automated network and policy provisioning included
Campus wired LAN design options—summary

Traditional Multilayer Campus (BRKCRS-2031)
  Design notes: protocols / tuning
Layer 3 Routed Access (BRKCRS-3036)
  Design notes: L3 planning, limited L2
L2 Access / Simplified Distribution (BRKCRS-1500)
  Design notes: flexible, easy, scalable
SD-Access / Fabric for Campus (BRKCRS-1501 and many others)
  Design notes: flexible, tools to simplify

Logical topology: as shown on each option’s slide (SD-Access: flexible OR overlays)
Physical topology (all options): 2 core, 2 dist./acc.

On-line library at ciscolive.com
What we are trying to avoid!

• No hierarchy
• Hard to troubleshoot
• Multiple single points of failure
• Poor performance
How do I get there?
Successful deployments… …start with a plan.

Photos: Basílica i Temple Expiatori de la Sagrada Família
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
  • Attributes and platform choices
  • Platform-specific configurations
  • Global options
  • Client-facing interfaces
  • Uplinks to distribution layer
• Distribution Layer Deployment
• Core Layer Deployment
• Software-Defined Access
• Conclusion
Access layer attributes
• Ethernet network access
  • Wired 10/100/1000 (802.3z)/mGig (802.3bz)
  • Supports Wireless LAN 802.11a/b/g/n/ac access APs
• Simplified and flexible design
  • Layer 2 edge for applications that require spanned VLANs
  • Avoid Spanning Tree loops for resiliency
• Policy enforcement point
  • Secure network and applications from malicious attacks
  • Packet marking for QoS
• Advanced Technologies support
  • Deliver PoE services: 802.3af (PoE), 802.3at (PoE+), and Cisco Universal POE (UPOE) – 60 watts per port
  • QoS enforcement to protect multimedia applications
Access layer design
Uniform deployment in the network

• A common deployment method is used for all access layer devices in the design, whether they are located in the headquarters or at a remote site.
• A single interface configuration is used for a standalone computer, an IP phone, or an IP phone with an attached computer.
• The LAN access layer is configured as Layer 2.
• All Layer 3 services are provided by the directly connected distribution layer switch or router.

Figure: access switch connecting a user, an IP phone, and a wireless access point, with uplinks to either a distribution switch or a remote-site router.
Cisco Catalyst 9000 Series–switching transitions
Greater flexibility from small remote site to mission critical campus core.

Figure: Cisco Catalyst 9200, 9300, 9400, 9500 and 9600 Series (Cisco UADP 3.0, ~20B transistors, 16-nm tech), positioned from access switching to core switching as successors to the Catalyst 2960-X/XR, 3850 copper, 4500-E, 3850F/4500-X, 6840-X/6880-X and 6807-XL/6500-E.
“Classic” Catalyst 2960-X stack resiliency

• Stack Master provides central control over multiple 2960 Series switches configured in a stack
• To increase resiliency in a 2960 stack of three or more switches:
  • Configure the Stack Master on a switch that does not have uplinks configured (a master that also carries the uplinks creates a double failure)
  • Ensure that the original Stack Master MAC address remains the stack MAC address after a failure to prevent protocol restart

Figure: stack members S1, S2, S3 forming a single logical switch; MASTER with MAC=00:BB:AA:CC:DD:FF.

    switch [switch number] priority 15
    stack-mac persistent timer 0
Catalyst 9300 Series
Cisco StackWise-480

Cisco StackWise-480: Stack Ring
Example: 4x Catalyst 9300 Series switches

• 6 rings in total
  • 3 rings clockwise
  • 3 rings counter/anti-clockwise
• Each ring is 40 Gbps
• Total Stack BW = 240 Gbps
• With Spatial Reuse = 480 Gbps

Figure: ASIC stack interfaces of the four switches joined in the ring.
Packets are segmented/reassembled in HW (256 byte segments)
SSO and show switch command output

    Switch# show switch
    Switch/Stack Mac Address : 2037.06cf.0e80
                                               H/W   Current
    Switch#  Role     Mac Address     Priority Version  State
    ------------------------------------------------------------
    *1       Active   2037.06cf.0e80     10     V01     Ready
     2       Standby  2037.06cf.3380     8      V00     Ready
     3       Member   2037.06cf.1400     6      V00     Ready
     4       Member   2037.06cf.3000     4      V00     Ready

* Indicates which member is providing the “stack identity” (aka “stack MAC”)
Note: the stack MAC follows the Active switch initially.
Stateful Switchover
Catalyst 9000 Series and 3x50 stacks, also 4500, 6500, 6800 Modular

• Modular chassis with dual supervisors offers Stateful Switchover (SSO) configuration
• Redundant chassis with StackWise, StackWise Virtual, or Virtual Switching System (VSS) also provides SSO
• Traffic loss minimized for failure of active control plane

Figure: modular chassis with Active Supervisor and Hot-Standby Supervisor; C9300/C3x50 stack with Active Switch and Hot-Standby Switch.
CLI-based quality of service (QoS) deployment
Macros to ease the deployment process for platform-specific commands (Reference)

Macros used later in the deployment process:
1. AccessEdgeQoS macro – applied on all client-facing interfaces
   + Conditional Trust
   + AutoQoS
2. EgressQoS macro – applied on all other interfaces

Using macros to deploy quality of service…
• Removes the platform specific QoS configuration from the day to day repetitive configuration tasks
• Eases the deployment process and allows for easier creation of deployment templates

Initial configuration defines macros and platform-specific global settings (the complex part); later steps stay simplified.
Recommendation for QoS
Cisco DNA Center Application Policy

• Application Policy can be used to implement QoS “under the hood”
• Goes beyond default policies by deploying policies based on the “intent” of an organization

See BRKCRS-2501: Campus QoS Design Simplified
Resiliency features for LAN switches
Global LAN switch configuration

• Rapid PVST+ – improved topology change detection over classic STP (Layer 2 loop detection)
• BPDU Guard default – detect spanning tree BPDUs on portfast-enabled ports for L2 loop prevention
• UDLD – detect and protect against unidirectional links caused by incorrect physical interconnects that can cause spanning tree loops
• Error disable recovery – allows recovery without intervention of automatically disabled ports, post-event
• VTP transparent – ignore VTP updates to avoid accidental outages from unplanned VLAN changes
• Load-interval – reduce time to compute interface load for better visibility to traffic bursts

Protection across the LAN:

    spanning-tree mode rapid-pvst
    spanning-tree portfast bpduguard default
    udld enable
    errdisable recovery cause all
    vtp mode transparent
    load-interval 30
Enabling device management
Global LAN switch configuration

Enable secure management of all LAN devices
• Enabled through encrypted protocols SSH, HTTPS, and SCP
• Less secure protocols, telnet and HTTP, should be turned off

    ! SSH requires domain-name
    ip domain-name cisco.local
    ! Disables HTTP
    no ip http server
    ! Enables HTTPS and creates default modulus crypto key
    ip http secure-server
    ip ssh version 2
    ! Enables secure copy for file management
    ip scp server enable
    line vty 0 15
     ! Enables only SSH for IP access to console
     transport input ssh
     ! Eliminate annoying long wait for mistyped commands
     transport preferred none

Use SNMP to manage network devices by a Network Management System.
‒ SNMP(v2c) should be configured for both a read-only and a read-write community string.

    snmp-server community [SNMP RO] RO
    snmp-server community [SNMP RW] RW

Restrict vty and SNMPv2c access:

    access-list 55 permit 10.4.48.0 0.0.0.255
    line vty 0 15
     access-class 55 in
    !
    snmp-server community [SNMP RO] RO 55
    snmp-server community [SNMP RW] RW 55
Device management authentication
Global LAN switch configuration

• Use AAA to control management access to network infrastructure devices (SSH and HTTPS)
• Centralized/easy control of password expiration—rapidly revoke access for employee departure
• TACACS+ primary protocol to the AAA server for management authentication to infrastructure devices
• Local AAA users defined on network infrastructure devices provide a fallback authentication source

New method:

    enable secret [enable password]
    service password-encryption
    !
    ! Local username and password for fallback
    username admin secret [admin password]
    aaa new-model
    !
    ! Define tacacs+ server and secret key
    tacacs server TACACS-SERVER-1
     address ipv4 10.4.48.15
     key [tacacs key]
    !
    aaa group server tacacs+ TACACS-SERVERS
     server name TACACS-SERVER-1
    !
    ! Use tacacs+ first, fallback to local
    aaa authentication login default group TACACS-SERVERS local
    aaa authorization exec default group TACACS-SERVERS local
    aaa authorization console
    ip http authentication aaa

Traditional method:

    enable secret [enable password]
    service password-encryption
    !
    username admin password [admin password]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization console
    ip http authentication aaa
    tacacs-server host 10.4.48.15 key [tacacs key]
Synchronize the clock on all devices
Global LAN switch configuration

• Troubleshooting a network event requires correlation across multiple devices (switches and routers)
• Network devices should be programmed to synchronize time to a local NTP server in the network
  • Allows event log timestamps from multiple devices to be correlated
• Configure console messages, logs, and debug output to provide time stamps

NTP Server IP Addr: 10.4.48.17

    ntp server 10.4.48.17
    ! Update hardware clock on Catalyst 6500 and 4500
    ntp update-calendar
    !
    ! Set local timezone, offset from UTC
    clock timezone PST -8
    clock summer-time PDT recurring
    !
    ! Timestamp output with local NTP synchronized time
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
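As an added example (not from the deck or from Cisco), the following Python audit checks a running-config against the global baseline of the resiliency, device management, AAA and NTP slides above; the function names and the sample configuration are constructed for illustration.

```python
"""Audit a Catalyst running-config against the global baseline from the
resiliency, management, AAA and NTP slides. Added example, not Cisco code;
the function names and the sample configuration below are constructed."""
import re

# Exact global commands the slides apply to every LAN switch.
REQUIRED_GLOBAL = [
    "spanning-tree mode rapid-pvst",
    "spanning-tree portfast bpduguard default",
    "udld enable",
    "errdisable recovery cause all",
    "vtp mode transparent",
    "no ip http server",
    "ip http secure-server",
    "ip ssh version 2",
    "service password-encryption",
    "aaa new-model",
    "aaa authorization console",
    "ip http authentication aaa",
    "service timestamps log datetime msec localtime",
]
# Commands that must exist but carry a site-specific value.
REQUIRED_PATTERNS = {
    "ip domain-name": r"^ip domain-name \S+$",
    "enable secret": r"^enable secret ",
    "ntp server": r"^ntp server \d+\.\d+\.\d+\.\d+",
    "aaa login: tacacs+ group first, local fallback": r"^aaa authentication login default group \S+ local$",
    "aaa exec: tacacs+ group first, local fallback": r"^aaa authorization exec default group \S+ local$",
}

def section(lines, header):
    """Return the indented body of the top-level `header` command."""
    body, inside = [], False
    for line in lines:
        if inside and line.startswith(" "):
            body.append(line.strip())
        else:
            inside = line.strip() == header
    return body

def audit_global(config):
    """Return a sorted list of findings; an empty list means compliant."""
    lines = config.splitlines()
    top = {l.strip() for l in lines if l and not l.startswith(" ")}
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in top]
    for name, pattern in REQUIRED_PATTERNS.items():
        if not any(re.match(pattern, cmd) for cmd in top):
            findings.append(f"missing: {name}")
    # vty lines: SSH only, plus an inbound access-class limiting the sources.
    vty = section(lines, "line vty 0 15")
    if "transport input ssh" not in vty:
        findings.append("vty: transport input is not restricted to ssh")
    if not any(c.startswith("access-class ") and c.endswith(" in") for c in vty):
        findings.append("vty: no inbound access-class restricting management sources")
    # SNMPv2c communities must reference a standard ACL (slide: '... RO 55').
    for cmd in top:
        m = re.match(r"^snmp-server community \S+ (RO|RW)(?: (\d+))?$", cmd)
        if m and m.group(2) is None:
            findings.append(f"snmp: {m.group(1)} community has no access-list")
    return sorted(findings)

# Constructed sample: compliant except HTTP left on, an unrestricted RW
# community and no access-class on the vty lines.
SAMPLE_CONFIG = """\
service password-encryption
service timestamps log datetime msec localtime
aaa new-model
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
aaa authorization console
enable secret 9 PLACEHOLDER-HASH
ip domain-name cisco.local
udld enable
vtp mode transparent
errdisable recovery cause all
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
ip http server
ip http secure-server
ip http authentication aaa
ip ssh version 2
snmp-server community EXAMPLE-RO RO 55
snmp-server community EXAMPLE-RW RW
ntp server 10.4.48.17
ntp update-calendar
line vty 0 15
 transport input ssh
 transport preferred none
"""

if __name__ == "__main__":
    for finding in audit_global(SAMPLE_CONFIG):
        print(finding)
```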
Access layer virtual LANs
Access switch configuration

• Data VLAN provides access to the network for all attached devices other than IP Phones
• Voice VLAN for IP Phone network access
• Management VLAN for in-band access to the network for the switch’s management interface

    vlan 10
     name Data
    vlan 20
     name Voice
    vlan 30
     name Management

Figure: Network Management Station reached over the uplink interfaces; Data VLAN 10, Voice VLAN 20 and Mgmt VLAN 30 on the switch, client-facing interfaces below.
Note: The management VLAN is never configured on user facing interfaces
In-band management
Access switch configuration

Configure the switch with an IP address so that it can be managed via in-band connectivity.

    interface vlan [management vlan]
     ip address [ip address] [mask]
     no shutdown
    ip default-gateway [default router]

Figure: Network Management Station reached through the IP default gateway for the management VLAN.

Note: Do not use the ip default-gateway command on the Catalyst 4500, since it has ip routing enabled by default and the “ip default-gateway” command will not have any effect. Instead use the following command on the Catalyst 4500:

    ip route 0.0.0.0 0.0.0.0 [default router]
Client-facing interfaces
Access switch configuration

The host interface configuration supports PCs, phones, or wireless access points.
• Use a single port profile for all access ports

    interface range [interface type] [port number]–[port number]
     switchport access vlan [data vlan]
     switchport mode access
     switchport voice vlan [voice vlan]

• Apply configuration supporting end-user devices

     switchport host

  This single command does the following:
  - removes any channel-group configuration (incompatible with access mode)
  - enables switchport access mode (disables trunk negotiation, enables VLAN participation)
  - enables PortFast (faster connect with interface directly into spanning-tree forwarding mode)
• To enable QoS, use a macro (if you’re not using Application Policy or EasyQoS):

     macro apply AccessEdgeQoS

Figure: access switch with a user, an IP phone, and a wireless access point attached.
Access layer – hardening the edge

The Cisco Validated Design uses Catalyst Integrated Security Features to protect your network from intentional and unintentional attacks: IP Source Guard, Dynamic ARP Inspection, DHCP Snooping, Port Security, + IPv6 RA Guard.

▪ Port security prevents CAM attacks and DHCP Starvation attacks
▪ DHCP Snooping prevents Rogue DHCP Server attacks
▪ Dynamic ARP Inspection prevents current ARP attacks
▪ IP source guard prevents IP/MAC Spoofing
▪ IPv6 router advertisement guard prevents IPv6 Man-in-the-Middle attacks
Port security
Client-facing interface configuration

Protect your switch from CAM table overflow attacks.

Figure: a client advertising MAC addresses 00:10:10:10:10:10 through 00:10:10:10:10:1B (12 addresses) exceeds the configured maximum.

Configure on the client interface:

    switchport port-security
    switchport port-security maximum 11
    switchport port-security aging time 2
    switchport port-security aging type inactivity
    switchport port-security violation restrict
DHCP snooping
Client-facing interface configuration

Figure: the client’s (MAC=00:50:56:BA:13:DB, IP Addr=10.4.80.10) DHCP Request enters on an untrusted port and is forwarded toward the DHCP Server over a trusted port, which carries the DHCP Reply back.

Example DHCP Snooping Binding Table
    MAC Address          IP Address   VLAN  Interface
    00:50:56:BA:13:DB    10.4.80.10   10    GigabitEthernet2/0/1

Configure in the global configuration:

    ip dhcp snooping vlan [data vlan], [voice vlan]
    no ip dhcp snooping information option
    ip dhcp snooping

Configure on the client interface:

    ip dhcp snooping limit rate 100
ARP inspection
Client-facing interface configuration

Figure: a client on an untrusted port advertises MAC 00:10:10:10:10:10, which does not match the DHCP snooping binding table entry for that port.

Example DHCP Snooping Binding Table
    MAC Address          IP Address   VLAN  Interface
    00:50:56:BA:13:DB    10.4.80.10   10    GigabitEthernet2/0/1

Configure in the global configuration:

    ip arp inspection vlan [data vlan], [voice vlan]

Configure on the client interface:

    ip arp inspection limit rate 100
IP source guard
Client-facing interface configuration

Figure: a client sends an IP packet with source address 10.4.80.22, which does not match the DHCP snooping binding table entry for that port.

Example DHCP Snooping Binding Table
    MAC Address          IP Address   VLAN  Interface
    00:50:56:BA:13:DB    10.4.80.10   10    GigabitEthernet2/0/1

Configure on the client interface:

    ip verify source

On the Catalyst 4500 configure on the interface:

    ip verify source vlan dhcp-snooping
IPv6 router advertisement guard
Client-facing interface configuration

Define policy in the global configuration:

    ipv6 nd raguard policy HOST_POLICY
     device-role host

Attach policy configuration to the client interface:

    ipv6 nd raguard attach-policy HOST_POLICY

Figure: a client IPv6 stack sends a Router Advertisement (“I am an IPv6 router.”); the switch drops it (“No you are not.”).

▪ If a port device role is configured as host, IPv6 First Hop Security (FHS) RA Guard drops all IPv6 Router Advertisement messages
▪ Useful even for IPv4-only networks
▪ Other port device role options include: monitor, router, and switch

BRKSEC-2003: IPv6 Security Threats and Mitigations; BRKSEC-3003: Advanced IPv6 Security in the LAN
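As an added example (not from the deck or from Cisco), the Python model below replays the scenarios from the port security, DHCP snooping, ARP inspection, IP source guard and RA guard slides and shows what each feature forwards or drops; the class and function names are constructed, while the binding-table row and the MAC addresses are the ones on the slides.

```python
"""Behavioural model of the Catalyst Integrated Security Features on the
preceding slides (port security, DHCP snooping bindings, DAI, IP Source
Guard, IPv6 RA Guard). Added example, not Cisco code; class and function
names are constructed, the binding and MAC addresses come from the slides."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False          # 'ip dhcp snooping trust' / 'ip arp inspection trust' (uplinks)
    max_macs: int = 11             # 'switchport port-security maximum 11'
    raguard_role: str = "host"     # 'ipv6 nd raguard policy ... device-role host'
    secure_macs: set = field(default_factory=set)
    violations: int = 0            # 'violation restrict' drops and counts, port stays up


class CisfSwitch:
    def __init__(self):
        self.bindings = set()

    def learn_dhcp(self, port, mac, ip):
        """DHCP snooping: a completed lease on an untrusted port creates a binding."""
        self.bindings.add(Binding(mac.upper(), ip, port.vlan, port.name))

    def port_security(self, port, src_mac):
        """Return True if the frame's source MAC is accepted (already secure or newly learned)."""
        mac = src_mac.upper()
        if mac in port.secure_macs:
            return True
        if len(port.secure_macs) >= port.max_macs:
            port.violations += 1       # restrict: silently drop and count, no err-disable
            return False
        port.secure_macs.add(mac)
        return True

    def dhcp_reply_allowed(self, port):
        """DHCP snooping: server messages (OFFER/ACK) are accepted only on trusted ports."""
        return port.trusted

    def arp_allowed(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding."""
        if port.trusted:
            return True
        return Binding(sender_mac.upper(), sender_ip, port.vlan, port.name) in self.bindings

    def ip_allowed(self, port, src_ip):
        """IP Source Guard ('ip verify source'): the source IP must be bound to this port."""
        return any(b.interface == port.name and b.ip == src_ip for b in self.bindings)

    def ra_allowed(self, port):
        """RA Guard: a device-role host port never forwards Router Advertisements."""
        return port.raguard_role != "host"


def demo():
    """Replay the slides' scenarios and return each verdict (True = forwarded)."""
    sw = CisfSwitch()
    client = Port("GigabitEthernet2/0/1", vlan=10)
    uplink = Port("Port-channel10", vlan=10, trusted=True)
    sw.learn_dhcp(client, "00:50:56:BA:13:DB", "10.4.80.10")   # binding table row on the slide
    verdicts = {
        "dai_bound_pair": sw.arp_allowed(client, "00:50:56:BA:13:DB", "10.4.80.10"),
        "dai_unknown_mac": sw.arp_allowed(client, "00:10:10:10:10:10", "10.4.80.10"),
        "dai_trusted_uplink": sw.arp_allowed(uplink, "00:10:10:10:10:10", "10.4.80.1"),
        "ipsg_bound_ip": sw.ip_allowed(client, "10.4.80.10"),
        "ipsg_other_ip": sw.ip_allowed(client, "10.4.80.22"),
        "dhcp_reply_on_client_port": sw.dhcp_reply_allowed(client),
        "ra_on_host_port": sw.ra_allowed(client),
    }
    # Port security slide: twelve MACs 00:10:10:10:10:10 .. :1B against maximum 11.
    flood = [f"00:10:10:10:10:{i:02X}" for i in range(0x10, 0x1C)]
    verdicts["macs_accepted"] = sum(sw.port_security(client, m) for m in flood)
    verdicts["violations"] = client.violations
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```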
EtherChannel member interfaces
Uplink interface configuration

• Layer 2 EtherChannels are used to interconnect the switch to upstream devices.
• Member interfaces should be on different switches or linecards for resiliency.
• Configure the physical interfaces before configuring the logical portchannel interface.
• Uses LACP for EtherChannel protocol
• Add egress QoS macro for trust inbound traffic and queue outbound (if not using Application Policy or EasyQoS)

    interface range [type] [port], [type] [port]
     switchport
     channel-protocol lacp
     channel-group 10 mode active
     macro apply EgressQoS
     logging event link-status
     logging event trunk-status
     logging event bundle-status

Note: ISR routers do not support LACP. Therefore, when connecting a remote site access switch to an ISR router with an EtherChannel you must configure the switch with mode forced on.

    interface range [type] [port], [type] [port]
     switchport
     channel-group 10 mode on
     macro apply EgressQoS
Trunk configuration
Uplink interface configuration

• When using EtherChannel the interface type will be port-channel and the number must match the channel-group configured on the member interfaces.

    interface port-channel 10
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan [data],[voice],[mgmt]
     switchport mode trunk
     ip arp inspection trust
     ip dhcp snooping trust
     logging event link-status
     no shutdown

• An 802.1Q trunk is used for the connection to the upstream device
  – Allows the upstream device to provide the Layer 3 services to all the VLANs defined on the access layer switch.
  – VLANs allowed on the trunk are pruned to only the VLANs that are active on the access switch.
  – DHCP snooping and ARP Inspection are set to trust.
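As an added example (not from the deck or from Cisco), this Python audit checks interface configuration against the client-facing, VLAN, EtherChannel and trunk slides: CISF features on every access port, trust only on the uplink trunk, no management VLAN on user-facing ports, a trunk VLAN list pruned to defined VLANs, and channel-groups that reference an existing port-channel; the function names and the sample running-config are constructed.

```python
"""Audit interface configuration of an access switch against the client-facing,
VLAN, EtherChannel and trunk templates on the preceding slides. Added example,
not Cisco code; function names and the sample running-config are constructed."""
import re

# Per-port hardening the slides apply to every client-facing interface.
ACCESS_REQUIRED = [
    "switchport port-security",
    "ip dhcp snooping limit rate 100",
    "ip arp inspection limit rate 100",
    "ip verify source",
    "ipv6 nd raguard attach-policy HOST_POLICY",
]
# Trust belongs only on the uplink port-channel trunk.
TRUNK_REQUIRED = ["ip dhcp snooping trust", "ip arp inspection trust"]

def parse_interfaces(config):
    """Map interface name (running-config form, e.g. Port-channel10) -> its commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line[len("interface "):].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks

def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def audit_interfaces(config, mgmt_vlan):
    """Return sorted findings for access ports, uplink trunks and EtherChannel members."""
    defined = {int(v) for v in re.findall(r"^vlan (\d+)$", config, re.M)}
    blocks = parse_interfaces(config)
    findings = []
    for name, body in blocks.items():
        if "switchport mode trunk" in body:
            findings += [f"{name}: uplink trunk missing '{c}'" for c in TRUNK_REQUIRED if c not in body]
            for cmd in body:
                m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", cmd)
                extra = sorted(expand_vlans(m.group(1)) - defined) if m else []
                if extra:  # slide: allowed VLANs are pruned to those active on the switch
                    findings.append(f"{name}: trunk allows undefined VLANs {extra}")
        elif "switchport mode access" in body or "switchport host" in body:
            findings += [f"{name}: access port missing '{c}'" for c in ACCESS_REQUIRED if c not in body]
            if any(cmd.endswith(" trust") for cmd in body):
                findings.append(f"{name}: access port trusted for DHCP snooping/ARP inspection")
            if f"switchport access vlan {mgmt_vlan}" in body:  # slide: never on user-facing ports
                findings.append(f"{name}: management VLAN {mgmt_vlan} on a user-facing port")
        for cmd in body:  # a member interface must reference an existing port-channel
            m = re.match(r"channel-group (\d+) mode", cmd)
            if m and f"Port-channel{m.group(1)}" not in blocks:
                findings.append(f"{name}: channel-group {m.group(1)} has no interface Port-channel{m.group(1)}")
    return sorted(findings)

# Constructed sample: Gi1/0/1 follows the template; Gi1/0/2 lacks IP Source Guard,
# is trusted and carries the management VLAN; Gi1/0/48 references a port-channel
# that does not exist; Po10 lacks DHCP snooping trust and allows undefined VLAN 40.
SAMPLE_CONFIG = """\
vlan 10
vlan 20
vlan 30
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 ip dhcp snooping limit rate 100
 ip arp inspection limit rate 100
 ip verify source
 ipv6 nd raguard attach-policy HOST_POLICY
interface GigabitEthernet1/0/2
 switchport access vlan 30
 switchport mode access
 switchport port-security
 ip dhcp snooping limit rate 100
 ip dhcp snooping trust
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
interface GigabitEthernet1/0/48
 switchport
 channel-protocol lacp
 channel-group 11 mode active
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
 ip arp inspection trust
"""

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_CONFIG, mgmt_vlan=30):
        print(finding)
```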
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
  • Attributes and platform choices
  • Platform-specific configuration
  • Global options
  • Connectivity to access and core layers
• Core Layer Deployment
• Software-Defined Access
• Conclusion
Campus LAN distribution layer attributes
• Primary function is access layer aggregation for a building or geographic area.
• Resilient design to reduce failure impact
• Layer 2 boundary for access layer
  • Spanning tree protocol boundary
  • Broadcast packet boundary
  • Provides load balancing to access layer
• Layer 3 features and functions
  • Default IP gateway for L2 access layer
  • IP routing summarization to rest of network
  • Efficient IP multicast
  • Provides load balancing to core layer
• QoS to manage congestion caused by many to few links
Alternative distribution layer attributes
LAN distribution layer
Collapsed core: two tier main campus LAN and WAN core
• Drives modular building block design
• LAN access layer aggregation
• Central connect point for all services (large LAN services block, WAN, Internet)
Two tier remote site:
• Aggregates LAN access layer and connects to WAN routers
Simplified distribution layer design
LAN distribution layer
• Traditional two box distribution layer has many points to manage
– FHRP: First Hop Redundancy Protocol for resilient IP default gateway
– Spanning Tree for loop avoidance
– Multiple boxes to manage
• Preferred distribution layer uses a “single box design”
– Two switches acting as a single logical switch (StackWise Virtual or Virtual Switching System)
– A multiple member switch stack acting as a single logical switch
• Simplified design benefits
– Fewer boxes to manage
– Simplified configuration
– Logical hub-and-spoke topology
(Diagram: traditional two box design, StackWise Virtual pair, and switch stack. SWV – StackWise Virtual, VSS – Virtual Switching System)
Traditional design compared to simplified design
LAN distribution layer
Traditional designs:
• Looped design with spanned VLANs
– Relies on STP to block loops
– Reduces available bandwidth
• Loop free design
– Can increase bandwidth
– Still relies on FHRP
– Multiple distribution layer boxes to configure
Preferred – simplified design (permits both of the access VLAN designs above):
• EtherChannel - resilient links, all links forwarding
• No FHRP - single default IP gateway
• Works with VLAN per closet or few VLANs spanned designs
• Logical hub-and-spoke topology
• Reduced dependence on spanning tree - keep RPVST+ for edge protection
(Diagrams: spanned-VLAN design with VLAN 30 in every closet; VLAN-per-closet design with VLAN 10, VLAN 20, VLAN 30)
“How can I simplify my distribution?”
Catalyst 9000 Series and Catalyst 3850 - StackWise Virtual
• Cisco StackWise Virtual: an evolution of Catalyst Virtual Switching System technology
• Fixed switch hardware architecture with distributed forwarding architecture
• StackWise Virtual Link (SVL) between two nodes (10Gb or 40Gb)
• Both StackWise Virtual members must have consistent Cisco IOS-XE and license
• Check software release notes for versions, supported platforms, and additional uplink/line card hardware
(Diagram: StackWise Virtual pair of two WS-3850-48XS in the distribution layer, joined by the SVL and a Fast Hello dual-active detection link, with links down to the access layer)
Cisco StackWise Virtual (SWV) setup
LAN distribution layer
The same steps are applied to both standalone switches, 3850-D1 and 3850-D2 (shown for 3850-D1; repeat on 3850-D2 with the same domain number).

1) Prepare standalone switches for SWV
3850-D1#conf t
3850-D1(config)# stackwise-virtual
3850-D1(config-stackwise-vir)# domain <1-255>

2) Configure StackWise Virtual links (automatically creates EtherChannel 128)
3850-D1(config)# interface range FortyG x/y/z – x/y/z
3850-D1(config-if)# stackwise-virtual link 1

3) Configure dual-active detection (fast hello)
3850-D1(config)# interface range TenG x/y/z – x/y/z
3850-D1(config-if)# stackwise-virtual dual-active-detection

4) Save and reload to convert
3850-D1# copy run start
3850-D1# reload

Note: Maximum of 8 SVL member links and 4 dual active detection links
In-band management interface
LAN distribution layer
• The loopback interface is the preferred way to manage when using in-band access
– Logical interface
– Always available as long as device is operational
– Commonly a host address (32-bit address mask)
• Bind SNMP, SSH, TACACS and PIM processes to loopback interface address for optimal resiliency

interface loopback 0
 ip address 10.1.1.1 255.255.255.255
!
snmp-server trap-source loopback 0
ip ssh source-interface loopback 0
ip pim register-source loopback 0
ip tacacs source-interface loopback 0
Distribution layer IP unicast routing – EIGRP
LAN distribution layer
EIGRP was chosen for simplicity, scalability, and flexibility
• Named mode configuration
• Tie EIGRP router-id to loopback 0 for max stability
• Enable all routed links to be passive by default
• Enable EIGRP for address space
• Each distribution is a stub network

router eigrp [NAME]
 address-family ipv4 unicast autonomous-system [AS]
  af-interface default
   passive-interface
  exit-af-interface
  network [network] [inverse mask]
  eigrp router-id [ip address of loopback 0]
  eigrp stub summary
  nsf
 exit-address-family

Single logical distribution layer design
• Uses stateful switchover (SSO) and non-stop forwarding (NSF)
– SSO provides sub-second failover to redundant supervisor
– NSF maintains packet forwarding while control plane recovers
• NSF aware (upstream Layer 3 neighbor)
– Nothing to enable.
– Only need IOS version that supports NSF for EIGRP
• NSF capable (the distribution switch)
– Works on dual supervisor system
– Signals peer of SSO and to delay adjacency timeout
– Once control plane recovers, re-establishes peering
Distribution layer IP unicast routing – OSPF
LAN distribution layer
OSPF is available for compatibility
• Tie OSPF router-id to loopback 0 for max stability
• Enable all routed links to be passive by default
• Enable OSPF for address space
• Each distribution is a stub area and ABR

router ospf [process]
 router-id [ip address of loopback 0]
 nsf
 area [area number] stub no-summary
 passive-interface default
 network [network] [inv. mask] area [area #]
 network [network] [inverse mask] area 0

Single logical distribution layer design
• Uses stateful switchover (SSO) and non-stop forwarding (NSF)
– SSO provides sub-second failover to redundant supervisor
– NSF maintains packet forwarding while control plane recovers
• NSF aware (upstream Layer 3 neighbor)
– Nothing to enable.
– Only need IOS version that supports NSF for OSPF
• NSF capable (the distribution switch)
– Works on dual supervisor system
– Signals peer of SSO and to delay adjacency timeout
– Once control plane recovers, re-establishes peering
Distribution layer IP multicast routing
LAN distribution layer
• IP multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches)
– More efficient than multiple IP Unicast streams
– Beneficial for IPT music on hold and IP broadcast video streams
• IP PIM sparse-mode
– Sparse-mode uses a rendezvous point (RP) to allow IP multicast receivers to find IP multicast sources
– Place IP multicast RP in the center or core of the network
• On every Layer 3 switch and router
– Configure ip pim autorp listener to enable discovery across sparse mode links
– Enable pim sparse-mode on all Layer 3 interfaces
(Diagram: rendezvous point in the core, with the WAN attached)

ip multicast-routing
ip pim autorp listener
!
interface GigabitEthernet 1/0/1
 ip pim sparse-mode
SWV/VSS: connecting distribution to access layer
Resilient connectivity
• Use EtherChannel for link resiliency and load sharing
• With SWV/VSS, use multi-chassis EtherChannel and home to each switch
• Alternatively, with StackWise distribution layer, home EtherChannel uplinks to multiple switches in stack
Layer 2 connectivity to access layer
LAN distribution layer
• Configure Layer 2
– With hub-and-spoke design, no STP loops, still enable RPVST+
– Configure VLANs servicing access layer
– Set distribution layer to be STP root for access layer VLANs
• Configure EtherChannel member interfaces
– Uses LACP for EtherChannel protocol
– For Layer 2 EtherChannel, configure physical interfaces prior to logical interface
– Apply egress QoS macro (if not using Application Policy or EasyQoS)
• Configure 802.1Q trunk on EtherChannel logical port (port-channel) interface

vlan 10,20,30
spanning-tree vlan 1-4094 root primary
!
interface range gigabit 1/1/1, gigabit 2/1/1
 macro apply EgressQoS
 channel-protocol lacp
 channel-group 10 mode active
!
interface port-channel 10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 switchport mode trunk
Layer 3 connectivity for access layer
LAN distribution layer
• Configure Layer 3 for access layer VLANs
– Configure a VLAN interface (SVI) for every access layer VLAN
– SVI is the IP default gateway for the access layer hosts in the VLAN
• Configure ip helper-address on each SVI
– IP helper forwards DHCP requests from hosts in the VLAN to the DHCP server
– IP helper-address points to the DHCP server for the VLAN
– If more than one DHCP server, you can list multiple ip helper-address commands
• Configure ip pim sparse-mode
– Enables IP multicast packets to flow to hosts on the VLAN
(Diagram: DHCP server(s) at IP address 10.2.2.1)

interface vlan [number]
 ip address [ip address] [mask]
 ip helper-address 10.2.2.1
 ip pim sparse-mode
Layer 3 connectivity to core layer – interface configuration
LAN distribution layer
• If no core layer, links to WAN routers are Layer 3 links
• Links from distribution layer to core are Layer 3 links
• Configure Layer 3 EtherChannel interface
– When creating L3 EtherChannel, create the logical (port-channel) interface first
• Configure EtherChannel member interfaces
– Configure the physical interfaces to tie to the logical port-channel

interface port-channel 20
 no switchport
 ip address [ip address] [mask]
 ip pim sparse-mode
!
interface range teng1/1/8 , teng2/1/8 , teng1/2/8 , teng2/2/8
 channel-protocol lacp
 channel-group 20 mode active
 macro apply EgressQoS
Layer 3 connectivity to core layer – EIGRP routing configuration
LAN distribution layer
• Enable authentication of neighbor routing protocol communication on interface to the core
• Enable EIGRP for the core-facing interface (disable passive-interface)
Summary
• As networks grow, IP address summarization is used
– To reduce bandwidth required for routing updates
– To reduce convergence time around a link failure
• Summarize all subnets in the distribution layer to the rest of the network

key chain EIGRP-KEY
 key 1
  key-string [KEY STRING]
!
router eigrp [NAME]
 address-family ipv4 unicast autonomous-system [AS]
  af-interface port-channel 20
   authentication mode md5
   authentication key-chain EIGRP-KEY
   no passive-interface
   summary-address [network] [mask]
  exit-af-interface
 exit-address-family
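As an added example (not from this deck, the CVD, or any Cisco tool), a Python script that audits a distribution-layer EIGRP named-mode configuration, the one assembled on the "Distribution layer IP unicast routing – EIGRP" slide and completed above, against the stated checklist: passive by default, authenticated and non-passive on the core-facing port-channel, a summary-address covering every access subnet, router-id tied to Loopback0, stub, and NSF. The configuration text, the access subnets, and the Port-channel20 name are constructed assumptions.

```python
import ipaddress

# Constructed sample in the slide's [NAME]/[AS] template (not from a real device).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
router eigrp LAN
 address-family ipv4 unicast autonomous-system 100
  af-interface default
   passive-interface
  exit-af-interface
  af-interface Port-channel20
   authentication mode md5
   authentication key-chain EIGRP-KEY
   no passive-interface
   summary-address 10.2.0.0 255.255.0.0
  exit-af-interface
  eigrp router-id 10.1.1.1
  eigrp stub summary
  nsf
 exit-address-family
"""
# Access-layer VLAN subnets behind this distribution pair (constructed).
ACCESS_SUBNETS = ["10.2.10.0/24", "10.2.20.0/24", "10.2.30.0/24"]


def parse_eigrp(config):
    """Pull the checklist-relevant fields out of an IOS-XE running-config."""
    info = {"loopback0": None, "router_id": None, "stub": False, "nsf": False, "af": {}}
    section = af_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # a top-level command opens a new section
            af_if = None
            if line.lower().replace(" ", "") == "interfaceloopback0":
                section = "loopback0"
            else:
                section = "eigrp" if line.lower().startswith("router eigrp ") else None
        elif section == "loopback0" and line.startswith("ip address "):
            info["loopback0"] = line.split()[2]
        elif section != "eigrp":
            continue
        elif line.startswith("af-interface "):
            af_if = line.split(None, 1)[1].lower().replace(" ", "")  # "Port-channel 20" -> "port-channel20"
            info["af"][af_if] = {"passive": None, "auth": False, "summaries": []}
        elif line == "exit-af-interface":
            af_if = None
        elif af_if is not None:  # inside an af-interface block
            blk = info["af"][af_if]
            if line.endswith("passive-interface"):
                blk["passive"] = not line.startswith("no ")
            elif line.startswith("authentication key-chain "):
                blk["auth"] = True
            elif line.startswith("summary-address "):
                net, mask = line.split()[1:3]
                blk["summaries"].append(ipaddress.ip_network(f"{net}/{mask}"))
        elif line.startswith("eigrp router-id "):
            info["router_id"] = line.split()[2]
        elif line.startswith("eigrp stub"):
            info["stub"] = True
        elif line == "nsf":
            info["nsf"] = True
    return info


def tightest_summary(subnets):
    """Smallest single prefix covering every subnet: what summary-address should carry."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(summary.supernet_of(n) for n in nets):
        summary = summary.supernet()
    return summary


def audit_distribution_eigrp(config, core_facing, access_subnets):
    """Return checklist violations as strings; an empty list means compliant."""
    info, findings = parse_eigrp(config), []
    default = info["af"].get("default", {"passive": None})
    if default["passive"] is not True:
        findings.append("af-interface default is not passive: adjacencies would form on access SVIs")
    core = info["af"].get(core_facing.lower().replace(" ", ""))
    if core is None or core["passive"] is not False:
        findings.append(f"{core_facing}: 'no passive-interface' missing, no core peering")
    else:
        if not core["auth"]:
            findings.append(f"{core_facing}: neighbor authentication not enabled")
        wanted = tightest_summary(access_subnets)  # a covering supernet is acceptable
        if not any(s.supernet_of(wanted) for s in core["summaries"]):
            findings.append(f"{core_facing}: no summary-address covering {wanted}")
    if info["router_id"] != info["loopback0"]:
        findings.append("eigrp router-id is not the Loopback0 address")
    for flag, msg in (("stub", "'eigrp stub' missing"), ("nsf", "'nsf' missing")):
        if not info[flag]:
            findings.append(msg)
    return findings
```

Running `audit_distribution_eigrp(SAMPLE_CONFIG, "Port-channel 20", ACCESS_SUBNETS)` returns an empty list; removing the key-chain line or pointing the router-id away from Loopback0 produces one finding per deviation.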
Layer 3 connectivity to core layer – OSPF routing configuration
LAN distribution layer
• Enable authentication of neighbor routing protocol communication on interface to the core
• Enable OSPF for the core-facing interface (disable passive-interface)
Summary
• As networks grow, IP address summarization is used
– To reduce bandwidth required for routing updates
– To reduce convergence time around a link failure
• The OSPF area range command allows you to summarize all subnets in the distribution layer to the rest of the network

interface Port-channel 20
 ip ospf message-digest-key [key id] md5 [key]
!
router ospf 100
 area 0 authentication message-digest
 area [area number] range [address range] [mask]
 no passive-interface Port-channel 20
Agenda
• Introduction to the Campus LAN CVDs
• LAN Design and Options
• Access Layer Deployment
• Distribution Layer Deployment
• Core Layer Deployment
• Attributes and platform
• Global options

• Software-Defined Access
• Conclusion

Core layer attributes
LAN core layer – do I need a core layer?
• Primary function is distribution layer aggregation for large or geographically dispersed LAN deployment
• Lowers the complexity and cost of a fully meshed distribution layer
• Must be highly resilient
– no single points of failure in design
• No high touch/high complexity services
• Avoid constant tuning or configuration changes
• Layer 3 transport
• No spanning tree convergence or blocking
Cisco StackWise Virtual – Catalyst 9600
• SVL: StackWise Virtual Link
– same speed ports (10G or higher)
– Up to 8 ports
• DAD: Dual Active Detection
– Fast Hello: directly connected, up to 4 links
– Enhanced PAgP: EtherChannel with PAgP, up to 4 port-channels
• In SVL mode, 2nd Supervisor is not supported in the chassis and will be powered off if inserted.
• Typically a distribution layer technology, allowing “stacking” of 2 switches
• Supports flexible distances with support of all supported cables and optics
• SVL and DAD are supported on any port with 10G or higher speed, including QSA.
Cisco StackWise Virtual for Catalyst 9600 is supported with IOS-XE 16.12.1 or later. Check release notes for hardware / software constraints.
Quad-Supervisor RPR StackWise Virtual
• Initially on Catalyst 9600 (Limited Availability), 9600 IOS-XE 17.1
• Active supervisor in chassis-2 becomes StackWise ACTIVE
• Warm standby supervisor in chassis-1 continues the boot process to become StackWise STANDBY-HOT while the line cards in chassis-1 get reset
RPR: Route Processor Redundancy
SSO: Stateful Switchover
StackWise-A: StackWise Virtual ACTIVE
StackWise-S: StackWise Virtual STANDBY-HOT
ICS: In-chassis Warm Standby
(Diagram: Chassis-1 and Chassis-2 each hold a StackWise Virtual supervisor, SSO between StackWise-A and StackWise-S, plus an ICS supervisor under RPR; after the active supervisor fails, the roles move as described above)
In-band management interface
LAN core layer
• The loopback interface is the preferred way to manage when using in-band access
– Logical interface
– Always available as long as device is operational
– Commonly a host address (32-bit address mask)
• Bind SNMP, SSH, TACACS and PIM processes to loopback interface address for optimal resiliency

interface loopback 0
 ip address 10.1.1.1 255.255.255.255
!
snmp-server trap-source loopback 0
ip ssh source-interface loopback 0
ip pim register-source loopback 0
ip tacacs source-interface loopback 0
Core layer IP unicast routing - EIGRP
LAN core layer
• Enable EIGRP for address space in use for core
– just as was done in the distribution
• However…
– No passive interfaces in core
– route to everything from the core
• Remember to…
– Enable authentication of neighbor routing protocol communication
– Enable NSF

key chain EIGRP-KEY
 key 1
  key-string [key]
!
router eigrp LAN
 address-family ipv4 unicast autonomous-system 100
  network [network] [inverse mask]
  eigrp router-id [ip address of loopback 0]
  nsf
  af-interface default
   authentication mode md5
   authentication key-chain EIGRP-KEY
  exit-af-interface
 exit-address-family
Core layer IP unicast routing - OSPF
LAN core layer
• Enable OSPF for address space in use for core
– just as was done in the distribution
• Core is OSPF Area 0
• However…
– No passive interfaces in core
– route to everything from the core
• Remember to…
– Enable authentication of neighbor routing protocol communication
– Enable NSF

interface [interface]
 ip ospf message-digest-key [key id] md5 [key]
!
router ospf 100
 router-id [ip address of loopback 0]
 nsf
 area 0 authentication message-digest
 network [network] [inverse mask] area 0
Resilient IP multicast routing – SWV/VSS core
LAN core layer
• IP multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches)
• IP PIM sparse-mode
– Every Layer 3 switch and router points to the rendezvous point (RP)
– RP placed centrally in the network (core)
– Auto-RP used for dynamic RP announcement to network devices
• RP resiliency is critical to IP multicast operation
– SSO ensures RP availability
(Diagram: rendezvous point on the SWV/VSS core, with the WAN and Data Center attached)

interface loopback 1
 ip address 10.1.1.2 255.255.255.255
 ip pim sparse-mode
!
access-list 10 permit 239.1.0.0 0.0.255.255
ip pim send-rp-announce Loopback1 scope 32 group-list 10
ip pim send-rp-discovery Loopback1 scope 32

send-rp-announce: announces “I (10.1.1.2) will be an RP” for the groups matched by access-list 10
send-rp-discovery: discovers RPs and tells the best one to Auto-RP listeners
Resilient IP multicast RP – two-box core
LAN core layer (Reference)
• When the core isn’t a single logical platform (such as Nexus)
• IP multicast allows a single IP data stream to be replicated by the infrastructure (routers and switches)
• IP PIM sparse-mode is used
– Sparse-mode uses a rendezvous point (RP) to allow IP multicast receivers to find IP multicast sources
– Place IP multicast RP in the center or core of the network
– Auto-RP used for dynamic RP announcement to network devices
• RP resiliency is critical to IP multicast operation
– Multiple RP redundancy methods
– Anycast RP used for simplicity and fast failover
(Diagram: rendezvous point in the two-box core, with the WAN and Data Center attached)
Anycast RP operation & configuration
Resilient IP multicast (Reference)
(Diagram: sources in the Data Center, receivers at the edge; RP1 and RP2 share the anycast address 10.1.1.1 and exchange MSDP Source-Active (SA) messages; every other Layer 3 device is configured with ip pim autorp listener)

RP1 configuration:
interface loopback 0
 ip address 10.1.1.2 255.255.255.255
 ip pim sparse-mode
interface loopback 1
 ip address 10.1.1.1 255.255.255.255
!
ip msdp peer 10.1.1.3 connect-source loopback 0
ip msdp originator-id loopback 0
!
access-list 10 permit 239.1.0.0 0.0.255.255
ip pim send-rp-announce Loopback1 scope 32 group-list 10
!
ip pim send-rp-discovery Loopback0 scope 32

RP2 configuration:
interface loopback 0
 ip address 10.1.1.3 255.255.255.255
 ip pim sparse-mode
interface loopback 1
 ip address 10.1.1.1 255.255.255.255
!
ip msdp peer 10.1.1.2 connect-source loopback 0
ip msdp originator-id loopback 0
!
access-list 10 permit 239.1.0.0 0.0.255.255
ip pim send-rp-announce Loopback1 scope 32 group-list 10
!
ip pim send-rp-discovery Loopback0 scope 32

Each RP announces “I will be an RP (10.1.1.1)” and, as mapping agent, discovers the RP and tells Auto-RP listeners.
Layer 3 connectivity to distribution layer
LAN core layer
• Links from core layer are Layer 3 links (no SVIs)
• Use MEC to SWV/VSS in distribution layer
• Configure Layer 3 EtherChannel interface
– When creating L3 EtherChannel, create the logical (port-channel) interface first
• Configure EtherChannel member interfaces
– Configure the physical interfaces to tie to the logical port-channel
• Dual home to WAN or data center to core

interface port-channel 20
 no switchport
 ip address [ip address] [mask]
 ip pim sparse-mode
!
interface range teng1/1/8 , teng2/1/8 , teng1/2/8 , teng2/2/8
 channel-protocol lacp
 channel-group 20 mode active
 macro apply EgressQoS
 no shutdown
What’s different in your network today versus a decade ago? How does it affect your network?
• Mobility: Bring Your Own Device; Devices in the Workspace
• IoT: Auto-detect non-user devices; Devices everywhere
• Cyber Security: Networking and security; Advanced threats
Key challenges for traditional networks
• Difficult to segment
– Ever increasing number of users and endpoint types
– Ever increasing number of VLANs and IP Subnets
• Complex to manage
– Multiple steps, user credentials, complex interactions
– Multiple touch-points
• Slower issue resolution
– Separate user policies for wired and wireless networks
– Unable to find users when troubleshooting
Traditional networks cannot keep up!
What is the problem?
Policy model today
Network policy in the enterprise network is applied per packet on the header fields DSCP, PROT, IP SRC, IP DST, SRC PORT and DST PORT (ahead of the payload data).
Policy is based on the “5 Tuple”:
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.
Where is the information about the user to apply policy?
Cisco Software-Defined Access
• Cisco DNA Center: Policy, Automation, Analytics
• Identity-based Policy & Segmentation: decoupled security policy definition from VLAN and IP Address
• Automated Network Fabric: single fabric for wired & wireless with workflow-based automation
• Insights & Telemetry: analytics and insights into user and application behavior
• User Mobility: policy stays with user (Employee Network)
Cisco DNA Center – deploying Cisco Software-Defined Access
Cisco DNA Center: simple workflows – DESIGN, PROVISION, POLICY, ASSURANCE
(Diagram: Cisco DNA Center on the Cisco DNA Appliance, with Identity Services Engine, managing routers, switches, wireless APs and WLCs)
Components of SD-Access
• Cisco DNA Center
• Control Plane Nodes
– LISP Map
– EID to RLOC Mapping
• Border Nodes
– Internal Border
– External Border
• Fabric Edge Nodes
– Host Registration
– Host Resolution
– Host Mobility - Dynamic EID
• Identity Services Engine (ISE)
– AAA/Radius
– 802.1x/MAB
– TrustSec (SGT)
(Diagram: campus fabric with edge nodes, intermediate nodes, border nodes and control plane; Cisco ISE, DHCP server/resolver and “fusion” routers in the enterprise network outside the fabric)
SD-Access Deployment: Design – Policy workflow
• Network Hierarchy
• Network Settings – Network Settings
• Network Settings – Address Pools
• Network Settings – Wireless
• Policy – Micro Segmentation
• Policy – Macro Segmentation

SD-Access Deployment: SD-Access Workflow
• Provision Devices to Site
• Fabric Provision – Transit and Fabric Sites
• Fabric Provision – Fabric Network
• Host Onboarding – Default Authentication Template
• Host Onboarding – Address Pool Assignment
• Host On-boarding – Port Assignment
• Fusion Configuration
SD-Access deployment
Decisions, decisions, decisions…
• Are you ready for L3 access? This is the deployment model described in the Deployment CVD, as implemented by Cisco DNA Center.
• Underlay protocol - Will you integrate with your existing IGP, or will you redistribute a different IGP process? Deployment CVD shows unique IS-IS IGP underlay.
• Virtualization - Are there requirements for multiple Virtual Networks (VRFs)? Deployment CVD configures support for multiple virtual networks, and ability to access common/shared services via a “fusion” router setup.
• Additional items:
– Security Policy – Are you incorporating this? Ready for ISE?
– Edge/Border/Control Plane node placement
– Addressing: Loopbacks, Redistribution, Underlay/Overlay, DHCP Scopes, etc.
Would you build this?

You now have the tools to build this! (and more)
(Diagrams: two-tier remote-site LAN, two-tier collapsed LAN core, and three-tier LAN design. Diagram labels: WAN router, server room, distribution switch, client access switches, firewall, IPS, Internet, data center, LAN core layer, remote building / high density / cluster LAN distribution modules, network-services distribution module, WLC, guest, WAAS)
Summary
• Cisco Validated Designs provide a design framework for the wired campus (and other solutions also) with step-by-step deployment based on the cumulative Cisco leading practices
• Access layer
– Consistent LAN access layer across the network (small site to large campus)
– Supports both layer 2 and layer 3 application needs
– Secure boundary and ready for advanced technologies
• Distribution layer
– Simplified single logical platform with resilient and scalable design
– EtherChannel for resiliency and scalability
• Core layer
– Scalable, resilient Layer 3 core for simplified topology and configuration
Resiliency, scalability, and flexibility – easily deployed throughout the network.

Design and deployment guidance available
https://cisco.com/go/cvd and https://cs.co/en-cvds
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings
Related sessions – Campus/Switch Breakouts (Tuesday to Friday, alongside the Keynote and Customer Appreciation events)
• BRKCRS-3863 Catalyst 9000 Series Access Switching Architecture
• BRKCRS-1500 Introduction to Campus Wired LAN Deployment Using Cisco Validated Designs
• BRKARC-2035 The Catalyst 9000 Switch Family - An Architectural View
• BRKCRS-2501 Campus QoS Design - Simplified
• BRKARC-3190 Troubleshooting Cisco Catalyst 9000 Series Switches
• BRKCRS-2901 Cisco Silicon - The Importance of Hardware in a Software-Defined World
• BRKARC-2011 Overview of Packet Capturing Tools in Cisco Switches and Routers
• BRKCRS-2031 Enterprise Campus Design: Multilayer Architectures and Design Principles
• BRKCRS-2650 Enterprise Network Next Generation High Availability

Related sessions – Cisco SD-Access Breakouts (Tuesday to Friday)
• BRKCRS-2818 Build a Software Defined Enterprise with Cisco SDWAN & SD-Access
• BRKCRS-2819 Creating multi-domain architecture using Cisco SD-Access
• BRKCRS-2815 Cisco SD-Access – Connecting Multiple Sites in a Single Fabric
• BRKCRS-2830 Cisco SD-Access – Lessons learned from Design & Deployment
• BRKCRS-3811 Cisco SD-Access – Policy Driven Manageability
• BRKCRS-2810 Cisco SD-Access - A Look Under the Hood
• BRKCRS-2821 Cisco SD-Access – Connecting to the DC, FW, WAN and more!
• BRKCRS-2812 Cisco SD-Access – Integrating with your existing network
• BRKCRS-2502 Best Practices for Design and Deployment of Cisco SD-Access
• BRKCRS-1400 Recipe for transforming Enterprise Networks with IBN
• BRKCRS-2832 Extending Cisco SD-Access beyond Enterprise walls
• BRKARC-2020 Cisco SD Access - Troubleshooting the fabric
• BRKCRS-2825 Cisco SD-Access - Scaling the Fabric to 100s of Sites
• BRKCRS-2811 Cisco SD-Access – Connecting the Fabric to External Networks
• BRKCRS-2823 Cisco SD-Access – Firewall Integration / Cisco SD-Access deep dive
• BRKCRS-2824 Intuitive Zero-Trust Design, Migration When Securing the SD-Access Workplace
Thank you
www.cisco.com/go/cvd
