Campus Wired LAN Technology Design Guide, April 2014
Introduction (April 2014, p. 7): A hierarchical LAN design includes the following three layers: • Access layer—Provides endpoints and users direct access to th
Core Layer (April 2014, p. 97): If you configure an access-list on the vty interface, you may lose the ability to use ssh to log in from one device to the next
Core Layer (April 2014, p. 98): Step 12: Configure a synchronized clock by programming network devices to synchronize to a local NTP server in the network. Th
Core Layer (April 2014, p. 99): EIGRP Unicast Routing. Enable EIGRP for the IP address space that the network will be using. If needed for your network, you can
Core Layer (April 2014, p. 100): Step 1: Enable IP Multicast routing on the platform in the global configuration mode. ip multicast-routing Step 2: Configure a
Core Layer (April 2014, p. 101): Step 1: Configure the Layer 3 interface. When using an EtherChannel to connect to a distribution layer platform, the interface
Core Layer (April 2014, p. 102): macro apply EgressQoS channel-protocol lacp channel-group [number] mode active logging event link-status logging event t
Core Layer (April 2014, p. 103): exit-af-interface ! topology base exit-af-topology network 10.4.0.0 0.1.255.255 eigrp router-id 10.4.40.254 nsf exit-a
Appendix A: Product List (April 2014, p. 104): LAN Access Layer. Functional Area Product Description Part Numbers Software. Modular Access
Appendix A: Product List (April 2014, p. 105): LAN Distribution Layer. Functional Area Product Description Part Numbers Software. Modular Distribution Layer Virtua
Appendix B: Device Configuration Files (April 2014, p. 106): To view the configuration files from the CVD lab devices that
Introduction (April 2014, p. 8): Access Layer. The access layer is where user-controlled devices, user-accessible devices, and other end-point devices are connec
Appendix C: Changes (April 2014, p. 107): This appendix summarizes the changes Cisco made to this guide since its previous edition. • We upd
Introduction (April 2014, p. 9): Distribution Layer. The distribution layer supports many important services for the LAN. The primary function is to serve as an
Introduction (April 2014, p. 10): Flexible Design. The distribution layer provides connectivity to network-based services, to the WAN, and to the Internet edge,
Introduction (April 2014, p. 11): Larger LAN designs require a dedicated distribution layer for network-based services versus sharing connectivity with access
Introduction (April 2014, p. 12): In environments where multiple distribution layer switches exist in close proximity and where fiber optics provide the abilit
Introduction (April 2014, p. 13): Quality of Service (QoS). Real-time communication traffic is very sensitive to delay and drop. The network must ensure that this
Access Layer (April 2014, p. 14): Design Overview. The access layer is the point at which user-controlled and user-accessible devices are connected t
Access Layer (April 2014, p. 15): Figure 8 - DHCP snooping and Dynamic ARP inspection
Access Layer (April 2014, p. 16): To support the increasing requirements of devices powered by the network, all of the access layer devices support the IEEE 80
Table of Contents: Preface ...
Access Layer (April 2014, p. 17): Cisco Catalyst 2960-S Series and 2960-X Series are fixed-configuration, stackable, 10/10/1000 Ethernet switches, with PoE+ an
Access Layer (April 2014, p. 18): Cisco Catalyst 4500E Series are modular switches that support multiple Ethernet connectivity options, including 10/100/1000 E
Access Layer (April 2014, p. 19): Table 1 - IP addressing for Campus Wired LAN Technology Design Guide. Address block Access VLAN IP addressing Usage Distributio
Access Layer (April 2014, p. 20): Configuring the Access Layer: 1. Configure the platform 2. Configure LAN switch universal settings 3. Configure access switch
Access Layer (April 2014, p. 21): Step 2: If you are configuring a stack, run the stack-mac persistent timer 0 command. This ensures that the original stack m
Access Layer (April 2014, p. 22): class-map match-any SCAVENGER-QUEUE match dscp cs1 ! policy-map 2P6Q3T class PRIORITY-QUEUE priority level 1 percent 30 cla
Access Layer (April 2014, p. 23): Option 3: Configure the Cisco Catalyst 4507R+E platform. Step 1: For each platform, define two macros that you will use in lat
Access Layer (April 2014, p. 24): Step 2: When a Cisco Catalyst 4507R+E is configured with two Supervisor Engine 7L-E, 7-E, or 8-E modules, configure the swit
Access Layer (April 2014, p. 25): Although this architecture is built without any Layer 2 loops, you should still enable spanning tree with the most up-to-date
Access Layer (April 2014, p. 26): Step 8: Enable Simple Network Management Protocol (SNMP) in order to allow the network infrastructure devices to be managed
Table of Contents: Distribution Layer ...
Access Layer (April 2014, p. 27): TACACS+ is the primary protocol used to authenticate management logins on the infrastructure devices to the AAA server. A loc
Access Layer (April 2014, p. 28): Step 1: Configure VLANs on the switch. Configure the data, voice, and management VLANs on the switch so that connectivity to
Access Layer (April 2014, p. 29): Step 4: Configure ARP inspection on the data and voice VLANs. ip arp inspection vlan [data vlan],[voice vlan] Step 5: Configu
Access Layer (April 2014, p. 30): Step 3: Enable QoS by applying the access edge QoS macro that was defined in the platform configuration procedure. This macr
Access Layer (April 2014, p. 31): Step 8: Configure DHCP snooping and ARP inspection on the interface to process 100 packets per second of traffic on the port
Access Layer (April 2014, p. 32): switchport port-security aging type inactivity switchport port-security violation restrict ip arp inspection limit rate
Access Layer (April 2014, p. 33): Procedure 5 Connect to distribution or WAN router. Access layer devices can be one component of a larger LAN and connect to a
Access Layer (April 2014, p. 34): Cisco Catalyst 2960-S and 2960-X Series Switches do not require the switchport command, and the Cisco Catalyst 4500 does not
Access Layer (April 2014, p. 35): There is a remote possibility that an attacker can create a double 802.1Q encapsulated packet. If the attacker has specific k
Access Layer (April 2014, p. 36): Option 2: Configure EtherChannel to WAN router. If your access layer switch is a single fixed configuration switch connecting t
Preface (April 2014, p. 1): Cisco Validated Designs (CVDs) provide the foundation for systems design based on common use cases or current engineering sy
Access Layer (April 2014, p. 37): Step 3: Save the running configuration that you have entered so it will be used as the startup configuration file when your
Access Layer (April 2014, p. 38): Example: Procedure 5, Option 2. Figure labels: VLAN 64 Wired Data VLAN; VLAN 69 Wired Voice VLAN; 802.1Q Trunk, VLANs 64, 69; VLAN 64 Management Interfa
Distribution Layer (April 2014, p. 39): Design Overview. The primary function of the distribution layer is to aggregate access layer switches i
Distribution Layer (April 2014, p. 40): Traditional Distribution Layer Design. Traditional LAN designs use a multitier approach with Layer 2 from the access laye
Distribution Layer (April 2014, p. 41): Figure 16 - Traditional looped design with VLANs spanning access switches
Distribution Layer (April 2014, p. 42): Figure 18 - Simplified design with VLANs spanning access switches. EtherChannel is a logical interface
Distribution Layer (April 2014, p. 43): Figure 19 - Two-tier collapsed LAN core design
Distribution Layer (April 2014, p. 44): Figure 20 - Network services distribution layer
Distribution Layer (April 2014, p. 45): Cisco Catalyst 6500-E and 6807-XL VSS. The Cisco Catalyst 6500-E and 6807-XL chassis with the Supervisor Engine 2T are th
Distribution Layer (April 2014, p. 46): Cisco Catalyst 6880-X VSS • Cisco Catalyst 6880-X VSS uses Cisco Catalyst 6880-X Series extensible fixed aggregation sw
CVD Navigator (April 2014, p. 2): The CVD Navigator helps you determine the applicability of this guide by summarizing its key elements: the use c
Distribution Layer (April 2014, p. 47): Cisco Catalyst 3750-X Stack • Cisco Catalyst 3750-X is configured as a single unit, but has independent load-sharing po
Distribution Layer (April 2014, p. 48): Option 1: Configure Cisco Catalyst 6500-E Virtual Switching System and 6880-X Virtual Switching System. Cisco Catalyst 65
Distribution Layer (April 2014, p. 49): Table 4 - Example VSS connections, connecting Cisco Catalyst 6880-X chassis pair. VSS connection VSS Switch 1 Port (Port
Distribution Layer (April 2014, p. 50): To form a VSS pair, each switch in the pair must have a matching domain ID assigned. To support the interconnection of
Distribution Layer (April 2014, p. 51): At this point you should be able to see that port-channel 63 and 64 are up, and both links are active on standalone swi
Distribution Layer (April 2014, p. 52): A critical aspect of the Cisco Catalyst VSS is the control plane and data plane operating models. From a control plane
Distribution Layer (April 2014, p. 53): Step 6: Configure the system virtual MAC address. By default, the VSS system uses the default chassis-based MAC-address
Distribution Layer (April 2014, p. 54): class-map type lan-queuing match-any MULTIMEDIA-STREAMING-QUEUE match dscp af31 af32 af33 class-map type lan-queuing ma
Distribution Layer (April 2014, p. 55): random-detect dscp 14 percent 70 80 random-detect dscp 12 percent 80 90 random-detect dscp 10 percent 90 100 class
Distribution Layer (April 2014, p. 56): random-detect dscp 55 percent 80 100 random-detect dscp 57 percent 80 100 random-detect dscp 58 percent 80 100 ran
CVD Navigator (April 2014, p. 3): Proficiency. This guide is for people with the following technical proficiencies—or equivalent experience: • CCNA Routing and Sw
Distribution Layer (April 2014, p. 57): random-detect cos 7 percent 90 100 class BULK-DATA-SCAVENGER bandwidth remaining percent 10 queue-buffers ratio 20
Distribution Layer (April 2014, p. 58): To form a VSS pair, each switch in the pair must have a matching domain ID assigned. To support the interconnection of
Distribution Layer (April 2014, p. 59): The switches are not in VSS mode yet. Verify port-channel configuration on standalone switch #1. VSS-Sw1# show etherchan
Distribution Layer (April 2014, p. 60): A critical aspect of the Cisco Catalyst VSS is the control plane and data plane operating models. From a control plane
Distribution Layer (April 2014, p. 61): By default, at the time of virtual domain configuration, the Cisco Catalyst 4500 VSS system uses a virtual MAC address
Distribution Layer (April 2014, p. 62): class PRIORITY-QUEUE priority class CONTROL-MGMT-QUEUE bandwidth remaining percent 10 class MULTIMEDIA-CONFERENC
Distribution Layer (April 2014, p. 63): Step 3: To make consistent deployment of QoS easier, each distribution platform defines a macro that will be used in l
Distribution Layer (April 2014, p. 64): Procedure 2 Configure LAN switch universal settings. In this design, there are features and services that are common acr
Distribution Layer (April 2014, p. 65): of problems, including spanning-tree loops, black holes, and non-deterministic forwarding. In addition, UDLD enables fa
Distribution Layer (April 2014, p. 66): Step 10: If your network operational support is centralized, you can increase network security by using an access list
Introduction (April 2014, p. 4): The Campus Wired LAN Technology Design Guide describes how to design a wired network access with ubiquitous capabi
Distribution Layer (April 2014, p. 67): Step 13: Configure a synchronized clock by programming network devices to synchronize to a local NTP server in the net
Distribution Layer (April 2014, p. 68): Step 3: Configure the system processes to use the loopback interface address for optimal resiliency: snmp-server trap-s
Distribution Layer (April 2014, p. 69): eigrp router-id [ip address of loopback 0] eigrp stub summary nsf exit-address-family Cisco Catalyst 6500 Series Swi
Distribution Layer (April 2014, p. 70): Figure 25 - Rendezvous point placement in the network. This desi
Distribution Layer (April 2014, p. 71): passive-interface exit-af-interface network 10.4.0.0 0.1.255.255 eigrp router-id 10.4.15.254 eigrp stub summary
Distribution Layer (April 2014, p. 72): Procedure 6 Configure IP Multicast RP (Optional). In networks without a core layer, the RP function can be placed on the
Distribution Layer (April 2014, p. 73): Procedure 7 Connect to access layer. The resilient, single, logical, distribution layer switch design is based on a hub-
Distribution Layer (April 2014, p. 74): Connect the access layer EtherChannel uplinks to separate switches in the distribution layer Virtual Switching System o
Distribution Layer (April 2014, p. 75): If the interface type is not portchannel, then the additional command macro apply EgressQoS must also be configured on
Distribution Layer (April 2014, p. 76): If you configured the IOS DHCP server function on this distribution layer switch in Step 2 of this procedure, the ip he
Introduction (April 2014, p. 5): This design guide enables the following network capabilities when connecting wired devices to an organization’s network: • Con
Distribution Layer (April 2014, p. 77): no shutdown ! interface vlan 100 ip address 10.4.0.1 255.255.255.0 ip helper-address 10.4.48.10 ip pim sparse-mode ! i
Distribution Layer (April 2014, p. 78): If the interface type is not a port-channel, then an additional command macro apply EgressQoS must also be configured o
Distribution Layer (April 2014, p. 79): Step 4: Configure IP address summarization on the links to the core. As networks grow, the number of IP subnets or rout
Distribution Layer (April 2014, p. 80): Step 6: Save the running configuration that you have entered so it will be used as the startup configuration file when
Distribution Layer (April 2014, p. 81): Example: Distribution to Core PortChannel configuration—OSPF. interface Port-channel 30
Core Layer (April 2014, p. 82): Design Overview. The core layer of the LAN is a critical part of the scalable network, yet by design, is one of the sim
Core Layer (April 2014, p. 83): In large modular and scalable LAN designs, a core layer is used to aggregate multiple user connectivity distribution layer bloc
Core Layer (April 2014, p. 84): • The Supervisor Engine 2T supports DFC4-A based line cards, including the WS-X6824 and WS-X6848, to provide gigabit Ethernet
Core Layer (April 2014, p. 85): The following configuration example shows you how to convert two standalone Cisco Catalyst 6500 or 6807-XL switches to a Virtua
Core Layer (April 2014, p. 86): The supported code used for this configuration and validation of all devices is listed in the appendix of this guide. Reader Tip
Introduction (April 2014, p. 6): Use Case: Enhancing LAN Capacity and Functionality. As the needs of an organization change, the network should be able to be ref
Core Layer (April 2014, p. 87): On the standalone switch #1: VSS-Sw1(config)#switch virtual domain 101 VSS-Sw1(config-vs-domain)# switch 1 VSS-Sw1(config-vs-domai
Core Layer (April 2014, p. 88): The previous two commands show the same output below. Ports in the group: -------------------Port: Te5/4---------
Core Layer (April 2014, p. 89): The VSL allows the switches to communicate and stay in synchronization. The VSS uses the Stateful Switchover (SSO) redundancy f
Core Layer (April 2014, p. 90): Step 7: Configure the system virtual MAC address. By default, the VSS system uses the default chassis-based MAC-address pool as
Core Layer (April 2014, p. 91): match cos 5 class-map type lan-queuing match-any CONTROL-MGMT-QUEUE match dscp cs7 match dscp cs6 match dscp cs3 match
Core Layer (April 2014, p. 92): random-detect dscp-based random-detect dscp 30 percent 70 80 random-detect dscp-based random-detect dscp 28 percent 80 90
Core Layer (April 2014, p. 93): random-detect dscp 23 percent 80 100 random-detect dscp 25 percent 80 100 random-detect dscp 27 percent 80 100 random-dete
Core Layer (April 2014, p. 94): Step 11: If you are using Gigabit Ethernet cards supported in VSS mode on Cisco Catalyst 6500 Supervisor Engine 2T based switc
Core Layer (April 2014, p. 95): Procedure 2 Configure LAN switch universal settings. In this design, there are features and services that are common across all
Core Layer (April 2014, p. 96): Step 5: Set EtherChannels to use the traffic source and destination IP address when calculating which link to send the traffic