The document provides an overview of designing and deploying a campus wired LAN using Cisco Validated Designs. It discusses starting with understanding what constitutes a campus LAN and using Cisco Validated Designs as frameworks. It then covers the key aspects of campus LAN design including the access, distribution and core layers as well as design options, security best practices, high availability and supported platforms.

Uploaded by

lakshmi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
89 views88 pages

Brkens 1500

The document provides an overview of designing and deploying a campus wired LAN using Cisco Validated Designs. It discusses starting with understanding what constitutes a campus LAN and using Cisco Validated Designs as frameworks. It then covers the key aspects of campus LAN design including the access, distribution and core layers as well as design options, security best practices, high availability and supported platforms.

Uploaded by

lakshmi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 88

#CiscoLive

Introduction to Campus Wired LAN Deployment Using Cisco Validated Designs

Jakub Matela, Technical Solutions Architect

BRKENS-1500

Cisco Webex App

Questions? Use Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 9, 2023. https://ciscolive.ciscoevents.com/ciscolivebot/#BRKENS-1500

#CiscoLive BRKENS-1500 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda (for your reference)

• Where do I start?
  • What is a Campus LAN?
  • Cisco Validated Designs
  • Planning for the Future
• Design Fundamentals
  • Access Layer
  • Distribution Layer
  • Core Layer
  • Design Options
  • Security Best Practices
  • LAN High Availability
  • Supported Platform Choice
• Summary

Best practices don't hurt but HELP!
Where do I start?
What is a CAMPUS LAN? - definition

Campus network design concepts include small networks that use a single LAN switch, up to very large networks with thousands of connections.

You create a campus network by interconnecting a group of LANs that are spread over a local geographic area.

The campus wired LAN enables communications between devices in a building or group of buildings, as well as interconnection to the WAN and Internet edge at the network core.
Where do I start?
Cisco Validated Designs (see also BRKENS-1501)

…provide a framework for design and deployment guidance based on common use cases.

Design Zone: www.cisco.com/go/designzone
Design Zone for Campus: www.cisco.com/go/cvd/campus
Where do I start?
Planning for the Future - LAN Deployment principles

• Ease of Deployment
• Easy to Manage
• Flexibility and Scalability
• Resiliency
• Security
• Advanced Technology Ready
Design Fundamentals
Hierarchical design model (Core / Distribution / Access: a "chain of command")

❖ Each layer has a specific role
❖ Modular topology: building blocks
❖ Easy to grow, understand, and troubleshoot
❖ Creates small fault domains: clear demarcations and isolation
❖ Promotes load balancing and resilience

Design Fundamentals
Hierarchical design model - scalability

[Diagram: the model scales from a combined Core/Distribution layer with Access switches and clients up to separate Core, Distribution and Access layers.]
Design Fundamentals
Access Layer

[Diagram: users, IP phones and wireless access points connect to an access switch, which uplinks either to a distribution switch or, at a remote site, to a router.]

Provides endpoints and users direct access to the network (wired and wireless)
Design Fundamentals
Access Layer - attributes

❖ Ethernet network access
  • Wired 10/100/1000 (802.3z) / mGig (802.3bz)
  • Supports Wireless LAN 802.11a/b/g/n/ac/ax access APs

❖ Simplified and flexible design
  • Layer 2 edge for applications that require spanned VLANs
  • Avoid Spanning Tree loops for resiliency

❖ Policy enforcement point
  • Secure network and applications from malicious attacks
  • Packet marking for QoS

❖ Advanced Technologies support
  • Deliver PoE services: PoE+, Cisco UPOE / 802.3bt Type 3, and Cisco UPOE+ / 802.3bt Type 4
Design Fundamentals
Access Layer - Oversubscription ratios

Soft recommendation for Access to Distribution: < 20:1

Example: 4x 48-port switches in a stack, each with 12 mGig ports (counted at 10 Gbps) + 36x 1 Gbps ports; 4x 10G uplinks spread across two switches in the stack towards a StackWise Virtual distribution layer.

Uplink BW: 40 Gbps

Max potential BW usage:
    48 x 10 Gbps
  + 144 x 1 Gbps
  -----------------------
  SUM: 624 Gbps

Oversubscription ratio: 15.6 : 1
Design Fundamentals
Access Layer - Queuing

Hope for the best and prepare for the worst!

Design Fundamentals
Access Layer - Queuing [UADP ASIC] (see also BRKENS-2096)

Catalyst 9k Switches with UADP ASICs leverage Modular QoS CLI (MQC):
❖ QoS enabled
❖ All ports trust at Layer 2 and Layer 3
❖ Two queues (neither set as priority)

Design Fundamentals
Access Layer - Queuing with Cisco DNA Center Application Policy

❖ Application Policy can be used to implement QoS
❖ Goes beyond default policies by deploying policies based on the "intent" of an organization

Design Fundamentals
Access Layer - Queuing with Cisco DNA Center Queueing Profile

❖ Application Policies and Queueing Profiles can be custom and could be defined per site/group of sites
Design Fundamentals
Distribution Layer attributes

❖ Aggregation for a building or geographic area
❖ Resilient design to reduce failure impact
❖ Layer 2 boundary for access layer
  • Spanning Tree Protocol boundary
  • Broadcast packet boundary
  • Provides load balancing to access layer
❖ Layer 3 features and functions
  • Default IP Gateway for L2 access layer
  • IP Routing summarization to rest of network
  • Efficient IP Multicast
  • Provides load balancing to core layer
❖ QoS to manage congestion caused by many-to-few links
Design Fundamentals
Distribution Layer - different setups

Two tier remote site:
• Aggregates LAN Access Layer and connects to WAN routers

Collapsed Core: two tier campus LAN and WAN Core
• LAN Access Layer aggregation
• Central connect point for all services (WAN, Internet)

Large LAN Services Block:
• Connection point for services
• Drives modular building block design
Design Fundamentals
Distribution Layer - simplified design "Single Box Design"

Traditional two box design vs. VSS (Virtual Switching System), SWV (StackWise Virtual) or a Switch Stack

Traditional two box distribution layer:
• Many points to manage (multiple boxes)
• Spanning Tree for loop avoidance
• FHRP (First Hop Redundancy Protocol) for resilient IP default gateway

Simplified design benefits:
• Fewer boxes to manage
• Simplified configuration
• Logical hub-and-spoke topology
Design Fundamentals
Distribution Layer - Oversubscription ratios

Soft recommendation for Distribution to Core: < 4:1

Example: access layer switch stacks on 4 floors, 2 stacks per floor (each stack 4x 48-port switches, 12 mGig ports to 10 Gbps + 36x 1 Gbps), each stack with 4x 25G uplinks spread across two switches in the stack; the StackWise Virtual distribution layer has 2x 40G uplinks to the core.

Distribution Uplink BW: 80 Gbps

From Access Layer: 32x 25G uplinks from access switches connected to the distribution layer switches
  4 x 2 x 4 x 25 Gbps
  SUM: 800 Gbps

Oversubscription ratio: 10 : 1
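The two oversubscription examples above (access to distribution, distribution to core) follow the same arithmetic: maximum potential downstream bandwidth divided by uplink capacity, then compared with the slide's soft recommendation. The calculator below is an added illustration, not Cisco code or material from the deck; it models a stack or a set of uplinks as port groups (count x speed) so the same function reproduces both slide results (15.6:1 and 10:1) and flags whether each stays within the quoted guidance. The 4x 48-port stack, the 25G/40G uplink counts and the 20:1 and 4:1 limits are the slide's figures; the generalization to arbitrary port groups is mine.

```python
"""Oversubscription-ratio calculator for the BRKENS-1500 slide examples.

Added illustration (not from the deck): a stack, or the uplinks of a stack,
is a list of PortGroup(count, gbps); mGig ports are counted at 10 Gbps, as
the slide does.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    count: int
    gbps: float  # per-port speed in Gbps

    @property
    def total_gbps(self) -> float:
        return self.count * self.gbps


def total_bandwidth(groups: list[PortGroup]) -> float:
    """Maximum potential bandwidth of all port groups, in Gbps."""
    return sum(g.total_gbps for g in groups)


def oversubscription_ratio(downstream: list[PortGroup], uplinks: list[PortGroup]) -> float:
    """Maximum potential downstream demand divided by uplink capacity (N in 'N:1')."""
    uplink_bw = total_bandwidth(uplinks)
    if uplink_bw <= 0:
        raise ValueError("uplink bandwidth must be positive")
    return total_bandwidth(downstream) / uplink_bw


def within_recommendation(ratio: float, limit: float) -> bool:
    """True when the ratio stays below the soft recommendation (e.g. limit=20 for '< 20:1')."""
    return ratio < limit


def access_example() -> dict:
    """Slide figures: 4x 48-port switches (12 mGig at 10G + 36x 1G each), 4x 10G uplinks."""
    switches = 4
    edge = [PortGroup(switches * 12, 10.0), PortGroup(switches * 36, 1.0)]
    uplinks = [PortGroup(4, 10.0)]
    ratio = oversubscription_ratio(edge, uplinks)
    return {"edge_gbps": total_bandwidth(edge), "uplink_gbps": total_bandwidth(uplinks),
            "ratio": round(ratio, 1), "within_20_to_1": within_recommendation(ratio, 20)}


def distribution_example() -> dict:
    """Slide figures: 4 floors x 2 stacks x 4x 25G access uplinks, 2x 40G uplinks to the core."""
    floors, stacks_per_floor, uplinks_per_stack = 4, 2, 4
    from_access = [PortGroup(floors * stacks_per_floor * uplinks_per_stack, 25.0)]
    to_core = [PortGroup(2, 40.0)]
    ratio = oversubscription_ratio(from_access, to_core)
    return {"edge_gbps": total_bandwidth(from_access), "uplink_gbps": total_bandwidth(to_core),
            "ratio": round(ratio, 1), "within_4_to_1": within_recommendation(ratio, 4)}


if __name__ == "__main__":
    print(access_example())        # ratio 15.6, within the 20:1 guidance
    print(distribution_example())  # ratio 10.0, above the 4:1 guidance
```

Running it reproduces the slide numbers: 624 Gbps over 40 Gbps gives 15.6:1 for the access stack, and 800 Gbps over 80 Gbps gives 10:1 at the distribution layer, which is above the < 4:1 soft recommendation the slide states for distribution to core.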
Design Fundamentals
Distribution/Core Layer - Queueing (see also BRKENS-2096, BRKARC-2092)

Catalyst 9000 Switches with Silicon One Q200 ASIC:
❖ QoS enabled
❖ All ports trust at Layer 2 and Layer 3
❖ Two queues (traffic-class 7 and traffic-class 0; traffic-class 7 is priority level 1)
Design Fundamentals
Core Layer attributes

❖ Aggregation for a large or geographically dispersed LAN deployment
❖ Lowers the complexity and cost of a fully meshed distribution layer
❖ Must be highly resilient – no single points of failure in design
❖ No high touch/high complexity services
  • Avoid constant tuning or configuration changes
❖ Layer 3 Transport
  • No Spanning Tree convergence or blocking
Design Fundamentals
Core Layer - do I need it?

Considerations for a fully meshed distribution layer without a core:
❖ Is it easy to configure and manage such a mesh?
❖ No aggregation of uplinks from Distribution Layer
❖ Implementing a change to the routing protocol is challenging / involves many peers
❖ Resiliency is not there
❖ But totally doable!
Design Options
Option 1: Traditional multilayer campus

Logical topology: L3 core/dist., L2 dist./acc.
Physical topology: 2 core, 2 dist./acc.

❖ Common design since the 1990's
❖ Complex configurations (prone to human error) related to spanning-tree, load balancing, unicast and multicast routing
❖ Requires heavy performance tuning resulting from reliance on FHRPs (HSRP, VRRP, GLBP)

Comparison criteria applied to each design option (the per-option ratings are graphical on the slides and are not recoverable from the text):
• Survives device and link failures
• Easy mitigation of Layer 2 looping concerns
• Rapid detection/recovery from failures
• Layer 2 across all access blocks within distribution
• Device-level CLI configuration simplicity
• Automated network and policy provisioning included
Design Options
Transforming multilayer campus: Layer 3 distribution with Layer 2 access

[Diagram: IGP routing between core and distribution (Layer 3); Layer 2 between distribution and access.]
Design Options
Simplification with routed access design: Layer 3 distribution with Layer 3 access

[Diagram: IGP routing between core, distribution and access (Layer 3); Layer 2 only on the access ports.]

❖ Move the Layer 2 / 3 demarcation to the network edge
❖ Leverages Layer 2 only on the access ports, but builds a Layer 2 loop-free network
❖ Design Motivations – Simplified control plane, ease of troubleshooting, highest availability
Design Options
Routed access design constraints

Why isn't routed access deployed everywhere?! Does this impact your requirements?

❖ VLANs don't span across multiple wiring closet switches/switch stacks (every access switch is an L3 boundary)
❖ IP addressing changes: more DHCP scopes and subnets of smaller sizes increase management and operational complexity
❖ Deployed access platforms must be able to support routing features
Design Options
Option 2: Layer 3 routed access

Logical topology: L3 down to the access switches, L2 edge only
Physical topology: 2 core, 2 dist./acc.

❖ Complexity reduced for Layer 2 (STP, trunks, etc.)
❖ Elimination of FHRP and associated timer tuning
❖ Requires more Layer 3 subnet planning; might not support Layer 2 adjacency requirements everywhere
Design Options
Option 3: Layer 2 access with "simplified" distribution

Logical topology: L3 core/dist., L2 dist./acc.
Physical topology: 2 core, 2 dist./acc.

❖ Leading campus design for easy configuration and operation when using stacking or similar technology (VSS, StackWise Virtual)
❖ Flexibility to support Layer 2 services within distribution blocks, without FHRPs
❖ Easy to scale and manage
Design Options
How about something else? Software-Defined Access (see also BRKENS-2502)

❖ Enables:
  • Host mobility
  • Network segmentation
  • Role-based access control
❖ It is an overlay network to the network underlay (Border Nodes and Edge Nodes on the physical topology, carrying a logical Layer 2 overlay and a logical Layer 3 overlay)
  • Control plane based on LISP
  • Data plane based on VXLAN
  • Policy plane based on TrustSec
Design Options
Option 4: Cisco Software-Defined Access (see also BRKENS-1852, BRKENS-2502)

Logical topology: L2/L3 flexible overlays
Physical topology: 2 core, 2 dist./acc.

❖ Uses advantages of a routed access physical design, with Layer 2 capable logical overlay design
❖ Provisioning and policy automation
❖ Integrates wireless into the same policy
❖ Requires automation to simplify configuration
Design Options
Summary (see also BRKENS-2031)

Physical topology for all four options: 2 core, 2 dist./acc.

Design notes:
• Traditional Multilayer Campus: Protocols / Tuning
• Layer 3 Routed Access: L3 Planning, Limited L2
• L2 Access / Simplified Distribution: Flexible, Easy, Scalable
• SD-Access / Fabric for Campus: Flexible, Tools to Simplify
Security Best Practices

Cisco Umbrella ➢ uses DNS as a security tool to identify and block threats
802.1x ➢ forces users to authenticate before allowing them on the network
IP Source Guard / IPv6 RA Guard ➢ prevents IP/MAC spoofing and IPv6 man-in-the-middle attacks
Dynamic ARP Inspection ➢ prevents current ARP attacks
DHCP Snooping ➢ prevents rogue DHCP server attacks
Port Security ➢ prevents CAM attacks and DHCP starvation attacks
Security Best Practices
Port Security - protect your switch from CAM (Content Addressable Memory) table overflow attacks

[Diagram: a client advertises MAC addresses 00:10:10:10:10:10 through 00:10:10:10:10:1B (12 addresses); with a maximum of 11 secure addresses on the port, the last one exceeds the maximum.]

Configure on the client interface:
    switchport port-security
    switchport port-security maximum 11
    switchport port-security aging time 2
    switchport port-security aging type inactivity
    switchport port-security violation restrict
Security Best Practices
DHCP Snooping

[Diagram: the client port is untrusted, the port towards the DHCP server is trusted. The client (MAC 00:50:56:BA:13:DB) sends a DHCP Request; the DHCP Reply returns through the trusted port and assigns IP address 10.4.80.10. DHCP server replies arriving on an untrusted port are dropped.]

Example DHCP Snooping Binding Table:
    MAC Address          IP Address   VLAN   Interface
    00:50:56:BA:13:DB    10.4.80.10   10     GigabitEthernet2/0/1

Configure in the global configuration:
    ip dhcp snooping vlan [data vlan], [voice vlan]
    no ip dhcp snooping information option
    ip dhcp snooping

Configure on the client interface:
    ip dhcp snooping limit rate 100
Security Best Practices
Dynamic ARP Inspection

[Diagram: on the untrusted client port, a client advertises MAC 00:10:10:10:10:10 in ARP; it does not match the DHCP snooping binding table entry, so the ARP packet is dropped.]

Example DHCP Snooping Binding Table:
    MAC Address          IP Address   VLAN   Interface
    00:50:56:BA:13:DB    10.4.80.10   10     GigabitEthernet2/0/1

Configure in the global configuration:
    ip arp inspection vlan [data vlan], [voice vlan]

Configure on the client interface:
    ip arp inspection limit rate 100
Security Best Practices
IP Source Guard

[Diagram: the client sends an IP packet with source address 10.4.80.22; it does not match the binding table entry (10.4.80.10 for that MAC and port), so the packet is dropped.]

Example DHCP Snooping Binding Table:
    MAC Address          IP Address   VLAN   Interface
    00:50:56:BA:13:DB    10.4.80.10   10     GigabitEthernet2/0/1

Configure on the client interface:
    ip verify source
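The four access-port features above (Port Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard) share one decision model: DHCP Snooping builds the binding table from leases seen on untrusted client ports and answered through trusted ports, DAI and IPSG then check ARP and IP traffic against that table, and Port Security caps the number of source MACs per port. The model below is an added illustration, not Cisco code or switch output; it replays the slide's own binding (00:50:56:BA:13:DB / 10.4.80.10 / VLAN 10 / GigabitEthernet2/0/1), the non-matching ARP sender 00:10:10:10:10:10, the non-matching IP source 10.4.80.22 and the 12-MAC port-security case against a maximum of 11. The uplink port name GigabitEthernet2/0/48 and the DHCP message dictionaries are constructed for the example; a real switch keys bindings and trust per interface in more detail than this.

```python
"""Added model of access-port first-hop security checks (not Cisco code).
Bindings are keyed by (vlan, mac); DAI and IPSG consult them, port security
counts learned MACs per port. Ports and DHCP messages are constructed here."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:  # one row of the DHCP snooping binding table
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class Port:
    name: str
    vlan: int
    dhcp_trusted: bool = False  # server-facing uplink; client ports stay untrusted
    max_macs: int = 11          # 'switchport port-security maximum 11'
    learned_macs: set = field(default_factory=set)
    violations: int = 0         # 'violation restrict': drop and count, port stays up


class FirstHopSecurity:
    def __init__(self) -> None:
        self.bindings: dict[tuple[int, str], Binding] = {}
        self.pending: dict[tuple[int, str], str] = {}  # client requests awaiting a reply
        self.drops: list[str] = []

    def port_security(self, port: Port, src_mac: str) -> bool:
        """Learn up to max_macs source MACs; further MACs are dropped and counted."""
        if src_mac in port.learned_macs:
            return True
        if len(port.learned_macs) >= port.max_macs:
            port.violations += 1
            self.drops.append(f"{port.name}: port-security restrict, {src_mac} exceeds maximum")
            return False
        port.learned_macs.add(src_mac)
        return True

    def dhcp_snooping(self, port: Port, msg: dict) -> bool:
        """Client messages enter anywhere; server messages only on trusted ports.
        A DHCPACK on a trusted port installs the binding for the requesting client."""
        key = (port.vlan, msg["client_mac"])
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[key] = port.name
            return True
        if not port.dhcp_trusted:
            self.drops.append(f"{port.name}: DHCP {msg['type']} from untrusted port (rogue server)")
            return False
        if msg["type"] == "ACK" and key in self.pending:
            self.bindings[key] = Binding(msg["client_mac"], msg["yiaddr"], port.vlan,
                                         self.pending.pop(key))
        return True

    def _matches_binding(self, port: Port, mac: str, ip: str) -> bool:
        b = self.bindings.get((port.vlan, mac))
        return b is not None and b.ip == ip and b.interface == port.name

    def arp_inspection(self, port: Port, sender_mac: str, sender_ip: str) -> bool:
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding."""
        if port.dhcp_trusted or self._matches_binding(port, sender_mac, sender_ip):
            return True
        self.drops.append(f"{port.name}: DAI drop, ARP {sender_mac}/{sender_ip} has no binding")
        return False

    def ip_source_guard(self, port: Port, src_mac: str, src_ip: str) -> bool:
        """IPSG ('ip verify source'): the IP source must be bound to this MAC and port."""
        if self._matches_binding(port, src_mac, src_ip):
            return True
        self.drops.append(f"{port.name}: IPSG drop, source {src_ip} does not match binding")
        return False


def run_scenario() -> dict:
    """Replays the slide examples against the model and returns every verdict."""
    fhs = FirstHopSecurity()
    client = Port("GigabitEthernet2/0/1", vlan=10)
    uplink = Port("GigabitEthernet2/0/48", vlan=10, dhcp_trusted=True)  # constructed
    client_mac = "00:50:56:BA:13:DB"
    r = {}
    fhs.dhcp_snooping(client, {"type": "DISCOVER", "client_mac": client_mac})
    r["lease_ok"] = fhs.dhcp_snooping(uplink, {"type": "ACK", "client_mac": client_mac,
                                               "yiaddr": "10.4.80.10"})
    r["binding"] = fhs.bindings[(10, client_mac)]
    # A server answering from the untrusted client port is a rogue DHCP server.
    r["rogue_offer"] = fhs.dhcp_snooping(client, {"type": "OFFER", "client_mac": client_mac,
                                                  "yiaddr": "10.4.80.99"})
    r["arp_ok"] = fhs.arp_inspection(client, client_mac, "10.4.80.10")
    r["arp_bad"] = fhs.arp_inspection(client, "00:10:10:10:10:10", "10.4.80.10")
    r["ipsg_ok"] = fhs.ip_source_guard(client, client_mac, "10.4.80.10")
    r["ipsg_bad"] = fhs.ip_source_guard(client, client_mac, "10.4.80.22")
    macs = [f"00:10:10:10:10:{i:02X}" for i in range(0x10, 0x1C)]  # 12 MACs vs maximum 11
    r["port_security"] = [fhs.port_security(client, m) for m in macs]
    r["violations"] = client.violations
    r["drops"] = fhs.drops
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(name, verdict)
```

The ordering matters in practice as much as in the model: DAI and IPSG can only pass traffic for hosts whose lease was observed, so enabling them on a VLAN whose binding table is still empty (or without marking the server-facing uplink trusted) blocks legitimate clients; the slide's `ip dhcp snooping limit rate` and `ip arp inspection limit rate` settings bound how hard a single port can hammer these checks.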
Security Best Practices
IPv6 Router Advertisement Guard

[Diagram: a device on a host port announces "I am an IPv6 router." with a Router Advertisement; the switch's IPv6 stack answers "No you are not." and drops it.]

❖ If a port device role is configured as host, IPv6 First Hop Security (FHS) RA Guard drops all IPv6 Router Advertisement messages
❖ Useful even for IPv4-only networks
❖ Other port device role options are: monitor, router, and switch

Define policy in the global configuration:
    ipv6 nd raguard policy HOST_POLICY
     device-role host

Attach policy configuration to the client interface:
    ipv6 nd raguard attach-policy HOST_POLICY
Security Best Practices
IEEE 802.1x

Roles: Endpoint (Supplicant/Client), Network Device (Authenticator), AAA Server (Authentication Server, e.g. ISE), Identity Store(s)
Credentials: Certificate, Password, Token
EAP: Extensible Authentication Protocol. EAP is carried over 802.1X between supplicant and authenticator and over RADIUS between authenticator and authentication server, forming an EAP tunnel end to end.

Exchange shown on the slides:
1. The supplicant sends EAP-Start and then its identity (DOMAIN\bob) in an EAP-RESPONSE-IDENTITY; the port is Port-Unauthorized.
2. The authenticator forwards it in RADIUS: ACCESS-REQUEST (RADIUS SERVICE-TYPE: FRAMED, EAP: EAP-RESPONSE-IDENTITY); the EAP method exchange follows.
3. The authentication server validates the credentials against the identity store and replies RADIUS: ACCESS-ACCEPT with EAP: EAP-SUCCESS and authorization attributes, e.g. VSA: Airespace-ACL = Employee-ACL.
4. The port becomes Port-Authorized.
Security Best Practices
Cisco Umbrella - DNS Protection

[Diagram, "YOUR NETWORK": a laptop (IP 10.1.1.3) queries the internal DNS server (10.1.1.1), which forwards external DNS resolution to Cisco Umbrella (208.67.222.222) through the Internet gateway. Umbrella sees the network egress IP (67.215.87.11) and applies "Your policy: Enforce all security settings for 67.215.87.11".]
LAN High Availability
Options

❖ Supervisor Redundancy
❖ Stateful Switchover (SSO)
❖ Non-Stop Forwarding (NSF)
❖ Switch Stacks & Cisco StackWise Technology (see also BRKENS-2095)
  • Catalyst 9200 Series StackWise-160/80
  • Catalyst 9300 Series StackWise-480/360
  • Catalyst 9300X Series StackWise-1T/480
❖ In-Service Software Upgrades (ISSUs)
❖ Power Redundancy
❖ Software Maintenance Upgrades (SMUs)
❖ Extended Fast Software Upgrade (xFSU)
LAN High Availability
Stateful Switchover (SSO), Supervisor Redundancy and Non-Stop Forwarding (NSF)

❖ Stateful switchover (SSO) synchronizes active process information and configuration information between active and standby supervisors / active and standby switches in a switch stack
❖ Traffic loss minimized for primary supervisor/active switch failure
❖ NSF allows for graceful restart of L3 routing protocols

Modular Chassis: Active Supervisor + Hot-Standby Supervisor
C9200/C9300 Stack: Active Switch + Hot-Standby Switch
LAN High Availability
Switch Stacking

❖ Centralized Control Plane (Active and Standby members), Distributed Data Plane
❖ Up to 8 Members
❖ 1+1 Stateful Redundancy with Active & Standby: Stateful Switchover SSO/NSF
❖ StackWise-80/160/360/480/1T* (*StackWise speeds vary depending on platform choice)
LAN High Availability
StackWise Virtual

Traditional: two distribution switches running HSRP/VRRP and STP towards the access switches, with LACP/PAgP EtherChannels per switch.
StackWise Virtual - Physical: two switches joined by the StackWise Virtual Link (SVL); each access switch connects to both with a Multichassis EtherChannel (MEC, LACP/PAgP).
StackWise Virtual - Logical: the pair appears as one switch towards the access layer.

❖ In SWV the active switch is responsible for:
  • Management
  • L2 protocols
  • L3 protocols
  • Software data path

Both Active and Standby switches take active part in data plane and traffic-forwarding actions.
LAN High Availability
SWV/VSS: connecting distribution to access layer

❖ Use EtherChannel for link resiliency and load sharing
❖ With SWV/VSS, use multi-chassis EtherChannel and home to each switch
❖ Alternatively… with a StackWise distribution layer, home EtherChannel uplinks to multiple switches in the stack
LAN High Availability
In-Service Software Upgrade (ISSU) in SWV

❖ ISSU provides a mechanism to perform software upgrades without taking the system out of service
❖ Leverages the capabilities of NSF and SSO to allow the switch to forward traffic during software upgrade
❖ Key technology is the ISSU Infrastructure

[Diagram, StackWise Virtual pair joined by the SVL:
1. Both switches run V1 (Active and Stby).
2. The Stby is upgraded V1 -> V2 and reloaded: 1st sub-second convergence.
3. Switchover: the V2 switch becomes Active and the former Active is upgraded V1 -> V2 and reloaded: 2nd sub-second convergence.
Result: both switches run V2 (Active and Stby).]
LAN High Availability
Power HA - StackPower

Flexible and Efficient / HA with Zero Footprint / 1+N Power Redundancy / RPS Resiliency
LAN High Availability
Power HA - StackPower - How it works?

❖ Pools Power from All PS (power supplies) in the DataStack
❖ All Switches in StackPower share the available Power in Pool
❖ Each Switch is given their Minimum Power Budget

[Diagram: supplies of 715 W, 715 W and 1100 W pooled across the stack, Total Input Power 2530 W.]
LAN High Availability
Software Maintenance Upgrades (SMUs)

[Diagram, SMU lifecycle: Prerequisite, SMU DevTest and Commit, Development and Release.]
LAN High Availability
Extended Fast Software Upgrade (xFSU) on Stack

    # install add file image activate reloadfast commit

Single console/management for the whole stack:
1. Install the images on all switches
2. Fast reload the standby and member switches
3. Fast reload the active switch only
4. Standby becomes the new active
5. Old Active switch becomes the new standby

Traffic impact during the complete upgrade is less than 30 seconds
LAN High Availability
Summary of Options

| Platform | Switch Stacking | Supervisor Redundancy | NSF / SSO | EtherChannel | ISSU | SMUs | GIR | Power Redundancy |
|---|---|---|---|---|---|---|---|---|
| Cisco Catalyst 9200 Series | StackWise-160/80 with Active / Standby | — | Yes | Cross-Stack EtherChannel | No | Yes | No | Up to 2 hot-swappable power supplies per switch. PoE models operate in Combined mode. Non-PoE models operate in 1:1 redundancy mode. |
| Cisco Catalyst 9300 Series | StackWise-480/360 with Active / Standby. For Cat 9300X: StackWise-1T (480G when stacking with Catalyst 9300 model) | — | Yes | Cross-Stack EtherChannel | No. Supports Fast Software Upgrade (FSU) and Extended FSU (xFSU). | Yes | Yes | StackPower (up to 4 switches per stack) operating in shared or redundant mode. Cisco XPS 2200 for stacks of up to 8 switches. |
| Cisco Catalyst 9400 Series | — | Single chassis 1:1 or cross chassis StackWise Virtual | Yes | Multichassis EtherChannel with StackWise Virtual | Yes | Yes | Yes | Hot-swappable power supplies in N+N or N+1 power redundancy modes. |
| Cisco Catalyst 9500 Series | — | Cross chassis StackWise Virtual | Yes | Multichassis EtherChannel with StackWise Virtual | Yes | Yes | Yes | Dual 1+1 redundant power supplies. |
| Cisco Catalyst 9600 Series | — | Single chassis 1:1 or cross chassis StackWise Virtual | Yes | Multichassis EtherChannel with StackWise Virtual | Yes | Yes | Yes | Four power supplies which can operate in Combined or N+1 redundancy modes. |

Agenda
• Where do I start?
• Design Fundamentals
  • Access Layer
  • Distribution Layer
  • Core Layer
  • Design Options
  • Security Best Practices
  • LAN High Availability
  • Supported Platform Choice
• Summary

Catalyst 9000 – Expanding Industry Leadership (see BRKARC-2035)
Adding The 'X' Factor to the Industry's Leading Switching Family

[Figure: Catalyst 9000 Switching Platform built on Cisco ASIC and Open IOS XE. Access Switching: Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series. Core Switching: Catalyst 9500 Series, Catalyst 9600 Series. Predecessor platforms shown beneath, access to core: Catalyst 2960-X/XR, 3650/3850, 4500-E Series, 3850-XS/4500-X, 6840-X/6880-X, 6500-E/6807-XL. The 'X' models: Catalyst 9200CX; Catalyst 9300X (IPsec, 1T stacking, 100G uplinks, Enhanced App hosting); Catalyst 9400X (480G/slot, 100G uplinks); Catalyst 9500X and Catalyst 9600X (400G, Deep buffers, Internet scale, WAN-MACsec, VoQ Architecture, Coherent DWDM optics).]
Agenda
• Where do I start?
• Design Fundamentals
• Summary

Summary 1/2
❖ CVDs provide a design framework for the wired campus with step-by-step deployment based on the cumulative Cisco leading practices
❖ Access layer
  ❖ Consistent LAN access layer across the network (small site to large campus)
  ❖ Supports both Layer 2 and Layer 3 application needs
  ❖ Secure boundary and ready for advanced technologies
❖ Distribution layer
  ❖ Simplified single logical platform with resilient and scalable design
  ❖ EtherChannel for resiliency and scalability
❖ Core layer
  ❖ Scalable, resilient Layer 3 core for simplified topology and configuration
Summary 2/2
❖ Wired Campus LAN Design based on Modularity and Hierarchy
❖ SD-Access is a viable option and requires preparation
❖ Don't forget about securing your network from THREATS (inside and outside)
❖ High Availability should be top of mind! (choose what's best for you)
❖ The Catalyst Switching Product Family has all it takes for you to be successful!
Published design guides
cisco.com/go/cvd and cs.co/en-cvds

Best practices don’t hurt but HELP!

Fill out your session surveys!

Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!

Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand
Thank you

#CiscoLive
Gamify your Cisco Live experience!
Get points for attending this session!

How:
1 Open the Cisco Events App.
2 Click on 'Cisco Live Challenge' in the side menu.
3 Click on View Your Badges at the top.
4 Click the + at the bottom of the screen and scan the QR code.