Borderless Networks Foundation – Best Practices – Mark Williamson ([email protected])

Post on 19-Dec-2015


Page 1: Borderless Networks Foundation – Best Practices Mark Williamson (mawillia@cisco.com)

Borderless Networks Foundation – Best Practices

Mark Williamson ([email protected])

Page 2

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential C97-592794-00

Blurring the Borders: Consumer ↔ Workforce, Employee ↔ Partner, Physical ↔ Virtual

Mobility, Workplace Experience, Video

1.3 Billion New Networked Mobile Devices in the Next Three Years

Changing How We Work: Video projected to quadruple IP traffic by 2014 to 767 exabytes*

Mobile Devices

IT Resources

Anyone, Anything, Anywhere, Anytime

Borderless Networks: Market Transitions and What’s Next

Page 3

Borderless Networks Components

Foundation

Midsize Networks / Enterprise Networks

• Wireless
• Web Security
• Access
• Email Security
• CleanAir (Wireless)
• Resilient Core
• Security
• 3G Branch

Page 4

Foundation: Preparing the infrastructure

• Ready for Advanced Technologies and Emerging Technologies
• Security and Reliability

Reference topology (diagram labels, in slide order):

• Hardware and Software VPN; Teleworker/Mobile Worker
• Branch; Branch Router with IDS and Application Acceleration; Branch Switch; Wireless Access Point; Wireless Access Point
• Server Room; Core; Access
• Client Access Switch; Client Access Switch Stack
• Servers; Unified Communications; Management Host; Server Room Stack; Server Room Switch
• Wireless LAN Controller; Core Switch Stack; Campus Router; Firewall; Application Acceleration
• Headquarters; Internet; WAN; PSTN

Applications the foundation must carry: Collaboration tools, Video Surveillance, Access Controls / HVAC, Virtualization, Rich Media apps

Page 5

LAN Recommendations

Page 6

Hierarchical Design Model

• Reliability, Speed
• Traffic Control
• Security, QoS, PoE

Page 7

Access Layer: Technology Overview

Device Connectivity
• All devices support 10/100/1000 Ethernet with options for Gigabit and 10-Gigabit uplinks
• Features to support the deployment of voice and video: Power over Ethernet (802.3af and 802.3at), Quality of Service, Multicast Support

Resiliency & Security Services
• Catalyst Infrastructure Security Features (CISF): Port Security, DHCP Snooping, IP Source Guard, Dynamic ARP Inspection

Page 8

LAN Access Layer: LAN Switch Universal Configuration

• Configure Device Hostname

Configure Resiliency Features
• VTP Mode Transparent
• Rapid PVST+
• VLAN Hopping Protection (prune unused VLANs and no auto trunk mode on interfaces)
• UDLD Aggressive
• Port Channel Load Balancing Algorithm

Configure Management Protocols
• SSH and HTTPS
• SNMPv3

Configure Secure User Authentication
• AAA via RADIUS and Local Database
• Local Enable Password

Configure a Synchronized Clock
• NTP Server
• Timezone and Timestamps

Page 9

LAN Access Layer: Access Switch Global Configuration

Configure VLANs:
  vlan [voice vlan], [data vlan], [mgmt vlan]

Configure In-Band Management (don't use VLAN 1 for the management SVI):
  interface vlan [mgmt vlan]
   ip address [ip address] [mask]
   no shutdown
  ip default-gateway [default router]

Configure DHCP Snooping and Dynamic ARP Inspection:
  ip dhcp snooping                                  ! global enable; required before the per-VLAN command takes effect
  ip dhcp snooping vlan [data vlan], [voice vlan]
  ip arp inspection vlan [data vlan], [voice vlan]
  ! on server-facing ports and uplinks only:
  ip dhcp snooping trust

Page 10

LAN Access Layer: Client Connectivity Configuration

Configure to Support Clients and IP Phones:
  interface range [type] [number] - [number]
   switchport access vlan [data vlan]
   switchport voice vlan [voice vlan]
   spanning-tree portfast                     ! or apply the switchport host macro
   auto qos trust | auto qos voip | auto qos video   (choose one)

Configure Port Security:
   switchport port-security                   ! enables the feature; the parameters below tune it
   switchport port-security maximum 3
   switchport port-security aging time 20
   switchport port-security aging type inactivity
   switchport port-security violation restrict   ! the other option is shutdown

DHCP Request and ARP Denial-of-Service Protection (per-port rate limits):
   ip arp inspection limit rate 100
   ip dhcp snooping limit rate 100

Configure IP Source Guard:
   ip verify source

Configure BPDU Guard:
   spanning-tree bpduguard enable

Page 11

LAN Access Layer: Infrastructure Connectivity Configuration

EtherChannel Member Interface Configuration:
  interface range [type] [port1], [type] [port2]
   channel-protocol lacp
   channel-group [number] mode active

EtherChannel Member Interface QoS Configuration:
   mls qos trust dscp
   queue-set 2
   srr-queue bandwidth share 10 10 60 20
   priority-queue out

Trunk Configuration:
  interface [type] [number]
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan [data], [voice], [mgmt]
   switchport mode trunk
   ip arp inspection trust
   ip dhcp snooping trust
   no shutdown

SmartPorts configures the global and interface VLAN, QoS and security settings.

Page 12

Access Layer Platforms

Catalyst 2960-S
• Fixed-configuration
• Stack Module Required
• Up to 4 switches in a stack
• Uplink failure recovery between 1-2 seconds
• Multiple Ethernet Connectivity options

Catalyst 3750-X
• Modular Uplinks and Upgradeable IOS
• Redundant Power, Replaceable fans
• StackPower
• Up to 9 switches in a stack
• Subsecond uplink failure recovery

Catalyst 4500-E
• Modular switch
• 1:1 redundancy for all critical systems (supervisors, power supplies, fans)
• Stateful switchover provides subsecond supervisor recovery
• In-Service Software Upgrades

Page 13

WAN Recommendations

Page 14

WAN: WAN Routers Universal Configuration

Basic Configuration
• Hostname
• Domain Name
• Loopback (RID, tunnels, encryption, bind voice)

Configure Management Protocols
• SSH and HTTPS
• SNMPv3

Configure Secure User Authentication
• AAA via RADIUS and Local Database
• Local Enable Password

Configure a Synchronized Clock
• NTP Server
• Timezone
• Logging Timestamps

Page 15

WAN: WAN Routers QoS Configuration

QoS Class-Map Configuration:
  class-map match-any DATA
   match ip dscp af21
  class-map match-any INTERACTIVE-VIDEO
   match dscp cs4 af41
  class-map match-any CRITICAL-DATA
   match dscp cs3 af31
  class-map match-any VOICE
   match dscp ef
  class-map match-any SCAVENGER
   match ip dscp cs1 af11
  class-map match-any NETWORK-CRITICAL
   match ip dscp cs2 cs6

Page 16

WAN: WAN Routers QoS Configuration

QoS Policy-Map Configuration:
  policy-map WAN
   class VOICE
    priority percent 10
   class INTERACTIVE-VIDEO
    priority percent 23
   class CRITICAL-DATA
    bandwidth percent 15
    random-detect dscp-based
   class DATA
    bandwidth percent 19
    random-detect dscp-based

Page 17

WAN: WAN Routers QoS Configuration

QoS Policy-Map Configuration (continued):
   class SCAVENGER
    bandwidth percent 5
   class NETWORK-CRITICAL
    bandwidth percent 3
   class class-default
    bandwidth percent 25
    random-detect

Or, use AutoQoS: AutoQoS Enterprise / AutoQoS VoIP

Apply the service policy on the WAN interface (diagram: WAN interface Gi0/2, IP address 192.168.50.101 255.255.255.252):
  service-policy output WAN
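An added example (not from the deck) that sanity-checks a class-map/policy-map pair like the one on pages 15 to 17 before it is applied: it flags a DSCP value claimed by two class-maps, LLQ (priority) classes totalling more than 33% of the link, a class-default below 25%, and allocations over 100%. The 33% and 25% limits are Cisco's general QoS design guidance rather than values stated on these pages, and the embedded text reproduces the deck's classes and percentages without the random-detect lines.

```python
POLICY = """\
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
 class DATA
  bandwidth percent 19
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
"""  # the deck's page 15-17 policy (added example, not Cisco code; random-detect lines omitted)

def check(text):
    """Return problems found in class-map/policy-map text; an empty list means it passes."""
    owner, alloc, cur, out = {}, {}, None, []  # owner: dscp -> class-map; alloc: class -> (kw, pct)
    for w in filter(None, (line.split() for line in text.splitlines())):
        if w[0] in ("class-map", "class"):      # start of a class-map or of a policy class
            cur = w[-1]
        elif w[0] == "match" and "dscp" in w:   # 'match [ip] dscp <value...>'
            for d in w[w.index("dscp") + 1:]:
                if d in owner:
                    out.append(f"dscp {d} matched by both {owner[d]} and {cur}")
                owner[d] = cur
        elif w[0] in ("priority", "bandwidth") and w[1:2] == ["percent"]:
            alloc[cur] = (w[0], int(w[2]))
    llq = sum(p for k, p in alloc.values() if k == "priority")  # strict-priority (LLQ) total
    total, default = sum(p for _, p in alloc.values()), alloc.get("class-default", ("", 0))[1]
    # Cisco QoS design guidance: keep LLQ <= 33% of the link and best effort >= 25%.
    out += [m for bad, m in ((llq > 33, f"LLQ classes reserve {llq}% (> 33%)"),
                             (default < 25, f"class-default gets {default}% (< 25%)"),
                             (total > 100, f"allocations total {total}% (> 100%)")) if bad]
    return out
```

check(POLICY) returns an empty list for the deck's values (10 + 23 = 33% LLQ, 25% default, 100% total); edit a percentage or a match line and the corresponding problem is reported.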

Page 18

WAN: WAN Routers Configuration

DHCP Pools Example:
  ip dhcp excluded-address 192.168.8.1 192.168.8.10
  ip dhcp excluded-address 192.168.80.4
  ip dhcp excluded-address 192.168.80.1
  ip dhcp pool WVDE_Data
   network 192.168.8.0 255.255.255.0
   dns-server 24.154.1.6 24.154.1.7 24.154.1.9
   domain-name k12.wv.us.com
   default-router 192.168.8.1
   lease 8
  !
  ip dhcp pool WVDE_Voice
   network 192.168.80.0 255.255.255.0
   dns-server 24.154.1.6 24.154.1.7 24.154.1.9
   domain-name k12.wv.us.com
   default-router 192.168.80.1
   option 150 ip 192.168.80.1
   lease 8

Page 19

Resources

www.cisco.com/go/designzone

www.cisco.com/go/sba

www.cisco.com/go/qos

www.cisco.com/go/cna
