Borderless Networks Foundation – Best Practices
Mark Williamson ([email protected])
Posted on 19-Dec-2015
Transcript
© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential C97-592794-00
Borderless Networks: Market Transitions and What’s Next
Blurring the Borders: Consumer ↔ Workforce, Employee ↔ Partner, Physical ↔ Virtual
Mobility, Workplace Experience, Video
1.3 Billion New Networked Mobile Devices in the Next Three Years
Changing How We Work: Video projected to quadruple IP traffic by 2014 to 767 exabytes*
Mobile Devices, IT Resources
Anyone, Anything, Anywhere, Anytime
Borderless Networks: Components
Foundation
Midsize Networks Enterprise Networks
Wireless
Web Security
Access
Email Security
CleanAir (Wireless)
Resilient Core
Security
3G Branch
Foundation: Preparing the infrastructure
Ready for Advanced and Emerging Technologies
Security and Reliability
[Network diagram: Headquarters with Core Switch Stack, Campus Router, Firewall, Application Acceleration and Wireless LAN Controller; Server Room with Server Room Switch / Server Room Stack and Servers (Unified Communications, Management Host); Access with Client Access Switch / Switch Stack and Wireless Access Points. Connected over Internet, WAN and PSTN to a Branch (Branch Router with IDS and Application Acceleration, Branch Switch, Wireless Access Point) and to Teleworkers/Mobile Workers (Hardware and Software VPN). Applications carried: Collaboration tools, Video Surveillance, Access Controls / HVAC, Virtualization, Rich Media apps.]
LAN Recommendations
Hierarchical Design Model
Reliability, Speed
Traffic Control
Security, QoS, PoE
Access Layer: Technology Overview
Device Connectivity
Resiliency & Security Services
Catalyst Infrastructure Security Features (CISF)
Port Security
DHCP Snooping
IP Source Guard
Dynamic ARP Inspection
All devices support 10/100/1000 Ethernet with options for Gigabit and 10-Gigabit Uplinks
Features to support the deployment of voice and video
Power over Ethernet (802.3af and 802.3at)
Quality of Service
Multicast Support
LAN Access Layer: LAN Switch Universal Configuration
Configure Device Hostname
VTP Mode Transparent
Rapid PVST+
VLAN Hopping Protection (prune unused VLANs & no auto trunk mode on interfaces)
UDLD Aggressive
Port Channel Load Balancing Algorithm
SSH and HTTPS
SNMPv3
AAA via Radius and Local Database
Local Enable Password
NTP Server
Timezone and Timestamps
Configure Resiliency Features
Configure Management Protocols
Configure Secure User Authentication
Configure a Synchronized Clock
LAN Access Layer: Access Switch Global Configuration
Configure VLANs:
vlan [voice vlan], [data vlan], [mgmt vlan]
Configure In-Band Management (don’t use VLAN 1 for management):
interface vlan [mgmt vlan]
 ip address [ip address] [mask]
 no shutdown
ip default-gateway [default router]
Configure DHCP Snooping and Dynamic ARP Inspection:
ip dhcp snooping (global enable; the per-VLAN command alone does not activate snooping)
ip dhcp snooping vlan [data vlan], [voice vlan]
ip arp inspection vlan [data vlan], [voice vlan]
ip dhcp snooping trust (interface command, on the ports facing the DHCP server and on the uplinks)
LAN Access Layer: Client Connectivity Configuration
Configure to Support Clients and IP Phones
Configure Port Security
DHCP request and ARP denial-of-service protection (per-port rate limits)
Configure IP Source Guard
Configure BPDU Guard
Configure:
interface range [type] [number] - [number]
 switchport access vlan [data vlan]
 switchport voice vlan [voice vlan]
 spanning-tree portfast
 switchport host
 auto qos trust / auto qos voip / auto qos video (choose one)
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 20
 switchport port-security aging type inactivity
 switchport port-security violation restrict (other option is shutdown)
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 spanning-tree bpduguard enable
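As an added example that is not part of the slides, the following Python audit parses an IOS-style switch configuration and checks the access-layer items from this slide and the previous one: management SVI not on VLAN 1, DHCP snooping enabled and covering the client VLANs, DAI covering them, port security, IP Source Guard and BPDU guard on client ports, and snooping/DAI trust on trunks. The sample configuration, interface names and addresses are constructed for the example.

```python
from collections import defaultdict
# Constructed sample config (not from the slides); its gaps are deliberate so the audit reports them.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
interface Vlan1
 ip address 10.0.99.5 255.255.255.0
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
interface GigabitEthernet1/0/49
 switchport mode trunk
 ip dhcp snooping trust
"""
ACCESS_REQUIRED = ("switchport port-security", "ip verify source", "spanning-tree bpduguard enable")
TRUNK_REQUIRED = ("ip dhcp snooping trust", "ip arp inspection trust")

def parse_config(text):  # -> (global commands, {interface: [sub-commands]})
    global_cmds, ifaces, cur = [], defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
            continue
        cur = line.split(None, 1)[1] if line.startswith("interface ") else None
        if cur is None:
            global_cmds.append(line.strip())
    return global_cmds, ifaces

def vlan_set(global_cmds, prefix):  # VLAN IDs after e.g. "ip dhcp snooping vlan 10,20"
    return {int(v) for c in global_cmds if c.startswith(prefix + " ")
            for v in c[len(prefix):].replace(" ", "").split(",") if v}

def audit(text):  # findings against the access-layer hardening items on the slides
    g, ifaces = parse_config(text)
    findings = [] if "ip dhcp snooping" in g else ["global: ip dhcp snooping not enabled"]
    snoop, dai = vlan_set(g, "ip dhcp snooping vlan"), vlan_set(g, "ip arp inspection vlan")
    for name, cmds in ifaces.items():
        if name.lower() == "vlan1" and any(c.startswith("ip address") for c in cmds):
            findings.append(f"{name}: management SVI on VLAN 1")  # slides: don't use VLAN 1
        if "switchport mode trunk" in cmds:  # uplink: must be trusted for snooping and DAI
            findings += [f"{name}: trunk missing '{r}'" for r in TRUNK_REQUIRED if r not in cmds]
            continue
        used = {int(c.split()[-1]) for c in cmds  # numeric access/voice VLANs only
                if c.startswith(("switchport access vlan", "switchport voice vlan")) and c.split()[-1].isdigit()}
        if used:  # client port: enforce per-port features and global VLAN coverage
            findings += [f"{name}: access port missing '{r}'" for r in ACCESS_REQUIRED if r not in cmds]
            findings += [f"{name}: vlan {v} not covered by DHCP snooping" for v in sorted(used - snoop)]
            findings += [f"{name}: vlan {v} not covered by ARP inspection" for v in sorted(used - dai)]
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the VLAN 1 management SVI, the three missing per-port features on Gi1/0/1, voice VLAN 20 missing from DAI, and the uplink not trusted for DAI.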
LAN Access Layer: Infrastructure Connectivity Configuration
EtherChannel Member Interface Configuration:
interface range [type] [port1], [type] [port2]
 channel-protocol lacp
 channel-group [number] mode active
EtherChannel Member Interface QoS Configuration:
 mls qos trust dscp
 queue-set 2
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
Trunk Configuration:
interface [type] [number]
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan [data], [voice], [mgmt]
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
 no shutdown
SmartPorts configures global and interface VLAN, QoS, and security settings.
Access Layer: Platforms
Catalyst 2960-S
• Fixed-configuration
• Stack Module Required
• Up to 4 switches in a stack
• Uplink failure recovery between 1-2 seconds
• Multiple Ethernet Connectivity options
Catalyst 3750-X
• Modular Uplinks and Upgradeable IOS
• Redundant Power, Replaceable fans
• StackPower
• Up to 9 switches in a stack
• Subsecond uplink failure recovery
Catalyst 4500-E
• Modular switch
• 1:1 redundancy for all critical systems (supervisors, power supplies, fans)
• Stateful switchover provides subsecond supervisor recovery
• In-Service Software Upgrades
WAN Recommendations
WAN: WAN Routers Universal Configuration
Basic Configuration
SSH and HTTPS
SNMPv3
AAA via Radius and Local Database
Local Enable Password
NTP Server
Timezone
Logging Timestamps
Configure Management Protocols
Configure Secure User Authentication
Configure a Synchronized Clock
Hostname
Domain Name
Loopback (RID, tunnels, encryption, bind voice)
WAN: WAN Routers QoS Configuration
QoS Class-Map Configuration:
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
QoS Policy-Map Configuration:
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
QoS Policy-Map Configuration (continued):
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
Or, use Auto QoS: autoqos-enterprise, autoqos-voip
WAN interface Gi0/2: ip address 192.168.50.101 255.255.255.252
Apply the service policy on the WAN interface:
 service-policy output WAN
WAN: WAN Routers Configuration
DHCP Pools Example:
ip dhcp excluded-address 192.168.8.1 192.168.8.10
ip dhcp excluded-address 192.168.80.4
ip dhcp excluded-address 192.168.80.1
ip dhcp pool WVDE_Data
 network 192.168.8.0 255.255.255.0
 dns-server 24.154.1.6 24.154.1.7 24.154.1.9
 domain-name k12.wv.us.com
 default-router 192.168.8.1
 lease 8
!
ip dhcp pool WVDE_Voice
 network 192.168.80.0 255.255.255.0
 dns-server 24.154.1.6 24.154.1.7 24.154.1.9
 domain-name k12.wv.us.com
 default-router 192.168.80.1
 option 150 ip 192.168.80.1
 lease 8
Resources
www.cisco.com/go/designzone
www.cisco.com/go/sba
www.cisco.com/go/qos
www.cisco.com/go/cna