Borderless Networks
Foundation – Best Practices
Mark Williamson ([email protected])

Borderless Networks: Market Transitions and What's Next
• Mobility: 1.3 billion new networked mobile devices in the next three years
• Workplace experience, blurring the borders and changing how we work: consumer ↔ workforce, employee ↔ partner, physical ↔ virtual
• Video: projected to quadruple IP traffic by 2014 to 767 exabytes*
• IT resources: anyone, anything, anywhere, anytime
C97-592794-00
© 2010 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Borderless Networks Components
[Diagram: Borderless Networks components built on the Foundation, spanning midsize networks to enterprise networks. Labels: Resilient Core, Access, Wireless, CleanAir (Wireless), Security, Email Security, Web Security, 3G Branch]
Foundation: Preparing the Infrastructure
Ready for advanced and emerging technologies: collaboration tools, video surveillance, access controls / HVAC, virtualization, rich media apps
Security and reliability

[Diagram: headquarters, branch and teleworker topology]
• Headquarters: core switch stack; client access switch stack; server room switch stack with servers, management host and unified communications; firewall; campus router; wireless LAN controller and wireless access point; application acceleration
• WAN, PSTN and Internet connectivity
• Branch: branch router with IDS and application acceleration; branch switch; wireless access point
• Teleworker / mobile worker: hardware and software VPN
Hierarchical Design Model
• Core: reliability, speed
• Distribution: traffic control
• Access: security, QoS, PoE
Technology Overview
• Device connectivity: all devices support 10/100/1000 Ethernet with options for Gigabit and 10-Gigabit uplinks
• Resiliency & security: Catalyst Infrastructure Security Features (CISF): Port Security, DHCP Snooping, IP Source Guard, Dynamic ARP Inspection
• Services: features to support the deployment of voice and video: Power over Ethernet (802.3af and 802.3at), Quality of Service, multicast support
LAN Switch Universal Configuration
• Configure device hostname
• Configure resiliency features: VTP mode transparent; Rapid PVST+; VLAN hopping protection (prune unused VLANs from trunks and no auto trunk mode on interfaces); UDLD aggressive; port-channel load-balancing algorithm
• Configure management protocols: SSH and HTTPS only (Telnet and plain HTTP disabled); SNMPv3
• Configure secure user authentication: AAA via RADIUS with the local database as fallback; local enable secret (not the reversible enable password)
• Configure a synchronized clock: NTP server; timezone; timestamps on log and debug messages
Access Switch Global Configuration
Configure VLANs:
vlan [voice vlan], [data vlan], [mgmt vlan]

Configure in-band management (DON'T USE VLAN 1 for the management SVI):
interface vlan [mgmt vlan]
 ip address [ip address] [mask]
 no shutdown
ip default-gateway [default router]

Configure DHCP snooping and Dynamic ARP Inspection (the bare `ip dhcp snooping` line is what actually enables the feature; the per-VLAN line alone does nothing):
ip dhcp snooping vlan [data vlan],[voice vlan]
ip dhcp snooping
ip arp inspection vlan [data vlan],[voice vlan]
Then trust the DHCP-server-facing and uplink ports at interface level with `ip dhcp snooping trust`; every other port stays untrusted so client-side DHCP offers are dropped.
Client Connectivity Configuration
Configure the ports to support clients and IP phones, port security, DHCP-request and ARP denial-of-service protection (rate limits), IP Source Guard and BPDU Guard.

Configure:
interface range [type] [number] - [number]
 switchport access vlan [data vlan]
 switchport voice vlan [voice vlan]
 switchport host
 spanning-tree portfast
 auto qos {trust | voip | video}
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 20
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 spanning-tree bpduguard enable

Notes: `switchport port-security` by itself turns the feature on; the maximum, aging and violation lines only tune it. The other violation option is `shutdown`, which err-disables the port instead of dropping the offending frames. `switchport host` is a macro that sets access mode, enables PortFast and disables EtherChannel, so the separate `spanning-tree portfast` is redundant but harmless. The rate-limit syntax is `limit rate` (packets per second); a port that exceeds it is err-disabled. `ip verify source` and DAI both validate against the DHCP snooping binding table, so they only protect VLANs listed in the global `ip dhcp snooping vlan` command.
Infrastructure Connectivity Configuration
EtherChannel member interface configuration; EtherChannel member interface QoS configuration; trunk configuration; SmartPorts (configures global and interface VLAN, QoS and security).

Configure:
interface range [type] [port1] , [type] [port2]
 channel-protocol lacp
 channel-group [number] mode active
 mls qos trust dscp
 queue-set 2
 srr-queue bandwidth share 10 10 60 20
 priority-queue out

interface [type] [number]
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan [data],[voice],[mgmt]
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
 no shutdown

Notes: `mls qos trust dscp` has no effect until `mls qos` is enabled globally. The allowed-VLAN list is the "prune unused VLANs" item from the universal configuration and, with an explicit `switchport mode trunk` rather than dynamic negotiation, is the VLAN-hopping protection (`switchport nonegotiate` additionally stops the port from sending DTP frames). When the trunk is an EtherChannel, put the trunk and trust commands on the port-channel interface so the members inherit them. The Catalyst 2960 does not accept `switchport trunk encapsulation dot1q` because 802.1Q is its only encapsulation.
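The four switch slides above describe one procedure. The script below, an added example and not part of the deck, audits a Catalyst running-config against that procedure: global hardening (VTP transparent, Rapid PVST+, UDLD, AAA, SSH, HTTPS, SNMPv3, NTP, DHCP snooping and DAI enabled), no management address on VLAN 1, access ports with port security, IP Source Guard and BPDU Guard, and trunks trusted for snooping and DAI with an explicit mode. The sample config, the rule lists and the finding strings are constructed for illustration; the rules encode my reading of the slides, not a Cisco-published checklist.

```python
"""Audit a Catalyst running-config for the hardening in the switch slides.
Added example, not from the deck: the sample config is constructed and the
rule lists encode my reading of those slides."""
import re

# Constructed sample: a compliant access port, a bare access port, a trusted
# trunk, and an uplink left negotiating DTP with no snooping/DAI trust.
SAMPLE_CONFIG = """\
vtp mode transparent
spanning-tree mode rapid-pvst
udld aggressive
aaa new-model
ip ssh version 2
no ip http server
ip http secure-server
snmp-server group NETMGMT v3 priv
ntp server 10.1.199.5
ip dhcp snooping vlan 100,101
ip dhcp snooping
ip arp inspection vlan 100,101
interface Vlan1
 no ip address
 shutdown
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip verify source
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/49
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
interface GigabitEthernet1/0/50
 switchport mode dynamic desirable
"""

# A rule ending in a space is a prefix (its argument varies per site);
# any other rule must appear as a whole line.
REQUIRED_GLOBAL = [
    "vtp mode transparent", "spanning-tree mode rapid-pvst", "udld aggressive",
    "aaa new-model", "ip ssh version 2", "no ip http server", "ip http secure-server",
    "ip dhcp snooping",  # the per-VLAN line alone does not turn snooping on
    "ip dhcp snooping vlan ", "ip arp inspection vlan ", "ntp server ",
]
REQUIRED_ACCESS = ["switchport port-security", "switchport port-security violation ",
                   "ip verify source", "spanning-tree bpduguard enable"]
REQUIRED_TRUNK = ["ip arp inspection trust", "ip dhcp snooping trust"]


def has(lines, rule):
    if rule.endswith(" "):
        return any(line.startswith(rule) for line in lines)
    return rule in lines


def parse_config(text):
    """Split a running-config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(" ".join(line.split()))
            continue
        current = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_lines.append(" ".join(line.split()))
    return global_lines, interfaces


def audit(text):
    """Return sorted 'scope: problem' findings; an empty list means compliant."""
    glob, ifaces = parse_config(text)
    findings = [f"global: missing '{r.strip()}'" for r in REQUIRED_GLOBAL if not has(glob, r)]
    if not any(g.startswith("snmp-server group ") and " v3 priv" in g for g in glob):
        findings.append("global: no SNMPv3 group using authPriv")
    if any(l.startswith("ip address ") for l in ifaces.get("Vlan1", [])):
        findings.append("Vlan1: management address configured on VLAN 1")
    for name, lines in ifaces.items():
        if name.startswith("Vlan") or "no switchport" in lines:
            continue  # SVIs and routed ports are outside the access-port rules
        if "switchport mode access" in lines:
            findings += [f"{name}: access port missing '{r.strip()}'"
                         for r in REQUIRED_ACCESS if not has(lines, r)]
        elif "switchport mode trunk" in lines:
            findings += [f"{name}: trunk missing '{r}'" for r in REQUIRED_TRUNK if not has(lines, r)]
        else:
            findings.append(f"{name}: no explicit switchport mode, DTP negotiation possible")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "compliant")
```

Run against the sample it reports the bare access port and the negotiating uplink and nothing else; feed it `show running-config` output from a real switch and the same rules apply. Interfaces with no `switchport mode` at all are flagged on purpose: a Catalyst port defaults to `dynamic auto`, which is exactly the auto trunk mode the universal slide says to avoid.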
Platforms
Catalyst 2960-S
• Fixed configuration
• Stack module required
• Up to 4 switches in a stack
• Uplink failure recovery between 1-2 seconds
Catalyst 3750-X
• Modular uplinks and upgradeable IOS
• Redundant power, replaceable fans
• StackPower
• Up to 9 switches in a stack
• Subsecond uplink failure recovery
Catalyst 4500-E
• Multiple Ethernet connectivity options
• Modular switch
• 1:1 redundancy for all critical systems (supervisors, power supplies, fans)
• Stateful switchover provides subsecond supervisor recovery
• In-Service Software Upgrades
WAN Routers Universal Configuration
• Basic configuration: hostname; domain name; loopback interface (router ID, tunnel source, crypto endpoint, voice signalling bind address)
• Configure management protocols: SSH and HTTPS; SNMPv3
• Configure secure user authentication: AAA via RADIUS with the local database as fallback; local enable secret
• Configure a synchronized clock: NTP server; timezone; logging timestamps
WAN Routers QoS Configuration
QoS class-map configuration:
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6

Note: `match ip dscp` matches IPv4 packets only, while `match dscp` matches both IPv4 and IPv6; the deck mixes the two forms, so pick one deliberately if IPv6 is carried on the WAN.
WAN Routers QoS Configuration
QoS policy-map configuration:
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect

Apply the service policy outbound on the WAN interface (Gi0/2 in the example):
interface GigabitEthernet0/2
 ip address 192.168.50.101 255.255.255.252
 service-policy output WAN

Or use AutoQoS (AutoQoS Enterprise or AutoQoS VoIP) to generate the class-maps and policy-map.

Note: the two priority (LLQ) classes together reserve 33% of the link, the ceiling Cisco's QoS design guidance recommends for strict-priority traffic, and the reservations across all classes sum to exactly 100%. Priority classes are policed to their percentage during congestion, so voice and video above 10% and 23% respectively are dropped rather than queued.
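Before pushing the policy above to a fleet of WAN routers it is worth checking it mechanically. The script below is an added example, not from the deck: `parse_qos()` and `check_policy()` are mine, the 33% priority cap is Cisco's published LLQ guideline, and POLICY_TEXT reproduces the slide's class-maps and policy-map with every match written as `match dscp`. It flags classes the policy references but never defines, priority and bandwidth used in the same class, WRED on a priority queue, priority reservations over the cap, total reservations over 100%, a missing explicit class-default, and DSCP values claimed by more than one class-map.

```python
"""Sanity-check the WAN class-maps and policy-map from the slides.
Added example, not from the deck: the parser and checks are mine;
POLICY_TEXT reproduces the slide configuration."""
import re

POLICY_TEXT = """\
class-map match-any DATA
 match dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match dscp cs2 cs6
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
"""


def parse_qos(text):
    """Return (class-map name -> DSCP list, policy name -> {class: actions})."""
    class_maps, policies = {}, {}
    cur_class = cur_policy = cur_pclass = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map match-(?:any|all) (\S+)$", line):
            cur_class, cur_policy = m.group(1), None
            class_maps[cur_class] = []
        elif m := re.match(r"policy-map (\S+)$", line):
            cur_policy, cur_class = m.group(1), None
            policies[cur_policy] = {}
        elif cur_class and (m := re.match(r"match (?:ip )?dscp (.+)$", line)):
            class_maps[cur_class] += m.group(1).split()
        elif cur_policy and (m := re.match(r"class (\S+)$", line)):
            cur_pclass = m.group(1)
            policies[cur_policy][cur_pclass] = {}
        elif cur_policy and (m := re.match(r"(priority|bandwidth) percent (\d+)$", line)):
            policies[cur_policy][cur_pclass][m.group(1)] = int(m.group(2))
        elif cur_policy and line.startswith("random-detect"):
            policies[cur_policy][cur_pclass]["random-detect"] = True
    return class_maps, policies


def check_policy(text, policy="WAN", llq_cap=33):
    """Return (problems, priority_percent, total_percent) for one policy-map."""
    class_maps, policies = parse_qos(text)
    classes = policies.get(policy)
    if not classes:
        return [f"policy-map {policy} not found"], 0, 0
    problems = []
    for name, actions in classes.items():
        if name != "class-default" and name not in class_maps:
            problems.append(f"class {name} referenced but never defined")
        if "priority" in actions and "bandwidth" in actions:
            problems.append(f"class {name} mixes priority and bandwidth")
        if "priority" in actions and "random-detect" in actions:
            problems.append(f"class {name} applies WRED to a priority queue")
    llq = sum(a.get("priority", 0) for a in classes.values())
    total = llq + sum(a.get("bandwidth", 0) for a in classes.values())
    if llq > llq_cap:
        problems.append(f"priority queues reserve {llq}% (cap {llq_cap}%)")
    if total > 100:
        problems.append(f"reservations total {total}% of the link")
    if "class-default" not in classes:
        problems.append("no explicit class-default; best-effort traffic has no reserved share")
    owner = {}  # a DSCP value matched by two class-maps is a misclassification waiting to happen
    for name, values in class_maps.items():
        for v in values:
            if v in owner:
                problems.append(f"dscp {v} matched by both {owner[v]} and {name}")
            owner[v] = name
    return problems, llq, total


if __name__ == "__main__":
    print(check_policy(POLICY_TEXT))
```

The slide policy passes cleanly (no problems, 33% priority, 100% total). Bump `class-default` to 35% and rename one class-map and the checker reports a 110% reservation and the dangling reference, which is the kind of error that otherwise only shows up as a rejected commit on the router or, worse, as unclassified traffic in the default queue.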
WAN Routers Configuration
DHCP pools example:
ip dhcp excluded-address 192.168.8.1 192.168.8.10
ip dhcp excluded-address 192.168.80.4
ip dhcp excluded-address 192.168.80.1
ip dhcp pool WVDE_Data
 network 192.168.8.0 255.255.255.0
 dns-server 24.154.1.6 24.154.1.7 24.154.1.9
 domain-name k12.wv.us.com
 default-router 192.168.8.1
 lease 8
!
ip dhcp pool WVDE_Voice
 network 192.168.80.0 255.255.255.0
 dns-server 24.154.1.6 24.154.1.7 24.154.1.9
 domain-name k12.wv.us.com
 default-router 192.168.80.1
 option 150 ip 192.168.80.1
 lease 8

Notes: `lease 8` is eight days. Option 150 is the TFTP server address Cisco IP phones use to fetch their configuration. Every address the pool must never hand out (the default router, any server living inside the pool's network) has to appear in an `ip dhcp excluded-address` line, as the gateways do here.
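The pools above are easy to get subtly wrong, for example by forgetting to exclude a gateway or a phone TFTP server that sits inside the pool. The script below is an added example, not from the deck: the `Pool` class, `validate()`, `usable_leases()` and `render()` are mine, while the names, networks, servers and exclusions are the slide's. It describes each pool as data, checks that the default router and any in-network server are excluded from leasing, counts the addresses actually left to hand out, and renders the IOS lines.

```python
"""Describe, validate and render the DHCP pools from the slide.
Added example, not part of the deck: Pool/validate/usable_leases/render
are mine; the addresses and pool names are the slide's."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    network: str            # CIDR, e.g. "192.168.8.0/24"
    default_router: str
    dns: list
    domain: str
    lease_days: int = 8
    option150: str = ""     # TFTP server handed to IP phones (voice pools)
    excluded: list = field(default_factory=list)   # "addr" or "low high"


def excluded_addresses(pool):
    """Expand 'ip dhcp excluded-address' entries into a set of addresses."""
    out = set()
    for entry in pool.excluded:
        ends = entry.split()
        lo, hi = ipaddress.ip_address(ends[0]), ipaddress.ip_address(ends[-1])
        out.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    return out


def validate(pool):
    """Return a list of problems; an empty list means the pool is consistent."""
    net = ipaddress.ip_network(pool.network)
    excluded = excluded_addresses(pool)
    problems = []
    gw = ipaddress.ip_address(pool.default_router)
    if gw not in net:
        problems.append(f"{pool.name}: default-router {gw} is outside {net}")
    elif gw not in excluded:
        problems.append(f"{pool.name}: default-router {gw} can be leased to a client")
    # Servers outside the pool's network are fine; inside it they must be excluded.
    servers = [("option 150", pool.option150)] + [("dns-server", d) for d in pool.dns]
    for label, addr in servers:
        if addr and ipaddress.ip_address(addr) in net and ipaddress.ip_address(addr) not in excluded:
            problems.append(f"{pool.name}: {label} {addr} can be leased to a client")
    for addr in excluded:
        if addr not in net:
            problems.append(f"{pool.name}: excluded-address {addr} is not in {net}")
    return problems


def usable_leases(pool):
    """Number of addresses the router can actually hand out from this pool."""
    net = ipaddress.ip_network(pool.network)
    excluded = excluded_addresses(pool)
    return sum(1 for h in net.hosts() if h not in excluded)


def render(pool):
    """Emit the IOS lines for the pool, exclusions first."""
    net = ipaddress.ip_network(pool.network)
    lines = [f"ip dhcp excluded-address {e}" for e in pool.excluded]
    lines += [f"ip dhcp pool {pool.name}",
              f" network {net.network_address} {net.netmask}",
              f" dns-server {' '.join(pool.dns)}",
              f" domain-name {pool.domain}",
              f" default-router {pool.default_router}"]
    if pool.option150:
        lines.append(f" option 150 ip {pool.option150}")
    lines.append(f" lease {pool.lease_days}")
    return "\n".join(lines)


DNS = ["24.154.1.6", "24.154.1.7", "24.154.1.9"]
DATA = Pool("WVDE_Data", "192.168.8.0/24", "192.168.8.1", DNS, "k12.wv.us.com",
            excluded=["192.168.8.1 192.168.8.10"])
VOICE = Pool("WVDE_Voice", "192.168.80.0/24", "192.168.80.1", DNS, "k12.wv.us.com",
             option150="192.168.80.1", excluded=["192.168.80.4", "192.168.80.1"])

if __name__ == "__main__":
    for pool in (DATA, VOICE):
        print(render(pool), validate(pool) or "ok", usable_leases(pool), sep="\n")
```

Both slide pools validate cleanly: the data pool keeps 244 leasable addresses after the .1 to .10 reservation and the voice pool 252. A pool whose gateway is not excluded is reported immediately, which is the mistake that produces a duplicate-address outage the first time the router leases the gateway's address to a client.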
www.cisco.com/go/designzone
www.cisco.com/go/sba
www.cisco.com/go/qos
www.cisco.com/go/cna