Borderless Networks Foundation – Best Practices
Mark Williamson ([email protected])

Borderless Networks Market Transitions and What’s Next

• Mobility: 1.3 billion new networked mobile devices in the next three years (mobile devices, workplace experience)
• Video: projected to quadruple IP traffic by 2014 to 767 exabytes*
• Blurring the borders, changing how we work: consumer ↔ workforce, employee ↔ partner, physical ↔ virtual
• Anyone, anything, anywhere, anytime access to IT resources

C97-592794-00 © 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Borderless Networks Components

• Resilient Core
• Access
• Wireless (CleanAir)
• Security: Email Security, Web Security
• 3G Branch
• Foundation for Midsize Networks and Enterprise Networks

Foundation: Preparing the Infrastructure

Ready for advanced and emerging technologies, with security and reliability built in.
[Reference topology diagram. Headquarters: campus router, core switch stack, firewall, server room switch stack with servers, wireless LAN controller, client access switch stack and wireless access points. Branch: branch router with IDS and application acceleration, branch switch, wireless access point. WAN, PSTN and Internet connections; hardware and software VPN for teleworkers and mobile workers. Services shown: collaboration tools, video surveillance, access controls/HVAC, virtualization, rich media applications, unified communications, management host.]

Hierarchical Design Model

• Access layer: security, QoS, PoE
• Distribution layer: traffic control
• Core layer: reliability, speed
Technology Overview

• Device connectivity: all devices support 10/100/1000 Ethernet with options for Gigabit and 10-Gigabit uplinks
• Resiliency and security: Catalyst Infrastructure Security Features (CISF): Port Security, DHCP Snooping, IP Source Guard, Dynamic ARP Inspection
• Services: features to support the deployment of voice and video: Power over Ethernet (802.3af and 802.3at), Quality of Service, multicast support

LAN Switch Universal Configuration

• Configure device hostname
• Configure resiliency features: VTP mode transparent; Rapid PVST+; VLAN hopping protection (prune unused VLANs and no auto trunk mode on interfaces); UDLD aggressive; port channel load balancing algorithm
• Configure management protocols: SSH and HTTPS, SNMPv3
• Configure secure user authentication: AAA via RADIUS and local database, local enable password
• Configure a synchronized clock: NTP server, timezone and timestamps

Access Switch Global Configuration

Configure VLANs:
  vlan [voice vlan], [data vlan], [mgmt vlan]

Configure in-band management (don’t use VLAN 1 for the management SVI):
  interface vlan [mgmt vlan]
   ip address [ip address] [mask]
   no shutdown
  ip default-gateway [default router]

Configure DHCP Snooping and Dynamic ARP Inspection (DHCP snooping must also be enabled globally with the bare ip dhcp snooping command before the per-VLAN line takes effect):
  ip dhcp snooping vlan [data vlan], [voice vlan]
  ip arp inspection vlan [data vlan], [voice vlan]
  ip dhcp snooping trust   (interface command on server-facing ports and uplinks)

Client Connectivity Configuration

• Configure to support clients and IP phones
• Configure Port Security
• DHCP request and ARP denial-of-service protection (rate limits)
• Configure IP Source Guard
• Configure BPDU Guard
Configure (the bare switchport port-security command must also be present on the port to enable the feature; the maximum, aging and violation lines alone do not):
  interface range [type] [number] - [number]
   switchport access vlan [data vlan]
   switchport voice vlan [voice vlan]
   spanning-tree portfast
   switchport host
   auto qos trust   (or auto qos voip / auto qos video)
   switchport port-security maximum 3
   switchport port-security aging time 20
   switchport port-security aging type inactivity
   switchport port-security violation restrict   (other option is shutdown)
   ip arp inspection limit rate 100
   ip dhcp snooping limit rate 100
   ip verify source
   spanning-tree bpduguard enable

Infrastructure Connectivity Configuration

EtherChannel member interface configuration:
  interface range [type] [port1], [type] [port2]
   channel-protocol lacp
   channel-group [number] mode active

EtherChannel member interface QoS configuration:
   mls qos trust dscp
   queue-set 2
   srr-queue bandwidth share 10 10 60 20
   priority-queue out

Trunk configuration:
  interface [type] [number]
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan [data], [voice], [mgmt]
   switchport mode trunk
   ip arp inspection trust
   ip dhcp snooping trust
   no shutdown

SmartPorts: macros that configure global and interface VLAN, QoS and security settings.

Platforms

Catalyst 2960-S
• Fixed configuration
• Stack module required
• Up to 4 switches in a stack
• Uplink failure recovery between 1 and 2 seconds

Catalyst 3750-X
• Modular uplinks and upgradeable IOS
• Redundant power, replaceable fans
• StackPower
• Up to 9 switches in a stack
• Subsecond uplink failure recovery

Catalyst 4500-E
• Multiple Ethernet connectivity options
• Modular switch
• 1:1 redundancy for all critical systems (supervisors, power supplies, fans)
• Stateful switchover provides subsecond supervisor recovery
• In-Service Software Upgrades
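As an added example (not part of the Cisco deck), a small Python audit that parses an IOS running-config excerpt and reports client access ports missing the per-port baseline above, plus a management SVI left on VLAN 1. The config sample and interface names are constructed; the check treats a port as a client port only if it carries switchport access vlan, and requires the bare switchport port-security line because the maximum/aging/violation lines do not enable the feature on their own.

```python
# Added example (not from the slides): audit an IOS config excerpt against
# the client-port baseline above. Constructed sample: Gi1/0/1 is compliant,
# Gi1/0/2 is not, and the management SVI is on VLAN 1.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.0.0.5 255.255.255.0
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport port-security maximum 3
"""
# Required on every client access port; True = exact match (bare line enables it).
PORT_BASELINE = {
    "switchport port-security": True,
    "switchport port-security violation": False,
    "ip arp inspection limit rate": False,
    "ip dhcp snooping limit rate": False,
    "ip verify source": False,
    "spanning-tree bpduguard enable": False,
}

def parse_interfaces(text):
    # Map each interface name to its indented sub-commands.
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None   # any other top-level command ends the block
    return interfaces

def audit(text):
    findings = []            # empty list means the baseline is met
    for name, lines in parse_interfaces(text).items():
        if name == "Vlan1" and any(l.startswith("ip address") for l in lines):
            findings.append("Vlan1: management SVI on VLAN 1")
        if not any(l.startswith("switchport access vlan") for l in lines):
            continue         # uplinks, trunks and unused ports are out of scope
        for req, exact in PORT_BASELINE.items():
            if not any(l == req or (not exact and l.startswith(req)) for l in lines):
                findings.append(f"{name}: missing '{req}'")
    return findings
```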
WAN Routers Universal Configuration

• Basic configuration: hostname, domain name, loopback (RID, tunnels, encryption, bind voice)
• Configure management protocols: SSH and HTTPS, SNMPv3
• Configure secure user authentication: AAA via RADIUS and local database, local enable password
• Configure a synchronized clock: NTP server, timezone, logging timestamps

WAN Routers QoS Configuration

QoS class-map configuration:
  class-map match-any DATA
   match ip dscp af21
  class-map match-any INTERACTIVE-VIDEO
   match dscp cs4 af41
  class-map match-any CRITICAL-DATA
   match dscp cs3 af31
  class-map match-any VOICE
   match dscp ef
  class-map match-any SCAVENGER
   match ip dscp cs1 af11
  class-map match-any NETWORK-CRITICAL
   match ip dscp cs2 cs6

QoS policy-map configuration:
  policy-map WAN
   class VOICE
    priority percent 10
   class INTERACTIVE-VIDEO
    priority percent 23
   class CRITICAL-DATA
    bandwidth percent 15
    random-detect dscp-based
   class DATA
    bandwidth percent 19
    random-detect dscp-based
   class SCAVENGER
    bandwidth percent 5
   class NETWORK-CRITICAL
    bandwidth percent 3
   class class-default
    bandwidth percent 25
    random-detect

Apply the service policy under the WAN interface (Gi0/2, IP address 192.168.50.101 255.255.255.252):
  service-policy output WAN

Or, use Auto QoS: autoqos-enterprise, autoqos-voip.

WAN Routers Configuration: DHCP Pools Example
  ip dhcp excluded-address 192.168.8.1 192.168.8.10
  ip dhcp excluded-address 192.168.80.4
  ip dhcp excluded-address 192.168.80.1
  ip dhcp pool WVDE_Data
   network 192.168.8.0 255.255.255.0
   dns-server 24.154.1.6 24.154.1.7 24.154.1.9
   domain-name k12.wv.us.com
   default-router 192.168.8.1
   lease 8
  !
  ip dhcp pool WVDE_Voice
   network 192.168.80.0 255.255.255.0
   dns-server 24.154.1.6 24.154.1.7 24.154.1.9
   domain-name k12.wv.us.com
   default-router 192.168.80.1
   option 150 ip 192.168.80.1
   lease 8

Further reading:
www.cisco.com/go/designzone
www.cisco.com/go/sba
www.cisco.com/go/qos
www.cisco.com/go/cna
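As an added example (not from the Cisco deck), a Python check of the WAN policy-map budget from the QoS slides above: it parses the policy-map as IOS displays it, adds up the LLQ (priority) and CBWFQ (bandwidth) percentages, and warns when the total exceeds 100%, when LLQ exceeds the roughly one-third-of-link figure from Cisco's QoS design guidance (the llq_cap default is an assumption you can change), or when a priority class also carries bandwidth or random-detect, which IOS rejects.

```python
# Added example (not from the slides): sanity-check the WAN policy-map budget.
import re
# Constructed copy of the slides' policy-map, as it appears in a running-config.
POLICY_MAP = """\
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
"""

def parse_policy_map(text):
    # Map each class to its LLQ (priority) and CBWFQ (bandwidth) percentages.
    classes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*class (\S+)$", line)
        if m:
            current = m.group(1)
            classes[current] = {"priority": 0, "bandwidth": 0, "wred": False}
        elif current and (m := re.match(r"\s*(priority|bandwidth) percent (\d+)", line)):
            classes[current][m.group(1)] = int(m.group(2))
        elif current and line.strip().startswith("random-detect"):
            classes[current]["wred"] = True
    return classes

def check_budget(classes, llq_cap=33):
    # Returns (total %, LLQ %, warnings); no warnings means the budget is sane.
    llq = sum(c["priority"] for c in classes.values())
    total = llq + sum(c["bandwidth"] for c in classes.values())
    warnings = []
    if total > 100:
        warnings.append(f"allocations total {total}%, over 100%: IOS rejects this")
    if llq > llq_cap:
        warnings.append(f"LLQ total {llq}% exceeds the {llq_cap}% guideline")
    for name, c in classes.items():
        if c["priority"] and (c["bandwidth"] or c["wred"]):
            warnings.append(f"{name}: bandwidth/random-detect not allowed with priority")
    return total, llq, warnings
```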