Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
IMPACT OF EMERGING
TECHNOLOGIES ON CAMPUS DESIGN
SESSION RST-3479
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 1
Campus Design
A Multitude of Design Options and Challenges
convergence times
• Adoption of Advanced Technologies (voice,
segmentation, security, wireless) all introduce
specific requirements and changes Si
Si Si
Si
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 5
Campus Solution Test Bed
Verified Design Recommendations
• Access layer
Auto phone Access
detection
Inline power
QoS: scheduling,
trust boundary and Si Si Si Si Si Si
classification Distribution
Fast convergence
• Distribution layer
High availability, Layer 3 Layer 3
redundancy, fast Core Equal Cost Equal Cost
convergence Si
Links Si
Links
Policy enforcement
QoS: scheduling,
trust boundary and
classification Distribution Si Si Si Si
• Core Si Si
High availability,
redundancy, fast
convergence
Access
QoS: scheduling,
trust boundary WAN Data Center Internet
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 8
Infrastructure Integration
Extending the Network Edge
Minimum Power
Maximum Power Levels at the
Class Usage Levels Output at the
Powered Device
PSE
0 Default 15.4W 0.44 to 12.95W
1 Optional 4.0W 0.44 to 3.84W
Power Is Applied
Dynamic allocation:
power inline auto max 7200
Static allocation:
power inline static max 7200
http://www.cisco.com/go/powercalculator
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 13
Infrastructure Integration: Next Steps
VLAN, QoS and 802.1x Configuration
Data Data
Scavenger Scavenger
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 15
Campus QoS Design Considerations
Classification and Scheduling in the Campus
Classify Throttle
• Edge traffic classification
scheme is mapped to
upstream queue Si
configuration
• Voice needs to be
assigned to the HW
Scavenger
priority queue Gold Queue
• Scavenger traffic needs RX Aggressive Drop
to be assigned its own Data
queue/threshold RX
• Scavenger configured
with low threshold to
trigger aggressive drops
Scavenger
RX Si TX
Layer 3
• Use a 802.1Q trunk for
Layer 2 switch to AP connection
• Different WLAN
authentication/encryption
methods require
Voice Data Voice Data
Wireless
new/distinct VLANs
VLANs • Layer-2 roaming requires
spanning at least 2 VLANs
between wiring closet
switches
Fast Roam Using L2 1. Common ‘Trunk’ or native
VLAN for APs to
communicate to WDS
2. The Wireless Voice VLAN
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 18
Controller-Based WLAN
The Architectural Shift
WLSM/WDS Controller
• Wireless LAN Switching
Module (WLSM) provides a
virtualized centralized Layer
2 domain for each WLAN
Layer 3
• Cisco wireless controller
provides for a centralized
point to bridge all traffic into
the Campus
Voice Data Wireless Voice Data
VLANs • AP VLANs are local to the
access switch
• No longer a need to span a
VLAN between closets
• No spanning tree loops
Fast Roam with No STP
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 19
Wireless LAN Switching Module (WLSM)
Traffic Flows
Traffic
Routed • All traffic from mobile user 1 to
Si
mobile user 2 will traverse the
GRE tunnel to the Sup720
• Sup720 forwards de-
encapsulated packets in HW
• The packet is switched and sent
back to the GRE tunnel
connected to other AP
• When mobile nodes associate
to the same AP traffic still flows
via the WSLM/Sup720
• Broadcast traffic either proxied
by AP (ARPs) or forwarded to
Sup720 (DHCP)
• Traffic to non-APs is routed to
the rest of the network
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 20
Cisco Wireless Controller
Traffic Flows
Traffic
Bridged • Data is tunneled to the Controller in
Light Weight Access Point Protocol
(LWAPP) transport layer
• AP and Controller operate in
“Split-MAC” mode dividing the
802.11 functions
• The packet bridged onto the wired
network uses the MAC address of
the original wireless frame
• Layer 2 LWAPP is in an Ethernet
frame (Ethertype 0xBBBB)
• Layer 3 LWAPP is in a UDP / IP
frame
Control traffic uses source port 1024 and
destination port 12223
Data traffic uses source port 1024 and
destination 12222
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 21
The Architectural Shift: WLSM
Network-ID Replaces the “VLAN”
Interface Tun172
Mobility Network-ID Sup720 • A Mobility Group is
Si
172 identified by mapping a SSID
to a network-ID
WLSM
• It replaces the mapping of
SSID to a wired VLAN
• Define the same SSID
SSID ENG SSID ENG
Network-ID 172
Network-ID pair on all APs
Network-ID 172
Vlan 10 Vlan 20 where mobility is required
• One mGRE tunnel interface
is created for each Mobility
Group on Sup720
• One SSID/Network-ID =
one subnet
SSID=ENG/Network-ID=172
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 22
The Architectural Shift: Controller
Controllers Virtualize the “VLAN”
LWAPP
Sup720 L3 Tunnel • There must be ‘no’ NAT between
WLSM/WDS and the APs
Si • If WLSM behind a Firewall open
WLSM WLCCP (UDP 2887) and GRE (47)
172.26.100.1
Default GW • The default gateway for all
wireless endpoints when using
Si 172.26.200.1
a WLSM Controller is the
Default GW
WLSM Switch
• The default gateway for all
wireless endpoints when using
10.10.0.0/16 a Cisco Controller is the
adjacent Catalyst® switch
• The wireless mobile node
endpoints are addressed out of
the summary range as defined
by the location of the controller
or the WLSM switch
172.26.100.0/24 172.26.200.0/24
Subnet • Communication between a
Subnet wired client on an access
switch and a wireless client is
via the core
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 25
Design Considerations
Location of Controllers
Si Si Si Si
Si Si Si Si
Service Distribution
Module
WAN Internet
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 26
Agenda
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 28
Routing to the Edge
Layer 3 Distribution with Layer 3 Access
EIGRP/OSPF EIGRP/OSPF
Layer 3
Si Si Layer 3
Layer 2
EIGRP/OSPF GLBP Model EIGRP/OSPF
Layer 2
interface GigabitEthernet5/2
ip address 10.120.100.1 255.255.255.254
ip ospf dead-interval minimal hello-multiplier 4
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 32
EIGRP vs. OSPF as Your Campus IGP
DUAL vs. Dijkstra
0.2 • Scalability:
Both protocols can scale to support
0
very large Enterprise Network
OSPF OPSF 12.2S EIGRP topologies
NSF/SSO
Layer 3 • Overall availability of the
for Non-Redundant infrastructure is dependent on
Topologies the weakest link
• NSF/SSO provides improved
availability for single points
of failure
Si Si
• SSO provides enhanced
redundancy for traditional
Layer 2 edge designs
• NSF/SSO provides enhanced
L2/L3 redundancy for routed to
Intelligent the edge designs
Stackable
Layer 2/3 Access • 3750 Stackable provides
SSO
improved redundancy for L2
Layer 2 Access
NSF/SSO and L3 edge designs
Layer 3 Access
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 35
Supervisor Processor Redundancy
Stateful Switch Over (SSO)
• Active/standby supervisors
Sup MSFC PFC run in synchronized mode
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 38
Design Considerations for NSF/SSO
NSF and Hello Timer Tuning?
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 39
Design Considerations for NSF/SSO
Supervisor Uplinks
Supervisor Failure
Port Failure
• During recovery FIB is frozen but uplink port
is gone
• PFC tries to forwarded out a non-existent link
Si Si
• Bundling Supervisor uplinks into Etherchannel
links improves convergence
• Optimal NSF/SSO convergence requires the use
of DFC enabled line cards
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 40
Design Considerations for NSF/SSO
Where Does It Make Sense?
6
Seconds of Lost Voice
Si Si
5
RP Convergence Is
4 Dependent
on IGP and Tuning
3
0
Link Node NSF/SSO OSPF
RST-3479 Failure Failure Convergence
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 41
Design Considerations for NSF/SSO
Where Does It Make Sense?
1.8
Si Si
1.6
1.4
1.2
1
0.8
0.6
0.4
0.2
0
4500 - SSO 6500 NSF/SSO (L3)
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 42
Device High Availability
3750 Stackwise
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 43
Design Considerations
Chassis vs. Stackable?
Si Si
RST-3479
0
4500 SSO
Layer 2
6500
NSF/SSO
Layer 3
3750
Layer 2
3750
Layer 3 ???
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 44
Agenda
Network
• Understand and mitigate the
threats at each layer of Data Link
the network Si
Si Si
Si
Physical
• Protect network resources
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 46
Impact of an Internet Worm
Direct and Collateral Damage
System Si
Under
Attack Si Si
Infected
Source
Core
Si
Routers
Distribution Overloaded
Access Network Links • High CPU
End Systems Overloaded • Instability
Overloaded • Loss of Mgmt
• High Packet Loss
• High CPU • Mission Critical
• Applications Applications
Impacted Impacted
System Si
Under
Attack Si Si
Infected
Source
Core
Si
and/or mitigate
Spanning Tree Loops
NICs spewing garbage
Distributed Denial of Service (DDoS) Si
Si Si
Si
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 49
Catalyst Integrated Security Features
Hardening Layer 2/3
IP Source Guard
ip dhcp snooping
ip dhcp snooping vlan 2-10
Dynamic ARP Inspection
ip arp inspection vlan 2-10
!
DHCP Snooping
interface fa3/1
Port Security switchport port-security
switchport port-security max 3
switchport port-security violation
• Port Security prevents MAC restrict
flooding attacks switchport port-security aging time 2
• DHCP Snooping prevents client switchport port-security aging type
inactivity
attack on the switch and server
ip arp inspection limit rate 100
• Dynamic ARP Inspection adds ip dhcp snooping limit rate 100
security to ARP using DHCP !
snooping table
interface gigabit1/1
• IP Source Guard adds security ip dhcp snooping trust
to IP source address using ip arp inspection trust
DHCP snooping table
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 50
Catalyst Integrated Security Features
Hardening Layer 2/3
Port Security
Switch 00:0e:00:aa:aa:aa
• Plugging all of the Layer 2
Acts Like 00:0e:00:bb:bb:bb
00:0e:00:aa:aa:cc
security holes also serves to
a Hub 00:0e:00:bb:bb:dd prevent a whole suite of
etc
132,000 other attack vectors
Bogus
MACs • Port security mitigates
against most Layer 2 based
CPU DoS attacks
IP Source Guard • In addition to preventing M-i-
M attacks IP source guard
Email
Server prevents
DDoS attacks which utilize a
spoofed source address, e.g.
“Your Email
Passwd Is
TCP SYN Floods, Smurf
‘joecisco’ !” TCP splicing and RST attacks
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 51
IP Source Guard vs. uRPF
Preventing Layer 3 Spoofing Attacks
80
Conservative Max storm-control multicast
level 1.0
70 Sup720 CPU Load
60
50
40
30
20
10
0
0.1 0.05 1 1.5 2 2.5 3
RST-3479
Percentage of Broadcast Traffice
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 54
Harden the Network Links—QoS
Scavenger-Class QoS
Si
Best Effort
Data Queue
Voice Put into
Priority Queue
• Scavenger traffic is
assigned it’s own queue or
queue/threshold
• Scavenger queue is
configured for
aggressive drop
Si TX
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 57
Catalyst Cisco Express Forwarding
CEF: Topology-Based Switching
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 58
Mitigating the Impact: CEF
Worm Propagation Impacts Stability
Worm Simulation CPU Impact
Percentage of CPU Utilization
120
100
Flow Based Switch CEF Based Switch
• Aggressive scanning of
80
<3% CPU on CEF- network by worm will
Based Switch after
60 Adding 40th 99% CPU on Flow- overload flow-based
40 Infected Server Based Switch switching
after Adding 4 th
20 Infected Server • CPU resources consumed
0
5 10 15 20 25 30 35 40
and unable to process BPDU
Number of Infected Hosts and routing updates
Traffic Receive Rate • High CPU results in network
120 instability
CEF Based Switch Flow Based Switch
100
<1% Traffic
Throughput
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 60
DoS Protection: Control Plane Protection
Catalyst 6500 Rate Limiting and CoPP
Special
cases
Hardware Special
Traffic Rate-Limiters Case Traffic
to CPU
Software
“Control- CPU
Plane”
Matches Hardware
Policy “Control-Plane”
Software
CPU
“Control-
Plane”
DBL
Switching
Fabric SDRAM
0.7
CPU Usage
80
0.6
60 0.5
0.4
40 0.3
0.2
20
0.1
0 0
00
00
0
00
00
00
00
00
00
00
00
00
00
00
00
00
00
10
50
10
15
20
25
30
35
40
45
50
55
60
65
70
75
DoS Rate (pps)
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 64
Finding the Worm: Sink Hole Routers
Monitoring for Network Worms
accounting or Netflow
• Net mgmt scripts look for Mgmt Station
Monitors for Si Si
common sources sending Anomalies
Si
Si Si
Si
to random addresses
• Does not work when
default routing to Internet
WAN Data Center Internet
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 65
Finding the Worm: NetFlow
Scalable Monitoring for Network Worms
possible in order to
maximize detection
accuracy Si Si
Si Si
Si Si
Distribution switches
WAN aggregation
Internet DMZ Mgmt Station
WAN Data Center Internet
Monitors for
RST-3479 Anomalies
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 66
Worm Containment: Reactive
PACLs, RACLs, VACLs, and CAR
PACL Blocks
• Hardware access control lists Infected Source
at Edge
can be utilized at multiple tiers
in the network
• Port ACLs allow L3/L4 ACLs to
be applied to a L2 port
• Utilize a PACL to block VACL Blocks
Si Si Si Si Si Si
Si Si
as your routing protocol
• Recommended Sup720B to
support; require Sup720
WAN Data Center Internet
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 68
Blackholing Infected Sources
Unicast RPF Loose Check
3550 (IOS) 3750 IOS 4507 (IOS) 6500 (IOS) • 90 P4 GigE servers
5 • Simultaneous attacks
Simulated Slammer
Mean Opinion Score
4 Macof—L2 DoS
Smurf—L3 DoS
3
• 6500 with Sup720a in
the distribution
2
• Network
remained stable
1
• Mean opinion score for
0 G.711 voice flows
Normal Network Under unchanged from
Conditions Attack normal conditions
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 70
Agenda
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 72
802.1x and NAC Operation
EAP, EAPoL, RADIUS, and HCAP
LDAP
802.1x/EAPoL RADIUS
802.1x (IBNS)
HCAP
802.1x/EAPoL RADIUS
or EAPoUDP
VLAN Assignment
• 802.1x defines an access
method for LAN switch ports
• You can permit or deny access
based on authorization
behavior
• Using RADIUS AV-Pairs we can Attribute 81 = ‘Engineering’
supply additional policy options
for the switch port
• VLAN assignment utilizes
AV-Pairs Guest VLAN
[64] Tunnel-Type—“VLAN” (13)
[65] Tunnel-Medium-Type—“802” (6)
[81] Tunnel-Private-Group-ID—
<VLAN name>
• In the absence of an EAPoL EAPOL-Request
response from the client the (Identity)
switch can assign the port to a D = 01.80.c2.00.00.03
locally configured ‘Guest’ or
Timeout after
default VLAN Three attempts
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 74
802.1x and NAC
Gateway IP (NAC Version1)
Gateway IP
• NAC posture assessment at the
first Layer 3 hop (default GW) ACL to Be
Applied
• Cisco IOS ‘Intercept ACL’ will
intercept interesting traffic ACL
generated by end station and
initiate an EAP/UDP session
EAP/UDP
• Based on response from Posture
RADIUS/Policy server will apply an
ACL to permit or control access
• If used 802.1x authentication Gateway IP
occurs prior and independently of and 802.1x
NAC posture assessment
ACL to Be
• Gateway IP is not currently Applied
supported on any Catalyst Switch
ACL
(Cisco IOS Router only)
• Not currently applicable to the
Campus today EAPoL 802.1x Policy
Identity
EAP/UDP
Posture
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 75
802.1x and NAC in the Campus
LAN Port dot1x and LAN Port IP
LAN Port IP
• NAC posture assessment at the
Port ACL
first Layer 2 hop (switch port)
Assignment
• LAN Port IP triggers an EAP PACL
posture session when first ARP Si
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 78
Campus Design Considerations for 802.1x
VTP, CDP and 802.1x Interaction
Internet
• 802.1x and NAC LAN Port
802.1x Basic both control
network access based on VLAN
assignment
• Once they are assigned to a
specific VLAN the network
infrastructure needs to keep the
traffic isolated Si Si
• Potential Solutions
ACLs
PBR with GRE
VRF with GRE Engineering
VRF-Lite Marketing
MPLS Guest (Contractor)
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 81
Campus Segmentation
Policy Control—ACLs
• Cons:
ACL ACL
Distributed static
configuration Si Si Si
Si
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 82
Segmentation and Virtualization
GRE and PBR Guest and Remediation
interface Vlan250
description Guest_VLAN Si Si
interface Loopback0
ip address 10.1.250.5 255.255.255.255 Si Si Si
Si
PBR PBR
interface Tunnel0 PBR PBR
ip address 10.1.250.9 255.255.255.252
tunnel source Loopback0
tunnel destination 10.1.250.10
ip access-list extended Guest-VLAN-to-DMZ
permit ip any any WAN Data Center Internet
route-map Guest-VLAN-to-DMZ permit 10
match ip address Guest-VLAN-to-DMZ
set interface Tunnel0
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 83
Virtualized Devices and Data Paths
VRF (Virtual Routing and Forwarding)
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 84
Segmentation and Virtualization
GRE and VRF Guest and Remediation
ip vrf GuestAccess
rd 10:10
interface loopback100
ip address 10.1.4.3
Si Si
interface tunnel 0
ip vrf forwarding GuestAccess
ip address 192.168.100.2 255.255.255.0
ip mtu 1416 Si Si Si
Si
ip address 10.100.1.4
ip vrf forwarding GuestAccess
router eigrp 200
address-family ipv4 vrf GuestAccess
network 10.0.0.0
no auto-summary WAN Data Center Internet
exit-address-family
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 87
Virtualized Devices and Data Paths
VRF with MPLS Tag Switching
ip vrf Red
rd 100:33 Si Si Si Si Si Si
address-family vpnv4
neighbor 1.1.1.5 activate
neighbor 1.1.1.5 send-community extended
address-family ipv4 vrf Red
network 10.20.4.0 mask 255.255.255.0 WAN Data Center Internet
RST-3479
11221_05_2005_c2 © 2005 Cisco Systems, Inc. All rights reserved. 89
Multilayer Campus Design
Leveraging Advanced Technologies