
Medium Enterprise Design Profile Reference Guide

Last Updated: July 8, 2010

Building Architectures to Solve Business Problems


About Cisco Validated Design (CVD) Program

The CVD program consists of systems and solutions designed, tested, and documented
to facilitate faster, more reliable, and more predictable customer deployments. For more
information visit www.cisco.com/go/designzone.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY,
"DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR
ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE
DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER
PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR
OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING
ON FACTORS NOT TESTED BY CISCO.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and
Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and
Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink,
Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime
Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase,
SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any other company. (0809R)

© 2010 Cisco Systems, Inc. All rights reserved


About the Authors

Solution Authors

Martin Pueblas, CCIE#2133, CISSP#40844—Technical Leader, CMO Enterprise Solutions Engineering (ESE), Cisco Systems

Martin is the lead system architect of the Cisco SAFE Security Reference Architecture. He is a network security expert
with over 17 years of experience in the networking industry. He obtained his CCIE certification in 1996 and CISSP in
2004. Martin joined Cisco in 1998 and has held a variety of technical positions. He started as a Customer Support
Engineer in Cisco's Technical Assistance Center (TAC) in Brussels, Belgium. In 1999 he moved to the United States,
where he soon became technical leader for the Security Team. Martin's primary job responsibilities included acting as a
primary escalation resource for the team and delivering training for the support organization. At the end of 2000, he
joined the Advanced Engineering Services team as a Network Design Consultant, where he provided design and security
consulting services to large corporations and Service Providers. During this period, Martin wrote a variety of technical
documents including design guides and white papers that define Cisco's best practices for security and VPNs.
Martin joined Cisco's Central Marketing Organization in late 2001, where as a Technical Marketing Engineer, he
focused on security and VPN technologies. In late 2004, he joined his current position acting as a security technical
leader. As part of his current responsibilities, Martin is leading the development of security solutions for enterprises.

Steve Gyurindak, CCIE#9057, CISSP#61046—Solutions Architect, Enterprise Solutions Engineering (ESE), Cisco Systems

Steve is a solutions architect with over 15 years of industry experience. He joined Cisco in 2000 and worked the first 8
and a half years as a Systems Engineer covering the Service Provider, North Florida/Alabama Commercial, Georgia
Enterprise and US Channels sales markets. Steve has been recognized for his work with some of Cisco's most
influential customers as well as for his work in South America and Europe. Steve joined ESE in 2009 to lead the
development of customer-focused architectures and designs for the Education Market. Steve has a Bachelor of Science
degree in Telecommunications from the State University of New York at Buffalo, and is currently pursuing a Master of
Science degree in Network Telecommunications at New York University. In addition to a CCIE in Routing and Switching,
Steve holds the following certifications: CISSP, CCNP, CCDP, CCNA, CCDA, MCSE, and MCNE.

John Strika, Technical Marketing Engineer, CMO Enterprise Solutions Engineering (ESE), Cisco Systems

John is a Technical Marketing Engineer in Cisco's Public Sector ESE team, with expertise in the areas of mobility and
location-based services. He has coauthored documents on enterprise mobility and Wi-Fi location-based services. As
a member of Cisco's Enterprise Architecture Board, he helps maintain Cisco's vision and architectural direction and
define Cisco's roadmap for context-aware and presence solutions. Previously, John was Cisco's first mobility
consulting systems engineer, responsible for architecting creative wireless solutions for large enterprise customers. His
28 years of experience spans network design and implementation, applications development, facilities planning and
management, consulting, and general management. His past roles have included mission-critical telecommunications
design and development at AT&T and systems programming and data communications management with Wall Street
brokerages and commercial banks. Prior to joining Cisco, Strika was at Telxon Corporation (parent of Cisco's Aironet
wireless acquisition) for nine years, reaching the position of Southern Division Vice President of Wireless Technologies
and Services. He is a member of the IEEE and has held several Federal Communications Commission licenses in
the use and modification of amateur and commercial radio. His educational background is in electrical engineering
and computer applications programming from Columbia University and in finance from Fordham University's College
of Business Administration, and he holds a masters of communications technology certificate from the American
Institute. He was a charter Novell Certified Netware Engineer in the greater New York City area. Always seeking
opportunities to use his mobility and advanced communications knowledge to improve public safety as well as
the safety of our public servants, John has served in volunteer search and rescue as well as a Reserve Deputy.

Rahul Kachalia, CCIE#11740—Technical Marketing Engineer, CMO Enterprise Solutions Engineering (ESE), Cisco Systems

Rahul is a technical marketing engineer in Cisco's Enterprise Solution Engineering group,
helping to create the design guidance that will help build the 21st century school network
infrastructure. Rahul has more than 14 years of broad engineering experience, primarily in
service provider core and edge focused products and technologies including broadband,
MPLS, VPN and managed services. He has led many assurance projects to develop
solutions that can deliver design guidance and accelerate deployments from traditional
WAN infrastructure to next-generation IP/MPLS managed core networks. In the Enterprise
Solution Engineering group he has also worked on designing next-generation unified virtual
campus networks for large enterprise customers. In addition to CCIE, Rahul holds
CCNP, CCNA, MCSE, MCP, and CNE. He holds a bachelor's degree from Mumbai University,
India.

Dan Hamilton, CCIE #4080—Technical Leader, CMO Enterprise Solutions Engineering (ESE), Cisco Systems

Dan has over 15 years experience in the networking industry. He has been with Cisco for 9 years. He
joined Cisco in 2000 as a Systems Engineer supporting a large Service Provider customer. In 2004,
he became a Technical Marketing Engineer in the Security Technology Group (STG) supporting IOS
security features such as infrastructure security, access control and Flexible Packet Matching (FPM)
on the Integrated Security Routers (ISRs), mid-range routers and the Catalyst 6500 switches. He
moved to a Product Manager role in STG in 2006, driving the development of new IOS security
features before joining the ESE Team in 2008. Prior to joining Cisco, Dan was a network architect for a
large Service Provider, responsible for designing and developing their network managed service
offerings. Dan has a Bachelor of Science degree in Electrical Engineering from the University of Florida.

Srinivas Tenneti, CCIE#10483—Technical Marketing Engineer, CMO Enterprise Solutions Engineering (ESE), Cisco Systems

Srinivas is a Technical Marketing Engineer for WAN and branch architectures in Cisco's ESE team.
Prior to joining the ESE team, Srinivas worked two years in the Commercial System Engineering team,
where he worked on producing design guides and SE presentations for channel partners and SEs.
Before that, he worked for 5 years with other Cisco engineering teams. Srinivas has been at Cisco for
8 years.


CONTENTS

CHAPTER 1 Medium Enterprise Design Profile (MEDP)—Service Fabric Design Considerations 1-1

Service Fabric Design 1-1
Main and Large Site Design 1-2
Medium Site Design 1-3
Small Site Design 1-3
Building Profiles 1-3
Large Building Design 1-3
Medium Building Design 1-3
Small Building Design 1-3
Extra Small Building Design 1-4
Access Devices 1-4
LAN/WAN Design Considerations 1-4
LAN Design Considerations 1-4
Routing Protocol Selection Criteria 1-4
High Availability Design Considerations 1-5
Access Layer Design Considerations 1-5
LAN Service Fabric Foundational Services 1-6
WAN Design Considerations 1-6
WAN Transport 1-6
WAN Service Fabric Foundational Services 1-7
Security Design Considerations 1-7

Mobility 1-7

Unified Communications 1-8
Call Processing Considerations 1-8
Gateway Design Considerations 1-8
Dial Plan Considerations 1-9
Survivability Considerations 1-9

CHAPTER 2 Medium Enterprise Design Profile (MEDP)—LAN Design 2-1

LAN Design 2-1

LAN Design Principles 2-4

Medium Enterprise LAN Design Models 2-7
Main Site Network Design 2-9


Remote Large Campus Site Design 2-10
Remote Medium Campus Site Design 2-11
Remote Small Campus Network Design 2-12
Multi-Tier LAN Design Models for Medium Enterprise 2-13
Campus Core Layer Network Design 2-13
Core Layer Design Option 1—Cisco Catalyst 6500-E-Based Core Network 2-14
Core Layer Design Option 2—Cisco Catalyst 4500-E-Based Campus Core Network 2-15
Core Layer Design Option 3—Cisco Catalyst 4500-E-Based Collapsed Core Campus Network 2-17
Campus Distribution Layer Network Design 2-18
Distribution Layer Design Option 1—Cisco Catalyst 6500-E Based Distribution Network 2-19
Distribution Layer Design Option 2—Cisco Catalyst 4500-E-Based Distribution Network 2-21
Distribution Layer Design Option 3—Cisco Catalyst 3750-X StackWise-Based Distribution Network 2-22
Campus Access Layer Network Design 2-23
Access Layer Design Option 1—Modular/StackWise Plus/FlexStack Access Layer Network 2-24
Access Layer Design Option 2—Fixed Configuration Access Layer Network 2-24
Deploying Medium Enterprise Network Foundation Services 2-25
Implementing LAN Network Infrastructure 2-25
Deploying Cisco Catalyst 6500-E in VSS Mode 2-26
Deploying Cisco Catalyst 4500-E 2-34
Deploying Cisco Catalyst 3750-X StackWise Plus 2-38
Deploying Cisco Catalyst 3560-X and 2960-S FlexStack 2-41
Designing EtherChannel Network 2-41
Network Addressing Hierarchy 2-49
Network Foundational Technologies for LAN Design 2-50
Designing the Core Layer Network 2-50
Designing the Campus Distribution Layer Network 2-56
Designing the Multilayer Network 2-56
Spanning-Tree in Multilayer Network 2-59
Designing the Routed Access Network 2-60
Multicast for Application Delivery 2-64
Multicast Addressing Design 2-64
Multicast Routing Design 2-65
Designing PIM Rendezvous Point 2-66
Dynamic Group Membership 2-73
Designing Multicast Security 2-74
QoS for Application Performance Optimization 2-75
Medium Enterprise LAN QoS Framework 2-76
Designing Medium Enterprise LAN QoS Trust Boundary and Policies 2-79
Medium Enterprise LAN QoS Overview 2-80
Deploying QoS in Campus LAN Network 2-84
QoS in Catalyst Fixed Configuration Switches 2-84
QoS in Cisco Modular Switches 2-85
Deploying Access-Layer QoS 2-87
Deploying Network-Layer QoS 2-105
High-Availability in LAN Network Design 2-119
Medium Enterprise High-Availability Framework 2-119
Baselining Campus High Availability 2-120
Network Resiliency Overview 2-121
Device Resiliency Overview 2-122
Operational Resiliency Overview 2-124
Design Strategies for Network Survivability 2-126
Implementing Network Resiliency 2-127
Implementing Device Resiliency 2-130
Implementing Operational Resiliency 2-141
Summary 2-150

CHAPTER 3 Medium Enterprise Design Profile (MEDP)—WAN Design 3-1

WAN Design 3-1
WAN Transport 3-3
Private WAN Service 3-3
Internet Service 3-4
Metro Service 3-4
Leased-Line Service 3-7
WAN Aggregation Platform Selection in the Medium Enterprise Design Profile 3-7
Main Site WAN Aggregation Platform Selection 3-8
Large Remote Site WAN Aggregation Platform Selection 3-10
Medium Remote Site WAN Aggregation Platform Selection 3-10
Small Remote Site WAN Aggregation Platform Selection 3-11
Implementation of WAN Reference Design 3-11
WAN Infrastructure Design 3-11
Leased-Line Service 3-12
Routing Design 3-13
QoS 3-19
QoS Implementation 3-21
QoS Implementation at WAN Aggregation Router 1 3-22
Implementation Steps for QoS Policy at WAN Aggregation Router 1 3-24
QoS Policy Implementation for WAN Aggregation Router 2 3-26
QoS Policy Between the Main Site and Large Remote Site 3-29
QoS Policy Between the Main Site and Medium Remote Site Location 3-30
QoS Policy Between Main Site and Small Remote Site Location 3-32
QoS Policy Implementation Between the Main Site and Core 3-33
QoS Policy Between Large Remote Site and Main Site Location 3-34
QoS Policy Between Remote Medium Site and Main Site Location 3-36
QoS Policy Implementation Between Small Remote Site and Main Site Location 3-37
Redundancy 3-38
Multicast 3-43
Summary 3-46

CHAPTER 4 Medium Enterprise Design Profile (MEDP)—Mobility Design 4-1

Mobility Design 4-1
Accessibility 4-5
WLAN Controller Location 4-7
WLAN Controller Connectivity 4-8
Controller Connectivity to the Wired Network 4-8
Controller Connectivity to Wireless Devices 4-10
Access Points 4-19
Usability 4-26
Quality-of-Service 4-26
Guest Access 4-27
Manageability 4-32
Reliability 4-35
Controller Link Aggregation 4-35
Controller Redundancy 4-38
AP Controller Failover 4-40
Wireless LAN Controller Configuration 4-40
WLAN Controller and Wired Network Connections 4-41
Remote Site 4-43
Mobility Groups 4-43
WLAN Configuration 4-45
Staff Data WLAN 4-45
Staff Voice WLAN 4-46
Guest Access WLAN 4-46
WLAN QoS 4-49
Access Point Configuration 4-50
AP 1520 Configuration 4-51
Adding the AP1520 MAC Address to the WLAN Controller 4-52
Configuring the AP1520 as a Root Access Point (RAP) 4-52
WCS Configuration 4-54
WCS Users and User Groups 4-54
WCS Virtual Domains 4-55
Reference Documents 4-57

CHAPTER 5 Medium Enterprise Design Profile (MEDP)—Network Security Design 5-1

Security Design 5-1
Network Foundation Protection 5-6
Internet Perimeter Protection 5-8
Internet Border Router Security 5-10
Internet Firewall 5-10
Cisco ASA Botnet Traffic Filter 5-11
Intrusion Prevention 5-13
Cisco IPS Global Correlation 5-14
E-Mail Security Guidelines 5-17
Web Security Guidelines 5-22
Data Center Protection 5-26
Network Access Security and Control 5-28
Cisco Catalyst Integrated Security Features 5-29
Cisco Unified Wireless Network (CUWN) Integrated Security Features 5-29
Cisco Identity-Based Network Services (IBNS) 5-30
IEEE 802.1X Protocol 5-30
802.1X on the Network 5-31
802.1X and EAP 5-31
Impacts of 802.1X in Medium Enterprise Networks 5-32
Cisco NAC Appliance 5-32
NAC Appliance Components 5-33
NAC Appliance Modes and Positioning 5-35
NAC Deployment in the Medium Enterprise Design Profile 5-39
Secure Mobility 5-44
Threats Mitigated 5-46
Medium Enterprise Network Security Deployment Guidelines 5-47
Internet Border Router Edge ACL Deployment 5-47
Module 1—Implement Anti-spoofing Denies 5-47
Module 2—Implement Explicit Permits 5-48
Module 3—Implement Explicit Deny to Protect Infrastructure 5-48
Module 4—Implement Explicit Permit for Traffic to the Enterprise Public Subnet 5-48
Internet Firewall Deployment 5-48
Firewall Hardening and Monitoring 5-50
Network Address Translation (NAT) 5-52
Firewall Access Policies 5-52
Firewall Redundancy 5-55
Routing 5-56
Botnet Traffic Filter 5-57
Intrusion Prevention Deployment 5-61
Deploying IPS with the Cisco ASA 5-61
IPS Global Correlation Deployment 5-61
Web Security Deployment 5-66
Initial System Setup Wizard 5-67
Interface and Network Configuration 5-67
WCCP Transparent Web Proxy 5-71
Web Access Policies 5-74
Catalyst Integrated Security Features Deployment 5-75
NAC Appliance Deployment 5-76
NAC Deployment for Wired Clients 5-76
NAC Deployment for Wireless Clients 5-89
Additional Information 5-98

APPENDIX A Reference Documents A-1

CHAPTER 1 Medium Enterprise Design Profile (MEDP)—Service Fabric Design Considerations

The service fabric is the foundational network that all enterprise services, applications, and solutions use to interact and communicate with one another. The service fabric is made up of four distinct components: local and wide area network (LAN/WAN), security, mobility, and unified communications. Each of these critical foundation components must be carefully designed and tuned to allow for a secure environment that provides business continuity, service awareness and differentiation, as well as access flexibility. See Figure 1-1.

Figure 1-1 Service Fabric Foundation (figure: the Enterprise Design Profiles rest on Network Foundation Guidance, Cisco SAFE Security Architecture Guidance, Mobility Guidance, and Collaboration Services Guidance)

The service fabric is the most important component of the Medium Enterprise Design Profile. If it fails, all applications, solutions, and technologies deployed in the Medium Enterprise Design Profile will also fail. Like the foundation of a house, the service fabric must be constructed in a fashion that supports all the applications and services that will ride on it. Additionally, it must be aware of what type of traffic is traversing it and treat each application or service with the right priority based on the needs and importance of that application.

Service Fabric Design

The model used for the Medium Enterprise Design Profile service fabric is based around the desire to represent as many medium enterprise environments as possible. To do that, a modular design is used, represented by sites and buildings of varying sizes (see Figure 1-2). The sites are made up of one or more buildings, depending on the site size profile. Additionally, buildings are also sized, with the determining factor being the number of users or connections to the network in that building as well as physical size. When representing a working room, an average size of 35 users per work area is used. This approach allows the network architect to essentially build their own medium enterprise environment by mixing the different site and building profiles provided.

Figure 1-2 Medium Enterprise Design Profile Overview (figure: the main/large site with large, medium, small, and extra small buildings connected to the core; the core connects to the Internet edge, the secure service block (wireless LAN controller, NAC server, WAE), the data center (Cisco ACS, NAC manager, UCM, SRST/video gateway, video surveillance media server, E-mail and web servers), and the serverfarm; the Internet edge carries the web and E-mail security appliances fed by Cisco Security Intelligence Operations/SensorBase; the remote large, medium, and small sites connect over Metro Ethernet and HDLC links)

Main and Large Site Design

The main and large site designs are meant to represent significantly sized sites containing the largest user populations. The main site and large site are almost identical, with the exception that the main site is connected to outside entities such as the Internet using the Internet edge components, and will also have all other sites within the enterprise connecting to it. The profile of the main/large site is made up of six buildings; the buildings range in size from large to extra small. The buildings will connect back to the resilient core via multiple 10Gb Ethernet links. The core will also connect to a serverfarm design and service block. The large site will connect to the main site via a 1Gb Metro Ethernet link. Additionally, it is expected that half of all network access will be via wireless.

Medium Site Design

The medium site design is targeted at enterprise sites that have approximately 3 buildings ranging in size from medium to small. The buildings will connect to the medium site core via multiple 10Gb links, and the core will also connect to a small serverfarm and service block. The medium site is connected to the main site via a 100mb Metro Ethernet link. This link interconnects the medium site to the other sites as well as external networks such as the Internet.

Small Site Design

The small site profile represents a site made up of just one building; in this case, the core and distribution networks are collapsed into one. The small site is connected to the main site via a fractional DS3 with a 20mb bandwidth rating. This link interconnects the small site to the other sites as well as external networks such as the Internet.

Building Profiles

There are four building profiles: large, medium, small, and extra small. All buildings have access switches that connect users. The buildings also have distribution switches that connect the access switches together as well as connect the building itself to the core network.

Large Building Design

The large building is designed for 1600 Ethernet access ports ranging in bandwidth from 100mb to 1Gb. The ports are distributed over four different floors, each floor having 400 access ports. There are 80 wireless access points using the IEEE 802.11 ABGN standards, 20 access points per floor; additionally, there are 6 outdoor mesh access points to cover the outdoor skirt of the building. The large building is designed for 160 phones.

Medium Building Design

The medium building was designed for 800 Ethernet access ports ranging in bandwidth from 100mb to 1Gb. The ports are distributed over two different floors, each floor having 400 access ports. There are 40 wireless access points using the IEEE 802.11 ABGN standards, 20 access points per floor; additionally, there are four outdoor mesh access points to cover the outdoor skirt of the building. The medium building is designed for 80 phones.

Small Building Design

The small building is designed for 200 Ethernet access ports ranging in bandwidth from 100mb to 1Gb. The ports are all located on one floor. There are 10 wireless access points using the IEEE 802.11 ABGN standards; additionally, there are 2 outdoor mesh access points to cover the outdoor skirt of the building. The small building is designed for 30 phones.

Extra Small Building Design

The extra small building is designed for 48 100mb Ethernet access ports. The ports are all located on one floor. There are 3 wireless access points using the IEEE 802.11 ABGN standards; additionally, there is 1 outdoor mesh access point to cover the outdoor skirt of the building. The extra small building is designed for 10 phones.

Access Devices

The devices that connect to the Medium Enterprise Design Profile network include phones, desktops, laptops, cameras, displays, mobile phones, and personal devices (iPod, MP3, etc). Half of all the devices are expected to connect to the network using 802.11 ABGN wireless access.

LAN/WAN Design Considerations

The service fabric LAN/WAN is made up of routers and switches deployed in a three-tier hierarchical model that use Cisco IOS to provide the foundational network technologies needed to provide a highly available, application-aware network with flexible access. The service fabric consists of four major components. The sections below provide a brief description of each of these components.

LAN Design Considerations

Hierarchical network design model components:

• Core layer—The site backbone consisting of a Layer-3 core network interconnecting to several distributed networks and the shared services block to access local and global information.

• Distribution layer—The distribution layer uses a combination of Layer-2 and Layer-3 switching to provide for the appropriate balance of policy and access controls, availability, and flexibility in subnet allocation and VLAN usage.

• Access layer—Demarcation point between network infrastructure and access devices. Designed for critical network edge functionality to provide intelligent application and device aware services.

Routing Protocol Selection Criteria

Routing protocols are essential for any network, because they allow for the routing of information between buildings and sites. Selecting the right routing protocol can vary based on the end-to-end network infrastructure. The service fabric routers and switches support many different routing protocols that will work in medium enterprise environments. Network architects must consider all the following critical design factors when selecting the right routing protocol to be implemented throughout the internal network:

• Network design—Proven protocol that can scale in full-mesh site network designs and can optimally function in hub-and-spoke WAN network topologies.

• Scalability—Routing protocol function must be network and system efficient, operating with a minimal number of updates and with recomputation independent of the number of routes in the network.

• Rapid convergence—Link state versus DUAL recomputation and synchronization. Network reconvergence also varies based on network design, configuration, and a multitude of other factors which are beyond the routing protocol.

• Operational considerations—Simplified network and routing protocol design that can ease the complexities of configuration, management, and troubleshooting.

High Availability Design Considerations

To ensure business continuity and prevent catastrophic network failure during an unplanned network outage, it is important to identify network fault domains and define rapid recovery plans to minimize the application impact during minor and major network outages. The service fabric design must ensure network survivability by following three major resiliency methods pertaining to most types of failures. Depending on the network system tier, role, and network service type, the appropriate resiliency option should be deployed:

• Link resiliency—Provides redundancy during physical link failures (i.e., fiber cut, bad transceivers, incorrect cablings, etc.)

• Device resiliency—Protects the network during abnormal node failure triggered by hardware or software (i.e., software crashes, non-responsive supervisor, etc.)

• Operational resiliency—Enables higher level resiliency capabilities, providing complete network availability even during planned network outage conditions.

Access Layer Design Considerations

The access layer represents the entry into the network, consisting of wired and wireless access from the client to the network. The switch that the client connects to will ultimately connect up to the network distribution, and the layer of communication used here must be considered in any design. Traditional Layer 2 connectivity is prevalent in most networks today; however, it comes at some cost in administration, configuration, and timely resiliency. The emerging method of connectivity is a Layer 3 connection, commonly referred to as routed-access. Performing the routing function in the access-layer simplifies configuration, optimizes distribution performance, and allows for the use of well known end-to-end troubleshooting tools. Implementing a Layer 3 access-layer in lieu of the traditional Layer 2 access replaces the required Layer 2 trunks with a single point-to-point Layer 3 link. Implementing Layer 3 access does not require any physical or logical link reconfiguration or changes. Pushing the Layer 3 function one tier down onto Layer 3 access switches changes the traditional multilayer network topology and the forwarding path. See Figure 1-3.
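The two access-layer models described above, as an added example that is not from the guide: a Cisco IOS switch configuration for a traditional Layer 2 (multilayer) access switch, beside the routed-access configuration that replaces its trunk with one point-to-point Layer 3 link. The interface names, the EIGRP autonomous system number 100, and all addresses (10.1.x.x) are assumed for illustration; the VLAN numbers and names (10 Admin, 20 Library, 30 Arts) are the ones shown in Figure 1-3.

```ios
! Added example, not the guide's own configuration. Interface names, addresses and
! EIGRP AS 100 are assumed. User VLANs follow Figure 1-3.
vlan 10
 name Admin
vlan 20
 name Library
vlan 30
 name Arts
!
! User-facing ports are identical in both models: Layer 2 access ports, with
! PortFast and BPDU Guard so an end-user port can never become part of the STP topology.
interface range GigabitEthernet1/0/1 - 48
 description User access ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ===== Model 1: multilayer (Layer 2) access =====
! The uplink is an 802.1Q trunk carrying every user VLAN, so spanning tree and the
! Layer 2 fault domain extend up to the distribution layer (the STP root and gateway).
interface TenGigabitEthernet1/1/1
 description Layer 2 trunk uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! ===== Model 2: routed access (Layer 3) =====
! The trunk is replaced by a single point-to-point Layer 3 link; the access switch is
! now the IP gateway for its VLANs and the Layer 2 boundary ends here.
ip routing
!
interface TenGigabitEthernet1/1/1
 description Point-to-point Layer 3 uplink to distribution
 no switchport
 ip address 10.1.255.1 255.255.255.252
!
interface Vlan10
 description Admin gateway
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 description Library gateway
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
 description Arts gateway
 ip address 10.1.30.1 255.255.255.0
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 ! Form adjacencies only on the uplink; user VLANs never hear or send routing updates.
 passive-interface default
 no passive-interface TenGigabitEthernet1/1/1
 ! Advertise only connected prefixes so the access switch can never become a transit path.
 eigrp stub connected
```

In the routed-access model the administrative trade-off the text mentions is visible: every access switch now carries a routing process and per-VLAN addressing, which is the price paid for removing the Layer 2 trunks and the spanning-tree dependency on the distribution layer. `passive-interface default` and `eigrp stub connected` are design choices made here, not requirements of the model: they keep the routing protocol off user-facing VLANs and limit what the access switch advertises, so a compromised or misconfigured edge device cannot inject routes or draw transit traffic.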

Figure 1-3 Control Function in Multi-Layer and Routed-Access Network Design (figure: a multi-layer network with routing in the core/distribution and STP across the Layer 2 access, beside a routed-access network with routing extended to the access layer; both carry the Admin, Library, and Arts VLANs 10, 20, and 30 on the access switches)

At the network edge, Layer 3 access switches provide an IP gateway function and become a Layer-2 demarcation point for locally connected endpoints that could be logically segmented into multiple VLANs.

LAN Service Fabric Foundational Services

The service fabric uses essential foundational services to efficiently disseminate information that is used by multiple clients, as well as to identify and prioritize different applications' traffic based on their requirements. Designing the foundational services in a manner consistent with the needs of the medium enterprise is paramount. Some of the key foundational services discussed include the following:

• Multicast routing protocol design considerations

• Designing QoS in the site network

WAN Design Considerations

WAN Transport

In order for sites to communicate with one another and/or to communicate outside the medium enterprise network, the network traffic must traverse a WAN. WAN transport differs greatly from LAN transport due to variables such as the type of connection used, the speed of the connection, and the distance of the connection. The service fabric design model covers the following WAN transport design considerations:

• MPLS/VPN

• Internet

• Metro Ethernet

WAN Service Fabric Foundational Services

Similar to the LAN, the WAN must deploy essential foundational services to ensure the proper transport and prioritization of medium enterprise services. The WAN Service Fabric Foundational Services considered are as follows:
• Routing protocol design
• Quality-of-service (QoS)
• WAN resiliency
• Multicast

Security Design Considerations

Security of the Medium Enterprise Design Profile service fabric is essential; otherwise medium enterprise solutions, applications, and services are open to be compromised, manipulated, or shut down. The service fabric was developed with the following security design considerations:
• Network Foundation Protection (NFP)—Ensuring the availability and integrity of the network infrastructure, protecting the control and management planes.
• Internet perimeter protection—Ensuring safe connectivity to the Internet and external (extranets) networks and protecting internal resources and users from malware, viruses, and other malicious software. Protecting users from harmful content. Enforcing E-mail and web browsing policies.
• Data center protection—Ensuring the availability and integrity of centralized applications and systems. Protecting the confidentiality and privacy of users.
• Network access security and control—Securing the access edges. Enforcing authentication and role-based access for users residing at the main and remote sites. Ensuring systems are up-to-date and in compliance with the medium enterprise's network security policies.
• Network endpoint protection—Protecting servers and enterprise-controlled systems (desktops, laptops, etc.) from viruses, malware, botnets, and other malicious software. Enforcing E-mail and web browsing policies for enterprise users.

Each of these security design considerations is discussed in further detail in Chapter 5, "Medium Enterprise Design Profile (MEDP)—Network Security Design."

Mobility

Mobility is an essential part of the enterprise environment. Most users will connect wirelessly to site networks, regardless of whether they are meeting in a conference room, at lunch with colleagues in the site cafeteria, or simply enjoying a breath of fresh air outside a site building. Additionally, other devices will also rely on the mobile network. In designing the mobility portion of the service fabric, the following design criteria were used:
• Accessibility—Enables enterprise users and guests to be accessible and productive. Provide easy, secure guest access to guests such as temporary workers, visiting colleagues, contractors, vendors and other visitors.

• Security—Segment authorized users and block unauthorized users. Extend the services of the network safely to authorized parties. Enforce security policy compliance on all devices seeking to access network computing resources.
• Usability—In addition to extremely high WLAN transmission speeds made possible by the current generation of IEEE 802.11n technology, latency sensitive applications (such as IP telephony and video-conferencing) are supported over the WLAN using appropriately applied QoS. This gives preferential treatment to real-time traffic, helping to ensure that video and audio information arrives on time. Enterprise users enjoy rapid and reliable authentication through IEEE 802.1x and Extensible Authentication Protocol (EAP), with all information sent and received on the WLAN being encrypted.
• Manageability—Enterprise network administrators must be able to easily deploy, operate, and manage hundreds of access points within multiple enterprise site deployments. A single, easy to understand WLAN management framework is desired to provide small, medium and large sites within the enterprise with the same level of wireless LAN management scalability, reliability and ease of deployment that is demanded by very large enterprise business customers.
• Reliability—Provide adequate capability to recover from a single-layer fault of a WLAN accessibility component or controller wired link. Ensure that wireless LAN accessibility is maintained for users and visitors in the event of common failures.

Unified Communications

Call Processing Considerations

How calls are processed in the medium enterprise environment is an important design consideration. Guidance on designing scalable and resilient call processing systems is essential for deploying a unified communications system. Some of the considerations include the following:
• Scale—The number of users, gateways, locations, applications, and so forth
• Performance—The call rate
• Resilience—The amount of redundancy

Gateway Design Considerations

Gateways provide a number of methods for connecting an IP telephony network to the Public Switched Telephone Network (PSTN). Several considerations for gateways include the following:
• PSTN trunk sizing
• Traffic patterns
• Interoperability with the call processing system

Dial Plan Considerations

The dial plan is one of the key elements of a unified communications system, and an integral part of all call processing agents. Generally, the dial plan is responsible for instructing the call processing agent on how to route calls. Specifically, the dial plan performs the following main functions:
• Endpoint addressing
• Path selection
• Calling privileges
• Digit manipulation
• Call coverage

Survivability Considerations

Voice communications are a critical service that must be maintained in the event of a network outage; for this reason, the service fabric must take survivability into consideration.


Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design

LAN Design

The Medium Enterprise LAN design is a multi-campus design, where a campus consists of multiple buildings and services at each location, as shown in Figure 2-1.

Figure 2-1 Medium Enterprise LAN Design (Main Site with Large, Medium, Small and Extra Small Buildings, Services Block, Data Center and Internet Edge; Remote Large, Medium and Small Sites, each with a Services Block and Data Center, interconnected over WAN, PSTN and Internet)

Figure 2-2 shows the service fabric design model used in the medium enterprise LAN design.

Figure 2-2 Medium Enterprise LAN Design Service Fabric Design Model (Mobility, Security and Unified Communications over the Local Area Network (LAN) and Wide Area Network (WAN))

This chapter focuses on the LAN component of the overall design. The LAN component consists of the LAN framework and network foundation technologies that provide baseline routing and switching guidelines, which becomes a common framework along with critical network technologies to deliver the foundation for the service fabric design. This LAN design provides guidance on building the next-generation medium enterprise network, to provide a foundation on which mobility, security, and unified communications (UC) can be integrated into the overall design. The LAN design interconnects several other components, such as endpoints, data center, WAN, and so on.

This chapter is divided into the following sections:
• LAN design principles—Provides proven design choices to build various types of LANs.
• LAN design model for the medium enterprise—Leverages the design principles of the tiered network design to facilitate a geographically dispersed enterprise campus network made up of various elements, including networking role, size, capacity, and infrastructure demands.
• Considerations of a multi-tier LAN design model for medium enterprises—Provides guidance for the enterprise campus LAN network as a platform with a wide range of next-generation products and technologies to integrate applications and solutions seamlessly.
• Designing network foundation services for LAN designs in medium enterprise—Provides guidance on deploying various types of Cisco IOS technologies to build a simplified and highly available network design to provide continuous network operation. This section also provides guidance on designing network-differentiated services that can be used to customize the allocation of network resources to improve user experience and application performance, and to protect the network against unmanaged devices and applications.

LAN Design Principles

Any successful design or system is based on a foundation of solid design theory and principles. Designing the LAN component of the overall medium enterprise LAN service fabric design model is no different than designing any large networking system. The use of a guiding set of fundamental engineering design principles serves to ensure that the LAN design provides for the balance of availability, security, flexibility, and manageability required to meet current and future advanced and emerging technology needs.

This chapter provides design guidelines that are built upon the following principles to allow a medium enterprise network architect to build enterprise campuses that are located in different geographical locations:
• Hierarchical
  – Facilitates understanding the role of each device at every tier
  – Simplifies deployment, operation, and management
  – Reduces fault domains at every tier
• Modularity—Allows the network to grow on an on-demand basis
• Resiliency—Satisfies user expectations for keeping the network always on
• Flexibility—Allows intelligent traffic load sharing by using all network resources

These are not independent principles. The successful design and implementation of a campus network requires an understanding of how each of these principles applies to the overall design. In addition, understanding how each principle fits in the context of the others is critical in delivering the hierarchical, modular, resilient, and flexible network required by medium enterprises today.

Designing the medium enterprise LAN building blocks in a hierarchical fashion creates a flexible and resilient network foundation that allows network architects to overlay the security, mobility, and UC features essential to the service fabric design model, as well as providing an interconnect point for the WAN aspect of the network. The two proven, time-tested hierarchical design frameworks for LAN networks are the three-tier layer and the two-tier layer models, as shown in Figure 2-3.

Figure 2-3 Three-Tier and Two-Tier LAN Design Models (Three-Tier LAN Design: Core, Distribution, Access; Two-Tier LAN Design: Collapsed Core/Distribution, Access)

The key layers are access, distribution and core. Each layer can be seen as a well-defined structured module with specific roles and functions in the LAN network. Introducing modularity in the LAN hierarchical design further ensures that the LAN network remains resilient and flexible to provide critical network services as well as to allow for growth and changes that may occur in a medium enterprise.

• Access layer
The access layer represents the network edge, where traffic enters or exits the campus network. Traditionally, the primary function of an access layer switch is to provide network access to the user. Access layer switches connect to the distribution layer switches to perform network foundation technologies such as routing, quality of service (QoS), and security. To meet network application and end-user demands, the next-generation Cisco Catalyst switching platforms no longer simply switch packets, but now provide intelligent services to various types of endpoints at the network edge. Building intelligence into access layer switches allows them to operate more efficiently, optimally, and securely.

• Distribution layer
The distribution layer interfaces between the access layer and the core layer to provide many key functions, such as the following:
  – Aggregating and terminating Layer 2 broadcast domains
  – Aggregating Layer 3 routing boundaries
  – Providing intelligent switching, routing, and network access policy functions to access the rest of the network
  – Providing high availability through redundant distribution layer switches to the end-user and equal cost paths to the core, as well as providing differentiated services to various classes of service applications at the edge of network

• Core layer
The core layer is the network backbone that connects all the layers of the LAN design, providing for connectivity between end devices, computing and data storage services located within the data center and other areas, and services within the network. The core layer serves as the aggregator for all the other campus blocks, and ties the campus together with the rest of the network.

Note For more information on each of these layers, see the enterprise class network framework at the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html.

Figure 2-4 shows a sample three-tier LAN network design for medium enterprises where the access, distribution, and core are all separate layers. To build a simplified, cost-effective, and efficient physical cable layout design, Cisco recommends building an extended-star physical network topology from a centralized building location to all other buildings on the same campus.

Figure 2-4 Three-Tier LAN Network Design Example (Core in Building A – Management; Distribution and Access in Building B – Marketing and Sales, Building C – Engineering, Building D – Research and Development, Building E – Information Technology and Building F – Data Center)

The primary purpose of the core layer is to provide fault isolation and backbone connectivity. Isolating the distribution and core into separate layers creates a clean delineation for change control between activities affecting end stations (laptops, phones, and printers) and those that affect the data center, WAN, or other parts of the network. A core layer also provides for flexibility in adapting the campus design to meet physical cabling and geographical challenges. If necessary, a separate core layer can use a different transport technology, routing protocols, or switching hardware than the rest of the campus, providing for more flexible design options when needed.

In some cases, because of either physical or network scalability, having separate distribution and core layers is not required. In smaller locations where there are fewer users accessing the network or in campus sites consisting of a single building, separate core and distribution layers are not needed. In this scenario, Cisco recommends the two-tier LAN network design, also known as the collapsed core network design. Figure 2-5 shows a two-tier LAN network design example for a medium enterprise LAN where the distribution and core layers are collapsed into a single layer.

Figure 2-5 Two-Tier Network Design Example (Access on Floor 6 – Research and Development, Floor 5 – Engineering, Floor 4 – Serverfarm, Floor 3 – Information Technology and Floor 2 – Management; Collapsed Distribution/Core connecting to WAN and PSTN)

If using the small-scale collapsed campus core design, the enterprise network architect must understand the network and application demands so that this design ensures a hierarchical, modular, resilient, and flexible LAN network.

Medium Enterprise LAN Design Models

Both LAN design models (three-tier and two-tier) have been developed with the following considerations:
• Scalability—Based on Cisco enterprise-class high-speed 10G core switching platforms for seamless integration of next-generation applications required for medium enterprises. Platforms chosen are cost-effective and provide investment protection to upgrade the network as demand increases.
• Simplicity—Reduced operational and troubleshooting cost via the use of network-wide configuration, operation, and management.
• Resilient—Sub-second network recovery during abnormal network failures or even network upgrades.
• Cost-effectiveness—Integrated specific network components that fit budgets without compromising performance.

As shown in Figure 2-6, multiple campuses can co-exist within a single medium enterprise system that offers various academic programs.

Figure 2-6 Medium Enterprise LAN Design Model (Main Large Site with Large, Medium, Small and Extra Small Buildings on Cisco 6500 VSS, Cisco 4500 and Cisco 3750 StackWise, a Cisco 6500 VSS Core, Data Center Block, Service Block, DMZ and Internet Edge; Remote Large, Medium and Small Sites with their own Data Center Blocks, interconnected over MetroE, HDLC, PSTN and Internet)

Using high-speed WAN technology, all the remote medium enterprise campuses interconnect to a centralized main site that provides shared services to all the employees independent of their physical location. Depending on the remote campus office facility, the number of employees and the networked devices in remote campuses may be equal to or less than the main site. Campus network designs for the remote campus may require adjusting based on overall campus capacity, as discussed in more detail in the following section.

The WAN design is discussed in greater detail in the next chapter, but it is worth mentioning in the LAN section because some remote sites may integrate LAN and WAN functionality into a single platform. Collapsing the LAN and WAN functionality into a single Cisco platform can provide all the needed requirements for a particular remote site as well as provide reduced cost to the overall design. Table 2-1 shows a summary of the LAN design models as they are applied in the overall medium enterprise network design.

Table 2-1 Medium Enterprise Recommended LAN Design Model

Medium Enterprise Location    Recommended LAN Design Model
Main campus                   Three-tier
Remote large campus           Three-tier
Remote medium campus          Three-tier with collapsed WAN edge
Remote small campus           Two-tier

Main Site Network Design

The main site in the medium enterprise design consists of a centralized hub campus location that interconnects several sizes of remote campuses to provide end-to-end shared network access and services, as shown in Figure 2-7.

Figure 2-7 Main Site Reference Design (Access, Distribution and Core for Large, Medium, Small and Extra Small Buildings; Data Center Block; Service Block; DMZ; WAN Edge with QFP Gateway to WAN and PSTN; Internet Edge with QFP to GigaPOP, Internet and NLR)

The main site typically consists of various sizes of building facilities and various organization department groups. The network scale factor in the main site is higher than the remote campus site, and includes end users, IP-enabled endpoints, servers, and security and network edge devices. Multiple buildings of various sizes exist in one location, as shown in Figure 2-8.

Figure 2-8 Main Site Reference Design (Access, Distribution and Core for Large, Medium and Small Buildings; Data Center Block; Service Block; WAN Edge with QFP Gateway to WAN and PSTN)

The three-tier LAN design model for the main site meets all key technical aspects to provide a well-structured and strong network foundation. The modularity and flexibility in a three-tier LAN design model allows easier expansion and integration in the main site network, and keeps all network elements protected and available. To enforce external network access policy for each end user, the three-tier model also provides external gateway services to the employees for accessing the Internet and network services.

Note The WAN design is a separate element in this location, because it requires a separate WAN device that connects to the three-tier LAN model. WAN design is discussed in more detail in Chapter 3, "Medium Enterprise Design Profile (MEDP)—WAN Design."

Remote Large Campus Site Design

From the location size and network scale perspective, the remote large site is not much different from the main site, with the same common types of applications, users, and endpoints. The remote large site can also be considered as an alternate campus to the main campus site. Geographically, it can be distant from the main campus site and requires a high-speed WAN circuit to interconnect both campuses. Similar to the main site, Cisco recommends the three-tier LAN design model for the remote large site campus, as shown in Figure 2-9. Similar to the main site, given the size and number of employees at this location, separate WAN devices are recommended to provide application delivery and access to the main site.

Figure 2-9 Remote Large Campus Site Reference Design (Access, Distribution and Core for Medium and Small Buildings; Data Center Block; Service Block; WAN Edge Gateway to WAN and PSTN)

Remote Medium Campus Site Design

Remote medium campus locations differ from a main or remote large site campus in that there are fewer buildings with distributed organization departments. A remote medium campus may have a fewer number of network users and endpoints, thereby reducing the need to build a similar campus network to that recommended for main and large campuses. A remote medium campus network is designed similarly to a three-tier large campus LAN design. All the LAN benefits are achieved in a three-tier design model as in the main and remote large site campus, and in addition, the platform chosen in the core layer also serves as the WAN edge, thus collapsing the WAN and core LAN functionality into a single platform. Because there are fewer employees and networked devices at this site as compared to the main or remote large site campus sites, the need for a separate WAN device may not be necessary. Figure 2-10 shows the remote medium campus in more detail.

Figure 2-10 Remote Medium Campus Site Reference Design (Access; collapsed Distribution/Core; Data Center Block; Service Block; WAN Edge Gateway to WAN and PSTN)

Remote Small Campus Network Design

The remote small campus is typically confined to a single building that spans across multiple floors with different academic departments. The network scale factor in this design is reduced compared to other large campuses. However, the application and services demands are still consistent across the medium enterprise locations. In such smaller scale campus network deployments, the distribution and core layer functions can collapse into the two-tier LAN model without compromising basic network demands. A single Cisco platform can provide collapsed core and distribution LAN layers, and improves overall network efficiency and manageability. This design model is recommended only in smaller locations. Before deploying a collapsed core and distribution layer in the remote small campus network, considering all the scale and expansion factors prevents physical network re-design.

Similar to the remote medium campus location, the WAN functionality is also collapsed into the LAN functionality. Although the network scale factor is reduced compared to other larger campus locations, sufficient WAN link capacity is needed to deliver consistent network services to employees, and WAN traffic and application needs must be considered. WAN bandwidth requirements must be assessed appropriately for this remote small campus network design. Figure 2-11 shows the remote small campus in more detail.

Figure 2-11 Remote Small Campus Site Reference Design (Access, Distribution and Core for Medium and Small Buildings; Data Center Block; Service Block; WAN Edge Gateway to WAN and PSTN)

Multi-Tier LAN Design Models for Medium Enterprise

The previous section discussed the recommended LAN design model for each medium enterprise location. Each LAN design model for a medium enterprise location is based on the key LAN layers of core, distribution, and access. This section provides more detailed design guidance for each tier in the LAN design model. Each design recommendation is optimized to keep the network simplified and cost-effective without compromising network scalability, security, and resiliency.

Campus Core Layer Network Design

As discussed in the previous section, the core layer becomes a high-speed intermediate transit point between distribution blocks in different premises and other devices that interconnect to the data center, WAN, and Internet edge. Similarly to choosing a LAN design model based on a location within the medium enterprise design, choosing a core layer design also depends on the size and location within the design. Three core layer design models are available, each of which is based on either the Cisco Catalyst 6500-E Series or the Cisco Catalyst 4500-E Series Switches. Figure 2-12 shows the three core layer design models.

Figure 2-12 Core Layer Design Models for Medium Enterprises (Core Design Option 1: Core built from Switch-1 and Switch-2 joined by a VSL, Cisco Catalyst 6500; Core Design Option 2: single Core, Cisco Catalyst 4500; Core Design Option 3: Collapsed Core/Distribution, Cisco Catalyst 4500)

Each design model offers consistent network services, high availability, expansion flexibility, and network scalability. The following sections provide detailed design and deployment guidance for each model as well as where they fit within the various locations of the medium enterprise design.

Core Layer Design Option 1—Cisco Catalyst 6500-E-Based Core Network

Core layer design option 1 is specifically intended for the main and remote large site campus locations. It is assumed that the number of network users, high-speed and low-latency applications (such as Cisco TelePresence), and the overall network scale capacity is common in both sites and thus, similar core design principles are required. Core layer design option 1 is based on Cisco Catalyst 6500 Series switches using the Cisco Virtual Switching System (VSS), which is a software technology that builds a single logical core system by clustering two redundant core systems in the same tier. Building a VSS-based network changes network design, operation, cost, and management dramatically. Figure 2-13 shows the physical and operational view of VSS.

Figure 2-13 VSS Physical and Operational View (Virtual Switch Domain: Switch-1 and Switch-2 connected by a VSL, operating as VSS – Single Logical Switch)

To provide end-to-end network access, the core layer interconnects several other network systems that are implemented in different roles and service blocks. Using VSS to virtualize the core layer into a single logical system remains transparent to each network device that interconnects to the VSS-enabled core. The single logical connection between the core and the peer network devices builds a reliable, point-to-point connection that develops a simplified network topology and builds distributed forwarding tables to fully use all resources. Figure 2-14 shows a reference VSS-enabled core network design for the main campus site.

Figure 2-14 VSS-Enabled Core Network Design (Access, Distribution and VSL-joined Core for Large, Medium, Small and Extra Small Buildings; Internet Edge Block with DMZ; Data Center Block; Service Block; WAN Edge with QFP Gateway to WAN and PSTN; Internet Edge with QFP to Gigapop, Internet and NLR)

Note For more detailed VSS design guidance, see the Campus 3.0 Virtual Switching System Design Guide at the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG.html.

Core Layer Design Option 2—Cisco Catalyst 4500-E-Based Campus Core Network

Core layer design option 2 is intended for a remote medium-sized campus and is built on the same principles as for the main and remote large site campus locations. The size of this remote site may not be large, and it is assumed that this location contains distributed building premises within the remote medium campus design. Because this site is smaller in comparison to the main and remote large site campus locations, a fully redundant, VSS-based core layer design may not be necessary. Therefore, core layer design option 2 was developed to provide a cost-effective alternative while providing the same functionality as core layer design option 1. Figure 2-15 shows the remote medium campus core design option in more detail.

Figure 2-15 Remote Medium Campus Core Network Design (Access, Distribution and single Core for Medium and Small Buildings; Shared Service Block; Data Center Block; Service Block; WAN Edge Gateway to WAN and PSTN)

The cost of implementing and managing redundant systems in each tier may introduce complications in selecting the three-tier model, especially when the network scale factor is not too high. Although a fully redundant, two-chassis design using VSS as described in core layer option 1 provides the greatest redundancy for large-scale locations, the redundant supervisors and line cards of the Cisco Catalyst 4500-E provide adequate redundancy for smaller locations within a single platform. The Cisco Catalyst 4500-E Series modular platform is a one-size platform that helps enable the high-speed core backbone to provide uninterrupted network access within a single chassis. Instead of a redundant node in the same tier, a single Cisco Catalyst 4500-E Series Switch can be deployed in the core role and bundled with 1+1 redundant in-chassis network components. This cost-effective core network design provides protection against various types of hardware and software failure and offers sub-second network recovery. Figure 2-16 shows the redundancy of the Cisco Catalyst 4500-E Series in more detail.

Figure 2-16 Highly Redundant Single Core Design Using the Cisco Catalyst 4500-E Platform (Core with Redundant Supervisor, Redundant Line Cards and Redundant Power Cycle; Diverse Fiber Paths to Distribution)

This core network design builds a network topology that has similar common design principles to the VSS-based campus core in core layer design option 1. The Layer 3 network ports must be bundled into a single point-to-point logical EtherChannel to simplify the network. An EtherChannel-based campus network offers similar benefits to a Multi-chassis EtherChannel (MEC)-based network, such as the VSS-enabled campus design. The future exp&#0;ansion from a single core to a dual VSS-based core system becomes easier to deploy, and helps retain the original network topology and the management operation.

This cost-effective single resilient core system for a medium-size enterprise network meets the following four key goals:
• Scalability—The modular Cisco Catalyst 4500-E chassis enables flexibility for core network expansion with high throughput modules and port scalability without compromising network performance.
• Resiliency—Because hardware or software failure conditions may create catastrophic results in the network, the single core system must be equipped with redundant system components such as supervisor, line card, and power supplies. Implementing redundant components increases the core network resiliency during various types of failure conditions using Non-Stop Forwarding/Stateful Switch Over (NSF/SSO) and EtherChannel technology.
• Simplicity—The core network can be simplified with redundant network modules and diverse fiber connections between the core and other network devices.
• Cost-effectiveness—A single core system in the core layer helps reduce capital, operational, and management cost for the medium-sized campus network design.

Core Layer Design Option 3—Cisco Catalyst 4500-E-Based Collapsed Core Campus Network

Core layer design option 3 is intended for the remote small campus network that has consistent network services and application service-level requirements but at reduced network scale. The remote small campus is considered to be confined within a single multi-story building that may span academic departments across different floors. As discussed in the previous section, the remote small campus has a two-tier LAN design model, so the role of the core system is merged with the distribution layer. Remote small campus locations have consistent design guidance and best practices defined for the main, remote large site, and remote medium-sized campus cores. However, for platform selection, scalability, simplification, and cost-effectiveness in the small campus network design must not be compromised. To provide consistent services and optimal network performance, the remote medium campus core layer design must be leveraged to build this two-tier campus core. Single highly resilient Cisco Catalyst 4500-E switches with a Cisco Sup6L-E supervisor must be deployed in a centralized collapsed core and distribution role that interconnects to wiring closet switches, a shared service block, and a WAN edge router. The cost-effective supervisor version supports key technologies such as robust QoS, security, and much more at a lower scale, making it an ideal solution for small-scale network designs. Figure 2-17 shows the remote small campus core design in more detail.

Figure 2-17 Core Layer Option 3 Collapsed Core/Distribution Network Design in Remote Small Campus Location (figure labels: Medium Building, Small Building, Access, Distribution, Core, Shared Service Block, Data Center Block, Service Block, WAN/PSTN Edge Gateway)

Campus Distribution Layer Network Design

The distribution or aggregation layer is the network demarcation boundary between wiring-closet switches and the campus core network. The framework of the distribution layer system in the medium enterprise design is based on best practices that reduce network complexities and accelerate reliability and performance. To build a strong campus network foundation with the three-tier model, the distribution layer has a vital role in consolidating networks and enforcing network edge policies.

Following the core layer design options in the different campus locations, the distribution layer design provides consistent network operation and configuration tools to enable various network services. Three simplified distribution layer design options can be deployed in main or remote campus locations, depending on network scale, application demands, and cost, as shown in Figure 2-18. Each design model offers consistent network services, high availability, expansion flexibility, and network scalability.

Figure 2-18 Distribution Layer Design Model Options (Design Option 1: two distribution switches joined by a VSL; Design Option 2 and Design Option 3: a single distribution system; access switches below each)

Distribution Layer Design Option 1—Cisco Catalyst 6500-E Based Distribution Network

Distribution layer design option 1 is intended for main campus and remote large site campus locations, and is based on Cisco Catalyst 6500-E Series switches using the Cisco VSS, as shown in Figure 2-19.

Figure 2-19 VSS-Enabled Distribution Layer Network Design (figure labels: Conferencing Rooms, Engineering Lab, Lobby at the access layer; Switch-1 and Switch-2 joined by a VSL at the distribution layer)

The distribution block and core network operation changes significantly when redundant Cisco Catalyst 6500-E Series switches are deployed in VSS mode in both the distribution and core layers. Clustering redundant distribution switches into a single logical system with VSS introduces the following technical benefits:
• A single logical system reduces operational, maintenance, and ownership cost.
• A single logical IP gateway develops a unified point-to-point network topology in the distribution block, which eliminates traditional protocol limitations and enables the network to operate at full capacity.
• Implementing the distribution layer in VSS mode eliminates or reduces several deployment barriers, such as spanning-tree loops, Hot Standby Router Protocol (HSRP)/Gateway Load Balancing Protocol (GLBP)/Virtual Router Redundancy Protocol (VRRP), and control plane overhead.

• Cisco VSS introduces unique inter-chassis traffic engineering to develop a fully-distributed forwarding design that helps in increased bandwidth, load balancing, predictable network recovery, and network stability.

Deploying VSS mode in both the distribution layer switch and the core layer switch provides numerous technology deployment options that are not available when not using VSS. Designing a common core and distribution layer option using VSS provides greater redundancy and is able to handle the amount of traffic typically present in the main and remote large site campus locations. Figure 2-20 shows five unique VSS domain interconnect options. Each variation builds a unique network topology that has a direct impact on steering traffic and network recovery.

Figure 2-20 Core/Distribution Layer Interconnection Design Considerations (Design Options 1 through 5; each option shows Switch-1 and Switch-2 of VSS Domain ID 1 connected by a VSL to Switch-1 and Switch-2 of VSS Domain ID 2)

The various core/distribution layer interconnects offer the following:
• Core/distribution layer interconnection option 1—A single physical link between each core switch and the corresponding distribution switch.
• Core/distribution layer interconnection option 2—A single physical link between each core switch and the corresponding distribution switch, but each link is logically grouped to appear as one single link between the core and distribution layers.
• Core/distribution layer interconnection option 3—Two physical links between each core switch and the corresponding distribution switch. There is one direct link between each switch as well as one link connecting to the other distribution switch. This design creates four equal cost multi-path (ECMP) routes with multiple control plane adjacencies and redundant path information. Multiple links provide greater redundancy in case of link failover.
• Core/distribution layer interconnection option 4—Two physical links between each core switch and the corresponding distribution switch. The additional link provides greater redundancy in case of link failover. Also, these links are logically grouped to appear like option 1 but with greater redundancy.
• Core/distribution layer interconnection option 5—This provides the most redundancy between the VSS-enabled core and distribution switches as well as the most simplified configuration, because it appears as if there is only one logical link between the core and the distribution. Cisco recommends deploying this option because it provides higher redundancy and simplicity compared to any other deployment option.

Distribution Layer Design Option 2—Cisco Catalyst 4500-E-Based Distribution Network

Two cost-effective distribution layer models have been designed for the medium-sized and small-sized buildings within each campus location that interconnect to the centralized core layer design option and the distributed wiring closet access layer switches. Both distribution layer design options use a cost-effective single and highly resilient Cisco Catalyst 4500-E as an aggregation layer system that offers consistent network operation like a VSS-enabled distribution layer switch. Both models are based on a common physical LAN network infrastructure and can be chosen based on overall network capacity and distribution block design. The two Cisco Catalyst 4500-E-based distribution layer options are shown in Figure 2-21.

Figure 2-21 Two Cisco Catalyst 4500-E-Based Distribution Layer Options (Distribution Design 1, Hybrid Distribution Block, Cisco Catalyst 4500-E with Sup6-E; Distribution Design 2, Multi-Layer Distribution Block, Cisco Catalyst 4500-E with Sup6L-E; access labels: Conferencing Rooms, Engineering Lab, Lobby)

The hybrid distribution block must be deployed with the next-generation supervisor Sup6-E module, which can handle a medium-sized enterprise distribution block. Implementing redundant Sup6-Es in the distribution layer can interconnect access layer switches and core layer switches using a single point-to-point logical connection. Alternatively, the multilayer distribution block option requires the Cisco Catalyst 4500-E Series Switch with the next-generation supervisor Sup6L-E deployed. The Sup6L-E supervisor is a cost-effective distribution layer solution that meets all network foundation requirements and can operate at moderate capacity.

This cost-effective and resilient distribution design option leverages core layer design option 2 to take advantage of all the operational consistency and architectural benefits. The Cisco Catalyst 4500-E Series provides the same technical benefits of VSS for a smaller network capacity within a single Cisco platform. A single Catalyst 4500-E with multiple redundant system components can be deployed to offer 1+1 in-chassis redundancy, as shown in Figure 2-22. This distribution layer network design provides protection against various types of hardware and software failure, and can deliver consistent sub-second network recovery.

Figure 2-22 Highly Redundant Single Distribution Design (figure labels: Conferencing Rooms, Engineering Lab, Lobby at the access layer; distribution system with redundant supervisor, redundant line cards, redundant power)

Distribution layer design option 2 is intended for the remote medium-sized campus locations, and is based on the Cisco Catalyst 4500-E Series switches. Although the remote medium and the main and remote large site campus locations share similar design principles, the remote medium campus location is smaller and may not need a VSS-based redundant design. Fortunately, network upgrades and expansion become easier to deploy using distribution layer option 2, which helps retain the original network topology and the management operation.

Distribution layer design option 2 meets the following goals:
• Scalability—The modular Cisco Catalyst 4500-E chassis provides the flexibility for distribution block expansion with high throughput modules and port scalability without compromising network performance.
• Resiliency—The single distribution system must be equipped with redundant system components, such as supervisor and line card. Implementing redundant components increases network resiliency during various types of failure conditions using NSF/SSO and EtherChannel technology.
• Simplicity—This cost-effective design simplifies the distribution block similarly to a VSS-enabled distribution system. The single IP gateway design develops a unified point-to-point network topology in the distribution block to eliminate traditional protocol limitations, enabling the network to operate at full capacity.
• Cost-effectiveness—The single distribution system in the distribution layer helps reduce capital and ownership cost for the medium-sized campus network design.

Distribution Layer Design Option 3—Cisco Catalyst 3750-X StackWise-Based Distribution Network

Distribution layer design option 3 is intended for a very small building with a limited number of wiring closet switches in the access layer that connects remote classrooms or an office network with a centralized core, as shown in Figure 2-23.

Figure 2-23 Cisco StackWise Plus-enabled Distribution Layer Network Design (figure labels: Utilities Department, Storage Department, S/H Department at the access layer; stacked distribution system)

This distribution layer design option is ideal for the remote small campus location. While providing consistent network services throughout the campus, the number of network users and IT-managed remote endpoints can be limited in this building. This distribution layer design option recommends using the Cisco Catalyst 3750-X StackWise Plus Series platform for the distribution layer switch. The fixed-configuration Cisco Catalyst 3750-X Series switch is a multilayer platform that supports Cisco StackWise Plus technology to simplify the network and offers flexibility to expand the network as it grows. With Cisco StackWise Plus technology, multiple Catalyst 3750-X switches can be stacked into a high-speed backplane stack ring to logically build a single large distribution system. Cisco StackWise Plus supports up to nine switches in a single stack ring for incremental network upgrades, and increases effective throughput capacity up to 64 Gbps. Chassis redundancy is achieved via stacking, in which member chassis replicate the control functions with each member providing distributed packet forwarding. This is achieved by stacked group members acting as a single virtual Catalyst 3750-X switch. The logical switch is represented as one switch by having one stack member act as the master switch. It is a 1:N form of redundancy where any member can become the master. Thus, when failover occurs, any member of the stack can take over as master and continue the same services.

Campus Access Layer Network Design

The access layer is the first tier or edge of the campus, where end devices such as PCs, printers, cameras, Cisco TelePresence, and so on attach to the wired portion of the campus network. It is also the place where devices that extend the network out one more level, such as IP phones and wireless access points (APs), are attached. The wide variety of possible types of devices that can connect and the various services and dynamic configuration mechanisms that are necessary make the access layer one of the most feature-rich parts of the campus network. Not only does the access layer switch allow users to access the network, the access layer switch must also provide network protection so that unauthorized users or applications do not enter the network. The challenge for the network architect is determining how to implement a design that meets this wide variety of requirements, the need for various levels of mobility, and the need for a cost-effective and flexible operations environment, while being able to provide the appropriate balance of security and availability expected in more traditional, fixed-configuration environments. The next-generation Cisco Catalyst switching portfolio includes a wide range of fixed and modular switching platforms, each designed with unique hardware and software capability to function in a specific role.

Enterprise campuses may deploy a wide range of network endpoints. The campus network infrastructure resources operate in shared service mode, and include IT-managed devices such as Cisco TelePresence and non-IT-managed devices such as employee laptops. Based on several endpoint factors such as function and network demands and capabilities, two access layer design options can be deployed with campus network edge platforms, as shown in Figure 2-24.

Figure 2-24 Access Layer Design Models (Access Design Option 1, Modular/Stackable Access: Cisco Catalyst 4500-E with Sup6L-E, Cisco Catalyst 3750-X StackWise Plus, Cisco Catalyst 2960-S FlexStack; Access Design Option 2, Fixed Configuration Access: Cisco Catalyst 3560-X, Cisco Catalyst 2960)

Access Layer Design Option 1—Modular/StackWise Plus/FlexStack Access Layer Network

Access layer design option 1 is intended to address the network scalability and availability for the IT-managed critical voice and video communication network edge devices. To accelerate the user experience and campus physical security protection, these devices require low latency, high performance, and a constant network availability switching infrastructure. Implementing a modular, Cisco StackWise Plus or latest Cisco innovation FlexStack-capable platform provides flexibility to increase network scale in the densely populated campus network edge. The Cisco Catalyst 4500-E with supervisor Sup6L-E can be deployed to protect devices against access layer network failure. Cisco Catalyst 4500-E Series platforms offer consistent and predictable sub-second network recovery using NSF/SSO technology to minimize the impact of outages on enterprise business and IT operation.

The Cisco Catalyst 3750-X Series is the alternate Cisco switching platform in this design option. Cisco StackWise Plus technology provides flexibility and availability by clustering multiple Cisco Catalyst 3750-X Series Switches into a single high-speed stack ring that simplifies operation and allows incremental access layer network expansion. The Cisco Catalyst 3750-X Series leverages EtherChannel technology for protection during member link or stack member switch failure.

Following the Catalyst 3750-X StackWise Plus success, the Catalyst 2960-S with FlexStack technology is Cisco's latest innovation in the access-layer tier. Based on the StackWise Plus architecture, the Catalyst 2960-S model offers high availability and increased port density with a unified single control plane and management to reduce the cost for the small enterprise network. However, the architecture of FlexStack on the Catalyst 2960-S Series platform differs from StackWise Plus. Cisco FlexStack is comprised of a hardware module and software capabilities; the FlexStack design is currently supported on Layer-2 Catalyst 2960-S Series switches. The FlexStack module must be installed on each Catalyst 2960-S switch that is intended to be deployed in a stack group. The Cisco FlexStack module is a hot-swappable module, providing the flexibility to deploy FlexStack without impacting business network operation.

Access Layer Design Option 2—Fixed Configuration Access Layer Network

This entry-level access layer design option is widely chosen for enterprise environments. The fixed configuration Cisco Catalyst switching portfolio supports a wide range of access layer technologies that allow seamless service integration and enable intelligent network management at the edge. The next-generation fixed configuration Cisco Catalyst 3560-X and Catalyst 2960 Series is a commonly deployed platform for wired network access that can be in a mixed configuration with critical devices such as Cisco IP Phones and non-mission critical endpoints such as library PCs, printers, and so on. For non-stop network operation during power outages, the Catalyst 3560-X must be deployed with an internal or external redundant power supply solution using the Cisco RPS 2300. Increasing aggregated power capacity allows flexibility to scale with enhanced power-over-Ethernet (PoE+) on a per-port basis. With its wire-speed 10G uplink forwarding capacity, this design reduces network congestion and latency to significantly improve application performance. The Cisco Catalyst 3560-X Series Switches offer limited software feature support that can function only in a traditional Layer 2 network design; therefore, the Cisco Catalyst 3560-X is an alternate switching solution for the multilayer distribution block design option discussed in the previous section. To provide a consistent end-to-end enhanced user experience, the Cisco Catalyst 2960-S supports critical network control services to secure the network edge and intelligently provide differentiated services to various class-of-service traffic, as well as simplified management. These Cisco Catalyst switches must leverage the 1G dual uplink ports to interconnect the distribution system for increased bandwidth capacity and network availability.

Both design options offer consistent network services at the campus edge to provide differentiated, intelligent, and secured network access to trusted and untrusted endpoints. The distribution options recommended in the previous section can accommodate both access layer design options.

Deploying Medium Enterprise Network Foundation Services

After each tier in the model has been designed, the next step for the medium enterprise design is to establish key network foundation services. Regardless of the application function and requirements that medium enterprises demand, the network must be designed to provide a consistent user experience independent of the geographical location of the application. The following network foundation design principles or services must be deployed in each campus location to provide resiliency and availability for all users to obtain and use the applications the medium enterprise offers:
• Implementing LAN network infrastructure
• Network addressing hierarchy
• Network foundation technologies for LAN designs
• Multicast for applications delivery
• QoS for application performance optimization
• High availability to ensure user experience even with a network failure

Design guidance for each of these six network foundation services is discussed in the following sections.

Implementing LAN Network Infrastructure

The preceding sections provided various design options for deploying the Cisco Catalyst platform in multi-tier centralized main campus and remote campus locations, including where they are deployed in each tier of the LAN design model. The Medium Enterprise Reference network is designed with consistency to build a simplified network topology for easier operation, management, and troubleshooting independent of campus location. For a campus network, depending on network size, the campus location, and the scalability, capacity, and reliability requirements, the Medium Enterprise Reference design applies the following common set of Cisco Catalyst platforms in the different campus network layers:
• Cisco Catalyst 6500-E in VSS mode
• Cisco Catalyst 4500-E
• Cisco Catalyst 3750-X StackWise and Catalyst 2960-S FlexStack
• Cisco Catalyst 3560-X and 2960

This subsection focuses on building the initial LAN network infrastructure setup to bring the network up to the stage where it can start establishing network protocol communication with the peer devices. The deployment and configuration guidelines remain consistent for each recommended Catalyst platform independent of its network role. Advanced network services implementation and deployment guidelines are explained in subsequent sections.

Deploying Cisco Catalyst 6500-E in VSS Mode

All the VSS design principles and foundational technologies defined in this subsection remain consistent when the Cisco Catalyst 6500-E is deployed in VSS mode at the campus core or distribution layer. Prior to enabling the Cisco Catalyst 6500-E in VSS mode, the enterprise network administrator must adhere to Cisco recommended best practices to take complete advantage of the virtualized system and minimize network operation downtime when migration is required in a production network. Migrating to VSS from the standalone Catalyst 6500-E system requires multiple pre- and post-migration steps to deploy the virtual system, which includes building the virtual system itself and migrating the existing standalone network configuration to operate in the virtual-system environment. Refer to the following document for the step-by-step migration procedure: http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c74c.shtml

This subsection is divided into the following categories that provide guidance for deploying the mandatory steps and procedures in implementing VSS and its components in the campus distribution and core:
• VSS Identifiers
• Virtual Switch Link
• Unified Control-Plane
• Multi-Chassis EtherChannel
• VSL Dual-Active Detection and Recovery

VSS Identifiers

This is the first premigration step to be implemented on two standalone Cisco Catalyst 6500-E switches in the same campus tier that are planned to be clustered into a single logical entity. Cisco VSS defines the following two types of physical node identifiers to distinguish the remote node within the logical entity as well as to set the logical VSS domain identity that uniquely identifies it beyond the single VSS domain boundary.

Domain ID

Defining the domain identifier (ID) is the initial step in creating a VSS with two physical chassis. A Virtual Switch Domain (VSD) is comprised of two physical switches, and they must be configured with a common domain ID. In the current software version, each VSD supports up to two physical switches to build a logical virtual switch. The domain ID value ranges from 1 to 255. When implementing VSS in a multi-tier campus network design, a unique domain ID between the different VSS pairs will prevent network protocol conflicts and allow simplified network operation, troubleshooting, and management.

Switch ID

Within a VSD, each physical chassis must be configured with a unique switch ID to successfully deploy VSS. The switch ID value is 1 or 2. Post VSS migration, when the two physical chassis are clustered, they create a single large system; from the control-plane and management-plane perspective, all the distributed physical interfaces between the two chassis are automatically prefixed with the switch ID (i.e., <switch-id>/<slot#>/<port#>, for example TenGigabitEthernet 1/1/1). The significance of the switch ID remains within the VSD, and all the interface IDs associated with the switch ID are retained independent of control-plane ownership. See Figure 2-25.

Figure 2-25 VSS Domain and Switch ID (Domain 20 with SW1 and SW2 at the core; Domain 10 with SW1 and SW2 at the distribution; access layer below)

The following simple configuration shows how to configure the VSS domain ID and switch ID:

Standalone Switch 1:
VSS-SW1(config)# switch virtual domain 20
VSS-SW1(config-vs-domain)# switch 1

Standalone Switch 2:
VSS-SW2(config)# switch virtual domain 20
VSS-SW2(config-vs-domain)# switch 2

Switch Priority

During both virtual-switch bootup processes, the switch priority is negotiated between both virtual switches to determine control-plane ownership. The virtual switch configured with the higher priority takes control-plane ownership, while the lower-priority switch boots up in redundant mode. The default switch priority is 100; the lower switch ID is the tie-breaker when both virtual-switch nodes are deployed with default settings. Modifying the default switch priority is an optional setting, since either of the virtual switches can provide transparent operation to the network and the user. The control-plane operation is identical on either of the virtual-switch nodes. Cisco recommends deploying both virtual-switch nodes with identical hardware and software to take full advantage of the distributed forwarding architecture with a centralized control and management plane.

Virtual Switch Link

To cluster two physical chassis into a single logical entity, the Cisco VSS technology enables the capability to extend various types of single-chassis internal system components to the multi-chassis level. Each virtual switch must be deployed with direct physical links that extend the backplane communication boundary over the special links known as the Virtual Switch Link (VSL).

VSL can be considered as Layer 1 physical links between the two virtual-switch nodes and is designed to not operate any network control protocols. Therefore, the VSL links cannot establish network protocol adjacencies and are excluded when building the network topology tables. Using EtherChannel technology, the VSS software design provides the flexibility to increase VSL bandwidth capacity on demand and to protect network stability during VSL link failure or malfunction.

The following sample configuration shows how to configure the VSL EtherChannel:

Standalone Switch 1:
VSS-SW1(config)# interface Port-Channel 1
VSS-SW1(config-if)# switch virtual link 1
VSS-SW1(config)# interface range Ten 1/1 , Ten 5/4
VSS-SW1(config-if-range)# channel-group 1 mode on

Standalone Switch 2:
VSS-SW2(config)# interface Port-Channel 2
VSS-SW2(config-if)# switch virtual link 2
VSS-SW2(config)# interface range Ten 1/1 , Ten 5/4
VSS-SW2(config-if-range)# channel-group 2 mode on

VSL Design Consideration

Implementing the VSL EtherChannel is a simple task; however, the VSL may require proper design with high reliability, availability, and optimization. Deploying VSL requires careful planning to keep system virtualization intact during a VSS system component failure on either virtual-switch node. With the customized traffic engineering on VSL, it is tailored to carry the following major traffic categories:
• Inter-Switch Control Traffic
  – Inter-Chassis Ethernet Out Band Channel (EOBC) traffic—Serial Communication Protocol (SCP), IPC, and ICC.
  – Virtual Switch Link Protocol (VSLP)—LMP and RRP control-link packets.
• Network Control Traffic
  – Layer 2 Protocols—STP BPDU, PAgP+, LACP, CDP, UDLD, LLDP, 802.1x, DTP, etc.
  – Layer 3 Protocols—ICMP, EIGRP, OSPF, BGP, MPLS LDP, PIM, IGMP, BFD, etc.
• Data Traffic
  – End-user data application traffic in single-homed network designs.
  – Integrated service modules with a centralized forwarding architecture (i.e., FWSM).
  – Remote SPAN.

The strategy for a reliable VSL design requires the following three categories of planning:
• VSL Links Diversification
• VSL Bandwidth Capacity
• VSL QoS

VSL Links Diversification

A complete VSL link failure may break the system virtualization and create network instability. Designing VSL link redundancy through diverse physical paths on both systems prevents network instability, reduces single point of failure conditions, and optimizes the bootup process. The next-generation specialized Catalyst 6500-E 10G-based supervisor and linecard modules are fully capable and equipped with modern hardware ASICs to build VSL communication. All the traffic that traverses the VSL is encoded with a special encapsulation header; hence the VSL protocols are not designed to operate on every Catalyst 6500-E supported linecard module. VSL EtherChannel can bundle 10G member-links with any of the following next-generation hardware modules:
• Sup720-10G
• WS-X6708
• WS-X6716 (must be deployed in performance mode to enable VSL capability)
Figure 2-26 shows an example of how to build VSL EtherChannel with multiple diverse physical fiber paths from supervisor 10G uplink ports and the VSL-capable 10G hardware modules.

Figure 2-26 Recommended VSL Links Design
[Figure: SW1 and SW2, each with a Sup720-10GE (Ten5/4) and a 6708/6716 linecard (Ten1/1); the VSL between the two switches is built from the Ten5/4 and Ten1/1 ports of each switch over diverse physical paths.]

Deploying VSL with a multiple diversified VSL-link design offers the following benefits:
• Leverage 10G ports from the supervisor and use the remaining available ports for other network connectivity.
• Use 10G ports from the VSL-capable WS-X6708 or WS-X6716 linecard module to protect against any abnormal failure on a supervisor uplink port (i.e., GBIC failure).
• Reduces the single point-of-failure chances, as triggering multiple hardware faults on diversified cables, GBICs, and hardware modules is a rare condition.
• VSL-enabled 10G modules boot up more rapidly than the other modules installed in the system. This software design is required to initialize VSL protocols and communication during the bootup process. If the same 10G module is shared to connect other network devices, then depending on the network module type and slot bootup order, it is possible to minimize traffic losses during the system initialization process.
• Use the 4-class built-in QoS model on each VSL member-link to optimize inter-chassis communication traffic.

VSL Bandwidth Capacity

From each virtual-switch node, VSL EtherChannel can bundle up to 8 physical member-links. Therefore, VSL can be bundled up to 80G of bandwidth capacity. For example, with 2 x 10GE diversified to the same remote peer system, the exact capacity requirement may depend on a number of the following factors:
• Aggregated network uplink bandwidth capacity on a per-virtual-switch-node basis.
• Designing the network with single-homed device connectivity (no MEC) will force at least half of the downstream traffic to flow over the VSL link. This type of connectivity is highly discouraged.

• Remote SPAN from one switch member to the other. The SPANed traffic is considered a single flow, so the traffic hashes only over a single VSL link, which can lead to oversubscription of that particular link. The only way to improve the probability of traffic distribution is to have an additional VSL link. Adding a link increases the chance of distributing the normal traffic that was hashed on the same link carrying the SPAN traffic, which may then be sent over a different link.
• If the VSS is carrying services hardware (such as FWSM, WiSM, etc.), then depending on the service module forwarding design, its traffic may be carried over the VSL. Capacity planning for each of the supported services blades is beyond the scope of this design guide.
For optimal traffic load-sharing between VSL member-links, it is recommended to bundle VSL member-links in powers of 2 (i.e., 2, 4, and 8).

VSL QoS

The network infrastructure and the application demands of next-generation enterprise networks have a tremendous dependency on a strong and resilient network for constant network availability and on-demand bandwidth allocation to provide services without compromising performance. Cisco VSS is designed with application intelligence and automatically enables QoS on the VSL interface to provide bandwidth and resource allocation for different class-of-service traffic. The QoS implementation on VSL EtherChannel operates in restricted mode, as it carries critical inter-chassis backplane traffic. Independent of global QoS settings, the VSL member-links are automatically configured with system-generated QoS settings to protect different classes of applications. To retain system stability, network availability, and optimized inter-switch VSLP protocols, the QoS settings are fine-tuned to protect high-priority traffic with different thresholds even during VSL link congestion. To deploy VSL in non-blocking mode and increase the queue depth, the Sup720-10G uplink ports can be configured in one of the following two QoS modes:
• Default (Non-10G-only mode)—In this mode, all ports must follow a single queuing mode. If any 10-Gbps port is used for the VSL link, the remaining ports (10 Gbps or 1 Gbps) follow the same CoS-mode of queuing for any other non-VSL connectivity, because VSL only allows class of service (CoS)-based queuing. Even if only one 10G port is used as a VSL link, both 10-Gbps ports are still restricted to the CoS-based trust model. As a result, restricted VSL QoS prevents reassigning different class-of-service traffic to different queues. Deploying a VSS network based on Cisco's recommendation significantly reduces VSL link utilization, thus minimizing the need to implement 10G-only mode and allowing all 1G ports to be used for other network connectivity (i.e., out-of-band network management port).
• Non-blocking (10G-only mode)—In this mode, all 1-Gbps ports are disabled, as the entire supervisor module operates in a non-blocking mode. The primary benefit of implementing 10G-only mode is to deploy the VSL port in non-blocking mode to dedicate the complete 10G bandwidth to the port. Implementing 10G-only mode may assist in increasing the transmit and receive queue depth.

Unified Control-Plane

Deploying redundant supervisors with common hardware and software components into a single standalone Cisco Catalyst 6500-E platform automatically enables the Stateful Switch Over (SSO) capability to provide in-chassis supervisor redundancy in a highly redundant network environment. The SSO operation on the active supervisor holds control-plane ownership and communicates with remote Layer 2 and Layer 3 neighbors to build distributed forwarding information. The SSO-enabled active supervisor is tightly synchronized with the standby supervisor on several components (protocol state-machine, forwarding information, configuration, etc.). As a result, if an active supervisor fails, the hot-standby supervisor takes over control-plane ownership and initializes protocol graceful recovery with peer devices. During the network protocol graceful-recovery process, the forwarding information remains non-disrupted to continue nonstop packet switching in hardware.

Leveraging the same SSO and NSF technology, the Cisco VSS supports inter-chassis SSO redundancy by extending the supervisor redundancy capability from single-chassis to multi-chassis level. Cisco VSS uses VSL EtherChannel as a backplane path to establish SSO communication between the active and hot-standby supervisors deployed in separate physical chassis. The state machine of the unified control-plane protocols and the distributed forwarding entries get dynamically synchronized between the two virtual-switch nodes. The entire virtual-switch node gets reset during an abnormal active or hot-standby virtual-switch node failure. See Figure 2-27.

Figure 2-27 Inter-Chassis SSO Operation in VSS
[Figure: Switch-1 (Active Virtual Switch, Active Supervisor) and Switch-2 (Standby Virtual Switch, Standby HOT Supervisor) joined by the VSL; each supervisor carries SF, RP and PFC, and each chassis holds CFC or DFC line cards.]
SF: Switch Fabric
RP: Route Processor
PFC: Policy Forwarding Card
CFC: Centralized Forwarding Card
DFC: Distributed Forwarding Card

To successfully establish SSO communication between two virtual-switch nodes, the following criteria must match between both virtual-switch nodes:
• Identical software version
• Consistent VSD and VSL interface configuration
• Power mode and VSL-enabled module power settings
• Global PFC Mode
• SSO and NSF-enabled
During the bootup process, the SSO synchronization checks all the above criteria with the remote virtual-system. If any of the criteria fails to match, it will force the virtual-switch node to boot in RPR or cold-standby state, which cannot synchronize protocol and forwarding information.

VSL Dual-Active Detection and Recovery

The preceding section described how VSL EtherChannel functions as an extended backplane link that enables system virtualization by transporting inter-chassis control traffic, network control plane, and user data traffic. Any fault triggered on a VSL component leads to a catastrophic instability in the VSS domain and beyond. The virtual-switch member that assumes the role of hot-standby keeps constant communication with the active switch. The role of the hot-standby switch is to assume the active role as soon as it detects a loss of communication with its peer via all VSL links, without the operational state information of the remote active peer node. Such a network condition is known as dual-active, where both virtual switches get split with a common configuration and take control plane ownership. This condition can destabilize campus network communication with the two split systems advertising duplicate information. The network protocols detect inconsistency and instability when VSS peering devices detect two split systems claiming the same addressing and identification. Figure 2-28 depicts the state of the campus topology in a single-active state and during a dual-active state.

Figure 2-28 Single Active and Dual-Active Campus Topology
[Figure: Single Active Network State (SW1 Active, SW2 Hot_Standby) beside Dual-Active Network State (SW1 Active, SW2 Active).]

The system virtualization gets impacted during the dual-active network state and splits the single virtual system into two identical Layer 2/3 systems. To prevent such network instability, Cisco VSS introduces the following two methods to rapidly detect a dual-active condition and recover the situation by isolating the old active virtual-switch from network operation before the network gets destabilized:
• Direct Detection Method—This method requires an extra physical connection between both virtual-switch nodes. The Dual-Active Fast-Hello (Fast-Hello) and Bidirectional Forwarding Detection (BFD) protocols are specifically designed to detect the dual-active condition and protect against network malfunction. Cisco recommends deploying Fast-Hello in lieu of BFD for the following reasons:
– Fast-Hello can rapidly detect the dual-active condition and trigger the recovery procedure. Independent of routing protocols and network topology, Fast-Hello offers faster network recovery.
– Fast-Hello optimizes the protocol communication procedure without reserving higher system CPU and link overheads.
– Fast-Hello supersedes the BFD-based detection mechanism.
– Fast-Hello enables the ability to implement dual-active detection in multi-vendor campus or data-center network environments.
For additional redundancy, VSS allows configuring up to four dual-active fast-hello links between virtual-switch nodes. All VSS-supported Ethernet media and modules can be used to deploy this method.
• Indirect Detection Method—This method relies on an intermediate trusted L2/L3 MEC Cisco Catalyst remote platform to detect the failure and notify the old-active switch about the dual-active detection. Cisco extended the capability of the PAgP protocol with extra TLVs to signal the dual-active condition and initiate the recovery procedure. Most of the Cisco Catalyst switching platforms can be used as a trusted PAgP+ partner to deploy the indirect detection method.
All dual-active detection protocols and methods can be implemented in parallel. As depicted in Figure 2-29, in a VSS network deployment peering with Cisco Catalyst platforms, Cisco recommends deploying the Fast-Hello and PAgP+ methods for rapid detection, to minimize network topology instability, and to retain application performance intact.

Figure 2-29 Recommended Dual-Active Detection Method
[Figure: Single Active Network State with SW1 (Active) and SW2 (Hot_Standby); a Fast-Hello Link runs directly between SW1 and SW2, and Po101 is the Dual-Active Trusted MEC towards the downstream switch.]

The following sample configuration illustrates implementing both methods:
• Dual-Active Fast-Hello
cr23-VSS-Core(config)#interface range Gig1/5/1 , Gig2/5/1
cr23-VSS-Core(config-if-range)# dual-active fast-hello
! The following logs confirm that the fast-hello adjacency is established on
! both virtual-switch nodes.
%VSDA-SW1_SP-5-LINK_UP: Interface Gi1/5/1 is now dual-active detection capable
%VSDA-SW2_SPSTBY-5-LINK_UP: Interface Gi2/5/1 is now dual-active detection capable

cr23-VSS-Core#show switch virtual dual-active fast-hello
Fast-hello dual-active detection enabled: Yes
Fast-hello dual-active interfaces:
Port       Local State    Peer Port    Remote State
-----------------------------------------------------------------------------
Gi1/5/1    Link up        Gi2/5/1      Link up
• PAgP+
Enabling or disabling dual-active trusted mode on an L2/L3 MEC requires the MEC to be in administrative shutdown state. Prior to implementing the trust settings, the network administrator must plan for downtime to provision the PAgP+-based dual-active configuration settings:
cr23-VSS-Core(config)#int range Port-Channel 101 - 102
cr23-VSS-Core(config-if-range)#shutdown
cr23-VSS-Core(config)#switch virtual domain 20
cr23-VSS-Core(config-vs-domain)#dual-active detection pagp trust channel-group 101
cr23-VSS-Core(config-vs-domain)#dual-active detection pagp trust channel-group 102
cr23-VSS-Core(config)#int range Port-Channel 101 - 102
cr23-VSS-Core(config-if-range)#no shutdown

cr23-VSS-Core#show switch virtual dual-active pagp
PAgP dual-active detection enabled: Yes
PAgP dual-active version: 1.1

Channel group 101 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active      Partner         Partner    Partner
Port      Detect Capable   Name            Port       Version
Te1/1/2   Yes              cr22-6500-LB    Te2/1/2    1.1
Te1/3/2   Yes              cr22-6500-LB    Te2/1/4    1.1
Te2/1/2   Yes              cr22-6500-LB    Te1/1/2    1.1
Te2/3/2   Yes              cr22-6500-LB    Te1/1/4    1.1

Channel group 102 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active      Partner         Partner    Partner
Port      Detect Capable   Name            Port       Version
Te1/1/3   Yes              cr24-4507e-MB   Te4/2      1.1
Te1/3/3   Yes              cr24-4507e-MB   Te3/1      1.1
Te2/1/3   Yes              cr24-4507e-MB   Te4/1      1.1
Te2/3/3   Yes              cr24-4507e-MB   Te3/2      1.1

Virtual Routed MAC

The MAC address allocation for the interfaces does not change during a switchover event when the hot-standby switch takes over as the active switch. However, if both chassis are rebooted at the same time and the order of the active switch changes (the old hot-standby switch comes up first and becomes active), then the entire VSS domain will use that switch's MAC address pool. This means that the interface will inherit a new MAC address, which will trigger gratuitous ARP updates to all Layer-2 and Layer-3 interfaces. Any networking device connected one hop away from the VSS (and any networking device that does not support gratuitous ARP) will experience traffic disruption until the MAC address of the default gateway/interface is refreshed or timed out. To avoid such a disruption, Cisco recommends using the configuration option provided with the VSS in which the MAC address for Layer-2 and Layer-3 interfaces is derived from the reserved pool. This takes advantage of the virtual-switch domain identifier to form the MAC address. The MAC addresses of the VSS domain remain consistent with the usage of virtual MAC addresses, regardless of the boot order. This avoids gratuitous ARP updates (MAC address changed for the same IP address) from devices connected to the VSS.
The following configuration illustrates how to configure the virtual routed MAC address for Layer 3 interfaces under switch-virtual configuration mode:
cr23-VSS-Core(config)#switch virtual domain 20
cr23-VSS-Core(config-vs-domain)#mac-address use-virtual

Deploying Cisco Catalyst 4500-E

In a mid-size medium enterprise campus network, it is recommended to deploy a single highly redundant Cisco Catalyst 4500-E Series platform in the different campus network tiers: access, distribution, and core. The Cisco Catalyst 4500-E Series switch is a multi-slot, modular, scalable, and high-speed resilient platform. A single Catalyst 4500-E Series platform in the medium enterprise design is built with multiple redundant hardware components to develop a network topology consistent with the Catalyst 6500-E VSS-based large network design. For Catalyst 4500-E in-chassis supervisor redundancy, network administrators must consider the Catalyst 4507R-E or 4510R-E slot chassis to accommodate redundant supervisors and use the remaining slots for LAN network modules.
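Before moving on to the Catalyst 4500-E, here is an added example (not from this guide or from Cisco) of how an operator can verify the two dual-active detection methods described above from the `show switch virtual dual-active fast-hello` and `show switch virtual dual-active pagp` output. The sample text is constructed to match the output quoted in the guide (the cr22-6500-LB and cr24-4507e-MB hostnames and Te/Gi interfaces are the guide's); the column regexes assume that output layout, and the check reports a finding for any disabled method, detection link that is not up on both ends, untrusted channel group, or member port that is not detect capable.

```python
"""Verify VSS dual-active detection from show output (added example, not from the guide)."""
import re

# Constructed sample text modelled on the `show switch virtual dual-active fast-hello`
# output quoted in this guide.
FAST_HELLO_OUTPUT = """\
Fast-hello dual-active detection enabled: Yes
Fast-hello dual-active interfaces:
Port       Local State    Peer Port    Remote State
-----------------------------------------------------------------------------
Gi1/5/1    Link up        Gi2/5/1      Link up
"""

# Constructed sample text modelled on the `show switch virtual dual-active pagp`
# output quoted in this guide (hostnames and interfaces are the guide's).
PAGP_OUTPUT = """\
PAgP dual-active detection enabled: Yes
PAgP dual-active version: 1.1

Channel group 101 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active      Partner         Partner    Partner
Port      Detect Capable   Name            Port       Version
Te1/1/2   Yes              cr22-6500-LB    Te2/1/2    1.1
Te1/3/2   Yes              cr22-6500-LB    Te2/1/4    1.1
Te2/1/2   Yes              cr22-6500-LB    Te1/1/2    1.1
Te2/3/2   Yes              cr22-6500-LB    Te1/1/4    1.1

Channel group 102 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active      Partner         Partner    Partner
Port      Detect Capable   Name            Port       Version
Te1/1/3   Yes              cr24-4507e-MB   Te4/2      1.1
Te1/3/3   Yes              cr24-4507e-MB   Te3/1      1.1
Te2/1/3   Yes              cr24-4507e-MB   Te4/1      1.1
Te2/3/3   Yes              cr24-4507e-MB   Te3/2      1.1
"""

# Column layouts assumed from the output quoted in the guide.
FH_LINK_RE = re.compile(r"^(\S+)\s+Link (\w+)\s+(\S+)\s+Link (\w+)\s*$", re.M)
PAGP_GROUP_RE = re.compile(r"^Channel group (\d+) dual-active detect capability")
PAGP_TRUST_RE = re.compile(r"^Dual-Active trusted group:\s*(\w+)")
PAGP_MEMBER_RE = re.compile(r"^(\S+)\s+(Yes|No)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def enabled_flag(text, label):
    """True when the '<label> dual-active detection enabled:' line says Yes."""
    m = re.search(rf"^{re.escape(label)} dual-active detection enabled:\s*(\w+)", text, re.M)
    return bool(m) and m.group(1) == "Yes"


def parse_fast_hello(text):
    """Return the enabled flag and the list of fast-hello links with both link states."""
    links = [{"port": m.group(1), "local": m.group(2), "peer_port": m.group(3), "remote": m.group(4)}
             for m in FH_LINK_RE.finditer(text)]
    return {"enabled": enabled_flag(text, "Fast-hello"), "links": links}


def parse_pagp(text):
    """Return the enabled flag and, per channel group, the trusted flag and member ports."""
    groups, current = {}, None
    for line in text.splitlines():
        g = PAGP_GROUP_RE.match(line)
        if g:
            current = int(g.group(1))
            groups[current] = {"trusted": False, "members": []}
            continue
        if current is None:
            continue
        t = PAGP_TRUST_RE.match(line)
        if t:
            groups[current]["trusted"] = t.group(1) == "Yes"
            continue
        mem = PAGP_MEMBER_RE.match(line)
        if mem:
            groups[current]["members"].append({
                "port": mem.group(1), "capable": mem.group(2) == "Yes",
                "partner": mem.group(3), "partner_port": mem.group(4), "version": mem.group(5)})
    return {"enabled": enabled_flag(text, "PAgP"), "groups": groups}


def dual_active_findings(fast_hello_text, pagp_text):
    """List every condition under which the VSS would be left without a working detection path."""
    findings = []
    fh = parse_fast_hello(fast_hello_text)
    if not fh["enabled"]:
        findings.append("fast-hello: dual-active detection is not enabled")
    elif not fh["links"]:
        findings.append("fast-hello: enabled but no detection link is listed")
    for link in fh["links"]:
        if link["local"] != "up" or link["remote"] != "up":
            findings.append(f"fast-hello: {link['port']} <-> {link['peer_port']} is not up on both ends")
    pg = parse_pagp(pagp_text)
    if not pg["enabled"]:
        findings.append("pagp: dual-active detection is not enabled")
    for gid, grp in pg["groups"].items():
        if not grp["trusted"]:
            findings.append(f"pagp: Po{gid} is not a trusted channel group")
        for mem in grp["members"]:
            if not mem["capable"]:
                findings.append(f"pagp: Po{gid} member {mem['port']} towards "
                                f"{mem['partner']} {mem['partner_port']} is not detect capable")
    return findings


if __name__ == "__main__":
    print(dual_active_findings(FAST_HELLO_OUTPUT, PAGP_OUTPUT) or ["dual-active detection healthy"])
```

An empty findings list means both methods are in the state the guide recommends; feeding the two show outputs from a real VSS into `dual_active_findings` after every VSL or MEC change catches a trust setting that was lost when a port-channel was rebuilt.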


Cisco Catalyst 4500-E Series supports a wide range of supervisor modules designed for high-performance
Layer 2 and Layer 3 networks. This reference design recommends deploying the next-generation Sup6E and
Sup6L-E, which support next-generation hardware switching capabilities, scalability, and performance for
the various types of applications and services deployed in the campus network.

Implementing Redundant Supervisor

Cisco Catalyst 4507R-E supports intra-chassis or single-chassis supervisor redundancy with
dual-supervisor support. Implementing a single Catalyst 4507R-E in highly resilient mode at the various
campus layers with multiple redundant hardware components will protect against different types of
abnormal failures. This reference design guide recommends deploying redundant Sup6E or Sup6L-E
supervisor modules to achieve full high-availability feature parity. Mid-size core or distribution layer
Cisco Catalyst 4507R-E Series platforms currently do not support inter-chassis supervisor and node
redundancy with VSS technology. Therefore, implementing intra-chassis supervisor redundancy and the
initial network infrastructure setup is simplified for medium and small size campus networks.
Figure 2-30 illustrates Cisco Catalyst 4500-E-based intra-chassis SSO and NSF capability.

Figure 2-30 Intra-Chassis SSO Operation

[Figure: Cisco Catalyst 4507R-E/4510R-E chassis with an Active Supervisor and a Standby Supervisor (Sup6E/Sup6L-E), each built from PP, FE, CPU and FPGA, serving the line cards (stub linecards) in the chassis.]

PP: Packet Processor
FE: Forwarding Engine
CPU: Control-Plane Processing
FPGA: Hardware Based Forwarding Information

During the bootup process, the SSO synchronization checks various criteria to assure that both supervisors can
provide consistent and transparent network services during a failure event. If any of the criteria fails to
match, it forces the standby supervisor to boot in RPR or cold-standby state, which cannot synchronize
protocol and forwarding information from the active supervisor. The following sample configuration
illustrates how to implement SSO mode on Catalyst 4507R-E and 4510R-E chassis deployed with Sup6E
and Sup6L-E redundant supervisors:
cr24-4507e-MB#config t
cr24-4507e-MB(config)#redundancy
cr24-4507e-MB(config-red)#mode sso

cr24-4507e-MB#show redundancy states
my state = 13 - ACTIVE
peer state = 8 - STANDBY HOT
< snippet >
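As an added example (not part of this guide or of Cisco's software), the following Python check reads `show redundancy states` output like the snippet above and confirms that the standby supervisor actually reached the STANDBY HOT state rather than the RPR/cold-standby state the guide warns about. The healthy sample reproduces the two lines quoted above; the cold-standby sample is constructed, and its "STANDBY COLD" wording is an assumption about the IOS output for that state.

```python
"""Classify a Catalyst 4500-E supervisor pair from `show redundancy states` (added example)."""
import re

# Constructed sample modelled on the snippet quoted in this guide (the guide shows
# only the first two lines before "< snippet >").
SSO_HEALTHY = """\
my state = 13 - ACTIVE
peer state = 8 - STANDBY HOT
"""

# Constructed sample for the failure mode the guide describes: a criteria mismatch
# left the standby in RPR/cold-standby. "STANDBY COLD" is an assumption about the
# IOS wording for that state, not text taken from the guide.
SSO_COLD_STANDBY = """\
my state = 13 - ACTIVE
peer state = 4 - STANDBY COLD
"""

# "<my|peer> state = <code> - <NAME>"; the name may contain spaces (STANDBY HOT).
STATE_RE = re.compile(r"^(my|peer) state\s*=\s*(\d+)\s*-\s*([A-Z][A-Z ]*[A-Z])\s*$", re.M)


def parse_redundancy_states(text):
    """Return {'my': (code, name), 'peer': (code, name)} for the lines found."""
    return {m.group(1): (int(m.group(2)), m.group(3)) for m in STATE_RE.finditer(text)}


def sso_status(text):
    """Return ('sso' | 'rpr' | 'degraded', reason) for the supervisor pair."""
    states = parse_redundancy_states(text)
    if "my" not in states or "peer" not in states:
        return ("degraded", "could not find both 'my state' and 'peer state' lines")
    my_name, peer_name = states["my"][1], states["peer"][1]
    if my_name != "ACTIVE":
        return ("degraded", f"local supervisor is {my_name}, not ACTIVE")
    if peer_name == "STANDBY HOT":
        return ("sso", "standby is hot: protocol and forwarding state are synchronized")
    if peer_name.startswith("STANDBY COLD"):
        # RPR: a switchover will not be stateful, so the chassis is not yet
        # providing the redundancy the design relies on.
        return ("rpr", "standby is cold (RPR): state is not synchronized; "
                       "re-check the SSO criteria (software version, configuration, "
                       "power and PFC mode) before trusting a switchover")
    return ("degraded", f"peer supervisor is {peer_name}")


if __name__ == "__main__":
    for sample in (SSO_HEALTHY, SSO_COLD_STANDBY):
        print(sso_status(sample))
```

Running the check after `redundancy` / `mode sso` is applied, and again after any software upgrade of one supervisor, turns the "STANDBY HOT" line the guide relies on into a pass/fail result that can be fed to a monitoring system.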


Sup6L-E Enhancement

Starting in IOS Release 12.2(53)SG, Cisco introduced the new Catalyst 4500 Sup6L-E supervisor module,
which is designed and built on the next-generation Sup6E supervisor architecture. As a cost-effective
solution, the Sup6L-E supervisor is built with reduced system resources, but it also addresses several types
of key business and technical challenges for mid- to small-scale Layer-2 network design.
The initial IP-based IOS Release for Sup6L-E supports SSO capability for multiple types of Layer 2
protocols. To extend its high availability and enterprise-class Layer 3 feature-parity support on the Sup6L-E
supervisor, it is recommended to deploy the IOS Release 12.2(53)SG2 software version with the Enterprise
license.

Note This validated design guide provides the Sup6L-E supervisor deployment guidance and validated test
results based on the above recommended software version.

Deploying Supervisor Uplinks

Every supported supervisor module in the Catalyst 4500-E supports different types of uplink ports for core
network connectivity. Each Sup6E and Sup6L-E supervisor module supports up to two 10G uplinks, or the
uplinks can be deployed as four 1G uplinks using Twin-Gigabit converters. To build a high-speed, low-latency
campus backbone network, it is recommended to deploy 10G uplinks to accommodate the
various types of bandwidth-demanding network applications operating in the network.
Cisco Catalyst 4500-E Series supervisors are designed with a unique architecture to provide constant
network availability and reliability during a supervisor reset. Even during supervisor switchover or
administrative reset events, the state-machines of all deployed uplinks remain operational, and with the
centralized forwarding architecture the supervisor continues to switch packets without impacting time-sensitive
applications like Cisco TelePresence. This architecture protects bandwidth capacity during an
administrative supervisor switchover to upgrade IOS software, or when an abnormal software event triggers
a supervisor reset.

Sup6E Uplink Port Design

Non-Redundant Mode
In non-redundant mode, a single supervisor module is deployed in the Catalyst 4500-E chassis. In
non-redundant mode, by default both uplink physical ports can be deployed as 10G, or as 1G with
Twin-Gigabit converters. Each port operates in a non-blocking state and can switch traffic at wire-rate
performance.

Redundant Mode
In the recommended redundant mode, the Catalyst 4507R-E chassis is deployed with dual supervisors. To
provide wire-rate switching performance, by default port-group 1 on the active and hot-standby
supervisors is in active mode and port-group 2 is in the inactive state. The default configuration can
be modified by changing the Catalyst 4500-E backplane settings to sharing mode. The shared backplane
mode enables operation of port-group 2 on both supervisors. Note that sharing the 10G backplane ASIC
between two 10G ports does not increase switching capacity; it creates 2:1 oversubscription. If the upstream
device is deployed with chassis redundancy (i.e., Catalyst 6500-E VSS), then it is highly recommended
to deploy all four uplink ports for the following reasons:
• Helps develop a full-mesh or V-shape physical network topology from each supervisor module.
• Increases high availability in the network during an individual link, supervisor, or other hardware
component failure event.


• Reduces latency and network congestion caused by rerouting traffic through a non-optimal path.
Figure 2-31 summarizes the uplink port support on the Sup6E model in the non-redundant and
redundant deployment scenarios.

Figure 2-31 Catalyst 4500-E Sup6E Uplink Mode

[Figure: front-panel drawings of WS-X45-Sup6-E supervisors in three columns. Non-Redundant Mode: a single supervisor with port groups 1 and 2 active. Redundant Mode: two supervisors, each with port group 1 active and port group 2 in-active. Redundant Mode (Shared Backplane Mode): two supervisors, each with port groups 1 and 2 active.]

The following sample configuration provides a guideline to modify the default backplane settings on a Catalyst
4507R-E platform deployed with Sup6E supervisors in redundant mode. The new backplane settings take
effect only after the complete chassis is reset; therefore, it is important to plan downtime for
this implementation:
cr24-4507e-MB#config t
cr24-4507e-MB(config)#hw-module uplink mode shared-backplane

! A 'redundancy reload shelf' or power-cycle of the chassis is required
! to apply the new configuration

cr24-4507e-MB#show hw-module uplink
Active uplink mode configuration is Shared-backplane

cr24-4507e-MB#show hw-module mod 3 port-group
Module   Port-group   Active       Inactive
----------------------------------------------------------------------
3        1            Te3/1-2      Gi3/3-6

cr24-4507e-MB#show hw-module mod 4 port-group
Module   Port-group   Active       Inactive
----------------------------------------------------------------------
4        1            Te4/1-2      Gi4/3-6
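As an added example (not from this guide or from Cisco), the following Python code turns the `show hw-module uplink` and `show hw-module mod N port-group` output quoted above into a per-port list, expanding the `Te3/1-2` and `Gi3/3-6` range notation, and flags the modules on which both 10G uplinks share one backplane ASIC, the 2:1 oversubscription case the text describes. The sample output is constructed to match the guide's, and the column layout and range syntax the regexes assume are taken from that output.

```python
"""Parse Catalyst 4500-E uplink mode and port-group output (added example, not from the guide)."""
import re

# Constructed samples modelled on the `show hw-module uplink` and
# `show hw-module mod N port-group` output quoted in this guide.
UPLINK_MODE_OUTPUT = "Active uplink mode configuration is Shared-backplane\n"

PORT_GROUP_OUTPUTS = {
    3: """\
Module   Port-group   Active       Inactive
----------------------------------------------------------------------
3        1            Te3/1-2      Gi3/3-6
""",
    4: """\
Module   Port-group   Active       Inactive
----------------------------------------------------------------------
4        1            Te4/1-2      Gi4/3-6
""",
}

# "Te3/1-2" -> prefix "Te3/", first 1, last 2; also accepts "Te1/1/2"-style names.
RANGE_RE = re.compile(r"^([A-Za-z]+(?:\d+/)+)(\d+)(?:-(\d+))?$")
# One table row: module, port-group, active range, inactive range.
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.M)


def expand_range(spec):
    """'Gi3/3-6' -> ['Gi3/3', 'Gi3/4', 'Gi3/5', 'Gi3/6']; 'Te4/1' -> ['Te4/1']."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognized interface range: {spec!r}")
    prefix, first = m.group(1), int(m.group(2))
    last = int(m.group(3)) if m.group(3) else first
    return [f"{prefix}{n}" for n in range(first, last + 1)]


def uplink_mode(text):
    """Return the configured uplink mode in lower case, or None if the line is absent."""
    m = re.search(r"Active uplink mode configuration is (\S+)", text)
    return m.group(1).lower() if m else None


def parse_port_groups(text):
    """Return one dict per table row with the active and inactive ranges expanded."""
    return [{"module": int(m.group(1)), "port_group": int(m.group(2)),
             "active": expand_range(m.group(3)), "inactive": expand_range(m.group(4))}
            for m in ROW_RE.finditer(text)]


def uplink_summary(mode_text, port_group_texts):
    """Combine the mode line with every module's port-group table."""
    active, inactive, oversubscribed = [], [], []
    for text in port_group_texts.values():
        for row in parse_port_groups(text):
            active.extend(row["active"])
            inactive.extend(row["inactive"])
            # The guide notes that sharing a supervisor's 10G backplane ASIC between
            # its two 10G uplinks gives 2:1 oversubscription, not more capacity.
            if sum(p.startswith("Te") for p in row["active"]) > 1:
                oversubscribed.append(row["module"])
    return {"mode": uplink_mode(mode_text), "active": active, "inactive": inactive,
            "oversubscribed_2_to_1": sorted(set(oversubscribed))}


if __name__ == "__main__":
    print(uplink_summary(UPLINK_MODE_OUTPUT, PORT_GROUP_OUTPUTS))
```

The `oversubscribed_2_to_1` list is what a capacity review should look at after switching to shared-backplane mode: the extra uplinks buy path diversity towards a VSS pair, not additional switching capacity, and that trade-off should be recorded alongside the configuration change.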

Sup6L-E Uplink Port Design

The Sup6L-E uplink ports function the same as on the Sup6E in non-redundant mode. However, in redundant mode
the hardware design of the Sup6L-E differs from the Sup6E—it currently does not support the shared backplane mode
that allows using all uplink ports actively. The Catalyst 4507R-E deployed with Sup6L-E may use the 10G
uplink of port group 1 from the active and standby supervisors when the upstream device is a single, highly
redundant Catalyst 4507R-E chassis. If the upstream device is deployed with chassis redundancy (i.e.,
Cisco VSS), then it is recommended to build a full-mesh network design between each supervisor and
virtual-switch node. For such a design, the network administrator must leverage the existing WS-4606
Series 10G linecard to build the full-mesh uplinks. Figure 2-32 illustrates the deployment guideline for
highly resilient Catalyst 4507R-E-based Sup6L-E uplinks.


Figure 2-32 Catalyst 4500-E Sup6L-E Uplink Mode

[Figure: front-panel drawings of WS-X45-Sup6-E supervisors in two columns. Non-Redundant Mode: a single supervisor with port groups 1 and 2 active. Redundant Mode: two supervisors, each with port group 1 active and port group 2 in-active, plus a WS-X4606-X2-E (WS-4606) 10GbE linecard with its ports active to provide the full-mesh uplinks.]

Deploying Cisco Catalyst 3750-X StackWise Plus
The next-generation Cisco Catalyst 3750-X switches can be deployed in StackWise mode using a special
stack cable that forms a bidirectional physical ring topology. Up to nine switches can be integrated into
a single stack ring that offers a robust distributed forwarding architecture and a unified single control and
management plane. Device-level redundancy in StackWise mode is achieved by stacking multiple
switches using the Cisco StackWise Plus technology. A single switch from the stack ring is selected for the
master role and manages the centralized control-plane process, while all other switches in the ring remain in the
member role. The Cisco StackWise Plus solution is designed on a 1:N redundancy option. Master switch
election in the stack ring is determined by internal protocol negotiation. On failure of the active master
switch, the new master is selected through a reelection process that takes place internally over
the stack ring. See Figure 2-33.

Figure 2-33 Cisco StackWise Plus Switching Architecture

[Figure: two Catalyst 3750-X switches, Member Switch-1 (Master) and Member Switch-2 (Slave), joined by the Stack Ring and presented as a Single Virtual Switch.]

Since the Cisco StackWise Plus solution is developed with high redundancy, it offers a unique centralized
control and management plane combined with a distributed forwarding architecture. To logically appear as a single
virtual switch, the master switch manages the complete management-plane and Layer-3 control-plane
operations (i.e., IP Routing, CEF, PBR, etc.). Depending on the implemented network protocols, the
master switch communicates with the rest of the Layer 3 network through the stack ring, dynamically
computes the best-path global routing, and updates the local hardware with forwarding information.
Unlike the centralized Layer-3 management function on the master switch, the Layer-2 network topology
development is completely based on a distributed design. Each member switch in the stack ring
dynamically learns MAC entries from its local ports and uses the internal stack ring network to synchronize
the MAC address table on every member switch in the stack ring. Table 2-2 lists the network protocols that
are designed to operate in the centralized versus the distributed model in the Cisco StackWise Plus architecture.


Table 2-2 Cisco StackWise Plus Centralized and Distributed Control-Plane

Protocols           Function                 Control-Plane Model
Layer 2 Protocols   MAC Table                Distributed
                    Spanning-Tree Protocol   Distributed
                    CDP                      Centralized
                    VLAN Database            Centralized
                    EtherChannel - LACP      Centralized
Layer 3 Protocols   Layer 3 Management       Centralized
                    Layer 3 Routing          Centralized

Using the stack ring as a backplane communication path, the master switch pushes the Layer-3 forwarding information base (FIB) to each member switch in the stack ring. Synchronizing a common FIB to every member switch creates a distributed forwarding architecture: each member switch performs the physical forwarding-path lookup locally and transmits the frame itself, instead of having the master switch perform the lookup, which would cause traffic hair-pinning through the master.

SSO Operation in 3750-EX StackWise Plus

The Cisco StackWise Plus solution offers network and device resiliency with distributed forwarding, but its control plane is not a 1+1 redundant design. This is because the Cisco Catalyst 3750-X StackWise switch is not an SSO-capable platform that can synchronize control-plane state machines to a standby switch in the ring. It can, however, be configured in NSF-capable mode to recover gracefully from a master switch failure. Therefore, when the master switch fails, all Layer 3 functions, which are primarily deployed on the uplink ports, may be disrupted until a new master is elected and the Layer 3 adjacencies are re-formed. Although identification of the new master switch in the stack ring takes in the range of 0.7 to 1 second, the time needed to rebuild the network and forwarding topology depends on the protocol functions in use and their scale.
To prevent Layer 3 disruption in the network caused by a master switch failure, the switch designated as master by its higher switch priority can be excluded from the uplink Layer 3 EtherChannel bundle, so that the bundle uses physical ports only on switches in the member role. Combined with the Non-Stop Forwarding (NSF) capabilities of the Cisco StackWise Plus architecture, this network design helps to reduce major network downtime during a master switch failure.

Implementing StackWise Mode

As described earlier, the Cisco Catalyst 3750-E switch dynamically detects and provisions member switches in the stack ring without any extra configuration. For a planned deployment, the network administrator can pre-provision a switch in the ring with the following command in global configuration mode:

cr36-3750x-xSB(config)#switch 3 provision WS-C3750E-48PD

cr36-3750x-xSB#show running-config | include interface GigabitEthernet3/
interface GigabitEthernet3/0/1
interface GigabitEthernet3/0/2


Switch Priority

The centralized control plane and management plane are managed by the master switch in the stack. By default, the master switch selection within the ring is performed dynamically by negotiating several parameters and capabilities between each switch in the stack. Each StackWise-capable member switch is configured with switch priority 1 by default.

cr36-3750x-xSB#show switch
Switch/Stack Mac Address : 0023.eb7b.e580
                                           H/W     Current
Switch#  Role    Mac Address     Priority  Version State
-----------------------------------------------------------
*1       Master  0023.eb7b.e580  1         0       Ready
 2       Member  0026.5284.ec80  1         0       Ready

As described in the previous section, the Cisco StackWise architecture is not SSO-capable. This means that all centralized Layer-3 functions must be re-established with the neighbor switches during a master-switch outage. To minimize the control-plane impact and improve network convergence, the Layer 3 uplinks should be diverse and originate from member switches instead of the master switch. The default switch priority must be increased manually after identifying the intended master switch and its switch number. The new switch priority becomes effective after a switch reset.

cr36-3750x-xSB(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
cr36-3750x-xSB(config)#switch 2 priority 14
Changing the Switch Priority of Switch Number 2 to 14

cr36-3750x-xSB#show switch
Switch/Stack Mac Address : 0023.eb7b.e580
                                           H/W     Current
Switch#  Role    Mac Address     Priority  Version State
-----------------------------------------------------------
 1       Master  0023.eb7b.e580  15        0       Ready
*2       Member  0026.5284.ec80  14        0       Ready

Stack-MAC Address

To provide a single unified logical view of the switch to the network, the MAC addresses of the Layer-3 interfaces on the StackWise stack (physical, logical, SVIs, port channels) are derived from the Ethernet MAC address pool of the master switch in the stack. All Layer-3 communication from the StackWise switch to the endpoints (such as IP phones, PCs, servers, and core network systems) is therefore sourced from the MAC address pool of the master switch.
cr36-3750x-xSB#show switch
Switch/Stack Mac Address : 0023.eb7b.e580
                                           H/W     Current
Switch#  Role    Mac Address     Priority  Version State
-----------------------------------------------------------
 1       Master  0023.eb7b.e580  15        0       Ready
*2       Member  0026.5284.ec80  14        0       Ready

cr36-3750x-xSB#show version
. . .
Base ethernet MAC Address : 00:23:EB:7B:E5:80
. . .


To prevent network instability, the old MAC address assignments on the Layer-3 interfaces can be retained even after the master switch fails. The new active master switch then continues to use the MAC addresses assigned by the old master switch, which prevents ARP and routing outages in the network. The default stack-mac timer setting must be changed in Catalyst 3750-X StackWise mode from global configuration mode, as shown below:

cr36-3750x-xSB(config)#stack-mac persistent timer 0
cr36-3750x-xSB#show switch
Switch/Stack Mac Address : 0026.5284.ec80
Mac persistency wait time: Indefinite
                                           H/W     Current
Switch#  Role    Mac Address     Priority  Version State
-----------------------------------------------------------
 1       Master  0023.eb7b.e580  15        0       Ready
*2       Member  0026.5284.ec80  14        0       Ready

Deploying Cisco Catalyst 3560-X and 2960-S FlexStack

The Medium Enterprise Reference design recommends deploying the fixed-configuration Cisco Catalyst 3560-X and 2960 Series platforms at the campus network edge. The hardware architecture of these fixed-configuration access-layer switches is standalone and non-modular. These switches are designed to go beyond the traditional access-layer switching function and provide robust next-generation network services (i.e., edge security, PoE+, EnergyWise, etc.).
The Cisco Catalyst 3560-X and 2960 Series platforms do not support StackWise technology; nevertheless, these platforms are ready to deploy with a wide range of network services at the access layer. All recommended access-layer features and configurations are explained in the following relevant sections.
The access-layer Cisco Catalyst 2960-S Series switches can be stacked using Cisco FlexStack technology, which allows stacking up to four switches into a single stack ring using a special proprietary cable. Cisco FlexStack leverages several architecture components from Cisco Catalyst 3750-X StackWise Plus. However, it offers the flexibility to upgrade the hardware capability of a standalone Cisco Catalyst 2960-S platform to support FlexStack with a hot-swappable FlexStack module. The FlexStack module provides dual on-board StackPorts, each designed to support up to 10G of switching capacity. The StackPorts on the FlexStack module are not network ports, hence they do not run any Layer 2 network protocol such as STP; to build the virtual-switch environment, each participating Cisco Catalyst 2960-S in the stack ring runs the FlexStack protocol to keep protocols, ports, and forwarding information synchronized within the ring. The port configuration and QoS configuration of the StackPorts are preset and cannot be modified by the user; this is designed to minimize the network impact of misconfiguration. From an operational perspective, Cisco Catalyst 2960-S FlexStack technology is identical to Cisco Catalyst 3750-X StackWise Plus. Therefore, all the deployment guidelines and best practices defined in the “Deploying Cisco Catalyst 3750-X StackWise Plus” section on page 2-38 must be leveraged to deploy Cisco Catalyst 2960-S FlexStack in the campus access layer.

Designing EtherChannel Network

In this reference design, multiple parallel physical paths are recommended to build a highly scalable and resilient medium enterprise network. Without optimizing the network configuration, by default each interface requires its own network configuration, protocol adjacencies, and forwarding information in order to load-share traffic and provide network redundancy.


The reference architecture of the medium enterprise network design is built upon small- to mid-size enterprise-class network. Depending on the network applications, scalability, and performance requirement, it offers a wide range of campus network designs, platform and technology deployment options in different campus locations and building premises. Each campus network design offers the following set of operation benefits:
• Common network topologies and configuration (all campus network design)
• Simplifies network protocols (eases network operations)
• Increase network bandwidth capacity with symmetric forwarding paths
• Delivers deterministic network recovery performance

Diversified EtherChannel Physical Design

As a general best practice to build resilient network designs, it is highly recommended to interconnect all network systems with full-mesh diverse physical paths. Such network design automatically creates multiple parallel paths to provide load-sharing capabilities and path redundancy during network fault events. Deploying single physical connections from a standalone single system to separate redundant upstream systems creates a “V” shape physical network design instead of the non-recommended partial-mesh “square” network design. Independent of network tier and platform role, this design principle is applicable to all systems across the campus network. Cisco recommends building full-mesh fiber paths between each Layer 2 or Layer 3 system operating in standalone, redundant (dual-supervisor) or virtual-system (Cisco VSS and StackWise Plus) mode. Figure 2-34 demonstrates the recommended physical network design model for the various Catalyst platforms.

Figure 2-34 Designing Diverse Full-mesh Network Topology

[Figure: a standalone Catalyst 4507R-E in redundant mode, a StackWise stack (Master/Slave) and a VSS pair (SW1/SW2), each connected with diverse full-mesh uplinks to an upstream VSS pair (SW1/SW2)]

Deploying a diverse physical network design with a redundant-mode standalone system or a virtual system running a single control plane will require extra network design tuning to gain all EtherChannel benefits. Without designing the campus network with EtherChannel technology, the individual redundant parallel paths will create the network operation state depicted in Figure 2-35. Such a network design cannot leverage the distributed forwarding architecture and increases operational and troubleshooting complexity. Figure 2-35 demonstrates the default network design with redundant and complex control-plane operation and an under-utilized forwarding plane.

Figure 2-35 Non-optimized Campus Network Design

[Figure: access switches (VLAN 10, VLAN 20) dual-homed to distribution switches SW1/SW2 with a per-physical-port Layer 3 IGP adjacency on the left and a per-physical-port Layer 2 STP operation on the right (SW1 as STP primary root, one STP block port); distribution to the VSS core (SW1/SW2) again with per-physical-port Layer 3 IGP adjacency. Legend: Layer 2 Trunk Port, Layer 3 Routed Port, Bi-Directional Traffic Port, Asymmetric Traffic Port, STP Block Port, Non-Forwarding Port]

The design in Figure 2-35 suffers from the following challenges for different network modes:
• Layer 3—Multiple routing adjacencies between two Layer-3 systems. This configuration doubles or quadruples the control-plane load between each of the Layer-3 devices. It also uses more system resources like CPU and memory to store redundant dynamic-routing information with different Layer-3 next-hop addresses connected to the same router. It develops Equal Cost Multi Path (ECMP) symmetric forwarding paths between the same Layer 3 peers and offers network scale-dependent Cisco CEF-based network recovery.
• Layer 2—Multiple parallel Layer-2 paths between the STP root (distribution) and the access switch will build a network loop. To build a loop-free network topology, STP blocks the non-preferred individual link path from forwarding state. With the single STP root virtual-switch, such network topologies cannot fully use all the network resources and create a non-optimal and asymmetric traffic forwarding design.
• VSL Link Utilization—In a Cisco VSS-based distribution network, the VSL is not a regular network port; it is a special inter-chassis backplane connection used to build the virtual system, and the network must be designed to switch traffic across the VSL only as a last resort. As described in the “Deploying Cisco Catalyst 4500-E” section on page 2-34, it is highly recommended to prevent the condition where hardware or network protocol-driven asymmetric forwarding is created (i.e., single-homed connection or STP block port).
Implementing campus-wide MEC or EtherChannel across all the network platforms is the solution for all of the above challenges. Bundling multiple parallel paths into a single logical connection builds a single loop-free, point-to-point topology that helps to eliminate all protocol-driven forwarding restrictions and programs the hardware for distributed forwarding to fully use all network resources.

EtherChannel Fundamentals

In a standalone EtherChannel mode, multiple and diversified member-links are physically connected in parallel between two physical systems. All the key network devices in the Medium Enterprise Reference design support EtherChannel technology. Independent of campus location and network layer (campus, data center, WAN/Internet edge), all the EtherChannel fundamentals and configuration guidelines described in this section remain consistent.

Multi-Chassis EtherChannel Fundamentals

Cisco’s Multi-Chassis EtherChannel (MEC) technology is a breakthrough innovation that lifts the barrier to creating a logical point-to-point EtherChannel by distributing the physical connections to each highly resilient virtual-switch node in the VSS domain. Deploying Layer 2 or Layer 3 MEC with VSS introduces the following benefits:
• In addition to all EtherChannel benefits, the distributed forwarding architecture in MEC helps increase network bandwidth capacity.
• Increases network reliability by eliminating the single point-of-failure limitation compared to traditional EtherChannel technology.
• Simplifies the network control plane, topology, and system resources with a single logical bundled interface instead of multiple individual parallel physical paths.
• Independent of network scalability, MEC provides deterministic hardware-based subsecond network recovery.
• MEC technology remains transparent in operation to remote peer devices.

Implementing EtherChannel

In a standalone EtherChannel mode, multiple and diversified member-links are physically connected in parallel between two physical systems. All the key network devices in the medium enterprise network design support EtherChannel technology. Independent of campus location and network layer (campus, data center, WAN/Internet edge), all the EtherChannel fundamentals and configuration guidelines described in this section remain consistent.

Port-Aggregation Protocols

The member-links of an EtherChannel must join the port-channel interface using the Cisco PAgP+ or the industry-standard LACP port-aggregation protocol. Both protocols are designed to provide identical benefits. Implementing these protocols provides the following additional benefits:
• Ensure link aggregation parameter consistency and compatibility between the two systems.
• Ensure compliance with aggregation requirements.
• Dynamically react to runtime changes and failures on local and remote EtherChannel systems.
• Detect and remove unidirectional links and multidrop connections from the EtherChannel bundle.

Figure 2-36 Network-Wide Port-Aggregation Protocol Deployment Guidelines

[Figure: access-layer Catalyst 4507R-E, Catalyst 3750-X/2960-S StackWise/FlexStack and Catalyst 3560-X/2960 switches bundled to the distribution layer (Catalyst 4507-E Sup6E/Sup6L-E, Catalyst 3750-X StackWise) with PAgP+ or LACP; distribution to the Catalyst 6500-E VSS core (VSL) with PAgP+ or LACP; core to the Catalyst 3750-X StackWise service block with LACP; Internet edge, WAN edge (ASR 1006 with QFP) and PSTN gateway (Cisco 3800) with LACP or ON]

Port-aggregation protocol support varies across the different types of Cisco platforms; therefore, depending on the device type at each end of the EtherChannel, Cisco recommends deploying the port-channel settings specified in Table 2-3.

Table 2-3 MEC Port-Aggregation Protocol Recommendation

Port-Agg Protocol   Local Node   Remote Node   Bundle State
PAgP+               Desirable    Desirable     Operational
LACP                Active       Active        Operational
None (1)            ON           ON            Operational
1. None or Static Mode EtherChannel configuration must be deployed only in exceptional cases when the remote node does not support either of the port-aggregation protocols. To prevent network instability, the network administrator must implement a static mode port-channel with special attention that assures no configuration incompatibility between the bundled member-link ports.

The implementation guidelines to deploy EtherChannel and MEC in Layer 2 or Layer 3 mode are simple and consistent. The following sample configuration provides guidance to implement a single point-to-point Layer-3 MEC from diverse physical ports in different module slots that physically reside in the two virtual-switch chassis to a single redundant-mode, standalone Catalyst 4507R-E system:
• MEC—VSS-Core
cr23-VSS-Core(config)#interface Port-channel 102
cr23-VSS-Core(config-if)# ip address 10.125.0.14 255.255.255.254
! Bundling single MEC diversed physical ports and module on per node basis.

cr23-VSS-Core(config)#interface range Ten1/1/3 , Ten1/3/3 , Ten2/1/3 , Ten2/3/3
cr23-VSS-Core(config-if-range)#channel-protocol pagp
cr23-VSS-Core(config-if-range)#channel-group 102 mode desirable

cr23-VSS-Core#show etherchannel 102 summary | inc Te
102    Po102(RU)    PAgP    Te1/1/3(P)  Te1/3/3(P)  Te2/1/3(P)  Te2/3/3(P)

cr23-VSS-Core#show pagp 102 neighbor | inc Te
Te1/1/3   cr24-4507e-MB   0021.d8f5.45c0   Te4/2   27s   SC   10001
Te1/3/3   cr24-4507e-MB   0021.d8f5.45c0   Te3/1   28s   SC   10001
Te2/1/3   cr24-4507e-MB   0021.d8f5.45c0   Te4/1   11s   SC   10001
Te2/3/3   cr24-4507e-MB   0021.d8f5.45c0   Te3/2   11s   SC   10001

• EtherChannel—Catalyst 4507R-E Distribution
cr24-4507e-MB(config)#interface Port-channel 1
cr24-4507e-MB(config-if)# ip address 10.125.0.15 255.255.255.254
! Bundling single EtherChannel diversed on per physical ports and per supervisor basis.
cr24-4507e-MB(config)#interface range Ten3/1 , Ten3/2 , Ten4/1 , Ten4/2
cr24-4507e-MB(config-if-range)#channel-protocol pagp
cr24-4507e-MB(config-if-range)#channel-group 1 mode desirable

cr24-4507e-MB#show etherchannel 101 summary | inc Te
1      Po1(RU)      PAgP    Te3/1(P)  Te3/2(P)  Te4/1(P)  Te4/2(P)

cr24-4507e-MB#show pagp 1 neighbor | inc Te
Te3/1   cr23-VSS-Core   0200.0000.0014   Te1/3/3   26s   SC   660001
Te3/2   cr23-VSS-Core   0200.0000.0014   Te2/3/3   15s   SC   660001
Te4/1   cr23-VSS-Core   0200.0000.0014   Te2/1/3   25s   SC   660001
Te4/2   cr23-VSS-Core   0200.0000.0014   Te1/1/3   11s   SC   660001

EtherChannel Load-Sharing

The number of applications and their functions in a campus network design becomes highly variable, especially when the network is provided as a common platform for business operation, campus security and open accessibility to the users. It becomes important for the network to become more intelligence-aware with deep packet inspection and to load-share the traffic by fully using all network resources. Fine-tuning EtherChannel and MEC adds extra computing intelligence in the network to make protocol-aware egress forwarding decisions between multiple local member-link paths. For each traffic flow, such tuning optimizes the egress path-selection procedure with multiple levels of variable information that originate from the source host (i.e., Layer 2 to Layer 4). EtherChannel load-balancing method support varies across Cisco Catalyst platforms. Table 2-4 summarizes the currently supported EtherChannel load-balancing methods.

Table 2-4 EtherChannel Load Balancing Support Matrix

Packet Type   Classification Layer   Load Balancing Mechanic                  Supported Cisco Catalyst Platform
Non-IP        Layer 2                src-dst-mac                              29xx, 35xx, 3750, 3xxx-X
Non-IP        Layer 2                src-mac, dst-mac, src-dst-mac            4500, 6500
IP            Layer 3                src-ip, dst-ip, src-dst-ip (recommended)
IP            Layer 4                src-port, dst-port, src-dst-port         4500, 6500
IP            XOR L3 and L4          src-dst-mixed-ip-port (recommended)      6500

Implementing EtherChannel Load-Sharing

EtherChannel load-sharing is based on a polymorphic algorithm. On a per-protocol basis, load sharing is done based on source XOR destination address or port from the Layer 2 to Layer 4 headers. For higher granularity and optimal utilization of each member-link port, an EtherChannel can intelligently load-share egress traffic using different algorithms. All Cisco Catalyst 29xx-S, 35xx, 3750, 3xxx-X, and 4500-E switches must be tuned with optimal EtherChannel load-sharing capabilities similar to the following sample configuration:
cr24-4507e-MB(config)#port-channel load-balance src-dst-ip
cr24-4507e-MB#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip

Implementing MEC Load-Sharing

The next-generation Catalyst 6500-E Sup720-10G supervisor introduces more intelligence and flexibility to load-share traffic with up to 13 different traffic patterns. Independent of the virtual-switch role, each node in the VSD uses the same polymorphic algorithm to load-share egress Layer 2 or Layer 3 traffic across the different member-links of the local chassis. When computing the load-sharing hash, each virtual-switch node includes only the local physical ports of the MEC instead of the remote switch ports; this customized load-sharing is designed to prevent traffic from being rerouted over the VSL. It is recommended to implement the following MEC load-sharing configuration in global configuration mode:
cr23-VSS-Core(config)#port-channel load-balance src-dst-mixed-ip-port
cr23-VSS-Core#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-mixed-ip-port vlan included
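The following is an added example, not code from the design guide or from Cisco: a simplified Python model of how the load-balance methods of Table 2-4 choose an egress member-link for a flow, and of how the 8 hash buckets that a VSS node assigns to every MEC (see the MEC hash algorithm discussion that follows) are split across its local member-links. The XOR-and-fold hash, the flow fields and all addresses are constructed assumptions; only the 8-bucket arithmetic follows the text, and the real ASIC hash is platform specific.

```python
"""Simplified model of EtherChannel / MEC egress member-link selection.

Added example, not Cisco code.  It models the Table 2-4 load-balance
methods (src-dst-mac, src-dst-ip, src-dst-port, src-dst-mixed-ip-port)
as an XOR of the chosen header fields folded into a 3-bit value (8 hash
buckets), and the way a VSS node splits its 8 buckets per MEC across the
member-links of the local chassis.  The real hardware hash differs; the
bucket arithmetic is the part that follows the design guide.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

HASH_BUCKETS = 8  # "8 bits" per MEC on the Catalyst 6500-E in VSS mode


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_flow(flow: Flow, method: str) -> int:
    """Return the hash bucket (0..7) of a flow under a load-balance method.

    Constructed model: XOR the selected fields, then XOR-fold the result
    3 bits at a time so that every part of the address contributes.
    """
    if method == "src-dst-mac":
        value = _mac_int(flow.src_mac) ^ _mac_int(flow.dst_mac)
    elif method == "src-dst-ip":
        value = _ip_int(flow.src_ip) ^ _ip_int(flow.dst_ip)
    elif method == "src-dst-port":
        value = flow.src_port ^ flow.dst_port
    elif method == "src-dst-mixed-ip-port":
        value = (_ip_int(flow.src_ip) ^ _ip_int(flow.dst_ip)
                 ^ flow.src_port ^ flow.dst_port)
    else:
        raise ValueError(f"unsupported load-balance method: {method}")
    folded = 0
    while value:
        folded ^= value & 0x7
        value >>= 3
    return folded


def allocate_buckets(local_links: int) -> list[int]:
    """Split the 8 hash buckets across the node's local member-links.

    Two links get 4 buckets each (50/50); three links get 3/3/2, so the
    third link carries only 25 percent of the flows.
    """
    if not 1 <= local_links <= HASH_BUCKETS:
        raise ValueError("a node bundles between 1 and 8 local links")
    base, extra = divmod(HASH_BUCKETS, local_links)
    return [base + (1 if i < extra else 0) for i in range(local_links)]


def bucket_to_link(bucket: int, local_links: int) -> int:
    """Map a hash bucket to the index of the member-link that owns it."""
    upper = 0
    for link, count in enumerate(allocate_buckets(local_links)):
        upper += count
        if bucket < upper:
            return link
    raise ValueError("bucket outside the 8-bucket range")


def distribute(flows: list[Flow], method: str, local_links: int) -> list[int]:
    """Count how many flows each local member-link would carry."""
    counts = Counter(bucket_to_link(hash_flow(f, method), local_links)
                     for f in flows)
    return [counts.get(i, 0) for i in range(local_links)]


# Constructed sample: four clients on one access subnet talking to a single
# server on several TCP ports.  MACs, addresses and ports are made up.
SAMPLE_FLOWS = [
    Flow("0011.2233.4401", "0021.d8f5.45c0", "10.125.31.11", "10.125.200.10", 50001, 443),
    Flow("0011.2233.4401", "0021.d8f5.45c0", "10.125.31.11", "10.125.200.10", 50002, 80),
    Flow("0011.2233.4402", "0021.d8f5.45c0", "10.125.31.12", "10.125.200.10", 50003, 443),
    Flow("0011.2233.4402", "0021.d8f5.45c0", "10.125.31.12", "10.125.200.10", 50004, 8080),
    Flow("0011.2233.4403", "0021.d8f5.45c0", "10.125.31.13", "10.125.200.10", 50005, 443),
    Flow("0011.2233.4404", "0021.d8f5.45c0", "10.125.31.14", "10.125.200.10", 50006, 443),
]

if __name__ == "__main__":
    # Two sessions between the same pair of hosts always share a link under
    # src-dst-ip; mixing in the ports lets them land on different buckets.
    for method in ("src-dst-ip", "src-dst-mixed-ip-port"):
        print(method, "across 2 local links:", distribute(SAMPLE_FLOWS, method, 2))
    print("bucket split for 3 local links:", allocate_buckets(3))
```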

Note MEC load-sharing becomes effective only when each virtual-switch node has more than one physical path in the same bundle interface.

MEC Hash Algorithm

Like MEC load sharing, the hash algorithm is computed independently by each virtual-switch to perform load sharing over its local physical ports. A Cisco Catalyst 6500-E system in VSS mode assigns 8 bits to every MEC; these 8 bits represent 100 percent of the switching load. Depending on the number of local member-link ports in an MEC bundle, the 8-bit hash is computed and allocated to each port for an optimal load-sharing result. Traffic load share is defined by the number of internal bits allocated to each local member-link port. Like a standalone network design, VSS supports the following EtherChannel hash algorithms:
• Fixed—Default setting. Keep it at the default if each virtual-switch node has a single local member-link port bundled in the same L2/L3 MEC (total 2 ports in the MEC).
• Adaptive—Best practice is to change to the adaptive hash method if each virtual-switch node has two or more physical ports in the same L2/L3 MEC.
When deploying a full-mesh V-shape VSS-enabled campus core network, it is recommended to modify the default MEC hash algorithm as shown in the following sample configuration:
cr23-VSS-Core(config)#port-channel hash-distribution adaptive
Modifying the MEC hash algorithm to adaptive mode requires the system to internally reprogram the hash result on each MEC. Therefore, plan for additional downtime to make the new configuration effective.
cr23-VSS-Core(config)#interface Port-channel 101
cr23-VSS-Core(config-if)#shutdown
cr23-VSS-Core(config-if)#no shutdown
cr23-VSS-Core#show etherchannel 101 detail | inc Hash
Last applied Hash Distribution Algorithm: Adaptive

Network Addressing Hierarchy

Developing a structured and hierarchical IP address plan is as important as any other design aspect of the medium enterprise network to create an efficient, scalable, and stable network design. Identifying an IP addressing strategy for the entire medium enterprise network design is essential.
Note This section does not explain the fundamentals of TCP/IP addressing; for more details, see the many Cisco Press publications that cover this topic.
The following are key benefits of using hierarchical IP addressing:
• Efficient address allocation
– Hierarchical addressing provides the advantage of grouping all possible addresses contiguously.
– In non-contiguous addressing, a network can create addressing conflicts and overlapping problems, which may not allow the network administrator to use the complete address block.
• Improved routing efficiencies

– Building centralized main and remote campus site networks with contiguous IP addresses provides an efficient way to advertise summarized routes to neighbors.
– Route summarization simplifies the routing database and computation during topology change events.
– Improves overall routing protocol performance by flooding fewer messages and improves network convergence time.
• Improved system performance
– Reduces the memory needed to hold large-scale discontiguous and non-summarized route entries.
– Reduces the CPU power needed to re-compute large-scale routing databases during topology change events.
– Reduces network bandwidth utilization used by routing protocols.
– Becomes easier to manage and troubleshoot.
– Helps in overall network and system stability.

Network Foundational Technologies for LAN Design

In addition to a hierarchical IP addressing scheme, it is also essential to determine which areas of the medium enterprise design are Layer 2 or Layer 3, to determine whether routing or switching fundamentals need to be applied. The following applies to the three layers in a LAN design model:
• Core layer—Because this is a Layer 3 network that interconnects several remote locations and shared devices across the network, choosing a routing protocol is essential at this layer.
• Distribution layer—The distribution block uses a combination of Layer 2 and Layer 3 switching to provide for the appropriate balance of policy and access controls, availability, and flexibility in subnet allocation and VLAN usage. Both routing and switching fundamentals need to be applied.
• Access layer—This layer is the demarcation point between network infrastructure and computing devices. It is designed for critical network edge functions to provide intelligent application and device-aware services, to set the trust boundary to distinguish applications, provide identity-based network access to protected data and resources, provide physical infrastructure services to reduce greenhouse emission, and more. This subsection provides design guidance to enable various types of Layer 1 to 3 intelligent services, and to optimize and secure network edge ports.
The recommended routing or switching scheme of each layer is discussed in the following sections.

Designing the Core Layer Network

Because the core layer is a Layer 3 network, routing principles must be applied. Choosing a routing protocol is essential, and routing design principles and routing protocol selection criteria are discussed in the following subsections.

Routing Design Principles

Although enabling routing functions in the core is a simple task, the routing blueprint must be well understood and designed before implementation, because it provides the end-to-end reachability path of the enterprise network. For an optimized routing design, the following three routing components must be identified and designed to allow more network growth and provide a stable network, independent of scale:
• Hierarchical network addressing—Structured IP network addressing in the medium enterprise LAN and/or WAN design is required to make the network scalable, optimal, and resilient.
• Routing protocol—Cisco IOS supports a wide range of Interior Gateway Protocols (IGPs). Cisco recommends deploying a single routing protocol across the medium enterprise network infrastructure.
• Hierarchical routing domain—Routing protocols must be designed in a hierarchical model that allows the network to scale and operate with greater stability. Building a routing boundary and summarizing the network minimizes the topology size and synchronization procedure, which improves overall network resource use and re-convergence.

Routing Protocol Selection Criteria

The criteria for choosing the right protocol vary based on the end-to-end network infrastructure. Although all the routing protocols that Cisco IOS currently supports can provide a viable solution, network architects must consider all the following critical design factors when selecting the right routing protocol to be implemented throughout the internal network:
• Network design—Requires a proven protocol that can scale in full-mesh campus network designs and can optimally function in hub-and-spoke WAN network topologies.
• Scalability—The routing protocol function must be network- and system-efficient and operate with a minimal number of updates and re-computations, independent of the number of routes in the network.
• Rapid convergence—Link-state versus DUAL re-computation and synchronization. Network re-convergence also varies based on network design, configuration, and a multitude of other factors that may be more than a specific routing protocol can handle. The best convergence time can be achieved from a routing protocol if the network is designed to the strengths of the protocol.
• Operational—A simplified routing protocol that can provide ease of configuration, management, and troubleshooting.
Cisco IOS supports a wide range of routing protocols, such as Routing Information Protocol (RIP) v1/2, Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS). Cisco recommends using EIGRP or OSPF for this network design. EIGRP is a popular version of an Interior Gateway Protocol (IGP) because it has all the capabilities needed for small to large-scale networks, offers rapid network convergence, and above all is simple to operate and manage. OSPF is a popular link-state protocol for large-scale enterprise and service provider networks. OSPF enforces hierarchical routing domains in two tiers by implementing backbone and non-backbone areas. The OSPF area function depends on the network connectivity model and the role of each OSPF router in the domain. However, although OSPF can scale higher, the operation, configuration, and management might become too complex for the medium enterprise LAN network infrastructure. Other technical factors must be considered when implementing OSPF in the network, such as OSPF router type, link type, maximum transmission unit (MTU) considerations, designated router (DR)/backup designated router (BDR) priority, and so on. This document provides design guidance for using simplified EIGRP in the medium enterprise campus and WAN network infrastructure.

Note For detailed information on EIGRP and OSPF, see the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/routed-ex.html.

Designing an End-to-End EIGRP Routing Network

EIGRP is a balanced hybrid routing protocol that builds neighbor adjacency and a flat routing topology on a per autonomous system (AS) basis. Cisco recommends considering the following three critical design tasks before implementing EIGRP in the medium enterprise LAN core layer network:

• EIGRP autonomous system—The Layer 3 LAN and WAN infrastructure of the medium enterprise design must be deployed in a single EIGRP AS, as shown in Figure 2-37. A single EIGRP AS reduces operational tasks and prevents route redistribution, loops, and other problems that may occur because of misconfiguration. Figure 2-37 illustrates the end-to-end single EIGRP autonomous system design in the medium enterprise network.

Figure 2-37 Sample End-to-End EIGRP Routing Design in Medium Enterprise LAN Network (figure: the main site, the WAN, and the remote large, medium, and small sites are all in EIGRP AS 100)

Implementing EIGRP Routing Protocol

The following sample configuration provides deployment guidelines for implementing the EIGRP routing protocol on all Layer 3 network devices in a single autonomous system (AS):

cr23-VSS-Core(config)#router eigrp 100
cr23-VSS-Core(config-router)# network 10.0.0.0

cr23-VSS-Core(config-router)# eigrp router-id 10.125.200.254
cr23-VSS-Core(config-router)# no auto-summary

cr23-VSS-Core#show ip eigrp neighbors
EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold  Uptime   SRTT   RTO  Q    Seq
                                (sec)          (ms)        Cnt  Num
7   10.125.0.13     Po101       12    3d16h    1      200  0    62
0   10.125.0.15     Po102       10    3d16h    1      200  0    503
1   10.125.0.17     Po103       11    3d16h    1      200  0    52
…

cr23-VSS-Core#show ip route eigrp | inc /16|/20|0.0.0.0
10.0.0.0/8 is variably subnetted, 41 subnets, 5 masks
D       10.126.0.0/16 [90/3072] via 10.125.0.23, 08:33:16, Port-channel106
D       10.125.96.0/20 [90/3072] via 10.125.0.13, 08:33:15, Port-channel101
D       10.125.0.0/16 is a summary, 08:41:12, Null0
D       10.125.128.0/20 [90/3072] via 10.125.0.17, 08:33:18, Port-channel103
…
D*EX    0.0.0.0/0 [170/515072] via 10.125.0.27, 08:33:20, Port-channel108

• EIGRP adjacency protection—This increases network infrastructure efficiency and protection by securing the EIGRP adjacencies with internal systems. This task involves two implementation subtasks on each EIGRP-enabled network device:

– Increases system efficiency—Blocks EIGRP processing with passive-mode configuration on physical or logical interfaces connected to non-EIGRP devices in the network, such as PCs. This best practice helps reduce CPU utilization and prevents unprotected EIGRP adjacencies with untrusted devices. The following sample configuration provides guidelines to enable EIGRP protocol communication on trusted interfaces and block it on all other system interfaces. This recommended best practice must be enabled on all the EIGRP Layer 3 systems in the network:

cr23-VSS-Core(config)#router eigrp 100
cr23-VSS-Core(config-router)# passive-interface default
cr23-VSS-Core(config-router)# no passive-interface Port-channel101
cr23-VSS-Core(config-router)# no passive-interface Port-channel102
<snippet>
cr23-VSS-Core(config-router)# no passive-interface Port-channel108

– Network security—Each EIGRP neighbor in the LAN/WAN network must be trusted by implementing and validating the Message-Digest algorithm 5 (MD5) authentication method on each EIGRP-enabled system in the network. The following recommended EIGRP MD5 adjacency authentication configuration must be applied on each non-passive EIGRP interface to establish secure communication with remote neighbors. This recommended best practice must be enabled on all the EIGRP Layer 3 systems in the network:

cr23-VSS-Core(config)#key chain eigrp-key
cr23-VSS-Core(config-keychain)# key 1
cr23-VSS-Core(config-keychain-key)#key-string <password>
cr23-VSS-Core(config)#interface range Port-channel 101 - 108
cr23-VSS-Core(config-if-range)# ip authentication mode eigrp 100 md5
cr23-VSS-Core(config-if-range)# ip authentication key-chain eigrp 100 eigrp-key

• Optimizing EIGRP topology—EIGRP allows network administrators to summarize multiple individual and contiguous networks into a single summary network before advertising to the neighbor. Route summarization helps improve network performance, stability, and convergence by hiding the fault of an individual network that would otherwise require each router in the network to synchronize the routing topology. Each aggregating device must summarize a large number of networks into a single summary route. Figure 2-38 shows an example of the EIGRP topology for the medium enterprise LAN design.
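The two adjacency-protection subtasks above can be verified against a running configuration. The following Python script is an added example, not code from the Cisco guide; it parses a constructed IOS-style configuration (the interface names and AS number follow the examples above, the configuration itself is constructed) and reports every interface left active for EIGRP that lacks MD5 authentication or a usable key chain.

```python
"""Audit an IOS-style running configuration for the EIGRP adjacency-protection
practices above: one EIGRP AS, passive-interface default, and MD5 authentication
with a defined key chain on every interface left active for EIGRP."""
import re
from collections import defaultdict

# Constructed sample running-config (not captured from any real device).
# Port-channel102 is active for EIGRP but carries no authentication statements;
# Port-channel103 references a key chain that is never defined.
SAMPLE_CONFIG = """\
key chain eigrp-key
 key 1
  key-string <password>
!
interface Port-channel101
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 eigrp-key
!
interface Port-channel102
 description Missing EIGRP authentication
!
interface Port-channel103
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 other-chain
!
router eigrp 100
 network 10.0.0.0
 eigrp router-id 10.125.200.254
 no auto-summary
 passive-interface default
 no passive-interface Port-channel101
 no passive-interface Port-channel102
 no passive-interface Port-channel103
"""


def parse_blocks(config):
    """Group an IOS config into {top-level line: [stripped child lines]}."""
    blocks, header = defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            header = None          # '!' or a blank line ends the current block
        elif raw.startswith(" "):
            if header is not None:
                blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header]         # register headers that have no children too
    return blocks


def audit_eigrp_adjacency(config):
    """Return a list of finding strings; an empty list means the config complies."""
    blocks = parse_blocks(config)
    findings = []
    procs = [h for h in blocks if h.startswith("router eigrp ")]
    if len(procs) != 1:
        return [f"expected exactly one EIGRP process, found {len(procs)}"]
    asn = procs[0].split()[2]
    router_lines = blocks[procs[0]]
    if "passive-interface default" not in router_lines:
        findings.append(f"router eigrp {asn}: passive-interface default is missing")
    # Key chains that actually carry a key-string.
    usable_chains = {
        h.split(maxsplit=2)[2]
        for h in blocks
        if h.startswith("key chain ") and any(l.startswith("key-string") for l in blocks[h])
    }
    active = [l.split(maxsplit=2)[2] for l in router_lines if l.startswith("no passive-interface ")]
    for intf in active:
        lines = blocks.get(f"interface {intf}", [])
        if f"ip authentication mode eigrp {asn} md5" not in lines:
            findings.append(f"{intf}: EIGRP {asn} adjacency is not MD5-authenticated")
        chain = None
        for l in lines:
            m = re.fullmatch(rf"ip authentication key-chain eigrp {asn} (\S+)", l)
            if m:
                chain = m.group(1)
        if chain is None:
            findings.append(f"{intf}: no key chain bound to EIGRP {asn}")
        elif chain not in usable_chains:
            findings.append(f"{intf}: key chain {chain} is undefined or has no key-string")
    return findings


if __name__ == "__main__":
    for finding in audit_eigrp_adjacency(SAMPLE_CONFIG):
        print(finding)
```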

Figure 2-38 EIGRP Route Aggregator Design (figure: main site access, distribution, core, WAN edge, and WAN aggregator systems; each aggregator summarizes the block below it)

The following configuration must be applied on each EIGRP route aggregator system depicted in Figure 2-38. EIGRP route summarization must be implemented on the upstream logical port-channel interface to announce a single prefix from each block.

cr22-6500-LB(config)#interface Port-channel100
cr22-6500-LB(config-if)# ip summary-address eigrp 100 10.125.96.0 255.255.240.0

cr22-6500-LB#show ip protocols
…
  Address Summarization:
    10.125.96.0/20 for Port-channel100
<snippet>

cr22-6500-LB#show ip route | inc Null0
D       10.125.96.0/20 is a summary, 3d16h, Null0

• EIGRP Timers—By default, EIGRP speakers transmit Hello packets every 5 seconds and terminate the EIGRP adjacency if the neighbor fails to receive a Hello within the 15-second hold-down time. In this network design, Cisco recommends retaining the default EIGRP Hello and Hold timers on all EIGRP-enabled platforms.

Designing the Campus Distribution Layer Network

This section provides design guidelines for deploying various types of Layer 2 and Layer 3 technology in the distribution layer. Independent of which distribution layer design model is deployed, the deployment guidelines remain consistent in all designs. Because the distribution layer can be deployed with both Layer 2 and Layer 3 technologies, the following two network designs are recommended:

• Multilayer
• Routed access

Designing the Multilayer Network

A multilayer network is a traditional, simple, and widely deployed scenario, regardless of network scale. The access layer switches in the campus network edge interface with various types of endpoints and provide intelligent Layer 1/2 services. The access layer switches interconnect to distribution switches with a Layer 2 trunk, and rely on the distribution layer aggregation switch to perform intelligent Layer 3 forwarding and to set policies and access control. There are three design variations for building a multilayer network. All variations must be deployed in a V-shape physical network design and must be built to provide a loop-free topology:

• Flat—Certain applications and user access require that the broadcast domain design span more than a single wiring closet switch. The multilayer network design provides the flexibility to build a single large broadcast domain with an extended star topology. Such flexibility introduces scalability, performance, and security challenges, and may require extra attention to protect the network against misconfiguration and miswiring that can create spanning-tree loops and de-stabilize the network.

• Segmented—Provides a unique VLAN for different organization divisions and enterprise business function segments to build a per-department logical network. All network communication between various enterprise and administrative groups passes through the routing and forwarding policies defined at the distribution layer.

• Hybrid—A hybrid logical network design segments VLAN workgroups that do not span different access layer switches, and allows certain VLANs (for example, the network management VLAN) to span across the access-distribution block. The hybrid network design enables flat Layer 2 communication without impacting the network, and also helps reduce the number of subnets used.

Figure 2-39 shows the three design variations for the multilayer network.

Figure 2-39 Multilayer Design Variations (figure: Multi-Layer Flat Network with a single VLAN 10 across all access switches; Multi-Layer Segmented VLAN with Marketing VLAN 10, Sales VLAN 20, and Engineering VLAN 30; Multi-Layer Hybrid Network with the per-department VLANs plus Network Management VLAN 900 spanning the block; each variant is a V-shape network with a single root bridge and loop-free EtherChannel uplinks to the VSL distribution pair)

Cisco recommends that the hybrid multilayer access-distribution block design use a loop-free network topology, and span only the few VLANs that require such flexibility, such as the management VLAN. The following sample configuration provides guidelines to deploy several types of multilayer network components for the hybrid multilayer access-distribution block. All of the configuration and best practices remain consistent and can be deployed independent of Layer 2 platform type and campus location:

VTP

VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. Cisco's VTP simplifies administration in a switched network. VTP can be configured in three modes—server, client, and transparent. It is recommended to deploy VTP in transparent mode; set the VTP domain name and change the mode to transparent as follows:

cr22-3750-LB(config)#vtp domain CCVE-LB
cr22-3750-LB(config)#vtp mode transparent
cr22-3750-LB(config)#vtp version 2

cr22-3750-LB#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CCVE-LB

VLAN

cr22-3750-LB(config)#vlan 101
cr22-3750-LB(config-vlan)#name Untrusted_PC_VLAN
cr22-3750-LB(config)#vlan 102
cr22-3750-LB(config-vlan)#name Lobby_IP_Phone_VLAN
cr22-3750-LB(config)#vlan 900
cr22-3750-LB(config-vlan)#name Mgmt_VLAN

cr22-3750-LB#show vlan | inc 101|102|900
101  Untrusted_PC_VLAN                active    Gi1/0/1

102  Lobby_IP_Phone_VLAN              active    Gi1/0/2
900  Mgmt_VLAN                        active

Implementing Layer 2 Trunk

In a typical campus network design, a single access switch is deployed with more than a single VLAN, for example a Data VLAN and a Voice VLAN. The Layer 2 network connection between the distribution and access device is a trunk interface. A VLAN tag is added to maintain logical separation between VLANs across the trunk. It is recommended to implement 802.1Q trunk encapsulation in static mode instead of negotiating mode, to improve the rapid link bring-up performance.

Enabling the Layer 2 trunk on a port-channel automatically enables communication for all of the active VLANs between the access and distribution. This may create an adverse impact in a large scale network: the access-layer switch may receive flooded traffic destined to another access switch. Hence it is important to limit traffic on Layer 2 trunk ports by statically allowing only the active VLANs, to ensure efficient and secure network performance. Allowing only the assigned VLANs on a trunk port automatically filters the rest.

By default on Cisco Catalyst switches, the native VLAN on each Layer 2 trunk port is VLAN 1, which cannot be disabled or removed from the VLAN database. The native VLAN remains active on all access switch Layer 2 ports. The default native VLAN must be properly configured to avoid several security risks, such as attacks, worms and viruses, or data theft. Any malicious traffic originated in VLAN 1 will span across the access-layer network. With a VLAN-hopping attack it is possible to attack a system which does not reside in VLAN 1. The best practice to mitigate this security risk is to implement an unused and unique VLAN ID as the native VLAN on the Layer 2 trunk between the access and distribution switch. For example, configure VLAN 801 in the access switch and in the distribution switch, then change the default native VLAN setting in both switches. Thereafter, VLAN 801 must not be used anywhere for any purpose in the same access-distribution block.

The following is the configuration example to implement the Layer 2 trunk, filter the VLAN list, and configure the native VLAN to prevent attacks and optimize the port-channel interface. When the following configurations are applied on the port-channel interface (i.e., Port-channel 1), they are automatically inherited on each bundled member link (i.e., Gig1/0/49 and Gig1/0/50):

Access-Layer

cr22-3750-LB(config)#vlan 801
cr22-3750-LB(config-vlan)#name Hopping_VLAN
cr22-3750-LB(config)#interface Port-channel1
cr22-3750-LB(config-if)#description Connected to cr22-6500-LB
cr22-3750-LB(config-if)#switchport
cr22-3750-LB(config-if)#switchport trunk encapsulation dot1q
cr22-3750-LB(config-if)#switchport trunk native vlan 801
cr22-3750-LB(config-if)#switchport trunk allowed vlan 101-110,900
cr22-3750-LB(config-if)#switchport mode trunk

cr22-3750-LB#show interface port-channel 1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      801

Port        Vlans allowed on trunk
Po1         101-110,900
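The trunk hardening practices above (static dot1q trunking, an unused non-default native VLAN, a pruned allowed-VLAN list) can be checked from the show interface trunk output format shown above. The following Python script is an added example, not code from the Cisco guide; its hardened sample repeats the Po1 values from above and its second sample is a constructed trunk left at Catalyst defaults.

```python
"""Check 'show interface ... trunk' output against the trunk hardening practices
above: static dot1q trunking, an unused non-default native VLAN, and an explicit
allowed-VLAN list that does not carry the native VLAN."""

# Constructed sample output in the format shown above (not a real capture);
# it reproduces the hardened Po1 values from the configuration above.
HARDENED = """\
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      801

Port        Vlans allowed on trunk
Po1         101-110,900

Port        Vlans allowed and active in management domain
Po1         101-110,900

Port        Vlans in spanning tree forwarding state and not pruned
Po1         101-110,900
"""

# Constructed output for a trunk left at Catalyst defaults: negotiated trunking
# and encapsulation, native VLAN 1, and every VLAN allowed.
DEFAULTS = """\
Port        Mode         Encapsulation  Status        Native vlan
Po1         desirable    n-802.1q       trunking      1

Port        Vlans allowed on trunk
Po1         1-4094
"""


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '101-110,900' into a set of VLAN ids."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk_output(output):
    """Return {port: {mode, encap, native, allowed}} from show-trunk text."""
    ports, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":               # a column header starts a section
            if "Native vlan" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                # management-domain / STP sections
            continue
        if section == "status":
            ports[fields[0]] = {"mode": fields[1], "encap": fields[2],
                                "native": int(fields[4]), "allowed": set()}
        elif section == "allowed" and fields[0] in ports:
            ports[fields[0]]["allowed"] = parse_vlan_list(fields[1])
    return ports


def audit_trunk(output, max_vlans=64):
    """Return one finding per violated practice; an empty list means compliant."""
    findings = []
    for port, t in parse_trunk_output(output).items():
        if t["mode"] != "on":
            findings.append(f"{port}: trunk mode is '{t['mode']}', expected static 'on'")
        if t["encap"] != "802.1q":            # 'n-802.1q' means negotiated
            findings.append(f"{port}: encapsulation '{t['encap']}' is not static dot1q")
        if t["native"] == 1:
            findings.append(f"{port}: native VLAN is the default VLAN 1")
        if len(t["allowed"]) > max_vlans:
            findings.append(f"{port}: {len(t['allowed'])} VLANs allowed, list is not pruned")
        if t["native"] in t["allowed"]:
            findings.append(f"{port}: native VLAN {t['native']} is also a carried data VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk(DEFAULTS):
        print(finding)
```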

Port        Vlans allowed and active in management domain
Po1         101-110,900

Port        Vlans in spanning tree forwarding state and not pruned
Po1         101-110,900

Spanning-Tree in Multilayer Network

Spanning Tree (STP) is a Layer 2 protocol that prevents logical loops in switched networks with redundant links. The medium enterprise LAN network design uses an EtherChannel or MEC (point-to-point logical Layer 2 bundle) connection between the access-layer and distribution switch, which inherently simplifies the STP topology and operation. In this point-to-point network design, the STP operation is done on a logical port; therefore, it is assigned automatically to the forwarding state.

Over the years, the STP protocols have evolved into the following versions:

• Per-VLAN Spanning Tree Plus (PVST+)—Provides a separate 802.1D STP for each active VLAN in the network.

• IEEE 802.1w-Rapid PVST+—Provides an instance of RSTP (802.1w) per VLAN. It is easy to implement, proven in large scale networks that support up to 3000 logical ports, and greatly improves network restoration time.

• IEEE 802.1s-MST—Provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance.

The following is the example configuration for enabling STP in the multilayer network:

Distribution-Layer

cr22-6500-LB(config)#spanning-tree mode rapid-pvst
cr22-6500-LB#show spanning-tree summary | inc mode
Switch is in rapid-pvst mode

Access-Layer

cr22-3750-LB(config)#spanning-tree mode rapid-pvst

Hardening Spanning-Tree Toolkit

Ensuring a loop-free topology is critical in a multilayer network design. Spanning-Tree Protocol (STP) dynamically develops a loop-free multilayer network topology that can compute the best forwarding path and provide redundancy. Although STP behavior is deterministic, it is not optimally designed to mitigate network instability caused by hardware miswiring or software misconfiguration. Cisco has developed several STP extensions to protect against network malfunctions, and to increase stability and availability. All Cisco Catalyst LAN switching platforms support the complete STP toolkit suite, which must be enabled globally and on individual logical and physical ports of the distribution and access layer switches. Figure 2-40 shows an example of enabling various STP extensions on distribution and access layer switches in all campus sites.

Figure 2-40 Protecting Multilayer Network with Cisco STP Toolkit

(Figure 2-40 content: the distribution VSL pair is the STP root bridge with Root Guard and UDLD on the Layer 2 trunk ports; the access switches run UDLD and Root Guard on the trunk ports and BPDU Guard and PortFast on the edge ports)

Note For additional STP information, see the following URL: http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_troubleshooting_technotes_list.html.

Designing the Routed Access Network

Routing functions in the access layer network simplify configuration, optimize distribution performance, and provide end-to-end troubleshooting tools. Implementing Layer 3 functions in the access layer replaces the Layer 2 trunk configuration with a single point-to-point Layer 3 interface to a collapsed core system in the aggregation layer. Pushing Layer 3 functions one tier down onto Layer 3 access switches changes the traditional multilayer network topology and forwarding development path. Implementing Layer 3 functions in the access switch does not require any physical or logical link reconfiguration; the existing access-distribution block can be used, and is as resilient as in the multilayer network design. Figure 2-41 shows the differences between the multilayer and routed access network designs, as well as where the Layer 2 and Layer 3 boundaries exist in each network design.

Figure 2-41 Layer 2 and Layer 3 Boundaries for Multilayer and Routed Access Network Design (figure: in the multilayer network the core and distribution run routing while STP and Layer 2 extend from the distribution down to the access VLANs 10, 20, and 30; in the routed-access network routing extends down to the access switches and only the access VLANs remain Layer 2)

The routed-access network design enables Layer 3 access switches to be the Layer 2 demarcation point and to provide inter-VLAN routing and the gateway function to the endpoints. The Layer 3 access switches make more intelligent, multi-function, and policy-based routing and switching decisions, like distribution-layer switches.

Although Cisco VSS and a single redundant distribution design are simplified with a single point-to-point EtherChannel, the benefits of implementing the routed access design in medium enterprises are as follows:

• Eliminates the need for implementing STP and the STP toolkit on the distribution system. As a best practice, the STP toolkit must be hardened at the access layer.

• Shrinks the Layer 2 fault domain, thus minimizing the number of denial-of-service (DoS)/distributed denial-of-service (DDoS) attacks.

• Bandwidth efficiency—Improves Layer 3 uplink network bandwidth efficiency by suppressing Layer 2 broadcasts at the edge port.

• Improves overall collapsed core and distribution resource utilization.

Enabling Layer 3 functions in the access-distribution block must follow the same core network designs mentioned in the previous sections to provide network security as well as to optimize the network topology and system resource utilization:

• EIGRP autonomous system—Layer 3 access switches must be deployed in the same EIGRP AS as the distribution and core layer systems.

• EIGRP adjacency protection—EIGRP processing must be enabled on the uplink Layer 3 EtherChannels, and the remaining Layer 3 ports must be blocked by default in passive mode. Access switches must establish a secured EIGRP adjacency using the MD5 hash algorithm with the aggregation system.

• EIGRP network boundary—All EIGRP neighbors must be in a single AS to build a common network topology. The Layer 3 access switches must be deployed in EIGRP stub mode for a concise network view.

Implementing Routed Access in Access-Distribution Block

The Cisco IOS configuration to implement the Layer 3 routing function on the Catalyst access-layer switch remains consistent. Refer to the EIGRP routing configuration and best practices defined in the Designing an End-to-End EIGRP Routing Network section to implement the routing function in access-layer switches.

EIGRP creates and maintains a single flat routing topology network between EIGRP peers. Building a single routing domain in a large-scale campus core design allows for complete network visibility and reachability that may interconnect multiple campus components, such as distribution blocks, services blocks, the data center, the WAN edge, and so on.

In the three- or two-tier deployment models, the Layer 3 access switch must always have a single physical or logical forwarding path to a distribution switch. The Layer 3 access switch dynamically develops the forwarding topology pointing to a single distribution switch as a single Layer 3 next hop. Because the distribution switch provides the gateway function to the rest of the network, the routing design on the Layer 3 access switch can be optimized with the following two techniques to improve performance and network reconvergence in the access-distribution block, as shown in Figure 2-42:

• Deploying the Layer 3 access switch in EIGRP stub mode

An EIGRP stub router in the Layer 3 access switch can announce routes to a distribution-layer router with great flexibility. The following is an example configuration to enable EIGRP stub routing in the Layer 3 access switch; no configuration changes are required in the distribution system:

• Access layer

cr22-4507-LB(config)#router eigrp 100
cr22-4507-LB(config-router)# eigrp stub connected

cr22-4507-LB#show eigrp protocols detailed
Address Family Protocol EIGRP-IPv4:(100)
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  EIGRP NSF-aware route hold timer is 240
  EIGRP NSF enabled
     NSF signal timer is 20s
     NSF converge timer is 120s
     Time since last restart is 2w2d
  EIGRP stub, connected
  Topologies : 0(base)

• Distribution layer

cr22-6500-LB#show ip eigrp neighbors detail port-channel 101
EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold  Uptime   SRTT   RTO  Q    Seq
                                (sec)          (ms)        Cnt  Num
2   10.125.0.1      Po101       13    3d18h    4      200  0    98
   Version 4.0/3.0, Retrans: 0, Retries: 0, Prefixes: 6
   Topology-ids from peer - 0
   Stub Peer Advertising ( CONNECTED ) Routes
   Suppressing queries

• Summarizing the network view with a default route to the Layer 3 access switch for intelligent routing functions

Figure 2-42 Designing and Optimizing EIGRP Network Boundary for the Access Layer (figure: left, EIGRP Stub Network, where the access switch in EIGRP AS-100 stub mode advertises only its connected networks and receives the non-summarized network plus a default route; right, Summarized EIGRP Route Advertisement, where the aggregator in AS-100 advertises summarized networks to the routed-access block; both sides carry Marketing VLAN 10, Sales VLAN 20, and Engineering VLAN 30)

The following sample configuration demonstrates the procedure to implement route filtering at the distribution layer that allows only summarized and default-route advertisement, to build a concise network topology at the access layer. The distribute-list references a route-map that matches the prefix-list; the route-map definition is not shown on the original page, so a minimal one is included here.

• Distribution layer

cr22-6500-LB(config)# ip prefix-list EIGRP_STUB_ROUTES seq 5 permit 0.0.0.0/0
cr22-6500-LB(config)# ip prefix-list EIGRP_STUB_ROUTES seq 10 permit 10.122.0.0/16
cr22-6500-LB(config)# ip prefix-list EIGRP_STUB_ROUTES seq 15 permit 10.123.0.0/16
cr22-6500-LB(config)# ip prefix-list EIGRP_STUB_ROUTES seq 20 permit 10.124.0.0/16
cr22-6500-LB(config)# ip prefix-list EIGRP_STUB_ROUTES seq 25 permit 10.125.0.0/16
cr22-6500-LB(config)# ip prefix-list EIGRP_STUB_ROUTES seq 30 permit 10.126.0.0/16
cr22-6500-LB(config)#route-map EIGRP_STUB_ROUTES permit 10
cr22-6500-LB(config-route-map)# match ip address prefix-list EIGRP_STUB_ROUTES
cr22-6500-LB(config)#router eigrp 100
cr22-6500-LB(config-router)#distribute-list route-map EIGRP_STUB_ROUTES out Port-channel101
cr22-6500-LB(config-router)#distribute-list route-map EIGRP_STUB_ROUTES out Port-channel102
cr22-6500-LB(config-router)#distribute-list route-map EIGRP_STUB_ROUTES out Port-channel103

cr22-6500-LB#show ip protocols
…
  Outgoing update filter list for all interfaces is not set
    Port-channel101 filtered by
    Port-channel102 filtered by
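To show what the outbound filter above actually passes to the stub access switch, the following Python script (an added example, not code from the Cisco guide) applies the EIGRP_STUB_ROUTES prefix-list with IOS prefix-list semantics, first match wins and unmatched prefixes are denied, to a constructed distribution routing table; it also handles ge/le entries, which goes beyond the exact-match entries used above.

```python
"""Apply an IOS-style prefix-list to a routing table the way the distribute-list
above does: entries are evaluated in sequence order, the first match decides, and
an unmatched prefix is denied. Entries with ge/le are supported as well."""
import ipaddress
import re

# The prefix-list from the configuration above, as entered on the distribution switch.
EIGRP_STUB_ROUTES = """\
ip prefix-list EIGRP_STUB_ROUTES seq 5 permit 0.0.0.0/0
ip prefix-list EIGRP_STUB_ROUTES seq 10 permit 10.122.0.0/16
ip prefix-list EIGRP_STUB_ROUTES seq 15 permit 10.123.0.0/16
ip prefix-list EIGRP_STUB_ROUTES seq 20 permit 10.124.0.0/16
ip prefix-list EIGRP_STUB_ROUTES seq 25 permit 10.125.0.0/16
ip prefix-list EIGRP_STUB_ROUTES seq 30 permit 10.126.0.0/16
"""

# Constructed routing table of the distribution switch: the site summaries and
# default route plus more specific block prefixes that must not leak to the stub.
DISTRIBUTION_ROUTES = [
    "0.0.0.0/0", "10.122.0.0/16", "10.123.0.0/16", "10.124.0.0/16",
    "10.125.0.0/16", "10.126.0.0/16", "10.125.96.0/20", "10.125.128.0/20",
    "10.125.100.0/24", "10.100.100.100/32",
]

ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")


def parse_prefix_list(text):
    """Return entries sorted by sequence number as (seq, action, network, ge, le)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            _, seq, action, prefix, ge, le = m.groups()
            entries.append((int(seq), action, ipaddress.ip_network(prefix),
                            int(ge) if ge else None, int(le) if le else None))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, route):
    """IOS semantics: the route's first L bits equal the entry's network, and its
    length is exactly L unless ge/le define a wider accepted length range."""
    _, _, net, ge, le = entry
    if route.version != net.version or route.network_address not in net:
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (route.max_prefixlen if ge is not None else net.prefixlen)
    return low <= route.prefixlen <= high


def evaluate(entries, route):
    """First matching sequence decides; no match is an implicit deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False


def advertised_routes(prefix_list_text, routes):
    """Prefixes (as strings) that survive the outbound filter, sorted."""
    entries = parse_prefix_list(prefix_list_text)
    return sorted(r for r in routes if evaluate(entries, ipaddress.ip_network(r)))


if __name__ == "__main__":
    for r in advertised_routes(EIGRP_STUB_ROUTES, DISTRIBUTION_ROUTES):
        print("advertised to stub:", r)
```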

    Port-channel103 filtered by

• Access layer

cr22-4507-LB#show ip route eigrp
10.0.0.0/8 is variably subnetted, 12 subnets, 4 masks
D       10.122.0.0/16 [90/3840] via 10.125.0.0, 07:49:11, Port-channel1
D       10.123.0.0/16 [90/3840] via 10.125.0.0, 07:49:11, Port-channel1
D       10.124.0.0/16 [90/3584] via 10.125.0.0, 07:49:13, Port-channel1
D       10.125.0.0/16 [90/768] via 10.125.0.0, 01:42:22, Port-channel1
D       10.126.0.0/16 [90/64000] via 10.125.0.0, 07:49:13, Port-channel1
D*EX    0.0.0.0/0 [170/515584] via 10.125.0.0, 07:49:11, Port-channel1

Multicast for Application Delivery

Because unicast communication is based on the one-to-one forwarding model, it is easier in routing and switching decisions to perform the destination address lookup, determine the egress path by scanning forwarding tables, and switch the traffic. In the unicast routing and switching technologies discussed in the previous section, the network may need to be made more efficient for certain applications where the same content or application must be replicated to multiple users. IP multicast delivers source traffic to multiple receivers using the least amount of network resources possible, without placing an additional burden on the source or the receivers. Multicast packet replication in the network is done by Cisco routers and switches enabled with Protocol Independent Multicast (PIM) as well as other multicast routing protocols.

Similar to the unicast methods, multicast requires the following design guidelines:

• Choosing a multicast addressing design
• Choosing a multicast routing protocol
• Providing multicast security regardless of the location within the medium enterprise design

Multicast Addressing Design

The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. A range of class D address space is assigned to be used for IP multicast applications. All multicast group addresses fall in the range from 224.0.0.0 through 239.255.255.255. Layer 3 addresses in multicast communications operate differently: while the destination address of IP multicast traffic is in the multicast group range, the source IP address is always in the unicast address range. Multicast addresses are assigned in various pools for well-known multicast-based network protocols or inter-domain multicast communications, as listed in Table 2-5.

Table 2-5 Multicast Address Range Assignments

Application                                                                                        Address Range
Reserved—Link local network protocols.                                                             224.0.0.0/24
Global scope—Group communication between an organization and the Internet.                         224.0.1.0 – 238.255.255.255
Source Specific Multicast (SSM)—PIM extension for one-to-many unidirectional multicast communication.   232.0.0.0/8

Table 2-5 Multicast Address Range Assignments (continued)

GLOP—Inter-domain multicast group assignment with reserved global AS.                              233.0.0.0/8
Limited scope—Administratively scoped address that remains constrained within a local organization or AS. Commonly deployed in enterprise, education, and other organizations.   239.0.0.0/8

During the multicast network design phase, medium enterprise network architects must select a range of multicast sources from the limited scope pool (239/8).

Multicast Routing Design

To enable end-to-end dynamic multicast operation in the network, each intermediate system between the multicast receiver and source must support the multicast feature. Multicast develops the forwarding table differently than the unicast routing and switching model. To enable communication, multicast requires specific multicast routing protocols and dynamic group membership.

The medium enterprise LAN design must be able to build packet distribution trees that specify a unique forwarding path between the subnet of the source and each subnet containing members of the multicast group. A primary goal in distribution tree construction is to ensure that no more than one copy of each packet is forwarded on each branch of the tree. The two basic types of multicast distribution trees are as follows:

• Source trees—The simplest form of a multicast distribution tree is a source tree, with its root at the source and branches forming a tree through the network to the receivers. Because this tree uses the shortest path through the network, it is also referred to as a shortest path tree (SPT).

• Shared trees—Unlike source trees that have their root at the source, shared trees use a single common root placed at a selected point in the network. This shared root is called a rendezvous point (RP).

The PIM protocol is divided into the following two modes to support both types of multicast distribution trees:

• Dense mode (DM)—Assumes that almost all routers in the network need to distribute multicast traffic for each multicast group (for example, almost all hosts on the network belong to each multicast group). PIM in DM mode builds distribution trees by initially flooding the entire network and then pruning back the small number of paths without receivers.

• Sparse mode (SM)—Assumes that relatively few routers in the network are involved in each multicast. The hosts belonging to the group are widely dispersed, as might be the case for most multicasts over the WAN. Therefore, PIM-SM begins with an empty distribution tree and adds branches only as the result of explicit Internet Group Management Protocol (IGMP) requests to join the distribution. PIM-SM mode is ideal for a network without dense receivers and for multicast transport over WAN environments.

Selecting the PIM mode depends on the multicast applications that use various mechanisms to build multicast distribution trees. Based on the multicast scale factor and the centralized source deployment design for one-to-many multicast communication in medium enterprise LAN infrastructures, Cisco recommends deploying PIM-SM because it is efficient and intelligent in building the multicast distribution tree, and it adjusts its behavior to match the characteristics of each receiver group. All the recommended platforms in this design support PIM-SM mode on physical or logical (switched virtual interface [SVI] and EtherChannel) interfaces.

Designing PIM Rendezvous Point

The following sections discuss best practices in designing and deploying the PIM-SM Rendezvous Point.

PIM-SM RP Placement

It is assumed that each medium enterprise site has a wide range of local multicast sources in the data center for distributed medium enterprise IT-managed media and employee research and development applications. In such a distributed multicast network design, Cisco recommends deploying a PIM RP on each site so that wired or wireless multicast receivers and sources join and register at the closest RP. The Medium Enterprise Reference design recommends PIM-SM RP placement on the VSS-enabled, single resilient core system in the three-tier campus design, and on the collapsed core/distribution system in the two-tier campus design model. See Figure 2-43.

Figure 2-43 Distributed PIM-SM RP Placement (figure: a PIM-SM RP on the VSL core of the main site and on the core of each remote large, medium, and small site, each site with a local data center multicast source)

PIM-SM RP Mode

PIM-SM supports RP deployment in the following three modes in the network:

• Static—In this mode, the RP must be statically identified and configured on each PIM router in the network. RP load balancing and redundancy can be achieved using anycast RP.

• Auto-RP—This mode is a dynamic method for discovering and announcing the RP in the network. Auto-RP implementation is beneficial when there are multiple RPs and groups that often change in the network. To prevent network reconfiguration during a change, the RP mapping agent router must be designated in the network to receive RP group announcements and to arbitrate conflicts, as part of the PIM version 1 specification.

and is part of the PIM version 2 specification.Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services • BootStrap Router (BSR)—This mode performs the same tasks as Auto-RP but in a different way. Static RP implementation offers RP redundancy and load sharing. Cisco recommends designing the medium enterprise LAN multicast network using the static PIM-SM mode configuration. static RP configuration is recommended over the other modes. Medium Enterprise Design Profile Reference Guide 2-67 . Auto-RP and BSR cannot co-exist or interoperate in the same network.to mid-sized multicast network. and an additional simple access control list (ACL) can be applied to deploy RP without compromising multicast network security. In a small. See Figure 2-44.

To provide transparent PIM-SM redundancy, the static PIM-SM RP configuration must be identical across the campus LAN network and on each PIM-SM RP router.

Figure 2-44 PIM-SM Network Design in Medium Enterprise Network (figure: PIM-SM enabled at the access, distribution, VSL core and QFP WAN edge layers of the main site, with the PIM-SM RP on the VSL core; a PIM-SM RP in each remote large, medium and small site; PIM-SM across the WAN)

The following is an example configuration to deploy PIM-SM RP on all PIM-SM running systems.

• Core layer
cr23-VSS-Core(config)#ip multicast-routing
cr23-VSS-Core(config)#interface Loopback100

cr23-VSS-Core(config-if)#description Anycast RP Loopback
cr23-VSS-Core(config-if)#ip address 10.100.100.100 255.255.255.255
cr23-VSS-Core(config)#ip pim rp-address 10.100.100.100

cr23-VSS-Core#show ip pim rp
Group: 239.192.51.1, RP: 10.100.100.100, next RP-reachable in 00:00:34
Group: 239.192.51.2, RP: 10.100.100.100, next RP-reachable in 00:00:34
Group: 239.192.51.3, RP: 10.100.100.100, next RP-reachable in 00:00:34

cr23-VSS-Core#show ip pim interface
Address          Interface          Ver/   Nbr    Query  DR     DR
                                    Mode   Count  Intvl  Prior
10.125.0.12      Port-channel101    v2/S   1      30     1      10.125.0.13
10.125.0.14      Port-channel102    v2/S   1      30     1      10.125.0.15
…

cr23-VSS-Core#show ip mroute sparse
(*, 239.192.51.8), 3d22h/00:03:20, RP 10.100.100.100, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Port-channel105, Forward/Sparse, 00:16:54/00:02:35
    Port-channel101, Forward/Sparse, 00:16:56/00:03:20

(10.125.31.147, 239.192.51.8), 00:16:54/00:02:54, flags: A
  Incoming interface: Port-channel105, RPF nbr 10.125.0.21
  Outgoing interface list:
    Port-channel101, Forward/Sparse, 00:16:54/00:03:20

cr23-VSS-Core#show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps
Group: 239.192.51.1, (?)
   Source: 10.125.31.153 (?)
     Rate: 2500 pps/4240 kbps(1sec), 4239 kbps(last 30 secs), 12 kbps(life avg)

• Distribution layer
cr22-6500-LB(config)#ip multicast-routing
cr22-6500-LB(config)#ip pim rp-address 10.100.100.100
cr22-6500-LB(config)#interface range Port-channel 100 - 103
cr22-6500-LB(config-if-range)#ip pim sparse-mode
cr22-6500-LB(config)#interface range Vlan 101 - 120
cr22-6500-LB(config-if-range)#ip pim sparse-mode

cr22-6500-LB#show ip pim rp
Group: 239.192.51.1, RP: 10.100.100.100, uptime 00:10:42, expires never
Group: 239.192.51.2, RP: 10.100.100.100, uptime 00:10:42, expires never
Group: 239.192.51.3, RP: 10.100.100.100, uptime 00:10:41, expires never
Group: 224.0.1.40, RP: 10.100.100.100, uptime 3d22h, expires never

cr22-6500-LB#show ip pim interface
Address          Interface          Ver/   Nbr    Query  DR     DR
                                    Mode   Count  Intvl  Prior
10.125.0.13      Port-channel100    v2/S   1      30     1      10.125.0.13
…

cr22-6500-LB#show ip mroute sparse
(*, 239.192.51.1), 00:14:23/00:03:21, RP 10.100.100.100, flags: SC
  Incoming interface: Port-channel100, RPF nbr 10.125.0.12, RPF-MFD
  Outgoing interface list:
    Port-channel102, Forward/Sparse, 00:13:27/00:03:06, H
    Vlan110, Forward/Sparse, 00:14:23/00:02:17, H
    Port-channel101, Forward/Sparse, 00:14:23/00:03:10, H
    Port-channel103, Forward/Sparse, 00:14:20/00:02:55, H
    Vlan120, Forward/Sparse, 00:14:02/00:02:13, H

cr22-6500-LB#show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps
Group: 239.192.51.1, (?)
   RP-tree: Rate: 2500 pps/4240 kbps(1sec), 4240 kbps(last 10 secs), 4011 kbps(life avg)

• Access layer
cr22-3560-LB(config)#ip multicast-routing distributed
cr22-3560-LB(config)#ip pim rp-address 10.100.100.100
cr22-3560-LB(config)#interface range Vlan 101 - 110
cr22-3560-LB(config-if-range)#ip pim sparse-mode

cr22-3560-LB#show ip pim rp
Group: 239.192.51.1, RP: 10.100.100.100, uptime 00:01:36, expires never
Group: 239.192.51.2, RP: 10.100.100.100, uptime 00:01:36, expires never
Group: 239.192.51.3, RP: 10.100.100.100, uptime 00:01:36, expires never
Group: 224.0.1.40, RP: 10.100.100.100, uptime 5w5d, expires never

cr22-3560-LB#show ip pim interface
Address          Interface          Ver/   Nbr    Query  DR     DR
                                    Mode   Count  Intvl  Prior
10.125.0.5       Port-channel1      v2/S   1      30     1      10.125.0.5
…

cr22-3560-LB#show ip mroute sparse
(*, 239.192.51.1), 00:06:08/00:02:09, RP 10.100.100.100, flags: SC
  Incoming interface: Port-channel1, RPF nbr 10.125.0.4
  Outgoing interface list:
    Vlan101, Forward/Sparse, 00:06:06/00:02:59, H
    Vlan110, Forward/Sparse, 00:06:06/00:02:05, H

• WAN edge layer
cr11-asr-we(config)#ip multicast-routing distributed
cr11-asr-we(config)#ip pim rp-address 10.100.100.100
cr11-asr-we(config)#interface range Port-channel1 , Gig0/2/0 , Gig0/2/1
cr11-asr-we(config-if-range)#ip pim sparse-mode
cr11-asr-we(config)#interface Ser0/3/0
cr11-asr-we(config-if)#ip pim sparse-mode

RP: 10. but does enable RPs to forward traffic between domains.100.3. (?) Source: 10. 00:24:08/00:03:07. Inter-Site PIM Anycast RP MSDP allows PIM RPs to share information about the active sources.0.sending >= 4 kbps Group: 239.100.100. uptime 00:23:16. Because VSS is logically a single system and provides node protection.192. The medium enterprise LAN multicast network must be designed with Anycast RP.2.100.57. while the multicast source can be in a local or remote network domain. flags: T Incoming interface: Port-channel1.192.100.156. Large networks typically use Anycast RP for configuring a PIM-SM network to meet fault tolerance requirements within a single multicast domain.1. RP: 10.31.192. uptime 00:23:16.125. RP 10. there is no need to implement Anycast RP and MSDP on a VSS-enabled PIM-SM RP. PIM-SM is used to forward the traffic between the multicast domains.156 (?) Rate: 625 pps/1130 kbps(1sec).192.100. 1130 kbps(last 40 secs). In the non-VSS-enabled network design. PIM-SM RPs discover local receivers through PIM join messages.100.0. MSDP allows each multicast domain to maintain an independent RP that does not rely on other multicast domains. PIM-SM uses Anycast RP and Multicast Source Discovery Protocol (MSDP) for node failure protection. the dynamically discovered group-to-RP entries are fully synchronized to the standby switch. RP: 10.100. Anycast RP is a useful application of MSDP. expires never Group: 239.100.125. Combining NSF/SSO capabilities with IPv4 multicast reduces the network recovery time and retains the user and application performance at an optimal level. 872 kbps(life avg) PIM-SM RP Redundancy PIM-SM RP redundancy and load sharing becomes imperative in the medium enterprise LAN design.192. PIM-SM RP at the main or the centralized core must establish an MSDP session with RP on each remote site to exchange distributed multicast source information and allow RPs to join SPT to active sources as needed. 
Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services cr11-asr-we#show ip pim rp Group: 239. MSDP used with Anycast RP is an intradomain feature that provides redundancy and load sharing capabilities. because each recommended core layer design model provides resiliency and simplicity. Figure 2-45 shows an example of a medium enterprise LAN multicast network design.100.1. Originally developed for interdomain multicast applications. In the Cisco Catalyst 6500 VSS-enabled core layer. Medium Enterprise Design Profile Reference Guide 2-71 . RPF nbr 10.57.192. expires never cr11-asr-we#show ip mroute sparse (*.31. 00:24:08/stopped.22 Outgoing interface list: Serial0/3/0.22 Outgoing interface list: Null (10. 239. PIM-SM redundancy and load sharing is simplified with the Cisco VSS-enabled core.1). RPF nbr 10.125.100.57.57. flags: SP Incoming interface: Port-channel1. Forward/Sparse.125.57.57. 239. 00:24:08/00:02:55 cr11-asr-we#show ip mroute active Active IP Multicast Sources .100. expires never Group: 239. uptime 00:23:16.1).

Figure 2-45 Medium Enterprise Inter-Site Multicast Network Design (figure: main site VSL core with Loopback0 10.125.200.254/32 and Anycast RP 10.100.100.100/32, MSDP peering to the PIM-SM RP of each remote site; remote large site Loopback0 10.122.200.2/32, remote medium site Loopback0 10.123.200.1/32 and remote small site Loopback0 10.124.200.2/32, each with Anycast RP 10.100.100.100/32)

Implementing MSDP Anycast RP

Main Campus
cr23-VSS-Core(config)#ip msdp peer 10.122.200.2 connect-source Loopback0
cr23-VSS-Core(config)#ip msdp description 10.122.200.2 ANYCAST-PEER-6k-RemoteLrgCampus
cr23-VSS-Core(config)#ip msdp peer 10.123.200.1 connect-source Loopback0
cr23-VSS-Core(config)#ip msdp description 10.123.200.1 ANYCAST-PEER-4k-RemoteMedCampus
cr23-VSS-Core(config)#ip msdp peer 10.124.200.2 connect-source Loopback0
cr23-VSS-Core(config)#ip msdp description 10.124.200.2 ANYCAST-PEER-4k-RemoteSmlCampus
cr23-VSS-Core(config)#ip msdp cache-sa-state
cr23-VSS-Core(config)#ip msdp originator-id Loopback0

cr23-VSS-Core#show ip msdp peer | inc MSDP Peer|State
MSDP Peer 10.122.200.2 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.125.200.254)
MSDP Peer 10.123.200.1 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.125.200.254)
MSDP Peer 10.124.200.2 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.125.200.254)

Remote Large Campus
cr14-6500-RLC(config)#ip msdp peer 10.125.200.254 connect-source Loopback0
cr14-6500-RLC(config)#ip msdp description 10.125.200.254 ANYCAST-PEER-6k-MainCampus
cr14-6500-RLC(config)#ip msdp cache-sa-state

cr14-6500-RLC(config)#ip msdp originator-id Loopback0

cr14-6500-RLC#show ip msdp peer | inc MSDP Peer|State|SAs learned
MSDP Peer 10.125.200.254 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.122.200.2)
  SAs learned from this peer: 94

Remote Medium Campus
cr11-4507-RMC(config)#ip msdp peer 10.125.200.254 connect-source Loopback0
cr11-4507-RMC(config)#ip msdp description 10.125.200.254 ANYCAST-PEER-6k-MainCampus
cr11-4507-RMC(config)#ip msdp cache-sa-state
cr11-4507-RMC(config)#ip msdp originator-id Loopback0

cr11-4507-RMC#show ip msdp peer | inc MSDP Peer|State|SAs learned
MSDP Peer 10.125.200.254 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.123.200.1)
  SAs learned from this peer: 94

Remote Small Campus
cr14-4507-RSC(config)#ip msdp peer 10.125.200.254 connect-source Loopback0
cr14-4507-RSC(config)#ip msdp description 10.125.200.254 ANYCAST-PEER-6k-MainCampus
cr14-4507-RSC(config)#ip msdp cache-sa-state
cr14-4507-RSC(config)#ip msdp originator-id Loopback0

cr14-4507-RSC#show ip msdp peer | inc MSDP Peer|State|SAs learned
MSDP Peer 10.125.200.254 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.124.200.2)
  SAs learned from this peer: 94

Dynamic Group Membership
Multicast receiver registration is done via IGMP protocol signaling. IGMP is an integrated component of an IP multicast framework that allows the receiver hosts and transmitting sources to be dynamically added to and removed from the network. Without IGMP, the network is forced to flood rather than multicast the transmissions for each group. IGMP operates between a multicast receiver host in the access layer and the Layer 3 router at the distribution layer.

The multicast system role changes when the access layer is deployed in the multilayer and routed access models. Because multilayer access switches do not run PIM, it becomes complex to make forwarding decisions out of the receiver port. In such a situation, Layer 2 access switches flood the traffic on all ports. This multilayer limitation in access switches is solved by using the IGMP snooping feature, which is enabled by default and is recommended to not be disabled.

IGMP is still required when a Layer 3 access layer switch is deployed in the routed access network design. Because the Layer 3 boundary is pushed down to the access layer, IGMP communication is limited between a receiver host and the Layer 3 access switch. In addition to the unicast routing protocol, PIM-SM must be enabled at the Layer 3 access switch to communicate with RPs in the network.

Implementing IGMP
By default, the Layer-2 access-switch dynamically detects IGMP hosts and multicast-capable Layer-3 PIM routers in the network. The IGMP snooping and multicast router detection functions operate on a per-VLAN basis, and are globally enabled by default for all the VLANs.
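The two operational requirements stated above, that the static RP be identical on every PIM router and that the MSDP session to each remote-site RP be up and exchanging SA entries, can be verified from the show output the guide prints. The following is an added example (not code from the Cisco guide) that parses constructed show ip pim rp and show ip msdp peer output in that format; the device name cr22-3560-XX and the RP address 10.200.200.200 are made up to represent a misconfigured switch, and the Down peer is constructed to show the failure path.

```python
"""Consistency checks for a static PIM-SM Anycast RP and its MSDP peerings.

Added example, not code from the Cisco guide.  It parses the kind of
'show ip pim rp' and 'show ip msdp peer' output shown above so that every
PIM router is verified to carry the same static RP and every configured MSDP
session is verified to be Up and learning SA entries.  All sample output below
is constructed for the example; 10.200.200.200 is a made-up rogue RP address.
"""
import re
from collections import defaultdict

# Constructed 'show ip pim rp' output per device (format mirrors the guide).
PIM_RP_OUTPUT = {
    "cr23-VSS-Core": (
        "Group: 239.192.51.1, RP: 10.100.100.100, next RP-reachable in 00:00:34\n"
        "Group: 239.192.51.2, RP: 10.100.100.100, next RP-reachable in 00:00:34\n"
    ),
    "cr22-6500-LB": (
        "Group: 239.192.51.1, RP: 10.100.100.100, uptime 00:10:42, expires never\n"
        "Group: 239.192.51.2, RP: 10.100.100.100, uptime 00:10:42, expires never\n"
    ),
    # Hypothetical misconfigured switch: one group points at a different RP.
    "cr22-3560-XX": (
        "Group: 239.192.51.1, RP: 10.100.100.100, uptime 00:01:36, expires never\n"
        "Group: 239.192.51.2, RP: 10.200.200.200, uptime 00:01:36, expires never\n"
    ),
}

# Constructed 'show ip msdp peer' output of the main-campus RP; one peer is down.
MSDP_OUTPUT = """\
MSDP Peer 10.122.200.2 (?), AS ?
    State: Up, Resets: 0, Connection source: Loopback0 (10.125.200.254)
  SAs learned from this peer: 94
MSDP Peer 10.123.200.1 (?), AS ?
    State: Down, Resets: 3, Connection source: Loopback0 (10.125.200.254)
  SAs learned from this peer: 0
"""

EXPECTED_RP = "10.100.100.100"
EXPECTED_MSDP_PEERS = {"10.122.200.2", "10.123.200.1", "10.124.200.2"}

RP_LINE = re.compile(r"Group:\s*([\d.]+),\s*RP:\s*([\d.]+)")
MSDP_HEADER = re.compile(r"^MSDP Peer ([\d.]+)", re.M)
MSDP_STATE = re.compile(r"State:\s*(\w+),\s*Resets:\s*(\d+)")
MSDP_SAS = re.compile(r"SAs learned from this peer:\s*(\d+)")


def parse_pim_rp(text):
    """Map each group in 'show ip pim rp' output to the RP address it uses."""
    return {group: rp for group, rp in RP_LINE.findall(text)}


def check_rp_consistency(outputs, expected_rp):
    """Return {device: [problem, ...]} for devices not using expected_rp everywhere."""
    problems = defaultdict(list)
    for device, text in outputs.items():
        mappings = parse_pim_rp(text)
        if not mappings:
            problems[device].append("no group-to-RP mapping present")
        for group, rp in mappings.items():
            if rp != expected_rp:
                problems[device].append(f"{group} maps to {rp}, expected {expected_rp}")
    return dict(problems)


def parse_msdp_peers(text):
    """Return one dict per peer block of 'show ip msdp peer' output."""
    peers = []
    for block in re.split(r"(?m)^(?=MSDP Peer )", text):
        header = MSDP_HEADER.match(block)
        if not header:
            continue
        state = MSDP_STATE.search(block)
        sas = MSDP_SAS.search(block)
        peers.append({
            "peer": header.group(1),
            "state": state.group(1) if state else "unknown",
            "resets": int(state.group(2)) if state else 0,
            "sas": int(sas.group(1)) if sas else 0,
        })
    return peers


def check_msdp_peers(text, expected_peers):
    """List MSDP problems: missing sessions, sessions not Up, Up sessions with no SAs."""
    seen = {p["peer"]: p for p in parse_msdp_peers(text)}
    issues = []
    for peer in sorted(expected_peers):
        info = seen.get(peer)
        if info is None:
            issues.append(f"{peer}: no MSDP session present")
        elif info["state"] != "Up":
            issues.append(f"{peer}: state {info['state']} after {info['resets']} resets")
        elif info["sas"] == 0:
            issues.append(f"{peer}: session Up but no SA entries learned")
    return issues


if __name__ == "__main__":
    print(check_rp_consistency(PIM_RP_OUTPUT, EXPECTED_RP))
    print(check_msdp_peers(MSDP_OUTPUT, EXPECTED_MSDP_PEERS))
```

In practice the text for each device would come from a collected show output rather than the embedded strings; the checks themselves do not change. A device with no group-to-RP mapping at all is reported separately from one that disagrees with the expected RP, because the first usually means multicast routing or the rp-address statement is missing entirely.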

Multicast routing function changes when the access-switch is deployed in routed-access mode. PIM operation is performed at the access layer; therefore, the multicast router detection process is eliminated. The IGMP configuration can be validated using the following show commands on the Layer-2 and Layer-3 access-switch. The output from the Layer-3 switch verifies that the local multicast ports are in router mode, and that it provides a snooped Layer-2 uplink port-channel, connected to the collapsed core router, for multicast routing:

Layer 2 Access
cr22-3750-LB#show ip igmp snooping groups
Vlan      Group                    Type        Version     Port List
-----------------------------------------------------------------------
110       239.192.51.1             igmp        v2          Gi1/0/20, Po1
110       239.192.51.2             igmp        v2          Gi1/0/20, Po1
110       239.192.51.3             igmp        v2          Gi1/0/20, Po1

cr22-3750-LB#show ip igmp snooping mrouter
Vlan    ports
----    -----
 110    Po1(dynamic)

Layer 3 Access
cr22-3560-LB#show ip igmp membership
Channel/Group              Reporter        Uptime   Exp.   Flags  Interface
*,239.192.51.1             10.125.103.106  00:52:36 02:09  2A     Vl110
*,239.192.51.2             10.125.103.107  00:52:36 02:12  2A     Vl110
*,239.192.51.3             10.125.103.109  00:52:35 02:16  2A     Vl110
*,224.0.1.40               10.125.0.4      3d22h    02:04  2A     Po1
*,224.0.1.40               10.125.103.129  4w4d     02:33  2LA    Vl103

cr22-3560-LB#show ip igmp snooping mrouter
Vlan    ports
----    -----
 103    Router
 106    Router
 110    Router

Designing Multicast Security
When designing multicast security in the medium enterprise LAN design, two key concerns are preventing a rogue source and preventing a rogue PIM-RP.

Preventing Rogue Source
In a PIM-SM network, an unwanted traffic source can be controlled with the pim accept-register command. When the source traffic hits the first-hop router, the first-hop router (DR) creates the (S,G) state and sends a PIM source register message to the RP. If the source is not listed in the accept-register filter list (configured on the RP), the RP rejects the register and sends back an immediate Register-Stop message to the DR. The drawback with this method of source filtering is that with the pim accept-register command on the RP, the PIM-SM (S,G) state is still created on the first-hop router of the source. This can result in traffic reaching receivers local to the source and located between the source and the RP. Furthermore, because the pim accept-register command works on the control plane of the RP, this can be used to overload the RP with fake register messages and possibly cause a DoS condition.
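The register-filtering decision just described, including the caveat that the DR has already built (S,G) state by the time the RP answers, can be modelled to make the ACL semantics concrete. The following is an added example (not code from the Cisco guide or from IOS): it evaluates a (source, group) pair against an extended ACL using IOS wildcard-mask matching and returns the RP's reply; the ACL lines, the source addresses and the group addresses are constructed for the example and only mirror the format the guide uses.

```python
"""Model of the RP-side 'ip pim accept-register' source filter described above.

Added example, not code from the Cisco guide.  It reproduces the control-plane
decision the text describes: the DR creates (S,G) state as soon as source traffic
arrives and sends a Register; the RP matches (source, group) against an extended
ACL with IOS wildcard masks and answers with Register-Stop for anything not
permitted.  The ACL lines and addresses are constructed for the example.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _address_spec(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_extended_acl(lines):
    """Parse 'permit|deny ip SRC DST' entries into (action, src_spec, dst_spec)."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _address_spec(tokens[2:])
        dst, _ = _address_spec(rest)
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, source, group):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (gb, gw) in entries:
        if wildcard_match(source, sb, sw) and wildcard_match(group, gb, gw):
            return action == "permit"
    return False


class RendezvousPoint:
    """RP holding the accept-register ACL; rejects registers it does not permit."""

    def __init__(self, accept_register_acl):
        self.acl = accept_register_acl
        self.registered = set()

    def handle_register(self, source, group):
        if acl_permits(self.acl, source, group):
            self.registered.add((source, group))
            return "accepted"
        return "register-stop"


class FirstHopRouter:
    """The DR.  Note the caveat from the text: (S,G) state exists before the RP answers."""

    def __init__(self, rp):
        self.rp = rp
        self.sg_state = {}

    def source_traffic(self, source, group):
        self.sg_state[(source, group)] = "created"       # state built regardless of RP decision
        reply = self.rp.handle_register(source, group)
        self.sg_state[(source, group)] = (
            "registered" if reply == "accepted" else "register-stop received"
        )
        return reply


def demo():
    """Run three sources through the filter; returns the RP replies and the DR's state."""
    acl = parse_extended_acl([
        "permit ip 10.120.31.0 0.7.0.255 239.192.0.0 0.0.255.255",  # constructed, mirrors the guide's format
        "deny ip any any",
    ])
    dr = FirstHopRouter(RendezvousPoint(acl))
    replies = {
        "permitted source and group": dr.source_traffic("10.120.31.25", "239.192.51.1"),
        "permitted source, group outside 239.192/16": dr.source_traffic("10.120.31.25", "239.10.1.1"),
        "unknown source": dr.source_traffic("192.0.2.9", "239.192.51.1"),
    }
    return replies, dict(dr.sg_state)


if __name__ == "__main__":
    for k, v in demo()[0].items():
        print(f"{k}: {v}")
```

The wildcard 0.7.0.255 on 10.120.31.0 matches the third-octet value 31 in any of the second-octet values 120 through 127, which is why the mask is written that way rather than as a prefix length. After the run, all three (S,G) entries exist in the DR's table even though two were rejected, which is the limitation the text warns about: the filter protects the RP and the shared tree, not the segment between the source and the RP.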

The following is the sample configuration with a simple ACL that has been applied to the RP to filter only on the source address. It is also possible to filter the source and the group using an extended ACL on the RP:

cr23-VSS-Core(config)#ip access-list extended PERMIT-SOURCES
cr23-VSS-Core(config-ext-nacl)# permit ip 10.120.31.0 0.7.0.255 239.192.0.0 0.0.255.255
cr23-VSS-Core(config-ext-nacl)# deny ip any any
cr23-VSS-Core(config)#ip pim accept-register list PERMIT-SOURCES

Preventing Rogue PIM-RP
Like the multicast source, any router can be misconfigured or can maliciously advertise itself as a multicast RP in the network with the valid multicast group address. With a static RP configuration, each PIM-enabled router in the network can be configured to use the static RP for the multicast source and override any other Auto-RP or BSR multicast router announcement from the network. The following is the sample configuration that must be applied to each PIM-enabled router in the campus network, to accept PIM announcements only from the static RP and ignore dynamic multicast group announcements from any other RP:

cr23-VSS-Core(config)#ip access-list standard Allowed_MCAST_Groups
cr23-VSS-Core(config-std-nacl)# permit 224.0.1.39
cr23-VSS-Core(config-std-nacl)# permit 224.0.1.40
cr23-VSS-Core(config-std-nacl)# permit 239.192.0.0 0.0.255.255
cr23-VSS-Core(config-std-nacl)# deny any
cr23-VSS-Core(config)#ip pim rp-address 10.100.100.100 Allowed_MCAST_Groups override

QoS for Application Performance Optimization
The function and guaranteed low latency bandwidth expectation of network users and endpoints has evolved significantly over the past few years. Application and device awareness has become a key tool in providing differentiated service treatment at the campus LAN edge. Integrating video applications in the medium enterprise LAN network exponentially increases bandwidth utilization and fundamentally shifts traffic patterns. Business drivers behind this media application growth include remote learning, as well as leveraging the network as a platform to build an energy-efficient network to minimize cost and go "green", as well as the increased campus network and asset security requirements.

High-definition media is transitioning from the desktop to conference rooms, and social networking phenomena are crossing over into enterprise settings. Besides internal and enterprise research applications, media applications, and particularly video-oriented media applications, are evolving as the enterprise network enters the digital era of doing business. Media applications, in addition to IP telephony, are fueling a new wave of IP convergence, requiring the ongoing development of converged network designs. Converging media applications onto an IP network is much more complex than converging voice over IP (VoIP) alone. Media applications are generally bandwidth-intensive and bursty (as compared to VoIP), and many different types of media applications exist: in addition to IP telephony, applications can include live and on-demand streaming media applications, digital signage applications, high-definition room-based conferencing applications, as well as an infinite array of data-oriented applications. By embracing media applications as the next cycle of convergence, medium enterprise IT departments can think holistically about their network design and its readiness to support the coming tidal wave of media applications, and develop a network-wide strategy to ensure high quality end-user experiences.

The medium enterprise LAN infrastructure must set the administrative policies to provide differentiated forwarding services to the network applications, users and endpoints to prevent contention. The characteristics of network services and applications must be well understood, so that policies can be defined that allow network resources to be used for internal applications, to provide best-effort services for external traffic, and to keep the network protected from threats. The policy for providing network resources to an internal application is further complicated when interactive video and real-time VoIP applications are converged over the same network that is switching mid-to-low priority data traffic. Deploying QoS technologies in the campus allows different types of traffic to contend inequitably for network resources. Real-time applications such as voice, interactive, and physical security video can be given priority or preferential services over generic data applications, but not to the point that data applications are starving for bandwidth.

Medium Enterprise LAN QoS Framework
Each group of managed and un-managed applications with unique traffic patterns and service level requirements requires a dedicated QoS class to provision and guarantee these service level requirements. The medium enterprise LAN network architect may need to determine the number of classes for various applications, as well as how these individual classes should be implemented to deliver differentiated services consistently in main and remote campus sites. Cisco recommends following relevant industry standards and guidelines whenever possible, to extend the effectiveness of your QoS policies beyond your direct administrative control. To this end, the medium enterprise LAN QoS framework is developed, with minor changes, based on RFC 4594, which follows industry standards and guidelines to function consistently in a heterogeneous network environment. RFC 4594 outlines twelve classes of media applications that have unique service level requirements, as shown in Figure 2-46. These guidelines are to be viewed as industry best-practice recommendations. Enterprise organizations and service providers are encouraged to adopt these marking and provisioning recommendations, with the aim of improving QoS consistency, compatibility, and interoperability. However, because these guidelines are not standards, modifications can be made to these recommendations as specific needs or constraints require. To meet specific business requirements, Cisco has made a minor modification to its adoption of RFC 4594, namely the switching of call-signaling and broadcast video markings (to CS3 and CS5, respectively).

Figure 2-46 Campus 12-Class QoS Policy Recommendation

Application Class        | Media Application Examples  | PHB | Admission Control | Queuing and Dropping
VoIP Telephony           | Cisco IP Phone              | EF  | Required          | Priority Queue (PQ)
Broadcast Video          | Cisco IPVS, Enterprise TV   | CS5 | Required          | (Optional) PQ
Real-Time Interactive    | Cisco TelePresence          | CS4 | Required          | (Optional) PQ
Multimedia Conferencing  | Cisco CUPC, WebEx           | AF4 | Required          | BW Queue + DSCP WRED
Multimedia Streaming     | Cisco DMS, IP/TV            | AF3 | Recommended       | BW Queue + DSCP WRED
Network Control          | EIGRP, OSPF, HSRP, IKE      | CS6 |                   | BW Queue
Call-Signaling           | SCCP, SIP, H.323            | CS3 |                   | BW Queue
Ops/Admin/Mgmt (OAM)     | SNMP, SSH, Syslog           | CS2 |                   | BW Queue
Transactional Data       | ERP Apps, CRM Apps          | AF2 |                   | BW Queue + DSCP WRED
Bulk Data                | E-mail, FTP, Backup         | AF1 |                   | BW Queue + DSCP WRED
Best Effort              | Default Class               | DF  |                   | Default Queue + RED
Scavenger                | YouTube, Gaming, P2P        | CS1 |                   | Min BW Queue

The twelve classes are as follows:
• VoIP telephony—This service class is intended for VoIP telephony (bearer-only) traffic (VoIP signaling traffic is assigned to the call-signaling class). Traffic assigned to this class should be marked EF. This class is provisioned with expedited forwarding (EF) per-hop behavior (PHB). The EF PHB, defined in RFC 3246, is a strict-priority queuing service and, as such, admission to this class should be controlled (admission control is discussed in the following section). Examples of this type of traffic include G.711 and G.729a.
• Broadcast video—This service class is intended for broadcast TV, live events, video surveillance flows, and similar inelastic streaming video flows, which are highly drop sensitive and have no retransmission and/or flow control capabilities. Traffic in this class should be marked class selector 5 (CS5) and may be provisioned with an EF PHB; as such, admission to this class should be controlled. Examples of this traffic include live Cisco Digital Media System (DMS) streams to desktops or to Cisco Digital Media Players (DMPs), live Cisco Enterprise TV (ETV) streams, and Cisco IP Video Surveillance.
• Real-time interactive—This service class is intended for (inelastic) room-based, high-definition interactive video applications and is intended primarily for the voice and video components of these applications. Whenever technically possible and administratively feasible, data sub-components of this class can be separated out and assigned to the transactional data traffic class. Traffic in this class should be marked CS4 and may be provisioned with an EF PHB; as such, admission to this class should be controlled. A sample application is Cisco TelePresence.
• Multimedia conferencing—This service class is intended for desktop software multimedia collaboration applications and is intended primarily for the voice and video components of these applications. Whenever technically possible and administratively feasible, data sub-components of this class can be separated out and assigned to the transactional data traffic class. Traffic in this class should be marked assured forwarding (AF) Class 4 (AF41) and should be provisioned with a guaranteed bandwidth queue with Differentiated Services Code Point (DSCP)-based Weighted Random Early Detection (WRED) enabled. Admission to this class should be controlled; additionally, traffic in this class may be subject to policing and re-marking. Sample applications include Cisco Unified Personal Communicator, Cisco Unified Video Advantage, and the Cisco Unified IP Phone 7985G.
• Multimedia streaming—This service class is intended for video-on-demand (VoD) streaming video flows, which, in general, are more elastic than broadcast/live streaming flows. Traffic in this class should be marked AF Class 3 (AF31) and should be provisioned with a guaranteed bandwidth queue with DSCP-based WRED enabled. Admission control is recommended on this traffic class (though not strictly required) and this class may be subject to policing and re-marking. Sample applications include Cisco Digital Media System VoD streams.
• Network control—This service class is intended for network control plane traffic, which is required for reliable operation of the enterprise network. Traffic in this class should be marked CS6 and provisioned with a (moderate, but dedicated) guaranteed bandwidth queue. WRED should not be enabled on this class, because network control traffic should not be dropped (if this class is experiencing drops, the bandwidth allocated to it should be re-provisioned). Sample traffic includes EIGRP, OSPF, Border Gateway Protocol (BGP), HSRP, Internet Key Exchange (IKE), and so on.
• Call-signaling—This service class is intended for signaling traffic that supports IP voice and video telephony. Traffic in this class should be marked CS3 and provisioned with a (moderate, but dedicated) guaranteed bandwidth queue. WRED should not be enabled on this class, because call-signaling traffic should not be dropped (if this class is experiencing drops, the bandwidth allocated to it should be re-provisioned). Sample traffic includes Skinny Call Control Protocol (SCCP), Session Initiation Protocol (SIP), H.323, and so on.
• Operations/administration/management (OAM)—This service class is intended for network operations, administration, and management traffic. This class is critical to the ongoing maintenance and support of the network. Traffic in this class should be marked CS2 and provisioned with a (moderate, but dedicated) guaranteed bandwidth queue. WRED should not be enabled on this class, because OAM traffic should not be dropped (if this class is experiencing drops, the bandwidth allocated to it should be re-provisioned). Sample traffic includes Secure Shell (SSH), Simple Network Management Protocol (SNMP), Syslog, and so on.
• Transactional data (or low-latency data)—This service class is intended for interactive, "foreground" data applications (foreground refers to applications from which users are expecting a response via the network to continue with their tasks; excessive latency directly impacts user productivity). Traffic in this class should be marked AF Class 2 (AF21) and should be provisioned with a dedicated bandwidth queue with DSCP-WRED enabled. This traffic class may be subject to policing and re-marking. Sample applications include data components of multimedia collaboration applications, Enterprise Resource Planning (ERP) applications, Customer Relationship Management (CRM) applications, database applications, and so on.
• Bulk data (or high-throughput data)—This service class is intended for non-interactive "background" data applications (background refers to applications from which users are not awaiting a response via the network to continue with their tasks; excessive latency in response times of background applications does not directly impact user productivity). Traffic in this class should be marked AF Class 1 (AF11) and should be provisioned with a dedicated bandwidth queue with DSCP-WRED enabled. This traffic class may be subject to policing and re-marking. Sample applications include E-mail, backup operations, FTP/SFTP transfers, video and content distribution, and so on.
• Best effort (or default class)—This service class is the default class. The vast majority of applications will continue to default to this best-effort service class; as such, this default class should be adequately provisioned. Traffic in this class is marked default forwarding (DF or DSCP 0) and should be provisioned with a dedicated queue. WRED is recommended to be enabled on this class.

• Scavenger (or low-priority data)—This service class is intended for non-business-related traffic flows, such as data or video applications that are entertainment and/or gaming-oriented. The approach of a less-than Best-Effort service class for non-business applications (as opposed to shutting these down entirely) has proven to be a popular, political compromise. These applications are permitted on enterprise networks, as long as resources are always available for business-critical voice, video, and data applications. However, as soon as the network experiences congestion, this class is the first to be penalized and aggressively dropped. Traffic in this class should be marked CS1 and should be provisioned with a minimal bandwidth queue that is the first to starve should network congestion occur. Sample traffic includes YouTube, Xbox Live/360 movies, iTunes, BitTorrent, and so on.

Designing Medium Enterprise LAN QoS Trust Boundary and Policies
To build an end-to-end QoS framework that offers transparent and consistent QoS service without compromising performance, it is important to create a blueprint of the network, classifying a set of trusted applications, devices, and forwarding paths, and then to define common QoS policy settings independent of how QoS is implemented within the system. QoS settings applied at the LAN network edge set the ingress rule based on deep packet classification and mark the traffic before it is forwarded inside the campus core. To retain the marking set by access layer switches, it is important that other LAN network devices in the campus trust the marking and apply the same policy to retain the QoS settings and offer symmetric treatment. Bi-directional network communication between applications, endpoints, or other network devices requires the same treatment when traffic enters or leaves the network, and must be taken into account when designing the trust model between network endpoints and core and edge campus devices. The trust or un-trust model simplifies the rules for defining bi-directional QoS policy settings. Figure 2-47 shows the QoS trust model setting that sets the QoS implementation guidelines in medium enterprise campus networks.

Figure 2-47 Campus LAN QoS Trust and Policies
(Figure: trusted, conditionally-trusted or un-trusted endpoints sit at the QoS trust boundary; the access edge applies the ingress QoS policy of classification, marking, policing, queueing and WTD; the distribution and core links, including the VSL, apply trust, marking, queueing and WTD and the egress QoS policy.)

Medium Enterprise LAN QoS Overview

With an overall application strategy in place, end-to-end QoS policies can be designed for each device and interface, as determined by their roles in the network infrastructure. However, because the Cisco QoS toolset provides many QoS design and deployment options, a few succinct design principles can help simplify strategic QoS deployments, as discussed in the following sections.

Hardware versus Software QoS

A fundamental QoS design principle is to always enable QoS policies in hardware rather than software whenever possible. Cisco IOS routers perform QoS in software, which places incremental loads on the CPU, depending on the complexity and functionality of the policy. Cisco Catalyst switches, on the other hand, perform QoS in dedicated hardware application-specific integrated circuits (ASICs) on Ethernet-based ports, and as such do not tax their main CPUs to administer QoS policies. This allows complex policies to be applied at line rates even up to Gigabit or 10-Gigabit speeds.

Classification and Marking

When classifying and marking traffic, a recommended design principle is to classify and mark applications as close to their sources as technically and administratively feasible. This principle promotes end-to-end differentiated services and PHBs.

In general, it is not recommended to trust markings that can be set by users on their PCs or other similar devices, because users can easily abuse provisioned QoS policies if permitted to mark their own traffic. For example, if an EF PHB has been provisioned over the network, a PC user can easily configure all their traffic to be marked to EF, thus hijacking network priority queues to service non-realtime traffic. Such abuse can easily ruin the service quality of realtime applications throughout the campus. On the other hand, if medium enterprise network administrator controls are in place that centrally administer PC QoS markings, it may be possible and advantageous to trust these.

Following this rule, it is recommended to use DSCP markings whenever possible, because these are end-to-end, more granular, and more extensible than Layer 2 markings. Layer 2 markings are lost when the media changes (such as a LAN-to-WAN/VPN edge). There is also less marking granularity at Layer 2. For example, 802.1P supports only three bits (values 0-7), as does Multiprotocol Label Switching Experimental (MPLS EXP). Therefore, only up to eight classes of traffic can be supported at Layer 2, and inter-class relative priority (such as RFC 2597 Assured Forwarding Drop Preference markdown) is not supported. Layer 3-based DSCP markings allow for up to 64 classes of traffic, which provides more flexibility and is adequate in large-scale deployments and for future requirements.

As the network border blurs between enterprise network and service providers, the need for interoperability and complementary QoS markings is critical. Cisco recommends following the IETF standards-based DSCP PHB markings to ensure interoperability and future expansion. Because the medium enterprise voice, video, and data applications marking recommendations are standards-based, as previously discussed, medium enterprises can easily adopt these markings to interface with service provider classes of service.

Policing and Markdown

There is little reason to forward unwanted traffic that gets policed and dropped by a subsequent tier node, especially when unwanted traffic is the result of DoS or worm attacks in the enterprise network. Excessive volume attack traffic can destabilize network systems, which can result in outages. Cisco recommends policing traffic flows as close to their sources as possible. This principle applies also to legitimate flows, because worm-generated traffic can masquerade under legitimate, well-known TCP/UDP ports and cause extreme amounts of traffic to be poured into the network infrastructure. Such excesses should be monitored at the source and marked down appropriately.

Whenever supported, markdown should be done according to standards-based rules, such as RFC 2597 (AF PHB). For example, excess traffic marked to AFx1 should be marked down to AFx2 (or AFx3 whenever dual-rate policing such as defined in RFC 2698 is supported). Following such markdowns, congestion management policies, such as DSCP-based WRED, should be configured to drop AFx3 more aggressively than AFx2, which in turn should be dropped more aggressively than AFx1.

Queuing and Dropping

Critical media applications require uncompromised performance and service guarantees regardless of network conditions. Enabling outbound queuing in each network tier provides end-to-end service guarantees during potential network congestion. This common principle applies to campus-to-WAN/Internet edges, where speed mismatches are most pronounced, and campus interswitch links, where oversubscription ratios create the greater potential for network congestion.

Medium Enterprise Design Profile Reference Guide 2-81
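The markdown rule in the Policing and Markdown section above, carried through as an added example that is not part of the design guide: a color-blind RFC 2698 two-rate three-color marker meters a constructed burst of AF21 packets, and each packet is re-marked per RFC 2597 (conforming traffic stays AFx1, excess becomes AFx2, violating traffic becomes AFx3). The rates, burst sizes and packet trace are constructed illustration values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 2597 AF codepoints: DSCP = 8 * class + 2 * drop precedence
# (AF11 = 10, AF12 = 12, AF13 = 14, ..., AF41 = 34, AF42 = 36, AF43 = 38).
def af_dscp(af_class: int, drop_precedence: int) -> int:
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return 8 * af_class + 2 * drop_precedence


def af_name(dscp: int) -> str:
    af_class, rem = divmod(dscp, 8)
    if 1 <= af_class <= 4 and rem in (2, 4, 6):
        return f"AF{af_class}{rem // 2}"
    raise ValueError(f"DSCP {dscp} is not an AF codepoint")


def markdown(dscp: int, color: str) -> int:
    """RFC 2597 markdown: green keeps AFx1, yellow becomes AFx2, red becomes AFx3."""
    drop_precedence = {"green": 1, "yellow": 2, "red": 3}[color]
    return af_dscp(dscp // 8, drop_precedence)


@dataclass
class TrTCM:
    """RFC 2698 two-rate three-color marker, color-blind mode.

    cir and pir are bytes per second; cbs and pbs are bucket depths in bytes.
    A packet is red when it does not fit the peak bucket, yellow when it fits
    the peak bucket but not the committed bucket, and green otherwise.
    """
    cir: float
    cbs: int
    pir: float
    pbs: int
    tc: float = field(init=False)
    tp: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tc, self.tp = float(self.cbs), float(self.pbs)  # buckets start full

    def color(self, size: int, now: float) -> str:
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        if self.tp < size:
            return "red"          # exceeds PIR: violating traffic
        self.tp -= size
        if self.tc < size:
            return "yellow"       # within PIR but exceeds CIR: excess traffic
        self.tc -= size
        return "green"            # conforming traffic


def police_trace(packets: List[Tuple[float, int, int]], cir: float, cbs: int,
                 pir: float, pbs: int) -> List[int]:
    """Meter (timestamp, size_bytes, dscp) packets and return the re-marked DSCPs."""
    meter = TrTCM(cir=cir, cbs=cbs, pir=pir, pbs=pbs)
    return [markdown(dscp, meter.color(size, ts)) for ts, size, dscp in packets]


# Constructed trace: eight 500-byte AF21 (transactional data) packets arriving
# in one burst at t = 0, followed by one more packet a second later.
BURST = [(0.0, 500, af_dscp(2, 1))] * 8 + [(1.0, 500, af_dscp(2, 1))]

# Constructed policer: CIR 1000 B/s with a 1500 B committed burst,
# PIR 2000 B/s with a 3000 B peak burst.
CIR, CBS, PIR, PBS = 1000.0, 1500, 2000.0, 3000

if __name__ == "__main__":
    marked = police_trace(BURST, CIR, CBS, PIR, PBS)
    for (ts, _, _), dscp in zip(BURST, marked):
        print(f"t={ts:.1f}s  {af_name(dscp)} (DSCP {dscp})")
```

The first three packets of the burst fit the committed bucket and stay AF21, the next three fit only the peak bucket and leave as AF22, the last two exceed both and leave as AF23, and the packet one second later finds refilled buckets and is green again.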

Because each application class has unique service level requirements, each should be assigned optimally a dedicated queue. A wide range of platforms in varying roles exist in medium enterprise networks, so each must be bounded by a limited number of hardware or service provider queues. No fewer than four queues are required to support QoS policies for various types of applications, specifically as follows:

• Realtime queue (to support a RFC 3246 EF PHB service)
• Guaranteed-bandwidth queue (to support RFC 2597 AF PHB services)
• Default queue (to support a RFC 2474 DF service)
• Bandwidth-constrained queue (to support a RFC 3662 scavenger service)

Additional queuing recommendations for these classes are discussed next.

Strict-Priority Queuing

The realtime or strict priority class corresponds to the RFC 3246 EF PHB. The amount of bandwidth assigned to the realtime queuing class is variable. However, if the majority of bandwidth is provisioned with strict priority queuing (which is effectively a FIFO queue), the overall effect is a dampening of QoS functionality, both for latency- and jitter-sensitive realtime applications (contending with each other within the FIFO priority queue), and also for non-realtime applications (because these may periodically receive significant bandwidth allocation fluctuations, depending on the instantaneous amount of traffic being serviced by the priority queue). Remember that the goal of convergence is to enable voice, video, and data applications to transparently co-exist on a single medium enterprise network infrastructure. When realtime applications dominate a link, non-realtime applications fluctuate significantly in their response times, destroying the transparency of the converged network.

For example, consider a 45 Mbps DS3 link configured to support two Cisco TelePresence CTS-3000 calls with an EF PHB service. Assuming that both systems are configured to support full high definition, each such call requires 15 Mbps of strict-priority queuing. Before the TelePresence calls are placed, non-realtime applications have access to 100 percent of the bandwidth on the link; to simplify the example, assume there are no other realtime applications on this link. However, after these TelePresence calls are established, all non-realtime applications are suddenly contending for less than 33 percent of the link. TCP windowing takes effect and many applications hang, timeout, or become stuck in a non-responsive state, which usually translates into users calling the IT help desk to complain about the network (which happens to be functioning properly, albeit in a poorly-configured manner).

Note As previously discussed, Cisco IOS software allows the abstraction (and thus configuration) of multiple strict priority LLQs. In such a multiple LLQ context, this design principle applies to the sum of all LLQs to be within one-third of link capacity.

It is vitally important to understand that this strict priority queuing rule is simply a best practice design recommendation and is not a mandate. There may be cases where specific business objectives cannot be met while holding to this recommendation. In such cases, the medium enterprise network administrator must provision according to their detailed requirements and constraints. However, it is important to recognize the tradeoffs involved with over-provisioning strict priority traffic and its negative performance impact, both on other realtime flows and also on non-realtime-application response times.

And finally, any traffic assigned to a strict-priority queue should be governed by an admission control mechanism.

Best Effort Queuing

The best effort class is the default class for all traffic that has not been explicitly assigned to another application-class queue. Only if an application has been selected for preferential/deferential treatment is it removed from the default class. Because most medium enterprises may have several types of applications running in networks, adequate bandwidth must be provisioned for this class as a whole to handle the number and volume of applications that default to it. Therefore, Cisco recommends reserving at least 25 percent of link bandwidth for the default best effort class.

Scavenger Class Queuing

Whenever the scavenger queuing class is enabled, it should be assigned a minimal amount of link bandwidth capacity, such as 1 percent, or whatever the minimal bandwidth allocation that the platform supports. On some platforms, queuing distinctions between bulk data and scavenger traffic flows cannot be made, either because queuing assignments are determined by class of service (CoS) values (and both of these application classes share the same CoS value of 1), or because only a limited amount of hardware queues exist, precluding the use of separate dedicated queues for each of these two classes. In such cases, the scavenger/bulk queue can be assigned a moderate amount of bandwidth, such as 5 percent.

These queuing rules are summarized in Figure 2-48, where the inner pie chart represents a hardware or service provider queuing model that is limited to four queues and the outer pie chart represents a corresponding, more granular queuing model that is not bound by such constraints.

Figure 2-48 Compatible 4-Class and 12-Class Queuing Models
(Figure: the inner four-queue model of Realtime, Guaranteed BW, Best Effort and Scavenger, and the outer twelve-class model of VoIP Telephony, Broadcast Video, Realtime Interactive, Multimedia Conferencing, Multimedia Streaming, Signaling, Network Control, OAM, Transactional Data, Bulk Data, Best Effort and Scavenger.)
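The queuing rules of this section and the four-queue folding of Figure 2-48, applied as an added example that is not part of the design guide: the checker sums a per-class bandwidth plan into the four hardware queues and reports any plan whose strict-priority share exceeds one-third of the link, whose best effort share is below 25 percent, or whose scavenger queue gets more than a minimal allocation (1 percent dedicated, 5 percent when it shares a queue with bulk data). The class-to-queue mapping and the two sample plans, including one for the DS3 TelePresence case in the text, are constructed for illustration.

```python
from typing import Dict, List

# Outer ring of Figure 2-48 (12 classes) folded onto the inner ring (4 queues).
QUEUE_OF_CLASS: Dict[str, str] = {
    "VoIP Telephony": "Realtime",
    "Broadcast Video": "Realtime",
    "Realtime Interactive": "Realtime",
    "Multimedia Conferencing": "Guaranteed BW",
    "Multimedia Streaming": "Guaranteed BW",
    "Signaling": "Guaranteed BW",
    "Network Control": "Guaranteed BW",
    "OAM": "Guaranteed BW",
    "Transactional Data": "Guaranteed BW",
    "Bulk Data": "Guaranteed BW",
    "Best Effort": "Best Effort",
    "Scavenger": "Scavenger",
}

LLQ_MAX_PCT = 100.0 / 3        # sum of all strict-priority LLQs within one-third
BEST_EFFORT_MIN_PCT = 25.0     # at least 25 percent for the default class
SCAVENGER_MAX_PCT = 1.0        # minimal allocation for a dedicated scavenger queue
SCAVENGER_BULK_MAX_PCT = 5.0   # moderate allocation for a shared scavenger/bulk queue


def fold_to_four_queues(plan_mbps: Dict[str, float],
                        merge_bulk_scavenger: bool = False) -> Dict[str, float]:
    """Sum per-class bandwidth (Mbps) into the four hardware queues."""
    queues = {"Realtime": 0.0, "Guaranteed BW": 0.0, "Best Effort": 0.0, "Scavenger": 0.0}
    for app_class, mbps in plan_mbps.items():
        queue = QUEUE_OF_CLASS[app_class]
        # CoS-based platforms cannot separate bulk data from scavenger (both CoS 1).
        if merge_bulk_scavenger and app_class == "Bulk Data":
            queue = "Scavenger"
        queues[queue] += mbps
    return queues


def check_queuing_plan(link_mbps: float, plan_mbps: Dict[str, float],
                       merge_bulk_scavenger: bool = False) -> List[str]:
    """Return the rule violations for a plan; an empty list means it complies."""
    queues = fold_to_four_queues(plan_mbps, merge_bulk_scavenger)
    pct = {q: 100.0 * mbps / link_mbps for q, mbps in queues.items()}
    problems: List[str] = []
    total = sum(queues.values())
    if total > link_mbps:
        problems.append(f"plan allocates {total:.2f} Mbps on a {link_mbps:.2f} Mbps link")
    if pct["Realtime"] > LLQ_MAX_PCT:
        problems.append(f"strict-priority share {pct['Realtime']:.1f}% exceeds one-third "
                        f"of the link; non-realtime traffic keeps {100 - pct['Realtime']:.1f}%")
    if pct["Best Effort"] < BEST_EFFORT_MIN_PCT:
        problems.append(f"best effort share {pct['Best Effort']:.1f}% is below the 25% minimum")
    cap = SCAVENGER_BULK_MAX_PCT if merge_bulk_scavenger else SCAVENGER_MAX_PCT
    if pct["Scavenger"] > cap:
        problems.append(f"scavenger share {pct['Scavenger']:.1f}% exceeds the {cap:.0f}% "
                        "minimal allocation")
    return problems


# Constructed plan for the DS3 example in the text: two full-HD CTS-3000 calls
# at 15 Mbps each in the EF (Realtime) queue on a 45 Mbps link.
DS3_TELEPRESENCE = {"Realtime Interactive": 30.0, "Transactional Data": 3.3,
                    "Best Effort": 11.25, "Scavenger": 0.4}

# Constructed plan for a 100 Mbps campus link that follows every rule.
CAMPUS_100M = {"VoIP Telephony": 10.0, "Realtime Interactive": 20.0, "Signaling": 2.0,
               "Transactional Data": 20.0, "Bulk Data": 15.0, "OAM": 2.0,
               "Best Effort": 30.0, "Scavenger": 1.0}

if __name__ == "__main__":
    for name, link, plan in (("DS3 TelePresence", 45.0, DS3_TELEPRESENCE),
                             ("100M campus", 100.0, CAMPUS_100M)):
        issues = check_queuing_plan(link, plan)
        print(name + ":", "complies" if not issues else "; ".join(issues))
```

Running the DS3 plan reproduces the text's objection (66.7 percent of the link in strict priority), while the same 100 Mbps campus plan that complies with dedicated queues fails once bulk data is forced to share the scavenger queue on a CoS-based platform.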

Deploying QoS in Campus LAN Network

All Layer 2 and Layer 3 systems in IP-based networks forward traffic on a best-effort basis, providing no differentiated services between different class-of-service network applications. The routing protocol forwards packets over the best low-metric or delay path, but offers no guarantee of delivery. This model works well for TCP-based data applications that adapt gracefully to variations in latency, jitter, and loss. The medium enterprise LAN and WAN is a multi-service network designed to support a wide range of low-latency voice and high bandwidth video with critical and non-critical data traffic over a single network infrastructure. For an optimal user experience, the real-time applications (such as voice and video) require packets delivered within specified loss, delay and jitter parameters. Cisco quality-of-service (QoS) is a collection of features and hardware capabilities that allow the network to intelligently dedicate the network resources for higher priority real-time applications, while reserving sufficient network resources to service medium to lower non-real-time traffic. QoS accomplishes this by creating a more application-aware Layer 2 and Layer 3 network to provide differentiated services to network applications and traffic. For a detailed discussion of QoS, refer to the Enterprise QoS Design Guide at the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book.html

While the QoS design principles across the network are common, the QoS implementation in hardware- and software-based switching platforms varies due to internal system design. This section discusses the internal switching architecture and the differentiated QoS structure on a per-hop basis.

QoS in Catalyst Fixed Configuration Switches

The QoS implementation in Cisco Catalyst 2960, 3560-X, and 3750-X Series switches is similar across the three platforms. There is no difference in the ingress or egress packet classification, marking, queuing and scheduling implementation among these Catalyst platforms. The Cisco Catalyst switches allow users to create policy-maps by classifying incoming traffic (Layer 2 to Layer 4), and then attaching the policy-map to an individual physical port or to logical interfaces (SVI or port-channel). This creates a common QoS policy that may be used in multiple networks. To prevent switch fabric and egress physical port congestion, the ingress QoS policing structure can strictly filter excessive traffic at the network edge. All ingress traffic from edge ports passes through the switch fabric and moves to the egress ports, where congestion may occur. Congestion in access-layer switches can be prevented by tuning queuing scheduler and Weighted Tail Drop (WTD) drop parameters. See Figure 2-49.

Figure 2-49 QoS Implementation in Cisco Catalyst Switches
(Figure: ingress QoS of receive and classify, a policer and marker per queue Q1 to Q4, and ingress queues (Normal-Q and Priority-Q) scheduled by SRR onto the internal ring; egress QoS of egress queues Q1 to Q4 scheduled by SRR to transmit.)

The main difference between these platforms is the switching capacity that ranges from 1G to 10G. The switching architecture and some of the internal QoS structure also differ between these switches. The following are some important differences to consider when selecting an access switch:

• The Cisco Catalyst 2960 does not support multilayer switching and does not support per-VLAN or per-port/per-VLAN policies.
• The Cisco Catalyst 2960 can police to a minimum rate of 1 Mbps; all other switches within this product family, including the next-generation Cisco Catalyst 2960-S Series, can police to a minimum rate of 8 kbps.
• Only the Cisco Catalyst 3560-X and 3750-X support IPv6 QoS.
• Only the Cisco Catalyst 3560-X and 3750-X support policing on 10-Gigabit Ethernet interfaces.
• Only the Cisco Catalyst 3560-X and 3750-X support SRR shaping weights on 10-Gigabit Ethernet interfaces.

The next-generation Cisco Catalyst 2960-S Series platform introduces a modified QoS architecture. To reduce latency and improve application performance, the new 2960-S platform does not support ingress queueing and buffer functions in hardware. All other ingress and egress queuing, buffer and bandwidth sharing functions remain consistent with the Catalyst 2960 platform. Each physical port, including the StackPort, has 2 MB of buffer capacity to prevent traffic drops during congestion. This buffer allocation is static and cannot be modified by the user. However, when the Catalyst 2960-S is deployed in FlexStack configuration mode, there is flexibility to assign a different buffer size to the egress queue of the StackPort. Figure 2-50 illustrates the QoS architecture of the Catalyst 2960-S Series platform.

Figure 2-50 QoS Implementation in Catalyst 2960-S Switches
(Figure: ingress QoS of receive and classify with a policer and marker per queue Q1 to Q4 and no ingress queues; egress QoS of egress queues Q1 to Q4 scheduled by SRR to transmit.)

QoS in Cisco Modular Switches

The Cisco Catalyst 4500-E and 6500-E are high-density, resilient switches for large scale networks. The medium enterprise LAN network design uses both platforms across the network; therefore, all the QoS recommendations in this section for these platforms will remain consistent. Both Catalyst platforms are modular in design; however, there are significant internal hardware architecture differences between the two platforms that impact the QoS implementation model.

Catalyst 4500-E QoS

The Cisco Catalyst 4500-E Series platforms are widely deployed with classic and next-generation supervisors. This design guide recommends deploying the next-generation supervisor Sup6E and Sup6L-E that offer a number of technical benefits that are beyond QoS.

The Cisco Catalyst 4500 with next generation Sup-6E and Sup6L-E (see Figure 2-51) are designed to offer better differentiated and preferential QoS services for various class-of-service traffic. New QoS capabilities in the Sup-6E and Sup6L-E enable administrators to take advantage of hardware-based intelligent classification and take action to optimize application performance and network availability. The QoS implementation in Sup-6E and Sup6L-E supports the Modular QoS CLI (MQC) as implemented in IOS-based routers, which enhances QoS capabilities and eases implementation and operations. The following are some of the key QoS features that differentiate the Sup-6E versus classic supervisors:

• Trust and Table-Map—MQC-based QoS implementation offers a number of implementation and operational benefits over classic supervisors that rely on the Trust model and internal Table-map as a tool to classify and mark ingress traffic.
• Internal DSCP—The queue placement in Sup-6E and Sup6L-E is simplified by leveraging the MQC capabilities to explicitly map DSCP or CoS traffic in a hard-coded egress queue structure. For example, DSCP 46 can be classified with an ACL and can be matched in the PQ class-map of an MQC policy in Sup-6E and Sup6L-E.
• Sequential vs Parallel Classification—With MQC-based QoS classification, the Sup6-E and Sup6L-E provide sequential classification rather than parallel. The sequential classification method allows network administrators to classify traffic at the egress based on the ingress markings.

Figure 2-51 Catalyst 4500—Supervisor 6-E and 6L-E QoS Architecture
(Figure: ingress QoS of receive, classify, policer, marking and unconditional marking ahead of the forwarding lookup; egress QoS of classify, policer, marking and unconditional marking into eight queues Q1 to Q8 with queueing, shaping and DBL before transmit.)

Catalyst 6500-E QoS

The Cisco Catalyst 6500-E Series are enterprise-class switches, with next-generation hardware and software capabilities designed to deliver innovative, secure, converged network services regardless of its place in the network. The Cisco Catalyst 6500-E can be deployed as a service-node in the campus

network to offer high performance, robust, intelligent application and network awareness services. The Catalyst 6500-E provides leading-edge Layer 2-Layer 7 services, including rich high availability, manageability, virtualization, security, and QoS feature sets, as well as integrated Power-over-Ethernet (PoE), allowing for maximum flexibility in virtually any role within the campus.

Depending on the network services and application demands of the Cisco Catalyst 6500-E, the platform can be deployed with different types of Supervisor modules—Sup720-10GE, Sup720 and Sup32. This design guide uses the Sup720-10GE supervisor, which is built with next-generation hardware allowing administrators to build virtual-network-systems in the enterprise LAN network. These supervisors leverage various featured daughter cards, including the Multilayer Switch Feature Card (MSFC) that serves as the routing engine, the Policy Feature Card (PFC) that serves as the primary QoS engine, as well as various Distributed Feature Cards (DFCs) that serve to scale policies and processing. Specifically relating to QoS, the PFC sends a copy of the QoS policies to the DFC to provide local support for the QoS policies, which enables the DFCs to support the same QoS features that the PFC supports. Since Cisco VSS is designed with a distributed forwarding architecture, the PFC and DFC functions are enabled and active on active and hot-standby virtual-switch nodes. Figure 2-52 provides the internal PFC-based QoS architecture.

Figure 2-52 Cisco Catalyst 6500-E PFC QoS Architecture
(Figure: the ingress port trust state applies to CoS, IP Prec, DSCP or MPLS EXP; the PFC/DFC identifies traffic by match criteria (ACL for L2 and IP, DSCP, IP Prec, MPLS EXP, CoS, class-map), with a policy result of mark (set internal DSCP) or police (rate limit, drop); the final internal DSCP is mapped to CoS, with CoS set on trunk ports and DSCP set for IP, and the egress scheduler operates in WRR, DWRR or SP mode with configurable thresholds.)

Deploying Access-Layer QoS

The campus access switches provide the entry point to the network for various types of end devices managed by the medium enterprise IT department or employees' personal devices (i.e., laptops etc.). The access switch must decide whether to accept the QoS markings from each endpoint, or whether to change them. This is determined by the QoS policies, and the trust model with which the endpoint is deployed.

QoS Trust Boundary

QoS needs to be designed and implemented considering the entire network. This includes defining trust points and determining which policies to enforce at each device within the network. Developing the trust model guides policy implementations for each device.

The devices (routers, switches, WLC) within the internal network boundary are managed by the system administrator, and hence are classified as trusted devices. Access-layer switches communicate with devices that are beyond the network boundary and within the internal network domain. The QoS trust boundary at the access-layer communicates with various devices that could be deployed in different trust models (trusted, conditional-trusted, or untrusted). Figure 2-53 illustrates several types of devices in the network edge.

Figure 2-53 Campus LAN QoS Trust Boundary
(Figure: a Catalyst 3560 Series PoE-48 access switch with its edge devices labelled as trusted device, conditionally-trusted device or untrusted device: PC, printer, Cisco IP Phone, secured PC, Cisco UC server, Cisco IP Phone + PC, Cisco TelePresence, IP video surveillance camera, wireless access point + mobile PC.)

The enterprise network administrator must identify and classify each of these device types into one of three different trust models, each with its own unique security and QoS policies to access the network:

• Untrusted—An unmanaged device that does not pass through the network security policies, such as an employee-owned PC or network printer. Packets with 802.1p or DSCP marking set by untrusted endpoints are reset to default by the access-layer switch at the edge. Otherwise, it is possible for an unsecured user to take away network bandwidth that may impact network availability and security for other users.
• Trusted—Devices that pass through network access security policies and are managed by the network administrator. Even when these devices are network administrator maintained and secured, QoS policies must still be enforced to classify traffic and assign it to the appropriate queue to provide bandwidth assurance and proper treatment during network congestion.
• Conditionally-trusted—A single physical connection with one trusted endpoint and an indirect untrusted endpoint must be deployed as a conditionally-trusted model. The trusted endpoints are still managed by the network administrator, but it is possible that the untrusted user behind the endpoint may or may not be secure (for example, Cisco Unified IP Phone + PC). These deployment scenarios require a hybrid QoS policy that intelligently distinguishes and applies different QoS policy to the trusted and untrusted endpoints that are connected to the same port.

The ingress QoS policy at the access switches needs to be established, since this is the trust boundary, where traffic enters the network. The following ingress QoS techniques are applied to provide appropriate service treatment and prevent network congestion:

• Trust—After classifying the endpoint, the trust settings must be explicitly set by a network administrator. By default, Catalyst switches set each port in untrusted mode when QoS is enabled.
• Classification—The IETF standard has defined a set of application classes and provides recommended DSCP settings. This classification determines the priority the traffic will receive in the network. Using the IETF standard simplifies the classification process and improves application and network performance.
• Policing—To prevent network congestion, the access-layer switch limits the amount of inbound traffic up to its maximum setting. Additional policing can be applied for known applications, to ensure the bandwidth of an egress queue is not completely consumed by one application.
• Marking—Based on trust model, classification, and policer settings, the QoS marking is set at the edge before approved traffic enters through the access-layer switching fabric. Marking traffic with the appropriate DSCP value is important to ensure traffic is mapped to the appropriate internal queue, and treated with the appropriate priority.
• Queuing—To provide differentiated services internally in the Catalyst 29xx and 3xxx switching fabric, all approved traffic is queued into a priority or non-priority ingress queue. The ingress queuing architecture assures that real-time applications, like VoIP traffic, are given appropriate priority (e.g., transmitted before data traffic).

Enabling QoS

By default, QoS is disabled on all Catalyst 29xx and 3xxx Series switches and must be explicitly enabled in global configuration mode. The QoS configuration is the same for a multilayer or routed-access deployment. The following sample QoS configuration must be enabled on all the access-layer switches deployed in the campus LAN network.

Access-Layer 29xx and 3xxx (Multilayer or Routed Access)

cr24-2960-S-LB(config)#mls qos

cr24-2960-S-LB#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

Note The QoS function on the Catalyst 4500-E with Sup6E and Sup6L-E is enabled with the policy-map attached to the port and does not require any additional global configuration.

Upon enabling QoS in the Catalyst switches, all physical ports are assigned untrusted mode. The network administrator must explicitly enable the trust settings on the physical port where trusted or conditionally trusted endpoints are connected. The Catalyst switches can trust the ingress packets based on 802.1P (CoS-based), ToS (ip-prec-based) or DSCP (DSCP-based) values. Best practice is to deploy DSCP-based trust mode on all the trusted and conditionally-trusted endpoints. This offers a higher level of classification and marking granularity than other methods. The following sample DSCP-based trust configuration must be enabled on the access-switch ports connecting to trusted or conditionally-trusted endpoints.

QoS Trust Mode (Multilayer or Routed-Access)

Trusted Port

• 29xx and 3xxx (Multilayer or Routed Access)

cr22-3560-LB(config)#interface GigabitEthernet0/5
cr22-3560-LB(config-if)# description CONNECTED TO IPVS 2500 - CAMERA
cr22-3560-LB(config-if)# mls qos trust dscp

cr22-3560-LB#show mls qos interface Gi0/5
GigabitEthernet0/5
trust state: trust dscp
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

• 4500-E-Sup6LE (Multilayer or Routed Access)

By default all the Sup6E and Sup6L-E ports are in trusted mode; this configuration leverages the internal DSCP mapping table to automatically classify the QoS bit settings of incoming traffic and place it in the appropriate queue based on the mapping table. To apply the appropriate network policy, the default settings must be modified by implementing an ingress QoS policy-map. Refer to the "Implementing Ingress QoS Policing" section on page 2-94 for further details.

Conditionally-Trusted Port

cr22-3560-LB(config)#interface Gi0/4
cr22-3560-LB(config-if)# description CONNECTED TO PHONE+PC
cr22-3560-LB(config-if)# mls qos trust device cisco-phone
cr22-3560-LB(config-if)# mls qos trust dscp

cr22-3560-LB#show mls qos interface Gi0/4
GigabitEthernet0/4
trust state: not trusted
trust mode: trust dscp
trust enabled flag: dis
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based

• 4500-E-Sup6LE (Multilayer or Routed Access)

cr22-4507-LB(config)#interface GigabitEthernet3/3
cr22-4507-LB(config-if)# qos trust device cisco-phone

cr22-4507-LB#show qos interface Gig3/3
Operational Port Trust State: Trusted
Trust device: cisco-phone
Default DSCP: 0
Default CoS: 0
Appliance trust: none
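A way to audit the trust settings above across many ports, as an added example that is not part of the design guide: it parses the show mls qos interface output layout shown for the 29xx and 3xxx switches, derives the trust model each port is actually configured for, and compares it with the model the administrator assigned to the attached endpoint. The expected-model table, the port list and the captured output are constructed; note that a conditionally-trusted port reports "trust state: not trusted" until the phone is detected, so the check relies on the configured trust mode and trust device rather than the operational state.

```python
import re
from typing import Dict

# Trust model per port, as the administrator classified the attached endpoint
# (constructed for this example).
EXPECTED_MODEL: Dict[str, str] = {
    "GigabitEthernet0/1": "trusted",                # camera moved here, trust not yet set
    "GigabitEthernet0/4": "conditionally-trusted",  # Cisco IP Phone + PC
    "GigabitEthernet0/5": "trusted",                # IP video surveillance camera
}

# Constructed 'show mls qos interface' output in the layout the switch prints,
# one block per port.  Gi0/1 was left at the untrusted default on purpose.
SHOW_MLS_QOS = """\
GigabitEthernet0/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
GigabitEthernet0/4
trust state: not trusted
trust mode: trust dscp
trust enabled flag: dis
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
qos mode: port-based
GigabitEthernet0/5
trust state: trust dscp
trust mode: trust dscp
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
"""

INTERFACE_RE = re.compile(r"^(?:Fast|Gigabit|TenGigabit)Ethernet\S+$")


def parse_show_mls_qos(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into {interface: {field: value}} blocks."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if INTERFACE_RE.match(line):
            current = line
            ports[current] = {}
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            ports[current][key.strip()] = value.strip()
    return ports


def observed_model(fields: Dict[str, str]) -> str:
    """Derive the trust model a port is configured for.

    The configured trust mode and trust device decide the model, not the
    operational trust state.  Non-DSCP trust is reported in parentheses
    because the design calls for DSCP-based trust on every trusted port.
    """
    mode = fields.get("trust mode", "not trusted")
    device = fields.get("Trust device", "none")
    if mode == "not trusted":
        return "untrusted"
    base = "conditionally-trusted" if device == "cisco-phone" else "trusted"
    return base if mode == "trust dscp" else f"{base} ({mode})"


def audit_trust(show_output: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Return {interface: finding} for every port that deviates from its model."""
    parsed = parse_show_mls_qos(show_output)
    findings: Dict[str, str] = {}
    for port, want in expected.items():
        if port not in parsed:
            findings[port] = "not present in show output"
            continue
        got = observed_model(parsed[port])
        if got != want:
            findings[port] = f"expected {want}, configured as {got}"
    return findings


if __name__ == "__main__":
    for port, finding in audit_trust(SHOW_MLS_QOS, EXPECTED_MODEL).items():
        print(f"{port}: {finding}")
```

The only finding is Gi0/1, whose untrusted default means the camera's DSCP markings are being reset at the edge; Gi0/4 passes despite its "not trusted" operational state because its trust mode and trust device are set for the phone.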

UnTrusted Port

As described earlier, the default trust mode is untrusted when globally enabling the QoS function. Without explicit trust configuration on the Gi0/1 port, the following show command verifies the current trust state and mode:

• 29xx and 3xxx (Multilayer or Routed Access)

cr22-3560-LB#show mls qos interface Gi0/1
GigabitEthernet0/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

• 4500-E-Sup6LE (Multilayer or Routed Access)

The QoS trust function on the Cisco Catalyst 4500-E with Sup6E and Sup6L-E is enabled by default and must be modified with the policy-map attached to the port.

cr22-4507-LB#show qos interface GigabitEthernet3/1
Operational Port Trust State: Trusted
Trust device: none
Default DSCP: 0
Default CoS: 0
Appliance trust: none

Implementing Ingress QoS Classification

When creating QoS classification policies, the network administrator needs to consider what applications are present at the access edge (in the ingress direction) and whether these applications are sourced from trusted or untrusted endpoints. If PC endpoints are secured and centrally administered, then endpoint PCs may be considered trusted endpoints. In most deployments, this is not the case, thus PCs are considered untrusted endpoints for the remainder of this document.

Not every application class, as defined in the Cisco-modified RFC 4594-based model, is present in the ingress direction at the access edge; therefore, it is not necessary to provision the following application classes at the access-layer:

• Network Control—It is assumed that the access-layer switch will not transmit or receive network control traffic from endpoints, hence this class is not implemented.
• Broadcast Video—Broadcast video and multimedia streaming servers can be distributed across the campus network; a server broadcasting a live video feed using multicast streams must be originated from trusted distributed data center servers.
• Operation, Administration and Management—Primarily generated by network devices (routers, switches) and collected by management stations which are typically deployed in the trusted data center network, or a network control center.

All applications present at the access edge need to be assigned a classification, as shown in Figure 2-54. Voice traffic is primarily sourced from Cisco IP telephony devices residing in the voice VLAN (VVLAN). These are trusted devices, or conditionally trusted (if users also attach PCs, etc.) to the same port. Voice communication may also be sourced from PCs with soft-phone applications, like Cisco Unified Personal Communicator (CUPC). Since such applications share the same UDP port range as multimedia conferencing traffic (UDP/RTP ports 16384-32767), this soft-phone VoIP traffic is indistinguishable, and should be classified with multimedia conferencing streams. See Figure 2-54.

Figure 2-54 Ingress QoS Application Model

Application              PHB  Application Examples        Present at Campus Access-Edge (Ingress)?  Trust Boundary
Network Control          CS6  EIGRP, OSPF, HSRP, IKE
VoIP                     EF   Cisco IP Phone              Yes                                       Trusted
Broadcast Video          CS5  Cisco IPVS, Enterprise TV
Realtime Interactive     CS4  Cisco TelePresence          Yes                                       Trusted
Multimedia Conferencing  AF4  Cisco CUPC, WebEx           Yes                                       Untrusted
Multimedia Streaming     AF3  Cisco DMS, IP/TV
Signaling                CS3  SCCP, SIP, H.323            Yes                                       Trusted
Transactional Data       AF2  ERP Apps, CRM Apps          Yes                                       Untrusted
OAM                      CS2  SNMP, Syslog
Bulk Data                AF1  Email, FTP, Backups         Yes                                       Untrusted
Best Effort              DF   Default Class               Yes                                       Untrusted
Scavenger                CS1  Gaming, P2P                 Yes                                       Untrusted

Modular QoS (MQC) offers the scalability and flexibility to classify all 8 application classes by using match statements or an extended access-list that matches the exact value or range of well-known Layer-4 ports each application uses to communicate on the network. The following sample configuration creates an extended access-list for each application and then applies it under class-map configuration mode.

• Catalyst 29xx, 3xxx and 4500-E (MultiLayer and Routed Access)

cr22-4507-LB(config)#ip access-list extended MULTIMEDIA-CONFERENCING
cr22-4507-LB(config-ext-nacl)# remark RTP
cr22-4507-LB(config-ext-nacl)# permit udp any any range 16384 32767
cr22-4507-LB(config-ext-nacl)#ip access-list extended SIGNALING
cr22-4507-LB(config-ext-nacl)# remark SCCP
cr22-4507-LB(config-ext-nacl)# permit tcp any any range 2000 2002
cr22-4507-LB(config-ext-nacl)# remark SIP
cr22-4507-LB(config-ext-nacl)# permit tcp any any range 5060 5061
cr22-4507-LB(config-ext-nacl)# permit udp any any range 5060 5061
cr22-4507-LB(config-ext-nacl)#ip access-list extended TRANSACTIONAL-DATA
cr22-4507-LB(config-ext-nacl)# remark HTTPS
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 443
cr22-4507-LB(config-ext-nacl)# remark ORACLE-SQL*NET
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 1521
cr22-4507-LB(config-ext-nacl)# permit udp any any eq 1521
cr22-4507-LB(config-ext-nacl)# remark ORACLE
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 1526
cr22-4507-LB(config-ext-nacl)# permit udp any any eq 1526
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 1575
cr22-4507-LB(config-ext-nacl)# permit udp any any eq 1575
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 1630

cr22-4507-LB(config-ext-nacl)#ip access-list extended BULK-DATA
cr22-4507-LB(config-ext-nacl)# remark FTP
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq ftp
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq ftp-data
cr22-4507-LB(config-ext-nacl)# remark SSH/SFTP
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 22
cr22-4507-LB(config-ext-nacl)# remark SMTP/SECURE SMTP
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq smtp
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 465
cr22-4507-LB(config-ext-nacl)# remark IMAP/SECURE IMAP
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 143
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 993
cr22-4507-LB(config-ext-nacl)# remark POP3/SECURE POP3
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq pop3
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 995
cr22-4507-LB(config-ext-nacl)# remark CONNECTED PC BACKUP
cr22-4507-LB(config-ext-nacl)# permit tcp any eq 1914 any
cr22-4507-LB(config-ext-nacl)#ip access-list extended DEFAULT
cr22-4507-LB(config-ext-nacl)# remark EXPLICIT CLASS-DEFAULT
cr22-4507-LB(config-ext-nacl)# permit ip any any
cr22-4507-LB(config-ext-nacl)#ip access-list extended SCAVENGER
cr22-4507-LB(config-ext-nacl)# remark KAZAA
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 1214
cr22-4507-LB(config-ext-nacl)# permit udp any any eq 1214
cr22-4507-LB(config-ext-nacl)# remark MICROSOFT DIRECT X GAMING
cr22-4507-LB(config-ext-nacl)# permit tcp any any range 2300 2400
cr22-4507-LB(config-ext-nacl)# permit udp any any range 2300 2400
cr22-4507-LB(config-ext-nacl)# remark APPLE ITUNES MUSIC SHARING
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 3689
cr22-4507-LB(config-ext-nacl)# permit udp any any eq 3689
cr22-4507-LB(config-ext-nacl)# remark BITTORRENT
cr22-4507-LB(config-ext-nacl)# permit tcp any any range 6881 6999
cr22-4507-LB(config-ext-nacl)# remark YAHOO GAMES
cr22-4507-LB(config-ext-nacl)# permit tcp any any eq 11999
cr22-4507-LB(config-ext-nacl)# remark MSN GAMING ZONE
cr22-4507-LB(config-ext-nacl)# permit tcp any any range 28800 29100

Creating a class-map for each application service and applying the match statement:

cr22-4507-LB(config)#class-map match-all VVLAN-SIGNALING
cr22-4507-LB(config-cmap)# match ip dscp cs3
cr22-4507-LB(config-cmap)#class-map match-all VVLAN-VOIP
cr22-4507-LB(config-cmap)# match ip dscp ef
cr22-4507-LB(config-cmap)#class-map match-all MULTIMEDIA-CONFERENCING
cr22-4507-LB(config-cmap)# match access-group name MULTIMEDIA-CONFERENCING
cr22-4507-LB(config-cmap)#class-map match-all SIGNALING
cr22-4507-LB(config-cmap)# match access-group name SIGNALING
cr22-4507-LB(config-cmap)#class-map match-all TRANSACTIONAL-DATA
cr22-4507-LB(config-cmap)# match access-group name TRANSACTIONAL-DATA
cr22-4507-LB(config-cmap)#class-map match-all BULK-DATA
cr22-4507-LB(config-cmap)# match access-group name BULK-DATA
cr22-4507-LB(config-cmap)#class-map match-all DEFAULT
cr22-4507-LB(config-cmap)# match access-group name DEFAULT

cr22-4507-LB(config-cmap)#class-map match-all SCAVENGER
cr22-4507-LB(config-cmap)# match access-group name SCAVENGER

Implementing Ingress QoS Policing

It is important to limit how much bandwidth each class may use at the ingress to the access layer, for two primary reasons:

• Bandwidth Bottleneck—To prevent network congestion, each physical port at the trust boundary must be rate-limited. The rate-limit value may differ based on several factors: end-to-end network bandwidth capacity, end-station and application performance capacities, etc.

• Bandwidth Security—Well-known applications like Cisco IP telephony use a fixed amount of bandwidth per device, based on the codec. It is important to police high-priority application traffic, which is assigned to the high-priority queue; otherwise it could consume too much overall network bandwidth and impact the performance of other applications.

In addition to policing, the rate-limit function also provides the ability to take different actions on the excess incoming traffic that exceeds the established limits. The exceed-action for each class must be carefully designed based on the nature of the application, so as to provide best-effort service based on network bandwidth availability.

Table 2-6 provides best-practice policing guidelines for the different classes, to be implemented for trusted and conditionally-trusted endpoints at the network edge.

Table 2-6 Access-Layer Ingress Policing Guidelines

Application              Policing Rate   Conform-Action  Exceed-Action
VoIP Signaling           <32 kbps        Pass            Drop
VoIP Bearer              <128 kbps       Pass            Drop
Multimedia Conferencing  <5 Mbps (1)     Pass            Drop
Signaling                <32 kbps        Pass            Drop
Transactional Data       <10 Mbps (1)    Pass            Remark to CS1
Bulk Data                <10 Mbps (1)    Pass            Remark to CS1
Best Effort              <10 Mbps (1)    Pass            Remark to CS1
Scavenger                <10 Mbps (1)    Pass            Drop

1. Rate varies based on several factors as defined earlier. This table depicts sample rate-limiting values.

Catalyst 29xx

As described earlier, the Catalyst 2960 can only police to a minimum rate of 1 Mbps; all other platforms, including the next-generation Cisco Catalyst 2960-S within this switch product family, can police to a minimum rate of 8 kbps.

• Trusted or Conditionally-Trusted Port Policer

cr22-2960-LB(config)#policy-map Phone+PC-Policy
cr22-2960-LB(config-pmap)# class VVLAN-VOIP
cr22-2960-LB(config-pmap-c)# police 1000000 8000 exceed-action drop
cr22-2960-LB(config-pmap-c)# class VVLAN-SIGNALING
cr22-2960-LB(config-pmap-c)# police 1000000 8000 exceed-action drop
cr22-2960-LB(config-pmap-c)# class MULTIMEDIA-CONFERENCING
cr22-2960-LB(config-pmap-c)# police 5000000 8000 exceed-action drop
cr22-2960-LB(config-pmap-c)# class SIGNALING
cr22-2960-L(config-pmap-c)# police 1000000 8000 exceed-action drop
cr22-2960-LB(config-pmap-c)# class TRANSACTIONAL-DATA

cr22-2960-LB(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
cr22-2960-LB(config-pmap-c)# class BULK-DATA
cr22-2960-LB(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
cr22-2960-LB(config-pmap-c)# class SCAVENGER
cr22-2960-LB(config-pmap-c)# police 10000000 8000 exceed-action drop
cr22-2960-LB(config-pmap-c)# class DEFAULT
cr22-2960-LB(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit

Catalyst 2960-S, 3xxx and 4500-E (Multilayer and Routed-Access)

• Trusted or Conditionally-Trusted Port Policer

cr22-4507-LB(config)#policy-map Phone+PC-Policy
cr22-4507-LB(config-pmap)# class VVLAN-VOIP
cr22-4507-LB(config-pmap-c)# police 128000 8000 exceed-action drop
cr22-4507-LB(config-pmap-c)# class VVLAN-SIGNALING
cr22-4507-LB(config-pmap-c)# police 32000 8000 exceed-action drop
cr22-4507-LB(config-pmap-c)# class MULTIMEDIA-CONFERENCING
cr22-4507-LB(config-pmap-c)# police 5000000 8000 exceed-action drop
cr22-4507-LB(config-pmap-c)# class SIGNALING
cr22-4507-LB(config-pmap-c)# police 32000 8000 exceed-action drop
cr22-4507-LB(config-pmap-c)# class TRANSACTIONAL-DATA
cr22-4507-LB(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
cr22-4507-LB(config-pmap-c)# class BULK-DATA
cr22-4507-LB(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
cr22-4507-LB(config-pmap-c)# class SCAVENGER
cr22-4507-LB(config-pmap-c)# police 10000000 8000 exceed-action drop
cr22-4507-LB(config-pmap-c)# class DEFAULT
cr22-4507-LB(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit

Catalyst 29xx, 3xxx and 4500-E (Multilayer and Routed-Access)

• UnTrusted Port Policer

All ingress traffic (default class) from an untrusted endpoint must be policed without the explicit classification that differentiated services require. The following sample configuration shows how to deploy policing on untrusted ingress ports in access-layer switches:

cr22-2960-LB(config)#policy-map UnTrusted-PC-Policy
cr22-2960-LB(config-pmap)# class class-default
cr22-2960-LB(config-pmap-c)# police 10000000 8000 exceed-action drop

Implementing Ingress Marking

Accurate DSCP marking of ingress traffic at the access-layer switch is critical to ensure proper QoS service treatment as traffic traverses the network. All classified and policed traffic must be explicitly marked using the policy-map configuration, based on the 8-class QoS model shown in Figure 2-59. The best practice is to use an explicit marking command (set dscp) even for trusted application classes (like VVLAN-VOIP and VVLAN-SIGNALING), rather than a trust policy-map action. A trust statement in a policy map requires multiple hardware entries; the use of an explicit (seemingly redundant) marking command improves the hardware efficiency.

The following sample configuration shows how to implement explicit marking for multiple classes on trusted and conditionally-trusted ingress ports in access-layer switches:

Trusted or Conditionally-Trusted Port

• Catalyst 29xx, 3xxx and 4500-E (Multilayer and Routed-Access)

cr22-3750-LB(config)#policy-map Phone+PC-Policy

cr22-3750-LB(config-pmap)# class VVLAN-VOIP
cr22-3750-LB(config-pmap-c)# set dscp ef
cr22-3750-LB(config-pmap-c)# class VVLAN-SIGNALING
cr22-3750-LB(config-pmap-c)# set dscp cs3
cr22-3750-LB(config-pmap-c)# class MULTIMEDIA-CONFERENCING
cr22-3750-LB(config-pmap-c)# set dscp af41
cr22-3750-LB(config-pmap-c)# class SIGNALING
cr22-3750-LB(config-pmap-c)# set dscp cs3
cr22-3750-LB(config-pmap-c)# class TRANSACTIONAL-DATA
cr22-3750-LB(config-pmap-c)# set dscp af21
cr22-3750-LB(config-pmap-c)# class BULK-DATA
cr22-3750-LB(config-pmap-c)# set dscp af11
cr22-3750-LB(config-pmap-c)# class SCAVENGER
cr22-3750-LB(config-pmap-c)# set dscp cs1
cr22-3750-LB(config-pmap-c)# class DEFAULT
cr22-3750-LB(config-pmap-c)# set dscp default

Untrusted Port

All ingress traffic (default class) from an untrusted endpoint must be marked without an explicit classification. The following sample configuration shows how to implement explicit DSCP marking:

• Catalyst 29xx, 3xxx and 4500-E (Multilayer and Routed-Access)

cr22-3750-LB(config)#policy-map UnTrusted-PC-Policy
cr22-3750-LB(config-pmap)# class class-default
cr22-3750-LB(config-pmap-c)# set dscp default

Applying Ingress Policies

After creating a complete policy-map with the defined QoS policies on all the Layer 2 and Layer 3 access switches, the service-policy must be applied on the edge interfaces of the access layer to enforce the QoS configuration. Cisco Catalyst switches offer three simplified methods to apply service-policies; depending on the deployment model, any of these methods can be implemented:

• Port-Based QoS—Applying the service-policy on a per-physical-port basis forces traffic to pass through the QoS policies before entering the campus network. Port-Based QoS functions discretely on a per-physical-port basis even if the port is associated with a logical VLAN that is applied on multiple physical ports.

• VLAN-Based QoS—Applying the service-policy on a per-VLAN basis requires the policy-map to be attached to a logical Layer 3 SVI interface. Every physical port associated with the VLAN requires extra configuration to ensure that all traffic passes through the QoS policies defined on the logical interface.

• Per-Port/Per-VLAN-Based QoS—This is not supported on all Catalyst platforms, and the configuration commands are platform-specific. Per-Port/Per-VLAN-Based QoS creates a nested hierarchical policy-map that operates on a trunk interface. A different policy-map can be applied on each logical SVI interface that is associated with the same physical port. See Figure 2-55.
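The classification and marking policies above decide which DSCP a flow carries when it leaves the access port, and which classes an untrusted endpoint can never reach by marking its own packets. The following script is an added example, not part of the Cisco guide: it transcribes the guide's extended ACLs and the class order of Phone+PC-Policy and UnTrusted-PC-Policy into a small classifier; the Flow type, the port-range encoding and the function names are this example's own.

```python
"""Model of the guide's ingress classification (extended ACLs + class-maps)
and explicit DSCP marking (Phone+PC-Policy and UnTrusted-PC-Policy).
Added example; the Flow type and the ACL encoding are this script's own.
"""
from dataclasses import dataclass
from typing import List, Tuple

# DSCP codepoints for the PHB names used in the guide's 'set dscp' commands
DSCP = {"default": 0, "cs1": 8, "af11": 10, "af21": 18, "cs3": 24,
        "af41": 34, "ef": 46}

ANY = (0, 65535)  # 'any' port in an access-list entry

# (protocol, source-port range, destination-port range) per permit entry,
# transcribed in order from the guide's 'ip access-list extended' blocks.
# IOS port keywords resolve to: ftp=21, ftp-data=20, smtp=25, pop3=110.
ACL = {
    "MULTIMEDIA-CONFERENCING": [("udp", ANY, (16384, 32767))],        # RTP
    "SIGNALING": [("tcp", ANY, (2000, 2002)),                         # SCCP
                  ("tcp", ANY, (5060, 5061)), ("udp", ANY, (5060, 5061))],  # SIP
    "TRANSACTIONAL-DATA": [("tcp", ANY, (443, 443))]                  # HTTPS
        + [(p, ANY, (port, port)) for port in (1521, 1526, 1575)      # Oracle
           for p in ("tcp", "udp")]
        + [("tcp", ANY, (1630, 1630))],
    "BULK-DATA": [("tcp", ANY, (p, p))
                  for p in (21, 20, 22, 25, 465, 143, 993, 110, 995)]
        + [("tcp", (1914, 1914), ANY)],   # CONNECTED PC BACKUP: source port
    "SCAVENGER": [(p, ANY, (1214, 1214)) for p in ("tcp", "udp")]     # KAZAA
        + [(p, ANY, (2300, 2400)) for p in ("tcp", "udp")]            # DirectX gaming
        + [(p, ANY, (3689, 3689)) for p in ("tcp", "udp")]            # iTunes sharing
        + [("tcp", ANY, (6881, 6999)),                                # BitTorrent
           ("tcp", ANY, (11999, 11999)),                              # Yahoo games
           ("tcp", ANY, (28800, 29100))],                             # MSN gaming zone
    "DEFAULT": [("ip", ANY, ANY)],                                    # permit ip any any
}

# Class order of the Phone+PC-Policy policy-map (first matching class wins)
# and the DSCP each class is explicitly marked with ('set dscp').
PHONE_PC_POLICY: List[Tuple[str, str]] = [
    ("VVLAN-VOIP", "ef"), ("VVLAN-SIGNALING", "cs3"),
    ("MULTIMEDIA-CONFERENCING", "af41"), ("SIGNALING", "cs3"),
    ("TRANSACTIONAL-DATA", "af21"), ("BULK-DATA", "af11"),
    ("SCAVENGER", "cs1"), ("DEFAULT", "default"),
]


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp", "udp" or anything else (matched only by 'ip')
    sport: int
    dport: int
    dscp: int = 0     # DSCP already carried by the packet on arrival


def acl_permits(name: str, flow: Flow) -> bool:
    """True if any entry of the named access-list permits the flow."""
    for proto, (s_lo, s_hi), (d_lo, d_hi) in ACL[name]:
        if proto != "ip" and proto != flow.proto:
            continue
        if s_lo <= flow.sport <= s_hi and d_lo <= flow.dport <= d_hi:
            return True
    return False


def class_matches(name: str, flow: Flow) -> bool:
    # VVLAN-VOIP / VVLAN-SIGNALING use 'match ip dscp ef|cs3' on the marking
    # the (conditionally) trusted phone applied; all other classes use an ACL.
    if name == "VVLAN-VOIP":
        return flow.dscp == DSCP["ef"]
    if name == "VVLAN-SIGNALING":
        return flow.dscp == DSCP["cs3"]
    return acl_permits(name, flow)


def mark_trusted_port(flow: Flow) -> Tuple[str, int]:
    """Phone+PC-Policy on a trusted/conditionally-trusted port: (class, DSCP set)."""
    for name, phb in PHONE_PC_POLICY:
        if class_matches(name, flow):
            return name, DSCP[phb]
    raise RuntimeError("unreachable: DEFAULT permits ip any any")


def mark_untrusted_port(flow: Flow) -> Tuple[str, int]:
    """UnTrusted-PC-Policy: class-default / set dscp default for every packet,
    so a DSCP the endpoint chose for itself never enters the campus."""
    return "class-default", DSCP["default"]
```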
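The police statements in the policing section (128000, 32000, 5000000 and 10000000 bps with an 8000-byte burst) and the two exceed actions of Table 2-6 behave as a single-rate token bucket. The following is an added example, not from the guide: it simulates that bucket over constructed packet streams and counts conform, remark and drop decisions; the Packet and Policer names are this example's own, and the CS1 remark target comes from Table 2-6.

```python
"""Single-rate token-bucket model of the Catalyst
'police <bps> <burst-bytes> exceed-action {drop|policed-dscp-transmit}'
statements used in the guide. Added example; times are microseconds and all
arithmetic is integer so the results are exact.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CS1 = 8  # policed-dscp map target: Table 2-6 says "Remark to CS1"


@dataclass
class Packet:
    t_us: int    # arrival time in microseconds
    size: int    # bytes
    dscp: int


class Policer:
    def __init__(self, rate_bps: int, burst_bytes: int, exceed_action: str):
        if exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError(exceed_action)
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.exceed_action = exceed_action
        self.tokens = burst_bytes   # the bucket starts full
        self.last_us = 0

    def _refill(self, now_us: int) -> None:
        # rate is bits/s: bytes earned = rate * seconds / 8
        dt = max(0, now_us - self.last_us)
        self.tokens = min(self.burst, self.tokens + self.rate_bps * dt // 8_000_000)
        self.last_us = now_us

    def offer(self, pkt: Packet) -> Tuple[str, int]:
        """Return (action, dscp) with action in {'conform', 'remark', 'drop'}."""
        self._refill(pkt.t_us)
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "conform", pkt.dscp
        if self.exceed_action == "drop":
            return "drop", pkt.dscp
        return "remark", CS1          # transmitted, but demoted to scavenger


def run_policer(rate_bps: int, burst: int, exceed_action: str,
                packets: List[Packet]) -> Dict[str, int]:
    """Count the policer decisions for a whole packet stream."""
    p = Policer(rate_bps, burst, exceed_action)
    counts = {"conform": 0, "remark": 0, "drop": 0}
    for pkt in packets:
        action, _ = p.offer(pkt)
        counts[action] += 1
    return counts


def g711_stream(n: int) -> List[Packet]:
    # constructed: G.711 voice, 200-byte frames every 20 ms (80 kbps), marked EF
    return [Packet(i * 20_000, 200, 46) for i in range(n)]


def burst_at_once(n: int, size: int = 1500) -> List[Packet]:
    # constructed: n full-size frames arriving back-to-back at t=0
    return [Packet(0, size, 0) for _ in range(n)]
```

With the 8000-byte burst, only the first five 1500-byte frames of a back-to-back burst conform; whether the other 95 are dropped (VVLAN-VOIP, SCAVENGER) or carried as CS1 (TRANSACTIONAL-DATA, BULK-DATA, DEFAULT) depends only on the exceed action.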

Figure 2-55 Depicts all three QoS implementation methods: Port-Based QoS (physical port attached with a single service-policy), VLAN-Based QoS (single logical port attached with a single service-policy) and Per-Port/Per-VLAN-Based QoS (multiple logical ports attached with different service-policies).

The following sample configuration provides a guideline to deploy port-based QoS on the access-layer switches in the campus network:

• Catalyst 29xx, 3xxx and 4500-E (Multilayer and Routed-Access)

cr22-2960-LB(config)#interface FastEthernet0/1
cr22-2960-LB(config-if)# service-policy input UnTrusted-PC-Policy

cr22-2960-LB#show mls qos interface FastEthernet0/1
FastEthernet0/1
Attached policy-map for Ingress: UnTrusted-PC-Policy
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

Applying Ingress Queuing

Fixed-configuration Cisco Catalyst switches (2960 and 3xxx) not only offer differentiated services on the network ports, but also internally on the switching fabric. After enabling QoS and attaching inbound policies on the physical ports, all the packets that meet the specified policy are forwarded to the switching fabric for egress switching. The aggregate bandwidth from all edge ports may exceed the switching fabric bandwidth and cause internal congestion.

Cisco Catalyst 2960 and 3xxx platforms support two internal ingress queues: a normal queue and a priority queue. The ingress queue inspects the DSCP value on each incoming frame and assigns it to either the normal or the priority queue. High-priority traffic, like DSCP EF marked packets, is placed in the priority queue and switched before the normal queue is processed. The Catalyst 3750-X family of switches supports the weighted tail drop (WTD) congestion avoidance mechanism. WTD is implemented on queues to manage the queue length. WTD drops packets from the queue based on the DSCP value and the associated threshold. If the threshold is exceeded for a given internal DSCP value, the switch drops the packet. Each queue has three threshold values. The internal DSCP determines which of the three threshold values is applied to the frame. Two of the three thresholds are configurable (explicit) and one is not (implicit). This last threshold corresponds to the tail of the queue (100 percent limit).

Figure 2-56 depicts how the different class-of-service applications are mapped to the ingress queue structure (1P1Q3T) and how each queue is assigned a different WTD threshold.

Note: The Cisco Catalyst 2960-S Series platform does not support ingress queueing and buffer allocation.
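The DSCP-to-queue/threshold map that the ingress queuing configuration in this section establishes is what the switch reports with show mls qos maps dscp-input-q, and a planned map can be compared against that report mechanically. The following script is an added example, not from the guide: it reads mls qos srr-queue input dscp-map commands of the form used in this section, builds the 64-entry table on top of the Catalyst 3750 factory default (DSCP 40-47 in queue 2 threshold 1, everything else in queue 1 threshold 1), renders it in the d1/d2 layout of the show command and lists any DSCP whose queue or threshold differs from pasted switch output; the function names are this example's own.

```python
"""Build the ingress DSCP-to-queue/threshold table from Catalyst
'mls qos srr-queue input dscp-map ...' commands and compare it with
'show mls qos maps dscp-input-q' output. Added example, not from the guide.
"""
import re
from typing import Dict, List, Tuple

QueueMap = Dict[int, Tuple[int, int]]   # dscp -> (queue, threshold)

_DSCP_MAP_CMD = re.compile(
    r"mls qos srr-queue input dscp-map queue (\d) threshold (\d)((?:\s+\d+)+)\s*$")
_SHOW_ROW = re.compile(r"^\s*(\d)\s*:((?:\s+\d\d-\d\d)+)\s*$")


def default_input_map() -> QueueMap:
    # Catalyst 3750 factory default: DSCP 40-47 go to queue 2 threshold 1,
    # every other DSCP to queue 1 threshold 1 (entries the guide's
    # configuration does not override keep these values).
    return {d: ((2, 1) if 40 <= d <= 47 else (1, 1)) for d in range(64)}


def apply_dscp_map_commands(lines: List[str]) -> QueueMap:
    """Apply dscp-map commands; CLI prompts and '!' comment lines are tolerated."""
    table = default_input_map()
    for line in lines:
        cmd = line.split("#", 1)[-1].strip()      # drop 'host(config)#'
        if not cmd or cmd.startswith("!"):
            continue
        m = _DSCP_MAP_CMD.match(cmd)
        if not m:
            continue                               # some other command
        queue, thr = int(m.group(1)), int(m.group(2))
        if queue not in (1, 2) or thr not in (1, 2, 3):
            raise ValueError(f"queue/threshold out of range: {cmd}")
        for d in (int(x) for x in m.group(3).split()):
            if not 0 <= d <= 63:
                raise ValueError(f"DSCP out of range: {cmd}")
            table[d] = (queue, thr)
    return table


def render_show_map(table: QueueMap) -> List[str]:
    """Rows 'd1 : qq-tt ...' in the d1/d2 layout of the show command."""
    rows = []
    for d1 in range(7):
        cells = [f"{table[d][0]:02d}-{table[d][1]:02d}"
                 for d in range(d1 * 10, min(d1 * 10 + 10, 64))]
        rows.append(f"{d1} : " + " ".join(cells))
    return rows


def parse_show_map(show_output: str) -> QueueMap:
    """Parse pasted 'show mls qos maps dscp-input-q' output into a table."""
    table: QueueMap = {}
    for line in show_output.splitlines():
        m = _SHOW_ROW.match(line)
        if not m:
            continue                               # header / separator lines
        d1 = int(m.group(1))
        for d2, cell in enumerate(m.group(2).split()):
            q, t = cell.split("-")
            table[d1 * 10 + d2] = (int(q), int(t))
    return table


def mismatches(expected: QueueMap, show_output: str) -> List[int]:
    """DSCP values whose queue/threshold on the switch differ from the plan."""
    actual = parse_show_map(show_output)
    return [d for d in sorted(expected) if actual.get(d) != expected[d]]


# Constructed input: the dscp-map lines of the guide's ingress queuing section
GUIDE_COMMANDS = [
    "cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 1 0 8 10 12 14",
    "! DSCP DF, CS1 and AF1 are mapped to ingress Q1T1",
    "cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 1 16 18 20 22",
    "cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 1 26 28 30 34 36 38",
    "cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 2 24",
    "cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 3 48 56",
    "cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 2 threshold 3 32 40 46",
]

# Constructed: the map as the guide's switch reports it after that configuration
GUIDE_SHOW_OUTPUT = """\
   Dscp-inputq-threshold map:
     d1 :d2    0      1      2      3      4      5      6      7      8      9
     ----------------------------------------------------------------------
      0 :    01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01
      1 :    01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01
      2 :    01-01  01-01  01-01  01-01  01-02  01-01  01-01  01-01  01-01  01-01
      3 :    01-01  01-01  02-03  01-01  01-01  01-01  01-01  01-01  01-01  01-01
      4 :    02-03  02-01  02-01  02-01  02-01  02-01  02-03  02-01  01-03  01-01
      5 :    01-01  01-01  01-01  01-01  01-01  01-01  01-03  01-01  01-01  01-01
      6 :    01-01  01-01  01-01  01-01
"""
```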

Figure 2-56 Catalyst 2960 and 3xxx Ingress Queuing Model (1P1Q3T): Queue 2 (Priority Queue) carries EF, CS5 and CS4; Queue 1 (Normal Queue) carries CS7 and CS6 at Q1T3, CS3 at Q1T2, and AF4, AF3, AF2, CS2, AF1, DF and CS1 at Q1T1.

• Catalyst 2960 and 3xxx (Multilayer and Routed-Access)

cr22-3750-LB(config)#mls qos srr-queue input priority-queue 2 bandwidth 30
! Q2 is enabled as a strict-priority ingress queue with 30% BW
cr22-3750-LB(config)#mls qos srr-queue input bandwidth 70 30
! Q1 is assigned 70% BW via SRR shared weights
! Q2 SRR shared weight is ignored (as it has been configured as a PQ)
cr22-3750-LB(config)#mls qos srr-queue input threshold 1 80 90
! Q1 thresholds are configured at 80% (Q1T1) and 90% (Q1T2)
! Q1T3 is implicitly set at 100% (the tail of the queue)
! Q2 thresholds are all set (by default) to 100% (the tail of Q2)
! This section configures ingress DSCP-to-Queue Mappings
cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 1 0 8 10 12 14
! DSCP DF, CS1 and AF1 are mapped to ingress Q1T1
cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 1 16 18 20 22
! DSCP CS2 and AF2 are mapped to ingress Q1T1
cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 1 26 28 30 34 36 38
! DSCP AF3 and AF4 are mapped to ingress Q1T1
cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 2 24
! DSCP CS3 is mapped to ingress Q1T2
cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 1 threshold 3 48 56
! DSCP CS6 and CS7 are mapped to ingress Q1T3 (the tail of Q1)
cr22-3750-LB(config)#mls qos srr-queue input dscp-map queue 2 threshold 3 32 40 46
! DSCP CS4, CS5 and EF are mapped to ingress Q2T3 (the tail of the PQ)

cr22-3750-LB#show mls qos input-queue

Queue      :       1       2
----------------------------------------
buffers    :      90      10
bandwidth  :      70      30
priority   :       0      30
threshold1 :      80     100
threshold2 :      90     100

cr22-3750-LB#show mls qos maps dscp-input-q
   Dscp-inputq-threshold map:
     d1 :d2    0      1      2      3      4      5      6      7      8      9
     ----------------------------------------------------------------------
      0 :    01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01
      1 :    01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01  01-01
      2 :    01-01  01-01  01-01  01-01  01-02  01-01  01-01  01-01  01-01  01-01
      3 :    01-01  01-01  02-03  01-01  01-01  01-01  01-01  01-01  01-01  01-01
      4 :    02-03  02-01  02-01  02-01  02-01  02-01  02-03  02-01  01-03  01-01
      5 :    01-01  01-01  01-01  01-01  01-01  01-01  01-03  01-01  01-01  01-01
      6 :    01-01  01-01  01-01  01-01

Note: The ingress queuing function on the Catalyst 4500-E Sup6E and Sup6L-E is not supported, as described in Figure 2-51.

Implementing Access-Layer Egress QoS

The QoS implementation for egress traffic towards network edge devices on access-layer switches is much simpler than for ingress traffic, which requires stringent QoS policies to provide differentiated services and network bandwidth protection. Unlike the ingress QoS model, the egress QoS model must provide optimal queuing policies for each class and set the drop thresholds to prevent network congestion and an impact on application performance. With egress queuing in DSCP mode, the Cisco Catalyst switching platforms are bounded by a limited number of hardware queues.

Catalyst 2960 and 3xxx Egress QoS

Cisco Catalyst 29xx and 3xxx Series platforms support four egress queues, which are required to support the variable-class QoS policies for the medium enterprise campus LAN network; specifically, the following queues would be considered a minimum:

• Realtime queue (to support an RFC 3246 EF PHB service)
• Guaranteed bandwidth queue (to support RFC 2597 AF PHB services)
• Default queue (to support an RFC 2474 DF service)
• Bandwidth constrained queue (to support an RFC 3662 scavenger service)

As a best practice, each physical or logical interface must be deployed with the IETF-recommended bandwidth allocations for the different class-of-service applications:

• The real-time queue should not exceed 33 percent of the link's bandwidth.
• The default queue should be at least 25 percent of the link's bandwidth.
• The bulk/scavenger queue should not exceed 5 percent of the link's bandwidth.

Figure 2-57 illustrates the egress bandwidth allocation best-practice design for the different classes.

Figure 2-57 Class-of-Service Egress Bandwidth Allocations

Given these minimum queuing requirements and bandwidth allocation recommendations, the following application classes can be mapped to the respective queues:

• Realtime Queue—Voice, broadcast video, and realtime interactive may be mapped to the realtime queue (per RFC 4594).

• Guaranteed Queue—Network/internetwork control, signaling, network management, multimedia conferencing, multimedia streaming, and transactional data can be mapped to the guaranteed bandwidth queue. Congestion avoidance mechanisms (i.e., selective dropping tools), such as WRED, can be enabled on this class; furthermore, if configurable drop thresholds are supported on the platform, these may be enabled to provide intra-queue QoS to these application classes, in the respective order they are listed (such that control plane protocols receive the highest level of QoS within a given queue).

• Scavenger/Bulk Queue—Bulk data and scavenger traffic can be mapped to the bandwidth-constrained queue and congestion avoidance mechanisms can be enabled on this class. If configurable drop thresholds are supported on the platform, these may be enabled to provide inter-queue QoS to drop scavenger traffic ahead of bulk data.

• Default Queue—Best-effort traffic can be mapped to the default queue; congestion avoidance mechanisms can be enabled on this class.

Like the ingress queuing structure, which maps the various applications into two ingress queues based on DSCP value, the egress queuing must be designed similarly to map onto the four egress queues. The DSCP-to-queue mapping for egress queuing must be set for each egress queue as stated above, which allows better queuing-policy granularity. A campus egress QoS model example for a platform that supports DSCP-to-queue mapping with a 1P3Q8T queuing structure is depicted in Figure 2-58.

Figure 2-58 1P3Q3T Egress QoS Model on Catalyst 29xx and 3xxx platforms: Queue 1 (Priority Queue, 30%) carries EF, CS5 and CS4; Queue 2 (30%) carries CS7 and CS6 at Q2T3, CS3 at Q2T2, and AF4, AF3, AF2 and CS2 at Q2T1; Queue 3 (35%) carries DF; Queue 4 (5%) carries AF1 at Q4T2 and CS1 at Q4T1.

DSCP-marked packets are assigned to the appropriate queue, and each queue is configured with the appropriate WTD threshold as defined in Figure 2-58. Egress queuing settings are common to all the trust-independent network edge ports as well as the Layer 2 or Layer 3 uplinks connected to the internal network. The following egress queue configuration, entered in global configuration mode, must be enabled on every access-layer switch in the network.

• Catalyst 2960, 2960-S and 3xxx (Multilayer and Routed-Access)

cr22-3750-LB(config)#mls qos queue-set output 1 buffers 15 30 35 20
! Queue buffers are allocated
cr22-3750-LB(config)#mls qos queue-set output 1 threshold 1 100 100 100 100
! All Q1 (PQ) Thresholds are set to 100%
cr22-3750-LB(config)#mls qos queue-set output 1 threshold 2 80 90 100 400
! Q2T1 is set to 80%, Q2T2 is set to 90%,
! Q2 Reserve Threshold is set to 100%,
! Q2 Maximum (Overflow) Threshold is set to 400%
cr22-3750-LB(config)#mls qos queue-set output 1 threshold 3 100 100 100 400
! Q3T1 is set to 100%, as all packets are marked the same weight in Q3
! Q3 Reserve Threshold is set to 100%,
! Q3 Maximum (Overflow) Threshold is set to 400%
cr22-3750-LB(config)#mls qos queue-set output 1 threshold 4 60 100 100 400
! Q4T1 is set to 60%, Q4T2 is set to 100%
! Q4 Reserve Threshold is set to 100%,
! Q4 Maximum (Overflow) Threshold is set to 400%
cr22-3750-LB(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 32 40 46
! DSCP CS4, CS5 and EF are mapped to egress Q1T3 (tail of the PQ)
cr22-3750-LB(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 16 18 20 22
! DSCP CS2 and AF2 are mapped to egress Q2T1
cr22-3750-LB(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 26 28 30 34 36 38
! DSCP AF3 and AF4 are mapped to egress Q2T1

cr22-3750-LB(config)#mls qos srr-queue output dscp-map queue 2 threshold 2 24
! DSCP CS3 is mapped to egress Q2T2
cr22-3750-LB(config)#mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
! DSCP CS6 and CS7 are mapped to egress Q2T3
cr22-3750-LB(config)#mls qos srr-queue output dscp-map queue 3 threshold 3 0
! DSCP DF is mapped to egress Q3T3 (tail of the best effort queue)
cr22-3750-LB(config)#mls qos srr-queue output dscp-map queue 4 threshold 1 8
! DSCP CS1 is mapped to egress Q4T1
cr22-3750-LB(config)# mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
! DSCP AF1 is mapped to Q4T2 (tail of the less-than-best-effort queue)
! This section configures edge and uplink port interfaces with common egress queuing parameters
cr22-3750-LB(config)#interface range GigabitEthernet1/0/1-48
cr22-3750-LB(config-if-range)# queue-set 1
! The interface(s) is assigned to queue-set 1
cr22-3750-LB(config-if-range)# srr-queue bandwidth share 1 30 35 5
! The SRR sharing weights are set to allocate 30% BW to Q2,
! 35% BW to Q3 and 5% BW to Q4
! Q1 SRR sharing weight is ignored, as it will be configured as a PQ
cr22-3750-LB(config-if-range)# priority-queue out
! Q1 is enabled as a strict priority queue

cr22-3750-LB#show mls qos interface GigabitEthernet1/0/27 queueing
GigabitEthernet1/0/27
Egress Priority Queue : enabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 1 30 35 5
The port bandwidth limit : 100 (Operational Bandwidth:100.0)
The port is mapped to qset : 1

• Catalyst 4500-E Sup6E and Sup6L-E Egress QoS

The enterprise-class 4500-E switch with the next-generation supervisor hardware architecture is designed to offer better egress QoS techniques, capabilities and flexibility, providing a well-diversified queuing structure for multiple class-of-service traffic types. Deploying the next-generation Sup-6E and Sup6L-E in the campus network provides more QoS granularity to map the 8 traffic classes to hardware-based egress queues, as illustrated in Figure 2-59.

Figure 2-59 8 Class-of-Service Egress Bandwidth Allocations

The Cisco Catalyst 4500-E Sup-6E and Sup6L-E supervisors support a platform-specific congestion avoidance algorithm to provide Active Queue Management (AQM), namely Dynamic Buffer Limiting (DBL). DBL tracks the queue length for each traffic flow in the switch. When the queue length of a flow exceeds its limit, DBL drops packets or sets the Explicit Congestion Notification (ECN) bits in the TCP

packet headers. Implementing QoS policies on the Sup-6E-based Catalyst 4500 platform follows the IOS (MQC) based configuration model instead of the Catalyst OS-based QoS model. To take advantage of hardware-based egress QoS, the queuing function using MQC must be applied to each member link of the EtherChannel interface. Therefore, load-sharing egress per-flow traffic across EtherChannel links offers the advantage of optimally using the distributed hardware resources.

The recommended DSCP markings for each traffic class can be classified in a different class-map for the egress QoS functions. With 8 egress (1P7Q1T) queues and DBL capability in the Sup-6E-based supervisor, the bandwidth distribution for the different classes changes. Figure 2-60 provides the new recommended bandwidth allocation.

Figure 2-60 1P7Q1T Egress QoS Model on Catalyst 4500-E with Sup6E and Sup6L-E (+DBL): Priority Queue (30%) carries EF, CS5 and CS4; Q7 (10%) carries CS7 & CS6 and CS3 & CS2; Q6 (10%) carries AF4; Q5 (10%) carries AF3; Q4 (10%) carries AF2; Q3 (4%) carries AF1; Q2 (1%) carries CS1; Q1 (25%) carries DF.

The QoS architecture and implementation procedure are identical between the Sup-6E and Sup6L-E modules. Based on Figure 2-60, the following configuration uses the new egress policy-map with the queuing and DBL functions implemented on the Catalyst 4500-E deployed with a Sup6E or Sup6L-E supervisor module. All network edge ports and core-facing uplink ports must use a common egress policy-map.

• Catalyst 4500 Sup-6E and Sup6L-E (MultiLayer and Routed-Access)

! Creating a class-map for each class using match dscp statements, as marked by the edge systems
cr22-4507-LB(config)#class-map match-all PRIORITY-QUEUE
cr22-4507-LB(config-cmap)# match dscp ef
cr22-4507-LB(config-cmap)# match dscp cs5
cr22-4507-LB(config-cmap)# match dscp cs4
cr22-4507-LB(config-cmap)#class-map match-all CONTROL-MGMT-QUEUE
cr22-4507-LB(config-cmap)# match dscp cs7
cr24-4507-LB(config-cmap)# match dscp cs6
cr24-4507-LB(config-cmap)# match dscp cs3
cr24-4507-LB(config-cmap)# match dscp cs2

Ten Gi1/1 . Ten5/4. it is recommended to implement an additional policy-map to rate-limit the priority class traffic and must be attached on the EtherChannel to govern the aggregated egress traffic limits. Ten5/1 . Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services cr24-4507-LB(config-cmap)#class-map match-all MULTIMEDIA-CONFERENCING-QUEUE cr24-4507-LB(config-cmap)# match dscp af41 af42 af43 cr24-4507-LB(config-cmap)#class-map match-all MULTIMEDIA-STREAMING-QUEUE cr24-4507-LB(config-cmap)# match dscp af31 af32 af33 cr24-4507-LB(config-cmap)#class-map match-all TRANSACTIONAL-DATA-QUEUE cr24-4507-LB(config-cmap)# match dscp af21 af22 af23 cr24-4507-LB(config-cmap)#class-map match-all BULK-DATA-QUEUE cr24-4507-LB(config-cmap)# match dscp af11 af12 af13 cr24-4507-LB(config-cmap)#class-map match-all SCAVENGER-QUEUE cr24-4507-LB(config-cmap)# match dscp cs1 ! Creating policy-map and configure queueing for class-of-service cr22-4507-LB(config)#policy-map EGRESS-POLICY cr22-4507-LB(config-pmap)# class PRIORITY-QUEUE cr22-4507-LB(config-pmap-c)# priority cr22-4507-LB(config-pmap-c)# class CONTROL-MGMT-QUEUE cr22-4507-LB(config-pmap-c)# bandwidth remaining percent 10 cr22-4507-LB(config-pmap-c)# class MULTIMEDIA-CONFERENCING-QUEUE cr22-4507-LB(config-pmap-c)# bandwidth remaining percent 10 cr22-4507-LB(config-pmap-c)# class MULTIMEDIA-STREAMING-QUEUE cr22-4507-LB(config-pmap-c)# bandwidth remaining percent 10 cr22-4507-LB(config-pmap-c)# class TRANSACTIONAL-DATA-QUEUE cr22-4507-LB(config-pmap-c)# bandwidth remaining percent 10 cr22-4507-LB(config-pmap-c)# dbl cr22-4507-LB(config-pmap-c)# class BULK-DATA-QUEUE cr22-4507-LB(config-pmap-c)# bandwidth remaining percent 4 cr22-4507-LB(config-pmap-c)# dbl cr22-4507-LB(config-pmap-c)# class SCAVENGER-QUEUE cr22-4507-LB(config-pmap-c)# bandwidth remaining percent 1 cr22-4507-LB(config-pmap-c)# class class-default cr22-4507-LB(config-pmap-c)# bandwidth remaining 
percent 25 cr22-4507-LB(config-pmap-c)# dbl ! Attaching egress service-policy on all physical member-link ports cr24-4507-DO(config)#int range Ten3/1 . To mitigate this challenge. Te4/1 . The hardware-based priority-queue implementation on the Catalyst 4500-E does not support a built-in policer to restrict traffic during network congestion. The following additional policy-map must be created to classify priority-queue class traffic and rate-limit up to 30 percent egress link capacity: cr22-4507-LB(config)#class-map match-any PRIORITY-QUEUE cr22-4507-LB (config-cmap)# match dscp ef cr22-4507-LB (config-cmap)# match dscp cs5 cr22-4507-LB (config-cmap)# match dscp cs4 cr22-4507-LB (config)#policy-map PQ-POLICER cr22-4507-LB (config-pmap)# class PRIORITY-QUEUE cr22-4507-LB (config-pmap-c)# police cir 300 m conform-action transmit exceed-action drop cr22-4507-LB (config)#interface range Port-Channel 1 cr22-4507-LB (config-if-range)#service-policy output PQ-POLICER Medium Enterprise Design Profile Reference Guide 2-104 .6 cr24-4507-DO(config-if-range)# service-policy output EGRESS-POLICY Policing Priority-Queue EtherChannel is an aggregated logical bundle of interfaces that do not perform queuing and rely on individual member-links to queue egress traffic by using hardware-based queuing.

Table 2-7 Summarized Access-Layer Ingress QoS Deployment Guidelines

End-Point                            | Trust Model           | Ingress DSCP Trust    | Classification | Marking | Policing | Queuing (1)
Unmanaged devices, printers etc      | UnTrusted             | Don't Trust (Default) | None           | None    | Yes      | Yes
Managed secured devices, Servers etc | Trusted               | Trust                 | 8 Class        | Yes     | Yes      | Yes
Phone                                | Trusted               | Trust                 | Yes            | Yes     | Yes      | Yes
Phone + Mobile PC                    | Conditionally-Trusted | Trust                 | Yes            | Yes     | Yes      | Yes
IP Video Surveillance Camera         | Trusted               | Trust                 | No             | No      | No       | Yes
Digital Media Player                 | Trusted               | Trust                 | No             | No      | No       | Yes
Core facing Uplinks                  | Trusted               | Trust                 | No             | No      | No       | Yes
1. Catalyst 29xx and 3xxx only

Table 2-8 Summarized Access-Layer Egress QoS Deployment Guidelines

End-Point                            | Trust Model           | Classification / Marking / Policing | Egress Queuing | Bandwidth Share
Unmanaged devices, printers etc      | UnTrusted             | None                                | Yes            | Yes
Managed secured devices, Servers etc | Trusted               | None                                | Yes            | Yes
Phone                                | Trusted               | None                                | Yes            | Yes
Phone + Mobile PC                    | Conditionally-Trusted | None                                | Yes            | Yes
IP Video Surveillance Camera         | Trusted               | None                                | Yes            | Yes
Digital Media Player                 | Trusted               | None                                | Yes            | Yes
Core facing Uplinks                  | Trusted               | Yes (PQ Policer)                    | Yes            | Yes

Deploying Network-Layer QoS

Campus network systems at the main site and remote campus are managed and maintained by the enterprise IT administration to provide key network foundation services such as routing, switching, QoS, and virtualization. In a best practice network environment, these systems must be implemented with the recommended configuration to provide differentiated network services on a per-hop basis. To allow for consistent application delivery through the network, it is recommended to implement bidirectional QoS policies on distribution and core layer systems.

QoS Trust Boundary

All medium enterprise IT managed campus LAN and WAN network systems can be classified as trusted devices and must follow the same QoS best practices recommended in the previous subsection. It is recommended to avoid deploying trusted or untrusted endpoints directly on the campus distribution and core layer systems. Based on the global network QoS policy, each class-of-service application gets common treatment. Independent of enterprise network tier—LAN/WAN, platform type and their capabilities—each device in the network will protect service quality and enable communication across the network without degrading the application performance.

The next-generation Cisco Catalyst access-layer platform must be deployed with more application awareness and intelligence at the network edge. Cisco Catalyst access-layer switches must classify the application and device type and mark the DSCP value based on the trust model, with deep packet inspection using access-lists (ACL) or protocol-based device discovery; therefore, there is no need to reclassify the same class-of-service at the campus distribution and core layer. The campus distribution and core layers can trust DSCP markings from the access layer and provide QoS transparency without modifying the original parameters unless the network is congested. Based on the simplified internal network trust model, the ingress QoS configuration also becomes simpler and more manageable.

Implementing Network-Layer Ingress QoS

As described earlier, the internal campus core network must be considered to be trusted. The campus core and distribution network devices should rely on the access-layer switches to implement QoS classification and marking based on the wide range of applications and IP-based devices deployed at the network edge. This medium enterprise LAN network design recommends deploying a broad range of Layer-3 Catalyst switching platforms in the campus distribution and core layer. As mentioned in the previous section, the hardware architecture of each switching platform is different, based on the platform capabilities and resources. This will change how each class-of-service traffic is handled in the different directions: ingress, switching fabric, and egress. This subsection provides common ingress QoS deployment guidelines for the campus distribution and core for all locations:

QoS Trust Mode

As described earlier, the distribution and core network must be deployed to trust incoming pre-marked DSCP traffic from the downstream Layer 2 or Layer 3 network device. To provide consistent and differentiated QoS services on a per-hop basis across the network, the Catalyst 4500-E deployed with either a Sup6E or Sup6L-E supervisor module in the distribution or core layer automatically sets the physical ports in trust mode. The Catalyst 4500-E by default performs DSCP-CoS or CoS-DSCP mappings to transmit traffic transparently without any QoS bit rewrites. However, the default QoS function on campus distribution or core platforms like the Catalyst 3750-X and 6500-E Series switches is disabled. The network administrator must manually enable QoS globally on the switch and explicitly enable DSCP trust mode on each logical EtherChannel and each member-link interface connected to upstream and downstream devices. The distribution layer QoS trust configuration is the same for a multilayer or routed-access deployment. The following sample QoS configuration must be enabled on all the distribution and core layer switches deployed in the campus LAN network.

Distribution-Layer Catalyst 3750-X and 6500-E
• 3750-X and 6500-E (Multilayer or Routed Access)

cr22-6500-LB(config)#mls qos
cr22-6500-LB#show mls qos
QoS is enabled globally
…

Implement DSCP Trust Mode
• Catalyst 6500-E (Multilayer or Routed Access)

cr22-6500-LB(config)#interface Port-channel100
cr22-6500-LB(config-if)# description Connected to cr22-4507-LB
cr22-6500-LB(config-if)# mls qos trust dscp

Catalyst 6500-E will automatically replicate the "mls qos trust dscp" command from the port-channel interface to each bundled member-link.

cr22-6500-LB#show queueing interface Ten1/1/2 | inc QoS|Trust
Port QoS is enabled
Trust boundary disabled
Trust state: trust DSCP

• Catalyst 3750-X (Multilayer or Routed Access)

Catalyst 3750-X does not support the mls qos trust dscp command on the port-channel interface; therefore, the network administrator must apply this command on each bundled member-link.

cr36-3750x-xSB(config)#interface range Ten1/0/1 - 2 , Ten2/0/1 - 2
cr36-3750x-xSB(config-if-range)# description Connected to cr23-VSS-Core
cr36-3750x-xSB(config-if-range)# mls qos trust dscp
cr36-3750x-xSB#show mls qos interface Ten1/0/1
TenGigabitEthernet1/0/1
trust state: trust dscp
trust mode: trust dscp
…

Applying Ingress Queuing

When Cisco Catalyst 3750-X and 6500-E switching platforms receive various class-of-service requests from different physical ports, then depending on the DSCP and CoS markings they can queue the traffic prior to sending it to the switching fabric in a FIFO manner. The Cisco Catalyst 4500-E deployed with a Sup6E or a Sup6L-E supervisor module does not support ingress queuing. Both Catalyst platforms support up to two ingress queues but how they are implemented differs. For consistent QoS within the campus network, the core and access layers should map DSCP-marked traffic into ingress queues the same way.

Implementing Catalyst 3750-X Ingress Queuing

The ingress queuing function in the distribution-layer Catalyst 3750-X StackWise Plus must be deployed to differentiate and place the normal versus high-priority class traffic in separate ingress queues before forwarding it to the switching fabric. Refer to the "Applying Ingress Queuing" section on page 2-97 for implementation detail.

Implementing Catalyst 6500-E Ingress Queuing

There are two main considerations relevant to ingress queuing design on the Catalyst 6500/6500-E:
• The degree of oversubscription (if any) of the linecard
• Whether the linecard requires trust-CoS to be enabled to engage ingress queuing

Some linecards may be designed to support a degree of oversubscription that theoretically offers more traffic to the linecard than the sum of all GE/10GE switch ports that can collectively access the switching backplane at once. Since such a scenario is extremely unlikely, it is often more cost-effective to use linecards that have a degree of oversubscription within the campus network. However, if this design choice has been made, it is important for network administrators to recognize the potential for drops due to oversubscribed linecard architectures. To manage application-class service levels during such extreme scenarios, ingress queuing models may be enabled.

While the presence of oversubscribed linecard architectures may be viewed as the sole consideration as to enabling ingress queuing or not, a second important consideration is that many Catalyst 6500-E linecards only support CoS-based ingress queuing models, which reduces classification and marking granularity—limiting the administrator to an 8-class 802.1Q/p model. Once CoS is trusted, DSCP values are overwritten (via the CoS-to-DSCP mapping table) and application classes sharing the same CoS values are no longer distinguishable from one another. Therefore, given this classification and marking limitation and the fact that the value of enabling ingress queuing is only achieved in extremely rare scenarios, it is not recommended to enable CoS-based ingress queuing on the Catalyst 6500-E; rather, limit such linecards and deploy either non-oversubscribed linecards and/or linecards supporting DSCP-based queuing at the distribution and core layers of the campus network.

Table 2-9 summarizes the recommended linecard considerations by listing oversubscription ratios and whether the ingress queuing models are CoS or DSCP-based.

Table 2-9 Catalyst 6500-E Switch Module Ingress Queuing Architecture

Switch Module                  | Maximum Input | Maximum Output (To Backplane) | Oversubscription Ratio | Ingress Queuing Structure | Ingress Queuing CoS / DSCP Based | Ingress Queuing Recommendations
WS-6724-SFP (24 x GE ports)    | 24 Gbps       | 40 Gbps (2 x 20 Gbps)         | -                      | 1P3Q8T                    | CoS based                        | Not Required
WS-6704-10GE (4 x 10GE ports)  | 40 Gbps       | 40 Gbps (2 x 20 Gbps)         | -                      | 8Q8T                      | CoS or DSCP based                | Not Required
WS-6708-10GE (8 x 10GE ports)  | 80 Gbps       | 40 Gbps (2 x 20 Gbps)         | 2:1                    | 8Q4T                      | CoS or DSCP based                | Use DSCP-based 8Q4T ingress queuing
WS-6716-10GE (16 x 10GE ports) | 160 Gbps      | 40 Gbps (2 x 20 Gbps)         | 4:1                    | 8Q4T / 1P7Q2T*            | CoS or DSCP based                | Use DSCP-based 1P7Q2T ingress queuing

Note The Catalyst WS-X6716-10GE can be configured to operate in Performance Mode (with an 8Q4T ingress queuing structure) or in Oversubscription Mode (with a 1P7Q2T ingress queuing structure). In Performance mode, only one port in every group of four is operational (while the rest are administratively shut down), which eliminates any oversubscription on this linecard and as such ingress queuing is not required (as only 4 x 10GE ports are active in this mode and the backplane access rate is also at 40 Gbps). In Oversubscription Mode (the default mode), all ports are operational and the maximum oversubscription ratio is 4:1. Therefore, it is recommended to enable 1P7Q2T DSCP-based ingress queuing on this linecard in Oversubscription Mode. Additional details on these WS-X6716-10GE operational modes can be found at the following URL: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/qa_cisco_catalyst_6500_series_16port_10gigabit_ethernet_module.html

If 6708 and 6716 linecards (with the latter operating in oversubscription mode) are used in the distribution and core layers of the campus network, then 8Q4T DSCP-based ingress queuing and 1P7Q2T DSCP-based ingress queuing (respectively) are recommended to be enabled. These queuing models are detailed in the following sections.

Figure 2-61 depicts how different class-of-service applications are mapped to the Ingress Queue structure (8Q4T) and how each queue is assigned a different WTD threshold.

Figure 2-61 Catalyst 6500-E Ingress Queuing Model
[Figure: columns Application, PHB, Ingress Queue 1P7Q4T. VoIP (EF), Broadcast Video (CS5) and Realtime Interactive (CS4) map to the priority queue Q8 (30%); Network Control (CS7), Internetwork Control (CS6), Signaling (CS3) and Network Management (CS2) to Q7 (10%); Multimedia Conferencing (AF4) to Q6 (10%); Multimedia Streaming (AF3) to Q5 (10%); Transactional Data (AF2) to Q4 (10%); Bulk Data (AF1) to Q3 (4%); Scavenger (CS1) to the 1% queue; Best Effort (DF) to the 25% queue.]

The corresponding configuration for 8Q4T (DSCP-to-Queue) ingress queuing on a Catalyst 6500-E VSS in the distribution and core layer is shown below. The PFC function is active on both the active and hot-standby virtual-switch nodes; therefore, ingress queuing must be configured on each distributed member-link of the Layer 2 or Layer 3 MEC.

• Distribution and Core-Layer Catalyst 6500-E in VSS mode

! This section configures the port for DSCP-based ingress queuing
cr22-vss-core(config)#interface range TenGigabitEthernet 1/1/2 - 8 , 2/1/2 - 8
cr22-vss-core(config-if-range)# mls qos queue-mode mode-dscp
! Enables DSCP-to-Queue mapping

! This section configures the receive queue BW and limits
cr22-vss-core(config-if-range)# rcv-queue queue-limit 10 25 10 10 10 10 10 15
! Allocates 10% to Q1, 25% to Q2, 10% to Q3, 10% to Q4,
! 10% to Q5, 10% to Q6, 10% to Q7 and 15% to Q8
cr22-vss-core(config-if-range)# rcv-queue bandwidth 1 25 4 10 10 10 10 30
! Allocates 1% BW to Q1, 25% BW to Q2, 4% BW to Q3, 10% BW to Q4,
! 10% BW to Q5, 10% BW to Q6, 10% BW to Q7 & 30% BW to Q8

! This section enables WRED on all queues except Q8
cr22-vss-core(config-if-range)# rcv-queue random-detect 1
! Enables WRED on Q1
cr22-vss-core(config-if-range)# rcv-queue random-detect 2
! Enables WRED on Q2
cr22-vss-core(config-if-range)# rcv-queue random-detect 3
! Enables WRED on Q3
cr22-vss-core(config-if-range)# rcv-queue random-detect 4
! Enables WRED on Q4
cr22-vss-core(config-if-range)# rcv-queue random-detect 5
! Enables WRED on Q5
cr22-vss-core(config-if-range)# rcv-queue random-detect 6
! Enables WRED on Q6
cr22-vss-core(config-if-range)# rcv-queue random-detect 7
! Enables WRED on Q7
cr22-vss-core(config-if-range)# no rcv-queue random-detect 8
! Disables WRED on Q8

! This section configures WRED thresholds for Queues 1 through 7
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 1 100 100 100 100
! Sets all WRED max thresholds on Q1 to 100%
cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 1 80 100 100 100
! Sets Q1T1 min WRED threshold to 80%
cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 2 80 100 100 100
! Sets Q2T1 min WRED threshold to 80%
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 2 100 100 100 100
! Sets all WRED max thresholds on Q2 to 100%

cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 3 70 80 90 100
! Sets WRED min thresholds for Q3T1, Q3T2, Q3T3 to 70 %, 80% and 90%
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 3 80 90 100 100
! Sets WRED max thresholds for Q3T1, Q3T2, Q3T3 to 80%, 90% and 100%
cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 4 70 80 90 100
! Sets WRED min thresholds for Q4T1, Q4T2, Q4T3 to 70 %, 80% and 90%
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 4 80 90 100 100
! Sets WRED max thresholds for Q4T1, Q4T2, Q4T3 to 80%, 90% and 100%
cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 5 70 80 90 100
! Sets WRED min thresholds for Q5T1, Q5T2, Q5T3 to 70 %, 80% and 90%
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 5 80 90 100 100
! Sets WRED max thresholds for Q5T1, Q5T2, Q5T3 to 80%, 90% and 100%
cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 6 70 80 90 100
! Sets WRED min thresholds for Q6T1, Q6T2, Q6T3 to 70 %, 80% and 90%
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 6 80 90 100 100
! Sets WRED max thresholds for Q6T1, Q6T2, Q6T3 to 80%, 90% and 100%
cr22-vss-core(config-if-range)# rcv-queue random-detect min-threshold 7 60 70 80 90
! Sets WRED min thresholds for Q7T1, Q7T2, Q7T3 and Q7T4
! to 60%, 70%, 80% and 90%, respectively
cr22-vss-core(config-if-range)# rcv-queue random-detect max-threshold 7 70 80 90 100
! Sets WRED max thresholds for Q7T1, Q7T2, Q7T3 and Q7T4
! to 70%, 80%, 90% and 100%, respectively

! This section configures the DSCP-to-Receive-Queue mappings
cr22-vss-core(config-if-range)# rcv-queue dscp-map 1 1 8
! Maps CS1 (Scavenger) to Q1T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 2 1 0
! Maps DF (Best Effort) to Q2T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 3 1 14
! Maps AF13 (Bulk Data-Drop Precedence 3) to Q3T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 3 2 12
! Maps AF12 (Bulk Data-Drop Precedence 2) to Q3T2
cr22-vss-core(config-if-range)# rcv-queue dscp-map 3 3 10
! Maps AF11 (Bulk Data-Drop Precedence 1) to Q3T3
cr22-vss-core(config-if-range)# rcv-queue dscp-map 4 1 22
! Maps AF23 (Transactional Data-Drop Precedence 3) to Q4T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 4 2 20
! Maps AF22 (Transactional Data-Drop Precedence 2) to Q4T2
cr22-vss-core(config-if-range)# rcv-queue dscp-map 4 3 18
! Maps AF21 (Transactional Data-Drop Precedence 1) to Q4T3

cr22-vss-core(config-if-range)# rcv-queue dscp-map 5 1 30
! Maps AF33 (Multimedia Streaming-Drop Precedence 3) to Q5T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 5 2 28
! Maps AF32 (Multimedia Streaming-Drop Precedence 2) to Q5T2
cr22-vss-core(config-if-range)# rcv-queue dscp-map 5 3 26
! Maps AF31 (Multimedia Streaming-Drop Precedence 1) to Q5T3
cr22-vss-core(config-if-range)# rcv-queue dscp-map 6 1 38
! Maps AF43 (Multimedia Conferencing-Drop Precedence 3) to Q6T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 6 2 36
! Maps AF42 (Multimedia Conferencing-Drop Precedence 2) to Q6T2
cr22-vss-core(config-if-range)# rcv-queue dscp-map 6 3 34
! Maps AF41 (Multimedia Conferencing-Drop Precedence 1) to Q6T3
cr22-vss-core(config-if-range)# rcv-queue dscp-map 7 1 16
! Maps CS2 (Network Management) to Q7T1
cr22-vss-core(config-if-range)# rcv-queue dscp-map 7 2 24
! Maps CS3 (Signaling) to Q7T2
cr22-vss-core(config-if-range)# rcv-queue dscp-map 7 3 48
! Maps CS6 (Internetwork Control) to Q7T3
cr22-vss-core(config-if-range)# rcv-queue dscp-map 7 4 56
! Maps CS7 (Network Control) to Q7T4
cr22-vss-core(config-if-range)# rcv-queue dscp-map 8 4 32 40 46
! Maps CS4 (Realtime Interactive), CS5 (Broadcast Video),
! and EF (VoIP) to Q8

cr23-VSS-Core#show queueing interface Ten1/1/2 | begin Rx
Queueing Mode In Rx direction: mode-dscp
Receive queues [type = 8q4t]:
Queue Id Scheduling Num of thresholds
-----------------------------------------
01 WRR 04
02 WRR 04
03 WRR 04
04 WRR 04
05 WRR 04
06 WRR 04
07 WRR 04
08 WRR 04

WRR bandwidth ratios: 1[queue 1] 25[queue 2] 4[queue 3] 10[queue 4] 10[queue 5] 10[queue 6] 10[queue 7] 30[queue 8]
queue-limit ratios: 10[queue 1] 25[queue 2] 10[queue 3] 10[queue 4] 10[queue 5] 10[queue 6] 10[queue 7] 15[queue 8]

queue tail-drop-thresholds
--------------------------
1 70[1] 80[2] 90[3] 100[4]
2 100[1] 100[2] 100[3] 100[4]
3 100[1] 100[2] 100[3] 100[4]
4 100[1] 100[2] 100[3] 100[4]
5 100[1] 100[2] 100[3] 100[4]
6 100[1] 100[2] 100[3] 100[4]
7 100[1] 100[2] 100[3] 100[4]
8 100[1] 100[2] 100[3] 100[4]

queue random-detect-min-thresholds
----------------------------------
1 80[1] 100[2] 100[3] 100[4]
2 80[1] 100[2] 100[3] 100[4]
3 70[1] 80[2] 90[3] 100[4]
4 70[1] 80[2] 90[3] 100[4]
5 70[1] 80[2] 90[3] 100[4]
6 70[1] 80[2] 90[3] 100[4]
7 60[1] 70[2] 80[3] 90[4]
8 100[1] 100[2] 100[3] 100[4]

queue random-detect-max-thresholds
----------------------------------
1 100[1] 100[2] 100[3] 100[4]
2 100[1] 100[2] 100[3] 100[4]
3 80[1] 90[2] 100[3] 100[4]
4 80[1] 90[2] 100[3] 100[4]
5 80[1] 90[2] 100[3] 100[4]
6 80[1] 90[2] 100[3] 100[4]
7 70[1] 80[2] 90[3] 100[4]
8 100[1] 100[2] 100[3] 100[4]

WRED disabled queues: 8

queue thresh dscp-map
---------------------------------------
1 1 1 2 3 4 5 6 7 8 9 11 13 15 17 19 21 23 25 27 29 31 33 39 41 42 43 44 45 47
1 2
1 3
1 4
2 1 0
2 2
2 3
2 4
3 1 14
3 2 12
3 3 10
3 4
4 1 22
4 2 20
4 3 18
4 4
5 1 30 35 37
5 2 28
5 3 26
5 4
6 1 38 49 50 51 52 53 54 55 57 58 59 60 61 62 63
6 2 36
6 3 34
6 4
7 1 16
7 2 24
7 3 48
7 4 56
8 1
8 2
8 3
8 4 32 40 46

Packets dropped on Receive:
BPDU packets: 0

queue dropped [dscp-map]
---------------------------------------------
1 0 [1 2 3 4 5 6 7 8 9 11 13 15 17 19 21 23 25 27 29 31 33 39 41 42 43 44 45 47 ]
2 0 [0 ]
3 0 [14 12 10 ]
4 0 [22 20 18 ]
5 0 [30 35 37 28 26 ]
6 0 [38 49 50 51 52 53 54 55 57 58 59 60 61 62 63 36 34 ]
7 0 [16 24 48 56 ]
8 0 [32 40 46 ]
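
Because the 8Q4T rcv-queue statements above must be repeated on every MEC member-link, a drift in one queue-limit, threshold or DSCP-map line is easy to miss in the show queueing output. The following Python script is an added example, not code from the Cisco guide: it parses a constructed copy of the rcv-queue statements (prompts stripped) and reports any deviation from the intended queue model of Figure 2-61, including the AF drop-precedence-to-threshold ordering.

```python
"""Audit of the Catalyst 6500-E 8Q4T ingress queuing configuration shown above.
Added example, not code from the Cisco guide: parses rcv-queue statements and
checks totals, WRED thresholds and the DSCP-to-queue map against Figure 2-61."""
import re

# Constructed sample: the rcv-queue statements from the configuration above with the
# cr22-vss-core(config-if-range)# prompt removed; the identical Q3-Q6 lines are generated.
SAMPLE_CONFIG = "\n".join(
    ["rcv-queue queue-limit 10 25 10 10 10 10 10 15",
     "rcv-queue bandwidth 1 25 4 10 10 10 10 30"]
    + [f"rcv-queue random-detect {q}" for q in range(1, 8)]
    + ["no rcv-queue random-detect 8",
       "rcv-queue random-detect min-threshold 1 80 100 100 100",
       "rcv-queue random-detect max-threshold 1 100 100 100 100",
       "rcv-queue random-detect min-threshold 2 80 100 100 100",
       "rcv-queue random-detect max-threshold 2 100 100 100 100"]
    + [f"rcv-queue random-detect min-threshold {q} 70 80 90 100" for q in range(3, 7)]
    + [f"rcv-queue random-detect max-threshold {q} 80 90 100 100" for q in range(3, 7)]
    + ["rcv-queue random-detect min-threshold 7 60 70 80 90",
       "rcv-queue random-detect max-threshold 7 70 80 90 100",
       "rcv-queue dscp-map 1 1 8",   # CS1 (Scavenger) -> Q1T1
       "rcv-queue dscp-map 2 1 0",   # DF (Best Effort) -> Q2T1
       "rcv-queue dscp-map 3 1 14", "rcv-queue dscp-map 3 2 12", "rcv-queue dscp-map 3 3 10",
       "rcv-queue dscp-map 4 1 22", "rcv-queue dscp-map 4 2 20", "rcv-queue dscp-map 4 3 18",
       "rcv-queue dscp-map 5 1 30", "rcv-queue dscp-map 5 2 28", "rcv-queue dscp-map 5 3 26",
       "rcv-queue dscp-map 6 1 38", "rcv-queue dscp-map 6 2 36", "rcv-queue dscp-map 6 3 34",
       "rcv-queue dscp-map 7 1 16", "rcv-queue dscp-map 7 2 24",
       "rcv-queue dscp-map 7 3 48", "rcv-queue dscp-map 7 4 56",
       "rcv-queue dscp-map 8 4 32 40 46"]  # CS4, CS5, EF -> Q8 (priority)
)

# Intended receive queue per PHB, taken from Figure 2-61.
INTENDED_QUEUE = {"CS1": 1, "DF": 2, "AF11": 3, "AF12": 3, "AF13": 3,
                  "AF21": 4, "AF22": 4, "AF23": 4, "AF31": 5, "AF32": 5, "AF33": 5,
                  "AF41": 6, "AF42": 6, "AF43": 6, "CS2": 7, "CS3": 7, "CS6": 7,
                  "CS7": 7, "CS4": 8, "CS5": 8, "EF": 8}


def dscp_value(name):
    """Numeric DSCP for a PHB name: DF=0, EF=46, CSn=8n, AFxy=8x+2y."""
    if name in ("DF", "EF"):
        return {"DF": 0, "EF": 46}[name]
    m = re.fullmatch(r"(CS|AF)(\d)(\d)?", name)
    return 8 * int(m.group(2)) + 2 * int(m.group(3) or 0)


def parse_rcv_queue(text):
    """Collect rcv-queue statements into a dict; unrelated lines are ignored."""
    cfg = {"queue_limit": [], "bandwidth": [], "wred": set(),
           "min": {}, "max": {}, "dscp_map": {}}
    for raw in text.splitlines():
        words = raw.split()
        negated = words[:1] == ["no"]
        words = words[1:] if negated else words
        if len(words) < 3 or words[0] != "rcv-queue":
            continue
        if words[1] in ("queue-limit", "bandwidth"):
            cfg[words[1].replace("-", "_")] = [int(v) for v in words[2:]]
        elif words[1] == "random-detect" and len(words) == 3:   # WRED on/off per queue
            (cfg["wred"].discard if negated else cfg["wred"].add)(int(words[2]))
        elif words[1] == "random-detect":   # min-/max-threshold <queue> t1 t2 t3 t4
            cfg[words[2][:3]][int(words[3])] = [int(v) for v in words[4:]]
        elif words[1] == "dscp-map":        # dscp-map <queue> <threshold> dscp...
            for dscp in words[4:]:
                cfg["dscp_map"][int(dscp)] = (int(words[2]), int(words[3]))
    return cfg


def audit(text, intended=INTENDED_QUEUE):
    """Return the list of deviations from the intended 8Q4T model (empty = OK)."""
    cfg = parse_rcv_queue(text)
    issues = []
    for key in ("queue_limit", "bandwidth"):
        if len(cfg[key]) != 8 or sum(cfg[key]) != 100:
            issues.append(f"{key}: expected 8 queue values summing to 100")
    if cfg["wred"] != set(range(1, 8)):
        issues.append("WRED should be enabled on Q1-Q7 only; Q8 is the priority queue")
    for q, lo in sorted(cfg["min"].items()):
        hi = cfg["max"].get(q, [100] * len(lo))
        if lo != sorted(lo) or hi != sorted(hi) or any(a > b for a, b in zip(lo, hi)):
            issues.append(f"Q{q}: WRED thresholds must be non-decreasing with min <= max")
    for name, queue in intended.items():
        got = cfg["dscp_map"].get(dscp_value(name))
        if got is None or got[0] != queue:
            issues.append(f"{name}: expected Q{queue}, configured {got}")
    # Within an AF class the higher drop precedence must sit on a lower threshold
    # (AFx3 -> T1, AFx2 -> T2, AFx1 -> T3) so that WRED drops it first.
    for cls in range(1, 5):
        thr = [cfg["dscp_map"].get(dscp_value(f"AF{cls}{dp}"), (0, 0))[1] for dp in (1, 2, 3)]
        if not thr[0] > thr[1] > thr[2]:
            issues.append(f"AF{cls}x: drop precedences 3, 2, 1 should use ascending thresholds")
    return issues


if __name__ == "__main__":
    problems = audit(SAMPLE_CONFIG)
    print("OK: configuration matches the intended 8Q4T model" if not problems else "\n".join(problems))
```

Feeding the script the running configuration of each member-link (with prompts stripped) turns the per-link repetition into a mechanical check.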

Implementing Network Core Egress QoS

The QoS implementation of egress traffic towards network edge devices on access-layer switches is much
simpler than that of ingress traffic, which requires stringent QoS policies to provide differentiated
services and network bandwidth protection. Unlike the ingress QoS model, the egress QoS model must
provide optimal queuing policies for each class and set the drop thresholds to prevent network congestion
and application performance impact. With egress queuing in DSCP mode, the Cisco Catalyst switching
platforms and linecards are bounded by a limited number of egress hardware queues.

Catalyst 3750-X and 4500-E
The configuration and implementation guidelines for egress QoS on the Catalyst 3750-X StackWise and the
Catalyst 4500-E with Sup6E and Sup6L-E are the same in the distribution and access-layer roles. All
conformed traffic marked with DSCP values must be manually assigned to each egress queue based on
a four class-of-service QoS model. Refer to the "Implementing Access-Layer Egress QoS" section on
page 2-99 for the deployment details.

Catalyst 6500-E – VSS
The Cisco Catalyst 6500-E in VSS mode operates in a centralized management mode but uses a
distributed forwarding architecture. The Policy Feature Card (PFC) is functional on both the active and
hot-standby nodes and is independent of the virtual-switch role. As with ingress queuing, the network
administrator must implement egress queuing on each of the member-links of the Layer 2 or Layer 3
MEC. The egress queuing model on the Catalyst 6500-E is based on the linecard type and its capabilities;
when deploying the Catalyst 6500-E in VSS mode, only the WS-67xx series 1G/10G linecards with a
CFC or DFC3C/DFC3CXL daughter card are supported.
Table 2-10 describes the deployment guidelines for the Catalyst 6500-E Series linecard modules in the
campus distribution and core layer network. In the solutions lab, the WS-6724-SFP and WS-6708-10GE
were validated in the campus distribution and core layers. The two modules support different egress
queuing models; this sub-section provides deployment guidelines for both module types.

Table 2-10 Catalyst 6500-E Switch Module Egress Queuing Architecture

Switch Module                                  | Daughter Card | Egress Queue and Drop Thresholds | Egress Queue Scheduler | Total Buffer Size      | Egress Buffer Size
WS-6724-SFP                                    | CFC or DFC3   | 1P3Q8T                           | DWRR                   | 1.3 MB                 | 1.2 MB
WS-6704-10GE                                   | CFC or DFC3   | 1P7Q8T                           | DWRR                   | 16 MB                  | 14 MB
WS-6708-10GE                                   | DFC3          | 1P7Q4T                           | DWRR / SRR             | 198 MB                 | 90 MB
WS-6716-10GE (Oversubscription and Perf. Mode) | DFC3          | 1P7Q8T                           |                        | 198 MB (1) / 91 MB (2) | 90 MB (1) / 1 MB (2)
1. Per Port Capacity in Performance Mode
2. Per Port Capacity in Oversubscription Mode

WS-6724-SFP – 1P3Q8T Egress Queuing Model
On the WS-6724-SFP module the egress queuing functions on a per physical port basis, independent of
link-layer and higher protocol settings; these functions remain the same whether the physical port is
deployed standalone or bundled into an EtherChannel. Each 1G physical port supports 4 egress queues
with default CoS mapping on the transmit side. This module is a cost-effective 1G non-blocking high speed
network module but does not provide deep application granularity based on different DSCP markings.
It does not have the flexibility to use different class-of-service egress queues per application. Campus
LAN QoS consolidation to a 4 class model occurs on the physical paths that connect to the WAN or
Internet Edge routers, which forward traffic across a private WAN or the Internet. Deploying the
WS-6724-SFP module in a 4 class model would be recommended in that design. Figure 2-62 illustrates the
1P3Q8T egress queuing model to be applied on the Catalyst 6500-E WS-6724-SF module.

Figure 2-62 1P3Q8T Egress Queuing Model

[Figure: columns Application, PHB, CoS, Egress Queue 1P3Q8T. VoIP (EF) and Broadcast Video (CS5) as CoS 5, and Multimedia Conferencing (AF4) and Realtime Interactive (CS4) as CoS 4, map to the Priority Queue (30%). Network Control (CS7) as CoS 7 maps to Q3T4, Internetwork Control (CS6) as CoS 6 to Q3T3, Multimedia Streaming (AF3) and Signaling (CS3) as CoS 3 to Q3T2, and Transactional Data (AF2) and Network Management (CS2) as CoS 2 to Q3T1 (Queue 3, 40%). Best Effort (DF) as CoS 0 maps to Queue 2 (25%). Bulk Data (AF1) and Scavenger (CS1) as CoS 1 map to Queue 1 (5%).]

The following corresponding 1P3Q8T egress queuing configuration must be applied on each
member-link of the MEC.
• Catalyst 6500-E VSS (Distribution and Core)

cr23-vss-core(config)#interface range GigabitEthernet 1/2/1-24 , Gi2/2/1 - 24
cr23-vss-core(config-if-range)# wrr-queue queue-limit 20 25 40
! Allocates 20% of the buffers to Q1, 25% to Q2 and 40% to Q3
cr23-vss-core(config-if-range)# priority-queue queue-limit 15
! Allocates 15% of the buffers to the PQ
cr23-vss-core(config-if-range)# wrr-queue bandwidth 5 25 40
! Allocates 5% BW to Q1, 25% BW to Q2 and 40% BW to Q3

! This section enables WRED on Queues 1 through 3
cr23-vss-core(config-if-range)# wrr-queue random-detect 1
! Enables WRED on Q1
cr23-vss-core(config-if-range)# wrr-queue random-detect 2
! Enables WRED on Q2
cr23-vss-core(config-if-range)# wrr-queue random-detect 3
! Enables WRED on Q3

! This section configures WRED thresholds for Queues 1 through 3

cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
! Sets all WRED max thresholds on Q1 to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
! Sets Q1T1 min WRED threshold to 80%; all others set to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
! Sets all WRED max thresholds on Q2 to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
! Sets Q2T1 min WRED threshold to 80%; all others set to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 3 70 80 90 100 100 100 100 100
! Sets Q3T1 max WRED threshold to 70%; Q3T2 max WRED threshold to 80%;
! Sets Q3T3 max WRED threshold to 90%; Q3T4 max WRED threshold to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 3 60 70 80 90 100 100 100 100
! Sets Q3T1 min WRED threshold to 60%; Q3T2 min WRED threshold to 70%;
! Sets Q3T3 min WRED threshold to 80%; Q3T4 min WRED threshold to 90%

! This section configures the CoS-to-Queue/Threshold mappings
cr23-vss-core(config-if-range)# wrr-queue cos-map 1 1 1
! Maps CoS 1 (Scavenger and Bulk Data) to Q1T1
cr23-vss-core(config-if-range)# wrr-queue cos-map 2 1 0
! Maps CoS 0 (Best Effort) to Q2T1
cr23-vss-core(config-if-range)# wrr-queue cos-map 3 1 2
! Maps CoS 2 (Network Management and Transactional Data) to Q3T1
cr23-vss-core(config-if-range)# wrr-queue cos-map 3 2 3
! Maps CoS 3 (Signaling and Multimedia Streaming) to Q3T2
cr23-vss-core(config-if-range)# wrr-queue cos-map 3 3 6
! Maps CoS 6 (Internetwork Control) to Q3T3
cr23-vss-core(config-if-range)# wrr-queue cos-map 3 4 7
! Maps CoS 7 (Network Control) to Q3T4
cr23-vss-core(config-if-range)# priority-queue cos-map 1 4 5
! Maps CoS 4 (Realtime Interactive and Multimedia Conferencing) to PQ
! Maps CoS 5 (VoIP and Broadcast Video) to the PQ

cr23-VSS-Core#show queueing interface GigabitEthernet 1/2/1
Interface GigabitEthernet1/2/1 queueing strategy: Weighted Round-Robin
Port QoS is enabled
Trust boundary disabled

Trust state: trust DSCP
Extend trust state: not trusted [COS = 0]
Default COS is 0
Queueing Mode In Tx direction: mode-cos
Transmit queues [type = 1p3q8t]:
Queue Id Scheduling Num of thresholds
-----------------------------------------
01 WRR 08
02 WRR 08
03 WRR 08
04 Priority 01

WRR bandwidth ratios: 5[queue 1] 25[queue 2] 40[queue 3]
queue-limit ratios: 20[queue 1] 25[queue 2] 40[queue 3] 15[Pri Queue]

queue tail-drop-thresholds
--------------------------
1 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
2 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
3 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

queue random-detect-min-thresholds
----------------------------------
1 80[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
2 80[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
3 60[1] 70[2] 80[3] 90[4] 100[5] 100[6] 100[7] 100[8]

queue random-detect-max-thresholds
----------------------------------
1 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
2 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
3 70[1] 80[2] 90[3] 100[4] 100[5] 100[6] 100[7] 100[8]

WRED disabled queues:
queue thresh cos-map
---------------------------------------
1 1 1
1 2
1 3
1 4
1 5
1 6
1 7
1 8
2 1 0
2 2
2 3
2 4
2 5
2 6
2 7
2 8
3 1 2
3 2 3
3 3 6
3 4 7
3 5
3 6
3 7
3 8
4 1 4 5
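Before moving on to the 10G linecards, here is an added example (not from the design guide and not Cisco IOS code) of checking a queuing configuration such as the one above offline: a small Python parser for the wrr-queue and priority-queue interface commands, with checks for the invariants the model depends on (WRR shares and buffer limits within 100 percent, WRED min below max and thresholds increasing from T1 upward, every CoS mapped explicitly, and the Scavenger class in the least-bandwidth WRR queue and never in the priority queue). The Scavenger check is the one with a security angle: CS1/CoS 1 is where policers mark down out-of-profile or suspicious traffic, and the design only starves that traffic if the mapping really lands it in the 5 percent queue. The same parser reads wrr-queue dscp-map lines, so it also covers the DSCP-based 1P7Q4T configuration in the next section, where the AF drop-precedence ordering check applies. The sample input is the 1P3Q8T command set above with prompts and comments removed; the two AF1x snippets are constructed, one correct and one deliberately inverted.

```python
"""Static checks for a Catalyst 6500 egress queuing configuration (1P3Q8T or 1P7Q4T).
Added example, not from the design guide or Cisco IOS: parses the wrr-queue /
priority-queue interface commands and checks the invariants the model depends on."""
import re

# Constructed sample: the 1P3Q8T commands from the text, prompts and comments removed.
SAMPLE_1P3Q8T = """
wrr-queue queue-limit 20 25 40
priority-queue queue-limit 15
wrr-queue bandwidth 5 25 40
wrr-queue random-detect 1
wrr-queue random-detect 2
wrr-queue random-detect 3
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
wrr-queue random-detect max-threshold 3 70 80 90 100 100 100 100 100
wrr-queue random-detect min-threshold 3 60 70 80 90 100 100 100 100
wrr-queue cos-map 1 1 1
wrr-queue cos-map 2 1 0
wrr-queue cos-map 3 1 2
wrr-queue cos-map 3 2 3
wrr-queue cos-map 3 3 6
wrr-queue cos-map 3 4 7
priority-queue cos-map 1 4 5
"""
# Constructed DSCP snippets: the Bulk Data (AF1x) lines of the 1P7Q4T model, and an
# inverted copy that puts AF11 (lowest drop precedence) on the first WRED threshold.
AF1X_OK = "wrr-queue dscp-map 3 1 14\nwrr-queue dscp-map 3 2 12\nwrr-queue dscp-map 3 3 10\n"
AF1X_BAD = "wrr-queue dscp-map 3 1 10\nwrr-queue dscp-map 3 2 12\nwrr-queue dscp-map 3 3 14\n"


def parse_queuing(config):
    """Build a dict model; cos_map/dscp_map are marking -> (queue, threshold), PQ is queue 'PQ'."""
    q = {"bandwidth": [], "queue_limit": [], "pq_limit": 0, "wred_on": set(),
         "wred_min": {}, "wred_max": {}, "cos_map": {}, "dscp_map": {}}
    for raw in config.splitlines():
        tok = re.sub(r"^\S*#\s*", "", raw.split("!")[0]).split()  # drop CLI prompt and comment
        if len(tok) < 3:
            continue
        if tok[:2] == ["wrr-queue", "bandwidth"]:
            q["bandwidth"] = [int(x) for x in tok[2:]]
        elif tok[:2] == ["wrr-queue", "queue-limit"]:
            q["queue_limit"] = [int(x) for x in tok[2:]]
        elif tok[:2] == ["priority-queue", "queue-limit"]:
            q["pq_limit"] = int(tok[2])
        elif tok[:2] == ["wrr-queue", "random-detect"] and len(tok) == 3:
            q["wred_on"].add(int(tok[2]))
        elif tok[:2] == ["wrr-queue", "random-detect"]:
            key = "wred_min" if tok[2] == "min-threshold" else "wred_max"
            q[key][int(tok[3])] = [int(x) for x in tok[4:]]
        elif tok[1] in ("cos-map", "dscp-map"):
            kind = tok[1].replace("-", "_")
            if tok[0] == "priority-queue":          # priority-queue cos-map <pq> <marks...>
                queue, thr, marks = "PQ", 1, tok[3:]
            else:                                   # wrr-queue cos-map <queue> <thr> <marks...>
                queue, thr, marks = int(tok[2]), int(tok[3]), tok[4:]
            for m in marks:
                q[kind][int(m)] = (queue, thr)
    return q


def check_queuing(q, scavenger_marks):
    """Return findings (empty list = design holds). scavenger_marks are the CoS or DSCP
    values of the Scavenger class, which must sit in the least-bandwidth WRR queue."""
    findings = []
    if sum(q["bandwidth"]) > 100:
        findings.append("WRR bandwidth shares exceed 100%")
    if sum(q["queue_limit"]) + q["pq_limit"] > 100:
        findings.append("queue-limit plus priority-queue queue-limit exceeds 100% of buffers")
    for qid in sorted(q["wred_on"]):
        lo, hi = q["wred_min"].get(qid), q["wred_max"].get(qid)
        if not lo or not hi:
            findings.append(f"WRED enabled on Q{qid} without explicit min and max thresholds")
            continue
        if any(a > b for a, b in zip(lo, hi)):
            findings.append(f"Q{qid}: a WRED min threshold is above its max threshold")
        if lo != sorted(lo) or hi != sorted(hi):
            findings.append(f"Q{qid}: thresholds do not increase from T1 upward")
    mapping = q["cos_map"] or q["dscp_map"]
    if q["cos_map"]:
        missing = [c for c in range(8) if c not in mapping]
        if missing:
            findings.append(f"CoS values left on platform defaults: {missing}")
    wrr_bw = {i + 1: bw for i, bw in enumerate(q["bandwidth"])}
    min_bw = min(wrr_bw.values(), default=None)
    for m in scavenger_marks:
        queue = mapping.get(m, (None,))[0]
        if queue == "PQ" or wrr_bw.get(queue) != min_bw:
            findings.append(f"Scavenger marking {m} is in queue {queue}, not the least-bandwidth WRR queue")
    return findings


def check_af_drop_precedence(dscp_map):
    """AFx3 must hit a WRED threshold no higher than AFx2, and AFx2 no higher than AFx1, in one
    queue: WRED drops the lowest threshold first, so only this order makes markdown bite."""
    findings = []
    for cls in range(1, 5):
        af1, af2, af3 = 8 * cls + 2, 8 * cls + 4, 8 * cls + 6   # DSCP values of AFx1, AFx2, AFx3
        if not all(d in dscp_map for d in (af1, af2, af3)):
            continue
        (q1, t1), (q2, t2), (q3, t3) = (dscp_map[d] for d in (af1, af2, af3))
        if not q1 == q2 == q3:
            findings.append(f"AF{cls}x is split across queues {q1}, {q2}, {q3}")
        elif not t3 <= t2 <= t1:
            findings.append(f"AF{cls}x thresholds inverted: AF{cls}1->T{t1} AF{cls}2->T{t2} AF{cls}3->T{t3}")
    return findings
```

Paste the running configuration of the member link (prompts included) into parse_queuing and compare the findings against the intended design; a non-empty list from check_queuing with scavenger_marks=[1] for CoS-based ports, or [8] for DSCP-based ports, means the Scavenger class is not being starved as the model intends.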

WS-6708-10GE and WS-6716-10GE – 1P7Q4T Egress Queuing Model
The next-generation 10G linecards are designed with advanced ASICs and higher capacity to ensure
that the campus backbone of large enterprise networks is ready for the future. Both modules support a
DSCP-based 8-queue model to deploy flexible and scalable QoS in the campus core. With 8 egress
queues, the WS-6708-10G and WS-6716-10G modules increase the application granularity that the
various DSCP markings applied at the network edge make possible. Figure 2-63 illustrates the DSCP-based
1P7Q4T egress queuing model.

Figure 2-63 1P7Q4T Egress Queuing Model
(Figure placeholder; the diagram maps each application class and its PHB to an egress queue and bandwidth share.)
Priority Queue Q8 (30%): VoIP (EF), Broadcast Video (CS5), Realtime Interactive (CS4)
Q7 (10%): Network Control (CS7), Internetwork Control (CS6), Signaling (CS3), Network Management (CS2)
Q6 (10%): Multimedia Conferencing (AF4)
Q5 (10%): Multimedia Streaming (AF3)
Q4 (10%): Transactional Data (AF2)
Q3 (4%): Bulk Data (AF1)
Best Effort (DF): 25%
Scavenger (CS1): 1%
(The figure labels the Best Effort queue Q1 and the Scavenger queue Q2; the configuration below maps DF to Q2 with 25% bandwidth and CS1 to Q1 with 1% bandwidth. The percentages per class are the same either way; follow the configuration for the queue numbers.)

The following corresponding 1P7Q4T egress queuing configuration must be applied on each
member link of the MEC.
• Catalyst 6500-E VSS (Distribution and Core)

cr23-vss-core(config)#interface range TenGigabitEthernet 1/1/2 - 8 , 2/1/2 - 8
cr23-vss-core(config-if-range)# wrr-queue queue-limit 10 25 10 10 10 10 10
! Allocates 10% of the buffers to Q1, 25% to Q2, 10% to Q3, 10% to Q4, 10% to Q5, 10% to Q6 and 10% to Q7
cr23-vss-core(config-if-range)# wrr-queue bandwidth 1 25 4 10 10 10 10
! Allocates 1% BW to Q1, 25% BW to Q2, 4% BW to Q3, 10% BW to Q4, 10% BW to Q5, 10% BW to Q6 and 10% BW to Q7
cr23-vss-core(config-if-range)# priority-queue queue-limit 15
! Allocates 15% of the buffers to the PQ

! This section enables WRED on Queues 1 through 7
cr23-vss-core(config-if-range)# wrr-queue random-detect 1
! Enables WRED on Q1
cr23-vss-core(config-if-range)# wrr-queue random-detect 2
! Enables WRED on Q2
cr23-vss-core(config-if-range)# wrr-queue random-detect 3
! Enables WRED on Q3
cr23-vss-core(config-if-range)# wrr-queue random-detect 4
! Enables WRED on Q4
cr23-vss-core(config-if-range)# wrr-queue random-detect 5
! Enables WRED on Q5
cr23-vss-core(config-if-range)# wrr-queue random-detect 6
! Enables WRED on Q6
cr23-vss-core(config-if-range)# wrr-queue random-detect 7
! Enables WRED on Q7

! This section configures WRED thresholds for Queues 1 through 7
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 1 100 100 100 100
! Sets all WRED max thresholds on Q1 to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 1 80 100 100 100
! Sets Q1T1 min WRED threshold to 80%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 2 100 100 100 100
! Sets all WRED max thresholds on Q2 to 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 2 80 100 100 100
! Sets Q2T1 min WRED threshold to 80%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 3 80 90 100 100
! Sets WRED max thresholds for Q3T1, Q3T2, Q3T3 to 80%, 90% and 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 3 70 80 90 100
! Sets WRED min thresholds for Q3T1, Q3T2, Q3T3 to 70%, 80% and 90%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 4 70 80 90 100
! Sets WRED min thresholds for Q4T1, Q4T2, Q4T3 to 70%, 80% and 90%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 4 80 90 100 100
! Sets WRED max thresholds for Q4T1, Q4T2, Q4T3 to 80%, 90% and 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 5 70 80 90 100
! Sets WRED min thresholds for Q5T1, Q5T2, Q5T3 to 70%, 80% and 90%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 5 80 90 100 100
! Sets WRED max thresholds for Q5T1, Q5T2, Q5T3 to 80%, 90% and 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 6 70 80 90 100
! Sets WRED min thresholds for Q6T1, Q6T2, Q6T3 to 70%, 80% and 90%
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 6 80 90 100 100
! Sets WRED max thresholds for Q6T1, Q6T2, Q6T3 to 80%, 90% and 100%
cr23-vss-core(config-if-range)# wrr-queue random-detect min-threshold 7 60 70 80 90
! Sets WRED min thresholds for Q7T1, Q7T2, Q7T3 and Q7T4 to 60%, 70%, 80% and 90%, respectively
cr23-vss-core(config-if-range)# wrr-queue random-detect max-threshold 7 70 80 90 100
! Sets WRED max thresholds for Q7T1, Q7T2, Q7T3 and Q7T4 to 70%, 80%, 90% and 100%, respectively

! This section configures the DSCP-to-Queue/Threshold mappings
cr23-vss-core(config-if-range)# wrr-queue dscp-map 1 1 8
! Maps CS1 (Scavenger) to Q1T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 2 1 0
! Maps DF (Best Effort) to Q2T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 3 1 14
! Maps AF13 (Bulk Data-Drop Precedence 3) to Q3T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 3 2 12
! Maps AF12 (Bulk Data-Drop Precedence 2) to Q3T2
cr23-vss-core(config-if-range)# wrr-queue dscp-map 3 3 10
! Maps AF11 (Bulk Data-Drop Precedence 1) to Q3T3
cr23-vss-core(config-if-range)# wrr-queue dscp-map 4 1 22
! Maps AF23 (Transactional Data-Drop Precedence 3) to Q4T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 4 2 20
! Maps AF22 (Transactional Data-Drop Precedence 2) to Q4T2
cr23-vss-core(config-if-range)# wrr-queue dscp-map 4 3 18
! Maps AF21 (Transactional Data-Drop Precedence 1) to Q4T3
cr23-vss-core(config-if-range)# wrr-queue dscp-map 5 1 30
! Maps AF33 (Multimedia Streaming-Drop Precedence 3) to Q5T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 5 2 28
! Maps AF32 (Multimedia Streaming-Drop Precedence 2) to Q5T2
cr23-vss-core(config-if-range)# wrr-queue dscp-map 5 3 26
! Maps AF31 (Multimedia Streaming-Drop Precedence 1) to Q5T3
cr23-vss-core(config-if-range)# wrr-queue dscp-map 6 1 38
! Maps AF43 (Multimedia Conferencing-Drop Precedence 3) to Q6T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 6 2 36
! Maps AF42 (Multimedia Conferencing-Drop Precedence 2) to Q6T2
cr23-vss-core(config-if-range)# wrr-queue dscp-map 6 3 34
! Maps AF41 (Multimedia Conferencing-Drop Precedence 1) to Q6T3
cr23-vss-core(config-if-range)# wrr-queue dscp-map 7 1 16
! Maps CS2 (Network Management) to Q7T1
cr23-vss-core(config-if-range)# wrr-queue dscp-map 7 2 24

! Maps CS3 (Signaling) to Q7T2
cr23-vss-core(config-if-range)# wrr-queue dscp-map 7 3 48
! Maps CS6 (Internetwork Control) to Q7T3
cr23-vss-core(config-if-range)# wrr-queue dscp-map 7 4 56
! Maps CS7 (Network Control) to Q7T4
cr23-vss-core(config-if-range)# priority-queue dscp-map 1 32 40 46
! Maps CS4 (Realtime Interactive), CS5 (Broadcast Video),
! and EF (VoIP) to the PQ

Note Due to the default WRED threshold settings, at times the maximum threshold needs to be configured before the minimum (as is the case on queues 1 through 3 in the example above); at other times, the minimum threshold needs to be configured before the maximum (as is the case on queues 4 through 7 in the example above).

High-Availability in LAN Network Design

Network reliability and availability is not a new demand, but one that is well planned during the early network design phase. Network reliability and availability can be simplified using several Cisco high availability technologies that offer complete failure transparency to the end users and applications during planned or unplanned network outages.

Some of the high availability techniques can be achieved with the LAN network design inherent in the medium enterprise network design, without making major network changes. However, the critical network systems deployed in the main campus that provide global connectivity may require additional hardware and software components to provide non-stop communications. To prevent a catastrophic network failure during an unplanned network outage event, it is important to identify network fault domains and define rapid recovery plans to minimize the application impact during minor and major network outage conditions.

Because every tier of the LAN network design can be classified as a fault domain, deploying redundant systems can be effective. However, this introduces a new set of challenges, such as higher cost and the added complexity of managing more systems. Cisco high availability technologies can be deployed based on critical versus non-critical platform roles in the network. Depending on the LAN design tier, the resiliency option appropriate to the role and network service type must be deployed. The following three major resiliency requirements encompass most of the common types of failure conditions:

• Network resiliency—Provides redundancy during physical link failures, such as fiber cuts, bad transceivers, incorrect cabling, and so on.
• Device resiliency—Protects the network during abnormal node failures triggered by hardware or software, such as software crashes, a non-responsive supervisor, and so on.
• Operational resiliency—Takes resiliency capabilities to the next level, providing complete network availability even during planned network outage conditions, using In Service Software Upgrade (ISSU) features.

Medium Enterprise High-Availability Framework

Independent of the business function, the medium enterprise campus network must be built on the same fundamentals that provide a constant "on" network service for uninterrupted business operations and protect campus physical security and assets. Networks built on these three fundamentals offer the high availability needed to use the network as a core platform, giving the flexibility to overlay advanced and emerging technologies and provide non-stop network communications.

Network fault domains in this reference architecture are identifiable, but the failure conditions within the domains are unpredictable. The fault levels can range from a network interruption to a disaster, and can be triggered by systems, humans, or even nature. Improper network design or non-resilient network systems can experience a higher number of faults that not only degrade the user experience but may severely impact application performance and may fail to capture critical physical security video. For example, the failure of a 1-Gigabit Ethernet backbone connection for 10 seconds can drop more than 1 Gigabit of network information, which may include critical medium enterprise data or captured video surveillance data.

Network failures can be classified in one of the following two ways:
• Planned Failure—A planned network outage occurs when a network system is administratively disabled in the network for a scheduled event (for example, a software upgrade).
• Unplanned Failure—Any unforeseen failure of a network element can be considered an unplanned failure. Such failures include internal faults in the network device caused by hardware or software malfunctions, such as a software crash, a linecard failure, or a link transceiver failure.

Baselining Campus High Availability

Typical application response time is in milliseconds when the campus network is built with high-speed backbone connections and is in a fully operational state. When end users constantly work in an environment with deterministic network response times, their learning and work practices are rapid; however, during an abnormal network failure that causes traffic loss, congestion and application retries degrade performance and alert the user to the network fault. Every protocol operates differently in the network: while retries are acceptable for non-critical data traffic, real-time applications may not tolerate them. During a major network fault event, the user determines that there is a network connection problem based on routine experience (for example, slow Internet browsing response time) even before an application protocol detects the problem. Figure 2-64 shows a sample real-time VoIP application in the campus network and the sequence of user experience in different phases during minor and major unplanned network outages:

Figure 2-64 VoIP Impact During Minor and Major Network Outage
(Figure placeholder: the vertical axis is data loss in seconds, from 0 to 50. A minor network outage sits at the low end of the scale, where the user sees no impact or minimal impact; a major network outage extends to tens of seconds, where the voice user hangs up and the phone resets.)

This high availability framework is based on the three major resiliency strategies to solve the wide range of planned and unplanned network outage types described in the previous section. Several high availability technologies must be deployed at each layer to provide higher network availability and rapid recovery during failure conditions, to prevent communication failure or degraded network-wide application performance. (See Figure 2-65.)

Figure 2-65 High-Availability Goals, Strategy, and Technologies
(Figure placeholder: the goal is resilient network service availability; the strategies are network resiliency, device resiliency, and operational resiliency; the resilient technologies are EtherChannel/MEC, UDLD, and IP event dampening for network resiliency, NSF/SSO and StackWise for device resiliency, and ISSU and eFSU for operational resiliency.)

Network Resiliency Overview

The most common network fault in the LAN is a link failure between two systems. Link failures can be caused by issues such as a fiber cut, miswiring, a linecard module failure, and so on. In a modular platform design, redundant parallel physical links between distributed modules of two systems reduce the fault probability and can increase network availability. It is important to remember that multiple parallel paths between two systems also change how the higher layer protocols construct their adjacencies and the loop-free forwarding topology.

Deploying redundant parallel paths in the recommended medium enterprise LAN design by default develops a non-optimal topology that keeps the network underutilized and requires protocol-based network recovery. In the same network design, the routed access model eliminates such limitations and enables full load balancing to increase bandwidth capacity and minimize the application impact during a single path failure. To develop a consistent network resiliency service in the centralized main and remote campus sites, the following basic principles apply:

• Deploying redundant parallel paths is the basic requirement for network resiliency at any tier. It is critical to simplify control plane and forwarding plane operation by bundling all physical paths into a single logical bundled interface (EtherChannel). Implement a defense-in-depth approach to failure detection and recovery mechanisms. An example of this is configuring the UniDirectional Link Detection (UDLD) protocol, which uses a Layer 2 keep-alive to test that the switch-to-switch links are connected and operating correctly, and acts as a backup to the native Layer 1 unidirectional link detection capabilities provided by the 802.3z and 802.3ae standards. UDLD is not an EtherChannel function; it operates independently over each individual physical port at Layer 2 and remains transparent to the rest of the port configuration. UDLD can be deployed on ports implemented in Layer 2 or Layer 3 modes.
• Ensure that the network design is self-stabilizing. Hardware or software errors may cause ports to flap, which creates false alarms and destabilizes the network topology. Implementing route summarization advertises a concise topology view to the network, which prevents core network instability. However, within the summarized boundary, the network is not protected from the resulting flood of updates. Deploy IP event dampening as a tool to prevent the control and forwarding plane impact caused by physical topology instability.
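The second principle names IP event dampening without showing how it decides when a flapping port is hidden from the routing protocols. As an added example (not from the guide and not Cisco's implementation), the following Python model replays a burst of link flaps through the dampening algorithm: each down transition adds a fixed penalty, the penalty decays exponentially with a half-life, the link is suppressed toward the control plane once the penalty crosses the suppress threshold, and it is reused once decay brings the penalty back under the reuse threshold. The values used (half-life 5 seconds, reuse 1000, suppress 2000, maximum suppress time 20 seconds, a penalty of 1000 per flap, and a penalty ceiling of reuse times two to the power of max-suppress over half-life) are the Cisco IOS defaults as understood here and are stated as assumptions in the code; the flap timings are constructed.

```python
"""Model of IP event dampening (added example; not Cisco code and not from the design guide).
Assumed Cisco IOS defaults: half-life 5 s, reuse 1000, suppress 2000, max-suppress 20 s,
penalty 1000 per interface-down event, ceiling = reuse * 2 ** (max_suppress / half_life)."""
from dataclasses import dataclass, field


@dataclass
class DampenedInterface:
    half_life: float = 5.0      # seconds for the accumulated penalty to halve
    reuse: int = 1000           # unsuppress once the penalty decays below this
    suppress: int = 2000        # suppress once the penalty rises above this
    max_suppress: float = 20.0  # seconds; bounds how long one burst of flaps can dampen the link
    flap_penalty: int = 1000
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False
    link_up: bool = True        # physical state reported by the port
    events: list = field(default_factory=list)  # (time, "suppress" | "reuse")

    @property
    def ceiling(self) -> float:
        """Penalty cap; with the assumed defaults 1000 * 2**4 = 16000."""
        return self.reuse * 2 ** (self.max_suppress / self.half_life)

    def _decay(self, now: float) -> None:
        """Apply exponential decay since the last update and release the link if it is due."""
        self.penalty *= 0.5 ** ((now - self.last_update) / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
            self.events.append((now, "reuse"))

    def link_down(self, now: float) -> None:
        """Each down transition adds a fixed penalty; crossing the suppress threshold dampens the link."""
        self._decay(now)
        self.link_up = False
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if not self.suppressed and self.penalty > self.suppress:
            self.suppressed = True
            self.events.append((now, "suppress"))

    def link_restored(self, now: float) -> None:
        """An up transition adds no penalty; it only lets decay continue."""
        self._decay(now)
        self.link_up = True

    def advertised_up(self, now: float) -> bool:
        """What the routing protocols see: the physical state, except that a dampened link stays down."""
        self._decay(now)
        return self.link_up and not self.suppressed


def simulate(flaps=((0.0, 0.5), (1.0, 1.5), (2.0, 2.5)), probes=(5.0, 10.0)):
    """Replay constructed (down, up) flap pairs, then probe the advertised state at later times."""
    iface = DampenedInterface()
    for down, up in flaps:
        iface.link_down(down)
        iface.link_restored(up)
    return iface, {t: iface.advertised_up(t) for t in probes}


if __name__ == "__main__":
    iface, seen = simulate()
    print(iface.events)  # the third flap trips suppression at t=2; reuse follows about 7 s later
    print(seen)
```

Two flaps a second apart never reach the suppress threshold (the first penalty has already decayed to about 870 when the second arrives), but the third pushes the penalty past 2000, so the link stays down toward the routing protocols even though it is physically up by t=2.5; it is released only when decay brings the penalty under 1000, roughly seven seconds later. Because the ceiling caps the penalty, a port that flaps continuously cannot be dampened longer than the maximum suppress time once it finally settles.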

These principles are intended to be a complementary part of the overall structured modular design approach to the campus design, and serve primarily to reinforce good resilient design practices.

Device Resiliency Overview

Another major component of an overall campus high availability framework is device or node level protection, which can be triggered during any type of abnormal internal hardware or software process within the system. Some of the common internal failures are a software-triggered crash, power outages, line card failures, and so on. LAN network devices can be a single point of failure, and such failures are considered major because recovery may require a network administrator to mitigate the failure and recover the system. The network recovery time can remain non-deterministic, causing a complete or partial network outage, depending on the network design.

Redundant hardware components for device resiliency vary between fixed configuration and modular Cisco Catalyst switches. To protect against common network faults or resets, all critical medium enterprise campus network devices must be deployed with a similar device resiliency configuration. This subsection provides basic redundant hardware deployment guidelines for the access layer and collapsed core switching platforms in the campus network.

Redundant Power System

Redundant power supplies for network systems protect against power outages, power supply failures, and so on. It is important to protect not only the internal network system but also the endpoints that rely on power delivered over the Ethernet network. Redundant power systems can be deployed in the two following configuration modes:

• Modular switch—Dual power supplies can be deployed in modular switching platforms such as the Cisco Catalyst 6500-E and 4500-E Series. By default, the power supplies operate in redundant mode, offering the 1+1 redundant option. Overall power capacity planning must be done to dynamically allow for network growth. Lower-capacity power supplies can be combined to allocate power to all internal and external resources, but may not be able to offer power redundancy.
• Fixed configuration switch—Depending on the Catalyst switch capability, the fixed configuration switches offer a wide range of power redundancy options, including the latest innovation, Cisco StackPower, on the Catalyst 3750-X Series platform; internal redundant power supplies on the Catalyst 3560-X; and the Cisco RPS 2300 external power supply solution on Catalyst 2960-S Series switches. To prevent a network outage, fixed configuration Catalyst switches that support it must be deployed with Cisco StackPower technology. A single Cisco RPS 2300 uses a modular power supply and fan for flexibility, and can deliver power to multiple switches. Deploying an internal and external power supply solution protects critical access layer switches during power outages, and provides complete fault transparency and constant network availability.

Redundant Control Plane

Device or node resiliency in modular Cisco Catalyst 6500-E/4500-E platforms and Cisco StackWise provides a 1+1 redundancy option with enterprise-class high availability and deterministic network recovery time. The following subsections provide high availability design details, as well as graceful network recovery techniques that do not impact the control plane and provide constant forwarding capabilities during failure events.

Stateful Switchover

The stateful switchover (SSO) capability in modular switching platforms such as the Cisco Catalyst 4500 and 6500 provides complete carrier-class high availability in the campus network. Cisco recommends that the distribution and core layer design model be the center point of the entire enterprise communication network. Deploying redundant supervisors in the mission-critical distribution and core systems provides non-stop communication throughout the network. To provide 99.999 percent service availability in the access layer, the Catalyst 4500 must be equipped with redundant supervisors where it connects critical endpoints such as Cisco TelePresence.

Cisco StackWise is a low-cost solution that provides device-level high availability. Cisco StackWise is designed with unique hardware and software capabilities that distribute, synchronize, and protect common forwarding information across all member switches in a stack ring. During a master switch failure, the new master switch re-election remains transparent to the network devices and endpoints. Deploying Cisco StackWise according to the recommended guidelines protects against network interruption, and recovers the network in sub-seconds during master switch re-election.

Non-Stop Forwarding

Cisco VSS and the single highly resilient campus system provide uninterrupted network availability using non-stop forwarding (NSF) without impacting end-to-end application performance. Bundling SSO with NSF capability and the awareness function allows the network to operate without errors during a primary supervisor module failure. Users of realtime applications such as VoIP do not hang up the phone, and IP video surveillance cameras do not freeze. The Cisco VSS and redundant supervisor system is an NSF-capable platform; thus, every network device that connects to the VSS or the redundant supervisor system must be NSF-aware to provide optimal resiliency. By default, most Cisco Layer 3 network devices are NSF-aware systems that operate in NSF helper mode for graceful network recovery. (See Figure 2-66.)

Figure 2-66 Medium Enterprise NSF/SSO Capable and Aware Systems
(Figure placeholder: the Edge is NSF-capable (QFP); the Core and Distribution are NSF-capable systems with Switch-1 Active and Switch-2 Standby joined by a VSL; the Access layer is NSF-aware.)

Operational Resiliency Overview

Designing the network to recover from failure events is only one aspect of the overall campus non-stop design. Converged network environments are continuing to move toward requiring true 7x24x365 availability. The medium enterprise LAN network is part of the backbone of the enterprise network and must be designed to enable standard operational processes, configuration changes, and software and hardware upgrades without disrupting network services.

The ability to make changes, upgrade software, and replace or upgrade hardware becomes challenging without a redundant system in the campus core. Upgrading individual devices without taking them out of service is similarly based on having internal component redundancy (such as power supplies and supervisors), complemented by the system software capabilities. The Cisco Catalyst 4500-E, 6500-E and ASR 1000 Series platforms support in-service software upgrades in the campus. Cisco In-Service Software Upgrade (ISSU) and Enhanced Fast Software Upgrade (eFSU) leverage NSF/SSO technology to provide continuous network availability while upgrading critical systems, eliminating the network service downtime that planning and maintenance windows otherwise require. Figure 2-67 demonstrates the platform-independent Cisco IOS software upgrade flow using ISSU technology.

Figure 2-67 Cisco ISSU Software Process Cycle
(Figure placeholder: the cycle runs through five steps on an Active/Standby supervisor pair. 1 issu loadversion: the Standby supervisor reboots with the new software version while the Active keeps running the old one. 2 issu runversion: a switchover makes the new version effective on the now-Active supervisor; the former Active becomes Standby, still running the old image. 3 issu acceptversion: acknowledges successful activation of the new software and stops the ISSU roll-over timer. 4 issu commitversion: commits the upgrade and reboots the supervisor still running the old image. 5 issu abortversion: rolls back from steps 2 or 3 to the old software version.)

Having the ability to operate the campus as a non-stop system depends on the appropriate capabilities being designed in from the start. Network and device level redundancy, along with the necessary software control mechanisms, guarantee controlled and fast recovery of all data flows following any network failure, while concurrently providing the ability to proactively manage the non-stop infrastructure.

Catalyst 4500—ISSU

Full-image ISSU on the Cisco Catalyst 4500-E leverages dual redundant supervisors to allow for a full, in-place Cisco IOS upgrade, such as moving from IOS Release 12.2(53)SG to 12.2(53)SG1, for example. This leverages the NSF/SSO capabilities and the unique ability of the supervisor uplink ports to remain in an operational and forwarding state even when the supervisor module is reset. Such a design helps retain bandwidth capacity while upgrading both supervisor modules, at the cost of less than a second of traffic loss during a full Cisco IOS upgrade.

Catalyst 6500 VSS—eFSU

A network upgrade normally requires planned network and system downtime. VSS offers unmatched network availability to the core. With the Enhanced Fast Software Upgrade (eFSU) feature, the VSS can continue to provide network services during the upgrade, and the upgrade remains transparent and hitless to the applications and end users. Because eFSU works in conjunction with NSF/SSO technology, the network devices can gracefully restore control and forwarding information during the upgrade process, while the bandwidth capacity operates at 50 percent and the data plane converges within sub-seconds. For a hitless software update, the ISSU process requires three sequential upgrade events for an error-free software install on both virtual switch systems. Each upgrade event causes traffic to be re-routed to a redundant MEC path, causing sub-second traffic loss that does not impact realtime network applications such as VoIP.
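As an added example (not Cisco code and not from the guide), the following Python model encodes the five ISSU steps of Figure 2-67 as a state machine, including the roll-over timer that acceptversion stops: if the timer expires before acceptversion, the pair reverts to the old image and the upgrade has to start over. The 45-minute timer default and the fact that the model only notices expiry at the next command are assumptions, noted in the code; a real ISSU rolls back on its own when the timer fires. Times are in minutes and the sequences are constructed.

```python
"""Model of the ISSU command cycle in Figure 2-67 (added example; not Cisco code).
Assumptions: the roll-over (rollback) timer armed by 'issu runversion' defaults to 45
minutes, and its expiry before 'issu acceptversion' returns both supervisors to the old
image. Expiry is checked lazily, at the next command. Times are in minutes."""


class ISSUError(Exception):
    pass


class ISSUCycle:
    ROLLBACK_TIMER = 45  # minutes; assumed default of 'issu set rollback-timer'

    def __init__(self, old="OLD", new="NEW"):
        self.old, self.new = old, new
        self.active, self.standby = old, old   # image running on each supervisor
        self.state = "init"                    # init -> loaded -> running -> accepted -> committed
        self.deadline = None                   # rollback timer expiry, None when not armed
        self.log = []

    def _require(self, *states):
        if self.state not in states:
            raise ISSUError(f"state '{self.state}' does not allow this step (needs one of {states})")

    def _rollback_if_expired(self, now):
        if self.deadline is not None and now >= self.deadline:
            self.active, self.standby, self.state, self.deadline = self.old, self.old, "init", None
            self.log.append((now, "roll-over timer expired; reverted to old image"))
            raise ISSUError("roll-over timer expired before acceptversion; automatic rollback")

    def loadversion(self, now):    # step 1: standby reboots with the new image
        self._require("init")
        self.standby, self.state = self.new, "loaded"
        self.log.append((now, "standby reloaded with new image"))

    def runversion(self, now):     # step 2: switchover; new image active, timer armed
        self._require("loaded")
        self.active, self.standby = self.standby, self.active
        self.deadline, self.state = now + self.ROLLBACK_TIMER, "running"
        self.log.append((now, "switchover; new image active, old image standby"))

    def acceptversion(self, now):  # step 3: acknowledge success, stop the roll-over timer
        self._require("running")
        self._rollback_if_expired(now)
        self.deadline, self.state = None, "accepted"
        self.log.append((now, "accepted; roll-over timer stopped"))

    def commitversion(self, now):  # step 4: reload the supervisor still on the old image
        self._require("running", "accepted")   # commit straight after runversion implies accept
        self._rollback_if_expired(now)
        self.standby, self.deadline, self.state = self.new, None, "committed"
        self.log.append((now, "committed; both supervisors on new image"))

    def abortversion(self, now):   # step 5: operator rollback before commit
        self._require("loaded", "running", "accepted")
        self.active, self.standby, self.state, self.deadline = self.old, self.old, "init", None
        self.log.append((now, "aborted; reverted to old image"))


def happy_path():
    """Constructed sequence: the four forward steps issued well inside the timer."""
    c = ISSUCycle()
    c.loadversion(0)
    c.runversion(10)
    c.acceptversion(15)
    c.commitversion(20)
    return c.active, c.standby, c.state


def forgotten_accept():
    """The failure mode the timer exists for: nobody acknowledges the new image in time."""
    c = ISSUCycle()
    c.loadversion(0)
    c.runversion(10)
    try:
        c.commitversion(10 + ISSUCycle.ROLLBACK_TIMER)   # too late: the timer has fired
    except ISSUError:
        pass
    return c.active, c.standby, c.state


if __name__ == "__main__":
    print(happy_path())        # ('NEW', 'NEW', 'committed')
    print(forgotten_accept())  # ('OLD', 'OLD', 'init')
```

The model enforces the ordering the figure implies (runversion only after loadversion, commit only after the switchover) and makes the cost of skipping acceptversion explicit: the switchover has already happened, so an expired timer means a second switchover back to the old image, with the traffic loss that implies, rather than a quiet no-op.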

Design Strategies for Network Survivability

Network reliability and availability is not a new demand; it is one of the critical integrated components that is well planned during the early network design phase. Network reliability and availability can be simplified using several Cisco high-availability and virtual-system technologies, such as VSS, that offer complete failure transparency to the end users and applications during planned or unplanned network outage conditions. Some of the high-availability techniques can be achieved with the inherent campus network design without making major network changes; however, the critical network systems deployed in the center of the network to provide global connectivity may require additional hardware and software components to offer non-stop communication. To prevent a catastrophic network failure during an unplanned network outage event, it is important to identify network fault domains and define rapid recovery plans to minimize the application impact during minor and major network outage conditions. Each network tier can be classified as a fault domain; deploying redundant components and systems increases redundancy and load sharing capabilities, but it introduces a new set of challenges, namely higher cost and the complexity of managing a greater number of systems. Cisco high-availability technologies can be deployed based on the critical versus non-critical platform role in the network. Minor and major network failure are broad terms that include several types of network faults that must be taken into consideration when implementing a rapid recovery solution. The network survivability strategy can be categorized in the following three major resiliency requirements, which encompass most of the common types of failure conditions. Depending on the network system tier, role and network service type, the appropriate resiliency option must be deployed. See Table 2-11.

Table 2-11 Medium Enterprise Network High Availability Strategy

Platform | Role | Network Resiliency | Device Resiliency | Operational Efficiency
Catalyst 2960-S | Access | EtherChannel (1), UDLD, Dampening | RPS 2300, Cisco FlexStack | FlexStack, NSF-Aware
Catalyst 3560-X, Catalyst 3750-X, Catalyst 3750ME | Access (3560-X, 3750-X), WAN Edge (3750ME) | EtherChannel (1), UDLD, Dampening | Redundant Power Supplies | None. Standalone systems
Catalyst 3750-X | Access, Distribution | EtherChannel (1), UDLD, Dampening | Cisco StackPower, StackWise Plus (2) | StackWise, NSF-Capable and Aware
Catalyst 4500-E | Access, Distribution | EtherChannel (1), UDLD, Dampening | Red. Supervisor modules, Red. Power Supplies, Red. Linecard modules | ISSU, SSO/NSF Capable & Aware
Catalyst 6500-E | Distribution, Core | EtherChannel (1), UDLD, Dampening | VSS (2), Red. Supervisor modules (3), Red. Power Supplies, Red. Linecard modules | eFSU, SSO/NSF Capable & Aware
ASR 1004 | Internet Edge | Dampening | Standalone system, Red. Route Processors (4), Red. Power Supplies | ISSU, SSO/NSF Capable & Aware

1. Redundant uplinks from each 3750-E member switch in the Stack ring and each 6500-E virtual switch in the VSS domain.
2. Redundant power and hardware components from each 3750-E member switch in the Stack ring and each 6500-E virtual switch in the VSS domain.
3. Redundant supervisor per VSS domain (one per virtual-switch node). Starting with 12.2(33)SXI4, it is recommended to deploy a redundant supervisor on each virtual switch in a VSS domain.
4. Software-based SSO redundancy.

Starting 12. EtherChannel or MEC network environments provide significant benefits in such conditions. Redundant power and hardware components from each 3750-E member switch in Stack ring and 6500-E virtual-switch in VSS domain 3. Standalone system 1. Spanning-Tree updates the port-cost and Layer 3 routing protocols like EIGRP updates the composite metric or OSPF may change the interface cost. In Medium Enterprise Design Profile Reference Guide 2-127 . the Layer 2 and Layer 3 protocols dynamically adjusts the metrics of the aggregated port-channel interfaces. Redundant supervisor per VSS Domain (One per virtual-switch node basis). Conversely. Power Supplies ISSU Dampening Red. as network protocol remains unaware of the topology changes and allows the hardware to self-recover from faults. Software based SSO redundancy Implementing Network Resiliency The medium enterprise design guide recommends deploying a mix of hardware and software resiliency designed to address the most common campus LAN network faults and instabilities. EtherChannel / Multi-Chassis EtherChannel In a non-EtherChannel network environment. Redundant uplinks from each 3750-E member switch in Stack ring and 6500-E virtual-switch in VSS domain 2. Route Processors SSO/NSF Capable & Aware ASR 1004 Internet Edge Red. 4. None.2(33)SXI4 it is recommended to deploy redundant supervisor on each virtual-switch in a VSS domain. Implementing a resilient hardware and software design increases network resiliency and maintains the availability of all upper layer network services that are deployed in a medium enterprise campus network design. The design and implementation considerations for deploying diverse physical connectivity across redundant standalone systems and virtual-systems to create a single point-to-point logical EtherChannel is explained in the “Designing EtherChannel Network” section on page 2-41. topology synchronization. 
Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services Table 2-11 Medium Enterprise Network High Availability Strategy (continued) ASR 1006 WAN Edge EtherChannel Red. the network protocol requires fault detection. It is important to analyze the network and the application impacts from a top-down level to adapt and implement the appropriate high availability solution for creating a resilient network. and best-path recomputation to reroute traffic which requires variable time to restart the forwarding traffic. During individual member-link failures. EtherChannel/MEC Network Recovery Analysis The network recovery with EtherChannel and MEC is platform and diverse physical path dependent instead of Layer 2 or Layer 3 network protocol dependent. The medium enterprise campus LAN network design deploys EtherChannel and MEC throughout the network to develop a simplified single point-to-point network topology which does not build any parallel routing paths between any devices at any network tiers. Power Supplies ISSU 4 SSO/NSF Capable & Aware Cisco ISR PSTN Gateway . Hence an EtherChannel and MEC based network provides deterministic sub-second network recovery of minor to major network faults. ESP modules Red. Re-routing traffic over an alternate member-link of EtherChannel or MEC is based on minor system internal EtherChannel hash re-computations instead of an entire network topology re-computation.

the re-computation to select alternate member-links in EtherChannel and MEC becomes locally significant on each end of the impacted EtherChannel neighbors.2 Downstream 0. Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services such events. GBIC failure. etc. However. Catalyst 6500-E VSS MEC Link Recovery Analysis Several types of network faults can trigger link failures in the network (i.5 0.3 0. The network recovery remains consistent and deterministic in all network fault conditions. with the distributed forwarding architecture in virtual-systems like Catalyst 6500-E VSS and Catalyst 3750-X StackWise Plus may require extra computation to select alternate member-link paths through its inter-chassis backplane interface—VSL or StackRing. Figure 2-68 Catalyst 6500-E VSS Inter-Chassis MEC Link Recovery Analysis 0. Medium Enterprise Design Profile Reference Guide 2-128 . Since the network topology remains intact during individual link failures. The centralized forwarding architecture in Catalyst 4500-Es can rapidly detect link failures and reprogram the hardware with new EtherChannel hash results.1 Multicast 0 2960 3560E 3750E 3750 4500E 228987 L2 MEC L3 MEC L2 MEC StackWise L3 MEC L3 MEC The medium enterprise LAN can be designed optimally for deterministic and bidirectional symmetric network recovery for unicast and multicast traffic.Refer to the “Redundant Linecard Network Recovery Analysis” section on page 2-134 for intra-chassis recovery analysis with the same network faults tested in inter-chassis scenarios. The test results in Figure 2-69 confirm the deterministic and consistent network recovery during individual Layer 2/3 EtherChannel member-link failures. Catalyst 4507R-E EtherChannel Link Recovery Analysis In the medium enterprise campus reference design. Such designs still provides deterministic recovery. 
but with an additional delay to recompute a new forwarding path through the remote virtual-switch node. A Cisco Catalyst 4507R-E can only be deployed in standalone mode with in-chassis supervisor and module redundancy. The link failure analysis chart with inter-chassis reroute in Figure 2-68 summarizes several types of faults induced in large scale Cisco lab during developing this validated design guide. the EtherChannel recomputation is fairly easy as the alternate member-link resides within the system. the traffic load balancing and rerouting across different EtherChannel member-links occurs within the local chassis.6 0.e. The Layer 2 or Layer 3 EtherChannel and MEC re-computation is rapid and network scale independent. However.7 0..4 sec Upstream 0. EtherChannel re-computation requires recreating new logical hash table and re-programming the hardware to re-route the traffic over the remaining available paths in the bundled interface. In standalone or non-virtual systems like Catalyst 2960-S or 4500-E. the metric change will require minor update messages in the network and do not require end-to-end topology recomputation that impacts the overall network recovery process. a single Catalyst 4507R-E with redundant hardware components is deployed in the different campus LAN network tiers. fiber pullout.).

Figure 2-69 Catalyst 4507R-E EtherChannel Link Recovery Analysis
(Chart: recovery time in seconds, 0 to 0.5, for Upstream, Downstream, and Multicast traffic, per platform: 2960 L2 MEC, 3560E L3 MEC, 3750E L2 MEC, 3750 StackWise L3 MEC, 4500E L3 MEC.)

Unidirectional Link Detection (UDLD)

UDLD is a Layer 2 protocol that works with the Layer 1 features to determine the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identity of neighbors and shutting down misconnected ports. When auto-negotiation and UDLD are enabled together, the Layer 1 and Layer 2 detection methods work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

Copper media ports use Ethernet link pulses as a link monitoring tool and are not susceptible to unidirectional link problems. However, because one-way communication is possible in fiber-optic environments, mismatched transmit/receive pairs can cause a link up/up condition even though bidirectional upper-layer protocol communication has not been established. When such physical connection errors occur, they can cause loops or traffic black holes. UDLD functions transparently on Layer-2 or Layer-3 physical ports. UDLD operates in one of two modes:

• Normal mode (Recommended)—If bidirectional UDLD protocol state information times out, it is assumed there is no fault in the network, and no further action is taken. The port state for UDLD is marked as undetermined and the port behaves according to its STP state.

• Aggressive mode—If bidirectional UDLD protocol state information times out, UDLD will attempt to reestablish the state of the port if it detects that the link on the port is operational. Failure to reestablish communication with the UDLD neighbor forces the port into the err-disable state, which must be manually recovered by the user, or the switch can be configured for auto recovery within a specified interval of time.

The following illustrates a configuration example to implement the UDLD protocol:

cr22-6500-LB#config t
cr22-6500-LB(config)#interface range gi1/2/3 , gi2/2/3
cr22-6500-LB(config-if-range)#udld port

cr22-6500-LB#show udld neighbors
Port      Device Name    Device ID   Port ID    Neighbor State
-------   -------------  ---------   --------   --------------
Gi1/2/3   FDO1328R0E2    1           Gi1/0/49   Bidirectional
Gi2/2/3   FDO1328R0E2    1           Gi1/0/50   Bidirectional
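The two UDLD modes above, as a small state machine (an added example, not code from the guide or from Cisco). It models one port that expects its own identity echoed back once per UDLD message interval; the three-interval timeout, the eight aggressive-mode probes and the auto-recovery interval are assumptions, not platform defaults.

```python
"""Toy state machine for UDLD normal and aggressive mode.

Added example, not Cisco code. One port hears (or fails to hear) its own
device/port ID echoed back by the neighbor once per message interval.
The constants below are assumptions; check the switch's running config.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MISSED_HELLOS_BEFORE_TIMEOUT = 3   # assumption: hold time = 3 message intervals
AGGRESSIVE_PROBES = 8              # assumption: aggressive mode re-probes 8 times


@dataclass
class UdldPort:
    name: str
    mode: str                                  # "normal" or "aggressive"
    errdisable_recovery: Optional[int] = None  # intervals until auto-recovery; None = manual
    state: str = "bidirectional"
    missed: int = 0
    probes_left: int = 0
    disabled_for: int = 0
    events: List[str] = field(default_factory=list)

    def slot(self, echo_received: bool, link_up: bool = True) -> str:
        """Advance one message interval; return the port's UDLD state."""
        if self.state == "errdisable":
            if self.errdisable_recovery is not None:
                self.disabled_for += 1
                if self.disabled_for >= self.errdisable_recovery:
                    self._log("auto-recovered from err-disable, re-detecting")
                    self.state, self.missed, self.disabled_for = "undetermined", 0, 0
            return self.state

        if echo_received:
            # Our own ID came back from the neighbor: the link is proven two-way.
            if self.state != "bidirectional":
                self._log("bidirectional state re-established")
            self.state, self.missed = "bidirectional", 0
            return self.state

        if self.state == "reestablishing":
            self.probes_left -= 1
            if self.probes_left == 0:
                self._log("no reply to probes: err-disabling port")
                self.state = "errdisable"
            return self.state

        self.missed += 1
        if self.missed < MISSED_HELLOS_BEFORE_TIMEOUT:
            return self.state
        # Bidirectional state information has timed out.
        if self.mode == "normal" or not link_up:
            # Normal mode: assume no fault; the port follows its STP state.
            if self.state != "undetermined":
                self._log("hello timeout: state undetermined, no action taken")
            self.state = "undetermined"
        else:
            # Aggressive mode: the link is physically up, so try to re-establish.
            self._log("hello timeout on live link: sending probes")
            self.state, self.probes_left = "reestablishing", AGGRESSIVE_PROBES
        return self.state

    def _log(self, msg: str) -> None:
        self.events.append(f"{self.name}: {msg}")


def run(mode: str, pattern: List[bool], recovery: Optional[int] = None) -> str:
    """Feed a port one interval per entry (True = echo heard); return the final state."""
    port = UdldPort("Gi1/2/3", mode, recovery)
    for echo in pattern:
        port.slot(echo)
    return port.state


if __name__ == "__main__":
    # Constructed scenario: the receive fiber fails after two good intervals.
    one_way = [True, True] + [False] * 12
    print("normal     ->", run("normal", one_way))      # undetermined
    print("aggressive ->", run("aggressive", one_way))  # errdisable
```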

IP Event Dampening

Unstable physical network connectivity with poor signaling or a loose connection may cause continuous port-flaps. When the medium enterprise network is not deployed using the best practice guidelines to summarize the network boundaries at the aggregation layer, a single interface flap can severely impact the stability and availability of the entire campus network. Route summarization is one technique used to isolate the fault domain and contain local network faults within the domain.

To ensure local network domain stability during port-flaps, all Layer 3 interfaces can be implemented with IP Event Dampening. It uses the same fundamental principles as BGP dampening. Each time the Layer 3 interface flaps, IP dampening tracks and records the flap event. On multiple flaps, a logical penalty is assigned to the port, and link status notifications to IP routing are suppressed until the port becomes stable.

IP Event Dampening is a locally significant function and does not have any signaling mechanism to communicate with remote systems. It can be implemented on each individual physical or logical Layer 3 interface—physical ports, SVIs, or port-channels:

• Layer 3 Port-Channel
cr24-4507e-MB(config)#interface Port-Channel 1
cr24-4507e-MB(config-if)#no switchport
cr24-4507e-MB(config-if)#dampening

• Layer 2 Port-Channel
cr24-4507e-MB(config)#interface Port-Channel 15
cr24-4507e-MB(config-if)#switchport
cr24-4507e-MB(config-if)#dampening

• SVI Interface
cr24-4507e-MB(config)#interface range Vlan101 - 120
cr24-4507e-MB(config-if-range)#dampening

cr24-4507e-MB#show interface dampening
Vlan101
  Flaps Penalty Supp  ReuseTm HalfL ReuseV SuppV MaxSTm MaxP  Restart
  3     0       FALSE 0       5     1000   2000  20     16000 0
…
TenGigabitEthernet3/1 Connected to cr23-VSS-Core
  Flaps Penalty Supp  ReuseTm HalfL ReuseV SuppV MaxSTm MaxP  Restart
  10    0       FALSE 0       5     1000   2000  20     16000 0
…
Port-channel1 Connected to cr23-VSS-Core
  Flaps Penalty Supp  ReuseTm HalfL ReuseV SuppV MaxSTm MaxP  Restart
  3     0       FALSE 0       5     1000   2000  20     16000 0
Port-channel15 Connected to cr24-2960-S-MB
  Flaps Penalty Supp  ReuseTm HalfL ReuseV SuppV MaxSTm MaxP  Restart
  3     0       FALSE 0       5     1000   2000  20     16000 0

Implementing Device Resiliency

Each device in the medium enterprise LAN and WAN network design is connected to a critical system or end-point to provide network connectivity and services for business operations. Like network resiliency, device resiliency solves the problem by integrating redundant hardware components and software based solutions into single standalone or virtual systems. Depending on the platform architecture of the Cisco router or switch deployed in the campus network design, device redundancy is divided into four major categories—Redundant Power Supplies, Redundant Line cards, Redundant Supervisor/RP, and Non-Stop Forwarding (NSF) with Stateful Switchover (SSO).
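A model of the penalty, suppress and reuse behaviour behind the show output above, added here as an example and not part of the guide. The HalfL, ReuseV, SuppV and MaxSTm values are the ones shown on the page; the 1000-point penalty per flap and the decay-at-event evaluation are assumptions taken from the BGP-style dampening the text refers to.

```python
"""Model of IP Event Dampening's exponential flap penalty.

Added example, not Cisco code. Parameters default to the values in the
'show interface dampening' output on this page; the per-flap penalty and
the decay-at-event evaluation are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningParams:
    half_life: float = 5.0           # HalfL: seconds for the penalty to halve
    reuse: int = 1000                # ReuseV: unsuppress once the penalty falls below this
    suppress: int = 2000             # SuppV: suppress once the penalty exceeds this
    max_suppress_time: float = 20.0  # MaxSTm: longest an interface stays suppressed
    penalty_per_flap: int = 1000     # assumption: penalty added on each down transition

    @property
    def max_penalty(self) -> int:
        """MaxP: the ceiling that keeps suppression within MaxSTm."""
        return int(self.reuse * 2 ** (self.max_suppress_time / self.half_life))


class DampenedInterface:
    """Tracks one Layer 3 interface's flap penalty and suppression state."""

    def __init__(self, name: str, params: DampeningParams = DampeningParams()):
        self.name, self.p = name, params
        self.flaps = 0
        self.penalty = 0.0
        self.suppressed = False
        self._last = 0.0

    def _decay(self, now: float) -> None:
        # Exponential decay since the last evaluation, then re-check the reuse limit.
        self.penalty *= 0.5 ** ((now - self._last) / self.p.half_life)
        self._last = now
        if self.suppressed and self.penalty < self.p.reuse:
            self.suppressed = False

    def flap(self, now: float) -> bool:
        """The interface went down at `now`. Returns True if IP routing is notified."""
        self._decay(now)
        self.flaps += 1
        self.penalty = min(self.penalty + self.p.penalty_per_flap, self.p.max_penalty)
        if self.penalty > self.p.suppress:
            self.suppressed = True
        return not self.suppressed

    def is_suppressed(self, now: float) -> bool:
        self._decay(now)
        return self.suppressed

    def seconds_until_reuse(self, now: float) -> float:
        """ReuseTm: time until the penalty decays below ReuseV (0 if not suppressed)."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        return self.p.half_life * math.log2(self.penalty / self.p.reuse)


def simulate(flap_times, check_time, params=DampeningParams()):
    """Return (suppressed at check_time, seconds until reuse) for a flap sequence."""
    intf = DampenedInterface("Port-channel1", params)
    for t in flap_times:
        intf.flap(t)
    return intf.is_suppressed(check_time), round(intf.seconds_until_reuse(check_time), 2)


if __name__ == "__main__":
    # Constructed: three flaps one second apart, then the link stays up.
    print(DampeningParams().max_penalty)   # 16000, the MaxP column above
    print(simulate([0, 1, 2], 2))          # (True, 6.97): suppressed, ~7 s to reuse
    print(simulate([0, 1, 2], 10))         # (False, 0.0): decayed below ReuseV
```

A single flap never suppresses (1000 is below SuppV), which is why the interfaces above can show several flaps yet a zero penalty once they have been stable for a while.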

Redundant Power

To provide non-stop network communication during power outages, critical network devices must be deployed with redundant power supplies. Network administrators must identify the network systems that provide network connectivity and services to mission critical servers. This also includes Layer 1 services like PoE to boot IP Phones and IP Video Surveillance Cameras for campus physical security and communications.

Depending on the Cisco platform design, the in-chassis power redundancy option allows the flexibility to deploy dual power supplies into a single system. With the modular power supply design in the Catalyst 3750-X Series platform, a defective power supply can be swapped without disrupting network operation, while the Cisco Catalyst 3560-X Series switches are designed to increase device resiliency with dual redundant power supplies and fans. The next-generation borderless network ready Cisco Catalyst 3750-X introduces the latest Cisco StackPower innovation, which creates a global pool of power that can provide power load sharing and a redundancy option. Catalyst platforms like the 2960 and 2960-S can be deployed with the Cisco RPS 2300 as an external power redundancy solution. Figure 2-70 provides the complete power redundancy design and solution on the various Cisco Catalyst switching platforms:

Figure 2-70 Power Supply Redundancy Design
(Diagram: Redundant Dual Internal Power Supply on the Catalyst 6509-E and Catalyst 4507R-E; Redundant External Power on the Catalyst 2960-S via the Cisco 2300 RPS and RPS cable; Redundant Power Supply across Catalyst 3750-X master and member switches via StackWise Plus and StackPower cables.)

The following configuration examples provide guidelines to deploy in-chassis and external power redundancy in the Catalyst switching platforms.

Catalyst 3750-X—Cisco StackPower Redundancy

The next-generation Catalyst 3750-X Series platform introduces innovative Cisco StackPower technology to provide a power-redundancy solution for fixed configuration switches. Cisco StackPower unifies the individual power supplies installed in the switches and creates a pool of power, directing that power where it is needed. Up to four switches can be configured in a StackPower stack with the special Cisco proprietary StackPower cable. The StackPower cable is different than the StackWise data cables and is available on all Cisco Catalyst 3750-X models. During an individual power supply fault, the affected switch can regain power from the global power pool to provide seamless operation in the network. All switches in the stack can share power, with the available power going to all powered devices connected to PoE ports.

Cisco StackPower can be deployed in the following two modes:

• Sharing mode—All input power is available to be used for power loads. The total aggregated available power in all switches in the power stack (up to four) is treated as a single large power supply. In this mode, the total available power is used for power budgeting decisions and no power is reserved to accommodate power-supply failures. If a power supply fails, powered devices and switches could be shut down. This is the default mode.

• Redundant mode—The power from the largest power supply in the system is subtracted from the power budget, which reduces the total available power but provides backup power in case of a power-supply failure. Although there is less available power in the pool for switches and powered devices to draw from, the possibility of having to shut down switches or powered devices in case of a power failure or extreme power load is reduced. It is recommended to budget the required power and deploy each Catalyst 3750-X switch in the stack with dual power supplies to meet the need. Additional power resiliency can be added by deploying a dual power supply to back up two devices simultaneously.

Since Cisco StackWise Plus can group up to nine 3750-X Series switches in the stack ring, Cisco StackPower must be deployed with two power stack groups, each accommodating up to four switches. The following sample configuration demonstrates deploying Cisco StackPower redundancy mode and grouping the stack members into a power stack group. To make the new power configuration effective, the network administrator must plan downtime, as all the switches in the stack ring must be reloaded:

cr36-3750X-xSB(config)#stack-power stack PowerStack
cr36-3750X-xSB(config-stackpower)#mode redundant
cr36-3750X-xSB(config)#stack-power switch 1
cr36-3750X-xSB(config-switch-stackpower)#stack-id PowerStack
%The change may not take effect until the entire data stack is reloaded
cr36-3750X-xSB(config)#stack-power switch 2
cr36-3750X-xSB(config-switch-stackpower)#stack-id PowerStack
%The change may not take effect until the entire data stack is reloaded

Catalyst 2960 (External Power Redundancy)

The Cisco Redundant Power Supply (RPS) 2300 can support up to 6 RPS ports to provide seamless power backup to critical access-layer switches in the campus network. Cisco RPS 2300 can be provisioned for the 3750-E or 3560-E series switches through the CLI:

Catalyst 4500-E and 6500-E (In-Chassis Power Redundancy)

The Cisco Catalyst 4500-E and 6500-E Series modular platforms allocate power to several internal hardware components and to external powered devices like IP Phones, Wireless Access Points, etc. All the power allocation is assigned from the internal power supplies. Both power supplies must have sufficient power to allocate power to all the installed modules in order to operate in 1+1 redundant mode. Dual power supplies in these systems can operate in two different modes, as listed below:

• Redundant Mode—By default, power supplies operate in redundant mode, offering a 1+1 redundant option. The system determines the power capacity and the number of power supplies required based on the power allocated to all internal and external power components. Enabling redundant mode offers power redundancy as a backup during a failure of one of the power supply units.

cr24-4507e-LB(config)#power redundancy-mode redundant
cr24-4507e-LB#show power supplies
Power supplies needed by system    :1
Power supplies currently available :2

cr22-vss-core(config)#power redundancy-mode redundant switch 1
cr22-vss-core(config)#power redundancy-mode redundant switch 2
cr2-6500-vss#show power switch 1 | inc Switch|mode
Switch Number: 1
system power redundancy mode = redundant
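A budget check for the StackPower sharing and redundant modes above and for the chassis redundant and combined modes of the Catalyst 4500-E and 6500-E, added here as an example and not code from the guide or from Cisco. The wattages and loads are constructed; the rules are the ones stated in the text (sharing pools every supply, redundant holds back the largest, a chassis is 1+1 redundant only when one supply covers the allocated power).

```python
"""Power-budget check for StackPower stacks and dual-supply chassis.

Added example, not Cisco code. All wattages are constructed for
illustration; take real numbers from the data sheet and 'show power'.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_SWITCHES_PER_POWER_STACK = 4   # stated limit for one StackPower stack


@dataclass(frozen=True)
class StackMember:
    name: str
    supplies_w: Tuple[int, ...]   # installed supplies in this switch (constructed)
    system_w: int                 # the switch's own draw (constructed)
    poe_w: int                    # PoE load of attached phones, cameras, APs (constructed)


def stackpower_available(members: List[StackMember], mode: str) -> int:
    """Usable budget of one StackPower stack in 'sharing' or 'redundant' mode."""
    if not 1 <= len(members) <= MAX_SWITCHES_PER_POWER_STACK:
        raise ValueError("a StackPower stack holds one to four switches")
    supplies = [w for m in members for w in m.supplies_w]
    pool = sum(supplies)
    if mode == "sharing":
        return pool                  # everything is budgeted, nothing held back
    if mode == "redundant":
        return pool - max(supplies)  # the largest supply is reserved as the spare
    raise ValueError(f"unknown StackPower mode: {mode}")


def stackpower_check(members: List[StackMember], mode: str) -> dict:
    """Budget the stack and say whether losing one supply is survivable."""
    supplies = [w for m in members for w in m.supplies_w]
    demand = sum(m.system_w + m.poe_w for m in members)
    available = stackpower_available(members, mode)
    after_worst_failure = sum(supplies) - max(supplies)
    return {
        "mode": mode,
        "available_w": available,
        "demand_w": demand,
        "fits_budget": demand <= available,
        # Sharing mode can fit today and still shed load when a supply fails.
        "survives_supply_failure": demand <= after_worst_failure,
    }


def chassis_power_mode(supply_w: int, allocated_w: int) -> Tuple[str, int]:
    """4500-E/6500-E with two identical supplies: (mode, supplies needed by system)."""
    if allocated_w <= supply_w:
        return "redundant", 1        # 1+1: one supply carries all allocated power
    if allocated_w <= 2 * supply_w:
        return "combined", 2         # both supplies needed, no 1+1 protection
    return "insufficient", 2


if __name__ == "__main__":
    # Constructed four-switch 3750-X stack, two 715 W supplies per switch.
    stack = [StackMember(f"sw{i}", (715, 715), 100, 700) for i in range(1, 5)]
    print(stackpower_check(stack, "redundant"))
    # Constructed: one 350 W supply per switch with PoE load, sharing mode.
    thin = [StackMember(f"sw{i}", (350,), 100, 200) for i in range(1, 5)]
    print(stackpower_check(thin, "sharing"))
    print(chassis_power_mode(4200, 3000))   # ('redundant', 1)
    print(chassis_power_mode(4200, 6000))   # ('combined', 2)
```

The second stack is the case the text warns about: sharing mode reports the budget as met, but a single supply failure leaves less than the demand.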

cr2-6500-vss#show power switch 2 | inc Switch|mode
Switch Number: 2
system power redundancy mode = redundant

• Combined mode—If the system power requirement exceeds the capacity of a single power supply, then the network administrator can utilize both power supplies in combined mode to increase capacity. However, it may not offer 1+1 power redundancy during a primary power supply failure event. The following global configuration enables the power redundancy mode to operate in combined mode:

cr24-4507e-LB(config)#power redundancy-mode combined
cr24-4507-LB#show power supplies
Power supplies needed by system    :2
Power supplies currently available :2

Network Recovery Analysis with Power Redundancy

Each campus LAN router and switch providing critical network services must be protected with either an in-chassis or an external redundant power supply system. This best practice is applicable to both standalone and virtual-system devices. Each physical Catalyst 6500-E chassis in VSS mode at the campus distribution and core layer must be deployed with a redundant in-chassis power supply. The Catalyst 3750-X StackWise Plus must be deployed following the same rule: the master and member switches in the stack ring must be deployed with the external redundant power system. Protecting virtual-systems with redundant power supplies prevents reduced network bandwidth capacity, topology changes, and poor application performance. Note that the network administrator must analyze the required power capacity that will be drawn by the different hardware components (i.e., network modules, PoE+, etc.). Several power failures on power redundant systems were conducted to characterize the overall network and application impact. The lab test results shown in Figure 2-71, performed on all power redundant campus systems, confirm zero packet loss during an individual power supply failure.

Figure 2-71 Redundant Power Analysis
(Chart: packet loss in seconds, 0 to 0.2, for Upstream, Downstream, and Multicast traffic, per platform: 2960 L2 MEC, 3560E L3 MEC, 3750E L2 MEC, 3750 StackWise L3 MEC, 4500E L3 MEC.)

Redundant Linecard Modules

Modular Catalyst platforms support a wide range of linecards for network connectivity to the network core and edge. The high speed core design linecards are equipped with special hardware components to build the campus backbone, whereas the network edge linecards are developed with more intelligence and application awareness. Using internal system protocols, each line card communicates with the centralized control-plane processing supervisor module through the internal backplane. Any type of internal communication failure or protocol malfunction may disrupt the communication between the linecard and the supervisor, which may force the linecard and all the physical ports associated with it to reset in order to resynchronize with the supervisor.

Without linecard redundancy, the campus LAN network may face a complete network outage during a linecard failure, as the linecard can be considered a single point of failure. At the critical large campus LAN core and distribution layer, the network administrator must design the network by diversifying the physical cables across multiple linecard modules. Deploying redundant linecards and diversifying paths across the modules allows for intra-chassis re-route and, more importantly, proper Cisco VSS traffic-engineering prevents traffic routing over the VSL, which may cause network congestion during an individual link or entire high-speed network module failure. Figure 2-72 demonstrates inter-chassis reroute (without linecard redundancy) and intra-chassis re-route (with linecard redundancy).

Figure 2-72 Intra-Chassis versus Inter-Chassis Traffic Re-route
(Diagram: Inter-Chassis Re-Route (Without Linecard Redundancy) versus Intra-Chassis Re-Route (With Linecard Redundancy); SW1 and SW2 joined by the VSL in each case.)

The single standalone Catalyst 4500-E in the distribution or core layer must be deployed with linecard redundancy. A per-system “V”-shaped, full-mesh physical design must have quad paths to address multiple types of faults. When the distribution and core layer Catalyst 4500-E and 6500-E systems are deployed with multiple redundant line cards, Cisco VSS traffic-engineering prevents the VSL reroute that may cause network congestion if there is not sufficient bandwidth to accommodate the rerouted traffic.

Redundant Linecard Network Recovery Analysis

Catalyst 6500-E VSS Linecard Module Recovery Analysis

The distributed forwarding architecture in the Catalyst 6500-E operating in VSS mode is designed with unique traffic-engineering capabilities. The centralized control-plane design on the active virtual-switch node builds Layer 2/3 peerings with the neighboring devices. However, with MEC, both virtual-switch nodes program their local linecard modules to switch egress data plane traffic. This design minimizes data traffic re-routing across the VSL links. Data traffic traverses the VSL links as a “last resort” in hardware if either of the virtual-switch nodes loses a local member-link of the MEC due to a fiber cut or linecard failure. The impact on traffic could be in the sub-second to seconds range and may create congestion on the VSL EtherChannel link if the rerouted traffic exceeds the overall VSL bandwidth capacity. Figure 2-72 provides an example of asymmetric traffic-loss statistics when traffic is rerouted via the remote virtual-switch node across the VSL links. Additionally, traffic loss can be minimized and consistent bi-directional sub-second network recovery can be achieved by deploying redundant network modules on a per virtual-switch node basis. Figure 2-73 illustrates the intra-chassis network recovery analysis, showing symmetric sub-second traffic loss during individual member-link and entire linecard module failures at the campus core and distribution layer.

Figure 2-73 Catalyst 6500-E VSS Intra-Chassis Link and Linecard Module Recovery Analysis
(Chart: recovery time in seconds, 0 to 0.5, for Upstream, Downstream, and Multicast traffic, per platform: 2960 L2 MEC, 3560E L3 MEC, 3750E L2 MEC, 3750 StackWise L3 MEC, 4500E L3 MEC.)

Catalyst 4507R-E Linecard Module Recovery Analysis

The centralized forwarding architecture in a Catalyst 4507R-E programs all the forwarding information on the active and standby supervisor Sup6E or Sup6L-E modules. All the redundant linecards in the chassis are stubs and maintain only the low-level information needed to handle ingress and egress forwarding. During a link or linecard module failure, the new forwarding information gets rapidly reprogrammed on both supervisors in the chassis. However, deploying the EtherChannel utilizing diversified fibers across different linecard modules provides consistent sub-second network recovery during an abnormal failure or the removal of a linecard from the Catalyst 4507R-E chassis. The chart in Figure 2-74 provides the test results conducted by removing a linecard from the Catalyst 4507R-E chassis deployed in the campus network in various roles.

Figure 2-74 Catalyst 4507R-E Linecard Recovery Analysis
(Chart: recovery time in seconds, 0 to 0.4, for Upstream, Downstream, and Multicast traffic, per platform: 2960 L2 MEC, 3560E L3 MEC, 3750E L2 MEC, 3750 StackWise L3 MEC, 4500E L3 MEC.)

Redundant Supervisor

Enterprise-class modular Cisco Catalyst 4500-E and 6500-E platforms support dual redundant supervisor modules to prevent disruption of the network control-plane and topology during abnormal supervisor module failures or when a reset is forced by the administrator. The Cisco Catalyst 4507R-E and 4510R-E Series platforms and all current generation Catalyst 6500-E Series chassis and supervisors support in-chassis redundant supervisor modules. However, with Cisco’s latest Virtual-Switching System (VSS) innovation and the next-generation Sup720-10GE supervisor module, supervisor redundancy can be extended across dual chassis by logically clustering them into one single large virtual-switch. See Figure 2-75.

Figure 2-75 Intra-Chassis versus Inter-Chassis SSO Redundancy

• Intra-Chassis SSO Redundancy

Intra-chassis SSO redundancy in the Catalyst 4500-E switch provides continuous network availability across all the installed modules and the uplink ports from the active and standby supervisor modules. The uplink port remains in operation and in the forwarding state during an active supervisor switchover condition. Thus, it provides full network capacity even during an SSO switchover. A Cisco Catalyst 6500-E deployed in standalone mode also synchronizes all the hardware and software state-machine information in order to provide constant network availability during an intra-chassis supervisor switchover.

• Inter-Chassis SSO Redundancy

The Cisco VSS solution extends supervisor redundancy by synchronizing SSO and all system internal communication over the special VSL EtherChannel interface between the paired virtual systems. The virtual-switch node running in active supervisor mode is forced to reset during the switchover. This may disrupt the network topology if not deployed with the best practices defined in this design guide. The “V”-shaped, distributed, full-mesh fiber paths combined with single point-to-point EtherChannel or MEC links play a vital role during such network events. During the failure, the new active virtual-switch node performs a Layer 3 protocol graceful recovery with its neighbors in order to provide constant network availability over the local interfaces.

Note: VSS does not currently support intra-chassis supervisor redundancy on each individual virtual node.

• Implementing SSO Redundancy

To deploy supervisor redundancy, it is important to remember that both supervisor modules must be identical in type, and all the internal hardware components like memory and bootflash must be the same, to provide complete operational transparency during a failure. The default redundancy mode on the Catalyst 4500-E and Catalyst 6500-E series platforms is SSO; hence no additional configuration is required to enable SSO redundancy. The following sample configuration illustrates how to implement VSS in SSO mode:

cr23-VSS-Core#config t

cr23-VSS-Core(config)#redundancy
cr23-VSS-Core(config-red)#mode sso

cr23-VSS-Core#show switch virtual redundancy
My Switch Id = 1
Peer Switch Id = 2
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Switch 1 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = ACTIVE
<snippet>
Fabric State = ACTIVE
Control Plane State = ACTIVE
Switch 2 Slot 5 Processor Information :
-----------------------------------------------
Current Software state = STANDBY HOT (switchover target)
<snippet>
Fabric State = ACTIVE
Control Plane State = STANDBY

Non-Stop Forwarding (NSF)

When implementing NSF technology in SSO redundancy mode systems, the network disruption remains transparent and seamless availability is provided to the campus users and applications while the control-plane processing module (Supervisor/Route-Processor) gets reset. During a failure, the underlying Layer 3 NSF capable protocols perform graceful network topology re-synchronization, and the preset forwarding information in hardware on the redundant processor or distributed linecards remains intact in order to continue switching network packets. This service availability significantly lowers the Mean Time To Repair (MTTR) and increases the Mean Time Between Failure (MTBF) to achieve the highest level of network availability.

NSF is an integral part of a routing protocol and depends on the following fundamental principles of Layer 3 packet forwarding:

• Cisco Express Forwarding (CEF)—CEF is the primary mechanism used to program the network path into the hardware for packet forwarding. NSF relies on the separation of the control plane update and the forwarding plane information. The control plane is the routing protocol graceful restart, and the forwarding plane switches packets using hardware acceleration where available. CEF enables this separation by programming the hardware with FIB entries in all Catalyst switches. This ability plays a critical role in NSF/SSO failover.

• Routing protocol—The motivation behind NSF is route convergence avoidance. From the protocol operation perspective, this requires the adjacent routers to support a routing protocol with special intelligence that allows a neighbor to be aware that NSF-capable routers can undergo a switchover, so that its peer can continue to forward packets but may bring its adjacency to hold-down (NSF recovery mode) for a brief period and request that routing protocol information be resynchronized.

A router that has the capability for continuous forwarding during a switchover is NSF-capable. Devices that support the routing protocol extensions to the extent that they continue to forward traffic to a restarting router are NSF-aware. A Cisco device that is NSF-capable is also NSF-aware. Table 2-11 describes the Layer 3 NSF-capable and aware platforms deployed in the campus network environment.

The NSF aware function is enabled by default on all Layer 3 platforms. The NSF capability must be manually enabled on each redundant system on a per routing protocol basis. The following configuration illustrates how to enable the NSF capability within EIGRP on each Layer 3 campus LAN/WAN system deployed with redundant supervisors, route-processors, or in virtual-switching modes (i.e., Cisco VSS and StackWise Plus):

! however additional interface to new active chassis retains port-channel in up/up state %EC-SW1_SP-5-UNBUNDLE: Interface TenGigabitEthernet2/1/2 left the port-channel Port-channel100 %EC-SW1_SP-5-UNBUNDLE: Interface TenGigabitEthernet2/1/4 left the port-channel Port-channel100 ! EIGRP protocol completes graceful recovery with new active virtual-switch. In both deployment scenarios. NSF/SSO Recovery Analysis As described in the previous section. the NSF/SSO implementation and its recovery process differs on Catalyst 4507R-E (Intra-Chassis) and Catalyst 6500-E VSS (Inter-Chassis) in the medium enterprise campus LAN network design. Lowering the timer values may abruptly terminate graceful recovery causing network instability.125. changed state to down %LINK-3-UPDOWN: Interface TenGigabitEthernet2/1/4. %DUAL-5-NBRCHANGE: EIGRP-IPv4:(613) 100: Neighbor 10. It is recommended to retain the default route hold timers in the network unless it is observed that NSF recovery takes more than 240 seconds. up to 240 seconds NSF aware system can hold the routing information until routing protocol do not gracefully synchronize routing database.12 (Port-channel100) is resync: peer graceful-restart NSF Timers As depicted in the above show commands. Cisco validated the network recovery and Medium Enterprise Design Profile Reference Guide 2-138 . 
Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services cr23-vss-core(config)#router eigrp 100 cr23-vss-core (config-router)#nsf cr23-vss-core #show ip protocols | inc NSF *** IP Routing is NSF aware *** EIGRP NSF-aware route hold timer is 240 EIGRP NSF enabled NSF signal timer is 20s NSF converge timer is 120s cr23-vss-core #show ip protocols | inc NSF *** IP Routing is NSF aware *** EIGRP NSF-aware route hold timer is 240 Graceful Restart Example The following example demonstrates how the EIGRP protocol will gracefully recover when active supervisor/chassis switchover on a Cisco VSS core system is forced by a reset: • NSF Capable System cr23-VSS-Core#redundancy force-switchover This will reload the active unit and force switchover to standby[confirm]y NSF Aware/Helper System ! VSS active system reset will force all linecards and ports to go down !the following logs confirms connectivity loss to core system %LINK-3-UPDOWN: Interface TenGigabitEthernet2/1/2. 600 seconds after the protocol graceful-recovery starts. The default timer setting is well tuned for a well structured and concise campus LAN network topology. changed state to down ! Downed interfaces are automatically removed from EtherChannel/MEC.0. the NSF route hold-timer expires on the NSF aware system and clears the stale NSF route marking and continues to use the synchronized routing database.
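One way to check an NSF-aware helper's syslog for the graceful-recovery sequence shown above, as an added example that is not part of the Cisco guide: it correlates the EtherChannel unbundle and EIGRP NBRCHANGE messages per port-channel and reports whether the neighbor resynced via graceful restart within the NSF route hold timer. The log lines are constructed from the messages quoted above with timestamps added; a second constructed log shows the non-graceful case where the adjacency times out instead.

```python
"""Correlate an NSF-aware helper's syslog into a graceful-restart verdict per
port-channel. Added example, not part of the Cisco guide; the log lines are
constructed from the messages quoted in the guide, with timestamps added."""
import re
from datetime import datetime

# Constructed: helper switch log during the VSS core force-switchover above.
HELPER_LOG = """\
Jan  5 10:00:00.100: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/1/2, changed state to down
Jan  5 10:00:00.120: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/1/4, changed state to down
Jan  5 10:00:00.300: %EC-SW1_SP-5-UNBUNDLE: Interface TenGigabitEthernet2/1/2 left the port-channel Port-channel100
Jan  5 10:00:00.310: %EC-SW1_SP-5-UNBUNDLE: Interface TenGigabitEthernet2/1/4 left the port-channel Port-channel100
Jan  5 10:00:47.900: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(613) 100: Neighbor 10.125.0.12 (Port-channel100) is resync: peer graceful-restart
"""

# Constructed: the failure case, where no graceful-restart resync arrives and
# the EIGRP hold time expires, tearing the adjacency down.
HELPER_LOG_FAILED = """\
Jan  5 11:00:00.000: %EC-SW1_SP-5-UNBUNDLE: Interface TenGigabitEthernet2/1/2 left the port-channel Port-channel100
Jan  5 11:04:30.000: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(613) 100: Neighbor 10.125.0.12 (Port-channel100) is down: holding time expired
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): (.*)$")
UNBUNDLE_RE = re.compile(r"%EC-\S+-5-UNBUNDLE: Interface (\S+) left the port-channel (\S+)")
NBR_RE = re.compile(r"%DUAL-5-NBRCHANGE: EIGRP-IPv4:\(\d+\) (\d+): Neighbor (\S+) \((\S+)\) is (resync|down): (.*)")


def parse_ts(stamp):
    """IOS timestamp ('Jan  5 10:00:00.100') to datetime; the year is irrelevant for deltas."""
    stamp = " ".join(stamp.split())
    if "." not in stamp:
        stamp += ".0"
    return datetime.strptime(stamp, "%b %d %H:%M:%S.%f")


def assess_nsf_recovery(log_text, hold_timer=240):
    """Return {port-channel: verdict}. 'graceful': the EIGRP neighbor resynced via
    graceful-restart within hold_timer seconds of the first member link leaving the
    bundle; 'late-resync': it resynced after the hold timer; 'adjacency-reset': the
    adjacency was torn down (no NSF); 'no-resync': members were lost and the
    neighbor never came back in this log."""
    first_loss, members, verdicts = {}, {}, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without an IOS timestamp are ignored
        ts, msg = parse_ts(m.group(1)), m.group(2)
        u = UNBUNDLE_RE.search(msg)
        if u:
            iface, pc = u.groups()
            first_loss.setdefault(pc, ts)
            members.setdefault(pc, []).append(iface)
            continue
        n = NBR_RE.search(msg)
        if not n:
            continue  # e.g. %LINK-3-UPDOWN: not needed for the verdict
        asn, peer, pc, state, reason = n.groups()
        elapsed = (ts - first_loss.get(pc, ts)).total_seconds()
        if state == "resync" and "graceful-restart" in reason:
            verdict = "graceful" if elapsed <= hold_timer else "late-resync"
        else:
            verdict = "adjacency-reset"
        verdicts[pc] = {"peer": peer, "as": int(asn), "members_lost": members.get(pc, []),
                        "elapsed_s": elapsed, "verdict": verdict}
    for pc in first_loss:  # members left the bundle but the neighbor never reported back
        verdicts.setdefault(pc, {"peer": None, "as": None, "members_lost": members[pc],
                                 "elapsed_s": None, "verdict": "no-resync"})
    return verdicts


if __name__ == "__main__":
    for name, log in (("graceful", HELPER_LOG), ("failed", HELPER_LOG_FAILED)):
        print(name, assess_nsf_recovery(log))
```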

Catalyst 4507R-E NSF/SSO Recovery Analysis

Figure 2-76 illustrates the intra-chassis NSF/SSO recovery analysis for the Catalyst 4507R-E chassis deployed with Sup6E or Sup6L-E in redundant mode. During the SSO switchover process, the Cisco Catalyst 4507R-E deployed with redundant Sup6E or Sup6L-E retains the operational and forwarding state of the uplink ports and linecard modules in the chassis. With EIGRP NSF/SSO capability, the unicast traffic recovers consistently within 200 msec or less. The Catalyst 4507R-E does not currently support redundancy for Layer 3 multicast routing and forwarding information. Therefore, there may be around 2 seconds of multicast traffic loss, since the switch has to re-establish all the multicast routing and forwarding information during the Sup6E or Sup6L-E switchover event.

Figure 2-76 Catalyst 4507R-E NSF/SSO Recovery Analysis
[Bar chart: packet loss in seconds (0 to 2.5) for upstream, downstream and multicast traffic, per access platform 2960, 3560E, 3750E, 3750 StackWise and 4500E connected over L2 or L3 MEC]

In the remote medium campus, the Catalyst 4507R-E is also deployed as the PIM-SM RP with MSDP Anycast-RP peering to the Cisco VSS core in the main campus location. If a user from the remote medium campus location joins a multicast source in the main campus location, then during a Sup6E switchover there could be around a 3 second multicast packet loss. However, unicast recovery will still remain in the 200 msec or less range in the same scenario.

Catalyst 4507R-E Standby Supervisor Failure and Recovery Analysis

The standby Sup6E or Sup6L-E supervisor remains in redundant mode while the active supervisor is in the operational state. If the standby supervisor gets reset or gets re-inserted, this event will not trigger protocol graceful recovery or any network topology change. The uplink port of the standby supervisor remains in operational and forwarding state, and the network bandwidth capacity remains intact during a standby supervisor removal or insertion event.

Catalyst 6500-E VSS NSF/SSO Recovery Analysis

As described earlier, the entire chassis and all linecard modules installed get reset during an active virtual-switch switchover event. The standby virtual-switch detects the loss of the VSL EtherChannel, transitions to the active role and initializes Layer 3 protocol graceful recovery with the remote devices. With a diverse full-mesh fiber network design, the Layer 2/3 remote device perceives this event as a loss of a member-link, since the alternate link to the standby switch is in an operational and forwarding state. Since there are no major network topology changes and there are member-links still in an operational state, the NSF/SSO recovery in the Catalyst 6500-E VSS system is identical to losing individual links. Additionally, the Cisco Catalyst 6500-E supports Multicast Multilayer Switching (MMLS) NSF with SSO, enabling the system to maintain the multicast forwarding state in PFC3- and DFC3-based hardware during an active virtual-switch reset. The new active virtual-switch reestablishes PIM adjacency while continuing to switch multicast traffic based on pre-switchover programmed information. See Figure 2-77.

Figure 2-77 Catalyst 6500-E VSS NSF/SSO Recovery Analysis
[Bar chart: packet loss in seconds (0 to 0.3) for upstream, downstream and multicast traffic, per access platform 2960, 3560E, 3750E, 3750 StackWise and 4500E connected over L2 or L3 MEC]

Catalyst 6500-E VSS Standby Failure and Recovery Analysis

The network impact during a VSS standby failure is similar to a failure of a VSS active virtual-switch node. Each MEC neighbor loses its physical path to the standby switch and re-routes traffic to the remaining MEC member-links connected to the active virtual-switch node. The primary difference with a standby virtual-switch failure is that it does not trigger a Layer 3 protocol graceful recovery, since the active virtual-switch is in an operational state. The VSS standby virtual-switch failure triggers a bidirectional sub-second loss, as illustrated in Figure 2-77.

Since VSS is developed with the distributed forwarding architecture, it can create certain race conditions during a standby re-initialization state, because the virtual-switch receives traffic from the network while it is not fully ready to switch the traffic. The amount and the direction of traffic loss depend on multiple factors: VSL interface, ingress and egress module type, boot-up ordering, etc. When the upstream device is a Catalyst 6500-E deployed in standalone mode, Cisco recommends configuring the port-channel load-defer command under the port-channel to prevent the traffic loss during the standby initialization state. It is possible to configure the same command under the MEC interface when the upstream device is a Catalyst 6500-E deployed in VSS mode instead of standalone. Cisco recommends not configuring the port-channel load-defer command under the MEC, as it will create an adverse impact on the downstream unicast and multicast traffic:

• The port-channel load-defer command is primarily developed for Catalyst 6500-E based standalone systems and does not have much effect when the campus upstream device type is a Catalyst 6500-E deployed in VSS mode.

• There is no software restriction on turning on the feature on VSS systems. However, depending on the network scale size, it may create an adverse impact on downstream multicast traffic. With the default multicast replication configuration, the MEC may drop multicast traffic until the defer timer expires (120 second default timer).

• Modifying the default (egress) multicast mode to the ingress replication mode may resolve the multicast traffic loss problem. However, it may degrade performance and scalability.

Implementing Operational Resiliency

Path redundancy is often used to facilitate access during periods of maintenance activity, but single standalone systems that are single points of failure sometimes exist, or the network design simply does not allow for access if a critical node is taken out of service. Therefore, the user may experience traffic loss for a long period of time. Leveraging enterprise-class high availability features like NSF/SSO in the distribution and core layer Catalyst 4500-E and 6500-E Series platforms supports ISSU to enable real-time network upgrade capability. Using ISSU and eFSU technology, the network administrator can upgrade the Cisco IOS software to implement new features, software bug fixes or critical security fixes in real time.

Catalyst 4500-E ISSU Software Design and Upgrade Process

Figure 2-78 Catalyst 4500-E ISSU Software Upgrade Process

ISSU Software Upgrade Pre-Requisite

ISSU Compatibility Matrix

When a redundant Catalyst 4500-E system is brought up with a different Cisco IOS software version, the ISSU stored compatibility matrix information is analyzed internally to determine interoperability between the software running on the active and standby supervisors. ISSU provides SSO compatibility between several versions of software releases shipped during an 18 month period. Refer to the following URL for additional ISSU pre-requisites: http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/53SG/configuration/issu.html#wp1072849

ISSU is supported on Catalyst 4500-E Sup6E and Sup6L-E supervisors running the Cisco IOS Enterprise feature set. Prior to upgrading the software, the network administrator must verify ISSU software compatibility with the following command. Incompatible software may cause the standby supervisor to boot in RPR mode, which may result in a network outage:

cr24-4507e-MB#show issu comp-matrix stored
Number of Matrices in Table = 1
My Image ver: 12.2(53)SG
Peer Version    Compatibility
-------------   -------------
12.2(44)SG      Base(2)
12.2(46)SG      Base(2)
12.2(44)SG1     Base(2)
…

Managing System Parameters

Software

Prior to starting the software upgrade process, it is recommended to copy the old and new Cisco IOS software on the Catalyst 4500-E active and standby supervisors into the local file systems—Bootflash or Compact Flash.

cr24-4507e-MB#dir slot0:
Directory of slot0:/
1 -rw-  25442405  Nov 23 2009 17:53:48 -05:00  cat4500e-entservicesk9-mz.122-53.SG1  ← new image
2 -rw-  25443451  Aug 22 2009 13:22:00 -04:00  cat4500e-entservicesk9-mz.122-53.SG   ← old image

cr24-4507e-MB#dir slaveslot0:
Directory of slaveslot0:/
1 -rw-  25443451  Aug 22 2009 13:26:52 -04:00  cat4500e-entservicesk9-mz.122-53.SG   ← old image
2 -rw-  25442405  Nov 23 2009 17:56:46 -05:00  cat4500e-entservicesk9-mz.122-53.SG1  ← new image

Configuration

It is recommended to save the running configuration to NVRAM and to other local or remote locations, such as bootflash or a TFTP server, prior to upgrading the IOS software.

Boot Variable and String

The system default boot variable is to boot from the local file system. Make sure the default setting is not changed and the configuration register is set to 0x2102. Modify the boot string to point to the new image, so that the system boots the new IOS software version after the next reset triggered during the ISSU upgrade process.

Catalyst 4500-E ISSU Software Upgrade Procedure

This subsection provides the real-time software upgrade procedure for a Catalyst 4500-E deployed in the medium enterprise campus LAN network design in several different roles—access, distribution, collapsed core, core, and Metro Ethernet WAN edge. In the following sample output, Sup6E supervisors are installed in Slot3 and Slot4 respectively. The Slot3 supervisor is in the SSO Active role and the Slot4 supervisor is in the Standby role. Both supervisors are running the identical 12.2(53)SG Cisco IOS software version and are fully synchronized with SSO.

cr24-4507e-MB#show module | inc Chassis|Sup|12.2
Chassis Type : WS-C4507R-E
!Common Supervisor Module Type
3     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXQ3
4     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXRQ
!Common operating system version
3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG   Ok
4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG   Ok
!SSO Synchronized
3  Active Supervisor   SSO  Active
4  Standby Supervisor  SSO  Standby hot

The following provides the step-by-step procedure to upgrade from Cisco IOS Release 12.2(53)SG to 12.2(53)SG1 without causing network topology and forwarding disruption. Each upgrade step can be aborted at any stage by issuing the issu abortversion command if the software detects any failure.

• ISSU loadversion—This first step directs the active supervisor to initialize the ISSU software upgrade process. After issuing the command below, the active supervisor ensures the new IOS software is present on both supervisors' file systems and performs several additional checks on the standby supervisor for the graceful software upgrade process. ISSU changes the boot variable to the new IOS software version if no errors are found and resets the standby supervisor module.

cr24-4507e-MB#issu loadversion 3 slot0:cat4500e-entservicesk9-mz.122-53.SG1 4 slaveslot0:cat4500e-entservicesk9-mz.122-53.SG1
%RF-5-RF_RELOAD: Peer reload. Reason: ISSU Loadversion

Note: Resetting the standby supervisor will not trigger a network protocol graceful recovery, and all standby supervisor uplink ports will remain in operational and forwarding state for the transparent upgrade process.

With the broad range of ISSU version compatibility to form SSO communication, the standby supervisor successfully boots up again in its original standby state, as shown in the following output:

cr24-4507e-MB#show module | inc Chassis|Sup|12.2
Chassis Type : WS-C4507R-E
! Common Supervisor Module Type
3     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXQ3
4     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXRQ
! Mismatch operating system version
3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG   Ok
4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
!SSO Synchronized
3  Active Supervisor   SSO  Active
4  Standby Supervisor  SSO  Standby hot

This boot-up process forces the active supervisor to re-synchronize all SSO redundancy and checkpoints, the VLAN database and forwarding information with the standby supervisor, and notifies the user to proceed with the next ISSU step.

%C4K_REDUNDANCY-5-CONFIGSYNC: The config-reg has been successfully synchronized to the standby supervisor
%C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has been successfully synchronized to the standby supervisor
%C4K_REDUNDANCY-5-CONFIGSYNC: The private-config has been successfully synchronized to the standby supervisor
%C4K_REDUNDANCY-5-CONFIGSYNC_RATELIMIT: The vlan database has been successfully synchronized to the standby supervisor
%ISSU_PROCESS-7-DEBUG: Peer state is [ STANDBY HOT ]; Please issue the runversion command

• ISSU runversion—After performing several steps to assure the newly loaded software is stable on the standby supervisor, the network administrator must proceed to the second step. During the entire software upgrade procedure, this is the only step that performs SSO-based network graceful recovery.

cr24-4507e-MB#issu runversion 4
This command will reload the Active unit. Proceed ? [confirm]y
%RF-5-RF_RELOAD: Self reload. Reason: Admin ISSU runversion CLI
%SYS-5-RELOAD: Reload requested by console. Reload reason: Admin ISSU runversion

This step forces the current active supervisor to reset itself, which triggers network protocol graceful recovery with peer devices; however, the uplink ports of the active supervisor remain intact and the data plane remains unimpacted during the switchover process. From the overall network perspective, the active supervisor reset caused by the issu runversion command is no different from similar switchover procedures (i.e., administrator-forced switchover or supervisor online insertion and removal). The following syslogs on various Layer 3 systems confirm stable EIGRP graceful recovery with the new supervisor running the new Cisco IOS software version.

• NSF-Aware Core
cr23-VSS-Core#
%DUAL-5-NBRCHANGE: EIGRP-IPv4:(415) 100: Neighbor 10.125.0.15 (Port-channel102) is resync: peer graceful-restart

• NSF-Aware Layer 3 Access
cr24-3560-MB#
%DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 10.125.0.10 (Port-channel1) is resync: peer graceful-restart

The previously active supervisor module boots up in the standby role with the older IOS software version instead of the new IOS software version.

cr24-4507e-MB#show module | inc Chassis|Sup|12.2
Chassis Type : WS-C4507R-E
! Common Supervisor Module Type
3     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXQ3
4     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXRQ
! Mismatch operating system version
3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG   Ok
4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
!SSO Synchronized
3  Active Supervisor   SSO  Standby hot
4  Standby Supervisor  SSO  Active

This safeguarded software design provides an opportunity to roll back to the previous IOS software if the system upgrade causes any type of network abnormality. At this stage, ISSU automatically starts internal rollback timers to re-install the old IOS image. The default rollback timer is up to 45 minutes, which gives a network administrator an opportunity to perform several sanity checks. In small to mid-size network designs, the default timer may be sufficient. However, for large networks, network administrators may want to adjust the timer up to 2 hours:

cr24-4507e-MB#show issu rollback-timer
Rollback Process State = In progress
Configured Rollback Time = 45:00
Automatic Rollback Time = 19:51

The system notifies the network administrator with the following syslog to instruct them to move to the next ISSU upgrade step if no stability issues are observed and all the network services are operating as expected.

%ISSU_PROCESS-7-DEBUG: Peer state is [ STANDBY HOT ]; Please issue the acceptversion command

• ISSU acceptversion—This step provides confirmation from the network administrator that the system and network are stable after the IOS install and that they are ready to accept the new IOS software on the standby supervisor. This step stops the rollback timer and instructs the network administrator to issue the final commit command. However, it does not perform any additional steps to install the new software on the standby supervisor.

cr24-4507e-MB#issu acceptversion 4
% Rollback timer stopped. Please issue the commitversion command.

cr24-4507e-MB#show issu rollback-timer
Rollback Process State = Not in progress
Configured Rollback Time = 45:00

cr24-4507e-MB#show module | inc Chassis|Sup|12.2
Chassis Type : WS-C4507R-E
! Common Supervisor Module Type
3     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXQ3
4     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXRQ
! Mismatch operating system version
3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG   Ok
4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
!SSO Synchronized
3  Active Supervisor   SSO  Standby hot
4  Standby Supervisor  SSO  Active

• ISSU commitversion—This final ISSU step forces the active supervisor to synchronize its configuration with the standby supervisor and forces it to reboot with the new IOS software. This stage concludes the ISSU upgrade procedure, and the new IOS version is permanently committed on both supervisor modules. If for some reason the network administrator wants to roll back to the older image, it is recommended to perform an ISSU-based downgrade procedure to retain the network operational state without any downtime planning.

cr24-4507e-MB#issu commitversion 3
Building configuration...
Compressed configuration from 24970 bytes to 10848 bytes[OK]
%C4K_REDUNDANCY-5-CONFIGSYNC: The private-config has been successfully synchronized to the standby supervisor
%RF-5-RF_RELOAD: Peer reload. Reason: ISSU Commitversion

cr24-4507e-MB#show module | inc Chassis|Sup|12.2
Chassis Type : WS-C4507R-E
! Common Supervisor Module Type
3     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXQ3
4     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXRQ
! Common new operating system version
3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
!SSO Synchronized
3  Active Supervisor   SSO  Standby hot
4  Standby Supervisor  SSO  Active
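To automate the checks the procedure above relies on, here is an added example (not Cisco's code) that parses the show issu comp-matrix stored and show module output quoted in this procedure: it confirms the target image is listed with Base compatibility, and that both supervisors are SSO-synchronized (one Active, one Standby hot, never RPR) and run the image combination expected after each ISSU step. The sample outputs are constructed from the guide's output; the 12.2(53)SG1 matrix row is a constructed stand-in for the rows the guide elides.

```python
"""Verify Catalyst 4500-E ISSU preconditions and per-step supervisor state from
CLI output. Added example, not Cisco's code; the samples are constructed from the
'show issu comp-matrix stored' and 'show module | inc Chassis|Sup|12.2' output
quoted in the guide."""
import re

COMP_MATRIX = """\
Number of Matrices in Table = 1
My Image ver: 12.2(53)SG
Peer Version    Compatibility
-------------   -------------
12.2(44)SG      Base(2)
12.2(46)SG      Base(2)
12.2(44)SG1     Base(2)
12.2(53)SG1     Base(2)
"""  # last row constructed; the guide elides the rest of the table with '...'

SHOW_MODULE_AFTER_LOADVERSION = """\
Chassis Type : WS-C4507R-E
 3     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXQ3
 4     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)       WS-X45-SUP6-E      JAE1132SXRQ
 3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG   Ok
 4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
 3  Active Supervisor   SSO  Active
 4  Standby Supervisor  SSO  Standby hot
"""

SHOW_MODULE_AFTER_RUNVERSION = """\
 3  0021.d8f5.45c0 to 0021.d8f5.45c5  0.4  12.2(33r)SG(  12.2(53)SG   Ok
 4  0021.d8f5.45c6 to 0021.d8f5.45cb  0.4  12.2(33r)SG(  12.2(53)SG1  Ok
 3  Active Supervisor   SSO  Standby hot
 4  Standby Supervisor  SSO  Active
"""

MY_VER_RE = re.compile(r"^My Image ver:\s*(\S+)")
MATRIX_ROW_RE = re.compile(r"^\s*(\d+\.\d+\(\d+\)\S*)\s+(\S+)\s*$")
# slot, MAC range, hw rev, rommon, IOS version, status
VERSION_ROW_RE = re.compile(r"^\s*(\d+)\s+[0-9a-f.]+ to [0-9a-f.]+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*$")
ROLE_ROW_RE = re.compile(r"^\s*(\d+)\s+(?:Active|Standby) Supervisor\s+SSO\s+(.+?)\s*$")


def parse_comp_matrix(text):
    """Return (running version, {peer version: compatibility string})."""
    my_ver, peers = None, {}
    for line in text.splitlines():
        m = MY_VER_RE.match(line)
        if m:
            my_ver = m.group(1)
            continue
        m = MATRIX_ROW_RE.match(line)
        if m:
            peers[m.group(1)] = m.group(2)
    return my_ver, peers


def is_issu_compatible(matrix_text, target_version):
    """Safe only when the target is listed with Base compatibility; an unlisted or
    Incomp entry means the standby may come up in RPR mode (conservative choice)."""
    return parse_comp_matrix(matrix_text)[1].get(target_version, "").startswith("Base")


def parse_show_module(text):
    """Return {slot: {'version': ..., 'status': ..., 'role': ...}} for each supervisor."""
    sups = {}
    for line in text.splitlines():
        m = VERSION_ROW_RE.match(line)
        if m:
            sups.setdefault(int(m.group(1)), {}).update(version=m.group(2), status=m.group(3))
            continue
        m = ROLE_ROW_RE.match(line)
        if m:
            sups.setdefault(int(m.group(1)), {})["role"] = m.group(2)
    return sups


# ISSU step just completed -> (image on the Active supervisor, image on the standby)
EXPECTED = {
    "loadversion": ("old", "new"),
    "runversion": ("new", "old"),
    "acceptversion": ("new", "old"),
    "commitversion": ("new", "new"),
}


def check_issu_step(step, show_module_text, old, new):
    """Return (ok, findings). ok only if every supervisor is Ok, exactly one is
    Active and one is 'Standby hot' (SSO, not RPR), and the images match step."""
    sups = parse_show_module(show_module_text)
    findings = [f"slot {s}: status {i.get('status')}" for s, i in sups.items() if i.get("status") != "Ok"]
    active = [s for s, i in sups.items() if i.get("role") == "Active"]
    standby = [s for s, i in sups.items() if i.get("role") == "Standby hot"]
    if len(active) != 1 or len(standby) != 1:
        findings.append("not SSO-synchronized: roles %s" % {s: i.get("role") for s, i in sups.items()})
        return False, findings
    image = {"old": old, "new": new}
    for slot, want in ((active[0], EXPECTED[step][0]), (standby[0], EXPECTED[step][1])):
        have = sups[slot].get("version")
        if have != image[want]:
            findings.append(f"slot {slot}: runs {have}, expected {image[want]} after {step}")
    return not findings, findings


if __name__ == "__main__":
    print(is_issu_compatible(COMP_MATRIX, "12.2(53)SG1"))
    print(check_issu_step("loadversion", SHOW_MODULE_AFTER_LOADVERSION, "12.2(53)SG", "12.2(53)SG1"))
```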

Catalyst 6500-E VSS eFSU Software Design and Upgrade Process

Cisco Catalyst VSS was introduced in the initial IOS Release 12.2(33)SXH, which supported Fast Software Upgrade (FSU). In the initial introduction, it had limited high-availability consideration for upgrading the IOS software release. The ISSU mismatched software version compatibility was not supported by the FSU infrastructure, which could cause network downtime. This may not be a desirable solution when deploying the Catalyst 6500-E in the critical aggregation or core network tier. Starting with IOS Release 12.2(33)SXI, the Catalyst 6500-E supports true hitless IOS software upgrade in standalone and virtual-switch network designs. Enhanced Fast Software Upgrade (eFSU) made it completely ISSU infrastructure compliant and enhances the software and hardware design to retain its functional state during the graceful upgrade process. eFSU is supported on the Catalyst 6500-E Sup720-10GE supervisor module running a Cisco IOS release with the Enterprise feature set.

Figure 2-79 Catalyst 6500-E VSS eFSU Software Upgrade Process

Since eFSU in the Catalyst 6500-E system is built on the ISSU infrastructure, most of the eFSU pre-requisites and IOS upgrade procedures remain consistent with those explained in the previous subsection. As described earlier, the Cisco VSS technology enables inter-chassis SSO communication between two virtual-switch nodes. In addition, with MEC and the distributed forwarding architecture, the forwarding plane is in an active state on both virtual-switch nodes. However, while the software upgrade procedure for inter-chassis eFSU upgrades is similar, the network operation differs slightly compared to ISSU implemented on an intra-chassis based SSO design.

Catalyst 6500-E eFSU Software Upgrade Procedure

This subsection provides the software upgrade procedure for Catalyst 6500-Es deployed in VSS mode in the medium enterprise campus LAN network design. In the following sample output, a VSS-capable Sup720-10G supervisor module is installed in Slot5 of virtual-switch SW1 and SW2 respectively. The virtual-switch SW1 supervisor is in the SSO Active role and the SW2 supervisor is in the Standby hot role. Both supervisors are running the identical Cisco IOS Release 12.2(33)SXI2a software version and are fully synchronized with SSO.

cr23-VSS-Core#show switch virtual redundancy | inc Mode|Switch|Image|Control
! VSS switch node with control-plane ownership
My Switch Id = 1
Peer Switch Id = 2
! SSO Synchronized
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
! Common operating system version
Switch 1 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
Control Plane State = ACTIVE
Switch 2 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
Control Plane State = STANDBY

The following provides a step-by-step procedure to upgrade from Cisco IOS Release 12.2(33)SXI2a to 12.2(33)SXI3 without causing network topology and forwarding disruption. Each upgrade step can be aborted at any stage by issuing the issu abortversion command if the software detects any failures.

• ISSU loadversion—This first step directs the active virtual-switch node to initialize the ISSU software upgrade process. After issuing the command below, the active virtual-switch ensures the new IOS software is present on both supervisors' file systems and performs several additional checks on the standby supervisor on the remote virtual-switch for the graceful software upgrade process. ISSU changes the boot variable to the new IOS software version if no error is found and resets the standby virtual-switch and its installed modules.

cr23-VSS-Core#issu loadversion 1/5 disk0:s72033-adventerprisek9_wan-mz.122-33.SXI3 2/5 slavedisk0:s72033-adventerprisek9_wan-mz.122-33.SXI3
%RF-SW1_SP-5-RF_RELOAD: Peer reload. Reason: ISSU Loadversion
%SYS-SW2_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit).

Note: Resetting the standby virtual-switch node will not trigger the network protocol graceful recovery process and will not reset the linecards on the active virtual-switch. It will remain in operational and forwarding state for the transparent upgrade process.

With the broad range of ISSU version compatibility to form SSO communication, the standby supervisor successfully boots up again in its original standby state, as shown in the following output:

cr23-VSS-Core#show switch virtual redundancy | inc Mode|Switch|Image|Control
! VSS switch node with control-plane ownership
My Switch Id = 1
Peer Switch Id = 2
! SSO Synchronized
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
! Mismatch operating system version
Switch 1 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
Control Plane State = ACTIVE
Switch 2 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2)
Control Plane State = STANDBY

To rejoin the virtual-switch domain, both nodes reestablish the VSL EtherChannel communication and force the active supervisor to resynchronize all SSO redundancy and checkpoints, the VLAN database and forwarding information with the standby virtual-switch, and the network administrator is notified to proceed with the next ISSU step.

%HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded
%PFREDUN-SW2_SPSTBY-6-STANDBY: Ready for SSO mode
%ISSU_PROCESS-SW1_SP-7-DEBUG: Peer state is [ STANDBY HOT ]; Please issue the runversion command

• ISSU runversion—After performing several steps to assure the newly loaded software is stable on the standby virtual-switch, the network administrator is now ready to proceed to the runversion step. In the entire eFSU software upgrade procedure, this is the only time that the systems perform an SSO-based network graceful recovery.

cr23-VSS-Core#issu runversion 2/5
This command will reload the Active unit. Proceed ? [confirm]y
%issu runversion initiated successfully
%RF-SW1_SP-5-RF_RELOAD: Self reload. Reason: Admin ISSU runversion CLI

This step forces the current active virtual-switch (SW1) to reset itself, which triggers network protocol graceful recovery with peer devices; however, the linecards on the current standby virtual-switch (SW2) remain intact and the data plane traffic continues to get switched during the switchover process. From the network perspective, the effects of the active supervisor resetting during the ISSU runversion step are no different from the normal switchover procedure (i.e., administrator-forced switchover or supervisor online insertion and removal). The following syslogs confirm stable EIGRP graceful recovery on the virtual-switch running the new Cisco IOS software version.

NSF-Aware Distribution
cr24-4507e-MB#
%DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 10.125.0.14 (Port-channel1) is resync: peer graceful-restart

After re-negotiating and establishing the VSL EtherChannel link and going through the VSLP protocol negotiation process, the rebooted virtual-switch module boots up in the standby role with the older IOS software version instead of the new IOS software version.

cr23-VSS-Core#show switch virtual redundancy | inc Mode|Switch|Image|Control
! VSS switch node with control-plane ownership changed to SW2
My Switch Id = 2
Peer Switch Id = 1
! SSO Synchronized
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
! Mismatch operating system version
Switch 2 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2)
Control Plane State = ACTIVE
Switch 1 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
Control Plane State = STANDBY

Like the intra-chassis ISSU implementation, eFSU also provides a safeguarded software design for additional network stability and the opportunity to roll back to the previous IOS software if the system upgrade causes any type of network abnormality. At this stage, ISSU automatically starts internal rollback timers to re-install the old IOS image if there are any problems. The default rollback timer is up to 45 minutes, which gives the network administrator an opportunity to perform several sanity checks. In small to mid-size network designs, the default timer may be sufficient. However, for large networks, the network administrator may want to adjust the timer up to 2 hours:

cr23-VSS-Core#show issu rollback-timer
Rollback Process State = In progress

%ISSU_PROCESS-SW2_SP-7-DEBUG: Peer state is [ STANDBY HOT ]; Please issue the acceptversion command

• ISSU acceptversion—This eFSU step provides confirmation from the network administrator regarding the system and network stability after installing the new software, and confirms they are ready to accept the new IOS software on the standby supervisor.

cr23-VSS-Core#issu acceptversion 2/5
% Rollback timer stopped. Please issue the commitversion command.

cr23-VSS-Core#show issu rollback-timer
Rollback Process State = Not in progress
Configured Rollback Time = 00:45:00

cr23-VSS-Core#show switch virtual redundancy | inc Mode|Switch|Image|Control
! VSS switch node with control-plane ownership changed to SW2
My Switch Id = 2
Peer Switch Id = 1
! SSO Synchronized
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
! Mismatch operating system version
Switch 2 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.
s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), RELEASE SOFTWARE (fc2)
Control Plane State = STANDBY

• ISSU commitversion—The final eFSU step forces the active virtual-switch to synchronize the configuration with the standby supervisor and forces it to reboot with the new IOS software. If for some reason the network administrator needs to roll back to the older image,

cr23-VSS-Core#issu commitversion 1/5
Building configuration...
[OK]
%RF-SW2_SP-5-RF_RELOAD: Peer reload.
- From Active Switch (Reload peer unit).
%issu commitversion executed successfully

cr23-VSS-Core#show switch virtual redundancy | inc Mode|Switch|Image|Control
! VSS switch node with control-plane ownership
My Switch Id = 2
Peer Switch Id = 1
! SSO Synchronized
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
! Common operating system version
Switch 2 Slot 5 Processor Information :
This step stops the rollback timer and instructs the network administrator to continue to the final commit state. This stage concludes the eFSU upgrade procedure and the new IOS version is permanently committed on both virtual-switches. RELEASE SOFTWARE (fc2) Control Plane State = ACTIVE Switch 1 Slot 5 Processor Information : Image Version = Cisco IOS Software. Reason: Proxy request to reload peer %SYS-SW1_SPSTBY-5-RELOAD: Reload requested .2(33)SXI3.2(33)SXI2a.. then it is recommended to perform the eFSU-based downgrade procedure to maintain the network operational state without any downtime planning. Version 12.Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Deploying Medium Enterprise Network Foundation Services Configured Rollback Time = 00:45:00 Automatic Rollback Time = 00:36:08 The system will notify the network administrator with following syslog to continue to the next ISSU upgrade step if no stability issues are observed and all the network services are operating as expected. it does not perform any additional steps to install the new software on standby supervisor.

Version 12. s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M). operational efficiencies. Medium Enterprise Design Profile Reference Guide 2-150 . Version 12. key network foundation services such as routing. multicast. s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M). as well as where to apply these models within the various locations of a medium enterprise network. virtual learning environments. This chapter reviews the two LAN design models recommended by Cisco. QoS. and high availability best practices are given for the entire medium enterprise design. RELEASE SOFTWARE (fc2) Control Plane State = STANDBY Summary Designing the LAN network aspects for the medium enterprise network design establishes the foundation for all other aspects within the service fabric (WAN. security. and UC) as well as laying the foundation to provide safety and security. Chapter 2 Medium Enterprise Design Profile (MEDP)—LAN Design Summary Image Version = Cisco IOS Software. and secure classrooms. Finally. switching.2(33)SXI3. mobility. Each of the layers is discussed and design guidance is provided on where to place and how to deploy these layers. RELEASE SOFTWARE (fc2) Control Plane State = ACTIVE Switch 1 Slot 5 Processor Information : Image Version = Cisco IOS Software.2(33)SXI3.
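As an added check for the eFSU procedure above (this is example code, not part of the original guide): the filtered show switch virtual redundancy output is parsed and the pair is classified as ready for acceptversion, fully committed, or to be held because SSO or the expected active/standby split is missing. The sample output is constructed to match the state shown after runversion; the function names are assumptions.

```python
"""Classify a VSS pair's eFSU state from 'show switch virtual redundancy' output."""
import re
from typing import Dict, Optional

# Constructed sample, mirroring the output shown after the runversion step:
# SW2 is active on the new image, SW1 is standby on the old image.
SAMPLE_AFTER_RUNVERSION = """\
My Switch Id = 2
Peer Switch Id = 1
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Switch 2 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2)
Control Plane State = ACTIVE
Switch 1 Slot 5 Processor Information :
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
Control Plane State = STANDBY
"""


def parse_vss_redundancy(output: str) -> Dict:
    """Return the operating redundancy mode and, per switch id, image version and control-plane state."""
    info: Dict = {"operating_mode": None, "switches": {}}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Operating Redundancy Mode = (\S+)", line)
        if m:
            info["operating_mode"] = m.group(1).lower()
            continue
        m = re.match(r"Switch (\d+) Slot \d+ Processor Information", line)
        if m:
            current = m.group(1)
            info["switches"][current] = {"version": None, "state": None}
            continue
        if current is None:
            continue
        # The IOS version sits after the last ", Version " token on the Image Version line.
        m = re.search(r", Version ([^,]+),", line)
        if line.startswith("Image Version") and m:
            info["switches"][current]["version"] = m.group(1).strip()
        m = re.match(r"Control Plane State = (\S+)", line)
        if m:
            info["switches"][current]["state"] = m.group(1).upper()
    return info


def issu_readiness(output: str, target_version: str) -> str:
    """'accept' when the new image is active under SSO and the standby still holds the old
    image; 'committed' once both switches run the target; otherwise 'hold'."""
    info = parse_vss_redundancy(output)
    switches = info["switches"]
    if info["operating_mode"] != "sso" or len(switches) != 2:
        return "hold"  # RPR or a missing peer leaves no graceful fallback
    active = [s for s in switches.values() if s["state"] == "ACTIVE"]
    standby = [s for s in switches.values() if s["state"] == "STANDBY"]
    if len(active) != 1 or len(standby) != 1:
        return "hold"
    if active[0]["version"] != target_version:
        return "hold"  # the new image is not the one in control yet
    if standby[0]["version"] == target_version:
        return "committed"
    return "accept"
```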

CHAPTER 3 Medium Enterprise Design Profile (MEDP)—WAN Design

WAN Design

The Medium Enterprise WAN Design Profile is a multi-site design where a site consists of multiple buildings and services. The sites are interconnected through various WAN transports as shown in Figure 3-1.

Figure 3-1 Medium Enterprise WAN Design Diagram (main site edge with private WAN, Internet and PSTN connectivity to the remote large, medium and small sites)

Within the Medium Enterprise Design Profile, the service fabric network provides the foundation on which all the solutions and services are built to solve the business challenges. This service fabric consists of four distinct components as shown in Figure 3-2.

Figure 3-2 The Service Fabric Design Model (Unified Communications, Mobility, Security, Local Area Network (LAN), Wide Area Network (WAN))

This chapter discusses the WAN design component of the Medium Enterprise Design Profile. The WAN design is highly critical to provide network access for remote sites to the main site, as well as connectivity to other networks, and general Internet access for the entire enterprise. Moreover, it is important for communication to exist between the employees, customers, and partners. This communication could be with voice, video, or data applications, and the video applications may possess flavors ranging from desktop video to real-time video. Therefore, highly resilient and highly performing WAN designs are required. The WAN design should not be viewed merely for providing access, but mainly to see how the business requirements can be met. This section discusses how the WAN design is planned for medium enterprises, the assumptions made, the platforms chosen, and the justification for choosing a platform.

The main components of the Medium Enterprise Design Profile for WAN architecture are as follows:
• WAN transport
• WAN devices
• Network Foundation services—Routing, QoS, and multicast

WAN Transport

This section discusses the different WAN transports present in the Medium Enterprise Design Profile.

Private WAN Service

The Medium Enterprise Design Profile consists of several locations. These locations have similar architecture as the main site. However, these sites need to collaborate with each other to meet the business objectives. To provide this collaborative environment, a WAN network that can support the following requirements is needed:
• High performance
• Support different classes of traffic
• Native routing
• Multicast capability
• Security

To support these requirements, enterprises need to have a private WAN service to provide connectivity between remote sites and the main site. See Figure 3-3.

Figure 3-3 Medium Enterprise Connectivity to Other Remote Sites Using Private WAN

Internet Service

The physical connection for reaching the Internet and the private WAN network is the same. Therefore, it is similar to a situation where a customer is connected to different service providers; however, both circuits are logically separated using different subinterfaces. See Figure 3-4.

Figure 3-4 Medium Enterprise Internet Service

Metro Service

Metro Ethernet is one of the fastest growing WAN transport technologies in the telecommunications industry. The advantages of using this WAN transport are as follows:
• Scalability and reachability
  – The services offered would scale from 1Mbps to 10Gbps, and beyond in granular increments, which makes this transport highly scalable.
  – Service providers worldwide are migrating their networks to provide metro services; thereby, it is available at a large number of places.
• Performance, QoS, and suitability for convergence
  – Inherently, Ethernet networks require less processing to operate and manage and operate at higher bandwidth than other technologies.
  – The granular options in bandwidth and the ability to provide different SLAs based on voice, video, and data applications provide QoS service to customers.

  – Low latency and delay variation make it the best solution for video, voice, and data.
• Expediting and enabling new applications
  – Accelerates implementations with reduced resources for overburdened IT departments.
  – Enables new applications requiring high bandwidth and low latency that were previously not possible or prohibited by high cost.
• Cost savings
  – Metro Ethernet brings the cost model of Ethernet to the WAN.

There are two popular methods of service for Metro Ethernet:
1. E-Line, which is also known as Ethernet Virtual Private Line (EVPL), provides a point-to-point service. EVPL, like Frame Relay, provides for multiplexing multiple point-to-point connections over a single physical link. In the case of Frame Relay, the access link is a serial interface to a Frame Relay switch with individual data-link connection identifiers (DLCIs) identifying the multiple virtual circuits or connections. In the case of EVPL, the physical link is Ethernet, typically FastEthernet or Gigabit Ethernet, and the multiple circuits are identified as VLANs by way of an 802.1q trunk.
2. E-LAN, which provides multipoint or any-to-any connectivity, also known as Virtual Private LAN Services (VPLS), provides any-to-any connectivity within the Metro area. It passes 802.1q trunks across the SP network, known as Q-in-Q, which allows flexibility.

Figure 3-5 shows the difference between these services.

Figure 3-5 Different Services Available (E-LAN and E-Line)

This section discusses how the Metro service is designed in the Medium Enterprise Design Profile. The Metro service is used to provide connectivity between the remote sites and the main site. The key reasons for recommending Metro service for the Medium Enterprise are as follows:
• Centralized administration and management—E-Line service provides point-to-point connectivity, whereas E-LAN provides point-to-multipoint connectivity. Having point-to-point connectivity mandates that all the remote sites need to traverse the main site to reach each other, making centralized administration applicable. Therefore, in this design, it is recommended that the large and medium remote site locations use E-Line service to connect to the main site.
• Performance—Since all the application services are centrally located at the main site, the WAN bandwidth required from the remote sites to the main site should be at least 100 Mbps. The Metro transport can provide 100Mbps, and more if needed in the future.

Figure 3-6 shows how the remote site locations are connected to the main site using Metro service.

Figure 3-6 The Metro Transport Deployment in Medium Enterprise WAN Design (main site ASR 1006 over SONET/SDH and Metro to the Cisco 3750 Metro Switch at the large site, the Cisco 4800 Switch at the medium site, and the Cisco 3800 Router at the small site)

Leased-Line Service

The WAN bandwidth requirement for a small remote site is assumed to be 20Mbps. Cisco recommends that the small remote site connect to the main site using a private leased-line service. The leased-line service is more readily available for these types of locations and the bandwidth is sufficient for the small remote site application requirements.

WAN Aggregation Platform Selection in the Medium Enterprise Design Profile

In addition to selecting the WAN service for connectivity between remote site locations and access to the Internet, choosing the appropriate WAN aggregation router is essential. For each location in the Medium Enterprise Design Profile, various WAN aggregation platforms are selected based on the requirements.

Main Site WAN Aggregation Platform Selection

A WAN aggregation router aggregates all the incoming WAN circuits from various locations in the network as well as the Internet, and also provides the proper QoS required for application delivery. In the Medium Enterprise Design Profile, there are two places where the WAN aggregation occurs in the main site location. The first place is where the main site location connects to the outside world using private WAN and Internet networks. The second place is where all the remote sites connect to the main site. Figure 3-7 shows the two different WAN aggregation devices. Cisco recommends the Cisco ASR family of routers as the WAN aggregation platform for the main site location. The Cisco ASR 1000 Series Router family consists of three different models:
• The Cisco ASR 1002 Router is a 3-SPA, 2-rack-unit (RU) chassis with one Embedded Services Processor (ESP) slot that comes with an integrated Router Processor (RP), an integrated Cisco ASR 1000 Series Shared Port Adapter Interface Processor (SIP), and four integrated Gigabit Ethernet ports.
• The Cisco ASR 1004 Router is an 8-SPA, 4-RU chassis with one ESP slot, one RP slot, and two SIP slots.
• The Cisco ASR 1006 Router is a 12-SPA, 6-RU, hardware redundant chassis with two ESP slots, two RP slots and three SIP slots.

Figure 3-7 The WAN Aggregation Points in Medium Enterprise WAN Design (WAN Aggregation 1 at the main site edge toward the private WAN and Internet; WAN Aggregation 2 toward the remote large, medium and small sites)

WAN Aggregation 1

A Cisco ASR 1004 Series router is recommended as the WAN aggregation platform for private WAN/Internet connectivity. This choice was made considering the cost and required features—performance, routing, QoS, and resiliency—that are essential requirements for a WAN aggregation router. Moreover, this platform contains built-in resiliency capabilities such as ISSU and IOS-based redundancy.

WAN Aggregation 2

The second WAN aggregation device provides connectivity from the large and medium remote sites to the main site. To perform this aggregation, the Cisco ASR 1006 router with redundant route processors and redundant ESPs has been recommended for the following reasons:
• Performance—Up to 20 Gbps throughput
• Port density—Up to 12 shared port adapters (SPAs), the highest port density solution of the three Cisco ASR 1000 routers
• Resiliency—The Cisco ASR 1006 router supports hardware redundancy and in-service software upgrades (ISSU). This chassis supports dual route processors and dual ESP modules to provide the hardware redundancy.

Large Remote Site WAN Aggregation Platform Selection

The WAN connectivity between the large remote site and the main site is fairly simple because of the lack of requirements for advanced encryption technologies. Therefore, the main purpose is to reduce the cost and try to consolidate the WAN functionality into the distribution device at the large site. However, as per the site LAN design document, at the large remote site VSS has been chosen as the technology on the distribution switch, and VSS does not support WAN functionality. Therefore, a dedicated WAN aggregation device is needed to perform that functionality, which can be an ASR, a 7200, or the Cisco Catalyst 3750 ME. Out of these choices, considering the cost/performance criteria, the Cisco 3750ME switch was selected to perform the WAN aggregation. The Cisco 3750 Metro switch has the following features/capabilities to adequately meet the requirements:
• Hierarchical QoS
• Routing support: OSPF, EIGRP, and BGP
• Multicast support: PIM
• Redundant power supply

Medium Remote Site WAN Aggregation Platform Selection

As discussed in Chapter 2, “Medium Enterprise Design Profile (MEDP)—LAN Design,” the medium remote site collapses the WAN edge and core-layer LAN functionality into a single switch to provide cost effectiveness to meet the budget needs for this size location. The remote medium site is connected to the main site location through Metro service. At the remote medium site, the Cisco Catalyst 4500 Series switch has been chosen to perform the dual functionality as WAN router, in addition to its role as core-layer LAN switch. This switch has the necessary features to perform as a WAN router. Moreover, this router also supports the EtherChannel load balancing feature. For this design, the WAN and LAN aggregation platform is the Cisco Catalyst 4507 switch. However, if there is the need for advanced WAN features such as MPLS, a Cisco ISR Series router or upgrading to the Cisco Catalyst 6500 series could be explored as an option.

Small Remote Site WAN Aggregation Platform Selection

The small remote site is connected to the main site using a private leased-line service. The WAN speed between the small remote site and the main site location is assumed to be around 20Mbps, and this service is provided by a traditional leased line. Since it is a leased-line circuit, WAN devices such as the Cisco 3750 Metro or 4507 switch cannot be used. Therefore, an integrated services router is needed to meet the requirement. For this reason, the Cisco 3845 Series router is chosen as the WAN platform for the small remote site. The main advantages of using the Cisco 3845 Series router are as follows:
• Enhanced Network Module Slot
• Support for over 90 existing and new modules
• Voice Features: Analog and digital voice call support and optional voice mail support
• Support for the majority of existing AIMs, NMs, WICs, VWICs, and VICs
• Integrated GE ports with copper and fiber support

Implementation of WAN Reference Design

The following section discusses the implementation details for the Medium Enterprise Design Profile. The major components of the implementation are the following:
• WAN infrastructure design
• Routing
• QoS
• Resiliency
• Multicast

WAN Infrastructure Design

As explained in the design considerations, the Medium Enterprise Design Profile uses two different services to connect the remote site locations to the main site location. The large remote site and medium remote site connect to the main site using Metro Ethernet services. The large remote site, due to its size, is recommended to have 1Gbps Metro service to the main site, whereas the small remote site location is recommended to have at least 20Mbps of bandwidth to the main site. The small remote site uses a leased-line service to connect to the main site location. The following section provides the configuration details of all the WAN devices needed to establish the WAN connectivity.

Configuration of WAN Interfaces at WAN Aggregation Router 2

The following is the configuration of the WAN interfaces on WAN aggregation router 2, which aggregates all the connections from the remote site locations to the main site:

    interface GigabitEthernet0/2/0
     description Connected to cr11-3750ME-RLC
     ip address 10.126.0.1 255.255.255.254
    !
    interface GigabitEthernet0/2/1
     description Connected to cr11-4507-RMC
     dampening
     no ip address
     load-interval 30
     carrier-delay msec 0

     negotiation auto
     cdp enable
     service-policy output PARENT_POLICY
     hold-queue 2000 in
     hold-queue 2000 out
    !
    interface GigabitEthernet0/2/1.102
     encapsulation dot1Q 102
     ip address 10.126.0.3 255.255.255.254
     load-interval 30
     carrier-delay msec 0

Configuration of WAN Interface at 3750 Large Remote Site

The following is the configuration of the WAN interface at the 3750 large remote site switch, which is connected to the main site:

    interface GigabitEthernet1/1/1
     description Connected to cr11-ASR-WE
     no switchport
     dampening
     ip address 10.126.0.0 255.255.255.254

Configuration of WAN Interface at 4500 Medium Remote Site

The following is the configuration of the WAN interface at the medium remote site connected to the main site:

    interface GigabitEthernet4/1
     description link connected to cr13-6500-pe2 gi3/2
     switchport trunk native vlan 802
     switchport trunk allowed vlan 102
     switchport mode trunk
     logging event link-status
     load-interval 30
     carrier-delay msec 0
     no cdp enable
     spanning-tree portfast trunk
     spanning-tree guard root
    !
    interface Vlan102
     description Connected to cr11-ASR-WE
     dampening
     ip address 10.126.0.2 255.255.255.254

Leased-Line Service

The WAN bandwidth requirement for a small remote site is assumed to be 20Mbps. Cisco recommends that the small remote site connect to the main site using a private leased-line service. The leased-line service is more readily available for these types of locations and the bandwidth is sufficient for the small remote site application requirements. To implement this design, a serial SPA is needed on the ASR 1006 WAN aggregation router at the main site, and this SPA needs to be enabled for the T3 interface type. The configuration below illustrates how to enable and configure the T3 interface. The following configuration steps are needed to build the leased-line service between the main site and the small remote site:

Step 1 Enable the T3 interface on the SPA on the ASR1006:

    card type t3 0 3

Step 2 Configure the WAN interface:

    interface Serial0/3/0
     dampening
     ip address 10.126.0.5 255.255.255.254
     load-interval 30
     carrier-delay msec 0
     dsu bandwidth 44210

Configuration of WAN Interface at Small Remote Site Location

The following is the configuration of the WAN interface at the small remote site location:

    interface Serial2/0
     dampening
     ip address 10.126.0.4 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
     ip pim sparse-mode
     service-policy output RSC_PARENT_POLICY
     ip summary-address eigrp 100 10.124.0.0 255.255.0.0 5
     load-interval 30
     carrier-delay msec 0
     dsu bandwidth 44210

Routing Design

This section discusses how routing is designed and implemented in the Medium Enterprise Design Profile. As indicated in the WAN transport design, the Medium Enterprise Design Profile has multiple transports—Private WAN, Internet, Metro Service, and leased-line services. Internet service helps the medium enterprise reach the Internet. The private network provides access to reach other remote sites globally. Metro/leased-line service helps connect the remote site locations to the main site. To provide connectivity using these transport services, two distinct routing domains have been designed: external and internal. The external routing domain is where the medium enterprise connects with external autonomous systems, and the internal routing domain is where the entire routing domain is within a single autonomous system. The following section discusses the external routing domain design and the internal routing domain design.

External Routing Domain

As indicated above, the external routing domain connects with different service providers, which interface with both the Private WAN and the Internet service. This is applicable only to WAN aggregation router 1, because it is the only router which interfaces with the external domain. The main design considerations for routing on the Internet/private WAN edge router are as follows:
• Scale up to a large number of routes
• Support for multi-homing—connection to different service providers
• Ability to implement complex policies—Have separate policies for incoming and outgoing traffic

To meet the above requirements, BGP is chosen as the routing protocol for the following reasons:
• Scalability—BGP is far superior when the number of routing table entries is quite large.
• Complex policies—An IGP protocol is better in environments where the neighbors are trusted, whereas when dealing with different service providers, complex policies are needed to deal with incoming and outgoing entries. BGP supports having different policies for incoming and outgoing prefixes.

Figure 3-8 shows the BGP design.

Figure 3-8 BGP Design in Medium Enterprise (the Medium Enterprise site network in AS 65011, the private WAN in AS 30000, and the Internet in AS 30001)

For more information on designing and configuring BGP on the Internet border router, refer to the SAFE Reference Design at the following link: http://www.cisco.com/en/US/netsol/ns954/index.html#~five

Internal Routing Domain

EIGRP is chosen as the routing protocol for designing the internal routing domain, which is basically connecting all the devices in the site network. EIGRP is a balanced hybrid routing protocol that builds neighbor adjacency and a flat routing topology on a per autonomous-system (AS) basis. The Medium Enterprise Design Profile network infrastructure must be deployed in the recommended EIGRP protocol design to secure, simplify, and optimize the network performance. It is important to design the EIGRP routing domain in the site infrastructure with all the design principles defined earlier in this section. Figure 3-9 depicts the design of EIGRP for the internal network.

Figure 3-9 EIGRP Design Diagram (EIGRP AS 100 spanning the main site ASR 1006 and the Cisco 3750 Metro Switch at the large site, the Cisco 4800 Switch at the medium site, and the Cisco 3800 Router at the small site)

EIGRP Configuration on WAN Aggregation Router 2 – ASR1006

EIGRP is used on the following links:
1. The Port-channel link, which is the link between the ASR1006 router and the core
2. The 1Gbps Metro link to the large remote site location
3. The 100Mbps Metro link to the medium remote site location
4. The 20Mbps leased-line service to the small remote site location

Step 1 Configure the neighbor authentication on the interface links:

    interface Port-channel1
     ip address 10.125.0.23 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
    !
    interface GigabitEthernet0/2/0
     description Connected to cr11-3750ME-RLC
     ip address 10.126.0.1 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
    !

    interface GigabitEthernet0/2/1
     description Connected to cr11-4507-RMC
     dampening
     no ip address
     load-interval 30
     carrier-delay msec 0
     negotiation auto
     cdp enable
     hold-queue 2000 in
     hold-queue 2000 out
    !
    interface GigabitEthernet0/2/1.102
     encapsulation dot1Q 102
     ip address 10.126.0.3 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
    !
    interface Serial0/3/0
     dampening
     ip address 10.126.0.5 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key

Step 2 Configure the summarization on the member links:

    interface Port-channel1
     ip address 10.125.0.23 255.255.255.254
     ip summary-address eigrp 100 10.126.0.0 255.255.0.0 5
    !
    interface GigabitEthernet0/2/0
     description Connected to cr11-3750ME-RLC
     ip address 10.126.0.1 255.255.255.254
     ip summary-address eigrp 100 10.125.0.0 255.255.0.0 5
    !
    interface GigabitEthernet0/2/1
     description Connected to cr11-4507-RMC
    !
    interface GigabitEthernet0/2/1.102
     encapsulation dot1Q 102
     ip address 10.126.0.3 255.255.255.254
     ip summary-address eigrp 100 10.125.0.0 255.255.0.0 5
    !
    interface Serial0/3/0
     ip address 10.126.0.5 255.255.255.254
     ip summary-address eigrp 100 10.125.0.0 255.255.0.0 5

Step 3 Configure the EIGRP routing process:

    router eigrp 100
     network 10.0.0.0
     eigrp router-id 10.x.x.24
     ! octets marked x are unreadable in the source
     no auto-summary
     passive-interface default
     no passive-interface GigabitEthernet0/2/0
     no passive-interface GigabitEthernet0/2/1.102
     no passive-interface Serial0/3/0
     no passive-interface Port-channel1
     nsf

The ASR1006 router is enabled with the nonstop forwarding feature. The following command is used to verify the status:

    cr11-asr-we#show ip protocols

    *** IP Routing is NSF aware ***

    Routing Protocol is "eigrp 100"
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      Default networks flagged in outgoing updates
      Default networks accepted from incoming updates
      EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
      EIGRP maximum hopcount 100
      EIGRP maximum metric variance 1
      Redistributing: eigrp 100
      EIGRP NSF-aware route hold timer is 240s
      EIGRP NSF enabled
         NSF signal timer is 20s
         NSF converge timer is 120s
         Time since last restart is 2w1d
      Automatic network summarization is not in effect
      Address Summarization:
        10.126.0.0/16 for Port-channel1
        10.125.0.0/16 for GigabitEthernet0/2/0, GigabitEthernet0/2/1.102, Serial0/3/0
          Summarizing with metric 2816
      Maximum path: 4
      Routing for Networks:
        10.0.0.0
      Passive Interface(s):
        GigabitEthernet0/2/1
        GigabitEthernet0/2/2
        GigabitEthernet0/2/3
        GigabitEthernet0/2/4
        Serial0/3/1
        Group-Async0
        Loopback0
        Tunnel0
      Routing Information Sources:
        Gateway         Distance      Last Update
        (this router)         90      2w1d
        10.125.0.22           90      1d17h
        10.126.0.4            90      1d17h
        10.126.0.0            90      1d17h
        10.126.0.2            90      1d17h
      Distance: internal 90 external 170
    cr11-asr-we#

EIGRP Configuration on 3750 Large Remote Site Switch

The EIGRP configuration at the 3750 large remote site has similar steps to the main site.

Step 1 Enable authentication on the link:

    interface GigabitEthernet1/1/1
     description Connected to cr11-ASR-WE
     no switchport
     dampening
     ip address 10.126.0.0 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key

255.255 nsf ! EIGRP Configuration at 3800 Small Remote Site Router Step 1 Configure link authentication: interface Serial2/0 dampening ip address 10.255.126.255.0.123.0.0.0.0.255.1 ! EIGRP Configuration at 4750 Medium Site Switch Step 1 Enable authentication on the WAN link: interface Vlan102 description Connected to cr11-ASR-WE dampening ip address 10.1 network 10.200.2 255.0 255.126.0.255.123.4 255.1 0.200.255.0 Step 3 Configure EIGRP routing process: router eigrp 100 network 10.0.0 0.255.0 passive-interface default no passive-interface Port-channel1 no passive-interface GigabitEthernet1/1/1 eigrp router-id 10.98. Chapter 3 Medium Enterprise Design Profile (MEDP)—WAN Design WAN Design no passive-interface GigabitEthernet1/1/1 eigrp router-id 10.1 Step 2 Configure summarization on the link: interface GigabitEthernet1/1/1 description Connected to cr11-ASR-WE no switchport dampening ip address 10.123.0 255.0.0 0.254 ip authentication mode eigrp 100 md5 ip authentication key-chain eigrp 100 eigrp-key Medium Enterprise Design Profile Reference Guide 3-18 .122.0 network 10.0.254 ip authentication mode eigrp 100 md5 ip authentication key-chain eigrp 100 eigrp-key Step2) Enable summarization on the WAN links interface Vlan102 ip summary-address eigrp 100 10.0 255.0.0.0.0.254 ip summary-address eigrp 100 10.122.126.0.0 5 load-interval 30 carrier-delay msec 0 Step 2 Enable EIGRP routing process: router eigrp 100 passive-interface default no passive-interface Vlan102 no auto-summary eigrp router-id 10.0.126.0.200.255 network 10.255.255.255.122.
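Every WAN link in the EIGRP configurations above carries the same pair of lines, `ip authentication mode eigrp 100 md5` and `ip authentication key-chain eigrp 100 eigrp-key`. A link that is left out of that pattern still forms an adjacency if it is not passive; it simply forms it unauthenticated, and a key-chain binding without the mode line does not enforce anything. The following script is an added example, not part of the Cisco guide and not a Cisco tool: it parses a saved running-config and lists every non-passive EIGRP interface that lacks the complete pair. The configuration it audits is constructed for the example (the interface names follow the guide, the two incomplete interfaces are deliberate), and the function names `parse_blocks`, `active_interfaces` and `audit_eigrp_auth` are chosen here.

```python
"""Audit a saved IOS configuration for EIGRP authentication coverage.

Added example, not part of the Cisco design guide. It reads the interface
and `router eigrp` blocks of a running-config and reports every interface
that can form EIGRP adjacencies (i.e. is not passive) but does not carry
both `ip authentication mode eigrp <AS> md5` and a key-chain binding.
SAMPLE_CONFIG is constructed for this example.
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/2/0
 description Connected to cr11-3750ME-RLC
 ip address 10.126.0.1 255.255.255.254
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 eigrp-key
!
interface GigabitEthernet0/2/1.102
 encapsulation dot1Q 102
 ip address 10.126.0.3 255.255.255.254
 ip authentication key-chain eigrp 100 eigrp-key
!
interface Serial0/3/0
 ip address 10.126.0.5 255.255.255.254
!
interface Loopback0
 ip address 10.126.255.1 255.255.255.255
!
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/2/0
 no passive-interface GigabitEthernet0/2/1.102
 no passive-interface Serial0/3/0
 nsf
"""


def parse_blocks(config):
    """Split an IOS config into {interface: [lines]} and {asn: [lines]}."""
    interfaces, eigrp, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command opens a new block
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(m.group(1), [])
            m = re.match(r"router eigrp (\d+)$", line)
            if m:
                current = eigrp.setdefault(int(m.group(1)), [])
        elif current is not None:                # indented line belongs to the open block
            current.append(line.strip())
    return interfaces, eigrp


def active_interfaces(eigrp_lines, interfaces):
    """Interfaces on which the process sends hellos and forms neighbours.

    With `passive-interface default` only interfaces named in
    `no passive-interface` are active; without it every interface is
    active unless listed in `passive-interface <name>`.
    """
    default_passive = "passive-interface default" in eigrp_lines
    no_passive = {l.split()[-1] for l in eigrp_lines if l.startswith("no passive-interface ")}
    passive = {l.split()[-1] for l in eigrp_lines
               if l.startswith("passive-interface ") and l != "passive-interface default"}
    if default_passive:
        return sorted(no_passive & set(interfaces))
    return sorted(set(interfaces) - passive)


def audit_eigrp_auth(config):
    """Return {asn: {interface: finding}} for active interfaces lacking MD5 authentication."""
    interfaces, eigrp = parse_blocks(config)
    findings = {}
    for asn, lines in eigrp.items():
        for iface in active_interfaces(lines, interfaces):
            cfg = interfaces[iface]
            has_mode = f"ip authentication mode eigrp {asn} md5" in cfg
            has_chain = any(l.startswith(f"ip authentication key-chain eigrp {asn} ") for l in cfg)
            if has_mode and has_chain:
                continue                         # compliant: both halves present
            if has_chain and not has_mode:
                reason = "key-chain bound but no authentication mode: authentication not enforced"
            elif has_mode and not has_chain:
                reason = "md5 mode set but no key-chain bound: incomplete configuration"
            else:
                reason = "no EIGRP authentication configured"
            findings.setdefault(asn, {})[iface] = reason
    return findings


if __name__ == "__main__":
    for asn, per_iface in audit_eigrp_auth(SAMPLE_CONFIG).items():
        for iface, reason in per_iface.items():
            print(f"eigrp {asn}: {iface}: {reason}")
```

Run against the constructed config, the script flags GigabitEthernet0/2/1.102 (key-chain without mode) and Serial0/3/0 (no authentication at all); Loopback0 is passive and is not reported. Against a real device, feed it the output of `show running-config` saved to a file.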

Step 2 Configure summarization:

    interface Serial2/0
     dampening
     ip summary-address eigrp 100 10.124.0.0 255.255.0.0 5
     load-interval 30
     carrier-delay msec 0
     dsu bandwidth 44210

Step 3 Configure the EIGRP process:

    router eigrp 100
     network 10.0.0.0 0.255.255.255
     no auto-summary
    !

To obtain more information about EIGRP design, refer to the “Designing an End-to-End EIGRP Routing Network” section on page 2-52.

QoS

QoS is a part of foundation services, and it plays a large role in determining the performance of applications. Traditional applications such as voice, video, and data, together with newer applications such as broadcast video, real-time video, video surveillance, and many others, have all converged onto IP networks. Each of these applications requires different performance characteristics from the network. For example, voice applications need constant, low bandwidth and low delay; data applications may need only high throughput but are tolerant of delay and loss. To cater to these performance characteristics, it is important to have a good QoS policy that accommodates these applications. Cisco IOS has several robust QoS tools, such as classification and marking, policing, shaping, queuing, WRED, and many others, that act on the traffic characteristics. Before discussing the QoS design, the following subsection provides a brief introduction to these characteristics.

Traffic Characteristics

The main traffic characteristics are bandwidth, delay, loss, and jitter.

• Bandwidth—Lack of proper bandwidth can prevent applications from performing well. The bandwidth constraint arises from the difference between the bandwidth available on the LAN and on the WAN. As shown in Figure 3-10, the bandwidth of the WAN transport dictates the amount of traffic received at each remote site. Applications are constrained by the amount of WAN bandwidth, which can result in poor performance for delay-sensitive applications like voice and video. This problem would be exacerbated if there were more centralized applications.

Figure 3-10 Bandwidth Constraint Due to Difference in Speeds

• Jitter—Occurs when there are bandwidth mismatches between the sender and receiver. This may occur because there is a significant difference between LAN speeds and WAN speeds.

• Loss—Occurs when the queues become full and there is not enough bandwidth to send the packets. On WAN links, congestion can occur when there are speed mismatches.

• Delay—Is an important characteristic, which is very critical to application performance. For a properly designed voice network, the one-way delay must be less than 150 msec.

Cisco QoS tools help to optimize these characteristics so that voice, video, and data application performance is optimized. To prevent the problems above from occurring, the following two major tools can be used:

• Low-Latency Queuing (LLQ), which is used for the highest-priority traffic (voice/video).
• Class-Based Weighted Fair Queuing (CBWFQ), which can be used to guarantee bandwidth to data applications.

QoS Design for WAN Devices

For any application, regardless of whether it is video, voice, or data, QoS must always be considered in the design choice. Regardless of the WAN transport chosen, QoS design is the most significant factor in determining the success of the network deployment. There are many benefits in deploying a consistent, coherent QoS scheme across all network layers. It not only helps to optimize network performance, it also helps to mitigate network attacks and manage control plane traffic. Therefore, when the platforms are selected at each network layer, the traffic characteristics discussed above need to be fully understood before making any decisions on the WAN transport or the platforms needed to deploy these services. Voice applications have a constant and low bandwidth requirement, whereas video applications have variable bandwidth requirements. Voice and video applications are both highly delay- and drop-sensitive; the difference lies in the bandwidth requirement.

The general guidelines for WAN edge device considerations are as follows:

• For WAN speeds between 1 Mbps and 100 Mbps, use hierarchical policies for sub-line-rate Ethernet connections to provide shaping and CBWFQ/LLQ.
• For WAN speeds between 100 Mbps and 10 Gbps, use the ASR 1000 with QFP, or hardware queuing via the Cisco Catalyst 3750-Metro and 6500/7600 WAN modules.

When designing QoS for the WAN architecture, there are two main considerations to start with:

• Whether the service provider will provide four classes of traffic
• Whether the service provider will provide only one class of traffic

This document assumes that the service provider will support at least 4 classes of traffic, such as REAL_TIME, GOLD, SILVER, and DEFAULT. The Medium Enterprise site LAN supports 12 classes of traffic, which will be mapped to 4 classes of traffic on the WAN side. Figure 3-11 illustrates the recommended markings for different application traffic.

Figure 3-11 Mapping of 12-Class Model to 4-Classes

(Figure 3-11 shows three columns. 12-Class Model: Voice, Realtime Interactive, Multimedia Conferencing, Broadcast Video, Multimedia Streaming, Call Signaling, Network Control, Network Management, Transactional Data, Bulk Data, Best Effort, Scavenger. 8-Class Model: Voice, Interactive Video, Streaming Video, Call Signaling, Network Control, Critical Data, Best Effort, Scavenger. 4-Class Model: Realtime, Signaling/Control, Critical Data, Best Effort.)

Table 3-1 describes the different classes, the percentage, and the actual bandwidth allocated for each class of traffic. Once the QoS policy is designed, the next pertinent question is the appropriate allocation of bandwidth for the 4 classes of traffic. Each class should receive adequate bandwidth, and during congestion, each class must receive its guaranteed minimum bandwidth.

Table 3-1 Classes of Traffic

Class of Traffic                                    4-class SP Model   Bandwidth Allocated   Actual Bandwidth
Voice, Real Time Interactive, Broadcast Video       SP-Real-Time       30%                   33 Mbps
Network Control, Signaling, Transactional Data,
Multimedia Conferencing                             SP-Critical 1      20%                   36 Mbps
Multimedia Streaming, OAM, Bulk Data                SP-Critical 2      20%                   25 Mbps
Scavenger, Best Effort                              SP-Best Effort     30%                   6 Mbps

QoS Implementation

This section discusses how QoS is implemented in the Medium Enterprise Design Profile. As explained in the QoS design considerations, the main objective of the QoS implementation is to ensure that the 12 classes of LAN traffic are mapped into 4 classes of WAN traffic. To accomplish this objective, the following methods are used to implement the QoS policy:

• Single-layer design—If the interface bandwidth and the SLA bandwidth of the provider are equal, then a single QoS policy can be used to share the bandwidth among the classes of traffic, which is four in our design.

• Two-layer hierarchical design—This design is needed when the interface bandwidth is higher than the SLA bandwidth allocated by the service provider. For example, if the physical link is 100 Mbps, but the service provider has only allocated 50 Mbps, two policies are needed to implement this granular policy. The first policy, the parent policy, shapes the entire traffic to 50 Mbps; the child policy then queues and allocates bandwidth for each class.

• Three-layer hierarchical design—This is needed when multiple sites need to share a common bandwidth, each site needs dedicated bandwidth, and queuing is needed within the reserved bandwidth.

This section describes the detailed implementation of QoS policies at various parts of the network. The devices that need QoS design are as follows:

• WAN aggregation router 1 for connection to the Internet and private WAN network
• WAN aggregation router 2 for connection to the remote sites
• Cisco 3750 Metro switch at the large remote site
• Cisco 4500 switch at the medium remote site
• Cisco 3800 router at the small remote site

QoS Implementation at WAN Aggregation Router 1

The WAN aggregation router 1 connects to two different providers: the private WAN network and the Internet. Figure 3-12 depicts the bandwidth allocation at the WAN aggregation router 1. It is assumed that the aggregate bandwidth is 100 Mbps, which should be shared between both services: 50 Mbps is dedicated to the private WAN network and 50 Mbps is dedicated to Internet traffic.

Figure 3-12 The Bandwidth Allocation at WAN Aggregation Router 1

(Figure 3-12 shows the Medium Enterprise site network connected through the QFP of WAN aggregation router 1 to a 100 Mbps WAN pipe, split into 50M private WAN with 4 classes and 50M Internet with 4 classes.)

To implement a three-layer hierarchical QoS policy on the WAN aggregation 1 router, a higher-level parent policy is defined that shapes the aggregate WAN speed to 100 Mbps. This is like a grandfather policy. Then subparent policies are defined, which further shape it to 50 Mbps. These are specific to each service type. For example, PRIVATE WAN_PARENT is a policy dedicated to private WAN traffic, and PRIVATE WAN_Internet is specific to Internet traffic. Within each of the subparent policies, there are four defined classes: REALTIME, CRITICAL_DATA, BEST_EFFORT, and SCAVENGER. For example, PRIVATE WAN_PARENT would have a PRIVATE WAN_Child policy that classifies, queues, and allocates the bandwidth within each allocated bandwidth. Figure 3-13 depicts this hierarchical QoS design.

Figure 3-13 Hierarchical QoS Design

(Figure 3-13 shows PARENT_POLICY at the top, IE_PARENT_POLICY and WE_PARENT_POLICY beneath it, and IE_CHILD_POLICY and WE_CHILD_POLICY beneath those.)

The hierarchical three-layer QoS policy is implemented in three steps as follows:

Step 1 Define the parent policy—Enforces the aggregate bandwidth policy for the entire interface.
Step 2 Define the individual subparent policies—These are specific to each service type.
Step 3 Define the child policies—Classify, queue, and allocate bandwidth within each subparent policy.

The following diagram shows the hierarchical allocation.

(Diagram: the main interface carries the parent policy with a shape rate of 100 Mbps. Beneath it, the NLR_Parent policy on VLAN_WE and the Internet_Parent policy on VLAN_INTERNET each have a shape rate of 50 Mbps, sharing the bandwidth equally. Each contains the REALTIME, CRITICAL DATA, BEST EFFORT, and SCAVENGER classes.)

Implementation Steps for QoS Policy at WAN Aggregation Router 1

This section describes the detailed steps needed to implement the three-layer QoS policy on WAN aggregation router 1.

Step 1 Define the class-maps.

    class-map match-all REALTIME
     match ip dscp cs4 af41 cs5 ef
    class-map match-all CRITICAL_DATA
     match ip dscp af11 af21 cs3 cs6
    class-map match-all BEST_EFFORT
     match ip dscp default
    class-map match-all SCAVENGER
     match ip dscp cs2

Step 2 Define the child policy maps.

    policy-map IE_CHILD_POLICY
     class REALTIME
      priority percent 33
     class CRITICAL_DATA
      bandwidth remaining ratio 6
     class SCAVENGER
      bandwidth remaining ratio 1
     class BEST_EFFORT
      bandwidth remaining ratio 4
    policy-map NLR_CHILD_POLICY
     class REALTIME
      priority percent 33
     class CRITICAL_DATA
      bandwidth remaining ratio 6
     class BEST_EFFORT
      bandwidth remaining ratio 4
     class SCAVENGER
      bandwidth remaining ratio 1

Step 3 Define the parent policy maps. The parent policy shapes to 100 Mbps.

    class-map match-all dummy
    ! Dummy class does not classify anything
    !
    policy-map PARENT_POLICY
     class dummy service-fragment share
    ! Defining service-fragment allows other policies to point to it for a share of the bandwidth
      shape average 100000000
    !
    policy-map NLR_PARENT_POLICY
     class class-default fragment share
      shape average 50000000
    ! Parent policy allocates 50% of the bandwidth
      service-policy NLR_CHILD_POLICY
    ! Child policy gets attached to the parent policy
    !
    policy-map IE_PARENT_POLICY
     class class-default fragment share
      shape average 50000000
      service-policy IE_CHILD_POLICY
    !

Step 4 Apply the policy maps created in Steps 1 to 3.

    interface GigabitEthernet1/0/0
     dampening
     no ip address
     load-interval 30
     carrier-delay msec 0
     negotiation auto
     service-policy output PARENT_POLICY
    ! Aggregate policy (grandfather) applied on the main interface
     hold-queue 2000 in
     hold-queue 2000 out
    !
    interface GigabitEthernet1/0/0.65
     description link to 6500
     encapsulation dot1Q 65
     ip address 64.104.10.113 255.255.255.252
     service-policy output IE_PARENT_POLICY
    ! The parent policy applied on the sub-interface
    !
    interface GigabitEthernet1/0/0.75
     description link to 6500
     encapsulation dot1Q 75
     ip address 64.104.10.125 255.255.255.252
     service-policy output NLR_PARENT_POLICY
    !

QoS Policy Implementation for WAN Aggregation Router 2

The QoS configuration at WAN aggregation router 2 is more complex than that of WAN aggregation router 1 because of the different speeds connected to the router. Figure 3-14 depicts the different types of WAN speeds.

Figure 3-14 WAN Link Speeds at WAN Aggregation Router 2

(Figure 3-14 shows the main site network connected to the ASR 1006 with QFP over a 2 Gbps link with link resiliency; from the ASR 1006, a 1 Gbps Metro link to the Cisco 3750 Metro switch at the large site, a 100 Mbps Metro link to the Cisco 4507 switch at the medium site, and a 20 Mbps SONET/SDH link to the Cisco 3800 router at the small site.)

The requirements of the QoS design at WAN aggregation router 2 are as follows:

• The link speed between the main site and the large site is 1 Gbps. Since the physical link speed and the actual WAN speed are both 1 Gbps, a single-layer QoS policy can be defined on the link.

• The SLA between the main site and the remote medium site is assumed to be 100 Mbps; however, the link speed is assumed to be 1 Gbps. In addition, there is an assumption that there could be more than one remote medium site present in this design, and each medium remote site would connect to the main site using these 100 Mbps links. Therefore, a three-layer hierarchical QoS policy is needed.

• The link between the main site and the small remote site is 20 Mbps. The physical link speed is 44 Mbps. Therefore, a two-level hierarchical QoS policy is needed.

• The EtherChannel link between the ASR router and the core is 2 Gbps, which consists of two links of 1 Gbps link speed. Therefore, a single-level QoS policy can be applied on each of the links.

Table 3-2 describes the different QoS policy names applied at WAN aggregation router 2.

Table 3-2 QoS Policy for WAN Aggregation Router 2

QoS Policy Name                                       Description                                                                     WAN Speed
RLC_POLICY                                            Applied on link between Main Site and Large Remote Site                         1 Gbps
PARENT_POLICY, RMC_PARENT_POLICY, RMC_CHILD_POLICY    Hierarchical QoS policy between the Main Site and Medium Remote Site location   100 Mbps
WAN_Upstream                                          Applied on link between Main Site and core                                      2 Gbps
RSC_PARENT_POLICY, RSC_POLICY                         Applied on link between Main Site and small site                                20 Mbps

Figure 3-15 depicts the various points where QoS policies are applied.

Figure 3-15 The Allocation of QoS Policy at Different Places on WAN Aggregation Router 2

(Figure 3-15 shows WAN_Upstream on the link from the ASR 1006 to the main site network, RLC_POLICY on the Metro link to the Cisco 3750 Metro switch at the large site, RMC_PARENT_POLICY on the Metro link to the Cisco 4507 switch at the medium site, and RSC_POLICY on the SONET/SDH link to the Cisco 3800 router at the small site.)
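To see what the shaping and queuing statements in these policies actually guarantee per class, the following Python script is an added example, not from the Cisco guide: it computes the per-class minimum rates of a child policy from its shaper rate, `priority percent` and `bandwidth remaining ratio` values, checks that the sub-parent shapers of a three-layer design fit inside their parent shaper, and parses a `shape average` line so that a rate written with the wrong number of zeros is caught before it is pasted into a router. The rates and ratios are those of the policies in this chapter (the 100/50/50 Mbps hierarchy of WAN aggregation router 1 and the 20 Mbps small-site shaper); the function names `child_allocation`, `hierarchical_allocation`, `shape_rate_bps` and `to_mbps` are chosen here.

```python
"""Worked bandwidth allocation for the hierarchical QoS policies in this section.

Added example, not part of the Cisco design guide. It models the IOS
semantics the policy-maps rely on: a shaper fixes the rate a level may
use, `priority percent` reserves that share of the shaped rate for the
LLQ class, and the remaining classes split what is left in proportion to
their `bandwidth remaining ratio`. The ratios are minimum guarantees that
only bite under congestion; an idle class's share is borrowed by the
others. Policy names and rates are the ones given in the text.
"""
from fractions import Fraction
import re

# CRITICAL_DATA / BEST_EFFORT / SCAVENGER ratios used by every child policy here.
FOUR_CLASS_RATIOS = {"CRITICAL_DATA": 6, "BEST_EFFORT": 4, "SCAVENGER": 1}


def child_allocation(shape_bps, priority_pct, remaining_ratios):
    """Minimum guaranteed rate per class (bps, exact) when every class is saturated."""
    if not 0 < priority_pct < 100:
        raise ValueError("priority percent must be between 0 and 100 exclusive")
    total_ratio = sum(remaining_ratios.values())
    if total_ratio <= 0:
        raise ValueError("bandwidth remaining ratios must sum to a positive value")
    priority = Fraction(shape_bps) * priority_pct / 100   # LLQ share of the shaped rate
    remaining = Fraction(shape_bps) - priority            # what the ratio classes divide
    alloc = {"REALTIME": priority}
    for cls, ratio in remaining_ratios.items():
        alloc[cls] = remaining * ratio / total_ratio
    return alloc


def hierarchical_allocation(parent_shape_bps, subparents):
    """Allocate through a parent shaper and the sub-parent shapers attached to it.

    subparents maps a sub-parent policy name to (shape_bps, priority_pct,
    remaining_ratios) of the child policy it carries. The sub-parent
    shapers must fit inside the parent shaper, otherwise the guarantees
    written into the child policies cannot all be honoured at once.
    """
    committed = sum(spec[0] for spec in subparents.values())
    if committed > parent_shape_bps:
        raise ValueError(f"sub-parents commit {committed} bps but the parent shapes to {parent_shape_bps}")
    return {name: child_allocation(*spec) for name, spec in subparents.items()}


def shape_rate_bps(line):
    """Parse an IOS `shape average <bps>` line; a rate off by one zero caps the whole pipe."""
    m = re.match(r"\s*shape average (\d+)\s*$", line)
    if not m:
        raise ValueError(f"not a shape average line: {line!r}")
    return int(m.group(1))


def to_mbps(alloc):
    """Round an allocation to Mbps with two decimals for display."""
    return {cls: round(float(bps) / 1e6, 2) for cls, bps in alloc.items()}


# WAN aggregation router 1: PARENT_POLICY shapes the main interface to 100 Mbps,
# NLR_PARENT_POLICY and IE_PARENT_POLICY each shape to 50 Mbps, and both child
# policies use `priority percent 33` with 6:4:1 remaining ratios.
WAN_AGG_ROUTER_1 = {
    "NLR_PARENT_POLICY": (50_000_000, 33, FOUR_CLASS_RATIOS),
    "IE_PARENT_POLICY": (50_000_000, 33, FOUR_CLASS_RATIOS),
}

if __name__ == "__main__":
    parent = shape_rate_bps("shape average 100000000")
    for name, alloc in hierarchical_allocation(parent, WAN_AGG_ROUTER_1).items():
        print(name, to_mbps(alloc))
    # Small site: RSC_PARENT_POLICY shapes to 20 Mbps over a 44 Mbps serial link.
    print("RSC_POLICY", to_mbps(child_allocation(shape_rate_bps("shape average 20000000"), 33, FOUR_CLASS_RATIOS)))
```

For each 50 Mbps sub-parent the script reports REALTIME 16.5 Mbps, CRITICAL_DATA 18.27, BEST_EFFORT 12.18 and SCAVENGER 3.05 Mbps; for the 20 Mbps small-site shaper, 6.6, 7.31, 4.87 and 1.22 Mbps. Passing a parent rate of `shape average 10000000` (10 Mbps) raises an error because the two 50 Mbps sub-parents no longer fit, which is the quickest way to notice a missing zero in a pasted shaper.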

QoS Policy Between the Main Site and Large Remote Site

The WAN physical link speed is 1 Gbps. Also, the actual SLA between the main site and the large remote site is assumed to be 1 Gbps. Therefore, a single-layer QoS policy is implemented in this scenario.

Step 1 Define the class-maps.

    class-map match-all REALTIME
     match ip dscp cs4 af41 cs5 ef
    class-map match-all CRITICAL_DATA
     match ip dscp af11 af21 cs3 af31 cs6
    class-map match-all BEST_EFFORT
     match ip dscp default
    class-map match-all SCAVENGER
     match ip dscp cs2

Step 2 Define the policy map.

    policy-map RLC_POLICY
     class REALTIME
      priority percent 33
      set cos 5
     class CRITICAL_DATA
      bandwidth remaining ratio 6
      set cos 3
     class SCAVENGER
      bandwidth remaining ratio 1
      set cos 0
     class BEST_EFFORT
      bandwidth remaining ratio 4
      set cos 2
    !

Step 3 Apply the class-maps and policy map defined in Steps 1 and 2 on the interface connecting the main site to the large site.

    interface GigabitEthernet0/2/0
     description Connected to cr11-3750ME-RLC
     ip address 10.126.0.1 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
     ip pim sparse-mode
     ip summary-address eigrp 100 10.126.0.0 255.255.0.0 5
     logging event link-status
     load-interval 30
     negotiation auto
     service-policy output RLC_POLICY
    !

QoS Policy Between the Main Site and Medium Remote Site Location

A three-layer QoS design is needed between the main site and the medium remote site location, because there could be a couple of remote medium site locations connected on a single metro link to the main site. Figure 3-16 shows how this design looks when there is more than one remote medium site. Here, the implementation details are provided for only a single medium site location; however, more medium site locations could be added, if desired.

Figure 3-16 The WAN Link Design for Connectivity Between Main Site and Medium Remote Site

(Figure 3-16 shows the ASR 1006 with QFP at the main site connected to the Metro network over a 1 Gbps link, with 100 Mbps links to the medium sites alongside the large site and small site connections.)

The following are the implementation steps for this QoS policy:

Step 1 Define the child policy map.

    policy-map RMC_CHILD_POLICY
     class REALTIME
      priority percent 33
      set cos 5
     class CRITICAL_DATA
      bandwidth remaining ratio 6
      set cos 3
     class SCAVENGER
      bandwidth remaining ratio 1
      set cos 0
     class BEST_EFFORT
      set cos 2

Step 2 Define the parent policy maps.

    class-map match-all dummy
    !
    policy-map PARENT_POLICY
     class dummy service-fragment share
      shape average 1000000000
    ! Sets the total bandwidth to 1G
    policy-map RMC_PARENT_POLICY
     class class-default fragment share
      shape average 100000000
    ! Sets the bandwidth for a single medium campus to 100 Mbps
      service-policy RMC_CHILD_POLICY

Step 3 Apply the policy maps.

    interface GigabitEthernet0/2/1
     description Connected to cr11-4507-RMC
     dampening
     no ip address
     load-interval 30
     carrier-delay msec 0
     negotiation auto
     cdp enable
     service-policy output PARENT_POLICY
    ! First level policy applied to the main interface
     hold-queue 2000 in
     hold-queue 2000 out
    !
    interface GigabitEthernet0/2/1.102
     encapsulation dot1Q 102
     ip address 10.126.0.3 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
     ip pim sparse-mode
     ip summary-address eigrp 100 10.126.0.0 255.255.0.0 5
     service-policy output RMC_PARENT_POLICY
    ! Second level policy applied to the sub-interface
    !
    policy-map RMC_PARENT_POLICY
     class class-default fragment share
      shape average 100000000
      service-policy RMC_CHILD_POLICY
    ! Third level policy attached to the parent policy

QoS Policy Between Main Site and Small Remote Site Location

The following are the QoS policy implementation steps between the main site and the small remote site location. The actual WAN speed is 44 Mbps; however, the SLA is assumed to be 20 Mbps. Therefore, a two-layer hierarchical QoS design is needed to implement this policy.

Step 1 Define the policy maps.

    policy-map RSC_POLICY
    ! This is the child policy
     class REALTIME
      priority percent 33
     class CRITICAL_DATA
      bandwidth remaining ratio 6
     class SCAVENGER
      bandwidth remaining ratio 1
     class BEST_EFFORT
      bandwidth remaining ratio 4
    !
    policy-map RSC_PARENT_POLICY
    ! This is the parent policy
     class class-default
      shape average 20000000
      service-policy RSC_POLICY

Step 2 Apply the policy map to the interface.

    interface Serial0/3/0
     dampening
     ip address 10.126.0.5 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
     ip pim sparse-mode
     ip summary-address eigrp 100 10.126.0.0 255.255.0.0 5
     logging event link-status
     load-interval 30
     carrier-delay msec 0
     dsu bandwidth 44210
     framing c-bit
     cablelength 10
     service-policy output RSC_PARENT_POLICY
    ! Apply the parent policy to the interface
    end
    cr11-asr-we#

QoS Policy Implementation Between the Main Site and Core

The following is the QoS policy implementation between the main site and the core. There are two links between the ASR 1006 and the core, which is a VSS. The QoS policy needs to be configured on both links.

Step 1 Define the policy-map.

    policy-map WAN_Upstream
     class REALTIME
      priority percent 33
     class CRITICAL_DATA
      bandwidth remaining ratio 6
     class SCAVENGER
      bandwidth remaining ratio 1
     class BEST_EFFORT
      bandwidth remaining ratio 4

Step 2 Apply the policy-map on both interfaces going up to the core.

    interface GigabitEthernet0/2/3
     dampening
     no ip address
     load-interval 30
     carrier-delay msec 0
     negotiation auto
     cdp enable
     service-policy output WAN_Upstream
     channel-group 1 mode active
     hold-queue 2000 in
     hold-queue 2000 out
    !
    interface GigabitEthernet0/2/4
     dampening
     no ip address
     load-interval 30
     carrier-delay msec 0
     negotiation auto
     cdp enable
     service-policy output WAN_Upstream
     channel-group 1 mode active
     hold-queue 2000 in
     hold-queue 2000 out

QoS Policy Between Large Remote Site and Main Site Location

The WAN interface between the large remote site and the main site is 1 Gbps, which is also equal to the link speed; therefore, a single-layer QoS policy map can be created.

Step 1 Define the class-maps.

    class-map match-all REALTIME
     match ip dscp cs4 af41 cs5 ef
    class-map match-all CRITICAL_DATA
     match ip dscp af11 cs2 af21 cs3 af31 cs6
    class-map match-all BEST_EFFORT
     match ip dscp default
    class-map match-all SCAVENGER
     match ip dscp cs1

Step 2 Define the policy-map.

    policy-map ME_POLICY
     class REALTIME
      priority
      police 220000000 8000 exceed-action drop
    ! The realtime traffic gets 330 Mbps
      set cos 5
     class CRITICAL_DATA
      bandwidth remaining ratio 40
      set cos 3
     class BEST_EFFORT
      bandwidth remaining ratio 35
      set cos 2
     class SCAVENGER
      bandwidth remaining ratio 25
      set cos 0
    !

Step 3 Apply the QoS policy-map to the WAN interface.

    interface GigabitEthernet1/1/1
     description Connected to cr11-ASR-WE
     no switchport
     dampening
     ip address 10.126.0.0 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
     ip pim sparse-mode
     ip summary-address eigrp 100 10.122.0.0 255.255.0.0 5
     load-interval 30
     carrier-delay msec 0
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust dscp
     service-policy output ME_POLICY
     hold-queue 2000 in
     hold-queue 2000 out
    !
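The class-map sets in this chapter differ slightly from device to device: WAN aggregation router 1 lists cs2 as SCAVENGER and does not match af31, while the large-site switch lists cs1 as SCAVENGER and adds cs2 and af31 to CRITICAL_DATA. Because every class-map here matches on DSCP, a marking that appears in none of them falls through to the implicit class-default, and none of these policy-maps gives class-default a priority or bandwidth statement. The following Python script is an added example, not Cisco's code: it parses a set of class-maps and reports which of the 12 LAN classes of Figure 3-11 would land in class-default. The DSCP assumed for each LAN class is the standard Cisco medianet marking, an assumption of the example rather than a value quoted from the page; the two class-map sets are transcribed from the router 1 and large-site sections above, and the function names are chosen here.

```python
"""Check which LAN markings the four WAN class-maps actually catch.

Added example, not part of the Cisco design guide. A DSCP matched by no
class-map falls into the implicit class-default, which in these
policy-maps has no priority or bandwidth statement. The DSCP assigned to
each of the 12 LAN classes of Figure 3-11 is the usual Cisco medianet /
RFC 4594 marking and is an assumption of this example, not a value from
the page. The class-map sets are transcribed from the chapter.
"""

# DSCP name to codepoint; names not in this table are rejected as typos.
DSCP = {"default": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14, "cs2": 16,
        "af21": 18, "af22": 20, "af23": 22, "cs3": 24, "af31": 26, "af32": 28,
        "af33": 30, "cs4": 32, "af41": 34, "af42": 36, "af43": 38, "cs5": 40,
        "ef": 46, "cs6": 48, "cs7": 56}

# Assumed marking for each of the 12 LAN classes in Figure 3-11.
LAN_12_CLASS = {
    "Voice": "ef", "Realtime Interactive": "cs4", "Multimedia Conferencing": "af41",
    "Broadcast Video": "cs5", "Multimedia Streaming": "af31", "Call Signaling": "cs3",
    "Network Control": "cs6", "Network Management": "cs2", "Transactional Data": "af21",
    "Bulk Data": "af11", "Best Effort": "default", "Scavenger": "cs1",
}

ROUTER1_CLASS_MAPS = """\
class-map match-all REALTIME
 match ip dscp cs4 af41 cs5 ef
class-map match-all CRITICAL_DATA
 match ip dscp af11 af21 cs3 cs6
class-map match-all BEST_EFFORT
 match ip dscp default
class-map match-all SCAVENGER
 match ip dscp cs2
"""

LARGE_SITE_CLASS_MAPS = """\
class-map match-all REALTIME
 match ip dscp cs4 af41 cs5 ef
class-map match-all CRITICAL_DATA
 match ip dscp af11 cs2 af21 cs3 af31 cs6
class-map match-all BEST_EFFORT
 match ip dscp default
class-map match-all SCAVENGER
 match ip dscp cs1
"""


def parse_class_maps(config):
    """Return an ordered {class_name: set(dscp names)} from class-map/match lines."""
    maps, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] in (["class-map", "match-all"], ["class-map", "match-any"]):
            current = words[2]
            maps[current] = set()
        elif words[:3] == ["match", "ip", "dscp"] and current is not None:
            for name in words[3:]:
                if name not in DSCP:
                    raise ValueError(f"unknown DSCP name {name!r} in class-map {current}")
                maps[current].add(name)
    return maps


def classify(dscp_name, class_maps):
    """First class whose match list contains the DSCP, else the implicit class-default."""
    for cls, names in class_maps.items():
        if dscp_name in names:
            return cls
    return "class-default"


def lan_to_wan_coverage(class_maps):
    """Map every LAN class of Figure 3-11 to the WAN class that will carry it."""
    return {lan: classify(dscp, class_maps) for lan, dscp in LAN_12_CLASS.items()}


def unmatched_lan_classes(class_maps):
    """LAN classes that receive no guarantee because they land in class-default."""
    return [lan for lan, wan in lan_to_wan_coverage(class_maps).items() if wan == "class-default"]


if __name__ == "__main__":
    for label, cfg in (("router 1", ROUTER1_CLASS_MAPS), ("large site", LARGE_SITE_CLASS_MAPS)):
        maps = parse_class_maps(cfg)
        print(label, "unmatched:", unmatched_lan_classes(maps))
```

On the router 1 set, Multimedia Streaming (af31) and Scavenger (cs1) land in class-default and Network Management (cs2) is queued as SCAVENGER; the large-site set covers all 12 LAN classes. A misspelled DSCP name in a pasted class-map is rejected rather than silently ignored.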

QoS Policy Between Remote Medium Site and Main Site Location

The remote medium site location uses the 4500 as the WAN device, which uses the 4500-E supervisor. The physical link speed is 100 Mbps and the actual SLA is also 100 Mbps. Therefore, a single-layer QoS policy meets the requirement.

Step 1 Define the class-maps.

    class-map match-all REALTIME
     match ip dscp cs4 af41 cs5 ef
    class-map match-all CRITICAL_DATA
     match ip dscp af11 cs2 af21 cs3 af31 cs6
    class-map match-all BEST_EFFORT
     match ip dscp default
    class-map match-all SCAVENGER
     match ip dscp cs1

Step 2 Define the policy-map.

    policy-map RMC_POLICY
     class REALTIME
      priority
      police cir 33000000 conform-action transmit exceed-action drop
      set cos 5
     class CRITICAL_DATA
      set cos 3
      bandwidth percent 36
     class SCAVENGER
      bandwidth percent 5
      set cos 0
     class BEST_EFFORT
      set cos 2
      bandwidth percent 25
    !

Step 3 Apply the defined class and policy maps to the interface.

    interface GigabitEthernet4/1
     description link connected to cr13-6500-pe2 gi3/2
     switchport trunk native vlan 802
     switchport trunk allowed vlan 102
     switchport mode trunk
     logging event link-status
     load-interval 30
     carrier-delay msec 0
     no cdp enable
     spanning-tree portfast trunk
     spanning-tree guard root
     service-policy output RMC_POLICY
    !

QoS Policy Implementation Between Small Remote Site and Main Site Location

This section describes the QoS policy implementation between the small remote site location and the main site. The physical link speed is T3, which is 45 Mbps, but the SLA is 20 Mbps. Therefore, a hierarchical two-layer QoS policy is implemented. The parent policy shapes the link speed to 20 Mbps, and the child policy queues and allocates the bandwidth within the 20 Mbps.

Step 1 Define the class-maps.

    class-map match-all REALTIME
     match ip dscp cs4 af41 cs5 ef
    class-map match-all CRITICAL_DATA
     match ip dscp af11 af21 cs3 af31 cs6
    class-map match-all BEST_EFFORT
     match ip dscp default
    class-map match-all SCAVENGER
     match ip dscp cs2

Step 2 Define the child policy map.

    policy-map RSC_POLICY
     class REALTIME
      priority percent 33
     class CRITICAL_DATA
      bandwidth remaining percent 40
     class SCAVENGER
      bandwidth remaining percent 25
     class BEST_EFFORT
      bandwidth remaining percent 35

Step 3 Define the parent policy map.

    policy-map RSC_PARENT_POLICY
     class class-default
      shape average 20000000
      service-policy RSC_POLICY

Step 4 Apply the policy map to the interface.

    interface Serial2/0
     dampening
     ip address 10.126.0.4 255.255.255.254
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 eigrp-key
     ip pim sparse-mode
     service-policy output RSC_PARENT_POLICY
     ip summary-address eigrp 100 10.124.0.0 255.255.0.0 5
     load-interval 30
     carrier-delay msec 0
     dsu bandwidth 44210

Redundancy

Redundancy must be factored into the WAN design for a number of reasons. Since the WAN may span several service provider networks, it is likely that the network will be subjected to different kinds of failures occurring all the time. Some of the following failures can occur over a period of time: route flaps, fibers being cut, brownouts, and device failures. The probability of these occurring over a short period of time is low, but the occurrence is highly likely over a long period of time. To meet these challenges, different kinds of redundancy should be planned. The following are some of the ways to support redundancy:

• NSF/SSO—For networks to obtain 99.9999% availability, technologies such as NSF/SSO are needed. NSF routes packets until route convergence is complete, whereas SSO allows the standby RP to take immediate control and maintain connectivity protocols. This feature is enabled on the WAN aggregation 2 device. Figure 3-17 shows where this feature is enabled.

• In Service Software Upgrade (ISSU)—Allows software to be updated or modified while packet forwarding continues with minimal interruption.

• EtherChannel load balancing—Enabling this feature provides link resiliency and load balancing of traffic.

In the Cisco Medium Enterprise Design Profile. As explained in the “WAN Aggregation Platform Selection in the Medium Enterprise Design Profile” section on page 3-7. RP This section discusses how to incorporate the resiliency principle in Cisco Medium Enterprise Design Profile for the WAN design. Table 3-3 WAN Devices Device WAN Transport Resiliency Feature WAN aggregation 1 Private WAN/Internet ISSU. Enabling resiliency adds cost and complexity to the design. the redundancy is planned at both WAN aggregation router1 and WAN aggregation router 2 in the main site location. When the ASR router interfaces with the private WAN. Similarly. the ASR 1006 with dual RP and dual ESP has been chosen to provide for hardware-based redundancy. for the ASR router that interfaces with Metro connections. there are different models at both WAN aggregation locations. However.Chapter 3 Medium Enterprise Design Profile (MEDP)—WAN Design QoS Implementation Figure 3-17 Link Resiliency Main Site Site Network Link Resiliency ASR 1006 QFP SONET/SDH Metro Cisco 3750 Cisco 3800 Metro Switch Cisco 4500 Router Switch 229387 Large Site Medium Site Small Site Table 3-3 shows the various WAN devices that are designed for resiliency. Medium Enterprise Design Profile Reference Guide 3-39 . IOS based redundancy WAN aggregation 2 Metro Redundant ESP. ASR routers have been selected at both WAN aggregation locations. Internet networks the ASR 1004 with IOS-based redundancy. Therefore. resiliency has been added at certain places where it is absolutely critical to the network architecture rather than designing redundancy at every place of the network.

Both of these models support In Service Software Upgrade (ISSU) capabilities to allow a user to upgrade Cisco IOS XE Software while the system remains in service. To obtain more information on ASR resiliency capabilities, see the ASR page at the following URL: http://www.cisco.com/go/asr1000

Implementing IOS-based Redundancy at WAN Aggregation Router 1

The key requirement for implementing software-based redundancy on the ASR1004 is that it must have 4GB DRAM. The following are the steps for implementing the IOS-based redundancy:

Step 1 Check the memory on the ASR 1004 router.

CR11-ASR-IE#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISE-M), Version 12.2(33)XND3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 02-Mar-10 09:51 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

CR11-ASR-IE uptime is 3 weeks, 6 days, 2 hours, 4 minutes
Uptime for this control processor is 3 weeks, 6 days, 2 hours, 6 minutes
System returned to ROM by SSO Switchover at 14:41:38 UTC Thu Mar 18 2010
System image file is "bootflash:asr1000rp1-adventerprise.02.04.03.122-33.XND3.bin"
Last reload reason: redundancy force-switchover

cisco ASR1004 (RP1) processor with 736840K/6147K bytes of memory.
5 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
937983K bytes of eUSB flash at bootflash:.
39004543K bytes of SATA hard disk at harddisk:.
15641929K bytes of USB flash at usb1:.

Configuration register is 0x2102

CR11-ASR-IE#

Step 2 Enable the redundancy:

redundancy
 mode sso
!

Step 3 Verify that redundancy is enabled:

CR11-ASR-IE#show redundancy
Redundant System Information :
------------------------------
       Available system uptime = 3 weeks, 6 days, 2 hours, 11 minutes
Switchovers system experienced = 3
              Standby failures = 0
        Last switchover reason = active unit removed

                 Hardware Mode = Duplex
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = sso
              Maintenance Mode = Disabled
                Communications = Up

Current Processor Information :
-------------------------------
               Active Location = slot 7
        Current Software state = ACTIVE
       Uptime in current state = 3 weeks, 6 days, 2 hours, 0 minutes
                 Image Version = Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISE-M), Version 12.2(33)XND3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 02-Mar-10 09:51 by mcpre
                          BOOT = bootflash:asr1000rp1-adventerprise.02.04.03.122-33.XND3.bin,1;
                   CONFIG_FILE = 
        Configuration register = 0x2102

Peer Processor Information :
----------------------------
              Standby Location = slot 6
        Current Software state = STANDBY HOT
       Uptime in current state = 3 weeks, 6 days, 1 hour, 59 minutes
                 Image Version = Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISE-M), Version 12.2(33)XND3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 02-Mar-10 09:51 by mcpre
                          BOOT = bootflash:asr1000rp1-adventerprise.02.04.03.122-33.XND3.bin,1;
                   CONFIG_FILE = 
        Configuration register = 0x2102

CR11-ASR-IE#

Implementation of Hardware-based Redundancy at WAN Aggregation Router 2

As explained in the design considerations documents, the WAN aggregation router 2 has redundant RPs and redundant ESPs. Therefore, with this configuration, nonstop forwarding of data can be achieved even when there are failures with either ESPs or RPs. The following steps are needed to enable hardware redundancy on WAN aggregation router 2:

Step 1 Configuration of SSO redundancy:

redundancy
 mode sso
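The two verification steps above (Step 1, checking for 4GB DRAM in show version, and Step 3, checking show redundancy) are easy to misread by eye when many routers are involved. The following Python script is an added example, not part of this guide or of Cisco IOS: it parses both outputs and reports whether the router actually satisfies the memory requirement and whether the RP pair is in a state where a switchover would be hitless (Duplex hardware, SSO configured and operating, communications up, peer STANDBY HOT). The sample outputs are constructed from the shape of the output shown above, trimmed to the relevant lines; the degraded sample is constructed to show what a failed check looks like.

```python
"""Offline checks for 'show version' DRAM and 'show redundancy' SSO state.

Added example, not part of the Cisco design guide. Samples are constructed
from the output shape printed in the guide, trimmed to the relevant lines.
"""
import re

SAMPLE_SHOW_VERSION = """\
cisco ASR1004 (RP1) processor with 736840K/6147K bytes of memory.
5 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
"""

SAMPLE_HEALTHY = """\
Redundant System Information :
------------------------------
       Available system uptime = 3 weeks, 6 days, 2 hours, 11 minutes
Switchovers system experienced = 3
              Standby failures = 0
        Last switchover reason = active unit removed

                 Hardware Mode = Duplex
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = sso
              Maintenance Mode = Disabled
                Communications = Up

Current Processor Information :
-------------------------------
               Active Location = slot 7
        Current Software state = ACTIVE
       Uptime in current state = 3 weeks, 6 days, 2 hours, 0 minutes

Peer Processor Information :
----------------------------
              Standby Location = slot 6
        Current Software state = STANDBY HOT
       Uptime in current state = 3 weeks, 6 days, 1 hour, 59 minutes
"""

# Constructed failure case: the standby never reached HOT and SSO is not operating.
SAMPLE_DEGRADED = (SAMPLE_HEALTHY
                   .replace("STANDBY HOT", "STANDBY COLD")
                   .replace("Operating Redundancy Mode = sso", "Operating Redundancy Mode = rpr"))

_KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<val>.*?)\s*$")


def physical_memory_kbytes(show_version):
    """Kilobytes of physical memory reported by 'show version', or None if absent."""
    m = re.search(r"(\d+)K bytes of physical memory", show_version)
    return int(m.group(1)) if m else None


def meets_dram_requirement(show_version, min_gib=4):
    """True when the router reports at least min_gib GiB of physical memory."""
    kb = physical_memory_kbytes(show_version)
    return kb is not None and kb * 1024 >= min_gib * 1024 ** 3


def parse_show_redundancy(text):
    """Split 'show redundancy' into system / active / standby key-value maps."""
    sections = {"system": {}, "active": {}, "standby": {}}
    current = "system"
    for line in text.splitlines():
        if line.startswith("Current Processor Information"):
            current = "active"
        elif line.startswith("Peer Processor Information"):
            current = "standby"
        else:
            m = _KV.match(line)
            if m:
                sections[current][m.group("key")] = m.group("val")
    return sections


def redundancy_problems(parsed):
    """Reasons the pair is NOT ready for a hitless switchover (empty list = healthy)."""
    system, active, standby = parsed["system"], parsed["active"], parsed["standby"]
    problems = []
    if system.get("Hardware Mode") != "Duplex":
        problems.append("hardware mode is not Duplex (single RP)")
    for key in ("Configured Redundancy Mode", "Operating Redundancy Mode"):
        if system.get(key, "").lower() != "sso":
            problems.append(f"{key} is {system.get(key, 'missing')!r}, expected 'sso'")
    if system.get("Communications") != "Up":
        problems.append("RP-to-RP communications are not Up")
    if system.get("Standby failures", "0") != "0":
        problems.append(f"standby failures recorded: {system['Standby failures']}")
    if active.get("Current Software state") != "ACTIVE":
        problems.append("current processor is not ACTIVE")
    if standby.get("Current Software state") != "STANDBY HOT":
        problems.append(f"peer state is {standby.get('Current Software state', 'absent')!r}, not 'STANDBY HOT'")
    return problems


def is_sso_ready(show_redundancy):
    """True only when no problem is found in the parsed 'show redundancy' output."""
    return not redundancy_problems(parse_show_redundancy(show_redundancy))
```

The check deliberately treats a missing field the same as a wrong value, so a truncated capture fails closed rather than passing; feed it the full output of both commands collected from each WAN aggregation router.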

Step 2 Verify the redundancy information:

cr11-asr-we#show redundancy
Redundant System Information :
------------------------------
       Available system uptime = 3 weeks, 1 day, 19 hours, 32 minutes
Switchovers system experienced = 4
              Standby failures = 0
        Last switchover reason = active unit removed

                 Hardware Mode = Duplex
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = sso
              Maintenance Mode = Disabled
                Communications = Up

Current Processor Information :
-------------------------------
               Active Location = slot 6
        Current Software state = ACTIVE
       Uptime in current state = 2 weeks, 1 day, 18 hours, 3 minutes
                 Image Version = Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XND2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 04-Nov-09 18:53 by mcpre
                          BOOT = 
                   CONFIG_FILE = 
        Configuration register = 0x2102

Peer Processor Information :
----------------------------
              Standby Location = slot 7
        Current Software state = STANDBY HOT
       Uptime in current state = 2 weeks, 6 days, 3 hours, 52 minutes
                 Image Version = Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XND2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 04-Nov-09 18:53 by mcpre
                          BOOT = 
                   CONFIG_FILE = 
        Configuration register = 0x2102

cr11-asr-we#

Implementation of Link Resiliency Between the WAN Aggregation Router 2 and VSS Core

The following are the implementation steps to deploy link resiliency:

Step 1 Configure the EtherChannel between the ASR1006 and the VSS core:

interface GigabitEthernet0/2/3
 dampening
 no ip address
 load-interval 30
 carrier-delay msec 0
 negotiation auto
 cdp enable
 service-policy output WAN_Upstream
 channel-group 1 mode active
 hold-queue 2000 in
 hold-queue 2000 out
!
interface GigabitEthernet0/2/4
 dampening
 no ip address
 load-interval 30
 carrier-delay msec 0
 negotiation auto
 cdp enable
 service-policy output WAN_Upstream
 channel-group 1 mode active
 hold-queue 2000 in
 hold-queue 2000 out
!

Step 2 Configure the port-channel interface:

interface Port-channel1
 ip address 10.125.0.23 255.255.255.254
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 eigrp-key
 ip pim sparse-mode
 ip summary-address eigrp 100 10.126.0.0 255.255.0.0 5
 logging event link-status
 load-interval 30
 carrier-delay msec 0
 negotiation auto
!

Multicast

The main design considerations for multicast are as follows:

• The number of groups supported by the WAN edge device—This is a scalability factor of the WAN edge device. The platform chosen must support the number of required groups.
• The placement of the RP—There are a couple of options available with RP placement, which include Anycast with Static, Anycast with Auto-RP, or Anycast with BSR.
• Multicast protocols—PIM-Sparse mode, IGMP
• QoS policy must be configured for multicast traffic, so that this traffic does not affect the unicast traffic.

In the Medium Enterprise Design Profile, it is assumed that multicast traffic would be present only within the site, and not on external enterprise/WAN networks. Therefore, the multicast design looks only at the connection between the main site and the small remote site locations. To obtain more information about multicast design for a site, refer to the “Multicast for Application Delivery” section on page 2-64. The implementation section in this document shows how to enable multicast on the WAN device only.

Multicast Configuration on WAN Aggregation Router 2

This section shows how to enable multicast routing, and which interfaces are to be enabled with PIM-Sparse mode on the WAN aggregation router 2 that connects to the different remote sites.

Step 1 Enable multicast routing:

ip multicast-routing distributed

Step 2 Enable PIM-Sparse mode on the following WAN interfaces:
– Port-channel—Connects to the VSS core
– Gi0/2/0—Connects to the Large Remote Site
– Gi0/2/1—Connects to the Medium Remote Site
– S0/3/0—Connects to the Small Remote Site

interface Port-channel1
 ip address 10.125.0.23 255.255.255.254
 ip pim sparse-mode
 negotiation auto
!
interface GigabitEthernet0/2/0
 description Connected to cr11-3750ME-RLC
 ip address 10.126.0.3 255.255.255.254
 ip pim sparse-mode
 logging event link-status
 load-interval 30
 negotiation auto
!
interface GigabitEthernet0/2/1
 description Connected to cr11-4507-RMC
 dampening
 no ip address
 load-interval 30
 carrier-delay msec 0
 negotiation auto
 cdp enable
 hold-queue 2000 in
 hold-queue 2000 out
!
interface GigabitEthernet0/2/1.102
 encapsulation dot1Q 102
 ip address 10.126.0.1 255.255.255.254
 ip pim sparse-mode
!
interface Serial0/3/0
 dampening
 ip address 10.126.0.5 255.255.255.254
 ip pim sparse-mode
 load-interval 30
 carrier-delay msec 0
 dsu bandwidth 44210
 framing c-bit
 cablelength 10
!

Step 3 Configure the RP location:

ip pim rp-address 10.126.100.100

Configuration of Multicast on Large Remote Site

This section discusses how to implement multicast on the large remote site. The following are the implementation steps:

Step 1 Enable multicast routing:

ip multicast-routing distributed

Step 2 Enable PIM-Sparse mode on the WAN interface that connects to the main site:

interface GigabitEthernet1/1/1
 description Connected to cr11-ASR-WE
 no switchport
 dampening
 ip address 10.126.0.2 255.255.255.254
 ip pim sparse-mode
 hold-queue 2000 in
 hold-queue 2000 out
!

Step 3 Configure the RP location:

ip pim rp-address 10.126.100.100

Configuration of Multicast on Medium Remote Site

This section discusses how to implement multicast on the medium remote site.

Step 1 Enable multicast routing:

ip multicast-routing

Step 2 Enable PIM-Sparse mode on the WAN interface:

interface Vlan102
 description Connected to cr11-ASR-WE
 dampening
 ip address 10.126.0.0 255.255.255.254
 ip pim sparse-mode
 load-interval 30
 carrier-delay msec 0

Configuration of Multicast on Small Remote Site

This section discusses how to implement multicast on the small remote site.

Step 1 Enable multicast routing:

ip multicast-routing

Step 2 Enable PIM-Sparse mode on the WAN interface:

interface Serial2/0
 dampening
 ip address 10.126.0.4 255.255.255.254
 ip pim sparse-mode
 load-interval 30
 carrier-delay msec 0
 dsu bandwidth 44210

Step 3 Configure the RP location:

ip pim rp-address 10.126.100.100 Allowed_MCAST_Groups override

Step 4 Configure the multicast security:

ip pim spt-threshold infinity
ip pim accept-register list PERMIT-SOURCES
!
ip access-list standard Allowed_MCAST_Groups

 permit 224.0.1.39
 permit 224.0.1.40
 permit 239.192.0.0 0.0.255.255
 deny any
!
ip access-list standard Deny_PIM_DM_Fallback
 deny 224.0.1.39
 deny 224.0.1.40
 permit any
!
ip access-list extended PERMIT-SOURCES
 permit ip 10.125.0.0 0.0.255.255 239.192.0.0 0.0.255.255
 deny ip any any
!

Summary

Designing the WAN network aspects for the Cisco Medium Enterprise Design Profile interconnects the various LAN locations as well as lays the foundation to provide safety and security, operational efficiencies, virtual learning environments, and secure classrooms. This chapter reviewed the WAN design models recommended by Cisco and where to apply these models within the various locations within a medium enterprise network. Key WAN design principles such as WAN aggregation platform selection, QoS, multicast, and redundancy best practices are discussed for the entire Medium Enterprise Design Profile. Designing the WAN network of a medium enterprise using these recommendations and best practices will establish a network that is resilient in case of failure, scalable for future growth, simplified to deploy and manage, and cost efficient to meet the budget needs of a medium enterprise.
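The multicast security step above relies on two ACLs doing different jobs: Allowed_MCAST_Groups (attached to ip pim rp-address with override) decides which groups may map to the RP at all, and PERMIT-SOURCES (attached to ip pim accept-register) decides which (source, group) pairs the RP will accept a PIM Register for. The following Python script is an added example, not part of this guide or of Cisco IOS: it models the first-match, implicit-deny evaluation of those two ACLs using Cisco wildcard-mask semantics so the intended policy can be checked offline before it is applied. The ACL text is copied from the configuration above; the sample sources and groups are constructed.

```python
"""Model the guide's multicast security ACLs offline.

Added example, not part of the Cisco design guide or of IOS. Wildcard masks
follow Cisco semantics: a set bit in the wildcard means "don't care".
"""
import ipaddress

# Copied from the configuration in this section.
ALLOWED_MCAST_GROUPS = """
 permit 224.0.1.39
 permit 224.0.1.40
 permit 239.192.0.0 0.0.255.255
 deny any
"""

PERMIT_SOURCES = """
 permit ip 10.125.0.0 0.0.255.255 239.192.0.0 0.0.255.255
 deny ip any any
"""


def _mask_match(addr, base, wildcard):
    """True when addr equals base on every bit that is 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_operand(tokens):
    """Consume one address operand: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def parse_standard_acl(text):
    """-> list of (action, (base, wildcard)) in the order written."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[0], tokens[1:]
        operand, _ = _parse_operand(rest)
        entries.append((action, operand))
    return entries


def parse_extended_ip_acl(text):
    """-> list of (action, (src, src_wc), (dst, dst_wc)); only 'ip' entries are modelled."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled, got {proto!r}")
        src, rest = _parse_operand(rest)
        dst, _ = _parse_operand(rest)
        entries.append((action, src, dst))
    return entries


def group_allowed_by_rp(group, acl=ALLOWED_MCAST_GROUPS):
    """May this group use the RP? First match wins; no match means deny (IOS implicit deny)."""
    for action, (base, wc) in parse_standard_acl(acl):
        if _mask_match(group, base, wc):
            return action == "permit"
    return False


def register_accepted(source, group, acl=PERMIT_SOURCES):
    """Would the RP accept a PIM Register for (source, group) under accept-register?"""
    for action, (sb, sw), (db, dw) in parse_extended_ip_acl(acl):
        if _mask_match(source, sb, sw) and _mask_match(group, db, dw):
            return action == "permit"
    return False


def policy_report(pairs):
    """For constructed (source, group) pairs, return {pair: (group_ok, register_ok)}."""
    return {(s, g): (group_allowed_by_rp(g), register_accepted(s, g)) for s, g in pairs}
```

Running policy_report over a few constructed pairs shows the two layers separately: a group outside 239.192.0.0/16 is refused at the RP mapping, and an in-scope group from a source outside 10.125.0.0/16 is mapped to the RP but its Register is dropped.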

CHAPTER 4 Medium Enterprise Design Profile (MEDP)—Mobility Design

Mobility Design

The Cisco Medium Enterprise Design Profile is intended to assist enterprises in the design and deployment of advanced network-based solutions within twenty-first century business environments. At the heart of the Medium Enterprise Design Profile is the network service fabric, which is a collection of products, features, and technologies that provide a robust routing and switching foundation upon which all solutions and services are built. Operating on top of the network service fabric are all the services used within the medium enterprise network to solve business problems.

Today’s enterprise worker is dynamic, mobile, and technology-savvy. When at the enterprise site, they move about while equipped with an array of mobility-enabled devices including PDAs, phones, and laptops. This connected generation of professionals is untethered from wired networks and typically assumes that high-performance, reliable wireless LANs (WLANs) are present at all medium enterprise environments. Business professionals tend to use state of the art applications and the enterprise network for many aspects of their lives, demanding connectivity, performance and network flexibility wherever they may be located. The mobility design implemented by a medium enterprise must meet the needs of these mobile workers while also addressing the requirements of guests and visitors.

Medium enterprises must remain competitive and must differentiate themselves from their peers, both for competitive customer marketing purposes as well as to attract and retain the best employee talent. Prospective employees want to be part of medium enterprises that provide services relevant to the way they live, work, and spend their free time, in ways that serve to enhance both their quality of life and their individual success potential. They want to take full advantage of what the medium enterprise has to offer. Administrators need secure access to tools, records, and resources. This mobile enterprise lifestyle helps to drive the need for careful wireless capacity and coverage planning, as well as access to mobile voice capabilities throughout medium enterprise sites. Secure, reliable, and high-performance wireless guest access for contractors, vendors, and other guests of the medium enterprise has become a standard and expected part of modern-day mobile business environments.

To meet these needs, medium enterprises must evolve into mobility-enabled local and remote sites and twenty-first century business centers. Keep in mind that traditional offices and conference rooms are by no means the only environments seen within medium enterprises any longer. In fact, secure wireless technologies can enable “virtual offices” even in non-traditional settings such as leased space in professional buildings, temporary office spaces, and even in employee homes.

The challenge facing a medium enterprise is to create a robust, end-to-end, mobility-enabled network that supports their requirements at a cost that makes good business sense. Medium enterprises should be equipped with mobility solutions that support the following:

• Secure communications between local and remote sites to support employees, guests and visitors, using mobility-enabled devices and mobile applications
• A scalable design model that can easily accommodate the addition of new local and remote buildings as well as modifications to existing buildings
• Support for bandwidth-intensive, high-speed multimedia applications
• Simplified management tools to facilitate system-wide mobility maintenance
• The use of tools and applications for mobile conferencing, collaboration, and operations
• Effective communication and inter-operation with public safety first responders in the event of an emergency

Given the mobility requirements of medium enterprise professionals, wireless LANs have emerged as one of the most effective and high performance means for these mobile users to access the medium enterprise network. A medium enterprise with a pervasive, high-speed wireless network not only provides technological leadership and innovation, but enables the deployment of innovative applications that streamline operations, enhance collaboration, and improve productivity.

In support of this, this chapter discusses design considerations surrounding the requirements, deployment, expectations and trade-offs that must be taken into account when integrating mobility into the Cisco Medium Enterprise Design Profile. These design considerations form a critical part of the overall service fabric design model, as shown in Figure 4-1.

Figure 4-1 Service Fabric Design Model (Unified Communications, Mobility, and Security services over the Local Area Network (LAN) and Wide Area Network (WAN))

The Cisco Unified Wireless Network (Cisco UWN) is a unified solution that addresses the wireless network security, deployment, management, and control aspects of deploying a wireless network. It combines the best elements of wireless and wired networking to deliver secure, high performance, scalable wireless networks with a low total cost of ownership. Figure 4-2 shows a high-level topology of the Cisco Unified Network, which includes access points that use the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, the Cisco Wireless Control System (WCS), and the Cisco Wireless LAN Controller (WLC). In addition to the traditional standalone WLAN controller, alternate hardware platforms include the Cisco ISR router Wireless LAN Controller Module (WLCM) or the Cisco Catalyst 6500 Wireless Services Module (WiSM). The Cisco Access Control Server (ACS) and its Authentication, Authorization, and Accounting (AAA) features complete the solution by providing Remote Authentication Dial-In User Service (RADIUS) services in support of user authentication and authorization.

Figure 4-2 Cisco Unified Wireless Network Overview (Cisco WCS and WCS Navigator; third-party browser-based applications such as E911, asset tracking, ERP and workflow automation; Cisco Wireless LAN Controllers, the WLCM, the Catalyst 6500 WiSM and the Catalyst 3750G Integrated Wireless LAN Controller; Cisco Aironet lightweight access points, wireless bridges and 1500 Series outdoor mesh access points; Wi-Fi tags, 125 kHz chokepoints, and Cisco Compatible client devices and adapters, 802.11a/b/g and 802.11n)

The Cisco Medium Enterprise Design Profile accommodates a main site and one or more remote sites interconnected over a metro Ethernet or managed WAN service, as shown in Figure 4-3. Each of these sites may contain one or more buildings of various sizes.

Figure 4-3 Medium Enterprise Design Profile Overview (main large site with WLAN access points in large, medium, small and extra small buildings, a service block with Wireless LAN Controller, NAC and WAE servers, a data center, core, Internet edge and security servers; remote large, medium and small sites with their own service blocks and WLAN access points, connected over MetroE and HDLC WAN links)

Operating on top of this network are all the services used within the medium enterprise environment such as safety and security systems, voice communications, video surveillance equipment, and so on. The core of these services are deployed and managed at the main (or headquarters) site building, allowing each remote site to reduce the need for separate services to be operated and maintained. As Figure 4-3 shows, the Cisco Medium Enterprise Design Profile uses a centralized approach in which key resources are centrally deployed. These centralized systems and applications are served by a data center at the main site. This approach simplifies the deployment and operation of the network, helping to ensure smooth performance, enhance network maintainability, and reduce overall operating costs. The key feature of this integration is the use of one or more WLAN controllers at each site, with the overall WLAN management function (the Cisco WCS) located at the main site.

The Cisco Medium Enterprise Design Profile takes into account that cost and limited network administrative resources can, in some cases, be limiting factors for medium enterprises. The topologies and platforms are carefully selected to increase productivity, enhance security, and maximize network availability while minimizing the overall cost and complexity of operation. In certain instances, trade-offs are necessary to reach these goals, and this document helps to point out and clarify some of these trade-offs.

The Cisco mobility approach within the Cisco Medium Enterprise Design Profile focuses on the following key areas:

• Accessibility

– Enabling mobile professionals, staff, administrators, guests and visitors to be accessible and productive on the network, regardless of whether they are in a traditional office setting, collaborating in a conference room, having lunch with colleagues within enterprise site dining areas, or simply enjoying a breath of fresh air outside on-site buildings
– Enabling easy, secure guest access to guests such as prospective customers, future employees, contractors, vendors, and other visitors

• Usability

In addition to extremely high WLAN transmission speeds made possible by the current generation of IEEE 802.11n technology, latency-sensitive applications (such as IP telephony and video conferencing) are supported over the WLAN using appropriately applied quality-of-service (QoS) classification. This gives preferential treatment to real-time traffic, helping to ensure that video and audio information arrives on time.

• Security

– Segmenting authorized users and blocking unauthorized users
– Extending the services of the network safely to authorized parties
– Enforcing security policy compliance on all devices seeking to access network computing resources

Staff enjoy rapid and reliable authentication through IEEE 802.1x and Extensible Authentication Protocol (EAP), with all information sent and received on the WLAN being encrypted.

Note For information on how security design is addressed within the Cisco Medium Enterprise Design Profile, see Chapter 5, “Medium Enterprise Design Profile (MEDP)—Network Security Design.”

• Manageability

A relatively small team of network administrators should be able to easily deploy, operate, and manage hundreds of access points that may reside within a multisite medium enterprise. A single, easy-to-understand WLAN management framework provides small, medium, and large sites with the level of WLAN management scalability, reliability, and ease of deployment required in the medium enterprise domain.

• Reliability

– Providing adequate capability to recover from a single-layer fault of a WLAN access component or controller wired link
– Ensuring that WLAN accessibility is maintained for employees, guests, and visitors in the event of common failures

Accessibility

This section provides a brief introduction to the fundamental protocol used for communication between access points and WLAN controllers, followed by a discussion of mobility design considerations pertaining to those aspects of the Cisco Medium Enterprise Design Profile relevant to accessibility, such as the following:

• WLAN controller location
• WLAN controller connectivity

• Access points

The basic mobility components involved with providing WLAN access in the Cisco Medium Enterprise Design Profile consist of WLAN controllers and access points that communicate with each other using the IETF standard CAPWAP protocol. In this arrangement, access points provide the radio connection to wireless clients, and WLAN controllers manage the access points and provide connectivity to the wired network. The mobility approach in the Cisco Medium Enterprise Design Profile is based on the feature set available in Cisco Wireless LAN Controller software Release 6.0, which uses CAPWAP. Controller software releases before Release 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications. In controller software Release 5.2 or later, Cisco lightweight access points use CAPWAP to communicate between the controller and other lightweight access points on the network. Note that most CAPWAP-enabled access points are also compatible with the preceding LWAPP protocol. An exception is that the Cisco Aironet 1140 Series Access Point supports only CAPWAP.

Figure 4-4 shows the use of CAPWAP by access points to communicate with and tunnel traffic to a WLAN controller.

Figure 4-4 CAPWAP Access Point to WLC Communication (LWAPP/CAPWAP tunnels from each AP across the network to the WLC)

CAPWAP enables the controller to manage a collection of wireless access points, and has the following three primary functions in the mobility design:

• Control and management of the access point
• Tunneling of WLAN client traffic to the WLAN controller
• Collection of 802.11 data for overall WLAN system management

CAPWAP is also intended to provide WLAN controllers with a standardized mechanism with which to manage radio-frequency ID (RFID) readers and similar devices, as well as enable controllers to interoperate with third-party access points in the future. For detailed CAPWAP protocol information, see the following URL: http://www.ietf.org/rfc/rfc5415.txt.
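When troubleshooting or monitoring the access-point-to-controller exchange described above, it helps to be able to read the CAPWAP header itself rather than relying on a protocol dissector. The following Python script is an added example, not part of this guide or of any Cisco product: it decodes the CAPWAP transport header and, for plaintext control packets, the control message header as defined in RFC 5415 (control channel UDP port 5246, data channel UDP port 5247, preamble type 1 meaning the payload is DTLS-protected). The sample packets are constructed byte strings, not captures from the design described here; the small helper that flags plaintext control packets is an assumption about what an operator would want to check, since the CAPWAP control channel is expected to run over DTLS.

```python
"""Decode CAPWAP transport and control headers (RFC 5415 sections 4.3 and 4.5.1).

Added example, not part of the Cisco design guide. Packets below are constructed.
"""
import struct

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247

# Subset of control message types from RFC 5415 section 4.5.1.1.
CONTROL_MESSAGE_NAMES = {
    1: "Discovery Request", 2: "Discovery Response",
    3: "Join Request", 4: "Join Response",
    13: "Echo Request", 14: "Echo Response",
}

# Constructed plaintext Join Request: 8-byte transport header + 8-byte control header.
JOIN_REQUEST = bytes([
    0x00,                    # preamble: version 0, type 0 (plain CAPWAP header)
    0x10, 0x42, 0x00,        # HLEN=2 words, RID=1, WBID=1 (IEEE 802.11), T/F/L/W/M/K=0, flags=0
    0x00, 0x00, 0x00, 0x00,  # fragment id 0, fragment offset 0, reserved
    0x00, 0x00, 0x00, 0x03,  # control header: message type 3 = Join Request
    0x05,                    # sequence number
    0x00, 0x00,              # message element length 0 (no elements in this sample)
    0x00,                    # control header flags
])

# Constructed DTLS-protected control packet: preamble type 1, rest is ciphertext.
DTLS_CONTROL = bytes([0x01]) + bytes([0x16, 0xFE, 0xFD]) + bytes(12)


def parse_capwap(packet, udp_dst_port):
    """Return a dict describing the CAPWAP packet; raises ValueError on truncation."""
    if not packet:
        raise ValueError("empty packet")
    preamble = packet[0]
    info = {
        "version": preamble >> 4,
        "dtls": (preamble & 0x0F) == 1,   # type 1 = CAPWAP DTLS header
        "channel": "control" if udp_dst_port == CAPWAP_CONTROL_PORT else "data",
    }
    if info["dtls"]:
        return info                      # remainder is DTLS ciphertext; nothing more to read
    if len(packet) < 8:
        raise ValueError("truncated CAPWAP transport header")
    word0, word1 = struct.unpack("!II", packet[:8])
    info["hlen_bytes"] = ((word0 >> 19) & 0x1F) * 4   # HLEN is in 4-byte words
    info["rid"] = (word0 >> 14) & 0x1F                 # radio id
    info["wbid"] = (word0 >> 9) & 0x1F                 # wireless binding id (1 = 802.11)
    info["flags"] = {name: bool((word0 >> bit) & 1)
                     for name, bit in (("T", 8), ("F", 7), ("L", 6), ("W", 5), ("M", 4), ("K", 3))}
    info["fragment_id"] = word1 >> 16
    info["fragment_offset"] = (word1 >> 3) & 0x1FFF
    if info["channel"] == "control":
        off = info["hlen_bytes"]
        if len(packet) < off + 8:
            raise ValueError("truncated CAPWAP control header")
        msg_type, seq, elem_len, _cflags = struct.unpack("!IBHB", packet[off:off + 8])
        info.update(message_type=msg_type,
                    message_name=CONTROL_MESSAGE_NAMES.get(msg_type, "unknown"),
                    seq=seq, element_length=elem_len)
    return info


def plaintext_control_packets(packets):
    """Indices of (packet, udp_dst_port) pairs that are control-channel but not DTLS-protected."""
    flagged = []
    for i, (pkt, port) in enumerate(packets):
        info = parse_capwap(pkt, port)
        if info["channel"] == "control" and not info["dtls"]:
            flagged.append(i)
    return flagged
```

The decoder stops at the preamble when the DTLS bit is set, which is exactly what a monitoring point should see for the control channel; plaintext_control_packets is the check an operator would run over a capture taken on the path between the access points and the controller's AP manager interface.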

WLAN Controller Location

WLAN deployments are typically categorized into two main categories, distributed and centralized:

• Distributed controller—In this model, WLAN controllers are located throughout the medium enterprise network, typically on a per-building basis, and are responsible for managing the access points resident in a given building. In the distributed deployment model, the CAPWAP tunnels formed between access points and WLAN controllers are typically fully contained within the confines of the building. This technique is commonly used to connect controllers to the medium enterprise network using distribution routers located within each building.
• Centralized controller—In this model, WLAN controllers are placed at a centralized location within the enterprise. Because centralized WLAN controllers are typically not located in the same building as the access points they manage, the CAPWAP tunnels formed between them must traverse the site backbone network.

The Cisco Medium Enterprise Design Profile is based on the centralization of WLAN controllers, on a per-site basis, and follows established best practices, such as those contained in Chapter 2 of the Enterprise Mobility 4.1 Design Guide at the following URL: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_ent_mob_design.html. Figure 4-3 shows the planned deployment of WLAN controllers within distinct per-site service blocks, each associated with the main (headquarters), large remote, medium remote, and small remote sites respectively. Service blocks tend to be deployed at locations in the network where high availability routing, switching, and power is present. Similarly, these areas tend to be locally or remotely managed by network staff possessing higher skill sets. By centralizing WLAN controllers on a per-site basis, CAPWAP tunneling between access points and WLAN controllers is not normally required to traverse WAN links (except during controller fail over), thereby conserving WAN bandwidth and improving performance overall.

Some of the advantages underlying the decision to centralize the deployment of WLAN controllers on a per-site basis include the following:

• Reduced acquisition and maintenance costs—By servicing the needs of all wireless users from a central point, the number of WLAN controller hardware platforms deployed can be reduced compared to that required for a distributed, per-building design. In addition, incremental software licensing costs associated with WLAN controllers are reduced as well. For large sites, there is also an incremental economy of scale that occurs as the network grows larger. These economies of scale typically increase with the size of the enterprise WLAN.
• Reduced administrative requirements—By minimizing the total number of WLAN controllers deployed, the controller management burden imposed on site network administrators is minimized.
• Reduced component interaction points—Centralizing WLAN controllers minimizes the number of integration points that must be managed when interfacing the controller with other devices. When integrating the WLAN controller with the Network Admission Control (NAC) appliance on any given site, for example, only one integration point must be administered.
• Increased performance and reliability—Centralized WLAN controller deployments usually lead to highly efficient inter-controller mobility, as well as facilitate cost-effective controller high availability approaches.
• Cost-effective capacity management—The use of a centralized WLAN controller model allows the designer the ability to centrally service access points located in multiple building locations and efficiently manage controller capacity.
• Simplified network management and high availability—Centralized WLAN controller designs simplify overall network management of controllers. This can protect sites from a loss of WLAN access in the rare event of a controller failure, without the expense of 1:1 controller duplication.

Chapter 4 Medium Enterprise Design Profile (MEDP)— Mobility Design Accessibility

Note For additional information on inter-controller mobility and roaming, see the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html#wp1028197.

The choice of WLAN controller for the Cisco Medium Enterprise Design Profile is the Cisco 5508 Wireless Controller, as shown in Figure 4-5.

Figure 4-5 Cisco 5508 Wireless Controller

The Cisco 5508 Wireless Controller is a highly scalable and flexible platform that enables system-wide services for mission-critical wireless in medium to large-sized enterprise environments. Designed for 802.11n performance and maximum scalability, the Cisco 5508 Wireless Controller offers the ability to simultaneously manage from 12 to a maximum of 250 access points per controller. In sites requiring more than 250 total access points, or where load sharing/high availability is required, multiple controllers can be deployed as necessary. Base access point controller licensing provides the flexibility to purchase only the number of access point licenses required, with the ability to add additional access point licenses in the future when medium enterprise site growth occurs. More information on the Cisco 5508 Wireless Controller can be found at the following URL: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/data_sheet_c78-521631.html.

WLAN Controller Connectivity

This section discusses WLAN controller connectivity, including the following:
• Controller connectivity to the wired network
• Controller connectivity to the wireless devices
• Defining WLANs and Service Set Identifiers (SSIDs)
• WLAN controller mobility groups
• WLAN controller access point groups
• WLAN controller RF groups

Controller Connectivity to the Wired Network

WLAN controllers possess physical entities known as ports that connect the controller to its neighboring switch (the Cisco 5508 Wireless Controller supports up to eight Gigabit Ethernet Small Form-Factor Pluggable [SFP] ports). Each physical port on the controller supports, by default, an 802.1Q VLAN trunk, with fixed trunking characteristics.
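These controller ports also carry the CAPWAP control traffic through which access points discover and join the controller: Cisco access points send CAPWAP control to UDP port 5246 on the controller (the AP manager interface that listens for the join messages is described in the paragraphs that follow) and tunnel client data over UDP port 5247. The script below is an added example written for this edit, not part of this guide or of any Cisco product. It decodes the cleartext CAPWAP transport and control headers defined in RFC 5415, names a Discovery Request and its discovery type, and flags a discovery that arrives from a subnet where no managed access point should be. The subnet list, the constructed datagrams and all function names are assumptions of the example. One caveat the code makes explicit: only the discovery phase is visible in cleartext; the join request and everything after it travel inside DTLS, so on the wire a join appears only as a DTLS exchange to port 5246.

```python
"""CAPWAP (RFC 5415) control-plane observer for traffic towards an AP manager.

Added example for this design guide; not Cisco code.  The subnets, sample
datagrams and function names are assumptions made for the example.
"""
import ipaddress
import struct

CAPWAP_CONTROL_PORT = 5246          # RFC 5415 section 3.1; data plane uses 5247

# Control message types (RFC 5415 section 4.5.1.1, enterprise number 0)
MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response",
             3: "Join Request", 4: "Join Response"}
# Message element used below (RFC 5415 section 4.6.23)
ELEM_DISCOVERY_TYPE = 20
DISCOVERY_TYPES = {0: "Unknown", 1: "Static Configuration", 2: "DHCP",
                   3: "DNS", 4: "AC Referral"}


def parse_capwap(datagram):
    """Decode the CAPWAP transport header and, for a cleartext control
    datagram, the control header and its message elements."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than CAPWAP header")
    preamble = datagram[0]
    version, ptype = preamble >> 4, preamble & 0x0F
    if version != 0:
        raise ValueError("unsupported CAPWAP version %d" % version)
    if ptype == 1:
        # DTLS header: join and all later control messages are encrypted,
        # so only the fact that a DTLS exchange is happening is observable.
        return {"dtls": True}
    # Bits 8..31: HLEN(5) RID(5) WBID(5) T F L W M K(6) Flags(3)
    word = (datagram[1] << 16) | (datagram[2] << 8) | datagram[3]
    hlen_words = (word >> 19) & 0x1F
    rid = (word >> 14) & 0x1F
    wbid = (word >> 9) & 0x1F          # 1 = IEEE 802.11
    t_flag = (word >> 8) & 1           # T=1: native wireless frame (data plane)
    frag_id, frag_word = struct.unpack("!HH", datagram[4:8])
    header_len = hlen_words * 4
    if header_len < 8 or len(datagram) < header_len + 8:
        raise ValueError("bad HLEN or truncated control header")
    # Control header: Message Type(32) Seq Num(8) Msg Element Length(16) Flags(8)
    msg_type, seq, elem_len, _flags = struct.unpack(
        "!IBHB", datagram[header_len:header_len + 8])
    body = datagram[header_len + 8:header_len + 8 + elem_len]
    elements, pos = [], 0
    while pos + 4 <= len(body):            # TLVs: Type(16) Length(16) Value
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + elen]
        if len(value) != elen:
            raise ValueError("truncated message element %d" % etype)
        elements.append((etype, value))
        pos += 4 + elen
    return {"dtls": False, "rid": rid, "wbid": wbid, "t_flag": t_flag,
            "frag_id": frag_id, "frag_offset": frag_word >> 3,
            "msg_type": msg_type,
            "msg_name": MSG_TYPES.get(msg_type, "type %d" % msg_type),
            "seq": seq, "elements": elements}


def build_discovery_request(discovery_type, seq=0):
    """Construct a minimal Discovery Request (constructed sample input for
    the example, not a capture from real hardware)."""
    element = struct.pack("!HHB", ELEM_DISCOVERY_TYPE, 1, discovery_type)
    control = struct.pack("!IBHB", 1, seq, len(element), 0) + element
    word = (2 << 19) | (0 << 14) | (1 << 9)   # HLEN=2 words, RID=0, WBID=802.11
    transport = bytes([0x00, (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF])
    transport += struct.pack("!HH", 0, 0)     # no fragmentation
    return transport + control


def classify(src_ip, dst_port, datagram, ap_subnets):
    """One-line event for a datagram seen towards the AP manager address;
    `ap_subnets` lists where managed access points are expected to live."""
    if dst_port != CAPWAP_CONTROL_PORT:
        return "IGNORED: not CAPWAP control"
    info = parse_capwap(datagram)
    expected = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n)
                   for n in ap_subnets)
    origin = "expected subnet" if expected else "UNEXPECTED SOURCE"
    if info["dtls"]:
        return "DTLS control traffic from %s (%s)" % (src_ip, origin)
    detail = ""
    for etype, value in info["elements"]:
        if etype == ELEM_DISCOVERY_TYPE and len(value) == 1:
            detail = ", discovery type=%s" % DISCOVERY_TYPES.get(value[0], value[0])
    return "%s from %s (%s)%s" % (info["msg_name"], src_ip, origin, detail)


if __name__ == "__main__":
    subnets = ["10.10.20.0/24"]               # assumed access point VLAN
    pkt = build_discovery_request(2)          # discovered the controller via DHCP
    print(classify("10.10.20.7", 5246, pkt, subnets))
    print(classify("192.0.2.50", 5246, pkt, subnets))
```

Run against a capture, the two strings worth alerting on are a Discovery Request from an unexpected source and DTLS traffic to 5246 from an address that is not on an access point VLAN; both indicate a device trying to join a controller from somewhere the design does not place access points.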

Interfaces are logical entities found on the controller. An interface may have multiple parameters associated with it, including an IP address, default gateway, primary physical port, optional secondary physical port, VLAN identifier, and Dynamic Host Configuration Protocol (DHCP) server. Each interface is mapped to at least one primary port, and multiple interfaces can be mapped to a single controller port.

Note For more information concerning the various types of ports present on Cisco WLAN controllers, see the Cisco Wireless LAN Controller Configuration Guide, Release 6.0 at the following URL: http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60mint.html.

Note For more information concerning the various types of interfaces present on Cisco WLAN controllers, see the Cisco Wireless LAN Controller Configuration Guide, Release 6.0 at the following URL: http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60mint.html#wp1277659.

A special type of controller interface is known as the AP manager interface. A controller has one or more AP manager interfaces, which are used for all Layer 3 communications between the controller and its joined access points. The AP manager interface communicates through a distribution system port by listening across the Layer 3 network for CAPWAP "join" messages generated by access points seeking to communicate with and "join" the controller. The IP address of the AP manager interface is used as the tunnel source for CAPWAP packets from the controller to the access point, and as the destination for CAPWAP packets from the access point to the controller.

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller: LAG bundles all the enabled distribution ports on the WLAN controller into a single EtherChannel interface. When LAG is enabled, the system dynamically manages port redundancy and load balances traffic transparently to the user. For more information, see the Cisco Wireless LAN Controller Configuration Guide, Release 6.0 at the following URL: http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/Controller60CG.html.

Currently published best practices specify either multiple AP manager interfaces (with individual Ethernet links to one or more switches) or link aggregation (with all links destined for the same switch or switch stack) as the recommended methods of interconnecting WLAN controllers with wired network infrastructure. In the Cisco Medium Enterprise Design Profile, the Cisco 5508 Wireless Controllers are interconnected with the modular switches or switch stacks found in the services block using link aggregation and EtherChannel exclusively, as shown in Figure 4-6.

Figure 4-6 WLAN Controller Link Aggregation to Services Block
(CT5508 WLC connected by an EtherChannel bundle to the services block switch)

In this way, one or more centralized WLAN controllers are connected via the services block to the site core. This design can make use of up to eight Gigabit Ethernet connections from the Cisco 5508 Wireless Controller to the services block. These Gigabit Ethernet connections should be distributed among different modular line cards or switch stack members as much as possible, so as to ensure that the failure of a single line card or switch stack member does not result in total failure of the WLAN controller connection to the site network.
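The switch side of Figure 4-6 is where the preceding recommendations are enforced. As an added example (not Cisco's code and not from this guide), the script below parses a Catalyst-style services-block configuration, constructed here for the purpose, and checks it against the points made above: every member port is an 802.1Q trunk, the bundle has at most eight links, the members are spread across more than one line card or stack member, and the channel group is formed with channel-group mode on, which is how a bundle to a Cisco WLC is built because the controller does not negotiate LACP or PAgP. It additionally requires an explicit allowed-VLAN list on the trunk that matches across all members, so the controller only sees the VLANs its interfaces map to, and checks for the global port-channel load-balance src-dst-ip setting. The interface names, VLAN numbers, the load-balance check and the function names are assumptions of the example.

```python
"""Lint an IOS services-block configuration for a WLC link-aggregation bundle.

Added example (not Cisco's code); the sample configuration, interface names
and VLAN numbers are constructed for it.
"""
import re

SAMPLE_CONFIG = """\
port-channel load-balance src-dst-ip
!
interface Port-channel10
 description LAG to CT5508 WLC-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,120,130,200
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,120,130,200
 switchport mode trunk
 channel-group 10 mode on
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,120,130,200
 switchport mode trunk
 channel-group 10 mode on
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 10 mode active
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
CHANNEL_RE = re.compile(r"^channel-group (\d+) mode (\S+)")
SLOT_RE = re.compile(r"^[A-Za-z-]+(\d+)/")   # slot or stack member number


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for every block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks


def trunk_vlans(lines):
    """Explicit allowed-VLAN list, or None when the trunk carries all VLANs."""
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan (\S+)", l)
        if m and m.group(1) != "all":
            return m.group(1)
    return None


def lint_wlc_lag(config, channel_group, max_links=8):
    """Return findings for the given channel-group; an empty list is clean."""
    findings = []
    blocks = parse_interfaces(config)
    po_name = "Port-channel%d" % channel_group
    po_lines = blocks.get(po_name, [])
    if not po_lines:
        findings.append("%s is not configured" % po_name)
    members = {}
    for name, lines in blocks.items():
        for l in lines:
            m = CHANNEL_RE.match(l)
            if m and int(m.group(1)) == channel_group:
                members[name] = m.group(2)
    if not members:
        findings.append("no member ports in channel-group %d" % channel_group)
        return findings
    if len(members) > max_links:
        findings.append("%d members; the 5508 has at most %d ports" % (len(members), max_links))
    for name, mode in members.items():
        if mode != "on":          # the WLC does not run LACP or PAgP
            findings.append("%s: channel-group mode %s; WLC LAG needs mode on" % (name, mode))
    slots = {SLOT_RE.match(n).group(1) for n in members if SLOT_RE.match(n)}
    if len(slots) < 2:
        findings.append("all members on slot/stack member %s; spread across line cards"
                        % ",".join(sorted(slots)))
    reference = trunk_vlans(po_lines)
    if reference is None and po_lines:
        findings.append("%s trunks all VLANs; prune to the WLC's VLANs" % po_name)
    for name in members:
        lines = blocks[name]
        if "switchport mode trunk" not in lines:
            findings.append("%s is not an 802.1Q trunk" % name)
        vl = trunk_vlans(lines)
        if vl != reference:     # members must match the port-channel to bundle
            findings.append("%s allowed VLANs (%s) differ from %s (%s)"
                            % (name, vl, po_name, reference))
    if "port-channel load-balance src-dst-ip" not in config.splitlines():
        findings.append("global port-channel load-balance src-dst-ip not set")
    return findings


if __name__ == "__main__":
    for finding in lint_wlc_lag(SAMPLE_CONFIG, 10):
        print("-", finding)
```

On the sample configuration the linter reports the third member twice: it was configured with channel-group mode active (LACP, which the controller will not answer) and it trunks all VLANs while the other members and the port-channel carry an explicit list, so it would not bundle and would expose every VLAN on the switch to the controller if it did.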

The key advantage of using link aggregation in this fashion instead of multiple AP manager interfaces is design performance, reliability, and simplicity:
• With the Ethernet bundle comprising up to eight Gigabit Ethernet links, link aggregation provides very high traffic bandwidth between the controller and the site network.
• With link aggregation, if any of the controller ports fail, traffic is automatically migrated to one of the other controller ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data. Terminating on different modules within a single Catalyst modular switch, or different switch stack members (as shown in Figure 4-6), provides redundancy and ensures that connectivity between the services block switch and the controller is maintained in the rare event of a failure.
• Link aggregation also offers simplicity in controller configuration; configuring primary and secondary ports for each interface is not required.

The switch features required to implement this connectivity between the WLAN controller and the services block are the same switch features that would otherwise be used for EtherChannel connectivity between switches in general. Further discussion of the advantages of using controller link aggregation, as well as the considerations concerning its implementation in the Cisco Medium Enterprise Design Profile, can be found in Controller Link Aggregation, page 4-35.

Controller Connectivity to Wireless Devices

This section deals with the design considerations that involve provisioning wireless access for the various user groups that reside within the medium enterprise. These considerations include the WLAN controllers deployed in the services blocks, as well as the access points that are located in buildings.

Defining WLANs and SSIDs

In most medium enterprises, various user groups will likely require access to the WLAN for a variety of different purposes, such as the administrators, employees, and guests. Although usage peaks may occur, it is safe to assume that a large portion of these groups will likely want access to the WLAN at more or less the same time. For this reason, in designing for mobility in the Cisco Medium Enterprise Design Profile, the wireless infrastructure must support logical segmentation in such a fashion that a reasonable proportion of all users can be serviced simultaneously and with an appropriate degree of security and performance.

One of the basic building blocks used in the WLAN controller to address this need is the ability to provision logical WLANs, each of which is mapped to a different wired network interface by the WLAN controller. These WLANs are configured and assigned a unique SSID, which is a sequence of characters that uniquely names a WLAN. To promote ease of administration, the value chosen for the SSID should bear some direct relationship to the intended purpose of the WLAN.

Note Each set of wireless devices communicating directly with each other is called a basic service set (BSS). Several BSSs can be joined together to form one logical WLAN segment, referred to as an extended service set (ESS). An SSID is simply the 1–32 byte alphanumeric name given to each ESS; an SSID is also sometimes referred to simply as a network name.

For ease of administration and the support of employees, guests, and visitors that frequent multiple sites, the names chosen for the WLAN SSIDs should be consistent within each site in the medium enterprise system. For example, in Figure 4-7 employee wireless access is made available anywhere there is WLAN RF coverage using the SSID titled "staff".

Figure 4-7 provides a high-level illustration of the three logical WLANs that provide mobility within the Cisco Medium Enterprise Design Profile, and how they are mapped to WLAN controller network interfaces or tunneled to another controller.

Figure 4-7 WLAN SSIDs
(Each access point advertises SSID=Staff, SSID=VoWLAN, and SSID=Guest; the access points reach the controller over LWAPP or CAPWAP; guest traffic is tunneled to the guest network)

In the Medium Enterprise Design Profile, the set of WLAN SSIDs provides access to the following WLANs:
• A secured staff WLAN network with dynamically generated per-user, per-session encryption keys. This WLAN would be used by enterprise employees, administrators, and other staff members using managed client devices, such as laptops, PDAs, and so on. The secured staff WLAN is designed to provide secure access and good performance for devices supported by the medium enterprise network administration staff. Devices that are used on the secured staff WLAN are usually procured and deployed by (or with the knowledge and cooperation of) the medium enterprise network administration staff on behalf of full-time and temporary employees. These employees are typically prohibited from bringing their own personal PDAs, laptops, or voice over WLAN (VoWLAN) phones to use on the secured staff WLAN. This allows, for example, a uniform baseline level of authentication and encryption to be deployed for the secured staff WLAN across all such devices. An underlying assumption made here is that only devices supporting compatible authentication and encryption would be considered for deployment at all. The characteristics of this WLAN include the following:
– Wi-Fi Protected Access 2 (WPA2) encryption with 802.1X/EAP authentication, and Cisco Centralized Key Management (Cisco CKM, also referred to as CCKM) for enhanced roaming. Most modern WLAN client devices being produced today support this level of authentication and encryption. The addition of Cisco CKM in this case provides for faster roaming by enabling Cisco CKM-equipped clients to securely roam from one access point to another without the need to re-authenticate after the roam completes.
– QoS profile setting of silver (best effort delivery).
– Broadcast SSID enabled. There is no real disadvantage to enabling broadcast SSID: hiding the SSID provides no confidentiality, because clients disclose it in their probe and association frames anyway. Enabling it helps to avoid potential connectivity difficulties with some clients.

4 GHz or 5 GHz to access this WLAN. This allows clients that can take advantage of the benefits of 5 GHz operation (such as increased capacity and reduced interference) to do so. The 802.11b and 802.11g physical layers (PHYs) are applied in the unlicensed 2.4 GHz band, whereas the 802.11a PHY is applied in the unlicensed 5 GHz ISM band; 802.11a/bg clients are capable of operating in either the 2.4 or 5 GHz frequency bands because they are capable of using any of the three PHYs. Unlike the 802.11a, 802.11b, and 802.11g designations, 802.11n does not precisely indicate what frequency bands the client is capable of operating within: an 802.11n client may support only one of the two bands, or it may be capable of operating in both.
– WLAN controller QoS profile setting of platinum, which assigns the highest prioritization to voice traffic.

Note For more details on WLAN QoS, see the references contained at the end of Quality-of-Service, page 4-26.

To assure proper security and promote effective device management, employee staff users are typically prohibited from bringing their own personal VoWLAN phones and using them on this WLAN. Devices used on this WLAN are procured, deployed, and managed by (or with the knowledge and cooperation of) the medium enterprise network administration staff. Eliminating the configuration of static IP addresses helps to mitigate the risk of IP address duplication.
For more information about the 802.11n
Enabling the use of WMM in this way is also in
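To make the WLAN characteristics listed above checkable, the following script is an added example, not from this guide or from Cisco. It encodes the baseline the text gives for the secured staff WLAN (WPA2 with 802.1X/EAP, Cisco CKM, QoS silver, broadcast SSID enabled) and for the VoWLAN (QoS platinum, DHCP-assigned addresses, WMM), validates the SSID as the 1 to 32 bytes that 802.11 allows, reports where a proposed profile falls short of the baseline, and renders a compliant profile as AireOS-style config wlan commands. The WLAN IDs, the DHCP server address, the treatment of DHCP and WMM as required settings for voice, the role names, and the exact command syntax are assumptions made here; verify the commands against the controller configuration guide for the release in use.

```python
"""Baseline checker for the staff and voice WLAN profiles described above.

Added example for this design guide, not Cisco code.  Roles, WLAN IDs, the
DHCP server address and the AireOS command syntax are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class WlanProfile:
    ssid: str
    wpa2: bool = True
    cipher: str = "aes"                      # "aes" (CCMP) or "tkip"
    akm: set = field(default_factory=set)    # subset of {"802.1x", "psk", "cckm"}
    qos: str = "silver"                      # bronze | silver | gold | platinum
    broadcast_ssid: bool = True
    dhcp_required: bool = False
    wmm: str = "allowed"                     # disabled | allowed | required


# Per-role expectations: QoS class from the text; DHCP/WMM for voice assumed.
BASELINE = {
    "staff": {"qos": "silver", "dhcp_required": False, "wmm": "allowed"},
    "voice": {"qos": "platinum", "dhcp_required": True, "wmm": "required"},
}


def check_ssid(ssid):
    """802.11 limits an SSID to 1..32 bytes; count bytes, not characters."""
    n = len(ssid.encode("utf-8"))
    if n == 0:
        return "SSID is empty"
    if n > 32:
        return "SSID is %d bytes; maximum is 32" % n
    return None


def check_profile(profile, role):
    """Return the list of baseline violations; an empty list means compliant."""
    findings = []
    ssid_problem = check_ssid(profile.ssid)
    if ssid_problem:
        findings.append(ssid_problem)
    if not profile.wpa2 or profile.cipher != "aes":
        mode = ("WPA2" if profile.wpa2 else "WPA") + "/" + profile.cipher.upper()
        findings.append("secured WLAN must use WPA2 with AES (CCMP), not " + mode)
    if "802.1x" not in profile.akm:
        findings.append("802.1X/EAP must be the key management; per-user, "
                        "per-session keys are not possible with a PSK")
    if "psk" in profile.akm:
        findings.append("PSK must not be enabled alongside 802.1X on a staff/voice WLAN")
    if "cckm" not in profile.akm:
        findings.append("Cisco CKM is not enabled; roaming will require full re-authentication")
    want = BASELINE[role]
    if profile.qos != want["qos"]:
        findings.append("QoS profile is %s; %s WLAN expects %s" % (profile.qos, role, want["qos"]))
    if profile.dhcp_required != want["dhcp_required"]:
        findings.append("DHCP-required should be %s for the %s WLAN" % (want["dhcp_required"], role))
    if profile.wmm != want["wmm"]:
        findings.append("WMM should be %s for the %s WLAN" % (want["wmm"], role))
    if not profile.broadcast_ssid:
        findings.append("broadcast SSID disabled: no security benefit, may break some clients")
    return findings


def aireos_commands(profile, wlan_id, dhcp_server="10.10.1.10"):
    """Render the profile as AireOS `config wlan` commands (syntax assumed)."""
    cmds = ["config wlan create %d %s %s" % (wlan_id, profile.ssid, profile.ssid),
            "config wlan security wpa enable %d" % wlan_id,
            "config wlan security wpa wpa2 enable %d" % wlan_id,
            "config wlan security wpa wpa2 ciphers aes enable %d" % wlan_id]
    for method in sorted(profile.akm):
        cmds.append("config wlan security wpa akm %s enable %d" % (method, wlan_id))
    cmds.append("config wlan qos %d %s" % (wlan_id, profile.qos))
    cmds.append("config wlan broadcast-ssid %s %d"
                % ("enable" if profile.broadcast_ssid else "disable", wlan_id))
    if profile.dhcp_required:
        cmds.append("config wlan dhcp_server %d %s required" % (wlan_id, dhcp_server))
    wmm_word = {"disabled": "disable", "allowed": "allow", "required": "require"}[profile.wmm]
    cmds.append("config wlan wmm %s %d" % (wmm_word, wlan_id))
    cmds.append("config wlan enable %d" % wlan_id)
    return cmds


STAFF = WlanProfile("staff", akm={"802.1x", "cckm"})
VOICE = WlanProfile("vowlan", akm={"802.1x", "cckm"}, qos="platinum",
                    dhcp_required=True, wmm="required")
# A profile an administrator might propose that misses the baseline (constructed).
WEAK = WlanProfile("staff", wpa2=False, cipher="tkip", akm={"psk"}, qos="bronze")

if __name__ == "__main__":
    for name, prof, role in (("staff", STAFF, "staff"), ("voice", VOICE, "voice"),
                             ("weak", WEAK, "staff")):
        print(name, check_profile(prof, role) or "compliant")
    print("\n".join(aireos_commands(VOICE, 2)))
```

The WEAK profile shows why the text insists on managed devices with a uniform baseline: WPA/TKIP with a pre-shared key gives every device the same key material, so the per-user, per-session keys the staff WLAN is defined by are not possible, and a single lost phone exposes the whole WLAN.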