
Advanced Enterprise Campus Design: Routed Access
BRKCRS-3036
Housekeeping

- We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday
- Visit the World of Solutions
- Please remember this is a non-smoking venue
- Please switch off your mobile phones
- Please make use of the recycling bins provided
- Please remember to wear your badge at all times

Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Some loops are fun ...

But not all ... sounds familiar?

"The whole network is down"

  %IP-4-DUPADDR: Duplicate address 10.87.1.2 on Vlan100, sourced by 00d0.04e0.63fc
  %IP-4-DUPADDR: Duplicate address 10.87.1.2 on Vlan100, sourced by 00d0.04e0.63fc
  %IP-4-DUPADDR: Duplicate address 10.87.1.2 on Vlan100, sourced by 00d0.04e0.63fc
  ...

"I can't access anything"

"All systems are unreachable"

  %C4K_EBM-4-HOSTFLAPPING: Host 00:02:A5:8A:8B:5E in vlan 60 is flapping between port Gi3/6 and port Po9
  %C4K_EBM-4-HOSTFLAPPING: Host 00:02:A5:8A:8B:5E in vlan 60 is flapping between port Gi3/6 and port Po9
  %C4K_EBM-4-HOSTFLAPPING: Host 00:02:A5:8A:8B:5E in vlan 60 is flapping between port Gi3/6 and port Po9
  ...

"Nothing seems to work"

  Number of topology changes 2433341 last change occurred 00:00:02 ago
  %PM-SP-4-LIMITS: Virtual port count for module 5 exceeded the recommended limit of 1800
  %PM-SP-4-LIMITS: Virtual port count for switch exceeded the recommended limit of 13000

Many of us have suffered the consequences of an L2 loop.
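The messages above are what a NOC sees while a loop is running, and they are worth alerting on before someone reports "the whole network is down". The following Python detector is an added example, not part of the original slides: it parses the three IOS message types shown above out of a syslog feed, counts repeats per interface/address and per VLAN/MAC, and emits a finding when a threshold is crossed. The sample log is constructed from the lines on the slide plus one unrelated message and one below-threshold duplicate; the threshold of three repeats is an assumed default, not a Cisco recommendation.

```python
import re
from collections import Counter

# Constructed sample: the three message types from the slide, one unrelated message,
# and one DUPADDR for a different host that stays below the alert threshold.
SAMPLE_LOG = """\
%IP-4-DUPADDR: Duplicate address 10.87.1.2 on Vlan100, sourced by 00d0.04e0.63fc
%IP-4-DUPADDR: Duplicate address 10.87.1.2 on Vlan100, sourced by 00d0.04e0.63fc
%IP-4-DUPADDR: Duplicate address 10.87.1.2 on Vlan100, sourced by 00d0.04e0.63fc
%C4K_EBM-4-HOSTFLAPPING: Host 00:02:A5:8A:8B:5E in vlan 60 is flapping between port Gi3/6 and port Po9
%C4K_EBM-4-HOSTFLAPPING: Host 00:02:A5:8A:8B:5E in vlan 60 is flapping between port Gi3/6 and port Po9
%C4K_EBM-4-HOSTFLAPPING: Host 00:02:A5:8A:8B:5E in vlan 60 is flapping between port Gi3/6 and port Po9
%PM-SP-4-LIMITS: Virtual port count for module 5 exceeded the recommended limit of 1800
%PM-SP-4-LIMITS: Virtual port count for switch exceeded the recommended limit of 13000
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.87.1.50)
%IP-4-DUPADDR: Duplicate address 10.87.1.9 on Vlan100, sourced by 0011.2233.4455
"""

PATTERNS = {
    "dupaddr": re.compile(
        r"%IP-4-DUPADDR: Duplicate address (?P<ip>\S+) on (?P<iface>[^,]+), sourced by (?P<mac>\S+)"),
    "hostflap": re.compile(
        r"%C4K_EBM-4-HOSTFLAPPING: Host (?P<mac>\S+) in vlan (?P<vlan>\d+) "
        r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"),
    "vport_limit": re.compile(
        r"%PM-SP-4-LIMITS: Virtual port count for (?P<scope>.+?) exceeded the recommended limit of (?P<limit>\d+)"),
}


def parse_line(line):
    """Return {'kind': ..., <named fields>} for a known loop symptom, else None.
    re.search is used so any syslog timestamp/hostname prefix is ignored."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def detect_l2_loop_symptoms(lines, threshold=3):
    """Aggregate symptoms and return the findings worth paging on.

    DUPADDR is keyed by (interface, IP) and HOSTFLAPPING by (VLAN, MAC): the same
    host seen again and again on one VLAN is the loop/flood signature, while a
    single occurrence is usually just a misconfigured host. Virtual port limits
    are reported on first sight because they are capacity warnings, not repeats."""
    repeats = Counter()
    limits = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "dupaddr":
            repeats[("dupaddr", ev["iface"], ev["ip"])] += 1
        elif ev["kind"] == "hostflap":
            repeats[("hostflap", "vlan " + ev["vlan"], ev["mac"])] += 1
        else:
            limits[ev["scope"]] = int(ev["limit"])
    findings = [
        {"kind": kind, "where": where, "who": who, "count": n}
        for (kind, where, who), n in sorted(repeats.items()) if n >= threshold
    ]
    findings += [
        {"kind": "vport_limit", "where": scope, "who": None, "count": limit}
        for scope, limit in sorted(limits.items())
    ]
    return findings


if __name__ == "__main__":
    for f in detect_l2_loop_symptoms(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:12s} {f['where']:10s} {f['who'] or '-':20s} x{f['count']}")
```

Run against the constructed sample this reports the repeated duplicate address, the flapping MAC and both virtual port limit warnings, and ignores the single DUPADDR for 10.87.1.9 and the unrelated CONFIG_I line.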


The Problem? One Solution...

L2 control plane failure: L2 fails open, i.e. broadcasts and unknown unicasts are flooded ... a loop, and a network down.

L3 control plane failure: L3 fails closed, i.e. a neighbour is lost ... some subnets down.
This Is Not About...
L2 = BAD, L3 = GOOD

This is about ...
A design alternative that leverages L3 routing all the way down to the access layer, to see where it brings an advantage while we analyze the trade-offs of using it.
Enterprise Campus Design: Routed Access
Agenda
- Introduction
- Cisco Campus Architecture Review
- Campus Routing Foundation and Best Practices
- Building a Campus Network with no L2 Loops: a Routed Access Design
- Routed Access Design and VSS
- Routed Access Design for IPv6
- Impact of Routed Access Design for Advanced Technologies
- Summary
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Next Generation Campus Design
21st Century Business Realities
- One Time Zone: Real Time
- Workers, Customers, and Partners Operate "In the Moment"
- Rapid Collective Decisions
- Strict Governance for Compliance and Risk Reduction
- Resources Must be Leveraged to Their Maximum
Next Generation Campus Design
New Network "Users" (new devices)

[Diagram: campus and data center; the device and user types attaching to the network: badge readers, unknown or guest, partners, employees, subcontractors, consultants]
Next Generation Campus Design
New Application Traffic Models
- Application traffic requirements are evolving
  - Desktop based Unified Communications
  - Collaborative apps
  - High Definition Video
  - Web portals and front-ends leveraging common HTTP transport
- Requirements for more granular application awareness in network services, QoS, Security, HA, etc.

[Diagram: campus to data center; application intelligence, security and flow information required at more layers]
Next Generation Campus Design
Unified Communications Video Evolution
- IP Telephony (IPT) is now a mainstream technology
- Ongoing evolution to the full spectrum of Unified Communications
- High Definition Video Communications requires stringent Service-Level Agreements (SLA)
  - Reliable Service: High Availability Infrastructure
  - Application Service Management: End-to-End QoS
Medianet Application Requirements
The Effect of Convergence Times on Media Flows

The stresses and demands of video on the network expose the shortcomings of "good enough" convergence.

[Chart: Effect of 0.8 sec of interruption on diverse multimedia traffic; traffic (Kbps, 0 to 600000) over time, with a 0.8 sec loss and a 0.4 sec loss marked; annotations "0.8 sec" and "> 1 min"]
Fast Convergence and Reliability Are Essential...
Section: Cisco Campus Architecture Review
Hierarchical Network Design
Without a Rock Solid Foundation the Rest Doesn't Matter
- Offers hierarchy: each layer (access, distribution, core) has a specific role
- Modular topology: building blocks
- Easy to grow, understand, and troubleshoot
- Creates small fault domains: clear demarcations and isolation
- Promotes load balancing and redundancy
- Promotes deterministic traffic patterns
- Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strengths of both
- Can be applied to both the multilayer and routed campus designs

[Diagram: access, distribution and core layers, with WAN, Data Center and Internet building blocks attached to the core]
Multilayer Campus Network Design
Layer 2 Access with Layer 3 Distribution

Left (L3 link between the distribution switches; VLANs 10, 20, 30 each local to one access switch):
- Each access switch has unique VLANs
- No Layer 2 loops
- Layer 3 link between the distribution switches
- No blocked links

Right (L2 link between the distribution switches; VLAN 30 on every access switch):
- At least some VLANs span multiple access switches
- Layer 2 loops
- Layer 2 and 3 running over the link between the distribution switches
- Blocked links
Multilayer Campus Network Design
Well Understood Best Practices
- Mature, 10+ year old design
- Evolved due to historical pressures
  - Cost of routing vs. switching
  - Speed of routing vs. switching
  - Non-routable protocols
- Well understood optimization of the interaction between the various control protocols and the topology
  - STP Root and HSRP primary tuning to load balance on uplinks
  - Spanning Tree Toolkit (RootGuard, LoopGuard, ...)
  - etc.

[Diagram: distribution pair with Root Bridge & HSRP Active on one switch and HSRP Standby on the other; RootGuard and LoopGuard on the uplinks; CISF and BPDU Guard on the access ports]

BRKCRS-2031 – Multilayer Campus Architectures and Design Principles
Multilayer Campus Network Design
Good Solid Design Option
- Utilizes multiple control protocols
  - Spanning Tree (802.1w, ...)
  - FHRP (HSRP, VRRP, GLBP, ...)
  - Routing protocol (EIGRP, ...)
- Convergence is dependent on multiple factors
  - FHRP: 900 msec to 9 seconds
  - Spanning Tree: 400 msec to 50 seconds
- FHRP load balancing
  - HSRP/VRRP: per subnet
  - GLBP: per host

[Chart: FHRP convergence, time to restore VoIP data flows (seconds, 0 to 10) against HSRP hello timers of 250 msec and 3 secs]
Multilayer Campus Network Design
Layer 2 Loops and Spanning Tree
- The campus Layer 2 topology has sometimes proven an operational or design challenge
- The spanning tree protocol itself is not usually the problem; it's the external events that trigger the loop or the flooding
- L2 has no native mechanism to dampen a problem: L2 fails open, as opposed to L3, which fails closed
- Implement physical L2 loops only when you have to

[Diagram: Switch 1 and Switch 2 connected by two links (ports 3/1 and 3/2 on each); a frame to DST MAC 0000.0000.4444 circulates between them]
Section: Campus Routing Foundation and Best Practices
Best Practices—Campus Routing
Leverage Equal Cost Multiple Paths
- Use routed point-to-point links and do not peer over client VLANs/SVIs
- ECMP is used to quickly re-route around failed nodes/links while providing load balancing over redundant paths
- Tune the CEF L3/L4 load balancing hash to achieve maximum utilization of the equal cost paths (avoid CEF polarization)
- Build triangles, not squares, for deterministic convergence
- Ensure redundant L3 paths to avoid black holes
- Summarize distribution to core to limit event propagation
- Utilized on both multilayer and routed access designs

[Diagram: Layer 3 equal cost links from each distribution pair to the core; WAN, Data Center and Internet blocks]
Routed Interfaces Offer Best Convergence Properties
- Configuring L3 routed interfaces provides for faster convergence than a L2 switchport with an associated L3 SVI

L3 routed interface (~8 msec loss): 1. Link down, 2. Interface down, 3. Routing update
  21:38:37.042 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
  21:38:37.050 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
  21:38:37.050 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route_adjust GigabitEthernet3/1

L2 switchport with SVI (~150-200 msec loss): 1. Link down, 2. Interface down, 3. Autostate, 4. SVI down, 5. Routing update
  21:32:47.813 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to down
  21:32:47.821 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down
  21:32:48.069 UTC: %LINK-3-UPDOWN: Interface Vlan301, changed state to down
  21:32:48.069 UTC: IP-EIGRP(Default-IP-Routing-Table:100): Callback: route, adjust Vlan301
CEF Load Balancing
Underutilized Redundant Layer 3 Paths
- The default CEF hash input is the L3 source and destination IP addresses
  - Imbalance/overload could occur
- CEF polarization: in a multihop design, CEF could select the same left/left or right/right path
  - Redundant paths are ignored/underutilized
- Two solutions:
  1. CEF hash tuning
  2. CEF Universal ID

[Diagram: access, distribution, core, distribution, access, all using the default L3 hash; the same left/right choice repeats at every hop, the redundant paths are ignored, and the core links carry 70% / 30% of the load]
CEF Load Balancing
1. Avoid Polarization with CEF Hash Tuning
- With the defaults, CEF could select the same left/left or right/right paths and ignore some redundant paths
- Alternating the L3/L4 hash and the default L3 hash gives better load balancing results
- The default is the L3 hash: no modification required in the core or access
- In the distribution switches use:
    mls ip cef load-sharing full
  to achieve better redundant path utilization*

[Diagram: access (default L3 hash), distribution (L3/L4 hash), core (default L3 hash), distribution (L3/L4 hash), access (default L3 hash); all paths used; left side shown]
CEF Load Balancing
2. Avoid Polarization with Universal ID
- Cisco IOS uses the "Universal ID" concept (also called Unique ID) to prevent CEF polarization
  - Universal ID generated at bootup (32-bit pseudo-random value seeded by the router's base IP address)
- The Universal ID used as input to the ECMP hash introduces variability in the hash result at each network layer
- Universal ID supported on Catalyst 6500 Sup-32 and Sup-720
- Universal ID supported on Catalyst 4500 SupII+10GE, SupV-10GE and Sup6E

[Diagram: each tier hashes using Source IP (SIP), Destination IP (DIP) and its own Universal ID]

Catalyst 4500 load-sharing options:
  Original       Src IP + Dst IP
  Universal*     Src IP + Dst IP + Unique ID
  Include Port   Src IP + Dst IP + (Src or Dst Port) + Unique ID

Catalyst 6500 PFC3** load-sharing options:
  Default*           Src IP + Dst IP + Unique ID
  Full               Src IP + Dst IP + Src Port + Dst Port
  Full Exclude Port  Src IP + Dst IP + (Src or Dst Port)
  Simple             Src IP + Dst IP
  Full Simple        Src IP + Dst IP + Src Port + Dst Port

* = Default load-sharing mode
** = PFC3 in Sup720 and Sup32 supervisors
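To see why the same hash at every hop polarizes traffic, and how the two fixes above decorrelate the choice, here is an added Python model; it is not Cisco code and not from the deck. Three tiers (access, distribution, core) each pick one of two equal-cost uplinks as hash(inputs) mod 2. SHA-256 stands in for the hardware hash, the per-tier Unique ID values are made up, and the flows are constructed at random with a fixed seed. The "alternate" mode is the hash-tuning slide (L3/L4 hash in the distribution, default L3 hash elsewhere); the "universal" mode is the Unique ID slide.

```python
import hashlib
import random
from collections import Counter
from dataclasses import dataclass

TIERS = ("access", "distribution", "core")   # each hop picks one of two equal-cost uplinks: 0 = left, 1 = right

# Assumed per-box "Unique IDs"; on the real platforms they are generated at boot.
NODE_IDS = {"access": 0x1A2B3C4D, "distribution": 0x5E6F7081, "core": 0x92A3B4C5}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


def hw_hash(*inputs) -> int:
    """Stand-in for the platform hash: identical inputs always give the same bucket."""
    data = "|".join(str(i) for i in inputs).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def pick_uplink(flow: Flow, tier: str, mode: str) -> int:
    """Which of the two equal-cost uplinks a switch at `tier` selects for `flow`."""
    if mode == "default":            # L3 hash (src IP, dst IP) at every tier
        return hw_hash(flow.src, flow.dst) % 2
    if mode == "alternate":          # L3/L4 hash in the distribution only, L3 hash in core and access
        if tier == "distribution":
            return hw_hash(flow.src, flow.dst, flow.sport, flow.dport) % 2
        return hw_hash(flow.src, flow.dst) % 2
    if mode == "universal":          # src IP + dst IP + the box's own Unique ID
        return hw_hash(flow.src, flow.dst, NODE_IDS[tier]) % 2
    raise ValueError(f"unknown load-sharing mode {mode!r}")


def path(flow: Flow, mode: str) -> tuple:
    """The (access, distribution, core) uplink choices a flow ends up on."""
    return tuple(pick_uplink(flow, tier, mode) for tier in TIERS)


def path_usage(flows, mode: str) -> Counter:
    """How many flows land on each uplink combination; 2**len(TIERS) are possible."""
    return Counter(path(f, mode) for f in flows)


def constructed_flows(n: int = 400, seed: int = 7):
    """Random but reproducible client-to-server flows (constructed sample input)."""
    rng = random.Random(seed)
    return [Flow(src=f"10.1.{rng.randrange(20, 60)}.{rng.randrange(1, 250)}",
                 dst=f"10.5.{rng.randrange(1, 20)}.{rng.randrange(1, 250)}",
                 sport=rng.randrange(1024, 65535),
                 dport=rng.choice((80, 443, 5060, 3389)))
            for _ in range(n)]


if __name__ == "__main__":
    flows = constructed_flows()
    for mode in ("default", "alternate", "universal"):
        usage = path_usage(flows, mode)
        print(f"{mode:10s} {len(usage)} of {2 ** len(TIERS)} uplink combinations used:",
              dict(sorted(usage.items())))
```

With the default hash every tier makes the same decision, so only left/left/left and right/right/right ever occur and half of the core links sit idle. Alternating the L3/L4 hash in the distribution decorrelates that tier only (4 of 8 combinations), while a per-box Unique ID decorrelates every tier (all 8).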
Best Practice—Build Triangles Not Squares
Deterministic vs. Non-Deterministic

Model A, triangles: a link/box failure does not require routing protocol convergence.
Model B, squares: a link/box failure requires routing protocol convergence.

- Layer 3 redundant equal cost links provide fast convergence
- Hardware based: fast recovery to the remaining path
- Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path)
CEF ECMP—Optimize Convergence
ECMP Convergence Is Dependent on Number of Routes
- The time to update the switch HW FIB is linearly dependent on the number of entries (routes) to be updated
- Summarization will decrease the RP load as well as speed up convergence

[Chart: time to restore voice (seconds, 0 to 2.5) against the number of routes in the area (800, 1000, 3000, 6000, 9000, 12000) on a Sup720; the time for ECMP recovery grows with the route count]
Section: Building a Campus Network with no L2 Loops: a Routed Access Design
Routed Access Design
Layer 3 Distribution with Layer 3 Access: no L2 Loop

[Diagram: left, the GLBP model with Layer 3 (EIGRP/OSPF) between core and distribution and Layer 2 from distribution to access; right, Layer 3 (EIGRP/OSPF) all the way to the access switches, with Layer 2 only on the access ports. Example subnets: 10.1.20.0 VLAN 20 Data, 10.1.120.0 VLAN 120 Voice, 10.1.40.0 VLAN 40 Data, 10.1.140.0 VLAN 140 Voice]

- Move the Layer 2/3 demarcation to the network edge
- Leverages L2 only on the access ports, but builds an L2 loop-free network
- Design motivations: simplified control plane, ease of troubleshooting, highest availability
Routed Access Advantages
Simplified Control Plane
- Simplified control plane
  - No STP feature placement (root bridge, loopguard, ...)
  - No default gateway redundancy setup/tuning (HSRP, VRRP, GLBP, ...)
  - No matching of STP/HSRP priority
  - No asymmetric flooding
  - No L2/L3 multicast topology inconsistencies
  - No trunking configuration required
- L2 port edge features still apply:
  - Spanning Tree PortFast
  - Spanning Tree BPDU Guard
  - Port Security, DHCP Snooping, DAI, IPSG (the access VLAN is still a broadcast domain, so host-side attacks such as rogue DHCP servers and ARP spoofing are unchanged by routing at the edge)
  - Storm Control
  - 802.1X
  - QoS settings ...
Routed Access Advantages
Simplified Network Recovery
- Routed access network recovery is dependent on L3 re-route
- The time to restore downstream flows is based on a routing protocol re-route:
  - Time to detect the link failure
  - Time to determine the new route
  - Process the update for the SW RIB
  - Update the HW FIB
- The time to restore upstream traffic flows is based on an ECMP re-route:
  - Time to detect the link failure
  - Process the removal of the lost routes from the SW RIB
  - Update the HW FIB

[Diagram: upstream recovery: ECMP; downstream recovery: routing protocol]
Routed Access Advantages
Faster Convergence Times
- RPVST+ convergence times are dependent on FHRP tuning; proper design and tuning can achieve sub-second times
- EIGRP converges in < 200 msec
- OSPF converges in < 200 msec with LSA and SPF tuning

[Chart: both L2 and L3 can provide sub-second convergence; upstream and downstream restoration time (seconds, 0 to 2) for RPVST+ with FHRP, OSPF and EIGRP]
Routed Access Advantages
A Single Router per Subnet: Simplified Multicast
- Layer 2 access has two multicast routers per access subnet, RPF checks and split roles between the routers
- Routed access has a single multicast router, which simplifies the multicast topology and avoids the RPF check altogether

[Diagram: L2 access: the IGMP querier (low IP address) is one distribution switch and the PIM designated router (high IP address) is the other; the non-DR has to drop all non-RPF traffic. Routed access: the access switch is both designated router and IGMP querier]
Routed Access Advantages
Ease of Troubleshooting
- Routing troubleshooting tools
  - show ip route / show ip cef
  - traceroute
  - ping and extended pings
  - Extensive protocol debugs
  - Consistent troubleshooting: access, distribution, core
  - IP SLA from the access layer
- Failure differences
  - Routed topologies fail closed, i.e. neighbor loss
  - Layer 2 topologies fail open, i.e. broadcasts and unknowns flooded

  switch#sh ip cef 192.168.0.0
  192.168.0.0/24
    nexthop 192.168.1.6 TenGigabitEthernet9/4
Routed Access Design Considerations
Design Constraints
- Can't span VLANs across multiple wiring closet switches
  + Contained broadcast domains
  + But you can have the same VLAN ID on all closets
- RSPAN no longer possible
  - Can use ERSPAN on Catalyst 6500
- IP addressing: do you have enough address space and the allocation plan to support a routed access design?
Routed Access Design Considerations
Platform Requirements
- Catalyst requirements
  - Cisco Catalyst 3550 or above (including X, E and v2 models)
  - Catalyst 6500 Supervisor with an MSFC
- Catalyst IOS IP Base minimum feature set
  - EIGRP Stub: edge router
  - PIM Stub: edge router
  - OSPF for Routed Access
  - 200 connected routes
  - Catalyst 3000 Series IOS 12.2(55)SE – Q3CY10
  - Catalyst 4500 Series IOS 12.2(53)SG
  - Catalyst 6500 Series IOS 12.2(33)SXI4
Routed Access Design
Migrating from a L2 Access Model

[Diagram: DHCP/DNS server 10.5.10.20 behind the core; distribution pair running EIGRP/OSPF upstream and the GLBP model downstream, with subnets 10.1.20.0/23, 10.1.30.0/23 ... 10.1.120.0/23 for VLANs 20, 30 ... 120 trunked to every access switch, where the same VLANs 20, 30 ... 120 hold the user groups]

Distribution SVI (one per VLAN):
  interface Vlan20
   ip address 10.1.20.3 255.255.255.0
   ip helper-address 10.5.10.20
   standby 1 ip 10.1.20.1
   standby 1 timers msec 200 msec 750
   standby 1 priority 150
   standby 1 preempt
   standby 1 preempt delay minimum 180
   ...

Distribution downlink (L2 trunk):
  interface GigabitEthernet1/1
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 20-120
   switchport mode trunk
   switchport nonegotiate
   ...

- A typical deployment uses a VLAN/subnet per user group
- To facilitate user mobility, VLANs extend to multiple closets
Routed Access Design
Migrating from a L2 Access Model

[Diagram: as on the previous slide (DHCP/DNS server 10.5.10.20, subnets 10.1.20.0/23, 10.1.30.0/23 ... 10.1.120.0/23 for VLANs 20, 30 ... 120), but the distribution-to-access links are now L3; the distribution SVI configuration (interface Vlan20 with HSRP) is unchanged from the previous slide]

Distribution downlink (routed point-to-point, replacing the trunk):
  interface GigabitEthernet1/1
   description Distribution Downlink
   ip address 10.120.0.196 255.255.255.254

- As routing is moved to the access layer, trunking is no longer required
- /31 addressing can be used on point-to-point links to optimize IP space utilization
Routed Access Design
Migrating from a L2 Access Model

[Diagram: the campus-wide subnets are split per closet: 10.1.20.0/23 becomes 10.1.20.0/25 and 10.1.20.128/25, 10.1.30.0/23 becomes 10.1.30.0/25 and 10.1.30.128/25, ... 10.1.120.0/23 becomes 10.1.120.0/25 and 10.1.120.128/25; the HSRP-based distribution SVI configuration of the previous slides is replaced by a plain SVI on each access switch]

Access switch SVI (one per local VLAN):
  interface Vlan20
   ip address 10.1.20.3 255.255.255.128
   ip helper-address 10.5.10.20

- SVI configuration at the access layer is simplified
- The larger subnets used before can simply be split into smaller ones and assigned to new DHCP scopes
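The three migration slides above are an address-plan exercise: each campus-wide VLAN subnet has to be carved into one piece per closet, every uplink needs a /31, and each piece needs a DHCP scope. The following Python planner is an added example, not part of the deck; it uses the standard `ipaddress` module to do that arithmetic and to refuse a plan that runs out of space, which answers the "do you have enough address space?" question from the design-constraints slide before any switch is touched. The starting subnets, helper address and uplink pool are taken from the slides; treating the access switch's own SVI address as the first host of each piece is an assumption (the slides keep .3).

```python
import ipaddress
from itertools import islice

# Assumed starting point, taken from the slides: one subnet per user VLAN shared by every closet,
# a DHCP/DNS server at 10.5.10.20, and a pool reserved for routed uplinks.
OLD_VLAN_SUBNETS = {20: "10.1.20.0/24", 30: "10.1.30.0/24", 120: "10.1.120.0/24"}
HELPER = "10.5.10.20"


def split_for_closets(vlan_net, closets, min_hosts=0):
    """Carve one VLAN's campus-wide subnet into equal pieces, one per wiring closet.
    Rounds the piece count up to a power of two and rejects pieces too small for min_hosts."""
    net = ipaddress.ip_network(vlan_net)
    diff = (closets - 1).bit_length()            # 1 -> 0, 2 -> 1, 3..4 -> 2, 5..8 -> 3
    pieces = [net] if diff == 0 else list(islice(net.subnets(prefixlen_diff=diff), closets))
    usable = pieces[0].num_addresses - 3         # network, broadcast and the switch's SVI address
    if usable < min_hosts:
        raise ValueError(f"{net} split {closets} ways leaves {usable} hosts per closet, need {min_hosts}")
    return pieces


def allocate_p2p_links(pool, count):
    """Hand out /31 point-to-point subnets for access-to-distribution uplinks."""
    links = list(islice(ipaddress.ip_network(pool).subnets(new_prefix=31), count))
    if len(links) < count:
        raise ValueError(f"{pool} holds only {len(links)} /31 links, need {count}")
    return links


def dhcp_scope(subnet):
    """Lease range: everything after the gateway (first host) up to the last host."""
    hosts = list(subnet.hosts())
    return str(hosts[1]), str(hosts[-1])


def svi_config(vlan, subnet, helper=HELPER):
    """IOS SVI stanza for a routed-access closet: the switch itself is the gateway (first host)."""
    gw = next(subnet.hosts())
    return [f"interface Vlan{vlan}",
            f" ip address {gw} {subnet.netmask}",
            f" ip helper-address {helper}"]


def plan_routed_access(vlan_subnets, closets, uplinks_per_closet, p2p_pool, min_hosts=0):
    """Per-closet subnet for every VLAN, its DHCP scope, and a /31 per uplink."""
    per_vlan = {v: split_for_closets(n, len(closets), min_hosts) for v, n in vlan_subnets.items()}
    links = iter(allocate_p2p_links(p2p_pool, len(closets) * uplinks_per_closet))
    plan = {}
    for i, closet in enumerate(closets):
        svis = {v: per_vlan[v][i] for v in vlan_subnets}
        plan[closet] = {
            "svi": svis,
            "dhcp": {v: dhcp_scope(s) for v, s in svis.items()},
            "uplinks": [next(links) for _ in range(uplinks_per_closet)],
        }
    return plan


if __name__ == "__main__":
    plan = plan_routed_access(OLD_VLAN_SUBNETS, ["closet-A", "closet-B", "closet-C"],
                              uplinks_per_closet=2, p2p_pool="10.120.0.0/26", min_hosts=40)
    for closet, entry in plan.items():
        print(f"== {closet}: uplinks {[str(l) for l in entry['uplinks']]}")
        for vlan, subnet in entry["svi"].items():
            print("\n".join(svi_config(vlan, subnet)), " ! DHCP scope", entry["dhcp"][vlan])
```

Three closets force a four-way split (/26 per closet), so a /24 that comfortably served a spanned VLAN leaves 61 usable hosts per closet; raising `min_hosts` to what the closet actually needs is where an under-sized allocation plan shows up.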
Enterprise Campus Design: Routed Access
Agenda
- Introduction
- Cisco Campus Architecture Review
- Campus Routing Foundation and Best Practices
- Building a Campus Network with no L2 Loops: a Routed Access Design
  - EIGRP Design to Route to the Access Layer
  - OSPF Design to Route to the Access Layer
  - Other Design Considerations
- Routed Access Design and VSS
- Routed Access Design for IPv6
- Impact of Routed Access Design for Advanced Technologies
Deploying a Stable and Fast Converging EIGRP Campus Network
- The key aspects to consider are:
  - Using EIGRP Stub at the access layer
  - Route summarization at the distribution layer
  - Leverage route filters
  - Consider hello and hold timer tuning
EIGRP Neighbors
Event Detection
- EIGRP neighbor relationships are created when a link comes up and the routing adjacency is established
- When a physical interface changes state, the routing process is notified
  - Carrier-delay should be set explicitly as a rule, because its default varies by platform
- Some events are detected only by the routing protocol
  - The neighbor is lost, but the interface is UP/UP
- To improve failure detection
  - Use routed interfaces and not SVIs
  - Decrease the interface carrier-delay to 0
  - Decrease the EIGRP hello and hold-down timers
    - Hello = 1
    - Hold-down = 3

  interface GigabitEthernet3/2
   ip address 10.120.0.50 255.255.255.252
   ip hello-interval eigrp 100 1
   ip hold-time eigrp 100 3
   carrier-delay msec 0

[Diagram: routed interface between access and distribution exchanging hellos, compared with an L2 switch or VLAN interface]
EIGRP in the Campus
Conversion to an EIGRP Routed Edge
- The greatest advantages of EIGRP are gained when the network has an IP addressing plan that allows for the use of summarization and stub routers
- EIGRP allows for multiple tiers of hierarchy, summarization and route filtering
- Relatively painless to migrate to an L3 access with EIGRP
- Deterministic convergence time in a very large L3 topology
- EIGRP maps easily to the campus topology

[Diagram: 10.10.0.0/16 at the core, with 10.10.0.0/17 and 10.10.128.0/17 summarized from the two distribution pairs]
EIGRP Design Rules for HA Campus
Limit Query Range to Maximize Performance
- EIGRP convergence is largely dependent on query response times
- Minimize the number of queries to speed up convergence
- Summarize distribution block routes upstream to the core
  - Upstream queries are returned immediately with infinite cost
- Configure all access switches as EIGRP stub routers
  - No downstream queries are ever sent

Distribution (summary towards the core, only the default route towards the access):
  interface TenGigabitEthernet 4/1
   ip summary-address eigrp 100 10.120.0.0 255.255.0.0 5

  router eigrp 100
   network 10.0.0.0
   distribute-list Default out <mod/port>

  ip access-list standard Default
   permit 0.0.0.0

Access (stub):
  router eigrp 100
   network 10.0.0.0
   eigrp stub connected
EIGRP Query Process
Queries Propagate the Event
- EIGRP is an advanced distance vector protocol; it relies on its neighbors to provide routing information
- If a route is lost and no feasible successor is available, EIGRP actively queries its neighbors for the lost route(s)
- The router waits for replies from all queried neighbors before calculating a new path
- If any neighbor fails to reply, the queried route is stuck in active and the router resets the neighbor adjacency
- The fewer routers and routes queried, the faster EIGRP converges; the solution is to limit query propagation

[Diagram: a query is propagated hop by hop through access, distribution, core, distribution and access, and every hop must reply before the originator can converge]
Limiting the EIGRP Query Range
With Summarization
- When we summarize from distribution to core for the subnets in the access, we can limit the upstream query/reply process
- In a large network this could be significant because queries will now stop at the core; no additional distribution blocks will be involved in the convergence event
- The access layer is still queried

  interface gigabitethernet 3/1
   ip address 10.120.10.1 255.255.255.252
   ip summary-address eigrp 1 10.130.0.0 255.255.0.0

[Diagram: the core answers the distribution's query with an immediate infinite-cost reply because it only holds the summary route, so no queries reach the rest of the network; the access switches are still queried and reply]
Limiting the EIGRP Query Range
With Stub Routers
- A stub router signals (through hellos) that it is a stub and not a transit path
- Queries are not sent towards the stub routers but are marked as if a "No path this direction" reply had been received
- D1 knows that stubs cannot be transit paths, so they will not have any path to 10.130.1.0/24
- D1 will not query the stubs, reducing the total number of queries in this example to one
- Stubs will not pass D1's advertisement of 10.130.1.0/24 to D2
- D2 will only have one path to 10.130.1.0/24

[Diagram: distribution switches D1 and D2 above four stub access switches; the stubs announce "Hello, I'm a stub" and D1 answers "I'm not going to send you any queries since you said that"; D1 sends a single query to D2 for 10.130.1.0/24]
EIGRP Query Process
With Summarization and Stub Routers
- When we summarize from distribution into core we can limit the upstream query/reply process
- Queries will now stop at the core; no additional routers will be involved in the convergence event
- With EIGRP stubs we can further reduce the query diameter
- Non-stub routers do not query stub routers, so no queries will be sent to the access nodes
- Only three nodes are involved in the convergence event: no secondary queries

[Diagram: the core replies with infinite cost for the summarized prefix; the query/reply exchange is between the distribution pair and the core only; the stub access switches are not queried]
EIGRP Route Filtering in the Campus
Control Route Advertisements
- Bandwidth is not a constraining factor in the campus, but it is still advisable to control the number of routing updates advertised
- Remove/filter routes from the core to the access and inject a default route with distribute-lists
- A smaller routing table in the access is simpler to troubleshoot
- Deterministic topology

  ip access-list standard Default
   permit 0.0.0.0

  router eigrp 100
   network 10.0.0.0
   distribute-list Default out <mod/port>

[Diagram: the default and other routes arrive at the distribution from the core; only the default route 0.0.0.0 is advertised down to the access]
EIGRP Routed Access Campus Design
Summary
- Detect the event:
  - Set hello-interval = 1 second and hold-time = 3 seconds to detect soft neighbor failures
  - Set carrier-delay = 0
- Propagate the event:
  - Configure all access layer switches as stub routers to limit queries from the distribution layer
  - Summarize the routes from the distribution to the core to limit queries across the campus
- Process the event:
  - Summarize and filter routes to minimize calculating new successors for the RIB and FIB

[Diagram: default and other routes from the core; a summary route from distribution to core; the default 0.0.0.0 to the stub access switches]
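The query-range slides above (summarization, stub routers, and both together) describe how far a query spreads when an access subnet disappears. The following Python model is an added example, not from the deck or from Cisco, that replays that process on a constructed two-block campus: a router that holds only a summary, or still has another next hop for the prefix, replies immediately; a router with no path left goes active and queries its non-stub neighbours; a stub is never queried. The topology, the route tables and the failure (access switch A1 and its 10.130.1.0/24 subnet going away) are constructed; the feasibility condition, SIA timers and adjacency resets are deliberately not modelled, so the counts illustrate the query diameter, not exact EIGRP timing.

```python
from collections import deque

# Constructed campus: two distribution blocks (D1/D2 with access A1/A2, D3/D4 with A3/A4)
# joined by a core pair (C1/C2); each distribution pair also shares a direct L3 link.
TOPOLOGY = {
    "A1": {"D1", "D2"}, "A2": {"D1", "D2"},
    "D1": {"A1", "A2", "D2", "C1", "C2"}, "D2": {"A1", "A2", "D1", "C1", "C2"},
    "C1": {"D1", "D2", "D3", "D4"}, "C2": {"D1", "D2", "D3", "D4"},
    "D3": {"C1", "C2", "D4", "A3", "A4"}, "D4": {"C1", "C2", "D3", "A3", "A4"},
    "A3": {"D3", "D4"}, "A4": {"D3", "D4"},
}
PREFIX = "10.130.1.0/24"          # A1's connected subnet (address taken from the slides)
STUB_ACCESS = frozenset({"A1", "A2", "A3", "A4"})


def specific_routes(summarized):
    """Next hops for PREFIX on every router that carries the specific route.
    With summarization at D1/D2 towards the core, the core and the other distribution
    block hold only 10.130.0.0/16 and therefore do not appear here at all."""
    routes = {"A1": {"connected"}, "D1": {"A1"}, "D2": {"A1"}, "A2": {"D1", "D2"}}
    if not summarized:
        routes.update({"C1": {"D1", "D2"}, "C2": {"D1", "D2"},
                       "D3": {"C1", "C2"}, "D4": {"C1", "C2"},
                       "A3": {"D3", "D4"}, "A4": {"D3", "D4"}})
    return routes


def query_scope(failed, stubs=frozenset(), summarized=False):
    """Sorted list of routers pulled into the query/reply process when `failed` disappears."""
    topo = {r: n - {failed} for r, n in TOPOLOGY.items() if r != failed}
    nh = {r: v - {failed} for r, v in specific_routes(summarized).items() if r != failed}
    origins = sorted(r for r, v in nh.items() if not v)      # lost their only path: go active
    queue = deque((r, None) for r in origins)                # (router, who queried it)
    queried, active = set(), set()
    while queue:
        router, querier = queue.popleft()
        if querier is not None:
            queried.add(router)
        if router not in nh or router in active:
            continue                      # only a summary (or already active): reply infinity
        nh[router].discard(querier)       # the querier can no longer be a next hop
        if nh[router]:
            continue                      # still has a usable path: reply with it
        active.add(router)                # no path left: query every non-stub neighbour
        for n in sorted(topo[router]):
            if n != querier and n not in stubs:
                queue.append((n, router))
    return sorted(set(origins) | queried)


if __name__ == "__main__":
    for label, kw in (("no stubs, no summary", {}),
                      ("summary only", {"summarized": True}),
                      ("stubs only", {"stubs": STUB_ACCESS}),
                      ("stubs + summary", {"stubs": STUB_ACCESS, "summarized": True})):
        involved = query_scope("A1", **kw)
        print(f"{label:22s} {len(involved)} routers involved: {involved}")
```

Without either measure the query for the lost /24 reaches every remaining router in both blocks; summarization keeps it inside the first distribution block and the core but still drags in access switch A2; stubs alone keep the access layer out but let the query cross the core into the second block; together they confine the event to the distribution pair and the two core switches.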
Section: OSPF Design to Route to the Access Layer
Deploying a Stable and Fast Converging OSPF Campus Network
- Key objectives of the OSPF campus design:
  - Map area boundaries to the hierarchical physical design
  - Enforce hierarchical traffic patterns
  - Minimize convergence times
  - Maximize the stability of the network
OSPF Design Rules for HA Campus
Where Are the Areas?
- Area size/border is bounded by the same concerns in the campus as in the WAN
- In the campus, the lower number of nodes and the stability of the local links could allow you to build larger areas; however:
- Area design is also based on address summarization
- Area boundaries should define buffers between fault domains
- Keep area 0 for the core infrastructure; do not extend it to the access routers

[Diagram: areas 100, 110 and 120, one per distribution block, attached to area 0 in the core; WAN, Data Center and Internet blocks]
Hierarchical Campus Design
OSPF Areas with Router Types

Figure: access switches are internal routers in Areas 10, 20 and 30; the distribution switches are ABRs between those areas and the Area 0 backbone at the core; the WAN, Data Center and Internet blocks sit in Areas 100, 200 and 300 behind distribution ABRs, with an ASBR and BGP at the edge.
OSPF in the Campus
Conversion to an OSPF Routed Edge

 OSPF designs that utilize an area for each campus distribution building block allow for straightforward migration to Layer 3 access
 Converting L2 switches to L3 within a contiguous area is reasonable to consider as long as the new area size is reasonable
 How big can the area be? It depends on:
  - Switch type(s)
  - Number of links
  - Stability of the fiber plant
Figure: Dist 1 (Area 10) and Dist 2 (Area 20) blocks attached to the Area 0 core, with branches in Area 200.
When a Link Changes State

Figure: Router 1 and Router 2 in Area 1 exchange an LSA and its ACK; each router updates its link state table, runs the Dijkstra algorithm and replaces the old routing table with the new one.
 Every router in the area hears a specific link LSA
 Each router computes the shortest path routing table
OSPF LSA Process
LSAs Propagate the Event

 OSPF is a Link State protocol; it relies on all routers within an area having the same topology view of the network.
 If a route is lost, OSPF sends out an LSA to inform its peers within the area of the lost route.
 All routers with knowledge of this route in the OSPF network will receive an LSA and run SPF to remove the lost route.
 The fewer the number of routers with knowledge of the route, the faster OSPF converges.
 Solution is to limit the LSA propagation range
Figure: an LSA originated at the access is flooded through the distribution and the Area 0 core to the other distribution and access switches, each of which runs SPF.
OSPF Regular Area
ABRs Forward All LSAs from the Backbone
External Routes/LSAs Present in Area 120

ABR forwards the following into an area:
  - Summary LSAs (Type 3)
  - ASBR Summary (Type 4)
  - Specific Externals (Type 5)

Distribution Config:
router ospf 100
 area 120 range 10.120.0.0 255.255.0.0 cost 10
 network 10.120.0.0 0.0.255.255 area 120
 network 10.122.0.0 0.0.255.255 area 0

Access Config:
router ospf 100
 network 10.120.0.0 0.0.255.255 area 120
OSPF Stub Area
Consolidates Specific External Links into a Default 0.0.0.0
Eliminates External Routes/LSAs Present in the Area (Type 5)

Stub Area ABR forwards:
  - Summary LSAs
  - Summary 0.0.0.0 Default

Distribution Config:
router ospf 100
 area 120 stub
 area 120 range 10.120.0.0 255.255.0.0 cost 10
 network 10.120.0.0 0.0.255.255 area 120
 network 10.122.0.0 0.0.255.255 area 0

Access Config:
router ospf 100
 ! every router in a stub area must carry the stub flag, or the adjacency will not form
 area 120 stub
 network 10.120.0.0 0.0.255.255 area 120
OSPF Totally Stubby Area
Use This for Stable, Scalable Internetworks
Minimize the Number of LSAs and the Need for Any External Area SPF Calculations

A Totally Stubby Area ABR forwards:
  - Summary Default (0.0.0.0) only

Distribution Config:
router ospf 100
 area 120 stub no-summary
 area 120 range 10.120.0.0 255.255.0.0 cost 10
 network 10.120.0.0 0.0.255.255 area 120
 network 10.122.0.0 0.0.255.255 area 0

Access Config:
router ospf 100
 ! the access router only needs the stub flag; no-summary is an ABR-only option
 area 120 stub
 network 10.120.0.0 0.0.255.255 area 120
Summarization Distribution to Core
Reduce SPF and LSA Load in Area 0
Minimize the Number of LSAs and the Need for Any SPF Recalculations at the Core

The Area Border Routers forward a single summary, 10.120.0.0/16, into the Area 0 backbone (the area 120 range statement below).

Distribution Config:
router ospf 100
 area 120 stub no-summary
 area 120 range 10.120.0.0 255.255.0.0 cost 10
 network 10.120.0.0 0.0.255.255 area 120
 network 10.122.0.0 0.0.255.255 area 0

Access Config:
router ospf 100
 area 120 stub
 network 10.120.0.0 0.0.255.255 area 120
OSPF Design Considerations
What Area Should the Distribution Link Be In?

 Two aspects of OSPF behavior can impact convergence:
  - OSPF ABRs ignore LSAs generated by other ABRs learned through non-backbone areas when calculating least-cost paths
  - In a stub area environment the ABR will generate a default route when any type of connectivity to the backbone exists
 Ensure loopbacks are not in area 0
 Configure the dist-to-dist link as a trunk using 2 subnets, one in area 0 and one in the stub area, when possible
Subsecond Hellos
Neighbor Loss Detection—Physical Link Up

 OSPF hello/dead timers detect neighbor loss in the absence of physical link loss
 Useful in environments where an L2 device separates L3 devices (Layer 2 core designs)
 Aggressive timers quickly detect neighbor failure (link up)
 Not recommended with NSF/SSO
 Interface dampening is recommended with sub-second hello timers
 OSPF point-to-point network type to avoid designated router (DR) negotiation.
Figure: an OSPF processing failure on switch A while the link between A and B stays up.

Access Config:
interface GigabitEthernet1/1
 dampening
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf network point-to-point
router ospf 100
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80
OSPF Timer Tuning
High-Speed Campus Convergence

 OSPF by design has a number of throttling mechanisms to prevent the network from thrashing during periods of instability
 Campus environments are candidates to utilize the OSPF timer enhancements:
  - Sub-second hellos
  - Generic IP (interface) dampening mechanism
  - Back-off algorithm for LSA generation
  - Exponential SPF backoff
  - Configurable packet pacing
Figure: "Reduce Hello Interval" on the access-to-distribution links; "Reduce LSA and SPF Interval" at the distribution and core.
OSPF Requires Sub-Second Throttling of LSA Timers to Speed Convergence

 OSPF has an SPF throttling timer designed to dampen route recalculation
 After a failure, the router waits for the SPF timer to expire before recalculating a new route
 By default, there is a 500ms delay before generating router and network LSAs; the wait is used to collect changes during a convergence event and minimize the number of LSAs sent
 Propagation of a new instance of the LSA is limited at the originator
 Acceptance of a new LSA is limited by the receiver
 Make sure lsa-arrival < lsa-hold

timers throttle spf 10 100 5000
timers throttle lsa all 10 100 5000
timers lsa arrival 80

Chart: Time to Restore Voice Flows (sec): Default Convergence 5.68; 10 msec SPF 0.72; 10 msec SPF and LSA 0.24.
OSPF Design Rules for HA Campus
LSA/SPF Exponential Back-off Throttle Mechanism

Figure: topology change events arriving over time, with the interval between successive SPF calculations growing 100, 200, 400, 800, 1600 msec.

timers throttle spf <spf-start> <spf-hold> <spf-max-wait>
timers throttle lsa all <lsa-start> <lsa-hold> <lsa-max-wait>

 Sub-second timers without risk
1. spf-start, or initial hold timer, controls how long to wait prior to starting the SPF calculation
2. If a new topology change event is received during the hold interval, the SPF calculation is delayed until the hold interval expires and the hold interval is temporarily doubled
3. The hold interval can grow until the maximum period configured is reached
4. After the expiration of any hold interval, the timer is reset
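The four rules above as an added Python simulation (not Cisco code and not part of the deck), run with the slide's `timers throttle spf 10 100 5000` values; the same back-off applies to `timers throttle lsa all`, and the validator also covers the lsa-arrival < lsa-hold rule from the previous slide. The burst of change instants is constructed.

```python
"""OSPF SPF/LSA exponential back-off throttle: a constructed simulation.

Added example, not Cisco code. It implements the four rules listed above for
`timers throttle spf <spf-start> <spf-hold> <spf-max-wait>`; `timers throttle
lsa all` uses the same back-off for LSA generation. All times are milliseconds.
"""


def simulate_spf_throttle(change_events_ms, spf_start, spf_hold, spf_max_wait):
    """Return the instants at which SPF runs for the given topology-change instants."""
    runs = []
    hold = spf_hold      # current hold interval (doubles under sustained churn)
    scheduled = None     # instant of a pending SPF run, if any
    hold_end = None      # end of the hold interval opened by the last SPF run

    for t in sorted(change_events_ms):
        # A pending SPF run that fired before this change arrived is executed
        # now and opens a hold interval of the current length.
        if scheduled is not None and scheduled <= t:
            runs.append(scheduled)
            hold_end = scheduled + hold
            scheduled = None
        if scheduled is not None:
            continue                          # already scheduled: change is batched
        if hold_end is not None and t < hold_end:
            # Rule 2: a change during the hold interval waits for the interval
            # to expire; rule 3: the next interval doubles, capped at max-wait.
            scheduled = hold_end
            hold = min(hold * 2, spf_max_wait)
        else:
            # Rule 4: the previous hold interval expired quietly, so the timer
            # is back to its initial value; rule 1: wait spf-start first.
            hold = spf_hold
            scheduled = t + spf_start
    if scheduled is not None:
        runs.append(scheduled)
    return runs


def validate_throttle_timers(spf, lsa, lsa_arrival):
    """Check (start, hold, max-wait) triples and the lsa-arrival < lsa-hold rule.

    The max-wait >= hold constraint is assumed from the IOS command reference;
    the lsa-arrival rule is the one stated on the previous slide.
    """
    problems = []
    for name, (start, hold, max_wait) in (("spf", spf), ("lsa", lsa)):
        if not (0 < start and 0 < hold <= max_wait):
            problems.append(f"timers throttle {name}: max-wait must be >= hold and all values > 0")
    if lsa_arrival >= lsa[1]:
        problems.append("timers lsa arrival must be less than lsa-hold")
    return problems


if __name__ == "__main__":
    # Constructed burst of topology changes with the slide's timer values.
    changes = [0, 50, 150, 350, 750, 1500, 3000]
    runs = simulate_spf_throttle(changes, spf_start=10, spf_hold=100, spf_max_wait=5000)
    print("SPF runs at :", runs)
    print("intervals   :", [b - a for a, b in zip(runs, runs[1:])])
    print(validate_throttle_timers((10, 100, 5000), (10, 100, 5000), 80) or "timers OK")
```

With the constructed burst the SPF runs land at 10, 110, 310, 710, 1510 and 3110 ms, i.e. the 100/200/400/800/1600 ms spacing of the figure, and the change at 1500 ms is batched into the run already scheduled.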
Routing Protocol Churn Can Be Reduced with IP Event Dampening

 Prevents routing protocol churn caused by constant interface state changes
 Dampening is applied at the system (interface) level: nothing is exchanged between routing protocols
 Supports all IP routing protocols
  - Static routing, RIP, EIGRP, OSPF, IS-IS, BGP
  - In addition, it supports HSRP and CLNS routing
  - Applies on physical interfaces and can't be applied on subinterfaces individually

interface GigabitEthernet1/1
 description Uplink to Distribution 1
 dampening
 ip address 10.120.0.205 255.255.255.254

Figure: the physical Interface State flaps Up/Down repeatedly, while the Interface State Perceived by EIGRP or OSPF shows a single Up to Down transition.
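To make the figure concrete, here is an added Python simulation (not Cisco code and not part of the deck) of how dampening hides interface flaps from the routing protocol. The half-life, reuse, suppress and max-suppress values are assumed to be the IOS defaults for `dampening` with no arguments, and the flap sequence is constructed.

```python
"""IP event dampening as seen by EIGRP or OSPF: a constructed simulation.

Added example, not Cisco code. The penalty model (a fixed penalty per down
transition, exponential decay with a half-life, suppress above one threshold,
reuse below another, max-suppress-time bounding the penalty) and the default
values below are assumed to match the IOS `dampening` defaults.
"""

# Assumed IOS defaults for `dampening` with no arguments.
DEFAULTS = {
    "half_life_s": 5.0,      # penalty halves every 5 s
    "reuse": 1000,           # un-suppress once the penalty decays below this
    "suppress": 2000,        # suppress once the penalty exceeds this
    "max_suppress_s": 20.0,  # longest an interface may stay suppressed
    "flap_penalty": 1000,    # added on every up -> down transition
}


def simulate_dampening(transitions, probe_times=(), **overrides):
    """Replay physical interface transitions through the dampening algorithm.

    transitions: iterable of (time_s, "up" | "down") physical state changes.
    probe_times: extra instants at which to sample the state without a change.
    Returns one dict per instant with the physical state, the state perceived
    by the routing protocol, the accrued penalty and the suppressed flag.
    """
    p = {**DEFAULTS, **overrides}
    # Penalty ceiling implied by max-suppress-time (assumed to follow the IOS formula).
    max_penalty = p["reuse"] * 2 ** (p["max_suppress_s"] / p["half_life_s"])
    events = [(t, s) for t, s in transitions] + [(t, None) for t in probe_times]
    events.sort(key=lambda e: (e[0], e[1] is None))   # changes before probes at equal t

    penalty, last_t = 0.0, 0.0
    physical, suppressed = "up", False
    trace = []
    for t, state in events:
        # Exponential decay of the penalty since the previous instant.
        penalty *= 0.5 ** ((t - last_t) / p["half_life_s"])
        last_t = t
        if suppressed and penalty < p["reuse"]:
            suppressed = False                        # reuse threshold crossed
        if state == "down" and physical == "up":
            penalty = min(penalty + p["flap_penalty"], max_penalty)
        if state is not None:
            physical = state
        if not suppressed and penalty > p["suppress"]:
            suppressed = True                         # suppress threshold crossed
        perceived = "down" if suppressed else physical
        trace.append({"t": t, "physical": physical, "perceived": perceived,
                      "penalty": round(penalty), "suppressed": suppressed})
    return trace


def hidden_transitions(trace):
    """Number of physical state changes that the routing protocol never saw."""
    physical = perceived = "up"
    phys_changes = perc_changes = 0
    for e in trace:
        if e["physical"] != physical:
            phys_changes += 1
            physical = e["physical"]
        if e["perceived"] != perceived:
            perc_changes += 1
            perceived = e["perceived"]
    return phys_changes - perc_changes


# Constructed flap sequence: the uplink bounces four times within four seconds.
FLAPS = [(1.0, "down"), (1.5, "up"), (2.0, "down"), (2.5, "up"),
         (3.0, "down"), (3.5, "up"), (4.0, "down"), (4.5, "up")]

if __name__ == "__main__":
    trace = simulate_dampening(FLAPS, probe_times=[12, 14])
    for e in trace:
        print(f"t={e['t']:>5}s physical={e['physical']:<4} perceived={e['perceived']:<4} "
              f"penalty={e['penalty']:>5} suppressed={e['suppressed']}")
    print("flaps hidden from the IGP:", hidden_transitions(trace))
```

With the constructed sequence the third down transition (t = 3 s) pushes the penalty past the suppress threshold, so the IGP keeps seeing the uplink as down through the later bounces and only sees it up again once the penalty has decayed below the reuse threshold (between t = 12 s and t = 14 s).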
Redundant Supervisors with L3
Non-Stop-Forwarding with Stateful Switchover (NSF/SSO)

Figure: the active supervisor's RP CPU runs the routing protocol process, the Routing Information Base and Cisco IOS; its configuration, ARP table and IOS CEF tables (FIB and adjacency tables) are synchronized to the standby supervisor's RP CPU, and the hardware FIB and adjacency tables are synchronized as well, so the forwarding path keeps working while the control path is restarted.
Using Redundant Supervisors at the Access Layer with SSO

1. Supervisor switchover event occurs
2. SSO maintains SSO-aware applications, including L2 tables; L2/L3 forwarding is maintained
3. Routing protocols will restart on the newly active Supervisor
   - L3 routes are purged
4. Routing neighbors lose adjacency with the restarting router
   - Routes to the lost neighbor are purged
5. Routing neighbors reestablish adjacencies; forwarding to and from non-directly connected L3 networks resumes

SSO alone is not enough with a Routed Access design
NSF—Configuration and Monitoring

NSF-Capable, EIGRP:
Switch(config)#router eigrp 100
Switch(config-router)#nsf

NSF-Capable, OSPF:
Switch(config)#router ospf 100
Switch(config-router)#nsf

NSF-Aware, EIGRP:
Router#sh ip protocol
*** IP Routing is NSF aware ***

Routing Protocol is "eigrp 100"
<snip>
EIGRP NSF-aware route hold timer is 240s
EIGRP NSF enabled

NSF-Aware, OSPF:
Router#sh ip ospf
Routing Process "ospf 100" with ID 10.120.250.4
Start time: 00:01:37.484, Time elapsed: 3w2d
Supports Link-local Signaling (LLS)
<snip>
Non-Stop Forwarding enabled, last NSF restart 3w2d ago (took 31 secs)

Recommendation Is to Not Tune IGP Hello Timers. Use Default Hello and Dead Timers for EIGRP/OSPF When Peering to a Device Configured for NSF/SSO
Using Redundant Supervisors at the Access Layer, Now with NSF/SSO

1. Supervisor switchover event occurs
2. SSO maintains SSO-aware applications, including L2 tables; L2/L3 forwarding is maintained
3. NSF-capable router signals NSF-aware routing peers of a routing protocol restart
4. NSF-aware routers detect the restarting router
   - Assist in re-establishing full adjacency
   - Maintain forwarding to and from the restarting router
5. NSF restart complete; the traditional L3 convergence event is avoided
Design with Redundant Supervisors for NSF/SSO
Status of the Uplinks of the Supervisor

 Cisco Catalyst 4500: supervisor uplink ports are active and forward traffic as long as the supervisor is fully inserted
  - Uplink ports do not go down when a supervisor is reset. There are restrictions on which ports can be active simultaneously in redundant systems
  - Catalyst 4500 Supervisor II+, Supervisor IV: 2 x GigE ports are active (1/1, 1/2 and 2/1, 2/2)
  - Catalyst 4500 Supervisor II+10GE: 2 x 10GE and 4 x GigE ports are active (1/1 to 1/6 and 2/1 to 2/6)
 Cisco Catalyst 6500: both the active supervisor and the standby supervisor uplink ports are active as long as the supervisors are up and running
  - Uplink ports go down when the supervisor is reset
  - Catalyst 6500 Supervisors: all ports are active
  - An NSF/SSO switchover therefore also modifies the topology
Design Consideration with StackWise at the Access Layer

 Recommended Design:
  - Configure priority for the master and its backup for deterministic failures
  - Avoid using the master as uplink to reduce uplink-related losses
  - Use "stack-mac persistent timer 0" to avoid the gratuitous ARP changes, for best convergence:
    - Where GARP processing is disabled in the network, e.g. Security
    - Where network devices/hosts do not support GARP, e.g. Phones
 Upstream traffic is not interrupted by master failure
 Downstream traffic is interrupted due to routing protocol restart and adjacency reset
  - Run 12.2(37)SE or higher for NSF support
Figure: a stack of three switches (S1, S2, S3) with a master, acting as a single logical switch at the access and dual-homed to the distribution.
Routed Access Does Not Require a Switch Management VLAN

 In the L2 design it was considered a best practice to define a unique VLAN for network management
 In the routed access model, the best way is to configure a loopback interface
 The /32 address should belong to the summarized route advertised from the distribution block
 The loopback interface should be configured as passive for the IGP
 ACLs should be used as required to ensure secure network management
Figure: an SNMP server reaching the access switch loopbacks through the core and distribution.

interface Loopback0
 description Dedicated Switch Management
 ip address 10.120.254.1 255.255.255.255
Virtual Switch
Catalyst 6500 Virtual Switching System (VSS)

 Virtual Switching System consists of two Catalyst 6500s defined as members of the same virtual switch domain running a VSL (Virtual Switch Link) between them
 Single Control Plane with Dual Active Forwarding Planes
 Extends the NSF/SSO infrastructure to two switches
Figure: Switch 1 + Switch 2, joined by the Virtual Switch Link (VSL) inside one Virtual Switch Domain, = VSS
Virtual Switch System
Multi-Chassis Etherchannel

 Multi-chassis Etherchannel (MEC) replaces spanning tree as the means to provide link redundancy
 MEC allows the physical members of the Etherchannel bundle to be connected to two separate physical switches
 MEC links on both switches are managed by PAgP or LACP running on the Master Switch via internal control messages
 PAgP or LACP packets for all links in the MEC bundle are processed by the active supervisor
Virtual Switch System
Impact to the Campus Topology

 Physical network topology does not change
  - Still have redundant chassis
  - Still have redundant links
 Logical topology is simplified as we now have a single control plane
 Allows the design to replace the traditional topology control plane with Multi-chassis Etherchannel (MEC)
  - No reliance on spanning tree or the IGP protocol to provide link redundancy
  - Convergence and load balancing are based on Etherchannel

BRKCRS-3035 – Advanced Enterprise Campus Design: Virtual Switching System (VSS)
Leveraging EtherChannel
Time to Recovery

1. Link failure detection
2. Removal of the Portchannel entry in the software
3. Update of the hardware Portchannel indices
4. Notify the spanning tree and/or routing protocol processes of the path cost change
Figure: on a Catalyst switch, PortChannel 1 bundles G3/1, G3/2, G4/1 and G4/2; in the Layer 2 forwarding table, destination VLAN 10 / MAC AA points to the Portchannel 1 port index (resolved by the load-balancing hash to one member link) and VLAN 11 / MAC BB points to G5/1; the routing protocol and spanning tree processes are notified of the change.
VSS and Routed Access Design
Link Down Convergence Without VSS

 Downstream traffic recovery is dependent upon the Interior Gateway Protocol reroute to the peer distribution switch
  - Use Stub on the access devices, and proper summarization from the distribution
  - Tune the IGP ... etc.
 Upstream traffic recovery is dependent upon updates to the Access Switch's Forwarding Information Base removing the adjacency for the lost link (ECMP)
Figure: Downstream = IGP reroute at the distribution; Upstream = CEF ECMP over the L3 ECMP uplinks of the access switch.
VSS and Routed Access Design
Link Down Convergence with VSS MEC

 Access layer switch has one neighbour
 Distribution switch has its neighbour count reduced by half
 Upstream and Downstream traffic convergence now is an Etherchannel link event
  - No IGP reconvergence event
  - No impact of the number of routes/VLANs
 No need for fast IGP timers (works well with access NSF/SSO)
 Summarization rules still recommended
 Achieves sub-second failure and no L2 loop on the topology
Figure: Downstream IGP reroute and Upstream CEF ECMP replaced by an L3 MEC uplink. Chart: Seconds of Voice Loss (0 to 2.5) versus Number of Routes (1000 to 12000, Sup720C) for ECMP compared with MEC Min.
VSS and Routed Access Design
Enable MEC Links in L3 Core—Best Multicast

 Use MEC uplinks from the access in routed access environments with multicast traffic
 VSS MEC local switch link preference avoids egress replication across the VSL link during normal conditions
 In the event of link failure multicast traffic will pass across the VSL link and will experience local switch PIM replication
 With large scale mroute and (S,G) topology the convergence may vary, however much better than an ECMP based topology
Figure: PIM Joins from the access over L3 MEC uplinks to SW1 (ACTIVE) and SW2 (HOT_STANDBY) of the VSS.
Campus IPv6 Deployment
Three Major Options

1. Dual-stack—The ideal way to go for obvious reasons: performance, security, QoS, Multicast and management
Figure: IPv6/IPv4 dual-stack hosts at the access layer, v6-enabled distribution, core and data center aggregation/access layers, down to dual-stack servers.
2. Hybrid—Dual-stack where possible, tunnels for the rest, but all leveraging the existing design/gear
Figure: ISATAP tunnels from the dual-stack access hosts across a distribution layer that is NOT v6-enabled, terminating on the v6-enabled core; the data center aggregation and access layers remain dual-stack.
3. IPv6 Service Block—A new network block used for interim connectivity for the IPv6 overlay network
Figure: an IPv6 Service Block behind a dedicated firewall attached to the core layer, terminating ISATAP tunnels from an IPv4-only campus block (VLAN 2, VLAN 3) and reaching the Internet through an IOS firewall; the WAN/ISP block and Data Center block are attached to the core.

Works the same with Routed Access
Routed Access Layer and IPv6
Support for Dual Stack Deployment

 In the RA model, the first hop switch is also the first hop router, therefore it must be capable of routing IPv6
 The following hardware can route IPv6:
  - Cisco Catalyst 6500 Series Switches: SUP32 and SUP720
  - Cisco Catalyst 4500 Series Switches: SUP6-E and higher
  - Cisco Catalyst 3750 Series, E Series, and X Series Switches
  - Cisco Catalyst 3560 Series, E Series, and X Series Switches
Routed Access Layer and IPv6
Dual Stack Deployment Sample (For Your Reference)

Access switch configuration (IPv6/IPv4 dual-stack hosts on the access VLAN, L3 uplinks to the distribution):

ipv6 unicast-routing
ipv6 cef
!
[...]
interface Vlan2
 description Data VLAN for Access
 ipv6 address 2001:DB8:CAFE:2::CAC1:3750/64
 ipv6 nd prefix 2001:DB8:CAFE:2::/64 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination 2001:DB8:CAFE:10::2
 ipv6 ospf 1 area 2
 ipv6 cef
!
[...]
ipv6 router ospf 1
 router-id 10.120.2.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 area 2 stub no-summary
 passive-interface Vlan2
 timers spf 1 5
Routed Access Layer and IPv6
Dual Stack Deployment Sample (For Your Reference), continued

!
interface GigabitEthernet1/0/25
 description To 6k-dist-1
 ipv6 address 2001:DB8:CAFE:1100::CAC1:3750/64
 no ipv6 redirects
 ipv6 nd suppress-ra
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 2
 ipv6 ospf hello-interval 1
 ipv6 ospf dead-interval 3
 ipv6 cef
!
interface GigabitEthernet1/0/26
 description To 6k-dist-2
 ipv6 address 2001:DB8:CAFE:1101::CAC1:3750/64
 no ipv6 redirects
 ipv6 nd suppress-ra
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 2
 ipv6 ospf hello-interval 1
 ipv6 ospf dead-interval 3
 ipv6 cef
Analyzing the Impact on Advanced Technologies

 Unified Communications deployments work the same way. You still need to provision a voice VLAN/subnet per wiring closet switch
 Identity (802.1x) solutions work the same: user VLAN assignment is still possible, as well as per-user dACL (check out BRKSEC-2005)
 Wireless LAN works seamlessly as well, since LWAPP runs over UDP, hence at L3.
 We will take a closer look at:
  - Network Virtualization
Network Virtualization
Functional Architecture

Figure: Access Control (Branch – Campus) | Path Isolation (WAN – MAN – Campus: GRE VRFs, MPLS VPNs, Ethernet VRFs) | Services Edge (Data Center – Internet Edge – Campus)

 Access control techniques remain the same with a Routed Access Model
 Path Isolation techniques remain the same, but there are provisioning implications of running routing at the access layer
BRKCRS-2033 – Deploying a Virtualized Campus Network Infrastructure
Network Virtualization and Routed Access
Path Isolation Issues—VRFs to the Edge

 Define VRFs on the access layer switches
  - One VRF dedicated to each virtual network (Red, Green, etc.)
 Map device VLANs to the corresponding VRF
 Provisioning is more challenging, because multiple routing processes and logical interfaces are required.
 The chosen path isolation technique must be deployed from the access layer devices
  - VRF-Lite Ethernet
  - VRF-Lite GRE
  - MPLS L3 VPNs
Figure: access switches with VLAN 21 Red, VLAN 22 Green and VLAN 23 Blue mapped to VRF Red, VRF Green and VRF Blue, connected over Layer 3 links to the distribution and the campus core.
Virtualizing at the Access Layer
VLANs to VRF Mapping Configuration

! Defining the VRFs
ip vrf Red
 rd 1:1
!
ip vrf Green
 rd 2:2
!
! Defining the VLANs (L2 and SVI) and mapping them to the VRFs
vlan 21
 name Red_access_switch_1
!
vlan 22
 name Green_access_switch_1
!
interface Vlan21
 description Red on Access Switch 1
 ip vrf forwarding Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 description Green on Access Switch 1
 ip vrf forwarding Green
 ip address 10.137.22.1 255.255.255.0
Virtualizing at the Access Layer
Routing Protocol VRF Configuration

! Defining the routing protocol within the VRFs
router eigrp 100
 network 10.0.0.0
 eigrp router-id 10.122.137.1
 no auto-summary
 eigrp stub connected
 !
 address-family ipv4 vrf Green
  network 11.0.0.0
  no auto-summary
  autonomous-system 100
  eigrp router-id 10.122.138.1
  eigrp stub connected
 exit-address-family
 !
 address-family ipv4 vrf Red
  network 12.0.0.0
  no auto-summary
  autonomous-system 100
  eigrp router-id 10.122.139.1
  eigrp stub connected
 exit-address-family
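Because every VRF at the access needs a matching SVI mapping and its own stub routing process, the two slides above are easy to get out of step. Here is an added Python consistency check (not Cisco code and not part of the deck) that parses a constructed access-switch config shaped like those slides and reports the mismatches; the sample config and its deliberate mistakes are constructed.

```python
"""Consistency check for a VRF-lite access-switch configuration.

Added example, not Cisco code. It parses IOS-style text like the VLAN-to-VRF
and EIGRP address-family snippets above and reports the mismatches that break
path isolation or stub behaviour at the access layer.
"""

# Constructed sample configuration, modelled on the two slides above, with three
# deliberate mistakes: Vlan23 is mapped to a VRF (Blue) that is never defined,
# VRF Green has no EIGRP address-family, and the Red address-family is not a stub.
SAMPLE_CONFIG = """\
ip vrf Red
 rd 1:1
!
ip vrf Green
 rd 2:2
!
interface Vlan21
 description Red on Access Switch 1
 ip vrf forwarding Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 description Green on Access Switch 1
 ip vrf forwarding Green
 ip address 10.137.22.1 255.255.255.0
!
interface Vlan23
 description Blue on Access Switch 1
 ip vrf forwarding Blue
 ip address 10.137.23.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
 eigrp stub connected
 !
 address-family ipv4 vrf Red
  network 10.0.0.0
  no auto-summary
  autonomous-system 100
 exit-address-family
"""


def lint_vrf_lite(config):
    """Return a list of human-readable findings for the given config text."""
    defined = set()      # VRF names from 'ip vrf <name>'
    iface_vrf = {}       # interface name -> VRF from 'ip vrf forwarding <name>'
    af_stub = {}         # VRF name -> True if its address-family has 'eigrp stub'
    block = None         # current top-level block: ('interface', name) or 'router'
    af = None            # VRF of the address-family currently being parsed

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue                                  # comment / separator line
        words = line.split()
        if not line[0].isspace():                     # top-level command: new block
            af = None
            if words[:2] == ["ip", "vrf"] and len(words) == 3:
                defined.add(words[2])
                block = None
            elif words[0] == "interface" and len(words) == 2:
                block = ("interface", words[1])
            elif words[:2] == ["router", "eigrp"]:
                block = "router"
            else:
                block = None
            continue
        if isinstance(block, tuple):                  # inside an interface
            if words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
                iface_vrf[block[1]] = words[3]
        elif block == "router":                       # inside router eigrp
            if words[:3] == ["address-family", "ipv4", "vrf"] and len(words) == 4:
                af = words[3]
                af_stub.setdefault(af, False)
            elif words[0] == "exit-address-family":
                af = None
            elif af is not None and words[:2] == ["eigrp", "stub"]:
                af_stub[af] = True

    findings = []
    for iface, vrf in sorted(iface_vrf.items()):
        if vrf not in defined:
            findings.append(f"{iface}: 'ip vrf forwarding {vrf}' references an undefined VRF")
    for vrf in sorted(defined):
        if vrf not in af_stub:
            findings.append(f"VRF {vrf}: no 'address-family ipv4 vrf {vrf}' under router eigrp")
        elif not af_stub[vrf]:
            findings.append(f"VRF {vrf}: address-family lacks 'eigrp stub', so the access switch is not a stub in this VRF")
        if vrf not in iface_vrf.values():
            findings.append(f"VRF {vrf}: defined but no interface is mapped to it")
    return findings


if __name__ == "__main__":
    for finding in lint_vrf_lite(SAMPLE_CONFIG):
        print(finding)
```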
Network Virtualization and Routed Access
Path Isolation Issues—VRFs to the Edge (Cont.)

 Catalyst 6500 supports all three path isolation techniques:
  - 802.1Q Ethernet VRF-Lite
  - GRE with VRF-Lite
  - MPLS VPN
 Catalyst 3000s and 4500s only support 802.1Q Ethernet VRF-Lite
 Convergence times increase
  - ~800ms for 9 VRFs + Global
  - Increased load from multiple routing processes and logical interfaces
 Operational impact of managing multiple logical networks
Figure: access switches with VLAN 21 Red, VLAN 22 Green and VLAN 23 Blue mapped to VRF Red, VRF Green and VRF Blue over Layer 3 links to the campus core.

Network Virtualization--Path Isolation Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp277205
Routed Access Campus Design
End to End Routing: Fast Convergence and Maximum Reliability

Figure: STP-Based Redundant Topology (B = STP Blocked Link on one uplink of each access switch) beside the Routed Access Redundant Topology, where no links are blocked.
Q and A

Summary

 Traditional Layer 2 designs remain valid
 Routed Access Design:
  - Simplified Control Plane (no dependence on STP, HSRP, etc.)
  - Increased Capacity: provides flow-based load balancing
  - High Availability: 200 msec or better recovery
  - Simplified Multicast
  - No L2 Loops
  - Easier Troubleshooting
 Flexibility to provide for the right implementation for each network requirement
Campus Design Guidance
Where To Go for More Information

http://www.cisco.com/go/srnd
Meet the Engineer

To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with a top Cisco Engineer.

Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.

Visit the Meeting Centre reception desk located in the Meeting Centre in the World of Solutions.
BRKCRS-3036 Recommended Reading
