Campus LAN and Wireless LAN Solution Design Guide
Updated: May 4, 2020
Source: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-campus-lan-wlan-design-guide.html
Definition and Introduction: Campus LAN and Wireless LAN
There is a tendency to discount the network as simple plumbing — to believe that the only design
considerations are the size and the length of the pipes or the speeds and feeds of the links, and to dismiss
the rest as unimportant. Just as the plumbing in a large stadium or a high-rise building is designed for scale,
purpose, redundancy, protection from tampering or denial of operation, and the capacity to handle peak
loads, the network requires similar consideration. As users depend on the network to access the most
important information that they need to do their jobs and to transport their voice or video with reliability, the
network must be able to provide resilient, intelligent transport. The reliable network design also needs to
incorporate versatility in order to address the changing needs of an organization.
Here are some key concepts that you should address when creating a reliable and versatile network design.
The network should be:
* Always on and resilient - Continuously on and available.
* Intelligent - Adapting to changing needs, beyond the limits of basic standards, using insight into network activity.
* Secure - Protecting the organization and its users.
Planning for the Future
As you look at a network design, consider the networking trends and future needs of an organization.
* The network must be ready to appropriately scale over time in order to meet the demands of the organization it is supporting.
* Because demands on wireless access points (APs) with the latest standards, including Wi-Fi 6 (802.11ax) technology, exceed 1 Gbps, and the IEEE has ratified the 802.3bz standard that defines 2.5 Gbps and 5 Gbps Ethernet, you should deploy a network that is ready to support the demand without requiring an upgrade of the existing copper Ethernet wiring plant. You accommodate these latest demands by deploying network platforms including Cisco® Catalyst Multigigabit technology.
* As you deploy new devices with higher power requirements, such as lighting, surveillance cameras, virtual desktop terminals, remote access switches, and APs, your design should have the ability to support power over Ethernet up to 90W per port, offered with Cisco Universal Power Over Ethernet Plus, and the access layer should also provide PoE perpetual power during switch upgrade and reboot events. The Cisco Catalyst 9000 Series access layer switches are perpetual PoE-capable and ready for 100W per port, as that technology becomes available.
* Compliance issues drive a choice of platforms required when you support standards certifications and MACsec. For those cases, you should also be prepared to make analytic data available, using technologies such as NetFlow.
* The Internet of Things (IoT) impacts today's network design. Your network should support TrustSec and other segmentation and virtualization technologies, such as Cisco Software-Defined Access (SD-Access), in order to enable the scale and expanded uses and policies for the network driven by these trends.
* Bandwidth needs are doubling potentially multiple times over the lifetime of a network so that the
network deployed today needs to be prepared to aggregate using 10 Gbps Ethernet to 25 Gbps to
40 Gbps to 100 Gbps capacities or more over time.
* The network platforms deployed today should offer the best longevity into the future, versus selecting the equipment that only meets the limits of today's needs.
* To reduce operational complexity, you can use a centralized controller with open APIs, allowing for very fast, lower-risk deployment of network devices and services through UI and existing orchestration systems. Cisco Digital Network Architecture Center (Cisco DNA Center) automates this network device configuration and management to achieve your organization's intent.
Cisco Digital Network Architecture (Cisco DNA)
Cisco Digital Network Architecture (Cisco DNA) provides a roadmap to digitization and a path to realize
immediate benefits of network automation, assurance, and security. The campus local area network (LAN) is
the network that supports devices people use within a location to connect to information. The use of the
word campus does not imply any specific geographic size or organizational boundary. The campus LAN can
range in size from a single switch at a small remote site up to a large multi-building infrastructure, supporting
classrooms, carpeted office space, and similar places where people use their devices for their daily
activities. The campus design incorporates both wired LAN and wireless LAN connectivity for a complete
network access solution. This guide explains:
* The design of the campus wired LAN foundation.
* How the WLAN extends secure network access or is exclusive network access for your mobile workforce.
* How the WLAN can provide guest access for contractors and visitors to your facilities.
If you didn't download this guide from Cisco Community or Design Zone, you can check for the latest version of this guide.
Find related deployment guides, design guides, and white papers, at the following pages:
* https://www.cisco.com/go/designzone
* https://cs.co/en-cvds
Design: Campus LAN and Wireless LAN
Designing a LAN for the campus use case is not a one-design-fits-all proposition. The scale of a campus LAN can be as simple as a single switch and wireless AP at a small remote site or as large as a distributed, multi-building complex with high-density wired port and wireless requirements. The deployment may require very high availability for the services offered by the network, with a low tolerance for risk, or there may be tolerance for a fix-on-failure approach, with extended service outages for a limited number of users considered acceptable. Platform choices for these deployments are often driven by needs for network capacity, the device and network capabilities offered, and the need to meet any compliance requirements that are important to the organization.
* Traditional Access - Dedicated Distribution and Access Layers (L2 or L3). You impose most of the campus wired LAN design complexity when aggregating groups of access switches by interconnecting the access layers to the distribution layers. If devices connecting to the access layer have a requirement to communicate with a Layer 2 logical adjacency and those connections cover multiple physical wiring closets connected to a distribution layer, then it is possible to adapt the traditional multilayer campus design to address the Layer 2 adjacency needs. However, the traditional designs drive more complex configurations with additional protocols that must be kept consistent across multiple devices.
* Simplified Access - Virtualized StackWise Access & StackWise Virtual Distribution. To improve the design, there are preferred alternatives that make the deployment easier to manage and less prone to mistakes, while enhancing overall network performance. Such alternatives include the simplified distribution layer using options such as a switch stack or a StackWise Virtual system, and the simplified access layer using a switch stack with StackWise technology. Both make deployment and troubleshooting much easier for support staff.
* Cisco Software Defined Access - Campus Fabric and Automation of the Distribution & Access Layers. A design alternative is available for organizations that either don't have the need to extend Layer 2 connectivity across an access-to-aggregation boundary or have other means of implementing this functionality, such as when using fabric technology for campus designs, an integral part of Cisco SD-Access. The alternative to the Layer 2 designs is to extend Layer 3 connectivity to the access layer. The implementation of a well-designed Layer 3 access network ensures consistent configuration, performance, scalability, and high availability of the network versus the traditional multilayer campus design.
The motivation for the recommended design choices is not that they are the only options available but that the recommendations highlight preferred choices given the scope of the requirements. Even though the traditional multilayer campus design previously mentioned is a widely deployed, valid design choice, the design is not one that is typically recommended considering better alternatives that are currently available.
When you integrate the wireless components of the campus design with the wired components, the design can often be treated as an overlay that is dependent upon the services provided by the underlying campus infrastructure. This is especially evident for larger networks, because increasing capacity with dedicated devices becomes a requirement. Smaller networks, such as those at small remote sites, offer opportunities for simplification and optimization that are also reflected in the design choices shown below.
The primary design options are grouped by scale, and then appropriate selections are based on the capabilities desired. The selection from the spectrum of capabilities is based on the needs of a specific deployment.
Design Fundamentals: Campus Wired LAN
The LAN is the networking infrastructure that provides access to network communication services and
resources for end users and devices spread over a single floor or building. You create a campus network by
interconnecting a group of LANs that are spread over a local geographic area. Campus network design
concepts include small networks that use a single LAN switch, up to very large networks with thousands of
connections.
The campus wired LAN enables communications between devices in a building or group of buildings, as well as interconnection to the WAN and Internet edge at the network core.
Specifically, this design provides a network foundation and services that enable:
* Tiered LAN connectivity
* Wired network access for employees
* IP Multicast for efficient data distribution
* Wired infrastructure ready for multimedia services
Hierarchical design model
The campus wired LAN uses a hierarchical design model to break the design up into modular groups or layers. Breaking the design up into layers allows each layer to implement specific functions, which simplifies the network design and therefore the deployment and management of the network.
Modularity in network design allows you to create design elements that can be replicated throughout the network. Replication provides an easy way to scale the network as well as a consistent deployment method.
In flat or meshed network architectures, changes tend to affect a large number of systems. Hierarchical design helps constrain operational changes to a subset of the network, which makes it easy to manage as well as improves resiliency. Modular structuring of the network into small, easy-to-understand elements also facilitates resiliency via improved fault isolation.
A hierarchical LAN design includes the following three layers:
* Access layer - Provides endpoints and users direct access to the network
* Distribution layer - Aggregates access layers and provides connectivity to services
* Core layer - Provides connectivity between distribution layers for large LAN environments
Figure 1. LAN hierarchical design (diagram: core, distribution, and access layers, with access switches and endpoints at the bottom)
Each layer (access, distribution, and core) provides different functionality and capability to the network.
Depending on the characteristics of the deployment site, you might need one, two, or all three of the layers.
For example, a site that occupies a single building might only require the access and distribution layers, while
a campus of multiple buildings will most likely require all three layers.
Regardless of how many layers are implemented at a location, the modularity of this design ensures that
each layer will provide the same services, and in this architecture, will use the same design methods.
Figure 2. Scalability by using a modular design (diagram: core, distribution, and access layers replicated across multiple building modules)
Access layer
The access layer is where user-controlled devices, user-accessible devices, and other end-point devices
are connected to the network. The access layer provides both wired and wireless connectivity and contains
features and services that ensure security and resiliency for the entire network.
Figure 3. Access layer connectivity (diagram: wireless access point, handheld devices, personal computer, telepresence endpoint, and user phone connecting to an access switch on the LAN)
* Device connectivity - The access layer provides high-bandwidth device connectivity. To help make the network a transparent part of an end-user's day-to-day job, the access layer must support bursts of high-bandwidth traffic when users perform routine tasks, such as sending large emails or opening a file from an internal web page.
Because many types of end-user devices connect at the access layer (personal computers, IP phones, wireless APs, and IP video surveillance cameras), the access layer can support many logical networks, delivering benefits for performance, management, and security.
* Resiliency and security services - The access-layer design must ensure that the network is available for all users who need it, whenever they need it. As the connection point between the network and client devices, the access layer must help protect the network from human error and from malicious attacks. This protection includes ensuring that users have access only to authorized services, preventing end-user devices from taking over the role of other devices on the network (on Cisco access switches this is the job of first-hop security features such as DHCP snooping, dynamic ARP inspection, and IP source guard), and, when possible, verifying that each end-user device is allowed on the network (for example, with 802.1X port authentication).
* Advanced technology capabilities - The access layer provides a set of network services that support advanced technologies, such as voice and video. The access layer must provide specialized access for devices using advanced technologies, to ensure that traffic from these devices is not impaired by traffic from other devices and to ensure efficient delivery of traffic that is needed by many devices in the network.
Multigigabit Ethernet (mGig) and PoE at the access layer
As customers migrate to 802.11ax (Wi-Fi 6), the access layer switch platforms to which the Catalyst 9100 Series APs connect may also need to be upgraded. Data rates above 1 Gbps, supported by 802.11ax (Wi-Fi 6) APs, are driving the requirement for mGig port speeds (2.5 Gbps and 5 Gbps) at the access layer. The higher MIMO rates of these APs, along with the rapid adoption of IoT devices, are also driving the requirement for higher PoE budgets (PoE+, Cisco UPOE / 802.3bt Type 3, and Cisco UPOE+ / 802.3bt Type 4) at the access layer switch ports.
Oversubscription ratios
The migration to mGig may also require increasing uplink port speeds in order to maintain the desired oversubscription ratio. Determining the oversubscription ratio of the uplink when deploying mGig technology can be more challenging than with traditional switches that have only 1 Gbps ports. You need to take into consideration the number of access ports on the switch which support mGig, since not all switches support mGig on all ports. You also need to take into consideration the speeds at which the mGig port is capable of operating, as well as the speed at which the port will actually be operating. Although an mGig switch port may be capable of operating at 10 Gbps, Cisco Catalyst 9100 Series APs currently only operate at mGig speeds up to 5 Gbps.
For example, let's say you deploy a 48-port switch which supports mGig up to 10 Gbps on 12 access ports, 1 Gbps on the other 36 ports, and with 4 x 10 Gbps fixed uplinks. However, you only provision two 10 Gbps uplinks. This configuration would provide up to 20 Gbps uplink bandwidth, assuming all uplinks are active, as in a Multichassis EtherChannel (MEC) configuration.
Figure 4. Example oversubscription ratio - single access-layer switch (diagram: Catalyst 9000 Series distribution-layer switches with 2 x 10G uplinks to a Catalyst 9000 Series 48-port access-layer switch with 12 mGig ports up to 10 Gbps and 36 x 1 Gbps ports serving client devices and APs; 7.8:1 maximum oversubscription ratio at the access-layer switch uplink)
The maximum potential bandwidth usage of the switch ports would be 12 x 10 Gbps = 120 Gbps plus 36 x 1 Gbps = 36 Gbps, for a total of 156 Gbps. The maximum uplink oversubscription ratio would be 156 Gbps : 20 Gbps or 7.8:1, assuming all mGig ports were operating at 10 Gbps.
More realistically, you may have the following actually connected to the switch:
* 8 Catalyst 9100 Series APs operating at 5 Gbps connected to the switch ports
* 32 Cisco IP Phones and/or end-user devices (PCs, Macs, etc.) operating at 1 Gbps connected to the switch ports
* 8 unused ports for future expansion and capacity
The actual potential bandwidth usage of the switch ports would be 8 x 5 Gbps = 40 Gbps plus 32 x 1 Gbps = 32 Gbps, for a total of 72 Gbps. Therefore a more realistic view of the oversubscription ratio is 72 Gbps : 20 Gbps, or 3.6:1.
This configuration provides for additional capacity, in that you have an additional 2 x 10 Gbps unused uplinks as additional devices require mGig port speeds, as devices transition to 10 Gbps speeds, and as you expand capacity in a switch stack configuration.
Switch stack configurations
Migrating to a switch stack is an effective, flexible, and scalable solution to expand network capacity at the access layer. The benefits of a switch stack are as follows:
* The switch stack behaves as a single device (characteristics and functionality of a single switch)
* The switch stack allows expansion of switch ports without having to manage multiple devices
* Switches can be added or removed from the switch stack without affecting the overall operation of the switch stack
* Depending upon the configuration of the switch stack, it can continue to transmit data even if a link or a switch within the stack fails
When adding additional access layer switches in a stackable configuration, you should design the switch stack with the desired oversubscription ratio both during normal operations, and if there is a failure of a switch within the stack.
Figure 5. Example oversubscription ratio - access-layer switch stack (diagram: distribution-layer StackWise Virtual pair with 4 x 10G uplinks to a four-switch access-layer stack of 48-port switches, each with 12 mGig ports up to 10 Gbps and 36 x 1 Gbps ports; 15.6:1 maximum oversubscription ratio at the access-layer switch uplink)
For example, let's say you deploy four 48-port switches each of which supports mGig up to 10 Gbps on 12 access ports, 1 Gbps on the other 36 ports, with fixed 4 x 10 Gbps uplink ports. However, you decide to use only four 10 Gbps uplinks spread across two switches in the stack. This configuration would provide up to 40 Gbps uplink bandwidth in a MEC configuration, when both switches are operational. However, you now have 192 access ports.
The maximum potential bandwidth usage of the switch ports would be 48 x 10 Gbps = 480 Gbps plus 144 x 1 Gbps = 144 Gbps, for a total of 624 Gbps. The maximum uplink oversubscription ratio would be 624 : 40 or 15.6:1, assuming all mGig ports were operating at 10 Gbps and all the 1 Gbps ports were being used.
More realistically, you may have the following actually connected to the switch stack:
* 32 Catalyst 9100 Series APs operating at 5 Gbps connected across the switch stack
* 128 Cisco IP Phones and/or end-user devices (PCs, Macs, etc.) operating at 1 Gbps connected across the switch stack
* 32 unused ports across the switch stack for future capacity
The actual potential bandwidth usage of the switch ports would be 32 x 5 Gbps = 160 Gbps plus 128 x 1 Gbps = 128 Gbps, for a total of 288 Gbps. Therefore a more realistic view of the oversubscription ratio is 288 Gbps : 40 Gbps, or 7.2:1.
Again, this configuration provides for additional capacity, in that you have an additional 12 x 10 Gbps unused uplinks across the switch stack, as additional devices require mGig port speeds, as devices transition to 10 Gbps speeds, and as you add additional switches in the switch stack.
If one of the switches with uplinks were to fail, the number of uplinks decreases to 2 x 10 Gbps. However, the number of ports also decreases by 48 switch ports. In this scenario, it is important to balance the devices (operating at mGig speeds and at 1 Gbps speeds) across all switches to maintain a similar oversubscription ratio. For example, APs operating at 5 Gbps should be spread equally across the switches in the stack. This is already a best practice for AP high availability in a wireless deployment. Assuming all devices were equally distributed across the four switches in the example above, if one of the switches with uplinks were to fail, the actual oversubscription ratio would increase from approximately 7.2:1 to 10.8:1 (the three surviving switches still carry 3 x 72 Gbps = 216 Gbps of connected access bandwidth over the remaining 20 Gbps of uplink).
Another best practice is to select switches without uplinks as the active and standby of the switch stack, as shown in the figure above. Uplinks should be provisioned on the member switches. This way, if the active switch of the stack fails, you don't have a double failure, meaning that you lose both the active switch and half of your uplinks.
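The ratio arithmetic in the single-switch, switch-stack and failure examples above can be checked mechanically, and the failure cases (loss of a member that carries uplinks, uplinks placed on the active or standby switch) are where hand calculation usually goes wrong. The following Python script is an added example and is not code from this guide or from Cisco. It models a stack as a list of members with their connected port speeds and provisioned uplinks, recomputes the oversubscription ratio for the loss of any single member, and flags the two placement mistakes the guide warns about. The port profiles it builds (12 mGig and 36 x 1 Gbps ports per switch; 8 APs at 5 Gbps and 32 devices at 1 Gbps per switch; uplinks only on the two members that are neither active nor standby) are taken from the worked examples; the class and function names, and the 25 Gbps variant it can build, are my own.

```python
"""Uplink oversubscription calculator for access-layer switch stacks.

Added example; not code from the Cisco design guide. Port profiles below are
constructed from the guide's worked examples (12 mGig + 36 x 1 Gbps ports per
switch; 8 APs at 5 Gbps and 32 devices at 1 Gbps per switch).
"""
import math
from dataclasses import dataclass, field


@dataclass
class Member:
    """One switch in a stack (a standalone switch is a stack with one member)."""
    name: str
    # demand on access ports: {port_speed_gbps: number_of_ports_operating_at_that_speed}
    access_ports: dict
    # uplink speeds in Gbps provisioned on this member, one entry per uplink
    uplinks: list = field(default_factory=list)
    role: str = "member"  # "active", "standby" or "member"


def oversubscription(members, failed=()):
    """Potential access bandwidth divided by uplink bandwidth for the surviving members.

    Returns math.inf when no uplink survives, i.e. the stack is cut off from the
    distribution layer; a design review should treat that as a hard failure.
    """
    alive = [m for m in members if m.name not in failed]
    access_gbps = sum(speed * count for m in alive for speed, count in m.access_ports.items())
    uplink_gbps = sum(sum(m.uplinks) for m in alive)
    if uplink_gbps == 0:
        return math.inf
    return access_gbps / uplink_gbps


def worst_single_failure(members):
    """Highest ratio reached when any one member fails; returns (ratio, member_name)."""
    return max((oversubscription(members, failed=(m.name,)), m.name) for m in members)


def placement_warnings(members):
    """Checks from the guide: no uplinks on the active/standby members (a failure
    there would be a double failure), and uplinks spread over at least two members."""
    warnings = []
    for m in members:
        if m.role in ("active", "standby") and m.uplinks:
            warnings.append(f"{m.name} is {m.role} and carries uplinks; its failure is a double failure")
    with_uplinks = [m for m in members if m.uplinks]
    if len(members) > 1 and len(with_uplinks) < 2:
        warnings.append("all uplinks sit on one member; its failure cuts the stack off")
    return warnings


def stack_of_four(uplink_speed=10, uplinks_per_switch=2, realistic=True):
    """Build the guide's four-switch stack: sw1/sw2 are active/standby without
    uplinks, sw3/sw4 carry the uplinks. realistic=False fills every port at its
    maximum speed; realistic=True uses 8 APs at 5 Gbps and 32 devices at 1 Gbps."""
    ports = {5: 8, 1: 32} if realistic else {10: 12, 1: 36}
    roles = ["active", "standby", "member", "member"]
    return [
        Member(f"sw{i + 1}", dict(ports),
               [uplink_speed] * uplinks_per_switch if roles[i] == "member" else [],
               roles[i])
        for i in range(4)
    ]


if __name__ == "__main__":
    stack = stack_of_four()
    print(f"normal operation: {oversubscription(stack):.1f}:1")
    ratio, who = worst_single_failure(stack)
    print(f"worst single-member failure ({who}): {ratio:.1f}:1")
    for w in placement_warnings(stack):
        print("warning:", w)
```

Run as a script it prints the four-switch stack's normal and worst-case ratios (7.2:1 and 10.8:1). Calling stack_of_four(uplink_speed=25, realistic=False) reproduces the 6.24:1 maximum for the 2 x 25 Gbps uplink variant, and a result of infinity from oversubscription() means a single failure leaves the stack with no uplink at all, which placement_warnings() reports before it happens.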
Modular access layer switch platforms
An alternative to deploying switch stacks at the access layer is to deploy modular switch platforms, such as the Catalyst 9400 Series. Catalyst 9400 Series 4, 7, or 10-slot models can be deployed, depending upon the port density requirements of your floor IDFs (wiring closets).
An advantage of modular platforms is that additional linecards can be added to empty slots within the chassis to increase capacity, without having to worry about whether additional rack space or power (assuming sufficient power supplies are already provisioned within the chassis) exists within the IDF which houses the modular switch. Adding an additional linecard may also be less expensive than purchasing another stackable or standalone switch.
Another advantage of modular platforms is that they are typically designed such that the supervisor can be upgraded to increase the performance of the platform, without having to replace it. This can be a cost advantage of modular platforms over time, compared to stackable platforms. Redundant supervisors can be deployed to provide chassis-level high availability such as Non-Stop Forwarding (NSF) and Stateful Switchover (SSO), similar to the active / standby functionality with NSF / SSO of a switch stack.
As with switch stacks, uplinks should be spread across linecards within the modular chassis. Oversubscription ratios should be determined both during normal operations and during failure scenarios. APs and end-user devices should be spread across available linecards to minimize the impact of the failure of a single linecard within a modular chassis.
Increasing uplink speeds
As you continue to add more switches to a switch stack you must keep in mind the distribution of the uplinks across the switches in the switch stack, and the oversubscription ratio during failure scenarios. Likewise, as you continue to add more linecards to a modular switch platform, you must keep in mind the distribution of the uplinks across the linecards, and the oversubscription ratio during linecard failure scenarios.
Deploying multiple 10 Gbps uplinks may not be effective for larger switch stacks or modular platforms when migrating to mGig capable switches or linecards. The maximum number of links in an EtherChannel configuration is eight, resulting in a maximum uplink bandwidth of 80 Gbps. Further, this requires eight 10 Gbps switch ports across the distribution layer switches, for each access layer switch or switch stack. Hence, it may be more optimal to migrate to higher speed uplinks between the access layer switch or switch stack and the distribution layer switches.
Figure 6. Example oversubscription ratio - access-layer switch stack with 25 Gbps uplinks (diagram: distribution-layer StackWise Virtual pair with 4 x 25G uplinks to a four-switch access-layer stack, with 2 x 25 Gbps uplink modules in two of the switches; 6.24:1 maximum oversubscription ratio at the access-layer switch uplink)
For example, instead of deploying four 48-port switches with fixed 4 x 10 Gbps uplinks in a switch stack
configuration, you may want to deploy four 48-port switches along with a 2 x 25 Gbps uplink module in two
of the switches within the stack.
This configuration provides up to 100 Gbps uplink bandwidth in a MEC configuration, when both switches
with uplinks are operational. Fewer uplink ports are required at the distribution layer StackWise Virtual pair,
and fewer optical fiber pairs are needed between the distribution layer StackWise Virtual pair and each of the
access layer switch stacks. However, when deciding to upgrade the uplink speeds between the access and
distribution-layer switches, you should keep in mind the following:
* The optical transceiver modules which connect the distribution layer switches to the access layer switch platforms have to interoperate with each other and have to be compatible with the fiber optic building distribution cabling - multimode fiber (MMF) or single mode fiber (SMF).
Note: Cisco offers a gradual migration path with the support of dual-rate optics, where the same 25 Gbps
optics can operate at both 10 Gbps and 25 Gbps speeds. With this approach, distribution layer devices can
be upgraded to 25 Gbps while the access layer still operates at 10 Gbps, and the access layer switches can
be upgraded over a period of time.
* The distances supported by multimode fiber typically decrease as speeds increase. This means that if you are upgrading from 10 Gbps to 25 Gbps between the distribution layer and access layer switches, and you have building distribution cabling consisting of multimode fiber (OM2, OM3, or OM4), you have to determine if the cabling will support the distances between the main IDF (which may house the distribution layer switches) and the floor IDFs (which may house the access layer switches) at the higher speeds. Keep in mind losses due to patch cables between the building distribution cabling and the actual equipment within the racks.
Note: The Cisco 10/25GBASE-CSR Module supports a link length of up to 300/400m over OM3/4 at 10G, and up to 300/400m over OM3/4 at 25G, depending upon the multimode fiber quality. It also supports link lengths of 82m over OM2 at 10G, and up to 70m over OM2 at 25G. This module requires RS-FEC on the host port for full reach operation at 25G. Using BASE-R FEC the module can support 70/100m over OM3/4, and without FEC it can support 30/50m over OM3/4 at 25G, depending on the multimode fiber quality. For 10G operation FEC is not required.
* If you have older multimode fiber (OM1), speeds above 10 Gbps may not be supported.
Single mode fiber generally supports both higher transmission rates and longer distances than multimode
fiber.
Uplink queuing
The actual uplink oversubscription ratio that you implement between your access and distribution layer switches is dependent upon your business requirements. Uplink ratios up to 20:1 between the access and distribution layer switches, and 4:1 between the distribution layer and core switches, have been implemented in networks. The higher the oversubscription ratio, the higher the probability that temporary or transient congestion of the uplink may occur if multiple devices transmit or receive simultaneously.
Catalyst 9000 Series switches dynamically allocate buffer space across switch ports and queues in order to optimize the utilization of the existing buffer space. However, switch buffer space is a finite quantity that depends on the model of the Catalyst 9000 Series switch platform (specifically the version of the UADP ASIC and the number of UADP ASICs within the switch platform). During periods of temporary congestion the buffers on individual switch ports and queues may become exhausted, resulting in packet loss.
It is recommended to implement queuing on switches where oversubscription of ports can result in transient congestion, which can cause packet loss. Queuing ensures that when congestion occurs, your higher priority traffic which is more susceptible to packet loss, such as voice traffic, is given preferential treatment over lower priority traffic. This preserves the quality of experience for your business critical applications, such as voice.
Access layer variations
In some situations, such as for IoT and for multi-dwelling unit (MDU) deployments, the access layer is often augmented with additional cascaded switches. For Cisco Software-Defined Access (described later) access extension deployments these access devices may be extended node switches. For MDU deployments the devices may be small distributed access switches or gigabit passive optical network (GPON) optical network termination devices. Network designs for these and other variations of the access layer are outside the scope of this guide.
Access layer platforms
The preferred options for the campus wired LAN include the following Cisco switches as platforms for the access layer:
* Cisco Catalyst 9400 Series Switches (modular chassis)
* Cisco Catalyst 9300 and 9300-L Series Switches
* Cisco Catalyst 9200 and 9200-L Series Switches
Distribution layer
The distribution layer supports many important services. In a network where connectivity needs to traverse the LAN end-to-end, whether between different access layer devices or from an access layer device to the WAN, the distribution layer facilitates this connectivity.
* Scalability - At any site with more than two or three access-layer devices, it is impractical to interconnect all access switches. The distribution layer serves as an aggregation point for multiple access-layer switches.
The distribution layer can lower operating costs by making the network more efficient, by requiring less memory, by creating fault domains that compartmentalize failures or network changes, and by processing resources for devices elsewhere in the network. The distribution layer also increases network availability by containing failures to smaller domains.
• Reduce complexity and increase resiliency-The campus wired LAN has the option to use a
simplified distribution layer, in which a distribution-layer node consists of a single logical entity
that can be implemented using a pair of physically separate switches operating as one device
(StackWise Virtual) or using a physical stack of switches operating as one device. Resiliency is
provided by physically redundant components like power supplies, supervisors, and modules, as
well as stateful switchover to redundant logical control planes.
This approach reduces complexity of configuring and operating the distribution layer because
fewer protocols are required. Little or no tuning is needed to provide near-second or sub-second
convergence around failures or disruptions.
Two-tier design
The distribution layer provides connectivity to network-based services, to the WAN, and to the Internet edge.
Network-based services can include, but are not limited to, Wide Area Application Services (WAAS) and
WLAN controllers. Depending on the size of the LAN, these services and the interconnection to the WAN and
Internet edge may reside on a distribution layer switch that also aggregates the LAN access-layer
connectivity. This is also referred to as a collapsed core design because the distribution serves as the Layer
3 aggregation layer for all devices.
Figure 7. Two-tier design: Distribution layer functioning as a collapsed core
(diagram: distribution StackWise Virtual pair connecting the LAN and a firewall)
Three-tier design
Larger LAN designs require a dedicated distribution layer for network-based services versus sharing
connectivity with access layer devices. As the density of WAN routers, WAAS controllers, Internet edge
devices, and WLAN controllers grows, the ability to connect to a single distribution layer switch becomes
hard to manage. When connecting at least three distributions together, using a core layer for distribution
connectivity should be a consideration.
There are several factors that drive LAN design with multiple distribution layer modules:
• The number of ports and port bandwidth that the distribution layer platform can provide affects
network performance and throughput.
• Network resilience is a factor when all LAN and network-based services rely on a single platform;
regardless of that platform's design, it can present a single point of failure or an unacceptably
large failure domain.
• Change control and frequency affects resilience. When all LAN, WAN, and other network services
are consolidated on a single distribution layer, operational or configuration errors can affect all
network operation.
• Geographic dispersion of the LAN access switches across many buildings in a larger campus
facility would require more fiber optic interconnects back to a single collapsed core.
Like the access layer, the distribution layer also provides quality of service (QoS) for application flows to
guarantee critical applications and multimedia applications perform as designed.
Figure 8. Three-tier design with a network-services distribution layer
(diagram)
Distribution layer platforms
The preferred Cisco switches for deploying the distribution layer of the campus wired LAN include:
• Cisco Catalyst 9600 Series Switches (modular chassis)
• Cisco Catalyst 9500 Series Switches
• Cisco Catalyst 9400 Series Switches (modular chassis)
Core layer
In a large LAN environment, there often arises a need to have multiple distribution layer switches. One reason
for this is that when access layer switches are located in multiple geographically dispersed buildings, you
can save potential costly fiber-optic runs between buildings by locating a distribution layer switch in each of
those buildings. As networks grow beyond three distribution layers in a single location, organizations should
use a core layer to optimize the design.
Another reason to use multiple distribution layer switches is when the number of access layer switches
connecting to a single distribution layer exceeds the performance goals of the network designer. In a
modular and scalable design, you can collocate distribution layers for data center, WAN connectivity, or
Internet edge services.
In environments where multiple distribution layer switches exist in close proximity and where fiber optics
provide the ability for high-bandwidth interconnectivity, a core layer reduces the network complexity to N * 2
redundant links for N distributions, down from N * (N-1) / 2 redundant links, as shown in the following two
figures.
Figure 9. LAN topology with a core layer
Figure 10. LAN topology without a core layer
The core layer of the LAN is a critical part of the scalable network and, by design, is one of the simplest. The
distribution layer provides the fault and control domains, and the core represents the 24x7x365 non-stop
connectivity between them, which organizations must have in the modern business environment where
connectivity to resources to conduct business is critical. Connectivity to and from the core is Layer 3-only,
which drives increased resiliency and stability.
Oversubscription ratios
For three-tiered designs, increasing the uplink speeds between the access and distribution layer switches
may also require increasing uplink speeds between the distribution and core layer switches in order to
maintain the desired oversubscription ratio.
Determining the oversubscription ratio of the uplink between the distribution and core layer switches is fairly
straightforward. You need to take into consideration the number of ports connecting the distribution layer
switches to the access layer switches or switch stacks, as well as the speeds at which the ports are
operating.
Figure 11. Oversubscription between the distribution and core layer switches - 40 Gbps uplinks
(diagram: Catalyst 9000 Series core and distribution layer switches; a total of 32 x 25 Gbps uplinks from the access layer switch stacks of 48-port switches; 10:1 oversubscription ratio on the uplinks between the distribution and core layers)
For example, let's say your distribution layer switch is a StackWise Virtual pair that supports a building with 4
floors. Each floor has two IDFs (wiring closets). Each IDF has an access layer switch stack consisting of four
48-port switches along with a 2 x 25 Gbps uplink module in two of the switches within the stack. The total
number of 25 Gbps ports required at the distribution layer switches is 4 uplinks x 2 IDFs per floor x 4 floors =
32 ports.
This configuration would provide up to 32 x 25 Gbps = 800 Gbps bandwidth between the distribution layer
and access layer switches. Simply keeping existing 2 x 40 Gbps uplinks would only provide up to 80 Gbps
between the distribution layer and core layer switches. This would provide an oversubscription ratio of
800:80 or 10:1 between the distribution and core layers. Depending upon your business requirements, this
may be insufficient.
Increasing Uplink Speeds
You could choose to add additional 40 Gbps links between the distribution and core layer switches, possibly
operating in a Layer 3 EtherChannel configuration. However, this would require additional 40 Gbps switch
ports at every distribution layer and core layer switch. More importantly, it would require additional fiber
optic pairs between the distribution layer switches and the core layer switches.
In a large campus deployment, the core layer switches may be located in a centralized data center in a
different building. If insufficient optical pairs exist, then additional optical cabling would need to be pulled
between the centralized data center and each of the buildings. This could be a very expensive proposition,
as existing conduit space between the buildings may not be capable of supporting additional cabling, and
you run the risk of damaging the existing cabling in the conduit - resulting in an extended outage. Installing
new conduit may involve getting the necessary right-of-way to trench and install underground conduit - on
top of the cost to install the new fiber optic cable.
An alternative may be to upgrade the uplink speeds between the distribution layer and core layer switches to
100 Gbps.
Figure 12. Oversubscription between the distribution and core layer switches - 100 Gbps uplinks
(diagram: Catalyst 9000 Series core and distribution layer switches with 2 x 100 Gbps uplinks; a total of 32 x 25 Gbps uplinks from the access layer switch stacks of 48-port switches; 4:1 oversubscription ratio on the uplinks between the distribution and core layers)
This would provide an oversubscription ratio of 800:200 or 4:1 between the distribution and core layers.
As with the access layer, when deciding to upgrade the uplink speeds between the distribution layer
switches and the core layer switches, you should keep in mind the following:
• The optical transceiver modules which connect the distribution layer switches to the core layer
switch platforms have to interoperate with each other and have to be compatible with the fiber
optic cabling between buildings.
Due to the increased distances between buildings, single mode fiber (SMF) may already be installed
between the distribution and core layer switches. This may help facilitate the migration from 40 Gbps to 100
Gbps between the distribution and core layers.
Core layer platforms
The preferred Cisco switches used as campus platforms for the core layer are:
• Cisco Catalyst 9600 Series Switches (modular chassis)
• Cisco Catalyst 9500 Series Switches
The capacity, density, and features are the primary differences driving platform selection. Both lead platforms
have sibling platforms that may be appropriate for the core role in existing networks or networks where the
full capabilities of the lead platforms are not required.
Design Options: Campus Wired LAN
When you scale from a single switch in a campus LAN up to a full three-tier campus network, the reliability
of the network is increasingly important, because network downtime likely affects a greater user population
with a larger workplace and economic significance. To mitigate the concerns about unavailability of network
resources, campus designs include additional resiliency options, such as redundant links, switches, and
switch components. In traditional multilayer campus designs, the added resiliency comes at a cost of
configuration complexity, with most of the complexity introduced from the interaction of the access and
aggregation layers of the campus LAN.
The primary function of the distribution layer is to aggregate access layer switches in a given building or
campus. The distribution layer provides a boundary between the Layer 2 domain of the access layer and the
Layer 3 domain that provides a path to the rest of the network. This boundary provides two key functions for
the LAN. On the Layer 2 side, the distribution layer creates a boundary for spanning tree protocol (STP),
limiting propagation of Layer 2 faults. On the Layer 3 side, the distribution layer provides a logical point to
summarize IP routing information when it enters the network. The summarization reduces IP route tables for
easier troubleshooting and reduces protocol overhead for faster recovery from failures.
Layer 2 access with traditional multilayer campus design
Traditional LAN designs use a multi-tier approach with Layer 2 from the access layer to the distribution layer,
where the Layer 3 boundary exists. The connectivity from the access layer to the distribution layer can result
in either a loop-free or looped design.
In the traditional network design, the distribution layer has a pair of standalone switches for resiliency. It is
recommended that you restrict a Layer 2 virtual LAN (VLAN) to a single wiring closet or access uplink pair in
order to reduce or eliminate topology loops that STP must block and that are a common point of failure in
LANs. Restricting a VLAN to a single switch provides a loop-free design, but it does limit network flexibility.
To create a resilient IP gateway for VLANs in the traditional design, you must use first-hop redundancy
protocols (FHRP), which provide hosts with a consistent MAC address and gateway IP for a VLAN. Hot
standby routing protocol (HSRP) and virtual router redundancy protocol (VRRP) are the most common
gateway redundancy protocols, but they only allow hosts to send data out one of the access uplinks to the
distribution layer and require additional configuration for each aggregation switch in order to allow you to
distribute VLANs across uplinks. Gateway load-balancing protocol (GLBP) does provide greater uplink
utilization for traffic exiting the access layer by balancing load from hosts across multiple uplinks, but you can
only use it in a non-looped topology.
Note: All FHRP protocols require that you fine-tune the default timer settings in order to allow for sub-
second network convergence, which can impact switch CPU resources.
Some organizations require the same Layer 2 VLAN be extended to multiple access layer closets to
accommodate an application or service. The looped design causes spanning tree to block links, which
reduces the bandwidth from the rest of the network and can cause slower network convergence. The
inefficiencies and the increased potential for misconfiguration drive network engineers to look for more
appealing alternatives.
Figure 13. Traditional looped design with VLANs spanning access switches
(diagram: interface blocked by spanning tree)
Figure 14. Traditional loop-free design with a VLAN per access switch
The following is a summary of some of the design and operational concerns with the traditional multilayer
campus design, driving alternative approaches:
• Spanning-tree protocol looping behavior, including blocked links, slow convergence, asymmetric
forwarding, and switch CAM and ARP table tuning to address unicast flooding
• FHRP configuration consistency, slow convergence times driving protocol tuning in conflict with
non-stop forwarding systems
• Layer 3 protocol tuning and protocol-dependent scale and recovery, multicast protocol
configuration consistency and tuning, and general control plane, management, and forwarding
complexity
Note: The FlexLink+ feature enables the user to configure a pair of Layer 2 interfaces (trunk ports or
port channels) where one interface is configured to act as a backup to the other. The feature provides an
alternative solution to the Spanning Tree Protocol (STP).
Because of the design and operational concerns inherent in the traditional multilayer campus design,
organizations strive to deploy different designs, whenever possible.
Layer 3 routed access campus design
In another approach to access and distribution layer design, you can use Layer 3 beyond just the core and
distribution layers and configure Layer 3 all the way into the access layer. Using the Layer 3 access design
removes the Layer 2-to-Layer 3 boundary at the distribution layer, and makes each access switch the
boundary between the Layer 2 access ports and outbound Layer 3 connectivity. The benefits of this design
are that you eliminate spanning tree loops and reduce protocols because the IP gateway is now the access
switch. Because there are no spanning-tree blocking links, you can use both uplinks to the access layer and
increase effective bandwidth available to the users. This design makes it easy to maintain configuration
consistency, while providing excellent convergence properties with minimal tuning, as the more complex
Layer 2 interaction at the Layer 3 distribution is eliminated.
Figure 15. Layer 3 routed access
(diagram)
The challenges with the routed access layer design are that the Layer 2 domains are confined to a single
access closet, which limits flexibility for applications that require Layer 2 connectivity extending across
multiple access closets; that the access switches must have the capability to support Layer 3 routing
functionality; and that differences in IP addressing and subnetting must be accommodated. Many organizations
have been unable to overcome the application requirements driving the need for Layer 2 connectivity across
access-layer switches, resulting in the desire to address the needs using alternative designs.
Preferred Layer 2 access using a simplified distribution layer campus design
An alternative that can handle Layer 2 access requirements and avoid the complexity of the traditional
multilayer campus is called a Layer 2 access with simplified distribution layer design. The design uses
multiple physical switches that act as a single logical switch, such as switch stack or Cisco StackWise Virtual
Pair (SVP), or the less preferred single, highly-redundant physical switch. One advantage of this design is
that spanning tree dependence is minimized, and all uplinks from the access layer to the distribution are
active and passing traffic.
Even in the distributed VLAN design, you eliminate spanning tree blocked links because of looped
topologies. You reduce dependence on spanning tree by using EtherChannel to the access layer with dual-
homed uplinks. This is a key characteristic of this design, and you can load-balance up to eight links as
needed for additional bandwidth. At the same time, multiple links in an EtherChannel have better
performance characteristics versus single independent links.
Figure 16. Simplified distribution design with a VLAN per access switch
Figure 17. Simplified distribution design with VLANs spanning access switches
EtherChannel is a logical interface that can use a control plane protocol to manage the physical members of
the bundle. It is better to run a dynamic channel protocol instead of using forced-on mode because a
dynamic channel protocol performs consistency checks for interfaces programmed to be in the channel and
provides protection to the system from inconsistent configurations. Cisco Catalyst switches provide both port
aggregation protocol (PAgP), which is a widely deployed Cisco designed protocol, and link aggregation
protocol (LACP), which is based on IEEE 802.3ad.
There are several other advantages to the simplified distribution layer design. You no longer need IP gateway
redundancy protocols such as HSRP, VRRP, and GLBP, because the default IP gateway is now on a single
logical interface and resiliency is provided by the distribution layer switch or switches. Also, the network will
converge faster now that it is not depending on spanning tree to unblock links when a failure occurs,
because EtherChannel provides fast sub-second failover between links in an uplink bundle.
The topology of the network from the distribution layer to the access layer is logically a hub-and-spoke
topology, which reduces complexity of design and troubleshooting. The hub-and-spoke topology design
provides a more efficient operation for IP Multicast in the distribution layer because there is now a single
logical designated router to forward IP Multicast packets to a given VLAN in the access layer.
Finally, by using the single logical distribution layer design, there are fewer boxes to manage, which reduces
the amount of time spent on ongoing provisioning and maintenance. Using the Cisco Catalyst 9000 Series
switches for physical or logical stacking is also the basis for enabling resiliency features such as stateful
switchover (SSO), non-stop forwarding (NSF), and in-service software upgrades (ISSU).
Cisco Software-Defined Access campus design
Another way to overcome the Layer 2 adjacency restrictions while still maintaining the advantages of the
routed access layer design is by adding fabric capability to a Layer 3 access campus network design,
supporting an overlay network with the required Layer 2 connectivity. Benefits of Cisco SD-Access
technology are the decoupling of the Layer 2/Layer 3 forwarding plane of the endpoint/user from the
underlay network, the unification of wired and wireless policies, and the advantage of not having to hair-pin
wireless traffic to an overlay node such as WLC.
The addition of the fabric overlay is automated using Cisco DNA Center to deploy Cisco SD-Access
technology. The Cisco SD-Access design enables the use of virtual networks (overlay networks, or macro
segmentation) running on a physical network (underlay network) in order to create alternative topologies to
connect devices.
Figure 18. Cisco SD-Access campus design
(diagram: Shared Services; Distribution (StackWise Virtual); Overlay and Underlay; Border + Control Plane Nodes; Wireless LAN Controllers; Intermediate Nodes; Edge Node; APs)
Beyond traditional network virtualization, Cisco SD-Access allows for software-defined segmentation and
policy enforcement based on user identity and group membership, integrated with Cisco TrustSec
technology to support group-based micro segmentation policies. Beyond support for the wired LAN and
unlike any alternative virtualization technology, Cisco SD-Access also inherently supports integration of the
wireless LAN for a common policy across the entire campus domain.
For additional information, see the Software-Defined Access Solution Design Guide.
Alternative virtualization design for campus—BGP EVPN VXLAN
For organizations not requiring the full automation and assurance support for macro and micro segmentation
policies integrated with wireless across the campus LAN, there are alternative multi-vendor options available.
Traditionally, multiprotocol label switching (MPLS) technology or basic segmentation using VRF-Lite has
been adapted to campus networks to attempt to replicate service provider-like segmentation within the LAN.
Recent standards body work has proposed an alternative means to support Ethernet VPN (EVPN) overlays in
the campus and, like Cisco SD-Access, has the option to use VXLAN encapsulation.
Unlike Cisco SD-Access, the control plane protocol for creating forwarding tables is BGP, and scales using
the well-known concept of route reflectors. However, EVPN does require greater Access (Leaf) and Border
forwarding table scale, due to the nature of the Multiprotocol BGP (MP-BGP) control plane.
Figure 19. BGP EVPN VXLAN network topology
(diagram: external network connected through the fabric border leaf)
For organizations looking for an open standards-based overlay solution for their campus designs, and not
needing the full intent-based networking security solution along with integrated wireless, BGP EVPN VXLAN
can be a viable alternative to traditional campus virtualization options.
Design Fundamentals: LAN Security Best Practices
With any good network design, security must also be a focus. The tools below can help prevent attacks
and make the network more secure and reliable.
Note: These are a few fundamental tools to help with basic network security; see the Enterprise
Security Design Guide for a more in-depth look at campus security.
DHCP Snooping
Rogue DHCP servers can be detrimental to the security and usability of the network if not protected against
properly. Rogue DHCP servers attack the network by assigning unroutable IP addresses to clients, causing
them to lose connectivity. Also, rogue DHCP servers can be used to issue malicious DNS servers. Users
then looking to go to real websites will be sent to fake copies of these sites to steal credentials or
information.
DHCP Snooping is a tool used to combat rogue DHCP servers. It works by assigning one or more ports as
trusted, meaning these ports lead to legitimate DHCP servers. The switch then builds a database of the
untrusted hosts with leased IP addresses, MAC address, switchport, and VLAN. Traffic sent from these
untrusted hosts is filtered of any DHCP server messages, blocking any attempt to run a malicious DHCP
server.
Dynamic ARP Inspection
ARP cache poisoning is a malicious technique used to stage man-in-the-middle attacks. It works by sending a
forged ARP packet with the IP address of another device and the attacker's own MAC address to poison hosts'
ARP caches. This means traffic destined for the legitimate device will instead be sent to the attacker. The attacker
can then forward the traffic to its intended destination, making it look as if the traffic was never interrupted.
Dynamic ARP Inspection (DAI) is a tool that can be used to mitigate this threat. DAI uses the DHCP snooping
database for IP to MAC address bindings. DAI then intercepts all ARP packets and drops any packet where
the IP to MAC address binding is not valid.
BPDU Guard
In L2 networks, loops can be your worst nightmare. To combat this, we use STP (Spanning Tree Protocol),
but this can also be used to hurt the network if we don't protect it.
In spanning tree, a root bridge is elected. This decides which ports will be put in a forwarding or blocking
state. If a device is added with a lower priority than the current root bridge, it will take over, causing a
topology change and possibly blocking traffic from a wanted path.
BPDU guard is a feature designed to solve this problem. When enabled, if a switch sees BPDU traffic
coming from a port, it will automatically set it to the "errdisabled" state so that no traffic can pass.
802.1X
Authentication is very important for the security of the network. A potential attacker can sneak into a building
and plug into an enabled network port and gain access to the network.
802.1X is an IEEE standard used for restricting unauthorized access to the network by making users
authenticate before they are allowed onto the network. 802.1X uses three different parts for authentication.
• Supplicant - This is software which runs on the user device that collects credentials and forwards
them to be authenticated.
• Authenticator - This is the network access device, usually a switch, that the supplicant sends the user
credentials to. The credentials are then forwarded to the authentication server.
• Authentication server - This is a RADIUS server that validates the credentials based on information
in its database.
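As an added example, not taken from the Cisco guide, the following IOS-XE style configuration shows how the EtherChannel guidance from the simplified distribution design (a dynamic channel protocol rather than forced-on mode) and the four access-layer controls in this section fit together on one Catalyst access switch stack: the LACP uplink is the only port trusted for DHCP snooping and DAI, and every user port gets PortFast with BPDU guard and 802.1X. VLANs 10 and 20, the interface names, the RADIUS server address and the shared secret are placeholders, and exact keywords vary by IOS-XE release.

```cisco
! Constructed example, not from the Cisco guide: one Catalyst 9300 access
! stack in IOS-XE syntax. VLANs 10/20, interface names, the RADIUS server
! address and the shared secret are placeholders.
!
! --- 802.1X: this switch is the authenticator, RADIUS is the auth server ---
aaa new-model
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
aaa group server radius DOT1X-SERVERS
 server name ISE-1
aaa authentication dot1x default group DOT1X-SERVERS
aaa authorization network default group DOT1X-SERVERS
dot1x system-auth-control
!
! --- DHCP snooping: every port is untrusted until explicitly trusted ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion off so legitimate relays/servers do not reject leases
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection: ARP checked against the snooping bindings ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- Let a port err-disabled by BPDU guard recover after 5 minutes ---
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Uplinks to the distribution layer: dynamic LACP, not "mode on" ---
! One member per stack switch, so a single switch failure keeps the bundle
! up; LACP also refuses a member whose configuration is inconsistent.
interface range TwentyFiveGigE1/1/1 , TwentyFiveGigE2/1/1
 description Uplink to distribution StackWise Virtual pair
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-protocol lacp
 channel-group 1 mode active
!
interface Port-channel1
 description Logical uplink bundle
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ! Only the uplink may carry DHCP server replies and unvalidated ARP
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User-facing access ports ---
interface range GigabitEthernet1/0/1 - 48
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Untrusted by default; rate limits blunt DHCP/ARP floods from a host
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! Port stays closed until the supplicant authenticates via RADIUS
 authentication port-control auto
 dot1x pae authenticator
 ! Edge port: forward immediately, err-disable if a BPDU ever arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Verify the result with show ip dhcp snooping binding, show ip arp inspection statistics, and show authentication sessions.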
Cisco Umbrella
With remote workers and sites being more prevalent in today's networks, it can be difficult to secure the
network from malware and phishing attacks.
Cisco Umbrella provides a first line of security for wherever users access the internet by using DNS as a
security tool. Since DNS is a core part of the internet, it is used to block requests to malicious domains and
IP addresses before a connection is established. It learns of these current and future threats through a
growing database built on machine learning and Internet activity patterns. This means Cisco Umbrella can
identify and block threats before they even launch.
Cisco Umbrella also provides network administrators visibility of Internet activity across all endpoint devices
on or off the corporate network. This allows users to easily view any malicious domains or IP addresses
that users attempted to access.
Design Fundamentals: LAN High Availability
To mitigate the concerns about unavailability of network resources, campus LAN designs include high
availability / resiliency options, such as redundant links, switches, and switch components. Designing for
high availability in the LAN must also consider the entire lifecycle of the deployment, including the need for
updates and upgrades on the network. This section discusses high availability features specific to the LAN
side of the network.
Stateful Switchover (SSO)
Stateful switchover (SSO) synchronizes active process information, as well as configuration information,
between active and standby supervisors of a modular chassis / StackWise Virtual pair, or between the active
and standby switches in a switch stack. SSO allows the standby supervisor / switch to immediately take
over in sub-second time if the active supervisor / switch fails.
Non-stop Forwarding (NSF)
Non-stop forwarding (NSF) helps to suppress routing flaps in SSO enabled devices. NSF allows for graceful
restart of L3 routing protocols, in the event of the failure of the active supervisor of a modular chassis /
StackWise Virtual pair, or the failure of the active switch of a switch stack. When the supervisor or switch
switches over from the active to the hot-standby, it will continue switching IP data traffic flows in hardware.
However, the device in the active role requires time to re-establish control plane peering with IP routing
neighbors. NSF allows for the forwarding of data packets to continue along known routes while the routing
protocol information is being restored following a switchover.
Supervisor Redundancy
Cisco Catalyst C9404R, C9407R, C9410R, and C9606R chassis models support 1+1 supervisor redundancy
(Sup-1, Sup-1XL, or Sup-1XL-Y on Catalyst 9400 Series, and Sup-1 on Catalyst 9600 Series). The primary
supervisor is active and is responsible for normal system operation. The secondary supervisor serves as a
standby, monitoring the operation of the primary. Information is synchronized between supervisors to allow
the standby supervisor engine to immediately take over in sub-second time if the primary engine fails. Non-
stop forwarding / stateful switchover (NSF / SSO) offers continuous packet forwarding during supervisor
engine switchover.
Note: When implementing 1+1 supervisor engines on Catalyst 9400 Series switches, the active uplink
ports are automatically spread across the two supervisors for link-level resiliency. The Catalyst 9600 Series
supervisor engine does not support uplinks on the module itself. For link-level resiliency on the Catalyst
9600 Series, spread uplink ports across the switch linecards.
StackWise Virtual Technology
StackWise Virtual technology combines two Catalyst 9000 Series switches into a single logical network
entity from the network control plane and management perspectives. Because the two switches operate as
one, StackWise Virtual enables the creation of a loop-free topology. Spanning-tree treats the StackWise
Virtual pair as one bridge node, instead of two. StackWise Virtual technology uses SSO / NSF to provide
seamless traffic failover when one of the switches fails. To neighboring devices a StackWise Virtual domain
appears as a single logical switch or router. Within a StackWise Virtual domain, one device is designated as
the active switch and the other is designated as the standby switch. All control plane functions are centrally
managed by the active switch. From the data-plane and traffic-forwarding perspectives, both switches
actively forward traffic.
Figure 20. StackWise Virtual Technology (figure: StackWise Virtual Link (SVL) between two Catalyst 9000 Series Switches)
In order to bond the two switches together into a single logical node, special signaling and control
information must be exchanged between the two switches. To facilitate this information exchange, a
dedicated link - the StackWise Virtual link (SVL) - is used to transfer both data and control traffic between
the peer switches. The SVL is formed as an EtherChannel interface of up to eight physical port members. It
is recommended to have at least two physical port members for StackWise Virtual link resiliency.
Switch Stacks and Cisco StackWise Technology
Cisco StackWise technology allows up to a maximum of eight switches to be stacked together physically in a
ring topology to form a single, unified, virtual stack system. The stacking architecture expands form factor,
switching capacity, port density, and redundancy, as well as providing a distributed data plane with a single
control and management plane.
StackWise creates a unified control and management plane by electing one switch in the stack as the active
switch and another switch as the hot-standby. Remaining switches become stack members. To logically
appear as a single virtual switch, the IOS daemon (IOSd) process on the active switch of the stack centrally
manages all management plane and network control plane operations with Layer 2 and Layer 3 protocols.
This information is synchronized with the standby switch of the stack to provide NSF / SSO failover in case
the active switch fails. To optimize data plane performance by using hardware resources from each Catalyst
9000 Series stack member switch, network services such as QoS, security ACLs, and others are distributed
and programmed to be locally enforced on network ports. The hardware Forwarding Information Base (FIB)
is also programmed in ASICs across all stack-member switches in the stack ring.
To optimally forward the traffic within the stack ring, the packet-stripping function is performed on the
destination switch instead of on the source switch. This mechanism, known as the spatial-reuse forwarding
mechanism, boosts data plane switching performance in the stack-ring switching architecture.
The following sub-sections discuss the StackWise implementation on Catalyst 9200 and 9300 Series
switches.
Catalyst 9200 Series StackWise-160/80
Catalyst 9200 Series switches enable stacking of up to 8 switches and 416 ports using a stack-ring fabric
known as either StackWise-160 or StackWise-80. StackWise-160 is supported on Catalyst 9200 switch
models with the support of up to 160 Gbps stack bandwidth. StackWise-80 is supported on Catalyst 9200L
switch models with the support of up to 80 Gbps stack bandwidth.
Catalyst 9300 Series StackWise-480/360
Catalyst 9300 Series switches enable stacking of up to 8 switches and 448 ports using a stack-ring fabric
known as either StackWise-480 or StackWise-360. StackWise-480 is supported on Catalyst 9300 switch
models with the support of up to 480 Gbps stack bandwidth. StackWise-360 is supported on Catalyst
9300L switch models with the support of up to 360 Gbps stack bandwidth.
EtherChannel
EtherChannel allows multiple physical Ethernet links to combine into one logical channel, allowing for load
sharing of traffic among the links in the channel as well as redundancy in the event that one or more links in
the channel fail. Up to eight Ethernet ports can be combined into a single logical channel. Multichassis
EtherChannel (MEC) and cross-stack EtherChannel extend traditional EtherChannel by allowing Ethernet
ports to be aggregated towards different physical chassis that form a single virtual switch (StackWise Virtual
pair or switch stack).
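The StackWise Virtual, switch stack and EtherChannel sections above describe the topology in words. The IOS XE configuration below is an added example, not taken from this guide or from any Cisco template: two Catalyst 9500 chassis converted into one StackWise Virtual node with a two-member SVL and a dual-active-detection link, a Catalyst 9300 access stack with a deterministic active/standby election, and one LACP EtherChannel between them that is cross-stack on the access side and multichassis (MEC) on the distribution side. The platforms, hostnames, domain number, interface numbers and the OSPF process are assumptions for the example.

```cisco
! ===== Distribution: DIST-SVL (two Catalyst 9500 chassis, assumed) =====
! Apply on BOTH chassis before the reload; the domain number must match on both.
! Interface numbers are assumptions for this example.
configure terminal
 stackwise-virtual
  domain 100
 exit
 ! SVL = EtherChannel of up to eight members; two members give link-level resiliency.
 interface range TenGigabitEthernet1/0/1-2
  stackwise-virtual link 1
 exit
 ! Dual-active detection on a separate direct link. Without it, losing every SVL
 ! member would leave two active switches claiming the same identity (split brain).
 interface TenGigabitEthernet1/0/3
  stackwise-virtual dual-active-detection
 exit
 ! NSF on the IGP (OSPF assumed) so forwarding continues along known routes while
 ! the new active re-establishes its routing adjacencies after an SSO switchover.
 router ospf 1
  nsf cisco
 exit
end
write memory
reload
! After both chassis come back as one node, ports are named <switch>/<slot>/<port>.
! Multichassis EtherChannel: one member on each chassis, LACP active on both ends.
configure terminal
 interface range TenGigabitEthernet1/0/5, TenGigabitEthernet2/0/5
  channel-group 10 mode active
 exit
 interface Port-channel10
  description MEC to access stack ACC-1
  switchport mode trunk
 exit
end

! ===== Access: ACC-1 (Catalyst 9300 StackWise-480 stack, assumed) =====
! Make the active / hot-standby election deterministic (privileged EXEC commands).
switch 1 priority 15
switch 2 priority 14
configure terminal
 ! Cross-stack EtherChannel: one uplink on each of two stack members, so the
 ! loss of one member or one link does not take the uplink down.
 interface range TenGigabitEthernet1/1/1, TenGigabitEthernet2/1/1
  channel-group 10 mode active
 exit
 interface Port-channel10
  description Uplink to DIST-SVL
  switchport mode trunk
 exit
end

! ===== Verification (run on the respective node) =====
show stackwise-virtual
show stackwise-virtual link
show stackwise-virtual dual-active-detection
show redundancy
show switch
show etherchannel 10 summary
```

The dual-active-detection link is the part most often skipped and the one worth checking after every change: confirm it is listed as up in show stackwise-virtual dual-active-detection, and in show etherchannel 10 summary confirm that both physical members are bundled (flag P) before relying on the channel for redundancy.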
Software Maintenance Upgrades (SMUs)
An SMU is a software package that can be installed on Catalyst 9000 Series switches to provide a patch fix
for bugs or security resolution to an already released image. The SMU type describes the effect the installed
SMU has on the corresponding system. SMUs might not have an impact on traffic, or might result in device
restart, reload, or switchover. Hot patching enables an SMU to take effect after activation without the system
having to be reloaded. After the SMU is committed, the changes are persistent across reloads. In certain
cases, SMUs may require a cold (complete) reload of the operating system. This action affects the traffic
flow for the duration of the reload. If a cold reload is required, users will be prompted to confirm the action.
Note: SMUs support patching using install mode only. SMUs are only supported on long-lived extended
maintenance releases from IOS XE 16.6.1 on.
In-Service Software Upgrades (ISSUs)
In-Service Software Upgrade (ISSU) is a process that upgrades an image to another image on a device while
the network continues to forward packets. ISSU helps network administrators avoid a network outage when
performing a software upgrade. The images are upgraded in install mode wherein each package is upgraded
individually. ISSU is supported in Catalyst 9000 Series standalone and modular platforms (Catalyst 9400,
9500, and 9600 Series).
Note: ISSU is not supported for an upgrade from Cisco IOS XE Fuji 16.9.1 to Cisco IOS XE Fuji 16.9.2.
ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.10.x or Cisco IOS XE Gibraltar 16.11.x is not
supported. On Cisco Catalyst 9500 Series Switches - High Performance, ISSU with Cisco StackWise Virtual
is supported starting from Cisco IOS XE Gibraltar 16.12.1. Therefore, ISSU upgrades can be performed only
starting from this release to a later release.
Graceful Insertion and Removal (GIR)
GIR leverages redundant paths and existing routing protocols to gracefully isolate a device without impacting
active flows. Conversely, GIR also gracefully reinserts the device back into service when the work is
complete. GIR allows the network administrator to easily manipulate the routing and first-hop gateway
metrics of a network device that is about to undergo maintenance to make it a very unattractive path. It does
this by inflating metrics or sending messages to indicate to peers that this device is no longer the best path
for traffic. Once the traffic moves away from the device, maintenance actions can be undertaken. Once the
maintenance is complete, returning these metrics to their former values then smoothly restores normal traffic
flow.
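The GIR workflow just described, as an added IOS XE command sequence that is not part of this guide: drain the device before maintenance, confirm that traffic has moved, and reinsert it afterwards. It assumes the switch already runs one or more routing protocols with redundant peers (otherwise there is no alternate path to drain to); the 60-minute timeout is an assumed value.

```cisco
! Added example, not from the design guide. Assumes an IGP is running and peers
! have an alternate path; the timeout value is an assumption.
configure terminal
 ! Safety net: the switch leaves maintenance mode on its own after 60 minutes,
 ! so a forgotten maintenance window cannot leave it permanently drained.
 system mode maintenance timeout 60
 ! Enter maintenance mode: routing and first-hop gateway metrics are inflated
 ! so peers stop preferring this device, while existing flows are not cut.
 system mode maintenance
end
! Confirm the mode and watch traffic move away before doing anything disruptive.
show system mode
show system mode maintenance
show interfaces counters
! ... perform the maintenance work (patch, cable move, line card swap) ...
configure terminal
 ! Graceful reinsertion: metrics return to their former values and traffic comes back.
 no system mode maintenance
end
show system mode
```

Check the interface counters twice a minute apart: the point of GIR is that the drain happens before the intrusive work starts, so do not proceed until the forwarded traffic on the uplinks has actually dropped rather than relying on the mode change alone.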
Fast Software Upgrade (FSU) and Extended Fast Software Upgrade
During a software upgrade on the switch, user traffic is disrupted until the new software completely boots
up. The traffic downtime is a concern for customers running critical applications. The Fast Software Upgrade
(FSU) feature significantly reduces the traffic downtime during a software upgrade. The fast software
upgrade feature is supported on both stacking and standalone systems from IOS XE 16.8.1a and higher.
Note: Fast software upgrade is supported only on access switches with a single logical uplink connection.
Fast software upgrade is not supported if the Micro Controller Unit (MCU) Field Programmable Gate Array
(FPGA) upgrade is required. Fast software upgrade is not supported if the switch is configured as a StackWise
Virtual system.
Extended Fast Software Upgrade reduces the traffic downtime during software reload or upgrade operations.
Compared to Fast Software Upgrade, the traffic downtime is reduced to less than 30 seconds, depending on
the switch configuration. Extended Fast Software Upgrade uses graceful restart capability (a feature of
Cisco NSF) to ensure that device configurations, such as certain routing protocols, remain unaffected during
a software upgrade or reload.
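The SMU, ISSU and Fast Software Upgrade sections above all rely on the IOS XE install workflow, so one added example (not from this guide or from Cisco documentation) covers the three: hot-patching a security fix with an SMU and committing it only after verification, a full ISSU image upgrade on a modular or StackWise Virtual platform, and a Fast Software Upgrade on an access switch. The SCP server, username, and the SMU and image filenames are placeholders, and the release you run decides which of the three operations is actually supported (see the notes above).

```cisco
! Added example, not from the design guide. <scp-server>, <user>, <smu-file> and
! <new-image> are placeholders; install mode is required for all three workflows.

! --- SMU: hot-patch a bug or security fix (SMU section) ---
! Fetch over SCP rather than TFTP so the file is not modified in transit, and
! compare the checksum with the one published alongside the SMU before installing.
copy scp://<user>@<scp-server>/<smu-file>.smu.bin flash:
verify /md5 flash:<smu-file>.smu.bin
install add file flash:<smu-file>.smu.bin
! Activation: a hot SMU takes effect now; a cold SMU prompts before reloading.
install activate file flash:<smu-file>.smu.bin
show install summary
! Verify the fix on the live device. If it misbehaves, an uncommitted SMU can be
! backed out with:
!   install rollback to committed
! Otherwise make it persistent across reloads:
install commit
show install summary

! --- ISSU: upgrade the whole image while packets keep forwarding (ISSU section) ---
! Catalyst 9400 / 9500 / 9600 only; check the release-to-release support notes first.
copy scp://<user>@<scp-server>/<new-image>.bin flash:
verify /md5 flash:<new-image>.bin
install add file flash:<new-image>.bin activate issu commit
show issu state detail
show version | include Version

! --- FSU: reduced-downtime upgrade on a single-uplink access switch (FSU section) ---
! Not for StackWise Virtual systems or when an MCU/FPGA upgrade is pending.
copy scp://<user>@<scp-server>/<new-image>.bin flash:
verify /md5 flash:<new-image>.bin
install add file flash:<new-image>.bin activate reloadfast commit
show install summary
```

Keeping the activate and commit steps separate for the SMU is deliberate: an activated but uncommitted patch is dropped on the next reload, which gives a clean back-out path while the fix is being tested, whereas the one-line activate ... commit form used for the image upgrades is the right choice only once the target release has already been qualified.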
The following table summarizes high availability support with the various Catalyst 9000 Series switches.
Table 1. High availability feature support
| Switch Platform | Switch Stacking | Supervisor Redundancy | NSF / SSO | EtherChannel | ISSU | SMUs | GIR |
|---|---|---|---|---|---|---|---|
| Cisco Catalyst 9200 Series | StackWise-160/80 with Active / Standby | - | Yes | Cross-Stack EtherChannel | No | Yes | No |
| Cisco Catalyst 9300 Series | StackWise-480/360 with Active / Standby | - | Yes | Cross-Stack EtherChannel | No. Supports Fast Software Upgrade (FSU) and Extended FSU. | Yes | Yes |
| Cisco Catalyst 9400 Series | - | Single chassis 1:1 or cross chassis StackWise Virtual | Yes | Multichassis EtherChannel with StackWise Virtual | Yes | Yes | Yes |
| Cisco Catalyst 9500 Series | - | Cross chassis StackWise Virtual | Yes | Multichassis EtherChannel with StackWise Virtual | Yes | Yes | Yes |
| Cisco Catalyst 9600 Series | - | Single chassis 1:1 or cross chassis StackWise Virtual | Yes | Multichassis EtherChannel with StackWise Virtual | Yes | Yes | Yes |
Campus Wireless LAN
The campus WLAN provides ubiquitous data and voice connectivity for employees, wireless Internet access
for guests, and connectivity for IoT devices. With the emergence of high-density networks and the IoT,
organizations are more dependent on wireless networks than ever before. Increasing numbers of devices
connect to the network every year, ranging from high-performance client devices to low-bandwidth IoT
devices.
Cisco wireless solutions are resilient, have the integrated security organizations need, and employ adaptive
and insightful intelligence providing useful insight into the network. With intent-based networking built on
Cisco Digital Network Architecture (Cisco DNA), our wireless solutions go beyond the latest Wi-Fi 6
(802.11ax) standard and are ready for the growing user expectations, IoT devices and next gen cloud-driven
applications. With the ability to handle the increased mobile traffic as well as support IoT at scale, Cisco's
first Wi-Fi 6 APs with superior RF innovations expand wireless access with intelligence and provide a secure,
reliable high quality wireless experience for all networks.
Figure 21. Cisco next-generation wireless stack
Regardless of their location within the organization—on large campuses or at remote sites—wireless users
have the same experience when connecting to voice, video, and data services.
Infrastructure
The next-generation wireless stack is built around these main hardware and software components:
* Cisco Catalyst 9800 Series WLAN controllers (including appliances, virtual, and embedded)
* Cisco Catalyst 9100 Wi-Fi 6 APs
* Cisco DNA Center (assurance and automation)
* Cisco Prime Infrastructure (additional automation for more complex deployments)
* Cisco DNA Spaces
Cisco Catalyst 9800 Series wireless controllers
Cisco Catalyst 9800 Series wireless controllers combine RF excellence with Cisco IOS-XE benefits. These
highly reliable and highly secure controllers are ready to deploy anywhere—including the cloud. An
organization can also choose the Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Series APs,
for Cisco Catalyst controller features without a dedicated appliance.
Cisco Catalyst 9800 Series wireless controllers are built on the three pillars of network excellence—always
on, secure, and intelligent—which strengthen the network by providing the best wireless experience without
compromise, while saving time and money.
* Always on—Seamless software updates enable faster resolution of critical issues, introduction of
new APs with zero downtime, and flexible software upgrades.
High availability stateful switchover