Compact Switch Deployment Guide
Cisco SBA Borderless Networks Deployment Guide
Smart Business Architecture
August 2012 Series
Preface

Who Should Read This Guide
This Cisco® Smart Business Architecture (SBA) guide is for people who fill a
variety of roles:
• Systems engineers who need standard procedures for implementing
solutions
• Project managers who create statements of work for Cisco SBA
implementations
• Sales partners who sell new technology or who create implementation
documentation
• Trainers who need material for classroom instruction or on-the-job
training
In general, you can also use Cisco SBA guides to improve consistency
among engineers and deployments, as well as to improve scoping and
costing of deployment jobs.

Release Series
Cisco strives to update and enhance SBA guides on a regular basis. As
we develop a series of SBA guides, we test them together, as a complete
system. To ensure the mutual compatibility of designs in Cisco SBA guides,
you should use guides that belong to the same series.
The Release Notes for a series provides a summary of additions and
changes made in the series.
All Cisco SBA guides include the series name on the cover and at the
bottom left of each page. We name the series for the month and year that we
release them, as follows:
month year Series
For example, the series of guides that we released in August 2012 are
the “August 2012 Series”.

How to Read Commands
Many Cisco SBA guides provide specific details about how to configure
Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating
systems that you configure at a command-line interface (CLI). This section
describes the conventions used to specify commands that you must enter.
Commands to enter at a CLI appear as follows:
configure terminal
Commands that specify a value for a variable appear as follows:
ntp server 10.10.48.17
Commands with variables that you must define appear as follows:
class-map [highest class name]
Commands shown in an interactive example, such as a script or when the
command prompt is included, appear as follows:
Router# enable
Long commands that line wrap are underlined. Enter them as one command:
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Noteworthy parts of system output or device configuration files appear
highlighted, as follows:
interface Vlan64
ip address 10.5.204.5 255.255.255.0

Comments and Questions
If you would like to comment on a guide or ask questions, please use the
SBA feedback form.
If you would like to be notified when new comments are posted, an RSS feed
is available from the SBA customer and partner pages.
You can find the most recent series of SBA guides at the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel
Table of Contents
What’s In This SBA Guide ..... 1
  Cisco SBA Borderless Networks ..... 1
  Route to Success ..... 1
  About This Guide ..... 1
Introduction ..... 2
  Business Overview ..... 2
  Technology Overview ..... 2
Deployment Details ..... 5
  Preparing the Access Layer Switch Ports ..... 5
  Setting Up the Compact Switch ..... 7
Appendix A: Product List ..... 14
Appendix B: Configuration Example ..... 16
Appendix C: Changes ..... 22
What’s In This SBA Guide

Cisco SBA Borderless Networks
Cisco SBA helps you design and quickly deploy a full-service business
network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable,
and flexible.
Cisco SBA incorporates LAN, WAN, wireless, security, data center, application
optimization, and unified communication technologies—tested together as a
complete system. This component-level approach simplifies system integration
of multiple technologies, allowing you to select solutions that solve your
organization’s problems—without worrying about the technical complexity.
Cisco SBA Borderless Networks is a comprehensive network design
targeted at organizations with up to 10,000 connected users. The SBA
Borderless Network architecture incorporates wired and wireless local
area network (LAN) access, wide-area network (WAN) connectivity, WAN
application optimization, and Internet edge security infrastructure.

Route to Success
To ensure your success when implementing the designs in this guide, you
should first read any guides that this guide depends upon—shown to the
left of this guide on the route below. As you read this guide, specific
prerequisites are cited where they are applicable.
Figure - Route to Success: Prerequisite Guides (Borderless Networks LAN Design Overview, LAN Deployment Guide) precede this Compact Switch Deployment Guide (You Are Here)

About This Guide
This deployment guide contains one or more deployment chapters, which
each include the following sections:
• Business Overview—Describes the business use case for the design.
Business decision makers may find this section especially useful.
• Technology Overview—Describes the technical design for the
business use case, including an introduction to the Cisco products that
make up the design. Technical decision makers can use this section to
understand how the design works.
• Deployment Details—Provides step-by-step instructions for deploying
and configuring the design. Systems engineers can use this section to
get the design up and running quickly and reliably.
You can find the most recent series of Cisco SBA guides at the following
sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel
Introduction
Business Overview
In some situations, organizations need more flexibility in providing a greater
number of access ports to a specific location without adding more cabling.
It may be a temporary requirement, such as hosting a training session in a
conference room for the day. Or it may be a situation in which it is difficult
or expensive to run additional cabling, such as a retail environment, a cruise
ship, a classroom, or a historical building. Also, organizations often need
to respond to a sudden need for additional port density very quickly when
there is not enough time to get new cabling installed and tested before
it is needed. In such circumstances, using an additional compact switch
attached directly to the existing access layer can provide the needed connectivity within the constraints of the existing cable plant.
Technology Overview
The Cisco Smart Business Architecture (SBA) LAN access layer provides
network connections for end-user PCs, laptops, phones, printers, and other
devices in the work environment. The primary access layer switches are
designed to be housed in 19-inch equipment racks in a wiring closet or
other room appropriate for such equipment. Typical cabling plants dictate
that every device that needs access to the network has a dedicated port that
is “home run” from the work environment back to the location of the nearest
access layer switch.
You can sometimes use wireless network technologies to meet dynamic
requirements for flexibility in the number of networked devices in a location.
However, if the devices require Power over Ethernet (PoE) to operate or
support only wired network connections, you need an alternate approach to
meet these requirements. In this situation, the Cisco SBA access layer provides
the capability to extend resilient ports from an existing access layer
switch or switch stack out to an additional small switch located directly in
the work area, providing up to eight ports of network connectivity. The Cisco
Catalyst 3560-C and 2960-C Series Compact Switches are designed for
deployment outside of the wiring closet and are ideal for this purpose.
Networking Features
The Cisco SBA access layer is designed to provide the resiliency and security required for stable operations. Cisco Catalyst Infrastructure Security
Features (CISF) such as Dynamic Host Configuration Protocol (DHCP)
snooping, IP Source Guard, port security, and dynamic Address Resolution
Protocol (ARP) inspection (DAI), protect the vulnerable network edge from
common attacks.
MAC flooding attacks are used to force a LAN switch to flood all of its
traffic out of all of its interfaces. Port security limits the number of
MAC addresses that can be active on a single port to protect against such
attacks.
Port security lets you configure Layer 2 interfaces to allow inbound traffic
from only a restricted set of MAC addresses. The MAC addresses in the
restricted set are called secure MAC addresses. In addition, the device does
not allow traffic from these MAC addresses on another interface within the
same VLAN.
The number of MAC addresses that the device secures on each interface is
configurable. For ease of management, the device can learn the addresses
dynamically. Using the dynamic learning method, the device secures MAC
addresses while ingress traffic passes through the interface. If the address
is not yet secured and the device has not reached any applicable maximum,
it secures the address and allows the traffic. The device ages dynamic
addresses and drops them when the age limit is reached.
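The port-security behaviour described in the preceding paragraphs (dynamic learning up to a per-interface maximum, rejection of a secure MAC that shows up on a second interface in the same VLAN, and aging of dynamic entries) can be modelled to see how a MAC-flooding source is contained. The following is an added example, not code from this guide or from Cisco IOS; the interface names, VLAN, MAC addresses and timings are constructed, and the violation action is modelled as a plain drop (on a real switch the action is configurable as protect, restrict or shutdown).

```python
"""Model of Cisco-style port security: dynamic secure-MAC learning with a
per-interface maximum, same-VLAN cross-interface rejection, and aging.
Added illustration with constructed traffic; not code from the guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int                    # secure MAC limit for this interface
    aging_seconds: int = 300        # dynamic entries expire after this age
    secured: Dict[str, float] = field(default_factory=dict)   # mac -> last seen


class PortSecurity:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.violations: List[str] = []

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def _owner_in_vlan(self, mac: str, vlan: int) -> Optional[str]:
        """Interface that has already secured `mac` in `vlan`, if any."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secured:
                return p.name
        return None

    def age_out(self, now: float) -> None:
        """Drop dynamic entries whose age limit has been reached."""
        for p in self.ports.values():
            expired = [m for m, seen in p.secured.items()
                       if now - seen >= p.aging_seconds]
            for m in expired:
                del p.secured[m]

    def ingress(self, port_name: str, src_mac: str, now: float) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        self.age_out(now)
        port = self.ports[port_name]
        mac = src_mac.lower()
        if mac in port.secured:
            port.secured[mac] = now           # already secure here: refresh age
            return True
        owner = self._owner_in_vlan(mac, port.vlan)
        if owner is not None:
            # Secure MAC seen on another interface in the same VLAN: not allowed.
            self.violations.append(f"{port_name}: {mac} is secured on {owner}")
            return False
        if len(port.secured) >= port.maximum:
            # Maximum reached: this is the limit a MAC-flooding source runs into.
            self.violations.append(
                f"{port_name}: maximum {port.maximum} reached, {mac} denied")
            return False
        port.secured[mac] = now               # learn the address dynamically
        return True


def demo() -> Tuple[List[bool], List[str]]:
    """Constructed scenario: two ports with a maximum of 2, a burst of new
    MACs on Gi0/1, a duplicate MAC on Gi0/2, then traffic after aging."""
    ps = PortSecurity()
    ps.add_port(SecurePort("Gi0/1", vlan=100, maximum=2, aging_seconds=60))
    ps.add_port(SecurePort("Gi0/2", vlan=100, maximum=2, aging_seconds=60))
    results = [
        ps.ingress("Gi0/1", "00:11:22:33:44:01", now=0),    # learned
        ps.ingress("Gi0/1", "00:11:22:33:44:02", now=1),    # learned, port now at max
        ps.ingress("Gi0/1", "00:11:22:33:44:03", now=2),    # denied: maximum reached
        ps.ingress("Gi0/2", "00:11:22:33:44:01", now=3),    # denied: secured on Gi0/1
        ps.ingress("Gi0/1", "00:11:22:33:44:03", now=70),   # allowed: old entries aged out
    ]
    return results, ps.violations


if __name__ == "__main__":
    forwarded, violations = demo()
    print(forwarded)
    for v in violations:
        print("violation:", v)
```

The fifth frame is accepted only because both earlier entries have aged out; with a longer `aging_seconds` it would still be denied, which is the trade-off the aging timer sets between containment and tolerating hosts that move between ports.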
DHCP snooping is a DHCP security feature that blocks DHCP replies on an
untrusted interface. An untrusted interface is any interface on the switch not
specifically configured as a known DHCP server or path towards a known
DHCP server.
The DHCP snooping feature helps simplify management and troubleshooting by tracking MAC address, IP address, lease time, binding type, VLAN
number, and interface information that correspond to the local untrusted
interfaces on the switch. DHCP snooping stores that information in the
DHCP binding table.
Dynamic ARP inspection (DAI) mitigates ARP poisoning attacks. An ARP
poisoning attack is a method by which an attacker sends false ARP
information to a local segment. This information is designed to poison the
ARP cache of devices on the LAN, allowing the attacker to execute man-in-the-middle attacks.
Figure 1 - DHCP snooping and ARP inspection
DAI uses the data generated by the DHCP snooping feature and intercepts
and validates the IP-to-MAC address relationship of all ARP packets on
untrusted interfaces. ARP packets that are received on trusted interfaces
are not validated and invalid packets on untrusted interfaces are discarded.
IP Source Guard is a means of preventing a packet from using an incorrect
source IP address to obscure its true source, also known as IP spoofing. IP
Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the interface that denies any traffic
from IP addresses that are not in the DHCP binding table.
Voice and video support is enabled through network services such as
Power over Ethernet+ (PoE+), Quality of Service (QoS), IP Multicast, and
Cisco Discovery Protocol (CDP) with the Voice VLAN. When the access
layer is extended by use of an additional compact switch, it is important
that you ensure consistency of feature support for these additional access
layer ports. The Cisco Catalyst Compact Switch family supports a common
feature set with the networking platforms that are already a part of your
Cisco SBA access layer. Using Cisco SBA configuration procedures similar
to those used for your access layer switches promotes greater ease of
deployment.
Power over Ethernet Options
PoE pass-through allows a switch to power PoE end devices by using
power received from the upstream wiring closet switch. The Cisco Catalyst
2960CPD-8PT-L provides eight 10/100 Mbps PoE Ethernet ports for powering edge devices, with two Gigabit Ethernet uplink ports that receive PoE+
power from the upstream switch. This switch does not require a separate
connection for wall power because it uses power from the upstream switch.
This allows the compact switch to benefit from any power resiliency that is
provided in the upstream wiring closet.
To drive both the switch and one or more attached devices, the upstream
switch must be able to provide enough power over the uplinks to satisfy total
device power requirements. In a typical configuration with two PoE+ uplinks,
the available power for all of the edge ports combined is 22.4 watts.
The Cisco Catalyst 2960CPD-8PT-L can also draw power from an external
auxiliary adapter, allowing the flexibility to use the same switch in situations
where the upstream switch does not provide PoE. You can also use the
auxiliary adapter to provide greater resiliency for attached PoE devices in
the event one of the uplink connections fails. With the auxiliary adapter in
use, the maximum available power for edge ports is still 22.4W. For more
details on the available power with different uplink configurations, please
see the Cisco Catalyst 3560-C and 2960-C Series Compact Switches data
sheet on cisco.com.
Figure 2 - Pass-through PoE
The Cisco Catalyst 3560CG-8PC uses a traditional internal power supply
that must be plugged in separately, allowing it to provide 15.4W of PoE to
all 8 edge ports concurrently. The switch allows a total maximum power
consumption of 124W that can be spread across all ports in any combination
with up to 30W consumed by any single port that uses Cisco POE+. This
switch is an appropriate choice if you need to use it to drive multiple PoE+
devices, such as IP phones, wireless access points, or video surveillance
cameras. The 3560CG-8PC also provides Gigabit Ethernet on every port for
higher speed networking to any individual connection.
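The three DHCP-derived protections described in this Networking Features section (DHCP snooping building the binding table and blocking server replies on untrusted ports, DAI validating the IP-to-MAC pair of ARP packets on untrusted ports, and IP Source Guard filtering source IP addresses per port from the same table) are easier to reason about when traced through one exchange. The following is an added example, not code from this guide or from Cisco IOS; the interface names, VLAN, MAC and IP addresses are constructed, and the trusted interface is assumed to be the uplink port channel toward the real DHCP server, as the deployment section configures it.

```python
"""DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard modelled as
the guide describes them. Added illustration with constructed packets; not code
from the guide or from Cisco IOS. All interface and address values are made up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_seconds: int


class EdgeSwitch:
    def __init__(self, trusted: List[str]) -> None:
        self.trusted = set(trusted)       # interfaces toward the known DHCP server
        self.pending: Dict[Tuple[str, int], str] = {}        # (mac, vlan) -> client port
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> binding
        self.dropped: List[str] = []

    # DHCP snooping: server replies are accepted only from trusted interfaces;
    # an ACK for a client seen on an untrusted port creates a binding entry.
    def dhcp(self, interface: str, vlan: int, msg: str, mac: str,
             ip: str = "", lease: int = 0) -> bool:
        if msg in ("OFFER", "ACK"):
            if interface not in self.trusted:
                self.dropped.append(f"dhcp: {msg} on untrusted {interface} blocked")
                return False
            if msg == "ACK" and (mac, vlan) in self.pending:
                self.bindings[(mac, vlan)] = Binding(
                    mac, ip, vlan, self.pending[(mac, vlan)], lease)
            return True
        if interface not in self.trusted:          # DISCOVER/REQUEST from a client
            self.pending[(mac, vlan)] = interface
        return True

    # DAI: validate the sender IP-to-MAC pair of ARP packets on untrusted ports.
    def arp(self, interface: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        if interface in self.trusted:
            return True                           # trusted ports are not validated
        b = self.bindings.get((sender_mac, vlan))
        if b is None or b.ip != sender_ip:
            self.dropped.append(
                f"dai: {sender_mac} claiming {sender_ip} on {interface} rejected")
            return False
        return True

    # IP Source Guard: per-port source filter derived from the binding table.
    def ip_packet(self, interface: str, vlan: int, src_ip: str) -> bool:
        if interface in self.trusted:
            return True
        allowed = {b.ip for b in self.bindings.values()
                   if b.interface == interface and b.vlan == vlan}
        if src_ip not in allowed:
            self.dropped.append(f"ipsg: source {src_ip} on {interface} not in binding table")
            return False
        return True


def demo() -> Tuple[List[bool], List[str]]:
    """Constructed exchange: a client on Gi0/1 leases 10.4.100.21 through the
    Po1 uplink; a rogue DHCP reply and ARP poisoning attempts are blocked."""
    sw = EdgeSwitch(trusted=["Po1"])
    client, rogue = "00:11:22:33:44:01", "00:11:22:33:44:02"
    results = [
        sw.dhcp("Gi0/1", 100, "DISCOVER", client),
        sw.dhcp("Gi0/2", 100, "OFFER", rogue, ip="10.4.100.50"),   # False: reply on untrusted port
        sw.dhcp("Po1", 100, "OFFER", client, ip="10.4.100.21"),
        sw.dhcp("Gi0/1", 100, "REQUEST", client),
        sw.dhcp("Po1", 100, "ACK", client, ip="10.4.100.21", lease=86400),
        sw.arp("Gi0/1", 100, client, "10.4.100.21"),               # True: matches binding
        sw.arp("Gi0/2", 100, rogue, "10.4.100.1"),                 # False: no binding
        sw.arp("Gi0/1", 100, client, "10.4.100.1"),                # False: IP does not match
        sw.arp("Po1", 100, rogue, "10.4.100.1"),                   # True: trusted, not checked
        sw.ip_packet("Gi0/1", 100, "10.4.100.21"),                 # True
        sw.ip_packet("Gi0/1", 100, "10.4.100.99"),                 # False: spoofed source
    ]
    return results, sw.dropped


if __name__ == "__main__":
    verdicts, dropped = demo()
    print(verdicts)
    for d in dropped:
        print("dropped:", d)
```

The last ARP case shows why the trust setting matters as much as the feature itself: a trusted interface bypasses every check, so only the uplinks toward the legitimate DHCP server should be marked trusted, which is exactly what the `ip arp inspection trust` and `ip dhcp snooping trust` commands in the deployment section do on the port channel.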
Compact Switch Access Topology
Because the cabling in a typical network environment connects back to the
nearest access layer wiring closet, connecting a small switch to the nearest
access switch is a common configuration. This approach extends the local
LAN access ports in the workspace to allow a greater density of attached
devices in a given location. The compact switch fits into the existing Cisco
SBA design as shown in the following figure.
Figure 3 - Compact switch access topology
While the compact switches could also be connected directly to the distribution layer and configured as access switches, this would be a less common
use case. The cabling plant in your specific physical environment dictates
the available options in your network. Cabling from the workspace is normally
copper to the nearest wiring closet, and the links from the access layer
switches in the closet up to the distribution are normally fiber optic. Cisco
compact switches use copper cabling for uplinks, consistent with placement
directly in the workspace. The target use for the solution outlined in this
guide is expanding port count rapidly in the workspace with existing cabling.
Deployment Details
When you extend access layer ports to increase port density in the
workspace, you should maintain the resiliency inherent in the Cisco
SBA network architecture. Using two uplink ports allows the compact switch
to maintain connectivity to the network even if one of the cable connections
fails. Using a second uplink also provides a greater overall power budget;
however, it is possible that some pass-through PoE edge devices could lose
power with a single uplink failure, even though the switch itself is still powered. To maintain maximum resiliency, select ports from different linecards
of a chassis-based access layer switch or, if you are using a stacked access
layer, from different physical stack members. Creating this arrangement
may require a visit to the wiring closet for repatching the specific LAN ports
in the work area. Using two uplink ports, of course, requires that enough
copper runs are available from the work area.
The compact switch requires a configuration process similar to other access
layer switches. The main difference is that its upstream switch is an existing
Layer 2 access layer switch, as opposed to a Layer 3 capable
distribution layer switch. Prepare the configuration of the upstream access
layer switch before connecting the links to the compact switch. This process
ensures that the Cisco SBA access layer switch does not disable the uplink ports
on the access switch when it begins to see spanning tree BPDU packets
from the compact switch.
Process
Preparing the Access Layer Switch Ports
1. Identify access layer switch ports
2. Configure the trunk and port channel

Reader Tip
Deployment procedures provided in this section are designed
to be used in conjunction with an existing Cisco Catalyst switch
running the Cisco SBA LAN access layer configuration. For details
of this configuration, please see the Cisco SBA LAN Deployment
Guide.

Procedure 1
Identify access layer switch ports
Step 1: Identify the switch ports to be used as uplinks from the compact
switch, and ensure that the cable runs from the work area are properly
patched into the correct switch ports. If possible, choose ports from different linecards or switch stack members to attach the compact switch.
Step 2: Connect to the console or open a Secure Shell (SSH) session to
the access switch, and then examine the existing configuration of the switch
ports to be used as uplinks to the compact switch. If the configuration of the
selected ports is currently blank, move on to Procedure 2.
Step 3: If the existing switch ports are set up with an access layer edge port
configuration, use the default interface command prior to setting up the
port as a trunk connection for the compact switch. This clears any existing
configuration on the port.
default interface GigabitEthernet [slot/port]
Procedure 2
Configure the trunk and port channel
You should configure the physical interfaces that are members of a Layer
2 EtherChannel prior to configuring the logical port-channel interface. This
sequence allows for minimal configuration because most of the commands
entered to a port-channel interface are copied to its member interfaces
and do not require manual replication.
Step 1: Configure the EtherChannel member interfaces by setting Link
Aggregation Control Protocol (LACP) negotiation to active on both sides to
ensure a proper EtherChannel is formed. If the access layer switch adheres
to a Cisco SBA LAN Access Layer configuration, apply the egress QoS macro
specific to the access platform in use. The Cisco Catalyst 2960S does not
require the switchport command.
interface [interface type] [port 1]
description Link to Compact Switch port 1
interface [interface type] [port 2]
description Link to Compact Switch port 2
!
interface range [interface type] [port 1], [interface type] [port 2]
switchport
macro apply EgressQoS
channel-protocol lacp
channel-group [number] mode active
logging event link-status
logging event trunk-status
logging event bundle-status
Step 2: Configure the trunk. Use an 802.1Q trunk for the connection to
the compact switch. This allows it to provide connectivity for all the VLANs
defined on the access layer switch. Prune the VLANs allowed on the trunk
to only those that are required. Set DHCP snooping and ARP inspection to
trust. When using EtherChannel, the interface type will be “port-channel,”
and the number must match the channel-group configured in Step 1.
The Cisco Catalyst 2960-S and 4500 do not require the switchport trunk
encapsulation dot1q command.
interface [port-channel] [number]
description EtherChannel Link to Compact Switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan [data vlan],[voice vlan],[mgmt vlan]
switchport trunk native vlan 999
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
logging event link-status
no shutdown
Example
interface GigabitEthernet 1/0/24
description Link to Compact Switch port 1
interface GigabitEthernet 2/0/24
description Link to Compact Switch port 2
interface range GigabitEthernet 1/0/24, GigabitEthernet 2/0/24
macro apply EgressQoS
logging event link-status
logging event trunk-status
logging event bundle-status
channel-protocol lacp
channel-group 7 mode active
no shutdown
!
interface Port-channel 7
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 100,101,115
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
no shutdown
Process
Setting Up the Compact Switch
1. Configure the platform
2. Configure the LAN switch
3. Configure Layer 2 and Layer 3 setup
4. Configure client connections
5. Configure connection to upstream switch

The following procedures assume that you have:
• Connected a console terminal to the console port of the Cisco Catalyst
compact access switch you are deploying. Set the console for 9600
baud, Async, 8 databits, no parity.
• Connected the uplink ports of the compact switch to the ports on the
access layer switches, which you configured as trunk and port channel
in the previous process.
• Connected power to the Cisco Catalyst 3560-C compact access switch.
• The Cisco Catalyst 2960-C compact access switch will automatically
power up from the pass-through PoE from the access-layer switch if you
are using this method to power the 2960-C switch. Otherwise connect
power to the Cisco Catalyst 2960-C compact access switch.
The previous process allows the port channel to come up when you complete the configuration in this process.

Procedure 1
Configure the platform
Step 1: After the compact switch completes booting up, cancel the initial
system configuration dialogue, enter enable mode, and then enter configuration mode.
Step 2: Create two QoS macros, one to be used for edge ports facing end
hosts and the other to be applied to the uplinks for egress traffic, by entering the following sequence of commands.
macro name AccessEdgeQoS
auto qos voip cisco-phone
@
!
macro name EgressQoS
mls qos trust dscp
queue-set 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
@
Procedure 2
Configure the LAN switch
Within this design, there are features and services that are common across
all LAN switches, regardless of the type of platform or role in the network.
These are system settings that simplify and secure the management of the
solution.
This procedure provides examples for some of those settings. The actual
settings and values depend on your current network configuration.
Table 1 - Common network services used in the deployment examples
Service                                  Address
Domain name                              cisco.local
Active Directory, DNS, DHCP server       10.4.48.10
Authentication Control System            10.4.48.15
Network Time Protocol server             10.4.48.17
Step 1: Configure the device hostname. This makes it easy to identify the
device.
hostname [hostname]
Step 2: Configure VTP transparent mode. This deployment uses VTP
transparent mode because the benefits of dynamic propagation of VLAN
information across the network are not worth the potential for unexpected
behavior that is due to operational error.
VLAN Trunking Protocol (VTP) allows network managers to configure a
VLAN in one location of the network and have that configuration dynamically
propagate out to other network devices. However, in most cases, VLANs are
defined once during switch setup with few, if any, additional modifications.
vtp mode transparent
Step 3: Enable Rapid Per-VLAN Spanning-Tree (PVST+). PVST+ provides an
instance of Rapid Spanning Tree Protocol (RSTP) (802.1w) per VLAN. Rapid
PVST+ greatly improves the detection of indirect failures or linkup restoration events over classic spanning tree (802.1D).
Although this architecture is built without any Layer 2 loops, you must still
enable spanning tree. By enabling spanning tree, you ensure that if any
physical or logical loops are accidentally configured, no actual layer 2 loops
occur.
spanning-tree mode rapid-pvst
Step 4: Enable Unidirectional Link Detection (UDLD).
UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration
of the cables and detect when a unidirectional link exists. When UDLD
detects a unidirectional link, it disables the affected interface and alerts you.
Unidirectional links can cause a variety of problems, including spanning-tree
loops, black holes, and non-deterministic forwarding. In addition, UDLD
enables faster link failure detection and quick reconvergence of interface
trunks, especially with fiber, which can be susceptible to unidirectional
failures.
udld enable
Step 5: Set EtherChannels to use the traffic source and destination IP
address when calculating which link to send the traffic across. This normalizes the method in which traffic is load-shared across the member links
of the EtherChannel. EtherChannels are used extensively in this design
because of their resiliency capabilities.
port-channel load-balance src-dst-ip
Step 6: Configure DNS for host lookup.
At the command line of a Cisco IOS device, it is helpful to be able to type a
domain name instead of the IP address for a destination.
ip name-server 10.4.48.10
Step 7: Configure device management protocols.
Secure HTTP (HTTPS) and Secure Shell (SSH) are more secure replacements for the HTTP and Telnet protocols. They use Secure Sockets Layer
(SSL) and Transport Layer Security (TLS) to provide device authentication
and data encryption.
The SSH and HTTPS protocols enable secure management of the LAN
device. Both protocols are encrypted for privacy, and the nonsecure protocols, Telnet and HTTP, are turned off.
Specify the transport preferred none on vty lines to prevent errant connection attempts from the CLI prompt. Without this command, if the ip
name-server is unreachable, long timeout delays may occur for mistyped
commands.
ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
transport input ssh
transport preferred none
Step 8: Enable Simple Network Management Protocol (SNMP) in order
to allow the network infrastructure devices to be managed by a Network
Management System (NMS), and then configure SNMPv2c both for a read-only and a read-write community string.
snmp-server community cisco RO
snmp-server community cisco123 RW
Step 9: In networks where network operational support is centralized
you can increase network security by using an access list to limit the
networks that can access your device. In this example, only devices on the
10.4.48.0/24 network are able to access the device via SSH or SNMP.
access-list 55 permit 10.4.48.0 0.0.0.255
line vty 0 15
access-class 55 in
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
Caution
If you configure an access-list on the vty interface, you may lose
the ability to use ssh to log in from one router to the next for hop-by-hop troubleshooting.
Step 10: Configure local login and password.
The local login account and password provides basic device access authentication to view platform operation. The enable password secures access
to the device configuration mode. By enabling password encryption, you
prevent the use of plain text passwords when viewing configuration files.
username admin password c1sco123
enable secret c1sco123
service password-encryption
aaa new-model
By default, https access to the switch uses the enable password for
authentication.
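Steps 7 through 10 together define a management-plane baseline (SSH version 2 only, plain HTTP off and HTTPS on, an inbound access-class on the vty lines, SNMP communities bound to an access-list, an enable secret and password encryption). Drift from that baseline is easy to check for in a saved configuration. The following is an added example, not code from this guide or a Cisco tool; it is a small IOS-style configuration parser with a check list written for this example, and both sample configurations are constructed (the weak one uses a deliberately unrestricted community and Telnet-enabled vty lines so that every check fires).

```python
"""Audit an IOS-style configuration against the management hardening of
Steps 7 through 10. Added illustration, not code from the guide or from Cisco;
the sample configurations are constructed and the check list is this example's own."""
import re
from typing import Dict, List


def parse_ios(text: str) -> Dict[str, List[str]]:
    """Split a configuration into global lines (key "") and, for each global
    line that opens a mode (e.g. "line vty 0 15"), its indented sub-commands."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                          # skip blank lines and comments
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[""].append(current)
            sections.setdefault(current, [])
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per deviation from the hardened management profile."""
    cfg = parse_ios(text)
    g = cfg[""]
    findings: List[str] = []
    required = {
        "ip ssh version 2": "SSH protocol version 2 not enforced",
        "no ip http server": "plain-text HTTP server not disabled",
        "ip http secure-server": "HTTPS server not enabled",
        "service password-encryption": "password encryption not enabled",
    }
    for cmd, why in required.items():
        if cmd not in g:
            findings.append(f"global: {why} ('{cmd}' missing)")
    if not any(line.startswith("enable secret ") for line in g):
        findings.append("global: no 'enable secret' configured")
    for header, sub in cfg.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in sub:
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in sub):
            findings.append(f"{header}: no inbound access-class")
        if "transport preferred none" not in sub:
            findings.append(f"{header}: 'transport preferred none' missing")
    for line in g:
        # Community string itself is deliberately not echoed into the finding.
        m = re.match(r"snmp-server community \S+ (RO|RW)(?: (\S+))?$", line)
        if m and not m.group(2):
            findings.append(f"snmp: {m.group(1)} community has no access-list")
    return findings


# Constructed sample: Telnet still allowed, HTTP on, no ACLs, no enable secret.
WEAK_CONFIG = """\
hostname compact-sw1
ip domain-name cisco.local
ip http server
!
username admin password c1sco123
enable password c1sco123
snmp-server community public RO
line vty 0 15
 transport input telnet ssh
"""

# Constructed sample mirroring the commands given in Steps 7 through 10.
HARDENED_CONFIG = """\
hostname compact-sw1
ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
service password-encryption
enable secret c1sco123
username admin password c1sco123
aaa new-model
access-list 55 permit 10.4.48.0 0.0.0.255
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
line vty 0 15
 access-class 55 in
 transport input ssh
 transport preferred none
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

The parser relies on the IOS convention that mode sub-commands are indented by one space under the line that entered the mode, which is how `show running-config` prints them; it does not model default values, so a check such as `no ip http server` is reported as missing unless the line is explicitly present in the saved configuration.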
Step 11: If you want to reduce operational tasks per device, configure
centralized user authentication by using the TACACS+ protocol to authenticate management logins on the infrastructure devices to the Authentication,
Authorization and Accounting (AAA) server.
As networks scale in the number of devices to maintain, there is an operational burden to maintain local user accounts on every device. A centralized Authentication, Authorization and Accounting (AAA) service reduces
operational tasks per device and provides an audit log of user access for
security compliance and root cause analysis. When AAA is enabled for
access control, all management access to the network infrastructure devices
(SSH and HTTPS) is controlled by AAA.
TACACS+ is the primary protocol used to authenticate management
logins on the infrastructure devices to the AAA server. A local AAA user
database is also defined on each network infrastructure device to provide
a fallback authentication source in case the centralized TACACS+ server is
unavailable.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization console
ip http authentication aaa
tacacs-server host 10.4.48.15 key SecretKey
Reader Tip
The AAA server used in this architecture is the Cisco
Authentication Control System. Configuration of ACS is discussed
in the Cisco SBA Device Management Using ACS Deployment
Guide.
Step 12: Configure a synchronized clock by programming network devices
to synchronize to a local NTP server in the network. The local NTP server
typically references a more accurate clock feed from an outside source.
Configure console messages, logs, and debug output to provide time
stamps on output which allows cross-referencing of events in a network.
ntp server 10.4.48.17
!
clock timezone PST -8
clock summer-time PDT recurring
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
Procedure 3
Configure Layer 2 and Layer 3 setup
The access layer devices use VLANs to separate traffic from different
devices into three logical networks:
• The data VLAN provides access to the network for all attached devices
other than IP phones. This network is configured on all user-facing
interfaces.
• The voice VLAN provides access to the network for IP phones. This
network is configured on all user-facing interfaces.
• The management VLAN provides in-band access to the network for the
switches’ management interface. The management VLAN is not configured on any user-facing interface, and the VLAN interface of the switch
is the only member.
Step 1: Configure the data, voice, and management VLANs on the switch so
connectivity to clients, IP phones, and the in-band management interfaces
can be configured. You will extend the VLANs from the active upstream
Access Layer switch.
vlan [data vlan]
name Data
vlan [voice vlan]
name Voice
vlan [management vlan]
name Management
Step 2: Configure the switch with an IP address so that it can be managed
via in-band connectivity.
interface vlan [management vlan]
ip address [ip address] [mask]
no shutdown
ip default-gateway [default router]
Step 3: Configure DHCP snooping and enable it on the data and voice
VLANs. The switch intercepts and safeguards DHCP messages within the
VLAN: DHCP server replies are accepted only on trusted ports (the uplink,
which is set to trust in Procedure 5), so an unauthorized DHCP server on a
user-facing port cannot serve addresses to end-user devices. Disabling the
information option stops the switch from inserting DHCP option 82 into the
client requests it forwards, which a DHCP server or relay that does not
expect the option would otherwise discard.
ip dhcp snooping vlan [data vlan],[voice vlan]
no ip dhcp snooping information option
ip dhcp snooping
August 2012 Series
Step 4: Configure ARP inspection on the data and voice VLANs. Dynamic ARP
inspection validates ARP packets received on untrusted ports against the
DHCP snooping binding table built in Step 3 and drops packets whose
sender IP and MAC addresses do not match a binding, so it must be enabled
on the same VLANs as DHCP snooping. A host with a statically assigned
address on one of these VLANs needs a static binding or an ARP ACL, or its
ARP traffic is dropped.
ip arp inspection vlan [data vlan],[voice vlan]
Step 5: Configure BPDU Guard globally. This protects PortFast-enabled
interfaces by disabling the port if another switch is plugged into the port.
spanning-tree portfast bpduguard default
BPDU Guard protects against a user plugging a switch into an access port,
which could cause a catastrophic undetected spanning-tree loop.
If a PortFast-configured interface receives a BPDU, an invalid configuration
exists, such as the connection of an unauthorized device. The BPDU guard
feature prevents loops by moving a nontrunking interface into an errdisable
state when a BPDU is received on an interface when PortFast is enabled.
Figure 4 - Scenario that BPDU guard protects against: a user-installed low-end
switch mis-cabled to the SBA access-layer switch creates a loop that spanning
tree does not detect because PortFast is enabled.
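The following added example (not Cisco code and not part of this guide) models the DHCP snooping binding table that Steps 3 and 4 rely on: the rogue-server drop on untrusted ports, the dynamic ARP inspection lookup, and the per-port IP Source Guard check that the next procedure enables with ip verify source. The port names, VLANs, MAC and IP addresses are constructed; the uplink Po2 is the trusted port, as in Procedure 5.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the lease the switch saw the server grant."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Models DHCP snooping, DAI and IP Source Guard on a single switch."""

    def __init__(self, snooped_vlans: Set[int], trusted_ports: Set[str], ipsg_ports: Set[str]):
        self.snooped = set(snooped_vlans)      # ip dhcp snooping vlan / ip arp inspection vlan
        self.trusted = set(trusted_ports)      # ports with ip dhcp snooping trust / ip arp inspection trust
        self.ipsg_ports = set(ipsg_ports)      # ports with ip verify source
        self.bindings: Dict[Tuple[str, int], Binding] = {}     # (mac, vlan) -> binding
        self._client_port: Dict[Tuple[str, int], str] = {}     # port a client last spoke on

    def dhcp(self, port: str, vlan: int, kind: str, chaddr: str, yiaddr: str = "") -> bool:
        """Process one DHCP message; return True if the switch forwards it."""
        if vlan not in self.snooped:
            return True                                   # feature not enabled on this VLAN
        if kind in ("OFFER", "ACK", "NAK"):              # server-side messages
            if port not in self.trusted:
                return False                              # rogue server on a client port: dropped
            if kind == "ACK" and (chaddr, vlan) in self._client_port:
                self.bindings[(chaddr, vlan)] = Binding(
                    chaddr, yiaddr, vlan, self._client_port[(chaddr, vlan)])
            return True
        self._client_port[(chaddr, vlan)] = port          # DISCOVER / REQUEST / RELEASE
        if kind == "RELEASE":
            self.bindings.pop((chaddr, vlan), None)
        return True

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: ARP on trusted ports passes; on untrusted ports the sender
        MAC/IP pair must match a binding in that VLAN."""
        if port in self.trusted or vlan not in self.snooped:
            return True
        binding = self.bindings.get((sender_mac, vlan))
        return binding is not None and binding.ip == sender_ip

    def ip_source(self, port: str, src_ip: str) -> bool:
        """IPSG: a port with ip verify source only passes IP packets whose source
        address is bound to that port (DHCP itself is exempt so a host can still
        obtain a lease; a statically addressed host needs a static binding)."""
        if port not in self.ipsg_ports:
            return True
        return any(b.ip == src_ip and b.port == port for b in self.bindings.values())


def demo() -> dict:
    """Constructed scenario matching this guide: data VLAN 100 and voice VLAN
    101 snooped, Po2 the trusted uplink, IPSG on the client ports."""
    sw = SnoopingSwitch({100, 101}, {"Po2"}, {"Gi0/1", "Gi0/2"})
    pc = "00:11:22:33:44:55"
    # The PC on Gi0/1 asks for an address; the real server answers via the uplink.
    sw.dhcp("Gi0/1", 100, "DISCOVER", pc)
    sw.dhcp("Po2", 100, "ACK", pc, "10.4.100.50")
    return {
        "rogue_ack_forwarded": sw.dhcp("Gi0/2", 100, "ACK", pc, "10.4.100.99"),
        "arp_from_owner": sw.arp("Gi0/1", 100, pc, "10.4.100.50"),
        "arp_spoofing_gateway": sw.arp("Gi0/2", 100, "aa:bb:cc:dd:ee:ff", "10.4.100.1"),
        "arp_via_trusted_uplink": sw.arp("Po2", 100, "aa:bb:cc:dd:ee:ff", "10.4.100.1"),
        "ip_from_owner": sw.ip_source("Gi0/1", "10.4.100.50"),
        "ip_spoofed_on_other_port": sw.ip_source("Gi0/2", "10.4.100.50"),
        "bindings": len(sw.bindings),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The trusted-port branch is the reason the uplink must be the only trusted interface: anything marked trusted bypasses both the rogue-server check and the ARP validation.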
Procedure 4
Configure client connections
To make configuration easier when the same configuration will be applied
to multiple interfaces on the switch, use the interface range command. This
command allows you to issue a command once and have it apply to many
interfaces at the same time. Because most of the interfaces in the access
layer are configured identically, it can save a lot of time. For example, the
following command allows you to enter commands on all eight interfaces
(Gig 0/1 to Gig 0/8) simultaneously.
interface range GigabitEthernet 0/1-8
Step 1: Configure switch interfaces to support clients and IP phones.
The host interface configuration supports PCs, phones, or wireless access
points. Inline power is available for capable devices on switches that
support IEEE 802.3af/at.
interface range [interface type] [port number]-[port number]
switchport access vlan [data vlan]
switchport voice vlan [voice vlan]
Step 2: Because only end-device connectivity is provided at the access
layer, enable PortFast. PortFast moves the interface directly to the
forwarding state instead of waiting through the spanning-tree listening and
learning states. The switchport host macro also sets the port to access
mode, which disables 802.1Q trunk negotiation, and removes the port from
any EtherChannel group.
switchport host
Step 3: Enable QoS by applying the access edge QoS macro that was
defined in the platform configuration procedure.
macro apply AccessEdgeQoS
All client-facing interfaces allow for an untrusted PC and/or a trusted Cisco
IP Phone to be connected to the switch and automatically set QoS parameters. When a Cisco Phone is connected, trust is extended to the phone, any
device that connects to the phone is considered untrusted, and all traffic
from that device is remarked to best-effort or class of service (CoS) of 0.
Next, configure port security on the interface.
Step 4: Configure 11 MAC addresses to be active on the interface at one
time; additional MAC addresses are considered to be in violation, and their
traffic will be dropped.
switchport port-security maximum 11
switchport port-security
The number of MAC addresses allowed on each interface is specific to the
organization. However, the popularity of virtualization applications, IP phones,
and passive hubs on the desktop drives the need for the number to be larger
than one might guess at first glance. This design uses a number that allows
flexibility in the organization while still protecting the network infrastructure.
Step 5: Set an aging time to remove learned MAC addresses from the
secured list after two minutes of inactivity.
switchport port-security aging time 2
switchport port-security aging type inactivity
Step 6: Configure the restrict option to drop traffic from MAC addresses
that are in violation, but do not shut down the port. This configuration
ensures that an IP phone can still function on this interface when there is a
port security violation. In restrict mode the switch still increments the
violation counter and generates a syslog message and SNMP trap, so
violations remain visible to monitoring.
switchport port-security violation restrict
Step 7: Limit the rate of DHCP and ARP packets the switch will process from
the interface to 100 packets per second. If either limit is exceeded, the switch
places the port in the errdisable state, so the limit must sit well above what a
legitimate host generates.
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
Step 8: Configure IP Source Guard on the interface. IP Source Guard filters
IP traffic on the port against the DHCP snooping binding table, which
prevents a host from sending packets with a spoofed source address. A host
with a static IP address on such a port needs a static binding or its traffic
is dropped.
ip verify source
Example
vlan 100
name Data
vlan 101
name Voice
vlan 115
name Management
!
interface Vlan 115
description in-band management
ip address 10.4.15.6 255.255.255.0
no shutdown
!
ip default-gateway 10.4.15.1
!
ip dhcp snooping vlan 100,101
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,101
!
interface range GigabitEthernet 0/1-8
switchport access vlan 100
switchport voice vlan 101
switchport host
macro apply AccessEdgeQoS
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source
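The per-interface settings above are easy to leave half-applied when ports are configured one at a time, so the following added example (not part of this guide and not Cisco code) audits a running configuration against them. It checks the expanded form that show running-config prints, where switchport host has become spanning-tree portfast, and also checks the uplink trunk settings of the next procedure. The sample configuration at the bottom is constructed: GigabitEthernet0/1 follows the guide, GigabitEthernet0/2 and Port-channel2 are deliberately incomplete.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Sub-commands the guide puts on every client-facing port (Procedure 4) and on
# the uplink trunk (Procedure 5), in the form 'show running-config' prints them.
ACCESS_REQUIRED = [
    "switchport port-security", "switchport port-security violation restrict",
    "ip arp inspection limit rate 100", "ip dhcp snooping limit rate 100",
    "ip verify source", "spanning-tree portfast",
]
TRUNK_REQUIRED = ["ip arp inspection trust", "ip dhcp snooping trust"]
GLOBAL_REQUIRED = ["ip dhcp snooping", "spanning-tree portfast bpduguard default"]

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and per-interface sub-commands."""
    top: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            top.append(line)
    return top, interfaces

def expand_vlan_list(spec: str) -> Set[int]:
    """'100-101,115' -> {100, 101, 115}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(text: str) -> List[str]:
    """Return one finding per deviation from the configuration this guide applies."""
    findings: List[str] = []
    top, interfaces = parse_config(text)
    findings += [f"global: missing '{r}'" for r in GLOBAL_REQUIRED if r not in top]
    for name, lines in interfaces.items():
        if any(l.startswith("switchport access vlan ") for l in lines):
            findings += [f"{name}: missing '{r}'" for r in ACCESS_REQUIRED if r not in lines]
            maximum = 1                      # IOS default when no maximum is configured
            for l in lines:
                m = re.fullmatch(r"switchport port-security maximum (\d+)", l)
                if m:
                    maximum = int(m.group(1))
            if maximum < 2 and any(l.startswith("switchport voice vlan ") for l in lines):
                findings.append(f"{name}: port-security maximum {maximum} cannot hold a phone and its PC")
        elif "switchport mode trunk" in lines:
            findings += [f"{name}: missing '{r}'" for r in TRUNK_REQUIRED if r not in lines]
            native, allowed = 1, None        # IOS defaults: native VLAN 1, every VLAN allowed
            for l in lines:
                if l.startswith("switchport trunk native vlan "):
                    native = int(l.rsplit(None, 1)[1])
                elif l.startswith("switchport trunk allowed vlan "):
                    allowed = expand_vlan_list(l.rsplit(None, 1)[1])
            if native == 1:
                findings.append(f"{name}: native VLAN left at 1")
            if allowed is None:
                findings.append(f"{name}: allowed VLAN list not pruned")
            elif native in allowed:
                findings.append(f"{name}: native VLAN {native} must stay out of the allowed list")
    return findings

# Constructed sample: Gi0/1 follows the guide, Gi0/2 and Po2 are left incomplete.
SAMPLE_CONFIG = """\
ip dhcp snooping
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport voice vlan 101
 switchport port-security maximum 11
 switchport port-security
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/2
 switchport access vlan 100
 switchport voice vlan 101
 switchport port-security
 spanning-tree portfast
!
interface Port-channel2
 switchport trunk allowed vlan 100,101,115
 switchport mode trunk
 ip arp inspection trust
!
"""
```

Run audit() over the text of show running-config captured from the switch; every finding names the interface and the missing or defaulted command. The trunk checks apply equally to the port-channel and to its member ports, because IOS copies the port-channel configuration to the members.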
Procedure 5
Configure connection to upstream switch
This procedure details how to configure the links from the compact switch to
the upstream access layer switch.
Tech Tip
The configuration steps to be applied to the compact switch for
creating the upstream trunk and port channel are identical to the
steps used earlier on the access switch. They are reiterated here
for context clarity.
Configure the physical interfaces that are members of a Layer 2
EtherChannel prior to configuring the logical port-channel interface. This
sequence allows for minimal configuration because most of the commands
entered on a port-channel interface are copied to its member interfaces
and do not require manual replication.
Step 1: Configure the EtherChannel member interfaces.
Set Link Aggregation Control Protocol (LACP) negotiation to active on both
sides to ensure a proper EtherChannel is formed. Also, apply the egress
QoS macro that was defined in Procedure 1, "Configure the platform," to
ensure traffic is prioritized appropriately. The logging event commands
record link, trunk, and bundle state changes to syslog, which is what a
monitoring system needs in order to notice a failed or re-cabled uplink.
The Cisco Catalyst 2960C switch does not require the switchport
command.
interface [interface type] [port 1]
description Link to Upstream Switch port 1
interface [interface type] [port 2]
description Link to Upstream Switch port 2
!
interface range [interface type] [port 1], [interface type] [port 2]
switchport
macro apply EgressQoS
channel-protocol lacp
channel-group [number] mode active
logging event link-status
logging event trunk-status
logging event bundle-status
Step 2: Configure the trunk.
An 802.1Q trunk is used for the connection to this upstream device, which
allows the uplink to provide Layer 3 services to all the VLANs defined on the
access layer switch. Prune the VLANs allowed on the trunk to only the VLANs
that are active on the access switch. Set DHCP snooping and ARP inspection
to trust, because the DHCP server replies and the ARP traffic of the rest of
the network arrive through this link; the uplink should be the only trusted
interface on the switch. When using EtherChannel, the interface type is
port-channel, and the number must match the channel-group configured in
Step 1.
The Cisco Catalyst 2960C switch does not require the switchport trunk
encapsulation dot1q command.
interface port-channel [number]
description EtherChannel Link to Upstream Switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan [data vlan],[voice vlan],[mgmt vlan]
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
logging event link-status
no shutdown
Next, mitigate VLAN hopping on the trunk.
There is a remote possibility that an attacker can send a frame that carries
two 802.1Q tags. If the attacker's access port is in the VLAN that the trunk
uses as its untagged native VLAN, the first or outermost tag is removed when
the frame is switched onto the trunk, and the frame crosses the trunk
untagged while still carrying the inner tag. When the frame reaches the
target switch, the inner or second tag is processed and the potentially
malicious frame is switched into the target VLAN.
Figure 5 - VLAN hopping attack: the attacker's host on a VLAN A access
interface sends data carrying two 802.1Q tags (outer tag A, inner tag B)
across an 802.1Q trunk whose native VLAN is A; the far switch delivers the
data to a host in VLAN B.
At first glance, this appears to be a serious risk. However, traffic in this
attack scenario flows in a single direction only; no return traffic can reach
the attacker by this mechanism. Additionally, the attack only works when the
attacker's access VLAN is also the native VLAN of the trunk, and the attacker
must know that native VLAN ID.
Step 3: If you want to remove the remote risk of this type of attack, configure
an unused VLAN as the native VLAN on all switch-to-switch 802.1Q trunk links
from the access layer to the distribution layer. Because no access port is ever
placed in that VLAN, the outer tag of a double-tagged frame can never match
the native VLAN, so the frame is forwarded with its outer tag intact and the
inner tag is never processed. Keep the native VLAN out of the trunk's allowed
VLAN list, and configure the same native VLAN on the upstream switch's end
of the trunk, since a native VLAN mismatch is flagged by CDP and puts
spanning tree into an inconsistent state for the affected VLANs. If you are
running the recommended EtherChannel uplink to the LAN access layer
switch, configure the switchport trunk native vlan on the port-channel
interface.
vlan 999
!
interface [interface type] [number]
switchport trunk native vlan 999
Step 4: Save the running configuration that you have entered so it will
be used as the startup configuration file when your switch is rebooted or
power-cycled.
copy running-config startup-config
Example
vlan 999
!
interface GigabitEthernet 0/9
description Link to Upstream Switch port 1
interface GigabitEthernet 0/10
description Link to Upstream Switch port 2
!
interface range GigabitEthernet 0/9, GigabitEthernet 0/10
macro apply EgressQoS
logging event link-status
logging event trunk-status
logging event bundle-status
channel-protocol lacp
channel-group 2 mode active
no shutdown
!
interface Port-channel 2
description EtherChannel Link to Upstream Switch
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 100,101,115
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
no shutdown
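To check the reasoning behind Step 3, the following added example (not part of the Cisco guide) models the three hops a double-tagged frame makes: into an access port, out across the trunk, and into the upstream switch. It assumes, as the attack itself does, that an access port accepts a frame carrying its own access VLAN tag and that trunk traffic in the native VLAN leaves untagged; the addresses, VLAN numbers and payload are constructed for the demonstration.

```python
import struct
from typing import List, Optional, Set, Tuple

TPID_8021Q = 0x8100
DST = bytes.fromhex("ffffffffffff")          # constructed addresses
SRC = bytes.fromhex("001122334455")


def build_frame(vlans: List[int], payload: bytes = b"constructed") -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return DST + SRC + tags + struct.pack("!H", 0x0800) + payload


def parse_tags(frame: bytes) -> List[int]:
    """VLAN IDs of the stacked tags, outermost first (empty if untagged)."""
    off, vlans = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans


def access_ingress(frame: bytes, access_vlan: int) -> Tuple[Optional[int], bytes]:
    """Access port: untagged frames join the access VLAN. A frame tagged with
    the access VLAN itself is also accepted (modelled here as the behaviour the
    attack relies on) and that tag is stripped; any other tag is dropped."""
    vlans = parse_tags(frame)
    if not vlans:
        return access_vlan, frame
    if vlans[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]
    return None, b""


def trunk_egress(frame: bytes, vlan: int, native: int, allowed: Set[int]) -> Optional[bytes]:
    """Trunk: the native VLAN leaves untagged, other allowed VLANs get a tag."""
    if vlan == native:
        return frame
    if vlan not in allowed:
        return None
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native: int) -> int:
    """Receiving switch: a tagged frame belongs to its outer tag, untagged to native."""
    vlans = parse_tags(frame)
    return vlans[0] if vlans else native


def deliver(frame: bytes, access_vlan: int, native: int, allowed: Set[int]) -> Optional[int]:
    """VLAN in which the upstream switch finally places the attacker's frame."""
    vlan, stripped = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(stripped, vlan, native, allowed)
    return None if on_wire is None else trunk_ingress(on_wire, native)


ALLOWED = {100, 101, 115}
ATTACK = build_frame([100, 115])   # outer tag: data VLAN, inner tag: management VLAN


def hop_with_native_equal_to_access() -> Optional[int]:
    """Native VLAN is the data VLAN: the outer tag is stripped, the frame crosses
    the trunk untagged and the inner tag lands it in VLAN 115."""
    return deliver(ATTACK, access_vlan=100, native=100, allowed=ALLOWED)


def hop_with_unused_native() -> Optional[int]:
    """Step 3 applied: native VLAN 999 is unused, so the frame is re-tagged 100
    on the trunk and the inner tag is never looked at."""
    return deliver(ATTACK, access_vlan=100, native=999, allowed=ALLOWED)


if __name__ == "__main__":
    print("native = access VLAN ->", hop_with_native_equal_to_access())
    print("native = unused 999  ->", hop_with_unused_native())
```

An attacker who guesses the unused native VLAN and puts it in the outer tag gains nothing either: the access port drops any tag other than its own access VLAN, which is why the unused VLAN must never be assigned to a user-facing port.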
Appendix A: Product List

Extended LAN Access Layer

Functional Area | Product Description | Part Numbers | Software
Compact Switch | Cisco Catalyst Compact 3560 Switch - 8 Ethernet 10/100/1000 PoE+ ports | WS-3560CG-8PC-S | 12.2(55)EX3, IP Base
Compact Switch | Cisco Catalyst Compact 2960 switch - 8 Ethernet 10/100 PoE ports | WS-2960CPD-8PT-L | 12.2(55)EX3, LAN Base

LAN Access Layer

Functional Area | Product Description | Part Numbers | Software
Modular Access Layer Switch | Cisco Catalyst 4507R+E 7-slot Chassis with 48Gbps per slot | WS-C4507R+E | 3.3.0.SG(15.1-1SG), IP Base
Modular Access Layer Switch | Cisco Catalyst 4500 E-Series Supervisor Engine 7L-E | WS-X45-SUP7L-E |
Modular Access Layer Switch | Cisco Catalyst 4500 E-Series 48 Ethernet 10/100/1000 (RJ45) PoE+ ports | WS-X4648-RJ45V+E |
Modular Access Layer Switch | Cisco Catalyst 4500 E-Series 48 Ethernet 10/100/1000 (RJ45) PoE+,UPoE ports | WS-X4748-UPOE+E |
Stackable Access Layer Switch | Cisco Catalyst 3750-X Series Stackable 48 Ethernet 10/100/1000 PoE+ ports | WS-C3750X-48PF-S | 15.0(1)SE2, IP Base
Stackable Access Layer Switch | Cisco Catalyst 3750-X Series Stackable 24 Ethernet 10/100/1000 PoE+ ports | WS-C3750X-24P-S |
Stackable Access Layer Switch | Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module | C3KX-NM-10G |
Stackable Access Layer Switch | Cisco Catalyst 3750-X Series Four GbE SFP ports network module | C3KX-NM-1G |
Standalone Access Layer Switch | Cisco Catalyst 3560-X Series Standalone 48 Ethernet 10/100/1000 PoE+ ports | WS-C3560X-48PF-S | 15.0(1)SE2, IP Base
Standalone Access Layer Switch | Cisco Catalyst 3560-X Series Standalone 24 Ethernet 10/100/1000 PoE+ ports | WS-C3560X-24P-S |
Standalone Access Layer Switch | Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module | C3KX-NM-10G |
Standalone Access Layer Switch | Cisco Catalyst 3750-X Series Four GbE SFP ports network module | C3KX-NM-1G |
Stackable Access Layer Switch | Cisco Catalyst 2960-S Series 48 Ethernet 10/100/1000 PoE+ ports and Two 10GbE SFP+ Uplink ports | WS-C2960S-48FPD-L | 15.0(1)SE2, LAN Base
Stackable Access Layer Switch | Cisco Catalyst 2960-S Series 48 Ethernet 10/100/1000 PoE+ ports and Four GbE SFP Uplink ports | WS-C2960S-48FPS-L |
Stackable Access Layer Switch | Cisco Catalyst 2960-S Series 24 Ethernet 10/100/1000 PoE+ ports and Two 10GbE SFP+ Uplink ports | WS-C2960S-24PD-L |
Stackable Access Layer Switch | Cisco Catalyst 2960-S Series 24 Ethernet 10/100/1000 PoE+ ports and Four GbE SFP Uplink ports | WS-C2960S-24PS-L |
Stackable Access Layer Switch | Cisco Catalyst 2960-S Series Flexstack Stack Module | C2960S-STACK |
Appendix B:
Configuration Example
Current configuration : 12049 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname A3560C-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****
!
username admin password 7 *****
!
macro name AccessEdgeQoS
auto qos voip cisco-phone
@
macro name EgressQoS
mls qos trust dscp
queue-set 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
@
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
!
ip dhcp snooping vlan 100-101
no ip dhcp snooping information option
ip dhcp snooping
ip domain-name cisco.local
ip name-server 10.4.48.10
ip arp inspection vlan 100-101
vtp mode transparent
udld enable
!
mls qos map policed-dscp 0 10 18 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint TP-self-signed-527506432
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-527506432
revocation-check none
rsakeypair TP-self-signed-527506432
!
crypto pki certificate chain TP-self-signed-527506432
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35323735 30363433 32301E17 0D393330 33303130 30303632
385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3532 37353036
34333230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B2550ED0 782B05D0 3A3C3062 2CE5C627 C96910D8 AA062156 BFA6F2DE 4BCD526D
99D1D822 BBFE3904 2879E46A 0CF532A0 57536461 48A2C834 CF2DDE73 BE694067
AE4D6560 199216EC A1075D85 05CCD0B2 1764A478 48EE393E D3A982F3 9BA4B970
C0719B69 B3AF5DC2 29FC13A8 888561AA B7278322 9D13E885 082C6118 CFE9874F
02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
11041830 16821441 33353630 432D312E 63697363 6F2E6C6F 63616C30 1F060355
1D230418 30168014 4E4EEE23 1E8B097E A90D0EF1 CFAE22A2 DC91BBDB 301D0603
551D0E04 1604144E 4EEE231E 8B097EA9 0D0EF1CF AE22A2DC 91BBDB30 0D06092A
864886F7 0D010104 05000381 8100A85F 97E089A9 70054C1D 968C84C1 54266A6E
3E7DE1A5 3CA0B665 6ED0D3DF 277E9A6D 1A5C1BF7 DBC69697 5755046F 52A34688
9D6314BF 96B334E1 8FD4C39D 9C3D3A94 D945361A 30E2B0B7 E5974FAD 5130D3A1
AE9B0C6F 56EA5625 B118135E A2FC2FEE 4A3A6A50 B09ED8A2 FEDA759F BB081FF3
1C1007A8 62782390 B0117083 C675
quit
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
auto qos srnd4
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
vlan 100
name Data
vlan 101
name Voice
vlan 115
name Management
!
vlan 999
!
ip ssh version 2
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
!
interface Port-channel2
description EtherChannel Link to Upstream Switch
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 100,101,115
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/3
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/4
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/5
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/6
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/7
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/8
switchport access vlan 100
switchport mode access
switchport voice vlan 101
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
macro description AccessEdgeQoS
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip verify source
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/9
description Link to Upstream Switch port 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 100,101,115
switchport mode trunk
ip arp inspection trust
logging event trunk-status
logging event bundle-status
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-protocol lacp
channel-group 2 mode active
ip dhcp snooping trust
!
interface GigabitEthernet0/10
description Link to Upstream Switch port 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 100,101,115
switchport mode trunk
ip arp inspection trust
logging event trunk-status
logging event bundle-status
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust dscp
macro description EgressQoS
channel-protocol lacp
channel-group 2 mode active
ip dhcp snooping trust
!
interface Vlan1
no ip address
!
interface Vlan115
ip address 10.4.15.6 255.255.255.128
!
ip default-gateway 10.4.15.1
ip classless
no ip http server
ip http authentication aaa
ip http secure-server
!
ip access-list extended AUTOQOS-ACL-DEFAULT
permit ip any any
!
ip sla enable reaction-alerts
!
snmp-server community cisco RO
snmp-server community cisco123 RW
tacacs-server host 10.4.48.15 key 7 *****
tacacs-server directed-request
!
line con 0
line vty 0 4
length 0
transport preferred none
transport input ssh
line vty 5 15
length 0
transport preferred none
transport input ssh
!
ntp server 10.4.48.17
end
Appendix C: Changes
This appendix summarizes the changes to this guide since the previous
Cisco SBA series.
• We upgraded the device software. For specific software versions, see
Appendix A: Product List.
• We made minor changes to improve the readability of this guide.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE
FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL
OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content
is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore
Europe Headquarters
Cisco Systems International BV Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their
respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
B-0000150-1 8/12