Catalyst Smart Operations : Simplify Your Network
Scott Hodgdon
Senior Technical Marketing Engineer
November 18, 2014
Catalyst Smart Operations : Simplify Your Network
24.11.2014 © 2014 Cisco and/or its affiliates. All rights reserved.
Problem with Traditional VSS Configuration
• Up to 30 lines of configuration
• Configuration on both Active and Standby
• Error prone
• Version mismatch – more manual tasks
Easy VSS
[Figure: the two VSS chassis connected to each access switch by a Multi-Chassis EtherChannel]
• Easy VSS configuration is 1 line: ‘switch convert mode easy-virtual-switch’
• Zero touch on the Standby (no configuration needed there)
• Mismatch discovery and fix
• Needs L3 reachability to the peer chassis so the two switches can communicate during conversion
• Option to choose the VSL link
Easy VSS – choosing the VSL link
The candidate VSL links discovered from the peer are listed with ‘VSL ?’:

#(easy-vss)#VSL ?
Local Interface      Remote Interface       Hostname   Standby-IP
GigabitEthernet3/5   TenGigabitEthernet1/1  4K-DEMO    2.2.2.4
GigabitEthernet3/6   TenGigabitEthernet1/2  4K-DEMO    2.2.2.4
GigabitEthernet3/7   TenGigabitEthernet1/1  4K-DEMO2   2.2.2.5
Easy VSS: Traditional vs Easy VSS Configuration

Traditional VSS Config
Switch 1
Switch-1(config)# switch virtual domain 100
Switch-1(config-vs-domain)# switch 1
Switch-1(config-vs-domain)# exit
Switch-1(config)# interface port-channel 10
Switch-1(config-if)# switchport
Switch-1(config-if)# switch virtual link 1
Switch-1(config-if)# no shutdown
Switch-1(config-if)# exit
Switch-1(config)# interface range tengigabitethernet 3/1-2
Switch-1(config-if-range)# channel-group 10 mode on
Switch-1# switch convert mode virtual

Switch 2
Switch-2(config)# switch virtual domain 100
Switch-2(config-vs-domain)# switch 2
Switch-2(config-vs-domain)# exit
Switch-2(config)# interface port-channel 20
Switch-2(config-if)# switchport
Switch-2(config-if)# switch virtual link 2
Switch-2(config-if)# no shutdown
Switch-2(config-if)# exit
Switch-2(config)# interface range tengigabitethernet 5/2-3
Switch-2(config-if-range)# channel-group 20 mode on
Switch-2# switch convert mode virtual

Easy VSS Config
Switch 1
Switch-1# switch convert mode easy-virtual-switch
Switch-1(easy-vss)#VSL Te3/1 Te3/2

Switch 2
Switch-2(config)#   (nothing to configure on the standby)
Auto Secure
Generally Applied Security Configuration
• 3 simple security features: DHCP Snooping, Dynamic ARP Inspection, Port Security
• Several lines of configuration
• Difficult to validate
Auto Security – Features Enabled
DHCP Snooping
  Globally:
    ip dhcp snooping
    ip dhcp snooping vlan 2-4094
    no ip dhcp snooping information option
  Per access port:
    ip dhcp snooping limit rate 100
  Per trunk port:
    ip dhcp snooping trust
Dynamic ARP Inspection
  Globally:
    ip arp inspection vlan 2-4094
  Per access port:
    ip arp inspection limit rate 100
  Per trunk port:
    ip arp inspection trust
Port Security
  Per access port:
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
  Per trunk port:
    switchport port-security maximum 100
    switchport port-security violation restrict
Auto Secure
Auto Security Config
• 1 line: ‘auto security’
• Covers uplinks and downlinks
• Global and per-port option; the global command enables it on all ports as well
• Based on the port mode (access or trunk) it applies the host configuration or the uplink configuration
Auto Secure – Configuration
auto security
!
interface GigabitEthernet3/3
 description Connected to PC
 switchport access vlan 11
 switchport mode access
 auto security-port host
!
interface TenGigabitEthernet1/1
 description Trunk Port
 switchport mode trunk
 auto security-port uplink
Auto Secure – Show Configuration
Switch#show auto security configuration

Auto Secure CLIs applied on Access Port:
----------------------------------------
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100

Auto Secure CLIs applied on Trunk Port:
--------------------------------------
ip dhcp snooping trust
ip arp inspection trust
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security

Auto Secure CLIs applied globally:
---------------------------------
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip

Note that the device output differs from the summary slide: it enables snooping and DAI on VLANs 2-1005 and adds ‘ip arp inspection validate src-mac dst-mac ip’. Verify the applied commands with this show command on your platform rather than relying on the summary.
Auto Secure – Show Status and Interfaces
Switch#show auto security
Auto Secure is Enabled globally

AutoSecure is Enabled on below interface(s):
--------------------------------------------
TenGigabitEthernet1/1
GigabitEthernet3/1
GigabitEthernet3/3
GigabitEthernet3/4
GigabitEthernet3/5
GigabitEthernet3/6
Switch#
Interface Templates Benefits Overview
• Config file readability and manageability: smaller configuration files
• Built-in interface templates for ease of use; all interface templates are customizable
• Advantage over Auto Smart Ports: template updates immediately ripple to interfaces
• Per-session or per-port templates
• No change to running-config
• Full rollback and precedence management
• Compatible with Session Networking/AutoConf
Interface Templates: Built-in Templates
11 built-in templates based on common end devices

3850# show template interface brief
Template-Name                  Source    Bound-to-Interface
-------------                  ------    ------------------
AP_INTERFACE_TEMPLATE          Built-in  No
DMP_INTERFACE_TEMPLATE         Built-in  No
IP_CAMERA_INTERFACE_TEMPLATE   Built-in  No
IP_PHONE_INTERFACE_TEMPLATE    Built-in  No
LAP_INTERFACE_TEMPLATE         Built-in  No
MSP_CAMERA_INTERFACE_TEMPLATE  Built-in  No
MSP_VC_INTERFACE_TEMPLATE      Built-in  No
PRINTER_INTERFACE_TEMPLATE     Built-in  No
ROUTER_INTERFACE_TEMPLATE      Built-in  No
SWITCH_INTERFACE_TEMPLATE      Built-in  No
TP_INTERFACE_TEMPLATE          Built-in  No
Good Defaults
Interface Templates: interface commands
• Interface-level commands available for templates in the first release
• Only these commands can be used in interface templates
• Other interface-level commands are configured “the usual” way

3850(config)# template <template_name>
3850(config-template)# ?
Template configuration commands:
  aaa             Authentication, Authorization and Accounting.
  access-session  Access Session specific Interface Configuration cmds
  authentication  Auth Manager Interface Configuration Commands
  carrier-delay   Specify delay for interface transitions
  dampening       Enable event dampening
  default         Set a command to its defaults
  description     Interface specific description
  dot1x           Interface Config Commands for IEEE 802.1X
  exit            Exit from template configuration mode
  hold-queue      Set hold queue depth
  ip              IP template config
  keepalive       Enable keepalive
  load-interval   Specify interval for load calculation for an interface
  mab             MAC Authentication Bypass Interface Config Commands
  mls             mls interface commands
  no              Negate a command or set its defaults
  peer            Peer parameters for point to point interfaces
  priority-queue  Priority Queue
  queue-set       Choose a queue set for this queue
  radius-server   Modify RADIUS query parameters
  service-policy  Configure CPL Service Policy
  source          Get config from another source
  spanning-tree   Spanning Tree Subsystem
  srr-queue       Configure shaped round-robin transmit queues
  storm-control   storm configuration
  subscriber      Subscriber inactivity timeout value.
  switchport      Set switching mode characteristics
Interface Templates: Static Apply an Interface Template with “source”
• Statically apply an interface template with “source <templatename>” on the interface
• For the full interface configuration use “show derived-config interface <intf>”
• Only the template name appears in “show running interface <intf>”
• By default, the access VLAN is 1; modify the built-in template to change it

3850(config-if)# source template DMP_INTERFACE_TEMPLATE
3850(config-if)# end

3850# show derived-config interface Gig 1/0/10
Derived configuration : 249 bytes
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport block unicast
 switchport port-security
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
end

3850# show run interface Gig 1/0/10
Building configuration...
Current configuration : 79 bytes
!
interface GigabitEthernet1/0/10
 source template DMP_INTERFACE_TEMPLATE
end
Easy to Use
Interface Templates: Modify a Built-in Template
3850(config)# template DMP_INTERFACE_TEMPLATE
3850(config-template)# switchport access vlan 20
3850(config-template)# exit
3850# show derived-config int gi1/0/10
Building configuration...
Derived configuration : 276 bytes
!
interface GigabitEthernet1/0/10
 switchport access vlan 20
 switchport mode access
 switchport block unicast
 switchport port-security
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
end

• Editing is easy: add or modify configuration, e.g. change the access VLAN for the template
• Create a new template or customize an existing one with the command “template <name>”
• The change is applied automatically; with Auto Smart Ports (ASP) the macro has to be re-applied after a change
• When a built-in template is changed, the entire template appears in the running and startup configuration
• An unchanged template does not appear in the config
• Restore the original built-in template with the “no” form: “no template <template name>”
Easy to Modify
Interface Templates: Modified Built-in Templates
• Modified templates are distinguished from the original built-in ones
• Easy to determine the template in use

3850# show template interface brief
Template-Name                  Source             Bound-to-Interface
-------------                  ------             ------------------
AP_INTERFACE_TEMPLATE          Built-in           No
DMP_INTERFACE_TEMPLATE         Modified-Built-in  Yes
IP_CAMERA_INTERFACE_TEMPLATE   Built-in           No
IP_PHONE_INTERFACE_TEMPLATE    Built-in           No
LAP_INTERFACE_TEMPLATE         Built-in           No
MSP_CAMERA_INTERFACE_TEMPLATE  Built-in           No
MSP_VC_INTERFACE_TEMPLATE      Built-in           No
PRINTER_INTERFACE_TEMPLATE     Built-in           No
ROUTER_INTERFACE_TEMPLATE      Built-in           No
SWITCH_INTERFACE_TEMPLATE      Built-in           No
TP_INTERFACE_TEMPLATE          Built-in           No
Easy to Troubleshoot
Interface Templates: create your own template
3850# configure term
3850(config)# template APPLE_TV_INTF_TEMPLATE
3850(config-template)# switchport access vlan 33
3850(config-template)# spanning-tree portfast
3850(config-template)# switchport mode access
3850(config-template)# mls qos trust dscp
3850(config-template)# description Apple TV
3850(config-template)# exit
3850#
3850# show template brief
Interface Templates
===================
Template-Name                  Source             Bound-to-Interface
-------------                  ------             ------------------
APPLE_TV_INTF_TEMPLATE         User               No
AP_INTERFACE_TEMPLATE          Built-in           No
DMP_INTERFACE_TEMPLATE         Modified-Built-in  Yes
IP_CAMERA_INTERFACE_TEMPLATE   Built-in           No

• Easy to create your own template
• Templates that are not built-in are called “user” templates
• Applying a “user” template is the same as applying a built-in template
Easy to Build
Interface Templates: User created template
User-created templates work the same as built-in templates

3850(config)# interface Gig 1/0/11
3850(config-if)# source template APPLE_TV_INTF_TEMPLATE
3850(config-if)# end

3850# show run int gi1/0/11
Current configuration : 79 bytes
!
interface GigabitEthernet1/0/11
 source template APPLE_TV_INTF_TEMPLATE
end

3850# show derived interface Gig 1/0/11
Building configuration...
Derived configuration : 156 bytes
!
interface GigabitEthernet1/0/11
 description Apple TV
 switchport access vlan 33
 switchport mode access
 mls qos trust dscp
 spanning-tree portfast
end
Interface Templates: Nested Templates
• Call one template from within another template
• Maximum number of nesting levels is 1

3850#show run | beg template IA_TEMPLATE
template IA_TEMPLATE
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 switchport port-security
 source template IA_TEMPLATE2
template IA_TEMPLATE2
 spanning-tree portfast edge

Flexibility with Nesting
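The two procedures described above, the per-mode Auto Secure command sets listed under ‘show auto security configuration’ and one-level template nesting, as one added Python example that is not Cisco code and not from these slides: it expands ‘source template’ references into a ‘show derived-config’-style view, rejects a second nesting level, and then reports which Auto Secure commands a derived access or trunk port still lacks. The config text is constructed for the example; UPLINK_TEMPLATE is hypothetical; the rule that a command typed on the port replaces the template command with the same keywords is an assumption about precedence, not documented behaviour; and the parser handles only the flat template/interface stanza syntax shown on the slides.

```python
MAX_NESTING = 1  # the slide: maximum number of nesting levels is 1
# Command sets copied from the 'show auto security configuration' output on the slide.
ACCESS_REQUIRED = frozenset((
    "switchport port-security maximum 2|switchport port-security maximum 1 vlan access|switchport port-security maximum 1 vlan voice|"
    "switchport port-security violation restrict|switchport port-security aging time 2|switchport port-security aging type inactivity|"
    "switchport port-security|ip arp inspection limit rate 100|ip dhcp snooping limit rate 100").split("|"))
TRUNK_REQUIRED = frozenset(("ip dhcp snooping trust|ip arp inspection trust|switchport port-security maximum 100|"
                            "switchport port-security violation restrict|switchport port-security").split("|"))
# Constructed sample (not from the slides): IA_TEMPLATE/IA_TEMPLATE2 mirror the nested-template
# slide, TOO_DEEP adds a second nesting level, UPLINK_TEMPLATE is a hypothetical trunk template.
SAMPLE_CONFIG = """\
template IA_TEMPLATE
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 switchport port-security
 source template IA_TEMPLATE2
template IA_TEMPLATE2
 spanning-tree portfast edge
template TOO_DEEP
 source template IA_TEMPLATE
template UPLINK_TEMPLATE
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 switchport port-security maximum 100
 switchport port-security
interface GigabitEthernet1/0/12
 source template IA_TEMPLATE
 switchport access vlan 33
interface GigabitEthernet1/0/13
 source template TOO_DEEP
interface TenGigabitEthernet1/1
 source template UPLINK_TEMPLATE
"""


def parse_config(config):
    # Collect 'template NAME' and 'interface NAME' stanzas; indented lines belong to the stanza above.
    templates, interfaces, target = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and target is not None:
            target.append(line.strip())
        elif line.startswith("template "):
            target = templates.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("interface "):
            target = interfaces.setdefault(line.split(None, 1)[1], [])
        elif not line.startswith(" "):
            target = None  # '!', 'end' or a global command closes the stanza
    return templates, interfaces


def expand_template(name, templates, depth=0):
    # Flatten a template; a nested 'source template' is allowed only MAX_NESTING deep.
    if name not in templates:
        raise KeyError(f"template {name} is not defined")
    out = []
    for cmd in templates[name]:
        if cmd.startswith("source template "):
            child = cmd.split(None, 2)[2]
            if depth >= MAX_NESTING:
                raise ValueError(f"{name} -> {child} exceeds nesting level {MAX_NESTING}")
            out.extend(expand_template(child, templates, depth + 1))
        else:
            out.append(cmd)
    return out


def conflict_key(cmd):
    # 'switchport access vlan 33' and '... vlan 100' set the same thing (simplified rule).
    toks = cmd.split()
    return " ".join(toks[:-1] if toks[-1].isdigit() else toks)


def derive_interface(lines, templates):
    # 'show derived-config' view: template commands first, then the port's own commands;
    # an own command replaces a template command with the same key (assumed precedence).
    derived, own = [], []
    for cmd in lines:
        if cmd.startswith("source template "):
            derived.extend(expand_template(cmd.split(None, 2)[2], templates))
        else:
            own.append(cmd)
    for cmd in own:
        derived = [d for d in derived if conflict_key(d) != conflict_key(cmd)]
        derived.append(cmd)
    return derived


def audit(config):
    # Per interface: the derived config and the Auto Secure commands it lacks for its port mode.
    templates, interfaces = parse_config(config)
    report = {}
    for name, lines in interfaces.items():
        try:
            derived = derive_interface(lines, templates)
        except (KeyError, ValueError) as exc:
            report[name] = {"error": str(exc)}
            continue
        mode = next((c.split()[-1] for c in derived if c.startswith("switchport mode ")), None)
        required = {"access": ACCESS_REQUIRED, "trunk": TRUNK_REQUIRED}.get(mode, frozenset())
        report[name] = {"mode": mode, "derived": derived,
                        "missing": sorted(c for c in required if c not in derived)}
    return report
```

Feed audit() the text of ‘show running-config’ (templates plus ports). For Gi1/0/12 the port’s own ‘switchport access vlan 33’ displaces the template’s VLAN 100 and the report lists the eight host-side Auto Secure commands IA_TEMPLATE does not carry; Gi1/0/13 is rejected because TOO_DEEP nests two levels deep; the trunk Te1/1 is reported as lacking only ‘switchport port-security violation restrict’.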
Interface Templates: Summary
• Easy to use
• Easy to modify
• Easy to troubleshoot
• Easy to build
• Flexible with nesting
• Simplifies the configuration
AutoConf Benefits Overview
• Automates interface templates
• Simplifies the system configuration
• AutoConf is flexible
• No impact to the running configuration
• Easy to enable
AutoConf – Campus Use Case
[Figure: an access switch whose ports P1, P2 and P4 connect a phone, a compact switch and an access point; interface templates are bound per port, service templates per session (sessions S1, S2, S3 share one port, S4 is on another)]
Interface template fragment shown in the figure (applied per port):
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan ALL
  switchport mode trunk
  switchport nonegotiate
  auto qos voip trust
  mls qos trust cos
  srr-queue bandwidth limit $LIMIT
Service template fragments shown in the figure (applied per session):
  vlan 100
  access-group corp
  inactivity 300

  vlan 200
  access-group corp
  service-policy corp

Interface Templates
• Activated on INTERFACES
• Auto-configure the network device (one per port), e.g. switch or AP
• The template impacts all the traffic via that interface
• Stays on as long as activated
Service Templates
• Activated on NETWORK SESSIONS
• The template impacts only the control or data packets of the session
• No impact on other sessions sharing the port
• Stays on as long as the session exists
AutoConf: benefits over ASP
AutoConf doesn’t:
• Change the running config: no traps are generated on config change
• Block NEAT on switch-to-switch links: switch-to-switch links can be authenticated
• Remove the original interface configuration: when the template is removed, the original interface config is retained
AutoConf – Interface Templates relationship
• Templates are the foundation for AutoConf
• Templates can work without AutoConf
• AutoConf requires templates
AutoConf: The Basics
• To enable AutoConf globally: ‘autoconf enable’
• Based on templates (interface and service); maps device type to interface template automatically
• By default uses the built-in interface templates (see previous section)
• Built-in policy map and built-in parameter map
• The built-in parameter map BUILTIN_DEVICE_TO_TEMPLATE is generated automatically and is not shown in the running configuration unless modified
AutoConf Policy
BUILTIN_AUTOCONF_POLICY is the AutoConf policy that identifies the parameter map:

3850# show policy-map type control subscriber BUILTIN_AUTOCONF_POLICY
BUILTIN_AUTOCONF_POLICY
  event identity-update match-all
    10 class always do-until-failure
      10 map attribute-to-service table BUILTIN_DEVICE_TO_TEMPLATE

Parameter Map
3850# show parameter-map type subscriber attribute-to-service all
Parameter-map name: BUILTIN_DEVICE_TO_TEMPLATE
Map: 10 map device-type regex "Cisco-IP-Phone"
  Action(s):
    20 interface-template IP_PHONE_INTERFACE_TEMPLATE
Map: 20 map device-type regex "Cisco-IP-Camera"
  Action(s):
    20 interface-template IP_CAMERA_INTERFACE_TEMPLATE
Map: 30 map device-type regex "Cisco-DMP"
  Action(s):
    20 interface-template DMP_INTERFACE_TEMPLATE
AutoConf: default Hierarchy
Container relationship: the policy map BUILTIN_AUTOCONF_POLICY refers to the parameter map BUILTIN_DEVICE_TO_TEMPLATE, and the parameter map associates each device type with an interface template:
• Mapping device type A to interface template X
• Mapping device type B to interface template Y
• Mapping device type C to interface template Z
All built-in by default.
AutoConf: Default Parameter Map
3850# show parameter-map type subscriber attribute-to-service all
Parameter-map name: BUILTIN_DEVICE_TO_TEMPLATE
Map: 10 map device-type regex "Cisco-IP-Phone"
  Action(s):
    20 interface-template IP_PHONE_INTERFACE_TEMPLATE
Map: 20 map device-type regex "Cisco-IP-Camera"
  Action(s):
    20 interface-template IP_CAMERA_INTERFACE_TEMPLATE
Map: 30 map device-type regex "Cisco-DMP"
  Action(s):
    20 interface-template DMP_INTERFACE_TEMPLATE
Map: 40 map oui eq 00.0f.44
  Action(s):
    20 interface-template DMP_INTERFACE_TEMPLATE
<snip>

• Automatically created when AutoConf is enabled
• Not shown in the running-config unless modified
• Easy to modify
• The maps are evaluated in sequence order, and the device-type and OUI they match on are learned from the endpoint itself (what it advertises over CDP/LLDP/DHCP and its MAC address); a binding is therefore a classification of the endpoint, not an authentication of it
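The parameter-map evaluation described above, as an added Python example that is not Cisco code and not from these slides. It walks the maps copied from the BUILTIN_DEVICE_TO_TEMPLATE output in sequence order with first-match-wins semantics (an assumption about how the map is evaluated; the regex is applied with Python’s re.search) and adds a cross-check of my own, not an AutoConf feature: a device-type match coming from a MAC whose OUI is not in a constructed allow-list is flagged, because the device-type string is whatever the endpoint advertised. The endpoints and EXPECTED_OUIS are constructed for the example.

```python
import re

# Ordered maps copied from the BUILTIN_DEVICE_TO_TEMPLATE output on the slide:
# (sequence, attribute, value, interface template). Entries behind <snip> are unknown and omitted.
DEVICE_TO_TEMPLATE = [
    (10, "device-type", "Cisco-IP-Phone", "IP_PHONE_INTERFACE_TEMPLATE"),
    (20, "device-type", "Cisco-IP-Camera", "IP_CAMERA_INTERFACE_TEMPLATE"),
    (30, "device-type", "Cisco-DMP", "DMP_INTERFACE_TEMPLATE"),
    (40, "oui", "00.0f.44", "DMP_INTERFACE_TEMPLATE"),
]

# Constructed allow-list for the cross-check (not a complete OUI registry): OUIs from
# which a device-type match for the templates above is expected.
EXPECTED_OUIS = {"00.22.90", "00.0f.44"}


def oui_of(mac):
    """Normalise '0022.9090.0001' or '00:22:90:90:00:01' to the map's 'xx.xx.xx' form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ".".join(digits[i:i + 2] for i in (0, 2, 4))


def select_template(device_type, mac, maps=DEVICE_TO_TEMPLATE):
    """Walk the maps in sequence order; the first match wins (assumed evaluation order).
    Returns (sequence, attribute, template) or None when nothing matches."""
    oui = oui_of(mac)
    for seq, attr, value, template in sorted(maps):
        if attr == "device-type" and device_type and re.search(value, device_type):
            return seq, attr, template
        if attr == "oui" and oui == value:
            return seq, attr, template
    return None


def review_binding(device_type, mac):
    """Added sanity check (not an AutoConf feature): the device-type is endpoint-asserted
    (CDP/LLDP/DHCP), so a device-type match from an OUI outside EXPECTED_OUIS is flagged."""
    hit = select_template(device_type, mac)
    if hit is None:
        return {"template": None, "suspicious": False,
                "note": "no map matched; port keeps its static configuration"}
    seq, attr, template = hit
    suspicious = attr == "device-type" and oui_of(mac) not in EXPECTED_OUIS
    return {"template": template, "matched_by": f"map {seq} ({attr})", "suspicious": suspicious,
            "note": "device-type is endpoint-asserted and OUI is unexpected" if suspicious else "ok"}


if __name__ == "__main__":
    # Constructed endpoints: a phone, a DMP known only by OUI, a laptop, and a
    # non-Cisco MAC announcing itself as a Cisco IP phone.
    for dt, mac in [("Cisco-IP-Phone 7965", "0022.9090.0001"), (None, "000f.4412.3456"),
                    ("Apple-Device", "a4:83:e7:00:00:01"), ("Cisco-IP-Phone 7965", "a4:83:e7:00:00:02")]:
        print(dt, mac, review_binding(dt, mac))
```

The fourth endpoint shows the point of the cross-check: it receives IP_PHONE_INTERFACE_TEMPLATE from map 10 exactly like the real phone, because the regex only sees the advertised string, and only the OUI comparison distinguishes the two.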
AutoConf In Action: Dynamic Binding to Interface (1)
After an IP phone is connected to interface Gi1/0/2 there is no change to the running configuration (show run int <intf>):

3850# show run interface gi1/0/2
Current configuration : 38 bytes
!
interface GigabitEthernet1/0/2
end

AutoConf In Action: Dynamic Binding to Interface (2)
The full configuration is displayed with the derived command (show derived int <intf>):

3850# show derived int gi1/0/2
Derived configuration : 616 bytes
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport block unicast
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 switchport port-security
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
end
AutoConf In Action: Dynamic Binding to Interface (3)
Which template is bound to the interface? Use ‘show template interface binding’ or ‘show template binding target <intf>’:

3850# show template interface binding all
Template-Name                Source    Method   Interface
-------------                ------    ------   ---------
IP_PHONE_INTERFACE_TEMPLATE  Built-in  dynamic  Gi1/0/2

3850# show template binding target gi1/0/2
Interface Templates
===================
Interface: Gi1/0/2
Method   Source    Template-Name
------   ------    -------------
dynamic  Built-in  IP_PHONE_INTERFACE_TEMPLATE
Service Templates: highlights
• Service templates are applied to access sessions; interface templates are applied to physical ports
• Service template configuration only impacts the session’s traffic; no impact to other sessions on the same physical port
• Use service templates on non-physical interfaces, for example a WLAN SVI
• For authenticated sessions (e.g. user auth, MAC auth), wired and wireless
Interface Template and AutoConf: Things to Remember
• Built-in templates must be modified for VLAN config; all templates default to access VLAN 1:
    switchport access vlan X
    switchport voice vlan Y
    switchport trunk native vlan Z
• Once modified, built-in templates show in the running and startup config
• AutoConf-applied templates do not show in the running config
• Interface templates are not supported on EtherChannels, so neither is AutoConf
• AutoConf is enabled on all interfaces by default; explicitly disable it on an interface with ‘access-session inherit disable autoconf’
AutoConf and Interface Templates: Performance, Scale
• Max templates: unlimited (up to 4000 template definitions were defined during testing)
• Max template instances: unlimited
• Max template size: 128 lines of configuration
• Max scale tested: a 9-member stack of 48-port switches for the Catalyst 3K family; all ports of an Instant Access domain
• What makes dynamic template binding appear slow? If the system has no statically bound templates, the first dynamic binding takes longer than the ones that follow, other system factors being constant
AutoConf: Summary
• Easy to use
• Easy to modify
• Easy to build
• Scalable to thousands of ports
• Flexible with device sensing
• Simplifies the configuration
Network Plug-N-Play – Simple, Secure, Scalable
Today’s Process
[Figure: the reseller/partner ships equipment to a central staging facility, where the network admin installs the OS and the base config; an installer then carries the devices to Site-1, Site-2 and Site-3]

Business Challenges
• Direct costs: shipping, travel costs
• Complexity: config errors, different products / processes
• Security: 3rd party not secure, rogue devices
• Time/productivity: manual process; shipping, storage, travel
Network Plug-N-Play – Simple, Secure, Scalable
• Unskilled installer
• GUI based
• Consistent for devices and PIN (campus/branch)
• Secure
• Zero-touch RMA
• New and existing site(s)

Network PnP
1. Network admin: pre-provision projects/sites
2. Installer: install and power-on devices
3. Network admin: monitor device installation
Network PnP – Components
PnP Helper Applications: applications on smart phones that facilitate deployment; they deliver the bootstrap config when needed and provide status/troubleshooting checks.
PnP Server: a central server that manages sites, site devices and their images, configurations, files and licenses for the deployment. APIC-EM has a Cisco-built PnP server and also provides a northbound REST API for third-party/custom application integration. The PnP server communicates with the agents using an open PnP protocol.
PnP Agent: an embedded agent on the ISR and Catalyst that automates the deployment process.
Cisco Cloud Redirection Service: https://devicehelper.cisco.com/device-helper (not part of Phase 1).
PnP Protocol: the protocol between the agent and the PnP server. This is an open schema allowing third-party development of PnP servers.
Use Case : Branch Deployment
Step 1, network admin: pre-provision the site in APIC-EM
• Serial-number-based match rule
• Config and/or image
• Installer ID
Step 2, installer on site with the PnP mobile application
• Rack and stack devices
• Power-on
• Start deployment
• Check status and/or troubleshoot (optional)
The new devices contact the PnP server (shown reaching it across the Internet through an HTTP proxy) to get provisioned; the app delivers the bootstrap when needed.
Step 3, network admin: the IT admin can remotely monitor the status of the install; PnP server/site updates

Pre-provisioned devices for the site:
PID       Serial #    Hostname    IP address
ISR-2951  FOX23zxcd   ISR-main    192.168.15.1
ISR-2951  FOX23zxcb   ISR-bakcup  192.168.15.2
C3850     FOC123dfg   Dist1       192.168.16.3
C3560C    FOC443asd   ACC-sw1     192.168.16.4
C3560C    FOC443asa   ACC-sw2     192.168.16.5
C3560C    FOC443asg   ACC-sw3     192.168.16.6
C3560C    FOC443asx   AC-sw4      192.168.16.7
Use Case : Branch Deployment
APIC-EM ZTD: Unclaimed/Ad-hoc devices
• ‘Unclaimed’ devices are devices that called in but did not match any pre-provisioned site
• Devices ‘call in’ automatically and are placed here
• The admin provisions a device by claiming it, or ‘ignores’ the device; an unclaimed device could be a rogue device, so inspect its details before claiming it
APIC-EM ZTD: Unclaimed Device Details
To help identify unclaimed devices, ‘details’ provides information on the device, including:
• Version
• Inventory
• CDP neighbors
• …
Use Case : Branch - Zero-touch RMA
Day N, network admin:
• Marks the device for RMA; uses the inventory to find the device
• Opens a TAC case; Cisco ships the replacement
• The PnP server waits for the replacement device
Day N+1, assistant branch manager:
• Removes the old device
• Mounts and cables the replacement device
• Powers on
At the branch: no bootstrap config, no CLI, app optional.

No pre-provisioning of the replacement is needed; either:
1. Zero-touch RMA based on the neighbor table
• The PnP server maintains neighbor info
• It applies the same image/config to the new device
OR
2. Serial number match
• The incoming switch’s serial number is configured as the replacement device
• Image/config applied to the new device
Note: the PID must match!
In Summary …
Cisco Catalyst Switching offers a number of capabilities to simplify your network:
• Easy VSS
• Auto Security
• Interface Templates
• AutoConf
• Next-Gen Plug and Play
The benefits of these capabilities are:
• Simplify the configuration
• Simplify deployment
• Simplify day-to-day operations
• Simplify network management