Design Review Template - NETS
Design Review Template - NETS
Design Review Template - NETS
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Cisco Systems Advanced Services<br />
National Center for Atmospheric Research<br />
Campus <strong>Design</strong> <strong>Review</strong><br />
And Best Practices Recommendation<br />
Version 1.2<br />
Corporate Headquarters<br />
Cisco Systems, Inc.<br />
170 West Tasman Drive<br />
San Jose, CA 95134-1706<br />
USA<br />
http://www.cisco.com<br />
Tel: 408 526-4000<br />
800 553-<strong>NETS</strong> (6387)<br />
Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,<br />
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,<br />
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.<br />
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED<br />
WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED<br />
WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.<br />
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15<br />
of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment<br />
generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.<br />
Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.<br />
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in<br />
accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a<br />
Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a<br />
residential installation. However, there is no guarantee that interference will not occur in a particular installation.<br />
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral<br />
devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:<br />
Turn the television or radio antenna until the interference stops.<br />
Move the equipment to one side or the other of the television or radio.<br />
Move the equipment farther away from the television or radio.<br />
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by<br />
different circuit breakers or fuses.)<br />
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.<br />
The following third-party software may be included with your product and will be subject to the software license agreement:<br />
CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard Company. HP OpenView is a trademark of the Hewlett-Packard<br />
Company. Copyright © 1992, 1993 Hewlett-Packard Company.<br />
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version<br />
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.<br />
Network Time Protocol (NTP). Copyright © 1992, David L. Mills. The University of Delaware makes no representations about the suitability of this software for any purpose.<br />
Point-to-Point Protocol. Copyright © 1989, Carnegie-Mellon University. All rights reserved. The name of the University may not be used to endorse or promote products derived from<br />
this software without specific prior written permission.<br />
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by the University of California, Berkeley (UCB) as part of the UCB’s<br />
public domain version of the UNIX operating system. All rights reserved. Copyright © 1981-1988, Regents of the University of California.<br />
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac software is licensed to Cisco by Madge Networks Limited, and the<br />
RingRunner chip is licensed to Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge Networks Limited.<br />
Copyright © 1995, Madge Networks Limited. All rights reserved.<br />
Xremote is a trademark of Network Computing Devices, Inc. Copyright © 1989, Network Computing Devices, Inc., Mountain View, California. NCD makes no representations about the<br />
suitability of this software for any purpose.<br />
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.<br />
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL<br />
FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF<br />
MERCHANTABILITY, FITNESS FOR A PRACTICAL PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE<br />
PRACTICE.<br />
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT<br />
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS<br />
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
AccessPath, AtmDirector, Browse with Me, CCDE, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy,<br />
Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness<br />
Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are<br />
trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of<br />
Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo,<br />
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar,<br />
PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S.<br />
and certain other countries.<br />
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between<br />
Cisco and any other company. (0105R)<br />
INTELLECTUAL PROPERTY RIGHTS:<br />
THIS DOCUMENT CONTAINS VALUABLE TRADE SECRETS AND CONFIDENTIAL INFORMATION OF CISCO SYSTEMS, INC. AND IT’S SUPPLIERS, AND SHALL NOT<br />
BE DISCLOSED TO ANY PERSON, ORGANIZATION, OR ENTITY UNLESS SUCH DISCLOSURE IS SUBJECT TO THE PROVISIONS OF A WRITTEN NON-DISCLOSURE<br />
AND PROPRIETARY RIGHTS AGREEMENT OR INTELLECTUAL PROPERTY LICENSE AGREEMENT APPROVED BY CISCO SYSTEMS, INC. THE DISTRIBUTION OF<br />
THIS DOCUMENT DOES NOT GRANT ANY LICENSE IN OR RIGHTS, IN WHOLE OR IN PART, TO THE CONTENT, THE PRODUCT(S), TECHNOLOGY OF<br />
INTELLECTUAL PROPERTY DESCRIBED HEREIN.<br />
<strong>Design</strong> <strong>Review</strong> <strong>Template</strong><br />
Copyright © 2001-2, Cisco Systems, Inc.<br />
All rights reserved.<br />
COMMERCIAL IN CONFIDENCE.<br />
A PRINTED COPY OF THIS DOCUMENT IS CONSIDERED UNCONTROLLED.
Contents<br />
Contents 3<br />
Document Control 4<br />
History 4<br />
<strong>Review</strong> 4<br />
About The Document 5<br />
Document Purpose 5<br />
Business Profile 5<br />
Current Topology 6<br />
Current <strong>Design</strong> Overview 6<br />
Overview of Recommendations 8<br />
Executive Summary 8<br />
Short Term <strong>Design</strong> Enhancements 9<br />
Foothills-CenterGreen: The Radio Link 9<br />
Mixed Core (L2 + L3) 9<br />
Hierarchical (MultiLayer) Network <strong>Design</strong>: An Overview 11<br />
Overview 11<br />
Long Term: AS-Proposed <strong>Design</strong> 14<br />
Configuration Best Practices 16<br />
VLAN 1 16<br />
VLAN Trunking Protocol (VTP) 17<br />
Trunking Mode 17<br />
Spanning Tree Protocol (STP) 18<br />
Unidirectional Link Detection (UDLD) 20<br />
EtherChannel (PAgP) 21<br />
<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 3
Document Control<br />
Author:<br />
Hazim Dahir<br />
Advanced Services – Central Engineering<br />
History<br />
Table 1<br />
Revision History<br />
Version No. Issue Date Status Reason for Change<br />
1.0 20-Feb-2003 Draft, Released First release<br />
1.1 11-Apr-2003 Introduced Mixed Core<br />
1.2 24-Apr-2003 Final Updated Diagrams and added Configuration observations<br />
<strong>Review</strong><br />
Table 2<br />
Revision <strong>Review</strong><br />
<strong>Review</strong>er’s Name Version No. Date<br />
Tsegerada Beyen and Niels Brunsgaard 1.0<br />
Advanced Services<br />
Network Engineering Team<br />
NCAR<br />
1.1 Apr-17-2003<br />
Change Forecast: High<br />
This document will be kept under revision control.<br />
A printed copy of this document is considered uncontrolled.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 4
About The Document<br />
Document Purpose<br />
This network design review document is intended to provide an overall assessment of the design aspects of<br />
the network and select operational functions. The comments presented in this document are a result of<br />
information learned about the network from customer-documentation as well as the weekly discussions.<br />
This assessment is part of the Performance Engineering and Optimization services provided by the<br />
Central Engineering Team. This service will give a best practice assessment of the network as a complete<br />
system. It uses data collected about individual devices or interfaces to generate an assessment of “Campus<br />
Best Practices”. This assessment would consider network Availability, Scalability, Convergence,<br />
Modularity, Hierarchical <strong>Design</strong> and other network stability aspects.<br />
Business Profile<br />
Understanding the business goals of a company or institution is very important when analyzing a network<br />
design. The goal of a good network design is to empower users in meeting company objectives. The<br />
network should provide an acceptable level of performance and reliability while not wasting capital and<br />
other resources in the process of over-engineering the network. Nor should a network be under-engineered<br />
such that it fails to meet the service levels necessary to meet the business objectives. Many design<br />
decisions are a result of thoughtful risk/benefit analysis.<br />
The National Center for Atmospheric Research, NCAR, was established in 1960 to serve as a focus for<br />
research on atmospheric and related science problems and is recognized for its scientific contributions to<br />
our understanding of the earth system, including climate change, changes in atmospheric composition,<br />
Earth-Sun interactions, weather formation and forecasting, and the impacts of all of these components on<br />
human societies.<br />
With two major sites in Boulder, I.M. Pei's Mesa Laboratory and a newer Foothills Laboratory, NCAR's<br />
research is conducted in several principal disciplinary areas: atmospheric chemistry; mesoscale and<br />
microscale meteorology; solar and solar-terrestrial physics; and climate and the linking of climate with<br />
other environmental systems. Focused contributions are also made to national scientific initiatives. There<br />
are multi-disciplinary and cross-disciplinary efforts aimed at the development of a coupled climate system<br />
model which will simulate the complex interrelations between climate, weather, the sun, and the biosphere<br />
and oceans. Research on the societal interactions with atmospheric processes is an integral part of NCAR's<br />
program.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 5
About The Document<br />
Current Topology<br />
Mesa Lab<br />
UNAVCO<br />
Pearl Street<br />
ml-mr-c2-gs<br />
POTS<br />
ps-3018-c1-ts<br />
ps-1027a-c1-<br />
es<br />
ml-062-c1-gs<br />
Ml-371-c1-<br />
gs<br />
ml-50-c1-gs<br />
ml-mr-c2-ts<br />
netscm netscm2<br />
uv-18-c1-es<br />
Foothills Lab<br />
fl2-2076-c1-e<br />
s<br />
ps-3018-c1-es<br />
ps-2008-c1-es<br />
fl1-2152-c1-gsfl3-3087-c1-gs<br />
fl3-3068-c1-gs<br />
ml-16c-c1-gs<br />
netscm3<br />
fl4-1012-c1-gs<br />
fl1-2037a-c1-gs<br />
ml-mr-c2-es<br />
fl2-3095-c1-as<br />
fl2-3095-c1-gs<br />
fl2-3095-c1-ts<br />
ml-mr-c3-gs<br />
gin<br />
fl2-2104-c1-gs<br />
ml-47-c1-gs<br />
ml-mr-c1-ts<br />
ml-mr-c1-g<br />
s<br />
Center Green<br />
fl2-2069-c1-gs<br />
fl4-2060-c1-gs<br />
cg1-2010-c3-e<br />
s cg1-2036-c1-gs<br />
ml-243b-c1-gs<br />
ml-mr-c1-as<br />
voip1r-n2<br />
ml-y2k-c1-gs<br />
ml-y2k-c1-as<br />
vbnsr<br />
Marshall<br />
marshallr-n406mar-26a-c1-es fb-12-c1-es fb-12-c2-es<br />
cg-voipr<br />
cg1-3036-c1-gs<br />
jef-126-c1-as<br />
cg1-3010-c1-es<br />
jef-126-c1-es<br />
cg2-mr-c1-gs<br />
cg2-mr-c1-ts<br />
cg1-2010-c2-es<br />
cg1-2010-c4-es<br />
cg1-2010-c1-escg1-3010-c2-es<br />
NCAR Network<br />
Diagram<br />
A TM links<br />
Gigabit Ethernet links<br />
Fleischman Building<br />
JeffCo<br />
jef-126-c1-ts<br />
L3<br />
sw itch<br />
L2<br />
Sw itch<br />
ATM<br />
Sw it<br />
ch<br />
Terminal<br />
Server<br />
Current <strong>Design</strong> Overview<br />
The current design spreads over three major campuses. The largest and most populated are Mesa and<br />
Foothills. Center Green utilizes an L2 switch as an aggregation point.<br />
The existing design facilitates for several VLANs to span multiple switches as well as multiple sites.<br />
Although this is not recommended, at NCAR this does not present any immediate problems or issues. The<br />
single homing of switches to the perspective core switch and the absence of a Spanning Tree loop at the<br />
core provide for a stable environment.<br />
At the current time, NCAR is satisfied with the current “availability” model and hope to improve it in the<br />
future. For example, the Mesa site, acts as a transport site for all traffic exchanged between CenterGreen<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 6
About The Document<br />
and Foothills. A total failure of the “ml-mr-c1-gs” switch will isolate all three major sites. Relying on internal<br />
redundancy (Dual-Supervisor and HA feature) helps reduce the chance of that type of failure.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 7
Overview of Recommendations<br />
Executive Summary<br />
The advent of high-speed L3 switches has moved modern Enterprise/Campus Network <strong>Design</strong> away from<br />
the flat L2 vlan-based model. Cisco’s current Campus Reference <strong>Design</strong> Model, commonly known as the<br />
Multilayer Model, features high-powered L3 switches placed in key areas of the Enterprise Network.<br />
This document concentrates on key design concepts required for mission critical networks. The most<br />
important ones are:<br />
- Hierarchical Network Model: Characterization of traffic flow<br />
- Modularity: Network made up of distinct network blocks<br />
- Scalability: Allow network to grow without major changes or redesign<br />
- High Availability: Internal, External, and path redundancy<br />
- Predictability: Traffic Flows, delays, bounds, fail-over paths are predictable<br />
- Simplicity: Satisfy network requirements with the least amount of effort or Hardware<br />
The following sections attempt to describe two design improvement approaches:<br />
1. Short Term <strong>Design</strong> Enhancement<br />
2. Long Term AS Proposed <strong>Design</strong><br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 8
Short Term <strong>Design</strong> Enhancements<br />
Foothills-CenterGreen: The Radio Link<br />
NCAR is testing a Radio Link (TeraBeam) for possible deployment into the production environment to<br />
connect Foothills with CenterGreen. If we allow the Radio Link to act a trunk, then we are creating an<br />
environment that is STP dependent for convergence. That in return will force one of the Core links to be in<br />
the “Blocking” state. Reliability and Utilization common sense force us to “block” the Radio Link.<br />
All Links (including the Radio Link) are better utilized in an L3 Core. With the three major sites<br />
participating, this would be a full mesh. Mesa will no longer be the only link between Foothills and<br />
CenterGreen.<br />
Mixed Core (L2 + L3)<br />
The presence of several campus-wide VLANs requires Trunking (ISL or dot1Q) in the Core. Those<br />
VLANs would be handled by two trunks connecting the three sites. This is exactly how all traffic is<br />
handled today.<br />
Other VLANs that are unique to an L2 switch or to one of the sites will be cleared from the L2 trunk and<br />
can be routed via a separate L3 connection. This is best described by the following diagram.<br />
By adding a routing engine to the CenterGreen switch, three unique VLANs can be configured to represent<br />
the L3 core. The other L2 will only carry traffic for the VLANs requiring campus-wide configuration (all<br />
other VLANs must be cleared from the trunk).<br />
An important decision needs to be taken here regarding the Active gateway(s) for the ‘L2” VLANs. Any<br />
two routers in any of the three sites can handle that requirement. We can also consider M-HSRP and have<br />
one router active for half the VLANs and another router active for the other half. (Point of Discussion: This<br />
document will updated accordingly)<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 9
Error! Reference source not found.<br />
Mixed Core <strong>Design</strong><br />
- The L3 Core consists of the three independent point-to-point VLANs X, Y, and Z.<br />
- The L2 trunk illustrated by the blue lines will carry VLANs that need site-wide accessibility.<br />
- VLANs X, Y, and Z to be cleared from the dot1Q trunk<br />
- All Site-specific VLANs to be cleared from the dot1Q trunks.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 10
Hierarchical (MultiLayer) Network<br />
<strong>Design</strong>: An Overview<br />
Overview<br />
The hierarchical three tiered campus design has become the preferred architecture for most networks. The three<br />
tiered architecture is comprised of an access layer that directly connect network users by means of switches,<br />
normally placed in wiring closets positioned throughout the campus. Access layer switches are also connected to<br />
a distribution layer. The distribution layer sites will have a number of access switches connected to it. The<br />
number of access switches connected to the distribution layer is often determined by geographic proximity, such<br />
as all the access switches in a building homing into one distribution site for that building. The distribution sites<br />
normally consist of switches with layer 2 and layer 3 functions. The distribution layer switches are usually<br />
deployed in pairs for system redundancy. The distribution layer switches are then connected to a core layer<br />
switch. The core switches are also usually deployed in pairs for redundancy and may support layer 3 as well as<br />
layer 2 functions. An overall campus design such as this might have a numerical profile of 8000 users connected<br />
to 40 access switches that are then connected to 4 distribution sites that are finally connected to 1 core site.<br />
Access<br />
Distribution<br />
Backbone<br />
Core<br />
Building block additions<br />
Data Center<br />
WAN Internet Remote Access<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 11
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
A hierarchical network design distributes networking function at each layer through a layered organization.<br />
Modular designs are made out of building blocks. Modules and can be added or removed without redesigning<br />
the network. A modular design is also easier to grow and troubleshoot. Cisco’s multilayer design is an<br />
example of modular hierarchical design model. The key elements of the structured hierarchy are the Core,<br />
Distribution and Access layer in a network.<br />
The Access Layer<br />
This layer is made up of pure L2 (layer 2) switches each with dual uplinks to two L3 distribution switches.<br />
There are basically two types of access vlans that can be implemented in this area and most often we see a mix<br />
of both. The Access Layer model use one of two methods to provide redundancy and/or load balancing:<br />
The HSRP Model: It does not utilise STP and has faster convergence in the face of failures. There is no regular<br />
routing protocol running over the uplinks, only hsrp (passive vlan interfaces). Load-balancing is achieved by<br />
having half of the vlans use one distribution switch as their default gateway and the other half use the other<br />
distribution switch.<br />
It should be pointed out that the standard access model does not call for STP to be turned off on the switches.<br />
STP should be enabled but no L2 loops should physically exist. This is a precaution to avoid the network to<br />
collapse in case of wrong cabling or when channeling feature misbehaves. One common perception is that a<br />
unique vlan must be configured on each access switch, this is not true as it is allowed and sometimes<br />
advantageous to configure several vlans per access switch; the only thing that is not allowed is to configure one<br />
same vlan on more than one access switch.<br />
The Spanning Tree Model: In the early days of the VLAN technology it was a common design to group clients<br />
and their corresponding servers within the same vlan to fully take advantage of the performance of L2<br />
switching. As a result, workgroup servers were usually attached at the distribution layer where all vlans would<br />
meet. Each of these vlans would also span the whole network thereby potentially creating extended STP<br />
topologies. These designs were heavily based on the vlan concept accompanied with its highly publicized<br />
flexibility (mobility) and therefore had quite a bit of a success.<br />
Although, building-wide vlans are discouraged in the multilayer model it has to be admitted that real networks<br />
often make heavy use of their conveniences and cannot work around them easily. Hence, another access model<br />
is presented with a very simple STP topology such that it can be tolerated in the multilayer model.<br />
In the STP/VLAN-based access model, we restrict the STP topology into a triangle. Primary and secondary<br />
roots are always located at the distribution layer so that each vlan blocks once on each access switch. Many<br />
materials explain how to design, implement and troubleshoot STP optimally for this situation. In this case, you<br />
want to have at least two vlans per access switch in order to use the bandwidth on all links including blocked<br />
uplinks. On one access switch, each vlan should block a different uplink – this can easily be achieved by using a<br />
different primary root at the distribution layer for each vlan.<br />
Helpful hints and features to deploy in the access layer:<br />
• Use UDLD and loop-guard to prevent the adverse effects of STP failures.<br />
• Keep the topology as simple as possible. Triangular shaped topologies are very well suited to implement the<br />
STP’s enhancements (x-fast).<br />
• Use multiple vlans and PVST+ to loadshare traffic across blocked ports.<br />
• Location of blocked ports must be very easily predicted (a consequence of simple triangular topologies).<br />
• The distance to the root must be kept to a minimum.<br />
• Carefully choose the root location.<br />
The Distribution Layer<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 12
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
This layer interfaces the Access layer with the Core Layer; it is a major aggregation point and plays a very<br />
important role. The distribution layer terminates all access vlans from the layer 2 perspective. High performing<br />
Catalysts 6k are typically used to route the vlans efficiently at wire speed towards the backbone. The switches<br />
have routing intelligence to participate in any routing protocol with core routers as well as providing HSRP<br />
functionality to load share traffic coming from the access layer. The Distribution switches do not inject routing<br />
updates into the access layer in normal circumstances.<br />
Although it consists only of two L3 switches, the way we implement and interconnect them to other layers is not<br />
trivial.<br />
Helpful hints and features to deploy in the access layer:<br />
• Aggregates the Access Layer (wiring closet) switches<br />
• Provides uplink connectivity to the Core LayerReduces the need of high density peering with a Core-only<br />
Layer<br />
• Redundancy (Availability), Load Balancing and Capacity Planning (Provisioning) are the most important<br />
aspects.<br />
o Use Layer 3 Switching in this Layer<br />
o Use HSRP and HSRP-Tracking for first-hop redundancy<br />
The Core Layer<br />
The backbone of the network. Aggregates the Distribution Layer switches and plays the primary role of<br />
connecting other network building blocks. It should provide redundancy, rapid convergence using high-speed<br />
connections and high-speed Layer 3 switching.<br />
The Server Farm:<br />
A server farm is implemented as a high-capacity building block attached to the campus backbone, and is treated<br />
as its own distribution block. Server farm is an aggregation point for much of the traffic from the whole campus.<br />
As such, it makes sense to design the server farm with less over subscription of switch and trunk resources than<br />
the normal building block. For example, if the other campus building blocks connect to the backbone with Fast<br />
Ethernet, then the server farm should probably attach to the backbone with Gigabit Ethernet.<br />
How do we handle Campus or Enterprise-Wide VLANs<br />
These are definitely incompatible with the Multilayer model, which is a strictly routed environment. There are<br />
generally two possible ways to force these protocols on the model, either we build Campus-Wide vlans with<br />
complex Spanning Tree topologies spanning the whole network or we need to bridge these protocols on the<br />
routers. Both alternatives undermine the robustness of the network.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 13
Long Term: AS-Proposed <strong>Design</strong><br />
This section will detail a design proposal from the AS team. The following design is hierarchical,<br />
redundant, and modular. If fully implemented, the design presents a solution where each of the campuses<br />
is totally independent from the other from a traffic and fail-over point of views.<br />
Mesa/Marshall<br />
Fleischman<br />
Jeffco<br />
Server Farm<br />
POTS/WAN<br />
10/100/1000<br />
L3 GEC<br />
MESA<br />
Si<br />
Si<br />
Foot<br />
Hills<br />
Gigabit Core<br />
Center<br />
Green<br />
Si<br />
Si<br />
Si<br />
Si<br />
FootHills/Pearl Street/UNAVCO<br />
Semi-Fully Meshed Core design<br />
A link or Switch failure at any of the buildings will not affect any other building. The design is also<br />
optimised for IP Telephony and Multicast and any QoS strategy needed for any technology or application.<br />
The above diagram provides an idea of the final design; a phased migration is provided later.<br />
The proposed design offers the following advantages and common features:<br />
At the Access Layer:<br />
- Switches would have unique VLANs (one or several that exist only on that switch). This in return<br />
eliminates dependency on Spanning Tree Protocol for convergence.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 14
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
- User ports to be configured with PortFast (See best practices section below)<br />
- ISL or dot1Q trunks to the Distribution layer. Allow only Access Layer VLANs on the trunk.<br />
- The ability to load-balance traffic over the Access-Distribution trunks. (This is done using HSRP).<br />
If VLANs span multiple switches or buildings, then we can achieve load balancing using STP by<br />
alternating “Root” configuration between Distribution Switches.<br />
- If STP is the choice for redundancy, the UplinkFast feature is utilized to offer almost instantaneous<br />
fail-over of uplinks.<br />
At the Distribution Layer:<br />
- Two Distribution switches per building to provide maximum redundancy and performance. The<br />
two distribution switches are also directly connected to the Core using L3 connections.<br />
- Terminate and limit the size of broadcast domains. With unique VLANs configured at the Access<br />
switches, the link between the two Distribution in every building can be an L3 connections.<br />
- A failure in one of the closets will only be limited to that closet.<br />
- Configure HSRP with alternating priority levels between the two Distribution-MSFCs to provide<br />
redundancy as well as load balancing of the Uplinks.<br />
- Easy to manage and troubleshoot<br />
- Root bridges are local and known. No Root is across the WAN links.<br />
At the Core Layer:<br />
- Layer 3 Core<br />
- Highly redundant<br />
- Simple <strong>Design</strong><br />
- Point-to-Point L3 connections<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 15
Configuration Best Practices<br />
VLAN 1<br />
VLAN1 has a special significance in Catalyst networks, and can be the cause of some confusion.<br />
The Catalyst Supervisor always uses the Default VLAN, 1, to tag a number of control and management<br />
protocols when trunking, such as CDP, VTP and PAgP! All ports including the internal sc0 interface are<br />
configured to be members of VLAN1 at initial boot up. All trunks carry VLAN1 by default, and in older<br />
Catalyst code, (prior to CatOS 5.3), it was not possible to block user data in VLAN1.<br />
Two other definitions are needed to help clarify some well-used terms in Catalyst networking:<br />
• The Management VLAN is where sc0 resides, and can be changed.<br />
• The Native VLAN is defined as the VLAN a port will return to when not trunking, and is the untagged<br />
VLAN on an 802.1Q trunk.<br />
There are several good reasons to tune a network and alter the behavior of ports in VLAN1:<br />
• When the diameter of VLAN1, like any other VLAN, gets large enough to be a risk to stability,<br />
particularly from an STP perspective, it needs to be pruned back.<br />
• Control plane data on VLAN1 should be kept separate from user data in other VLANs, and ideally<br />
the management VLAN, to simplify troubleshooting and maximise available CPU.<br />
• Layer-2 loops in VLAN1 must be avoided when designing Multilayer Campus networks without<br />
STP, yet trunking is still required to the access-layer multiple there are multiple VLANs and IP<br />
subnets. To do this, manually clear VLAN1 from trunk ports.<br />
Note:<br />
• CDP, VTP and PAgP updates are always forwarded with a VLAN1 tag even if VLAN1 has been<br />
cleared on trunks and is not the native VLAN. One implication is that when trunking to a router, an<br />
interface must be defined in VLAN1 to detect CDP.<br />
• DTP updates are forwarded with VLAN1 tags on ISL trunks, but use the native VLAN on 802.1Q.<br />
• 802.1Q IEEE BPDUs are forwarded untagged on the ‘Common Spanning Tree’ VLAN1 (like ISL)<br />
for interoperability with other vendors, unless VLAN1 has been cleared from the trunk. Cisco Per-<br />
VLAN Spanning tree (PVST+) BPDUs are sent and tagged for all other VLANs. Analysis<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.2 16
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
VLAN Trunking Protocol (VTP)<br />
Before you create VLANs you must decide what VTP mode to use in your network. With VTP you can<br />
make VLAN configuration changes centrally on one or more switches and have those changes<br />
automatically communicated to all the other switches in the network.<br />
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the<br />
addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes mis-configurations<br />
and configuration inconsistencies that can result in a number of problems such as duplicate VLAN names,<br />
incorrect VLAN-type specifications, and security violations. The VLAN database built is stored in<br />
NVRAM, separately the configuration.<br />
AS recommends transparent mode. As the majority of customers do not create or delete VLANs<br />
frequently, when a new VLAN is needed it is not much effort to update all switches in a domain, usually<br />
numbering 20 or less.<br />
• This practice encourages good change control.<br />
• Limits the risk of a user error, such as deleting a VLAN, impacting the entire domain.<br />
• Eliminated the risk of any VTP bug affecting the entire network.<br />
• There is no risk from a new switch being introduced into the network with a higher VTP revision<br />
number and over-writing the entire domain's VLAN configuration. There is a positive and negative<br />
side to VTP being able to make changes very easily on a network - most enterprises prefer a cautious<br />
approach.<br />
• STP per VLAN and unnecessary flooding should be limited by explicit configuration (i.e. pruning) of<br />
what VLANs are propagated on what trunks. A per switch VLAN configuration also encourages this<br />
practice.<br />
• The extended VLAN range in CatOS 6.x, numbers1025-4094, can only be configured in this way.<br />
Trunking Mode<br />
Purpose: DTP is the second generation of DISL (Dynamic ISL) and exists to ensure that the different<br />
parameters involved in sending ISL or 802.1Q frames, like the configured encapsulation type, native<br />
VLAN, hardware capability, etc. are agreed by the Catalysts at either end of a trunk. This also helps protect<br />
against non-trunk ports flooding tagged frames, a potentially serious security risk, by ensuring ports and<br />
their neighbors are either in a safe trunking or non-trunking state.<br />
Operational Overview: DTP is a layer-2 protocol that negotiates configuration parameters between a<br />
switch port and it's neighbor. It uses another well-known multicast MAC address of 01-00-0c-cc-cc-cc and<br />
a SNAP protocol type of 0x2004. Here is a summary of the configuration modes:<br />
Note: ISL and 802.1Q encapsulation type can be set or negotiated - ISL will be preferred over dot1Q, but<br />
is recommended to be set.<br />
• DTP assumes point-to-point connection, and Cisco devices will support 802.1Q trunk ports that are<br />
only point-to-point.<br />
• During DTP negotiation, the ports will not participate in STP. Only after the port type becomes one of<br />
the three types (Access, ISL or 802.1Q), the port will be added to STP. (If PAgP is running that is the<br />
next process to run prior to the port participating in STP).<br />
• VLAN 1 will usually be there on the trunk port. If the port is trunking in ISL mode, DTP packets are<br />
sent out on VLAN 1, otherwise (for 802.1Q trunking or non-trunking ports) on the Native VLAN.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 17
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
• In desirable mode DTP packets transfer the VTP domain name, which must match for a negotiated<br />
trunk to come up, plus trunk configuration and admin status.<br />
• Messages are sent every 1s during negotiation, and every 30s after that.<br />
• Be careful that it is understood modes (on, nonegotiate, off) explicitly specify in which state the port<br />
will end up. A bad configuration can lead to a dangerous inconsistent state where one side is trunking<br />
and the other is not. A port in on, auto, or desirable sends DTP frames periodically. If a port in auto<br />
or desirable mode doesn't see a DTP packet in 5min it will be set to non-trunk.<br />
AS recommends an explicit trunk configuration of ‘Desirable-Desirable’.<br />
In this mode, network operators can trust syslog and command line status messages that a port is up and<br />
trunking, unlike the mode ‘on’ that can make a port appear up even though the neighbor is mis-configured.<br />
With the consistency of using the same configuration at both ends of the trunk, the ambiguous and default<br />
setting ‘auto’ can be avoided.<br />
set trunk desirable <br />
Importantly, also set 'trunk off' on all non-trunk ports. This helps eliminate wasted negotiation time when<br />
bringing host ports up (in conjunction with ‘port channel mode off’ and PortFast enabled - set port host).<br />
Set trunk off all<br />
By default, Trunking ports will propagate information about all VLANs, but AS recommends limiting that<br />
to the VLANs defined on the wiring closet switches. This practice has many advantages, most importantly,<br />
is the ability to isolate issues, broadcasts, and loops to one wiring closet instead of the entire network.<br />
Spanning Tree Protocol (STP)<br />
Spanning tree maintains a loop free layer two environment in redundant switched and bridged networks.<br />
Without STP, frames would loop and/or multiply indefinitely causing a network meltdown as all devices in<br />
the broadcast domain are interrupted by high traffic.<br />
As an initial observation, all Catalyst switches have STP enabled by default. AS recommends leaving the<br />
feature enabled for these reasons:<br />
• When there is a loop (induced by mis-patching/bad cable, etc.), STP will prevent detrimental effects to<br />
the network, potentially made much worse with multicast and broadcast data.<br />
• Protection against channel breaking down.<br />
• Most of networks are configured with STP and hence gets maximum exposure. More exposure<br />
generally equates to more stable code.<br />
• Protection against dual attached NICs misbehaving (or routing enabled on servers).<br />
• Many protocols are closely related to STP in the code (such as PAgP, IGMP snooping, trunking etc.) -<br />
running without it may lead to undesirable results. During a reported network disruption, TAC and DE<br />
will most likely suggest that non-usage of STP will be at the centre of the fault if at all conceivable.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 18
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
set spantree enable all<br />
! default<br />
PortFast<br />
PortFast is used to bypass normal spanning-tree operation on access-ports to speed up connectivity<br />
between end-stations and the services they need to connect to after link initialization.<br />
AS recommend STP PortFast be set on for all enabled host ports. Must be diligent to catch<br />
all ports!!!<br />
AS recommends using the “host” macro to configure PortFast on Access ports:<br />
Set port host ! macro for the following commands<br />
set spantree portfast enable<br />
set trunk off<br />
set channel mode off<br />
Note that PortFast doesn’t mean that we do not run spanning-tree at all on those ports: BPDUs are still<br />
sent, received and processed. It must also be understood that PortFast will not work on trunks since these<br />
ports are typically not access-ports. This may cause confusion on access-ports running ISL or dot1q<br />
connected to multi-homed trunking capable end-stations.<br />
PortFast BPDU-Guard provides a method for preventing loops by moving a non-trunking port into an<br />
ErrDisable state when a BPDU is received on that port.<br />
Under “normal” conditions we should never receive a BPDU packet on an access-port configured for<br />
PortFast, so if we for some reason should see a BPDU coming in, it indicates an invalid hence dangerous<br />
configuration and the action we take upon this is to shut down the access-port. When the BPDU Guard<br />
feature is enabled on the switch spanning tree shuts down PortFast-configured interfaces that receive<br />
BPDUs instead of putting them into the spanning-tree blocking state<br />
set spantree portfast bpdu-guard enable<br />
UplinkFast<br />
UplinkFast is a solution for Access Layer switches to move it’s blocking link almost instantaneously to<br />
forwarding if there is a direct link failure to the root switch. Access Layer switches using UplinkFast<br />
forward their CAM table over the new root port, preventing unknown unicasts to flood. UplinkFast feature<br />
uses uplink group, which consists of the root port and all the ports that provide an alternate connection to<br />
the root bridge (blocking redundant links). If the root port fails (primary uplink failure), a port from the<br />
uplink group is selected to immediately replace it. Uplinkfast feature is only useful when there is a<br />
redundant blocking link. Uplinkfast and the following Cross stack uplinkfast feature are not necessary if a<br />
design with no layer 2 loops is implemented<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 19
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
Spanning Tree Root<br />
(Primary)<br />
Spanning Tree Root<br />
(Secondary)<br />
Distribution<br />
Trunk<br />
Access<br />
Gi0/2<br />
Gi0/1<br />
CatOS> (enable) set spantree uplinkfast enable<br />
BackboneFast<br />
In the above figure if the link between the two distribution layer switches failed then it’s considered an<br />
indirect root link failure. After an indirect failure, the secondary root bridge will start transmitting<br />
configuration BPDUs claiming itself to be the root. Access switch upon receiving the BPDU will<br />
realize that the BPDU is inferior compared to what it has on its root port. The access switch will then<br />
transmit a Root Link Query message on its root port to determine if the original root is still alive. Upon<br />
receiving a positive response from the root that it is still alive, Access switch will transmit a BPDU to<br />
the secondary root bridge so that it can calculate the path to root. Access switch will also transition the<br />
blocking port to listening and learning state then forwarding. Without backbonefast the Access switch<br />
won’t have reacted to the inferior BPDU until max-age (20 seconds by default) on the port expired.<br />
Therefore backbonefast cuts the convergence time for indirect failure by 20 seconds. The access port<br />
still goes through listening and learning states, which takes 30 seconds in total<br />
CatOS> (enable) set spantree backbonefast enable<br />
Unidirectional Link Detection (UDLD)<br />
The Uni-Directional Link Detection (UDLD) feature is intended to resolve some of the following<br />
issues:<br />
- Monitor physical cabling configurations - shutting down any mis-wired ports as ‘ErrDisabled’<br />
- Protect against Uni-directional links, on Fibre-optical and copper Ethernet interfaces. When a unidirectional<br />
link is detected -due to media or port/interface malfunction- the affected port is<br />
shutdown as ‘ErrDisabled’ and a corresponding syslog message generated<br />
- To be clear: it is the top switch in these diagrams that see a unidirectional link and will place the<br />
port in Errdisable<br />
Spanning tree, with its steady state unidirectional BPDU flow, was an acute sufferer from the above<br />
failures. It is easy to see how a port may suddenly be unable to transmit BPDUs, causing an STP state<br />
change from 'blocking' to 'forwarding' on the neighbor, yet a loop still existing as the port is still able to<br />
receive.<br />
For maximum protection against symptoms resulting from uni-directional links, AS recommends<br />
enabling UDLD on point-to-point FE/GE links between “aggressive-UDLD capable” Cisco<br />
switches – where the message interval is configurable / set to 15 seconds default.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 20
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
By default UDLD is disabled globally, and enabled in readiness on fiber ports. As UDLD is an<br />
infrastructure protocol needed between switches only, it is disabled by default on copper ports as these<br />
tend to be used for host access.<br />
Set udld enable<br />
Set udld enable <br />
! once globally enabled, all FE and<br />
GE fibre ports have UDLD enabled<br />
by default.<br />
! for additional specific ports and<br />
copper media if needed.<br />
Set udld aggressive-mode enable ! all point to point links<br />
Enabling UDLD ‘aggressive-mode’ provides additional benefits:<br />
This feature provides enhanced protection against dangerous unidirectional link conditions in the<br />
following situations, and includes attempts to re-establish a connection with the neighbor upon failure<br />
detection:<br />
- One side of a link has a port stuck (either Tx and Rx).<br />
- One side of a link remains up while the other side of the link has gone down. This reduces the<br />
reliance on Layer 1 FEFI mechanisms<br />
- After eight failed retries, the port is transitioned to an ErrDisable state and a syslog message<br />
logged<br />
- In these cases, UDLD aggressive mode will ErrDisable both of the ports on the link and stops the<br />
black-holing of traffic<br />
Aggressive mode UDLD also allows the possibility to manually configure the UDLD probe/echo<br />
message interval between values ranging from 7-90 seconds, the default interval being 15 seconds.<br />
EtherChannel (PAgP)<br />
EtherChannel technologies allow the inverse multiplexing of multiple (up to eight on Cat6k) channels into<br />
a single logical link, and although each platform differs from the next in implementation, it is important to<br />
understand the common requirement<br />
- An algorithm to statistically multiplex frames over multiple channels<br />
- Creation of a logical port so that a single instance of STP can be run An algorithm to statistically<br />
multiplex frames over multiple channels<br />
- A channel management protocol. PAgP is a management protocol that will check for parameter<br />
consistency at either end of the link, and assist the channel in adapting to link failure or addition<br />
- PAgP requires that all ports in the channel belong to the same VLAN or are configured as trunk<br />
ports. (Because dynamic VLANs can force the change of a port into a different VLAN, they are<br />
not included in EtherChannel participation.)<br />
- When a bundle already exists and a VLAN of a port is modified, all ports in the bundle are<br />
modified to match that VLAN<br />
- PAgP does not group ports that operate at different speeds or port duplex. If speed and duplex are<br />
changed when a bundle exists, PAgP changes the port speed and duplex for all ports in the bundle<br />
Configuration Options: EtherChannels can be configured in different modes, summarized in the table<br />
below:<br />
Mode<br />
On<br />
Configurable Options:<br />
PAgP not in operation. The port is channeling regardless of how the<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 21
Hierarchical (MultiLayer) Network <strong>Design</strong><br />
Off<br />
Auto (Default)<br />
Desirable<br />
Non-silent<br />
(Default on 5k fiber<br />
FE and GE ports)<br />
Silent<br />
(Default on all 6k<br />
and 4k ports, and<br />
5k copper ports)<br />
peer port is configured. If the peer port mode is on, a channel is<br />
formed.<br />
The port is not channeling regardless of how the peer port is<br />
configured.<br />
Aggregation is under control of the PAgP protocol. Places a port into<br />
a passive negotiating state and no PAgP packets are sent on the<br />
interface until at least one PAgP packet is received that indicates<br />
that the sender is operating in desirable mode.<br />
Aggregation is under control of the PAgP protocol. Places a port into<br />
an active negotiating state, in which the port initiates negotiations<br />
with other ports by sending PAgP packets. A channel is formed with<br />
another port group in either desirable or auto mode.<br />
An auto or desirable mode keyword. If no data packets are received<br />
on the interface, then the interface is never attached to an agport<br />
and cannot be used for data.<br />
This bi-directionality check was provided for specific Cat5k hardware<br />
(EBC and SAINT4/5 ASICS), as some link failures result in the<br />
channel being broken apart and is to be avoided. More flexible<br />
bundling and improved bi-directionality checks are present by default<br />
in the 4k and 6k hardware. See section on auto-negotiation.<br />
F2H1A0C4<br />
An auto or desirable mode keyword. If no data packets are received<br />
on the interface, then after a 15s timeout period, the interface is<br />
attached by itself to an agport and can thus be used for data<br />
transmission.<br />
Silent mode also allows for channel operation when the partner can<br />
be an analyzer or server that never sends PAgP.<br />
AS recommends enabling PAgP on all switch-to-switch channel connections (ie. avoid the mode ‘on’).<br />
The preferred way is to set ‘desirable mode’ at both ends of a link.<br />
The additional recommendation is to allow the ‘silent/non-silent’ keyword to default, i.e. silent on 6ks and<br />
4ks, non-silent on 5k fiber ports.<br />
As discussed in previous sections, explicitly configuring channeling off on all other port is helpful for rapid<br />
data forwarding as ports come up. Waiting up to 15s for PAgP to timeout on a port that will not be used for<br />
channeling should be avoided, especially as the port is then handed over to STP which itself can take 30s to<br />
allow data forwarding, 45s in total.<br />
set port channel mode desirable<br />
set port channel mode off! where ports not in use, part of the<br />
! set port host macro.<br />
NCAR <strong>Design</strong> <strong>Review</strong> and Recommendations v1.0 22
Corporate Headquarters<br />
Cisco Systems, Inc.<br />
170 West Tasman Drive<br />
San Jose, CA 95134-1706<br />
USA<br />
www.cisco.com<br />
Tel: 408 526-4000<br />
800 553-<strong>NETS</strong> (6387)<br />
Fax: 408 526-4100<br />
European Headquarters<br />
Cisco Systems Europe<br />
11 Rue Camille Desmoulins<br />
92782 Issy-Les-Moulineaux<br />
Cedex 9<br />
France<br />
www-europe.cisco.com<br />
Tel: 33 1 58 04 60 00<br />
Fax: 33 1 58 04 61 00<br />
Americas Headquarters<br />
Cisco Systems, Inc.<br />
170 West Tasman Drive<br />
San Jose, CA 95134-1706<br />
USA<br />
www.cisco.com<br />
Tel: 408 526-7660<br />
Fax: 408 527-0883<br />
Asia Pacific Headquarters<br />
Cisco Systems Australia, Pty., Ltd<br />
Level 9, 80 Pacific Highway<br />
P.O. Box 469<br />
North Sydney<br />
NSW 2060 Australia<br />
www.cisco.com<br />
Tel: +61 2 8448 7100<br />
Fax: +61 2 9957 4350<br />
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the<br />
Cisco Web site at www.cisco.com/go/offices.<br />
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic Denmark • Dubai, UAE<br />
Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico<br />
The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Singapore • Slovakia • Slovenia<br />
South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe