CCDP ARCH Quick Reference
[3] CCDP ARCH Quick Reference by Kevin Wallace and Michael Watkins
Introduction

The Cisco Designing Cisco Network Service Architecture (ARCH) course helps prepare students for the Cisco Certified Design Professional (CCDP) certification. Objectives for the ARCH course include the following:

- Explain Cisco Service-Oriented Enterprise Network Architecture (SONA).
- Discuss how SONA can be used for enterprise network design.
- Illustrate how to design functionality, performance, scalability, and availability into the various functional areas of the enterprise network.
- Review network management, high availability, security, QoS, and IP multicast design considerations.
- Explain design principles for virtual private networks (VPNs) and wireless networks.
These Quick Reference Sheets summarize the main topics presented in the ARCH course materials. The information presented represents the version of content on which exam number 642-873 bases its questions.
© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.
CCDP ARCH Quick Reference CCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990 Prepared for Minh Dang, Safari ID:
[email protected] Publisher: Cisco Press Licensed by Minh Dang Print Publication Date: 2007/10/26 User number: 927500 Copyright 2007, Safari Books Online, LLC. This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use privilege under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.
Chapter 1: Cisco Design Models

This section introduces you to Cisco's Service-Oriented Network Architecture (SONA) framework for network design. In addition, you learn how to use the PPDIOO approach to network design.
Service-Oriented Network Architecture

Cisco recently updated their Architecture for Voice Video and Integrated Data (AVVID) design approach to the Intelligent Information Network (IIN). IIN is a complete architecture that is more all-encompassing than AVVID. The three phases of constructing an IIN are as follows:

- Integrated transport: Voice, data, and video are all converged onto a single transport.
- Integrated services: Services, such as Voice over IP (VoIP) or storage networking, rely on the underlying network transport mechanisms.
- Integrated applications: Applications (for example, Cisco IP Communicator) leverage services (for example, VoIP), which rely on the network transport.

Cisco's architectural approach to designing an IIN is their SONA framework. Figure 1-1 shows individual IIN components and how those components are categorized by SONA's three layers: (1) Networked Infrastructure Layer, (2) Infrastructure Services Layer, and (3) Application Layer.
FIGURE 1-1 SONA Layers (Application Layer: Business Applications, Collaboration Applications; Interactive Services Layer: Application Networking Services, Infrastructure Services, Adaptive Management Services; Networked Infrastructure Layer: Campus, Branch, Data Center, WAN/MAN, Teleworker, with Server, Storage, and Client resources)
SONA offers the following benefits to a network design:

- Functionality: Functions in a way that the design supports organizational requirements
- Scalability: Meets organizational growth demands
- Availability: Makes network services available consistently and reliably
- Performance: Offers acceptable responsiveness, bandwidth utilization, and throughput for applications
- Manageability: Offers administrators control over the network, monitoring of the network, and fault detection within the network
- Efficiency: Meets design objectives within stated financial constraints
PPDIOO

Cisco categorizes a network's life cycle into six phases identified with the acronym PPDIOO, as follows:

- Prepare: This phase involves determining the network's requirements, formulating a network strategy, and suggesting a conceptual architecture of the network.
- Plan: This phase compares the existing network with the proposed network to help identify tasks, responsibilities, milestones, and resources required to implement the design.
- Design: This phase clearly articulates the detailed design requirements.
- Implement: This phase integrates equipment into the existing network (without disrupting the existing network) to meet design requirements.
- Operate: This phase entails the day-to-day network operation, while responding to any issues that arise.
- Optimize: This phase gathers feedback from the Operate phase to potentially make adjustments in the existing network. Changes might be implemented to address ongoing network support issues.

PPDIOO's life-cycle approach offers the following benefits:

- PPDIOO reduces total cost of ownership (TCO).
- PPDIOO improves network availability.
- PPDIOO allows business networks to quickly respond to changing needs.
- PPDIOO accelerates access to network applications and services.
Designing a network in conjunction with the PPDIOO approach involves three steps:

1. Identify customer requirements.

To identify customer requirements, obtain the following pieces of information:

- Network applications
- Network services
- Business goals
- Constraints imposed by the customer
- Technical goals
- Constraints imposed by technical limitations

2. Identify characteristics of the current network.

To identify characteristics of the current network, perform the following tasks:

- Collect existing network documentation (with the understanding that the documentation might be somewhat dated and unreliable), and interview organizational representatives to uncover information not available in the documentation.
- Conduct a network audit to identify such information as network traffic types, congestion points, and suboptimal routes.
- Supplement the information collected in the two previous tasks by performing a network traffic analysis with tools such as Cisco Discovery Protocol (CDP), Network Based Application Recognition (NBAR), NetFlow, Cisco Networking Services (CNS) NetFlow Collection Engine, Open Source Cacti, Network General Sniffer, WildPackets EtherPeek and AiroPeek, SolarWinds Orion, Wireshark, and remote-monitoring (RMON) probes.
3. Design the network topology.

Using information collected in Steps 1 and 2, you are ready to begin your network design. Although designing a network can be a daunting task, Cisco recommends a top-down design approach that assists the designer by breaking the design process into smaller and more manageable steps. The term top-down refers to beginning at the top of the OSI reference model (that is, the application layer) and working your way down through the underlying layers, as shown in Figure 1-2.

FIGURE 1-2 Top-Down Design Strategy (OSI model: design begins at the Application layer, then Presentation and Session; remaining design considerations sequentially address the lower layers: Transport, Network, Data Link, Physical)

Using a top-down design strategy, as opposed to a bottom-up design strategy (that is, where the design begins at the physical layer of the OSI model and works its way up), provides the following benefits:

- Does a better job of including specific customer requirements
- Offers a more clearly articulated "big picture" of the desired network for both the customer and the designer
- Lays the foundation for a network that not only meets existing design requirements, but also provides scalability to meet future network enhancements
Chapter 2: Network Design Considerations for the Enterprise Campus

This section discusses Cisco design recommendations for an enterprise campus network. These networks need to support evolving technologies such as IP telephony, storage-area networks, content networking, and application networking.
High-Availability Design

Constructing an enterprise campus network using modular building blocks can add to a network's availability, in addition to its scalability. Traditionally, Cisco prescribed a three-layer model for network designers. Those three layers, as shown in Figure 2-1, are as follows:

- Access layer: Typically, wiring closet switches connecting to end-user stations
- Distribution layer: An aggregation point for wiring closet switches, where routing and packet manipulation occur, and also where the campus network interconnects to remote networks
- Core layer: The network backbone where high-speed traffic transport is the main priority
FIGURE 2-1 Three-Layer Hierarchical Model (Core Layer above Distribution Layer above Access Layer)
The goals of high availability are to minimize component failures (for example, network links or network endpoints) and to minimize the time required to recover from a component failure. A common design approach for high-availability networks is to fully mesh redundant switches located in the distribution and core layers. Recommended design strategies for maximizing redundancy include the following:

- Alternate pathing: A single path between network devices represents a single point of failure.
- Redundant components: Convergence time for redundant access layer switches can be reduced by using the following:
  - Stateful switchover (SSO): Useful for both Layer 2 and Layer 3 access switches, SSO permits a backup route processor to immediately take over control from a failed primary route processor.
  - Nonstop forwarding (NSF): Useful for Layer 3 access switches, NSF continues to forward packets after a route processor switchover, until routing convergence completes.
  - Software Modularity Architecture of Cisco IOS Software: Using Cisco IOS Software Modularity Architecture, software patching can be performed without reloading the supervisor engine of a Catalyst 6500 series switch.
Layer 2 Design

Most commonly found at the access layer, Layer 2 components in an enterprise campus network need to be configured for optimal convergence times. Layer 2 devices use the Spanning Tree Protocol (STP) for convergence, but Cisco recommends that the use of STP be avoided because routing protocols (used by Layer 3 devices) can converge faster than STP. However, some situations require the use of STP, for example:

- To support a VLAN that exists on multiple access layer switches
- To protect from loops being created between access layer ports
- To support certain server farm applications

Cisco offers a variety of enhancements to STP:

- PortFast: Allows an access port to bypass STP's listening and learning phases
- UplinkFast: Reduces STP convergence from 50 seconds to approximately 3 to 5 seconds
- BackboneFast: Reduces STP convergence time for an indirect link failure
- LoopGuard: Helps prevent loops that could occur because of a unidirectional link failure, a software failure, or a bridge protocol data unit (BPDU) loss due to congestion
- RootGuard: Prevents an inappropriate switch from being elected as a root bridge
- BPDUGuard: Causes a port configured for PortFast to go into the errordisable state if a BPDU is received on the port
In addition, a variety of STP implementations are supported on many Cisco Catalyst switches:

- 802.1D: The original version of STP
- Common Spanning Tree (CST): Shares a common spanning-tree topology for multiple VLANs
- Per VLAN Spanning Tree Plus (PVST+): Cisco's proprietary approach to providing a separate spanning-tree topology for each VLAN
- 802.1w: Rapid STP (RSTP), which reduces spanning-tree convergence times
- 802.1s: Multiple Spanning Tree (MST), which allows different VLANs to be mapped to one of multiple STP instances, thus providing optimal pathing for each VLAN without necessitating an STP instance for each VLAN

If STP is used, Cisco recommends the following:

- Use LoopGuard on Layer 2 ports between distribution layer switches.
- Configure RootGuard on distribution layer switch ports that connect to access layer switches.
- Implement UplinkFast on access layer switch ports that connect to distribution layer switches.
- Use BPDUGuard, RootGuard, and PortFast on access layer switch ports that connect to end-user devices.
- Configure UniDirectional Link Detection (UDLD) to detect links that have failed in one direction.
- Implement port security, as needed, to limit the number of MAC addresses that can pass traffic through an access layer switch port.

Layer 2 Catalyst switches also use trunks to carry traffic for multiple VLANs across a single physical connection. Cisco recommends the following best practices for trunks:

- Configure IEEE 802.1Q trunks, as opposed to Inter-Switch Link (ISL) trunks.
- Do not pass traffic over the VLAN configured as the native VLAN.
- Use the transparent VLAN Trunk Protocol (VTP) mode, to prevent corruption of the VLAN database.
- Set the Dynamic Trunk Protocol (DTP) mode to desirable, to dynamically form a trunk between two switches.
- Prune unneeded VLANs from trunks.
- Disable trunking on ports that connect to hosts.
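The STP and trunk recommendations above, applied to one access switch and one distribution switch as an added Cisco IOS configuration example (not from the Quick Reference). Interface names, VLAN numbers and the Catalyst syntax are assumptions; global PVST+ mode is chosen because UplinkFast and BackboneFast are 802.1D PVST+ features.

```cisco
! ===== Access layer switch (constructed example) =====
spanning-tree mode pvst
spanning-tree uplinkfast                   ! fast failover to the alternate uplink
spanning-tree backbonefast                 ! faster recovery from an indirect link failure
spanning-tree portfast bpduguard default   ! BPDUGuard on every PortFast port
spanning-tree loopguard default            ! LoopGuard on all ports by default
udld aggressive                            ! UDLD aggressive mode on fiber uplinks
errdisable recovery cause bpduguard        ! auto-recover err-disabled ports
errdisable recovery cause udld
errdisable recovery interval 300
vtp mode transparent                       ! no VTP database propagation
!
interface GigabitEthernet1/0/1
 description end-user device
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate                    ! no DTP toward hosts: trunking disabled
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 switchport port-security
 switchport port-security maximum 2        ! limit MAC addresses on the port
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/49
 description uplink to distribution switch
 switchport trunk encapsulation dot1q      ! 802.1Q rather than ISL
 switchport trunk native vlan 999          ! unused VLAN; no user traffic is untagged
 switchport trunk allowed vlan 10,20,110   ! prune every other VLAN
 switchport mode dynamic desirable         ! DTP desirable forms the trunk
 udld port aggressive
!
! ===== Distribution layer switch (constructed example) =====
spanning-tree mode pvst
spanning-tree vlan 10,20,110 root primary  ! distribution, never access, is root
spanning-tree loopguard default
!
interface GigabitEthernet1/1
 description down to access switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport mode dynamic desirable
 spanning-tree guard root                  ! access switch BPDUs cannot claim root
!
interface GigabitEthernet1/2
 description Layer 2 link to peer distribution switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode dynamic desirable
 spanning-tree guard loop                  ! LoopGuard between distribution switches
```

Confirm the result with `show spanning-tree summary` (PortFast, BPDUGuard, LoopGuard, UplinkFast and BackboneFast status) and `show interfaces trunk` (encapsulation, native VLAN and the pruned allowed list).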
When higher bandwidth is needed between two Catalyst switches, you can aggregate multiple links between those switches. This collection of aggregated ports is known as an EtherChannel. An EtherChannel can be dynamically formed using either the Port Aggregation Protocol (PAgP) or the Link Aggregation Control Protocol (LACP).
Layer 3 Design

Layer 3 designs should address the availability and convergence times of Layer 3 networks. Interestingly, campus networks are commonly designed for oversubscription, where the aggregation of downstream links could theoretically send more traffic coming into the Layer 3 device than the device could transmit out over its upstream link(s). Specifically, links between access layer ports and distribution layer ports typically have a 20:1 oversubscription ratio, whereas links between distribution layer ports and core layer ports typically have a 4:1 oversubscription ratio, as illustrated in Figure 2-2.
FIGURE 2-2 Uplink Oversubscription (Core Layer; 4:1 oversubscription ratio on distribution-to-core uplinks; Distribution Layer; 20:1 oversubscription ratio on access-to-distribution uplinks; Access Layer)
When a network experiences only periodic congestion, quality of service (QoS) mechanisms can be used to mitigate occasional quality issues. However, if the network experiences sustained congestion, the network needs increased bandwidth on its uplinks. You have two options for increasing uplink capacity:

- Bundling multiple links into a logical EtherChannel.
- Using higher-speed uplink interfaces (for example, 10-Gbps interfaces).

When Cisco Express Forwarding (CEF) is in use, multilayer switches might not automatically load balance across equal-cost paths. Cisco recommends that CEF be tuned to make forwarding decisions based on Layer 4 information (for example, port numbers of flows), in addition to Layer 3 information (for example, source and destination IP addresses). Similar tuning can be performed on an EtherChannel to more efficiently load balance across the individual physical links that make up an EtherChannel bundle.
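The EtherChannel uplink and the CEF and EtherChannel load-balancing tuning just described, as an added Cisco IOS configuration example (not from the Quick Reference). Interface names and VLAN numbers are assumptions; the access-switch commands assume Catalyst 3750-style syntax and the distribution-switch commands assume a Catalyst 6500.

```cisco
! ===== Access switch: two uplinks bundled into one EtherChannel =====
interface range GigabitEthernet1/0/49 - 50
 description uplinks to distribution switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport mode dynamic desirable
 channel-group 1 mode active              ! LACP; "mode desirable" selects PAgP instead
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport mode dynamic desirable
!
! Hash on source and destination IP so different flows spread across members
! (the default on many platforms hashes on source MAC only, which sends
! everything from one host down the same member link)
port-channel load-balance src-dst-ip
!
! ===== Distribution switch (Catalyst 6500) =====
! Include Layer 4 port numbers in the CEF hash so equal-cost paths toward the
! core are balanced per flow, not only per source/destination IP pair
mls ip cef load-sharing full
! Layer 4 information in the EtherChannel hash on this platform as well
port-channel load-balance src-dst-port
```

`show etherchannel summary` shows whether the bundle formed and with which protocol, and `show etherchannel load-balance` shows the hash that is in effect.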
When designing Layer 3 networks, routing protocols with fast convergence (for example, Enhanced Interior Gateway Routing Protocol [EIGRP] or Open Shortest Path First [OSPF] Protocol) should be used to quickly route around a failure in the network. Cisco routing protocol design recommendations include the following:

- Interconnect Layer 3 devices using a triangle topology, as opposed to a square topology.
- Form peering relationships only on transit links, as opposed to through the access layer.
- Summarize routes on links connecting distribution layer switch ports to core layer switch ports.

Another Layer 3 network design consideration involves providing redundancy for a next-hop device. This default gateway redundancy can be accomplished by using one of the following technologies:

- Hot Standby Router Protocol (HSRP): Cisco proprietary default gateway redundancy method
- Virtual Router Redundancy Protocol (VRRP): A standards-based default gateway redundancy method
- Gateway Load Balancing Protocol (GLBP): Allows multiple routers to act as a single router by sharing a single virtual IP address across multiple MAC addresses

Layer 2 to Layer 3 Boundary Design

Enterprise campus networks can often contain both Layer 2 and Layer 3 components. Care must be taken when designing the boundary that interconnects these Layer 2 and Layer 3 components. Consider the following Layer 2 to Layer 3 boundary design models:

- Layer 2 Distribution Switch Interconnection: Supports VLANs spanning more than one access layer switch
- Layer 3 Distribution Switch Interconnection: Uses a Layer 3 connection between two distribution layer switches and Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and GLBP as a default gateway redundancy protocol
- Layer 3 Access-to-Distribution Interconnection: Extends Layer 3 routing from the distribution layer to the access layer using routing protocols such as EIGRP or OSPF
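The Layer 3 Distribution Switch Interconnection model with the routing recommendations above (transit-only peering, summarization toward the core, HSRP for gateway redundancy), as an added Cisco IOS configuration example that is not from the Quick Reference. Addresses, VLAN and EIGRP numbers, interface names and the key string are constructed assumptions.

```cisco
! ===== Distribution switch A =====
! Triangle topology: A-B link plus a link from each switch to the core
interface GigabitEthernet1/2
 description Layer 3 link to distribution switch B
 no switchport
 ip address 10.1.255.1 255.255.255.252
!
interface GigabitEthernet1/3
 description uplink to core; one summary covers the whole building
 no switchport
 ip address 10.1.254.1 255.255.255.252
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
interface Vlan10
 description user VLAN 10; A is the preferred HSRP active gateway
 ip address 10.1.10.2 255.255.255.0
 standby 10 ip 10.1.10.1                   ! virtual gateway address used by hosts
 standby 10 priority 110
 standby 10 preempt delay minimum 60       ! wait for routing to converge before taking over
 standby 10 timers msec 250 msec 750       ! sub-second failover detection
 standby 10 authentication md5 key-string ExampleKey1   ! constructed key; rejects unauthenticated HSRP peers
!
router eigrp 100
 network 10.0.0.0
 passive-interface default                 ! no peering through access VLANs
 no passive-interface GigabitEthernet1/2   ! peer only on transit links
 no passive-interface GigabitEthernet1/3
!
! ===== Distribution switch B (mirror of A, lower HSRP priority) =====
interface GigabitEthernet1/2
 description Layer 3 link to distribution switch A
 no switchport
 ip address 10.1.255.2 255.255.255.252
!
interface GigabitEthernet1/3
 description uplink to core
 no switchport
 ip address 10.1.254.5 255.255.255.252
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
interface Vlan10
 ip address 10.1.10.3 255.255.255.0
 standby 10 ip 10.1.10.1
 standby 10 priority 90
 standby 10 preempt
 standby 10 timers msec 250 msec 750
 standby 10 authentication md5 key-string ExampleKey1
!
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet1/2
 no passive-interface GigabitEthernet1/3
```

For GLBP, the `standby` lines become `glbp 10 ip 10.1.10.1`, `glbp 10 priority 110` and `glbp 10 preempt`, with both switches forwarding for the same virtual address; `show standby brief` and `show ip eigrp neighbors` confirm the active gateway and that neighbors exist only on the transit links.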
When best practices are not adhered to during the design of the Layer 2 to Layer 3 boundary in an enterprise campus network, the following issues can result:

- Daisy chaining of access layer switches. The daisy chaining of access layer switches can cause black holes if a loopback cable isn't used. By using StackWise technology, which is supported on some Cisco Catalyst platforms, the need for a loopback cable can be eliminated.
- Too much redundancy. Having too many links results in an inefficient use of links (many of which are blocked because of STP at any given time). An excessive number of links can prove problematic for troubleshooting.
- Lack of enough redundancy.
- Asymmetric routing (for example, one upstream path and two downstream paths).
Infrastructure Design Considerations

Today's enterprise campus networks support not only data applications but also mission-critical and latency-sensitive applications, such as IP telephony. Therefore, telephony, QoS, and Catalyst switch-based security features should be considered when performing a design. Traditional telephony systems boast an availability of 99.999 percent, which equates to only five minutes of downtime per year. Therefore, IP telephony requires high availability for the network. In addition, to maintain acceptable voice quality, QoS mechanisms are required to treat voice packets with priority over data packets.

The access layer directly impacts IP telephony applications because IP phones connect to the network via the access layer. Some access layer switches can provide power to IP phones. Cisco developed its own method of providing Power over Ethernet (PoE), before an industry standard. Later, the IEEE introduced the 802.3af standard. Depending on the platform, a Cisco Catalyst switch might support the proprietary prestandard or the 802.3af standard. For a modular Cisco Catalyst chassis, a designer should calculate a power budget to ensure the chassis' power supply is sufficient to support the PoE demands. Cisco provides a web-based calculator for calculating a power budget. The calculator is available at: http://tools.cisco.com/cpc/launch.jsp. Appropriate username and password credentials are required to access the Cisco Power Calculator.

Many Cisco IP Phones have an additional Ethernet port that supports the connection of a PC, allowing the PC to connect to the IP Phone, which then connects to the access layer switch. Even though the voice packets from the IP Phone and the data packets from the attached PC are transmitted in separate VLANs, the Catalyst switch port does not need to be in trunk mode. Rather, the port can be a multi-VLAN access port. The voice VLAN is called the auxiliary VLAN, and the native VLAN is used to transmit data from the attached PC.

IP telephony can also benefit from QoS mechanisms. QoS can classify traffic into various classes. These classes of traffic can be placed in separate queues. Therefore, the queue containing FTP traffic, for example, might be overflowing while the queue containing voice traffic is not overflowing. QoS not only provides priority treatment to selected applications; network attacks (for example, distributed denial-of-service [DDoS] attacks) can sometimes be mitigated by QoS mechanisms.
However, numerous other security features are offered by Cisco Catalyst Integrated Security, including the following: n Port security: Can be used to mitigate MAC flooding attacks n DHCP snooping: Provides protection from a client attacking the DHCP server or switch n Dynamic ARP inspection: Uses a DHCP snooping table to add security to Address Resolution Protocol (ARP) n IP Source Guard: Uses a DHCP snooping table and tracks IP address to port associations to prevent IP spoofing
Chapter 3: Addressing and Routing Design Considerations
Summarizable IP addressing is critical when constructing scalable routed networks. This includes creating specific strategies for designing scalable solutions using Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF) Protocol, and Border Gateway Protocol (BGP).
Designing IP Addressing
Good IP addressing design uses summarizable blocks of addresses that enable route summarization and provide a number of benefits:
• Reduced router workload and routing traffic
• Increased network stability
• Faster convergence
• Significantly simplified troubleshooting
Creating and using summary routes depends on the use of summarizable blocks of addresses. Sequential numbers in an octet may denote a block of IP addresses as summarizable. For sequential numbers to be summarizable, the block must be N numbers in a row, where N is a power of 2, and the first number in the sequence must be a multiple of N. The sequence will then end one before the next multiple of N in all cases.
Let’s take a look at an example.
Is the range 172.19.128.0 to 172.19.159.0 summarizable?
• 128 to 159 represents a range of 32 consecutive numbers.
• 32 is 2 to the 5th power.
• 128 is a multiple of 32.
• So in this case, 172.19.128.0 to 172.19.159.0 is summarizable.
To create the relevant mask octet for this, we calculate 256 – N.
• 256 – 32 = 224
• 172.19.128.0 mask 255.255.224.0 is the summary prefix.
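The summarizability rule and the 256 – N mask derivation above, carried out in code. This is an added Python example, not part of the quick reference; the function names, the sample ranges, and the cross-check against the standard library's ipaddress module are constructed here.

```python
"""Summarizable-block check and summary-mask derivation, following the rule
above: N consecutive octet values are summarizable when N is a power of 2
and the first value is a multiple of N; the mask octet is then 256 - N.
Added example; helper names and sample ranges are constructed here."""
import ipaddress
from typing import Optional


def is_summarizable_block(first: int, last: int) -> bool:
    """True when octet values first..last (inclusive) form a summarizable block."""
    if not (0 <= first <= last <= 255):
        return False
    n = last - first + 1
    power_of_two = (n & (n - 1)) == 0        # 32 -> 0b100000, so 32 & 31 == 0
    aligned = first % n == 0                 # first value is a multiple of N
    return power_of_two and aligned


def mask_octet(first: int, last: int) -> Optional[int]:
    """Mask octet covering the block, computed as 256 - N; None if not summarizable."""
    if not is_summarizable_block(first, last):
        return None
    return 256 - (last - first + 1)


def summary_prefix(start: str, end: str) -> Optional[str]:
    """Summary prefix for two network addresses that differ in exactly one octet
    (the octets below it must be zero), e.g. 172.19.128.0 and 172.19.159.0
    -> '172.19.128.0/19'. Returns None when the page's rule is not met."""
    s = [int(x) for x in start.split(".")]
    e = [int(x) for x in end.split(".")]
    varying = [i for i in range(4) if s[i] != e[i]]
    if len(varying) != 1:
        return None                          # zero or several octets change
    i = varying[0]
    if any(s[j] or e[j] for j in range(i + 1, 4)):
        return None                          # octets below the varying one must be zero
    m = mask_octet(s[i], e[i])
    if m is None:
        return None
    mask = ".".join(str(v) for v in [255] * i + [m] + [0] * (3 - i))
    # strict=True would raise if start were not on the boundary the mask
    # implies; the multiple-of-N check above guarantees that it is.
    return str(ipaddress.IPv4Network((start, mask), strict=True))


def cross_check(start: str, end: str, block_prefixlen: int = 24) -> bool:
    """Independent verification with the standard library: every address from
    start through the last address of end's block (a /24 by default) must
    collapse to exactly the single prefix that summary_prefix() computed."""
    summary = summary_prefix(start, end)
    if summary is None:
        return False
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Network(f"{end}/{block_prefixlen}").broadcast_address
    collapsed = list(ipaddress.summarize_address_range(first, last))
    return collapsed == [ipaddress.IPv4Network(summary)]


if __name__ == "__main__":
    # The page's example: 32 networks starting at a multiple of 32.
    print(summary_prefix("172.19.128.0", "172.19.159.0"))   # 172.19.128.0/19
    # 33 networks: not a power of two, so no single summary.
    print(summary_prefix("172.19.128.0", "172.19.160.0"))   # None
    # 64 networks starting at 32: right count, wrong alignment.
    print(is_summarizable_block(32, 95))                    # False
```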
Traditionally, IP subnets have been assigned sequentially; however, recent needs have evolved:
• IP phones on auxiliary VLANs.
• More subnets used for Layer 3 to the access layer.
• Wireless LAN addressing.
• Network access control (NAC) assigns one subnet per user role.
• Need for isolation of servers into separate subnets.
Summarizable addressing can support multiple network needs:
• Network Address Translation (NAT) applications
• Virtual private network (VPN) client addressing
• Segregated VLANs for data and voice traffic
• Route summarization via bit splitting
Role-Based Addressing
One approach uses network 10. By using a pattern with Layer 3 closets, such as 10.number_of_closet.VLAN.x/16, a simple scheme can be constructed. The second octet is used to represent the closets of Layer 3 switches, the third octet represents VLANs, and the fourth octet is for hosts. Alternatively, some or all of the Class B private addressing blocks could be used.
VPN Client Addressing Considerations
Separate VPN groups should represent each VPN client pool corresponding to user roles. Each VPN group should use a different IP address pool for the logical remote VPN client address.
NAT
Allows private internal addressing to map to publicly assigned addresses where the internal network connects to the Internet.
Recommended Best Practices
• Servers reached via content devices doing Static Network Address Translation (SNAT) or Dynamic Address Translation (DNAT) should be isolated.
• Support out-of-band (OOB) management VLANs in the data center with NAT.
• Where possible, avoid the use of internal NAT or Port Address Translation (PAT).
Designing Advanced Routing Solutions
• Use of route summarization supports manageable and fast-converging routing.
• Design recommendations:
  - To scale routing designs, use summarization.
  - Use summarizable blocks for addressing.
Advertise the default route (0.0.0.0/0) dynamically into the rest of the network from the router or routers connected to the Internet service provider. OSPF stub area variants represent another form of summarization.
• For stubs to reach out-of-area destinations, use 0.0.0.0/0.
• With OSPF to IPsec VPN sites, stubs cannot be used.
Route Filtering
Filtering prefixes ensures that a remote site will not become a transit network.
Principles of Defensive Filtering
• If learning a route from another entity, only accept routes they should be advertising.
• Filter what you advertise when advertising routes to another entity.
Designing Redistribution
In bidirectional redistribution, filters should be applied to prevent re-advertising information back into the routing protocol region or autonomous system from which it originated.
Migration Between Protocols
• Use the administrative distance (AD) to migrate the routing protocols.
• Use redistribution along with a moving boundary.
Scalable EIGRP
There are a number of considerations when using EIGRP:
• EIGRP can be used to achieve subsecond convergence.
• Multiple EIGRP autonomous systems may be implemented to achieve scalability.
• With external route redistribution, the route that is installed first is preferred.
• Both inbound and outbound route tags can be used to filter redistribution and support scaling.
FIGURE 3-1 Scaling EIGRP with Multiple Autonomous Systems
(Diagram: routers A, B, and C; a RIP domain; EIGRP AS 200 and EIGRP AS 100. The flow is described by the bullets below.)
• A route is distributed from RIP into AS 200.
• Router A distributes routes into AS 100.
• Router B receives this route from both AS 100 and AS 200.
• Since this same route is learned through separate routing processes, the first installed route is preferred.
Reasons to consider the use of multiple EIGRP autonomous systems include the following:
• As a migration strategy post merger/acquisition
• Need to support different domains of trust or administrative control
• Provides support for dividing very large networks
Scalable OSPF Design
A number of factors influence the scalability of OSPF:
• Selection of the designated router.
  - Select routers not heavily loaded with CPU-intensive activities.
• Routing information in area and domain.
  - The larger and more unstable an area is, the more likely performance problems associated with routing protocol recalculation are to occur.
• Areas supported by any one router.
  - The link-state algorithm must be run for each link-state change for every area in which the router resides.
• Number of adjacent neighbors for a given router.
  - Link-state changes are flooded to all routers in an area.
Area Design
• Consider geographic or functional boundaries, and match up address summarization and areas where possible.
• Use as much summarization as possible, and use stub areas.
• Connected routes should also be advertised via a network statement.
OSPF Hierarchy
• Separate complexity from complexity with an Area Border Router (ABR).
• Place area borders to reduce suboptimal routing and to increase summarization.
To provide route summarization and reduce the link-state advertisement (LSA) database size and flooding in OSPF, consider the following:
• Area filtering.
• Use area ranges per the OSPF RFCs.
• Use summary address filtering.
• Filtering for not-so-stubby-area (NSSA) routes.
• Originating default.
Hub-and-Spoke OSPF Design
Allows every router in an area to receive the same information, but requires additional tuning.
Spoke Areas
These should be as stubby as possible; the fewer spokes in each area, the less the flooding redundancy.
Hub
Should be an ABR so that each area may be summarized into the other areas.
Best Approach
Use a small, yet highly stable, area 0 because of the extremely important nature of the backbone area in OSPF.
OSPF Area Border Connection
Dual-homed connections in a hub-and-spoke OSPF network create connections parallel to an area border. There are two possible solutions when connecting the ABRs within each area:
• Add a real link between the ABRs inside the area.
• Add a virtual link between the ABRs inside area 0.
OSPF Area Filtering
Border area filtering and interarea filtering are supported. Border area filtering (RFC 2328) is done using the OSPF area range command. Interarea filtering uses a prefix list to filter the prefixes that are advertised either from or to a given area. Use RFC-standard border area filtering.
To reduce the need for OSPF flooding-reduction techniques:
• Reduce adjacencies for stressed routers.
• Decrease the volatility of the network.
• Use more hierarchy rather than large-scale full-mesh topologies.
• Increase the number of routers to handle the adjacency workload.
• Decrease the number of routers in an area.
OSPF Convergence
You may use several techniques to increase the speed of convergence in OSPF, including the following:
• Fast hellos: Tuned timers converge much faster than default OSPF operations. Use fast hellos only if the number of neighbors is reasonably small. Test and observe their impact on the router’s CPU.
• Incremental SPF (iSPF): Uses a modified Dijkstra algorithm, provides faster OSPF convergence, and saves CPU resources.
• Bidirectional Forwarding Detection (BFD): Provides fast, reliable detection of link failure using frequent link hellos.
Design Scalable BGP Solutions
Scaling internal BGP (iBGP) requires a full mesh of peers, and this results in scalability issues. There are two alternatives to address this, route reflectors and confederations:
• Route reflectors: A route reflector is an iBGP speaker that reflects routes learned from iBGP peers to other iBGP peers. Use multiple route reflectors to avoid a single point of failure.
  - Route reflector client: An iBGP router that receives and sends routes of most other iBGP speakers using the route reflector.
  - Route reflector cluster: A configuration of the route reflector, along with its clients.
When a route reflector receives a route from a route reflector client, it reflects the route to the other clients within the cluster, to nonclients, and to external BGP (eBGP) peers. If a route is received from a nonclient, it reflects it to route reflector clients, but not to other nonclients.
FIGURE 3-2 Scaling BGP Designs
(Diagram: a router learns 10.2.2.0/24 from an EBGP peer and advertises it over IBGP; the router that learns 10.2.2.0/24 over IBGP does not advertise it to its other IBGP peer.)
If a router learns a route from an IBGP peer, it will not advertise that route to another IBGP peer.
• Confederations: These use the autonomous system path to insert information into BGP routes to prevent loops within an autonomous system. Route advertisement with confederations works in a similar fashion to route reflectors.
  - Routes learned via an eBGP peer are advertised to all confederation peers, both internal and external.
  - Routes learned from a confederation external peer are advertised to all confederation internal peers, as well as to eBGP peers.
  - Routes learned from confederation internal peers are advertised to all confederation external peers and to eBGP peers.
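The iBGP re-advertisement rule of Figure 3-2 and the route reflector rules above, as a small propagation model. This is an added Python example, not from the quick reference; the Router class, the router names R1 to R4, and the external ISP peer are constructed here, and the assumption that any learned route is also passed to eBGP peers is standard BGP behaviour that the page does not spell out.

```python
"""Which peers receive a BGP route, under the rules on this page: an ordinary
iBGP speaker never passes an iBGP-learned route to another iBGP peer
(Figure 3-2); a route reflector reflects client-learned routes to other
clients, nonclients and eBGP peers, and nonclient-learned routes to clients
only. Added example; router names and the Router class are constructed."""
from collections import deque
from dataclasses import dataclass, field

# Peer kinds, as seen by the router that owns the peering:
#   "ebgp"       neighbour in another autonomous system
#   "ibgp"       ordinary iBGP neighbour (a client also labels its reflector this way)
#   "client"     iBGP neighbour that this route reflector serves
#   "nonclient"  iBGP neighbour of a route reflector that is not its client


@dataclass
class Router:
    name: str
    peers: dict = field(default_factory=dict)   # neighbour name -> peer kind
    route_reflector: bool = False


def advertise_targets(router: Router, learned_from: str) -> list:
    """Peers to which `router` advertises a route it learned from `learned_from`."""
    kind_in = router.peers[learned_from]
    targets = []
    for peer, kind in router.peers.items():
        if peer == learned_from:
            continue                    # never back to the sender
        if kind == "ebgp" or kind_in == "ebgp":
            # eBGP-learned routes go to every peer; any route goes to eBGP
            # peers (standard BGP behaviour, assumed here, not on the page)
            targets.append(peer)
        elif not router.route_reflector:
            continue                    # plain iBGP: no iBGP-to-iBGP re-advertisement
        elif kind_in == "client":
            targets.append(peer)        # reflect to other clients and to nonclients
        elif kind_in == "nonclient" and kind == "client":
            targets.append(peer)        # nonclient-learned routes reach clients only
    return sorted(targets)


def propagate(routers: dict, origin: str, first_hop: str) -> set:
    """Flood one route from `origin` (outside `routers`) into `first_hop` and
    return the names of the routers that end up holding it. A router that
    already has the route ignores later copies (first installed route wins)."""
    holders = {first_hop}
    queue = deque([(first_hop, origin)])
    while queue:
        router, came_from = queue.popleft()
        for nxt in advertise_targets(routers[router], came_from):
            if nxt in routers and nxt not in holders:
                holders.add(nxt)
                queue.append((nxt, router))
    return holders


def figure_3_2(reflector: bool) -> set:
    """Constructed topology in the spirit of Figure 3-2: ISP advertises a prefix
    over eBGP to R1; R1 peers iBGP with R2; R2 peers iBGP with R3 and R4.
    With reflector=True, R2 is a route reflector, R3 its client, R1 and R4
    nonclients. Returns the routers that learn the prefix."""
    r1 = Router("R1", {"ISP": "ebgp", "R2": "ibgp"})
    r2 = Router("R2", {"R1": "nonclient" if reflector else "ibgp",
                       "R3": "client" if reflector else "ibgp",
                       "R4": "nonclient" if reflector else "ibgp"},
                route_reflector=reflector)
    r3 = Router("R3", {"R2": "ibgp"})
    r4 = Router("R4", {"R2": "ibgp"})
    routers = {r.name: r for r in (r1, r2, r3, r4)}
    return propagate(routers, "ISP", "R1")


if __name__ == "__main__":
    print(sorted(figure_3_2(False)))   # ['R1', 'R2']: R2 will not re-advertise over iBGP
    print(sorted(figure_3_2(True)))    # ['R1', 'R2', 'R3']: reflected to the client, not to nonclient R4
```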
Chapter 4: Design Considerations for Advanced WAN Services This chapter discusses how advanced WAN technologies based on Layer 1 optical transport or Layer 2 and Layer 3 services can impact the enterprise design. Metro Ethernet, Virtual Private LAN Service (VPLS), and Multiprotocol Label Switching (MPLS) virtual private network (VPN) technologies are considered. Customer requirements and service level agreements (SLA) as a function of a WAN design are also discussed.
Constructing WANs Using Optical Technologies
FIGURE 4-1 Optical Interconnection Technologies
(Diagram: the Layer 1 technologies are SONET/SDH and DWDM/CWDM; the Layer 2 technology is DPT/RPR.)
A number of common optical interconnection technologies are used to connect enterprise locations:
• SONET/Synchronous Digital Hierarchy (SDH): The North American high-speed baseband digital transport standard that specifies increasing data stream rates for movement across optical links
• Dense wavelength-division multiplexing (DWDM)/coarse wavelength-division multiplexing (CWDM): Technologies that increase the information-carrying capacity of existing fiber-optic infrastructure by transmitting and receiving data on different wavelengths on a single strand of fiber
• Dynamic Packet Transport (DPT)/Resilient Packet Ring (RPR): Designed for service providers (SP) to deliver scalable Internet service, and to deliver reliable IP-aware optical transport and simplified network operations for metropolitan-area network (MAN) applications
Technical Specifications for SONET
SONET uses time-division multiplexing (TDM) for framing voice and data onto a single wavelength of fiber.
• Typically uses fiber rings and can cover a distance of 80 km without the need for repeaters.
• Generally used with SONET access equipment, which may statistically multiplex 10 Mbps Ethernet, Fast Ethernet, or Gigabit Ethernet onto a SONET circuit.
Questions to ask an SP when considering SONET include the following:
• What path is followed by your service?
• Are end-to-end SONET rings used to provide the service?
• How much bandwidth is dedicated for my specific use?
Wavelength-Division Multiplexing (WDM)
Use a multiplexer to place multiple optical signals, each with a different wavelength, on a fiber and then use a demultiplexer at the receiver to split them off. The types of WDM are as follows:
• CWDM: An optical technology that may be used to transmit up to 16 channels over the same fiber strand.
• DWDM: Similar to CWDM, but it spaces the wavelengths more tightly, allowing up to 160 channels.
RPR Technologies
A Layer 2 transport architecture that provides packet-based transmission based on a dual counter-rotating ring topology. Similar to Cisco Spatial Reuse Protocol (SRP), which is implemented in the Cisco Dynamic Packet Transport (DPT) products. For enterprise clients, RPR is seen as a transport ring that supports connections between their locations while overcoming some of the limitations of SONET/SDH.
Metro Ethernet
Metro Ethernet is based on the Ethernet standard but supported across a metropolitan area. Metro Ethernet uses a combination of Ethernet, optical, and IP technologies in the metropolitan area. An SP might use SONET/SDH rings or point-to-point links, WDM, or RPR technologies for its Metro Ethernet architecture. Implementation of Metro Ethernet service may be based on one or more of the following approaches:
• A pure Ethernet MAN uses only Layer 2 switches for all internal structure.
• MPLS-based Metro Ethernet uses Layer 2 MPLS VPNs in the SP network.
• SONET/SDH-based Metro Ethernet networks may be used as an intermediate step in the transition from a traditional, time-division based network to Ethernet.
The Cisco Metro Ethernet solution relies on an existing SONET/SDH network, switched Ethernet network, or IP MPLS network. The Cisco Optical Metro Ethernet solution supports numerous Metro Ethernet Forum (MEF) service types, including the following:
• Ethernet Wire Service (EWS)
• Ethernet Multipoint Service (EMS)
• Ethernet Private Line (EPL)
• Ethernet Relay Service (ERS)
• Ethernet Relay Multipoint Service (ERMS)
End-to-end quality of service (QoS) is possible with Metro Ethernet and is supported by an SP through the use of 802.1Q tunneling. An example of this type of 802.1Q encapsulation is a large SP using Ethernet over MPLS to break up VLAN domains with a routed domain in the middle.
VPLS
VPLS is composed of a Layer 2 VPN that connects two or more customer devices using Ethernet bridging techniques. The VPLS emulates an Ethernet switch, where each Ethernet Multipoint Service (EMS) instance is analogous to a VLAN. Two draft standards exist for this, but they are incompatible:
• RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling
• RFC 4762: Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling
Hierarchical VPLS (H-VPLS) can be used to build a stable, scalable network infrastructure. Scaling with H-VPLS is provided by interconnecting only the core MPLS Network Provider Edge (NPE) routers with a full mesh of pseudowires (PW). An advantage of this approach is that the core of the network is an MPLS network, which may be used for transport of Layer 3 MPLS VPN and other traffic.
FIGURE 4-2 H-VPLS [figure: U-PE switches attached over GE links and a GE ring at the Ethernet/MPLS edge, connected to N-PE routers by point-to-point pseudowires (PW) across the MPLS core]
An SP’s VPLS design should address three major scaling factors:
- Scaling of the full mesh of PWs between Provider Edge (PE) devices
- Replication and forwarding of frames
- Size of the MAC address table
Routing Implications with EMS or VPLS
When using OSPF routing for the design of an EMS or VPLS network, the following issues must be considered:
- A multiaccess network may have inconsistent broadcast or multicast performance.
- Peer adjacencies should be limited.
VPLS Availability
Availability is provided via PWs that automatically route traffic along available backup paths in the event of a failure. When redundant PWs from redundant devices are used, a failure might require aging of MAC addresses followed by unicast flooding, resulting in lost packets and an increase in traffic that would negatively impact customer traffic.
MPLS VPN
MPLS VPNs provide customer VPNs across an MPLS backbone. This represents an alternative to Metro Ethernet services. The make-up of MPLS VPNs varies depending on whether they are implemented at Layer 3 or Layer 2. Design considerations for MPLS VPNs include the following:
- Who does the routing?
- Who manages the Customer Edge (CE) devices?
- How many MPLS VPN providers should be used?
- Will QoS be required?
- Is there support for IP multicast?
Implementing Advanced WAN Services
Factors to be considered when selecting advanced WAN services include the following:
- Existing service characteristics
- Mitigation of risk
- Partnership with the SP via an appropriate SLA
Features and Requirements of the WAN
Advanced WAN designs should support customer requirements and take into account such things as these:
- IP multicast support
- QoS support
- Routing and VLAN impact
- Security services
- Management services and reports
Service Level Agreements
An SLA is a statement of intent from the provider and represents the level of service they are willing and able to provide, along with any conditions surrounding this level of service. The following are common managed service metrics:
- Mean time to repair (MTTR)
- Mean time between failures (MTBF)
Customers should log outage details and use these to provide timely and clear communication with the SP. Technical metrics measured in SLAs include packet loss, latency, jitter, and IP availability. Network status should be monitored by the customer to track how well the SP is doing at meeting the terms agreed upon in the SLA. Take measurements to define a network service baseline and regularly review the SP’s measurements of the SLA performance. Ongoing internal measurements should also be taken to validate the SP data and to provide evidence of network issues should they arise.
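The measurements described above, as an added example that is not part of the Quick Reference: it derives MTTR, MTBF and availability from a constructed outage log, derives packet loss, mean latency and jitter from constructed probe samples, and flags the metrics that fall outside assumed SLA thresholds (the page names the metrics; the threshold values and the simple jitter definition are assumptions for this example).

```python
"""SLA metric worked example (added; not code from the CCDP ARCH Quick Reference).
All outage records, probe samples and threshold values below are constructed."""
from statistics import mean
from dataclasses import dataclass


@dataclass(frozen=True)
class Outage:
    start_hour: float  # hours since the start of the measurement window
    end_hour: float


# Constructed outage log for a 30-day (720-hour) window; not real SP data.
WINDOW_HOURS = 720.0
OUTAGES = [Outage(100.0, 101.5), Outage(300.0, 300.5), Outage(600.0, 604.0)]

# Constructed one-way delay probes in milliseconds, in sequence order;
# None marks a probe that never arrived (counted as packet loss).
PROBES_MS = [20.0, 22.0, None, 21.0, 25.0, 20.0, None, 23.0, 22.0, 24.0]

# Assumed SLA thresholds for this example; a real contract supplies them.
SLA_THRESHOLDS = {
    "packet_loss_pct": ("max", 1.0),
    "latency_ms": ("max", 50.0),
    "jitter_ms": ("max", 5.0),
    "availability_pct": ("min", 99.9),
}


def total_downtime_hours(outages):
    return sum(o.end_hour - o.start_hour for o in outages)


def mttr_hours(outages):
    """Mean time to repair: average duration of a logged outage."""
    return total_downtime_hours(outages) / len(outages)


def mtbf_hours(outages, window_hours):
    """Mean time between failures: uptime in the window divided by failures."""
    return (window_hours - total_downtime_hours(outages)) / len(outages)


def availability_pct(outages, window_hours):
    """Share of the window during which the service was up."""
    return 100.0 * (window_hours - total_downtime_hours(outages)) / window_hours


def packet_loss_pct(probes):
    return 100.0 * sum(1 for p in probes if p is None) / len(probes)


def latency_ms(probes):
    """Mean one-way delay over the probes that arrived."""
    return mean(p for p in probes if p is not None)


def jitter_ms(probes):
    """Mean absolute delay variation between consecutive received probes.
    This simple definition is an assumption of the example; RFC 3550's
    smoothed estimator is another common choice."""
    got = [p for p in probes if p is not None]
    deltas = [abs(b - a) for a, b in zip(got, got[1:])]
    return sum(deltas) / len(deltas) if deltas else 0.0


def measure(outages, window_hours, probes):
    """Collect every metric the page names into one report dictionary."""
    return {
        "mttr_hours": mttr_hours(outages),
        "mtbf_hours": mtbf_hours(outages, window_hours),
        "availability_pct": availability_pct(outages, window_hours),
        "packet_loss_pct": packet_loss_pct(probes),
        "latency_ms": latency_ms(probes),
        "jitter_ms": jitter_ms(probes),
    }


def sla_breaches(metrics, thresholds):
    """Return the names of metrics outside the contracted thresholds."""
    breached = []
    for name, (kind, limit) in thresholds.items():
        value = metrics[name]
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            breached.append(name)
    return breached


if __name__ == "__main__":
    report = measure(OUTAGES, WINDOW_HOURS, PROBES_MS)
    for key, value in report.items():
        print(f"{key:>18}: {value:.3f}")
    print("SLA breaches:", sla_breaches(report, SLA_THRESHOLDS))
```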
Chapter 5: Data Center Design for the Enterprise
Here we consider enterprise data center design and discuss the three layers of the data center architecture. Modular versus one-rack unit access switch designs are compared, as are the options for scaling the data center for high availability.
Core and Aggregation Layer Infrastructure Design
The three-layer data center design is as follows:
- Core layer: Composed of the high-speed packet-switching backplane
- Aggregation layer: Provides service module integration, Layer 2 domain definitions, spanning-tree processing, and default gateway redundancy
- Access layer: Provides the physical connection for servers to the network
Data center core layer design: The core layer allows for high-speed packet switching between multiple aggregation modules. Inclusion of a data center core is based on a number of considerations, such as 10 Gigabit Ethernet (10GE) port density, administrative domains and models used, and plans for future growth. In this design, all links are Layer 3 at the core, with the Layer 2/3 boundary at or below the aggregation layer modules. Open Shortest Path First (OSPF) routing recommendations include the following:
- Use NSSA from the core down.
- Use the auto-cost reference-bandwidth 10000 command to set the reference bandwidth to 10GE and allow OSPF to differentiate the cost on higher speed links such as 10GE trunk links.
- Simplify troubleshooting by using the loopback interfaces for the router ID.
- Use the passive-interface default command.
- Use OSPF authentication.
- Use the timers throttle spf command to tune OSPF timers.
Enhanced Interior Gateway Routing Protocol (EIGRP) routing recommendations include the following:
- Use the ip summary-address eigrp command to advertise a default summary route into the data center and to summarize the data center subnets.
- Apply the passive-interface default command.
Aggregation layer design: A pair of interconnected aggregation switches, referred to as a module, is used to scale the aggregation layer through the following:
- Spanning-tree scaling
- Access layer density scaling
- Hot Standby Router Protocol (HSRP) scaling
- Application services scaling
If Layer 2 is used, special consideration should be given to Spanning Tree Protocol (STP) design because the aggregation modules allow the spanning-tree domain to be distributed. Rapid STP (RSTP) is recommended over Multiple Spanning Tree (MST).
Integrated services module: The aggregation layer may also employ integrated service modules to provide such services as firewall, Secure Sockets Layer (SSL) offload, content switching, intrusion detection, and network analysis.
Service model designs: Redundancy for these integrated services may be deployed as either active/active pairs or active/standby pairs.
Active/Active:
- Increases overall performance
- Allows uplink load balancing while having services applied
Active/Standby:
- Predictable; simplifies troubleshooting
- Underutilizes access layer links, service modules, and switch fabric
VRFs in the data center:
- Allow use of application services with multiple access topologies
- Map to path isolation MAN/WAN designs
- Support security policy by user group
- Enable partitioning of network resources
Design of the Access Layer
A number of models may be used in access layer design, including the Layer 2 looped model, the Layer 2 loop-free model, and the Layer 3 model, in which Layer 2 services from the aggregation layer are not supported.
Layer 2 looped model: There are two primary Layer 2 model topologies, the looped triangle and the looped square.
FIGURE 5-1 Layer 2 Looped Model [figure: an aggregation pair holding the primary STP root, primary HSRP and active services on one switch and the secondary STP root, secondary HSRP and standby services on the other, with Layer 3 above and Layer 2 802.1Q trunks below; access switches ACC 1 to ACC 4 illustrate the looped triangle and looped square topologies]
Benefits of the Layer 2 looped model:
- Offers Layer 2 adjacency
- Extends VLANs between aggregation switches
- Supports sharing of service modules across the access layer
- Provides redundancy using RSTP
Layer 2 loop-free models: Used when Layer 2 support is required but a looped topology is undesirable. Spanning tree stays enabled as a safeguard against loops, and the model provides several benefits, including Layer 2 adjacency, stability, and active uplinks.
Layer 2 loop-free topologies: Loop-free U access and loop-free inverted U access.
Layer 2 FlexLinks: An alternative to the looped access topology. When using this design, STP is disabled on FlexLinks, so accidental loops between switches are possible.
Layer 3 in the access layer: A dedicated subnet is used to permit access switches to connect to the aggregation switches using a Layer 3 uplink.
FIGURE 5-2 Layer 3 Access Model [figure: DC Core, DC Aggregation and DC Access layers, with the L3/L2 boundary in the access layer]
Layer 3 access model benefits:
- Reduces broadcast and fault domains.
- Provides for server stability and application isolation.
- All uplinks are available up to the Equal Cost Multipath (ECMP) maximum.
- Fast uplink convergence in the event of a failover or fallback.
Blade servers: These may be implemented in the data center access layer, often as a replacement for older server farms or where new applications that require clustering are deployed.
Blade server challenges and considerations:
- Administrative domains
- Interoperability
- Spanning-tree scaling
- Pass-through cabling
- Switch trunk topologies
- Environmental issues
Blade server connectivity: Blade servers can support either Layer 2 or Layer 3 topologies depending on the server broadcast domain or specific administrative requirements. One option for connecting blade servers is integrated InfiniBand switches. Another feature of blade servers is Layer 2 trunk failover (link-state tracking), which provides Layer 2 redundancy in the network when used in conjunction with proper server network interface card (NIC) adapter tuning.
Scaling Data Center Architecture
In designing the data center architecture, both density and scalability implications between modular and one-rack unit (1 RU) access layer switching models must be considered, as must the following:
- Cabling
- Cooling
- Power
- Density
- 10 Gigabit Ethernet uplink support
- Resiliency features
- Intended use
Bandwidth and Uplink Density Consideration
The port-channel load-balance command improves load distribution for EtherChannel ports because it presents more unique values to the hashing algorithm. EtherChannel utilization can be further optimized with the Min-Link feature, which allows for the specification of a minimum number of available ports for a PortChannel to be considered a valid path.
Service Layer Switches
Service layer switches provide greater scalability by supporting service modules, but may call for quality of service (QoS) or separate links for fault-tolerant paths. This may also require Layer 3 peering with route health injection (RHI), and only necessary Layer 2 VLANs should be extended to service switches. Cisco Application Control Engine (ACE) modules may also be used to scale uplink port density or aggregation layer switch slots.
Spanning-Tree Design for High Availability
The recommended spanning-tree protocols for use in a data center are 802.1w, implemented by Cisco as Rapid PVST+ (RSTP), and 802.1s, known as Multiple Spanning Tree (MST).
STP logical interfaces: To determine STP logical interfaces on a switch, compute
sum[(each trunk on switch) * (active VLANs on each trunk)] + (number of nontrunking interfaces on the switch).
Virtual ports: A per-line-card value that reflects the total number of spanning-tree processing instances used on a line card. To calculate STP virtual ports, compute
sum[(each trunk port on line card) * (active VLANs per port)].
1 RU designs: With these, the chances of a larger spanning-tree diameter, and possibly more STP issues, increase. It is best to use aggregation modules to scale STP and 10GE density.
Guidelines for scaling STP designs:
- Manually prune trunks.
- Use MST if Rapid Spanning Tree Protocol (RSTP) cannot scale sufficiently.
- Limit Hot Standby Router Protocol (HSRP) instances to 500.
- Divide the STP domain by adding aggregation modules.
Providing high availability in the data center: Three key areas are seen in common failures in the path from server to aggregation switch: network links, the access switch, and the server network adapter. To address these, dual-attached servers using network adapter teaming software, connected to dual-attached access switches, may be deployed. A server with a single network interface card (NIC) might have as many as three single points of failure: the NIC, the cable, and the switch to which it is connected. NIC teaming can eliminate these single points of failure.
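The STP scaling arithmetic above, carried through as an added example that is not code from the Quick Reference: it computes STP logical interfaces per switch and STP virtual ports per line card for a constructed two-card aggregation switch, then applies the "manually prune trunks" guideline and shows how far the counts drop. The switch layout, VLAN sets and the limits passed to check_stp_limits() are assumptions for illustration; real per-platform limits must be taken from the switch documentation.

```python
"""STP logical-interface and virtual-port worked example (added example, not
code from the CCDP ARCH Quick Reference).  The switch layout and the limits
used below are constructed for illustration only."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    trunk: bool
    active_vlans: FrozenSet[int] = frozenset()  # VLANs allowed and active on a trunk
    needed_vlans: FrozenSet[int] = frozenset()  # VLANs the downstream switch really uses


@dataclass(frozen=True)
class LineCard:
    slot: int
    ports: Tuple[Port, ...]


def stp_virtual_ports(card: LineCard) -> int:
    """Per line card: sum[(each trunk port on line card) * (active VLANs per port)]."""
    return sum(len(p.active_vlans) for p in card.ports if p.trunk)


def stp_logical_interfaces(cards: List[LineCard]) -> int:
    """Per switch: sum[(each trunk) * (active VLANs on trunk)] + nontrunking interfaces."""
    trunk_instances = sum(stp_virtual_ports(c) for c in cards)
    nontrunk_ports = sum(1 for c in cards for p in c.ports if not p.trunk)
    return trunk_instances + nontrunk_ports


def prune_trunks(cards: List[LineCard]) -> List[LineCard]:
    """Apply the 'manually prune trunks' guideline: keep only the VLANs each
    downstream switch needs on its trunk, which removes STP instances."""
    pruned = []
    for card in cards:
        ports = []
        for p in card.ports:
            if p.trunk:
                p = Port(p.name, True, p.active_vlans & p.needed_vlans, p.needed_vlans)
            ports.append(p)
        pruned.append(LineCard(card.slot, tuple(ports)))
    return pruned


def check_stp_limits(cards: List[LineCard], logical_limit: int,
                     virtual_limit_per_card: int) -> List[str]:
    """Return findings for any count above the supplied (caller-provided) limits."""
    findings = []
    logical = stp_logical_interfaces(cards)
    if logical > logical_limit:
        findings.append(f"switch: {logical} STP logical interfaces > limit {logical_limit}")
    for card in cards:
        virtual = stp_virtual_ports(card)
        if virtual > virtual_limit_per_card:
            findings.append(f"slot {card.slot}: {virtual} STP virtual ports "
                            f"> limit {virtual_limit_per_card}")
    return findings


def build_sample_switch() -> List[LineCard]:
    """Constructed two-card aggregation switch: every trunk allows VLANs 1-100,
    although each downstream access switch only needs five of them."""
    all_vlans = frozenset(range(1, 101))

    def trunk(name: str, base: int) -> Port:
        return Port(name, True, all_vlans, frozenset(range(base, base + 5)))

    def access(name: str) -> Port:
        return Port(name, False)

    slot1 = LineCard(1, (trunk("Te1/1", 10), trunk("Te1/2", 20),
                         trunk("Te1/3", 30), trunk("Te1/4", 40),
                         access("Te1/5"), access("Te1/6"),
                         access("Te1/7"), access("Te1/8")))
    slot2 = LineCard(2, (trunk("Te2/1", 50), trunk("Te2/2", 60),
                         access("Te2/3"), access("Te2/4"), access("Te2/5"),
                         access("Te2/6"), access("Te2/7"), access("Te2/8")))
    return [slot1, slot2]


if __name__ == "__main__":
    # Placeholder limits for the demonstration; not a platform's published figures.
    for label, cards in (("as configured", build_sample_switch()),
                         ("after pruning", prune_trunks(build_sample_switch()))):
        print(label, "logical interfaces:", stp_logical_interfaces(cards),
              "virtual ports per card:", [stp_virtual_ports(c) for c in cards],
              "findings:", check_stp_limits(cards, 500, 300))
```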
NIC teaming configurations include the following:
- Adapter fault tolerance (AFT)
- Switch fault tolerance (SFT)
- Adaptive load balancing (ALB)
Server attachment methods: EtherChannel provides scalable bandwidth for network servers by bundling multiple links, allowing higher throughput between servers and clients and providing redundancy.
Failover times: Layer 2, Layer 3, and Layer 4 components all contribute to overall failover time. Components at each layer have different recovery times and should be evaluated and optimized.
Nonstop forwarding (NSF) and stateful switchover (SSO): Intrachassis SSO at Layers 2 to 4 can be provided by NSF with SSO. This is an excellent method for redundancy. SSO synchronizes the state of trunks, interfaces, EtherChannels, port security, Switched Port Analyzer / Remote Switched Port Analyzer (SPAN/RSPAN), STP, UniDirectional Link Detection (UDLD), and VLAN Trunking Protocol (VTP). NSF with EIGRP, OSPF, Intermediate System-to-Intermediate System (IS-IS), or Border Gateway Protocol (BGP) allows for recovery with no route flapping.
Chapter 6: Storage-Area Network Design
This chapter examines how storage-area networks (SAN) enable customers to interconnect data centers, provide continuity, provide storage consolidation, and unify storage management.
An Overview of SAN Components and Technologies
SAN technologies enable organizations to maximize their storage capacity through a unified set of components and architecture. A SAN solution can separate storage from the traditional server, and can share storage among multiple servers. SANs also have a lower total cost of ownership (TCO) than direct-attached storage and can provide high I/O throughput via a high-performance interconnect. One limiting factor to be aware of is that vendor interoperability may be limited.
SAN main components:
- Host bus adapter (HBA): Provides connectivity between the host server and a storage device.
- Data storage devices: May be hard disks based on any one of the following technologies: SCSI, Fibre Channel, ATA, IDE, or Serial ATA.
- Storage subsystems: Examples of subsystems include the following:
  - Just a bunch of disks (JBOD): A simple disk array.
  - Storage arrays: A group of devices that provide mass storage and other functions and services.
  - Redundant array of independent disks (RAID): RAID technologies allow disk drives to be combined and configured to provide increased performance and fault tolerance.
Overview of RAID: RAID arrays can be used to provide fault tolerance by mirroring data or through implementing parity check operations.
Primary RAID levels:
- RAID 0: Striping: Multiple disks are combined to form a single large volume. No fault tolerance is provided.
- RAID 1: Mirroring: Data is duplicated across two or more disks.
- RAID 3: Error detection: Data is striped across multiple disks and error-correction information is maintained by a dedicated disk drive.
- RAID 5: Error correction: Data and parity information are striped across multiple disks.
Direct-attached storage features: Storage devices connect directly to the server. Storage has limited mobility because it is captive behind the server. It also has limited scalability because of the limited number of devices.
Network-attached storage features: Storage devices are attached to the IP network (network-attached storage, NAS), allowing storage devices to be shared between servers and making it possible for files to be shared by users.
FIGURE 6-1 Network Attached Storage (NAS) [figure: servers and NAS devices attached to the IP LAN/WAN; data is transferred in IP packets]
Overview of SAN technologies:
- Small Computer System Interface (SCSI): A parallel interface technology used by hosts to attach peripheral devices.
- Fibre Channel: A serial data transfer architecture that provides a very high level of scalability and bandwidth and that can be used to extend and network SCSI. This uses a point-to-point communication model facilitated by device login.
Virtual SAN (VSAN): Provides isolation among multiple devices that are physically connected to the same fabric. Inter-VSAN routing (IVR) can be used to allow sharing of centralized storage services, such as disks or tape libraries, across VSAN fabrics without the need to merge VSANs.
Fabric Shortest Path First (FSPF): A path-selection protocol used by Fibre Channel fabrics. Supports multipath routing and bases path status on a link-state protocol. Used by IVR to calculate the best path to a remote fabric.
Zoning: A logical grouping of fabric-connected devices within a SAN or VSAN; it can be used to enable access between an initiator and the storage target.
Fiber Connectivity (FICON): This upper-layer protocol was developed by IBM, and it uses the lower layers of Fibre Channel transport to facilitate connecting IBM mainframes with control units.
SANTap: An Intelligent Storage Service feature supported on the Storage Services Module (SSM), it enables data to be duplicated at another virtual initiator. This allows third-party data storage applications (for example, long-distance replication, continuous backup, and so on) to be integrated into the SAN.
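How VSAN membership, zoning and IVR combine to decide whether an initiator may reach a target, as an added example that is not code from the Quick Reference: a small fabric model in which access requires both devices to share a VSAN and an active zone, or to share an IVR zone when they live in different VSANs, plus a check for a zone that lists a member outside its own VSAN. Device names, placeholder WWNs and zone layout are constructed; a deny default-zone policy is assumed.

```python
"""VSAN / zoning access model (added example, not code from the CCDP ARCH
Quick Reference).  Devices, WWNs and zones below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    wwn: str    # constructed placeholder pWWN, not a real adapter
    vsan: int   # VSAN the device's fabric port belongs to
    role: str   # "initiator" (host HBA) or "target" (disk/tape)


@dataclass(frozen=True)
class Zone:
    name: str
    members: FrozenSet[str]      # device names
    vsan: Optional[int] = None   # None marks an IVR zone that spans VSANs


class Fabric:
    def __init__(self, devices: List[Device], zones: List[Zone]):
        self.devices: Dict[str, Device] = {d.name: d for d in devices}
        self.zones = list(zones)

    def can_access(self, initiator: str, target: str) -> bool:
        """True only if both devices are in a common active zone and either
        share that zone's VSAN or are joined by an IVR zone.  With no matching
        zone the (assumed) deny default-zone policy applies."""
        i, t = self.devices[initiator], self.devices[target]
        if i.role != "initiator" or t.role != "target":
            return False
        for z in self.zones:
            if initiator not in z.members or target not in z.members:
                continue
            if z.vsan is None:              # IVR zone: VSANs need not match
                return True
            if z.vsan == i.vsan == t.vsan:  # regular zone within one VSAN
                return True
        return False

    def access_matrix(self) -> Dict[str, List[str]]:
        """For every initiator, the targets it can reach (what a reviewer
        compares against the intended storage access policy)."""
        inits = [d for d in self.devices.values() if d.role == "initiator"]
        tgts = [d for d in self.devices.values() if d.role == "target"]
        return {i.name: [t.name for t in tgts if self.can_access(i.name, t.name)]
                for i in inits}

    def misplaced_members(self) -> List[Tuple[str, str]]:
        """Regular zones that list a device whose port sits in another VSAN:
        the entry is dead configuration and usually a sign of a mistake."""
        return [(z.name, m) for z in self.zones if z.vsan is not None
                for m in sorted(z.members) if self.devices[m].vsan != z.vsan]


def build_sample_fabric() -> Fabric:
    """Constructed fabric loosely following the page's figure: VSAN 2 holds
    Host 1/2 and Disk 1; VSAN 3 holds Host 3, Disk 5 and a shared tape library."""
    devices = [
        Device("host1", "10:00:00:00:00:00:00:01", 2, "initiator"),
        Device("host2", "10:00:00:00:00:00:00:02", 2, "initiator"),
        Device("host3", "10:00:00:00:00:00:00:03", 3, "initiator"),
        Device("disk1", "50:00:00:00:00:00:00:01", 2, "target"),
        Device("disk5", "50:00:00:00:00:00:00:05", 3, "target"),
        Device("tape1", "50:00:00:00:00:00:00:10", 3, "target"),
    ]
    zones = [
        Zone("zone_a", frozenset({"host1", "disk1"}), vsan=2),
        # Mistake on purpose: disk5 lives in VSAN 3, so this entry never works.
        Zone("zone_b", frozenset({"host2", "disk5"}), vsan=2),
        Zone("zone_d", frozenset({"host3", "disk5"}), vsan=3),
        # IVR zone: lets host1 in VSAN 2 use the tape library in VSAN 3
        # without merging the two VSANs.
        Zone("ivr_tape", frozenset({"host1", "tape1"}), vsan=None),
    ]
    return Fabric(devices, zones)


if __name__ == "__main__":
    fabric = build_sample_fabric()
    for host, targets in fabric.access_matrix().items():
        print(f"{host} -> {targets}")
    print("misplaced zone members:", fabric.misplaced_members())
```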
FIGURE 6-2 Zoning: Physical Topology
[Figure: one physical fabric carrying VSAN 2 (Host 1, Host 2, Disk 1 through Disk 4, grouped into Zones A, B, and C) and VSAN 3 (Host 3, Host 4, Disk 5, Disk 6, grouped into Zones A and D).]
Design Considerations for SAN and SAN Extension

A SAN design should take into account the following considerations:
• Network topology should take into account the number of ports needed both today and in the future.
• End-to-end performance and throughput level should be central to the design.
• Business requirements for continuity and disaster recovery should guide the establishment of the necessary connectivity with remote data centers.
SAN design should be based on a number of factors, including the following:
• Topology requirements and port density
• Traffic management
• Stability and convergence
• Fault isolation
• Oversubscription of devices

Benefits of the Cisco MDS 9000 family: SAN consolidation using VSANs, comprehensive security, and simplified SAN management.

Collapsed core design:
• Single-switch design: Provides 100 percent port design efficiency with a generally lower subscription ratio, while allowing empty slots to support future growth.
• Small-scale dual fabric: A small SAN with 48-port modules can provide a cost-effective solution with VLAN support and PortChannels with high availability to other switches, allowing for future growth.
• Medium-scale dual fabric: Implemented using dual Director switches, it provides up to 528 ports per fabric. It provides VLAN support, port bandwidth reservations to guarantee performance for those devices that require it, and PortChannels with high availability to other switches to allow for future growth.
• Large-scale dual fabric: Leverages 48-port modules with port bandwidth reservations, providing VLAN support and using port bandwidth reservations to guarantee performance for those devices that require it. Each of the two core switches supports 128 storage ports, and each of the four edge switches supports 496 host ports, for a SAN that supports a total of 1984 host ports across 256 storage ports, a 7.75:1 ratio of hosts to storage.

Transporting storage traffic with SAN extensions: Multiple protocols and transport stacks can be used by a SAN to transfer SCSI commands and data. Fibre Channel over IP (FCIP) and SCSI over IP (iSCSI) support block-level storage for remote devices and are both used to carry SCSI commands and status.
FCIP: A standards-based protocol (RFC 3821) primarily used for SAN extension across a WAN. FCIP enables storage applications such as asynchronous data replication, disaster recovery, remote tape vaulting, and host initiator to remote pooled storage to be deployed without regard to latency and distance.

iSCSI: Can be used to carry SCSI commands, responses, and data over an IP network rather than over Fibre Channel. Advantages of iSCSI versus FCIP:
• Supports standard networking equipment.
• Provides lower overall cost of ownership.
• Standards-based protocol (RFC 3720).
• TCP Offload Engine (TOE) can be used to scale iSCSI.

Advances in SAN extension:
• Tape acceleration: Used to speed up the I/O transactions during remote backups
• FCIP write acceleration: Increases I/O transactions between disk-based storage devices, such as a disk array, and servers
• Hardware-assisted data compression over FCIP: Provides extremely high data compression rates across WANs
• Hardware-based IP Security (IPsec) encryption: Provides secure SAN extension transactions
High-availability SAN extension: Dual fabrics such as a yellow VSAN and a blue VSAN have been used to support high availability. PortChannels and optical protection schemes can be used to further augment the design and offer an additional level of network protection.
Chapter 7: Designing an E-Commerce Module

As businesses continue to embrace the Web, e-commerce applications flourish. The e-commerce module enables organizations to support this capability through a multiple-component design. Here we examine how to provide both high availability and security via firewalls, server load balancers, and connections to multiple Internet service providers (ISP).
Achieving High Availability

The prevention of downtime is the goal of any high-availability strategy, and meeting this goal requires the integration of a number of components: redundancy, technology, people, processes, and tools.
Component Design for the E-Commerce Module

A number of different pieces make up the e-commerce module. Routing, switching, firewall, and server content-balancing components all make up common e-commerce designs. To construct complex e-commerce module designs, it is necessary to understand how to integrate these elements.

Typical firewall design for e-commerce: Security is key in an e-commerce implementation, so the design must take into account firewall issues. The e-commerce module is typically deployed in a data center, where it is connected to the Internet via one or more ISPs. Within the e-commerce module are multiple firewalls at various layers.

Large site design: A large site might have three firewalls separating and securing the web, application, and data tiers. In this design, the Internet connects to the web tier, or the outer demilitarized zone (DMZ), supporting web services. Web servers then communicate with the application tier through a second pair of firewalls, and those servers communicate with the data tier through a third pair of firewalls.

Application gateway approach: An alternative approach is to route all traffic between the layers through the servers. In this approach, the web tier servers act as application-specific gateways, adding security because a hacker would have to penetrate the firewall and the web server operating system to attack the middle layer of firewalls.
FIGURE 7-1 Server as Application Gateway
[Figure: traffic from Service Provider A and the Internet enters the Web Tier, which in turn fronts the Application Tier and then the Database Tier, with the servers of each tier acting as the gateway to the next.]
Virtualization using firewall contexts: Firewall contexts are now supported within the Cisco firewall family to allow the virtualization of a physical firewall or Application Control Engine (ACE) module. With contexts, specific VLANs or interfaces are connected to specific security contexts, each of which supports its own policies, such as access control lists (ACL), Network Address Translation (NAT), protocol fixups, and so on.

Layering with virtual firewalls: When constructing a multitiered e-commerce model, a single pair of firewall devices may be used to create virtual firewall layers. One approach is to use a pair of Cisco Catalyst 6500 switches with Firewall Services Modules (FWSM) rather than individual firewalls.

Transparent and routed mode firewalls: Firewall design using the Cisco product family now supports firewalls that operate in either transparent (bridged) mode or in traditional routed mode, and the mode may be set on a per-context basis.
• Transparent mode: The FWSM bridges two VLANs, and traffic passing through the FWSM is subject to IP ACLs.
• Routed mode: The FWSM routes between the VLANs, and traffic passing through it is subject to IP ACLs, security state tracking, and so on.
Load-Balancer Designs for E-Commerce

To support both scaling and high availability, a server load balancer (SLB) or content load balancer may be used. Through the use of an SLB, the workload may be spread among many actual servers, and server capacity can be extended flexibly by adding servers to the pool. Cisco offers a number of product lines that provide content and SLB services:
• Cisco CSS 11500 Series Content Services Switch (CSS)
• Cisco Content Switching Module (CSM)
• Cisco Application Control Engine (ACE)
Basic SLB designs include router mode, bridge mode inline, and one-armed (or two-armed) mode and include the need to select appropriate redundancy from among active/active, active/passive, or failover triggers. Design of an SLB may also include Client Source NAT (CSNAT), which rewrites the IP address of the client before the packet goes to the server.
E-Commerce Topology Designs

Three common designs are typically used when constructing an e-commerce solution:
• One firewall per ISP, with separate NAT pools.
• Stateful failover with a common external prefix advertised through Border Gateway Protocol (BGP), with a single NAT pool.
• Distributed data centers with multiple ISPs.
Integrated E-Commerce Designs

Base Module Design

This basic e-commerce design uses a core layer that houses the first stage of firewalls. Aggregation and access layers are trusted zones with no security between the web, application, and database zones. Routed mode is used to provide connectivity to the SLBs or firewalls by the aggregation layer. Further, all e-commerce traffic goes via the CSMs, which might require additional CSM configuration for direct access to the servers for non-load-balanced sessions initiated by the servers. Routing in the base e-commerce module is static for the most part, with virtual IP addresses used to support failover. With regard to traffic flow, while the firewall handles security logic, the CSM handles the SLB decision or passes management traffic directly to a specific server.
Two Firewall Layers

Additional protection can be had by inserting a firewall into the aggregation layer. This form of two firewall layers may be implemented using a one-armed design in which a one-armed SLB device is employed. In this design, it is possible to have direct server traffic flow. The one-armed SLB model with an aggregation firewall may also support multiple firewall contexts. In this model, it is no longer necessary to have a separate firewall in the core layer. A further design option is a one-armed SLB with CSS modules that firewall all traffic. With CSS in the one-armed mode, non-load-balanced traffic to and from the servers can bypass the CSS devices.

No matter the design that is ultimately used, it is important to test it thoroughly. Proper lab testing can help to validate network behavior and failover conditions, and can aid in future troubleshooting and design analysis.
E-Commerce Tuning

A number of Cisco technologies, such as BGP tuning, enhanced object tracking, optimized edge routing, and Domain Name System (DNS) site selection and failover, offer enhanced e-commerce capabilities to suit various design needs.
• BGP Tuning: Used to control packet flow and convergence characteristics.
• Enhanced Object Tracking (EOT): A standalone process built in to Cisco IOS Software that tracks the status of objects.
• Optimized Edge Routing (OER): Provides alternative path selection based on policies. The OER cycle is learn, measure, apply policy, optimize, and verify.
• Cisco Global Site Selector (GSS): Content deployment across multiple distributed and mirrored data locations is leveraged to optimize site selection, improve DNS responsiveness, and ensure data center availability.
FIGURE 7-2 Optimized Edge Routing (OER)
[Figure: an Enterprise Content Provider with clients and servers, core routers CR1 and CR2 running iBGP and/or EIGRP, IS-IS, OSPF, or RIP, and border routers BR1, BR2, and BR3 directed by a Master Controller; the border routers connect under SLA A, SLA B, and SLA C to Transit Service Providers SP A through SP F, which provide Customer Access toward the Content Consumer.]
Chapter 8: Securing an Enterprise Network

With today's mission-critical network services, such as e-commerce, network security has become a major design consideration. This chapter discusses Cisco recommendations for securing an enterprise network. Specifically, this chapter discusses firewall, network admission control, intrusion detection, and intrusion prevention services.
Firewalls

Firewalls contain a list of rules that control what traffic can enter or exit a network segment. These rules can be based on, for example, user access rights or specific applications. Cisco firewalls use one of two basic modes of operation:
• Routed mode: The traditional mode of operation, where the firewall acts as a Layer 3 device
• Transparent mode: A newer mode of operation, where the firewall acts as a Layer 2 device, with each interface residing on the same subnet but on different VLANs

Cisco IOS Software has a firewall feature set available, through which a router can act as a firewall. However, for large-scale deployments, dedicated appliances are often preferred. Examples of these dedicated appliances include the following:
• PIX: Cisco's traditional firewall, which allows traffic from a higher-security interface (for example, the "inside" network) to a lower-security interface (for example, the "outside" network)
• ASA: Cisco Adaptive Security Appliance, which offers other services (for example, virtual private network [VPN] and intrusion prevention) in addition to firewall services
• FWSM: Cisco Firewall Services Module for the Catalyst 6500 series switch, which, unlike the PIX and ASA, does not permit any traffic flow between interfaces unless configured to do so (with the exception of Address Resolution Protocol [ARP] traffic)

Modern Cisco firewalls can contain contexts, which act as virtual firewalls within a single physical firewall. VLANs are then associated with a context. Virtual firewalls can often benefit service providers, who can have a single physical device
that provides unique firewalling services for multiple subscribers. However, from a design perspective, keep in mind that if one context is attacked, the other contexts on the physical firewall device could be impacted, too.

The preferred redundancy design for firewalls is called active/active. The active/active topology leverages the context feature. Specifically, contexts are placed into failover groups, with one context acting as the active context for the failover group and the other context acting as the standby context for the failover group. For example, consider Firewall-1 and Firewall-2 shown in Figure 8-1. Firewall-1 contains the contexts CTX-1 and CTX-2. Firewall-2 contains the contexts CTX-3 and CTX-4. Both CTX-1 and CTX-3 belong to the same failover group, GROUP-1. Similarly, CTX-2 and CTX-4 belong to a common failover group, GROUP-2. CTX-1 is active for GROUP-1, and CTX-4 is active for GROUP-2. In this scenario, both Firewall-1 and Firewall-2 are actively passing traffic, while each is ready to take over for the other firewall in the event of a failure.

FIGURE 8-1 Active/Active Topology Example
[Figure: Firewall-1 hosts CTX-1 (Active) and CTX-2 (Standby); Firewall-2 hosts CTX-3 (Standby) and CTX-4 (Active). CTX-1 and CTX-3 form Failover Group Group-1; CTX-2 and CTX-4 form Failover Group Group-2.]
Asymmetric routing is a feature supported by the previously mentioned FWSMs. With asymmetric routing, return traffic for a session can enter via a different interface than the interface from which the traffic exited the FWSM. This asymmetric routing feature can function in both a failover and a nonfailover configuration, and works when the firewall is operating in either routed or transparent mode.
Multiple FWSMs (as many as four) can be combined in a single Catalyst 6500 series switch chassis to provide enhanced throughput, using an active/active configuration. The two methods of load balancing among the FWSMs are as follows:
• Traffic engineering (for example, policy-based routing)
• Routing (for example, Equal Cost Multipath [ECMP] routing)
Another way for a Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Catalyst switch. A PVLAN domain has a single primary VLAN. In addition, the PVLAN domain contains secondary VLANs that provide isolation between ports in the PVLAN domain. Cisco Catalyst switches support two categories of secondary VLANs:
• Isolated VLANs: Ports belonging to an isolated VLAN lack Layer 2 connectivity between one another.
• Community VLANs: Ports belonging to a community VLAN can communicate with one another, but not with ports in other community VLANs.

PVLAN ports fall into one of three categories:
• Promiscuous: Promiscuous ports are typically used to communicate with network devices (for example, routers or backup servers), and these ports can communicate with all other PVLAN ports.
• Isolated: Isolated ports can only communicate with a promiscuous port.
• Community: Community ports can communicate with other ports in their community and also with promiscuous ports.

The Cisco IOS Firewall feature set now offers the zone-based policy firewall (ZPF) feature. With ZPF, firewall interfaces are assigned to zones, and firewall policies are applied to traffic moving between zones, rather than to traffic moving between interfaces. As an example, consider Figure 8-2, which shows a router running the Cisco IOS Firewall feature set. The router's three interfaces are each assigned to a unique zone (that is, zones for the inside network, the demilitarized zone [DMZ] network, and the outside network).
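The three PVLAN port categories listed above reduce to a short Layer 2 forwarding rule, and it is worth seeing that rule applied to a whole domain rather than one pair of ports at a time. The Python below is an added example, not code from the book or a Catalyst feature; the port names, VLAN numbers, and the assignment of devices to ports are constructed. It decides whether two ports of one PVLAN domain may exchange frames and builds the reachability table for the domain, which is the view an auditor wants when checking that a PVLAN design really isolates what it is meant to isolate.

```python
"""PVLAN Layer 2 reachability rules (added example, not from the CCDP ARCH text)."""
from dataclasses import dataclass
from typing import Optional

PRIMARY = 100       # constructed primary VLAN of the PVLAN domain
ISOLATED = 101      # constructed isolated secondary VLAN (one per domain)
COMMUNITY_A = 102   # constructed community secondary VLANs
COMMUNITY_B = 103


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                 # "promiscuous", "isolated" or "community"
    secondary: Optional[int]  # secondary VLAN for host ports; None for promiscuous


# Constructed domain: a router uplink, two isolated hosts, two communities.
PORTS = [
    Port("Gi1/1", "promiscuous", None),       # uplink to the default gateway
    Port("Gi1/2", "isolated", ISOLATED),      # host that must see only the gateway
    Port("Gi1/3", "isolated", ISOLATED),
    Port("Gi1/4", "community", COMMUNITY_A),  # two servers that cluster together
    Port("Gi1/5", "community", COMMUNITY_A),
    Port("Gi1/6", "community", COMMUNITY_B),  # a server in a different community
]
PORT_BY_NAME = {p.name: p for p in PORTS}


def can_talk(a: Port, b: Port) -> bool:
    """Layer 2 forwarding decision between two distinct ports of one domain."""
    if a.kind == "promiscuous" or b.kind == "promiscuous":
        return True                        # promiscuous ports reach every port
    if a.kind == "isolated" or b.kind == "isolated":
        return False                       # isolated ports reach only promiscuous ports
    return a.secondary == b.secondary      # community ports: same community only


def can_talk_names(a: str, b: str) -> bool:
    return can_talk(PORT_BY_NAME[a], PORT_BY_NAME[b])


def reachability(ports=PORTS):
    """Per-port list of peers reachable at Layer 2 inside the PVLAN domain."""
    return {a.name: sorted(b.name for b in ports if b is not a and can_talk(a, b))
            for a in ports}


if __name__ == "__main__":
    for port, peers in reachability().items():
        print(f"{port}: {', '.join(peers)}")
```

The table only covers Layer 2. The router on the promiscuous port still receives frames from every host, so two isolated hosts can reach each other through it at Layer 3 unless that router (or a VLAN ACL) filters such traffic; a PVLAN design should be checked together with that filtering, not on its own.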
FIGURE 8-2 Zone-Based Policy Firewall Example
[Figure: a router running the IOS Firewall feature set with one interface in each of three zones: the INSIDE zone, the DMZ zone, and the OUTSIDE zone.]
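The ZPF paragraph above states the model in one sentence: policy is attached to a pair of zones, not to interfaces. The consequences of that model (same-zone traffic passes, an interface outside any zone cannot talk to a zoned one, and any zone pair without a policy is an implicit drop) are easier to see with a small decision function. The Python below is an added example, not the book's or Cisco's configuration; it follows the three zones of Figure 8-2, while the interface names, the zone-pair policies, and the sample flows are constructed. The zone-pair rules mirror how IOS applies inspect policies, but this is a model of the decision, not the router's CLI.

```python
"""Zone-based policy firewall decision model (added example, not from the CCDP ARCH text)."""
from collections import namedtuple

Flow = namedtuple("Flow", "in_if out_if proto dport")

# Constructed interface-to-zone assignment following Figure 8-2.
ZONE_OF = {"Gi0/0": "INSIDE", "Gi0/1": "DMZ", "Gi0/2": "OUTSIDE"}

# Constructed zone-pair policies: (source zone, destination zone) -> traffic
# that is inspected (stateful permit).  A pair that is absent here has no
# policy, and ZPF drops all traffic for it.
ZONE_PAIR_POLICY = {
    ("INSIDE", "OUTSIDE"): {("tcp", 80), ("tcp", 443), ("udp", 53)},
    ("INSIDE", "DMZ"):     {("tcp", 22), ("tcp", 443)},
    ("OUTSIDE", "DMZ"):    {("tcp", 443)},
}


def decide(flow: Flow, zone_of=ZONE_OF, policy=ZONE_PAIR_POLICY) -> str:
    """Return "pass", "inspect" or "drop" for the first packet of a flow."""
    src, dst = zone_of.get(flow.in_if), zone_of.get(flow.out_if)
    if src is None and dst is None:
        return "pass"          # neither interface is zoned: ZPF does not apply
    if src is None or dst is None:
        return "drop"          # a zoned interface never talks to an unzoned one
    if src == dst:
        return "pass"          # intra-zone traffic is permitted by default
    allowed = policy.get((src, dst))
    if allowed is None:
        return "drop"          # no zone pair defined: implicit drop
    return "inspect" if (flow.proto, flow.dport) in allowed else "drop"


def audit(flows, **kw):
    """Evaluate a batch of constructed flows, returning (flow, verdict) pairs."""
    return [(f, decide(f, **kw)) for f in flows]


if __name__ == "__main__":
    SAMPLE = [
        Flow("Gi0/0", "Gi0/2", "tcp", 443),   # inside user to Internet HTTPS
        Flow("Gi0/2", "Gi0/1", "tcp", 443),   # Internet to DMZ web server
        Flow("Gi0/1", "Gi0/0", "tcp", 22),    # DMZ host trying to reach inside
        Flow("Gi0/2", "Gi0/0", "tcp", 445),   # Internet to inside SMB
    ]
    for flow, verdict in audit(SAMPLE):
        print(f"{flow.in_if}->{flow.out_if} {flow.proto}/{flow.dport}: {verdict}")
```

The DMZ-to-INSIDE case is the one worth noting when reviewing such a design: no zone pair exists in that direction, so a compromised DMZ host gets an implicit drop toward the inside network even though the reverse pair (INSIDE to DMZ) is open; return traffic for the inspected INSIDE-to-DMZ sessions is admitted by the stateful inspection, not by a reverse rule.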
NAC Design Considerations

Network admission control (NAC) is a collection of technologies that can be used to enhance network security services. Specifically, NAC can perform posture validation, which ensures that only permitted devices can communicate on the network. Identity-based networking services (IBNS) can be used with NAC technologies to identify and authenticate a user (or other network device), and make sure the user or network device has appropriate access to network resources.
Cisco combines multiple admission control and policy enforcement mechanisms into a device called a NAC Appliance. Specifically, the NAC Appliance is composed of the following four elements:
• Cisco NAC Appliance Manager (Cisco NAM): Acts as a NAC Appliance administration server for defining policies
• Cisco NAC Appliance Server (Cisco NAS): Acts as a policy enforcement server between the trusted and untrusted networks
• Cisco NAC Appliance Agent (Cisco NAA): Acts as an optional agent for Windows-based clients
• NAC Appliance Policy Updates: Checks the status of updates applied to operating systems, antivirus signatures, and other client software

When designing a NAS deployment, consider the following variables:
• Virtual gateway or real gateway: Defines the NAS as a Layer 2 or Layer 3 device
• In-band or out-of-band operating mode: Defines how traffic flows through the NAS
• Layer 2 or Layer 3 client access mode: Defines user device adjacency (that is, Layer 2 or Layer 3) to the NAS
• Central or edge physical deployment: Defines whether the NAS device is physically inline with the data flow

Cisco recommends that NAC Appliance deployments be designed with full redundancy. Among the supported NAC Appliance designs are the following:
• Layer 2 in-band: The most popular type of NAC Appliance deployment, where the NAS is logically, but not physically, inline with the client data, as depicted in Figure 8-3
• Layer 2 out-of-band: Similar to the Layer 2 in-band design, with the exception of a trunk (carrying traffic from the posture assessment and the network access VLANs) being used between the access and distribution switches
Figure 8-3: Layer 2 In-Band NAC Appliance Deployment Model (the client sits on VLAN 10; the NAC Appliance Server sits on VLAN 200, which is mapped to VLAN 10; VLAN 20 is the NAS management VLAN and VLAN 30 is the NAM management VLAN; the NAC Appliance Manager connects via VLAN 30)
• Layer 3 in-band: Securely manages traffic for VPN concentrators or from remote sites, where the client is not Layer 2 adjacent to the NAS
• Layer 3 out-of-band: Allows the NAS to be centrally deployed out-of-band in the core or distribution layers
The Cisco NAC Framework leverages both Cisco technologies and third-party security solutions to analyze the posture of a host, preventing unauthorized network access. The three major components of the Cisco NAC posture validation process are as follows:
• Subjects: Subjects are endpoints that access a network on which network admission control is being used.
• Enforcement devices: Enforcement devices are network devices (for example, routers, VPN gateways, Catalyst switches, and wireless access points) that NAC polices.
• Decision and remediation devices: Decision and remediation devices (for example, AAA [authentication, authorization, and accounting] servers, directory servers, posture validation servers [PVS], remediation servers, and audit servers) work together to provide the features of a NAC architecture.
Cisco offers four security applications for client devices:
• Cisco NAC Appliance Agent (NAA): An optional component of the Cisco Clean Access feature, which provides Registry scans
• Cisco Security Agent (CSA): A host intrusion prevention system (HIPS) application that integrates with the Cisco NAC Framework and Monitoring, Analysis, and Response System (MARS)
• Cisco Secure Services Client: Uses IEEE 802.1X to provide a single authentication framework for multiple device types
• Cisco Trust Agent: An integral component of the NAC framework that allows NAC to check the state of security or management software
IDS and IPS Design Considerations
Cisco Self-Defending Network technology leverages the features of intrusion detection systems (IDS) and intrusion prevention systems (IPS). Both IDS and IPS can help defend a network against malicious traffic such as worms, network viruses, and denial-of-service (DoS) attacks.
Intrusion detection systems do not reside in the data path. Instead, they receive a copy of the data for analysis. As a result, an IDS cannot protect against certain types of attacks. For example, atomic attacks can consist of a single packet, and by the time the IDS detects the attack (based on a copy of the attack packet), the attack has already been carried out. Intrusion prevention systems, conversely, do reside in the data path. Therefore, an IPS might be able to defeat an attack that an IDS would not be able to defeat.
Both IDS and IPS solutions consist of two major components:
• Sensors: Sensors collect and analyze traffic patterns, looking for attack signatures. These sensors can be a dedicated network appliance or software that runs on a host (for example, Cisco Security Agent).
• Security management and monitoring infrastructure: Cisco uses a collection of management and monitoring solutions to carry out the functions of IDS and IPS, including the following:
  • Cisco Security Manager: Used to configure Cisco firewalls, VPNs, and IPS devices for security features, in addition to performing high-level monitoring functions
  • Cisco Security Monitoring, Analysis, and Reporting System (MARS): Monitors both security devices in the network and host applications
  • Cisco Intrusion Prevention System Device Manager (IDM): A Java application used to configure and manage IPS sensors
  • IDS Event Viewer: A Java-based application used to view and manage alarms for as many as five sensors
A designer can select from multiple options for placing an IPS sensor in an enterprise network, as illustrated in Figure 8-4.
• Two Layer 2 devices (no trunk): The IPS sensor is positioned between two Layer 2 devices and connects to those two devices via access ports on those devices.
• Two Layer 3 devices: Typically used in Internet, campus, and server farm designs, this model places the IPS sensor between two Layer 3 devices, such as routers or firewalls.
• Two VLANs on the same switch: The IPS sensor bridges two VLANs together on the same switch, such that the traffic arrives from the switch on one VLAN, and the IPS sensor sends the traffic back to the switch on a separate VLAN.
• Two Layer 2 devices (trunked): The IPS sensor is positioned between two Layer 2 devices (for example, Cisco Catalyst switches), and attaches to those devices via IEEE 802.1Q trunks.
Figure 8-4: Positioning an IPS Appliance in an Enterprise Network (four placements: between two Layer 2 devices with no trunk; between two Layer 3 devices; bridging two VLANs, VLAN A and VLAN B, on the same switch; and between two Layer 2 devices connected over an IEEE 802.1Q trunk)
Chapter 9: Virtual Private Network Design
Virtual private networks (VPN), used both in public and private networks, allow traffic to be sent securely between two network devices. For example, consider a traveling salesperson who has broadband access in his hotel in the evening. With VPN technology, that salesperson can securely connect back to his corporate headquarters. Similarly, VPNs are often beneficial for telecommuters and remote offices. In many cases, VPNs can replace previously installed WAN connections (for example, Frame Relay or ATM connections), offering security and lower cost. This chapter discusses the components that make up a VPN, and also covers VPN design considerations.
Remote-Access VPNs
Remote-access VPN tunnels typically use secure tunnels between a remote user, connecting via an Internet service provider (ISP), and the corporate VPN termination device, as illustrated in Figure 9-1. A VPN is composed of three main elements:
• VPN termination devices: Also known as a “headend,” this termination device (for example, an Adaptive Security Appliance [ASA]) has the capacity to support multiple simultaneous VPN connections.
• End clients: Either mobile or fixed, end clients are devices that reside at one end of VPN tunnels and connect to VPN termination devices at the other end of VPN tunnels.
Figure 9-1: Remote-Access VPNs (a telecommuter’s house, a hotel, and the mobile workforce each connect across the Internet to headquarters)
• VPN technology: VPNs can securely send data across a tunnel. Two protocols that make this secure transmission possible are as follows:
  • IPsec: IPsec is normally used to secure the transmission of data.
  • SSL: Secure Sockets Layer (SSL) uses digital certificates to secure the transmission of web traffic. Among SSL’s VPN mechanisms are the following:
    • Clientless access: Proxies web pages and then transmits those web pages over an SSL connection to the end user
    • Thin client: Uses a small application to perform port forwarding, where the port forwarder acts as a local proxy server
    • Thick client: A VPN client application, which is downloaded via a web page and runs on the end client
The VPN termination devices mentioned here are usually installed, along with a firewall, at the edge of the network. Cisco best practice for locating a VPN termination device is to install the VPN device behind a firewall in the enterprise’s demilitarized zone (DMZ). When designing a remote access VPN, consider the following:
• Routing: Typically, static routes are configured on internal routers pointing to the headend VPN device.
• Address assignment: Usually, an internal address pool is assigned for each VPN headend. These address pools are pointed to by the static routes mentioned in the preceding bullet.
• Authentication: The only authentication method supported by SSL is digital certificates. However, other authentication solutions can be used along with SSL.
• Access control: Common approaches to access control include defining access control rules on the VPN headend or defining access control rules on an internal firewall.
Site-to-Site VPNs
Site-to-site VPNs, as illustrated in Figure 9-2, offer a replacement to traditional WAN connections that interconnect, for example, remote offices. Because a VPN tunnel can be created across relatively low-cost network connections, such as a digital subscriber line (DSL) connection to the Internet, site-to-site VPNs can offer significant cost savings, while continuing to provide a secure path for network traffic.
Figure 9-2: Site-to-Site VPNs (Branch A, Branch B, and Branch C, each with a VPN access device, connect across the Internet to the VPN head-end device at headquarters)
The primary elements comprising a site-to-site VPN include the following:
• Head-end VPN devices: Similar to the remote-access headend, these devices act as the termination point for incoming VPN tunnels to the main campus.
• VPN access devices: Located at remote locations, these devices terminate the remote side of the VPN tunnels.
• IPsec and GRE tunnels: IPsec and generic routing encapsulation (GRE) are VPN tunneling technologies, and each offers its own unique benefits; they are often used together in site-to-site VPNs.
• Internet access: Supplied by ISPs, access to the Internet offers the medium of transport between the VPN headend and VPN access devices.
Each end of a VPN tunnel needs an Internet-routable IP address. Traffic flowing through the VPN might physically pass through multiple routers (for example, routers in the ISP’s network). However, from the perspective of the VPN traffic, traveling from one end of the VPN to the other appears to be a single router hop. Therefore, the addressing of the traffic traversing the tunnel can be private addressing.
Another major VPN design consideration is scalability. Although multiple factors impact the scalability of a VPN, the main indicator of scalability is the number of remote sites to be supported. Cisco recommends that redundant headend VPN devices be installed and that the CPU utilization of each headend be less than 50 percent. However, VPN access devices located at remote sites are not considered overburdened if their CPU utilization is less than 65 percent. Cisco offers a wide variety of VPN devices, which vary in their scalability. Consult current Cisco product documentation when selecting a VPN device for a design.
When interconnecting multiple sites using VPN technologies, consider the following deployment models:
• Peer-to-peer: Secures traffic between two sites
• Hub and spoke: A common approach, in which remote sites connect back to a central location
• Partial mesh: Builds on a hub-and-spoke topology to provide direct connections between some remotes, to better accommodate traffic patterns
• Full mesh: Provides direct connections between each location in the VPN topology
The three primary approaches for placing a VPN device in an enterprise campus design are as follows:
• Placing the VPN device parallel to the firewall, which supports high scalability
• Placing the VPN in a firewall’s DMZ, which supports the inspection of decrypted IPsec traffic
• Integrating the VPN device with the firewall, resulting in fewer devices to manage
IPsec VPNs
As previously mentioned, IPsec offers secure communication over a tunnel, thus forming a secure VPN. However, multiple IPsec VPN implementations exist. A basic IPsec VPN interconnects peers over a tunnel. These tunnels are defined by security associations (SA), which specify the protocols, algorithms, and keying material used to form the tunnel. Other IPsec-based VPNs include the following:
• Easy VPN: Cisco Easy VPN solution is composed of the Easy VPN server and Easy VPN remote devices. The Easy VPN server can push security policies to remote sites. Also, the configuration can be performed using the Router and Security Device Manager (SDM) Easy VPN Server Wizard and Easy VPN Remote Wizard.
• GRE tunneling: IPsec can provide security, but it only supports IP unicast traffic. GRE supports additional traffic types (for example, IP multicast and broadcast traffic), but GRE lacks security features. By using these technologies together, multiple traffic types can be encapsulated inside of a GRE tunnel, and then those GRE tunnel packets (which are unicast IP packets) can be transmitted securely inside of an IPsec tunnel.
• Dynamic multipoint VPN (DMVPN): Because hub-and-spoke designs suffer from scalability issues when the number of sites exceeds 10 (because of all traffic passing to or through the hub), DMVPN technology can be used to create on-demand tunnels. Specifically, DMVPN is most appropriate when more than 20 percent of the network traffic travels between spoke sites. DMVPN can dynamically create a spoke-to-spoke tunnel based on traffic patterns, as shown in Figure 9-3. In the figure, a dynamic VPN tunnel is established between the Branch B and Branch C sites.
Figure 9-3: Dynamic Multipoint VPN Tunnel (Branch A, Branch B, and Branch C, each with a VPN access device, connect across the Internet to the VPN head-end device at headquarters; a dynamic multipoint VPN tunnel is established directly between Branch B and Branch C)
• Virtual tunnel interfaces (VTI): The VTI feature offers a special type of interface, which supports routing, VPN termination, and other configurations that cannot always be applied to a VPN tunnel (such as quality of service [QoS] configurations).
• Group encrypted transport VPN (GET VPN): Although the GET VPN does provide security for network traffic in a fully meshed network, a tunnel is not used. Instead, the GET VPN uses Cisco IOS features to provide security over a private WAN.
Managing and Scaling VPNs
The Cisco Security Management Suite contains multiple components, including the following:
• Cisco Router and Security Device Manager (SDM): Offers a web-based interface for managing various features (for example, QoS and security features) on Cisco routers
• Cisco Adaptive Security Device Manager (ASDM): Provides a graphical interface for managing Cisco ASA, PIX, and FWSM devices
• Cisco PIX Device Manager (PDM): Supports management of some models of the Cisco PIX (Cisco PIX Security Appliance Software Version 6.3 and earlier) and FWSM
• Cisco View Device Manager (CVDM): Used to manage selected Layer 2 and Layer 3 features on a Cisco Catalyst 6500 series switch
• Cisco Security Manager: Offers a GUI-based configuration solution for firewall, VPN, and intrusion prevention system (IPS) policy configuration on some Cisco security appliances
• Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS): Supports the monitoring, identification, and isolation of security threats, in addition to countering those threats, in an appliance-based solution
When scaling a VPN, the number of packets per second (PPS) transmitted between sites is more design relevant than the bandwidth, in bits per second (bps), between sites, because, for example, each packet needs to be encrypted and decrypted. Applications vary in the number of PPS they send. For example, a VoIP application uses smaller packet sizes than an FTP application. Therefore, the VoIP application would send more PPS than the FTP application. Various network management tools can be used to determine the PPS rate. However, a basic method of determining the PPS rate on existing equipment is to issue the show interfaces command.
Selecting an appropriate routing protocol for a VPN also helps the VPN to scale. Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) Protocol are both examples of enterprise routing protocols that support VPNs.
Chapter 10: IP Multicast Design Considerations
IP multicast offers a more efficient use of network resources, as compared to unicast and broadcast technologies, for certain applications (for example, streaming video out to multiple receivers in a network). This chapter reviews the fundamentals of IP multicast technology, provides design guidance, and discusses security considerations.
Fundamentals of IP Multicast
Consider a video stream that needs to be sent to multiple recipients in a company. One approach is to unicast the traffic. The source server sends a copy of every packet to every receiver, as illustrated in Figure 10-1. Obviously, this approach has serious scalability limitations.
Figure 10-1: Unicast (the multicast server sends one copy of each packet with destination address 10.1.1.1 and another copy with destination address 10.1.1.2, one per receiver; non-receiver 10.1.1.3 gets nothing)
An alternative approach is to broadcast the video stream, so that the source server only has to send each packet once. However, everyone in the network receives the packet, in that scenario, even if they do not want it, as shown in Figure 10-2.
FIGURE 10-2 Broadcast delivery: the multicast server sends one copy to destination address 255.255.255.255, and Receiver 10.1.1.1, Receiver 10.1.1.2, and Non-Receiver 10.1.1.3 all receive it.
IP multicast technologies provide the best of both worlds. With IP multicast, the source server sends only one copy of each packet, and the packets are delivered only to the intended recipients, as demonstrated in Figure 10-3.

FIGURE 10-3 Multicast delivery: the multicast server sends one copy to destination address 224.1.1.1 (the multicast group). Receiver 10.1.1.1 and Receiver 10.1.1.2, which joined group 224.1.1.1, receive it; Non-Receiver 10.1.1.3 does not.
Specifically, receivers join a multicast group, denoted by a Class D IP address (that is, an address in the range 224.0.0.0 through 239.255.255.255). The source sends traffic to the Class D address, and switch and router protocols forward the packets only to the stations that joined the group.

Multicast packets are sent over User Datagram Protocol (UDP), that is, best effort. Therefore, congestion avoidance mechanisms such as weighted random early detection (WRED), which work by forcing TCP flows into TCP slow start, are not effective for multicast. As you do your multicast design, also be aware of the potential for receivers to get duplicate packets and for packets to arrive out of order.

In addition to Layer 3 addresses, multicast applications must have Layer 2 addresses (that is, MAC addresses). Fortunately, these Layer 2 addresses can be constructed directly from the Layer 3 multicast addresses. A MAC address is 48 bits long. The first 24 bits of an IPv4 multicast MAC address are always 01-00-5e (in hex), the 25th bit is always 0, and the remaining 23 bits are copied from the low-order 23 bits of the multicast IP address. Consider the following example:

- Given a multicast IP address of 224.1.10.10, calculate the corresponding multicast MAC address.

1. First, convert the last three octets to binary: 0000.0001.0000.1010.0000.1010
2. If the leftmost of these 24 bits is not already 0, change it to 0, because the 25th bit of a multicast MAC address is always 0: 0000.0001.0000.1010.0000.1010
3. Convert each nibble (that is, 4-bit section) into its hexadecimal equivalent: 01-0a-0a
4. Prepend 01-00-5e to the calculated value to produce the multicast MAC address: 01-00-5e-01-0a-0a

- Interestingly, other multicast IP addresses (for example, 224.129.10.10, whose second octet differs only in the discarded high-order bit) yield an identical multicast MAC address. Because the low-order 4 bits of the first octet and the high-order bit of the second octet are not carried into the MAC address, 32 Layer 3 multicast addresses map to each Layer 2 multicast MAC address. Therefore, care must be taken when selecting Layer 3 multicast addresses to avoid this overlap: a switch that forwards on the MAC address delivers all 32 groups to any port that joined one of them.
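The mapping and the 32-to-1 overlap described above, worked through in Python as an added example (this is editor-supplied illustration code, not code from the Quick Reference or from Cisco). The function names and the list of planned groups are assumptions made for the example; the arithmetic follows the rule in the text: the fixed 01-00-5e prefix, a 0 bit, then the low-order 23 bits of the group address. The collision check generalizes the text's single example to any list of planned groups.

```python
import ipaddress

# IANA OUI prefix used for every IPv4 multicast MAC address: 01-00-5e
MCAST_MAC_PREFIX = 0x01005E


def multicast_mac(group):
    """Derive the Layer 2 multicast MAC for an IPv4 multicast group.

    Layout: 24-bit prefix 01-00-5e, one 0 bit, then the low-order 23 bits of
    the IP address.  The low 4 bits of the first octet and the high bit of
    the second octet are discarded, so 2**5 = 32 groups share each MAC.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D (224.0.0.0/4) address")
    low23 = int(addr) & 0x7FFFFF              # keep bits 0..22 of the IP address
    mac = (MCAST_MAC_PREFIX << 24) | low23    # bit 23 stays 0 automatically
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def overlapping_groups(group):
    """Enumerate the 32 IPv4 multicast groups that share `group`'s MAC address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    groups = []
    for dropped in range(32):
        # Reassemble: 1110 class prefix, the 5 discarded bits, the 23 mapped bits.
        value = (0xE << 28) | (dropped << 23) | low23
        groups.append(str(ipaddress.IPv4Address(value)))
    return groups


def mac_collisions(planned_groups):
    """Planning check: return the MACs that more than one planned group maps to.

    Groups sharing a MAC are indistinguishable to a switch that forwards on the
    MAC address, so a port that joined one of them receives all of them.
    """
    by_mac = {}
    for g in planned_groups:
        by_mac.setdefault(multicast_mac(g), []).append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


if __name__ == "__main__":
    # Constructed sample: the text's worked example plus a few planned groups.
    print(multicast_mac("224.1.10.10"))              # 01-00-5e-01-0a-0a
    print(overlapping_groups("224.1.10.10")[:4])
    # 225.0.0.5 shares a MAC with OSPF's 224.0.0.5: a poor choice for an application group.
    print(mac_collisions(["224.1.10.10", "224.129.10.10", "225.0.0.5", "224.0.0.5"]))
```

Running `mac_collisions` over a planned address allocation before deployment catches the overlap the text warns about; note in particular that any group of the form x.0.0.y or x.128.0.y collides at Layer 2 with the reserved link-local address 224.0.0.y, which is why such groups are best avoided for applications.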
As previously mentioned, in a multicast network the source sends multicast packets with a Class D destination address. The 224.0.0.0 through 239.255.255.255 range is the Class D address range because the first four bits of the first octet of a Class D address are 1110. Some ranges within the Class D address space are dedicated to special purposes:

224.0.0.0 – 224.0.0.255: Reserved link-local addresses
224.0.1.0 – 238.255.255.255: Globally scoped addresses
232.0.0.0 – 232.255.255.255: Source-specific multicast
233.0.0.0 – 233.255.255.255: GLOP addresses
239.0.0.0 – 239.255.255.255: Limited-scope addresses

- Reserved link-local addresses are used, for example, by many network protocols. Open Shortest Path First (OSPF) Protocol uses 224.0.0.5 and 224.0.0.6. Routing Information Protocol Version 2 (RIPv2) uses 224.0.0.9, and Enhanced Interior Gateway Routing Protocol (EIGRP) uses 224.0.0.10. Other "well-known" addresses in this range include 224.0.0.1, which addresses all multicast hosts, and 224.0.0.2, which addresses all multicast routers.
- Globally scoped addresses are used for general-purpose multicast applications, and they can extend beyond the local autonomous system.
- Source-specific multicast (SSM) addresses are used in conjunction with Internet Group Management Protocol Version 3 (IGMPv3), which allows a multicast receiver to request not only membership in a group but also the specific sources it wants to receive traffic from. Therefore, in an SSM environment, multiple sources with different content can all send to the same multicast destination address.
- GLOP addresses provide a globally unique multicast address range based on autonomous system numbers. As an example, if a company had an autonomous system number of 65000, its globally unique range of multicast IP addresses would be 233.253.232.0 through 233.253.232.255. The autonomous system number is used to calculate the second and third octets in this address range. First, convert the autonomous system number to hexadecimal (that is, 65000 in decimal equals FD-E8 in hexadecimal). FD in hexadecimal equals 253 in decimal, and E8 in hexadecimal equals 232 in decimal. The first octet of a GLOP address is always 233.
- Limited-scope addresses are used for internal multicast applications (that is, traffic that doesn't leave its autonomous system), much like the 10.x.x.x/8 address space is a "private" address space.

IGMP is the protocol used between clients (for example, PCs) and routers to let routers know which of their interfaces have multicast receivers attached. There are three versions of IGMP:

- IGMP Version 1: When a PC wants to join a multicast group, it sends an IGMP Report message to the router, letting the router know it wants to receive traffic for a specific group. Every 60 seconds, by default, the router sends an IGMP Query message to determine whether the PC still wants to belong to the group. Because there is no leave message, there can be up to a three-minute delay before a router realizes that a receiver has left the group. The destination address of this router query is 224.0.0.1, which addresses all IP multicast hosts.
- IGMP Version 2: Similar to IGMP Version 1, except that IGMP Version 2 can send queries to a specific group, and a "leave" message is supported. Specifically, a receiver can proactively send a leave message when it no longer wants to participate in a multicast group, allowing the router to prune its interface earlier.
- IGMP Version 3: Offers the same features as IGMP Version 2, except that IGMP Version 3 supports SSM, which allows a multicast group member to request traffic from a specific host's IP address.

Only members of a multicast group receive packets destined for that group. However, the sender does not need to be a member of the group. Multicast traffic flows from a source to a destination over a "distribution tree," which is a loop-free path. The two types of distribution trees are as follows:

- Source distribution tree: A source distribution tree creates an optimal path between each source router and each last-hop router (that is, a router connected to a receiver), at the expense of increased memory usage, as shown in Figure 10-4.
FIGURE 10-4 Source Distribution Tree: Source 1 and Source 2, each behind its own source router, both send to 225.1.2.3; a separate shortest path is built from each source router to the last-hop router serving a receiver that is a member of 225.1.2.3.
- Shared distribution tree: A shared distribution tree creates a shared tree from a central rendezvous point (RP) router to all last-hop routers, with source distribution trees being created from all sources to the RP, at the expense of increased delay, as shown in Figure 10-5.

To combat the issue of receiving duplicate packets, Cisco routers perform a reverse path forwarding (RPF) check to determine whether a multicast packet is entering the router on the correct interface. An RPF check examines the source address of an incoming packet and looks it up in the router's unicast routing table to see which interface would be used to reach the source network. If the multicast packet arrived on that interface, the RPF check passes and the packet is forwarded. If the packet arrived on a different interface, the RPF check fails and the packet is discarded, as illustrated in Figure 10-6.
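The RPF check described above, modeled in Python as an added example (editor-supplied illustration code, not code from the Quick Reference or from Cisco IOS). The routing table entries, interface names and class name are assumptions for the example; the lookup uses a longest-prefix match against a unicast table, which is what a real RIB lookup does, and the forwarding step never replicates a packet back out the interface it arrived on.

```python
import ipaddress


class MulticastRouter:
    """Minimal model of the unicast RIB lookup behind a PIM RPF check."""

    def __init__(self, routes):
        # routes: iterable of (prefix, interface). Longest prefix wins, as in a real RIB.
        self.rib = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def rpf_interface(self, source):
        """Interface the unicast table would use to reach `source`, or None if unroutable."""
        src = ipaddress.IPv4Address(source)
        for network, iface in self.rib:
            if src in network:
                return iface
        return None

    def rpf_check(self, source, ingress):
        """Pass only when the packet arrived on the interface that leads back to its source."""
        expected = self.rpf_interface(source)
        return expected is not None and expected == ingress

    def forward(self, source, ingress, outgoing_interfaces):
        """Replicate to the group's outgoing interface list, never back out the ingress.

        Returns [] when the RPF check fails, i.e. the packet is discarded.
        """
        if not self.rpf_check(source, ingress):
            return []
        return [iface for iface in outgoing_interfaces if iface != ingress]


if __name__ == "__main__":
    # Constructed routing table matching Figure 10-6: 10.0.0.0/8 is reachable via S0/0.
    router = MulticastRouter([("10.0.0.0/8", "S0/0"), ("10.2.0.0/16", "S0/1"), ("0.0.0.0/0", "Gi0/0")])
    print(router.rpf_check("10.1.1.1", "S0/0"))   # True
    print(router.rpf_check("10.1.1.1", "S0/1"))   # False
```

Two caveats worth keeping in mind: on a PIM-SM shared tree the RPF lookup is performed toward the RP address rather than the source, so this model applies as written only to source trees; and because the check discards packets whose claimed source is not reachable via the arrival interface, it also drops many spoofed-source multicast packets, much as unicast RPF (uRPF) does for unicast traffic, although that is a side effect and not a substitute for the source controls discussed later in the chapter.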
FIGURE 10-5 Shared Distribution Tree: Source 1 and Source 2 both send to 225.1.2.3; each source router forwards toward the rendezvous point (RP), and a single shared tree runs from the RP to the last-hop router serving a receiver that is a member of 225.1.2.3.

FIGURE 10-6 Reverse Path Forwarding Check: the router's unicast routing table lists network 10.0.0.0/8 via interface S0/0. A multicast packet from the video server (a source in 10.0.0.0/8) arriving on S0/0 passes the RPF check and is forwarded toward Receiver 10.1.1.1; the same packet arriving on S0/1 fails the RPF check and is discarded.
When a Layer 2 switch receives a multicast frame on an interface, by default the switch floods the frame out all other interfaces. To prevent this behavior, the switch needs to know which interfaces are connected to receivers for specific multicast groups. One approach to training the switch is IGMP snooping. IGMP snooping allows a switch to determine on its own which interfaces are connected to receivers for specific multicast groups by eavesdropping on the IGMP traffic exchanged between clients and routers.
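The snooping behavior just described, together with the IGMP membership timing from the version descriptions above (a 60-second query interval, up to three unanswered queries before a silent receiver is dropped, and the IGMPv2 Leave that prunes immediately), as an added Python model. This is editor-supplied illustration code, not code from the Quick Reference or from any Cisco switch; the class name, the message dictionaries and the port numbers are assumptions for the example, and flooding of groups with no known members is a modeling choice (real switches may instead drop unregistered groups, depending on platform and configuration).

```python
import ipaddress

QUERY_INTERVAL = 60                      # seconds between General Queries (the default in the text)
MEMBERSHIP_TIMEOUT = 3 * QUERY_INTERVAL  # three unanswered queries before a silent host is dropped
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # never constrained: routing protocols live here


class IgmpSnoopingSwitch:
    """Per-VLAN snooping state: which ports want which group, and where the querier is."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.router_ports = set()   # ports on which IGMP Queries were seen (mrouter ports)
        self.members = {}           # group -> {port: expiry time}

    def observe(self, now, port, msg):
        """Feed one snooped IGMP message. msg is a dict: type and (for reports/leaves) group."""
        kind = msg["type"]
        if kind == "query":
            self.router_ports.add(port)
        elif kind == "report":          # v1/v2 Membership Report (also the answer to a Query)
            self.members.setdefault(msg["group"], {})[port] = now + MEMBERSHIP_TIMEOUT
        elif kind == "leave":           # v2 Leave Group: prune this port without waiting for timeout
            self.members.get(msg["group"], {}).pop(port, None)
        else:
            raise ValueError(f"unknown IGMP message type {kind!r}")
        self._expire(now)

    def _expire(self, now):
        """Drop ports whose membership was not refreshed within MEMBERSHIP_TIMEOUT."""
        for group in list(self.members):
            live = {p: exp for p, exp in self.members[group].items() if exp > now}
            if live:
                self.members[group] = live
            else:
                del self.members[group]

    def egress_ports(self, now, ingress, group):
        """Ports a multicast frame for `group` arriving on `ingress` is replicated to."""
        self._expire(now)
        if ipaddress.IPv4Address(group) in LINK_LOCAL or group not in self.members:
            # Link-local groups, and groups nobody has reported, are flooded like a
            # broadcast in this model.
            out = set(self.ports)
        else:
            out = set(self.members[group]) | self.router_ports   # receivers plus the querier
        out.discard(ingress)
        return sorted(out)


if __name__ == "__main__":
    # Constructed scenario: querier on port 1, receiver on port 3 that goes silent.
    sw = IgmpSnoopingSwitch(ports=[1, 2, 3, 4])
    sw.observe(0, 1, {"type": "query"})
    sw.observe(0, 3, {"type": "report", "group": "224.1.1.1"})
    print(sw.egress_ports(1, 1, "224.1.1.1"))     # [3]
    print(sw.egress_ports(181, 1, "224.1.1.1"))   # [2, 3, 4]: membership timed out, back to flooding
```

The scenario shows why the text flags the three-minute window: a receiver that simply disappears keeps receiving (and keeps the port receiving) until its membership expires, whereas a receiver that sends a Leave is pruned at once.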
Protocol Independent Multicast Design
The Protocol Independent Multicast (PIM) protocol is a router-to-router protocol used by Cisco routers to achieve a loop-free topology. The three main types of PIM are as follows:

- PIM Any-Source Multicast (ASM): ASM is a new name for the classic PIM Sparse Mode (PIM-SM) technology and is the most popular multicast type deployed today. Specifically, ASM allows routers to explicitly request to join a tree using a shared distribution tree approach, and then performs SPT switchover, allowing receiver routers to form a shortest path tree with the source routers, thus creating optimal pathing.
- Bidirectional PIM (Bidir PIM): Bidir PIM uses shared distribution trees to more efficiently support many-to-many applications.
- Source Specific Multicast (SSM): Supported by IGMP Version 3, SSM uses source distribution trees and allows a multicast group member to request a specific host IP address from which it wants to receive traffic. This approach eliminates the need for an RP.

When an RP is required (that is, when ASM or Bidir PIM is being used), designers can select from among the following four technologies for deploying an RP:

- Anycast RP: Uses multiple routers in a PIM-SM network to offer RP load sharing and redundancy, where two RPs act as hot backups to each other
- Static RP addressing: Requires that all routers pointing to an RP be statically configured with the RP's IP address
- Auto-RP: Uses the multicast address 224.0.1.39 to dynamically announce an RP's IP address to routers (a mapping agent then distributes the chosen RP to all routers on 224.0.1.40)
- BSR: Uses PIM Version 2 to offer a vendor-independent solution for dynamically selecting an RP
Securing IP Multicast Networks
When designing IP multicast networks, additional security considerations apply. Whereas unicast routing maintains only a unicast routing table, IP multicast routing relies on multicast state information, which is maintained in the multicast routing table in addition to the unicast routing table.

Unicast routing can use technologies such as access control lists (ACL) or firewalls to protect traffic. These technologies can prevent one device from sending traffic to another device. With IP multicast routing, however, traffic is sent to a multicast group rather than to a specific device. Therefore, a major IP multicast security consideration is protecting multicast receivers from unknown senders. Fortunately, SSM prevents an unknown host from sending to a multicast receiver, because with SSM a multicast receiver joins a specific (source, group) pair rather than the group alone. Also, with Any-Source Multicast, a receiver is exposed to traffic injected into a multicast group only if it has joined that group.

To limit how far IP multicast traffic propagates within a network, scopes can be used to set boundaries for the traffic. In addition, IP multicast traffic can be constrained using time-to-live (TTL) thresholds. Beyond that, consider the following approaches for securing IP multicast networks:

- Packet filter based access control: Typically used for inbound traffic, packet filter based access control can filter traffic before IP multicast routing occurs.
- Host receiver side access control: Individual IP multicast groups can be filtered out of IGMP membership report messages using host receiver side access control.
- PIM-SM source control: PIM-SM source control denies unauthorized sources from registering with an RP.
- Disabling multicast groups: Individual IP multicast groups or a range of IP multicast groups can be administratively enabled, and traffic for other groups can be dropped.
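The controls in this section (inbound packet filtering, an administrative scope boundary, a TTL threshold, receiver-side IGMP filtering, PIM-SM source control at the RP, and enabling only specific groups) combined into one policy model, as an added Python example. This is editor-supplied illustration code, not code from the Quick Reference or from Cisco IOS; the class name, the order in which the checks run, the address ranges and the sample packets are assumptions made for the example, and the packets are constructed rather than captured.

```python
import ipaddress


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def _in_any(address, networks):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


class MulticastEdgePolicy:
    """The controls from the text, applied at one router that borders an untrusted domain."""

    def __init__(self, enabled_groups, scoped_groups=("239.0.0.0/8",),
                 ttl_threshold=0, permitted_sources=("0.0.0.0/0",),
                 authorized_senders=None):
        self.enabled_groups = _networks(enabled_groups)        # "disabling multicast groups"
        self.scoped_groups = _networks(scoped_groups)          # administrative scope boundary
        self.ttl_threshold = ttl_threshold                     # TTL threshold on the interface
        self.permitted_sources = _networks(permitted_sources)  # inbound packet filter (ACL)
        # PIM-SM source control: group range -> source prefixes allowed to register at the RP
        self.authorized_senders = {
            ipaddress.ip_network(g): _networks(s) for g, s in (authorized_senders or {}).items()
        }

    def admit_packet(self, source, group, ttl):
        """Data-plane decision for one inbound multicast packet: (forward?, reason)."""
        if not _in_any(source, self.permitted_sources):
            return False, "source denied by packet filter"        # before any multicast routing
        if _in_any(group, self.scoped_groups):
            return False, "group is inside the administrative scope boundary"
        if ttl <= self.ttl_threshold:
            return False, "TTL at or below interface threshold"   # only TTL > threshold crosses
        if not _in_any(group, self.enabled_groups):
            return False, "group not enabled on this router"
        return True, "forwarded"

    def admit_igmp_report(self, group):
        """Host receiver side control: drop membership reports for groups that are not enabled."""
        return _in_any(group, self.enabled_groups)

    def admit_register(self, source, group):
        """PIM-SM source control at the RP: unknown senders cannot register. Default deny."""
        grp = ipaddress.ip_address(group)
        for group_range, sources in self.authorized_senders.items():
            if grp in group_range:
                return _in_any(source, sources)
        return False


def evaluate(policy, packets):
    """Run a batch of packets through the policy; returns the decision reasons in order."""
    return [policy.admit_packet(p["src"], p["grp"], p["ttl"])[1] for p in packets]


# Constructed sample traffic (not captured data): one legitimate stream and four packets
# that should each trip a different control.
SAMPLE_PACKETS = [
    {"src": "10.1.1.10",    "grp": "224.1.1.1", "ttl": 32},   # authorized video source
    {"src": "10.1.1.10",    "grp": "239.1.1.1", "ttl": 32},   # admin-scoped: must stay inside
    {"src": "10.1.1.10",    "grp": "224.1.1.1", "ttl": 8},    # TTL too low to cross the boundary
    {"src": "198.51.100.7", "grp": "224.1.1.1", "ttl": 64},   # outside source, filtered first
    {"src": "10.1.1.10",    "grp": "224.9.9.9", "ttl": 32},   # group never enabled
]

EDGE_POLICY = MulticastEdgePolicy(
    enabled_groups=("224.1.0.0/16",),
    ttl_threshold=16,
    permitted_sources=("10.0.0.0/8",),
    authorized_senders={"224.1.0.0/16": ("10.1.1.0/24",)},
)

if __name__ == "__main__":
    for packet, reason in zip(SAMPLE_PACKETS, evaluate(EDGE_POLICY, SAMPLE_PACKETS)):
        print(packet["src"], packet["grp"], packet["ttl"], "->", reason)
```

Each method corresponds to one control on a Cisco IOS router: an inbound ACL and `ip multicast boundary` and `ip multicast ttl-threshold` on the interface for the packet checks, `ip igmp access-group` on the interface for the receiver-side check, and `ip pim accept-register` for the RP's source control. The register check only matters for ASM and Bidir PIM; with SSM the receiver's (source, group) join already excludes unknown senders, as the text notes.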
CHAPTER 11 Designing Voice over WLAN Networks
Both wireless LAN (WLAN) and VoIP technologies are growing in popularity in today's enterprise networks. Interestingly, these diverse technologies can be used in tandem to provide VoIP services for wireless clients. This chapter considers the design of Voice over Wireless LAN (VoWLAN) networks, including such topics as the need for VoWLANs, performing site surveys, and core infrastructure requirements.
Introduction to VoWLAN Technologies
A WLAN contains access points (with which wireless devices communicate), antennas (which help determine the wireless coverage areas), and wireless endpoints (such as a laptop containing a wireless network interface card). Cisco offers a suite of wireless technologies that fall under the umbrella of the Cisco Unified Wireless Network. An example of a wireless network, demonstrating various wireless bridging methods, is illustrated in Figure 11-1. Elements of a Cisco Unified Wireless Network include mobility services, network management services, network unification, access points, and client devices.

Motivations to offer VoWLAN services include the widespread deployment of WLANs in enterprise networks and the enhanced communication features offered by VoIP, in addition to productivity and cost benefits. Although some might argue that cell phones provide an alternative solution for mobile communications, VoWLAN services offer access to a wider range of enterprise voice applications (for example, access to a corporate phone directory).

However, a VoWLAN designer must understand the stringent requirements of VoIP. Specifically, if VoIP packets experience excessive packet drops, jitter (that is, variation in interpacket arrival times), or delay, the voice quality will be considered unacceptable by the end users. The ITU-T G.114 recommendation offers one example of a VoIP design guideline. Specifically, G.114 states that the maximum one-way delay for a VoIP packet should not exceed 150 ms. Fortunately, Cisco offers an array of quality of service (QoS) solutions that can help minimize packet loss, jitter, and overall delay for voice traffic.
FIGURE 11-1 Cisco Unified Wireless Network Example
Cisco uses the term Cisco voice-ready architecture to describe its end-to-end solution for WLANs that can transmit VoIP traffic while maintaining voice quality. The four primary components of the Cisco voice-ready architecture are as follows:

- VoWLAN clients: For example, wireless IP phones
- Voice-ready WLAN: A WLAN capable of prioritizing voice traffic
- Unified wired/wireless LAN infrastructure: The combination of wireless and wired network components that provide end-to-end connectivity for VoWLAN clients
- Cisco Unified Communications and mobility applications: A collection of Cisco software and hardware products that offer a feature-rich IP telephony environment
Provisioning for VoWLAN Coverage
Wireless LANs need seamless coverage throughout the areas where VoWLAN clients might roam. Fortunately, the Cisco Unified Wireless Network offers a variety of products for ensuring appropriate coverage. As a VoWLAN client roams from one cell of coverage to another, the signal quality might vary. To maintain a more consistent call quality, Cisco recommends the following radio frequency (RF) parameters:

- Wireless signal strength of –67 dBm or greater
- A maximum packet error rate of 1 percent
- A minimum signal-to-noise ratio (SNR) of 25 dB
A wireless access point shares bandwidth among its clients. Additional bandwidth per client can be achieved by adding access points. However, to prevent RF interference, adjacent wireless access points should use different frequencies (that is, channels), and those channels should be nonoverlapping. Nonoverlapping channels extend coverage while maintaining available bandwidth. The three nonoverlapping channels commonly used in North America are channels 1, 6, and 11. To provide continuous coverage as wireless devices roam from one cell to another, Cisco recommends a 15 percent to 20 percent cell coverage overlap. Although multiple IEEE 802.11 implementations exist for wireless networking (for example, 802.11a, 802.11b, and 802.11g), 802.11a often serves as an appropriate choice for VoWLANs. Specifically, 802.11a suffers less RF interference from other sources, such as cordless phones, and 802.11a supports as many as 14 simultaneous voice calls per wireless access point.
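The channel-reuse rule above (overlapping cells must sit on different nonoverlapping channels) turned into a small planning algorithm, as an added Python example. This is editor-supplied illustration code, not code from the Quick Reference or from any Cisco tool; the access point names and their overlap relation are assumptions for the example, as is the greedy most-constrained-first ordering. It generalizes beyond the text's 2.4 GHz case: pass a different channel tuple for a band with more nonoverlapping channels. The important failure mode is handled explicitly: when more cells overlap each other than there are channels, the planner reports the cells it cannot place rather than silently assigning a conflicting channel.

```python
NONOVERLAPPING_2_4GHZ = (1, 6, 11)   # the three nonoverlapping channels used in North America


def assign_channels(neighbors, channels=NONOVERLAPPING_2_4GHZ):
    """Greedy channel plan for a set of access points whose cells overlap.

    `neighbors` maps each AP to the APs whose coverage cell it overlaps with.
    Returns (assignment, unplaceable): APs are visited most-constrained first and
    get the first channel no already-assigned neighbour uses; an AP whose
    neighbours have consumed every channel is listed in `unplaceable` and left
    as None instead of being given a conflicting channel.
    """
    # Make the overlap relation symmetric so a one-sided survey note still counts.
    adjacency = {ap: set(nbrs) for ap, nbrs in neighbors.items()}
    for ap, nbrs in list(adjacency.items()):
        for other in nbrs:
            adjacency.setdefault(other, set()).add(ap)

    order = sorted(adjacency, key=lambda ap: len(adjacency[ap]), reverse=True)
    assignment, unplaceable = {}, []
    for ap in order:
        in_use = {assignment[n] for n in adjacency[ap] if n in assignment}
        free = [c for c in channels if c not in in_use]
        if free:
            assignment[ap] = free[0]
        else:
            assignment[ap] = None        # needs re-survey: move or re-power this cell
            unplaceable.append(ap)
    return assignment, unplaceable


def channel_conflicts(neighbors, assignment):
    """Verification pass: overlapping AP pairs that ended up on the same channel."""
    conflicts = set()
    for ap, nbrs in neighbors.items():
        for other in nbrs:
            if assignment.get(ap) is not None and assignment.get(ap) == assignment.get(other):
                conflicts.add(tuple(sorted((ap, other))))
    return sorted(conflicts)


if __name__ == "__main__":
    # Constructed floor plan: four APs along a corridor, each overlapping its neighbours.
    corridor = {"AP1": {"AP2"}, "AP2": {"AP1", "AP3"}, "AP3": {"AP2", "AP4"}, "AP4": {"AP3"}}
    plan, unplaceable = assign_channels(corridor)
    print(plan, unplaceable, channel_conflicts(corridor, plan))
    # Four cells that all overlap one another cannot be placed on three channels.
    atrium = {ap: {o for o in "ABCD" if o != ap} for ap in "ABCD"}
    print(assign_channels(atrium))
```

`channel_conflicts` is the check to run against any plan, including one produced by hand or by a controller, before the site survey in the next section is repeated with the access points in place.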
Consider the following design guidelines for a VoWLAN:

- Determine the required coverage area and number of wireless phones to be supported.
- Use at least two wireless access points (operating on nonoverlapping channels).
- The percentage of time that an access point uses a particular channel (as reported in the QoS basic service set [QBSS] load element) should be less than 45 percent.
- The percentage of packets transmitted error-free should be at least 99 percent.
- Antenna diversity, which reduces the number of missed or retried packets, should be used on all access points.
- Do not oversubscribe an access point with too many calls. 802.11b and 802.11g access points support a maximum of seven simultaneous G.711 calls or eight G.729 calls, whereas 802.11a access points can support a maximum of fourteen G.711 calls.

Conducting a site survey is an initial step in designing a VoWLAN. Performing an effective site survey involves the following steps:

1. Determine what type of devices the customer needs to support, the number of devices, the service levels of those devices, and the location of the devices to be supported.
2. Review potential structural elements (walls, stairwells, or elevator shafts) that will impede the propagation of the wireless signal.
3. Identify initial access point locations.
4. With the access points in place, conduct the site survey (which identifies the coverage areas and signal strengths that result from the access point placement).
5. Record the results of the site survey.
VoWLAN Design Requirements
A VoWLAN design requires the designer to consider the following:

- Roaming: Because VoWLAN clients need to maintain connectivity and good voice quality as they roam from one wireless coverage cell to another, the VoWLAN network should support roaming. Cisco wireless devices support various types of roaming, as illustrated in Figure 11-2.

FIGURE 11-2 Types of Wireless Roaming: lightweight access points are joined to wireless LAN controllers over LWAPP; intracluster roaming takes place between access points on the same controller, and Layer 2 roaming (same subnet) or Layer 3 roaming (between subnets) takes place between access points on different controllers.
n Intracluster roaming: A wireless client changes its association from one wireless access point to another wire-
less access point, where both access points are associated with the same wireless LAN controller. n Layer 2 intercontroller roaming: A wireless client changes its association from one wireless access point to
another wireless access point, where the access points are associated with different wireless LAN controllers in the same subnet.
  - Layer 3 intercontroller roaming: A wireless client changes its association from one wireless access point to another wireless access point, where the access points are associated with different wireless LAN controllers in different subnets.
Cisco recommends that voice traffic and data traffic be placed in separate VLANs. This VLAN separation enables the use of various security features and also aids in the prioritization of voice traffic.
- Quality of service (QoS): The IEEE and the Wi-Fi Alliance each have a standard for prioritizing WLAN traffic, specifically the IEEE 802.11e and the Wi-Fi Multimedia (WMM) standards. Whereas the 802.11e standard specifies eight levels of priority, the WMM standard specifies four levels of priority (Platinum [typically used for voice], Gold, Silver, and Bronze).
- Security: VoWLAN security recommendations include the following:
  - Use Extensible Authentication Protocol-Flexible Authentication via Secured Tunnel (EAP-FAST) to provide timely authentication for roaming wireless clients.
  - Use Temporal Key Integrity Protocol (TKIP) to encrypt both voice payload (that is, Real-time Transport Protocol [RTP]) and signaling (that is, Skinny Client Control Protocol [SCCP]) traffic.
  - Use Message Integrity Check (MIC) to verify the integrity of wireless packets.
- Intelligent clients: The Cisco 7921G IP Phone is an example of an intelligent VoWLAN client. The 7921G is flexible in terms of supported radio frequencies (that is, IEEE 802.11a/b/g), and has a long battery life, enhanced security, and QoS mechanisms.
Chapter 12: Cisco IOS Software Network Management Capabilities
Performance, scalability, and availability all can be achieved through the rich set of embedded management functionality found in the Cisco IOS Software. We discuss the implementation of the Cisco IOS Software management instrumentation functionality as part of overall enterprise design.
Built-In Management Capabilities
Large enterprises rely on WAN links, but there are several issues with these, including the following:
- High cost, leading to implementation of low-speed, lower-cost links
- Speed mismatches between LAN and WAN links, leading to congestion, packet loss, and so on
- Real-time applications competing for bandwidth with general data transfer
Cisco IOS Software includes management capabilities through a broad range of show commands and Simple Network Management Protocol (SNMP) access to information. Tools such as Security Device Manager (SDM), Adaptive SDM (ASDM), and web tools for managing single devices are also offered, as are embedded management subsystems such as syslog, NetFlow, Network Based Application Recognition (NBAR), and IP Service Level Agreement (IP SLA).
Cisco application optimization cycle:
1. Create a baseline of application traffic.
2. Meet objectives through optimization.
3. Measure, adjust, and verify the effectiveness of the techniques.
4. Deploy the new applications.
Cisco IOS System Message Logging (syslog): Syslog allows reporting and archiving of error messages locally or on a remote logging server. Syslog messages always begin with a percentage sign (%) followed by a structure that consists of facility, severity, mnemonic, and message text.
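As an added example (not from the Quick Reference), the following parser pulls the facility, severity, mnemonic, and message text out of IOS syslog lines and filters on severity, which is what a collector does before raising an alert. The sample lines are constructed for the example and are not output from any real device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS system message body: %FACILITY-SEVERITY-MNEMONIC: message text
# A sequence number and a timestamp may precede the percent sign, so search
# rather than match from the start of the line.
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class IosMessage:
    facility: str
    severity: int      # 0 = emergencies ... 7 = debugging (lower is more urgent)
    mnemonic: str
    text: str


def parse_ios_syslog(line: str) -> Optional[IosMessage]:
    """Return the structured message, or None if the line is not an IOS system message."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return IosMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def messages_at_or_above(lines, max_severity: int) -> List[IosMessage]:
    """Keep messages whose severity number is max_severity or lower (i.e. at least that urgent)."""
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is not None and msg.severity <= max_severity:
            kept.append(msg)
    return kept


# Constructed sample lines in the IOS format (hypothetical, not real device output).
SAMPLE_LOG = [
    "000123: *Mar  1 00:04:12.311: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "000124: *Mar  1 00:04:20.005: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000125: *Mar  1 00:04:21.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]",
    "000126: *Mar  1 00:04:25.000: %OSPF-6-AREACHG: 10.1.0.0/16 changed from area 0 to area 1",
    "not a system message at all",
]

if __name__ == "__main__":
    for msg in messages_at_or_above(SAMPLE_LOG, 4):
        print(f"{msg.facility}-{msg.severity}-{msg.mnemonic}: {msg.text}")
```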
Working with NetFlow
Embedded within Cisco IOS Software, NetFlow is designed to provide network and security monitoring, traffic analysis, and IP accounting, and to assist with network planning.
NetFlow usage: Used by both service providers and enterprise organizations, although their usage of it may differ. For service providers (SP), it can provide assistance with traffic engineering, network planning, accounting and billing, security monitoring, and information regarding peering arrangements. Enterprises typically use NetFlow for user and Internet access monitoring, application monitoring, charge-back billing for departments, and security monitoring.
Defining a flow: A flow in NetFlow is identified by seven key fields: IP source address, IP destination address, source port number, destination port number, Layer 3 protocol type, type-of-service (ToS) byte, and input logical interface. NetFlow inspects packets for the key field values and compares them to the existing flows in the cache. If the combination of values is unique, a new flow is created in the cache. By examining flows and caching information about unique values, NetFlow-enabled switching can provide scalability and performance based on flow cache management.
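As an added illustration of the flow definition above (example code, not the Quick Reference's or Cisco's), this flow cache keys each packet on the seven fields, creates an entry only for a new key, and then counts flows per source address, which is the simplest form of the security monitoring the text mentions. The packet records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# The seven NetFlow key fields named in the text; two packets belong to the same
# flow only when all seven values match.
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class FlowEntry:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


class FlowCache:
    """Minimal flow cache: each packet is looked up by its key fields and a flow
    entry is created only when that key has not been seen before."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowEntry] = {}

    @staticmethod
    def key_for(pkt: dict) -> FlowKey:
        return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
                pkt["proto"], pkt["tos"], pkt["in_iface"])

    def observe(self, pkt: dict) -> bool:
        """Account one packet; return True when a new flow entry was created."""
        key = self.key_for(pkt)
        created = key not in self.flows
        if created:
            self.flows[key] = FlowEntry(first_seen=pkt["ts"])
        entry = self.flows[key]
        entry.packets += 1
        entry.octets += pkt["length"]
        entry.last_seen = pkt["ts"]
        return created


def flows_per_source(cache: FlowCache) -> Dict[str, int]:
    """Distinct flows per source address: a host opening many short flows to many
    destinations or ports stands out in this count, which is the basic security
    monitoring use of flow data."""
    counts: Dict[str, int] = {}
    for key in cache.flows:
        counts[key[0]] = counts.get(key[0], 0) + 1
    return counts


def pkt(ts, src, dst, sport, dport, proto, tos, iface, length) -> dict:
    return dict(ts=ts, src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport,
                proto=proto, tos=tos, in_iface=iface, length=length)


# Constructed packet records (hypothetical, not a real capture).
SAMPLE_PACKETS = [
    pkt(1.0, "10.1.1.5", "192.0.2.80", 51000, 443, 6, 0, "Gi0/1", 1200),
    pkt(1.1, "10.1.1.5", "192.0.2.80", 51000, 443, 6, 0, "Gi0/1", 900),    # same flow as above
    pkt(1.2, "10.1.1.5", "192.0.2.80", 51001, 443, 6, 0, "Gi0/1", 60),     # new source port: new flow
    pkt(1.3, "10.1.1.5", "192.0.2.80", 51000, 443, 6, 184, "Gi0/1", 200),  # different ToS byte: new flow
    pkt(1.4, "10.1.1.9", "192.0.2.53", 40000, 53, 17, 0, "Gi0/2", 80),     # UDP DNS from another host
]


def build_cache(packets) -> FlowCache:
    cache = FlowCache()
    for p in packets:
        cache.observe(p)
    return cache


if __name__ == "__main__":
    for key, entry in build_cache(SAMPLE_PACKETS).flows.items():
        print(key, entry.packets, "pkts", entry.octets, "octets")
```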
NetFlow Versions
There are a number of NetFlow versions. Older versions (1, 5, 7, 8) support statically defined fields, whereas the newer version (9) supports dynamically defined fields:
- Version 1: Original
- Version 5: Most popular
- Version 7: Supports Cisco Catalyst 6500 switches with a Multilayer Switch Feature Card (MSFC) on CatOS Release 5.5(7) and later
- Version 8: Provides on-router aggregation; choice of 11 aggregation schemes
- Version 9: Flexible, extensible file export format
- IPFIX: IETF standard mechanism for information export
NetFlow Version 9: This version has an export format that allows new fields to be easily inserted. It includes a template that describes what is being exported in the export data sets. A matching ID number is then used to associate templates with the data records.
Flexibility: Network managers have the flexibility to configure which key and nonkey fields define each flow. This helps provide enhanced optimization of network infrastructure while reducing costs and improving capacity planning and security detection.
Deployment of NetFlow: There are a number of Cisco NetFlow products, with solutions available on both Windows and Linux platforms. Deployments vary: smaller deployments use a single server for both reporting and collecting, whereas large-scale deployments often use a two-tier architecture with collectors at key sites.
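To make the template/ID association concrete, here is an added example (not Cisco's or the Quick Reference's code) of a minimal Version 9 collector step: it reads the template FlowSet (ID 0), caches each template by its ID, and decodes data FlowSets only when their ID matches a cached template; a data FlowSet that arrives before its template is skipped. The export packet is constructed in the block using the RFC 3954 field numbers for the key fields discussed above.

```python
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954) for the fields used in this example.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos",
               7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp",
               11: "l4_dst_port", 12: "ipv4_dst_addr"}
Template = List[Tuple[int, int]]  # (field type, field length in bytes)


def decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet: bytes, templates: Dict[int, Template]) -> List[dict]:
    """Walk the FlowSets in one export packet. A template FlowSet (ID 0) updates
    the template cache; a data FlowSet is decoded only when its ID matches a
    template already seen, otherwise it is skipped. Returns the data records."""
    version, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records: List[dict] = []
    pos = 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template FlowSet; may carry several templates
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                templates[tid] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                                  for i in range(nfields)]
                off += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet keyed by template ID
            tmpl = templates[fs_id]
            rec_len = sum(flen for _, flen in tmpl)
            off = 0
            while rec_len and off + rec_len <= len(body):  # trailing bytes are padding
                rec, f_off = {}, off
                for ftype, flen in tmpl:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[f_off:f_off + flen])
                    f_off += flen
                records.append(rec)
                off += rec_len
        pos += fs_len
    return records


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed export packet: template ID 256 followed by a data FlowSet with two
    records that use it. With include_template=False only the data FlowSet is sent,
    which a collector must skip until it has received the template."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (1, 4), (2, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def rec(src, dst, sport, dport, proto, tos, ifidx, nbytes, npkts):  # 24-byte record
        return (socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack("!HHBBHII", sport, dport, proto, tos, ifidx, nbytes, npkts))

    data = (rec("10.1.1.5", "192.0.2.80", 51000, 443, 6, 0, 3, 2100, 2)
            + rec("10.1.1.9", "192.0.2.53", 40000, 53, 17, 0, 4, 80, 1))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3 if include_template else 2, 1000, 1200000000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs
```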
FIGURE 12-1 NetFlow Monitoring
[Figure: IP phones and hosts at several branches, tele-workers, and a data center connected across a wide area network, with NetFlow monitoring applied at the network edges]
Network Based Application Recognition
NBAR can provide organizations with a means of traffic classification. By adding classification to the network, it can deliver more granular identification and control over multiple applications that common quality of service (QoS) mechanisms cannot differentiate.
Characteristics of NBAR:
- Provides full-packet inspection to identify traffic types
- Discovers application protocol statistics on interfaces
- Enables application of QoS policies to traffic flows
The following classification methods are used to identify more than 90 applications and protocols:
- Statically assigned TCP and UDP port numbers
- Dynamically assigned TCP and UDP port numbers
- Sub-port and deep inspection
- Native and nonnative Protocol Description Language Modules (PDLM)
Per-protocol statistics: NBAR Protocol Discovery discovers any protocol traffic supported by NBAR and maintains per-protocol statistics for enabled interfaces with regard to the following:
- Total number of input packets and bytes
- Total number of output packets and bytes
- Input bit rates
- Output bit rates
Cisco IOS AutoQoS and NBAR: There are two different types of AutoQoS. AutoQoS for VoIP creates predefined maps for voice traffic, whereas AutoQoS Enterprise uses NBAR discovery mode to gather traffic statistics and then creates a policy map based on the traffic that was detected, with suggested bandwidth settings per class.
Overview of IP SLA
A service level agreement (SLA) is used by organizations to specify connectivity and performance levels for an end-user service from a provider of that service. The SLA is a contract between the network provider and its customers, or internally between the department responsible for the network and internal corporate customers. Benefits of service level agreements include the following:
- Guarantee regarding service level
- Connectivity and performance are specified with regard to end-user service
- Helps support isolation of problems and network planning
Cisco IOS IP SLA
The Cisco IOS IP SLA, formerly known as Real Time Responder, and before that as the Service Assurance Agent, provides measurements that address a number of functions:
- VoIP, video, and VPN network monitoring
- SLA monitoring
- Edge-to-edge network-availability monitoring
- Network performance monitoring and network performance visibility
- IP service network health readiness or assessment
- Troubleshooting network operation
- Multiprotocol Label Switching (MPLS) network monitoring
Embedded Cisco IOS IP SLA measurements on Cisco network equipment can verify service agreements, validate network performance, improve network reliability, and proactively identify network issues; they can also react to performance metrics with changes to both the configuration and the network.
Understanding IP SLA Operations
An IP SLA operation is a measurement consisting of protocol, frequency, traps, and thresholds. These operations are divided into two classes: those that rely on the IP SLA Responder component running at the target device, and those that do not.
FIGURE 12-2 IP SLA with Responder
[Figure: message exchange between an IP SLA source and an IP SLA Responder. Control phase: the source sends a control message over UDP port 1967 (IP SLA control) asking the responder to open UDP port 2020; the responder answers OK and starts listening on UDP port 2020. Probing phase: the source sends test packets (IP SLA test) to UDP port 2020; when the operation is done, the responder stops listening.]
IP SLA source: Defined as the device that sends data for the operation. This may or may not be a Cisco IOS Software device; regardless, the IP SLA source stores the results in a MIB.
Active measurement: In contrast to NetFlow, which passively monitors the network, Cisco IOS IP SLA measurements actively send data across the network to measure performance between multiple network locations, either hop by hop or across end-to-end network paths.
Deploying IP SLA: To deploy IP SLA effectively, processing power should be considered, particularly when a large amount of switched traffic passes through an IP SLA source. To assist with this, shadow routers can be dedicated to sourcing Cisco IOS IP SLA operations. Having a dedicated (shadow) router has a number of advantages:
- Separate memory and CPU from the hardware in the switching path
- Easy upgrade of the Cisco IOS Software release on the dedicated router
- Flexibility of management and deployment
- Scalability with a large number of endpoints
If you are working with a large number of sites, a hierarchical strategy might be needed for IP SLA enterprise monitoring.
IP SLA Measurements and Network Management Applications
Cisco IOS IP SLA is supported by a number of vendors in addition to Cisco's own applications. Vendors such as HP, IBM, and Agilent Technologies, among others, work with Cisco IOS IP SLA. Cisco's own CiscoWorks Internetwork Performance Monitor application measures network performance based on the traffic-generation technology within Cisco IOS IP SLA.
When selecting a network management application, you must consider three main things:
- How the application supports provisioning IP SLA operations
- How the network management application supports reporting on IP SLA operations
- Whether the tool supports aggregation of hierarchical measurements for a more scalable set of measurements