
Cisco Press - CCDP ARCH Quick Reference Sheets


Introduction

The Cisco Designing Cisco Network Service Architecture (ARCH) course helps prepare students for the Cisco Certified Design Professional (CCDP) certification. Objectives for the ARCH course include the following:

• Explain Cisco Service-Oriented Enterprise Network Architecture (SONA).

• Discuss how SONA can be used for enterprise network design.

• Illustrate how to design functionality, performance, scalability, and availability into the various functional areas of the enterprise network.

• Review network management, high availability, security, QoS, and IP multicast design considerations.

• Explain design principles for virtual private networks (VPNs) and wireless networks.

These Quick Reference Sheets summarize the main topics presented in the ARCH course materials. The information presented represents the version of content on which exam number 642-873 bases its questions.


© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.

CCDP ARCH Quick Reference by Kevin Wallace and Michael Watkins


CCDP ARCH Quick Reference, by Kevin Wallace and Michael Watkins. ISBN: 9781587054990. Publisher: Cisco Press.


Print Publication Date: 2007/10/26. User number: 927500. Copyright 2007, Safari Books Online, LLC. This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use privilege under U.S. copyright laws (see 17 USC 107) or that otherwise violates the Safari Terms of Service is strictly prohibited.


Chapter 1: Cisco Design Models

This section introduces you to Cisco's Service-Oriented Network Architecture (SONA) framework for network design. In addition, you learn how to use the PPDIOO approach to network design.

Service-Oriented Network Architecture

Cisco recently updated their Architecture for Voice Video and Integrated Data (AVVID) design approach to the Intelligent Information Network (IIN). IIN is a complete architecture that is more all-encompassing than AVVID.

The three phases of constructing an IIN are as follows:

• Integrated transport: Voice, data, and video are all converged onto a single transport.

• Integrated services: Services, such as Voice over IP (VoIP) or storage networking, rely on the underlying network transport mechanisms.

• Integrated applications: Applications (for example, Cisco IP Communicator) leverage services (for example, VoIP), which rely on the network transport.

Cisco's architectural approach to designing an IIN is their SONA framework. Figure 1-1 shows individual IIN components and how those components are categorized by SONA's three layers: (1) Networked Infrastructure Layer, (2) Infrastructure Services Layer, and (3) Application Layer.


SONA offers the following benefits to a network design:

• Functionality: Functions in a way that the design supports organizational requirements

• Scalability: Meets organizational growth demands

• Availability: Makes network services available consistently and reliably

• Performance: Offers acceptable responsiveness, bandwidth utilization, and throughput for applications

• Manageability: Offers administrators control over the network, monitoring of the network, and fault detection within the network

• Efficiency: Meets design objectives within stated financial constraints


FIGURE 1-1 SONA Layers. Application Layer: Business Applications, Collaboration Applications. Interactive Services Layer: Application Networking Services, Infrastructure Services, Adaptive Management Services. Networked Infrastructure Layer: Server, Storage, Clients; Campus, Branch, Data Center, WAN/MAN, Teleworker.


PPDIOO

Cisco categorizes a network's life cycle into six phases identified with the acronym PPDIOO, as follows:

• Prepare: This phase involves determining the network's requirements, formulating a network strategy, and suggesting a conceptual architecture of the network.

• Plan: This phase compares the existing network with the proposed network to help identify tasks, responsibilities, milestones, and resources required to implement the design.

• Design: This phase clearly articulates the detailed design requirements.

• Implement: This phase integrates equipment into the existing network (without disrupting the existing network) to meet design requirements.

• Operate: This phase entails the day-to-day network operation, while responding to any issues that arise.

• Optimize: This phase gathers feedback from the Operate phase to potentially make adjustments in the existing network. Changes might be implemented to address ongoing network support issues.

PPDIOO's life-cycle approach offers the following benefits:

• PPDIOO reduces total cost of ownership (TCO).

• PPDIOO improves network availability.

• PPDIOO allows business networks to quickly respond to changing needs.

• PPDIOO accelerates access to network applications and services.


Designing a network in conjunction with the PPDIOO approach involves three steps:

1. Identify customer requirements.

To identify customer requirements, obtain the following pieces of information:

• Network applications

• Network services

• Business goals

• Constraints imposed by the customer

• Technical goals

• Constraints imposed by technical limitations

2. Identify characteristics of the current network.

To identify characteristics of the current network, perform the following tasks:

• Collect existing network documentation (with the understanding that the documentation might be somewhat dated and unreliable), and interview organizational representatives to uncover information not available in the documentation.

• Conduct a network audit to identify such information as network traffic types, congestion points, and suboptimal routes.

• Supplement the information collected in the two previous tasks by performing a network traffic analysis with tools such as Cisco Discovery Protocol (CDP), Network Based Application Recognition (NBAR), NetFlow, Cisco Networking Services (CNS) NetFlow Collection Engine, Open Source Cacti, Network General Sniffer, WildPackets EtherPeek and AiroPeek, SolarWinds Orion, Wireshark, and remote-monitoring (RMON) probes.


3. Design the network topology.

Using information collected in Steps 1 and 2, you are ready to begin your network design. Although designing a network can be a daunting task, Cisco recommends a top-down design approach that assists the designer by breaking the design process into smaller and more manageable steps. The term top-down refers to beginning at the top of the OSI reference model (that is, the application layer) and working your way down through the underlying layers, as shown in Figure 1-2.


FIGURE 1-2 Top-Down Design Strategy. OSI model, top to bottom: Application (design begins here), Presentation, Session, Transport, Network, Data Link, Physical. Remaining design considerations sequentially address lower layers of the OSI model.

Using a top-down design strategy, as opposed to a bottom-up design strategy (that is, where the design begins at the physical layer of the OSI model and works its way up), provides the following benefits:

• Does a better job of including specific customer requirements

• Offers a more clearly articulated "big picture" of the desired network for both the customer and the designer

• Lays the foundation for a network that not only meets existing design requirements, but also provides scalability to meet future network enhancements


Chapter 2: Network Design Considerations for the Enterprise Campus

This section discusses Cisco design recommendations for an enterprise campus network. These networks need to support evolving technologies such as IP telephony, storage-area networks, content networking, and application networking.

High-Availability Design

Constructing an enterprise campus network using modular building blocks can add to a network's availability, in addition to its scalability. Traditionally, Cisco prescribed a three-layer model for network designers. Those three layers, as shown in Figure 2-1, are as follows:

• Access layer: Typically, wiring closet switches connecting to end-user stations

• Distribution layer: An aggregation point for wiring closet switches, where routing and packet manipulation occur, and also where the campus network interconnects to remote networks

• Core layer: The network backbone where high-speed traffic transport is the main priority


The goals of high availability are to minimize component failures (for example, network links or network endpoints) and to minimize the time required to recover from a component failure. A common design approach for high-availability networks is to fully mesh redundant switches located in the distribution and core layers. Recommended design strategies for maximizing redundancy include the following:

• Alternate pathing: A single path between network devices represents a single point of failure.

• Redundant components: Convergence time for redundant access layer switches can be reduced by using the following:

  • Stateful switchover (SSO): Useful for both Layer 2 and Layer 3 access switches, SSO permits a backup route processor to immediately take over control from a failed primary route processor.


FIGURE 2-1 Three-Layer Hierarchical Model: Core Layer, Distribution Layer, Access Layer.


  • Nonstop forwarding (NSF): Useful for Layer 3 access switches, NSF continues to forward packets after a route processor switchover, until routing convergence completes.

  • Software Modularity Architecture of Cisco IOS Software: Using Cisco IOS Software Modularity Architecture, software patching can be performed without reloading the supervisor engine of a Catalyst 6500 series switch.

Layer 2 Design

Most commonly found at the access layer, Layer 2 components in an enterprise campus network need to be configured for optimal convergence times. Layer 2 devices use the Spanning Tree Protocol (STP) for convergence, but Cisco recommends that the use of STP be avoided because routing protocols (used by Layer 3 devices) can converge faster than STP. However, some situations require the use of STP, for example:

• To support a VLAN that exists on multiple access layer switches

• To protect from loops being created between access layer ports

• To support certain server farm applications

Cisco offers a variety of enhancements to STP:

• PortFast: Allows an access port to bypass STP's listening and learning phases

• UplinkFast: Reduces STP convergence from 50 seconds to approximately 3 to 5 seconds

• BackboneFast: Reduces STP convergence time for an indirect link failure

• LoopGuard: Helps prevent loops that could occur because of a unidirectional link failure, a software failure, or a bridge protocol data unit (BPDU) loss due to congestion

• RootGuard: Prevents an inappropriate switch from being elected as a root bridge

• BPDUGuard: Causes a port configured for PortFast to go into the err-disabled state if a BPDU is received on the port


In addition, a variety of STP implementations are supported on many Cisco Catalyst switches:

• 802.1D: The original version of STP

• Common Spanning Tree (CST): Shares a common spanning-tree topology for multiple VLANs

• Per VLAN Spanning Tree Plus (PVST+): Cisco's proprietary approach to providing a separate spanning-tree topology for each VLAN

• 802.1w: Rapid STP (RSTP), which reduces spanning-tree convergence times

• 802.1s: Multiple Spanning Tree (MST), which allows different VLANs to be mapped to one of multiple STP instances, thus providing optimal pathing for each VLAN without necessitating an STP instance for each VLAN

If STP is used, Cisco recommends the following:

• Use LoopGuard on Layer 2 ports between distribution layer switches.

• Configure RootGuard on distribution layer switch ports that connect to access layer switches.

• Implement UplinkFast on access layer switch ports that connect to distribution layer switches.

• Use BPDUGuard, RootGuard, and PortFast on access layer switch ports that connect to end-user devices.

• Configure UniDirectional Link Detection (UDLD) to detect links that have failed in one direction.

• Implement port security, as needed, to limit the number of MAC addresses that can pass traffic through an access layer switch port.

Layer 2 Catalyst switches also use trunks to carry traffic for multiple VLANs across a single physical connection. Cisco recommends the following best practices for trunks:

• Configure IEEE 802.1Q trunks, as opposed to Inter-Switch Link (ISL) trunks.


• Do not pass traffic over the VLAN configured as the native VLAN.

• Use the transparent VLAN Trunk Protocol (VTP) mode, to prevent corruption of the VLAN database.

• Set the Dynamic Trunk Protocol (DTP) mode to desirable, to dynamically form a trunk between two switches.

• Prune unneeded VLANs from trunks.

• Disable trunking on ports that connect to hosts.
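The STP and trunk recommendations in the two lists above, turned into a configuration audit: this is an added example written for this page (not code from the Quick Reference or from Cisco) that parses a Catalyst-style running-config and reports each recommendation an interface or the global configuration violates. The interface names, VLAN numbers and the sample configuration are constructed for the example.

```python
"""Audit a Catalyst running-config against the campus Layer 2 recommendations
listed above. Example code written for this page, not Cisco's; the interface
names, VLAN numbers and sample configuration are all constructed."""

# Constructed sample: compliant access port (Gi1/0/1), access port missing its
# guards (Gi1/0/2), compliant trunk (Gi1/0/48) and a sloppy trunk (Gi1/0/47).
SAMPLE_CONFIG = """\
vtp mode server
udld enable
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/47
 switchport trunk encapsulation isl
 switchport mode trunk
!
"""

# Lines every end-user-facing access port must carry: trunking disabled,
# PortFast, BPDUGuard, RootGuard and port security (the recommendations above).
ACCESS_REQUIRED = [
    ("switchport mode access", "trunking not disabled on host port"),
    ("spanning-tree portfast", "PortFast missing"),
    ("spanning-tree bpduguard enable", "BPDUGuard missing"),
    ("spanning-tree guard root", "RootGuard missing"),
    ("switchport port-security", "port security missing"),
]
TRUNK_MODES = ("switchport mode trunk", "switchport mode dynamic desirable")


def parse_interfaces(config):
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def vlan_number(cfg, prefix):
    """VLAN number on the interface line starting with prefix, or None."""
    for line in cfg:
        if line.startswith(prefix):
            return int(line[len(prefix):])
    return None


def audit(config):
    """Return sorted (scope, finding) tuples; an empty list means compliant."""
    findings = []
    globals_ = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if "vtp mode transparent" not in globals_:
        findings.append(("global", "VTP mode is not transparent"))
    if not any(l.startswith("udld ") for l in globals_):
        findings.append(("global", "UDLD not enabled"))

    interfaces = parse_interfaces(config)
    trunks = {n: c for n, c in interfaces.items() if any(m in c for m in TRUNK_MODES)}
    access = {n: c for n, c in interfaces.items() if n not in trunks}

    # VLANs that carry end-user traffic; a trunk's native VLAN must not be one.
    user_vlans = {vlan_number(c, "switchport access vlan ") for c in access.values()}
    user_vlans.discard(None)
    for name, cfg in access.items():
        findings += [(name, msg) for req, msg in ACCESS_REQUIRED if req not in cfg]

    for name, cfg in trunks.items():
        if "switchport trunk encapsulation isl" in cfg:
            findings.append((name, "ISL trunk; use 802.1Q"))
        # Catalyst default native VLAN is 1 when none is configured.
        native = vlan_number(cfg, "switchport trunk native vlan ") or 1
        if native == 1:
            findings.append((name, "native VLAN left at default 1"))
        elif native in user_vlans:
            findings.append((name, f"native VLAN {native} is a user VLAN"))
        if not any(l.startswith("switchport trunk allowed vlan") for l in cfg):
            findings.append((name, "no VLAN pruning on trunk"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against a real `show running-config` capture, the checker flags only the host-facing and trunk stanzas it can classify; uplinks to distribution switches (UplinkFast, LoopGuard) are out of its scope.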

When higher bandwidth is needed between two Catalyst switches, you can aggregate multiple links between those switches. This collection of aggregated ports is known as an EtherChannel. An EtherChannel can be dynamically formed using either the Port Aggregation Protocol (PAgP) or the Link Aggregation Control Protocol (LACP).

Layer 3 Design

Layer 3 designs should address the availability and convergence times of Layer 3 networks. Interestingly, campus networks are commonly designed for oversubscription, where the aggregation of downstream links could theoretically send more traffic coming into the Layer 3 device than the device could transmit out over its upstream link(s). Specifically, links between access layer ports and distribution layer ports typically have a 20:1 oversubscription ratio, whereas links between distribution layer ports and core layer ports typically have a 4:1 oversubscription ratio, as illustrated in Figure 2-2.


When a network experiences only periodic congestion, quality of service (QoS) mechanisms can be used to mitigate occasional quality issues. However, if the network experiences sustained congestion, the network needs increased bandwidth on its uplinks. You have two options for increasing uplink capacity:

• Bundling multiple links into a logical EtherChannel.

• Using higher-speed uplink interfaces (for example, 10-Gbps interfaces).

When Cisco Express Forwarding (CEF) is in use, multilayer switches might not automatically load balance across equal-cost paths. Cisco recommends that CEF be tuned to make forwarding decisions based on Layer 4 information (for example, port numbers of flows), in addition to Layer 3 information (for example, source and destination IP addresses). Similar tuning can be performed on an EtherChannel to more efficiently load balance across the individual physical links that make up an EtherChannel bundle.


FIGURE 2-2 Uplink Oversubscription: Access Layer to Distribution Layer, 20:1 oversubscription ratio; Distribution Layer to Core Layer, 4:1 oversubscription ratio.


When designing Layer 3 networks, routing protocols with fast convergence (for example, Enhanced Interior Gateway Routing Protocol [EIGRP] or Open Shortest Path First [OSPF] Protocol) should be used to quickly route around a failure in the network. Cisco routing protocol design recommendations include the following:

• Interconnect Layer 3 devices using a triangle topology, as opposed to a square topology.

• Form peering relationships only on transit links, as opposed to through the access layer.

• Summarize routes on links connecting distribution layer switch ports to core layer switch ports.

Another Layer 3 network design consideration involves providing redundancy for a next-hop device. This default gateway redundancy can be accomplished by using one of the following technologies:

• Hot Standby Router Protocol (HSRP): Cisco proprietary default gateway redundancy method

• Virtual Router Redundancy Protocol (VRRP): A standards-based default gateway redundancy method

• Gateway Load Balancing Protocol (GLBP): Allows multiple routers to act as a single router by sharing a single virtual IP address across multiple MAC addresses

Layer 2 to Layer 3 Boundary Design

Enterprise campus networks can often contain both Layer 2 and Layer 3 components. Care must be taken when designing the boundary that interconnects these Layer 2 and Layer 3 components. Consider the following Layer 2 to Layer 3 boundary design models:

• Layer 2 Distribution Switch Interconnection: Supports VLANs spanning more than one access layer switch

• Layer 3 Distribution Switch Interconnection: Uses a Layer 3 connection between two distribution layer switches and Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and GLBP as a default gateway redundancy protocol

• Layer 3 Access-to-Distribution Interconnection: Extends Layer 3 routing from the distribution layer to the access layer using routing protocols such as EIGRP or OSPF


When best practices are not adhered to during the design of the Layer 2 to Layer 3 boundary in an enterprise campus network, the following issues can result:

• Daisy chaining of access layer switches.

  The daisy chaining of access layer switches can cause black holes if a loopback cable isn't used. By using StackWise technology, which is supported on some Cisco Catalyst platforms, the need for a loopback cable can be eliminated.

• Too much redundancy.

  Having too many links results in an inefficient use of links (many of which are blocked because of STP at any given time). An excessive number of links can prove problematic for troubleshooting.

• Lack of enough redundancy.

• Asymmetric routing (for example, one upstream path and two downstream paths).

Infrastructure Design Considerations
Today's enterprise campus networks support not only data applications but also mission-critical and latency-sensitive applications, such as IP telephony. Therefore, telephony, QoS, and Catalyst switch-based security features must be considered in the design.

Traditional telephony systems boast an availability of 99.999 percent, which equates to only five minutes of downtime peryear. Therefore, IP telephony requires high availability for the network. In addition, to maintain acceptable voice quality,QoS mechanisms are required to treat voice packets with priority over data packets.

The access layer directly impacts IP telephony applications because IP phones connect to the network via the access layer. Some access layer switches can provide power to IP phones. Cisco developed its own method of providing Power over Ethernet (PoE) before an industry standard existed. Later, the IEEE introduced the 802.3af standard. Depending on the platform, a Cisco Catalyst switch might support the proprietary prestandard method or the 802.3af standard.

For a modular Cisco Catalyst chassis, a designer should calculate a power budget to ensure that the chassis' power supply is sufficient to support the PoE demands. Cisco provides a web-based calculator for calculating a power budget, available at http://tools.cisco.com/cpc/launch.jsp. Appropriate username and password credentials are required to access the Cisco Power Calculator.

Many Cisco IP Phones have an additional Ethernet port that supports the connection of a PC, allowing the PC to connect to the IP Phone, which then connects to the access layer switch. Even though the voice packets from the IP Phone and the data packets from the attached PC are transmitted in separate VLANs, the Catalyst switch port does not need to be in trunk mode. Rather, the port can be a multi-VLAN access port. The voice VLAN is called the auxiliary VLAN, and the native VLAN is used to transmit data from the attached PC.

IP telephony can also benefit from QoS mechanisms. QoS classifies traffic into classes, and each class can be placed in a separate queue. Therefore, the queue containing FTP traffic, for example, might be overflowing while the queue containing voice traffic is not.

QoS not only provides priority treatment to selected applications; network attacks (for example, distributed denial-of-service [DDoS] attacks) can sometimes be mitigated by QoS mechanisms such as policing and rate limiting of traffic classes.

Numerous other security features are offered by Cisco Catalyst Integrated Security, including the following:

n Port security: Limits the MAC addresses a port may learn; mitigates MAC flooding (CAM table overflow) attacks

n DHCP snooping: Accepts DHCP server messages only on trusted ports, protecting clients from a rogue DHCP server and the switch from DHCP-based attacks, and builds a binding table of IP address, MAC address, VLAN, and port from legitimate leases

n Dynamic ARP inspection: Validates ARP packets against the DHCP snooping binding table, blocking ARP spoofing and poisoning

n IP Source Guard: Uses the DHCP snooping binding table to track IP address-to-port associations and drop packets with spoofed source IP addresses
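The four features above are easiest to understand as one data flow: DHCP snooping decides which ports may speak as a DHCP server and records the leases it sees, and that binding table is then the ground truth for Dynamic ARP Inspection and IP Source Guard. The following Python model is an added example, not Cisco code and not a description of any particular switch's implementation; the switch, port names, hosts, and packets are all constructed for the demonstration, and the behaviour on a violation (drop versus shutdown) is simplified to a boolean.

```python
"""Model of how the Catalyst Integrated Security features relate.

Added example, not Cisco code. The DHCP snooping binding table
(IP, MAC, VLAN, port) learned from leases seen on trusted uplinks feeds
Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG); port security
caps the MACs learned per port. Ports, hosts and packets are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted_ports: frozenset = frozenset()            # uplinks toward the real DHCP server
    max_macs_per_port: int = 1                        # port-security maximum
    bindings: set = field(default_factory=set)        # DHCP snooping binding table
    learned_macs: dict = field(default_factory=dict)  # port -> set of secure MACs

    def port_security_allows(self, port: str, src_mac: str) -> bool:
        """Port security: a port may learn at most max_macs_per_port source MACs;
        any further MAC is a violation (shutdown/restrict/protect on real gear)."""
        if port in self.trusted_ports:
            return True
        seen = self.learned_macs.setdefault(port, set())
        if src_mac in seen:
            return True
        if len(seen) >= self.max_macs_per_port:
            return False
        seen.add(src_mac)
        return True

    def dhcp_snooping_allows_server_msg(self, port: str) -> bool:
        """DHCP snooping: OFFER/ACK are accepted only from trusted ports, so a
        client on an access port cannot pose as the DHCP server."""
        return port in self.trusted_ports

    def record_lease(self, server_port: str, ip: str, mac: str, vlan: int, client_port: str) -> bool:
        """A lease relayed from a trusted port to a client port creates a binding."""
        if not self.dhcp_snooping_allows_server_msg(server_port):
            return False
        self.bindings.add(Binding(ip, mac, vlan, client_port))
        return True

    def dai_allows(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> bool:
        """DAI: on untrusted ports the ARP sender IP/MAC must match a binding for
        that port and VLAN; anything else is ARP spoofing and is dropped."""
        if port in self.trusted_ports:
            return True
        return Binding(sender_ip, sender_mac, vlan, port) in self.bindings

    def ipsg_allows(self, port: str, vlan: int, src_ip: str, src_mac: str) -> bool:
        """IPSG: IP packets on an untrusted port must carry a source IP/MAC bound
        to that port; anything else is IP spoofing and is dropped."""
        if port in self.trusted_ports:
            return True
        return Binding(src_ip, src_mac, vlan, port) in self.bindings


def run_demo() -> dict:
    """Constructed scenario: two legitimate hosts and one attacker on VLAN 10."""
    sw = AccessSwitch(trusted_ports=frozenset({"Gi1/0/48"}))
    results = {}

    # Legitimate leases arrive via the trusted uplink and create bindings.
    sw.record_lease("Gi1/0/48", "10.1.10.11", "00:11:22:33:44:11", 10, "Gi1/0/1")
    sw.record_lease("Gi1/0/48", "10.1.10.12", "00:11:22:33:44:12", 10, "Gi1/0/2")

    # Rogue DHCP server on an access port: its offer is dropped, no binding is created.
    results["rogue_dhcp_server"] = sw.record_lease(
        "Gi1/0/5", "10.1.10.99", "00:11:22:33:44:12", 10, "Gi1/0/2")

    # ARP: attacker on Gi1/0/5 claims the gateway address 10.1.10.1 (ARP poisoning).
    results["arp_spoof"] = sw.dai_allows("Gi1/0/5", 10, "10.1.10.1", "de:ad:be:ef:00:05")
    results["arp_legit"] = sw.dai_allows("Gi1/0/1", 10, "10.1.10.11", "00:11:22:33:44:11")

    # IP: the host on Gi1/0/2 sends packets using its neighbour's IP as source.
    results["ip_spoof"] = sw.ipsg_allows("Gi1/0/2", 10, "10.1.10.11", "00:11:22:33:44:12")
    results["ip_legit"] = sw.ipsg_allows("Gi1/0/2", 10, "10.1.10.12", "00:11:22:33:44:12")

    # MAC flooding: attacker cycles through source MACs on one port; only one is learned.
    verdicts = [sw.port_security_allows("Gi1/0/5", f"de:ad:be:ef:00:{i:02x}") for i in range(3)]
    results["mac_flood_accepted"] = verdicts.count(True)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20} -> {verdict}")
```

The point the model makes explicit is the dependency chain: if DHCP snooping is not enabled (or the uplink is not marked trusted), no bindings exist, and DAI and IPSG have nothing to validate against, so static hosts need manually configured bindings before those two features can be turned on.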


Chapter 3: Addressing and Routing Design Considerations
Summarizable IP addressing is critical when constructing scalable routed networks. This includes creating specific strategies for designing scalable solutions using Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).

Designing IP Addressing
Good IP addressing design uses summarizable blocks of addresses that enable route summarization, which provides a number of benefits:

n Reduced router workload and routing traffic

n Increased network stability

n Faster convergence

n Significantly simplified troubleshooting

Creating and using summary routes depends on summarizable blocks of addresses. A run of sequential numbers in an octet is summarizable when the block is N numbers in a row, where N is a power of 2, and the first number in the sequence is a multiple of N. The sequence then ends one before the next multiple of N.


Let’s take a look at an example.

Is the range 172.19.128.0 to 172.19.159.0 summarizable?

n 128 to 159 represents a range of 32 consecutive numbers.

n 32 is 2 to the 5th power.

n 128 represents a multiple of 32.

n So in this case, 172.19.128.0 to 172.19.159.0 is summarizable.

To derive the corresponding mask octet, calculate 256 – N.

n 256 – 32 = 224

n 172.19.128.0 mask 255.255.224.0 is the summary prefix.
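The rule just worked by hand (N consecutive values, N a power of 2, first value a multiple of N, mask octet 256 – N) is mechanical enough to check in code. The following is an added example, not part of the ARCH text: summarize_octet_range() applies the rule exactly as stated for one varying octet, and summarize_prefixes() generalises it to any list of prefixes using Python's standard ipaddress module, additionally reporting whether the summary is exact, that is, whether the component prefixes fill it completely. The function names are this example's own.

```python
"""Summarizable-block check and summary prefix derivation.

Added example, not from the ARCH text. Uses only the standard library.
"""
import ipaddress


def summarize_octet_range(fixed_octets: str, first: int, last: int):
    """fixed_octets: the leading octets that do not vary, e.g. '172.19'.
    first/last: the range of the varying octet (128..159 in the text).
    Returns (summary network as 'a.b.c.d/len', mask octet), or None when the
    range is not summarizable under the N / power-of-two rule."""
    fixed = fixed_octets.split(".")
    if not 1 <= len(fixed) <= 3 or not 0 <= first <= last <= 255:
        raise ValueError("need 1-3 fixed octets and a range within 0..255")
    n = last - first + 1
    if n & (n - 1):            # N must be a power of two
        return None
    if first % n:              # the first value must be a multiple of N
        return None
    mask_octet = 256 - n       # the text's 256 - N rule
    pos = len(fixed)           # index of the varying octet
    address = fixed + [str(first)] + ["0"] * (3 - pos)
    mask = ["255"] * pos + [str(mask_octet)] + ["0"] * (3 - pos)
    net = ipaddress.ip_network(".".join(address) + "/" + ".".join(mask), strict=True)
    return str(net), mask_octet


def summarize_prefixes(prefixes):
    """Smallest single prefix covering every input prefix, plus a flag that is
    True only when the inputs fill that summary completely. A False flag means
    the summary also attracts traffic for space the inputs do not cover, which
    is exactly the situation the power-of-two rule is meant to avoid."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    low = nets[0].network_address
    high = max(n.broadcast_address for n in nets)
    summary = nets[0]
    # Widen the first prefix one bit at a time until it spans the whole range.
    while not (summary.network_address <= low and high <= summary.broadcast_address):
        summary = summary.supernet()
    exact = list(ipaddress.collapse_addresses(nets)) == [summary]
    return str(summary), exact


if __name__ == "__main__":
    print(summarize_octet_range("172.19", 128, 159))   # the text's example
    print(summarize_octet_range("172.19", 130, 161))   # 32 values, but 130 is not a multiple of 32
    print(summarize_prefixes([f"172.19.{i}.0/24" for i in range(128, 160)]))
    print(summarize_prefixes([f"172.19.{i}.0/24" for i in range(128, 161)]))
```

The second function is the one to run against an existing allocation before turning on summarization: a summary that is not exact is still valid, but it will pull traffic for undeployed space toward the summarizing router and should be paired with a discard (null) route there.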

Traditionally, IP subnets have been assigned sequentially; however, recent needs have evolved:

n IP phones on auxiliary VLANs.

n More subnets used for Layer 3 to the access layer.

n Wireless LAN addressing.

n Network access control (NAC) assigns one subnet per user role.

n Need for isolation of servers into separate subnets.

Summarizable addressing can support multiple network needs:

n Network Address Translation (NAT) applications

n Virtual private network (VPN) client addressing

n Segregated VLANs for data and voice traffic

n Route summarization via bit splitting


Role-Based Addressing
One approach uses network 10. Using a pattern keyed to Layer 3 closets, such as 10.number_of_closet.VLAN.x/16, a simple scheme can be constructed: the second octet represents the closet (Layer 3 switch), the third octet represents the VLAN, and the fourth octet is for hosts. Alternatively, some or all of the Class B private addressing blocks could be used.

VPN Client Addressing Considerations
Each VPN client pool should correspond to a user role, represented by a separate VPN group. Each VPN group should use a different IP address pool for the logical remote VPN client address.

NAT
Allows private internal addressing to map to publicly assigned addresses where the internal network connects to the Internet.

Recommended Best Practices
n Servers reached via content devices doing Static Network Address Translation (SNAT) or Dynamic Address Translation (DNAT) should be isolated.

n Support out-of-band (OOB) management VLANs in the data center with NAT.

n Where possible, avoid the use of internal NAT or Port Address Translation (PAT).


Designing Advanced Routing Solutions
n Route summarization supports manageable and fast-converging routing.

n Design recommendations:

n To scale routing designs, use summarization.

n Use summarizable blocks for addressing.

Advertise the default route (0.0.0.0/0) dynamically into the rest of the network from the router or routers connected to the Internet service provider.

OSPF stub area variants represent another form of summarization.

n Stub areas reach out-of-area destinations via the default route 0.0.0.0/0.

n With OSPF to IPsec VPN sites, stub areas cannot be used.

Route Filtering
Filtering prefixes ensures that a remote site does not become a transit network.

Principles of Defensive Filtering
n When learning routes from another entity, accept only the routes it should be advertising.

n Filter what you advertise when advertising routes to another entity.

Designing Redistribution
In bidirectional redistribution, filters should be applied to prevent re-advertising information back into the routing protocol region or autonomous system from which it originated.
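Both the defensive-filtering principles and the bidirectional-redistribution rule come down to the same mechanics: a first-match prefix list with an implicit deny, and a tag that marks where a route came from. The following Python is an added example, not from the ARCH text and not IOS code: it evaluates IOS-style ip prefix-list entries (including the ge/le length semantics, which are the part most often got wrong), applies one inbound to what a constructed branch site advertises, and shows a tag check that stops a redistributed route from being sent back into its originating protocol. The list name BRANCH17-IN, the branch's address block, the tag values, and the (prefix, tag) route representation are all this example's own conventions.

```python
"""IOS-style prefix-list evaluation and a redistribution tag guard.

Added example, not from the ARCH text. Prefix-list text, routes and tags
are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # The prefix's leading bits must agree with the entry's network ...
        if prefix.prefixlen < self.network.prefixlen:
            return False
        if prefix.network_address not in self.network:
            return False
        # ... and its length must fall within [ge, le]. With neither given the
        # length must be exact; with only ge given, le is implicitly 32.
        low = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else self.network.prefixlen
        return low <= prefix.prefixlen <= high


def parse_prefix_lists(config: str) -> dict:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines."""
    lists = {}
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        name, seq, action, net, ge, le = m.groups()
        lists.setdefault(name, []).append(Entry(
            int(seq), action, ipaddress.ip_network(net),
            int(ge) if ge else None, int(le) if le else None))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def permitted(entries, prefix: str) -> bool:
    """First matching sequence wins; an unmatched prefix hits the implicit deny."""
    net = ipaddress.ip_network(prefix)
    for e in entries:
        if e.matches(net):
            return e.action == "permit"
    return False


# Constructed inbound policy: branch 17 owns 10.17.0.0/16 and may advertise it
# or subnets down to /24. A default, the enterprise-wide summary, or someone
# else's space must never be accepted from that site (it would become transit).
BRANCH17_IN = """
ip prefix-list BRANCH17-IN seq 5 permit 10.17.0.0/16 le 24
ip prefix-list BRANCH17-IN seq 10 deny 0.0.0.0/0 le 32
"""


def accept_from_branch(advertised):
    """Apply BRANCH17-IN to a list of advertised prefixes; return those accepted."""
    entries = parse_prefix_lists(BRANCH17_IN)["BRANCH17-IN"]
    return [p for p in advertised if permitted(entries, p)]


def redistribute(routes, from_tag: int, into_tag: int):
    """Bidirectional redistribution guard. routes: (prefix, tag) tuples from the
    source protocol, tag None for routes native to it. A route already carrying
    into_tag originated in the destination protocol and is dropped rather than
    sent back; everything else is redistributed carrying from_tag so the
    reverse direction can recognise and drop it."""
    out = []
    for prefix, tag in routes:
        if tag == into_tag:
            continue
        out.append((prefix, from_tag if tag is None else tag))
    return out


if __name__ == "__main__":
    print(accept_from_branch(["10.17.1.0/24", "10.17.0.0/16", "10.0.0.0/8", "0.0.0.0/0"]))
    # EIGRP (tag 90) -> OSPF (tag 110): the route tagged 110 came from OSPF and stays out.
    print(redistribute([("10.17.1.0/24", None), ("10.50.0.0/16", 110)], from_tag=90, into_tag=110))
```

Note that the deny entry with "le 32" is what makes the implicit deny visible in show output and hit counters; it changes nothing about what is accepted.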


Migration Between Protocols
n Use the administrative distance (AD) to migrate between routing protocols.

n Use redistribution along with a moving boundary.

Scalable EIGRP
There are a number of considerations when using EIGRP:

n EIGRP can be used to achieve subsecond convergence.

n Multiple EIGRP autonomous systems may be implemented to achieve scalability.

n When the same external route is redistributed into two EIGRP autonomous systems, the route that is installed first is preferred.

n Both inbound and outbound route tags can be used to filter redistribution and support scaling.

FIGURE 3-1 Scaling EIGRP with Multiple Autonomous Systems (RIP, EIGRP AS 100, EIGRP AS 200; routers A, B, and C): A route is redistributed from RIP into AS 200. Router A redistributes routes into AS 100. Router B receives this route from both AS 100 and AS 200. Because the same route is learned through separate routing processes, the first installed route is preferred.


Reasons to consider the use of multiple EIGRP autonomous systems include the following:

n As a migration strategy post merger/acquisition

n Need to support different domains of trust or administrative control

n Provides support for dividing very large networks

Scalable OSPF Design
A number of factors influence the scalability of OSPF:

n Selection of the designated router: Select routers not heavily loaded with CPU-intensive activities.

n Routing information in the area and domain: The larger and more unstable an area is, the more likely performance problems associated with routing protocol recalculation are to occur.

n Number of areas supported by any one router: The link-state algorithm must be run for each link-state change in every area in which the router resides.

n Number of adjacent neighbors for a given router: Link-state changes are flooded to all routers in an area.

Area Design
n Consider geographic or functional boundaries, and match address summarization to areas where possible.

n Use as much summarization as possible, and use stub areas.

n Connected routes should also be advertised via a network statement.


OSPF Hierarchy
n Separate complexity from complexity with an Area Border Router (ABR).

n Place area borders to reduce suboptimal routing and to increase summarization.

To provide route summarization and reduce the link-state advertisement (LSA) database size and flooding in OSPF, consider the following:

n Area filtering.

n Use area ranges per the OSPF RFCs.

n Use summary address filtering.

n Filtering for not-so-stubby-area (NSSA) routes.

n Originating default.

Hub-and-Spoke OSPF Design
Allows every router in an area to receive the same information, but requires additional tuning.

Spoke Areas
These should be as stubby as possible; the fewer spokes in each area, the less flooding redundancy.

Hub
Should be an ABR so that each area can be summarized into the other areas.


Best Approach
Use a small, yet highly stable, area 0 because of the extremely important nature of the backbone area in OSPF.

OSPF Area Border Connection
Dual-homed connections in a hub-and-spoke OSPF network create connections parallel to an area border. There are two possible solutions when connecting the ABRs within each area:

n Add a real link between the ABRs inside the area.

n Add a virtual link between the ABRs inside area 0.

OSPF Area Filtering
Border area filtering and interarea filtering are supported. Border area filtering (RFC 2328) is done using the OSPF area range command. Interarea filtering uses a prefix list to filter the prefixes that are advertised from or to a given area. Prefer RFC-standard border area filtering.

To reduce OSPF flooding:

n Reduce adjacencies for stressed routers.

n Decrease volatility of network.

n Use more hierarchy than large-scale full-mesh topologies.

n Increase number of routers to handle adjacency workload.

n Decrease the number of routers in an area.


OSPF Convergence
You may use several techniques to increase the speed of convergence in OSPF, including the following:

n Fast hellos: Tuned timers converge much faster than default OSPF operation. Use fast hellos only if the number of neighbors is reasonably small, and test and observe their impact on the router's CPU.

n Incremental SPF (iSPF): Uses a modified Dijkstra algorithm that recomputes only the affected part of the shortest path tree, providing faster OSPF convergence and saving CPU resources.

n Bidirectional Forwarding Detection (BFD): Provides fast, reliable detection of link failure using frequent lightweight hello packets.

Design Scalable BGP Solutions
Internal BGP (iBGP) requires a full mesh of peers, which does not scale. There are two alternatives to address this, route reflectors and confederations:

n Route reflectors: A route reflector is an iBGP speaker that reflects routes learned from iBGP peers to other iBGP peers. Use multiple route reflectors to avoid a single point of failure.

n Route reflector client: An iBGP router that sends routes to and receives routes from most other iBGP speakers through the route reflector.

n Route reflector cluster: A route reflector together with its clients.

When a route reflector receives a route from a route reflector client, it reflects the route to the other clients within the cluster, to nonclients, and to external BGP (eBGP) peers. If a route is received from a nonclient, it reflects it to route reflector clients, but not to other nonclients.


n Confederations: Divide the autonomous system into member (sub-) autonomous systems and use the autonomous system path to carry this information in BGP routes, preventing loops within the autonomous system.

Route advertisement with confederations works in a similar fashion to route reflectors:

n Routes learned from an eBGP peer are advertised to all confederation peers, both confederation-internal and confederation-external.

n Routes learned from a confederation-external peer (a peer in another member autonomous system) are advertised to all confederation-internal peers, as well as to eBGP peers.

n Routes learned from confederation-internal peers are advertised to all confederation-external peers, and to eBGP peers, too.

FIGURE 3-2 Scaling BGP Designs: A router that learns 10.2.2.0/24 from an EBGP peer advertises it to its IBGP peers. A router that learns 10.2.2.0/24 from an IBGP peer does not advertise that route to another IBGP peer.


Chapter 4: Design Considerations for Advanced WAN Services
This chapter discusses how advanced WAN technologies based on Layer 1 optical transport or Layer 2 and Layer 3 services can impact the enterprise design. Metro Ethernet, Virtual Private LAN Service (VPLS), and Multiprotocol Label Switching (MPLS) virtual private network (VPN) technologies are considered. Customer requirements and service level agreements (SLA) as a function of a WAN design are also discussed.

Constructing WANs Using Optical Technologies

FIGURE 4-1 Optical Interconnection Technologies: Layer 1: SONET/SDH and DWDM/CWDM; Layer 2: DPT/RPR.


A number of common optical interconnection technologies are used to connect enterprise locations:

n SONET/Synchronous Digital Hierarchy (SDH): The high-speed baseband digital transport standards (SONET in North America, SDH internationally) that specify increasing data stream rates for movement across optical links

n Dense wavelength-division multiplexing (DWDM)/coarse wavelength-division multiplexing (CWDM): Technologies that increase the information-carrying capacity of existing fiber-optic infrastructure by transmitting and receiving data on different wavelengths over a single strand of fiber

n Dynamic Packet Transport (DPT)/Resilient Packet Ring (RPR): Designed for service providers (SPs) to deliver scalable Internet service and reliable IP-aware optical transport with simplified network operations for metropolitan-area network (MAN) applications

Technical Specifications for SONET
SONET uses time-division multiplexing (TDM) to frame voice and data onto a single wavelength of fiber.

n Typically uses fiber rings and can cover a distance of 80 km without the need for repeaters.

n SONET access equipment can statistically multiplex 10-Mbps Ethernet, Fast Ethernet, or Gigabit Ethernet onto a SONET circuit.

Questions to ask an SP when considering SONET include the following:

n What path is followed by your service?

n Are end-to-end SONET rings used to provide the service?

n How much bandwidth is dedicated for my specific use?


Wavelength-Division Multiplexing (WDM)
A multiplexer places multiple optical signals, each on a different wavelength, onto one fiber, and a demultiplexer at the receiver splits them off again. The types of WDM are as follows:

n CWDM: An optical technology that may be used to transmit up to 16 channels over the same fiber strand.

n DWDM: Similar to CWDM, but it spaces the wavelengths more tightly, allowing up to 160 channels.

RPR Technologies
RPR is a Layer 2 transport architecture that provides packet-based transmission over a dual counter-rotating ring topology.

It is similar to Cisco Spatial Reuse Protocol (SRP), which is implemented in the Cisco Dynamic Packet Transport (DPT) products.

For enterprise customers, RPR is seen as a transport ring that supports connections between their locations while overcoming some of the limitations of SONET/SDH.

Metro Ethernet

Metro Ethernet is based on the Ethernet standard but supported across a metropolitan area. Metro Ethernet uses a combination of Ethernet, optical, and IP technologies in the metropolitan area. An SP might use SONET/SDH rings or point-to-point links, WDM, or RPR technologies for their Metro Ethernet architecture.

Implementation of Metro Ethernet service may be based on one or more of the following approaches:

n A pure Ethernet MAN uses only Layer 2 switches for all internal structure.

n MPLS-based Metro Ethernet uses Layer 2 MPLS VPNs in the SP network.

n SONET/SDH-based Metro Ethernet networks may be used as an intermediate step in the transition from a traditional, time-division-based network to Ethernet.


The Cisco Metro Ethernet solution relies on an existing SONET/SDH network, switched Ethernet network, or IP MPLS network. The Cisco Optical Metro Ethernet solution supports numerous Metro Ethernet Forum (MEF) service types, including the following:

n Ethernet Wire Service (EWS)

n Ethernet Multipoint Service (EMS)

n Ethernet Private Line (EPL)

n Ethernet Relay Service (ERS)

n Ethernet Relay Multipoint Service (ERMS)

End-to-end quality of service (QoS) is possible with Metro Ethernet, and is supported by an SP through the use of 802.1Q tunneling. An example of this type of 802.1Q encapsulation is a large SP using Ethernet over MPLS to break up VLAN domains with a routed domain in the middle.

VPLS

VPLS is composed of a Layer 2 VPN that connects two or more customer devices using Ethernet bridging techniques. The VPLS emulates an Ethernet switch, where each Ethernet Multipoint Service (EMS) instance is analogous to a VLAN. Two draft standards exist for this, but they are incompatible:

n RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling

n RFC 4762: Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling

Hierarchical VPLS (H-VPLS) can be used to build a stable, scalable network infrastructure. Scaling with H-VPLS is provided by only interconnecting the core MPLS Network Provider Edge (N-PE) routers with a full mesh of pseudowires (PW). An advantage of this approach is that the core of the network is an MPLS network, which may be used for transport of Layer 3 MPLS VPN and other traffic.


An SP’s VPLS design should address three major scaling factors:

n Scaling of the full mesh of PWs between Provider Edge (PE) devices

n Replication and forwarding of frames

n Size of MAC address table

Routing Implications with EMS or VPLS

When using OSPF routing for the design of an EMS or VPLS network, the following issues must be considered:

n A multiaccess network may have inconsistent broadcast or multicast performance.

n Peer adjacencies should be limited.


FIGURE 4-2 H-VPLS (figure: U-PE and N-PE devices connected by GE links, pseudowires (PW) across the MPLS core, with Ethernet MPLS edge attachments as a GE ring and as point-to-point links)


VPLS Availability

Availability is provided via PWs that will automatically route traffic along available backup paths in the event of a failure. When redundant PWs from redundant devices are used, a failure might require aging of MAC addresses followed by unicast flooding, resulting in lost packets and an increase in traffic that would negatively impact customer traffic.

MPLS VPN

MPLS VPNs provide customer VPNs across an MPLS backbone. This represents an alternative to Metro Ethernet services. The make-up of MPLS VPNs varies depending on whether they are implemented at Layer 3 or Layer 2.

Design considerations for MPLS VPNs include the following:

n Who does the routing?

n Who manages the Customer Edge (CE) devices?

n How many MPLS VPN providers should be used?

n Will QoS be required?

n Is there support for IP multicast?

Implementing Advanced WAN Services

Factors to be considered when selecting advanced WAN services include the following:

n Existing services characteristics

n Mitigation of risk

n Partnership with SP via appropriate SLA


Features and Requirements of the WAN

Advanced WAN designs should support customer requirements and take into account such things as these:

n IP multicast support

n QoS support

n Routing and VLAN impact

n Security services

n Management services and reports

Service Level Agreements

An SLA is a statement of intent from the provider and represents the level of service they are willing and able to provide, along with any conditions surrounding this level of service.

The following are common managed service metrics:

n Mean time to repair (MTTR)

n Mean time between failures (MTBF)

Customers should log outage details and use these to provide timely and clear communication with the SP.

Technical metrics measured in SLAs include packet loss, latency, jitter, and IP availability.

Network status should be monitored by the customer to track how well the SP is doing at meeting the terms agreed upon in the SLA. Take measurements to define a network service baseline and regularly review the SP's measurements of the SLA performance. Ongoing internal measurements should also be taken to validate the SP data and to provide evidence of network issues should they arise.
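The following is an added example, not from the Cisco Press text, of how a customer can derive the SLA metrics named above (MTTR, MTBF, availability, packet loss, latency, jitter) from its own outage log and probe measurements and compare them with the SLA targets. The outage entries, probe samples, SLA targets and function names are all constructed for illustration; the jitter definition (mean absolute change between consecutive samples) is this example's own simplification.

```python
"""Added example, not from the Cisco Press text: derive SLA metrics from
customer-side records and compare them with assumed SLA targets. The outage
log, probe samples, targets and function names are all constructed."""
from datetime import datetime, timedelta
from statistics import mean

# Constructed outage log for one month: (start, end, note as logged with the SP)
OUTAGES = [
    ("2008-03-02T01:10:00", "2008-03-02T02:40:00", "circuit down, SP ticket opened"),
    ("2008-03-15T13:05:00", "2008-03-15T13:25:00", "provider edge reload"),
    ("2008-03-28T22:00:00", "2008-03-28T23:15:00", "fiber cut on access loop"),
]
PERIOD_START = datetime(2008, 3, 1)
PERIOD_END = datetime(2008, 4, 1)

# Constructed probe results from the customer's own monitoring
PROBES = {"sent": 1000, "received": 996,
          "rtt_ms": [41.2, 42.0, 40.8, 43.5, 41.9, 95.0, 42.2, 41.5]}

# Assumed SLA targets; availability is a floor, every other figure is a ceiling
SLA = {"availability_pct": 99.9, "mttr_hours": 2.0, "loss_pct": 0.5,
       "latency_ms": 60.0, "jitter_ms": 10.0}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _hours(td):
    return td.total_seconds() / 3600


def outage_metrics(outages, start, end):
    """Availability %, MTTR and MTBF (hours) for the reporting period."""
    total_down = sum((parse(e) - parse(s) for s, e, _ in outages), timedelta())
    period = end - start
    n = len(outages)
    return {
        "availability_pct": 100.0 * (1 - total_down / period),
        # MTTR: mean outage duration; MTBF: operating time per failure
        "mttr_hours": _hours(total_down) / n if n else 0.0,
        "mtbf_hours": _hours(period - total_down) / n if n else float("inf"),
    }


def probe_metrics(probes):
    """Loss %, mean latency and jitter from the customer's probe samples."""
    rtts = probes["rtt_ms"]
    return {
        "loss_pct": 100.0 * (probes["sent"] - probes["received"]) / probes["sent"],
        "latency_ms": mean(rtts),
        # jitter as the mean absolute change between consecutive samples
        "jitter_ms": mean(abs(b - a) for a, b in zip(rtts, rtts[1:])),
    }


def sla_breaches(metrics, sla):
    """Names of the metrics outside the SLA, for the report sent to the SP."""
    breaches = []
    for name, target in sla.items():
        if name not in metrics:
            continue
        too_low = name == "availability_pct" and metrics[name] < target
        too_high = name != "availability_pct" and metrics[name] > target
        if too_low or too_high:
            breaches.append(name)
    return sorted(breaches)


def monthly_report():
    """Combine both measurement sources into one SLA review."""
    metrics = {**outage_metrics(OUTAGES, PERIOD_START, PERIOD_END),
               **probe_metrics(PROBES)}
    return metrics, sla_breaches(metrics, SLA)


if __name__ == "__main__":
    metrics, breaches = monthly_report()
    for name, value in metrics.items():
        print(f"{name:18s} {value:10.3f}")
    print("SLA breaches:", breaches or "none")
```

With the constructed data the month shows roughly 99.59% availability and 16 ms jitter, so the report flags both against the assumed targets while MTTR, loss and latency pass; keeping the customer-side numbers alongside the SP's own report is what gives the review its evidence.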


CHAPTER 5

Data Center Design for the Enterprise

Chapter 5: Data Center Design for the Enterprise

Here we consider enterprise data center design and discuss the three layers of the data center architecture. Modular versus one-rack unit access switch designs are compared, as are the options for scaling the data center for high availability.

Core and Aggregation Layer Infrastructure Design

The three-layer data center design is as follows:

n Core layer: Composed of the high-speed packet-switching backplane

n Aggregation layer: Provides service module integration, Layer 2 domain definitions, spanning-tree processing, and default gateway redundancy

n Access layer: Provides physical connection for servers to the network

Data center core layer design: The core layer allows for high-speed packet switching between multiple aggregation modules. Inclusion of a data center core is based on a number of considerations such as 10 Gigabit Ethernet (GigE) port density, administrative domains and models used, and plans for future growth.

In this design, all links are Layer 3 at the core with the Layer 2/3 boundaries at or below the aggregation layer modules.

Open Shortest Path First (OSPF) Protocol routing recommendations include the following:

n Use NSSA from the core down.

n The auto-cost reference-bandwidth 10000 command should be used to set the reference bandwidth to 10GE and allow OSPF to differentiate the cost on higher speed links such as 10GE trunk links.

n Simplify troubleshooting by using the loopback interfaces for the router ID.

n Use the passive-interface default command.


n Use OSPF authentication.

n Use the timers throttle spf command to tune OSPF timers.
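As an added example (not from the Cisco Press text), the script below audits a Cisco IOS OSPF configuration against the recommendations just listed: NSSA, the 10GE reference bandwidth, a loopback-based router ID, passive-interface default, authentication and SPF throttling. Both configuration snippets are constructed samples, the MD5 key value is a placeholder, and the finding names and check rules (for instance, treating authentication as met only when both the area statement and an interface key are present) are this example's own assumptions.

```python
"""Added example, not from the Cisco Press text: check a Cisco IOS OSPF
configuration against the data center core recommendations. The two
configuration snippets are constructed samples; the finding names and the
checks are this example's own assumptions."""
import re

# Constructed configuration that ignores most of the recommendations
WEAK_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface TenGigabitEthernet1/1
 ip address 10.1.1.1 255.255.255.252
router ospf 1
 router-id 10.1.1.1
 area 10 nssa
 network 10.1.1.0 0.0.0.3 area 10
"""

# Constructed configuration that follows them (the key value is a placeholder)
GOOD_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface TenGigabitEthernet1/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
router ospf 1
 router-id 10.255.0.1
 auto-cost reference-bandwidth 10000
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
 area 10 nssa
 area 10 authentication message-digest
 timers throttle spf 10 100 5000
 network 10.1.1.0 0.0.0.3 area 10
"""


def parse_sections(config):
    """Group indented lines under their unindented header (interface ..., router ...)."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def loopback_addresses(sections):
    """IP addresses configured on loopback interfaces."""
    addrs = set()
    for header, lines in sections.items():
        if header.lower().startswith("interface loopback"):
            for line in lines:
                m = re.match(r"ip address (\S+) ", line)
                if m:
                    addrs.add(m.group(1))
    return addrs


def audit_ospf(config):
    """Return the sorted names of the recommendations the config does not meet."""
    sections = parse_sections(config)
    ospf = [l for h, ls in sections.items() if h.startswith("router ospf") for l in ls]
    ifaces = [l for h, ls in sections.items() if h.startswith("interface") for l in ls]
    findings = []
    if not any(re.match(r"area \S+ nssa", l) for l in ospf):
        findings.append("nssa")
    if "auto-cost reference-bandwidth 10000" not in ospf:
        findings.append("auto-cost-10ge")
    rid = next((l.split()[1] for l in ospf if l.startswith("router-id ")), None)
    if rid is None or rid not in loopback_addresses(sections):
        findings.append("router-id-loopback")
    if "passive-interface default" not in ospf:
        findings.append("passive-default")
    # authentication needs both the area statement and a key on the interfaces
    area_auth = any(re.match(r"area \S+ authentication", l) for l in ospf)
    key_auth = any(l.startswith(("ip ospf message-digest-key", "ip ospf authentication"))
                   for l in ifaces)
    if not (area_auth and key_auth):
        findings.append("authentication")
    if not any(l.startswith("timers throttle spf") for l in ospf):
        findings.append("spf-throttle")
    return sorted(findings)


if __name__ == "__main__":
    print("weak config :", audit_ospf(WEAK_CONFIG))
    print("good config :", audit_ospf(GOOD_CONFIG))
```

Run against the weak sample, the audit reports every recommendation except NSSA as missing; the corrected sample reports nothing. The router-ID check deliberately compares the configured ID with the loopback addresses rather than just testing that a router-id line exists, because an ID borrowed from a physical interface defeats the troubleshooting benefit the recommendation is after.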

Enhanced Interior Gateway Routing Protocol (EIGRP) routing recommendations include the following:

n Use the ip summary-address eigrp command to advertise a default summary route into the data center and to summarize the data center subnets.

n Apply the passive-interface default command.

Aggregation layer design: A pair of interconnected aggregation switches, referred to as a module, is used to scale the aggregation layer through the following:

n Spanning-tree scaling

n Access layer density scaling

n Hot Standby Router Protocol (HSRP) scaling

n Application services scaling

If Layer 2 is used, special consideration should be given to Spanning Tree Protocol (STP) design because the aggregation modules allow the spanning-tree domain to be distributed. Rapid STP (RSTP) is recommended over Multiple Spanning Tree (MST).

Integrated services module: The aggregation layer may also employ integrated service modules to provide such services as firewall, Secure Sockets Layer (SSL) offload, content switching, intrusion detection, and network analysis.

Service model designs: Redundancy for these integrated services may be deployed as either active/active pairs or active/standby pairs.


Active/Active:

n Increases overall performance

n Allows uplink load balancing while having services applied

Active/Standby:

n Predictable; simplifies troubleshooting

n Underutilizes access layer links, service modules, and switch fabric

VRFs in the data center:

n Allows use of application services with multiple access topologies

n Maps to path isolation MAN/WAN designs

n Supports security policy by user group

n Enables partitioning of network resources

Design of the Access Layer

A number of models may be used in access layer design, including the Layer 2 looped model, the Layer 2 loop-free model, and the Layer 3 model, where Layer 2 services from the aggregation layer are not supported.

Layer 2 looped model: There are two primary Layer 2 model topologies, the looped triangle and the looped square.


Benefits of the Layer 2 looped model:

n Offers Layer 2 adjacency

n Extends VLANs between aggregation switches

n Supports sharing of service module across access layer

n Provides redundancy using RSTP


FIGURE 5-1 Layer 2 Looped Model (figure: looped square and looped triangle topologies; access switches ACC 1 to ACC 4 attach over 802.1Q trunks to an aggregation pair, one switch being primary STP root, primary HSRP and active services, the other secondary STP root, secondary HSRP and standby services; the L2/L3 boundary is at the aggregation layer)


Layer 2 loop-free models: Used when Layer 2 support is required but a looped topology is undesirable. Enables spanning tree as a safeguard against loops and provides several benefits, including Layer 2 adjacency, stability, and active uplinks.

Layer 2 loop-free topologies: Loop-free U access and loop-free inverted U access.

Layer 2 FlexLinks: An alternative to the looped access topology. When using this design, STP is disabled on FlexLinks, and accidental loops between switches are possible.

Layer 3 in the access layer: A dedicated subnet is used to permit access switches to connect to the aggregation switches using a Layer 3 uplink.


FIGURE 5-2 Layer 3 Access Model (figure: DC Core, DC Aggregation and DC Access layers, with the L2/L3 boundary at the access layer)


Layer 3 access model benefits:

n Reduces broadcasts and fault domains.

n Provides for server stability and application isolation.

n All uplinks are available up to Equal Cost Multipath (ECMP) maximum.

n Fast uplink convergence in the event of a failover or fallback.

Blade servers: These may be implemented in the data center access layer, often as a replacement for older server farms or where new applications that require clustering are deployed.

Blade server challenges and considerations:

n Administrative domains

n Interoperability

n Spanning-tree scaling

n Pass-through cabling

n Switch trunk topologies

n Environmental Issues

Blade server connectivity: Blade servers can support either Layer 2 or Layer 3 topologies depending on the server broadcast domain or specific administrative requirements. One option for connecting blade servers is integrated InfiniBand switches.

Another feature of blade servers is Layer 2 trunk failover (link-state tracking), which provides Layer 2 redundancy in the network when used in conjunction with proper server network interface card (NIC) adapter tuning.


Scaling Data Center Architecture

In designing the data center architecture, both density and scalability implications between modular and one-rack unit (1 RU) access layer switching models must be considered, as must the following:

n Cabling

n Cooling

n Power

n Density

n 10 Gigabit Ethernet uplink support

n Resiliency features

n Intended use

Bandwidth and Uplink Density Consideration

The port-channel load-balance command improves load distribution for EtherChannel ports because it presents more unique values to the hashing algorithm. EtherChannel utilization can be further optimized with the Min-Link feature, which allows for the specification of a minimum number of available ports for a PortChannel to be considered a valid path.
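To make the "more unique values" point concrete, here is an added simulation (not from the Cisco Press text, and not Cisco's hash) of how the fields selected by port-channel load-balance change the spread of flows over the member links, together with a Min-Link style check. The flows are constructed: 64 clients behind one router reaching one server, so every frame the server-facing switch sees carries the same source MAC. CRC-32 modulo the link count stands in for the platform's real hash (an assumption); the conclusion depends only on how many distinct hash inputs the chosen fields produce.

```python
"""Added example, not from the Cisco Press text: simulate EtherChannel load
distribution for different port-channel load-balance field selections, and
apply a Min-Link style check. Flows are constructed; CRC-32 mod link count
is an assumed stand-in for the platform hash."""
import zlib
from collections import Counter

# Constructed flows: 64 clients behind one router reaching a single server.
# At the server-facing switch every frame carries the router's MAC as source.
ROUTER_MAC, SERVER_MAC = "0000.0c07.ac01", "0011.2233.4455"
FLOWS = [(ROUTER_MAC, SERVER_MAC, f"192.0.2.{i}", "10.10.10.5", 40000 + i, 443)
         for i in range(1, 65)]

# Which tuple fields each load-balance method feeds into the hash
FIELDS = {
    "src-mac": (0,),
    "src-dst-mac": (0, 1),
    "src-dst-ip": (2, 3),
    "src-dst-port": (4, 5),
}


def member_link(flow, method, n_links):
    """Pick the member link for one flow (assumed hash: CRC-32 mod link count)."""
    key = "|".join(str(flow[i]) for i in FIELDS[method])
    return zlib.crc32(key.encode()) % n_links


def distribution(flows, method, n_links):
    """Flows per member link for a given load-balance method."""
    return Counter(member_link(f, method, n_links) for f in flows)


def links_in_use(flows, method, n_links):
    """How many member links actually carry traffic under this method."""
    return len(distribution(flows, method, n_links))


def effective_links(member_up, min_links):
    """Min-Link: the bundle is a usable path only when at least min_links
    members are up; otherwise it is treated as down (0 usable links), so
    routing fails over instead of squeezing traffic onto too few members."""
    up = sum(1 for state in member_up if state)
    return up if up >= min_links else 0


if __name__ == "__main__":
    for method in FIELDS:
        spread = dict(sorted(distribution(FLOWS, method, 4).items()))
        print(f"{method:13s} -> {spread}")
    print("4 members, 2 up, min-links 3 ->", effective_links([True, True, False, False], 3))
```

With MAC-based hashing every flow in this constructed traffic mix hashes to the same member link because the MAC pair never changes; the IP and port selections give the hash 64 distinct inputs and the flows spread across the bundle.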

Service Layer Switches

Service layer switches provide greater scalability by supporting service modules, but may call for quality of service (QoS) or separate links for fault-tolerant paths. This may also require Layer 3 peering with route health injection (RHI), and only necessary Layer 2 VLANs should be extended to service switches.

Cisco Application Control Engine (ACE) modules may also be used to scale uplink port density or aggregation layer switch slots.


Spanning-Tree Design for High Availability

The recommended spanning-tree protocols for use in a data center are 802.1w, implemented by Cisco as Rapid PVST+ (RSTP), and 802.1s, known as Multiple Spanning Tree (MST).

STP logical interfaces: To determine the number of STP logical interfaces, sum [(each trunk on the switch) * (active VLANs on each trunk)] + (number of nontrunking interfaces on the switch).

Virtual ports: These are a per-line-card value that reflects the total number of spanning-tree processing instances used on a line card. To calculate STP virtual ports, sum [(each trunk port on the line card) * (active VLANs per port)].

1 RU designs: With these, the chances of a larger spanning-tree diameter, and possibly more STP issues, increase. It is best to use aggregation modules to scale STP and 10GE density.

Guidelines for scaling STP designs:

n Manually prune trunks.

n Use MST if Rapid Spanning Tree Protocol (RSTP) cannot scale sufficiently.

n Limit Hot Standby Router Protocol (HSRP) instances to 500.

n Divide the STP domain by adding aggregation modules.
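The two sizing formulas and the scaling guidelines above can be applied to a switch inventory mechanically; the script below is an added example, not from the Cisco Press text. The inventory (two line cards, a mix of trunks and access ports), the platform limits used as defaults and the function names are constructed assumptions; only the HSRP limit of 500 comes from the guideline list. The pruning helper shows what "manually prune trunks" does to the numbers.

```python
"""Added example, not from the Cisco Press text: apply the STP logical
interface and virtual port formulas to a constructed switch inventory and
check the scaling guidelines. Inventory, default platform limits and names
are assumptions; the HSRP limit of 500 follows the guideline."""
from copy import deepcopy

# Constructed inventory: line card slot -> ports; trunks carry active VLANs,
# access ports count as one logical interface each.
SWITCH = {
    "line_cards": {
        "slot1": [{"trunk": True, "active_vlans": 120} for _ in range(8)],
        "slot2": [{"trunk": True, "active_vlans": 40} for _ in range(4)]
               + [{"trunk": False, "active_vlans": 1} for _ in range(12)],
    },
    "hsrp_instances": 120,
}


def stp_logical_interfaces(switch):
    """sum[(each trunk) * (active VLANs on the trunk)] + nontrunking interfaces."""
    total = 0
    for ports in switch["line_cards"].values():
        for port in ports:
            total += port["active_vlans"] if port["trunk"] else 1
    return total


def stp_virtual_ports(switch):
    """Per line card: sum[(each trunk port) * (active VLANs per port)]."""
    return {slot: sum(p["active_vlans"] for p in ports if p["trunk"])
            for slot, ports in switch["line_cards"].items()}


def prune_trunks(switch, slot, allowed_vlans):
    """Manual trunk pruning: cap the active VLANs on every trunk in a slot."""
    pruned = deepcopy(switch)
    for port in pruned["line_cards"][slot]:
        if port["trunk"]:
            port["active_vlans"] = min(port["active_vlans"], allowed_vlans)
    return pruned


def stp_scaling_findings(switch, max_logical=10000, max_vports=1800, max_hsrp=500):
    """List (check, where, value) for every limit exceeded. max_logical and
    max_vports are assumed platform limits; max_hsrp is the guideline above."""
    findings = []
    logical = stp_logical_interfaces(switch)
    if logical > max_logical:
        findings.append(("logical_interfaces", "switch", logical))
    for slot, vports in stp_virtual_ports(switch).items():
        if vports > max_vports:
            findings.append(("virtual_ports", slot, vports))
    if switch["hsrp_instances"] > max_hsrp:
        findings.append(("hsrp_instances", "switch", switch["hsrp_instances"]))
    return findings


if __name__ == "__main__":
    print("logical interfaces:", stp_logical_interfaces(SWITCH))
    print("virtual ports per line card:", stp_virtual_ports(SWITCH))
    print("findings (assumed 800 virtual port limit):",
          stp_scaling_findings(SWITCH, max_vports=800))
    pruned = prune_trunks(SWITCH, "slot1", 30)
    print("after pruning slot1 trunks to 30 VLANs:",
          stp_scaling_findings(pruned, max_vports=800))
```

For the constructed inventory the switch carries 1132 logical interfaces, and slot1 alone holds 960 virtual ports; pruning its trunks to 30 VLANs brings slot1 down to 240 and the whole switch to 412, which is the effect the "manually prune trunks" guideline relies on.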

Providing high availability in the data center:

Three key areas are seen in common failures in the path from server to aggregation switch: network links, the access switch, and the server network adapter. To address these, dual-attached servers using network adapter teaming software connected to dual-attached access switches may be deployed.

Having a server with a single network interface card (NIC) might lead to as many as three single points of failure: the NIC, the cable, and the switch to which it is connected. NIC teaming can eliminate these single points of failure.


NIC teaming configurations include the following:

n Adapter fault tolerance (AFT)

n Switch fault tolerance (SFT)

n Adaptive load balancing (ALB)

Server attachment methods: EtherChannel provides scalable bandwidth for network servers that can bundle multiple links to allow higher throughput between servers and clients, and to provide redundancy.

Failover times: Layer 2, Layer 3, and Layer 4 components all contribute to overall failover time. Components at each layer have different recovery times and should be evaluated and optimized.

Nonstop forwarding (NSF) and stateful switchover (SSO): Intrachassis SSO at Layers 2 to 4 can be provided by NSF with SSO. This is an excellent method for redundancy. SSO synchronizes the state of trunks, interfaces, EtherChannels, port security, Switched Port Analyzer / Remote Switched Port Analyzer (SPAN/RSPAN), STP, UniDirectional Link Detection (UDLD), and VLAN Trunking Protocol (VTP). NSF with EIGRP, OSPF, Intermediate System-to-Intermediate System (IS-IS), or Border Gateway Protocol (BGP) allows for recovery with no route flapping.


CHAPTER 6

Storage-Area Network Design

Chapter 6: Storage-Area Network Design

This chapter examines how storage-area networks (SAN) enable customers to interconnect data centers, provide continuity, provide storage consolidation, and unify storage management.

An Overview of SAN Components and Technologies

SAN technologies enable organizations to maximize their storage capacity through a unified set of components and architecture. A SAN solution can separate storage from the traditional server, and can share storage among multiple servers. SANs also have a lower total cost of ownership (TCO) than direct-attached storage and can provide high I/O throughput via a high-performance interconnect. One limiting factor to be aware of is that vendor interoperability may be limited.

SAN main components:

n Host bus adapter (HBA): Provides connectivity between the host server and a storage device.

n Data storage devices: May be hard disks based on any one of the following technologies: SCSI, Fibre Channel, ATA, IDE, or Serial ATA.

n Storage subsystems: Examples of subsystems include the following:

    n Just a bunch of disks (JBOD): A simple disk array.

    n Storage arrays: A group of devices that provide mass storage and other functions and services.

    n Redundant array of independent disks (RAID): RAID technologies allow disk drives to be combined and configured to provide increased performance and fault tolerance.

Overview of RAID: RAID arrays can be used to provide fault tolerance by mirroring data or through implementing parity check operations.


CCDP ARCH Quick Reference, by Kevin Wallace and Michael Watkins. ISBN: 9781587054990. Publisher: Cisco Press.


Primary RAID levels:

• RAID 0 (striping): Multiple disks are combined to form a single large volume. No fault tolerance is provided.

• RAID 1 (mirroring): Data is duplicated across two or more disks.

• RAID 3 (dedicated parity): Data is striped across multiple disks, and parity (error-correction) information is maintained on a dedicated disk drive.

• RAID 5 (distributed parity): Data and parity information are both striped across multiple disks, so no single drive carries every parity write.
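The parity mechanism behind RAID 3 and RAID 5, as an added example that is not part of the Cisco Press text: it stripes a byte string across N in-memory "disks" with one XOR parity unit per stripe (on a fixed last disk for the RAID 3 layout, rotating for RAID 5), simulates the loss of a disk, and rebuilds it from the survivors. The stripe-unit size and the sample payload are assumptions made for the illustration.

```python
"""Stripe-with-parity model for the RAID 3 and RAID 5 layouts (added example)."""
from typing import List, Optional

Disk = Optional[List[bytes]]   # a disk's stripe units; None models a failed disk


def _xor(units: List[bytes]) -> bytes:
    """XOR equal-length units together: the parity operation."""
    out = bytearray(len(units[0]))
    for u in units:
        for i, b in enumerate(u):
            out[i] ^= b
    return bytes(out)


def _parity_disk(stripe: int, ndisks: int, dedicated: bool) -> int:
    # RAID 3: parity always on the last disk. RAID 5: parity rotates per stripe,
    # so no single drive absorbs every parity write.
    return ndisks - 1 if dedicated else stripe % ndisks


def stripe_with_parity(data: bytes, ndisks: int, unit: int = 4,
                       dedicated_parity: bool = False) -> List[Disk]:
    """Return disks[d][s], the unit that disk d holds for stripe s."""
    if ndisks < 3:
        raise ValueError("single-parity striping needs at least 3 disks")
    per_stripe = (ndisks - 1) * unit
    data = data + b"\x00" * ((-len(data)) % per_stripe)   # pad the final stripe
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        units = [chunk[i * unit:(i + 1) * unit] for i in range(ndisks - 1)]
        parity, p = _xor(units), _parity_disk(s, ndisks, dedicated_parity)
        remaining = iter(units)
        for d in range(ndisks):
            disks[d].append(parity if d == p else next(remaining))
    return disks


def fail(disks: List[Disk], d: int) -> List[Disk]:
    """Simulate losing disk d entirely (the array is now degraded)."""
    out = list(disks)
    out[d] = None
    return out


def rebuild(disks: List[Disk], failed: int) -> List[Disk]:
    """Rebuild the one failed disk. Every stripe XORs to zero, so the missing
    unit, whether data or parity, is the XOR of the stripe's surviving units."""
    missing = [d for d, contents in enumerate(disks) if contents is None]
    if missing != [failed]:
        raise RuntimeError(f"single parity cannot rebuild with failed disks {missing}")
    survivors = [d for d in range(len(disks)) if d != failed]
    nstripes = len(disks[survivors[0]])
    out = list(disks)
    out[failed] = [_xor([disks[d][s] for d in survivors]) for s in range(nstripes)]
    return out


def read_data(disks: List[Disk], dedicated_parity: bool = False) -> bytes:
    """Reassemble the logical volume by skipping each stripe's parity unit."""
    if any(d is None for d in disks):
        raise RuntimeError("array is degraded; rebuild before reading")
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = _parity_disk(s, ndisks, dedicated_parity)
        out += b"".join(disks[d][s] for d in range(ndisks) if d != p)
    return bytes(out)


if __name__ == "__main__":
    payload = b"Designing Cisco Network Service Architecture"   # constructed sample data
    raid5 = stripe_with_parity(payload, ndisks=4)
    healed = rebuild(fail(raid5, 2), 2)            # one drive lost: fully recoverable
    print(read_data(healed).rstrip(b"\x00") == payload)
    try:
        rebuild(fail(fail(raid5, 0), 1), 0)        # two drives lost: single parity cannot help
    except RuntimeError as err:
        print(err)
```

The second-failure case is the design caveat: a single parity unit per stripe tolerates exactly one lost drive, so rebuild time after the first failure is the window of exposure.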

Direct-attached storage (DAS) features: Storage devices connect directly to the server. Storage has limited mobility because it is captive behind the server, and limited scalability because of the number of devices a single server can attach.

Network-attached storage (NAS) features: Storage devices attach to the IP network, allowing storage to be shared among servers and files to be shared among users.


FIGURE 6-1 Network-attached storage: servers and NAS devices share an IP LAN/WAN, and data is transferred in IP packets.


Overview of SAN technologies:

• Small Computer System Interface (SCSI): A parallel interface technology used by hosts to attach peripheral devices.

• Fibre Channel: A serial data transfer architecture that provides a very high level of scalability and bandwidth and can be used to extend and network SCSI. It uses a point-to-point communication model established through device login.

Virtual SAN (VSAN): Provides isolation among multiple devices that are physically connected to the same fabric. Inter-VSAN routing (IVR) can be used to share centralized storage services, such as disks or tape libraries, across VSAN fabrics without the need to merge the VSANs.

Fabric Shortest Path First (FSPF): The link-state path-selection protocol used by Fibre Channel fabrics. It supports multipath routing and is used by IVR to calculate the best path to a remote fabric.

Zoning: A logical grouping of fabric-connected devices within a SAN or VSAN, used to control which initiators may access which storage targets. Devices that share no active zone cannot see each other unless the VSAN's default zone policy is set to permit, which is why the default zone should be left at deny.
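The VSAN, IVR and zoning rules above as an access-control check, added here as an example that is not part of the Cisco Press text. The fabric is constructed for illustration: the device names echo Figure 6-2 but the zone memberships, the IVR zone and the tape target are assumptions. One active zoneset per VSAN is modelled as a mapping of zone name to members; a zone named "Zone A" appears in both VSANs on purpose, because zone names are scoped to a VSAN.

```python
"""Reachability model for VSANs, zones and IVR (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Fabric:
    vsan_of: Dict[str, int]                        # device -> VSAN membership
    active_zones: Dict[int, Dict[str, Set[str]]]   # VSAN -> active zoneset {zone: members}
    ivr_zones: Dict[str, Set[str]] = field(default_factory=dict)   # cross-VSAN zones
    default_zone_permit: Set[int] = field(default_factory=set)     # VSANs whose default zone permits

    def can_access(self, initiator: str, target: str) -> Tuple[bool, str]:
        """Decide whether two devices may talk and report which construct decided it."""
        if initiator not in self.vsan_of or target not in self.vsan_of:
            return False, "unknown device"
        v_i, v_t = self.vsan_of[initiator], self.vsan_of[target]
        if v_i != v_t:
            # VSANs are separate fabrics: only an IVR zone can bridge them.
            for name, members in self.ivr_zones.items():
                if initiator in members and target in members:
                    return True, f"IVR zone {name}"
            return False, f"VSAN isolation ({v_i} != {v_t})"
        for name, members in self.active_zones.get(v_i, {}).items():
            if initiator in members and target in members:
                return True, f"zone {name} in VSAN {v_i}"
        if v_i in self.default_zone_permit:
            return True, f"default zone permit in VSAN {v_i}"   # design smell: everything unzoned is exposed
        return False, f"not zoned together in VSAN {v_i}"

    def unzoned(self) -> List[str]:
        """Devices in no active zone: these see other devices only through a permissive default zone."""
        zoned = {m for zs in self.active_zones.values() for ms in zs.values() for m in ms}
        return sorted(d for d in self.vsan_of if d not in zoned)


def sample_fabric() -> Fabric:
    """Constructed sample: two VSANs, a few zones, one IVR zone sharing a tape target."""
    return Fabric(
        vsan_of={"Host 1": 2, "Host 2": 2, "Disk 1": 2, "Disk 2": 2, "Disk 3": 2, "Disk 4": 2,
                 "Host 3": 3, "Host 4": 3, "Disk 5": 3, "Disk 6": 3, "Tape 1": 3},
        active_zones={
            2: {"Zone A": {"Host 1", "Disk 1", "Disk 2"}, "Zone B": {"Host 2", "Disk 3"}},
            3: {"Zone A": {"Host 3", "Disk 5"}, "Zone D": {"Host 4", "Disk 6", "Tape 1"}},
        },
        ivr_zones={"IVR-TAPE": {"Host 2", "Tape 1"}},   # Host 2 (VSAN 2) reaches the tape in VSAN 3
    )


if __name__ == "__main__":
    fabric = sample_fabric()
    for pair in (("Host 1", "Disk 1"), ("Host 1", "Disk 3"), ("Host 2", "Tape 1"), ("Host 1", "Disk 5")):
        print(pair, fabric.can_access(*pair))
    print("unzoned devices:", fabric.unzoned())
```

Running `unzoned()` against an exported zoneset is the quick audit for a fabric whose default zone was flipped to permit: every device it lists is reachable by every other device in its VSAN.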

Fiber Connectivity (FICON): An upper-layer protocol developed by IBM that uses the lower layers of the Fibre Channel transport to connect IBM mainframes with control units.

SANTap: An Intelligent Storage Service feature supported on the Storage Services Module (SSM) that enables data to be duplicated to another virtual initiator. This allows third-party data storage applications (for example, long-distance replication and continuous backup) to be integrated into the SAN without sitting in the primary I/O path.


Design Considerations for SAN and SAN Extension

A SAN design should take into account the following considerations:

• Network topology should account for the number of ports needed both today and in the future.

• End-to-end performance and throughput should be central to the design.

• Business requirements for continuity and disaster recovery should guide the connectivity established with remote data centers.


FIGURE 6-2 Zoning: Physical topology. VSAN 2 contains Zone A, Zone B, and Zone C over Host 1, Host 2, and Disks 1 through 4; VSAN 3 contains Zone A and Zone D over Host 3, Host 4, Disk 5, and Disk 6. Zone names are scoped to a VSAN, which is why a Zone A can exist in both VSAN 2 and VSAN 3.


SAN design should be based on a number of factors, including the following:

• Topology requirements and port density

• Traffic management

• Stability and convergence

• Fault isolation

• Oversubscription of devices

Benefits of the Cisco MDS 9000 family: SAN consolidation using VSANs, comprehensive security, and simplified SAN management.

Collapsed core designs:

• Single-switch design: Provides 100 percent port design efficiency with a generally lower oversubscription ratio, while leaving empty slots to support future growth.

• Small-scale dual fabric: A small SAN built from 48-port modules provides a cost-effective solution with VSAN support and PortChannels to other switches, giving high availability and room for future growth.

• Medium-scale dual fabric: Implemented using dual director switches, it provides up to 528 ports per fabric, VSAN support, port bandwidth reservations to guarantee performance for those devices that require it, and PortChannels to other switches for high availability and future growth.

• Large-scale dual fabric: Uses 48-port modules with VSAN support and port bandwidth reservations to guarantee performance for those devices that require it. Each of the two core switches supports 128 storage ports, and each of the four edge switches supports 496 host ports, for a SAN that supports 1984 host ports across 256 storage ports, a 7.75:1 ratio of host ports to storage ports.

Transporting storage traffic with SAN extensions: Multiple protocols and transport stacks can be used by a SAN to transfer SCSI commands and data. Fibre Channel over IP (FCIP) and Internet SCSI (iSCSI) both support block-level storage for remote devices and carry SCSI commands, data, and status.


FCIP: A standards-based protocol (RFC 3821) used primarily for SAN extension across a WAN. FCIP enables storage applications such as asynchronous data replication, disaster recovery, remote tape vaulting, and host initiator to remote pooled storage to be deployed over distances that native Fibre Channel cannot span. The applications themselves remain sensitive to WAN latency, which is why the acceleration features listed below exist.

iSCSI: Carries SCSI commands, responses, and data over an IP network rather than over Fibre Channel.

Advantages of iSCSI versus FCIP:

• Supports standard networking equipment.

• Provides lower overall cost of ownership.

• Standards-based protocol (RFC 3720).

• A TCP Offload Engine (TOE) can be used to scale iSCSI.

Advances in SAN extension:

• Tape acceleration: Speeds up I/O transactions during remote backups.

• FCIP write acceleration: Increases I/O transaction rates between servers and disk-based storage devices such as disk arrays.

• Hardware-assisted data compression over FCIP: Provides extremely high data compression rates across WANs.

• Hardware-based IP Security (IPsec) encryption: Protects SAN extension traffic in transit across the WAN. Without it, FCIP and iSCSI carry block data in cleartext over the IP network.

High-availability SAN extension: Dual fabrics (for example, a yellow VSAN and a blue VSAN) are used to support high availability. PortChannels and optical protection schemes can further augment the design and offer an additional level of network protection.


CHAPTER 7

Designing an E-Commerce Module

As businesses continue to embrace the Web, e-commerce applications flourish. The e-commerce module enables organizations to support this capability through a multiple-component design. Here we examine how to provide both high availability and security via firewalls, server load balancers, and connections to multiple Internet service providers (ISP).

Achieving High Availability

The prevention of downtime is the goal of any high-availability strategy, and meeting this goal requires the integration of a number of components: redundancy, technology, people, processes, and tools.

Component Design for the E-Commerce Module

A number of different pieces make up the e-commerce module. Routing, switching, firewall, and server content-balancing components all make up common e-commerce designs. To construct complex e-commerce module designs, it is necessary to understand how to integrate these elements.

Typical firewall design for e-commerce: Security is key in an e-commerce implementation, so the design must take firewall placement into account. The e-commerce module is typically implemented in a data center that is connected to the Internet via one or more ISPs. Within the e-commerce module are multiple firewalls at various layers.

Large site design: A large site might have three firewall layers separating and securing the web, application, and data tiers. In this design, the Internet connects to the web tier, the outer demilitarized zone (DMZ) supporting web services. Web servers then communicate with the application tier through a second pair of firewalls, and those servers communicate with the data tier through a third pair of firewalls.

Application gateway approach: An alternative approach is to route all traffic between the tiers through the servers themselves. In this approach, the web tier servers act as application-specific gateways, adding security because an attacker would have to penetrate the outer firewall and the web server operating system before reaching the middle layer of firewalls.


FIGURE 7-1 Server as application gateway: Internet Service Provider A connects to the web tier, which connects to the application tier, which connects to the database tier.


Virtualization using firewall contexts: Firewall contexts are now supported within the Cisco firewall family to allow the virtualization of a physical firewall or Application Control Engine (ACE) module. Specific VLANs or interfaces are connected to specific security contexts, each of which supports its own policies such as access control lists (ACL), Network Address Translation (NAT), protocol fixups, and so on.

Layering with virtual firewalls: When constructing a multitiered e-commerce model, a single pair of firewall devices may be used to create virtual firewall layers. One approach is to use a pair of Cisco Catalyst 6500 switches with Firewall Services Modules (FWSM) rather than individual firewalls.

Transparent and routed mode firewalls: The Cisco product family now supports firewalls that operate in either transparent (bridged) mode or traditional routed mode, and the mode may be chosen on a per-context basis.

• Transparent mode: The FWSM bridges two VLANs, and traffic passing through it is subject to IP ACLs.

• Routed mode: The FWSM routes between the VLANs, and traffic passing through it is subject to IP ACLs, security state tracking, and so on.

Load-Balancer Designs for E-Commerce

To support both scaling and high availability, a server load balancer (SLB) or content load balancer may be used. Through an SLB, the workload is spread among many real servers, and capacity is extended by adding servers to the pool. Cisco offers a number of product lines that provide content and SLB services:

• Cisco CSS 11500 Series Content Services Switch (CSS)

• Cisco Content Switching Module (CSM)

• Cisco Application Control Engine (ACE)


Basic SLB designs include router mode, bridge mode inline, and one-armed (or two-armed) mode, and they require selecting appropriate redundancy from among active/active, active/passive, or failover triggers. An SLB design may also include client source NAT (CSNAT), which rewrites the client's source IP address before the packet goes to the server so that the server's reply returns through the SLB.

E-Commerce Topology Designs

Three common designs are typically used when constructing an e-commerce solution:

• One firewall per ISP, with separate NAT pools.

• Stateful failover with a common external prefix advertised through Border Gateway Protocol (BGP) and a single NAT pool.

• Distributed data centers with multiple ISPs.

Integrated E-Commerce Designs

Base Module Design

This basic e-commerce design uses a core layer that houses the first stage of firewalls. The aggregation and access layers are trusted zones with no security between the web, application, and database zones. The aggregation layer connects to the SLBs or firewalls in routed mode. Further, all e-commerce traffic goes via the CSMs, which might require additional CSM configuration to allow direct access to the servers for non-load-balanced sessions initiated by the servers.

Routing in the base e-commerce module is static for the most part, with virtual IP addresses used to support failover. With regard to traffic flow, the firewall handles the security logic while the CSM handles the SLB decision or passes management traffic directly to a specific server.


Two Firewall Layers

Additional protection can be had by inserting a firewall into the aggregation layer. This form of two firewall layers may be implemented using a one-armed design in which a one-armed SLB device is employed. In this design, direct server traffic flow is possible. The one-armed SLB model with an aggregation firewall may also support multiple firewall contexts, in which case it is no longer necessary to have a separate firewall in the core layer. A further design option is a one-armed SLB with CSS modules that firewall all traffic. With the CSS in one-armed mode, non-load-balanced traffic to and from the servers can bypass the CSS devices.

No matter which design is ultimately used, it is important to test it thoroughly. Proper lab testing can validate network behavior and failover conditions, and can aid in future troubleshooting and design analysis.

E-Commerce Tuning

A number of Cisco technologies, such as BGP tuning, enhanced object tracking, optimized edge routing, and Domain Name System (DNS) site selection and failover, offer enhanced e-commerce capabilities to suit various design needs.

• BGP tuning: Used to control packet flow and convergence characteristics.

• Enhanced Object Tracking (EOT): A standalone process built into Cisco IOS Software that tracks the status of objects (for example, interfaces or routes) so that other features can react when they change.

• Optimized Edge Routing (OER): Provides alternative path selection based on policies. The OER cycle is learn, measure, apply policy, optimize, and verify.

• Cisco Global Site Selector (GSS): Content deployed across multiple distributed and mirrored data locations is leveraged to optimize site selection, improve DNS responsiveness, and ensure data center availability.


FIGURE 7-2 Optimized Edge Routing (OER): at the enterprise content provider, an OER master controller directs border routers BR1, BR2, and BR3, which connect through customer-access routers CR1 and CR2 to transit service providers SP A through SP F (with SLAs A, B, and C) toward the content consumers' clients; internal routing between the servers and the border routers uses iBGP and/or EIGRP, IS-IS, OSPF, or RIP.


CHAPTER 8

Securing an Enterprise Network

With today's mission-critical network services, such as e-commerce, network security has become a major design consideration. This chapter discusses Cisco recommendations for securing an enterprise network. Specifically, it discusses firewall, network admission control, intrusion detection, and intrusion prevention services.

Firewalls

Firewalls contain a list of rules that control what traffic can enter or exit a network segment. These rules can be based on, for example, user access rights or specific applications. Cisco firewalls use one of two basic modes of operation:

• Routed mode: The traditional mode of operation, where the firewall acts as a Layer 3 device.

• Transparent mode: A newer mode of operation, where the firewall acts as a Layer 2 device, with each interface residing on the same subnet but in different VLANs.

Cisco IOS Software has a firewall feature set available, through which a router can act as a firewall. However, for large-scale deployments, dedicated appliances are often preferred. Examples of these dedicated appliances include the following:

• PIX: Cisco's traditional firewall, which by default allows traffic from a higher-security interface (for example, the "inside" network) to a lower-security interface (for example, the "outside" network).

• ASA: Cisco Adaptive Security Appliance, which offers other services (for example, virtual private network [VPN] and intrusion prevention) in addition to firewall services.

• FWSM: Cisco Firewall Services Module for the Catalyst 6500 series switch, which, unlike the PIX and ASA, does not permit any traffic flow between interfaces unless configured to do so (with the exception of Address Resolution Protocol [ARP] traffic).

Modern Cisco firewalls can contain contexts, which act as virtual firewalls within a single physical firewall. VLANs are then associated with a context. Virtual firewalls can often benefit service providers, who can have a single physical device that provides unique firewalling services for multiple subscribers. However, from a design perspective, keep in mind that the contexts share the physical device's resources, so if one context is attacked, the other contexts on that device could be impacted, too.

The preferred redundancy design for firewalls is called active/active. The active/active topology leverages the context feature. Specifically, contexts are placed into failover groups, with one context acting as the active context for the failover group and the other context acting as the standby context for that group.

For example, consider Firewall-1 and Firewall-2 shown in Figure 8-1. Firewall-1 contains the contexts CTX-1 and CTX-2. Firewall-2 contains the contexts CTX-3 and CTX-4. Both CTX-1 and CTX-3 belong to the same failover group, GROUP-1. Similarly, CTX-2 and CTX-4 belong to a common failover group, GROUP-2. CTX-1 is active for GROUP-1, and CTX-4 is active for GROUP-2. In this scenario, both Firewall-1 and Firewall-2 are actively passing traffic, while each is ready to take over for the other in the event of a failure. Because the surviving unit then carries both groups, each firewall must be sized to handle the full load on its own.


FIGURE 8-1 Active/active topology example: Firewall-1 holds CTX-1 (active for failover group Group-1) and CTX-2 (standby for Group-2); Firewall-2 holds CTX-3 (standby for Group-1) and CTX-4 (active for Group-2).
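The active/active failover groups of Figure 8-1 as a small state model, added here as an example that is not part of the Cisco Press text. Each failover group has a preferred unit and follows that unit's health; the contexts in the group (the figure's CTX-1/CTX-3 pair is one group's active and standby copies) follow their group. Whether a recovered unit takes its groups back is modelled by a per-group `preempt` flag, an assumption taken from ASA/FWSM failover-group behaviour: without it, the groups stay on the unit they failed over to, and the load split is lost until someone intervenes.

```python
"""Active/active failover-group model for a two-unit firewall pair (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class FailoverPair:
    units: Tuple[str, str] = ("Firewall-1", "Firewall-2")
    preferred: Dict[str, str] = field(default_factory=dict)   # failover group -> preferred unit
    group_of: Dict[str, str] = field(default_factory=dict)    # context -> failover group it joined
    preempt: Set[str] = field(default_factory=set)            # groups that fail back on recovery
    healthy: Set[str] = field(init=False)
    current: Dict[str, str] = field(init=False)               # failover group -> unit active now

    def __post_init__(self) -> None:
        self.healthy = set(self.units)
        self.current = dict(self.preferred)    # both units healthy: groups sit on their preferred unit

    def _other(self, unit: str) -> str:
        return self.units[1] if unit == self.units[0] else self.units[0]

    def unit_fails(self, unit: str) -> None:
        """Every group the failed unit owned becomes active on the survivor."""
        self.healthy.discard(unit)
        for group, owner in list(self.current.items()):
            if owner == unit:
                self.current[group] = self._other(unit)

    def unit_recovers(self, unit: str) -> None:
        """Only groups configured to preempt move back to their preferred unit."""
        self.healthy.add(unit)
        for group in list(self.current):
            if self.preferred[group] == unit and group in self.preempt:
                self.current[group] = unit

    def active_contexts(self) -> Dict[str, str]:
        """context -> unit currently passing that context's traffic"""
        return {ctx: self.current[group] for ctx, group in self.group_of.items()}

    def load_share(self) -> Dict[str, int]:
        """Number of failover groups each unit is carrying right now."""
        share = {u: 0 for u in self.units}
        for owner in self.current.values():
            share[owner] += 1
        return share


def figure_8_1_pair() -> FailoverPair:
    """The two-group design of Figure 8-1; only GROUP-1 is configured to preempt (assumption)."""
    return FailoverPair(
        preferred={"GROUP-1": "Firewall-1", "GROUP-2": "Firewall-2"},
        group_of={"CTX-1": "GROUP-1", "CTX-2": "GROUP-2"},
        preempt={"GROUP-1"},
    )


if __name__ == "__main__":
    pair = figure_8_1_pair()
    print("normal      ", pair.load_share())
    pair.unit_fails("Firewall-2")
    print("FW-2 down   ", pair.load_share(), pair.active_contexts())
    pair.unit_recovers("Firewall-2")
    print("FW-2 back   ", pair.load_share())   # GROUP-2 does not fail back: no preempt
```

The last line of the demo is the operational point: after one failure and recovery, a group without preempt leaves the pair running as active/standby even though both boxes are healthy, so monitoring should alarm on `load_share()` being lopsided, not only on a unit being down.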

Asymmetric routing is a feature supported by the previously mentioned FWSMs. With asymmetric routing, return traffic for a session can enter via a different interface than the one through which the traffic exited the FWSM. This feature functions in both failover and nonfailover configurations, and works when the firewall is operating in either routed or transparent mode.

CCDP ARCH Quick Reference Page 58 Return to Table of Contents

CCDP ARCH Quick ReferenceCCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990Publisher: Cisco Press

Prepared for Minh Dang, Safari ID: [email protected] by Minh Dang

Print Publication Date: 2007/10/26 User number: 927500 Copyright 2007, Safari Books Online, LLC.This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the priorwritten permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or thatotherwise violates the Safari Terms of Service is strictly prohibited.


CHAPTER 8

Securing an Enterprise Network

Multiple FWSMs (as many as four) can be combined in a single Catalyst 6500 series switch chassis to provide enhanced throughput, using an active/active configuration. The two methods of load balancing among the FWSMs are as follows:

n Traffic engineering (for example, policy-based routing)

n Routing (for example, Equal Cost Multipath [ECMP] routing)

Another way for a Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Catalyst switch. A PVLAN domain has a single primary VLAN. In addition, the PVLAN domain contains secondary VLANs that provide isolation between ports in a PVLAN domain. Cisco Catalyst switches support two categories of secondary VLANs:

n Isolated VLANs: Ports belonging to an isolated VLAN lack Layer 2 connectivity between one another.

n Community VLANs: Ports belonging to a community VLAN can communicate with one another, but not with ports in other community VLANs.

PVLAN ports fall into one of three categories:

n Promiscuous: Promiscuous ports are typically used to communicate with network devices (for example, routers or backup servers), and these ports can communicate with all other PVLAN ports.

n Isolated: Isolated ports can only communicate with a promiscuous port.

n Community: Community ports can communicate with other ports in their community and also with promiscuous ports.
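The two secondary VLAN types and three port roles above, as an added Catalyst IOS configuration example (not the book's own code). The VLAN numbers, interface names, the 10.1.1.0/24 subnet, and the external router at 10.1.1.1 are assumptions. The second half shows the check a practitioner wants alongside any PVLAN design: the isolation is Layer 2 only, so the gateway router needs an ACL to stop hosts from reaching each other by bouncing packets off it.

```cisco
! Added example, not from the book. Assumptions: primary VLAN 100,
! isolated VLAN 101, community VLAN 102, subnet 10.1.1.0/24 with the
! gateway router on Gi1/1 (Catalyst IOS syntax).
!
! PVLANs require VTP transparent mode on switches running VTP v1/v2.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Promiscuous port: the default gateway. It may exchange frames with
! every host in both secondary VLANs.
interface GigabitEthernet1/1
 description Default gateway router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated ports: Layer 2 reachability only to promiscuous ports, so the
! hosts on Gi1/2 and Gi1/3 cannot exchange frames with each other.
interface range GigabitEthernet1/2 - 3
 description Isolated hosts (for example, untrusted servers)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community ports: hosts in VLAN 102 reach each other and the
! promiscuous port, but not the isolated hosts or other communities.
interface range GigabitEthernet1/4 - 5
 description Community hosts (for example, one application tier)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verify with: show vlan private-vlan
!          and: show interfaces GigabitEthernet1/2 switchport
!
! ---- On the gateway router ----
! A host in the isolated VLAN can still address an IP packet to its
! neighbor while using the router's MAC as the Layer 2 destination; the
! router would route the packet straight back into the same subnet. Deny
! subnet-to-subnet traffic inbound on the gateway interface, but keep the
! gateway's own address reachable.
ip access-list extended PVLAN-NO-HAIRPIN
 permit ip 10.1.1.0 0.0.0.255 host 10.1.1.1
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0
 description Promiscuous link to the PVLAN domain
 ip address 10.1.1.1 255.255.255.0
 ip access-group PVLAN-NO-HAIRPIN in
```

If the gateway is an SVI on the same Catalyst 6500 rather than an external router, the equivalent is interface Vlan100 with private-vlan mapping 101,102 and the same ACL applied to the SVI.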

The Cisco IOS Firewall feature set now offers the zone-based policy firewall (ZPF) feature. With ZPF, firewall interfaces are assigned to zones, and firewall policies are applied to traffic moving between zones, rather than traffic moving between interfaces. Traffic between two zones is dropped unless a zone pair with a policy explicitly passes or inspects it, so a ZPF design is deny-by-default. As an example, consider Figure 8-2, which shows a router running the Cisco IOS Firewall feature set. The router's three interfaces are each assigned to a unique zone (that is, zones for the inside network, the demilitarized zone [DMZ] network, and the outside network).
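The three-zone design of Figure 8-2, as an added Cisco IOS configuration example (not from the book). Interface names, the DMZ web server address 192.0.2.10, and the zone and policy names are assumptions. It shows the two policies a practitioner would start with: inside hosts may initiate inspected sessions to the outside, and the outside may reach only HTTP on the DMZ server; everything else between zones is dropped and logged.

```cisco
! Added example, not from the book. Assumptions: Gi0/0 = INSIDE,
! Gi0/1 = DMZ (web server 192.0.2.10), Gi0/2 = OUTSIDE.
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! Policy 1: inside -> outside. Stateful inspection creates the return
! entry, so no outside -> inside zone pair is needed for replies.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Policy 2: outside -> DMZ, restricted to HTTP toward one server.
! match-all requires both the ACL and the HTTP protocol match.
ip access-list extended DMZ-WEB-ACL
 permit tcp any host 192.0.2.10 eq 80
!
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name DMZ-WEB-ACL
 match protocol http
!
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
!
! Zone pairs are unidirectional: the pair names the initiating zone as
! source. With no INSIDE->DMZ or DMZ->OUTSIDE pair defined, those
! directions are denied by default.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
!
interface GigabitEthernet0/0
 description INSIDE
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description DMZ
 zone-member security DMZ
!
interface GigabitEthernet0/2
 description OUTSIDE
 zone-member security OUTSIDE
```

Two caveats: an interface that belongs to no zone cannot exchange traffic with an interface that does, so every forwarding interface must be placed in a zone, and traffic to and from the router itself (the built-in self zone) is permitted by default; a zone pair with self as destination is needed to restrict management access from OUTSIDE. Inspect the state table with show policy-map type inspect zone-pair sessions.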


NAC Design Considerations

Network admission control (NAC) is a collection of technologies that can be used to enhance network security services. Specifically, NAC can perform posture validation, which checks a host's security state (for example, patch level and antivirus status) before it is admitted, so that only compliant, permitted devices can communicate on the network.

Identity-based networking services (IBNS) can be used with NAC technologies to identify and authenticate a user (or other network device), and make sure the user or network device has appropriate access to network resources.


FIGURE 8-2 Zone-Based Policy Firewall Example: a router with the IOS Firewall feature set, with one interface each in the INSIDE zone, the DMZ zone, and the OUTSIDE zone.


Cisco combines multiple admission control and policy enforcement mechanisms into a device called a NAC Appliance. Specifically, the NAC Appliance is composed of the following four elements:

n Cisco NAC Appliance Manager (Cisco NAM): Acts as a NAC Appliance administration server for defining policies

n Cisco NAC Appliance Server (Cisco NAS): Acts as a policy enforcement server between the trusted and untrusted networks

n Cisco NAC Appliance Agent (Cisco NAA): Acts as an optional agent for Windows-based clients

n NAC Appliance Policy Updates: Checks the status of updates applied to operating systems, antivirus signatures, and other client software

When designing a NAS deployment, consider the following variables:

n Virtual gateway or real gateway: Defines the NAS as a Layer 2 or Layer 3 device

n In-band or out-of-band operating mode: Defines how traffic flows through the NAS

n Layer 2 or Layer 3 client access mode: Defines user device adjacency (that is, Layer 2 or Layer 3) to the NAS

n Central or edge physical deployment: Defines whether the NAS device is physically inline with the data flow

Cisco recommends that NAC Appliance deployments be designed with full redundancy. Among the supported NAC Appliance designs are the following:

n Layer 2 in-band: The most popular type of NAC Appliance deployment, where the NAS is logically, but not physically, inline with the client data, as depicted in Figure 8-3

n Layer 2 out-of-band: Similar to the Layer 2 in-band design, with the exception of a trunk (carrying traffic from the posture assessment and the network access VLANs) being used between the access and distribution switches


n Layer 3 in-band: Securely manages traffic for VPN concentrators or from remote sites, where the client is not Layer 2 adjacent to the NAS

n Layer 3 out-of-band: Allows the NAS to be centrally deployed out-of-band in the core or distribution layers

The Cisco NAC Framework leverages both Cisco technologies and third-party security solutions to analyze the posture of a host, preventing unauthorized network access. The three major components of the Cisco NAC posture validation process are as follows:

n Subjects: Subjects are endpoints that access a network on which network admission control is being used.

n Enforcement devices: Enforcement devices are network devices (for example, routers, VPN gateways, Catalyst switches, and wireless access points) that NAC polices.


FIGURE 8-3 Layer 2 In-Band NAC Appliance Deployment Model (labels shown: NAC Appliance Manager, NAC Appliance Server, Client on VLAN 200, and a trunk carrying VLANs 10 and 20):

• VLAN 200 - Mapped to VLAN 10

• VLAN 20 - NAS Management VLAN

• VLAN 30 - NAM Management VLAN


n Decision and remediation devices: Decision and remediation devices (for example, AAA [authentication, authorization, and accounting] servers, directory servers, posture validation servers [PVS], remediation servers, and audit servers) work together to provide the features of a NAC architecture.

Cisco offers four security applications for client devices:

n Cisco NAC Appliance Agent (NAA): An optional component of the Cisco Clean Access feature, which provides Registry scans

n Cisco Security Agent (CSA): A host intrusion prevention system (HIPS) application that integrates with the Cisco NAC Framework and Monitoring, Analysis, and Response System (MARS)

n Cisco Secure Services Client: Uses IEEE 802.1X to provide a single authentication framework for multiple device types

n Cisco Trust Agent: An integral component of the NAC framework that allows NAC to check the state of security or management software

IDS and IPS Design Considerations

Cisco Self-Defending Network technology leverages the features of intrusion detection systems (IDS) and intrusion prevention systems (IPS). Both IDS and IPS can help defend a network against malicious traffic such as worms, network viruses, and denial-of-service (DoS) attacks.

Intrusion detection systems do not reside in the data path. Instead, they receive a copy of the data for analysis. As a result, an IDS cannot protect against certain types of attacks. For example, atomic attacks can consist of a single packet, and by the time the IDS detects the attack (based on a copy of the attack packet), the attack has already been carried out.

Intrusion prevention systems, conversely, do reside in the data path. Therefore, an IPS might be able to defeat an attack that an IDS would not be able to defeat.


Both IDS and IPS solutions consist of two major components:

n Sensors: Sensors collect and analyze traffic patterns, looking for attack signatures. These sensors can be a dedicated network appliance or software that runs on a host (for example, Cisco Security Agent).

n Security management and monitoring infrastructure: Cisco uses a collection of management and monitoring solutions to carry out the functions of IDS and IPS, including the following:

n Cisco Security Manager: Used to configure Cisco firewalls, VPNs, and IPS devices for security features, in addition to performing high-level monitoring functions

n Cisco Security Monitoring, Analysis, and Response System (MARS): Monitors both security devices in the network and host applications

n Cisco IPS Device Manager (IDM): A Java application used to configure and manage IPS sensors

n IDS Event Viewer: A Java-based application used to view and manage alarms for as many as five sensors

A designer can select from multiple options for placing an IPS sensor in an enterprise network, as illustrated in Figure 8-4.

n Two Layer 2 devices (no trunk): The IPS sensor is positioned between two Layer 2 devices and connects to those two devices via access ports on those devices.

n Two Layer 3 devices: Typically used in Internet, campus, and server farm designs, this model places the IPS sensor between two Layer 3 devices, such as routers or firewalls.

n Two VLANs on the same switch: The IPS sensor bridges two VLANs together on the same switch, such that the traffic arrives from the switch on one VLAN, and the IPS sensor sends the traffic back to the switch on a separate VLAN.

n Two Layer 2 devices (trunked): The IPS sensor is positioned between two Layer 2 devices (for example, Cisco Catalyst switches), and attaches to those devices via IEEE 802.1Q trunks.


FIGURE 8-4 Positioning an IPS Appliance in an Enterprise Network: four panels show Two Layer 2 Devices (No Trunk), Two Layer 3 Devices, Two Layer 2 Devices (Trunked) joined over an IEEE 802.1Q trunk, and Two VLANs on the Same Switch (VLAN A and VLAN B).


Chapter 9: Virtual Private Network Design

Virtual private networks (VPN), used both in public and private networks, allow traffic to be sent securely between two network devices. For example, consider a traveling salesperson who has broadband access in his hotel in the evening. With VPN technology, that salesperson can securely connect back to his corporate headquarters. Similarly, VPNs are often beneficial for telecommuters and remote offices.

In many cases, VPNs can replace previously installed WAN connections (for example, Frame Relay or ATM connections), offering security and lower cost. This chapter discusses the components that make up a VPN, and also covers VPN design considerations.

Remote-Access VPNs

Remote-access VPN tunnels typically use secure tunnels between a remote user, connecting via an Internet service provider (ISP), and the corporate VPN termination device, as illustrated in Figure 9-1.

A VPN is composed of three main elements:

n VPN termination devices: Also known as a "headend," this termination device (for example, an Adaptive Security Appliance [ASA]) has the capacity to support multiple simultaneous VPN connections.

n End clients: Either mobile or fixed, end clients are devices that reside at one end of VPN tunnels and connect to VPN termination devices at the other end of VPN tunnels.


n VPN technology: VPNs can securely send data across a tunnel. Two protocols that make this secure transmission possible are as follows:

n IPsec: IPsec is normally used to secure the transmission of data.

n SSL: Secure Sockets Layer (SSL) uses a digital certificate to authenticate the VPN gateway and then encrypts the session, which makes it well suited to securing web traffic from an ordinary browser. Among SSL VPN mechanisms are the following:

n Clientless access: Proxies web pages and then transmits those web pages over an SSL connection to the end user


FIGURE 9-1 Remote-Access VPNs: a mobile workforce (in a hotel) and a telecommuter's house connect across the Internet to headquarters.


n Thin client: Uses a small application to perform port forwarding, where the port forwarder acts as a local proxy server

n Thick client: A VPN client application, which is downloaded via a web page and runs on the end client

The VPN termination devices mentioned here are usually installed, along with a firewall, at the edge of the network. Cisco best practice for locating a VPN termination device is to install the VPN device behind a firewall in the enterprise's demilitarized zone (DMZ), so that the decrypted traffic passes through the firewall before it reaches the internal network.

When designing a remote access VPN, consider the following:

n Routing: Typically, static routes are configured on internal routers pointing to the headend VPN device.

n Address assignment: Usually, an internal address pool is assigned for each VPN headend. These address pools are pointed to by the static routes mentioned in the preceding bullet.

n Authentication: SSL itself authenticates endpoints only with digital certificates (the gateway's certificate, and optionally a client certificate). User authentication, such as passwords, one-time passwords, or an AAA lookup against RADIUS or LDAP, is layered on top of the established SSL session.

n Access control: Common approaches to access control include defining access control rules on the VPN headend or defining access control rules on an internal firewall.
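The routing, address-assignment, and authentication considerations above, as an added ASA 8.0-style configuration example for an SSL VPN headend (not from the book). The pool 10.200.0.0/24, the RADIUS server 10.1.1.5, the ASA inside address 10.1.1.1, the trustpoint name ASA-TP, and the client package filename are assumptions.

```cisco
! Added example, not from the book. ASA headend sitting in the DMZ.
! Assumptions: per-headend pool 10.200.0.0/24, RADIUS at 10.1.1.5,
! ASA inside address 10.1.1.1, trustpoint ASA-TP already enrolled.
!
! Address assignment: one pool per headend, so internal routing can
! point at this device alone for 10.200.0.0/24.
ip local pool RA-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! User authentication is an AAA lookup carried over the SSL session;
! the SSL layer itself authenticates only the gateway certificate.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5
 key RADIUS-SHARED-SECRET-EXAMPLE
!
! Gateway certificate presented to SSL clients on the outside interface.
ssl trust-point ASA-TP outside
!
webvpn
 enable outside
 svc image disk0:/anyconnect-win.pkg 1
 svc enable
!
! tunnelall sends every client packet through the headend, which keeps
! the internal firewall in the path for access control.
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS
 default-group-policy RA-GP
tunnel-group RA-TG webvpn-attributes
 authentication aaa certificate
!
! ---- On the internal router (Cisco IOS) ----
! Routing: one static route per headend pool toward that headend's
! inside address, so return traffic reaches the headend that owns it.
ip route 10.200.0.0 255.255.255.0 10.1.1.1
```

The authentication aaa certificate line requires both a valid client certificate and a RADIUS-verified credential; drop the certificate keyword for password-only deployments. With two headends, give each its own pool and its own static route rather than sharing one pool.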

Site-to-Site VPNs

Site-to-site VPNs, as illustrated in Figure 9-2, offer a replacement to traditional WAN connections that interconnect, for example, remote offices. Because a VPN tunnel can be created across relatively low-cost network connections, such as a digital subscriber line (DSL) connection to the Internet, site-to-site VPNs can offer significant cost savings, while continuing to provide a secure path for network traffic.


The primary elements comprising a site-to-site VPN include the following:

n Head-end VPN devices: Similar to the remote-access headend, these devices act as the termination point for incoming VPN tunnels to the main campus.

n VPN access devices: Located at remote locations, these devices terminate the remote side of the VPN tunnels.

n IPsec and GRE tunnels: IPsec and generic routing encapsulation (GRE) are VPN tunneling technologies, and each offers its own unique benefits; they are often used together in site-to-site VPNs.

n Internet access: Supplied by ISPs, access to the Internet offers the medium of transport between the VPN headend and VPN access devices.


FIGURE 9-2 Site-to-site VPNs: a VPN head-end device at headquarters terminates tunnels across the Internet from VPN access devices at Branch A, Branch B, and Branch C.


Each end of a VPN tunnel needs an Internet-routable IP address. Traffic flowing through the VPN might physically pass through multiple routers (for example, routers in the ISP's network). However, from the perspective of the VPN traffic, traveling from one end of the VPN to the other appears to be a single router hop. Therefore, the addressing of the traffic traversing the tunnel can be private addressing.

Another major VPN design consideration is scalability. Although multiple factors impact the scalability of a VPN, the main indicator of scalability is the number of remote sites to be supported. Cisco recommends that redundant headend VPN devices be installed and that the CPU utilization of each headend be less than 50 percent, so that a surviving headend can absorb its partner's load after a failure. However, VPN access devices located at remote sites are not considered overburdened if their CPU utilization is less than 65 percent.

Cisco offers a wide variety of VPN devices, which vary in their scalability. Consult current Cisco product documentation when selecting a VPN device for a design.

When interconnecting multiple sites using VPN technologies, consider the following deployment models:

n Peer-to-peer: Secures traffic between two sites

n Hub and spoke: A common approach, in which remote sites connect back to a central location

n Partial mesh: Builds on a hub-and-spoke topology to provide direct connections between some remote sites, to better accommodate traffic patterns

n Full mesh: Provides direct connections between each location in the VPN topology

The three primary approaches for placing a VPN device in an enterprise campus design are as follows:

n Placing the VPN device parallel to the firewall, which supports high scalability

n Placing the VPN in a firewall’s DMZ, which supports the inspection of decrypted IPsec traffic

n Integrating the VPN device with the firewall, resulting in fewer devices to manage


IPsec VPNs

As previously mentioned, IPsec offers secure communication over a tunnel, thus forming a secure VPN. However, multiple IPsec VPN implementations exist.

A basic IPsec VPN interconnects peers over a tunnel. These tunnels are defined by security associations (SA), which specify the protocols, algorithms, and keying material used to form the tunnel.

Other IPsec-based VPNs include the following:

n Easy VPN: Cisco Easy VPN solution is composed of the Easy VPN server and Easy VPN remote devices. The Easy VPN server can push security policies to remote sites. Also, the configuration can be performed using the Router and Security Device Manager (SDM) Easy VPN Server Wizard and Easy VPN Remote Wizard.

n GRE tunneling: IPsec can provide security, but it only supports IP unicast traffic. GRE supports additional traffic types (for example, IP multicast and broadcast traffic, which dynamic routing protocols depend on), but GRE lacks security features. By using these technologies together, multiple traffic types can be encapsulated inside of a GRE tunnel, and then those GRE tunnel packets (which are unicast IP packets) can be transmitted securely inside of an IPsec tunnel.

n Dynamic multipoint VPN (DMVPN): Because hub-and-spoke designs suffer from scalability issues when the number of sites exceeds 10 (because all traffic passes to or through the hub), DMVPN technology can be used to create on-demand tunnels. Specifically, DMVPN is most appropriate when more than 20 percent of the network traffic travels between spoke sites. DMVPN can dynamically create a spoke-to-spoke tunnel based on traffic patterns, as shown in Figure 9-3. In the figure, a dynamic VPN tunnel is established between the Branch B and Branch C sites.


n Virtual tunnel interfaces (VTI): The VTI feature offers a special type of interface, which supports routing, VPN termination, and other configurations that cannot always be applied to a crypto-map-based VPN tunnel (such as quality of service [QoS] configurations).

n Group encrypted transport VPN (GET VPN): Although GET VPN does provide security for network traffic in a fully meshed network, a tunnel is not used. Instead, GET VPN uses Cisco IOS features (a key server that distributes a shared group key to every group member using the Group Domain of Interpretation [GDOI] protocol) to provide security over a private WAN, such as an MPLS network, while preserving the original IP header so that the provider can still route the encrypted packets.


FIGURE 9-3 Dynamic Multipoint VPN Tunnel: the same headquarters and Branch A/B/C topology as Figure 9-2 (VPN head-end device at headquarters, VPN access devices at the branches, connected across the Internet), with a dynamic multipoint VPN tunnel established directly between Branch B and Branch C.


Managing and Scaling VPNs

The Cisco Security Management Suite contains multiple components, including the following:

n Cisco Router and Security Device Manager (SDM): Offers a web-based interface for managing various features (for example, QoS and security features) on Cisco routers

n Cisco Adaptive Security Device Manager (ASDM): Provides a graphical interface for managing Cisco ASA, PIX, and FWSM devices

n Cisco PIX Device Manager (PDM): Supports management of some models of the Cisco PIX (Cisco PIX Security Appliance Software Version 6.3 and earlier) and FWSM

n Cisco View Device Manager (CVDM): Used to manage selected Layer 2 and Layer 3 features on a Cisco Catalyst 6500 series switch

n Cisco Security Manager: Offers a GUI-based configuration solution for firewall, VPN, and intrusion prevention system (IPS) policy configuration on some Cisco security appliances

n Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS): Supports the monitoring, identification, and isolation of security threats, in addition to countering those threats, in an appliance-based solution

When scaling a VPN, the number of packets per second (PPS) transmitted between sites is more relevant to the design than the bandwidth, in bits per second (bps), between sites, because each packet needs to be encrypted and decrypted, for example. Applications vary in the number of PPS they send. For example, a VoIP application uses smaller packet sizes than an FTP application. Therefore, at the same bit rate, the VoIP application would send more PPS than the FTP application.

Various network management tools can be used to determine the PPS rate. However, a basic method of determining the PPS rate on existing equipment is to issue the show interfaces command.

Selecting an appropriate routing protocol for a VPN also helps the VPN to scale. Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) are both examples of enterprise routing protocols that support VPNs.


CHAPTER 10

IP Multicast Design Considerations

Chapter 10: IP Multicast Design Considerations

IP multicast offers a more efficient use of network resources, as compared to unicast and broadcast technologies, for certain applications (for example, streaming video to multiple receivers in a network). This chapter reviews the fundamentals of IP multicast technology, provides design guidance, and discusses security considerations.

Fundamentals of IP Multicast

Consider a video stream that needs to be sent to multiple recipients in a company. One approach is to unicast the traffic: the source server sends a separate copy of every packet to every receiver, as illustrated in Figure 10-1. Obviously, this approach has serious scalability limitations.


FIGURE 10-1 Unicast (figure not reproduced; labels: Multicast Server sending one copy to Destination Address 10.1.1.1 and another copy to Destination Address 10.1.1.2; Receiver 10.1.1.1; Receiver 10.1.1.2; Non-Receiver 10.1.1.3)

An alternative approach is to broadcast the video stream, so that the source server only has to send each packet once. However, in that scenario everyone in the network receives the packet, even if they do not want it, as shown in Figure 10-2.


IP multicast technologies provide the best of both worlds. With IP multicast, the source server sends only one copy of each packet, and the packets are sent only to intended recipients, as demonstrated in Figure 10-3.


FIGURE 10-2 Broadcast (figure not reproduced; labels: Multicast Server sending to Destination Address 255.255.255.255; Receiver 10.1.1.1; Receiver 10.1.1.2; Non-Receiver 10.1.1.3)

FIGURE 10-3 Multicast (figure not reproduced; labels: Multicast Server sending to Destination Address 224.1.1.1, the Multicast Group address; Receiver 10.1.1.1; Receiver 10.1.1.2; Non-Receiver 10.1.1.3)


Specifically, receivers join a multicast group, denoted by a Class D IP address (that is, in the range 224.0.0.0 through 239.255.255.255). The source sends traffic to the Class D address, and through switch and router protocols, packets are forwarded only to intended stations. These multicast packets are sent via User Datagram Protocol (UDP; that is, best effort). Therefore, congestion avoidance mechanisms such as weighted random early detection (WRED), which causes TCP flows to go into TCP slow start, are not effective for multicast. As you do your multicast design, also be aware of the potential for duplicate packets being received and the potential for packets arriving out of order.

In addition to Layer 3 addresses, multicast applications must have Layer 2 addresses (that is, MAC addresses). Fortunately, these Layer 2 addresses can be constructed directly from the Layer 3 multicast addresses. A MAC address is a 48-bit address, and the first half (that is, 24 bits) of a multicast MAC address is 01-00-5e in hex. The 25th bit is always 0. The last 23 bits of the multicast MAC address come directly from the last 23 bits of the multicast IP address. Consider the following example:

n Given a multicast IP address of 224.1.10.10, calculate the corresponding multicast MAC address.

1. First, convert the last three octets to binary.

0000.0001.0000.1010.0000.1010

2. If the leftmost bit isn't already 0, change it to 0, because the 25th bit of a multicast MAC address is always 0.

0000.0001.0000.1010.0000.1010

3. Convert each nibble (that is, 4-bit section) into its hexadecimal equivalent.

01-0a-0a

4. Prepend 01-00-5e to the calculated address to produce the multicast MAC address.

01-00-5e-01-0a-0a

n Interestingly, multiple other multicast IP addresses (for example, 224.129.10.10) yield an identical multicast MAC address. Because the five high-order bits of the 28-bit group portion of the IP address are not carried into the MAC address, this overlap permits 32 Layer 3 multicast addresses to map to the same Layer 2 multicast MAC address. Therefore, care must be taken when selecting Layer 3 multicast addresses to avoid this overlap.
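The IP-to-MAC derivation above, and the 32-to-1 overlap it creates, as an added worked example in Python (not part of the original reference sheets); the set of planned groups checked for collisions is constructed for illustration.

```python
import ipaddress

# Fixed upper 24 bits of every IPv4 multicast MAC address (01-00-5e).
MCAST_OUI = 0x01005E


def multicast_ip_to_mac(group: str) -> str:
    """Derive the Layer 2 multicast MAC address for an IPv4 Class D group.

    Only the low-order 23 bits of the IP address are copied into the MAC
    address; the 25th bit of the MAC is always 0, so the five high-order
    bits of the 28-bit group portion of the IP address are discarded.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D (224.0.0.0/4) address")
    low23 = int(addr) & 0x7FFFFF
    mac = (MCAST_OUI << 24) | low23
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def overlapping_groups(group: str) -> list[str]:
    """List all 32 Class D addresses that share a MAC address with `group`.

    Varying the five discarded bits (bits 23 to 27 of the address) while
    keeping the low 23 bits fixed enumerates every colliding group.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    class_d_prefix = 0xE << 28  # first four bits 1110
    return [str(ipaddress.IPv4Address(class_d_prefix | (hi << 23) | low23))
            for hi in range(32)]


def find_mac_collisions(groups: list[str]) -> dict[str, list[str]]:
    """Design-time check: report planned groups that collide at Layer 2.

    Returns multicast MAC -> the groups mapping onto it, for MACs hit by
    more than one group. A switch that constrains flooding by MAC address
    alone delivers every colliding group to a port that joined any one of
    them, so colliding groups should be renumbered.
    """
    by_mac: dict[str, list[str]] = {}
    for g in groups:
        by_mac.setdefault(multicast_ip_to_mac(g), []).append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


if __name__ == "__main__":
    print(multicast_ip_to_mac("224.1.10.10"))    # the text's example: 01-00-5e-01-0a-0a
    print(multicast_ip_to_mac("224.129.10.10"))  # same MAC address
    # Constructed list of groups proposed for a design, checked for overlap.
    planned = ["224.1.10.10", "224.129.10.10", "239.1.1.1", "239.129.1.1"]
    print(find_mac_collisions(planned))
```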


As previously mentioned, in a multicast network, the source sends multicast packets with a Class D destination address. The 224.0.0.0 through 239.255.255.255 address range is the Class D address range, because the first four bits in the first octet of a Class D address are 1110.

Some ranges of addresses in the Class D address space are dedicated for special purposes:

224.0.0.0 – 224.0.0.255 – Reserved link local addresses

224.0.1.0 – 238.255.255.255 – Globally scoped addresses

232.0.0.0 – 232.255.255.255 – Source-specific multicast

233.0.0.0 – 233.255.255.255 – GLOP addresses

239.0.0.0 – 239.255.255.255 – Limited-scope addresses

n Reserved link-local addresses are used, for example, by many network protocols. Open Shortest Path First (OSPF) uses 224.0.0.5 and 224.0.0.6. Routing Information Protocol Version 2 (RIPv2) uses 224.0.0.9, and Enhanced Interior Gateway Routing Protocol (EIGRP) uses 224.0.0.10. Other "well-known" addresses in this range include 224.0.0.1, which addresses all multicast hosts, and 224.0.0.2, which addresses all multicast routers.

n Globally scoped addresses are used for general-purpose multicast applications, and they can extend beyond the local autonomous system.

n Source-specific multicast (SSM) addresses are used in conjunction with Internet Group Management Protocol Version 3 (IGMPv3) to allow a multicast receiver to request not only membership in a group but also the specific sources from which it wants to receive traffic. Therefore, in an SSM environment, multiple sources with different content can all be sending to the same multicast destination address.

n GLOP addresses provide a globally unique multicast address range, based on autonomous system numbers. As an example, if a company had an autonomous system number of 65000, its globally unique range of multicast IP addresses would be 233.253.232.0 through 233.253.232.255. The autonomous system number is used to calculate the second and third octets in this address range. First, convert the autonomous system number to hexadecimal (that is, 65000 in decimal equals FD-E8 in hexadecimal). FD in hexadecimal equals 253 in decimal, and E8 in hexadecimal equals 232 in decimal. The first octet of a GLOP address is always 233.

n Limited-scope addresses are used for internal multicast applications (that is, traffic that doesn't leave its autonomous system), much like the 10.x.x.x/8 address space is a "private" unicast address space.
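The Class D range table and the GLOP derivation above, as an added Python example (not part of the original reference sheets): it classifies a group address by the ranges the text lists, derives a GLOP /24 from an AS number and back, and flags internally scoped applications that were given non-limited-scope groups. The protocol labels come from the text; the groups passed in at the bottom are constructed.

```python
import ipaddress

# Special-purpose Class D ranges from the text, as (first, last, name).
# Narrow blocks are listed before the broad globally scoped range so that
# the first match wins.
SPECIAL_RANGES = [
    ("224.0.0.0", "224.0.0.255", "reserved link-local"),
    ("232.0.0.0", "232.255.255.255", "source-specific multicast (SSM)"),
    ("233.0.0.0", "233.255.255.255", "GLOP"),
    ("239.0.0.0", "239.255.255.255", "limited-scope"),
    ("224.0.1.0", "238.255.255.255", "globally scoped"),
]

# Well-known addresses named in this chapter and their users.
WELL_KNOWN = {
    "224.0.0.1": "all multicast hosts",
    "224.0.0.2": "all multicast routers",
    "224.0.0.5": "OSPF",
    "224.0.0.6": "OSPF",
    "224.0.0.9": "RIPv2",
    "224.0.0.10": "EIGRP",
    "224.0.1.39": "Auto-RP announcements",
}


def classify(group: str) -> str:
    """Name the special-purpose range a Class D address falls into."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in the Class D range 224.0.0.0/4")
    for first, last, name in SPECIAL_RANGES:
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return name
    raise AssertionError("SPECIAL_RANGES should cover all of 224.0.0.0/4")


def describe(group: str) -> str:
    """Range name, plus the well-known protocol user when there is one."""
    name = classify(group)
    user = WELL_KNOWN.get(group)
    return f"{name} ({user})" if user else name


def glop_range(asn: int) -> ipaddress.IPv4Network:
    """GLOP /24 for a 16-bit AS number: 233.<high byte>.<low byte>.0/24."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP derives octets 2 and 3 from a 16-bit AS number")
    return ipaddress.IPv4Network(f"233.{asn >> 8}.{asn & 0xFF}.0/24")


def glop_asn(group: str) -> int:
    """Inverse of glop_range: recover the AS number a GLOP address belongs to."""
    if classify(group) != "GLOP":
        raise ValueError(f"{group} is not a GLOP (233.0.0.0/8) address")
    octets = group.split(".")
    return (int(octets[1]) << 8) | int(octets[2])


def internal_groups_outside_limited_scope(groups: list[str]) -> list[str]:
    """Groups meant to stay inside the AS that are not in 239.0.0.0/8.

    Such groups cannot be contained by a scope boundary on 239/8 and
    should be renumbered before deployment.
    """
    return [g for g in groups if classify(g) != "limited-scope"]


if __name__ == "__main__":
    print(glop_range(65000))           # 233.253.232.0/24, the text's example
    print(describe("224.0.0.10"))      # reserved link-local (EIGRP)
    # Constructed groups proposed for an internal-only video application.
    print(internal_groups_outside_limited_scope(["239.1.1.1", "224.1.1.1"]))
```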

The protocol used between clients (for example, PCs) and routers to let routers know which of their interfaces have multicast receivers attached is IGMP. There are three versions of IGMP:

n IGMP Version 1: When a PC wants to join a multicast group, it sends an IGMP Report message to the router, letting the router know it wants to receive traffic for a specific group. Every 60 seconds, by default, the router sends an IGMP Query message to determine whether the PC still wants to belong to the group. There can be up to a three-minute delay before a router realizes that a receiver left the group. The destination address of this router query is 224.0.0.1, which addresses all IP multicast hosts.

n IGMP Version 2: Similar to IGMP Version 1, except that IGMP Version 2 can send queries to a specific group, and a "leave" message is supported. Specifically, a receiver can proactively send a leave message when it no longer wants to participate in a multicast group, allowing the router to prune its interface earlier.

n IGMP Version 3: Offers the same features as IGMP Version 2, except that IGMP Version 3 also supports SSM, which allows a multicast group member to request traffic from a specific host's IP address.

Only members of a multicast group receive packets destined for that group. However, the sender does not need to be a member of the group. Multicast traffic flows from a source to a destination over a "distribution tree," which is a loop-free path. The two types of distribution trees are as follows:

n Source distribution tree: A source distribution tree creates an optimal path between each source router and each last-hop router (that is, a router connected to a receiver), at the expense of increased memory usage, as shown in Figure 10-4.


n Shared distribution tree: A shared distribution tree creates a shared tree from a central rendezvous point (RP) router to all last-hop routers, with source distribution trees being created from all sources to the RP, at the expense of increased delay, as shown in Figure 10-5.

To combat the issue of receiving duplicate packets, Cisco routers perform a reverse path forwarding (RPF) check to determine whether a multicast packet is entering a router on the correct interface. An RPF check examines the source address of an incoming packet and looks it up in the router's unicast routing table to see which interface should be used to get back to the source network. If the incoming multicast packet arrived on that interface, the RPF check passes, and the packet is forwarded. If the multicast packet arrived on a different interface, the RPF check fails, and the packet is discarded, as illustrated in Figure 10-6.
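The RPF check described above, simulated in Python as an added example (not part of the original reference sheets). The routing table is constructed from Figure 10-6's single 10.0.0.0/8 entry via S0/0; the extra 10.2.0.0/16 entry and the sample packets are assumptions added to show the longest-prefix lookup and the no-route case.

```python
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface).
# 10.0.0.0/8 via S0/0 comes from Figure 10-6; the /16 is added here to show
# that the RPF lookup is a longest-prefix match, like any unicast lookup.
UNICAST_ROUTES = [
    ("10.0.0.0/8", "S0/0"),
    ("10.2.0.0/16", "S0/1"),
]


def rpf_interface(routes, source: str):
    """Interface the unicast table would use to reach `source`, or None.

    None means there is no route back to the source, so the RPF check
    must fail: the router has no way to validate where the packet came from.
    """
    src = ipaddress.IPv4Address(source)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(routes, source: str, in_iface: str) -> bool:
    """RPF passes only when the packet arrived on the interface facing its source."""
    return rpf_interface(routes, source) == in_iface


def forward_multicast(routes, packets):
    """Apply the RPF check to (source, group, in_iface) packets.

    Returns (forwarded, dropped). On a real router the dropped list shows
    up as RPF-failure counters; a rising count signals a loop, a unicast
    routing inconsistency, or a source arriving from an unexpected side.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        source, _group, in_iface = pkt
        (forwarded if rpf_check(routes, source, in_iface) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed packets: Figure 10-6's video server 10.1.1.1 arriving on each interface.
    sample = [
        ("10.1.1.1", "225.1.2.3", "S0/0"),     # matches 10.0.0.0/8 via S0/0: PASS
        ("10.1.1.1", "225.1.2.3", "S0/1"),     # wrong interface: FAIL, dropped
        ("10.2.3.4", "225.1.2.3", "S0/1"),     # longer /16 points at S0/1: PASS
        ("192.168.1.1", "225.1.2.3", "S0/0"),  # no route back to source: FAIL
    ]
    ok, bad = forward_multicast(UNICAST_ROUTES, sample)
    for pkt in ok:
        print("forward", pkt)
    for pkt in bad:
        print("drop   ", pkt)
```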


FIGURE 10-4 Source Distribution Tree (figure not reproduced; labels: Source 1 and Source 2, each behind a Source Router and Sending to 225.1.2.3; Last-Hop Router; Receiver, Member of 225.1.2.3)


FIGURE 10-5 Shared Distribution Tree (figure not reproduced; labels: Source 1 and Source 2, each behind a Source Router and Sending to 225.1.2.3; Rendezvous Point (RP); Last-Hop Router; Receiver, Member of 225.1.2.3)

FIGURE 10-6 Reverse Path Forwarding Check (figure not reproduced; labels: Video Server 10.1.1.1; router interfaces S0/0 and S0/1; Unicast Routing Table with entry Network 10.0.0.0/8, Interface S0/0; RPF Check - PASS; RPF Check - FAIL; Receiver)


When a Layer 2 switch receives a multicast frame on an interface, by default the switch floods the frame out all other interfaces. To prevent this behavior, the switch needs awareness of which interfaces are connected to receivers for specific multicast groups. One approach to training the switch is IGMP snooping. IGMP snooping allows a switch to autonomously determine which interfaces are connected to receivers for specific multicast groups by eavesdropping on the IGMP traffic being exchanged between clients and routers.

Protocol Independent Multicast Design

The Protocol Independent Multicast (PIM) protocol is a router-to-router protocol used by Cisco routers to achieve a loop-free topology. The three main types of PIM are as follows:

n PIM Any-Source Multicast (ASM): ASM is a new name for the classic PIM Sparse Mode (PIM-SM) technology, and it is the most popular multicast type deployed today. Specifically, ASM allows routers to explicitly request to join a tree using a shared distribution tree approach, and then performs shortest path tree (SPT) switchover, allowing receiver routers to form a shortest path tree with the source routers, thus creating optimal pathing.

n Bidirectional PIM (Bidir PIM): Bidir PIM uses shared distribution trees to more efficiently support many-to-many applications.

n Source Specific Multicast (SSM): Supported by IGMP Version 3, SSM uses source distribution trees and allows a multicast group member to request a specific host IP address from which it wants to receive traffic. This approach eliminates the need for an RP.

When an RP is required (that is, when ASM or Bidir PIM is being used), designers can select from among the following four technologies for deploying an RP:

n Anycast RP: Uses multiple routers in a PIM-SM network to offer RP load sharing and redundancy, where two RPs act as hot backups to each other


n Static RP addressing: Requires that all routers pointing to an RP be statically configured with the RP's IP address

n Auto RP: Uses a multicast address of 224.0.1.39 to dynamically announce an RP's IP address to routers

n Bootstrap router (BSR): Uses PIM Version 2 to offer a vendor-independent solution for dynamically selecting an RP

Securing IP Multicast Networks

When designing IP multicast networks, additional security considerations apply. Whereas unicast routing maintains a unicast routing table, IP multicast routing relies on multicast state information, which is maintained in the multicast routing table, in addition to the unicast routing table.

Unicast routing can use technologies such as access control lists (ACL) or firewalls to protect traffic. These technologies can prevent one device from sending traffic to another device. However, with IP multicast routing, traffic is sent to a multicast group rather than to a specific device. Therefore, a major IP multicast security consideration is to protect multicast receivers from unknown senders.

Fortunately, SSM prevents an unknown host from sending to a multicast receiver, because with SSM a multicast receiver joins to a specific source host. Also, with Any-Source Multicast, a receiver would only be susceptible to a multicast attack if it joined a multicast group.

To limit IP multicast traffic from being propagated too far within a network, scopes can be used to set boundaries for the traffic. In addition, IP multicast traffic can be constrained using time-to-live (TTL) thresholds.

In addition, consider the following approaches for securing IP multicast networks:

n Packet filter based access control: Typically used for inbound traffic, packet filter based access control can filter traffic before IP multicast routing occurs.


n Host receiver side access control: Individual IP multicast groups can be filtered out of IGMP membership report messages using host receiver side access control.

n PIM-SM source control: PIM-SM source control denies unauthorized sources from registering with an RP.

n Disabling multicast groups: Individual IP multicast groups or a range of IP multicast groups can be administratively enabled, and traffic for other groups can be dropped.


CHAPTER 11

Designing Voice over WLAN Networks

Chapter 11: Designing Voice over WLAN Networks

Both wireless LAN (WLAN) and VoIP technologies are growing in popularity in today's enterprise networks. Interestingly, these diverse technologies can be used in tandem to provide VoIP services for wireless clients. This section considers the design of Voice over Wireless LAN (VoWLAN) networks, including such topics as the need for VoWLANs, performing site surveys, and core infrastructure requirements.

Introduction to VoWLAN Technologies

A WLAN contains access points (with which wireless devices communicate), antennas (which help determine the wireless coverage areas), and wireless endpoints (such as a laptop containing a wireless network interface card). Cisco offers a suite of wireless technologies that fall under the umbrella of the Cisco Unified Wireless Network. An example of a wireless network, demonstrating various wireless bridging methods, is illustrated in Figure 11-1.

Elements of a Cisco Unified Wireless Network include mobility services, network management services, network unification, access points, and client devices. Motivations to offer VoWLAN services include the widespread deployment of WLANs in enterprise networks and the enhanced communication features offered by VoIP, in addition to productivity and cost benefits. Although some might argue that cell phones provide an alternative solution to mobile communications, VoWLAN services offer access to a wider range of enterprise voice applications (for example, access to a corporate phone directory).

However, a VoWLAN designer must understand the stringent requirements of VoIP. Specifically, if VoIP packets experience excessive packet drops, jitter (that is, variation in interpacket arrival times), and delay, the voice quality will be considered unacceptable by the end users. The G.114 recommendation offers one example of a VoIP design guideline. Specifically, the G.114 recommendation states that the maximum one-way delay for a VoIP packet should not exceed 150 ms. Fortunately, Cisco offers an array of quality of service (QoS) solutions that can help minimize packet loss, jitter, and overall delay for voice traffic.


Cisco uses the term Cisco voice-ready architecture to describe its end-to-end solution for WLANs that can transmit VoIP traffic while maintaining voice quality. The four primary components of the Cisco voice-ready architecture are as follows:

n VoWLAN clients: For example, wireless IP phones

n Voice-ready WLAN: A WLAN capable of prioritizing voice traffic


Figure 11-1: Cisco Unified Wireless Network Example


n Unified wired/wireless LAN infrastructure: The combination of wireless and wired network components that provide end-to-end connectivity for VoWLAN clients

n Cisco Unified Communications and mobility applications: A collection of Cisco software and hardware products that offer a feature-rich IP telephony environment

Provisioning for VoWLAN Coverage

Wireless LANs need seamless coverage throughout the areas where VoWLAN clients might roam. Fortunately, Cisco Unified Wireless Network offers a variety of products for ensuring appropriate coverage.

As a VoWLAN client roams from one cell of coverage to another, the signal quality might vary. To maintain a more consistent call quality, Cisco recommends the following radio frequency (RF) parameters:

n A received signal strength of –67 dBm or greater

n A maximum packet error rate of 1 percent

n A minimum signal-to-noise ratio (SNR) of 25 dB

A wireless access point shares bandwidth among its clients. Additional bandwidth per client can be achieved by adding access points. However, to prevent RF interference, adjacent wireless access points should use different frequencies (that is, channels). These channels should be nonoverlapping channels. Nonoverlapping channels extend coverage while maintaining available bandwidth. The three nonoverlapping channels commonly used in North America are channels 1, 6, and 11. To provide continuous coverage as wireless devices roam from one cell to another cell, Cisco recommends a 15 percent to 20 percent cell coverage overlap.

Although multiple IEEE 802.11 implementations exist for wireless networking (for example, 802.11a, 802.11b, and 802.11g), 802.11a often serves as an appropriate choice for VoWLANs. Specifically, 802.11a suffers less RF interference from other sources, such as cordless phones, and supports as many as 14 simultaneous voice calls per wireless access point.


Consider the following design guidelines for a VoWLAN.

n Determine the required coverage area and number of wireless phones to be supported.

n Use at least two wireless access points (operating on nonoverlapping channels).

n The percentage of time that an access point uses a particular channel (the channel utilization advertised in the QoS basic service set [QBSS] load element) should be less than 45 percent.

n The percentage of packets transmitted error-free should be at least 99 percent.

n Antenna diversity, which reduces the number of missed or retried packets, should be used on all access points.

n Do not oversubscribe an access point with too many calls. 802.11b and 802.11g access points support a maximum of seven simultaneous G.711 calls or eight G.729 calls, whereas 802.11a access points can support a maximum of fourteen G.711 calls.
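The RF parameters and design guidelines above can be turned into an automated check of site-survey data. The following Python script is an added example, not code from the Cisco Press text or from Cisco; it assumes a constructed survey (per-cell edge RSSI, noise floor, packet error rate, QBSS channel load, active calls by codec, and which cells overlap) and reports every guideline a cell violates, including two neighbouring cells sharing a channel. The access point names and survey values are made up for illustration.

```python
"""VoWLAN design check over a constructed site-survey sample.

Added example (not from the Cisco Press text): applies the chapter's RF and
capacity guidelines to per-cell survey data and reports violations. The survey
records, cell adjacency and call counts below are constructed.
"""
from dataclasses import dataclass, field

# Thresholds quoted in the chapter.
MIN_RSSI_DBM = -67
MIN_SNR_DB = 25
MAX_PER_PCT = 1.0          # packet error rate
MAX_QBSS_LOAD_PCT = 45.0   # channel utilisation from the QBSS load element
NONOVERLAPPING_24GHZ = {1, 6, 11}
MAX_CALLS = {              # simultaneous calls per access point, from the chapter
    ("802.11b", "g711"): 7, ("802.11g", "g711"): 7,
    ("802.11b", "g729"): 8, ("802.11g", "g729"): 8,
    ("802.11a", "g711"): 14,
}

@dataclass
class Cell:
    ap: str
    band: str            # "802.11a", "802.11b" or "802.11g"
    channel: int
    rssi_dbm: float      # weakest survey reading at the cell edge
    noise_dbm: float
    per_pct: float
    qbss_load_pct: float
    calls: dict = field(default_factory=dict)   # codec -> active calls
    neighbours: tuple = ()                      # APs whose cells overlap this one

def check_cell(cell, cells_by_ap):
    """Return a list of findings for one cell (empty list = passes every check)."""
    findings = []
    snr = cell.rssi_dbm - cell.noise_dbm
    if cell.rssi_dbm < MIN_RSSI_DBM:
        findings.append(f"{cell.ap}: edge RSSI {cell.rssi_dbm} dBm below {MIN_RSSI_DBM} dBm")
    if snr < MIN_SNR_DB:
        findings.append(f"{cell.ap}: SNR {snr:.0f} dB below {MIN_SNR_DB} dB")
    if cell.per_pct > MAX_PER_PCT:
        findings.append(f"{cell.ap}: packet error rate {cell.per_pct}% above {MAX_PER_PCT}%")
    if cell.qbss_load_pct >= MAX_QBSS_LOAD_PCT:
        findings.append(f"{cell.ap}: QBSS channel load {cell.qbss_load_pct}% not below {MAX_QBSS_LOAD_PCT}%")
    if cell.band in ("802.11b", "802.11g") and cell.channel not in NONOVERLAPPING_24GHZ:
        findings.append(f"{cell.ap}: channel {cell.channel} is not a nonoverlapping 2.4 GHz channel")
    # Co-channel neighbours defeat the point of adding access points.
    for n in cell.neighbours:
        other = cells_by_ap[n]
        if other.band == cell.band and other.channel == cell.channel:
            findings.append(f"{cell.ap}: overlaps {n} on the same channel {cell.channel}")
    # Oversubscription: each codec has its own per-AP ceiling.
    for codec, count in cell.calls.items():
        limit = MAX_CALLS.get((cell.band, codec))
        if limit is None:
            findings.append(f"{cell.ap}: no capacity figure for {codec} on {cell.band}")
        elif count > limit:
            findings.append(f"{cell.ap}: {count} {codec} calls exceed the {limit}-call limit for {cell.band}")
    return findings

def check_design(cells):
    """Run every check; return {ap: [findings]} for the cells that fail."""
    if len(cells) < 2:
        return {"design": ["fewer than two access points"]}
    by_ap = {c.ap: c for c in cells}
    report = {}
    for c in cells:
        f = check_cell(c, by_ap)
        if f:
            report[c.ap] = f
    return report

# Constructed survey: AP2 shares channel 6 with AP1, has a weak edge and too many calls.
SURVEY = [
    Cell("AP1", "802.11g", 6, -62, -92, 0.4, 30, {"g711": 5}, ("AP2",)),
    Cell("AP2", "802.11g", 6, -70, -90, 1.5, 50, {"g711": 9}, ("AP1",)),
    Cell("AP3", "802.11a", 36, -64, -95, 0.2, 20, {"g711": 12}, ()),
]

if __name__ == "__main__":
    for ap, findings in check_design(SURVEY).items():
        for line in findings:
            print(line)
```

Run against the constructed survey, AP1 is flagged only for the shared channel, AP2 for every threshold it misses, and AP3 passes; the thresholds are kept in one place at the top so they can be adjusted to a customer's own service levels.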

Conducting a site survey is an initial step in designing a VoWLAN. Performing an effective site survey involves the following steps:

1. Determine what type of devices the customer needs to support, the number of devices, the service levels of those devices, and the location of the devices to be supported.

2. Review potential structural elements (walls, stairwells, or elevator shafts) that will impede the propagation of the wireless signal.

3. Identify initial access point locations.

4. With the access points in place, conduct the site survey (which identifies the coverage areas and signal strengths that result from the access point placement).

5. Record the results of the site survey.


VoWLAN Design Requirements

A VoWLAN design requires the designer to consider the following:

n Roaming: Because VoWLAN clients need to maintain connectivity and good voice quality as they roam from one wireless coverage cell to another, the VoWLAN network should support roaming. Cisco wireless devices support various types of roaming, as illustrated in Figure 11-2.


Figure 11-2: Types of Wireless Roaming. Lightweight access points connect to wireless LAN controllers over LWAPP. A client moving between access points on the same controller performs intracluster roaming; moving between controllers is Layer 2 roaming (same subnet) or Layer 3 roaming (between subnets).

n Intracluster roaming: A wireless client changes its association from one wireless access point to another wireless access point, where both access points are associated with the same wireless LAN controller.

n Layer 2 intercontroller roaming: A wireless client changes its association from one wireless access point to another wireless access point, where the access points are associated with different wireless LAN controllers in the same subnet.


n Layer 3 intercontroller roaming: A wireless client changes its association from one wireless access point to another wireless access point, where the access points are associated with different wireless LAN controllers in different subnets.

Cisco recommends that voice traffic and data traffic be placed in separate VLANs. This VLAN separation enables the use of various security features and also aids in the prioritization of voice traffic.

n Quality of service (QoS): The IEEE and the Wi-Fi Alliance each have a standard for prioritizing WLAN traffic: IEEE 802.11e and Wi-Fi Multimedia (WMM). Whereas 802.11e specifies eight user priority levels, WMM collapses them into four access categories, which Cisco wireless LAN controllers expose as the Platinum (typically used for voice), Gold, Silver, and Bronze QoS profiles.

n Security: VoWLAN security recommendations include the following:

Use Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) to provide timely authentication for roaming wireless clients.

Use the Temporal Key Integrity Protocol (TKIP) to encrypt both voice payload (that is, Real-time Transport Protocol [RTP]) and signaling (that is, Skinny Client Control Protocol [SCCP]) traffic.

Use the Message Integrity Check (MIC) to verify the integrity of wireless packets.

Note that TKIP and its MIC are the WPA-era mechanisms that were current when this guide was written and have since been deprecated by the IEEE and the Wi-Fi Alliance. Where the handsets support it, WPA2 with AES-CCMP provides both confidentiality and integrity and should be preferred.

n Intelligent clients: The Cisco 7921G IP Phone is an example of an intelligent VoWLAN client. The 7921G is flexible in terms of supported radio frequencies (that is, IEEE 802.11a/b/g), and has a long battery life, enhanced security, and QoS mechanisms.


Chapter 12: Cisco IOS Software Network Management Capabilities

Performance, scalability, and availability can all be achieved through the rich set of embedded management functionality found in Cisco IOS Software. This chapter discusses the implementation of the Cisco IOS Software management instrumentation as part of overall enterprise design.

Built-In Management Capabilities

Large enterprises rely on WAN links, but these bring several issues, including the following:

n High cost, leading to implementation of low-speed lower-cost links

n Speed mismatches between LAN and WAN links leading to congestion, packet loss, and so on

n Combination of real-time applications competing for bandwidth with general data transfer

Cisco IOS Software includes management capabilities through a broad range of show commands and Simple Network Management Protocol (SNMP) access to information. Tools such as Security Device Manager (SDM), Adaptive Security Device Manager (ASDM), and web tools for managing single devices are also offered, as are embedded management subsystems such as syslog, NetFlow, Network Based Application Recognition (NBAR), and IP Service Level Agreement (IP SLA).

Cisco application optimization cycle:

1. Create baseline of application traffic.

2. Meet objectives through optimization.


3. Measure, adjust, and verify effectiveness of techniques.

4. Deploy the new applications.

Cisco IOS System Message Logging (syslog): Syslog allows reporting and archiving of error messages locally or on a remote logging server. The structured part of every message begins with a percent sign (%) and has the form %FACILITY-SEVERITY-MNEMONIC: message text, where severity runs from 0 (emergency) to 7 (debugging). When sequence numbers and timestamps are enabled, they precede the percent sign.
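As an added example (not from the Cisco Press text or from Cisco), the following Python parser reads messages in that structure, including the optional sequence-number and timestamp prefix, and separates the security-relevant ones from the noise. The log lines are constructed to match the shape IOS emits; the list of mnemonics worth alerting on regardless of severity is this example's own choice.

```python
"""Parse Cisco IOS syslog messages and pull out the security-relevant ones.

Added example (not from the Cisco Press text). It handles the
%FACILITY-SEVERITY-MNEMONIC: text structure, with the optional sequence-number
and timestamp prefix IOS prepends when 'service sequence-numbers' and
'service timestamps log' are configured. The log lines are constructed.
"""
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Optional "000123: " sequence and "*Mar  1 01:02:03.111: " timestamp, then the message.
IOS_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?\w{3}\s+\d+\s+[\d:.]+)(?:\s+\w+)?:\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

def parse_ios_syslog(line):
    """Return a dict of fields, or None if the line is not an IOS system message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY_NAMES[d["severity"]]
    return d

# Mnemonics worth alerting on whatever their severity: severity 5/6 hides real signal.
WATCH = {
    ("SYS", "CONFIG_I"),            # running configuration changed
    ("SEC_LOGIN", "LOGIN_FAILED"),
    ("SEC", "IPACCESSLOGP"),        # ACL deny with ports (log-input/log keyword)
    ("LINEPROTO", "UPDOWN"),
}

def triage(lines, max_severity=4):
    """Return (alerts, counts): messages at or below max_severity or with a watched
    mnemonic, plus a per-(facility, mnemonic) count of everything parsed."""
    alerts, counts = [], Counter()
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            continue
        counts[(msg["facility"], msg["mnemonic"])] += 1
        if msg["severity"] <= max_severity or (msg["facility"], msg["mnemonic"]) in WATCH:
            alerts.append(msg)
    return alerts, counts

# Constructed sample in the shape IOS emits with sequence numbers and timestamps.
SAMPLE = """\
000123: *Mar  1 01:02:03.111: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
000124: *Mar  1 01:02:10.222: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000125: *Mar  1 01:02:11.333: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(44512) -> 10.1.1.20(22), 1 packet
000126: *Mar  1 01:02:12.444: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 01:02:12 UTC Mon Mar 1 2008
000127: *Mar  1 01:02:13.555: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.50 started - CLI initiated
this line is not a system message
""".splitlines()

if __name__ == "__main__":
    alerts, counts = triage(SAMPLE)
    for a in alerts:
        print(f'{a["severity_name"]:<13} {a["facility"]}-{a["mnemonic"]}: {a["text"]}')
    print(dict(counts))
```

On the sample, the configuration change, the interface flap and the ACL deny are surfaced by mnemonic even though IOS rates them as notifications or informational, the failed login is surfaced by severity, and the logging-host message is counted but not alerted.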

Working with NetFlow

Embedded within Cisco IOS Software, NetFlow is designed to provide network and security monitoring, traffic analysis, and IP accounting, and to assist with network planning.

NetFlow usage: Used by both service providers and enterprise organizations, although their usage of it may differ. For service providers (SP), it can provide assistance with traffic engineering, network planning, accounting and billing, security monitoring, and information regarding peering arrangements. Enterprises typically use NetFlow for user and Internet access monitoring, application monitoring, charge-back billing for departments, and security monitoring.

Defining a flow: A flow in NetFlow is identified by seven fields: IP source address, IP destination address, source port number, destination port number, Layer 3 protocol type, type-of-service (ToS) byte, and input logical interface. NetFlow inspects each packet for these key field values and compares them to the existing flows in the cache. If the combination of values is unique, a new flow is created in the cache.

By examining flows and caching information about unique values, NetFlow-enabled switching can provide scalability andperformance based on flow cache management.
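The following Python code is an added example, not Cisco's implementation: it keys a flow cache on exactly the seven fields listed above and then uses the cache the way the security-monitoring use case above describes, picking out a source whose single-packet SYN-only flows fan out across many destination ports on one host. The packet records and the scan heuristic are this example's own.

```python
"""Build a NetFlow-style flow cache from packets and use it for security monitoring.

Added example (not Cisco code). Each packet is keyed on the seven fields the text
lists; a packet matching an existing key updates that flow, otherwise a new flow
is created. The packet records are constructed; the scan heuristic (many distinct
destination ports from one source, each a one-packet SYN-only flow) is this
example's own.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int      # Layer 3 protocol number (6 = TCP, 17 = UDP, 1 = ICMP)
    tos: int           # type-of-service byte
    in_ifindex: int    # input logical interface

@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first: float = 0.0
    last: float = 0.0
    tcp_flags: int = 0  # OR of all TCP flags seen (a non-key field, as in NetFlow v5)

class FlowCache:
    def __init__(self):
        self.flows = {}

    def account(self, pkt):
        """pkt is a dict with the seven key fields plus ts, length and flags."""
        key = FlowKey(pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
                      pkt["protocol"], pkt["tos"], pkt["in_ifindex"])
        flow = self.flows.get(key)
        if flow is None:                       # unique key -> new cache entry
            flow = Flow(first=pkt["ts"])
            self.flows[key] = flow
        flow.packets += 1
        flow.bytes += pkt["length"]
        flow.last = pkt["ts"]
        flow.tcp_flags |= pkt.get("flags", 0)
        return key

def top_talkers(cache, n=3):
    """Bytes per source address, largest first (the capacity-planning view)."""
    by_src = defaultdict(int)
    for key, flow in cache.flows.items():
        by_src[key.src_ip] += flow.bytes
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]

SYN = 0x02

def scan_sources(cache, min_ports=5):
    """Sources that opened >= min_ports distinct TCP destination ports on one host
    with single-packet SYN-only flows: the signature of a port scan in flow data."""
    ports = defaultdict(set)
    for key, flow in cache.flows.items():
        if key.protocol == 6 and flow.packets == 1 and flow.tcp_flags == SYN:
            ports[(key.src_ip, key.dst_ip)].add(key.dst_port)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)

def packet(ts, src, sport, dst, dport, proto=6, length=60, flags=SYN, tos=0, ifidx=1):
    return dict(ts=ts, src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport,
                protocol=proto, tos=tos, in_ifindex=ifidx, length=length, flags=flags)

# Constructed traffic: one HTTPS session, a SYN sweep of ports 21-26, one DNS query.
PACKETS = [packet(1.0, "10.1.1.5", 51000, "10.1.2.10", 443, length=1500, flags=0x18)] * 4
PACKETS += [packet(2.0 + i / 10, "203.0.113.9", 44000 + i, "10.1.2.10", 21 + i) for i in range(6)]
PACKETS += [packet(3.0, "10.1.1.7", 40000, "10.1.2.10", 53, proto=17, length=80, flags=0)]

def analyse(packets):
    cache = FlowCache()
    for p in packets:
        cache.account(p)
    return cache

if __name__ == "__main__":
    c = analyse(PACKETS)
    print(len(c.flows), "flows")
    print(top_talkers(c))
    print(scan_sources(c))
```

The four HTTPS packets collapse into a single flow because every key field repeats, whereas each probe of the sweep has a different destination port and so becomes its own one-packet flow; that asymmetry is what both the cache's scalability and the scan detection rely on.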


NetFlow Versions

There are a number of NetFlow versions. Older versions (1, 5, 7, 8) support statically defined fields, whereas the newer Version 9 supports dynamically defined fields:

n Version 1: Original

n Version 5: Most popular

n Version 7: Supports Cisco Catalyst 6500 switches with a Multilayer Switch Feature Card (MSFC) on CatOS Release 5.5(7) and later

n Version 8: Provides on router aggregation; choice of 11 aggregation schemes

n Version 9: Flexible, extensible file export format

n IPFIX: IETF standard mechanism for information export

NetFlow Version 9: This version has an export format that allows new fields to be inserted easily. It includes a template that describes what is being exported in the export data sets; a matching ID number is then used to associate templates with the data records.
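To make the template mechanism concrete, the following Python code (an added example, not Cisco's exporter or collector code) builds a constructed Version 9 export packet containing a template FlowSet followed by a data FlowSet, and decodes the data records using nothing but the template. The field type numbers come from the NetFlow v9 field table (RFC 3954); the addresses, ports and counters are made up.

```python
"""Decode a NetFlow Version 9 export packet: template FlowSet first, then data.

Added example (not Cisco code). It builds a v9 packet the way an exporter would
(20-byte header, a template FlowSet with ID 0, then a data FlowSet whose ID is
the template ID) and decodes it using only the template. Packet contents are
constructed; field type numbers are from the NetFlow v9 field table (RFC 3954).
"""
import socket
import struct

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 7: "l4_src_port",
               8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
IPV4_FIELDS = {8, 12}

def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Parse one export packet. templates is a dict, updated in place, of
    (source_id, template_id) -> [(field_type, length), ...]. Returns decoded records.
    Data for a template not yet seen is skipped, which is why a collector must
    cache templates across packets (the exporter resends them periodically)."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")   # would otherwise loop forever
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                               # data FlowSet
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                continue
            rec_len = sum(length for _, length in tmpl)
            p = 0
            while p + rec_len <= len(body):              # trailing bytes are padding
                rec, q = {}, p
                for ftype, length in tmpl:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[q:q + length])
                    q += length
                records.append(rec)
                p += rec_len
        # fs_id 1 is an options template; not handled in this example
    return records

def build_sample_packet():
    """Constructed export: template 256 with nine fields, then two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (1, 4), (2, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def rec(src, dst, sport, dport, proto, tos, ifidx, nbytes, npkts):
        return (socket.inet_aton(src) + socket.inet_aton(dst) +
                struct.pack("!HHBBHII", sport, dport, proto, tos, ifidx, nbytes, npkts))
    data = rec("10.1.1.5", "10.1.2.10", 51000, 443, 6, 0, 1, 6000, 4) + \
           rec("203.0.113.9", "10.1.2.10", 44000, 22, 6, 0, 2, 60, 1)
    pad = b"\x00" * ((4 - len(data) % 4) % 4)
    data_fs = struct.pack("!HH", 256, 4 + len(data) + len(pad)) + data + pad

    header = struct.pack("!HHIIII", 9, 2, 123456, 1200000000, 1, 42)   # count = 2, source ID 42
    return header + template_fs + data_fs

if __name__ == "__main__":
    templates = {}
    for r in parse_v9(build_sample_packet(), templates):
        print(r)
```

Feeding the data FlowSet alone to a parser with an empty template cache yields no records, which is the practical consequence of the template design: a collector started after the last template refresh decodes nothing until the exporter's next template export arrives.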

Flexibility: Network managers can configure which key and nonkey fields define each flow. This helps optimize the network infrastructure while reducing costs and improving capacity planning and security detection.

Deployment of NetFlow: A number of Cisco NetFlow products exist, with solutions available on both Windows and Linux platforms. Deployments vary: smaller deployments use a single server for both reporting and collecting, whereas large-scale deployments often use a two-tier architecture with collectors at key sites.


Figure 12-1: NetFlow Monitoring. Branch offices, teleworkers, and the data center exchange IP traffic across the wide area network, with NetFlow monitoring collected from the WAN.


Network Based Application Recognition

NBAR provides organizations with a means of traffic classification. By adding classification to the network, it delivers more granular identification of, and control over, multiple applications that common quality of service (QoS) mechanisms cannot differentiate.

Characteristics of NBAR:

n Provides full-packet inspection to identify traffic types

n Discovers application protocol statistics on interfaces

n Enables application of QoS policies to traffic flows

The following classification methods are used to identify more than 90 applications and protocols:

n Statically assigned TCP and UDP port numbers

n Dynamically assigned TCP and UDP port numbers

n Sub-port and deep inspection

n Native and nonnative Protocol Description Language Modules (PDLM)

Per-protocol statistics: NBAR Protocol Discovery identifies any protocol traffic supported by NBAR and maintains per-protocol statistics for enabled interfaces with regard to the following:

n Total number of input packets and bytes

n Total number of output packets and bytes

n Input bit rates

n Output bit rates


Cisco IOS AutoQoS and NBAR: There are two types of AutoQoS. AutoQoS for VoIP creates predefined policy maps for voice traffic, whereas AutoQoS Enterprise uses NBAR discovery mode to gather traffic statistics and then creates a policy map based on the traffic that was detected, with suggested bandwidth settings per class.

Overview of IP SLA

A service level agreement (SLA) is used by organizations to specify connectivity and performance levels for an end-user service from a provider of that service. The SLA is a contract between the network provider and its customers, or internally between the department responsible for the network and internal corporate customers.

Benefits of service level agreements include the following:

n Guarantee regarding service level

n Connectivity and performance are specified with regard to end-user service

n Helps support isolation of problems and network planning

Cisco IOS IP SLA

Cisco IOS IP SLA, formerly known as the Service Assurance Agent (SAA) and before that as the Response Time Reporter (RTR), provides measurements that address a number of functions:

n VoIP, video, and VPN network monitoring

n SLA monitoring

n Edge-to-edge network-availability monitoring

n Network performance monitoring and network performance visibility

n IP service network health readiness or assessment


n Troubleshooting network operation

n Multiprotocol Label Switching (MPLS) network monitoring

Embedded Cisco IOS IP SLA measurements on Cisco network equipment can verify service agreements, validate network performance, improve network reliability, and proactively identify network issues; they can also react to performance metrics with changes to both configuration and network.

Understanding IP SLA Operations

An IP SLA operation is a measurement defined by its protocol, frequency, traps, and thresholds. Operations fall into two classes: those that require the IP SLA Responder component to be running on the target device, and those that do not.


Figure 12-2: IP SLA with Responder. Control phase: the IP SLA source sends a control message over UDP port 1967 asking the responder to open a test port (UDP port 2020 in the figure); the responder starts listening on that port and replies that it is ready. Probing phase: the source sends its test packets to UDP port 2020, then a final control message tells the responder to stop listening.


IP SLA source: The device that generates the traffic for an operation. The source is a Cisco IOS Software device and stores the results in its MIB (CISCO-RTTMON-MIB); the target of the operation may or may not be a Cisco IOS Software device.

Active measurement: In contrast to NetFlow, which passively monitors the network, Cisco IOS IP SLA measurements actively send data across the network to measure performance between multiple network locations, on a hop-by-hop basis or across end-to-end network paths.
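The following Python model is an added example (not Cisco's IP SLA implementation) of what an operation is in practice: a protocol and target, a frequency, thresholds, and the traps raised when a measurement crosses one. The network is stood in for by probe functions that return round-trip times, so nothing is sent on the wire; UDP port 1967 is the real IP SLA control port, the test port 2020 follows Figure 12-2, and the RTT, loss and jitter figures are constructed.

```python
"""Model of an IP SLA UDP jitter operation: protocol, frequency, threshold, trap.

Added example (not Cisco code). The network is simulated by a probe function that
returns per-packet round-trip times in ms (None = lost), so this runs offline.
The statistics are those a UDP jitter operation reports (RTT, loss, jitter) and
the reaction logic shows how an operation raises a trap when a measurement
crosses its configured threshold. All figures below are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class JitterOperation:
    """One operation as the text defines it: protocol, frequency, thresholds, traps."""
    target: str
    dest_port: int = 2020            # port the responder is asked to open (Figure 12-2)
    control_port: int = 1967         # IP SLA control channel, UDP
    packets: int = 10                # probes per run
    frequency_s: int = 60            # how often the operation runs
    rtt_threshold_ms: float = 150.0  # one example: the G.114 one-way delay guideline
    loss_threshold_pct: float = 1.0
    jitter_threshold_ms: float = 30.0
    traps: list = field(default_factory=list)

    def run(self, probe, now_s=0.0):
        """Execute one cycle. probe(target, port, n) -> list of RTTs in ms (None = lost).
        Returns the measurement and appends a trap for each crossed threshold."""
        rtts = probe(self.target, self.dest_port, self.packets)
        received = [r for r in rtts if r is not None]
        loss_pct = 100.0 * (len(rtts) - len(received)) / len(rtts)
        # Jitter as mean inter-packet RTT variation, the figure a VoWLAN designer watches.
        jitter = mean(abs(a - b) for a, b in zip(received, received[1:])) if len(received) > 1 else 0.0
        result = {
            "time": now_s, "target": self.target, "sent": len(rtts),
            "received": len(received), "loss_pct": loss_pct,
            "rtt_avg_ms": mean(received) if received else None,
            "rtt_max_ms": max(received) if received else None,
            "jitter_ms": jitter,
        }
        self._react(result)
        return result

    def _react(self, r):
        checks = [
            ("rtt", r["rtt_avg_ms"], self.rtt_threshold_ms),
            ("packet-loss", r["loss_pct"], self.loss_threshold_pct),
            ("jitter", r["jitter_ms"], self.jitter_threshold_ms),
        ]
        for name, value, limit in checks:
            # A run with every probe lost has no RTT at all; treat that as a violation too.
            if value is None or value > limit:
                self.traps.append({"time": r["time"], "target": self.target,
                                   "metric": name, "value": value, "threshold": limit})

def schedule(op, probe, cycles):
    """Run the operation at its configured frequency for a number of cycles."""
    return [op.run(probe, now_s=i * op.frequency_s) for i in range(cycles)]

# Constructed network behaviour: healthy, then congested, then a partial outage.
def healthy(target, port, n):
    return [20.0 + (i % 3) for i in range(n)]

def congested(target, port, n):
    return [130.0 + 60.0 * (i % 2) for i in range(n)]     # 130/190 ms alternating

def lossy(target, port, n):
    return [25.0 if i % 4 else None for i in range(n)]     # every fourth probe lost

if __name__ == "__main__":
    op = JitterOperation("10.1.2.10")
    for probe in (healthy, congested, lossy):
        print(op.run(probe))
    for t in op.traps:
        print("TRAP", t)
```

The congested run trips both the RTT and the jitter thresholds from the same set of probes, and the lossy run trips only the loss threshold; a real deployment would forward those traps over SNMP and, as the text notes, could react by changing configuration.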

Deploying IP SLA: To deploy IP SLA effectively, consider processing power, particularly when a large amount of switched traffic passes through an IP SLA source. To assist with this, shadow routers can be dedicated to sourcing Cisco IOS IP SLA operations. A dedicated (shadow) router has a number of advantages:

n Separate memory and CPU from hardware in switching path

n Easy upgrade of Cisco IOS Software release on the dedicated router

n Flexibility of management and deployment

n Scalability with a large number of endpoints

If you are working with a large number of sites, a hierarchical strategy might be needed for IP SLA enterprise monitoring.

IP SLA Measurements and Network Management Applications

Cisco IOS IP SLA is supported by a number of vendors in addition to Cisco's own applications. Vendors such as HP, IBM, and Agilent Technologies, among others, work with Cisco IOS IP SLA. Cisco's own CiscoWorks Internetwork Performance Monitor application measures network performance based on the traffic-generation technology within Cisco IOS IP SLA.


When selecting a network management application, you must consider three main things:

n How the application supports provisioning IP SLA operations

n How the network management application supports reporting on IP SLA operations

n Whether the tool supports aggregation of hierarchical measurements for a more scalable set of measurements
