Cisco SMART Designs: Small Business Network Foundation

Small Business Technical Marketing, December 2012

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


Reduce Costs

Flexible ways of working boost productivity

Focus on New Opportunities

Real-time access to mission-critical information, operational efficiencies

Improve Effectiveness of Sales

Richer connectivity, stronger relationships

• Improve operational efficiency

Provide access to real-time business information

• Enhance employee and partner collaboration

Enhance customer responsiveness

Give service agents real-time access to customer information

Provide customers with intuitive self-service options

• Protect sensitive information

Secure customer information

Identify, prevent, and adapt to security threats

• Keep costs low and returns high

Simplify and accelerate deployment of network devices and intelligent features

Simplify troubleshooting and management of network


SBNF provides a secure and flexible network infrastructure to deploy other services:

• Cisco Unified Communications

IP telephony and related voice services

SBNF is designed for seamless addition of Cisco Unified Communications

• Wireless LAN

Integrated in the SBNF solution

Optionally, can be deployed later

• Other business-specific applications

Built on top of the SBNF network infrastructure, along with Cisco Unified Communications and wireless LAN

• Network infrastructure that helps meet today’s business challenges

• Four types of offices and workers covered in the designs

Main office

Primary location, provides most of the shared data resources (files, databases, business servers, web servers, and e-mail servers) as well as centralized networking resources

Remote office

Offices other than the main office are called remote offices

Home office

A home office is located at an employee’s residence

Mobile worker

An employee who securely accesses the main office through the Internet by establishing a VPN connection from a laptop or other device

• Based on Cisco Small Business Series products

• Covers wired and wireless LAN deployment options

• Ideal for price-sensitive customers who need full support of potentially multiple business locations

• Supports up to 100 users and 5 remote offices

• Fast Ethernet and Gigabit Ethernet support with PoE and non-PoE options

• Security appliance to protect the network from viruses, spyware, and unwanted Internet content

• Dual WAN option for redundant connectivity

• Simple GUI-based deployment

| Feature | Small Business Network Foundation (SBNF) | Secure Network Foundation (SNF) | Advanced Secure Network Foundation (ADVSNF) |
|---|---|---|---|
| Scalability | Up to 100 users, 5 remote offices | Up to 100 users, 5 remote offices | Up to 250 users, 20 remote offices |
| Network products used | Small Business Series products | Cisco Catalyst 2960, 3560/3560-X, 3750/3750-X switches, Cisco 800/1900/2900/3900 ISRs | Cisco Catalyst 2960, 3560/3560-X, 3750/3750-X switches, Cisco 800/1900/2900/3900 ISRs, Cisco ASA 5500 Series |
| Business locations served | Main Office, Remote Office, Home Office, and Mobile Worker | Main Office, Remote Office, Home Office, and Mobile Worker | Main Office, Remote Office, Home Office, and Mobile Worker |
| Security | On WAN router | On WAN router | Integrated security or dedicated security appliance |
| VPN | Site-to-site IPsec, SSL VPN | Site-to-site IPsec VPN, IPsec/GRE, Easy VPN, SSL VPN | DMVPN, Easy VPN, SSL VPN |
| LAN high availability using switch stacks | No | Yes | Yes |
| Dual WAN links option for load sharing, failover | Yes | Yes | Yes |
| Dual WAN routers for load sharing, high availability | No | No | Yes |
| Dual security appliances for high availability | n/a | n/a | Yes (optional) |
| Wireless LAN | Part of SBNF design | Deploy WLAN solutions (on SNF/ADVSNF infrastructure) | Deploy WLAN solutions (on SNF/ADVSNF infrastructure) |

Cisco Small Business 500 Series Switches

• Especially built for small businesses

• 8 to 50 port Fast Ethernet/Gigabit Ethernet switches

• PoE and non-PoE options

• QoS to prioritize delay-sensitive and high-bandwidth network traffic

• Stacking, for high availability

Basic and enhanced security

• IEEE 802.1x port security, ACLs, and several other security features like port security, BPDU guard, and storm control

Comprehensive ease-of-use capabilities

• GUI-based management

• Static SmartPort and Auto SmartPort

Cisco ISA 500 Series Router

• Router with integrated security appliance, Gigabit LAN switch, and Wireless LAN Access Point

• Options for dual WAN ports, up to 4 DMZ ports, and up to 5 LAN ports (depending on model)

• Gigabit Ethernet WAN port

Supports xDSL, cable, ISDN, DSL over ISDN, etc.

• An integrated business-class firewall

• Cisco Unified Threat Management (UTM)

Cloud-based advanced security services: filtering based on Web reputation and/or Network reputation, Spam filtering, Web URL filtering

Signature-based advanced security services: Anti-virus, Application Control, and Intrusion Prevention

• Multiple VPN options

Site-to-Site IPsec VPN, Remote IPsec VPN, SSL VPN, Easy VPN

• Integrated WLAN, with Captive Portal

• Integrated switch in the WAN router

Suitable for small deployments when the router has enough ports to connect all user devices

• Single external switch

Suitable for deployments when a single switch has enough ports to connect all user/network devices

• Multiple switches

Traffic from multiple access switches is aggregated by an aggregation switch

Higher LAN scalability and performance

Reduces cabling if users are located in different areas of the office

Enables the router to focus on secure routing functions

• Stacked switch (aggregation and/or access)

Increases high availability in LAN

Minimizes network administration of multiple (stacked) switches

• Rapid Spanning Tree Protocol

Fast recovery from LAN loops caused by link failures or connection mistakes

• Separate VLANs for different traffic types help traffic isolation and security

Data

Voice

DMZ

Other deployment-specific VLANs can be added

• Layer 2 switching by all switches

• Automatic detection of Cisco IP phones


• Stacked aggregation switch (optional)

Stacked switches act like a single switch, which reduces management effort

Stacked aggregation switch connected to, access switches, and servers

Improved LAN high availability: No LAN traffic disruption if a stacked switch fails or if an Ethernet link of the EtherChannel fails

• Stacked access switch (optional)


• Simplicity: Single WAN Link

Use the dedicated 10/100/1000 WAN interface

• Dual WAN Links

Use the dedicated 10/100/1000 WAN interface as the primary link

Use an additional 10/100/1000 configurable port as a load-sharing backup WAN link

• Up to 4 DMZ links

Configure up to 4 configurable 10/100/1000 ports as DMZ ports

• Remote Office Connectivity

Traffic is forwarded through a secure tunnel

• ISA500 Security Appliance integrates WAN security

• Network Infrastructure Protection

Prevents unauthorized access to network devices

• Demilitarized Zone (DMZ)

Isolates publicly accessible servers in the network for security purposes

• Firewall protection

Prevents unauthorized access to network-connected devices

Helps maximize network uptime by mitigating DoS attacks

• LAN Security

Helps protect against threats from inside the network

Port Security – limits the number of end user devices that can be connected to a switch port

BPDU Guard – prevents a malicious user from attaching real or simulated switches to the LAN

Storm Control – limits the effect of broadcast, multicast, or unknown unicast traffic storms in the LAN

802.1x Authenticated Access – only authenticated users are connected to the LAN (Optional)

IP Source Guard and Dynamic ARP Inspection – to ensure that only valid users are sending traffic to the LAN (Optional)

• Cisco Unified Threat Management (UTM)

Cloud-based security services that scan traffic to/from the small business network

Based on a global database that is constantly updated by analyzing worldwide network traffic

Effective protection from known and new threats

Simplifies security administration

• UTM - Signature Based Security

Signatures can be auto-downloaded

Anti-Virus - prevents network threats over a multitude of protocols, including HTTP, FTP, POP3, SMTP, CIFS, NETBIOS, and IMAP.

Application Control - monitors and controls the use of applications on your network: instant messaging, P2P, file transfer, games, etc.

Intrusion Prevention (IPS) - monitors network traffic for malicious or unwanted behaviors and can react, in real time, to block or prevent those activities.

• UTM - Reputation Based Security

Spam Filter - drops or tags e-mails as spam, based on their reputation score

Network Reputation - blocks incoming traffic from IP addresses that are known to initiate attacks throughout the Internet.

Web Reputation Filtering - prevents client devices from accessing dangerous websites containing viruses, spyware, malware, or phishing links.

Web URL Filtering - allows you to block HTTP access to malicious websites based on URL categories.

• Network congestion in the WAN devices/links (also in LAN) results in packet drop, delay, and jitter

Affects voice and video applications

Business quality voice requires:

End-to-end delay of 150 msec (G.114)

Jitter < 30 msec recommended by Cisco

• QoS classifies traffic of various applications and treats them differently depending on application needs

• Priority treatment for delay-sensitive traffic (voice)

• Ensures minimum bandwidth guarantee to other classes of traffic

• SBNF enables QoS on each network device (WAN and LAN)

• Remote office and Home Office

Each remote office is connected to the main office by IPsec site-to-site VPN

VPN maintains data integrity and confidentiality

AES with 256 bit or higher (3DES if AES is not feasible)

Hash: SHA-1

Authentication: pre-shared keys

DH group 2

Encapsulation: ESP

• Home Office

Remote IPSec VPN, SSL VPN (AnyConnect)

• Mobile Worker

SSL VPN (AnyConnect) on laptop

Traffic is encrypted and routed through the Internet

Main office router acts as the VPN gateway

Wireless LAN, as part of SBNF, can be built seamlessly over SBNF wired infrastructure

• Uses small business specific wireless products

• Covers main office, remote office, home office

• Supports data and voice

• Wireless router with integrated access point (AP)

Ideal for small deployments when the router’s area of wireless coverage is sufficient

• Multiple APs are used for larger area of wireless coverage

External APs can work with the AP integrated with a wireless router

• Provides QoS and security relevant for wireless networks


• Most cost-effective and simplest WLAN deployment for a small office

• Can work independently or with external APs

• Guest access support, with captive portal

Redirects unauthenticated users to a portal for authentication

• Roaming supported among external APs (if RF coverage is adequate)

• Security

First line of defense is encryption: WPA2 with AES

Appropriate level of authentication per business requirements

• QoS: Wi-Fi Multimedia (WMM)

Prioritizes traffic into four traffic classes

Provides each traffic class with its traffic priority or required minimum bandwidth guarantees

• Suitable for small deployments

• Cost effective, no WLAN controller

• Multiple APs placed in coverage area

• Router may have an integrated AP as well

• All standalone AP deployments use single data VLAN (and single voice VLAN)

• Supports wireless QoS and security

• Layer 2 roaming is supported if RF coverage is adequate


• Layer 2 roaming: a wireless LAN device physically moves so that its radio associates with a different AP with a stronger signal

• Layer 2 roaming requires each AP to have identical configuration (SSID, VLAN, security)

• Wireless LAN client VLAN / IP address remains valid across the APs while roaming

Wireless cells should overlap

Wireless IP client re-authenticates every time it connects to a different AP (when it roams)

Roaming delay is not a big problem for data applications

Business quality voice needs delays of less than 150 ms end-to-end

• Allows several standalone APs to be clustered for management purposes

• Configuring any AP in a cluster replicates the configuration to other APs

• Helps mitigate effort to manage multiple APs

• Available only on standalone AP 541N

• All APs participating in a cluster are configured to have the same parameters:

Wireless network identifier (SSIDs)

Security features

User names and passwords

Traffic priorities (for QoS)

Radio settings

Wireless interface settings
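
Added example (not part of the original Cisco deck): a Python check for the requirement in the Layer 2 roaming and AP clustering slides above that every AP carry the same SSID, VLAN and security settings. The AP names, field names and the "WPA2-AES" label are constructed for illustration.

```python
from collections import Counter

# Fields the roaming slide says must be identical on every AP.
ROAMING_FIELDS = ("ssid", "vlan", "security")

# Constructed sample inventory (hypothetical AP names and values).
SAMPLE_APS = {
    "ap-lobby":   {"ssid": "corp-data", "vlan": 10, "security": "WPA2-AES"},
    "ap-floor1":  {"ssid": "corp-data", "vlan": 10, "security": "WPA2-AES"},
    "ap-floor2":  {"ssid": "corp-data", "vlan": 10, "security": "WPA-TKIP"},
    "ap-storage": {"ssid": "corp-data", "vlan": 20, "security": "WPA2-AES"},
}


def baseline(aps):
    """Most common value of each field, used as the reference configuration."""
    return {
        field: Counter(cfg.get(field) for cfg in aps.values()).most_common(1)[0][0]
        for field in ROAMING_FIELDS
    }


def find_drift(aps):
    """Return {ap: {field: (found, expected)}} for APs that differ from the baseline.

    A field missing from an AP's record is reported as found=None.
    """
    ref = baseline(aps)
    drift = {}
    for name, cfg in sorted(aps.items()):
        diffs = {
            field: (cfg.get(field), ref[field])
            for field in ROAMING_FIELDS
            if cfg.get(field) != ref[field]
        }
        if diffs:
            drift[name] = diffs
    return drift


def weak_encryption(aps, required="WPA2-AES"):
    """APs whose security setting is not the WPA2-with-AES the deck calls for."""
    return sorted(n for n, cfg in aps.items() if cfg.get("security") != required)


if __name__ == "__main__":
    for ap, diffs in find_drift(SAMPLE_APS).items():
        print(ap, diffs)
    print("not WPA2-AES:", weak_encryption(SAMPLE_APS))
```

An AP that drifts on VLAN breaks roaming, while one that drifts on security also weakens the WLAN, so the two checks are reported separately.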


• Lower total cost of ownership

• Enhanced business performance

Profit-line benefits from operational efficiency and minimal downtime

More responsive and personalized customer relationships

Increased system performance and security

• Faster business evolution

Longer lifecycle for technology investments

Spend more time managing business and less time managing technology

Employees are more productive and happy

• Smart business roadmap

Right choice for today and right choice for tomorrow

Pre-sales assets

• Solution bill of materials and product selection guide

• Solution profile

• Overview presentation

Post-sales deployment assets

• Design guide

• Device role configuration guides

• Implementation guide

• Application notes

www.cisco.com/go/smartdesigns/sbnf


Thank you.