0% found this document useful (0 votes)

256 views650 pages

Ccda Slides

Uploaded by

Elias Leonardo Rocko

Available Formats

Download as PDF, TXT or read online on Scribd

Download as pdf or txt

0% found this document useful (0 votes)

256 views650 pages

Ccda Slides

Uploaded by

Elias Leonardo Rocko

Available Formats

Download as PDF, TXT or read online on Scribd

Download as pdf or txt

You are on page 1/ 650

www.CareerCert.

info

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-1

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

www.CareerCert.info

Course Introduction

Designing for Cisco Internetwork Solutions v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-2

www.CareerCert.info

Learner Skills and Knowledge

Prerequisite skills and knowledge Cisco CCNA certification Recommended training Introduction to Cisco Network Technologies Recommended training Interconnecting Cisco Network Devices Building Cisco Multilayer Switched Networks level knowledge of wireless and QoS topics Recommended training Building Cisco Multilayer Switched Networks Practical experience with deploying and operating networks based on Cisco network devices and Cisco IOS Software

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-3

www.CareerCert.info

Course Goal
To enable learners to gather customer internetworking
requirements, identify solutions, and design the network infrastructure and services to ensure the basic functionality of the proposed solutions

Designing for Cisco Internetwork Solutions v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-4

www.CareerCert.info

Course Flow
Day 1
Course Introduction

Day 2

Day 3

Day 4

Day 5
Implementing and Operating the Network

A M

Applying a Methodology to Network Design

Designing Basic Campus and Data Center Networks

Designing IP Addressing and Selecting Routing Protocols

Identifying Voice Networking Considerations

Final Case Study

Lunch
Final Case Study

P M

Structuring and Modularizing the Network

Designing Remote Connectivity

Evaluating Security Identifying Wireless Networking Solutions for the Considerations Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-5

www.CareerCert.info

Cisco Icons and Symbols

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-6

www.CareerCert.info

Cisco Icons and Symbols (Cont.)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-7

www.CareerCert.info

Cisco Certifications

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-8

www.CareerCert.info

Cisco Career Certifications

DESGNCertification for associate-level recognition in network design

CCDE

Expert

Required Exam
640-863 DESGN

Recommended Training Through Cisco Learning Partners

Designing for Cisco Internetwork Solutions Building Cisco Multilayer Switched Networks

CCDP

Professional

CCDA

Associate

640-801 CCNA

Interconnecting Cisco Network Devices Introduction to Cisco Network Technologies

http://www.cisco.com/go/certifications

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-9

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-10

www.CareerCert.info

Applying a Methodology to Network Design

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-1

www.CareerCert.info

Applying a Methodology to Network Design

Introducing the Cisco Service-Oriented Network Architecture

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-1

www.CareerCert.info

Growth of Applications
Business Intelligence Telephony EDI Partners Compression Custom Protocol Web Service Mobile Services

Business-toASP Business Links

Business Rules

Field Organizations Message Broker Data Center Transformation .Net ESB Database Lookup

Branch Offices
Business-toBusiness Gateway

Load Balancing Extranet

Distribution Security

Standards

MQ Series

J2EE

Legacy Applications

EAI

Compliance Logging

Event Capture

Remote Environments

Adapters

RFID

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-2

www.CareerCert.info

IT Evolution From Connectivity to Intelligent Systems

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-3

www.CareerCert.info

New Business Requirements

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-4

www.CareerCert.info

Intelligence in the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-5

www.CareerCert.info

Cisco Service-Oriented Network Architecture Framework

SONA is an architectural framework. SONA brings several advantages to enterprises: Outlines how enterprises can evolve toward a more intelligent network Illustrates how to build integrated systems across a fully converged intelligent infrastructure Improves flexibility and increases efficiency

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-6

www.CareerCert.info

Cisco SONA Layers

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-7

www.CareerCert.info

Overview of Cisco SONA Offerings

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-8

www.CareerCert.info

Benefits of SONA
Description Functionality Scalability Availability Performance Manageability Efficiency Supports organizational requirements Supports growth and expansion of organizational tasks Provides necessary services reliably, anywhere, anytime Provides responsiveness, throughput, and utilization on a per-application basis Provides control, performance monitoring, and fault detection Provides network services with reasonable operational costs and appropriate capital investment

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-9

www.CareerCert.info

Summary
Drivers for a new network architecture include these factors: Growth of applications IT evolution from connectivity to intelligent systems Increased business expectations for networks Ciscos vision of intelligence in the network aligns network and business requirements in three phases: Phase 1 is integrated transport. Phase 2 is integrated services. Phase 3 is integrated applications. Cisco SONA is the enterprise framework for building intelligence in the network: Layer 1 is the integrated infrastructure layer. Layer 2 is the interactive services layer. Layer 3 is the application layer.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.01-10

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-11

www.CareerCert.info

Identifying Design Requirements

Applying a Methodology to Network Design

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-1

www.CareerCert.info

PPDIOO Network Life-Cycle Approach

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-2

www.CareerCert.info

Benefits of the Life-Cycle Approach

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-3

www.CareerCert.info

Design Methodology Under PPDIOO

Three steps in the design methodology:
1. Identify the customer requirements. 2. Characterize the existing network and sites. 3. Design the topology and network solutions.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-4

www.CareerCert.info

Identifying Customer Requirements

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-5

www.CareerCert.info

Identifying Planned Applications

Application Type Application Criticality (Critical/Important/ Unimportant) Comments

E-mail Groupware Web browsing Video on demand Database Customer support

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-6

www.CareerCert.info

Example: Planned Applications

Application Type Application Criticality (critical/important/ unimportant) Important We need to be able to share presentations and applications during remote meetings. Comments

E-mail

Microsoft Outlook Cisco Unified MeetingPlace Microsoft Internet Explorer, Opera, Netscape IP/TV Oracle Customer applications

Groupware

Important

Web browsing

Important

Video on demand Database Customer support

Critical Critical Critical

DESGN v2.01-7

All data storage will be based on Oracle.

www.CareerCert.info

Identifying Planned Infrastructure Services

Service Security QoS Network management High availability IP telephony Mobility Comments

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-8

www.CareerCert.info

Example: Planned Infrastructure Services

Service Security QoS Network management High availability IP telephony Mobility Comments Deploy security systematically, including firewalls, intrusion detection systems (IOSs), and access control lists (ACLs) Give priority to delay-sensitive voice traffic and other important traffic Use centralized management tools where appropriate and point product management as required Eliminate single points of failure and use redundant paths as needed Want to migrate company from regular telephony Need client laptop guest access along with mobility of employee PCs

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-9

www.CareerCert.info

Identifying Organizational Goals

Organizational Goal Increase competitiveness Reduce costs Improve customer support Add new customer services Gathered Data List competitive organizations and their abilities List current expenses List current customer support List current customer services Comments Point out possibilities to increase competitiveness Point out cost-reduction possibilities Point out possible steps to improve customer support List future desired services

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-10

www.CareerCert.info

Example: Organizational Goals

Organizational Goal Increase competitiveness Gathered Data (Existing Situation) Corporation Y, Corporation Z Enter data multiple times; time-consuming tasks Order tracking and technical support supported by individuals Telephone and fax orders; telephone and fax confirmation Comments Better products Reduce costs Single data-entry point Easy-to-learn application Simple data exchange Web-based order tracking Web-based customer technical support tools Secure web-based ordering Secure web-based confirmations

Reduce costs

Improve customer support

Add new customer services

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-11

www.CareerCert.info

Assessing Organizational Constraints

Organizational Constraint Gathered Data Comments Identify the amount of money the organization is willing to spend Specify the number of network engineers who have to attend the additional training Determine if the organization is willing to buy equipment from new vendor Use tools for resource assignment, milestones, criticalpath analysis

Budget

Amount of money to spend

Personnel

List available personnel and their expertise List preferred standards, protocols, vendors, applications

Policy

Scheduling

Specify time frame

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-12

www.CareerCert.info

Example: Organizational Constraints

Organizational Constraint Budget Gathered Data (Existing Situation) $650,000 Engineers with Cisco CCNA certificates and Cisco CCNP certificates Prefers single vendor and standardized protocols Plans to introduce new applications in the next nine months Comments Budget can be extended by maximum $78,000 Plans to hire new engineers in the network department; need technical development plan Current equipmentCisco; prefers to stay with it New applications include video conferencing, groupware, and IP telephony

Personnel

Policy

Scheduling

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-13

www.CareerCert.info

Identifying Technical Goals

Technical Goals Responsiveness and throughput Availability Manageability Security Adaptability Scalability Total
2007 Cisco Systems, Inc. All rights reserved.

Importance

Comments

100
DESGN v2.01-14

www.CareerCert.info

Example: Technical Goals

Technical Goals Performance Availability Manageability Security Adaptability Scalability Total
2007 Cisco Systems, Inc. All rights reserved.

Importance 20 25 5 15 10 25 100

Comments Important of the central site, less important in branch offices Should be 99.9 percent

Security for critical data transactions is extremely important

Scalability is critical

DESGN v2.01-15

www.CareerCert.info

Example: Technical Constraints

Technical Constraints Gathered Data Comments Replace existing coaxial cabling. Use twisted-pair to desktop and fiber optics for uplinks and in the backbone. Upgrade speeds; consider another service provider with additional services to offer. Make sure new network equipment supports IPv6.

Existing wiring

Coaxial cabling

Bandwidth availability

64-kbps WAN links

Application compatibility

IPv6 based applications

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-16

www.CareerCert.info

Summary
The PPDIOO approach reflects the life cycle phases of a standard network. The design methodology under PPDIOO includes these processes: Identifying customer requirements Characterizing the existing network and sites Designing the network topology and solutions Key steps in identifying customer requirements include these: Identifying network applications and services Defining organizational goals and constraints Defining technical goals and constraints

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-17

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-18

www.CareerCert.info

Characterizing the Existing Network and Sites

Applying a Methodology to Network Design

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-1

www.CareerCert.info

Characterizing the Existing Network and Sites

Gather documentation and query the organization. Perform a site and network assessment to help detail the network. Consider performing traffic analysis on the existing network and applications.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-2

www.CareerCert.info

Identifying Major Features of the Network

Collect the information about the planned and existing network infrastructure: Site contact information Network topology such as network devices, physical and logical links, external connections, encapsulations, bandwidths, IP addressing, routing protocols Network services such as security, QoS, high availability, IP telephony, storage, and wireless Network applications such as unified communications and video delivery Collect the information about expected network functionality. Identify network modules based on the given information.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-3

www.CareerCert.info

Sample Site Contact Questions

What is the site location or name? What is the site address? What is the shipping address? Who is the site contact? Is this site owned and maintained by the customer? Is this a staffed site? What are the hours of operation? What are the building or room access procedures? Are there any special security or safety procedures? Are there any union or labor requirements or procedures? What are the locations of the equipment cabinets and racks?

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-4

www.CareerCert.info

Example: Customer Network Diagram

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-5

www.CareerCert.info

Network Assessment Information Sources

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-6

www.CareerCert.info

Example: Network Assessment

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-7

www.CareerCert.info

Network Assessment Tools

Manual assessment: Use monitoring commands on network devices on small networks. Use scripting tools to collect information on large networks. Use existing management and auditing tools: CiscoWorks Third-party tools such as WhatsUp Gold, Castle Rock SNMPc, open source Cacti, Netcordia NetMRI, and NetQoS NetVoyant Use other tools to collect relevant information for the network devices: Third-party tools such as Network General Sniffer, AirMagnet software and devices, and WildPackets AiroPeek

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-8

www.CareerCert.info

Commands for Manual Information Collection

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-9

www.CareerCert.info

Example: Manual Information CollectionRouter CPU Utilization

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-10

www.CareerCert.info

Example: Manual Information CollectionRouter Memory Utilization

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-11

www.CareerCert.info

Example: Automatic Information CollectionCacti Device List

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-12

www.CareerCert.info

Example: Automatic Information CollectionNetMRI Inventory

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-13

www.CareerCert.info

Network Traffic Analysis

Use organizational input to identify the applications used in the existing network and their relative importance. Perform a traffic analysis to reveal additional applications used in the network. Use the results and organizational input to define QoS and security-related requirements for discovered applications.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-14

www.CareerCert.info

Steps in Analyzing Network Traffic

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-15

www.CareerCert.info

Example: Traffic Analysis

Application No. 8:
Description: Protocol: Servers: Clients: Scope: Importance: Average rate: Mbps Accounting software TCP port 5151 2 50 Campus High 50 kbps with 10-second bursts to 1

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-16

www.CareerCert.info

Network Analysis Tools

Cisco IOS Software analysis capabilities: NBAR NetFlow Cisco software-based network analyzers: Cisco CNS NetFlow Collection Engine Third-party tools, such as: Open source Cacti Network General Sniffer WildPackets EtherPeek and AiroPeek SolarWinds Orion Wireshark RMON probes
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.01-17

www.CareerCert.info

Example: NBAR Printout

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-18

www.CareerCert.info

Example: Cisco IOS NetFlow Printout

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-19

www.CareerCert.info

Example: Cacti Graph

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-20

www.CareerCert.info

Example: Solarwinds Orion

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-21

www.CareerCert.info

Summary Report
Characterization of the existing network results in a summary report that is used to:
Describe the software features required in the network Describe possible problems in the existing network Identify the actions needed to prepare the network for the implementation of the required features Influence the customer requirements

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-22

www.CareerCert.info

Example: Equipment Summary Report

The network uses 895 routers:
655 routers use Cisco IOS Software Release 12.2(10). 240 routers use an older Cisco IOS Software version.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-23

www.CareerCert.info

Example: Summary Report Problem Statement

Requirement: Queuing in the WAN Identified problem: Existing Cisco IOS Software version does not support new queuing technologies. 15 out of 19 routers with older Cisco IOS Software are in the WAN. 12 out of 15 routers do not have enough memory to upgrade to Cisco IOS Software Release 12.3 or later. 5 out of 15 routers do not have enough flash memory to upgrade to Cisco IOS Software Release 12.3 or later.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-24

www.CareerCert.info

Example: Summary Report Recommendations

Recommended action: 12 memory upgrades to 64 MB 5 flash memory upgrades to 16 MB Options: Replace hardware and software to support queuing. Find an alternative mechanism for that part of the network. Find an alternative mechanism and use it instead of queuing. Evaluate the consequences of not implementing the required feature in that part of the network.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-25

www.CareerCert.info

Documenting an Existing Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-26

www.CareerCert.info

Network Characterization Hour Estimates

Small Network
120 Switches/Routers a) Interview management team b) Interview network team c) Review documentation d) Set up network discovery tool e) Resolve SNMP access and similar problems f) Allow tools to gather data g) Analyze captured data h) Prepare high level Layer 3 diagrams i) Prepare report stating conclusions j) Incrementally prepare network diagrams Estimated manpower in hours 4448 8698 132180 288384 4 4 16 8 4 16 16 4 32 16 8 32 24 8 48 24 16 48 40 16 80 40 32 80 4 4 4 4 4 4 4 4 4 4

Medium Network
20200 Switches/Routers 8 6 6 6 8 8 6 6 6 16

Large Network
200800 Switches/Routers 12 8 8 8 16 12 12 12 8 48

Huge Network
>800 Switches/Routers 16 24 16 16 80 16 24 16 16 160

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-27

www.CareerCert.info

Summary
Characterizing an existing network entails gathering as much information about the network as possible. Organization input, a network audit, and traffic analysis provide the key information that you need. Identifying major features of the network involves gathering network documentation and querying the organization. The auditing process adds detail to the initial network documentation that you created from existing documentation and customer input. You can manually audit a small network, but you typically need automated tools to audit a large network. Traffic analysis verifies the set of applications and protocols used in the network and determines the traffic patterns of the applications.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.01-28

www.CareerCert.info

Summary (Cont.)
Tools used for traffic analysis range from manual identification of applications using Cisco IOS Software commands in combination with NBAR or NetFlow to those where dedicated software- or hardware-based analyzers capture live packets or SNMP data. The result of the network characterization is a summary report describing the health of the network.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-29

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-30

www.CareerCert.info

Using the Top-Down Approach to Network Design

Applying a Methodology to Network Design

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-1

www.CareerCert.info

Top-Down Design Practices

Start your design here.

Design down the OSI model.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-2

www.CareerCert.info

Top-Down and Bottom-Up Approach Comparison

Top-Down Approach Incorporates organizational requirements Gives the big picture to organization and designer Bottom-Up Approach Allows a quick response to a design request Facilitates design based on previous experience Implements little or no notion of actual organizational requirements May result in inappropriate network design

Benefits

Disadvantages

Incorporates organizational requirements

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-3

www.CareerCert.info

Example: Top-Down Voice Design

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-4

www.CareerCert.info

Creating a Network Decision Table

Decide which network layer requires decisions. Gather possible options for a given situation. Create a table that includes possible options and given requirements. Match given requirements with specific properties of given options. Select the option with the most matches as the most appropriate one.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-5

www.CareerCert.info

Example: Selecting a Routing Protocol

Options Required Network Parameters Large Yes Yes Yes Good

Parameters Size of Network (Small/Medium/Large/Very Large) Enterprise-Focused (Yes/No) Use of VLSM (Yes/No) Supports Cisco Routers (Yes/No) Network Support Staff Knowledge (Good/Fair/Poor)

EIGRP

OSPF

BGP

Large Yes Yes Yes Good

Large Yes Yes Yes Fair

Very Large No Yes Yes Poor

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-6

www.CareerCert.info

Assessing the Scope of the Network Design Process

Scope of Design Entire network Comments All branch office LANs upgraded to support Fast Ethernet technology Redundant equipment and links Addition of wireless client mobility Solutions to overcome bottlenecks

Campus

WAN

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-7

www.CareerCert.info

Example: Assessing the Scope of the Network Design Process

ApplicationDesigning voice transport NetworkDesigning routing, addressing Physical, data linkChoosing connection type

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-8

www.CareerCert.info

Structured Design Principles

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-9

www.CareerCert.info

Cisco SONA Offerings

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-10

www.CareerCert.info

Network Design Tools

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-11

www.CareerCert.info

Planning an Implementation
If a design is composed of multiple complex components: Implement each component separately; do not implement everything at once. Incremental implementation: Reduces troubleshooting in case of failure Reduces time needed to revert to previous state in case of failure

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-12

www.CareerCert.info

Major Implementation Components

Each step should contain the following information:
Description Reference to design sections Detailed implementation guidelines Detailed roll-back guidelines in case of failure Estimated time for implementation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-13

www.CareerCert.info

Example: Summary Implementation Plan

Date, Time
Phase 3 Step 1 Step 2 Step 3 Step 4 Phase 4 Step 1 Step 2 Step 3 Step 4 Phase 5 Step 1 Step 2 04/05/2007 04/03/2007 04/02/2007

Description
Install campus hardware Connect switches Install routers Complete cabling Verify data link layer Configure campus hardware Configure VLANs Configure IP addressing Configure routing Verify connectivity Launch campus updates into production Complete connections to existing network Verify connectivity

Implementation Details
Section 6.2.3 Section 6.2.3.1 Section 6.2.3.2 Section 6.2.3.3 Section 6.2.3.4 Section 6.2.4 Section 6.2.4.1 Section 6.2.4.2 Section 6.2.4.3 Section 6.2.4.4 Section 6.2.5 Section 6.2.5.1 Section 6.2.5.2

Complete
3 3 3 3 3

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-14

www.CareerCert.info

Example: Detailed Implementation Plan

Section 6.2.7.3, Configure routing protocols in the WAN network module:
Number of routers involved is 50. Use template from section 4.3.1, EIGRP details. Per router configuration: Use passive-interface command on all nonbackbone LANs. (See section 4.2.3, EIGRP details.) Use summarization according to the design. (See section 4.2.3, EIGRP details, and section 4.2.2, Addressing details.) Estimated time is 10 minutes per router. Roll-back procedure is not required.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-15

www.CareerCert.info

Pilot vs. Prototype Networks

The pilot or prototype network is used as proof of concept for the design: A pilot network tests and verifies the design before the network is launched. A prototype network tests and verifies a redesign in an isolated network before it is applied to the existing network. Results: Success Failure

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-16

www.CareerCert.info

Example: Prototype Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-17

www.CareerCert.info

Detailed Structure of a Design Document

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-18

www.CareerCert.info

Summary
Designing an enterprise network is a complex project. Top-down design facilitates the process by dividing it into smaller, more manageable steps. Decision tables facilitate the selection of the most appropriate option from many possibilities. In assessing the scope of a network design, determine whether the design is for a new network or is a modification of the entire network, a single segment or module, a set of LANs, a WAN, or a remote-access network. The output of the design should be a model of the complete system. To achieve this, the top-down approach is highly recommended.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-19

www.CareerCert.info

Summary (Cont.)
When the design is complete, you are ready to document the implementation and migration in as much detail as possible. After a design is complete, you should verify it. You can test the design in an existing or live network (pilot) or in a prototype network that will not affect the existing network. A design document lists the design requirements, documents the existing network, documents the network design, identifies the proof-of-concept strategy, and details an implementation plan.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-20

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-21

www.CareerCert.info

Module Summary
Cisco SONA is the enterprise framework for implementing intelligent networks and maps business requirements to network requirements. The design methodology under PPDIOO includes these tasks: Identifying customer requirements Characterizing the existing network and sites Designing the network topology and solutions The result of network characterization is a summary report describing the health of the network. Top-down design facilitates network design.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-1

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.01-2

www.CareerCert.info

Structuring and Modularizing the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-1

www.CareerCert.info

Designing the Network Hierarchy

Structuring and Modularizing the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-1

www.CareerCert.info

Layers in the Hierarchical Model

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-2

www.CareerCert.info

Example: Hierarchical Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-3

www.CareerCert.info

Access Layer
Concentration point at which clients access the network Layer 2 switching in the access layer: Defines a single broadcast domain Multilayer switching in the campus access layer: Optimally satisfies the needs of a particular user through routing, filtering, authentication, security, or quality of service Multilayer switching in the WAN access layer: Helps control WAN costs using dial-on-demand routing (DDR) and static routing

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-4

www.CareerCert.info

Example: Access Layer Connectivity in the Campus LAN

Workstations are attached to VLANs with Layer 2 switches. Recommended practice: Implement one VLAN (IP subnet) per access switch. Access switches connect Layer 3 links (if only one VLAN per access switch) or via VLAN trunk. If needed, distribution routers route between VLANs.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.02-5

www.CareerCert.info

Distribution Layer
Provides multilayer switching between access and core layers:
Provides media transitions Aggregates bandwidth by concentrating multiple low-speed access links into a high-speed core link Determines department or workgroup access Provides redundant connections for access devices

Implements policy-based decisions:

Filtering by source or destination address Filtering on input or output ports Hiding internal network numbers by route filtering Static routing Security Quality of service mechanisms

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-6

www.CareerCert.info

Example: Distribution Layer in the Routed Campus Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-7

www.CareerCert.info

Core Layer
The function of the core layer is to provide fast and efficent data transport that:
Forms a high-speed backbone with fast transport services Provides redundancy and fault tolerance Offers good manageability

Note: Core layer should avoid packet manipulation for filtering or access list checking.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-8

www.CareerCert.info

Example: Multilayer Switching in the Campus Core

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-9

www.CareerCert.info

Example: Routing in the WAN Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-10

www.CareerCert.info

Summary
The hierarchical network model provides a modular view of a network, making it easier to design and build a network. The purpose of the access layer is to grant end-user access to network resources. The distribution layer provides aggregation for the access layer devices and uplinks to the core layer. It is also used to enforce policy within the network. The core layer provides a high-speed, highly available backbone designed to switch packets as fast as possible.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-11

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-12

www.CareerCert.info

Using a Modular Approach in Network Design

Structuring and Modularizing the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-1

www.CareerCert.info

Service-Oriented Network Architecture

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-2

www.CareerCert.info

Example: Cisco Enterprise Campus Architecture

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-3

www.CareerCert.info

Cisco Enterprise Architecture

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-4

www.CareerCert.info

Example: Dividing the Network into Areas

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-5

www.CareerCert.info

Enterprise Campus Infrastructure Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-6

www.CareerCert.info

Building Access Layer

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-7

www.CareerCert.info

Building Distribution Layer

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-8

www.CareerCert.info

Campus Core Layer

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-9

www.CareerCert.info

Server Farm Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-10

www.CareerCert.info

Enterprise Edge Modules

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-11

www.CareerCert.info

E-Commerce Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-12

www.CareerCert.info

Internet Connectivity Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-13

www.CareerCert.info

Remote Access and VPN Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-14

www.CareerCert.info

WAN and MAN and Site-to-Site VPN Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-15

www.CareerCert.info

Enterprise Edge Guidelines

1. Determine the connectivity needed to the Internet. 2. Create the e-commerce module ID needed. 3. Design the remote access and VPN module if needed. 4. Design the WAN module to support connections to remote enterprise locations if needed.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-16

www.CareerCert.info

Service Provider Modules

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-17

www.CareerCert.info

Enterprise Remote Modules

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-18

www.CareerCert.info

Enterprise Branch Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-19

www.CareerCert.info

Enterprise Data Center Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-20

www.CareerCert.info

Enterprise Teleworker Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-21

www.CareerCert.info

Summary
Based on SONA, the Cisco Enterprise Architecture provides a modular enterprise-wide hierarchical approach for providing network infrastructure and services to all places in the network. The enterprise campus infrastructure module includes the campus infrastructure module and the server farm module. The enterprise edge modules include the e-commerce module, the Internet connectivity module, the remote access and VPN module, and the WAN and MAN and site-to-site modules. The remote enterprise modules include the remote branches, data centers, and teleworkers.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-22

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-23

www.CareerCert.info

Using Infrastructure Services

Structuring and Modularizing the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-1

www.CareerCert.info

Explaining the Role of Infrastructure Services

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-2

www.CareerCert.info

Modularizing Internal Security

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-3

www.CareerCert.info

Reasons for Internal Security

The enterprise campus is protected by security functions in the enterprise edge: If the enterprise edge security fails, the unprotected enterprise campus is vulnerable. The potential attacker can gain physical access to the enterprise campus. Some network solutions require indirect external access to the enterprise campus. All vital elements in the enterprise campus must be protected independently.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-4

www.CareerCert.info

External Threats

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-5

www.CareerCert.info

Designing High Availability

Analyze the business and technical goals. Identify critical applications, systems, internetworking devices, and links. Document the trade-offs between redundancy and cost and simplicity versus complexity. Duplicate any component whose failure could disable critical applications. Duplicate vital links and connect them to different devices.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-6

www.CareerCert.info

Designing Route Redundancy

Design redundant routes:
Minimize the effect of link failures. Minimize the effect of an internetworking device failure.

Make the connection redundant:

Parallel physical links between switches and routers Backup LAN and WAN links

Make the network redundant:

Full mesh to provide complete redundancy and good performance Partial mesh, which is cheaper and more scalable

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-7

www.CareerCert.info

Example: Campus Infrastructure Redundancy

The building access network is partially meshed with the building distribution switches. The building access switch has a chance to recover from a link or building distribution switch failure.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-8

www.CareerCert.info

Example: Enterprise Edge Redundancy

The remote site establishes a backup connection via an IPsec tunnel across the Internet.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-9

www.CareerCert.info

High Availability in the Server Farm Module

Single attachmentnot recommended: Requires alternative mechanisms to dynamically find an alternative router Dual attachment to increase availability and prevent session loss: Attachment through a redundant transceiver Attachment through a redundant NIC Fast EtherChannel and Gigabit EtherChannel port bundles

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-10

www.CareerCert.info

Example: Attachment Through a Redundant Transceiver

Transceiver activates backup link on primary link failure. Transceiver cannot detect failures beyond physical link.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-11

www.CareerCert.info

Example: Attachment Through a Redundant NIC

Device driver presents two NIC cards as a single logical interface. This setup uses one MAC address on both interfaces. Backup card is activated when the primary link is gone.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-12

www.CareerCert.info

Voice Transport Overview

Two implementations: Voice over IP: Uses analog phones. Transports voice packets over the IP network using voice-enabled routers. IP telephony: Implements voice in the network using Cisco Unified CallManager and IP phones. Both implementations require properly designed networks. All modules of the enterprise network are involved in the voice network solution.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-13

www.CareerCert.info

IP Telephony Components

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-14

www.CareerCert.info

Modular Approach in Voice Network Design

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-15

www.CareerCert.info

Example: Voice Network Solution

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-16

www.CareerCert.info

Evaluating the Existing Data Infrastructure for Voice Design

Document and evaluate the existing data infrastructure in each enterprise network module in terms of:
New voice performance requirements Availability requirements Feature requirements Potential network capacity or impact

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-17

www.CareerCert.info

Wireless LAN Overview

Supports connecting mobile clients to the enterprise network Transports packets over radio waves Has connectivity and privacy issues not found in wired networks Can have implications for all modules of the enterprise network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-18

www.CareerCert.info

Centralized WLAN Model Components

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-19

www.CareerCert.info

Application Networking Services Introduction

Traditional networks handled static web pages, e-mail, and routine client-server applications. Applications are evolving into complex and highly visible services. Application deployment issues are emerging. Consolidation of data centers can result in lower productivity for remote users. A web-based ordering system may suffer because of poor responsiveness. Business partners may need immediate and secure electronic access to back-office applications. A purchasing application may need to track large orders.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-20

www.CareerCert.info

ANS Can Resolve Application Issues

Wide-area application services can compress, cache, and optimize content. Optimization of the web streams can reduce latency, suppress unnecessary reloading of web objects, and offload the web server. Security and remote connectivity services can validate requests, route them appropriately, and encrypt and prioritize responses. Application messaging services interpret purchase orders and log large orders according to business policy rules.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-21

www.CareerCert.info

Example: ANS Components

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-22

www.CareerCert.info

Summary
Network infrastructure services add intelligence to the network infrastructure, supporting application awareness within the network. Security is a network infrastructure service that increases the integrity of the network by protecting network resources and users from internal and external threats. High-availability services protect the integrity of mission-critical information with networking platforms and topologies that offer a sufficient level of resiliency.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-23

www.CareerCert.info

Summary (Cont.)
Voice infrastructure services throughout the enterprise are needed to support IP telephony. Wireless services support mobile clients and integrate with the wired network. Cisco ANS optimizes website performance, content delivery, and the security and connectivity of applications.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-24

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-25

www.CareerCert.info

Identifying Network Management Protocols and Features

Structuring and Modularizing the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-1

www.CareerCert.info

Network Management Overview

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-2

www.CareerCert.info

SNMP Overview
Manager:
Polls agents on the network Correlates and displays information

SNMP:
Supports message exchange Runs on IP

Agent:
Collects and stores information Responds to manager requests for information Generates traps

MIB:
Database of objects (information variables) Read and write community strings for controlling access

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-3

www.CareerCert.info

SNMPv1 Message Types

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-4

www.CareerCert.info

SNMP Version 2
SNMPv2 introduced in RFC 1441 SNMPv2C defined in RFC 1901 SNMPv2 new features: Get Bulk Request Inform Request Data types with 64-bit values

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-5

www.CareerCert.info

SNMP Version 3
RFCs 3410 through 3415 Authentication and privacy Authorization and access control Usernames and key management Remotely configurable via SNMP operations Available since Cisco IOS Software Release 12.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-6

www.CareerCert.info

MIB Definition
Collection of managed objects Each object has a unique identifier Objects are grouped into a tree Standard MIBs = RFC xxxx Private MIBs

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-7

www.CareerCert.info

Example: Cisco Router MIB

Standard managed objects: Interfaces Buffers Memory Standard protocols Private extensions to MIB-II: 1.3.6.1.4.1.9 or iso.org.dod.internet.private.enterprise.cisco Definitions available at http://www.cisco.com/public/mibs
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.02-8

Private managed objects: Small, medium, large, and huge buffers Primary and secondary memory Proprietary protocols

www.CareerCert.info

Example: Variable Retrieval

Base format to retrieve the number of errors on an interface
iso org dod internet mgmt mib interface ifTable ifEntry ifOutErrors 1 3 6 1 2 1 2 2 1 20

Specific format to retrieve the number of errors on first interface

iso org dod internet mgmt mib interface ifTable ifEntry ifOutErrors Instance 1 3 6 1 2 1 2 2 1 20 0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-9

www.CareerCert.info

RMON1
Supports proactive monitoring of LAN traffic: Network fault diagnosis Planning Performance tuning Works on MAC layer data: Monitors only the aggregate LAN traffic for remote LAN segments Traffic statistics and analysis Implemented on agents: Routers, switches, hubs, servers, hosts, and dedicated probes

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-10

www.CareerCert.info

RMON1 Groups (RFC 1513 and 2819)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-11

www.CareerCert.info

RMON2

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-12

www.CareerCert.info

RMON2 (RFC 2021)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-13

www.CareerCert.info

NetFlow Infrastructure

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-14

www.CareerCert.info

NetFlow vs. RMON Information Gathering

NetFlow can be configured on individual interfaces. NetFlow gathers more detailed information:
Source and destination interface numbers Source and destination IP addresses TCP/UDP source port and destination ports Number of bytes and packets in the flow Source and destination autonomous system (AS) numbers IP type of service

NetFlow provides greater scalability, customized data collection, and a lower performance impact.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-15

www.CareerCert.info

Applications Using NetFlow

Accounting and billing Network planning and analysis Network and security monitoring Application monitoring and profiling User monitoring and profiling NetFlow data warehousing and mining

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-16

www.CareerCert.info

Cisco Discovery Protocol

Upper-Layer Entry Addresses Cisco Proprietary Data Link Protocol TCP/IP Novell IPX AppleTalk Others

CDP LANs

CDP
Frame Relay

CDP
ATM

CDP
Others

Media Supporting SNAP CDP = Cisco Discovery Protocol

Provides a summary of directly connected switches, routers, and other Cisco devices Discovers neighbor devices regardless of which protocol suite they are running Requires that physical media support SNAP encapsulation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-17

www.CareerCert.info

Discovering Neighbors with Cisco Discovery Protocol

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-18

www.CareerCert.info

Syslog Features
Devices produce syslog messages. Syslog messages contain level and facility. Common syslog facilities: IP OSPF protocol SYS operating system IP Security (IPsec) Route Switch Processor (RSP) Interface (IF) Syslog levels: Emergency (level 0, highest level) Alert (level 1) Critical (level 2) Error (level 3) Warning (level 4) Notice (level 5) Informational (level 6) Debugging (level 7)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-19

www.CareerCert.info

Example: Syslog Messages

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-20

www.CareerCert.info

Syslog Architecture

Centralized syslog daemon Remote syslog daemons: Support for syslog filters Low bandwidth utilization

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-21

www.CareerCert.info

Summary
Network management is supported with various devices and servers that use network management protocols and standards. SNMP is a simple network management protocol that is the foundation of a network management architecture. A MIB stores local management agent information on a managed device. RMON is a MIB that supports proactive management of remote networks. NetFlow collects network flow data to support network accounting, usage-based billing, planning, performance monitoring, and QoS applications. Cisco Discovery Protocol is a Cisco proprietary protocol that enables you to discover Cisco devices on the network. Syslog reports system state information based on preset facilities and severity levels.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-22

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-23

www.CareerCert.info

Module Summary
The hierarchical network structure is composed of the access, distribution, and core layers. Based on Cisco SONA, the Cisco Enterprise Architecture provides a modular hierarchical approach for providing network infrastructure and services to all places in the network. Network infrastructure services add intelligence to the network infrastructure, supporting application awareness within the network. Network management protocols support the exchange of management information between the network management system and managed devices.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-1

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.02-2

www.CareerCert.info

Designing Basic Campus and Data Center Networks

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-1

www.CareerCert.info

Describing Campus Design Considerations

Designing Basic Enterprise Campus Networks

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-1

www.CareerCert.info

Designing an Enterprise Campus

Campus design factors:
Network applications characteristics Device characteristics Environmental characteristics

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-2

www.CareerCert.info

Overview of Network Application Types

Peer-to-peer Client-local server Client-server farm Client-enterprise edge Server

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-3

www.CareerCert.info

Network Requirements of Applications

Connectivity type Total required throughput High availability Total network costs

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-4

www.CareerCert.info

Example: Peer-to-Peer Applications

Instant messaging File sharing IP phone calls Video conference systems

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-5

www.CareerCert.info

Example: Client-Local Server Applications

Servers are located close to clients. Servers and clients are in the same LAN. Request to servers from nonlocal LANs is rare.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-6

www.CareerCert.info

Example: Client-Server Farm Applications

Typical applications:
Mail servers File servers Database servers

Access to applications:
Fast Reliable Controlled (security)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-7

www.CareerCert.info

Example: Client-Enterprise Edge Applications

Typical applications:
Internet applications Mail servers Web servers Public Internet servers E-commerce applications

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-8

www.CareerCert.info

Relative Network Requirements by Application Type

Client-Local Servers Switched Medium Medium Medium Client-Server Farm Switched High High High Client-Enterprise Edge Servers Switched Medium High Medium

Peer-to-Peer Connectivity type Total required throughput High availability Total network costs Switched Medium to high Low to high Low to medium

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-9

www.CareerCert.info

Environmental Characteristics for Network Design

The network devices and distances between them determine the network geography. The campus network design is scoped with respect to geography: Intrabuilding Interbuilding Distant remote buildings

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-10

www.CareerCert.info

Intrabuilding Structure
Provides connectivity inside the building Built with the building access and building distribution layers Transmission options: Copper Optical fiber Wireless

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-11

www.CareerCert.info

Interbuilding Structure
Connectivity between buildings Distances between buildings within a few kilometers Building distribution with campus core layer Typical transmission media: optical fiber

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-12

www.CareerCert.info

Distant Remote Building Structure

Metropolitan-based network connectivity options: Using company-owned fiber Through enterprise WAN Through service provider offerings

WAN

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-13

www.CareerCert.info

Campus Transmission Media

Physical media in network design influences: Network bandwidth Allowable distance between devices Copper design considerations: Electromagnetic interference, grounding, security Signal attenuation, distance limitations Optical fiber design considerations: Light signal (LED or laser) Expensive, providing a long-term investment Wireless design considerations: Distance, interference, bandwidth, security

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-14

www.CareerCert.info

Comparison of Campus Transmission Media

Copper Twisted Pair Bandwidth Distance Up to10 Gbps Up to 100 m

Multimode Fiber Up to10 Gbps Up to 2 km (Fast Ethernet) Up to 550 m (Gigabit Ethernet) Up to 300 m (10 Gigabit Ethernet)

Single-Mode Fiber Up to10 Gbps or higher Up to 80 km (Fast Ethernet) Up to 100 m (Gigabit Ethernet) Up to 80 km (10 Gigabit Ethernet) Moderate to expensive

Wireless Up to 54 Mbps* Up to 500 m at 1 Mbps

Price

Inexpensive

Moderate

*Wireless is half-duplex, so effective bandwidth will be no more than one half this rate.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-15

www.CareerCert.info

Example: Transmission Media

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-16

www.CareerCert.info

Infrastructure Device Characteristics

Switches connect end devices as well as infrastructure devices:
Access layer is typically data link layer switches. Distribution and core layer typically use multilayer switches.

Switch type and switching layer decision is influenced by:

Infrastructure services requirements(QoS, including policing, and so on) Size of the network segments Expected network failure convergence times Cost

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-17

www.CareerCert.info

Example Network Service: QoS in LAN Switches

Enterprise QoS guarantees that critical applications receive the required bandwidth or services.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.03-18

www.CareerCert.info

Summary
Campus network design is influenced by several factors; first by applications characteristics, such as throughput and availability requirements. Second are environmental characteristics, such as the location of devices and buildings and transmission media. Third are infrastructure device characteristics, such switching type and support for network services.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-19

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-20

www.CareerCert.info

Designing the Campus Infrastructure Module

Designing Basic Enterprise Campus Networks

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-1

www.CareerCert.info

Relative Considerations for the Campus Design

Campus Infrastructure Building Access Technology Scalability High availability Performance Cost per Port Data Link Layer/ Multilayer Switched High Medium Medium Low Building Distribution Multilayer Switched Medium Medium Medium Medium Campus Core Multilayer Switched Low High High High Server Farm Multilayer Switched Medium High High High

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-2

www.CareerCert.info

Building Access Layer Design Considerations

Number of users or ports Cabling Performance Redundancy Connectivity speed for hosts and uplinks VLAN deployment Additional features such as QoS and IP multicast

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-3

www.CareerCert.info

Overview of Recommended Practices for the Building Access Layer

Manage VLANs and STP: Limit VLANs to a single closet whenever possible. If STP is required, use RPVST+. Set trunks to desirable and desirable with negotiate. Manually prune unused VLANs. Use VTP transparent mode. Manage trunks between switches. Manage default PAgP settings between the catalyst operating system and Cisco IOS Software. Consider implementing routing in the access layer.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-4

www.CareerCert.info

STP Considerations
Use only when you have to!
Required when a VLAN spans access layer switches Required to protect against user side loops More common in the data center

Use RPVST+ for best convergence. Take advantage of the Spanning Tree Toolkit.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-5

www.CareerCert.info

Cisco STP Toolkit

PortFast: Bypass listening-learning phase for access port* UplinkFast: Three to five seconds convergence after link failure BackboneFast: Cuts convergence time by max_age for indirect failure LoopGuard: Prevents alternate or root port from becoming designated in absence of BPDUs* RootGuard: Prevents external switches from becoming root* BPDUGuard: Disable PortFast-enabled port if a BPDU is received*
* Also supported with RPVST+

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-6

www.CareerCert.info

Trunk Considerations
Set trunk mode to desirable and desirable and encapsulation negotiate on Manually prune all VLANS except those needed Use VTP transparent mode to decrease potential for operational error Disable trunks on host ports: Catalyst Operating System: set port host Cisco IOS Software: switchport host

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-7

www.CareerCert.info

Layer 3 Access-to-Distribution Interconnection

Best option for fast convergence Equal-cost Layer 3 load balancing on all links No spanning tree required for convergence No HSRP or GLBP configuration required No VLAN spanning possible
DESGN v2.03-8

2007 Cisco Systems, Inc. All rights reserved.

www.CareerCert.info

Building Distribution Layer Design Considerations

Performance Redundancy Support for network infrastructure services

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-9

www.CareerCert.info

Overview of Recommended Practices for the Building Distribution Layer

Use first-hop redundancy protocols (HSRP and GLBP). Deploy Layer 3 routing protocols from distribution switches to core switches. If required, connect distribution switches to support Layer 2 VLAN spanning multiple access switches.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-10

www.CareerCert.info

Recommended Practices First-Hop Redundancy

Provides a resilient default gateway or first-hop address to end stations with HSRP, VRRP, or GLBP HSRP, VRRP, and GLBP provide millisecond timers and excellent convergence performance HSRP common in Cisco environments VRRP if you need multi-vendor interoperability GLBP facilitates uplink load balancing

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-11

www.CareerCert.info

Recommended PracticesUse Layer 3 Routing Protocols

Build triangles, not squares, for deterministic convergence. Only peer on links that you intend to use as transit. Summarize routes from distribution to core.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-12

www.CareerCert.info

Example: Build Redundant Triangles

Layer 3 redundant equal cost links support fast convergence. Hardware basedrecovery to remaining path is fast. Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path).
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.03-13

www.CareerCert.info

Layer 3 Distribution Interconnection

Recommended practicetried and true No STP convergence required for uplink failure and recovery Distribution-to-distribution link required for route summarization Map Layer 2 VLAN number to Layer 3 subnet for ease of use and management
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.03-14

www.CareerCert.info

Alternate: Layer 2 Distribution Interconnection

Use only if Layer 2 VLAN spanning flexibility required STP convergence required for uplink failure and recovery More complex because STP root and HSRP should match Distribution-to-distribution link required for route summarization
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.03-15

www.CareerCert.info

Campus Core Design Considerations

Determine if core is needed. Determine performance and capacity needed. Determine redundancy. Determine if enterprise edge and WAN connectivity is to core or data center.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-16

www.CareerCert.info

Example: Large Campus Multilayer Switched Backbone Design

Reduced multilayer switch peering Topology with no spanning-tree loops Scalability to arbitrarily large size Improved network services support Two equal-cost paths to every destination network Fast recovery from link failure

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-17

www.CareerCert.info

Small and Medium Campus Design Options

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-18

www.CareerCert.info

Edge Distribution Design

Edge distribution switches have to protect the campus core from: Unauthorized access IP spoofing Network reconnaissance Packet sniffers

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-19

www.CareerCert.info

Server Placement in a Medium-Sized Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-20

www.CareerCert.info

Server Placement in a Large Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-21

www.CareerCert.info

Server Farm Design Guidelines

Key design considerations: Access control Traffic demands Oversubscription Server connectivity options: Single NIC Dual-NIC redundancy Content switching (server load balancing)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-22

www.CareerCert.info

Summary
Design an enterprise campus network using recommended practices:
Use low price per port and high port density on data link layer switches for the building access layer. Use redundant multilayer switching in the building distribution layer for high availability and performance. Use high-performance wire-rate multilayer switching in the campus core design. Group centralized servers into a server farm module for moderate enterprise server requirements.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-23

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-24

www.CareerCert.info

Describing Enterprise Data Center Considerations

Designing Basic Enterprise Campus Networks

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-1

www.CareerCert.info

Server-Centric to Service-Centric

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-2

www.CareerCert.info

Cisco Data Center Network Architecture Framework

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-3

www.CareerCert.info

Example: Data Center Network Topology

IBM

3d icons not available

www.CareerCert.info

Data Center Infrastructure Overview

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-5

www.CareerCert.info

Defining the Data Center Access Layer

Can support Layer 2 or Layer 3 access Provides port density to server farm Supports dual and single-attached servers Provides high-performance, low-latency Layer 2 switching Mix of oversubscription requirements Many uplink options

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-6

www.CareerCert.info

Density and Scalability Implications

Where are the issues? Cabling Power Cooling

2007 Cisco Systems, Inc. All rights reserved.

7 DESGN v2.03-7

www.CareerCert.info

Defining the Data Center Aggregation Layer

Aggregates traffic to data center core Aggregates advanced application and security functions Maintains connection and session state for redundancy Layer 47 services: firewall, server load balancing, SSL, IDS Large STP processing load High flexibility and economies of scale

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-8

www.CareerCert.info

Defining the Data Center Core Layer

Drivers for a data center core:
10-Gigabit Ethernet port density Administrative domains Anticipate future requirements

Key core characteristics:

Distributed forwarding architecture Low latency switching 10-Gigabit Ethernet scalability Scalable IP multicast support

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-9

www.CareerCert.info

Summary
Enterprise data centers support a rich set of applications and servers. The SONA-based Cisco Enterprise Data Center Architecture provides a modular hierarchical approach to align data center resources with business applications.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-10

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-11

www.CareerCert.info

Enterprise Campus and Data Center Design Review

Analyze organizational requirements: Type of applications, traffic volume, and traffic pattern Redundancy and backup needed Characterize the existing network and sites: Technology used and location of hosts, servers, terminals, and other end nodes Develop enterprise campus and enterprise data center network designs: Based on requirements, implement two or three hierarchical layers. Select hardware and software components to support requirements.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-1

www.CareerCert.info

Module Summary
Campus network design is influenced by application, environmental, and infrastructure device characteristics. An enterprise campus network is constructed hierarchically with building access, building distribution, and campus core layers. An enterprise data center network is constructed hierarchically, with data center access, data center aggregation, and data center core layers.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-2

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.03-3

www.CareerCert.info

Designing Remote Connectivity

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-1

www.CareerCert.info

Identifying WAN Technology Considerations

Designing Remote Connectivity

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-1

www.CareerCert.info

Role of a WAN

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-2

www.CareerCert.info

Types of WAN Interconnections

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-3

www.CareerCert.info

WAN Transport Technology Comparison

Bandwidth TDM ISDN Frame Relay ATM MPLS Metro Ethernet DSL Cable modem Wireless SONET/SDH DWDM Dark fiber
*Unbalanced

Latency and Jitter

Connect Time

Tariff

Initial Cost

Reliability

M L L M/H M/H M/H L/M* L/M* L/M H H H

Tx and Rx

L M/H L L L L M/H M/H M/H L L L

L M L L L L L L L L L L

M M M M M M L L L M M M

M L M M M M L M M H H H

M M M H H H M L L H H H

L = low, M = medium, H = high

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-4

www.CareerCert.info

Example: ADSL Implementation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-5

www.CareerCert.info

Example: Data and Voice over Cable

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-6

www.CareerCert.info

Example: Three Uses of Wireless

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-7

www.CareerCert.info

Example: SONET/SDH

Guaranteed bandwidth High line rates (from 155 Mbps to 10 Gbps) Automatic recovery capabilities IP encapsulations: ATM or packet over SONET/SDH (POS)
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.04-8

www.CareerCert.info

Example: DWDM

Improved signaling mechanisms to optimize bandwidth usage Used inside the SONET/SDH ring

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-9

www.CareerCert.info

Example: Dark Fiber

Edge devices directly connected to regenerators or DWDM concentrators Edge devices able to use any Layer 2 encapsulation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-10

www.CareerCert.info

WAN Transport Technology Pricing Considerations

Pricing used to include an access circuit and a distance-sensitive rate. Access circuit provisioning generally takes 60 days or more lead time. Metro Ethernet availability is spotty, and lead times are long. For Frame Relays and ATM, pricing includes an access circuit charge, per-PVC and possibly per-bandwidth (CIR or MIR) charges. MPLS VPN pricing is generally comparable with Frame Relays and ATM.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-11

www.CareerCert.info

WAN Transport Technology Contract Considerations

Tariffed commercial services are at published rates and subject to restrictions. Time to contract can be one month for standard tariff rates, longer if you negotiate SLAs. Contract periods are usually one to five years for most WAN services. For dark fiber, contract periods are generally 20 years.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-12

www.CareerCert.info

Methodology Used in Enterprise Edge Design

Planning and designing the enterprise edge is based on the PPDIOO methodology:
Analyze network requirements, including type of applications, traffic volume, and traffic patterns. Characterize the existing network for technology used and location of hosts, servers, terminals, and other end nodes. Design the topology based on availability of technology, the projected traffic pattern, and technology performance constraints and reliability.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-13

www.CareerCert.info

Identifying Application Requirements

Data File Transfer Response time Reasonable Interactive Data Application Within a second Real-Time Voice Round trip less than 250 ms with delay and with low jitter Low/low Low Real-Time Video Minimum delay and jitter High/medium Minimum

Throughput and packet loss tolerance Downtime (high reliability has low downtime)

High/medium Reasonable

Low/low Low

Zero Downtime for Mission-Critical Applications

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-14

www.CareerCert.info

Determining the Maximum Offered Traffic

WAN resources have finite capacity. End users require minimum response times. Network managers require maximum link utilization.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-15

www.CareerCert.info

Determining Physical Media Bandwidth

Bandwidth <= 1.5/2 Mbps From 1.5/2 Mbps to 45/34 Mbps ADSL (8 Mbps downstream From 45/34 Mbps to 100 Mbps From 100 Mbps to 10 Gbps

Copper

Serial or async serial, ISDN, TDM, X.25, Frame Relay, ADSL

Fiber

Ethernet, TDM (T3 or E3)

Fast Ethernet, ATM over SONET/SDH, POS

10-Gigabit Ethernet, Gigabit Ethernet, ATM over SONET/SDH, POS

Coaxial

Shared bandwidth: 27 Mbps downstream, 2.5 upstream Varies based on distance and RF quality

2.4/5 GHz WAN wireless

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-16

www.CareerCert.info

Evaluating Cost-Effectiveness of Design and Implementation

Investment and Running Costs Private Leased Shared Owner must buy, configure, and maintain the physical layer connectivity and the terminal equipment that connects each location. Fixed bandwidth is leased from a carrier company with private or leased terminal equipment. Physical resources in campus backbone are shared with many users.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-17

www.CareerCert.info

Bandwidth Usage in a WAN

Optimize the bandwidth usage on WAN links to improve network efficiency using:
Data compression: Reduces the size of a frame of data to transmit over a network link Bandwidth combination: Logically aggregates physical links Window size: Adjusts link reliability versus throughput Queuing: Avoids congestion for some traffic by giving it priority over other traffic Traffic shaping and policing: Avoids congestion by policing inbound and outbound flows

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-18

www.CareerCert.info

Queuing to Improve Link Utilization

Queuing allows network administrators to manage varying demands of applications on networks and routers. Key types of queuing: Priority queuing Custom queuing Weighted fair queuing Class-based weighted fair queuing Low latency queuing

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-19

www.CareerCert.info

Traffic Shaping and Policing

Usually found on egress ports, shaping buffers excess traffic, using a token bucket mechanism to release packets. Policers typically tag or drop traffic, depending on the mechanism, protocol, and severity of offense. Policing, historically in ATM, is on ingress ports and uses a leaky bucket mechanism.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.04-20

www.CareerCert.info

Data Compression and QoS to Optimize Bandwidth Usage

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-21

www.CareerCert.info

Summary
A WAN is a communications network that covers a relatively broad geographic area and carries a variety of traffic types using transmission facilities that are typically provided by service providers. The multiple WAN transport technologies vary in bandwidth, performance characteristics, and cost. In WAN design, enterprise edge connectivity requirements influence the trade-off between the cost of bandwidth and bandwidth efficiency.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-22

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-23

www.CareerCert.info

Designing the Enterprise WAN

Designing Remote Connectivity

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-1

www.CareerCert.info

Traditional WAN Technologies

Description Leased lines Circuit-switched PSTN (phone service, analog modems, ISDN) A service provider establishes a dedicated connection. A dedicated circuit path is established for the duration of a call. ISDN combines voice, data, and backup. Packet- and cell-switched (Frame Relay, SMDS, ATM, MPLS) A service provider creates PVCs or SVCs. ATM uses cells and provides support for multiple QoS classes.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-2

www.CareerCert.info

WAN Topologies

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-3

www.CareerCert.info

Designing the Remote-Access Network

Objective: Provide a unified solution for remote access Grant the connection seamlessly, as if in company headquarters Application requirements include: Low to medium-volume data file transfer and interactive traffic for teleworkers and traveling workers Voice services for teleworkers Connectivity option: IP access through an on-demand or always-on connection Technologies include dial-up, DSL, cable, and wireless

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-4

www.CareerCert.info

Overview of Virtual Private Networks

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-5

www.CareerCert.info

Connectivity Option: Overlay VPN

VPNs may replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-6

www.CareerCert.info

Connectivity Option: Virtual Private DialUp Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-7

www.CareerCert.info

Connectivity Option: Peer-to-Peer VPN

Provider participates in the enterprise routing:
Uses MPLS VPN technology Enables organization to use any IP address space No overlapping IP address space problems

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-8

www.CareerCert.info

Benefits of VPNs

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-9

www.CareerCert.info

WAN Backup Technologies

Backup options:

2007 Cisco Systems, Inc. All rights reserved.

Dial backupanalog or ISDN Permanent secondary WAN link Shadow PVC IPsec tunnel across Internet
DESGN v2.04-10

www.CareerCert.info

Example: Permanent Secondary WAN Link

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-11

www.CareerCert.info

Example: Shadow PVC

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-12

www.CareerCert.info

WAN Backup over the Internet

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-13

www.CareerCert.info

Layer 3 Tunneling
GRE can encapsulate a variety of protocol types inside IP tunnels. It is simple and flexible for basic IP VPNs. Packet payload is not encrypted. Provisioning of tunnels is not very scalable. IPsec encapsulates IP inside of IPsec tunnels. Packet payload can be encrypted. IPsec receiver can authenticate source of packets. It uses IKE and PKI.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-14

www.CareerCert.info

Enterprise WAN Architecture Considerations

Support for network growth Appropriate availability Operational expense Operational complexity Voice and video support Effort and cost to implement Support of network segmentation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-15

www.CareerCert.info

Cisco Enterprise MAN and WAN Architecture

Private WAN (optionally encrypted) ISP service through site-to-site and remote-access IPsec VPN Service provider-managed IP or MPLS VPN Self-deployed MPLS

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-16

www.CareerCert.info

Cisco Enterprise WAN and MAN Architecture Comparison

Private WAN Secure transport High availability Multicast Voice and video support Scalable network growth Easily shared WAN links Operational costs Network control Effort to migrate from private to WAN
2007 Cisco Systems, Inc. All rights reserved.

ISP Service IPsec (mandatory) Good Good Low Good Moderate Low Moderate Moderate

SP MPLS and IP VPN IPsec (mandatory) Excellent Good Excellent Excellent Moderate Moderate, depends on transport Moderate Moderate

Self-Deployed MPLS IPsec (mandatory) Excellent Excellent Excellent Excellent Excellent Moderate to high High High
DESGN v2.04-17

IPsec (optional) Excellent Good Excellent Moderate Moderate High High Low

www.CareerCert.info

Example: Cisco WAN Architectures in the Healthcare Environment

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-18

www.CareerCert.info

Selecting Enterprise Edge Hardware Components and Software Features

Hardware selection incorporates the selection of data link layer functions and features of a particular device Considerations: Port density, packet throughput, future expandability, redundancy Software selection focuses on network layer performance Considerations: Forwarding decisions, bandwidth optimization, security

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-19

www.CareerCert.info

Cisco IOS Software in the Network

Cisco IOS Software T

IP Services and Ease of Deployment Broadband access Mobility and wireless Data center Security IP communications

Cisco IOS Software S

IP Services and Infrastructure High-end enterprise core Service provider edge Virtual Private Networks (MPLS, Layer 2 and Layer 3) Video and content multicast

Cisco IOS Software XR

Scale and Availability Large-scale networks High availability In-service software upgrade

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-20

www.CareerCert.info

Cisco IOS Packaging

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-21

www.CareerCert.info

Cisco IOS Packaging Technology Segmentation

Data Connectivity IP Base IP Voice Advanced Security Enterprise Base SP Services Advanced IP Services Enterprise Services Advanced Enterprise Services X X X X X X X X X X X X X X X X X X X X X X X VoIP and VoFR ATM, VoATM, MPLS AppleTalk, IPX, IBM Protocols Firewall, IDS, VPN

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-22

www.CareerCert.info

Comparing Router Platforms and Software Functions

Hardware 800, 1800, 2800, 3800, 7200 7200, 7301, 7304, 7500, 10K 7600 Software Cisco IOS T Releases 12.3, 12.4, 12.3T, 12.4T Cisco IOS S Release 12.2SB Cisco IOS S Release 12.2SR Function Supports access routing platforms providing fast, scalable delivery of mission-critical enterprise applications Delivers midrange broadband and leased-line aggregation for enterprise and service provider edge networks Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge Provides massive scale, continuous system availability, and service flexibility for service provider core and edge. (Takes advantage of the massively distributed processing capabilities of the Cisco CRS-1 routing system and the Cisco 12000)

12000, CRS-1

Cisco IOS XR

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-23

www.CareerCert.info

Comparing Multilayer Switch Platforms and Software Functions

Hardware 800, 1800, 2800, 3800, 7200 4500, 4900 Software Cisco IOS S Release 12.2SE Cisco IOS S Release 12.2SG Function Provides low-end to midrange Ethernet LAN switching for enterprise access and distribution deployments Provides midrange Ethernet LAN switching for enterprise access and distribution deployments in the campus, and supports Metro Ethernet Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge

6500

Cisco IOS S Release 12.2SX

Use the Cisco Feature Navigator to find the right Cisco IOS and Catalyst operating system software release and features.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-24

www.CareerCert.info

Summary
Traditional WAN technologies include leased lines, circuit-switched PSTN, and packet-switched networks. Remote-access networks connect teleworkers and traveling employees. A VPN provides connectivity over a shared infrastructure with the same policies and performance as a private network. WAN backup strategies are needed to provide high availability between remote sites. The Cisco Enterprise WAN and MAN Architecture provides integrated QoS, network security, reliability, and manageability. Enterprise WAN design includes selecting the appropriate components, including hardware and software.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-25

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-26

www.CareerCert.info

Designing the Enterprise Branch

Designing Remote Connectivity

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-1

www.CareerCert.info

Enterprise Branch Services

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-2

www.CareerCert.info

Enterprise Branch Architecture

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-3

www.CareerCert.info

Characterizing the Branch

Number of locations Number of existing devices Scalability needed High-availability requirements Security concerns Management concerns Wireless services needed Approximate budget

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-4

www.CareerCert.info

Enterprise Branch Profiles

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-5

www.CareerCert.info

Small Branch Office Design

Infrastructure components
Access router Layer 2 Switching (integrated or external stackable) Laptops, phones, printers

WAN services and backup

Internet deployment model T1 primary link ADSL secondary link

Network fundamentals
EIGRP High availabilityfloating statics, T1 with aDSL QoSshaping, policing, scavenger class (applied to both switch and router)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-6

www.CareerCert.info

Medium Branch Office Design

Infrastructure components
Dual access routers External stackable switch (Layer 2 or Layer 3) Laptops, phones, printers

WAN services
Private WAN deployment Dual Frame Relay links

Network fundamentals
EIGRP High availabilitydual routers, HSRP QoSshaping, policing, scavenger class (applied to both switch and router)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-7

www.CareerCert.info

Large Branch Office Design

Infrastructure components
Dual access routers for WAN edge Dual ASAs for firewalls Dual multilayer switching (stackable or modular) Laptops, phones, printers

WAN services
MPLS deployment model Dual links to WAN cloud

Network fundamentals
EIGRP High availabilitydual routers at every layer, HSRP Object tracking, ASA failover QoSshaping, policing, scavenger class (applied to all routers and switches)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-8

www.CareerCert.info

Comparison of Teleworking Options

Occasional Users Part-Time or Full-Time and Day Extenders

E-mail Web-based applications Mission-critical applications Real-time collaboration Voice over IP Video on demand, Cisco IP/TV Video conferencing Remote configuration and management Integrated security Resiliency and availability
2007 Cisco Systems, Inc. All rights reserved.

Occasional Remote Worker Yes Yes Best effort Best effort Best effort Unlikely Unlikely No Basic No

Branch of One Yes Yes Prioritized Prioritized High quality High quality High quality Yes Full Yes
DESGN v2.04-9

www.CareerCert.info

Branch of One Architecture

Advanced applications support (voice, video) Centralized management IT managed security policies

Corporate-Pushed Security Policies (Not User-Managed)

Corporate Phone, Toll Bypass, Centralized Voice Mail

Integrated Security and Identity Services

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-10

www.CareerCert.info

Summary
The Cisco Enterprise Branch Architecture provides enterprise services to remote users. You should characterize each branch location to develop a suitable design: Small branch office design typically uses a single WAN access router with one or two access switches to support up to 50 users. Medium branch office design typically uses two WAN access routers with multiple access switches to support up to 100 users. Large branch office design typically uses two WAN access routers, one or more multilayer distribution switches, and multiple access switches to support up to 100 to 1000 users. An enterprise teleworker design can use a small ISR with integrated switch ports and an always on VPN to support one teleworker.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.04-11

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-12

www.CareerCert.info

Remote Connectivity Design Review

Analyze network requirements: Type of applications, the traffic volume and traffic pattern Redundancy and backup needed Characterize the existing network and sites: Technology used, and location of hosts, servers, terminals and other end nodes Develop WAN and branch network design: Select WAN and branch technology to support requirements. Select hardware and software components to support requirements.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-1

www.CareerCert.info

Module Summary
Network application and connectivity requirements influence the WAN design. The Cisco Enterprise MAN and WAN architecture provides integrated QoS, network security, reliability, and manageability on: Private WANs ISP service through site-to-site and remote-access VPNs Service Provider-managed IP or MPLS VPNs The Cisco Enterprise Branch Architecture supports small, medium, large, and teleworker locations.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-2

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.04-3

www.CareerCert.info

Designing IP Addressing and Selecting Routing Protocols

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-1

www.CareerCert.info

Designing IP Addressing

Designing IP Addressing and Selecting Routing Protocols

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-1

www.CareerCert.info

Prerequisite Knowledge
IPv4 address and mask structure IPv4 classes and CIDR Static addressing Dynamic addressing with DHCP DNS Private and public addresses NAT and PAT Static NAT Dynamic NAT Overloading

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-2

www.CareerCert.info

Private and Public IPv4 Address Guidelines

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-3

www.CareerCert.info

Network Size and IP Addressing Planning

How many locations are in the network? How many devices in each location? What are the IP addressing requirements for individual locations? What subnet size is appropriate?

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-4

www.CareerCert.info

Determining General Network Topology

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-5

www.CareerCert.info

IP Address Requirements by Location

Workstations Firewall and Net Device Interfaces Office Type IP Phones Router Interfaces Switches Layer 3

Location San Francisco Denver Houston Remote Office 1 Remote Office 2 Remote Office 3 Total

Reserve

Servers

Total 1290 441 329 28 35 21 2144

Main Regional Regional Remote Remote Remote

600 210 155 12 15 8 1000

35 7 5 1 1 1 50

600 210 155 12 15 8 1000

17 10 10 2 3 3 45

26 4 4 1 1 1 37

12 0 0 0 0 0 12

20% 20% 20% 10% 10% 10%

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-6

www.CareerCert.info

IP Addressing Hierarchy
Reasons to implement include: Influence of IP addressing on routing Modular design and scalable solutions Support for route aggregation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-7

www.CareerCert.info

Route Summarization Groups

Benefits of hierarchical addressing include: Support for route summarization groups Efficient aggregation of routing advertisements Poorly designed IP addressing results in: Excess routing traffic, leading to additional bandwidth consumption Increased routing table recalculations, degrading router performance

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-8

www.CareerCert.info

Example: Address Blocks by Location

Location Counts Rounded Power of 2 Address Block

San Francisco Campus Denver Region

Denver Office 1 Remote Office 1 Remote Office 2

1290

441 28 35

Houston Region
Houston Campus Remote Office 3 329 21

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-9

www.CareerCert.info

Example: Address Blocks by Location

Location Counts Rounded Power of 2 Address Block

San Francisco Campus Denver Region

Denver Office 1 Remote Office 1 Remote Office 2

1290

2048

441 28 35

512 64 64

Houston Region
Houston Campus Remote Office 3 329 21 512 64

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-10

www.CareerCert.info

Example: Address Blocks by Location

Location Counts Rounded Power of 2 Address Block

San Francisco Campus Denver Region

Denver Office 1 Remote Office 1 Remote Office 2

1290

2048 1024

441 28 35

512 64 64

Houston Region
Houston Campus Remote Office 3 329 21

1024
512 64

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-11

www.CareerCert.info

Example: Address Blocks by Location

Location Counts Rounded Power of 2 Address Block 172.16.0.0 172.16.7.255 /21 172.16.8.0 172.16.11.255 /22 172.16.8.0 172.16.9.255 /23 172.16.10.0 /26 172.16.10.64 /26 172.16.12.0 172.16.15.255 /22 172.16.12.0 172.16.13.255 /23 172.16.14.0 /26

San Francisco Campus Denver Region

Denver Office 1 Remote Office 1 Remote Office 2

1290

2048 1024

441 28 35

512 64 64

Houston Region
Houston Campus Remote Office 3 329 21

1024
512 64

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-12

www.CareerCert.info

Example: Hierarchical IP Addressing Plan

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-13

www.CareerCert.info

Example: Hierarchical IP Addressing Plan

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-14

www.CareerCert.info

Managing IP Addresses
Using DHCP in the enterprise. Using DNS in the enterprise. Using NAT in the enterprise.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-15

www.CareerCert.info

Recommended Practices for IP Address Assignment

Method Criteria Node type Number of end user devices Renumbering Address tracking Additional parameters High availability Security concerns
2007 Cisco Systems, Inc. All rights reserved.

Strategic Address Assignment Infrastructure devices such as routers and switches Up to 30 end-user devices Requires manual reconfiguration of all hosts Easy address tracking Manual configuration of all hosts required IP addresses are available at any time Minor security risk

Dynamic Address Assignment with DHCP End-user devices More than 30 end user devices Only DHCP server reconfiguration is needed Requires additional DHCP server configuration Only DHCP server needs to be configured Redundant DHCP server is required Any device gets IP address
DESGN v2.05-16

www.CareerCert.info

Example: IP Address Assignment Methods in an Enterprise Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-17

www.CareerCert.info

Static vs. Dynamic Name Resolution

Names used to ease computer-human interaction Names resolved to IP addresses Different name resolution strategies: Static Dynamic

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-18

www.CareerCert.info

Recommended Practices for Name Resolution

Method Criteria Number of hosts Isolated network Internet connectivity Frequent changes and addition of names Application depending on name resolution Static Name Resolution Up to 30 hosts Applicable Not applicable Not recommended Not recommended Dynamic Name Resolution More than 30 hosts Applicable Mandatory Recommended Recommended

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-19

www.CareerCert.info

Using DNS for Name Resolution

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-20

www.CareerCert.info

Example: Locating DHCP and DNS Servers in the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-21

www.CareerCert.info

IPv6 Address Structure

x:x:x:x:x:x:x:x, where x is 16 bits, represented by a hexadecimal number: 2031:0000:130F:0000:0000:09C0:876A:130B Can be also written as 2031:0:130F::9C0:876A:130B

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-22

www.CareerCert.info

Benefits of IPv6 Addressing

Larger address space Globally unique IP addresses Site multihoming Header format efficiency Improved privacy and security Flow labeling capability Increased mobility and multicast capabilities

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-23

www.CareerCert.info

IPv6 Address Scope Types

IPv6 address scope types: Unicast (one to one) Anycast (one to nearest) Multicast (one to many) Broadcast addresses not available

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-24

www.CareerCert.info

IPv6 Address Types: Link-Local and Site-Local

Link-Local Address

Site-Local Address

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-25

www.CareerCert.info

IPv6 Address Types: Global Aggregatable

Global Aggregatable Address

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-26

www.CareerCert.info

IPv6 Routing Protocol Considerations

Interior Gateway Protocols (IGPs) for inside autonomous systems: RIPng EIGRP IPv6 OSPFv3 Integrated IS-IS Exterior gateway protocols (EGPs) for peering between autonomous systems: BGP+
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.05-27

www.CareerCert.info

IPv6 Address Assignment Strategies

Static:
Same as IPv4

Dynamic:
Link-local Stateless Stateful using DHCPv6

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-28

www.CareerCert.info

IPv6 Name Resolution

Static: Same as IPv4 Dynamic (autoconfiguration): DNS server with IPv6 stack support

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-29

www.CareerCert.info

IPv4- and IPv6-Aware Applications and Name Resolution

In a dual-stack case, an application is IPv4- and IPv6-enabled. The application decides which stack to use and asks DNS for the address.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-30

www.CareerCert.info

IPv4-to-IPv6 Transition Strategies

Three major transition strategies are available:
Dual stack (IPv4 and IPv6 coexist in the same device and networks) Tunneling (IPv6 packets are encapsulated into IPv4 packets) Translation (IPv6-only devices can talk to IPv4 devices)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-31

www.CareerCert.info

Dual-Stack Mechanism
Both IPv4 and IPv6 stacks are enabled. Applications can talk to both stacks. IP version choice is based on name lookup and application preference. Popular operating systems support IPv6.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-32

www.CareerCert.info

Tunneling Mechanism

Encapsulates the IPv6 packet in the IPv4 packet. Techniques:

Manually configured Semiautomated Automatic
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.05-33

www.CareerCert.info

Translation Mechanism

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-34

www.CareerCert.info

Summary
Key components of an IPv4 addressing scheme include IP address structure, address classes, subnetting, and masking. Well-designed hierarchical IP addressing enables efficient aggregation of routing advertisements, which consumes less bandwidth and router CPU. Dynamic IP address assignment is a recommended practice in the enterprise. Dynamic name resolution with a DNS server is a recommended practice in the enterprise. IPv6 was designed as a successor to IPv4 to overcome IPv4 limitations. The IPv6 address structure and address types support a much larger address space than IPv4. IPv6 supports two address types: link-local and global aggregatable.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-35

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-36

www.CareerCert.info

Reviewing Enterprise Routing Protocols

Designing IP Addressing and Selecting Routing Protocols

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-1

www.CareerCert.info

Distance Vector and Link-State Comparison

Distance vector protocol characteristics:
Slow convergence Easy implementation and maintenance Limited scalability

Link-state protocol characteristics:

Fast convergence Good scalability Less routing traffic overhead More knowledge needed for implementation and maintenance

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-2

www.CareerCert.info

Example: Distance Vector Routing

Routing updates are periodic:

Include whole routing tables Use gratuitous updates (except RIPv2)
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.05-3

www.CareerCert.info

Example: Link-State Routing

Triggered updates:
Include data on link states of changing links Use multicast propagation
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.05-4

www.CareerCert.info

Interior vs. Exterior Routing Protocols

Interior Gateway Protocols (IGPs):
Routing inside autonomous systems Fast convergence and easy configuration Low administrator influence on routing decisions

Exterior gateway protocols (EGPs):

Routing between autonomous systems Slow convergence and more complex configuration High administrator influence on routing decisions

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-5

www.CareerCert.info

Example: Interior vs. Exterior Routing Protocols

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-6

www.CareerCert.info

Hierarchical vs. Flat Routing Protocols

Flat routing protocols propagate all routing information throughout the network: Classful routing protocols Not appropriate for large networks RIPv1, IGRP, RIPv2 (classless) Hierarchical routing protocols divide large networks into smaller areas: Classless routing protocols Limited route propagation between areas EIGRP, OSPF, IS-IS

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-7

www.CareerCert.info

Example: Flat and Hierarchical Networks

Comparing flat and hierarchical networks:

Hierarchical structure means less routing traffic overhead. Summarization is the key.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.05-8

www.CareerCert.info

Routing Protocol Convergence

A converged network is a stable network with all needed routing information. Network convergence takes place: Initially on network startup On topological changes Enterprise routing protocols should have short convergence times.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-9

www.CareerCert.info

Routing Protocol Convergence Comparison

Protocol RIP EIGRP OSPF

Convergence Time to Router E Holddown + 1 or 2 update intervals Matter of seconds Matter of seconds

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-10

www.CareerCert.info

Enhanced IGRP (EIGRP)

Advanced distance vector protocol based on IGRP with some link-state protocol features Supports VLSM

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-11

www.CareerCert.info

EIGRP Characteristics
EIGRP Characteristics Fast convergence Improved scalability Use of VLSM Reduced bandwidth usage Multiple network layer protocol support Implemented By Diffusing Update Algorithm (DUAL) Manual summarization, fast convergence Subnet mask in updates No periodic updates IPv4, IPv6 (Protocol Dependent Modules for IPX, AppleTalk)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-12

www.CareerCert.info

Open Shortest Path First (OSPF)

Developed in 1988 by IETF, version 2 is described in RFC 2328. OSPF was devised for use in large, scalable networks where RIP failed: Improved speed of convergence Network reachability (no hop-count limitations) Support for VLSM Improved path calculation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-13

www.CareerCert.info

Example: OSPF Multiarea Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-14

www.CareerCert.info

OSPF Characteristics
OSPF Characteristics Fast convergence Very good scalability Use of VLSM Reduced bandwidth usage Implemented By Link-state updates (triggered), SPF calculation Multiple-area design Subnet mask in updates No periodic updates

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-15

www.CareerCert.info

Integrated IS-IS
Link-state protocol Supports IPv4, IPv6, and OSI CLNP Support for VLSM Based on Level 2 backbone to which Level 1 areas are attached Typically deployed in service provider environments, with enterprise network administrators having limited knowledge of IS-IS

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-16

www.CareerCert.info

Border Gateway Protocol (BGP)

BGP is an exterior gateway protocol (EGP) used in Internet routing. BGP is a path vector protocol with enhancements: Suited for strategic routing policies used between autonomous systems Allows administrators to adjust parameters to influence routing

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-17

www.CareerCert.info

BGP Network Implementation

BGP is primarily used for inter-AS system routing.

www.CareerCert.info

Internal BGP
BGP can run between routers within one autonomous system. IBGP neighbors need not be directly connected (use static routes or an IGP to convey reachability information). Other IBGP uses: Intra-autonomous system policy implementations QoS Policy Propagation on BGP (QPPB) MPLS VPNs (using multiprotocol IBGP)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-19

www.CareerCert.info

Recommended Enterprise Routing Protocol Comparison

Enterprise Characteristics Fast convergence Very good scalability Use of VLSM Multiple network layer protocol support Mixed vendor devices EIGRP Yes Yes Yes Yes No OSPF Yes Yes Yes No Yes

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-20

www.CareerCert.info

Summary
Protocols with hierarchical and link-state attributes support the fastest network convergence. EIGRP and OSPF are the recommend IGPs for the enterprise. EIGRP is a Cisco proprietary protocol for routing IPv4, IPv6, IPX, and AppleTalk traffic. OSPF is a standardized protocol for routing IPv4, developed to replace RIP in larger, more diverse media networks. It also can support IPv6. BGP is a representative EGP. It is primarily used to interconnect autonomous systems or to connect enterprises to an ISP.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-21

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-22

www.CareerCert.info

Designing a Routing Protocol Deployment

Designing IP Addressing and Selecting Routing Protocols

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-1

www.CareerCert.info

Routing Protocols in the Enterprise Architecture

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-2

www.CareerCert.info

Route Redistribution

Redistribution on routing protocols and domain boundaries occurs on the router.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-3

www.CareerCert.info

Route Redistribution Direction

Redistribution of routing protocols (boundary router) One-way redistribution in one direction (for example, from enterprise edge to campus core) Two-way redistribution in both directions

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-4

www.CareerCert.info

Route Redistribution in the Enterprise Network

Redistribution: From selected building access protocols Between campus core and WAN routers From static routes to enterprise IGP Static routes or BGP routes into enterprise IGP

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-5

www.CareerCert.info

Route Filtering
Filtering upon redistribution: Avoids routing loops Avoids suboptimal routing Prevents certain routes from entering routing domain

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-6

www.CareerCert.info

Route Summarization

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-7

www.CareerCert.info

Route Summarization

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-8

www.CareerCert.info

Recommended Practice: Summarize at the Distribution Layer

It is important to force summarization at the distribution layer toward the core. After link failure, for return path traffic, an OSPF or EIGRP reroute is required.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-9

www.CareerCert.info

Recommended Practice: Summarize at the Distribution Layer

It is important to force summarization at the distribution layer toward the core. After link failure, for return path traffic, an OSPF or EIGRP reroute is required. Summaries limit the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-10

www.CareerCert.info

Recommended Practice: Summarize at the Distribution Layer

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-11

www.CareerCert.info

Recommended Practice: Passive Interfaces for IGP at Access Layer

Limit unnecessary peering Without passive interface: With four VLANs per wiring closet 12 adjacencies total Memory and CPU requirements increased with no real benefit Creates overhead for IGP
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.05-12

www.CareerCert.info

Summary
Large networks may implement multiple protocols for different modules of the Cisco Enterprise Architecture. Advanced routing features such as redistribution, filtering, and summarization allow multiple routing protocols to coexist and provide greater scalability. Redistribution between different routing protocols passes routing knowledge from one protocol to another. Route filtering prevents advertisement of certain routes through the routing domain. Route summarization and an IP hierarchy reduce routing traffic and unnecessary route recomputation.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-13

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-14

www.CareerCert.info

IP Addressing and Routing Review

Define the IP addressing requirements. Develop a hierarchical IP addressing plan: Use private addresses inside organization. Use public addresses facing the Internet. Use NAT or PAT for translation as needed. Develop a plan for deploying DHCP and DNS. Use EIGRP or OSPF, based on organizational requirements. Implement recommended practices, including redistribution, filtering, and summarization.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-78

www.CareerCert.info

Module Summary
IP address structure and IP address types have a large impact on the address plan for both IPv4 and IPv6. EIGRP and OSPF are the recommended IGPs for the enterprise. Advanced routing features such as redistribution, filtering, and summarization support scalability and multiple routing protocols.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-79

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.05-80

www.CareerCert.info

Evaluating Security Solutions for the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-1

www.CareerCert.info

Defining Network Security

Evaluating Security Solutions for the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-1

www.CareerCert.info

Reasons for Network Security

Defend against attacks Prevent unauthorized access Prevent data misuse and theft Comply with security legislation Comply with industry standards Comply with company policy

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-2

www.CareerCert.info

Example: Legislation and Directives

Legislation and industry directives that may affect organizational security include:
GLBAThe Gramm-Leach-Bliley Act HIPAAHealth Insurance Portability and Accountability Act EU data protection Directive 95/46/EC SOXSarbanesOxley Act PCI DSSPayment Card Industry Data Security Standard

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-3

www.CareerCert.info

Threats and Risks

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-4

www.CareerCert.info

Reconnaissance and Vulnerability Scanning

Determine active targets Determine running network services Determine operating system platform Find trust relationships Check for proper file permissions Identify user account information Port-scanning tools include:
Nmap NetStumbler SuperScan Kismet

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-5

www.CareerCert.info

Example: NMAP Screen

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-6

www.CareerCert.info

Vulnerability Assessment
Active (sending packets) or passive (sniffer) Published vulnerability information
CERT/CC MITRE Microsoft Cisco security notices

Reconnaissance tools
Nessus MBSA SAINT

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-7

www.CareerCert.info

Gaining System Access

Using knowledge of usernames and passwords Improper escalation of privilege Default administrative and service accounts Gaining access to other systems via trust relationships Using social engineering Physical access to information Psychological approach Cracking captured passwords

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-8

www.CareerCert.info

Integrity and Confidentiality Threats

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-9

www.CareerCert.info

Availability Threats (Denial of Service)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-10

www.CareerCert.info

Everything Is a Potential Target

Hosts are the preferred target for worms and viruses.
In the past year, large number of attacks targeted hosts. Compromised hosts are often used as attack launch points (botnets).

But there are other high-value alternative targets:

Infrastructure devices: routers, switches Support services: DHCP servers, DNS servers Endpoints: management stations, IP phones Infrastructure: network capacity Security devices: IDS and IPS
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-11

www.CareerCert.info

Network Security in the System Lifecycle

Business needs:
What does your organization want to do with the network?

Risk analysis:
What is the risk and cost balance?

Security policy:
What are the policies, standards, and guidelines to address business needs and risk?

Industry recommended practices:

What are the reliable, well-understood, and recommended security recommended practices?

Security operations:
What is the process for incident response, monitoring, maintenance, and compliance auditing of the system?

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-12

www.CareerCert.info

What Is a Security Policy?

A security policy is a formal statement of the rules by which people who are given access to an organizations technology and information assets must abide.
RFC 2196, Site Security Handbook

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-13

www.CareerCert.info

Why Is a Security Policy Needed?

Sets the framework for the security implementation
Defines organizational assets and the way to use them Defines and communicates roles Helps determine necessary tools and procedures Defines how to identify and handle security incidents

Creates a baseline of the current security posture

Defines allowed and not-allowed system behaviors Informs users of their responsibilities and ramifications of asset misuse Provides risk assessment and cost-benefit analysis

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-14

www.CareerCert.info

Network Security and Risks

Network security can reduce risks to acceptable levels:

Risk assessment defines threats and their probability and severity. A network security policy enumerates risks relevant to the network and describes how risks will be controlled or managed. A network security design implements the security policy.

Justify security costs by the potential cost and inconvenience of incidents.

www.CareerCert.info

Risk Index Calculation

Risk Probability (P) (13) Severity (S) (13) Control (C) (13) Risk Index (P * S) / C (9)

1. 2. 3. 4.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-16

www.CareerCert.info

Example: Risk Index Calculation

Risk Probability (P) (13) 1 2 Severity (S) (13) 3 2 Control (C) (13) 2 1 Risk Index (P * S) / C (9) 1.5 4

1. Breach of confidentiality of customer database 2. DDoS attack sustained for more than 1 hour against e-commerce server

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-17

www.CareerCert.info

Components of a Security Policy

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-18

www.CareerCert.info

Network Security Is a Continuous Process

Secure
Identity and authentication Filtering and stateful inspection Encryption and VPNs

Monitor
Intrusion detection and response Content-based detection and response

Test
Security posture assessment Vulnerability scanning Patch verification and application auditing

Improve
Event and data analysis and reporting Network security intelligence

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-19

www.CareerCert.info

Integrate Security Design and Network Design

Security services can reside inside network infrastructure. Security design coupled with network design is far more manageable. Recommended practice: Integrate security and network design. Integrated security and network design requires coordination.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-20

www.CareerCert.info

Summary
Security services must provide adequate protection to conduct business in a relatively open environment. There are many types security threats and associated risks. Each device on the network, such as a host, router, or switch, is a potential security target. Network security is part of the system life cycle. Network security is a continuous process built around a security policy. Security design and network design should be integrated.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-21

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-22

www.CareerCert.info

Understanding the Cisco Self-Defending Network

Evaluating Security Solutions for the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-1

www.CareerCert.info

Cisco Self-Defending Network

Efficient security management, control, and response

Advanced technologies and security services to: Protect critical assets Mitigate the effects of outbreaks Ensure privacy

Network as Platform
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-2

www.CareerCert.info

Network as Platform for Security

Cisco Integrated Services Routers Cisco Adaptive Security Appliances Integrate Cisco IOS Firewall, VPN, and intrusion prevention system (IPS) High-performance firewall, services across the Cisco router IPS, network antivirus, and portfolio IPsec/SSL VPN technologies Deploy new security features on all in one unified architecture existing routers using Cisco IOS Device consolidation to Software reduce overall deployment Cisco NAC-enabled and operations costs and Cisco Catalyst Switches complexities Denial-of-service (DoS) Cisco NAC-enabled attack mitigation Integrated security service modules for high-performance threat protection and secure connectivity Man-in-the-middle attack mitigation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-3

www.CareerCert.info

Self-Defending Network Phases

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-4

www.CareerCert.info

Trust and Identity Management

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-5

www.CareerCert.info

Trust Is the Root of Security

Trust is a relationship in which two (or more) network entities are allowed to communicate. Trust forms the root of all security policy decisions. Trust and risk are opposites; security is based on enforcing limitations to trust relationships. Trust relationships: Can be explicit or implied Can be inherited Can be abused

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-6

www.CareerCert.info

Domains of Trust

Question: From a security design perspective, what is the key difference between Case 1 and Case 2?

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-7

www.CareerCert.info

Domains of Trust

Question: From a security design perspective, what is the key difference between Case 1 and Case 2? Answer: Case 2 is more segmented into domains of trust.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-8

www.CareerCert.info

Example: Domains of Trust

Domains Private to Public

Gradient Extreme (high risk) Minor (low risk) Steep (considerable risk)

Safeguards Needed Advanced firewalling, flow-based inspection, misuse detection (IPS), constant monitoring Basic access control, casual monitoring Communication security, authentication, confidentiality, integrity concerns

Production to Lab Headquarters to Branch

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-9

www.CareerCert.info

Identity
Identity is the who of a trust relationship. The identity of a network entity is verified by credentials.
Both people and devices can be authenticated. Three authentication attributes: Something you know Something you have Something you are Common approaches to identity: Passwords Tokens Certificates

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-10

www.CareerCert.info

Passwords
Correlates an authorized user with network resources

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-11

www.CareerCert.info

Tokens
Strong (two-factor) authentication based on something you know and something you have

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-12

www.CareerCert.info

Access Control in Networks

Confidentiality and integrity are traditionally supported through access control. Access control enforces rules about which entities can access which resources. Network access control is based on: Authentication, which establishes the identity of the subject Authorization, which defines what a subject can do in a network Audit trails and real-time monitoring provide accounting and security auditing information.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-13

www.CareerCert.info

Example: Trust and Identity Management Technologies

Access control lists (ACLs) Firewalls Stateful inspection Application inspection Network Admission Control (NAC) NAC Framework Cisco NAC Appliance IEEE 802.1X Cisco IBNS

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-14

www.CareerCert.info

Firewall Filtering Using ACLs

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-15

www.CareerCert.info

NAC Framework and Appliance

Two approaches for Network Admission Control (NAC)
NAC Framework
Sold through NACenabled products Integrated solution leveraging Cisco network and vendor products

Cisco NAC Appliance

Sold as virtual or integrated appliance Self-contained product integrates but does not rely on partners

NAC Infrastructure
Offers customers a deployment time-frame choice Adapts to investment protection requirements of customer

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-16

www.CareerCert.info

802.1X Protocol

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-17

www.CareerCert.info

Identity and Access Control Deployment Locations

Authenticate at edge. Deploy ACLs based on policy. Practice defense in depth.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-18

www.CareerCert.info

Threat Defense
Enhances security in the existing network infrastructure Protects businesses from operation disruption, lost revenue, and loss of reputation. Adds comprehensive security on network endpoints Cisco Security Agent provides endpoint protection. Adds dedicated security technologies to networking devices and appliances Security technologies are implemented throughout the network.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-19

www.CareerCert.info

Physical Security

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-20

www.CareerCert.info

Physical Security Guidelines

Deploy adequate physical access control. Evaluate whether physical access can compromise other security features. Identify additional security issues resulting from device theft. Protect communications over infrastructure out of your control using cryptography.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-21

www.CareerCert.info

Infrastructure Protection
The measures taken to preserve the integrity and availability of the network infrastructure as a transport and service entity Goals: That the network devices are not accessed or altered in an unauthorized manner That the end-to-end network transport and any integrated services remain available Policy enforcement technologies can help preserve, directly, the integrity and availability of the network.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-22

www.CareerCert.info

Infrastructure Protection Deployment Locations

Deploy on all network infrastructure devices Different mechanisms are used on different platforms, but typically there are equivalent functions available. More advanced mechanisms are available mainly on higher-end platforms. Implement throughout the network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-23

www.CareerCert.info

Recommended Practices for Infrastructure Protection

Use SSH to access devices. Enable AAA and role-based access control for access to all network devices. Collect and archive syslog information. Use SNMPv3. Disable unused services. Use SFTP (SSH FTP) or SCP and avoid FTP and TFTP. Install vty access lists to limit access to management and CLI services. Enable control plane protocol authentication. Consider one-step lockdown in SDM for basic router security.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-24

www.CareerCert.info

Threat Detection and Mitigation

Provide early detection and notification of unpredicted malicious traffic or behavior. Goals: To detect, notify of, and help stop an event or traffic that is unauthorized and unpredicted To help preserve the availability of the network, particularly against unknown or unforeseen attacks Technologies include: Endpoint protection Infection containment Intrusion and anomaly detection Application security and anti-X defense
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-25

www.CareerCert.info

Example: Threat Detection and Mitigation Technologies

Network-based intrusion prevention systems (NIPS) Adaptive security appliance (ASA) IPS sensor applicance Cisco IOS IPS Host-based intrusion prevention systems (HIPS) Cisco Security Agent NetFlow Syslog Event correlation systems Cisco Security Monitoring, Analysis, and Response System (MARS) Cisco Traffic Anomaly Detector Module
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-26

www.CareerCert.info

Threat Detection and Mitigation Solutions Deployment Locations

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-27

www.CareerCert.info

Secure Connectivity

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-28

www.CareerCert.info

Encryption Fundamentals
A method of protecting the confidentiality of data Uses keys to encrypt the data and decrypt it at a later time

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-29

www.CareerCert.info

Encryption Keys
Shared secrets:
Secret key is carried out of band to the remote side. Easiest mechanism, but it has inherent security concerns.

Public key infrastructure (PKI):

Uses asymmetric cryptography in which the encryption key is different from the decryption key Lets you publish the encryption key, while keeping the decryption key secret Widely used in e-commerce sites around the world

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-30

www.CareerCert.info

VPN Protocols
IPsec (IP security)
Built directly on the IP layer (Protocol 50) Uses IKE and ESP Requires IPsec software on endpoints

SSL (Secure Socket Layer)

Built on top of the TCP layer (port 443) Provides confidentiality for web traffic (HTTPS) All major browsers can use SSL

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-31

www.CareerCert.info

Transmission Confidentiality

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-32

www.CareerCert.info

Transmission Confidentiality Guidelines

Evaluate the location for transmission confidentiality needs. Use the strongest available cryptography, performance permitting. Use well-known and established cryptographic algorithms. Do not focus on confidentiality alone; integrity and authenticity are also important.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-33

www.CareerCert.info

Data Integrity

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-34

www.CareerCert.info

Data Integrity Guidelines

Evaluate the need for transmission integrity. Use the strongest available cryptography, performance permitting. Use well-known and established cryptographic algorithms.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-35

www.CareerCert.info

Security Management Overview

Security management does the following: Collects, analyzes, and presents data Provisions policies on security devices Maintains consistency and change control of policies Provides role-based access control and accounts for all user activity Security implementation is only as good as policies used. Biggest risk to security in a properly planned architecture is policy error.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-36

www.CareerCert.info

Security Management Solutions

Cisco Router and Security Device Manager (SDM) Cisco Adaptive Security Device Manager (ASDM) Cisco Intrusion Prevention System Device Manager (IDM) Management Center for Cisco Security Agents Cisco Secure Access Control Server (ACS) Cisco Security Manager Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-37

www.CareerCert.info

Summary
The Cisco Self-Defending Network integrates security into the network to provide the network the ability to identify, prevent, and adapt to threats. Trust and identity management provide secure network access and admission at any point in the network and isolate and control infected or unpatched devices that attempt to access the network. Threat defense provides a strong defense against known and unknown attacks using security integrated in routers, switches, and appliances. Secure connectivity uses encryption and authentication to provide secure transport across untrusted networks. Security management is a framework for scalable policy administration and enforcement.

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-38

www.CareerCert.info

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-39

www.CareerCert.info

Selecting Network Security Solutions

Evaluating Security Solutions for the Network

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-1

www.CareerCert.info

Network Devices Supporting Integrated Security

Cisoc IOS router security PIX security appliance Adaptive security appliance (ASA) VPN concentrator Intrusion prevention system Catalyst service modules Endpoint security

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-2

www.CareerCert.info

Integrated Security for Cisco IOS Routers

Cisco IOS Firewall Stateful multiservice application-based filtering Cisco IOS IPS In-line deep-packet inspection Cisco IOS IPsec Data encryption at the IP packet level Cisco IOS trust and identity AAA PKI SSH SSL

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-3

www.CareerCert.info

Example: Security Hardware Options for ISRs

Built-in VPN acceleration Voice security options High-performance AIM Cisco IDS Network Module Cisco Content Engine Module Cisco Network Analysis Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-4

www.CareerCert.info

Security Appliances
VPN concentrator IPsec and SSL VPN support PIX security appliance Rich application and protocol inspection Integrated site-to-site and remote access VPNs ASA, a multifunction security appliance Stateful firewall of PIX appliance, plus Adaptive threat defense capabilities Application security Anti-X defenses IPS Advanced integration modules
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-5

www.CareerCert.info

Intrusion Prevention Systems

In line (IPS) or passive (IDS) Multivector threat identification Network speeds from multiple T1s to 1 Gbps IPS 4215 sensor protects up to 65 Mbps of traffic IPS 4240 sensor protects up to 250 Mbps of traffic IPS 4255 sensor protects up to 500 Mbps of traffic IPS 4260 sensor protects up to 1 Gbps of traffic

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-6

www.CareerCert.info

Cisco Catalyst Service Modules

Cisco Firewall Services Module Cisco Intrusion Detection System Services Module Cisco SSL Services Module Cisco IPSec VPN SPA Cisco Traffic Anomaly Detector Module Cisco Anomaly Guard Module Cisco Network Analysis Module

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-7

www.CareerCert.info

Cisco Security Agent

Spyware and adware protection Protection against buffer overflows Distributed firewall capabilities Malicious mobile code protection Operating-system integrity assurance Application inventory Audit log consolidation

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-8

www.CareerCert.info

Securing the Enterprise Network

Embed Self-Defending Network features throughout the network in: The enterprise campus The enterprise data center The enterprise edge Use Self-Defending Network technologies, including: Identity and access control Threat defense Infrastructure protection Security management

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-9

www.CareerCert.info

Deploying Security in the Enterprise CampusIdentity and Access Control

802.1X or NAC NAC appliance ACLs Firewall Stateful inspection Application inspection

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-10

www.CareerCert.info

Deploying Security in the Enterprise CampusThreat Detection and Mitigation

NetFlow Syslog SNMP Host IPS (Cisco Security Agent) Network IPS Cisco Security MARS, Cisco Security Manager

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-11

www.CareerCert.info

Deploying Security in the Enterprise Campus Infrastructure Protection

AAA SSH SNMPv3 IGP or EGP Message Digest 5 Layer 2 security features

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-12

www.CareerCert.info

Deploying Security in the Enterprise CampusSummary

Identity and access control:
802.1x, NAC, ACLs, firewalls

Threat detection and mitigation:

NetFlow, syslog, SNMP, Cisco Security-MARS, Network IPS, Host IPS

Infrastructure protection:
AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features

Security management
Cisco Security Manager, Cisco Security MARS
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-13

www.CareerCert.info

Deploying Security in the Enterprise Data Center Identity and Access Control
802.1X ACLs Firewalls

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-14

www.CareerCert.info

Deploying Security in the Enterprise Data CenterThreat Detection and Mitigation

NetFlow Syslog SNMP Host IPS (Cisco Security Agent) Network IPS Cisco Security MARS, Cisco Security Manager

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-15

www.CareerCert.info

Deploying Security in the Enterprise Data CenterInfrastructure Protection

AAA SNMPv3 SSH IGP or EGP MD5 Layer 2 security features

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-16

www.CareerCert.info

Deploying Security in the Enterprise Data CenterSummary

Identity and access control:
802.1X, ACLs, firewalls

Threat detection and mitigation:

NetFlow, syslog, SNMP, Cisco SecurityMARS, Network IPS, Host IPS

Infrastructure protection:
AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features

Security management
Cisco Security Manager, Cisco Security MARS
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-17

www.CareerCert.info

Deploying Security in the Enterprise EdgeIdentity and Access Control

ACLs Firewall IPSec or SSL VPN NAC appliance

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.06-18

www.CareerCert.info

Deploying Security in the Enterprise EdgeThreat Detection and Mitigation

NetFlow Syslog SNMP IPS (host or network) Cisco Security MARS, Cisco Security Manager

DESGN v2.06-19

www.CareerCert.info

Deploying Security in the Enterprise EdgeInfrastructure Protection

SNMPv3 AAA SSH IGP or EGP MD5

DESGN v2.06-20

www.CareerCert.info

Deploying Security in the Enterprise Edge Summary

Identity and access control:
Firewalls, IPSec, SSL VPN, ACLs

Threat detection and mitigation:

NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS

Infrastructure protection:
AAA, CoPP, SSH, RFC 2827, SNMPv3, IGP/EGP MD5

www.CareerCert.info

Summary
Cisco has integrated security features into the network devices, including ACLs, firewall support, VPNs, IPS, and event logging. The Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.

DESGN v2.06-22

www.CareerCert.info

DESGN v2.06-23

www.CareerCert.info

Security Design Review

Define the security requirements. Define the security policy. Integrate security in the network design: Implement trust and identity management to secure network access and admission. Deploy threat defense to provide a defense against known and unknown attacks. Use secure connectivity for encryption and authentication on untrusted networks. Deploy security management to scale policy administration and enforcement. Select locations to deploy appropriate Cisco Self-Defending Network elements and Cisco network devices.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.06-1

www.CareerCert.info

Module Summary
Network security is a continuous process built around a security policy and integrated with network design. The Cisco Self-Defending Network is based on a secure network platform and uses trust and identity management, threat defense, and secure connectivity to integrate security into the network. Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.

DESGN v2.06-2

www.CareerCert.info

DESGN v2.06-3

www.CareerCert.info

Identifying Voice Networking Considerations

Designing for Cisco Internetwork Solutions (DESGN) v2.0

DESGN v2.07-1

www.CareerCert.info

Reviewing Traditional Voice Architectures and Features

Identifying Voice Networking Considerations

DESGN v2.07-4

www.CareerCert.info

Analog-to-Digital Conversion

Steps for converting analog signal to digital format:

www.CareerCert.info

PBXs and Switches

PBX:
Used in private sector Scales to n * 1000 phones Mostly digital Uses 64-kbps circuits Uses proprietary protocols to control phones Interconnects remote branch subsystems and telephones

PSTN switch:
Used in public sector Scales to n * 100,000 phones Mostly digital Uses 64-kbps circuits Uses open-standard protocols between switches and phones Interconnects with other PSTN switches, PBXs, and telephones

DESGN v2.07-6

www.CareerCert.info

Example: PBXs and PSTN Switches

DESGN v2.07-7

www.CareerCert.info

PBX Features

PBX features:
Call holding Transferring Forwarding Parking Conferencing Music on hold Call history Voice mail

PBX can connect to PSTN through T1 or E1

www.CareerCert.info

PSTN Switch

DESGN v2.07-9

www.CareerCert.info

Local Loops, Trunks, and Interoffice Communications

DESGN v2.07-10

www.CareerCert.info

Foreign Exchange Trunks

Foreign Exchange Office (FXO):
Emulates a phone Connects to a station port of a PBX or to the PSTN switch

Foreign Exchange Station (FXS):

Emulates a PBX Provides connections for standard phones and fax machines

DESGN v2.07-11

www.CareerCert.info

Basic Telephony Signaling

Local-loop signaling:
Telephone to switch

Trunk signaling:
Switch to switch PBX to switch PBX to PBX

Basic categories:
Supervision signaling Address signaling Informational signaling

DESGN v2.07-12

www.CareerCert.info

Analog Signaling on a PBX

Local-loop signaling:
Loop start: The simplest For subscriber loops Occurrences of glare Ground start: Modification of loop start More intelligent For PBX loops Minimizes glare

Trunk signaling:
E&M (recEive and transMit): Between PBXs Five types of signaling Separate paths for voice and signaling

DESGN v2.07-13

www.CareerCert.info

CAS and CCS Signaling

Channel associated signaling:
Signal for call setup in the same channel as a voice call Examples: T1 or E1 signaling DTMF

Common channel signaling:

Messages for call setup Examples: ISDN DPNSS QSIG SS7

DESGN v2.07-14

www.CareerCert.info

ISDN Digital Signaling

Channel B D Capacity 64 kbps 16/64 kbps Mostly Used For Circuit-switched data Signaling information

DESGN v2.07-15

www.CareerCert.info

Q Signaling
Standards-based protocol for inter-PBX communications Enables interconnection of multivendor equipment Enables basic services and feature transparency between PBXs Is interoperable with public and private ISDNs Does not impose any restrictions on private numbering plans

DESGN v2.07-16

www.CareerCert.info

SS7 Signaling

Used between PSTN switches Signaling implemented on a separate data network Trunk channels used solely for voice transmission Replaces per-trunk in-band signaling

DESGN v2.07-17

www.CareerCert.info

PSTN Numbering Plans

Set of rules for routing voice calls through the PSTN Based on the ITU-T recommendation E.164 Example: North American Numbering Plan (NANP)

DESGN v2.07-18

www.CareerCert.info

Example Country Codes

Country Zone Code 1 1242 1787 1876 20 212 213 30 34 386 44 45 1 1 1 1 2 2 2 3 3 3 4 4 Country Canada, United States Bahamas Puerto Rico Jamaica Egypt Morocco Nigeria Greece Spain Slovenia United Kingdom Denmark Country Zone Code 51 52 61 63 679 7 81 86 886 91 966 995 5 5 6 6 6 7 8 8 8 9 9 9 Country Peru Mexico Australia Philippines Fiji Islands Kazakhstan, Russia Japan China Taiwan India Saudia Arabia Georgia

DESGN v2.07-19

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-20

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-21

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-22

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-23

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-24

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-25

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-26

www.CareerCert.info

Example: Routing Calls Based on a Numbering Plan

DESGN v2.07-27

www.CareerCert.info

Portion of UK National Numbering Plan

Number Range (01xxx) xxx xxx (01xxx) xxx xxx (01x1) xxx xxxxx (011x) xxx xxxxx (02x) xxxx xxxx (01xxx[x]) xxxx[x] (05x) xxxx xxxx (07xxx) xxxxxx (0800) xxx xxx (0800) xxx xxxx (0808) xxx xxxx 999 112 Description Trunk prefix (national long-distance calling prefix)

Geographic numbering optionsarea code and subscriber number

Mobile phones, pagers, and personal numbering Reserved for corporate numbering. Freephone (except for mobile phone)

Free emergency number

DESGN v2.07-28

www.CareerCert.info

Summary
A telephone system transports analog speech over a digital network. PBXs and public telephone switches share many similarities, but they also have differences. The telephone infrastructure includes local loops and trunks. In a telephony system, a signaling mechanism is required to establish and disconnect telephone communications. Each telephone must have a unique address based on the E.164 standard.

DESGN v2.07-29

www.CareerCert.info

DESGN v2.07-30

www.CareerCert.info

Identifying Design Considerations for Voice Services

Identifying Voice Networking Considerations

DESGN v2.07-1

www.CareerCert.info

Separate Voice and Data Networks

Companies want to reduce WAN costs by integration. Data is primary traffic on many voice networks. PSTN architecture is not flexible enough. PSTN can not integrate voice, data, and video.

DESGN v2.07-2

www.CareerCert.info

Example: Voice over IP

DESGN v2.07-3

www.CareerCert.info

Example: IP Telephony

DESGN v2.07-4

www.CareerCert.info

Introducing H.323
ITU-T standard Describes packet-based video, audio, and data communication across packet-based networks Provides session setup, monitoring, and termination Refers to a set of other standards: H.225 (Q.931): Call signaling H.245: Capability negotiation and media stream management

DESGN v2.07-5

www.CareerCert.info

H.323 Components

DESGN v2.07-6

www.CareerCert.info

Example: H.323 Components and Their Interactions

DESGN v2.07-7

www.CareerCert.info

The Importance of a Gatekeeper

DESGN v2.07-8

www.CareerCert.info

IP Telephony Components

DESGN v2.07-9

www.CareerCert.info

Design Goals of IP Telephony

To use end-to-end IP telephony between sites with IP connectivity To make IP telephony widely usable To lower long-distance costs To make IP telephony cost-effective To provide high availability of IP telephony To offer lower total cost of ownership and greater flexibility To enable new applications on top of IP telephony via third-party software To improve remote worker, agent, and work-at-home staff productivity To facilitate data and telephony network consolidation

DESGN v2.07-10

www.CareerCert.info

Single-Site IP Telephony Design

DESGN v2.07-11

www.CareerCert.info

Multisite WAN with Centralized Call Processing Design

DESGN v2.07-12

www.CareerCert.info

Multisite WAN with Distributed Call Processing Design

DESGN v2.07-13

www.CareerCert.info

Call Control and Transport Protocols

Voice call control functions: Q.931 call setup signaling H.245 call capability control RAS signaling RTP Control Protocol (RTCP) Voice conversation: Real-Time Transport Protocol (RTP)

DESGN v2.07-14

www.CareerCert.info

SCCP Control
SCCP is a client-server protocol. SCCP clients register with Cisco Unified CallManager to receive their configuration information. Media connections between SCCP clients use RTP.

DESGN v2.07-15

www.CareerCert.info

SIP Control
SIP is a peer-to-peer protocol. SIP user agents communicate with SIP proxy server. SIP phones can register with Cisco Unified CallManager.

DESGN v2.07-16

www.CareerCert.info

MGCP Control
MGCP is a client-server protocol. MGCP gateway translates between endpoints and IP phones. Call agents control MGCP endpoints.

DESGN v2.07-17

www.CareerCert.info

Summary
Business needs are driving the need for unified voice and data networks not on the PSTN. The H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet. IP telephony refers to communication services and voice, facsimile, and voice-messaging applications that are transported via the IP network rather than the PSTN. Voice communication over IP relies on control protocols such as H.323, SCCP, SIP, and MGCP.

DESGN v2.07-18

www.CareerCert.info

DESGN v2.07-19

www.CareerCert.info

Identifying the Requirements of Voice Technologies

Identifying Voice Networking Considerations

DESGN v2.07-1

www.CareerCert.info

Voice Quality Considerations

Examine the possible causes of packet loss and delay in the initial design. Use QoS mechanisms as a groundwork for a high-quality voice network.

DESGN v2.07-2

www.CareerCert.info

Fixed Network Delay Considerations

Sources of delay:
Propagation delay: 6 ms per km Serialization delay: frame length / bit rate Processing delay: depends on codec Coding and compression Packetization

Solutions:
None Faster link, smaller packets Hardware DSPs, coding algorithm

DESGN v2.07-3

www.CareerCert.info

Variable Network Delay Considerations

Sources of delay:
Queuing delay (variable packet sizes and number of packets) Dejitter buffers

Solutions:
Link fragmentation and interleaving Constant delay, uncongested network

DESGN v2.07-4

www.CareerCert.info

Jitter
Variation in the delay of received packets Caused by network congestion, improper queuing, or configuration errors

DESGN v2.07-5

www.CareerCert.info

Packet Loss
Causes voice clipping Caused by: Congested links Improper network QoS configuration Bad packet buffer management on the routers Routing problems Up to 30 ms of lost voice correctable by DSP using interpolation Packet losses up to one packet correctable with no voice quality degradation

DESGN v2.07-6

www.CareerCert.info

Problem of Echo

DESGN v2.07-7

www.CareerCert.info

Echo Cancellers Reduce the Level of Echo

DESGN v2.07-8

www.CareerCert.info

Voice Coding and Compression

The quality of transmitted speech is a subjective listener response. MOS is a common benchmark to define sound quality. MOS scales from 1 (bad) to 5 (excellent).
ITU Standard PCM ADPCM LD-CELP CS-ACELP ACELP/MPMLQ G.711 G.726/G.727 G.728 G.729 G.723.1 Data Rate* 64 kbps 16/24/32/40 kbps 16 kbps 8 kbps 6.3/5.3 kbps MOS Score 4.1 3.85 or less 3.61 3.92 3.9/3.65

*Note: Data rates shown are for digitized speech only and do not include overhead of RTP, UDP, IP, and Layer 2 headers.

DESGN v2.07-9

www.CareerCert.info

Example: Codec Complexity and Calls per DSP on the Cisco AS54-PVDM2-64 Module

Low Complexity (Maximum 64 Calls) G.711 a-law G.711 mu-law Fax passthrough Modem passthrough Clear-channel codec

Medium Complexity (Maximum 32 Calls) G.729a G.729ab G.726: 16K, 24K, and 32K T.38 fax relay Cisco Fax Relay

High Complexity (Maximum 24 Calls) G.723.1: 5.3K and 6.3K G.723.1A: 5.3K and 6.3K G.728 Modem relay AMR-NB: 75K, 5.15K, 5.9K, 6.7K, 7.4K, 7.95K, 10.2K, 12.2K, and silence insertion descriptor

DESGN v2.07-10

www.CareerCert.info

Bandwidth Availability
Goal: Reduce the amount of traffic per voice call Solutions: Use an effective voice coding and compression mechanism. Compress IP headers by using compressed Real-Time Transport Protocol. Suppress packets of silence by using voice activity detection.

DESGN v2.07-11

www.CareerCert.info

Calculating Voice Bandwidth

Voice packet size = (Layer 2 header) + (IP/UDP/RTP header) + voice payload Voice packets per second (pps) = (codec bit rate) / (voice payload size) Bandwidth = (voice packet size) * (pps) Example for G.729 call with 8-kbps codec bit rate with cRTP and 20 bytes voice payload: Voice packet size = 6 bytes + 2 bytes + 20 bytes = 28 bytes Voice packet size = 28 bytes * 8 bits/byte = 244 bits Voice pps = 8000 bits/sec / 160 bits/packet = 50 pps Bandwidth = 244 bits * 50 pps = 11.2 kbps

DESGN v2.07-12

www.CareerCert.info

Example: Voice Codec Bandwidth Calculator for G.729 Codec

DESGN v2.07-13

www.CareerCert.info

Voice Bandwidth and Codec Standards

Compression Payload Size Bandwidth Bandwidth with cRTP No. of Calls on a 512-kbps Link (without cRTP/ with cRTP) 6/7 8/14 9/17 14/26 19/46 28/64 30/73

G.711 (64 kbps) G.726 (32 kbps) G.726 (24 kbps) G.728 (16 kbps) G.729 (8 kbps) G.723.1 (6.3 kbps) G.723.1 (5.3 kbps)

160 60 40 40 20 24 20

83 57 52 35 26 18 17

68 36 29 19 11 8 7

DESGN v2.07-14

www.CareerCert.info

Enterprise QoS Mechanisms for Voice

Traffic classification Queuing or scheduling Bandwidth provisioning and call admission control

DESGN v2.07-15

www.CareerCert.info

Access Layer QoS Mechanisms for Voice

802.1Q trunking and 802.1p Multiple egress queues Traffic classification and network trust boundary Layer 3 awareness and the ability to implement QoS access control lists

DESGN v2.07-16

www.CareerCert.info

Recommended Practice: Separate Voice and Data VLANs

Voice device protection from external networks QoS trust boundary extension to voice devices Protection from malicious network attacks Ease of management and configuration

DESGN v2.07-17

www.CareerCert.info

Example: QoS Networking Mechanisms

DESGN v2.07-18

www.CareerCert.info

Example: Low Latency Queuing

DESGN v2.07-19

www.CareerCert.info

QoS Consideration for Voice in the WAN

WAN QoS mechanisms:
Bandwidth provisioning Traffic classification Queuing and scheduling Traffic shaping Link efficiency techniques Call admission control

DESGN v2.07-20

www.CareerCert.info

Call Admission Control

Protects voice traffic from being negatively affected by other voice traffic Keeps excess voice traffic off the network Reroutes excess voice traffic in the following scenarios: Call rerouted via an alternate packet network path Call rerouted via the PSTN network path Call returned to the originating TDM switch with the reject cause code

DESGN v2.07-21

www.CareerCert.info

Example: Call Admission Control

VoIP Network Without CAC

VoIP Network with CAC

DESGN v2.07-22

www.CareerCert.info

Implementing CAC with RSVP

RSVP is an industry-standard signaling protocol that enables an application to reserve bandwidth dynamically. RSVP signaling messages are exchanged between the source and destination devices. RSVP process interacts with the QoS manager on router interfaces to "reserve" bandwidth resources. Calls are admitted or rejected based on the outcome of the RSVP reservations.

DESGN v2.07-23

www.CareerCert.info

Traffic Engineering Terms

Grade of service Erlang Centum call seconds Busy hour Busy hour traffic Blocking probability Call Detail Record

DESGN v2.07-24

www.CareerCert.info

Erlang Tables
Show erlangs of offered traffic, number of circuits, and grade of service Three common erlang tables: Erlang B assumes that calls receiving a busy signal are immediately cleared. Extended Erlang B assumes that a certain percentage of calls receiving a busy signal are redialed. Erlang C assumes that blocked calls are queued.

DESGN v2.07-25

www.CareerCert.info

Example: Erlang B Table

Number of erlangs decreases with the decreased blocking probability. Number of erlangs increases with the number of simultaneous connections.

Blocking Probability Number of Circuits 1 2 3 4 5 6 7 8 9 10 .003 .003 .081 .289 .602 .996 1.447 1.947 2.484 3.053 3.648 .005 .006 .106 .349 .702 1.132 1.822 2.158 2.730 3.333 3.961 .01 .011 .153 .456 .870 1.361 1.900 2.501 3.128 3.783 4.462 .02 .021 .224 .603 1.093 1.658 2.278 2.936 3.627 4.345 5.084 .03 0.31 0.282 0.716 1.259 1.876 2.543 3.250 3.987 4.748 5.530 .05 0.053 .382 .900 1.525 2.219 2.961 3.738 4.543 5.371 6.216

Busy hour traffic (BHT) in erlangs

www.CareerCert.info

Summary
Voice quality in an IP network is directly affected by delay, jitter, and packet loss. An echo is the audible leak of the voice of the caller into the receive (return) path. Voice communication over IP relies on voice that is coded and encapsulated into IP packets. A primary WAN issue when network designers are designing voice on IP networks is bandwidth availability. QoS mechanisms are important for networks that carry voice. Traffic engineering is a science of selecting the right number of lines and the proper types of service to accommodate users.

DESGN v2.07-27

www.CareerCert.info

DESGN v2.07-28

www.CareerCert.info

Integrating Voice in the Network Design

Define the requirements for voice services. Select an IP telephony design model based on the requirements. Implement voice support in the infrastructure: Select appropriate call control and transport protocols. Select appropriate coding and compression mechanisms. Provision needed bandwidth. Deploy VoIP components. Implement end-to-end QoS.

DESGN v2.07-1

www.CareerCert.info

Module Summary
New IP telephony solutions must integrate into existing environments and provide similar functionality. Business needs are driving the need for unified networks supporting unified communications networks. There are many issues that affect voice traffic, such as delay, jitter, packet loss, congestion, and slow-speed links. Compression techniques, LFI, and QoS mechanisms can alleviate many of these issues.

DESGN v2.07-2

www.CareerCert.info

DESGN v2.07-3

www.CareerCert.info

Identifying Wireless Networking Considerations

Designing for Cisco Internetwork Solutions (DESGN) v2.0

DESGN v2.08-1

www.CareerCert.info

Introducing the Cisco Unified Wireless Network

Identifying Wireless Networking Considerations

DESGN v2.08-1

www.CareerCert.info

Wireless LAN Background

WLANs provide network connectivity over radio waves. Wireless stations connect to wireless access points. Access points connect to the wired network. Access points were traditionally autonomous. Scaling the design and adding applications was challenging.

DESGN v2.08-2

www.CareerCert.info

Cisco Unified Wireless Network Elements

3d icon not available

Intelligent information network elements:

Mobility services Network management Network unification Access points Client devices

DESGN v2.08-3

www.CareerCert.info

Cisco Unified Wireless Network Split-MAC Operation

Access point MAC functions:

802.11: Beacons, probe response 802.11 control: Packet acknowledgment and transmission 802.11e: Frame queuing and packet prioritization 802.11i: MAC layer data encryption and decryption
2007 Cisco Systems, Inc. All rights reserved.

Controller MAC functions:

802.11 MAC management: Association requests and actions 802.11e Resource reservation 802.11i Authentication and key management
DESGN v2.08-4

www.CareerCert.info

LWAPP Fundamentals
LWAPP is an IETF draft specification. Access points communicate with a WLC using LWAPP: LWAPP control messages are exchanged between a WLC and access points. LWAPP data messages encapsulate data frames. LWAPP tunnel can be Layer 2 or Layer 3. One WLC can manage multiple access points. The WLC supplies configuration and firmware updates to access points.

DESGN v2.08-5

www.CareerCert.info

Example: Layer 2 LWAPP Architecture

Access points do not require IP addressing. Controllers need to be on every subnet on which access points reside. Layer 2 LWAPP was an early part of the architecture; many current products do not support this functionality.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-6

www.CareerCert.info

Example: Layer 3 LWAPP Architecture

Access points require IP addressing. Access points can communicate with a WLC across routed boundaries. Layer 3 LWAPP is more flexible than Layer 2 LWAPP; most current products support this LWAPP mode.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-7

www.CareerCert.info

Access Point Modes

Local mode is the default mode of operation. REAP mode enables a remote access point across a WAN link to communicate with the WLC. Rogue detector mode allows the access point to monitor rogue access points but cannot contain rogue access points. Monitor mode allows the access points to act as dedicated sensors for IDS and supports deauthentication capability. Sniffer mode functions as a network sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek. Bridge mode allows the Cisco Aironet 1030 (indoor) and 1500 (outdoor mesh) access points to support point-to-point and pointto-multipoint bridging.

DESGN v2.08-8

www.CareerCert.info

Wireless Infrastructure
Autonomous access point is an 802.1Q translational bridge. WLAN controller bridges client traffic centrally.

DESGN v2.08-9

www.CareerCert.info

Wireless Authentication

DESGN v2.08-10

www.CareerCert.info

Example: Supported EAP Types

EAP-Transport Layer Security (EAP-TLS)
Mutual client and server authentication using digital certificates

EAP-Protected EAP (EAP-PEAP)

Authentication of RADIUS server in TLS using digital certificate Authentication of client using EAP-GTC or EAP-MSCHAPv2

EAP Tunneled Transport Layer Security (EAP-TTLS)

Authentication of RADIUS server in TLS using server certificate Authentication of client using username and password

Cisco LEAP
Early EAP method supported in Cisco Compatible Extensions

Cisco EAP-FAST
Three-phase EAP method supported in Cisco Compatible Extensions

DESGN v2.08-11

www.CareerCert.info

Important WLAN Controller Components

Three important components to understand:
PortPhysical connection to a neighbor switch or router InterfaceLogical connection mapping to a VLAN on the wired network WLANLogical entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters

DESGN v2.08-12

www.CareerCert.info

Summary of WLC Interfaces

Management interfaceIs used for in-band management, connectivity to AAA and other enterprise services, and for Layer 2 access point auto discovery and association AP-manager interfaceIs the source IP address used for access point-to-controller communication and Layer 3 access point autodiscovery and association Dynamic interfaceIs designated for WLAN client data and analogous to a VLAN Virtual interfaceSupports DHCP relay, Layer 3 security authentication, and mobility management Service-port interfaceProvides out-of-band management of the controller

DESGN v2.08-13

www.CareerCert.info

Example: WLANs, Interfaces, and Ports

DESGN v2.08-14

www.CareerCert.info

Cisco Wireless LAN Controller Platforms

Platform Cisco 2000 Series Wireless LAN Controller Cisco Wireless LAN Controller Module for ISRs Cisco Catalyst 3750G Integrated Wireless LAN Controller Cisco 4400 Series Wireless LAN Controller Cisco Catalyst 6500 Series Wireless Services Module Number of Access Points Supported 6

Up to 50

Up to 100

Up to 300

Note: The number of access points supported may change as products are updated. Check www.cisco.com for the latest information.

DESGN v2.08-15

www.CareerCert.info

Access Point Scalability Considerations

4400x series controllers allow 48 access points per port in the absence of link aggregation. Two options for scaling are: Multiple AP manager interfaces (supported only on 4400x appliance controllers). Link aggregation (supported on 4400x appliances, Cisco WiSM, Cisco 3750G Integrated Wireless LAN Controller). With multiple AP manager interfaces, the LWAPP algorithm load-balance access points across the AP manager interfaces. With LAG, one AP manager interface load-balances traffic across an EtherChannel interface.

DESGN v2.08-16

www.CareerCert.info

Example: Multiple AP Manager Interfaces

Each AP manager interface is mapped to a physical port. Access point load is dynamically distributed. Redundancy advantage: Platform can be connected to multiple devices. Redundancy concern: Only 48 access-points are supported per port.

DESGN v2.08-17

www.CareerCert.info

Example: LAG with a Single AP Manager Interface

One LAG group per Cisco Wireless LAN Controller is supported. Packets are forwarded out the same port they arrived on. It is recommended that you use LAG if possible.

DESGN v2.08-18

www.CareerCert.info

Summary
The Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on Cisco Wireless LAN Controllers. Cisco Wireless LAN Controllers manage access points using LWAPP. The Cisco Unified Wireless Network is based on devices connecting to access points using RF signals, access points sending client traffic to controllers across an LWAPP tunnel, and Cisco Wireless LAN Controllers placing the traffic in the appropriate VLAN in the wired network. Cisco Wireless LAN Controllers components include ports (physical connections), interfaces (logical mappings to a VLAN), and WLANs (logical mappings of an SSID to an interface). Cisco Wireless LAN Controller platforms can support 6 to 300 access points.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-19

www.CareerCert.info

DESGN v2.08-20

www.CareerCert.info

Understanding Wireless Network Controller Technology

Identifying Wireless Networking Considerations

DESGN v2.08-1

www.CareerCert.info

LWAPP Discovery

1. The access point issues a DHCPDISCOVER to get an IP address. 2. If the access point supports Layer 2 LWAPP, attempt Layer 2 discovery. 3. Else, attempt Layer 3 LWAPP discovery. 4. If no WLC response, then access point reboots and returns to Step 1.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-2

www.CareerCert.info

Layer 3 LWAPP Discovery Algorithm

Access point sends Layer 3 LWAPP discovery requests: 1. As broadcasts on local subnet 2. As unicast LWAPP discovery requests to WLC IP addresses advertised by other access points, if OTAP enabled on the WLCs 3. To all previously stored WLC IP addresses 4. To IP addresses learned through DHCP Option 43 5. To IP addresses learned through DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain WLCs receiving the discovery message reply with a unicast LWAPP discovery response message. Access point compiles a list of candidate controllers.

DESGN v2.08-3

www.CareerCert.info

WLC Selection Algorithm

LWAPP discovery and selection mechanism is a design decision. LWAPP discovery response contains WLC information. After the LWAPP discovery interval timer, the access point selects a WLC to send an LWAPP join request based on: 1. Previously configured primary, secondary, or tertiary WLCs (specified in the controller sysName) 2. WLC configured as a master controller 3. WLC with the greatest capacity for access point associations The WLC validates the access point and sends an LWAPP join response. An encryption key is derived, and future messages are encrypted.
DESGN v2.08-4

www.CareerCert.info

Access Point Operations

Access point downloads firmware from the WLC if its code version does not match the WLC. WLC provisions access point with the SSID, security, QoS, and other parameters. WLC periodically queries access points for status. Access point periodically sends an LWAPP heartbeat (every 30 seconds): If heartbeat is not acknowledged, the access point resends. If heartbeat is not acknowledged in five attempts, access point looks for a new WLC.

DESGN v2.08-5

www.CareerCert.info

WLC Deployment Considerations

Mobility Radio management Redundancy and load balancing Scaling IP addressing

DESGN v2.08-6

www.CareerCert.info

Mobility Defined
Mobility is a key reason for wireless networks. Mobility means the end-user device is capable of moving to new location. Roaming occurs when a wireless client moves association from one access point and reassociates to another. Mobility presents new challenges: Need to scale the architecture to support client roaming roaming can occur intracontroller and intercontroller. Depending on the application, may need to support Layer 2 or Layer 3 roaming. Need to support client roaming that is seamless (fast) and preserves security.

DESGN v2.08-7

www.CareerCert.info

Intracontroller Roaming
Intracontroller roaming occurs when a client moves association to another access point joined to the same WLC. Client may need to be reauthenticated and new security session established. Controller updates client database entry with new access point and appropriate security context. No IP address refresh is needed.

DESGN v2.08-8

www.CareerCert.info

Intercontroller RoamingLayer 2

Traffic on same IP subnet Client database entry moved to new WLC Reauthenticated and new security session established as needed No IP address refresh needed
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-9

www.CareerCert.info

Intercontroller RoamingLayer 3

Original WLC tagged as anchor Client database entry copied to new WLC, tagged as foreign Asymmetric traffic path
DESGN v2.08-10

www.CareerCert.info

Scaling the Architecture with Mobility Groups

Mobility groups allow controllers to peer with each other to support seamless roaming across controller boundaries, access point load balancing, and controller redundancy. Mobility messages are exchanged between controllers. Data is tunneled between controllers in Ethernet-in-IP (EtherIP). Each WLC in a mobility group is configured with a list of other members. Access points learn the IP addresses of the other members of the mobility group after the LWAPP join process. Mobility groups support up to 24 controllers and 3600 access points. WLC should be placed in mobility groups when intercontroller roaming is possible and for controller redundancy.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-11

www.CareerCert.info

Mobility Group Requirements

IP connectivity must exist between the management interfaces of all WLC devices. All WLCs must be configured with the same mobility group name. The mobility group name is case-sensitive. All WLCs must be configured to use the same virtual interface IP address. Each WLC is configured with the MAC address and IP address of all the other mobility group members. The WLCs exchange messages using UDP port 16666 (unencrypted) or UDP port 16667 (encrypted) .

DESGN v2.08-12

www.CareerCert.info

Supporting Roaming Recommended Practices

Minimize intercontroller roaming in your designs. Design the network for <= 10 ms RTT latency between controllers. Intercontroller Layer 2 roaming is more efficient than Layer 3 roaming. Use PKC or CCKM to speed up and secure roaming. Client roaming capabilities vary by vendor, driver, and supplicant. Look for Cisco Compatible Extensions v4 feature set.

DESGN v2.08-13

www.CareerCert.info

Controller Redundancy Design

Access point selects its WLC with this sequence:
[Deterministic] If an access point has been previously configured with a primary, secondary, or tertiary controller, the access point attempts to join these first (specified by controller sysName). [Initializing] The access point attempts to join a WLC configured as a master controller. [Dynamic] The access point attempts to join the WLC with the greatest availability for access point associations.

DESGN v2.08-14

www.CareerCert.info

Deterministic Controller Redundancy

Administrator statically assigns each access point a primary, secondary, or tertiary controller. Advantages include: Predictability (easier operational management) More network stability More flexible and powerful redundancy design options Faster failover times Fallback option in the case of failover Disadvantages include: More upfront planning and configuration Recommended leading practice is to use deterministic redundancy.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-15

www.CareerCert.info

Example: Deterministic Controller Redundancy

DESGN v2.08-16

www.CareerCert.info

Dynamic Controller Redundancy

Design relies on LWAPP to load-balance access points across controllers and populate access points with backup WLC information. Design works better when controllers are clustered in a centralized design. Advantages include: Easy to deploy and configure Access points dynamically load-balance Disadvantages include: More intercontroller roaming Bigger operational challenges due to unpredictability Longer failover times No fallback option in the event of controller failure Recommended practice is not to use dynamic redundancy.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-17

www.CareerCert.info

Example: Dynamic Redundancy

DESGN v2.08-18

www.CareerCert.info

Deterministic Redundancy Designs: N+1

DESGN v2.08-19

www.CareerCert.info

Deterministic Redundancy Designs: N+N

DESGN v2.08-20

www.CareerCert.info

Deterministic Redundancy Designs: N+N+1

DESGN v2.08-21

www.CareerCert.info

Radio Resource Management

Key RF challenges with 802.11: Limited nonoverlapping channels Physical characteristics of RF propagation Contention for the medium Transient nature of RF environments RRM addresses these challenges: Continuous analysis of RF environment Dynamic channel assignment Interference detection and avoidance Dynamic transmit power control Coverage hole detection and correction Client and network load balancing
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-22

www.CareerCert.info

RF Grouping

1. Access points send and receive neighbor messages.

DESGN v2.08-23

www.CareerCert.info

RF Grouping

1. Access points send and receive neighbor messages.

2. If access points on different WLCs hear neighbor messages in the same RF group at -80 dBm or stronger, they pass information to their WLC.

DESGN v2.08-24

www.CareerCert.info

RF Grouping
3. Controllers elect an RF group leader that analyzes RF data.

1. Access points send and receive neighbor messages.

2. If access points on different WLCs hear neighbor messages in the same RF group at -80 dBm or stronger, they pass information to their WLC.

DESGN v2.08-25

www.CareerCert.info

Access Point Self-Healing

Access points receive neighbor messages from neighbor access points. Access points report a lost neighbor when they no longer receive neighbor messages at 65 dBm. RRM is used to increase power on access points near the lost access point. RRM can also adjust channel selection if needed.

DESGN v2.08-26

www.CareerCert.info

Summary
A lightweight access point uses an LWAPP discovery and join process to connect to a WLC. Lightweight access points operate by communicating with a WLC. The Cisco Unified Wireless Network provides a high quality transparent roaming experience for clients supporting both intracontroller and intercontroller roaming. It is recommended using that you use deterministic controller redundancy over dynamic controller redundancy. RRM using RF groups is a foundation of the Cisco Unified Wireless Network architecture.

DESGN v2.08-27

www.CareerCert.info

DESGN v2.08-28

www.CareerCert.info

Designing Wireless Networks with Controllers

Identifying Wireless Networking Considerations

DESGN v2.08-1

www.CareerCert.info

Reasons for an RF Site Survey

Defines RF characteristics in the environment: Discover RF coverage areas. Check for RF interference and issues. Provide RF spectrum analysis. Determine appropriate placement of wireless infrastructure devices. Helps define customer requirements

DESGN v2.08-2

www.CareerCert.info

RF Site Survey Process

1. Define customer requirements. 2. Identify coverage areas and user density. 3. Determine preliminary access point locations. 4. Perform the actual surveying. 5. Document the findings.

DESGN v2.08-3

www.CareerCert.info

RF Site Survey Customer Requirements

What type and number of wireless devices need to be supported? Is there current WLAN or RF equipment in place? Will the WLAN be used only for data? Will wireless phones be supported in the future? Are there peak periods to support? Will users be stationary or on the move while using the WLAN? Where should wireless coverage support be provided? What level of support should be provided?

DESGN v2.08-4

www.CareerCert.info

RF Site Survey Identifying Coverage Areas

File Room or Supply Room: Large Filing or Metal Cabinets Elevator Office Shafts Test Lab

Break Room: Microwave Ovens

Conference

Cubicles

Stairwells (Reinforced Building Area)

DESGN v2.08-5

www.CareerCert.info

Determining Preliminary Access Point Locations

Default Access Point Placement

DESGN v2.08-6

www.CareerCert.info

Visualizing RF Coverage

DESGN v2.08-7

www.CareerCert.info

Performing the Site Survey

Use tools and processes to determine coverage: Estimate the access point needed using planning. Measure attenuation at the corner and edge of coverage areas. Determine the coverage range. Build the WLAN coverage. Identify coverage holes.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-8

www.CareerCert.info

Site Survey Report

All information gathered and developed during the site survey should be included in the report:
Detail customer requirements. Describe and diagram access point coverage. Be very specific when describing equipment placement locations. Mark areas that are covered as well as those not needing coverage. Parts list should include: Access points Antennas Accessories and network components Discuss the tools that were used and survey methods.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-9

www.CareerCert.info

Supporting Guest Access

DESGN v2.08-10

www.CareerCert.info

Path Isolation with Ethernet in IP Tunnel

Use of EtherIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers Other traffic (employee for example) still locally bridged on the corresponding VLAN No need to define the guest VLANs on the switches connected to the edge controllers Original Ethernet frame from guest maintained across LWAPP and EtherIP tunnels EtherIP supported across all WLAN controllers 2006 WLC cannot anchor EtherIP connections.

DESGN v2.08-11

www.CareerCert.info

Outdoor Wireless Deployment Options

DESGN v2.08-12

www.CareerCert.info

Outdoor Wireless Mesh Solution Components

Cisco Wireless Control System

Wireless mesh management system Enables networkwide policy configuration and device management Supports SNMP and syslog

Cisco Wireless LAN Controller

Links the wireless mesh access points to the wired network Handles RF algorithms and optimization Seamless Layer 3 Mobility Provides security and mobility management

Rooftop Access Point

Serves as root or gateway access point to the wired network Typically located on rooftops or towers Connects up to 32 pole-top mesh access points using 802.11a

Mesh Access Point

Provides 802.11b/g client access Connects to root access points via 802.11a Takes AC or DC power; PoE capable Ethernet port for connecting peripheral devices

DESGN v2.08-13

www.CareerCert.info

Example: MAP-to-RAP Connectivity in a Square Mile

DESGN v2.08-14

www.CareerCert.info

Mesh Design Recommendations

Hops Throughput

One ~10 Mbps

Two ~5 Mbps

Three ~3 Mbps

Four Up to 1 Mbps*

Latency < 10 ms per hop, 13 ms is typical Hops Outdoor: Code supports up to eight hops; four or fewer hops are recommended. Indoor: One hop is supported. Nodes per RAP One RAP supports up to 32 MAPs; 20 nodes are recommended.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-15

www.CareerCert.info

Common Wireless Design Questions

How many access points are needed? Where will the access points be placed? How will the access points receive power? How many WLCs are needed? Where should the WLCs be placed?

DESGN v2.08-16

www.CareerCert.info

LWAPP Access Point Feature Summary

10x0 Models

1121 AG Models

1130 AG Series

1230 AG Series

1240 AG Series

1300 Series Both (LWAPP in AP mode) Yes Yes No No (only g) N/A 16 8

1500 Series

Autonomous/LWAPP/both

LWAPP

Both

LWAPP

External antenna Outdoor install REAP or H-REAP support Dual radio Power (watts) Memory (Mb) WLANs per radio supported

Yes No REAP Yes 13 16 18

No No No No (only g) 6 16 8

No No H-REAP Yes 15 32 8

Yes No No Yes 14 16 8

Yes No H-REAP Yes 15 32 8

Yes Yes Yes Yes N/A 16 16

DESGN v2.08-17

www.CareerCert.info

WLAN Controllers and Access Point Support

Part Number (Platform) AIR-WLC2006-K9 (Cisco Wireless LAN Controller appliance) NM-AIR-WLC6-K9 (Cisco Wireless LAN Controller Module for ISRs) WS-C3750G-24WS-S25 (Cisco Catalyst 3750G Integrated Wireless LAN Controller) WS-C3750G-24WS-S50 (Cisco Catalyst 3750G Integrated Wireless LAN Controller) AIR-WLC4402-12-K9 (Cisco Wireless LAN Controller appliance) AIR-WLC4402-25-K9 (Cisco Wireless LAN Controller appliance) AIR-WLC4402-50-K9 (Cisco Wireless LAN Controller appliance) AIR-WLC4402-100-K9 (Cisco Wireless LAN Controller appliance) Cisco Catalyst 6500 Series Wireless Services Module
2007 Cisco Systems, Inc. All rights reserved.

No. of Access Points Supported 6 6 25 50 12 25 50 100 Up to 300

DESGN v2.08-18

www.CareerCert.info

Controller Placement Design

Minimize intercontroller roaming. Implement deterministic redundancy. Centralized design supports the integrated platforms. Cisco Catalyst 3750G Integrated Wireless LAN Controller for small-to-medium deployments Cisco WiSM for medium-to-large deployments Distributed designs may work well with existing networks. General recommendation is to use a centralized design, but decide based on: Current network and policies Growth plans

DESGN v2.08-19

www.CareerCert.info

Example: Distributed WLC Design

DESGN v2.08-20

www.CareerCert.info

Example: Centralized WLC Design

DESGN v2.08-21

www.CareerCert.info

Campus WLC Options

Stand-alone appliance controller
Routed network on another platform 802.1Q trunk to switched or routed network

Integrated controller
Routed network can exist on the same platform. Layer 2 connection is internal. Layer 2 or 3 connection to routed network can be used.

DESGN v2.08-22

www.CareerCert.info

Branch Wireless Network Design Considerations

Number of access points needed at the branch Availability of switch ports Availability of power Controller cost WAN bandwidth constraints Latency between the access point and the WLC should not exceed 200 ms RTT. For centralized controllers, use REAP or Hybrid REAP access points.

DESGN v2.08-23

www.CareerCert.info

Local MAC

Access point MAC functions:

Controller MAC functions:

802.11 proxy association requests and actions 802.11e resource reservation 802.11i authentication and key management

DESGN v2.08-24

www.CareerCert.info

Remote Edge Access Point

Lightweight access point designed to be controlled across WAN links: REAP is designed to support remote offices by extending LWAPP control timers. Control traffic is still LWAPP encapsulated and sent to Cisco Wireless LAN Controller. Client data is not LWAPP-encapsulated but is locally bridged. All management control and RF management is available when the WAN link is up and connectivity is available to the Cisco Wireless LAN Controller. It will continue to provide local connectivity even if the WAN is down.

DESGN v2.08-25

www.CareerCert.info

REAP Limitations
REAP devices do not support 802.1Q trunking. All WLANs terminate on a single subnet. If connectivity to the WLC is lost, only WLAN1 is supported. Multiple WLANs are not recommend on REAP devices. REAP devices support only Layer 2 security policies. REAP devices and clients require a routable IP address provided locally and do not support NAT.

DESGN v2.08-26

www.CareerCert.info

Hybrid REAP
H-REAP is a solution for small or branch offices and retail on the LWAPP Cisco IOS platforms H-REAP supports simultaneous tunneling and local bridging.
Local switching supports bridging traffic onto local VLANs. Central switching supports tunneling traffic to the controller.

H-REAP provides more security options for the remote site:

Stand-alone mode does client authentication by itself. (WPA-PSK, WPA-PSK2) Connected mode uses the controller to complete client authentication. (WPA-PSK, WPA-PSK2, VPNs, L2TP, EAP, and web auth)

Round-trip latency must not exceed 200 ms between the access point and the controller. H-REAP supports NAT and PAT.

DESGN v2.08-27

www.CareerCert.info

Example: H-REAP Deployment

DESGN v2.08-28

www.CareerCert.info

Branch Office WLC Options

Appliance controllers
Cisco 2006Support for up to six access points Cisco 4402-12, 4402-24

Integrated controller
Cisco Wireless LAN Controller Module for ISR Cisco Catalyst 3750 Series Integrated WLAN Controller (support for 25, 50 access points)

DESGN v2.08-29

www.CareerCert.info

Summary
An RF site survey is used to determine the RF characteristics of a wireless network and help determine access point placement. Guest services are easily supported using EtherIP tunnels in the Cisco Unified Wireless Network. Outdoor wireless networks are supported using outdoor access points and Cisco Wireless Mesh Networking access points. Campus wireless network design provides RF coverage for wireless clients in the campus using lightweight access points. The access points are managed to Cisco Wireless LAN Controllers. Branch wireless network design is provides RF coverage for wireless clients in the branch. Central management of REAP or H-REAP access points can be supported.

DESGN v2.08-30

www.CareerCert.info

DESGN v2.08-31

www.CareerCert.info

Wireless Networking Review

Define the wireless requirements. Conduct an RF site survey to define the RF characteristics in the environment. Define access point deployment locations based on the site survey and customer requirements. Determine the WLC design: Redundancy (primary, secondary, tertiary) Placement of WLCs in distribution layer Whether remote sites will use local centralized controllers Determine the number of mobility groups that you will need. Plan how to support internal VLANs and guest access if needed.

DESGN v2.08-1

www.CareerCert.info

Cisco Unified Wireless Network Review

DESGN v2.08-2

www.CareerCert.info

Module Summary
Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on WLCs that control LWAPP access points. The Cisco Unified Wireless Network provides transparent roaming supporting both intracontroller and intercontroller roaming. Deterministic controller redundancy with integrated RRM provides the highest-quality roaming experience. An RF survey in a wireless network design determines the characteristics of the wireless network and access point placement to provide optimal RF coverage for wireless clients.

DESGN v2.08-3

www.CareerCert.info

DESGN v2.08-4

www.CareerCert.info

Implementing and Operating the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0

DESGN v2.09-1

www.CareerCert.info

Reviewing Design and Implementation Resources

Implementing and Operating the Network

DESGN v2.09-1

www.CareerCert.info

Solution Reference Network Design Guides

Focus on the specific solution Provide an overview of relevant technologies Give a description of the architecture Offer recommended design practices Provide configuration examples Are available for the following areas: Campus Data center Branch office Teleworker WAN and MAN Security Unified communications Wireless

DESGN v2.09-2

www.CareerCert.info

Cisco Networkers Online Subscription

200+ technical training sessions, including:
Application Optimization Technologies Contact Center Technologies Data Center Technologies Network Access and Aggregation Technologies Network Management Services Technologies Optical and Metro Ethernet Technologies Routing and Switching Technologies Security Technologies Storage Technologies Voice and Video Technologies

www.CareerCert.info

Summary of Cisco CCNP Courses

Building Cisco Multilayer Switched Networks (BCMSN) Recommended prerequisite for Designing for Cisco Internetwork Solutions Building Scalable Cisco Internetworks (BSCI) Implementing Secure Converged Wide Area Networks (ISCW) Optimizing Converged Cisco Networks (ONT)

DESGN v2.09-4

www.CareerCert.info

Building Cisco Multilayer Switched Networks v3.0

Use the Cisco hierarchical network model for campus networks Define VLANs to segment network traffic and use Implement spanning-tree operation Implement and verify inter-VLAN routing Implement high-availability technologies and techniques Describe and configure wireless LAN access Describe and implement security features Describe and configure switch to support voice

Covers skills required to build enterprise-class switched networks with integrated VoIP and wireless applications

DESGN v2.09-5

www.CareerCert.info

Building Cisco Multilayer Switched Networks v3.0 Course Flow

Day 1
Course Introduction

Day 2

Day 3

Day 4

Day 5
Configuring Campus Switches for Voice Minimizing Service Loss

A M

Network Requirements Defining VLANS

Implementing Spanning Tree

Inter-VLAN Routing

Wireless LAN

Lunch
Defining VLANS Implementing Spanning Tree Implementing High Availability Implementing Spanning Tree Inter-VLAN Routing Wireless LAN Minimizing Service Loss

P M

DESGN v2.09-6

www.CareerCert.info

Building Scalable Cisco Internetworks v3.0

Explain routing in the enterprise network Implement and verify EIGRP operations Build a scalable multiarea network with OSPF Configure integrated IS-IS in a single area Implement Cisco IOS routing features Implement and verify BGP for enterprise ISP connectivity Implement and verify multicast forwarding using PIM Implement IPv6 in an enterprise network

Covers skills required to build enterprise router networks with mixed, integrated internal and external routing protocols

DESGN v2.09-7

www.CareerCert.info

Building Scalable Cisco Internetworks v3.0 Course Flow

Day 1
Course Introduction

Day 2

Day 3
Configuring IS-IS Protocol

Day 4

Day 5
Implementing Multicast

A M

Network Requirements Configuring EIGRP

Configuring OSPF Manipulating Routing Updates

Implementing BGP Implementing IPv6

Lunch
Configuring EIGRP Configuring OSPF Manipulating Routing Updates Implementing BGP Implementing IPv6 Configuring OSPF Configuring IS-IS Protocol Implementing BGP Implementing Multicast

P M

DESGN v2.09-8

www.CareerCert.info

Implementing Secure Converged Wide Area Networks v1.0

Explain the Cisco hierarchical network model as it pertains to the WAN Describe and implement teleworker configuration and access Implement and verify frame mode MPLS Describe and configure a siteto-site IPsec VPN Covers skills for securing and expanding the reach of the enterprise network to teleworkers and remote sites. The focus is on securing remote access and VPN client configuration.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.09-9

Describe and configure Cisco Easy VPN Explain the strategies used to mitigate network attacks Describe and configure Cisco device hardening Describe and configure Cisco IOS firewall features

www.CareerCert.info

Implementing Secure Converged Wide Area Networks v1.0 Course Flow

Day 1
Course Introduction

Day 2
Implementing Frame Mode MPLS Lab: 3-1

Day 3
IPsec VPNs Lab: 4-2

Day 4
Cisco Device Hardening Lab: 5-1

Day 5
Cisco IOS Threat Defense Features Lab: 6-1 Cisco IOS Threat Defense Features

A M

Network Requirements Connecting Teleworkers

IPsec VPNs Implementing Frame Mode MPLS Lab: 4-3 Cisco Device Hardening

Lunch
Connecting Teleworkers IPsec VPNs IPsec VPNs Lab: 4-4 Cisco Device Hardening Lab: 5-2 Cisco Device Hardening Lab: 5-3 Lab: 6-2

P M

Simulation: 2-1 Implementing Frame Mode MPLS

Cisco IOS Threat Defense Features Lab: 6-3

Lab: 4-1

DESGN v2.09-10

www.CareerCert.info

Optimizing Converged Cisco Networks v1.0

Explain the Cisco hierarchical network model as it pertains to an end-to-end enterprise network Describe specific requirements for implementing a VoIP network Describe the need to implement QoS and the methods for implementing QoS on a converged network Explain the key IP QoS mechanisms used to implement the DiffServ QoS model Configure Auto QoS for Enterprise Describe and configure wireless security and basic wireless management

Covers techniques and skills to optimize QoS in converged networks supporting voice, wireless, and security applications

DESGN v2.09-11

www.CareerCert.info

Optimizing Converged Cisco Networks v1.0 Course Flow

Day 1
Course Introduction

Day 2

Day 3

Day 4

Day 5

Implement Wireless Implement the Implement the Scalability DIffServ QoS Model DIffServ QoS Model Introduction to IP QoS Lab: 4-1 Implement the DIffServ QoS Model Lab: 4-2 Lab: 4-6 Lab: 6-1

A M

Describing Network Requirements Describe Cisco VoIP Implementations

Implement the DIffServ QoS Model

Lab: 6-2

Lunch
Lab: 2-1 Case Study: 3-1 Implement the DIffServ QoS Model Lab: 4-3 Lab: 5-1 Lab: 6-3 Implement Wireless Scalability Lab: 6-4

P M

Describe Cisco VoIP Implementations Lab: 2-2

Lab: 3-2

Implement the DIffServ QoS Model Lab: 4-4

Lab: 5-2

Implement the DIffServ QoS Model

Lab: 4-5

Lab: 5-3

DESGN v2.09-12

www.CareerCert.info

Designing Cisco Network Service Architectures (ARCH) v1.2

Presents the Cisco AVVID framework Create intermediate network designs for: Enterprise campus infrastructure Enterprise edge infrastructure Network management High availability Security QoS IP multicast VPNs Wireless IP telephony This is the next course in the design certification track.
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.09-13

www.CareerCert.info

Designing Cisco Network Service Architectures v1.2 Course Flow

Day 1
Course Introduction

Day 2

Day 3

Day 4
Designing QoS

Day 5

A M

Introducing Cisco Network Service Architectures Designing Enterprise Campus Networks

Designing Enterprise Edge Connectivity

Designing High-Availability Services

Designing IP Multicast Services

Designing IP Telephony Services

Lunch
Designing Enterprise Edge Connectivity Designing Network Management Services Designing VNPs Designing Security Services Wrap-Up Designing Enterprise Wireless Networks

P M

Designing Enterprise Campus Networks

DESGN v2.09-14

www.CareerCert.info

Foundation Courses for Channel Partners

Foundation Express for Account Managers (FXS) Foundation Express for System Engineers (CFXSE) Foundation Express for Field Engineers (CFXFE)

DESGN v2.09-15

www.CareerCert.info

Security Courses
Securing Cisco Network Devices (SND) Securing Networks with Cisco Routers and Switches (SNRS) Implementing Cisco Intrusion Prevention System (IPS) Securing Networks with PIX and ASA (SNPA) Cisco Secure Virtual Private Networks (CSVPN)

DESGN v2.09-16

www.CareerCert.info

Voice Courses
Implementing Cisco Quality of Service (QOS) Cisco Voice over IP Fundamentals (CVF) Cisco Voice over IP (CVOICE) Cisco IP Telephony Part 1 (CIPT1) Cisco IP Telephony Part 2 (CIPT2) IP Telephony Troubleshooting (IPTT) Implementing Cisco Voice Gateways and Gatekeepers (GWGK) IP Telephony Design (IPTD)

DESGN v2.09-17

www.CareerCert.info

Wireless Courses
Aironet Wireless LAN Fundamentals and Site Survey (AWFSS) Aironet Wireless LAN Advanced Topics (AWLAT) Cisco Wireless LAN Fundamentals (CWLF) Cisco Wireless LAN Advanced Topics (CWLAT) Cisco Unified Wireless Networking (CUWN) Cisco Wireless Mesh Networking (CWMN)

DESGN v2.09-18

www.CareerCert.info

Summary
SRND guides provide deployment scenarios incorporating Cisco products and technologies into a tested architecture. Cisco Networkers Online provides introductory to advanced training sessions on a subscription basis. The Building Scalable Cisco Internetworks, Implementing Secure Converged Wide Area Networks and Optimizing Converged Cisco Networks courses provide additional theory and detailed configuration information that supports enterprise network design and implementations. Designing Cisco Network Service Architectures is the next course in the design certification track. Cisco specialization courses provide in-depth, hands-on training supporting security, voice, and wireless.

DESGN v2.09-19

www.CareerCert.info

DESGN v2.09-20

Network Design Case Study 2
No ratings yet
Network Design Case Study 2
5 pages
Pavan Kumar K M: Career Objective Profile Summary
No ratings yet
Pavan Kumar K M: Career Objective Profile Summary
2 pages
Cisco CUCM - SIP Integration With Zoom
No ratings yet
Cisco CUCM - SIP Integration With Zoom
4 pages
BRKRST 2336
No ratings yet
BRKRST 2336
174 pages
Dokumen - Pub - CCDP Self Study Designing Cisco Network Architectures Arch 1587051850 9781587051852
No ratings yet
Dokumen - Pub - CCDP Self Study Designing Cisco Network Architectures Arch 1587051850 9781587051852
697 pages
Advanced Networking Tutorial Sheets
No ratings yet
Advanced Networking Tutorial Sheets
19 pages
Computer Networks
No ratings yet
Computer Networks
27 pages
CCNA Chapter7 Eigrp - OSPF
No ratings yet
CCNA Chapter7 Eigrp - OSPF
73 pages
Chapter1 Network Fundamentals
No ratings yet
Chapter1 Network Fundamentals
34 pages
CCNP 2 PDF
No ratings yet
CCNP 2 PDF
3 pages
BRKRST-2338 - 2014 San Francisco
No ratings yet
BRKRST-2338 - 2014 San Francisco
110 pages
300-420 ENSLD Designing Cisco Enterprise
No ratings yet
300-420 ENSLD Designing Cisco Enterprise
3 pages
Highly Available WAN Design
No ratings yet
Highly Available WAN Design
91 pages
AAA Network Security Services
100% (1)
AAA Network Security Services
20 pages
Composite Quiz 102 Questions: Type Text To Search Here..
No ratings yet
Composite Quiz 102 Questions: Type Text To Search Here..
47 pages
Exam Questions 350-701: Implementing and Operating Cisco Security Core Technologies
No ratings yet
Exam Questions 350-701: Implementing and Operating Cisco Security Core Technologies
7 pages
Wide Area Networks
No ratings yet
Wide Area Networks
77 pages
DCUFI - Implementing Cisco Data Center Unified Fabric 4.0
No ratings yet
DCUFI - Implementing Cisco Data Center Unified Fabric 4.0
7 pages
Cisco Voice Architect or Pre-Sales Engineer or Cisco UC Consulta
No ratings yet
Cisco Voice Architect or Pre-Sales Engineer or Cisco UC Consulta
5 pages
Configuring Basic BGP
No ratings yet
Configuring Basic BGP
77 pages
BRKCRT 8001
100% (1)
BRKCRT 8001
264 pages
CNv6 instructorPPT Chapter6
No ratings yet
CNv6 instructorPPT Chapter6
44 pages
OSI - Layer - Sikandar Notes
No ratings yet
OSI - Layer - Sikandar Notes
11 pages
CH5
0% (1)
CH5
58 pages
Introduction To NAT and PAT
No ratings yet
Introduction To NAT and PAT
5 pages
ITS323Y12S1L01 Data Communications and Networks
No ratings yet
ITS323Y12S1L01 Data Communications and Networks
25 pages
Lab IP Telephony Basic
No ratings yet
Lab IP Telephony Basic
3 pages
Networking Scenario Based Interview Questions - IP With Ease
No ratings yet
Networking Scenario Based Interview Questions - IP With Ease
10 pages
CCIE Security v6.1 Equip and SW List
0% (1)
CCIE Security v6.1 Equip and SW List
1 page
Ccda PDF
No ratings yet
Ccda PDF
96 pages
Ip Routing Principles
No ratings yet
Ip Routing Principles
30 pages
MPLS P62
No ratings yet
MPLS P62
40 pages
CISCO Books List
No ratings yet
CISCO Books List
2 pages
2018 Sundray Junior Certification Lesson - One - 02 - Products and Equipment First Knowledge - v3.6.7
No ratings yet
2018 Sundray Junior Certification Lesson - One - 02 - Products and Equipment First Knowledge - v3.6.7
42 pages
Lecture 10 IP Traffic Management-QoS Concepts
No ratings yet
Lecture 10 IP Traffic Management-QoS Concepts
45 pages
CIPT1 v8.0 VoD-SLIDES
No ratings yet
CIPT1 v8.0 VoD-SLIDES
135 pages
2021 SPOTO CCNP 350-501 Practice Questions
No ratings yet
2021 SPOTO CCNP 350-501 Practice Questions
3 pages
CCNA Brochure
No ratings yet
CCNA Brochure
2 pages
Latest Dump Compiled by Genius PDF
100% (1)
Latest Dump Compiled by Genius PDF
127 pages
Ccie SP Read List
No ratings yet
Ccie SP Read List
3 pages
Cisco Live Cisco Validated Blueprint Architecture
100% (1)
Cisco Live Cisco Validated Blueprint Architecture
57 pages
Basic Network Device Configuration
No ratings yet
Basic Network Device Configuration
50 pages
Cisco DNA Software For SD-WAN and Routing Ordering Guide Guide-C07-740642
No ratings yet
Cisco DNA Software For SD-WAN and Routing Ordering Guide Guide-C07-740642
33 pages
CCNA 1 Chapter 1 v5
No ratings yet
CCNA 1 Chapter 1 v5
13 pages
IPv6 and Packet Tracer
No ratings yet
IPv6 and Packet Tracer
98 pages
Protocols and Reference Models - CCNAv7-1
No ratings yet
Protocols and Reference Models - CCNAv7-1
41 pages
Cisco 300 410
No ratings yet
Cisco 300 410
16 pages
Lecture 1 - PPT - CNS
No ratings yet
Lecture 1 - PPT - CNS
16 pages
LISP Network Deployment and Troubleshooting The Complete Guide to LISP Implementation on IOS XE IOS XR and NX OS 1st Edition Tarique Shakil all chapter instant download
100% (5)
LISP Network Deployment and Troubleshooting The Complete Guide to LISP Implementation on IOS XE IOS XR and NX OS 1st Edition Tarique Shakil all chapter instant download
55 pages
BRKSPG 2535
100% (1)
BRKSPG 2535
88 pages
Networking Essentials 2.0 Capstone
No ratings yet
Networking Essentials 2.0 Capstone
10 pages
CCNA Dis4 - Chapter 1 - Introducing Network Design Concepts - PPT (Compatibility Mode)
100% (1)
CCNA Dis4 - Chapter 1 - Introducing Network Design Concepts - PPT (Compatibility Mode)
94 pages
PDF CCNP SWITCH Lab Manual (2nd Edition) (Lab Companion) Free Download and Read Online
No ratings yet
PDF CCNP SWITCH Lab Manual (2nd Edition) (Lab Companion) Free Download and Read Online
6 pages
Network Mergers and Migrations: Junos Design and Implementation
From Everand
Network Mergers and Migrations: Junos Design and Implementation
Gonzalo Gómez Herrero
No ratings yet
Configuring IPCop Firewalls: Closing Borders with Open Source
From Everand
Configuring IPCop Firewalls: Closing Borders with Open Source
Barrie Dempster
No ratings yet
Network Security
From Everand
Network Security
André Perez
No ratings yet
MPLS-Enabled Applications: Emerging Developments and New Technologies
From Everand
MPLS-Enabled Applications: Emerging Developments and New Technologies
Ina Minei
4/5 (4)
Deploying IPv6 in Broadband Access Networks
From Everand
Deploying IPv6 in Broadband Access Networks
Adeel Ahmed
No ratings yet
The IMS: IP Multimedia Concepts and Services
From Everand
The IMS: IP Multimedia Concepts and Services
Miikka Poikselkä
No ratings yet
In Depth Guide to IS-IS Routing: Learn Intermediate System to Intermediate System Routing from scratch
From Everand
In Depth Guide to IS-IS Routing: Learn Intermediate System to Intermediate System Routing from scratch
Mamta Devi
No ratings yet