CCDP ARCH Quick Reference


About the Authors... 3

About the Technical Editor... 3

Introduction... 4

Chapter 1. Cisco Design Models... 5

Service-Oriented Network Architecture... 5

PPDIOO... 7

Chapter 2. Network Design Considerations for the Enterprise Campus... 10

High-Availability Design... 10

Layer 2 Design... 12

Layer 3 Design... 14

Layer 2 to Layer 3 Boundary Design... 16

Infrastructure Design Considerations... 17

Chapter 3. Addressing and Routing Design Considerations... 19

Designing IP Addressing... 19

Designing Advanced Routing Solutions... 22

Scalable EIGRP... 23

Scalable OSPF Design... 24

Design Scalable BGP Solutions... 27

Chapter 4. Design Considerations for Advanced WAN Services... 29

Constructing WANs Using Optical Technologies... 29

Metro Ethernet... 31

VPLS... 32

MPLS VPN... 34

Implementing Advanced WAN Services... 34

Chapter 5. Data Center Design for the Enterprise... 36

Core and Aggregation Layer Infrastructure Design... 36

Scaling Data Center Architecture... 42

Spanning-Tree Design for High Availability... 43

Chapter 6. Storage-Area Network Design... 45

An Overview of SAN Components and Technologies... 45

Chapter 7. Designing an E-Commerce Module... 51

Achieving High Availability... 51

Integrated E-Commerce Designs... 54

Chapter 8. Securing an Enterprise Network... 57

Firewalls... 57

NAC Design Considerations... 60

IDS and IPS Design Considerations... 63

Chapter 9. Virtual Private Network Design... 66

Remote-Access VPNs... 66

Site-to-Site VPNs... 68

IPsec VPNs... 71

Managing and Scaling VPNs... 73

Chapter 10. IP Multicast Design Considerations... 74

Fundamentals of IP Multicast... 74

Protocol Independent Multicast Design... 81

Securing IP Multicast Networks... 82

Chapter 11. Designing Voice over WLAN Networks... 84

Introduction to VoWLAN Technologies... 84

Provisioning for VoWLAN Coverage... 86

CCDP ARCH Quick Reference

CCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990 Publisher: Cisco Press

Prepared for Kevin Kem, Safari ID: [email protected] Licensed by Kevin Kem

Print Publication Date: 2007/10/26 User number: 1023945 Copyright 2007, Safari Books Online, LLC.

This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.


Network Based Application Recognition... 94

Overview of IP SLA... 95


CCDP ARCH Quick Reference

Network Design Considerations for the Enterprise Campus . . . . 9
Addressing and Routing Design Considerations . . . . 18
Design Considerations for Advanced WAN Services . . . . 28
Data Center Design for the Enterprise . . . . 35
Storage-Area Network Design . . . . 44
Designing an E-Commerce Module . . . . 50
Securing an Enterprise Network . . . . 56
Virtual Private Network Design . . . . 65
IP Multicast Design Considerations . . . . 73
Designing Voice over WLAN Networks . . . . 83
Cisco IOS Software Network Management Capabilities . . . . 89

Kevin Wallace and Michael Watkins

ciscopress.com


© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.

Copyright © 2008 Cisco Systems, Inc. Published by:

Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA

All rights reserved. No part of this digital short cut may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

First Digital Edition October 2007 ISBN-10: 1-58705-499-X ISBN-13: 978-1-58705-499-0

Warning and Disclaimer

This digital Short Cut is designed to provide information about networking. Every effort has been made to make this digital Short Cut as complete and accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital short cut.

The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.

in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community.

Reader feedback is a natural continuation of this process. If you have any comments on how we could improve the quality of this digital short cut, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please be sure to include the digital Short Cut title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this digital short cut when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and

Government Sales 1-800-382-3419 [email protected].

For sales outside the United States please contact: International Sales [email protected]


About the Authors:

Kevin Wallace, CCIE No. 7945, is a certified Cisco instructor and a full-time instructor for SkillSoft. With 18 years of Cisco networking experience, Kevin has been a network design specialist for The Walt Disney World Resort and a network manager for Eastern Kentucky University. Kevin holds a bachelor of science in electrical engineering from the University of Kentucky. Kevin is also a CCVP, CCSP, CCNP, and CCDP with multiple Cisco security and IP communications specializations.

Michael Watkins, CCNA/CCNP/CCVP/CCSP, is a full-time senior technical instructor with SkillSoft. With 12 years of network management, training, and consulting experience, Michael has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the United States Air Force to help them implement and learn the latest network technologies. In addition to holding over 20 industry certifications in the areas of networking and programming technologies, Michael holds a bachelor of arts degree from Wabash College.

About the Technical Editor:

Anthony Sequeira, CCIE RS No. 15626, possesses high-level certifications from both Cisco and Microsoft. For the past 15 years, he has written and lectured to massive audiences about the latest in networking technologies. Anthony is currently a certified Cisco instructor with SkillSoft. Anthony currently lives with his wife and daughter in Tampa, Florida.


Introduction

The Cisco Designing Cisco Network Service Architecture (ARCH) course helps prepare students for the Cisco Certified Design Professional (CCDP) certification. Objectives for the ARCH course include the following:

• Explain Cisco Service-Oriented Enterprise Network Architecture (SONA).

• Discuss how SONA can be used for enterprise network design.

• Illustrate how to design functionality, performance, scalability, and availability into the various functional areas of the enterprise network.

• Review network management, high availability, security, QoS, and IP multicast design considerations.

• Explain design principles for virtual private networks (VPNs) and wireless networks.

These Quick Reference Sheets summarize the main topics presented in the ARCH course materials. The information presented represents the version of content on which exam number 642-873 bases its questions.


Chapter 1: Cisco Design Models

This section introduces you to Cisco's Service-Oriented Network Architecture (SONA) framework for network design. In addition, you learn how to use the PPDIOO approach to network design.

Service-Oriented Network Architecture

Cisco recently updated their Architecture for Voice Video and Integrated Data (AVVID) design approach to the Intelligent Information Network (IIN). IIN is a complete architecture that is more all-encompassing than AVVID.

The three phases of constructing an IIN are as follows:

• Integrated transport: Voice, data, and video are all converged onto a single transport.

• Integrated services: Services, such as Voice over IP (VoIP) or storage networking, rely on the underlying network transport mechanisms.

• Integrated applications: Applications (for example, Cisco IP Communicator) leverage services (for example, VoIP), which rely on the network transport.

Cisco's architectural approach to designing an IIN is its SONA framework. Figure 1-1 shows individual IIN components and how those components are categorized by SONA's three layers: (1) Networked Infrastructure Layer, (2) Infrastructure Services Layer, and (3) Application Layer.


SONA offers the following benefits to a network design:

• Functionality: Functions in a way that the design supports organizational requirements

• Scalability: Meets organizational growth demands

• Availability: Makes network services available consistently and reliably

• Performance: Offers acceptable responsiveness, bandwidth utilization, and throughput for applications

• Manageability: Offers administrators control over the network, monitoring of the network, and fault detection within the network

• Efficiency: Meets design objectives within stated financial constraints


FIGURE 1-1 SONA Layers. Labels shown in the figure: Application Layer (Business Applications, Collaboration Applications); Interactive Services Layer (Application Networking Services, Infrastructure Services); Networked Infrastructure Layer (Server, Storage, Clients, Campus, Branch, Data Center, WAN/MAN, Teleworker); Adaptive Management Services.


PPDIOO

Cisco categorizes a network’s life cycle into six phases identified with the acronym PPDIOO, as follows:

• Prepare: This phase involves determining the network's requirements, formulating a network strategy, and suggesting a conceptual architecture of the network.

• Plan: This phase compares the existing network with the proposed network to help identify tasks, responsibilities, milestones, and resources required to implement the design.

• Design: This phase clearly articulates the detailed design requirements.

• Implement: This phase integrates equipment into the existing network (without disrupting the existing network) to meet design requirements.

• Operate: This phase entails the day-to-day network operation, while responding to any issues that arise.

• Optimize: This phase gathers feedback from the Operate phase to potentially make adjustments in the existing network. Changes might be implemented to address ongoing network support issues.

PPDIOO's life-cycle approach offers the following benefits:

• PPDIOO reduces total cost of ownership (TCO).

• PPDIOO improves network availability.

• PPDIOO allows business networks to quickly respond to changing needs.

• PPDIOO accelerates access to network applications and services.


Designing a network in conjunction with the PPDIOO approach involves three steps:

1. Identify customer requirements.

To identify customer requirements, obtain the following pieces of information:

• Network applications

• Network services

• Business goals

• Constraints imposed by the customer

• Technical goals

• Constraints imposed by technical limitations

2. Identify characteristics of the current network.

To identify characteristics of the current network, perform the following tasks:

• Collect existing network documentation (with the understanding that the documentation might be somewhat dated and unreliable), and interview organizational representatives to uncover information not available in the documentation.

• Conduct a network audit to identify such information as network traffic types, congestion points, and suboptimal routes.

• Supplement the information collected in the two previous tasks by performing a network traffic analysis with tools such as Cisco Discovery Protocol (CDP), Network Based Application Recognition (NBAR), NetFlow, Cisco Networking Services (CNS) NetFlow Collection Engine, Open Source Cacti, Network General Sniffer, WildPackets EtherPeek and AiroPeek, SolarWinds Orion, Wireshark, and remote-monitoring (RMON) probes.


3. Design the network topology.

Using information collected in Steps 1 and 2, you are ready to begin your network design. Although designing a network can be a daunting task, Cisco recommends a top-down design approach that assists the designer by breaking the design process into smaller and more manageable steps. The term top-down refers to beginning at the top of the OSI reference model (that is, the application layer) and working your way down through the underlying layers, as shown in Figure 1-2.


FIGURE 1-2 Top-Down Design Strategy. The figure shows the OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical); design begins at the application layer, and the remaining design considerations sequentially address lower layers of the OSI model.

Using a top-down design strategy, as opposed to a bottom-up design strategy (that is, where the design begins at the physical layer of the OSI model and works its way up) provides the following benefits:

• Does a better job of including specific customer requirements

• Offers a more clearly articulated "big picture" of the desired network for both the customer and the designer

• Lays the foundation for a network that not only meets existing design requirements, but also provides scalability to meet future network enhancements


Chapter 2: Network Design Considerations for the Enterprise Campus

This section discusses Cisco design recommendations for an enterprise campus network. These networks need to support evolving technologies such as IP telephony, storage-area networks, content networking, and application networking.

High-Availability Design

Constructing an enterprise campus network using modular building blocks can add to a network’s availability, in addition to its scalability. Traditionally, Cisco prescribed a three-layer model for network designers. Those three layers, as shown in Figure 2-1, are as follows:

• Access layer: Typically, wiring closet switches connecting to end-user stations

• Distribution layer: An aggregation point for wiring closet switches, where routing and packet manipulation occur, and also where the campus network interconnects to remote networks

• Core layer: The network backbone where high-speed traffic transport is the main priority


The goals of high availability are to minimize component failures (for example, network links or network endpoints) and to minimize the time required to recover from a component failure. A common design approach for high-availability networks is to fully mesh redundant switches located in the distribution and core layers. Recommended design strategies for maximizing redundancy include the following:

• Alternate pathing: A single path between network devices represents a single point of failure.

• Redundant components: Convergence time for redundant access layer switches can be reduced by using the following:

  • Stateful switchover (SSO): Useful for both Layer 2 and Layer 3 access switches, SSO permits a backup route processor to immediately take over control from a failed primary route processor.


FIGURE 2-1 Three-Layer Hierarchical Model (Core Layer, Distribution Layer, Access Layer)


  • Nonstop forwarding (NSF): Useful for Layer 3 access switches, NSF continues to forward packets after a route processor switchover, until routing convergence completes.

  • Software Modularity Architecture of Cisco IOS Software: Using Cisco IOS Software Modularity Architecture, software patching can be performed without reloading the supervisor engine of a Catalyst 6500 series switch.

Layer 2 Design

Most commonly found at the access layer, Layer 2 components in an enterprise campus network need to be configured for optimal convergence times. Layer 2 devices use the Spanning Tree Protocol (STP) for convergence, but Cisco recommends that the use of STP be avoided because routing protocols (used by Layer 3 devices) can converge faster than STP. However, some situations require the use of STP, for example:

• To support a VLAN that exists on multiple access layer switches

• To protect from loops being created between access layer ports

• To support certain server farm applications

Cisco offers a variety of enhancements to STP:

• PortFast: Allows an access port to bypass STP's listening and learning phases

• UplinkFast: Reduces STP convergence from 50 seconds to approximately 3 to 5 seconds

• BackboneFast: Reduces STP convergence time for an indirect link failure

• LoopGuard: Helps prevent loops that could occur because of a unidirectional link failure, a software failure, or a bridge protocol data unit (BPDU) loss due to congestion

• RootGuard: Prevents an inappropriate switch from being elected as a root bridge

• BPDUGuard: Causes a port configured for PortFast to go into the errdisable state if a BPDU is received on the port


In addition, a variety of STP implementations are supported on many Cisco Catalyst switches:

• 802.1D: The original version of STP

• Common Spanning Tree (CST): Shares a common spanning-tree topology for multiple VLANs

• Per VLAN Spanning Tree Plus (PVST+): Cisco's proprietary approach to providing a separate spanning-tree topology for each VLAN

• 802.1w: Rapid STP (RSTP), which reduces spanning-tree convergence times

• 802.1s: Multiple Spanning Tree (MST), which allows different VLANs to be mapped to one of multiple STP instances, thus providing optimal pathing for each VLAN without necessitating an STP instance for each VLAN

If STP is used, Cisco recommends the following:

• Use LoopGuard on Layer 2 ports between distribution layer switches.

• Configure RootGuard on distribution layer switch ports that connect to access layer switches.

• Implement UplinkFast on access layer switch ports that connect to distribution layer switches.

• Use BPDUGuard, RootGuard, and PortFast on access layer switch ports that connect to end-user devices.

• Configure UniDirectional Link Detection (UDLD) to detect links that have failed in one direction.

• Implement port security, as needed, to limit the number of MAC addresses that can pass traffic through an access layer switch port.

Layer 2 Catalyst switches also use trunks to carry traffic for multiple VLANs across a single physical connection. Cisco recommends the following best practices for trunks:

• Configure IEEE 802.1Q trunks, as opposed to Inter-Switch Link (ISL) trunks.


• Do not pass traffic over the VLAN configured as the native VLAN.

• Use the transparent VLAN Trunk Protocol (VTP) mode, to prevent corruption of the VLAN database.

• Set the Dynamic Trunk Protocol (DTP) mode to desirable, to dynamically form a trunk between two switches.

• Prune unneeded VLANs from trunks.

• Disable trunking on ports that connect to hosts.

When higher bandwidth is needed between two Catalyst switches, you can aggregate multiple links between those switches. This collection of aggregated ports is known as an EtherChannel. An EtherChannel can be dynamically formed using either the Port Aggregation Protocol (PAgP) or the Link Aggregation Control Protocol (LACP).
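As an added example (not from the Quick Reference), the Python script below audits an IOS-style running configuration against the STP and trunk recommendations above: it reports host ports lacking PortFast, BPDUGuard, RootGuard or port security, trunks that are not 802.1Q, trunks whose native VLAN is also an allowed user VLAN, ports with no explicit switchport mode, and a global configuration without VTP transparent mode or UDLD. The sample configuration and interface names are constructed for this example.

```python
"""Audit an IOS-style switch config against the Layer 2 guidance above (STP guards and
port security on host ports, 802.1Q trunk hygiene, VTP transparent, UDLD). Hypothetical helper."""
from typing import Dict, List, Optional, Set, Tuple
# Constructed sample: one compliant host port, one unprotected host port,
# and one trunk whose native VLAN is also an allowed (user) VLAN.
SAMPLE_CONFIG = """\
vtp mode transparent
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
!
"""

# Commands every host-facing (access) port should carry, per the guidance above.
ACCESS_PORT_REQUIRED = (
    ("spanning-tree portfast", "PortFast missing"),
    ("spanning-tree bpduguard enable", "BPDUGuard missing"),
    ("spanning-tree guard root", "RootGuard missing"),
    ("switchport port-security", "port security missing"),
)

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface commands."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # "!" ends an interface block
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_interface(name: str, cmds: List[str]) -> List[str]:
    """Return findings for one interface, judged by its switchport mode."""
    findings: List[str] = []
    cmdset = set(cmds)
    if "switchport mode access" in cmdset:
        for cmd, msg in ACCESS_PORT_REQUIRED:
            if cmd not in cmdset:
                findings.append(f"{name}: {msg}")
    elif ("switchport mode trunk" in cmdset
          or "switchport mode dynamic desirable" in cmdset):
        if "switchport trunk encapsulation dot1q" not in cmdset:
            findings.append(f"{name}: trunk encapsulation is not 802.1Q")
        native = next((c.split()[-1] for c in cmds
                       if c.startswith("switchport trunk native vlan ")), "1")
        allowed = next((c[len("switchport trunk allowed vlan "):] for c in cmds
                        if c.startswith("switchport trunk allowed vlan ")), "all")
        if allowed == "all":
            findings.append(f"{name}: allowed VLANs not pruned")
        elif int(native) in expand_vlan_list(allowed):
            findings.append(f"{name}: native VLAN {native} carries user traffic")
    else:
        findings.append(f"{name}: no explicit switchport mode (trunking not disabled)")
    return findings

def audit_config(text: str) -> List[str]:
    """Run global and per-interface checks; an empty list means compliant."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    if "vtp mode transparent" not in global_lines:
        findings.append("global: VTP mode is not transparent")
    if not any(cmd.startswith("udld ") for cmd in global_lines):
        findings.append("global: UDLD is not enabled")
    for name, cmds in interfaces.items():
        findings.extend(audit_interface(name, cmds))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```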

Layer 3 Design

Layer 3 designs should address the availability and convergence times of Layer 3 networks. Interestingly, campus networks are commonly designed for oversubscription, where the aggregation of downstream links could theoretically send more traffic coming into the Layer 3 device than the device could transmit out over its upstream link(s). Specifically, links between access layer ports and distribution layer ports typically have a 20:1 oversubscription ratio, whereas links between distribution layer ports and core layer ports typically have a 4:1 oversubscription ratio, as illustrated in Figure 2-2.

© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.

CCDP ARCH Quick Reference

CCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990 Publisher: Cisco Press

Prepared for Kevin Kem, Safari ID: [email protected] Licensed by Kevin Kem

Print Publication Date: 2007/10/26 User number: 1023945 Copyright 2007, Safari Books Online, LLC.

This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.

(18)

When a network experiences only periodic congestion, quality of service (QoS) mechanisms can be used to mitigate occasional quality issues. However, if the network experiences sustained congestion, the network needs increased bandwidth on its uplinks. You have two options for increasing uplink capacity:

n Bundling multiple links into a logical EtherChannel.

n Using higher-speed uplink interfaces (for example, 10-Gbps interfaces).

When Cisco Express Forwarding (CEF) is in use, multilayer switches might not automatically load balance across equal-cost paths. Cisco recommends that CEF be tuned to make forwarding decisions based on Layer 4 information (for example, port numbers of flows), in addition to Layer 3 information (for example, source and destination IP addresses). Similar tuning can be performed on an EtherChannel to more efficiently load balance across the individual physical links that make up an EtherChannel bundle.


FIGURE 2-2 Uplink Oversubscription (core layer; distribution layer with a 4:1 oversubscription ratio on its uplinks to the core; access layer with a 20:1 oversubscription ratio on its uplinks to the distribution layer)


Network Design Considerations for the Enterprise Campus

When designing Layer 3 networks, routing protocols with fast convergence (for example, Enhanced Interior Gateway Routing Protocol [EIGRP] or Open Shortest Path First [OSPF] Protocol) should be used to quickly route around a failure in the network. Cisco routing protocol design recommendations include the following:

n Interconnect Layer 3 devices using a triangle topology, as opposed to a square topology.

n Form peering relationships only on transit links, as opposed to through the access layer.

n Summarize routes on links connecting distribution layer switch ports to core layer switch ports.

Another Layer 3 network design consideration involves providing redundancy for a next-hop device. This default gateway redundancy can be accomplished by using one of the following technologies:

n Hot Standby Router Protocol (HSRP): Cisco proprietary default gateway redundancy method

n Virtual Router Redundancy Protocol (VRRP): A standards-based default gateway redundancy method

n Gateway Load Balancing Protocol (GLBP): Allows multiple routers to act as a single router by sharing a single virtual IP address across multiple MAC addresses

Layer 2 to Layer 3 Boundary Design

Enterprise campus networks can often contain both Layer 2 and Layer 3 components. Care must be taken when designing the boundary that interconnects these Layer 2 and Layer 3 components. Consider the following Layer 2 to Layer 3 boundary design models:

n Layer 2 Distribution Switch Interconnection: Supports VLANs spanning more than one access layer switch

n Layer 3 Distribution Switch Interconnection: Uses a Layer 3 connection between two distribution layer switches and Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), or GLBP as the default gateway redundancy protocol

n Layer 3 Access-to-Distribution Interconnection: Extends Layer 3 routing from the distribution layer to the access layer using routing protocols such as EIGRP or OSPF


When best practices are not adhered to during the design of the Layer 2 to Layer 3 boundary in an enterprise campus network, the following issues can result:

n Daisy chaining of access layer switches: Daisy-chained access switches can black-hole traffic during a failure unless a loopback cable joins the two ends of the chain. Cisco StackWise technology, supported on some Catalyst platforms, removes the need for the loopback cable.

n Too much redundancy: Extra links are used inefficiently, because STP blocks many of them at any given time, and an excessive number of links complicates troubleshooting.

n Lack of enough redundancy.

n Asymmetric routing (for example, one upstream path and two downstream paths).

Infrastructure Design Considerations

Today’s enterprise campus networks support not only data applications but also mission-critical and latency-sensitive applications, such as IP telephony. Therefore, telephony, QoS, and Catalyst switch-based security features should be considered when performing a design.

Traditional telephony systems boast an availability of 99.999 percent, which equates to only five minutes of downtime per year. Therefore, IP telephony requires high availability for the network. In addition, to maintain acceptable voice quality, QoS mechanisms are required to treat voice packets with priority over data packets.

The access layer directly impacts IP telephony applications because IP phones connect to the network via the access layer. Some access layer switches can provide power to IP phones. Cisco developed its own method of providing Power over Ethernet (PoE) before an industry standard existed. Later, the IEEE introduced the 802.3af standard. Depending on the platform, a Cisco Catalyst switch might support the proprietary prestandard or the 802.3af standard.

For a modular Cisco Catalyst chassis, a designer should calculate a power budget to ensure the chassis’ power supply is sufficient to support the PoE demands. Cisco provides a web-based calculator for calculating a power budget. The calcu-lator is available at: http://tools.cisco.com/cpc/launch.jsp. Appropriate username and password credentials are required to access the Cisco Power Calculator.

Many Cisco IP Phones have an additional Ethernet port that supports the connection of a PC, allowing the PC to connect to the IP Phone, which then connects to the access layer switch. Even though the voice packets from the IP Phone and the data packets from the attached PC are transmitted in separate VLANs, the Catalyst switch port does not need to be in trunk mode. Rather, the port can be a multi-VLAN access port. The voice VLAN is called the auxiliary VLAN, and the native VLAN is used to transmit data from the attached PC.

IP telephony can also benefit from QoS mechanisms. QoS can classify traffic into various classes. These classes of traffic can be placed in separate queues. Therefore, the queue containing FTP traffic, for example, might be overflowing while the queue containing voice traffic is not overflowing.

QoS not only provides priority treatment to selected applications; network attacks (for example, distributed denial-of-service [DDoS] attacks) can sometimes be mitigated by QoS mechanisms.

Numerous other security features are offered by Cisco Catalyst Integrated Security, including the following:

n Port security: Can be used to mitigate MAC flooding attacks

n DHCP snooping: Provides protection from a client attacking the DHCP server or switch

n Dynamic ARP inspection: Uses the DHCP snooping binding table to validate Address Resolution Protocol (ARP) packets

n IP Source Guard: Uses the DHCP snooping binding table and tracks IP address to port associations to prevent IP spoofing
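The access-layer protections listed above, together with the multi-VLAN access port for a phone with an attached PC, as a Cisco IOS configuration fragment. This is an added example and not from the original text: VLAN 10 (data), VLAN 20 (voice), the interface names, the port-security maximum of three addresses, and the assumption that the DHCP server is reached through the uplink are all assumptions.

```cisco
! Added example, not from the original text. VLAN 10 (data), VLAN 20
! (voice), the interface names and the location of the DHCP server behind
! the uplink are assumptions.
!
! DHCP snooping builds the binding table (MAC, IP, VLAN, port) that both
! Dynamic ARP Inspection and IP Source Guard rely on, so it is enabled first.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Dynamic ARP Inspection validates ARP packets against the snooping bindings.
ip arp inspection vlan 10,20
!
! The uplink is the only place DHCP server replies and unvalidated ARP may
! legitimately arrive from, so it is the only trusted port.
interface GigabitEthernet1/0/49
 description Uplink to distribution switch
 ip dhcp snooping trust
 ip arp inspection trust
!
! Phone-plus-PC ports: a multi-VLAN access port, not a trunk. The PC uses
! the access (native) VLAN; the phone tags its traffic into the auxiliary
! voice VLAN.
interface range GigabitEthernet1/0/1 - 48
 description IP phone with attached PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
! Port security: three addresses is assumed here (phone on the voice VLAN,
! PC on the data VLAN, and the phone's untagged traffic on the data VLAN).
! A violation mode of restrict drops and logs the excess instead of
! err-disabling the port, which keeps the phone up during a MAC flood.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
! Rate-limit DHCP from the client so a flood cannot exhaust the pool or the
! snooping process; an untrusted port that exceeds this is err-disabled.
 ip dhcp snooping limit rate 10
! Untrusted ARP is rate-limited; 15 pps is the default, stated explicitly.
 ip arp inspection limit rate 15
! IP Source Guard: forward only packets whose source IP matches a snooping
! binding for this port, which stops a host from spoofing another address.
 ip verify source
```

Check the binding table with show ip dhcp snooping binding after a client leases an address; until a binding exists, IP Source Guard permits only DHCP traffic from the port, so statically addressed hosts need a manual binding.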


Chapter 3: Addressing and Routing Design Considerations

Summarizable IP addressing is critical when constructing scalable routed networks. This includes creating specific strategies for designing scalable solutions using Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF) Protocol, and Border Gateway Protocol (BGP).

Designing IP Addressing

Good IP addressing design uses summarizable blocks of addresses that enable route summarization and provides a number of benefits:

n Reduced router workload and routing traffic

n Increased network stability

n Faster convergence

n Significantly simplified troubleshooting

Creating and using summary routes depends on the use of summarizable blocks of addresses. Sequential numbers in an octet may denote a block of IP addresses as summarizable. For sequential numbers to be summarizable, the block must be N numbers in a row, where N is a power of 2, and the first number in the sequence has to be a multiple of N. The created sequence will then end one before the next multiple of N in all cases.


Let’s take a look at an example.

Is the range 172.19.128.0 to 172.19.159.0 summarizable?

n 128 to 159 represents a range of 32 consecutive numbers.

n 32 is 2 to the 5th power.

n 128 represents a multiple of 32.

n So in this case, 172.19.128.0 to 172.19.159.0 is summarizable. To create a relevant mask octet for this, we calculate 256 – N.

n 256 – 32 = 224

n 172.19.128.0 mask 255.255.224.0 is the summary prefix.

Traditionally, IP subnets have been assigned sequentially. However, recent needs have evolved:

n IP phones on auxiliary VLANs.

n More subnets used for Layer 3 to the access layer.

n Wireless LAN addressing.

n Network access control (NAC) assigns one subnet per user role.

n Need for isolation of servers into separate subnets.

Summarizable addressing can support multiple network needs:

n Network Address Translation (NAT) applications

n Virtual private network (VPN) client addressing

n Segregated VLANs for data and voice traffic

n Route summarization via bit splitting


Role-Based Addressing

One approach uses network 10. By using a pattern with Layer 3 closets, such as 10.number_of_closet.VLAN.x/16, a simple scheme can be constructed. The second octet is used to represent the closets of Layer 3 switches, the third octet represents VLANs, and the fourth octet is for hosts. Alternatively, some or all of the Class B private addressing blocks could be used.

VPN Client Addressing Considerations

Separate VPN groups should represent each VPN client pool corresponding to user roles. Each VPN group should use a different IP address pool for the logical remote VPN client address.

NAT

Allows private internal addressing to map to publicly assigned addresses where the internal network connects to the Internet.

Recommended Best Practices

n Servers reached via content devices (load balancers) performing source NAT (SNAT) or destination NAT (DNAT) should be isolated in their own subnets.

n Support out-of-band (OOB) management VLANs in the data center with NAT.

n Where possible, avoid the use of internal NAT or Port Address Translation (PAT).


Designing Advanced Routing Solutions

n Use of route summarization supports manageable and fast-converging routing.

n Design recommendations:

n To scale routing designs, use summarization.

n Use summarizable blocks for addressing.

n Have the router or routers connected to the Internet service provider advertise the default route (0.0.0.0/0) dynamically into the rest of the network.

OSPF stub area variants represent another form of summarization:

n Stub areas reach destinations outside the area through the default route (0.0.0.0/0) injected by the ABR.

n Stub areas cannot be used for OSPF across IPsec VPN sites.

Route Filtering

Filtering prefixes will ensure that a remote site will not become a transit network.

Principles of Defensive Filtering

n If learning a route from another entity, only accept routes they should be advertising.

n Filter what you advertise when advertising routes to another entity.

Designing Redistribution

In bidirectional redistribution, filters should be applied to prevent re-advertising information back into the routing protocol region or autonomous system from which it originated.
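The three ideas in this chapter so far (the summary prefix worked out in the addressing example, defensive prefix filtering toward a remote site, and loop-safe bidirectional redistribution) as one Cisco IOS fragment. This is an added example and not from the original text: the AS numbers, process numbers, interface names, the remote site's block 10.5.0.0/16, the hub block 10.1.0.0/16 and the tag values are assumptions.

```cisco
! Added example, not from the original text. Addresses, AS and process
! numbers, interface names and route tags are assumptions.
!
! 1. Summarize the distribution block toward the core using the summary
!    prefix derived in the addressing example (172.19.128.0/19).
interface TenGigabitEthernet1/1
 description Uplink to core
 ip summary-address eigrp 100 172.19.128.0 255.255.224.0
!
! 2. Defensive filtering toward a remote site peered over eBGP.
!    Inbound: accept only the site's own block (assumed 10.5.0.0/16, no
!    longer than /24). Outbound: send only the default and the hub block.
!    A prefix list ends in an implicit deny, so anything else the site leaks
!    (another site's block, a default, a path to a third site) is dropped
!    before it can be installed, and the site can never become transit.
ip prefix-list FROM-SITE-A seq 10 permit 10.5.0.0/16 le 24
ip prefix-list TO-SITE-A seq 10 permit 0.0.0.0/0
ip prefix-list TO-SITE-A seq 20 permit 10.1.0.0/16
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65005
 neighbor 192.0.2.2 prefix-list FROM-SITE-A in
 neighbor 192.0.2.2 prefix-list TO-SITE-A out
!
! 3. Bidirectional redistribution between EIGRP 100 and OSPF 1. A route is
!    tagged with its origin domain when it crosses the boundary (tag 100 =
!    came from EIGRP, tag 1 = came from OSPF), and the route map in the
!    opposite direction denies that tag, so a route is never re-advertised
!    back into the domain it originated from, even with several boundary
!    routers.
route-map EIGRP-TO-OSPF deny 10
 match tag 1
route-map EIGRP-TO-OSPF permit 20
 set tag 100
!
route-map OSPF-TO-EIGRP deny 10
 match tag 100
route-map OSPF-TO-EIGRP permit 20
 set tag 1
!
router ospf 1
 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
!
router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-TO-EIGRP
```

After applying the filters, show ip bgp neighbors 192.0.2.2 received-routes (with soft-reconfiguration inbound enabled) shows what the site offered, and show ip bgp neighbors 192.0.2.2 routes shows what survived the inbound prefix list; the difference is exactly the set of prefixes the site should not have been advertising.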


Migration Between Protocols

n Use the administrative distance (AD) to migrate the routing protocols.

n Use redistribution along with a moving boundary.

Scalable EIGRP

There are a number of considerations when using EIGRP:

n EIGRP can be used to achieve subsecond convergence.

n Multiple EIGRP autonomous systems may be implemented to achieve scalability.

n With external route redistribution, the route that is installed first is preferred.

n Both inbound and outbound route tags can be used to filter redistribution and support scaling.


FIGURE 3-1 Scaling EIGRP with Multiple Autonomous Systems (RIP, EIGRP AS 100, EIGRP AS 200; routers A, B, and C): A route is redistributed from RIP into AS 200. Router A redistributes routes into AS 100. Router B receives this route from both AS 100 and AS 200. Because the same route is learned through separate routing processes, the first installed route is preferred.


Reasons to consider the use of multiple EIGRP autonomous systems include the following:

n As a migration strategy post merger/acquisition

n Need to support different domains of trust or administrative control

n Provides support for dividing very large networks

Scalable OSPF Design

A number of factors influence the scalability of OSPF:

n Selection of the designated router: Select routers that are not heavily loaded with CPU-intensive activities.

n Routing information in the area and domain: The larger and more unstable an area is, the more likely performance problems associated with routing protocol recalculation are to occur.

n Areas supported by any one router: The link-state algorithm must be run for each link-state change in every area in which the router resides.

n Number of adjacent neighbors for a given router: Link-state changes are flooded to all routers in an area.

Area Design

n Consider geographic or functional boundaries, and match up address summarization and areas where possible.

n Use as much summarization as possible and stub areas.

n Connected routes should also be advertised via a network statement.


OSPF Hierarchy

n Separate complexity from complexity with an Area Border Router (ABR).

n Place area borders to reduce suboptimal routing and to increase summarization.

To provide route summarization and reduce the link-state advertisement (LSA) database size and flooding in OSPF, consider the following:

n Area filtering.

n Use area ranges per the OSPF RFCs.

n Use summary address filtering.

n Filtering for not-so-stubby-area (NSSA) routes.

n Originating default.

Hub-and-Spoke OSPF Design

Allows every router in an area to receive the same information, but requires additional tuning.

Spoke Areas

These should be as stubby as possible; the fewer spokes in each area, the less flooding redundancy there is.

Hub

Should be an ABR so that each area may be summarized into the other areas.


Best Approach

Use a small, yet highly stable, area 0 because of the extremely important nature of the backbone area in OSPF.

OSPF Area Border Connection

Dual-homed connections in a hub-and-spoke OSPF network create connections parallel to an area border. There are two possible solutions when connecting the ABRs within each area:

n Add a real link between the ABRs inside the area.

n Add a virtual link between the ABRs inside area 0.

OSPF Area Filtering

Border area filtering and interarea filtering are supported. Border area filtering (RFC 2328) is done using the OSPF area range command. Interarea filtering uses a prefix list to filter the prefixes that are advertised either from or to a given area. Use RFC standard border area filtering.

To reduce OSPF flooding, consider the following:

n Reduce adjacencies for stressed routers.

n Decrease volatility of network.

n Use more hierarchy than large-scale full-mesh topologies.

n Increase number of routers to handle adjacency workload.

n Decrease the number of routers in an area.


OSPF Convergence

You may use several techniques to increase the speed of convergence in OSPF, including the following:

n Fast hellos: Tuned timers converge much faster than default OSPF operations. Use fast hellos only if the number of neighbors is reasonably small. Test and observe their impact on the router’s CPU.

n Incremental SPF (iSPF): This uses a modified Dijkstra algorithm and provides faster OSPF convergence and saves on CPU resources.

n Bidirectional Forwarding Detection (BFD): Provides fast, reliable detection of link failure using frequent link hellos.
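The OSPF hierarchy, area filtering and convergence techniques from the preceding sections as a Cisco IOS fragment for a hub ABR. This is an added example and not from the original text: the router ID, the address blocks per area, the management block 10.255.0.0/16, the prefix-list and interface names, and the timer values are assumptions.

```cisco
! Added example, not from the original text. Router ID, area address blocks,
! the management block, list and interface names and timers are assumptions.
router ospf 1
 router-id 10.0.0.1
! Small, stable area 0: only the core links live there.
 network 10.0.0.0 0.0.0.255 area 0
! Spoke area 1 is totally stubby: it receives only a default from this ABR,
! so spoke routers never carry the rest of the domain.
 network 10.1.0.0 0.0.255.255 area 1
 area 1 stub no-summary
! RFC-standard border filtering: the whole area 1 block leaves as a single
! summary LSA, and a flap inside area 1 is invisible to other areas.
 area 1 range 10.1.0.0 255.255.0.0
! Interarea filtering (a Cisco extension, not RFC behavior): never inject
! the management block into area 1 as a summary LSA.
 area 1 filter-list prefix NO-MGMT in
! NSSA area 2 with its redistributed routes summarized as they are
! translated from type 7 to type 5 at this ABR.
 network 10.2.0.0 0.0.255.255 area 2
 area 2 nssa
 summary-address 192.168.0.0 255.255.0.0
! Originate the default into the domain only while this router itself has
! a default route (the Internet-edge router should be the one doing this).
 default-information originate
! Incremental SPF: recompute only the affected part of the tree.
 ispf
!
ip prefix-list NO-MGMT seq 10 deny 10.255.0.0/16 le 32
ip prefix-list NO-MGMT seq 20 permit 0.0.0.0/0 le 32
!
! Core-facing link: fast hellos (250 ms hello, 1 s dead) or BFD. Both are
! shown; pick one in practice, since BFD detects the failure in hardware
! with far less control-plane load than fast hellos on a busy router.
interface TenGigabitEthernet1/1
 description Core-facing link
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 4
 bfd interval 250 min_rx 250 multiplier 3
 ip ospf bfd
```

The two solutions for parallel area borders mentioned above map onto this: a real link between the ABRs is an interface placed in area 1 with a network statement, while a virtual link is configured with area 1 virtual-link <router-id of the other ABR> under router ospf.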

Design Scalable BGP Solutions

Internal BGP (iBGP) requires a full mesh of peers, which does not scale as the number of routers grows. There are two alternatives that address this, route reflectors and confederations:

n Route reflectors: A route reflector is an iBGP speaker that reflects routes learned from iBGP peers to other iBGP peers. Use multiple route reflectors to avoid a single point of failure.

n Route reflector client: An iBGP router that receives and sends routes of most other iBGP speakers using the route reflector.

n Route reflector cluster: A configuration of the route reflector, along with its clients.

When a route reflector receives a route from a route reflector client, it reflects the route to the other clients within the cluster, and nonclients and external BGP (eBGP) peers. If a route is received from a nonclient, it reflects it to route reflector clients, but not to other nonclients.


n Confederations: These use the autonomous system path to insert information into BGP routes to prevent loops within an autonomous system.

Route advertisement with confederations works in a similar fashion to route reflectors:

n Routes learned from an eBGP peer are advertised to all confederation peers, both internal and external.

n Routes learned from a confederation-external peer (a peer in another member autonomous system) are advertised to all confederation-internal peers and to eBGP peers.

n Routes learned from a confederation-internal peer are advertised to all confederation-external peers and to eBGP peers, but, as with ordinary iBGP, not to other confederation-internal peers.
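Both scaling techniques as Cisco IOS fragments, each for a different router. This is an added example and not from the original text: the AS numbers, cluster ID, loopback and peer addresses are assumptions.

```cisco
! Added example, not from the original text. AS numbers, cluster ID and
! peer addresses are assumptions. The two router bgp stanzas belong to two
! different routers; a router runs only one BGP process.
!
! Router RR1: one of two route reflectors in the same cluster. The second
! reflector (10.0.0.2) is configured identically with the same cluster-id
! and peers with the same clients, so a client keeps its routes if one RR
! fails. The shared cluster-id makes each RR discard the other's reflected
! copies (cluster-list loop check) instead of reflecting them again.
router bgp 65001
 bgp cluster-id 1.1.1.1
 neighbor 10.0.0.11 remote-as 65001
 neighbor 10.0.0.11 update-source Loopback0
 neighbor 10.0.0.11 route-reflector-client
 neighbor 10.0.0.12 remote-as 65001
 neighbor 10.0.0.12 update-source Loopback0
 neighbor 10.0.0.12 route-reflector-client
! The other reflector is an ordinary iBGP (nonclient) peer.
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 update-source Loopback0
!
! Router C1 in a confederation: member AS 65101 inside the externally
! visible AS 65001. Confederation-external peers are listed under
! bgp confederation peers so their member-AS numbers are treated as
! internal and stripped before the route is advertised to true eBGP peers.
router bgp 65101
 bgp confederation identifier 65001
 bgp confederation peers 65102 65103
! Confederation-internal peer: ordinary iBGP inside member AS 65101.
 neighbor 10.1.0.1 remote-as 65101
! Confederation-external peer in member AS 65102.
 neighbor 10.12.0.2 remote-as 65102
! True eBGP peer: sees only AS 65001 in the AS path.
 neighbor 192.0.2.1 remote-as 64600
```

On the reflector, show ip bgp neighbors 10.0.0.11 reports the peer as a route reflector client; on a true eBGP neighbor of the confederation, show ip bgp <prefix> shows an AS path containing 65001 and none of the member AS numbers.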


If a router learns a route from an iBGP peer, it will not advertise that route to another iBGP peer.

FIGURE 3-2 Scaling BGP Designs: the router that learns 10.2.2.0/24 from an eBGP peer advertises it to its iBGP peers; a router that learns 10.2.2.0/24 from an iBGP peer does not advertise it to its other iBGP peers.


Chapter 4: Design Considerations for Advanced WAN Services

This chapter discusses how advanced WAN technologies based on Layer 1 optical transport or Layer 2 and Layer 3 services can impact the enterprise design. Metro Ethernet, Virtual Private LAN Service (VPLS), and Multiprotocol Label Switching (MPLS) virtual private network (VPN) technologies are considered. Customer requirements and service level agreements (SLA) as a function of a WAN design are also discussed.

Constructing WANs Using Optical Technologies


FIGURE 4-1 Optical Interconnection Technologies (Layer 1: DWDM/CWDM, SONET/SDH; Layer 2: DPT/RPR)


A number of common optical interconnection technologies are used to connect enterprise locations:

n SONET/Synchronous Digital Hierarchy (SDH): The North American high-speed baseband digital transport standard that specifies increasing data stream rates for movement across optical links

n Dense wavelength-division multiplexing (DWDM)/coarse wavelength-division multiplexing (CWDM): Technologies that increase the information-carrying capacity of existing fiber-optic infrastructure by transmitting and receiving data on different wavelengths on a single strand of fiber

n Dynamic Packet Transport (DPT)/Resilient Packet Ring (RPR): Designed for service providers (SP) to deliver scalable Internet service, and to deliver reliable IP-aware optical transport and simplified network operations for metropolitan-area network (MAN) applications

Technical Specifications for SONET

SONET uses time-division multiplexing (TDM) for framing voice and data onto a single wavelength of fiber.

n Typically uses fiber rings and can cover a distance of 80 km without the need for repeaters.

n Generally used with SONET access equipment, which may statistically multiplex 10 Mbps Ethernet, Fast Ethernet, or Gigabit Ethernet onto a SONET circuit.

Questions to ask an SP when considering SONET include the following:

n What path is followed by your service?

n Are end-to-end SONET rings used to provide the service?

n How much bandwidth is dedicated for my specific use?


Wavelength-Division Multiplexing (WDM)

A multiplexer places multiple optical signals, each on a different wavelength, onto a single fiber, and a demultiplexer at the receiver splits them off again. The types of WDM are as follows:

n CWDM: An optical technology that may be used to transmit up to 16 channels over the same fiber strand.

n DWDM: Similar to CWDM, but it spaces the wavelengths more tightly, allowing up to 160 channels.

RPR Technologies

RPR is a Layer 2 transport architecture that provides packet-based transmission over a dual counter-rotating ring topology. It is similar to the Cisco Spatial Reuse Protocol (SRP), which is implemented in the Cisco Dynamic Packet Transport (DPT) products.

For enterprise clients, RPR is seen as a transport ring that supports connections between their locations while overcoming some of the limitations of SONET/SDH.

Metro Ethernet

Metro Ethernet is based on the Ethernet standard but is supported across a metropolitan area. Metro Ethernet uses a combination of Ethernet, optical, and IP technologies in the metropolitan area. An SP might use SONET/SDH rings or point-to-point links, WDM, or RPR technologies for its Metro Ethernet architecture.

Implementation of Metro Ethernet service may be based on one or more of the following approaches:

n A pure Ethernet MAN uses only Layer 2 switches for all internal structure.

n MPLS-based Metro Ethernet uses Layer 2 MPLS VPNs in the SP network.

n SONET/SDH-based Metro Ethernet networks may be used as an intermediate step in the transition from a traditional, time-division-based network to Ethernet.
