Designing Cisco Network Service Architectures - Free Books
ARCH
Designing Cisco Network Service Architectures
Version 2.0
Lab Guide
05.03.07


DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.

This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

ii Designing Cisco Network Service Architectures (ARCH) v2.0 © 2007 Cisco Systems, Inc.


Table of Contents

Lab Guide 1
  Overview 1
  Outline 1
Case Study 1: MegaCorp Campus Design 2
  Activity Objective 2
  Visual Objective 2
  Required Resources 2
  MegaCorp Campus Case Study Scenario 3
  Campus Design: Business Factors 4
  Campus Design: Technical Factors 5
  MegaCorp Campus Design Tasks 6
  Activity Verification 8
Case Study 2: CP Hotels Addressing and Routing Design 9
  Activity Objective 9
  Visual Objective 9
  Required Resources 10
  CP Hotels Case Study Scenario 10
  CP Hotels Design Tasks 19
  Activity Verification 20
Case Study 3: CP Hotels Network Initiatives 21
  Activity Objective 21
  Visual Objective 21
  Required Resources 21
  CP Hotels Case Study Scenario 22
  CP Hotels Design Tasks 24
  Activity Verification 26
Case Study 4: CP Hotels Security and IPsec VPN Network 27
  Activity Objective 27
  Visual Objective 27
  Required Resources 27
  CP Hotels Case Study Scenario 27
  CP Hotels Design Tasks 32
  Activity Verification 33
Case Study 5: DS Medical Research Institute Network Infrastructure 35
  Activity Objective 35
  Visual Objective 35
  Required Resources 36
  DS-MRI Case Study Scenario 36
  DS-MRI Design Tasks 37
  Activity Verification 39
Answer Key 41
  Case Study 1 Answer Key: MegaCorp Campus Design 41
  Case Study 2 Answer Key: CP Hotels Addressing and Routing Design 45
  Case Study 3 Answers: CP Hotels Network Initiatives 49
  Case Study 4 Answer Key: CP Hotels Security and IPsec VPN Network 53
  Case Study 5 Answer Key: DS Medical Research Institute Network Infrastructure 57




ARCH Lab Guide

Overview

This guide presents the instructions and other information concerning the activities for this course. You can find the recommended solutions in the Case Study Answer Key.

Outline

This guide includes these activities:
• Case Study 1: MegaCorp Campus Design
• Case Study 2: CP Hotels Addressing and Routing Design
• Case Study 3: CP Hotels Network Initiatives
• Case Study 4: CP Hotels Security and IPsec VPN Network
• Case Study 5: DS Medical Research Institute Network Infrastructure


Case Study 1: MegaCorp Campus Design

This case study enables you to practice the skills and knowledge learned in the “Reviewing Cisco Network Service Architectures” and “Enterprise Campus Network Design” modules.

This case study is based on a fictional company, MegaCorp. MegaCorp is a rapidly growing, leading knowledge-worker-based company with many large offices. They operate in the insurance, financial, marketing, services, and/or government areas of business.

You represent a Cisco Premier Partner and have been called in by the CIO to review the MegaCorp design. The design is focused on their campus network.

Activity Objective

In this activity, you will create a high-level design for the campus portions of the MegaCorp network.

After completing this activity, you will be able to meet these objectives:
• Document and explain the real customer requirements for this scenario.
• Complete and present an optimal high-level design, including a diagram, physical and logical topology descriptions, recommended switch models and alternatives, other significant details, notes on how your design will support IP Telephony, and notes on what your Power over Ethernet (PoE) recommendations are. Describe and defend the pros and cons of your optimal design, and how it improves on the existing MegaCorp design.
• Describe any other technical design factors the detailed design should incorporate.
• Present a high-level approach for how to smoothly migrate from the old to the new network design.
• Describe how to mitigate risks in the present MegaCorp design using Cisco switches.
• Complete and present a design using Metro Ethernet components as provided in this case study to connect to remote office buildings.

Visual Objective

There is no visual objective for this case study.

Required Resources

These are the resources and equipment required to complete this activity:
• Case Study guidelines, presented in the Course Introduction
• MegaCorp Campus Case Study Scenario, presented here in the Lab Guide
• A workgroup consisting of two to four students
• Blank sheets of paper and a pencil


MegaCorp Campus Case Study Scenario

MegaCorp has a large campus network supporting 10,000 users. The campus consists of 8 equally sized buildings. Each building has 5 floors of approximately 30,000 square feet per floor, with 2 wiring closets (A and B) per floor.

The present campus network uses a design recommended by their present switch vendor, who is no longer in business. The design uses stackable switches in a daisy chain in each closet. The end switches in each daisy chain connect to a pair of building switches. Spanning tree is disabled in the closets; the switches detect link state loss and only activate one of the two uplinks at a time. Access ports are 10 Mbps and uplinks 100 Mbps in many cases.

The two building switches are connected to each other with a trunk. Each building switch connects back to one of the two core switches. The core switches have a link between them and operate at Layer 2 only. All the uplinks and the connecting link are in one VLAN. The building switches route the building subnets into the one core VLAN, to which every building switch is connected.

The present design uses one VLAN per department. Real-estate “wars” have led to departments being spread over different parts of different floors in each building. Shuffling ports to different VLANs to support personnel moves keeps several recent technical institute grads busy.

MegaCorp thinks their current network is very stable. They only have an outage every month or two, and staff can usually fix them within an hour by turning off one of the two building switches. In the evening, they power it up, and disconnect switches until the STP problem is found. The staff doesn’t mind the overtime pay.


The company is now using the offices from 6 AM to 12 midnight, with different people working different hours to service customers in different time zones. Many cubicles are virtualized or used for hoteling, with different occupants at different times or on different days. MegaCorp prides itself on providing good customer service.

Campus Design: Technical Factors

You conducted a network baseline. The baseline monitoring indicates that there is a moderate degree of STP instability in the current network. This causes bursts of 50-second outages that employees do not complain about, because they have gotten so used to them. There is evidence that the 100 Mbps uplinks from the closets are congested.

The technical staff think Cisco VTP sounds interesting, as it might save having to create VLANs on switches to support moves, adds, and changes.

The CIO wants more availability than MegaCorp has at present, and has specifically asked for a design using three building switches instead of two, to get better availability.

The network staff asked that the switches quoted be “IPT and wireless ready”, whatever that means.

The draft Bill of Materials given to you by the technical staff indicates a plan for all switches to be equipped for Power over Ethernet (PoE) on all ports. They also asked for an option for equipment without PoE, since power injectors sound less costly to some of the lead technical staff.


MegaCorp Campus Design Tasks

Complete these steps:

Step 1: Determine what MegaCorp’s business and technical requirements really are (or should be), and how to convince MegaCorp that you are correct. (Do not spend a lot of time on this.)

Step 2: Determine a recommended design, and its pros and cons, as well as how it improves the current MegaCorp design. Diagram the design, and use bullet lists to itemize specifics. Be prepared to justify any changes to the MegaCorp plan that you propose. Include in your plans:
• Physical topology (port counts, links, and link speeds, diagrams)
• Logical topology (VLAN locations and scopes, Layer 2, Layer 3, other protocols: VTP, STP choice, STP settings, routing protocol, First Hop Routing Protocol, etc.)
• Recommended switch models and alternatives
• Other significant details
• Plans for IP Telephony support
• Recommendation for PoE

Step 3: Identify other technical design elements that the detailed design should include (e.g., type of STP, security measures, etc.).

Step 4: Provide a high-level plan for how the network could be smoothly migrated over to the new equipment over several months.


Activity Verification

Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group.

The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
• What you think are the requirements for MegaCorp, and the justification for your answers
• Your diagram, etc. for the best design
• Your list of pros and cons for the best design, and how it improves the current MegaCorp (proposed) design. (See the list of detailed items to provide above.)
• Your justifications for any changes to the MegaCorp plan that you propose.
• Your list of other technical design factors the detailed design should incorporate
• Your high-level migration plan.
• Your plan for how to mitigate risks in a “modern equipment” version of the MegaCorp current design.
• Your proposal for how to accommodate the Metro Ethernet and acquisition into your design, and justification for the main elements you propose.


Case Study 2: CP Hotels Addressing and Routing Design

This case study enables you to practice the skills and knowledge learned in the modules up to this point, especially the “Advanced Addressing and Routing Design” lesson. Any technology we have not yet discussed is used in only minor ways where superficial knowledge or the information provided within the case study should suffice.

This case study is based on a fictional company, CP Hotels. CP Hotels is a rapidly growing hotel organization providing services to a family of 8 hotel brand names such as SuiteSpot™, CheapStay™, El Quarto™, and PurpleRoof Inn™. The brands are different corporate divisions with different cost structures and networking requirements, serviced by the shared IT organization. Each brand provides different pricing and customer amenities (premium service versus low cost, single room versus suite, etc.).

You represent a Cisco Partner called in to review the existing CP Hotels addressing and routing design, and provide recommendations for improvement.

We normally try to use private addressing in case studies. In this case study, we use some fictional public IP address blocks for clarity and a real-world flavor.

Activity Objective

In this activity, you will critically review, redesign, and create new parts of an IP addressing and routing design for CP Hotels.

After completing this activity, you will be able to meet these objectives:
• Examine and critique a moderately complex IP addressing scheme, and propose how to improve it.
• Examine and critique a moderately complex routing scheme, and propose how to improve it.
• Evaluate and improve the current route redistribution scheme. Evaluate and improve the current default routing scheme.
• Propose a new addressing scheme to provide out-of-band NAC roles and voice VLANs in the four HQ buildings.
• Discuss the impact of moving web servers to collocation facilities, and propose a design for how to best connect them back to the data centers, and how to best perform routing to them.

Visual Objective

There is no visual objective for this case study.


Required Resources

These are the resources and equipment required to complete this activity:
• Case study guidelines, presented in the Course Introduction
• CP Hotels Case Study Scenario
• A workgroup consisting of two to four students
• Blank sheets of paper and a pencil

CP Hotels Case Study Scenario

Network Topology

There are four large headquarters (HQ) buildings, two data centers (A and B), eight call centers, and 2000 hotel sites in the CP Hotels network. There are also connections to partners (suppliers and local packages such as sports and tour vendors, etc.).

The two data centers are identical to each other. The network is structured around two core Cisco Catalyst 6509 Series Layer 3 switches in each of the data centers. They are interconnected through dense wavelength-division multiplexing (DWDM) over a fiber ring.

Various network modules connect to the two core switches in each data center. Each module terminates in two core-facing routers or Layer 3 switches. Each core-facing router or Layer 3 switch in the module connects to both core Cisco Catalyst 6509 Series switches in its data center building.

The data center modules are:
• Server Farm (Server) Module
• Hotels Module
• Call Center Module
• Partner Module
• Corporate Internet Access Module
• HQ Router Module

Remote sites or partners connect to the relevant module in each data center. Dual local links are used where feasible to provide increased availability. In such cases, one link goes to each data center.


The following diagram illustrates the CP Hotels network topology at a high level:

[Figure: CP Hotels network topology. Data Center A: two core switches with these modules attached. Server Farm Module: core, aggregation, access, rows of racks of servers (x 8); mainframe and website DMZ also located here, with Internet connections. Hotels Module: core, aggregation (4 pairs), L2 connectivity (shared), access (4 groups of 4, 16 total), Frame Relay to 2000 hotels. Call Center Module: MPLS VPN. Partner Module: partners, various connection methods. Corporate Internet Access: Internet. HQ Module: HQ 1 & 2, HQ 3 & 4. Data Center B: identical layout.]


Server Farm Module

In each data center, there are many servers organized into rows. Each server row connects to a pair of Cisco Catalyst 6509 Series access switches placed at the end of the row. Eight server rows connect to a pair of Layer 3 Cisco Catalyst 6509 Series aggregation switches using 4 Gbps EtherChannel. Although a smaller chassis might have been used for the aggregation switches, this approach keeps the equipment model inventory simple and allows space for NAM blades and service modules.

There are currently two pairs of aggregation switches (two aggregation modules of 8 rows each) connecting to the core server switches by 4 Gbps EtherChannel.

The corporate mainframes also connect to switches via Gigabit connections. They run IBM OSA, which uses OSPF to route traffic to the rest of the network, mainly to detect and respond to Gigabit link failure. They connect directly to aggregation layer switches in one of the two aggregation modules.

[Figure: Server Farm Module: core, aggregation, access, rows of racks of servers (x 8); mainframe and website DMZ also located here, with Internet connections.]

The corporate public-facing web and e-commerce servers are in a DMZ complex connected to one pair of access switches in the server farm area. They produce a high volume of traffic, all local to the server module. Separate dedicated high-speed Internet connections connect to the outside of the firewalls in the DMZ complex. All servers, mainframes, and web servers are duplicated at the second data center site.

Hotels Module

Each hotel connects via Frame Relay to each data center through the Hotels Module. There are 16 access routers, each of which connects to approximately 128 hotels. They aggregate into four pairs of aggregation routers, one pair for each of four Regions. The aggregation routers connect to two Layer 3 switches at the core-facing edge of the Hotels Module. The data center access router WAN links are fractional T3, running at approximately 20 (or 30) Mbps, one to each access router. The hotels have 256 Kbps PVCs with fractional T1 access circuits.

[Figure: Hotels Module: core, aggregation (4 pairs), L2 connectivity (shared), access (4 groups of 4, 16 total), Frame Relay to 2000 hotels.]


Note: 128 x 256 Kbps is approximately 33 Mbps. So each data center access router needs some fraction of that bandwidth, depending on how much oversubscription is built into the network.

Call Center Module

The Call Center Module connects to eight Call Centers.

[Figure: Call Center Module, connected through MPLS VPN.]

Partner Module

Partners connect via a variety of methods, including leased lines, Frame Relay, IPsec VPN, and MPLS VPN. Firewalls are used so that only specific partner server IP addresses may talk to partner servers in the server farm.

[Figure: Partner Module: partners reached through various connection methods.]

Corporate Internet Access Module

Internet connectivity is provided through the Corporate Internet Access Module.

[Figure: Corporate Internet Access Module, connected to the Internet.]

HQ Module

Each HQ building is connected to an HQ router in both data centers. These eight connections are through DS-3 ATM.

[Figure: HQ Module: HQ 1 & 2, HQ 3 & 4.]


Routing at CP Hotels

The following diagram indicates the routing design.

[Figure: CP Hotels routing design, Data Center A (Data Center B has an identical layout). Labels as drawn: Server Farm Module, OSPF (mainframe and website DMZ also located here, not shown); Internet connections, EBGP; Hotels Module, IBGP at the core-facing routers, aggregation (4 pairs), 4 OSPF AS’s, access (4 groups of 4, 16 total), Frame Relay to 2000 hotels; Call Center Module, EBGP to the MPLS VPN; Partner Module, static routing; Corporate Internet Access, static routing to the Internet; HQ Module, OSPF to HQ 1 & 2 and HQ 3 & 4.]


The routing design uses External Border Gateway Protocol (EBGP) to isolate routing in the various modules. Most modules use Open Shortest Path First (OSPF) within the module. Each module has a different private BGP autonomous system (AS) number, to simplify writing BGP policy rules. The module pair of routers uses EBGP to the two core routers in each data center. Each module router peers with both core routers in its data center. The two data center core pairs each have different BGP AS numbers and also use EBGP to the other data center pair.

Each module router pair redistributes the relevant Interior Gateway Protocol (IGP) into BGP. Default is injected into the IGP in each module, so that default points to the core (which then routes to the dedicated Internet links).

Server Farm Module

The Server Module uses OSPF. OSA on the mainframe is isolated behind dedicated Cisco 7300 Series routers, in their own totally stubby area, to isolate the mainframes from route changes.

[Figure: Server Farm Module, OSPF: core, aggregation, access, rows of racks of servers (x 8); mainframe and website DMZ also located here, with Internet connections.]

Hotel Module

The Hotel Module uses EBGP between its core-facing edge routers and the core. It uses IBGP between those routers and the aggregation routers. The aggregation routers summarize OSPF into the IBGP. They are connected to OSPF area 0, but each pair of aggregation routers uses a logically separate OSPF area 0 for its Region. This keeps route changes in a Region from propagating into the other Regions, and corresponds to the fact that hotel-to-hotel traffic is not allowed.

[Figure: Hotels Module: core, IBGP, aggregation (4 pairs), 4 OSPF AS’s, access (4 groups of 4, 16 total), Frame Relay to 2000 hotels.]

The 4 access routers in a Region act as Area Border Routers, summarizing their areas into the Region’s area 0. Each access router uses one area for every 32 sites it connects to.


Note: This Frame Relay design approach gives us 5 areas per ABR (128/32 = 4, plus area 0). This was a very aggressive design as of 5-10 years ago, when 3 areas on one router was considered aggressive. One alternative would have been to put 64 hotels per area. This alternative would, however, waste more bandwidth on LSA flooding within each area. For purposes of this case study, we will stick with the aggressive OSPF design.

Call Center Module

The Call Center routers speak EBGP to the MPLS VPN provider, and also to the core routers. Each Call Center runs EIGRP, but that is not visible from the data center.

[Figure: Call Center Module, EBGP to the MPLS VPN.]

Partner Module

The Partner Module uses static routing internally, whatever the external routing may be. The core-facing routers use BGP network statements to pass a summary of these routes into the core. Default routing cannot be used to reach partners, since default needs to direct traffic to the corporate Internet links via the Corporate Internet Module.

[Figure: Partner Module, static routing to partners.]

HQ Module

The HQ Module uses OSPF to the four HQ buildings. Each HQ building WAN router summarizes the building into the WAN, which is area 0 for the HQ OSPF autonomous system. One VLAN per area uses the DWDM connection to tie each ABR in Data Center A to its “twin” in Data Center B. Each pair of aggregation routers in each data center connects to the corresponding pair in the other data center via two VLANs that are in their area 0, to make the area 0 networks contiguous.

[Figure: HQ Module, OSPF to HQ 1 & 2 and HQ 3 & 4.]


Addressing at CP Hotels

HQ buildings were addressed from the public address block 150.1.0.0/16.

Site | Address Block | Total Addresses in Block | Active Desktop and Access Ports
HQ1  | 150.1.0-31    | 8192 | 2500
HQ2  | 150.1.32-63   | 8192 | 2500
HQ3  | 150.1.64-95   | 8192 | 3000
HQ4  | 150.1.96-111  | 4096 | 1000

Data Center A uses some addresses from 150.1.240-255. Both data centers use addresses from 10.1.0.0/16 and 172.20.0.0/16. This scheme reflects different addressing schemes over time, and the difficulty of getting server staff to change addresses on servers. (“Server addresses are forever.”)

Call Centers use addresses from 180.1.0.0/16, assigned to allow room for growth. They are assigned as follows:

Site | Address Block | Active Desktop and Access Ports
CC1  | 180.1.0-11    | 200
CC2  | 180.1.12-23   | 200
CC3  | 180.1.24-35   | 200
CC4  | 180.1.36-47   | 200
CC5  | 180.1.48-59   | 100
CC6  | 180.1.60-71   | 100
CC7  | 180.1.72-83   | 100
CC8  | 180.1.84-95   | 100

Partner addresses are public addresses chosen by the partner to avoid any possible address duplication. They come from multiple blocks per partner.


Each Region of 500 hotels is assigned address blocks as follows:

Region | Address Block | Total Addresses in Block | Active Desktop and Access Ports
1      | 10.96-103     | 524,288 | Up to 128,000 (500 x 256)
2      | 10.104-111    | 524,288 | Up to 128,000
3      | 10.112-119    | 524,288 | Up to 128,000
4      | 10.120-127    | 524,288 | Up to 128,000

(Each region block is eight /16s, that is, a /13; the four regions together, 10.96.0.0/11, hold 2,097,152 addresses.)

This matches a bit mapping design of 10.011r raaa.aass ssss.hhhh hhhh, where “r” indicates the region bits (region minus 1), “a” indicates the area bits within that region, “s” indicates the subnet bits relative to the area, and “h” indicates the host bits in the subnet.

Within each region, the 5 area bits allow for 32 areas: 4 access routers with 4 areas each is 16 areas, and area 0 makes 17, so 4 area bits are not enough and the next size up, 5 bits, is used. Within each area, we need to connect 32 or fewer hotels, which means we need 32 subnets (5 subnet bits; make it 6 to allow more flexibility, and also to provide /30 blocks for the WAN links).
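The bit layout above, worked through as an added example (this is not code from the lab guide): a small Python module that assigns a hotel /24 from the 2/5/6/8-bit layout, derives the /13 per region and /18 per area summaries the aggregation routers and ABRs could advertise, decodes an address back to (region, area, subnet), and cuts a spare /24 into /30 WAN links. Using the last subnet of each area for the /30 links is an assumption; the scenario does not say which subnet is reserved for them.

```python
"""CP Hotels hotel-region address plan: 10.011r raaa.aass ssss.hhhh hhhh.

Added example, not part of the Cisco lab guide. 2 region bits (region minus 1),
5 area bits, 6 subnet bits, 8 host bits, as described in the case study text.
"""
from __future__ import annotations

import ipaddress

REGIONS, AREAS_PER_REGION, SUBNETS_PER_AREA = 4, 32, 64


def hotel_subnet(region: int, area: int, subnet: int) -> ipaddress.IPv4Network:
    """/24 for hotel subnet `subnet` (0..63) in OSPF area `area` (0..31) of region 1..4."""
    if not (1 <= region <= REGIONS and 0 <= area < AREAS_PER_REGION
            and 0 <= subnet < SUBNETS_PER_AREA):
        raise ValueError("region/area/subnet out of range for the 2/5/6-bit layout")
    r = region - 1                                   # region bits hold region minus 1
    second = 0b01100000 | (r << 3) | (area >> 2)     # 011r raaa: top 3 area bits
    third = ((area & 0b11) << 6) | subnet            # aass ssss: low 2 area bits, 6 subnet bits
    return ipaddress.IPv4Network(f"10.{second}.{third}.0/24")


def region_block(region: int) -> ipaddress.IPv4Network:
    """Summary a Region's aggregation routers can announce: 8 + 6 + 5 bits below the prefix = /13."""
    return ipaddress.IPv4Network((int(hotel_subnet(region, 0, 0).network_address), 13))


def area_block(region: int, area: int) -> ipaddress.IPv4Network:
    """Summary an access router (ABR) announces for one area: 64 x /24 = /18."""
    return ipaddress.IPv4Network((int(hotel_subnet(region, area, 0).network_address), 18))


def decode(address: str) -> tuple[int, int, int]:
    """Inverse mapping: (region, area, subnet) that a hotel host address belongs to."""
    o1, o2, o3, _ = map(int, address.split("."))
    if o1 != 10 or (o2 >> 5) != 0b011:
        raise ValueError(f"{address} is not in the hotel range 10.96.0.0/11")
    region = ((o2 >> 3) & 0b11) + 1
    area = ((o2 & 0b111) << 2) | (o3 >> 6)
    subnet = o3 & 0b111111
    return region, area, subnet


def wan_links(region: int, area: int, spare_subnet: int = 63) -> list[ipaddress.IPv4Network]:
    """Only 32 of the 64 subnets in an area are hotels; a spare /24 (here the last one, an
    assumption) is cut into /30 point-to-point WAN links for the hotel PVCs."""
    return list(hotel_subnet(region, area, spare_subnet).subnets(new_prefix=30))


def total_hotel_addresses() -> int:
    """Address space consumed by all four Regions together."""
    return sum(region_block(r).num_addresses for r in range(1, REGIONS + 1))


if __name__ == "__main__":
    for r in range(1, REGIONS + 1):
        print(f"Region {r}: {region_block(r)} ({region_block(r).num_addresses:,} addresses)")
    print("Region 2, area 5, hotel subnet 17 ->", hotel_subnet(2, 5, 17))
    print("Area 4 of region 1 summarises as", area_block(1, 4))
    print("10.127.255.7 decodes to (region, area, subnet) =", decode("10.127.255.7"))
    print(f"{len(wan_links(1, 0))} /30 WAN links from one spare /24")
    print(f"All four regions together: {total_hotel_addresses():,} addresses")
```

Running it prints four /13 region blocks of 524,288 addresses each (2,097,152 in total), which is the check behind the corrected table above. The `region_block` and `area_block` summaries are the routes the Region aggregation routers and the ABRs can carry into IBGP and area 0 respectively; whether the current design actually summarizes at those boundaries is what Step 2 asks you to assess.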


CP Hotels Design Tasks

Complete these steps:

Step 1: Comment on the current addressing scheme, and its strong and weak points. All criticism should be constructive. That is, if you don’t like the current plan, propose a better addressing plan.

Step 2: Comment on the existing routing scheme, its good points and bad points. What routing protocol changes would you make, and where? Why? What other routing recommendations would you make to CP Hotels?

Some specific things to consider:
— Are the right routing protocols being used? In the right places?
— Can the route summarization be improved?
— Would the BGP route reflector feature help in this setting?
— What other routing features might be useful?
— Why are the links between data centers needed for each hotel access router and its twin? The areas are contiguous, since both ABR routers link to the 32 hotels within the area.
— What happens if a link to a Partner fails? What can and cannot connect to the Partner?
— What should be done for failover of the corporate Internet connections?

Step 3: Comment on the pros and cons of the current default routing and redistribution strategy. If you propose a different approach, be prepared to describe how it works, and its pros and cons.

Some specific things to consider:
— What are the alternatives to redistributing Module routes into EBGP? Pros and cons of each?
— What topology change would allow keeping Partner routes out of the core? How would this work with failover to the other Data Center?

Step 4: Propose a new or revised addressing scheme to accommodate out-of-band NAC roles and IPT (IP Telephony) voice VLANs in the HQ buildings.

Some details:
— The following roles or VLANs are needed at each Layer 3 switch: guest, user, sys admin, developer, financial sys admin, voice VLAN, plus a few more for growth.
— Assume the design has or will have one Layer 3 access switch per 200 users, dual-homed into a pair of building aggregation switches that route to the data centers. The number of users in each building is shown above.
— Each role subnet must allow for up to 254 users, since ordinary users, developers, or system administrators might be grouped near each other. That is, you cannot safely assume the users will be evenly distributed among roles.
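One way to size Step 4, added here as an example and not taken from the lab guide or its answer key: the scenario fixes the users per HQ building, one Layer 3 access switch per 200 users, and a /24 per role because any role may reach 254 users on one switch. The script below computes how many switches and how much address space each building needs, checks the result against the building's current public block from the table above, and then carves a per-building, per-switch, per-role plan out of a spare pool. The two “spare” roles padding the list to eight, the pool 10.128.0.0/12, and the switch names are assumptions; nothing on the page names them.

```python
"""Sizing out-of-band NAC role and voice VLAN addressing for the CP Hotels HQ buildings.

Added example, not part of the Cisco lab guide. Scenario inputs: active ports per
HQ building and its current public block, one L3 access switch per 200 users, and a
/24 per role. The spare roles, the 10.128.0.0/12 pool and the switch names are assumed.
"""
from __future__ import annotations

import ipaddress
import math

# Six roles named in Step 4 plus two spare for growth (assumption); 8 roles -> /21 per switch
ROLES = ["guest", "user", "sysadmin", "developer", "financial-sysadmin", "voice",
         "spare-1", "spare-2"]
USERS_PER_SWITCH = 200
# Scenario data: building -> (active desktop and access ports, current public block)
HQ_BUILDINGS = {
    "HQ1": (2500, "150.1.0.0/19"),
    "HQ2": (2500, "150.1.32.0/19"),
    "HQ3": (3000, "150.1.64.0/19"),
    "HQ4": (1000, "150.1.96.0/20"),
}


def prefix_for(blocks: int, block_prefix: int) -> int:
    """Shortest prefix length that holds `blocks` aligned /block_prefix networks."""
    return block_prefix - math.ceil(math.log2(blocks))


def building_requirement(users: int, n_roles: int = len(ROLES)) -> dict:
    """Switch count for a building and the address space the role-per-switch scheme implies."""
    switches = math.ceil(users / USERS_PER_SWITCH)
    per_switch = prefix_for(n_roles, 24)          # one /24 per role on every switch
    building = prefix_for(switches, per_switch)   # one aligned, summarisable block per building
    return {
        "switches": switches,
        "per_switch_prefix": per_switch,
        "addresses_needed": switches * 2 ** (32 - per_switch),
        "building_prefix": building,
    }


def fits_current_block(name: str) -> bool:
    """Does the scheme fit in the public block the building already holds?"""
    users, block = HQ_BUILDINGS[name]
    needed = building_requirement(users)["addresses_needed"]
    return needed <= ipaddress.IPv4Network(block).num_addresses


def allocate(pool: str = "10.128.0.0/12") -> dict[str, dict]:
    """Carve building, then switch, then role subnets from a spare pool (assumed address).

    Largest building blocks are placed first so every block stays aligned. Each switch
    owns one /21, so the aggregation layer sees one summary per switch, not one per role.
    """
    free = ipaddress.IPv4Network(pool)
    cursor = int(free.network_address)
    order = sorted(HQ_BUILDINGS, key=lambda n: building_requirement(HQ_BUILDINGS[n][0])["building_prefix"])
    plan: dict[str, dict] = {}
    for name in order:
        req = building_requirement(HQ_BUILDINGS[name][0])
        block = ipaddress.IPv4Network((cursor, req["building_prefix"]))
        if not block.subnet_of(free):
            raise ValueError(f"pool {pool} exhausted at {name}")
        switch_blocks = list(block.subnets(new_prefix=req["per_switch_prefix"]))[: req["switches"]]
        plan[name] = {
            "block": block,
            "switches": {
                f"{name}-sw{i + 1}": dict(zip(ROLES, sb.subnets(new_prefix=24)))
                for i, sb in enumerate(switch_blocks)
            },
        }
        cursor = int(block.broadcast_address) + 1
    return plan


if __name__ == "__main__":
    for name, (users, block) in HQ_BUILDINGS.items():
        req = building_requirement(users)
        print(f"{name}: {req['switches']} switches, /{req['per_switch_prefix']} each, "
              f"{req['addresses_needed']:,} addresses needed, fits {block}: {fits_current_block(name)}")
    plan = allocate()
    for name, entry in plan.items():
        print(f"{name} -> {entry['block']}")
    print("HQ1-sw1 voice VLAN subnet:", plan["HQ1"]["switches"]["HQ1-sw1"]["voice"])
```

The first loop is the point of the exercise: with eight /24 roles per switch, HQ1 needs 13 switches and 26,624 addresses, more than three times its current /19, and even HQ4 outgrows its /20. Role-based subnets therefore cannot be squeezed into the existing 150.1.0.0/16 plan, and the building blocks have to come from elsewhere (private space, in this example); the per-switch /21 and per-building /17 or /18 boundaries are what the access and aggregation switches would summarize toward the data centers.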


Step 5: The CP Hotels web site is being moved to a pair of collocation facilities, each of which will connect back to the data centers via DS-3 links. Taking the existing topology and routing into account, what do you recommend as the best way to connect the collocation facility back into the data center?

Some specific things to consider:
— Where should the connections terminate in a router?
— Assume the collocated routers, firewalls, and servers will be managed by CP Hotels. If the collocation provider were providing a managed firewall service, then CP Hotels might feel the need to put firewalls in at the point where the collocation links terminate. We will keep things simple for this case study.

Activity Verification

Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group.

The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
• The pros and cons of the current IP addressing scheme, and your proposed changes to the IP addressing scheme.
• The pros and cons of the current IP routing scheme, including summarization, and your proposed improvements or changes to the routing scheme, including summarization.
• The pros and cons of the current default routing and redistribution schemes, and your proposed changes or improvements to the default routing and route redistribution schemes.
• Your proposed new addressing scheme to provide out-of-band NAC roles and voice VLANs in the four HQ buildings.
• Your list of key points concerning the impact of moving web servers to collocation facilities. Your proposed design for how to best connect the collocation facilities back to the data centers, and how to best perform routing to them.


Case Study 3: CP Hotels Network Initiatives

This case study enables you to practice the skills and knowledge learned in the modules up to this point, especially the “Advanced WAN Services Design Considerations”, “Designing the Enterprise Data Center”, “Design Considerations for Storage Area Networking”, and “Designing the E-Commerce Module” modules.

This case study is based on a fictional company, CP Hotels, which is discussed in Case Study 2. In this case study, CP Hotels is upgrading some components in their network. They have asked your consulting firm to work on the new designs.

Activity Objective

In this activity, you will critically review and design or redesign parts of the CP Hotels network.

After completing this activity, you will be able to meet these objectives:
• Prepare and present a design for the replacement E-Commerce WAN. Your design should address the specific questions and requirements listed below.
• Prepare and present a new design for the Server Farm Module upgrade. Your design should address the specific questions and requirements listed below.
• Prepare and present a new design for the E-Commerce Collocation upgrade, taking into account advances in technology. Your design should address the specific questions and requirements listed below.
• Prepare and present the business case and a high-level design for an E-Commerce Collocation SAN, or be prepared to justify why you feel that a SAN is not needed or is inappropriate.

Visual Objective

There is no visual objective for this case study.

Required Resources

These are the resources and equipment required to complete this activity:
• Case Study guidelines, presented in the Course Introduction
• The prior CP Hotels Case Study 2 Scenario
• A workgroup consisting of two to four students
• Blank sheets of paper and a pencil


CP Hotels Case Study Scenario
See Case Study 2 for a description of the current CP Hotels network. Parts of the diagrams are replicated here for reference.

CP Hotels Web Site Topology
The following diagram illustrates the current data from CP Hotels showing the network topology for the E-Commerce web site at a high level. The cages show the Gigabit Ethernet and managed switches inside the collocation facility.

[Diagram: CP Hotels Web Site Topology. The Internet, reached through ISP1 and ISP2, connects to two collocation cages, Cage A and Cage B. Each cage contains Web servers (VLAN 10), App servers (VLAN 20), and DB servers (VLAN 30). Cage A connects back to Data Center A and Cage B to Data Center B.]

There are two Production Collocation Facilities. They are each paired with one data center. (For this case study, we will not discuss the additional single Performance and Test module, also located in one of the collocation facilities. It is similar in design.)
Inside each collocation facility, VLANs 10, 20, and 30 respectively are the web server, application server, and DB server VLANs. The site runs IBM WebSphere using IBM servers.
All traffic enters the web complex through a pair of Brand X firewalls. The paired CSS devices route between the firewall VLAN and the “internal” VLANs 10, 20, and 30. Servers in each VLAN (10, 20, 30) have the CSS virtual interface as their default gateway, to keep server routing simple.
The firewalls also secure the connection back to the CP Hotels data centers. The firewalls are running VRRP on the connections to the CP Hotel data centers. The edge Cisco Catalyst 3550 Series switches use HSRP and EIGRP to the edge WAN routers connecting to the data centers. The Cisco Catalyst 3550 Series switches also provide a SPAN port for troubleshooting. The firewalls and Cisco Catalyst 3550 Series switches have static routes pointed at each other’s VIP addresses.
There are two WAN routers at each E-Commerce web site. Each WAN router has a DS-3 connection back to one router at the paired Data Center. The data center WAN routers connect back to aggregation layer switches inside the Server Farm Module in that data center.

CP Hotels Server Farm Topology
As you know (you designed it!), the Server Farm topology is as follows.
• Servers are (mostly) dual-homed to access layer switches, one pair of access switches per row of racks of servers. The paired access layer switches have one VLAN that runs at Layer 2 on uplinks to both aggregation layer switches.
• Aggregation layer switches have a trunk carrying all access VLANs between them. They route traffic to the Server Farm Module core switches.
• There are presently two halves to the server farm infrastructure. Each half consists of eight rows of servers. Each server row is connected to a pair of access switches, for a total of 16 access switches. Each set of 16 access switches connects to two aggregation switches. There are four aggregation switches in the server farm infrastructure. The four aggregation switches connect to both of the two Server Farm core switches.
• All the Server Farm access switches use Gigabit Ethernet uplinks. Aggregation switches use two Gigabit EtherChannels to the core switches. The aggregation and core switches use a single MSFC1A for routing.

[Diagram: CP Hotels Server Farm Topology. Two halves, each of 8 rows of servers (an example server connection is shown dual-homed to the row's access switch pair), with 1 Gbps Layer 2 uplinks from each access switch pair to two Aggregation switches. Each Aggregation switch has a 2 Gbps EtherChannel to each of the two Core switches, where Layer 3 begins.]


CP Hotels Design Tasks
Complete these steps:
Step 1 (E-Commerce WAN Statement of Work) CP Hotels’ website is experiencing 50% growth in traffic back to the Data Centers every year. The current links are at 80% utilization, so that if one fails, the other will not have enough capacity. Assuming all the old and new WAN technologies are available, recommend an updated E-Commerce WAN design.
Be sure to address the following:
— Are there any WAN technologies that should clearly be ruled out? If so, why?
— Are there any WAN technologies that are particularly suitable for this use?
— Is there an approach that would provide the ability to “turn up the bandwidth” without new hardware or access circuits?
— How much bandwidth do you recommend that CP Hotels start out with on the replacement WAN links?
— What SLA characteristics are needed for these links, if CP Hotels views them as part of the highly critical revenue-producing e-commerce site?
Step 2 (Server Farm Statement of Work) CP Hotels is asking you, as their favorite and highly-skilled consultant, to comment on the data center Server Farm Module design.
— Management has asked for a “green field” re-design of the Server Farm module from scratch. As you know from some late nights, there have been several “configuration accidents” and the odd hardware problem leading to large Spanning Tree loops. Management would like to “add another 9 of availability” for the server farm network.
— The CIO emphasized that the new design should take advantage of technology and speed improvements, while complying with shifts in what are considered Best Practices.
— The CP Hotels server administrators discovered VMWare about 2 years ago, and started rolling it into large-scale production use about 9 months ago. As you know, VMWare allows one physical server to be divided into multiple logical servers, providing isolation for different applications without a heavy hardware investment for “one application, one server”. They have been testing VMotion, which can “snapshot” a virtual server and move it to another physical server in about 1 second, without having to take it out of service. Their VMotion consultant is telling them the best way to deploy VMotion is to use one or two dedicated interface(s) per server, on a dedicated VLAN, to ensure rapid problem-free moves without contention from data traffic. Many rows of racks are full, however, so any “unused” servers for VMotion could be anywhere in the data center. Space at row ends is tight, so CP Hotels cannot just add some spare racks and servers to the existing rows.
— CP Hotels wants your recommendation on how to accommodate the VMotion requirements while meeting the first goal of “adding another 9 of availability”.
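The Step 1 bandwidth question (how much to start with on the replacement links) can be reasoned through with a small capacity model. The following is an added example, not part of the lab guide or its answer key: it takes the figures stated in Step 1 (two DS-3 links at 80% utilization, 50% annual growth) and the failover rule the scenario implies (one surviving link must carry the full load), then picks the smallest standard circuit size that fits each year. The 80% target utilization after failover, the five-year horizon and the circuit tier list are my assumptions, chosen to show the method; a real recommendation would use the carrier's actual offerings.

```python
"""Capacity model for the E-Commerce WAN question in Step 1 (added example)."""

# Figures taken from the Step 1 statement of work (constructed model inputs).
DS3_MBPS = 45.0            # nominal DS-3 rate used for the estimate
CURRENT_LINKS = 2          # two DS-3 links today
CURRENT_UTILIZATION = 0.80 # each link runs at 80%
ANNUAL_GROWTH = 0.50       # traffic grows 50% per year

# Assumed standard circuit sizes in Mbps, smallest first. "GigE" stands in
# for a Metro Ethernet / provisioned-bandwidth service.
CIRCUIT_TIERS = [
    ("DS-3", 45.0),
    ("OC-3", 155.0),
    ("OC-12", 622.0),
    ("GigE", 1000.0),
    ("OC-48", 2488.0),
]


def current_traffic_mbps(links=CURRENT_LINKS, link_mbps=DS3_MBPS,
                         utilization=CURRENT_UTILIZATION):
    """Total offered load today, spread over all links (2 x 45 x 0.8 = 72 Mbps)."""
    return links * link_mbps * utilization


def required_per_link_mbps(year, target_utilization=0.80, surviving_links=1):
    """Per-link rate needed in `year` so that, after a link failure, the
    surviving link(s) carry the whole load at or below target_utilization.
    Without the failover term the plan would repeat today's problem."""
    load = current_traffic_mbps() * (1 + ANNUAL_GROWTH) ** year
    return load / (surviving_links * target_utilization)


def smallest_circuit(mbps):
    """Smallest standard tier that meets a required rate; None if nothing fits."""
    for name, rate in CIRCUIT_TIERS:
        if rate >= mbps:
            return name
    return None


def plan(years=5):
    """Year-by-year plan as (year, required Mbps per link, circuit tier)."""
    rows = []
    for year in range(years + 1):
        need = required_per_link_mbps(year)
        rows.append((year, round(need, 1), smallest_circuit(need)))
    return rows


if __name__ == "__main__":
    for year, mbps, tier in plan():
        print(f"year {year}: need {mbps:7.1f} Mbps per link -> {tier}")
```

The point the model makes is that the link size is driven by the failover case, not the normal case: today the pair carries 72 Mbps in total, yet a single surviving link must already be sized for 90 Mbps, and the same growth curve moves the requirement through two circuit tiers within the planning horizon, which is the argument for a service whose bandwidth can be turned up without new access circuits.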


Step 3 (E-Commerce Redesign Statement of Work) The hardware in the Collocation Facility is coming off lease, and the E-Commerce manager has the budget to “do it well”. You have been asked to come up with a proposed design, meeting the following requirements:
— Firewall support is desired between the web and application layers, and between the application and database layers. That way, a server compromise in one layer might be contained before it affects the other layers.
— If there is a good way to protect servers within a VLAN from each other, CP Hotels would like to know about it.
— The CIO emphasized that the new design should take advantage of technology and speed improvements, while complying with shifts in what are considered recommended practices.
— Simplicity and low device count matter – collocation space is costly, and tight.
— The web site is doubling in traffic volume every year. The design needs to scale to cover growth over the next 4-5 years.
— There is talk of the collocation provider managing the devices within its site, so appropriate security is needed inside the data centers in case there is a lapse in the security they provide.
— Do not forget to put in IPS capability.
— After losing millions of dollars due to a single extended outage, management has purchased the Network General Infinistream product, which does packet capture and reporting based on terabytes of disk space. The intent is to use it as a “network flight recorder” to help analyze the next outage. Your design will need to provide SPAN ports and “plumbing” so that the Infinistream can capture every packet every device in the collocation facility transmits on the inside of the firewall.
Step 4 SAN Business Case and High-Level Design for Collocation Facilities
— All web pages and application and database files are static, used to generate responses to web queries. Some of the databases are refreshed nightly, others change monthly, reflecting new hotel locations, etc. Actual guest reservations, frequent traveler benefits, and so on are stored in databases within the data center, not the collocation facility.
— At a very high level, what might be some business or technical reasons for using SAN in the collocation facilities? If you think a SAN is not needed or inappropriate, prepare to justify this.
— How would you describe your SAN design at a high level, taking the above security requirements into account?


Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group.
The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
• Your design for the replacement E-Commerce WAN. Your design should address the specific questions and requirements listed above.
• Your new design for the Server Farm Module upgrade. Your design should address the specific questions and requirements listed above.
• Your new design for the E-Commerce Collocation upgrade, taking into account advances in technology. Your design should address the specific questions and requirements listed above.
• Your business case and high-level design for an E-Commerce collocation SAN, or your justification of why you feel that a SAN is not needed or is inappropriate. Your design should address the specific questions and requirements listed above.


Case Study 4: CP Hotels Security and IPsec VPN Network
This case study enables you to practice the skills and knowledge learned in the modules up to this point, especially the “Security Services Design” and the “IPsec and SSL VPN Design” modules.
This case study is based on a fictional company, CP Hotels, discussed in a previous case study. You represent a Cisco Partner called in to review the existing CP Hotels addressing and routing design, and provide recommendations for improvement.
We normally try to use private addressing in case studies. In this case study, we use some fictional public IP address blocks for clarity and a real-world flavor.

Activity Objective
In this activity, you will critically review and/or redesign key portions of the CP Hotels network, using your new Security and IPsec VPN design skills.
After completing this activity, you will be able to meet these objectives:
• Recommend what type of IPsec VPN CP Hotels should use, and present the pros, cons, and justification for your recommendation. Determine and present a detailed design for the hotel IPsec VPN, including overall hotel routing with failover, how IPsec reaches the other tunnel endpoint, and a detailed IP addressing plan.
• Critically review and make recommendations to improve security at CP Hotels, including specific items listed below.
• Determine and present a design for Network Admission Control (NAC) Appliance deployment in CP Hotels headquarters (HQ) buildings, including coverage of specific items listed below.

Visual Objective
There is no visual objective for this case study.

Required Resources
These are the resources and equipment required to complete this activity:
• Case Study guidelines, presented in the Course Introduction
• Previous CP Hotels IP Addressing and Routing Case Study Scenario
• A workgroup consisting of two to four students
• Blank sheets of paper and a pencil

CP Hotels Case Study Scenario
See Case Study 2 for a description of the current CP Hotels network. The diagrams are provided in this case study for ease of reference.


CP Hotels Network Topology
The following diagram illustrates the CP Hotels network topology at a high level:

[Diagram: CP Hotels Network Topology. Data Center A contains a Server Farm Module (Core, Aggregation, Access, and rows of racks of servers, x 8; the mainframe and the website DMZ are also located here, with Internet connectivity), a Core with Aggregation (4 pairs), L2 connectivity (shared) and Access (4 groups of 4, 16 total), a Hotels Module connected over Frame Relay to 2000 hotels, a Call Center Module connected over MPLS VPN, a Partner Module reaching partners through various connection methods, Corporate Internet Access to the Internet, and an HQ Module serving HQ 1 & 2 and HQ 3 & 4. Data Center B has an identical layout.]


The following diagram indicates the routing design.

[Diagram: CP Hotels Routing Design, the same topology as above annotated with routing protocols. Server Farm Module: OSPF. Internet edge: EBGP, with IBGP between the two Cores. Hotels Module: 4 OSPF AS’s over Frame Relay to 2000 hotels. Call Center Module: EBGP over MPLS VPN. Partner Module: static routing over various connection methods. Corporate Internet Access: static routing. HQ Module (HQ 1 & 2, HQ 3 & 4): OSPF. Data Center B has an identical layout.]


Addressing at CP Hotels
HQ buildings were addressed from the public address block 150.1.0.0 /16.

Site   Address Block   Total Addresses in Block   Active Desktop and Access Ports
HQ1    150.1.0-31      8192                       2500
HQ2    150.1.32-63     8192                       2500
HQ3    150.1.64-95     8192                       3000
HQ4    150.1.96-111    4096                       1000

Data Center A uses some addresses from 150.1.240-255. Both data centers use addresses from 10.1.0.0 /16 and 172.20.0.0 /16. This scheme reflects different addressing schemes over time, and the difficulty of getting server staff to change addresses on servers. (“Server addresses are forever.”)
Partner addresses are public addresses chosen by the partner to avoid any possible address duplication. They come from multiple blocks per partner.
Call Centers use addresses from 180.1.0.0 /16, assigned to allow room for growth.
Concerning hotels, each Region of 500 hotels is assigned address blocks as follows:

Region   Address Block   Total Addresses in Block   Active Desktop and Access Ports
1        10.96-103       2,097,152                  Up to 128,000 (500 x 256)
2        10.104-111      2,097,152                  Up to 128,000
3        10.112-119      2,097,152                  Up to 128,000
4        10.120-127      2,097,152                  Up to 128,000

This matches a bit mapping of 10.011r raaa.aass ssss.hhhh hhhh, where “r” indicates the region bits (region minus 1), “a” indicates the area bits within that region, “s” indicates the subnet bits relative to the area, and “h” indicates the host bits in the subnet.
Within each region, the 5 area bits allow for 32 areas (16 plus area 0 forces us up to 32, however, or 6 bits). Within each area, there are 32 or fewer hotels, which use 32 subnets. 6 subnet bits are used to allow flexibility and also provide /30 blocks for the WAN links.

Consulting Statement of Work 1
CP Hotels requires a completely new design for the hotels portion of the network (Hotels Module internals, plus WAN connections). All other connectivity will remain the same as before.
The plan is to reduce costs by using one or two Cisco ISR routers at each hotel, with one or two Internet connections from local ISPs. Hotel guests will be able to use a hotel wired and/or wireless network to access the Internet directly over the ISP link, protected by the IOS Firewall.
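The hotel bit mapping in the addressing section above (10.011r raaa.aass ssss.hhhh hhhh) is easy to get wrong by hand, and a wrong bit boundary shows up later as overlapping summaries. The following is an added example, not part of the lab guide: it builds a hotel /24 from (region, area, subnet), derives the region summary (one /13 per region, so region 1 is 10.96.0.0/13 covering 10.96-103) and the area summary (one /18) from that same bit map, decodes an address back into its fields, and checks that the four region summaries are disjoint. The function names are my own; only Python's standard ipaddress module is used.

```python
"""Worked example of the CP Hotels hotel addressing bit map (added example)."""
import ipaddress

# Bit layout from the case study: 10.011r raaa.aass ssss.hhhh hhhh
#   r = region bits (region - 1), 2 bits    -> regions 1..4
#   a = area bits within the region, 5 bits -> areas 0..31
#   s = subnet bits within the area, 6 bits -> subnets 0..63
#   h = host bits, 8 bits                   -> every hotel subnet is a /24
SECOND_OCTET_BASE = 0b01100000   # the fixed "011" bits give 96
REGION_PREFIX = 13               # 8 + 3 fixed + 2 region bits
AREA_PREFIX = REGION_PREFIX + 5  # /18 per area
SUBNET_PREFIX = AREA_PREFIX + 6  # /24 per subnet


def hotel_subnet(region, area, subnet):
    """Return the /24 for (region 1-4, area 0-31, subnet 0-63)."""
    if not (1 <= region <= 4 and 0 <= area <= 31 and 0 <= subnet <= 63):
        raise ValueError("region/area/subnet out of range for the bit map")
    r = region - 1
    second = SECOND_OCTET_BASE | (r << 3) | (area >> 2)   # 011r raaa
    third = ((area & 0b11) << 6) | subnet                 # aass ssss
    return ipaddress.ip_network(f"10.{second}.{third}.0/{SUBNET_PREFIX}")


def region_summary(region):
    """Summary route that covers a whole region (one /13)."""
    return hotel_subnet(region, 0, 0).supernet(new_prefix=REGION_PREFIX)


def area_summary(region, area):
    """Summary route that covers one area within a region (one /18)."""
    return hotel_subnet(region, area, 0).supernet(new_prefix=AREA_PREFIX)


def decode(address):
    """Recover (region, area, subnet, host) from a hotel address."""
    o1, o2, o3, o4 = ipaddress.ip_address(address).packed
    if o1 != 10 or (o2 >> 5) != 0b011:
        raise ValueError(f"{address} is not in the hotel block 10.96.0.0/11")
    region = ((o2 >> 3) & 0b11) + 1
    area = ((o2 & 0b111) << 2) | (o3 >> 6)
    subnet = o3 & 0b111111
    return region, area, subnet, o4


def summaries_are_disjoint():
    """True when no two region summaries overlap; a shifted bit boundary fails this."""
    nets = [region_summary(r) for r in range(1, 5)]
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for r in range(1, 5):
        print(f"region {r}: summary {region_summary(r)}")
    print("hotel subnet (region 3, area 7, subnet 8):", hotel_subnet(3, 7, 8))
    print("decode 10.113.200.5 ->", decode("10.113.200.5"))
    print("region summaries disjoint:", summaries_are_disjoint())
```

Running it shows why the region boundary has to sit on a /13: the second octet of region 1 runs 96-103 and region 2 starts at 104, so any summary shorter than /13 at a region would swallow its neighbour, and any summary longer than /18 at an area would split the 64 subnets the 6 subnet bits provide.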


The data centers will be connected to the hotels through major international ISPs. Traffic from hotels will reach the data centers across the Internet from the hotel local ISPs through various peering points.
At each hotel, the main office and front desk will be on a separate interface or VLAN protected by the IOS Firewall. CP Hotels believes the switch-let and secure wireless modules are attractive for future data connectivity within the front office. Right now IT Services does not attempt to manage LAN connectivity in hotels; local contractors provide those services, so the ISR routers will not contain such modules, at least initially.
Hotel office traffic will be carried back to the data centers via IPsec VPN. A VPN to each data center will be used for redundancy.
The routing metrics on IPsec tunnels or routes to IPsec peers are to be adjusted in some fashion to provide determinism, so that half the hotels normally route via Data Center A, and half through Data Center B. The design should dynamically fail over to the other data center if the primary path becomes unavailable.
Congratulations on winning this design project! If your consulting firm does a good job on the design and documentation, you may be asked to assist in the implementation phase (full-time work for 8 consultants for at least one year, with a lot of travel). If you continue to impress the CIO, your team will get complimentary upgraded rooms and breakfast at the hotels used during the implementation. (Although the hotel chain is paying the travel expenses for the project anyway.)

Consulting Statement of Work 2
CP Hotels wants you to review their design for high-level “holistic” security. Specific questions to consider are listed below. They have already re-designed their collocated web site to use a classic three-layer DMZ implemented using FWSM and CSM or ACE modules in the switches within the collocation facility.

Consulting Statement of Work 3
CP Hotels wants you to come up with a design for NAC Appliance deployment in the HQ buildings.
You are to build a design for HQ3 (3000 users) that can be suitably scaled down and replicated at the other buildings. The design must describe where the NAC Appliances are to be located, what mode the NAC Appliances are to be used in, and specifics as to how default gateway or routing are to be handled. The design must use redundant NAC equipment. If the design requires changes to the current IP addressing scheme, you must explain the impact.
Note You are not to design IP addressing and summarization, since in Case Study 2 you already developed a sample addressing plan.


The roles are as stated in Case Study 2:
— The following roles or VLANs are needed at each Layer 3 switch: guest, user, system administrators, developer, financial system administrators, voice VLAN, plus a few more for growth.
— Each role subnet must allow for up to 254 users, since ordinary users, developers, or system administrators might be grouped near each other. That is, you cannot safely assume the users will be evenly distributed among roles.
The CP Hotels network team has decided that the following role to VLAN mapping will be used:

VLAN   Purpose
1      Default for unassigned ports: don’t use
2      Native VLAN on trunks, no other use
3      Guest
4      User
5      Sys admin
6      Developer
7      Financial sys admin
8      Voice VLAN
9-16   Reserved for future expansion of roles

CP Hotels Design Tasks
Complete these steps:
Step 1 Complete a design for the new CP Hotels VPN. Your design should include the following components:
— Your recommendation as to what type of IPsec VPN CP Hotels should use, why you recommend that approach, and its pros and cons.
— An explanation of how each hotel will connect in your design.
— An explanation of how your design routes to each hotel, including how failover works. Also explain how routing will allow packets to reach the other IPsec tunnel endpoint (i.e. how the IPsec packets would be routed).
— Details of routing protocol implementation, e.g. OSPF areas, and EIGRP or OSPF summarization.
— Your description of how your design controls the routing impact of any instability in local or regional ISPs.
— A detailed addressing and routing plan, implementing the summarization (and, if relevant, areas) of the previous step.


Step 2 Review the CP Hotels design concerning overall security. Your report should include at least the following:
— Your observations of any security problems in the present design. Also note ways in which packet and control plane security might be improved.
— A check that all external connections are properly secured with firewalls. (Since all the details have not been specified, indicate what you want the design to look like at each external connection.)
— Your recommendations for where CP Hotels should deploy IPS systems, and how they should be deployed, and also where to deploy Cisco MARS.
— Your evaluation of the risks concerning the Call Centers, and how best to mitigate those risks. The CP Hotel.com site and the Call Centers are crucial to revenue production at CP Hotels. The collocation facility redesign secured the e-commerce site. Now it is time to ensure the Call Centers are secure.
Step 3 Assume that NAC Appliance is to be deployed in HQ3, with 3000 users, and 15 Layer 3 access switches connected to two building switches that connect back to the data centers. The specific requirement is role-based control over who can access which servers. While the formal policy has yet to be determined, you will need to develop a preliminary design, answering the following questions at a high level:
— How many NAC Appliances, and where should they be deployed?
— In-band or out-of-band deployment? Other info about deployment mode (virtual / real gateway, etc.)?
— Either way, describe how it impacts addressing and VLAN definitions, performance, and manageability. If additional VLANs will be needed, describe what they should be and why they are needed. Do not do any detailed IP addressing design; all that is desired here is a high-level description of any addressing impact of your proposed design.
— Describe where your design allows traffic to be controlled (building access layer, building aggregation layer, data center core, data center module core-facing edge), and for what filtering purpose each possible location might be used.
— Also describe what traffic your design approach will not be able to control, if any.

Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group.
The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
• Your recommendation as to what type of IPsec VPN CP Hotels should use, with pros, cons, and justification. Your detailed design plan for the hotel IPsec VPN, including overall hotel routing with failover, how IPsec reaches the other tunnel endpoint, and a detailed IP addressing plan.
• Your critical review of and recommendations to improve security at CP Hotels, including the specific items listed above.
• Your NAC Appliance design, including coverage of the specific items listed above.




Case Study 5: DS Medical Research Institute Network Infrastructure
This case study enables you to practice the skills and knowledge learned in the modules up to this point, especially the “IPsec and SSL VPN Design”, “IP Multicast Design”, “Voice Over WLAN Design”, and “Network Management Capabilities with Cisco IOS Software” modules. It is intended as a cumulative case study to bring together the concepts you have learned in this course.
This Case Study is based on a fictional organization funded by a large trust fund established by an extremely wealthy donor with initials DS. The DS Medical Research Institute (“DS-MRI”) is trying to speed medical progress with cutting edge research towards cures for several targeted major medical problems. The staff of DS-MRI conducts pharmaceutical, biochemistry, and computer-driven research, and also acts as a clearinghouse for data on cases and drug trials from around the world.
You represent a Cisco Partner that was invited to design a network for DS-MRI. The first building for the new Headquarters and Research Campus is already under construction. The Institute Director wants to design and pre-stage the network so that researchers can be up and running as soon as possible.
What is needed now is a high-level design, where you propose a general approach. If the Institute Director likes your work, your company may be asked to develop the detailed design, order the equipment, and do the pre-staging and installation work.

Activity Objective
In this activity, you will design the network for DS-MRI.
After completing this activity, you will be able to meet these objectives:
• Prepare and present a high-level building and data center design for DS-MRI
• Prepare and present high-level alternatives to add security
• Design and justify how to extend the design to include more buildings
• Propose a suitable high-level routing design
• Prepare and present a high-level SAN design for the scenario
• Propose a design or technology for grouped servers with substantial inter-server communications
• Prepare and present a WAN design meeting the specified requirements
• Propose and defend an IP multicast design
• Prepare and present a high-level wireless design supporting VoWLAN and the Cisco Location Appliance
• Prepare and present a design for using Cisco IOS network management features to meet the customer need, along with describing where those features will be used

Visual Objective
There is no visual objective for this case study.


Required Resources
These are the resources and equipment required to complete this activity:
• Case Study guidelines, presented in the Course Introduction
• The scenario below
• A workgroup consisting of two to four students
• Blank sheets of paper and a pencil

DS-MRI Case Study Scenario
The first building will be completed in a few months. More buildings are planned for the campus but are not yet funded or designed.
Building 1 of the planned campus consists of five interconnected wings, each of which has 6 floors. There will also be a large attached data center connected to the back of the building by elevated walkways providing views of the beautiful hillside campus setting.
The wings are named A, B, C, D, and E. They mingle office space, bio/chem/medical lab space, and computer researcher spaces. The spaces are intended for somewhat flexible use as projects and initiatives start and end, and as needs change.
Each floor of each wing is about 20,000 square feet, housing up to 200 staff, with four network ports planned per 100 square feet, for a total of 800 ports per floor. All ports will be wired for Gigabit Ethernet. Uplinks are to be at least 10 Gbps.
The medical researchers’ time is precious. The promise of copious computing and network support was made to help recruit key research talent. Some of the researchers use medical imaging of cancer or other patients, reviewing high resolution CAT, DS-MRI and other scan “movie” files that can be 10 GB or larger in size. The computer research tends to be compute-intensive (gene database lookup or correlation, molecular modeling, etc.). Some of the computer research leads to computer-animated images, but at much lower resolution than the medical imaging. Researchers working with outside researchers or clinical trials sometimes receive DVDs with data and need to load these into the appropriate server(s) for statistical or other analysis.
The data center will host a large number of servers. Some will provide file, print, and directory services for staff. Others will provide research database or compute cluster capabilities. The plan is to have the data center network provide flexible hosting, to allow server hardware to be shifted between projects. Highly compute-intensive projects may use special hardware appropriate for the type of computation being done. Longer-running computations will require an appropriate degree of data center High Availability so as not to lose days or weeks of computation.
The plan is for the data center to start with 2000 servers, probably mostly blade servers. Each will have two Gigabit Ethernet connections to the network. That number may well grow to 6000 or more servers, as more projects and then more buildings are added.
There will also be 200 file or database servers providing access to large medical images. These are to be connected with either multi-Gigabit EtherChannel or 10 Gbps Ethernet connections.


DS-MRI Design Tasks
Complete these steps:
Step 1 Complete a high-level design for the Building 1 and the data center infrastructures.
— The Institute Director wants to know how much bandwidth the various parts of your design will supply, and what switch models you have in mind. Some approximate port counting would be a good idea.
— You should describe how they would be organized, both for Building 1 and for the data center, as well as how they interconnect.
Note At the time of this writing, the 6500 models can hold up to 8 blades with eight 10-Gbps ports each, for a total of sixty-four 10-Gbps ports. The 3750-E and 3560-E models come with two 10-Gbps uplink ports. The 3750-E may be put into stacks of up to 9 switches. Both come with either 24 or 48 10/100/1000 Mbps port models, either with or without PoE. They allow use of the TwinGig converter, for two Gigabit SFP ports initially, then one 10 Gbps port later.
Step 2 Design to address security concerns. Research activity needs to be secured by project. Every attempt will be made to put project team members close to one another, but that sometimes is not possible.
— The DS-MRI is mostly concerned about restricting access to servers based on project. How will your plan accommodate this?
— Suppose there is concern about protection of Intellectual Property, since any patents that come from research could be worth millions of dollars. Does that change your design? If so, how?
Step 3 Plan for growth. Your design needs to include a description of how you would expand coverage to 3 more similar buildings located 200-300 yards from each other, in a loop around the lake in the middle of the campus.
Step 4 Describe your proposed routing architecture at a high level. Detailed address planning is not needed at this time, but you should describe information such as where you would summarize routes, and what routing protocol(s) you would use.
Step 5 Discuss storage support. The current plans call for starting with 2000 blade servers, later expanding to 6000 or more. Provide a high-level SAN design to support these data center blade servers and expansion.
Step 6 Discuss server approach. The Institute Director asked a specific question: some of the computing requires many grouped servers with substantial amounts of inter-server communication. Is there any way to improve performance for these servers? Cost-effective 10 Gbps connectivity for servers is another related concern.
Step 7 Discuss WAN connectivity. DS-MRI is working internationally on many vital medical projects, teaming with many local doctors, professors, and other researchers. A flexible architecture is needed to allow for very rapid addition or removal of external WAN access, with security for data about local patients, since researchers may be actively involved in the ongoing treatment of patients. The architecture must accommodate a range of media and speeds, depending on what local facilities are available.


— DS-MRI is willing to consider commercial shipment of pre-configured small Cisco routers, to simplify connectivity and support at remote sites containing teams of researchers. The DS-MRI views this as providing facilities for and empowering local research teams.
— It is also important that local researchers be able to interact, and send data and possibly voice traffic as directly as possible to peers, rather than sending it to the U.S. and back out, to minimize latency.
— Recommend a WAN approach that maximizes flexibility without compromising security.
Step 8 Discuss IP Multicast implications. The HQ campus will be doing IP multicast for video and audio transmission of technical seminars and training materials. Lower resolution versions could be made available to remote sites, or this material could be provided in the form of downloads from an internal web site.
— What are your recommendations, including security and other aspects of the multicast design (at a high level)?
— If DS-MRI is going to be using IP multicast, where should the RP(s) be located? Bearing in mind the topics covered in our IP multicast module, what other design features should be used by DS-MRI in their multicast design?
— Does multicast have any impact on, or change, your solution to the WAN connectivity design question above? If so, describe the changes needed.
Step 9 Discuss VoWLAN considerations. DS-MRI intends to deploy VoWLAN in the HQ buildings, to facilitate reaching staff when they are away from their desk or lab. The DS-MRI is also considering using the Location Appliance.
— How does this impact your design? How will the wireless devices connect to your switch design?
— What are the key site survey and AP placement considerations to support this?
— Approximately how many access points, controllers, or other items will DS-MRI need to purchase to cover the first building?
— Is there any business justification for using Location Services with VoWLAN at DS-MRI?
Note As of this writing, one WCS can support up to 3000 access points managed by up to 250 controllers. A single Location Appliance can track up to 2500 wireless devices.
Step 10 Discuss network management considerations. The DS-MRI anticipates that it will need to allocate network overhead to various research projects, for internal cost accounting corresponding to the research grant focus of the organization. To help troubleshoot issues with WAN connections, the DS-MRI Network Operations Center (NOC) will need to be able to track packet loss, latency, and jitter.
— What Cisco IOS network management features should DS-MRI consider using?
— Where in the network should DS-MRI use these features?


Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group.

The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
• The high-level building and data center design
• The high-level alternatives to add security to the design
• The design to extend the building design to include more buildings
• The high-level routing design
• The high-level SAN design for 2000 blade servers, and how you propose to expand it to 6000
• The proposed approach for grouped servers with substantial inter-server communications
• The proposed WAN approach
• The proposed IP multicast design
• The requested wireless design information
• The proposed network management features and where they will be used




Answer Key
The recommended solutions for the activities that are described in this guide appear here.

Case Study 1 Answer Key: MegaCorp Campus Design
You will create a high-level design for the campus portions of the MegaCorp network, including the following objectives:
• Document and explain the real customer requirements for this scenario.
• Complete and present an optimal high-level design, including a diagram, physical and logical topology descriptions, recommended switch models and alternatives, other significant details, notes on how your design will support IP Telephony, and notes on what your Power over Ethernet (PoE) recommendations are. Describe and defend the pros and cons of your optimal design, and how it improves on the existing MegaCorp design.
• Describe any other technical design factors the detailed design should incorporate.
• Present a high-level approach for how to smoothly migrate from the old to the new network design.
• Describe how to mitigate risks in the present MegaCorp design using Cisco switches.
• Complete and present a design using Metro Ethernet components as provided in this Case Study to connect to remote office buildings.

Step 1 Real Requirements
• If IPT and video are under consideration, the network needs to be highly available and have plenty of bandwidth.
• The stated outage rate and duration are not compatible with "high availability". Better availability is needed.
• The long hours of office use suggest productivity and frugality are important to MegaCorp. The network needs to operate 18 x 5, not just 9 x 5.
• Good service is hard to provide if customer records cannot be accessed due to a network outage. The same is even more so when IPT is in use. Not answering the phone sends the wrong signal to customers. This just emphasizes that reliability and high availability are important requirements for MegaCorp.
• IPT means the design should use QoS-capable switches.
• The access switches need to be PoE-capable on most if not all ports. There should be little to no need for PoE on distribution and core switches.
• The access switches should provide at least 100 Mbps access ports and 1 Gbps uplinks.
• The design should be recommended-practices compliant. This is both a requirement and something you can use as a major justification for appropriate differences from the staff design.
• Unless there is an unstated good reason for it, there is no reason to tie VLANs to departments. A follow-up question should clarify this.
• Simplicity and ease of troubleshooting would be good.


• Note that using 3 instead of 2 switches for the building distribution switches is a customer solution to a perceived problem. The real requirement is higher availability. It is up to the designer to decide the best way to provide the higher availability.
• The network staff needs training and skills-building. Bringing in someone with deeper technical skills might inspire staff to build skills.

Step 2 Proposed Design
Here are some points about the optimal design and how to justify it:
• The current MegaCorp design is clearly an older style of design. More substantial use of Layer 3 switching would provide better stability. The problem is telling the customer that, diplomatically but effectively. Justification: Routing limits the scope of failure domains and is simpler and easier to troubleshoot.
• Use VLANs per closet or portion of floor, and get out of the moves, adds, changes business. Justification: This frees up staff for more useful tasks, or cuts costs. It also helps minimize VLANs spanning distribution switches.
• With 10,000 employees and 8 buildings, there will be about 1250 people per building, perhaps 250 or 300 per floor. This design assumes to start that twice that many ports are needed. To support this port density, a modular switch such as a Cisco Catalyst 4500 or 6500 Series switch is recommended.

Note: An alternate design would use five or six 48-port 100/1000 switches at the access layer per closet per floor to support the expected 500 to 600 ports per floor. The Cisco Catalyst 3750 Series switches with StackWise technology would avoid daisy-chaining access layer switches as occurred in the original design. Daisy-chained switches are strongly to be avoided, due to the high likelihood of STP problems. However, this alternative with multiple individual switches should be avoided since the sheer number of devices becomes hard to manage.

• You should plan for one or two VLANs per access switch. With a 20:1 oversubscription estimate and 100 Mbps access ports, each chassis would need an uplink of about 1.25 Gbps, so use a 2 Gbps EtherChannel to each building switch. The VLANs should be at most triangles consisting of the two uplinks and the trunk between the distribution layer switches, if needed to span distribution switches.
• Layer 3 (routing) to the access layer should be considered as a desirable option. It increases cost mildly, but would greatly reduce the need to troubleshoot Spanning Tree (simplicity!). It would require some staff training for the MegaCorp technical staff.
• The distribution layer could be small 6500s, and the core bigger 6500 model switches. One argument in favor of using the 6500 would be 10 Gbps readiness, which can also support oversubscription ratios for data today, and voice in the future.
• The current Layer 2 core is an older approach. Most sites want Layer 3 cores to avoid the large-scale outage a core Spanning Tree loop creates. You should highly recommend that MegaCorp use a Layer 3 core. A Layer 2 core would be unwise with 8 x 2 + 2 = 18 switches in the STP domain.
• The building switches should have two uplinks to the core switches, not just one. Recommended Practice: "Use triangles, not squares." Justification: Equal-cost routing provides fast failover. If you use a 4:1 oversubscription model, the uplinks from building to core would be (2 closets * 2 Gbps * 5 floors)/4 = 5 Gbps. So the design can start with 4 Gbps uplinks, since the speeds on the uplinks from closets were rounded up. All uplinks in the design will need to be upgraded when VoIP is deployed.
• Simplicity is somewhat at odds with power injection. PoE is affordable for MegaCorp if used where needed, namely in the access switches. While utility ports (printers, etc.) might be grouped on one non-PoE blade, it may be simpler to just provide PoE support on any port or blade in an access switch.
• The distribution and core switches need little or no PoE.
• VTP transparent mode is required: there is little reason for VLANs to be changing frequently.

Step 3 Other Technical Design Elements
• Turning off STP anywhere should be avoided.
• Layer 2 and Layer 3 security features should be used (disable trunking on access ports, set native VLANs to an unused VLAN for trunks, BPDU Guard, Root Guard, Dynamic ARP Inspection, ...).
• Any Layer 2 switches should use the Layer 2 toolkit (UplinkFast, UDLD, etc.).
• Use voice VLANs in every closet.
• (Later topic) Plan addressing to assist in IPT deployment, and allow simple access lists for Quality of Service (QoS) and voice security.
• Coming up with a QoS architecture (plan) would be a good follow-up task.

Note: Congratulations! MegaCorp agrees to your proposal. They especially liked the part about including design and implementation services in with the three-year equipment lease.

Step 4 Network Migration Plan
• Put in the replacement core switches next to the existing ones. Cable them, and route between old and new networks. This is simplified if a distinct address block or prefix is used for the new switches.
• Put in the replacement building switches next to the existing ones. Cable their uplinks to the core. Configure routing, etc.
• Schedule building cutover to occur during the night (one building per week allows time for preparation, recovery from a late evening, etc.). When cutting over an existing building, pre-position and configure closet switches. First test link status and cable or fiber quality on the uplinks, then shut those ports down before configuring the switch. Pre-provision any DHCP scopes that will be needed.
• The actual cutover then consists of activating uplinks, moving user patch cables, re-addressing printers and devices with hard-coded addresses, verifying DHCP is working, verifying key applications work, troubleshooting, etc.
• Have a Quality Assurance plan to help make sure that everything is done properly despite late-night brain fogging.

Step 5 Mitigating the MegaCorp "Equipment Modernizing" Plan
• Use a Layer 3 core if at all possible.
• Decrease the size of VLANs to single closets if at all possible.


• Use the Layer 2 toolkit (UplinkFast, UDLD, etc.).
• Use Rapid PVST+, not regular Spanning Tree.
• Tell them that a third building distribution switch will not provide them more redundancy; it will mostly add complexity to the solution.

Step 6 Redesign for Metro Ethernet and Acquisition
• The point here is that Ethernet WAN or Metro Ethernet is similar to Ethernet in the core.
• Use Layer 3 switching from each remote building back to the core. This will contain any Spanning Tree problems to the building. While it would be best if the remote building distribution layer switches did Layer 3 switching, terminating in a routed connection on the main campus core at least protects the existing campus from Spanning Tree problems to a fair degree.
• The case for Layer 3 switches at remote buildings is to isolate Spanning Tree problems to one remote site. Otherwise, any Spanning Tree problem could and probably would impact all the Layer 2-connected sites on the Metro Ethernet network.
• Consider the routers at each remote site. The concern is that a T1 router might well not be capable of routing between the building's 100 Mbps or faster network and the Metro Ethernet 100 Mbps link. These routers probably need to be replaced. Given the speeds in question, and to provide some room for growth, Layer 3 switches are advisable. Whether separate switches are used, or the building switches replaced, is a choice for the customer. Replacing routers with small switches as an interim measure is quick. Replacing building switches with Layer 3 building switches might take a little longer. It makes some sense to get the new acquisition connected, then go back and revamp the building networks as needed. This is a choice for the customer to make. The designer's role is to present the alternatives and pros and cons of each, as well as estimate the level of effort to complete implementation for each alternative, if needed.
• Since the number of peers for the core switches is getting moderately large (8 x 2 + 1 = 17 before adding the remote buildings), you might consider a separate Metro Ethernet core pair of Layer 3 switches. On the other hand, adding five remote devices only bumps the number of peers to 22, which is a bit high but not terrible.
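The Layer 2 hardening items recommended in Step 3 and Step 5 (Rapid PVST+, VTP transparent mode, no trunking on access ports, an unused native VLAN on trunks, BPDU Guard, Root Guard, UDLD and Dynamic ARP Inspection) collected into one Catalyst IOS configuration for a MegaCorp closet switch. This is an added example and is not from the ARCH lab guide or its answer key; the hostnames, VLAN numbers (110, 210, 999), interface names and the 3750-style interface ranges are assumptions chosen for illustration, and the exact command set varies by Catalyst platform and IOS release.

```cisco
! Added example, not from the lab guide. Access switch B1-F2-CLOSET-A.
! VLAN numbers, interface ranges and neighbor names are assumptions.
!
! Rapid PVST+ replaces legacy PVST (UplinkFast/BackboneFast behaviour
! is built in); VTP transparent makes every VLAN change explicit.
spanning-tree mode rapid-pvst
spanning-tree extend system-id
vtp mode transparent
!
! Aggressive UDLD on fiber uplinks: a unidirectional link is a classic
! cause of STP loops. Error-disabled ports recover after 5 minutes so a
! single bad cable does not need a truck roll.
udld aggressive
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! Data and voice VLANs are local to this closet; VLAN 999 is reserved,
! unused, and serves only as the native VLAN on trunks.
vlan 110
 name USERS-B1-F2-CLOSET-A
vlan 210
 name VOICE-B1-F2-CLOSET-A
vlan 999
 name NATIVE-UNUSED
!
! User/phone ports: DTP off (no trunk negotiation), voice VLAN, PortFast,
! BPDU Guard (a rogue switch on a desk port is shut down), and these
! ports stay untrusted for DHCP snooping and DAI.
interface range GigabitEthernet1/0/1 - 44
 description User / IP phone port
 switchport mode access
 switchport access vlan 110
 switchport voice vlan 210
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 no shutdown
!
! Uplinks to the two distribution switches: explicit 802.1Q trunk,
! pruned to the VLANs this closet uses, unused native VLAN, trusted for
! DHCP/ARP. No Root Guard here: the distribution switch IS the root.
interface range TenGigabitEthernet1/1/1 - 2
 description Uplink to B1-DIST-1 / B1-DIST-2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,210
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! DHCP snooping builds the IP/MAC binding table; Dynamic ARP Inspection
! then drops ARP replies on the user VLANs that do not match it.
ip dhcp snooping
ip dhcp snooping vlan 110,210
no ip dhcp snooping information option
ip arp inspection vlan 110,210
!
! On the distribution switch (assumed B1-DIST-1), the matching side:
! make it the root and put Root Guard on the downlinks toward closets
! so no access switch can ever claim the root role.
!   spanning-tree vlan 110,210 root primary
!   interface range GigabitEthernet2/1 - 48
!    spanning-tree guard root
```

Root Guard belongs on the distribution switch's downlinks, never on the access switch uplinks, where it would block the legitimate root. With `switchport mode access` plus `switchport nonegotiate`, an attacker cannot negotiate a trunk from a desk port, and because the trunks' native VLAN 999 carries no users, a double-tagged frame has nowhere useful to land.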


Case Study 2 Answer Key: CP Hotels Addressing and Routing Design

Step 1 Addressing
Based on the scenario, this section includes a proposed solution. According to the case study guidelines, there may be some minor variations in your solutions.
• The Call Center blocks go up by 12. Going up by 8 would summarize better and still provide enough address space.
• It would be good to have a plan for address consolidation in the Data Centers, to get servers onto one prefix per Data Center, say over a 5-7 year period as servers are replaced.

Step 2 Routing and Summarization
• The hotel areas should be made totally stubby. (This was not specified, and should be brought up with the customer; recommend it if it is not part of the present design.)
• The HQ areas should also be totally stubby.
• EIGRP would make the design simpler in the following ways:
— EIGRP can filter all but corporate prefix summaries or default routes from the routes sent to the hotels, greatly reducing the routing traffic to hotels. OSPF has to flood all LSAs to all hotels, plus all prefixes imported from BGP. This is exacerbated by Frame Relay (FR) instability.
— OSPF does not allow intra-area filtering, so all hotels within an area see routes to each other, yet there is no reason for one hotel to have a route to any other hotel.
— In conjunction with filtering and corporate summaries, the EIGRP stub feature would be useful for hotels.
— The VLAN links between Data Centers would not be needed for area contiguity and for avoiding OSPF transit traffic going through hotel sites to stay within an area. They still would be needed due to the route summarization, however. (Why?)
• EIGRP could be useful in the Server Farm Module, for more flexibility, although OSPF should work reasonably well there, given the regularity of the topology. OSPF has the virtue that it can be used with Cisco FWSM or PIX, CSS/CSM Route Health Injection, etc., whereas EIGRP cannot.
• The OSPF aggregation routers could be done away with, but the price would be a much larger (and single) area 0, more routes being sent to hotels, and a lot of peers for the core-facing EBGP routers. The present design compartmentalizes the large-scale hotel routing well.
• NAT for partners would avoid the injection of random prefixes into core BGP, and would also allow partners to use private addresses without concern about overlapping server addresses at CP Hotels that they need to communicate with.
• A BGP route reflector won't help with EBGP. It might be used for the IBGP in the Hotels Module, although the same peering would be needed (each aggregation router peered to both core-facing routers). Not using a route reflector has the advantage that one hotel aggregation block (Region) doesn't need to see routes to the others anyway.
• The links to twin routers are needed to prevent black-holing packets if a hotel link fails. Otherwise, the summary prefix advertisement may draw in packets to the router with the failed link, and it would have no good way to get them to its twin in the other Data Center with a good link to the hotel. The same might happen with EIGRP summarization.
• There is no failover to Partners. Careful import of routes via BGP and BGP peering through the firewalls is one option. Another would be redistribution into OSPF and passing OSPF to the firewalls and the core-facing routers. Network statements could then advertise the Partner prefixes into the EBGP.
• The answer for Corporate Internet failover is to use EBGP to the ISPs or some other method (see the later Data Center module) to track connectivity, and then pass default back into the core. Static default routing is unsatisfactory for failover.

Step 3 Redistribution and Default Routing
• It would be better to use network statements to selectively inject routes into EBGP. This would mitigate the risk of having a problem with excess or incorrect routes in one Module spilling over into the core. (Tradeoff: the maintenance that this control requires versus increased stability.)
• If the Partner Module connected into the Corporate Internet Module's core-facing routers, then traffic to a Partner could follow default, say from a server to the Internet core-facing router, which would then have a more-specific route to the Partner.
• For Partner failover, dynamic routing is needed. A dedicated link (VLAN) or two to the Partner Module in the other Data Center would also be needed. That way, the more-specific routes would work even if a Partner link were down in one Data Center. (This is the price of summarization, viewing default routing as an extreme case of summarization.)

Step 4 NAC Addressing Scheme
Addressing for NAC roles requires some calculations. You will need a subnet per role at each Layer 3 switch. One design choice is to use 8 or 16 subnets per Layer 3 switch. It is a good practice for each HQ building to be summarizable.

Figuring that room for expansion requires 16 subnets per Layer 3 switch, we would have:

    HQ Building   Active Ports   Number of Layer 3 switches
    1             2500           13
    2             2500           13
    3             3000           15
    4             1000            5

The information about 254-user subnets means we need a /24 for each role. Another way of saying that: the last 8 bits are host bits. They would be preceded by the 4 bits we need for 16 subnets. That gets us to xxxx xxxx.xxxx xxxx.xxxx ssss.hhhh hhhh, using "s" for subnet bits, "h" for host bits, and "x" for unknown bits.

Let us use 4 bits for the Layer 3 switch. That brings us to xxxx xxxx.xxxx xxxx.rrrr ssss.hhhh hhhh, using "r" for router or Layer 3 switch.


Another option uses 3 bits for designating the HQ building (building in some room for growth; management always grows). Using "b" for the HQ building brings us to xxxx xxxx.xxxx xbbb.rrrr ssss.hhhh hhhh.

Assuming the addresses are available, we might then use 10.80-83 for the four buildings. Within each of those, we would use the third octet to indicate the Layer 3 switch (first four bits) and the role subnet relative to that switch (last four bits). All subnets would be /24s, which keeps things simple. For example, in building 1 (10.80.0.0/16), Layer 3 switch number 1 (rrrr = 0001) and role number 3 (ssss = 0011) give a third octet of 0001 0011 = 19, so that role subnet is 10.80.19.0/24, and all sixteen role subnets of that switch summarize as 10.80.16.0/20.

This scheme is somewhat wasteful of address space. There are two advantages of the scheme:
1. It readily accommodates moves, adds and changes of users.
2. It is uniform, rather than treating the four HQ buildings differently.

Step 5 Collocation of Web Servers
The simplest thing is to view the collocation site as a WAN extension of the Server Farm Module. That is why we ruled out managed services at the collocation facility, to avoid the complexity of firewalls in between the data center and the collocation facility.

One design would add a pair of routers into the Server Farm Module, connecting into the aggregation or core switches within that module. The WAN links would terminate to the collocation facility in those routers. The collocation site would run as a separate OSPF area with summarization.

If firewalls were added, routing OSPF to the firewalls is perhaps the simplest answer. There are other alternatives that are discussed later in the course.
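A configuration for the Step 2 recommendation that each hotel region be an OSPF totally stubby area, with the region's hotel prefixes summarized toward area 0 by the Data Center aggregation router. This is an added example rather than part of the lab guide's answer key; the router names, area number 10, the 10.10.0.0/16 region summary, the interface names and all addresses are assumptions.

```cisco
! Added example, not from the lab guide. One hotel region = OSPF area 10.
! Names, area number, interfaces and addresses are assumptions.
!
! ---- Data Center 1 hotel aggregation router (ABR between area 0 and 10)
hostname DC1-HOTEL-AGG-1
!
router ospf 1
 router-id 10.255.0.11
 ! "stub no-summary" makes area 10 totally stubby: the ABR originates
 ! a single default (type 3 LSA) into the area and suppresses every
 ! other inter-area and external route. BGP-learned Internet and
 ! partner prefixes therefore never reach a hotel router.
 area 10 stub no-summary
 ! Cost of the injected default. The twin ABR in Data Center 2 uses a
 ! higher value so hotels prefer DC1 while their DC1 link is up and
 ! fall back to DC2 automatically when it is not.
 area 10 default-cost 10
 ! One summary per region toward area 0, so the core and the core-facing
 ! BGP routers see 10.10.0.0/16 rather than every hotel /24.
 area 10 range 10.10.0.0 255.255.0.0
 ! Core-facing link in area 0; hotel-facing Frame Relay in area 10.
 network 10.254.1.0 0.0.0.255 area 0
 network 10.10.255.0 0.0.0.255 area 10
 ! Passive by default; only real neighbor-facing interfaces send Hellos.
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface Serial0/1/0
!
! ---- Hotel router (internal router in area 10)
hostname HOTEL-0117
!
router ospf 1
 router-id 10.10.117.1
 ! The stub flag must match the ABR or the adjacency never forms.
 ! "no-summary" is an ABR-only knob; internal routers just say "stub".
 area 10 stub
 network 10.10.117.0 0.0.0.255 area 10
 network 10.10.255.0 0.0.0.255 area 10
 passive-interface default
 no passive-interface Serial0/0/0
```

On the hotel router, `show ip route ospf` should then show one `O*IA 0.0.0.0/0` entry per reachable aggregation router and no data center or partner prefixes at all; the only other OSPF entries are intra-area (`O`) routes to the other hotels in the same region, which OSPF cannot filter, as the answer key notes. If data center /24s still appear, the area is plain stub rather than totally stubby on the ABR.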




Case Study 3 Answers: CP Hotels Network Initiatives
These tasks are all intended to stimulate debate. The Server Farm and, to some extent, WAN tasks are somewhat open-ended, where any of several answers might be suitable. The E-Commerce module is more of a direct "interpret the slides in this context" effort, requiring thinking through how best to fit a FWSM and Content Switching Module (CSM) or Application Control Engine (ACE), or ACE alone, into a chassis to meet the requirements. The SAN design is mostly about "Is there a business case?"; the design concepts available for use without more SAN expertise are rather limited.

Step 1 E-Commerce WAN
• Frame Relay and ATM are too slow and typically too costly to be attractive. They also do not provide much speed flexibility. On the other hand, ATM from a quality provider that is not phasing it out (yet) might be very reliable and affordable, if they view the service as revenue from equipment that is already fully depreciated.
• The connections are highly critical, so very high availability and low mean time to repair (MTTR) are also requirements. If available at a reasonable price, dark fiber, especially on one or two SONET rings, would be most attractive. The alternative would be some form of Metro Ethernet, if available. Smaller companies might favor the latter, viewing dark fiber or SONET as having associated equipment and skill costs. Larger companies might (or might not) consider Metro Ethernet a business risk. Inquiry into the underlying topology and how the Metro Ethernet service is provided could reassure management as to the risks. Unfortunately, knowing that the customer demarcation point is Gigabit Ethernet tells you nothing about the quality and reliability of the underlying provider network.
• One factor not specified is how robust the applications in the E-Commerce collocation facility are. Does a little WAN hiccup cause, say, 20-30 minutes of slow web response to customers? Or can the WAN be down for 3-5 minutes and applications pick right up where they left off? Can reservations be booked via some local storage if the data center and mainframes are unavailable? This information helps to evaluate business risk. However, even if this information is available, it may not be valid, since most sites just do not have the time to conduct intensive testing to understand complex E-Commerce failure modes. It is bad enough getting the next build tested for functionality and into production on time.
• There are several options for the WAN service. A service where CP Hotels pays for increments of, say, 10 Mbps on Fast Ethernet, or 100 Mbps on Gigabit Ethernet, would be attractive for the ability to "turn up the bandwidth". Dark fiber could be viewed in the same way: use it for long haul (LH) or very long haul (VLH) Ethernet, Packet over SONET, or resilient packet ring (RPR), then shift to coarse wavelength-division multiplexing (CWDM) or dense wavelength-division multiplexing (DWDM) as more bandwidth is needed (assuming there would be no issues with wavelengths and repeaters).
• In any case, you should recommend a Layer 2 service to CP Hotels, since it would be useful to run routing over the replacement WAN, to provide fast failover. Putting provider Multiprotocol Border Gateway Protocol (MBGP) in the middle of the WAN is undesirable.
• You should recommend that CP Hotels start with at least 2 x DS-3 x 80% = approximately 72 Mbps, to avoid failover problems.

Note: This amount of bandwidth is needed on each link.


• To allow for another year of operation at 50% growth per year, that number should be increased to 1.5 x 72 = 108 Mbps. To allow for two years of operation at 50% growth per year, the bandwidth should be 1.5 x 108 = 162 Mbps. If the bandwidth can readily be increased, then there is no good reason to incur the costs for the second year until they are close to being necessary.
• You should look for a service level agreement (SLA) with fast response time, fast MTTR, very high availability, very low packet loss, and low latency and jitter. The penalties for non-compliance should be commensurate with the costs of an outage. Being able to play one provider off against another ("if your service doesn't improve, we'll take all our business elsewhere") would help.

Step 2 Server Farm Refresh
• There are significant trade-offs in design options, between robustness driving some designers towards "Layer 3 to the access layer", and cost and vendor solutions such as IBM high-availability clusters (HACMP), Oracle High Availability, and VMotion pushing for "VLANs that go everywhere". We view the latter as a substantial risk. The issue can be quite political: how well can the risk be explained to management? Can the server farm be managed so that VLANs can be contained within a row or one of the two aggregation blocks? (If not, it might be good to put your recommendations to the contrary into a diplomatic write-up, and make sure the management chain sees them.) The "right answer" varies by organization. In any case, try to limit all VLANs to one or two rows of racks, to limit per-VLAN STP domain sizes.
• We recommend R-PVST+ and the STP toolkit (Root Guard, BPDU Guard, host mode on ports, VTP transparent, manually pruned VLANs, UDLD, etc.) to limit exposure to STP-related problems.
• Concerning technology updates, there are several things to consider:
— Tradeoffs between Sup32 or Sup720 variants for fabric throughput
— Implementing 10 Gbps links (core to aggregation, possibly in a year or two from aggregation to access)
— Potential need for ACE in portions of the server farm
— Out-of-band management of servers using multiple VLANs or via dedicated cabling and switches to localize the management STP domains
— Terminal server access to network devices? Servers?
— Planning for coordination concerning blade servers, including discussion of what type of internal switch is used (if any), who manages it, and how they do so
• Concerning recommended practices, consider:
— Creating isolation VLANs or private VLANs (PVLANs) for "anti-social" servers or clusters that use multicast or unknown unicast flooding
— Using the Firewall Services Module (FWSM) in selected aggregation or access switches to isolate critical / sensitive servers (financial, credit card, or medical records)
— Adding intrusion prevention systems (IPS) for such "zones"
— Deploying remote packet capture and analysis capability on SPAN ports near critical servers (NAM, Distributed Sniffer, laptop with Wireshark and VNC, etc.). This makes staff much more productive than spending time lugging a capture device to the server farm, plugging it in, setting up a SPAN port (chance for error), and then capturing in a noisy and uncomfortable environment.


Step 3 E-Commerce Refresh
• For the E-Commerce infrastructure, a recommended design uses Cisco Catalyst 6500 Series switches with an ACE module, with or without an accompanying FWSM (or four, depending on capacity needs).
• Whether to complement the Cisco Catalyst 6500 Series switches with FWSM is somewhat debatable: "Are ACE or Multilayer Switch Feature Card (MSFC) route processor access lists enough, and how much significant value does a firewall add?" The case against FWSM is that the design is simpler without it.
• Another debatable point is whether to logically place the FWSM or the ACE closer to the MSFC. Some may consider one approach simpler. The other consideration is whether the logical blade "placement" supports Route Health Injection (RHI), and whether RHI is desired.
• The figure shows one solution for the E-Commerce Collocation network. It is based on the One-Armed Server Load Balancer (SLB) with Firewall Context design. If an Ethernet-based WAN link to the data center is available, no extra switches or routers are needed in the Collocation Facility.

[Figure: E-Commerce Collocation network. The Internet attaches to Cat6509-Core-1 and Cat6509-Core-2 (VLAN 12). These connect to Cat6513-Agg-1 and Cat6513-Agg-2, which carry the Secure Internal Segment (VLAN 2), FWSM1 and FWSM2 (VLANs 7, 8 and 9, with multiple control PortChannels between the aggregation switches), and the Web VLAN (17), App VLAN (18) and DB VLAN (19) toward Cat6509-Access-1 and Cat6509-Access-2, where the App Server, Web Server and DB Server attach.]


• A good alternative is to have the ACE do the routing instead of the MSFC, to simplify passing traffic between the different tiers of servers. That is, put the ACE logically between the MSFC and the FWSM, rather than the other way around.
• Firewalls are needed for the data center edge, due to the specified security requirement.
• One or more IDSM-2 modules would be attractive for IDS/IPS functionality, assuming there is room in the switch.
• Note about the Infinistream deployment: did you spot the slightly subtle "SPAN port" issue? One alternative would be to use a VACL to feed the IDSM-2 module(s) and also the Infinistream, since multiple VLANs or ports would need to be spanned. Another approach would be to use relatively inexpensive copper or fiber taps at key points in the cabling infrastructure.

Step 4 SAN High-Level Design
• One good question would be, "How many servers are there in the E-Commerce Module?" If only a few, deploying a SAN is probably not going to help much. If many, the usual "economies of disk space" reasoning applies.
• A SAN might be useful for backup. On the other hand, if the servers are all clones of some base image using static or dynamically generated content, then there might be no need to back them up.
• A SAN might be useful for faster pushes of new builds. Coupled with VMotion, it might provide a way to bring virtual servers running a new build online rapidly, rather than having to run off a test or other production environment during the day or so it takes to switch over to new disk content, content databases, etc.
• A SAN is an enabler for VMware. One approach to troubleshooting E-Commerce server problems is to just take the offending server(s) offline using the Server Load Balancer (SLB), while shifting load over to fresh virtual servers. This assumes the problem is one where the servers ran OK for a while, then got into some odd state. Instead of troubleshooting a complex problem under pressure, the new approach is to just swap the server out, and troubleshoot it offline if desired.
• Our SAN design would be to estimate the relevant number of ports, allowing for some growth, preferably based on some trending data from the capacity planning group. Then put in a pair of SAN switches with enough ports. If that is not possible, then a cascaded approach would be needed.
• For security, VSANs and zones could be used. Separate VSANs should be created for the web, application and database servers to keep the files for each type of server secure from the others.
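The private VLAN recommendation from Step 2 (isolating "anti-social" servers and clusters) and the VACL capture alternative to SPAN from Step 3, as one Catalyst 6500 IOS configuration. This is an added example and not code from the lab guide; the VLAN numbers (Web VLAN 17 as the primary with secondary VLANs 1017 and 1018, App VLAN 18 for the capture), the interface names and the 10.30.17.0/24 gateway address are assumptions.

```cisco
! Added example, not from the lab guide. Catalyst 6500 IOS.
! VLAN numbers, interfaces and addresses are assumptions.
!
! ---- (1) Private VLAN on the Web tier.
! Primary VLAN 17 is the Web VLAN. Isolated VLAN 1017 holds servers that
! may talk only to the promiscuous port (gateway / ACE / FWSM), never
! to each other. Community VLAN 1018 holds a cluster whose members may
! flood to one another but to nothing else, so its multicast and
! unknown-unicast chatter stays off the rest of the Web servers.
vtp mode transparent
!
vlan 17
 name WEB-VLAN-PRIMARY
 private-vlan primary
 private-vlan association 1017,1018
vlan 1017
 name WEB-ISOLATED
 private-vlan isolated
vlan 1018
 name WEB-CLUSTER-COMMUNITY
 private-vlan community
!
! Host ports: one isolated web server, two community cluster members.
interface GigabitEthernet3/1
 description web01 (isolated)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 17 1017
interface range GigabitEthernet3/2 - 3
 description web cluster members (community)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 17 1018
!
! Promiscuous port toward the ACE/FWSM: sees every secondary VLAN.
interface GigabitEthernet3/48
 description Uplink to ACE/FWSM
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 17 1017,1018
!
! If the MSFC is the default gateway, map the secondaries onto the SVI.
interface Vlan17
 ip address 10.30.17.1 255.255.255.0
 private-vlan mapping 1017,1018
!
! ---- (2) VACL capture on the App VLAN instead of a SPAN session.
! Every frame is forwarded normally; only the HTTP/HTTPS flows matched
! by the ACL are additionally copied to the capture port where the
! IDSM-2 or the Infinistream probe listens. SPAN source/destination
! session limits do not apply, and several VLANs can feed one port.
ip access-list extended APP-HTTP-FLOWS
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any eq 80 any
 permit tcp any eq 443 any
!
vlan access-map APP-CAPTURE 10
 match ip address APP-HTTP-FLOWS
 action forward capture
vlan access-map APP-CAPTURE 20
 action forward
vlan filter APP-CAPTURE vlan-list 18
!
interface GigabitEthernet4/1
 description Capture port -> IDSM-2 / Infinistream
 switchport
 switchport capture
 switchport capture allowed vlan 18
```

Because the VACL copies rather than redirects, App-tier traffic keeps flowing if the capture port or probe goes down. On the Web tier, `show vlan private-vlan` confirms the associations; an isolated server can still reach its gateway through the promiscuous port but gets no ARP reply from its neighbours, which is exactly the containment the Step 2 recommendation is after.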


Case Study 4 Answer Key: CP Hotels Security and IPsec VPN Network
Based on the scenario, this section includes a proposed solution. According to the case study guidelines, there may be some minor variations in your solutions.

Step 1 Hotel IPsec VPN
• There is certainly some room for discussion concerning the type of IPsec VPN. Some thoughts are provided here:
— Basic IPsec tunnels with Easy VPN are not appropriate due to weak security based on shared passwords.
— “Raw” IPsec VPN with Reverse Route Injection (RRI) is a possibility to consider. In some ways, it greatly simplifies addressing and routing. Some coherent assignment of addresses to hotels would be needed, so that the injected routes would summarize. There would be no tunnels, so no need for addresses for tunnels. The RRI would effectively make the hotels “stubby”, needing only to know summary routes to the destinations at the data center. Raw IPsec does create a separate security association per configured crypto ACL entry, which would represent some extra overhead on the aggregating IPsec termination routers in the data center.
— Generic Routing Encapsulation (GRE) over IPsec would be messy to configure, but provides dynamic routing and support for IP multicast. IP addressing for GRE is moderately complex, since remote hotel addresses plus GRE tunnel addresses would need to be considered.
— DMVPN would reduce the number of tunnel interfaces at the head end, allowing larger subnets than /30 to be used. It would allow dynamic routing but not IP multicast. Since hotels do not need to directly communicate, the Next Hop Resolution Protocol (NHRP) features accompanying DMVPN would not be needed.
— Group Encrypted Transport VPN (GET VPN) is another alternative. Since a full mesh is not needed, GET VPN appears to provide little advantage to CP Hotels.
— In all of the methods (except Easy VPN), specifying endpoint IP addresses, to provide some control and security, is recommended. This does mean that hotels would need to have fixed IP addresses, and could not use DHCP from their ISP(s). There is another debate issue here. Generally, one would want business class DSL or cable services, with faster outage response times, and such plans generally include a fixed (static) IP address.
• The two best options in this case appear to be GRE over IPsec or DMVPN. The rest of this answer will assume GRE over IPsec has been chosen.
• Each hotel would connect with two GRE tunnels, one to each data center.
• The data center Hotel Module access routers would use a default route to the Internet to reach hotels. This is acceptable since they would not be forwarding any traffic to the Corporate Internet Module. Hotels would use default routes to the Internet and their ISP’s routing to reach the data centers.
• For routing to each hotel, EIGRP is recommended. The design should make each hotel stubby, and filter all routes from the GRE tunnels except for corporate summary routes to relevant data center blocks of addresses. An alternative to filtering would be to summarize all the hotel prefixes back to the hotel, eliminating all the more-specific prefixes.


• Note that each access router would need to be connected to its peer in the other data center if it advertises a summary. The EIGRP design permits summarization at the aggregation routers and decreased peering to the core. Furthermore, if point-to-point Ethernet links are used rather than a VLAN to interconnect access routers and their aggregation router, the infrastructure can filter or summarize on the point-to-point links to limit the propagation of specific prefixes. A GRE tunnel flap might affect the connected access router, which would pass the change information to its aggregation router, but the summaries or filtering would stop the change from propagating elsewhere.
• This design controls the routing impact of any instability in local or regional ISPs. EIGRP provides us the ability to summarize more flexibly and more thoroughly, for greater reduction of change propagation than OSPF would permit.
• Concerning routing, the assumption is that the Internet links are big pipes (OC-12 perhaps) terminating in a pair of routers at each data center. All these routers would do is forward the IPsec traffic to the proper access router. Note that the ISP links would have to accommodate approximately 1 Mbps x 2000 hotels = 2 Gbps, with some oversubscription and load balancing across two edge devices at each data center. For less oversubscription at higher cost, multiple OC-12 connections, or single OC-48 connections, could be used to each router. Gigabit Ethernet connections would cost less for equipment, if available.
• Concerning IP addressing, the existing scheme could be used. One alternative approach would be to determine the optimal number of access routers, based on IPsec and routing load on CPU under adverse conditions.
— For example, the 7200 VXR with VAM-2 is rated at 280 Mbps of Advanced Encryption Standard (AES) encrypted traffic. All traffic is two-way (encrypt, decrypt) so the rating is 140 Mbps of connectivity. A conservative design would be to figure on about 70 Mbps of throughput, to leave some CPU resources for other tasks including some GRE overhead. Taking our 2 Gbps worst-case figure, 2000/70 = 29 access routers. This would fit our approach with Frame Relay, using 32 access routers, each connecting to 64 sites. Note that the number of tunnels is not close to being a problem. With this approach, the old addressing scheme could be re-used, which would simplify migration as well. Furthermore, the number of remote sites affected by any access layer problem would not be too great.
— Another example would be to use the VPN SPA in a Cisco 7600 Series router chassis. It is rated at up to 2.5 Gbps of AES for each SPA. Conservative design might then terminate 600 Mbps of traffic per SPA. Four 7600 chassis with one VPN SPA each, or two with two each, are possible approaches. However, you should test this load in a Cisco Customer Proof-of-Concept (CPOC) lab, since putting 500 routing and tunnel peers on one device would impose a very heavy routing burden under adverse conditions. It is not recommended to have 1000 dynamically routed peers on one device, even just in terms of managing risk and the impact of any downtime.
— With this latter approach (4 x Cisco 7600 Series routers with VPN SPA), there will be 500 hotels per regional access router. An addressing scheme such as 10.011rr sss.ssss ssss.hhhh hhhh could be used, where “r” is access router, “s” is subnet, “h” is host. This reworks the prior addressing scheme by removing the area bits, since the hotels would get a summary for all of 10.96-127, 10.96.0.0 mask 255.224.0.0, rather than any smaller summaries or specific prefixes.
— It might be wise to allocate more values in the 3rd octet, to allow for expansion to perhaps twice as many access routers and hotels. Future expansion is possible, as successful businesses do grow.
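The 10.011rr sss.ssss ssss.hhhh hhhh scheme above, worked through as an added example that is not from the lab guide: it builds each hotel's /24 from the router and subnet bit fields, derives the /13 that each access router can summarize, and checks that every block sits inside the single 10.96.0.0/11 summary the hotels would receive. The 500-hotels-per-router figure is the answer key's; the function names are this example's own.

```python
"""Added example (not part of the ARCH lab guide): the hotel addressing scheme
10.011rr sss.ssss ssss.hhhh hhhh from the Case Study 4 answer, made concrete.
Bit fields: 011 = fixed prefix (10.96/11), rr = access router (0-3),
s...s = 11 subnet bits (up to 2048 hotel subnets per router), h = 8 host bits."""
import ipaddress
from typing import Optional

# The one summary every hotel receives instead of specific prefixes: 10.96.0.0 255.224.0.0
HOTEL_SUMMARY = ipaddress.ip_network("10.96.0.0/11")
ROUTER_BITS, SUBNET_BITS = 2, 11


def hotel_subnet(router: int, subnet: int) -> ipaddress.IPv4Network:
    """Return the /24 for hotel number `subnet` behind access router `router`."""
    if not 0 <= router < 2 ** ROUTER_BITS:
        raise ValueError("router field is only two bits wide")
    if not 0 <= subnet < 2 ** SUBNET_BITS:
        raise ValueError("subnet field is eleven bits wide")
    # second octet = 0 1 1 r r s s s: the top three subnet bits share it with the router bits
    second = 0b01100000 | (router << 3) | (subnet >> 8)
    third = subnet & 0xFF            # the remaining eight subnet bits
    return ipaddress.ip_network(f"10.{second}.{third}.0/24")


def router_aggregate(router: int) -> ipaddress.IPv4Network:
    """The block one access router can summarize: 011 plus two router bits = /13."""
    return ipaddress.ip_network(f"10.{0b01100000 | (router << 3)}.0.0/13")


def check_plan(hotels_per_router: int = 500) -> dict:
    """Allocate hotel subnets under all four routers and verify the hierarchy:
    each hotel /24 inside its router's /13, each /13 inside 10.96/11, no overlaps.
    Returns the figures a designer wants: hotels covered and spare subnets per router."""
    allocated = set()
    for r in range(2 ** ROUTER_BITS):
        agg = router_aggregate(r)
        if not agg.subnet_of(HOTEL_SUMMARY):
            raise AssertionError(f"{agg} escapes the hotel summary")
        for s in range(hotels_per_router):
            net = hotel_subnet(r, s)
            if not net.subnet_of(agg) or net in allocated:
                raise AssertionError(f"{net} overlaps or lies outside {agg}")
            allocated.add(net)
    return {
        "hotels": len(allocated),
        "spare_subnets_per_router": 2 ** SUBNET_BITS - hotels_per_router,
        "routes_advertised_to_each_hotel": 1,   # just HOTEL_SUMMARY, per the answer key
    }


def covering_route(address: str) -> Optional[ipaddress.IPv4Network]:
    """Which aggregate a data center router would use to reach a hotel host:
    the /13 of the owning access router, or None if it is not a hotel address."""
    ip = ipaddress.ip_address(address)
    if ip not in HOTEL_SUMMARY:
        return None
    # the rr field is bits 4-3 of the second octet, i.e. bits 20-19 of the address
    return router_aggregate((int(ip) >> 19) & 0b11)


if __name__ == "__main__":
    print(check_plan())
    print(hotel_subnet(3, 2047), covering_route("10.104.3.77"))
```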


Step 2 CP Hotels Security
• The topic of security and managing risk is large. Although only a portion of security topics are specifically covered in this course, security considerations and analysis need to be broad.
• This case study assumes that there is no hidden external connectivity, including any forms of remote (server, network, telephone) administrative access. Specifically, the following parts of the CP Hotels network connect to external entities via the data centers:
— All HQ buildings
— Call Centers
• A network audit should be used to confirm the validity of this assumption.
• The web DMZ is well secured with firewalls inside the Collocation Facilities.
• There is remote support access to the mainframe, but it is powered off when not needed.
• The Corporate Internet access uses firewalls.
• The Partner module uses firewalls to secure all partner connectivity, and only allows access to specific servers.
• Hotels and the hotel module do connect to the Internet. The Hotels Module Internet edge traffic could be secured with firewalls; however, only IKE and IPsec traffic is allowed into the edge routers. There may be a philosophical debate lurking here, as to exactly how and why firewalls are better than routers with access lists.
• The IPS units should be placed inside external firewalls (or routers) to detect suspect or malicious traffic that makes it through the outermost level of security. A suitable number of MARS units for monitoring should be located in one or both data centers. All of this requires staffing and training to allow for the necessary level of monitoring and rules maintenance.
• An anomaly detection and Distributed Denial of Service (DDoS) mitigation plan is recommended for the E-Commerce site. This might be provided either by CP Hotels or by the Collocation Provider.
• Internal security and governance are a growing concern. Further discussions with CP Hotels are recommended concerning firewalls or other isolation techniques to create secure server zones, protecting key servers from attack via other servers. Integrating NAC role-based subnets to allow control over which internal users can send traffic of any kind to key servers is recommended. This will prevent a generic staffer from using hacker tools to try to find and exercise a server exploit, at least on critical groups of servers.
• The remaining major risk is the 2000 hotels. With 2000 routers, each with 3 access lists (outside interface, GRE tunnel interface, office LAN interface), there is a high likelihood of error. Having a configuration auditing capability is recommended, to detect situations where the access list deviates from policy, or where an access list is not currently applied to an interface. (This does really happen!)
• In addition, there is the whole topic of an audit and accountability trail on access list exceptions. Who granted each one, why was it needed, who is the point of contact, when was the information last verified, etc. Otherwise, access lists just get longer and longer, with many entries that nobody can explain. The form should be capable of emitting a list of authorized exceptions per site, to allow for some form of automated access list checking.
• Routing security and Control Plane Policing might also be considered for CP Hotels. These topics can be considered lower priority than the other items above.


• Concerning the Call Centers, there is the separate consideration of voice security, e.g. preventing outsiders from placing international calls, etc. In addition, if IP Telephony is present, the voice VLANs and Cisco Unified Call Managers should be secured and protected from the data parts of the network. Access lists and QoS are the tools for mitigating internal VoIP / IPT security risks.

Note
This is a brief treatment of security considerations. In a production environment, more attention should be applied to the Call Center security. Similar real world consulting work might lead to 50 pages of specifics as well as the general principles listed above.

Step 3 NAC Appliance Design
• Using the heuristic of one NAC Appliance per 1500 users, two NAC Appliances are needed. Four NAC Appliances are needed for redundancy. In addition, two Clean Access Managers are needed to cover all sites, unless standalone site capability is desired.
• Layer 3 out-of-band deployment is recommended. Although Policy Based Routing (PBR) is often viewed as complex, it does allow gradual phase-in of the NAC functionality. It also allows scaling by adding more NAC Appliances, and by allowing selected traffic to bypass the NAC Appliances.
• The NAC Appliances would be connected to the combined core/aggregation (building) switch pair. Due to the Layer 3 access layer switches, PBR is needed to steer quarantine VLAN traffic into the NAC Appliances for users whose posture has not yet been validated.
• There is no need at this site to isolate different groups of users, which conceivably might require access layer placement of the NAC Appliances. Having one NAC Appliance per access switch gets rather costly.
• All VLANs would be routed at the access layer. Only the initial quarantine VLAN would need to be policy routed through the NAC Appliance. Once a desktop computer's posture was validated, its switch port would be changed to the appropriate VLAN, bypassing the NAC Appliance.
• An alternative to PBR would be to have a quarantine VLAN spanning all access switches and the distribution switches. A VLAN spanning the building might be rather hazardous to your building network’s health, and is not recommended.
• Traffic could be controlled with inbound access lists on the VLAN interfaces, where appropriate. Alternatively, it could be controlled elsewhere, e.g. at the data center HQ Module routers, or at the data center core-facing Server Farm Module switches.
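The configuration auditing capability and the per-site authorized-exceptions list that Step 2 above recommends for the 2000 hotel routers, as an added example that is not from the lab guide: it parses an IOS-style config, checks that the outside, GRE tunnel and office LAN interfaces each carry their expected access list, flags access lists that are defined but not applied anywhere, and compares the outside access list against a corporate baseline plus the exceptions register. Interface and ACL names, the baseline, the register and both sample configs are constructed for the example.

```python
"""Added example (not part of the ARCH lab guide): the configuration audit the Step 2
answer recommends for the 2000 hotel routers. For one router's config it checks that the
outside, GRE tunnel and office LAN interfaces each carry their expected ACL, that no ACL is
defined but left unapplied, and that the outside ACL holds only the corporate baseline plus
exceptions recorded in a per-site register, with the final deny still last. All names,
the baseline, the register and both sample configs are constructed here."""
import re

# Outside ACL baseline: only IKE and IPsec inbound, as the answer key states.
# (A real baseline would be templated with each hotel's own outside address.)
BASELINE = {"OUTSIDE-IN": ["permit udp any any eq isakmp",
                           "permit esp any any",
                           "deny ip any any log"]}
# The three ACLs every hotel router carries, and the interface each must be applied on.
REQUIRED = {"GigabitEthernet0/0": "OUTSIDE-IN", "Tunnel0": "TUNNEL-IN", "Vlan10": "LAN-IN"}
# Authorized exceptions register: site -> ACL -> {entry: (owner, change ticket)}
EXCEPTIONS = {"hotel-0417": {"OUTSIDE-IN": {
    "permit tcp host 198.51.100.7 any eq 22": ("j.doe", "CHG-1234")}}}


def parse_config(text):
    """Extract named extended ACLs and the ACL applied per interface from IOS-style text."""
    acls, applied, acl, intf = {}, {}, None, None
    for raw in text.splitlines():
        if not raw.startswith(" "):                 # top-level command ends any section
            acl = intf = None
            m = re.match(r"ip access-list extended (\S+)", raw)
            if m:
                acl = m.group(1)
                acls[acl] = []
            m = re.match(r"interface (\S+)", raw)
            if m:
                intf = m.group(1)
                applied.setdefault(intf, None)
            continue
        words = re.sub(r"^\d+ ", "", raw.strip()).split()   # drop ACL sequence numbers
        if acl and words and words[0] in ("permit", "deny"):
            acls[acl].append(" ".join(words))
        elif intf and len(words) == 4 and words[:2] == ["ip", "access-group"]:
            applied[intf] = words[2]
    return acls, applied


def audit(site, text):
    """Return the policy deviations for one router; an empty list means it is compliant."""
    acls, applied = parse_config(text)
    findings = []
    for intf, want in REQUIRED.items():
        if applied.get(intf) != want:
            findings.append(f"{site}: {intf} should carry {want}, found {applied.get(intf)}")
    for name in acls:
        if name not in applied.values():
            findings.append(f"{site}: ACL {name} is defined but not applied to any interface")
    for name, base in BASELINE.items():
        entries = acls.get(name, [])
        allowed = set(base) | set(EXCEPTIONS.get(site, {}).get(name, {}))
        for entry in entries:
            if entry not in allowed:
                findings.append(f"{site}: {name} has an unauthorized entry: {entry}")
        for entry in base:
            if entry not in entries:
                findings.append(f"{site}: {name} is missing baseline entry: {entry}")
        if entries and entries[-1] != base[-1]:
            findings.append(f"{site}: {name} must end with '{base[-1]}'")
    return findings


CONFIG_OK = """hostname hotel-0417
!
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp
 permit esp any any
 permit tcp host 198.51.100.7 any eq 22
 deny ip any any log
ip access-list extended TUNNEL-IN
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended LAN-IN
 permit ip any any
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
interface Tunnel0
 ip access-group TUNNEL-IN in
interface Vlan10
 ip access-group LAN-IN in
"""
# Drifted router: an undocumented RDP permit, and LAN-IN fell off Vlan10 during a change.
CONFIG_DRIFT = CONFIG_OK.replace("hotel-0417", "hotel-0988").replace(
    " permit tcp host 198.51.100.7 any eq 22", " 30 permit tcp any any eq 3389").replace(
    " ip access-group LAN-IN in", " description office LAN")

if __name__ == "__main__":
    for site, cfg in (("hotel-0417", CONFIG_OK), ("hotel-0988", CONFIG_DRIFT)):
        print(site, audit(site, cfg) or "compliant")
```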


Case Study 5 Answer Key: DS Medical Research Institute Network Infrastructure
Here is one set of possible answers, including some discussion of some of the alternatives. As with all the case studies, part of the objective is to cause discussion of alternatives where there may not be one obvious or correct solution.

Step 1 High Level Building and Data Center Design
• The most striking design consideration is the speeds and number of ports involved. The intent was for the class to have a bit of fun pushing the limits of the technology.
• Concerning the building design, the port counts mean that approximately two to three Cisco Catalyst 6500 Series switches would be needed per floor for the access layer. Uplinks could be dual 10 Gbps EtherChannel links to a pair of distribution layer Cisco Catalyst 6500 Series switches per wing. These distribution switches could be interconnected with a four link 10 Gbps EtherChannel to each other, as well as through four link 10 Gbps EtherChannel uplinks to a pair of building core switches.
— In order to combine the distribution and core layers into one building aggregation layer, the design would have to connect 3 x 6 x 5 = 90 switches. Using single 10 Gbps uplinks already pushes the limits of the aggregating chassis. Therefore, using multiple 10 Gbps uplinks requires the separate distribution layer.
— One might consider using 3560-E or 3750-E switches in closet stacks, with 10 Gbps uplinks. The 3750-E stacking capability would keep the device count somewhat manageable.
• Concerning the data center, the 200 image servers might be connected with Gbps EtherChannel or with 10 Gbps Ethernet links. At one 10 Gbps link each, three to four Cisco Catalyst 6500 Series switches would be needed to aggregate the connections. With dual-homing, that number would need to be doubled. These switches should probably use multi-10 Gbps EtherChannel uplinks.
• For the 2000 blade servers, the design supports one pair of Gbps connections each. If these are copper connections, they can be connected to 48 port blades. That would require about eight Cisco Catalyst 6500 Series switches, with sixteen switches for dual-homing the servers.
— In some research environments, servers are singly homed, since despite some desire for high availability, the impact of losing a server switch is fairly low: computations need to wait for the blade or chassis to be repaired or replaced.
— Similarly, the impact of losing a single server NIC or link is very low – the workload is just allocated to other servers.
• That means the data center has either 4 + 8 = 12 access switches, or 24 with dual-homing. Using 10 Gbps uplinks for the blade server switches, and two link or four link 10 Gbps EtherChannel uplinks for the medical image servers, there are 16 or 24 10 Gbps uplinks for the singly-homed server approach, and double that for dual-homed servers. A pair of “data center aggregation” switches can cover that.
— For data center expansion, the above scheme can be replicated.
— Whether a data center core is needed is debatable. Initially, the aggregation switches might connect to the building core switches. With more buildings, that is not appropriate, but connecting to “campus core” switches might be.


— It is open to debate which switches are Layer 2 and which are Layer 3, per the Campus module. The buildings might have Layer 3 at the access layer, and the data center might be Layer 2 at the access layer.

Step 2 LAN Security Design
• Restricting server access might just mean limiting logins to servers. If what is meant is limiting the ability to send any packets to certain servers, then NAC is the answer. Given the speeds involved, it would have to be Out-of-Band NAC Appliance or NAC Framework, to avoid creation of a 1 Gbps bottleneck. There is insufficient information provided to determine which of the two would be a better fit for this customer.
— In the initial scenario description, NAC might be used to assign users role-based VLANs or subnets. Access lists on switches in the data center could then control which role subnets could reach which servers. The access lists might be placed on the Layer 3 switches nearest the servers. FWSM or ACE modules might also be used. There are designs available for using an ACE to split load across four ACE modules. Given the size of the connections, throughput is a major issue here.
— If the requirement is to secure different user populations from each other, one could use VLANs and access lists. This is difficult to implement and may affect network stability and manageability unless the VLANs are rather localized. As above, either Out of Band NAC Appliance or NAC Framework is a viable alternative. Using either would allow the use of role-based access lists at the first Layer 3 reached by user traffic. These access lists would have to be applied inbound (or outbound) on every user VLAN. The maintenance burden of doing this is another factor to consider.

Step 3 Design Extensions
• To connect other buildings in the future, there is a choice of technologies, with arguments for each.
— One might use 10 Gbps links (one or several) in a Layer 3 ring between building core switch pairs. The max distance is 80 km, so distance will not be a problem in the campus. The 10 Gbps Layer 3 ring is not bad as long as the ring has at most four to six buildings in it. For more buildings, multiple rings could be used – it is a new campus, so it should be relatively inexpensive to put a lot of fiber in place.
— RPR or SONET could be used. The main challenge with that approach is justifying the extra layer of equipment and the extra skills that would be required to support it.
— Yet another alternative would be to start using DWDM equipment. The counter-argument is that DWDM is generally used where fiber count is low. In this case it might cost less to just put many fiber pairs in place. Many fiber pairs would also be simpler to manage.

Step 4 High Level Routing Design
• Use EIGRP or OSPF, with summarization at building boundaries, possibly even at wing boundaries. If NAC role subnets are used in a design with Layer 3 closets, there will be a very large number of subnets, so summarization will definitely be needed.
— If OSPF is used, one then has the question of using BGP in the core to add another layer of summarization. The relatively slow convergence of BGP is a strong disadvantage to doing so.
— OSPF timers could be tweaked, or other features used, to enhance convergence speed, per the “Advanced Addressing and Routing Design” module.


Step 5 High Level Storage Design
• The simplest answer is to use the large scale dual fabric core-edge design shown in the “Design Considerations for Storage Area Networks” module for 2000 servers, and use more copies of that for additional groupings of 2000 servers.
— One would have to work further with the customer to understand whether that is a valid grouping, or whether the servers should be logically broken into smaller groups with different SAN storage and administration.
— One would also need to understand whether three separate SAN fabrics would work for the customer, in terms of future use.

Step 6 Servers Approach
• InfiniBand might be considered for some of the server groupings, or to lower costs and offload processing for 10 Gbps server connections (for servers with intense data rates).

Step 7 WAN Design
• IPsec using DMVPN appears to be the best fit to the requirements described in the case study. Internet connections are generally the fastest way to get a remote site online. DMVPN would then allow local sites to establish direct connections on an ad hoc basis in response to temporary needs, without administrative intervention.

Step 8 IP Multicast Design
• The campus should use PIM-SM with Anycast RP and some access controls to limit any rogue IP multicast. The RPs should probably be located centrally, in the core or distribution layers, for efficient traffic flows.
— A good IP multicast assignment scheme should be used, with addresses from the 239.0.0.0/8 block, in accord with the Cisco IP multicast addressing guide.
— Multicast boundaries should be used to keep multicast off the IPsec WAN, since DMVPN cannot handle IP multicast. Alternatively, if IP multicast on the WAN is a requirement, then GET VPN might be considered.
— Multicast is also not appropriate for the data center, except perhaps for the servers or video units that are sources of the multicast traffic. Application multicast, including clusters, load balancing, etc., is best when contained within a VLAN and not multicast routed. Not enabling PIM on such VLAN interfaces is one simple way to keep such multicast localized.
— In a setting like this, WAN bandwidth requirements are likely to vary widely. One answer might be to use GET VPN for sites with sufficient bandwidth, and use Video On Demand or a “push” approach to distribute content. (Although not in the scope of this case study, the Cisco Application and Content Networking System (ACNS) or Cisco Wide-Area Application Services (WAAS) products are “push” approaches to distribute content.)
— Cluster or grid computing often uses multicast to distribute computational tasks to servers. Part of the design might be determining policy on where such servers would be located in the data center. One could then enable multicast in a limited fashion if the number of servers suggests distributing them across switches and across multiple VLANs. Keeping inter-server traffic localized to just part of the data center would be a good idea. As the number of servers increases, this may be difficult to do, unless sufficient rack space was reserved for expansion.


Step 9 High Level VoWLAN Design
• The main impact is on the wireless site survey and access point placement. Using LWAPP and controllers keeps the impact on the design minimal: controllers would probably be attached to wing or building switches, depending on how many are needed.
— The Location Appliance requirement suggests placing access points in corners and on building edges, using directional antennas. Internal access points could then be added as needed to achieve the appropriate cell sizes and access point densities to support Location triangulation and VoWLAN coverage. Since edge and corner access points only cover ¼ or ½ a circle, they add to the access point count.
— Using the 3000 square foot per access point figure for a first approximation to the number of access points, each wing floor would require 20,000 / 3,000 = 7 access points, or more. The 200 users would thus be divided into up to 30 per access point. If they all need to use wireless simultaneously, you would need to deploy additional collocated access points on different channels.
— If one knows the floor dimensions, say 100 feet by 200 feet, one can then do a little more careful estimation and initial access point placement. This level of detail would be appropriate for a real customer, but is too time-consuming to do in this case study.
— Each wing would then need 6 x 7 = 42 access points (or more). So one approach would be to use a 50-access point controller per wing, with fallback to a spare someplace else.
— Do not forget to include WCS and Location Appliance(s) to manage the WLAN. To estimate the number of Location Appliances, one needs to know what or who is being tracked.
— A Location Appliance coupled with wireless phones would permit locating staff or equipment. On the other hand, tracking staff locations might raise privacy concerns.

Step 10 Network Management Design
• NetFlow could be used to track traffic volumes and do cost allocation. It would be best applied inbound on interfaces in the traffic path. If most traffic will be data center to desktop, NetFlow might be used at the building or wing distribution layer. Note that this would miss some localized IP phone or desktop to desktop traffic.
• IP SLA could be used to provide the desired information about the WAN. This may be of limited value for Internet connections, since there is little that can be done to improve on poor conditions.
— IP SLA would most likely be done between the remote router and central site routers.
— As the number of remote connections increases, it might be wise to offload the central IP SLA responder role to dedicated routers.
— IP SLA should not be needed within the campus or data center. However, some tools should be used to identify duplex or speed problems with links, and Spanning Tree or routing instability in the network, as all would cause performance problems with traffic across the campus.


• DS-MRI would also need to identify tools that are:
— Cost-effective
— Scale to the desired scale
— Reasonably easy to manage and use
— Produce good reports with the desired information

