Designing Cisco Network Service Architectures - Free Books

More documents

Recommendations

Info

• A good alternative is to have the ACE do the routing instead of the MSFC, to simplifypassing traffic between the different tiers of servers. That is, put the ACE logically betweenthe MSFC and the FWSM, rather than the other way around.• Firewalls are needed for the data center edge, due to the specified security requirement.• One or multiple IDSM-2 modules would be attractive for IDS/IPS functionality, assumingthere is room in the switch.• Note about the Infinistream deployment: did you spot the slightly subtle “SPAN port”issue? One alternative would be to use a VACL to feed each IDSM-2 module(s), also theInfinistream, since multiple VLANs or ports would need to be spanned. Another approachwould be to use relatively inexpensive copper or fiber taps at key points in the cablinginfrastructure.Step 4 SAN High-Level Design• One good question would be, “How many servers are there in the E-Commerce Module?”If only a few, deploying a SAN is probably not going to help much. If many, the usual“economies of disk space” reasoning applies.• SAN might be useful for backup. On the other hand, if the servers are all clones of somebase image using static or dynamically generated content, then there might be no need toback them up.• SAN might be useful for faster pushes of new builds. Coupled with VMotion, it mightprovide a way to bring virtual servers running a new build online rapidly, rather thanhaving to run off a test or other production environment during the day or so to switch overto new disk content, content databases, etc.• SAN is an enabler for VMware. One approach to troubleshooting E-Commerce serverproblems is to just take the offending server(s) offline using the Server Load Balancer(SLB), while shifting load over to fresh virtual servers. This assumes the problem is onewhere the servers ran OK for a while, then got into some odd state. Instead oftroubleshooting a complex problem under pressure, the new approach is to just swap theserver out, and troubleshoot it offline if desired.• Our SAN design would be to estimate the relevant number of ports, allowing for somegrowth, preferably based on some trending data from the capacity planning group. Then putin a pair of SAN switches with enough ports. If that is not possible, then a cascadedapproach would be needed.• For security, VSANs and zones could be used. Separate VSANs should be created for theweb, application and db servers to keep the files for each type of server secure from theothers.52 Designing Cisco Network Service Architectures (ARCH) v2.0 © 2007 Cisco Systems, Inc.
Case Study 4 Answer Key: CP Hotels Security and IPsec VPNNetworkBased on the scenario, this section includes a proposed solution. According to the case studyguidelines, there may be some minor variations in your solutions.Step 1 Hotel IPsec VPN• There is certainly some room for discussion concerning type of IPsec VPN. Some thoughtsare provided here:— Basic IPsec tunnels with EasyVPN is not appropriate due to weak security based onshared passwords.— “Raw” IPsec VPN with Reverse Route Injection (RRI) is a possibility to consider. Insome ways, it greatly simplifies addressing and routing. Some coherent assignmentof addresses to hotels would be needed, so that the injected routes would summarize.There would be no tunnels, so no need for addresses for tunnels. The RRI wouldeffectively make the hotels “stubby”, needing only to know summary routes to thedestinations at the data center. Raw IPsec does create a separate security associationper configured crypto ACL entry, which would represent some extra overhead onthe aggregating IPsec termination routers in the data center.— Generic Route Encapsulation (GRE) over IPsec would be messy to configure, butprovides dynamic routing and support for IP multicast. IP addressing for GRE ismoderately complex, since remote hotel addresses plus GRE tunnel addresses wouldneed to be considered.— DMVPN would reduce the number of tunnel interfaces at the head end, allowinglarger subnets than /30 to be used. It would allow dynamic routing but not IPmulticast. Since hotels do not need to directly communicate, the Next Hop RoutingProtocol (NHRP) features accompanying DMVPN would not be needed.— Group Encrypted Transport VPN (GET VPN) is another alternative. Since a fullmesh is not needed, GET VPN appears to provide little advantage to CP Hotels.— In all of the methods (except Easy VPN), specifying endpoint IP addresses, toprovide some control and security is recommended. This does mean that hotelswould need to have fixed IP addresses, and could not use DHCP from their ISP(s).There is another debate issue here. Generally, one would want business class DSL orcable services, with faster outage response times, and such plans generally include afixed (static) IP address.• The two best options in this case appear to be GRE over IPsec or DMVPN. The rest of thisanswer will assume GRE over IPsec has been chosen.• Each hotel would connect with two GRE tunnels, one to each data center.• The data center Hotel Module access routers would use default to the Internet to reachhotels. This is acceptable since they would not be forwarding any traffic to the CorporateInternet Module. Hotels would use default routes to the Internet and their ISP’s routing toreach the data centers.• For routing to each hotel, EIGRP is recommended. The design should make each hotelstubby, and filter all routes from the GRE tunnels except for corporate summary routes torelevant data center blocks of addresses. An alternative to filtering would be to summarizeall the hotel prefixes back to the hotel, eliminating all the more-specific prefixes.© 2007 Cisco Systems, Inc. Lab Guide 53
Page 1 and 2:
ARCHDesigning Cisco NetworkService
Page 3 and 4:
Table of ContentsLab Guide 1Overvie
Page 5 and 6: ARCHLab GuideOverviewThis guide pre
Page 7: MegaCorp Campus Case Study Scenario
Page 10: MegaCorp Campus Design TasksComplet
Page 13 and 14: Case Study 2: CP Hotels Addressing
Page 15 and 16: The following diagram illustrates t
Page 17 and 18: Note128 x 256 Kbps is approximately
Page 19 and 20: The routing design uses external Bo
Page 21 and 22: Addressing at CP HotelsHQ buildings
Page 23 and 24: CP Hotels Design TasksComplete thes
Page 25 and 26: Case Study 3: CP Hotels Network Ini
Page 27 and 28: Series switches use HSRP and EIGRP
Page 29 and 30: Step 3 (E-Commerce Redesign Stateme
Page 31 and 32: Case Study 4: CP Hotels Security an
Page 33 and 34: The following diagram indicates the
Page 35 and 36: The data centers will be connected
Page 37 and 38: Step 2 Review the CP Hotels design
Page 39 and 40: Case Study 5: DS Medical Research I
Page 41 and 42: DS-MRI Design TasksComplete these s
Page 43 and 44: Activity VerificationYour group has
Page 45 and 46: Answer KeyThe recommended solutions
Page 47 and 48: uplinks, since the speeds on the up
Page 49 and 50: Case Study 2 Answer Key: CP Hotels
Page 51 and 52: Another option uses 3 bits for desi
Page 53 and 54: Case Study 3 Answers: CP Hotels Net
Page 55: Step 3 E-Commerce Refresh• For th
Page 59 and 60: Step 2 CP Hotels Security• The to
Page 61 and 62: Case Study 5 Answer Key: DS Medical
Page 63 and 64: Step 5 High Level Storage Design•
Page 65 and 66: • DS-MRI would also need to ident
show all

Designing Cisco Network Service Architectures - Free Books

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?