Designing Cisco Network Service Architectures - Free Books

More documents

Recommendations

Info

• Note that each access router would need to be connected to its peer in the other data centerif it advertises a summary. The EIGRP design permits summarization at the aggregationrouters and decreased peering to the core. Furthermore, if point-to-point Ethernet links areused rather than a VLAN to interconnect access routers and their aggregation router, theinfrastructure can filter or summarize on the point-to-point links to limit the propagation ofspecific prefixes. A GRE tunnel flap might affect the connected access router, which wouldpass the change information to its aggregation router, but the summaries or filtering wouldstop the change from propagating elsewhere.• This design controls routing impact of any instability in local or regional ISPs. EIGRPprovides us the ability to summarize more flexibly and more thoroughly, for greaterreduction of change propagation than OSPF would permit.• Concerning routing, the assumption is that the Internet links are big pipes (OC-12 perhaps)terminating in a pair of routers at each data center. All these routers would do is forwardthe IPsec traffic to the proper access router. Note that the ISP links would have toaccommodate approximately 1 Mbps x 2000 hotels = 2 Gbps, with some oversubscriptionand load balancing across two edge devices at each data center . For less oversubscriptionat higher cost, multiple OC-12 connections, or single OC-48 connections, could be used toeach router. Gigabit Ethernet connections would cost less for equipment, if available.• Concerning IP addressing, the existing scheme could be used. One alternative approachwould be to determine the optimal number of access routers, based on IPsec and routingload on CPU under adverse conditions.— For example, the 7200 VXR with VAM-2 is rated at 280 Mbps of AdvancedEncryption Standard (AES) encrypted traffic. All traffic is two-way (encrypt,decrypt) so the rating is 140 Mbps of connectivity. A conservative design would beto figure on about 70 Mbps of throughput, to leave some CPU resources for othertasks including some GRE overhead. Taking our 2 Gbps worst-case figure, 2000/70= 29 access routers. This would fit our approach with Frame Relay, using 32 accessrouters, each connecting to 64 sites. Note that the number of tunnels is not close tobeing a problem. With this approach, the old addressing scheme could be re-used,which would simplify migration as well. Furthermore, the number of remote sitesaffected by any access layer problem would not be too great.— Another example would be to use the VPN SPA in a Cisco 7600 Series routerchassis. It is rated at up to 2.5 Gbps of AES for each SPA. Conservative designmight then terminate 600 Mbps of traffic per SPA. Four 7600 chassis with one VPNSPA each, or two with two each are possible approaches. However, you should testthis load in a Cisco Customer Proof-of-Concept (CPOC) lab since putting 500routing and tunnel peers on one device would impose a very heavy routing burdenunder adverse conditions. It is not recommended to have 1000 dynamically routedpeers on one device, even just in terms of managing risk and the impact of anydowntime.— With this latter approach (4 x Cisco 7600 Series routers with VPN SPA), there willbe 500 hotels per regional access routers. An addressing scheme such as 10.011rrsss.ssss ssss.hhhh hhhh could be used, where “r” is access router, “s” is subnet, “h”is host. This reworks the prior addressing scheme by removing the area bits, sincethe hotels would get a summary for all of 10.96-127, 10.96.0.0 mask 255.224.0.0,rather than any smaller summaries or specific prefixes.— It might be wise to allocate more values in the 3 rd octet, to allow for expansion toperhaps twice as many access routers and hotels. Future expansion is possible, assuccessful businesses do grow.54 Designing Cisco Network Service Architectures (ARCH) v2.0 © 2007 Cisco Systems, Inc.
Step 2 CP Hotels Security• The topic of security and managing risk is large. Although only a portion of security topicsare specifically covered in this course, security considerations and analysis need to bebroad.• This case study assumes that there is no hidden external connectivity, including any formsof remote (server, network, telephone) administrative access. Specifically, the followingparts of the CP Hotels network connect to external entities via the data centers:— All HQ buildings— Call Centers• A network audit should be used to confirm the validity of this assumption.• The web DMZ is well secured with firewalls inside the Collocation Facilities.• There is remote support access to the mainframe, but it is powered off when not needed.• The Corporate Internet access uses firewalls.• The Partner module uses firewalls to secure all partner connectivity, and only allows accessto specific servers.• Hotels and the hotel module do connect to the Internet. The Hotels Module Internet edgetraffic could be secured with firewalls, however, only IKE and IPsec traffic is allowed intothe edge routers. There may be a philosophical debate lurking here, as to exactly how andwhy firewalls are better than routers with access lists.• The IPS units should be placed inside external firewalls (or routers) to detect suspect ormalicious traffic that makes it through the outermost level of security. A suitable number ofMARS units for monitoring should be located in one or both data centers. All of thisrequires staffing and training to allow for the necessary level of monitoring and rulesmaintenance.• An anomaly detection and a Distributed Denial of Service (DDoS) mitigation plan isrecommended for the E-Commerce site. This might be provided by either CP Hotels or bythe Collocation Provider.• Internal security and governance are a growing concern. Further discussions with CPHotels are recommended concerning firewalls or other isolation techniques to create secureserver zones, protecting key servers from attack via other servers. Integrating NAC rolebasedsubnets to allow control over which internal users can send traffic of any kind to keyservers is recommended. This will prevent a generic staffer from using hacker tools to tryto find and exercise a server exploit, at least on critical groups of servers.• The remaining major risk is the 2000 hotels. With 2000 routers, each with 3 access lists(outside interface, GRE tunnel interface, office LAN interface), there is a high likelihood oferror. Having a configuration auditing capability is recommended, to detect situationswhere the access list deviates from policy, or where an access list is not currently applied toan interface. (This does really happen!)• In addition, there is the whole topic of audit and accountability trail on access listexceptions. Who granted each one, why was it needed, who is the point of contact, whenwas the information last verified, etc. Otherwise, access lists just get longer and longer,with many entries that nobody can explain. The form should be capable of emitting a list ofauthorized exceptions per-site, to allow for some form of automated access list checking.• Routing security and Control Plane Policing might also be considered for CP Hotels. Thesetopics can be considered lower priority than the other items above.© 2007 Cisco Systems, Inc. Lab Guide 55
Page 1 and 2:
ARCHDesigning Cisco NetworkService
Page 3 and 4:
Table of ContentsLab Guide 1Overvie
Page 5 and 6:
ARCHLab GuideOverviewThis guide pre
Page 7: MegaCorp Campus Case Study Scenario
Page 10: MegaCorp Campus Design TasksComplet
Page 13 and 14: Case Study 2: CP Hotels Addressing
Page 15 and 16: The following diagram illustrates t
Page 17 and 18: Note128 x 256 Kbps is approximately
Page 19 and 20: The routing design uses external Bo
Page 21 and 22: Addressing at CP HotelsHQ buildings
Page 23 and 24: CP Hotels Design TasksComplete thes
Page 25 and 26: Case Study 3: CP Hotels Network Ini
Page 27 and 28: Series switches use HSRP and EIGRP
Page 29 and 30: Step 3 (E-Commerce Redesign Stateme
Page 31 and 32: Case Study 4: CP Hotels Security an
Page 33 and 34: The following diagram indicates the
Page 35 and 36: The data centers will be connected
Page 37 and 38: Step 2 Review the CP Hotels design
Page 39 and 40: Case Study 5: DS Medical Research I
Page 41 and 42: DS-MRI Design TasksComplete these s
Page 43 and 44: Activity VerificationYour group has
Page 45 and 46: Answer KeyThe recommended solutions
Page 47 and 48: uplinks, since the speeds on the up
Page 49 and 50: Case Study 2 Answer Key: CP Hotels
Page 51 and 52: Another option uses 3 bits for desi
Page 53 and 54: Case Study 3 Answers: CP Hotels Net
Page 55 and 56: Step 3 E-Commerce Refresh• For th
Page 57: Case Study 4 Answer Key: CP Hotels
Page 61 and 62: Case Study 5 Answer Key: DS Medical
Page 63 and 64: Step 5 High Level Storage Design•
Page 65 and 66: • DS-MRI would also need to ident
show all

Designing Cisco Network Service Architectures - Free Books

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?