CCDA Notes Modular Network Design
For many years, Cisco recommended a three-layer network design model: access layer, distribution layer, and core layer. However, to provide for enhanced scalability and flexibility, Cisco later introduced the Cisco Enterprise Architecture, which categorizes enterprise networks into six modules. The three layers of the Cisco Service Oriented Network Architecture (SONA) can be found in each of these six modules. Specifically, each module can contain its own network infrastructure, services, and applications. This section explores the design considerations surrounding the modules that comprise the Cisco Enterprise Architecture.
Designing the Network Hierarchy
Traditionally, Cisco prescribed a three-layer model for network designers. Those three layers, as shown, are as follows:
- Access layer—Typically, wiring closet switches connecting to end-user stations
- Distribution layer—An aggregation point for wiring closet switches, where routing and packet manipulation occur
- Core layer—The network backbone where high-speed traffic transport is the main priority
Modularizing Network Design
The three-layer hierarchical approach suffers from scalability limitations. For today’s enterprise networks, Cisco developed the Cisco Enterprise Architecture. The functional areas that comprise the Enterprise Architecture, as illustrated, include the following:
- Enterprise campus—The portion of the network design providing performance, scalability, and availability that defines operation within the main campus
- Enterprise edge—An aggregation point for components at the edge of the network (for example, Internet and MAN/WAN connectivity) that routes traffic to and from the Enterprise Campus functional area
- WAN and Internet—The portion of the network made available by a service provider (for example, Frame Relay or ATM)
- Enterprise branch—Remote network locations that benefit from extended network services, such as security
- Enterprise data center—A consolidation of applications, servers, and storage solutions (similar to a campus data center)
- Enterprise teleworker—A collection of small office/home office (SOHO) locations securely connected to the enterprise edge via an Internet service provider (ISP) or public switched telephone network (PSTN)
When designing the enterprise campus functional area of the enterprise architecture, as diagramed, four primary areas need to be addressed:
- Building access—Connects end-user devices to the network
- Building distribution—Aggregates building access switches and performs Layer 3 switching (that is, routing) functions
- Campus core—Provides high-speed, redundant connectivity between buildings
- Server farm and data center—Consolidates application servers, e-mail servers, domain name servers, file servers, and network management applications
The enterprise edge functional area contains the following modules:
- E-commerce—Contains the servers used to provide an e-commerce presence for an organization, including the following:
- Internet connectivity—Provides Internet-related services, including the following:
  - Domain Name System (DNS) servers
  - Public web servers
- WAN and MAN site-to-site VPN (virtual private network)—Interconnects a main office with remote offices over various transport technologies, such as the following:
- Remote access and VPN—Provides secure access for remote workers (for example, telecommuters) or remote offices and includes components such as the following:
  - Dial-in access concentrators
  - Cisco Adaptive Security Appliances (ASA)
  - Intrusion detection system (IDS) appliances
The WAN and Internet modules are sometimes referred to as service provider modules. These modules are the areas of the Enterprise Composite Network Model that are not explicitly designed, because the service provider modules are designed, owned, and operated by a service provider. However, the enterprise network designer can specify the type of connection to use in connecting to the service provider(s). Specifically, the service provider modules include the following types:
- Frame Relay
- Point-to-point leased line
- SONET and Synchronous Digital Hierarchy (SDH)
- Cable modem
- Digital subscriber line (DSL)
- Wireless bridging
Enterprise locations are supported via the following previously described modules:
- Enterprise branch
- Enterprise data center
- Enterprise teleworker
Identifying Infrastructure Services
Layered on top of an enterprise’s network infrastructure are infrastructure services, which enable business applications. Examples of these infrastructure services include the following.
The security service helps protect a network from both internal and external attacks. These threats might vary depending on the attack target (for example, the campus core or the e-commerce module). Therefore, security threats should be evaluated on a module-by-module basis.
Security services in enterprise edge can mitigate many attacks originating outside the enterprise network. However, some attacks might get through, and some attacks might originate internally. Therefore, critical devices in the enterprise campus need to be independently protected.
Examples of attacks that originate from outside the network include the following:
- IP spoofing
- Password attacks
- Denial-of-service (DoS) attacks
- Application layer attacks
- High-availability attacks
Today’s enterprise networks often carry mission-critical traffic. Therefore, one of your design goals should be to include a degree of redundancy in a design, such that traffic can continue to flow through the enterprise network even if there is a link or component failure. However, adding redundancy (for example, redundant WAN links) not only adds to the complexity of the network, but it can also dramatically increase the cost to implement the design. With these factors in mind, consider which specific areas of the network would benefit most from a redundant design.
Approaches to providing redundancy include the following:
- Adding redundant devices—You could add redundant switches/routers to your design, as demonstrated, so that traffic continues to flow even if a router or switch fails.
- Adding redundant physical connections to end stations—In a server farm, for example, you could have more than one network interface card (NIC) for each server. Each NIC could be connected to a different switch. Therefore, the server maintains network connectivity in the event of a single switch failure.
- Advertising multiple routes to reach a destination network—When you include physical redundant paths in your design, those routes should be advertised by a routing protocol with fast convergence (for example, Open Shortest Path First Protocol [OSPF] or Enhanced Interior Gateway Routing Protocol [EIGRP]).
- Adding redundant links for load balancing and to accommodate for a link failure—You can add more than one link between switches/routers, as depicted in Figure 2-5. These redundant links can not only improve network availability, but also provide load balancing for increased throughput.
Modern enterprise network designs need to support the transmission of voice traffic. This voice traffic can come from both analog phones (much like the phones typically found in homes) and IP phones, which are Ethernet devices that transmit voice IP packets. Because the analog phones cannot generate IP packets, they connect to analog gateways (such as Cisco routers), which convert the analog waveforms into IP packets.
The term Voice over IP, or VoIP, is used to describe the transmission of voice over a network using voice-enabled routers. However, the term IP telephony refers to the use of IP phones and a call-processing server (for example, Cisco Unified CallManager). The basic components of an IP telephony network, as shown, are as follows:
- IP phone—Provides IP voice to the desktop.
- Gatekeeper—Provides call admission control (CAC), bandwidth control and management, and address translation.
- Gateway—Provides translation between VoIP and non-VoIP networks, such as the PSTN. A gateway also provides physical access for local analog and digital voice devices, such as telephones, fax machines, key sets, and PBXs.
- Multipoint control unit (MCU)—Mixes audio/video streams, thus allowing participants in multiple locations to attend the same conference.
- Call agent—Provides call control for IP phones, CAC, bandwidth control and management, and address translation.
- Application server—Provides services such as voice mail, unified messaging, and Cisco CallManager Attendant Console.
- Videoconference station—Provides access for end-user participation in videoconferencing. The videoconference station contains a video capture device for video input and a microphone for audio input. The user can view video streams and hear the audio that originates at a remote user station. Cisco targets its VT Advantage product at desktop videoconferencing applications.
Other components, such as software voice applications, interactive voice response (IVR) systems, and softphones, provide additional services to meet the needs of enterprise sites.
Not all devices in an enterprise network are necessarily wired into the network. Today, wireless connectivity is growing in popularity, allowing users to roam throughout the enterprise with their wireless device, such as a laptop.
However, because wireless networks send data through radio waves, as opposed to using physical cabling, security becomes a concern. Improper wireless designs might have the radio waves extend out of the building, into neighboring buildings or a parking lot. This type of radio frequency coverage provides an opportunity for attackers to infiltrate the enterprise network.
These Quick Reference Sheets address wireless design considerations in much more detail in a different section. However, for now, understand that wireless LANs are made up of four primary components:
- End devices—For example, laptops and PCs that have a wireless network adapter
- Wireless access points—Devices that act much like a shared hub for wireless clients and serve as an interconnection between the wireless and wired networks
- Existing routed and switched wired network—The enterprise network to which wireless access points connect
- Wireless LAN controller—A device that adds management and support capabilities to a wireless LAN, in addition to services (for example, roaming)
Application Networking Services (ANS) can use caching and compression technologies to make LAN-like responsiveness available to application users at remote offices. For example, when a web page is downloaded to a remote office, the images that make up the web page can be locally cached. Then, if a subsequent request is made for that web page, the initially downloaded graphics can be retrieved from the local cache, providing better response time and less demand on the WAN bandwidth. Also, security services validate application requests and provide confidentiality through encryption.
Primary components of a Cisco ANS network include the following:
- Cisco Wide Area Application Engine (WAE)—An appliance that provides LAN-like responsiveness to enterprise applications and data
- Cisco Wide Area Application Services (WAAS)—Software that provides high-performance access to centralized applications, servers, and storage resources
- Cisco 2600/3600/3700 Series Content Engine Module—A module installed in certain Cisco router platforms that contributes to WAN bandwidth optimization
Specifying Network Management Protocols and Features
When designing a network, remember to include network management protocols and features to allow network administrators to monitor their network devices, network connections, and network services. A network management solution can contain the following elements:
- Network Management System (NMS)—An NMS is a server that runs some sort of network management software, such as CiscoWorks.
- Network Management Protocols—Commonly used protocols that support network management functionality include the following:
  - Simple Network Management Protocol (SNMP)—SNMP acts as the protocol used to transfer network management information between a managed device and a network management server. SNMP uses an SNMP agent that stores statistical information about a managed device inside of a Management Information Base (MIB). The three most popular implementations of SNMP are SNMPv1, SNMPv2c, and SNMPv3. The latest incarnation of SNMP (that is, SNMPv3) adds additional security levels.
  - Management Information Base (MIB)—A MIB defines specific types of information about a device that an SNMP server can retrieve using a network management protocol, such as SNMP.
  - Remote Monitoring (RMON)—RMON extends the information available in a MIB. Specifically, RMON collects and stores information locally on a device, and this information can be retrieved by an NMS to, for example, provide trend analysis. Many network devices support two levels of RMON, named RMON1 and RMON2. RMON1 only provides information about the physical and data link layers, whereas RMON2 can collect upper-layer information, as shown.
Managed network elements include the following:
- RMON—RMON extends the information available in a MIB. Specifically, RMON collects and stores information locally on a device, and this information can be retrieved by an NMS.
- Managed device—A managed device is an endpoint (such as a server) that can be monitored, and perhaps controlled, by an NMS.
- Management agent—A management agent is a piece of software that runs on a managed device. Management agents include both SNMP agents and RMON agents.
- Management information—Data stored in MIBs are commonly referred to as management information.
Other applications that can assist in network management include the following:
- NetFlow—The Cisco NetFlow technology offers another approach to monitoring network statistics. NetFlow can store information about network flows, which are unidirectional communications paths between two devices. This stored information can then be exported to a network management collector, such as a NetFlow Collection Engine. Because of the way NetFlow analyzes specific flows, its information gathering places minimal overhead on a router’s processor. Also, the data collected by NetFlow provides more detailed information than the data collected by RMON.
  NetFlow data can be used by various applications, such as the following:
  - Billing applications based on network usage
  - Applications used for network planning
  - Security monitoring applications
  - Applications that need to know the network’s quality of service (for example, amount of delay and percentage of dropped packets)
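A flow-aggregation sketch added here as an illustration, not part of the original notes or of Cisco's NetFlow implementation: it groups constructed packet records into unidirectional 5-tuple flows and then derives the billing and security-monitoring views listed above from those flows.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packet records, not a real capture:
# (source IP, destination IP, IP protocol, source port, destination port, bytes)
PACKETS = [
    ("10.1.1.5", "192.0.2.10", 6, 51000, 443, 120),
    ("192.0.2.10", "10.1.1.5", 6, 443, 51000, 1400),
    ("10.1.1.5", "192.0.2.10", 6, 51000, 443, 80),
    ("192.0.2.10", "10.1.1.5", 6, 443, 51000, 1400),
    ("10.1.1.7", "10.1.1.53", 17, 40000, 53, 60),
    ("10.1.1.53", "10.1.1.7", 17, 53, 40000, 130),
    ("10.1.1.9", "10.1.1.20", 6, 42000, 22, 60),
    ("10.1.1.9", "10.1.1.20", 6, 42001, 23, 60),
    ("10.1.1.9", "10.1.1.20", 6, 42002, 80, 60),
]

@dataclass
class Flow:
    packets: int = 0
    octets: int = 0

def build_flows(packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple.
    A TCP conversation therefore produces two flows, one per direction."""
    flows = defaultdict(Flow)
    for src, dst, proto, sport, dport, size in packets:
        flow = flows[(src, dst, proto, sport, dport)]
        flow.packets += 1
        flow.octets += size
    return dict(flows)

def bytes_sent_by_host(flows):
    """Octets sent per source host: the per-user accounting a billing application needs."""
    usage = defaultdict(int)
    for (src, _dst, _proto, _sport, _dport), flow in flows.items():
        usage[src] += flow.octets
    return dict(usage)

def hosts_touching_many_ports(flows, threshold):
    """Security-monitoring view: (source, destination) pairs whose flows reach at
    least `threshold` distinct destination ports, a crude port-sweep indicator."""
    ports = defaultdict(set)
    for (src, dst, _proto, _sport, dport), _flow in flows.items():
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= threshold)
```

The threshold for the port-sweep view is deliberately a parameter; on a real collector it would be tuned per module, since a server farm sees very different port diversity than a teleworker link.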
- Cisco Discovery Protocol (CDP)—Another protocol that can provide visibility into a network’s topology is CDP. CDP functions at Layer 2 of the OSI model and can dynamically discover adjacent Cisco devices. For example, a Cisco router could discover information about Cisco Catalyst switches connected to that router. Because CDP is a Layer 2 technology, adjacent devices do not need to have a Layer 3 IP address to be discovered.
- Syslog—Network managers can also benefit from the System Message and Error Reporting Service, commonly known as syslog. Cisco’s network devices can generate syslog messages to log various events to a syslog server. Each of these syslog messages contains a severity level and a facility. The severity level provides a measure of how serious an event is considered to be. For example, the debugging severity level (that is, Level 7) causes syslog messages to be sent for all routine operations, which can generate a large amount of output. However, a severity level of emergency (that is, Level 0) only generates a syslog message for the most serious events. A syslog facility identifies the service associated with the event. Examples of syslog facilities include IP, OSPF, and IPsec.
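An added example, not from the original notes or from Cisco: a parser for the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC:` message format, run over constructed sample lines to recover each message's facility and numeric severity and to filter by the severity thresholds described above (Level 0 most serious, Level 7 least).

```python
import re
from collections import Counter
from dataclasses import dataclass

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# IOS messages carry %FACILITY-SEVERITY-MNEMONIC: text; the prefix before '%' varies.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample lines in Cisco IOS format, not taken from a real device.
SAMPLE_LINES = [
    "Mar  1 10:15:42.311: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "Mar  1 10:15:43.002: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:16:01.540: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.5(4521) -> 10.1.1.5(23), 1 packet",
    "Mar  1 10:16:05.118: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.1",
    "Mar  1 10:16:09.770: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
]

@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    def severity_name(self):
        return SEVERITY_NAMES[self.severity]

def parse(line):
    """Return a SyslogMessage, or None when the line carries no Cisco-format message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return SyslogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])

def at_most_level(messages, level):
    """Keep messages at severity `level` or more serious (lower number = more serious),
    the same cut a device applies when told which level to forward to the server."""
    return [msg for msg in messages if msg.severity <= level]

def count_by_facility(messages):
    """Facility histogram: a quick way to see which service is generating the noise."""
    return dict(Counter(msg.facility for msg in messages))
```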