CCDA Notes Remote Connectivity Design
Remote office locations, such as branch offices or the homes of teleworkers, connect to the enterprise campus via the enterprise edge and enterprise WAN. When selecting an appropriate WAN technology to extend to these remote locations, design considerations include ownership (that is, private, leased, or shared ownership) of the link, reliability of the link, and a backup link if the primary link were to fail. This section explores various WAN technologies and provides guidance for designing the enterprise WAN and the enterprise branch.
Considering WAN Technology Options
In the Cisco Enterprise Architecture, the enterprise edge allows the enterprise campus to connect to remote offices using a variety of WAN, Internet access, and remote-access technologies (for example, secure virtual private network [VPN] access). A WAN spans a relatively broad geographical area and a wide variety of connectivity options exist.Therefore, designing a WAN can be a complex task. To begin a WAN design, first understand the following network characteristics:
- Service level agreement (SLA)—This document is an agreement between a customer and service provider that specifies acceptable levels of bandwidth, latency, and packet loss across a WAN.
- Cost and usage—Understanding how the WAN will be used can help determine a cost-effective technology to meet the design requirements.
The primary goals of WAN design include the following:
- The WAN must achieve the goals, meet the characteristics, and support the policies of the customer.
- The WAN must use a technology to meet present requirements, in addition to requirements for the near future.
- The expense of the WAN (one-time and recurring expenses) should not exceed customer-specified budgetary constraints.
Today’s WAN designer can select from a plethora of technologies.
Consider the characteristics of the following modern WAN technologies:
- Time-division multiplexing (TDM)—A TDM circuit is a dedicated point-to-point connection that is constantly connected. T1 and E1 circuits are examples of TDM circuits.
- Integrated Services Digital Network (ISDN)—ISDN uses digital
phone connections to support the simultaneous transmission of voice, video, and data. ISDN is considered to be a circuit-switched technology because an ISDN call is set up much the same way a telephone call is set up.
- Frame Relay—Frame Relay is considered to be a packet-switched technology, which uses the concept of permanent virtual circuits (PVC) and switched virtual circuits (SVC) to potentially create multiple logical connections using a single physical connection
- Multiprotocol Label Switching (MPLS)—MPLS is considered to be a label-switching technology, where packets are forwarded based on a 32-bit label, as opposed to an IP address. Service providers often use MPLS to engineer traffic through the network based on an initial route lookup, quality of service (QoS) classification, and application bandwidth requirements.
- Metro Ethernet—Metro Ethernet uses Ethernet technology to provide high-speed, yet cost-effective, links for some metropolitan-area networks (MAN) and WANs.
- Digital subscriber line (DSL)—DSL provides high-bandwidth links over existing phone lines. A variety of DSL implementations exist. The most popular type of DSL found in homes is asynchronous DSL (ADSL), which allows home users to simultaneously use their phone line for both high-speed data connectivity and traditional analog telephone access.
- Cable—Cable technology leverages existing coaxial cable, used for delivery of television signals, to simultaneously deliver highspeed data access to the WAN, and optionally to the public switched telephone network (PSTN), as illustrated.
- Wireless—Wireless technologies use radio waves to connect devices, such as cell phones and computers. As an example of a wireless application, wireless bridges can connect two buildings that are less than 1 mile apart and have a line-of-site path between them, as shown.
- Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH)—SONET and SDH both use TDM technology to provide services over an optical network, as demonstrated. Thanks to the optical transport used by these technologies, relatively high-bandwidth solutions are available. Some of the popular SONET/SDH access speeds include 155 Mbps and 622 Mbps, with a maximum bit rate of 10 Gbps.
- Dense wavelength division multiplexing (DWDM)—DWDM increases the bandwidth capacity of an optical cable by sending multiple traffic flows over the same fiber, with each flow using a different wavelength.
When selecting a WAN technology, be aware that provisioning a circuit can require 60 days or more. Therefore, sufficient lead time must be built in to the schedule. Also, Metro Ethernet coverage is limited compared to other technologies. Be sure to negotiate an SLA that meets your design requirements, and be conscious of the contract period. Typically, WAN contract periods are in the range of one to five years.
Enterprise edge design uses the PPDIOO approach discussed earlier.
Specifically, you should do the following:
- Determine network requirements—Network requirements are influenced by the volume and patterns of traffic generated by networked applications.
- Evaluate existing network technology—When documenting current network technology, include not only the types of equipment connected to the network (for example, hosts and servers), but also the location of the equipment.
- Design the network topology—The network topology design should preserve the customer’s existing investment by leveraging existing technology, with the understanding that upgrades might be required. Also, the proposed topology should accommodate not only existing traffic patters, but projected traffic patterns.
When you are designing networks to traverse the WAN, a primary design consideration is making the most efficient use of the relatively limited WAN bandwidth. Fortunately, Cisco provides a variety of QoS mechanisms that can help:
- Compression—By compressing the header/payload of a packet, that packet requires less bandwidth for transmission across a WAN. Therefore, compressing traffic is much like adding WAN bandwidth. However, there is a drawback. Compression requires processing resources from the router. Therefore, although more information can be sent across the same link speed, the router’s processor bears an additional burden.
- Link aggregation—Cisco routers support the bonding together of physical links into a virtual link. For example, if you have two serial interfaces, each running at a speed of 256 kbps, you can use a technology such as Multilink PPP (MLP) to create a virtual multilink interface running at a speed of 512 kbps.
- Window size—TCP traffic uses the concept of a “sliding window.” A window is the number of segments that a TCP sender can transmit before receiving an acknowledgment from the receiver. Network delay can be reduced by increasing the window size (that is, sending more TCP segments before expecting an
acknowledgment). However, on unreliable links that suffer from high error rates, the number of retransmissions could increase dramatically.
- Queuing—When a router is receiving traffic (for example, from a LAN interface) faster than it can transmit that traffic (for example, out of a WAN interface), the router delays the excess traffic in a buffer called a queue. To prevent bandwidth-intense applications from consuming too much of the limited WAN bandwidth, various queuing technologies can place different types of traffic into different queues, based on the traffic priority. Then, different amounts of bandwidth can be given to the different queues, allowing more important applications to receive the bandwidth they need, as illustrated.
- Traffic conditioning—To prevent some types of traffic (for example, music downloads from the Internet) from consuming too much WAN bandwidth, a traffic conditioner called policing can be used to set a “speed limit” on those specific traffic types, and drop any traffic exceeding that limit. Similarly, to prevent a WAN link from becoming oversubscribed (for example, oversubscribing a remote office’s 128 kbps link when receiving traffic from the headquarters that is transmitting at a speed of 768 kbps), another traffic conditioner, called shaping, can be used to prevent traffic from exceeding a specified bandwidth. With shaping, compared to policing, excessive traffic is delayed and transmitted when bandwidth becomes available, instead of being dropped. Unlike shaping, policing mechanisms can also re-mark traffic, giving lower-priority QoS markings to traffic exceeding a bandwidth limit. Policing mechanisms include Committed Access Rate (CAR) and class-based policing; examples of shaping mechanisms include Frame Relay Traffic Shaping (FRTS) and class-based shaping.
Performing the Enterprise WAN Design
When considering design elements for the enterprise WAN, be aware of possible WAN design choices. Consider the following WAN design categories:
- Traditional WAN design—Most traditional WAN designs could be categorized under one of three options:
1. Leased Lines—A leased line is a point-to-point connection that provides a reserved amount of bandwidth for a customer
An example of a leased line WAN is a T1 link between two sites using PPP.
2. Circuit switched—A circuit-switched design uses circuits that are brought up on an as-needed basis and then torn down. ISDN falls under the category of a circuit-switched network.
3. Packet/cell switched—A packet-switched (for example, Frame Relay) or cell-switched (for example, ATM) network can use permanent virtual circuits (PVC) and switched virtual circuits (SVC) to connect multiple sites. These networks can leverage a variety of topologies, such as full mesh or hub and spoke. - Remote-access network design—Remote-access networks allow remote employees (for example, telecommuters or traveling salespeople) to access the corporate network. Besides data, a remoteaccess network might also need to support voice calls. Typical technologies offering remote access include dial-up (using a traditional modem or an ISDN connection), DSL, cable, and wireless.
- Virtual private network (VPN) design—A VPN can provide security to a remote connection by creating a virtual tunnel through which all traffic is sent, even though the connection might be traversing an untrusted network. One type of VPN is a site-tosite VPN, which might connect a remote office with the headquarters office over the publicly accessible Internet. In such a design, each site typically has hardware to terminate each end of the VPN tunnel. Another option is to have VPN client software on a user’s PC, allowing them to connect to the headquarters’ VPN equipment and set up a secure VPN connection, by providing credentials, such as a username and password.shows sample topologies of these VPN types.
- WAN backup design—WAN links tend to be less reliable than LAN connections. Therefore, a good WAN design provides for fault tolerance in the form of a WAN backup. Consider the following options:
1. Dial Backup Routing—Dial backup routing uses dial-up technologies, such as modem and ISDN technologies, to bring up a backup link if the primary link fails.
2. Redundant WAN link—Instead of having a backup link that comes up only when needed, a secondary WAN link can be a permanent link. One option for using this permanent secondary link is to use a floating static route, or a routing protocol, to send traffic over that secondary link only when the primary link is unavailable.Another option is to leverage the extra bandwidth provided by the secondary link and perform load balancing across both links, when both links are available. Then, if one link goes down, the other link can carry all the traffic.
3. Shadow PVC—A shadow PVC is made available by your service provider, typically at an extra charge. This shadow PVC becomes active only if your primary PVC becomes unavailable.
4. IPsec tunnel—Because most networks already have Internet access, in addition to WAN links that connect office locations, the Internet can act as a backup WAN link. However, because the Internet is a public network, security becomes a concern. IPsec tunneling can alleviate that concern by protecting sensitive corporate traffic inside a secure VPN tunnel.
At this point, you understand remote connectivity requirements, and you have been exposed to various WAN architectures. You are now ready to select an appropriate WAN architecture for your design. Following are design considerations for the enterprise WAN architecture:
- Network growth—Your design should not only accommodate existing bandwidth requirements but should also allow the customer to grow their network along with their business.
- Availability—A common availability design goal is for the network to be up 99.999 percent of the time. This metric is commonly referred to as “the five nines of availability.” The five nines of availability translates into only five minutes of downtime per year. A key design factor that influences availability is redundancy. Redundancy should be built in to the design, such that no major component (for example, a router or a WAN link) represents a single point of failure. In addition to equipment and link backups, also consider a power backup. Do you have sufficient UPS (uninterruptible power supply) and generator equipment in your design to sustain key network components if an extended power outage occurs?
- Recurring expenses—Companies pay regular subscription fees to their service provider for their WAN service. This type of recurring expense (in addition to equipment leases) can influence your decision in selecting a WAN technology. For example, Frame Relay and ATM WANs usually cost more than using an IPsec VPN over the public Internet. However, performance trade-offs might come with cost savings. For example, if you select an IPsec VPN over the Internet, as opposed to a Frame Relay network, your network might suffer from QoS issues.
- Network complexity—Your customer might have their own IT staff for maintaining their WAN connection. Therefore, you need to understand the skill set of the IT staff and their ability to work with complex network designs, because different WAN technologies require differing levels of technical expertise.
- Multimedia support—Determine whether the customer is going to use the WAN link to transmit voice/video. If these types of multimedia applications are going to be transmitted over the network, your design must include QoS mechanisms to ensure appropriate treatment for these latency-sensitive traffic types.
- Migration expense—Migrating one MAN/WAN technology to another MAN/WAN technology often necessitates a significant initial investment (for example, to cover the expenses of the new equipment, installation labor, and employee training). However, this initial investment might very well be recovered from future cost savings. Therefore, your design should include a return on investment (ROI) calculation for your proposed expenditures.
- Network segmentation—Instead of having multiple autonomous networks, having a single network that is logically segmented can reduce the expenses (for example, equipment and maintenance expenses) of supporting multiple physical networks. The single physical network can be logically segmented into multiple network segments, thus providing security between the different segments.
After identifying the remote connectivity requirements and architecture for a design, the next step is to select the specific WAN components to be used in the design. This step involves the selection of hardware and software components:
- Hardware selection—When selecting hardware for your design, examine the product documentation looking for such product specifics as port density, throughput, enhanced capabilities, and redundancy.
- Software selection—Cisco IOS Software supports a wide variety of features, services, and platforms. For example, consider the following “trains” of IOS Software:
1. T Train—T train Cisco IOS Software supports IP services such as IP communications, security, and mobility. Such services are well suited for the enterprise core and service
provider edge.
2. S Train—S train Cisco IOS Software is appropriate for highend enterprise core networks. The S train offers various IP services and infrastructure features such as MPLS, video, and multicast.
3. XR Train—XR train Cisco IOS Software is appropriate for large-scale networks. The XR train offers high availability features such as in-service software upgrades.
When selecting an appropriate Cisco IOS version, you might need to select from various IOS feature sets. As a reference,provides a sampling of features included in various feature sets.
Performing the Enterprise Branch Design
The Cisco enterprise branch architecture seeks to extend enterprise services (for example, voice, video, and security services) to smaller branch locations. An employee’s residence can also serve as a branch office.
Following are devices commonly found in enterprise branch architectures:
- WAN routers
- LAN switches
- Security appliances
- Wireless access points
- Call-processing servers for voice/video calls (for example, Cisco
Unified CallManager) - Endpoints (for example, IP phones and computers)
When designing the enterprise branch, consider the following issues:
- Total number of branch locations
- Total number of connected devices
- Anticipated growth
- Level of required security Server farm requirements
- Location of network management system
- Impact of wireless networking (if used)
- Available budget
While a branch office is considered to be a “smaller” remote office, different degrees of smallness exist. Specifically, branch offices can be categorized as one of the following:
- Small branch office—A branch office is considered small if it has fewer than 50 users. The network supporting a small branch office is typically a single-tier design, as opposed to a hierarchical design. Therefore, Spanning Tree Protocol (STP) design is not an issue, although STP should be enabled to prevent the accidental creation of a Layer 2 switching loop. Design recommendations might include the integration of switch ports into an Integrated Services Router (ISR) or a multiservice router, using a Cisco EtherSwitch module.
- Medium branch office—A branch office is considered medium sized if it supports 50 to 100 users. This type of network can benefit from a two-tier design. Therefore, STP becomes a design issue. Because of the increased number of devices to be supported on the network, instead of integrating switch ports into a router, external stackable switches might be used.
- Large branch office—A branch office is considered large if it supports at least 100 users, but no more than 200 users. With this number of users, the network design can start to benefit from a three-layer hierarchical design. Redundant components (for example, redundant distribution layer switches and redundant WAN routers running Hot Standby Router Protocol [HSRP]) can improve the network’s availability. Access layer switches tend to be higher-density stackable switches, whereas distribution layer switches might run enhanced Cisco IOS images to support, for example, multiple routing protocols and policy-based routing.
Other than the small, medium, and large sized branch offices, some networks support teleworkers, which are sometimes considered to be a “branch of one.” Enterprise teleworkers, however, can be distinguished from typical telecommuters in that enterprise teleworkers enjoy access to networking services typically available to clients of a corporate network (for example, VoIP, videoconferencing, and real-time collaboration applications). These services are usually available to teleworkers over a secure VPN connection because the link between a teleworker’s home and the corporate office is via the public Internet. Access to the Internet leverages widely available broadband services, such as DSL and cable. If the broadband link becomes unavailable, a traditional dialup modem can be used as a backup link.
More Resources