
www.CareerCert.info

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.

DESGN v2.0-1


Course Introduction

Designing for Cisco Internetwork Solutions v2.0


Learner Skills and Knowledge

Prerequisite skills and knowledge:
Cisco CCNA certification
Recommended training: Introduction to Cisco Network Technologies
Recommended training: Interconnecting Cisco Network Devices
Building Cisco Multilayer Switched Networks-level knowledge of wireless and QoS topics
Recommended training: Building Cisco Multilayer Switched Networks
Practical experience with deploying and operating networks based on Cisco network devices and Cisco IOS Software


Course Goal
To enable learners to gather customer internetworking requirements, identify solutions, and design the network infrastructure and services to ensure the basic functionality of the proposed solutions

Designing for Cisco Internetwork Solutions v2.0


Course Flow

Day 1 AM: Course Introduction; Applying a Methodology to Network Design
Day 1 PM: Structuring and Modularizing the Network
Day 2 AM: Designing Basic Campus and Data Center Networks
Day 2 PM: Designing Remote Connectivity
Day 3 AM: Designing IP Addressing and Selecting Routing Protocols
Day 3 PM: Evaluating Security Solutions for the Network
Day 4 AM: Identifying Voice Networking Considerations
Day 4 PM: Identifying Wireless Networking Considerations
Day 5 AM: Implementing and Operating the Network; Final Case Study
Day 5 PM: Final Case Study

Lunch separates the AM and PM sessions each day.


Cisco Icons and Symbols


Cisco Icons and Symbols (Cont.)


Cisco Certifications


Cisco Career Certifications

DESGN: Certification for associate-level recognition in network design

Level | Certification | Required Exam | Recommended Training Through Cisco Learning Partners
Expert | CCDE | |
Professional | CCDP | |
Associate | CCDA | 640-863 DESGN | Designing for Cisco Internetwork Solutions; Building Cisco Multilayer Switched Networks
Associate | CCNA | 640-801 CCNA | Interconnecting Cisco Network Devices; Introduction to Cisco Network Technologies

http://www.cisco.com/go/certifications


Applying a Methodology to Network Design

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Applying a Methodology to Network Design

Introducing the Cisco Service-Oriented Network Architecture


Growth of Applications

(Slide graphic: a cloud of the application, integration, and infrastructure terms an enterprise network now has to carry.) Terms shown: Telephony, Business Intelligence, EDI, Custom Protocol, Partners, Compression, Business Rules, Field Organizations, Message Broker, Data Center Transformation, .Net, Mobile Services, Branch Offices, Business-to-Business Gateway, ESB, Database Lookup, MQ Series, Compliance Logging, EAI, Distribution, Load Balancing, J2EE, Legacy Applications, Web Service, Business-to-Business Links, ASP, Adapters, Standards, Security, Extranet, Remote Environments, Event Capture, RFID.

IT Evolution
From Connectivity to Intelligent Systems


New Business Requirements


Intelligence in the Network


Cisco Service-Oriented Network Architecture Framework

SONA is an architectural framework.
SONA brings several advantages to enterprises:
Outlines how enterprises can evolve toward a more intelligent network
Illustrates how to build integrated systems across a fully converged intelligent infrastructure
Improves flexibility and increases efficiency


Cisco SONA Layers


Overview of Cisco SONA Offerings


Benefits of SONA

Benefit | Description
Functionality | Supports organizational requirements
Scalability | Supports growth and expansion of organizational tasks
Availability | Provides necessary services reliably, anywhere, anytime
Performance | Provides responsiveness, throughput, and utilization on a per-application basis
Manageability | Provides control, performance monitoring, and fault detection
Efficiency | Provides network services with reasonable operational costs and appropriate capital investment


Summary

Drivers for a new network architecture include these factors:
Growth of applications
IT evolution from connectivity to intelligent systems
Increased business expectations for networks

Cisco's vision of intelligence in the network aligns network and business requirements in three phases:
Phase 1 is integrated transport.
Phase 2 is integrated services.
Phase 3 is integrated applications.

Cisco SONA is the enterprise framework for building intelligence in the network:
Layer 1 is the integrated infrastructure layer.
Layer 2 is the interactive services layer.
Layer 3 is the application layer.

Identifying Design Requirements

Applying a Methodology to Network Design


PPDIOO Network Life-Cycle Approach


Benefits of the Life-Cycle Approach


Design Methodology Under PPDIOO

Three steps in the design methodology:
1. Identify the customer requirements.
2. Characterize the existing network and sites.
3. Design the topology and network solutions.


Identifying Customer Requirements


Identifying Planned Applications

Application Type | Application | Criticality (Critical/Important/Unimportant) | Comments
E-mail | | |
Groupware | | |
Web browsing | | |
Video on demand | | |
Database | | |
Customer support | | |


Example: Planned Applications

Application Type | Application | Criticality (critical/important/unimportant) | Comments
E-mail | Microsoft Outlook | Important |
Groupware | Cisco Unified MeetingPlace | Important | We need to be able to share presentations and applications during remote meetings.
Web browsing | Microsoft Internet Explorer, Opera, Netscape | Important |
Video on demand | IP/TV | Critical |
Database | Oracle | Critical | All data storage will be based on Oracle.
Customer support | Customer applications | Critical |

Identifying Planned Infrastructure Services

Service | Comments
Security |
QoS |
Network management |
High availability |
IP telephony |
Mobility |


Example: Planned Infrastructure Services

Service | Comments
Security | Deploy security systematically, including firewalls, intrusion detection systems (IDSs), and access control lists (ACLs)
QoS | Give priority to delay-sensitive voice traffic and other important traffic
Network management | Use centralized management tools where appropriate and point product management as required
High availability | Eliminate single points of failure and use redundant paths as needed
IP telephony | Want to migrate company from regular telephony
Mobility | Need client laptop guest access along with mobility of employee PCs


Identifying Organizational Goals

Organizational Goal | Gathered Data | Comments
Increase competitiveness | List competitive organizations and their abilities | Point out possibilities to increase competitiveness
Reduce costs | List current expenses | Point out cost-reduction possibilities
Improve customer support | List current customer support | Point out possible steps to improve customer support
Add new customer services | List current customer services | List future desired services


Example: Organizational Goals

Organizational Goal | Gathered Data (Existing Situation) | Comments
Increase competitiveness | Corporation Y, Corporation Z | Better products; reduce costs
Reduce costs | Enter data multiple times; time-consuming tasks | Single data-entry point; easy-to-learn application; simple data exchange
Improve customer support | Order tracking and technical support supported by individuals | Web-based order tracking; web-based customer technical support tools
Add new customer services | Telephone and fax orders; telephone and fax confirmation | Secure web-based ordering; secure web-based confirmations


Assessing Organizational Constraints

Organizational Constraint | Gathered Data | Comments
Budget | Amount of money to spend | Identify the amount of money the organization is willing to spend
Personnel | List available personnel and their expertise | Specify the number of network engineers who have to attend the additional training
Policy | List preferred standards, protocols, vendors, applications | Determine if the organization is willing to buy equipment from a new vendor
Scheduling | Specify time frame | Use tools for resource assignment, milestones, critical-path analysis


Example: Organizational Constraints

Organizational Constraint | Gathered Data (Existing Situation) | Comments
Budget | $650,000 | Budget can be extended by a maximum of $78,000
Personnel | Engineers with Cisco CCNA certificates and Cisco CCNP certificates | Plans to hire new engineers in the network department; need technical development plan
Policy | Prefers single vendor and standardized protocols | Current equipment: Cisco; prefers to stay with it
Scheduling | Plans to introduce new applications in the next nine months | New applications include video conferencing, groupware, and IP telephony


Identifying Technical Goals

Technical Goals | Importance | Comments
Responsiveness and throughput | |
Availability | |
Manageability | |
Security | |
Adaptability | |
Scalability | |
Total | 100 |


Example: Technical Goals

Technical Goals | Importance | Comments
Performance | 20 | Important at the central site, less important in branch offices
Availability | 25 | Should be 99.9 percent
Manageability | |
Security | 15 | Security for critical data transactions is extremely important
Adaptability | 10 |
Scalability | 25 | Scalability is critical
Total | 100 |


Example: Technical Constraints

Technical Constraints | Gathered Data | Comments
Existing wiring | Coaxial cabling | Replace existing coaxial cabling. Use twisted-pair to desktop and fiber optics for uplinks and in the backbone.
Bandwidth availability | 64-kbps WAN links | Upgrade speeds; consider another service provider with additional services to offer.
Application compatibility | IPv6-based applications | Make sure new network equipment supports IPv6.


Summary

The PPDIOO approach reflects the life-cycle phases of a standard network.

The design methodology under PPDIOO includes these processes:
Identifying customer requirements
Characterizing the existing network and sites
Designing the network topology and solutions

Key steps in identifying customer requirements include these:
Identifying network applications and services
Defining organizational goals and constraints
Defining technical goals and constraints


Characterizing the Existing Network and Sites

Applying a Methodology to Network Design


Characterizing the Existing Network and Sites

Gather documentation and query the organization.
Perform a site and network assessment to help detail the network.
Consider performing traffic analysis on the existing network and applications.


Identifying Major Features of the Network

Collect the information about the planned and existing network infrastructure:
Site contact information
Network topology such as network devices, physical and logical links, external connections, encapsulations, bandwidths, IP addressing, routing protocols
Network services such as security, QoS, high availability, IP telephony, storage, and wireless
Network applications such as unified communications and video delivery
Collect the information about expected network functionality.
Identify network modules based on the given information.


Sample Site Contact Questions


What is the site location or name?
What is the site address?
What is the shipping address?
Who is the site contact?
Is this site owned and maintained by the customer?
Is this a staffed site?
What are the hours of operation?
What are the building or room access procedures?
Are there any special security or safety procedures?
Are there any union or labor requirements or procedures?
What are the locations of the equipment cabinets and racks?


Example: Customer Network Diagram


Network Assessment Information Sources


Example: Network Assessment


Network Assessment Tools

Manual assessment:
Use monitoring commands on network devices on small networks.
Use scripting tools to collect information on large networks.
Use existing management and auditing tools:
CiscoWorks
Third-party tools such as WhatsUp Gold, Castle Rock SNMPc, open source Cacti, Netcordia NetMRI, and NetQoS NetVoyant
Use other tools to collect relevant information for the network devices:
Third-party tools such as Network General Sniffer, AirMagnet software and devices, and WildPackets AiroPeek


Commands for Manual Information Collection


Example: Manual Information Collection: Router CPU Utilization


Example: Manual Information Collection: Router Memory Utilization


Example: Automatic Information Collection: Cacti Device List


Example: Automatic Information Collection: NetMRI Inventory


Network Traffic Analysis


Use organizational input to identify the applications used in the
existing network and their relative importance.
Perform a traffic analysis to reveal additional applications used in
the network.
Use the results and organizational input to define QoS and
security-related requirements for discovered applications.


Steps in Analyzing Network Traffic


Example: Traffic Analysis

Application No. 8:
Description: Accounting software
Protocol: TCP port 5151
Servers:
Clients: 50
Scope: Campus
Importance: High
Average rate: 50 kbps with 10-second bursts to 1 Mbps
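The profile above is what a traffic analysis should produce for each application. The following Python script is an added example, not part of the course material: it aggregates constructed flow records (the kind NetFlow exports) per protocol and server port, counts servers and clients, computes the average rate over the capture window and the peak 10-second burst, and flags ports that the organization did not list, which is how the analysis reveals additional applications. The flow records, the 60-second window, the port-to-application table and the addresses are all constructed for illustration; a real analysis would spread a flow's bytes across its duration rather than crediting them to its start interval, as this simplified version does.

```python
from collections import defaultdict

# Applications the organization listed in its input, keyed by (protocol, server port).
# Constructed for this example.
KNOWN_APPS = {
    ("tcp", 5151): "Accounting software",
    ("tcp", 80): "Intranet web",
}

CAPTURE_WINDOW = 60   # seconds covered by the constructed capture below (assumed)
BURST_INTERVAL = 10   # the profile above reports bursts over 10-second intervals

# Constructed flow records: (start_second, client_ip, server_ip, protocol, server_port, bytes).
# Addresses and volumes are illustrative; nothing here was captured from a real network.
FLOWS = [
    (0,  "10.2.0.11", "10.1.1.10", "tcp", 5151, 75_000),
    (12, "10.2.0.12", "10.1.1.10", "tcp", 5151, 75_000),
    (31, "10.2.0.13", "10.1.1.10", "tcp", 5151, 1_200_000),   # batch upload burst
    (45, "10.2.0.11", "10.1.1.10", "tcp", 5151, 150_000),
    (5,  "10.2.0.11", "10.1.1.20", "tcp", 80, 300_000),
    (50, "10.2.0.14", "10.1.1.20", "tcp", 80, 300_000),
    (20, "10.2.0.15", "10.1.1.30", "tcp", 8443, 120_000),    # not in the organization's list
]


def profile_flows(flows, window=CAPTURE_WINDOW, interval=BURST_INTERVAL):
    """Build one application profile per (protocol, server port) from flow records."""
    acc = defaultdict(lambda: {"bytes": 0, "per_interval": defaultdict(int),
                               "servers": set(), "clients": set()})
    for start, client, server, proto, port, nbytes in flows:
        entry = acc[(proto, port)]
        entry["bytes"] += nbytes
        # Simplification: a flow's bytes are credited to the interval in which it started.
        entry["per_interval"][start // interval] += nbytes
        entry["servers"].add(server)
        entry["clients"].add(client)

    profiles = {}
    for key, entry in acc.items():
        peak_bytes = max(entry["per_interval"].values())
        profiles[key] = {
            "application": KNOWN_APPS.get(key, "unidentified"),
            "identified": key in KNOWN_APPS,
            "servers": sorted(entry["servers"]),
            "clients": len(entry["clients"]),
            "avg_kbps": entry["bytes"] * 8 / window / 1000,
            "peak_kbps": peak_bytes * 8 / interval / 1000,
        }
    return profiles


def unidentified(profiles):
    """Ports seen in the capture that organizational input did not account for."""
    return sorted(key for key, p in profiles.items() if not p["identified"])


def format_profile(key, p, interval=BURST_INTERVAL):
    """Render a profile in the layout the traffic-analysis example uses."""
    proto, port = key
    return "\n".join([
        f"Description: {p['application']}",
        f"Protocol: {proto.upper()} port {port}",
        f"Servers: {', '.join(p['servers'])}",
        f"Clients: {p['clients']}",
        f"Average rate: {p['avg_kbps']:g} kbps with {interval}-second bursts "
        f"to {p['peak_kbps']:g} kbps",
    ])


if __name__ == "__main__":
    profiles = profile_flows(FLOWS)
    for key in sorted(profiles):
        print(format_profile(key, profiles[key]), end="\n\n")
    print("Ports to discuss with the organization:", unidentified(profiles))
```

The unidentified list is the input to the last step on the previous slide: each such port goes back to the organization so that its QoS and security requirements can be defined before the design is drawn up.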


Network Analysis Tools


Cisco IOS Software analysis capabilities:
NBAR
NetFlow
Cisco software-based network analyzers:
Cisco CNS NetFlow Collection Engine
Third-party tools, such as:
Open source Cacti
Network General Sniffer
WildPackets EtherPeek and AiroPeek
SolarWinds Orion
Wireshark
RMON probes

Example: NBAR Printout


Example: Cisco IOS NetFlow Printout


Example: Cacti Graph


Example: SolarWinds Orion


Summary Report
Characterization of the existing network results in a
summary report that is used to:
Describe the software features required in the network
Describe possible problems in the existing network
Identify the actions needed to prepare the network for the
implementation of the required features
Influence the customer requirements


Example: Equipment Summary Report


The network uses 895 routers:
655 routers use Cisco IOS Software Release 12.2(10).
240 routers use an older Cisco IOS Software version.


Example: Summary Report


Problem Statement
Requirement: Queuing in the WAN
Identified problem:
Existing Cisco IOS Software version does not support new
queuing technologies.
15 out of 19 routers with older Cisco IOS Software are in the
WAN.
12 out of 15 routers do not have enough memory to upgrade to
Cisco IOS Software Release 12.3 or later.
5 out of 15 routers do not have enough flash memory to
upgrade to Cisco IOS Software Release 12.3 or later.


Example: Summary Report


Recommendations
Recommended action:
12 memory upgrades to 64 MB
5 flash memory upgrades to 16 MB
Options:
Replace hardware and software to support queuing.
Find an alternative mechanism for that part of the network.
Find an alternative mechanism and use it instead of queuing.
Evaluate the consequences of not implementing the required
feature in that part of the network.
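To connect the scripted collection mentioned under manual assessment with the equipment summary and problem statement above, here is an added Python example (not a Cisco tool and not course code): it parses constructed show version excerpts from several routers, extracts the IOS release, DRAM and flash size, counts routers per release, and lists those that fall below the 64 MB DRAM and 16 MB flash figures the recommendations use as upgrade targets. The router names, the outputs, the 12.2(10) baseline and the threshold interpretation are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed thresholds for the newer image: the recommendations above upgrade DRAM to
# 64 MB and flash to 16 MB, so those figures are used here as the minimums.
MIN_DRAM_MB = 64
MIN_FLASH_MB = 16
BASELINE_RELEASE = (12, 2, 10)   # release the bulk of the routers already run

# Constructed 'show version' excerpts for four hypothetical routers, written in the
# classic IOS format. They are illustrative strings, not output from any real device.
SHOW_VERSION = {
    "wan-r1": (
        "IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)\n"
        "cisco 2621 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory.\n"
        "16384K bytes of processor board System flash (Read/Write)\n"
    ),
    "wan-r2": (
        "IOS (tm) C2600 Software (C2600-I-M), Version 12.1(5)T, RELEASE SOFTWARE (fc1)\n"
        "cisco 2611 (MPC860) processor (revision 0x202) with 27648K/5120K bytes of memory.\n"
        "8192K bytes of processor board System flash (Read/Write)\n"
    ),
    "wan-r3": (
        "IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7), RELEASE SOFTWARE (fc1)\n"
        "cisco 2611 (MPC860) processor (revision 0x202) with 61440K/4096K bytes of memory.\n"
        "8192K bytes of processor board System flash (Read/Write)\n"
    ),
    "campus-r1": (
        "IOS (tm) C3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)\n"
        "cisco 3640 (R4700) processor (revision 0x00) with 126976K/4096K bytes of memory.\n"
        "32768K bytes of processor board System flash (Read/Write)\n"
    ),
}

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]*)")
DRAM_RE = re.compile(r"with (\d+)K/(\d+)K bytes of memory")
FLASH_RE = re.compile(r"(\d+)K bytes of (?:processor board )?System flash")


def parse_show_version(text):
    """Extract the IOS release, total DRAM (MB) and system flash (MB) from 'show version' text."""
    v, d, f = VERSION_RE.search(text), DRAM_RE.search(text), FLASH_RE.search(text)
    if not (v and d and f):
        raise ValueError("unrecognized show version output")
    release = (int(v.group(1)), int(v.group(2)), int(v.group(3)))
    return {
        "release": release,
        "release_str": f"{release[0]}.{release[1]}({release[2]}){v.group(4)}",
        # IOS reports the processor and I/O memory pools separately; DRAM is their sum.
        "dram_mb": (int(d.group(1)) + int(d.group(2))) // 1024,
        "flash_mb": int(f.group(1)) // 1024,
    }


def summarize(outputs, baseline=BASELINE_RELEASE):
    """Roll per-router facts up into the numbers an equipment summary report needs."""
    facts = {name: parse_show_version(text) for name, text in outputs.items()}
    older = sorted(n for n, f in facts.items() if f["release"] < baseline)
    return {
        "total": len(facts),
        "by_release": dict(Counter(f["release_str"] for f in facts.values())),
        "older_than_baseline": older,
        "needs_dram_upgrade": sorted(n for n in older if facts[n]["dram_mb"] < MIN_DRAM_MB),
        "needs_flash_upgrade": sorted(n for n in older if facts[n]["flash_mb"] < MIN_FLASH_MB),
    }


if __name__ == "__main__":
    for key, value in summarize(SHOW_VERSION).items():
        print(f"{key}: {value}")
```

The same roll-up serves a second purpose for the security review that accompanies a design: the routers that cannot take the newer image for a queuing feature are the same ones that cannot take it for a software fix, so the "older than baseline" list is worth carrying into the report in its own right.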


Documenting an Existing Network


Network Characterization Hour Estimates

Network size columns: Small Network (1-20 Switches/Routers), Medium Network (20-200 Switches/Routers), Large Network (200-800 Switches/Routers), Huge Network (>800 Switches/Routers)

Tasks estimated:
a) Interview management team
b) Interview network team
c) Review documentation
d) Set up network discovery tool
e) Resolve SNMP access and similar problems
f) Allow tools to gather data
g) Analyze captured data
h) Prepare high level Layer 3 diagrams
i) Prepare report stating conclusions
j) Incrementally prepare network diagrams

Estimated manpower in hours: Small 44-48; Medium 86-98; Large 132-180; Huge 288-384
[table: per-task hour cells not recoverable]


Summary
Characterizing an existing network entails gathering as much
information about the network as possible. Organization input, a
network audit, and traffic analysis provide the key information that
you need.
Identifying major features of the network involves gathering
network documentation and querying the organization.
The auditing process adds detail to the initial network
documentation that you created from existing documentation and
customer input.
You can manually audit a small network, but you typically need
automated tools to audit a large network.
Traffic analysis verifies the set of applications and protocols used
in the network and determines the traffic patterns of the
applications.

Summary (Cont.)
Tools used for traffic analysis range from manual identification
of applications using Cisco IOS Software commands in
combination with NBAR or NetFlow to those where dedicated
software- or hardware-based analyzers capture live packets or
SNMP data.
The result of the network characterization is a summary report
describing the health of the network.



Using the Top-Down Approach to Network Design

Applying a Methodology to Network Design


Top-Down Design Practices


Start your design here.

Design down the OSI model.


Top-Down and Bottom-Up Approach Comparison

Top-Down Approach
Benefits:
Incorporates organizational requirements
Gives the big picture to organization and designer

Bottom-Up Approach
Benefits:
Allows a quick response to a design request
Facilitates design based on previous experience
Disadvantages:
Implements little or no notion of actual organizational requirements
May result in inappropriate network design


Example: Top-Down Voice Design


Creating a Network Decision Table


Decide which network layer requires decisions.
Gather possible options for a given situation.
Create a table that includes possible options and
given requirements.
Match given requirements with specific properties of
given options.
Select the option with the most matches as the most
appropriate one.


Example: Selecting a Routing Protocol

Parameters | Options: EIGRP | OSPF | BGP | Required Network Parameters
Size of Network (Small/Medium/Large/Very Large) | Large | Large | Very Large | Large
Enterprise-Focused (Yes/No) | Yes | Yes | No | Yes
Use of VLSM (Yes/No) | Yes | Yes | Yes | Yes
Supports Cisco Routers (Yes/No) | Yes | Yes | Yes | Yes
Network Support Staff Knowledge (Good/Fair/Poor) | Good | Fair | Poor | Good
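The routing-protocol table above, scored the way the five-step decision-table procedure describes, as an added Python example that is not from the course. The cell values are transcribed from the table; the match rule (a cell counts when it equals the required value) and the optional per-parameter weights are assumptions that go a little beyond the slide, which counts every match equally.

```python
# Required network parameters and option properties, transcribed from the table above.
REQUIRED = {
    "Size of Network": "Large",
    "Enterprise-Focused": "Yes",
    "Use of VLSM": "Yes",
    "Supports Cisco Routers": "Yes",
    "Network Support Staff Knowledge": "Good",
}

OPTIONS = {
    "EIGRP": {"Size of Network": "Large", "Enterprise-Focused": "Yes", "Use of VLSM": "Yes",
              "Supports Cisco Routers": "Yes", "Network Support Staff Knowledge": "Good"},
    "OSPF":  {"Size of Network": "Large", "Enterprise-Focused": "Yes", "Use of VLSM": "Yes",
              "Supports Cisco Routers": "Yes", "Network Support Staff Knowledge": "Fair"},
    "BGP":   {"Size of Network": "Very Large", "Enterprise-Focused": "No", "Use of VLSM": "Yes",
              "Supports Cisco Routers": "Yes", "Network Support Staff Knowledge": "Poor"},
}


def score_options(required, options, weights=None):
    """Score every option: a parameter matches when the option's cell equals the requirement.

    weights (assumed extension): parameter -> weight; unweighted parameters count 1,
    which reproduces the slide's plain match count.
    """
    weights = weights or {}
    scores = {}
    for name, props in options.items():
        matched = [p for p, want in required.items() if props.get(p) == want]
        scores[name] = {
            "score": sum(weights.get(p, 1) for p in matched),
            "matched": matched,
            "unmatched": [p for p in required if p not in matched],
        }
    return scores


def select_option(required, options, weights=None):
    """Return the best-scoring option(s) and the full score table.

    More than one name comes back on a tie, which is the signal that the table
    needs another discriminating parameter (or weights) before a choice is made.
    """
    scores = score_options(required, options, weights)
    best = max(s["score"] for s in scores.values())
    return sorted(n for n, s in scores.items() if s["score"] == best), scores


if __name__ == "__main__":
    winners, table = select_option(REQUIRED, OPTIONS)
    for name, s in table.items():
        print(f"{name}: {s['score']} matches; unmatched: {s['unmatched'] or 'none'}")
    print("Selected:", ", ".join(winners))
```

With the values from the table, EIGRP matches all five parameters, OSPF four and BGP two, so EIGRP is selected; the unmatched list per option is what goes into the design document as the justification.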


Assessing the Scope of the Network Design Process

Scope of Design | Comments
Entire network | All branch office LANs upgraded to support Fast Ethernet technology
Campus | Redundant equipment and links; addition of wireless client mobility
WAN | Solutions to overcome bottlenecks


Example: Assessing the Scope of the Network Design Process

Application: Designing voice transport
Network: Designing routing, addressing
Physical, data link: Choosing connection type


Structured Design Principles


Cisco SONA Offerings


Network Design Tools


Planning an Implementation
If a design is composed of multiple complex components:
Implement each component separately; do not implement
everything at once.
Incremental implementation:
Reduces troubleshooting in case of failure
Reduces time needed to revert to previous state
in case of failure


Major Implementation Components


Each step should contain the following information:
Description
Reference to design sections
Detailed implementation guidelines
Detailed roll-back guidelines in case of failure
Estimated time for implementation


Example: Summary Implementation Plan

Date, Time | Description | Implementation Details | Complete
04/02/2007 | Phase 3: Install campus hardware | Section 6.2.3 |
 | Step 1: Connect switches | Section 6.2.3.1 |
 | Step 2: Install routers | Section 6.2.3.2 |
 | Step 3: Complete cabling | Section 6.2.3.3 |
 | Step 4: Verify data link layer | Section 6.2.3.4 |
04/03/2007 | Phase 4: Configure campus hardware | Section 6.2.4 |
 | Step 1: Configure VLANs | Section 6.2.4.1 |
 | Step 2: Configure IP addressing | Section 6.2.4.2 |
 | Step 3: Configure routing | Section 6.2.4.3 |
 | Step 4: Verify connectivity | Section 6.2.4.4 |
04/05/2007 | Phase 5: Launch campus updates into production | Section 6.2.5 |
 | Step 1: Complete connections to existing network | Section 6.2.5.1 |
 | Step 2: Verify connectivity | Section 6.2.5.2 |


Example: Detailed Implementation Plan


Section 6.2.7.3, Configure routing protocols in the WAN
network module:
Number of routers involved is 50.
Use template from section 4.3.1, EIGRP details.
Per router configuration:
Use passive-interface command on all nonbackbone LANs.
(See section 4.2.3, EIGRP details.)
Use summarization according to the design. (See section 4.2.3,
EIGRP details, and section 4.2.2, Addressing details.)
Estimated time is 10 minutes per router.
Roll-back procedure is not required.
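To show what a per-router template like the one referenced in section 4.3.1 could generate, here is an added Python example (not the course's template and not Cisco code): it emits the EIGRP configuration for one router from a small design record, with passive-interface on every non-backbone LAN and a summary-address on the backbone-facing interface, and it audits an existing configuration for LAN interfaces that the design says should be passive but are not. The autonomous-system number 100, the interface names, prefixes and the hand-built configuration are all constructed. Passive LAN interfaces also matter from a security standpoint: no EIGRP hellos are sent on them, so no adjacency can form with an unexpected device on a user segment, which is why the audit is worth running after the implementation as well as before it.

```python
import ipaddress

EIGRP_AS = 100   # autonomous-system number assumed for the example (not given in the course)

# Constructed design record for one WAN router: interface roles, prefixes and the summary
# to advertise toward the backbone are illustrative.
DESIGN = {
    "wan-r1": {
        "interfaces": {
            "Serial0/0": {"role": "backbone", "network": "10.255.0.0/30"},
            "FastEthernet0/0": {"role": "lan", "network": "10.10.1.0/24"},
            "FastEthernet0/1": {"role": "lan", "network": "10.10.2.0/24"},
        },
        "summaries": {"Serial0/0": "10.10.0.0/16"},
    },
}


def eigrp_config(design, asn=EIGRP_AS):
    """Render the per-router EIGRP configuration from a design record."""
    lines = []
    # Summarization is configured on the interface that faces the backbone.
    for ifname, prefix in design["summaries"].items():
        net = ipaddress.ip_network(prefix)
        lines += [f"interface {ifname}",
                  f" ip summary-address eigrp {asn} {net.network_address} {net.netmask}"]
    lines.append(f"router eigrp {asn}")
    for props in design["interfaces"].values():
        net = ipaddress.ip_network(props["network"])
        lines.append(f" network {net.network_address} {net.hostmask}")
    # No hellos on user LANs: no adjacency can form there with an unexpected device.
    for ifname, props in design["interfaces"].items():
        if props["role"] != "backbone":
            lines.append(f" passive-interface {ifname}")
    lines.append(" no auto-summary")
    return "\n".join(lines) + "\n"


def passive_interfaces(config_text):
    """Return the set of interfaces declared passive under 'router eigrp'."""
    passive, in_eigrp = set(), False
    for line in config_text.splitlines():
        if line.startswith("router eigrp"):
            in_eigrp = True
        elif line and not line.startswith(" "):
            in_eigrp = False       # left the router section
        elif in_eigrp and line.strip().startswith("passive-interface "):
            passive.add(line.split()[1])
    return passive


def audit_passive(config_text, design):
    """LAN interfaces the design says must be passive but the configuration leaves active."""
    passive = passive_interfaces(config_text)
    return sorted(ifname for ifname, props in design["interfaces"].items()
                  if props["role"] != "backbone" and ifname not in passive)


# Constructed running configuration of a router configured by hand, with one
# passive-interface statement missing.
EXISTING_CONFIG = """\
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.10.1.0 0.0.0.255
 network 10.10.2.0 0.0.0.255
 passive-interface FastEthernet0/0
 no auto-summary
"""

if __name__ == "__main__":
    print(eigrp_config(DESIGN["wan-r1"]))
    print("Missing passive-interface:", audit_passive(EXISTING_CONFIG, DESIGN["wan-r1"]))
```

Generating the configuration from the design record rather than typing it per router is also what makes the 10-minute-per-router estimate and the "no roll-back required" statement defensible: the generated text can be diffed against the running configuration before and after each router is touched.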


Pilot vs. Prototype Networks


The pilot or prototype network is used as proof of concept
for the design:
A pilot network tests and verifies the design before the
network is launched.
A prototype network tests and verifies a redesign in an
isolated network before it is applied to the existing network.
Results:
Success
Failure


Example: Prototype Network


Detailed Structure of a Design Document


Summary
Designing an enterprise network is a complex project.
Top-down design facilitates the process by dividing it into smaller,
more manageable steps.
Decision tables facilitate the selection of the most appropriate
option from many possibilities.
In assessing the scope of a network design, determine whether
the design is for a new network or is a modification of the entire
network, a single segment or module, a set of LANs, a WAN,
or a remote-access network.
The output of the design should be a model of the complete
system. To achieve this, the top-down approach is highly
recommended.


Summary (Cont.)
When the design is complete, you are ready to document the
implementation and migration in as much detail as possible.
After a design is complete, you should verify it. You can test
the design in an existing or live network (pilot) or in a prototype
network that will not affect the existing network.
A design document lists the design requirements, documents
the existing network, documents the network design, identifies
the proof-of-concept strategy, and details an implementation plan.



Module Summary
Cisco SONA is the enterprise framework for implementing
intelligent networks and maps business requirements to network
requirements.
The design methodology under PPDIOO includes these tasks:
Identifying customer requirements
Characterizing the existing network and sites
Designing the network topology and solutions
The result of network characterization is a summary report
describing the health of the network.
Top-down design facilitates network design.



Structuring and Modularizing the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Designing the
Network Hierarchy

Structuring and Modularizing the Network


Layers in the Hierarchical Model


Example: Hierarchical Network


Access Layer
Concentration point at which clients access the network
Layer 2 switching in the access layer: Defines a single broadcast
domain
Multilayer switching in the campus access layer: Optimally
satisfies the needs of a particular user through routing, filtering,
authentication, security, or quality of service
Multilayer switching in the WAN access layer: Helps control WAN
costs using dial-on-demand routing (DDR) and static routing


Example: Access Layer Connectivity in the Campus LAN

Workstations are attached to VLANs with Layer 2 switches.
Recommended practice: Implement one VLAN (IP subnet) per access switch.
Access switches connect to the distribution layer over Layer 3 links (if only one VLAN per access switch) or via a VLAN trunk.
If needed, distribution routers route between VLANs.

Distribution Layer
Provides multilayer switching between access and core layers:
Provides media transitions
Aggregates bandwidth by concentrating multiple low-speed access links into a high-speed core link
Determines department or workgroup access
Provides redundant connections for access devices
Implements policy-based decisions:
Filtering by source or destination address
Filtering on input or output ports
Hiding internal network numbers by route filtering
Static routing
Security
Quality of service mechanisms


Example: Distribution Layer in the Routed Campus Network


Core Layer
The function of the core layer is to provide fast and
efficient data transport that:
Forms a high-speed backbone with fast transport services
Provides redundancy and fault tolerance
Offers good manageability

Note: The core layer should avoid packet manipulation for filtering or access list checking.
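As an added example that is not from the course, the Python check below encodes the access, distribution and core rules from these slides as a design review over a constructed topology description: one VLAN per access switch, redundant uplinks from each access switch to the distribution layer, no access uplink that bypasses distribution, and no filtering or access-list policy on core devices. The device names, VLAN numbers and policy labels are constructed; the topology is deliberately seeded with one departure from each rule.

```python
# Policy labels that count as the packet manipulation the core layer should avoid
# (constructed labels for this example).
FILTERING_POLICIES = {"acl-filter", "route-filter"}

# Constructed three-tier topology; device names, VLANs and policy labels are illustrative.
TOPOLOGY = {
    "core-1": {"layer": "core", "policies": []},
    "core-2": {"layer": "core", "policies": ["acl-filter"]},          # filtering in the core
    "dist-1": {"layer": "distribution", "policies": ["acl-filter", "route-filter"]},
    "dist-2": {"layer": "distribution", "policies": ["acl-filter", "route-filter"]},
    "acc-1":  {"layer": "access", "vlans": [10], "uplinks": ["dist-1", "dist-2"]},
    "acc-2":  {"layer": "access", "vlans": [20, 21], "uplinks": ["dist-1", "dist-2"]},  # two VLANs
    "acc-3":  {"layer": "access", "vlans": [30], "uplinks": ["dist-1"]},                # single uplink
    "acc-4":  {"layer": "access", "vlans": [40], "uplinks": ["dist-1", "core-1"]},      # bypasses distribution
}


def check_hierarchy(topology):
    """Return (device, finding) pairs for every departure from the hierarchical-model rules."""
    findings = []
    for name, dev in topology.items():
        if dev["layer"] == "access":
            if len(dev.get("vlans", [])) != 1:
                findings.append((name, "access switch should carry one VLAN (one IP subnet)"))
            uplinks = dev.get("uplinks", [])
            to_dist = [u for u in uplinks if topology[u]["layer"] == "distribution"]
            if len(to_dist) < 2:
                findings.append((name, "no redundant uplinks to the distribution layer"))
            for u in uplinks:
                if topology[u]["layer"] != "distribution":
                    findings.append((name, f"uplink to {u} bypasses the distribution layer"))
        elif dev["layer"] == "core":
            # Policy belongs in the distribution layer; the core only forwards.
            bad = sorted(set(dev.get("policies", [])) & FILTERING_POLICIES)
            if bad:
                findings.append((name, f"core device applies filtering policy: {', '.join(bad)}"))
    return findings


def devices_with_findings(topology):
    """Sorted names of the devices that have at least one finding."""
    return sorted({name for name, _ in check_hierarchy(topology)})


if __name__ == "__main__":
    for device, finding in check_hierarchy(TOPOLOGY):
        print(f"{device}: {finding}")
```

The uplink-bypass rule is the one with the most security weight: an access switch wired straight into the core puts user traffic past the filtering and route-filtering that the distribution layer is supposed to apply to it.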


Example: Multilayer Switching in the Campus Core


Example: Routing in the WAN Network


Summary
The hierarchical network model provides a modular view of a
network, making it easier to design and build a network.
The purpose of the access layer is to grant end-user access to
network resources.
The distribution layer provides aggregation for the access layer
devices and uplinks to the core layer. It is also used to enforce
policy within the network.
The core layer provides a high-speed, highly available backbone
designed to switch packets as fast as possible.


Using a Modular Approach in Network Design

Structuring and Modularizing the Network


Service-Oriented Network Architecture


Example: Cisco Enterprise Campus Architecture


Cisco Enterprise Architecture


Example: Dividing the Network into Areas


Enterprise Campus Infrastructure Module


Building Access Layer


Building Distribution Layer


Campus Core Layer


Server Farm Module


Enterprise Edge Modules


E-Commerce Module


Internet Connectivity Module


Remote Access and VPN Module


WAN and MAN and Site-to-Site VPN Module


Enterprise Edge Guidelines
1. Determine the connectivity needed to the Internet.
2. Create the e-commerce module if needed.
3. Design the remote access and VPN module if needed.
4. Design the WAN module to support connections to remote enterprise locations if needed.


Service Provider Modules


Enterprise Remote Modules


Enterprise Branch Module


Enterprise Data Center Module


Enterprise Teleworker Module


Summary
Based on SONA, the Cisco Enterprise Architecture provides a
modular enterprise-wide hierarchical approach for providing
network infrastructure and services to all places in the network.
The enterprise campus infrastructure module includes the
campus infrastructure module and the server farm module.
The enterprise edge modules include the e-commerce module,
the Internet connectivity module, the remote access and VPN
module, and the WAN and MAN and site-to-site VPN module.
The remote enterprise modules include the remote branches,
data centers, and teleworkers.


Using Infrastructure Services

Structuring and Modularizing the Network


Explaining the Role of Infrastructure Services


Modularizing Internal Security


Reasons for Internal Security
The enterprise campus is normally protected by security functions in the
enterprise edge, but edge security alone is not sufficient:
If the enterprise edge security fails, the unprotected enterprise
campus is vulnerable.
A potential attacker can gain physical access to the
enterprise campus.
Some network solutions require indirect external access to the
enterprise campus.
All vital elements in the enterprise campus must therefore be protected
independently.


External Threats


Designing High Availability
Analyze the business and technical goals.
Identify critical applications, systems, internetworking devices,
and links.
Document the trade-offs between redundancy and cost and
simplicity versus complexity.
Duplicate any component whose failure could disable critical
applications.
Duplicate vital links and connect them to different devices.


Designing Route Redundancy
Design redundant routes:
Minimize the effect of link failures.
Minimize the effect of an internetworking device failure.
Make the connection redundant:
Parallel physical links between switches and routers
Backup LAN and WAN links
Make the network redundant:
Full mesh to provide complete redundancy and good performance
Partial mesh, which is cheaper and more scalable


Example: Campus Infrastructure Redundancy
The building access network is partially meshed
with the building distribution switches.
The building access switch has a chance to recover
from a link or building distribution switch failure.


Example: Enterprise Edge Redundancy
The remote site establishes a backup connection
via an IPsec tunnel across the Internet.


High Availability in the Server Farm Module
Single attachment: not recommended:
Requires alternative mechanisms to dynamically find
an alternative router
Dual attachment to increase availability and prevent session loss:
Attachment through a redundant transceiver
Attachment through a redundant NIC
Fast EtherChannel and Gigabit EtherChannel port bundles


Example: Attachment Through a Redundant Transceiver
Transceiver activates backup link on primary link failure.
Transceiver cannot detect failures beyond the physical link.


Example: Attachment Through a Redundant NIC
Device driver presents two NIC cards as a single logical interface.
This setup uses one MAC address on both interfaces.
Backup card is activated when the primary link is gone.


Voice Transport Overview
Two implementations:
Voice over IP: Uses analog phones. Transports voice packets
over the IP network using voice-enabled routers.
IP telephony: Implements voice in the network using Cisco
Unified CallManager and IP phones.
Both implementations require properly designed networks.
All modules of the enterprise network are involved in the voice
network solution.


IP Telephony Components


Modular Approach in Voice Network Design


Example: Voice Network Solution


Evaluating the Existing Data Infrastructure for Voice Design
Document and evaluate the existing data infrastructure
in each enterprise network module in terms of:
New voice performance requirements
Availability requirements
Feature requirements
Potential network capacity or impact


Wireless LAN Overview
Supports connecting mobile clients to the enterprise network
Transports packets over radio waves
Has connectivity and privacy issues not found in wired networks
Can have implications for all modules of the enterprise network


Centralized WLAN Model Components


Application Networking Services Introduction
Traditional networks handled static web pages,
e-mail, and routine client-server applications.
Applications are evolving into complex and highly visible services.
Application deployment issues are emerging:
Consolidation of data centers can result in lower productivity
for remote users.
A web-based ordering system may suffer because of poor
responsiveness.
Business partners may need immediate and secure electronic
access to back-office applications.
A purchasing application may need to track large orders.


ANS Can Resolve Application Issues
Wide-area application services can compress, cache,
and optimize content.
Optimization of the web streams can reduce latency, suppress
unnecessary reloading of web objects, and offload the web server.
Security and remote connectivity services can validate requests,
route them appropriately, and encrypt and prioritize responses.
Application messaging services interpret purchase orders and log
large orders according to business policy rules.


Example: ANS Components


Summary
Network infrastructure services add intelligence to the network
infrastructure, supporting application awareness within the
network.
Security is a network infrastructure service that increases the
integrity of the network by protecting network resources and users
from internal and external threats.
High-availability services protect the integrity of mission-critical
information with networking platforms and topologies that offer a
sufficient level of resiliency.


Summary (Cont.)
Voice infrastructure services throughout the enterprise are
needed to support IP telephony.
Wireless services support mobile clients and integrate with the
wired network.
Cisco ANS optimizes website performance, content delivery, and
the security and connectivity of applications.


Identifying Network Management Protocols and Features

Structuring and Modularizing the Network


Network Management Overview


SNMP Overview
Manager:
Polls agents on the network
Correlates and displays information
SNMP:
Supports message exchange between manager and agent
Runs over UDP on IP (agent port 161, trap receiver port 162)
Agent:
Collects and stores information
Responds to manager requests for information
Generates traps
MIB:
Database of objects (information variables)
Access to the MIB is controlled by read-only and read-write community
strings in SNMPv1 and SNMPv2c, which travel in clear text, or by
authenticated users in SNMPv3


SNMPv1 Message Types


SNMP Version 2
SNMPv2 introduced in RFC 1441
SNMPv2C defined in RFC 1901
SNMPv2 new features:
Get Bulk Request
Inform Request
Data types with 64-bit values


SNMP Version 3
RFCs 3410 through 3415
Authentication and privacy
Authorization and access control
Usernames and key management
Remotely configurable via SNMP operations
Available since Cisco IOS Software Release 12.0


MIB Definition
Collection of managed objects
Each object has a unique identifier
Objects are grouped into a tree
Standard MIBs = RFC xxxx
Private MIBs


Example: Cisco Router MIB

Standard managed objects:     Private managed objects:
  Interfaces                    Small, medium, large, and huge buffers
  Buffers                       Primary and secondary memory
  Memory                        Proprietary protocols
  Standard protocols

Private extensions to MIB-II:
  1.3.6.1.4.1.9
  or
  iso.org.dod.internet.private.enterprises.cisco
Definitions available at http://www.cisco.com/public/mibs

Example: Variable Retrieval

Base format to retrieve the number of output errors on an interface:

  iso  org  dod  internet  mgmt  mib-2  interfaces  ifTable  ifEntry  ifOutErrors
   1    3    6      1        2     1        2          2        1         20

  1.3.6.1.2.1.2.2.1.20

Specific format to retrieve the number of output errors on the first interface (the ifIndex of the row is appended as the instance):

  iso  org  dod  internet  mgmt  mib-2  interfaces  ifTable  ifEntry  ifOutErrors  instance
   1    3    6      1        2     1        2          2        1         20          1

  1.3.6.1.2.1.2.2.1.20.1

Note: ifTable rows are indexed by ifIndex, which starts at 1; the .0 instance suffix belongs to scalar objects such as sysUpTime (1.3.6.1.2.1.1.3.0), not to table columns.
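The OID above encoded the way it travels on the wire, as an added example that is not part of the course material: a hand-written BER encoder for an SNMPv1 GetRequest on ifOutErrors.1, and a decoder that does what a passive sniffer does with the same datagram, namely read the community string and the object being asked for. The community "public", the request id and the packet bytes are constructed sample values, not a capture from any device.

```python
"""Build and pick apart an SNMPv1 GetRequest for ifOutErrors.1 (BER by hand).

Added example, not course material. The OIDs are the MIB-II ones from
the slide; the community string "public", request id and packet bytes
are constructed sample values.
"""

IF_OUT_ERRORS = "1.3.6.1.2.1.2.2.1.20"   # iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutErrors
CISCO_ENTERPRISE = "1.3.6.1.4.1.9"       # iso.org.dod.internet.private.enterprises.cisco


def _ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _integer(value: int) -> bytes:
    """ASN.1 INTEGER, two's complement, minimal length."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs packed as 40*a+b, the rest base-128
    with the high bit set on every byte but the last of each arc."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for OIDs under iso (first arc 0 or 1), given the TLV contents."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = _tlv(0x30, encode_oid(oid) + _tlv(0x05, b""))        # VarBind { name, value NULL }
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)  # request-id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def inspect_packet(pkt: bytes) -> dict:
    """What a passive sniffer learns from one SNMPv1/v2c datagram: the
    community string (the only credential) and the object requested."""
    tag, msg, _ = _read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, _, pos = _read_tlv(pdu)            # request-id
    _, _, pos = _read_tlv(pdu, pos)       # error-status
    _, _, pos = _read_tlv(pdu, pos)       # error-index
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, first_vb, _ = _read_tlv(varbinds)
    _, oid_body, _ = _read_tlv(first_vb)
    return {"version": int.from_bytes(version, "big"), "community": community.decode(),
            "pdu_type": pdu_tag, "oid": decode_oid(oid_body)}


if __name__ == "__main__":
    pkt = build_get_request("public", IF_OUT_ERRORS + ".1", 1)
    print(pkt.hex())
    print(inspect_packet(pkt))
```

The 42-byte datagram this produces is the whole request; nothing in it is protected, which is why SNMPv1/v2c community strings are treated as cleartext passwords and confined to a management network.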


RMON1
Supports proactive monitoring of LAN traffic:
  Network fault diagnosis
  Planning
  Performance tuning
Works on MAC layer data:
  Monitors only the aggregate LAN traffic for remote LAN segments
  Traffic statistics and analysis
Implemented on agents:
  Routers, switches, hubs, servers, hosts, and dedicated probes


RMON1 Groups (RFC 1513 and 2819)


RMON2


RMON2 (RFC 2021)


NetFlow Infrastructure


NetFlow vs. RMON Information Gathering
NetFlow can be configured on individual interfaces.
NetFlow gathers more detailed information:
  Source and destination interface numbers
  Source and destination IP addresses
  TCP/UDP source and destination ports
  Number of bytes and packets in the flow
  Source and destination autonomous system (AS) numbers
  IP type of service
NetFlow provides greater scalability, customized data collection, and a lower performance impact.


Applications Using NetFlow


Accounting and billing
Network planning and analysis
Network and security monitoring
Application monitoring and profiling
User monitoring and profiling
NetFlow data warehousing and mining
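The record fields listed on the previous slide as they arrive from an exporter, and the "network and security monitoring" use from this list, in one added example that is not part of the course material: a NetFlow v5 export parser and a flow-based SYN-scan detector built on it. The export datagram, addresses, ports and AS numbers are constructed sample values; the field layout is the standard v5 header and record format.

```python
"""Parse a NetFlow v5 export datagram and flag port-scanning sources from it.

Added example, not course material. The export packet is constructed in
code (standard v5 24-byte header and 48-byte records, carrying the
fields the slide lists); addresses, ports and AS numbers are made up.
"""
import ipaddress
import struct
from collections import defaultdict

# version, count, sysuptime, unix secs, unix nsecs, flow sequence, engine type, engine id, sampling
HEADER = struct.Struct("!HHIIIIBBH")
# src, dst, nexthop, in/out ifindex, packets, octets, first, last, sport, dport,
# pad, tcp flags, protocol, tos, src/dst AS, src/dst mask, pad
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_record(src, dst, sport, dport, pkts, octets, proto=6, flags=0x02, tos=0,
                 in_if=1, out_if=2, src_as=64500, dst_as=64501) -> bytes:
    return RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\x00" * 4, in_if, out_if, pkts, octets, 0, 0, sport, dport,
                       0, flags, proto, tos, src_as, dst_as, 24, 24, 0)


def build_export(records, sequence=1) -> bytes:
    return HEADER.pack(5, len(records), 0, 0, 0, sequence, 0, 0, 0) + b"".join(records)


def parse_netflow_v5(datagram: bytes):
    """Return one dict per flow record with the fields the exporter saw."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
                      "tos": f[14], "src_as": f[15], "dst_as": f[16]})
    return flows


def detect_scanners(flows, min_targets=10, max_packets=3):
    """Sources with many tiny TCP flows to distinct (host, port) pairs: the
    signature of a SYN scan, visible in flow data without any packet capture."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= max_packets:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def sample_export() -> bytes:
    """Constructed export: one normal HTTPS session plus a 12-port probe."""
    probes = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
    records = [build_record("10.1.1.20", "203.0.113.7", 51514, 443, 120, 96000, flags=0x18)]
    records += [build_record("192.0.2.66", "10.1.1.10", 40000 + p, p, 1, 40) for p in probes]
    return build_export(records)


if __name__ == "__main__":
    flows = parse_netflow_v5(sample_export())
    print(len(flows), "flows;", "scanners:", detect_scanners(flows))
```

The detector keys only on fields the exporter already sends (protocol, packet count, destination, port), which is the scalability argument of the previous slide: no probe on the segment, no payload, just flow records from the interface.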


Cisco Discovery Protocol

  Upper-layer entry addresses:            TCP/IP | Novell IPX | AppleTalk | Others
  Cisco proprietary data link protocol:   CDP (runs beneath all of them)
  Media supporting SNAP:                  LANs | Frame Relay | ATM | Others

CDP = Cisco Discovery Protocol
Provides a summary of directly connected switches, routers, and other Cisco devices
Discovers neighbor devices regardless of which protocol suite they are running
Requires that physical media support SNAP encapsulation
CDP frames are unauthenticated and advertise the platform, software version, and addresses of the sender, so it is normally left enabled only on infrastructure links and disabled on ports facing untrusted devices (no cdp enable).


Discovering Neighbors with Cisco Discovery Protocol


Syslog Features
Devices produce syslog messages.
Syslog messages contain level and facility.

Common syslog facilities:          Syslog levels:
  IP                                 Emergency (level 0, highest level)
  OSPF protocol                      Alert (level 1)
  SYS operating system               Critical (level 2)
  IP Security (IPsec)                Error (level 3)
  Route Switch Processor (RSP)       Warning (level 4)
  Interface (IF)                     Notice (level 5)
                                     Informational (level 6)
                                     Debugging (level 7)


Example: Syslog Messages


Syslog Architecture
Centralized syslog daemon
Remote syslog daemons:
  Support for syslog filters
  Low bandwidth utilization
Traditional syslog runs over UDP port 514 without authentication or encryption, so collectors belong on the management network; RFC 5425 defines syslog over TLS where that is not enough.
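Facilities, severity levels and the remote-daemon filter from the two syslog slides above, as an added example that is not part of the course material: a parser for IOS-style %FACILITY-SEVERITY-MNEMONIC messages and the same "at this severity or more urgent" rule that logging trap applies on the device. The message lines are constructed samples; the hosts and interfaces in them are made up.

```python
"""Parse Cisco IOS syslog lines and apply the per-destination severity filter.

Added example, not course material. The lines below are constructed
samples in the %FACILITY-SEVERITY-MNEMONIC: text form IOS emits; hosts
and interfaces in them are made up.
"""
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# IOS prefixes the message with an optional sequence number and timestamp; the
# facility, severity and mnemonic are what a filter keys on.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

SAMPLE_LINES = [  # constructed
    "*Mar  1 00:12:05.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.100)",
    "*Mar  1 00:12:09.877: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:12:10.001: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "*Mar  1 00:12:31.420: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(4444) -> 10.1.1.10(22), 1 packet",
    "Connection to host lost",   # free-text line from a terminal session, not a syslog message
]


def parse_line(line: str):
    """Return facility/severity/mnemonic/text, or None when the line is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "text": m["text"]}


def filter_by_level(lines, trap_level: int):
    """Same rule as 'logging trap <level>': forward messages at that severity
    or more urgent, which means numerically lower or equal."""
    parsed = (parse_line(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= trap_level]


def facility_counts(lines) -> Counter:
    """How much each facility talks: useful for sizing the collector and spotting floods."""
    return Counter(p["facility"] for p in map(parse_line, lines) if p)


def security_relevant(lines):
    """Events an operations team wants regardless of severity: configuration
    changes (SYS CONFIG_I) and ACL denies (SEC IPACCESSLOG*). Note that the
    ACL deny is level 6, so a trap level of 5 would drop it."""
    out = []
    for p in map(parse_line, lines):
        if p and (p["mnemonic"] == "CONFIG_I" or p["mnemonic"].startswith("IPACCESSLOG")):
            out.append(p)
    return out


if __name__ == "__main__":
    for p in filter_by_level(SAMPLE_LINES, 5):
        print(SEVERITY_NAMES[p["severity"]], p["facility"], p["mnemonic"])
```

The point the last function makes is a design one: a severity cutoff chosen for bandwidth silently discards the informational-level security events, so the filter on the remote daemon should be by facility and mnemonic as well as by level.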


Summary
Network management is supported with various devices and servers that
use network management protocols and standards.
SNMP is a simple network management protocol that is the foundation of
a network management architecture.
A MIB stores local management agent information on a managed device.
RMON is a MIB that supports proactive management of remote networks.
NetFlow collects network flow data to support network accounting,
usage-based billing, planning, performance monitoring, and QoS
applications.
Cisco Discovery Protocol is a Cisco proprietary protocol that enables you
to discover Cisco devices on the network.
Syslog reports system state information based on preset facilities and
severity levels.


Module Summary
The hierarchical network structure is composed of the access,
distribution, and core layers.
Based on Cisco SONA, the Cisco Enterprise Architecture provides
a modular hierarchical approach for providing network
infrastructure and services to all places in the network.
Network infrastructure services add intelligence to the network
infrastructure, supporting application awareness within the network.
Network management protocols support the exchange of
management information between the network management
system and managed devices.


Designing Basic
Campus and Data
Center Networks

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Describing
Campus Design
Considerations
Designing Basic Enterprise Campus Networks


Designing an Enterprise Campus


Campus design factors:
Network applications
characteristics
Device characteristics
Environmental characteristics


Overview of Network Application Types
Peer-to-peer
Client-local server
Client-server farm
Client-enterprise edge server


Network Requirements of Applications


Connectivity type
Total required throughput
High availability
Total network costs


Example: Peer-to-Peer Applications


Instant messaging
File sharing
IP phone calls
Video conference systems


Example: Client-Local
Server Applications
Servers are located close
to clients.
Servers and clients are in
the same LAN.
Request to servers from
nonlocal LANs is rare.


Example: Client-Server
Farm Applications
Typical applications:
Mail servers
File servers
Database servers

Access to applications:
Fast
Reliable
Controlled (security)


Example: Client-Enterprise
Edge Applications
Typical applications:
Internet applications
Mail servers
Web servers
Public Internet servers
E-commerce applications


Relative Network Requirements by Application Type

Requirement                 Peer-to-Peer     Client-Local Servers   Client-Server Farm   Client-Enterprise Edge Servers
Connectivity type           Switched         Switched               Switched             Switched
Total required throughput   Medium to high   Medium                 High                 Medium
High availability           Low to high      Medium                 High                 High
Total network costs         Low to medium    Medium                 High                 Medium


Environmental Characteristics for Network Design
The network devices and distances between them determine the
network geography.
The campus network design is scoped with respect to geography:
Intrabuilding
Interbuilding
Distant remote buildings


Intrabuilding Structure
Provides connectivity inside
the building
Built with the building access
and building distribution layers
Transmission options:
Copper
Optical fiber
Wireless


Interbuilding Structure
Connectivity between
buildings
Distances between buildings
within a few kilometers
Building distribution with
campus core layer
Typical transmission media:
optical fiber


Distant Remote Building Structure
Metropolitan-based network connectivity options:
  Using company-owned fiber
  Through enterprise WAN
  Through service provider offerings


Campus Transmission Media


Physical media in network design influences:
Network bandwidth
Allowable distance between devices
Copper design considerations:
Electromagnetic interference, grounding, security
Signal attenuation, distance limitations
Optical fiber design considerations:
Light signal (LED or laser)
Expensive, providing a long-term investment
Wireless design considerations:
Distance, interference, bandwidth, security


Comparison of Campus Transmission Media

             Copper Twisted Pair   Multimode Fiber                     Single-Mode Fiber                   Wireless
Bandwidth    Up to 10 Gbps         Up to 10 Gbps                       Up to 10 Gbps or higher             Up to 54 Mbps*
Distance     Up to 100 m           Up to 2 km (Fast Ethernet)          Up to 80 km (Fast Ethernet)         Up to 500 m at 1 Mbps
                                   Up to 550 m (Gigabit Ethernet)      Up to 100 km (Gigabit Ethernet)
                                   Up to 300 m (10 Gigabit Ethernet)   Up to 80 km (10 Gigabit Ethernet)
Price        Inexpensive           Moderate                            Moderate to expensive               Moderate

*Wireless is half-duplex, so effective bandwidth will be no more than one half this rate.


Example: Transmission Media


Infrastructure Device Characteristics
Switches connect end devices as well as infrastructure devices:
  Access layer is typically data link layer switches.
  Distribution and core layer typically use multilayer switches.
Switch type and switching layer decision is influenced by:
  Infrastructure services requirements (QoS, including policing, and so on)
  Size of the network segments
  Expected network failure convergence times
  Cost


Example Network Service: QoS in LAN Switches
Enterprise QoS guarantees that critical applications receive the required bandwidth or services.

Summary
Campus network design is influenced by several factors; first by application characteristics, such as throughput and availability requirements.
Second are environmental characteristics, such as the location of devices and buildings and the transmission media.
Third are infrastructure device characteristics, such as switching type and support for network services.


Designing the Campus Infrastructure Module
Designing Basic Enterprise Campus Networks


Relative Considerations for the Campus Design

Campus Infrastructure   Building Access                       Building Distribution   Campus Core           Server Farm
Technology              Data link layer/multilayer switched   Multilayer switched     Multilayer switched   Multilayer switched
Scalability             High                                  Medium                  Low                   Medium
High availability       Medium                                Medium                  High                  High
Performance             Medium                                Medium                  High                  High
Cost per port           Low                                   Medium                  High                  High


Building Access Layer Design Considerations
Number of users or ports
Cabling
Performance
Redundancy
Connectivity speed for hosts and uplinks
VLAN deployment
Additional features such as QoS and IP multicast


Overview of Recommended Practices for the Building Access Layer
Manage VLANs and STP:
  Limit VLANs to a single closet whenever possible.
  If STP is required, use RPVST+.
  Set trunks to desirable and desirable with negotiate.
  Manually prune unused VLANs.
  Use VTP transparent mode.
Manage trunks between switches.
Manage default PAgP settings between the Catalyst operating system and Cisco IOS Software.
Consider implementing routing in the access layer.


STP Considerations
Use only when you have to!
  Required when a VLAN spans access layer switches
  Required to protect against user-side loops
  More common in the data center
Use RPVST+ for best convergence.
Take advantage of the Spanning Tree Toolkit.


Cisco STP Toolkit
PortFast: Bypasses the listening-learning phase for access ports*
UplinkFast: Three to five seconds convergence after link failure
BackboneFast: Cuts convergence time by max_age for indirect failure
LoopGuard: Prevents an alternate or root port from becoming designated in the absence of BPDUs*
RootGuard: Prevents external switches from becoming root*
BPDUGuard: Disables a PortFast-enabled port if a BPDU is received*
* Also supported with RPVST+
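What three of these tools decide, worked on raw 802.1D BPDUs, as an added example that is not part of the course material: a configuration-BPDU parser and a function that returns the BPDU Guard, Root Guard or Loop Guard outcome for a port. The bridge IDs and MAC addresses are constructed; the function names and the port dictionary are this example's own, not IOS commands or switch internals.

```python
"""BPDU Guard, Root Guard and Loop Guard decisions, worked on raw 802.1D BPDUs.

Added example, not course material. The BPDU bytes are constructed in
code (standard 35-byte configuration BPDU layout, after the LLC header);
the MAC addresses and priorities are made up.
"""
import struct

# protocol id, version, type, flags, root id, root path cost, bridge id, port id,
# message age, max age, hello time, forward delay (times in 1/256 s)
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 2-byte priority then MAC. Bytes compare as STP does: lower wins."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def build_config_bpdu(root: bytes, root_cost: int, sender: bytes, port_id: int = 0x8001) -> bytes:
    return CONFIG_BPDU.pack(0, 0, 0, 0, root, root_cost, sender, port_id,
                            0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(frame: bytes) -> dict:
    if len(frame) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    f = CONFIG_BPDU.unpack_from(frame)
    if f[0] != 0 or f[2] != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root_id": f[4], "root_cost": f[5], "sender_id": f[6], "port_id": f[7]}


def guard_decision(port: dict, frame, current_root: bytes) -> str:
    """Decide what the enabled guards do when `frame` (bytes, or None for a
    BPDU timeout) arrives on `port`.

    port keys: role ("designated" | "root" | "alternate"), portfast,
    bpdu_guard, root_guard, loop_guard (all bool).
    """
    if frame is None:
        # Loop Guard: a root/alternate port that stops hearing BPDUs must not
        # silently become designated and start forwarding (that is a loop).
        if port["loop_guard"] and port["role"] in ("root", "alternate"):
            return "loop-inconsistent (Loop Guard blocks the port)"
        return "BPDU timeout: re-run spanning tree"
    bpdu = parse_config_bpdu(frame)
    if port["portfast"] and port["bpdu_guard"]:
        # BPDU Guard: a host port should never see a bridge; err-disable it
        # before the foreign switch can take part in the topology at all.
        return "err-disabled (BPDU Guard)"
    if port["root_guard"] and bpdu["root_id"] < current_root:
        # Root Guard: a superior root claim from below must not move the root;
        # the port blocks until the superior BPDUs stop.
        return "root-inconsistent (Root Guard blocks the port)"
    return "processed normally"


if __name__ == "__main__":
    our_root = bridge_id(4096, "00:1b:2c:3d:4e:5f")
    rogue = build_config_bpdu(bridge_id(0, "00:aa:bb:cc:dd:ee"), 0, bridge_id(0, "00:aa:bb:cc:dd:ee"))
    host = {"role": "designated", "portfast": True, "bpdu_guard": True, "root_guard": False, "loop_guard": False}
    print(guard_decision(host, rogue, our_root))
```

Root Guard compares the advertised root ID against the root the switch already knows, which is why it belongs on distribution ports facing the access layer: a priority-0 bridge plugged in below cannot pull the root away from the designed location.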


Trunk Considerations
Set trunk mode to desirable and desirable, and encapsulation to negotiate, on switch-to-switch links
Manually prune all VLANs except those needed
Use VTP transparent mode to decrease potential for operational error
Disable trunks on host ports:
  Catalyst Operating System: set port host
  Cisco IOS Software: switchport host
A host port left in a DTP-negotiating mode lets whatever is plugged in negotiate a trunk and reach every allowed VLAN. The switchport host macro sets access mode, enables PortFast, and removes EtherChannel grouping in one step; add switchport nonegotiate if DTP frames themselves are to be stopped.


Layer 3 Access-to-Distribution Interconnection
Best option for fast convergence:
  Equal-cost Layer 3 load balancing on all links
  No spanning tree required for convergence
  No HSRP or GLBP configuration required
  No VLAN spanning possible


Building Distribution Layer Design Considerations
Performance
Redundancy
Support for network infrastructure services


Overview of Recommended Practices for the Building Distribution Layer
Use first-hop redundancy protocols (HSRP and GLBP).
Deploy Layer 3 routing protocols from distribution switches to core switches.
If required, connect distribution switches to support Layer 2 VLAN spanning multiple access switches.


Recommended Practices: First-Hop Redundancy
Provides a resilient default gateway or first-hop address to end stations with HSRP, VRRP, or GLBP
HSRP, VRRP, and GLBP provide millisecond timers and excellent convergence performance
HSRP common in Cisco environments
VRRP if you need multi-vendor interoperability
GLBP facilitates uplink load balancing
Authenticate the hello exchange (HSRP and VRRP support MD5 key chains): with the default cleartext authentication, any host on the VLAN can send a higher-priority hello and become the default gateway for the segment.


Recommended Practices: Use Layer 3 Routing Protocols
Build triangles, not squares, for deterministic convergence.
Only peer on links that you intend to use as transit.
Summarize routes from distribution to core.


Example: Build Redundant Triangles

Layer 3 redundant equal-cost links support fast convergence.

Hardware-based recovery to the remaining path is fast.
Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path).
DESGN v2.03-13

Layer 3 Distribution Interconnection

Recommended practice: tried and true

No STP convergence required for uplink failure and recovery
Distribution-to-distribution link required for route summarization
Map Layer 2 VLAN number to Layer 3 subnet for ease of use and management
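A worked check for the last two points, added here as an example and not part of the Cisco course material: it maps VLAN numbers to subnets (constructed convention 10.<site>.<vlan>.0/24), computes the single summary a distribution switch would advertise toward the core, and reports any address space that summary covers but no access VLAN actually uses. Traffic to those holes is attracted by the summary even when the owning distribution switch has lost its access links, which is why the distribution-to-distribution link matters; assumes Python 3.7+ (ipaddress.subnet_of).

```python
import ipaddress
from typing import Iterable, List, Tuple


def vlan_subnet(site: int, vlan: int) -> ipaddress.IPv4Network:
    """Map a VLAN number to its Layer 3 subnet.

    Constructed addressing convention for this example: 10.<site>.<vlan>.0/24,
    so the VLAN number and the third octet match and are easy to read."""
    if not 1 <= vlan <= 254:
        raise ValueError("VLAN must map to a usable third octet (1-254)")
    return ipaddress.ip_network(f"10.{site}.{vlan}.0/24")


def summary_route(subnets: Iterable) -> ipaddress.IPv4Network:
    """Return the single shortest prefix that covers every given subnet."""
    nets = [ipaddress.ip_network(str(s)) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Walk from the longest prefix length downward; the first block anchored
    # at `first` that also contains `last` is the minimal summary.
    for plen in range(max(n.prefixlen for n in nets), -1, -1):
        candidate = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last in candidate:
            return candidate
    raise AssertionError("unreachable: a /0 covers every address")


def summary_holes(summary: ipaddress.IPv4Network, subnets: Iterable) -> List[ipaddress.IPv4Network]:
    """Address blocks the summary advertises that no real subnet occupies."""
    remaining = [summary]
    for s in subnets:
        n = ipaddress.ip_network(str(s))
        nxt = []
        for block in remaining:
            if n.subnet_of(block):
                # Carve the real subnet out; yields nothing when n == block.
                nxt.extend(block.address_exclude(n))
            elif block.subnet_of(n):
                continue  # this leftover block is fully covered by a real subnet
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


def plan_summary(site: int, vlans: Iterable[int]) -> Tuple[ipaddress.IPv4Network, List[ipaddress.IPv4Network], int]:
    """Summary for one building's VLANs, its holes, and the number of
    addresses the summary claims without a subnet behind them."""
    subnets = [vlan_subnet(site, v) for v in vlans]
    summ = summary_route(subnets)
    holes = summary_holes(summ, subnets)
    return summ, holes, sum(h.num_addresses for h in holes)


if __name__ == "__main__":
    # Contiguous VLANs summarize exactly; sparse ones claim unused space.
    for vlans in ([8, 9, 10, 11], [10, 20, 30, 40]):
        summ, holes, spare = plan_summary(1, vlans)
        print(f"VLANs {vlans}: advertise {summ}, {spare} unused addresses covered")
        for h in holes:
            print("   hole:", h)
```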
DESGN v2.03-14

Alternate: Layer 2 Distribution Interconnection

Use only if Layer 2 VLAN spanning flexibility is required

STP convergence required for uplink failure and recovery
More complex because STP root and HSRP should match
Distribution-to-distribution link required for route summarization
DESGN v2.03-15

Campus Core Design Considerations

Determine if core is needed.
Determine performance and capacity needed.
Determine redundancy.
Determine if enterprise edge and WAN connectivity is to core or data center.

DESGN v2.03-16

Example: Large Campus Multilayer Switched Backbone Design
Reduced multilayer switch peering
Topology with no spanning-tree loops
Scalability to arbitrarily large size
Improved network services support
Two equal-cost paths to every destination network
Fast recovery from link failure

DESGN v2.03-17

Small and Medium Campus Design Options

DESGN v2.03-18

Edge Distribution Design

Edge distribution switches have to protect the campus core from:
Unauthorized access
IP spoofing
Network reconnaissance
Packet sniffers

DESGN v2.03-19

Server Placement in a Medium-Sized Network

DESGN v2.03-20

Server Placement in a Large Network

DESGN v2.03-21

Server Farm Design Guidelines

Key design considerations:
Access control
Traffic demands
Oversubscription
Server connectivity options:
Single NIC
Dual-NIC redundancy
Content switching (server load balancing)

DESGN v2.03-22

Summary
Design an enterprise campus network using recommended practices:
Use low price per port and high port density on data link layer switches for the building access layer.
Use redundant multilayer switching in the building distribution layer for high availability and performance.
Use high-performance wire-rate multilayer switching in the campus core design.
Group centralized servers into a server farm module for moderate enterprise server requirements.

DESGN v2.03-23

DESGN v2.03-24

Describing Enterprise Data Center Considerations

Designing Basic Enterprise Campus Networks

DESGN v2.03-1

Server-Centric to Service-Centric

DESGN v2.03-2

Cisco Data Center Network Architecture Framework

DESGN v2.03-3

Example: Data Center Network Topology



DESGN v2.03-4

Data Center Infrastructure Overview

DESGN v2.03-5

Defining the Data Center Access Layer

Can support Layer 2 or Layer 3 access
Provides port density to server farm
Supports dual and single-attached servers
Provides high-performance, low-latency Layer 2 switching
Mix of oversubscription requirements
Many uplink options

DESGN v2.03-6

Density and Scalability Implications


Where are the issues?
Cabling
Power
Cooling

DESGN v2.03-7

Defining the Data Center Aggregation Layer

Aggregates traffic to data center core
Aggregates advanced application and security functions
Maintains connection and session state for redundancy
Layer 4-7 services: firewall, server load balancing, SSL, IDS
Large STP processing load
High flexibility and economies of scale

DESGN v2.03-8

Defining the Data Center Core Layer


Drivers for a data center core:
10-Gigabit Ethernet port density
Administrative domains
Anticipate future requirements

Key core characteristics:
Distributed forwarding architecture
Low latency switching
10-Gigabit Ethernet scalability
Scalable IP multicast support

DESGN v2.03-9

Summary
Enterprise data centers support a rich set of applications and servers.
The SONA-based Cisco Enterprise Data Center Architecture provides a modular hierarchical approach to align data center resources with business applications.

DESGN v2.03-10

DESGN v2.03-11

Enterprise Campus and Data Center Design Review
Analyze organizational requirements:
Type of applications, traffic volume, and traffic pattern
Redundancy and backup needed
Characterize the existing network and sites:
Technology used and location of hosts, servers, terminals, and other end nodes
Develop enterprise campus and enterprise data center network designs:
Based on requirements, implement two or three hierarchical layers.
Select hardware and software components to support requirements.

DESGN v2.03-1

Module Summary
Campus network design is influenced by application, environmental, and infrastructure device characteristics.
An enterprise campus network is constructed hierarchically with building access, building distribution, and campus core layers.
An enterprise data center network is constructed hierarchically, with data center access, data center aggregation, and data center core layers.

DESGN v2.03-2

DESGN v2.03-3

Designing Remote Connectivity

Designing for Cisco Internetwork Solutions (DESGN) v2.0

DESGN v2.04-1

Identifying WAN Technology Considerations

Designing Remote Connectivity

DESGN v2.04-1

Role of a WAN

DESGN v2.04-2

Types of WAN Interconnections

DESGN v2.04-3

WAN Transport Technology Comparison

Comparison table (only the headings and a few cell values survive in this copy):
Columns: Bandwidth; Latency and Jitter; Connect Time; Tariff; Initial Cost; Reliability
Rows: TDM; ISDN; Frame Relay; ATM; MPLS; Metro Ethernet; DSL; Cable modem; Wireless; SONET/SDH; DWDM; Dark fiber
Surviving cell values (column position not recoverable): ISDN M/H; ATM M/H; MPLS M/H; Metro Ethernet M/H; DSL L/M*, M/H; Cable modem L/M*, M/H; Wireless L/M, M/H
*Unbalanced Tx and Rx
L = low, M = medium, H = high

DESGN v2.04-4

Example: ADSL Implementation

DESGN v2.04-5

Example: Data and Voice over Cable

DESGN v2.04-6

Example: Three Uses of Wireless

DESGN v2.04-7

Example: SONET/SDH

Guaranteed bandwidth
High line rates (from 155 Mbps to 10 Gbps)
Automatic recovery capabilities
IP encapsulations: ATM or packet over SONET/SDH (POS)
DESGN v2.04-8

Example: DWDM

Improved signaling mechanisms to optimize bandwidth usage
Used inside the SONET/SDH ring

DESGN v2.04-9

Example: Dark Fiber

Edge devices directly connected to regenerators or DWDM concentrators
Edge devices able to use any Layer 2 encapsulation

DESGN v2.04-10

WAN Transport Technology Pricing Considerations
Pricing used to include an access circuit and a distance-sensitive rate.
Access circuit provisioning generally takes 60 days or more lead time.
Metro Ethernet availability is spotty, and lead times are long.
For Frame Relay and ATM, pricing includes an access circuit charge, per-PVC and possibly per-bandwidth (CIR or MIR) charges.
MPLS VPN pricing is generally comparable with Frame Relay and ATM.

DESGN v2.04-11

WAN Transport Technology Contract Considerations
Tariffed commercial services are at published rates and subject to restrictions.
Time to contract can be one month for standard tariff rates, longer if you negotiate SLAs.
Contract periods are usually one to five years for most WAN services.
For dark fiber, contract periods are generally 20 years.

DESGN v2.04-12

Methodology Used in Enterprise Edge Design
Planning and designing the enterprise edge is based on the PPDIOO methodology:
Analyze network requirements, including type of applications, traffic volume, and traffic patterns.
Characterize the existing network for technology used and location of hosts, servers, terminals, and other end nodes.
Design the topology based on availability of technology, the projected traffic pattern, and technology performance constraints and reliability.

DESGN v2.04-13

Identifying Application Requirements

Requirements by application type:
Response time: data file transfer, reasonable; interactive data application, within a second; real-time voice, round trip less than 250 ms with delay and with low jitter; real-time video, minimum delay and jitter
Throughput and packet loss tolerance: data file transfer, high/medium; interactive data application, low/low; real-time voice, low/low; real-time video, high/medium
Downtime (high reliability has low downtime): data file transfer, reasonable; interactive data application, low; real-time voice, low; real-time video, minimum

Zero downtime for mission-critical applications

DESGN v2.04-14

Determining the Maximum Offered Traffic

WAN resources have finite capacity.
End users require minimum response times.
Network managers require maximum link utilization.

DESGN v2.04-15

Determining Physical Media Bandwidth

Media options by bandwidth range (up to 1.5/2 Mbps; 1.5/2 Mbps to 45/34 Mbps; 45/34 Mbps to 100 Mbps; 100 Mbps to 10 Gbps):
Copper: up to 1.5/2 Mbps, serial or async serial, ISDN, TDM, X.25, Frame Relay, ADSL; 1.5/2 Mbps to 45/34 Mbps, ADSL (8 Mbps downstream)
Fiber: 1.5/2 Mbps to 45/34 Mbps, Ethernet, TDM (T3 or E3); 45/34 Mbps to 100 Mbps, Fast Ethernet, ATM over SONET/SDH, POS; 100 Mbps to 10 Gbps, 10-Gigabit Ethernet, Gigabit Ethernet, ATM over SONET/SDH, POS
Coaxial: 1.5/2 Mbps to 45/34 Mbps, shared bandwidth: 27 Mbps downstream, 2.5 Mbps upstream
2.4/5 GHz WAN wireless: varies based on distance and RF quality

DESGN v2.04-16

Evaluating Cost-Effectiveness of Design and Implementation
Investment and Running Costs
Private: Owner must buy, configure, and maintain the physical layer connectivity and the terminal equipment that connects each location.
Leased: Fixed bandwidth is leased from a carrier company with private or leased terminal equipment.
Shared: Physical resources in campus backbone are shared with many users.

DESGN v2.04-17

Bandwidth Usage in a WAN

Optimize the bandwidth usage on WAN links to improve network efficiency using:
Data compression: Reduces the size of a frame of data to transmit over a network link
Bandwidth combination: Logically aggregates physical links
Window size: Adjusts link reliability versus throughput
Queuing: Avoids congestion for some traffic by giving it priority over other traffic
Traffic shaping and policing: Avoids congestion by policing inbound and outbound flows

DESGN v2.04-18

Queuing to Improve Link Utilization

Queuing allows network administrators to manage varying demands of applications on networks and routers.
Key types of queuing:
Priority queuing
Custom queuing
Weighted fair queuing
Class-based weighted fair queuing
Low latency queuing

DESGN v2.04-19

Traffic Shaping and Policing

Usually found on egress ports, shaping buffers excess traffic, using a token bucket mechanism to release packets.
Policers typically tag or drop traffic, depending on the mechanism, protocol, and severity of offense.
Policing, historically in ATM, is on ingress ports and uses a leaky bucket mechanism.
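Added example (not part of the course material) contrasting the two mechanisms described above in a small simulation: a token bucket policer that drops or marks excess packets the moment they arrive, and a shaper that queues them and releases them as tokens accumulate, with a finite queue so that sustained excess still ends in tail drops. The packet trace, the 1000 bytes/s budget and the 1000-byte bucket depth are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: four 500-byte packets arrive together at t=0 (a burst),
# then one more at t=2.0 s. Tuples are (arrival_time_s, size_bytes).
SAMPLE_PACKETS: List[Tuple[float, int]] = [
    (0.0, 500), (0.0, 500), (0.0, 500), (0.0, 500), (2.0, 500),
]


@dataclass
class TokenBucket:
    """Bucket holding up to `burst` bytes of credit, refilled continuously
    at `rate` bytes per second (the committed rate)."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # starts full, like a real CIR/Bc bucket

    def refill(self, now: float) -> None:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, size: int, now: float) -> bool:
        """Consume `size` tokens if they are available right now (policer semantics)."""
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

    def time_until(self, size: int) -> float:
        """Seconds until `size` tokens will have accumulated (shaper semantics)."""
        deficit = size - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.rate


def police(packets, rate, burst, exceed_action="drop"):
    """Ingress policer: conforming packets pass unchanged; excess packets are
    dropped or marked (tagged) immediately. Nothing is ever delayed, so the
    policer needs no buffer but the excess is lost or carries a lower class."""
    bucket = TokenBucket(rate, burst)
    result = []
    for t, size in packets:
        action = "forward" if bucket.take(size, t) else exceed_action
        result.append((t, size, action))
    return result


def shape(packets, rate, burst, queue_limit):
    """Egress shaper: excess packets wait in a FIFO until enough tokens have
    accumulated, so the output never exceeds `rate` over time. The queue is
    finite: once `queue_limit` packets are waiting, new arrivals are tail-dropped."""
    bucket = TokenBucket(rate, burst)
    releases: List[float] = []          # scheduled release times, FIFO order
    result = []
    for t, size in packets:
        if size > burst:
            raise ValueError("a packet larger than the bucket depth can never conform")
        backlog = sum(1 for r in releases if r > t)   # packets still queued at time t
        if backlog >= queue_limit:
            result.append((t, size, "tail-drop", None))
            continue
        earliest = max(t, releases[-1] if releases else 0.0)  # preserve FIFO order
        bucket.refill(earliest)
        release = earliest + bucket.time_until(size)
        bucket.refill(release)
        bucket.tokens = max(0.0, bucket.tokens - size)
        releases.append(release)
        action = "delayed" if release > t else "forward"
        result.append((t, size, action, round(release, 6)))
    return result


if __name__ == "__main__":
    # Link budget for the sample: 1000 bytes/s with a 1000-byte bucket.
    for row in police(SAMPLE_PACKETS, rate=1000, burst=1000):
        print("policer", row)
    for row in shape(SAMPLE_PACKETS, rate=1000, burst=1000, queue_limit=10):
        print("shaper ", row)
```

With the sample burst the policer forwards two packets and discards two, while the shaper forwards the same two immediately and releases the other two at 0.5 s and 1.0 s; lowering queue_limit to 1 makes the shaper tail-drop the fourth packet instead.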
DESGN v2.04-20

Data Compression and QoS to Optimize Bandwidth Usage

DESGN v2.04-21

Summary
A WAN is a communications network that covers a relatively broad geographic area and carries a variety of traffic types using transmission facilities that are typically provided by service providers.
The multiple WAN transport technologies vary in bandwidth, performance characteristics, and cost.
In WAN design, enterprise edge connectivity requirements influence the trade-off between the cost of bandwidth and bandwidth efficiency.

DESGN v2.04-22

DESGN v2.04-23

Designing the Enterprise WAN

Designing Remote Connectivity

DESGN v2.04-1

Traditional WAN Technologies

Leased lines: A service provider establishes a dedicated connection.
Circuit-switched PSTN (phone service, analog modems, ISDN): A dedicated circuit path is established for the duration of a call. ISDN combines voice, data, and backup.
Packet- and cell-switched (Frame Relay, SMDS, ATM, MPLS): A service provider creates PVCs or SVCs. ATM uses cells and provides support for multiple QoS classes.

DESGN v2.04-2

WAN Topologies

DESGN v2.04-3

Designing the Remote-Access Network

Objective: Provide a unified solution for remote access
Grant the connection seamlessly, as if in company headquarters
Application requirements include:
Low to medium-volume data file transfer and interactive traffic for teleworkers and traveling workers
Voice services for teleworkers
Connectivity option: IP access through an on-demand or always-on connection
Technologies include dial-up, DSL, cable, and wireless

Overview of Virtual Private Networks

Connectivity Option: Overlay VPN

VPNs may replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.

Connectivity Option: Virtual Private Dialup Network (VPDN)

Connectivity Option: Peer-to-Peer VPN


Provider participates in the enterprise routing:
Uses MPLS VPN technology
Enables organization to use any IP address space
No overlapping IP address space problems

Benefits of VPNs

WAN Backup Technologies

Backup options:
  Dial backup: analog or ISDN
  Permanent secondary WAN link
  Shadow PVC
  IPsec tunnel across the Internet

Example: Permanent Secondary WAN Link

Example: Shadow PVC

WAN Backup over the Internet

Layer 3 Tunneling

GRE can encapsulate a variety of protocol types inside IP tunnels.
  It is simple and flexible for basic IP VPNs.
  Packet payload is not encrypted.
  Provisioning of tunnels is not very scalable.
IPsec encapsulates IP inside of IPsec tunnels.
  Packet payload can be encrypted.
  IPsec receiver can authenticate the source of packets.
  It uses IKE and PKI.

Enterprise WAN Architecture Considerations

Support for network growth
Appropriate availability
Operational expense
Operational complexity
Voice and video support
Effort and cost to implement
Support of network segmentation

Cisco Enterprise MAN and WAN Architecture


Private WAN (optionally encrypted)
ISP service through site-to-site and remote-access IPsec VPN
Service provider-managed IP or MPLS VPN
Self-deployed MPLS

Cisco Enterprise WAN and MAN Architecture Comparison

| | Private WAN | ISP Service | SP MPLS and IP VPN | Self-Deployed MPLS |
|---|---|---|---|---|
| Secure transport | IPsec (optional) | IPsec (mandatory) | IPsec (mandatory) | IPsec (mandatory) |
| High availability | Excellent | Good | Excellent | Excellent |
| Multicast | Good | Good | Good | Excellent |
| Voice and video support | Excellent | Low | Excellent | Excellent |
| Scalable network growth | Moderate | Good | Excellent | Excellent |
| Easily shared WAN links | Moderate | Moderate | Moderate | Excellent |
| Operational costs | High | Low | Moderate, depends on transport | Moderate to high |
| Network control | High | Moderate | Moderate | High |
| Effort to migrate from private WAN | Low | Moderate | Moderate | High |

Example: Cisco WAN Architectures in the Healthcare Environment

Selecting Enterprise Edge Hardware Components and Software Features

Hardware selection incorporates the selection of data link layer functions and features of a particular device
  Considerations: Port density, packet throughput, future expandability, redundancy
Software selection focuses on network layer performance
  Considerations: Forwarding decisions, bandwidth optimization, security

Cisco IOS Software in the Network

Cisco IOS Software T: IP services and ease of deployment
  Broadband access
  Mobility and wireless
  Data center
  Security
  IP communications

Cisco IOS Software S: IP services and infrastructure
  High-end enterprise core
  Service provider edge
  Virtual Private Networks (MPLS, Layer 2 and Layer 3)
  Video and content multicast

Cisco IOS Software XR: Scale and availability
  Large-scale networks
  High availability
  In-service software upgrade

Cisco IOS Packaging

Cisco IOS Packaging Technology Segmentation

Packages: IP Base, IP Voice, Advanced Security, Enterprise Base, SP Services, Advanced IP Services, Enterprise Services, Advanced Enterprise Services

Feature groups: Data connectivity; VoIP and VoFR; Firewall, IDS, VPN; ATM, VoATM, MPLS; AppleTalk, IPX, IBM protocols

(The slide's package-to-feature matrix is a diagram and did not survive extraction.)

Comparing Router Platforms and Software Functions

| Hardware | Software | Function |
|---|---|---|
| 800, 1800, 2800, 3800, 7200 | Cisco IOS T Releases 12.3, 12.4, 12.3T, 12.4T | Supports access routing platforms providing fast, scalable delivery of mission-critical enterprise applications |
| 7200, 7301, 7304, 7500, 10K | Cisco IOS S Release 12.2SB | Delivers midrange broadband and leased-line aggregation for enterprise and service provider edge networks |
| 7600 | Cisco IOS S Release 12.2SR | Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge |
| 12000, CRS-1 | Cisco IOS XR | Provides massive scale, continuous system availability, and service flexibility for service provider core and edge (takes advantage of the massively distributed processing capabilities of the Cisco CRS-1 routing system and the Cisco 12000) |

Comparing Multilayer Switch Platforms and Software Functions

| Hardware | Software | Function |
|---|---|---|
| 800, 1800, 2800, 3800, 7200 | Cisco IOS S Release 12.2SE | Provides low-end to midrange Ethernet LAN switching for enterprise access and distribution deployments |
| 4500, 4900 | Cisco IOS S Release 12.2SG | Provides midrange Ethernet LAN switching for enterprise access and distribution deployments in the campus, and supports Metro Ethernet |
| 6500 | Cisco IOS S Release 12.2SX | Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge |

Use the Cisco Feature Navigator to find the right Cisco IOS and Catalyst operating system software release and features.

Summary
Traditional WAN technologies include leased lines,
circuit-switched PSTN, and packet-switched networks.
Remote-access networks connect teleworkers and traveling
employees.
A VPN provides connectivity over a shared infrastructure with the
same policies and performance as a private network.
WAN backup strategies are needed to provide high availability
between remote sites.
The Cisco Enterprise WAN and MAN Architecture provides
integrated QoS, network security, reliability, and manageability.
Enterprise WAN design includes selecting the appropriate
components, including hardware and software.

Designing the Enterprise Branch

Designing Remote Connectivity

Enterprise Branch Services

Enterprise Branch Architecture

Characterizing the Branch


Number of locations
Number of existing devices
Scalability needed
High-availability requirements
Security concerns
Management concerns
Wireless services needed
Approximate budget

Enterprise Branch Profiles

Small Branch Office Design

Infrastructure components
  Access router
  Layer 2 switching (integrated or external stackable)
  Laptops, phones, printers

WAN services and backup
  Internet deployment model
  T1 primary link
  ADSL secondary link

Network fundamentals
  EIGRP
  High availability: floating statics, T1 with ADSL
  QoS: shaping, policing, scavenger class (applied to both switch and router)

Medium Branch Office Design

Infrastructure components
  Dual access routers
  External stackable switch (Layer 2 or Layer 3)
  Laptops, phones, printers

WAN services
  Private WAN deployment
  Dual Frame Relay links

Network fundamentals
  EIGRP
  High availability: dual routers, HSRP
  QoS: shaping, policing, scavenger class (applied to both switch and router)

Large Branch Office Design

Infrastructure components
  Dual access routers for WAN edge
  Dual ASAs for firewalls
  Dual multilayer switching (stackable or modular)
  Laptops, phones, printers

WAN services
  MPLS deployment model
  Dual links to WAN cloud

Network fundamentals
  EIGRP
  High availability: dual routers at every layer, HSRP
  Object tracking, ASA failover
  QoS: shaping, policing, scavenger class (applied to all routers and switches)

Comparison of Teleworking Options

| | Occasional Remote Worker (occasional users) | Branch of One (part-time or full-time workers and day extenders) |
|---|---|---|
| E-mail | Yes | Yes |
| Web-based applications | Yes | Yes |
| Mission-critical applications | Best effort | Prioritized |
| Real-time collaboration | Best effort | Prioritized |
| Voice over IP | Best effort | High quality |
| Video on demand, Cisco IP/TV | Unlikely | High quality |
| Video conferencing | Unlikely | High quality |
| Remote configuration and management | No | Yes |
| Integrated security | Basic | Full |
| Resiliency and availability | No | Yes |
Branch of One Architecture

  Centralized management
  IT-managed security policies
  Advanced applications support (voice, video)
  Corporate-pushed security policies (not user-managed)
  Corporate phone, toll bypass, centralized voice mail
  Integrated security and identity services

Summary
The Cisco Enterprise Branch Architecture provides enterprise services to remote users.
You should characterize each branch location to develop a suitable design:
  Small branch office design typically uses a single WAN access router with one or two access switches to support up to 50 users.
  Medium branch office design typically uses two WAN access routers with multiple access switches to support up to 100 users.
  Large branch office design typically uses two WAN access routers, one or more multilayer distribution switches, and multiple access switches to support 100 to 1000 users.
An enterprise teleworker design can use a small ISR with integrated switch ports and an always-on VPN to support one teleworker.
Remote Connectivity Design Review

Analyze network requirements:
  Type of applications, traffic volume, and traffic pattern
  Redundancy and backup needed
Characterize the existing network and sites:
  Technology used, and location of hosts, servers, terminals, and other end nodes
Develop the WAN and branch network design:
  Select WAN and branch technology to support requirements.
  Select hardware and software components to support requirements.

Module Summary
Network application and connectivity requirements influence
the WAN design.
The Cisco Enterprise MAN and WAN architecture provides
integrated QoS, network security, reliability, and manageability
on:
Private WANs
ISP service through site-to-site and remote-access VPNs
Service Provider-managed IP or MPLS VPNs
The Cisco Enterprise Branch Architecture supports small,
medium, large, and teleworker locations.

Designing IP Addressing and Selecting Routing Protocols

Designing for Cisco Internetwork Solutions (DESGN) v2.0

Designing IP Addressing

Designing IP Addressing and Selecting Routing Protocols

Prerequisite Knowledge
IPv4 address and mask structure
IPv4 classes and CIDR
Static addressing
Dynamic addressing with DHCP
DNS
Private and public addresses
NAT and PAT
  Static NAT
  Dynamic NAT
  Overloading

Private and Public IPv4 Address Guidelines

Network Size and IP Addressing Planning

How many locations are in the network?
How many devices are in each location?
What are the IP addressing requirements for individual locations?
What subnet size is appropriate?

Determining General Network Topology

IP Address Requirements by Location

| Location | Office Type | Workstations | Servers | IP Phones | Router Interfaces | Layer 3 Switches | Firewall and Net Device Interfaces | Reserve | Total |
|---|---|---|---|---|---|---|---|---|---|
| San Francisco | Main | 600 | 35 | 600 | 17 | 26 | 12 | 20% | 1290 |
| Denver | Regional | 210 | | 210 | 10 | | | 20% | 441 |
| Houston | Regional | 155 | | 155 | 10 | | | 20% | 329 |
| Remote Office 1 | Remote | 12 | | 12 | | | | 10% | 28 |
| Remote Office 2 | Remote | 15 | | 15 | | | | 10% | 35 |
| Remote Office 3 | Remote | | | | | | | 10% | 21 |
| Total | | 1000 | 50 | 1000 | 45 | 37 | 12 | | 2144 |

(Cells left empty did not survive extraction of the slide.)

IP Addressing Hierarchy
Reasons to implement include:
  Influence of IP addressing on routing
  Modular design and scalable solutions
  Support for route aggregation

Route Summarization Groups

Benefits of hierarchical addressing include:
  Support for route summarization groups
  Efficient aggregation of routing advertisements
Poorly designed IP addressing results in:
  Excess routing traffic, leading to additional bandwidth consumption
  Increased routing table recalculations, degrading router performance

Example: Address Blocks by Location

| Location | Counts | Rounded Power of 2 | Address Block |
|---|---|---|---|
| San Francisco Campus | 1290 | | |
| Denver Region | | | |
| Denver Office 1 | 441 | | |
| Remote Office 1 | 28 | | |
| Remote Office 2 | 35 | | |
| Houston Region | | | |
| Houston Campus | 329 | | |
| Remote Office 3 | 21 | | |

Example: Address Blocks by Location

| Location | Counts | Rounded Power of 2 | Address Block |
|---|---|---|---|
| San Francisco Campus | 1290 | 2048 | |
| Denver Region | | | |
| Denver Office 1 | 441 | 512 | |
| Remote Office 1 | 28 | 64 | |
| Remote Office 2 | 35 | 64 | |
| Houston Region | | | |
| Houston Campus | 329 | 512 | |
| Remote Office 3 | 21 | 64 | |

Example: Address Blocks by Location

| Location | Counts | Rounded Power of 2 | Address Block |
|---|---|---|---|
| San Francisco Campus | 1290 | 2048 | |
| Denver Region | | 1024 | |
| Denver Office 1 | 441 | 512 | |
| Remote Office 1 | 28 | 64 | |
| Remote Office 2 | 35 | 64 | |
| Houston Region | | 1024 | |
| Houston Campus | 329 | 512 | |
| Remote Office 3 | 21 | 64 | |

Example: Address Blocks by Location

Location                Counts   Rounded Power of 2   Address Block
San Francisco Campus      1290                 2048   172.16.0.0 - 172.16.7.255 /21
Denver Region                                  1024   172.16.8.0 - 172.16.11.255 /22
  Denver Office 1          441                  512   172.16.8.0 - 172.16.9.255 /23
  Remote Office 1           28                   64   172.16.10.0 /26
  Remote Office 2           35                   64   172.16.10.64 /26
Houston Region                                 1024   172.16.12.0 - 172.16.15.255 /22
  Houston Campus           329                  512   172.16.12.0 - 172.16.13.255 /23
  Remote Office 3           21                   64   172.16.14.0 /26
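The allocation in the table, worked through in code. This is an added example written for this page, not tooling from the DESGN course: it rounds each site's host count up to a power of two, sizes each region to the rounded sum of its sites, and carves the blocks out of 172.16.0.0/16 in the order the table lists them, each block aligned to its own size so it is a valid CIDR prefix. The slide rounds the 28- and 21-host offices up to 64 rather than 32, so the code assumes a minimum site block of 64 addresses (a /26) to reproduce that; the minimum, the pool 172.16.0.0/16 and the helper names are assumptions, not something the slide states.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumption: the slide never sizes a site below 64 addresses (a /26), which is
# why 28 and 21 hosts both round to 64 rather than 32.
MIN_SITE_BLOCK = 64

# Host counts constructed from the slide's table; regions group their sites.
SITES = {
    "San Francisco Campus": 1290,
    "Denver Region": {"Denver Office 1": 441, "Remote Office 1": 28, "Remote Office 2": 35},
    "Houston Region": {"Houston Campus": 329, "Remote Office 3": 21},
}


class Row(NamedTuple):
    location: str
    count: Optional[int]             # None for a region (summary) row
    block: int                       # rounded power of two
    network: ipaddress.IPv4Network


def round_up_pow2(count: int, minimum: int = MIN_SITE_BLOCK) -> int:
    """Smallest power of two >= count, never below the minimum block size."""
    size = minimum
    while size < count:
        size *= 2
    return size


def prefix_len(block: int) -> int:
    """Block size in addresses -> IPv4 prefix length (2048 -> 21, 64 -> 26)."""
    return 33 - block.bit_length()


class Allocator:
    """Hands out blocks from a pool sequentially, aligned to their own size."""

    def __init__(self, pool: ipaddress.IPv4Network):
        self.pool = pool
        self.cursor = int(pool.network_address)

    def take(self, block: int) -> ipaddress.IPv4Network:
        start = -(-self.cursor // block) * block      # round cursor up to a multiple of block
        net = ipaddress.ip_network((start, prefix_len(block)))
        if not net.subnet_of(self.pool):
            raise ValueError(f"pool {self.pool} exhausted while allocating /{prefix_len(block)}")
        self.cursor = start + block
        return net


def build_plan(pool: str, sites: dict) -> list:
    """Produce the slide's table: one row per site, one summary row per region."""
    top = Allocator(ipaddress.ip_network(pool))
    rows = []
    for name, spec in sites.items():
        if isinstance(spec, dict):
            # Region block = sum of its sites' rounded blocks, rounded up again.
            region_block = round_up_pow2(sum(round_up_pow2(c) for c in spec.values()))
            region_net = top.take(region_block)
            rows.append(Row(name, None, region_block, region_net))
            inner = Allocator(region_net)            # sites are carved from the region block
            for site, count in spec.items():
                block = round_up_pow2(count)
                rows.append(Row("  " + site, count, block, inner.take(block)))
        else:
            block = round_up_pow2(spec)
            rows.append(Row(name, spec, block, top.take(block)))
    return rows


def no_overlaps(rows: list) -> bool:
    """Site blocks must never overlap; region blocks are summaries of their sites."""
    leaves = [r.network for r in rows if r.count is not None]
    return all(not a.overlaps(b) for i, a in enumerate(leaves) for b in leaves[i + 1:])


if __name__ == "__main__":
    plan = build_plan("172.16.0.0/16", SITES)
    for r in plan:
        print(f"{r.location:<24}{r.count or '':>6}{r.block:>8}   {r.network}")
    print("site blocks disjoint:", no_overlaps(plan))
```

The region rows are what the distribution layer advertises toward the core: one /22 per region instead of three or two site prefixes, and the unused part of each region block (1024 allocated, 640 and 576 used) is the growth room that keeps the summary stable when a site is added.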


Example: Hierarchical
IP Addressing Plan



Managing IP Addresses
Using DHCP in the enterprise.
Using DNS in the enterprise.
Using NAT in the enterprise.


Recommended Practices for IP Address Assignment

                              Method
Criteria                      Strategic Address Assignment                           Dynamic Address Assignment with DHCP
Node type                     Infrastructure devices such as routers and switches    End-user devices
Number of end-user devices    Up to 30 end-user devices                              More than 30 end-user devices
Renumbering                   Requires manual reconfiguration of all hosts           Only DHCP server reconfiguration is needed
Address tracking              Easy address tracking                                  Requires additional DHCP server configuration
Additional parameters         Manual configuration of all hosts required             Only DHCP server needs to be configured
High availability             IP addresses are available at any time                 Redundant DHCP server is required
Security concerns             Minor security risk                                    Any device gets an IP address


Example: IP Address Assignment Methods in an Enterprise Network


Static vs. Dynamic Name Resolution

Names used to ease computer-human interaction
Names resolved to IP addresses
Different name resolution strategies:
  Static
  Dynamic


Recommended Practices for Name Resolution

                                            Method
Criteria                                    Static Name Resolution    Dynamic Name Resolution
Number of hosts                             Up to 30 hosts            More than 30 hosts
Isolated network                            Applicable                Applicable
Internet connectivity                       Not applicable            Mandatory
Frequent changes and addition of names      Not recommended           Recommended
Application depending on name resolution    Not recommended           Recommended


Using DNS for Name Resolution


Example: Locating DHCP and DNS Servers in the Network


IPv6 Address Structure

x:x:x:x:x:x:x:x, where each x is a 16-bit field written as a hexadecimal number:
2031:0000:130F:0000:0000:09C0:876A:130B
Can also be written as 2031:0:130F::9C0:876A:130B


Benefits of IPv6 Addressing


Larger address space
Globally unique IP addresses
Site multihoming
Header format efficiency
Improved privacy and security
Flow labeling capability
Increased mobility and multicast capabilities


IPv6 Address Scope Types


IPv6 address scope types:
Unicast (one to one)
Anycast (one to nearest)
Multicast (one to many)
Broadcast addresses not available


IPv6 Address Types: Link-Local and Site-Local

Link-Local Address
Site-Local Address


IPv6 Address Types: Global Aggregatable

Global Aggregatable Address
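The address notation from the IPv6 Address Structure slide and the address types on the last three slides, worked as an added example (not code from the course). The first function applies the zero-compression rule by hand, the way the slide's 2031:0000:130F:... example becomes 2031:0:130F::9C0:876A:130B: drop leading zeros in every 16-bit group and replace the longest run of two or more all-zero groups with "::", leftmost run on a tie (RFC 5952 also asks for lowercase hex, so output is lowercase where the slide prints uppercase). The second classifies an address by its leading bits into the scopes and types the slides name; the prefixes fe80::/10, fec0::/10, ff00::/8 and 2000::/3 are the standard ones, and a third function cross-checks the hand-written compression against Python's ipaddress module.

```python
import ipaddress


def compress_rfc5952(addr: str) -> str:
    """Shorten a full eight-group IPv6 address: strip leading zeros per group and
    replace the longest run of two or more all-zero groups with '::'."""
    groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError("expected the uncompressed x:x:x:x:x:x:x:x form")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:            # strictly greater: the leftmost run wins ties
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                     # a lone zero group is written '0', never '::'
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def scope(addr: str) -> str:
    """Classify an IPv6 address by its leading bits."""
    v = int(ipaddress.IPv6Address(addr))   # accepts compressed or full form
    if v >> 120 == 0xFF:                   # ff00::/8
        return "multicast"
    if v >> 118 == 0x3FA:                  # fe80::/10, top ten bits 1111111010
        return "link-local"
    if v >> 118 == 0x3FB:                  # fec0::/10, top ten bits 1111111011 (deprecated)
        return "site-local"
    if v >> 125 == 0b001:                  # 2000::/3, the global aggregatable space
        return "global unicast"
    if v == 1:
        return "loopback"
    return "other"


def agrees_with_stdlib(addr: str) -> bool:
    """Check the hand-written compression against ipaddress, which follows RFC 5952."""
    a = ipaddress.IPv6Address(addr)
    return compress_rfc5952(a.exploded) == a.compressed


if __name__ == "__main__":
    full = "2031:0000:130F:0000:0000:09C0:876A:130B"    # the slide's example address
    short = compress_rfc5952(full)
    print(full, "->", short.upper(), "(" + scope(short) + ")")
    for sample in ("fe80::1", "fec0::1", "ff02::1", "::1"):
        print(f"{sample:<12} {scope(sample)}")
```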


IPv6 Routing Protocol Considerations

Interior Gateway Protocols (IGPs) for inside autonomous systems:
  RIPng
  EIGRP IPv6
  OSPFv3
  Integrated IS-IS
Exterior gateway protocols (EGPs) for peering between autonomous systems:
  BGP+

IPv6 Address Assignment Strategies


Static:
Same as IPv4

Dynamic:
Link-local
Stateless
Stateful using DHCPv6


IPv6 Name Resolution

Static: Same as IPv4
Dynamic (autoconfiguration): DNS server with IPv6 stack support


IPv4- and IPv6-Aware Applications and Name Resolution

In a dual-stack case, an application is IPv4- and IPv6-enabled.
The application decides which stack to use and asks DNS for the address.


IPv4-to-IPv6 Transition Strategies


Three major transition strategies are available:
Dual stack (IPv4 and IPv6 coexist in the same device and
networks)
Tunneling (IPv6 packets are encapsulated into IPv4 packets)
Translation (IPv6-only devices can talk to IPv4 devices)


Dual-Stack Mechanism

Both IPv4 and IPv6 stacks are enabled.
Applications can talk to both stacks.
IP version choice is based on name lookup and application preference.
Popular operating systems support IPv6.


Tunneling Mechanism

Encapsulates the IPv6 packet in the IPv4 packet. Techniques:
  Manually configured
  Semiautomated
  Automatic

Translation Mechanism


Summary
Key components of an IPv4 addressing scheme include IP address
structure, address classes, subnetting, and masking.
Well-designed hierarchical IP addressing enables efficient aggregation of
routing advertisements, which consumes less bandwidth and router CPU.
Dynamic IP address assignment is a recommended practice in the
enterprise.
Dynamic name resolution with a DNS server is a recommended
practice in the enterprise.
IPv6 was designed as a successor to IPv4 to overcome IPv4 limitations.
The IPv6 address structure and address types support a much larger
address space than IPv4.
IPv6 supports two address types: link-local and global aggregatable.


Reviewing Enterprise
Routing Protocols

Designing IP Addressing and Selecting Routing Protocols


Distance Vector and Link-State Comparison

Distance vector protocol characteristics:
  Slow convergence
  Easy implementation and maintenance
  Limited scalability

Link-state protocol characteristics:
  Fast convergence
  Good scalability
  Less routing traffic overhead
  More knowledge needed for implementation and maintenance


Example: Distance Vector Routing

Routing updates are periodic:
  Include whole routing tables
  Use gratuitous updates (except RIPv2)

Example: Link-State Routing

Triggered updates:
Include data on link states of changing links
Use multicast propagation
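What a link-state router does with the triggered updates just described, as an added example that is not part of the course material. Every router holds the same link-state database (LSDB) and runs shortest path first over it; a triggered update carries only the link that changed, after which SPF is rerun. The five-router topology, its link costs and the function names are constructed for this illustration; the SPF routine is Dijkstra's algorithm, which is what OSPF's SPF calculation is.

```python
import heapq
from typing import Dict, Tuple

Link = Tuple[str, str]

# Constructed link-state database (not a topology from the course): one entry
# per link, keyed by the sorted router pair, with the same cost in both directions.
LSDB: Dict[Link, int] = {
    ("A", "B"): 10,
    ("A", "C"): 5,
    ("B", "D"): 1,
    ("C", "D"): 10,
    ("D", "E"): 2,
}


def adjacency(lsdb: Dict[Link, int]) -> Dict[str, Dict[str, int]]:
    """Neighbor map built from the LSDB; every link is usable in both directions."""
    adj: Dict[str, Dict[str, int]] = {}
    for (u, v), cost in lsdb.items():
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def spf(lsdb: Dict[Link, int], root: str):
    """Dijkstra over the LSDB: lowest cost to every router plus the predecessor tree."""
    adj = adjacency(lsdb)
    dist = {root: 0}
    prev: Dict[str, str] = {}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in adj.get(u, {}).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (d + cost, v))
    return dist, prev


def routing_table(lsdb: Dict[Link, int], root: str) -> Dict[str, Tuple[str, int]]:
    """destination -> (next hop, cost), found by walking each predecessor chain back to root."""
    dist, prev = spf(lsdb, root)
    table = {}
    for dst in dist:
        if dst == root:
            continue
        hop = dst
        while prev[hop] != root:
            hop = prev[hop]
        table[dst] = (hop, dist[dst])
    return table


def apply_lsa(lsdb: Dict[Link, int], link: Link, cost) -> Dict[Link, int]:
    """A triggered update names only the changed link; cost None means the link is down.
    Returns the updated LSDB so the caller can rerun SPF (the original is left intact)."""
    new = dict(lsdb)
    key = tuple(sorted(link))
    if cost is None:
        new.pop(key, None)
    else:
        new[key] = cost
    return new


if __name__ == "__main__":
    print("before:", routing_table(LSDB, "A"))
    # Link A-B fails: the only information flooded is that one link state.
    print("after A-B down:", routing_table(apply_lsa(LSDB, ("A", "B"), None), "A"))
```

Contrast this with the periodic distance vector behaviour on the previous slide: here the update is one link entry, sent once, and the full table is recomputed locally rather than received from a neighbor.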

Interior vs. Exterior Routing Protocols

Interior Gateway Protocols (IGPs):
  Routing inside autonomous systems
  Fast convergence and easy configuration
  Low administrator influence on routing decisions

Exterior gateway protocols (EGPs):
  Routing between autonomous systems
  Slow convergence and more complex configuration
  High administrator influence on routing decisions


Example: Interior vs. Exterior Routing Protocols


Hierarchical vs. Flat Routing Protocols

Flat routing protocols propagate all routing information throughout the network:
  Classful routing protocols
  Not appropriate for large networks
  RIPv1, IGRP, RIPv2 (classless)
Hierarchical routing protocols divide large networks into smaller areas:
  Classless routing protocols
  Limited route propagation between areas
  EIGRP, OSPF, IS-IS


Example: Flat and Hierarchical Networks

Comparing flat and hierarchical networks:
  Hierarchical structure means less routing traffic overhead.
  Summarization is the key.

Routing Protocol Convergence


A converged network is a stable network with all needed routing
information.
Network convergence takes place:
Initially on network startup
On topological changes
Enterprise routing protocols should have short convergence
times.


Routing Protocol Convergence Comparison

Protocol   Convergence Time to Router E
RIP        Holddown + 1 or 2 update intervals
EIGRP      Matter of seconds
OSPF       Matter of seconds


Enhanced IGRP (EIGRP)

Advanced distance vector protocol based on IGRP with some link-state protocol features
Supports VLSM


EIGRP Characteristics

EIGRP Characteristic                       Implemented By
Fast convergence                           Diffusing Update Algorithm (DUAL)
Improved scalability                       Manual summarization, fast convergence
Use of VLSM                                Subnet mask in updates
Reduced bandwidth usage                    No periodic updates
Multiple network layer protocol support    IPv4, IPv6 (Protocol Dependent Modules for IPX, AppleTalk)


Open Shortest Path First (OSPF)

Developed in 1988 by the IETF; version 2 is described in RFC 2328.
OSPF was devised for use in large, scalable networks where RIP failed:
  Improved speed of convergence
  Network reachability (no hop-count limitations)
  Support for VLSM
  Improved path calculation


Example: OSPF Multiarea Network


OSPF Characteristics

OSPF Characteristic        Implemented By
Fast convergence           Link-state updates (triggered), SPF calculation
Very good scalability      Multiple-area design
Use of VLSM                Subnet mask in updates
Reduced bandwidth usage    No periodic updates


Integrated IS-IS
Link-state protocol
Supports IPv4, IPv6, and OSI CLNP
Support for VLSM
Based on Level 2 backbone to which Level 1 areas are
attached
Typically deployed in service provider environments, with
enterprise network administrators having limited knowledge
of IS-IS


Border Gateway Protocol (BGP)

BGP is an exterior gateway protocol (EGP) used in Internet routing.
BGP is a path vector protocol with enhancements:
  Suited for strategic routing policies used between autonomous systems
  Allows administrators to adjust parameters to influence routing


BGP Network Implementation

BGP is primarily used for inter-autonomous-system routing.


Internal BGP
BGP can run between routers within one autonomous system.
IBGP neighbors need not be directly connected (use static routes
or an IGP to convey reachability information).
Other IBGP uses:
Intra-autonomous system policy implementations
QoS Policy Propagation on BGP (QPPB)
MPLS VPNs (using multiprotocol IBGP)


Recommended Enterprise Routing Protocol Comparison

Enterprise Characteristics                 EIGRP   OSPF
Fast convergence                           Yes     Yes
Very good scalability                      Yes     Yes
Use of VLSM                                Yes     Yes
Multiple network layer protocol support    Yes     No
Mixed vendor devices                       No      Yes


Summary
Protocols with hierarchical and link-state attributes support the
fastest network convergence.
EIGRP and OSPF are the recommended IGPs for the enterprise.
EIGRP is a Cisco proprietary protocol for routing IPv4, IPv6,
IPX, and AppleTalk traffic.
OSPF is a standardized protocol for routing IPv4, developed to
replace RIP in larger, more diverse media networks. It also can
support IPv6.
BGP is a representative EGP. It is primarily used to
interconnect autonomous systems or to connect enterprises
to an ISP.


Designing a Routing
Protocol Deployment

Designing IP Addressing and Selecting Routing Protocols


Routing Protocols in the Enterprise Architecture


Route Redistribution

Redistribution at routing protocol and domain boundaries occurs on the router.


Route Redistribution Direction

Redistribution of routing protocols (boundary router):
  One-way redistribution in one direction (for example, from enterprise edge to campus core)
  Two-way redistribution in both directions


Route Redistribution in the Enterprise Network

Redistribution:
  From selected building access protocols
  Between campus core and WAN routers
  From static routes to enterprise IGP
  Static routes or BGP routes into enterprise IGP


Route Filtering

Filtering upon redistribution:
  Avoids routing loops
  Avoids suboptimal routing
  Prevents certain routes from entering the routing domain


Route Summarization




Recommended Practice: Summarize at the Distribution Layer
It is important to force summarization at the distribution layer toward the core.
After a link failure, an OSPF or EIGRP reroute is required for return-path traffic.
Summaries limit the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process.
Summaries allow faster reroutes.
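As an added example (not from the course slides), the Python below computes the summary a distribution block would advertise toward the core, shows how a summary hides a single access-subnet failure from the core (the summary stays up while any component remains, so the core processes no withdrawal), and checks the caveat that makes a hierarchical address plan necessary: a summary must not cover prefixes that live elsewhere, or the core would send their traffic to the wrong block. The distribution block, the "elsewhere" prefixes and the `summarize`, `overcoverage` and `core_routes` helpers are constructed for this illustration.

```python
import ipaddress


def summarize(prefixes):
    """Smallest single prefix that covers every network in `prefixes`: the
    summary the distribution switch advertises toward the core."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen by one bit until everything fits
    return summary


def overcoverage(summary, foreign_prefixes):
    """Foreign prefixes (assigned to another block) that fall inside the summary.
    Traffic for them would be attracted to this distribution block and dropped,
    which is why summarization relies on a hierarchical address plan."""
    return [p for p in foreign_prefixes
            if ipaddress.ip_network(p).subnet_of(summary)]


def core_routes(access_prefixes, failed=(), summarized=False):
    """Routes the core holds for this block. Without a summary the core sees
    every access subnet and every withdrawal; with a summary it sees one route
    that stays up as long as at least one component subnet is reachable."""
    alive = [p for p in access_prefixes if p not in failed]
    if not alive:
        return []
    if summarized:
        return [str(summarize(access_prefixes))]
    return alive


# Constructed distribution block: eight access VLAN subnets 10.1.0.0/24 .. 10.1.7.0/24
BLOCK = [f"10.1.{i}.0/24" for i in range(8)]
# Constructed prefixes that belong to other parts of the network
ELSEWHERE = ["10.1.8.0/24", "10.2.0.0/16", "172.16.0.0/16"]

if __name__ == "__main__":
    s = summarize(BLOCK)
    print("summary:", s, "overcovers:", overcoverage(s, ELSEWHERE))
    print("VLAN 3 down, no summary:", core_routes(BLOCK, failed=["10.1.3.0/24"]))
    print("VLAN 3 down, summary:", core_routes(BLOCK, failed=["10.1.3.0/24"], summarized=True))
    # A non-contiguous allocation forces a wider summary that swallows 10.1.8.0/24
    bad = summarize(["10.1.0.0/24", "10.1.9.0/24"])
    print("non-contiguous plan summary:", bad, "overcovers:", overcoverage(bad, ELSEWHERE))
```

The contiguous block summarizes cleanly to 10.1.0.0/21; the deliberately non-contiguous pair 10.1.0.0/24 and 10.1.9.0/24 can only be covered by 10.1.0.0/20, which also covers the foreign 10.1.8.0/24, so that plan would have to be renumbered or left unsummarized.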


Recommended Practice: Passive Interfaces for IGP at Access Layer
Limit unnecessary peering
Without passive interface:
With four VLANs per wiring closet, 12 adjacencies total
Memory and CPU requirements increased with no real benefit
Creates overhead for IGP

Summary
Large networks may implement multiple protocols for different modules of the Cisco Enterprise Architecture.
Advanced routing features such as redistribution, filtering, and summarization allow multiple routing protocols to coexist and provide greater scalability.
Redistribution between different routing protocols passes routing knowledge from one protocol to another.
Route filtering prevents advertisement of certain routes through the routing domain.
Route summarization and an IP hierarchy reduce routing traffic and unnecessary route recomputation.


IP Addressing and Routing Review
Define the IP addressing requirements.
Develop a hierarchical IP addressing plan:
Use private addresses inside the organization.
Use public addresses facing the Internet.
Use NAT or PAT for translation as needed.
Develop a plan for deploying DHCP and DNS.
Use EIGRP or OSPF, based on organizational requirements.
Implement recommended practices, including redistribution, filtering, and summarization.


Module Summary
IP address structure and IP address types have a large impact on the address plan for both IPv4 and IPv6.
EIGRP and OSPF are the recommended IGPs for the enterprise.
Advanced routing features such as redistribution, filtering, and summarization support scalability and multiple routing protocols.


Evaluating Security Solutions for the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Defining Network Security

Evaluating Security Solutions for the Network


Reasons for Network Security
Defend against attacks
Prevent unauthorized access
Prevent data misuse and theft
Comply with security legislation
Comply with industry standards
Comply with company policy


Example: Legislation and Directives
Legislation and industry directives that may affect organizational security include:
GLBA: the Gramm-Leach-Bliley Act
HIPAA: the Health Insurance Portability and Accountability Act
EU Data Protection Directive 95/46/EC
SOX: the Sarbanes-Oxley Act
PCI DSS: the Payment Card Industry Data Security Standard


Threats and Risks


Reconnaissance and Vulnerability Scanning
Determine active targets
Determine running network services
Determine operating system platform
Find trust relationships
Check for proper file permissions
Identify user account information
Port-scanning tools include:
Nmap
SuperScan
NetStumbler
Kismet
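From the defender's side, the reconnaissance described above leaves a recognizable trace: one source touching many distinct destination ports on a host in a short time. The Python below is an added example, not part of the course slides, that runs a simple port-scan detector over constructed firewall deny-log lines. The log format (`<timestamp> DENY src=... dst=... dport=...`), the addresses and the `parse_denies` and `detect_port_scans` helpers are all constructed for the illustration and do not correspond to any particular vendor's log syntax.

```python
import re
from collections import defaultdict

# Constructed firewall deny log lines (not a specific vendor's format):
# "<timestamp> DENY src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2007-03-01T10:00:01 DENY src=10.9.9.9 dst=10.1.1.10 dport=21
2007-03-01T10:00:01 DENY src=10.9.9.9 dst=10.1.1.10 dport=22
2007-03-01T10:00:01 DENY src=10.9.9.9 dst=10.1.1.10 dport=23
2007-03-01T10:00:02 DENY src=10.9.9.9 dst=10.1.1.10 dport=25
2007-03-01T10:00:02 DENY src=10.9.9.9 dst=10.1.1.10 dport=53
2007-03-01T10:00:02 DENY src=10.9.9.9 dst=10.1.1.10 dport=80
2007-03-01T10:00:02 DENY src=10.9.9.9 dst=10.1.1.10 dport=110
2007-03-01T10:00:03 DENY src=10.9.9.9 dst=10.1.1.10 dport=135
2007-03-01T10:00:03 DENY src=10.9.9.9 dst=10.1.1.10 dport=139
2007-03-01T10:00:03 DENY src=10.9.9.9 dst=10.1.1.10 dport=443
2007-03-01T10:00:03 DENY src=10.9.9.9 dst=10.1.1.10 dport=445
2007-03-01T10:00:04 DENY src=10.9.9.9 dst=10.1.1.10 dport=3389
2007-03-01T10:00:05 DENY src=10.1.2.5 dst=10.1.1.10 dport=443
2007-03-01T10:00:06 DENY src=10.1.2.5 dst=10.1.1.10 dport=443
2007-03-01T10:00:07 DENY src=10.1.2.5 dst=10.1.1.10 dport=80
this line is not in the expected format and is skipped
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse_denies(lines):
    """Yield (src, dst, dport) for each well-formed deny line; ignore the rest
    rather than crashing on malformed input."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def detect_port_scans(lines, port_threshold=10):
    """Flag (src, dst, distinct_ports) for pairs that touched at least
    `port_threshold` distinct destination ports. Repeated hits on the same
    port count once, so a busy legitimate client is not mistaken for a scanner."""
    ports = defaultdict(set)
    for src, dst, dport in parse_denies(lines):
        ports[(src, dst)].add(dport)
    return sorted(((src, dst, len(p)) for (src, dst), p in ports.items()
                   if len(p) >= port_threshold), key=lambda t: -t[2])


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports denied")
```

With the default threshold only the host that probed twelve different ports is reported; the client that retried port 443 and then 80 is not, because distinct ports rather than raw hit counts are what the detector measures. A real deployment would additionally bound the count to a time window so that a slow scan spread over hours is still caught without merging unrelated traffic.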


Example: NMAP Screen


Vulnerability Assessment
Active (sending packets) or passive (sniffer)
Published vulnerability information
CERT/CC
MITRE
Microsoft
Cisco security notices

Reconnaissance tools
Nessus
MBSA
SAINT


Gaining System Access
Using knowledge of usernames and passwords
Improper escalation of privilege
Default administrative and service accounts
Gaining access to other systems via trust relationships
Using social engineering
Physical access to information
Psychological approach
Cracking captured passwords


Integrity and Confidentiality Threats


Availability Threats (Denial of Service)


Everything Is a Potential Target
Hosts are the preferred target for worms and viruses.
In the past year, a large number of attacks targeted hosts.
Compromised hosts are often used as attack launch points (botnets).
But there are other high-value alternative targets:
Infrastructure devices: routers, switches
Support services: DHCP servers, DNS servers
Endpoints: management stations, IP phones
Infrastructure: network capacity
Security devices: IDS and IPS

Network Security in the System Lifecycle
Business needs: What does your organization want to do with the network?
Risk analysis: What is the risk and cost balance?
Security policy: What are the policies, standards, and guidelines to address business needs and risk?
Industry recommended practices: What are the reliable, well-understood, and recommended security practices?
Security operations: What is the process for incident response, monitoring, maintenance, and compliance auditing of the system?


What Is a Security Policy?
"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
(RFC 2196, Site Security Handbook)


Why Is a Security Policy Needed?
Sets the framework for the security implementation
Defines organizational assets and the way to use them
Defines and communicates roles
Helps determine necessary tools and procedures
Defines how to identify and handle security incidents
Creates a baseline of the current security posture
Defines allowed and not-allowed system behaviors
Informs users of their responsibilities and ramifications of asset misuse
Provides risk assessment and cost-benefit analysis


Network Security and Risks
Network security can reduce risks to acceptable levels:
Risk assessment defines threats and their probability and severity.
A network security policy enumerates risks relevant to the network and describes how risks will be controlled or managed.
A network security design implements the security policy.
Justify security costs by the potential cost and inconvenience of incidents.

Risk Index Calculation

Risk | Probability (P) (1-3) | Severity (S) (1-3) | Control (C) (1-3) | Risk Index (P * S) / C (9)
1. | | | |
2. | | | |
3. | | | |
4. | | | |


Example: Risk Index Calculation

Risk | Probability (P) (1-3) | Severity (S) (1-3) | Control (C) (1-3) | Risk Index (P * S) / C (9)
1. Breach of confidentiality of customer database | | | | 1.5
2. DDoS attack sustained for more than 1 hour against e-commerce server | | | |
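The risk index formula from the two slides above, carried through in Python as an added example that is not part of the course material. The code validates that each factor is on the slide's 1-3 scale, ranks a register of risks so the highest index surfaces first, and answers the design question the formula is meant to support: how strong a control is needed to bring a given risk under a target index. The register, its P/S/C ratings (row 1 uses one of the combinations that reproduces the slide's 1.5; the slide itself does not give the factors) and the `risk_index`, `rank_risks` and `control_needed` helpers are constructed for this illustration.

```python
SCALE = (1, 2, 3)  # each factor is rated 1 (low) to 3 (high) on the slide


def risk_index(probability, severity, control):
    """Risk index = (P * S) / C. Probability and severity raise the index;
    a stronger existing control divides it down."""
    for name, value in (("probability", probability), ("severity", severity),
                        ("control", control)):
        if value not in SCALE:
            raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")
    return probability * severity / control


def rank_risks(register):
    """Score a register of (name, P, S, C) rows and order it so the highest
    index, i.e. the first candidate for new controls, comes first."""
    scored = [(name, risk_index(p, s, c)) for name, p, s, c in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def control_needed(probability, severity, target):
    """Smallest control rating that brings the index down to `target` or
    below, or None if even the strongest control (3) is not enough and the
    probability or severity itself has to be reduced."""
    for c in SCALE:
        if risk_index(probability, severity, c) <= target:
            return c
    return None


# Constructed register; the P/S/C values are illustrative, not from the slide.
REGISTER = [
    ("Breach of confidentiality of customer database", 1, 3, 2),
    ("DDoS attack sustained for more than 1 hour against e-commerce server", 3, 2, 2),
    ("Lab switch misconfiguration", 2, 1, 3),
]

if __name__ == "__main__":
    for name, index in rank_risks(REGISTER):
        print(f"{index:4.2f}  {name}")
    print("control needed for P=3, S=3, target 3:", control_needed(3, 3, 3))
    print("control needed for P=3, S=3, target 2:", control_needed(3, 3, 2))
```

Because the strongest control only divides by 3, a risk rated 3 for both probability and severity cannot be brought below an index of 3 by controls alone; `control_needed` returns None in that case, which is the signal to change the exposure rather than add another safeguard.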


Components of a Security Policy


Network Security Is a Continuous Process
Secure
Identity and authentication
Filtering and stateful inspection
Encryption and VPNs

Monitor
Intrusion detection and response
Content-based detection and response

Test
Security posture assessment
Vulnerability scanning
Patch verification and application auditing

Improve
Event and data analysis and reporting
Network security intelligence


Integrate Security Design and Network Design
Security services can reside inside network infrastructure.
Security design coupled with network design is far more manageable.
Recommended practice: Integrate security and network design.
Integrated security and network design requires coordination.


Summary
Security services must provide adequate protection to conduct business in a relatively open environment.
There are many types of security threats and associated risks.
Each device on the network, such as a host, router, or switch, is a potential security target.
Network security is part of the system life cycle.
Network security is a continuous process built around a security policy.
Security design and network design should be integrated.


Understanding the Cisco Self-Defending Network

Evaluating Security Solutions for the Network


Cisco Self-Defending Network
Efficient security management, control, and response
Advanced technologies and security services to:
Protect critical assets
Mitigate the effects of outbreaks
Ensure privacy
Network as Platform

Network as Platform for Security

Cisco Integrated Services Routers
Integrate Cisco IOS Firewall, VPN, and intrusion prevention system (IPS) services across the Cisco router portfolio
Deploy new security features on existing routers using Cisco IOS Software
Cisco NAC-enabled

Cisco Adaptive Security Appliances
High-performance firewall, IPS, network antivirus, and IPsec/SSL VPN technologies all in one unified architecture
Device consolidation to reduce overall deployment and operations costs and complexities

Cisco Catalyst Switches
Denial-of-service (DoS) attack mitigation
Cisco NAC-enabled
Integrated security service modules for high-performance threat protection and secure connectivity
Man-in-the-middle attack mitigation


Self-Defending Network Phases


Trust and Identity Management


Trust Is the Root of Security
Trust is a relationship in which two (or more) network entities are allowed to communicate.
Trust forms the root of all security policy decisions.
Trust and risk are opposites; security is based on enforcing limitations to trust relationships.
Trust relationships:
Can be explicit or implied
Can be inherited
Can be abused



Domains of Trust
Question: From a security design perspective, what is the key difference between Case 1 and Case 2?
Answer: Case 2 is more segmented into domains of trust.

Example: Domains of Trust

Domains | Gradient | Safeguards Needed
Private to Public | Extreme (high risk) | Advanced firewalling, flow-based inspection, misuse detection (IPS), constant monitoring
Production to Lab | Minor (low risk) | Basic access control, casual monitoring
Headquarters to Branch | Steep (considerable risk) | Communication security, authentication, confidentiality, integrity concerns


Identity
Identity is the who of a trust relationship. The identity of a network entity is verified by credentials.
Both people and devices can be authenticated.
Three authentication attributes:
Something you know
Something you have
Something you are
Common approaches to identity:
Passwords
Tokens
Certificates


Passwords
Correlates an authorized user with network resources


Tokens
Strong (two-factor) authentication based on something you know and something you have


Access Control in Networks
Confidentiality and integrity are traditionally supported through access control.
Access control enforces rules about which entities can access which resources.
Network access control is based on:
Authentication, which establishes the identity of the subject
Authorization, which defines what a subject can do in a network
Audit trails and real-time monitoring provide accounting and security auditing information.


Example: Trust and Identity Management Technologies
Access control lists (ACLs)
Firewalls
Stateful inspection
Application inspection
Network Admission Control (NAC)
NAC Framework
Cisco NAC Appliance
IEEE 802.1X
Cisco IBNS


Firewall Filtering Using ACLs
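The slide above is a diagram; as an added example that is not part of the course material, the Python below models how a router evaluates an extended ACL so the two properties that matter for security design are visible: entries are checked in order and the first match wins, and any packet that matches no entry falls through to the implicit deny. The parser accepts a small Cisco-like subset (`permit|deny <proto> <src> <dst> [eq <port>]`, with `any`, `host A.B.C.D` or `A.B.C.D wildcard` address specs); the ACL, the packets and the `parse_ace`, `build_acl` and `evaluate` helpers are constructed for the illustration and are not Cisco IOS code.

```python
import ipaddress

# Constructed extended ACL in Cisco-style syntax. Entries are evaluated top
# down; the first match decides, and anything left over hits the implicit deny.
SAMPLE_ACL = """\
permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 eq 443
permit udp any host 10.2.0.53 eq 53
deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
"""


def _address_matcher(tokens, i):
    """Consume one address spec at tokens[i] ('any', 'host A.B.C.D' or
    'A.B.C.D wildcard'); return (predicate, index of the next token)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip: int(ipaddress.IPv4Address(ip)) == target), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = 0xFFFFFFFF ^ wildcard   # a wildcard bit of 1 means "don't care"
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) & care) == (base & care)), i + 2


def parse_ace(line):
    """Parse one access control entry into action, protocol, matchers and port."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _address_matcher(tokens, 2)
    dst, i = _address_matcher(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "text": line}


def build_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching entry text). Like the router, stop at the
    first matching entry and deny anything that no entry permits."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):        # 'ip' matches every protocol
            continue
        if not (ace["src"](src) and ace["dst"](dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = build_acl(SAMPLE_ACL)
    for pkt in [("tcp", "10.1.5.5", "10.2.0.10", 443), ("tcp", "10.1.5.5", "10.2.0.10", 22),
                ("udp", "10.5.5.5", "10.2.0.53", 53), ("tcp", "10.3.1.1", "10.2.0.10", 443),
                ("tcp", "10.1.5.5", "10.3.3.3", 22)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The HTTPS packet from 10.1.5.5 to 10.2.0.10 is permitted by the first entry even though the third entry would deny it, while SSH from the same host to the same server is stopped by that third entry; a source outside 10.1.0.0/16 matches nothing and is dropped by the implicit deny, which is what makes "deploy ACLs based on policy" safe by default.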


NAC Framework and Appliance
Two approaches for Network Admission Control (NAC):

NAC Framework | Cisco NAC Appliance
Sold through NAC-enabled products | Sold as virtual or integrated appliance
Integrated solution leveraging Cisco network and vendor products | Self-contained product; integrates but does not rely on partners

NAC Infrastructure
Offers customers a deployment time-frame choice
Adapts to investment protection requirements of customer


802.1X Protocol


Identity and Access Control Deployment Locations
Authenticate at edge.
Deploy ACLs based on policy.
Practice defense in depth.


Threat Defense
Enhances security in the existing network infrastructure
Protects businesses from operation disruption, lost revenue,
and loss of reputation.
Adds comprehensive security on network endpoints
Cisco Security Agent provides endpoint protection.
Adds dedicated security technologies to networking devices and
appliances
Security technologies are implemented throughout the
network.

Physical Security

Physical Security Guidelines


Deploy adequate physical access control.
Evaluate whether physical access can compromise other security
features.
Identify additional security issues resulting from device theft.
Protect communications over infrastructure out of your control
using cryptography.

Infrastructure Protection
The measures taken to preserve the integrity
and availability of the network infrastructure as
a transport and service entity
Goals:
That the network devices are not accessed or altered in
an unauthorized manner
That the end-to-end network transport and any integrated
services remain available
Policy enforcement technologies can directly help preserve the integrity
and availability of the network.

Infrastructure Protection Deployment Locations

Deploy on all network infrastructure devices
Different mechanisms are used on different platforms,
but typically there are equivalent functions available.
More advanced mechanisms are available mainly on
higher-end platforms.
Implement throughout the network

Recommended Practices for Infrastructure Protection

Use SSH to access devices.
Enable AAA and role-based access control for access to all
network devices.
Collect and archive syslog information.
Use SNMPv3.
Disable unused services.
Use SFTP (SSH FTP) or SCP and avoid FTP and TFTP.
Install vty access lists to limit access to management and CLI
services.
Enable control plane protocol authentication.
Consider one-step lockdown in SDM for basic router security.
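The practices above can be checked mechanically against a saved running-config. The Python script below is an added example, not course material or a Cisco tool; both configurations in it are constructed, and the OSPF check is only one of the control-plane protocols a full audit would cover.

```python
"""Check a Cisco IOS running-config against the infrastructure-protection
practices above. Added example, not course material; both sample
configurations are constructed for illustration."""
import re

# Constructed sample: a branch router with several weak settings.
WEAK_CONFIG = """\
hostname branch-rtr1
ip http server
service tcp-small-servers
snmp-server community public RO
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same router after the recommended practices are applied.
HARDENED_CONFIG = """\
hostname branch-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
no ip http server
no service tcp-small-servers
ip ssh version 2
ip scp server enable
logging host 10.1.1.50
snmp-server group netops v3 priv
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
router ospf 10
 area 0 authentication message-digest
 network 10.0.0.0 0.255.255.255 area 0
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Services the "disable unused services" practice targets; each one present
# in enabled form is reported.
UNUSED_SERVICES = ("ip http server", "service tcp-small-servers",
                   "service udp-small-servers", "ip finger", "ip bootp server")


def parse_blocks(config):
    """Return {top-level line: [indented child lines]} for an IOS config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks, findings = parse_blocks(config), []
    top = list(blocks)
    # Use SSH (version 2 only) and vty access lists for management access.
    if "ip ssh version 2" not in top:
        findings.append("ssh: 'ip ssh version 2' not configured")
    for stanza, children in blocks.items():
        if not stanza.startswith("line vty"):
            continue
        transports = [c.split()[2:] for c in children if c.startswith("transport input")]
        if not transports or any(t not in (["ssh"], ["none"]) for t in transports):
            findings.append(f"vty: '{stanza}' permits a non-SSH transport")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"vty: '{stanza}' has no access-class")
    # Enable AAA for access to the device.
    if "aaa new-model" not in top:
        findings.append("aaa: 'aaa new-model' missing")
    # Collect syslog centrally ('logging host X' or the legacy 'logging X').
    if not any(re.match(r"logging (host )?\d", t) for t in top):
        findings.append("syslog: no remote logging host configured")
    # Use SNMPv3; any v1/v2c community string is a finding.
    if any(t.startswith("snmp-server community") for t in top):
        findings.append("snmp: v1/v2c community string present; use SNMPv3")
    # Disable unused services; prefer SCP/SFTP over TFTP for file transfer.
    findings += [f"services: '{svc}' enabled" for svc in UNUSED_SERVICES if svc in top]
    if any(t.startswith("tftp-server") for t in top):
        findings.append("transfer: TFTP server enabled; use SCP or SFTP")
    # Control-plane protocol authentication: OSPF is checked here, either as
    # an area-wide setting or per interface ('ip ospf authentication ...').
    ospf_auth = any("authentication message-digest" in c
                    for s, cs in blocks.items()
                    if s.startswith(("router ospf", "interface")) for c in cs)
    if any(t.startswith("router ospf") for t in top) and not ospf_auth:
        findings.append("control plane: OSPF runs without MD5 authentication")
    return findings
```

Running audit(WEAK_CONFIG) reports nine findings, one per violated practice; audit(HARDENED_CONFIG) reports none.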

Threat Detection and Mitigation


Provide early detection and notification of unpredicted malicious
traffic or behavior.
Goals:
To detect, notify of, and help stop an event or traffic that is
unauthorized and unpredicted
To help preserve the availability of the network, particularly
against unknown or unforeseen attacks
Technologies include:
Endpoint protection
Infection containment
Intrusion and anomaly detection
Application security and anti-X defense

Example: Threat Detection and Mitigation


Technologies
Network-based intrusion prevention systems (NIPS)
Adaptive security appliance (ASA)
IPS sensor appliance
Cisco IOS IPS
Host-based intrusion prevention systems (HIPS)
Cisco Security Agent
NetFlow
Syslog
Event correlation systems
Cisco Security Monitoring, Analysis, and Response System
(MARS)
Cisco Traffic Anomaly Detector Module

Threat Detection and Mitigation Solutions Deployment Locations

Secure Connectivity

Encryption Fundamentals
A method of protecting the confidentiality of data
Uses keys to encrypt the data and decrypt it at a later time

Encryption Keys
Shared secrets:
Secret key is carried out of band to the remote side.
Easiest mechanism, but it has inherent security concerns.

Public key infrastructure (PKI):


Uses asymmetric cryptography in which the encryption key is
different from the decryption key
Lets you publish the encryption key, while keeping the decryption
key secret
Widely used in e-commerce sites around the world

VPN Protocols
IPsec (IP security)
Built directly on the IP layer (Protocol 50)
Uses IKE and ESP
Requires IPsec software on endpoints

SSL (Secure Sockets Layer)


Built on top of the TCP layer (port 443)
Provides confidentiality for web traffic (HTTPS)
All major browsers can use SSL

Transmission Confidentiality

Transmission Confidentiality Guidelines


Evaluate the location for transmission confidentiality needs.
Use the strongest available cryptography, performance permitting.
Use well-known and established cryptographic algorithms.
Do not focus on confidentiality alone; integrity and authenticity are
also important.

Data Integrity

Data Integrity Guidelines


Evaluate the need for transmission integrity.
Use the strongest available cryptography, performance permitting.
Use well-known and established cryptographic algorithms.
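The transmission confidentiality and data integrity guidelines above both warn against confidentiality without integrity and authenticity. The Python example below (added here, not course material) shows why: a constructed stream cipher, HMAC-SHA256 used as a counter-mode keystream for illustration only, lets a one-bit change in transit pass through an encrypt-only channel as a cleanly decrypted but altered message, while the encrypt-then-MAC wrapper rejects it.

```python
"""Why confidentiality alone is not enough: an encrypt-only channel hands the
receiver a cleanly decrypted but altered message after one ciphertext bit
changes in transit, while encrypt-then-MAC rejects it. Added example, not
course material; the cipher is a constructed HMAC-SHA256 counter-mode
keystream used for illustration only, not a production algorithm."""
import hashlib
import hmac

# Constructed demo key and nonce. A real protocol derives keys from IKE or
# the TLS handshake and never reuses a nonce under the same key.
MASTER_KEY = hashlib.sha256(b"constructed demo key").digest()
NONCE = bytes(12)
TAG_LEN = 32


def keystream(key, nonce, length):
    """Keystream bytes from HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, nonce, data):
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def derive_keys(master):
    """Separate keys for encryption and for the MAC."""
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())


def seal(master, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    enc_key, mac_key = derive_keys(master)
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(master, message):
    """Verify the tag in constant time before decrypting; None on failure."""
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = message[:12], message[12:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, nonce, ct)


def corrupt(data, index, bit):
    """Model a one-bit change to byte `index` while the message is in transit."""
    b = bytearray(data)
    b[index] ^= 1 << bit
    return bytes(b)


def receive_encrypt_only(master, nonce, plaintext, index, bit):
    """Encrypt-only channel: the altered ciphertext decrypts without complaint."""
    ct = encrypt(master, nonce, plaintext)
    return decrypt(master, nonce, corrupt(ct, index, bit))


def receive_encrypt_then_mac(master, nonce, plaintext, index, bit):
    """Authenticated channel: the same change fails verification (None)."""
    msg = seal(master, nonce, plaintext)
    return open_sealed(master, corrupt(msg, 12 + index, bit))
```

With plaintext b"vlan=10", flipping bit 3 of byte 5 turns the received message into b"vlan=90" on the encrypt-only channel, while the authenticated channel returns None.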

Security Management Overview


Security management does the following:
Collects, analyzes, and presents data
Provisions policies on security devices
Maintains consistency and change control of policies
Provides role-based access control and accounts for all user
activity
Security implementation is only as good as the policies used.
Biggest risk to security in a properly planned architecture is policy
error.

Security Management Solutions


Cisco Router and Security Device Manager (SDM)
Cisco Adaptive Security Device Manager (ASDM)
Cisco Intrusion Prevention System Device Manager (IDM)
Management Center for Cisco Security Agents
Cisco Secure Access Control Server (ACS)
Cisco Security Manager
Cisco Security Monitoring, Analysis, and
Response System (Cisco Security MARS)

Summary
The Cisco Self-Defending Network integrates security into the
network to provide the network the ability to identify, prevent, and
adapt to threats.
Trust and identity management provide secure network access
and admission at any point in the network and isolate and control
infected or unpatched devices that attempt to access the network.
Threat defense provides a strong defense against known and
unknown attacks using security integrated in routers, switches,
and appliances.
Secure connectivity uses encryption and authentication to provide
secure transport across untrusted networks.
Security management is a framework for scalable policy
administration and enforcement.

Selecting Network
Security Solutions

Evaluating Security Solutions for the Network

Network Devices Supporting Integrated Security

Cisco IOS router security
PIX security appliance
Adaptive security appliance (ASA)
VPN concentrator
Intrusion prevention system
Catalyst service modules
Endpoint security

Integrated Security for Cisco IOS Routers

Cisco IOS Firewall
Stateful multiservice application-based filtering
Cisco IOS IPS
In-line deep-packet inspection
Cisco IOS IPsec
Data encryption at the IP packet level
Cisco IOS trust and identity
AAA
PKI
SSH
SSL

Example: Security Hardware Options for ISRs

Built-in VPN acceleration
Voice security options
High-performance AIM
Cisco IDS Network Module
Cisco Content Engine Module
Cisco Network Analysis Module

Security Appliances
VPN concentrator
IPsec and SSL VPN support
PIX security appliance
Rich application and protocol inspection
Integrated site-to-site and remote access VPNs
ASA, a multifunction security appliance
Stateful firewall of PIX appliance, plus
Adaptive threat defense capabilities
Application security
Anti-X defenses
IPS
Advanced integration modules

Intrusion Prevention Systems


In-line (IPS) or passive (IDS)
Multivector threat identification
Network speeds from multiple T1s to 1 Gbps
IPS 4215 sensor protects up to 65 Mbps of traffic
IPS 4240 sensor protects up to 250 Mbps of traffic
IPS 4255 sensor protects up to 500 Mbps of traffic
IPS 4260 sensor protects up to 1 Gbps of traffic

Cisco Catalyst Service Modules


Cisco Firewall Services Module
Cisco Intrusion Detection System Services Module
Cisco SSL Services Module
Cisco IPsec VPN SPA
Cisco Traffic Anomaly Detector Module
Cisco Anomaly Guard Module
Cisco Network Analysis Module

Cisco Security Agent


Spyware and adware protection
Protection against buffer overflows
Distributed firewall capabilities
Malicious mobile code protection
Operating-system integrity assurance
Application inventory
Audit log consolidation

Securing the Enterprise Network


Embed Self-Defending Network features throughout the
network in:
The enterprise campus
The enterprise data center
The enterprise edge
Use Self-Defending Network technologies, including:
Identity and access control
Threat defense
Infrastructure protection
Security management

Deploying Security in the Enterprise Campus: Identity and Access Control

802.1X or NAC
NAC appliance
ACLs
Firewall
Stateful inspection
Application inspection

Deploying Security in the Enterprise Campus: Threat Detection and Mitigation

NetFlow
Syslog
SNMP
Host IPS (Cisco Security Agent)
Network IPS
Cisco Security MARS, Cisco Security Manager

Deploying Security in the Enterprise Campus: Infrastructure Protection

AAA
SSH
SNMPv3
IGP or EGP Message Digest 5
Layer 2 security features

Deploying Security in the Enterprise Campus: Summary

Identity and access control: 802.1X, NAC, ACLs, firewalls
Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
Infrastructure protection: AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
Security management: Cisco Security Manager, Cisco Security MARS

Deploying Security in the Enterprise Data Center: Identity and Access Control

802.1X
ACLs
Firewalls

Deploying Security in the Enterprise Data Center: Threat Detection and Mitigation

NetFlow
Syslog
SNMP
Host IPS (Cisco Security Agent)
Network IPS
Cisco Security MARS, Cisco Security Manager

Deploying Security in the Enterprise Data Center: Infrastructure Protection

AAA
SNMPv3
SSH
IGP or EGP MD5
Layer 2 security features

Deploying Security in the Enterprise Data Center: Summary

Identity and access control: 802.1X, ACLs, firewalls
Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
Infrastructure protection: AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
Security management: Cisco Security Manager, Cisco Security MARS

Deploying Security in the Enterprise Edge: Identity and Access Control

ACLs
Firewall
IPsec or SSL VPN
NAC appliance

Deploying Security in the Enterprise Edge: Threat Detection and Mitigation

NetFlow
Syslog
SNMP
IPS (host or network)
Cisco Security MARS, Cisco Security Manager

Deploying Security in the Enterprise Edge: Infrastructure Protection

SNMPv3
AAA
SSH
IGP or EGP MD5

Deploying Security in the Enterprise Edge: Summary

Identity and access control: Firewalls, IPsec, SSL VPN, ACLs
Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
Infrastructure protection: AAA, CoPP, SSH, RFC 2827, SNMPv3, IGP/EGP MD5
Security management: Cisco Security Manager, Cisco Security MARS

Summary
Cisco has integrated security features into the network devices,
including ACLs, firewall support, VPNs, IPS, and event logging.
The Cisco Self-Defending Network elements and Cisco network
devices with integrated security are deployed throughout the
enterprise network.

Security Design Review


Define the security requirements.
Define the security policy.
Integrate security in the network design:
Implement trust and identity management to secure network
access and admission.
Deploy threat defense to provide a defense against known
and unknown attacks.
Use secure connectivity for encryption and authentication
on untrusted networks.
Deploy security management to scale policy administration
and enforcement.
Select locations to deploy appropriate Cisco Self-Defending
Network elements and Cisco network devices.

Module Summary
Network security is a continuous process built around a security
policy and integrated with network design.
The Cisco Self-Defending Network is based on a secure network
platform and uses trust and identity management, threat defense,
and secure connectivity to integrate security into the network.
Cisco Self-Defending Network elements and Cisco network
devices with integrated security are deployed throughout the
enterprise network.

Identifying Voice
Networking
Considerations

Designing for Cisco Internetwork Solutions (DESGN) v2.0

Reviewing Traditional
Voice Architectures
and Features

Identifying Voice Networking Considerations

Analog-to-Digital Conversion

Steps for converting an analog signal to digital format:

Filtering
Sampling
Digitizing
Quantization and coding
Companding (a-law, mu-law)
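The conversion steps above, worked through in Python for a telephony channel (added example, not course material; the tone parameters are constructed): aliasing shows why filtering precedes sampling, a tone is sampled at 8 kHz and quantized to 16-bit PCM, and each sample is companded to an 8-bit G.711 mu-law code, which gives the 64-kbps channel rate used by PBXs and PSTN switches.

```python
"""Analog-to-digital conversion for a telephony channel: band-limit (the
filtering step, shown by what aliasing does without it), sample at 8 kHz,
quantize to 16-bit linear PCM, then compand each sample to an 8-bit G.711
mu-law code. Added example, not course material; the tone parameters are
constructed."""
import math

SAMPLE_RATE = 8000       # G.711 samples the 300-3400 Hz voice band 8000 times/s
BIAS, CLIP = 0x84, 8159  # G.711 mu-law constants (14-bit magnitude domain)
SEG_END = (0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, 0xFFF, 0x1FFF)


def alias_frequency(freq_hz, rate=SAMPLE_RATE):
    """Frequency a tone appears at after sampling. Tones above rate/2 fold
    back into the band, which is why a low-pass filter precedes sampling."""
    f = freq_hz % rate
    return min(f, rate - f)


def sample_tone(freq_hz, amplitude, n_samples, rate=SAMPLE_RATE):
    """Sampling plus 16-bit quantization of one (already band-limited) tone."""
    return [round(amplitude * math.sin(2 * math.pi * freq_hz * i / rate))
            for i in range(n_samples)]


def linear_to_ulaw(pcm16):
    """Compand one 16-bit linear sample to an 8-bit mu-law code (G.711)."""
    pcm, mask = pcm16 >> 2, 0xFF            # work in the 14-bit magnitude domain
    if pcm < 0:
        pcm, mask = -pcm, 0x7F
    pcm = min(pcm, CLIP) + (BIAS >> 2)
    seg = next((i for i, end in enumerate(SEG_END) if pcm <= end), 8)
    if seg >= 8:
        return 0x7F ^ mask
    return ((seg << 4) | ((pcm >> (seg + 1)) & 0x0F)) ^ mask


def ulaw_to_linear(code):
    """Expand an 8-bit mu-law code back to a 16-bit linear sample."""
    u = ~code & 0xFF
    t = (((u & 0x0F) << 3) + BIAS) << ((u & 0x70) >> 4)
    return BIAS - t if u & 0x80 else t - BIAS


def encode_frame(samples):
    """One mu-law byte per sample: the payload carried on a 64-kbps channel."""
    return bytes(linear_to_ulaw(s) for s in samples)


def decode_frame(frame):
    return [ulaw_to_linear(c) for c in frame]


def max_error(samples):
    """Largest reconstruction error after a compand/expand round trip. The
    logarithmic steps keep this small for quiet signals and let it grow for
    loud ones, so the signal-to-noise ratio stays roughly constant."""
    return max(abs(s - r) for s, r in zip(samples, decode_frame(encode_frame(samples))))


def channel_bitrate(rate=SAMPLE_RATE, bits_per_sample=8):
    """8000 samples/s x 8 bits = the 64-kbps circuit a PBX or PSTN switch uses."""
    return rate * bits_per_sample
```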

PBXs and Switches

PBX:
Used in private sector
Scales to n * 1000 phones
Mostly digital
Uses 64-kbps circuits
Uses proprietary protocols to control phones
Interconnects remote branch subsystems and telephones

PSTN switch:
Used in public sector
Scales to n * 100,000 phones
Mostly digital
Uses 64-kbps circuits
Uses open-standard protocols between switches and phones
Interconnects with other PSTN switches, PBXs, and telephones


Example: PBXs and PSTN Switches


PBX Features

PBX features:
Call holding

Conferencing

Transferring

Music on hold

Forwarding

Call history

Parking

Voice mail

PBX can connect to PSTN through T1 or E1



PSTN Switch


Local Loops, Trunks, and Interoffice Communications


Foreign Exchange Trunks


Foreign Exchange Office (FXO):
Emulates a phone
Connects to a station port of a PBX or to the PSTN switch

Foreign Exchange Station (FXS):
Emulates a PBX
Provides connections for standard phones and fax machines


Basic Telephony Signaling


Local-loop signaling:
Telephone to switch

Trunk signaling:
Switch to switch
PBX to switch
PBX to PBX

Basic categories:
Supervision signaling
Address signaling
Informational signaling


Analog Signaling on a PBX


Local-loop signaling:
Loop start:
The simplest
For subscriber loops
Occurrences of glare
Ground start:
Modification of loop start
More intelligent
For PBX loops
Minimizes glare

Trunk signaling:
E&M (recEive and transMit):
Between PBXs
Five types of signaling
Separate paths for voice and signaling


CAS and CCS Signaling


Channel associated signaling:
Signal for call setup in the same channel as a voice call
Examples:
T1 or E1 signaling
DTMF

Common channel signaling:
Messages for call setup
Examples:
ISDN
DPNSS
QSIG
SS7


ISDN Digital Signaling


Channel   Capacity     Mostly Used For
B         64 kbps      Circuit-switched data
D         16/64 kbps   Signaling information


Q Signaling
Standards-based protocol for inter-PBX communications
Enables interconnection of multivendor equipment
Enables basic services and feature transparency between PBXs
Is interoperable with public and private ISDNs
Does not impose any restrictions on private numbering plans


SS7 Signaling

Used between PSTN switches


Signaling implemented on a separate data network
Trunk channels used solely for voice transmission
Replaces per-trunk in-band signaling


PSTN Numbering Plans


Set of rules for routing voice calls through the PSTN
Based on the ITU-T recommendation E.164
Example: North American Numbering Plan (NANP)


Example Country Codes


Country Zone Code   Country                  Country Zone Code   Country
1                   Canada, United States    51                  Peru
1242                Bahamas                  52                  Mexico
1787                Puerto Rico              61                  Australia
1876                Jamaica                  63                  Philippines
20                  Egypt                    679                 Fiji Islands
212                 Morocco                  7                   Kazakhstan, Russia
213                 Nigeria                  81                  Japan
30                  Greece                   86                  China
34                  Spain                    886                 Taiwan
386                 Slovenia                 91                  India
44                  United Kingdom           966                 Saudi Arabia
45                  Denmark                  995                 Georgia


Example: Routing Calls Based on a Numbering Plan


Portion of UK National Numbering Plan


Number Range          Description
(01xxx) xxx xxx       Trunk prefix (national long-distance calling prefix)
(01xxx) xxx xxx       Geographic numbering options: area code and subscriber number
(01x1) xxx xxxxx
(011x) xxx xxxxx
(02x) xxxx xxxx
(01xxx[x]) xxxx[x]
(05x) xxxx xxxx       Mobile phones, pagers, and personal numbering
(07xxx) xxxxxx        Reserved for corporate numbering
(0800) xxx xxx        Freephone (except for mobile phone)
(0800) xxx xxxx
(0808) xxx xxxx
999                   Free emergency number
112
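How a switch or PBX routes a call based on a numbering plan, as an added example that is not part of the course material. It normalizes what the user dialed into an E.164 digit string and then picks the route by longest-prefix match, which is what makes a more specific prefix such as 1876 (Jamaica) win over 1 (Canada, United States). The country zone codes are a subset of the Example Country Codes slide and the emergency numbers are the 999/112 from the UK plan above; the route names, the NANP-style access prefixes (011 for international, 1 for national long-distance) and the home country are assumptions made for the example.

```python
"""Added example, not from the DESGN course material: routing a dialed number
through a numbering plan by longest-prefix match."""

COUNTRY_CODES = {                      # subset of the "Example Country Codes" slide
    "1": "Canada, United States", "1242": "Bahamas", "1787": "Puerto Rico",
    "1876": "Jamaica", "20": "Egypt", "44": "United Kingdom", "45": "Denmark",
    "51": "Peru", "52": "Mexico", "61": "Australia", "81": "Japan",
    "86": "China", "886": "Taiwan", "91": "India", "966": "Saudi Arabia",
}

EMERGENCY = {"999", "112"}             # UK slide: free emergency numbers

ROUTES = {                             # constructed: E.164 prefix -> outgoing trunk
    "1": "nanp-gw",
    "1876": "caribbean-gw",
    "44": "uk-gw",
    "44800": "uk-freephone-gw",
}


def normalize(dialed, home_cc="1", intl_prefix="011", trunk_prefix="1"):
    """Map what the user dialed onto an E.164 digit string without the '+'.
    Assumes a NANP-style site: 011 + number is international, 1 + number is
    national long-distance, anything else is a number in the home country."""
    digits = "".join(ch for ch in dialed if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith(intl_prefix):
        return digits[len(intl_prefix):]
    if digits.startswith(trunk_prefix):
        return home_cc + digits[len(trunk_prefix):]
    return home_cc + digits


def longest_prefix(number, table):
    """Longest key of `table` that prefixes `number`, or '' if none matches."""
    best = ""
    for prefix in table:
        if number.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return best


def country_of(number):
    """Country zone for an E.164 digit string, per the slide's table."""
    return COUNTRY_CODES.get(longest_prefix(number, COUNTRY_CODES), "unknown")


def route(dialed):
    """Return (trunk, e164_number).  Emergency numbers are matched on the raw
    dialed digits before any normalization; destinations with no route are denied
    rather than sent to a default trunk."""
    raw = "".join(ch for ch in dialed if ch.isdigit())
    if raw in EMERGENCY:
        return "emergency", raw
    number = normalize(dialed)
    prefix = longest_prefix(number, ROUTES)
    return (ROUTES[prefix] if prefix else "deny"), number


if __name__ == "__main__":
    for dialed in ("+1 876 555 0100", "011 44 800 123 456", "555-0100", "999"):
        print(dialed, "->", route(dialed), country_of(route(dialed)[1]))
```

The explicit deny for unmatched prefixes is deliberate: a route table with a catch-all trunk sends every unrecognized international number out the most expensive path, so the safer default is to reject and log.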


Summary
A telephone system transports analog speech over a digital
network.
PBXs and public telephone switches share many similarities,
but they also have differences.
The telephone infrastructure includes local loops and trunks.
In a telephony system, a signaling mechanism is required to
establish and disconnect telephone communications.
Each telephone must have a unique address based on the
E.164 standard.


Identifying Design Considerations for Voice Services

Identifying Voice Networking Considerations


Separate Voice and Data Networks

Companies want to reduce WAN costs by integration.
Data is the primary traffic on many voice networks.
PSTN architecture is not flexible enough.
PSTN cannot integrate voice, data, and video.


Example: Voice over IP


Example: IP Telephony


Introducing H.323
ITU-T standard
Describes packet-based video, audio, and data communication
across packet-based networks
Provides session setup, monitoring, and termination
Refers to a set of other standards:
H.225 (Q.931): Call signaling
H.245: Capability negotiation and media stream management


H.323 Components


Example: H.323 Components and Their Interactions


The Importance of a Gatekeeper


IP Telephony Components


Design Goals of IP Telephony


To use end-to-end IP telephony between sites with IP connectivity
To make IP telephony widely usable
To lower long-distance costs
To make IP telephony cost-effective
To provide high availability of IP telephony
To offer lower total cost of ownership and greater flexibility
To enable new applications on top of IP telephony via third-party
software
To improve remote worker, agent, and work-at-home staff
productivity
To facilitate data and telephony network consolidation


Single-Site IP Telephony Design


Multisite WAN with Centralized Call Processing Design


Multisite WAN with Distributed Call Processing Design


Call Control and Transport Protocols


Voice call control functions:
Q.931 call setup signaling
H.245 call capability control
RAS signaling
RTP Control Protocol (RTCP)
Voice conversation:
Real-Time Transport Protocol (RTP)


SCCP Control
SCCP is a client-server protocol.
SCCP clients register with Cisco Unified CallManager to receive
their configuration information.
Media connections between SCCP clients use RTP.


SIP Control
SIP is a peer-to-peer protocol.
SIP user agents communicate with a SIP proxy server.
SIP phones can register with Cisco Unified CallManager.


MGCP Control
MGCP is a client-server protocol.
MGCP gateway translates between endpoints and IP phones.
Call agents control MGCP endpoints.


Summary
Business needs are driving demand for unified voice and data networks that do not run on the PSTN.
The H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet.
IP telephony refers to communication services and voice, facsimile, and voice-messaging applications that are transported via the IP network rather than the PSTN.
Voice communication over IP relies on control protocols such as H.323, SCCP, SIP, and MGCP.


Identifying the Requirements of Voice Technologies

Identifying Voice Networking Considerations


Voice Quality Considerations


Examine the possible causes of packet loss
and delay in the initial design.
Use QoS mechanisms as a groundwork
for a high-quality voice network.


Fixed Network Delay Considerations


Sources of delay                                      Solutions
Propagation delay: 6 ms per km                        None
Serialization delay: frame length / bit rate          Faster link, smaller packets
Processing delay: depends on codec                    Hardware DSPs, coding algorithm
  (coding and compression, packetization)


Variable Network Delay Considerations


Sources of delay                                      Solutions
Queuing delay (variable packet sizes                  Link fragmentation and interleaving
and number of packets)                                Dejitter buffers
                                                      Constant delay, uncongested network
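The two delay tables above, worked as a design calculation. This is an added example and not part of the course material: it applies the serialization formula (frame length / bit rate) to the queuing problem that link fragmentation and interleaving solves, and reports how long a voice packet can be stuck behind a data frame with plain FIFO versus with LFI. The 10 ms fragment target is the usual LFI design rule; the link speeds, the 1500-byte data frame and the 66-byte G.729 voice packet (6 bytes Layer 2 + 40 bytes IP/UDP/RTP + 20 bytes payload) are constructed inputs.

```python
"""Added example, not from the DESGN course material: serialization delay and
LFI fragment sizing for voice over slow WAN links."""

FRAGMENT_TARGET_MS = 10.0     # design goal: no single fragment delays voice by more than 10 ms
VOICE_PACKET_BYTES = 66       # assumption: G.729, 20 ms payload, no cRTP
DATA_FRAME_BYTES = 1500       # constructed: a full-size data frame ahead of the voice packet


def serialization_delay_ms(frame_bytes, link_bps):
    """Fixed delay to clock one frame onto the wire: frame length / bit rate."""
    return frame_bytes * 8 * 1000 / link_bps


def lfi_fragment_bytes(link_bps, target_ms=FRAGMENT_TARGET_MS):
    """Largest data fragment whose serialization delay stays within target_ms."""
    return int(link_bps * target_ms / 1000 / 8)


def needs_lfi(link_bps, mtu_bytes=DATA_FRAME_BYTES, target_ms=FRAGMENT_TARGET_MS):
    """LFI is worth configuring only where a full frame already exceeds the target."""
    return serialization_delay_ms(mtu_bytes, link_bps) > target_ms


def voice_wait_ms(link_bps, fragment_bytes=None):
    """Worst-case queuing wait for a voice packet that arrives just as a data
    frame (or, with LFI, one fragment of it) starts transmitting.  The spread
    between this worst case and zero wait is the jitter the dejitter buffer
    at the far end has to absorb."""
    blocking = fragment_bytes if fragment_bytes else DATA_FRAME_BYTES
    return serialization_delay_ms(blocking, link_bps)


def delay_report(link_bps):
    """Summarize one link: the voice packet's own serialization delay, the
    worst-case wait with FIFO and with LFI, and the fragment size to configure."""
    frag = lfi_fragment_bytes(link_bps) if needs_lfi(link_bps) else None
    return {
        "link_kbps": link_bps / 1000,
        "voice_serialization_ms": serialization_delay_ms(VOICE_PACKET_BYTES, link_bps),
        "fifo_worst_wait_ms": voice_wait_ms(link_bps),
        "lfi_fragment_bytes": frag,
        "lfi_worst_wait_ms": voice_wait_ms(link_bps, frag),
    }


if __name__ == "__main__":
    for bps in (64_000, 128_000, 512_000, 2_048_000):
        print(delay_report(bps))
```

On a 64-kbps link a 1500-byte frame blocks the voice packet for 187.5 ms, far beyond any voice budget, while an 80-byte fragment caps the wait at 10 ms; at 2 Mbps the full frame serializes in under 6 ms and LFI is not needed.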


Jitter
Variation in the delay of received packets
Caused by network congestion, improper queuing,
or configuration errors


Packet Loss
Causes voice clipping
Caused by:
Congested links
Improper network QoS configuration
Bad packet buffer management on the routers
Routing problems
Up to 30 ms of lost voice correctable by DSP using interpolation
Packet losses up to one packet correctable with no voice quality degradation
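Jitter and packet loss, as the Jitter and Packet Loss slides define them, can both be measured from the RTP header alone, which is what a monitoring probe or the receiving endpoint does. The following is an added example and not part of the course material: it parses the fixed RTP header, counts loss from sequence-number gaps (including the 16-bit wrap), flags a loss burst longer than the 30 ms the slide says a DSP can conceal by interpolation, and runs the RFC 3550 interarrival-jitter estimator. The header layout and the jitter formula are RFC 3550; the captured stream is constructed (G.729, payload type 18, 20 ms packets).

```python
"""Added example, not from the DESGN course material: loss and jitter
measurement on an RTP voice stream from RTP headers."""
import struct

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC
CLOCK_HZ = 8000                        # RTP clock for narrowband audio
PTIME_MS = 20                          # packetization interval
TICKS_PER_PACKET = CLOCK_HZ * PTIME_MS // 1000   # 160 timestamp ticks per packet
DSP_CONCEAL_MS = 30                    # slide: DSP interpolation covers up to 30 ms


def build_rtp(seq, timestamp, pt=18, ssrc=0x1234ABCD, payload=b"\x00" * 20):
    """Constructed RTP packet (version 2, no padding, extension or CSRC list)."""
    return RTP_HEADER.pack(0x80, pt, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    """Decode the fixed 12-byte RTP header; reject anything that is not RTP v2."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, timestamp, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"seq": seq, "ts": timestamp, "ssrc": ssrc,
            "pt": b1 & 0x7F, "marker": bool(b1 & 0x80)}


def analyze(stream):
    """stream: list of (arrival_ms, packet_bytes) in arrival order.
    Loss comes from sequence-number gaps; jitter is the RFC 3550 running
    estimate J = J + (|D| - J) / 16, where D is the difference between the
    arrival spacing and the timestamp spacing of consecutive packets."""
    jitter_ticks = 0.0
    lost = worst_burst = received = 0
    prev = None
    prev_arrival = 0.0
    for arrival_ms, packet in stream:
        hdr = parse_rtp(packet)
        arrival_ticks = arrival_ms * CLOCK_HZ / 1000
        received += 1
        if prev is not None:
            gap = (hdr["seq"] - prev["seq"]) & 0xFFFF        # wrap-safe
            if gap > 1:
                lost += gap - 1
                worst_burst = max(worst_burst, gap - 1)
            d = (arrival_ticks - prev_arrival) - ((hdr["ts"] - prev["ts"]) & 0xFFFFFFFF)
            jitter_ticks += (abs(d) - jitter_ticks) / 16
        prev, prev_arrival = hdr, arrival_ticks
    worst_gap_ms = worst_burst * PTIME_MS
    return {"received": received, "lost": lost, "worst_burst": worst_burst,
            "worst_gap_ms": worst_gap_ms,
            "concealable": worst_gap_ms <= DSP_CONCEAL_MS,
            "jitter_ms": jitter_ticks * 1000 / CLOCK_HZ}


def sample_stream():
    """Constructed capture: seq 1003 lost (20 ms, DSP can conceal) and
    1006-1007 lost (40 ms burst, audible clipping); some arrivals jittered."""
    seqs = [1000, 1001, 1002, 1004, 1005, 1008, 1009]
    arrivals = [0, 25, 40, 80, 100, 160, 180]            # ms; ideal spacing is 20 ms
    return [(t, build_rtp(s, (s - 1000) * TICKS_PER_PACKET))
            for t, s in zip(arrivals, seqs)]


if __name__ == "__main__":
    print(analyze(sample_stream()))
```

The report separates the two failure modes the slides describe: the single-packet loss is within what interpolation hides, the 40 ms burst is not, and the jitter figure is what a dejitter buffer has to be sized against.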


Problem of Echo


Echo Cancellers Reduce the Level of Echo


Voice Coding and Compression


The quality of transmitted speech is a subjective listener response.
MOS is a common benchmark to define sound quality.
MOS scales from 1 (bad) to 5 (excellent).
ITU Standard   Coding Technique   Data Rate*          MOS Score
G.711          PCM                64 kbps             4.1
G.726/G.727    ADPCM              16/24/32/40 kbps    3.85 or less
G.728          LD-CELP            16 kbps             3.61
G.729          CS-ACELP           8 kbps              3.92
G.723.1        ACELP/MPMLQ        6.3/5.3 kbps        3.9/3.65

*Note: Data rates shown are for digitized speech only and do not include overhead of RTP, UDP, IP, and Layer 2 headers.


Example: Codec Complexity and Calls per DSP on the Cisco AS54-PVDM2-64 Module

Low Complexity (Maximum 64 Calls):
G.711 a-law
G.711 mu-law
Fax passthrough
Modem passthrough
Clear-channel codec

Medium Complexity (Maximum 32 Calls):
G.729a
G.729ab
G.726: 16K, 24K, and 32K
T.38 fax relay
Cisco Fax Relay

High Complexity (Maximum 24 Calls):
G.723.1: 5.3K and 6.3K
G.723.1A: 5.3K and 6.3K
G.728
Modem relay
AMR-NB: 4.75K, 5.15K, 5.9K, 6.7K, 7.4K, 7.95K, 10.2K, 12.2K, and silence insertion descriptor


Bandwidth Availability
Goal: Reduce the amount of traffic per voice call
Solutions:
Use an effective voice coding and compression mechanism.
Compress IP headers by using compressed Real-Time
Transport Protocol.
Suppress packets of silence by using voice activity detection.


Calculating Voice Bandwidth


Voice packet size = (Layer 2 header) + (IP/UDP/RTP header) + voice payload
Voice packets per second (pps) = (codec bit rate) / (voice payload size)
Bandwidth = (voice packet size) * (pps)
Example for G.729 call with 8-kbps codec bit rate with cRTP and 20 bytes voice payload:
Voice packet size = 6 bytes + 2 bytes + 20 bytes = 28 bytes
Voice packet size = 28 bytes * 8 bits/byte = 224 bits
Voice pps = 8000 bits/sec / 160 bits/packet = 50 pps
Bandwidth = 224 bits * 50 pps = 11.2 kbps
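The same formula as a small calculator, added here as an example and not part of the course material. It reproduces the G.729 worked example above and applies the formula to other codecs with and without cRTP, then derives how many calls a link can admit, which is the input a call admission control limit is set from. Header sizes follow the slide's example (40 bytes IP/UDP/RTP, 2 bytes after cRTP, 6 bytes of Layer 2); the 6-byte Layer 2 figure is an assumption that changes with link type, so a vendor calculator can differ by a kbps or two. Payload sizes per codec are taken from the Voice Bandwidth and Codec Standards table that follows.

```python
"""Added example, not from the DESGN course material: per-call voice bandwidth
and calls-per-link from codec rate, payload size and header overhead."""

IP_UDP_RTP_BYTES = 40     # 20 IP + 8 UDP + 12 RTP
CRTP_BYTES = 2            # compressed IP/UDP/RTP header
L2_BYTES = 6              # assumed Layer 2 overhead, as in the slide's example

CODECS = {                # codec bit rate (bps), voice payload per packet (bytes)
    "G.711": (64000, 160),
    "G.726-32": (32000, 60),
    "G.728": (16000, 40),
    "G.729": (8000, 20),
    "G.723.1-6.3": (6300, 24),
}


def packet_bits(payload_bytes, crtp=False, l2_bytes=L2_BYTES):
    """Voice packet size in bits: Layer 2 + (cRTP or IP/UDP/RTP) + payload."""
    header = CRTP_BYTES if crtp else IP_UDP_RTP_BYTES
    return (l2_bytes + header + payload_bytes) * 8


def packets_per_second(codec_bps, payload_bytes):
    """pps = codec bit rate / payload size in bits."""
    return codec_bps / (payload_bytes * 8)


def call_bandwidth_bps(codec, crtp=False):
    """Bandwidth of one call = packet size * pps."""
    codec_bps, payload = CODECS[codec]
    return packet_bits(payload, crtp) * packets_per_second(codec_bps, payload)


def calls_on_link(link_bps, codec, crtp=False, reserve_fraction=0.0):
    """Calls the link can carry at once: usable rate // per-call rate.
    reserve_fraction holds back part of the link for data and signaling, so the
    result can be used directly as a call admission control limit."""
    usable = link_bps * (1 - reserve_fraction)
    return int(usable // call_bandwidth_bps(codec, crtp))


if __name__ == "__main__":
    for name in CODECS:
        plain, compressed = call_bandwidth_bps(name), call_bandwidth_bps(name, crtp=True)
        print("%-12s %6.1f kbps  %6.1f kbps with cRTP  calls on 512 kbps: %d / %d"
              % (name, plain / 1000, compressed / 1000,
                 calls_on_link(512000, name), calls_on_link(512000, name, crtp=True)))
```

Note that with cRTP the G.729 call drops from about 26 kbps to 11.2 kbps, so the same 512-kbps link carries more than twice as many calls; the admission limit must be recomputed whenever the codec, cRTP or the data reservation changes.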


Example: Voice Codec Bandwidth Calculator for G.729 Codec


Voice Bandwidth and Codec Standards

Compression          Payload Size   Bandwidth   Bandwidth with   No. of Calls on a 512-kbps Link
                     (bytes)        (kbps)      cRTP (kbps)      (without cRTP / with cRTP)
G.711 (64 kbps)      160            83          68               6/7
G.726 (32 kbps)      60             57          36               8/14
G.726 (24 kbps)      40             52          29               9/17
G.728 (16 kbps)      40             35          19               14/26
G.729 (8 kbps)       20             26          11               19/46
G.723.1 (6.3 kbps)   24             18          (not given)      28/64
G.723.1 (5.3 kbps)   20             17          (not given)      30/73


Enterprise QoS Mechanisms for Voice


Traffic classification
Queuing or scheduling
Bandwidth provisioning and call admission control


Access Layer QoS Mechanisms for Voice


802.1Q trunking and 802.1p
Multiple egress queues
Traffic classification and network trust boundary
Layer 3 awareness and the ability to implement QoS access
control lists


Recommended Practice: Separate Voice and Data VLANs

Voice device protection from external networks
QoS trust boundary extension to voice devices
Protection from malicious network attacks
Ease of management and configuration


Example: QoS Networking Mechanisms


Example: Low Latency Queuing


QoS Consideration for Voice in the WAN


WAN QoS mechanisms:
Bandwidth provisioning
Traffic classification
Queuing and scheduling
Traffic shaping
Link efficiency techniques
Call admission control


Call Admission Control

Protects voice traffic from being negatively affected by other voice traffic
Keeps excess voice traffic off the network
Reroutes excess voice traffic in the following scenarios:
Call rerouted via an alternate packet network path
Call rerouted via the PSTN network path
Call returned to the originating TDM switch with the reject cause code


Example: Call Admission Control


VoIP Network Without CAC

VoIP Network with CAC


Implementing CAC with RSVP


RSVP is an industry-standard signaling protocol that enables an
application to reserve bandwidth dynamically.
RSVP signaling messages are exchanged between the source
and destination devices.
RSVP process interacts with the QoS manager on router
interfaces to "reserve" bandwidth resources.
Calls are admitted or rejected based on the outcome of the RSVP
reservations.


Traffic Engineering Terms


Grade of service
Erlang
Centum call seconds
Busy hour
Busy hour traffic
Blocking probability
Call Detail Record


Erlang Tables
Show erlangs of offered traffic, number of circuits, and grade
of service
Three common erlang tables:
Erlang B assumes that calls receiving a busy signal are
immediately cleared.
Extended Erlang B assumes that a certain percentage of calls
receiving a busy signal are redialed.
Erlang C assumes that blocked calls are queued.


Example: Erlang B Table

Number of erlangs decreases with the decreased blocking probability.
Number of erlangs increases with the number of simultaneous connections.

Busy hour traffic (BHT) in erlangs, by number of circuits (rows) and blocking probability (columns):

Number of    Blocking Probability
Circuits     .003     .005     .01      .02      .03      .05
1            .003     .006     .011     .021     .031     .053
2            .081     .106     .153     .224     .282     .382
3            .289     .349     .456     .603     .716     .900
4            .602     .702     .870     1.093    1.259    1.525
5            .996     1.132    1.361    1.658    1.876    2.219
6            1.447    1.822    1.900    2.278    2.543    2.961
7            1.947    2.158    2.501    2.936    3.250    3.738
8            2.484    2.730    3.128    3.627    3.987    4.543
9            3.053    3.333    3.783    4.345    4.748    5.371
10           3.648    3.961    4.462    5.084    5.530    6.216
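An added Python example (not course material) of the Erlang B model behind this table: the blocking-probability recurrence, the inverse lookup that reproduces a table cell, and the circuit-count sizing a designer performs from busy hour traffic. The call count and hold time in the main block are constructed sample values.

```python
"""Erlang B calculator: blocking probability, offered traffic and circuit sizing.

Added example, not part of the DESGN course material. Erlang B models
blocked calls as immediately cleared (no retry, no queue), which is the
assumption behind the table on the slide.
"""


def erlang_b(circuits, offered_erlangs):
    """Blocking probability for `offered_erlangs` of traffic on `circuits` trunks.

    Uses the recurrence B(0) = 1, B(n) = A*B(n-1) / (n + A*B(n-1)), which
    gives the same result as the factorial closed form without overflow.
    """
    if circuits < 0 or offered_erlangs < 0:
        raise ValueError("circuits and offered traffic must be non-negative")
    b = 1.0
    for n in range(1, circuits + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def offered_traffic(circuits, blocking):
    """Largest offered load (erlangs) that `circuits` carry at grade of service
    `blocking`: the value one cell of the Erlang B table holds.

    Found by bisection, since erlang_b is monotonically increasing in the load.
    """
    lo, hi = 0.0, float(circuits) + 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if erlang_b(circuits, mid) > blocking:
            hi = mid
        else:
            lo = mid
    return lo


def circuits_needed(bht_erlangs, blocking):
    """Smallest number of circuits whose blocking for the busy hour traffic
    does not exceed the target grade of service."""
    n = 0
    while erlang_b(n, bht_erlangs) > blocking:
        n += 1
    return n


def bht_from_cdrs(calls_in_busy_hour, avg_hold_seconds):
    """Busy hour traffic in erlangs from call detail record counts:
    one erlang is one circuit busy for the whole hour (3600 s)."""
    return calls_in_busy_hour * avg_hold_seconds / 3600


def erlangs_to_ccs(erlangs):
    """One erlang equals 36 centum call seconds (3600 s / 100 s)."""
    return erlangs * 36


if __name__ == "__main__":
    # Reproduce the 10-circuit row of the slide's table.
    print([round(offered_traffic(10, p), 3) for p in (.003, .005, .01, .02, .03, .05)])
    # Constructed sizing case: 120 busy-hour calls averaging 150 s, 1% blocking.
    bht = bht_from_cdrs(120, 150)          # 5.0 erlangs = 180 CCS
    print(bht, erlangs_to_ccs(bht), circuits_needed(bht, 0.01))
```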



Summary
Voice quality in an IP network is directly affected by delay, jitter,
and packet loss.
An echo is the audible leak of the voice of the caller into the
receive (return) path.
Voice communication over IP relies on voice that is coded and
encapsulated into IP packets.
A primary WAN issue when network designers are designing
voice on IP networks is bandwidth availability.
QoS mechanisms are important for networks that carry voice.
Traffic engineering is a science of selecting the right number of
lines and the proper types of service to accommodate users.


Integrating Voice in the Network Design


Define the requirements for voice services.
Select an IP telephony design model based on the requirements.
Implement voice support in the infrastructure:
Select appropriate call control and transport protocols.
Select appropriate coding and compression mechanisms.
Provision needed bandwidth.
Deploy VoIP components.
Implement end-to-end QoS.


Module Summary
New IP telephony solutions must integrate into existing
environments and provide similar functionality.
Business needs are driving the need for unified networks that support
unified communications.
There are many issues that affect voice traffic, such as delay,
jitter, packet loss, congestion, and slow-speed links. Compression
techniques, LFI, and QoS mechanisms can alleviate many of
these issues.


Identifying Wireless
Networking
Considerations

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Introducing the
Cisco Unified
Wireless Network

Identifying Wireless Networking Considerations


Wireless LAN Background


WLANs provide network connectivity over radio waves.
Wireless stations connect to wireless access points.
Access points connect to the wired network.
Access points were traditionally autonomous.
Scaling the design and adding applications was challenging.


Cisco Unified Wireless Network Elements

Intelligent information network elements:
Mobility services
Network management
Network unification
Access points
Client devices


Cisco Unified Wireless Network Split-MAC Operation

Access point MAC functions:
802.11: Beacons, probe response
802.11 control: Packet acknowledgment and transmission
802.11e: Frame queuing and packet prioritization
802.11i: MAC layer data encryption and decryption

Controller MAC functions:
802.11 MAC management: Association requests and actions
802.11e: Resource reservation
802.11i: Authentication and key management

LWAPP Fundamentals
LWAPP is an IETF draft specification.
Access points communicate with a WLC using LWAPP:
LWAPP control messages are exchanged between
a WLC and access points.
LWAPP data messages encapsulate data frames.
LWAPP tunnel can be Layer 2 or Layer 3.
One WLC can manage multiple access points.
The WLC supplies configuration and firmware updates
to access points.


Example: Layer 2 LWAPP Architecture

Access points do not require IP addressing.


Controllers need to be on every subnet on which
access points reside.
Layer 2 LWAPP was an early part of the architecture;
many current products do not support this functionality.

Example: Layer 3 LWAPP Architecture

Access points require IP addressing.


Access points can communicate with a WLC
across routed boundaries.
Layer 3 LWAPP is more flexible than Layer 2 LWAPP;
most current products support this LWAPP mode.

Access Point Modes


Local mode is the default mode of operation.
REAP mode enables a remote access point across a WAN link
to communicate with the WLC.
Rogue detector mode allows the access point to monitor rogue
access points but cannot contain rogue access points.
Monitor mode allows the access points to act as dedicated
sensors for IDS and supports deauthentication capability.
Sniffer mode functions as a network sniffer and captures and
forwards all the packets on a particular channel to a remote
machine that runs AiroPeek.
Bridge mode allows the Cisco Aironet 1030 (indoor) and 1500 (outdoor mesh)
access points to support point-to-point and point-to-multipoint bridging.


Wireless Infrastructure
Autonomous access point
is an 802.1Q translational
bridge.
WLAN controller bridges
client traffic centrally.


Wireless Authentication


Example: Supported EAP Types


EAP-Transport Layer Security (EAP-TLS)
Mutual client and server authentication using digital certificates

EAP-Protected EAP (EAP-PEAP)


Authentication of RADIUS server in TLS using digital certificate
Authentication of client using EAP-GTC or EAP-MSCHAPv2

EAP Tunneled Transport Layer Security (EAP-TTLS)


Authentication of RADIUS server in TLS using server certificate
Authentication of client using username and password

Cisco LEAP
Early EAP method supported in Cisco Compatible Extensions

Cisco EAP-FAST
Three-phase EAP method supported in Cisco Compatible Extensions


Important WLAN Controller Components

Three important components to understand:
Port: Physical connection to a neighbor switch or router
Interface: Logical connection mapping to a VLAN on the wired network
WLAN: Logical entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters


Summary of WLC Interfaces

Management interface: Used for in-band management, connectivity to AAA and other enterprise services, and Layer 2 access point autodiscovery and association
AP-manager interface: The source IP address used for access point-to-controller communication and Layer 3 access point autodiscovery and association
Dynamic interface: Designated for WLAN client data; analogous to a VLAN
Virtual interface: Supports DHCP relay, Layer 3 security authentication, and mobility management
Service-port interface: Provides out-of-band management of the controller


Example: WLANs, Interfaces, and Ports


Cisco Wireless LAN Controller Platforms

Platform                                                   Number of Access Points Supported
Cisco 2000 Series Wireless LAN Controller                  (not given on slide)
Cisco Wireless LAN Controller Module for ISRs              (not given on slide)
Cisco Catalyst 3750G Integrated Wireless LAN Controller    Up to 50
Cisco 4400 Series Wireless LAN Controller                  Up to 100
Cisco Catalyst 6500 Series Wireless Services Module        Up to 300

Note: The number of access points supported may change as products are updated. Check www.cisco.com for the latest information.


Access Point Scalability Considerations


4400x series controllers allow 48 access points per port in the
absence of link aggregation.
Two options for scaling are:
Multiple AP manager interfaces (supported only on 4400x
appliance controllers).
Link aggregation (supported on 4400x appliances, Cisco
WiSM, Cisco 3750G Integrated Wireless LAN Controller).
With multiple AP manager interfaces, the LWAPP algorithm
load-balances access points across the AP manager interfaces.
With LAG, one AP manager interface load-balances traffic
across an EtherChannel interface.


Example: Multiple AP Manager Interfaces


Each AP manager interface
is mapped to a physical port.
Access point load is
dynamically distributed.
Redundancy advantage:
Platform can be connected
to multiple devices.
Redundancy concern:
Only 48 access-points
are supported per port.


Example: LAG with a Single AP Manager Interface

One LAG group per Cisco Wireless LAN Controller is supported.
Packets are forwarded out the same port they arrived on.
It is recommended that you use LAG if possible.


Summary
The Cisco Unified Wireless Network architecture centralizes
WLAN configuration and control on Cisco Wireless LAN
Controllers.
Cisco Wireless LAN Controllers manage access points using
LWAPP.
The Cisco Unified Wireless Network is based on devices
connecting to access points using RF signals, access points
sending client traffic to controllers across an LWAPP tunnel, and
Cisco Wireless LAN Controllers placing the traffic in the
appropriate VLAN in the wired network.
Cisco Wireless LAN Controller components include ports
(physical connections), interfaces (logical mappings to a VLAN),
and WLANs (logical mappings of an SSID to an interface).
Cisco Wireless LAN Controller platforms can support 6 to 300
access points.

Understanding Wireless
Network Controller
Technology

Identifying Wireless Networking Considerations


LWAPP Discovery

1. The access point issues a DHCPDISCOVER to get an IP address.
2. If the access point supports Layer 2 LWAPP, attempt Layer 2 discovery.
3. Else, attempt Layer 3 LWAPP discovery.
4. If no WLC response, then the access point reboots and returns to Step 1.

Layer 3 LWAPP Discovery Algorithm

Access point sends Layer 3 LWAPP discovery requests:
1. As broadcasts on local subnet
2. As unicast LWAPP discovery requests to WLC IP addresses advertised by other access points, if OTAP enabled on the WLCs
3. To all previously stored WLC IP addresses
4. To IP addresses learned through DHCP Option 43
5. To IP addresses learned through DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain

WLCs receiving the discovery message reply with a unicast LWAPP discovery response message.
Access point compiles a list of candidate controllers.


WLC Selection Algorithm

LWAPP discovery and selection mechanism is a design decision.
LWAPP discovery response contains WLC information.
After the LWAPP discovery interval timer, the access point selects a WLC to send an LWAPP join request based on:
1. Previously configured primary, secondary, or tertiary WLCs (specified in the controller sysName)
2. WLC configured as a master controller
3. WLC with the greatest capacity for access point associations
The WLC validates the access point and sends an LWAPP join response. An encryption key is derived, and future messages are encrypted.
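The candidate list from the discovery slide and the three-step selection order above, as an added Python example that is not Cisco code. DiscoveryResponse, its fields and the sample controllers are constructed simplifications of a real discovery response; reading "greatest capacity" as spare capacity and skipping a configured controller that is already full are assumptions of this example, not statements from the slide.

```python
"""LWAPP controller selection: from discovery responses to the join target.

Added example, not Cisco code. Selection order from the slide:
  1. the AP's configured primary, secondary or tertiary WLC (matched by sysName)
  2. a WLC flagged as master controller
  3. the WLC with the greatest capacity for access point associations
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveryResponse:
    """Constructed subset of what a WLC reports in its discovery response."""
    sys_name: str
    ip: str
    is_master: bool
    max_aps: int
    joined_aps: int

    @property
    def spare_capacity(self):
        return self.max_aps - self.joined_aps


def compile_candidates(responses):
    """Build the candidate controller list from the replies gathered during
    the discovery interval, keeping one entry per controller sysName."""
    seen = {}
    for r in responses:
        seen.setdefault(r.sys_name, r)
    return list(seen.values())


def select_wlc(candidates, configured=()):
    """Return the DiscoveryResponse the access point should send its join to.

    `candidates` - controllers that answered the discovery request
    `configured` - (primary, secondary, tertiary) sysNames from the AP config,
                   in priority order; missing entries are simply skipped
    Raises LookupError when no usable controller answered (the slide's AP
    would then reboot and restart discovery).
    """
    if not candidates:
        raise LookupError("no LWAPP discovery response received")
    by_name = {c.sys_name: c for c in candidates}
    # 1. Explicitly configured controllers win, in primary/secondary/tertiary
    #    order. A full controller is skipped (assumption: it would reject the join).
    for name in configured:
        if name in by_name and by_name[name].spare_capacity > 0:
            return by_name[name]
    # 2. A master controller is the landing spot for unconfigured APs.
    masters = [c for c in candidates if c.is_master and c.spare_capacity > 0]
    if masters:
        return max(masters, key=lambda c: c.spare_capacity)
    # 3. Otherwise the controller with the greatest spare AP capacity.
    best = max(candidates, key=lambda c: c.spare_capacity)
    if best.spare_capacity <= 0:
        raise LookupError("all responding controllers are full")
    return best


def join_target(responses, configured=()):
    """sysName of the selected controller, or None when the AP must re-discover."""
    try:
        return select_wlc(compile_candidates(responses), configured).sys_name
    except LookupError:
        return None


# Constructed sample replies: one full controller, one master, one branch WLC.
SAMPLE_RESPONSES = [
    DiscoveryResponse("wlc-hq-1", "10.0.0.11", False, 100, 100),
    DiscoveryResponse("wlc-hq-2", "10.0.0.12", True, 100, 40),
    DiscoveryResponse("wlc-branch", "10.0.0.13", False, 50, 10),
    DiscoveryResponse("wlc-hq-2", "10.0.0.12", True, 100, 40),  # duplicate reply
]

if __name__ == "__main__":
    print(join_target(SAMPLE_RESPONSES, ("wlc-branch",)))   # configured primary
    print(join_target(SAMPLE_RESPONSES, ("wlc-hq-1",)))     # primary full -> master
    print(join_target(SAMPLE_RESPONSES))                    # master
    print(join_target([]))                                  # None -> re-discover
```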


Access Point Operations


Access point downloads firmware from the WLC if its code version
does not match the WLC.
WLC provisions access point with the SSID, security, QoS, and
other parameters.
WLC periodically queries access points for status.
Access point periodically sends an LWAPP heartbeat (every 30
seconds):
If heartbeat is not acknowledged, the access point resends.
If heartbeat is not acknowledged in five attempts, access point
looks for a new WLC.


WLC Deployment Considerations


Mobility
Radio management
Redundancy and load balancing
Scaling
IP addressing


Mobility Defined

Mobility is a key reason for wireless networks.
Mobility means the end-user device is capable of moving to a new location.
Roaming occurs when a wireless client moves its association from one access point and reassociates to another.
Mobility presents new challenges:
  Need to scale the architecture to support client roaming; roaming can occur intracontroller and intercontroller.
  Depending on the application, may need to support Layer 2 or Layer 3 roaming.
  Need to support client roaming that is seamless (fast) and preserves security.


Intracontroller Roaming

Intracontroller roaming occurs when a client moves association to another access point joined to the same WLC.
Client may need to be reauthenticated and a new security session established.
Controller updates client database entry with new access point and appropriate security context.
No IP address refresh is needed.


Intercontroller Roaming: Layer 2

Traffic on same IP subnet
Client database entry moved to new WLC
Reauthenticated and new security session established as needed
No IP address refresh needed

Intercontroller Roaming: Layer 3

New WLC uses a different subnet; client IP address does not change
Original WLC tagged as anchor
Client database entry copied to new WLC, tagged as foreign
Asymmetric traffic path

Scaling the Architecture with Mobility Groups

Mobility groups allow controllers to peer with each other to support seamless roaming across controller boundaries, access point load balancing, and controller redundancy.
  Mobility messages are exchanged between controllers.
  Data is tunneled between controllers in Ethernet-in-IP (EtherIP).
Each WLC in a mobility group is configured with a list of the other members.
Access points learn the IP addresses of the other members of the mobility group after the LWAPP join process.
Mobility groups support up to 24 controllers and 3600 access points.
WLCs should be placed in mobility groups when intercontroller roaming is possible and for controller redundancy.

Mobility Group Requirements

IP connectivity must exist between the management interfaces of all WLC devices.
All WLCs must be configured with the same mobility group name. The mobility group name is case-sensitive.
All WLCs must be configured to use the same virtual interface IP address.
Each WLC is configured with the MAC address and IP address of all the other mobility group members.
The WLCs exchange messages using UDP port 16666 (unencrypted) or UDP port 16667 (encrypted).


Supporting Roaming: Recommended Practices

Minimize intercontroller roaming in your designs.
Design the network for <= 10 ms RTT latency between controllers.
Intercontroller Layer 2 roaming is more efficient than Layer 3 roaming.
Use PKC or CCKM to speed up and secure roaming.
Client roaming capabilities vary by vendor, driver, and supplicant.
  Look for the Cisco Compatible Extensions v4 feature set.


Controller Redundancy Design

Access point selects its WLC with this sequence:
  [Deterministic] If an access point has been previously configured with a primary, secondary, or tertiary controller, the access point attempts to join these first (specified by controller sysName).
  [Initializing] The access point attempts to join a WLC configured as a master controller.
  [Dynamic] The access point attempts to join the WLC with the greatest availability for access point associations.
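The selection sequence above, combined with the heartbeat rule from the Access Point Operations slide (30-second LWAPP heartbeat, search for a new WLC after five unacknowledged attempts), simulated as an added example that is not course code. The `capacity`, `joined`, `master` and `alive` controller fields and the scenario data are constructed for the simulation; availability is modelled as capacity minus joined access points.

```python
from dataclasses import dataclass
from typing import Optional

HEARTBEAT_INTERVAL_S = 30    # LWAPP heartbeat period (slide)
MAX_HEARTBEAT_ATTEMPTS = 5   # unacknowledged heartbeats before a new WLC is sought (slide)


@dataclass
class Controller:
    sysname: str
    capacity: int            # access points this WLC can carry (constructed)
    joined: int = 0          # access points currently joined
    master: bool = False     # configured as master controller
    alive: bool = True       # constructed stand-in for "acknowledges heartbeats"

    @property
    def availability(self):
        return self.capacity - self.joined


@dataclass
class AccessPoint:
    name: str
    primary: Optional[str] = None      # controller sysNames, if preconfigured
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    wlc: Optional[Controller] = None
    unacked: int = 0                   # consecutive unacknowledged heartbeats


def select_controller(ap, controllers):
    """Pick the WLC an access point joins, in the order the slide gives."""
    candidates = {c.sysname: c for c in controllers if c.alive and c.availability > 0}
    # [Deterministic] primary, secondary, tertiary by sysName, in that order.
    for name in (ap.primary, ap.secondary, ap.tertiary):
        if name in candidates:
            return candidates[name]
    # [Initializing] a controller configured as master.
    for c in candidates.values():
        if c.master:
            return c
    # [Dynamic] the WLC with the greatest availability for AP associations.
    return max(candidates.values(), key=lambda c: c.availability, default=None)


def join(ap, controllers):
    wlc = select_controller(ap, controllers)
    if wlc is not None:
        wlc.joined += 1
        ap.wlc, ap.unacked = wlc, 0
    return wlc


def heartbeat(ap, controllers):
    """Advance one heartbeat interval; return True if the AP has a WLC afterwards."""
    if ap.wlc is None:
        return join(ap, controllers) is not None
    if ap.wlc.alive:
        ap.unacked = 0
        return True
    ap.unacked += 1                            # not acknowledged: the AP resends
    if ap.unacked < MAX_HEARTBEAT_ATTEMPTS:
        return True
    ap.wlc.joined -= 1                         # five attempts failed: look for a new WLC
    ap.wlc = None
    return join(ap, controllers) is not None


def worst_case_detection_s():
    """Time the slide's timers imply before an AP gives up on a dead WLC."""
    return HEARTBEAT_INTERVAL_S * MAX_HEARTBEAT_ATTEMPTS


def failover_scenario():
    """Constructed: the primary dies; the AP should land on its secondary, not the master."""
    ctrls = [Controller("wlc-1", 50), Controller("wlc-2", 25),
             Controller("wlc-3", 100, joined=10, master=True)]
    ap = AccessPoint("ap-1", primary="wlc-1", secondary="wlc-2")
    first = join(ap, ctrls).sysname
    ctrls[0].alive = False
    intervals = 0
    while ap.wlc.sysname == first:
        heartbeat(ap, ctrls)
        intervals += 1
    return first, ap.wlc.sysname, intervals * HEARTBEAT_INTERVAL_S
```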


Deterministic Controller Redundancy

Administrator statically assigns each access point a primary, secondary, or tertiary controller.
Advantages include:
  Predictability (easier operational management)
  More network stability
  More flexible and powerful redundancy design options
  Faster failover times
  Fallback option in the case of failover
Disadvantages include:
  More upfront planning and configuration
Recommended leading practice is to use deterministic redundancy.

Example: Deterministic Controller Redundancy


Dynamic Controller Redundancy

Design relies on LWAPP to load-balance access points across controllers and populate access points with backup WLC information.
Design works better when controllers are clustered in a centralized design.
Advantages include:
  Easy to deploy and configure
  Access points dynamically load-balance
Disadvantages include:
  More intercontroller roaming
  Bigger operational challenges due to unpredictability
  Longer failover times
  No fallback option in the event of controller failure
Recommended practice is not to use dynamic redundancy.

Example: Dynamic Redundancy


Deterministic Redundancy Designs: N+1


Deterministic Redundancy Designs: N+N


Deterministic Redundancy Designs: N+N+1


Radio Resource Management

Key RF challenges with 802.11:
  Limited nonoverlapping channels
  Physical characteristics of RF propagation
  Contention for the medium
  Transient nature of RF environments
RRM addresses these challenges:
  Continuous analysis of RF environment
  Dynamic channel assignment
  Interference detection and avoidance
  Dynamic transmit power control
  Coverage hole detection and correction
  Client and network load balancing

RF Grouping

1. Access points send and receive neighbor messages.
2. If access points on different WLCs hear neighbor messages in the same RF group at -80 dBm or stronger, they pass information to their WLC.
3. Controllers elect an RF group leader that analyzes RF data.


Access Point Self-Healing

Access points receive neighbor messages from neighbor access points.
Access points report a lost neighbor when they no longer receive neighbor messages at -65 dBm.
RRM is used to increase power on access points near the lost access point.
RRM can also adjust channel selection if needed.


Summary

A lightweight access point uses an LWAPP discovery and join process to connect to a WLC.
Lightweight access points operate by communicating with a WLC.
The Cisco Unified Wireless Network provides a high-quality, transparent roaming experience for clients, supporting both intracontroller and intercontroller roaming.
It is recommended that you use deterministic controller redundancy over dynamic controller redundancy.
RRM using RF groups is a foundation of the Cisco Unified Wireless Network architecture.



Designing Wireless
Networks with Controllers

Identifying Wireless Networking Considerations


Reasons for an RF Site Survey

Defines RF characteristics in the environment:
  Discover RF coverage areas.
  Check for RF interference and issues.
  Provide RF spectrum analysis.
  Determine appropriate placement of wireless infrastructure devices.
Helps define customer requirements


RF Site Survey Process

1. Define customer requirements.
2. Identify coverage areas and user density.
3. Determine preliminary access point locations.
4. Perform the actual surveying.
5. Document the findings.


RF Site Survey: Customer Requirements

What type and number of wireless devices need to be supported?
Is there current WLAN or RF equipment in place?
Will the WLAN be used only for data?
Will wireless phones be supported in the future?
Are there peak periods to support?
Will users be stationary or on the move while using the WLAN?
Where should wireless coverage support be provided?
What level of support should be provided?


RF Site Survey: Identifying Coverage Areas

(Floor plan figure; areas labeled: elevator shafts, offices, file room or supply room with large filing or metal cabinets, test lab, break room with microwave ovens, conference room, cubicles, stairwells in the reinforced building area.)


Determining Preliminary Access Point Locations

Default Access Point Placement


Visualizing RF Coverage


Performing the Site Survey

Use tools and processes to determine coverage:
  Estimate the access points needed using planning.
  Measure attenuation at the corner and edge of coverage areas.
  Determine the coverage range.
  Build the WLAN coverage.
  Identify coverage holes.

Site Survey Report

All information gathered and developed during the site survey should be included in the report:
  Detail customer requirements.
  Describe and diagram access point coverage.
  Be very specific when describing equipment placement locations.
  Mark areas that are covered as well as those not needing coverage.
  Parts list should include:
    Access points
    Antennas
    Accessories and network components
  Discuss the tools that were used and survey methods.

Supporting Guest Access


Path Isolation with Ethernet in IP Tunnel

Use of EtherIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers
Other traffic (employee, for example) still locally bridged on the corresponding VLAN
No need to define the guest VLANs on the switches connected to the edge controllers
Original Ethernet frame from guest maintained across LWAPP and EtherIP tunnels
EtherIP supported across all WLAN controllers
  2006 WLC cannot anchor EtherIP connections.


Outdoor Wireless Deployment Options


Outdoor Wireless Mesh Solution Components

Cisco Wireless Control System
  Wireless mesh management system
  Enables networkwide policy configuration and device management
  Supports SNMP and syslog

Cisco Wireless LAN Controller
  Links the wireless mesh access points to the wired network
  Handles RF algorithms and optimization
  Seamless Layer 3 mobility
  Provides security and mobility management

Rooftop Access Point
  Serves as root or gateway access point to the wired network
  Typically located on rooftops or towers
  Connects up to 32 pole-top mesh access points using 802.11a

Mesh Access Point
  Provides 802.11b/g client access
  Connects to root access points via 802.11a
  Takes AC or DC power; PoE capable
  Ethernet port for connecting peripheral devices


Example: MAP-to-RAP Connectivity in a Square Mile


Mesh Design Recommendations

Hops  | Throughput
------+---------------
One   | ~10 Mbps
Two   | ~5 Mbps
Three | ~3 Mbps
Four  | Up to 1 Mbps*

Latency: < 10 ms per hop, 13 ms is typical
Hops: Outdoor: Code supports up to eight hops; four or fewer hops are recommended. Indoor: One hop is supported.
Nodes per RAP: One RAP supports up to 32 MAPs; 20 nodes are recommended.
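A topology check against these recommendations, as an added example that is not course material: each mesh access point (MAP) is described by the node it backhauls through toward a rooftop access point (RAP), and the check computes hop counts, MAPs per RAP and the slide's throughput figure for each hop count. Node names and the sample topologies are constructed.

```python
from collections import defaultdict

# Figures from the slide
THROUGHPUT_BY_HOPS_MBPS = {1: 10.0, 2: 5.0, 3: 3.0, 4: 1.0}   # four hops: "up to" 1 Mbps
MAX_HOPS_OUTDOOR = 8            # supported by the code
RECOMMENDED_HOPS_OUTDOOR = 4
MAX_HOPS_INDOOR = 1
MAX_MAPS_PER_RAP = 32
RECOMMENDED_MAPS_PER_RAP = 20


def hop_counts(raps, parent):
    """Hop count from a RAP for every node (RAPs are 0).

    parent maps each MAP to the node it backhauls through. Raises ValueError
    for a MAP with no path to a RAP (missing parent or a loop).
    """
    hops = {rap: 0 for rap in raps}
    for node in parent:
        path, n = [], node
        while n not in hops:
            if n in path or n not in parent:
                raise ValueError(f"{node} has no path to a RAP (broken at {n})")
            path.append(n)
            n = parent[n]
        depth = hops[n]
        for p in reversed(path):
            depth += 1
            hops[p] = depth
    return hops


def root_rap(node, parent):
    while node in parent:
        node = parent[node]
    return node


def expected_throughput_mbps(hops):
    """Slide figure for a hop count; None where the slide gives no number."""
    return THROUGHPUT_BY_HOPS_MBPS.get(hops)


def check_mesh(raps, parent, indoor=False):
    """Return (hop counts, findings) for a proposed RAP/MAP topology."""
    hops = hop_counts(raps, parent)
    findings = []

    maps_per_rap = defaultdict(int)
    for node in parent:
        maps_per_rap[root_rap(node, parent)] += 1
    for rap in raps:
        n = maps_per_rap[rap]
        if n > MAX_MAPS_PER_RAP:
            findings.append(f"{rap}: {n} MAPs exceeds the limit of {MAX_MAPS_PER_RAP}")
        elif n > RECOMMENDED_MAPS_PER_RAP:
            findings.append(f"{rap}: {n} MAPs exceeds the recommended {RECOMMENDED_MAPS_PER_RAP}")

    supported = MAX_HOPS_INDOOR if indoor else MAX_HOPS_OUTDOOR
    for node, h in hops.items():
        if h == 0:
            continue
        if h > supported:
            findings.append(f"{node}: {h} hops is not supported ({supported} max)")
        elif not indoor and h > RECOMMENDED_HOPS_OUTDOOR:
            findings.append(f"{node}: {h} hops exceeds the recommended {RECOMMENDED_HOPS_OUTDOOR}")
    return hops, findings


def sample_design():
    """Constructed: one RAP with a five-hop chain, one RAP with 21 single-hop MAPs."""
    parent = {"map-1": "rap-1", "map-2": "map-1", "map-3": "map-2",
              "map-4": "map-3", "map-5": "map-4"}
    parent.update({f"map-2-{i}": "rap-2" for i in range(21)})
    return ["rap-1", "rap-2"], parent


if __name__ == "__main__":
    raps, parent = sample_design()
    hops, findings = check_mesh(raps, parent)
    for node in sorted(parent):
        print(f"{node}: {hops[node]} hop(s), ~{expected_throughput_mbps(hops[node])} Mbps")
    for f in findings:
        print("FINDING:", f)
```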

Common Wireless Design Questions

How many access points are needed?
Where will the access points be placed?
How will the access points receive power?
How many WLCs are needed?
Where should the WLCs be placed?


LWAPP Access Point Feature Summary

Feature                | 10x0 Models | 1121 AG Models | 1130 AG Series | 1230 AG Series | 1240 AG Series | 1300 Series             | 1500 Series
-----------------------+-------------+----------------+----------------+----------------+----------------+-------------------------+------------
Autonomous/LWAPP/both  | LWAPP       | Both           | Both           | Both           | Both           | Both (LWAPP in AP mode) | LWAPP
External antenna       | Yes         | No             | No             | Yes            | Yes            | Yes                     | Yes
Outdoor install        | No          | No             | No             | No             | No             | Yes                     | Yes
REAP or H-REAP support | REAP        | No             | H-REAP         | No             | H-REAP         | No                      | Yes
Dual radio             | Yes         | No (only g)    | Yes            | Yes            | Yes            | No (only g)             | Yes
Memory (Mb)            | 16          | 16             | 32             | 16             | 32             | 16                      | 16

Rows whose column alignment did not survive in the source (values in source order):
Power (watts): 13, 15, 14, 15, N/A, N/A
WLANs per radio supported: 18, 16


WLAN Controllers and Access Point Support

Part Number (Platform) | No. of Access Points Supported
-----------------------+-------------------------------
AIR-WLC2006-K9 (Cisco Wireless LAN Controller appliance) | (value not legible in source)
NM-AIR-WLC6-K9 (Cisco Wireless LAN Controller Module for ISRs) | (value not legible in source)
WS-C3750G-24WS-S25 (Cisco Catalyst 3750G Integrated Wireless LAN Controller) | 25
WS-C3750G-24WS-S50 (Cisco Catalyst 3750G Integrated Wireless LAN Controller) | 50
AIR-WLC4402-12-K9 (Cisco Wireless LAN Controller appliance) | 12
AIR-WLC4402-25-K9 (Cisco Wireless LAN Controller appliance) | 25
AIR-WLC4402-50-K9 (Cisco Wireless LAN Controller appliance) | 50
AIR-WLC4402-100-K9 (Cisco Wireless LAN Controller appliance) | 100
Cisco Catalyst 6500 Series Wireless Services Module | Up to 300

Controller Placement Design

Minimize intercontroller roaming.
Implement deterministic redundancy.
Centralized design supports the integrated platforms:
  Cisco Catalyst 3750G Integrated Wireless LAN Controller for small-to-medium deployments
  Cisco WiSM for medium-to-large deployments
Distributed designs may work well with existing networks.
General recommendation is to use a centralized design, but decide based on:
  Current network and policies
  Growth plans


Example: Distributed WLC Design


Example: Centralized WLC Design


Campus WLC Options

Stand-alone appliance controller
  Routed network on another platform
  802.1Q trunk to switched or routed network

Integrated controller
  Routed network can exist on the same platform.
  Layer 2 connection is internal.
  Layer 2 or 3 connection to routed network can be used.


Branch Wireless Network Design Considerations

Number of access points needed at the branch
Availability of switch ports
Availability of power
Controller cost
WAN bandwidth constraints
Latency between the access point and the WLC should not exceed 200 ms RTT.
For centralized controllers, use REAP or Hybrid REAP access points.


Local MAC

Access point MAC functions:
  802.11: Beacons, probe response
  802.11 control: Packet acknowledgment and transmission
  802.11e: Frame queuing and packet prioritization
  802.11i: MAC layer data encryption and decryption

Controller MAC functions:
  802.11 MAC management: Association requests and actions
  802.11 proxy association requests and actions
  802.11e resource reservation
  802.11i authentication and key management

Remote Edge Access Point

Lightweight access point designed to be controlled across WAN links:
  REAP is designed to support remote offices by extending LWAPP control timers.
  Control traffic is still LWAPP encapsulated and sent to the Cisco Wireless LAN Controller.
  Client data is not LWAPP-encapsulated but is locally bridged.
  All management control and RF management is available when the WAN link is up and connectivity is available to the Cisco Wireless LAN Controller.
  It will continue to provide local connectivity even if the WAN is down.


REAP Limitations

REAP devices do not support 802.1Q trunking. All WLANs terminate on a single subnet.
If connectivity to the WLC is lost, only WLAN1 is supported.
Multiple WLANs are not recommended on REAP devices.
REAP devices support only Layer 2 security policies.
REAP devices and clients require a routable IP address provided locally and do not support NAT.


Hybrid REAP

H-REAP is a solution for small or branch offices and retail on the LWAPP Cisco IOS platforms.
H-REAP supports simultaneous tunneling and local bridging:
Local switching supports bridging traffic onto local VLANs.
Central switching supports tunneling traffic to the controller.
H-REAP provides more security options for the remote site:
Stand-alone mode does client authentication by itself (WPA-PSK, WPA2-PSK).
Connected mode uses the controller to complete client authentication (WPA-PSK, WPA2-PSK, VPNs, L2TP, EAP, and web auth).
Round-trip latency must not exceed 200 ms between the access point and the controller.
H-REAP supports NAT and PAT.
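The REAP and H-REAP constraints on these slides can be applied as a design check before a branch is built: which AP mode fits a site, and which WLANs keep working when the WAN to the controller is down. The Python below is an added example, not Cisco course material or Cisco tooling. The BranchSite and Wlan fields, the authentication labels, the "local-WLC" label for the fallback of placing a controller at the branch, and the rule that a centrally switched or controller-authenticated WLAN is unavailable while the WLC is unreachable are assumptions drawn from the slides; the sample site is constructed.

```python
"""Branch access point mode check against the REAP / H-REAP constraints.

Added example (not Cisco course material). Site and WLAN fields, the
authentication labels and the WAN-down rules are assumptions taken from
the slides; the sample site at the bottom is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Stand-alone H-REAP (WLC unreachable) can only complete PSK authentication itself.
STANDALONE_AUTH = {"WPA-PSK", "WPA2-PSK"}
# Layer 3 security policies: REAP supports Layer 2 policies only.
LAYER3_AUTH = {"WEB-AUTH", "VPN", "L2TP"}
H_REAP_MAX_RTT_MS = 200   # slide: AP <-> controller round-trip latency must not exceed 200 ms


@dataclass
class Wlan:
    name: str
    auth: str                  # "WPA-PSK", "WPA2-PSK", "EAP", "WEB-AUTH", "VPN", "L2TP"
    switching: str = "local"   # "local" (bridged at the AP) or "central" (tunnelled to the WLC)


@dataclass
class BranchSite:
    name: str
    rtt_ms: int                # measured round-trip latency from the AP to the WLC
    behind_nat: bool           # AP reaches the WLC through NAT/PAT
    wlans: List[Wlan] = field(default_factory=list)


def reap_issues(site: BranchSite) -> List[str]:
    """Reasons REAP does not fit this site; an empty list means REAP is viable."""
    issues = []
    if site.behind_nat:
        issues.append("REAP needs a locally routable address and does not support NAT")
    if len(site.wlans) > 1:
        issues.append("multiple WLANs are not recommended on REAP "
                      "(no 802.1Q trunking, one subnet for all WLANs, only WLAN1 survives WLC loss)")
    for w in site.wlans:
        if w.auth.upper() in LAYER3_AUTH:
            issues.append(f"{w.name}: {w.auth} is a Layer 3 policy; REAP supports Layer 2 security only")
        if w.switching == "central":
            issues.append(f"{w.name}: REAP bridges client data locally; no central switching")
    return issues


def hreap_issues(site: BranchSite) -> List[str]:
    """Reasons H-REAP does not fit (H-REAP supports NAT/PAT, so only latency is checked)."""
    if site.rtt_ms > H_REAP_MAX_RTT_MS:
        return [f"RTT {site.rtt_ms} ms exceeds the {H_REAP_MAX_RTT_MS} ms H-REAP limit"]
    return []


def recommend_mode(site: BranchSite) -> Tuple[str, List[str]]:
    """Prefer H-REAP (most security options), then REAP; otherwise a controller at the branch.

    "local-WLC" is this example's label for the branch controller options
    (appliance or integrated WLC) rather than a Cisco term.
    """
    hr = hreap_issues(site)
    if not hr:
        return "H-REAP", []
    rp = reap_issues(site)
    if not rp:
        return "REAP", hr
    return "local-WLC", hr + rp


def wlans_available_when_wan_down(site: BranchSite, mode: str) -> List[str]:
    """WLAN names that still serve clients while the WLC is unreachable.

    Assumptions: REAP keeps WLAN1 only; stand-alone H-REAP keeps locally switched
    WLANs whose authentication it can complete itself (PSK); a WLAN that is
    centrally switched or needs the controller for authentication is lost; a
    plain LWAPP AP with no reachable controller provides no service.
    """
    if mode == "REAP":
        return [site.wlans[0].name] if site.wlans else []
    if mode == "H-REAP":
        return [w.name for w in site.wlans
                if w.auth.upper() in STANDALONE_AUTH and w.switching == "local"]
    return []


if __name__ == "__main__":
    # Constructed sample site: EAP corporate WLAN tunnelled to the WLC, a PSK
    # WLAN bridged locally and a web-authenticated guest WLAN, behind NAT.
    site = BranchSite("branch-1", rtt_ms=80, behind_nat=True, wlans=[
        Wlan("corp", "EAP", "central"),
        Wlan("staff", "WPA2-PSK"),
        Wlan("guest", "WEB-AUTH"),
    ])
    mode, reasons = recommend_mode(site)
    print(site.name, "->", mode, reasons)
    print("usable with WAN down:", wlans_available_when_wan_down(site, mode))
```

The WAN-down report is the part worth reading in a design review: an H-REAP site whose only WLANs use EAP or web authentication has no usable WLAN once the controller is unreachable, so the branch needs either a locally authenticated (PSK) WLAN for that case or a controller on site.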


Example: H-REAP Deployment


Branch Office WLC Options

Appliance controllers:
Cisco 2006: Support for up to six access points
Cisco 4402-12, 4402-24

Integrated controllers:
Cisco Wireless LAN Controller Module for ISR
Cisco Catalyst 3750 Series Integrated WLAN Controller (support for 25, 50 access points)


Summary

An RF site survey is used to determine the RF characteristics of a wireless network and help determine access point placement.
Guest services are easily supported using EtherIP tunnels in the Cisco Unified Wireless Network.
Outdoor wireless networks are supported using outdoor access points and Cisco Wireless Mesh Networking access points.
Campus wireless network design provides RF coverage for wireless clients in the campus using lightweight access points. The access points are managed by Cisco Wireless LAN Controllers.
Branch wireless network design provides RF coverage for wireless clients in the branch. Central management of REAP or H-REAP access points can be supported.


Wireless Networking Review

Define the wireless requirements.
Conduct an RF site survey to define the RF characteristics in the environment.
Define access point deployment locations based on the site survey and customer requirements.
Determine the WLC design:
Redundancy (primary, secondary, tertiary)
Placement of WLCs in the distribution layer
Whether remote sites will use local or centralized controllers
Determine the number of mobility groups that you will need.
Plan how to support internal VLANs and guest access if needed.
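The WLC redundancy step (primary, secondary, tertiary) can be checked for the failure case before deployment: each lightweight AP carries an ordered controller list and joins the first reachable controller with free capacity, so a single WLC outage pushes its APs onto the next controller in their lists and can exceed that controller's AP limit. The Python below is an added example, not Cisco's own tooling. Controller names, AP counts and the two-AP tertiary controller are constructed; the six-AP limit mirrors the Cisco 2006 figure on the branch WLC slide, and the join logic (first up controller with capacity, in list order) is this example's model of deterministic redundancy.

```python
"""Deterministic WLC redundancy check: primary / secondary / tertiary controller lists.

Added example (not Cisco tooling). Controller names, AP limits and AP counts in
the sample design are constructed; the join rule is an assumption that models
the slide's deterministic controller redundancy.
"""
from typing import Dict, List, Optional, Set


class Controller:
    def __init__(self, name: str, max_aps: int, up: bool = True):
        self.name = name
        self.max_aps = max_aps   # access points this controller can serve
        self.up = up


def assign_aps(aps: Dict[str, List[str]],
               controllers: Dict[str, Controller]) -> Dict[str, Optional[str]]:
    """Join every AP to the first reachable controller in its list that has capacity.

    aps maps AP name -> [primary, secondary, tertiary]. APs are processed in name
    order so the result is deterministic for a given input. An AP whose whole list
    is down or full gets None (no controller, no service).
    """
    load = {name: 0 for name in controllers}
    placement: Dict[str, Optional[str]] = {}
    for ap in sorted(aps):
        placement[ap] = None
        for name in aps[ap]:
            ctl = controllers.get(name)
            if ctl is None or not ctl.up or load[name] >= ctl.max_aps:
                continue
            load[name] += 1
            placement[ap] = name
            break
    return placement


def failover_report(aps: Dict[str, List[str]], controllers: Dict[str, Controller],
                    failed: Set[str]):
    """Re-run the join with the given controllers down; return (placement, stranded APs)."""
    sim = {n: Controller(c.name, c.max_aps, up=c.up and n not in failed)
           for n, c in controllers.items()}
    placement = assign_aps(aps, sim)
    stranded = sorted(ap for ap, ctl in placement.items() if ctl is None)
    return placement, stranded


def single_failure_stranded(aps: Dict[str, List[str]],
                            controllers: Dict[str, Controller]) -> Dict[str, List[str]]:
    """For each controller, the APs left without service if only that controller fails.

    An empty list for every controller means the secondary/tertiary capacity covers
    any single WLC outage; a non-empty list shows where the design is short.
    """
    return {name: failover_report(aps, controllers, {name})[1] for name in controllers}


if __name__ == "__main__":
    # Constructed design: two six-AP controllers share ten APs, with a small
    # third controller as tertiary for all of them.
    ctls = {"wlc-a": Controller("wlc-a", 6),
            "wlc-b": Controller("wlc-b", 6),
            "wlc-c": Controller("wlc-c", 2)}
    aps = {f"ap{i:02d}": ["wlc-a", "wlc-b", "wlc-c"] for i in range(1, 6)}
    aps.update({f"ap{i:02d}": ["wlc-b", "wlc-a", "wlc-c"] for i in range(6, 11)})
    print("normal:", assign_aps(aps, ctls))
    for name, stranded in single_failure_stranded(aps, ctls).items():
        print(f"if {name} fails, stranded APs: {stranded}")
```

In the constructed design both six-AP controllers run at five APs, which looks comfortable until one fails: the survivor absorbs only one more AP, the tertiary takes two, and two APs are left with no controller. The report makes that capacity shortfall visible at design time rather than during the outage.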


Cisco Unified Wireless Network Review


Module Summary

Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on WLCs that control LWAPP access points.
The Cisco Unified Wireless Network provides transparent roaming, supporting both intracontroller and intercontroller roaming.
Deterministic controller redundancy with integrated RRM provides the highest-quality roaming experience.
An RF survey in a wireless network design determines the characteristics of the wireless network and access point placement to provide optimal RF coverage for wireless clients.


Implementing and Operating the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Reviewing Design and Implementation Resources

Implementing and Operating the Network


Solution Reference Network Design Guides

Focus on the specific solution
Provide an overview of relevant technologies
Give a description of the architecture
Offer recommended design practices
Provide configuration examples
Are available for the following areas:
Campus
WAN and MAN
Data center
Security
Branch office
Unified communications
Teleworker
Wireless


Cisco Networkers Online Subscription

200+ technical training sessions, including:
Application Optimization Technologies
Contact Center Technologies
Data Center Technologies
Network Access and Aggregation Technologies
Network Management Services Technologies
Optical and Metro Ethernet Technologies
Routing and Switching Technologies
Security Technologies
Storage Technologies
Voice and Video Technologies

www.networkersonline.net

Summary of Cisco CCNP Courses

Building Cisco Multilayer Switched Networks (BCMSN): recommended prerequisite for Designing for Cisco Internetwork Solutions
Building Scalable Cisco Internetworks (BSCI)
Implementing Secure Converged Wide Area Networks (ISCW)
Optimizing Converged Cisco Networks (ONT)


Building Cisco Multilayer Switched Networks v3.0

Use the Cisco hierarchical network model for campus networks
Define VLANs to segment network traffic and use
Implement spanning-tree operation
Implement and verify inter-VLAN routing
Implement high-availability technologies and techniques
Describe and configure wireless LAN access
Describe and implement security features
Describe and configure switch to support voice

Covers skills required to build enterprise-class switched networks with integrated VoIP and wireless applications


Building Cisco Multilayer Switched Networks v3.0 Course Flow

Five-day schedule (AM and PM sessions) covering: Course Introduction, Network Requirements, Defining VLANs, Implementing Spanning Tree, Inter-VLAN Routing, Implementing High Availability, Wireless LAN, Minimizing Service Loss, Configuring Campus Switches for Voice.


Building Scalable Cisco Internetworks v3.0

Explain routing in the enterprise network
Implement Cisco IOS routing features
Implement and verify EIGRP operations
Implement and verify BGP for enterprise ISP connectivity
Build a scalable multiarea network with OSPF
Implement and verify multicast forwarding using PIM
Configure integrated IS-IS in a single area
Implement IPv6 in an enterprise network

Covers skills required to build enterprise router networks with mixed, integrated internal and external routing protocols


Building Scalable Cisco Internetworks v3.0 Course Flow

Five-day schedule (AM and PM sessions) covering: Course Introduction, Network Requirements, Configuring EIGRP, Configuring OSPF, Configuring IS-IS Protocol, Manipulating Routing Updates, Implementing BGP, Implementing Multicast, Implementing IPv6.


Implementing Secure Converged Wide Area Networks v1.0

Explain the Cisco hierarchical network model as it pertains to the WAN
Describe and implement teleworker configuration and access
Implement and verify frame mode MPLS
Describe and configure Cisco Easy VPN
Explain the strategies used to mitigate network attacks
Describe and configure Cisco device hardening
Describe and configure Cisco IOS firewall features
Describe and configure a site-to-site IPsec VPN

Covers skills for securing and expanding the reach of the enterprise network to teleworkers and remote sites. The focus is on securing remote access and VPN client configuration.

Implementing Secure Converged Wide Area Networks v1.0 Course Flow

Five-day schedule (AM and PM sessions) covering: Course Introduction, Network Requirements, Connecting Teleworkers (Simulation 2-1), Implementing Frame Mode MPLS (Lab 3-1), IPsec VPNs (Labs 4-1 to 4-4), Cisco Device Hardening (Labs 5-1 to 5-3), Cisco IOS Threat Defense Features (Labs 6-1 to 6-3).


Optimizing Converged Cisco Networks v1.0

Explain the Cisco hierarchical network model as it pertains to an end-to-end enterprise network
Describe specific requirements for implementing a VoIP network
Describe the need to implement QoS and the methods for implementing QoS on a converged network
Explain the key IP QoS mechanisms used to implement the DiffServ QoS model
Configure Auto QoS for Enterprise
Describe and configure wireless security and basic wireless management

Covers techniques and skills to optimize QoS in converged networks supporting voice, wireless, and security applications


Optimizing Converged Cisco Networks v1.0 Course Flow

Five-day schedule (AM and PM sessions) covering: Course Introduction, Describing Network Requirements, Describe Cisco VoIP Implementations, Introduction to IP QoS, Implement the DiffServ QoS Model, Implement Wireless Scalability; hands-on work includes Labs 2-1 and 2-2, Case Study 3-1, Lab 3-2, Labs 4-1 to 4-6, Labs 5-1 to 5-3, and Labs 6-1 to 6-4.


Designing Cisco Network Service Architectures (ARCH) v1.2

Presents the Cisco AVVID framework
Create intermediate network designs for:
Enterprise campus infrastructure
Enterprise edge infrastructure
Network management
High availability
Security
QoS
IP multicast
VPNs
Wireless
IP telephony
This is the next course in the design certification track.

Designing Cisco Network Service Architectures v1.2 Course Flow

Five-day schedule (AM and PM sessions) covering: Course Introduction, Introducing Cisco Network Service Architectures, Designing Enterprise Campus Networks, Designing Enterprise Edge Connectivity, Designing Network Management Services, Designing High-Availability Services, Designing Security Services, Designing QoS, Designing IP Multicast Services, Designing VPNs, Designing Enterprise Wireless Networks, Designing IP Telephony Services, Wrap-Up.


Foundation Courses for Channel Partners

Foundation Express for Account Managers (FXS)
Foundation Express for System Engineers (CFXSE)
Foundation Express for Field Engineers (CFXFE)


Security Courses
Securing Cisco Network Devices (SND)
Securing Networks with Cisco Routers and Switches (SNRS)
Implementing Cisco Intrusion Prevention System (IPS)
Securing Networks with PIX and ASA (SNPA)
Cisco Secure Virtual Private Networks (CSVPN)


Voice Courses
Implementing Cisco Quality of Service (QOS)
Cisco Voice over IP Fundamentals (CVF)
Cisco Voice over IP (CVOICE)
Cisco IP Telephony Part 1 (CIPT1)
Cisco IP Telephony Part 2 (CIPT2)
IP Telephony Troubleshooting (IPTT)
Implementing Cisco Voice Gateways and Gatekeepers (GWGK)
IP Telephony Design (IPTD)


Wireless Courses
Aironet Wireless LAN Fundamentals and Site Survey (AWFSS)
Aironet Wireless LAN Advanced Topics (AWLAT)
Cisco Wireless LAN Fundamentals (CWLF)
Cisco Wireless LAN Advanced Topics (CWLAT)
Cisco Unified Wireless Networking (CUWN)
Cisco Wireless Mesh Networking (CWMN)


Summary

SRND guides provide deployment scenarios incorporating Cisco products and technologies into a tested architecture.
Cisco Networkers Online provides introductory to advanced training sessions on a subscription basis.
The Building Scalable Cisco Internetworks, Implementing Secure Converged Wide Area Networks, and Optimizing Converged Cisco Networks courses provide additional theory and detailed configuration information that supports enterprise network design and implementation.
Designing Cisco Network Service Architectures is the next course in the design certification track.
Cisco specialization courses provide in-depth, hands-on training supporting security, voice, and wireless.
