
Main Office with ISR

Cisco Secure Network Foundation Smart Designs

2008 Cisco Systems, Inc. All rights reserved.

SMBEN v2.04-1

Lesson Overview
Upon completing this lesson, you will be able to identify SNF architecture designs that meet customer needs. This ability includes being able to meet these objectives:
Discuss the components of SNF design
Articulate the relevant main office models of the SNF Architecture Guide
Describe the Layer 2 and Layer 3 LAN designs


Main Office


SNF Smart Design Goals


This design addresses the needs of a typical SMB by providing:
A foundation design that can handle as many as 96 users
A flexible design that allows for later addition of enhanced capabilities
Secure Internet access
Secure network infrastructure
Best-in-class WAN and LAN switching
Voice-ready design, adapted for future deployments
Complete network design for rapid deployment
Entire system configurable via easy-to-use graphical tools: Cisco Network Assistant and Cisco SDM

SNF Smart Design Architecture Framework Considerations


The Smart Design Architecture Framework outlines considerations for implementing the various deployment options in the following sections:
Business locations
Services offered
Smart Design Architecture: architecture models and components
Choosing between hybrid and integrated models


Main Office with Integrated Router


Figure: Main office with integrated router. Components shown: WAN/Internet; integrated router; DMZ (web servers, e-mail servers, etc.); centralized call processing and Unity server; aggregation switch; access switches.


Main Office WAN Services

Figure: Main office WAN services. Components shown: main office with ISR, aggregation switch and access switch; teleworker connected over DSL/cable through an 800 ISR or Linksys router; mobile worker; Internet.


Main Office Services Offered


IP address conservation (NAT)
Internet access
Access to main office servers (such as HTTP, e-mail, DNS)
IP telephony support
Centralized call control
Infrastructure to support video traffic
Multicast from main office (sender)
VPN with Dynamic Multipoint VPN
VPN with Easy VPN
VPN with SSL VPN


Main Office Services Offered (Cont.)


Single WAN interface for Internet and inter-site traffic
Dual WAN interfaces for redundancy
Dual Cisco ASAs for active-standby redundancy
Protection against access switch failure (via redundant access switches)
Protection against access switch uplink failure (via redundant links)
Firewall
IPS (optional)
Infrastructure protection
Monitoring of WAN router health, with notification via e-mail/syslog


Main Office Network Infrastructure


Dynamic routing
VPN (Dynamic Multipoint VPN)
VPN (Easy VPN)
VPN (SSL VPN)
QoS
Voice ready
Video ready
Multicast
Firewall
IPS
Infrastructure security
GUI-based configuration

Architecture Framework Variations


Integrated model
Hybrid model
Simplified Design with Layer 2 LAN


Integrated vs. Hybrid Models for the Main Office


Figure: Integrated model versus hybrid model.
Integrated model: WAN/Internet; WAN router(s) with firewall functionality integrated; aggregation switch; DMZ servers; local servers (call processing, DHCP, etc.); access switches.
Hybrid model: WAN/Internet; WAN router; separate firewall; aggregation switch; DMZ servers; local servers (call processing, DHCP, etc.); access switches.


Simplified Design with Layer 2 LAN

Figure: Simplified design with Layer 2 LAN. Main office: 2800 ISR, Catalyst Express 500G 12TC aggregation switch, Catalyst Express 500 24PC access switch; teleworker with an 800 ISR; mobile worker; Internet.


SNF Design Comparison


                                     Hybrid design            Integrated design                 Layer 2 LAN design
Target network size                  High (up to 250 users)   High to medium (up to 250 users)  Low (up to 99 users)
Uses separate security appliance     Yes                      No                                No
Supports branch offices              Yes                      Yes                               No
Supports teleworkers/mobile workers  Yes                      Yes                               Yes
GUI-based provisioning focus         Low                      Low                               High
Design supports high availability    Yes                      Yes                               No


Hardware Components
Number of users  Router       Aggregation switch          Access switch
0-24             Cisco 2801   None                        Catalyst Express 500-24PC (1)
25-36            Cisco 2811   Catalyst Express 500G-12TC  Catalyst Express 500-24PC (2)
37-48            Cisco 2821   Catalyst Express 500G-12TC  Catalyst Express 500-24PC (2)
49-96            Cisco 2851   Catalyst Express 500G-12TC  Catalyst Express 500-24PC (3-4)


Layer 2 LAN Design


Figure: Layer 2 LAN. The WAN router connects over an 802.1Q trunk (10/100/1000 Mbps) to the aggregation switch, which connects over 802.1Q trunks to the access switches. VLANs shown: local service VLAN 4 (AAA server), Cisco data VLAN 31, Cisco voice VLAN 41.

Possible LAN designs
Layer 3 processing at the WAN router only
Layer 3 processing at the WAN router and aggregation switch
Layer 3 processing at the WAN router, aggregation switch, and access switches

VLANs
VLAN name       VLAN number  VLAN description at the main office
Cisco-Data      31           Carries traffic from/to PCs
Cisco-Voice     41           Voice traffic
Local-Services  4            Optional; used to connect a server such as an AAA server to authenticate users, or other servers providing local services not accessible from the Internet


802.1Q Trunking and STP


Figure: 802.1Q trunking and STP in the Layer 2 LAN. Same topology as the Layer 2 LAN figure (WAN router, 802.1Q trunks at 10/100/1000 Mbps, aggregation switch, access switch; local service VLAN 4, Cisco data VLAN 31, Cisco voice VLAN 41), with STP running across the trunked links.


SmartPorts Roles
Switch model, port type and number, recommended SmartPort role, and recommended SmartPort parameters:

WS-CE500-24PC (access switch)
  Fast Ethernet ports 1 to 24 (connected to PCs, phones): role phone+desktop; data VLAN = 31, voice VLAN = 41
  Gigabit Ethernet or SFP module ports 1 and 2 (connected to aggregation switch): role switch; note: all VLANs are trunked

WS-CE500G-12TC (aggregation switch)
  Gigabit Ethernet ports 1 to 8 (connected to any server): role server; use access VLAN = the VLAN for the server (for AAA and CUCM, this VLAN is 4)
  Gigabit Ethernet or SFP module ports 9 to 12 (connected to switch or router): role switch or router, depending on where it is connected; note: all VLANs are trunked

CUCM = Cisco Unified Communications Manager


WAN Design

Figure: WAN design. Main office: 2800 ISR with Catalyst Express switches; teleworker connected over DSL/cable through an 800 ISR or Linksys router; mobile worker; Internet.


Layer 3 Design

Layer 3 Services
IP routing
IP routing protocols
IP addressing and DHCP
DNS
Network Address Translation
NTP
QoS


Layer 3 Design: IP Addressing and DHCP


Figure: the 2800 ISR acts as the integrated DHCP server; a laptop on the data VLAN subnet receives 10.11.31.y and an IP phone on the voice VLAN subnet receives 10.11.41.x.

Address pools:
Voice VLAN pool: 10.11.41.0/24
Data VLAN pool: 10.11.31.0/24

IP Addressing Considerations
Voice and data VLANs
DHCP address assignment
DNS name to IP address resolution

Layer 3 Design: NAT


Figure: NAT on the WAN router. NAT inside: hosts on the data VLAN subnet (labelled 10.11.31.9/24 and 11.31.108/24). NAT outside: the public IP address 50.101.1.1 toward the Internet.

NAT translation table:
Inside IP     Outside IP
10.11.31.9    50.101.1.1:5001
10.11.31.19   50.101.1.1:5006
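The translation table above is the many-to-one form of NAT (Port Address Translation, "NAT overload"), which is what makes the "IP address conservation" service possible: every inside host on 10.11.31.0/24 leaves through the single public address 50.101.1.1 and is told apart by the translated source port. The following Python model is an added example written for this page; it is not Cisco code and not taken from the deck. The inside and outside addresses are the ones on the slide; the flows, inside ports and the order in which public ports are handed out are constructed, and the port-exhaustion check is the model's own failure-mode handling.

```python
"""
Port Address Translation (PAT, often called NAT overload), modelled as a small
translation table: many inside hosts on 10.11.31.0/24 share the single public
address 50.101.1.1 and are told apart by the translated source port.

Added example, not Cisco code. The inside/outside addresses are the ones on the
slide; the flows, inside ports and port-allocation order are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Translation:
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


class PatTable:
    """Allocates one public port per (protocol, inside address, inside port)."""

    def __init__(self, public_ip: str, first_port: int = 5001, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # Outbound lookups: (proto, inside_ip, inside_port) -> Translation
        self._by_inside: Dict[Tuple[str, str, int], Translation] = {}
        # Inbound lookups: (proto, outside_port) -> Translation
        self._by_outside: Dict[Tuple[str, int], Translation] = {}

    def available_ports(self) -> int:
        """Public ports not yet handed out; this pool is the conserved resource."""
        return self._last_port - self._next_port + 1

    def outbound(self, proto: str, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        """Translate a packet leaving the inside network.

        The first packet of a flow creates the entry; later packets reuse it,
        so a host keeps the same public port for the life of the flow.
        """
        key = (proto, inside_ip, inside_port)
        entry = self._by_inside.get(key)
        if entry is None:
            if self.available_ports() <= 0:
                # Failure mode: the shared public address has no free ports left.
                raise RuntimeError("PAT port pool exhausted for " + self.public_ip)
            entry = Translation(proto, inside_ip, inside_port, self.public_ip, self._next_port)
            self._next_port += 1
            self._by_inside[key] = entry
            self._by_outside[(proto, entry.outside_port)] = entry
        return (entry.outside_ip, entry.outside_port)

    def inbound(self, proto: str, outside_port: int) -> Optional[Tuple[str, int]]:
        """Reverse-translate a packet arriving on the public address.

        Returns None when no entry exists: unsolicited traffic from the
        Internet has nowhere to go and is dropped, which is why PAT also
        acts as a coarse inbound filter (not a substitute for the firewall).
        """
        entry = self._by_outside.get((proto, outside_port))
        if entry is None:
            return None
        return (entry.inside_ip, entry.inside_port)

    def entries(self) -> List[Tuple[str, str]]:
        """Rows in the shape of the slide's table: inside IP, outside IP:port."""
        return [(e.inside_ip, f"{e.outside_ip}:{e.outside_port}") for e in self._by_inside.values()]


def demo() -> Dict[str, str]:
    """Constructed flows that reproduce the two rows shown on the slide."""
    table = PatTable("50.101.1.1")
    # Six inside hosts each open one TCP flow; ports 5001..5006 are handed out in order,
    # so .9 lands on 5001 and .19 on 5006 as in the slide's table.
    flows = [("10.11.31.9", 40001), ("10.11.31.10", 40002), ("10.11.31.11", 40003),
             ("10.11.31.12", 40004), ("10.11.31.13", 40005), ("10.11.31.19", 40006)]
    for inside_ip, inside_port in flows:
        table.outbound("tcp", inside_ip, inside_port)
    return dict(table.entries())


if __name__ == "__main__":
    for inside_ip, outside in demo().items():
        print(f"{inside_ip:<14} {outside}")
```

Two points the table on the slide does not make explicit are visible in the model: a return packet is only delivered if it hits an existing entry, and the public port range is a finite pool, so a single public address has a hard ceiling on concurrent flows.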


Layer 3 Design: NTP


Ensures accurate local time synchronization within a network
Maintained by a master source, typically a radio or atomic clock on the Internet
Ensures network events and messages contain accurate time information
Needed for collecting call-detail records and generating billing reports


Layer 3 Design: QoS


QoS provides:
Dedicated bandwidth support for specific types of traffic
Improved traffic loss characteristics
Network congestion avoidance and management techniques
Traffic shaping to smooth intermittent bursts
Traffic prioritization across a network
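The bullets above describe behaviours rather than a mechanism. The Python model below is an added example for this page (not Cisco code and not from the deck) that puts four of them together in one scheduler: a priority queue for voice that is policed to a dedicated rate, a default queue for data, and a token-bucket shaper on the link that smooths bursts and decides what waits under congestion. The link rate, voice allowance, packet sizes and traffic mix are all constructed values.

```python
"""
A strict-priority scheduler with a policed priority (voice) queue and a
token-bucket link shaper: a simplified model of the QoS behaviours the slide
lists (dedicated bandwidth for one class, prioritisation, shaping of bursts,
congestion management). Added example, not Cisco code; the rates, packet sizes
and traffic mix are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


class TokenBucket:
    """Tokens are bytes, refilled at `rate` bytes/second up to a `burst` ceiling."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = burst  # starts full
        self.last = 0.0

    def has(self, nbytes: int, now: float) -> bool:
        """Refill for the elapsed time, then report whether nbytes fit (without consuming)."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + self.rate * elapsed)
        self.last = now
        return self.tokens >= nbytes

    def take(self, nbytes: int) -> None:
        self.tokens -= nbytes


@dataclass
class Packet:
    cls: str   # "voice" or "data"
    size: int  # bytes


class PriorityScheduler:
    """Voice is served first but only within its policed rate; data gets the rest of the link."""

    def __init__(self, link_rate: float, link_burst: float,
                 voice_rate: float, voice_burst: float) -> None:
        self.link = TokenBucket(link_rate, link_burst)             # shaper for the whole link
        self.voice_policer = TokenBucket(voice_rate, voice_burst)  # dedicated voice bandwidth
        self.queues: Dict[str, Deque[Packet]] = {"voice": deque(), "data": deque()}

    def enqueue(self, pkt: Packet) -> None:
        self.queues[pkt.cls].append(pkt)

    def dequeue(self, now: float) -> Optional[Packet]:
        voice, data = self.queues["voice"], self.queues["data"]
        # Priority class first, but only while it is within its policed rate, so a
        # burst of voice cannot starve data. Both buckets are checked before either
        # is consumed, which keeps them consistent when one of them refuses.
        if voice and self.voice_policer.has(voice[0].size, now) and self.link.has(voice[0].size, now):
            pkt = voice.popleft()
            self.voice_policer.take(pkt.size)
            self.link.take(pkt.size)
            return pkt
        # Otherwise the default class, limited only by the link shaper.
        if data and self.link.has(data[0].size, now):
            pkt = data.popleft()
            self.link.take(pkt.size)
            return pkt
        return None  # nothing eligible this instant: excess waits instead of leaving in a burst

    def drain(self, now: float) -> List[str]:
        """Send everything eligible at time `now`; returns the classes in transmit order."""
        sent: List[str] = []
        while (pkt := self.dequeue(now)) is not None:
            sent.append(pkt.cls)
        return sent


def run_demo() -> List[str]:
    """Link of 1000 B/s; voice guaranteed (and capped at) 200 B/s. Constructed traffic."""
    sched = PriorityScheduler(link_rate=1000, link_burst=1000, voice_rate=200, voice_burst=200)
    for _ in range(3):
        sched.enqueue(Packet("voice", 100))
    for _ in range(5):
        sched.enqueue(Packet("data", 200))
    # At t=0 two voice packets fit the voice allowance and four data packets fill the link;
    # the third voice packet and the fifth data packet wait for tokens and go at t=1.
    return sched.drain(0.0) + sched.drain(1.0)


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noticing is the policer on the priority queue: without it, strict priority would let any traffic that reached the voice queue (including mis-marked or malicious traffic) take the whole link, which is why a priority class is normally paired with a cap.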


SNF: Integrated Security Design


Infrastructure Protection
Secure device access
Port-based security
Disable unused services
Traffic control
Spanning-tree protection
Enable necessary services

Policy Enforcement
Anti-spoofing services
Virus prevention
Unauthorized access prevention

Intrusion Prevention
Worm mitigation

Secure Connectivity
Virtual private network


Q&A


Lesson Summary

The SMB Smart Design addresses the secure infrastructure needs of a typical small business and provides many benefits. Three variations of the Smart Design architecture framework are available: the Integrated model, the Hybrid model, and the Simplified Design with Layer 2 LAN. LAN designs, which can consist of core, distribution, and access layers, are typically deployed in one of three ways using either Layer 2 or Layer 3 LAN considerations.
