Session ID 20PT
Smart Business Architecture for Enterprise
Ben Thomas
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential BRKSPM-2604_c1 2
Agenda
Cisco Smart Business Architecture - Intro
Using SBA Deployment Guides
SBA Design Methodology
Key Aspects of the Design
Summary and Closing
Guidance in This Presentation Uses the Following SBA Principles…
Ease of Deployment: Deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.
Flexibility and Scalability: The architecture can grow with the organization without being redesigned.
Resiliency and Security: The architecture keeps the network operating even during unplanned outages and attacks.
Easy to Manage: The deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.
Advanced Technology Ready: Implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.
SBA Enterprise Architecture
The Challenge
I want to design and deploy a network....
Which platform should I choose? There are many to choose from at each place in the network (product examples shown on the slide: Catalyst 2960S, ASR1000, WAE-7341).
What are the best practices?
How do I manage it?
How do I put it all together?
How can I do it quickly?
How can I anticipate what the network might need to do in the future so I don't have to revisit my design and deployment?
Cisco Smart Business Architecture
Overview
Tested: A reference design, tested, and supported by Cisco
Optimized: One architecture optimized for two sizes of organizations
• Midsize Organizations with up to 2,500 users
• Enterprise Organizations with 2,000–10,000 users
Flexible: Flexible architecture to help ensure easy migration as the organization grows
Comprehensive: Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest
Secure: Security and high availability for corporate information resources and Internet-facing applications
Performance: Improved WAN performance and cost reduction through the use of WAN optimization
SBA Deployment Guide Structure
Within the Deployment Guide:
Business Overview: Each solution outlines the business issues or problems relevant to the organization.
Technical Overview: This section discusses how the technology is implemented within the specific architecture to address the business issues.
Deployment Details: Organized as Processes; each Process is made up of Procedures, and each Procedure is made up of Steps.
SBA Deployment Guide (Sample Page)
SBA LAN Design
Hierarchical Network Design
Building block: Access, Distribution, Core, Distribution, Access
Each layer has a specific role
Modular topology—building blocks
Easy to grow, understand, and troubleshoot
Creates small fault domains—clear demarcations and isolation
Promotes load balancing and redundancy
Also maps well to our session agenda!
Access Layer Attributes
Transparent Ethernet network access
Wired 10/100/1000
Wireless 802.11a/b/g/n
Simplified and flexible design
Layer 2 edge for applications that require spanned VLANs
Avoid Spanning Tree loops for resiliency
Policy enforcement point
Secure network and applications from malicious attacks
Packet marking for QoS
Advanced Technologies support
Deliver PoE services: 802.3af(PoE) and 802.3at(PoE+)
QoS enforcement to protect multimedia applications
SBA Access Layer Design
A common deployment method is used for all access layer devices in the design, whether they are located in the headquarters or at a remote site.
A single interface configuration is used for a standalone computer, an IP phone, an IP phone with an attached computer, or a wireless access point.
The LAN access layer is configured as Layer 2 only; all Layer 3 services are provided by the directly connected distribution layer switch or router.
(Diagram: a wireless access point, a user, and an IP phone connect to the access switch, which uplinks to either a distribution switch or a remote-site router. Uniform deployment in the network.)
3750-X and 2960-S Resiliency
A stack of Catalyst 2960-S or 3750-X Series switches (S1, S2, S3) operates as a single logical switch. The stack master provides central control over all members of the stack.
To increase resiliency in a 3750-X or 2960-S stack of three or more switches:
Configure the stack master on a switch that does not have uplinks configured. A master that also carries uplinks creates a double failure when it goes down.
Ensure that the original stack master MAC address (example on the slide: 00:BB:AA:CC:DD:FF) remains the stack MAC address after a failure, to prevent a protocol restart.
Platform Specific Configuration
stack-mac persistent timer 0
switch [switch number] priority 15
Cisco Smart Business Architecture – Enterprise Borderless Networks: Revision H2CY10
Resiliency Features for LAN Switches
Rapid PVST+ for Layer 2 loop detection
Greatly improves the detection of indirect failures or linkup restoration events over classic spanning tree.
UDLD to detect and protect against unidirectional links caused by incorrect physical interconnects that can cause spanning tree loops
Works for switch inter-connects using fiber-optic or twisted-pair Ethernet cables
VTP allows for centralized creation of VLANs. Unless you have a large Layer 2 domain, configure the switches in VTP transparent mode so that they ignore VTP updates but still pass them on to other devices.
Global LAN Switch Configuration
spanning-tree mode rapid-pvst
udld enable
vtp mode transparent
Client Facing Interfaces
A single port profile is used for all access ports.
Where only end-device connectivity is provided at the access layer, shorten the time it takes for the interface to go into a forwarding state by enabling PortFast, disabling 802.1Q trunking, and disabling channel grouping (the switchport host macro does all three).
To enable QoS, apply the AccessEdgeQoS macro:
Access Switch Configuration
interface range [interface type] [port number]–[port number]
 switchport access vlan [data vlan]
 switchport mode access
 switchport voice vlan [voice vlan]
 switchport host
 macro apply AccessEdgeQoS
The host interface configuration supports PCs, phones, or wireless access points.
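The global resiliency settings and the single access-port profile above are easy to state and easy to drift from. The following Python script is an added example (not from the SBA deck or from Cisco) that audits an IOS running-config against those two slides. The configuration text, VLAN numbers (64 data, 69 voice) and interface names are constructed for the example. It assumes that, in a running-config, the switchport host macro appears as its expanded effect (switchport mode access plus spanning-tree portfast, with no channel-group) and that an applied macro leaves a "macro description AccessEdgeQoS" line under the interface.

```python
"""Audit an IOS access-switch configuration against the SBA baseline.

Added example, not part of the SBA deck: checks the global resiliency
commands (rapid-pvst, udld enable, vtp mode transparent) and that every
port carrying an access VLAN follows the single SBA host-port profile.
"""

# Constructed sample running-config; GigabitEthernet1/0/2 is deliberately
# wrong (trunk mode, no portfast) and "udld enable" is missing globally.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
vtp mode transparent
!
interface GigabitEthernet1/0/1
 switchport access vlan 64
 switchport mode access
 switchport voice vlan 69
 spanning-tree portfast
 macro description AccessEdgeQoS
!
interface GigabitEthernet1/0/2
 switchport access vlan 64
 switchport mode trunk
 switchport voice vlan 69
 macro description AccessEdgeQoS
!
interface GigabitEthernet1/0/49
 description uplink to distribution
 switchport mode trunk
 channel-group 1 mode on
!
"""

GLOBAL_REQUIRED = ("spanning-tree mode rapid-pvst", "udld enable", "vtp mode transparent")


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # "!" separates sections in IOS output
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (scope, finding) tuples; an empty list means the config matches the profile."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for required in GLOBAL_REQUIRED:
        if required not in global_lines:
            findings.append(("global", f"missing '{required}'"))
    for name, cmds in interfaces.items():
        # Only ports with an access VLAN are host ports; uplinks are out of scope here.
        if not any(c.startswith("switchport access vlan") for c in cmds):
            continue
        if "switchport mode access" not in cmds:
            findings.append((name, "not in access mode"))
        if "spanning-tree portfast" not in cmds:
            findings.append((name, "spanning-tree portfast missing (switchport host not applied)"))
        if any(c.startswith("channel-group") for c in cmds):
            findings.append((name, "channel-group present on a host port"))
        if not any(c.startswith("switchport voice vlan") for c in cmds):
            findings.append((name, "no voice VLAN"))
        # Assumption for this example: "macro apply" leaves a macro description line.
        if "macro description AccessEdgeQoS" not in cmds:
            findings.append((name, "AccessEdgeQoS macro not applied"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run it against the output of show running-config; the uplink check is intentionally narrow (ports without an access VLAN are skipped), so extend the filter if your design uses access VLANs on trunk ports.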
Simplified Distribution Layer Design
Traditional two box distribution layer has many points to manage: a First Hop Routing Protocol (FHRP) for a resilient IP default gateway, spanning tree loop avoidance, and multiple boxes to manage.
SBA Distribution Layer uses a "Single Box Design":
Two switches acting as a single logical switch (Catalyst 6500 Virtual Switching System)
A single highly redundant switch
A multiple member switch stack acting as a single logical switch
Simplified Design Benefits
Fewer boxes to manage
Simplified configuration
Logical hub and spoke topology
Simplified Distribution Layer Design
Traditional designs:
Looped design with spanned VLANs: relies on STP to block loops, which reduces available bandwidth
Loop free design: can increase bandwidth, but still relies on FHRP and leaves multiple distribution layer boxes to configure
SBA Design:
Uses EtherChannel for resilient links with all links forwarding
No need for FHRP; the single logical switch acts as the single default IP gateway
Works with VLAN-per-closet or few-VLANs-spanned designs (diagram: VLAN 30 spanned across three closets, or VLAN 10, 20, 30 one per closet)
Logical hub and spoke topology
Reduced dependence on Spanning Tree – keep it enabled for edge protection (RPVST+)
Distribution Layer IP Unicast Routing
EIGRP was chosen for simplicity, scalability, and flexibility
Enable EIGRP for the address space in use
Disable automatic summarization of the IP networks
Make all routed links passive by default (peering is then enabled explicitly only on the links that need it)
Tie the EIGRP router-id to Loopback 1 for maximum resiliency
Single Logical Distribution Layer design (Layer 2 toward the access layer, Layer 3 toward the core and WAN)
Uses Stateful Switchover (SSO) and Non-Stop Forwarding (NSF)
SSO provides sub-second failover to the redundant supervisor
NSF maintains packet forwarding while the control plane recovers
SBA Distribution Layer Configuration
router eigrp [as number]
 network [network] [inverse mask]
 no auto-summary
 passive-interface default
 eigrp router-id [ip addr of loopback 1]
 nsf
NSF Capable
•Works on a dual supervisor system
•Signals the peer of SSO and to delay adjacency timeout
•Once the control plane recovers, re-establishes peering
NSF Aware
•Nothing to enable.
•Only need an IOS version that supports NSF for EIGRP
Core Layer Attributes
Do I need a Core Layer?
Primary function is distribution layer aggregation for large or geographically dispersed LAN deployments
Lowers the complexity and cost of a fully meshed distribution layer
Must be highly resilient with no single points of failure in the design
No high touch/high complexity services
Avoid constant tuning or configuration changes
Layer 3 transport
No Spanning Tree convergence or blocking
SBA Security Design
Internet Edge Designs
Two design options:
Internet Edge 5k offers a single connection to one ISP (ISP A): IE router, outside switch, Cisco ASA 5520 with IPS, DMZ switch with Internet servers, Cisco WSA and Cisco ESA, connected to the collapsed core+distribution of the internal network.
Internet Edge 10k offers dual Internet connections (ISP A and ISP B) in Active/Standby mode: IE routers, outside switch, Cisco ASA 5540 + IPS as the firewall, a separate Cisco ASA 5520/40 for remote access (RA) VPN, DMZ switch with Internet servers, Cisco WSA and Cisco ESA, connected to the collapsed core+distribution of the internal network.
Email Security Appliance: Organization Overview
(Diagram: Internet, ASA firewall with the ESA on the DMZ, inside network.)
There are two major problems with email in networks today:
Floods of unsolicited and unwanted emails (spam)
Large numbers of emails used for phishing
Email is a critical business service; it can be as important as telephone service.
Solutions for this problem include hosted services that provide filtering as part of the email solution, or network solutions that are installed in front of a local email server.
The goal of the solution is to filter out positively identified spam and quarantine or discard emails sent from untrusted or potentially hostile locations.
Anti-virus (AV) scanning is applied to emails and attachments from all servers to remove known malware.
SenderBase Reputation Filtering: Real Time Threat Prevention
Incoming mail (good, bad, and unknown email) passes through reputation filtering and then IronPort Anti-Spam:
• Known good is delivered
• Suspicious is rate limited and spam filtered
• Known bad is blocked
Cisco on Cisco: Our Corporate Email Experience
Message Category | % | Messages
Stopped by Reputation Filtering | 93.1% | 700,876,217
Stopped as Invalid Recipients | 0.3% | 2,280,104
Spam Detected | 2.5% | 18,617,700
Virus Detected | 0.3% | 2,144,793
Stopped by Content Filter | 0.6% | 4,878,312
Total Threat Messages | 96.8% | 728,797,126
Clean Messages | 3.2% | 24,102,874
Total Attempted Messages | | 752,900,000
ESA Technology Overview
Acts as a Mail Transfer Agent (MTA)
Can be deployed with a single physical interface
Uses reputation-based and context-based filters
Uses Virus Outbreak Filters and AV signatures to fight viruses
Supports DLP for policy based filtering
Phishing Demo (Unfiltered)
Phishing Demo (Filtered)
WSA Technology Overview
The Cisco ASA redirects HTTP and HTTPS connections to the WSA using the Web Cache Communication Protocol (WCCP).
Determine how web traffic will be sent to the WSA: explicit or transparent mode
Determine what type of physical topology will be used
Most common method is to combine management and proxy services onto the management interface
Transparent redirection flow (user community on the LAN, Cisco ASA, Cisco WSA, Internet):
1. User initiates a web request
2. ASA firewall redirects the request to the Cisco WSA
3. WSA checks the request and replies with a denial if the request violates policy
4. WSA initiates a new connection to the web if the request is acceptable
5. Web server replies with content, which is sent to the WSA
6. WSA checks the content for objectionable material and forwards it to the originating user if no issues are encountered
Reputation in Action: New York Times, Victim of an Advertiser Attack!
Seemingly legitimate ad turned malicious, causing 3 redirects
Ultimate destination: protection-check07.com
Drive-by scareware: a full-screen pop-up simulates real AV software and asks the user to buy the full version to clean the machine.
Cisco Web Reputation Score: -9.3
Default Action: BLOCK
NYT site allowed but malicious redirect blocked
IPS/IDS Internet Edge – Design Overview
Traffic inspected by ASA firewall policy
If denied by firewall policy traffic is dropped
Permitted traffic matching inspection policy sent to IPS module
Traffic matching reputation filter list or with a GC adjusted risk rating of 90+ is dropped
Clean traffic is sent back to ASA
VPN access policies applied if present then traffic sent forward onto network
Global Correlation Inspection: How Much Does the Risk Rating Change?
Global Correlation adjusts the risk rating of events based on the reputation of the attacker and the original risk rating.
Example: An event is triggered with RR = 85 and an attacker reputation of –5; the sensor raises the risk rating to 99 and the attack is dropped.
This event would not have been blocked on a sensor without Global Correlation.
Local Inspection Will Always Matter. Example 1: Unknown Attacker
Inspection pipeline: Preprocessing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation, Decision Engine
1. New attacker hits the IPS
2. Attacker has no reputation
3. Signatures or anomaly detection identify the activity
4. The attack is handled according to the security policy implemented on the sensor (deny if the risk rating reaches the threshold)
5. Information about the attacker is sent back to Cisco to track the attacker's reputation (if configured)
Global Correlation Inspection. Example 2: Suspicious Attacker
Identified through local inspection, denied due to Global Correlation
Inspection pipeline: Preprocessing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation, Decision Engine
1. Suspicious attacker attacks
2. Attacker has a medium reputation
3. Signatures identify suspicious activity and give this attacker a medium risk rating
4. Global Correlation adds the context of the attacker's reputation to the risk rating
5. Decision engine blocks the attack
6. Information on the new reputation is sent back to Cisco
AnyConnect Secure Mobility Client
SSL full tunnel
IPsec (IKEv2)
Trusted Network Detection
WSA integration
Always-on VPN
802.1X supplicant (free)
Wired and wireless
ScanSafe integration
(Diagram: secure, consistent access for voice, video, apps, and data from the corporate office (wired), the mobile user (cellular/Wi-Fi), and the home office (Wi-Fi).)
SBA WAN Design
WAN-Aggregation Reference Design
(Diagram: MPLS A and MPLS B terminate on the MPLS CE routers; the Layer 2 WAN terminates on the Layer 2 WAN CE router; ISP A / ISP B connect through the Internet Edge to the DMVPN hub routers (DMVPN 1 and DMVPN 2). All WAN routers connect to the WAN distribution layer, which connects to the core layer.)
Hierarchical WAN Design
SBA supports ≤ 500 remote sites.
(Diagram, two-tier: the Data Center/HQ acts as core/distribution and connects directly to Spoke Site 1 ... Spoke Site N at the access tier.)
(Diagram, three-tier: the Data Center/HQ acts as core; Regional Hubs form the distribution tier, and each Regional Hub serves its own access-tier spoke sites, Spoke Site 1 ... Spoke Site N and Spoke Site 1' ... Spoke Site N'.)
WAN Remote Site Designs (MPLS and DMVPN)
Non redundant:
MPLS WAN: single MPLS link
Internet WAN: single Internet (DMVPN) link
Redundant links (single router):
MPLS WAN: MPLS-A + MPLS-B
MPLS + Internet WAN: MPLS + Internet (DMVPN)
Internet WAN: Internet (DMVPN-1) + Internet (DMVPN-2)
Redundant links & routers (dual router):
MPLS WAN: MPLS-A + MPLS-B
MPLS + Internet WAN: MPLS + Internet (DMVPN)
Internet WAN: Internet (DMVPN-1) + Internet (DMVPN-2)
WAN Remote Site Designs (Layer 2, 3G and DMVPN)
Non redundant:
VPLS WAN: single VPLS link
3G/DMVPN WAN: 3G (DMVPN)
Redundant links (single router):
VPLS + Internet WAN: VPLS + Internet (DMVPN)
MPLS + 3G/Internet WAN: MPLS + 3G (DMVPN)
Redundant links & routers (dual router):
VPLS + Internet WAN: VPLS + Internet (DMVPN)
MPLS + 3G/Internet WAN: MPLS + 3G (DMVPN)
WAN Remote Site Reference Designs: Access Layer Only
Single Router Remote Sites: one router with an 802.1Q VLAN trunk (64-65, 69-70) to the access switch; no HSRP required.
Dual Router Remote Sites: add a second router and a transit network and enable HSRP; 802.1Q VLAN trunk (64-65, 69-70, 99); HSRP runs on the user VLANs with one router as the active HSRP router.
VLAN | Usage | Access Layer Only Designs | IP Network Assignment (Example)
Vlan65 | Wireless Data | Yes | 10.5.50.0/24
Vlan70 | Wireless Voice | Yes | 10.5.51.0/24
Vlan64 | Data 1 | Yes | 10.5.52.0/24
Vlan69 | Voice 1 | Yes | 10.5.53.0/24
Vlan99 | Transit | Yes (Dual Router Only) | 10.5.48.0/30
WAN-Aggregation IP Routing Detail
(Diagram: the WAN-aggregation site uses BGP AS 65511. The MPLS CE routers run eBGP to MPLS A (AS 65401) and MPLS B (AS 65402), iBGP between each other, and EIGRP toward the WAN distribution layer. The Layer 2 WAN CE router and the DMVPN hub routers (DMVPN 1 and DMVPN 2, reached through the Internet Edge via ISP A / ISP B) run EIGRP; a "Default" label appears beside DMVPN 1 and the Internet Edge. EIGRP autonomous systems shown: 200, 201, and 300.)
WAN Edge Connection Methods Compared
All: no static routes, no FHRPs
Option 1: the WAN edge router connects to a core/distribution pair with separate links.
Option 2 (SBA recommended): the WAN edge router connects with a port-channel for high availability to a core/distribution layer that presents a single logical control plane.
Optimize Convergence and Redundancy: Multichassis EtherChannel
Layer 3 point-to-point links:
Link redundancy achieved through redundant L3 paths
Flow based load-balancing through CEF forwarding across the paths
Routing protocol reconvergence (IGP recalculation) when an uplink fails
Convergence time depends on the routing protocol used and the size of the routing table
Multichassis EtherChannel (VSS / 3750 stacks):
Provides link redundancy and reduces peering complexity
Tune the L3/L4 load-balancing hash to achieve maximum utilization
No L3 reconvergence required when a member link fails; the channel member is simply removed
No individual flow can go faster than the speed of an individual member of the link
Dual-Router WAN Remote Site Design: Traffic In/Out Same Interface
Remote site: Vlan64 (Data) is 10.5.52.0/24; R1 is .2 and R2 is .3, both on Gig0/1.64, with the HSRP virtual address .1; R1 is the active HSRP router. R1's routing table holds: D EX 10.5.192.0/21 [170/xxxx] via 10.5.52.3
Host sending data to a remote site (10.5.52.10 → 10.5.192.10):
1. Host sends packet to HSRP active (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup; next hop is 10.5.52.3
4. R1 sends the packet to 10.5.52.3 via Gig0/1.64 (hairpin out the same interface)
5. Received by R2 on Gig0/1.64
6. Packet forwarded to the WAN and final destination
If WCCP is enabled inbound on the Gig0/1.64 interfaces, this will cause a double redirect.
Dual-Router WAN Remote Site Design: Introduce Transit Network
Remote site: Vlan64 (Data) is 10.5.52.0/24 (R1 .2, R2 .3, HSRP .1, on Gig0/1.64); Vlan99 (Transit) is 10.5.48.0/30 (R1 .1, R2 .2, on Gig0/1.99); R1 is the active HSRP router. R1's routing table now holds: D EX 10.5.192.0/21 [170/xxxx] via 10.5.48.2
Host sending data to a remote site (10.5.52.10 → 10.5.192.10):
1. Host sends packet to HSRP active (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does a route lookup; next hop is 10.5.48.2
4. R1 sends the packet to 10.5.48.2 via Gig0/1.99
5. Received by R2 on Gig0/1.99
6. Packet forwarded to the WAN and final destination
WCCP is not enabled on the transit network, so the redirect happens only once, on the LAN-facing subinterface.
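The two slides above differ only in R1's next hop, and the consequence is easy to miss on a diagram. The following Python script is an added example (not from the SBA deck) that reproduces the lookup with the deck's own addresses: it resolves the next hop for 10.5.192.10 over a tiny longest-prefix routing table, finds which of R1's connected subinterfaces reaches it, and counts how many inbound WCCP redirects the packet would trigger on the R1-then-R2 path. The interface table and the assumption that R1 and R2 use the same subinterface names are constructed for the example.

```python
"""Why the dual-router remote site needs a transit VLAN.

Added example, not part of the SBA deck: next-hop and egress lookup on R1
using the slide's addresses (Vlan64 10.5.52.0/24, Vlan99 10.5.48.0/30,
destination 10.5.192.0/21).
"""
import ipaddress

# R1's connected subinterfaces (constructed from the slide diagram).
R1_INTERFACES = {
    "Gig0/1.64": ipaddress.ip_interface("10.5.52.2/24"),  # Vlan64 - Data
    "Gig0/1.99": ipaddress.ip_interface("10.5.48.1/30"),  # Vlan99 - Transit
}

# R1's routing-table entry for the remote site on each slide (EIGRP external, AD 170).
ROUTES_SAME_INTF = {"10.5.192.0/21": "10.5.52.3"}  # via R2's Vlan64 address
ROUTES_TRANSIT = {"10.5.192.0/21": "10.5.48.2"}    # via R2's transit address


def next_hop_for(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def egress_for(interfaces, next_hop):
    """The connected subinterface whose subnet contains the next hop."""
    nh = ipaddress.ip_address(next_hop)
    for name, iface in interfaces.items():
        if nh in iface.network:
            return name
    raise LookupError(f"next hop {next_hop} is not on a connected subnet")


def trace_hop(routes, dst="10.5.192.10", ingress="Gig0/1.64", wccp_inbound=("Gig0/1.64",)):
    """Simulate R1 forwarding a LAN packet toward R2.

    wccp_inbound lists the subinterfaces (same names on R1 and R2) that carry
    an inbound WCCP redirect. The packet enters R1 on `ingress` and then enters
    R2 on R1's egress, so the redirect count is how many of those two
    subinterfaces are WCCP-enabled: 2 is the double redirect from the slide.
    """
    nh = next_hop_for(routes, dst)
    egress = egress_for(R1_INTERFACES, nh)
    return {
        "next_hop": nh,
        "egress": egress,
        "hairpin": egress == ingress,
        "wccp_redirects": sum(1 for i in (ingress, egress) if i in wccp_inbound),
    }


if __name__ == "__main__":
    print("same interface:", trace_hop(ROUTES_SAME_INTF))
    print("transit network:", trace_hop(ROUTES_TRANSIT))
```

The same check is useful beyond WCCP: any inbound feature that acts on the packet again on R2 (NetFlow sampling, inbound ACL logging, a second NAT pass) is counted twice on a hairpinned path, so the egress-equals-ingress test is the condition to alert on.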
WAN with 3G Backup: Enhanced Object Tracking with EEM Scripts
(Diagram: R1 at the remote site, with Vlan64 (Data) on the LAN side and Cellular0/0/0 (Ce0/0/0) to the 3G wireless WAN; an IP SLA probe runs over the primary WAN; no HSRP required.)
R1#
ip sla 100
 icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
track 60 ip sla 100 reachability
event manager applet ACTIVATE-3G
 event track 60 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "Activating 3G interface"
R1#
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
Note: This method is also compatible with a dual router design (probes are sent from R2).
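The console output above is the whole evidence trail for the failover, and it is the same trail a SIEM would receive. The following Python script is an added example (not from the SBA deck) that parses the IOS %FACILITY-SEVERITY-MNEMONIC format, measures the time from the tracking object going down to the EIGRP adjacency over the tunnel, and flags any CONFIG_I event that was not generated by an EEM applet, since during an outage that is the one configuration change you did not expect. The sample input is the deck's own console output with its wrapped lines joined; the extra "admin" line in the usage note is constructed.

```python
"""Parse IOS syslog from the 3G failover and time the cutover.

Added example, not part of the SBA deck: the parser splits the IOS
'%FACILITY-SEVERITY-MNEMONIC: text' format, then checks that the
EEM-driven failover ran end to end and that no human changed the config.
"""
import re

# Constructed sample: the console lines from the slide, wrapped lines joined.
SAMPLE_LOG = """\
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)


def parse_syslog(text):
    """One dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sev"] = int(e["sev"])
            events.append(e)
    return events


def _seconds(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def _first(events, facility, *needles):
    """First event from `facility` whose message contains every needle."""
    return next((e for e in events if e["facility"] == facility
                 and all(n in e["msg"] for n in needles)), None)


def failover_timeline(events):
    """Seconds from the track-down event to each milestone (None if absent)."""
    down = _first(events, "TRACKING", "Up->Down")
    if down is None:
        return None
    t0 = _seconds(down["ts"])
    milestones = {
        "eem_fired": _first(events, "HA_EM", "Activating 3G"),
        "cellular_up": _first(events, "LINEPROTO", "Cellular", "to up"),
        "tunnel_up": _first(events, "LINEPROTO", "Tunnel", "to up"),
        "eigrp_adjacency": _first(events, "DUAL", "new adjacency"),
    }
    return {k: (None if e is None else _seconds(e["ts"]) - t0)
            for k, e in milestones.items()}


def unexpected_config_changes(events):
    """CONFIG_I messages not attributed to an EEM applet: a person touched the box."""
    return [e["msg"] for e in events
            if e["mnemonic"] == "CONFIG_I" and "(EEM:" not in e["msg"]]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    print(failover_timeline(evs))
    print("unexpected config changes:", unexpected_config_changes(evs))
```

On the deck's output the cellular line protocol comes up 20 seconds after the probe fails and the EIGRP neighbor over the tunnel 28 seconds after; a line such as "14:25:00: %SYS-5-CONFIG_I: Configured from console by admin on vty1" would be reported by unexpected_config_changes while the EEM-attributed one is not.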
WAN with 3G Only Link: Time Based Connection with EEM Scripts
(Diagram: R1 at the remote site, with Vlan64 (Data) on the LAN side and Cellular0/0/0 (Ce0/0/0) carrying a VPN tunnel over the 3G wireless WAN; no HSRP required.)
R1#
event manager applet TIME-OF-DAY-ACTIVATE-3G
 event timer cron cron-entry "45 4 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
event manager applet TIME-OF-DAY-DEACTIVATE-3G
 event timer cron cron-entry "15 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"
Limit connection time to reduce usage charges
EEM scripts leverage cron
Additional scripting or enhancements can allow for manual override for weekend or after-hours use.
WAN Quality of Service: Defining SBA QoS Classes of Service
Class of Service | Traffic Type | DSCP Value(s) | Bandwidth (%) | Congestion Avoidance
VOICE | Voice traffic | ef | 10 (PQ) |
INTERACTIVE-VIDEO | Interactive video (video conferencing) | cs4, af41 | 23 (PQ) |
CRITICAL-DATA | Highly interactive (such as Telnet, Citrix, and Oracle thin clients) | cs3, af31 | 15 | DSCP based
DATA | Data | af21 | 19 | DSCP based
SCAVENGER | Scavenger | cs1, af11 | 5 |
NETWORK-CRITICAL | Routing protocols; Operations, Administration and Maintenance (OAM) traffic | cs2, cs6 | 3 |
Class-Default | Best effort (other) | | 25 | Random
All WAN Routers:
class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any DATA
 match ip dscp af21
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
For MPLS CE Routers:
class-map match-any BGP-ROUTING
 match protocol bgp
policy-map MARK-BGP
 class BGP-ROUTING
  set dscp cs6
For DMVPN Routers:
ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
class-map match-any NETWORK-CRITICAL
 match access-group name ISAKMP
WAN Quality of Service: Implementing SBA Classes of Service
(Diagram: packets enter the Layer 3 queueing subsystem. VOICE and INTERACTIVE-VIDEO are policed into the Low Latency Queueing priority queue (PQ); CRITICAL-DATA, DATA, SCAVENGER, NETWORK-CRITICAL and Class-Default each get a CBWFQ queue, with fair queueing (FQ) inside class-default; everything then feeds the Layer 2 queueing subsystem.)
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect
Congestion avoidance: random-detect dscp-based is labelled on the slide as Weighted Random Early Detection (WRED); random-detect on class-default is labelled as Random Early Detection (RED).
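The class table and the policy-map above are two views of one thing: a mapping from a packet's DSCP marking to a queue and a share of the link. The following Python script is an added example (not from the SBA deck) that encodes the slide's class-maps and policy-map WAN and answers the two questions a practitioner actually asks: which SBA class does a packet with a given IP ToS byte land in, and does the policy add up. The DSCP code point values are the standard ones (EF 46, CSx = 8x, AFxy per RFC 2597); the 33% ceiling on priority queues is the editor's assumption taken from Cisco's general QoS design guidance, not from this deck.

```python
"""DSCP classifier and bandwidth sanity check for the SBA WAN policy.

Added example, not part of the SBA deck: maps a ToS byte to the SBA class
using the slide's class-map matches, and validates policy-map WAN.
"""

# Standard DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
DSCP = {"ef": 46, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs6": 48,
        "af11": 10, "af21": 18, "af31": 26, "af41": 34}

# class-map match-any entries from the slide; like IOS, first match wins.
CLASS_MAPS = [
    ("VOICE", {"ef"}),
    ("INTERACTIVE-VIDEO", {"cs4", "af41"}),
    ("CRITICAL-DATA", {"cs3", "af31"}),
    ("DATA", {"af21"}),
    ("SCAVENGER", {"cs1", "af11"}),
    ("NETWORK-CRITICAL", {"cs2", "cs6"}),
]

# policy-map WAN from the slide: (class, queue kind, percent of link).
POLICY_WAN = [
    ("VOICE", "priority", 10),
    ("INTERACTIVE-VIDEO", "priority", 23),
    ("CRITICAL-DATA", "bandwidth", 15),
    ("DATA", "bandwidth", 19),
    ("SCAVENGER", "bandwidth", 5),
    ("NETWORK-CRITICAL", "bandwidth", 3),
    ("class-default", "bandwidth", 25),
]

# Assumed guideline (not from the deck): keep LLQ to about a third of the link.
PRIORITY_CEILING_PCT = 33


def dscp_of(tos_byte):
    """DSCP is the top six bits of the IP ToS/Traffic Class byte; low two bits are ECN."""
    return (tos_byte >> 2) & 0x3F


def classify(tos_byte):
    """SBA class for a packet carrying this ToS byte, or class-default."""
    code = dscp_of(tos_byte)
    for name, marks in CLASS_MAPS:
        if code in {DSCP[m] for m in marks}:
            return name
    return "class-default"


def check_policy(policy):
    """Return a list of problems; empty means the policy is consistent."""
    issues = []
    queued = {cls for cls, _, _ in policy}
    for name, _ in CLASS_MAPS:
        if name not in queued:
            issues.append(f"class {name} has no queue in policy")
    total = sum(pct for _, _, pct in policy)
    if total > 100:
        issues.append(f"allocations sum to {total}% (> 100)")
    prio = sum(pct for _, kind, pct in policy if kind == "priority")
    if prio > PRIORITY_CEILING_PCT:
        issues.append(f"priority queues take {prio}% (> {PRIORITY_CEILING_PCT}% guideline)")
    return issues


def class_rate_bps(policy, name, shaped_bps):
    """Bits per second a class gets under a shaper (a guarantee for bandwidth
    classes, a policed ceiling for priority classes)."""
    for cls, _, pct in policy:
        if cls == name:
            return shaped_bps * pct // 100
    raise KeyError(name)


if __name__ == "__main__":
    for tos in (0xB8, 0x88, 0x60, 0x48, 0x28, 0xC0, 0x00):
        print(f"ToS 0x{tos:02X} -> DSCP {dscp_of(tos)} -> {classify(tos)}")
    print("policy issues:", check_policy(POLICY_WAN))
    print("VOICE on a 300 Mbps shaper:", class_rate_bps(POLICY_WAN, "VOICE", 300_000_000), "bps")
```

A 0xB8 ToS byte (EF) lands in VOICE and, under the 300 Mbps shaper shown a few slides on, gets a 30 Mbps priority queue; the slide's percentages sum to exactly 100 with the two priority classes at 33, so the check passes as written and fails as soon as someone bumps a class.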
Traffic Shaping
Policers typically drop traffic
Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops
Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame Relay and ATM
(Diagram: without traffic shaping, bursts reach line rate; with traffic shaping, the transmit rate is limited to a shaped rate lower than line rate.)
WAN Quality of Service: Implementing SBA Classes of Service: LFI, Shaping and Serialization
(Diagram: from the Layer 3 queueing subsystem, the Layer 2 queueing subsystem applies shaping, then fragmentation and interleaving (LFI), then the TX ring, then packets out. LFI is only typically used at <768 Kbps.)
policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 300000000
  service-policy WAN
interface GigabitEthernet0/0/4
 bandwidth 300000
 service-policy output WAN-INTERFACE-G0/0/4
Summary
SBA provides a step by step deployment process based on cumulative Cisco best practices. The design methodology allows for either a small or large scale initial deployment. Flexibility is built into the design: adding additional scale, resiliency, or capabilities is straightforward. The SBA design uses advanced features and capabilities, each documented in a prescriptive manner.
www.cisco.com/go/sba www.cisco.com/go/cn/iba
You Now Have the Tools to Build This!