
Page 1: Smart Business Architecture for Enterprise… · Cisco Smart Business Architecture Overview Tested Optimized Flexible Flexible architecture to help ensure easy migration as the

Session ID 20PT

Smart Business Architecture for Enterprise

Ben Thomas

Page 2

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential BRKSPM-2604_c1 2

Agenda

Cisco Smart Business Architecture - Intro

Using SBA Deployment Guides

SBA Design Methodology

Key Aspects of the Design

Summary and Closing

Page 3

Guidance in This Presentation Uses the Following SBA Principles…

Ease of Deployment: Deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.

Flexibility and Scalability: The architecture can grow with the organization without being redesigned.

Resiliency and Security: The architecture keeps the network operating even during unplanned outages and attacks.

Easy to Manage: The deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.

Advanced Technology Ready: Implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.

Page 4

SBA Enterprise Architecture

Page 5

The Challenge

I want to design and deploy a network….

Which platform should I choose? Many to choose from at each place in the network (the figure shows a Catalyst 2960S, an ASR1000 and a WAE-7341 as examples)

What are the best practices?

How do I manage it?

How do I put it all together?

How can I do it quickly?

How can I anticipate what the network might need to do in the future so I don’t have to revisit my design and deployment?

Page 6

Cisco Smart Business Architecture Overview

Tested: A reference design, tested, and supported by Cisco

Optimized: One architecture optimized for two sizes of organizations
  • Midsize Organizations with up to 2500 users
  • Enterprise Organizations with 2,000–10,000 users

Flexible: Flexible architecture to help ensure easy migration as the organization grows

Comprehensive: Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest

Secure: Security and high availability for corporate information resources, and Internet-facing applications

Performance: Improved WAN performance and cost reduction through the use of WAN optimization

Page 7

SBA Deployment Guide Structure

Within the Deployment Guide:

Business Overview: Each solution outlines the business issues or problems relevant to the organization.

Technical Overview: This section discusses how the technology is implemented within the specific architecture to address business issues.

Deployment Details: Organized as a hierarchy of Processes, each made up of Procedures, each made up of Steps (shown as a tree in the figure).

Page 8

SBA Deployment Guide (Sample Page)

Page 9

SBA LAN Design

Page 10

Hierarchical Network Design

(Figure: a building block made of Access, Distribution, Core, Distribution and Access layers)

Each layer has a specific role

Modular topology—building blocks

Easy to grow, understand, and troubleshoot

Creates small fault domains—clear demarcations and isolation

Promotes load balancing and redundancy

Also maps well to our session agenda!

Page 11

Access Layer Attributes

Transparent Ethernet network access
  • Wired 10/100/1000
  • Wireless 802.11a/b/g/n

Simplified and flexible design
  • Layer 2 edge for applications that require spanned VLANs
  • Avoid Spanning Tree loops for resiliency

Policy enforcement point
  • Secure network and applications from malicious attacks
  • Packet marking for QoS

Advanced Technologies support
  • Deliver PoE services: 802.3af (PoE) and 802.3at (PoE+)
  • QoS enforcement to protect multimedia applications

Page 12

SBA Access Layer Design

A common deployment method is used for all access layer devices in the design, whether they are located in the headquarters or at a remote site.

A single interface configuration is used for a standalone computer, an IP phone, an IP phone with an attached computer, or a wireless access point.

The LAN access layer is configured as Layer 2, with all Layer 3 services provided by the directly connected distribution layer switch or router.

(Figure: wireless access point and user IP phone connected to an access switch, which uplinks to a distribution switch or a remote router: uniform deployment in the network)

Page 13

3750-X and 2960-S Resiliency

Stack Master provides central control over multiple Catalyst 2960S or 3750X Series switches configured in a stack.

To increase resiliency in a 3750X or 2960S stack of three or more switches:

  • Configure the stack MASTER on a switch that does not have uplinks configured (in the figure, a master on the uplink switch creates a double failure when that switch is lost)

  • Ensure that the original stack master MAC address remains the stack MAC address after a failure to prevent protocol restart

Platform Specific Configuration:

  stack-mac persistent timer 0
  switch [switch number] priority 15

(Figure: stack members S1, S2, S3 as a single logical switch; MASTER MAC=00:BB:AA:CC:DD:FF)

Reference: Cisco Smart Business Architecture – Enterprise Borderless Networks: Revision H2CY10

Page 14

Resiliency Features for LAN Switches

Rapid PVST+ for Layer 2 loop detection: greatly improves the detection of indirect failures or link-up restoration events over classic spanning tree.

UDLD to detect and protect against unidirectional links caused by incorrect physical interconnects that can cause spanning tree loops. Works for switch interconnects using fiber-optic or twisted-pair Ethernet cables.

VTP allows for centralized creation of VLANs. Unless you have a large Layer 2 domain, configure the switches to ignore VTP updates, but still pass them to other devices.

Global LAN Switch Configuration:

  spanning-tree mode rapid-pvst
  udld enable
  vtp mode transparent

(Figure: protection across the LAN)

Page 15

Client Facing Interfaces

A single port profile for all access ports.

Where only end-device connectivity is provided at the access layer, shorten the time it takes for the interface to go into a forwarding state by enabling portfast, disabling 802.1Q trunking, and disabling channel grouping.

To enable QoS, configure the following commands:

Access Switch Configuration:

  interface range [interface type] [port number]–[port number]
   switchport access vlan [data vlan]
   switchport mode access
   switchport voice vlan [voice vlan]
   switchport host
   macro apply AccessEdgeQoS

The host interface configuration supports PCs, phones, or wireless access points (figure: wireless access point and user IP phone connected to the access switch).

Page 16

Simplified Distribution Layer Design

Traditional two box distribution layer has many points to manage:
  • First Hop Routing Protocol (FHRP) for a resilient IP default gateway
  • Spanning Tree loop avoidance
  • Multiple boxes to manage

SBA Distribution Layer uses a "Single Box Design":
  • Two switches acting as a single logical switch (Catalyst 6500 Virtual Switching System)
  • A single highly redundant switch
  • A multiple member switch stack acting as a single logical switch

Simplified Design Benefits:
  • Fewer boxes to manage
  • Simplified configuration
  • Logical Hub and Spoke topology

(Figure: traditional two box design beside the SBA LAN distribution layer built on a Catalyst 6500 Virtual Switching System)

Page 17

Simplified Distribution Layer Design

Traditional designs:
  • Looped design with spanned VLANs: relies on spanning tree to block loops, which reduces available bandwidth
  • Loop free design: can increase bandwidth, but still relies on FHRP
  • Multiple distribution layer boxes to configure

SBA Design: the simplified design provides
  • EtherChannel for resilient links with all links forwarding
  • No need for FHRP; acts as a single default IP gateway
  • Works with VLAN-per-closet or few-VLANs-spanned designs
  • Logical Hub and Spoke topology
  • Reduced dependence on Spanning Tree – keep enabled for edge protection (RPVST+)

(Figure: SBA LAN distribution layer with either Vlan 30 spanned across all closets or Vlan 10, Vlan 20, Vlan 30 per closet)

Page 18

Distribution Layer IP Unicast Routing

EIGRP was chosen for simplicity, scalability, and flexibility:
  • Enable EIGRP for address space in use
  • Disable automatic summarization of the IP networks
  • Enable all routed links to be passive by default
  • Tie the EIGRP router-id to loopback 1 for maximum resiliency

Single Logical Distribution Layer design uses Stateful SwitchOver (SSO) and Non-Stop Forwarding (NSF):
  • SSO provides sub-second failover to redundant supervisor
  • NSF maintains packet forwarding while control plane recovers

SBA Distribution Layer configuration (figure shows the Layer 2 / Layer 3 boundary at the distribution switch):

  router eigrp [as number]
   network [network] [inverse mask]
   no auto-summary
   passive-interface default
   eigrp router-id [ip addr of loopback 1]
   nsf

NSF Capable
  • Works on dual supervisor system
  • Signals peer of SSO and to delay adjacency timeout
  • Once control plane recovers, re-establishes peering

NSF Aware
  • Nothing to enable.
  • Only need IOS version that supports NSF for EIGRP
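As an added example (not code from the presentation or the SBA deployment guides), a small Python auditor that checks a switch running-config for the global resiliency commands of page 14, the host-port profile of page 15 and the EIGRP settings above; the sample configuration, interface names and addresses are constructed.

```python
"""Audit an IOS-style running-config against the SBA LAN switch baseline: global
resiliency commands, the host-port profile on access ports, and EIGRP settings."""

# Global commands the SBA LAN design applies to every switch.
GLOBAL_REQUIRED = ("spanning-tree mode rapid-pvst", "udld enable", "vtp mode transparent")
# Required under "router eigrp <as>" (where "no auto-summary" is the IOS default it is not shown; adjust per platform).
EIGRP_REQUIRED = ("no auto-summary", "passive-interface default", "nsf")


def parse_config(text):
    """Return (global_lines, sections); sections maps a section header to its body."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the current section
            if current is not None:
                sections[current].append(line)
        elif line.startswith(("interface ", "router ")):
            current = line
            sections.setdefault(current, [])
        else:                              # top-level global command
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_access_port(name, body):
    """Findings for one access port against the host-port profile; 'switchport host'
    expands to 'switchport mode access' + 'spanning-tree portfast' in the running-config."""
    findings, host = [], "switchport host" in body
    if not host and "spanning-tree portfast" not in body:
        findings.append(f"{name}: portfast not enabled")
    if not host and "switchport mode access" not in body:
        findings.append(f"{name}: not forced to access mode (trunking possible)")
    if any(l.startswith("channel-group") for l in body):
        findings.append(f"{name}: channel grouping enabled on a host port")
    if not any(l.startswith("switchport voice vlan") for l in body):
        findings.append(f"{name}: no voice VLAN (IP phone profile incomplete)")
    return findings


def audit_eigrp(sections):
    """Findings per EIGRP process: required commands and router-id == Loopback1."""
    findings, loop1_ip = [], None
    for l in sections.get("interface Loopback1", []):
        if l.startswith("ip address "):
            loop1_ip = l.split()[2]
    for name, body in sections.items():
        if not name.startswith("router eigrp"):
            continue
        findings += [f"{name}: missing '{c}'" for c in EIGRP_REQUIRED if c not in body]
        rid = next((l.split()[-1] for l in body if l.startswith("eigrp router-id")), None)
        if rid is None:
            findings.append(f"{name}: no explicit router-id")
        elif rid != loop1_ip:
            findings.append(f"{name}: router-id {rid} is not Loopback1 ({loop1_ip})")
    return findings


def audit(text):
    """Run every check; an empty list means the config matches the baseline."""
    global_lines, sections = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_lines]
    for name, body in sections.items():   # access ports are those carrying a data VLAN
        if name.startswith("interface ") and any(l.startswith("switchport access vlan") for l in body):
            findings += audit_access_port(name, body)
    return findings + audit_eigrp(sections)


# Constructed sample: Gi1/0/1 follows the profile, Gi1/0/2 does not,
# UDLD is missing globally and the EIGRP router-id is not Loopback1.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
vtp mode transparent
!
interface Loopback1
 ip address 10.4.15.254 255.255.255.255
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
 channel-group 5 mode on
!
router eigrp 100
 no auto-summary
 passive-interface default
 eigrp router-id 10.4.15.1
 nsf
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```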

Page 19

Core Layer Attributes

Primary function is distribution layer aggregation for large or geographically dispersed LAN deployment
  • Lowers the complexity and cost of a fully meshed distribution layer

Must be highly resilient with no single points of failure in design

No high touch/high complexity services
  • Avoid constant tuning or configuration changes

Layer 3 Transport
  • No Spanning Tree convergence or blocking

(Figure: SBA LAN Core Layer aggregating several distribution blocks. Do I need a Core Layer?)

Page 20

SBA Security Design

Page 21

Internet Edge Designs

Two design options:
  • Internet Edge 5k offers a single connection to one ISP
  • Internet Edge 10k offers dual Internet connections in Active/Standby mode

(Figure, Internet Edge 5k: ISP A, IE Router, Outside Switch, Cisco ASA 5520 IPS, DMZ Switch with Cisco WSA, Cisco ESA and Internet Servers, Collapsed Core+Distribution, Internal Network)

(Figure, Internet Edge 10k: ISP A and ISP B, IE Routers, Outside Switch, Cisco ASA 5540 + IPS, RA VPN Cisco ASA 5520/40, DMZ Switch with Cisco WSA, Cisco ESA and Internet Servers, Collapsed Core+Distribution, Internal Network)

Page 22

Email Security Appliance Organization Overview

(Figure: Internet, ASA, ESA on DMZ, Inside Network)

There are two major problems with email in networks today:
  • Floods of unsolicited and unwanted emails (spam)
  • Large numbers of emails use phishing

Email is a critical business service; it can be as important as telephone service.

Solutions for this problem include hosted services that provide filtering as part of the email solution, or network solutions that are installed in front of a local email server.

The goal of the solution is to filter out positively identified spam and quarantine or discard emails sent from untrusted or potentially hostile locations.

Anti-virus (AV) scanning is applied to emails and attachments from all servers to remove known malware.

Page 23

SenderBase Reputation Filtering: Real Time Threat Prevention

Incoming mail (good, bad, and unknown email) passes through reputation filtering and then IronPort Anti-Spam:
  • Known good is delivered
  • Suspicious is rate limited and spam filtered
  • Known bad is blocked

Cisco on Cisco: Our Corporate Email Experience

  Message Category                  %       Messages
  Stopped by Reputation Filtering   93.1%   700,876,217
  Stopped as Invalid recipients      0.3%     2,280,104
  Spam Detected                      2.5%    18,617,700
  Virus Detected                     0.3%     2,144,793
  Stopped by Content Filter          0.6%     4,878,312
  Total Threat Messages:            96.8%   728,797,126
  Clean Messages                     3.2%    24,102,874
  Total Attempted Messages:                 752,900,000

Page 24

ESA Technology Overview

  • Acts as a Mail Transfer Agent (MTA)
  • Can be deployed with a single physical interface
  • Uses reputation-based and context-based filters
  • Uses Virus Outbreak Filters and AV signatures to fight viruses
  • Supports DLP for policy-based filtering

Page 25

Phishing Demo (Unfiltered)

Page 26

Phishing Demo (Filtered)

Page 27

WSA Technology Overview

The Cisco ASA redirects HTTP and HTTPS connections to the WSA using the Web Cache Communication Protocol (WCCP).

Determine how web traffic will be sent to the WSA: explicit or transparent mode.

Determine what type of physical topology will be used. The most common method is to combine management and proxy services onto the management interface.

(Figure: user community on the LAN, Cisco ASA, Cisco WSA, Internet)

1. User initiates web request
2. ASA firewall redirects request to Cisco WSA
3. WSA checks request, replies with denial if request violates policy
4. WSA initiates new connection to the Web if request is acceptable
5. Web server replies with content which is sent to WSA
6. WSA checks content for objectionable material and forwards content to originating user if no issues are encountered

Page 28

Reputation in Action: New York Times, Victim of an Advertiser Attack!

  • Seemingly legitimate ad turned malicious, causing 3 redirects
  • Ultimate destination: protection-check07.com
  • Drive-by scareware: full-screen pop-up simulates real AV software, asks user to buy full version to clean machine.
  • Cisco Web Rep Score: -9.3
  • Default Action: BLOCK
  • NYT site allowed but malicious redirect blocked

Page 29

IPS/IDS Internet Edge – Design Overview

  • Traffic inspected by ASA firewall policy
  • If denied by firewall policy, traffic is dropped
  • Permitted traffic matching inspection policy is sent to the IPS module
  • Traffic matching the reputation filter list, or with a Global Correlation (GC) adjusted risk rating of 90+, is dropped
  • Clean traffic is sent back to the ASA
  • VPN access policies are applied if present, then traffic is sent forward onto the network

Page 30

Global Correlation Inspection: How Much Does the Risk Rating Change?

Global Correlation adjusts the risk rating of events based on the reputation of the attacker and the original risk rating.

Example: An event is triggered with RR = 85 and an attacker reputation of –5; the sensor raises the risk rating to 99 and the attack is dropped.

This event would not have been blocked on a sensor without Global Correlation.

Page 31

Local Inspection Will Always Matter. Example 1: Unknown Attacker

1. New attacker hits the IPS
2. Attacker without a reputation
3. Signatures or anomaly detection identify activity
4. The attack is handled according to the security policy implemented on the sensor (deny if risk rating reaches threshold)
5. Information about the attacker is sent back to Cisco to track the attacker’s reputation (if configured)

(Figure: sensor pipeline of Preprocessing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation and Decision Engine)

Page 32

Global Correlation Inspection. Example 2: Suspicious Attacker

1. Suspicious attacker attacks
2. Attacker has medium reputation
3. Signatures identify suspicious activity and give this attacker a medium risk rating
4. Global Correlation adds context of attacker reputation to risk rating
5. Decision engine blocks attack
6. Information on new reputation is sent back to Cisco

Identified through local inspection, denied due to Global Correlation.

(Figure: sensor pipeline of Preprocessing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation and Decision Engine)

Page 33

AnyConnect Secure Mobility Client

  • SSL full tunnel
  • IPsec (IKEv2)
  • Trusted Network Detection
  • WSA Integration
  • Always on VPN
  • 802.1X Supplicant (Free): wired and wireless
  • ScanSafe integration

(Figure: corporate office, mobile user and home office users get secure, consistent access to voice, video, apps and data over wired, cellular/Wi-Fi and Wi-Fi connections)

Page 34

SBA WAN Design

Page 35

WAN-Aggregation Reference Design

(Figure: Core Layer and WAN Distribution Layer connecting to MPLS CE Routers for MPLS A and MPLS B, a Layer 2 WAN CE Router, and DMVPN Hub Routers (DMVPN 1 and DMVPN 2) that reach ISP A / ISP B through the Internet Edge)

Page 36

Hierarchical WAN Design

(Figure: Data Center/HQ at the Core/Distribution layer, Regional Hubs at the Distribution layer, and Spoke Site 1 ... Spoke Site N (and Spoke Site 1’ ... Spoke Site N’) at the Access layer; SBA ≤ 500 Remote Sites)

Page 37

WAN Remote Site Designs (MPLS and DMVPN)

(Figure: a matrix of remote-site designs with columns MPLS WAN, MPLS + Internet WAN and Internet WAN and rows Non Redundant, Redundant Links, and Redundant Links & Routers; link labels are MPLS, MPLS-A / MPLS-B, Internet DMVPN, Internet (DMVPN-1) and Internet (DMVPN-2))

Page 38

WAN Remote Site Designs (Layer 2, 3G and DMVPN)

(Figure: a matrix of remote-site designs with columns VPLS WAN, 3G/DMVPN WAN, VPLS + Internet WAN and MPLS + 3G/Internet WAN and rows Non Redundant, Redundant Links, and Redundant Links & Routers; link labels are VPLS, 3G (DMVPN), Internet (DMVPN) and MPLS)

Page 39

WAN Remote Site Reference Designs: Access Layer Only

Single Router Remote Sites: 802.1q VLAN trunk (64-65, 69-70) to the access layer; no HSRP required.

Dual Router Remote Sites: add a router and a transit network and enable HSRP; 802.1q VLAN trunk (64-65, 69-70, 99); HSRP VLANs with an active HSRP router.

  Vlan    Usage           Access Layer Only Designs   IP Network Assignment (Example)
  Vlan65  Wireless Data   Yes                         10.5.50.0/24
  Vlan70  Wireless Voice  Yes                         10.5.51.0/24
  Vlan64  Data 1          Yes                         10.5.52.0/24
  Vlan69  Voice 1         Yes                         10.5.53.0/24
  Vlan99  Transit         Yes (Dual Router Only)      10.5.48.0/30

Page 40

WAN-Aggregation IP Routing Detail

(Figure: the WAN-aggregation design of page 35 with routing labels; BGP AS = 65511 locally, MPLS A is AS 65401 and MPLS B is AS 65402; the MPLS CE Routers run eBGP toward the providers and iBGP between themselves, the WAN Distribution Layer, Layer 2 WAN CE Router and DMVPN Hub Routers run EIGRP, with EIGRP (200), EIGRP (201) and EIGRP (300) processes shown and a Default route toward DMVPN 1)

Page 41

WAN Connection Methods Compared

All: no static routes, no FHRPs.

(Figure: WAN edge router attached to the core/distribution either via two separate core/distribution switches or via a single logical control plane with a port-channel for H/A; the latter is SBA recommended)

Page 42

Optimize Convergence and Redundancy

Layer 3 point-to-point links (figure: IGP recalc when a link fails):
  • Link redundancy achieved through redundant L3 paths
  • Flow-based load-balancing through CEF forwarding across
  • Routing protocol reconvergence when an uplink fails
  • Convergence time depends on the routing protocol used and the size of the routing table

Multichassis EtherChannel (VSS/3750 stacks; figure: channel member removed when a link fails):
  • Provides link redundancy and reduces peering complexity
  • Tune the L3/L4 load-balancing hash to achieve maximum utilization
  • No L3 reconvergence required when a member link fails
  • No individual flow can go faster than the speed of an individual member of the link

Page 43

Dual-Router WAN Remote Site Design: Traffic In/Out Same Interface

Host sending data to remote site (10.5.52.10 → 10.5.192.10). R1 is the active HSRP router on Vlan64 - Data (10.5.52.0/24, with .1 as the HSRP address, .2 and .3 on the routers, both attached via Gig0/1.64). R1's route to the remote site is "D EX 10.5.192.0/21 [170/xxxx] via 10.5.52.3".

1. Host sends packet to HSRP active (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does route lookup, next hop 10.5.52.3
4. R1 sends packet to 10.5.52.3, via Gig0/1.64 (hairpin out same interface)
5. Received by R2 on Gig0/1.64
6. Packet forwarded to the WAN and final destination

If WCCP is enabled inbound on the Gig0/1.64 interfaces, this will cause a double redirect.

Page 44: Smart Business Architecture for Enterprise€¦ · Cisco Smart Business Architecture Overview Tested Optimized Flexible Flexible architecture to help ensure easy migration as the

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential BRKSPM-2604_c1 45

Dual-Router WAN Remote Site Design: Introduce Transit Network

[Figure: remote site with R1 (active HSRP router) and R2 on Vlan64 - Data, 10.5.52.0/24 (HSRP .1, R1 .2, R2 .3, via Gig0/1.64), plus a point-to-point transit link Vlan99 - Transit, 10.5.48.0/30 (R1 .1, R2 .2, via Gig0/1.99). The WAN destination 10.5.192.0/21 is reached through R2.]

Host sending data to remote site (10.5.52.10 → 10.5.192.10):

1. Host sends packet to HSRP active (10.5.52.1)
2. Received by R1 on Gig0/1.64
3. R1 does route lookup, next hop 10.5.48.2
4. R1 sends packet to 10.5.48.2, via Gig0/1.99
5. Received by R2 on Gig0/1.99
6. Packet forwarded to the WAN and final destination

Route on R1: D EX 10.5.192.0/21 [170/xxxx] via 10.5.48.2

WCCP is not enabled on the transit network.
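As an added example (not from the deck), the following Python model walks one packet through both remote-site designs above and counts how often it enters an interface with inbound WCCP redirection. Addresses and interface names are the slides'; the Router/forward helpers and the assumption that WCCP is enabled inbound on every Gig0/1.64 are mine.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    interfaces: dict                     # interface name -> ipaddress.ip_interface
    routes: dict                         # destination prefix -> next-hop address or "WAN"
    wccp_inbound: set = field(default_factory=set)  # interfaces with inbound WCCP redirect
    def next_hop(self, dst):
        for prefix, nh in self.routes.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
                return nh
        raise LookupError(f"{self.name}: no route to {dst}")
    def egress(self, nh):
        """Connected-route lookup: the interface whose subnet contains the next hop."""
        for ifname, addr in self.interfaces.items():
            if ipaddress.ip_address(nh) in addr.network:
                return ifname
        raise LookupError(f"{self.name}: {nh} is not on a connected network")

def build_site(transit):
    """Addresses are the slides': R1 .2 / R2 .3 on Vlan64 (10.5.52.0/24), plus the
    10.5.48.0/30 transit Vlan99 when transit=True. WCCP is inbound on Gig0/1.64 only."""
    r1 = Router("R1", {"Gig0/1.64": ipaddress.ip_interface("10.5.52.2/24")}, {}, {"Gig0/1.64"})
    r2 = Router("R2", {"Gig0/1.64": ipaddress.ip_interface("10.5.52.3/24")},
                {"10.5.192.0/21": "WAN"}, {"Gig0/1.64"})
    if transit:
        r1.interfaces["Gig0/1.99"] = ipaddress.ip_interface("10.5.48.1/30")
        r2.interfaces["Gig0/1.99"] = ipaddress.ip_interface("10.5.48.2/30")
    r1.routes["10.5.192.0/21"] = "10.5.48.2" if transit else "10.5.52.3"
    return {"R1": r1, "R2": r2}

def forward(routers, dst, start="R1", ingress="Gig0/1.64"):
    """Walk one packet from the HSRP-active router to the WAN.
    Returns ([(router, in_if, out_if, hairpin)], number of inbound WCCP redirects hit)."""
    hops, redirects, router = [], 0, routers[start]
    while True:
        if ingress in router.wccp_inbound:
            redirects += 1
        nh = router.next_hop(dst)
        if nh == "WAN":
            hops.append((router.name, ingress, "WAN", False))
            return hops, redirects
        out = router.egress(nh)
        hops.append((router.name, ingress, out, out == ingress))
        router = next(r for r in routers.values()   # router that owns the next-hop address
                      if any(str(a.ip) == nh for a in r.interfaces.values()))
        ingress = next(i for i, a in router.interfaces.items() if str(a.ip) == nh)
```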


WAN with 3G Backup: Enhanced Object Tracking with EEM Scripts

[Figure: single router R1 with Vlan64 - Data on the LAN side, an IP SLA probe sent over the primary WAN path, and cellular interface Ce0/0/0 to the 3G wireless WAN. No HSRP required.]

R1 configuration:

R1#
ip sla 100
 icmp-echo 192.168.3.26 source-interface GigabitEthernet0/0
 timeout 1000
 threshold 1000
 frequency 15
ip sla schedule 100 life forever start-time now
track 60 ip sla 100 reachability
event manager applet ACTIVATE-3G
 event track 60 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "Activating 3G interface"

Log output on R1 when the probe fails:

R1#
14:22:14: %TRACKING-5-STATE: 60 ip sla 100 reachability Up->Down
14:22:14: %SYS-5-CONFIG_I: Configured from console by on vty0(EEM:ACTIVATE-3G)
14:22:14: %HA_EM-6-LOG: ACTIVATE-3G: Activating 3G interface
14:22:34: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
14:22:34: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
14:22:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
14:22:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
14:22:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
14:22:42: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.4.34.1 (Tunnel11) is up: new adjacency

Note: this method is also compatible with a dual-router design (probes are sent from R2).
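Added example, not part of the presentation: a small Python model of the ip sla 100 / track 60 / EEM applet chain above, showing that a reachability track follows the probe's return code and that an applet fires once per state transition rather than on every failed probe. The Track class, the probe series and the DEACTIVATE-3G applet are assumptions of the example; the slide shows only the activate applet.

```python
TIMEOUT_MS, THRESHOLD_MS, FREQUENCY_S = 1000, 1000, 15   # ip sla 100 on the slide

def sla_return_code(rtt_ms):
    """rtt_ms is None when no echo reply arrived. With threshold == timeout, as on
    the slide, OverThreshold can never occur: a slow reply is simply a Timeout."""
    if rtt_ms is None or rtt_ms > TIMEOUT_MS:
        return "Timeout"
    return "OverThreshold" if rtt_ms > THRESHOLD_MS else "OK"

class Track:
    """track 60 ip sla 100 reachability: Up while the return code is OK or
    OverThreshold, Down on Timeout. Applets run only when the state changes."""
    def __init__(self):
        self.state, self.applets, self.log = "Up", {}, []

    def register(self, name, on_state, message):
        self.applets[name] = (on_state, message)   # 'event track 60 state <on_state>'

    def probe(self, t, rtt_ms):
        new = "Down" if sla_return_code(rtt_ms) == "Timeout" else "Up"
        if new != self.state:
            self.log.append(f"{t}s: %TRACKING-5-STATE: 60 ip sla 100 reachability {self.state}->{new}")
            self.state = new
            for name, (on_state, message) in self.applets.items():
                if on_state == new:
                    self.log.append(f"{t}s: %HA_EM-6-LOG: {name}: {message}")
        return self.state

def run(results):
    """Feed a constructed probe series (one result per 15 s cycle) through the track."""
    trk = Track()
    trk.register("ACTIVATE-3G", "Down", "Activating 3G interface")
    # Assumption, not on the slide: the complementary applet that shuts the
    # cellular interface when the primary path returns, so 3G is not left up.
    trk.register("DEACTIVATE-3G", "Up", "Deactivating 3G interface")
    states = [trk.probe(i * FREQUENCY_S, rtt) for i, rtt in enumerate(results)]
    return states, trk.log
```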


WAN with 3G Only Link: Time-Based Connection with EEM Scripts

[Figure: single router R1 with Vlan64 - Data on the LAN side and cellular interface Ce0/0/0 carrying a VPN tunnel over the 3G wireless WAN. No HSRP required.]

R1#
event manager applet TIME-OF-DAY-ACTIVATE-3G
 event timer cron cron-entry "45 4 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "no shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 4:45AM Activating 3G interface"
event manager applet TIME-OF-DAY-DEACTIVATE-3G
 event timer cron cron-entry "15 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface cellular0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 99 syslog msg "M-F @ 6:15PM Deactivating 3G interface"

Limit connection time to reduce usage charges

EEM scripts leverage CRON

Additional scripting or enhancements can allow for manual override for weekend or after-hours use.


WAN Quality of Service: Defining SBA QoS Classes of Service

Class of Service    Traffic Type                                         DSCP Value(s)   Bandwidth (%)   Congestion Avoidance
VOICE               Voice Traffic                                        ef              10 (PQ)         -
INTERACTIVE-VIDEO   Interactive Video (Video Conferencing)               cs4, af41       23 (PQ)         -
CRITICAL-DATA       Highly Interactive (such as Telnet, Citrix, and      cs3, af31       15              DSCP Based
                    Oracle Thin Clients)
DATA                Data                                                 af21            19              DSCP Based
SCAVENGER           Scavenger                                            cs1, af11       5               -
NETWORK-CRITICAL    Routing Protocols, Operations, Administration and    cs2, cs6        3               -
                    Maintenance (OAM) Traffic
Class-Default       Best Effort                                          Other           25              Random

All WAN Routers:

class-map match-any VOICE
 match dscp ef
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any DATA
 match ip dscp af21
class-map match-any SCAVENGER
 match ip dscp cs1 af11
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6

For MPLS CE Routers:

class-map match-any BGP-ROUTING
 match protocol bgp
policy-map MARK-BGP
 class BGP-ROUTING
  set dscp cs6

For DMVPN Routers:

ip access-list extended ISAKMP
 permit udp any eq isakmp any eq isakmp
class-map match-any NETWORK-CRITICAL
 match access-group name ISAKMP


WAN Quality of Service: Implementing SBA Classes of Service

[Figure: Layer 3 queueing subsystem. Packets in are classified into VOICE and INTERACTIVE-VIDEO, which share the Low Latency Queueing priority queue (PQ) and are policed, and into CRITICAL-DATA, DATA, SCAVENGER, NETWORK-CRITICAL and Class-Default, which are served by CBWFQ (fair queueing) with Random Early Detection (RED) / Weighted Random Early Detection (WRED) congestion avoidance, before passing to the Layer 2 queueing subsystem.]

policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
  service-policy MARK-BGP
 class class-default
  bandwidth percent 25
  random-detect


Traffic Shaping

Policers typically drop traffic

Shapers typically delay excess traffic, smoothing bursts and preventing unnecessary drops

Very common with Ethernet WAN, as well as Non-Broadcast Multiple-Access (NBMA) network topologies such as Frame-Relay and ATM

[Figure: transmit rate over time without traffic shaping (bursts up to line rate) and with traffic shaping (held at the shaped rate). Traffic shaping limits the transmit rate to a value lower than line rate.]
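Added example (not from the deck): a token-bucket policer and shaper in Python, fed the same constructed 5-packet burst, to make the drop-versus-delay difference above concrete. The 1 Mbps rate and 1500-byte bucket size used in the test are constructed values.

```python
from typing import List, Tuple

# Constructed input: a 5-packet burst of 1500-byte frames arriving 1 ms apart,
# i.e. far faster than the 1 Mbps shaped rate used in the test below.
BURST: List[Tuple[float, int]] = [(i * 0.001, 1500) for i in range(5)]

def policer(packets, rate_bps, burst_bytes):
    """Single-rate token-bucket policer: a packet is forwarded only if the bucket
    holds enough tokens, otherwise it is dropped. Nothing is ever queued."""
    tokens, last, forwarded, dropped = burst_bytes, 0.0, [], []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)  # refill since last arrival
        last = t
        if size <= tokens:
            tokens -= size
            forwarded.append((t, size))
        else:
            dropped.append((t, size))
    return forwarded, dropped

def shaper(packets, rate_bps, burst_bytes):
    """Token-bucket shaper: a packet short of tokens waits (FIFO) until the
    bucket has refilled at the shaped rate. Returns (arrival, departure, size)."""
    tokens, clock, out = burst_bytes, 0.0, []
    for t, size in packets:
        start = max(t, clock)                      # cannot leave before the packet ahead of it
        tokens = min(burst_bytes, tokens + (start - clock) * rate_bps / 8)
        wait = max(0.0, (size - tokens) * 8 / rate_bps)   # seconds until the deficit is refilled
        tokens = min(burst_bytes, tokens + wait * rate_bps / 8) - size
        clock = start + wait
        out.append((t, clock, size))
    return out

def peak_rate_bps(departures):
    """Highest rate between consecutive shaper departures; the shaper's output
    should never exceed the shaped rate, whatever the line rate."""
    return max((size * 8 / (d2 - d1)
                for (_, d1, _), (_, d2, size) in zip(departures, departures[1:]) if d2 > d1),
               default=0.0)
```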


WAN Quality of Service: Implementing SBA Classes of Service (LFI, Shaping and Serialization)

[Figure: Layer 2 queueing subsystem. Packets from the Layer 3 queueing subsystem pass through shaping, then fragmentation and interleaving (LFI) and the TX ring before leaving the interface.]

policy-map WAN-INTERFACE-G0/0/4
 class class-default
  shape average 300000000
  service-policy WAN
interface GigabitEthernet0/0/4
 bandwidth 300000
 service-policy output WAN-INTERFACE-G0/0/4

LFI only typically used at <768 Kbps
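Added example (not from the deck) covering the class table, policy-map WAN and the 300 Mbps shaper above: a Python model that classifies DSCP values the way the match-any class-maps do and shows what each class receives when offered load exceeds the shaped rate. The water-filling of leftover bandwidth is the example's simplification of CBWFQ; the offered loads in the test are constructed.

```python
"""Model of the SBA policy-map WAN: "priority percent" (LLQ, policed during
congestion) versus "bandwidth percent" (CBWFQ, a guaranteed minimum plus a
weighted share of the leftover). Rates are bits per second on the 300 Mbps shaper."""
# class-maps from the deck (match-any: any listed DSCP value hits the class)
CLASS_MAPS = {
    "VOICE": {"ef"}, "INTERACTIVE-VIDEO": {"cs4", "af41"},
    "CRITICAL-DATA": {"cs3", "af31"}, "DATA": {"af21"},
    "SCAVENGER": {"cs1", "af11"}, "NETWORK-CRITICAL": {"cs2", "cs6"},
}
# policy-map WAN from the deck: class -> (percent, is_priority_queue)
POLICY_WAN = {
    "VOICE": (10, True), "INTERACTIVE-VIDEO": (23, True),
    "CRITICAL-DATA": (15, False), "DATA": (19, False), "SCAVENGER": (5, False),
    "NETWORK-CRITICAL": (3, False), "class-default": (25, False),
}
SHAPED_BPS = 300_000_000   # shape average 300000000 on GigabitEthernet0/0/4

def classify(dscp):
    """First class-map whose match list holds the DSCP wins; else class-default."""
    for name, values in CLASS_MAPS.items():
        if dscp in values:
            return name
    return "class-default"

def serve(offered, policy=POLICY_WAN, link_bps=SHAPED_BPS):
    """Return (served, dropped) per class for an offered load that exceeds the
    shaper. LLQ classes are capped at their percent and the excess dropped; the
    remaining capacity is water-filled over CBWFQ classes weighted by percent."""
    if sum(pct for pct, _ in policy.values()) != 100:
        raise ValueError("bandwidth percentages must total 100")
    served, dropped, left = {}, {}, link_bps
    for name, (pct, prio) in policy.items():
        if prio:
            served[name] = min(offered.get(name, 0), link_bps * pct / 100)
            dropped[name] = offered.get(name, 0) - served[name]
            left -= served[name]
    demand = {n: offered.get(n, 0) for n, (_, prio) in policy.items() if not prio}
    while demand:
        total_w = sum(policy[n][0] for n in demand)
        fits = [n for n in demand if demand[n] * total_w <= left * policy[n][0]]
        if not fits:               # everyone still wants more: split what is left by weight
            for n in demand:
                served[n] = left * policy[n][0] / total_w
                dropped[n] = demand[n] - served[n]
            break
        for n in fits:             # demand within its fair share: serve fully, then recompute
            served[n], dropped[n] = demand.pop(n), 0
            left -= served[n]
    return served, dropped
```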


Summary

SBA provides a step-by-step deployment process based on cumulative Cisco best practices. The design methodology allows for either a small or large-scale initial deployment. Flexibility is built into the design: adding scale, resiliency, or capabilities is straightforward. The SBA design uses advanced features and capabilities, each documented in a prescriptive manner.

www.cisco.com/go/sba www.cisco.com/go/cn/iba


You Now Have the Tools to Build This!


Complete Your Session Evaluation

Please give us your feedback!!

Complete the evaluation form you were given when you entered the room

This is session BRKxxx-xxxx

Don’t forget to complete the overall event evaluation form included in your registration kit

YOUR FEEDBACK IS VERY IMPORTANT FOR US!!! THANKS
