The ability to upgrade individual devices without taking them out of service is similarly based on having internal component redundancy (such as power supplies and supervisors) complemented with the system software capabilities. The need for partner and guest access is increasing as business partnerships are evolving. The ability to negotiate configuration parameters and settings between edge devices and the network infrastructure is a central property of the campus access layer. The services edge policies can be implemented in the data center or, in larger networks, locally in the campus services block module. Note: Voice and video are not the only applications with strict convergence requirements. Where two or more nodes existed with multiple independent links connecting the topology, a virtual switch can replace portions of the network with a single logical node with fewer links. The important point is this: while the hierarchy of the network often defines the physical topology of the switches, they are not exactly the same thing. The access-distribution block consists of two of the three hierarchical tiers within the multi-layer campus architecture: the access and distribution layers. The access layer provides the intelligent demarcation between the network infrastructure and the computing devices that leverage that infrastructure. The building access layer aggregates end users and provides uplinks to the distribution layer. The ability of a distinct core to allow the campus to solve physical design challenges is important. The use of diverse fiber paths with redundant links and line cards, combined with fully redundant power supplies and power circuits, are the most critical aspects of device resiliency. The Cisco 5520 Series Wireless LAN Controller is a highly scalable, service-rich, resilient, and flexible platform that is suited to medium-sized to large enterprise and campus deployments.
By enhancing the baseline campus QoS design to include mechanisms such as a scavenger queue combined with DPI and edge policing, it is also able to provide a degree of protection for all of the remaining best-effort applications. The use of QoS in the campus is usually intended to protect certain application traffic flows from periods of congestion. At the same time, these networks have become larger and more complex, while the business environment and its underlying communication requirements continue to evolve. When applied to a building, the Cisco Campus Architecture naturally divides networks into the building access, building distribution, and building core layers. Time and resources to implement new business applications are decreasing. Location-based services are integrated into current WLAN systems. LLDP and LLDP-MED complement and overlap the functionality provided by CDP, but with a number of differences. As enterprises migrate to VoIP and Unified Communications, what is considered acceptable availability must also be re-evaluated. The use of physical redundancy is a critical part of ensuring the availability of the overall network. Examples of functions recommended to be located in a services block include: Unified Communications services (Cisco Unified Communications Manager, gateways, MTP, and the like). As the backbone for IT communications, the network element of enterprise architecture is increasingly critical. Adding this user experience element to the question of campus availability is very important to understand and is becoming a more important part of the question of what makes a highly available or non-stop campus network. By integrating security functions at all levels of the network, it becomes easier to provide redundant security monitoring and enforcement mechanisms.
It defines a summarization boundary for network control plane protocols (EIGRP, OSPF, Spanning Tree) and serves as the policy boundary between the devices and data flows within the access-distribution block and the rest of the network. The wired access port is a switched, full-duplex resource with dedicated hardware resources providing the access services (QoS, security) for each client. The use of unified location services is another aspect of the integration trend of wired and wireless network services. The interrelated evolution of business and communications technology is not slowing, and the environment is currently undergoing another stage of that evolution. One question that must be answered when developing a campus design is this: Is a distinct core layer required? The Cisco Campus Architecture fundamentally divides … Figure 1-17 illustrates a sample large campus network scaled for size in this publication. In a smaller campus, the network might have two tiers of switches in which the core and distribution elements are combined in one physical switch, a collapsed distribution and core. The remainder of this campus design overview and related documents will leverage a common set of engineering and architectural principles: hierarchy, modularity, resiliency, and flexibility. The campus network generally provides the highest capacity and the lowest latency of any portion of the enterprise network. The result of this basic difference is that while wireless access provides a highly flexible environment allowing seamless roaming throughout the campus, it carries the risk that the network service will degrade under extreme conditions and will not always be able to guarantee network service level requirements. The third metric to be considered in the campus design is the maximum outage that any application or data stream will experience during a network failure.
Related documents: Enterprise 3.0 Campus Architecture; Medianet Campus QoS Design 4.0; SIP-Based Trunk Managed Voice Services Solution Design and Implementation Guide (PDF, 4.5 MB); Wireless and Network Security Integration Solution Design Guide; High Availability Campus Network Design-Routed Access Layer … The amount of time that a person is willing to listen to dead air before deciding that the call (network) failed, causing the user to hang up, is variable, but tends to be in the 3-to-6 second range. Note: This document is the first part of an overall systems design guide. For detailed design guidance, see the appropriate design document that addresses each specific module. In a network of three switches connected in series, with no redundancy, the network will break if any one of the three switches breaks. Problems in one area of the network very often impacted the entire network. Capabilities such as Enhanced Object Tracking (EOT) also provide an additional level of configurable intelligence to the network recovery mechanisms. See Figure 27. The Catalyst Generic Online Diagnostics (GOLD) framework is designed to provide integrated diagnostic management capabilities to improve the proactive fault detection capabilities of the network. Hardware DPI (NBAR) provides the ability to detect undesirable application traffic flows at the network access layer and allows selected control (drop or police) of undesirable traffic. As illustrated in Figure 13, there are a number of approaches to providing resiliency, including hardening the individual components, switches, and links in the network; adding throttle or rate-limiting capabilities to software and hardware functions; providing explicit controls on the behavior of edge devices; and the use of instrumentation and management tools to provide feedback to the network operations teams.
Sub-system ISSU on the Cisco Catalyst 6500 leverages Cisco IOS modularity and the ability it provides to replace individual Cisco IOS components (such as routing protocols) without impacting the forwarding of traffic or other components in the system. The advantage of the modular approach is largely due to the isolation that it can provide. Security, QoS, and availability design overlap here, as we need to use QoS tools to address a potential security problem that is directly aimed at the availability of the network. The problem of how to detect, prevent, and mitigate the growing number of security threats requires an approach that leverages a set of security tools that scale proportionally with the size of the network. Configuring the Cisco Integrated Security Features (CISF), port security, DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard on all access ports complements the security access control policy that IBNS and NAC deliver. See Figure 28. Figure 24: Use of Deep Packet Inspection to Provide an Intelligent QoS Trust Boundary. Designing the hierarchy of the network to support consistent data flow behavior also has the effect of improving the network convergence time in the event of a failure. Many of the campus security features have already been discussed in some form in the various preceding sections. Wired ports provide much more reliable guarantees for QoS (jitter, latency) and packet reliability (multicast), and offer much higher capacity and fundamentally more isolation for Layer-1 and Layer-2 problems. The Cisco Enterprise Architecture is a modular approach to network design. Figure 4: Use of Campus Core Layer to Reduce Network Scaling Complexity. Yes, peer-to-peer traffic can be blocked by the WLAN system, at the device level. The user experience is becoming a top priority for business communication systems. The second of the two principles of structured design is modularity. See Figure 19.
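The CISF features named above are only useful if you understand how they depend on each other: DHCP Snooping builds a binding table of which MAC/IP pair obtained a lease on which port, Dynamic ARP Inspection (DAI) validates ARP on untrusted ports against that table, and IP Source Guard (IPSG) filters IP traffic the same way. The following is an added, simplified model of that decision logic written for this page; it is not Cisco switch software or code from the design guide, and the port names, VLAN and addresses are constructed for the example.

```python
"""Simplified model of how DHCP Snooping, Dynamic ARP Inspection (DAI),
IP Source Guard (IPSG) and port security cooperate on an access port.
Added illustration, not Cisco code; ports, VLANs and addresses are
constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping binding: the lease a client obtained on a port."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    # Uplinks toward the legitimate DHCP server are configured as trusted.
    trusted_ports: set = field(default_factory=set)
    # Binding table keyed by (vlan, ip); one lease per address.
    bindings: dict = field(default_factory=dict)
    # Port security: maximum MAC addresses allowed on one access port.
    max_macs: int = 2
    learned_macs: dict = field(default_factory=dict)

    def snoop_server_reply(self, ingress_port: str) -> bool:
        """DHCP Snooping: server messages (OFFER/ACK) are only honoured when
        they arrive on a trusted port, which defeats a rogue DHCP server
        plugged into a user-facing port."""
        return ingress_port in self.trusted_ports

    def learn_lease(self, client_port: str, vlan: int, mac: str, ip: str) -> str:
        """Record the binding for a lease whose ACK was snooped on a trusted
        port. Port security caps how many MACs one port may present."""
        macs = self.learned_macs.setdefault(client_port, set())
        if mac not in macs and len(macs) >= self.max_macs:
            return "drop: port-security maximum exceeded"
        macs.add(mac)
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, client_port)
        return "bound"

    def _matches(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        # A binding only counts if it was learned on this exact port.
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def inspect_arp(self, ingress_port: str, vlan: int,
                    sender_mac: str, sender_ip: str) -> str:
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a
        snooping binding for that port; otherwise the packet is dropped.
        This is what stops a host from claiming the default gateway's IP."""
        if ingress_port in self.trusted_ports:
            return "forward"
        if self._matches(ingress_port, vlan, sender_mac, sender_ip):
            return "forward"
        return "drop: ARP sender does not match DHCP snooping binding"

    def inspect_ip(self, ingress_port: str, vlan: int,
                   src_mac: str, src_ip: str) -> str:
        """IPSG: IP traffic on a guarded port must carry a source IP (and,
        with port security, a source MAC) bound to that port."""
        if ingress_port in self.trusted_ports:
            return "forward"
        if self._matches(ingress_port, vlan, src_mac, src_ip):
            return "forward"
        return "drop: source IP/MAC not bound to this port"


if __name__ == "__main__":
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"}, max_macs=1)
    print(sw.snoop_server_reply("Gi1/0/5"))                       # rogue server: False
    print(sw.learn_lease("Gi1/0/5", 10, "00:11:22:33:44:55", "10.1.10.50"))
    print(sw.inspect_arp("Gi1/0/6", 10, "66:77:88:99:aa:bb", "10.1.10.1"))  # gateway spoof
```

The design point this makes visible is the ordering: if DHCP Snooping is not enabled (or the uplink is not marked trusted), DAI and IPSG have an empty table and will either drop legitimate hosts or, on a trusted port, check nothing at all. Static hosts that never go through DHCP need explicit static bindings or ARP ACLs for the same reason.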
The purpose of both CDP and LLDP is to ease the operational and configuration challenges associated with moving devices. Examples of Types of Service and Capabilities: http://www.cisco.com/en/US/partner/products/ps7081/products_white_paper0900aecd801e659f.shtml. However, it is the flexibility that VLANs offer that has had the largest impact on campus designs. Each individual function or software module was written in such a way that it could be changed without having to change the entire program all at once. Any successful architecture or system is based on a foundation of solid design theory and principles. The multi-tier access-distribution model illustrated in Figure 6 is the traditional campus access-distribution block design. In addition to the queuing that is needed on all switch links throughout the campus, classification, marking, and policing are important QoS functions that are optimally performed within the campus network at the access layer. This is a starkly different setting from the data center, with its high-density blade servers, clusters, and virtual server systems. The network should be able to provide the reassurance that the client connecting at the internal perimeter is indeed a known and trusted client (or at least meets the minimal requirements to be safely allowed to connect at this point in the network). Three-Tier Model. The capability for each switch in the network to be programmable in the manner in which it reacts to failures, and to have that programming customized and changed over time, can improve the reactive capabilities of the network to fault conditions. Many enterprises provide network services for departmental networks or business units, hosted vendors, partners, and guests.
As a part of the process of developing the overall converged wired and wireless access architecture, it is important to understand that the drive to provide enhanced mobility must be balanced with the need to support mission-critical applications. In addition to defining when applications will fail, they also define what is disruptive to the employees and users of the network, what events will disrupt their ability to conduct business, and what events signify a failure of the network. Tools such as the Cisco MARS should be leveraged to provide a consolidated view of gathered data to allow for a more accurate overall view of any security outbreaks. Figure 15: MTBF Calculation with Serial Switches. Figure 16: MTBF Calculation with Parallel Switches. Police unwanted traffic flows as close to their sources as possible. See Figure 10. A five nines network, which has been considered the hallmark of excellent enterprise network design for many years, allows for roughly five minutes (about 5.26 minutes) of outage or downtime per year. The enterprise campus architecture can be applied at the campus scale, or at the building scale, to allow flexibility in network design and facilitate ease of implementation and troubleshooting. Accounting and performance are two aspects of the FCAPS model that are primarily concerned with the monitoring of capacity and the billing for the use of the network. Each of these principles is summarized in the brief sections that follow; they are not independent principles. Currently there are still differences in the properties and capabilities of the wired and wireless access technologies that need to be analyzed when deciding which devices should utilize wired, which should use wireless, and which need the ability to move back and forth based on changing requirements. GOLD also provides the capability to run (or schedule) potentially intrusive on-demand diagnostics. Figure 5: Traffic Recovery in a Hierarchical Design.
Any device in a VLAN can directly reach another device at Layer-2 in the same VLAN, but not a device in another VLAN unless traffic is forwarded by a Layer-3 router. One of the simplest ways to break any system is to push the boundary conditions: find the edges of the system design and look for vulnerabilities. The first is the ability of a converged network to reduce the operational costs of the overall enterprise by leveraging common systems and, more importantly, common operational support teams and processes. This unification of wired and wireless capabilities will continue as wired access begins the adoption of the IEEE 802.1AE (MACsec) and 802.1af (MACsec Key Agreement, since incorporated into 802.1X-2010) standards, which will provide both authentication and encryption between the end point and the access port, thereby supporting the same services as available with 802.11i wireless today. The list of requirements and challenges that the current generation of campus networks must address is highly diverse and includes the following: Unified Communications, financial, medical, and other critical systems are driving the requirement for five nines (99.999%) availability and the improved convergence times necessary for real-time interactive applications; and the growth in the number of onsite partners, contractors, and other guests using the campus services. Trust and identity features should be deployed at these internal perimeters in the form of authentication mechanisms such as IBNS (802.1X) or Network Admission Control (NAC). In this example, the backbone could be deployed with Catalyst 3560E switches, and the access layer and data center could utilize the Catalyst 2960G switches, with limited future scalability and limited high availability. There are three layers in the data center design. Multitier HTTP-based applications supporting web, application, and database tiers of servers dominate the multitier data center model.
For details on the design of the virtual switching distribution block, see the upcoming virtual switch distribution block design at http://www.cisco.com/go/srnd. The campus security architecture should be extended to include the client itself. The fault management process can be broken down into three stages or aspects: proactive, reactive, and post-mortem analysis. Some mechanisms, such as the Catalyst System Event Archive (SEA), can store a record of all local system events in non-volatile storage across reboots. See Figure 18. Designing into the overall campus architecture the capability to reallocate resources and implement services for specific groups of users without having to re-engineer the physical infrastructure provides significant potential to reduce overall capital and operational costs over the lifespan of the network. While it is the appropriate design for many environments, it is not suitable for all environments, because it requires that no VLAN span multiple access switches. In smaller networks, the layers can collapse into a single layer, even a single device, but the functions remain. Specific queues with a high drop probability are then assigned for the scavenger traffic; these provide a throttling mechanism in the event that the scavenger traffic begins to compete with the best-effort flows. Flexible Security Architecture: the high probability of changing traffic patterns and a continual increase in security threats as new applications and communications patterns develop will require a security architecture that can adapt to these changing conditions. Preventing unauthorized access also mitigates the threat of compromise to additional assets in the network. The core should be a high-speed, Layer 3 switching environment utilizing hardware-accelerated services, typically 10 Gigabit Ethernet.
Figure 8: Routed Access Distribution Block Design. What does it mean to create a resilient design in the context of the campus network? The core layer is the backbone for campus connectivity and is the aggregation point for the other layers and modules in the enterprise network. DHCP was the first mechanism to provide dynamic edge device network configuration and ease the movement of physical devices throughout the network. Currently most WLAN deployments do not support a full 802.11e implementation and can suffer from QoS degradation under very high traffic loads. As illustrated in Figure 21 (moving from the bottom to the top), the enterprise network has gone through several phases of integration or convergence. It records operating temperatures, hardware uptime, interrupts, and other important events and messages that can assist with diagnosing problems with hardware cards (or modules) installed in a Cisco router or switch. Loss of sound for periods of up to one second is recovered in normal speech patterns relatively easily, but beyond that it becomes disruptive to conversation and results in lost or failed communication. If you are trying to break a network, follow a similar approach. Multiple aggregation modules in the aggregation layer support connectivity scaling from the access layer. Second, what are the key modules or building blocks, and how do they relate to each other and work in the overall hierarchy? It is the first layer of defense in the network security architecture and the first point of negotiation between end devices and the network infrastructure. DPM (defects per million) is calculated by taking the total affected user-minutes for each event (the number of users affected multiplied by the duration of the event), summing them, and comparing that to the total number of user service-minutes available during the period in question, scaled to one million.
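The availability arithmetic behind the serial and parallel switch cases (Figures 15 and 16), the five nines downtime budget, and the DPM definition above are easy to get wrong when reasoning in prose, so here is an added worked example written for this page; it is not code from the design guide, and the MTBF/MTTR figures and the outage record are constructed placeholders rather than vendor data.

```python
"""Availability arithmetic for campus resiliency: per-device availability
from MTBF/MTTR, serial versus parallel (redundant) topologies, the annual
downtime implied by an availability target, and defects per million (DPM).
Added worked example; the numbers are constructed, not vendor figures."""
from dataclasses import dataclass
from typing import Iterable, List

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one device: MTBF / (MTBF + MTTR).
    Note that MTTR, not MTBF, is usually the lever you control."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def serial_availability(avails: Iterable[float]) -> float:
    """Devices in series (Figure 15): the path is up only if every device
    is up, so availabilities multiply and the result can only get worse."""
    a = 1.0
    for x in avails:
        a *= x
    return a


def parallel_availability(avails: Iterable[float]) -> float:
    """Fully redundant devices (Figure 16): the path fails only if all of
    them are down at once, so unavailabilities multiply."""
    p_all_down = 1.0
    for x in avails:
        p_all_down *= (1.0 - x)
    return 1.0 - p_all_down


def campus_path_availability(access: float, dist_pair: List[float], core: float) -> float:
    """One access switch homed to a redundant distribution pair and then a
    core device: series of (access, parallel(distribution pair), core).
    The redundant block is almost transparent; the single-homed access
    switch dominates the result."""
    return serial_availability([access, parallel_availability(dist_pair), core])


def downtime_minutes_per_year(avail: float) -> float:
    """Annual downtime budget implied by an availability target."""
    return (1.0 - avail) * MINUTES_PER_YEAR


@dataclass
class Outage:
    users_affected: int
    duration_minutes: float


def defects_per_million(outages: Iterable[Outage], total_users: int,
                        period_minutes: float = MINUTES_PER_YEAR) -> float:
    """DPM: affected user-minutes divided by user service-minutes available
    in the period, scaled to one million. Unlike raw uptime this weights an
    outage by how many users it actually hit."""
    affected = sum(o.users_affected * o.duration_minutes for o in outages)
    return affected / (total_users * period_minutes) * 1_000_000


if __name__ == "__main__":
    sw = availability(100_000, 4)        # constructed MTBF/MTTR, in hours
    print(f"single switch: {sw:.6f}")
    print(f"three in series: {serial_availability([sw] * 3):.6f}")
    print(f"two in parallel: {parallel_availability([sw, sw]):.9f}")
    print(f"five nines budget: {downtime_minutes_per_year(0.99999):.2f} min/yr")
    print(f"DPM: {defects_per_million([Outage(200, 30)], total_users=1000):.2f}")
```

Reading the numbers: three 99.9% devices in series give about 99.7%, while two of the same devices in parallel give 99.9999%, which is why the redundant distribution pair barely registers in `campus_path_availability` and the single-homed access switch sets the floor. The DPM figure for one 30-minute outage hitting 200 of 1,000 users over a year is about 11.4, which a plain uptime percentage would hide entirely.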