
Foundation Design Overview

February 2012 Series


Preface

Who Should Read This Guide

This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:

• Systems engineers who need standard procedures for implementing solutions

• Project managers who create statements of work for Cisco SBA implementations

• Sales partners who sell new technology or who create implementation documentation

• Trainers who need material for classroom instruction or on-the-job training

In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

Release Series

Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.

All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:

month year Series

For example, the series of guides that we released in August 2011 are the “August 2011 Series”.

You can find the most recent series of SBA guides at the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

How to Read Commands

Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.

Commands to enter at a CLI appear as follows:

configure terminal

Commands that specify a value for a variable appear as follows:

ntp server 10.10.48.17

Commands with variables that you must define appear as follows:

class-map [highest class name]

Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:

Router# enable

Long commands that line wrap are underlined. Enter them as one command:

wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Noteworthy parts of system output or device configuration files appear highlighted, as follows:

interface Vlan64
 ip address 10.5.204.5 255.255.255.0

Comments and Questions

If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

An RSS feed is available if you would like to be notified when new comments are posted.

Table of Contents

What’s In This SBA Guide ..... 1
  About SBA ..... 1
  About This Guide ..... 1
Introduction ..... 2
Business Overview ..... 3
  Architecture Rationale ..... 3
Architectural Overview ..... 4
  Network Foundation ..... 4
  Network Services ..... 5
  User Services ..... 5
Network Foundation ..... 6
  The LAN ..... 6
  The WAN and Remote Sites ..... 8
  Wireless ..... 9
  Internet Edge ..... 10
Network Services ..... 12
  Virtualization ..... 12
  Security ..... 12
  Application Optimization ..... 13
  Server Load Balancing ..... 13
  Guest Wireless Access ..... 14
User Services ..... 15
  Business Application Services ..... 15
  Cisco Unified Communications ..... 15
  Web Meetings and Cisco WebEx® Solutions ..... 15
Design Guide Summary ..... 16

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.


What’s In This SBA Guide

About SBA

Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.

Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization’s problems—without worrying about the technical complexity.

For more information, see the How to Get Started with Cisco SBA document:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf

About This Guide

This foundation design overview provides the following information:

• An introduction to a Cisco SBA foundation design

• An explanation of the requirements that shaped the design

• A description of the benefits that the design will provide your organization

This information helps you understand the foundation deployment guides that follow this guide, as shown on the Route to Success below.


Route to Success

To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.

For customer access to all SBA guides: http://www.cisco.com/go/sba

For partner access: http://www.cisco.com/go/sbachannel

[Route to Success diagram: Foundation Design Overview (you are here) precedes the Foundation Deployment Guide, which is followed by the Additional Deployment Guides (dependent guides).]

Introduction

The Cisco® Smart Business Architecture (SBA) Borderless Networks for Midsize Organizations is a comprehensive design for an organization with up to 1000 connected users, including an organization that may grow up to 2500 users. The architecture incorporates LAN, WAN, wireless, security, application optimization, and infrastructural elements to support unified communications technologies tested together as complete solutions.

The solution-level approach simplifies the system integration normally associated with multiple technologies, allowing you to select the parts that solve your organization’s problems rather than worrying about the technical details.

Cisco SBA is designed according to the following principles:

• Flexibility and scalability—As an organization grows, so too must its infrastructure. The products that have been selected need to have the ability to grow or be repurposed within the architecture.

• Reuse—The goal is to reuse the same products throughout the various modules, when possible, to minimize the range of products that must be kept for spares.

• Ease of use—A top requirement is to develop a design that can be deployed with a minimal amount of configuration and ongoing management.

• Cost-effective—Another critical requirement in the selection of products is to meet the budget guidelines for a midsize organization.


Business Overview

Data networks have become one of the top resources that organizations must invest in to allow the organization to succeed. A resilient, high-performance network helps to ensure that the organization can successfully pursue its goals; inversely, a poorly designed network hinders an organization. The constituents of the organization are much more productive if the network can reliably and efficiently address their requirements for data access and collaboration.

Organizations that rely on their data network to support and enable their daily operations must address the following requirements in the network’s design and deployment:

• A standardized design that addresses business use cases to eliminate guesswork and reduce idle time for newly purchased gear

• Enterprise-class reliability in products designed for midsize organizations

• Flexible architecture to help ensure easy migration and expansion as the organization grows in various ways: sizes of individual sites, total number of sites, and the number of people who comprise the organization, as well as the number and type of endpoints that comprise the network

• Uniformity of user experience, regardless of the network access method: wired and wireless network connectivity at headquarters, a remote site, or remote-access VPN

• Security and high availability for corporate information resources, servers, and Internet-facing applications

• Continual improvement in WAN performance while reducing the cost of network administration

• A solution that can be deployed and operated by IT workers who have a moderate level of technical education

Architecture Rationale

A variety of factors determine whether a user has a good experience with an application. Consider the simple web browser: We open a URL, and the page is presented to us in seconds. To make this a positive experience, three specific layers all need to function together to provide the web content to the user:

• A network that provides the foundation

• Network services that operate in the background, improving and enabling the experience without direct user awareness

• The applications or endpoints with which a person interacts directly, known as user services

Data networks must allow organizations to take advantage of their investment in capabilities that are offered in modern application software platforms. Compared to ten or even five years ago, data networks must address higher speeds and broader support for application data, particularly regarding voice and video collaboration traffic as well as applications hosted on private and public cloud-service platforms. Virtualized desktop environments, a wide variety of user endpoints, and tighter integration between the desktop and server room all demand that the network provide a fast, stable platform to assure that applications perform well enough to meet productivity expectations.

The network is critical to the operation of organizations where workforce productivity is based on the expectation of nonstop access to communications, applications, and data resources. Using a layered approach to building your network with a tested, interoperable design allows you to reduce risks and operational issues while increasing deployment speed.


Architectural Overview

As a process, architecture is the activity of designing and constructing buildings and other physical structures, primarily to provide shelter. A wider definition often includes the design of the total built environment, from the macro level of how a building integrates with its surrounding landscape to the micro level of architectural or construction details and, sometimes, furniture. Wider still, architecture in its broadest sense is the action of designing a complete system that provides a useful service to the consumer.

As such, Cisco SBA Borderless Networks for Midsize Organizations is a system that was created using a structured process to help ensure the stability of valuable business processes and assets. Cisco SBA focuses on several critical aspects:

• A standardized design, tested and supported by Cisco, reduces costs and helps you accelerate the implementation of Cisco-differentiating technology

• Optimized architecture for midsize organizations with up to 2500 users and up to 75 remote sites

• Flexible architecture to help protect your investment and ensure easy migration as the organization grows

• Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest

• Security and high availability for corporate information resources, servers, and Internet-facing applications

• Improved WAN performance and cost reduction through the use of application optimization

• Simplified design that can be deployed and operated by IT workers with a Cisco CCNA® certification or equivalent experience

• Cisco performance and reliability in products designed with the price sensitivities of midsize organizations in mind

Cisco SBA Borderless Networks for Midsize Organizations can be divided into three primary modular, yet interdependent, components for the midsize organization. They are the network foundation, network services, and user services, which have a hierarchical interdependency as shown in the following illustration.

Figure 1 - Cisco SBA components

Network Foundation

The key to the midsize Cisco SBA is the network foundation. Similar to the foundation of a building, the network foundation provides a platform that everything else relies upon. As a standalone layer, the network foundation helps ensure that information can be sent dependably from one location and received at another. How this is accomplished is completely removed from average users; all they know is that when they click the mouse, a video starts, an email is sent, or an order is processed. It just works.

Cisco intelligent infrastructure devices, such as switches, routers, and wireless devices, make it possible for the network foundation to do its work in the background.


Network Services

Network services sit on top of the network foundation. Network services are like the doors, windows, and locks of the building. A building without these components is just a box. Adding these services turns the infrastructure into a workable structure, providing reliability, security, and availability of the organization’s assets. Some users are aware of the value that network services provide, but do not directly interact with those services. An example of this would be VPN remote access. The user needs to start the VPN client to access business resources. The user does not know or care exactly how those services operate. As long as they can access their data from wherever they are at the time, users know that the network services layer is working as expected.

Cisco’s intelligent network services include virtualization, firewalls and other security devices, application optimization, and guest access.

User Services

And finally, user services sit on top of the network services. User services are like the utilities of the building: water, electricity, phone, Internet, and cable TV services. A user typically needs direct access to these services all day long. In the morning, the lights are turned on, phones are ringing, and water is available for morning beverages. As the day progresses, common utilities are what make the building a comfortable place to work. Some general user services include electronic business application software, CRM systems, email, and instant messaging. User services specific to Cisco include Cisco Unified Communications and Collaboration, voice, and video systems.


Network Foundation

Most users perceive the network as just a transport utility mechanism to shift data from one point to another as fast as possible; many sum this up as “speeds and feeds.” In reality, the network affects all traffic flows and must be aware of end-user requirements and services offered. Even with unlimited bandwidth, time-sensitive applications can be affected by jitter, delay, and packet loss. As the transport for all our session information, the design and operation of this layer is crucial to all services, and its role is vital to the success of any service placed upon it.

Figure 2 - Network foundation

The network foundation provides an efficient, fault-tolerant transport that differentiates between applications to help ensure that each has a fair share of the resource, yet still maintains a desired service level. Within the architecture, wired and wireless connectivity options provide advanced prioritization and queuing mechanisms as part of the integrated quality of service (QoS) to help ensure optimal use of the resource.

The LAN

The core layer of the local area network (LAN) at the headquarters site is the communications hub of the network. It aggregates client access to headquarters and provides the backbone connectivity for the wide area network (WAN), server room, and Internet edge, making it a critical component in the network. The LAN needs to be highly available to support mission-critical applications and real-time media. In the past, high availability meant paying for links that were redundant and sat unused. With Cisco SBA for Midsize Organizations, all network connections are active and carry real traffic.

The key component in the LAN architecture is the Cisco Catalyst switch family. It provides the following benefits to Cisco customers:

• Resilient core for very fast failure recovery for real-time media traffic

• Reduced configuration complexity with easier troubleshooting

• Full use of all network links, with no links sitting idle in a redundant configuration


Figure 3 - Resilient LAN design

In many designs, high availability adds complexity, making network troubleshooting more difficult, lowering the ease of use of the network, and forcing a tradeoff between high availability and ease of use in the design. The switch from a traditional dual-core design to the Cisco SBA Borderless Networks for Midsize Organizations LAN design reduces complexity with no loss of availability. The resilient core reduces the core configuration by 80 percent or more and makes the network easier to troubleshoot while still providing very fast recovery in the event of a failure.

In a traditional dual-core design, the same VLAN is used across multiple access switches and Spanning Tree Protocol (STP) runs to prevent Layer 2 loops in the network. STP has two major drawbacks—it is slow to recover from a failure, taking several seconds or more (much too long if the traffic on the network is real-time media like voice or video), and it has to block redundant links in the network, cutting the available bandwidth in half. In a dual-core network, it is possible to work around these issues by aggressive STP tuning and configuring unique VLANs for each access switch.

Figure 4 - Traditional dual-core design

In multiservice networks, users access four or five VLANs in the course of a normal workday. The number of VLANs and subnets that need to be configured in a dual-core design to accommodate the STP deficiencies can get very large.

The Cisco SBA Borderless Networks for Midsize Organizations core design removes these issues because it does not rely on STP for failure recovery, so a single VLAN can be used across multiple access switches. The next-generation LAN design does not require additional tuning for fast recovery.


Figure 5 - Cisco SBA LAN: Improved resilience and performance

The client access layer is the point at which user-controlled and user-accessible devices connect to the network. The Cisco SBA Borderless Networks for Midsize Organizations LAN design improves link utilization from the access layer to the core layer of the network. Both uplinks from the access layer switches are active and pass traffic, doubling the available bandwidth compared to traditional designs where one of the uplinks is blocked by STP. It is also possible to increase the throughput to the access layer or server room by increasing the number of uplinks, allowing the design to scale to meet bandwidth requirements. Because the access layer connects client devices to network services, it plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. The access layer also provides automated services like Power over Ethernet Plus (PoE+), QoS marking, and VLAN assignment for IP phones to reduce operational demands.

The new Cisco SBA Borderless Networks for Midsize Organizations LAN design improves network speed and availability, reduces complexity, and makes the network easier to troubleshoot and manage. This means less downtime, and fewer network administrators are required to operate the network for midsize organizations.

The WAN and Remote Sites

Organizations require an uninterrupted flow of information in and out of the corporate network. Cisco SBA for Midsize Organizations delivers a robust WAN design with the same technology used to help ensure that some of the largest networks stay operational. A highly available WAN helps ensure that the flow of business information can proceed without interruption.

A remote site, sometimes called a branch office, is defined as a remote location where employees conduct operations on behalf of the business. A remote site requires the same level of access to corporate applications as the headquarters, just on a smaller scale. The WAN connects remote sites to the organization via a private network and aggregates all remote-site traffic back to the headquarters location.

Figure 6 - Remote-site router with integrated services

The key component in the WAN architecture is the Cisco Integrated Services Router Generation 2 (ISR G2). It provides the following benefits to Cisco customers:

• Reduces operating expense through integrated services within a single platform, such as voice, video and data

• Protects investment with a flexible, modular design, allowing voice and video to be added when an organization needs them

• Supports all major service-provider WAN connections, public switched telephone network (PSTN) signaling, and ISDN types

• Can carry large amounts of voice and video traffic while maintaining the other core services


The primary function of the WAN router is to move data between remote sites and headquarters. The remote sites in Cisco SBA Borderless Networks for Midsize Organizations are designed to support 20 to 40 users with computers, IP phones, and wireless voice and data. Cisco ISR G2 provides the platform to deliver the growing number of services and increased performance requirements common in today’s remote sites.

Users need seamless access, both locally and across the WAN, to network services on the headquarters site. Application optimization and QoS services are implemented to increase performance over the WAN and improve the user experience. Application optimization uses compression, caching, and other optimization technologies to increase the WAN bandwidth up to four to five times the link speed. Remote-site users connected over a T1/E1 link back to headquarters feel as if they are connected to the headquarters LAN. Servers are centralized at the headquarters, reducing WAN traffic. QoS prioritizes business-critical and latency-sensitive traffic over other traffic so that voice and video performance is protected and lower-priority traffic does not interfere with critical business functions.

Wireless

Staying connected regardless of location has become a mainstay of business and daily life. Few buildings have enough wired networking ports to support every location and every person who needs to connect to an organization’s assets. Wireless networks help enable the users to stay connected and keep the flow of information moving, regardless of physical building limitations.

Wireless connectivity at the headquarters and remote sites uses Wi-Fi technology for the transmission of voice, video, and data across the midsize organization.

The key component in the wireless LAN (WLAN) architecture is the Cisco Unified Wireless Network product family. It provides the following benefits to Cisco customers:

• Network flexibility extends the boundaries of the network without the need for additional wiring.

• Centralized control of the wireless infrastructure reduces the management burden.

• A network core, preconfigured for access points to be connected to any access port, simplifies deployment.

To meet the requirements for mobility in the architecture, the design incorporates specific products and configurations to provide a secure, flexible, scalable, and cost-effective solution. Providing comprehensive wireless mobility services at the headquarters and remote sites, while also maintaining ease of use and low cost of ownership, can be challenging if access points are deployed in a standalone mode. Autonomous access points multiply the number of devices you need to configure, monitor, and manage. By using Cisco Wireless LAN Controllers, you can centrally control all of the access points, reducing the management overhead and simplifying the deployment and implementation phases.

The Cisco Wireless LAN Controller approach has many benefits in addition to being a central management point. To help ensure access to the wireless network remains secure, all employees authenticate against a corporate directory, removing the need to maintain a separate username/password store on each access point. Another challenge is providing visitors access to the network for connectivity back to their organization’s network or for Internet access. By using Cisco Wireless LAN Controllers, you can overlay a virtual guest network on the existing network without the expense of a separate infrastructure. The controller connects to the firewall at the Internet edge, providing guests with virtual network access to the Internet only, secured from the organization’s network.

Although the Cisco Wireless LAN Controller hardware is centralized, the remote-site wireless network provides wireless access to the local LAN. This avoids U-turn traffic that would otherwise have to travel to the headquarters site and then return to the remote-site network, wasting WAN bandwidth.

For future growth, the Cisco Wireless LAN Controller approach provides a foundation for more advanced functionality, including location services, unauthorized access point detection, and RF prediction and policy pro-visioning, all of which can be built on the current Cisco SBA for Midsize Organizations.


10Network FoundationFebruary 2012 Series

Figure 7 - Midsize wireless LAN topology

Internet Edge

The Internet edge is the point where the private network connects to the Internet. Traffic from internal users exits the organization’s network here, and traffic from the Internet enters the network here to reach external-facing applications like web and email. Because this is an always-on connection to the Internet that usually allows outside traffic into the network, it is a prime target for attack.

At the Internet edge, it is common to have a firewall and an intrusion prevention system (IPS) appliance to mitigate the common threats from the Internet. In the past, organizations needed at least four devices to provide secure connectivity to their employees.

The key component in the Internet edge architecture is the Cisco Adaptive Security Appliance (ASA). It provides the following benefits to Cisco customers:

• Provides fast, secure Internet access for the organization to increase productivity

• Stops attacks from the Internet that could disrupt business

• Simplifies management and configuration by combining all security functionality into a single device

Cisco SBA Borderless Networks for Midsize Organizations takes advantage of the ASA to perform all three functions in a single device, taking the number of devices from as many as six to just two. This reduces the number of devices that IT has to be trained to support. It also reduces the hardware and software maintenance costs by lowering the total number of devices on the network. Cisco ASA provides full high availability for firewall and IPS. The firewall functionality provides stateful application-layer filtering for inbound and outbound traffic, secure outbound access for users, and a demilitarized zone (DMZ) network for servers that need to be accessed from the Internet.

Figure 8 - Internet edge


Cisco ASA supports full IPS functionality to detect and block attacks, and the new Cisco SensorBase reputation filtering makes the decision about what traffic to block much easier by factoring in the reputation of the traffic source. Cisco SensorBase allows Cisco IPS to block two times the number of attacks and detect attacks based on the reputation of the source, allowing Cisco IPS to block zero-day attacks while decreasing the number of false positives. A single pair of Cisco appliances, developed with a solutions-based approach, meets the baseline security requirements of the organization for the Internet edge boundary.


Network Services

Network services operate behind the scenes and are relied on by the user services to function or improve reliability and efficiency. In some cases, the network may become unusable without them. Let’s consider our example of the web browser. The PC the browser is installed on probably obtained a network address using a dynamic addressing service, such as Dynamic Host Configuration Protocol (DHCP). The user-friendly URL was converted from a name, like www.cisco.com, to a network address by the name resolution service, Domain Name System (DNS). The request was sent over the shortest route available to a load balancer in the network that distributed the load across multiple servers, allowing the web application to scale. The network security services helped ensure that the information was protected, and malicious traffic was removed or prevented from reaching its intended target.

Figure 9 - Network services

In addition to DHCP and DNS, the architecture includes many network services, such as virtualization, security, application optimization, server load balancing, and guest wireless access.

Virtualization

Virtualization technologies can help your organization treat all IT resources as a set of shared services that can be combined and recombined to improve efficiencies and scale quickly.

The more efficiently your organization can use its existing IT assets—servers, storage, networking, and other equipment—the better your return on investment. Efficient use can also help you defer the cost of new equipment and significantly reduce power and cooling costs.

Virtualization is typically seen as a way to increase the workload capacity of servers, and to a degree, storage. Yet greater efficiencies can be gained by applying virtualization to your entire network. With some key technological advancement, combined with reconfiguration of operational processes and structures, the network can play a key role in creating a virtual infrastructure for increased efficiency.

The goal is to build a pervasive, scalable infrastructure that bridges previously siloed domains and unifies them into a fabric of shared, virtual services that can be provisioned in a fraction of the time it takes to configure a traditional application environment.

Cisco SBA Borderless Networks for Midsize Organizations creates a foundation for virtual services. In the design, VLANs are used to create logical, secure, and reliable segmentation between voice, video, data, wired, wireless, and management functions on the network. The design also supports virtual servers and storage in the server room/data center.

Security

Security is an integral part of every network deployment. With the need to have secure and reliable networks, protect information assets, and meet regulatory compliance requirements, an organization needs to deploy security services designed into the network rather than added on as an afterthought. With most networks connected to the Internet and under constant barrage from worms, viruses, and targeted attacks, organizations must be vigilant in protecting their network infrastructure, user data, and customer information.

Benefits

• Eases deployment of security technologies for regulatory compliance

• Secures remote access for employees and partners

• Protects user and organization data in the network

• Provides maximum flexibility for users with a hardware or software VPN client


Figure 10 - Security services

Remote access has become a must-have service for employees who work from the road or from home. More and more organizations are allowing partners remote access to their networks to service systems more cost-effectively. Cisco SBA Borderless Networks for Midsize Organizations provides secure remote access for users via a software or hardware client. Cisco ASA supports both Secure Sockets Layer (SSL) and IP Security (IPsec) VPN for remote access and site-to-site VPN, providing employees and partners a secure way to connect to the corporate network from the Internet. SSL VPN offers maximum flexibility, offering secure connectivity for employees and partners back to the internal network even from assets outside the organization’s control. If an existing remote access solution is deployed, the architecture is flexible and can support traditional IPsec VPN clients. Teleworkers can be supported with a hardware client that allows for an always-on connection so that home users have the same experience that they would have in the office.

Organizations have been using intrusion detection systems (IDSs) and IPS to detect and block malicious traffic on networks for years, but recent laws and private sector compliance standards have moved these systems from a nice-to-have to a must-have in corporate networks. Cisco SBA Borderless Networks for Midsize Organizations supports Cisco IPS in several form factors and performance levels. Cisco IPS can be deployed on its own as a standalone service with appliance-based solutions for high-performance LAN and server deployments or integrated into the firewall for network perimeter protection. All form factors support inline and promiscuous modes that allow the customer to inspect traffic and either send alerts when malicious traffic is detected or block the traffic in real time.

Application Optimization

Application optimization helps ensure optimal use of network resources between remote-site users and headquarters. Application optimization accelerates applications over the WAN, delivers video to the remote site, and provides local hosting of remote-site IT services. Cisco Wide Area Application Services (WAAS) allows IT departments to centralize applications and storage in the data center while maintaining LAN-like application performance, and provides locally hosted IT services while reducing the remote-site device footprint.

Benefits

• Improves productivity of remote employees via application optimization

• Minimizes remote-site IT costs by centralizing services and hardware at the headquarters site

• Responds rapidly to changing business needs; changes can be made from a central location rather than sending a technician to the remote site

• Simplifies data protection, eases compliance, and improves business continuity

Server Load Balancing

Cisco Application Control Engine (ACE) is the latest server load balancing offering from Cisco. Its main role is to provide Layer 4 through 7 switching, but Cisco ACE also provides an array of acceleration and server offload benefits, including TCP processing offload, SSL offload, compression, and various other acceleration technologies. Cisco ACE sits in the server room in front of web and other application servers, and provides a range of services to maximize server and application availability, security, and server-to-client acceleration. As a result, Cisco ACE gives organizations more control over application and server infrastructure, which enables them to manage and secure application services more easily and improve performance.

Benefits

• Scales the performance of a server-based program, such as a web server, by distributing its client requests across multiple servers

• Provides high availability by automatically detecting failures and redirecting traffic to an operational service

• Improves application performance and reduces response time by minimizing latency and delay

• Offloads TCP and SSL processing, which allows organizations to handle more users without adding servers

Guest Wireless Access

Organizations today must accommodate a wide range of guests who need Internet access while they are on site. Cisco SBA Borderless Networks for Midsize Organizations provides wireless guest access over the same access points as corporate users. Guests include customers, visitors, partners, and vendors, and to accommodate this broad set of users, guest access should be deployed throughout the network, not just in conference rooms.

Benefits

• Complexity and cost for wireless guest access services are reduced

• Guest user traffic is segmented so the organization’s traffic can remain secure

• Guest access is controlled by IT and can be provisioned with simple generic guest access or with per-user accounts

• Secure guest access is designed into Cisco SBA Borderless Networks for Midsize Organizations and no additional hardware is required

Organizations can use the wireless network in Cisco SBA Borderless Networks for Midsize Organizations to provide guest access over the same access points as the internal employees use. This capability simplifies network operations and reduces costs by reusing the same equipment for multiple services, while still providing secure access for guests.

The architecture helps ensure that the guest network does not compromise the security of the corporate network. Guest traffic is sent on a separate segment over the air, and—after it reaches the wired network—the guest traffic is tunneled to a wireless controller and dropped off on a DMZ interface on the firewall. This provides security for the organization’s network from the guest users and provides Internet access for the guests.

When guests connect to the wireless network, they get redirected to a web login screen and must enter a username and password to get access to the Internet. A simple generic guest account may be created that is reset with a new password daily or weekly, or users can be given individual guest accounts. The architecture is flexible to balance the complexity and security needs of the organization.
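The guest DMZ hand-off described above, as an added example in Cisco ASA syntax (not configuration taken from the SBA deployment guide): the guest interface, a deny-to-internal rule that is logged, and outbound translation. The interface name, addresses, and the list of internal prefixes are assumptions chosen for illustration.

```cisco
! Added example (not from the Cisco SBA deployment guide). Interface name,
! addresses and the internal prefix list below are assumed values.
!
! Guest DMZ interface where the wireless controller drops off guest traffic
interface GigabitEthernet0/2
 nameif guest-dmz
 security-level 10
 ip address 192.168.28.1 255.255.255.0
!
! Internal address space that guests must never reach. RFC 1918 ranges are
! used here as a placeholder; substitute the organization's real prefixes.
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Guest subnet, translated to the outside interface address on the way out
object network GUEST-NET
 subnet 192.168.28.0 255.255.255.0
 nat (guest-dmz,outside) dynamic interface
!
! Inbound policy on the guest interface: drop and log anything bound for
! internal networks, then allow everything else (the Internet). If guests
! must reach a DNS or web-login server on an internal segment, add a
! specific permit for that host above the deny line.
access-list GUEST-DMZ-IN extended deny ip any object-group INTERNAL-NETS log
access-list GUEST-DMZ-IN extended permit ip any any
access-group GUEST-DMZ-IN in interface guest-dmz
```

The logged denies give the security operations team a record of guest clients probing internal address space, which is the detection side of the segmentation the design calls for.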


User Services

User services compose the layer everyone is familiar with. These are the services or applications we use every day and interact with directly, from picking up the phone and using the phone service to reading email using an email client. The user experience starts here. How the application or product is designed and built affects how intuitive and easy it is to use. How well this user service interacts with the network services impacts how it performs when a user actually uses it.

Figure 11 - User services

Business Application Services

An organization’s presence on the Internet plays a key role in its success. Downtime, even for simple information portals, can mean missed opportunities. Key applications such as email, e-commerce, web portals, and enterprise resource planning (ERP) must be available for use by both internal and external users around the clock to provide uninterrupted business service. Availability of these applications can be threatened by network overload and poor resource utilization, as well as network and device failures. The high availability design of Cisco SBA provides redundant firewalls in the Internet edge; a resilient LAN design for core, access, server room and wireless, along with QoS; and embedded security—all designed to protect application availability.

Cisco Unified Communications

Cisco Unified Communications products deliver high-quality voice and video communications that scale from a few people to tens of thousands. Midsize organizations select the features and functions to meet their specific needs, from simple voicemail to complex call centers.

Web Meetings and Cisco WebEx® Solutions

Meetings are no longer only conducted face-to-face in a single location. For an organization to survive and thrive, it must conduct business across multiple time zones and across borders. The Internet provides the common medium for borderless communications, enabling location-independent collaboration.


Design Guide Summary

Whether it’s voice, video, or data, information is a critical asset that determines how well an organization runs. In the past, organizations have struggled with networking products because they were complex and difficult to use, deploy, and manage.

Cisco SBA Borderless Networks for Midsize Organizations is composed of three primary modular, yet interdependent, layers for the midsize organization. They are the network foundation, network services, and user services, with the interdependency being hierarchical—each component relies on the component below. For reliable delivery of business applications and services, both internal and external to an organization’s physical location, these three layers must work in a cohesive manner. If they don’t, voice, video, and data can fail or be compromised, placing the organization at risk.

Cisco SBA Borderless Networks for Midsize Organizations provides a prescriptive design, and the companion Borderless Networks Foundation Deployment Guide and Borderless Networks Configuration Files Guide provide step-by-step guidance and instructions for deploying the solution. Most of the work is done for you. Cisco has simplified the process while maintaining the intelligence built into every product—each product specifically selected and tested for the midsize organization.

Deploying the Cisco SBA Borderless Networks for Midsize Organizations network design helps ensure the future health of your organization by providing a stable, secure, and scalable network services infrastructure.


SMART BUSINESS ARCHITECTURE

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Americas Headquarters: Cisco Systems, Inc., San Jose, CA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands


B-0000513-1 12/11