Solution Implementation - Cisco › c › en › us › td › docs › solutions › Verticals ›...

Cisco PCI 2.0 S OL-13453-01

C H A P T E R4

Solution Implementation

OverviewCisco customers have asked Cisco to provide insight into how Cisco products can be used to address PCI DSS 2.0 requirements. To fully accomplish this goal, Cisco hired an auditor and went through the same process as retailers. To audit Cisco products for the capability to address compliance, they had to be installed and configured within a representative design.

This chapter demonstrates how the Cisco PCI Solution for Retail was installed and configured to address the specifications of PCI 2.0. Cisco partnered with RSA, HyTrust, EMC, VCE, and Verizon Business to create a comprehensive design that reflected the framework and architectural principles discussed in earlier chapters.

The Cisco PCI Solution for Retail was validated in the Cisco Retail Lab in San Jose, California. The stores, data center, WAN, and Internet edge network infrastructures were built using Cisco best practice design guides, as represented by the Connected Retail Reference Architecture (http://www.cisco.com/go/designzone). The individual components were installed and configured to adhere to PCI 2.0 specifications. Verizon Business then conducted an assessment of the design and advised on remediation for specific configurations of individual components. After the remediation was complete, Verizon Business provided a detailed reference architecture report (see Appendix B, “Verizon Business Reference Architecture Report—Cisco PCI Solution for Retail.”)

Tip An architecture is a strategic structure for the consistent design, construction, and operation of systems to achieve a desired set of outcomes.

A design is a tactical implementation of an architectural strategy, using specific configurations of products to satisfy business requirements.

Chapter 3, “Solution Architecture,” describes the enterprise architecture with regards to compliance. This chapter demonstrates a design or, in other words, a specific implementation of components to achieve these principles. Various designs can result from the solution architecture. The design that was implemented is not intended to represent the only way that Cisco and partner products can be installed to address PCI. It is intended to provide an example showing how and what was used to achieve the principles described in Chapter 3, “Solution Architecture.”

4-1olution for Retail Design and Implementation Guide

http://www.cisco.com/go/designzone

Infrastructure Infrastructure

Although every company has specific considerations that vary from this implementation, these designs and the configurations of the components in Appendix E, “Detailed Full Running Configurations,” provide an instructive example of what is needed to secure credit card data. Each component selected was audited for its capabilities, and that assessment is covered in the next chapter.

In each section, the reference architecture is shown with the corresponding design that was implemented and validated within the Cisco PCI laboratories. The full configurations of each individual component are available in Appendix E, “Detailed Full Running Configurations.”

InfrastructureThe infrastructure layer of the solution framework addresses the components such as routers, switches, firewalls, and security components, as shown in Figure 4-1.

Figure 4-1 Infrastructure Layer of the Solution Framework

The following sections describe the designs that were implemented from the reference architecture.

Figure 4-2 shows the retail enterprise-wide reference architecture.

2908

58

• Network: Routers, Switches, and Wireless • Security: Firewalls and Intrusion Detection

• Point of Sale: Servers, and Applications • Voice: Phones and Contact Center Applications • Email : Data Loss Prevention • Physical : Surveillance and Badge Access

• Authentication• Management

Internet EdgeData Center Contact CenterStore

Infrastructure

• Encryption• Monitoring

• Assess• Design• Implement• Audit

Services

ScopeAdministration

Endpoints andApplications

4-2Cisco PCI 2.0 Solution for Retail Design and Implementation Guide

OL-13453-01

Chapter 4 Solution Implementation Infrastructure

Figure 4-2 Retail Enterprise-Wide Reference Architecture

Referencing the retail enterprise-wide architecture shown in Figure 4-2, the design shown in Figure 4-3 was created in the Cisco Retail Lab.

QFP

QFP

QFP

QFP

Ecommerce/Internet Edge/Service Provider Edge(Demilitarized Zone)

2908

59

QFP

QFP

QFP

QFP

QFP

QFP

QFP

QFP

Partner Edge(Demilitarized Zone)

PublicInternetWAN

PartnerWAN

PrivateWAN Backstage

Locations

WAN Aggregation Layer

Data Center

Stores

Core Layer

Aggregation Layer

CorporateHQ

Mobile POS POS Manager PC IP Phone Surveillance

POS Server

www

Services Layer

Access Layer

Host/Server/Farm Layer and Storage

IP

QFPQFP


OL-13453-01


Figure 4-3 Cisco PCI Solution for Retail Lab Architecture

Note the following:

• Six store designs were selected to represent Cisco and partner products.

• The data center consists of a single aggregation block based on the Data Center 3.0 architecture.

• The Internet edge is representative of both the e-commerce and partner edge for the purposes of validation.

The following sections describe this enterprise-wide design in more detail, and demonstrate what was implemented within the lab.

StoresMultiple store footprints were implemented that address a variety of business objectives. Each store footprint section contains designs that were extracted from the reference architecture. Each design contains the following:

• Reference architecture

• Store design

– Logical topology

– Addressing plan

– Components selected

IP IP

IP

MSE

www www

3750 3750

LargeStore

MediumStore

SmallStore

MiniStore

Managed ServiceStore

ConvenienceStore

Internet Edge Data Center

Access

Core

Service Aggregation

WAN Aggregation

Management Servers Application Servers

ServiceProviderInternet

DMZ Servers

DMZ

IronPortIronPort

Secure IDMobile Worker

ServiceProvider

Private WAN

2904

17


OL-13453-01


For component compliance functionality, see Chapter 5, “Component Assessment.”. For full device configurations, see Appendix E, “Detailed Full Running Configurations.”

Note Each of these store designs includes a variety of components that can be interchangeably used between them, depending on business requirements. For validation purposes, it was not necessary to implement all possible components in each design.

Small Store Architecture

The small store network scenario, shown in Figure 4-4, meets the following design requirements:

• Store size averages between 2000–6000 square feet

• Fewer than 25 devices requiring network connectivity

• Single router with firewall/IPS, integrated Ethernet switch, compact switch, and power-over-Ethernet (PoE)

• Preference for integrated services within fewer network components because of physical space requirements

• Wireless connectivity

Figure 4-4 Small Store Architecture

StoreWorker

PC

DataVLAN/WLAN

2914

76

MobilePoS

PoS CashRegister

PoS VLAN/WLAN

Cisco Integrated Services Router(IOS Security and Ethernet Switch)

PoSServer

InventoryManagement

Alternate WANConnection

Primary WANConnection

Cisco 802.11AGWLAN Access Point

WCS

ACS

RSAenVision

SecurityManager

Centralized ManagementServers


OL-13453-01


The small store reference architecture is a powerful platform for running an enterprise retail business that requires simplicity and a compact form factor. This combination appeals to many retail formats that can include the following:

• Small store—Specialty shops, discount retailers

• Mini stores—Fuel stations, mall outlet

• Convenience stores—Pop-up stores, mall kiosks

• Managed service provider store—WAN access controlled by service provider

This network architecture is widely used and consolidates many services into fewer infrastructure components. The small store also supports a variety of retail business application models because an integrated Ethernet switch supports high-speed LAN services. In addition, an integrated content engine supports centralized application optimization requirements such as Web Cache Communications Protocol (WCCP)-based caching, pre-positioning of data, local media streaming, and other application velocity services.

Advantages include the following:

• Lower cost per store

• Fewer parts to spare

• Fewer software images to maintain

• Lower equipment maintenance costs

Limitations include the following:

• Decreased levels of network resilience

• Greater potential downtime because of single points of failure

Small Store—Small Design

Figure 4-5 shows the small store network design.


OL-13453-01


Figure 4-5 Small Store Network Design

Components Selected

• Cisco 2921 Integrated Services Router (ISR)

• Cisco Catalyst 2960S 48-port PoE Switch

• Cisco Aironet 3502i Access Points

• Cisco Video Surveillance 4500 Series IP Cameras

• Cisco Physical Access Gateway

R-A2-SMALL-1

Small Store IP Addressing

10.10.255.128/24

SRE1/0: 10.10.142.41/30

Cisco2921-VSECSRST/IPS/FWL0: 10.10.142.1/32

2904

28

Data Center

SimulatedPrivate

MPLS WAN

G0/3 G0/4 G0/5

G0/1

Stack

Stack

Store Workstation10.10.128.82/24

HREAP

10.10.x.1for all vlans

Trun

kTr

unk

Voi

ce/D

ATA

CA

PW

AP

AIR-CAP3502IVLAN18:10.10.135.11/24Cisco7975

VLAN13:10.10.130.100/24

WS-C2960S-48FPD-LVLAN1000:10.10.143.11/24

WS-C2960S-48FPD-LSTACK


CIAC-GW-K910.10.137.201/24

CIVS-IPC-450010.10.137.101/24

CAPWAP

G0/0

G0/1

10.10.254.128/24

G0/1

10.10.128.0 255.255.240.0 Small Store Aisle 2

VLAN11 (POS)VLAN12 (Data)VLAN13 (Voice)VLAN14 (Wireless)VLAN15 (Wireless POS)VLAN16 (Partner)VLAN17 (Wireless Guest)VLAN18 (Wireless Control)VLAN19 (WAE) VLAN20 (Security Systems)(Future) (Future) (Future) (Future)Other- (Misc)R-A2-Small-1 Loop 0 (Future)(Future) (Future) (Future) VLAN 110 (SRE-SM)VLAN 111 (SRE-SM)VLAN1000(Management)

10.10.128.0 /2410.10.129.0 /2410.10.130.0 /2410.10.131.0 /2410.10.132.0 /2410.10.133.0 /2410.10.134.0 /2410.10.135.0 /2410.10.136.0 /2410.10.137.0 /2410.10.138.0 /2410.10.139.0 /2410.10.140.0 /2410.10.141.0 /2410.10.142.0 /2410.10.142.1 /3210.10.142.16 /3010.10.142.20 /3010.10.142.24 /3010.10.142.28 /3010.10.142.32 /29 10.10.142.40 /3010.10.143.0 /24 S-A2-SMALL-1

S-A2-SMALL-2

MSE

WAAS/UCS-X

IP

IP

G0/2

Cisco9971VLAN13:

10.10.130.101/24

G0/4

G0/4


OL-13453-01


Small Store—Mini Design

The mini store represents an alternate design for the small store architecture, using different components.

Figure 4-6 shows the mini store network design.

Figure 4-6 Mini Store Network Design

Components Selected


• Cisco Catalyst 2960 Switch

• Cisco Aironet 3502e Access Point

G0/0

R-A2-MINI-1

Mini Store IP Addressing

10.10.255.144/24

CISCO1941WL0: 10.10.158.1/32

2904

27

Data Center

SimulatedPrivate

MPLS WAN

G0/2 G0/8

G0/8

G0/1


HREAP


Trun

kS

FP

-Fib

er T

runk

AIR-CAP3502EVLAN18:

10.10.151.11/24

WS-C2960G-8TC-LVLAN1000:10.10.159.11/24

G0/1

Trun

k

G0/1

10.10.144.0 255.255.240.0 Mini Store Aisle 2

VLAN11 (POS)VLAN12 (Data)VLAN13 (Voice)VLAN14 (Wireless)VLAN15 (Wireless POS)VLAN16 (Partner)VLAN17 (Wireless Guest)VLAN18 (Wireless Control)VLAN19 (WAE) (Future) (Future) (Future) (Future) (Future)Other- (Misc)R-A2-Mini-1 Loop 0 (Future)(Future) (Future) (Future) VLAN 110 (Wireless NM)VLAN 111 (WAE ManagementVLAN1000(Management)

10.10.144.0 /2410.10.145.0 /2410.10.146.0 /2410.10.147.0 /2410.10.148.0 /2410.10.149.0 /2410.10.150.0 /2410.10.151.0 /2410.10.152.0 /2410.10.153.0 /2410.10.154.0 /2410.10.155.0 /2410.10.156.0 /2410.10.157.0 /2410.10.158.0 /2410.10.158.1 /3210.10.158.16 /3010.10.158.20 /3010.10.158.24 /3010.10.158.28 /3010.10.158.32 /29 10.10.158.40 /3010.10.159.0 /24

S-A2-MINI-1

WS-C2960-8TC-LVLAN1000:

10.10.159.12/24

S-A2-MINI-1

MSE


OL-13453-01


Small Store—Convenience Design

The convenience store represents an alternate design for the small store architecture. Figure 4-7 shows the convenience store network design.

Figure 4-7 Convenience Store Network Design

Components Selected

• Cisco 891 Series Integrated Services Router (ISR)

• Cisco Catalyst 2960 Series Switch

• Cisco Aironet 1042N Access Point

R-A2-CONV-1

Convenience Store IP Addressing

10.10.255.160/24

CISCO891W-AGNL0: 10.10.174.1/32

2904

26

Data Center

SimulatedPrivate

MPLS WAN

SimulatedPublic

Internet

F0/3 F0/2

F0/1


HREAP


DHCP

Trun

kTr

unk

AIR-CAP1042NVLAN18:

10.10.167.11/24

WS-C2960PD-8TT-LVLAN1000:10.10.175.11/24

CAPWAP

Fa0

Fa8

G0

10.10.160.0 255.255.240.0 Convenience Store Aisle 2

VLAN11 (POS)VLAN12 (Data)VLAN13 (Voice)VLAN14 (Wireless)VLAN15 (Wireless POS)VLAN16 (Partner)VLAN17 (Wireless Guest)VLAN18 (Wireless Control)VLAN19 (WAE) (Future) (Future) (Future) (Future) (Future)Other- (Misc)R-A2-Conv-1 Loop 0 (Future)(Future) (Future) (Future) (Future) (Future)VLAN1000(Management)

10.10.160.0 /2410.10.161.0 /2410.10.162.0 /2410.10.163.0 /2410.10.164.0 /2410.10.165.0 /2410.10.166.0 /2410.10.167.0 /2410.10.168.0 /2410.10.169.0 /2410.10.170.0 /2410.10.171.0 /2410.10.172.0 /2410.10.173.0 /2410.10.174.0 /2410.10.174.1 /3210.10.174.16 /3010.10.174.20 /3010.10.174.24 /3010.10.174.28 /3010.10.174.32 /29 10.10.174.40 /3010.10.175.0 /24

S-A2-CONV-1

MSE


OL-13453-01


Small Store—Managed Service Provider Design

The managed service provider store represents an alternate design for the small store architecture. Figure 4-8 shows the managed service provider network design.

Figure 4-8 Managed Service Provider Network Design

Components Selected

• Cisco ASA 5510 Firewall with SSM-10

• Cisco Catalyst 3560E Switch

• Cisco Aironet 3502e Access Points

Managed Service Provider StoreIP Addressing

10.10.255.176/24

10.10.191.21

FW-A2-MSP-1ASA5510

2904

25

Data Center

SimulatedPrivate

MPLS WAN

G0/3 G0/2

G0/1


HREAP


Trun

kTr

unk

AIR-CAP3502EVLAN18:

10.10.183.11/24

WS-C3506E-PS-24VLAN1000:10.10.191.11/24

F0/1

F0/0

10.10.176.0 255.255.240.0 MSP Store Aisle 2

VLAN11 (POS)VLAN12 (Data)VLAN13 (Voice)VLAN14 (Wireless)VLAN15 (Wireless POS)VLAN16 (Partner)VLAN17 (Wireless Guest)VLAN18 (Wireless Control)VLAN19 (WAE) (Future) (Future) (Future) (Future) (Future)Other- (Misc)R-A2-MSP-1 Loop 0 SP to FW link (Future) (Future) (Future) (Future) (Future)VLAN1000(Management)

10.10.176.0 /2410.10.177.0 /2410.10.178.0 /2410.10.179.0 /2410.10.180.0 /2410.10.181.0 /2410.10.182.0 /2410.10.183.0 /2410.10.184.0 /2410.10.185.0 /2410.10.186.0 /2410.10.187.0 /2410.10.188.0 /2410.10.189.0 /2410.10.190.0 /2410.10.190.1 /3210.10.190.16 /3010.10.190.20 /3010.10.190.24 /3010.10.190.28 /3010.10.190.32 /29 10.10.190.40 /3010.10.191.0 /24

S-A2-MSP-1

MSE

G0/11

SSM


OL-13453-01


Medium Store Architecture

The medium store network scenario, shown in Figure 4-9, meets the following design requirements:

• Store size averages between 6,000–18,000 square feet

• The physical size of the store is smaller than a large store, so a distribution layer of network switches is not required

• Number of devices connecting to the network averages 25–100 devices

• Redundant LAN and WAN infrastructures with firewall/IPS

• Wireless connectivity

Figure 4-9 Medium Store Architecture

The medium retail store reference architecture is designed for enterprise retail businesses that require network resilience and increased levels of application availability over the small store architecture and its single-threaded, simple approach. As more mission-critical applications and services converge onto the IP infrastructure, network uptime and application availability are more important. The dual-router and dual-LAN switch design of the medium store supports these requirements. Each of the Cisco ISR routers can run Cisco IOS Software security services and other store communication services

StoreWorker

PC

DataVLAN/WLAN

MobilePoS

PoS CashRegister

PoS VLAN/WLAN

PoSServer Inventory

Management

2914

77

Partner Devicefor InventoryManagement

Personal Shopper/PDA for EnhancedCustomer Service

Cisco ISR(WLC and WAAS)

Cisco ISR IOS(VSOM/VSMS and UCS-X)

Vendor/GuestWVLAN

Cisco 802.11a/b/gWLAN Access Points


ManagementVLAN

Catalyst Switches(Power over Ethernet and Security)

CentralizedManagement

Servers



OL-13453-01


simultaneously. Each of the Cisco ISR routers is connected to a dedicated WAN connection. Hot Standby Routing Protocol (HSRP) is used to ensure network resilience in the event that the network connection fails.

The access layer of the network offers enhanced levels of flexibility and more access ports compared to the small store. Up to 12 wireless access points can be installed in the store, supported by the Cisco Wireless Control System (WCS) controller as tested and without adding more controllers. The distributed Cisco Catalyst switches can support a combination of larger physical buildings or a larger number of endpoints than the small store.


• More adaptive access layer with support for a greater number of endpoints and more diverse building requirements (multiple floors, sub-areas, and so on)

• Improved network resilience through parallel device design

• Improved network and application availability through parallel paths


• No distribution layer between core layer (the ISR) and the access layer switches

• Single WCS Controller decreases in-store resilience of the wireless network; the recommendation is to have store APs fallback to the central WCS controller if the local WCS controller fails, or to install dual-local WCS controllers.


OL-13453-01


Medium Store—Design

Figure 4-10 shows the medium store network design.

Figure 4-10 Medium Store Network Design

Components Selected


• Cisco Catalyst 3750X 48-port PoE Switch

• Cisco Catalyst 2960 Compact Switch

• Cisco Aironet 3502e and 1262N Access Points

• Cisco Video Surveillance 2421 IP Dome Camera

• Cisco Video Surveillance 2500 Series IP Camera

• Cisco Operations Manager v4.1


S-A2-MED-1

S-A2-MED-3

S-A2-MED-2

2904

29

G20/1G20/2G1/0/1

G1/0/3

G1/0/4 G1/0/6

G10/2

Stack StackWS-C3750X-48PF-SSTACK

AIR-LAP1262N10.10.119.11/24

WS-C3750X-48PF-SVLAN1000:

10.10.127.11/24

WS-C2960CPD-8PT-LVLAN1000:

10.10.127.13/24

Voi

ce/D

ata


Cisco797510.10.114.100/24

IP

Cisco997110.10.114.101/24

IP

G1/0/5

CIVS-IPC-450010.10.121.101/24 CIVS-IPC-2421

10.10.121.102/24

CIVS-IPC-2500W10.10.121.103/24

CIVS-IPC-2530V10.10.121.105/24

CIVS-IPC-242110.10.121.104/24

CIAC-GW-K910.10.105.201/24

CA

PW

AP

Tru

nk

CA

PW

AP

Tru

nk

AIR-CAP3502I10.10.135.12/24

CISCO2951-VSECSRST/IPS/FW

L0: 10.10.126.1/32

CISCO2951-VSECSRST/IPS/FWL0: 10.10.126.2/32

R-A2-MED-1 R-A2-MED-2

10.10.254.112/2410.10.255.112/24

G0/0

G0/1 G0/2 G0/2 G0/1

G0/0

Data Center

SimulatedPrivate

MPLS WANCIAC-PAME

Medium Store IP Addressing10.10.112.0 255.255.240.0 Medium Store Aisle 2

VLAN11 (POS)VLAN12 (Data)VLAN13 (Voice)VLAN14 (Wireless)VLAN15 (Wireless POS)VLAN16 (Partner)VLAN17 (Wireless Guest)VLAN18 (Wireless Control)VLAN19 (WAE) VLAN20 (Security Systems)(Future) (Future) (Future) (Future)Other- (Misc)R-A2-MED-1 Loop 0 R-A2-MED-2 Loop 0(Future)(Future) VLAN101 (Router Link)VLAN102 (Router Link)VLAN 110 (SRE-SM)VLAN 111 (SRE-SM)VLAN 112 (SRE-SM)VLAN 113 (SRE-SM)VLAN1000 (Management)

10.10.112.0 /2410.10.113.0 /2410.10.114.0 /2410.10.115.0 /2410.10.116.0 /2410.10.117.0 /2410.10.118.0 /2410.10.119.0 /2410.10.120.0 /2410.10.121.0 /2410.10.122.0 /2410.10.123.0 /2410.10.124.0 /2410.10.125.0 /2410.10.126.0 /2410.10.126.1 /3210.10.126.2 /3210.10.126.16 /3010.10.126.20 /3010.10.126.24 /3010.10.126.28 /3010.10.126.32 /29 10.10.126.40 /3010.10.126.44 /3010.10.126.48 /3010.10.127.0 /24

Trun

k

Trun

k

Trun

k

SRE2/0: 10.10.126.41/30

NME1/0: 10.10.126.33/30

WAAS

WLC

SRE2/0: 10.10.126.50/30

SRE1/0: 10.10.126.45/30

UCS-X

VSOM/VSMS

G1/0/7 G2/0/12

G2/0/13

G2/0/14

G2/0/15


OL-13453-01


Large Store Architecture

The large store network scenario, shown in Figure 4-11, meets the following design requirements:

• Store size averages between 15,000–150,000 square feet

• More than 100 devices per store requiring network connectivity

• Multiple routers with firewall/IPS for primary and backup network requirements

• Preference for a combination of network services distributed within the store to meet resilience and application availability requirements

• Tiered network architecture within the store; distribution layer switches are employed between the central network services core and the access layer connecting to the network endpoints (POS, wireless APs, servers)

Figure 4-11 Large Store Architecture

MobilePoS


CentralizedManagement

Servers

2914

78

InventoryManagement

Personal Shopper/PDA Customer

Service

Data VLAN/ WVLAN

Vendor/GuestWVLAN

Cisco 802.11a/b/gWLAN Access Points

WirelessControllers

ManagementVLAN


Cisco ISRs(IOS Security)

BranchWorker

PC

PoS

PoS VLAN/WLAN

PoSServer

Catalyst Switches(Distribution and Access)

Vendor Devicefor InventoryManagement


OL-13453-01


The large retail store reference architecture takes some of the elements of Cisco campus network architecture recommendations and adapts them to a large retail store environment. Network traffic can be better segmented (logically and physically) to meet business requirements. The distribution layer of the large store architecture can greatly improve LAN performance while offering enhanced physical media connections (that is, fiber and copper for connection to remote access layer switches and wireless access points). A larger number of endpoints can be added to the network to meet business requirements. This type of architecture is widely used by large format retailers globally. Dual routers and distribution layer media flexibility greatly improve network serviceability because the network is highly available and scales to support the large retail store requirements. Routine maintenance and upgrades can be scheduled and performed more frequently or during normal business hours because of parallel path design.


• Highest network resilience based on highly available design

• Port density and fiber density for large retail locations

• Increase segmentation of traffic

• Scalable to accommodate shifting requirements in large retail stores


• Higher cost because of network resilience based on highly available design

• These retail store network designs are capable of helping a retailer achieve PCI compliance, and also serve as the scalable platform for new services and applications


OL-13453-01


Large Store Design

Figure 4-12 shows the large store network design.

Figure 4-12 Large Store Network Design

Components Selected


• Cisco Catalyst 3560X and 4500 switches

• Cisco Aironet 3502e and 3502i Access Points

• Cisco 5508 Wireless Controller

• Cisco 4500 Video Surveillance Camera


CISCO3945-VSECSRST/IPS/FW

L0: 10.10.110.1/32

CISCO3945-VSECSRST/IPS/FWL0: 10.10.110.2/32

R-A2-LRG-1 R-A2-LRG-2

S-A2-LRG-3 S-A2-LRG-4

S-A2-LRG-1 S-A2-LRG-2

G0/1.101:10.10.110.25/30

10.10.254.96/2410.10.255.96/24

G0/0.102:10.10.110.30/30

WS-4507R10.10.111.12/24

WAVE-A2-LRG-1WAVE547

10.10.104.150/24MSP-A2-LRG-1

CPS-MSP-1RU-K910.10.105.11

2904

30

G6/45

G0/2

G0/0 G0/1 G0/0 G0/1

G0/2

G6/47G6/47 G6/45

G2/3 G6/10 G2G6/18

G6/1 G1G6/17

G6/43

G0/2G0/1G0/1

G0/25

G0/2

G6/41G6/43G6/41

Data Center

SimulatedPrivate

MPLS WANCIAC-PAME

WS-4507R10.10.111.11/24

WS-C3560X-48PF-S10.10.111.14/24

WS-C3560CPD10.10.111.15/24

WS-C3560X-48PF-S10.10.111.13/24

WLC-A2-LRG-1AIR-CT5508-12-K9G1:10.10.103.10/24G2:Trunk Vlan14-17

G6/10G2 G6/18

G6/1G1 G6/17

G6/43G6/41


Voi

ce/D

ATA

Cisco7975VLAN13:

10.10.98.100

Store Server VM10.10.96.81/24

UCS-C200SRV-A2-LRG-01 – ESXi

IP

Cisco9971VLAN13:

10.10.98.101

IP

G0/4 G0/6

CIAC-GW-K910.10.105.201/24

CIVS-IPC-450010.10.105.101/24

G0/5 G0/4 G0/7G0/3G0/11

AIR-CAP3502E10.10.103.11/24

AIR-CAP3502I10.10.135.12/24

Large Store IP Addressing10.10.96.0 255.255.240.0 Large Store Aisle 2

VLAN11 (POS)VLAN12 (Data)VLAN13 (Voice)VLAN14 (Wireless)VLAN15 (Wireless POS)VLAN16 (Partner)VLAN17 (Wireless Guest)VLAN18 (Wireless Control)VLAN19 (WAE) VLAN20 (Security Systems)(Future) (Future) (Future) (Future)Other- (Misc)R-A2-LRG-1 Loop 0 R-A2-LRG-2 Loop 0(Future)(Future) VLAN101 (Router Link)VLAN102 (Router Link)VLAN 110 (SRE)VLAN 111 (WAE Management)VLAN1000 (Management)

10.10.96.0 /2410.10.97.0 /2410.10.98.0 /2410.10.99.0 /2410.10.100.0 /2410.10.101.0 /2410.10.102.0 /2410.10.103.0 /2410.10.104.0 /2410.10.105.0 /2410.10.106.0 /2410.10.107.0 /2410.10.108.0 /2410.10.109.0 /2410.10.110.0 /2410.10.110.1 /3210.10.110.2 /3210.10.110.16 /3010.10.110.20 /3010.10.110.24 /3010.10.110.28 /3010.10.110.32 /29 10.10.110.40 /3010.10.111.0 /24


OL-13453-01


Data CenterThe data center is where centralized data processing, data storage, and data communications take place (see Figure 4-13). The data center is also the place where management systems are deployed. The data center provides centralized control from an administrative perspective because it is typically where the tools that are used to monitor and enforce compliance are deployed.

Figure 4-13 Data Center Architecture

Design considerations are as follows:

• Centralized solution management supports all aspects of network, security, and systems management; and supports remote access from anywhere on the network.

• Standardized equipment and software images, deployed in a modular, layered approach, simplify configuration management and increase the systems availability.

• The highly available data center design permits highly resilient access from stores to core data and storage services.

• WAN aggregation alternatives allow flexible selection of service provider network offerings.

• The service aggregation design allows for a modular approach to adding new access layers and managing shared network services (for example, firewall, IPS, application networking, wireless management)

Stores

QFP

QFP

QFP

QFP

Ecommerce/Internet Edge/Service Provider Edge(Demilitarized Zone)

2908

62

QFP

QFP

QFP

QFP

QFP

QFP

QFP

QFP

Partner Edge(Demilitarized Zone)

PublicInternetWAN

PartnerWAN

PrivateWAN Backstage

Locations

WAN Aggregation Layer

Data Center

Core Layer

Applications

Aggregation Layer

CorporateHQ

www

Services Layer

Access Layer

Host/Server/Farm Layer and Storage

CiscoNAC/ISE

CiscoACS

EMC IonixNCM

RSAenVision

RSAKey Manager

HyTrustAppliance

NTP DNS ActiveDirectory

CiscoSecurityManager

CiscoWCS

Cisco VoiceSolutions

InfrastructureServicesEMC Ionix

NCMRSA

ArcherRSA

AuthenticationManager

VMwarevSphere

CVP

ICM

CC

M

QFPQFP


OL-13453-01


• Firewall, IPS, and application networking services are available at the service and aggregation layers of the data center.

• Scalability to accommodate shifting requirements in data center compute and storage requirements.

• WAN access speeds are typically the limiting factor between the store network systems and the WAN aggregation layer.

• It is typical for retailers to over-subscribe the WAN circuits between the stores and the WAN edge aggregation router. Over-subscription can cause inconsistent results and packet loss of payment card information in the event that more traffic enters the WAN circuit simultaneously.

• Backup network connections from store networks to the data center are recommended when payment card information is transported via the WAN.

Figure 4-14 shows the data center design.

Figure 4-14 Data Center Design

Data centers can house many types of functions and the term itself can encompass narrow and broad aspects. For the purposes of this guide, data centers include the following functions:

• WAN aggregation layer—Aggregates the store and backstage WAN connections to the core

• Core layer—Highly available, high-speed area that is the central point of connectivity to all data center areas

• Aggregation block—Aggregates the services of one area and connects that area to the core, including Vblock1 design

• Internet edge—Secure connectivity to the Internet

MSE

www www

3750 3750

Internet Edge Data Center

Access

Core

Service Aggregation

WAN Aggregation

Management Servers Application Servers

DMZ Servers

DMZ

IronPortIronPort

2914

79


OL-13453-01


WAN Aggregation Layer Design

Figure 4-15 shows the WAN aggregation layer design.

Figure 4-15 WAN Aggregation Layer Design

Components Selected

• Cisco ASR 1002-Fixed Router

• Cisco ASA 5540 Adaptive Security Appliance

• Cisco Catalyst 3750X Switch

HSRP192.168.11.1/24

2914

80

G0/0/0

G1/0/1 G2/0/1

G1/0/2 G2/0/2

G1/0/2 G2/0/2

G1/0/11 G2/0/11

G2/0/1 G1/0/1

G0/0/0

G0/0 G0/0

G0/1

G0/3 G0/3

SSM SSMG0/1

G0/0/2 G0/0/2

192.168.11.2

192.16.11.24192.16.11.23

192.168.11.3

10.10.1.6 10.10.2.6

Failover-link

Service ProviderSimulated Private MPLS Cloud

Stores

WAN Aggregation

RWAN-1

ASA-WAN-1192.168.11.20(21)Transparent-mode

SWAN-1(2)192.168.11.14 /24

SWAN-3(4)192.168.11.13/24

RWAN-2

ASA-WAN-2Standby


OL-13453-01


Core Layer Design

Figure 4-16 shows the core layer design.

Figure 4-16 Core Layer Design

Components Selected

• Cisco Catalyst 6500-E Switch

2914

81

T2/3-4 T2/3-4

G1/1 G1/1

192.168.11.11 192.168.11.12

192.168.10.29/30 192.168.10.29/30

HSRP192.168.11.10

Core Layer

RCORE-1L0: 192.168.1.1/32

RCORE-2L0: 192.168.1.2/32


OL-13453-01


Aggregation Block Design

Figure 4-17 shows the aggregation block design.

Figure 4-17 Aggregation Block Design

Components Selected

• Cisco ASA 5585-X Adaptive Security Appliance

• Cisco Nexus 7010 Switch


– Cisco ACE 20

– Cisco IDSM-2

• Cisco Nexus 5020 Switch

• Cisco Catalyst 4948 Switch

T1/29-32

T2/3-4 T2/3-4

T1/29-32

T1/21-24

T1/11-12T1/9-10T1/6&8T1/2&4

E2/1-2 E2/3-4 E2/1-2 E2/3-4 E1/33-34 E1/35-36 E1/35-36 E1/33-34 G1/0/48 G1/0/47

T1/14

T1/18

T1/17

T1/1 T1/2 T1/1 T1/2

T2/6

T2/5

T2/2

T2/1

T2/6

T2/5

T2/2

T2/1T1/16

T1/15

T1/20

T1/19

T1/18

T1/17

T1/16

T1/15

T1/20

T1/19

T1/7

T1/5

G2/3

G2/1

T1/7

T1/5

G2/3

G2/1

G0/1

G0/0

T0/7

T1/1 T1/3 T1/1 T1/3

T2/1 T2/2 T2/1 T2/2

T0/6

G0/1

G0/0

T0/7

T0/6

T0/9

T0/8

T0/9

T0/8

T1/13 T1/11-12T1/9-10T1/6&8T1/2&4 T1/14T1/13

G2/14

G2/13 G2/13

G2/14

T1/21-24

vPC99

VDC-1L0: 192.168.1.11

Ports:T1/1-8, 25-32, G2/1-12

VDC-1L0: 192.168.1.12

Ports:T1/1-8, 25-32, G2/1-12

T1/1-9-24

PC-111 PC-112 PC-1 PC-2 PC-3 PC-4

T1/1-9-24

VDC-2L0: 192.168.1.31

VDC-2L0: 192.168.1.32

VLAN 172 = State VLANVLAN 171 = Failover VLAN

VLAN 172 = State VLANVLAN 171 = Failover VLAN

192.168.42.39

Active/ActiveService Chassis

Design

Active/ActiveService Chassis

Design

VLAN152

VLAN154

VLAN164,42,804

VLAN172

VLAN171

VLAN162

VLAN162

VLAN152

VLAN152

VLAN151

VLAN161

VLAN42,164,803VLAN154

VLAN172

VLAN171

VLAN162

VLAN152

VLAN162VLAN152

VLAN151

VLAN161

VLAN154VLAN162

VLAN164

VLAN163 VLAN156

Access Layer

Core Layer

Services LayerServices Layer

Aggregation Layer

PC99

PC99

L3

F-UCS-1Fabric-6120

192.168.42.41

F-UCS-2Fabric-6120

192.168.42.42

SACCESS-1Catalyst 4948192.168.42.33


SACCESS-3Nexus 5020

M: 192.168.42.31

SACCESS-4Nexus 5020

M: 192.168.42.32


RSERV-2L0: 192.168.1.22/32

RSERV-2L0: 192.168.1.22/32

ACE20

VDC-2

VDC-1

VDC-2

VDC-1

IDSM2

192.168.42.38

ACE20

IDSM2

RAGG-2Nexus7010

M0: 192.168.42.37

RAGG-1Nexus7010

M0: 192.168.42.36

RCORE-1Catalyst6509-E

L0: 192.168.1.1/32

RCORE-1Catalyst6509-E

L0: 192.168.1.2/32

ASA-DC-2ASA55x0

M0: 192.168.42.22To SACCESS-5

G1/14

ASA-DC-1ASA55x0

M0: 192.168.42.21To SACCESS-5

G1/13

192.168.10.26/30192.168.10.14/30

192.168.10.25/30192.168.10.13/30

192.168.10.18/30192.168.10.22/30

192.168.10.17/30

192.168.10.29/30 192.168.10.30/30

192.168.10.21/30

2904

19


OL-13453-01


Vblock Design

Figure 4-18 shows the Vblock design.

Figure 4-18 Vblock Design

Components Selected

• Cisco UCS 5108 Blade Server Chassis

– Cisco UCS B200 Blade Server

• Cisco UCS 6120 Fabric Interconnect

• Cisco MDS 9506 Multilayer Director

• EMC CLARiion CX4 Model 240

2904

20

E1/2&4 E1/6&8

G1/1 G1/1

192.168.41.40

F-UCS-CLUSTER

PC-11

vPC

Nexus 7010RAGG-1

Nexus 7010RAGG-2

MDS 9506MDS-DC-1

192.168.41.51

MDS 9506MDS-DC-2

192.168.41.52

Fabric-6120F-UCS-1

192.168.41.41

UCS 5108DC-UCS-1

UCS 5108DC-UCS-2

Fabric-6120F-UCS-2192.168.41.42

PC-111

E2/1-2

E1/9-12 E1/13-16

E2/3-4

E1/2&4 E1/6&8

PC-12

PC-112

PC-11PC-12

E1/2&4

TG1/29-32 TG1/29-32

L1-L2

E1/1-4Left

E1/1-4Right

E1/1-4Right

E1/1-4Left

A2

2/36

2/362/122/12

2/252/25

2/262/262/24

2/482/48

F1F2 B2 A3 B3 A2 B2 A3 B3

F1

F2

2/24

E1/2&4

E1/9-12 E1/13-16

L1-L2


OL-13453-01


Internet Edge Design

Figure 4-19 shows the Internet edge network design.

Figure 4-19 Internet Edge Network Design

Components Selected

• Cisco 7200 Series Router


– Cisco ACE 20

– Cisco IDSM-2

• Cisco Catalyst 3750X Switch

• Cisco MDS 9204i Switch

• Cisco IronPort C670

192.168.21.95

M,D1-D3G1/13-16

M,D1-D3G1/21-24

P1, P2, T1, T2G1/17-20

IronPortM670, S60,

C670

ESA-IE-2M:192.168.23.69/28VLAN 2305

WSA-IE-1M:192.168.23.101/28VLAN 2307

ESMA-IE-1M:192.168.23.85/28VLAN 2306

ESA-IE-2M:192.168.23.68/28

VLAN 2305

WSA-IE-1M:192.168.23.100/28

VLAN 2307

ESMA-IE-1M:192.168.23.84/28

VLAN 2306

www

M

MG1/13-16

M,D1-D3 G1/13-16

M,D1-D3 G1/21-24

P1, P2, T1, T2 G1/17-20

RIE-1

RIE-3

SIE-1 SIE-2

ASA-IE-1 ASA-IE-2

RIE-4

RIE-2

Internet Cloud

192.168.22.11/24

192.168.21.1/24 192.168.21.2/24

192.168.11.61/24 192.168.11.62/24

192.168.22.12/24

IronPortM670, S60,

C670HSRP

192.168.22.10/24

2904

24

To Campus/Data CenterSWAN-3

To Campus/Data CenterSWAN-3

G0/3 G0/3

G1/5

G5/1G5/2

G5/1G5/2

G1/47 G1/48

Fa 1/0/1

G1/5

HSRP192.168.22.1/24

HSRP192.168.21.1/24

Failovercable

HSRP192.168.11.60/24

www

M

M G1/13-16

Fa 1/0/2 Fa 1/0/1 Fa 1/0/2

MDS-IE-1 MDS-IE-2G1/3

G1/1 G1/2 G1/1 G1/2

G1/3

FWSM HSRP192.168.21.10/24

192.168.21.10/24 192.168.21.12/24

G0/1 G0/2

G1/1 G1/2

G1/0 G1/0

G1/1 G1/1

G0/12 G0/12

IDSM2

SIE-1/2

ACEACE

MSFC

RIE-3 RIE-4

192.168.22.2/24

192.168.21.97Mgmt

192.168.21.98Mgmt

192.168.21.94Mgmt

192.168.21.93Mgmt

192.168.21.10/24

192.168.21.91/24

FWSM (outside)VLAN 22

FWSM (inside)VLAN 21

192.168.22.1

192.168.21.10

IDSM2

MSFC

192.168.22.3/24

192.168.20.5/29192.168.20.4/29

192.168.20.29/29

192.168.21.96

192.168.21.12/24

192.168.21.92/24

FWSM (outside)VLAN 22

VLAN 82VLAN 82

VLAN 84VLAN 84

VLAN 83 VLAN 83

FWSM (inside)VLAN 21

FWSM (DMZ)192.168.20.26/29

192.168.20.28/29

FWSM (DMZ)192.168.20.25/29

VLAN 85 = AH

VLAN 91 = FailoverVLAN 92 = State


OL-13453-01

Scope Administration Scope Administration

Scope Administration The scope administration layer of the solution framework addresses the components such as authentication, encryption, management, and monitoring, as shown in Figure 4-20.

Figure 4-20 Scope Administration Layer of the Solution Framework

Authentication

Components Selected

• Cisco Secure Access Control Server (ACS)

• Cisco Identity Services Engine (ISE)

• RSA Authentication Manager

• Windows Active Directory

Encryption

Components Selected

• Cisco Security Manager

• Cisco Key Manager

• RSA Data Protection Manager

2914

42





Infrastructure



Services

ScopeAdministration



OL-13453-01

Chapter 4 Solution Implementation Endpoints and Applications

Management

Components Selected

• EMC Ionix Network Configuration Manager (NCM)

• Cisco Security Manager

• Cisco Wireless Control Server Manager

• EMC Unified Infrastructure Manager

• VMware vSphere vCenter

• Cisco Video Surveillance Manager

• Cisco Physical Access Manager

• RSA Archer

Monitoring

Components Selected

• RSA enVision

• HyTrust

• EMC Ionix Network Configuration Manager (NCM)

Endpoints and ApplicationsThe endpoints and applications layer of the solution framework addresses the components such as voice, e-mail, and physical security, as shown in Figure 4-21.

Figure 4-21 Endpoints and Applications Layer of the PCI Solution Framework

2914

43





Infrastructure



Services

ScopeAdministration



OL-13453-01

Endpoints and Applications Endpoints and Applications

Voice

Components Selected

• Cisco Unified Communications Manager

• Cisco IP Phones (9971, 7975)

• Cisco Survivable Remote Site Telephony (SRST)

E-mail

Components Selected

• Cisco IronPort Email Security Appliance with Data Loss Prevention

• Microsoft Exchange Server 2008

Physical

Components Selected


• Cisco Video Surveillance Cameras (2421, 2500, 4500)

Note For a complete Bill of Materials, see Appendix A, “Bill Of Material.” For assessment of components selected for PCI compliance, see Chapter 5, “Component Assessment.” For complete running configurations of components, see Appendix E, “Detailed Full Running Configurations.”


OL-13453-01

Solution Implementation - Cisco › c › en › us › td › docs › solutions › Verticals ›...

Documents

Transcript of Solution Implementation - Cisco › c › en › us › td › docs › solutions › Verticals ›...