Cisco Enterprise Architecture Model (1.2.2.1)

To accommodate the need for modularity in network design, Cisco developed the Cisco Enterprise Architecture model. The model divides the network into functional areas: the Enterprise Campus, the Enterprise Edge, the Service Provider (SP) Edge, and the remote modules. Design a LAN network based on customer requirements.

Web 2.0, collaborative applications, mash-ups, and the like all reflect a set of business and technology changes that are changing the requirements of our networking systems. Evolutionary changes are occurring within the campus architecture.

While care is taken to ensure that none of these failures occur, having the capability to run extensive diagnostics to detect any failed components prior to a production cutover can avoid production problems later. Failures will still occur, however, and having the capabilities in place to detect and react to them, and to provide enough information for a post-mortem analysis of problems, is a necessary aspect of sound operational processes. The time to restore service (data flows) in the network is determined by the time it takes for the failed device to be replaced or for the network to recover the flows via a redundant path.

Without a core layer the distribution switches must be fully meshed: a third distribution module to support a third building would require eight additional links to connect to all the existing distribution switches, for a total of 12 links. Some readers might opt to skip this section because of its lack of technical content; however, it is an important section for CCNP SWITCH and for practical deployments. Most campus environments gain the greatest advantages from a virtual switch in the distribution layer. The principles behind the use of scavenger classification are fairly simple.

Figure 25 Campus QoS Classification, Marking, Queuing and Policing.
The convergence of the voice, video, and data networks (as an example) has enabled the development of Unified Communications systems that allow businesses to leverage the various inter-personal communication tools more efficiently. While all of the earlier definitions or concepts of what a campus network is are still valid, they no longer completely describe the set of capabilities and services that comprise the campus network today.

In a campus design we may have multiple buildings, and we have to deal with Layer-3 and Layer-2 switching in the access and distribution layers to build the switching topology. Each of the components or modules can be designed with some independence from the overall design, and all modules can be operated as semi-independent elements, providing for overall higher system availability as well as for simpler management and operations. For details on the design of the virtual switching distribution block, see the upcoming virtual switch distribution block design on http://www.cisco.com/go/srnd.

Second, the infrastructure must provide information about the state of the network in order to aid in the detection of an ongoing attack. Distributed and dynamic application environments are bypassing traditional security chokepoints.

Currently there are still differences in the properties and capabilities of the wired and wireless access technologies that need to be analyzed when deciding which devices should use wired access, which should use wireless, and which need the ability to move back and forth based on changing requirements. Wireless systems that may initially have been deployed as isolated or special-case solutions are now being more tightly integrated into the overall campus architecture, in many cases to provide operational cost savings.
Another trend to be aware of is that the network discovery and configuration capabilities of CDP are being complemented by the IEEE LLDP and LLDP-MED protocols. One approach being used to address the growing need for more dynamic and flexible network access is the introduction of 802.11 wireless capabilities into the campus.

Once a scavenger class has been defined, it provides a valuable tool for dealing with any undesired or unusual traffic in the network. When considering requirements for optimizing and protecting applications and traffic flows in the campus, it is essential to understand what QoS tools are available and how to use them.

Where two or more nodes existed with multiple independent links connecting the topology, a virtual switch can replace portions of the network with a single logical node with fewer links. This design leverages the NSF/SSO capabilities of the switch and provides for less than 200 msec of traffic loss during a full Cisco IOS upgrade. Table 2 provides an overview comparison of the three distribution block design options.

Designing a campus network is no different from designing any large, complex system, such as a piece of software or even something as sophisticated as the space shuttle. The ability to make changes, upgrade software, and replace or upgrade hardware in a production network is possible because of the implementation of network and device redundancy. Because there is no upper bound to the size of a large campus, the design might incorporate many scaling technologies throughout the enterprise.

Enterprise Campus 3.0 Architecture: Overview and Framework. Contents: Enterprise Campus Architecture and Design Introduction; Campus Architecture and Design Principles; Mapping the Control and Data Plane to the Physical Hierarchy; Tools and Approaches for Campus High Availability; Converged Wired and Wireless Campus Design; Application Optimization and Protection Services; Perimeter Access Control and Edge Security.
The data center design, as part of the enterprise network, is based on a layered approach to improve scalability, performance, flexibility, resiliency, and maintenance. The access layer network infrastructure can support both Layer 2 and Layer 3 topologies, and the Layer 2 adjacency requirements that fulfil the various server broadcast-domain or administrative requirements.

Spanning tree should remain configured as a backup resiliency mechanism. Changes in the design or capacity of the distribution layer can be implemented in a phased or incremental manner. The ability to have one device, a switch, replace multiple hubs and bridges while providing distinct forwarding planes for each group of users was a major change to the campus design. One area where this is most apparent is at the access layer.

One of the primary objectives of the overall campus design is to minimize the impact of any fault on the network applications and services. The order or manner in which all of these things are tied together to form a cohesive whole is determined by a baseline set of design principles which, when applied correctly, provide a solid foundation and a framework in which the upper-layer services can be deployed efficiently. When we know that the alternative path for any traffic flow will follow the same hierarchical pattern as the original path, we can avoid certain design decisions, such as having to ensure that the access layer can support extra traffic loads.

Figure 20 Common Causes of Network Downtime.

The same set of tools that provides monitoring and telemetry as a part of the security architecture can also provide application monitoring. Having a centralized record of network events (via SNMP and syslog data) provides the first level, or network topology view, of post-mortem diagnostic information. The scavenger class is especially valuable when the unwanted traffic is the result of DoS or worm attacks.
Per-device segmentation: yes, per-port ACLs and PVLAN isolation capabilities allow for segmentation of traffic down to the device level. See Figure 28.

This section describes the Cisco Lifecycle approach and its impact on network implementation. The Cisco Enterprise Architecture is a modular approach to network design. These areas enable network designers and engineers to associate specific network functionality with equipment based upon its placement and function in the model.

Core devices are most reliable when they can accommodate failures by rerouting traffic and can respond quickly to changes in the network topology. If necessary, a separate core layer can use different transport technology, routing protocols, or switching hardware than the rest of the campus, providing for more flexible design options when needed. There might be multiple services blocks depending on the scale of the network, the level of geographic redundancy required, and other operational and physical factors.

In addition to changing the MTBF calculations, redundancy and how it is used in a design also affect the MTTR for the network. The use of physical redundancy is a critical part of ensuring the availability of the overall network.

The use of per-VLAN and per-port traffic policers is one mechanism used to selectively trust traffic in certain port ranges and at certain data rates. As an additional step, each device should be configured to minimize the possibility of any attacker gaining access to or compromising the switch itself:

•Reduce the probability of a flooding event through the reduction in the scope of the Layer-2 topology and the use of the spanning tree toolkit features to harden the spanning tree design.

Note An upcoming campus design chapter will document the detailed best practices for implementing campus infrastructure security and hardening as outlined above.
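The access-edge hardening that the bullet above and Table 1 (CISF: port security, DHCP snooping, DAI, IPSG; spanning tree toolkit) refer to, as an added configuration example that is not part of the original page. It assumes a Catalyst 3750-class access switch running IOS, data VLAN 10, voice VLAN 110 and uplinks on Gi1/1/1-2; the VLAN IDs, interface numbers, MAC limits and rates are placeholders chosen for this example.

```cisco
! Access-edge hardening (added example; interfaces, VLANs and limits are
! placeholders). DHCP snooping builds the binding table that Dynamic ARP
! Inspection and IP Source Guard enforce against.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! Spanning-tree toolkit: Rapid-PVST, PortFast + BPDU Guard on every edge
! port by default, and automatic err-disable recovery so a tripped port
! does not wait for an operator.
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 48
 description user edge port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: PC + phone + one spare; 'restrict' keeps the port up
 ! and counts/traps the violation instead of err-disabling it.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! IP Source Guard: only packets from the snooped (DHCP-assigned) IP pass.
 ip verify source
 ! DAI punts ARP to the CPU, so rate-limit it per port (packets/second).
 ip arp inspection limit rate 15
 ! Broadcast storm control as a Layer-2 flooding backstop.
 storm-control broadcast level 1.00
 storm-control action trap
!
interface range GigabitEthernet1/1/1 - 2
 description uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 ! Uplinks are trusted: legitimate DHCP offers and ARP replies arrive here.
 ip dhcp snooping trust
 ip arp inspection trust
 ! No PortFast/BPDU Guard on uplinks (BPDUs are expected); Loop Guard
 ! protects against a unidirectional fiber fault opening an STP loop.
 no spanning-tree portfast
 spanning-tree guard loop
```

Verify the bindings with `show ip dhcp snooping binding` and `show ip verify source`; a host with a static address that is not in the binding table will be silently blocked by IP Source Guard, which is the expected (and often surprising) behaviour.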
Note For more details on the use of Scavenger QoS and the overall campus QoS design, see the campus QoS design chapter of the Enterprise QoS Solution Reference Network Design Guide Version 3.3, which can be found on the CCO SRND site, http://www.cisco.com/go/srnd.

Describe Layer 2 design considerations for Enterprise Campus networks. In order to achieve the desired level of fault and change isolation, the logical control plane design and the data flow design must also follow hierarchical design principles. A default gateway protocol, such as HSRP or GLBP, is run on the distribution layer switches along with a routing protocol to provide upstream routing to the core of the campus. The core campus is the backbone that glues together all the elements of the campus architecture.

The ability of the phones to negotiate power requirements (PoE) as well as edge port QoS, topology, and security parameters provided for a fairly sophisticated plug-and-play capability. Additional per-port, per-VLAN features such as policers provide granular traffic marking and traffic control, and protection against misbehaving clients. It is still recommended that, in campus environments leveraging the CSA and Vista marking capabilities, the network itself be designed to provide the appropriate traffic identification and policing controls.

The combination of all three elements (physical redundancy to address Layer-1 physical failures, supervisor redundancy to provide a non-stop forwarding (data) plane, and the hardening of the control plane through the combination of good design and hardware CPU protection capabilities) is the key to ensuring the availability of the switches themselves and optimal uptime for the campus as a whole.

Security services are an integral part of any network design. As shown … Perhaps the largest security challenge facing the enterprise today is one of scale.

Enterprise campus: modularity.
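A worked scavenger-class policer at the access edge, tying together the per-port policers, the conditional trust boundary for IP phones, and the CS1 mark-down described above. This is an added example, not configuration from the original page or from the Enterprise QoS SRND; it assumes a Catalyst 3750-class switch with MLS QoS, a voice VLAN subnet of 10.1.110.0/24 and a data VLAN subnet of 10.1.10.0/24, and the policer rates and ACL names are placeholders.

```cisco
! Scavenger-class policing at the access edge (added example; subnets,
! rates and names are placeholders).
mls qos
! Out-of-profile best-effort traffic (DSCP 0) is remarked to CS1 (DSCP 8),
! the scavenger class, rather than dropped. Distribution and core then
! service CS1 from a less-than-best-effort queue, so the flow is starved
! only when there is real congestion.
mls qos map policed-dscp 0 to 8
!
ip access-list extended VVLAN-VOICE
 remark RTP bearer traffic sourced from the voice VLAN
 permit udp 10.1.110.0 0.0.0.255 any range 16384 32767
ip access-list extended VVLAN-SIGNALING
 remark SCCP and SIP call signaling from the voice VLAN
 permit tcp 10.1.110.0 0.0.0.255 any range 2000 2002
 permit tcp 10.1.110.0 0.0.0.255 any eq 5060
ip access-list extended DVLAN-ANY
 remark everything from the PC (data VLAN) is untrusted
 permit ip 10.1.10.0 0.0.0.255 any
!
class-map match-all VVLAN-VOICE
 match access-group name VVLAN-VOICE
class-map match-all VVLAN-SIGNALING
 match access-group name VVLAN-SIGNALING
class-map match-all DVLAN-ANY
 match access-group name DVLAN-ANY
!
policy-map ACCESS-EDGE
 ! A single G.711 call needs well under 128 kb/s; a host in the voice
 ! VLAN sending more than that is not a phone, so excess is dropped.
 class VVLAN-VOICE
  set dscp ef
  police 128000 8000 exceed-action drop
 class VVLAN-SIGNALING
  set dscp cs3
  police 32000 8000 exceed-action drop
 ! PC traffic: reset any marking the host set, keep up to 5 Mb/s as
 ! best effort, remark the remainder to scavenger (policed-dscp map).
 class DVLAN-ANY
  set dscp default
  police 5000000 8000 exceed-action policed-dscp-transmit
!
interface range GigabitEthernet1/0/1 - 48
 switchport access vlan 10
 switchport voice vlan 110
 ! Conditional trust: CoS from the port is trusted only while CDP
 ! detects a Cisco IP phone; otherwise the port is untrusted.
 mls qos trust device cisco-phone
 mls qos trust cos
 service-policy input ACCESS-EDGE
```

Check the policer counters with `show mls qos interface GigabitEthernet1/0/1 statistics`; a worm-infected or P2P-heavy host shows up as a steadily climbing out-of-profile count on its port long before anyone notices a slow application.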
When will your conversation be disrupted? In a network with redundant switches, or switches in parallel, the network will only break if both of the redundant switches fail. Figure 17 Impact of network redundancy on overall campus reliability.

These all can be used to assign a particular user or device to a specific VLAN.

The Virtual Switching System (VSS) distribution block design is a radical change from either the routed access or the multi-tier design. Properly designing the distribution block goes a long way to ensuring the success and stability of the overall architecture. Figure 11 illustrates an extreme case in which an end-to-end Layer-2 topology is migrated from a fully redundant spanning tree-based topology to an end-to-end virtual switch-based network. Figure 5 Traffic Recovery in a Hierarchical Design.

There are a number of key areas where it is highly probable that networks will evolve over the next few years, and existing designs should be adapted to incorporate the appropriate degree of flexibility to accommodate these potential changes. A full discussion of network management and a comprehensive examination of each of these areas is outside the scope of this document; however, understanding the principles of campus design and switch capabilities within the overall management framework is essential.

Protecting the control plane involves both hardening the system CPU against overload conditions and securing the control plane protocols. Figure 27 Virtual Routing and Forwarding (VRF).
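The arithmetic behind Figure 16 (switches in series), Figure 17 (switches in parallel) and the DPM metric, worked through as an added example that is not part of the original page. The formulas are the standard constant-failure-rate reliability results; the MTBF, MTTR and outage figures below are assumed for illustration only.

For one switch with mean time between failures $\mathrm{MTBF}$ and mean time to repair $\mathrm{MTTR}$, availability is

$$A = \frac{\mathrm{MTBF}}{\mathrm{MTBF} + \mathrm{MTTR}}.$$

Two switches in series (a flow must traverse both) fail when either fails, so the failure rates add:

$$\frac{1}{\mathrm{MTBF}_{\mathrm{serial}}} = \frac{1}{\mathrm{MTBF}_1} + \frac{1}{\mathrm{MTBF}_2}, \qquad A_{\mathrm{serial}} = A_1 A_2 .$$

Two switches in parallel (either can carry the flow) fail only when both are down at once, so the unavailabilities multiply:

$$A_{\mathrm{parallel}} = 1 - (1 - A_1)(1 - A_2).$$

Assume $\mathrm{MTBF}_1 = \mathrm{MTBF}_2 = 40{,}000\ \mathrm{h}$ and $\mathrm{MTTR} = 4\ \mathrm{h}$. Then $A_1 = 40000/40004 \approx 0.9999$ (four nines). In series, $\mathrm{MTBF}_{\mathrm{serial}} = 20{,}000\ \mathrm{h}$ and $A_{\mathrm{serial}} \approx 0.9998$, roughly 105 minutes of outage per year. In parallel, $A_{\mathrm{parallel}} \approx 1 - (10^{-4})^2 = 0.99999999$, about three seconds per year, which is why the distribution layer is always deployed as a redundant pair. The parallel result assumes the two failures are independent; a shared power feed or a single fiber tray violates that assumption and the real figure sits between the two.

DPM measures the same thing from the user's side. Over a period of $T$ minutes with $t_{\mathrm{out}}$ minutes of user-visible outage,

$$\mathrm{DPM} = \frac{t_{\mathrm{out}}}{T} \times 10^{6}, \qquad A = 1 - \frac{\mathrm{DPM}}{10^{6}}.$$

For example, 26 minutes of outage in a year ($T = 525{,}600$ min) gives $\mathrm{DPM} \approx 49.5$, i.e. $A \approx 0.99995$; "four nines" corresponds to $\mathrm{DPM} = 100$, or about 52.6 minutes per year.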
The introduction of capabilities in the Cisco Security Agent (CSA) and in Microsoft Vista to provide centralized control of the QoS classification and marking of application traffic flows is another approach that should allow for a more granular QoS trust policy. Defining the trust boundary as close to the edge of the network as possible means that all of the application flows, even person-to-person voice calls between colleagues in the same area, are protected.

SD-Access is Cisco's next-generation enterprise architecture and a turn-key solution that provides end-to-end network segmentation, automated user access policy, and a single fabric domain across campus and branches connected locally or distributed geographically over private or public WAN.

Ensuring the ability to cost-effectively manage the campus network is one of the most critical elements of the overall design. And how fast can we fix it if it breaks? DPM takes into consideration the measurement of the availability of the network from the user (or application) perspective and is a valuable tool for determining whether or not the network SLA is being met.

Enterprise Campus: the enterprise campus is the portion of the infrastructure that provides network access to end users and devices located at the same geographical location. Layer 2 in the access layer is more prevalent in the data center because some applications require low-latency Layer 2 domains. Figure 1-19 illustrates a sample data center topology at a high level.

•Leverage the hardware CPU protection mechanisms and Control Plane Policing (CoPP) features of the Catalyst switches to limit and prioritize traffic forwarded to each switch CPU.

The coordinated use of multiple features, and the use of features to serve multiple purposes, are aspects of resilient design.

Table 1 Examples of Types of Service and Capabilities (excerpt): IBNS (802.1X); Catalyst Integrated Security Features (CISF): port security, DHCP snooping, DAI, IPSG.
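Worked CoPP policy for the bullet above, added here as an example and not taken from the original page or a Cisco reference configuration. It assumes a Catalyst 6500 (Sup720/PFC3) or an IOS router where the `control-plane` service policy is enforced in hardware; the management subnet 10.1.250.0/24, the protocol list and every rate are placeholders to be tuned from `show policy-map control-plane` counters before any class is set to drop.

```cisco
! Control Plane Policing (added example; subnets, protocols and rates are
! placeholders). Classes are evaluated top-down; first match wins.
ip access-list extended COPP-ROUTING
 remark routing, multicast and FHRP control packets: never drop
 permit eigrp any any
 permit ospf any any
 permit pim any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
 permit udp any any eq 1985
 permit udp any any eq 3222
ip access-list extended COPP-MANAGEMENT
 remark SSH/SNMP only from the management subnet, NTP from servers
 permit tcp 10.1.250.0 0.0.0.255 any eq 22
 permit udp 10.1.250.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any
ip access-list extended COPP-UNDESIRABLE
 remark known worm/scan ports that should never reach the CPU
 permit udp any any eq 1434
 permit tcp any any eq 135
 permit tcp any any eq 445
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
policy-map COPP
 ! Routing/FHRP: exceed-action transmit means the policer only counts;
 ! a dropped hello is a topology change, which is worse than CPU load.
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 256000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 32000 conform-action drop exceed-action drop
 ! Everything else punted to the CPU (ARP glean, TTL-expired, unknown
 ! protocols) shares one small bucket so a flood cannot starve the rest.
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Deploy with every class on `transmit` first and watch `show policy-map control-plane input` for a full business cycle; the conform/exceed counters tell you the real control-plane rate per class, which is the only defensible basis for the drop thresholds.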
The detailed design guidance for the routed access distribution block design can be found in the campus section of the CCO SRND site, http://www.cisco.com/go/srnd.

The trust boundary defines the part of the network in which application flows are protected and the portions in which they are not. Just as a firewall or external security router provides security and policy control at the external perimeter of the enterprise network, the campus access layer functions as an internal network perimeter. See Figure 24. It is the place where end devices (PCs, printers, cameras, and the like) attach to the wired portion of the campus network.

•Continuing evolution of security threats.

Traditionally, switching designs, campus or data center, all appeared fundamentally similar. These early programs were highly optimized and very efficient. Leveraging common authentication backend systems, desktop clients, common security services, and the like, along with common support processes, can result in a more efficient and effective operational environment.

DPM measures the impact of defects on the service from the end-user perspective. The third consideration is a measure of business disruption: how disruptive to the business any failure will be. The ability to predict the location of congestion points becomes more difficult as data flow patterns migrate while dynamic peer-to-peer sessions come and go from the network. Applications masquerading as web traffic, and multiple applications with different service requirements all using the same HTTP ports, are both examples of port overloading.

Network and device level redundancy, along with the necessary software control mechanisms, guarantee controlled and fast recovery of all data flows following any network failure, while concurrently providing the ability to proactively manage the non-stop infrastructure.
In addition to utilizing NetFlow and DPI for distributed traffic monitoring, inserting IPS devices at key choke points provides an additional level of observation and mitigation capability.

If redundancy is required, you can attach redundant multilayer switches to the building access switches to provide full link redundancy. What must a campus network do in order to meet enterprise business and technical requirements? Prior to making a final design decision, review the detailed design descriptions provided by Cisco to ensure that all of the factors pertinent to your environment are considered. This principle promotes end-to-end Differentiated Services/Per-Hop Behaviors. For any enterprise business involved in the design and/or operation of a campus network, we recommend the adoption of an integrated approach based on solid systems design principles. More detailed discussions of each subject will be available in the specific campus design chapters.

The third metric to be considered in the campus design is the maximum outage that any application or data stream will experience during a network failure. If you are trying to break a network, follow a similar approach. They all started as simple, highly optimized connections between a small number of PCs, printers, and servers.

Table 2 Comparison of Distribution Block Design Models (the fragments of the table that survived extraction):
- Access-Distribution Control Plane Protocols: Spanning Tree (PVST+, Rapid-PVST+ or MST); STP required for network redundancy and to prevent Layer-2 loops; Spanning Tree and FHRP (HSRP, GLBP, VRRP)
- VLANs spanning access switches: supported (requires Layer-2 spanning tree loops)
- Access to Distribution Per-Flow Load Balancing: dependent on STP topology and FHRP tuning
- Configuration management: the dual distribution switch design requires manual configuration synchronization but allows for independent code upgrades and changes; the single virtual switch auto-syncs the configuration between redundant hardware but does not currently allow independent code upgrades for individual member switches.
The building access layer aggregates end users and provides uplinks to the distribution layer. Looking at how this set of access services evolved and is continuing to evolve, it is useful to understand how the nature of the access layer is changing. Simple add and move changes in one area had to be carefully planned or they might affect other parts of the network. Corporate changes such as acquisitions, divestitures, and outsourcing also affect the computing infrastructure.

In review, the core layer provides the following functions to the campus and enterprise network. Without a core layer, the distribution layer switches need to be fully meshed.

While VLANs provide some flexibility in dynamically segmenting groups of devices, VLANs do have some limitations. By simplifying the network topology to use a single virtual distribution switch, many other aspects of the network design are either greatly simplified or, in some cases, no longer necessary. An alternative configuration to the traditional multi-tier distribution block model is one in which the access switch acts as a full Layer-3 routing node (providing both Layer-2 and Layer-3 switching) and the access-to-distribution Layer-2 uplink trunks are replaced with Layer-3 point-to-point routed links.

How long will someone listen to the phone if they do not hear anything? The multi-gigabit speeds of modern switching networks can overwhelm the capacity of any CPU. Client authentication protocols are integrated into WLAN standards and incorporated into the existing end-station clients.

As illustrated in Figure 13, there are a number of approaches to providing resiliency, including hardening the individual components, switches, and links in the network; adding throttle or rate-limiting capabilities to software and hardware functions; providing explicit controls on the behavior of edge devices; and the use of instrumentation and management tools to provide feedback to the network operations teams.
Introduce a volume of traffic, a number of traffic flows, or another anomalous condition to find the vulnerabilities. If the switch is unable to process routing, spanning tree, or any other control packets, the network is vulnerable and its availability is potentially compromised. Studies indicate that the most common failures in campus networks are associated with Layer-1 failures, from components such as power, fans, and fiber links. The redundancy and resiliency built into the design are intended to prevent failures (faults) from impacting the availability of the campus.

The modules of the system are the building blocks that are assembled into the larger campus. The result is that network designs must allow for an increasing degree of adaptability or flexibility. The best practices listed in this chapter, such as following the hierarchical model, deploying Layer 3 switches, and utilizing the Catalyst 6500 and Nexus 7000 switches in the design, only scratch the surface of the features required to support such a scale.

By integrating security functions at all levels of the network, it becomes easier to provide redundant security monitoring and enforcement mechanisms. One approach to this problem of scale is to distribute the security services into the switching fabric itself. Enterprises do require the ability to observe the impact of the network on application traffic and end-system performance. The following mechanisms can be used to provide the telemetry data required to detect and observe any anomalous or malicious activity:

•NetFlow—Provides the ability to track each data flow that appears in the network.

Loss of sound for periods of up to one second is recovered in a normal speech pattern relatively easily, but beyond that it becomes disruptive to conversation and results in lost or failed communication.

The next section discusses a lifecycle approach to network design.
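A telemetry baseline that turns the NetFlow bullet above, and the centralized SNMP/syslog event record mentioned earlier, into configuration. This is an added example, not from the original page; it assumes a Catalyst 6500 distribution switch with a PFC/DFC (flow creation in hardware), and the collector, syslog and SNMP addresses, the SNMP community and the VLAN are placeholders.

```cisco
! Telemetry baseline (added example; addresses, community and VLAN are
! placeholders). NetFlow: flows are created in the PFC/DFC and exported
! as v9 records to the collector that anomaly-detection tooling reads.
mls netflow
mls flow ip interface-full
mls nde sender
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.1.250.50 2055
! Export long-lived flows every minute so a worm scan or DoS flood is
! visible at the collector within a minute, not at flow end.
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
interface Vlan10
 description user data VLAN
 ip flow ingress
!
! Syslog: millisecond timestamps and a fixed source interface so events
! from the redundant distribution switches line up on the collector.
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging source-interface Loopback0
logging host 10.1.250.51
logging trap informational
!
! SNMP: read-only, reachable only from the management subnet, with traps
! for the Layer-1 failures (links, power, fans) and STP events that are
! the most common causes of campus downtime.
access-list 10 remark management stations allowed to poll
access-list 10 permit 10.1.250.0 0.0.0.255
snmp-server community S3cr3tR0-CHANGEME ro 10
snmp-server trap-source Loopback0
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps envmon
snmp-server enable traps stpx
snmp-server host 10.1.250.52 version 2c S3cr3tR0-CHANGEME
```

`show mls netflow ip count` and `show ip flow export` confirm flows are being created and exported; if the flow count sits at the platform's table limit, aggressive active timeouts or sampling are needed before the data can be trusted for detection.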
Most servers in the data center consist of single- and dual-attached one rack unit (RU) servers, blade servers with integrated switches, blade servers with pass-through cabling, clustered servers, and mainframes, with a mix of oversubscription requirements. The campus network might also find itself having to support a full 802.11e wireless implementation, and it must be able to adapt to such changes.

Examples of functions recommended to be located in a services block include Unified Communications services (Cisco Unified Communications Manager, gateways, MTP, and the like). What follows is not a design for an entire campus network, but rather a best-practice approach.

Continuing the full-mesh example, a fourth distribution module supporting a fourth building would require 12 new links, for a total of 24 links. The principles behind the use of scavenger classification are fairly simple; once defined, the class provides a valuable tool for dealing with undesired traffic, especially when that traffic is the result of DoS or worm attacks.

Campus security can be broken down into three basic parts: infrastructure security; perimeter and endpoint security; and protection against radio interference for the wireless portion. DHCP was the first of the dynamic access-provisioning capabilities in the campus: it eased moves, adds, and changes. The design should define unique VLANs for each access switch, providing a scalable approach; VLANs that span multiple access switches in an end-to-end Layer-2 topology bring additional design considerations. Availability is one of the central objectives for any campus network, and the outage experienced by specific VLANs and by multicast data flows depends on the network recovery mechanisms in place. The same criteria can be used to evaluate the tradeoffs between wired and wireless access, and between virtual and physical networks.
Consistent client authentication policies are among the key features required, and the key design considerations, for an enterprise network architecture. Many end devices have not been designed or deployed with network authentication in mind, so an interim approach that allows such devices onto the network for an extended period of time is often required, even though it can increase overall costs. Client authentication should be distributed across all layers of protection, and wireless access additionally needs protection against radio interference.

The key modules, or building blocks, that are necessary to deploy a highly available campus are described in the sections that follow; these are not the only ones possible. Breaking the design into modularized components, each focused on a specific function, enables the network designer to choose the right systems and features for each. One of the purposes of the access-layer services is to ease the movement of devices and to reduce the costs associated with moving them.

Physical design challenges are important for the multi-tier distribution block, and they grow as the number of VLANs that span multiple access switches increases. The failure of a member switch in the context of a virtual switch is similar to the failure of supervisor hardware or software in a single chassis; the design leverages the NSF/SSO capabilities of the switch and provides for less than 200 msec of traffic loss. The change from either the multi-tier or the routed access design to the virtual switch design goes a long way to ensuring the stability of the architecture.

Always perform QoS functions in hardware rather than in software when a choice exists. When a separate physical core is used, it should keep the routing complexity between physical segments (controlled routing decision making and filtering) to a small number of well-understood functions. Compromised endpoints can also serve as a base for attacks against the internal network, which is why the telemetry and policy trust boundary must be defined explicitly.
Resiliency is the ability of the network to resist failure under unusual or abnormal conditions. A redundant component means the overall network can protect certain application traffic flows and continue to provide traffic control and services to end users and devices while the component is replaced. Application environments are continuing to move toward requiring true 7x24x365 availability, and faster recovery is becoming a requirement for larger campuses. Testing new hardware before production cutovers, together with online diagnostics that aid in troubleshooting suspected hardware problems, provides the capability to run checks before a failure is user-visible; Embedded Event Manager gives the operator the option to configure specific responses to failure events.

The design is motivated by the rules of Layer-2 and Layer-3 summarization, and later chapters discuss many of the roles in the core routing design. In a virtual switch, configuration is done only once and is synchronized across the redundant hardware, while the physical distribution segments remain separate. A large campus might incorporate many scaling technologies throughout the network, and switches such as the Cisco Catalyst 3560E can optionally provide routing services closer to the edge.

The network must be protected from intentional or accidental attack, ensuring the availability of the attached devices. The need for partner and guest access is increasing as business partnerships change quickly and geographical challenges grow. Access-port features such as BPDU Guard are examples of the types of service and capabilities that protect the switched infrastructure. Two further trends are the migration toward fewer, centralized data repositories and the movement of the campus security services from a physical to a virtual model. Links that are blocked by the spanning tree or routing protocol add no capacity or scaling to the campus network.
Some capabilities might be optional for smaller campuses but become requirements for larger ones, such as anywhere, anytime access to the network for users and devices. Mechanisms such as Enhanced Object Tracking (EOT) provide the option for a user to configure specific responses to failure events. DHCP was the first of the dynamic access-provisioning capabilities in the network; 802.1X and the wireless access architecture are just the latest phase of dynamic access provisioning. Historically, security has been an add-on technology to a previously existing, mature environment rather than a new requirement of the design.

As requirements increase, uptime expectations increase as well. The network must remain up for long periods of time, and the control plane must be protected whether it is attacked intentionally or unintentionally. In the routed-access design the default gateway is on the access switch; in the multi-tier design HSRP or GLBP presents one logical default gateway. Hardening the campus switches starts with the Cisco-recommended security best practices for implementing infrastructure security, together with the various security telemetry and policy trust boundary features. A fourth module supporting a fourth building would require 12 new links, for a total of 24 links between the distribution switches, which is why a core layer is introduced. The principles behind the use of scavenger classification are fairly simple.

In a small campus the layers can collapse into a single device, but the functions remain. A large campus is a network of more than 2000 end users and devices. A virtual switch simplifies the network design; the virtual switch design allows for a single logical node for a given campus distribution block and itself leverages the NSF/SSO capabilities of the supervisors. The distribution block design had to be able to extend subnets from the access switches, and the core must provide high availability under both normal and abnormal conditions. These three resiliency requirements, and the modular approach to meeting them, are each available in the campus, with each providing both end-user services and protection.
Other attacks against the internal network must be considered as well. DoS protection is accomplished using the shared switched infrastructure to minimize the impact on network convergence, and the design must include the client itself. Figure 4: initial testing indicates comparable convergence between the virtual switch and routed access designs. The core layer is a high-speed, Layer-3 switching environment utilizing hardware-accelerated services, increasingly in terms of 10 Gigabit Ethernet; see Figure 1-15, Core Layer Required, and Figure 16, MTBF Calculation with Serial Switches.

Hardware and software changes are carefully planned: the core is upgraded first, then the distribution switches, and subsequently the access layer switches. The access-to-distribution uplinks evolved from Layer-2 trunks to the routed links described for the routed access design. The campus architecture must be built using a set of policies and controlled access, following the same engineering approach used by software engineers. Applications masquerading as web traffic on the same HTTP ports are an example of port overloading. As outlined in this publication, it becomes easier to provide an intelligent QoS trust boundary when the access layer is hardened. The network does not provide re-transmission capabilities for voice, nor should it; the switched infrastructure provides the first mechanism for dynamic device provisioning.

The design of campus networks should strictly follow the Cisco-recommended best practices for security, QoS, load balancing, and virtual server systems. An example of virtualization is VRF-Lite using VRFs combined with 802.1Q trunks, as described in the white paper at http://www.cisco.com/en/US/partner/products/ps7081/products_white_paper0900aecd801e659f.shtml. Fully featured, secure mobility services round out the set of network services offered to end users.
Campus networks, whether small and medium-sized or large, have followed the same design evolution, and campus security, QoS, and the associated services have evolved with them. The design is based on two complementary principles, hierarchy and modularity, with components assembled in a hierarchical and structured manner. Figure 27 Virtual Routing and Forwarding (VRF): multiple routing and forwarding instances inside one physical switch. VRF-Lite using VRFs combined with 802.1Q trunks, as described in the virtualization section, can be used to extend subnets from the data center or WAN while keeping a small number of onsite partners and guests separate from the users and devices on the corporate network.

To compute DPM, divide the outage minutes by the total minutes in the period and multiply by 1,000,000. Redundant (parallel) switches provide growth capacity and direct fault-monitoring capabilities. The occasional but necessary hardware and software upgrade or change has to be carefully planned, or it might affect other parts of the network. DHCP eased moves, adds, and changes of devices, given the correct IP stack configuration, and the network must reliably and seamlessly support the introduction and use of portable devices (laptops, PDAs). Campus designs are becoming more complex, and this document will become Chapter 1 of the overall campus design guide.

The most common failures in small and medium-sized campus networks are associated with Layer-1 failures from components such as power, fans, and fiber links. Port features such as port security provide protection at the port level, with per-port rather than per-client or per-subnet scaling; together with the monitoring systems, they minimize the impact of any fault on the network.
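The VRF-Lite-over-802.1Q separation described above and in Figure 27, worked as an added configuration example that is not part of the original page or the referenced white paper. It assumes a Catalyst 6500/4500-class distribution switch running IOS with a routed TenGigabitEthernet uplink toward the core; the VRF names, VLAN IDs, addresses and EIGRP AS numbers are placeholders.

```cisco
! VRF-Lite guest/partner segmentation on a distribution switch (added
! example; VRF names, VLANs, addresses and AS numbers are placeholders).
ip vrf GUEST
 rd 65000:20
ip vrf PARTNER
 rd 65000:30
!
! SVIs facing the access layer. Each VRF is a separate routing table, so
! a guest host has no route at all to corporate or partner subnets; there
! is nothing for an ACL to get wrong.
interface Vlan20
 description guest access (wired and wireless)
 ip vrf forwarding GUEST
 ip address 10.20.1.1 255.255.255.0
 ip helper-address 10.20.0.10
interface Vlan30
 description onsite partner access
 ip vrf forwarding PARTNER
 ip address 10.30.1.1 255.255.255.0
!
! One physical uplink to the core carries each VRF on its own 802.1Q
! subinterface, so the separation survives the hop without MPLS. The
! core (or Internet edge) terminates the matching tags in matching VRFs.
interface TenGigabitEthernet1/1
 description uplink to core, per-VRF 802.1Q subinterfaces
 no switchport
 no ip address
interface TenGigabitEthernet1/1.1020
 encapsulation dot1Q 1020
 ip vrf forwarding GUEST
 ip address 10.255.20.1 255.255.255.252
interface TenGigabitEthernet1/1.1030
 encapsulation dot1Q 1030
 ip vrf forwarding PARTNER
 ip address 10.255.30.1 255.255.255.252
!
! Per-VRF routing. Guests only ever need a default route toward the
! Internet edge; partners get a routing adjacency that is confined to
! the PARTNER table.
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.255.20.2
router eigrp 100
 address-family ipv4 vrf PARTNER
  network 10.30.0.0 0.0.255.255
  network 10.255.30.0 0.0.0.3
  autonomous-system 200
```

`show ip route vrf GUEST` should contain nothing but the connected SVI and the default; if a corporate prefix ever appears there, a VLAN or subinterface has been attached to the wrong VRF, which is the failure mode to alert on.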