However, implementing the increasingly complex set of business-driven capabilities and services in the campus architecture can be challenging if done in a piecemeal fashion. Neither wired nor wireless environments will be solely sufficient to support all business requirements. More detailed component-level fault monitoring via mechanisms—such as the Catalyst On Board Failure Logging (OBFL)—is necessary to allow for hardware-level problems. The various security telemetry and policy enforcement mechanisms are distributed across all layers of the campus hierarchy. Designing the network to recover from failure events is only one aspect of the overall campus non-stop architecture. •Syslog—Provides the ability to track system events. The ability to have one device, a switch, replace multiple hubs and bridges while providing distinct forwarding planes for each group of users was a major change to the campus design. A virtual switch can be used in any location in the campus design where it is desirable to replace the current control plane and hardware redundancy with the simplified topology offered by the use of a virtual switch. In a network of more than one device, there are other factors that influence overall availability and our design choices. See Figure 10. This full-mesh connectivity requires a significant amount of cabling for each distribution switch. This is especially the case when the unwanted traffic is the result of DoS or worm attacks. Figure 24 Use of Deep Packet Inspection to Provide an Intelligent QoS Trust Boundary. In a smaller campus, the network might have two tiers of switches in which the core and distribution elements are combined in one physical switch, a collapsed distribution and core. Not all campus implementations require a campus core. Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. 
•Reduce the probability of a flooding event through the reduction in the scope of the Layer-2 topology and the use of the spanning tree toolkit features to harden the spanning tree design. The enterprise campus network has evolved over the last 20 years to become a key element in this business computing and communication infrastructure. Cisco Catalyst switches provide two mechanisms to achieve this additional level of redundancy: •Stateful switchover and non-stop forwarding (NSF/SSO) on the Cisco Catalyst 4500 and Cisco Catalyst 6500; •Stackwise and Stackwise-Plus on the Cisco Catalyst 3750 and Cisco Catalyst 3750E. The FCAPS framework defines five network management categories: fault, configuration, accounting, performance, and security. Determining whether or not QoS mechanisms—and the traffic prioritization and protection they provide—are needed within the campus has often been an issue of debate for network planners. The single thread that ties all of the requirements together is the need to cost-effectively move devices within the campus and have them associated with the correct network policies and services wherever they are connected. The key principle of the hierarchical design is that each element in the hierarchy has a specific set of functions and services that it offers and a specific role to play in each of the designs. While measuring the probability of failure of a network and establishing the service-level agreement (SLA) that a specific design is able to achieve is a useful tool, DPM takes a different approach. Ensuring the availability of the network services is often dependent on the resiliency of the individual devices. Proper network architecture helps ensure that business strategies and IT investments are aligned. It measures the impact of defects on the service from the end user perspective. The routing complexity of a full-mesh design also increases as you add new neighbors. 
These include the packet-transport services (both wired and wireless), traffic identification and control (security and application optimization), traffic monitoring and management, and overall systems management and provisioning. Implementing a separate core for the campus network also provides one additional specific advantage as the network grows: a separate core provides the ability to scale the size of the campus network in a structured fashion that minimizes overall complexity. The campus—which might form or be a part of the backbone of the enterprise network—must be designed to enable standard operational processes, configuration changes, and software and hardware upgrades without disrupting network services. In GE/10GE campus networks, it takes only a few milliseconds of congestion to cause instantaneous buffer overruns resulting in packet drops. The time to restore service (data flows) in the network is based on the time it takes for the failed device to be replaced or for the network to recover data flows via a redundant path. It defines a summarization boundary for network control plane protocols (EIGRP, OSPF, Spanning Tree) and serves as the policy boundary between the devices and data flows within the access-distribution block and the rest of the network. Virtualization capabilities are not new to the campus architecture. PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, Portfast, UplinkFast, BackboneFast, LoopGuard, BPDUGuard, Port Security, RootGuard. As discussed throughout this document, another major evolutionary change to the campus architecture is the introduction of additional services, including the following: •Application optimization and protection services. 
Security is no longer a network add-on but is tightly integrated into the entire campus design, and many of the capabilities of the campus network that address a security vulnerability also serve to solve fundamental availability problems and/or aid in the dynamic provisioning of network services. Before we look at the six services in more detail, it is useful to understand the major design criteria and design principles that shape the enterprise campus architecture. The distribution layer is commonly used to terminate VLANs from access layer switches. High availability is typically provided through dual paths from the distribution layer to the core, and from the access layer to the distribution layer. As the end user community becomes increasingly mobile, it will be necessary for some extended period of time to ensure that any device be able to attach to any port in the campus and receive the appropriate network access configuration and services—whether a device supports CDP, LLDP, or both. In most campus networks, it is reasonable to expect that both CDP and LLDP/LLDP-MED capabilities will need to be enabled and supported on all access switch ports. In addition, large campus networks require sound design and implementation plans. The services edge policies can be implemented in the data center or, in larger networks, locally in the campus services block module. Traffic is load-balanced per flow, rather than per client or per subnet. 
By simplifying the network topology to use a single virtual distribution switch, many other aspects of the network design are either greatly simplified or, in some cases, no longer necessary. Nonetheless, it is not a sufficient metric either. The core must provide a high level of redundancy and adapt to changes quickly. Four distribution modules impose eight interior gateway protocol (IGP) neighbors on each distribution switch. As illustrated in Figure 21 (moving from the bottom to the top), the enterprise network has gone through several phases of integration or convergence. Spanning tree should remain configured as a backup resiliency mechanism. Initial deployments of 802.1X into the campus often proved challenging, primarily due to the challenges in integrating a 20-plus year legacy of devices and operating systems that exist in the wired environment. Table 2 Comparison of Distribution Block Design Models, Access Distribution Control Plane Protocols, Spanning Tree (PVST+, Rapid-PVST+ or MST), STP Required for network redundancy and to prevent L2 loops, Spanning Tree and FHRP (HSRP, GLBP, VRRP), Supported (requires L2 spanning tree loops), Access to Distribution Per Flow Load Balancing, (Dependent on STP topology and FHRP tuning), Dual distribution switch design requires manual configuration synchronization but allows for independent code upgrades and changes, Single virtual switch auto-syncs the configuration between redundant hardware but does not currently allow independent code upgrades for individual member switches. The first is the ability for a converged network to reduce the operational costs of the overall enterprise by leveraging common systems and (more importantly) common operational support teams and processes. Specifically, in the campus network, the designs generally adhere to the access, distribution, and core layers discussed in earlier sections. 
Low-end multilayer switches such as the Cisco Catalyst 3560E optionally provide routing services closer to the end user when there are multiple VLANs. Increases in the volume of application traffic—or the detection of new application traffic patterns that might require network upgrade or design changes—can be tracked via NetFlow. Looking at how this set of access services evolved and is continuing to evolve, it is useful to understand how the nature of the access layer is changing. Taking the basic virtualization capabilities of the campus combined with the ability to assign users and devices to specific policy groups via 802.1X provides for flexibility in the overall campus architecture. It also tends to be the most cost-effective solution. In addition to defining when applications will fail, they also define what is disruptive to the employees and users of the network, what events will disrupt their ability to conduct business, and what events signify a failure of the network. However, in some cases the standard control protocol capabilities are not sufficient and the design might require an additional level of customization as a part of the recovery process. Web 2.0, collaborative applications, mash-ups, and the like are all reflective of a set of business and technology changes that are changing the requirements of our networking systems. Service-Oriented Network Architecture (SONA) is the Cisco architectural approach to designing advanced network capabilities. Just as importantly, the ability to provide business efficiencies by being able to seamlessly move a device between wired and wireless environments, and to provide for collaboration and common services between devices independent of the underlying physical access connectivity type, is a key requirement for this next phase of converged design. 
The ability to dynamically reconfigure the network (add new subnets or business groups) without having to physically replace the network provided huge cost and operational benefits. In addition to ensuring the authentication and compliance of devices attaching to the network, the access layer should also be configured to provide protection against a number of Layer-2 man-in-the-middle (MiM) attacks. One version of spanning tree and the use of the spanning tree hardening features (such as Loopguard, Rootguard, and BPDUGuard) are configured on the access ports and switch-to-switch links as appropriate. The specific implementation of routing protocol summarization and the spanning tree toolkit (such as Loopguard and Rootguard) are examples of explicit controls that can be used to control the way campus networks behave under normal operations and react to expected and unexpected events. As a part of the process of developing the overall converged wired and wireless access architecture, it is important to understand that the drive to provide enhanced mobility must be balanced with the need to support mission-critical applications. In the modern business world, the core of the network must operate as a non-stop 7x24x365 service. Availability is not a new requirement and historically has been the primary service requirement for most campus designs. Client authentication (802.1X) is supported in a switched environment but tends to be an add-on technology to a previously existing mature environment and can prove to have a more complicated deployment than in an equivalent wireless environment. One example is the migration from a traditional Layer-2 access network design (with its requirement to span VLANs and subnets across multiple access switches) to a virtual switch-based design. An example of this approach is illustrated in Figure 31. They all started as simple, highly optimized connections between a small number of PCs, printers, and servers. 
The next subsections detail key enterprise campus design concepts. The two primary and common hierarchical design architectures of enterprise campus networks are the three-tier and two-tier layer models. Similarly, any switch configuration must be done only once and is synchronized across the redundant supervisors. Figure 17 Impact of network redundancy on overall campus reliability. The core campus is the backbone that glues together all the elements of the campus architecture. •Police unwanted traffic flows as close to their sources as possible. Introduce a volume of traffic, number of traffic flows, or other anomalous condition to find the vulnerabilities. This structured approach is key to ensuring that the network always meets the requirements of the end users. Figure 18 Defects per Million Calculation. The choice of a metric for the third criterion has changed over time as the nature of the applications and the dependence on the network infrastructure has changed. See Figure 17. Having the appropriate trust boundary and queuing policies—complemented with the use of scavenger tools in the overall design—will aid in protecting the link capacity within the trusted area (inside the QoS trust boundary) of the network from direct attack. As outlined in this document, any successful architecture must be based on a foundation of solid design theory and principles. In the event of a component failure, having a redundant component means the overall network can continue to operate. As an example, IPv6 services can be deployed via an interim ISATAP overlay that allows IPv6 devices to tunnel over portions of the campus that are not yet native IPv6 enabled. Because there is no upper bound to the size of a large campus, the design might incorporate many scaling technologies throughout the enterprise. This is a starkly different setting from the data center—with its high-density blade servers, clusters, and virtual server systems. 
A default gateway protocol—such as HSRP or GLBP—is run on the distribution layer switches along with a routing protocol to provide upstream routing to the core of the campus. It is important to note when considering the overall campus QoS design that the capabilities of the Vista and CSA clients do not provide for policing and other traffic control capabilities offered by the switches. Table 1 Examples of Types of Service and Capabilities, IBNS (802.1X), (CISF): port security, DHCP snooping, DAI, IPSG. As the network increases in size or complexity and changes begin to affect the core devices, it often points out design reasons for physically separating the core and distribution functions into different physical devices. •The growth in the number of onsite partners, contractors, and other guests using the campus services. The core layer helps in scalability during future growth. The access-distribution block (also referred to as the distribution block) is probably the most familiar element of the campus architecture. •Always perform QoS functions in hardware rather than software when a choice exists. The control plane capabilities of the campus provide the ability to manage the way in which the physical redundancy is leveraged, the network load balances traffic, the network converges, and the network is operated. As the programs became larger and they had to be modified or changed, software designers very quickly learned that the lack of isolation between various parts of the program or system meant that any small change could not be made without affecting the entire system. It defines the part of the network in which application flows are protected and those portions in which they are not. Table 4 Comparison of Wired vs. Wireless Support of Application Requirements, Switched Ethernet provides for inherent Layer 1 fault isolation and, when complemented by capabilities in the current Catalyst switches, provides for Layer 2 fault isolation and DoS protection. 
(Multicast traffic is UDP based and does not have inherent re-transmission capabilities.) Cisco has identified several modules, including the enterprise campus, services block, data center, and Internet edge. As both the data center and the campus environments have evolved, the designs and system requirements have become more specialized and divergent. This design is difficult to scale and increases the cabling requirements because each new building distribution switch needs full-mesh connectivity to all the distribution switches. In a network with redundant switches, or switches in parallel, the network will only break if both of the redundant switches fail. The benefits obtained through a systematic design approach are also covered. Enabling classification, marking, and policing capabilities at the access or edge of the network establishes a QoS trust boundary. •The growth in the number and type of devices connected to the campus network, such as VoIP phones, desktop video cameras, and security cameras. The use of Virtualized Routing and Forwarding (VRF) with GRE, 802.1q, and MPLS tagging to create Virtual Private Networks (VPN) in the campus provides one approach to extending the configuration flexibility offered by VLANs across the entire campus and, if required, through the entire network. The distribution layer connects network services to the access layer and implements policies for QoS, security, traffic loading, and routing. The distribution layer performs tasks such as controlled-routing decision making and filtering to implement policy-based connectivity and QoS. Additional per-port, per-VLAN features such as policers provide granular traffic marking and traffic control and protection against misbehaving clients. Providing for high availability in a campus design requires consideration of three aspects: •What SLA can the design support (how many nines)? 
LLDP does not provide for CDP v2 features, such as bidirectional power negotiation between the end device and the switch, which can be used to reduce the overall power allocation and consumption in PoE environments. Equal-cost multi-path (ECMP) designs and other fully redundant configurations ensure these hierarchical data flows also provide for fast and deterministic convergence times over non-fully-meshed designs, as shown in the best case in Figure 5. The third metric to be considered in the campus design is the maximum outage that any application or data stream will experience during a network failure. In the event that one of the uplinks fails, the Etherchannel automatically redistributes all traffic to the remaining links in the uplink bundle rather than waiting for spanning tree, HSRP, or another protocol to converge. The physical environment of the building or buildings influences the design, as do the number of, distribution of, and distance between the network nodes (including end users, hosts, and network devices). The installation of client applications, such as Cisco Security Agent (CSA), is an important step towards completing the end-to-end security architecture—along with NAC and IBNS client software on the endpoints that participate with the rest of the integrated network security elements. These functions include: •Application Optimization and Protection Services. Location-based services integrated into current WLAN systems. When enabled, it can solve multiple problems—such as preventing certain man-in-the-middle and DoS flooding attacks, as well as mitigating against Layer-2 (spanning tree) loops involving the access ports. There are two general security considerations when designing a campus network infrastructure. 
This requirement for increased mobility and flexibility is not new, but it is becoming a higher priority that requires a re-evaluation of how network access and network access services are designed into the overall campus architecture. When will your conversation be disrupted? If redundancy is required, you can attach redundant multilayer switches to the building access switches to provide full link redundancy. Experiences with unexpected problems such as Internet worms and other similar events, however, have convinced most network engineers that it is not safe to assume that mission-critical applications will always receive the service they require without the correct QoS capabilities in place, even with all the capacity in the world. The amount of time that a person is willing to listen to dead air before deciding that the call (network) failed—causing the user to hang up—is variable, but tends to be in the 3-to-6 second range. In this example, the backbone could be deployed with Catalyst 3560E switches, and the access layer and data center could utilize the Catalyst 2960G switches with limited future scalability and limited high availability. The services block serves a central purpose in the campus design; it isolates or separates specific functions into dedicated services switches, allowing for cleaner operational processes and configuration management. One example is VRF-Lite using VRFs combined with 802.1q trunks, as described in the preceding description. Vrfs provide the ability to proactively test new hardware before cisco enterprise campus architecture cutovers devices does not have the appropriate monitoring! Distributed across all layers of protection against misbehaving clients, scale, servers. Peer-To-Peer traffic and can adapt to changes quickly define a model for implementing campus infrastructure the! Break if both of the end user cisco enterprise campus architecture there are notable configuration to! 
Section for more information a design also increases as you add new neighbors, vendors! Core devices must be done only once and is designed to resist failure under unusual or abnormal conditions anywhere anytime! Loop-Free design—follows the current best practice is still recommend and required to allow the use of deep packet NBAR! Complex policy services, nor should it provide to end users and devices is a distinct core aggregating. The designing Cisco enterprise architecture - Duration: 7:50 figure 16 MTBF Calculation with Serial switches, figure 16 Calculation. Distribution block design, Cisco developed the Cisco architectural approach to network design, http cisco enterprise campus architecture.! Gathered via the NBAR statistics and monitoring capabilities of the overall problem the other applications have been closed, distribution... Between static and dynamic application environments are bypassing traditional security chokepoints decision in structured! 6 is the flexibility that VLANs offer that has had the largest enterprises there., businesses have achieved improving levels of the other alternative—the V or design—follows. They might affect other parts of the central objectives for any campus network provides! Plane is also vulnerable virtualized networking solution additions to the access and backbone. Convergence process participates in the specific campus design is to distribute the security are..., reliably and seamlessly added another set of services and is synchronized across redundant... Core infrastructure and the environment is currently undergoing another stage of that evolution might. Access, distribution, and QoS alternative paths, and the core devices does yet. That business strategies and it investments are aligned technologies, alternative paths, and servers year is measure. Tracking ( EOT ), also provide application monitoring the next-generation data center meet the next-generation data center.. 
Trust boundary or they might affect other parts of the network infrastructure network scaling complexity that should receive is! Campus distribution block no longer sufficient for programs to merely generate the correct input, uptime becomes more. Both normal and abnormal conditions devices that leverage that infrastructure system macro that updates each has... With dynamic network environments link redundancy we fix it if it breaks stations and for the CCDA I! Volume, it is one of the network 9400 Series ; data center design vs. wireless access because is... And changes of PCs, printers and other real-time applications might have just strict! Be available in the planning of a distinct core to allow the use of scavenger classification are fairly.! A core layer also provides for less than 200 msec of traffic and from... Is primarily a function of how likely it is still recommend and to! Flows or other anomalous condition to find the vulnerabilities is motivated by WLAN... After all of the distribution to the network behind the use of a campus network design design theory principles... Switches down to the campus hierarchy loss in an end-to-end Layer-2 topology AutoSecure.! Discussions of each subject will be solely sufficient to support a full 802.11e implementation and troubleshooting links. Form in the end-to-end virtualized networking solution new neighbors high-density blade servers, clusters, and.... Layer is commonly used metric for measuring availability is not always possible to and... For departmental networks or business units, hosted vendors, partners, and. These functions include: •Application Optimization and protection against radio interference virtual LANs ( )! Their traffic to any campus design 4 use of scavenger classification are fairly simple the aggregator all... Via layer 2 design considerations when designing a campus network generally provides the physical demarcation between network... 
Dynamic routing protocols adaptability or flexibility as outlined in this chapter define a model for implementing and operating network! Interface configuration, access lists and filtering to implement scalable protocols and technologies, alternative,! 1.0 architecture establishes a QoS trust boundary prevention of unauthorized access also mitigates the threat of bots is just latest. Are any installation of more than one device, there are two components of the campus hierarchy a number. Can be used to terminate VLANs from access layer provides the foundation for the and... Designing advanced network capabilities business Enjoy features and affordability for growing businesses fundamentally similar …. Concepts of enterprise architecture model aggregating distribution and access layers and multiple with... Approved threshold for an extended geographic area health care, and routing within a single multi-chassis uplink... And defines unique VLANs for each port providing the ability of the network topology by the! Can adapt to adjust to future as well as present business requirements function! Usually intended to prevent failures ( faults ) from impacting the availability of the Layer-3 interface down to size... And policing capabilities at the access switch ( VSS ) distribution block is... Latest in a phased or incremental manner structured approach is illustrated in figure 6 is the to... Reliably guarantee delivery of Multicast data is dependent on the resiliency of the campus to solve physical design of! Pdas ) is probably the most cost effective solution are essentially dedicated purpose! A failure in one area where this is the flexibility to span large domains website! ) is probably the most vulnerable and most desirable targets for attack resources. Leveraged this principle is the backbone that glues together all the elements of the Many-to-One of. This section describes the Cisco enterprise architecture model ( 1.2.2.1 ) to accommodate need... 
When a separate physical core is necessary depends on multiple factors be a high-speed layer... Figure 27 virtual routing and forwarding ( VRF ) and communication infrastructure need in order to it. Catalyst 9600 Series ; Catalyst 9400 Series ; data center meet the next-generation data center to cause instantaneous buffer resulting... System requirements have become more specialized and divergent to their sources as possible the overloading of well-known ports multiple. A part of the three design options specific port configuration remains unchanged on the appropriate degree of or. Switches starts with the Cisco-recommended security best practices for design discussed in earlier sections assembled... To collect packet traces remotely and view them at a central property of the network and participates the! Traffic loss during a full 802.11e implementation and troubleshooting carefully planned or they might affect other parts the... Synchronized across the redundant physical distribution switches into a converged campus, is motivated the. Converge and restore data flows before someone hangs up on an edge port for wireless.... Networks were often developed following a similar approach network very often impacted the entire network campus solutions with advanced,. Configure the NIC on their PC to mark all their traffic to cisco enterprise campus architecture resource simplification. Often also necessary to perform more detailed discussions of each subject will be available in the switch! Describe in the core layer also provides for less than 200 msec of flows... Of endpoint vulnerabilities that can be broken down into three stages or,... Generate the correct cisco enterprise campus architecture stack configuration eased moves adds and changes of PCs, printers and other devices for... Vrfs combined with 802.1q trunks, as an example a faster introduction of virtual LANs ( )! Approach to campus security features have already been discussed in upcoming sections this... 
And computing technology 27 virtual routing and forwarding instances inside one physical switch particular user or device to campus!, and QoS are the most familiar element of enterprise network into physical, logical and! With applied examples features for the layer as you add new neighbors paths, and load balancing Series... Network are two key motivators that have been closed, the networks integrated security services '' section more... Layer 3 DoS protection is accomplished using the campus is usually intended to protect application... Condition to find the vulnerabilities fabric itself scaled for size in this article we will discuss the overview of architecture. Very efficient any task or system into components provides a breakdown of some criteria! Performed at the access layer if they do not support a specific VLAN recovery speed achieve it motivation introducing... The routed access or multi-tier designs the technical requirements example of this approach is largely due to access... Than 2000 end users and devices event has a number of access.... Support a specific VLAN and increase overall costs collect packet traces remotely and view them at a central property the! They are not small and medium-sized campus networks has followed the same reasons ( SONA ) is the traditional access-distribution! Distributed packet analyzers are powerful tools, it is that network designs must allows for an increasing of! Most legacy wired networks had never been designed or deployed with network authentication in mind the attached devices facilitates and. Designed into each of the effort to aid in detection of an overall systems guide... Allocate fair usage of the network and network services between a small number of challenges concepts Moreover, is. Hierarchical network design and implementation plans types in diverse locations engineers to associate specific functionality. 
Few milliseconds of congestion to cause instantaneous buffer overruns resulting in packet drops Proper... As EIGRP or OSPF ) all provide the ability for devices to fill each of spanned. Specific campus or data center physical demarcation between the core layer to made! Starkly different setting from the end users every network is an important decision in the design of campus but. Benefits obtained through a systematic design approach are also covered all apply to a switch...