Lab Guide
05.03.07
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents

Lab Guide
  Overview  1
  Outline  1
  Case Study 1: MegaCorp Campus Design  2
    Activity Objective  2
    Visual Objective  2
    Required Resources  2
    MegaCorp Campus Case Study Scenario  3
      Campus Design: Business Factors  4
      Campus Design: Technical Factors  5
    MegaCorp Campus Design Tasks  6
    Activity Verification  8
  Case Study 2: CP Hotels Addressing and Routing Design  9
    Activity Objective  9
    Visual Objective  9
    Required Resources  10
    CP Hotels Case Study Scenario  10
    CP Hotels Design Tasks  19
    Activity Verification  20
  Case Study 3: CP Hotels Network Initiatives  21
    Activity Objective  21
    Visual Objective  21
    Required Resources  21
    CP Hotels Case Study Scenario  22
    CP Hotels Design Tasks  24
    Activity Verification  26
  Case Study 4: CP Hotels Security and IPsec VPN Network  27
    Activity Objective  27
    Visual Objective  27
    Required Resources  27
    CP Hotels Case Study Scenario  27
    CP Hotels Design Tasks  32
    Activity Verification  33
  Case Study 5: DS Medical Research Institute Network Infrastructure  35
    Activity Objective  35
    Visual Objective  35
    Required Resources  36
    DS-MRI Case Study Scenario  36
    DS-MRI Design Tasks  37
    Activity Verification  39
Answer Key  41
  Case Study 1 Answer Key: MegaCorp Campus Design  41
  Case Study 2 Answer Key: CP Hotels Addressing and Routing Design  45
  Case Study 3 Answers: CP Hotels Network Initiatives  49
  Case Study 4 Answer Key: CP Hotels Security and IPsec VPN Network  53
  Case Study 5 Answer Key: DS Medical Research Institute Network Infrastructure  57
ARCH
Overview
This guide presents the instructions and other information concerning the activities for this course. You can find the recommended solutions in the Case Study Answer Key.
Outline
This guide includes these activities:
  Case Study 1: MegaCorp Campus Design
  Case Study 2: CP Hotels Addressing and Routing Design
  Case Study 3: CP Hotels Network Initiatives
  Case Study 4: CP Hotels Security and IPsec VPN Network
  Case Study 5: DS Medical Research Institute Network Infrastructure
Case Study 1: MegaCorp Campus Design

Activity Objective
In this activity, you will create a high-level design for the campus portions of the MegaCorp network. After completing this activity, you will be able to meet these objectives:
  Document and explain the real customer requirements for this scenario.
  Complete and present an optimal high-level design, including a diagram, physical and logical topology descriptions, recommended switch models and alternatives, other significant details, notes on how your design will support IP Telephony, and notes on your Power over Ethernet (PoE) recommendations.
  Describe and defend the pros and cons of your optimal design, and how it improves on the existing MegaCorp design.
  Describe any other technical design factors the detailed design should incorporate.
  Present a high-level approach for how to smoothly migrate from the old to the new network design.
  Describe how to mitigate risks in the present MegaCorp design using Cisco switches.
  Complete and present a design using the Metro Ethernet components provided in this Case Study to connect to remote office buildings.
Visual Objective
There is no visual objective for this case study.
Required Resources
These are the resources and equipment required to complete this activity:
  Case Study guidelines, presented in the Course Introduction
  MegaCorp Campus Case Study Scenario, presented here in the Lab Guide
  A workgroup consisting of two to four students
  Blank sheets of paper and a pencil
The company is now using the offices from 6 AM to 12 midnight, with different people working different hours to service customers in different time zones. Many cubicles are virtualized or used for hoteling, with different occupants at different times or on different days. MegaCorp prides itself on providing good customer service.
Step 1
Determine what MegaCorp's business and technical requirements really are (or should be), and how to convince MegaCorp that you are correct. (Do not spend a lot of time on this.)
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Step 2
Determine a recommended design, its pros and cons, and how it improves on the current MegaCorp design. Diagram the design, and use bullet lists to itemize specifics. Be prepared to justify any changes to the MegaCorp plan that you propose. Include in your plans:
  Physical topology (port counts, links, link speeds, diagrams)
  Logical topology (VLAN locations and scopes, Layer 2, Layer 3, other protocols: VTP, STP choice, STP settings, routing protocol, First Hop Routing Protocol, etc.)
  Recommended switch models and alternatives
  Other significant details
  Plans for IP Telephony support
  Recommendation for PoE
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Step 3
Identify other technical design elements that the detailed design should include (e.g. type of STP, security measures, etc.).
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Step 4
Provide a high-level plan for how the network could be smoothly migrated over to the new equipment over several months.
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Step 5
If the client insists on just modernizing equipment by replacing the existing switches with Cisco switches in their present design, and extending to 3 building switches instead of 2, what can you do to mitigate any negative aspects of the design? (Identify the aspects you feel are risky or negative, and then how you propose to reduce the related risk.)
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Step 6
Without knowing more about the Metro Ethernet service, you can think of it as being more or less like standard Ethernet connecting to some other switched buildings. How does this impact your design? What do you propose? Can you fit the acquired locations into your previous design?
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Note
One sign of a good design is that it readily accommodates changes and new requirements.
Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group. The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
  What you think the requirements for MegaCorp are, and the justification for your answers
  Your diagram, etc. for the best design
  Your list of pros and cons for the best design, and how it improves on the current (proposed) MegaCorp design. (See the list of detailed items to provide above.)
  Your justifications for any changes to the MegaCorp plan that you propose
  Your list of other technical design factors the detailed design should incorporate
  Your high-level migration plan
  Your plan for how to mitigate risks in a modern-equipment version of the current MegaCorp design
  Your proposal for how to accommodate the Metro Ethernet and the acquisition into your design, and justification for the main elements you propose
Case Study 2: CP Hotels Addressing and Routing Design

Activity Objective
In this activity, you will critically review, redesign, and create new parts of an IP addressing and routing design for CP Hotels. After completing this activity, you will be able to meet these objectives:
  Examine and critique a moderately complex IP addressing scheme, and propose how to improve it.
  Examine and critique a moderately complex routing scheme, and propose how to improve it.
  Evaluate and improve the current route redistribution scheme.
  Evaluate and improve the current default routing scheme.
  Propose a new addressing scheme to provide out-of-band NAC roles and voice VLANs in the four HQ buildings.
  Discuss the impact of moving web servers to collocation facilities, and propose a design for how to best connect them back to the data centers, and how to best perform routing to them.
Visual Objective
There is no visual objective for this case study.
Required Resources
These are the resources and equipment required to complete this activity:
  Case study guidelines, presented in the Course Introduction
  CP Hotels Case Study Scenario
  A workgroup consisting of two to four students
  Blank sheets of paper and a pencil
Network Topology
The two data centers are identical to each other. The network is structured around two core Cisco Catalyst 6509 Series Layer 3 switches in each of the data centers. They are interconnected through dense wavelength-division multiplexing (DWDM) over a fiber ring. Various network modules connect to the two core switches in each data center. Each module terminates in two core-facing routers or Layer 3 switches. Each core-facing router or Layer 3 switch in the module connects to both core Cisco Catalyst 6509 Series switches in its data center building. The data center modules are:
  Server Farm (Server) Module
  Hotels Module
  Call Center Module
  Partner Module
  Corporate Internet Access Module
  HQ Router Module
Remote sites or partners connect to the relevant module in each data center. Dual local links are used where feasible to provide increased availability. In such cases, one link goes to each data center.
The following diagram illustrates the CP Hotels network topology at a high level:

[Figure: CP Hotels high-level network topology, Data Center A. Server Farm Module: core, aggregation and access layers, x8 server rows, mainframe and website DMZ also located here, dedicated Internet links. Hotels Module: core, aggregation (4 pairs), access (4 groups of 4, 16 total), shared Layer 2 Frame Relay connectivity to 2000 hotels. Call Center Module: MPLS VPN. Partner Module: partners, various connection methods. Corporate Internet Access Module: Internet.]
Server Farm Module
In each data center, there are many servers organized into rows. Each server row connects to a pair of Cisco Catalyst 6509 Series access switches placed at the end of the row. Eight server rows connect to a pair of Layer 3 Cisco Catalyst 6509 Series aggregation switches using 4 Gbps EtherChannel. Although a smaller chassis might have been used for the aggregation switches, this approach keeps the equipment model inventory simple and leaves slots for NAM blades and service modules. There are currently two pairs of aggregation switches (two aggregation modules of eight rows each) connecting to the core switches by 4 Gbps EtherChannel. The corporate mainframes also connect to switches via Gigabit connections. They run IBM OSA, which uses OSPF to route traffic to the rest of the network, mainly to detect and respond to Gigabit link failure. They connect directly to aggregation layer switches in one of the two aggregation modules.
The corporate public-facing web and e-commerce servers are in a DMZ complex connected to one pair of access switches in the server farm area. They produce a high volume of traffic, all local to the Server Farm Module. Separate dedicated high-speed Internet connections terminate on the outside of the firewalls in the DMZ complex. All servers, mainframes, and web servers are duplicated at the second data center site.

Hotels Module
Each hotel connects via Frame Relay to each data center through the Hotels Module. There are 16 access routers, each of which connects to approximately 128 hotels. They aggregate into four pairs of aggregation routers, one pair for each of four Regions. The aggregation routers connect to two Layer 3 switches at the core-facing edge of the Hotels Module. The data center access router WAN links are fractional T3, running at approximately 20 (or 30) Mbps, one to each access router. The hotels have 256 Kbps PVCs with fractional T1 access circuits.
Note
128 x 256 Kbps is approximately 33 Mbps. So each data center access router needs some fraction of that bandwidth, depending on how much oversubscription is built into the network.
Call Center Module The Call Center Module connects to eight Call Centers.
Partner Module
Partners connect via a variety of methods, including leased lines, Frame Relay, IPsec VPN and MPLS VPN. Firewalls are used so that only specific partner server IP addresses may talk to the partner servers in the server farm.
Corporate Internet Access Module
Internet connectivity is provided through the Corporate Internet Access Module.
HQ Module
Each HQ building is connected to an HQ router in both data centers. These eight connections are DS-3 ATM.
[Figure: CP Hotels routing design, Data Center A and Data Center B (identical layout). Server Farm Module: OSPF across core, aggregation and access (x8 rows), Internet. Hotels Module: IBGP between core-facing routers and the aggregation layer (4 pairs), Frame Relay to 2000 hotels. Call Center Module: EBGP to the MPLS VPN. Partner Module: static routing, partners via various connection methods. Corporate Internet: static routing. HQ Module (HQ 1 & 2, HQ 3 & 4): OSPF. EBGP between each module and the core.]
The routing design uses external Border Gateway Protocol (EBGP) to isolate routing in the various modules. Most modules use Open Shortest Path First (OSPF) within the module. Each module has a different private BGP autonomous system (AS) number, to simplify writing BGP policy rules. The pair of core-facing routers in each module uses EBGP to the two core routers in its data center; each module router peers with both core routers. The two data center core pairs have different BGP AS numbers and also use EBGP to each other. Each module router pair redistributes the relevant Interior Gateway Protocol (IGP) into BGP. A default route is injected into the IGP in each module, so that default points to the core (which then routes to the dedicated Internet links).

Server Farm Module
The Server Farm Module uses OSPF. OSA on the mainframes is isolated behind dedicated Cisco 7300 Series routers, in their own totally stubby area, to isolate the mainframes from route changes.
Hotels Module
The Hotels Module uses EBGP between its core-facing edge routers and the core, and IBGP between those edge routers and the aggregation routers. The aggregation routers summarize OSPF into IBGP. They are connected to OSPF area 0, but each pair of aggregation routers uses a logically separate OSPF area 0 for its Region (four OSPF routing domains in total). This keeps route changes in one Region from propagating into the other Regions, and corresponds to the fact that hotel-to-hotel traffic is not allowed.
The four access routers in a Region act as Area Border Routers (ABRs), summarizing their areas into the Region's area 0. Each access router uses one area for every 32 sites it connects to.
Note
This Frame Relay design gives 5 areas per ABR (128/32 = 4, plus area 0). This was a very aggressive design 5-10 years ago, when 3 areas on one router was considered aggressive. One alternative would have been to put 64 hotels per area; that alternative would however waste more bandwidth on LSA flooding within each area. For purposes of this Case Study, we will stick with the aggressive OSPF design.
Call Center Module
The Call Center routers speak EBGP to the MPLS VPN provider, and also to the core routers. Each Call Center runs EIGRP, but that is not visible from the Data Center.
Partner Module
The Partner Module uses static routing internally, whatever the external routing may be. The core-facing routers use BGP network statements to pass a summary of these routes into the core. Default routing cannot be used to reach partners, since default needs to direct traffic to the corporate Internet links via the Corporate Internet Module.
HQ Module
The HQ Module uses OSPF to the four HQ buildings. Each HQ building WAN router summarizes the building into the WAN, which is area 0 for the HQ OSPF autonomous system. One VLAN per area uses the DWDM connection to tie each ABR in Data Center A to its twin in Data Center B. Each pair of aggregation routers in each data center connects to the corresponding pair in the other data center via two VLANs that are in their area 0, to make the area 0 networks contiguous.
Addressing at CP Hotels

HQ buildings were addressed from the public address block 150.1.0.0/16:

  Site   Address Block          Total Addresses in Block   Active Desktop and Access Ports
  HQ1    150.1.0-31 (/19)       8192                       2500
  HQ2    150.1.32-63 (/19)      8192                       2500
  HQ3    150.1.64-95 (/19)      8192                       3000
  HQ4    150.1.96-111 (/20)     4096                       1000

Data Center A uses some addresses from 150.1.240-255. Both data centers use addresses from 10.1.0.0/16 and 172.20.0.0/16. This scheme reflects different addressing schemes over time, and the difficulty of getting server staff to change addresses on servers. (Server addresses are forever.)

Call Centers use addresses from 180.1.0.0/16, assigned to allow room for growth. They are assigned as follows:

  Site   Address Block   Active Desktop and Access Ports
  CC1    180.1.0-11      200
  CC2    180.1.12-23     200
  CC3    180.1.24-35     200
  CC4    180.1.36-47     200
  CC5    180.1.48-59     100
  CC6    180.1.60-71     100
  CC7    180.1.72-83     100
  CC8    180.1.84-95     100
Partner addresses are public addresses chosen by the partner to avoid any possible address duplication. They come from multiple blocks per partner.
Each Region of 500 hotels is assigned address blocks as follows:

  Region   Address Block              Total Addresses in Block   Active Desktop and Access Ports
  1        10.96-103 (10.96.0.0/13)   524,288                    Up to 128,000 (500 x 256)
  2        10.104-111 (10.104.0.0/13) 524,288                    Up to 128,000
  3        10.112-119 (10.112.0.0/13) 524,288                    Up to 128,000
  4        10.120-127 (10.120.0.0/13) 524,288                    Up to 128,000

This matches a bit-mapping design of 10.011r raaa.aass ssss.hhhh hhhh, where r indicates the region bits (region minus 1), a indicates the area bits within that region, s indicates the subnet bits relative to the area, and h indicates the host bits in the subnet. Within each region, the 5 area bits allow for 32 areas: the 16 hotel areas per region would fit in 4 bits, but adding area 0 makes 17, which forces the fifth bit. Within each area, we need to connect 32 or fewer hotels, which means we need 32 subnets (5 subnet bits; make it 6 to allow more flexibility, and also to provide /30 blocks for the WAN links).
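The bit plan above is easiest to check by encoding and decoding it. The following is an added example, not part of the Cisco lab guide; the field widths (3 fixed bits 011, 2 region bits, 5 area bits, 6 subnet bits, 8 host bits) are read directly from the mapping, and the function and constant names are this example's own.

```python
import ipaddress

# Added example, not part of the Cisco lab guide: encode and decode the CP Hotels
# bit plan 10.011r raaa.aass ssss.hhhh hhhh. Field widths are taken from that
# mapping: 3 fixed bits (011), 2 region bits (region - 1), 5 area bits, 6 subnet
# bits and 8 host bits, so every hotel subnet is a /24.

FIXED_BITS = 0b011                    # high bits of the second octet: 0110 0000 = 96
REGION_BITS, AREA_BITS, SUBNET_BITS = 2, 5, 6
HOTEL_SUPERNET = ipaddress.IPv4Network("10.96.0.0/11")   # 10.96.0.0 - 10.127.255.255


def hotel_subnet(region: int, area: int, subnet: int) -> ipaddress.IPv4Network:
    """Return the /24 for region 1-4, area 0-31 and subnet 0-63 within that area."""
    if not 1 <= region <= 2 ** REGION_BITS:
        raise ValueError("region must be 1..4")
    if not 0 <= area < 2 ** AREA_BITS:
        raise ValueError("area must be 0..31")
    if not 0 <= subnet < 2 ** SUBNET_BITS:
        raise ValueError("subnet must be 0..63")
    # Second and third octets together: 011 | rr | aaaaa | ssssss (3+2+5+6 = 16 bits).
    middle = (FIXED_BITS << 13) | ((region - 1) << 11) | (area << 6) | subnet
    return ipaddress.IPv4Network(((10 << 24) | (middle << 8), 24))


def decode_hotel_address(ip: str) -> dict:
    """Recover region, area, subnet and host from any address inside 10.96.0.0/11."""
    addr = ipaddress.IPv4Address(ip)
    if addr not in HOTEL_SUPERNET:
        raise ValueError(f"{ip} is outside the hotel block {HOTEL_SUPERNET}")
    middle = (int(addr) >> 8) & 0xFFFF
    return {
        "region": ((middle >> 11) & 0b11) + 1,
        "area": (middle >> 6) & 0b11111,
        "subnet": middle & 0b111111,
        "host": int(addr) & 0xFF,
    }


def region_block(region: int) -> ipaddress.IPv4Network:
    """Summary a Region's aggregation pair can advertise (fixed + region bits): a /13."""
    first = hotel_subnet(region, 0, 0)
    return ipaddress.IPv4Network((int(first.network_address), 8 + 3 + REGION_BITS))


def area_block(region: int, area: int) -> ipaddress.IPv4Network:
    """Summary an access router (ABR) can advertise for one area: a /18."""
    first = hotel_subnet(region, area, 0)
    return ipaddress.IPv4Network(
        (int(first.network_address), 8 + 3 + REGION_BITS + AREA_BITS))


def region_headroom(region: int, hotels: int = 500, hosts_per_hotel: int = 256) -> int:
    """Addresses left in a Region's /13 after the case study's 500 x 256 requirement."""
    return region_block(region).num_addresses - hotels * hosts_per_hotel


if __name__ == "__main__":
    print(hotel_subnet(2, 5, 10), decode_hotel_address("10.105.74.17"))
    print(region_block(1), area_block(3, 7), region_headroom(1))
```

region_block and area_block give the two summary boundaries the design relies on: one /13 per Region at the aggregation pair, one /18 per area at the ABR. Anything that does not fall on those boundaries (a hotel renumbered into the wrong area, a leaked /30) shows up as a more specific route in IBGP, which is worth watching for when reviewing the summarization.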
Step 1
Comment on the current addressing scheme, and its strong and weak points. All criticism should be constructive. That is, if you don't like the current plan, propose a better addressing plan.
_______________________________________________________________
_______________________________________________________________
Step 2
Comment on the existing routing scheme, its good points and bad points. What routing protocol changes would you make, and where? Why? What other routing recommendations would you make to CP Hotels? Some specific things to consider:
  Are the right routing protocols being used? In the right places?
  Can the route summarization be improved?
  Would the BGP route reflector feature help in this setting?
  What other routing features might be useful?
  Why are the links between data centers needed for each hotel access router and its twin? The areas are contiguous since both ABR routers link to the 32 hotels within the area.
  What happens if a link to a Partner fails? What can and cannot connect to the Partner?
  What should be done for failover of the corporate Internet connections?
Step 3
Comment on the pros and cons of the current default routing and redistribution strategy. If you propose a different approach, be prepared to describe how it works, and its pros and cons. Some specific things to consider:
  What are the alternatives to redistributing Module routes into EBGP? Pros and cons of each?
  What topology change would allow keeping Partner routes out of the core? How would this work with failover to the other Data Center?
Step 4
Propose a new or revised addressing scheme to accommodate out-of-band NAC roles and IPT (IP Telephony) voice VLANs in the HQ buildings. Some details:
  The following roles or VLANs are needed at each Layer 3 switch: guest, user, sys admin, developer, financial sys admin, voice VLAN, plus a few more for growth.
  Assume the design has or will have one Layer 3 access switch per 200 users, dual-homed into a pair of building aggregation switches that route to the data centers. The number of users in each building is shown above.
  Each role subnet must allow for up to 254 users, since ordinary users, developers, or system administrators might be grouped near each other. That is, you cannot safely assume the users will be evenly distributed among roles.
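A quick way to size the Step 4 scheme is to count /24s per switch and check them against each building's current block. The following is an added example and not the lab guide's own material. It assumes eight role VLANs (the six named above plus two for growth), one /24 per role per switch, one switch per 200 users, and takes the building blocks and user counts from the HQ table above; the 10.2.0.0/17 block used at the end is an assumed-free private range that does not appear in the case study.

```python
import ipaddress
import math

# Added example, not part of the lab guide. Assumptions: eight role VLANs per
# Layer 3 access switch (the six the case study names plus two for growth), one
# /24 per role per switch (up to 254 users each), one switch per 200 users, and
# the building user counts from the HQ addressing table.

ROLES = ["guest", "user", "sysadmin", "developer", "fin-sysadmin", "voice",
         "growth-1", "growth-2"]
USERS_PER_SWITCH = 200
HQ_BUILDINGS = {          # (current public block, active desktop/access ports)
    "HQ1": ("150.1.0.0/19", 2500),
    "HQ2": ("150.1.32.0/19", 2500),
    "HQ3": ("150.1.64.0/19", 3000),
    "HQ4": ("150.1.96.0/20", 1000),
}


def switches_for(users: int, users_per_switch: int = USERS_PER_SWITCH) -> int:
    return max(1, math.ceil(users / users_per_switch))


def per_switch_prefix(n_roles: int) -> int:
    """Prefix length of one switch's block: one /24 per role, rounded up to a
    power of two so the Layer 3 switch can advertise a single summary."""
    return 24 - math.ceil(math.log2(n_roles))


def building_prefix(users: int, n_roles: int = len(ROLES)) -> int:
    """Smallest prefix that holds one per-switch block for every switch."""
    return per_switch_prefix(n_roles) - math.ceil(math.log2(switches_for(users)))


def plan_building(block: str, users: int, roles=ROLES) -> dict:
    """Carve block into per-switch summaries and per-role /24s; report whether it fits."""
    net = ipaddress.IPv4Network(block)
    n_sw = switches_for(users)
    sw_prefix = per_switch_prefix(len(roles))
    if sw_prefix > net.prefixlen:
        sw_blocks = list(net.subnets(new_prefix=sw_prefix))
    elif sw_prefix == net.prefixlen:
        sw_blocks = [net]
    else:                      # block is smaller than one switch's share
        sw_blocks = []
    allocation = {}
    for i, sw_block in enumerate(sw_blocks[:n_sw]):
        for role, role_net in zip(roles, sw_block.subnets(new_prefix=24)):
            allocation[(f"sw{i + 1}", role)] = role_net
    return {
        "switches": n_sw,
        "switch_summary_prefix": sw_prefix,
        "switch_blocks_available": len(sw_blocks),
        "fits": n_sw <= len(sw_blocks),
        "required_building_prefix": building_prefix(users, len(roles)),
        "allocation": allocation,
    }


def audit_hq(buildings=HQ_BUILDINGS) -> dict:
    """Check every HQ building's current public block against the role plan."""
    return {name: plan_building(block, users) for name, (block, users) in buildings.items()}


if __name__ == "__main__":
    for name, result in audit_hq().items():
        print(name, result["switches"], "switches, fits:", result["fits"],
              "needs a /%d" % result["required_building_prefix"])
    # Assumed-free private block for HQ1 (not in the case study's address tables).
    print(plan_building("10.2.0.0/17", 2500)["allocation"][("sw13", "guest")])
```

With these assumptions none of the existing public /19 and /20 blocks fits: HQ1 needs 13 switches times eight /24s, i.e. a /17, and even HQ4 needs a /18. Giving each switch a contiguous /21 also means each Layer 3 access switch advertises one summary toward the building aggregation pair, which keeps the HQ OSPF area small even after role VLANs multiply the subnet count.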
Step 5
The CP Hotels web site is being moved to a pair of collocation facilities, each of which will connect back to the data centers via DS-3 links. Taking the existing topology and routing into account, what do you recommend as the best way to connect the collocation facility back into the data center? Some specific things to consider:
Where should the connections terminate in a router? Assume the collocated routers and firewalls and servers will be managed by CP Hotels. If the collocation provider were providing a managed firewalls service, then CP Hotels might feel the need to put firewalls in at the point where the collocation links terminate. We will keep things simple for this Case Study.
Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group. The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
  The pros and cons of the current IP addressing scheme, and your proposed changes to the IP addressing scheme.
  The pros and cons of the current IP routing scheme, including summarization, and your proposed improvements or changes to the routing scheme, including summarization.
  The pros and cons of the current default routing and redistribution schemes, and your proposed changes or improvements to the default routing and route redistribution schemes.
  Your proposed new addressing scheme to provide out-of-band NAC roles and voice VLANs in the four HQ buildings.
  Your list of key points concerning the impact of moving web servers to collocation facilities.
  Your proposed design for how to best connect the collocation facilities back to the data centers, and how to best perform routing to them.
Case Study 3: CP Hotels Network Initiatives

Activity Objective
In this activity, you will critically review and design or redesign parts of the CP Hotels network. After completing this activity, you will be able to meet these objectives:
  Prepare and present a design for the replacement E-Commerce WAN. Your design should address the specific questions and requirements listed below.
  Prepare and present a new design for the Server Farm Module upgrade. Your design should address the specific questions and requirements listed below.
  Prepare and present a new design for the E-Commerce Collocation upgrade, taking into account advances in technology. Your design should address the specific questions and requirements listed below.
  Prepare and present the business case and a high-level design for an E-Commerce Collocation SAN, or be prepared to justify why you feel that a SAN is not needed or is inappropriate.
Visual Objective
There is no visual objective for this case study.
Required Resources
These are the resources and equipment required to complete this activity:
  Case Study guidelines, presented in the Course Introduction
  The prior CP Hotels Case Study 2 Scenario
  A workgroup consisting of two to four students
  Blank sheets of paper and a pencil
[Figure: Collocation Cage A paired with Data Center A, Collocation Cage B paired with Data Center B. In each cage: web servers on VLAN 10, app servers on VLAN 20, DB servers on VLAN 30.]
There are two Production Collocation Facilities. They are each paired with one data center. (For this case study, we will not discuss the additional single Performance and Test module, also located in one of the collocation facilities. It is similar in design.) Inside each collocation facility, VLANs 10, 20, and 30 are respectively the web server, application server, and DB server VLANs. The site runs IBM WebSphere on IBM servers. All traffic enters the web complex through a pair of Brand X firewalls. The paired CSS devices route between the firewall VLAN and the internal VLANs 10, 20, and 30. Servers in each VLAN (10, 20, 30) have the CSS virtual interface as their default gateway, to keep server routing simple. The firewalls also secure the connection back to the CP Hotels data centers. The firewalls run VRRP on the connections toward the CP Hotels data centers. The edge Cisco Catalyst 3550 Series switches use HSRP and EIGRP to the edge WAN routers connecting to the data centers. The Cisco Catalyst 3550 Series switches also provide a SPAN port for troubleshooting. The firewalls and Cisco Catalyst 3550 Series switches have static routes pointed at each other's VIP addresses. There are two WAN routers at each E-Commerce web site. Each WAN router has a DS-3 connection back to one router at the paired Data Center. The data center WAN routers connect back to aggregation layer switches inside the Server Farm Module in that data center.

(ARCH) v2.0 2007 Cisco Systems, Inc.
[Figure: Server Farm Module in both data centers. Layer 2 access switches, x8 rows per aggregation pair, with 1 Gbps uplinks to the Layer 3 aggregation switches; aggregation pairs connected to the core by 2 Gbps EtherChannel.]
Step 1
(E-Commerce WAN Statement of Work) The CP Hotels website is experiencing 50% growth in traffic back to the Data Centers every year. The current links are at 80% utilization, so that if one fails, the other will not have enough capacity. Assuming all the old and new WAN technologies are available, recommend an updated E-Commerce WAN design. Be sure to address the following:
  Are there any WAN technologies that should clearly be ruled out? If so, why?
  Are there any WAN technologies that are particularly suitable for this use?
  Is there an approach that would provide the ability to turn up the bandwidth without new hardware or access circuits?
  How much bandwidth do you recommend that CP Hotels start out with on the replacement WAN links?
  What SLA characteristics are needed for these links, if CP Hotels views them as part of the highly critical revenue-producing e-commerce site?
Step 2
(Server Farm Statement of Work) CP Hotels is asking you, as their favorite and highly skilled consultant, to comment on the data center Server Farm Module design. Management has asked for a green-field redesign of the Server Farm Module from scratch. As you know from some late nights, there have been several configuration accidents and the odd hardware problem leading to large Spanning Tree loops. Management would like to add another 9 of availability for the server farm network. The CIO emphasized that the new design should take advantage of technology and speed improvements, while complying with shifts in what are considered Best Practices.

The CP Hotels server administrators discovered VMware about 2 years ago, and started rolling it into large-scale production use about 9 months ago. As you know, VMware allows one physical server to be divided into multiple logical servers, providing isolation for different applications without the heavy hardware investment of one server per application. They have been testing VMotion, which can snapshot a virtual server and move it to another physical server in about 1 second, without having to take it out of service. Their VMotion consultant is telling them the best way to deploy VMotion is to use one or two dedicated interface(s) per server, on a dedicated VLAN, to ensure rapid problem-free moves without contention from data traffic.

Many rows of racks are full, however, so any unused servers for VMotion could be anywhere in the data center. Space at row ends is tight, so CP Hotels cannot just add some spare racks and servers to the existing rows. CP Hotels wants your recommendation on how to accommodate the VMotion requirements while meeting the first goal of adding another 9 of availability.
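The Step 1 bandwidth question turns on a single constraint: after a link failure, one link must carry everything. The following is an added example, not the lab guide's own; it assumes the existing links are DS-3s at 44.736 Mbps, that today's load is split evenly across the pair at 80% utilization, that growth compounds at 50% a year as stated in the statement of work, and that a surviving link should run no hotter than a chosen ceiling (70% here). The menu of candidate per-link rates is an assumption too, not something the case study provides.

```python
# Added example, not part of the lab guide: size the replacement e-commerce WAN
# from the statement of work. Assumptions: the two existing links are DS-3s at
# 44.736 Mbps, today's load is split evenly across both at 80%, traffic grows
# 50% per year (compound), and a surviving single link must carry the whole
# load at no more than a chosen utilization ceiling.

DS3_MBPS = 44.736
GROWTH_PER_YEAR = 0.50
# Assumed menu of per-link rates a carrier might offer (Mbps); not from the case study.
STANDARD_RATES_MBPS = [44.736, 155.52, 622.08, 1000.0, 10000.0]


def offered_traffic_mbps(link_mbps: float = DS3_MBPS, links: int = 2,
                         utilization: float = 0.80) -> float:
    """Total traffic the link pair carries today."""
    return links * link_mbps * utilization


def projected_traffic_mbps(total_now: float, years: int,
                           growth: float = GROWTH_PER_YEAR) -> float:
    """Compound growth of the offered load over `years`."""
    return total_now * (1 + growth) ** years


def required_link_rate_mbps(total_now: float, years: int, max_util: float = 0.70,
                            growth: float = GROWTH_PER_YEAR) -> float:
    """Per-link rate so that ONE surviving link carries everything at <= max_util."""
    return projected_traffic_mbps(total_now, years, growth) / max_util


def first_year_of_failover_shortfall(link_mbps: float, total_now: float,
                                     max_util: float = 1.0,
                                     growth: float = GROWTH_PER_YEAR,
                                     horizon: int = 10):
    """Earliest year (0 = today) when a single link cannot absorb a failover."""
    for year in range(horizon + 1):
        if projected_traffic_mbps(total_now, year, growth) > link_mbps * max_util:
            return year
    return None


def smallest_rate_at_least(required: float, menu=STANDARD_RATES_MBPS):
    """Pick the smallest offered rate that covers the requirement."""
    for rate in sorted(menu):
        if rate >= required:
            return rate
    return None


def plan(years: int = 5, max_util: float = 0.70) -> dict:
    now = offered_traffic_mbps()
    need = required_link_rate_mbps(now, years, max_util)
    return {
        "traffic_now_mbps": now,
        "required_per_link_mbps": need,
        "pick_mbps": smallest_rate_at_least(need),
        "shortfall_year_today_pair": first_year_of_failover_shortfall(DS3_MBPS, now),
    }


if __name__ == "__main__":
    print(plan())
```

Under these assumptions the current pair already fails the single-link test (year 0, which is the statement of work's own observation), and holding a 70% ceiling five years out calls for roughly 780 Mbps per link. That is what makes a sub-rate Gigabit Ethernet service attractive here: the access circuit can be turned up in contract steps without a hardware change, which is the third bullet above.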
Step 3
(E-Commerce Redesign Statement of Work) The hardware in the Collocation Facility is coming off lease, and the E-Commerce manager has the budget to do it well. You have been asked to come up with a proposed design, meeting the following requirements:
  Firewall support is desired between the web and application layers and between the application and database layers, so that a server compromise in one layer can be contained before it affects the other layers. If there is a good way to protect servers within a VLAN from each other, CP Hotels would like to know about it.
  The CIO emphasized that the new design should take advantage of technology and speed improvements, while complying with shifts in what are considered recommended practices.
  Simplicity and low device count matter: collocation space is costly and tight.
  The web site is doubling in traffic volume every year. The design needs to scale to cover growth over the next 4-5 years.
  There is talk of the collocation provider managing the devices within its site, so appropriate security is needed inside the data centers in case there is a lapse in the security they provide. Do not forget to put in IPS capability.
  After losing millions of dollars due to a single extended outage, management has purchased the Network General Infinistream product, which does packet capture and reporting based on terabytes of disk space. The intent is to use it as a network flight recorder to help analyze the next outage. Your design will need to provide SPAN ports and plumbing so that the Infinistream can capture every packet every device in the collocation facility transmits on the inside of the firewall.
Step 4
(SAN Business Case and High-Level Design for Collocation Facilities) All web pages and application and database files are static, used to generate responses to web queries. Some of the databases are refreshed nightly, others change monthly, reflecting new hotel locations, etc. Actual guest reservations, frequent traveler benefits, and so on are stored in databases within the data center, not the collocation facility.
  At a very high level, what might be some business or technical reasons for using a SAN in the collocation facilities?
  If you think a SAN is not needed or inappropriate, prepare to justify this.
  How would you describe your SAN design at a high level, taking the above security requirements into account?
Page 25
Lab Guide
Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group. The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
Prepare and present a design for the replacement E-Commerce WAN. Your design should address the specific questions and requirements listed above.
Prepare and present a new design for the Server Farm Module upgrade. Your design should address the specific questions and requirements listed above.
Prepare and present a new design for the E-Commerce Collocation upgrade, taking into account advances in technology. Your design should address the specific questions and requirements listed above.
Prepare and present the business case and a high-level design for an E-Commerce collocation SAN, or be prepared to justify why you feel that a SAN is not needed or inappropriate. Your design should address the specific questions and requirements listed above.
Activity Objective
In this activity, you will critically review and/or redesign key portions of the CP Hotels network, using your new Security and IPsec VPN design skills. After completing this activity, you will be able to meet these objectives:
Recommend what type of IPsec VPN CP Hotels should use, and present the pros, cons, and justification for your recommendation.
Determine and present a detailed design for the hotel IPsec VPN, including overall hotel routing with failover, how IPsec reaches the other tunnel endpoint, and a detailed IP addressing plan.
Critically review and make recommendations to improve security at CP Hotels, including the specific items listed below.
Determine and present a design for Network Admission Control (NAC) Appliance deployment in CP Hotels headquarters (HQ) buildings, including coverage of the specific items listed below.
Visual Objective
There is no visual objective for this case study.
Required Resources
These are the resources and equipment required to complete this activity:
Case Study guidelines, presented in the Course Introduction
Previous CP Hotels IP Addressing and Routing Case Study Scenario
A workgroup consisting of two to four students
Blank sheets of paper and a pencil
Figure: CP Hotels network overview. Labels: Internet (x8), Core, Aggregation (4 pairs), Access (4 groups of 4, 16 total), L2 connectivity (shared), Hotels Module, Frame Relay, To 2000 hotels, MPLS VPN, Partner Module, Partners, Various connection methods, Internet.
Figure: CP Hotels routing overview for Data Center A (Data Center B has an identical layout). Labels: Internet (x8), EBGP, OSPF, Core, Aggregation (4 pairs), Access, Hotels Module, Frame Relay, IBGP, To 2000 hotels, Call Center Module, MPLS VPN, Partner Module, Static routing, Partners, Various connection methods, Internet, Static routing, OSPF.
Addressing at CP Hotels
HQ buildings were addressed from the public address block 150.1.0.0/16.

Site   Address Block   Total Addresses in Block   Active Desktop and Access Ports
HQ1    150.1.0-31      8192                       2500
HQ2    150.1.32-63     8192                       2500
HQ3    150.1.64-95     8192                       3000
HQ4    150.1.96-111    4096                       1000
Data Center A uses some addresses from 150.1.240-255. Both data centers use addresses from 10.1.0.0/16 and 172.20.0.0/16. This scheme reflects different addressing schemes over time, and the difficulty of getting server staff to change addresses on servers. (Server addresses are forever.) Partner addresses are public addresses chosen by the partner to avoid any possible address duplication. They come from multiple blocks per partner. Call Centers use addresses from 180.1.0.0/16, assigned to allow room for growth. Concerning hotels, each Region of 500 hotels is assigned address blocks as follows:

Region   Address Block   Total Addresses in Block   Active Desktop and Access Ports
1        10.96-103       2,097,152                  Up to 128,000 (500 x 256)
2        10.104-111      2,097,152                  Up to 128,000
3        10.112-119      2,097,152                  Up to 128,000
4        10.120-127      2,097,152                  Up to 128,000
This matches a bit mapping of 10.011r raaa.aass ssss.hhhh hhhh, where r indicates the region bits (region minus 1), a indicates the area bits within that region, s indicates the subnet bits relative to the area, and h indicates the host bits in the subnet. Within each region, the 5 area bits allow for 32 areas (16 plus area 0 forces us up to 32, however, or 6 bits). Within each area, there are 32 or fewer hotels, which use 32 subnets. 6 subnet bits are used to allow flexibility and also provide /30 blocks for the WAN links.
The data centers will be connected to the hotels through major international ISPs. Traffic from hotels will reach the data centers across the Internet from the hotel local ISPs through various peering points. At each hotel, the main office and front desk will be on a separate interface or VLAN protected by the IOS Firewall. CP Hotels believes the switch-let and secure wireless modules are attractive for future data connectivity within the front office. Right now IT Services does not attempt to manage LAN connectivity in hotels; local contractors provide those services, so the ISR routers will not contain such modules, at least initially. Hotel office traffic will be carried back to the data centers via IPsec VPN. A VPN to each data center will be used for redundancy. The routing metrics on IPsec tunnels or routes to IPsec peers are to be adjusted in some fashion to provide determinism, so that half the hotels normally route via Data Center A, and half through Data Center B. The design should dynamically fail over to the other data center if the primary path becomes unavailable.
Congratulations on winning this design project! If your consulting firm does a good job on the design and documentation, you may be asked to assist in the implementation phase (full-time work for 8 consultants for at least one year, with a lot of travel). If you continue to impress the CIO, your team will get complimentary upgraded rooms and breakfast at the hotels used during the implementation. (Although the hotel chain is paying the travel expenses for the project anyway.)
The roles are as stated in Case Study 2: The following roles or VLANs are needed at each Layer 3 switch: guest, user, system administrators, developer, financial system administrators, voice VLAN, plus a few more for growth. Each role subnet must allow for up to 254 users, since ordinary users, developers, or system administrators might be grouped near each other. That is, you cannot safely assume the users will be evenly distributed among roles.
The CP Hotels network team has decided that the following role to VLAN mapping will be used:

VLAN   Purpose
1      Default for unassigned ports: don't use
2      Native VLAN on trunks, no other use
3      Guest
4      User
5      Sys admin
6      Developer
7      Financial sys admin
8      Voice VLAN
9-16   Reserved for future expansion of roles
Complete a design for the new CP Hotels VPN. Your design should include the following components:
Your recommendation as to what type of IPsec VPN CP Hotels should use, why you recommend that approach, and its pros and cons.
An explanation of how each hotel will connect in your design.
An explanation of how your design routes to each hotel, including how failover works. Also explain how routing will allow packets to reach the other IPsec tunnel endpoint (i.e. how the IPsec packets would be routed).
Details of routing protocol implementation, e.g. OSPF areas, and EIGRP or OSPF summarization.
Your description of how your design controls the routing impact of any instability in local or regional ISPs.
A detailed addressing and routing plan, implementing the summarization (and, if relevant, areas) of the previous step.
Step 2
Review the CP Hotels design concerning overall security. Your report should include at least the following:
Your observations of any security problems in the present design. Also note ways in which packet and control plane security might be improved.
A check that all external connections are properly secured with firewalls. (Since all the details have not been specified, indicate what you want the design to look like at each external connection.)
Your recommendations for where CP Hotels should deploy IPS systems and how they should be deployed, and also where to deploy Cisco MARS.
Your evaluation of the risks concerning the Call Centers, and how best to mitigate those risks. The CP Hotel.com site and the Call Centers are crucial to revenue production at CP Hotels. The collocation facility redesign secured the e-commerce site. Now it is time to ensure the Call Centers are secure.
Step 3
Assume that NAC Appliance is to be deployed in HQ3, with 3000 users, and 15 Layer 3 access switches connected to two building switches that connect back to the data centers. The specific requirement is role-based control over who can access which servers. While the formal policy has yet to be determined, you will need to develop a preliminary design, answering the following questions at a high level:
How many NAC Appliances are needed, and where should they be deployed?
In-band or out-of-band deployment? What other information about the deployment mode (virtual or real gateway, etc.) applies? Either way, describe how it impacts addressing and VLAN definitions, performance, and manageability.
If additional VLANs will be needed, describe what they should be and why they are needed. Do not do any detailed IP addressing design; all that is desired here is a high-level description of any addressing impact of your proposed design.
Describe where your design allows traffic to be controlled (building access layer, building aggregation layer, data center core, data center module core-facing edge), and for what filtering purpose each possible location might be used. Also describe what traffic your design approach will not be able to control, if any.
Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group. The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
Your recommendation as to what type of IPsec VPN CP Hotels should use, with pros, cons, and justification.
Your detailed design plan for the hotel IPsec VPN, including overall hotel routing with failover, how IPsec reaches the other tunnel endpoint, and a detailed IP addressing plan.
Your critical review of and recommendations to improve security at CP Hotels, including the specific items listed above.
Your NAC Appliance design, including coverage of the specific items listed above.
Activity Objective
In this activity, you will design the network for DS-MRI. After completing this activity, you will be able to meet these objectives:
Prepare and present a high-level building and data center design for DS-MRI
Prepare and present a high-level alternative to add security
Design and justify how to extend the design to include more buildings
Propose a suitable high-level routing design
Prepare and present a high-level SAN design for the scenario
Propose a design or technology for grouped servers with substantial inter-server communications
Prepare and present a WAN design meeting the specified requirements
Propose and defend an IP multicast design
Prepare and present a high-level wireless design supporting VoWLAN and the Cisco Location Appliance
Prepare and present a design for using Cisco IOS network management features to meet the customer need, along with describing where those features will be used
Visual Objective
There is no visual objective for this case study.
2007 Cisco Systems, Inc. Lab Guide 35
Required Resources
These are the resources and equipment required to complete this activity:
Case Study guidelines, presented in the Course Introduction
The scenario below
A workgroup consisting of two to four students
Blank sheets of paper and a pencil
Complete a high-level design for the Building 1 and data center infrastructures. The Institute Director wants to know how much bandwidth the various parts of your design will supply, and what switch models you have in mind. Some approximate port counting would be a good idea. You should describe how the switches would be organized, both for Building 1 and for the data center, as well as how they interconnect.
Note
At the time of this writing, the 6500 models can hold up to 8 blades with eight 10-Gbps ports each, for a total of sixty-four 10-Gbps ports. The 3750-E and 3560-E models come with two 10-Gbps uplink ports. The 3750-E may be put into stacks of up to 9 switches. Both come in 24- or 48-port 10/100/1000 Mbps models, either with or without PoE. They allow use of the TwinGig converter, for two Gigabit SFP ports initially, then one 10-Gbps port later.
Step 2
Design to address security concerns. Research activity needs to be secured by project. Every attempt will be made to put project team members close to one another, but that sometimes is not possible. DS-MRI is mostly concerned about restricting access to servers based on project. How will your plan accommodate this? Suppose there is concern about protection of intellectual property, since any patents that come from research could be worth millions of dollars. Does that change your design? If so, how?
Step 3
Plan for growth. Your design needs to include a description of how you would expand coverage to 3 more similar buildings located 200-300 yards from each other, in a loop around the lake in the middle of the campus.
Step 4
Describe your proposed routing architecture at a high level. Detailed address planning is not needed at this time, but you should describe information such as where you would summarize routes, and what routing protocol(s) you would use.
Step 5
Discuss storage support. The current plans call for starting with 2000 blade servers, later expanding to 6000 or more. Provide a high-level SAN design to support these data center blade servers and their expansion.
Step 6
Discuss the server approach. The Institute Director asked a specific question: some of the computing requires many grouped servers with substantial amounts of inter-server communication. Is there any way to improve performance for these servers? Cost-effective 10 Gbps connectivity for servers is another related concern.
Step 7
Discuss WAN connectivity. DS-MRI is working internationally on many vital medical projects, teaming with many local doctors, professors, and other researchers. A flexible architecture is needed to allow for very rapid addition or removal of external WAN access, with security for data about local patients, since researchers may be actively involved in the ongoing treatment of patients. The architecture must accommodate a range of media and speeds, depending on what local facilities are available.
DS-MRI is willing to consider commercial shipment of pre-configured small Cisco routers, to simplify connectivity and support at remote sites containing teams of researchers. DS-MRI views this as providing facilities for and empowering local research teams. It is also important that local researchers be able to interact, and send data and possibly voice traffic as directly as possible to peers, rather than sending it to the U.S. and back out, to minimize latency. Recommend a WAN approach that maximizes flexibility without compromising security.
Step 8
Discuss IP multicast implications. The HQ campus will be doing IP multicast for video and audio transmission of technical seminars and training materials. Lower resolution versions could be made available to remote sites, or this material could be provided in the form of downloads from an internal web site. What are your recommendations, including security and other aspects of the multicast design (at a high level)? If DS-MRI is going to be using IP multicast, where should the RP(s) be located? Bearing in mind the topics covered in our IP multicast module, what other design features should be used by DS-MRI in their multicast design? Does multicast have any impact on, or change, your solution to the WAN connectivity design question above? If so, describe the changes needed.
Step 9
Discuss VoWLAN considerations. DS-MRI intends to deploy VoWLAN in the HQ buildings, to facilitate reaching staff when they are away from their desk or lab. DS-MRI is also considering using the Location Appliance. How does this impact your design? How will the wireless devices connect to your switch design? What are the key site survey and AP placement considerations to support this? Approximately how many access points, controllers, or other items will DS-MRI need to purchase to cover the first building? Is there any business justification for using Location Services with VoWLAN at DS-MRI?
Note
As of this writing, one WCS can support up to 3000 access points managed by up to 250 controllers. A single Location Appliance can track up to 2500 wireless devices.
Step 10
Discuss network management considerations. DS-MRI anticipates that it will need to allocate network overhead to various research projects, for internal cost accounting corresponding to the research grant focus of the organization. To help troubleshoot issues with WAN connections, the DS-MRI Network Operations Center (NOC) will need to be able to track packet loss, latency, and jitter. What Cisco IOS network management features should DS-MRI consider using? Where in the network should DS-MRI use these features?
Activity Verification
Your group has completed this activity when you have completed answers to the above questions, and selected a presenter for the group. The presenter should be prepared to explain and defend your answers to the class. The topics for discussion include the following:
The high-level building and data center design
The high-level alternatives to add security to the design
The design to extend the building design to include more buildings
The high-level routing design
The high-level SAN design for 2000 blade servers, and how you propose to expand it to 6000
The proposed approach for grouped servers with substantial inter-server communications
The proposed WAN approach
The proposed IP multicast design
The requested wireless design information
The proposed network management features and where they will be used
Answer Key
The recommended solutions for the activities that are described in this guide appear here.
Note that using 3 instead of 2 switches for the building distribution switches is a customer solution to a perceived problem. The real requirement is higher availability. It is up to the designer to decide the best way to provide the higher availability. The network staff needs training and skills-building. Bringing in someone with deeper technical skills might inspire staff to build skills.
You should plan for one or two VLANs per access switch. With a 20:1 oversubscription estimate and 100-Mbps access ports, each chassis would need an uplink of about 1.25 Gbps, so use a 2-Gbps EtherChannel to each building switch. The VLANs should be at most triangles consisting of the two uplinks and the trunk between the distribution layer switches, if VLANs need to span distribution switches.
Layer 3 (routing) to the access layer should be considered as a desirable option. It increases cost mildly, but would greatly reduce the need to troubleshoot Spanning Tree (simplicity!). It would require some staff training for the MegaCorp technical staff.
The distribution layer could be small 6500s, and the core bigger 6500 model switches. One argument in favor of using the 6500 is 10 Gbps readiness, which can also support oversubscription ratios for data today, and voice in the future.
The current Layer 2 Core is an older approach. Most sites want Layer 3 cores to avoid the large-scale outage a core Spanning Tree loop creates. You should highly recommend that MegaCorp use a Layer 3 core. A Layer 2 Core would be unwise with 8 x 2 + 2 = 18 switches in the STP domain.
The building switches should have two uplinks to the core switches, not just one. Recommended Practice: Use triangles, not squares. Justification: Equal-cost routing provides fast failover. If you use a 4:1 oversubscription model, the uplinks from building to core would be (2 closets * 2 Gbps * 5 floors)/4 = 5 Gbps. So the design can start with 4-Gbps uplinks, since the speeds on the uplinks from closets were rounded up. All uplinks in the design will need to be upgraded when VoIP is deployed.
Simplicity is somewhat at odds with power injection. PoE is affordable for MegaCorp if used where needed, namely in the access switches. While utility ports (printers, etc.) might be grouped on one non-PoE blade, it may be simpler to just provide PoE support on any port or blade in an access switch. The distribution and core switches need little or no PoE.
VTP transparent mode is required: there is little reason for VLANs to be changing frequently.
Use the Layer 2 toolkit (UplinkFast, UDLD, etc.). Use Rapid PVST+, not regular Spanning Tree. Tell them that a third building distribution switch will not provide more redundancy; it will mostly add complexity to the solution.
Step 1 Addressing
The Call Center blocks go up by 12. Going up by 8 would summarize better and still provide enough address space. It would be good to have a plan for address consolidation in the Data Centers, to get servers onto one prefix per Data Center, say over a 5-7 year period as servers are replaced.
EIGRP could be useful in the Server Farm Module, for more flexibility, although OSPF should work reasonably well there, given the regularity of the topology. OSPF has the virtue that it can be used with Cisco FWSM or PIX, CSS/CSM Route Health Injection, etc., whereas EIGRP cannot. The OSPF aggregation routers could be done away with, but the price would be a much larger (and single) area 0, more routes being sent to hotels, and a lot of peers for the core-facing EBGP routers. The present design compartmentalizes the large-scale hotel routing well.
NAT for partners would avoid the injection of random prefixes into core BGP, and would also allow partners to use private addresses without concern about overlapping the CP Hotels server addresses that they need to communicate with. A BGP route reflector won't help with EBGP. It might be used for the IBGP in the Hotels Module, although the same peering would be needed (each aggregation router peered to both core-facing routers). Not using a Route Reflector has the advantage that one hotel aggregation block (Region) doesn't need to see routes to the others anyway.
The links to twin routers are needed to prevent black-holing packets if a hotel link fails. Otherwise, the summary prefix advertisement may draw packets to the router with the failed link, and it would have no good way to get them to its twin in the other Data Center with a good link to the hotel. The same might happen with EIGRP summarization.
There is no failover to Partners. Careful import of routes via BGP and BGP peering through the firewalls is one option. Another would be redistribution into OSPF and passing OSPF to the firewalls and the core-facing routers. Network statements could then advertise the Partner prefixes into the EBGP. The answer for Corporate Internet failover is to use EBGP to the ISPs or some other method (see the later Data Center module) to track connectivity, and then pass default back into the core. Static default routing is unsatisfactory for failover.
The information about 254-user subnets means we need a /24 for each role. Another way of saying that: the last 8 bits are host bits. They would be preceded by the 4 bits we need for 16 subnets. That gets us to xxxx xxxx.xxxx xxxx.xxxx ssss.hhhh hhhh, using s for subnet bits, h for host bits, and x for unknown bits. Let us use 4 bits for the Layer 3 switch. That brings us to xxxx xxxx.xxxx xxxx.rrrr ssss.hhhh hhhh, using r for router or Layer 3 switch.
Another option uses 3 bits for designating the HQ building (building in some room for growth, since management always grows). Using b for the HQ building brings us to xxxx xxxx.xxxx xbbb.rrrr ssss.hhhh hhhh. Assuming the addresses are available, we might then use 10.80-83 for the four buildings. Within each of those, we would use the third octet to indicate the Layer 3 switch (first four bits) and the role subnet relative to that switch (last four bits). All subnets would be /24s, which keeps things simple. This scheme is somewhat wasteful of address space. There are two advantages of the scheme: 1. It readily accommodates moves, adds, and changes of users. 2. It is uniform, rather than treating the four HQ buildings differently.
To allow for another year of operation at 50% growth per year, that number should be increased to 1.5 x 72 = 108 Mbps. To allow for two years of operation at 50% growth per year, the bandwidth should be 1.5 x 108 = 162 Mbps. If the bandwidth can readily be increased, then there is no good reason to incur the costs for the second year until they are close to being necessary. You should look for a service level agreement (SLA) with fast response time, fast MTTR, very high availability, very low packet loss, and low latency and jitter. The penalties for non-compliance should be commensurate with the costs of an outage. Being able to play one provider off against another ("if your service doesn't improve, we'll take all our business elsewhere") would help.
Concerning recommended practices, consider:
Creating isolation VLANs or private VLANs (PVLANs) for anti-social servers or clusters that use multicast or unknown unicast flooding
Using a firewall service module (FWSM) in selected aggregation or access switches to isolate critical / sensitive servers (financial, credit card, or medical records)
Adding intrusion prevention systems (IPS) for such zones
Deploying remote packet capture and analysis capability on SPAN ports near critical servers (NAM, Distributed Sniffer, laptop with WireShark and VNC, etc.). This makes staff much more productive than spending time lugging a capture device to the server farm, plugging it in, setting up a SPAN port (chance for error), and then capturing in a noisy and uncomfortable environment.
Figure: Server Farm Module topology. Labels: Internet; Cat6509-Core-1 and Cat6509-Core-2 (VLAN 12); Cat6513-Agg-1 and Cat6513-Agg-2; FWSM2 (VLAN 17); Cat6509-Access-1 and Cat6509-Access-2; DB Server.
A good alternative is to have the ACE do the routing instead of the MSFC, to simplify passing traffic between the different tiers of servers. That is, put the ACE logically between the MSFC and the FWSM, rather than the other way around. Firewalls are needed for the data center edge, due to the specified security requirement. One or multiple IDSM-2 modules would be attractive for IDS/IPS functionality, assuming there is room in the switch. Note about the Infinistream deployment: did you spot the slightly subtle SPAN port issue? One alternative would be to use a VACL to feed the IDSM-2 modules and the Infinistream, since multiple VLANs or ports would need to be spanned. Another approach would be to use relatively inexpensive copper or fiber taps at key points in the cabling infrastructure.
Case Study 4 Answer Key: CP Hotels Security and IPsec VPN Network
Based on the scenario, this section includes a proposed solution. According to the case study guidelines, there may be some minor variations in your solutions.
The two best options in this case appear to be GRE over IPsec or DMVPN. The rest of this answer will assume GRE over IPsec has been chosen. Each hotel would connect with two GRE tunnels, one to each data center. The data center Hotel Module access routers would use a default route to the Internet to reach hotels. This is acceptable since they would not be forwarding any traffic to the Corporate Internet Module. Hotels would use default routes to the Internet and their ISPs' routing to reach the data centers. For routing to each hotel, EIGRP is recommended. The design should make each hotel stubby, and filter all routes from the GRE tunnels except for corporate summary routes to relevant data center blocks of addresses. An alternative to filtering would be to summarize all the hotel prefixes back to the hotel, eliminating all the more-specific prefixes.
Note that each access router would need to be connected to its peer in the other data center if it advertises a summary. The EIGRP design permits summarization at the aggregation routers and decreased peering to the core. Furthermore, if point-to-point Ethernet links are used rather than a VLAN to interconnect access routers and their aggregation router, the infrastructure can filter or summarize on the point-to-point links to limit the propagation of specific prefixes. A GRE tunnel flap might affect the connected access router, which would pass the change information to its aggregation router, but the summaries or filtering would stop the change from propagating elsewhere. This design controls the routing impact of any instability in local or regional ISPs. EIGRP provides us the ability to summarize more flexibly and more thoroughly, for greater reduction of change propagation than OSPF would permit. Concerning routing, the assumption is that the Internet links are big pipes (OC-12 perhaps) terminating in a pair of routers at each data center. All these routers would do is forward the IPsec traffic to the proper access router. Note that the ISP links would have to accommodate approximately 1 Mbps x 2000 hotels = 2 Gbps, with some oversubscription and load balancing across two edge devices at each data center. For less oversubscription at higher cost, multiple OC-12 connections, or single OC-48 connections, could be used to each router. Gigabit Ethernet connections would cost less for equipment, if available. Concerning IP addressing, the existing scheme could be used. One alternative approach would be to determine the optimal number of access routers, based on IPsec and routing load on CPU under adverse conditions. For example, the 7200 VXR with VAM-2 is rated at 280 Mbps of Advanced Encryption Standard (AES) encrypted traffic. All traffic is two-way (encrypt, decrypt) so the rating is 140 Mbps of connectivity.
A conservative design would be to figure on about 70 Mbps of throughput, to leave some CPU resources for other tasks including some GRE overhead. Taking our 2 Gbps worst-case figure, 2000/70 = 29 access routers. This would fit our approach with Frame Relay, using 32 access routers, each connecting to 64 sites. Note that the number of tunnels is not close to being a problem. With this approach, the old addressing scheme could be re-used, which would simplify migration as well. Furthermore, the number of remote sites affected by any access layer problem would not be too great. Another example would be to use the VPN SPA in a Cisco 7600 Series router chassis. It is rated at up to 2.5 Gbps of AES for each SPA. Conservative design might then terminate 600 Mbps of traffic per SPA. Four 7600 chassis with one VPN SPA each, or two with two each are possible approaches. However, you should test this load in a Cisco Customer Proof-of-Concept (CPOC) lab since putting 500 routing and tunnel peers on one device would impose a very heavy routing burden under adverse conditions. It is not recommended to have 1000 dynamically routed peers on one device, even just in terms of managing risk and the impact of any downtime. With this latter approach (4 x Cisco 7600 Series routers with VPN SPA), there will be 500 hotels per regional access routers. An addressing scheme such as 10.011r rsss.ssss ssss.hhhh hhhh could be used, where r is access router, s is subnet, h is host. This reworks the prior addressing scheme by removing the area bits, since the hotels would get a summary for all of 10.96-127, 10.96.0.0 mask 255.224.0.0, rather than any smaller summaries or specific prefixes. It might be wise to allocate more values in the 3rd octet, to allow for expansion to perhaps twice as many access routers and hotels. Future expansion is possible, as successful businesses do grow.
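The bit-mapping templates used on this page (the scenario's hotel plan 10.011r raaa.aass ssss.hhhh hhhh, the Case Study 2 answer key's HQ plan xxxx xbbb.rrrr ssss.hhhh hhhh with 10.80-83, and the revised hotel plan 10.011r rsss.ssss ssss.hhhh hhhh above) all rely on contiguous bit fields, so that every field boundary is a prefix that can be summarized or filtered. The following added example is not code from the lab guide: it implements that general scheme, encoding and decoding addresses and computing the summary prefix at any field level (region, area, access router, building), which is what the aggregation routers advertise and what the hotel route filters match. The class, its method names and the choice of 10.80 for the HQ plan's unknown bits are assumptions.

```python
import ipaddress
from typing import Dict, List

# Templates from the case study, MSB first. '0'/'1' are fixed bits; a letter
# names a field (r = region or access router, a = area, s = subnet, h = host,
# b = HQ building). Dots and spaces are only for readability.
HOTEL_SCENARIO = "0000 1010.011r raaa.aass ssss.hhhh hhhh"  # 10.96-127: region/area/subnet
HOTEL_ANSWER = "0000 1010.011r rsss.ssss ssss.hhhh hhhh"    # answer key: area bits removed
HQ_BUILDINGS = "0000 1010.0101 0bbb.rrrr ssss.hhhh hhhh"    # 10.80-83 assumed: building/switch/role


class BitPlan:
    """An address plan written as a 32-bit template.

    Every field must be contiguous so that each field boundary is also a
    prefix boundary; that is the property that lets the plan be summarised
    per region, per area or per access router.
    """

    def __init__(self, template: str) -> None:
        self.bits = template.replace(".", "").replace(" ", "")
        if len(self.bits) != 32:
            raise ValueError("template must describe exactly 32 bits")
        self.fields: Dict[str, List[int]] = {}
        for pos, ch in enumerate(self.bits):
            if ch not in "01":
                self.fields.setdefault(ch, []).append(pos)
        for name, pos in self.fields.items():
            if pos != list(range(pos[0], pos[-1] + 1)):
                raise ValueError(f"field {name!r} is not contiguous")

    def width(self, name: str) -> int:
        return len(self.fields[name])

    def _check_names(self, values: Dict[str, int]) -> None:
        unknown = set(values) - set(self.fields)
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")

    def encode(self, **values: int) -> ipaddress.IPv4Address:
        """Assemble an address; fields that are not given are zero."""
        self._check_names(values)
        word = 0
        for pos, ch in enumerate(self.bits):
            if ch in "01":
                bit = int(ch)
            else:
                value = values.get(ch, 0)
                if not 0 <= value < (1 << self.width(ch)):
                    raise ValueError(f"{ch}={value} does not fit in {self.width(ch)} bits")
                bit = (value >> (self.fields[ch][-1] - pos)) & 1  # MSB of the field first
            word = (word << 1) | bit
        return ipaddress.IPv4Address(word)

    def decode(self, addr: str) -> Dict[str, int]:
        """Split an address into field values; reject addresses outside the plan."""
        word = int(ipaddress.IPv4Address(addr))
        out = {name: 0 for name in self.fields}
        for pos, ch in enumerate(self.bits):
            bit = (word >> (31 - pos)) & 1
            if ch in "01":
                if bit != int(ch):
                    raise ValueError(f"{addr} is outside this plan (bit {pos} must be {ch})")
            else:
                out[ch] = (out[ch] << 1) | bit
        return out

    def summary(self, **values: int) -> ipaddress.IPv4Network:
        """Prefix covering every address whose given fields match.

        The given fields must be the leading ones: a region summary needs r,
        an area summary needs r and a, and so on.
        """
        self._check_names(values)
        if values:
            prefix_len = max(self.fields[name][-1] for name in values) + 1
        else:  # fixed leading bits only, e.g. 10.96.0.0/11 for all hotels
            prefix_len = next((i for i, ch in enumerate(self.bits) if ch not in "01"), 32)
        for ch in self.bits[:prefix_len]:
            if ch not in "01" and ch not in values:
                raise ValueError(f"field {ch!r} must be given to summarise at /{prefix_len}")
        return ipaddress.IPv4Network((int(self.encode(**values)), prefix_len))


if __name__ == "__main__":
    hotels = BitPlan(HOTEL_SCENARIO)
    print(hotels.summary(), hotels.summary(r=0), hotels.summary(r=0, a=5))
    print(hotels.encode(r=0, a=5, s=3, h=1), hotels.decode("10.97.67.1"))
    print(BitPlan(HOTEL_ANSWER).summary(r=2), BitPlan(HQ_BUILDINGS).summary(b=2, r=7, s=4))
```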
A network audit should be used to confirm the validity of this assumption. The web DMZ is well secured with firewalls inside the Collocation Facilities. There is remote support access to the mainframe, but it is powered off when not needed. The Corporate Internet access uses firewalls. The Partner module uses firewalls to secure all partner connectivity, and only allows access to specific servers. Hotels and the hotel module do connect to the Internet. The Hotels Module Internet edge traffic could be secured with firewalls; however, only IKE and IPsec traffic is allowed into the edge routers. There may be a philosophical debate lurking here, as to exactly how and why firewalls are better than routers with access lists. The IPS units should be placed inside the external firewalls (or routers) to detect suspect or malicious traffic that makes it through the outermost level of security. A suitable number of MARS units for monitoring should be located in one or both data centers. All of this requires staffing and training to allow for the necessary level of monitoring and rules maintenance. An anomaly detection and Distributed Denial of Service (DDoS) mitigation plan is recommended for the E-Commerce site. This might be provided by either CP Hotels or by the Collocation Provider.

Internal security and governance are a growing concern. Further discussions with CP Hotels are recommended concerning firewalls or other isolation techniques to create secure server zones, protecting key servers from attack via other servers. Integrating NAC role-based subnets to allow control over which internal users can send traffic of any kind to key servers is recommended. This will prevent a generic staffer from using hacker tools to try to find and exercise a server exploit, at least on critical groups of servers.

The remaining major risk is the 2000 hotels.
With 2000 routers, each with 3 access lists (outside interface, GRE tunnel interface, office LAN interface), there is a high likelihood of error. Having a configuration auditing capability is recommended, to detect situations where the access list deviates from policy, or where an access list is not currently applied to an interface. (This does really happen!) In addition, there is the whole topic of an audit and accountability trail on access list exceptions: who granted each one, why it was needed, who is the point of contact, when the information was last verified, etc. Otherwise, access lists just get longer and longer, with many entries that nobody can explain. The exception-tracking form should be capable of emitting a list of authorized exceptions per site, to allow for some form of automated access list checking. Routing security and Control Plane Policing might also be considered for CP Hotels. These topics can be considered lower priority than the other items above.
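One way to build the configuration audit recommended above, as an added example that is not the lab guide's own code: it parses an IOS-style router config, checks that each interface has an access list applied, and compares the applied entries against a policy template plus the site's list of authorized exceptions. The sample config, the interface roles taken from the description lines, the outside address 203.0.113.10 and the policy template are all constructed assumptions.

```python
# Constructed IOS-style config for one hotel router (not from the page).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description OUTSIDE
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 description LAN
ip access-list extended OUTSIDE_IN
 permit udp any host 203.0.113.10 eq isakmp
 permit esp any host 203.0.113.10
 permit tcp any host 203.0.113.10 eq 22
"""
# Policy template keyed by interface role (read from the description line).
POLICY = {"OUTSIDE": ["permit udp any host 203.0.113.10 eq isakmp",
                      "permit esp any host 203.0.113.10"],
          "LAN": ["permit ip any any"]}

def parse(config):
    # Returns {interface: {"role", "acl"}} and {acl name: [entries]}.
    interfaces, acls, block = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            block = interfaces.setdefault(words[1], {})
        elif line.startswith("ip access-list extended "):
            block = acls.setdefault(words[3], [])
        elif not words or not line.startswith(" "):
            block = None                # "!" or another top-level command
        elif isinstance(block, list):
            block.append(line.strip())  # an ACL entry
        elif block is not None and words[0] == "description":
            block["role"] = words[1]
        elif block is not None and words[:2] == ["ip", "access-group"]:
            block["acl"] = words[2]
    return interfaces, acls

def audit(config, exceptions=()):
    # Findings: no ACL applied, entries outside policy and the site's
    # authorized exceptions, and policy entries that are missing.
    interfaces, acls = parse(config)
    findings = []
    for name, data in interfaces.items():
        role, policy = data.get("role", "?"), POLICY.get(data.get("role"), [])
        if "acl" not in data:
            findings.append(f"{name} ({role}): no access list applied")
            continue
        entries = acls.get(data["acl"], [])
        findings += [f"{name} ({role}): unauthorized entry '{e}'"
                     for e in entries if e not in policy and e not in exceptions]
        findings += [f"{name} ({role}): missing policy entry '{e}'"
                     for e in policy if e not in entries]
    return findings
```

Run against a site's exported config, the findings list is empty when every interface carries exactly the policy entries plus that site's recorded exceptions.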
Concerning the Call Centers, there is the separate consideration of voice security, e.g. preventing outsiders from placing international calls, etc. In addition, if IP Telephony is present, the voice VLANs and Cisco Unified Call Managers should be secured and protected from the data parts of the network. Access lists and QoS are the tools for mitigating internal VoIP / IPT security risks.
Note: This is a brief treatment of security considerations. In a production environment, more attention should be applied to the Call Center security. Similar real world consulting work might lead to 50 pages of specifics as well as the general principles listed above.
Concerning the data center, the 200 image servers might be connected with Gbps EtherChannel or with 10 Gbps Ethernet links. At one 10 Gbps link each, three to four Cisco Catalyst 6500 Series switches would be needed to aggregate the connections. With dual-homing, that number would need to be doubled. These switches should probably use multiple 10 Gbps EtherChannel uplinks. For the 2000 blade servers, the design supports one pair of Gbps connections each. If these are copper connections, they can be connected to 48 port blades. That would require about eight Cisco Catalyst 6500 Series switches, with sixteen switches for dual-homing the servers. In some research environments, servers are singly homed, since despite some desire for high availability, the impact of losing a server switch is fairly low: computations need to wait for the blade or chassis to be repaired or replaced. Similarly, the impact of losing a single server NIC or link is very low: the workload is just allocated to other servers.
That means the data center has either 4 + 8 = 12 access switches, or 24 with dual-homing. Using 10 Gbps uplinks for the blade server switches, and two link or four link 10 Gbps EtherChannel uplinks for the medical image servers, there are 16 or 24 10 Gbps uplinks for the singly-homed server approach, and double that for dual-homed servers. A pair of data center aggregation switches can cover that. For data center expansion, the above scheme can be replicated. Whether a data center core is needed is debatable. Initially, the aggregation switches might connect to the building core switches. With more buildings, that is not appropriate, but connecting to campus core switches might be.
It is open to debate which switches are Layer 2 and which are Layer 3, per the Campus module. The buildings might have Layer 3 at the access layer, and the data center might be Layer 2 at the access layer.
DS-MRI would also need to identify tools that are:
- Cost-effective
- Able to scale to the desired size
- Reasonably easy to manage and use
- Capable of producing good reports with the desired information