The challenge for the campus architect is determining how to implement a design that meets this wide variety of requirements, the need for various levels of mobility, the need for a cost-effective and flexible operations environment, while being able to provide the appropriate balance of security and availability expected in more traditional, fixed-configuration environments. An example of this is configuring the UniDirectional Link Detection (UDLD) protocol, which uses a Layer-2 keep-alive to test that the switch-to-switch links are connected and operating correctly and acts as a backup to the native Layer-1 unidirectional link detection capabilities provided by the 802.3z and 802.3ae standards. When enabled, it can solve multiple problems—such as preventing certain man-in-the-middle and DoS flooding attacks, as well as mitigating Layer-2 (spanning tree) loops involving the access ports. First, the infrastructure must be protected from intentional or accidental attack—ensuring the availability of the network and network services. In the software world, it is no longer sufficient for programs to merely generate the correct output given the correct input. The detailed design guidance for the routed access distribution block design can be found in the campus section of the CCO SRND site, http://www.cisco.com/go/srnd. Table 1 lists examples of the types of services and capabilities that need to be defined and supported in the access layer of the network. Prior to making a final design decision, review the detailed design descriptions provided by Cisco to ensure that all of the factors pertinent to your environment are considered. Similarly, a failure in one part of the campus quite often affected the entire campus network. I want to design campus SDN switching and also a complete SDN network in a campus or enterprise. Enterprise campus: modularity.
The calculations for the system MTBF are based on the probability that one switch in a non-redundant (serial) network breaks (Figure 15), or both switches in a redundant (parallel) design break (Figure 16). Evolutionary changes are occurring within the campus architecture. Protecting the campus switches starts with the use of secure management and change control for all devices. Figure 13 Examples of Campus Resiliency Features. Network and device level redundancy, along with the necessary software control mechanisms, guarantee controlled and fast recovery of all data flows following any network failure—while concurrently providing the ability to proactively manage the non-stop infrastructure. Just as with a VLAN-based network using 802.1q trunks to extend the VLAN between switches, a VRF-based design uses 802.1q trunks, GRE tunnels, or MPLS tags to extend and tie the VRFs together. Once a specific traffic flow is determined to fall into this category, all of its packets are marked with DSCP value CS1 to indicate that they are classified as scavenger traffic. Note For more details on the use of Scavenger QoS and the overall campus QoS design, see the campus QoS design chapter of the Enterprise QoS Solution Reference Network Design Guide Version 3.3, which can be found on the CCO SRND site, http://www.cisco.com/go/srnd. Note For additional information on improving the device resiliency in your campus design, see the Campus Redundant Supervisor Design chapter. The order or manner in which all of these things are tied together to form a cohesive whole is determined by the use of a baseline set of design principles which, when applied correctly, provide for a solid foundation and a framework in which the upper layer services can be efficiently deployed. However, physical distribution segments might be floors, racks, and so on.
While all vendors extensively test and certify that equipment is working correctly before it is shipped to a customer, many things can happen to a piece of equipment before it is finally installed into the production network. However, it is the flexibility that VLANs offer that has had the largest impact on campus designs. Protecting the control plane involves both hardening the system CPU from overload conditions and securing the control plane protocols. While this policer-based approach has proven to work well and is still valid for certain environments, the increasingly complex list of applications that share port numbers and applications that might be hijacking other applications' trusted port ranges requires that we consider a more sophisticated approach. The approach taken in the ESE campus design guide to solving both the problem of ensuring five nines of availability and providing for the recovery times required by a Unified Communications-enabled campus is based on approaching the high-availability service problem from three perspectives: This approach is based on an analysis of the major contributing factors of network downtime (as illustrated in Figure 20) and by using the principles of hierarchy, resiliency, and modularity—combined with the capabilities of the Cisco Catalyst switching family to define a set of design recommendations. As a Layer-2 virtualization technique, VLANs are bound by the rules of Layer-2 network design. How long will someone listen to the phone if they do not hear anything? Each VRF has its own Layer-3 forwarding table. By implementing an explicit rule that enforces that expected behavior, the network design achieves a higher degree of overall resiliency by preventing all of the potential problems that could happen if thousands of MAC addresses suddenly appeared on an edge port.
One of the central objectives for any campus design is to ensure that the network recovers intelligently from any failure event. Its third role is to provide the aggregation, policy control and isolation demarcation point between the campus distribution building block and the rest of the network. A small campus network or large branch network is defined as a network of fewer than 200 end devices, where the network servers and workstations might be physically connected to the same wiring closet. The second, and equally important, driver to convergence is the business advantage gained when previously isolated business processes can be more tightly integrated. A full discussion of network management and a comprehensive examination of each of these areas is outside of the scope of this document; however, understanding the principles of campus design and switch capabilities within the overall management framework is essential. However, it is not the only difference. In the later sections of this document, an overview of each of these services and a description of how they interoperate in a campus network is discussed. It is no longer necessary to configure an HSRP or GLBP virtual gateway address, as the router interfaces for all the VLANs are now local. It is still recommended that, in campus environments leveraging the CSA and Vista marking capabilities, the network itself be designed to provide the appropriate traffic identification and policing controls. It introduces the key architectural components and services that are necessary to deploy a highly available, secure, and service-rich campus … The ability to fill lost phonetic information in a conversation and the threshold for what period of time constitutes a pause in speech—signalling it is someone else's turn to talk—are much longer than what the human ear can detect as lost sound. Large campus networks strictly follow Cisco best practices for design.
Network changes, upgrades, or the introduction of new services can be made in a controlled and staged fashion, allowing greater flexibility in the maintenance and operation of the campus network. See Figure 28. It might span a single floor, building or even a large group of buildings spread over an extended geographic area. The core layer simplifies the organization of network device interconnections. The data center design as part of the enterprise network is based on a layered approach to improve scalability, performance, flexibility, resiliency, and maintenance. See Figure 22. When we know that the alternative path for any traffic flow will follow the same hierarchical pattern as the original path, we can avoid making certain design decisions—such as ensuring the access layer can support extra traffic loads. The ability to locate a device to aid in problem resolution is more critical when the device has the ability to roam throughout the network with no associated change control process. It is the place where end devices (PCs, printers, cameras, and the like) attach to the wired portion of the campus network. •How fast must the network converge and restore data flows before someone hangs up on an active conversation due to dead air? All of the access switches are configured to run in Layer-2 forwarding mode and the distribution switches are configured to run both Layer-2 and Layer-3 forwarding. The question of when a separate physical core is necessary depends on multiple factors. There are two general security considerations when designing a campus network infrastructure. This document will become Chapter 1 of the overall design guide when the remaining chapters are completed. While the human ear can detect loss of sound in streaming audio down to 50 msec or less, the average interval that proves disruptive to a conversation is closer to 200 msec.
While a complete configuration description of each access-distribution block model can be found within the detailed design documents, the following provides a short description of each design option. A five nines network, which has been considered the hallmark of excellent enterprise network design for many years, allows for up to five (5) minutes of outage or downtime per year. Cisco Enterprise Network Architecture: In this article we will discuss the overview of enterprise campus design and also learn the Cisco enterprise composite network model. A campus network is usually composed of multiple devices, switches, and the probability of the network failing (MTBF) is calculated based on the MTBF of each device and whether or not they are redundant. Just as importantly, the ability to provide business efficiencies by being able to seamlessly move a device between wired and wireless environments and to provide for collaboration and common services between devices independent of the underlying physical access connectivity type is a key requirement for this next phase of converged design. •Traffic Management and Control Flexibility—Unified communications, collaborative business approaches, and software models continue to evolve—along with a trend toward increased growth in peer-to-peer traffic flows. •The growth in peer-to-peer traffic and the overloading of well-known ports with multiple application and traffic types have added another set of challenges. This course serves as a deep dive into enterprise network design and expands on the topics covered in the Implementing and Operating Cisco Enterprise Network Core Technologies (ENCOR) v1.0 course. The decision to trust or not trust the endpoint's traffic is binary; either the traffic is from the phone and trusted or from any other device and not trusted.
The growing threat of bots is just the latest in a long line of endpoint vulnerabilities that can threaten the enterprise business. In the best practice multi-tier and routed access design, each access switch is configured with unique voice, data, and any other required VLANs. Leveraging common authentication backend systems, desktop clients, common security services, and the like—along with the use of common support processes—can result in a more efficient and effective operational environment. The aggregation layer supports integrated service modules providing services such as security, load balancing, content switching, firewall, SSL offload, intrusion detection, and network analysis. The enterprise campus network has evolved over the last 20 years to become a key element in this business computing and communication infrastructure. The ability to detect and appropriately mark specific application flows at the edge of the network provides for a more granular and accurate QoS trust boundary. •Collaboration and real-time communication application use is growing. If you are trying to break a piece of software that accepts a range of input of values from one to ten, you try giving it inputs of ten thousand, ten million, and so on to determine when and how it will break. ERSPAN is the preferred solution because it allows for the spanned traffic to be carried over multiple Layer-3 hops allowing for the consolidation of traffic analysis tools in fewer locations. The enterprise campus architecture divides the enterprise network into physical, logical, and functional areas. The other alternative—the V or loop-free design—follows the current best practice guidance for the multi-tier design and defines unique VLANs for each access switch. 
While the use of the AutoSecure feature can greatly ease the process of protecting all the devices in the network, it is recommended that a network security policy be developed and that a regular audit process be implemented to ensure the compliance of all network devices. Devices remain in service longer and the percentage of overall cost associated with the long-term operation of each device is growing relative to its original capital cost. Key areas to consider include the following: •Control Plane Flexibility—The ability to support and allow migration between multiple routing, spanning tree, and other control protocols. The distribution layer performs tasks such as controlled-routing decision making and filtering to implement policy-based connectivity and QoS. Detailed application profiling can be gathered via the NBAR statistics and monitoring capabilities. In campus design we may have multiple buildings and we have to deal with Layer-3 and Layer-2 switching in the access and distribution layers to build a switching topology. A critical factor for the successful implementation of any campus network design is to follow good structured engineering guidelines. Recent enhancements to this dynamic negotiation process—requiring that a phone negotiate both the correct PoE and CDP parameters before being assigned to the voice VLAN—provide a higher degree of trust and security to this dynamic negotiation process. The services block is a relatively new element to the campus design. Having a summarized view of the connectivity and control plane within the access-distribution block allows the core and the remainder of the network to be managed and changed without constantly considering the specific internal details of the access-distribution block. The remainder of this campus design overview and related documents will leverage a common set of engineering and architectural principles: hierarchy, modularity, resiliency, and flexibility.
What services should it provide to end users and devices? The distribution layer in the campus design has a unique role in that it acts as a services and control boundary between the access and the core. From a network operations perspective, achieving a maximum of five minutes of downtime over the year is a significant goal. Four distribution modules impose eight interior gateway protocol (IGP) neighbors on each distribution switch. The function of the distribution layer is discussed in more detail in the description of the access-distribution block and the associated design sections. Web 2.0, collaborative applications, mash-ups, and the like are all reflective of a set of business and technology changes that are changing the requirements of our networking systems. These principles are intended to be a complementary part of the overall structured modular design approach to the campus architecture and primarily serve to reinforce good resilient design practices. The ability to reliably guarantee delivery of multicast data is dependent on the ability of the network to prevent packet drops. Describe Layer 2 design considerations for Enterprise Campus networks. It is also intended to serve as a guide to direct readers to more specific campus design best practices and configuration examples for each of the specific design options. •Reduce the probability of a flooding event through the reduction in the scope of the Layer-2 topology and the use of the spanning tree toolkit features to harden the spanning tree design. When applied to a building, the Cisco Campus Architecture naturally divides networks into the building access, building distribution, and building core layers, as follows: Enabling classification, marking, and policing capabilities at the access or edge of the network establishes a QoS trust boundary.
There are a number of key areas where it is highly probable that networks will evolve over the next few years, and existing designs should be adapted to incorporate the appropriate degree of flexibility to accommodate these potential changes. The core devices must be able to implement scalable protocols and technologies, alternative paths, and load balancing. The preferred AAA methods are RADIUS or TACACS+; these should be configured to support command authorization and full accounting. The enterprise campus architecture can be applied at the campus scale, or at the building scale, to allow flexibility in network design and facilitate ease of implementation and troubleshooting. Security, QoS, and availability design overlap here as we need to use QoS tools to address a potential security problem that is directly aimed at the availability of the network. The introduction of Virtual LANs (VLANs) provided the first virtualization capabilities in the campus. Both access and core are essentially dedicated special purpose layers. LLDP and LLDP-MED complement and overlap the functionality provided by CDP, but with a number of differences. Increases in the volume of application traffic—or the detection of new application traffic patterns that might require network upgrade or design changes—can be tracked via NetFlow. For any enterprise business involved in the design and operation of a campus network, the adoption of an integrated approach based on … Load balancing of traffic and recovery from uplink failure now leverage EtherChannel capabilities. Both of these mechanisms provide for a hot active backup for the switching fabric and control plane—ensuring that both data forwarding and the network control plane (featuring protocols such as EIGRP, OSPF, and STP) seamlessly recover (sub-second traffic loss) during any form of software or supervisor hardware crash. See Figure 19.
It is useful to complement distributed tools with traffic spanning capabilities (the ability to send a copy of a packet from one place in the network to another to allow a physically remote tool to examine the packet). Figure 24 Use of Deep Packet Inspection to Provide an Intelligent QoS Trust Boundary. It serves as the aggregator for all of the other campus blocks and ties together the campus with the rest of the network. What are the expectations and parameters of those services? The core must provide a high level of redundancy and adapt to changes quickly. Two primary mechanisms exist to upgrade software in place in the campus: •Full-image In-Service Software Upgrade (ISSU) on the Cisco Catalyst 4500 leverages dual supervisors to allow for a full, in-place Cisco IOS upgrade. Many of the campus security features have already been discussed in some form in the various preceding sections. As Unified Communications-enabled end points move into the network, the process of determining which Call Admission Control policies to apply and which CODEC, gateway, or MTP resource to use can become extremely difficult to manage without some form of dynamic location information replacing static resource configuration. Traffic is load-balanced per flow, rather than per client or per subnet. Device resiliency, as with network resiliency, is achieved through a combination of the appropriate level of physical redundancy, device hardening, and supporting software features. Figure 7 Two Major Variations of the Multi-Tier Distribution Block. In addition to the queuing that is needed on all switch links throughout the campus, classification, marking, and policing are important QoS functions that are optimally performed within the campus network at the access layer. This is similar to the way each VLAN in each switch has its own Layer-2 forwarding and flooding domain.
This document is the first part of an overall systems design guide that addresses enterprise campus architectures using the latest advanced services technologies from Cisco and is based on best-practice design principles that have been tested in an enterprise systems environment. It is important to note that while the tiers do have specific roles in the design, there are no absolute rules for how a campus network is physically built. Spanning tree should remain configured as a backup resiliency mechanism. Failures will still occur, however, and having the capabilities in place to detect and react to failures, as well as to provide enough information to conduct a post-mortem analysis of problems, is a necessary aspect of sound operational processes.