Search This Blog

Thursday, February 21, 2013

CCDA Notes: WAN Technology

WAN Technology

When designing a WAN solution, the requirements typically stem from two goals:
  • Service Level Agreement (SLA): This agreement defines the availability of the network, based on what level of availability, downtime and impact are acceptable to the organization.
  • Cost and Usage: Consider the budget, expected utilization and usage requirements
Three objectives of effective WAN solution design:
  1. WAN must support policies and goals of the organization
  2. WAN technology selected must meet application requirements as well as future growth
  3. The proposed design must be within the budget allocated
The WAN interfaces with the Enterprise Edge module. There can be multiple connections, commonly used connectivity modules include Internet, DMZ, and site-to-site circuits. ISPs offer many options for Internet and DMZ connectivity as well as inter-site connectivity such as MPLS VPN/WAN. Alternative connection options include DSL/cable with IPSEC VPN.

WAN technology can be point-to-point or point-to-multipoint, such as MPLS or Frame Relay. Public WAN connections over the Internet such as cable/DSL are available as well. Usually Internet connections have a much lower SLA than MPLS/Frame Relay connections.

WAN Transport Technology

When choosing which WAN technology to implement, consideration must be taken for whether public Internet transport or private WAN connections are required. Geography also plays a role in what WAN technologies are available in a given area. Major cities have many options, while rural areas typically have few. Here are some WAN technologies compared/contrasted in terms of bandwidth, reliability, latency and cost:

ISDN: Low bandwidth, medium reliability, medium latency, low cost
DSL: Low/medium bandwidth, low reliability, medium latency, low cost
Cable: Low/medium bandwidth, low reliability, medium latency, low cost
Wireless: Low/medium bandwidth, low reliability, medium latency, medium cost
Frame Relay: Low/medium bandwidth, medium reliability, low latency, medium cost
TDM: Medium bandwidth, high reliability, low latency, medium cost
Metro Ethernet: Medium/high bandwidth, high reliability, low latency, medium cost
SONET/SDH: High bandwidth, high reliability, low latency, high cost
MPLS: High bandwidth, high reliability, low latency, high cost
Dark Fiber: High bandwidth, high reliability, low latency, high cost
DWDM: High bandwidth, high reliability, low latency, high cost

Above technologies explained below:


Integrated Services Digital Network was standardized in the early 1980's. It's an all-digital phone line that carries voice and data. It comes in two flavors: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).


BRI consists of two B channels and one D channel. Both BRI channels operate at 64kbps and carry data. D channel handles signaling/control info and operates at 16kbps. 48kbps is used for synchronization, totalling 192kbps data rate.


PRI consists of 23 B channels and 1 D channel in North America/Japan. Each channel operates at 64kbps, totalling 1.544 Mbps including the overhead. In Europe/Australia the service has 30 B channels and 1 64 kbps D channel.

Digital Subscriber Line (DSL)

DSL provides high speed Internet over plain old copper telephone cable using frequencies not utilized in normal voice calls.

ADSL is the most popular flavor of DSL and most widely available. The upstream/downstream is asymmetric, usually upstream is much slower than downstream. ADSL's main drawback is that it must be deployed geographically close to a digital subscriber line access multiplexer (DSLAM), typically less than 2 km. With DSL, the customer premise equipment (CPE) generally means a DSL modem and PC. An ADSL circuit consists of twisted-pair telephone line containing three info channels:
  • Medium-speed downstream channel
  • Low-speed upstream channel
  • Basic telephone service channel
DSL splitters separate the voice and data traffic. Since DSL crosses the public Internet it is suggested to use DSL in conjunction with VPN to connect to the corporate network.



Sunday, February 17, 2013

CCDA Notes: Wireless LAN Design (Mobility and WLAN Design Best Practice)

WLAN Mobility

AP Controller Equipment Scaling

Cisco provides different solutions for supporting differing numbers of APs within an enterprise. Standalone WLCs, modules for Integrated Services Routers (ISR), and modules for 6500 switches. Below is listed different WLC types, followed by the number of supported APs that can be associated:
  • 2100 series WLC: 25
  • WLC for ISR: 25
  • Catalyst 3750 Integrated WLC: 50
  • 4400 series WLC: 100
  • 6500/6700 series WLC module: 300
  • 5500 series WLC: 500

To scale beyond the default 48 supported APs on a Cisco WLC:
  1. Use multiple AP interfaces: This option only works on 4400 series WLCs
  2. Use link aggregation (LAG): This option works on 5500 and 4400 series WLC, and is the default operation on Catalyst 3750 Integrated WLCs and Catalyst 6500 WiSM

The largest limitation of LAG is that only one may exist per WLC, so if a LAG exists all physical ports are members. This means the WLC can only be connected to one neighboring device.

 Roaming and Mobility Groups

Roaming occurs when users move from one AP association to another, this may occur as a user moves around. This must be seamless to the end user, and can be intercontroller, or intracontroller.

Intracontroller Roaming

This occurs when a user moves between APs that are both associated with the same WLC. The WLC updates its client database with the new AP association and does not change the client's IP address. If required, a client is reauthenticated when changing AP associations and a new security association is created.

Layer 2 Intercontroller Roaming

This occurs when a user moves between two APs that are associated to different WLCs, but both WLCs are part of the same subnet. When this sort of roaming occurs, the WLC passes its client database to the other WLC, and no IP address change happens for the client. If required the client is reauthenticated and a new security association is created.

Layer 3 Intercontroller Roaming

This occurs when a client moves between APs associated to WLCs that are on different subnets. When the client moves its association, the new WLC and the previous WLC exchange mobility messages. The client database is not moved to the new WLC, instead the first WLC marks the client as an 'anchor' entry and the new WLC marks the client as a 'foreign' entry. The wireless client's IP address is preserved and, if required, the client reauthenticates and gets a new security association. From then on, traffic is routed asymmetrically. Traffic from the client is forwarded to the wired network by the new WLC, but traffic that is destined for the client is forwarded from the wired network to the original WLC.  The original WLC then forwards that traffic to the new WLC via Ether-in-IP tunneling, which is then sent from the new WLC to the client.

Mobility Groups

Mobility groups allow WLCs to peer with each other to allow roaming across the controller's boundaries, AP load balancing and redundancy. When WLCs are placed into the same mobility group, they will exchange mobility messages and the EtherIP tunneling is possible when roaming occurs. For this reason WLCs that are meant to be redundant and allow roaming should be placed into the same mobility groups.

Up to 24 WLCs can be placed into a mobility group, and what devices are in the group determine how many APs can be supported. WLCs can also be configured with mobility lists, which are lists of which WLCs belong to which mobility groups. If a WLC has this list, clients can roam between mobility groups so long as mobility lists are configured on the WLCs. Mobility lists can support 48 mobility groups with Release 5.0, or 72 lists with Release 5.1 or later

WLCs use UDP port 16666 for unencrypted messages and UDP 166667 for encrypted messages. APs learn the IPs of other members of the mobility group when joining via CAPWAP

Cisco best practice is to minimize intercontroller roaming, and if needed, Layer 2 intercontroller roaming is preferred as it is far more efficient. Total round-trip travel time between controllers should be under 10ms. Proactive key caching (PKC) or Cisco Compatible Extensions (CCKM) Version 4 is recommended to speed/secure roaming.

WLAN Design Best Practice

Controller Redundancy: Dynamic or Deterministic

Deterministic redundancy is best practice and requires APs to be configured with a primary/secondary/tertiary controller preference. This requires more front-end work, but allows for deterministic failover and predictability. Deterministic advantages include:
  • Predictability
  • Network scalability
  • Flexible/powerful redundancy options
  • Faster failover
  • Deterministic fallback

Dynamic redundancy uses CAPWAP to load balance APs across WLCs, by populating each AP with a backup WLC. This solution works best when all WLCs are located centrally since it is dynamic. Dynamic advantages include:
  • Easier configuration
  • Dynamic AP load balancing

Unpredictable operation and longer failover occurs with dynamic redundancy, as well as a lack of other options for failover.

N+1 WLC Redundancy

With this redundancy option, a single WLC is configured as a backup for multiple WLCs. This could cause the backup to become oversubscribed.

N+N WLC Redundancy

With this redundancy option, an equal number of backup WLCs are configured. A pair of WLCs on one floor may be configured as backup WLCs for another floor, and vice versa. There needs to be enough capacity to allow for failover if needed (no more than 50% capacity used).

N+N+1 WLC Redundancy

With this redundancy option, an equal number of controllers are configured as backups for each other (as above), and a tertiary backup WLC is configured as well. This tertiary controller backs up the secondary controllers, usually placed in the data center or NOC

Radio Management/Radio Groups

Due to the ISM limit on available frequencies for 802.11b/g/n there is a limit on what non-overlapping channels can be used (1, 6, 11). Best practice for APs is to limit the number of data devices attached to a single AP to 20, or 7 concurrent Voice over WLAN (VoWLAN) calls using G.711 codec, or 8 concurrent VoWLAN calls using G.729.

As user population grows on the WLAN additional APs should be added to maintain the ratio. Cisco Radio Resource Management (RRM) manages AP RF channels/power configuration to minimize interference. WLCs use RRM algorithm to automatically optimize and self-heal the radio frequencies using these functions:
  • Radio Resource Monitor: LWAPs monitor all radio channels and monitor for rogue APs, clients and interfering APs
  • Dynamic Channel Assignment: WLCs automatically manage channels for APs to avoid interference
  • Interference Detection/Avoidance: Interference is detected by a predefined threshold (10% default)
  • Dynamic Transmit Power Control: WLCs automatically adjust broadcast power of APs
  • Coverage Hole Detection/Correction: WLCs can adjust AP power output if clients report low signals
  • Client/Network Load Balancing: Clients can be influenced to connect to certain APs to load balance

WLCs can use RRM to raise power levels and channels of APs to compensate for lost/downed APs.

RF Groups

RF groups are clusters of WLCs that coordinate their RRM calculations. When the WLCs join the group, the RRM calculation expands to include the WLCs joined. APs send neighbor messages to each other, and if the message is above -80dBm the controllers form an RF group. WLCs elect a leader to analyze the RF data and make RRM decisions. The leader exchanges messages among RF group members on UDP port 12114 for 802.b/g/n, and UDP port 12115 for 802.11a.

How RF groups form:
  1. APs send out neighbor messages looking for other APs, which includes an encrypted shared secret key that is preconfigured on trusted WLCs
  2. Messages with the same secret key are validated and trusted. These messages must be transmitted above -80dBm to form the group.
  3. Members of the formed RF group elect a leader to analyze and push a master power/channel scheme for the group. The leader receives realtime data about the WLAN to make this calculation

RF Site Survey

Site surveys are done similarly to surveys for wired network design. The RF site survey identifies customer requirements and coverage needed as well as check for interference. The site survey should consist of the following steps:
  1. Define customer requirements, what applications are needed (such as VOIP) and what types of devices need to be supported as well as where these wireless devices will be located
  2. Obtain a facility diagram to identify RF interference/dead zones
  3. Visually inspect the facility to identify barriers to wireless signal like elevator shafts and stairwells
  4. Identify areas intensively used as well as areas that are not used often
  5. Determine preliminary AP locations, power placement, wired network access, channel selection, mounting locations, antennas
  6. Use an AP to survey locations and the received RF strength based on targeted AP placement
  7. Document findings by recording locations, signal readings, data rates at the outer areas of coverage. The report includes:
  • Detailed customer requirements, diagram AP coverage
  • Parts list including antennas, accessories, network components
  • Tools/methods used for site survey

Ethernet over IP Tunnels for Guest Services

Basic guest access entails separating guest SSID/vlan from the corporate network, broadcasting guest access but not corporate. Another solution involves EoIP to tunnel the guest traffic from the AP to the an anchor WLC. When guests access the guest APs, their connections are automatically tunneled to the specified anchor WLC for guest access. This keeps guest traffic logically separated from the corporate network without the need to run extra vlans.

Wireless Mesh in Outdoor Wireless

Wireless Mesh Components:
  • Wireless Control System (WCS): Wireless mesh SNMP management system allows network-wide configuration/management
  • WLAN Controller (WLC): Links the meshed APs to the wired network, manages security, mitigates radio interference, etc
  • Rooftop AP(RAP): Connects the mesh to the wired network, serves as root. Communicates with MAPs, typically located on rooftops/towers
  • Mesh Access Point(MAP): AP that provides access to wireless clients, communicating with RAPs for wired network connection. Usually located on a lamppost or other pole.

Mesh Design Recommendations

  • Less than 10ms latency per hop, 2-3ms preferred
  • Four or fewer hops are recommended for outdoor deployment though eight are supported
  • For indoor deployment one hop is supported
  • Best performance occurs when no more than 20 MAPs are used per RAP, though 32 are supported
  • Throughput: One hop = 14Mbps, two hops = 7 Mbps, three hops = 3 Mbps, four hops = 1 Mbps

Campus Design Considerations

  • Number of APs: Should be enough APs to provide full coverage for wireless clients for the expected access locations. 20 data devices per AP, and 7 G.711 concurrent or 8 G.729 concurrent VoWLAN calls.
  • AP Placement: APs should be placed in a centralized location of the expected access area, and placed in conference rooms to accommodate peak requirements
  • AP Power: Traditional wall power can be used, or Power over Ethernet (PoE)
  • Number of WLCs: The number of WLCs depends on the redundancy strategy and number of required APs
  • WLC Placement: WLCs are placed in secured wiring closets or the data center. Intercontroller roaming should be minimized, and deterministic redundancy is recommended

Branch Design Considerations

Branch offices may not need a WLC installed depending on how many APs are needed. If a WLC is not installed at the branch office, the round-trip time between APs and the WLC should not exceed 300ms. REAP or Hybrid REAP (H-REAP) should be used.

Local MAC: CAPWAP supports local media access control for branch deployments. In this deployment, the AP provides MAC management support for associations, terminating traffic at the AP instead of a WLC. This allows local access without requiring traffic to travel all the way to a central office WLC, and to continue functioning if the connection to the central office is lost.

REAP: REAP supports branch offices by extending LWAPP control timers. Control traffic is still encapsulated over an LWAPP tunnel over the WAN to a WLC, but local traffic is bridged. In this way the clients still have access to local resources if the WAN fails. REAP devices only support Layer 2 security policy, do not support NAT and need a routable IP address.

Hybrid REAP: H-REAP enhances REAP by providing additional capabilities like NAT and the ability to control three APs remotely. APs connect to WLC over WAN and use two security modes:
  1. Standalone: H-REAP authenticates clients when the WLC can't be reached. WPA-PSK and WPA2-PSK are supported.
  2. Connected: The AP uses the WLC for client authentication. H-REAP supports WPA-PDK, WPA2-PSK, VPN, L2TP, EAP and web authentication

H-REAP round-trip time must not exceed 300ms and CAPWAP must be prioritized traffic.

Branch Office Controllers

  1. Cisco 2100 series
  2. Cisco 4402-12/4402-24
  3. WLC Module in Integrated Services Router
  4. 3750 with WLAN controller

WLAN Design Summary

  • RF site survey will determine RF characteristics and AP placement
  • Guest services are supported using EoIP in the Cisco Unified Wireless Network
  • Outdoor wireless is supported using outdoor APs and mesh networking APs
  • Campus WLAN design provides wireless coverage using LWAPs managed by WLCs
  • Branch WLAN design deals with wireless access management at remote sites using REAP or H-REAP
  • Each AP should be limited to 20 data devices
  • Separate SSIDs should be used for voice, and APs should not have more than 7 concurrent calls using G.711 codec, or 8 using G.729 codec

UDP Ports Used by Wireless

LWAPP Control: 12223
LWAPP Data: 12222
WLC Exchange Messages (unencrypted): 16666
WLC Exchange Messages (encrypted): 16667
RF 802.11b/g/n: 12114
RF 802.11a: 12115
CAPWAP Control: 5246
CAPWAP Data: 5247

Saturday, February 16, 2013

CCDA Notes: Wireless LAN Design (WLAN Standards and WLCs)

Wireless LAN Design

WLAN Standards

First standard for WLAN was established by IEEE, 802.11, ratified in 1997. Originally implemented at speeds of 1-2 MBPS using direct sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS) at the Physical Layer of OSI model. DSSS separates data into sections which is transmitted over different frequencies at the same time, while FHSS uses frequency-hopping to send data in bursts, transmitting part of the data on channel 1, then hopping to channel 2 for the next part, then back to channel 1.

802.11b was announced in 1999 which provided 11MBPS data rate, using 11 channels of the Industrial, Scientific and Medical (ISM) frequencies. 802.1b uses DSSS and is backwards compatible with other 802.11 systems which use DSSS.

802.11a was approved as a second standard in 1999, providing 54MBPS data rate but being incompatible with 802.11b. 802.11a uses 13 channels of Unlicensed National Information Infrastructure (UNII) frequencies and is incompatible with 802.11b/g.

802.11g was approved in 2003 which used ISM frequencies and provided 54 MBPS data rate. 802.11g was also backwards-compatible with 802.11b.

802.11n standard was ratified in 2009. It uses multiple-input multiple-output (MIMO) antennas and expected max data rate of 600 MBPS using 4 streams, each with 40-MHz width. Uses DSSS and orthogonal frequency-division multiplexing (OFDM) as the digital carrier modulation method, 802.11n uses both 2.4-GHz and 5-GHz bands.

ISM and UNII Frequencies

802.11b/g uses 2.4-GHz range of frequencies as set in ISM, with overlapping channels that are 22MHz wide. Common non-overlapping channels used are 1, 6 and 11 to prevent interference.

UNII has three ranges:
  1. 5.15 GHz - 5.25 GHz, and 5.25 GHz - 5.35 GHz
  2. 5.47 GHz - 5.725 GHz. Used by High Performance Radio LAN in Europe
  3. 5.725 GHz - 5.875 GHz. This range overlaps ISM
802.11a has 12 non-overlapping channels.

Service Set Identifier

WLANs use an SSID to identify WLAN network name. SSIDs can be 2 to 32 characters, and all devices in WLAN must use the same SSID to communicate. This acts very much like a vlan in a wired network. The main difficulty in large networks is configuring SSID, frequency and power settings for remotely located access points. Cisco use Wireless Control System (UCS).

WLAN Layer 2 Access

802.11 media layer access control uses Carrier Sense Multiple Access Collision Avoidance (CSMA/CA) as the access method. Each WLAN station listens for other stations transmitting, and then transmits if no other traffic is detected on the radio frequency. Of course, with a centrally located access point it is entirely possible to have stations unable to detect each other, whereas on a wired network the collision would be detected by all participants on the network segment. If the AP does not receive the transmission, the station backs off a random amount of time before trying again.

WLAN Security

Because of wireless signals proliferation and ease of eavesdropping on signal, wireless security has its own set of challenges. Several standards were created to address wireless security concerns. The first was Wireless Equivalent Privacy (WEP) which was used in the 802.11b standard. This method used a short preshared key to encrypt traffic and was easily cracked. In 2004, the 802.11i standard was created to provide additional security for WLAN networks. This standard is also known as Wireless Protected Access 2 (WPA2) and Robust Security Network (RSN). 802.11 contains the following:
  • 4-Way Handshake and Group Key Handshake, both using 802.1x for authentication (using Extensible Authentication Protocol and an authentication server)
  • Robust Security Network for establishment and tracking of robust security associations
  • Advanced Encryption Standard (AES) for confidentiality, integrity, and origin authentication

Unauthorized Access

Wireless signals are difficult to control and contain. Because wireless signal may extend beyond the physical boundaries, attackers may be able to gain access to the network. If the wireless network does not have a mechanism to compare wireless card MAC addresses of hosts to a database of approved MACs, attackers may achieve unauthorized access. Simply having a database is also not protection because MAC addresses can be spoofed by attackers. Because static MAC address lists are not scalable and are defeated by spoofing, wireless encryption methods such as WEP/WPA2 need to be employed so that attackers cannot gain access without the security keys.

WLAN Security Design Approach

Two assumptions are made concerning the security design approach described:
  • All WLAN devices are connected to a unique IP subnet
  • Most services available to the wired network are also available to users of the WLAN
With those assumptions in mind, there are two basic security approaches:
  • Use EAP via Secure Tunneling (EAP-FAST) to secure authentication
  • Use VPN with IP Security (IPSec) to secure traffic from wireless to wired network
WLANS can potentially open new attack vectors for hackers and so security should be enhanced by using VPN with IPSec, 802.1x protocol, and WPA.

802.1x Port-Based Authentication

802.1x is a port-based authentication protocol that can be used on Ethernet, Fast Ethernet and WLAN networks. Client hosts run 802.1x software utilizing EAP to communicate with the AP. The AP relays the authentication request to an authentication server that will accept or deny the credentials, activating or deactivating the port/wireless connection. Usually a Remote Authentication Dial-In User Service (RADIUS) server handles authentication requests. This request is not encrypted as 802.1x is not an encryption protocol.

Dynamic WEP Keys and LEAP

Cisco offers dynamic, per-session WEP keys that are more secure than statically configured WEP keys. To centralize user-based authentication, Cisco developed LEAP. LEAP uses mutual authentication between client/server and 802.1x for wireless authentication messaging. LEAP can use Temporary Key Integrity Protocol (TKIP) rather than WEP to overcome the weakness of WEP. LEAP uses RADIUS to manage user information.

LEAP combines 802.1x and EAP, combining the ability to authenticate to various servers (such as RADIUS) with the ability to force users to log onto an AP that compares logon info with RADIUS. This solution is far more scalable than trying to keep a database of authorized MAC addresses.

Because the WLAN access depends on receiving an address using DHCP, and authenticating connection attempts via RADIUS, the WLAN needs access to these servers. LEAP does not support one-time passwords (OTP) so good password security practice is essential.

Controlling WLAN Access to Servers

The security posture of servers accessible to the WLAN should be similar to that of a DMZ because it is potentially accessible by attackers. WLAN RADIUS and DHCP servers should be kept on a separate segment (vlan) from other primary servers. Access into this vlan should be filtered, which ensures that attacks on these WLAN-accessible servers are contained within that segment. Network access to these servers should be controlled and restricted, as the WLAN should be considered an unsecured network segment. 

These WLAN-accessible servers also need to be protected from attack, possibly using IDS/IPS or firewalls.

Cisco Unified Wireless Network

Cisco UWN Architecture

The Cisco Unified Wireless Network architecture combines elements of wireless and wired networks to manage, secure and scale WLANS. Cisco UWN architecture is comprised of five elements:
  • Client Devices: Laptops, workstations, IP phones, PDAs and manufacturing devices to access WLAN
  • Access Points: Placed in strategic locations to maximize signal and minimize interference
  • Network Unification: The WLAN should support wireless applications by providing security policy, QoS, intrusion prevention, and radio management. Cisco WLAN Controllers provide this functionality and integrates within all major routing/switching platforms
  • Network Management: Cisco Wireless Control System (WCS) provides central management tool to allow design, control and monitoring of WLAN
  • Mobility Services: Includes guest access, location services, voice services, threat detection/mitigation

The Cisco UWN provides benefits:
  • Reduced Total Cost of Ownership (TCO)
  • Enhanced visibility/control
  • Dynamic radio management
  • WLAN Security
  • Unified wireless/wired network
  • Enterprise mobility
  • Enhanced collaboration/productivity

Lightweight Access Point Protocol

LWAPP is an IETF standard for control messaging between APs and WLCs. LWAPP control messages can be transmitted as Layer 2 or Layer 3 tunnels. Layer 2 LWAPP tunnels came first, and APs did not need an IP address, but the WLC had to be on every subnet on which an AP resides because only Layer 2 traffic was available. Layer 3 LWAPP is now the preferred solution, but lightweight APs can support both. LWAPP Layer 3 tunneling uses IP addresses that are collected from a mandatory DHCP server. When using Layer 2 tunneling, LWAPP uses a proprietary code to communicate with access points. WLCs reside on the wired network and the lightweight APs are at the edge, not directly connected. This is why tunneling is needed, to protect control traffic between WLCs and LWAPs.

LWAPP Layer 2 uses EtherType code 0xBBBB, Layer 3 uses UDP ports 12222/12223.

Control And Provisioning for Wireless Access Points

CAPWAP is an IETF standard for control messaging between APs and WLCs. Using Control Software 5.2, Cisco LWAPs use CAPWAP to communicate between LWAPs and WLCs. CAPWAP is different from LWAPP in the following ways:
  • CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between LWAP and WLC. LWAPP uses EAP for the same.
  • CAPWAP has a dynamic MTU discovery mechanism.
  • CAPWAP control messages use UDP port 5246.
  • CAPWAP data messages use UDP port 5247.
CAPWAP uses Layer 3 tunnels between the LWAP and WLC. The LWAP obtains an IP from DHCP servers. Control and data messages sent from an LWAP use an ephemeral UDP port that is derived from a hash of the AP MAC addresses, while WLC traffic uses UDP port 5246/5247 for control/data traffic.

Cisco Unified Wireless Split-MAC Architecture

With split-MAC architecture, LWAP control and data messaging is split. LWAPs communicate with WLCs using control messages over the wired network, while LWAPP/CAPWAP data messages are encapsulated and forwarded to/from wireless clients. WLCs provide configuration and firmware updates to APs as needed.

LWAP MAC functions:
  • 802.11: Beacons, probe response
  • 802.11 Control: Packet acknowledgement and transmission
  • 802.11e: Frame queuing and packet prioritization
  • 802.11i: MAC layer data encryption/decryption
Controller MAC Functions:
  • 802.11 MAC Management: Association requests and actions
  • 802.11e Resource Reservation: Reserves resources for specific applications
  • 802.11i: Authentication and key management

Local MAC

Local MAC is supported by CAPWAP, which moves the MAC management from the WLC to the local AP. This allows termination of client traffic at the wired port of the AP. This is useful at small or remote offices where a WLC isn't needed. 

LWAP MAC Functions:
  • 802.11: Beacons, probe response
  • 802.11 Control: Packet acknowledgement/transmission
  • 802.11e: Frame queuing/packet prioritization
  • 802.11i: MAC layer data encryption/decryption
  • 802.11 MAC Management: Association requests/actions

Controller MAC Functions:
  • 802.11: Proxy association requests/actions
  • 802.11e Resource Reservation: Reserves resources for specific applications
  • 802.11i: Authentication and key management

With autonomous APs not associated to a WLC, the AP simply acts as a trunk carrying different vlan traffic. With a WLC connected with CAPWAP, the AP tunnels to the WLC and then the WLC trunks to the switch.

AP Modes

  • Local mode: Default mode of operation. Every 180 secs, the AP measures noise floor/interference and scans for IDS events. This occurs on unused channels, lasts 60ms
  • Hybrid Remote Edge AP (H-REAP) Mode: Enables LWAP to reside across a WAN from the WLC. It uses local MAC, and is supported on Cisco 1130, 1140, 1240AB, and 1250AG series LWAPs.
  • Monitor mode: Feature to allow specific CAPWAP-enabled APs to opt out of handling data traffic, instead serving as sensors for rogue APs, intrusion detection and location-based services (LBS). These monitors continuously cycle through channels listening to each for 60ms.
  • Rogue Detector mode: LWAPs in this mode monitor for rogue APs. RD APs are attached to a trunk port to enable seeing all traffic since rogue APs can be connected to any vlan. The wired switch sends a list of rogue AP/client MACs to the RD AP and the RD AP forwards the list to the WLC to compare with MACs registered over the WLAN. If there are matches, then the WLC is aware that a rogue AP is plugged into the wired network and what rogue clients are connected.
  • Sniffer mode: LWAP that operates in sniffer mode captures and forwards packets on a particular channel to a remote machine running AiroPeek. This mode only works with AiroPeek, a 3rd party packet sniffer.
  • Bridge mode: This mode is only available on Cisco 1130 and 1240 series (typically indoor), and 1500 APs (typically outdoor mesh) and provides high-bandwidth cost-effective bridging. Point-to-point, point-to-multipoint, point-to-point wireless access with integrated backhaul and point-to-multipoint wireless access with integrated backhaul 

LWAPP Discovery of WLC

LWAPs placed on the network attempt DHCP discovery to obtain an IP address, followed by a Layer 3 LWAPP discovery attempt. If the WLC does not respond, the AP reboots and tries again. Layer 3 LWAPP discovery algorithm follows:
  1. AP sends a Layer 3 LWAPP discovery request
  2. All WLCs that receive this request reply with a unicast LWAPP discovery response message
  3. The requesting AP compiles a list of responding WLCs.
  4. The AP selects its preferred WLC based on certain criteria
  5. The AP validates the selected WLC and sends an LWAPP join response. An encryption key is agreed upon and future communications are encrypted.

Layer 3 discovery requests are sent in one or more of the following ways:
  • Local subnet broadcast
  • Unicast LWAPP discovery requests to WLCs advertised by other APs
  • Previously stored WLC addreses
  • IP addresses learned by DHCP option 43
  • IP addresses learned by DNS resolution of CISCO-LWAPP-CONTROLLER.local-domain

The WLC which is selected is selected based on certain criteria:
  • Previously configured primary/secondary/tertiary WLCs
  • WLC configured as master
  • WLC which has the most capacity for AP associations

If the WLC has CAPWAP, the AP follows this process:
  1. CAPWAP AP begins discovery process to find the WLC using a CAPWAP request, to which the WLC sends a CAPWAP response.
  2. If the AP receives no CAPWAP response within 60 seconds, the AP uses LWAPP discovery
  3. If the AP cannot find a WLC using LWAPP within 60 seconds it tries CAPWAP again.

CAPWAP is a design decision that is configurable within the WLC. APs select the WLC to create a CAPWAP tunnel based on information contained within the WLC responses. These responses contain the controller sysName, current capacity and load, status of the master WLC and the AP manager IP address. Based on this information, the AP will select its preferred WLC as followed:
  • Primary/Secondary/Tertiary WLC preconfigured sysName (preconfigured preference)
  • Master WLC
  • WLC with greatest capacity for AP associations


WLAN Authentication

When wireless clients try to associate with an AP, they need to authenticate with an authentication server before being granted access to the WLAN. The authentication server resides in the wired LAN and and EAP/RADIUS tunnel is built from the WLC to the server to handle the request. Cisco has a Secure Access Control (ACS) which uses EAP which can service these requests.

Authentication Options

Different types of EAP have advantages and disadvantages. There are trade-offs in security, types of devices supported, ease of use and infrastructure support.
  • EAP-Transport Layer Security (EAP-TLS): Open IETF standard that is well-supported but rarely deployed. Uses PKI to secure communications to the RADIUS server using TLS and digital certificates.
  • Protected Extensible Authentication Protocol (PEAP): PEAP/MSCHAPv2 is the most common version deployed and is widely available. Similar in design to EAP-TTLS, needing only a server-side PKI cert to create a secure TLS tunnel to protect user authentication. PEAP-GTC allows more generic authentication to other kinds of user databases such as Novell Directory Services.
  • EAP-Tunneled TLS (EAP-TTLS): Widely supported across platforms, offers good security, using PKI certs on the authentication server. 
  • Cisco Lightweight EAP (LEAP): Early proprietary method of EAP supported in Cisco Certified Extensions (CCX) program. Vulnerable to dictionary attacks.
  • EAP-Flexible Authentication via Secure Tunneling (EAP-FAST): Proposal by Cisco to address the weaknesses of LEAP. EAP-FAST uses a Protected Access Credential with optional server certificates. EAP-FAST has three phases:
  1. Phase 0: Optional phase where PAC can be provisioned manually or dynamically.
  2. Phase 1: Client and AAA server use the PAC to establish a TLS tunnel.
  3. Client sends information over the established tunnel

WLAN Controller Components

Three major components of WLCs:
  • WLANS: Identified by unique SSID network names, each assigned to an interface on the WLC.
  • Interface: A logical connection mapping a wireless network to a vlan on the wired network
  • Port: Physical connection to the wired LAN, usually a trunk. There could be multiple ports on a WLC that are port-channeled into a single interface. Some WLCs may have an out-of-band management port.

WLC Interface Types

WLCs have five different interface types:
  •   Management: Mandatory static interface configured at setup, used for in-band management, AAA authentication and Layer 2 discovery/association
  • Service Port: Optional, statically configured at setup, used for out-of-band management
  • AP Manager: Static, configured at setup, mandatory on all but 5508 model WLC. Used for Layer 3 discovery/association, has source IP of AP that is statically configured
  • Dynamic: Analogous to vlans, used for client data
  • Virtual: Static, configured at setup, and mandatory, used for Layer 3 security authentication, DHCP relay, and mobility management

Monday, February 4, 2013

CCDA Notes: Data Center Design

Enterprise Data Center Architectures

Data Centers used to use mainframes to centrally process data, with users connecting via terminals to do work on the mainframe (Data Center 1.0).

Data Center 2.0 introduced the concept of client/server connections and distributed computing. Business applications were installed on servers in data center and accessed by users on their workstations. Applications services were distributed because of cost of WAN links and slow performance.

In Data Center 3.0, consolidation and virtualization are the main components. Due to communication equipment becoming cheaper and stronger computing power being available, the current move is toward consolidating services in data centers, which centralizes management and is more cost-effective than distributing services. Newer architecture takes advantage of server virtualization which results in higher utilization of computing/network resources. This raises return on investment (ROI) and lowers total cost of ownership (TCO).

Data Center 3.0 Components

  • Virtual local area networks (vlans), virtual storage-area networks (VSAN), virtual device contexts (VDC) help segment LAN/SAN/network instances
  • Cisco Nexus 1000V virtual switch for VMWare ESX/ESXi helps with policy control and visibility of virtual machines (VM)
  • Flexible network options that support multiple server form factors/vendors including those with integrated Ethernet/Fibre channel switches
Unified Fabric
  • Fibre Channel over Ethernet (FCoE) and Internet Small Computer Systems Interface (iSCSI) are two methods to implement unified fabric in data center oveer 10 Gigabit Ethernet networks
  • FCoE is supported on VMWare ESX/ESXi vSphere 4.0 and up
  • Cisco Catalyst/Nexus/MDS family of switches support iSCSI. Cisco Nexus 5000  supports unified fabric lossless operation which improves iSCSI performance using 10 Gigabit Ethernet
  • Cisco Nexus switches created to support unified fabric. Nexus 4000/5000 supports data center bridging (DCB) and FCoE, in future Nexus 7000 and Cisco MDS switches will as well
  • Converged network adapters (CNA) run at 10GE speeds and support FCoE. Available from Emulex and QLogic, and certain software stacks for 10GE interfaces are available from Intel
Unified Computing
  • Cisco Unified Computing System (UCS) is next-gen platform designed to converge computing, storage, network and virtualization together into one system
  • Integrates lossless 10GE unified network fabric with x86-based servers
  • Allows Cisco Virtual Interface Cards to virtualize network interfaces on servers
  • Cisco VN-Link virtualization
  • Supports extended memory technology patented by Cisco
  • Uses just-in-time provisioning using service profiles to increase productivity
At top layer of architecture, the virtual machines are software entities that run hypervisors which emulate hardware. Then there are the unified computing resources within which service profiles define the identity of the server. Identity includes hardware settings such as allocated memory and CPU, network card information, boot image and storage. 10GE, FCoE and Fibre Channel technologies provide unified fabric supported by Cisco Nexus 50000. FCoE allows native Fibre Channel frames to function on 10GE networks. VLAN/VSAN technology segments multiple LANs and SANs on same physical equipment. At the lowest layer there is virtualized hardware where storage devices can be virtualized into storage pools, and network devices are virtualized using virtual device contexts.

Challenges in the Data Center

Data center requirements and mechanical specifications help to define the following:
  • Power needed
  • Physical rack space used
  • Limits on scaling
  • Management (resources, firmware)
  • Security
  • Virtualization support
  • Management effort required

Data Center Facility Considerations

  • Space available
  • Floor load capacity
  • Power/cooling capacity
  • Cabling infrastructure
  • Operating temperature and humidity level
  • Access to site, security alarms and fire suppression
  • Space for employees to move/work
  • Compliance with regulations such as Payment Card Industry (PCI), Sarbanes-Oxley (SOX), and Health Insurance Portability and Accountability Act (HIPAA)

Data Center Space

  • Number of employees who will support data center
  • Number of servers and amount of storage/network gear needed
  • Space needed for non-infrastructure areas such as shipping/receiving, server/network staging, storage/break/bathrooms, and office space
Other considerations related to equipment rack/cabinet space:
  • Weight of rack/equipment
  • Heat expelled from equipment
  • Amount and type of power required (UPS/RPS)
  • Loading, which determines what/how many devices can be installed

Data Center Power

Desired power reliability drives requirements which may include multiple redundant power feeds from utility, backup generators, redundant power supplies. Power in the data center is used to power and cool devices in the data center. The power system also needs to protect against power surges, failures and other electrical problems. Key points of a power design will:
  • Define overall power capacity
  • Provides physical electrical infrastructure and addresses redundancy

Data Center Cooling

Cooling is used to control humidity and temperature in order to extend the lifespan of devices. High-density rack design should be weighed against heating considerations. Smaller form-factor servers allow more to be placed into a rack but airflow and cooling must be accounted for. Cabinets and racks should be organized into 'cold' and 'hot' aisles. In cold aisles, the fronts of devices should face each other across the aisle and in hot aisles the backs of devices should face each other across the aisle. Cold aisles should have perforated floor tiles through which cold air is blown that will be drawn into the fronts of the devices, flushing the hot air out of the back into the hot aisles. Hot aisles should have no perforated tiles, which will keep hot/cold air from mixing and diluting its effect.

If equipment does not exhaust heat to the rear, other cooling techniques can be leveraged:
  • Block unnecessary air escapes to increase airflow
  • Increase height of raised floor
  • Spread equipment to unused racks
  • Use open racks rather than cabinets in places security is not a concern
  • Use cabinets with meshed front/back
  • Custom perforated tiles with larger openings to allow more cold airflow

Data Center Heat

Data center design must account for high density servers and heat produced by them. Considerations in design for cooling need to be taken into account for proper sizing of servers and anticipated growth, along with the corresponding heat output.
  • Increase number of HVAC units
  • Increase airflow through devices
  • Increase space between racks/rows
  • Use alternative cooling technologies such as water-cooled racks

Data Center Cabling

Data center cabling is known as passive infrastructure. The cabling plant is what connects everything together, terminating connections between devices and governing how devices communicate. Cabling must be easy to maintain, abundant and capable of supporting different media types and connectors for proper operations.

Considerations for following must be determined during design:
  • Media selection
  • Number of connections
  • Type of cable termination organizers
  • Space for cabling on horizontal/vertical cable trays
Cabling needs to avoid the following:
  • Inadequate cooling due to restricted airflow
  • Outages due to accidental disconnections
  • Unplanned dependencies
  • Difficult troubleshooting options

Enterprise Data Center Infrastructure

Current enterprise data center design follows Cisco multilayer (hierarchical) architecture including access, aggregation and core layers. This model supports blade servers, single rack-unit (RU) servers and mainframes.

Defining Data Center Access Layer

The main purpose of data center access layer is to provide Layer 2/3 physical port density for various servers. The access layer also provides low-latency and high-performance switching that can support oversubscription requirements. Most data centers are built with Layer 2 connectivity but Layer 3 (routed access) options are available. Layer 2 connectivity uses vlan trunk uplinks to allow aggregation services to be shared across the same vlan across multiple switches. Spanning Tree is used in Layer 2 access to avoid loops in network. The recommended STP instance is RPVST+.
New routed access design aims to contain Layer 2 to the access layer and avoid the use of STP. First-hop redundancy must be be provided as the access switch becomes the first-hop router. Access layer benefits are as follows:
  • Port density for server farms
  • Supports single/dual-homed servers
  • High-performance, low-latency Layer 2 switching
  • Supports mix of oversubscription requirements

Defining Data Center Aggregation Layer

Aggregation (Distribution) layer aggregates Layer 2/3 links from the access layer and connects upstream to the core layer. Layer 3 connectivity, if not implemented at access layer, is typically used towards core from aggregation layer. The aggregation layer is a critical point for data center application and security services including load balancing, SSL offloading, and firewall/IPS services. Depending on design requirements the Layer 2/3 border could be in multilayer switches, firewalls, or content switching devices. Multiple aggregation layers can support different environments such as a test environment, production, etc each with its own applications and security requirements. First-hop redundancy is typically implemented in aggregation layer if Layer 3 is not implemented at the access layer. Benefits of the aggregation layer are:
  • Aggregates traffic from data center access layer and connects to data center core
  • Supports advanced security/application services
  • Layer 4 services such as firewalls, IPS, SSL offloading and server load balancing
  • Large STP process load
  • Highly flexible/scalable

Defining Data Center Core Layer

Data Center Core connects the campus core to the data center aggregation layer utilizing high-speed Layer 3 links. The core is a centralized Layer 3 routing layer to which the data center aggregation layers connect. Data center networks are summarized here and shared with the campus core, and default routes are injected into the data center aggregation layer from the data center core. Multicast traffic must also be allowed through the data center core to support a growing list of multicast applications.

Data Center Core Drivers
  • 10 Gigabit Ethernet density: Are there enough links to link multiple aggregation layers together?
  • Administrative domains/policies: Separate cores help isolate campus distribution from data center aggregation for troubleshooting and QoS/ACL policies
  • Future Growth: Future impact/downtime that would be needed to expand later makes it important to provide enough core layers when designing for initial implementation
Characterisics of a Data Center Core
  • Low-latency switching
  • Distributed forwarding architecture
  • 10 Gigabit Ethernet
  • Scalable IP Multicast support

Virtualization Overview

Virtualization technology allows one physical device to emulate several, or several physical devices to emulate a single logical device. The modern data center is changing based on virtualizatuion and data center design changes with it.

Virtualization Driving Forces
  • Need to reduce rising cost of powering/cooling devices while getting more productivity
  • Data center consolidation of assets performing individual tasks
  • Logical, separate user groups secured from other groups on same network
  • Eliminate underutilized hardware that has poor performance/price ratio

Virtualization Benefits
  • Better use of computing resources, higher server densities, simplified server migration
  • Flexibility and ease of management for adds/reassignments/repurposing of resources
  • Separation of groups utilizing same physical network, enabling traffic isolation
  • Ability to provide per-department security policy
  • Reduction in power/space needed
  • Increased uptime, decreased operational cost

Network Virtualization
  • VLAN
  • VSAN
  • VRF (Virtual Routing/Forwarding)
  • VPN
  • vPC (Virtual Port Channel)

Device Virtualization
  • Server virtualization (VM)
  • Cisco Application Control Enginre (ACE) context
  • Virtual Switching System (VSS)
  • Cisco ASA firewall context
  • Virtual device contexts (VDC)

Virtualization Technologies

Virtual Switching System is network virtualization that allows two physical Cisco Catalyst 6500 series switches to act as a single logical switch. Similar to StackWise technology used on Cisco Catalyst 3750 switches that allows chaining multiple switches together into a single logical switch, but VSS is limited to two chassis linked together.

Virtual routing and forwarding virtualizes Layer 3 route tables to allow multiple routing tables to exist on a single device. In Multi-Protocol Label Switching VPN environment, VRF allows  multiple networks to exist on the same MPLS network. Routing information is contained in VRF and is only visible to other routers participating in the same VRF instance. Because of this duplicate IP address schemes can be used.

Virtual Port Channel technology works by virtualizing two Cisco Nexus 7000 or Nexus 5000 series switches as a single logical switch. 10GE links connect the two physical switches which then represent themselves as a single logical switch for purposes of port channeling. Although multiple redundant paths exist, the spanning tree topology appears loop-free. This allows all links to be utilized.

Device Contexts
Device contexts allow a single physical network device to host multiple virtual devices. Each context is its own instance with its own configuration, policies, network interfaces and management. Most features available on single network devices also exist on contexts. These devices support contexts:
  • Cisco Nexus 7000 series switches
  • Cisco ASA Firewall
  • Cisco Catalyst 6500 Firewall Services Module (FSM)
  • Cisco Application Control Engine Appliance
  • Cisco Catalyst 6500 Application Control Engine Module
  • Cisco IPS
Server Virtualization
Server virtualization is a software technique which abstracts server resources from hardware to provide flexibility and optimize the usage of the underlying hardware. The virtualized hypervisor controls hardware and physical resources that can be allocated to the different server VMs. This shares resources among the VMs without the VMs being aware of their actual physical hardware. Several vendors for server virtualization, along with products:
  • VMWare ESX Server
  • Citrix XenServer
  • Microsoft Hyper-V

Network Virtualization Design Considerations

Access Control
Access should be controlled to make sure users and devices are identified and authorized to communicate with their assigned network segment.

Path Isolation
Path isolation involves the creation of independent logical paths over the same physical network infrastructure. MPLS VPN assigned to specific VRFs is an example of this. VLANs and VSANs also logical separate networks.

Services Edge
Services Edge refers to making services available to the users, groups and devices intended with an enforced centralized managed policy. Effective way to enforce service access is a firewall or other centralized device that contains policies on what should and should not be accessible.


Sunday, February 3, 2013

CCDA Notes: Enterprise LAN Design (Best Practice)

Campus LAN design factors in following categories:
  1. Network Application Characteristics: Different types of applications
  2. Infrastructure Device Characteristics: Layer 2/3 switching and hierarchy
  3. Environmental Characteristics: Geography, wiring, space, distance, etc

Application Characteristics

Application requirements drive design due to usability constraints. Time and drop-sensitive applications need special consideration as far as allowable latency/packet loss.

Peer-to-Peer: Instant messaging, file sharing, IP/video calls. Requires medium/high throughput, can allow low/high availability depending on application and has low to medium network cost

Client-local servers: Servers are located in same segment as clients or close by, normally on same LAN. With 80/20 workgroup rule, 80% of traffic is local and 20% is routed elsewhere. Requires medium throughput, medium availability and incurs medium network cost.

Client-server farm: Mail, database, etc servers. Access to servers is fast, reliable and controlled. Requires high throughput, high availability and a high network cost.

Client-enterprise edge servers: External servers such as smtp relay, web, DMZ. e-commerce. Requires medium throughput. high availability and medium network cost.

Hierarchical Layer Best Practice

Access Layer Best Practice

  • Limit vlans to single switch/closet when possible to provide deterministic and highly available network topology
  • Use Rapid Per-Vlan Spanning Tree+ (RPVST+) if STP is needed
  • Set trunks to on/on and nonegotiate
  • Manually prune unused vlans from trunks to avoid unnecessary broadcast traffic propagating between switches
  • Use Vlan Trunking Protocol (VTP) in Transparent mode because common vlan propagation in hierarchical network is not needed
  •  Disable dynamic trunking on host ports, enable Portfast
  • Consider routing in access layer to speed up convergence and provide Layer 3 load balancing
  • Use switchport host command on server/host ports to enable Portfast and disable channelling
  • Use Cisco STP toolkit (Portfast, Loop Guard, Root Guard, BPDU Guard) to prevent loops and protect deterministic Spanning Tree topology

Distribution Layer Best Practice

  • Links to core must support aggregated bandwidth of access layer links
  • Redundant links to access/core layers
  • QoS/security/policy enforcement should occur at this layer
  • Use first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP) or Gateway Load Balancing Protocol (GLBP) if layer 2 trunks are used between access and distribution layers
  • Use Layer 3 routing protocols between distribution and core to allow fast convergence and load balancing to occur
  • Only peer with other routers on links intended to be used as transit links
  • Build Layer 3 triangle links,  not squares:

  • Use distribution switches to connect Layer 2 vlans that span multiple access switches
  • Summarize routes from distribution layer to core to reduce routing overhead
  • Use Virtual Switching System (if possible) to eliminate need for STP and first-hop redundancy

Core Layer Best Practice

  • Must support fast switching, redundant paths and and high availability to distribution points
  • Reduce switch peering by using redundant triangle connections between switches (as above)
  • Use routing topology that allows no Layer 2 loops seen in Layer 2 links utilizing STP
  • Use Layer 3 switches in core which provide intelligent services Layer 2 switches do not support
  • Use equal-cost dual paths to each destination network

Large-Building LANs

  • Tend to be separated by floors or departments
  • Access component serves one or more floors/departments
  • Distribution component aggregates multiple floors/departments
  • Core components connects data center, building distribution components, and enterprise edge distribution component
  • Access layer typically uses Layer 2 switches to save costs
  • Distribution layer typically uses Layer 3 switches for access control, QoS and policy enforcement
  • Core layer utilizes Layer 3 switches for fast switching and fast convergence/load balancing
  • FastEthernet at access layer, GigabitEthernet for distribution/core links

Enterprise Campus LAN

  • Typically connects two or more buildings within local geographic area using high-bandwidth LAN backbone
  • GigabitEthernet backbones connecting campus buildings are new standard
  • Requires hierarchical composite design with network-level addressing to control broadcasts
  • Each building should have network addressing leveraged to facilitate summarization
  • Use Layer 3 switches with fast-switching capabilities in core
  • In smaller campuses, distribution layer can be collapsed and core can connect directly to access layer
  • Can also collapse distribution layer by utilizing Layer 3 switching in access layer to provide access/distribution services

Edge Distribution

  • On large LANs, provides additional security between campus LAN and enterprise edge
  • Can help defend campus LAN against IP spoofing, unauthorized access, network reconnaissance, and packet sniffing

Medium-Size LANs

  • Typically utilizes collapsed core hierarchy
  • 200 - 1000 devices

Small/Remote Site LANs

  • Typically connect to corporate network via small router which filters broadcasts to WAN and forwards packets requiring services from corporate network
  • Local servers tend to be small and provide minimal services for network connectivity such as DHCP and backup domain controller
  • If local servers are not used then router must forward broadcast and other types of traffic to corporate network

Server Farm

  • Most servers connect to access switches via GigEthernet, 10GigEthernet or Etherchannels
  • Server farm switches connect via redundant links to core, larger farms may need distribution layer which utilizes QoS, policies and access control 
  • Servers typically connected to switch by:
  1. Single network interface card (NIC)
  2. Dual NIC with Etherchannel
  3. Dual NIC to separate access switches
  4. Content Switching (advanced content switches that front end user requests and provide redundancy/load balancing)

Enterprise Data Center Architecture

Data centers have different server technologies including standalone servers, blades, mainframes, clustered servers and virtual servers.
  • Data center access layer must provide port density to support server connections, high performance/low latency Layer 2 switching, and support single/dual connected servers
  • Preferred design contains Layer 2 switching to access layer and moves Layer 3 to distribution layer, though some designs can push Layer 3 to access layer
  • Cisco Data Center 3.0 architecture provides next evolution of data center
  • Distribution layer aggregates access links to core
  • Load balancers are implemented at distribution layer
  • SSL offloading devices terminate Secure Socket Layer sessions
  • Firewalls control/filter access
  • Intrusion Detection/Intrusion Prevention devices used to detect/prevent attacks

Campus LAN QoS Consideration

  • Access layer marks frames/packets for QoS policies in distribution layer
  • Classification is done via ISL or 802.1q tagging by setting Class of Service (CoS) bits
  • Traffic should be marked as close as possible to source

Multicast Traffic Consideration

  • Internet Group Management Protocol (IGMP) is used between hosts and local Layer 3 switch, IGMP is also protocol used between hosts and local router
  • IGMP messages uses IP protocol number 2, and messages are limited to local interface and not routed
  • Hosts report multicast membership to local routers to receive multicast traffic
  • End hosts in campus LAN may be flooded with unwanted multicast traffic if measures are not taken to prune/bound traffic.
  • Cisco Group Management Protocol (CGMP) and IGMP Snooping are solutions to unwanted multicast traffic issue
CGMP is Cisco proprietary protocol used to control multicast traffic at Layer 2. Because Layer 2 switches are unaware of Layer 3 IGMP messages it can't stop multicast traffic from going to all ports. CGMP allows Layer 2 switch to receive MAC addresses of hosts who subscribe to multicast from local router. Router must also be configured to use CGMP to pass info to Layer 2 switches

IGMP Snooping also allows multicast traffic to be controlled at Layer 2, and is now the preferred method. With IGMP switches listen to IGMP messages between hosts and routers. If hosts sends multicast query message to router, the switch will add the host to the multicast group and permits that port to receive the multicast. If the host sends an IGMP leave message the traffic is no longer forwarded. In order to use IGMP snooping the switch must listen to all IGMP messages which may negatively impact CPU usage.