Designing Cisco Network Service Architectures
ARCH: Designing Cisco Network Service Architectures, Volume 2, Version 2.0, Student Guide

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents, Volume 2

Module 7: E-Commerce Module Design
- Overview; Module Objectives
- Lesson 1: High Availability for E-Commerce (7-3): Overview, Objectives, E-Commerce Module Overview, Components of High Availability, Redundancy, Technology, People, Processes, Tools, Summary
- Lesson 2: Common Component Designs for the E-Commerce Module (7-15): Overview, Objectives, Common Firewall Designs for E-Commerce (Typical E-Commerce Topology, Server as Application Gateway, Virtualization with Firewall Contexts, Virtual Firewall Layers, Firewall Modes), Common Server Load Balancer Designs for E-Commerce (Functions of a Server Load Balancer, Cisco Server Load Balancing Products, SLB Design Models, SLB Router Mode, SLB Inline Bridge Mode, SLB One-Arm Mode Overview), Common Topology Designs for E-Commerce (Design Option: One Firewall Per ISP, Design Option: Stateful Failover with Common External Prefix, Design Option: Distributed Data Centers), Summary
- Lesson 3: Integrated E-Commerce Designs (7-37): Overview, Objectives, Base E-Commerce Module Design, Base Design Routing Logic, Base Design Server Traffic Flows, Two Firewall Layers Design, Two Firewall Layers Design Traffic Flows, One-Armed Design with Two Firewall Layers, One-Armed Design with Two Firewall Layers Traffic Flows, One-Armed Design with Direct Server Traffic Flows, One-Armed SLB Design with Firewall Contexts, One-Armed SLB Design with Firewall Contexts Traffic Flows, One-Armed SLB Design with CSS, Testing E-Commerce Designs, Summary
- Lesson 4: Tuning for E-Commerce (7-53): Overview, Objectives, E-Commerce Tuning Overview, BGP Tuning, Enhanced Object Tracking, Example: HSRP and IP SLA Tracking, Example: Injecting Routes and IP SLA, Optimized Edge Routing Overview, OER Operations, OER Solution Topologies, Cisco Global Server Load Balancing, Summary
- Module Summary; References; Module Self-Check; Module Self-Check Answer Key

Module 8: Security Services Design
- Overview; Module Objectives
- Lesson 1: Firewall Design Considerations (8-3): Overview, Lesson Objectives, Firewall Modes, Virtual Firewall Overview, Firewall Context Design Considerations, MSFC Placement, Active/Active Firewall Topology, Active/Active Topology Features, Asymmetric Routing with Firewalls, Asymmetric Routing with ASR Group on a Single FWSM, Asymmetric Routing with Active/Active Topology, Performance Scaling with Multiple FWSMs, Example: Load Balancing FWSMs Using Policy-Based Routing, Example: Load Balancing FWSMs Using ECMP Routing, Private VLAN Security, PVLAN Review, FWSM in PVLAN Environment - Isolated Ports, FWSM in PVLAN Environment - Community VLANs, Zone-Based Policy Firewall, Summary
- Lesson 2: Network Admission Control Design (8-23): Overview, Lesson Objectives, Network Security with Access Control, Network Admission Control Comparison, NAC Appliance Fundamentals, NAC Appliance Components, NAS Scaling, NAS Deployment Options, NAS Gateway Modes, NAS Operating Modes, NAS Client Access Modes, Physical Deployment Models, NAC Appliance Designs, Layer 2 In-Band Designs, Layer 2 Out-of-Band Designs, Layer 3 In-Band Designs, Layer 3 Out-of-Band Designs, NAC Framework Overview, Router Platform Support for NAC Framework, Switch Platform Support for NAC Framework, Cisco Client Security Software, Summary
- Lesson 3: Intrusion Detection and Prevention Designs (8-55): Overview, Lesson Objectives, IDS/IPS Overview, IPS/IDS Design Considerations, IDS/IPS Deployments, IPS Appliance Deployment Options, IPS Deployment Challenges, IDS/IPS Management Interface Deployment Options, IDS/IPS Monitoring and Management, Scaling CS-MARS with Global Controller Deployment, Summary
- Module Summary; References; Module Self-Check; Module Self-Check Answer Key

Module 9: IPsec and SSL VPN Design
- Overview; Module Objectives
- Lesson 1: Remote Access VPN Design (9-3): Overview, Objectives, Remote Access VPN Overview, Example: Easy VPN Client IPsec Implementation, SSL VPNs, Clientless Access, Thin Client, Thick Client, Remote Access VPN Design Considerations, VPN Termination Device and Firewall Placement, Routing Design Considerations, Address Assignment Design Considerations, Other Design Considerations, Example: VPN Architecture, Summary
- Lesson 2: Site-to-Site VPN Design (9-17): Overview, Objectives, Site-to-Site VPN Applications, WAN Replacement Using Site-to-Site IPsec VPNs, WAN Backup Using Site-to-Site IPsec VPNs, Regulatory Encryption Using Site-to-Site IPsec VPNs, Site-to-Site VPN Design Considerations, IP Addressing and Routing, Scaling, Sizing, and Performance, Design Topologies, VPN Device Placement Designs, Summary
- Lesson 3: IPsec VPN Technologies (9-33): Overview, Objectives, IPsec VPN Overview, Extensions to Standard IPsec VPNs, Cisco Easy VPN, Overview of Easy VPN Server Wizard on SDM, Overview of Easy VPN Remote Wizard on SDM, GRE over IPsec, GRE over IPsec Design Recommendations, DMVPN, DMVPN Overview, Example: DMVPN Topology, DMVPN Design Recommendations, VTI Overview, GET VPN, GET VPN Topology, Summary
- Lesson 4: VPN Management and Scaling (9-51): Overview, Objectives, Recommendations for Managing VPNs, Cisco Security Management Suite for VPNs, Considerations for Scaling VPNs, Determining PPS, Determining the PPS Rate, Routing Protocol Considerations for IPsec VPNs, Summary
- Module Summary; References; Module Self-Check; Module Self-Check Answer Key

Module 10: IP Multicast Design
- Overview; Module Objectives
- Lesson 1: IP Multicast Review (10-3): Overview, Objectives, Overview of IP Multicast, Unicast vs. Multicast, TCP Contrasted to UDP, Multicast Adoption Trends, Cisco Multicast Architecture, IP Multicast Group Membership, Multicast Group Address Range, IP Multicast MAC Address Mapping, Multicast Address Assignment, IGMP, Multicast Routing, Multicast Distribution Tree Creation, RPF Overview, Multicast Distribution Trees, Multicast Forwarding at Layer 2, IGMP Snooping, Summary
- Lesson 2: PIM and RP Considerations: Overview, Objectives, PIM Deployment Models, Any-Source Multicast, Bidirectional PIM, Source Specific Multicast, RP Considerations, Anycast RP, Static RP Addressing, Auto-RP, BSR, Summary
- Lesson 3: IP Multicast Security: Overview, Objectives, Security Considerations for IP Multicast, Unicast and Multicast State Requirements, Multicast State and Replication, Attack Traffic in Multicast Networks, Scoped Addresses, Multicast Access Control, Host Receiver Side Access Control, PIM-SM Source Control, Disabling Multicast Groups, Summary
- Module Summary; References; Module Self-Check; Module Self-Check Answer Key

Module 11: Voice Over WLAN Design
- Overview; Module Objectives
- Lesson 1: VoWLAN in the Enterprise (11-3): Overview, Objectives, VoWLAN Drivers, Cisco Unified Wireless Network Review, VoWLAN Drivers in the Enterprise, Voice-Ready Architecture, Cisco Voice-Ready Architecture, Voice Impact on WLANs, Summary
- Lesson 2: VoWLAN Coverage and RF Survey: Overview, Objectives, Enterprise VoWLAN Coverage Considerations, Signal-to-Noise Ratio, Non-Overlapping Channels, General Recommendations for VoWLANs, VoWLAN Site Survey, Cisco WCS Deployment Planning Tool, Access Point Location, Conducting the RF Survey for VoWLAN, Summary
- Lesson 3: VoWLAN Infrastructure Considerations: Overview, Objectives, Voice Specific Infrastructure Considerations, Roaming, Layer 2 Intercontroller Roaming, Layer 3 Intercontroller Roaming, Enhanced Neighbor Lists, QoS Considerations, IEEE 802.11e and Wi-Fi Multimedia, Call Admission Control, Security Considerations, VoWLAN Authentication and Encryption Recommendations, Other Design Recommendations for VoWLAN Security, VoWLAN Clients, Summary
- Module Summary; References; Module Self-Check; Module Self-Check Answer Key

Module 12: Network Management Capabilities with Cisco IOS Software
- Overview; Module Objectives
- Lesson 1: Embedded Management Capabilities (12-3): Overview, Objectives, Embedded Management Rationale, Enterprise Applications Rely on WAN Links, Cisco IOS Software Supports Network Management, Application Optimization and Cisco IOS Technologies, Syslog Considerations, Cisco IOS Syslog Message Standard, Syslog Issues, Summary
- Lesson 2: NetFlow Considerations: Overview, Objectives, NetFlow Technology Overview, Principal NetFlow Uses, Definition of a Flow, Traditional IP Flows, Flow Record Creation, Example: NetFlow Data Before QoS Deployment, Example: NetFlow Data After QoS Deployment, NetFlow Cache Management, NetFlow Export Versions, NetFlow Version 9 Export Packet, NetFlow Deployment, Where to Apply NetFlow Monitoring, Summary
- Lesson 3: NBAR Considerations: Overview, Objectives, NBAR Overview, NBAR Packet Inspection, NBAR Protocol Discovery, NetFlow and NBAR Differentiation, Reporting NBAR Protocol Discovery Statistics, Example: AdventNet NetFlow Analyzer, Example: Concord eHealth, Example: InfoVista VistaView, Example: Micromuse Netcool Proviso, Example: MRTG Support for NBAR, NBAR and AutoQoS, Cisco AutoQoS for Enterprise, Example: AutoQoS Discovery Progress, Example: AutoQoS Suggested Policy, Summary
- Lesson 4: IP SLA Considerations: Overview, Objectives, IP SLA Technology Overview, Cisco IOS IP SLA Measurements, Cisco IOS IP SLA Measurements Capability, IP SLA Source and Responder, IP SLA Operation With Responder, IP SLA SNMP Features, Deploying IP SLA Measurements, Impact of QoS on IP SLA Statistics, Scaling IP SLA Deployments, Hierarchical Monitoring with IP SLA Measurements, Network Management Applications Using IP SLA Measurements, Network Management Application Considerations, Summary
- Module Summary; References; Module Self-Check; Module Self-Check Answer Key

Designing Cisco Network Service Architectures (ARCH) v2.0, Cisco Systems, Inc.
Module 7
E-Commerce Module Design

Overview
The e-commerce module enables organizations to support e-commerce applications through the Internet. The e-commerce module uses multiple component design techniques that have been discussed in this course. The first lesson reviews why high availability is of particular importance for the e-commerce module. The second lesson examines common uses of firewalls, server load balancers, and connections to multiple ISPs in e-commerce designs. The third lesson discusses how to integrate network components into e-commerce designs providing varying levels of security. The last lesson looks at tools and techniques for tuning e-commerce designs.

Module Objectives
Upon completion of this module, you will be able to:
- Discuss the importance of high availability for e-commerce designs
- Discuss how firewalls, server load balancers, and multiple ISP connections are used in e-commerce designs
- Discuss how to integrate firewalls and server load balancers into functioning e-commerce designs
- Describe tuning techniques for improving the performance and availability of an e-commerce module design
Lesson 1
High Availability for E-Commerce

Overview
This lesson identifies why high availability is so important for the e-commerce module. It also discusses aspects of providing high availability for an e-commerce design. Since high availability is not achieved solely by spending money on technical products, this lesson also discusses some non-technical aspects of high availability.

Objectives
Upon completing this lesson, you will be able to discuss high availability requirements and components for e-commerce modules. This ability includes being able to meet these objectives:
- Discuss the importance of high availability for e-commerce designs
- Discuss high availability components needed to support the e-commerce network module

E-Commerce Module Overview
This topic provides an overview of the high availability requirements of the e-commerce module.

Slide: E-Commerce Module Overview
- The e-commerce module is the public face of an organization: web and application responses to users must be fast.
- E-commerce downtime is particularly harmful: it reflects negatively on the organization, and lost business can cost millions of dollars an hour.
- The e-commerce module must minimize downtime.
- Multiple high availability techniques are used in e-commerce designs.

E-commerce applications represent the public face of an organization; therefore the e-commerce module has strict design requirements. Web and application responses to users must be fast. E-commerce downtime is particularly harmful, not only because it reflects negatively on the organization, but also because lost business can cost millions of dollars per hour. Therefore, e-commerce designs have a more stringent requirement to minimize downtime than other parts of an enterprise network. Multiple high availability techniques are used in e-commerce designs.
Components of High Availability
This section identifies the components of high availability.

Slide: Components of High Availability
- The objective of high availability is to prevent outages and minimize downtime.
- Achieving high availability integrates multiple components:
  1. Redundancy
  2. Technology
  3. People
  4. Processes
  5. Tools
- The first two components are relatively easy.
- The last three components are usually where gaps lead to outages:
  - The designer may not be able to fix people, processes, and tools.
  - A consultant doing a post-outage design review can talk about them.

High availability is an organizational objective with the goal of preventing outages, or at least minimizing downtime. Achieving high availability is hard work. It takes ongoing effort and iterated improvement. High availability is not something you have or do not have; it is a skill that an organization achieves and perfects over time. To actually start making progress on providing high availability requires integrating multiple components:
1. Redundancy
2. Technology (including hardware and software features)
3. People
4. Processes
5. Tools

The network redundancy and technology components are relatively easy to accomplish because they are elements that can be purchased and deployed. A traditional network designer will expect to be involved with these two aspects of high availability. However, no matter how much and how well redundancy and technology have been designed and deployed, high availability will not have been achieved unless the people component (sufficient staff with the right skills, training, and mind-set), the process component (company expectations, change control process, and so on), and the tools component (network management, good documentation) are present. If any one of the last three high availability components is missing, then incidents will happen and outages will occur. Initially the network designer may not be able to fix the people, processes, and tools in an organization. Often it takes a consultant doing a post-outage design review to talk about these components and suggest changes.

2007 Cisco Systems, Inc.
Redundancy
Redundancy means using extra equipment or network links to reduce or eliminate the effects of a failure.

Slide: Redundancy
- Redundancy is used to reduce or eliminate the effects of a failure.
- Redundancy design attempts to eliminate single points of failure:
  - Avoid single causes of failure.
  - Use geographic diversity and path diversity.
  - Use dual devices and links.
  - Use dual WAN providers.
  - As appropriate, implement dual data centers.
  - As appropriate, use dual co-locations, dual central office facilities, dual power substations, and so on.
- Redundancy design needs to trade off cost versus benefit: hours of downtime are compared to the costs of redundancy, planning, and so on.

Redundancy designs attempt to eliminate single points of failure, where one failed device or design element brings down a service. Single causes of failure are also avoided in a redundant design:
- Geographic diversity and path diversity are often included.
- Dual devices and links are very common.
- Dual WAN providers are fairly common.
- Dual data centers are sometimes used, especially for large companies and large e-commerce sites.
- Dual co-location facilities, dual telephone central office facilities, and dual power substations can be implemented.

A redundant design must trade off cost versus benefit. It takes time to plan redundancy and to verify the geographic diversity of service providers. Additional links and equipment cost money to purchase and maintain. These options need to be balanced against risks, the cost of downtime, and so on. The time and money invested in redundancy designs should be spent where they will have the most impact. Consequently, redundancy is most frequently found in network, data center, or e-commerce module cores, and then in critical WAN links or ISP connections. Additional e-commerce module redundancy can double up elements in the path between users and applications, and between the applications and back-end databases and mainframes.
Technology
Use of appropriate Cisco technologies can improve high availability.

Slide: Technology
- Cisco routing continuity options: Non-Stop Forwarding, Stateful Switch-Over
- Techniques for detecting failure and triggering failover: service monitoring on server load balancers, Enhanced Object Tracking and IP SLA, Optimized Edge Routing
- Other technologies: fast converging routing, server load balancing, firewall stateful failover
[Figure: NSF/SSO behavior during supervisor failover: active forwarding continues, SSO standby takes over, line cards see no link flap, BGP adjacency is maintained.]

There are several Cisco routing continuity options, such as Non-Stop Forwarding (NSF), Stateful Switch-Over (SSO), and graceful restart capabilities, that can improve availability. These technologies allow route processor failover without a link flap, continued forwarding of packets, and maintenance of BGP adjacencies.

Note: NSF with SSO is discussed in more detail in the Design Enterprise Campus Networks module of this course.

There are also techniques for detecting a failure and triggering failover to a redundant device. These techniques include service monitoring on server load balancers, Enhanced Object Tracking driven by IP Service Level Agreement (IP SLA) probes, and Optimized Edge Routing (OER). Other technologies also contribute to high availability. For example, fast routing convergence helps maintain high availability, as does using server load balancers. Firewall stateful failover allows user or application sessions to be maintained across a firewall device failover.

Note: Firewall stateful failover is discussed in more detail in the Security Services Design module of this course.
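The failure-detection technique the paragraph names, Enhanced Object Tracking driven by an IP SLA probe, as an added Cisco IOS configuration example that is not part of the original guide. The addresses, interface names, timers and HSRP group are assumptions: the router probes the ISP A next hop 203.0.113.1; when the probe fails, the tracked object goes down, the conditional default route is withdrawn so the floating static route takes over, and the HSRP priority is decremented so the peer router (assumed to run priority 100 with preempt) takes over the virtual gateway.

```cisco
! Added example, assumed addresses and names. Edge router 1 of an HSRP pair.
!
! IP SLA probe: ICMP echo to the ISP A next hop every 5 s, 1 s timeout.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
! Enhanced Object Tracking on the probe's reachability. The delay dampens
! flapping: down after 10 s of failure, up only after 30 s of success, so a
! bouncing ISP link does not cause repeated routing and HSRP churn.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Conditional default route via ISP A: withdrawn when track 10 is down.
! The floating static (administrative distance 250) through the peer router,
! assumed to sit at 10.10.1.3 on the shared inside segment, then takes over.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 10.10.1.3 250
!
! Inside-facing interface: HSRP active with priority 110. When track 10 goes
! down the priority drops to 90, below the peer's 100, and the peer preempts.
interface GigabitEthernet0/1
 ip address 10.10.1.2 255.255.255.0
 standby 1 ip 10.10.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
```

Verify the chain end to end rather than one piece at a time: `show track 10` reports the tracked state and the delay timers, `show ip route 0.0.0.0` shows which default is installed, and `show standby brief` shows which router is active. The decrement (20) must exceed the priority gap between the two routers (10 here), otherwise the track can go down without HSRP ever failing over.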
People
People are one of the most critical components of high availability.

Slide: People
- Staff work habits and skills matter: attention to detail, reliability and consistency.
- Good skills and ongoing technical training are needed, including lab time working with the technology, practical skills, troubleshooting challenge scenarios, and so on.
- Communication and documentation are important: what other groups expect; why the network is designed the way it is and how it is supposed to work.
- If people are not given the time to do the job right, they cut corners: if the design target is just adequate, falling short is poor.
- Staff teams should align with services: an owner and experts for each key service, application, and other components.

Redundant equipment and links and advanced technology are just the beginnings of high availability. In the prepare, plan, design, implement, operate, and optimize (PPDIOO) methodology, the people component is vitally important as well.

Staff work habits and skills can impact high availability. For example, attention to detail enhances high availability, while sloppiness hurts availability. Reliable and consistent wiring and configurations are easier to manage and troubleshoot.

The level of staff skills and technical training is also important when it comes to taking full advantage of redundancy. Devices must be correctly configured. Lab testing is important in order to understand under what circumstances failover will activate, and what failover will and will not accomplish. For example, non-stateful firewall failover may be adequate in terms of passing traffic, but a practical understanding of the application can show that with non-stateful failover, application sessions will lock up for an extended period of time until an application timeout causes session re-establishment. Designs including failover must be tested for the entire system, not just for individual components.

Good communication and documentation are also important. The network administrators need to be able to communicate with the other network, security, application, and server teams. The network documentation should cover why things are designed the way they are, and how the network is supposed to work. Failover behavior is complex enough that it is unwise to have to re-capture failover logic and boundary conditions every time some part of the design changes.

Field experience leads to the observation that if people are not given the time to do the job right, they will have to cut corners. Testing and documentation are often the first items to be eliminated. Lack of thorough testing and documentation has long-term consequences for the ability to maintain, expand, and troubleshoot the network.

If the design target is just adequate coverage, falling short of that target leads to a poor design. Designs should aim for something better than adequate, to ensure that no part of the implementation or operation of the high availability network is inadequate.

One other organizational recommendation is to align staff teams with services. If the corporate web page depends on staff reporting to other managers, then the manager of the e-commerce site may be competing for staff time with the Network Engineering or Operations manager. In most cases, the person who does the staff evaluation and provides the pay bonus generally gets most of the staff person's attention. This can make it hard to get routine testing or maintenance done for the e-commerce site if the staff does not report to the e-commerce manager. The owner or expert on key service applications and other components should be identified, and included in design and re-design efforts.
Processes
Processes also play an important role in high availability.

Slide: Processes
- Build repeatable processes: document change procedures, failover planning and lab testing, and implementation procedures.
- Use labs appropriately: the lab reflects the production network, failover mechanisms are tested and understood, new code is validated before deployment.
- Use meaningful change controls: test all changes before deployment, plan well with roll-back plans, conduct realistic and thorough risk analysis.
- Manage operational changes: perform regular capacity management audits, manage IOS versions, track design compliance as recommended practices change, develop disaster recovery plans.

Sound, repeatable processes lead to high availability. Continual process improvement, as part of the PPDIOO methodology, plays a role in achieving high availability. Organizations need to build repeatable processes and then gradually improve them. Tasks that are always implemented as one-off items represent a lost opportunity to learn as an organization.

Organizations should build repeatable processes:
- By documenting change procedures for repeated changes (for example, IOS upgrades)
- By documenting failover planning and lab testing procedures
- By documenting the network implementation procedure, so that the process can be revised and improved the next time components are deployed

Organizations should use labs appropriately:
- Lab equipment should accurately reflect the production network.
- Failover mechanisms are tested and understood.
- New code is systematically validated before deployment.

Since staff members tend to ignore processes that consume a lot of time or appear to be a waste of time, organizations also need meaningful change controls:
- Test failover and all changes before deployment.
- Plan well, including roll-back planning in detail.
- Conduct a realistic and thorough risk analysis.

Management of operational changes is also important:
- Perform regular capacity management audits.
- Track and manage IOS versions.
- Track design compliance as recommended practices change.
- Develop plans for disaster recovery and continuity of operations.
Tools
Software and documentation are tools that contribute to high availability.

Slide: Tools
- Monitor availability and key statistics for devices and links.
- Use performance thresholds, TopN reporting, and trending to spot potential problems.
- Monitor packet loss, latency, jitter, and drops.
- Good documentation is a set of power tools: network diagrams; network design write-ups; key addresses, VLANs, and servers; tables mapping services to applications, applications to virtual servers, and virtual servers to real servers.

Organizations are starting to monitor service and component availability. Assuming proper failover, services should continue operating when single components fail. Without component monitoring, a failure to detect and replace a failed redundant component may lead to an outage when the second component subsequently fails. Performance thresholds and reporting of the top N devices with a specific characteristic (TopN reporting) are useful, both for noticing when capacity is running out and for correlating service slowness with stressed network or server resources. Monitoring packet loss, latency, jitter, and drops for WAN links or ISPs is also important. Those metrics can be the first indication of an outage, or of SLA deterioration to the point where it affects delivery of services.

Good documentation provides an extremely powerful set of tools:
- Network diagrams help in planning, and also in fixing outages more quickly. Out-of-date documentation can lead to design errors, lack of redundancy, and other undesirable consequences.
- Documentation of how and why the network is designed the way it is helps capture knowledge that can be critical when a different person needs to alter the design, re-examine how failover works, or make other changes.
- Key addresses, VLANs, and servers should be documented.
- Documentation tying services to applications and to virtual and physical servers can be incredibly useful when troubleshooting.
Summary
This topic summarizes the key points discussed in this lesson.

Slide: Summary
- High availability is particularly important for the e-commerce module, since it is the public face of the organization.
- Multiple components are all needed to provide high availability:
  - Redundancy components are extra equipment or network links that reduce the effects of a single failure.
  - Technology components are features such as NSF/SSO and graceful restart that support network continuity.
  - People components include the staff and their training.
  - Process components include change processes and failover testing.
  - Tools include appropriate monitoring tools and good documentation.

An e-commerce design including only the redundancy and technology components will be incomplete without the other components of high availability.
Lesson 2
Common Component Designs for the E-Commerce Module

Overview
The e-commerce module ties together routing, switching, firewall, and server content load balancing components. It may also include other components. This lesson reviews common e-commerce designs using firewalls and server load balancers as preparation for integrating these elements into more complex e-commerce module designs in later lessons. It also discusses common approaches for connecting to multiple ISPs.

Objectives
Upon completing this lesson, you will be able to discuss common design approaches for e-commerce modules. This ability includes being able to meet these objectives:
- Discuss common design approaches to redundant firewalls
- Discuss common design approaches to redundant server load balancers
- Discuss common design approaches to multiple ISP connections
Common Firewall Designs for E-Commerce
This topic looks at common firewall designs for the e-commerce module.

Typical E-Commerce Topology
Most e-commerce modules look very similar in how they connect to the Internet.

[Figure: Typical E-Commerce Topology. Service Provider A and Service Provider B connect through the Internet to a pair of edge routers; behind them, core switches, aggregation switches, and access switches carry the web tier, application tier, and database tier, with a connection to the internal network.]

The e-commerce module is typically implemented in the data center facility. It is connected to the Internet by means of one or more service providers. Inside the e-commerce module there are multiple layers of firewalling. These multiple layers are the reason some people refer to this design as a firewall sandwich. The firewall connections in the diagram are either in an active or a standby state. A large site may use three layers of firewalls, while smaller sites may use only two layers.

Typically the Internet connects to a web tier, or outer DMZ, supporting web servers, as shown in the diagram. The web tier servers are protected from Internet devices by a pair of firewalls. The web servers communicate with application or middleware servers in the data center through a second pair of firewalls. The servers providing the application or middleware services represent the application tier. The application servers communicate with mainframes or databases in the database tier through the third pair of firewalls.

Although the specific connection is not shown, the e-commerce servers connect through the firewalls back to the internal network. This connectivity permits staff to update the applications and servers, and to do other maintenance and monitoring. When the e-commerce module is at a co-location facility, the edge routers may also provide the connection back to the corporate internal network. If the e-commerce module resides within a data center, the innermost firewalls may provide the connection back to the internal network.
27 Server as Application Gateway Some minor variations on this firewall sandwich design are occasionally used. Server as Application Gateway Service Provider A Internet Web Tier Application Tier Database Tier Note: Diagram omits switches and some details for clarity. Only way between firewall layers is through a server application. Is more secure then two firewalls. Hacker would need to penetrate two operating systems to attack the next firewall in sequence. Can be implemented with outer and inner VLANs on a switch at each tier. Can be implemented on a single interface per server with port-specific ACLs on firewalls. Workaround option is a direct VLAN between firewall layers. May be required due to application or site needs. ARCH v In some architectures, all traffic between the firewall layers goes through the servers. In the diagram, one interface of the web servers provides web services, and a separate interface connects to application servers through another firewall. In this design, the web tier servers are acting as application-specific gateways. Note Sites requiring high levels of security sometimes require firewalls using different operating systems, to ensure that if the outer firewall is breached, the same compromise does not permit breach of the inner firewall. When it is possible, this application-specific gateway approach adds security because a hacker would have to penetrate the firewall and the web server operating system in order to attack the middle layer of firewalls. This approach may support the high level of security requirement and avoid operating firewalls from multiple vendors. The diagram shows a logical representation of the application-specific gateway design. Usually, the two web tier server interfaces connect to a switch (or four interfaces connect to two switches). Separate VLANs represent the outer and inner sets of interface connections for the web tier servers. 
Another variation of the application-specific gateway design uses one connection from each server to each switch, but uses a port-specific access list (ACL) on the firewalls. In this case, the ACL on the Internet edge firewall pair allows only web and related traffic to the web servers. The middle firewall only allows application traffic coming from the web servers.
As a workaround option when there is some traffic that must go between firewalls, a single VLAN can connect to both firewall layers. This might be needed if an application tier server needs to communicate directly with some devices on the Internet, or in the internal network if the internal network is connected to the Internet edge firewall.

Virtualization with Firewall Contexts

The Cisco firewall family now allows for virtualization using firewall contexts.

[Figure: Virtualization with Firewall Contexts. A firewall (FWSM) divided into several contexts in front of a server farm.]

- Specific VLANs or interfaces are attached to specific security contexts.
- Each context has its own policies (NAT, access lists, protocol fixups, etc.).

A physical firewall or Application Control Engine (ACE) module can be virtualized, or divided up into separate contexts. These virtual contexts operate very much like separate physical firewall devices. It is possible to control the actual firewall resources that each context is allocated. This prevents a problem in one context from affecting another.

The figure shows a server farm connected to a firewall where the firewall contexts are to be used to provide virtual firewalls to different servers. The firewall contexts retain the secure separation of rules and other customer features. In enterprise networks, firewall contexts can be used to separate different Internet-facing e-commerce blocks, different layers of the firewall sandwich, and for other purposes. Contexts can also separate different types of functionality for a Firewall Services Module (FWSM) within a Cisco Catalyst 6500 Series switch chassis.

Note: Additional details of virtual firewalls are discussed in the Security Services Design module of this course.
Virtual Firewall Layers

The actual implementation of the multi-tiered e-commerce module may be done with a single pair of firewall devices using virtual firewall layers.

[Figure: Virtual Firewall Layers. Service Provider A, Internet, a 6500 switch with an FWSM, Web Tier and Application Tier; the VLANs and FWSM interfaces are shown beside the logical traffic flow.]

For example, a pair of Cisco Catalyst 6500 series switches with FWSMs might be used instead of the four firewalls shown in the previous diagram. The dotted lines in the figure correspond to the layers of links in the logical traffic flow diagram. Traffic would come from the Internet, pass through the firewall to get to the web tier, pass through the firewall again to get from the web tier to the application tier, and pass once more through the firewall to get to the databases, mainframe, or internal network.

Note: If such a design is used, it is a good idea to provide a logical diagram showing the VLANs internal to the 6500 switch. Routing or default gateway logic can be superimposed, to document how packets flow, why traffic can or cannot flow from a tier directly to/from the Internet, how failover works, etc. Some sites prefer to document this design using the firewall sandwich diagram shown earlier, with notes indicating that the different firewall layers in the diagram are actually the same physical device.
Firewall Modes

A firewall can run in either routed or transparent mode.

[Figure: Firewall Modes. Transparent mode: a management interface, with VLAN 30 bridged to a second VLAN in one subnet. Routed mode: an outside interface and an inside interface, with VLAN 30 and a second VLAN in separate subnets.]

- Transparent Mode: FWSM bridges (switches) two VLANs. Traffic passing through the FWSM is subject to IP ACLs.
- Routed Mode: FWSM routes between VLANs. Traffic routed between VLANs is subject to IP ACLs, security state tracking, etc.

Cisco firewall technology now allows for firewall designs where the firewall operates in either the transparent or bridged mode, or in traditional routed mode. The mode can be established on a per-context basis depending on licensing.

The difference between the modes is that in transparent mode, the firewall bridges two VLANs together. Normally one VLAN corresponds to one subnet. With transparent mode, the firewall switches traffic at Layer 2 between two VLANs, which together make up one IP subnet. Any traffic that goes through the firewall is subject to stateful IP address-based access lists, etc. This mode is sometimes described as the "bump in the wire" mode.

In the traditional routed mode, the firewall routes traffic between VLANs or interfaces. As traffic is routed, it passes through the firewall and is subject to stateful IP address-based access lists, inspection, and other firewall configuration options.

Note: Additional details of firewall modes are discussed in the Security Services Design module of this course.

Most current designs use the firewalls in the routed mode.
Example: Transparent Firewall Application

This example discusses an application using a firewall in transparent mode.

[Figure: Example: Transparent Firewall Application. MSFC routing onto VLAN 10 and VLAN 11, with the FWSM bridging the two VLANs.]

A transparent mode FWSM can isolate less secure servers from more secure servers within the same VLAN and subnet:
- No server re-addressing is needed.
- Selected switch ports are shifted from VLAN 10 to 11 and the FWSM bridges the two VLANs.
- Object-oriented IP ACLs are supported.
- Alternatives include:
  - VACLs, with no ability to create objects for logical groupings and simpler rules
  - Private VLANs

Some organizations need to isolate a set of servers from other servers on the same VLAN. One solution is shown in the figure. The more secure server ports are placed on VLAN 11. The FWSM in a Cisco Catalyst 6500 Series switch is configured in transparent mode to bridge VLANs 10 and 11 together. The Multilayer Switch Feature Card (MSFC) routes traffic for the subnet onto the combined VLAN 10 and 11. The FWSM uses an IP ACL to control what traffic passes from VLAN 10 into VLAN 11. No re-cabling and no re-addressing are needed to support this implementation.

An alternate solution is to use switch VLAN ACLs (VACLs). Switch VACLs control traffic within a VLAN at the IP address level. Using ACLs would require server re-addressing to relocate some of the servers onto a different VLAN and subnet. This is difficult to do quickly, and can require a lot of work from server and application staff.

Note: Maintaining VACLs can be difficult. Many organizations prefer to use FWSMs for their object-oriented configuration, since the FWSMs allow for logical grouping of IP addresses and ports, making for simpler rules.

Private VLANs might also be considered as another alternative for securing the server ports.

Note: Additional details of private VLANs are discussed in the Security Services Design module of this course.
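The VLAN 10/11 split above, as an added model rather than course material: a small Python simulation of which same-subnet flows are switched directly and which are bridged through the FWSM and its object-group ACL. The subnet, server addresses, group names and the single permit rule are constructed assumptions.

```python
"""Model of the transparent-mode FWSM isolation design: one /24 subnet, the
more secure servers' switch ports moved from VLAN 10 to VLAN 11, and the FWSM
bridging the two VLANs with an object-group style IP ACL.

Added example, not Cisco configuration syntax. Subnet, addresses, object-group
names and the permit rule are constructed assumptions."""
from dataclasses import dataclass
import ipaddress

SUBNET = ipaddress.ip_network("10.1.1.0/24")   # unchanged: no server is re-addressed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


# Object groups give the logical grouping of hosts and services that a VACL lacks.
OBJECT_GROUPS = {
    "WEB_FRONTENDS": {"10.1.1.10", "10.1.1.11"},
    "DB_SERVERS": {"10.1.1.50", "10.1.1.51"},
    "DB_SERVICES": {("tcp", 1433), ("tcp", 3306)},
}

# ACL the FWSM applies to frames crossing from VLAN 10 into VLAN 11:
# (action, source group, destination group, service group); implicit deny at the end.
ACL_VLAN10_TO_11 = [
    ("permit", "WEB_FRONTENDS", "DB_SERVERS", "DB_SERVICES"),
]

# Switch port assignment after the change: only the secure servers moved to VLAN 11.
PORT_VLAN = {"10.1.1.10": 10, "10.1.1.11": 10, "10.1.1.20": 10,
             "10.1.1.50": 11, "10.1.1.51": 11}


def acl_permits(pkt, acl):
    """First matching entry wins; no match means the implicit deny."""
    for action, src_grp, dst_grp, svc_grp in acl:
        if (pkt.src in OBJECT_GROUPS[src_grp] and pkt.dst in OBJECT_GROUPS[dst_grp]
                and (pkt.proto, pkt.dport) in OBJECT_GROUPS[svc_grp]):
            return action == "permit"
    return False


def switch_path(pkt):
    """Return (delivered, crossed_fwsm) for a frame between two hosts on the subnet.

    Same-VLAN frames are switched directly and the FWSM never sees them; frames
    between VLAN 10 and VLAN 11 are bridged by the FWSM and filtered by the ACL.
    Assumption in this model: VLAN 11 (more secure) may initiate toward VLAN 10
    freely, since the text only describes filtering from VLAN 10 into VLAN 11."""
    for ip in (pkt.src, pkt.dst):
        if ipaddress.ip_address(ip) not in SUBNET:
            raise ValueError(f"{ip} is off-subnet: routed by the MSFC, not modelled here")
    src_vlan, dst_vlan = PORT_VLAN[pkt.src], PORT_VLAN[pkt.dst]
    if src_vlan == dst_vlan:
        return True, False
    if src_vlan == 10 and dst_vlan == 11:
        return acl_permits(pkt, ACL_VLAN10_TO_11), True
    return True, True


def isolation_report():
    """Constructed sample flows and their fate, a quick sanity check of the ACL."""
    flows = {
        "web->db sql": Packet("10.1.1.10", "10.1.1.50", "tcp", 1433),
        "web->db ssh": Packet("10.1.1.10", "10.1.1.50", "tcp", 22),
        "other->db sql": Packet("10.1.1.20", "10.1.1.50", "tcp", 1433),
        "web->web http": Packet("10.1.1.10", "10.1.1.11", "tcp", 80),
        "db->db repl": Packet("10.1.1.50", "10.1.1.51", "tcp", 3306),
    }
    return {name: switch_path(p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (delivered, via_fwsm) in isolation_report().items():
        print(f"{name:14s} delivered={delivered} via_fwsm={via_fwsm}")
```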
Common Server Load Balancer Designs for E-Commerce

There are some common design approaches used with content load balancing devices.

Functions of a Server Load Balancer

This section discusses the functions of a server load balancer (SLB).

[Figure: Functions of a Server Load Balancer. Clients, Load Balancer, Web Servers, Application, Database.]

- Represents multiple server farms with public IP addresses.
- Intelligently distributes incoming requests according to configurable rules.
- Can rewrite source and/or destination IP or MAC addresses, depending on mode.
- Monitors the health of servers.

An SLB or content load balancer supports both scaling and high availability by distributing client requests for service across active servers. An SLB provides a public IP address or virtual IP address for each service. Clients resolve this address through DNS requests. The SLB intelligently passes traffic through to a pool of real servers based on load and configured rules. The SLB can rewrite source as well as destination IP or MAC addresses, depending on mode. SLBs allow a heavy workload to be spread across many actual servers.

The SLB monitors the health and performance of the servers. When a server needs to be taken down for maintenance, it can be removed from the server pool, and the SLB will continue providing the services using the remaining servers. Similarly, additional server capacity can be added to the pool if the need should arise. These features contribute to enhanced availability for e-commerce module designs.

Paired SLB devices can function in various failover configurations. Sophisticated service monitoring can be used to ensure that service fails over to the redundant device should the primary SLB device lose vital connectivity.
Cisco Server Load Balancing Products

Cisco has three product lines providing content and server load balancing services, as well as numerous other features.

[Figure: Cisco Server Load Balancing Products: CSS, CSM, ACE. These products provide much functionality in addition to server load balancing.]

The Cisco CSS Series Content Services Switch (CSS) is a high-performance, high-availability modular architecture for web infrastructures. As the premier switch for the Cisco Web Network Services Software, the Cisco CSS Series helps businesses to build global Web networks optimized for content delivery and e-commerce. By activating HTTP headers, the CSS Series helps to ensure availability, optimize utilization, reduce latency, increase scalability, and enhance security for websites, server farms, cache clusters, and firewall systems. The CSS has a mechanism to monitor backend servers and their applications for load balancing decisions.

The Cisco Content Switching Module (CSM) adds advanced Layer 4 to Layer 7 server load balancing capabilities to Cisco Catalyst 6500 Series switches or the Cisco 7600 Series routers. The Cisco CSM offers a complete set of advanced features and benefits including:

- Investment protection in a high-density, scalable platform with proven reliability
- Reduced application response times, optimized service delivery, increased application uptime and service scalability for servers, firewalls, VPN devices, Secure Sockets Layer (SSL) termination devices and caches
- Fault-tolerant configurations to provide improved application uptime utilizing connection and sticky state redundancy for seamless failover
- Accommodation for a wide range of common IP protocols, including TCP, User Datagram Protocol (UDP), and higher-level protocols, including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, Domain Name System (DNS), Real-Time Streaming Protocol (RTSP) and Simple Mail Transfer Protocol (SMTP)
- Integration into an existing infrastructure, minimizing the time and resources required to deploy server load balancing services

The Cisco Application Control Engine (ACE) provides:

- Centralized control for IT over the deployment and management of application services while allowing individual groups to administer their own application instances: the capability to manage 250 virtual partitions, which incorporate Layer 2-7 services, within a single physical device, plus role-based access control, workflow management, and rollback capability, helps simplify management and reduce costs.
- Industry-leading application and device performance: 16-Gbps throughput and 345,000 sustained connection setups per second to handle large-scale operations, plus unique WAN latency and bandwidth reduction capabilities, help drive optimal end-user response times across the network.
- Rich levels of application and network security: includes bidirectional support for content inspection, SSL encryption/decryption, and transaction logging for application security forensics.
SLB Design Models

This section discusses design approaches that can be used with SLB devices.

Three basic SLB design models:
- Router mode
- Bridge mode (inline)
- One-arm mode (or two-arm mode) with alternative implementations:
  - Server default gateway is the SLB.
  - PBR is used.
  - Client source NAT is used.

Redundancy decisions:
- Active/passive
- Active/active
- Failover triggers

There are three basic design approaches used with SLB devices:
- Router mode. In this design approach, the SLB routes between outside and inside subnets.
- Bridge mode (inline). In this design approach, the SLB operates in a transparent bridging mode.
- One-arm (or two-arm) mode. The one-arm or two-arm mode can be implemented in several ways. The server default gateway can be set to the SLB device. Policy-based routing (PBR) or client source Network Address Translation (NAT) can be used. The point of these techniques is to force replies from servers to pass back through the SLB on their way to the customer or end user.

With any of the three basic design approaches, there are options for redundancy. One redundancy option is an active/passive implementation where the SLBs are configured with one active SLB that is backed up by a passive SLB. With active/active redundancy, one SLB is active for certain virtual IP addresses or services, and another SLB is active for others. The SLBs in the active/active implementation back each other up. There are also various configuration options for failover triggers.

Note: A discussion of failover triggers is beyond the scope of this course.
SLB Router Mode

One very popular SLB design approach is the SLB router mode.

[Figure: SLB Router Mode. Subnet A on the outside of the SLB; subnets B and C with the servers on the inside. Servers' default gateway: SLB inside address.]

SLB routes in router mode:
- VIPs are usually in a routable public subnet.
- Servers are in a private IP subnet.
- Design is easy to deploy with many server IP subnets.
- By default, if a packet is sent to the MAC address of the SLB, the SLB will route the packet from an outside address to an inside address.
- Design is the preferred configuration for appliance-based server load balancers.

In this design approach, the SLB routes between outside and inside subnets. The virtual IP addresses (VIPs) of services are usually in a globally routable public IP subnet. In the figure, the public network is subnet A. The real servers are typically in a private IP subnet. In the figure, the private networks are subnets B and C. The SLB knows to route a packet between the public and the private subnets when it sees its MAC address as destination. This design is easy to deploy and works well with many server IP subnets. It is the recommended approach for the CSS or any appliance-based content load balancer.

The real servers typically use the SLB inside address as their default gateway. As the return reply traffic passes through the SLB, the source real IP is changed to the VIP address, so the end user has no direct way of telling that there is an SLB in the path. The end user does not see the IP address of the real server.

Note: You may need to readdress some network devices to support SLB deployments.

Using private IP addresses for the real servers protects them from direct attack across the Internet. Would-be hackers cannot route traffic directly to the real servers.
SLB Inline Bridge Mode

The SLB may be used in an inline bridge mode.

[Figure: SLB Inline Bridge Mode. Subnet A spans VLAN 10 and VLAN 20 with the SLB bridging between them. Servers' default gateway: upstream router.]

SLB bridges in bridge mode:
- Servers are in a routable IP subnet.
- VIPs can be in the same or a different subnet.
- Design requires one IP subnet for each server farm.
- The SLB acts as a transparent device between the servers and the upstream firewall or Layer 3 device.
- Although this is a suggested configuration for integrated load balancers, there can be spanning tree and redundancy issues for appliance-based load balancers.

This mode operates much like the firewall transparent bridging mode. The content load balancer or SLB device bridges, acting as a bump in the wire or transparent device between the servers and the upstream firewall or Layer 3 device. With this design, the real servers are in a globally routable IP subnet. The VIP addresses of services can be in the same or a different subnet. Each server farm must be in one IP subnet, which means the servers cannot be spread across multiple subnets. This restriction is because the MAC address of the common VIP is changed to the specific MAC address of a real server in order to direct traffic to the appropriate real server.

This design is one suggested configuration for integrated load balancers. If SLBs are deployed in a redundant configuration, you need to be concerned about spanning tree implications in the design.

Note: Configuring and designing SLBs for routed operation is typically simpler than for bridged operation because troubleshooting SLB-induced spanning tree issues can get complicated.
SLB One-Arm Mode Overview

The one-armed (or two-armed) mode is another popular approach for deploying SLB devices.

[Figure: SLB One-Arm Mode Overview. The SLB hangs off the switch on subnet B alongside the servers. Servers' default gateway: SLB.]

- SLB is not inline.
- Return traffic requires PBR, server default gateway pointing to SLB, or client source NAT.
- Mode is not as common as bridge or routed mode.
- This out-of-band approach supports scaling.

In this approach, the SLB is connected to a switch, typically with one or two connections. It is not directly inline with the traffic path as with the previous designs. In the one-armed approach, the SLB VIP and the real servers are in the same VLAN or subnet. In the two-armed approach, the SLB routes traffic to the real server subnet, which can be a private subnet.

Routing causes inbound end-user traffic to reach the VIP on the SLB. The SLB then translates the IP destination to a real server IP address and forwards to the real server, as in routed mode. The main difference is that return traffic needs to be forced to go to the SLB, so that the source IP address of traffic from the real server can be translated back to the VIP that the end user device thinks it is communicating with. There are multiple ways to cause return traffic to go through the SLB:
- The simplest way is to set the server default gateway to the SLB rather than the router.
- Another approach is to use policy-based routing to push or deflect the appropriate outbound server traffic over to the SLB as next hop.
- A third approach is to use client source NAT (CSNAT), where the client source address is replaced with the SLB address. The server then sends its reply back to the SLB, which changes the destination address back to the real end user address and forwards the packet. This is based on a connection table in the SLB. The main reason this approach is not as popular is that many sites want the original end user IP address, either for simple web logs and marketing purposes, or for security audit trail purposes.
CSNAT interferes with the direct ability to do either of these things.

One advantage of the one-armed or two-armed (out of band) approach is that inbound and outbound traffic need not go through the SLB. For example, PBR can allow the real server to do a file transfer or backup directly out of the e-commerce module, without having to burden the SLB with processing all those packets. This may be helpful in scaling the e-commerce module to support greater traffic volumes.

Another advantage is that scaling by adding SLBs is simple. Different VIPs steer traffic to the different SLBs. PBR or CSNAT steer replies back through the correct SLB. Server default gateways could be used to provide services using completely different server pools.

Misconfigured SLB One-Arm Mode Flows

This figure shows how the traffic flows in misconfigured one-armed SLB mode.

[Figure: Misconfigured SLB One-Arm Mode Flows (without PBR, client NAT, or the server gateway being set to the load balancer)]
  Step 1  Source: Router MAC, Client IP, Random Port           Destination: SLB MAC, VIP, VIP Port
  Step 2  Source: SLB MAC, Client IP, Random Port              Destination: Selected Server MAC, Selected Server IP, VIP Port
  Step 3  Source: Server MAC, Selected Server IP, VIP Port     Destination: Client IP, Random Port (RESET)

Step 1: The client sends traffic to the VIP. It is routed by the edge router, which uses its MAC address as source MAC. It looks up the VIP in its routing table and applies the SLB MAC as destination MAC address.

Step 2: The SLB substitutes its MAC as source MAC, and the selected server MAC and IP as destination information.

Step 3: Unless server default gateway, PBR, or CSNAT is in place, the real server reply goes directly to the client. This will cause a RESET, since the client is receiving traffic from a different IP address than the VIP its connection was established to. The RESET means the SLB will appear to be operating incorrectly. Really, the problem is the lack of a deployed mechanism to force replies back through the SLB.
SLB Full Rewrite

The figure shows an SLB device doing a full rewrite based on client source NAT (CSNAT).

[Figure: SLB Full Rewrite Based on Client Source NAT]
  Step 1  Source: Router MAC, Client IP, Random Port           Destination: SLB MAC, VIP, VIP Port
  Step 2  Source: SLB MAC, SLB Natpool IP, SLB Random Port     Destination: Selected Server MAC, Selected Server IP, Specific Server Port

With CSNAT, the IP address of the client is rewritten by NAT before the packet goes to the server. Note that everything about the source (MAC, IP, and port) is rewritten. When the server replies, it has no choice but to reply to the SLB device.

One potential issue with CSNAT is accountability. Traffic logs on the servers will only show the IP address of the SLB.
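The misconfigured one-arm flow, the three return-path fixes, and the CSNAT full rewrite from the sections above, as an added Python simulation that is not part of the course material: it walks one SYN and its SYN-ACK frame by frame and reports whether the client accepts the reply and which source IP the server logged. All MAC and IP addresses, ports and the round-robin server choice are constructed assumptions.

```python
"""Simulation of the one-arm SLB return-path problem and the three fixes
(server default gateway on the SLB, PBR, client source NAT), including the
CSNAT full rewrite and its accountability side effect.

Added example, not Cisco code. MAC and IP addresses, ports and the round-robin
server choice are constructed assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int
    flags: str = ""


# Constructed one-armed topology: VIP, natpool and real servers share one VLAN.
CLIENT_MAC, CLIENT_IP, CLIENT_PORT = "mac-client", "198.51.100.7", 40000
ROUTER_MAC = "mac-router"
SLB_MAC, VIP, VIP_PORT = "mac-slb", "203.0.113.10", 80
NATPOOL_IP = "203.0.113.20"            # SLB natpool address, used only in CSNAT mode
SERVERS = {"203.0.113.11": "mac-srv1", "203.0.113.12": "mac-srv2"}
MODES = ("none", "default_gateway", "pbr", "csnat")


class OneArmSLB:
    def __init__(self, mode):
        assert mode in MODES
        self.mode = mode
        self.conns = {}            # connection table: server-side key -> (client ip, port)
        self.next_nat_port = 50000
        self.rr = 0

    def pick_server(self):
        ip = list(SERVERS)[self.rr % len(SERVERS)]
        self.rr += 1
        return ip

    def inbound(self, pkt):
        """Client -> VIP frame handed to the SLB MAC by the edge router."""
        server_ip = self.pick_server()
        if self.mode == "csnat":
            # Full rewrite: source MAC, IP and port all become the SLB's own.
            nat_port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
            self.conns[(server_ip, nat_port)] = (pkt.src_ip, pkt.src_port)
            return replace(pkt, src_mac=SLB_MAC, src_ip=NATPOOL_IP, src_port=nat_port,
                           dst_mac=SERVERS[server_ip], dst_ip=server_ip, dst_port=VIP_PORT)
        # Destination rewrite only: the real client IP reaches the server.
        self.conns[(server_ip, pkt.src_ip, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_mac=SLB_MAC, dst_mac=SERVERS[server_ip],
                       dst_ip=server_ip, dst_port=VIP_PORT)

    def outbound(self, pkt):
        """Server reply that reached the SLB: restore VIP as source, client as destination."""
        key = ((pkt.src_ip, pkt.dst_port) if self.mode == "csnat"
               else (pkt.src_ip, pkt.dst_ip, pkt.dst_port))
        client_ip, client_port = self.conns[key]
        return replace(pkt, src_mac=SLB_MAC, src_ip=VIP, src_port=VIP_PORT,
                       dst_mac=ROUTER_MAC, dst_ip=client_ip, dst_port=client_port)


def edge_router(pkt, mode):
    """Traffic for the VIP goes to the SLB MAC; server replies are deflected to the
    SLB only when PBR is configured, otherwise they go straight to the client."""
    if pkt.dst_ip == VIP or (mode == "pbr" and pkt.src_ip in SERVERS):
        return replace(pkt, src_mac=ROUTER_MAC, dst_mac=SLB_MAC)
    return replace(pkt, src_mac=ROUTER_MAC, dst_mac=CLIENT_MAC)


def real_server(req, mode, log):
    """The server answers whatever source it saw and logs that source IP."""
    log.append(req.src_ip)
    reply = Pkt(SERVERS[req.dst_ip], req.dst_ip, req.dst_port,
                "", req.src_ip, req.src_port, "SYN-ACK")
    if mode in ("csnat", "default_gateway"):
        # CSNAT: the destination is the SLB's own natpool IP; default_gateway:
        # the server's gateway is the SLB. Either way the frame goes to the SLB.
        return replace(reply, dst_mac=SLB_MAC)
    return replace(reply, dst_mac=ROUTER_MAC)     # default gateway is the upstream router


def simulate(mode):
    """Return (what the client does with the reply, source IP the server logged)."""
    slb, log = OneArmSLB(mode), []
    pkt = Pkt(CLIENT_MAC, CLIENT_IP, CLIENT_PORT, ROUTER_MAC, VIP, VIP_PORT, "SYN")
    for _ in range(8):                         # deliver frame by frame on destination MAC
        if pkt.dst_mac == CLIENT_MAC:
            break
        if pkt.dst_mac == ROUTER_MAC:
            pkt = edge_router(pkt, mode)
        elif pkt.dst_mac == SLB_MAC:
            pkt = slb.inbound(pkt) if pkt.dst_ip == VIP else slb.outbound(pkt)
        else:
            pkt = real_server(pkt, mode, log)
    # Step 3 on the page: a SYN-ACK from an address other than the VIP draws a RESET.
    verdict = "ACK" if (pkt.src_ip, pkt.src_port) == (VIP, VIP_PORT) else "RESET"
    return verdict, log[0]


if __name__ == "__main__":
    for m in MODES:
        print(f"{m:16s} client={simulate(m)[0]:5s} server_logged={simulate(m)[1]}")
```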
Common Topology Designs for E-Commerce

This topic discusses common topology designs for e-commerce.

Design Option: One Firewall Per ISP

One of the key components for e-commerce is ISP connectivity.

[Figure: Design Option: One Firewall Per ISP. Service Provider A and Service Provider B each reached through its own edge device, each translating to its own ISP-assigned address block.]

- Devices use NAT to two ISP-assigned blocks.
- DNS resolves VIP addresses from both ISP blocks.
- Failover is disruptive.
- External DNS needs to be aware of site connectivity.

The figure shows a common approach to dual-homing, or connecting a site to two ISPs. This approach is common among small sites since it is relatively easy to set up and administer. The basic approach is to use a router and/or firewall to connect to each ISP.

Note: With the Cisco IOS firewall features, one device might be used for both functions.

Another variation on this design uses one router to support both ISP connections. Each edge path uses NAT to translate the inside address of the e-commerce servers to the address block provided by the ISP. External DNS resolves the site name to an address from either external address block. If the DNS software resolves using a round robin approach, users are roughly load balanced across the two paths to the company web server. Routing takes the traffic to the outside of the relevant NAT device or firewall.

There are some drawbacks to this design. The main issue is that any failure on the ISP edge path means loss of session because the failover between edge paths is not stateful. Dual routers and connections per ISP can be used for more robust connectivity to each ISP. In this case, the non-stateful failover will only be used when connectivity through one ISP is lost. In addition, the external DNS needs to be aware of site connectivity so that it can cease resolving the domain name to addresses at the site that is down.
Design Option: Stateful Failover with Common External Prefix

A more sophisticated way to dual-home an e-commerce site to two ISPs uses stateful failover with a common external prefix.

[Figure: Design Option: Stateful Failover with Common External Prefix. Service Provider A and Service Provider B both advertise the site's common /24 prefix.]

- Devices use NAT to a common external prefix.
- Both ISPs advertise the common prefix.
- Firewalls support stateful failover.

The figure shows this approach. The main difference is that the firewall pair and the NAT devices support some form of stateful failover. The NAT devices translate addresses to a block that both ISPs are willing to advertise for the site, the /24 block in the figure. This might be a block obtained from one of the providers, or for large organizations it can be a block obtained independently from the IP address authorities. The edge routers advertise this block via BGP to both ISPs, who must be willing to advertise it to their peers.

Note: The site should use an assigned BGP AS number to prevent the site becoming a transit link between the ISPs, and also to prevent looping of routing information.

When one provider loses routing or its link, BGP provides users with automatic failover to the other path into the site. Should there be a failure internal to the site (switches or links), the firewalls can support stateful failover with an active/active design. HSRP is used for failover should one switch-to-router link fail.
Design Option: Distributed Data Centers

Very large e-commerce sites often use distributed data centers.

[Figure: Design Option: Distributed Data Centers. A Production Data Center and a Backup Data Center, each running APP A and APP B and linked over FC, reached through Service Provider A and Service Provider B.]

- Active/active designs
- Off the air detection: DNS-based, or the Cisco GSS DNS approach
- Diversity
- Advertisement of both sites

A two chassis deployment can provide more failover flexibility than having one chassis with dual components such as power and supervisor modules. Similarly, having two sites increases overall high availability while lessening the uptime requirements for each individual site. When the e-commerce modules are implemented in well designed distributed data centers, this approach also means that one site can occasionally be taken offline for maintenance while not disrupting customer service. Using two e-commerce sites also protects against regional problems. This feature is becoming a requirement for banks and other critical services.

To support the distributed data center design, applications need to be migrated to technology allowing active/active hot databases as opposed to an active database and a mirrored hot spare database.

Another key element when using distributed sites is technology to detect when a site is off the air and should be failed over. The devices that detect the need for failover and respond must be external to the two sites. This technology can be an external service, or can be provided by equipment at one or more Service Provider co-location facilities. The off the air detection might be provided by an external service such as Akamai or UltraDNS. It might also be provided using the Cisco Global Site Selector (GSS) technology, typically within a provider co-location facility. The function provided is called Global Server Load Balancing (GSLB).

Note: GSLB is discussed in more detail in this module.
Some organizations dislike any DNS-based failover techniques because DNS or browser caches retain old DNS values for quite some time, and because many implementations do not exhibit proper behavior in regard to DNS TTL values. Implementations also may incorrectly use source IP to guess user location, or do reordering when a DNS server or GSS provides an ordered list of addresses. Nonetheless, various large sites do use GSLB and feel strongly that it improves their service offering.

Another consideration at some sites is diversity of DNS, which impacts the degree of protection against Distributed Denial of Service (DDoS) on DNS servers. Large external DNS services using Anycast IP are one way to protect DNS from attacks. Other approaches you might consider are site-controlled external DNS servers or GSS devices in co-location facilities.

One design approach for distributed e-commerce modules is to tie the redundant sites together via an internal WAN link to avoid the need for external failover response. With this approach, DNS provides the addresses of servers at either site, addressed from a block of addresses advertised through the ISPs of both sites. Should the connectivity from one site to the Internet fail, Internet and internal routing redirect traffic to go through the other connection. Delay in failover and the impact of any routing instability are potential drawbacks to this approach. On the other hand, failover at Internet scale cannot be too rapid or instability would result.

Note: This discussion gives a brief overview of some of the major factors a multi-site designer should consider.
Summary

This topic summarizes the key points discussed in this lesson.

- The firewall sandwich approach is common in e-commerce module designs:
  - It separates web, application, and database or inside zones with redundant firewall layers.
  - These layers may be virtualized in an FWSM.
  - Firewalls are used in routing or bridging modes.
- SLBs map a virtual IP to real servers for enhanced availability and scaling of server capacity.
- SLBs can be used in router, bridge, or one-armed modes.
- Dual ISP connections are a common e-commerce topology:
  - One firewall per ISP with separate NAT pools is one design.
  - A common external prefix advertised through BGP with a single NAT pool is another design.
- Distributed data centers with different ISPs support very large e-commerce sites.
Lesson 3

Integrated E-Commerce Designs

Overview

This lesson focuses on complete e-commerce designs, rather than how to design for the addition of one more component to a network infrastructure. Complete designs are important because the e-commerce design differs in crucial ways from the rest of a data center or campus design. In this lesson, various common ways to assemble functioning e-commerce modules are discussed. Four designs are examined in some detail to illustrate options and allow analysis of how each topology works. The lesson concludes with some general observations that apply to any of the four common designs.

Objectives

Upon completing this lesson, you will be able to discuss integrated e-commerce designs. This ability includes being able to meet these objectives:
- Discuss a basic e-commerce module design including traffic flows
- Discuss a two firewall layer SLB design including traffic flows
- Discuss the one-armed SLB design with two firewall layers including traffic flows
- Discuss the one-armed SLB design with multiple security contexts including traffic flows
- Discuss testing incidents and failovers in prospective e-commerce module designs
Base E-Commerce Module Design

The figure shows the essentials of a basic e-commerce module design.

[Figure: Base E-Commerce Module Design. The Internet connects to Cat6509-Core-1 and Cat6509-Core-2; VLAN 2 and VLAN 3 connect the core to Cat6513-Agg-1 and Cat6513-Agg-2, which carry CSM1 and CSM2 (VLAN 200, Control PortChannel); VLANs 17, 18 and 19 connect to Cat6509-Access-1 and Cat6509-Access-2 with the Web VLAN, App VLAN and DB VLAN (Web Server, App Server, DB Server).]

Security Details:
- Layer 3 firewall used
- Firewall perimeter at the core
- Aggregation and access are considered trusted zones
- Security perimeter not possible between web/app/db tiers

SLB Details:
- CSM is used in routed mode
- Server default gateway is the CSM VIP
- CSM default gateway is the HSRP group on the MSFC
- RHI is possible
- All server traffic goes through the CSM
- Additional configurations needed for direct access to servers and non-load balanced server initiated sessions

The basic e-commerce design is deployed in a redundant manner. The core layer supports the first stage of firewalls. In the figure, the core layer uses Cisco Catalyst 6509 Series switches with integrated Firewall Services Modules (FWSMs). This design places the firewall perimeter at the core, and the firewalls in the core are used in Layer 3 routed mode. The aggregation and access layers are considered trusted zones. There is no security between the web, application, and database zones in this basic design. This does mean that if one of the servers is compromised, the attacker may have full access to the other servers and the internal network.

The aggregation layer supports connectivity to the server load balancers (SLBs) or firewalls in routed mode. In the figure, Cisco Catalyst 6513 Series switches with the Cisco Content Switching Module (CSM) are used as SLBs. Other SLBs such as the Application Control Engine (ACE) could be used. The default gateway for the e-commerce servers is the virtual IP address (VIP) on the SLB or firewall in the aggregation layer.
The default gateway for the CSMs is an HSRP address on the Multilayer Switch Feature Card (MSFC) in the same switch. Since the MSFC is directly connected to the SLB, route health injection of host routes is possible. The access switches connect the web servers, application servers, and database servers. In some more complex designs, the database servers or mainframes are inside the main data center, isolated by firewalls from the e-commerce module. In this design, all e-commerce traffic goes via the CSMs. Additional CSM configuration is needed for direct access to the servers, or for non-load-balanced sessions initiated by the servers.

Designing Cisco Network Service Architectures (ARCH) v2.0, Cisco Systems, Inc.
Base Design Routing Logic
This section discusses the routing logic in the base e-commerce design.

[Figure: Base Design Routing Logic. Same topology as the base design (CORE1/CORE2, AGG1/AGG2 with CSM1/CSM2, ACC1/ACC2; all switches are Cisco Catalyst 6500 Series). Inbound route legend: static or BGP route at the ISP; static route, NH=FW; static route, NH=HSRP; connected routes, NH=CSM; connected subnets. Outbound default routes: 0/0, NH=CSM (servers); 0/0, NH=HSRP VIP (CSM); 0/0, NH=FW (MSFC); 0/0, NH=HSRP VIP (firewall); 0/0, NH=ISP router connected interface (border routers).]

The routing in the base e-commerce module is mostly static, using virtual IP addresses to support failover. The figure clarifies how the routing is intended to work. This can be particularly helpful in determining that failover has been properly designed. The left side of the figure shows how traffic is routed by way of next hop (NH) addresses to the virtual IP of a service on the CSM and then to a server IP. The right side of the figure shows how traffic is routed out from the servers using NH addresses to the Internet.

Inbound, the ISP uses a static or BGP route to direct traffic to the network shown. The border router probably uses a static route with next hop (NH) the outside IP of the firewall; OSPF routing might be used instead. The firewall uses a static route with next hop the HSRP address of the route processor component in the switch. That in turn uses a connected route to reach the CSM or ACE, and static routes to reach the actual server IP addresses. If route health injection (RHI) is used, it provides the necessary routes to the virtual IPs (VIPs). Finally, the CSM or ACE views the server subnets as directly connected subnets.

Outbound, servers use the CSM or ACE as the default gateway.
From there, a default route causes traffic to go to the HSRP VIP on the MSFCs, then to the firewall inside IP address, then to the HSRP VIP of the border router pair, and finally to the connected interface of the ISP router. The VLANs between the aggregation layer switches are used for first hop redundancy protocol (FHRP) or failover heartbeat detection.

© 2007 Cisco Systems, Inc. E-Commerce Module Design 7-39
Base Design Server Traffic Flows
The graphic shows representative flows going to and from a web server in the base design.

[Figure: Base Design Server Traffic Flows. Left panel, Load Balanced Session Flow: the core firewall makes the security decision, the CSM makes the SLB decision. Right panel, Server Management Session Flow: the same path, with the CSM passing traffic directly to the server.]

The left side of the figure shows a load-balanced session flow. The right side shows a server management session flow, perhaps an SSH connection direct to a server. The flow is fairly straightforward. The firewall handles the security logic. The CSM handles the SLB decision, or passes management traffic directly to a specific server.

Note: Sometimes special server management addresses are used to make it easier to configure the CSM to pass management traffic directly to the server. In other cases, the actual server address is used, rather than the virtual IP (VIP) of the service, to indicate management traffic to the SLB module.
Two Firewall Layers Design
This section discusses a sample design using two firewall layers to support the e-commerce module.

[Figure: Two Firewall Layers Design. CORE1/CORE2 facing the Internet (VLAN 2, VLAN 3); AGG1/AGG2 with FWSM1/FWSM2 (VLANs 7-9) and CSM1/CSM2 (multiple control PortChannels, VLANs 17-19); ACC1/ACC2 with Web, App and DB VLANs and servers.]

Security Details
- Layer 3 firewall used as the firewall perimeter at the core
- Layer 3 firewall with a single context at the aggregation layer
- Firewall services are deployed in the aggregation layer between the web/app/DB tiers

SLB Details
- CSM is used in a bridged design with multiple bridged VLAN pairs
- Server default gateway is the aggregation firewall primary IP address
- No extra configuration is needed for direct access to servers or for non-load-balanced, server-initiated sessions
- CSM default gateway is the firewall primary IP address
- MSFC is not directly connected to the CSM, so RHI is not possible
- All server traffic goes through the CSM

For more protection, a firewall can be inserted into the aggregation layer. In the sample design in the figure, FWSM modules have been added to the aggregation switches. The additional FWSM provides security between the web, application, and database tiers. Even if the exterior-facing web servers are compromised, there is a high degree of protection for the application and database servers, and for any connections to the rest of the internal data center network or mainframe.

Note: ACE modules could be used in place of the FWSMs.

With this design, the CSM can be used in routed mode, as was done in the base design, or it can be used in bridged mode to bridge between multiple VLAN pairs. The figure illustrates a bridged approach, where the default gateway for the servers is the primary FWSM interface in the aggregation switch rather than an address on the CSM. The aggregation switch FWSM routes traffic directly to the server subnets.
This traffic is bridged through the CSM, so the traffic burden on the CSM is not reduced. However, no extra configuration is needed for direct access to the servers (for example, for deterministic testing from outside) or for non-load-balanced sessions initiated by the servers (for example, FTP downloads).

Note: Since the MSFC is not on the same subnet as the CSM, route health injection is not possible.
The VLANs between the aggregation layer switches are used for FHRP or failover heartbeat detection.

Two Firewall Layers Design Traffic Flows
The graphic shows representative flows going to and from a web server in the two firewall layers design.

[Figure: Two Firewall Layers Design Traffic Flows. Left panel, Load Balanced Session Flow: the core firewall makes the security decisions, FWSM1/FWSM2 provide the internal DMZ perimeters, the CSM makes the SLB decision. Right panel, Web Server to App Server Session Flow: the CSM bridges the traffic, the aggregation FWSM routes between the web and application subnets.]

User web traffic is shown in the left half of the figure:
- The perimeter firewall at the core still makes security decisions.
- The aggregation layer firewall provides internal DMZ perimeters protecting the servers.
- The CSM makes the SLB decisions as before.

The right half of the figure shows the traffic flow from web server to application server. The flow from the web server is bridged through the CSM to the default gateway for that subnet on the aggregation switch FWSM. The FWSM then routes the traffic to the application server subnet. The traffic is bridged through the CSM to the application server. Return traffic from the application server to the web server is handled similarly. The application server subnet default gateway is used to direct traffic to the FWSM, which routes it back onto the web server subnet.
One-Armed Design with Two Firewall Layers
This section discusses a design using a one-armed SLB device with two firewall layers supporting the e-commerce module.

[Figure: One-Armed Design with Two Firewall Layers. CORE1/CORE2 facing the Internet (VLAN 2, VLAN 3); AGG1/AGG2 with FWSM1/FWSM2 and one-armed CSM1/CSM2 (multiple control PortChannels, VLANs 17-19); ACC1/ACC2 with Web, App and DB VLANs and servers.]

Security Details
- Layer 3 firewall is used as the firewall perimeter at the core.
- Layer 3 firewall with a single context is used at the aggregation layer.
- Firewall services are deployed in the aggregation layer between the web/app/DB tiers.

SLB Details
- CSM is used in a one-armed fashion:
  - Server default gateway is the aggregation firewall primary IP address.
  - No extra configuration is needed for direct access to servers or for non-load-balanced, server-initiated sessions.
  - All non-load-balanced traffic to and from servers bypasses the CSM.
- CSM default gateway is the HSRP group address on the MSFC.
- Since the MSFC is directly connected to the CSM, RHI is possible.

In a one-armed design with two firewall layers, the CSM can be moved to a position where selected traffic to and from the servers does not go through the CSM. The design can be scaled by adding additional FWSM and CSM or ACE modules to the switch chassis.

In this design, the default gateway of the servers remains the appropriate primary IP address on the firewall interface in the aggregation switch in the relevant subnet (VLAN). The default gateway of the CSM is the HSRP group address on the MSFCs. Inbound traffic is routed to the CSM as a connected route to the VIP of the service on the CSM. The CSM then statically routes inbound traffic to the aggregation switch FWSM, which routes to the connected server subnet. Traffic bound directly for a real server IP bypasses the CSM. The appropriate outbound traffic from the servers needs to be directed to the CSM by PBR or CSNAT.
The MSFC is once again directly connected to the CSM, so route health injection is possible. No extra configuration is needed for direct traffic to and from the servers. Non-load-balanced traffic bypasses the CSM.
One-Armed Design with Two Firewall Layers Traffic Flows
The graphic shows representative flows going to and from a web server in the one-armed SLB design with two firewall layers.

[Figure: One-Armed Design with Two Firewall Layers Traffic Flows. Left panel, Load Balanced Session Flow: the core firewall makes the security decisions, PBR or source NAT steers outbound server traffic to the SLB, the ACE/CSM makes the SLB decision, FWSM1/FWSM2 provide the internal DMZ perimeters. Right panel, Web Server to App Server Session Flow: the ACE/CSM is bypassed and the aggregation FWSM routes between the web and application VLANs.]

The left half of the figure remains much the same as before. The difference is that PBR or CSNAT is required to direct the outbound server traffic from the MSFC to the SLB.

The right half of the figure differs from the previous design. The web server to application server traffic can bypass the CSM in this design approach. The FWSM can route traffic between the web server VLAN and the application server VLAN. If server load balancing is desired for web-to-application traffic, a more complex approach is required; for example, a virtual application server address in another subnet allows simple routing of web-to-virtual-application traffic by way of the CSM.
One-Armed Design with Direct Server Traffic Flows
The graphic shows representative flows for server management and direct Internet traffic going to and from a web server in the one-armed design with two firewall layers.

[Figure: One-Armed Design with Direct Server Traffic Flows. Server Management Session Flow: the core firewall makes the security decisions, the ACE/CSM is bypassed, FWSM1/FWSM2 provide the internal DMZ perimeters in front of the Web, App and DB VLANs.]

This design moves the CSM out of the traffic path so that the CSM can be bypassed for non-load-balanced traffic and for direct Internet traffic to and from the servers.
One-Armed SLB Design with Firewall Contexts
This section discusses a design option using the one-armed SLB model with the aggregation firewall supporting multiple firewall contexts.

[Figure: One-Armed Design with Firewall Contexts. CORE1/CORE2 facing the Internet (VLAN 12); AGG1/AGG2 with a secure internal segment (VLAN 2), FWSM1/FWSM2 contexts bridging VLANs 7-9 to VLANs 17-19, and one-armed CSMs over multiple control PortChannels; ACC1/ACC2 with Web, App and DB VLANs and servers.]

Security Details
- Layer 2 firewall used with multiple contexts.
- Firewall perimeter at the outside, the internal segment and each DMZ.
- Aggregation MSFC is a secure internal segment with protection from each connected network.

SLB Details
- CSM is used in a one-armed fashion:
  - Server default gateway is the HSRP primary IP address.
  - No extra configuration is needed for direct access to servers or for non-load-balanced, server-initiated sessions.
  - All non-load-balanced traffic to and from servers bypasses the CSM.
- CSM default gateway is the HSRP group address on the MSFC.
- Since the MSFC is directly connected to the CSM, RHI is possible.

The aggregation FWSM can be used in transparent mode, with the MSFC routing between the server VLANs. A firewall context can also be placed logically in the Layer 2 path before traffic reaches the MSFC. This option removes the need for a separate firewall in the core layer.

The CSM is deployed in a one-armed topology, still in routed mode. Since the MSFC is directly connected to the CSM, route health injection is possible. Since the CSM is in one-armed mode, non-load-balanced traffic can easily bypass the CSM.
One-Armed SLB Design with Firewall Contexts Traffic Flows
The graphic shows representative flows going to and from a web server in the one-armed design with multiple firewall contexts.

[Figure: One-Armed SLB Design with Firewall Contexts Traffic Flows. Left panel, Load Balanced Session Flow: traffic crosses a virtual firewall into the secure internal segment (VLAN 2), the ACE/CSM makes the SLB decision, and the virtual firewalls (FWSM1/FWSM2) bridge VLANs 7-9 to the Web, App and DB VLANs. Right panel, Web Server to App Server Session Flow: the ACE/CSM is bypassed and the MSFC routes between the server subnets through the virtual firewalls.]

On the left side of the figure, inbound traffic reaches the core router and is routed to the MSFC in the aggregation layer switch. In order to reach the MSFC, it passes through a FWSM firewall context in transparent mode for security checks and ACLs. The MSFC then routes inbound packets to the VIP on the CSM, which does destination NAT on the packets. The CSM then routes the packets to the web server subnet. Since the FWSM is logically between the MSFC and the VLAN for the web servers, the FWSM applies ACLs and security enforcement.

Note: Each subnet (web, app, DB) occurs on two VLANs, which the FWSM bridges together.

Outbound traffic from a web server goes through the FWSM to the MSFC, is routed to the CSM via PBR, and goes from there out to the core router.

The right half of the diagram shows traffic being routed by the MSFC between the web server subnet and the application server subnet. This traffic passes through the FWSM twice, giving ample opportunity to enforce ACLs and security policies.
Return traffic also passes through the FWSM twice. All routing next hops use HSRP virtual addresses, either on the MSFC or on the core routers. With a little configuration effort, traffic from web to application server can pass through the CSM.

Note: This discussion did not cover how the redundant CSM or FWSM gets used. The trunk between the switches is necessary to support failover.
One-Armed SLB Design with CSS
This section looks at a one-armed SLB design using CSS devices in which all traffic is firewalled.

[Figure: One-Armed SLB Design with CSS. Edge Router 1 and Edge Router 2 facing the Internet; CORE1 and CORE2 MSFCs with FWSM1/FWSM2 contexts (outside, inside core, internal router, secure internal segment); CSS11506_1 and CSS11506_2 in one-armed mode connected over data, failover and state-link PortChannels; Web Server 1/2 and App Server 1/2 on separate VLANs.]

Design Approach
- Layer 2 firewall used with multiple contexts.
- NAT is performed on the MSFC.
- Firewall perimeters are at the outside, the internal segment and each DMZ.
- Aggregation MSFC is a secure internal segment with protection from each connected network.
- Server access switches are set up as Layer 2 devices.

Server Load Balancing Details
- CSM is used in a one-armed fashion.
- Server default gateway is the HSRP primary IP address.
- All non-load-balanced traffic to and from servers bypasses the CSM.
- CSM default gateway is the HSRP group address on the MSFC.
- Since the MSFC is directly connected to the CSM, RHI is possible.

The figure shows how a FWSM can be used to firewall all traffic. In this design, a Layer 2 firewall is used with multiple security contexts. There are several DMZs, with firewall perimeters outside, inside, and at each DMZ. The aggregation layer MSFC is a secure internal segment with protection from each connected network, including malicious activity from data center networks.

In the figure, the external CSS is used in one-armed fashion. The dual CSS devices are connected with ports in the same VLANs. NAT is implemented on the MSFC, since a transparent firewall does not support this function. Another design option is to use an additional routed context on the FWSM to support NAT. The CSS default gateway is the HSRP group address on the MSFC. The CSS pair is directly connected at Layer 2 to the MSFCs, so RHI is possible.
Because the CSS devices are implemented in one-armed mode, non-load-balanced traffic to and from the servers can bypass them.
Testing E-Commerce Designs
This section discusses considerations for testing and troubleshooting e-commerce designs.

Testing E-Commerce Designs
- Lab testing can validate network behavior for failover conditions.
- Good preparation allows simulations of failures to align closely with real conditions:
  - Silent packet discards can be simulated by sending traffic in a VLAN on a trunk.
  - Layer 3 switches may experience partial or total system failures.
- Documenting tested conditions and results aids future troubleshooting and design analysis.

Redundant hardware components and proper configurations help support high availability. But when something breaks, a good designer will need to understand the ways in which redundant devices fail over. It is also very important to test failover conditions as thoroughly as possible. This requires preliminary analysis of how the network devices detect different types of failures. Testing not only confirms correct device configuration, but can also help identify modes where failover does not occur. For example, an application may behave differently when packets are silently dropped (for example, due to loss of NAT or stateful firewall state) than when a TCP RESET or ICMP Unreachable is received.

Since almost any device or link can fail, failover testing looks at how best to simulate failures. Good preparation leads to good testing. For example, simulating a link failure by removing the Ethernet connection at one end does cause a failure. But that is a fairly clean failure mode, where the switch or other device detects loss of Ethernet link voltage. Simulations of failures should align closely with real conditions. You may also want to simulate a one-way cabling condition or quiet packet drops:
- Silent packet discards can be simulated by sending traffic in a VLAN on a trunk, where the VLAN is disallowed at the other end of the trunk. Routing some network prefix to Null0 also discards packets to that destination prefix.
  However, implementing passive interfaces or otherwise altering routing to delete the route to a destination is not the same as a silent discard, since the router will normally send Destination Network Unreachable packets back to the sender when packets are received for which there is no prefix in the routing table.
- Layer 3 switches might experience a system failure (simulated by turning off power), or might experience a partial failure (simulated by removing one module). In the case of a partial failure, Layer 3 operations might stop functioning while Layer 2 operations continue. Neighboring devices would then experience loss of traffic and connectivity, but not loss of Ethernet link status. This might be simulated by configuring no ip routing on the MSFC or route processor of a Layer 3 switch.

Good documentation of the preparation and testing will aid in future troubleshooting. When an incident occurs in the production network, the documentation can be updated to reflect lessons learned, possibly presenting alternatives to simulate the observed failure mode. This process lets future testing include the recent lesson learned.

A test lab and documentation can also be used to validate new software releases and configuration changes. It is important to run through the regression tests to make sure that aspects of failover have not changed because of new software or configuration enhancements, which may render the existing network design or configuration less useful.
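The section above stresses that an application sees a silent discard, a TCP reset and an ICMP unreachable very differently. The following helper, added here as an example and not part of the ARCH course material, records which of those three signals a TCP probe actually receives and how long it took, so that each simulated failure in the lab can be documented by its observed signal rather than by the method used to provoke it. The signal names and the loopback fixture are this example's own constructions.

```python
"""Failover test helper: classify the failure signal a TCP probe receives.

A silent discard (Null0 route, VLAN disallowed on a trunk, lost NAT or
firewall state) shows up as a timeout; a TCP RST shows up as "connection
refused"; an ICMP host/network unreachable shows up as EHOSTUNREACH or
ENETUNREACH from the kernel. Each is classified and timed separately.
"""
import errno
import socket
import time

SILENT_DISCARD = "silent_discard"      # nothing came back within the timeout
TCP_RESET = "tcp_reset"                # RST: host is up, port is closed
ICMP_UNREACHABLE = "icmp_unreachable"  # ICMP unreachable, or no local route
CONNECTED = "connected"

# errno values raised when an ICMP unreachable arrives or no route exists.
_UNREACHABLE_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_error(exc):
    """Map a socket exception to one of the failure signals above."""
    if isinstance(exc, socket.timeout):
        return SILENT_DISCARD
    if isinstance(exc, ConnectionRefusedError):
        return TCP_RESET
    if isinstance(exc, OSError) and exc.errno in _UNREACHABLE_ERRNOS:
        return ICMP_UNREACHABLE
    raise exc  # anything else is unexpected and should fail the test run


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection; return (signal, seconds_until_signal).

    A timeout only says that nothing answered: it cannot tell which hop
    dropped the packets, so record the test step alongside the result.
    """
    started = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return CONNECTED, time.monotonic() - started
    except OSError as exc:
        return classify_error(exc), time.monotonic() - started
    finally:
        sock.close()


def closed_local_port():
    """Constructed fixture: a loopback port that is currently not listening,
    so a probe against it receives a TCP RST (the "tcp_reset" signal)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    signal, elapsed = probe("127.0.0.1", closed_local_port())
    print(f"{signal} after {elapsed:.3f}s")
```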
Summary
This topic summarizes the key points discussed in this lesson.

- Where security requirements are moderate, a basic e-commerce design may provide firewall services only in the core layer.
- A two-firewall-layer design provides additional security by providing firewall services in both the core and aggregation layers.
- In one-armed mode, SLBs can be deployed attached to one side of the MSFC, with the FWSM routing between the MSFC and the e-commerce servers.
- A higher level of security can be attained by using the one-armed SLB design with multiple firewall contexts, providing firewall perimeters outside, inside, and at each network connection or DMZ.
- Testing consists of analysis of failure points and modes, along with lab simulations of the various failure modes and their effects.
Lesson 4
Tuning for E-Commerce

Overview
This lesson examines several devices and technologies that enhance the performance and availability of an e-commerce module. The lesson illustrates how some of these technologies can be used to improve a design.

Objectives
Upon completing this lesson, you will be able to discuss tuning for e-commerce designs. This ability includes being able to meet these objectives:
- Discuss how Border Gateway Protocol (BGP) tuning can be used to control packet flow in e-commerce designs
- Discuss how Enhanced Object Tracking (EOT) is used to support e-commerce designs
- Discuss how Optimized Edge Routing (OER) is used to support e-commerce designs
- Discuss how Global Server Load Balancing (GSLB) is used to support e-commerce designs
E-Commerce Tuning Overview
There are Cisco technologies that can enhance e-commerce designs.

Tuning for E-Commerce
Multiple Cisco technologies can enhance e-commerce designs. Several technologies may be useful in a broad range of situations:
- BGP tuning
- Enhanced Object Tracking
- Optimized Edge Routing
- DNS-based site selection and failover

This lesson will highlight several technologies that may be useful in a broad range of situations:
- Border Gateway Protocol (BGP) tuning
- Enhanced Object Tracking (EOT)
- Optimized Edge Routing (OER)
- DNS-based site selection and failover, including GSLB with the Cisco Global Site Selector

Note: This list is a sampling of technologies and techniques that can be used to tune e-commerce designs.
BGP Tuning
BGP routing can be tuned to control packet flow and convergence characteristics.

BGP Tuning
- BGP is the tool of choice for communicating with the ISP.
- Designs should consider which traffic enters and exits the e-commerce module by which ISP.
- Designs should plan the failover behavior.

[Figure: the e-commerce site connected to the Internet through Service Provider A and Service Provider B.]

Note: Review the Building Scalable Cisco Internetworks course and the Configuring BGP on Cisco Routers course for details.

BGP tuning can be used to control packet flow by communicating the available prefixes, routing policies and preferences of a site to its ISP. Designs need to consider which traffic enters and exits the e-commerce data center or data centers by which ISP and which link. Most sites attempt some form of load balancing. While load balancing ideally should result in traffic flows being split evenly across two links, in practice this is hard to achieve. Designs should attempt approximate balancing with some capacity for simple tuning. This practice recognizes that traffic monitoring will be necessary, and that re-tuning of traffic flows will require changes to router BGP configurations.

With a single provider, MED or BGP communities can be used to communicate the site preferences for traffic flow from the Internet to the organization. RFC 1998 provides the details of using BGP communities. With multiple providers, MED is unlikely to be advertised between providers, so BGP communities or AS-path prepending can be used to influence inbound traffic.

The failover behavior of the BGP routing needs to be tested and understood. ISPs constantly update route filters, so monitoring traffic and periodic testing is a good way to assure that your prefixes have not been accidentally filtered.

Note: Manipulating routing updates and configuring BGP is covered in the Building Scalable Cisco Internetworks course and in the Configuring BGP on Cisco Routers course.
Enhanced Object Tracking
Enhanced Object Tracking (EOT) is a Cisco IOS capability that efficiently uses a standalone process to track the status of objects.

Enhanced Object Tracking
- Tracking clients: HSRP, VRRP, GLBP
- Object tracking process
- Objects tracked: line protocol, IP routing state, IP route reachability, IP route metric threshold, IP SLA operations
- EOT is a stand-alone process that tracks objects.
- EOT can help verify the end-to-end path status.
- HSRP, GLBP, and VRRP can be clients of EOT.
- EOT ensures high availability with more options than interface tracking.

The EOT process notifies other processes that have registered interest when EOT detects a problem. EOT was first available in Cisco IOS Software Release 12.2(15)T. EOT is useful in verifying end-to-end path availability and helps identify situations where the network is sending traffic down a path that is black-holing packets, is congested, or has quality problems.

Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP) have the ability to track the up or down state of a local interface on a router. These protocols are First Hop Redundancy Protocols (FHRPs). If the link fails on a primary FHRP router, standby tracking can cause the FHRP to switch traffic over to a standby router to ensure continued communication. EOT adds the ability to discover non-local problems and react. HSRP, GLBP, and VRRP can be clients of EOT. EOT can track:
- Line protocol
- IP routing state (interface up, IP address known, and routing enabled)
- Reachability of an IP route (route present and accessible)
- IP routing metric (above or below a threshold)
- Results of IP SLA operations (reachability of the target, or thresholds for packet loss, latency, and jitter) [First available in 12.3(4)T and 12.2(25)S code.]
EOT can also track Boolean AND and OR combinations of conditions, as well as weighted combinations of condition thresholds, for sophisticated failover logic.
Example: HSRP and IP SLA Tracking
The figure shows one way in which EOT might be used.

[Figure: Example: HSRP and IP SLA Tracking. Local hosts behind Router1 and Router2 (HSRP pair); Router1 runs an IP SLA operation to ServerA across ISP1, with ISP2 as the alternate path. The sample configuration below is shown on the figure.]

In the figure, an IP Service Level Agreements (SLA) measurement is being run from Router1 to ServerA across ISP1. Local hosts reach ServerA by way of Router1 until EOT forces a failover to Router2 in response to loss of packets, latency, or jitter along the ISP1 connection. This is a sample configuration (the server and interface addresses are omitted in the original):

  ! IP SLA operation 18: periodic ICMP echo to the server
  ip sla 18
   icmp-echo <server>
  ip sla schedule 18 start-time now life forever
  !
  ! Track object 100 follows the state of IP SLA operation 18
  track 100 rtr 18 state
  !
  interface FastEthernet0/0
   ip address
   standby 1 ip
   standby 1 priority 105
   standby 1 preempt
   ! Lower the HSRP priority by 10 when track 100 goes down
   standby 1 track 100 decrement 10

This example illustrates that EOT can be used to influence the choice of exit router and outbound path. Typically this is done in response to conditions outside the local network.
Example: Injecting Routes and IP SLA
This example looks at how route injection into BGP can depend on server reachability.

[Figure: Example: Injecting Routes and IP SLA. User1 reaches ServerA through ISP1 and Router1 (1. original path); Router1 runs an IP SLA operation to ServerA. When ServerA stops responding (2. traffic black-holed), Router1 stops advertising the route to ISP1 via BGP (3. don't advertise the route anymore), and traffic takes the alternate path through ISP 2 and Router2 (4. alternate path).]

In the figure, an IP SLA measurement is set up from Router1 to ServerA, based on a specific route to the server. A more general prefix is configured as a static route that tracks this IP SLA measurement. If ServerA should become unreachable (quit responding), then the static route will be withdrawn. The BGP configuration can advertise these static routes. When the static routes are withdrawn in response to an EOT condition, BGP will cease advertising the routes to ISP1. In this case, EOT provides a relatively simple way to track reachability through a complex network. When reachability fails, failover to another ISP link or another site can be triggered.

This example illustrates how to control what is advertised to a BGP peer at an ISP. The advertisement controls the path and entrance router used by inbound traffic. This is a simplified portion of the configuration (the server address, server network and BGP AS number are omitted in the original):

  ! IP SLA operation 1: periodic ICMP echo to the server
  ip sla 1
   icmp-echo <server>
  ip sla schedule 1 start-time now life forever
  !
  ! Track object 123 follows the reachability result of IP SLA operation 1
  track 123 rtr 1 reachability
  !
  ! The summary static route is installed only while track 123 is up
  ! (more specific routes will be used to forward packets)
  ip route <server_network> Null0 track 123
  !
  router bgp
   ! Installed static routes are redistributed and advertised to the ISP
   redistribute static
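Both EOT examples above turn one tracked object into a failover decision: in the first it lowers an HSRP priority, in the second it withdraws a tracked static route so that BGP stops advertising it. The model below, added here as an example and not Cisco code (it runs no IOS commands), reproduces that logic so that the decrement and preempt settings of a design can be checked before it is deployed; it generalizes slightly to the Boolean and weighted track lists the lesson says EOT supports. The class names, the "and"/"or"/"threshold" mode strings and the sample prefixes are this example's own constructions.

```python
"""Model of Enhanced Object Tracking driving HSRP and a tracked static route.

Assumptions (this example's own, not a statement about IOS internals):
  - a leaf tracked object (IP SLA state or reachability) is simply up or down;
  - a track list combines other objects by Boolean AND/OR or a weighted
    threshold, and is up when the combination evaluates true;
  - HSRP prefers the highest effective priority, but a router only takes over
    from the current active router if it is configured to preempt.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass
class TrackList:
    """A derived track object built from other track objects."""
    members: Dict[int, int]   # member object number -> weight (use 1 for Boolean)
    mode: str                 # "and", "or" or "threshold"
    threshold: int = 0        # "threshold": up when the up-weights sum to >= this


TrackTable = Dict[int, Union[bool, TrackList]]


def evaluate(track: int, tracks: TrackTable) -> bool:
    """Return True if track object `track` is currently up."""
    obj = tracks[track]
    if isinstance(obj, bool):
        return obj
    if obj.mode == "and":
        return all(evaluate(m, tracks) for m in obj.members)
    if obj.mode == "or":
        return any(evaluate(m, tracks) for m in obj.members)
    if obj.mode == "threshold":
        score = sum(w for m, w in obj.members.items() if evaluate(m, tracks))
        return score >= obj.threshold
    raise ValueError(f"unknown track list mode {obj.mode!r}")


@dataclass
class HsrpRouter:
    name: str
    priority: int
    preempt: bool
    track: Optional[int] = None  # as in "standby 1 track 100 decrement 10"
    decrement: int = 10

    def effective_priority(self, tracks: TrackTable) -> int:
        """Configured priority, lowered by the decrement while the track is down."""
        if self.track is not None and not evaluate(self.track, tracks):
            return self.priority - self.decrement
        return self.priority


def hsrp_active(routers, tracks: TrackTable, current_active: str) -> str:
    """Name of the active router once tracking has been applied."""
    current = next(r for r in routers if r.name == current_active)
    best = max(routers, key=lambda r: r.effective_priority(tracks))
    if best is current or not best.preempt:
        return current.name          # no preemption: the active router stays
    if best.effective_priority(tracks) > current.effective_priority(tracks):
        return best.name
    return current.name


def advertised_prefixes(static_routes, tracks: TrackTable):
    """Prefixes whose static route is still installed (untracked, or track up)
    and is therefore still redistributed into BGP and advertised to the ISP."""
    return [prefix for prefix, track in static_routes
            if track is None or evaluate(track, tracks)]


if __name__ == "__main__":
    # Design check for the HSRP example: priority 105 minus decrement 10 must
    # fall below the standby router's default priority of 100.
    tracks: TrackTable = {100: False}
    pair = [HsrpRouter("Router1", 105, True, track=100, decrement=10),
            HsrpRouter("Router2", 100, True)]
    print("active after track 100 fails:", hsrp_active(pair, tracks, "Router1"))
```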
Optimized Edge Routing Overview

Cisco IOS Optimized Edge Routing (OER) is another alternative to detect undesirable conditions along a path.

[Figure: Optimized Edge Routing (OER) Overview. Multiple paths from an enterprise or content provider to a remote office or content consumer; the OER components are the MC and the BRs.]

WAN access links are the largest end-to-end bottleneck in wide area connectivity. Normally BGP determines the best outbound path based on the shortest Autonomous System (AS) path, together with all the other BGP decision criteria. OER allows the path selection to be based on policies that can include measured reachability, delay, loss, jitter, synthetic Mean Opinion Score (MOS, for voice), load, and monetary cost. OER provides automatic outbound route optimization and load distribution for multiple connections by selecting the optimal exit point.

OER is an integrated Cisco IOS software solution that allows users to monitor IP traffic flows and then define policies and rules based on prefix performance, link load distribution, link cost, and traffic type. OER selects which exit path is best. It does not affect routing or path selection for inbound traffic from outside the site.

To implement OER, a site configures one or more border routers (BRs) that communicate with a router chosen and configured as the master controller (MC). The MC makes decisions about which outbound path to use, based on the configured policy. The figure shows multiple paths from an enterprise or content provider to a remote office or content consumer.
OER Operations

This section provides a high-level discussion of how OER works.

[Figure: OER Operations. The cycle runs Learn, Measure, Apply Policy, Optimize, and Verify: prefixes and/or traffic classes are learned; passive measurement, or active measurement using IP SLA, feeds a policy based on delay, loss, unreachability, jitter, load, and range; prefixes are controlled using BGP or static routes and traffic classes using PBR; feedback from NetFlow confirms that traffic is going through the selected exit.]

OER follows a cycle of learn, measure, apply policy, optimize, and verify.

In the Learn phase, the configuration identifies prefixes and traffic classes of interest.

In the Measure phase, passive or active measurement provides measurements using each BR. Passive monitoring amounts to looking up NetFlow data in memory. The router observes what happens when packets are sent, and records the results as internal NetFlow statistics. If there are no packets being sent, there is no new data for the system. NetFlow data captures delay and throughput statistics. The delay measurements are based on the TCP round-trip time (RTT) from the initial SYN to the following ACK. The OER data also records packet loss (comparing the highest TCP sequence number seen with the packets received that carry lower sequence numbers) and unreachables (a SYN with no received ACK) for passive measurements. OER passive monitoring is based on TCP traffic flows for IP traffic. Passive monitoring of non-TCP sessions is not supported because UDP does not readily provide delay estimates, response counts, and other traffic data.

Active probing defaults to ICMP echo and ping.

Note: Repeated ping probing might trigger an IDS or IPS intervention (or cause one to activate) at the remote site.

OER active probing can be configured to use IP SLA measurements instead of ping. This allows OER to respond to delay or jitter in the network. Currently, OER can use ICMP, TCP connections, or UDP echo for active probing. Note that the target for the latter two must be capable of responding. If the target is a router, it must be configured with "rtr responder". As of Cisco IOS software release 12.3(14)T, OER can do traceroute probes. These probes collect delay, loss, and reachability information for each hop from the source address to the probe target prefix. You can configure these probes to run in three ways: continuous (run all the time), policy based (run only when the prefix is out of policy), or on demand.

In the Apply Policy phase, the MC periodically gathers data from the BRs and applies the configured policy to determine the best route.

In the Optimize phase, controls are applied either by adding a static or BGP route or, if traffic classes are to be controlled, through policy-based routing (PBR). OER routing control is exerted by injecting routes into the BRs. This is done through OER command messages from the MC to the BRs, and not by inserting routes on the master controller. Currently, OER can influence routing in two ways:

Setting the BGP local preference for a specific prefix
Creating a temporary static route for a specific prefix

This routing change at the BRs influences the other routers in the internal network through one of the following methods:

Internal BGP peering
BGP or static route redistribution into the IGP

If you have BRs in close proximity (namely, with a high-speed LAN connection between them), you can use default routes to get packets to the border, and then have OER shift some traffic for selected prefixes between the two exit routers. OER is mainly concerned with preferring one BR over the other. The IGP routing only comes into this if you have to rely on your IGP to route traffic between the BRs, or if you want optimal routing directly to the "correct" BR. The injected BGP or static route is not advertised to external peers, and has no routing impact outside the local site.

In the Verify phase, feedback from NetFlow confirms that traffic is using the selected exit path.
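The measure, apply-policy, optimize and verify phases described above, as an added Python model that is not part of the course material and not Cisco IOS OER code; the flow records, the prefix, the exit names and the policy thresholds are constructed, and the passive loss figure approximates the sequence-number comparison the text describes:

```python
"""Added model of the OER measure, apply-policy, optimize and verify phases,
driven by passive TCP measurements of the kind a border router (BR) keeps in
NetFlow. Illustration only, not Cisco IOS OER code.

Assumed: flow records, prefix 203.0.113.0/24, exit names and thresholds."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class TcpFlow:
    """What a BR passively saw for one TCP flow (constructed record)."""
    exit: str                        # BR/ISP link the flow left through
    prefix: str                      # destination prefix of the flow
    syn_ack_rtt_ms: Optional[float]  # SYN to answering ACK; None = never answered
    expected_pkts: int               # packets implied by the highest sequence number
    received_pkts: int               # packets actually received below that number


@dataclass
class Measurement:
    delay_ms: Optional[float]  # None when no flow on this exit was answered
    loss_pct: float
    unreachable: int           # SYNs with no received ACK


@dataclass
class Policy:
    max_delay_ms: float
    max_loss_pct: float
    max_unreachable: int


def passive_measure(flows: list[TcpFlow]) -> dict[tuple[str, str], Measurement]:
    """Measure phase: aggregate the NetFlow-style records per (exit, prefix).
    An exit carrying no traffic has no entry at all: no packets, no new data."""
    groups: dict[tuple[str, str], list[TcpFlow]] = {}
    for f in flows:
        groups.setdefault((f.exit, f.prefix), []).append(f)
    result: dict[tuple[str, str], Measurement] = {}
    for key, group in groups.items():
        answered = [f.syn_ack_rtt_ms for f in group if f.syn_ack_rtt_ms is not None]
        expected = sum(f.expected_pkts for f in group)
        received = sum(f.received_pkts for f in group)
        result[key] = Measurement(
            delay_ms=mean(answered) if answered else None,
            loss_pct=100.0 * (expected - received) / expected if expected else 0.0,
            unreachable=len(group) - len(answered),
        )
    return result


def in_policy(m: Measurement, policy: Policy) -> bool:
    """Apply-policy phase: out of policy as soon as any configured limit is exceeded."""
    if m.delay_ms is None:
        return False                      # nothing was answered: unusable exit
    return (m.delay_ms <= policy.max_delay_ms
            and m.loss_pct <= policy.max_loss_pct
            and m.unreachable <= policy.max_unreachable)


def select_exit(measurements: dict[tuple[str, str], Measurement], prefix: str,
                current_exit: str, policy: Policy) -> str:
    """Optimize phase: keep the current exit while it is in policy (no churn),
    otherwise move to the in-policy exit with the lowest delay; with no usable
    alternative the prefix stays put. A real MC would then push a BGP
    local-preference change or a temporary static route to the BRs."""
    current = measurements.get((current_exit, prefix))
    if current is not None and in_policy(current, policy):
        return current_exit
    candidates = [(m.delay_ms, exit_name)
                  for (exit_name, pfx), m in measurements.items()
                  if pfx == prefix and exit_name != current_exit and in_policy(m, policy)]
    return min(candidates)[1] if candidates else current_exit


def verified(flows: list[TcpFlow], prefix: str, chosen_exit: str) -> bool:
    """Verify phase: later NetFlow feedback shows the prefix leaving via the chosen exit."""
    relevant = [f for f in flows if f.prefix == prefix]
    return bool(relevant) and all(f.exit == chosen_exit for f in relevant)


# Constructed sample: the ISP1 path to the prefix is slow and lossy, ISP2 is healthy.
# Some traffic already uses ISP2, so passive data exists for it; otherwise OER
# would need active probes to learn anything about that exit.
PREFIX = "203.0.113.0/24"
SAMPLE_FLOWS = [
    TcpFlow("BR1-ISP1", PREFIX, 420.0, 100, 85),
    TcpFlow("BR1-ISP1", PREFIX, 460.0, 100, 80),
    TcpFlow("BR1-ISP1", PREFIX, None, 1, 0),    # SYN never answered: unreachable
    TcpFlow("BR2-ISP2", PREFIX, 60.0, 100, 100),
    TcpFlow("BR2-ISP2", PREFIX, 75.0, 100, 99),
]
POLICY = Policy(max_delay_ms=200.0, max_loss_pct=5.0, max_unreachable=0)

if __name__ == "__main__":
    m = passive_measure(SAMPLE_FLOWS)
    print(select_exit(m, PREFIX, "BR1-ISP1", POLICY))   # BR2-ISP2
```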
OER Solution Topologies

There are several design topologies where OER can be useful.

[Figure: OER Solution Topologies. 1) SOHO/Broadband: one router acting as MC/BR with links to ISP1/WAN1 and ISP2/WAN2. 2) Remote Office: two routers, one BR and one MC/BR, each with its own ISP/WAN link. 3) Headquarters/Content/Hosting/Data Centers: a separate MC and two BRs, one per ISP/WAN link. BR = Border Router, MC = Master Controller.]

The figure shows some of the topologies where OER can be used.

In the first example, a small office/home office (SOHO) or broadband site has two exit paths. The single edge router is configured to be both MC and BR. It selects between the two exit paths using OER. This topology reflects a smaller site doing e-commerce, with one router connected to two ISPs or to two points of presence (PoPs) for a single ISP.

In the second example, a remote office with two exit routers to two ISPs uses OER to select the best path to headquarters. One of the BRs is also the MC. This topology might be a site doing e-commerce, with two routers connected to two ISPs or to two PoPs for a single ISP.

In the third example, a larger e-commerce site has an MC separate from the two BRs. OER helps select the better outbound path through ISP1 or ISP2.

OER is generally used to influence outbound traffic path selection. Using EOT with selective route advertisement is one good way to influence the inbound traffic path.
Cisco Global Server Load Balancing

This section provides a brief overview of Cisco Global Server Load Balancing.

[Figure: Cisco Global Server Load Balancing. In real time, globally load balance all web-based traffic across multiple data centers; reroute all traffic to a backup data center in case of a disaster; simplify management of the DNS process by providing centralized command and control. Clients requesting websites query their local DNS, which obtains the best destination from GSS-1 or GSS-2 as resource records; DataCenter A and DataCenter B each front their servers with an SLB, CSM, or CSS.]

Another way of tuning e-commerce service delivery is to provide external selection of the best destination for each client. Organizations that provide web and application hosting services often require network devices that can perform complex request routing to two or more redundant, geographically dispersed data centers. These network devices need to provide fast response times and disaster recovery and failover protection through global server load balancing (GSLB).

The Cisco GSLB product is the Cisco Global Site Selector (GSS). GSS leverages global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability. GSS provides real-time global load balancing across multiple data centers and improves the global data center selection process by offering user-selectable global load-balancing algorithms. It scales to support hundreds of data centers or server load balancers (SLBs).

GSS provides traffic rerouting in case of disaster. It provides a scalable dedicated hardware platform to ensure that web-based applications are always available, by detecting site outages or site congestion and rerouting content requests. The GSS traffic-management process continuously monitors the load and health of the SLBs within each data center.
This information is used in conjunction with customer-controlled load-balancing algorithms to enable the GSS to select, in real time, a data center that is available and not overloaded within user-definable load conditions. GSS offloads DNS servers by taking over the domain resolution process, and handles these requests at a rate of thousands per second. It complements the existing DNS infrastructure by providing centralized domain management.
Summary

This topic summarizes the key points discussed in this lesson.

BGP is the primary way to communicate reachable prefixes and routing policies and preferences to multiple ISPs.
EOT is an efficient way to track the status of remote objects and react to this status.
OER uses passive or active measurements, including IP SLA measurements, to determine the best exit router.
GSLB provides a way to externally load balance site selection for user traffic and respond to site outages or congestion.
Module Summary

This topic summarizes the key points discussed in this module.

High availability is an important consideration for the e-commerce module. High availability design requires redundancy and Cisco technology, supplemented by organizational efforts concerning people, processes, and tools.

E-commerce module design requires integrating firewalls, server load balancing, multiple ISP connections, routing, Layer 2 switches, and servers into a highly available design.

Typical e-commerce designs support load balancing traffic to servers with levels of security provided by firewall perimeters. Basic designs provide one level of firewall services, while more advanced designs include multiple firewall contexts supporting firewall perimeters at every network connection in the e-commerce module.

Many technologies can be useful in enhancing the performance and availability of e-commerce designs. Features such as BGP tuning, EOT, OER, and GSLB are often deployed in a broad range of situations.

References

For additional information, refer to these resources:

Cisco Systems, Inc. Data Center Networking: Integrating Security, Load Balancing, and SSL Services Using Service Modules (Systems Reference Network Design) at f252b.pdf
Cisco Systems, Inc. Data Center Networking: Internet Edge Design Architectures (Solutions Reference Network Design) at ee4e.pdf
Cisco Systems, Inc. Designing and Managing High Availability Networks at d b.pdf
Cisco Systems, Inc. High Availability Introduction
Cisco Systems, Inc. Configuring Secure (Router) Mode on the Content Switching Module
Cisco Systems, Inc. Configuring Single Subnet (Bridge) Mode on the CSM
Cisco Systems, Inc. APP-1103: Introduction to Content Switching Technologies, Networkers 2006 presentation (accessible on a subscription basis)
Cisco Systems, Inc. DC-2503: Implementing Data Center Services (Interop, Design and Deployment), Networkers 2006 presentation (accessible on a subscription basis)
Cisco Systems, Inc. Configuring Enhanced Object Tracking at df
Cisco Systems, Inc. Building Scalable Cisco Internetworks course at IT/LPCM/LpcmLLController?action=CourseDesc&COURSE_ID=4952
Cisco Systems, Inc. Configuring BGP on Cisco Routers course at IT/LPCM/LpcmLLController?action=CourseDesc&COURSE_ID=4807
Cisco Systems, Inc. Cisco IOS Optimized Edge Routing Configuration Guide at 86a b51.pdf
Chesapeake NetCraftsmen, Inc. Basics of Cisco Optimized Edge Routing (OER)
Chesapeake NetCraftsmen, Inc. Configuring Cisco Optimized Edge Routing (OER)
Cisco Systems, Inc. Cisco Global Site Selector CLI-Based Global Server Load-Balancing Configuration Guide at 86a00807e0a23.pdf
Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) What are two characteristics of an e-commerce design? (Choose two.) (Source: High Availability for E-Commerce)
A) e-commerce applications are independent of the servers that use them
B) e-commerce designs have less stringent high availability requirements as compared to other parts of an enterprise network
C) e-commerce designs have more stringent high availability requirements as compared to other parts of an enterprise network
D) e-commerce downtime is particularly harmful to an organization
E) e-commerce downtime is typically not particularly harmful to an organization

Q2) What are the two traditional design components for high availability? (Choose two.) (Source: High Availability for E-Commerce)
A) tools
B) technology
C) processes
D) applications
E) redundancy

Q3) Which one of these items do most redundancy designs attempt to eliminate? (Source: High Availability for E-Commerce)
A) single points of failure
B) multiple points of congestion
C) geographic diversity
D) dual co-location facilities
E) doubled-up elements in the path between users and applications

Q4) What are two Cisco routing continuity options that support high availability? (Choose two.) (Source: High Availability for E-Commerce)
A) IP SLA
B) NSF
C) OER
D) service monitoring on service load balancers
E) SSO

Q5) Which one of the following is an organizational recommendation to support high availability? (Source: High Availability for E-Commerce)
A) align staff teams with services
B) communicate with other network, security, application, and server teams
C) enhance high availability with attention to detail
D) identify the owner or expert on key service applications
E) implement reliable and consistent wiring and configurations for easier management and troubleshooting

Q6) How do processes play an important role in supporting high availability? (Source: High Availability for E-Commerce)
A) failover and change testing should be performed after deployment
B) lab equipment should accurately reflect the production network
C) repeatable processes can be gradually improved
D) roll-back processes should be outlined in implementation plans
E) services should continue operating when single components fail

Q7) What two power tools contribute to high availability? (Choose two.) (Source: High Availability for E-Commerce)
A) TopN reporting
B) network diagrams
C) packet monitoring
D) repeatable processes
E) network design write-ups

Q8) Where is an e-commerce design typically implemented? (Source: Common Designs for the E-Commerce Module)
A) in the aggregation layer
B) in the application tier
C) in the core layer
D) in the data center
E) in the web tier

Q9) What is a firewall sandwich? (Source: Common Designs for the E-Commerce Module)
A) a method to avoid operating firewalls from multiple vendors
B) an architecture where all traffic between firewalls goes through application-specific gateways
C) an architecture where all traffic between firewalls goes through application-specific servers
D) firewall connections in either an active or standby state
E) multiple layers of firewalling

Q10) What are three functions of a SLB? (Choose three.) (Source: Common Designs for the E-Commerce Module)
A) providing a private IP address or virtual IP address for each service
B) providing a public IP address or virtual IP address for each service
C) resolving DNS requests for destination IP addresses for each service
D) rewriting source as well as destination IP or MAC addresses depending on SLB mode
E) supporting scaling and high availability by distributing client requests for service across active servers

Q11) What are three characteristics of SLB router mode? (Choose three.) (Source: Common Designs for the E-Commerce Module)
A) The design supports multiple server subnets.
B) The end user does not see the IP address of the real server.
C) The end user sees the IP address of the real server.
D) The SLB acts as a bump in the wire between servers and upstream firewall or Layer 3 devices.
E) The SLB routes between outside and inside subnets.

Q12) What are three characteristics of SLB one-arm mode? (Choose three.) (Source: Common Designs for the E-Commerce Module)
A) Return traffic does not require special handling.
B) The SLB is directly inline with the default traffic path.
C) The SLB is not directly inline with the default traffic path.
D) The SLB VIP and the real servers are in the same VLAN or subnet.
E) Return traffic can use PBR to deflect appropriate outbound server traffic over to the SLB as next hop.
F) The SLB routes traffic to the real server subnet if the real servers are not in the same VLAN or subnet as the SLB VIPs.

Q13) Why is a common external prefix desirable in e-commerce topologies? (Source: Common Designs for the E-Commerce Module)
A) Devices can use NAT to a common external prefix.
B) HSRP can be used for failover should one switch-to-router link fail.
C) DNS software can resolve queries using a round-robin approach between sites.
D) When one ISP loses routing or its link, BGP can provide users with automatic failover to the other path into the site.
E) An assigned BGP AS number prevents the site from becoming a transit link between the ISPs and prevents looping of routing information.

Q14) Where is the firewall perimeter in a basic e-commerce design? (Source: Integrated E-Commerce Designs)
A) at the Internet
B) at the core layer
C) at the core and aggregation layers
D) at the aggregation and access layers
E) between the aggregation layer router and the e-commerce servers

Q15) What are three characteristics of the one-armed SLB design? (Choose three.) (Source: Integrated E-Commerce Designs)
A) Outbound traffic from servers may need to be directed by PBR or CSNAT to the CSM.
B) The CSM statically routes all inbound server traffic to the aggregation switch FWSM, which routes the traffic to the connected server subnet.
C) The MSFC is directly connected to the CSM.
D) The MSFC is not directly connected to the CSM.
E) The SLB is moved to a position where selected traffic to and from the servers does not go through the SLB.

Q16) What are two characteristics of the two firewall layers e-commerce design when the CSM is not in routed mode? (Choose two.) (Source: Integrated E-Commerce Designs)
A) Outbound traffic from servers may need to be directed by PBR or CSNAT to the CSM.
B) The aggregation switch FWSM routes traffic to the server subnets.
C) The MSFC is directly connected to the CSM.
D) The MSFC is not directly connected to the CSM.
E) The SLB is moved to a position where selected traffic to and from the servers does not go through the SLB.

Q17) How does BGP tuning control packet flow into the e-commerce module? (Source: Tuning for E-Commerce)
A) by communicating the available prefixes, routing policies, and preferences of a site to its ISP
B) by detecting undesirable conditions along the path to the e-commerce module
C) by moving the SLB to a position where selected traffic to and from the servers does not go through the SLB
D) by tracking the status of objects along the path to the e-commerce module
E) by using the MED to communicate the site preferences for traffic to multiple ISPs

Q18) What are three characteristics of EOT? (Choose three.) (Source: Tuning for E-Commerce)
A) It helps verify end-to-end path availability.
B) HSRP, GLBP, and VRRP can be clients of EOT.
C) It improves DNS responsiveness by providing centralized domain management.
D) It load balances traffic flows across two links.
E) It provides automatic outbound route optimization and load distribution for multiple connections by selecting the optimal exit point.
F) It helps identify situations where the network is sending traffic down a path that is black-holing packets.

Q19) What are three characteristics of OER? (Choose three.) (Source: Tuning for E-Commerce)
A) HSRP, GLBP, and VRRP can be clients of OER.
B) It uses a MC and BRs.
C) It helps to detect undesirable conditions along a path.
D) It uses AS prepending to influence inbound traffic.
E) It provides automatic outbound route optimization and load distribution for multiple connections by selecting the optimal exit point.
F) It provides external selection of the best destination for each client.

Q20) What are three characteristics of GSS? (Choose three.) (Source: Tuning for E-Commerce)
A) It helps verify end-to-end path availability.
B) HSRP, GLBP, and VRRP can be clients of GSS.
C) It uses AS prepending to influence inbound traffic.
D) It provides external selection of the best destination for each client.
E) It provides real-time global load balancing across multiple data centers.
F) It improves DNS responsiveness by providing centralized domain management.

Module Self-Check Answer Key

Q1) C, D
Q2) B, E
Q3) A
Q4) B, E
Q5) A
Q6) C
Q7) B, E
Q8) D
Q9) E
Q10) B, D, E
Q11) A, B, E
Q12) C, D, E
Q13) D
Q14) B
Q15) A, C, E
Q16) B, D
Q17) A
Q18) A, B, F
Q19) B, C, E
Q20) D, E, F
Module 8

Security Services Design

Overview

As enterprises continually expand their mission-critical networks with new intranet, extranet, and e-commerce applications, network security is increasingly vital to prevent corruption and intrusion, and to eliminate network security vulnerabilities. Without precautions, enterprises could experience major security breaches, resulting in serious damage or loss.

This module looks at security design. It assumes you already know how to implement firewalls and security features including access control lists (ACLs), IP security (IPsec) connections, Network Address Translation (NAT), and Port Address Translation (PAT).

Module Objectives

Upon completing this module, you will be able to design security-intelligent network services for performance, scalability, and availability, given specified enterprise network needs. This ability includes being able to meet these objectives:

Discuss design considerations for firewall services in the enterprise
Describe design considerations for using network admission control services in the enterprise
Discuss design considerations for intrusion detection and prevention services in the enterprise
Lesson 1

Firewall Design Considerations

Overview

Firewalls have long provided the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about network access rights for users to the connection information surrounding each access attempt. User policies and connection information must match up, or the firewall does not grant access to network resources.

This lesson looks at firewall design considerations. It discusses options for firewall deployment and topologies, including firewall modes, virtual firewalls, asymmetric routing using active/active topologies, scaling firewall performance, private VLANs, and zone-based firewalls.

Lesson Objectives

Upon completing this lesson, you will be able to discuss and design firewall services for enterprise networks. This ability includes being able to meet these objectives:

Describe routed and transparent firewall modes
Describe considerations for designing virtual firewalls
Discuss the active/active firewall topology and its design considerations
Describe requirements for asymmetric routing with firewall designs
Discuss load balancing options for scaling firewall performance
Discuss private VLAN security considerations
Discuss zone-based policy firewalls
Firewall Modes

A firewall can run in either routed or transparent mode.

[Figure: Firewall Mode, Routed or Transparent. Routed mode: the outside interface and the inside interface are each addressed on their own /24 subnet. Transparent mode: two VLANs are bridged, with a single /24 management address for the bridge group. Routed mode is the traditional firewall mode and is a Layer 3 device with each interface addressed. Transparent mode is available starting with version 2.2 in the FWSM and 7.0 in the PIX and ASA, is a Layer 2 device with only the management interface per bridge group addressed, and supports routing protocols and IP multicast traffic.]

In the traditional routed mode, the firewall is considered to be a Layer 3 device in the network. It can perform NAT between connected networks. Routed mode supports many interfaces, and each interface is on a different subnet and requires an IP address on that subnet.

Transparent mode is a newer mode, available since Firewall Service Module (FWSM) release 2.2 and since release 7.0 on Cisco PIX and Cisco Adaptive Security Appliance (ASA) devices.

Note: This lesson primarily uses the FWSM as the example firewall. ASA and PIX devices could be used as well. PIX or ASA operational differences are shown in the lesson.

In transparent mode, the firewall is not a router hop but a Layer 2 device. Per context, the firewall connects the same network on its inside and outside interfaces in transparent mode.

Note: A single firewall can be partitioned into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators.

Firewalls can support multiple pairs of inside and outside interfaces as a bridge group. Each bridge group connects to a different network. A transparent firewall has one IP address assigned to the entire bridge group, and uses this management address as the source address for packets originating on the firewall. Similar to routed mode, transparent mode requires access lists to allow traffic through the FWSM, except for ARP packets, which are allowed automatically.
Note: FWSM and ASA have different access control list (ACL) mechanisms for controlling traffic. For an ASA, IPv4 traffic is allowed through the transparent firewall automatically from a higher-security interface to a lower-security interface, without an access list. ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3 traffic traveling from a lower-security interface to a higher-security interface, an extended access list is required.

Transparent mode can allow certain types of traffic in an access list that are blocked by routed mode, including unsupported routing protocols. Routing protocol adjacencies are supported through a transparent firewall. OSPF, RIP, EIGRP, or BGP traffic is allowed based on an extended access list. Protocols such as HSRP, VRRP, and IP multicast can be supported through a transparent firewall. Transparent mode can also optionally use EtherType access lists to allow non-IP traffic.

2007, Cisco Systems, Inc. Security Services Design 8-5
Virtual Firewall Overview

A virtual firewall (VFW) separates multiple firewall security contexts on a single firewall.

[Figure: Virtual Firewall Overview. The MSFC, facing the Core/Internet, connects to the FWSM over VLAN 10 and VLAN 25; the FWSM hosts the ADMIN context and the security contexts VFW-1, VFW-2, and VFW-3, which serve networks A, B, and C over VLANs 11, 21, and 31. Specific VLANs are attached to specific security contexts; up to 250 contexts are supported on the FWSM; the administrative context is used for network connectivity; each context has its own policies (NAT, access lists, protocol fixups, and so on).]

Specific VLANs are tied to a specific security context. In routed mode, up to 256 VLANs can be assigned to a context. The FWSM has an overall limit of 1000 VLAN interfaces divided between all contexts. Up to 250 contexts are supported on a FWSM, depending on the software license. Each context has its own policies, such as NAT, access lists, and protocol fixups.

The Cisco Firewall Service Module (FWSM) uses the administrative context for network connectivity and to assign VLANs to contexts. With the default FWSM software, up to two security contexts and the administrative context are provided.

Note: The FWSM does not include any external physical interfaces. VLAN interfaces are assigned to the FWSM similar to assigning a VLAN to a switch port. The FWSM includes an internal interface to the Switch Fabric Module (if present) or the shared bus.
89 Firewall Context Design Considerations Resources classes are important to firewall operations because multiple contexts can use a resource class. Firewall Context Design Considerations Default Class Context Soft Drinks Gold Class (All Limits Set) Silver Class (Some Limits Set) Bronze Class (Some Limits Set) Context Soda Context Tonic Context Pop Context Water Note: Limits set in default class are the base for all other classes and contexts not assigned to a class. ARCH v An attack or anomaly on one context can impact another context. All contexts belong to the default class if they are not assigned to another class. If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if a class has any settings that are not defined, then the member context uses the default class for those limits. By default, all security contexts have unlimited access to the resources of the FWSM or security appliance, except where maximum limits per context are enforced. If one or more contexts use too many resources, they cause other contexts to be denied connections. Resource management limits the use of resources per context. Note The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. The FWSM and security appliances manage resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. If some resources are oversubscribed, or some resources are unlimited, a few contexts can use up those resources, potentially affecting service to other contexts. As a recommended practice, set limits for all resources together as a percentage of the total available for the device and set the limit for individual resources as a percentage or as an absolute value. The FWSM and security appliances are subject to oversubscription if more than 100 percent of the resources are assigned across all contexts. 
For example, if the Bronze class is set to limit connections to 20 percent per context, and 10 contexts are assigned to the class, a total of 200 percent is allocated. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended and some connections will be denied because the system limit is reached.

2007, Cisco Systems, Inc. Security Services Design 8-7

MSFC Placement

The Multilayer Switch Feature Card (MSFC) can be placed on the inside or the outside of the firewall, depending on the VLANs assigned to the FWSM.

[Figure: MSFC Placement, Inside or Outside. Left: MSFC outside of the FWSM (VLAN 200 is the FWSM outside interface; VLANs 2, 4, 6 are inside). Right: MSFC inside of the FWSM (VLAN 101 is the FWSM outside interface; the MSFC routes VLANs 201, 5, 7, 9).]

- The MSFC can be placed on the inside or the outside of the firewall.
- Placement is determined by the VLAN assignment.
- Placing the MSFC inside the firewall secures the MSFC.
- Placing the MSFC outside makes design and management easier.

In the figure, the MSFC is outside of the firewall when VLAN 200 is assigned to the outside interface of the FWSM. The FWSM processes and protects all traffic to the inside VLANs 2, 4, and 6. The MSFC routes between the Internet and the switched networks. Placing the MSFC outside the FWSM makes design and management easier.

The MSFC is inside of the firewall when VLAN 101 is assigned to the outside interface of the FWSM. The MSFC routes between VLANs 201, 5, 7, and 9. No inside traffic goes through the FWSM unless it is destined for the Internet. The FWSM secures the MSFC.

For multiple context mode, if the MSFC is placed inside the FWSM, it should only connect to a single context. If the MSFC connects to multiple firewall contexts, the MSFC will route between the contexts, which might not be your intention.

Note: The typical scenario for multiple contexts is to use the MSFC outside of the FWSM and to have the MSFC route between the Internet and the switched networks and between contexts.
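The following FWSM system execution space configuration is an added example, not part of the course material. It defines the administrative context, the contexts and classes named in the figure, and shows how a class with only some limits set inherits the rest from the default class, including the oversubscribed 20 percent Bronze case from the text. VLAN numbers, file names and the percentages other than Bronze's are assumed.

```cisco
! FWSM system execution space, multiple context mode.
! Added example: context and class names follow the "Soft Drinks"
! figure; VLAN numbers, file names and most limits are assumed.

! The administrative context provides network connectivity to the
! module and is where VLANs are handed out to the other contexts.
admin-context admin
context admin
  allocate-interface vlan10
  config-url disk:/admin.cfg
!
! Default class: the base for every context that has no class, and
! for every limit a class leaves unset (10% of the module total each).
class default
  limit-resource conns 10%
  limit-resource xlates 10%
!
! Gold ("All Limits Set"): "all 0" makes every resource unlimited,
! then individual resources are capped explicitly.
class gold
  limit-resource all 0
  limit-resource conns 30%
  limit-resource xlates 30%
  limit-resource rate conns 2000
!
! Bronze ("Some Limits Set"): only connections are set; xlates come
! from the default class. 20% per context with ten member contexts
! allocates 200%, so under load members get less than 20% and the
! module denies connections once the system limit is reached.
class bronze
  limit-resource conns 20%
!
context soda
  allocate-interface vlan11
  allocate-interface vlan21
  config-url disk:/soda.cfg
  member gold
!
context tonic
  allocate-interface vlan12
  allocate-interface vlan22
  config-url disk:/tonic.cfg
  member bronze
!
! No "member" line: water stays in the default class.
context water
  allocate-interface vlan13
  allocate-interface vlan23
  config-url disk:/water.cfg
```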
Active/Active Firewall Topology

The active/active firewall topology uses two firewalls that are both actively providing firewall services.

[Figure: Active/Active Firewall Topology. FWSM #1 and FWSM #2 are joined by a failover trunk; each context is active on one unit and standby on the other. North and south VLANs carry the traffic, with server VLAN 100 below.]

When a FWSM is running in virtual firewall mode, it is possible to use active/active redundancy. In the active/active topology, the security contexts on the FWSM are divided into failover groups. A failover group is a logical group of one or more security contexts. The FWSM supports a maximum of two failover groups. The administrative context is always a member of failover group 1, and any unassigned security contexts are by default also members of failover group 1.

In the figure, FWSM-1 and FWSM-2 are each configured with two failover groups. FWSM-1 is active for group 1 and standby for group 2. FWSM-2 is active for group 2 and standby for group 1. The first VFW is mapped to group 1, while the second VFW is mapped to group 2.
Active/Active Topology Features

This section identifies several of the important features of the active/active topology.

- Two identical FWSMs are connected through a dedicated failover link.
- Virtual firewalls are mapped to a failover group.
- Failover group status is active or standby.
- The active state of both failover groups, with all contexts, can be assumed by either FWSM.
- Failover can be configured as preemptive: the FWSM with the higher priority for a failover group regains the active role.
- For failover link redundancy, EtherChannels are used from separate line card modules.
- The design supports load balancing in the network.

The active/active failover configuration requires two identical FWSMs connected to each other through a dedicated failover link, and optionally a state link, using an inter-chassis design.

Note: The active/active failover configuration can also be supported with redundant FWSMs in a single chassis.

The failover link is a VLAN. The health of the active interfaces and units is monitored to determine whether specific failover conditions are met. If those conditions are met, failover occurs. The MAC address of the primary unit is used by all interfaces in the active contexts. When an active failover group fails, it changes to the standby state while the associated standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC address and IP addresses of the interfaces in the failover group that failed. This design supports preemption, so that the FWSM with a higher priority will resume an active role after recovering from a failure condition. Additional redundancy is supported if links from separate modules are used to form the Gigabit Ethernet EtherChannels supporting the failover trunk and state traffic VLANs.

Since both devices can pass network traffic with the active/active topology, this design supports load balancing in the network.
Asymmetric Routing with Firewalls

The FWSMs support asymmetric routing, where return traffic for a session is received through a different interface than the interface where the traffic originated.

- ASR groups support asymmetric routing for a connection.
- Use the asr-group command to configure.
- Supports up to eight interfaces in an ASR group.
- Supports up to 32 groups per FWSM.
- Operates in failover and non-failover configurations.
- Operates in both routed and transparent modes.

Asymmetric routing most commonly occurs when two interfaces on a single FWSM, or two FWSMs in a failover pair, are connected to different service providers and the outbound connection does not use a NAT address. By default, the FWSM drops the return traffic because there is no connection information for traffic received through a different interface than the one where the traffic originated. Asymmetric routing of the return traffic is supported by using the asr-group interface command. The FWSM supports up to 32 ASR groups. Each ASR group supports a maximum of 8 interfaces. Asymmetric routing is supported in the active/active failover redundancy mode, and in designs without failover redundancy in either single mode or within a virtual firewall, by using asymmetric routing (ASR) groups. Asymmetric routing is supported in both the routed and transparent modes of firewall operation.
Asymmetric Routing with ASR Group on a Single FWSM

Interfaces inside a common ASR group allow packets belonging to a given session to enter and leave from any interface within the ASR group.

[Figure: Asymmetric Routing with ASR Groups on a Single FWSM. Outbound session traffic from the client leaves the "Top" FWSM through interface Out-one (path A); inbound session traffic returns through Out-two (path B).]

- Any interface inside a common ASR group supports packets for a given session.
- After a valid SYN packet, the FWSM accepts the returning SYN-ACK segment on another interface in the ASR group.

When an interface configured with the asr-group command receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, and the incoming traffic originated on a different interface on the same unit, some or all of the Layer 2 header is rewritten and the packet is re-injected into the stream and forwarded to the intended host. After a valid SYN is sent out an ASR group interface, the FWSM will accept a returning SYN-ACK on another interface in the ASR group.
Asymmetric Routing with Active/Active Topology

Interfaces inside a common ASR group in an active/active topology also support asymmetric routing.

[Figure: Asymmetric Routing with Active/Active Topology. A server on VLANs W/X behind FWSM-1 and FWSM-2, which are joined by a failover trunk and each hold contexts A and B. Inbound session traffic arriving at the unit where context A is standby is forwarded over the trunk to the unit where context A is active; outbound session traffic leaves toward the client on VLANs Y/Z.]

In the active/active topology, when an interface configured with the asr-group command receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, and the incoming traffic originated on a peer unit that was active for the context, some or all of the Layer 2 header is rewritten and the packet is redirected to the active peer. The figure shows that the traffic is forwarded through the outside interface of context A on the unit where context A is in the standby state and returns through the outside interface of context A on the unit where context A is in the active state. This redirection continues as long as the session is active.
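The configuration below is an added example, not from the course, covering both the single-unit and the active/active cases above: a context whose two provider-facing interfaces share asr-group 1, and the system execution space that splits contexts A and B across two failover groups with preemption. Interface names, VLAN numbers and addresses are assumed.

```cisco
! Added example. Interface names, VLAN numbers and addresses are
! assumed; only the asr-group and failover group mechanisms are from
! the course text.

! --- Context A (routed mode): two provider-facing interfaces ---
! Both carry ASR group 1, so a SYN-ACK that returns on out-two for a
! session that left via out-one is matched against out-one's session
! table and re-injected instead of being dropped.
interface Vlan10
  nameif out-one
  security-level 0
  ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
  asr-group 1
interface Vlan20
  nameif out-two
  security-level 0
  ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
  asr-group 1
interface Vlan100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! Outbound traffic normally leaves via out-one; the second provider
! may still deliver the return path via out-two (no NAT on the
! connection, so the provider sees the real inside source address).
route out-one 0.0.0.0 0.0.0.0 192.0.2.254
route out-two 203.0.113.0 255.255.255.0 198.51.100.254

! --- System execution space: active/active failover groups ---
! Two identical FWSMs joined by a dedicated failover VLAN plus a
! state VLAN. Group 1 is active on the primary unit, group 2 on the
! secondary; "preempt" lets the unit with the higher priority take
! its group back after recovering from a failure.
failover lan unit primary
failover lan interface folink vlan 1201
failover link statelink vlan 1202
failover interface ip folink 10.255.1.1 255.255.255.0 standby 10.255.1.2
failover interface ip statelink 10.255.2.1 255.255.255.0 standby 10.255.2.2
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
context ctxA
  allocate-interface vlan10
  allocate-interface vlan20
  allocate-interface vlan100
  config-url disk:/ctxA.cfg
  join-failover-group 1
context ctxB
  allocate-interface vlan30
  allocate-interface vlan40
  allocate-interface vlan101
  config-url disk:/ctxB.cfg
  join-failover-group 2
failover
```

With the same asr-group number on the corresponding interfaces of context A on both units, a return packet that lands on the standby unit's interface is redirected over the failover link to the active unit, as described above.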
Performance Scaling with Multiple FWSMs

For high throughput, up to four FWSMs can be installed in a single chassis using an active/active design. This section discusses two methods to load balance multiple FWSMs:

1. Traffic engineering mechanisms, such as policy-based routing (PBR), to selectively steer traffic through multiple FWSMs
2. Routing, such as static or Equal Cost Multipath (ECMP) routing, to direct flows per FWSM

Example: Load Balancing FWSMs Using Policy-Based Routing

[Figure: Load Balancing FWSMs Using Policy-Based Routing. A gateway router in front of two Catalyst 6500 chassis, each holding an MSFC and two FWSMs, with the server farm behind them.]

- Routing is not by destination address: it can use the source IP address or application type.
- Can support redundant paths.
- Can support asymmetric routing.

PBR is a mechanism for implementing packet forwarding and routing according to policies defined by the network administrator instead of paths selected by traditional routing methods. Instead of routing by the destination address as determined by a routing protocol, PBR uses more flexible methods, such as source IP addresses or application types, to match on the identity of the user and then selects the forwarding path. A redundant path can be configured in the event of a link failure or the device going down.

The figure shows load balancing multiple FWSMs in an active/active design using PBR supported by the gateway router. A source-based selection method is used to determine the destination firewall path. This is a static load sharing method based on class maps and route maps to divide traffic among multiple FWSMs. The route maps are configured with redundancy so that if the first FWSM goes down, a backup FWSM is used.
Example: Load Balancing FWSMs Using Equal Cost Multipath Routing

[Figure: Load Balancing FWSMs Using Equal Cost Multipath Routing. Two Catalyst 6500 chassis, each with an MSFC and two FWSMs, in front of the server farm.]

- Routing is by source address.
- Selectively routes traffic through each FWSM.
- Can support asymmetric routing.

Static routing or ECMP routing can also be used to selectively route traffic through each of the FWSMs. Care must be taken to ensure that the return path goes through the same firewall, or that the FWSMs support asymmetric routing in an active/active design. The figure shows load balancing multiple FWSMs in an active/active design using ECMP routing. The standard destination-based selection method is used by the routing protocol to determine which FWSM to use. If a FWSM goes down, the routing protocol will automatically load balance the traffic across the remaining FWSMs.
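As an added example that is not part of the course, the MSFC configuration below shows the two methods side by side: a source-based PBR route map with a tracked backup next hop, and tracked equal-cost static routes, each spreading flows across three FWSM outside interfaces. Prefixes, next-hop addresses and the IP SLA tracking (whose exact command syntax varies by IOS release) are assumed.

```cisco
! Added example for the Catalyst 6500 MSFC acting as the gateway in
! front of three active/active FWSMs. All addresses are assumed.
! Each FWSM's outside interface answers on 192.168.1.11/.12/.13.

! Reachability tracking so that a dead FWSM is taken out of both the
! PBR next-hop list and the ECMP route set (syntax varies by release).
ip sla 1
 icmp-echo 192.168.1.11
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.12
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 192.168.1.13
ip sla schedule 3 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
! --- Method 1: PBR, static source-based load sharing with backup ---
! Traffic is classed by source address rather than destination; each
! class is steered to its own FWSM, and the second next hop in each
! route-map entry is used only when the first is no longer reachable.
ip access-list extended SOURCES-A
 permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended SOURCES-B
 permit ip 10.20.0.0 0.0.255.255 any
ip access-list extended SOURCES-C
 permit ip 10.30.0.0 0.0.255.255 any
!
route-map FWSM-STEER permit 10
 match ip address SOURCES-A
 set ip next-hop verify-availability 192.168.1.11 10 track 1
 set ip next-hop verify-availability 192.168.1.12 20 track 2
route-map FWSM-STEER permit 20
 match ip address SOURCES-B
 set ip next-hop verify-availability 192.168.1.12 10 track 2
 set ip next-hop verify-availability 192.168.1.13 20 track 3
route-map FWSM-STEER permit 30
 match ip address SOURCES-C
 set ip next-hop verify-availability 192.168.1.13 10 track 3
 set ip next-hop verify-availability 192.168.1.11 20 track 1
!
interface Vlan100
 description ingress VLAN from the outside gateway
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map FWSM-STEER
!
! --- Method 2: ECMP static routes to the server farm ---
! Three equal-cost routes to the server-farm prefix, one per FWSM.
! CEF load-shares flows across them by destination-based hashing,
! and a tracked route is withdrawn when its FWSM stops answering.
! Because a flow's return path is not guaranteed to hit the same
! FWSM, the FWSMs must run in active/active mode with ASR groups.
ip route 10.100.0.0 255.255.0.0 192.168.1.11 track 1
ip route 10.100.0.0 255.255.0.0 192.168.1.12 track 2
ip route 10.100.0.0 255.255.0.0 192.168.1.13 track 3
```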
Private VLAN Security

PVLAN Review

This topic discusses how private VLANs (PVLANs) can be used to provide security in the enterprise campus. PVLANs allow Layer 2 isolation between ports within a VLAN.

[Figure: Private VLAN Review. A promiscuous port on the primary VLAN; two community VLANs (Community A and Community B) and an isolated VLAN with isolated ports, with x marks on the blocked paths.]

In a regular VLAN, all ports can communicate. PVLANs provide Layer 2 isolation between the ports within the same private VLAN without having to rely on separate VLANs for each port and on subnetting. PVLANs provide a logical separation of the network that keeps traffic isolated.

The ports that belong to a private VLAN are associated with a set of primary, community, and isolated VLANs that are used to create the private VLAN structure. A private VLAN domain has one primary VLAN. Every port in a private VLAN domain is a member of the primary VLAN. Secondary VLANs provide Layer 2 isolation between ports within the same private VLAN domain. There are two types of secondary VLANs:

- Isolated VLANs: Ports within an isolated VLAN cannot communicate with each other at Layer 2.
- Community VLANs: Ports within a community VLAN can communicate with each other, but cannot communicate with ports in other communities at Layer 2.

There are three types of private VLAN ports:

- Promiscuous: This port communicates with all other private VLAN ports and is the port used to communicate with network devices, including routers, backup servers, and administrative workstations. This port listens to the secondary VLANs and sends traffic using the primary VLAN.
- Isolated: This port has complete Layer 2 separation from the other ports within the same private VLAN, with the exception of the promiscuous port. Isolated ports use a secondary VLAN to send traffic out and block any traffic coming from the secondary VLAN. All the isolated ports in the system can share the same secondary VLAN.
- Community: These ports communicate among themselves and with their promiscuous ports. These ports are isolated at Layer 2 from all other ports in other communities and from isolated ports. A separate secondary VLAN is allocated for each community.

Note: If a broadcast or multicast packet comes from the promiscuous port, it is sent to all the ports in the private VLAN domain, including all community and isolated ports.
FWSM in PVLAN Environment - Isolated Ports

The FWSM 3.1 supports private VLANs with Cisco IOS Software 12.2(18)SXF.

[Figure: FWSM in PVLAN Environment, Isolated Ports on FWSM in Routed Mode. The MSFC connects to the FWSM over VLAN 822; the FWSM (Layer 3, routed mode) holds primary VLAN 500, whose secondary VLAN 1000 carries the isolated ports at Layer 2.]

- PVLANs are popular in DMZ and server farms.
- The primary VLAN is assigned to the FWSM.
- Primary and secondary VLAN mappings are provided by the MSFC.
- Hosts in the isolated PVLAN are segregated.
- The FWSM will not route packets back out the interface they came in from.

PVLANs provide an easy way to implement Layer 2 traffic segregation within a VLAN. This feature is popular in DMZ and server farm designs. On a Cisco Catalyst 6500 Series switch, the primary and secondary VLANs are configured on the supervisor. From the perspective of the Multilayer Switch Feature Card (MSFC) router integrated in the switch, the FWSM is sitting on a promiscuous port and sees all traffic to and from the PVLAN. Only the primary VLAN is assigned to the FWSM, but it is made aware of the primary and secondary VLAN mappings through the MSFC. The FWSM automatically supports isolation of the secondary VLAN traffic to the community and isolated VLANs. The FWSM acts as a gateway between hosts on the PVLANs and the outside world.

The figure illustrates the use of PVLANs supporting isolated ports with the FWSM in routed mode. Isolated ports are separated at Layer 2 by the switch processor. Outbound traffic from an isolated port is sent by the FWSM to the MSFC, which routes the traffic appropriately. The FWSM will not forward traffic between isolated ports, since the FWSM will not route packets back out the interface they came in from. Inbound traffic for the isolated port is sent by the MSFC to the FWSM, which sends it to the switch processor. The switch processor forwards the packets to the isolated port based on MAC address.
FWSM in PVLAN Environment - Community VLANs

Community VLANs are supported by Layer 2 functions in the switch processor.

[Figure: FWSM in PVLAN Environment, Community Ports on FWSM in Routed Mode. The MSFC connects to the FWSM over VLAN 822; the FWSM (Layer 3, routed mode) holds primary VLAN 500 with secondary VLANs 501 and 1000; the community VLAN ports are switched at Layer 2.]

Hosts in the community PVLAN can communicate with each other:
- Outbound traffic is seen by all devices in the VLAN.
- Inbound traffic is forwarded by the FWSM to the community VLAN.

The figure illustrates the use of community VLANs with the FWSM in routed mode. Community ports are interconnected at Layer 2 by the switch processor. Outbound traffic from a community port is seen by all devices on the community VLAN, including the FWSM. The FWSM will forward outbound traffic to the MSFC, which routes the traffic appropriately. Inbound traffic for the community port is sent by the MSFC to the FWSM, which sends it to the community VLAN. The Layer 2 switch processor forwards to the appropriate community port or ports based on MAC address.
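An added example, not from the course, of the isolated and community cases above on a Catalyst 6500 with an FWSM: primary VLAN 500, secondary VLANs 501 and 1000 and FWSM VLAN 822 follow the figures; port numbers, the module slot and addresses are assumed.

```cisco
! Added example. VLAN numbers come from the figures; interface and
! slot numbers and IP addresses are assumed.

! --- Catalyst 6500 supervisor: the private VLAN structure ---
! (PVLANs require VTP transparent mode on this software.)
vtp mode transparent
vlan 500
 private-vlan primary
 private-vlan association 501,1000
vlan 501
 private-vlan community
vlan 1000
 private-vlan isolated
!
! Host ports. Isolated hosts (VLAN 1000) reach only the promiscuous
! side, i.e. the FWSM; community hosts (VLAN 501) also reach each
! other at Layer 2 through the switch processor.
interface GigabitEthernet3/1
 description isolated server
 switchport mode private-vlan host
 switchport private-vlan host-association 500 1000
interface GigabitEthernet3/2
 description community server 1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
interface GigabitEthernet3/3
 description community server 2
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
!
! --- Hand VLANs to the FWSM in slot 4 ---
! Only the primary VLAN (500) plus the MSFC-facing VLAN (822) are
! assigned. The module learns the 500 -> 501/1000 mapping from the
! supervisor and behaves as the promiscuous port of the domain.
firewall vlan-group 10 500,822
firewall module 4 vlan-group 10
!
! --- FWSM context (routed mode) ---
! Because the FWSM never routes a packet back out the interface it
! arrived on, two isolated hosts cannot reach each other through it;
! traffic from an isolated host goes only to the MSFC via VLAN 822.
interface Vlan822
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
interface Vlan500
 nameif pvlan-dmz
 security-level 50
 ip address 10.50.0.1 255.255.255.0
```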
Zone-Based Policy Firewall

The zone-based policy firewall configuration model is a new design model supported by the Cisco IOS Firewall feature set.

[Figure: Zone-Based Policy Firewall. An access router with three zones: DMZ, Untrusted, and Trusted.]

ZPF is a new Cisco IOS Firewall configuration model:
- Interfaces are assigned to zones.
- Policies are applied to traffic moving between zones, not interfaces.

ZPF is more flexible and more easily understood:
- Firewall configuration and troubleshooting are based on the explicit policy on inter-zone traffic.
- The default policy is to deny all traffic between zones.
- Multiple traffic classes and actions can be applied per zone pair.

Zone-based policy firewall (ZPF) changes the design model from the older interface-based model to a zone-based configuration model. The ZPF configuration model assigns interfaces to zones and applies an inspection policy to traffic moving between the zones. Zones establish the security borders of the network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network. A security zone is configured for each region of relative security within the network, so that all interfaces that are assigned to the same zone are protected with a similar level of security. For example, the figure shows an access router with three interfaces, each assigned to its own zone:

- One interface connected to the public Internet
- One interface connected to a private trusted LAN that must not be accessible from the public untrusted Internet
- One interface connected to an Internet service demilitarized zone (DMZ), where a Web server, Domain Name System (DNS) server, and e-mail server must be accessible to the public Internet

In this figure, each zone holds only one interface. If an additional interface is added to the private zone, the hosts connected to the new interface in the zone would be able to pass traffic to all hosts on the existing interface in the same zone. Traffic to hosts in other zones would be similarly affected by existing policies.

ZPF allows a more flexible, more easily understood configuration model. Firewall policy troubleshooting is based on the explicit policy on inter-zone traffic. The ZPF default policy between zones is to deny all. If no policy is explicitly configured, all traffic moving between zones is blocked. This is a significant departure from the stateful inspection model, in which traffic was implicitly allowed unless it was explicitly blocked with an access control list (ACL). Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface. Multiple traffic classes and actions can be applied per zone pair.
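The router configuration below is an added example, not from the course, of the three-zone access router in the figure: interfaces are placed in zones, inspection policies are attached to directional zone pairs, and any pair without a policy (such as untrusted to trusted) stays under the default deny. Interface numbers, addresses and the permitted protocols are assumed.

```cisco
! Added example of Cisco IOS zone-based policy firewall. Zone names
! follow the figure; interfaces, addresses and protocols are assumed.

zone security trusted
zone security untrusted
zone security dmz
!
! Each interface belongs to exactly one zone. Interfaces in the same
! zone pass traffic freely; traffic between zones needs a zone pair.
interface FastEthernet0/0
 description public Internet
 ip address 203.0.113.2 255.255.255.252
 zone-member security untrusted
interface FastEthernet0/1
 description private trusted LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security trusted
interface FastEthernet1/0
 description Internet service DMZ
 ip address 192.0.2.1 255.255.255.0
 zone-member security dmz
!
! Traffic classes the policies can match on.
class-map type inspect match-any LAN-TO-INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
class-map type inspect match-any PUBLIC-TO-DMZ
 match protocol http
 match protocol dns
 match protocol smtp
!
! "inspect" is stateful: replies to inspected sessions are allowed
! back without a reverse zone pair. Everything else in the pair is
! dropped explicitly by class-default (the same as the default deny).
policy-map type inspect TRUSTED-OUT
 class type inspect LAN-TO-INTERNET
  inspect
 class class-default
  drop
policy-map type inspect DMZ-IN
 class type inspect PUBLIC-TO-DMZ
  inspect
 class class-default
  drop
!
! Zone pairs are directional. No pair is defined for untrusted ->
! trusted or for dmz -> trusted, so those directions are denied.
zone-pair security TRUSTED-UNTRUSTED source trusted destination untrusted
 service-policy type inspect TRUSTED-OUT
zone-pair security UNTRUSTED-DMZ source untrusted destination dmz
 service-policy type inspect DMZ-IN
```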
Summary

This topic summarizes the key points discussed in this lesson.

- In the traditional routed mode, the firewall is considered to be a Layer 3 device. In transparent mode, the firewall is a Layer 2 device.
- A VFW separates multiple firewall security contexts on a single firewall.
- The active/active firewall topology uses two firewalls that are both actively providing firewall services.
- FWSM 3.1 supports asymmetric routing.
- Firewall performance can be scaled using up to four FWSMs in a chassis with load balancing.
- PVLANs allow Layer 2 isolation between ports within a VLAN.
- The zone-based policy firewall model applies an inspection policy to traffic moving between the zones.
Lesson 2

Network Admission Control Design

Overview

Network admission control (NAC) is a set of technologies and solutions built on an industry initiative led by Cisco Systems. NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.

Lesson Objectives

Upon completing this lesson, you will be able to discuss and design network admission control services. This ability includes being able to meet these objectives:

- Discuss methods to provide network security with access control
- Discuss NAC Appliance fundamentals
- Describe NAC Appliance deployment options
- Describe NAC Appliance designs
- Discuss the NAC Framework
- Describe Cisco client security software
Network Security with Access Control

Network security services can be enhanced with access control.

[Figure: Network Access Control. Edge access control is enforced at the access switches.]

Identity-Based Networking Services (IBNS):
- Identifies and authenticates the user or device on the network and ensures access to the correct network resources.
- 802.1X provides port-based access control and operates at Layer 2.

Network Admission Control (NAC):
- Performs posture validation to ensure that only compliant machines can connect to the network.
- NAC provides posture assessment and device containment at Layer 3 or Layer 2.

IBNS and NAC are complementary functions.

Cisco Identity Based Networking Services (IBNS) is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. The Cisco IBNS solution enables greater security while simultaneously offering cost-effective management of changes throughout the organization. The IBNS framework allows enterprises to manage user mobility and reduce the overhead costs associated with granting and managing access to network resources. 802.1x authenticates clients requesting Layer 2 (link layer) access to the network. However, with IBNS, users and devices are authenticated and allowed admission to the network based on who or what they are, but not on their condition.

Network Admission Control (NAC) helps ensure that only healthy client devices, such as workstations and end-user PCs, are granted full network access. The Cisco NAC agent loaded on the client device queries antivirus, patch management, and personal firewall client software to assess the condition, or posture, of a client device before allowing that device network access. NAC helps ensure that a network client has an up-to-date virus signature set and the most current operating system patches, and is not infected. If the client requires an antivirus signature update or an operating system update, NAC directs the client to complete the necessary updates before allowing access to the protected network resources. If the client has been compromised or if a virus outbreak is occurring on the network, NAC places the client into a quarantined network segment. After the client has completed its update process or disinfection, the client is checked again. Clients with a healthy status are permitted normal network access.

IBNS/802.1x and NAC provide complementary functions: user authentication and posture validation.
Network Admission Control Comparison

This section compares NAC Appliance and NAC Framework.

[Figure: Network Admission Control Comparison. Cisco NAC Framework: hosts attempting network access run the Cisco Posture Agent, which sends credentials (EAP/UDP, EAP/802.1x) to the network access devices; these relay them over RADIUS to the policy server/AAA server, which checks compliance with vendor servers over HTTPS and returns access rights and a notification. Cisco NAC Appliance: the Cisco NAA sends credentials (UDP discovery, SSL) to the Cisco NAS, which the Cisco NAM controls over SNMP and which decides "comply or fix" using the Cisco.com update server (Windows, Symantec, McAfee, Trend, Sophos, Zone, CA, etc.).]

Cisco supports two flavors of NAC:

- The Cisco NAC Framework is a technology standard that integrates an intelligent network infrastructure with solutions from more than 60 manufacturers of leading antivirus and other security and management software to enforce security policy compliance on all devices seeking to access network computing resources. The Cisco NAC Framework consists of embedded software modules within NAC-enabled products that provide ubiquitous enforcement across all network access methods. Posture information can be gathered and access policy enforced for hosts attempting network access through routers, switches, wireless access points, and VPN concentrators. The NAC Framework leverages multiple Cisco and NAC-aware vendor products.

- Cisco NAC Appliance (formerly called Cisco Clean Access) is a turnkey solution for controlling and securing networks. The Cisco NAC Appliance condenses NAC capabilities into an appliance form. The Cisco NAC Appliance client, server, and manager products allow network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, IP phones, personal digital assistants, or printers are compliant with an organization's security policies, and repairs any vulnerabilities before permitting access to the network.
NAC Appliance Fundamentals

This topic discusses fundamentals of the Cisco NAC Appliance, including components and terminology.

NAC Appliance Components

The Cisco NAC Appliance is an admission control and compliance enforcement solution.

- Cisco NAC Appliance Manager (Cisco NAM): Centralizes management for administrators, support personnel, and operators.
- Cisco NAC Appliance Server (Cisco NAS): Serves as an in-band or out-of-band device for network access control.
- Cisco NAC Appliance Agent (Cisco NAA): Provides an optional Windows-based read-only client that validates what must or must not be running before a host is allowed network access.
- Rule-set Updates: Supports scheduled automatic updates for antivirus, critical hot-fixes, and other applications.

There are four components comprising the Cisco NAC Appliance:

- Cisco NAC Appliance Manager (Cisco NAM): Administration server for the Cisco NAC Appliance deployment, where the policies are defined. The secure web console of the Cisco NAM is the single point of management for up to 20 Cisco NAC Appliance Servers in a deployment (or 40 NASes in a Super-NAM installation). The NAM acts as the authentication proxy to the authentication servers that reside on the back end. For Out-of-Band (OOB) deployment, the NAM console allows control of switches and VLAN assignment of user ports through the use of SNMP.

- Cisco NAC Appliance Server (Cisco NAS): Enforcement server between the untrusted (managed) network and the trusted network. The Cisco NAS enforces the policies defined in the NAM web console, including network access privileges, authentication requirements, bandwidth restrictions, and Cisco NAC Appliance system requirements. It can be deployed in-band (always inline with user traffic) or out-of-band (inline with user traffic only during authentication and posture assessment). It can also be deployed in Layer 2 mode (users are Layer 2-adjacent to the NAS) or Layer 3 mode (users are multiple Layer 3 hops away from the NAS).
- Cisco NAC Appliance Agent (Cisco NAA): Optional read-only agent that resides on Windows clients. The Cisco NAA checks applications, files, services, or registry keys to ensure that clients meet specified network and software requirements prior to gaining access to the network.

- NAC Appliance Policy Updates: Regular updates of pre-packaged policies and rules that can be used to check the up-to-date status of operating systems, antivirus, antispyware, and other client software. The Cisco NAC Appliance Policy Updates currently provide built-in support for 24 antivirus vendors and 17 antispyware vendors.

Example: Cisco NAC Appliance Policy Updates

[Figure: Clean Access Policy Updates. Critical Windows Updates (Windows XP, Windows 2000, Windows 98, Windows ME); Anti-Virus Updates; Anti-Spyware Updates; Other 3rd-Party Checks (Cisco Security Agent). Note: customers can easily add customized checks.]

Automatic security policy updates provided by Cisco as part of the standard software maintenance package deliver predefined policies for the most common network access criteria, including policies that check for critical operating system updates, common antivirus software virus definition updates, and common antispyware definition updates. The figure shows some of the software applications supported. The Cisco NAC Appliance is preconfigured to offer policy checks for more than 200 applications from 50 vendors.

Note: For the latest supported applications, please review the release notes under "Clean Access Supported AV/AS Product List".

In addition to the preconfigured checks, the customer has full access to the Cisco NAC Appliance rules engine and can create any custom check or rule for any other third-party application.
Example: Process Flow with NAC Appliance

[Figure: Process Flow with NAC Appliance. NAM, authentication server, NAS and the intranet/network; step 1: end user attempts to access the network; step 2: user is redirected to a login page; step 3a: device is noncompliant or login is incorrect, quarantine role; step 3b: device is clean.]

The figure illustrates the process flow with NAC Appliance:

1. The end user attempts to access a Web page or use the intranet.
2. The user is redirected to a login page. The NAC Appliance validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. If the device is noncompliant with corporate policies or the login is incorrect, the user is denied access to the network and assigned to a quarantine role with access only to online remediation resources.

Note: After remediation, the user returns to step 2 for validation and scanning.

3b. If the login is correct and the device is compliant with the policies, the device is placed on the certified devices list and is granted access to the network.
NAS Scaling

This topic looks at scaling servers and managers in the NAC Appliance solution.

NAC Appliance Solution Sizing (users are online, concurrent users):
- Super Manager: manages up to 40 enterprise and branch servers, 1500 or 2500 users each.
- Standard Manager: manages up to 20 enterprise and branch servers, 1500 or 2500 users each.
- Manager Lite: manages up to 3 branch office or SMB servers, 100, 250 or 500 users each.

There are three levels of NAM for supporting NAC Appliance solutions:

- Cisco NAC Appliance Lite Manager manages up to 3 NAS supporting 100, 250, or 500 users per server.
- Cisco NAC Appliance Standard Manager manages up to 20 NAS supporting 1500 or 2500 users per server.
- Cisco NAC Appliance Super Manager manages up to 40 NAS supporting 1500 or 2500 users per server.
Server Scaling Numbers

Figure: Server Scaling Numbers. Values apply to concurrent posture-assessed users only, NOT concurrent devices. Bandwidth is the least important calculation for determining how many users a NAS can support; the factors listed below are what matter.

The number of users supported on a server is a measure of concurrent users that have been scanned for posture compliance, not of network devices such as printers or IP phones. The number of users supported per server is influenced by many factors that consume CPU and server resources:
- Number of new user authentications per second
- Number of posture assessments per second
- How many checks are in each posture assessment
- Number of agentless network scans per second
- Number of plug-ins per scan
- Rescan timer intervals
- Per-role and total online timer intervals
- Bandwidth controls
- Filters and access controls

Note: Interface bandwidth is the least important calculation for determining how many users a NAS can support.
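The sizing figures above lend themselves to a small planning helper. The following is an added example, not Cisco code or a Cisco sizing tool: it takes concurrent posture-assessed users per site (not device counts), picks the number of NAS per site for a chosen server size, and selects the smallest manager tier from the sizing slide that licenses that size and can manage that many servers. Two things it assumes that the page does not state: the manager limit counts active servers only, and a redundant design adds one standby peer per active NAS.

```python
"""NAC Appliance sizing helper (added example, not Cisco code).

Assumptions not stated on the page: the manager's server limit counts active
NAS only, and a redundant design doubles the appliance count (one standby
peer per active NAS). Inputs are concurrent posture-assessed users per site.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (tier name, max NAS managed, licensed concurrent users per NAS), per the sizing slide.
MANAGER_TIERS: Tuple[Tuple[str, int, Tuple[int, ...]], ...] = (
    ("Cisco NAC Appliance Lite Manager", 3, (100, 250, 500)),
    ("Cisco NAC Appliance Standard Manager", 20, (1500, 2500)),
    ("Cisco NAC Appliance Super Manager", 40, (1500, 2500)),
)


def servers_for_site(concurrent_users: int, users_per_server: int) -> int:
    """Active NAS needed at one site so every concurrent user fits on a server."""
    if users_per_server <= 0:
        raise ValueError("users_per_server must be positive")
    if concurrent_users <= 0:
        return 0
    return -(-concurrent_users // users_per_server)  # ceiling division


@dataclass
class SizingPlan:
    active_servers: int       # NAS actually serving users
    appliances: int           # NAS boxes in total (x2 when redundant; assumption)
    manager: Optional[str]    # smallest tier that fits, None if none does
    per_site: Dict[str, int]  # active NAS per site


def size_deployment(sites: Dict[str, int], users_per_server: int,
                    redundant: bool = True) -> SizingPlan:
    """Compute NAS per site and the smallest manager tier that fits the total."""
    per_site = {name: servers_for_site(users, users_per_server)
                for name, users in sites.items()}
    active = sum(per_site.values())
    manager = None
    for name, max_servers, sizes in MANAGER_TIERS:
        # The tier must license the chosen server size and manage enough NAS.
        if users_per_server in sizes and active <= max_servers:
            manager = name
            break
    appliances = active * 2 if redundant else active
    return SizingPlan(active, appliances, manager, per_site)


if __name__ == "__main__":
    # Constructed sample: concurrent posture-assessed users per site.
    print(size_deployment({"HQ": 4000, "Branch-A": 900}, users_per_server=2500))
```

A `manager` of `None` means no tier on the slide licenses the requested server size for that many servers (for example, 125 servers of 500 users), which is the cue to revisit the server size rather than the site list.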
NAS Deployment Options

This topic describes the deployment options for the NAS.

Figure: NAS Deployment Options
- Virtual or real gateway mode
- In-band or out-of-band operating mode
- Layer 2 or Layer 3 client access deployment
- Central or edge deployment

There are four deployment variables with NAS deployments:
- Virtual gateway or real gateway, which determines whether the NAS acts as a Layer 2 or Layer 3 device in the network.
- In-band or out-of-band operating mode, which defines when traffic flows through the NAS.
- Layer 2 or Layer 3 client access mode, which defines whether user devices are Layer 2 or Layer 3 adjacent to the NAS.
- Central or edge physical deployment, which determines whether the NAS device is physically inline with the traffic path.

Note: These variables are discussed in this section.
NAS Gateway Modes

There are three NAS gateway modes.

Figure: NAS Gateway Modes. Virtual Gateway: NAS bridging toward the Intranet/Network. Real-IP Gateway and NAT Gateway: NAS routing toward the Intranet/Network.

The NAS can operate as a logical Layer 2 or Layer 3 network device depending on the gateway mode configured:
- In Virtual Gateway mode, the NAS operates as a standard Layer 2 Ethernet bridge, but with added functionality provided by the IP filter and IP Security (IPsec) module. This configuration is typically used when the untrusted network already has a Layer 3 gateway, and is the most common deployment option.
- In Real-IP Gateway mode, the NAS operates as the Layer 3 default gateway for untrusted network (managed) clients. All traffic between the untrusted and trusted network passes through the NAS, which applies the IP filtering rules, access policies, and any other traffic handling mechanisms that are configured. The NAS is designated as a static route for the managed subnet, and can perform DHCP services or act as a DHCP relay.
- In NAT Gateway mode, the NAS functions similarly to the Real-IP Gateway configuration as a Layer 3 gateway, but adds Network Address Translation (NAT) services. With NAT, clients are assigned IP addresses dynamically from a private address pool. The NAS performs the translation between the private and public addresses as traffic is routed between the untrusted (managed) and external network. The NAS supports standard dynamic NAT and 1:1 NAT. In 1:1 NAT, there is a one-to-one correlation between public and private addresses. With 1:1 NAT, port numbers as well as IP addresses can be mapped for translation.

Note: The NAT Gateway mode is primarily intended to facilitate testing, as it requires the least amount of network configuration and is easy to set up initially. However, because it is limited in the number of connections it can handle, NAT Gateway mode (in-band or out-of-band) is not supported for production deployment.
The installation type and operating mode determine the services the NAS will provide. For example, the NAS can operate as a bridge between the untrusted and trusted network, or it can operate as a gateway for the untrusted network.

NAS Operating Modes

The NAS has two traffic flow deployment models, in-band (IB) or out-of-band (OOB).

Figure: NAS Operating Modes
- In-Band: Easiest deployment. NAS remains in traffic path. Ongoing ACL filtering and role-based access control. (VLAN 10 / VLAN 110 through the NAS.)
- Out-of-Band: NAS in traffic path only during posture assessment. VLAN port-based and role-based access control. ACL filtering during posture assessment. (Access port moves between VLAN 110 and VLAN 10.)
Note: IB is supported on any switch, hub, or access point. OOB is supported on common Cisco switches.

Any NAS can be configured for either method, but a NAS can only be one at a time. Selection of mode is based on whether the customer wants to remove the NAS from the data path after posture assessment.

IB traffic flow is the easiest deployment option. The NAS remains in the traffic path before and after posture assessment. In-band operation provides ongoing ACL filtering and bandwidth throttling as well as role-based access control.

OOB traffic flow has the NAS in the traffic path only during the posture assessment. OOB mode provides port VLAN-based and role-based access control. ACL filtering and bandwidth throttling are provided only during posture assessment.

Note: IB is supported with the NAS connected to any switch, hub, or access point. OOB is supported with the NAS connected to most common Cisco switches with recent software releases.
NAS Client Access Modes

This section discusses the NAS client access deployment modes.

Figure: NAS Client Access Modes
- Layer 2 Mode: MAC address of client is used to identify the device. Most common deployment mode for LANs. (Client on VLAN 110 directly adjacent to the NAS, mapped to VLAN 10.)
- Layer 3 Mode: IP and MAC address of client are needed to identify the device. (A Layer 3 hop sits between the client and the NAS on VLAN 110.)
- Client access mode is independent from NAS operating mode. NAS can be configured for either mode, but only one at a time.

The client access deployment mode selection is based on whether the client is Layer 2 adjacent to the NAS:
- Layer 2 Mode. The MAC address of the client device is used to uniquely identify the device. This mode supports both Virtual Gateway and Real-IP Gateway operations in both IB and OOB deployments. This is the most common deployment model for LANs.
- Layer 3 Mode. The client device is not Layer 2 adjacent to the NAS. The IP address (and, starting with NAA v. 4 in Layer 3 OOB applications, the MAC address) of the client is used to identify the device. This mode supports both Virtual Gateway and Real-IP Gateway operations with IB and OOB deployments.

Any NAS can be configured for either client access method, but a NAS can only be one at a time. Client access mode is configured independently from NAS operating mode.
Physical Deployment Models

This section discusses the NAS physical deployment modes that affect the physical traffic path.

Figure: NAS Physical Deployment Models
- Edge: NAS is physically and logically in the traffic path. VLAN IDs are passed through the NAS (VLAN 10 on both sides).
- Central: Most common option. NAS is logically inline, but not physically inline. VLAN IDs are mapped across the NAS (VLAN 110, 120 on the untrusted side to VLAN 10, 20 on the trusted side). Most scalable option.

The edge deployment model is the easiest physical deployment option to understand. The NAS is physically and logically inline with the traffic path. VLAN IDs are passed straight through the device when in virtual gateway mode. This deployment option can become complex when there are multiple access closets.

The central deployment model is the most common option and the easiest deployment option. In this option, the NAS is logically inline, but not physically inline. The VLAN IDs need to be mapped across the NAS when in virtual gateway mode. This deployment option is the most scalable option for large environments, as each NAS can support devices from multiple access switches.
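The four deployment variables interact, and the constraints stated in the preceding pages (NAT gateway mode is not for production; out-of-band needs a supported Cisco switch while in-band works behind any switch, hub, or access point; Layer 2 client access needs Layer 2 adjacency; central placement with a virtual gateway needs VLAN mapping; edge placement grows complex with many closets) can be checked mechanically before a NAS is ordered or cabled. The following is an added example, not Cisco code: the `NasPlan` fields, finding strings, and the supported-switch set (taken from the Layer 2 out-of-band page later in this lesson) are this example's own.

```python
"""Consistency checks for a NAS deployment plan (added example, not Cisco code).

Encodes the design constraints stated in this lesson; the plan fields and the
finding texts are this example's own.
"""
from dataclasses import dataclass
from typing import List

# Catalyst families the lesson lists as supported OOB switches (with the
# appropriate software image).
OOB_SUPPORTED_SWITCHES = {"2950", "2960", "3500XL", "3550", "3560", "3750", "4500", "6500"}


@dataclass
class NasPlan:
    name: str
    gateway_mode: str                      # "virtual", "real_ip" or "nat"
    operating_mode: str                    # "in_band" or "out_of_band"
    client_access: str                     # "layer2" or "layer3"
    physical: str                          # "central" or "edge"
    production: bool = True
    client_l2_adjacent: bool = True        # clients share a Layer 2 segment with the NAS
    untrusted_has_l3_gateway: bool = True  # a Layer 3 gateway already serves the clients
    access_device: str = "switch"          # "switch", "hub" or "access_point"
    switch_model: str = ""                 # Catalyst family, e.g. "3750"
    access_closets: int = 1


def validate_plan(p: NasPlan) -> List[str]:
    """Return ERROR/WARN/INFO findings; no ERROR lines means the plan is deployable."""
    f: List[str] = []
    if p.gateway_mode not in ("virtual", "real_ip", "nat"):
        f.append(f"ERROR {p.name}: unknown gateway mode {p.gateway_mode!r}")
    if p.operating_mode not in ("in_band", "out_of_band"):
        f.append(f"ERROR {p.name}: unknown operating mode {p.operating_mode!r}")
    if p.client_access not in ("layer2", "layer3"):
        f.append(f"ERROR {p.name}: unknown client access mode {p.client_access!r}")
    if p.physical not in ("central", "edge"):
        f.append(f"ERROR {p.name}: unknown physical placement {p.physical!r}")

    # Gateway mode: NAT is for testing; virtual expects an existing L3 gateway.
    if p.gateway_mode == "nat" and p.production:
        f.append(f"ERROR {p.name}: NAT Gateway mode is for testing only and is not supported for production")
    if p.gateway_mode == "virtual" and not p.untrusted_has_l3_gateway:
        f.append(f"WARN {p.name}: Virtual Gateway bridges at Layer 2 and expects an existing Layer 3 gateway for clients")
    if p.gateway_mode == "real_ip":
        f.append(f"INFO {p.name}: Real-IP Gateway makes the NAS the clients' default gateway and DHCP server/relay; addressing changes")

    # Operating mode: OOB only with a supported Cisco switch.
    if p.operating_mode == "out_of_band":
        if p.access_device != "switch":
            f.append(f"ERROR {p.name}: out-of-band needs a supported Cisco switch; hubs and access points are in-band only")
        elif p.switch_model not in OOB_SUPPORTED_SWITCHES:
            f.append(f"ERROR {p.name}: Catalyst {p.switch_model or '?'} is not on the supported OOB switch list")

    # Client access mode: Layer 2 identifies clients by MAC, so it needs adjacency.
    if p.client_access == "layer2" and not p.client_l2_adjacent:
        f.append(f"ERROR {p.name}: Layer 2 client access needs Layer 2 adjacency to the NAS; use Layer 3 mode")
    if p.client_access == "layer3" and p.client_l2_adjacent:
        f.append(f"WARN {p.name}: clients are Layer 2 adjacent; Layer 2 mode is the common LAN choice")

    # Physical placement.
    if p.physical == "central" and p.gateway_mode == "virtual":
        f.append(f"INFO {p.name}: central placement with Virtual Gateway needs client VLAN IDs mapped across the NAS")
    if p.physical == "edge" and p.access_closets > 1:
        f.append(f"WARN {p.name}: edge placement with {p.access_closets} access closets becomes complex; consider central placement")
    return f


def errors(p: NasPlan) -> List[str]:
    """Only the blocking findings."""
    return [x for x in validate_plan(p) if x.startswith("ERROR")]


if __name__ == "__main__":
    for line in validate_plan(NasPlan("nas1", "virtual", "out_of_band", "layer2", "central", switch_model="3750")):
        print(line)
```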
NAC Appliance Designs

This topic reviews some common NAC Appliance designs.

Figure: NAC Appliance Redundancy Design. Active and standby NAMs on VLAN 900. Two NAS failover bundles (active/standby) in the collapsed core/distribution: one maps VLAN 110, 120, 130 to VLAN 10, 20, 30, the other maps VLAN 140, 150, 160 to VLAN 40, 50, 60. Redundant distribution switches are joined by a Layer 2 trunk. Access switches carry VLAN 110 through VLAN 160.
Note: Redundancy is not shown in the following examples for diagram simplicity only!

As a recommended practice, NAC Appliance solutions are implemented with full redundancy. A failover bundle is either a pair of NAMs or a pair of NASes. The NAM failover bundle provides management redundancy. The NAS failover bundle provides redundant NAS operations for the protected devices.

In the figure, the network has two sets of NAS failover bundles. One NAS failover bundle supports devices on VLANs 110, 120, and 130. The other NAS failover bundle supports devices on VLANs 140, 150, and 160.

All components in the design are in an active/standby state. Each failover bundle shares a virtual MAC and virtual IP address. Because of the shared MAC address, Layer 2 connectivity is required between components. The redundant distribution switches are interconnected with a Layer 2 trunk.

Note: The VLANs do not span the access layer switches in this design. The Layer 2 trunk between the distribution switches is only needed to provide Layer 2 connectivity between the NAS failover bundles.

The NAMs connect to the redundant distribution switches and support all the NASes in the network.

Note: Redundancy is not shown in the rest of the figures in this lesson for simplicity only. Every design that follows can, should, and would have redundancy.
Layer 2 In-Band Designs

This section reviews some Layer 2 In-Band designs.

Figure: Layer 2 In-Band. Client traffic is always inline. NAS securely manages traffic. Design supports hubs, access points, and switches. NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110 (VLAN 110 mapped to VLAN 10); access switch on VLAN 110.

The Layer 2 In-Band topology is the most common deployment option. The NAS is logically inline with the client traffic, but is not physically inline. When Virtual Gateway mode is implemented, the VLAN IDs are mapped by the NAS. In the figure, VLAN 110 is mapped to VLAN 10 by the NAS.

All client traffic passes through the NAS. The NAS securely manages all traffic after posture assessment. The MAC address of the client is used to identify the device.

This is the most scalable design in large environments, as it can be transparently implemented in the existing network supporting multiple access layer switches. It will support all network infrastructure equipment.
Example: Layer 2 In-Band Virtual Gateway

Figure: Example: Layer 2 In-Band Virtual Gateway. Intranet/Network on VLAN 10; NAM on VLAN 91; NAS management on VLAN 10, 90; NAS client side on VLAN 110; distribution switch SVIs for each VLAN; DHCP server scope for VLAN 10; client IP and default gateway on the distribution switch.

The figure illustrates a Layer 2 In-Band Virtual Gateway design. The NAS maps traffic from VLAN 110 to VLAN 10. The Layer 3 distribution switch has switched virtual interfaces (SVIs) for the VLANs connecting to the NAM, NAS, and access switches. The distribution switch is the DHCP server and the default gateway for the access layer devices. The existing IP addressing in the network is not changed when the Virtual Gateway is implemented.
Example: Layer 2 In-Band Real-IP Gateway

Figure: Example: Layer 2 In-Band Real-IP Gateway. Intranet/Network on VLAN 10; NAM on VLAN 91; NAS management on VLAN 10, 90; NAS client side on VLAN 110 with its own SVIs; distribution switch SVIs; DHCP server scope for VLAN 110 on the NAS; client IP and default gateway on the NAS.

The figure illustrates a Layer 2 In-Band Real-IP Gateway design. The NAS is now the DHCP server and the default gateway for the access layer devices. The NAS has static routes to the other subnets in the organization. The Layer 3 distribution switch has switched virtual interfaces (SVIs) for the VLANs connecting to the NAM, NAS, and access switches. The existing IP addressing in the network changes when the Real-IP Gateway is implemented.
Layer 2 Out-of-Band Designs

This section reviews some Layer 2 Out-of-Band designs.

Figure: Layer 2 Out-of-Band. Client is inline before and during posture assessment. User VLAN is changed and NAS is bypassed only after a successful login. NAS securely manages traffic only during assessment. Design requires supported OOB switches. NAS uses SNMP for traps and switch configuration. NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110; access switch trunk carries VLAN 10, 110; access port in VLAN 110 (posture assessment) or VLAN 10 (network access).

The connections of the Layer 2 Out-of-Band design are similar to the Layer 2 In-Band design, except that the link from the access switch to the distribution switch is now a trunk supporting both the posture assessment VLAN and the network access VLAN. The client is inline with the NAS before and during posture assessment. The user VLAN is changed and the NAS is bypassed only after a successful login and assessment. The NAS securely manages traffic only during assessment.

Note: The NAM can support either dynamic VLAN assignment based on roles, or geographic VLAN assignment based on the VLANs on the switch. Only one MAC address is supported per switch port except for IP telephony devices.

This design requires the use of supported OOB switches such as the Cisco Catalyst Series 2950, 2960, 3500XL, 3550, 3560, 3750, 4500, and 6500 switches with the appropriate software image.

Note: Refer to the following link for a list of Cisco NAC Appliance supported switches and versions: m#wp65186

The NAM uses SNMP for traps and switch configuration.
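The out-of-band admission flow combines the process steps from the earlier "Process Flow with NAC Appliance" page with the VLAN handling described here: the port starts in the posture assessment VLAN behind the NAS, a failed login or noncompliant device lands in the quarantine role and goes round again after remediation, and only a successful login and assessment makes the NAM change the port VLAN so the NAS drops out of the path. The following is an added example, not Cisco code: it simulates that flow, models the SNMP sets as log strings, enforces the one-MAC-per-port rule with the IP phone exception, and supports both role-based (dynamic) and geographic VLAN assignment. Role names and the simplification that quarantined devices stay in the assessment VLAN are this example's assumptions.

```python
"""Simulation of the Layer 2 out-of-band admission flow (added example, not Cisco code).

Assumptions: SNMP sets are recorded as strings; quarantined devices remain in
the posture-assessment VLAN (simplification); role names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Outcome:
    state: str          # "access" or "quarantine"
    vlan: int           # VLAN the switch port ends up in
    nas_inline: bool    # True while client traffic still passes through the NAS


@dataclass
class OobSwitchPort:
    auth_vlan: int = 110                                   # posture-assessment VLAN (NAS maps it to VLAN 10)
    role_vlans: Dict[str, int] = field(default_factory=lambda: {"employee": 10})
    geographic_vlan: Optional[int] = None                  # if set, assigned regardless of role
    macs: Dict[str, bool] = field(default_factory=dict)    # MAC -> is an IP phone
    vlan: int = 110
    snmp_log: List[str] = field(default_factory=list)      # simulated SNMP sets from the NAM


@dataclass
class NacOobController:
    certified_devices: Set[str] = field(default_factory=set)
    quarantined: Dict[str, str] = field(default_factory=dict)   # MAC -> reason

    def link_up(self, port: OobSwitchPort, mac: str, ip_phone: bool = False) -> None:
        """Step 1: a device connects; the NAM puts the port in the assessment VLAN."""
        # OOB supports one MAC address per switch port, except for IP telephony devices.
        data_macs = [m for m, phone in port.macs.items() if not phone]
        if not ip_phone and data_macs and mac not in data_macs:
            raise ValueError(f"port already has data device {data_macs[0]}; one MAC per port in OOB")
        port.macs[mac] = ip_phone
        if not ip_phone:
            port.vlan = port.auth_vlan
            port.snmp_log.append(f"set access vlan {port.auth_vlan} (trap: {mac} linked)")

    def login(self, port: OobSwitchPort, mac: str, credentials_ok: bool,
              compliant: bool, role: str = "employee") -> Outcome:
        """Steps 2-3: validate the login and the device posture, then act on the result."""
        if mac not in port.macs:
            raise ValueError("device has not linked up on this port")
        if not credentials_ok or not compliant:
            # 3a: quarantine role; the port stays in the assessment VLAN and the NAS stays inline,
            # so the client can reach only remediation resources and then retries step 2.
            self.quarantined[mac] = "bad credentials" if not credentials_ok else "noncompliant"
            return Outcome("quarantine", port.auth_vlan, True)
        # 3b: certified device; the NAM changes the port VLAN, taking the NAS out of the path.
        self.quarantined.pop(mac, None)
        self.certified_devices.add(mac)
        vlan = port.geographic_vlan if port.geographic_vlan is not None else port.role_vlans[role]
        port.vlan = vlan
        port.snmp_log.append(f"set access vlan {vlan} (certified: {mac}, role {role})")
        return Outcome("access", vlan, False)


if __name__ == "__main__":
    ctrl, port = NacOobController(), OobSwitchPort(role_vlans={"employee": 10, "contractor": 20})
    ctrl.link_up(port, "00:11:22:33:44:55")            # constructed MAC
    print(ctrl.login(port, "00:11:22:33:44:55", credentials_ok=True, compliant=False))
    print(ctrl.login(port, "00:11:22:33:44:55", credentials_ok=True, compliant=True))
    print(port.snmp_log)
```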
Example: Layer 2 Out-of-Band Virtual Gateway

Figure: Example: Layer 2 Out-of-Band Virtual Gateway. Intranet/Network on VLAN 10; NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110; access switch trunk VLAN 10, 110; access port in VLAN 10 or VLAN 110; distribution switch SVIs; DHCP server scope for VLAN 10; client IP and default gateway on the distribution switch.

The figure shows example addressing with a Layer 2 Out-of-Band Virtual Gateway design. The NAS maps traffic from VLAN 110 to VLAN 10 during the posture assessment. The Layer 3 distribution switch has switched virtual interfaces (SVIs) for the VLANs connecting to the NAM, NAS, and access switches. The distribution switch is the DHCP server and the default gateway for the access layer devices. The existing IP addressing in the network is not changed when the Virtual Gateway is implemented.
Layer 3 In-Band Designs

This section reviews some Layer 3 In-Band designs.

Figure: Layer 3 In-Band. Client traffic is always inline. NAS securely manages traffic. Design used when the MAC address is no longer unique. NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110; remote router behind VLAN 110 and VLAN 700.

With the Layer 3 In-Band topology, the client device is not Layer 2 adjacent to the NAS. The IP address of the client is used to identify the device, since the MAC address presented to the NAS is not the client's. This design is used to securely manage traffic from remote sites or from VPN concentrators.
Example: Layer 3 In-Band with Virtual Gateway

Figure: Example: Layer 3 In-Band with Virtual Gateway. Intranet/Network on VLAN 10; NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110; distribution switch SVIs; a pair of remote routers (LAN IP, WAN IP, default gateway) reached over VLAN 110 and VLAN 700; client IP and default gateway at the remote site.

The figure illustrates a Layer 3 In-Band Virtual Gateway design. The NAS maps traffic from VLAN 110 to VLAN 10. The Layer 3 distribution switch has switched virtual interfaces (SVIs) for the VLANs connecting to the NAM, NAS, and access switches. The distribution switch is the default gateway for the access layer devices. The DHCP server is typically a remote router. All traffic from the remote site goes through the NAS.

This design also supports VPN concentrators. Instead of the remote router pair, the VPN concentrator connects to the distribution switch. Traffic from the VPN concentrator is forwarded through the NAS for posture assessment and management.
Example: Layer 3 In-Band with Multiple Remotes

Figure: Example: Layer 3 In-Band with Multiple Remotes. Intranet/Network on VLAN 10; NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110; distribution switch SVIs; a campus router with WAN links to several remote edge routers (LAN IP, WAN IP, default gateway); client IP and default gateway at each remote site.

The figure illustrates a Layer 3 In-Band Virtual Gateway design with multiple remote sites. The NAS maps traffic from VLAN 110 to VLAN 10. Traffic to centralized hosts and the Internet goes through the NAS.

Note: Unless additional configuration steps are taken, traffic between clients at remote sites does not go through the NAS, since the campus router allows routing between the edge routers.

In order to securely manage traffic between the remote sites, you can implement networking technologies such as policy-based routing or virtual routing and forwarding instances to isolate the remote sites. Implementing a NAS at the remote sites will also secure the traffic.
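The note above is easy to miss in a design review, because the NAS is "inline" for everything that reaches the campus core yet sees none of the remote-to-remote traffic. The following is an added example, not Cisco code, that makes the gap visible: it traces a packet hop by hop through constructed static routing tables for two remote edge routers, the campus router, the NAS, and the distribution switch, then repeats the trace with a policy-based routing rule on the campus router that sends anything arriving from a remote edge router to the NAS first. The topology, prefixes, and the representation of the NAS as a single hop are all assumptions of this example.

```python
"""Hop-by-hop trace showing which flows pass through the NAS (added example, not Cisco code).

The topology, prefixes and routing tables below are constructed. The NAS is
modelled as one hop between the campus WAN router and the distribution switch.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed topology: R1 and R2 are remote edge routers, CAMPUS is the campus
# WAN router, DIST is the distribution switch fronting central hosts.
ROUTES: Dict[str, Dict[str, str]] = {
    "R1":     {"10.1.0.0/24": "local", "0.0.0.0/0": "CAMPUS"},
    "R2":     {"10.2.0.0/24": "local", "0.0.0.0/0": "CAMPUS"},
    "CAMPUS": {"10.1.0.0/24": "R1", "10.2.0.0/24": "R2", "0.0.0.0/0": "NAS"},
    "NAS":    {"10.1.0.0/24": "CAMPUS", "10.2.0.0/24": "CAMPUS", "0.0.0.0/0": "DIST"},
    "DIST":   {"10.10.0.0/24": "local", "0.0.0.0/0": "NAS"},
}

# Policy-based routing on the campus router: packets arriving from a remote edge
# router are handed to the NAS first, so remote-to-remote traffic is assessed too.
REMOTE_PBR = {"CAMPUS": {"ingress_from": {"R1", "R2"}, "next_hop": "NAS"}}


def next_hop(node: str, dst: str) -> str:
    """Longest-prefix match in the node's static table."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, nh in ROUTES[node].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = nh, net.prefixlen
    if best is None:
        raise LookupError(f"{node} has no route to {dst}")
    return best


def trace(src: str, dst: str, pbr: Optional[Dict[str, Dict]] = None,
          max_hops: int = 16) -> List[str]:
    """Walk from router `src` to the router that owns `dst`.

    `pbr` maps a router to {"ingress_from": set of neighbours, "next_hop": node};
    packets that arrived from one of those neighbours are policy-routed instead
    of following the routing table.
    """
    pbr = pbr or {}
    path, prev, node = [src], None, src
    for _ in range(max_hops):
        rule = pbr.get(node)
        nh = rule["next_hop"] if rule and prev in rule["ingress_from"] else next_hop(node, dst)
        if nh == "local":
            return path
        path.append(nh)
        prev, node = node, nh
    raise RuntimeError(f"no convergence after {max_hops} hops: {path}")


def passes_nas(path: List[str]) -> bool:
    """True when the NAS is on the forwarding path."""
    return "NAS" in path


if __name__ == "__main__":
    for dst in ("10.10.0.5", "10.2.0.7"):
        print(dst, trace("R1", dst), "| with PBR:", trace("R1", dst, pbr=REMOTE_PBR))
```

With the PBR rule the remote-to-remote path hairpins through the NAS and back to the campus router (`R1, CAMPUS, NAS, CAMPUS, R2`); the rule matches only on packets arriving from the remote links, which is what keeps the return leg from being policy-routed into a loop.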
Layer 3 Out-of-Band Designs

This section reviews some Layer 3 Out-of-Band designs.

Figure: Layer 3 Out-of-Band. Client is inline before and during posture assessment. User VLAN is changed and NAS is bypassed only after a successful login and assessment. NAM uses SNMP for traps and switch configuration. Design requires supported OOB switches. NAM on VLAN 91; NAS on VLAN 10, 90 and VLAN 110; remote switch trunk VLAN 70, 80; access port in VLAN 70 or VLAN 80.

Layer 3 support for out-of-band deployments enables administrators to deploy the NAS out-of-band centrally in the core or distribution layer to support users behind Layer 3 access switches and, in some instances, remote users behind WAN routers. With Layer 3 OOB, users more than one Layer 3 hop away from the NAS are supported for authentication and posture assessment. After authentication and posture assessment, the client traffic no longer passes through the NAS.

With the Layer 3 Out-of-Band topology, the IP address (and, starting with NAA v. 4 in Layer 3 OOB applications, the MAC address) of the client is used to identify the device, since the MAC address provided to the NAS (prior to the NAA v. 4 client) is not the client's.

This design requires the use of supported OOB switches such as the Cisco Catalyst Series 2950, 2960, 3500XL, 3550, 3560, 3750, 4500, and 6500 switches with the appropriate software image. The NAM uses SNMP for traps and switch configuration.

Note: Refer to the list of Cisco NAC Appliance supported switches and versions at m#wp
Example: Layer 3 Out-of-Band with Addressing

Figure: Example: Layer 3 Out-of-Band with Addressing. Intranet/Network on VLAN 10; NAM on VLAN 90; NAS on VLAN 10, 90 and VLAN 110; distribution switch SVIs; remote site edge router with LAN IP, WAN IP, Internet IP, default gateway, and IPs on VLAN 70 and VLAN 80; remote switch trunk VLAN 70, 80 with access ports in VLAN 70 or VLAN 80; client IP and default gateway per VLAN.

The figure shows example addressing with a Layer 3 Out-of-Band Virtual Gateway design supporting remote users. The NAS maps traffic from VLAN 110 to VLAN 10 during the posture assessment. The Layer 3 distribution switch has switched virtual interfaces (SVIs) for the VLANs connecting to the NAM, NAS, and access switches. The remote site edge router is the DHCP server and the default gateway for the client devices. The remote site edge router uses a trunk to the remote access switch to support either the production VLAN or the posture assessment VLAN.
NAC Framework Overview

NAC Framework is an architecture-based framework solution designed to take advantage of an existing base of both Cisco network technologies and existing deployments of security and management solutions from other manufacturers.

Figure: NAC Framework Architecture. Subject (managed or unmanaged host) connects over LAN, WAN, or remote access to an enforcement device. Decision and remediation: ACS, directory server, patch server, reporting server, posture validation server(s), audit server.

Cisco NAC Framework assesses the state, or posture, of a host to prevent unauthorized or vulnerable endpoints from accessing the network. The Cisco NAC posture validation process has three major architectural components:
- Subjects. Managed or unmanaged hosts that are accessing the network on which NAC is enforced. Typical hosts are desktop computers, laptops, and servers, but may also include IP phones, network printers, and other network-attached devices. The subjects use posture agent software to communicate with NAC devices. The Cisco Trust Agent is Cisco's implementation of the posture agent.
- Enforcement devices. Network devices acting as a NAC enforcement point. These may include Cisco access routers, VPN gateways, Cisco Catalyst Layer 2 and Layer 3 switches, and wireless access points.
- Decision and remediation devices. Many network devices that support the NAC architecture:
  - AAA Server (Authentication, Authorization, and Accounting Server): The central policy server that aggregates one or more authentications and/or authorizations into a single system authorization decision and maps this decision to a network access profile for enforcement by the NAD. Cisco Secure Access Control Server (ACS) is Cisco's AAA server product that supports NAC.
  - Directory Server: A centralized directory server for performing user and/or machine authentication. Possible directory services include Lightweight Directory Access Protocol (LDAP), Microsoft Active Directory (AD), Novell Directory Services (NDS), and one-time token password servers (OTP).
  - Posture Validation Server (PVS): A posture validation server from one or more third parties acts as an application-specific policy decision point in NAC for authorizing a set of posture credentials from one or more posture plug-ins against a set of policy rules. Examples include antivirus servers or security application servers.
  - Remediation Server: A management solution used to bring noncompliant hosts into compliance. This could be a specialized patch management application or as simple as a web site for distributing software. The better and more efficient your host patching and remediation is, the less risk
  - Audit Server: A server or software that performs vulnerability assessment (VA) against a host to determine the level of compliance or risk of the host prior to network admission.
Router Platform Support for NAC Framework

This section discusses NAC Framework support on Cisco router platforms.

Figure: Router Platform Support
- NAC Layer 3 IP shipped June 2004 in IOS 12.3(8)T; T-train images with security, the same image that includes firewall, NIPS, and crypto
- NAC Agentless Host (audit) supported in Cisco IOS 12.4(6)T
- Network module switches: 16, 24, 48 port NM; 2800, 3700, 3800 router platforms

NAC Layer 2 802.1X and NAC Layer 2 IP support by platform:
  Cisco 18xx, 28xx, 38xx                                Yes
  Cisco 72xx, 75xx                                      Yes
  Cisco 37xx                                            Yes
  Cisco 3640, 3660-ENT Series                           Yes
  Cisco 2600XM, 2691                                    Yes
  Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, 1760      Yes
  Cisco 83x                                             Yes
  Cisco 74xx, 73xx, 71xx (S-train)                      TBD
  Cisco 5xxx                                            TBD
  Cisco 4500                                            No
  Cisco 3660-CO Series                                  No
  Cisco 3620                                            No
  Cisco 2600 Non-XM Models                              No
  Cisco 1750, 1720, 1710                                No

Routers that support the NAC-L3-IP method (EAP over UDP) are considered NAC Release 1.0 devices. NAC-L3-IP was first introduced as part of the initial release of NAC in the summer of 2004. NAC-L3-IP is a posture-only credential check that supports authorization capabilities, URL redirect, and downloadable ACLs. NAC-L3-IP is triggered by a Layer 3 packet entering a router interface with an IP admission ACL configured. NAC-L3-IP is mainly positioned for aggregation deployments (WAN, VPN, WLAN, etc.). The current deployment options preclude the use of NAC-L3-IP in the distribution layer of a campus infrastructure, since the Catalyst Layer 3 switches do not currently support NAC-L3-IP.

NAC agentless hosts (NAH) are a mechanism in NAC to allow network access to hosts that do not or cannot perform NAC or other compliance authorizations. Network-attached devices that fall into this category often include printers, scanners, photocopiers, cameras, sensors, badge readers, and specialized equipment. NAH devices may also include computers with unsupported OSes, hardened OSes, embedded OSes, or personal firewalls. Static exceptions can be configured to allow hosts to bypass the posture validation process based on a specified MAC or IP address. Static exceptions can be configured in ACS to allow any specified hosts to bypass the posture validation process based on MAC address. Both individual and wildcard addresses can be specified. NAC Agentless Host is supported in Cisco IOS 12.4(6)T.

Devices that support either the NAC-L2-IP method, which uses Extensible Authentication Protocol over User Datagram Protocol (EAP over UDP), or the NAC-L2-802.1X (EAP over IEEE 802.1X) method are NAC Release 2.0 devices. NAC-L2-IP is triggered by ARP or, optionally, DHCP traffic on a switch interface. NAC-L2-IP is also a posture-only credential check that supports authorization capabilities, URL redirect, and downloadable ACLs. NAC-L2-IP sessions are active for as long as the host responds to periodic status query messages implemented using ARP probes, or until they are terminated. The access control lists that set the default policy for the switch port on the NAC-L2-IP switches are implemented in hardware.

One of the main benefits of NAC-L2-IP is that it was designed to support multiple hosts per port. The network administrator needs to be aware that, unlike NAC-L3-IP, there are a limited number of hosts per port that can be supported in NAC-L2-IP.

Some network module switches for the Cisco Integrated Services Router platforms support NAC-L2-IP or NAC-L2-802.1X.

Note: Refer to the following URL for a list of supported routers: tm#wp
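Two decision points described in the NAC Framework pages above deserve a concrete model: the AAA server collapses the posture results from several posture plug-ins into a single system authorization decision and maps it to a network access profile (URL redirect, downloadable ACL), and the ACS static exception list lets agentless hosts bypass posture validation by individual or wildcard MAC address. The following is an added example, not Cisco or ACS code: the token names and ordering, the profile contents, and the MAC wildcard syntax (`*` and `?` on the hex digits after separators are stripped) are this example's assumptions, not ACS's formats.

```python
"""Posture aggregation and ACS-style static exceptions (added example, not Cisco code).

Assumptions: the posture token names and their best-to-worst order, the
access profile contents, and the MAC wildcard syntax are this example's own.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable

# Assumed best-to-worst order; the system token is the worst application token seen.
POSTURE_TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]

# Assumed network access profiles: downloadable ACL name plus optional URL redirect.
ACCESS_PROFILES: Dict[str, Dict[str, str]] = {
    "Healthy":    {"dacl": "permit-all", "url_redirect": ""},
    "Checkup":    {"dacl": "permit-all", "url_redirect": "http://remediation.example/checkup"},
    "Transition": {"dacl": "permit-remediation-only", "url_redirect": ""},
    "Quarantine": {"dacl": "permit-remediation-only", "url_redirect": "http://remediation.example/fix"},
    "Infected":   {"dacl": "deny-all", "url_redirect": ""},
    "Unknown":    {"dacl": "deny-all", "url_redirect": ""},
    "Agentless":  {"dacl": "permit-agentless", "url_redirect": ""},   # static exception hit
    "Rejected":   {"dacl": "deny-all", "url_redirect": ""},           # authentication failed
}


def mac_key(mac: str) -> str:
    """Normalize 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 00:1a:... to 001a2b3c4d5e.
    Wildcards (* and ?) pass through, so patterns normalize the same way."""
    return mac.lower().replace("-", "").replace(":", "").replace(".", "")


def is_static_exception(mac: str, exceptions: Iterable[str]) -> bool:
    """ACS static exceptions: individual MACs or wildcard patterns bypass posture validation."""
    key = mac_key(mac)
    return any(fnmatchcase(key, mac_key(pattern)) for pattern in exceptions)


def system_posture(app_tokens: Iterable[str]) -> str:
    """Aggregate the application posture tokens from every plug-in into one system token."""
    tokens = list(app_tokens)
    if not tokens:
        return "Unknown"          # no posture credentials at all
    for t in tokens:
        if t not in POSTURE_TOKENS:
            raise ValueError(f"unknown posture token {t!r}")
    return max(tokens, key=POSTURE_TOKENS.index)


def authorize(mac: str, authenticated: bool, app_tokens: Iterable[str],
              exceptions: Iterable[str] = ()) -> Dict[str, str]:
    """Single authorization decision, mapped to the profile the NAD will enforce."""
    if is_static_exception(mac, exceptions):
        return {"decision": "Agentless", **ACCESS_PROFILES["Agentless"]}
    if not authenticated:
        return {"decision": "Rejected", **ACCESS_PROFILES["Rejected"]}
    token = system_posture(app_tokens)
    return {"decision": token, **ACCESS_PROFILES[token]}


if __name__ == "__main__":
    # Constructed inputs: a printer matched by a wildcard exception, and a laptop
    # whose antivirus plug-in reports Quarantine while the OS plug-in is Healthy.
    print(authorize("00-1A-2B-3C-4D-5E", False, [], exceptions=["001a.2b3c.*"]))
    print(authorize("00:11:22:33:44:55", True, ["Healthy", "Quarantine"]))
```

Taking the worst token is the conservative choice: one noncompliant application is enough to move the host to the quarantine profile, which is the behaviour a policy server needs if a single outdated agent is not to be masked by several healthy ones.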
Switch Platform Support for NAC Framework

This section discusses NAC Framework support on Cisco Catalyst switch platforms.

Figure: Switch Platform Support

Platform | Supervisor | OS | NAC Layer 2 802.1x | NAC Layer 2 IP | NAC Layer 3 IP | NAC Agentless Host
6500 | Sup32, 720 | Native Cisco IOS | Future | Yes | Future | NAC Layer 2 IP
6500 | Sup2 | Native Cisco IOS | No | No | No | No
6500 | Sup2, 32, 720 | Hybrid | Yes | Yes | No | NAC Layer 2 IP
6500 | Sup2, 32, 720 | CATOS | Yes | Yes | No | NAC Layer 2 IP
4500 Series | SupII+, II+TS, II+10GE, IV, V, V-10GE | Cisco IOS | Yes | Yes | Future | NAC Layer 2 IP
4900 | | Cisco IOS | Yes | Yes | Future | NAC Layer 2 IP
3550, 3560, 3750 | | Cisco IOS | Yes | Yes | No | NAC Layer 2 IP
2950, 2940, 2955, 2960, 2970 | | Cisco IOS | Yes | No | No | No
6500 | Sup1A | All | No | No | No | No
5000 | | All | No | No | No | No
4000 | Sup I, II, III (Cisco IOS) | CATOS | No | No | No | No

The table shows NAC Framework support in Cisco Catalyst switches. NAC performs posture validation at the Layer 2 network edge for hosts with or without 802.1x enabled. Vulnerable and noncompliant hosts can be isolated, given reduced network access, or directed to remediation servers based on organizational policy. By ensuring that every host complies with security policy, organizations can significantly reduce the damage caused by infected hosts.

Note: Refer to the following URL for a list of supported switches: tm#wp
134 Cisco Client Security Software This section reviews three client security software applications from Cisco. Cisco Client Software Cisco NAC Appliance Agent: Optional client-side component of the Cisco Clean Access system Provides device-based registry scans Cisco Security Agent: Provides threat protection for server and desktop computing systems Integrates with NAC Framework and Cisco Security MARS Cisco Secure Services Client: Client software that provides a single authentication framework for multiple device types on the basis of the IEEE 802.1X standard Provides an end-to-end authentication service when combined with the Cisco Secure Access Control Server (ACS) Cisco Trust Agent: Is a core component of the NAC Framework Allows NAC to determine if security or management software is installed and current. ARCH v Cisco has four client security software applications that support network security: Cisco NAC Appliance Agent (NAA). Is an optional client-side component of the Cisco NAC Appliance system. It is a read-only client that delivers device-based registry scans on unmanaged environments. The agent enhances posture assessment functions and streamlines remediation. It is a free download provisioned over the Internet. Many customers that use the Cisco NAC Appliance Agent often it a required download before network access is granted. It only works with NAS. Cisco Security Agent. Is security software provides threat protection for server and desktop computing systems. The Cisco Security Agent goes identifies and prevents malicious behavior before it can occur, thereby removing potential known and unknown security risks that threaten enterprise networks and applications. It also provides the capability at the endpoint to apply QoS markings to application network traffic as specified by Cisco Security Agent policy rules. 
These markings can be used by Cisco IOS devices upstream in the enterprise network to classify the packets and apply QoS service policies such as policing and queuing. Cisco Security Agent integrates with NAC Framework and Cisco Security Monitoring, Analysis, and Response System (MARS) to support threat identification and investigation across the network Designing Cisco Network Service Architectures (ARCH) v Cisco Systems, Inc.
135 Cisco Secure Services Client (SSC). Is client software that supports the deployment of a single authentication framework on multiple device types, for access to both wired and wireless networks. As a component of the Cisco Unified Wireless Network, the Secure Services Client: Provides a single authentication framework for multiple device types on the basis of the IEEE 802.1X standard Supports leading security standards such as Wi-Fi Protected Access (WPA), WPA2, and Extensible Authentication Protocol (EAP) Supports Windows 2000 and Windows XP Provides an end-to-end authentication service when combined with the Cisco Secure Access Control Server Fully integrates with the Cisco Unified Wireless Network access points and wireless LAN controllers Supports third-party credential databases Protects network endpoint devices Enforces security policies Cisco Trust Agent. Is client software that must be installed on hosts whose host policy state requires validation prior to permitting network access under the NAC Framework. A core component of the NAC Framework, Cisco Trust Agent allows NAC to determine if Cisco Security Agent, antivirus software, or other required third-party security or management software is installed and current. It also provides information about the OS version and patch level. As a component of the NAC Framework, the Cisco Trust Agent: Acts as a middleware component that takes host policy information and securely communicates the information to the authentication, authorization, and accounting (AAA) policy server. Interacts directly with "NAC-enabled" applications running on the host without user intervention. Can communicate at Layer 3 or Layer 2 using built-in communication components. Includes an 802.1x supplicant for Layer 2 communications in wired environments. Authenticates the requestor through encrypted communications with the AAA server. Allows customers to build scripts for custom information gathering. 
- Integrates with Cisco Security Agent and can be distributed by NAC participants with their applications for simplified management and distribution.
Summary
This topic summarizes the key points discussed in this lesson.
- IBNS and NAC are two complementary methods to provide network security with access control.
- The NAC Appliance is an admission control and compliance enforcement solution comprising NAM, NAS, NAA, and Clean Access policy updates.
- A NAS can be configured based on gateway type, operating mode, client access mode, and physical deployment mode.
- NAC Appliance designs can redundantly implement the NAS as a Layer 2 or Layer 3 network device supporting in-band or out-of-band traffic flow.
- The NAC Framework architecture leverages both Cisco network technologies and other security and management solutions.
- Cisco client security software includes the NAC Appliance Agent, Cisco Security Agent, Cisco Trust Agent, and Cisco Secure Services Client.
Lesson 3
Intrusion Detection and Prevention Designs

Overview
Cisco intrusion detection and prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect networks. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and the endpoint. This module gives an overview of intrusion detection systems (IDS) and intrusion prevention systems (IPS) used in enterprise networks.

Lesson Objectives
Upon completing this module, you will be able to discuss and design IDS/IPS services for enterprise networks. This ability includes being able to meet these objectives:
- Provide an overview of IDS/IPS solutions
- Discuss IDS/IPS deployments
- Discuss IDS/IPS monitoring and management
IDS/IPS Overview
This section provides an overview of intrusion detection and intrusion prevention systems.

[Figure: IDS/IPS Comparison. Intrusion Detection System: an IP-addressed network link to the management console and a promiscuous interface (no IP address) that receives a data capture. Intrusion Prevention System: an IP-addressed network link to the management console, with the data flow passing through a transparent interface (no MAC or IP addresses).]

IPS and IDS systems can be a hardware appliance or part of the Cisco IOS software. Cisco IPS software is usually capable of both inline (IPS feature) and promiscuous (IDS feature) monitoring, while Cisco IDS software is only capable of promiscuous (IDS feature) monitoring.

Intrusion Detection Systems
Intrusion detection systems (IDS) passively listen to network traffic. The IDS is not in the traffic path, but listens promiscuously to copies of all traffic on the network. Typically only one promiscuous interface is required for network monitoring on an IDS. Further promiscuous interfaces can be used to monitor multiple networks. When an IDS detects malicious traffic, it sends an alert to the management station. An IDS may also have the capability of sending a TCP reset to the end host to terminate any malicious TCP connections.

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow of the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks).
The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack.
Intrusion Prevention Systems
Intrusion prevention systems (IPS) are active devices in the traffic path, listening inline to network traffic and permitting or denying flows and packets into the network. The inline interfaces have no MAC or IP address and cannot be detected directly. All traffic passes through the IPS for inspection. Traffic arrives on one IPS interface and exits on another. When an IPS detects malicious traffic, it sends an alert to the management station and can block the malicious traffic immediately. The original and subsequent malicious traffic are blocked as the IPS proactively prevents attacks, protecting against network viruses, worms, malicious applications, and vulnerability exploits.

An IPS resembles a Layer 2 bridge or repeater. By default an IPS passes all packets unless specifically denied by a policy. Operating in inline interface pair mode puts the IPS directly into the traffic flow and affects packet-forwarding rates by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on Layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop or block attacks that would normally pass through a traditional firewall device.
IDS/IPS Components
There are two main components in an IDS/IPS solution.

[Figure: IDS/IPS Components. Sensors: can be host-based or network-based, and include three common types: signature-based, anomaly-based, and policy-based. Security management and monitoring infrastructure: performs configuration and deployment services, and performs alert collection, aggregation, and correlation.]

There are two major components in an IDS/IPS solution:
- Sensors. Can be either host-based, such as the Cisco Security Agent, or network-based, such as an IPS appliance. The network-based sensors use specialized software and hardware to collect and analyze network traffic. The network-based sensors can be appliances, or modules in a router, a switch, or a security appliance. There are three common types of IDS/IPS technologies:
  - Signature-based IDS/IPS look for specific predefined patterns or signatures in network traffic. Traffic patterns are compared to a database of known attacks, and an alarm is triggered or the traffic is dropped if a match is found.
  - Anomaly-based IDS/IPS check for defects or anomalies in packets or packet sequences and verify whether there is any anomalous traffic behavior.
  - Policy-based IDS/IPS are configured based on the network security policy and detect traffic that does not match the policy.
- Security management and monitoring infrastructure. Configures the sensors and serves as the collection point for alarms for security management and monitoring. The management and monitoring applications perform alert collection, aggregation, and correlation. Cisco Security Manager is used to centrally provision device configurations and security policies for Cisco firewalls, virtual private networks (VPNs), and IPS. Cisco Security Monitoring, Analysis and Response System (MARS) provides security monitoring for network security devices and host applications. Cisco Intrusion Prevention System Device Manager (IDM) is a web-based Java application that allows configuration and management of IPS sensors.
  IDS Event Viewer is a Java-based application that enables network managers to view and manage alarms for up to five sensors.
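As an added example (not part of the course material and not Cisco code), the following Python sketch applies the three detection types just listed to constructed flow records and contrasts the promiscuous (alert only) and inline (alert and drop) responses described in the overview. The signatures, the permitted-service policy, the anomaly baseline and the sample traffic are all constructed for illustration.

```python
"""Toy sensor applying signature-, policy- and anomaly-based detection to
constructed flow records, in IDS (promiscuous) or IPS (inline) mode.

Added example for this lesson, not Cisco IDS/IPS code.  Every signature,
policy entry and flow below is constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str            # destination host label (constructed)
    dport: int
    payload: bytes = b""


# Signature-based: predefined byte patterns compared against each payload.
SIGNATURES = {
    "SIG-1 unix shell reference in payload": b"/bin/sh",
    "SIG-2 windows shell reference in payload": b"cmd.exe",
}

# Policy-based: the security policy lists the only permitted services.
ALLOWED_SERVICES = {("dmz-web", 80), ("dmz-web", 443), ("dmz-mail", 25)}


def signature_matches(flow: Flow) -> list[str]:
    """Names of all signatures whose pattern appears in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in flow.payload]


def policy_violation(flow: Flow) -> bool:
    """True when the flow targets a service the policy does not permit."""
    return (flow.dst, flow.dport) not in ALLOWED_SERVICES


class AnomalyDetector:
    """Anomaly-based check: a source contacting more distinct services than
    the learned baseline allows is flagged as anomalous behaviour."""

    def __init__(self, max_services: int) -> None:
        self.max_services = max_services
        self.services_seen = defaultdict(set)

    def observe(self, flow: Flow) -> bool:
        self.services_seen[flow.src].add((flow.dst, flow.dport))
        return len(self.services_seen[flow.src]) > self.max_services


class Sensor:
    """mode="promiscuous": IDS behaviour, a copy is inspected and only an
    alert is raised.  mode="inline": IPS behaviour, the packet itself is
    inspected and dropped when any detector fires."""

    def __init__(self, mode: str, max_services: int = 5) -> None:
        if mode not in ("promiscuous", "inline"):
            raise ValueError("mode must be 'promiscuous' or 'inline'")
        self.mode = mode
        self.anomaly = AnomalyDetector(max_services)

    def inspect(self, flow: Flow) -> tuple[list[str], str]:
        """Return (alerts, verdict); verdict is 'forwarded' or 'dropped'."""
        alerts = signature_matches(flow)
        if policy_violation(flow):
            alerts.append(f"POLICY {flow.dst}:{flow.dport} not permitted")
        if self.anomaly.observe(flow):
            alerts.append(f"ANOMALY {flow.src} contacted too many services")
        if alerts and self.mode == "inline":
            return alerts, "dropped"
        return alerts, "forwarded"


# Constructed traffic: a clean request, a payload matching SIG-1, a policy
# violation, and one source sweeping six services on the web host.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "dmz-web", 80, b"GET / HTTP/1.1"),
    Flow("10.1.1.5", "dmz-web", 80, b"GET /cgi?x=/bin/sh HTTP/1.1"),
    Flow("10.1.1.7", "dmz-mail", 23),
] + [Flow("192.0.2.9", "dmz-web", port) for port in (80, 443, 21, 22, 23, 25)]


def run(mode: str) -> dict[str, int]:
    """Count verdicts and alerts over the sample traffic for one sensor mode."""
    sensor = Sensor(mode)
    counts = {"forwarded": 0, "dropped": 0, "alerts": 0}
    for flow in SAMPLE_FLOWS:
        alerts, verdict = sensor.inspect(flow)
        counts[verdict] += 1
        counts["alerts"] += len(alerts)
    return counts


if __name__ == "__main__":
    print("IDS (promiscuous):", run("promiscuous"))
    print("IPS (inline):     ", run("inline"))
```

Both modes raise the same seven alerts; only the inline sensor turns six of them into dropped packets, which is the distinction the lesson draws between detection and prevention.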
Host-Based Intrusion Prevention Systems
This section reviews host-based intrusion prevention systems (HIPS).

[Figure: Typical HIPS Components. Management servers with an admin GUI and an optional external database; updates are downloaded to the management servers, which exchange alerts and polls with the agents.]

HIPS deployments include two components:
- Endpoint agents. Enforce the security policy received from the management server. Endpoint agents send event information to the management server and interact with the user if necessary. The goal of an endpoint agent is to provide threat protection for the end system. Cisco Security Agent is Cisco's endpoint agent providing threat protection for server and desktop computing systems. Cisco Security Agent consists of host-based agents that report to the Cisco Management Center for Cisco Security Agents. The Cisco Security Agent software resides between the applications and the kernel on a PC, enabling maximum application visibility with minimal impact on the stability and performance of the underlying operating system.
- Management server. Deploys security policies to endpoints. The management server is responsible for configuring and maintaining the environment. The server receives and stores event information and sends alerts to administrators. The management server may deploy software such as endpoint agent software updates. The interface to a HIPS management server is typically a GUI console that allows policy configuration and event viewing. For highly scalable environments it is possible to have a dedicated database where the configuration and event information is stored. The Management Center for Cisco Security Agents provides all management functions for Cisco Security Agent deployments.

Note: The majority of this lesson focuses on network-based IDS/IPS.
IPS/IDS Design Considerations
This topic explains design considerations for effectively using intrusion detection and prevention in the network.

[Figure: IDS/IPS Design Considerations. Selecting IDS/IPS: inline or promiscuous. Placement: outside the firewall, inside the firewall, at critical servers. Traffic impact: failure of the device, latency and performance. The diagram shows an IDS and an IPS between the Internet and the corporate network.]

The underlying security policy should be the same for an IDS or an IPS deployment. An IPS solution must be deployed inline with the network in order to deny traffic, while an IDS sensor is connected in promiscuous mode, where packets do not flow through the sensor. The IDS sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. If your security policy does not support denying traffic, then use an IDS deployment.

IDS/IPS sensors are placed in the network where they can effectively support the underlying security policy. Deployment decisions are often based on where you need to detect or stop an intrusion as soon as possible. Typical locations include the perimeter of the network outside a firewall, where the network is most exposed; internal to the network inside the firewall, at boundaries between zones of trust; and at critical servers, where an incident would be most costly.

Traffic impact considerations are greater for inline IPS sensors than for IDS deployments. A failure of the IDS means traffic monitoring has stopped. A failure of the IPS can disrupt network traffic flow unless bypass methods are implemented. An IPS deployment also impacts inline traffic. The latency through the IPS sensor should generally be under a millisecond and as low as possible. The IPS sensors have bandwidth limitations on the amount of traffic that can be supported through the device.
Exceeding the performance of a sensor will result in dropped packets and a general degradation of network performance.
IDS/IPS Deployments
This topic discusses IDS/IPS deployment recommendations.

[Figure: Candidate Areas for IDS/IPS Deployment. Management network, data center, remote/branch office connectivity, corporate network, Internet, remote access systems, extranet connections, business partner access, and DMZ connections.]

IDS/IPS sensors can be deployed based on the priority of targets. Internet and extranet connections are typically secured first due to their exposure. An IDS outside the firewall can detect all attacks and generates a lot of alarms, but is useful for analyzing what kind of traffic is reaching the organization and how an attack is executed. An IDS inside the firewall can detect firewall misconfigurations by showing what kind of traffic passes through the firewall. An IPS can provide more focused application protection and firewall augmentation for extranet and DMZ resources.

Management networks and data centers are often next in priority. A layered approach for maximum protection is appropriate for the high-security areas. There might be one system installed after the firewall and a second system at the entry point to the high-security area such as the data center. Host-specific IDS can detect attacks against a specific server. An IPS can be used to block application-specific traffic which should not reach the server.

IPS deployments at remote and branch offices can both protect the branch from corporate incidents and protect the corporate resources from security incidents arising from branch practices. Remote access systems need protection as well.
IPS Appliance Deployment Options
This section looks at deployment options for IPS appliances.

[Figure: IPS Appliance Deployment Options. A sensor between two Layer 2 devices (no trunk); between two Layer 3 devices; between two VLANs (VLAN x and VLAN y) on the same switch; and between two Layer 2 devices connected by an 802.1Q trunk.]

When placing an IPS sensor in an enterprise network there are multiple options available depending on the infrastructure and the desired results:
- Two Layer 2 devices (no trunk). Sensor placement between two Layer 2 devices without trunking is a typical campus design. In this deployment the IPS appliance is placed between two switches. The IPS can be between the same VLAN on two different switches or between different VLANs with the same subnet on two different switches. Scenarios include placement between different security zones in a campus environment or between critical devices in a data center.
- Two Layer 3 devices. Sensor placement between Layer 3 devices is common in Internet, campus, and server farm designs. The two Layer 3 devices are in the same subnet. One advantage in these scenarios is the ease of configuration, since the integration can take place without touching any other device.
- Two VLANs on the same switch. This design allows a sensor to bridge VLANs together on the same switch. The sensor brings packets in on one VLAN and out a different VLAN for traffic in the same subnet.
- Two Layer 2 devices (trunked). Sensor placement on a trunk port between switches is a common scenario providing protection of several VLANs from a single location.

Note: IPS module deployments follow the same general guidelines as IPS appliances.
Feature: Inline VLAN Pairing

[Figure: Inline VLAN Pairing. A trunk port allowing VLANs X and Y; the IPS bridges the VLANs together on the same physical interface. Multiple VLAN pairs per physical interface are supported.]

The IPS can associate VLANs in pairs on a physical interface. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. The sensor brings packets in on one VLAN and out a different VLAN on the same trunk link for traffic in the same subnet. The sensor replaces the VLAN ID field in the 802.1Q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. This design supports multiple VLAN pairs per physical interface and reduces the need to have many physical interfaces per chassis.

Note: VLAN pairs are supported on all sensors that are compatible with IPS 6.0 except NM-CIDS, AIP-SSM-10, and AIP-SSM-20.
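To make the VLAN ID rewrite concrete, here is an added example (not Cisco IPS code) that models one trunk interface with several VLAN pairs: a tagged frame arriving on either VLAN of a pair is inspected and, if permitted, forwarded with only the 12-bit VID in the 802.1Q TCI replaced by the peer VLAN, priority bits intact. The pairs, the inspection callback and the frame bytes are constructed for illustration.

```python
"""Inline VLAN pairing: rewrite the 802.1Q VLAN ID of a frame to the other
VLAN of its configured pair, dropping frames the inspection denies.

Added example for this lesson, not Cisco IPS code.  MAC addresses, VLAN
pairs and the inspection rule are constructed sample values.
"""
from __future__ import annotations

import struct
from typing import Callable, Optional

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag


class VlanPairInterface:
    """One physical trunk interface carrying one or more VLAN pairs."""

    def __init__(self, pairs: list[tuple[int, int]],
                 inspect: Optional[Callable[[bytes], bool]] = None) -> None:
        self.peer: dict[int, int] = {}
        for a, b in pairs:
            if a == b or a in self.peer or b in self.peer:
                raise ValueError(f"VLAN pair ({a}, {b}) overlaps another pair")
            self.peer[a] = b
            self.peer[b] = a
        # inspect(payload) returns True when the packet must be denied
        self.inspect = inspect or (lambda payload: False)
        self.dropped = 0

    def forward(self, frame: bytes) -> Optional[bytes]:
        """Return the frame to transmit on the egress VLAN, or None."""
        if len(frame) < 18:          # dst(6) + src(6) + tag(4) + ethertype(2)
            return None
        tpid, tci = struct.unpack("!HH", frame[12:16])
        if tpid != TPID_8021Q:
            return None              # untagged frame: no pair applies
        vid = tci & 0x0FFF
        egress = self.peer.get(vid)
        if egress is None:
            return None              # VLAN is not part of any pair here
        if self.inspect(frame[18:]):
            self.dropped += 1        # inline sensor: denied packet not forwarded
            return None
        new_tci = (tci & 0xF000) | egress   # keep PCP/DEI bits, replace VID
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def tagged_frame(vid: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build a constructed 802.1Q frame (IPv4 EtherType, dummy MACs)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload


def vlan_id(frame: bytes) -> int:
    """VLAN ID carried in a tagged frame's TCI field."""
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def priority(frame: bytes) -> int:
    """PCP bits carried in a tagged frame's TCI field."""
    return struct.unpack("!H", frame[14:16])[0] >> 13


if __name__ == "__main__":
    ips = VlanPairInterface([(10, 20), (30, 40)],
                            inspect=lambda p: b"/bin/sh" in p)
    out = ips.forward(tagged_frame(10, b"GET / HTTP/1.1", pcp=5))
    print("VLAN 10 ->", vlan_id(out), "PCP kept:", priority(out))
    print("VLAN 30 ->", vlan_id(ips.forward(tagged_frame(30, b"hello"))))
    print("VLAN 50 ->", ips.forward(tagged_frame(50, b"hello")))
    print("denied ->", ips.forward(tagged_frame(20, b"x /bin/sh")), ips.dropped)
```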
IPS Deployment Challenges
Asymmetric traffic patterns and high availability are challenges for IPS deployments.

[Figure: IPS Deployment Challenges. Asymmetric traffic issue: the SYN and the SYN-ACK of one connection traverse different sensors. Stateful failover issue: a second sensor holds no state for existing connections. Design workaround: the network mirrors the traffic to both sensors.]

Traditional packet flows in a network are symmetrical and consist of connections that take the same path through the network in both directions. Many newer network designs do not guarantee symmetrical flows, and engineer the network to take advantage of all available links. This greatly increases the chance that traffic may use multiple paths to and from its destination. This asymmetric traffic flow can cause problems with inline IPS devices. Since an IPS sensor inspects traffic statefully and needs to see both sides of the connection to function properly, asymmetric traffic flows may cause valid traffic to be dropped.

High availability is another deployment challenge. A failure of any redundant component in the network should not cause an interruption in network availability. This implies that existing sessions should continue to flow normally and not be dropped. The current IPS 6.0 solutions do not support asymmetric flows or high availability natively in the product.

A design workaround uses the network to mirror all traffic between two sensors in a failover pair. The IPS sensors in the pair see all packets traversing a point in the network. If one sensor fails for any reason, the network reroutes all traffic through the other sensor since it is the only available path. The secondary sensor has already seen all the packets and has built a complete state table for the flows, so traffic is not interrupted. Asymmetric traffic is also supported by this mirroring technique.
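The following added example (not Cisco IPS code) simulates both challenges with a minimal stateful sensor that, like an inline IPS, drops any packet for which it holds no matching connection state: under asymmetric routing the sensor on the return path never saw the SYN and drops the SYN-ACK, and on failover a standby that was not fed a mirror drops the established session, while a mirrored standby already has full state. The connection, sensor names and topologies are constructed for illustration.

```python
"""Stateful inline inspection under asymmetric routing and sensor failover.

Added example for this lesson, not Cisco IPS code.  The handshake model,
the hosts and the two topologies are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed hosts


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK", "ACK" or "DATA"


# (packet flags, current state) -> new state, in handshake order.
NEXT_STATE = {
    ("SYN", None): "SYN_SEEN",
    ("SYN-ACK", "SYN_SEEN"): "SYNACK_SEEN",
    ("ACK", "SYNACK_SEEN"): "ESTABLISHED",
    ("DATA", "ESTABLISHED"): "ESTABLISHED",
}


class StatefulSensor:
    def __init__(self, name: str) -> None:
        self.name = name
        self.state: dict[tuple[str, str], str] = {}

    @staticmethod
    def key(p: Packet) -> tuple[str, str]:
        """Connection key that is identical for both directions."""
        return (p.src, p.dst) if p.src < p.dst else (p.dst, p.src)

    def process(self, p: Packet, inline: bool = True) -> str:
        """Return 'forward' or 'drop'.  With inline=False the sensor only
        learns state from a mirrored copy; there is nothing to drop."""
        k = self.key(p)
        new_state = NEXT_STATE.get((p.flags, self.state.get(k)))
        if new_state is None:                 # no matching state for packet
            return "drop" if inline else "forward"
        self.state[k] = new_state
        return "forward"


# Constructed connection: client opens a session and sends one data segment.
CONNECTION = [
    Packet(CLIENT, SERVER, "SYN"),
    Packet(SERVER, CLIENT, "SYN-ACK"),
    Packet(CLIENT, SERVER, "ACK"),
    Packet(CLIENT, SERVER, "DATA"),
]

Verdict = tuple[str, str, str]   # (sensor, flags, verdict)


def simulate_asymmetric() -> list[Verdict]:
    """Equal-cost paths: packets toward the server cross sensor A, the
    return direction crosses sensor B.  Stops at the first drop, because a
    dropped SYN-ACK means the client never completes the handshake."""
    a, b = StatefulSensor("A"), StatefulSensor("B")
    log: list[Verdict] = []
    for p in CONNECTION:
        sensor = a if p.dst == SERVER else b
        verdict = sensor.process(p)
        log.append((sensor.name, p.flags, verdict))
        if verdict == "drop":
            break
    return log


def simulate_failover(fail_after: int, mirror: bool = True) -> list[Verdict]:
    """Sensor A is in the forwarding path and fails after `fail_after`
    packets; the network then reroutes everything through B.  With
    mirror=True the network also delivers a copy of every packet to B
    beforehand, so B already holds the connection state when it takes over."""
    active, standby = StatefulSensor("A"), StatefulSensor("B")
    log: list[Verdict] = []
    for i, p in enumerate(CONNECTION):
        if i == fail_after:
            active, standby = standby, None   # A is gone, B is the only path
        verdict = active.process(p)
        if standby is not None and mirror:
            standby.process(p, inline=False)  # learn state from the mirror
        log.append((active.name, p.flags, verdict))
    return log


if __name__ == "__main__":
    print("asymmetric paths:      ", simulate_asymmetric())
    print("failover, no mirror:   ", simulate_failover(3, mirror=False))
    print("failover, mirrored pair:", simulate_failover(3))
```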
IDS/IPS Management Interface Deployment Options
This section discusses options for deploying the IDS/IPS management interface.

[Figure: Secure Management, Separate VLAN. Sensors on the Internet-facing DMZ and on the inside network, with a separate monitoring and management network segment (Mgmt); an attacker is shown on the Internet.]

Monitoring an IDS/IPS solution is one of the crucial elements to provide fast detection of any suspicious activity and an indication of prevented attacks. IDS/IPS management consolidates and centralizes alarms from multiple sources in order to provide the required view of the network.

On the network boundary, the sensors are usually installed adjacent to a firewall. The monitoring and management interfaces of an IPS sensor can therefore be connected to two different networks. This is especially critical when the outside sensor needs to communicate with the inside network.

One option is to connect the monitoring interface to the outside network while the management interface is directly connected to the inside network. All management is done in-band over the internal network. This type of setup is simple, but provides a path around the firewall if the sensor is compromised. This design is not recommended.

A preferred design places the monitoring interface on the outside network and the management interface on a separate inside VLAN. With this setup, the management interface is isolated by an IPS management VLAN from the rest of the inside network. If the VLAN is sufficiently trusted, this design provides good separation of the IDS/IPS sensor.

Note: Using private VLANs to put all sensors on isolated ports is recommended, because the sensors do not need to talk to each other except when distributed blocking is used. This isolation prevents the compromise of a single sensor from leading to the compromise of other sensors.
In-Band Management Through Tunnels
Another option for deploying IDS/IPS uses a combination of management through an out-of-band network and management through secure tunnels, depending on the location of the sensors.

[Figure: In-Band Management Through Tunnels. The firewall provides the connection from the IDS/IPS management interface on the DMZ to the management segment for less secure devices; encrypted tunnels are terminated at the firewall or at the management station.]

For devices outside the perimeter firewall, the monitoring interface remains on the outside network, but the management interface is terminated on a separate demilitarized zone (DMZ). Management is supported in-band across an encrypted tunnel. The firewall protects the outside sensor from the inside devices and provides better separation compared to the previous solution. For internal devices in more secure areas, management is provided through a separate management VLAN.
IDS/IPS Monitoring and Management
This topic reviews the Cisco applications for monitoring and managing IDS/IPS implementations: Cisco Security Manager (CSM) and CS-MARS.

Cisco Security Monitoring, Analysis, and Response System (MARS) and Cisco Security Manager are part of the Cisco Security Management Suite, which delivers policy administration and enforcement for the Cisco Self-Defending Network. Both tools should be implemented in the management VLAN in a protected place such as the server farm or data center.

MARS provides multivendor event correlation and proactive response: it identifies active network threats and distributes IPS signatures to mitigate them. MARS ships with a set of predefined compliance reports that are easy to customize. MARS stores event information from every type of device, and this information can be grouped in one single report. For a small to medium-sized organization, a centralized MARS implemented as a Local Controller is a typical deployment.

Cisco Security Manager enables organizations to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of VPN and firewall services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules. It also supports IPS technologies on routers, service modules, and IPS devices. Security Manager supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, and logging.

Cisco Security Manager, through its IPS Manager component, supports the management and configuration of Cisco Intrusion Prevention System (IPS) sensors (appliances, switch modules, network modules, and Security Service modules [SSMs]) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers [ISRs]). You configure IPS sensors and IOS IPS devices through the use of policies, each of which defines a different part of the configuration of the sensor. While Security Manager 3.0 allowed you to cross-launch the IPS Management Center to access IPS functionality, Cisco Security Manager 3.1 provides fully integrated IPS features.

Cisco Security Manager version 3.1 enables you to manage security policies on Cisco security devices. Cisco Security Manager supports integrated provisioning of firewall, IPS, and VPN (site-to-site, remote access, and SSL). It provides integrated IPS provisioning services across:

Starting in version 3.1, Cisco Security Manager supports IPS 5.1/6.0 and IOS IPS in IOS 12.4(11)T. It provides support for the following features on IPS 6.0 devices:
- Virtual sensors
- Anomaly detection
- Passive OS fingerprinting
- Simplified custom signature creation
- Signature update wizard, preview and tuning of new signatures
- IPS signature update license management
- External product interface (linkage of IPS sensor with CSA MC)
Scaling CS-MARS with Global Controller Deployment
The CS-MARS Global Controller enables network monitoring to scale.

[Figure: Scaling CS-MARS with Global Controller Deployment. CS-MARS 50, CS-MARS 100, and CS-MARS 200 Local Controllers at the US corporate, AsiaPac, and EMEA offices report to CS-MARS Global Controllers (GC). The GC communicates over HTTPS using certificates; only incidents from global rules are rolled up; updates, rules, report templates, access rules, and queries can be distributed.]

If an organization is supporting multiple MARS Local Controllers, it can deploy a distributed solution using a Global Controller to summarize the findings of two or more Local Controllers and manage the Local Controllers. The Global Controller communicates over HTTPS using certificates. Only incidents from global rules are rolled up into the Global Controller. The Global Controller can distribute updates, rules, report templates, access rules, and queries across the Local Controllers.
Summary
This topic summarizes the key points discussed in this lesson.
- An IDS passively listens to network traffic, while an IPS is an active device inline with the traffic path.
- The two major components in an IDS/IPS solution are sensors and the security management infrastructure.
- IDS/IPS sensors are deployed in the enterprise based on the priority of targets.
- IPS sensors can be placed between two Layer 2 devices or two Layer 3 devices.
- MARS can proactively identify active network threats and distribute IPS signatures to mitigate them, as well as support configuring and managing security policies on Cisco security devices.
- Cisco Security Manager supports IPS technologies on routers, service modules, and IPS devices.
Module Summary
This topic summarizes the key points discussed in this module.
- Firewalls provide the first line of defense in network security by comparing corporate policies about network access rights for users to the connection information surrounding each access attempt.
- NAC is a set of technologies and solutions that use the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
- IDS/IPS solutions help identify and stop worms, network viruses, and other malicious traffic.

Firewalls have long provided the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about network access rights for users to the connection information surrounding each access attempt. User policies and connection information must match up, or the firewall does not grant access to network resources.

NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. The NAC Framework uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware by using embedded software modules within NAC-enabled products. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices. Cisco NAC Appliance condenses NAC capabilities into an appliance form where client, server, and manager products allow network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network.

Cisco intrusion detection and prevention solutions are part of the Cisco Self-Defending Network.
Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect networks. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and the endpoint.
Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) What is the traditional mode for a firewall? (Source: Firewall Design Considerations)
A) bridged mode
B) context mode
C) routed mode
D) security mode
E) transparent mode

Q2) What is a VFW? (Source: Firewall Design Considerations)
A) a logical separation of multiple firewall security contexts on a single firewall
B) a physical separation of multiple firewall security contexts in a single chassis
C) a routed firewall mode
D) a transparent firewall mode
E) an administrative context for network connectivity

Q3) What topology uses two firewalls that are both actively providing firewall services? (Source: Firewall Design Considerations)
A) multiple context topology
B) active/standby topology
C) active/passive topology
D) active/failover topology
E) active/active topology

Q4) What command provides support for asymmetric routing? (Source: Firewall Design Considerations)
A) asr-active interface command on FWSM 2.1
B) asr-active interface command on FWSM 3.0
C) asr-group interface command on FWSM 2.1
D) asr-group interface command on FWSM 3.0
E) asr-redundancy interface command on FWSM 2.1
F) asr-redundancy interface command on FWSM 3.0

Q5) What two mechanisms can be used to scale performance with FWSMs? (Choose two.) (Source: Firewall Design Considerations)
A) use PBR with multiple VRFs in a chassis
B) use PBR with multiple VFWs in a chassis
C) use PBR with multiple FWSMs in a chassis
D) use ECMP routing with multiple VRFs in a chassis
E) use ECMP routing with multiple VFWs in a chassis
F) use ECMP routing with multiple FWSMs in a chassis
Q6) What are three components of a PVLAN? (Choose three.) (Source: Firewall Design Considerations)
A) communications VLAN
B) community VLAN
C) isolated VLAN
D) isolation VLAN
E) primary VLAN
F) promiscuous VLAN

Q7) What are two characteristics of a ZBF model? (Choose two.) (Source: Firewall Design Considerations)
A) a design supported by the FWSM
B) a design supported by the Cisco IOS Firewall feature set
C) a transparent model with zero security before the firewall
D) a model that uses a DMZ for intermediate security between the public and private zones
E) a model where a security zone is configured for each region of relative security within the network
F) a model where an interface is configured for each zone of relative security within the network

Q8) What are two methods to provide network security with access control? (Choose two.) (Source: Network Admission Control Design)
A) 802.1x posture alignment
B) 802.1x posture assessment
C) IBNS authentication
D) INBS authentication
E) NAC posture alignment
F) NAC posture assessment

Q9) What are two components of Cisco NAC Appliance? (Choose two.) (Source: Network Admission Control Design)
A) 802.1x posture alignment
B) NAM
C) NAS
D) Cisco Trust Agent
E) NAC posture assessment
F) SSC

Q10) Cisco NAC Appliance Super Manager manages up to how many NAC Appliance Servers? (Source: Network Admission Control Design)
A) 3
B) 5
C) 20
D) 40
E)
Q11) What are two characteristics of Virtual Gateway mode? (Choose two.) (Source: Network Admission Control Design)
A) The NAM has an IP address for every managed VLAN.
B) The NAM operates as a standard Ethernet bridge, but with added functionality.
C) The NAS does not operate as the default gateway for untrusted network clients.
D) The NAS has an IP address for every managed VLAN.
E) The NAS operates as a standard Ethernet bridge, but with added functionality.
F) The NAS operates as the default gateway for untrusted network clients.

Q12) What are two characteristics of Real-IP Gateway mode? (Choose two.) (Source: Network Admission Control Design)
A) The NAM has an IP address for every managed VLAN.
B) The NAM operates as a standard Ethernet bridge, but with added functionality.
C) The NAS does not operate as the default gateway for untrusted network clients.
D) The NAS has an IP address for every managed VLAN.
E) The NAS operates as a standard Ethernet bridge, but with added functionality.
F) The NAS operates as the default gateway for untrusted network clients.

Q13) What are three major architectural components of the Cisco NAC Framework posture validation process? (Choose three.) (Source: Network Admission Control Design)
A) enforcement devices
B) subjects (NAC appliances)
C) decision and remediation devices
D) enforcement and decision devices
E) subjects (managed or unmanaged hosts)
F) Clean Access Agents remediation devices

Q14) What are two typical NAC agentless hosts? (Choose two.) (Source: Network Admission Control Design)
A) Cisco Secure Services clients
B) enforcement devices
C) printers
D) scanners
E) Windows 2000 devices
F) Windows XP devices

Q15) What are two characteristics of an IDS sensor? (Choose two.) (Source: Intrusion Detection and Prevention Designs)
A) a permissive interface is used to monitor networks
B) a promiscuous interface is used to monitor the network
C) an active device in the traffic path
D) passively listens to network traffic
E) traffic arrives on one IDS interface and exits on another

Q16) What are two characteristics of an IPS sensor? (Choose two.) (Source: Intrusion Detection and Prevention Designs)
A) an active device in the traffic path
B) passively listens to network traffic
C) a permissive interface is used to monitor networks
D) a promiscuous interface is used to monitor the network
E) traffic arrives on one IPS interface and exits on another
Q17) What are three options for placing an IPS sensor in an enterprise network? (Choose three.) (Source: Intrusion Detection and Prevention Designs)
A) bridging VLANs on two switches
B) bridging two VLANs on one switch
C) between two Layer 2 devices with trunking
D) between two Layer 2 devices without trunking
E) between a Layer 2 device and a Layer 3 device without trunking

Q18) What are two challenges for IPS deployments? (Choose two.) (Source: Intrusion Detection and Prevention Designs)
A) supporting inline VLAN pairing
B) supporting asymmetric traffic flows
C) natively supporting symmetric traffic flows
D) natively bridging VLANs on two switches
E) supporting failover without dropping valid traffic

Q19) What are three mechanisms used to secure management traffic from outside IPS sensors? (Choose three.) (Source: Intrusion Detection and Prevention Designs)
A) using secure VLANs to isolate sensors
B) using secure tunnels
C) using private VLANs to put all sensors on isolated ports
D) using asymmetric traffic flows to isolate sensors
E) using a separate management VLAN
F) providing an out-of-band path around the firewall

Q20) What mechanism can be used to scale MARS deployments? (Source: Intrusion Detection and Prevention Designs)
A) inline VLAN pairing for Local Controllers
B) symmetric traffic flows to a Central Controller
C) a Global Controller to summarize multiple Local Controllers
D) a Central Controller to summarize multiple Local and Global Controllers
E) HTTPS certificates for each Global Controller
Module Self-Check Answer Key

Q1) C
Q2) A
Q3) E
Q4) D
Q5) C, F
Q6) B, C, E
Q7) B, E
Q8) C, F
Q9) B, C
Q10) D
Q11) C, E
Q12) D, F
Q13) A, C, E
Q14) C, D
Q15) B, D
Q16) A, E
Q17) C, D, E
Q18) B, E
Q19) B, C, E
Q20) C
Module 9
IPsec and SSL VPN Design

Overview
This module reviews virtual private network (VPN) design in the enterprise. VPNs are networks deployed on a public or private network infrastructure. VPNs are useful for telecommuters, mobile users, and remote offices as well as for customers, suppliers, and partners. For enterprises, VPNs are an alternative WAN infrastructure, replacing or augmenting existing private networks that use dedicated WANs based on leased-line, Frame Relay, ATM, or other technologies. Increasingly, enterprises are turning to their service providers for VPNs and other complete service solutions tailored to their particular business.

Module Objectives
Upon completing this module, you will be able to design enterprise solutions using appropriate VPN technology. This ability includes being able to meet these objectives:
Discuss design considerations for remote-access VPNs
Discuss design considerations for site-to-site VPNs
Discuss technologies for implementing VPNs
Discuss managing and scaling VPNs
Lesson 1
Remote Access VPN Design

Overview
Remote access virtual private networks (VPNs) permit secure, encrypted connections between mobile or remote users and their corporate networks through a third-party network, such as a service provider. Deploying a remote access VPN enables enterprises to reduce communications expenses by leveraging the local packet switching infrastructures of Internet service providers. Cisco Remote Access VPN solutions deliver both IP Security (IPsec) and Secure Sockets Layer (SSL) technologies on a single platform with unified management.

Objectives
Upon completing this lesson, you will be able to design remote-access VPNs. This ability includes being able to meet these objectives:
Provide an overview of remote access VPNs
Describe attributes of SSL VPNs
Discuss remote access VPN design considerations
Remote Access VPN Overview

Remote access VPNs using IPsec or SSL technologies permit secure, encrypted connections between mobile or remote users and their corporate network across public networks.

[Slide: Remote Access VPN Overview. The figure shows telecommuter, consumer, and mobile users reaching the corporate firewall, router, and VPN security appliance across the Internet through DSL, cable, and service provider POP connections. Components: termination device (high number of endpoints); client (mobile or fixed); technology (IPsec or SSL). Mechanism for secure communication over IP: authenticity (unforged, trusted party); integrity (unaltered, not tampered with); confidentiality (unread).]

There are three remote access VPN components:
VPN termination device or head-end supporting a high number of endpoints.
End clients that can be mobile or fixed. The remote access client can be built into the operating system or application, or be installed as a Layer 3 software client such as the Cisco VPN Client.
Technology that connects the VPN head-end and the end clients. The two main protocols supporting remote access VPNs are IP Security (IPsec) and Secure Sockets Layer (SSL):
IPsec is used primarily for data confidentiality and device authentication, but extensions to the standard allow for user authentication and authorization to occur as part of the IPsec process.
The main role of SSL is to provide security for web traffic. With SSL, the browser client supports the VPN connection to a host. SSL is a default capability in leading browsers.

Both IPsec and SSL remote access VPNs are mechanisms to provide secure communication:
Authenticity identifies the trusted party by asking for a username and password or a credential.
Integrity checking verifies that packets were not altered or tampered with as they traveled across the network.
Confidentiality is supported using encryption to ensure communications were not read by others.
Example: Easy VPN Client IPsec Implementation

Cisco Easy VPN provides simple IPsec VPN deployments for remote offices and teleworkers.

[Slide: Example: Easy VPN Client IPsec Implementation. A remote user or small branch office (SBO) running the Cisco VPN Client connects across the Internet to the VPN server at HQ. IKE mode config allows VPN parameters to be pushed to a client. Dynamically updated: central services and security policy; offload VPN function from local devices; client and network extension mode. Parameters pushed: internal IP address, internal network mask, internal DNS server, internal WINS server, split tunneling, IPsec transforms. Centralized control: configuration and security policy is pushed at the time of VPN tunnel establishment.]

The Cisco Easy VPN Server allows Cisco routers and security appliances to act as IPsec VPN head-end devices in remote-access and site-to-site VPNs.

Note: IPsec components and features are covered in the prerequisite ISCW course.

For remote access VPNs, the Cisco Easy VPN Server terminates VPN tunnels initiated by remote workers running the Cisco VPN Client software on PCs. This capability allows mobile and remote workers to access critical data and applications on their corporate intranet. The Easy VPN Server pushes configurations and security policies defined at the central site to the remote client device, helping to ensure that those connections have appropriate information and up-to-date policies in place before the connection is established. Easy VPN Server can pass a variety of information to the client, including IP address and mask, information on the internal DNS and WINS servers, and organization policies.

Note: Easy VPN Server is discussed in more detail in the Remote Access VPN Implementation Technologies lesson in this module.
SSL VPNs

SSL is a protocol designed to enable secure communications on an insecure network such as the Internet.

[Slide: SSL Overview. The SSL protocol was developed by Netscape for secure e-commerce: it creates a tunnel between web browser and web server, authenticated by digital certificates and encrypted; self-signed root certificates are included in leading browsers. SSL VPNs can support more than just web pages: they must fit into existing networks and application environments, and must support all of the same authentication mechanisms and often the extensive application list available for IPsec.]

SSL is a technology developed by Netscape to provide encryption between a web browser and a web server. SSL supports integrity of communications along with strong authentication using digital certificates:
Web server certificates are used to authenticate the identity of a website to visiting browsers. When a user wants to send confidential information to a web server, the browser will access the server's digital certificate. The certificate, which contains the public key of the web server, will be used by the browser to authenticate the identity of the web server and to encrypt information for the server using SSL technology. Since the web server is the only entity with access to its private key, only the server can decrypt the information.
Root certificates are self-signed digital certificates that are generated during the creation of a certification authority (CA). Trusted root certificates refer to CA certificates that are stored in the trust lists that are natively embedded in the leading web browsers. There are a limited number of CA certificates that come embedded in the web browsers from Microsoft and Netscape.

SSL for VPNs can do more than provide secure access to the applications available as static web pages on HTTP servers:
SSL VPNs can fit into existing networks and application environments and provide support for complex applications such as corporate directory and calendar systems, e-commerce applications, file sharing, and remote system management.
SSL VPNs can support the same authentication mechanisms and often the extensive application list available for IPsec.
SSL Access Mechanisms

[Slide: SSL Access Mechanisms. Embedded clientless access provides content rewriting and application translation through Layer 7 features. Port forwarding using a thin client provides access to a set of resources. A dynamic VPN client using a thick client provides full network access.]

SSL VPNs have multiple access mechanisms:
Content rewriting and application translation using embedded clientless access and Layer 7 features. Clientless access is where a user can connect with few requirements beyond a basic web browser.
Port forwarding, which is known as thin client. With a thin client, a small applet or application, generally less than 100K in size, provides access to a subset of resources.
Dynamic VPN client with full network access, known as thick client. With a thick client, a larger client, generally around 500K, is delivered to the end user. The applications that can be reached through the thick client are very similar to those available via IPsec VPNs. This client is delivered via a web page and never needs to be manually distributed or installed.
Clientless Access

This section discusses clientless access for SSL VPNs.

[Slide: Clientless Access. The concentrator proxies HTTP and HTTPS over the SSL connection; support is limited to HTML pages and web-based applications. Content rewriting translates content to HTTP, delivers HTML look-and-feel, and supports file sharing. Clientless access does not require specialized VPN software on the user desktop, so provisioning and support concerns are minimal.]

The SSL VPN system supports clientless access by proxying web pages. The system connects to a web server, downloads and translates a web page, and then transfers it over an SSL connection to the browser of the end user. The SSL VPN system rewrites or translates content so that the internal addresses and names on a web page are accessible to the end users. Only web-enabled and some client-server applications, such as intranets, applications with web interfaces, calendaring, and file servers, can be accessed using a clientless connection. This limited access is suitable for partners or contractors that need access to a limited set of resources on the network.

There are several content rewriting functions involved in proxying the remote applications:
Translating the protocol to HTTP
Delivering HTML look-and-feel
Supporting file sharing

Clientless access for SSL VPNs does not require specialized VPN software on the user desktop, as all VPN traffic is transmitted and delivered through a standard web browser. Because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized.
Thin Client

Thin client supports port forwarding for SSL VPNs with a small applet or application.

[Slide: Thin Client (Port Forwarding). The client workstation hosts the client program, the web browser, and a Java applet; the client program opens a TCP connection to a local port, the applet opens an HTTPS connection to the VPN appliance, and the VPN appliance opens the protocol connection to the remote server. The thin client acts as a local proxy: it tunnels and forwards application traffic, and the VPN appliance delivers the forwarded traffic. Port forwarding maintains native application look-and-feel. Port forwarding has some limitations: it works with predictable non-web applications that are generally outbound, TCP-based, with static ports; Telnet, SMTP, and POP3 are supported. ActiveX or Java applet support, as well as system permissions, may be required.]

Organizations that have not implemented web-based applications can often rely on the thin clients that support port forwarding. Port forwarding requires a very small application, often in the form of Java or ActiveX, that runs on the end user system. The port forwarder acts as a local proxy server. The client application listens for connections on a port defined for an application on a local host address. It tunnels packets that arrive on this port inside an SSL connection to the SSL VPN device, which unpacks them and forwards them to the real application server. Port forwarding maintains the native application look-and-feel for the end user.

Port forwarding is an effective technique, but it also has some limitations. For port forwarding to work, the applications need to be well-behaved and predictable in their network connectivity patterns and needs. Examples of applications that are not web-enabled but can be addressed with port forwarding are common mail protocols, including SMTP, POP3, and MAPI, and remote shell programs, such as Telnet. ActiveX or Java applet support may also be required on the client machine, along with the permissions in the browser to run them.
Thick Client

This section discusses the thick client that supports full access through SSL VPN network extension.

[Slide: Thick Client (Layer 3 Network Access). Supports network extension. Traditional-style client delivered through automatic download (ActiveX, Java, and/or EXE). Requires administrative privileges for initial install. Provides access similar to IPsec, with better accessibility over firewalls and NAT and a smaller installation package.]

SSL VPN network extension connects the end user system to the corporate network with access controls based only on network-layer information, such as destination IP address and port number. Network extension uses a thick client that provides authorized users with secure access to the entire corporate LAN. The thick client is automatically delivered through the web page and does not need to be manually distributed or installed. The thick client requires administrative access to the local system. The Layer 3 thick client provides a virtual adapter for the end user, typically using ActiveX and Java. The applications that can be accessed with the thick client are very similar to those available through an IPsec VPN. The Cisco SSL VPN Client for WebVPN is a Cisco implementation of the thick client.

Since the SSL VPN network extension runs on top of the SSL protocol, it is simpler to manage and more robust across different network topologies, such as firewalls and network address translation (NAT), than the higher-security IPsec. The thick client is typically a smaller installation than the IPsec client. Thick mode should be used when users need full application access and IT wants tighter integration with the operating system for additional security and ease of use.
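The following Cisco IOS SSL VPN (WebVPN) configuration is an added example, not from the original guide, showing the three access mechanisms from the preceding sections on one gateway: a clientless URL list, a thin-client port-forwarding list mapping local loopback ports to internal SMTP, POP3, and Telnet servers, and the thick client (SVC) with its own address pool. All names, addresses, and the trustpoint are assumed placeholders; the partner policy group gets clientless access only, while the employee group gets all three.

```cisco
! Added example (assumed names and addresses): one IOS SSL VPN gateway offering
! clientless, thin-client (port forwarding), and thick-client (SVC) access.
webvpn gateway SSLVPN-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint VPN-CERT
 inservice
!
webvpn context CORP-SSLVPN
 ! Thin client: each entry listens on a local port on the user workstation and is
 ! tunneled over HTTPS to a fixed internal server and port (outbound, TCP, static).
 port-forward "PF-MAIL-TELNET"
   local-port 3025 remote-server "10.1.2.25" remote-port 25 description "SMTP"
   local-port 3110 remote-server "10.1.2.25" remote-port 110 description "POP3"
   local-port 3023 remote-server "10.1.2.30" remote-port 23 description "Telnet"
 !
 ! Clientless: bookmarks for web applications the gateway proxies and rewrites.
 url-list "INTRANET"
   heading "Intranet applications"
   url-text "Corporate directory" url-value "http://directory.corp.example"
 !
 ! Partners and contractors: clientless access to the bookmarked applications only.
 policy group PARTNERS
   url-list "INTRANET"
 !
 ! Employees: clientless plus port forwarding plus the full Layer 3 thick client.
 policy group EMPLOYEES
   url-list "INTRANET"
   port-forward "PF-MAIL-TELNET"
   functions svc-enabled
   svc address-pool "SSLVPN-POOL"
   svc keep-client-installed
 !
 default-group-policy PARTNERS
 gateway SSLVPN-GW
 inservice
!
! Addresses handed to thick-client users; clientless and thin-client users need none.
ip local pool SSLVPN-POOL 10.20.20.1 10.20.20.254
```

The default policy is the most restrictive group, so a user who is not explicitly mapped (through AAA group attributes, not shown) lands in clientless mode. Only the thick client consumes an address from the pool, which matches the address assignment discussion later in this lesson.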
Remote Access VPN Design Considerations

This topic discusses some remote access VPN design considerations.

VPN Termination Device and Firewall Placement

The VPN termination device is typically deployed with a firewall at the network edge.

[Slide: VPN Termination and Firewall Placement. Three placements are shown: parallel, inline, and DMZ. Limit incoming traffic to IPsec and SSL in the firewall policy; terminate the IPsec tunnel on the VPN appliance; possibly send traffic through the firewall for additional inspection; enforce endpoint security compliance on the remote system.]

The VPN termination device can be deployed in parallel with a firewall, inline with a firewall, or in a DMZ. For best security, the recommended practice is to place the public side of the VPN termination device in a DMZ behind a firewall.

Note: The firewall could be the VPN termination device.

The firewall policies should limit incoming traffic to the VPN termination device to IPsec and SSL. Any IPsec tunnels should terminate on the VPN appliance. For extra security, send traffic through another firewall for additional inspection after it passes through the VPN appliance. You should also enforce endpoint security compliance on the remote system.
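As an added example (Cisco IOS syntax, not from the original guide), the access list below implements the edge-firewall policy just described for a VPN termination device sitting in the DMZ: only IKE, IKE/ESP over UDP 4500 for NAT traversal, ESP, and HTTPS may reach the appliance's public address, and everything else is denied and logged. The address 203.0.113.10 and the interface name are assumed placeholders.

```cisco
! Added example: inbound policy on the Internet-facing firewall interface for a
! VPN termination device in the DMZ. 203.0.113.10 is a placeholder public address.
ip access-list extended INBOUND-TO-VPN
 remark IKE (ISAKMP) for IPsec tunnel negotiation, UDP 500
 permit udp any host 203.0.113.10 eq isakmp
 remark IKE and ESP encapsulated in UDP 4500 when the client is behind NAT
 permit udp any host 203.0.113.10 eq 4500
 remark ESP (IP protocol 50) carries the encrypted IPsec payload
 permit esp any host 203.0.113.10
 remark SSL VPN (clientless, thin client, and thick client) over HTTPS
 permit tcp any host 203.0.113.10 eq 443
 remark Everything else is dropped; logging gives the SOC visibility of probes
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet-facing) interface
 ip access-group INBOUND-TO-VPN in
```

The final explicit deny only documents the implicit deny that every IOS access list already has; it is written out so that rejected traffic is logged. If the DMZ also hosts other public services, their permits go above the deny, and the firewall between the VPN appliance's private side and the internal network still applies its own policy to the decrypted traffic, as the text recommends.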
Routing Design Considerations

Routing design considerations are mainly a VPN head-end consideration for remote access VPNs.

[Slide: Routing Design Considerations. The figure shows a remote software client with a /32 address connecting across the Internet to the VPN head-end, which tells the internal router through RRI, "I can reach X". The most common configuration is a static route for address blocks pointing to the VPN head-end. Reverse Route Injection can populate the routing table of internal routers for OSPF and RIPv2. IP addresses assigned to VPN software clients are added as host routes. A hardware client in Network Extension Mode can inject its protected network address.]

For non-local subnet IP addresses, the most common configuration is that the internal routers use a static route for these address blocks pointing to the private interface of the head-end device. Another option is to use Reverse Route Injection (RRI) to populate the routing table of internal routers through Open Shortest Path First (OSPF) or Routing Information Protocol version 2 (RIPv2). RRI is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities. With RRI, the assigned IP addresses of VPN software clients are injected as host routes into the routing table by the VPN head-end. An Easy VPN hardware client will need RRI if it connects using Network Extension Mode (NEM) to inject its protected network address.

Note: Smaller organizations typically configure a few static routes to point to the VPN device and do not need RRI. The RRI function is usually of more benefit to larger organizations that have more complex requirements, for example those that do not have a dedicated scope of DHCP addresses associated with a specific VPN head-end.
Address Assignment Design Considerations

This section discusses some design considerations for address assignment with remote access VPNs.

[Slide: Address Assignment Design Considerations. IPsec, thin, and thick client access: the most common approach is internal address pools; ACLs on an internal firewall can use group-based address pools; DHCP assignment is the next most common; static assignment requires RADIUS or LDAP to deploy. Clientless access: the head-end device will proxy ARP on behalf of all local subnet IP addresses; clientless users do not receive their own unique IP address, instead their traffic originates from the head-end interface IP.]

For IPsec, thin, and thick clients there are three common addressing techniques:
The simplest and most common address assignment design is to use internal address pools per VPN head-end and to implement a static route for this subnet to the VPN head-end. With this approach, ACLs on an internal firewall can support group-based address pools for incoming user policies.
Using DHCP to assign addresses is another popular choice. A recommended practice is to associate a dedicated scope of DHCP addresses with a specific VPN head-end.
For situations where the remote user needs a static IP address assignment to support a specific application, organizations will need to deploy RADIUS or LDAP with an attribute that assigns the user the same IP address each time. In this case, RRI may be needed.

An IP address is not assigned for clientless end user devices: the head-end device will proxy ARP on behalf of all local subnet IP addresses. Since the clientless users do not receive a unique IP address, their traffic will originate from the head-end interface IP. This is good for scalability, but harder to monitor.
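The configuration below is an added example (Cisco IOS, not from the original guide) that ties together three passages of this lesson: the Easy VPN Server pushing address, DNS, WINS, and split-tunnel policy to Cisco VPN Client users, the per-head-end address pool from the address assignment discussion, and Reverse Route Injection from the routing discussion, so that each connected client's /32 host route is redistributed into OSPF instead of relying on a static route on the internal routers. All names, addresses, and the pre-shared key are assumed placeholders.

```cisco
! Added example (assumed names, addresses, and a placeholder key): IOS Easy VPN
! server with a per-head-end pool, pushed client attributes, and RRI into OSPF.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
!
! Per-head-end internal address pool; clients are assigned addresses from it.
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! Group attributes pushed to the client at tunnel establishment (IKE mode config):
! address from the pool, DNS, WINS, domain, and the split-tunnel ACL.
crypto isakmp client configuration group EMPLOYEES
 key PLACEHOLDER-PRESHARED-KEY
 dns 10.1.1.10 10.1.1.11
 wins 10.1.1.20
 domain corp.example
 pool EZVPN-POOL
 acl SPLIT-TUNNEL
!
! Only corporate prefixes (source side of the ACL) are sent through the tunnel.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.255.255.255 any
!
crypto isakmp profile EZVPN-PROFILE
 match identity group EMPLOYEES
 client authentication list VPN-USERS
 isakmp authorization list VPN-GROUPS
 client configuration address respond
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
! reverse-route installs a static /32 for each connected client's assigned address.
crypto dynamic-map EZVPN-DYN 10
 set transform-set AES-SHA
 set isakmp-profile EZVPN-PROFILE
 reverse-route
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 description Public (Internet-facing) interface
 ip address 203.0.113.10 255.255.255.0
 crypto map EZVPN-MAP
!
! Redistribute the RRI-generated static host routes so internal routers learn
! reachability for connected clients without a manual static route for the pool.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 redistribute static subnets
```

For the smaller deployment the text describes, the `reverse-route` line and the `redistribute static subnets` line can be dropped and each internal router instead carries a single static route for 10.10.10.0/24 pointing at the head-end's private interface; group-based firewall ACLs then key on that pool. RRI earns its keep when addresses are assigned per user through RADIUS or LDAP and no longer fall inside one predictable pool.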
Other Design Considerations

Two other design considerations are authentication and access control.

[Slide: Other Design Considerations. VPNs can use many types of client authentication; more security-conscious organizations use one-time passwords; static password databases can also be used. Access control rules should be implemented for VPNs; they are typically defined on a per-group basis on the VPN head-end device or on the RADIUS server. Tunnel-based VPNs provide Layer 3 control at the protocol/port and destination IP level; clientless SSL VPNs can provide more granular Layer 7 access control.]

Authentication

Although the SSL protocol does not support client authentication methods other than digital certificates, it is possible to use other authentication methods in conjunction with SSL. The simplest approach is username and password, but more security-conscious organizations use stronger authentication methods, such as security tokens and one-time passwords (OTP). Customers focused on convenience sometimes authenticate to an internal NT domain controller or a static RADIUS password database. Any type of static password configuration leaves the organization vulnerable to brute-force password attacks.

Access Control

Access control rules allow organizations to restrict network access. Some companies choose to maintain all access rules on an internal firewall based on the source IP of the client. This scenario supports addresses that are assigned to a specific pool based on group assignment. Access control rules can be defined on a per-group basis on the VPN head-end device. This approach is easy to deploy, but can be more difficult to maintain with large numbers of policies or across multiple devices. Access control rules can also be defined on the head-end RADIUS server, although generic RADIUS has a 4K packet size limit. The Cisco Secure ACS offers a downloadable ACL feature that can be used with Cisco head-end devices to support large policies.

Tunnel-based VPNs (IPsec and SSL VPN clients) provide Layer 3 control at the protocol/port and destination IP level. Clientless SSL VPNs can provide more granular Layer 7 access control, including URL-based access or file server directory-level access control.
Example: VPN Architecture

This section discusses an example VPN architecture.

[Slide: Example: VPN Architecture. A non-corporate PC with a web browser and an employee PC with the IPsec VPN client connect across the Internet to the public side of a load-balancing VPN cluster; the cluster authenticates users against an AAA server and its private side connects to ACME internal resources. Traffic is encrypted across the Internet and unencrypted on the internal side.]

The figure shows an example architecture for a VPN design supporting employees and partners. The employees connect across the Internet using an IPsec VPN client. The non-corporate users connect using SSL. The IPsec or SSL clients are authenticated using the AAA server. Both IPsec and SSL VPNs come in on the public interface of the VPN cluster and are terminated there. Load balancing is used for resiliency, stateless failover, and capacity growth on the VPN cluster. The private interface of the VPN head-end connects through routers to the internal corporate network. Inbound ACLs on the internal edge routers provide access control rules to permit traffic to specific internal resources. Users are organized into various groups with appropriate security policy profiles and user authentication and authorization information. Both Cisco IPsec VPN and SSL VPN clients are supported, as well as clientless SSL VPN with the optional port forwarding feature.
Summary

This topic summarizes the key points discussed in this lesson.

Remote access VPNs using IPsec or SSL technologies permit secure, encrypted connections between mobile or remote users and their corporate network across public networks.
SSL technology supports VPNs using clientless access, port forwarding, and thick mode dynamic VPN clients.
VPN design considerations include where to deploy VPN termination devices, when RRI is needed to support remote clients, address assignment practices for remote clients, and the importance of authentication and access control.
Lesson 2
Site-to-Site VPN Design

Overview
Site-to-site VPNs are an alternative WAN infrastructure used to connect branch offices, home offices, or business partners to all or portions of an enterprise network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. Site-to-site VPNs use the most pervasive transport technologies available today, such as the public Internet or service provider IP networks, by employing tunneling and encryption for data privacy and quality of service (QoS) for transport reliability.

Objectives
Upon completing this lesson, you will be able to design simple and complex site-to-site VPNs, given enterprise VPN needs. This ability includes being able to meet these objectives:
Identify typical applications for an enterprise site-to-site VPN
Discuss design considerations for enterprise site-to-site VPNs
Site-to-Site VPN Applications

This topic identifies common applications for site-to-site VPNs.

WAN Replacement Using Site-to-Site IPsec VPNs

WAN replacement is one of the biggest reasons organizations implement IPsec VPNs.

[Slide: WAN Replacement Using Site-to-Site IPsec VPNs. The central site connects over the Internet through VPN devices to intranet branch and remote offices, an extranet business-to-business partner, and teleworkers and mobile users on DSL, cable, and POP connections, alongside the existing Frame Relay WAN.]

Up to 40 percent of typical enterprise employees work in branch offices, away from the central sites providing mission-critical applications and services required for business operations. As these services are extended to branch office employees, requirements increase for bandwidth, security, and high availability.

IPsec VPNs can provide a cost-effective replacement for a private WAN infrastructure. Often the cost of a relatively high-bandwidth IP connection, such as an ISP connection, IP VPN provider, or broadband DSL/cable access, is lower than existing or upgraded WAN circuits. Organizations can use IPsec VPNs to connect remote branches, offices, teleworkers, and mobile users to the corporate resources at the central site. Organizations also use IPsec VPNs to provide extranet connectivity for business-to-business applications.

The key components of a site-to-site VPN include:
Head-end VPN devices: serve as VPN head-end termination devices at a central campus
VPN access devices: serve as VPN branch-end termination devices at branch office locations
IPsec and GRE tunnels: interconnect the head-end and branch-end devices in the VPN
Internet services from ISPs: serve as the WAN interconnection medium
WAN Backup Using Site-to-Site IPsec VPNs

Another common business application using IPsec VPNs is backing up an existing WAN.

[Slide: Example: WAN Backup Using Site-to-Site IPsec VPNs. The central site reaches intranet branch and remote offices and an extranet business-to-business partner across the Frame Relay WAN, with VPN connections over the Internet, PSTN/ISDN, and broadband as the backup path.]

When a primary network connection malfunctions, the remote branch office can rely on Internet VPN connectivity while waiting for the primary connection to be restored. IPsec VPNs over a high-speed ISP connection or broadband cable/DSL access can provide a very cost-effective secondary WAN connection for branch offices. Many customers continue to route their most critical traffic across their private WAN circuits, and route higher-bandwidth, less critical traffic across IPsec VPNs as a secondary connection path. If their primary WAN circuit fails, the IPsec VPN can also function as an established backup path.
Regulatory Encryption Using Site-to-Site IPsec VPNs

Another common business application using IPsec VPNs is mandatory or regulatory encryption.

[Slide: Example: Regulatory Encryption Using Site-to-Site IPsec VPNs. VPN devices at intranet branch and remote offices and at an extranet business-to-business partner (financial data) encrypt traffic across Frame Relay or MPLS VPNs.]

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (S-Ox), and the Basel II Agreement recommend or mandate the need for companies to implement all reasonable safeguards to protect personal, customer, and corporate information. IPsec VPNs inherently provide a high degree of data privacy through the establishment of trust points between communicating devices, and data encryption with the Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES).

Site-to-site VPNs support regulatory constraints and business policies. As network security risks increase and regulatory compliance becomes essential, organizations are using IPsec VPNs to encrypt and protect data such as medical records, corporate or personal financial data, and sensitive information such as legal, police, and academic records, whether using a private WAN, IP VPN, or the Internet for connectivity.
Site-to-Site VPN Design Considerations

This topic identifies some design considerations for site-to-site IPsec VPNs.

IP Addressing and Routing

An IPsec VPN is an overlay on an existing IP network.

IP addressing:
- The VPN device needs a routable outside IP address.
- Private IP address space can be used inside the VPN.
- VPN addressing designs need to allow summarization.
- NAT may be needed within an organization.
- The VPN is typically implemented in tunnel mode.

Routing:
- Large-scale networks require dynamic routing.
- IPsec does not inherently support transport of broadcast or IP multicast packets.

The VPN termination devices need routable IP addresses for the outside Internet connection. Private IP addresses can be used on the inside of the VPN. Just as good IP network design supports summarization, the VPN address space needs to be designed to allow for network summarization as well. Network Address Translation (NAT) may be needed to support overlapping address space between sites in an organization.

Most IPsec VPNs forward data across the network using IPsec tunnel mode, which encapsulates and protects an entire IP packet. Because tunnel mode encapsulates (and therefore hides) the IP header of the original packet, a new IP header is added so that the packet can be forwarded.

Many larger enterprise WANs need dynamic routing protocols such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) to provide routing and maintain link state and path resiliency. Interior Gateway Protocols (IGPs) use either broadcast or IP multicast to transmit routing information. However, basic IPsec designs (crypto maps selecting unicast traffic) cannot transport IGP dynamic routing protocols or IP multicast traffic. When support for one or more of these features is required, IPsec should be used in conjunction with other technologies such as Generic Routing Encapsulation (GRE).
Scaling, Sizing, and Performance

This section describes the critical factors that affect the scalability of an IPsec VPN design.

Head-end VPN device scaling and sizing considerations:
- Total number of remote sites
- VPN traffic throughput
- Features, including routing protocols, GRE, firewall, and QoS

VPN device performance considerations:
- A head-end device should run at less than 50% CPU utilization.
- Branch devices should run at less than 65% CPU utilization.

Scaling large aggregations while maintaining performance and high availability is challenging and requires careful planning and design. Many factors affect the scalability of an IPsec VPN design, including the number of remote sites, access connection speeds, routing peer limits, IPsec encryption engine throughput, features to be supported, and the applications that will be transported over the IPsec VPN.

The number of remote sites is a primary factor in determining the scalability of a design; it affects the routing plan, the high availability design, and ultimately the overall throughput that must be aggregated by the VPN head-end routers. Different routers support different numbers of tunnels.

IPsec VPN throughput depends on several factors, including connection speeds, the capacity of the crypto engine, and the CPU limits of the router. The IPsec crypto engine in a Cisco IOS router is a single engine that must process traffic in both directions: outbound packets are encrypted by the crypto engine, and inbound packets are decrypted by the same device. For each interface whose packets are encrypted, it is therefore necessary to consider the bidirectional speed of the interface. For example, a T1 connection speed is 1.544 Mbps, but the IPsec throughput required is 3.088 Mbps (1.544 Mbps in each direction).

Cisco has some recommended practices for VPN device performance limits:
- Redundant head-end devices should be deployed in a configuration that results in CPU utilization of less than 50%. The 50% target includes all overhead incurred by IPsec and by any other enabled features such as firewall, routing, IDS, and logging. This limit leaves the head-end device enough headroom to take over the tunnels of the other head-end device on failover.
- Because branch devices need to support fewer additional tunnels in a failover event, branch devices can be deployed in a configuration with less than 65% CPU utilization.
Cisco Router Performance with IPsec VPNs

This section discusses some IPsec VPN performance numbers for Cisco routers.

Cisco VPN security router                          Max tunnels   AES throughput
Cisco (model not identified)                       n/a           8 Mbps
Cisco (model not identified)                       n/a           30 Mbps
Cisco 1841 with AIM-VPN/BPII                       800           95 Mbps
Cisco 2801 with AIM-VPN/BPII                       1,500         100 Mbps
Cisco 2811 with AIM-VPN/EPII                       1,500         130 Mbps
Cisco 2821 with AIM-VPN/EPII                       1,500         140 Mbps
Cisco 2851 with AIM-VPN/EPII                       1,500         145 Mbps
Cisco 3825 with AIM-VPN/EPII                       2,000         175 Mbps
Cisco 3845 with AIM-VPN/EPII                       2,500         185 Mbps
Cisco 7200VXR with a single SA-VAM2+               5,000+        260 Mbps
Cisco 7301 with SA-VAM2+                           5,000+        370 Mbps
Cisco Catalyst 6500/7600 with one IPsec VPN SPA    8,000+        2.5 Gbps

Because IPsec VPN connections do not normally have a bandwidth associated with them, the overall physical interface connection speeds of both the head-end and branch routers largely determine the maximum speeds at which the IPsec VPN must operate. The table shows best-case scenarios: minimal features, IPsec VPNs in a lab, 1400-byte packets. However, for the connection speeds being terminated or aggregated, the packets-per-second (pps) rate matters more than throughput bandwidth (bps). In general, routers and crypto engines have an upper bound on the number of pps they can process. The packet size used for testing and throughput evaluations can therefore understate or overstate true performance. For example, if a device can support 20 Kpps, then 100-byte packets yield 16 Mbps of throughput, while 1400-byte packets at the same packet rate yield 224 Mbps. Because of such a wide variance in throughput, pps is generally a better parameter than bps for scalability.

Each time a crypto engine encrypts or decrypts a packet, it performs mathematical computations on the IP packet payload using the crypto key agreed upon by the sender and receiver for that trust point (peer). If more than one IPsec tunnel is terminated on a router, the router has multiple trust points and therefore multiple crypto keys. When a packet is sent or received on a different tunnel than the previous packet, the crypto engine must swap keys to use the key matching that trust point. This key swapping can degrade the performance of a crypto engine, depending on its architecture, and increase router CPU utilization. For some Cisco platforms, such as the 7200VXR with SA-VAM2+, throughput of the IPsec crypto engine decreases as the number of tunnels increases. For other Cisco platforms, such as the 7600 with VPN SPA, performance is relatively linear, with roughly the same throughput for a single tunnel as for 1000 tunnels or more.
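The sizing rules above (bidirectional crypto load per interface, pps rather than bps, the 50% head-end and 65% branch CPU targets, and the 20 Kpps comparison) are easy to get wrong when aggregating many branches. The following Python helper is an added example, not part of the Cisco course material: it computes the aggregate load a head-end sees from a set of branch links and how many identical branches fit under the CPU guidance. The T1 rate is standard; the broadband tiers and all per-platform figures (max_pps, cpu_per_kpps, feature_cpu) are constructed assumptions standing in for lab measurements of a real platform.

```python
"""IPsec VPN head-end sizing helper.

Added example; it is not part of the Cisco course material. It applies the
sizing rules from the text: count crypto throughput bidirectionally per
interface, size by packets per second (pps) rather than bits per second,
and keep head-ends under 50% CPU (branches under 65%) so that a surviving
head-end can absorb a failed peer's tunnels. The per-platform figures
(max_pps, cpu_per_kpps, feature_cpu) are assumed lab measurements, not
Cisco numbers.
"""
from dataclasses import dataclass

# Interface rates in bit/s. T1 is 1.544 Mbps; the broadband tiers are assumed.
LINK_RATES_BPS = {
    "T1": 1_544_000,
    "DSL-3M": 3_000_000,
    "Cable-10M": 10_000_000,
}


@dataclass(frozen=True)
class Site:
    name: str
    link: str              # key into LINK_RATES_BPS
    avg_packet_bytes: int  # 1400 matches the lab tests in the text; ~100 models VoIP


@dataclass(frozen=True)
class HeadEnd:
    name: str
    max_pps: float        # crypto engine packet-rate ceiling
    cpu_per_kpps: float   # percent CPU per 1,000 pps of crypto traffic (assumed)
    feature_cpu: float    # fixed percent CPU for routing, firewall, IDS, logging


def crypto_bps_required(site: Site) -> int:
    """The same engine encrypts outbound and decrypts inbound packets, so it
    must handle twice the interface rate."""
    return 2 * LINK_RATES_BPS[site.link]


def bps_from_pps(pps: float, packet_bytes: int) -> float:
    return pps * packet_bytes * 8


def pps_from_bps(bps: float, packet_bytes: int) -> float:
    return bps / (packet_bytes * 8)


def site_pps(site: Site) -> float:
    return pps_from_bps(crypto_bps_required(site), site.avg_packet_bytes)


def cpu_estimate(head_end: HeadEnd, total_pps: float) -> float:
    return head_end.feature_cpu + head_end.cpu_per_kpps * total_pps / 1000


def check_head_end(head_end: HeadEnd, sites, cpu_limit: float = 50.0) -> dict:
    """Load on one head-end when every site drives its link at full rate."""
    total_pps = sum(site_pps(s) for s in sites)
    total_bps = sum(crypto_bps_required(s) for s in sites)
    cpu = cpu_estimate(head_end, total_pps)
    return {
        "bps": total_bps,
        "pps": total_pps,
        "cpu": cpu,
        "within_pps": total_pps <= head_end.max_pps,
        "within_cpu": cpu < cpu_limit,
    }


def max_identical_sites(head_end: HeadEnd, template: Site,
                        cpu_limit: float = 50.0, hard_cap: int = 10_000) -> int:
    """Largest number of sites like `template` that keeps the head-end inside
    both its pps ceiling and the CPU guidance."""
    n = 0
    while n < hard_cap:
        result = check_head_end(head_end, [template] * (n + 1), cpu_limit)
        if not (result["within_pps"] and result["within_cpu"]):
            break
        n += 1
    return n


if __name__ == "__main__":
    # The 20 Kpps comparison from the text.
    print(bps_from_pps(20_000, 100) / 1e6, "Mbps at 100-byte packets")
    print(bps_from_pps(20_000, 1400) / 1e6, "Mbps at 1400-byte packets")
    # Constructed head-end and branch profile.
    hub = HeadEnd("hub-1", max_pps=100_000, cpu_per_kpps=1.0, feature_cpu=10.0)
    voip_branch = Site("branch", "T1", avg_packet_bytes=100)
    print("T1 VoIP branches one hub carries below 50% CPU:",
          max_identical_sites(hub, voip_branch))
```

Note how a VoIP-heavy branch (small packets) consumes far more of the head-end's pps budget than its 1.544 Mbps link suggests, which is the point the text makes about pps versus bps; the same branch modelled at 1400-byte packets would fit many more times over.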
Cisco Router Security Performance

This section discusses some security performance numbers for Cisco routers.

Model        Firewall*    IPsec VPN    IPS**       Tunnels
Cisco 1841   125 Mbps     95 Mbps      60 Mbps     800
Cisco 2801   127 Mbps     100 Mbps     65 Mbps     1,500
Cisco 2811   130 Mbps     130 Mbps     70 Mbps     1,500
Cisco 2821   455 Mbps     140 Mbps     200 Mbps    1,500
Cisco 2851   530 Mbps     145 Mbps     250 Mbps    1,500
Cisco 3825   855 Mbps     175 Mbps     325 Mbps    2,000
Cisco 3845   1.1 Gbps     185 Mbps     425 Mbps    2,500

Scalable performance across the range: up to 1.1 Gbps firewall, up to 185 Mbps IPsec, up to 425 Mbps IPS, and up to 2,500 tunnels.
* Firewall performance is with NAT and logging enabled.
** Branch scenario when tested with optimal traffic conditions.

The Cisco Integrated Services Routers (ISRs) are built with fast processors and crypto hardware to support high-performance security features. The Cisco IOS Advanced Security feature set combines a rich VPN feature set with advanced firewall, intrusion prevention, and extensive Cisco IOS Software capabilities, including QoS, multiprotocol, multicast, and advanced routing support. The table shows best-case performance measures for individual security features, measured one at a time; running firewall, IPS, and VPN together on the same router shares one CPU and crypto engine, so the combined figures are lower. The VPN throughput numbers are with 1400-byte packets and AIM acceleration cards installed.

Note: The performance numbers in a production environment may be different.
Cisco ASA 5500 Series Performance

This section discusses some security performance numbers for the Cisco ASA 5500 Series Adaptive Security Appliances.

Model            SSL/IPsec scalability                                                        Max VPN throughput
Cisco ASA 5505   25 simultaneous VPN sessions                                                 100 Mbps
Cisco ASA 5510   250 simultaneous VPN sessions                                                170 Mbps
Cisco ASA 5520   750 simultaneous VPN sessions                                                225 Mbps
Cisco ASA 5540   2,500 simultaneous SSL VPN sessions; 5,000 simultaneous IPsec VPN sessions   325 Mbps
Cisco ASA 5550   5,000 simultaneous VPN sessions                                              425 Mbps

Cisco ASA 5500 Series all-in-one adaptive security appliances deliver enterprise-class security and VPN to small and medium-sized businesses and large enterprise networks in a modular, purpose-built appliance. The Cisco ASA 5500 Series incorporates a wide range of integrated security services, including firewall, intrusion prevention system (IPS), and Anti-X services, with SSL and IPsec VPN services in an easy-to-deploy, high-performance solution. The Cisco ASA 5500 Series is Cisco's most feature-rich solution for SSL- and IPsec-based remote access, and it supports robust site-to-site connectivity. The series provides higher scalability and greater throughput than the widely deployed Cisco VPN 3000 Series Concentrators. The table shows best-case performance measures for the Cisco ASA 5500 Series.

Note: The performance numbers in a production environment may be different.
Typical VPN Device Deployments

This section shows where Cisco VPN devices are typically deployed.

Deployment locations, from smallest to largest: teleworkers, SOHO, small business, small branch, medium branch, enterprise branch, enterprise edge, enterprise headquarters, data center.

Devices, ordered from the smallest deployment to the largest:
- Cisco 850/870 (teleworkers)
- Cisco ASA 5505
- Cisco 1800
- Cisco ASA 5510
- Cisco 2800
- Cisco ASA 5520
- Cisco 3800
- Cisco ASA 5540 and 5550
- Cisco 7200 and 7301
- Cisco Catalyst 6500
- Cisco 7600
- Cisco ASA 5550

The Cisco ASA 5500 Series supports both IPsec VPNs and SSL-based remote-access VPN services on a single integrated platform. The Cisco Integrated Services Routers and Cisco Catalyst switches support site-to-site IPsec VPNs of any topology, from hub-and-spoke to the more complex fully meshed VPNs, on networks of all sizes, integrating security services with extensive Cisco IOS Software capabilities including QoS, multiprotocol, multicast, and advanced routing support.
Design Topologies

This section gives a high-level overview of several IPsec VPN design topologies that can be deployed.

- Peer-to-peer
- Hub and spoke: the most common topology; carries a performance penalty of two encryption/decryption cycles for spoke-to-spoke traffic.
- Partial mesh: adds some direct spoke-to-spoke communication to a hub-and-spoke topology.
- Full mesh: provides direct spoke-to-spoke communication across the topology; has issues with scaling and provisioning.

A peer-to-peer IPsec VPN provides connectivity between two sites through a tunnel that secures traffic. Typically, remote peers are connected to the central site over a shared infrastructure in a hub-and-spoke topology, with tunnels from the multiple spokes to the head-end hub. The hub-and-spoke topology scales well. However, there is a performance penalty for spoke-to-spoke traffic: it is decrypted and re-encrypted at the hub (two encryption/decryption cycles) and takes the longer path through the hub.

A meshed topology may be the appropriate design when there are multiple locations with a large amount of traffic flowing between them. To eliminate the performance penalty for spoke-to-spoke traffic, a partial mesh topology can be used. The partial mesh topology is similar to a hub-and-spoke topology but supports some direct spoke-to-spoke connectivity. The full mesh topology provides direct connectivity between all locations. It has scaling issues because the number of IPsec tunnels grows quadratically with the number of sites (n sites need n(n-1)/2 tunnels, so 50 sites need 1,225 tunnels, and each site must terminate n-1 of them). This topology is also more difficult to provision.

Note: Design topologies are discussed in more detail in the VPN Implementation Technologies lesson in this chapter.
VPN Device Placement Designs

This section discusses designs for placing the VPN device in the network.

VPN Device Parallel to Firewall

The VPN device can be placed parallel to a firewall in the network.

[Figure: VPN Device Placement: Parallel to Firewall. The VPN device and the firewall sit side by side between the WAN edge and the campus; the firewall also hosts a DMZ.]

Advantages:
- Simplified implementation, since firewall addressing does not need to change.
- High scalability, since multiple VPN devices can be deployed in parallel with the firewall.

Disadvantages:
- IPsec-decrypted traffic is not inspected by the firewall. This is a major concern: traffic from remote sites reaches the campus without stateful inspection, so a compromised branch has unfiltered access unless the VPN device enforces its own policy.
- There is no centralized point of logging or content inspection.
VPN Device on a DMZ of the Firewall

The VPN device can be placed on a DMZ of the firewall.

[Figure: VPN Device Placement: In DMZ of Firewall. The VPN device hangs off a dedicated DMZ interface of the firewall, which sits between the WAN edge and the campus.]

Advantages:
- The firewall can statefully inspect the decrypted VPN traffic. The design supports the layered security model and enforces firewall security policies.
- The design supports moderate-to-high scalability by adding VPN devices.
- Migration to this design is relatively straightforward: a LAN interface is added to the firewall.

Disadvantages:
- Configuration complexity increases because of the additional firewall configuration needed for the additional interfaces. The firewall must support policy routing to differentiate VPN from non-VPN traffic.
- The firewall may impose bandwidth restrictions on stacks of VPN devices, since both the encrypted and the decrypted copies of the VPN traffic pass through it.
Integrated VPN and Firewall

Another option is an integrated VPN and firewall device.

[Figure: VPN Device Placement: Integrated with Firewall or IPS. A single device between the WAN edge and the campus terminates the VPN, provides the firewall, and hosts the DMZ.]

Advantages:
- The firewall can statefully inspect the decrypted VPN traffic. The design supports the layered security model and enforces firewall security policies.
- The design may be easier to manage, with the same or fewer devices to support.

Disadvantages:
- Scalability can be an issue, as a single device must scale to meet the performance requirements of multiple features; the ISR and ASA figures earlier in this lesson are per-feature best cases, and firewall, IPS, and VPN share one CPU and crypto engine when combined.
- Configuration complexity increases because all the configuration is applied to one device.
Summary

This topic summarizes the key points discussed in this lesson.

- Site-to-site VPN applications include WAN replacement, WAN backup, and supporting regulatory mandates.
- Site-to-site VPN design considerations include addressing and routing practices to support integration with existing networks, sizing for scaling and performance, and using design topologies and placement of VPN devices to support the required layers of security.
Lesson 3: IPsec VPN Technologies

Overview

There are several types of IPsec VPNs that are used to permit secure, encrypted communication between network devices. This lesson reviews some industry-standard and Cisco technologies used to support IPsec VPNs.

Objectives

Upon completing this lesson, you will be able to discuss the technologies used to support IPsec VPNs. This ability includes being able to meet these objectives:
- Review standard IPsec VPN deployments
- Discuss Easy VPN
- Describe Generic Routing Encapsulation (GRE) tunneling over IPsec VPN design considerations
- Describe Dynamic Multipoint VPN (DMVPN) design considerations
- Discuss Virtual Tunnel Interface (VTI) design considerations
- Describe Group Encrypted Transport VPN (GET VPN) design considerations
IPsec VPN Overview

IPsec provides data encryption at the IP packet level, offering a robust, standards-based security solution.

IPsec VPN features:
- Provides a point-to-point tunnel between two peers
- Provides data encryption at the IP packet level
- Requires several configuration parameters
- Supports only unicast traffic

IPsec provides secure point-to-point tunnels between two peers, such as two routers. These tunnels are actually sets of security associations (SAs) established between two IPsec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol, either Authentication Header (AH) or Encapsulating Security Payload (ESP), so a bidirectional tunnel consists of at least two SAs.

With IPsec, the network manager defines which traffic should be protected between two IPsec peers by configuring ACLs and applying these ACLs to interfaces by way of crypto maps. The ACLs used for IPsec (crypto ACLs) determine only which traffic should be protected by IPsec, not which traffic should be blocked or permitted through the interface. Separate ACLs define blocking and permitting at the interface.

IPsec can apply one combination of protection (for example, authentication only) to certain traffic and a different combination (for example, both authentication and encryption) to other traffic by using two different crypto ACLs to define the two types of traffic. These ACLs are then used in different crypto map entries, which specify different IPsec policies.

Standard IPsec VPNs support only unicast traffic, which is an issue for deploying them within an enterprise.
Extensions to Standard IPsec VPNs

There are several site-to-site VPN solutions that extend the capabilities of basic IPsec VPNs:
- Easy VPN
- GRE tunneling
- Dynamic Multipoint VPN (DMVPN)
- Virtual tunnel interfaces (VTI)
- Group Encrypted Transport VPN (GET VPN)

Cisco provides several site-to-site VPN solutions that support routing to deliver reliable transport for complex mission-critical traffic, such as voice and client-server applications. These solutions are built on the five underlying VPN technologies listed above. Each technology is customized to meet specific deployment requirements.

Note: This lesson compares these technologies and provides guidance on when to use them.
Cisco Easy VPN

The Cisco Easy VPN solution provides simple VPN deployments for remote offices and teleworkers.

[Figure: Easy VPN Implementation. An Easy VPN Server at the central site; Easy VPN Remote devices at Branch Office 1 and Branch Office 2 connect over the Internet, and an Easy VPN Remote teleworker connects through a POP over DSL or cable.]

- Predefined security policies are pushed to remote sites.
- Configuration parameters pushed to remote sites: internal IP addresses, internal subnet masks, DHCP server addresses, split-tunneling flags.

Ease of deployment is critical when technical resources are not available for VPN configuration at remote offices and for teleworkers. The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices and reduces the management complexity of VPN deployments. The Cisco Easy VPN Remote feature and the Cisco Easy VPN Server feature offer flexibility, scalability, and ease of use for site-to-site and remote-access VPNs.

The Cisco Easy VPN Remote feature allows Cisco routers running Cisco IOS Release 12.2(4)YA or later, Cisco PIX firewalls, and Cisco hardware clients to act as remote VPN clients. These devices receive predefined security policies and configuration parameters from the VPN head-end at the central site, which minimizes the VPN configuration required at the remote location. Parameters such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags are all pushed to the remote device. Because the split-tunneling flag decides whether the remote site's Internet traffic bypasses the central site's inspection, it should be set deliberately as a policy decision rather than left at whatever the template provides.

The Cisco Easy VPN Server feature, available in Cisco IOS Release 12.2(8)T or later, increases the compatibility of Cisco VPN products and allows Cisco VPN concentrators, Cisco PIX firewalls, or Cisco routers to act as VPN head-end devices in site-to-site or remote-access VPNs. Using this feature, security policies defined at the head-end can be pushed to the remote office devices running the Cisco Easy VPN Remote feature.
Overview of Easy VPN Server Wizard on SDM

The Security Device Manager (SDM) Easy VPN Server Wizard can configure the Easy VPN server on Cisco routers.

With the Easy VPN Server Wizard you:
- Select the interface on which the client connections will terminate
- Configure IKE policies
- Configure the group policy lookup method
- Configure user authentication
- Configure group policies on the local database
- Configure an IPsec transform set

The Cisco Easy VPN solution is ideal for remote offices with little IT support or for large customer deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration as easy as entering a password, which minimizes local IT support, increases productivity, and lowers costs.

The figure shows the starting SDM screen for the Easy VPN Server Wizard. The wizard guides network administrators through the tasks needed to configure an Easy VPN server on a router:
- Selecting the interface on which the client connections will terminate
- Configuring Internet Key Exchange (IKE) policies
- Configuring the group policy lookup method
- Configuring user authentication
- Configuring group policies on the local database, if needed
- Configuring an IP Security (IPsec) transform set

Note: SDM supports VPNs with basic IPsec tunnels, Generic Routing Encapsulation (GRE) over IPsec tunnels, and Dynamic Multipoint VPN (DMVPN).
Overview of Easy VPN Remote Wizard on SDM

The SDM Easy VPN Remote Wizard can configure the Easy VPN remote devices.

[Figure: Easy VPN Remote Wizard on SDM.]

The SDM Easy VPN Remote Wizard configures a remote router that will connect to the Easy VPN Server router. To launch the wizard in SDM, click VPN in the Configuration Tasks button list on the left, then select Easy VPN Remote in the tree hierarchy on the left. With the Create An Easy VPN Remote option selected, click the Launch The Selected Task button.

Note: The Cisco Adaptive Security Device Manager (ASDM) can be used to configure Easy VPN server or remote operation on the Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco PIX 500 Series Security Appliances (running Cisco PIX Security Appliance Software Version 7.0 or later), and the Cisco Catalyst 6500 Series Firewall Services Modules (FWSM version 3.1 or later).
GRE over IPsec

This topic discusses Generic Routing Encapsulation (GRE) tunneling over IPsec.

[Figure: Tunnels and IPsec. An original packet (IP HDR | Data) is first GRE-encapsulated (IP HDR | GRE HDR | IP HDR | Data) and then IPsec tunnel-mode encapsulated (IP HDR | ESP HDR | IP HDR | GRE HDR | IP HDR | Data, with everything after the ESP header encrypted). The receiver decapsulates twice.]

- Tunnel mode is recommended over transport mode IPsec: tunnel mode is faster with hardware acceleration, tunnels that transit a NAT or PAT device require it, and some newer features also require tunnel mode.
- Basic IPsec tunnels carry only IP unicast traffic.
- GRE tunnels encapsulate non-IP and IP multicast or broadcast packets into IP unicast packets.
- The hub uses a GRE interface per spoke.

Tunnel mode IPsec works by encapsulating and protecting an entire IP packet. Transport mode IPsec works by inserting the Encapsulating Security Payload (ESP) header between the IP header and the next protocol or transport-layer header of the packet. Tunnel mode IPsec is recommended over transport mode for forwarding traffic across a network because:
- Tunnel mode is faster with hardware acceleration.
- If the crypto tunnel transits a Network Address Translation (NAT) or Port Address Translation (PAT) device, tunnel mode is required.
- Some newer features, such as Look-Ahead Fragmentation, also require tunnel mode.

Basic IPsec designs cannot transport IGP dynamic routing protocols or IP multicast traffic because IPsec ESP tunnels only unicast IP traffic. To support the routing or IP multicast requirements of most enterprises, IPsec should be used in conjunction with other technologies such as GRE. GRE tunneling encapsulates non-IP and IP multicast or broadcast packets into IP unicast packets, and these GRE packets can then be encrypted by the IPsec tunnel. At the remote end of the IPsec tunnel, both the IPsec encapsulation and the GRE encapsulation are removed to recover the original packet. With point-to-point GRE over IPsec designs, the hub router uses a single GRE interface for each spoke.
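The double encapsulation in the figure above adds a fixed GRE cost plus a variable ESP cost (IV, block padding, trailer, ICV), which is what decides whether a packet still fits the physical link MTU. The following Python model is an added example, not part of the course: it computes the size of a packet after GRE and ESP tunnel-mode encapsulation and the largest original packet that avoids fragmentation on a given link. ESP field sizes follow RFC 4303 and the GRE header RFC 2784; the two cipher suites and the 12-byte HMAC-SHA1-96 ICV are assumptions chosen to match the 3DES/AES options discussed earlier.

```python
"""Packet size after GRE over IPsec (ESP tunnel mode) encapsulation.

Added example; not from the course. It models the header stack shown in the
figure (outer IP | ESP | GRE delivery IP | GRE | original IP | data) so the
effect on MTU is visible: why the 1400-byte packets used in the lab tests
still fit a 1500-byte link and how large an original packet can be before
the encapsulated packet must be fragmented. ESP field sizes follow RFC 4303
and GRE RFC 2784; the cipher and integrity choices are assumptions.
"""
from dataclasses import dataclass

IP_HDR = 20      # IPv4 header without options
GRE_HDR = 4      # GRE header without checksum, key or sequence options
ESP_SPI_SEQ = 8  # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # IV bytes carried in the ESP payload
    block_len: int  # cipher block size, which sets padding alignment
    icv_len: int    # integrity check value (HMAC-SHA1-96 is 12 bytes)


SUITES = {
    "3des-sha1": EspSuite("3des-sha1", iv_len=8, block_len=8, icv_len=12),
    "aes128-sha1": EspSuite("aes128-sha1", iv_len=16, block_len=16, icv_len=12),
}


def esp_padding(plaintext_len: int, block_len: int) -> int:
    """RFC 4303: plaintext + padding + pad-length + next-header must be a
    multiple of the cipher block size (and at least 4-byte aligned)."""
    align = max(block_len, 4)
    return (-(plaintext_len + ESP_TRAILER)) % align


def gre_encapsulate(ip_packet_len: int) -> int:
    """A new delivery IP header and a GRE header go in front of the packet.
    GRE is what lets IGP multicast and non-IP traffic ride the tunnel."""
    return IP_HDR + GRE_HDR + ip_packet_len


def esp_tunnel_encapsulate(ip_packet_len: int, suite: EspSuite) -> int:
    """Tunnel mode: the entire GRE packet, including its IP header, is the
    ESP plaintext; a fresh outer IP header is added."""
    pad = esp_padding(ip_packet_len, suite.block_len)
    encrypted = ip_packet_len + pad + ESP_TRAILER
    return IP_HDR + ESP_SPI_SEQ + suite.iv_len + encrypted + suite.icv_len


def gre_over_ipsec_len(original_len: int, suite_name: str) -> int:
    return esp_tunnel_encapsulate(gre_encapsulate(original_len), SUITES[suite_name])


def overhead(original_len: int, suite_name: str) -> int:
    return gre_over_ipsec_len(original_len, suite_name) - original_len


def max_original_len(link_mtu: int, suite_name: str) -> int:
    """Largest original packet whose doubly encapsulated form still fits the
    link MTU, that is, the safe 'ip mtu' for the tunnel interface."""
    n = link_mtu
    while n > 0 and gre_over_ipsec_len(n, suite_name) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for suite in SUITES:
        print(suite, "1400-byte packet becomes", gre_over_ipsec_len(1400, suite),
              "bytes; largest packet fitting a 1500-byte link:",
              max_original_len(1500, suite))
```

With AES-128 the 1400-byte lab packet grows to 1496 bytes, leaving only 4 bytes of headroom on a 1500-byte link, which is why setting the tunnel interface MTU to 1400 (with a matching TCP MSS adjustment) is the usual practice on these designs. NAT-T adds a further 8-byte UDP header that this model does not include.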
GRE over IPsec Design Recommendations

This section discusses design recommendations for point-to-point GRE over IPsec VPNs.

[Figure: two head-end routers (h1, h2) at the central site and two spokes (s1, s2) connected across the Internet, each spoke with a tunnel to each head-end.]

- On failure recovery, the load should be dynamically rebalanced at the head-end devices.
- In general, the head-end routing protocol can safely scale up to 500 peers.
- EIGRP is recommended, since it is less CPU intensive than OSPF.
- GRE keepalives can be used for failure detection with static routing on point-to-point tunnels.

A routing protocol can dynamically rebalance traffic across redundant head-end routers on failover recovery. Although IPsec can typically scale to thousands of tunnels on some platforms, a routed point-to-point GRE over IPsec design is generally limited by the routing protocol being used and the number of routing peers exchanging routing information. In general, the head-end routing protocol can safely scale to about 500 peers:
- 500 peers for the Cisco 7200VXR with NPE-G1
- 600 peers for the Cisco 7200VXR with NPE-G2
- a higher limit for the Cisco 7600 (or Catalyst 6500) with Sup720 (the figure is not legible in this transcription)

Enhanced Interior Gateway Routing Protocol (EIGRP) is recommended as the routing protocol because of its conservative use of router CPU and network bandwidth and its quick convergence times. EIGRP also provides a range of options for address summarization and default route propagation.

GRE keepalives can be used for failure detection with static routing on point-to-point tunnels. Beginning in Cisco IOS Software Release 12.2(8)T, the GRE keepalive feature is available on tunnel interfaces. It allows the line protocol of the tunnel interface to track reachability between the two tunnel endpoints. If GRE keepalives are sent and acknowledged by the remote router, the line protocol is up. If successive GRE keepalives are not acknowledged, based on the configured interval and number of retries, the tunnel line protocol is marked down, and any static route pointing at the tunnel is withdrawn so traffic can fall over to the other head-end.
GRE over IPsec Design Recommendations (cont.)

[Figure: the same hub-and-spoke network, head-ends h1 and h2 and spokes s1 and s2 across the Internet.]

Designs should avoid asymmetric routing with redundant head-end routers:
- Change the bandwidth value on both GRE interfaces.
- Watch for unrealistic bandwidth settings.
- Consider using the delay command under the GRE tunnel interface.

Hub-and-spoke is the most common point-to-point GRE over IPsec topology:
- Partial mesh is limited by the routing protocol and by static IP addressing.
- Full mesh is limited by the routing protocol, static IP addressing, and administrative overhead.

The figure shows a simple hub-and-spoke network with multiple head-end devices for redundancy. Point-to-point GRE and crypto tunnels coexist on the same router CPU on the head-end devices. The head-ends service multiple point-to-point GRE over IPsec tunnels for a prescribed number of branch office locations. In addition to terminating the VPN tunnels at the central site, the head-ends can advertise branch routes using IP routing protocols such as EIGRP and Open Shortest Path First (OSPF).

To avoid asymmetric routing when a routing protocol runs over the tunnels, one of the GRE tunnels between the head-end routers and each remote site must be favored, and the routing metric must be consistent both upstream and downstream; otherwise a spoke may send through one head-end while return traffic arrives through the other, which breaks stateful inspection on the path. There are options for giving the paths slightly different metrics to create a preference between the tunnels:
- Change the bandwidth value for the GRE interface on both ends to create primary and secondary tunnels.
- Watch for unrealistic bandwidth settings, which can affect the flow control of EIGRP (EIGRP limits itself to a percentage of the configured interface bandwidth).
- Use the delay command under the GRE tunnel interface.

Hub-and-spoke topologies are the most common topologies in a point-to-point GRE over IPsec design. Although partial mesh topologies are possible, they are limited by both the routing protocol and the availability of static public IP addresses for the spokes. Full mesh topologies in a point-to-point GRE over IPsec design are possible as well and have the same limitations as partial mesh topologies. Given the administrative overhead involved, a full mesh topology is not recommended in a point-to-point GRE over IPsec design.
DMVPN

This topic discusses Dynamic Multipoint Virtual Private Networks (DMVPNs).

Drivers for DMVPN

There are some issues with meshed VPNs:
- All spoke-to-spoke traffic goes through the hub.
- Configuration is complex.
- A single GRE interface is needed for each spoke.
- All tunnels need to be predefined.
- The number of IPsec SAs grows quadratically with the number of sites.
- Dynamic peer discovery and on-demand tunnel creation are needed.

Statically configured mesh designs simply do not scale well beyond about 10 sites. With a traditional hub-and-spoke topology, all spoke-to-spoke traffic goes through the hub. As more nodes are added to a mesh topology, the configuration task becomes more complex, and the number of IPsec security associations (SAs) grows quadratically as the number of spoke sites increases (n(n-1)/2 tunnels, each with its own pair of SAs). In these cases, dynamic peer discovery and on-demand tunnel creation mechanisms are required. When more than 20% of the traffic is spoke-to-spoke, or a full mesh VPN topology is required, a DMVPN solution should be considered.
DMVPN Overview

DMVPN is a technology that supports IPsec VPNs with simplified configuration through crypto profiles and dynamic discovery of tunnel endpoints.

DMVPN Overview
- Creates the spoke-to-spoke tunnels dynamically based on traffic requirements
- Uses IPsec, GRE, and NHRP
- Backbone supports direct spoke-to-spoke functionality
- Advantages:
  - Dynamic mesh with fewer active tunnels on each spoke
  - Configuration scales better
  - Easy to add a node
  - Spokes can have dynamic addresses or be behind NAT

DMVPN enables dynamic configuration and reduces the maintenance and configuration on the hubs. DMVPN is a combination of IPsec, GRE, and Next Hop Resolution Protocol (NHRP). DMVPN has a backbone hub-and-spoke topology, but allows direct spoke-to-spoke functionality using tunneling to enable the secure exchange of data between two branch offices without traversing the head office.

DMVPN has several advantages:
- With a dynamic mesh, the number of active tunnels is much lower on each spoke than with a full mesh design. Smaller routers can be used at the spokes.
- The configuration scales better because there is no need for a static definition of each spoke in the hub.
- It is easier to add a node to the topology, since there is no need to configure the new spoke on all the other nodes.
- The spokes can have dynamic addresses or be behind NAT.

Note: You can use SDM to configure a router as a DMVPN hub, or as a spoke router in a DMVPN network.
DMVPN Topology

[Figure: DMVPN topology with a Hub and SpokeA, SpokeB and SpokeC across the Internet. Each router has a physical (public) address and a Tunnel0 address and a /24 site network behind it; the spoke-to-hub tunnels are permanent IPsec + GRE tunnels, the spoke-to-spoke tunnels are dynamic IPsec + GRE tunnels]

Example: DMVPN Topology

The figure shows an example DMVPN topology. DMVPN does not alter the standards-based IPsec VPN tunnels, but it changes their configuration. The hub router maintains an NHRP database of public interface addresses for each spoke. The hub uses a single multipoint GRE (mGRE) tunnel interface to support multiple IPsec tunnels. The spokes have a permanent IPsec tunnel to the hub, but not to the other spokes. The spokes register as clients of the NHRP server. The spoke learns of all private networks on the other spokes and the hub through routing updates sent by the hub.

A spoke queries the NHRP database for the real address of a destination spoke when it needs to communicate with that destination. The spoke uses the real destination address to build a dynamic IPsec tunnel to the target spoke. The spoke-to-spoke tunnel is also built over an mGRE interface. After the spoke-to-spoke tunnel is built, the IP next hop for the remote spoke network is the spoke-to-spoke tunnel interface. After a programmable timeout period, the NHRP entries age out, triggering IPsec to tear down the dynamic spoke-to-spoke tunnel.

In the figure, SpokeA uses the real IP address of SpokeB to bring up a tunnel to SpokeB.
DMVPN Design Recommendations

This section describes the recommended design practices for a DMVPN topology with the hub-and-spoke deployment.

DMVPN Design Recommendations
- Use the tunnel protection mode
- Use IPsec in tunnel mode
- Use 3DES or AES
- Use digital certificates/PKI
- Use EIGRP with route summarization for dynamic routing
- Deploy hardware acceleration of IPsec to minimize router CPU overhead
- Use an NHRP network ID and password key to prevent unauthorized nodes from joining the VPN
- Use multiple NHRP servers on multiple hubs for backup

Cisco recommends several practices for DMVPN with the hub-and-spoke topology:
- Use the tunnel protection mode to associate a GRE tunnel with the IPsec profile on the same router. Tunnel protection specifies that IPsec encryption is performed after the GRE headers are added to the tunnel packet. Both ends of the tunnel need to be protected.
- Use IPsec in tunnel mode.
- Configure Triple DES (3DES) or Advanced Encryption Standard (AES) for encryption of transported data.
- Use digital certificates or Public Key Infrastructure (PKI) for scalable tunnel authentication. Typically the certificate authority is located on the private subnet of the hub.
- Configure EIGRP with route summarization for dynamic routing.
- Deploy hardware acceleration of IPsec to minimize router CPU overhead, to support traffic with low latency and jitter requirements, and for the highest performance for cost.
- Use an NHRP network ID and password key to prevent unauthorized nodes from joining the VPN. Provide each mGRE tunnel interface with a unique tunnel key, NHRP network ID, and IP subnet address. The mGRE tunnel key configured on the spokes must match the hub, and it is a recommended practice that the network ID match on both sides of the tunnel.
- Use multiple NHRP servers on multiple hubs for backup and redundancy.
VTI Overview

This section discusses IPsec virtual tunnel interfaces (VTIs).

[Figure: IPsec Virtual Tunnel Interface Overview, showing IPsec static virtual tunnel interfaces (a Tunnel interface on a /30 subnet) connecting two /24 site networks]

- Provides a routable interface type for terminating IPsec tunnels
- Supports QoS, multicast, and other routing functions that previously required GRE
- Simplifies VPN configuration by eliminating crypto maps, ACLs, and GRE
- More scalable alternative to GRE
- Offers both static and dynamic VTIs
- Allows VPN interoperability with other vendors
- Available in Cisco Easy VPN

Another mechanism for supporting VPNs is the IPsec VTI. IPsec VTIs provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. A VTI supports native IPsec tunneling, and allows interface commands to be applied directly to the IPsec tunnels. The IPsec tunnel endpoint is associated with a virtual interface. Because there is a routable interface at the tunnel endpoint, many common interface capabilities can be applied to the IPsec tunnel. The IPsec VTI supports QoS, multicast, and other routing functions that previously required GRE.

VTIs allow for the flexibility of sending and receiving both IP unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table. Dynamic or static IP routing can be used to route the traffic to the virtual interface.

VTI simplifies VPN configuration and design. Customers can use the Cisco IOS virtual template to clone new virtual access interfaces for IPsec on demand. Using IP routing to forward the traffic to the tunnel interface simplifies the IPsec VPN configuration compared to the more complex process of using access control lists (ACLs) with the crypto map in native IPsec configurations.
GRE or Layer 2 Tunneling Protocol tunnels are not needed for encapsulation. DVTIs function like any other real interface, so quality of service (QoS), firewall, and other security services can be applied as soon as the tunnel is active. In addition, existing management applications can now monitor separate interfaces for different sites.

The use of VTIs improves network scaling. IPsec VTIs use a single security association per site, which covers different types of traffic and enables improved scaling as compared to GRE. A major benefit associated with IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface.
Both static VTIs (SVTIs) and dynamic VTIs (DVTIs) are available. SVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-on access between two sites. The advantage of using SVTIs as opposed to crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for GRE headers, thus reducing the bandwidth needed for sending encrypted data.

DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels. Dynamic VTIs can be used for both the server and remote configuration.

Note: You can use SDM to configure Easy VPN Server and Easy VPN Remote with IPsec DVTI.

VTIs support interoperability with standards-based IPsec installations of other vendors. Cisco Easy VPN supports DVTI for both the Server and Remote configurations. The tunnels provide an on-demand separate virtual access interface for each Easy VPN connection. The Cisco Easy VPN with DVTI configuration provides a routable interface to selectively send traffic to different destinations, such as an Easy VPN concentrator, a different site-to-site peer, or the Internet.

IPsec DVTI configuration does not require a static mapping of IPsec sessions to a physical interface. This allows for the flexibility of sending and receiving encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted when it is forwarded from or to the tunnel interface.
GET VPN

This topic discusses Group Encrypted Transport VPNs (GET VPNs).

Group Encrypted Transport VPN
- Is a set of software features that secure unicast or multicast group IP traffic over a private WAN
- Combines the keying protocol Group Domain of Interpretation (GDOI) with IPsec encryption
- Enables the router to apply encryption to IP multicast and unicast packets not in a tunnel
- Is supported on Cisco IOS Release 12.4(11)T and on VPN acceleration modules

The Cisco IOS Software-based GET VPN is a set of software features that provides a tunnel-less technology to deliver end-to-end security for voice, video, and data in a native mode for a fully meshed network. GET VPN can secure IP multicast group traffic or unicast traffic over a private WAN. It uses the core network's ability to route and replicate the packets between various sites within the enterprise. Cisco IOS GET VPN preserves the original source and destination addresses in the encryption header for optimal routing; hence, it is largely suited for an enterprise running over a private Multiprotocol Label Switching (MPLS)/IP-based core network.

Cisco IOS GET VPN is enabled in customer edge routers without using tunnels. Cisco IOS GET VPN uses Group Domain of Interpretation (GDOI) as the keying protocol with IPsec for efficiently encrypting and decrypting the data packets. GET VPN enables the router to apply encryption to nontunneled (that is, "native") IP multicast and unicast packets and eliminates the requirement to configure tunnels to protect multicast and unicast traffic.

GET VPN is supported on Cisco IOS Release 12.4(11)T and on Cisco VPN acceleration modules:
- Cisco AIM-VPN/SSL Module for Cisco Integrated Services Routers
- Cisco VPN Acceleration Module 2+ for Cisco 7200 series routers and Cisco 7301 series routers
GET VPN Topology

GET VPN uses a group management model where the GDOI protocol operates between a group member and a group controller or key server.

[Figure: GET VPN topology with a Key Server and Group members 1, 2 and 3, each with a /24 site network, attached to a private WAN. The flows shown are 1. Key and Policy Distribution, 2. IPsec Encrypted Packet Exchange, 3. Push of Rekey]

The key server establishes security associations (SAs) among authorized group members. GDOI is protected by a Phase 1 ISAKMP security association. There are three traffic flows that are necessary for group members to participate in a group:

1. The group member registers with the key server to get the IPsec SA or SAs that are necessary to communicate with the group. The group member provides the group ID to the key server to get the respective policy and keys for this group. The key server authenticates and authorizes the group members and downloads the IPsec policy and keys that are necessary for them to encrypt and decrypt IP multicast packets. The key server is responsible for maintaining the policy and for creating and maintaining the keys for the group.
2. Group members exchange IP multicast packets that are encrypted using IPsec.
3. Because the key server is also responsible for rekeying the group before existing keys expire, the key server pushes a rekey message to the group members. The rekey message contains the new IPsec policy and keys to use when the old IPsec SAs expire. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.
Summary

This topic summarizes the key points discussed in this lesson.

Summary
- Standard IPsec VPNs provide data encryption for IP unicast packets.
- Easy VPN provides ease of deployment using centralized management of VPNs for remote offices and teleworkers.
- GRE over IPsec VPNs support IP unicast, multicast and broadcast packets as well as non-IP traffic.
- DMVPN supports spoke-to-spoke IP unicast and multicast traffic in meshed networks efficiently with dynamic configuration combining IPsec, GRE, and NHRP.
- VTIs provide a routable interface type for terminating IPsec tunnels and supporting QoS, multicast, and routing functions without using GRE.
- GET VPNs provide a tunnel-less technology for end-to-end security of IP unicast and multicast traffic using IPsec.

Easy VPNs provide a simple, unified configuration framework for a mix of Cisco VPN products. Easy VPN should be used when simplifying overall VPN configuration and management is the primary goal, but only limited networking features are required.

GRE over IPsec can be used when routing needs to be supported across the VPN. GRE over IPsec is typically used for the same functions as hub-and-spoke DMVPN, but requires more detailed configuration.

DMVPN simplifies configuration for hub-and-spoke VPNs while supporting routing, QoS, and multicast. DMVPN provides low-scale, on-demand meshing.

VTIs provide an easy way to define protection using native IPsec tunneling between sites to form an overlay network. The IPsec VTI solution supports QoS, multicast, and other routing functions that previously required GRE. VTI simplifies VPN configuration and design.

GET VPN adds encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features. GET VPN offers scalable, full-time meshing for IPsec VPNs.
It enables participation of smaller routers in meshed networks, and simplifies encryption key management while supporting routing, QoS, and multicast.
Lesson 4

VPN Management and Scaling

Overview

The Cisco Security Management products and internal processes can be used for scalable VPN administration and enforcement. Scaling VPNs involves several considerations, including crypto engine performance for real traffic and routing characteristics and metrics. This lesson will look at both VPN management and scaling considerations.

Objectives

Upon completing this lesson, you will be able to discuss options for managing and scaling VPNs. This ability includes being able to meet these objectives:
- Discuss recommendations for managing VPNs
- Discuss considerations for scaling VPNs
Recommendations for Managing VPNs

This topic discusses some tools and recommendations for managing VPNs.

Cisco Security Management Suite for VPNs

This section discusses some tools for managing VPNs.

Cisco Security Management Suite for VPNs
- Element management on the device:
  - Cisco Router and Security Device Manager
  - Cisco Adaptive Security Device Manager
  - Cisco PIX Device Manager
  - CiscoView Device Manager
- Multiple device managers:
  - Cisco Security Manager
  - Cisco Security Monitoring, Analysis, and Response System

The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including configuration, monitoring, analysis, and response. There are several components of this suite for managing VPNs:

- Cisco Router and Security Device Manager (SDM): Cisco SDM is a web-based device-management tool for Cisco routers that can improve the productivity of network managers; simplify router deployments for integrated services such as dynamic routing, WAN access, wireless LAN (WLAN), firewall, VPN, SSL VPN, IPS, and quality of service (QoS); and help troubleshoot complex network and VPN connectivity issues. Cisco SDM is a single-device element manager that can support a wide range of Cisco IOS Software releases and is available free of charge on Cisco router models from Cisco 830 Series Routers to Cisco 7301 Routers.
- Cisco Adaptive Security Device Manager (ASDM): Cisco ASDM provides security management and monitoring services for the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances (running Cisco PIX Security Appliance Software Release 7.0 or later) and the Cisco Catalyst 6500 Series Firewall Services Modules (FWSM version 3.1 or later) through an intuitive, easy-to-use web-based management interface.
  Cisco ASDM is an element manager that accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services.
- Cisco PIX Device Manager (PDM): Cisco PDM provides security management and monitoring services for Cisco PIX security appliances (running Cisco PIX Security Appliance Software Version 6.3 and prior) and the Cisco Catalyst 6500 Series Firewall Services Module (FWSM). PDM is an element manager that features an intuitive GUI with integrated online help and intelligent wizards to simplify setup and ongoing management. In addition, informative, real-time, and historical reports provide critical insight into usage trends, performance baselines, and security events. Administrative and device security is supported through the use of user passwords (with optional authentication via a RADIUS or TACACS server) and encrypted communications to local or remote devices.
- CiscoView Device Manager (CVDM): The CVDM for the Cisco Catalyst 6500 Series Switch is a device-management software application that resides on a switch and manages several Layer 2 and Layer 3 features for a single chassis. A task-based tool, CiscoView Device Manager eases the initial setup and deployment of end-to-end services across modules by offering configuration templates based on recommended best practices. It further enhances the user-friendliness of the Cisco Catalyst 6500 Series through graphical representation of VLANs, and by providing a single launch point for multiple module managers including the VPN service module, the SSL service module, and the WebVPN service module.
- Cisco Security Manager: Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and IPS policies on multiple Cisco security appliances, firewalls, routers, and switch modules. Using a GUI, Cisco Security Manager allows security policies to be configured easily per device, per device group, or globally.
- Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS): Cisco Security MARS is an appliance-based solution that allows network and security administrators to monitor, identify, isolate, and counter security threats. Cisco Security MARS obtains network intelligence by understanding the topology and device configurations from multiple routers, switches, NetFlow, IPS, firewalls, and other network devices and by profiling network traffic. The integrated network discovery in the system builds a topology map containing device configuration and current security policies that enables Cisco Security MARS to model packet flows through the network. Because the appliance does not operate in-line and makes minimal use of existing software agents, there is minimal impact on network or system performance.
Recommendations for Managing VPNs

This section discusses some recommendations for managing VPNs.

Recommendations for Managing VPNs
- Use dedicated management interfaces if possible
- Take precautions when managing a VPN device across the Internet
- Use static addresses and crypto maps to manage remote devices via a VPN tunnel
- Use available IPsec information

There are several recommended practices for managing VPNs:
- Use dedicated management interfaces if possible for out-of-band management. If this is not possible, use a VPN for secure management and restrict access over the tunnel to management protocols only.
- Take precautions when managing a VPN device across the Internet. You should use strong authentication, integrity and encryption practices. You should use a different username for configuration management and for troubleshooting. If you cannot use IPsec to connect to remote devices, use SSH/SSL for access.
- Use static public IP addresses at remote sites and static crypto maps at the head-end in order to manage remote devices through a VPN tunnel. You need to be aware that some services such as TFTP do not always use the public IP address as the source address.
- Use the available IPsec information. IPsec information can be accessed minimally through syslog information or with the IPsec MIB via SNMP.
Considerations for Scaling VPNs

This topic discusses considerations for scaling VPNs.

Packets Per Second vs. Megabits Per Second

[Figure: Crypto performance in megabits per second by traffic profile (marketing, IMIX, converged): all 1400-byte packets at 100% CPU, IMIX at 100% CPU, and converged traffic at 80% CPU; the values shown on the chart are 150M, 40M and 20M]

- Marketing literature states crypto performance in megabits per second at 100% CPU with all MTU-sized (~1400 byte) packets
- Actual performance with IMIX or converged traffic is significantly different
- Crypto performance in pps is the key for sizing the head-end:
  - Not bps
  - Not tunnels

Scaling VPNs depends on many factors, but the primary issue is offered load, in number of packets per second (pps), from the branch routers. The pps rate matters more than throughput bandwidth (bps) for the connection speeds being terminated or aggregated. In general, routers and crypto engines have upper boundaries for processing a given number of pps. Each time a crypto engine encrypts or decrypts a packet, it performs mathematical computations on the IP packet payload using the crypto key for the tunnel. The crypto engine performance measured in packets per second is the key for sizing the head-end.

Marketing numbers state crypto performance in megabits per second at 100% CPU with all MTU-sized (~1400 byte) packets to achieve the best results. This is an unrealistic traffic pattern. Internet mix traffic (IMIX) contains a mixture of frame sizes in a ratio to each other that approximates the overall makeup of frame sizes observed in real Internet traffic. Using IMIX traffic provides a better simulation of real network traffic. Converged traffic with a mix of 30 percent voice traffic at a maximum of 80 percent CPU utilization is the most realistic simulation of real network traffic for enterprise networks. The figure compares the relative performance of three types of traffic on a router.
The pps is also a more critical metric than the number of tunnels, although the number of tunnels impacts the routing processes on the CPU. The number of tunnels also impacts crypto processing. If more than one IPsec tunnel is terminated on a router, the router has multiple crypto keys. When packets are sent or received on a different tunnel than the last packet sent or received, the crypto engine must swap keys. This key swapping can degrade the performance of a crypto engine, depending on its architecture, and increase the router CPU utilization.
Determining PPS

This section discusses considerations for estimating packets per second for remote branch enterprise traffic.

Determining PPS
- PPS are determined by user applications on the network
- High Mbps throughput equates to large bytes per packet
- VoIP decreases the average packet size and increases the number of PPS
- Test tools should emulate real application behavior
- Packet blasting tools are poor indicators of real-world performance

The pps per connection are determined by the user applications on the network. High Mbps throughput in the network typically corresponds to a large byte size per packet. The presence of voice over IP (VoIP) in the network decreases the average packet size and increases the number of pps. To correctly simulate network behavior, test tools must emulate real application behavior. Testing with packet blasting tools is a poor indicator of real-world performance.
Enterprise WAN Categories

Characterizing enterprise WANs into categories helps estimate the type of traffic to expect from the remote branches when scaling the VPN.

Enterprise WAN Categories (Point of Sale / Teleworker-Teleagent / Integrated Services Branch):
- Number of branches: Extra Large, 1,000 to 10,000 / Large, 1,000 to 3,000 / Medium, 500 to 1,000
- VoIP support?: No / Yes, usually one call / Yes, 33% bandwidth
- IP multicast?: Generally not / Nice to have / Yes
- Availability?: Required, async dial-backup / Too costly, dial bandwidth insufficient for VoIP / Multiple WAN links
- Physical interface: Broadband/POTS / Broadband / Leased line

Enterprise WANs can be categorized into three groups:
- Point of sale WANs. These WANs typically support a high number of retail branches for credit card and point of sale applications. The number of branches here may be 2,000 or more. They have low data volume, and do not support VoIP or IP multicast. The WANs need the availability that the routing protocol provides. The physical interface for the remote sites is typically broadband or dial-up plain old telephone service (POTS).
- Teleworker/Teleagent WANs. These WANs typically support a single user with an IP phone at the remote end. In the Cisco Enterprise Architecture, this is the Branch of One or Teleworker design. There can be large numbers of remote sites to support. Support for IP multicast is nice to have, but may not be present. Backup availability is typically not provided, since dial backup bandwidth is insufficient for the VoIP application. The remote sites typically connect using broadband.
- Integrated Services Branch WANs. These WANs typically connect remote enterprise branches to the central site and have high or bursty data volume and a relatively high number of branches, from 500 to 1,000. They are likely to support converged applications including voice and video and IP multicast. VoIP traffic is typically 30% of the bandwidth. Backup availability is provided with multiple WAN links.
  The physical interface is typically a leased line or high-speed DSL.
Traffic Profiles Per Branch Router

This section discusses the traffic profile per branch router.

Traffic Profiles Per Branch Router

Point of Sale:
- TCP: 18 HTTP Get (300 bytes up, 1,000 bytes down); 2 FTP (1 up, 1 down, 120K file size)

Teleworker/Teleagent:
- UDP: 1 G.729 voice call (100 PPS); 1 DNS
- TCP: 1 POP3; 1 call setup (CS3); 1 TN3270 (best effort); 1 TN3270 (AF21); 1 HTTP (best effort); 1 HTTP (AF21); 1 FTP (1 up, 240K file)

Integrated Services Branch (Enterprise Mix, V3PN):
- UDP: 33% BW for G.729 VoIP (100 pps per call), 9 calls per T1; 9 DNS
- TCP: 4 POP3; 6 TN3270 (best effort); 6 TN3270 (AF21); 3 HTTP (best effort); 3 HTTP (AF21); 4 FTP (2 up, 2 down, 768K file)

While traffic profiles may vary, head-end scalability is governed by packets per second.

The major factor in head-end VPN scaling is the pps load of the hub for switching packets. Packet switching is impacted by the size of the packets. Based on field testing, the Cisco Enterprise Systems Engineering group has developed some traffic profiles for representing real enterprise branch routers in the lab. The average packet size is influenced by the applications in use in the traffic profile:
- Does the traffic mix include VoIP, video, or IP multicast?
- What VoIP codec is in use (G.711 at 64 kbps versus G.729 at 8 kbps)?
- Do the workstations have the interface Maximum Transmission Unit (MTU) changed?
- Do workstations use path MTU discovery?
- Is the router configured to adjust the TCP Maximum Segment Size (MSS)?
- What applications are in use?
- Is application optimization such as HTTP pipelining in place?

Scaling considerations at the head-end are also impacted by the number of neighbors per hub, which impacts path selection overhead.
Example: Enterprise Mix Packet Size

[Figure: Percent of bytes by packet size in bytes, excluding GRE and IPsec headers/trailers, from NetFlow Protocol-Port-ToS aggregation exported and summarized.
Downstream: 1052 (FTP Get) 53.5%; 60 (VoIP) 22.2%; 889 (TN3270) .9%; 1016 (TN Immed) .9%; 44 (FTP Put) 1.0%; 462 (POP3) 3.4%; (WWW) 5.9%; 377 (WWW-2 Immed) 10.2%; 124 (DNS) 2.1%.
Upstream: 1044 (FTP Put) 57.6%; 45 (FTP Get) 1.9%; 60 (VoIP) 27.4%; 89 (TN3270) .2%; 89 (TN Immed) .2%; 45 (POP3) .3%; 72 (WWW) 4.2%; 131 (DNS) 2.8%; 109 (WWW-2 Immed) 5.3%.
Average packet size = 188 (the downstream WWW packet size and the second average did not survive extraction)]

The figure shows the average packet sizes for representative downstream and upstream traffic captured with NetFlow. The key point to notice is that the average packet size with VoIP traffic in the mix is significantly smaller than the 1400-byte packets used to describe marketing performance.
Estimated PPS Based on Branch Profile

To accurately size the head-end device, you need to measure the average / busy hour pps rate of the branch routers.

Estimated PPS Based on Branch Profile (pps in both directions):
- Point of Sale (data only, no VoIP): < 50 pps; 144K/144K ISDN Digital Subscriber Line (IDSL)
- Teleworker/Teleagent (ip tcp adjust-mss 542): 1 VoIP G.729 call; 256K/1.4M broadband DSL (Internet)
- Teleworker/Teleagent: 1 VoIP G.729 call; 795 pps; 384K/1.5M broadband cable (lab)
- Teleworker/Teleagent: 1 VoIP call; 637 bytes/packet; 495 pps; 768K/3.0M broadband cable (Internet)
- Integrated Services Branch (Enterprise Mix V3PN, TCP max segment size adjusted): 9 VoIP calls; 900 pps for VoIP; 1.5M/1.5M (T1) leased line
- Integrated Services Branch: 18 VoIP G.729 calls; 1800 pps for VoIP; 3.0M/3.0M fractional DS3 (lab)

The Cisco Enterprise Systems Engineering group has some rough pps estimates that can be a starting point for VPN scaling:
- A point of sale branch on a low-speed link that supports only data may have an average of only 50 pps of traffic.
- A teleworker on a higher-speed link will have higher traffic requirements. The teleworker may generate 125 pps to 800 pps depending on the link speed and network configuration.
- The integrated services branch may need to support multiple voice calls. If we use the rule of thumb that 30 percent of the bandwidth is used for voice, then a T1 line could support 9 voice calls of 100 pps each (50 pps in each direction). The head-end would need to support 900 pps for VoIP traffic plus the data requirements of the remote site.
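The Python below is an added example (not from the course) that carries the sizing reasoning of this topic and of "Packets Per Second vs. Megabits Per Second" through: it converts a marketing Mbps figure measured with 1400-byte packets into the crypto engine's pps ceiling, re-expresses that ceiling at a realistic average packet size, and aggregates branch profiles (G.729 at 100 pps per call, 80% CPU derating) into a head-end count. The 150 Mbps rating, the 188-byte average and the per-branch data pps are constructed inputs, not course figures.

```python
"""Head-end VPN sizing in packets per second (added example, not from the course)."""
from __future__ import annotations
import math
from dataclasses import dataclass
from typing import Iterable

MTU_SIZED_BYTES = 1400        # packet size behind marketing Mbps figures (course text)
G729_PPS_PER_CALL = 100       # one G.729 call: 50 pps in each direction (course text)
REALISTIC_CPU_FRACTION = 0.8  # converged traffic is planned at a maximum of 80% CPU


def pps_for_throughput(mbps: float, avg_packet_bytes: int) -> float:
    """Packets per second that a throughput represents at a given average packet size."""
    if avg_packet_bytes <= 0:
        raise ValueError("average packet size must be positive")
    return mbps * 1_000_000 / (avg_packet_bytes * 8)


def throughput_mbps(pps: float, avg_packet_bytes: int) -> float:
    """Throughput carried by a packet rate at a given average packet size."""
    return pps * avg_packet_bytes * 8 / 1_000_000


def realistic_mbps(marketing_mbps: float, avg_packet_bytes: int) -> float:
    """Re-express a marketing Mbps figure at a realistic average packet size.

    The crypto engine's pps ceiling does not change; only the bytes per packet shrink.
    """
    ceiling_pps = pps_for_throughput(marketing_mbps, MTU_SIZED_BYTES)
    return throughput_mbps(ceiling_pps, avg_packet_bytes)


@dataclass(frozen=True)
class BranchProfile:
    name: str
    count: int        # number of branches of this type
    voip_calls: int   # concurrent G.729 calls per branch
    data_pps: int     # non-voice load per branch, both directions (assumed figures)

    def pps_per_branch(self) -> int:
        return self.voip_calls * G729_PPS_PER_CALL + self.data_pps

    def total_pps(self) -> int:
        return self.count * self.pps_per_branch()


# Constructed sample enterprise: VoIP counts follow the course profiles, data pps are assumed.
SAMPLE_BRANCHES = (
    BranchProfile("point-of-sale", count=100, voip_calls=0, data_pps=50),
    BranchProfile("teleworker", count=50, voip_calls=1, data_pps=25),
    BranchProfile("integrated-services", count=20, voip_calls=9, data_pps=300),
)


def headend_load_pps(profiles: Iterable[BranchProfile]) -> int:
    """Aggregate offered load the head-ends must switch and encrypt."""
    return sum(p.total_pps() for p in profiles)


def usable_pps(marketing_mbps: float, cpu_fraction: float = REALISTIC_CPU_FRACTION) -> float:
    """pps one head-end can be planned for: the marketing ceiling derated to sustainable CPU."""
    return pps_for_throughput(marketing_mbps, MTU_SIZED_BYTES) * cpu_fraction


def headends_needed(load_pps: float, per_headend_pps: float) -> int:
    """Smallest number of head-ends whose derated pps capacity covers the load."""
    if per_headend_pps <= 0:
        raise ValueError("per-head-end capacity must be positive")
    return math.ceil(load_pps / per_headend_pps)


if __name__ == "__main__":
    rating = 150  # assumed marketing figure: Mbps at 100% CPU with 1400-byte packets
    print(f"{rating} Mbps at {MTU_SIZED_BYTES} B = {pps_for_throughput(rating, MTU_SIZED_BYTES):.0f} pps")
    print(f"same engine at 188 B average = {realistic_mbps(rating, 188):.1f} Mbps")
    load = headend_load_pps(SAMPLE_BRANCHES)
    print(f"sample load {load} pps -> {headends_needed(load, usable_pps(rating))} head-end(s)")
```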
Determining the PPS Rate

If you are migrating an existing network, you can measure the average / busy hour pps rate of the existing branch routers.

Determining the PPS Rate
- When migrating an existing network, measure the average / busy hour pps rate of the branch routers
- Knowing "500 branches and a 45 Mbps link at the head-end" is not enough
- Can use commands such as show interfaces fastethernet 4 | include rate
- Can use GUI tools with SNMP or NetFlow

Measuring rates at the remote branches at the busy hour will provide useful data. Most network managers, when simply asked, will not have any details and may reply "I have 500 branches and a 45 Mbps link at the head-end." The measurement can be as simple as using the show interfaces fastethernet 4 | include rate command. You can also use network management tools querying SNMP or NetFlow data.
Example: Packet and Application View, NetFlow Data Export

Figure: Example: Packet and Application View, NetFlow Data Export (graph of top applications inbound on vpn-871; application view for a teleworker: web surfing, HTTP and other TCP applications, VoIP G.711 conference call, backup).

This example shows a view of the packets per hour and the types of packets for a teleworker that supported a conference call, a web-based data backup, and some web surfing during the day.
Routing Protocol Considerations for IPsec VPNs

This section discusses some routing protocol considerations for scaling VPNs.

Slide: Routing Protocol Considerations for IPsec VPNs
- Either EIGRP or OSPF can be used with non-basic IPsec VPNs.
- The distance vector characteristics of EIGRP are better for hub-and-spoke IPsec VPNs:
  - EIGRP can summarize per interface.
  - EIGRP is quiet and does not need to flood a topology database.
  - EIGRP stub eliminates queries to spokes.
- Some disadvantages of the link state characteristics of OSPF for hub-and-spoke IPsec VPNs:
  - OSPF needs to synchronize router databases periodically.
  - OSPF brings hierarchy decisions into the hub-and-spoke topology.
- Increasing the number of neighbors increases process switching.

Both Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) are appropriate enterprise routing protocols that can be supported on IPsec with GRE tunnels, DMVPN, VTI, and GET VPN. The distance vector characteristics of EIGRP are typically better for the hub-and-spoke VPN topology:
- EIGRP can summarize per interface. By summarizing toward the core and summarizing toward the spokes, the branch routers will have fewer routes in the routing table.
- EIGRP is a quiet protocol when configured with stubs. There is no need to flood a topology database with EIGRP.
- EIGRP stub eliminates queries to spokes. As a recommended practice, configure the branch routers as stubs. The stub routers receive the default route from the head-end router and advertise the branch subnets back up.

There are some disadvantages to the link state characteristics of OSPF for hub-and-spoke IPsec VPNs:
- OSPF needs to synchronize router databases periodically.
- OSPF brings hierarchy decisions into the hub-and-spoke topology. The number of routers per area needs to be allocated. A recommended practice is to use a power of two for best summarization.

With either protocol, increasing the number of neighbors increases the amount of process switching the hub routers need to support. Buffer tuning can help maintain network stability by minimizing the number of buffer misses and failures that may equate to losing or dropping neighbors.
EIGRP Metric Component Considerations

The EIGRP metric components can have an impact on IPsec VPNs.

Slide: EIGRP Metric Considerations
- Delay: EIGRP calculates delay as the cumulative network delay. Delay is based on the input interface value of the receiving router.
- Bandwidth: EIGRP uses the minimum bandwidth of all the links. The default bandwidth value for a tunnel is 9K. EIGRP updates are throttled to 50% of the bandwidth of the interface. Consider matching the tunnel bandwidth to the physical link value.

EIGRP calculates delay as the cumulative network delay: it adds the delay from all the hops to the source network. EIGRP delay is based on the input interface value of the receiving router.

EIGRP uses the minimum bandwidth of all the links to a network. The default bandwidth value for a tunnel is 9K, and EIGRP updates are throttled to 50% of the bandwidth of the interface. You should consider matching the tunnel bandwidth to the physical link value if you send more than the default route and a summary route across a link, because the EIGRP process can otherwise be throttled by the 9K default bandwidth of the tunnel.
Summary

This topic summarizes the key points discussed in this lesson.

- VPNs can be managed either with element managers on the devices or with multiple-device managers from the Cisco Security Management Suite.
- Dedicated management interfaces and precautions are recommended to protect VPN devices.
- Scaling VPNs depends on many factors, but the primary issue is the number of pps that need to be processed by the crypto engine.
- Using enterprise WAN categories helps to estimate traffic from remote branches.
Module Summary

This topic summarizes the key points discussed in this module.

- Remote access VPNs permit secure, encrypted connections between mobile or remote users and their corporate networks using IPsec and SSL technologies.
- Site-to-site VPNs are an alternative WAN infrastructure used to connect branch offices, home offices, or business partners to all or portions of an enterprise network using service provider networks.
- There are several types of technologies that can support IPsec VPNs, including Easy VPN, GRE over IPsec, DMVPN, VTI, and GET VPN.
- Both products and internal processes are needed for managing VPNs.
- Scaling VPNs involves several considerations, including crypto engine performance for real traffic and routing characteristics.

This module examined how to design enterprise solutions for remote access and site-to-site VPNs. VPNs enable secure use of cost-effective, high-speed links. VPNs encrypt and authenticate traffic traversing the WAN to deliver true network security in an insecure, networked world.

References

For additional information, refer to these resources:
- Cisco Systems, Inc. SEC-2010: Deploying Remote-Access IP Security and SSL VPNs. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. SEC-2011: Deploying Site-to-Site IPSec VPNs. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. SEC-2012: Deploying Dynamic Multipoint VPNs. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. RST-2266: Large-Scale IPsec Aggregation Networks. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. Cisco Easy VPN.
- Cisco Systems, Inc. IPsec VPN WAN Design Overview, at …f22f.pdf
- Cisco Systems, Inc. Dynamic Multipoint VPN (DMVPN) Introduction.
- Cisco Systems, Inc. IPSec Virtual Tunnel Interface, at …10/hipsctm.pdf
- Cisco Systems, Inc. Virtual Tunnel Interface (VTI) Design Guide, at …b.pdf
- Cisco Systems, Inc. Cisco Group Encrypted Transport VPN, at …getvpn.pdf
- Cisco Systems, Inc. Cisco IPsec and SSL VPN Solutions Portfolio, at …86a00801f0a72.pdf
Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) In what two ways does the Cisco Easy VPN Server support remote access VPNs? (Choose two.) (Source: Remote Access VPNs)
A) by accepting a variety of information from the client, including IP address and mask and information on the internal DNS and WINS server
B) by sending a variety of information to the client, including IP address and mask and information on the internal DNS and WINS server
C) by terminating IPsec VPN tunnels initiated by remote workers running the Cisco VPN Client software on PCs
D) by terminating SSL VPN tunnels initiated by remote workers running the Cisco VPN Client software on PCs
E) by terminating SSL VPN tunnels initiated by remote workers running the Cisco SSL VPN Client for WebVPN software on PCs

Q2) What is the recommended practice for deploying the VPN termination device for best security? (Source: Remote Access VPNs)
A) to terminate any IPsec tunnels on an inline firewall
B) to place the VPN termination device in line with a firewall
C) to place the VPN termination device in parallel with a firewall
D) to place the private side of the VPN termination device in a DMZ behind a firewall
E) to place the public side of the VPN termination device in a DMZ behind a firewall

Q3) When might RRI be needed in remote access VPNs? (Source: Remote Access VPNs)
A) when IPsec tunnels are terminated on an inline firewall
B) when a dedicated scope of DHCP addresses is associated to a specific VPN head-end
C) when internal routers use a static route for address blocks pointing to the private interface of the head-end device
D) when VPN software clients need to inject their assigned IP address as host routes into the routing table of OSPF and RIPv2
E) when VPN software clients need to inject their assigned IP address as host routes into the routing table of OSPF and EIGRP

Q4) What is the most common address assignment design for remote access VPNs? (Source: Remote Access VPNs)
A) using a dedicated scope of DHCP addresses associated to a specific VPN head-end
B) using internal address pools per VPN head-end and implementing a static route for these subnets to the VPN head-end
C) using RRI when IPsec tunnels are terminated on an inline firewall
D) using static IP address assignment for end users with LDAP and RRI
E) using static IP address assignment for end users with RADIUS and RRI
Q5) What are the three access mechanisms for SSL VPNs? (Choose three.) (Source: Remote Access VPNs)
A) content rewriting with a thin client
B) content rewriting with clientless access
C) dynamic VPN support with a thick client
D) dynamic VPN support with a thin client
E) port forwarding with a thin client
F) port forwarding with a thick client

Q6) What are two site-to-site VPN applications? (Choose two.) (Source: Site-to-Site VPN Design)
A) WAN replacement
B) content rewriting
C) port forwarding
D) data privacy through 3DES or AES
E) mandated or regulatory encryption

Q7) What are two addressing considerations in IPsec design? (Choose two.) (Source: Site-to-Site VPN Design)
A) Basic IPsec tunnels can transport IP unicast and multicast traffic.
B) IPsec VPNs are typically implemented in tunnel mode.
C) IPsec VPNs are typically implemented in transport mode.
D) VPN devices need a routable outside IP address.
E) VPN devices need a routable inside IP address.

Q8) What is the typical IPsec deployment design? (Source: Site-to-Site VPN Design)
A) basic IPsec tunnels transporting IP unicast and multicast traffic
B) full mesh topology with direct connectivity between all locations
C) partial mesh topology with direct connectivity between many locations
D) remote peers connected over a shared infrastructure in a spoke-to-spoke topology
E) remote peers connected to the central site over a shared infrastructure in a hub-and-spoke topology

Q9) What are two advantages to placing the VPN device in the DMZ of a firewall? (Choose two.) (Source: Site-to-Site VPN Design)
A) The design allows moderate-to-high scalability by adding additional VPN devices.
B) The design allows the firewall to impose bandwidth restrictions on stacks of VPN devices.
C) The design supports the layered security model and enforces firewall security policies.
D) The design supports remote peers connecting over a shared infrastructure in a spoke-to-spoke topology.
E) The design supports firewalls that do not need to support policy routing to differentiate VPN versus non-VPN traffic.
Q10) What are two characteristics of the Cisco Easy VPN Solution? (Choose two.) (Source: IPsec VPN Technologies)
A) uses the GDOI protocol
B) mesh design scalability for greater than 10 sites
C) reduced management complexity for VPN deployments
D) uses Easy VPN Remote and Easy VPN Services features
E) centralized VPN management across all Cisco VPN devices

Q11) What are two reasons for implementing GRE tunnels? (Choose two.) (Source: IPsec VPN Technologies)
A) to support IP broadcast and multicast traffic
B) to support IP unicast traffic
C) to support IPsec encryption
D) to support routing protocols
E) to avoid asymmetric routing when routing is running over the tunnels

Q12) What are two advantages to implementing DMVPN tunnels? (Choose two.) (Source: IPsec VPN Technologies)
A) supports IP broadcast and multicast traffic
B) provides a deterministic mesh with fewer active tunnels on each spoke
C) provides a dynamic mesh with fewer active tunnels on each spoke
D) creates hub-and-spoke tunnels dynamically based on traffic requirements
E) creates spoke-to-spoke tunnels dynamically based on traffic requirements

Q13) What are two characteristics of the VTI? (Choose two.) (Source: IPsec VPN Technologies)
A) uses tunnel mode protection
B) provides a routable interface type for terminating IPsec tunnels
C) is a set of software features that provides a tunnel-less technology to provide end-to-end security
D) supports QoS, multicast, and other routing functions that previously required GRE
E) uses an NHRP network ID and password key to prevent unauthorized nodes from joining the VPN

Q14) What are two characteristics of the GET VPN? (Choose two.) (Source: IPsec VPN Technologies)
A) is a set of software features that provides a tunnel-less technology to provide end-to-end security
B) provides a routable interface type for terminating IPsec tunnels
C) secures IP multicast group traffic or unicast traffic over a private WAN
D) supports interoperability with standards-based IPsec installations of other vendors
E) uses an NHRP network ID and password key to prevent unauthorized nodes from joining the VPN
Q15) What are two element managers for VPNs? (Choose two.) (Source: VPN Management and Scaling)
A) Cisco ASDM
B) Cisco PSDM
C) Cisco SDM
D) Cisco Security Manager
E) Cisco Security SDM

Q16) What are three recommendations for managing VPNs? (Choose three.) (Source: VPN Management and Scaling)
A) use in-band management if possible
B) use dedicated management interfaces if possible
C) use the same username for configuration management and for troubleshooting
D) use a different username for configuration management and for troubleshooting
E) use IPsec for access to VPN devices across the Internet instead of SSH/SSL
F) use SSH/SSL for access to VPN devices across the Internet instead of IPsec

Q17) What are the three biggest factors to consider in scaling VPNs? (Choose three.) (Source: VPN Management and Scaling)
A) pps from remote routers
B) number of routes in the network
C) Mbps capacity of the head-end router
D) crypto engine performance for large packets
E) number of tunnels terminated at the head-end router

Q18) What is the primary issue in scaling VPNs? (Source: VPN Management and Scaling)
A) crypto engine performance for large packets
B) Mbps capacity of the head-end router
C) number of routes in the network
D) number of tunnels terminated at the head-end router
E) pps from remote routers

Q19) What enterprise WAN category typically has 30% VoIP traffic bandwidth? (Source: VPN Management and Scaling)
A) data center WAN
B) e-commerce WAN
C) integrated services branch WAN
D) point of sale WAN
E) teleworker WAN

Q20) Which routing protocol is recommended for large-scale enterprise IPsec VPNs? (Source: VPN Management and Scaling)
A) BGP
B) EIGRP
C) OSPF
D) RIPv2
E) static routing
Module Self-Check Answer Key

Q1) B, C
Q2) E
Q3) D
Q4) B
Q5) B, C, E
Q6) A, E
Q7) B, D
Q8) E
Q9) A, C
Q10) C, E
Q11) A, D
Q12) C, E
Q13) B, D
Q14) A, C
Q15) A, C
Q16) B, D, E
Q17) A, C, E
Q18) E
Q19) C
Q20) B
Module 10: IP Multicast Design

Overview

IP multicast provides bandwidth conservation that reduces traffic load by simultaneously delivering a single stream of information to multiple recipients. Multicasting enables a more efficient distribution of video conferencing, corporate communications, distance learning, distribution of software, and other applications.

This module reviews the IP multicast technology discussed in the Cisco Building Scalable Cisco Internetworks course. It then provides some design recommendations for implementing IP multicast. It also discusses some security considerations for IP multicast designs.

Module Objectives

Upon completing this module, you will be able to design IP multicast intelligent network services for performance, scalability, and availability, given specified enterprise network needs. This ability includes being able to meet these objectives:
- Provide an overview of IP multicast technology
- Describe design recommendations for IP multicast
- Discuss security considerations for IP multicast
Lesson 1: IP Multicast Review

Overview

Traditional IP communication allows a host to send packets to a single host (unicast transmission) or to all hosts (broadcast transmission). IP multicast provides a third possibility: allowing a host to send packets to a subset of all hosts as a group transmission. This lesson provides an overview of IP multicast.

Objectives

Upon completing this lesson, you will be able to identify the IP multicast implementation options. This ability includes being able to meet these objectives:
- Provide an overview of IP multicast technology
- Explain the purpose and use of IP multicast group membership
- Discuss Layer 3 multicast routing
- Discuss multicast forwarding at Layer 2 and control mechanisms
Overview of IP Multicast

This topic provides an overview of IP multicast.

Unicast vs. Multicast

Unicast and multicast technologies use different means to transfer packets from a source to multiple destinations.

Figure: Unicast vs. Multicast (a unicast server sending a separate copy to each client, and a multicast server sending a single stream that the network replicates).

With a unicast design, an application sends one copy of each unicast packet to every client unicast address. Unicast transmission can require a large amount of bandwidth, because the same information has to be carried multiple times, even on shared links. A large number of clients can impact the scalability of the network. Intermediate devices in the network path need to replicate the required number of packets.

IP multicast, as an alternative to unicast and broadcast, sends packets to a subset of network hosts simultaneously. By requiring only a single copy of each packet to be sent on each interface, multicast helps reduce network traffic. Multicast packets are replicated in the network at the point where paths diverge by Cisco routers enabled with Protocol Independent Multicast (PIM), resulting in the most efficient delivery of data to multiple receivers.

Even low-bandwidth applications can benefit from using IP multicast when there are thousands of concurrent receivers. High-bandwidth applications, such as MPEG video, may require a large portion of the available network bandwidth for a single stream. In these applications, IP multicast is the only practical way to send to more than one receiver simultaneously. IP multicast provides a reduced load on the server and a reduced load on network links, and it scales to any number of receivers.
TCP Contrasted to UDP

IP multicast uses User Datagram Protocol (UDP) for transport.

Slide: TCP Contrasted to UDP
TCP (unicast):
- TCP is a connection-oriented protocol.
- Requires a three-way handshake.
- Reliable due to sequence numbers and acknowledgements.
- Flow control.
UDP (unicast and multicast):
- Connectionless.
- Unreliable.
- Cannot support some application layer protocols such as ARP or HSRP.

Transmission Control Protocol (TCP) supports only unicast transmissions. TCP is a connection-oriented protocol that requires a three-way handshake to establish communications. TCP enforces end-to-end reliability of packet delivery with sequence numbers and acknowledgements. TCP supports flow control.

In contrast, UDP can support both unicast and multicast transmissions. UDP is a connectionless protocol that does not use a handshake to establish communication. The UDP transport protocol has no reliability mechanisms, so reliability issues have to be addressed in multicast applications where reliable data transfer is necessary. UDP cannot support protocols such as ARP and HSRP.
Multicast Disadvantages

Slide: Multicast Disadvantages
- Best-effort delivery results in occasional packet drops.
  - Can make voice content unintelligible.
  - Can cause artifacts and degradation in video.
- Lack of congestion control may result in network congestion.
- Duplicate packets may occasionally be generated.
- Out-of-sequence delivery of packets to the application may happen.
- Multicast security is still evolving.

There are some disadvantages to using IP multicast. Most multicast applications are UDP-based. This foundation results in some undesirable consequences compared to similar unicast TCP applications.

- Best-effort delivery results in occasional packet drops. Requesting retransmission of the lost data at the application layer for multicast applications is not always feasible. Many multicast applications that operate in real time may be affected by these losses:
  - Heavy drops on voice applications result in jerky, missed speech patterns that can make the content unintelligible when the drop rate gets too high.
  - Moderate to heavy drops in video are sometimes better tolerated by the human eye and appear as unusual artifacts in the picture. However, some compression algorithms may be severely affected by low drop rates, which will cause the picture to become jerky or to freeze for several seconds while the decompression algorithm recovers.
- Lack of congestion control may result in overall network degradation as the popularity of UDP-based multicast applications grows.
- Duplicate packets may occasionally be generated as multicast network topologies change. Applications must expect occasional duplicate packets to arrive and must be designed accordingly.
- Out-of-sequence delivery of packets to the application may also result during network topology changes or other network events that affect the flow of multicast traffic.
- Multicast security is still evolving. The issue of restricting multicast traffic to only a selected group of receivers to protect against eavesdropping has not yet been sufficiently resolved.

Note: Some commercial applications become possible only when reliability and security issues are fully resolved (for example, financial data delivery).
Multicast Adoption Trends

Multicast applications are emerging as the demand for them grows.

Slide: Multicast Adoption Trends (timeline of multicast deployment starting in 1986; other year labels were lost)
- Research community: MBONE
- Early adopters: NASA, DOD, Cisco, Microsoft, Sprint
- Corporate communication: HP, IBM, Intel, Ford, BMW, Dupont
- E-learning: 150 universities in the US, Hawaii, Oregon, USC, UCLA, Berkeley
- Financials: NASDAQ, NYSE, LIFE, Morgan, GS, Prudential
- MXU and content providers: Fastweb, B2, Yahoo, BBC, CNN
- Surveillance: law enforcement and federal
- IPv6 multicast: NTT, Sony, Panasonic
- Multicast VPN: C&W, MCI, AT&T, TI, FT, DT, NTT

Initially, multicast was used primarily by the research community. The first major enterprise deployments were in the financial services community. Distance learning and corporate communication were the next waves of multicast applications. Content provisioning and security surveillance are some of the more recent multicast applications.

Real-time applications of multicast include live broadcasts, financial data delivery, whiteboard collaboration, and videoconferencing. Other applications include file transfer, data and file replication, and video on demand.
Cisco Multicast Architecture

The Cisco Multicast Architecture spans from campus multicast to interdomain multicast.

Figure: Cisco Multicast Architecture. Campus multicast: IGMP between end stations and routers (hosts-to-routers), IGMP snooping on switches (Layer 2 optimization), PIM Sparse Mode or Bidirectional PIM on routers (multicast forwarding protocol), with PIM-SM, Bidir PIM, PIM-SSM and MVPN, and DR and RP roles. Interdomain multicast: MBGP for multicast routing across domains, MSDP with PIM-SM for multicast source discovery, and PIM-SSM for source specific multicast, shown between ISP A (multicast source X) and ISP B (multicast source Y).

The figure illustrates the protocols used to support multicast in the enterprise in both campus multicast solutions and in interdomain multicast solutions:
- Internet Group Management Protocol (IGMP)
- Protocol Independent Multicast (PIM)
- PIM Sparse Mode (PIM-SM)
- Bidirectional PIM (Bidir PIM)
- Multiprotocol Border Gateway Protocol (MBGP)
- Multiprotocol Virtual Private Network (MVPN)
- PIM Source Specific Multicast (PIM-SSM)
- Multicast Source Discovery Protocol (MSDP)

Note: The components in the Cisco Multicast Architecture are discussed in the three lessons in this module.
IP Multicast Group Membership

This topic explains the purpose and use of IP multicast receiver group membership and distribution trees.

Slide: IP Multicast Group Membership
- You must be a member of a group to receive its data.
- If you send to a group address, all members receive it.
- You do not have to be a member of a group to send to a group.

In normal TCP/IP routing, a packet is routed from a source address to a destination address, traversing the IP network on a hop-by-hop basis. IP multicast relies on the concept of a virtual group address. In IP multicast, the destination address of a packet is not assigned to a single destination but to a virtual group address. When receivers join a multicast group, packets addressed to the virtual group address flow to those receivers. All members of the group receive the packet. Devices can send to the group without being a member of that group. The source address of a multicast packet is always the unicast source address.

In the figure, packets that are sent to group addresses go to all group members but are not delivered to non-group members. Non-group members can send packets to a group.
Multicast Group Address Range

All IP multicast group addresses fall in the range from … through ….

Slide: Multicast Group Addresses (… to …)
- Reserved locally scoped range is … to …. Predefined addresses include: all hosts, all multicast routers, all DVMRP routers, all PIMv2 routers; …, …, …, and … are used by unicast routing protocols.
- Globally scoped range is from … to …. Reserved ranges are … to …, …/8, and …/8.
- Administratively scoped range is from … to …. Includes site-local and organization-local addresses.

The Internet Assigned Numbers Authority (IANA) has assigned the IPv4 Class D address space to be used for IP multicast group addresses. Some addresses in this range are reserved for specific functions, but most of the addresses are free for dynamic use.

Local scope addresses from … to … are reserved. Multicasts in this range are never forwarded off the local network, regardless of Time to Live (TTL). The TTL is usually set to 1. There are several predefined local multicast addresses:
- All hosts
- All multicast routers
- All Distance Vector Multicast Routing Protocol (DVMRP) routers
- All Open Shortest Path First (OSPF) routers
- All OSPF designated routers
- All Routing Information Protocol version 2 (RIPv2) routers
- All Enhanced Interior Gateway Routing Protocol (EIGRP) routers

Globally scoped addresses are addresses … through …. Some of these addresses have been reserved for use by multicast applications through IANA, including the range … to …, …/8, and …/8. The rest of the addresses in this range are transient addresses that are dynamically assigned and then returned for others to use when no longer needed.

Administratively scoped addresses are the addresses in 239/8. Administratively scoped multicast addresses are for private use within an organization. The address space is further divided into two ranges: site-local scope (…/16, with …/16, …/16, and …/16 also reserved) and organization-local scope (… to …). The normal procedure is for the enterprise network to have "multicast boundaries" configured at the borders of the network so that traffic in the 239/8 address range can neither enter nor leave the enterprise network.

IP Multicast MAC Address Mapping

IP multicast addresses are mapped to MAC addresses for forwarding through the network.

Figure: IP Multicast MAC Address Mapping (FDDI and Ethernet). The 32-bit IP address carries a 28-bit group ID; 5 bits are lost and the low-order 23 bits are copied into the 48-bit MAC address behind the 01-00-5e prefix.

The Ethernet MAC address range from 01-00-5e-00-00-00 to 01-00-5e-7f-ff-ff is available for supporting Layer 3 IP multicast addresses. The 0x01005e prefix is used for mapping Layer 3 IP multicast addresses into Layer 2 MAC addresses. Only the low-order 23 bits of the Layer 2 MAC address are used to map Layer 3 IP addresses. Because there are 28 bits of unique address space for an IP multicast address (32 minus the first four bits containing the 1110 Class D prefix), and only 23 bits are mapped into the IEEE MAC address, the IP addresses cannot be uniquely translated.
32:1 MAC Address Overlap

Figure: 32 IP multicast addresses mapping to one multicast MAC address (FDDI and Ethernet), 0x0100.5E….

Multiple Layer 3 addresses map to the same Layer 2 multicast address because the five unmapped IP address bits result in a 32:1 overlap of Layer 3 addresses to Layer 2 addresses. The figure shows one mapping of 32 IP multicast addresses to one multicast MAC address. Another example is that all of the IP multicast addresses in the following table map to the same Layer 2 multicast address of 0x0100.5e0a….

Table: IP Multicast Addresses Mapping to MAC Address 0x0100.5e0a… (the 32 address entries were lost in extraction).
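As an added example (not code from the course), the following Python implements the 23-bit mapping described above, enumerates the 32 groups that share one MAC, and runs a design check over a planned list of groups to flag Layer 2 collisions. The group addresses are constructed; 224.10.8.5 was chosen so that its MAC starts with the 0x0100.5e0a prefix used in the text.

```python
import ipaddress
from collections import defaultdict

MCAST_MAC_PREFIX = 0x01005E000000  # 01-00-5e-00-00-00, the IP multicast MAC block
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet/FDDI MAC address.

    Only the low-order 23 bits of the 28-bit group ID are copied into the MAC;
    the top 5 bits of the group ID (bits 23-27) are lost, hence the 32:1 overlap.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D (224/4) address")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW_23_BITS)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> list:
    """All 32 IPv4 multicast groups that share this group's MAC address."""
    low23 = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    # Restore the 1110 Class D prefix and walk the 5 lost bits through 0..31.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi5 << 23) | low23))
            for hi5 in range(32)]


def find_mac_collisions(groups) -> dict:
    """Design check: which of the planned groups would share a Layer 2 address.

    Returns {mac: [groups...]} for MACs used by more than one group. A NIC or
    a switch that constrains flooding on the MAC address will deliver every
    colliding group's traffic to a receiver that joined only one of them.
    """
    by_mac = defaultdict(list)
    for g in groups:
        by_mac[multicast_mac(g)].append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


if __name__ == "__main__":
    # Constructed example groups (not from the course).
    print(multicast_mac("224.10.8.5"))
    print(colliding_groups("224.10.8.5"))
    print(find_mac_collisions(["224.10.8.5", "225.138.8.5", "239.192.1.1"]))
```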
Multicast Address Assignment

Layer 3 IP multicast addresses are typically assigned statically.

Slide: Multicast Address Assignment
- Enterprise internal group address assignment:
  - Can be statically assigned by the enterprise network administrator.
  - Can use MADCAP to lease multicast addresses.
- Global group address assignment:
  - Can be assigned by IANA.
  - Can use GLOP addressing as defined in RFC 2770: the group range is 233/8, the AS number is inserted in the middle two octets of the address, and the remaining low-order octet is used for group assignment.

Since any multicast source can send to any group address and any multicast client can receive any group without regard to geography, aggregation and summarization of multicast group addresses are meaningless. Administrative or private address space can and should be used within the enterprise unless multicast traffic will be sourced to the Internet, which requires a unique group address. The multicast addresses can be allocated globally or locally:

- Enterprise internal group address assignment. Static address allocation methods are typically used by enterprise network administrators to allocate specific addresses or address ranges from the administratively scoped address range, 239/8. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) allows a client workstation to "lease" a multicast address from a MADCAP server in a manner similar to how it "leases" an IP address from a DHCP server.
- Global group address assignment. Static multicast addresses can be assigned by the IANA on a permanent basis. These are valid everywhere and in all networks. This technique permits applications and hardware devices to have these addresses "hard-coded" into their software or microcode. In the late 1990s, when native multicast was beginning to be deployed in the Internet, several content providers planned to begin multicasting some of their audio and video content. An experimental form of static address allocation was proposed by the IETF. This allocation methodology, called GLOP addressing, is defined in RFC 2770 and uses the multicast group range 233/8.

Note: GLOP is not an acronym and does not stand for anything.
250 This block was assigned by the IANA and is an experimental, statically assigned range of multicast addresses intended for use by content providers, ISPs, or anyone wishing to source content into the global Internet. GLOP addresses set the high order octet to 233 (decimal), followed by the next two octets which contain the 16-bit ASN of the content provider or ISP that is sourcing the multicast traffic, followed by remaining octet used for group assignment. IGMP Internet Group Management Protocol (IGMP) is used to dynamically register individual hosts in a multicast group on a particular LAN. Host-Router Signaling: IGMP H1 H H3 Report IGMPv1: Host sends IGMP Report to join group IGMPv2: Hosts can also send IGMP Leave Group to leave group IGMPv3: Hosts can also indicate sources of expected traffic so routers can provide source filtering Cisco Systems, Inc. All rights reserved. ARCH v Hosts send an IGMP messages to their local multicast router indicating that they are interested in joining a group. Under IGMP, routers listen to IGMP messages and periodically send out queries to discover which groups are active or inactive on a particular subnet. Members joining a group do not have to waited for a query to join; they send in an unsolicited report indicating their interest. This functionality is supported in all versions of IGMP. IGMP version 2 allows hosts to actively communicate to the local multicast router that they intend to leave the group with a leave group message. IGMP Version 3 (IGMPv3) is the third step in the evolution of IGMP. IGMPv3 adds support for "source filtering," which enables a multicast receiver host to signal to a router the groups from which it wants to receive multicast traffic, and from which sources this traffic is expected. This membership information enables Cisco IOS software to forward traffic from only those sources from which receivers requested the traffic Designing Cisco Network Service Architectures (ARCH) v Cisco Systems, Inc.
Multicast Routing

This section discusses how multicast routing works.

[Slide: Multicast Routing]
- Multicast routing is concerned with where the packet came from: the origination IP address is a known source; the destination IP address is an unknown group of receivers.
- Multicast routing is connection-oriented: receivers must first be connected to the source before traffic begins to flow.
- Connection messages follow the unicast routing table toward the multicast source.
- Paths to the source build multicast distribution trees that determine where to forward packets.
- Distribution trees are rebuilt dynamically when the network topology changes.
- RPF forwards traffic away from the source.

The multicast routing model is the reverse of unicast routing. Unicast routing is concerned with where the packet is going, while multicast routing is concerned with where the packet came from. In multicast transmissions:
- The origination IP address is a known source.
- The destination IP address is an unknown group of receivers.

Because the destination IP address of a multicast packet is a group address, it cannot be used directly to determine where to forward the packet. Multicast routing is connection-oriented: multicast traffic does not flow to the destinations until connection messages have been sent toward the source to set up the flow paths for the traffic.

Note: Multicast sources can simply start transmitting.

The collection of these paths forms the multicast distribution trees that define the path and the replication points in the network for multicast forwarding. Building the multicast distribution trees with connection messages is a dynamic process: when network topology changes occur, the distribution trees are rebuilt around failed links. Forwarding traffic away from the source, rather than toward the receiver, is called Reverse Path Forwarding (RPF). Multicast routing uses RPF to flood packets out all interfaces except the one on which packets arrive from the source.
Multicast Distribution Tree Creation

Multicast-capable routers create distribution trees that control the path that IP multicast traffic takes through the network in order to deliver traffic to all receivers.

[Figure: Multicast Distribution Tree Creation. Routers A, B, C, D and E; the source (SRC) is reached through router A and the receiver is attached to router E. Router E's unicast route table lists the source network /24 via interface E0; the Join travels from E to B to A.]
- Based on source address.
- Best path to source is found in the unicast routing table.
- Each router determines where to send the Join request.
- The Join continues toward the source to build the multicast tree.
- Multicast data flows down the tree.

The figure illustrates the creation of a multicast distribution tree based on the source address. A host sends a request to join the source. Router E selects interface E0 as the best path to the source in its unicast routing table, and E0 is added to the multicast routing entry for that group. The join request is then forwarded to Router B. Router B selects the best path to the source from its unicast routing table; it adds the interface that received the join request as an outgoing interface in the multicast routing table, and the interface it selected as the best path to the source as the incoming interface. Router B forwards the join request to Router A. In this way the join request is forwarded to the source and the tree is built, with forwarding state from the source to the receiver. Multicast data then flows from the source down the multicast distribution tree to the receiver.
RPF Overview

RPF is a key concept in multicast forwarding.

[Slide: RPF Overview]
- The source address is checked against the unicast routing table.
- If the packet arrives on the interface on the reverse path to the source, the packet is forwarded.
- Otherwise the packet is dropped.

RPF enables routers to correctly forward multicast traffic down the distribution tree. RPF uses the existing unicast routing table to determine the upstream and downstream neighbors. A router forwards a multicast packet only if it is received on the upstream interface. This RPF check helps guarantee that the distribution tree is loop-free. When a multicast packet arrives at a router, the router performs an RPF check on the packet:
- The router looks up the source address in the unicast routing table to determine whether the packet arrived on the interface that is on the reverse path back to the source.
- If the packet arrived on the interface leading back to the source, the RPF check succeeds and the packet is forwarded.
- If the RPF check fails, the packet is dropped.
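Tree creation and the RPF check together, as an added Python example (not code from the ARCH course): Joins from each receiver's router are propagated hop by hop toward the source using each router's unicast best path, and arriving packets are accepted only on the RPF interface. The topology, addresses and interface names are constructed.

```python
"""Build an (S,G) source tree by forwarding Joins toward the source, then
apply the RPF check to arriving packets.

Added example, not code from the ARCH course; the topology, addresses and
interface names below are constructed. Each router's "unicast routing table"
is a Dijkstra lookup over the link graph, so the best path to the source is
the unicast next hop, which is what Join propagation and the RPF check use.
"""
import heapq
import ipaddress

# Constructed topology: (router, router, cost). Router X's interface toward
# neighbour Y is named "X-Y"; its receiver/source LAN interface is "X-LAN".
LINKS = [("A", "B", 1), ("A", "C", 1), ("B", "D", 1), ("C", "D", 1),
         ("D", "E", 1), ("B", "E", 5)]
SOURCE_PREFIX = ipaddress.ip_network("10.1.1.0/24")  # source LAN, behind A
SOURCE_ROUTER = "A"


def neighbors(router):
    """Adjacent routers and link costs of `router`."""
    adj = {}
    for a, b, cost in LINKS:
        if a == router:
            adj[b] = cost
        elif b == router:
            adj[a] = cost
    return adj


def next_hop_toward(router, target):
    """Dijkstra from `router`; the first hop on its best path to `target`."""
    dist = {router: 0}
    first_hop = {}
    heap = [(0, router, None)]
    while heap:
        d, node, via = heapq.heappop(heap)
        if d > dist[node]:
            continue                      # stale heap entry
        for nbr, cost in neighbors(node).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first_hop[nbr] = nbr if node == router else via
                heapq.heappush(heap, (nd, nbr, first_hop[nbr]))
    return first_hop.get(target)


def rpf_interface(router, src_ip):
    """Interface on which `router` expects packets from `src_ip` (the RPF
    interface): the interface toward the source in the unicast table, or
    None when there is no route to the source."""
    if ipaddress.ip_address(src_ip) not in SOURCE_PREFIX:
        return None                       # no unicast route to the source
    if router == SOURCE_ROUTER:
        return f"{router}-LAN"            # directly connected source
    return f"{router}-{next_hop_toward(router, SOURCE_ROUTER)}"


def build_source_tree(receivers, src_ip):
    """Send an (S,G) Join from each receiver's router hop by hop toward the
    source. Returns per-router state: incoming interface and outgoing list."""
    state = {}
    for rcv in receivers:
        router, join_in = rcv, f"{rcv}-LAN"     # Join arrives from the host LAN
        while True:
            iif = rpf_interface(router, src_ip)
            entry = state.setdefault(router, {"iif": iif, "oil": []})
            if join_in not in entry["oil"]:
                entry["oil"].append(join_in)   # Join arrival port joins the OIL
            if router == SOURCE_ROUTER:
                break                          # tree reaches the first-hop router
            upstream = iif.split("-")[1]
            join_in = f"{upstream}-{router}"   # upstream port that gets the Join
            router = upstream
    return state


def rpf_check(router, src_ip, arrival_iface):
    """Forward only if the packet arrived on the RPF interface toward its source."""
    expected = rpf_interface(router, src_ip)
    return expected is not None and arrival_iface == expected


if __name__ == "__main__":
    tree = build_source_tree(["E", "C"], "10.1.1.5")
    for r in sorted(tree):
        print(r, tree[r])
    print("E-D", rpf_check("E", "10.1.1.5", "E-D"))  # True: RPF interface
    print("E-B", rpf_check("E", "10.1.1.5", "E-B"))  # False: dropped
```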
Multicast Distribution Trees

This section looks at the two types of multicast distribution trees.

IP Multicast Source Distribution Tree

The simplest form of a multicast distribution tree is a source tree, with its root at the source and branches forming a spanning tree through the network to the receivers.

[Slide: IP Multicast Source Distribution Tree (Shortest Path Tree)]
- Supports optimal paths from source to all receivers
- Minimizes delay
- Uses more memory

Because this tree uses the shortest path through the network, it is also referred to as a shortest path tree (SPT). The figure shows an example of an SPT for a group rooted at the source, host A, and connecting two receivers, hosts B and C. The special notation (S,G), pronounced "S comma G", identifies an SPT where S is the IP address of the source and G is the multicast group address. Using this notation, the SPT in the figure is written with the address of host A as S and the address of the group as G. The (S,G) notation implies that a separate SPT exists for each individual source sending to each group, which is correct. For example, if host B also sends traffic to the same group, with hosts A and C as receivers, a separate (S,G) SPT would exist with the address of host B as S.

Source trees have the advantage of creating the optimal path between the source and the receivers, which guarantees the minimum network latency for forwarding multicast traffic. However, this optimization comes at a cost: the routers must maintain path information for each source. In a network that has thousands of sources and thousands of groups, this overhead can quickly become a resource issue on the routers. Memory consumption from the size of the multicast routing table is a factor that network designers must take into consideration. The multicast routing table is required to maintain current values, called state, that determine multicast routing behavior.
Shared Distribution Tree

The other type of multicast distribution tree is the shared tree, which uses a single common root placed at some chosen point in the network.

[Slide: IP Multicast Shared Distribution Tree]
- Uses less memory
- May result in sub-optimal paths from source to all receivers
- May introduce extra delay

The shared root is called a rendezvous point (RP). The figure shows a shared tree for the group with the root located at router D. This shared tree is unidirectional. Source traffic is sent toward the RP on a source tree. The traffic is then forwarded down the shared tree from the RP to reach all of the receivers, unless a receiver is located between the source and the RP, in which case it is serviced directly. Flowing multicast traffic through an RP saves memory in the routers. Alternatively, the multicast traffic can flow through the RP first and then over the SPT. In the example, multicast traffic from the sources, hosts A and D, travels to the root (router D) and then down the shared tree to the two receivers, hosts B and C. Because all sources in the multicast group use a common shared tree, a wildcard notation written as (*,G), pronounced "star comma G", represents the tree; it is followed by an (S,G) entry whose outgoing interface list is a subset of the shared tree's. Shared trees have the advantage of requiring the minimum amount of state in each router. Their disadvantage is that, under certain circumstances, the paths between the source and the receivers might not be optimal, which can introduce some latency in packet delivery. For example, in the figure the shortest path between host A (source 1) and host B (a receiver) would be through routers A and C. Because router D is used as the root of the shared tree, the traffic must instead traverse routers A, B, D and then C.
Multicast Forwarding at Layer 2

This section discusses multicast forwarding at Layer 2.

[Slide: Layer 2 Multicast Frame Switching]
- Layer 2 switches by default flood the frame to every port on the destination LAN.
- Static entries can sometimes be set to specify which ports should receive which group(s) of multicast traffic.
- Dynamic configuration of these entries would cut down on user administration.

The default behavior of a data link layer switch is to forward all multicast traffic to every port that belongs to the destination LAN on the switch. This behavior reduces the bandwidth efficiency of the switch because it does not limit traffic to only the ports that need to receive the data. Flooding is appropriate for unknown traffic and broadcasts, but IP multicast hosts may join, and be interested in, only specific multicast groups. Forwarding multicast traffic out all ports wastes bandwidth both on the segments and on the end stations. One option is to configure the switch manually to associate a multicast MAC address with specific ports so that only these ports receive the traffic destined for that multicast group. Because IP multicast hosts dynamically join and leave groups, using IGMP to signal the multicast router, a static way of entering the multicast information does not scale. Dynamic configuration of the forwarding table of the switches is the better approach and decreases the administration required.
IGMP Snooping

IGMP snooping is an IP multicast constraining mechanism that runs on a data link layer LAN switch.

[Slide: IGMP Snooping]
- Switches are IGMP aware.
- The switch must examine the contents of IGMP messages (membership reports and leave messages) to determine which ports want what traffic.
- The switch can then forward multicast traffic more efficiently.
- Hardware support: current Cisco switches support IGMP snooping in hardware; Catalyst 6500/4500 switches support multicast packet replication in hardware.

With IGMP snooping, the Layer 2 switches are IGMP aware. IGMP snooping constrains IPv4 multicast traffic at Layer 2 by configuring the Layer 2 LAN ports dynamically to forward IPv4 multicast traffic only to those ports that want to receive it. IGMP snooping requires the LAN switch to examine, or "snoop", some network layer information, namely the IGMP Join and Leave messages in the IGMP packets sent between the hosts and a router or multilayer switch. When the switch hears an IGMP host report from a host for a particular multicast group, the switch adds the port number of the host to the associated multicast table entry. When the switch hears an IGMP leave group message from a host, the switch removes the table entry for that host. IGMP snooping is used on subnets that include end users or receiver clients.

IGMP snooping allows a Layer 2 switch to handle IP multicast more efficiently. It requires special hardware in the switches so that forwarding throughput is maintained. Current Cisco switches support IP multicast data packet forwarding using advanced application-specific integrated circuit (ASIC) switching hardware that can distinguish IGMP information packets from other packets for the multicast group. In addition, the Cisco Catalyst 6500 Series and Cisco Catalyst 4500 Series switches support multicast packet replication in hardware, which more efficiently copies multicast packets to the network interfaces where the multicast path flows diverge.
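The snooping behaviour described above, as an added Python example (not code from the ARCH course): a simulated switch learns group membership per port from IGMP Reports and Leaves, learns the router port from queries, and forwards multicast frames only to interested ports plus the router port. Port names, addresses and the parsed IGMP message records are constructed; applying IGMPv3 INCLUDE source lists in the forwarding decision is an assumption of this simulation, since many switches constrain only by group at Layer 2.

```python
"""Simulate IGMP snooping on one VLAN of a Layer 2 switch.

Added example, not code from the ARCH course. The switch snoops IGMP
messages to learn which ports want which groups, learns the router port
from IGMP queries, and forwards a multicast frame only to interested ports
plus the router port instead of flooding it. Port names, addresses and the
parsed IGMP message records are constructed. Applying IGMPv3 INCLUDE source
lists in the forwarding decision is an assumption of this simulation; many
switches constrain only by group at Layer 2.
"""
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # control groups: always flooded


class SnoopingSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.router_ports = set()          # ports on which IGMP queries were seen
        self.members = defaultdict(dict)   # group -> {port: set(sources) or None}

    def on_igmp(self, port, msg):
        """Snoop one parsed IGMP message received on `port`."""
        kind, group = msg["type"], msg.get("group")
        if kind == "query":                # a querier (multicast router) is here
            self.router_ports.add(port)
        elif kind == "report":             # IGMPv1/v2 Membership Report
            self.members[group][port] = None        # None = any source
        elif kind == "leave":              # IGMPv2 Leave Group
            self._remove(group, port)
        elif kind == "v3_include":         # IGMPv3 report with INCLUDE sources
            if msg["sources"]:
                self.members[group][port] = set(msg["sources"])
            else:
                self._remove(group, port)  # INCLUDE {} is how IGMPv3 leaves
        else:
            raise ValueError(f"unknown IGMP message type {kind!r}")

    def _remove(self, group, port):
        self.members[group].pop(port, None)
        if not self.members[group]:
            del self.members[group]

    def egress_ports(self, in_port, group, source):
        """Ports that receive a multicast frame to `group` from `source`."""
        gaddr = ipaddress.ip_address(group)
        if not gaddr.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        if gaddr in LINK_LOCAL or group not in self.members:
            out = set(self.ports)          # no membership known: default flood
        else:
            out = set(self.router_ports)   # routers always get group traffic
            for port, sources in self.members[group].items():
                if sources is None or source in sources:
                    out.add(port)
        out.discard(in_port)               # never send a frame back out its port
        return sorted(out)


if __name__ == "__main__":
    sw = SnoopingSwitch(["Gi1/1", "Gi1/2", "Gi1/3", "Gi1/4"])   # constructed
    sw.on_igmp("Gi1/1", {"type": "query"})
    sw.on_igmp("Gi1/2", {"type": "report", "group": "239.1.1.1"})
    sw.on_igmp("Gi1/3", {"type": "v3_include", "group": "239.1.1.1",
                         "sources": ["10.1.1.5"]})
    print(sw.egress_ports("Gi1/1", "239.1.1.1", "10.1.1.5"))   # ['Gi1/2', 'Gi1/3']
    sw.on_igmp("Gi1/2", {"type": "leave", "group": "239.1.1.1"})
    print(sw.egress_ports("Gi1/1", "239.1.1.1", "10.9.9.9"))   # []
```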
Summary

This topic summarizes the key points discussed in this lesson.

- IP multicast is an alternative to unicast and broadcast that sends packets to a subset of network hosts simultaneously. By requiring only a single copy of each packet to be sent on each interface, multicast helps reduce network traffic.
- The destination of an IP multicast packet is a virtual group address. Members join a group and receive multicast packets addressed to that group.
- Multicast routing uses RPF with distribution trees to control the path that IP multicast traffic takes through the network. IP multicast packets are replicated only at routers where paths diverge to reach the intended recipients.
- By default, a data link layer switch forwards all multicast traffic to every port that belongs to the destination LAN.
- IGMP snooping is a multicast control mechanism that limits multicast traffic to the ports that need to receive the data.
Lesson 2: PIM and RP Considerations

Overview

Multicast deployments require three elements: the application, the network infrastructure, and the client devices. This lesson discusses how Protocol Independent Multicast (PIM) is used in the network infrastructure. It also discusses considerations for deploying rendezvous points (RPs) in multicast networks.

Objectives

Upon completing this lesson, you will be able to design an IP multicast solution in an existing unicast infrastructure. This includes being able to meet these objectives:
- Describe the design considerations for deploying Protocol Independent Multicast (PIM)
- Describe the design considerations for deploying RPs in PIM sparse mode networks
PIM Deployment Models

This topic discusses the Protocol Independent Multicast (PIM) deployment models used to perform the multicast forwarding functions.

[Slide: Major PIM Deployment Models]
- PIM Any-Source Multicast (classical PIM-SM): uses RP, SPT, and shared tree.
- Bidirectional PIM: uses shared tree only, no SPT.
- Source Specific Multicast: uses SPT only, no RP.

PIM uses the unicast routing table to perform the Reverse Path Forwarding (RPF) check instead of building a completely independent multicast routing table. Multicast-capable routers dynamically create distribution trees that control the path the content travels through the network. PIM uses two types of multicast distribution trees: shared trees and source trees.

Note: Source trees are also called shortest path trees (SPTs).

There are three main PIM deployment models used to support multicast services and applications:
- Any-Source Multicast (ASM). ASM uses a combination of shared and source trees and rendezvous points (RPs). ASM is the classical PIM Sparse Mode (PIM-SM) deployment. The majority of deployed multicast networks use this model, although few new deployments are implementing it.
- Bidirectional PIM (Bidir PIM). Bidir PIM exclusively uses shared trees. Bidir PIM is recommended to support many-to-many host applications, and it drastically reduces the total (S,G) state information needed in the network.
- Source Specific Multicast (SSM). SSM exclusively uses source trees. SSM is recommended to support one-to-many applications. It greatly simplifies the network and eliminates the need for RP engineering.
Any-Source Multicast

ASM is also known as PIM sparse mode (PIM-SM), the traditional form of PIM deployment. PIM-SM is described in RFC

[Figure: PIM-SM Shared Tree Join. The last-hop router sends a (*,G) Join hop by hop toward the RP, building a branch of the shared tree.]

PIM-SM forwards multicast traffic only to network segments with active receivers that have explicitly requested the data. PIM-SM distributes information about active sources by forwarding data packets on shared trees. Because PIM-SM uses shared trees, at least initially, it requires an RP, which must be administratively configured in the network. Sources register with the RP, and data is then forwarded down the shared tree to the receivers. The edge routers learn about a particular source when they receive data packets from that source on the shared tree through the RP. The edge router then sends PIM (S,G) Join messages toward that source. Each router along the reverse path compares the unicast routing metric of the RP address to the metric of the source address. If the metric for the source address is better, it forwards a PIM (S,G) Join message toward the source. If the metric for the RP is the same or better, the PIM (S,G) Join message is sent in the same direction as the RP; in this case the shared tree and the source tree are considered congruent.

In the figure, an active receiver has joined multicast group G. The last-hop router knows the IP address of the RP for group G and sends a (*,G) Join for this group toward the RP. This (*,G) Join travels hop by hop to the RP, building a branch of the shared tree that extends from the RP to the last-hop router directly connected to the receiver. At this point, group G traffic can flow from the RP down the shared tree to the receiver.
PIM-SM Sender Registration

The multicast source registers with the predefined RP using sender registration.

[Figure: PIM-SM Sender Registration. The first-hop router unicasts (S,G) Register messages to the RP; the RP sends an (S,G) Join toward the source and then a unicast (S,G) Register-Stop. Legend: traffic flow, shared tree, source tree.]

As soon as an active source for group G sends a packet to its first-hop router, that router is responsible for registering the source with the RP and requesting the RP to build a tree back to it. During the sender registration process, the source's first-hop router encapsulates the multicast data from the source in a special PIM-SM message called the Register message and unicasts it to the RP. When the RP receives the Register message, it does two things:
- The RP de-encapsulates the multicast data packet inside the Register message and forwards it down the shared tree to the receivers in group G.
- The RP sends an (S,G) Join back toward the source network S to create a branch of an (S,G) shortest path tree (SPT). This results in (S,G) state being created in all the routers along the SPT, including the RP.

As soon as the SPT is built from the source router to the RP, multicast traffic begins to flow from source S to the RP. Once the RP begins receiving multicast data on the SPT from source S, it sends a Register-Stop to the first-hop router of the source to inform it that it can stop sending the unicast Register messages.
PIM-SM SPT Switchover

SPT switchover allows PIM-SM to support multicast traffic more efficiently.

[Figure: PIM-SM SPT Switchover. The last-hop router sends an (S,G) Join toward the source. Note: automatic SPT switchover in Cisco routers is supported by the default value of 0 for the SPT-threshold. Legend: traffic flow, shared tree, source tree.]

PIM-SM includes the capability for last-hop routers (that is, routers with directly connected group members) to switch to the SPT and bypass the RP if the traffic rate is above a set threshold, called the SPT-threshold.

Note: The default value of the SPT-threshold in Cisco routers is zero. If the infinity keyword is specified, all sources for the specified group use the shared tree and never switch to the source tree.

This means that the default behavior for PIM-SM leaf routers attached to active receivers is to join the SPT to the source immediately, as soon as the first packet arrives via the (*,G) shared tree. In the figure, the last-hop router sends an (S,G) Join message toward the source to join the shortest path tree and bypass the RP. The (S,G) Join messages travel hop by hop to the first-hop router (the router connected directly to the source), creating another branch of the shortest path tree. This also creates (S,G) state in all the routers along this branch of the shortest path tree.
Bidirectional PIM

Bidirectional PIM (Bidir PIM) is an enhancement of the PIM protocol that was designed for efficient many-to-many communications within an individual PIM domain.

[Slide: Bidirectional PIM]
- There are issues with many-to-many IP multicast in PIM-SM: a large number of sources creates a huge (S,G) state problem.
- Bidir PIM addresses these issues: a bidirectional shared tree delivers traffic from sources to the RP and to all other receivers.
- Benefits of Bidir PIM: less state in routers; only (*,G) state is used; the SPT is not used.
- Source traffic follows the shared tree: it flows up the shared tree to reach the RP and down the shared tree to reach all other receivers.

The shared trees created in PIM-SM are unidirectional. A source tree must be created to bring the data stream to the RP (the root of the shared tree), and only then can the data be forwarded down the branches of the shared tree to the receivers. Source data cannot flow up the shared tree toward the RP. Several multicast applications use a many-to-many model in which each participant is both a receiver and a sender. In a PIM-SM deployment, routers supporting hosts that are both source and receiver would need a source tree from each host to the RP, as well as a common shared tree from the RP for each group. In a PIM-SM domain supporting a large number of many-to-many participants, the (*,G) and (S,G) entries appear everywhere along the paths between the participants and the associated RP, resulting in increased memory and protocol overhead. The large number of sources can create a huge (S,G) state problem.

Bidir PIM allows packets to be natively forwarded from a source to the RP using shared tree state only. In bidirectional mode, traffic is routed through a bidirectional shared tree that is rooted at the RP for the group. This ensures that only (*,G) entries appear in the multicast forwarding tables. The SPTs between sources and the RP are eliminated, and the (S,G) state information is eliminated with them. With Bidir PIM, the path taken by packets flowing from a participant (whether source or receiver) to the RP, and back from the RP to the participant, is the same. Multicast groups in bidirectional mode can scale to an arbitrary number of sources with only a minimal amount of additional overhead.
Bidir PIM Example

[Figure: Bidir PIM Example. An RP, a designated forwarder (DF), a sender/receiver host and receivers; source traffic is forwarded bidirectionally on the shared tree using (*,G) state. Legend: shared tree, source traffic.]

The figure shows a bidirectional shared tree. Data from the source can flow up the shared tree (*,G) toward the RP and then down the shared tree to the receivers. There is no registration process, so no source tree (S,G) is created. Bidir PIM uses a designated forwarder (DF) so that bidirectional sources can reach the RP. The main responsibility of the DF is to decide which packets need to be forwarded upstream toward the rendezvous point. The figure shows a case where the source is also a receiver, so traffic originating from that host travels against the direction of the shared tree. This breaks the original assumption that shared trees only accept traffic on their Reverse Path Forwarding (RPF) interface toward the rendezvous point. The same shared tree is now used to distribute traffic from the rendezvous point to the receivers and from the sources to the rendezvous point, resulting in a bidirectional branch. The algorithm to elect the designated forwarder is straightforward: all the PIM neighbors in a subnet advertise their unicast route to the rendezvous point, and the router with the best route is elected. This effectively builds a shortest path between every subnet and the rendezvous point without consuming any multicast routing state, since no (S,G) entries are generated.

The RP in Bidir PIM serves only to let sources and receivers learn about each other. The IP address of the RP acts as the key that has all routers establish a loop-free spanning tree topology rooted at that IP address. This IP address need not be a router address; it can be any unassigned IP address on a network that is reachable throughout the PIM domain. Traffic from the source is forwarded hop by hop toward the RP by the DF mechanism, and joins from the receivers are also sent toward the rendezvous point.
Source Specific Multicast

Source Specific Multicast (SSM) is an extension of the PIM protocol that provides an efficient data delivery mechanism for one-to-many communications.

[Slide: Source Specific Multicast]
- SSM uses source trees only.
- Receivers are responsible for source and group discovery: receivers select what traffic they want from a group and use IGMPv3 to signal which (S,G) to join.
- RP and shared trees are not needed in the network.
- SSM solves multicast address allocation problems: flows are differentiated by both source and group, content providers can use the same group ranges, and each (S,G) flow is unique.
- Only explicitly requested flows are forwarded to receivers.

In traditional multicast implementations, source applications join an IP multicast group address and traffic is distributed to the entire IP multicast group. If two applications with different sources and receivers use the same IP multicast group address, receivers of both applications receive traffic from both senders. This can generate noticeable levels of unwanted network traffic. SSM enables a receiving client, once it has learned about a particular multicast source through a directory service, to receive content directly from the source rather than through a shared RP. In SSM, routing of multicast traffic is accomplished entirely with source trees. There are no shared trees, and therefore an RP is not required.

The prerequisite for SSM deployment is a mechanism that allows hosts to report not only the group they want to join but also the specific source in the group. This mechanism is built into the emerging IGMP version 3 standard. In an SSM-enhanced multicast network, the last-hop router (the router closest to the receiver) sees a request from a receiver to join a specific multicast source in a multicast group. The particular source is identified using the INCLUDE mode of IGMPv3. The multicast router can then send the request directly toward the specific source rather than to a common RP, as in PIM sparse mode. The first-hop router starts forwarding the multicast traffic down the SPT to the receiver as soon as the SPT is built by receiving the first (S,G) Join.

The Internet Assigned Numbers Authority (IANA) has reserved the global address range /8 for SSM applications and protocols. This assigned range simplifies address allocation for content and service providers. Providers can use the same group range to deliver content with unique flows, because routers running in SSM mode route data streams based on the full (S,G) address. Assuming that a source has a unique IP address to send on the Internet, any (S,G) from this source is also unique. The ability of SSM to explicitly include and exclude particular sources allows for a limited amount of security: traffic from a source to a group that is not explicitly listed on the INCLUDE list is not forwarded to uninterested receivers.

Note: IGMPv3 is specified in RFC An overview of SSM is provided in RFC

[Figure: SSM Join Process. Routers A through F, with the source on one side and Receiver 1 on the other. (1) The receiver learns the source and group/port from an out-of-band source directory, for example a web server. (2) The last-hop router learns the source and group/port from the receiver's IGMPv3 (S,G) Join. (3) The last-hop router sends a PIM (S,G) Join toward the source.]

The figure illustrates the SSM Join process. A receiver determines the source and group address for a multicast source. The receiver sends a source-specific IGMPv3 Join request to its closest router. The last-hop router sends a PIM (S,G) Join request toward the first-hop router closest to the source.
SSM Shortest Path Tree

[Figure: SSM Shortest Path Tree. Routers A through F; result: an SPT rooted at the source, with no shared tree.]

The first-hop router builds the SPT to the last-hop router and starts forwarding the multicast traffic down the SPT to the receiver. SSM is easy to install and provision in a network because the network does not need to keep track of which active sources are sending to multicast groups. SSM is a recommended practice for Internet broadcast-style applications.
RP Considerations

An RP is required only in networks running PIM-SM and Bidir PIM. This topic discusses considerations for deploying RPs.

Anycast RP

Anycast RP is a technique for configuring a PIM-SM network to provide fault tolerance and load sharing within a single multicast domain.

[Figure: Anycast RP. Two RPs (RP1 on router A and RP2 on router B) share the same /32 address; each serves nearby sources and receivers, and they exchange MSDP Source-Active (SA) messages. Two or more routers share the source registration process, and the RPs act as hot backups for each other.]

Anycast is a term from IPv6 that refers to an address shared by devices performing the same function, which allows routing to the closest device. There are no defined anycast addresses in IPv4. Anycast RP allows two or more RPs to share the load for source registration and to act as hot backup routers for each other. To perform the Anycast RP function in IPv4, a unicast host address (/32 mask) is assigned and then duplicated on loopback interfaces on the RPs. All the downstream routers are configured so that the IP address of their local RP is this loopback address. IP routing automatically selects the topologically closest RP for each source and receiver. Since some sources might end up using one RP and some receivers a different RP, there must be some way for the RPs to exchange information about active sources. This is done with the Multicast Source Discovery Protocol (MSDP), which is used to announce sources sending to a group. All the RPs are configured to be MSDP peers of each other, so each RP knows about the active sources in the other RP's area. If any of the RPs were to fail, IP routing would converge and one of the remaining RPs would become the active RP for both areas.

Note: The RPs are only used to set up the initial connection between sources and receivers in PIM-SM. After the last-hop routers join the shortest path tree, the RP is no longer necessary.
Static RP Addressing

Static RP addressing deployments require every router in the network to be manually configured with the IP address of a single RP.

  The RP address must be configured on every router.
  All routers must have the same RP configuration.
  RP failover is not possible except through Anycast RPs.

If this RP fails, there is no way for routers to fail over to a standby RP. The exception to this rule is when Anycast RPs are in use with MSDP running between each RP in the network.
Auto-RP

The Auto-RP protocol is a dynamic way for every router in the network to learn the RP information.

[Figure: Auto-RP RP announcements. Candidate RPs (C-RPs) C and D send Announce messages, which are flooded to the mapping agents (MA) A and B. RP announcements are multicast to group by the C-RPs.]

In Auto-RP, one or more routers are designated as RP mapping agents, which receive the RP announcement messages from candidate RPs (C-RPs) and arbitrate conflicts. The RP mapping agent then sends the consistent group-to-RP mappings to all other routers by dense mode flooding. This process allows all routers to discover automatically which RP to use for the groups they support. IANA has assigned two group addresses, and , for Auto-RP. All PIM-enabled routers automatically join the Cisco RP discovery group, , which allows them to receive all group-to-RP mapping information.

With Auto-RP, the network administrator configures one or more routers in the network to serve as the C-RPs. The C-RPs announce their willingness to serve as RP for a particular group range by periodically multicasting Auto-RP Announce messages to the Cisco Announce multicast group, .
Auto-RP: RP Discovery Messages

[Figure: Auto-RP RP discovery. Mapping agents A and B flood Discovery messages toward the C-RPs C and D and the other routers. The MA selects the RP for each group; RP discoveries are multicast by the MA to the group.]

The mapping agent is a router that joins the Cisco RP announce group, . The mapping agent listens to all RP candidate announcements and builds a table from that information. If several RPs announce themselves for a multicast group range, the mapping agent chooses the RP with the highest IP address. It then advertises the RP to all PIM routers in the network using an RP discovery message in dense mode flooding. Mapping agents send this information every 60 seconds by default. When the network routers receive one of these RP discovery messages, they store the elected RP information in their group-to-RP mapping cache so that they know which RP is active for which group range.

Note: The C-RP and the mapping agent can be on the same router.
Avoiding DM Fallback and DM Flooding

Dense mode fallback (DM fallback) is the condition of the PIM mode falling back from sparse mode, which requires an RP, to dense mode, which does not use an RP. Dense mode fallback occurs when RP information is lost. By default, PIM dense mode fallback is enabled, and a multicast group without RP information falls back to dense mode, regardless of the interface mode configuration.

Older Cisco IOS software needs all interfaces configured in sparse-dense mode:
  Use the ip pim sparse-dense-mode interface configuration command.
  Use a sink RP, or RP of last resort, to prevent groups other than and from operating in dense mode.
A newer Cisco IOS software command prevents DM fallback:
  Use the no ip pim dm-fallback global configuration command.
  Available starting with 12.3(4)T, 12.2(28)S, and 12.2(33)SRA.
A newer Cisco IOS software command prevents DM flooding:
  Use the ip pim autorp listener global configuration command.
  Available starting with 12.3(4)T, 12.2(28)S, and 12.2(33)SRA.

A previous requirement of Auto-RP was that all interfaces be configured in sparse-dense mode using the ip pim sparse-dense-mode interface configuration command. An interface configured in sparse-dense mode is treated as operating in either sparse mode or dense mode, depending on the mode in which the multicast group operates. If a multicast group has a known RP, the interface is treated in sparse mode. If a group has no known RP, the interface is treated in dense mode and data is flooded over this interface. To successfully implement Auto-RP and prevent any groups other than and from operating in dense mode in this scenario, Cisco recommends configuring a "sink RP", also known as an "RP of last resort". A sink RP is a statically configured RP that may or may not actually exist in the network.
Configuring a sink RP does not interfere with Auto-RP operation because, by default, Auto-RP messages supersede static RP configurations.

Note: The override keyword permits the statically defined RP address to take precedence over Auto-RP learned group-to-RP mapping information.
Two newer Cisco IOS software configuration commands are available to prevent DM flooding and DM fallback.

The ip pim autorp listener global configuration command causes IP multicast traffic for the two Auto-RP groups, and , to be PIM dense mode flooded across interfaces operating in PIM sparse mode. The command supports interfaces configured for PIM sparse mode operation, so that a network configuration can be established in which Auto-RP operates in PIM dense mode while multicast traffic operates in sparse mode, bidirectional mode, or SSM mode. This command is available starting with Cisco IOS software releases 12.3(4)T, 12.2(28)S, and 12.2(33)SRA.

If the ip pim autorp listener command is not supported on your devices, Cisco recommends configuring a sink RP for all possible multicast groups in the network, because it is possible for an unknown or unexpected source to become active. If no RP is configured to limit source registration, the group reverts to dense mode operation and is flooded with data.

The no ip pim dm-fallback global configuration command disables DM fallback and blocks all multicast traffic for groups not specifically configured. When IP multicast is used in mission-critical networks, you should avoid the use of PIM-DM. PIM determines whether a multicast group operates in PIM-DM or PIM sparse-dense mode based solely on the existence of RP information in the group-to-RP mapping cache. If Auto-RP is configured or a bootstrap router (BSR) is used to distribute RP information, there is a risk that RP information can be lost if all RPs, Auto-RP, or the BSR for a group fails due to network congestion. This failure can lead to the network either partially or fully falling back into PIM-DM. If a network falls back into PIM-DM, dense mode flooding occurs. Routers that lose RP information switch all existing state into dense mode, and any new state that must be created for the failed group is created in dense mode.
This command is available starting with Cisco IOS software releases 12.3(4)T, 12.2(28)S, and 12.2(33)SRA.
BSR

Bootstrap router (BSR) is another dynamic RP selection protocol that also supports interoperability between vendors.

[Figure: BSR election. Candidate BSRs (C-BSRs) A, D, and F flood BSR messages hop-by-hop through routers B, C, E, and G. The C-BSR with the highest priority is elected as the active BSR.]

BSR performs similarly to Auto-RP in that it uses candidate routers for the RP function and for relaying the RP information for a group. The network administrator configures one or more routers in the network to serve as candidate BSRs (C-BSRs). At network startup, all C-BSRs participate in the BSR election process by sending a PIM BSR message containing their BSR priority out all interfaces. This information is distributed through link-local multicast messages that travel from PIM router to PIM router, so the BSR messages are flooded hop-by-hop throughout the entire network. At the end of the BSR election interval, the C-BSR with the highest BSR priority is elected as the active BSR.

Note: The BSR election process is similar in nature to the root bridge election mechanism in the Spanning Tree Protocol.
C-RPs and BSR Messages

[Figure: C-RPs B, D, and F unicast their C-RP Advertisement messages directly to the active BSR (A); the BSR floods BSR messages hop-by-hop through C, E, and G. The BSR sends the entire list of C-RPs in periodic BSR messages.]

All routers in the network, including the C-RPs, know which C-BSR has been elected as the currently active BSR. The C-RPs unicast their C-RP Announcement messages directly to the active BSR. The active BSR stores all incoming C-RP Announcements in its group-to-RP mapping cache. The BSR then sends the entire list of C-RPs from its group-to-RP mapping cache in periodic BSR messages, which are flooded hop-by-hop throughout the entire network. As each router receives a copy of these BSR messages, it updates the information in its local group-to-RP mapping cache so that it knows the IP address of all C-RPs in the network.

However, unlike Auto-RP, where the mapping agent elects the active RP for a group range and announces the election results to the network, the BSR does not elect the active RP for a group. This task is left to each individual router in the network. Each router elects the currently active RP for a particular group range using a well-known hashing algorithm. Because each router runs the same algorithm against the same list of C-RPs, they all elect the same RP for a particular group range.
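The following Python is an added example, not course material: it models the per-router RP election described above, using the hash function of RFC 4601 section 4.7.2 and the selection order of RFC 4601 section 4.7.1 (assumed here to be the "well-known hashing algorithm" the text refers to); the C-RP addresses, group ranges, and hash mask length are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CandidateRP:
    """One C-RP entry as learned from the BSR's periodic RP-Set messages."""
    address: str          # IPv4 address of the C-RP
    group_prefix: str     # group range the C-RP is willing to serve
    priority: int = 192   # C-RP priority (RFC 4601 default); lower is preferred


def rp_hash_value(group: str, hash_mask_len: int, crp_address: str) -> int:
    """Value(G, M, C(i)) from RFC 4601 section 4.7.2.

    M is the hash mask built from the BSR's hash mask length. Because the
    input is G & M, all groups sharing the masked prefix hash to the same
    C-RP; a hash mask length of 0 sends every group to one RP.
    """
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(crp_address))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = 1103515245 * (g & mask) + 12345
    return (1103515245 * (inner ^ c) + 12345) % (1 << 31)


def elect_rp(group: str, rp_set: List[CandidateRP], hash_mask_len: int) -> Optional[str]:
    """Return the C-RP address that every router will elect as RP for `group`.

    Selection order (assumed, per RFC 4601 section 4.7.1): keep only C-RPs
    whose range covers G, prefer the most specific range, then the lowest
    priority, then the highest hash value, then the highest C-RP address.
    The result does not depend on the order of the RP-Set, which is why all
    routers agree.
    """
    g = ipaddress.IPv4Address(group)
    matching = [c for c in rp_set if g in ipaddress.IPv4Network(c.group_prefix)]
    if not matching:
        return None  # no RP known for this group: DM fallback territory
    longest = max(ipaddress.IPv4Network(c.group_prefix).prefixlen for c in matching)
    matching = [c for c in matching
                if ipaddress.IPv4Network(c.group_prefix).prefixlen == longest]
    best_priority = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best_priority]
    winner = max(matching, key=lambda c: (rp_hash_value(group, hash_mask_len, c.address),
                                          int(ipaddress.IPv4Address(c.address))))
    return winner.address


# Constructed RP-Set (example addresses, not from the course): two C-RPs that
# cover all of 224.0.0.0/4 and one that specifically serves 239.0.0.0/8.
RP_SET = [
    CandidateRP("10.1.1.1", "224.0.0.0/4"),
    CandidateRP("10.1.1.2", "224.0.0.0/4"),
    CandidateRP("10.1.1.3", "239.0.0.0/8", priority=10),
]

if __name__ == "__main__":
    for grp in ("224.1.2.3", "224.1.2.1", "232.7.7.7", "239.1.1.1"):
        print(grp, "->", elect_rp(grp, RP_SET, hash_mask_len=30))
```

With a 30-bit hash mask, groups that share their first 30 bits (224.1.2.1 and 224.1.2.3 above) land on the same RP, which matters when an application uses a block of consecutive group addresses.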
Summary

This topic summarizes the key points discussed in this lesson.

There are three major PIM deployment models:
  SSM should be used for one-to-many applications.
  Bidir should be used for many-to-many applications.
  ASM (classic PIM-SM) can be used for other general-purpose applications.
An RP is required in networks running PIM-SM. There are four common methods and technologies for deploying RPs:
  Anycast RP provides fault tolerance and load sharing within a single multicast domain.
  Static RP addressing requires every router in the network to be manually configured.
  Auto-RP is a dynamic way to learn the RP information for every router in the network.
  Bootstrap router (BSR) is another dynamic RP selection model that supports interoperability between vendors.
Lesson 3: IP Multicast Security

Overview

Multicast deployments have additional security considerations compared with unicast routing because of the multicast architecture. The factors that make multicast routing different are the state information, the replication process, the join process, and unidirectional flows. Multicast networks can use various access control mechanisms to help secure them. Both multicast security considerations and access control mechanisms are discussed in this lesson.

Objectives

Upon completing this lesson, you will be able to describe security considerations and access control mechanisms for an IP multicast network. This includes being able to meet these objectives:
  Discuss security considerations specific to multicast networks
  Describe access control mechanisms that help secure multicast networks
Security Considerations for IP Multicast

This topic describes security considerations for IP multicast implementations.

Security Goals for Multicast
  Keep the network running under misconfiguration, malfunction, and attacks.
  Manage resources: senders and receivers, rogue servers, rogue RPs.
  Account for resource utilization and service participation.
  Note: A wide range of tools and technologies is available; there is no simple mapping between goals and means.

There are different concerns with IP multicast than with unicast routing because of the difference in routing applications. The main security goal for multicast networks is to keep the network running even when there are misconfigurations, malfunctions, or network attacks such as denial of service (DoS) attacks from unknown servers. Part of multicast security involves managing network resources and access control for multiple senders and receivers by defining what multicast traffic should be allowed in the network, and protecting against rogue servers or rendezvous points (RPs) that should not legitimately be in the network. Managing network resource utilization includes accounting for multicast state information in the network and for the services participating in multicast activity. A wide range of tools and technologies can be used to manage multicast security. With the variety of concerns and tools, there is no simple mapping between goals and the means to support them.
Multicast Control and Enforcement

The slide organizes multicast control along four dimensions:
  Where (location, device): local router or switch; hop-by-hop coordinated; policy server with AAA.
  What (target): links (data plane); network devices (control plane); service content.
  Why (control type): access permission or credential; admission and resource availability.
  How (method): packet-level policing and encryption; state creation; policy.

Multicast control and enforcement looks at answering four questions:
  Why control? Network administrators want to control which users and servers have access to network resources. They may be supporting organizational policies, or protecting access to resources with permissions and credentials. Controlling admission helps manage resource availability.
  How to control? Control in multicast environments can involve methods such as managing state creation or providing packet-level control through policing, filtering, and encryption techniques.
  What are the targets? Multicast networks want to protect the service content, protect the control plane of the network devices from being overloaded, and protect the data plane of the network from overloading the links between the devices.
  Where to control? Controls can be enforced in multiple locations, but most are configured locally on a router or switch. These controls may implicitly protect the service across the network. There are also protocols that can be coordinated to provide protection on a hop-by-hop basis, and mechanisms that rely on policy servers to provide authentication, authorization, and admission (AAA).

The factors that make multicast routing different from unicast routing are the state information, the replication process, the join process, and the unidirectional flows in the multicast architecture.
Unicast and Multicast State Requirements

There are different state requirements for unicast and multicast routing.

Unicast:
  State is the unicast routing table.
  State changes only when the network topology changes.
  The CPU is active when the network topology changes.
  The CPU is not impacted by user activity.
  The network design constraint is link bandwidth.
Multicast:
  State is the unicast routing table plus multicast state information.
  State grows when a user starts an application.
  The CPU is active when application state changes and when the network topology changes.
  The CPU is impacted by user activity.
  The network design constraint is the number of applications and sources.

For unicast routing, the state in the network is the unicast routing table. The state is fairly stable and changes only when the network topology changes. The router CPU is active after network topology changes. End user activity does not impact the amount of state or the activity on the router, other than the traffic through the links. The main network design constraint is the bandwidth requirement on the links.

For multicast routing, the state includes the unicast routing state plus multicast state information. The multicast state grows when sources and receivers run multicast applications. The router CPU is active when application state changes or when network topology changes occur. Protocol Independent Multicast (PIM) and Internet Group Management Protocol (IGMP) create more periodic activity for the CPU than unicast protocols do. The network design constraint is worst-case application behavior, so the design needs to consider the number of applications and sources in the network in order to provide a secure network.
Multicast State and Replication

There are different state requirements for unicast and multicast routing.

  Ingress state per application/sender; egress state per receiver branch.
  State limits: 5000 >100,000 in hardware; 100,000 in software.
  Throughput limits: unicast is bound by the ingress packet rate; multicast by the egress packet rate, on routers and switches.
  [Figure: multicast lookup/ingress states (S1,G1 and S2,G2) fanning out to multicast egress/replication states.]

With IP multicast, there is state information associated with ingress lookups per application on a server. The memory requirement of ingress state scales with the number of applications per server. The egress state information is concerned with replication of packets to the multiple interfaces supporting receiver branches in the distribution tree. This state scales with the number of applications multiplied by the number of receiver branches on outgoing interfaces. Hardware acceleration provides the optimal multicast performance, but there are hard limits on hardware state based on the available chip sets in the platform. There are also much larger soft limits in memory on software platforms.

Throughput concerns are different in unicast and multicast routing. Unicast routing is concerned with the amount of traffic received, the ingress packet rate. Multicast routing is concerned with the egress packet rate and the ability to replicate outgoing packets. Because of the requirement for packet replication, low input packet rates can potentially overload the capacity of the router to support the egress load. Egress throughput impacts both routers and Layer 3 switches supporting IGMP snooping.
Impact of Replication on Access Control

Multicast replication has an impact on where access control is applied.

[Figure: Source X sends through R1 and R2 to switch S1, which replicates toward receivers A and B (C is elsewhere). Example: inhibit Source X to A traffic. Unicast: can filter anywhere on the path. Multicast: receivers MUST be filtered after the last replication (egress filtering); sources MUST be filtered before the first replication (ingress filtering).]

In the example, we want to inhibit receiver A from receiving traffic from Source X. For unicast, we can filter traffic anywhere along the path based on source and receiver addresses. This model does not work for multicast, because the receiver address is a group address. For multicast, filtering for receivers must always happen after the last replication point toward other potential receivers. In the figure, the filtering has to occur at the egress of switch S1 to avoid impacting receiver B. Filtering of sources should happen before the first potential replication point; this blocks the source's traffic throughout the network.
Attack Traffic in Multicast Networks

This section looks at how attack traffic is forwarded in unicast and multicast networks.

Attack Traffic from Rogue Sources to Hosts
  Unicast provides no implicit protection; this is the main reason for firewalls.
  Multicast provides implicit protection:
    SSM: no attacks possible from unwanted sources; traffic stops at the first-hop router.
    ASM: sources can attack groups; no host-specific attacks are possible.
  [Figure: unicast, SSM, and ASM/Bidir (with RP) forwarding paths.]

In unicast routing, any device can send a packet to another device. There is no implicit protection of receivers from sources. Firewalls and access control lists (ACLs) can be used to protect against unwanted traffic.

In multicast routing, source devices do not send traffic to specific devices but to a multicast group. A receiver in a branch of the network needs to explicitly join a multicast group before traffic is forwarded to that branch. Multicast therefore protects receivers implicitly against packets from unknown sources or potential attackers:
  With Source Specific Multicast (SSM), attacks from unknown sources are not possible because receivers have to join a specific host in a specific multicast group. Unwanted traffic reaches only the first-hop router closest to the source and is discarded there. This traffic does not even create state information on the first-hop router.
  With Any-Source Multicast (ASM) and Bidirectional Multicast (Bidir), an end device receives traffic only when it has joined the group. An attacker cannot target a particular host explicitly; attacks are directed against a multicast group and against the network.
Attack Traffic from Sources to Networks

Another type of network attack targets network devices.

Attack Traffic from Rogue Sources to Networks without Receivers
  PIM-SM: state attack; impacts (*,G) on the first-hop router and (S,G) on the RP.
  Bidir-PIM: not a state attack, just traffic; similar to a unicast attack on the RP; uses (*,G/m) toward the RP.
  Note: IOS IPv4 multicast may still create (*,G) state due to legacy implementations (except 6500/7600).
  [Figure: first-hop router and RP for PIM-SM and Bidir.]

Denial of service attacks can target network infrastructure devices. These attacks are often referred to as control plane attacks or state attacks; the aim of the attacker is usually to increase the amount of multicast state information in routers above a manageable level so that the device experiences extremely slow convergence or crashes. State attacks can affect ASM and Bidir multicast implementations.

Note: SSM drops traffic from unknown sources at the first-hop router closest to the source.

In traditional PIM sparse mode (PIM-SM) networks (also known as ASM networks), attacks from rogue sources increase (S,G) and (*,G) state creation on the first-hop router and the RP. The first-hop router sends unicast Register messages to the RP as a (*,G) Join that uses state. The RP joins toward the first-hop router with an (S,G) join. This state information is relatively short lived, 260 seconds by default. However, if the attacker is able to generate 100 IGMPv3 (S,G) joins a second, each carrying 10 sources, the amount of state after 260 seconds would be 260,000 state entries. One way to limit this attack is to limit the rate of Register messages to the RP.

For Bidir networks, all receiver-less traffic is carried across a single route to the RP, which is a (*,G/M) route. This attack is similar to a unicast traffic attack on the RP.
Because of older implementations, receiver-less traffic still creates new (*,G) state information, except on the Cisco Catalyst 6500 Series switches and the Cisco 7600 Series routers.
Attack Traffic from Rogue Receivers

Receivers in the network can also attack network devices.

  Attack against content: receive unauthorized content.
  Attack against bandwidth: overload network bandwidth and harm legitimate receivers.
  Attack against routers/switches: overload state tables and increase convergence times.
  [Figure: source(s), RP, and a receiver sending Join S1,G1, Join G2, and Join S2,G2.]

Multicast receivers can create state attacks for which there is no equivalent action in unicast networks. There are three types of receiver attacks:
  Attack against content. The rogue receiver attempts to gain access to content that it is not authorized to view.
  Attack against bandwidth. The receiver attempts to overload network bandwidth. This is typically against shared network bandwidth and is actually an attack against other receivers.
  Attack against routers and switches. The receiver tries to create more state information than the router or switch can handle. Processing the multiple join requests from the receiver can increase the convergence time of other state or cause the network device to reboot.
Scoped Addresses

Scoping addresses can provide some architectural security.

Scoped Addresses and TTL Boundaries
  Unicast: RFC 1918 addresses allow reuse of host addresses and provide privacy for hosts.
  Multicast: IPv4 /8 addresses provide a geographic form of access control for applications and allow reuse of group addresses.
  TTL threshold: uses the ip multicast ttl-threshold command.
  [Figure: nested scopes (Internet, company, region, site) with a /16 address range per site.]

Unicast networks have two scopes: public Internet addresses and private site addresses. RFC 1918 defines the private address ranges for IPv4. Multicast has multiple scopes, both as defined by the Internet Assigned Numbers Authority (IANA) and as deployed within an organization. IPv4 multicast supports administratively scoped definitions within the /8 address range. Organizations can use the site-local addresses and organization-local addresses as a geographic form of access control for applications with these local addresses. Routers are configured with ACLs to prevent multicast traffic in this address range from flowing outside an autonomous system (AS) or any user-defined domain. Within an autonomous system or domain, the limited scope address range can be further subdivided so that local multicast boundaries can be defined. This subdivision is called address scoping and allows for address reuse between these smaller domains.

Routers can also be configured with a time-to-live (TTL) threshold for multicast packets being forwarded out an interface by using the ip multicast ttl-threshold command in interface configuration mode. This command allows only packets with a TTL value greater than the threshold to be forwarded out the interface. One common example is setting the TTL threshold on a border router to 200, which is a very high value. Because most multicast applications set the TTL value well below 200, no packets are forwarded out the interface.
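The following Python is an added example, not course material: it models how a TTL threshold and a scoped-address boundary ACL combine along a path from a site toward the Internet, including the edge case that a TTL equal to the threshold is not forwarded. The router names and thresholds are constructed, and the scoped range 239.0.0.0/8 is taken from RFC 2365, not from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 2365 administratively scoped IPv4 multicast range (assumption, not from the page).
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")


@dataclass
class Router:
    """A router on the path toward the Internet (constructed example)."""
    name: str
    ttl_threshold: int = 0          # ip multicast ttl-threshold on the upstream interface
    scoped_boundary: bool = False   # True if an ACL blocks ADMIN_SCOPED on that interface


def forwards(router: Router, group: str, ttl: int) -> bool:
    """Would `router` forward a packet for `group` out its upstream interface?

    Follows the rule in the text: only packets whose TTL is greater than the
    interface threshold are forwarded, and a scope boundary ACL drops
    administratively scoped groups regardless of TTL.
    """
    if router.scoped_boundary and ipaddress.IPv4Address(group) in ADMIN_SCOPED:
        return False
    return ttl > router.ttl_threshold


def last_hop_reached(path: List[Router], group: str, initial_ttl: int) -> Optional[str]:
    """Return the name of the last router that forwarded the packet upstream.

    Returns None if the first router already dropped it. Each router
    decrements the TTL by one before its egress check (standard IP
    forwarding; assumed here for the model).
    """
    ttl = initial_ttl
    last = None
    for router in path:
        ttl -= 1
        if ttl <= 0 or not forwards(router, group, ttl):
            break
        last = router.name
    return last


# Constructed path: site edge, regional edge, and the company border with the
# threshold of 200 that the text describes, plus a scoped-address boundary.
PATH = [
    Router("site-edge", ttl_threshold=16),
    Router("region-edge", ttl_threshold=64),
    Router("company-border", ttl_threshold=200, scoped_boundary=True),
]

if __name__ == "__main__":
    for group, ttl in (("224.1.1.1", 127), ("239.1.1.1", 255), ("224.1.1.1", 255),
                       ("224.1.1.1", 17)):
        print(group, ttl, "->", last_hop_reached(PATH, group, ttl))
```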
Multicast Access Control

One mechanism to secure IP multicast networks is with access controls.

Packet Filter Based Access Control
  ip access-group [in | out]
  [Figure: packets from a network engineer's host with DA and SA labels arriving at interface E0.]
  Allow just IP multicast traffic from a well-known address range and to a well-known group range:

    ip access-list extended source
     permit ip host
     deny ip any log
     deny ip any any log
    interface ethernet0
     ip address
     ip access-group source in

  The ACL is hardware installed on most platforms. It filters before multicast routing, so no state creation is needed. Typical use is for ingress traffic.

Cisco IOS software supports packet filter based ACLs that can help control traffic in a multicast network. These ACLs are typically implemented in hardware on most router platforms. Because the packet-based ACL is deployed at the network ingress interface, on the data plane and before multicast processing, no state is created for dropped traffic. Although packet filters can also filter on the outbound side, protocol filtering is typically preferred for egress traffic. The main advantage of this approach is simplicity and clarity. The drawback is having to apply an ACL to every inbound interface a multicast source might be on, including all user or server subnets.
Host Receiver Side Access Control

IGMP access groups can be used to provide host receiver side access control.

Host Receiver Side Access Control
  ip igmp access-group
  Filters groups/channels in IGMP membership reports.
  Controls entries into the IGMP cache.
  Deny is only effective if protocol = ip.
  [Figure: hosts H1 and H2 sending IGMP Reports to the router.]

    ip access-list extended allowed-multicast-igmp
     permit ip any host          ! Like a simple ACL
     permit ip
     deny ip any any
    interface ethernet 0
     ip igmp access-group allowed-multicast-igmp

Network administrators can use the ip igmp access-group command to filter groups from IGMP reports by use of a standard access list, or to filter sources and groups from IGMPv3 reports by use of an extended access list. This command allows filtering to control the allowed receivers and the groups they join or the (S,G) channels. When an IGMP extended access list is referenced in the ip igmp access-group command on an interface, the (S,G) pairs in the permit and deny statements of the extended access list are matched against the (S,G) pair of the IGMP reports received on the interface. The first part of the extended access list clause controls the source (multicast sender), and the second part controls the multicast group.

Specifically, if an IGMP report with (S1, S2...Sn, G) is received, first the group (0, G) is checked against the access list statements. If the group is denied, the entire IGMP report is denied. If the group is permitted, each individual (S,G) pair is checked against the access list. Denied sources are taken out of the IGMP report, thereby denying any sources that match the access list from sending to the group.

The ACL in the figure controls entries into the IGMP cache by allowing IGMP from any host to join group , and from any host in network /8 to join groups in the 232.x.x.x range.
PIM-SM Source Control

A candidate RP router can filter PIM Register messages using the ip pim accept-register command in global configuration mode.

PIM-SM Source Control
    ip pim accept-register list 10
    access-list 10 permit

  [Figure: an unwanted sender sends source traffic to the first-hop router, which sends a Register to the RP; the RP answers with a Register-Stop.]
  Unknown source traffic hits the first-hop router.
  The first-hop router creates (S,G) state and sends a Register to the RP.
  The RP rejects the Register and sends back a Register-Stop.
  Limited RP-based access control for (S,G) in PIM-SM is provided:
    (S,G) state on the first-hop router is still created.
    (S,G) traffic is still sent to local receivers.

This command is used to prevent unauthorized sources from registering with the RP. If an unauthorized source sends a Register message to the RP, the RP immediately sends back a Register-Stop message. The filter can be on the source address in a standard ACL or on the (S,G) pair in an extended ACL. This allows for a limited form of centralized source control with PIM-SM. However, it does not inhibit (S,G) state creation on the first-hop router, and receivers on the same first-hop router still receive traffic from invalid sources.
Disabling Multicast Groups

Cisco IOS software supports disabling multicast groups by range for IPv6.

Disabling Multicast Groups
  New global commands support selectively enabling multicast groups:
    ipv6 multicast group-range access-list-name (12.4T)
    ip multicast group-range access-list-name (future)
  The command disables all operations for groups denied by the ACL:
    Drop or ignore the group in all control packets.
    Do not create state information.
    Drop all data packets.

The ipv6 multicast group-range access-list-name command in global configuration mode allows a network administrator to specify an authorized group range. With this command, multicast protocol actions and traffic forwarding for unauthorized groups or channels are disabled on all the interfaces of the router when the group is denied by the ACL:
  All control packets are dropped.
  No state information is created.
  All data packets are dropped on hardware-discarding platforms.

The command is supported in Cisco IOS software release 12.4(4)T for IPv6. Support for IPv4 is planned for the future.
Summary

This topic summarizes the key points discussed in this lesson.

Multicast has additional security considerations compared to unicast routing:
- Unlike unicast networks, multicast state grows when sources and receivers run multicast applications.
- Multicast routing is concerned with the egress packet rate and the ability to replicate outgoing packets.
- SSM deployments provide the most protection from DoS attacks.
- Multicast scoping allows organizations to use site-local and organization-local addresses as a geographic form of access control.

Access control mechanisms help secure multicast networks:
- Packet-filter ACLs deny traffic at the network ingress.
- Host receiver-side access control filters channels and groups in IGMP membership reports.
- The PIM accept-register filter provides a limited form of centralized source control.
- The IPv6 multicast group-range command provides a simple way to selectively enable multicast groups.
Module Summary

This topic summarizes the key points discussed in this module.
- Multicast communications allow hosts to send packets to a group of receivers.
- The three major PIM deployment models are SSM, used for one-to-many applications; Bidir PIM, used for many-to-many applications; and PIM-SM, used for general-purpose applications.
- Multicast security considerations include state information, the packet replication process, the join process, and address scoping.
- Access control mechanisms can help secure multicast networks.

References

For additional information, refer to these resources:
- Cisco Systems, Inc. RST-1261: Introduction to IP Multicast. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. RST-2261: Deploying IP Multicast. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. RST-2262: Multicast Security. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. IP Multicast Technology Overview.
- Cisco Systems, Inc. Bidirectional PIM Deployment Guide (d80310db2.pdf).
- Cisco Systems, Inc. Guidelines for Enterprise IP Multicast Address Allocation (d80310d68.pdf).
- Cisco Systems, Inc. Cisco IOS IP Multicast Configuration Guide, Release 12.4 (b9f.html).
- The Internet Engineering Task Force. RFC 1112: Host Extensions for IP Multicasting.
- The Internet Engineering Task Force. RFC 3376: Internet Group Management Protocol, Version 3.
- The Internet Engineering Task Force. RFC 3569: An Overview of Source-Specific Multicast (SSM).
Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) What differentiates IP multicast from other transmission modes? (Source: IP Multicast Review)
A) IP multicast sends packets to a single host.
B) IP multicast sends packets to a subset of hosts.
C) IP multicast sends packets to all hosts sequentially.
D) IP multicast sends packets to all hosts simultaneously.

Q2) What is a benefit of using IP multicast to deliver source traffic to multiple receivers? (Source: IP Multicast Review)
A) It guarantees packet delivery.
B) It reduces network bandwidth consumption.
C) It is highly efficient for sending single-stream application traffic.
D) It replicates packets at all network devices to enable multiple client requests.

Q3) Where in the network are IP multicast packets replicated? (Source: IP Multicast Review)
A) at the source
B) at the destination
C) at routers where the paths to the recipients diverge
D) at each router included in the path to each recipient

Q4) In order for a broadcast to flood packets out all interfaces, except those incoming from the source, multicast routing utilizes ______. (Source: IP Multicast Review)
A) unicasts
B) multicast routers
C) RPF
D) OSPF
E) SPT

Q5) What is one potential drawback of source distribution trees compared to shared distribution trees? (Source: IP Multicast Review)
A) increased latency
B) increased memory overhead
C) suboptimal path calculations
D) increased bandwidth utilization

Q6) What purpose is served by IGMP in IP multicast? (Source: IP Multicast Review)
A) IGMP performs the RPF check.
B) IGMP registers hosts in a multicast group.
C) IGMP provides reliable multicast transport.
D) IGMP performs the multicast forwarding function.

Q7) What is an SPT in multicast networking? (Choose two.) (Source: IP Multicast Review)
A) shared path tree
B) shortest path tree
C) source distribution tree
D) shared distribution tree
E) source path tree
F) spanning path tree

Q8) In what type of environment would PIM-SSM be used efficiently? (Source: PIM and RP Considerations)
A) deployments that use shared distribution trees
B) deployments where switches are used pervasively
C) deployments where only a few receivers need IP multicast content
D) one-to-many applications
E) many-to-many applications

Q9) In what type of environment would Bidir PIM be used efficiently? (Source: PIM and RP Considerations)
A) deployments that use shared distribution trees
B) deployments where switches are used pervasively
C) deployments where only a few receivers need IP multicast content
D) one-to-many applications
E) many-to-many applications

Q10) What are three characteristics of ASM? (Choose three.) (Source: PIM and RP Considerations)
A) RPs are not needed.
B) It is also known as PIM-SSM.
C) Deployments use shared distribution trees.
D) Deployments use source distribution trees.
E) It is the traditional form of PIM deployment.

Q11) What are three characteristics of Bidir PIM? (Choose three.) (Source: PIM and RP Considerations)
A) RPs are not needed.
B) It is also known as PIM-SSM.
C) Deployments use shared distribution trees.
D) Deployments use source distribution trees.
E) It is the traditional form of PIM deployment.

Q12) What deployment model does not track (S,G) state? (Source: PIM and RP Considerations)
A) Anycast RP
B) ASM
C) Bidir PIM
D) PIM-SM
E) SSM

Q13) What are three characteristics of Anycast RP? (Choose three.) (Source: PIM and RP Considerations)
A) It uses the and group addresses.
B) It uses MSDP.
C) It uses a unicast host address with a /32 mask.
D) It is a technique for configuring a PIM-SM network to provide fault tolerance and load sharing within a single multicast domain.
E) It is a technique for configuring a PIM-SM network to provide fault tolerance and load sharing across domains.

Q14) What command causes IP multicast traffic for the two Auto-RP groups to be flooded in PIM dense mode across interfaces operating in PIM sparse mode? (Source: PIM and RP Considerations)
A) ip pim sparse-dense-mode
B) ip pim sparse-dense-mode override
C) ip pim autorp listener
D) ip pim dm-fallback
E) no ip pim dm-fallback

Q15) What protocol uses mapping agents? (Source: PIM and RP Considerations)
A) Anycast RP
B) Auto-RP
C) BSR
D) C-RP
E) DM fallback
F) MSDP

Q16) What two protocols use candidate RPs? (Choose two.) (Source: PIM and RP Considerations)
A) Anycast RP
B) Auto-RP
C) BSR
D) C-BSR
E) DM fallback
F) MSDP

Q17) What is the default value of the SPT threshold in Cisco routers? (Source: PIM and RP Considerations)
A) zero
B) one
C) two
D) four
E) sixteen

Q18) What are three characteristics of multicast state information? (Choose three.) (Source: IP Multicast Security)
A) It does not include the unicast routing state information.
B) It grows when sources and receivers run multicast applications.
C) It includes the unicast routing state information.
D) It only changes when the network topology changes.
E) State changes do not impact CPU utilization.
F) State changes impact CPU utilization.

Q19) Which two deployments are more susceptible to attacks from unknown sources? (Choose two.) (Source: IP Multicast Security)
A) ASM
B) Bidir PIM
C) PIM-SM RP
D) RP switchover
E) SSM

Q20) How is packet-filter-based access control typically deployed? (Source: IP Multicast Security)
A) at the network egress interface on the control plane after multicast processing
B) at the network egress interface on the data plane after multicast processing
C) at the network ingress interface on the control plane before multicast processing
D) at the network ingress interface on the data plane before multicast processing

Q21) What command is used to prevent unauthorized sources from registering with the RP? (Source: IP Multicast Security)
A) ip igmp accept-rp
B) ip pim register-rp
C) ip pim accept-register
D) ip igmp access-group
E) ip multicast group-range access-list-name
Module Self-Check Answer Key

Q1) B
Q2) B
Q3) C
Q4) C
Q5) B
Q6) B
Q7) B, C
Q8) D
Q9) E
Q10) C, D, E
Q11) A, C
Q12) C
Q13) B, C, D
Q14) C
Q15) B
Q16) B, C
Q17) A
Q18) B, C, F
Q19) A, B
Q20) D
Q21) C
Module 11

Voice Over WLAN Design

Overview

Wireless LANs (WLANs) are rapidly becoming pervasive among enterprises. The availability of wireless voice clients, the introduction of dual-mode (wireless and cellular) smart phones, and the increased productivity realized by enabling a mobile workforce are moving enterprises to implement voice over WLAN (VoWLAN). This module looks at the requirements for enterprise VoWLAN. It also looks at site surveys and the basic core design principles needed when deploying a wireless LAN infrastructure to support voice applications. Even if a business does not initially take advantage of voice services, having a network that is capable of supporting them for future use is important for protecting the upfront investment in infrastructure and services.

Module Objectives

Upon completing this module, you will be able to design enterprise solutions for IP telephony, given enterprise network needs. This ability includes being able to meet these objectives:
- Describe the Cisco voice-ready architecture for supporting VoWLANs
- Discuss VoWLAN coverage concerns and RF survey requirements
- Describe VoWLAN infrastructure considerations
Lesson 1

VoWLAN in the Enterprise

Overview

This lesson identifies the drivers for voice over WLAN (VoWLAN) in the enterprise and gives an overview of how voice requirements must be taken into consideration to create a voice-ready WLAN.

Objectives

Upon completing this lesson, you will be able to discuss drivers for enterprise VoWLAN solutions and describe how voice requirements are supported in a voice-ready WLAN. This ability includes being able to meet these objectives:
- Identify drivers for VoWLAN deployments
- Identify how voice requirements influence a voice-ready WLAN
VoWLAN Drivers

This topic discusses drivers for VoWLAN.

The wireless network infrastructure includes access points, antennas, and wireless endpoint devices, including wireless network interface cards (NICs) and wireless phones such as the Cisco 7921G Wireless IP Phone. The infrastructure can support various client types, such as hardware phones and software phones. Like wired LANs, WLANs enable devices to transmit data, voice, and video at data rates up to 54 Mbps.

Cisco Unified Wireless Network Review

The Cisco Unified Wireless Network incorporates advanced features that elevate a wireless deployment from a means of efficient data connectivity to a secure, converged communications network for voice and data applications. It is composed of five interconnected elements that work together to deliver a unified end-to-end enterprise-class wireless solution:
- Client devices
- Access points
- Network unification
- Network management
- Mobility services

Beginning with a base of client devices, each element adds capabilities as network needs evolve and grow, interconnecting with the elements above and below it to create a comprehensive, secure WLAN solution.

Client devices: More than 90 percent of shipping client devices are certified as Cisco Compatible, supporting the advanced features of Cisco infrastructure equipment. Secure client devices provide out-of-the-box wireless security through Cisco Compatible Certified components.
Access points: Dynamically configured access points provide ubiquitous network access in all environments. Plug-and-play deployment with the Lightweight Access Point Protocol (LWAPP) enhances productivity. Cisco access points are a proven platform with a large installed base and market-share leadership. All Cisco controller-based access points support mobility services, such as fast secure roaming for voice and location services for real-time network visibility.

Network unification: Integration of the wired and wireless network is critical for unified network control, scalability, security, and reliability. Seamless functionality is provided through wireless integration into all major switching and routing platforms, including Cisco Wireless LAN Controller appliances, Cisco Wireless LAN Controller Modules for Integrated Services Routers, and the Cisco Catalyst 6500 Series Wireless Services Module (WiSM).

World-class network management: The same level of security, scalability, reliability, ease of deployment, and management for WLANs as for wired LANs is provided through network management systems such as the Cisco Wireless Control System (WCS), which visualizes and helps manage the air space. Location services are provided by the Cisco Wireless Location Appliance.

Mobility services: Unified mobility services deliver enhanced mobility services, including advanced security threat detection and mitigation, voice services such as those discussed briefly in this module, location services, and guest access.

Benefits of the Cisco Unified Wireless Network architecture include ease of deployment and upgrades, reliable connectivity through dynamic RF management, optimized per-user performance through user load balancing, guest networking, Layer 2 and Layer 3 roaming, an embedded wireless intrusion detection system (IDS), location services, voice over IP, lowered total cost of ownership (TCO), and wired and wireless unification.
An enterprise network can start with the base components of client devices, controller-based access points, and wireless LAN controllers (WLCs). As an organization's wireless networking requirements grow, it can add further elements, such as Cisco WCS and the Cisco Wireless Location Appliance.

Cisco WCS is an optional network management component that works in conjunction with Cisco controller-based access points and Cisco Wireless LAN Controllers. With Cisco WCS, network administrators have a single solution for RF prediction, policy provisioning, network optimization, troubleshooting, user tracking, security monitoring, and WLAN systems management. Cisco WCS includes tools for WLAN planning and design, RF management, basic location tracking, intrusion detection, and WLAN systems configuration, monitoring, and management.

The Cisco Wireless Location Appliance integrates with Cisco WCS for enhanced location tracking of many wireless devices to within a few meters. The appliance also records historical location information that can be used for location trending, rapid problem resolution, and RF capacity management.
VoWLAN Drivers in the Enterprise

There are several drivers for VoWLAN in the enterprise. WLANs are pervasive among enterprises, and voice over IP (VoIP) deployments offer a rich set of features, so organizations are looking to combine the two technologies in VoWLAN to improve productivity and reduce costs. VoWLAN deployments provide multiple benefits:
- Enable access to enterprise unified communications, supporting one phone number and one voicemail box.
- Help employees eliminate missed calls by providing mobility within a building or campus.
- Help organizations gain control over mobile communications costs by leveraging least-cost call routing and call detail recording.
- Provide a consistent user experience for improved user satisfaction.

These factors, coupled with the availability of wireless voice clients and the introduction of dual-mode (wireless and cellular) smart phones, are moving enterprises to implement VoWLANs.

Note: A report by Infonetics Research, Inc. projects that voice will be a driver in 30% of all WLAN sales by the end of
Alternative to VoWLAN: Cell Phones

One alternative to VoWLAN is a cell phone solution. Cell phones can support the mobility requirements of VoWLAN, and cell phone solutions currently have a few advantages compared to VoWLAN:
- There is a good selection of cell phones available.
- Multiple carriers can provide cell phone service.

However, cell phone solutions have some disadvantages:
- There is no access to enterprise voice applications such as the corporate directory.
- Using both a cell phone and a VoIP phone leads to multiple phone numbers and multiple mailboxes; productivity may decrease as users retrieve duplicate voicemails.
- There may be security concerns with mobile phones that are not managed by the organization.

Although there is currently no seamless handoff on a dual-mode phone, dual-mode smart phones will likely replace cell phones in the future. Organizations are now looking at making their WLANs voice-ready for current or future use in order to protect the upfront investment in infrastructure and services.
Voice-Ready Architecture

This topic discusses a voice-ready architecture.

Voice Service Requirements

Voice has stringent performance requirements:
- Digitized voice is a sampling of an analog signal and is sensitive to delays during transit.
- End-to-end transit time should be less than 150 ms.
- Variation in transit delay causes jitter.
- Use end-to-end QoS to minimize delay and jitter.

Voice services place stringent performance requirements on the entire network. Because digitized voice is a sampling of verbal communication, which is an analog signal, the transmission of digitized voice is very sensitive to delays during transit.

Voice requires a pervasive deployment: the network needs continuous coverage everywhere a client may roam, to avoid dead spots or gaps in coverage that could cause a call to drop. This differs from the traditional data-only approach because data applications are far more tolerant of brief network interruptions.

For voice to work correctly over any infrastructure, the end-to-end transit time (the cumulative time to encode the packet, leave the sending client, traverse the network, and be decoded at the receiving client) must be less than 150 ms. Quality of service (QoS) for a VoIP call must be maintained whether the call is delivered to a wired or a wireless endpoint. Variation in the arrival time of the received packets, which shows up as timing variation in the reconstituted signal, is known as jitter. Minimizing end-to-end delay and jitter for VoIP packets is critical to providing optimal audio quality. To maintain QoS, establishing priority across the VoWLAN and translating the packet priority between the wireless and wired infrastructure during transit are critical requirements.
Cisco Voice-Ready Architecture

Voice-ready wireless is an end-to-end solution approach that addresses the convergence of VoIP and wireless networks and allows enterprises to flexibly extend the mobility benefits of wireless networks to their voice communications.

The Cisco voice-ready architecture builds upon the highly scalable, low-total-cost-of-ownership Cisco Unified Wireless Network. It is designed to support the pervasive deployments that are typical of customers with mobile voice applications. Innovative features in the solution, such as end-to-end quality of service and fast secure roaming, backed by a portfolio of access points with enhanced radios, make the Cisco Unified Wireless Network voice-ready.

The Cisco voice-ready architecture has four main components:
- VoWLAN clients: wireless IP phones from Cisco or from vendors supporting Cisco Compatible Extensions. The Cisco IP Communicator software application on a laptop can also function as a VoWLAN client.
- Voice-ready WLAN: the wireless network infrastructure, including access points and antennas. The voice-ready WLAN provides optimized packet handling in the radio frequency (RF) network.
- Unified wired/wireless LAN infrastructure: provides wired and wireless end-to-end prioritization and classification of voice, and includes management tools to control delay, roam time, and packet loss.
- Cisco Unified Communications and mobility applications: support increased call capacity, higher network availability, and improved performance for all clients.

The infrastructure supports converged voice and data on wired and wireless networks for end-to-end intelligent integration.
Voice Impact on WLANs

WLANs are based on a random-access protocol, allow clients to roam freely, and are a medium shared among all wireless devices; they are typically implemented with security protocols. Adding voice services to a WLAN therefore has implications in several design areas:
- RF coverage requirements and deployment planning
- Network infrastructure and logical subnet design
- Wireless "over-the-air" quality of service (QoS)
- Network security architecture
- VoWLAN client requirements

These topics are discussed in the VoWLAN Coverage and RF Survey and VoWLAN Infrastructure Considerations lessons.
Summary

This topic summarizes the key points discussed in this lesson.
- Organizations are looking to combine WLAN and VoIP technologies in VoWLANs to improve productivity and reduce costs.
- The Cisco voice-ready architecture is an end-to-end solution approach that allows enterprises to flexibly extend the mobility benefits of wireless networks to their voice communications.
Lesson 2

VoWLAN Coverage and RF Survey

Overview

To deploy a WLAN that is ready for voice services, the design needs to anticipate the mobile nature of voice clients and the minimum expectation that calls will not be dropped as users roam across a building or campus. This means that the network must be deployed pervasively, with continuous coverage in the areas where voice services are planned. This lesson identifies the methodology and the concepts involved in conducting and documenting a proper site survey for a pervasive voice over WLAN (VoWLAN).

Objectives

Upon completing this lesson, you will be able to determine customer needs as part of the preparation for designing and deploying a VoWLAN. This ability includes being able to meet these objectives:
- Identify enterprise VoWLAN coverage considerations
- Describe steps for performing and verifying a VoWLAN site survey
Enterprise VoWLAN Coverage Considerations

Voice clients are mobile by nature, and users expect that calls will not be dropped as they roam across a building or campus. The slide illustrates pervasive coverage across a floor plan: offices, cubes, conference rooms, a test lab, a VIP (CEO) office, a file/supply room with large filing or metal cabinets, a break room with microwave ovens (2450 MHz), elevator shafts, and stairwells in reinforced building areas.

This means that the network must be deployed pervasively, with continuous coverage in the areas where voice services are planned. Areas such as main lobbies, employee entrances, parking garages and lots, courtyards, and break, copy, supply, storage, and cage rooms will need WLAN coverage when voice clients are deployed on the campus. Additional consideration should be given to providing coverage in stairwells, walkways, and elevators, since these are areas where it is reasonable to conduct a business conversation. The Cisco Unified Wireless Network provides an extensive product line that satisfies coverage requirements ranging from a single floor of a building to complete campus coverage, both indoors and outdoors.

Equally important to end-user satisfaction is setting the proper expectations for voice usage. Many customers believe that coverage expectations have been established by the cellular service available onsite, and that WLAN availability and coverage should be significantly more pervasive than that cellular benchmark. Creating predictable service is also important: users expect Wi-Fi phones to operate at least with the same quality as a cellular handset, and ideally as well as a landline phone. The WLAN therefore has to minimize interference in order to optimize call quality.

Although many network administrators have already performed RF site surveys for their initial data WLAN deployments, wireless IP phones have somewhat different roaming characteristics and RF coverage requirements than data devices. Network administrators must perform a second site survey for voice to prepare for the performance requirements of wireless IP phones. This second survey gives them the opportunity to tune the access points so that the wireless IP phones have enough RF coverage and bandwidth to provide proper voice quality. Factors to examine in the survey include signal-to-noise ratio and nonoverlapping channel deployment.
Signal-to-Noise Ratio

Voice-ready wireless service is concerned with the noise level within a wireless cell. The slide gives the targets for a voice cell:
- Signal of -67 dBm or higher
- Packet error rate no higher than 1%
- Minimum SNR of 25 dB (with a -67 dBm signal, that means a noise level of -92 dBm or lower)
- Adding signal does not always increase SNR

Noise levels vary from site to site and between locations within a site. The noise level affects the ability of a radio to receive data or voice packets. Noise is defined as a signal that is not in IEEE 802.11 Direct Sequence Spread Spectrum (DSSS) format but is in the frequency range of the channel configured on the access point. Noise can originate from a 2.4-GHz frequency-hopping radio, a 2.4-GHz or 5-GHz wireless phone, a ham radio, a microwave oven, or a Bluetooth radio. Signals from a distant out-of-network 802.11b/g or 802.11a radio may also be seen as noise. Any signal that the access point cannot decode is considered noise.

If the signal strength of a valid packet is higher than the receiver threshold of the access point radio or the client device radio, the packet is decoded. Received signal sensitivity is measured in dBm, the power ratio in decibels (dB) of the measured power referenced to one milliwatt. Most radios have a receiver sensitivity of -94 dBm to -85 dBm at a data rate of 1 Mbps (the lower the dBm value, the better the receiver sensitivity of the radio). Receiver sensitivity changes with data rate; for example, an access point radio might have a receiver sensitivity of -94 dBm at 1 Mbps but only -84 dBm at 11 Mbps.

The access point discards random data traffic: valid packets that can be decoded but are not from clients associated with the access point. Random data traffic can originate from the shared medium or from a client device transmitting at a data rate that the access point does not support.
Acceptable SNR values vary with the data rate of the signal. The figure shows recommended SNR values for data-only cells and for VoWLAN cells at 2.4 GHz; the 54 Mbps row reads:

Data rate (Mbps) | Data cell: min. signal (dBm) | Data cell: min. SNR (dB) | VoWLAN cell: min. signal (dBm) | VoWLAN cell: min. SNR (dB)
54               | -71                          | 25                       | -56                            |

A high-data-rate signal needs a larger separation from noise than a low-data-rate signal, and a VoWLAN cell requires additional signal strength and SNR compared to a data-only cell. The goal is to target the higher data rates exclusively (such as 11 Mbps for 802.11b) to improve data throughput, reduce packet delay, and reduce the RF cell size.
Example: Signal-to-Noise Ratio from the Cisco Aironet Site Survey Utility

The figure shows the noise level, signal strength, and signal-to-noise ratio (SNR) at a specific location within a wireless cell, as measured by the Cisco Aironet Desktop Utility with a Cisco 802.11a/b/g client adapter. The signal strength is -74 dBm, the noise level is -95 dBm, and the SNR is 21 dB. Since the noise level reported by the Aironet Desktop Utility is -95 dBm and the 802.11a/b/g receiver sensitivity at 11 Mbps is -90 dBm, there is a 5 dB margin at the receiver. The signal strength of -74 dBm less the noise level of -95 dBm gives the SNR of 21 dB reported by the utility. The higher the SNR, the better the phones can communicate with the access point.
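A survey produces many readings like the one in the figure, and each has to be judged against the voice-cell targets on the slide rather than eyeballed. The following is an added example and not Cisco's survey tool: a Python checker that computes SNR and the receiver-sensitivity margin exactly as the text does (signal minus noise; sensitivity minus noise) and flags a survey point that misses the -67 dBm signal target or the 25 dB SNR target. The locations, readings and the per-rate sensitivity default are constructed; the first sample reproduces the numbers from the Aironet Desktop Utility screenshot above.

```python
# Added example, not Cisco's survey tool: checks one survey reading against
# the voice-cell targets on the slide (signal -67 dBm or stronger, SNR at
# least 25 dB) and the receiver-sensitivity margin discussed with the
# Aironet screenshot. Locations and readings below are constructed.
from dataclasses import dataclass
from typing import List

VOICE_MIN_SIGNAL_DBM = -67          # slide: "Signal of -67 dBm or higher"
VOICE_MIN_SNR_DB = 25               # slide: "Minimum SNR of 25 dB"
RX_SENSITIVITY_11MBPS_DBM = -90     # text: 802.11a/b/g adapter at 11 Mbps


@dataclass(frozen=True)
class Sample:
    location: str
    signal_dbm: float   # RSSI of the serving access point
    noise_dbm: float    # noise floor reported by the survey tool


def snr_db(signal_dbm: float, noise_dbm: float) -> float:
    """SNR is signal minus noise, both in dBm: -74 - (-95) = 21 dB."""
    return signal_dbm - noise_dbm


def sensitivity_margin_db(noise_dbm: float, rx_sensitivity_dbm: float) -> float:
    """How far the noise floor sits below the receiver sensitivity figure at
    the chosen rate (-90 - (-95) = 5 dB for the screenshot). Zero or negative
    means the noise floor is at or above sensitivity for that rate."""
    return rx_sensitivity_dbm - noise_dbm


def evaluate(sample: Sample,
             rx_sensitivity_dbm: float = RX_SENSITIVITY_11MBPS_DBM,
             min_signal_dbm: float = VOICE_MIN_SIGNAL_DBM,
             min_snr_db: float = VOICE_MIN_SNR_DB) -> dict:
    """Classify one survey point for voice readiness and list what fails."""
    snr = snr_db(sample.signal_dbm, sample.noise_dbm)
    margin = sensitivity_margin_db(sample.noise_dbm, rx_sensitivity_dbm)
    problems: List[str] = []
    if sample.signal_dbm < min_signal_dbm:
        problems.append(f"signal {sample.signal_dbm} dBm below {min_signal_dbm} dBm")
    if snr < min_snr_db:
        problems.append(f"SNR {snr} dB below {min_snr_db} dB")
    if margin <= 0:
        problems.append(f"noise floor {sample.noise_dbm} dBm at or above "
                        f"receiver sensitivity {rx_sensitivity_dbm} dBm")
    return {"location": sample.location, "snr_db": snr, "margin_db": margin,
            "voice_ready": not problems, "problems": problems}


def survey_report(samples: List[Sample]) -> List[dict]:
    """Evaluate every point of a survey walk."""
    return [evaluate(s) for s in samples]


# Constructed readings. The first reproduces the Aironet Desktop Utility
# screenshot in the text; the third shows that a strong signal does not
# rescue a point whose noise floor is high ("adding signal does not
# always increase SNR").
SAMPLES = [
    Sample("corridor-2F-east (ADU screenshot)", -74, -95),
    Sample("conference-2F", -62, -92),
    Sample("break-room-2F (microwave)", -60, -80),
]

if __name__ == "__main__":
    for row in survey_report(SAMPLES):
        print(row)
```

Run against the screenshot values, the checker reports SNR 21 dB and a 5 dB margin, and marks the point as not voice-ready on both the signal and SNR targets, which is the conclusion a reader should draw from the figure once the slide's thresholds are applied.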
321 Non-Overlapping Channels Because the wireless medium is continuous and shared, all clients that are associated with access points on the same channel will share the bandwidth available in that channel with reception power (and therefore data rates) diminishing with distance b/g Radio Channels Nonoverlapping cells are 22 MHz apart. 1, 6, 11 (North America) 1, 6, 11 or 2, 7, 12, etc. (Europe and Japan) Do not have to be exactly 5 channels apart (i.e. 1, 7, 13). Channels GHz 22 MHz GHz ARCH v Valid data packets from b/g or a radios that are not associated to an access point are considered data traffic. Those packets are decoded by the access point and client devices but are discarded. They increase the channel utilization on the access point, and limit the number of voice clients that can associate. If there are numerous clients in an area, or the supported data applications require significant bandwidth, adding capacity to the network is accomplished by using more access points on spectrally exclusive (i.e. non-overlapping) channels since same-channel interference must be minimized. Fourteen channels are defined in the IEEE b DSSS channel set. Each DSSS channel transmitted is 22 MHz wide, but the channel separation is only 5 MHz. This leads to channel overlap such that signals from neighboring channels can interfere with each other. In the US, 11 DSSS channels are usable, but only three nonoverlapping channels 25 MHz apart are possible, such as channels 1, 6, and 11. This channel spacing governs the use and allocation of channels in a multi-access point environment such as an office or campus. Access points are usually deployed in cellular fashion within an enterprise where adjacent access points are allocated nonoverlapping channels. Alternatively, access points can be co-located using channels 1, 6, and 11 to deliver 33 Mbps bandwidth to a single area, but only 11 Mbps to a single client. 
The figure shows the three non-overlapping channels, 1, 6, and 11, among the 11 channels in the 2.4 to 2.483 GHz frequency band. A critical issue for voice services is minimizing co-channel interference (clients and access points on the same channel interfering with each other) while maximizing coverage and capacity.

2007, Cisco Systems, Inc. VoWLAN Design
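The channel arithmetic above (5 MHz channel spacing, 22 MHz DSSS channel width, 20 MHz spacing for 802.11a cells) is easy to get wrong when a plan spans several floors. The following is an added example, not part of the course material, that computes channel center frequencies, decides whether two channels overlap, derives the 1/6/11 set, and checks a constructed two-floor cell plan for adjoining cells that share or overlap channels. The cell names and adjacencies are constructed for illustration; the channel-14 center frequency of 2484 MHz is a known exception to the 5 MHz spacing.

```python
"""Channel-overlap and channel-plan checks for 802.11b/g (2.4 GHz) and 802.11a (5 GHz) cells.

Added example, not part of the course material. Channel arithmetic follows the
text: 2.4 GHz DSSS channels are 5 MHz apart and 22 MHz wide, so two channels must
be at least 22 MHz (five channel numbers) apart to avoid overlap; 802.11a cells
are 20 MHz apart. Cell names and adjacencies below are constructed.
"""
from typing import Dict, Iterable, List, Tuple

BG_FIRST_CENTER_MHZ = 2412   # channel 1
BG_SPACING_MHZ = 5
BG_WIDTH_MHZ = 22            # DSSS channel width
A_WIDTH_MHZ = 20             # 802.11a channel spacing


def bg_center_mhz(channel: int) -> int:
    """Center frequency of an 802.11b/g channel (1-14). Channel 14 is the
    exception at 2484 MHz, 12 MHz above channel 13."""
    if not 1 <= channel <= 14:
        raise ValueError(f"invalid 802.11b/g channel {channel}")
    if channel == 14:
        return 2484
    return BG_FIRST_CENTER_MHZ + BG_SPACING_MHZ * (channel - 1)


def a_center_mhz(channel: int) -> int:
    """Center frequency of a 5 GHz channel: 5000 MHz + 5 MHz per channel number."""
    return 5000 + 5 * channel


def bg_channels_overlap(c1: int, c2: int) -> bool:
    """Two DSSS channels overlap when their centers are less than one channel width apart."""
    return abs(bg_center_mhz(c1) - bg_center_mhz(c2)) < BG_WIDTH_MHZ


def max_nonoverlapping_bg(usable: Iterable[int]) -> List[int]:
    """Greedy, lowest-channel-first selection of mutually nonoverlapping channels.
    For the 11 US channels this yields 1, 6, 11."""
    chosen: List[int] = []
    for ch in sorted(usable):
        if all(not bg_channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_bg_plan(cells: Dict[str, int], adjoining: Iterable[Tuple[str, str]]) -> List[str]:
    """Flag adjoining 2.4 GHz cells (same floor or the floor above/below) that
    share a channel or sit on overlapping channels."""
    problems = []
    for a, b in adjoining:
        ca, cb = cells[a], cells[b]
        if ca == cb:
            problems.append(f"{a} and {b} both use channel {ca}: co-channel interference")
        elif bg_channels_overlap(ca, cb):
            gap = abs(bg_center_mhz(ca) - bg_center_mhz(cb))
            problems.append(f"{a} (ch {ca}) and {b} (ch {cb}) overlap: centers only {gap} MHz apart")
    return problems


def check_a_plan(cells: Dict[str, int], adjoining: Iterable[Tuple[str, str]]) -> List[str]:
    """Flag adjoining 5 GHz cells on the same channel or on neighboring
    frequencies (centers 20 MHz apart), which the design guidance avoids."""
    problems = []
    for a, b in adjoining:
        gap = abs(a_center_mhz(cells[a]) - a_center_mhz(cells[b]))
        if gap == 0:
            problems.append(f"{a} and {b} both use channel {cells[a]}")
        elif gap <= A_WIDTH_MHZ:
            problems.append(f"{a} (ch {cells[a]}) and {b} (ch {cells[b]}) are on neighboring frequencies")
    return problems


# Constructed two-floor plan: three cells per floor; each cell adjoins its
# same-floor neighbor and the cell directly above or below it.
GOOD_BG_CELLS = {"1F-A": 1, "1F-B": 6, "1F-C": 11, "2F-A": 6, "2F-B": 11, "2F-C": 1}
# Same plan with two mistakes: 2F-A repeats the channel of 1F-A below it, and
# 2F-B on channel 3 overlaps 1F-B (channel 6) as well as both of its floor neighbors.
BAD_BG_CELLS = {**GOOD_BG_CELLS, "2F-A": 1, "2F-B": 3}
ADJOINING = [("1F-A", "1F-B"), ("1F-B", "1F-C"), ("2F-A", "2F-B"), ("2F-B", "2F-C"),
             ("1F-A", "2F-A"), ("1F-B", "2F-B"), ("1F-C", "2F-C")]

if __name__ == "__main__":
    print("nonoverlapping from channels 1-11:", max_nonoverlapping_bg(range(1, 12)))
    print("good plan problems:", check_bg_plan(GOOD_BG_CELLS, ADJOINING))
    for p in check_bg_plan(BAD_BG_CELLS, ADJOINING):
        print("bad plan:", p)
```

The adjacency list is the part a survey has to supply: overlap between cells on the same floor is obvious from a floor plan, while vertical adjacency only shows up when the floors above and below are surveyed, which is why the bad plan reports four problems rather than two.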
Cell Overlap Guidelines

When communicating on one channel, wireless endpoints typically are unaware of traffic and communication occurring on other nonoverlapping channels.

Cell Overlap Guidelines
- Use a 15-20% cell coverage overlap from each of the adjoining cells. This provides almost complete redundancy throughout the cell.
- The radius of the cell should be -67 dBm.
- The separation of same-channel cells should be 19 dBm.
(Figure: cells on channel 1 (yellow), channel 6 (purple), and channel 11 (green), with the cell edge at -67 dBm and the same-channel neighbor at -86 dBm.)

Access point coverage should be deployed so that minimal or no overlap occurs between access points configured with the same channel. However, proper access point deployment and coverage on nonoverlapping channels requires an overlap of 15 to 20 percent from adjoining cells. This amount of overlap ensures smooth roaming for wireless voice endpoints as they move between access point coverage cells and provides near-complete redundancy throughout the cell. Overlap of less than 15 to 20 percent can result in slower roaming times and poor voice quality, while overlap of more than 15 to 20 percent can result in too frequent or constant roaming.

The size of a voice-ready cell is not defined in traditional measurements such as feet or meters; instead, the unit of measurement is the strength or absolute power of the signal. For an ideal voice-ready wireless cell size, the radius of each cell should be -67 dBm. This power level can be reached in very small physical areas or in cells that are quite large, depending on the RF characteristics of the environment. A separation of 19 dBm between same-channel cells is recommended.

The figure shows the recommended cell characteristics for a typical voice deployment. In a pervasive network, maintaining this policy of nonoverlapping channels requires careful planning to ensure that the network is prepared to support voice services.
In general, for office and cubicle environments, a convenient guideline is to have a single cell cover approximately 3000 square feet.
Multi-Floor Concerns

(Figure: channel 1, 6, and 11 cells on the first floor, with the second floor above assigned channels so that no cell sits directly over a cell on the same channel.)

Deploying wireless devices in a multi-story building such as an office high-rise or hospital introduces a third dimension to wireless access point and channel coverage planning. The 2.4 GHz waveform of 802.11b/g can pass through floors and ceilings as well as walls. For this reason, it is important to consider not only overlapping cells or channels on the same floor, but also channel overlap between adjacent floors. With only three channels, proper overlap can be achieved only through careful three-dimensional planning. The RF coverage is mostly dependent on the access point transmitter power and the antenna type with its associated characteristics of gain and directional beam. The example shown would result from omnidirectional antennas.
802.11a Radio Channels

802.11a wireless networks currently support up to twelve nonoverlapping channels.

802.11a Radio Channels
(Figure: table of 802.11a channel numbers and their center frequencies in GHz.)
- Nonoverlapping cells are 20 MHz apart.

Currently, the majority of enterprises have implemented 802.11b and 802.11g for VoWLAN deployment, due to their compatibility and the near ubiquity of those standards in client devices. More recent deployments are using 802.11a because of its ability to support 12 nonoverlapping channels, which is significantly more than the 3 nonoverlapping channels that 802.11b/g deployments support.
802.11a Channel Reuse Design

The figure illustrates a possible channel deployment of 802.11a products on a floor. The cells are easier to deploy than 802.11b/g because there are twelve different channels to work with. Generally, the design should provide as much separation as possible. It is recommended that neighboring cells not be placed on neighboring or adjacent frequencies. For example, in the figure there is either a separation of one channel between cells or a separation of two cells between near channels.
The future architectural direction for VoWLAN is moving towards 802.11a voice solutions.

Advantages of 802.11a for VoWLAN
- A significantly greater number of channels are available with 802.11a.
- 802.11a access point radios can support 14 simultaneous calls.
- The 5 GHz spectrum does not suffer as much from RF interference.
- Shorter ranges on the higher frequency radios help prevent floor-to-floor bleed-through of the signal.

There are notable advantages to deploying 802.11a for voice and 802.11b/g for data:
- A significantly greater number of channels are available for higher density deployments.
- With more channels and a higher approximate throughput, 802.11a access point radios can support 14 simultaneous calls.
- The 5 GHz spectrum does not suffer from as much interference from devices such as cordless phones and Bluetooth devices.
- Since the range of the higher frequency radios is generally shorter, the signals do not travel through walls as well as those of the lower frequency radios. This characteristic helps prevent floor-to-floor bleed-through of the signal.
General Recommendations for VoWLANs

This topic discusses general recommendations for VoWLAN designs. A site survey is needed to measure these values.

General Recommendations for VoWLAN
- The number of phones used in an area determines the number of access points needed.
- Smaller cells with less transmit power use more access points and support more calls in a given coverage area.
- 802.11a access points support more calls than 802.11b/g access points, with less RF interference.
- Designs should at minimum use 2 access points on nonoverlapping frequency channels.
- Signal strength will vary with the supported data rate:
  11 or 12 Mbps: use greater than -67 dBm at all times
  54 Mbps: use greater than -56 dBm at all times
- Channel utilization QBSS load per access point should be less than 45%.

The first step in developing a VoWLAN design is to define and document what coverage areas will be established and the number of phones to be used in those areas. The design scope should be developed with the target user community so that the appropriate network infrastructure is deployed.

The number of phones used in a given area helps determine the transmit power of the clients and access points. The transmit power can be decreased in order to create smaller coverage cells, which increases the number of access points and the number of calls supported in a given floor space. In addition, 802.11a access points can support more calls than 802.11b/g access points.

Cisco recommends that a minimum design use 2 access points on nonoverlapping channels with 15 to 20% coverage overlap.

The received signal strength indication (RSSI) will vary with the supported data rate:
- For data rates of 11 Mbps, the RSSI should be greater than -67 dBm. An access point data rate configuration of 11 Mbps minimum for VoWLAN cells is recommended.
- For data rates of 54 Mbps, the RSSI should be greater than -56 dBm.

The channel utilization QoS Basic Service Set (QBSS) load per access point should be less than 45 percent.
The QBSS load represents the percentage of time that the channel is in use by the access point. Keeping channel utilization at this level provides for smoother roaming and leaves a backup access point available if one of the access points suddenly becomes unavailable or busy.
General Recommendations for VoWLAN (Cont.)
- PER should be no higher than 1%.
- The transmit power value on the access point should be the same as on the IP phones.
- All access points should use antenna diversity.
- Call loading varies by access point type:
  Allow no more than seven G.711 or eight G.729 concurrent phone calls on 802.11b/g access point radios.
  Allow no more than fourteen G.711 concurrent phone calls on 802.11a access point radios.
- Load-balancing access points can support high-usage areas.
- Overlapped BSSs or access points sharing the same RF channel reduce the number of concurrent calls.

The network should maintain a packet error rate (PER) of no higher than 1 percent (or a success rate of 99 percent). TCP performance and VoIP calls can suffer substantially when packet error rates increase beyond about 1%.

The design should use the same transmit power on the access point and on the IP phones. If the transmit power of the access points varies, set the transmit power of the phones to the highest transmit power of the access points.

Note: If enabled on the access point and supported by the WLAN device, Dynamic Transmit Power Control (DTPC) allows the access point to broadcast its transmit power, and clients can automatically configure themselves to that power while associated with that access point.

All access points should use antenna diversity. The purpose of diversity is to provide the best possible throughput by reducing the number of packets that are missed or retried, which is particularly important for voice. With antenna diversity, the access point samples the radio signal from two integrated antenna ports and chooses a preferred antenna. This diversity creates robustness where there is multipath distortion. Some WLAN phones, such as the Cisco Unified Wireless IP Phone 7921G, support antenna diversity.

The maximum number of phones supported per access point depends on the calling patterns of individual users and the access point type.
Currently, the recommended call loading for 802.11b/g is 7 active voice calls per access point using the G.711 voice codec or 8 active calls using the G.729 codec. This number is based on the simultaneous requirements of data clients and quality voice calls at current data rates and packet sizes. Beyond that number of concurrent calls, when excessive background data is present, the voice quality of all calls becomes unacceptable. In comparison, 802.11a access point radios can support 14 active voice calls using the G.711 codec.
Channel and modulation type determine the number of concurrent calls. If more concurrent phone calls are needed in a high-usage area, plan to have load-balancing access points available during the site survey. Using overlapped basic service sets (BSSs) or access points sharing the same RF channel reduces the number of concurrent phone calls per access point.
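The recommendations above are numeric thresholds that a site survey produces readings against, so they lend themselves to an automated pass/fail check. The following is an added example, not Cisco's tooling or code from the course, that encodes the thresholds stated in this lesson (RSSI by data rate, 19 dB same-channel separation, QBSS load under 45 percent, PER no higher than 1 percent, per-radio call loading) together with the SNR and receiver-margin arithmetic from the Aironet Desktop Utility example earlier in the lesson, and runs them over constructed survey readings. The data structure, field names, and sample readings are assumptions made for the example.

```python
"""Check VoWLAN site-survey readings against the guidelines in this lesson.

Added example, not Cisco's tooling. Thresholds are the ones stated in the text:
RSSI greater than -67 dBm for 11/12 Mbps cells and greater than -56 dBm for
54 Mbps cells, a same-channel neighbor at least 19 dB weaker than the cell edge,
QBSS load under 45 percent, packet error rate no higher than 1 percent, and call
loading of 7 G.711 or 8 G.729 calls on 802.11b/g radios and 14 G.711 calls on
802.11a radios. The -90 dBm receiver sensitivity at 11 Mbps is the figure quoted
with the Aironet Desktop Utility example. All readings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_RSSI_DBM = {11: -67, 12: -67, 54: -56}          # by cell data rate (Mbps)
SAME_CHANNEL_SEPARATION_DB = 19
MAX_QBSS_LOAD_PCT = 45
MAX_PER_PCT = 1.0
MAX_CALLS = {("802.11b/g", "G.711"): 7, ("802.11b/g", "G.729"): 8, ("802.11a", "G.711"): 14}
RX_SENSITIVITY_11MBPS_DBM = -90


def snr_db(signal_dbm: int, noise_dbm: int) -> int:
    """SNR is signal strength less the noise floor: -74 dBm and -95 dBm give 21 dB."""
    return signal_dbm - noise_dbm


def receiver_margin_db(noise_dbm: int, sensitivity_dbm: int = RX_SENSITIVITY_11MBPS_DBM) -> int:
    """How far the measured noise floor sits below the receiver sensitivity."""
    return sensitivity_dbm - noise_dbm


def same_channel_neighbor_limit_dbm(cell_edge_dbm: int) -> int:
    """Strongest acceptable level for the next cell on the same channel, measured
    at this cell's edge: 19 dB below the edge, so -67 dBm gives -86 dBm."""
    return cell_edge_dbm - SAME_CHANNEL_SEPARATION_DB


@dataclass
class Reading:
    location: str
    radio: str                                  # "802.11b/g" or "802.11a"
    data_rate_mbps: int                         # minimum data rate configured for the cell
    rssi_dbm: int                               # signal from the serving access point
    noise_dbm: int
    same_channel_neighbor_dbm: Optional[int]    # strongest other AP heard on this channel, or None
    qbss_load_pct: float
    per_pct: float
    planned_calls: int                          # concurrent calls expected in this cell
    codec: str


def check_reading(r: Reading) -> List[str]:
    """Return one finding per guideline the reading violates (empty list means it passes)."""
    findings = []
    min_rssi = MIN_RSSI_DBM.get(r.data_rate_mbps)
    if min_rssi is None:
        findings.append(f"no RSSI guideline for a {r.data_rate_mbps} Mbps cell")
    elif r.rssi_dbm < min_rssi:
        findings.append(f"RSSI {r.rssi_dbm} dBm below the {min_rssi} dBm needed for {r.data_rate_mbps} Mbps")
    if r.same_channel_neighbor_dbm is not None:
        sep = r.rssi_dbm - r.same_channel_neighbor_dbm
        if sep < SAME_CHANNEL_SEPARATION_DB:
            findings.append(f"same-channel neighbor only {sep} dB weaker (need {SAME_CHANNEL_SEPARATION_DB} dB)")
    if r.qbss_load_pct >= MAX_QBSS_LOAD_PCT:
        findings.append(f"QBSS load {r.qbss_load_pct}% is not below {MAX_QBSS_LOAD_PCT}%")
    if r.per_pct > MAX_PER_PCT:
        findings.append(f"PER {r.per_pct}% exceeds {MAX_PER_PCT}%")
    limit = MAX_CALLS.get((r.radio, r.codec))
    if limit is None:
        findings.append(f"no call-loading guideline for {r.codec} on {r.radio}")
    elif r.planned_calls > limit:
        findings.append(f"{r.planned_calls} {r.codec} calls exceed the {limit} allowed on {r.radio}")
    return findings


def survey_report(readings: List[Reading]) -> Dict[str, List[str]]:
    """Map each survey location to its findings."""
    return {r.location: check_reading(r) for r in readings}


# Constructed sample readings.
GOOD = Reading("Floor1-East", "802.11b/g", 11, -62, -95, -86, 30.0, 0.5, 6, "G.711")
BAD = Reading("Floor1-Lobby", "802.11b/g", 11, -70, -92, -80, 50.0, 2.0, 9, "G.711")
A_54 = Reading("Floor2-Conf", "802.11a", 54, -60, -96, None, 20.0, 0.3, 14, "G.711")

if __name__ == "__main__":
    for loc, findings in survey_report([GOOD, BAD, A_54]).items():
        print(loc, "OK" if not findings else findings)
```

The lobby reading fails every check at once, which is what an overloaded cell with a too-close same-channel neighbor looks like in practice; the conference-room reading passes call loading for 802.11a but shows that a cell configured for 54 Mbps needs a stronger signal than an 11 Mbps cell to meet the guideline.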
VoWLAN Site Survey

A well-executed site survey is a required first step to building a robust, voice-ready wireless network. This topic describes the steps for performing a VoWLAN site survey.

RF Site Survey Process
1. Define customer requirements.
2. Identify coverage areas and user density.
3. Determine preliminary access point locations.
4. Perform the actual surveying.
5. Document the findings.

An RF site survey is the first step in the design and deployment of a wireless network and the most important step to ensure desired operation. When building a network designed to support voice services, the site survey and implementation steps assume even greater importance due to the more stringent network and coverage requirements of VoIP. The goal of any site survey should be to gain a total view of the characteristics of the radio frequency (RF) environment into which the wireless network will be deployed. Unlicensed frequencies (2.4 GHz and 5 GHz, especially 2.4 GHz) can be "noisy" environments, with everything from microwave ovens to radar systems to Bluetooth vying for air time. With the advent of emerging RF technologies such as sensor networks, this trend will continue.

There are several typical steps in an RF site survey:
1. Define customer requirements in terms of devices to support, sites where wireless devices will be located, and service levels expected. Peak requirements, such as support for conference rooms, should also be defined.
2. Obtain a facility diagram to identify the potential RF obstacles. Based on the customer requirements, identify planned wireless coverage areas. Visually inspect the facility to look for potential barriers to the propagation of RF signals, such as metal racks, elevator shafts, and stairwells. Identify user areas that may be intensively used, such as conference rooms, and areas that may only be used for voice, such as stairwells.
3. Determine preliminary access point locations.
These locations include the power and wired network access, cell coverage and overlap, channel selection, and mounting locations and antenna
4. Perform the actual surveying to verify the access point locations. Make sure to use the same access point model for the survey that is in use or that will be used in production. While the survey is being performed, relocate access points as needed and retest.
5. Document the findings. Record the locations and log signal readings as well as data rates at the outer boundaries.

The site survey should provide a precise view of what other RF activity is present.

(Figure: Cognio Spectrum Expert reporting non-802.11 and 802.11 devices.)

A clear view of the RF domain can help mitigate potential sources of interference. A spectrum analysis tool such as Cognio Spectrum Expert can classify the interference, determine its impact on the Wi-Fi network, and enable the administrator to physically locate the source of interference and take action. The site survey should also identify areas within the deployment that may require additional capacity due to a concentration of users or a likelihood of co-channel interference.

A site survey should be conducted using the same frequency plan intended for the actual deployment. This provides a more accurate estimate of how a particular channel at a particular location will react to interference and multipath. The site survey should be conducted with the voice client that will be deployed; each client has unique RF performance, so different clients will yield different results. The same is true for the radios and the external or internal antennas in the infrastructure. In summary, access point and client selection should be finalized prior to the site survey. As new client devices are added, a periodic update to the site survey is a proactive step to ensure the RF network remains optimized.

It is also advisable to conduct several site surveys, varying the times and days, to ensure that a comprehensive view of the RF domain is obtained. RF activity can be variable and depends on many factors, including employee activity.
The site survey should identify sources of RF interference and variability in RF patterns due to physical building changes (e.g., movement of machinery, elevator shafts) and employee movements (e.g., weekly all-hands meetings).
Cisco WCS Deployment Planning Tool

The Cisco Unified Wireless Network integrates Radio Resource Management software, which works together with the integrated network planning and design features in the Cisco Wireless Control System (WCS).

(Figure: determining preliminary access point locations with the WCS default access point placement.)

Cisco WCS provides integrated RF prediction tools that can be used to create a detailed wireless LAN design, including access point placement, configuration, and performance and coverage estimates. IT staff can import real floor plans into Cisco WCS and assign RF characteristics to building components to increase design accuracy. The resulting map provides a starting point for the number and location of access points to be verified during a site survey. The final site survey adjusts the actual number and location of access points and associated antennas.

The WCS deployment planning tool is ideal for general open-space office environments. For challenging RF environments such as those found in hospitals and manufacturing plants, Cisco recommends specialized survey services.

In addition, for manual verification of the wireless network, the Cisco Unified Wireless IP Phone 7920 and the Cisco Unified Wireless IP Phone 7921G integrate site survey tools that enable the IT manager to display a list of access points that are in range. These tools are useful for validating and troubleshooting specific problem areas.
Access Point Location

The location of access points is the most important characteristic in making the network ready for voice services.

(Figure: Larger Cells Support Fewer Calls.)

The traditional method of access point deployment recommends deploying access points for greatest range to support data. This approach limits the number of voice calls that can be supported. Other issues result from large cell coverage areas, such as the downshift in data rate of VoWLAN clients when they reach the outer edge of the coverage cell. Even though the VoWLAN traffic might have been designed for high data rates, the actual call receives far less throughput because the weak signal causes the downshift in data rate. An increased cell coverage area also increases the chance of RF interference between the access points and their associated clients.
Traditional Small Cell Deployment

The voice-services-ready approach recommends deploying for density by implementing as many access points as possible to cover a given area, using smaller cell sizes so as not to create excessive interference.

(Figure: Smaller Cells Support More Calls.)

Smaller, overlapping cells increase average capacity and provide higher availability in the event of an access point failure. The cell size is estimated based on the requirements for VoWLAN phone call capacity. In dense deployments with many access points, the transmit power of each access point is lowered so as to limit co-channel interference with neighboring access points. The design should plan for the antennas needed and the transmit powers required for the access points within the site.

Note: It is a good idea to keep the transmit power of the access point and the phone at the same level in order to avoid one-way audio, which results from a mismatch between the reach of the two signals.

As a guideline and starting point for site surveys, in a voice-ready WLAN access points should be deployed at approximately one every 3000 square feet, as opposed to the 5000 square feet used for data-only networks. This level of density helps ensure that voice services have the RF coverage redundancy and throughput required to provide optimal service capacity. A site survey is still needed to maximize coverage and minimize interference.
Alternative Design: Perimeter and Center Deployment

This alternate deployment model places access points with directional antennas around the perimeter of the floor. It uses staggered access points with omnidirectional antennas in the center of the floor for more complete coverage and greater redundancy, which facilitates location tracking in addition to VoWLAN.

(Figure: Alternative Design: Perimeter and Center Deployment.)

This deployment requires specific placement of access points during the site survey. A goal for access point placement is to allow each location on the floor to associate with at least three access points. This alternative access point deployment facilitates location tracking when combined with the Cisco Wireless Location Appliance and WCS for visual maps and reports. The Cisco Wireless Location Appliance performs location computations based on the RSSI information received from the Cisco wireless LAN controllers. Once site floor plans and access points are added to the appliance, RF predictions and heat maps can be generated to graphically display the location of devices on site floor plans. Cisco WCS Location displays its location information visually, which provides an immediate location application for customers who want to enhance their RF capacity management, utilize location-based security, and have asset visibility for WLAN devices.
Conducting the RF Survey for VoWLAN

After the requirements are defined, the coverage areas are identified, and the preliminary VoWLAN access point locations are defined, the next step is to conduct the actual RF survey.

Conducting the RF Survey for VoWLAN: Look for
- Areas to be filled in with additional antennas
- Changes to existing data rate and transmit power settings
- Possible changes to the antenna types
- Impact of multi-floor coverage
- Requirements to survey without an installed network

When surveying with an existing WLAN or VoWLAN, you should expect that there will be areas to be filled in and that changes will be made to existing data rate and transmit power settings. You should plan on possible changes to the antenna types.

At a multi-floor site, the survey of the coverage should also include the floor above and below. When doing a manual survey, record the cell edges of the current floor and then use your survey tool on the other floors to measure and record the signal levels. When doing an automated survey, be sure to include the access points on the floors above and below while completing the walk-through survey.

When you survey a site without an installed network, plan to use two or three access points to measure cell coverage and cell overlap. For example, the cell edge for the Cisco Unified Wireless IP Phone 7920 at the 11 Mbps data rate is -67 dBm. The signal strength at the edge of that cell needs to be 19 dB weaker than the signal from the next cell on the same channel. That means that at the -67 dBm edge of the cell, the next cell on the same channel should measure -86 dBm.
Survey Documentation

After completing the RF survey, you should end with a documented plan for the VoWLAN infrastructure.

Survey Documentation
- Document antenna placement and types.
- Document coverage patterns and heat maps.
- Verify coverage with a walk-around of all areas carrying two voice conversations.
- Test with known interferers operational.
- Document call results from an analytical tool.
- Do a coverage area call capacity test.

The survey documentation should include the following information:
- Documented antenna placement and types, as information for the final implementation.
- Documented coverage patterns and heat maps, for baseline data.
- Verification of coverage based on a walk-around of all areas carrying at least two voice conversations. The test should be conducted with known interference sources operational. It is appropriate to document the call results from an analytical tool.
- Documented coverage area call capacity test results, for baseline data. You can have seven users begin by making phone calls in a given area and then move apart while placing new calls. You should verify voice quality during this process.

After conducting an RF site survey and configuring the access points and the phones, it is crucial to conduct verification tests to ensure that everything works as desired. These tests should be performed throughout the VoWLAN coverage area. Tests may include verifying that phones associate with the appropriate access point, and that calls can be placed successfully from the VoWLAN IP phone with acceptable voice quality.
VoWLAN Steps to Success

VoWLAN deployments are supported by the partner Cisco Steps to Success program. Cisco partners need both the Advanced Unified Communications and the Advanced Wireless specializations to be authorized to resell Cisco VoWLAN phones.

VoWLAN Steps to Success
- VoWLAN Configuration Checklist
- VoWLAN Design Checklist
- VoWLAN High Level Design
- 7920 Site Survey Guide
- 7920 Design and Deployment Guide
Located at: cisco.com/go/stepstosuccess

VoWLAN coverage and capacity can vary by deployment due to factors such as physical access point placement, building materials, antenna selection, and the type of clients used. In addition, environmental factors such as microwave ovens and cordless analog phones can cause interference that may impact VoWLAN performance.

The Steps to Success program provides important templates and tools to assist partners in the proper planning and implementation of WLAN and VoWLAN installations:
- Cisco 7920 Wireless IP Phone Design and Deployment Guide: This document provides design and deployment considerations and guidelines for implementing wireless Cisco IP telephony solutions based on the Cisco Service-Oriented Network Architecture (SONA).
- Cisco VoWLAN Site Survey Deliverable: This document provides a checklist of all items that need to be considered prior to a network implementation.
- VoWLAN Configuration Checklist: This document provides instructions to help partners apply pertinent configuration information regarding a VoWLAN solution.
- VoWLAN Design Checklist: This document provides a checklist template to help partners apply pertinent design information regarding a VoWLAN solution.
- Voice over Wireless LAN High Level Design for the Cisco VoWLAN Phone: This document provides the required specifications for availability, capacity, and security that will meet the defined service requirements.

These tools help minimize the chance of an improperly or insufficiently designed VoWLAN.
As part of the program, the Assessment to Quality VoWLAN team reviews each order to ensure that the proposed solution and partner meet the published and most current Cisco VoWLAN standards. The team may also help identify potential problem areas, suggest solutions, and assign resources as appropriate.
Summary

This topic summarizes the key points discussed in this lesson.

Summary
- Enterprise VoWLANs expect pervasive coverage, appropriate SNR, and 20% coverage overlap of nonoverlapping frequency channels to support the mobile nature of voice clients and the minimum expectation that calls will not be dropped as users roam across a building or campus.
- A well-executed site survey is the first step to building a robust, voice-ready wireless network.
- VoWLANs use dense deployment of access points with smaller cell sizes to increase average capacity and provide higher availability.
- VoWLAN deployments are supported by the partner Cisco Steps to Success program.
Lesson 3: VoWLAN Infrastructure Considerations

Overview

This lesson identifies the special requirements to support voice in a WLAN. It discusses how voice requirements need to be taken into consideration to create a voice over WLAN (VoWLAN) deployment.

Objectives

Upon completing this lesson, you will be able to describe the unique requirements that voice service imposes on a WLAN deployment. This ability includes being able to meet these objectives:
- Describe the voice requirements for roaming in a VoWLAN
- Describe the voice requirements for quality of service (QoS) in a VoWLAN
- Describe the voice requirements for security in a VoWLAN
- Describe the requirements for intelligent clients in a VoWLAN
Voice-Specific Infrastructure Considerations

Voice support places unique requirements on the WLAN.

Voice-Specific Infrastructure Considerations
- Roaming
- Quality of Service
- Security
- Intelligent Clients

There are several voice-specific requirements to consider when implementing a VoWLAN:
- Roaming. Voice calls need the ability to maintain network connectivity while the client is physically moving, removing its association from one access point and reassociating to another. Voice clients typically move more often than data-only clients.
- Quality of Service (QoS). QoS is essential to ensure that voice traffic receives timely and reliable treatment with low delay, low jitter, and little or no packet loss on the network. QoS also includes call admission control (CAC) to police the call capacity on a per-access-point basis.
- Security. Wireless IP telephony networks require a carefully planned security implementation to ensure that the telephony network operates properly and that voice traffic is secure.
- Intelligent Clients. A voice-ready WLAN requires an intelligent client capable of supporting the voice-ready Cisco infrastructure functions for enterprise roaming, QoS, CAC, and security.

The Cisco Unified Wireless Network supports all these requirements through software capabilities and technological enhancements in both the infrastructure and Cisco Compatible clients. These capabilities and enhancements are discussed in the rest of this lesson.
Roaming

Roaming is integral to voice services on wireless networks.

VoWLAN Roaming
- Three types: intracontroller, Layer 2, Layer 3
- Cisco Centralized Key Management supports authenticated clients
- Need software release or later on WLCs
(Figure: an intracontroller roam, a Layer 2 roam, and a Layer 3 roam.)

One of the obvious benefits of WLAN voice clients is the ability of the user to move from place to place within the enterprise campus while having a conversation. A wireless voice client must be able to move its association from one access point to another securely and with as little latency as possible. It is therefore important to understand the roaming options:
- Intracontroller Roaming. When the wireless client moves its association from one access point to another on the same wireless LAN controller (WLC), the WLC simply updates the client database with the newly associated access point. If necessary, a new security context and associations are established as well. With this roaming type, an IP address refresh is not needed.
- Layer 2 Intercontroller Roaming. Layer 2 roaming occurs when the client traffic is bridged to the same IP subnet provisioned through the LAN interfaces on both WLCs.
- Layer 3 Intercontroller Roaming. Layer 3 roaming occurs when the client associates to an access point on a different WLC and the traffic is bridged to a different subnet.

WLAN clients are always reauthenticated by the system in some way on a roam. This process is necessary to protect against client spoofing. With VoWLANs, Cisco Centralized Key Management enables authenticated client devices to roam securely from one access point to another without any perceptible delay during reassociation.

Note: The Cisco Unified Wireless IP Phone 7921G and Cisco Unified Wireless IP Phone 7920 support Cisco Centralized Key Management but cannot use proactive key caching (PKC) at this time. WLCs with a software release or later also support Cisco Centralized Key Management.
With the support of the Cisco Centralized Key Management protocol, the wireless IP phone is able to negotiate the handoff from one access point to another more easily. During the roaming process, the phone must scan for the nearby access points, determine which access point can provide the best service, and then reassociate with the new access point. When implementing stronger authentication methods, such as Wi-Fi Protected Access (WPA) and Extensible Authentication Protocol (EAP), the number of information exchanges increases and causes more delay during roaming. To avoid additional delays, use Cisco Centralized Key Management to manage authentication.

Note: This course discusses roaming within the enterprise framework. Handoffs or roaming for dual-mode clients between a cellular wireless network and an enterprise WLAN is not covered.
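The three roam types above are decided by where the old and new access points terminate and which subnet each controller bridges the client onto. The following is an added example, not Cisco code, that models controllers and access points and classifies a roam the way the text describes: an intracontroller roam updates the client entry on the same WLC, an intercontroller roam requires both WLCs in one mobility group and moves the client entry through mobility messages, a Layer 2 roam keeps the client on the same subnet, and every roam reauthenticates the client to protect against spoofing. Controller names, mobility group names, subnets, and the field names of the result are constructed for the example.

```python
"""Classify a client roam between Cisco access points as intracontroller,
Layer 2 intercontroller, or Layer 3 intercontroller, following the lesson text.

Added example, not Cisco code. Controller names, mobility group names, and client
subnets are constructed. Behaviour encoded from the text: every roam re-authenticates
the client (to guard against client spoofing); intercontroller roams require both
WLCs in the same mobility group and move the client database entry via mobility
messages; a Layer 2 roam keeps the client on the same IP subnet, a Layer 3 roam
bridges it to a different one.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Sequence


@dataclass(frozen=True)
class Controller:
    name: str
    mobility_group: str
    client_subnet: IPv4Network      # subnet the WLAN's LAN interface bridges clients onto


@dataclass(frozen=True)
class AccessPoint:
    name: str
    controller: Controller


@dataclass(frozen=True)
class RoamResult:
    roam_type: str                  # "intracontroller", "layer2-intercontroller", "layer3-intercontroller"
    same_subnet: bool               # client traffic stays on the same IP subnet
    mobility_messages: bool         # old and new WLC exchange mobility messages
    client_entry_moved: bool        # entry moved to the new WLC (False: updated in place on one WLC)
    reauthenticate: bool            # always True: clients are re-authenticated on every roam


def classify_roam(old_ap: AccessPoint, new_ap: AccessPoint) -> RoamResult:
    """Decide the roam type from the controllers behind the two access points."""
    old, new = old_ap.controller, new_ap.controller
    if old == new:
        # Same WLC: client database updated with the new access point, no mobility exchange.
        return RoamResult("intracontroller", True, False, False, True)
    if old.mobility_group != new.mobility_group:
        raise ValueError(f"{old.name} and {new.name} are in different mobility groups; "
                         "intercontroller roaming requires one mobility group")
    if old.client_subnet == new.client_subnet:
        return RoamResult("layer2-intercontroller", True, True, True, True)
    return RoamResult("layer3-intercontroller", False, True, True, True)


def classify_path(path: Sequence[AccessPoint]) -> List[str]:
    """Roam types a phone experiences while associating to the access points in order."""
    return [classify_roam(a, b).roam_type for a, b in zip(path, path[1:])]


# Constructed topology: two WLCs sharing a client subnet, a third on another subnet,
# and a fourth in a different mobility group.
WLC1 = Controller("WLC1", "campus", ip_network("10.10.20.0/24"))
WLC2 = Controller("WLC2", "campus", ip_network("10.10.20.0/24"))
WLC3 = Controller("WLC3", "campus", ip_network("10.10.30.0/24"))
WLC4 = Controller("WLC4", "remote", ip_network("10.10.40.0/24"))
AP1, AP2 = AccessPoint("AP1", WLC1), AccessPoint("AP2", WLC1)
AP3, AP4, AP5 = AccessPoint("AP3", WLC2), AccessPoint("AP4", WLC3), AccessPoint("AP5", WLC4)

if __name__ == "__main__":
    for hop in classify_path([AP1, AP2, AP3, AP4]):
        print(hop)
    try:
        classify_roam(AP4, AP5)
    except ValueError as err:
        print("not possible:", err)
```

The walk from AP1 to AP4 produces one roam of each type, and the attempt to roam onto AP5 fails because its controller is outside the mobility group, which is the planning constraint the text flags for both forms of intercontroller roaming.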
Layer 2 Intercontroller Roaming

The VoWLAN design can support intercontroller Layer 2 roaming.

Slide: Layer 2 Intercontroller Roaming (figure shows the client reassociating to WLC-2)
- Traffic on the same IP subnet
- Client database entry moved to the new WLC
- Reauthenticated and new security session established as needed
- No IP address refresh needed

The figure illustrates an intercontroller Layer 2 roam. A Layer 2 roam occurs when the client traffic is bridged to the same IP subnet provisioned through the LAN interfaces on both WLCs. When the client reassociates to an access point connected to a new WLC, the new WLC exchanges mobility messages with the original WLC, and the client database entry is moved to the new WLC. A new security context and associations are established if necessary, and the client database entry is updated for the new access point. With Layer 2 intercontroller roaming, an IP address refresh is not needed. This process is transparent to the end user.

Note: Both forms of intercontroller roaming require the controllers to be in the same mobility group.

When the wireless client moves its association from one access point to another, the controllers update the client database with the newly associated access point. If necessary, a new security context and associations are established as well. This capability, coupled with Cisco Centralized Key Management, helps ensure that time-sensitive applications such as VoIP can be fully mobile and secure with minimal roaming latency.

With Lightweight Access Point Protocol (LWAPP)-enabled Cisco access points configured with a controller, it is possible for a client to roam from an access point attached to one controller to an access point attached to a second controller. With intercontroller roaming, the infrastructure must maintain these same roaming characteristics. The Cisco Unified Wireless Network employs a Mobility Messaging Exchange protocol that helps enable seamless roaming across physically separate controllers.

When the client associates to an access point joined to a new controller, the new controller exchanges mobility messages with the original controller, and the client database entry is moved to the new controller. New security contexts and associations are established if necessary, and the client database entry is updated for the new access point. This process, as well as the inter-access point handoff, is transparent to the user.

Layer 3 Intercontroller Roaming

In cases where Layer 2 VLAN configuration is difficult, it is highly recommended that the capability to roam be designed to operate across Layer 3 subnets.

Slide: Layer 3 Intercontroller Roaming (figure shows the client reassociating to WLC-2)
- New WLC uses a different subnet; the client IP address does not change
- Original WLC tagged as anchor
- Client database entry copied to the new WLC, tagged as foreign
- Asymmetric traffic path

This design eliminates the need to configure Layer 2 VLANs that extend across the entire enterprise, and reduces the cost of the WLAN infrastructure. To do this, Cisco enables Layer 3 mobility through the use of mobility groups, which provide the mechanism for pooling resources together to facilitate this desired client behavior. A mobility group does more than just define the RF connectivity of the client. It defines the infrastructure resources and their connectivity to each other. If a client needs to seamlessly roam from one location to another, even across IP subnets, the resources in those locations need to be in the same defined mobility group.

When the client reassociates to an access point connected to a new WLC, the new WLC exchanges mobility messages with the original WLC. In this case, instead of moving the client entry to the client database of the new controller, the original WLC marks the client with an anchor entry in its own client database. The database entry is copied to the new controller client database and marked with a foreign entry in the new WLC. Security credentials and context are reestablished if necessary. The roam is still transparent to the wireless client, and the wireless client maintains its original IP address.

After a Layer 3 roam, the data transferred to and from the wireless client flows in an asymmetric traffic path. Traffic from the client to the network is forwarded directly into the network by the foreign WLC. Traffic to the client arrives at the anchor WLC, which forwards the traffic to the foreign WLC in an Ethernet-in-IP (EtherIP) tunnel. The foreign WLC then forwards the data to the client. If a wireless client roams to a new foreign WLC, the client database entry is moved from the original foreign WLC to the new foreign WLC, but the original anchor WLC is always maintained.

To enable mobility groups, the administrator simply defines which physical locations should be included. As a general guideline, a single mobility group should encompass an area that covers 80 to 90 percent of user roaming patterns, because clients cannot seamlessly roam across mobility groups. This means that prior to enabling mobility groups, the deployment team must have a good understanding of how users move throughout the building and incorporate this into the creation of each mobility group.
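The three roam types above, as an added simulation that is not part of the student guide or any Cisco code: it tracks where the client database entry lives (local, anchor or foreign), refuses a roam across mobility groups, and reports the asymmetric path after a Layer 3 roam. The WLC names, subnets, access point names and the client address are constructed values.

```python
"""Simulate how WLC client-database entries move during intracontroller,
Layer 2 and Layer 3 intercontroller roams, and which path traffic takes
afterwards.  Added example, not Cisco code: the class and method names and
all topology values are invented for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ClientEntry:
    mac: str
    ip: str
    ap: str
    role: str                         # "local", "anchor" or "foreign"
    anchor_wlc: Optional[str] = None  # set only on foreign entries


@dataclass
class WLC:
    name: str
    mobility_group: str
    subnet: object                    # ip_network of the WLAN's LAN interface
    aps: set = field(default_factory=set)
    clients: dict = field(default_factory=dict)   # mac -> ClientEntry


class MobilitySim:
    def __init__(self, wlcs):
        self.wlcs = {w.name: w for w in wlcs}

    def wlc_for_ap(self, ap):
        for w in self.wlcs.values():
            if ap in w.aps:
                return w
        raise KeyError("unknown access point %s" % ap)

    def serving_wlc(self, mac):
        # The controller holding the "local" or "foreign" entry serves the
        # client; an "anchor" entry only marks where the client's subnet lives.
        for w in self.wlcs.values():
            e = w.clients.get(mac)
            if e is not None and e.role in ("local", "foreign"):
                return w
        raise KeyError("client %s is not associated" % mac)

    def associate(self, mac, ip, ap):
        w = self.wlc_for_ap(ap)
        if ip_address(ip) not in w.subnet:
            raise ValueError("client address must belong to the serving subnet")
        w.clients[mac] = ClientEntry(mac, ip, ap, "local")

    def roam(self, mac, new_ap):
        """Reassociate to new_ap; returns 'intracontroller', 'layer2' or 'layer3'."""
        cur = self.serving_wlc(mac)
        new = self.wlc_for_ap(new_ap)
        entry = cur.clients[mac]
        if new is cur:                              # same WLC: update the AP only
            entry.ap = new_ap
            return "intracontroller"
        if new.mobility_group != cur.mobility_group:
            raise ValueError("clients cannot seamlessly roam across mobility groups")
        if entry.role == "foreign":
            # Already Layer 3 roamed: the foreign entry moves, the anchor is kept.
            del cur.clients[mac]
            new.clients[mac] = ClientEntry(mac, entry.ip, new_ap, "foreign", entry.anchor_wlc)
            return "layer3"
        if new.subnet == cur.subnet:
            # Layer 2 roam: entry moved to the new WLC, no IP address refresh.
            del cur.clients[mac]
            new.clients[mac] = ClientEntry(mac, entry.ip, new_ap, "local")
            return "layer2"
        # Layer 3 roam: the original WLC becomes the anchor, the copy is foreign.
        entry.role = "anchor"
        new.clients[mac] = ClientEntry(mac, entry.ip, new_ap, "foreign", cur.name)
        return "layer3"

    def traffic_path(self, mac):
        """Uplink enters the network from the serving WLC; after a Layer 3 roam
        the downlink arrives at the anchor and is tunnelled to the foreign WLC."""
        w = self.serving_wlc(mac)
        e = w.clients[mac]
        uplink = ["client", w.name, "network"]
        if e.role == "local":
            return {"uplink": uplink, "downlink": ["network", w.name, "client"]}
        return {"uplink": uplink,
                "downlink": ["network", e.anchor_wlc, "EtherIP tunnel", w.name, "client"]}


MAC = "00:1b:d4:aa:bb:cc"   # constructed sample client


def demo():
    """Constructed topology: WLC-1 and WLC-2 share a subnet, WLC-3 does not,
    and WLC-4 belongs to a different mobility group."""
    sim = MobilitySim([
        WLC("WLC-1", "campus", ip_network("10.1.1.0/24"), {"AP-1A", "AP-1B"}),
        WLC("WLC-2", "campus", ip_network("10.1.1.0/24"), {"AP-2"}),
        WLC("WLC-3", "campus", ip_network("10.3.3.0/24"), {"AP-3"}),
        WLC("WLC-4", "remote", ip_network("10.4.4.0/24"), {"AP-4"}),
    ])
    sim.associate(MAC, "10.1.1.50", "AP-1A")
    roams = [sim.roam(MAC, ap) for ap in ("AP-1B", "AP-2", "AP-3", "AP-1A")]
    return sim, roams   # roams -> ['intracontroller', 'layer2', 'layer3', 'layer3']
```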
Enhanced Neighbor Lists

The Cisco voice-ready architecture can use enhanced neighbor lists to improve roaming.

Slide: Enhanced Neighbor Lists
- Clients are classified with a roaming type.
- Network parameters are distributed to clients in a neighbor list: authorized access points nearby, RF parameters of nearby access points, RF measurements at the edge of the cell, and capacity utilization on nearby access points.
- Clients select an access point based on capacity and network parameters: clients receive the best audio quality, audio gaps in roams are minimized, and overall network capacity is increased through load balancing.

Typically, handsets continually scan the access points in the neighbor list to stay associated with the best access point. The Cisco VoWLAN solution has the ability to classify clients based on roaming type and have the clients participate in the roaming process based on information gathered from the infrastructure. Examples of enhanced roaming classifications are fast roam, slow roam, and a/b/g only.

The information gathered from the network infrastructure is provided in the form of neighbor lists. The access points provide to the client a list of neighboring access points that have the ability to service the client based on the client's classification. The enhanced neighbor lists contain information that helps the client make association decisions between potential access points:

- Authorized access points nearby
- RF parameters of nearby access points
- RF measurements at the edge of the cell
- Capacity utilization on nearby access points

Based on the neighbor information, the client can preemptively decide to associate with an access point with sufficient capacity and RF parameters. Based on the client classification, if the access point has the ability to service the client, association will occur. This intelligent roaming process enables the clients to associate to the access point that will provide them the best audio quality and also helps minimize or eliminate audio gaps in roams. Overall network capacity is increased through load balancing.
QoS Considerations

QoS is essential to ensure that voice traffic receives timely and reliable treatment with low delay, low jitter, and little or no packet loss on the network.

Slide: End-to-End QoS (figure: the 802.11e marking used over the air between the client and the access point is carried as DSCP inside the LWAPP-encapsulated packet across the Ethernet switch to the WLAN controller, with 802.1p and DSCP marking on the wired side)
- Separate voice and data VLANs are used.
- Over-the-air packets to the access point are policed.
- Edge switches trust the QoS marking of the packets.

Separate voice and data VLANs can support different security features as well as prioritizing voice traffic so that it can be dealt with using minimal delay characteristics. As a start, separating traffic by VLAN and using the QoS profiles for traffic reduces the chance of data clients crowding the voice WLAN and causing unnecessary traffic overhead and delays. Using separate data and voice VLANs enables specific QoS settings on all traffic from the voice VLAN to support end-to-end QoS.

This separation of client traffic is best continued into separate wireless RF spectrum, such as 802.11a (5 GHz) for voice and 802.11b/g (2.4 GHz) for data. The final selection of RF spectrum depends on the clients' hardware capabilities for 2.4 GHz 802.11b/g, 5 GHz 802.11a, or possibly both radios. Voice deployment in 5 GHz also assumes that more RF interference is present in a crowded 2.4 GHz RF spectrum.

Note: Separate VLANs are in addition to the RF recommendation of ensuring nonoverlapping channel frequencies to avoid interference.

If the over-the-air packets to the access point have trust enforced, the edge switches of the wired network can trust the QoS marking of the packets from the access point. Since all WLAN traffic that passes between the access point and the LWAPP wireless LAN controller is encapsulated, the LWAPP encapsulation maintains the Layer 3 marking in the original packet. Once the LWAPP packet is de-encapsulated at the access point or wireless LAN controller, the original Layer 3 marking is again used by QoS mechanisms in the network infrastructure. With this capability enabled in the LWAPP and the Unified Wireless Network infrastructure, the network can achieve end-to-end QoS for the voice traffic both over the air and across the wired network.

IEEE 802.11e and Wi-Fi Multimedia

QoS on a pervasive WLAN is much more than simply prioritizing one type of packet over another.

Slide: WMM for Differentiated Services
- Select the QoS level of the WLAN based on traffic type: Platinum for voice, Gold for video, Silver for best effort (default), Bronze for background
- User priority enforces a ceiling on WMM traffic.

The number of active users in any location changes dynamically and cannot be addressed through the capacity management tools used in wired networks. WLAN traffic is nondeterministic. The channel access is based on a binary back-off algorithm defined by the IEEE 802.11 standard (CSMA/CA) and is by nature variable, depending on the number of clients accessing the network, which makes QoS for VoWLAN more difficult to maintain.

To improve the reliability of voice transmissions in this nondeterministic environment, the IEEE developed the 802.11e specification and standard that adds QoS features and multimedia support to the existing 802.11b, 802.11g, and 802.11a wireless networks. Before IEEE 802.11e was ratified, the wireless industry trade association known as the Wi-Fi Alliance accelerated the use of WLAN QoS through an early certification called Wi-Fi Multimedia (WMM). WMM is a partial mirror of IEEE 802.11e features for wireless networks used to improve the user experience for audio, video, and voice applications. WMM adds prioritized capabilities to wireless networks and optimizes their performance when multiple concurrent applications, each with different latency and throughput requirements, compete for network resources. VoWLANs can use Cisco Unified Wireless IP Phone 7920 and Cisco Unified Wireless IP Phone 7921G devices, which support the 802.11e standard and are WMM-certified.

In order for these differentiated services to provide sufficient QoS for voice packets, only a certain amount of voice bandwidth can be serviced or admitted on a channel at any one time. If the network can handle "N" voice calls with reserved bandwidth, when the amount of voice traffic is increased beyond this limit (that is, to the "N+1" call), the quality of all calls will suffer.

Cisco WLANs support four levels of QoS over the air: Platinum/Voice, Gold/Video, Silver/Best Effort (default), and Bronze/Background. As a recommended practice, configure the voice traffic WLAN to use Platinum QoS, assign the low-bandwidth WLAN to use Bronze QoS, and assign all other traffic between the remaining QoS levels.

The WLAN QoS level (platinum, gold, silver, or bronze) defines a specific 802.11e user priority for over-the-air traffic. This user priority is used to derive the over-the-wire priorities for non-WMM traffic, and it also acts as the ceiling when managing WMM traffic with various levels of priorities. An access point uses this QoS-profile-specific user priority to derive the IP DSCP value that is visible on the wired LAN.

Note: WMM requires Cisco Compatible Extensions version 3 or later.
Call Admission Control

The Cisco Unified Wireless Network supports Call Admission Control (CAC) to police the call capacity on a per-access-point basis.

Slide: Call Admission Control
- CAC limits the number of calls on a channel to a percentage of the bandwidth.
- The remaining percentage of the bandwidth is for data.

Cisco Unified Call Manager provides additional CAC features for the wired network, ensuring an end-to-end CAC implementation. Cisco requires the use of Cisco Compatible clients to enable the use of the traffic specification (TSpec) of the traffic flows for the calculation of call limits and proper WLAN load balancing. The TSpec of each voice flow allows the system to allocate bandwidth to client devices on a first-come, first-served basis and maintains a small reserve so that mobile phone clients can roam into a neighboring access point (even though the access point could otherwise be at "full capacity"). Once the limit for voice bandwidth is reached, the next call will be load-balanced to a neighboring access point and the call completed without affecting the quality of the existing calls on the channel.

With CAC enabled and devices supporting the current Cisco Compatible Extensions, the Cisco Unified Wireless Network allows the resources to be globally managed by the wireless network controller across all the adjacent access points. Thus, each access point is not permitted to admit the same amount of voice traffic as it could if it were operating in isolation. The number of voice calls on the RF channel is limited to a percentage of the channel's bandwidth. A percentage of the bandwidth is reserved to support roaming, and the rest of the bandwidth is available for data. Access points employ MAC measurements from clients and neighboring access points to aid in determining the amount of traffic on the RF channel and whether a new call should be admitted.
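The admission logic described above, as an added simulation that is not part of the student guide or any Cisco code: voice is capped at a percentage of the RF channel, part of that cap is reserved for phones roaming in, co-channel neighbors are managed as one shared resource, and a new call that does not fit is load-balanced to a neighboring access point. The percentages, channel numbers, access point names and the per-call TSpec cost are constructed values, not Cisco defaults.

```python
"""Simulate per-access-point Call Admission Control (CAC) as the lesson
describes it.  Added example, not Cisco code; class names, percentages and
the per-call TSpec costs are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    name: str
    channel: int
    neighbors: list = field(default_factory=list)  # names of nearby APs
    calls: dict = field(default_factory=dict)      # call_id -> TSpec (% of channel)


class CallAdmissionControl:
    def __init__(self, aps, max_voice_pct=75.0, roaming_reserve_pct=6.0):
        self.aps = {a.name: a for a in aps}
        self.max_voice = max_voice_pct        # ceiling for all voice on a channel
        self.reserve = roaming_reserve_pct    # kept free for roaming calls only

    def channel_load(self, ap_name):
        """Voice load on the AP's channel: its own calls plus those of neighbors
        on the same channel, so co-channel APs cannot each admit a full load."""
        ap = self.aps[ap_name]
        load = sum(ap.calls.values())
        for n in ap.neighbors:
            if self.aps[n].channel == ap.channel:
                load += sum(self.aps[n].calls.values())
        return load

    def fits(self, ap_name, tspec_pct, roaming):
        # A new call may only use the voice share minus the roaming reserve;
        # a roaming call may draw on the reserve as well.
        ceiling = self.max_voice if roaming else self.max_voice - self.reserve
        return self.channel_load(ap_name) + tspec_pct <= ceiling

    def admit(self, call_id, ap_name, tspec_pct, roaming=False):
        """Return the name of the AP that admitted the call, or None if refused."""
        if self.fits(ap_name, tspec_pct, roaming):
            self.aps[ap_name].calls[call_id] = tspec_pct
            return ap_name
        if roaming:
            return None                # the reserve is the only headroom for a roam
        for n in self.aps[ap_name].neighbors:  # load-balance a new call outward
            if self.fits(n, tspec_pct, False):
                self.aps[n].calls[call_id] = tspec_pct
                return n
        return None

    def roam(self, call_id, to_ap):
        """Move an established call to to_ap using the roaming reserve; if the
        target refuses it, the call stays on its current AP."""
        src = next(ap for ap in self.aps.values() if call_id in ap.calls)
        tspec = src.calls.pop(call_id)
        result = self.admit(call_id, to_ap, tspec, roaming=True)
        if result is None:
            src.calls[call_id] = tspec
        return result


def demo():
    """Constructed cell layout: AP-A and AP-C share channel 36; AP-B is on 40."""
    cac = CallAdmissionControl([
        AccessPoint("AP-A", 36, ["AP-B", "AP-C"]),
        AccessPoint("AP-B", 40, ["AP-A"]),
        AccessPoint("AP-C", 36, ["AP-A"]),
    ])
    # Seven new calls at 10% of channel time each (constructed TSpec cost):
    # six fit under the 69% new-call ceiling, the seventh goes to AP-B.
    placed = [cac.admit("call-%d" % i, "AP-A", 10.0) for i in range(1, 8)]
    return cac, placed
```

A roaming call into AP-A afterwards still fits (70% is within the 75% voice cap), while a new call at co-channel AP-C is refused because the channel it shares with AP-A is already at the new-call ceiling.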
Security Considerations

For VoWLAN deployments, security is also a concern.

VoWLAN Authentication and Encryption Recommendations

The strict requirements for voice in terms of packet delivery time and predictability, coupled with the ability of clients to roam across access points and subnets, present a challenge to security architectures.

Slide: VoWLAN Authentication and Encryption Recommendations
- Use EAP-FAST: the TLS tunnel is based on strong secrets that are unique to clients.
- Cisco Unified Wireless IP Phone 7920 clients need firmware release 3.0 or later.
- Use TKIP and MIC.
- End-to-end latency should be < 150 ms.
- The client needs to be compliant with Cisco Compatible Extensions Version 4 or later.
- MIC ensures that encrypted packets are not being altered.

To minimize the delay introduced by authenticating roaming clients, Cisco recommends using Extensible Authentication Protocol-Flexible Authentication via Secured Tunnel (EAP-FAST) with Cisco Centralized Key Management. EAP-FAST is an 802.1x EAP framework for authentication that encrypts EAP transactions with a Transport Layer Security (TLS) tunnel. The EAP-FAST tunnel establishment is based upon strong secrets that are unique to clients.

Note: Cisco Unified Wireless IP Phone 7920 clients with firmware release 3.0 or later support EAP-FAST. All Cisco Unified Wireless IP Phone 7921G clients support EAP-FAST.

During roaming, reauthentication time back to the RADIUS server alone can take 500 ms or more. To remedy this, Cisco recommends using Cisco Centralized Key Management to achieve access point-to-access point roaming latency of less than 100 ms so that end-to-end latency is less than 150 ms. Cisco Centralized Key Management permits the negotiation of a session key from a cached master key and avoids the need to go back to the authentication, authorization, and accounting (AAA) server during a roam. When the client roams, it informs the infrastructure that it has roamed and the infrastructure forwards the keying material to the new access point.

The efficiency of EAP-FAST with Cisco Centralized Key Management helps ensure maximum protection with minimum transaction time. Cisco Centralized Key Management is available with the Cisco Unified Wireless IP Phone 7920 and 7921G clients, as well as any client that is compliant with Cisco Compatible Extensions Version 4.

To ensure that voice traffic is secure, Cisco recommends using Temporal Key Integrity Protocol (TKIP) for encryption. This mechanism encrypts both the signaling (SCCP) packets and voice (RTP) packets between the access point and the wireless IP phone. TKIP provides per-packet key ciphering and longer initialization vectors that strengthen encryption. In addition, a Message Integrity Check (MIC) ensures that encrypted packets are not being altered. TKIP removes the predictability of the earlier Wired Equivalent Privacy (WEP) that can help intruders decipher the WEP key.
Other Design Recommendations for VoWLAN Security

Cisco VLAN technology separates the physical network into multiple logical networks.

Slide: Other Design Recommendations for VoWLAN Security
- Separate VLANs and SSIDs should be used for voice traffic.
- Separate VLANs provide protection from some threats: DoS attacks, eavesdropping and interception, and unauthorized access.
- Follow published recommendations for general wireless security: "Five Steps to Securing Your Wireless LAN and Preventing Wireless Threats," available at networking_solutions_white_paper0900aecd8042e23b.shtml

For secure voice calls, Cisco recommends creating separate VLANs and SSIDs for voice. In turn, associating the voice SSID with the voice VLAN creates a single, unified voice network across both the wired and wireless networks with consistent security and QoS profiles. The wireless controller will bridge the traffic from the voice SSIDs to the voice VLANs. The primary advantage of this separation of voice and data traffic is that traffic sent over the voice network is not visible to insiders or outsiders connected to the data network. The converse is also true. Following are some of the ways that VLANs protect the voice system from security threats:

- Denial of service (DoS) attacks: Most DoS attacks originate from a PC; therefore, they cannot affect IP phones and call-processing servers connected to a separate voice VLAN.
- Eavesdropping and interception: Hackers typically eavesdrop on conversations using a PC with special software to connect to the same VLAN as one or more parties in the conversation. If voice participants are logically cordoned off, however, a hacker cannot connect to the voice VLAN with a PC.
- Unauthorized access: Companies can apply different access control policies to their voice VLAN. They can authorize employees by role in the organization; for example, limiting manufacturing employees to the data segment but not the voice segment.

In addition to these voice-specific guidelines, Cisco has published best practices for general wireless security. The paper "Five Steps to Securing Your Wireless LAN and Preventing Wireless Threats" discusses best practices in a multilayered approach to secure the network from unauthorized use through a WLAN link. These practices should be validated against an organization's own risk-management processes and complemented by a strong security implementation.

Note: This paper is available at s_white_paper0900aecd8042e23b.shtml
VoWLAN Clients

To use the voice-ready Cisco infrastructure for enterprise roaming, management, and security features, Cisco recommends that the voice clients be either a Cisco Unified Wireless IP Phone 7920 or 7921G device or a voice-capable device that supports the advanced voice features through the Cisco Compatible Extensions program.

Slide: Cisco Unified Wireless IP Phone 7921G Overview
- Flexible radio frequencies: 802.11a/b/g
- CCX version 4 compliant
- Enterprise-class security
- Extended battery life
- Clear, high-quality voice

The Cisco Unified Wireless IP Phone 7921G is a second-generation Cisco Systems wireless IP phone that now supports dual-band 802.11a/b/g radios, a speakerphone, and a high-resolution color display. It has dedicated volume and mute buttons, and an application button that supports push-to-talk via XML. The phone is also Cisco Compatible Extensions (CCX) Version 4.0 compliant.

The phone supports a comprehensive list of enterprise wireless security features including EAP-FAST, TKIP, MIC, and Cisco Centralized Key Management. Two types of batteries are available for the phone. The standard lithium-ion (Li-ion) battery provides up to 10 hours of talk time or 80 hours of standby. The extended Li-ion battery provides up to 12 hours of talk time or 100 hours of standby. The actual battery life varies based on environmental factors and the display timeout option selected.

It supports voice-quality enhancements including 802.11e TSpec, Enhanced Distributed Channel Access (EDCA), and QBSS. Because the Cisco Unified Wireless IP Phone 7921G is designed to grow with system capabilities, features will keep pace with new system enhancements.
Cisco Compatible Extensions

Figure: Cisco Compatible Extensions versions, each building on the last: Version 1 (Secure Connectivity), Version 2 (Scaling), Version 3 (Performance & Security), and Version 4 (Voice Ready WLAN). Features shown on the slide include LEAP, WPA, 802.1x and VLANs per AP, TKIP, Wi-Fi fast secure roaming, AP-assisted roam, CCKM, radio measurements, transmit power control, WMM, Proxy ARP, EAP-FAST, WPA2, single sign-on, call admission control, UPSD, voice metrics, MBSSIDs, location, link tests, and NAC.

The Cisco Compatible Extensions program for WLAN client devices is a program where Cisco licenses a specification with the latest WLAN standards and Cisco innovations. A program participant, such as a maker of a WLAN client adapter or client device, implements support for all features and then submits the product to an independent lab for rigorous testing. Only by passing all tests does the device earn the right to be called Cisco Compatible. The Cisco Compatible Extensions program ensures the widespread availability of client devices that are interoperable with a Cisco WLAN infrastructure and take advantage of Cisco innovations for enhanced security, mobility, quality of service, and network management.

There are four versions of the Cisco Compatible specification; each version builds upon its predecessors.

Features of Cisco Compatible V1 include:
- Compliance with IEEE 802.11 and Wi-Fi
- Support for the 802.1X authentication type: Cisco LEAP
- Ability to interoperate with an access point that supports multiple Service Set Identifiers (SSIDs) tied to multiple VLANs, providing benefits such as flexible security schemes in a mixed client environment

Features of Cisco Compatible V2 include:
- Compliance with Wi-Fi Protected Access (WPA), including support for WPA Temporal Key Integrity Protocol (TKIP) encryption
- Support for the 802.1X authentication type: Protected EAP (PEAP) with EAP-GTC
- Fast, secure roaming through support of the 802.1X key management protocol: Cisco Centralized Key Management (CCKM)
- Radio frequency (RF) scanning, with scanned data sent to the access point and ultimately to CiscoWorks Wireless LAN Solution Engine (WLSE) for analysis and performance of RF management functions such as intrusion detection, assisted site survey, and detection of interference sources

Features of Cisco Compatible V3 include:
- Compliance with WPA2, including support for AES encryption
- Support for the 802.1X authentication type: EAP-FAST
- Support for WMM, a subset of the IEEE 802.11e QoS standard defined by the Wi-Fi Alliance

Features of Cisco Compatible V4 include:
- Support for Cisco Network Admission Control
- Call admission control addressing VoIP stability, roaming, and other QoS-related issues
- Support for a power-saving mechanism, Unscheduled Automatic Power Save Delivery (U-APSD), in QoS environments
- VoIP metrics for reporting to optimize WLAN VoIP performance
- Enhanced roaming
- Ability to function as a location tag
Summary

This topic summarizes the key points discussed in this lesson.

There are several voice-specific requirements to consider when implementing a VoWLAN:
- Roaming is integral to voice services on wireless networks.
- QoS is essential to ensure that voice traffic receives timely and reliable treatment with low delay, low jitter, and little or no packet loss on the network. QoS also includes CAC to police the call capacity on a per-access-point basis.
- VoWLAN deployments require a carefully planned security implementation to ensure that the network operates properly and that voice traffic is secure.
- A voice-ready WLAN requires an intelligent client capable of supporting the voice-ready Cisco infrastructure functions for enterprise roaming, QoS, CAC, and security.
Module Summary

This topic summarizes the key points discussed in this module.

Slide: Summary
- The Cisco voice-ready architecture is an end-to-end solution for combining WLAN and VoIP technologies in a VoWLAN.
- Enterprise VoWLANs expect pervasive coverage, appropriate SNR, and 20% coverage overlap of nonoverlapping frequency channels.
- A well-executed site survey is a first step to building a robust, voice-ready wireless network.
- Voice-specific requirements to consider when implementing a VoWLAN include roaming, QoS, security, and intelligent clients.

- The Cisco voice-ready architecture is an end-to-end solution for combining WLAN and VoIP technologies in a VoWLAN. Voice services should be on a separate VLAN from data.
- Enterprise VoWLANs expect pervasive coverage, appropriate SNR, and 20% overlap coverage of nonoverlapping frequency channels.
- A well-executed site survey is a first step to building a robust, voice-ready wireless network. Overlapping coverage of the access point RF cells facilitates roaming. To handle the voice load, a denser deployment of access points with reduced transmission power is needed. When possible, leverage the nonoverlapping channels and high data rate of 802.11a.
- Voice-specific requirements to consider when implementing a VoWLAN include roaming, QoS, security, and intelligent clients. Voice needs over-the-air and wired end-to-end QoS from the client throughout the infrastructure. Cisco Compatible Extensions version 4 ensures the highest performance for voice clients.

References

For additional information, refer to these resources:
- Cisco Systems, Inc. AGG-2017: Designing for Voice over WLAN (VoWLAN) Phones and Network Configurations. Networkers 2006 presentation (accessible on a subscription basis) at
- Cisco Systems, Inc. Design Principles for Voice Over WLAN at aecd804f1a46.shtml
- Cisco Systems, Inc. Cisco Wireless IP Phone 7920 Design and Deployment Guide at guide_book09186a00802a029a.html
- Cisco Systems, Inc. Five Steps to Securing Your Wireless LAN and Preventing Wireless Threats at _paper0900aecd8042e23b.shtml
- Cisco Systems, Inc. Cisco Compatible Extensions Program for Wireless LAN (WLAN) Client Devices at
- Infonetics Research, Inc. The Evolution of Voice over IP over Wireless LAN in the Enterprise. August-2006.pdf
363 Module Self-Check Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key. Q1) What type of deployment best supports VoWLAN? (Source: VoWLAN in the Enterprise) A) permissive B) pervasive C) salt and pepper D) wired Q2) What are three major components of a VoWLAN? (Choose three.) (Source: VoWLAN in the Enterprise) A) IP phones B) mesh WLAN C) unified wired/wireless LAN infrastructure D) unified wired/wireless WAN infrastructure E) voice-ready WLAN F) wireless IP phones Q3) What unit is used to measure the received signal sensitivity? (Source: VoWLAN Coverage and RF Survey) A) db B) dbi C) dbm D) GHz E) Hz F) mw Q4) What is the recommended VoWLAN cell edge signal strength value for 11 Mbps data rate? (Source: VoWLAN in the Enterprise) A) 18 db B) 25 db C) 65 dbm D) -67 dbm E) -92 dbm Q5) What is the recommended minimum SNR for VoWLAN cell at the 11 Mbps data rate? (Source: VoWLAN Coverage and RF Survey) A) 18 db B) 25 db C) 44 db D) -67 dbm E) -92 dbm 2007 Cisco Systems, Inc. Designing IP Telephony Solutions 11-61
364 Q6) What is the recommended range overlap needed to allow uninterrupted connections by phones? (Source: VoWLAN Coverage and RF Survey) A) 5 B) 10% C) 15% D) 20% E) 25% Q7) A separate RF survey is recommended for adding voice to an existing data only WLAN. (True or False) (Source: VoWLAN Coverage and RF Survey) A) True B) False Q8) How many nonoverlapping a channels are supported in the US? (Source: VoWLAN Coverage and RF Survey) A) 2 B) 3 C) 5 D) 8 E) 11 F) 12 Q9) How many nonoverlapping g channels are supported in the US? (Source: VoWLAN Coverage and RF Survey) A) 2 B) 3 C) 5 D) 8 E) 11 F) 12 Q10) What are three characteristics of call loading? (Chose three.) (Source: VoWLAN Coverage and RF Survey) A) A recommended call loading for a is 8 active voice calls per access point using the voice encoding G.711 codec. B) A recommended call loading for a is 14 active voice calls per access point using the voice encoding G.711 codec. C) A recommended call loading for b/g is 7 active voice calls per access point using the voice encoding G.711 codec. D) A recommended call loading for b/g is 8 active voice calls per access point using the voice encoding G.729 codec. E) The maximum number of phones supported per access point depends on the calling patterns of individual users and the access point type. F) The minimum number of phones supported per access point depends on the calling patterns of individual users and the access point type Designing Cisco Network Service Architectures (ARCH) v Cisco Systems, Inc.
365 Q11) What wireless tool supports integrated network planning and design for VoWLANs? (Source: VoWLAN Coverage and RF Survey) A) G.711 codec B) RRM C) UWN D) WCS E) WLC Q12) What are three differences between VoWLAN deployments and data only WLAN deployments? (Choose three.) (Source: VoWLAN Coverage and RF Survey) A) VoWLAN use larger cell sizes. B) VoWLAN use smaller cell sizes. C) VoWLANs deploy access points with a higher transmit power. D) VoWLANs deploy access points with a lower transmit power. E) VoWLANs recommend nonoverlapping cell frequencies. F) VoWLANs recommend overlapping cell frequencies. Q13) What is the recommended QoS level for over the air voice traffic? (Source: VoWLAN Infrastructure Considerations) A) bronze B) copper C) gold D) palladium E) platinum F) silver Q14) What are three correct statements about WMM? (Choose three.) (Source: VoWLAN Infrastructure Considerations) A) It allows a defined maximum amount of voice bandwidth to be serviced or admitted on a channel at any one time. B) It allows a defined maximum amount of voice bandwidth to be serviced or admitted on an access point at any one time. C) It is a Wi-Fi certification that adds QoS features and multimedia support to the existing b, g, and a wireless networks. D) It is an IEEE specification that adds QoS features and multimedia support to the existing b, g, and a wireless networks. E) It is based on a subset of the IEEE e wireless QoS specification. F) It is based on a superset of the IEEE e wireless QoS specification. Q15) What protocol is recommended for client authentication in Cisco VoWLAN deployments? (Source: VoWLAN Infrastructure Considerations) A) CKMP B) EAP-FAST C) MIC D) PKC E) TKIP F) WEP 2007 Cisco Systems, Inc. Designing IP Telephony Solutions 11-63
Q16) What two protocols are recommended for traffic encryption in Cisco VoWLAN deployments? (Choose two.) (Source: VoWLAN Infrastructure Considerations)
A) CKMP
B) EAP-FAST
C) MIC
D) PKC
E) TKIP
F) WEP

Q17) What are two recommended voice clients in Cisco VoWLAN deployments? (Choose two.) (Source: VoWLAN Infrastructure Considerations)
A) CCX version 2
B) CCX version 4
C) Enhanced CCX version 5
D) Cisco Unified Wireless IP Phone 1240AG
E) Cisco Unified Wireless IP Phone 7921G
F) Cisco Unified Wireless IP Phone 7922G
Module Self-Check Answer Key
Q1) B
Q2) C, E, F
Q3) C
Q4) D
Q5) B
Q6) D
Q7) A
Q8) F
Q9) B
Q10) B, C, D
Q11) D
Q12) B, D, E
Q13) E
Q14) A, C, E
Q15) B
Q16) C, E
Q17) B, E
Module 12
Network Management Capabilities with Cisco IOS Software

Overview
Cisco IOS Software provides a rich set of features that enable customers to efficiently manage their networks. This embedded management functionality enables network engineers to achieve efficient performance, scalability, and availability in their network. It provides critical data for baselining, capacity planning, bottleneck spotting, and general design-related information. This module discusses the importance, requirements, and considerations for implementing the Cisco IOS Software management instrumentation functionality in the overall enterprise design.

Module Objectives
Upon completing this module, you will be able to discuss design considerations for using the embedded management functionality in Cisco IOS Software. This ability includes being able to meet these objectives:
- Identify the rationale for embedded management functionality in network infrastructure devices
- Discuss design considerations for NetFlow
- Discuss design considerations for Network-Based Application Recognition (NBAR)
- Discuss design considerations for IP Service Level Agreements (IP SLAs)
Lesson 1
Embedded Management Capabilities

Overview
Network management includes a broad range of policies, procedures, and purpose-built hardware and software used to manage computer networks. Network management affects the performance, reliability, and security of the entire network. Embedded management describes software subsystems within Cisco IOS Software that help manage, monitor, and automate actions within a router or switch running Cisco IOS Software. Embedded management capabilities add a dimension to the management infrastructure by enabling devices to manage themselves according to policies. They allow devices to automatically take action and collect data, improving service providers' ability to better manage devices and the network.

Objectives
Upon completing this lesson, you will be able to identify xxx. This ability includes being able to meet these objectives:
- Discuss the rationale for embedded management tools within the network infrastructure
- Discuss considerations for using syslog to support network management
Embedded Management Rationale
This topic identifies some reasons for using embedded management in the network infrastructure.

Network management is a set of tools and processes that help manage the network. Network administrators use network management so they can be confident in the performance of the network:
- They use it to verify that the network is working well and behaving in the planned manner.
- They use it to characterize the performance of the network.
- They use it to understand how much traffic is flowing and where it is flowing in the network.
Enterprise Applications Rely on WAN Links
Enterprise applications rely on WAN links to connect the places in the network.

Figure: Enterprise Applications Rely on WAN Links. Branch offices, the data center, headquarters, and teleworkers are connected over WAN links. Issues: links are expensive; speed mismatches can degrade performance; all traffic is not alike.

Network management is often used to manage WAN links. Existing network management processes may focus on managing WAN links due to scarce bandwidth and susceptibility to issues. However, there is increasing interest in extending network management to support application optimization at the data center and throughout the enterprise. There are several issues with the WAN links:
- The expense of WAN connections causes organizations to implement lower-speed, lower-cost links.
- There are speed mismatches between LAN and WAN links that can lead to congestion, packet loss, and degraded application performance.
- Different types of application traffic with different delivery requirements use the WAN links. Real-time applications such as voice and video are especially sensitive to congestion and suffer from degraded performance due to delay, jitter, and packet loss.

2007 Cisco Systems, Inc. Network Management Capabilities with Cisco IOS Software 12-5
Cisco IOS Software Supports Network Management
There are many Cisco IOS Software tools that network managers use.

Non-managed equipment is difficult to support. When something goes wrong, it can be extremely hard to figure out the problem and its cause if the device provides no information or just RMON data. This is a total cost of ownership issue. Cisco IOS Software provides extensive management capabilities:
- A broad range of show commands provides network information that is available for both in-band and out-of-band management.
- Cisco devices support many SNMP MIBs. Through these MIBs, SNMP access to vast amounts of information is supported.
- Device management applications such as the Cisco Router and Security Device Manager (SDM) and the Cisco Adaptive Security Device Manager (ASDM) provide web-based tools for managing single devices.
- Embedded management software subsystems within Cisco IOS Software help manage, monitor, and automate network management:
  Cisco IOS system message logging (syslog)
  NetFlow
  Network-Based Application Recognition (NBAR)
  Cisco IOS IP Service Level Agreement (IP SLA)

Note: The embedded management software subsystems are the focus of this module. This lesson discusses syslog.
Application Optimization and Cisco IOS Technologies
The embedded Cisco IOS technologies provide network management support for application optimization in the network.

Figure: Application Optimization Cycle. Four phases: (1) Baseline Application Traffic: NetFlow, NBAR/NBAR Protocol Discovery, IP SLAs; (2) Optimize to Meet Objectives: Quality of Service, AutoQoS-VoIP, AutoQoS-Enterprise; (3) Measure, Adjust, and Verify: NetFlow, NBAR Protocol Discovery, IP SLAs, Syslog; (4) Deploy New Applications: NBAR, NetFlow.

Cisco has defined an application optimization cycle:
- Develop a baseline on the application traffic. In the first phase, a baseline is developed that measures data. The baseline is used so that the network manager can understand the basic traffic and application flows and the default network performance. Cisco IOS Software technologies that support this phase include NetFlow, Network-Based Application Recognition (NBAR) Protocol Discovery, and IP Service Level Agreements (IP SLAs).
- Optimize to meet objectives. After understanding the baseline, the network manager can apply policies and prioritize traffic so that each application has an optimal portion of network resources. Resources are allocated based on their value to the organization. Quality of Service (QoS) is used to reduce congestion, prioritize specific traffic, and optimize end-to-end performance of critical applications. Cisco IOS Software technologies that support this phase include QoS, NBAR, AutoQoS-VoIP, and AutoQoS-Enterprise.
- Measure, adjust, and verify. In the third phase of the application optimization cycle, the network manager uses ongoing measurements and proactive adjustments to verify that the optimization techniques and QoS provide the network resources needed to meet the service objectives of the applications. This information is also used to resolve network issues that may occur.
There are several Cisco IOS Software features that help measure network performance, including NetFlow, NBAR Protocol Discovery, IP SLAs, and syslog.
- Deploy new applications. In this phase, network engineers determine the service objectives for new applications, estimate the network resources that will be needed to support these objectives, and allocate resources for new applications. Network management tools and processes allow the network manager to have the confidence to deploy new applications based on their understanding of the existing applications. NBAR and NetFlow are common Cisco IOS technologies that are used to support this phase.

Figure: Applying Cisco IOS Technologies for Measuring Application Traffic. IP SLA measurements at the branch sites, NetFlow monitoring at the data center, NBAR monitoring at headquarters facing the WAN, and syslog reporting on all infrastructure devices.

The figure highlights where these technologies are commonly deployed in the enterprise environment. Networks should be configured for manageability and security. Using a predefined template to structure network management configuration and reporting information is a recommended practice.

Note: This lesson discusses syslog technology considerations. Other Cisco IOS Software technologies are discussed in the NetFlow Considerations, NBAR Considerations, and IP SLA Considerations lessons in this module.
Syslog Considerations
This topic describes how Cisco IOS system message logging (syslog) can help the network manager better manage the network.

Figure: Syslog Overview. ESM modules feed the logging targets: buffer, console, TTY, and syslog server.

The Cisco IOS system message logging (syslog) process allows a device to report and save important error and notification messages, either locally or to a remote logging server. Syslog messages can be sent to local console connections, monitor (TTY) connections, the system buffer, or remote syslog servers. Syslog allows text messages to be sent to a syslog server using UDP port 514. Syslog provides a very comprehensive reporting mechanism, logging system messages in plain English text. The syslog messages include both messages in a standardized format (called system logging messages, system error messages, or simply system messages) and output from debug commands. These messages are generated during network operation to assist with identifying the type and severity of a problem, or to aid users in monitoring router activity such as configuration changes.

The Embedded Syslog Manager (ESM) feature provides a programmable framework that allows a network manager to filter, escalate, correlate, route, and customize system logging messages prior to delivery by the Cisco IOS system message logger. ESM is available in Cisco IOS Software Release 12.3(2)T and later versions. ESM also allows system messages to be logged independently as standard messages, XML-formatted messages, or ESM-filtered messages.
These outputs can be sent to any of the traditional syslog targets. For example, a network manager could enable standard logging to the console connection, XML-formatted message logging to the buffer, and ESM-filtered message logging to the monitor. Similarly, each type of output could be sent to different remote hosts. A benefit of separate logging processes is that if, for example, there is some problem with the ESM filter modules, standard logging will not be affected.
Cisco IOS Syslog Message Standard
This section discusses the Cisco IOS Software syslog message standard.

Cisco syslog message format:
%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text
Example:
%SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 ( )

The system messages begin with a percent sign (%) and are structured as shown above:
- FACILITY is a code consisting of two or more uppercase letters that indicates the hardware device, protocol, or module of the system software.
- SEVERITY is a single-digit code from 0 to 7 that reflects the severity of the condition. The lower the number, the more serious the situation.
- MNEMONIC is a code that uniquely identifies the error message.
- Message-text is a text string describing the condition. This portion of the message sometimes contains detailed information about the event, including terminal port numbers, network addresses, or addresses that correspond to locations in the system memory address space.

The example shows a typical message indicating that the operating system (FACILITY = SYS) is providing a notification (SEVERITY = 5) that the device has been configured (MNEMONIC = CONFIG_I). The message text indicates that a user on VTY0 from the IP address given in the message made this change.

Note: The documentation for each Cisco IOS Software release explains the meaning of these messages, such as the information found at ook09186a00806f9890.html
Syslog Issues
There are some issues with syslog.

The severity of messages is not used consistently across the different Cisco platforms and Cisco IOS Software versions, so documentation for each Cisco IOS Software release is needed to explain the meaning of these messages. For example, the environmental monitor initiated shutdown event is reported as ENVM-1-SHUTDOWN in Cisco IOS 11.2 but as ENVM-0-SHUT in Cisco IOS 12.0. This can cause confusion when network managers filter to extract certain severity-level information but are running different software releases.

Syslog is verbose and can provide too many informational messages along with the useful messages for a specific problem or condition. Network managers can use filters or scripts to pull out the important messages. There are also third-party tools that help manage syslog messages, such as Syslog-NG, Kiwi Syslog, and others.

Syslog is based on UDP for its delivery communication mechanism. This is typically not a problem for a monitoring and alerting tool. However, RFC 3195 provides a specification for a reliable delivery mechanism for syslog. Cisco IOS Release 12.4(11)T provides support for the Reliable Delivery for Syslog over Blocks Extensible Exchange Protocol (BEEP) feature, which allows a device to be customized for receipt of syslog messages. This feature provides reliable and secure delivery for syslog messages using BEEP. Additionally, it allows multiple sessions to a single logging host, independent of the underlying transport method, and provides a filtering mechanism called a message discriminator.

Syslog is not a secure mechanism.
However, this should not preclude the network manager from using syslog. Secure practices include establishing access control lists to allow receipt of syslog packets only from internal resources.
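The message format from the previous section and the severity inconsistency described above, worked through in an added Python example (not Cisco code): it parses the %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC header from lines a syslog server would receive, maps the two ENVM variants quoted in the text to one canonical severity on the collector side, and filters by severity. The sample lines, the ENVM message text and the CANONICAL table are constructed; the severity names are the level names Cisco IOS logging uses.

```python
"""Parse Cisco IOS syslog messages and filter them by severity.

Added example for this section, not Cisco code. The sample lines are
constructed (the ENVM message text is made up; the IP address is a
documentation address).
"""
import re
from typing import Dict, List, Optional

# Cisco IOS severity level names, 0 to 7 (lower number = more serious).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: Message-text
# Searched rather than anchored, so a sequence number or timestamp prefix
# that a router adds in front of the header is tolerated.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)"
    r"(?:-(?P<subfacility>[A-Z][A-Z0-9_]*))?"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Same event, different header depending on the Cisco IOS release (the guide's
# example: 11.2 logs ENVM-1-SHUTDOWN, 12.0 logs ENVM-0-SHUT). A constructed
# collector-side table maps known variants to one canonical mnemonic and
# severity so a severity filter behaves the same whichever release sent it.
CANONICAL = {
    ("ENVM", "SHUTDOWN"): ("SHUT", 0),
    ("ENVM", "SHUT"): ("SHUT", 0),
}


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one syslog line, or None when the line carries no
    system-message header (for example raw debug output)."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    msg: Dict[str, object] = dict(m.groupdict())
    msg["severity"] = int(m.group("severity"))
    msg["severity_name"] = SEVERITY_NAMES[int(m.group("severity"))]
    key = (m.group("facility"), m.group("mnemonic"))
    canon_mnemonic, canon_severity = CANONICAL.get(
        key, (m.group("mnemonic"), int(m.group("severity"))))
    msg["canonical_mnemonic"] = canon_mnemonic
    msg["canonical_severity"] = canon_severity
    return msg


def filter_by_severity(lines: List[str], max_severity: int) -> List[Dict[str, object]]:
    """Keep messages whose canonical severity is max_severity or more serious
    (a numerically lower or equal level)."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["canonical_severity"] <= max_severity:
            kept.append(msg)
    return kept


# Constructed sample lines, as a syslog server might receive them.
SAMPLE_LINES = [
    "000045: *Mar  1 00:12:31.123: %SYS-5-CONFIG_I: Configured from console "
    "by cwr2000 on vty0 (192.0.2.10)",
    "%ENVM-1-SHUTDOWN: Environmental monitor initiated shutdown",   # IOS 11.2 form
    "%ENVM-0-SHUT: Environmental monitor initiated shutdown",       # IOS 12.0 form
    "%EXAMPLE-SUB-3-CONSTRUCTED: constructed message with a subfacility",
    "IP: s=192.0.2.10 (local), d=198.51.100.7, len 100, sending",    # debug output, no header
]

if __name__ == "__main__":
    for msg in filter_by_severity(SAMPLE_LINES, 3):
        print(msg["canonical_severity"], msg["facility"],
              msg["canonical_mnemonic"], msg["text"])
```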
Summary
This topic summarizes the key points discussed in this lesson.
- Cisco IOS Software includes embedded management tools that support application optimization, performance measurement, and SLA verification.
- Syslog is a Cisco IOS Software process that allows a device to report and save important error and notification messages, either locally or to a remote logging server.
- Syslog data helps the network manager track the network status.
Lesson 2
NetFlow Considerations

Overview
NetFlow is an important embedded Cisco IOS Software technology that provides visibility into how network assets are being used and into network behavior. This lesson describes how both traditional and Flexible NetFlow help the network manager understand the behavior of traffic in the network.

Objectives
Upon completing this lesson, you will be able to identify design considerations for using NetFlow technology to help manage the network. This ability includes being able to meet these objectives:
- Provide an overview of NetFlow technology
- Describe the characteristics of a flow
- Describe flow record creation
- Describe cache management
- Discuss data export formats
- Discuss NetFlow deployment options
NetFlow Technology Overview
This topic describes the basic characteristics of NetFlow.

Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial of service (DoS) monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow in 1996 and is the leader in IP traffic flow technology; NetFlow is the de facto standard for acquiring IP operational data. NetFlow answers the questions of what, when, where, and how traffic is flowing in the network. NetFlow data can be exported to network management applications that further process the information, resulting in display tables and graphs for accounting and billing or as an aid for network planning.

Cisco IOS NetFlow version 9 is now on the IETF standards track in the IP Flow Information Export (IPFIX) working group. The new generic data transport capability within Cisco routers, IPFIX export, can be used to transport any performance information from a router or switch. The main NetFlow focus has always been IP flow information, but this is now changing with the Cisco implementation of a generic export transport format that is an innovative IETF standard. New information is being exported using the NetFlow version 9 export format, including Layer 2 information, new security detection and identification information, IPv6, multicast, MPLS, BGP information, and more.
Principal NetFlow Uses
Service provider and enterprise environments deploy NetFlow to support different functions.

Principal NetFlow uses:
- Service provider: peering arrangements, network planning, traffic engineering, accounting and billing, security monitoring.
- Enterprise: Internet access monitoring (protocol distribution; where traffic is going to and coming from), user monitoring, application monitoring, charge-back billing for departments, security monitoring.

Organizations use NetFlow in different ways depending on their focus. Both service providers (SPs) and enterprises use NetFlow to analyze new applications and their impact on the network. Understanding who is utilizing the network and the endpoints of traffic flows is important to SPs for network planning and traffic engineering, and important to enterprises for monitoring network resources, users, and applications. Organizations can use NetFlow to determine application ports before writing access control lists (ACLs). While an SP is concerned about accounting and billing to its customers, enterprises may be concerned about charge-back billing for their departments. In addition, NetFlow can help organizations avoid costly upgrades by identifying the applications causing congestion and help reduce peak WAN traffic. Both types of organization use NetFlow for security monitoring and troubleshooting the network. NetFlow can help in diagnosing slow network performance, bandwidth hogs, and bandwidth utilization in real time. It can be used to confirm that appropriate bandwidth has been allocated to each class of service (CoS). It can also help detect unauthorized WAN traffic and support anomaly detection and worm diagnosis.
Definition of a Flow
Each packet that is forwarded within a router or switch is part of a flow. A flow is a stream of traffic from a source to a destination that moves across a device.

A flow is a unidirectional stream of packets between a given source and destination, both defined by a network-layer IP address and transport-layer source and destination port numbers. Traditionally, a flow in NetFlow is identified as the combination of the following seven key fields:
- IP source address. The source address allows the understanding of who is originating the traffic.
- IP destination address. The destination address tells who is receiving the traffic.
- Source port. Ports characterize the application utilizing the traffic up to Layer 4.
- Destination port. Ports characterize the application utilizing the traffic up to Layer 4.
- Layer 3 protocol type. The protocol type characterizes the application utilizing the traffic.
- ToS byte. The type of service (ToS) byte identifies the class of service or priority of the traffic.
- Input logical interface (ifIndex). The device interface tells how traffic is being utilized by the network device.

All packets with the same source/destination IP address, source/destination ports, protocol, interface, and class of service are grouped into a flow with traditional NetFlow. For each flow, NetFlow tallies the packets and bytes.

Note: Cisco IOS Flexible NetFlow is the next generation in flow technology. Flexible NetFlow supports additional flexibility, scalability, and aggregation of flow data beyond traditional NetFlow.
Traditional IP Flows
NetFlow examines each packet for a set of IP packet attributes.

Figure: Traditional IP Flows. Traffic enters a NetFlow-enabled device, which inspects the seven NetFlow key fields of each packet (source IP address, destination IP address, source port, destination port, Layer 3 protocol, ToS byte (DSCP), input interface) and keeps a NetFlow cache of flow information (addresses, ports, packet count, bytes per packet); expired flows are exported in NetFlow export packets to a reporting collector. Creating a flow from the packet attributes: (1) inspect the seven key fields in a packet and identify the values; (2) if the set of key field values is unique, create a flow record or cache entry; (3) when the flow terminates, export the flow to the collector.

In the traditional NetFlow implementation, a set of seven key attributes is used to determine if a packet is unique or similar to other packets. The key-attribute methodology of determining a flow is quite scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache. NetFlow operates by creating a NetFlow cache entry that contains the information for all active flows. The NetFlow cache is built by processing the first packet of a flow through the standard switching path. A flow record is maintained within the NetFlow cache for all active flows. Each flow record in the NetFlow cache contains key fields that can be later used for exporting data to a collection device. NetFlow export, unlike SNMP polling, pushes information periodically to the NetFlow reporting collector. In general, the NetFlow cache is constantly filling with flows, and software in the router or switch is searching the cache for flows that have terminated or expired; these flow records are exported to the NetFlow collector server. Each flow record is created by identifying packets with similar flow characteristics and counting or tracking the packets and bytes per flow.
The flow details or cache information is exported to a flow collector server periodically, based upon flow timers. The collector contains a history of flow information that was switched within the Cisco device. NetFlow is very efficient: the export data amounts to about 1.5 percent of the switched traffic in the router. NetFlow accounts for every packet (in non-sampled mode) and provides a highly condensed and detailed view of all network traffic that entered the router or switch. Network managers review NetFlow information either by using Cisco IOS Software show commands or by exporting NetFlow to a collecting server called a NetFlow collector.
Flow Record Creation
This section looks at flow record creation with NetFlow.

Figure: Flow Record Creation. Two packets are inspected for their key fields (source IP, destination IP, source port, destination port, Layer 3 protocol TCP, ToS byte, input interface Ethernet 0). Packet 1 creates a flow record in the cache (destination interface E1, protocol 6, ToS 0). Packet 2 has a different source IP address, so a new flow is added to the NetFlow cache. Steps: (1) inspect the packet for key field values; (2) compare the set of values to the NetFlow cache; (3) if the set of values is unique, create a flow in the cache; (4) inspect the next packet.

NetFlow inspects packets for key field values. These values are compared to existing flows in the cache. If the set of values is unique, NetFlow creates a new flow record in the cache. Additional information is added to the flow record in non-key fields in both forms of NetFlow. Non-key fields are added to the flow entry in the NetFlow cache and exported. The non-key fields are not used to create or characterize the flows but are exported and just added to the flow in traditional NetFlow. If a field is non-key, such as the outbound interface, normally only the first packet of the flow is used for the value in this field. In the figure, two unique flows are created in the cache because there are different values in the source IP address key field.
NetFlow Data Before QoS Deployment

Figure: NetFlow Data Before QoS Deployment. A sample of NetFlow cache entries with the columns SrcIf, SrcIPadd, DstIf, DstIPadd, TOS, Pkts, Src Port, Dst Port, NextHop, Bytes/Pkt, Start Time, and End Time. In the highlighted flow the ToS byte is zero because QoS is not deployed. This is a small sample of a result; 100,000s of flows are normally available in the NetFlow cache.

Example: NetFlow Data Before QoS Deployment
NetFlow records contain the Type of Service (ToS) field in the IP header as well as application ports, traffic volumes, and timestamps. This information allows the network manager to understand traffic profiles per class of service (CoS) for traffic including data, voice, and video. The user of NetFlow can verify the QoS levels achieved and optimize bandwidth for specific classes of service. This figure and the next figure illustrate how the ToS key field distinguishes between flows. Before QoS is implemented in the network, the ToS value is 0 for all traffic between a specific source and destination pair. There is one traffic flow between this pair.

Note: Using show commands allows the cache to be examined in real time, although collection and reporting tools provide better visibility into what is going on.
NetFlow Data After QoS Deployment

Figure: NetFlow Data After QoS Deployment. The same columns (SrcIf, SrcIPadd, DstIf, DstIPadd, TOS, Pkts, Src Port, Dst Port, NextHop, Bytes/Pkt, Start Time, End Time), now with one cache entry per ToS value (0, EF, CS6, AF41, CS4, CS3, AF21, CS2, AF11, and a further CS class) for the same source and destination pair. The one flow is now 10 because traffic is distributed per class; NetFlow analysis now shows each class of service added to the network.

Example: NetFlow Data After QoS Deployment
This figure shows the NetFlow data after QoS is implemented in the network. The multiple ToS values between a specific source and destination pair lead to multiple flows between the pair as traffic is distributed per class. The NetFlow analysis now shows each class of service between the source and destination pair. This can be useful for verifying that your QoS configuration is working and that bandwidth levels are set appropriately for the volume of traffic.
NetFlow Cache Management
The key to NetFlow-enabled switching scalability and performance is highly intelligent flow cache management.

Figure: NetFlow Cache Management. (1) Create and update flows in the NetFlow cache; each entry carries the key fields (marked * in the figure: SrcIf, SrcIPadd, DstIf, DstIPadd, Protocol, ToS, Src Port, Dst Port) and non-key fields (Flgs, Pkts, Src Msk, Src AS, Dst Msk, Dst AS, NextHop, Bytes/Pkt, Active, Idle). (2) Expire timers: inactive timer expired (15 sec is the default); active timer expired (30 min, 1,800 sec, is the default); NetFlow cache is full (oldest flows are expired); RST or FIN TCP flag. (3) Package flows in the export packet (non-aggregated flows, export version 5 or 9). (4) Transport flows to the reporting server: 30 flows per 1,500-byte export packet, consisting of a header and a payload of flows.

The NetFlow cache management software contains a highly sophisticated set of algorithms for efficiently determining if a packet is part of an existing flow or should generate a new flow cache entry. The algorithms are also capable of dynamically updating per-flow accounting measurements residing in the NetFlow cache, and of cache aging and flow expiration determination.
Rules for expiring NetFlow cache entries include:
- Flows that have been idle for a specified time are expired and removed from the cache.
- Long-lived flows are expired and removed from the cache (flows are not allowed to live more than 30 minutes by default); the underlying packet conversation remains undisturbed.
- As the cache becomes full, a number of heuristics are applied to aggressively age groups of flows simultaneously.
- TCP connections that have reached the end of the byte stream (FIN) or that have been reset (RST) are expired.

The figure shows an example of the NetFlow cache, aggregation cache, and timers. Expired flows are grouped together into "NetFlow Export" datagrams for export from the NetFlow-enabled device. NetFlow Export datagrams may consist of up to 30 flow records for NetFlow version 5 or 9 flow export.
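The definition of a flow, flow record creation, the ToS before/after QoS tables and the expiry rules above, pulled together in an added Python model of a traditional NetFlow cache (example code, not Cisco's implementation). Packets are constructed; the 15 s inactive and 30 min active defaults and the 30-flow datagram are the values the lesson quotes, while the cache size limit, the "age the oldest tenth" heuristic and the helper names are assumptions.

```python
"""Model of a traditional NetFlow cache: seven-field flow keys, per-flow packet
and byte counters, the four expiry rules, and export in datagrams of 30 flows.

Added example for this lesson, not Cisco's NetFlow implementation. Packets are
constructed; timer defaults are those the guide quotes (15 s inactive, 30 min
active); the cache size limit and the 'oldest tenth' heuristic are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_FIN, TCP_RST = 0x01, 0x04                        # TCP flag bits
FlowKey = Tuple[str, str, int, int, int, int, int]   # the seven key fields

@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src: str        # IP source address (key)
    dst: str        # IP destination address (key)
    sport: int      # source port (key)
    dport: int      # destination port (key)
    proto: int      # Layer 3 protocol (key): 6 = TCP, 17 = UDP
    tos: int        # ToS byte (key), DSCP << 2
    in_if: int      # input interface ifIndex (key)
    out_if: int     # output interface (non-key)
    size: int       # bytes
    tcp_flags: int = 0

@dataclass
class FlowRecord:
    key: FlowKey
    out_if: int     # non-key field: taken from the first packet of the flow only
    first: float
    last: float
    packets: int = 0
    bytes: int = 0

class NetFlowCache:
    def __init__(self, inactive: float = 15.0, active: float = 1800.0,
                 max_entries: int = 4096, flows_per_datagram: int = 30):
        self.inactive, self.active = inactive, active
        self.max_entries, self.flows_per_datagram = max_entries, flows_per_datagram
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[List[FlowRecord]] = []   # one inner list per export datagram
        self._pending: List[FlowRecord] = []

    def process(self, p: Packet) -> None:
        """Inspect the key fields, update or create the flow record, apply the expiry rules."""
        self.expire_timers(p.ts)
        key = (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                self._age_oldest()
            rec = FlowRecord(key=key, out_if=p.out_if, first=p.ts, last=p.ts)
            self.cache[key] = rec
        rec.packets += 1
        rec.bytes += p.size
        rec.last = p.ts
        if p.proto == 6 and p.tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key)                          # end of byte stream or reset

    def expire_timers(self, now: float) -> None:
        """Inactive timer: idle longer than `inactive`. Active timer: alive longer than `active`."""
        for key, rec in list(self.cache.items()):
            if now - rec.last > self.inactive or now - rec.first > self.active:
                self._expire(key)

    def _age_oldest(self) -> None:
        """Cache-full heuristic (assumption): age the least recently updated tenth, at least one."""
        victims = sorted(self.cache.values(), key=lambda r: r.last)
        for rec in victims[: max(1, len(victims) // 10)]:
            self._expire(rec.key)

    def _expire(self, key: FlowKey) -> None:
        self._pending.append(self.cache.pop(key))
        if len(self._pending) >= self.flows_per_datagram:
            self.flush()

    def flush(self) -> None:
        """Package the pending expired flows into one export datagram."""
        if self._pending:
            self.exported.append(self._pending)
            self._pending = []

def udp_packet(ts: float, tos: int = 0, sport: int = 40000, size: int = 1528) -> Packet:
    """Constructed UDP packet between one source/destination pair (ifIndex 1 in, 2 out)."""
    return Packet(ts, "192.0.2.1", "198.51.100.2", sport, 162, 17, tos, 1, 2, size)

def run(packets: List[Packet], **kwargs) -> NetFlowCache:
    """Feed packets through a fresh cache and flush what has expired so far."""
    cache = NetFlowCache(**kwargs)
    for p in packets:
        cache.process(p)
    cache.flush()
    return cache

def flows_for_tos_values(tos_values: List[int]) -> int:
    """Cache entries for one packet per ToS value between the same pair: before QoS every
    packet carries ToS 0 (one flow); after QoS each DSCP value becomes its own flow."""
    return len(run([udp_packet(float(i), tos=t) for i, t in enumerate(tos_values)]).cache)
```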
NetFlow Export Versions

There are various versions of NetFlow Export formats.

NetFlow Version   Comments
1                 Original
5                 Standard and most common
7                 Adds IP address of shortcut router for Catalyst 6500
8                 Choice of eleven aggregation schemes; reduces resource usage
9                 Flexible, extensible export format to enable easier support of additional fields and technologies (coming out now); MPLS, multicast, and BGP next hop
IPFIX             IETF IP Flow Information working group standard for flow export; based on Cisco NetFlow version 9

The first versions of NetFlow Export support statically defined fields:
- Version 1 is the original version.
- Version 5 is the most popular. It adds autonomous system (AS) data and sequencing information to the NetFlow data export (NDE) packets. NetFlow version 5 is used with traditional NetFlow and is a fixed export format with a limited set of information being exported.
- Version 7 adds a field for the IP address of the shortcut router used by Cisco Catalyst 6500 Series switches.
- Version 8 is for on-router aggregation. It includes a choice of eleven aggregation schemes.

The latest generation of NetFlow Export supports dynamically defined fields:
- Version 9 is the new extensible NDE version that allows new fields without requiring a new NDE version. With NetFlow version 9, routers send out a template with field IDs and lengths that define the subsequent NDE packets.
- IPFIX is the IETF standard mechanism for flow information export. IPFIX is based on NetFlow version 9.

The most common format used is NetFlow export version 5. However, version 9 is the latest format and has advantages for key technologies such as security, traffic analysis and multicast. Some reporting tools may prefer unaggregated version 5 to version 9, because version 9 requires more complicated processing. Whatever the version, Cisco IOS sends export by default as plain UDP datagrams with no authentication, so the collector should accept export only from the addresses of known exporters and the export path should stay inside the management network.

Designing Cisco Network Service Architectures (ARCH) v Cisco Systems, Inc.
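The fixed version 5 format described above, as an added example written for this guide (not Cisco code): an exporter side that packs up to 30 records behind the 24-byte header, and a collector side that unpacks them and watches the flow_sequence field, so that lost export datagrams, or extra ones injected by a host spoofing the exporter, surface as sequence gaps. The flow contents are constructed; the field layout is the documented v5 format.

```python
"""NetFlow version 5 export: a fixed 24-byte header followed by fixed
48-byte flow records, at most 30 per datagram, with flow_sequence used
to detect lost or injected datagrams.

Added example written for this guide, not Cisco code. The flow contents
are constructed; the field layout is the documented v5 format."""
import struct

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets",
                 "first", "last", "sport", "dport", "pad1", "tcp_flags",
                 "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
RECORDS_PER_DATAGRAM = 30   # 24 + 30 * 48 = 1464 bytes, under a 1500-byte MTU

SAMPLE_FLOW = dict(src="10.1.1.5", dst="192.0.2.10", nexthop="10.1.1.1",   # constructed
                   in_if=1, out_if=2, pkts=12, octets=9000, first=1000, last=1800,
                   sport=44000, dport=80, tcp_flags=0x1b, proto=6, tos=0,
                   src_as=0, dst_as=64500, src_mask=24, dst_mask=24)


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_v5(flows, flow_sequence, uptime_ms=1000, unix_secs=1_700_000_000):
    """Exporter side: package up to 30 flow dicts into one v5 datagram."""
    if len(flows) > RECORDS_PER_DATAGRAM:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, flow_sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(ip_bytes(f["src"]), ip_bytes(f["dst"]), ip_bytes(f["nexthop"]),
                       f["in_if"], f["out_if"], f["pkts"], f["octets"], f["first"], f["last"],
                       f["sport"], f["dport"], 0, f["tcp_flags"], f["proto"], f["tos"],
                       f["src_as"], f["dst_as"], f["src_mask"], f["dst_mask"], 0)
        for f in flows)
    return header + records


class V5Collector:
    """Collector side: parse datagrams and watch flow_sequence for gaps."""

    def __init__(self):
        self.expected_seq = None   # flow_sequence counts records, not datagrams
        self.gaps = []             # (expected, seen) pairs

    def parse(self, datagram):
        version, count, _uptime, _secs, _nsecs, seq, *_ = V5_HEADER.unpack_from(datagram)
        if version != 5:
            raise ValueError("not a NetFlow v5 datagram")
        if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
            raise ValueError("count field does not match datagram length")
        if self.expected_seq is not None and seq != self.expected_seq:
            self.gaps.append((self.expected_seq, seq))   # lost or injected export
        self.expected_seq = seq + count
        records = []
        for i in range(count):
            values = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
            rec = dict(zip(RECORD_FIELDS, values))
            for k in ("src", "dst", "nexthop"):
                rec[k] = ".".join(str(b) for b in rec[k])
            records.append(rec)
        return records


def demo():
    """Two full datagrams are sent; the one carrying records 30..59 is lost."""
    collector = V5Collector()
    first = collector.parse(build_v5([SAMPLE_FLOW] * 30, flow_sequence=0))
    collector.parse(build_v5([SAMPLE_FLOW] * 30, flow_sequence=60))
    return len(first), first[0]["dst"], first[0]["dport"], collector.gaps


if __name__ == "__main__":
    print(demo())
```

A collector that logs the gap list gives an early warning when the export path drops datagrams (a common result of the 1 to 5 percent export overhead on a congested link) and, because the sequence keeps counting records, a burst of forged datagrams from another host disturbs it just as visibly.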
NetFlow Version 9 Export Packet

Cisco IOS Flexible NetFlow is the next-generation flow technology from Cisco.

Figure: NetFlow Version 9 Export Packet (slide)
- Header (version, number of records, sequence number, source ID)
- Template FlowSet: template record with template ID #1 (specific fields, types, and lengths); template record with template ID #2
- Data FlowSet, set ID #1: data records (field values) for flows from interface A
- Data FlowSet, set ID #2: data records (field values) for flows from interface B
- Option template FlowSet: template ID (specific fields, types, and lengths)
- Option data FlowSet: option data records (field values)
The version 9 export format allows new fields to be inserted easily. A template describes what is being exported in the export data sets. Matching ID numbers associate a template with its data records. The network manager can configure which key and non-key fields define flows.

Flexible NetFlow uses the flexible and extensible NetFlow version 9 format to provide enhanced optimization of the network infrastructure, reduced costs, and improved capacity planning and security detection beyond other flow-based technologies available today. NetFlow version 9 includes a template to describe what is being exported, followed by the export data. The template is sent periodically to the NetFlow collector, telling it what data to expect from the router or switch. The data is then sent for the reporting system to analyze. Matching ID numbers are used to associate the template with the data records.

The NetFlow version 9 record format consists of a packet header followed by one or more template or data FlowSets. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet. There are both template and data FlowSets. An export packet contains one or more FlowSets, and template and data FlowSets can be mixed within the same export packet.
A template FlowSet provides a description of the fields that will be present in future data FlowSets. Data FlowSets may occur later within the same export packet or in subsequent export packets. Because templates are resent only periodically, a collector that starts (or restarts) between two template refreshes cannot decode the data FlowSets it receives until the next template arrives; a collector must therefore cache templates per exporter source ID and tolerate an initial gap. Since NetFlow version 9 is configurable and customizable, theoretically any data available in the device can be sent in NetFlow version 9 format. The network manager can configure which key and non-key fields define flows.
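The template mechanism described above, as an added example written for this guide (not Cisco code): one export packet carrying a template FlowSet and a data FlowSet with the same ID is built and decoded, and then a second collector that missed the template is shown receiving the same data FlowSet and being unable to decode it. Field type numbers follow the version 9 specification (RFC 3954); the flows are constructed.

```python
"""NetFlow version 9 export: a template FlowSet describes the fields, a
data FlowSet with the same ID carries the values, and the collector can
decode data only with the template for that (source ID, template ID).

Added example written for this guide, not Cisco code. Field type numbers
are those of RFC 3954; the flows are constructed."""
import struct

# Version 9 field types used here (RFC 3954 numbering)
IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS = 1, 2, 4, 6
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
FIELD_NAMES = {1: "bytes", 2: "pkts", 4: "proto", 6: "tcp_flags",
               7: "sport", 8: "src", 11: "dport", 12: "dst"}
ADDRESS_TYPES = (IPV4_SRC_ADDR, IPV4_DST_ADDR)
TEMPLATE_SET_ID, OPTIONS_TEMPLATE_SET_ID = 0, 1    # data FlowSets use IDs >= 256
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id

# Template as (field type, length in bytes); constructed flows keyed by field name
TEMPLATE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
                   (PROTOCOL, 1), (TCP_FLAGS, 1), (IN_PKTS, 4), (IN_BYTES, 4)]
SAMPLE_FLOWS = [
    dict(src="10.1.1.5", dst="192.0.2.10", sport=44000, dport=443, proto=6, tcp_flags=0x1b, pkts=12, bytes=9000),
    dict(src="10.1.1.9", dst="192.0.2.53", sport=50001, dport=53, proto=17, tcp_flags=0, pkts=1, bytes=76),
]


def encode(ftype, length, value):
    if ftype in ADDRESS_TYPES:
        return bytes(int(o) for o in value.split("."))
    return value.to_bytes(length, "big")


def template_set(template_id, fields):
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record)) + record


def data_set(template_id, fields, flows):
    body = b"".join(encode(t, l, f[FIELD_NAMES[t]]) for f in flows for t, l in fields)
    body += b"\0" * (-len(body) % 4)      # optional padding to a 32-bit boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def export_packet(flowsets, record_count, source_id=1, sequence=1):
    """record_count is the total of template and data records in the packet."""
    return HEADER.pack(9, record_count, 5000, 1_700_000_000, sequence, source_id) + b"".join(flowsets)


def decode(fields, raw):
    rec, pos = {}, 0
    for ftype, length in fields:
        chunk = raw[pos:pos + length]
        pos += length
        name = FIELD_NAMES.get(ftype, "type%d" % ftype)
        rec[name] = (".".join(str(b) for b in chunk) if ftype in ADDRESS_TYPES
                     else int.from_bytes(chunk, "big"))
    return rec


class V9Collector:
    def __init__(self):
        self.templates = {}    # (source_id, template_id) -> [(type, length), ...]
        self.undecodable = 0   # data FlowSets seen before their template

    def parse(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        offset, records = HEADER.size, []
        while offset + 4 <= len(packet):
            set_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4 or offset + length > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[offset + 4:offset + length]
            if set_id == TEMPLATE_SET_ID:
                pos = 0
                while pos + 4 <= len(body):
                    tid, nfields = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                    pos += 4 * nfields
                    self.templates[(source_id, tid)] = fields   # keyed per exporter
            elif set_id >= 256:
                fields = self.templates.get((source_id, set_id))
                if fields is None:
                    self.undecodable += 1      # opaque until the template arrives
                else:
                    rec_len = sum(l for _, l in fields)
                    for pos in range(0, len(body) - rec_len + 1, rec_len):
                        records.append(decode(fields, body[pos:pos + rec_len]))
            # options template (set ID 1) and option data are not needed here
            offset += length
        return records


def demo():
    tset = template_set(256, TEMPLATE_FIELDS)
    dset = data_set(256, TEMPLATE_FIELDS, SAMPLE_FLOWS)
    warm = V9Collector()
    records = warm.parse(export_packet([tset, dset], 1 + len(SAMPLE_FLOWS)))
    cold = V9Collector()   # started after the template went out; sees only data
    missed = cold.parse(export_packet([dset], len(SAMPLE_FLOWS)))
    return [(r["dst"], r["dport"], r["bytes"]) for r in records], len(missed), cold.undecodable
```

The template cache is keyed by source ID as well as template ID: two exporters may both use template 256 with different field lists, and a collector that keys on template ID alone decodes one of them with the wrong layout.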
Flexible NetFlow Advantages

- Flexibility, scalability, and aggregation of flow data beyond traditional NetFlow
- The ability to monitor a wider range of packet information, producing new information about network behavior
- User-configurable flow information to perform customized traffic identification and the ability to focus on and monitor specific network behavior
- Simultaneous support for multiple NetFlow applications through multiple Flow Monitors
- Enhanced network anomaly and security detection
- Basis for the IETF standard IPFIX

The current Flexible NetFlow model has several key advantages over traditional NetFlow:
- By flexibly targeting specific information, the amount of information and the number of flows being exported can be reduced, allowing enhanced scalability and aggregation beyond traditional NetFlow.
- Flexible NetFlow can monitor a wider range of packet information. It enhances the rich feature capabilities of traditional NetFlow by allowing the tracking of information at Layer 2 for switching environments, Layers 3 and 4 for IP information, and up to Layer 7 with deep packet inspection for application monitoring.
- In Flexible NetFlow, non-key fields are configurable by the user. Flexible NetFlow also allows the user to select which key and non-key fields define flows. This configuration capability gives the user customization and flexibility beyond traditional NetFlow.
- Version 9 provides a NetFlow architecture that can track multiple NetFlow applications simultaneously by using different Flow Monitors. A Flow Monitor describes the NetFlow cache, or the information stored in the cache, and contains the Flow Record, the key and non-key fields within the cache. Part of the Flow Monitor is the Flow Exporter, which contains information about the export of NetFlow information, including the destination address of the NetFlow collector.
The Flow Monitor includes various cache characteristics, including the timers for exporting, the size of the cache and, if required, the packet sampling rate. The user can create simultaneous and separate Flow Monitors for security analysis and for traffic analysis.

Cisco IOS Flexible NetFlow provides enhanced security detection and network troubleshooting by allowing customization of flow information. For example, the user can create a specific Flow Monitor to focus on and analyze a particular network issue or incident. In addition, Flexible NetFlow allows a customizable active timer for the cache that can be set as low as 1 second, compared with the traditional NetFlow minimum of 60 seconds. This customizable timer aids in tracking security incidents in which open or partial flows might be recorded (for example, a SYN flood attack), because a half-open connection is exported within about a second of its first packet instead of waiting for the inactive timeout. It provides real-time monitoring with immediate flow cache capabilities as well as long-term or permanent tracking of flow data.
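The SYN flood case mentioned above, as an added detection example written for this guide (not Cisco code) over the records a collector would hand back from a Flow Monitor that keys on TCP flags and uses a short active timer: a flow that carried SYN but never ACK is a half-open connection, and many such flows from many sources against one target inside a short window is the flood signature. The records and the thresholds are constructed assumptions.

```python
"""Half-open flow detection over Flexible NetFlow records: with TCP flags
collected and a short active timer, a connection attempt that never
completes shows up quickly as a one-packet flow whose only flag is SYN.

Added example written for this guide, not Cisco code. The records are
constructed in the shape a collector hands back (one dict per flow); the
thresholds are illustrative, not Cisco defaults."""
from collections import defaultdict

TCP = 6
SYN, ACK = 0x02, 0x10


def is_half_open(flow):
    """TCP flow that carried SYN but never ACK: the handshake never completed."""
    flags = flow["tcp_flags"]
    return flow["proto"] == TCP and bool(flags & SYN) and not (flags & ACK)


def detect_syn_floods(flows, window=1.0, min_half_open=50, min_sources=20):
    """Return one alert per (dst, dport) that accumulates at least
    min_half_open half-open flows from at least min_sources distinct
    sources within `window` seconds of flow start time."""
    by_target = defaultdict(list)
    for f in flows:
        if is_half_open(f):
            by_target[(f["dst"], f["dport"])].append(f)
    alerts = []
    for (dst, dport), half in by_target.items():
        half.sort(key=lambda f: f["first"])
        lo = 0
        for hi in range(len(half)):                  # sliding window over start times
            while half[hi]["first"] - half[lo]["first"] > window:
                lo += 1
            span = half[lo:hi + 1]
            sources = {f["src"] for f in span}
            if len(span) >= min_half_open and len(sources) >= min_sources:
                alerts.append(dict(dst=dst, dport=dport, half_open=len(span),
                                   sources=len(sources), at=half[hi]["first"]))
                break                                # one alert per target
    return alerts


def constructed_flows():
    """Constructed sample: 200 normal HTTPS sessions, one failed connect, and
    a SYN flood from 120 spoofed sources against port 80 inside 0.6 seconds."""
    flows = []
    for i in range(200):
        flows.append(dict(src="10.0.0.%d" % (i + 1), dst="192.0.2.10", sport=40000 + i, dport=443,
                          proto=TCP, tcp_flags=SYN | ACK | 0x01, first=i * 0.1, pkts=20, bytes=4000))
    flows.append(dict(src="10.0.0.3", dst="192.0.2.10", sport=1025, dport=80,
                      proto=TCP, tcp_flags=SYN, first=5.0, pkts=3, bytes=180))
    for i in range(120):
        flows.append(dict(src="203.0.113.%d" % (i + 1), dst="192.0.2.10", sport=1024 + i, dport=80,
                          proto=TCP, tcp_flags=SYN, first=30.0 + i * 0.005, pkts=1, bytes=60))
    return flows


if __name__ == "__main__":
    for alert in detect_syn_floods(constructed_flows()):
        print(alert)
```

With a 60-second active timer the same flood would not be visible until a minute after it started; the 1-second timer is what makes the window-based count usable as a near real-time alarm. The distinct-source threshold keeps one misconfigured client retrying a closed port from raising the alert.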
NetFlow version 9 is the basis for the IETF standard IPFIX, developed by the IP Flow Information Export (IPFIX) working group in the IETF.

Flexible NetFlow is an important technology available in Cisco devices that helps with visibility into how network assets are being used and how the network behaves. Flexible NetFlow is an improved NetFlow bringing better scalability, aggregation of data and user customization. Flexible NetFlow enhances the ability to detect security incidents and to understand the behavior of traffic in the network beyond what is possible in other flow-based technologies.
NetFlow Deployment

There are a large number of NetFlow collectors, including Cisco, freeware and third-party commercial products, that report on and utilize NetFlow data.

NetFlow Reporting Application Examples (slide): NetQoS, IBM Aurora, AdventNet. Partner links: Tech/nmp/netflow/partners/commercial/ and Tech/nmp/netflow/partners/freeware/

Some reporting systems offer a two-tier architecture in which collectors are placed near key sites in the network; they aggregate and forward the data to a main reporting server. Other solutions use multiple distributed collectors, a central database, a management server, and a reporting server. Smaller deployments may have a single server for reporting and collection.

Many Cisco NetFlow reporting products are offered. In recent years, many new partners and solutions have become available on both Windows and Linux operating systems. Typical starting prices for commercial products range from $3,500 to more than $100,000, depending on the size of the enterprise.

Note: For a list of Cisco partners and freeware NetFlow reporting tools, please reference Table 2 and Table 3 in the Cisco Systems white paper "Introduction to Cisco IOS NetFlow - A Technical Overview" (the link in the original is truncated to "shtml").
Where to Apply NetFlow Monitoring

NetFlow is typically used at a central site, because all traffic from the remote sites is characterized and is available within NetFlow there.

Figure: Where to Apply NetFlow Monitoring (slide). Branches and teleworkers connect across the WAN to the data center; NetFlow monitoring is applied at the data center and on the branch WAN links.

The location where NetFlow is deployed depends on the location of the reporting solution and the topology of the network. If the reporting collection server is centrally located, then implementing NetFlow close to the reporting collector server is optimal. NetFlow can also be enabled at remote branch locations, with the understanding that the export data will consume bandwidth. The two-tier architecture solutions allow remote aggregation of data and can help manage WAN bandwidth.

NetFlow is in general an ingress measurement technology that should be deployed on appropriate interfaces on edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic to meet customer needs for accounting, monitoring or network planning data. Egress NetFlow accounting is available in newer releases of Cisco IOS Software, including release 12.3(11)T and later.

The key mechanism for keeping the NetFlow data volume manageable is careful planning of the NetFlow deployment. NetFlow can be deployed incrementally (interface by interface) and strategically (on well-chosen routers) instead of enabling NetFlow on every router in the network. The network designer should determine the key routers and key interfaces where NetFlow should be activated, based on the customer's traffic flow patterns and the network topology and architecture.
Since about 1 to 5 percent of the switched traffic volume is used for export to the collection server, Cisco recommends careful planning of the NetFlow deployment, with NetFlow services activated on strategically located edge/aggregation routers that capture the data required for planning, monitoring and accounting applications. Some thought needs to be given to exactly which interfaces should enable NetFlow collection and export so that flows are not double-counted: with ingress-only NetFlow, a flow that enters a router on a monitored interface is counted once on that router, but it is counted again on every other router in its path that monitors the interface it arrives on.
Summary

This topic summarizes the key points discussed in this lesson.

NetFlow technology answers the questions of what, when, where, and how traffic is flowing in the network:
- It looks at a flow, a unidirectional stream of packets between a given source and destination with specific attributes.
- It measures and creates flow records for traffic flows, which are stored in a cache.
- It uses cache management algorithms to export flow data to reporting servers.
- It exports using multiple formats. Version 5 is the traditional and most common format; version 9 is the latest format, with key advantages.
- Reports from export data are provided by Cisco, freeware, and commercial products.
Lesson 3
NBAR Considerations

Overview

Enterprise applications require different levels of service based upon business requirements. These requirements can be translated into network policies. Network Based Application Recognition (NBAR) is an important embedded Cisco IOS Software technology that provides visibility into how network assets are being used by applications. This lesson discusses how NBAR can classify network traffic so that applications can receive the appropriate policy and bandwidth in the network.

Objectives

Upon completing this lesson, you will be able to discuss design considerations for using NBAR to support network management. This ability includes being able to meet these objectives:
- Provide an overview of NBAR
- Discuss options for reporting NBAR Protocol Discovery statistics
- Describe how NBAR can be used with AutoQoS for the Enterprise
NBAR Overview

This topic identifies how Network Based Application Recognition (NBAR) supports enterprise goals for network management with intelligent traffic classification in the network infrastructure.

Rationale for NBAR Traffic Classification

Traffic classification can help organizations answer many questions about network resources:
- What applications run on the network and what is their resource consumption?
- How is application resource utilization tracked?
- Are users following application usage policies?
- How much bandwidth should be assigned to different QoS classes?
- What plan will allocate and deploy applications (e.g., VoIP) most efficiently?

NBAR supports the business requirements of an organization by adding classification to the network to deliver more granular identification and control over multiple Internet-based and client/server applications, which other QoS mechanisms cannot differentiate.
NBAR Overview

Network-Based Application Recognition (NBAR) is an embedded Cisco IOS Software capability that enables precise traffic classification.

Figure: NBAR Overview (slide). "My application is too slow!"
- NBAR provides full-packet, stateful inspection that identifies traffic types.
- NBAR Protocol Discovery discovers application protocol statistics on interfaces.
- NBAR enables application of QoS policies to traffic flows.
The link-utilization chart in the figure shows Real-Time at 33% and Best Effort at 25%; the other labels in the chart are Voice, Interactive-Video, Call-Signaling, Routing, Mission-Critical, Transactional, Net Mgmt, Critical Data, Bulk, Streaming-Video, P2P, and Backup.

NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications. NBAR provides full-packet stateful inspection that identifies applications, including protocols that use dynamic TCP/UDP port assignments. NBAR includes an optional feature called NBAR Protocol Discovery. NBAR Protocol Discovery analyzes application traffic patterns in real time and discovers which traffic is running on the network. NBAR develops statistics on protocol traffic on interfaces. NBAR is the foundation for applying quality of service (QoS) policies to traffic flows in the network.

NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic generated by each protocol. After gathering this information, NBAR allows the network administrator to organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the right level of network resources for network traffic. After NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or for traffic with that protocol.
NBAR Packet Inspection

The NBAR packet classification engine provides full packet inspection that identifies applications and protocols using information from Layer 3 through Layer 7.

Figure: NBAR Packet Inspection (slide). An IP packet (ToS, Protocol, Source IP Addr, Dest IP Addr), the TCP/UDP header (Src Port, Dst Port) and the data (sub-port and deep inspection).
NBAR supports methods to identify over 90 applications and protocols:
- Statically assigned TCP and UDP port numbers
- Dynamically assigned TCP and UDP port numbers using stateful inspection
- Sub-port and deep packet inspection on content within the packet
- Native and nonnative PDLMs
Note: NBAR is enabled when a class map with a match protocol option is applied to an interface.

NBAR uses five elements to identify a flow per interface:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type

Note: Traditional NetFlow uses these identifiers for each interface plus Type of Service (ToS).

NBAR has several classification methods to identify over 90 applications and protocols:
- Statically assigned TCP and UDP port numbers. NBAR can classify application traffic by looking at statically assigned TCP and UDP port numbers. Although access control lists (ACLs) can also be used for classifying static-port protocols, NBAR is easier to configure and provides classification statistics that are not available when ACLs are used.
- Dynamically assigned TCP and UDP port numbers. NBAR can also classify dynamically assigned TCP and UDP port numbers by using stateful inspection of a protocol across multiple packets during packet classification. NBAR uses approximately 150 bytes of DRAM for each traffic flow that requires stateful inspection, so the flow count expected on a busy interface should be budgeted against the router's memory before this is enabled.
- Sub-port and deep inspection. NBAR looks beyond the port numbers of a packet to provide sub-port and deep packet classification by looking into the Layer 3 payload itself and classifying packets based on content within the payload, such as the transaction identifier, message type, or other similar data. Deep-packet classification is classification performed at a finer level of granularity. For instance, if a packet is already classified as HTTP traffic, it may be further classified. Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an example of deep-packet classification. NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP URL matching in NBAR supports most HTTP request methods, such as GET, PUT, HEAD, POST, DELETE, and TRACE. The NBAR engine converts the specified match string into a regular expression.

NBAR can only monitor applications that it recognizes. However, it does allow adding application recognition modules, known as Packet Description Language Modules (PDLMs), to support additional applications. A nonnative PDLM is a separate downloadable file used to add support for a protocol that is not available as part of the native PDLM embedded in the Cisco IOS Software release. Because a PDLM changes how the router parses packets, it should be obtained only from Cisco and its integrity verified before it is loaded.

NBAR also provides custom protocol support for static port-based protocols and applications that are not currently supported in NBAR. Ten custom applications can be assigned using NBAR, and each custom application can have up to 16 TCP and 16 UDP ports mapped to the individual custom protocol. The real-time statistics of each custom protocol can be monitored using Protocol Discovery.

Note: NBAR is enabled by default when class maps with a match protocol option are applied to an interface.
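The three classification methods above, side by side, as an added example written for this guide (it is not Cisco's NBAR engine and not the PDLM format): a static port table, sub-port inspection of HTTP requests in which the URL match string is converted to a regular expression as the text describes, and custom protocols mapping extra ports to a name with the limits the text gives (10 custom protocols, 16 TCP and 16 UDP ports each). It classifies single packets rather than five-tuple flows; the protocol table and sample packets are constructed. The fourth sample packet shows why a port match alone is weak: an SSH banner sent to TCP/80 is "http" by port but "unknown" once the payload is inspected.

```python
"""Static port match, sub-port (deep) inspection of HTTP by URL, and custom
static-port protocols, in the style of the NBAR methods described above.

Added example written for this guide; it is not Cisco's NBAR engine or
PDLM format. Single packets are classified; the protocol table, the
custom protocol and the sample packets are constructed."""
import re

STATIC_PORTS = {(6, 80): "http", (6, 22): "ssh", (6, 25): "smtp", (17, 53): "dns"}
HTTP_METHODS = ("GET", "PUT", "HEAD", "POST", "DELETE", "TRACE")
MAX_CUSTOM, MAX_PORTS_PER_PROTO = 10, 16   # limits quoted in the text


class Classifier:
    def __init__(self):
        self.custom = {}         # name -> {(proto, port), ...}
        self.url_rules = []      # (compiled regex, class name), in match order

    def add_custom(self, name, tcp=(), udp=()):
        """A custom static-port application, within the 10 x 16/16 limits."""
        if len(self.custom) >= MAX_CUSTOM:
            raise ValueError("at most %d custom protocols" % MAX_CUSTOM)
        if len(tcp) > MAX_PORTS_PER_PROTO or len(udp) > MAX_PORTS_PER_PROTO:
            raise ValueError("at most %d ports per transport" % MAX_PORTS_PER_PROTO)
        self.custom[name] = {(6, p) for p in tcp} | {(17, p) for p in udp}

    def match_http_url(self, pattern, class_name):
        """The match string is converted to a regular expression; '*' stands
        for any text, as in an NBAR URL match."""
        regex = re.escape(pattern).replace(r"\*", ".*") + "$"
        self.url_rules.append((re.compile(regex), class_name))

    def classify(self, pkt):
        proto, dport = pkt["proto"], pkt["dport"]
        for name, ports in self.custom.items():          # custom static ports first
            if (proto, dport) in ports:
                return name
        by_port = STATIC_PORTS.get((proto, dport), "unknown")
        if by_port == "http":                              # sub-port inspection
            return self._inspect_http(pkt.get("payload", b""))
        return by_port

    def _inspect_http(self, payload):
        """Parse the request line; anything on port 80 that is not an HTTP
        request (a tunnel, SSH, a binary protocol) stays unknown."""
        head = payload.partition(b"\r\n\r\n")[0]
        request_line = head.decode("ascii", "replace").split("\r\n")[0]
        parts = request_line.split(" ")
        if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
            return "unknown"
        url = parts[1]
        for regex, class_name in self.url_rules:
            if regex.match(url):
                return class_name
        return "http"


def demo():
    c = Classifier()
    c.add_custom("custom-erp", tcp=(7001, 7002))
    c.match_http_url("*/api/*", "http-api")
    c.match_http_url("*.iso", "http-bulk")
    packets = [   # constructed
        dict(proto=6, dport=80, payload=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        dict(proto=6, dport=80, payload=b"POST /api/v1/orders HTTP/1.1\r\nHost: erp.example.com\r\n\r\n"),
        dict(proto=6, dport=80, payload=b"GET /images/os.iso HTTP/1.1\r\nHost: mirror.example.com\r\n\r\n"),
        dict(proto=6, dport=80, payload=b"SSH-2.0-OpenSSH_9.6\r\n"),   # SSH hiding on TCP/80
        dict(proto=6, dport=7002, payload=b"\x00\x01"),
        dict(proto=17, dport=53, payload=b"\x12\x34\x01\x00"),
    ]
    return [c.classify(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Two points carry over to real NBAR deployments: a URL rule is only as specific as its pattern (a leading "*" matches any path prefix, so order the rules from most to least specific), and anything that falls through to "unknown" is exactly the traffic a QoS policy should treat as best effort rather than trust by port.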
NBAR Protocol Discovery

NBAR Protocol Discovery provides protocol traffic discovery and real-time statistics.

Figure: NBAR Protocol Discovery (slide). Traffic discovery and real-time statistics:
- Automatically discovers traffic for all protocols known to NBAR
- Provides statistics per application, per interface: packet counts, byte counts, bit rate (bps)
Note: NBAR Protocol Discovery is enabled with the ip nbar protocol-discovery interface configuration command.

NBAR Protocol Discovery discovers any protocol traffic that is supported by NBAR and gathers statistics that are associated with that protocol. NBAR Protocol Discovery maintains the following per-protocol statistics for enabled interfaces:
- Total number of input packets and bytes
- Total number of output packets and bytes
- Input bit rates
- Output bit rates

The statistics can then be used to define classes and traffic policies for each traffic class. The traffic policies, or policy maps, are used to apply specific QoS features and functionality to the traffic classes.
NetFlow and NBAR Differentiation

NetFlow and NBAR are complementary technologies.

Figure: NetFlow and NBAR Differentiation (slide). Across a packet (link layer header, IP header, TCP/UDP header, data), NetFlow covers Interface, ToS, Protocol, Source IP Address, Destination IP Address, Source Port and Destination Port; NBAR covers Protocol, the addresses and ports, and deep packet (payload) inspection.
NetFlow:
- Monitors data in Layers 2 through 4.
- Determines applications by port.
- Uses 7 key fields for a flow.
- Flow information: who, what, when, where for all traffic.
NBAR:
- Uses 5 key fields for a flow.
- Examines data from Layers 3 and 4 plus packet inspection through Layer 7 for classification of traffic it knows about.
- Supports stateful inspection of dynamic-port traffic.
- Supports QoS mechanisms.

The main objective of NetFlow is to provide visibility into how network assets are being used and how the network behaves. In traditional NetFlow, flows are defined by a set of seven key characteristics that document who is using which part of the network, for what purposes, at what times. NetFlow is a passive technology that monitors network activity, typically from OSI Layers 2 through 4. NetFlow data export allows trending of network records.

Note: Flexible NetFlow can monitor packet information from Layer 2 for switching environments, Layers 3 and 4 for IP information, and up to Layer 7 with deep packet inspection for application monitoring.

The main objective of NBAR is to identify and classify traffic based on payload attributes and protocol characteristics. Flows are defined by a set of five key characteristics. NBAR supports both static and stateful dynamic inspection. QoS mechanisms work on the classified packets to support optimization of application performance. NBAR is an active technology that can be used to validate or reclassify ToS markings based on packet inspection in OSI Layers 3 through 7.
NBAR Protocol Discovery provides an easy way to discover the application protocols that are operating on an interface, and the results can be queried through SNMP.
Reporting NBAR Protocol Discovery Statistics

NBAR Protocol Discovery statistics can be viewed from the Cisco IOS Software command-line interface (CLI) or through reporting with third-party vendor applications.

Reporting NBAR Protocol Discovery Statistics from the Command Line (slide; counter values not reproduced):

   router# show ip nbar protocol-discovery interface FastEthernet 6/0

   FastEthernet6/0
                    Input                     Output
   Protocol         Packet Count              Packet Count
                    Byte Count                Byte Count
                    5 minute bit rate (bps)   5 minute bit rate (bps)
   http
   pop
   snmp
   Total

The figure shows a portion of the output from the show ip nbar protocol-discovery command for one Ethernet interface. By default this command displays statistics for all interfaces on which NBAR Protocol Discovery is currently enabled. The default output from this command includes, in the following order, input bit rate (in bits per second), input byte count, input packet count, and protocol name. An option on this command is to show the top-n number most active NBAR-supported protocols, where number is the number of protocols to be displayed. For instance, if top-n 3 is entered, the three most active NBAR-supported protocols are displayed.

Protocol Discovery can be used to monitor both input and output traffic and may be applied with or without a service policy enabled. NBAR Protocol Discovery gathers statistics for packets switched to output interfaces.

Note: These statistics are not necessarily for packets that exited the router on the output interfaces, because packets may have been dropped after switching for various reasons, including policing at the output interface, access lists, or queue drops.
AdventNet NetFlow Analyzer

Example: AdventNet NetFlow Analyzer
The figure shows a screen shot from the AdventNet NetFlow Analyzer application, which uses the NBAR Protocol Discovery information.
Concord CA ehealth Top Protocol Distribution Drill-down Report

Example: Concord ehealth
The figure shows a screen shot from the Concord ehealth application showing the top protocol distribution from the NBAR Protocol Discovery statistics.
InfoVista VistaView Traffic Monitoring

Example: InfoVista VistaView
The figure shows a screen shot from the InfoVista VistaView application.
Micromuse Netcool Proviso Top-N Protocol Statistics

Example: Micromuse Netcool Proviso
The figure shows a screen shot from the Micromuse Netcool Proviso application. It shows top-N protocol statistics for the eight most active protocols. This information allows the network manager to identify the traffic mix on a specific link and to understand which applications are consuming bandwidth.
MRTG NBAR Support

Example: MRTG Support for NBAR
The figure shows an example screen shot using the Cacti Multi Router Traffic Grapher (MRTG) freeware to graph NBAR Protocol Discovery statistics. The MRTG tool uses the Vermeer add-on to report on NBAR data collected through SNMP from routers.
NBAR and AutoQoS

The AutoQoS feature of Cisco IOS Software is supported with NBAR.

Figure: NBAR and AutoQoS (slide). The Cisco IOS AutoQoS feature has two flavors:
- AutoQoS for VoIP creates predefined policy maps for voice traffic.
- AutoQoS for the Enterprise uses NBAR discovery mode to gather traffic statistics, then creates a policy map based on the detected traffic with suggested bandwidth settings per class.
Two modes handle traffic classification:
- Trusted mode relies on existing preset DSCP values.
- Untrusted mode discovers applications by leveraging NBAR.

Cisco IOS Software includes two features to automate the deployment of QoS in the network:
- AutoQoS Voice over IP (VoIP). This feature is available with Cisco IOS Software release 12.2(15)T and later releases. The AutoQoS VoIP feature provides a means for simplifying the implementation and provisioning of QoS for VoIP traffic.
- AutoQoS for the Enterprise. This feature is available with Cisco IOS Software release 12.3(11)T and later releases. The AutoQoS for the Enterprise feature helps automate the deployment of QoS in a general business environment, particularly for midsize companies and branch offices of larger companies. It expands on the functionality available with the AutoQoS VoIP feature and supports the QoS features required for voice, video, and data traffic. This feature creates class maps and policy maps on the basis of Cisco experience and "best practices" methodology after using NBAR discovery on lower-speed WAN links.

Both of these AutoQoS features can take advantage of the traffic classification functionality of NBAR. When AutoQoS is configured on an interface with the trust option, the differentiated services code point (DSCP) markings of a packet are relied on for classification of the voice traffic.
If the optional trust keyword is not specified, the voice traffic is classified using NBAR, and the packets are marked with the appropriate DSCP value. Trusting existing DSCP markings is appropriate only where the upstream devices (for example, IP phones, or an access switch that re-marks at the edge) are themselves trusted; on a link facing user workstations or an external network, the untrusted mode, in which NBAR classifies and re-marks, prevents a host from claiming the priority class simply by setting its own DSCP.
Cisco AutoQoS for the Enterprise

The AutoQoS for the Enterprise feature consists of a two-phase configuration process.

Figure: Cisco AutoQoS for Enterprise (slide). Two-phase procedure:
1. Invoke the auto discovery qos command on the applicable link. Use the show auto discovery qos command to view the data collection in progress.
2. Automatically configure the link with the auto qos command. Use the show auto qos command to display the QoS policy settings deployed.

Traffic Class              DSCP
IP Routing                 CS6
Interactive Voice          EF
Interactive Video          AF41
Streaming Video            CS4
Telephony Signaling        CS3
Transaction/Interactive    AF21
Network Management         CS2
Bulk Data                  AF11
Best Effort                0
Scavenger                  CS1

In the first phase, Auto-Discovery collects data and evaluates traffic in the network. The Auto-Discovery phase is started by using the auto discovery qos [trust] command:
- In the untrusted mode, the Auto-Discovery phase uses NBAR Protocol Discovery to detect and classify the applications on the network and perform statistical analysis on the network traffic.
- In the trusted mode, the Auto-Discovery phase classifies packets based on the DSCP values in the IP header, collects the NBAR Protocol Discovery statistics to calculate bandwidth and average rate/peak rate, and passes that data to the template module.

The data should be collected for several days to a week, as desired. The show auto discovery qos command should be used to display the results of the data collected during the Auto-Discovery phase.

In the second phase, the AutoQoS template generation and installation process generates templates from the data collected during the Auto-Discovery phase and installs the templates on the interface. These templates can be used as the basis for creating the class maps and policy maps for the network. The recommended policy is based on the Auto-Discovery statistics. After the class maps and policy maps are created with values for bandwidth and scheduling parameters, they are installed on the interface.
Note: These class maps and policies should be reviewed by a network manager. Although the process creates some suggested class maps and policy maps, these are typically customized by the network manager.
The AutoQoS template generation phase is started by using the auto qos command. The class maps and policy maps should be reviewed by using the show auto qos command.

Example: AutoQoS Discovery Progress (some values are missing from the transcription)

   router# show auto discovery qos
   AutoQoS Discovery enabled for applications
   Discovery up time: 2 days, 55 minutes
   AutoQoS Class information:
   Class VoIP:
     Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)
     Detected applications and data:
     Application/    AverageRate    PeakRate    Total
     Protocol        (kbps/%)       (kbps/%)    (bytes)
     rtp audio       76/7           517/
   Class Interactive Video:
     Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)
     Detected applications and data:
     Application/    AverageRate    PeakRate    Total
     Protocol        (kbps/%)       (kbps/%)    (bytes)
     rtp video       24/2           5337/
   Class Transactional:
     Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)
     Detected applications and data:
     Application/    AverageRate    PeakRate    Total
     Protocol        (kbps/%)       (kbps/%)    (bytes)
     citrix          36/3           74/
     sqlnet          12/1           7/<

The figure shows a sample result from the AutoQoS Discovery process. Note that the VoIP class is sized from its peak rate, whereas the other classes are sized from their average rate.

By default, the NBAR mechanisms do not show unclassified traffic. The show ip nbar unclassified-port-stats command returns the following message:

   router1# show ip nbar unclassified-port-stats
   Port Statistics for unclassified packets is not turned on.

Under carefully controlled circumstances, you can use the debug ip nbar unclassified-port-stats command to configure the router to begin tracking the ports on which packets arrive. The show ip nbar unclassified-port-stats command is then used to verify the collected information. The output displays a histogram of the most commonly used ports.

Note: Using NetFlow to look at the unclassified traffic is typically a better practice, with less potential for overloading the router CPU.
Example: AutoQoS Suggested Policy

Suggested AutoQoS Policy for the current uptime:
!
class-map match-any AutoQoS-Voice-Et3/1
 match protocol rtp audio
!
class-map match-any AutoQoS-Inter-Video-Et3/1
 match protocol rtp video
!
class-map match-any AutoQoS-Signaling-Et3/1
 match protocol sip
 match protocol rtcp
!
class-map match-any AutoQoS-Transactional-Et3/1
 match protocol citrix
!
class-map match-any AutoQoS-Bulk-Et3/1
 match protocol exchange
!
policy-map AutoQoS-Policy-Et3/1
 class AutoQoS-Voice-Et3/1
  priority percent 1
  set dscp ef
 class AutoQoS-Inter-Video-Et3/1
  bandwidth remaining percent 1
  set dscp af41
 class AutoQoS-Signaling-Et3/1
  bandwidth remaining percent 1
  set dscp cs3

The figure shows the beginning of a suggested policy from the AutoQoS template generation process.
Summary
This topic summarizes the key points discussed in this lesson.
- NBAR is an embedded Cisco IOS Software capability that enables precise traffic classification to support QoS functions.
- NBAR Protocol Discovery provides protocol traffic discovery and real-time statistics that are available through SNMP.
- NBAR Protocol Discovery statistics can be viewed from the command line or through third-party vendor applications.
- The two-phase configuration process of the AutoQoS for the Enterprise feature uses data collected by NBAR to create templates on the interfaces. These templates are the basis for the class maps and policy maps created for the network.
Lesson 4: IP SLA Considerations

Overview
Enterprises are under increasing pressure to offer service level agreements (SLAs) to their internal customers or other departments, or to verify and measure outsourced SLAs. The embedded Cisco IOS IP SLA measurement capability lets network managers validate network performance, proactively identify network issues, and verify service guarantees by using active monitoring to generate probe traffic in a continuous, reliable, and predictable manner. This lesson discusses how the integrated IP SLA measurements can be used to support network management functions.

Objectives
Upon completing this lesson, you will be able to identify design considerations for Cisco IOS IP SLA measurements. This ability includes being able to meet these objectives:
- Discuss the capabilities of Cisco IOS IP SLA measurements
- Describe IP SLA measurement deployments
- Discuss network management applications that use IP SLA measurements
IP SLA Technology Overview
This topic describes the basic characteristics of IP SLA measurements.

Service Level Agreement Review
The network has become increasingly critical for customers, and any downtime or degradation can adversely affect revenue. Companies therefore need some form of predictability with regard to IP services. A service level agreement (SLA) is a contract between the network provider and its customers, or between a network department and internal corporate customers. It provides a form of guarantee to customers with regard to the level of user experience. An SLA specifies connectivity and performance agreements for an end-user service from a service provider, and typically outlines both the minimum level of service and the expected level of service. The networking department can use SLAs to verify that the service provider is meeting its own commitments, or to define service levels for critical business applications. An SLA can also be used as the basis for planning budgets and justifying network expenditures. By proactively isolating network issues, administrators can reduce the mean time to repair, and they can change the network configuration based on measured performance metrics.
Typically, the technical components of an SLA contain a guaranteed level of network availability, network performance in terms of round-trip time, and network response in terms of latency, jitter, and packet loss. The specifics of an SLA vary depending on the applications an organization supports on the network.

Example: Multimedia Service Requirements

Traffic Type         Maximum Packet Loss   Maximum One-Way Latency   Maximum Jitter
VoIP                 1%                    150 ms                    30 ms
Video-conferencing   1%                    150 ms                    30 ms
Streaming video      2%                    5 s                       N/A

Converged IP networks must be optimized for performance levels such as these. Administrators can use a variety of benchmarks, including delay, packet loss, jitter, packet sequencing, and connectivity, to gauge the quality of service received by the end user. One-way delay is the difference between the time a test packet is sent and the time it arrives at the responder. Jitter is the variation in delay. The table shows typical multimedia service requirements, which are more stringent than data-only requirements.
Cisco IOS IP SLA Measurements
Cisco IOS IP SLA network performance measurements within and between Cisco devices allow customers to understand IP service levels for IP applications and services. In the figure, an IP SLA source (a Cisco IOS Software device) generates active test traffic toward a destination, which is either an IP server or another Cisco IOS Software device acting as an IP SLA responder, and stores the results in the IP SLA MIB. Operations include FTP, DNS, DHCP, DLSw, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, and RTP; the metrics gathered include latency, packet loss, jitter, distribution of statistics, and connectivity.

The IP SLA measurement functionality in Cisco IOS Software allows a router to be configured to send synthetic traffic to a host computer or to a router that has been configured to respond. One-way travel times and packet loss data are gathered, and certain operations also collect jitter data. Common uses of IP SLA measurements include:
- Edge-to-edge network availability monitoring
- Network performance monitoring and network performance visibility
- Voice over IP (VoIP), video, and VPN network monitoring
- SLA monitoring
- IP service network health readiness or assessment
- Multiprotocol Label Switching (MPLS) network monitoring
- Troubleshooting of network operation
Cisco IOS IP SLA measurements use a variety of operations and actively generated traffic probes to gather many types of measurement statistics, including:
- Network latency and response time
- Packet loss statistics
- Network jitter and voice quality scoring
- Statistical end-to-end matrix of performance information
- End-to-end network connectivity

Multiple IP SLA operations (measurements) can run in a network at one time. Reporting tools use SNMP to extract the data into a database and then report on it. IP SLA measurements let the network manager verify service guarantees, increase network reliability by validating network performance, proactively identify network issues, and ease the deployment of new IP services.
Cisco IOS IP SLA Measurement Capability
SLAs that support application solutions are an increasingly common requirement, and measurement of SLAs in the IP infrastructure is becoming an essential part of optimizing the network for business. Enterprises and small and medium businesses use IP SLA measurements to understand network performance, ease deployment, verify service levels, and verify outsourced SLAs; service providers use them to measure and provide SLAs across the access, aggregation edge, and core of their networks.

The embedded Cisco IOS IP SLA measurement capability supports a network that is "performance-aware". Using IP SLA measurements, Cisco network equipment can verify service guarantees, validate network performance, improve network reliability, proactively identify network issues, and react to performance metrics with changes to the configuration and network.

The Cisco IOS IP SLA measurement capability has comprehensive hardware support. Other than the Cisco Catalyst 4500 Series switches, all Cisco hardware that runs Cisco IOS Software supports Cisco IOS IP SLA measurements. IP SLA data collection and reporting support is included in several third-party partner performance management products. Because Cisco IOS IP SLA measurement is embedded in Cisco IOS Software, there is no additional device to deploy, learn, or manage. As a dependable tool for verifying IP service levels, Cisco IOS IP SLA measurement provides a scalable, cost-effective solution for network performance measurement.

Note: Cisco IOS IP SLA measurement, a core part of the Cisco IOS Software portfolio, has grown from the technology previously known as Cisco IOS Service Assurance Agent (SAA).
IP SLA measurements perform active monitoring by generating and analyzing traffic to measure performance between Cisco IOS Software devices or to network application servers.
IP SLA Source and Responder
IP SLA operations fall into two classes, depending on whether they rely on the IP SLA Responder component running on the target device.

- IP SLA Source: the Cisco IOS Software device that sends the data for an operation. The target may or may not be a Cisco IOS Software device; some operations require an IP SLA Responder. The source stores results in the IP SLA MIB.
- IP SLA Responder: a Cisco IOS Software device configured with the ip sla monitor responder configuration command to respond to IP SLA packets. Greater measurement accuracy is available between an IP SLA source and a responder.
- IP SLA operations: the network manager defines the UDP or TCP port for each operation. The IP SLA control protocol runs between source and responder, MD5 authentication is supported between them, and results are stored on the source in the IP SLA MIB.

You set up an IP SLA operation to a target device. If the operation is something like DNS or HTTP, the target device can be any suitable computer. For operations such as testing the port used by a database, an organization might not want to risk unexpected effects on the server and would instead use the IP SLA Responder functionality to have a router respond in place of the actual database server. Responder functionality is enabled on a router with one command and requires no complex or per-operation configuration.

The IP SLA Source is where all IP SLA probe operations are configured, either through the command-line interface or through an SNMP tool that supports IP SLA operations. The source is also the Cisco IOS device that sends the probe packets. The destination of a probe may be another Cisco router or another network target such as a web server or IP host. Although the destination can be any IP device, measurement accuracy improves with a Cisco IOS IP SLA Responder.
An IP SLA Responder is a device that runs Cisco IOS Software and is configured as an IP SLA responder with the ip sla monitor responder configuration command. The network manager configures a target device, protocol, and port number on the IP SLA Source for each operation. The source uses the IP SLA Control Protocol to communicate with the responder before sending test packets. To increase the security of the IP SLA control messages, the responder can use MD5 authentication to secure the control protocol exchange. Once the operation is finished and the response is received, the results are stored in the IP SLA MIB on the source and are retrieved using SNMP.
IP SLA Operation with Responder
This section discusses an IP SLA operation in a network with an IP SLA Responder.

Figure: In the control phase, the IP SLA Source sends an IP SLA control message to UDP port 1967 on the IP SLA Responder, asking it to open UDP port 2020; the responder answers OK and starts listening on UDP port 2020. In the probing phase, the source sends the test packets to UDP port 2020; when the operation is done, the responder stops listening.

The network manager configures an IP SLA operation by defining a target device, protocol, and port number on the IP SLA Source. The network manager can also configure reaction conditions. The operation is scheduled to run for a period of time to gather statistics. The following sequence of events occurs for each Cisco IOS IP SLA operation that requires a responder on the target:

1. At the start of the control phase, the IP SLA Source sends a control message with the configured operation information to IP SLA control port UDP 1967 on the target router. The control message carries information such as the protocol, port number, and duration. If MD5 authentication is enabled, an MD5 checksum is sent with the control message; the responder verifies it and, if verification fails, returns an authentication failure message. If the IP SLA operation does not receive a response from the responder, it retransmits the control message and eventually times out.
2. If the responder can process the control message, it sends an OK message to the source router and listens on the port specified in the control message for the specified duration. If it cannot process the control message, it returns an error. In the figure, UDP port 2020 is used for the IP SLA test packets.
Note: The responder is capable of responding to multiple IP SLA operations that connect to the same port number.
3. If the return code of the control message is OK, the IP SLA operation moves to the probing phase, in which it sends one or more test packets to the responder for response time computation. The return code is available through the show ip sla statistics command. In the figure, the test packets are sent to UDP port 2020.
4. The responder accepts the test packets and responds. Depending on the type of operation, the responder may add an in timestamp and an out timestamp to the response packet payload to account for the CPU time it spent, which allows unidirectional packet loss, latency, and jitter to a Cisco device to be measured. These timestamps help the IP SLA Source make accurate assessments of one-way delay and of processing time in the target router. The responder disables the user-specified port once it has responded to the IP SLA packets, or when the specified time expires.

IP SLA Responder Timestamps
Figure: The source sends a test packet at T1. The responder stamps T2 on receipt and T3 on transmission; the difference T3 - T2 is the responder processing time. The source stamps T4 at interrupt level when the reply arrives and T5 when the packet is processed. Because the responder takes two timestamps, it factors out destination processing time, making the results highly accurate, and it allows one-way measurements of latency, jitter, and packet loss.

The figure illustrates the use of IP SLA Responder timestamps in round-trip calculations. The IP SLA Source uses four timestamps for the round-trip time calculation. The source sends a test packet at time T1. The responder records both the receipt time (T2) and the transmission time (T3). Because of other high-priority processes, routers can take tens of milliseconds to process incoming packets; this delay affects the measured response time, because the reply to a test packet might sit in a queue while waiting to be processed. The time stamping has sub-millisecond granularity.

At times of high network activity, an ICMP ping test often reports a long and inaccurate response time, while an IP SLA responder-based test reports an accurate one. The IP SLA Source subtracts T2 from T3 to obtain the time spent processing the test packet in the responder, represented as a delta value, and then subtracts that delta from the overall round-trip time. The same principle is applied at the source: the incoming T4 is taken at interrupt level, which is more accurate than T5, when the packet is actually processed.

An additional benefit of the two responder timestamps is the ability to track one-way delay, jitter, and directional packet loss. These statistics are critical because a great deal of network behavior is asymmetric. To capture one-way delay measurements, both the IP SLA Source and the IP SLA Responder must be configured with Network Time Protocol (NTP) and synchronized to the same clock source. The Cisco IOS IP SLA Responder provides enhanced measurement accuracy without the need for dedicated third-party external probe devices, and it provides additional statistics that are not otherwise available from standard ICMP-based measurements.
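The following is an added example, not code from the ARCH guide or from Cisco IOS: a small Python model of the exchange just described, with a control message carrying a keyed MD5 digest, the responder opening the requested test port, and the four-timestamp arithmetic that removes responder processing time from the round-trip figure. The control message layout, the shared key, the port numbers beyond the control port, and the timestamp samples are assumptions constructed for illustration; one-way delays are only meaningful when both clocks are NTP-synchronized.

```python
"""Added example, not from the ARCH guide: a Python model of one IP SLA
operation that uses a responder.  Control message with an MD5 digest,
responder opening the test port, then T1..T4 timestamp arithmetic.
The message layout, shared key and timestamp samples are assumptions."""
import hashlib
import statistics

IP_SLA_CONTROL_PORT = 1967          # responder listens here for control messages
SHARED_KEY = b"example-key"         # assumed key for MD5 authentication


def control_message(proto, port, duration_s, key=SHARED_KEY):
    """Source side: protocol, test port and duration plus a keyed MD5 digest
    over those fields (constructed layout, not the wire format)."""
    body = f"{proto}:{port}:{duration_s}".encode()
    return {"proto": proto, "port": port, "duration": duration_s,
            "md5": hashlib.md5(key + body).hexdigest()}


def responder_handle(msg, key=SHARED_KEY):
    """Responder side: verify the digest, then agree to listen on the test
    port.  Returns (return code, (proto, port) opened or None)."""
    body = f"{msg['proto']}:{msg['port']}:{msg['duration']}".encode()
    if hashlib.md5(key + body).hexdigest() != msg["md5"]:
        return "auth-failure", None
    return "ok", (msg["proto"], msg["port"])


def raw_round_trip(t1, t2, t3, t4):
    """What an ICMP ping reports: T4 - T1, responder CPU time included."""
    return t4 - t1


def round_trip_time(t1, t2, t3, t4):
    """RTT with the responder's processing time (T3 - T2) factored out."""
    return (t4 - t1) - (t3 - t2)


def one_way_delays(t1, t2, t3, t4):
    """(source->destination, destination->source) delays; only meaningful
    when source and responder clocks are NTP-synchronized."""
    return t2 - t1, t4 - t3


def jitter(delays):
    """Mean absolute change in delay between consecutive probes."""
    return statistics.mean([abs(b - a) for a, b in zip(delays, delays[1:])])


def run_operation(samples, source_key=SHARED_KEY, responder_key=SHARED_KEY):
    """Control phase, then probing phase over `samples`, a list of
    (T1, T2, T3, T4) tuples in milliseconds."""
    code, _port = responder_handle(control_message("udp", 2020, 60, source_key),
                                   responder_key)
    if code != "ok":
        return {"return_code": code}
    sd = [one_way_delays(*s)[0] for s in samples]
    ds = [one_way_delays(*s)[1] for s in samples]
    return {
        "return_code": "ok",
        "packets": len(samples),
        "rtt_avg": statistics.mean([round_trip_time(*s) for s in samples]),
        "raw_rtt_avg": statistics.mean([raw_round_trip(*s) for s in samples]),
        "sd_jitter": jitter(sd),
        "ds_jitter": jitter(ds),
    }


# Constructed timestamps in ms: the source sends at T1, the responder stamps
# T2 on receipt and T3 on transmit, the source stamps T4 at interrupt level.
SAMPLES = [
    (0.0, 10.0, 22.0, 32.0),    # 12 ms queued in the responder: ping says 32, RTT is 20
    (20.0, 31.0, 33.0, 44.0),   # 2 ms in the responder
    (40.0, 49.0, 50.0, 60.0),   # 1 ms in the responder
]

if __name__ == "__main__":
    print(run_operation(SAMPLES))
    print(run_operation(SAMPLES, responder_key=b"wrong-key"))
```

The first sample is the case the text warns about: a reply queued for 12 ms behind higher-priority work inflates a ping-style measurement to 32 ms, while the responder-corrected round-trip time is 20 ms. The mismatched-key call shows the authentication failure return code that stops the operation before any test packets are sent.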
IP SLA SNMP Features
This section discusses some of the SNMP features of Cisco IOS IP SLA measurements.

- IP SLA is an active measurement tool.
- It uses the CISCO-RTTMON-MIB to store data from operations; jitter and packet loss ratio are the two most commonly polled statistics.
- IP SLA supports classes of service using DSCP.
- It supports proactive notification and actions; thresholds can trigger the activation of further SLA operations for analysis.

Figure: A Cisco IOS IP SLA device measures toward an IP host and toward another Cisco IOS device acting as IP SLA Responder, and sends SNMP traps to a management application, which collects and presents the results.

In contrast to NetFlow, which passively monitors the network, Cisco IOS IP SLA measurement actively sends data across the network to measure performance between multiple network locations, on a hop-by-hop basis or across end-to-end network paths. The measurements are accessible through SNMP. The Cisco Response Time Monitor MIB (CISCO-RTTMON-MIB) is the MIB used for IP SLA measurements; the data from IP SLA operations is stored in it, and network management system applications retrieve network performance statistics from it. Network managers can build custom equations to monitor specific statistics, and the MIB can store measurements over a period of time.

Cisco IOS IP SLA measurements can be configured to monitor different classes of service over the same link by setting the differentiated services code point (DSCP) bits with the tos command, which is supported by all IP SLA operations. The feature is available in Release 12.2T and all subsequent releases.

In addition, IP SLA provides a proactive notification feature based on SNMP traps. Each measurement operation can be monitored against a preset performance threshold, such as a packet loss, latency, or jitter threshold where relevant. IP SLA generates an SNMP trap to alert management applications when the threshold is crossed. Available thresholds include round-trip time, average jitter, one-way latency, jitter, packet loss, mean opinion score (MOS), and connectivity tests. Administrators can also configure IP SLA to start a secondary operation automatically when the threshold has been crossed a configurable number of times. For instance, when latency exceeds a threshold three times, this can trigger a secondary operation that measures hop-by-hop latency to isolate the problem area in the network.
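The threshold reaction just described, as an added example that is not code from the ARCH guide or from Cisco IOS: a Python model that evaluates a latency series against a threshold, raises a trap-style event and starts a hypothetical secondary operation on the rising edge, and clears on the falling edge. The "consecutive" and "xofy" rules mirror the threshold types IOS offers for IP SLA reactions; the metric name, threshold, sample latency series, and the event tuples are constructed for illustration, and no SNMP is actually sent.

```python
"""Added example, not from the ARCH guide: threshold-reaction logic of the
kind the lesson describes, modelled in Python.  Rules 'immediate',
'consecutive' and 'xofy' mirror IOS threshold types; metric, threshold,
the sample series and the event names are constructed assumptions."""
from collections import deque


class ThresholdReaction:
    """Track one metric against a threshold.  On the rising edge record an
    SNMP-style trap and the start of a secondary (hop-by-hop) operation; on
    the falling edge record a clearing trap."""

    def __init__(self, metric, threshold, rule="consecutive", x=3, y=5,
                 secondary_op="path-echo"):
        if rule not in ("immediate", "consecutive", "xofy"):
            raise ValueError(f"unknown threshold rule {rule!r}")
        self.metric, self.threshold, self.rule = metric, threshold, rule
        self.x, self.y = x, y
        self.secondary_op = secondary_op
        self.streak = 0                 # consecutive violations so far
        self.window = deque(maxlen=y)   # last y results, for x-of-y
        self.active = False             # True while the reaction is raised
        self.events = []

    def _condition(self, value):
        over = value > self.threshold
        if self.rule == "immediate":
            return over
        if self.rule == "consecutive":
            self.streak = self.streak + 1 if over else 0
            return self.streak >= self.x
        self.window.append(over)        # xofy: x violations within the last y samples
        return sum(self.window) >= self.x

    def observe(self, value):
        """Feed one measurement; returns True while the reaction is raised."""
        met = self._condition(value)
        if met and not self.active:
            self.active = True
            self.events.append(("trap-rising", self.metric, value, self.threshold))
            self.events.append(("start-secondary-operation", self.secondary_op))
        elif not met and self.active:
            self.active = False
            self.events.append(("trap-falling", self.metric, value, self.threshold))
        return self.active


def evaluate(series, rule="consecutive", threshold=150.0, x=3, y=5):
    """Run a round-trip latency series (ms) through one reaction; return its events."""
    reaction = ThresholdReaction("rtt_ms", threshold, rule=rule, x=x, y=y)
    for value in series:
        reaction.observe(value)
    return reaction.events


# Constructed round-trip latency samples (ms) against a 150 ms threshold.
LATENCY_MS = [120, 160, 170, 180, 190, 100, 175, 140]

if __name__ == "__main__":
    for rule in ("immediate", "consecutive", "xofy"):
        print(rule, evaluate(LATENCY_MS, rule=rule))
```

With the same series, "immediate" flaps three times, "consecutive" (3) raises once at the third violation and clears at the first good sample, and "xofy" (3 of 5) raises once and stays raised through the isolated good sample; this is why the rule, not only the threshold, decides how noisy the traps and follow-up operations will be.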
Deploying IP SLA Measurements
Different IP SLA operations are needed to support different deployment profiles.

Deployment Profiles for IP SLAs

Profile            Requirement                                       IP SLA Measurement
Data traffic       Minimize delay and packet loss; verify QoS        Jitter, packet loss, latency
VoIP               Minimize delay, packet loss, and jitter           Jitter, packet loss, latency, MOS voice quality score
SLA verification   Measure delay, packet loss, and jitter; one-way   Jitter, packet loss, latency, one-way, enhanced accuracy (NTP)
Availability       Connectivity testing                              Connectivity tests to IP devices
Streaming video    Minimize delay and packet loss                    Jitter, packet loss, latency

The first step in an IP SLA deployment is answering the question of what needs to be monitored. A variety of operation types are supported by Cisco IOS IP SLA. The most commonly used operation is UDP jitter, which measures IP performance for performance-sensitive UDP applications. The table shows the requirements and the common IP SLA measurements for several network profiles. For example, data-only deployments typically seek to minimize delay and packet loss, and they can obtain jitter, packet loss, and latency measurements from the UDP jitter operation. With the addition of real-time traffic such as VoIP, the focus shifts from the reliability of the network alone to the delays involved in transmitting the data, because real-time traffic is delay sensitive. For VoIP traffic, packet loss is manageable to some extent, but frequent losses impair communication between endpoints. The UDP jitter operation is again the most popular operation, because packet loss, jitter, and latency, including unidirectional measurements, are all obtained from one operation. VoIP networks may also measure MOS voice quality scores.
Impact of QoS on IP SLA Statistics
IP SLA statistics are affected by QoS in the network.

IP SLA Data Before QoS Deployment
Figure: a table of per-flow results with the columns Src IP addr, Dst IP addr, TOS, SD Latency, DS Latency, SD Packet Loss, DS Packet Loss, SD Jitter, and DS Jitter (SD is source to destination, DS is destination to source). One flow is highlighted as the one tracked before QoS deployment. One class of service is used, and the results are a statistical sampling over time based on the frequency of measurements.

This figure shows the IP SLA statistics for a particular flow before QoS is deployed in the network. For ToS = 0, the results are a statistical sampling over time based on the frequency of measurements.

IP SLA Data After QoS Deployment
Figure: the same columns, with one row per class of service monitored: EF, CS6, AF41, CS4, CS3, AF21, CS2, AF11, and CS. A measurement is set up for each class of service monitored, which demonstrates how QoS is working end-to-end; performance per class verifies that QoS is working well.

This figure shows the IP SLA statistics for the same operation across multiple flows after QoS is deployed in the network. In this case, a measurement is set up for each class of service monitored. The varied results per ToS value show that the per-class treatment is working end-to-end across the network. In general, QoS is about preferential treatment for certain traffic classes. If all your traffic is getting the same treatment, either the network is not congested or your QoS configuration is not working properly at some point in the path.
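One operation per class of service, as an added example that is not part of the ARCH guide: a Python generator that emits the source-side IP SLA jitter operations for a list of DSCP classes, together with the one-line responder configuration. The point it makes is the one a practitioner trips over with the tos command: the keyword takes the whole ToS byte, so a DSCP value must be shifted left two bits (EF 46 becomes tos 184). The DSCP values are the standard code points; the ip sla monitor command form is the 12.3T/12.4 syntax named in this lesson and varies by release, and the addresses, port, operation numbers, and probe parameters are assumptions.

```python
"""Added example, not from the ARCH guide: generate one IP SLA jitter
operation per class of service so each class is measured separately.
DSCP values are the standard code points; the 'ip sla monitor' syntax is
the 12.3T/12.4 form and varies by release; addresses, port, operation ids
and probe parameters are assumptions."""

# Standard DSCP code points.  The IP ToS byte carries DSCP in its six
# high-order bits, so the value given to 'tos' is DSCP << 2.
DSCP = {"EF": 46, "CS6": 48, "AF41": 34, "CS4": 32, "CS3": 24,
        "AF21": 18, "CS2": 16, "AF11": 10, "CS1": 8, "BE": 0}


def dscp_to_tos(name):
    """ToS byte value for a DSCP name, as expected by the 'tos' keyword."""
    return DSCP[name] << 2


def tos_to_dscp(tos):
    """Inverse mapping, useful when reading a 'tos' line back from a config."""
    return tos >> 2


def jitter_operations(dest_ip, dest_port, classes, first_id=10, frequency=60,
                      num_packets=50, interval_ms=20):
    """Return (operation id, class name, config lines) per class of service.
    One operation per class keeps the per-class rows separate in the RTTMON MIB."""
    ops = []
    for n, cls in enumerate(classes):
        op_id = first_id + n
        lines = [
            f"ip sla monitor {op_id}",
            f" type jitter dest-ipaddr {dest_ip} dest-port {dest_port}"
            f" num-packets {num_packets} interval {interval_ms}",
            f" tos {dscp_to_tos(cls)}",
            f" frequency {frequency}",
            f" tag {cls}",
            f"ip sla monitor schedule {op_id} life forever start-time now",
        ]
        ops.append((op_id, cls, lines))
    return ops


def render(ops, with_responder=True):
    """Emit the responder line for the target router and the source-side operations."""
    out = []
    if with_responder:
        out += ["! on the target router (IP SLA Responder)", "ip sla monitor responder", "!"]
    out.append("! on the IP SLA Source")
    for _op_id, cls, lines in ops:
        out.append(f"! class {cls}")
        out.extend(lines)
    return "\n".join(out)


# Assumed target: a responder at 10.1.1.1 listening on UDP 2020 for test packets.
CLASSES = ["EF", "CS6", "AF41", "CS4", "CS3", "AF21", "CS2", "AF11", "CS1", "BE"]

if __name__ == "__main__":
    print(render(jitter_operations("10.1.1.1", 2020, CLASSES)))
```

Each class gets its own operation id and tag, so a management application polling the RTTMON MIB sees one row per class; comparing the EF row with the BE row under load is the check the text describes, and identical results across all rows mean either no congestion on the path or a QoS policy that is not being applied somewhere along it.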
Scaling IP SLA Deployments
Processing power for IP SLA operations may be a concern when a large amount of switched traffic passes through an IP SLA source.

- Processing power for IP SLA operations is a scaling concern.
- Shadow routers can be dedicated to sourcing Cisco IOS IP SLA operations.
- In large hub-and-spoke networks the hub site has the shadow router, and the spokes respond to its IP SLA packets.
- A dedicated router offers separate memory and CPU from hardware in the switching path, easy upgrade of the Cisco IOS Software release, management and deployment flexibility, and scalability with a large number of endpoints.

In these cases, it is necessary either to reduce the sampling frequency or to use a dedicated SLA router to perform the IP SLA operations. A dedicated router (shadow router) is used when the number of operations on an IP SLA source is high, for example hundreds or thousands of measurements. A shadow router is simply a router dedicated to sourcing Cisco IOS IP SLA operations. Dedicated routers are often deployed at the hub site of large hub-and-spoke networks, where the spokes respond to IP SLA packets from the shadow router. The advantages of deploying a dedicated router include:
- Separate memory and CPU from hardware in the switching path: the dedicated router focuses on IP SLA operations.
- Easy upgrade of the Cisco IOS Software release on the dedicated router: upgrades to the shadow router do not affect production traffic.
- Management and deployment flexibility: shadow routers can be deployed at the hub site or at regional aggregation locations.
- Scalability with a large number of endpoints: a dedicated router provides the benefit of polling a central source location.
Hierarchical Monitoring with IP SLA Measurements
For large-scale enterprise IP SLA monitoring, a hierarchical strategy may be needed.

Figure: corporate headquarters measures to the regional data center aggregation routers, which in turn measure network connectivity to remote campuses, home offices, retail branches, and small offices, and server connectivity within the data center.

If the number of sites is extremely large, the number of measurements needed for connectivity to every remote site may be prohibitive even for a dedicated router. You can use dedicated routers at multiple points in the network. Another method for supporting large-scale enterprises is a series of measurements in a hierarchical design. Many dedicated routers are also used in large service provider networks for point-of-presence (POP)-to-POP measurements, or from the POP to the customer premises equipment (CPE) routers. In the hierarchical approach, regional aggregation routers are the source of IP SLA traffic for the access routers in their region, and a centralized router is the source of IP SLA traffic to the regional aggregation routers. Round-trip times along the hierarchy can be summed to give an approximate end-to-end measurement. With a hierarchical deployment, the network manager still looks for issues on individual measurements, because the reporting tools might not correlate end-to-end times, but threshold violations on single links are usually all that an operations group needs to detect problems.
Network Management Applications Using IP SLA Measurements
Cisco IOS IP SLA is supported by both Cisco applications and a wide range of vendor partners whose products report on and use IP SLA data. Cisco network management solutions include the IP Communications Service Monitor (telephony monitoring) and the CiscoWorks Internetwork Performance Monitor (enterprise performance measurements); third-party products are also available. The figure shows some of the network management products that use IP SLA measurements.

Example: CiscoWorks IPM Application
The figure shows some screens from the CiscoWorks Internetwork Performance Monitor (IPM). IPM is a network response-time and availability troubleshooting application that measures network performance using the traffic-generation technology of Cisco IOS IP SLA. CiscoWorks IPM facilitates performance measurement of differentiated services (for example, voice, video, and data) in an enterprise network. It helps the network engineer proactively monitor network response time for problems, notifies the engineer when response time degrades or a monitored link becomes unavailable, and helps pinpoint the link causing the problem. IPM lets the network manager define a collector consisting of one or many IP SLA Sources, many IP SLA Responders, and many IP SLA operations.
Network Management Application Considerations
There are several design considerations involved in selecting a network management application to use with IP SLA measurements.

- Provisioning: Does the tool provision IP SLA easily, or do you have to do it through the CLI? How much effort is involved in turning on many IP SLA measurements?
- Reporting: What does the tool support for IP SLA data collection and reports? Is it easy to set up and maintain?
- Hierarchy: Does the tool support aggregation of hierarchical measurements for a more scalable set of measurements?

Network managers should consider how the network management application supports provisioning of IP SLA operations:
- Does the network management tool provision IP SLA easily, or is manual CLI configuration needed for every IP SLA source and responder? For large deployments, manual configuration of every device should be avoided. Looking at the details is important, because some applications emphasize reporting over initial configuration.
- How much effort is involved in enabling many IP SLA measurements? Ease of use promotes use of the application.

Network managers should also consider how the application supports reporting on IP SLA operations:
- What does the application support for IP SLA data collection and reports? A variety of predefined and customizable reports help provide quick views of the results.
- Is the application easy to set up and maintain? Again, ease of use is often directly related to how often the application gets used.

Hierarchical reporting is becoming a more important consideration:
- Does the tool support aggregation of hierarchical measurements for a more scalable set of measurements? At this time, few if any products support automated aggregation of hierarchical IP SLA data.
Summary
This topic summarizes the key points discussed in this lesson.
- The embedded Cisco IOS IP SLA capability provides end-to-end performance measurements by generating traffic. Jitter, packet loss, and latency are the key measurements.
- In IP SLA deployments, measurements are performed between an IP SLA Source and a destination (an IP host or an IP SLA Responder).
- Dedicated shadow routers and hierarchical deployments help scale IP SLA.
- Network management applications from both Cisco and a wide range of vendor partners report on and use IP SLA data.
Module Summary
This topic summarizes the key points discussed in this module.

Cisco IOS Software embedded self-management tools support application optimization, performance measurement, and SLA verification:
- Syslog allows a device to report and save important error and notification messages, either locally or to a remote logging server.
- NetFlow technology answers the questions of what, when, where, and how traffic is flowing in the network.
- NBAR enables precise traffic classification to support QoS functions, while NBAR Protocol Discovery provides protocol traffic discovery and real-time statistics available through SNMP.
- The IP SLA capability provides end-to-end performance measurements, including jitter, packet loss, and latency, based on generated traffic.

This module examined the embedded Cisco IOS Software functionality that enables customers to manage their networks efficiently. It discussed the importance, requirements, and considerations for implementing the syslog, NetFlow, NBAR, and IP SLA measurement features in the overall enterprise design.

References
For additional information, refer to these resources:
- Cisco Systems, Inc. APP-1205: Cisco IOS Tools for Application Optimization. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. NMS-1204: Introduction to Network Performance Measurement with Cisco IOS IP Service Level Agent (IP SLA). Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. NMS-3011: Getting the Right Events from Network Elements. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. NMS-3043: Performance Management with Cisco IOS IP SLAs. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. NMS-3361: Advanced Accounting and Performance Management with NBAR. Networkers 2006 presentation (accessible on a subscription basis).
- Cisco Systems, Inc. Cisco IOS Software Releases 12.4 Mainline: Error and System Messages.
- Cisco Systems, Inc. Cisco IOS Software Releases 12.3T: Embedded Syslog Manager, at a8516.html
- Cisco Systems, Inc. Cisco IOS NetFlow Introduction.
- Cisco Systems, Inc. NetFlow Services Solutions Guide, at gn_guide09186a00800d6a11.html
- Cisco Systems, Inc. Introduction to Cisco IOS NetFlow - A Technical Overview, at tml
- Cisco Systems, Inc. Cisco IOS IP Service Level Agreements (SLAs) Introduction.
- Cisco Systems, Inc. Network Based Application Recognition (NBAR) Introduction.
- Cisco Systems, Inc. User Guide for Internetwork Performance Monitor 2.6 (With LMS 2.5.1), at 86a cf7.html
- Cisco Systems, Inc. T System Message Guide, at 6a00806f9890.html
- The Internet Engineering Task Force. RFC 3195: Reliable Delivery for syslog.
Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) What is a benefit of ESM? (Source: Embedded Self-Management Overview)
A) includes NetFlow, NBAR, and IP SLA software subsystems
B) includes NetFlow, Syslog, and IP SLA software subsystems
C) provides a predefined framework for filtering and correlating messages
D) supports multiple MIBs
E) supports two logging processes so output can be sent in standard and ESM format

Q2) What port does syslog use for sending messages to a syslog server? (Source: Embedded Self-Management Overview)
A) UDP 514
B) UDP 520
C) UDP 1697
D) UDP 1967
E) UDP 2020
F) It is specified in the control message.

Q3) Which of the following syslog severity codes indicates the most serious condition? (Source: Embedded Self-Management Overview)
A) 1
B) 3
C) 5
D) 7
E) 15

Q4) What are five key fields used to identify a flow in traditional NetFlow? (Choose five.) (Source: NetFlow Considerations)
A) destination IP address
B) destination MAC address
C) DLCI flag
D) ifindex
E) ifoutput
F) Layer 3 protocol type
G) source IP address
H) source MAC address
I) ToS byte

Q5) What are three characteristics of the NetFlow cache in traditional NetFlow? (Choose three.) (Source: NetFlow Considerations)
A) It maintains flow records.
B) It holds SNMP data on flows.
C) It tracks seven key attributes per flow.
D) It tracks five key attributes per flow.
E) It tracks non-key fields with flow entries.
F) It is unaffected by the introduction of QoS in the network.

2007 Cisco Systems, Inc. Network Management Capabilities with Cisco IOS Software 12-69
Q6) What are three reasons for expiring NetFlow cache entries? (Choose three.) (Source: NetFlow Considerations)
A) As the cache becomes full, a number of heuristics are applied to aggressively age groups of flows simultaneously.
B) Flows in the cache are expired and removed from the cache after the default 20-minute timer.
C) Flows that have been idle for a specified time are expired and removed from the cache.
D) TCP connections that have reached the end of the byte stream (FIN) will be expired.
E) UDP connections that have reached the end of the byte stream (FIN) will be expired.

Q7) What is the most common NetFlow export record type? (Source: NetFlow Considerations)
A) Version 1
B) Version 5
C) Version 7
D) Version 8
E) Version 9
F) Version 10

Q8) Which NetFlow export record type does Flexible NetFlow use? (Source: NetFlow Considerations)
A) Version 1
B) Version 5
C) Version 7
D) Version 8
E) Version 9
F) Version 10

Q9) What are three characteristics of the Flexible NetFlow export record? (Choose three.) (Source: NetFlow Considerations)
A) It always includes a template to describe what is being exported.
B) It can include a template to describe what is being exported.
C) It consists of a packet header followed by at least one or more template or data FlowSets.
D) Key and non-key fields that define flows can be configured.
E) Non-key fields are not included in the data FlowSet.
Q10) What are three characteristics of Flexible NetFlow? (Choose three.) (Source: NetFlow Considerations)
A) It is based on IPFIX.
B) It is the basis for IPFIX.
C) It is the most commonly used NetFlow application.
D) It can monitor a wider range of packet information than traditional NetFlow.
E) It can track multiple NetFlow applications simultaneously by using different Flow Sets.
F) It can track multiple NetFlow applications simultaneously by using different Flow Monitors.

Q11) What are four fields used to identify a flow in NBAR? (Choose four.) (Source: NBAR Considerations)
A) destination IP address
B) destination MAC address
C) ifindex
D) Layer 3 payload information
E) Layer 3 protocol type
F) source IP address
G) source MAC address
H) ToS byte

Q12) What are two characteristics of NBAR? (Choose two.) (Source: NBAR Considerations)
A) It is based on IPFIX.
B) It is the basis for IPFIX.
C) It can only monitor applications that it recognizes from a PDLM.
D) It can monitor a wider range of packet information than traditional NetFlow.
E) It is enabled with the ip nbar protocol-discovery configuration command.
F) It is enabled with the ip nbar protocol-match configuration command.

Q13) What are three true statements about AutoQoS and NBAR? (Choose three.) (Source: NBAR Considerations)
A) AutoQoS for the Enterprise has a two-phase configuration process.
B) AutoQoS VoIP has a two-phase configuration process.
C) Both Cisco IOS Software AutoQoS features can take advantage of the traffic classification functionality of NBAR.
D) Auto-Discovery collects data and evaluates traffic in the network in AutoQoS VoIP.
E) In the untrusted mode, the Auto-Discovery phase uses NBAR protocol discovery to detect and classify the applications on the network.
F) In the trusted mode, the Auto-Discovery phase uses NBAR protocol discovery to detect and classify the applications on the network.

Q14) Which two components provide the greatest accuracy with IP SLAs? (Choose two.) (Source: IP SLA Considerations)
A) IP SLA Receiver
B) IP SLA Responder
C) IP SLA Router
D) IP SLA Source
E) IP SLA Target
Q15) Which three devices can be an IP SLA probe target? (Choose three.) (Source: IP SLA Considerations)
A) any host
B) any IP host
C) a VoIP phone
D) a GSM cellular phone
E) a Cisco switch running CatOS Software

Q16) What port does IP SLA use for control messages? (Source: IP SLA Considerations)
A) UDP 514
B) UDP 520
C) UDP 1697
D) UDP 1967
E) UDP 2020
F) It is specified in the control message.

Q17) What port does IP SLA use for probe messages? (Source: IP SLA Considerations)
A) UDP 514
B) UDP 520
C) UDP 1697
D) UDP 1967
E) UDP 2020
F) It is specified in the control message.

Q18) What are two advantages of shadow routers? (Choose two.) (Source: IP SLA Considerations)
A) Allows scalability with a large number of endpoints
B) Cuts down on the frequency of the sampling interval
C) Is required with hierarchical IP SLA deployments
D) Provides separate memory and CPU from hardware in the switching path
E) Verifies performance per class when QoS is running in the network
Module Self-Check Answer Key

Q1) E
Q2) A
Q3) A
Q4) A, D, F, G, I
Q5) A, C
Q6) A, C, D
Q7) B
Q8) E
Q9) B, C, D
Q10) B, D, F
Q11) A, D, E, F
Q12) C, D
Q13) A, C, E
Q14) B, D
Q15) B, C, E
Q16) D
Q17) F
Q18) A, D
ARCH Course Glossary

The Course Glossary for the Cisco Designing Cisco Network Service Architectures (ARCH) v2.0 course highlights and defines key terms and acronyms used throughout this course. Many of these terms are also described in the Cisco Internetworking Terms and Acronyms resource.
(*,G): (all source IP addresses, group multicast address)
(S,G): (source IP address, group multicast address)
3DES: Triple Data Encryption Standard.
802.11: The IEEE standard that specifies carrier-sense MAC and physical layer specifications for 1- and 2-Mbps wireless LANs operating in the 2.4-GHz band.
802.11a: The IEEE standard that specifies carrier-sense MAC and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.
802.11b: The IEEE standard that specifies carrier-sense MAC and physical layer specifications for 5.5- and 11-Mbps wireless LANs operating in the 2.4-GHz frequency band.
802.11g: The IEEE standard that specifies carrier-sense MAC and physical layer specifications for wireless LANs operating in the 2.4-GHz frequency band.
AAA: authentication, authorization, and accounting.
ABR: area border router.
access control list: See ACL.
Access Control Server: See Cisco Secure ACS.
ACE: Application Control Engine.
ACELP: algebraic code-excited linear prediction.
ACL: access control list. Filter list used for services such as security, QoS, and routing. A list kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
adaptive differential pulse code modulation: See ADPCM.
Adaptive Security Appliance: See Cisco ASA.
Adaptive Security Device Manager: See Cisco ASDM.
Address Resolution Protocol: See ARP.
ADPCM: adaptive differential pulse code modulation.
ADSL: asymmetric digital subscriber line.
ADSL Transmission Unit-Remote: See ATU-R.
Advanced Encryption Standard: See AES.
advanced integration module: See AIM.
AES: Advanced Encryption Standard.
AIM: advanced integration module.
ALG: application level gateway.
algebraic code-excited linear prediction: See ACELP.
American National Standards Institute: See ANSI.
ANSI: American National Standards Institute.
AppleTalk Remote Access: See ARA.
Application Control Engine: See ACE.
application level gateway: See ALG.
Application Networking Services: See Cisco ANS.
Application-Oriented Networking Software: See Cisco AON.
APS: automatic protection switching.
ARA: AppleTalk Remote Access.
ARCH course: Cisco Designing Cisco Network Service Architectures course.
area border router: See ABR.
ARP: Address Resolution Protocol.
ARP inspection: Process that compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and then either forwards or drops the packets.
AS: autonomous system.
ASM: Any-Source Multicast.
ASR group: asymmetric routing group.
asymmetric digital subscriber line: See ADSL.
Asynchronous Transfer Mode: See ATM.
ATA: Advanced Technology Attachment.
ATM: Asynchronous Transfer Mode. The international standard for cell relay in which multiple service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow cell processing to occur in hardware, reducing transit delays. ATM is designed to take advantage of high-speed transmission media, such as E3, SONET, and T3.
ATU-R: ADSL Transmission Unit-Remote.
authentication, authorization, and accounting: See AAA.
automatic protection switching: See APS.
autonomous system: See AS.
AWFSS course: Cisco Aironet Wireless LAN Fundamentals and Site Survey course.
AWLAT course: Cisco Aironet Wireless LAN Advanced Topics course.

2007 Cisco Systems, Inc. Appendix A Course Glossary A-3
Basic Rate Interface: See BRI.
BBC: buffer-to-buffer credit. The number of buffer credits allowed to accumulate before the source stops sending data due to lack of acknowledgements.
B-channel: bearer channel.
BCMSN course: Cisco Building Cisco Multilayer Switched Networks course.
beacon: A wireless LAN packet that signals the availability and presence of the wireless device.
BEEP: Blocks Extensible Exchange Protocol.
BGP: Border Gateway Protocol. Interdomain routing protocol that replaces EGP. BGP exchanges reachability information with other BGP systems. It is defined by RFC.
BHT: busy hour traffic.
Bill of Materials: See BoM.
BoM: Bill of Materials.
Border Gateway Protocol: See BGP.
BPDU: bridge protocol data unit. When STP is enabled, bridges send and receive spanning-tree frames, called BPDUs, at regular intervals and use the frames to maintain a loop-free network.
BRI: Basic Rate Interface.
bridge protocol data unit: See BPDU.
BSCI course: Cisco Building Scalable Cisco Internetworks course.
BSR: bootstrap router.
BSS: Basic Service Set.
busy hour traffic: See BHT.
cable modem termination system: See CMTS.
cable television: See CATV.
CAC: call admission control.
call admission control: See CAC.
Call Detail Record: See CDR.
CAR: committed access rate. A traffic policing and marking mechanism. The CAR and DCAR services limit the input or output transmission rate on an interface or subinterface based on a flexible set of criteria.
CATV: cable television.
CBAC: context-based access control.
CBC: Cipher Block Chaining.
C-BSR: candidate BSR.
CBWFQ: class-based weighted fair queuing.
CCKM: Cisco Centralized Key Management.
CCS: centum call seconds.
CDR: Call Detail Record.
cell: The area of radio range or coverage in which the wireless devices can communicate with the base station. The size of the cell depends on the speed of the transmission, the type of antenna used, and the physical environment, as well as other factors.
CELP: code-excited linear prediction.
central office: See CO.
centum call seconds: See CCS.
CFIS: Common Information File System.
Challenge Handshake Authentication Protocol: See CHAP.
channel service unit: See CSU.
CHAP: Challenge Handshake Authentication Protocol.
CIDR: classless interdomain routing.
Cipher Block Chaining: See CBC.
CIR: committed information rate. The rate at which a Frame Relay network agrees to transfer information under normal conditions, averaged over a minimum increment of time. CIR, measured in bits per second, is one of the key negotiated tariff metrics.
Cisco ANS: Cisco Application Networking Services.
Cisco AON: Cisco Application-Oriented Networking Software.
Cisco ASA: Cisco Adaptive Security Appliance.
Cisco ASDM: Cisco Adaptive Security Device Manager.
Cisco Catalyst 6500 Series FWSM: Cisco Catalyst 6500 Series Firewall Services Module.
Cisco Catalyst 6500 Series IDS Services Module: See IDSM.
Cisco Centralized Key Management: Using Cisco Centralized Key Management, authenticated client devices can roam from one access point to another without any perceptible delay during re-association. An access point on your network acts as a subnet context manager and creates a cache of security credentials for client devices on the subnet enabled with Cisco Centralized Key Management. The subnet context manager's cache of credentials dramatically reduces the time required for re-association when a client device enabled with this technology roams to a new access point.
Cisco Discovery Protocol: CDP is a Layer 2 protocol supported on all Cisco routers, bridges, access servers, and switches that allows network management applications to discover Cisco devices that are neighbors of already known devices.
Cisco Express Forwarding: An advanced Layer 3 IP switching technology. Cisco Express Forwarding optimizes network performance and scalability for networks with large and dynamic traffic patterns. VRF tables use Cisco Express Forwarding technology; therefore, MPLS VPNs must be enabled to use Cisco Express Forwarding.
Cisco IBNS: Cisco Identity-Based Networking Services.
Cisco IDM: Cisco IPS Device Manager.
Cisco IOS Software: Cisco operating system software that runs on routers and switches. Cisco system software that provides common functionality, scalability, and security for all products under the CiscoFusion architecture. Cisco IOS Software allows centralized, integrated, and automated installation and management of internetworks while ensuring support for a wide variety of protocols, media, services, and platforms.
Cisco Key Integrity Protocol: The Cisco WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group.
Cisco NAM: Cisco Network Analysis Module.
Cisco Router and Security Device Manager: See Cisco SDM.
Cisco SDM: Cisco Router and Security Device Manager.
Cisco Secure ACS: Cisco Secure Access Control Server.
Cisco Security Agent: Software that provides threat protection for server and desktop computing systems, also known as endpoints.
Cisco Security MARS: Cisco Security Monitoring, Analysis, and Response System.
Cisco Service-Oriented Network Architecture: See SONA.
Cisco Unified Contact Center: Software that delivers intelligent contact routing, call treatment, network-to-desktop computer telephony integration (CTI), and multichannel contact management over an IP infrastructure.
Cisco WAAS: Cisco Wide-Area Application Services. Service that gives remote offices LAN-like access to centrally hosted applications, servers, storage, and multimedia.
Cisco WAE: Cisco Wide-Area Application Engine. Products that provide global LAN-like access to enterprise applications and data.
Cisco WCS: Cisco Wireless Control System.
Cisco WiSM: Cisco Catalyst 6500 Series Wireless Services Module.
CiscoWorks RME: CiscoWorks Resource Manager Essentials.
CiscoWorks WLSE: CiscoWorks Wireless LAN Solution Engine.
class of service: See CoS.
class-based weighted fair queuing: See CBWFQ.
classless interdomain routing: See CIDR.
CLI: command-line interface.
CLNP: Connectionless Network Protocol.
CMIP: Common Management Information Protocol.
CMTS: cable modem termination system.
CO: central office.
codec: coder-decoder.
code-excited linear prediction: See CELP.
command-line interface: See CLI.
committed access rate: See CAR.
committed information rate: See CIR.
Common Management Information Protocol: See CMIP.
Common Spanning-Tree protocol: See CST.
compressed Real-Time Transport Protocol: See cRTP.
congestion: Traffic in excess of network capacity.
congestion avoidance: Mechanism by which a network controls the traffic entering the network to minimize delays. To use resources most efficiently, lower-priority traffic is discarded at the edge of the network if conditions indicate that it cannot be delivered.
conjugate structure algebraic code-excited linear prediction: See CS-ACELP.
Connectionless Network Protocol: See CLNP.
context-based access control: See CBAC.
control plane: The software that manages all operational aspects of a router or switch except the per-packet analysis and forwarding through the device. These operations can include updating routing tables and managing interfaces.
control plane policing: See CoPP.
CoPP: control plane policing. CoPP increases security on infrastructure devices by protecting the CPU from unnecessary or DoS attack traffic and giving priority to important control plane and management traffic. CoPP can be used to protect most of the CPU-bound traffic and ensure routing stability, reachability, and packet delivery.
CoS: class of service. The methods that provide differentiated service, in which the network delivers a particular kind of service based on the CoS specified for each packet. CoS provides specific categories of service such as gold, silver, and best-effort service classes. CoS is a set of concrete device features in which a single network router treats traffic in different classes differently. CoS techniques provide a means of specifying policies to control network resource allocation in support of customer and application requirements. The implementation of CoS techniques delivers measurable QoS.
CPE: customer premises equipment.
CQ: custom queuing.
CRC: cyclic redundancy check.
C-RP: candidate RP.
cRTP: compressed Real-Time Transport Protocol.
CS-ACELP: conjugate structure algebraic code-excited linear prediction.
CSM: Content Switching Module.
CSNAT: client source NAT.
CSS: Content Services Switch.
CST: Common Spanning-Tree protocol.
CST: Common Spanning Tree.
CSU: channel service unit.
CSVPN course: Cisco Secure Virtual Private Networks course.
custom queuing: See CQ.
customer premises equipment: See CPE.
CUWN course: Cisco Unified Wireless Networking course.
CVF course: Cisco Voice over IP Fundamentals course.
CVOICE course: Cisco Voice over IP course.
CWDM: coarse wavelength-division multiplexing. A technology that increases the information-carrying capacity of existing fiber optic infrastructure by transmitting and receiving data on different light wavelengths on a single strand of fiber.
CWLAT course: Cisco Wireless LAN Advanced Topics course.
CWLF course: Cisco Wireless LAN Fundamentals course.
CWMN course: Cisco Wireless Mesh Networking course.
cyclic redundancy check: See CRC.
DAS: directly attached storage. A topology where the storage devices connect directly to the server.
Data Encryption Standard: See DES.
data plane: Services and settings related to the data passing through a router or switch (as opposed to that directed to it). The data plane is for forwarding all traffic not in the control or management planes.
Data Security Standard: See DSS.
data service unit: See DSU.
data-link connection identifier: See DLCI.
Data-over-Cable Service Interface Specifications: See DOCSIS.
dB: decibel.
dBm: power ratio in decibels (dB) of the measured power referenced to one milliwatt.
DCAR: distributed committed access rate.
DCF: Distributed Coordination Function.
D-channel: data channel.
DDoS: distributed denial of service.
DDR: dial-on-demand routing.
demilitarized zone: See DMZ.
denial of service: See DoS.
dense wavelength-division multiplexing: See DWDM.
DES: Data Encryption Standard.
DHCHAP: DHCHAP is an authentication protocol that authenticates the devices connecting to a switch. Fibre Channel authentication allows only trusted devices to be added to a fabric, thus preventing unauthorized devices from accessing the switch.
DHCP: Dynamic Host Configuration Protocol. A protocol available with many operating systems that automatically issues IP addresses within a specified range to devices on the network. The device retains the assigned address for a specific administrator-defined period.
DHCP snooping: A security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall.
dial-on-demand routing: See DDR.
DID: Direct Inward Dialing.
differentiated services code point: See DSCP.
DiffServ: differentiated services.
Diffusing Update Algorithm: See DUAL.
Digital Private Network Signaling System: See DPNSS.
digital signal processor: See DSP.
digital subscriber line: See DSL.
Direct Inward Dialing: See DID.
distributed denial of service: See DDoS.
distributed weighted random early detection: See DWRED.
DLCI: data-link connection identifier. Value that specifies a PVC or an SVC in a Frame Relay network. In the basic Frame Relay specification, DLCIs are locally significant (connected devices might use different values to specify the same connection). In the LMI extended specification, DLCIs are globally significant (DLCIs specify individual end devices).
DMVPN: Dynamic Multipoint VPN.
DMZ: demilitarized zone. A secured network zone between the private (inside) network and a public (outside) network.
DNS: Domain Name System. A server that translates text names into IP addresses. The server maintains a database of host alphanumeric names and their corresponding IP addresses.
DOCSIS: Data-over-Cable Service Interface Specifications.
Domain Name System: See DNS.
DoS: denial of service.
DPNSS: Digital Private Network Signaling System.
DPT: Dynamic Packet Transfer. An RPR technology designed for SPs to deliver scalable Internet service, reliable IP-aware optical transport, and simplified network operations, principally for metropolitan area applications. DPT is based on Spatial Reuse Protocol (SRP), a Cisco-developed MAC-layer protocol for ring-based packet internetworking.
DR: designated router. The router in a PIM-SM tree that instigates the Join/Prune message cascade upstream to the rendezvous point in response to IGMP membership information it receives from IGMP hosts.
DSCP: differentiated services code point. In the IP header, the DSCP octet classifies the packet service level. The DSCP maps to a particular observable forwarding behavior called a per-hop behavior. The DSCP replaces the ToS octet in the IPv4 header, and the Class octet in the IPv6 header. Currently, only the first six bits are used, allowing up to 64 classifications for service levels. The DSCP is unstructured, but it does reserve some values to maintain limited backward compatibility with the IP precedence bits in the ToS octet.
DSL: digital subscriber line.
DSL access multiplexer: See DSLAM.
DSLAM: DSL access multiplexer.
DSP: digital signal processor.
DSS: Data Security Standard.
DSSS: Direct Sequence Spread Spectrum.
DSTM: Dual Stack Transition Mechanism.
DSU: data service unit.
DTMF: dual tone multifrequency.
DTP: Dynamic Trunking Protocol.
DTPC: Dynamic Transmit Power Control.
DUAL: Diffusing Update Algorithm.
Dual Stack Transition Mechanism: See DSTM.
dual tone multifrequency: See DTMF.
DVMRP: Distance Vector Multicast Routing Protocol.
DVTI: Dynamic VTI.
DWDM: dense wavelength-division multiplexing. A technology that increases the information-carrying capacity of existing fiber optic infrastructure by transmitting and receiving data on different light wavelengths on a single strand of fiber.
DWRED: distributed weighted random early detection.
Dynamic Host Configuration Protocol: See DHCP.
Dynamic Trunking Protocol: See DTP.
E&M: ear and mouth (or receive and transmit).
E1: A European transmission circuit of 32 channels running at 64 kbps sampled at 8000 times per second for Mbps.
E3: A European transmission circuit of 512 channels running at 64 kbps sampled at 8000 times per second (or 16 E1s) running at Mbps.
EAP: Extensible Authentication Protocol. An optional IEEE 802.1X security feature ideal for organizations with a large user base and access to an EAP-enabled RADIUS server.
EAP-FAST: EAP-Flexible Authentication via Secure Tunneling.
EAP-Flexible Authentication via Secure Tunneling: See EAP-FAST.
ear and mouth (or receive and transmit): See E&M.
EBGP: External BGP. EBGP communicates among different network domains or autonomous systems. The primary function of EBGP is to exchange network reachability information between autonomous systems, including information about the list of autonomous system routes. The autonomous systems use EBGP border edge routers to distribute the routes, which include label-switching information. Each border edge router rewrites the next-hop and MPLS labels.
EDCA: Enhanced Distributed Channel Access.
EDFA: Erbium Doped Fiber Amplifier. A form of fiber optical amplification that transmits a light signal through a section of erbium-doped fiber and amplifies the signal with a laser pump diode. EDFA is used in transmitter booster amplifiers, in-line repeating amplifiers, and in receiver preamplifiers.
EGP: Exterior Gateway Protocol.
EIGRP: Enhanced Interior Gateway Routing Protocol.
EIRP: Effective Isotropic Radiated Power. EIRP is the combination of radio transmit power, antenna cable loss, and antenna gain. For example, if the 100 mW transmit power of the radio equals 20 dBm, the loss of a 100-foot cable is 6 dB, and the gain of an antenna is 3 dBi, the result is an EIRP of 17 dBm.
EISL: Enhanced ISL. Frame format used by MDS 9000 to support trunking of VSANs.
E-LAN: Ethernet LAN. Multipoint Ethernet service defined by the MEF.
E-LINE: Ethernet Line. Point-to-point Ethernet service defined by the MEF.
EMS: Ethernet Multipoint Service. A multipoint-to-multipoint port-based E-LAN service that is used for transparent LAN applications.
Encapsulated Security Protocol: See ESP.
Enhanced Interior Gateway Routing Protocol: See EIGRP.
enterprise resource planning: See ERP.
EOT: Enhanced Object Tracking.
EPL: Ethernet Private Line. A port-based point-to-point E-Line service that maps Layer 2 traffic directly onto a TDM circuit.
ERMS: Ethernet Relay Multipoint Service. A multipoint-to-multipoint VLAN-based E-LAN service that is used primarily for establishing a multipoint-to-multipoint connection between customer routers.
ERP: enterprise resource planning.
ERS: Ethernet Relay Service. A point-to-point VLAN-based E-Line service that is used primarily for establishing a point-to-point connection between customer routers.
ESM: Embedded Syslog Manager. A feature that provides a programmable framework that allows a network manager to filter, escalate, correlate, route, and customize system logging messages prior to delivery.
ESP: Encapsulated Security Protocol.
EtherIP: Ethernet-in-IP.
EVC: Ethernet Virtual Circuit.
EWS: Ethernet Wire Service. A point-to-point port-based E-Line service that is used primarily to connect geographically remote LANs over an SP network.
Extensible Authentication Protocol: See EAP.
Exterior Gateway Protocol: See EGP.
External BGP: See EBGP.
failover group: A logical group of one or more security contexts.
fault, configuration, accounting, performance, and security management: See FCAPS.
FCAPS: fault, configuration, accounting, performance, and security management. ISO network management model defining five functional areas of network management.
FCIP: Fibre Channel over IP. FCIP is used primarily for SAN extension across a wide area network.
FCP: Fibre Channel Protocol.
FE: Sometimes used as an acronym for Fast Ethernet.
FHR: first-hop router. Router closest to the multicast source.
FHRP: first hop redundancy protocol.
fiber connection: See FICON.
Fibre Channel: A serial data transfer architecture with a very high level of scalability and bandwidth that supports the extension of SCSI technologies.
FICON: fiber connection.
FIFO: first in, first out.
File Transfer Protocol: See FTP.
FIN: TCP end-of-byte-stream flag.
Firewall Services Module: See Cisco Catalyst 6500 Series FWSM.
first in, first out: See FIFO.
fixed-length subnet mask: See FLSM.
FLSM: fixed-length subnet mask.
FM: frequency modulation.
Foreign Exchange Office: See FXO.
Foreign Exchange Station: See FXS.
FQDN: fully qualified domain name.
Frame Relay: Industry-standard, switched, data-link layer protocol that handles multiple virtual circuits using HDLC encapsulation between connected devices. Frame Relay is more efficient than X.25, the protocol for which it generally is considered a replacement.
Frame Relay traffic shaping: See FRTS.
frequency modulation: See FM.
FRTS: Frame Relay traffic shaping. Queuing method that uses queues on a Frame Relay network to limit surges that can cause congestion. Data is buffered and sent into the network in regulated amounts to ensure that the traffic can fit within the promised traffic envelope for the particular connection.
FTP: File Transfer Protocol.
fully qualified domain name: See FQDN.
FXO: Foreign Exchange Office.
FXS: Foreign Exchange Station.
Gateway Load Balancing Protocol: See GLBP.
GBIC: gigabit interface converter. A swappable transceiver that converts serial electrical signals to serial optical signals, and optical signals to electrical signals.
GDOI: Group Domain of Interpretation.
GE: Sometimes used as an acronym for Gigabit Ethernet.
General Packet Radio Service: See GPRS.
generic routing encapsulation: See GRE.
generic traffic shaping: Provides a mechanism to control the traffic flow on a particular interface. It reduces outbound traffic flow to avoid congestion by constraining specified traffic to a particular bit rate (also known as the token bucket approach), while queuing bursts of the specified traffic. Thus, traffic adhering to a particular profile can be shaped to meet downstream requirements, eliminating bottlenecks in topologies with data-rate mismatches.
generic traffic shaping: See GTS.
GET VPN: Group Encrypted Transport VPN.
gigabit interface converter: See GBIC.
GLBP: Gateway Load Balancing Protocol.
Global Positioning Systems: See GPS.
Global System for Mobile Communications: See GSM.
GPRS: General Packet Radio Service.
GPS: Global Positioning System.
graphical user interface: See GUI.
GRE: generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks across a single-protocol backbone, GRE tunneling allows network expansion over that backbone.
GSLB: Global Server Load Balancing.
GSM: Global System for Mobile Communications.
GSS: Cisco Global Site Selector.
GTS: generic traffic shaping.
GUI: graphical user interface.
GWGK course: Cisco Implementing Cisco Voice Gateways and Gatekeepers course.
Hash-Based Message Authentication Code with Message Digest 5: See HMAC-MD5.
Hash-Based Message Authentication Code with Secure Hash Algorithm: See HMAC-SHA.
HBA: host bus adapter.
HDLC: High-Level Data Link Control.
Health Insurance Portability and Accountability Act: See HIPAA.
High-Level Data Link Control: See HDLC.
high-speed WAN interface card: See HWIC.
HIPAA: Health Insurance Portability and Accountability Act.
HIPS: host-based intrusion prevention system.
HMAC-MD5: Hash-Based Message Authentication Code with Message Digest 5.
HMAC-SHA: Hash-Based Message Authentication Code with Secure Hash Algorithm.
host-based intrusion prevention system: See HIPS.
Hot Standby Router Protocol: See HSRP.
H-REAP: Hybrid Remote Edge Access Point.
HSRP: Hot Standby Router Protocol.
HWIC: high-speed WAN interface card.
Hybrid Remote Edge Access Point: See H-REAP.
IANA: Internet Assigned Numbers Authority.
IBGP: Internal BGP. IBGP communicates internally within an autonomous system. The primary function of IBGP is to exchange BGP information between multiple BGP routers within an autonomous system. Routers communicating with IBGP must be connected in a full mesh to prevent loops, or you can use route reflectors or confederations.
IDE: Integrated Drive Electronics.
Identity-Based Networking Services: See Cisco IBNS.
IDS: intrusion detection system.
IDSM: Cisco Catalyst 6500 Series IDS Services Module.
IETF: Internet Engineering Task Force. Task force that consists of more than 80 working groups responsible for developing Internet standards. The IETF operates under the auspices of the Internet Society.
IGMP: Internet Group Management Protocol. IGMP is the protocol used by IPv4 systems to report their IP multicast group memberships to neighboring multicast routers.
IGMP Query: IGMP messages originating from the router(s) to elicit multicast group membership information from connected hosts.
IGMP Report: IGMP messages originating from the hosts that are joining, maintaining, or leaving their membership in a multicast group.
IGMP Snooping: Snooping requires the LAN switch to examine, or "snoop," some Layer 3 information in the IGMP packet sent from the host to the router. When the switch hears an IGMP Report from a host for a particular multicast group, the switch adds the host's port number to the associated multicast table entry. When it hears an IGMP Leave Group message from a host, it removes the host's port from the table entry.
IGP: Interior Gateway Protocol.
IIS: Microsoft Internet Information Server.
IKE: Internet Key Exchange.
InfiniBand: InfiniBand is an architecture specification to offload data movement from the CPU to dedicated hardware to address the problem of server performance with respect to I/O. InfiniBand is a high-performance switched fabric communications link primarily including QoS and failover, and it is designed to be scalable. It defines a connection between processor nodes and high-performance I/O nodes such as storage devices.
in-service software upgrade: See ISSU.
Integrated Services Digital Network: See ISDN.
integrated services router: See ISR.
interactive voice response: See IVR.
Interior Gateway Protocol: See IGP.
Intermediate System-to-Intermediate System routing protocol: See IS-IS.
intermix: A common Fibre Channel transport network and I/O infrastructure used by mixed systems implementing FICON and Fibre Channel using Fibre Channel Protocol (FCP).
Internal BGP: See IBGP.
International Telecommunication Union: See ITU.
Internet Assigned Numbers Authority: See IANA.
Internet Engineering Task Force: See IETF.
Internet Group Management Protocol: See IGMP.
Internet Key Exchange: See IKE.
Internet Protocol: See IP.
Internet service provider: See ISP.
Internetwork Packet Exchange: See IPX.
intrusion detection system: See IDS.
intrusion prevention system: See IPS.
IntServ: Integrated Services.
IP: Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, ToS specification, fragmentation and reassembly, and security. Defined in RFC 791.
IP precedence: A 3-bit value in the ToS byte that is used for assigning precedence to IP packets.
IP Security: See IPsec.
IPIX: IP Information Export.
IPS: intrusion prevention system.
IPS course: Cisco Implementing Cisco Intrusion Prevention System course.
IPS Device Manager: See Cisco IDM.
IPsec: IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication among participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IPTD course: Cisco IP Telephony Design course.
IPTT course: Cisco IP Telephony Troubleshooting course.
IPX: Internetwork Packet Exchange.
iSCSI: SCSI over IP or Internet SCSI. iSCSI is a protocol used to carry SCSI commands, responses, and data over an IP network.
ISCW course: Cisco Implementing Secure Converged Wide Area Networks course.
ISDN: Integrated Services Digital Network.
IS-IS: Intermediate System-to-Intermediate System routing protocol.
ISL: Inter-Switch Link. Interconnection between switches.
iSLB: iSCSI Server Load Balancing. Feature in Cisco MDS 9000 SAN-OS Software Release 3.0 that provides consolidation of Gigabit Ethernet ports and further simplifies configuration.
ISP: Internet service provider. Provider of Internet access and services through a single BGP autonomous system.
ISR: integrated services router.
ISSU: in-service software upgrade.
ITU: International Telecommunication Union.
IVR: interactive voice response.
IVR: Inter-VSAN routing. Allows a resource on any individual VSAN to be shared by users of a different VSAN without merging the fabrics. IVR is also known as fabric routing.
JBOD: Just a Bunch of Disks.
L2F: Layer 2 Forwarding Protocol. Protocol that supports the creation of secure VPDNs over the Internet.
L2TP: Layer 2 Tunneling Protocol. Protocol that is used for implementing VPDNs and VPNs by tunneling PPP with multivendor interoperability and acceptance. This protocol was proposed as an alternative to IPsec but is often used with IPsec for authentication. This protocol merges the Microsoft PPTP and Cisco L2F technologies.
label: A header that is used by a label switch router to forward packets. The header format depends on network characteristics. In router networks, the label is a separate, 32-bit header. In ATM networks, the label is placed into the VCI/VPI cell header. In the core, LSRs read only the label, not the packet header. One key to the scalability of MPLS is that labels have only local significance between two devices that are communicating.
Label Distribution Protocol: See LDP.
label imposition: The act of putting the first label on a packet.
label information base: See LIB.
label switch router: See LSR.
label-switched path: See LSP.
LAG: link aggregation.
LAN: local area network. High-speed, low-error data network that covers a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data-link layers of the OSI model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
Layer 2 Forwarding Protocol: See L2F.
Layer 2 Tunneling Protocol: See L2TP.
LBS: location-based services.
LCP: link control protocol.
LD-CELP: Low-delay code-excited linear prediction.
LDP: Label Distribution Protocol. Provides communication between edge and core devices. It assigns labels in edge and core devices to establish LSPs in conjunction with routing protocols such as OSPF, IS-IS, EIGRP, or BGP.
LEAP: Lightweight Extensible Authentication Protocol.
LED: light-emitting diode.
LFI: link fragmentation and interleaving.
LH Ethernet: long haul Ethernet. Ethernet supported over a single-mode fiber up to 100 km.
LHR: last-hop router. Router closest to the multicast packet destination.
Li-ion: Lithium ion.
LIB: label information base. A database that is used by an LSR to store labels that are learned from other LSRs, as well as labels that are assigned by the local LSR.
light-emitting diode: See LED.
Lightweight Access Point Protocol: See LWAPP.
Lightweight Extensible Authentication Protocol: See LEAP.
link aggregation: See LAG.
link control protocol: See LCP.
link fragmentation and interleaving: See LFI.
link-state advertisement: See LSA.
LLQ: low latency queuing.
LMI: Local Management Interface.
local area network: See LAN.
Local Management Interface: See LMI.
location-based services: See LBS.
Long-Reach Ethernet: See LRE.
low latency queuing: See LLQ.
Low-delay code-excited linear prediction: See LD-CELP.
LRE: Long-Reach Ethernet.
LSA: link-state advertisement.
LSP: label-switched path. A sequence of hops (R0 ... Rn) in which a packet travels from R0 to Rn through label-switching mechanisms. An LSP can be established dynamically, based on normal routing mechanisms, or it can be established through configuration.
LSR: label switch router. The core device that switches labeled packets according to precomputed switching tables. It can also be a switch or a router.
LWAPP: Lightweight Access Point Protocol.
MAC: Media Access Control. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device such as an access point or a client adapter.
MADCAP: Multicast Address Dynamic Client Allocation Protocol.
MAN: metropolitan-area network.
Management Center for Cisco Security Agents: Core management software that provides a central means of defining and distributing policies, providing software updates, and maintaining communications to the agents.
Management Information Base: See MIB.
management plane: Services, settings, and data streams related to setting up and examining the static configuration of a router or switch and the authentication and authorization of administrators and operators.
MAP: mesh access point.
MBGP: Multiprotocol Border Gateway Protocol.
MBSA: Microsoft Baseline Security Analyzer.
MC: multipoint controller.
MCU: multipoint control unit.
mean opinion score: See MOS.
MED: multi-exit discriminator.
Media Access Control: See MAC.
Media Gateway Control Protocol: See MGCP.
MEF: Metro Ethernet Forum.
mesh access point: See MAP.
message integrity check: See MIC.
message waiting indication: See MWI.
metropolitan-area network: See MAN.
MGCP: Media Gateway Control Protocol.
MIB: Management Information Base. Database of network management information that is used and maintained by a network management protocol, such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a GUI NMS. MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.
MIC: message integrity check.
Microsoft Baseline Security Analyzer: See MBSA.
Microsoft Challenge Handshake Authentication Protocol: See MS-CHAP.
Microsoft Internet Information Server: See IIS.
MIME: Multipurpose Internet Mail Extension.
Modular QoS CLI: See MQC.
MOH: music on hold.
Monitoring, Analysis, and Response System: See Cisco Security MARS.
MOS: mean opinion score.
MP: multipoint processor.
MP-BGP: multiprotocol BGP.
MPLS: Multiprotocol Label Switching. Switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on pre-established IP routing information.
MPLS VPN: The MPLS VPN solution is a set of provider edge routers that are connected via a common backbone network to supply private IP interconnectivity between two or more customer sites for a given customer.
MQC: Modular QoS CLI. A CLI structure that allows users to create traffic policies and attach these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. A traffic class is used to classify traffic, while the QoS features in the traffic policy determine how the classified traffic is treated.
MRTG: Multi Router Traffic Grapher.
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol.
MSDP: Multicast Source Discovery Protocol. A mechanism to connect multiple PIM-SM domains. MSDP allows multicast sources for a group to be known to all rendezvous points in different domains. Each PIM-SM domain uses its own rendezvous points and does not need to depend on them in other domains. A rendezvous point runs MSDP over TCP to discover multicast sources in other domains. MSDP is also used to announce sources sending to a group. These announcements must originate at the domain's rendezvous point. MSDP depends heavily on MP-BGP for interdomain operation.
MSFC: Multilayer Switched Feature Card. The card in the Cisco Catalyst 6500 Series switch or the Cisco 7600 Series router that provides the multilayer functions, including routing.
MST: Multiple Spanning Tree.
MTBF: Mean Time Between Failures. MTBF is a measure of how often failures occur. MTBF can be used to project how often failures are expected.
MTTR: Mean Time to Repair. MTTR is a measure of how long it takes to repair failures.
MTTY: mean time to repair.
Multi Router Traffic Grapher: See MRTG.
multipoint control unit: See MCU.
multipoint controller: See MC.
multipoint processor: See MP.
Multiprotocol Label Switching: See MPLS.
music on hold: See MOH.
MWI: message waiting indication.
NAA: Cisco NAC Appliance Agent.
NAC: Network Admission Control.
NAM: Cisco NAC Appliance Manager.
NANP: North American Numbering Plan.
NAP: network access provider.
NAS: network access server.
NAS: network attached storage. A topology where the storage devices connect to the network.
NAS: Cisco NAC Appliance Server.
NAT: Network Address Translation.
NBA: network bus adapter.
NBAR: Network-Based Application Recognition. NBAR is an embedded Cisco IOS software capability that enables precise traffic classification.
NBMA: nonbroadcast multiaccess.
NCP: Network Control Protocol.
NDE: NetFlow Data Export.
NDS: Novell Directory Service.
NEBS: Network Equipment Building System.
network access provider: See NAP.
network access server: See NAS.
Network Address Translation: See NAT.
Network Admission Control: See NAC.
Network Analysis Module: See Cisco NAM.
Network Control Protocol: See NCP.
Network Equipment Building System: See NEBS.
network interface card: See NIC.
network management system: See NMS.
Network Mapper: See NMAP.
network service provider: See NSP.
Network-Based Application Recognition: See NBAR.
network-based intrusion detection system: See NIDS.
NHRP: Next Hop Routing Protocol.
NIC: network interface card.
NIDS: network-based intrusion detection system.
NMAP: Network Mapper.
NM-CIDS: Order code for the Cisco IDS Network Module.
NM-NAM: Order code for the Cisco NAM.
NMS: network management system.
NOC: network operations center.
nonbroadcast multiaccess: See NBMA.
nonstop forwarding: See NSF.
North American Numbering Plan: See NANP.
not-so-stubby area: See NSSA.
Novell Directory Service: See NDS.
NPA: numbering plan area.
N-PE: network-provider edge.
NSF: nonstop forwarding.
NSP: network service provider.
NSSA: not-so-stubby area.
numbering plan area: See NPA.
OADM: optical add/drop multiplexer.
OC: optical carrier.
OER: Optimized Edge Routing.
omnidirectional: Typically refers to a primarily circular antenna radiation pattern.
one-time password: See OTP.
ONT course: Cisco Optimizing Converged Cisco Networks course.
Open Shortest Path First: See OSPF.
Open Systems Interconnection: See OSI.
optical carrier: See OC.
OSA: Open Systems Adapters.
OSI: Open Systems Interconnection.
OSPF: Open Shortest Path First.
OTAP: over-the-air provisioning.
OTP: one-time password.
overlay VPN: A VPN model in which the service provider provides virtual circuits between customer sites as a replacement for dedicated point-to-point links.
over-the-air provisioning: See OTAP.
PAC: Protected Access Credentials.
packet: Logical grouping of information that includes a header containing control information and (usually) user data. Packets most often are used to refer to network layer units of data. The terms datagram, frame, message, and segment also are used to describe logical information groupings at various layers of the OSI reference model and in various technology circles.
packet over SONET: See POS.
packet voice DSP module: See PVDM.
packets per second: See PPS.
PAgP: Port Aggregation Protocol.
Pairwise Master Key: See PMK.
PAM: pulse amplitude modulation.
PAP: Password Authentication Protocol.
Password Authentication Protocol: See PAP.
PAT: Port Address Translation.
payload: Portion of a cell, frame, or packet that contains upper-layer information (data).
Payment Card Industry: See PCI.
PBR: policy-based routing. Routing scheme that forwards packets to specific interfaces based on user-configured policies. Such policies might specify that traffic sent from a particular network should be forwarded out one interface, while all other traffic should be forwarded out another interface.
PBX: private branch exchange.
PCI: Payment Card Industry. The PCI DSS was developed to ensure safe handling of sensitive payment information, such as storage and transfer of credit card information. PCI is the umbrella program for other programs, such as the Visa Cardholder Information Security Program (CISP) and the MasterCard Site Data Protection (SDP) Program.
PCM: pulse code modulation.
PDLM: Packet Description Language Modules.
PEAP: Protected Extensible Authentication Protocol.
PEAP-Generic Token Card: See PEAP-GTC.
PEAP-GTC: PEAP-Generic Token Card.
peer-to-peer VPN: A VPN model in which the service provider actively participates in customer routing.
PER: packet error ratio.
Per VLAN Spanning Tree Plus protocol: See PVST+.
Perceptual Speech Quality Measurement: See PSQM.
permanent virtual circuit: See PVC.
PGM: Pragmatic General Multicast. PGM is a reliable multicast transport protocol for applications that require ordered, duplicate-free, multicast data delivery from multiple sources to multiple receivers. PGM guarantees that a receiver in a multicast group either receives all data packets from transmissions and retransmissions, or can detect unrecoverable data packet loss. PGM is intended as a solution for multicast applications with basic reliability requirements.
PIM: Protocol Independent Multicast. Multicast routing architecture that allows the addition of IP multicast routing on existing IP networks. PIM is independent of unicast routing protocols and can be operated in two modes: dense and sparse.
PIM-SM: PIM sparse mode. Form of PIM that delivers multicast traffic only to network segments with active receivers that have explicitly requested the data.
PKC: Proactive Key Caching.
PKI: public key infrastructure.
plain old telephone service: See POTS.
PMK: Pairwise Master Key. For EAP-TLS authentication, the PMK is the key from the RADIUS MS-MPPE-Recv-Key attribute. For pre-shared key authentication, the PMK is the preshared key.
PoE: Power over Ethernet.
point of presence: See POP.
Point-to-Point Protocol: See PPP.
Point-to-Point Tunneling Protocol: See PPTP.
policy-based routing: See PBR.
pop: MPLS action, removing a label.
POP: point of presence. Service POPs groom traffic from the customer network, perform edge packet switching when IP services are enabled, and perform backbone switching when POPs are interconnected. Service POPs are also hubs of high-value Internet services such as web content, DNS servers to ISPs, VPN services, and other applications deployed on a range of flexible, scalable, high-performance IP routers.
Port Address Translation: See PAT.
Port Aggregation Protocol: See PAgP.
POS: packet over SONET.
POTS: plain old telephone service.
Power over Ethernet: See PoE.
PPDIOO: prepare, plan, design, implement, operate, optimize.
PPP: Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. SLIP was designed to work with IP, but PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.
PPS: packets per second.
PPTP: Point-to-Point Tunneling Protocol. RFC 2637 describes PPTP.
PQ: priority queuing.
prepare, plan, design, implement, operate, optimize: See PPDIOO.
PRI: Primary Rate Interface.
Primary Rate Interface: See PRI.
priority queuing: See PQ.
private branch exchange: See PBX.
Proactive Key Caching: See PKC.
Protected Access Credentials: See PAC.
Protected Extensible Authentication Protocol: See PEAP.
Protocol Independent Multicast: See PIM.
PSQM: Perceptual Speech Quality Measurement.
PSTN: public switched telephone network.
public key infrastructure: See PKI.
public switched telephone network: See PSTN.
pulse amplitude modulation: See PAM.
pulse code modulation: See PCM.
push: MPLS action imposing or inserting a label.
PVC: permanent virtual circuit (or connection, in ATM terminology). Virtual circuit that is permanently established. PVCs save bandwidth that is associated with circuit establishment and teardown in situations where certain virtual circuits must exist all the time.
PVDM: packet voice DSP module.
PVST+: Per VLAN Spanning Tree Plus protocol.
PW: pseudo-wire. A logical point-to-point connection between pairs of PE routers used to emulate services like Ethernet over an underlying core MPLS network through encapsulation into a common MPLS format.
Q Signaling: See QSIG.
QBSS: QoS Basic Service Set.
QoS: quality of service. The goal of QoS is to provide better and more predictable network service by providing dedicated bandwidth, controlled jitter and latency, and improved loss characteristics. QoS achieves these goals by providing tools for managing network congestion, shaping network traffic, using expensive wide-area links more efficiently, and setting traffic policies across the network.
QOS course: Cisco Implementing Cisco Quality of Service course.
QoS Policy Propagation on BGP: See QPPB.
QPPB: QoS Policy Propagation on BGP.
QSIG: Q Signaling.
quality of service: See QoS.
rack unit: See RU.
radio frequency: See RF.
Radio Resource Management: See RRM.
RAID: Redundant Array of Independent Disks. A technology whereby disk drives are combined and configured to provide increased performance and fault tolerance.
random early detection: See RED.
RAP: rooftop access point.
Rapid Per VLAN Spanning Tree Plus protocol: See RPVST+.
Rapid Spanning Tree Protocol: See RSTP.
RAS: registration, admission, and status.
RC4: Rivest Cipher 4.
RDP: Router Discovery Protocol.
Real-Time Transport Protocol: See RTP.
REAP: Remote Edge Access Point.
received signal strength indication: See RSSI.
RED: random early detection. This class of algorithms is designed to reduce congestion in networks before it becomes a problem. RED works by monitoring traffic load at points in the network and randomly discarding packets if the congestion begins to increase. The result of the drop is that the source detects the dropped traffic and slows its transmission. RED is designed to work primarily with TCP in IP internetwork environments.
registration, admission, and status: See RAS.
Remote Edge Access Point: See REAP.
Remote Monitoring protocol: See RMON.
Resilient Packet Ring: See RPR.
Resource Manager Essentials: See CiscoWorks RME.
Resource Reservation Protocol: See RSVP.
return on investment: See ROI.
RF: radio frequency. A generic term for radio-based technology.
RHI: route health injection. Allows a CSM in a Cisco Catalyst to install a host route in the MSFC if the virtual server is in the Operational state. The CSM and the MSFC must share a client-side VLAN.
Rivest Cipher 4: See RC4.
RMON: Remote Monitoring protocol.
roaming: A feature of some access points that allows users to move through a facility while maintaining an unbroken connection to the enterprise network.
ROI: return on investment.
rooftop access point: See RAP.
round-trip time: See RTT.
Router Discovery Protocol: See RDP.
RP: rendezvous point. The multicast router that is the root of the PIM-SM shared multicast distribution tree.
RPF: Reverse Path Forwarding.
RPR: Resilient Packet Ring.
RPVST+: Rapid Per VLAN Spanning Tree Plus protocol.
RRI: reverse route injection. The ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
RRM: Radio Resource Management.
RSSI: received signal strength indication.
RST: TCP reset flag.
RSTP: Rapid Spanning Tree Protocol.
RSVP: Resource Reservation Protocol. Protocol that supports the reservation of resources across an IP network. Applications running on IP end systems can use RSVP to indicate to other nodes the nature (bandwidth, jitter, maximum burst, and so on) of the packet streams that they want to receive. RSVP depends on IPv6. Also known as Resource Reservation Setup Protocol.
RTCP: RTP Control Protocol.
RTP: Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide end-to-end network transport functions for applications that transmit real-time data, such as audio, video, or simulation data, over multicast or unicast network services. RTP provides such services as payload type identification, sequence numbering, time stamping, and delivery monitoring to real-time applications.
RTP Control Protocol: See RTCP.
RTSP: Real-Time Streaming Protocol.
RTT: round-trip time.
RU: rack unit.
SAA: Service Assurance Agent.
SAINT: Security Administrator's Integrated Network Tool.
SAN: storage area networking or storage area network.
SAN fabric: The hardware that connects workstations and servers to storage devices in a SAN.
SAN island: A completely physically isolated switch or group of switches used to connect hosts to storage devices.
Sarbanes-Oxley Act of 2002: See SOX.
SCCP: Skinny Client Control Protocol.
SCP: Secure Copy Protocol. SCP is a means of securely transferring computer files between a local and a remote host or between two remote hosts, using the SSH protocol.
SCSI: Small Computer System Interface.
SCSI initiator: A SCSI initiator is typically the storage device in a SAN system.
SCSI target: A SCSI target is typically the storage device in a SAN system.
SDF: signature definition file.
SDH: Synchronous Digital Hierarchy. A European standard for digital optical links.
Secure Copy Protocol: See SCP.
Secure Real-Time Transport Protocol: See SRTP.
Secure Shell protocol: See SSH.
Secure Socket Layer protocol: See SSL.
Security Administrator's Integrated Network Tool: See SAINT.
Serial Line Internet Protocol: See SLIP.
Service Assurance Agent: See SAA.
service class: Collection of service types that are required for a specific service that is being offered. Each service class includes the attributes and values that define the type of QoS that is associated with a given class. For example, data connectivity is a service class that you might define that includes the service type data bandwidth.
service level agreement: See SLA.
service multiplexing: Ability to support multiple instances of services or EVCs on a single customer UNI.
service set identifier: See SSID.
service-oriented architecture: See SOA.
session initiation protocol: See SIP.
SFP: small form-factor pluggable. A compact optical transceiver used in optical communications. SFP was designed after the GBIC interface, and allows greater port density (number of transceivers per inch along the edge of a motherboard) than the GBIC.
SFTP: SSH FTP.
Shortest Path First: See SPF.
signature definition file: See SDF.
Simple Mail Transfer Protocol: See SMTP.
Simple Network Management Protocol: See SNMP.
SIP: session initiation protocol.
Skinny Client Control Protocol: See SCCP.
SLA: service level agreement. Negotiated contracts between service providers and their subscribers. An SLA defines the criteria for the specific services that the subscriber expects the provider to deliver. The SLA is the only binding mechanism that the subscriber has to ensure that the service provider delivers the services as agreed.
SLB: Server Load Balancer.
SLIP: Serial Line Internet Protocol.
small form-factor pluggable: See SFP.
small office, home office: See SOHO.
SMDS: Switched Multimegabit Digital Service. SMDS is a fast packet-switching service offered by telephone companies that enables organizations to connect geographically separate LANs into a single WAN. SMDS provides packet-switched bandwidth, on demand, in increments up to 34 Mb.
SMTP: Simple Mail Transfer Protocol.
SNA: Systems Network Architecture.
SNAP: Subnetwork Access Protocol.
SND course: Cisco Securing Cisco Network Devices course.
SNMP: Simple Network Management Protocol.
SNPA course: Cisco Securing Networks with PIX and ASA course.
SNR: signal-to-noise ratio.
SNRD: Cisco Securing Networks with Cisco Routers and Switches course.
SOA: service-oriented architecture.
SOHO: small office, home office.
Solutions Reference Network Design: See SRND.
SONA: Cisco Service-Oriented Network Architecture. A Cisco architectural framework that guides the evolution of enterprise networks to a more intelligent infrastructure.
SONET: Synchronous Optical Network. North American high-speed baseband digital transport standard specifying incrementally increasing data stream rates for movement across digital optical links.
source routing: Routing based on the traffic source that overrides the Interior Gateway Protocol (IGP)-created routing table in each of the intermediate routers. Source routing requires the host to create the IP packets requesting source routing and is not an available tool for TE.
SOX: Sarbanes-Oxley Act. A U.S. federal law that establishes new or enhanced auditing and financial standards for all U.S. public company boards, management, and public accounting firms. The act contains 11 sections, ranging from additional corporate board responsibilities to criminal penalties, and it requires the U.S. Securities and Exchange Commission to implement rulings on requirements to comply with the law.
Spanning Tree Protocol: See STP.
SPF: Shortest Path First.
SPR: Spatial Reuse Protocol. A Cisco-developed MAC-layer protocol for ring-based packet internetworking.
SPT: shortest path tree. Also known as source tree. A multicast distribution path that directly connects the source's and receivers' designated routers (or the rendezvous point) to obtain the shortest path through the network. It results in the most efficient routing of data between source and receivers, but may cause unnecessary data duplication throughout the network if built by anyone other than the rendezvous point.
SRND: Solutions Reference Network Design.
SRST: Survivable Remote Site Telephony.
SRTP: Secure Real-Time Transport Protocol.
SSH: Secure Shell protocol. SSH provides a secure replacement for the suite of Berkeley r-tools such as rsh, rlogin, and rcp. (Cisco IOS Software supports rlogin.) The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. SSH protocol version 1 has known weaknesses; use version 2 only (on Cisco IOS, ip ssh version 2).
SSH FTP: See SFTP.
SSID: service set identifier (also referred to as radio network name). A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point. The SSID can be any alphanumeric entry up to a maximum of 32 characters. Because the SSID is broadcast or easily sniffed, it is a network name, not an access control.
SSL: Secure Sockets Layer protocol. The main role of SSL is to provide security for web traffic: confidentiality, message integrity, and authentication. SSL achieves these through cryptography, digital signatures, and certificates. All SSL versions are now deprecated (SSLv3 by RFC 7568); its successor, TLS, provides the same functions. See TLS.
SSM: Source Specific Multicast.
SSO: stateful switchover. With redundant supervisor engines, SSO establishes one of the supervisor engines as active while the other is designated as standby, and then synchronizes state between them. A switchover from the active to the redundant supervisor engine occurs when the active supervisor engine fails, is removed from the switch, or is manually shut down for maintenance. This type of switchover ensures that Layer 2 traffic is not interrupted.
stateful switchover: See SSO.
storage area networking: See SAN.
STP: Spanning Tree Protocol.
Subnetwork Access Protocol: See SNAP.
Survivable Remote Site Telephony: See SRST.
SVC: switched virtual circuit. SVCs are established on demand through a call setup request from the customer edge device.
SVTI: static virtual tunnel interface (static VTI).
Switched Multimegabit Data Service: See SMDS.
switched virtual circuit: See SVC.
Synchronous Digital Hierarchy: See SDH.
Synchronous Optical Network: See SONET.
syslog: system log; system message logging.
Systems Network Architecture: See SNA.
T1: A North American or Japanese transmission circuit of 24 channels, each running at 64 kbps (sampled 8000 times per second), for 1.544 Mbps.
T3: A North American or Japanese transmission circuit of 672 channels, each running at 64 kbps (the equivalent of 28 T1s), running at 44.736 Mbps.
TCO: total cost of ownership.
TCP: Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
TOE: TCP Offload Engine.
TDM: time-division multiplexing.
TDMA: time-division multiple access.
TE: traffic engineering. The techniques and processes that are used to cause routed traffic to travel through a network on a path other than the one that would have been chosen if standard routing methods had been used.
Temporal Key Integrity Protocol: See TKIP.
Time to Live: See TTL.
time-division multiple access: See TDMA.
time-division multiplexing: See TDM.
TKIP: Temporal Key Integrity Protocol.
TLS: Transport Layer Security protocol.
TLV: type, length, value.
TopN: The Switch TopN Reports utility allows network administrators to collect and analyze data for each physical port on a switch.
ToS: type of service. A byte in the IPv4 header. Its upper six bits now carry the Differentiated Services Code Point (DSCP) and its lower two bits the Explicit Congestion Notification (ECN) field.
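The source routing, TTL, and ToS entries above name fields that a screening router inspects on every packet. As an added example that is not part of the ARCH course, the following Python parses an IPv4 header, splits the ToS byte into DSCP and ECN, walks the options field, and flags packets that carry a loose (LSRR) or strict (SSRR) source route option, which is the detection half of the "drop source-routed packets" policy. The addresses come from the RFC 5737 documentation ranges and the packets are constructed for the example; `build_ipv4` and `lsrr_option` exist only to create that test input.

```python
"""Added example: parse an IPv4 header and flag source-routed packets.

Not from the ARCH course. Sample packets are constructed below from
RFC 5737 documentation addresses.
"""
import struct
from ipaddress import IPv4Address

# IPv4 option type codes from RFC 791 (copied flag + class + number).
OPT_EOL = 0       # end of option list
OPT_NOP = 1       # no operation (padding)
OPT_LSRR = 131    # loose source and record route
OPT_SSRR = 137    # strict source and record route
SOURCE_ROUTE_OPTIONS = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the fields a screening device cares about: TTL, ToS split into
    DSCP/ECN, protocol, addresses, and every option present as (type, data)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, 20..60
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options = []
    opts = pkt[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        options.append((kind, opts[i + 2:i + length]))
        i += length
    return {
        "ttl": ttl,
        "dscp": tos >> 2,          # upper six bits of the ToS byte
        "ecn": tos & 0x03,         # lower two bits
        "protocol": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": options,
    }


def source_route_hops(hdr: dict):
    """Return (option name, [hop addresses]) if the packet requests source
    routing, else None. A border router would drop such a packet."""
    for kind, data in hdr["options"]:
        if kind in SOURCE_ROUTE_OPTIONS:
            # data = one pointer byte followed by 4-byte route entries
            hops = [str(IPv4Address(data[j:j + 4]))
                    for j in range(1, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
    return None


def build_ipv4(src: str, dst: str, ttl: int = 64, tos: int = 0,
               proto: int = 17, options: bytes = b"") -> bytes:
    """Constructed test input: header with checksum left at zero."""
    while len(options) % 4:
        options += bytes([OPT_EOL])
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, 20 + len(options),
                      0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + options


def lsrr_option(hops: list) -> bytes:
    """LSRR option: type, length, pointer (4 = first entry), hop addresses."""
    route = b"".join(IPv4Address(h).packed for h in hops)
    return bytes([OPT_LSRR, 3 + len(route), 4]) + route
```

The parser keeps option bodies opaque except for the two source-route types, which is all a drop-or-alert decision needs; anything else in the options field is unusual enough on a modern network to be worth logging on its own.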
total cost of ownership: See TCO.
TPC: Transmit Power Control.
traffic engineering: See TE.
Transmission Control Protocol: See TCP.
Transport Layer Security protocol: See TLS.
TSpec: traffic specification.
TTL: Time to Live. A field in the IP header that each router decrements; a packet whose TTL reaches zero is discarded, which bounds the lifetime of looping packets.
TTLS: Tunneled Transport Layer Security protocol.
tunnel: A communication path between two peers, such as two routers, in which packets are encapsulated inside another protocol. A tunnel is not secure by itself: plain GRE or IP-in-IP carries the inner packets in the clear, and only a tunnel protected with IPsec (or another cryptographic protocol) provides confidentiality and integrity.
Tunneled Transport Layer Security protocol: See TTLS.
tunneling: Architecture that provides the services that are necessary to implement any standard point-to-point data encapsulation scheme.
type of service: See ToS.
type, length, value: See TLV.
U-APSD: Unscheduled Automatic Power Save Delivery.
UA: user agent.
UAC: user agent client.
UAS: user agent server.
uBR: universal broadband router.
UDP: User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768. Because there is no handshake, UDP source addresses are trivially spoofed, which is why UDP services are the usual vehicle for reflection and amplification attacks.
UMTS: Universal Mobile Telecommunications Service.
UNI: user network interface.
Unicast Reverse Path Forwarding: See uRPF.
universal broadband router: See uBR.
Universal Mobile Telecommunications Service: See UMTS.
U-PE: user-provider edge.
uRPF: Unicast Reverse Path Forwarding. A router feature that checks a packet's source address against the routing table and drops packets whose source would not be reached through the ingress interface (strict mode) or has no route at all (loose mode). It is the standard anti-spoofing control for ingress filtering (RFC 3704).
user agent: See UA.
user agent client: See UAC.
user agent server: See UAS.
User Datagram Protocol: See UDP.
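The uRPF entry above describes the check in one sentence; the difference between strict and loose mode is easier to see on a concrete forwarding table. The following Python is an added example, not from the ARCH course or Cisco IOS, that implements both modes over a small constructed FIB (RFC 5737 documentation prefixes, invented interface names Gi0/0 to Gi0/2, and a blackholed prefix on Null0). The `allow_default` parameter mirrors the IOS keyword of the same name on ip verify unicast source reachable-via.

```python
"""Added example (not from the ARCH course): strict and loose uRPF checks
against a small forwarding table built from RFC 5737 documentation prefixes.
The FIB, interface names and sample packets are constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> egress interface. Longest prefix wins.
FIB = {
    ip_network("0.0.0.0/0"): "Gi0/0",        # default route toward the ISP
    ip_network("192.0.2.0/24"): "Gi0/1",     # customer LAN
    ip_network("198.51.100.0/24"): "Gi0/2",  # DMZ
    ip_network("203.0.113.0/24"): "Null0",   # blackholed prefix
}


def lookup(addr):
    """Longest-prefix match. Returns (prefix, interface) or None."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict(src, ingress, allow_default=False):
    """Strict mode: the best route back to the source must point out the
    ingress interface. A Null0 route fails; a default route only counts with
    allow_default (Cisco IOS: ip verify unicast source reachable-via rx
    allow-default)."""
    hit = lookup(src)
    if hit is None:
        return False
    prefix, iface = hit
    if iface == "Null0":
        return False
    if prefix.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def urpf_loose(src, allow_default=False):
    """Loose mode: any non-null route to the source, on any interface, is
    enough (reachable-via any). It stops bogon sources but not spoofing of
    addresses that are routable somewhere."""
    hit = lookup(src)
    if hit is None:
        return False
    prefix, iface = hit
    if iface == "Null0":
        return False
    return prefix.prefixlen > 0 or allow_default


def screen(packets, mode="strict"):
    """packets: iterable of (src, ingress). Returns the packets that the
    chosen mode would drop."""
    dropped = []
    for src, ingress in packets:
        ok = urpf_strict(src, ingress) if mode == "strict" else urpf_loose(src)
        if not ok:
            dropped.append((src, ingress))
    return dropped


# Constructed sample: a legitimate LAN packet, a packet arriving from the ISP
# side with a spoofed LAN source, and a bogon from the blackholed range.
SAMPLE = [
    ("192.0.2.55", "Gi0/1"),
    ("192.0.2.55", "Gi0/0"),
    ("203.0.113.9", "Gi0/0"),
]
```

Loose mode lets the spoofed-LAN-source packet through because 192.0.2.0/24 is routable somewhere; only strict mode, which ties the source to the ingress interface, catches it. That is why strict mode belongs on customer-facing and single-homed edges and loose mode is reserved for asymmetric, multihomed links where strict mode would drop legitimate traffic.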
VACL: VLAN ACL.
VAD: voice activity detection.
variable-length subnet mask: See VLSM.
video on demand: See VoD.
VIP: virtual IP address.
virtual circuit: Logical circuit created to ensure reliable communication between two network devices. A virtual circuit is defined by a VPI/VCI pair and can be either a PVC or an SVC. Virtual circuits are used in Frame Relay and X.25. In ATM, a virtual circuit is called a virtual channel. Sometimes abbreviated VC.
virtual fabric trunking: Enables interconnect ports to transmit and receive frames in more than one VSAN over the same physical link.
virtual LAN: See VLAN.
virtual path: A collection of virtual circuits with a common VPI.
virtual path identifier/virtual circuit identifier: See VPI/VCI.
virtual private dial-up network: See VPDN.
virtual private network: See VPN.
Virtual Private Network version 4: See VPNv4.
Virtual Router Redundancy Protocol: See VRRP.
virtual routing and forwarding: See VRF.
VLAN: virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. A VLAN is a Layer 2 segmentation boundary, not a security boundary on its own; traffic between VLANs is controlled wherever it is routed, or within a VLAN by a VACL.
VLH Ethernet: very long haul Ethernet.
VLSM: variable-length subnet mask.
VoD: video on demand.
voice activity detection: See VAD.
Voice over IP: See VoIP.
voice over WLAN: See VoWLAN.
VoIP: Voice over IP. The ability to carry normal telephony-style voice over an IP-based internet with POTS-like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (for example, telephone calls and faxes) over an IP network. In VoIP, the DSP segments the voice signal into frames, which are then coupled in groups of two and stored in voice packets. These voice packets are transported using IP in compliance with ITU-T specification H.323.
VoWLAN: voice over WLAN.
VPDN: virtual private dial-up network.
VPI/VCI: virtual path identifier/virtual circuit identifier. The VPI is an 8-bit field in the header of an ATM cell. The VCI is a 16-bit field in the header of an ATM cell. The VCI, together with the VPI, is used to identify the next destination of a cell as it passes through a series of ATM switches on its way to its destination.
VPLS: Virtual Private LAN Services. A class of VPN that supports the connection of multiple sites in a single bridged domain over a managed IP/MPLS network.
VPN: virtual private network. Enables traffic to travel over a shared or public network as if it were on a private one, by tunneling it from one network to another. The protection a VPN gives depends on the technology: IPsec and SSL/TLS VPNs encrypt and authenticate the traffic at the IP or session level, whereas MPLS-based VPNs such as VPNv4 and VPLS only keep customers' traffic separate and carry it in the clear unless encryption is added on top.
VRF: virtual routing and forwarding.
VRRP: Virtual Router Redundancy Protocol.
VSAN: virtual storage area network. A VSAN is a logical SAN that provides isolation among devices that are physically connected to the same fabric.
VTI: virtual tunnel interface.
WAN: wide area network. Data communications network that serves users across a broad geographic area and often uses transmission devices that are provided by common carriers. Frame Relay, SMDS, and X.25 are examples of WANs.
weighted fair queuing: See WFQ.
weighted random early detection: See WRED.
WEP: Wired Equivalent Privacy. A simple mechanism defined within the IEEE 802.11 standard, designed to make the link privacy of wireless devices equal to that of a cable. WEP encrypts with RC4 keyed by a static key and a 24-bit initialization vector; the IV space is exhausted quickly on a busy network and the key can be recovered from captured traffic, so WEP is not secure enough for any network, enterprise or otherwise. See WPA.
WFQ: weighted fair queuing. Congestion-management algorithm that identifies conversations (in the form of traffic streams), separates packets that belong to each conversation, and ensures that capacity is shared fairly among these individual conversations. WFQ is an automatic way of stabilizing network behavior during congestion and results in increased performance and reduced retransmission.
wide area network: See WAN.
Wide-Area Application Engine: See Cisco WAE.
Wide-Area Application Services: See Cisco WAAS.
Wi-Fi Protected Access: See WPA.
Wired Equivalent Privacy: See WEP.
Wireless Control System: See Cisco WCS.
wireless LAN: See WLAN.
Wireless LAN Solution Engine: See CiscoWorks WLSE.
Wireless Services Module: See Cisco WiSM.
WLAN: wireless LAN. A LAN that is used to provide network connectivity over radio waves.
WLAN controller: See WLC.
WLC: WLAN controller.
WMM: Wi-Fi Multimedia.
WPA: Wi-Fi Protected Access. A security solution from the Wireless Ethernet Compatibility Alliance (now the Wi-Fi Alliance). WPA was an interim subset of the IEEE 802.11i standard, released before 802.11i was ratified. It replaces WEP's static keying with TKIP, a per-packet key mixing and message integrity layer built on the same RC4 hardware, and it supports 802.1X and EAP for simple integration with existing authentication systems. WPA key management uses a combination of encryption methods to protect communication between client devices and the access point. TKIP has since been deprecated as well; WPA2 (the full 802.11i with AES-CCMP) or WPA3 should be used today.
WRED: weighted random early detection.
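The WEP and WPA entries above state that WEP's 24-bit IV is what breaks it and that WPA's TKIP exists to fix per-packet keying. The following Python is an added example, not from the ARCH course, that shows the failure concretely: a textbook RC4 seeded the way WEP seeds it (IV || key), two frames that happen to share an IV, and the resulting keystream cancellation that lets an attacker read one frame from the other without the key. The key, IV and plaintexts are constructed; the real frame also carries a CRC-32 ICV, omitted here. The last function generalizes the point with the birthday bound for an IV space of any size.

```python
"""Added example (not from the ARCH course): why WEP's 24-bit IV breaks it.

rc4_keystream is the textbook RC4 algorithm. WEP seeds RC4 with IV || key,
so two frames under the same key and IV share a keystream. The key, IV and
plaintexts used with it are constructed for this example.
"""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS          # 16,777,216 possible IVs per key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Key-scheduling algorithm, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, sent in the clear) || RC4(IV||key) XOR plaintext."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """With an IV collision, XOR of the two ciphertexts cancels the keystream
    and leaves plaintext_a XOR plaintext_b; no key needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; keystreams differ")
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def recover_plaintext(frame_known: bytes, known_pt: bytes, frame_target: bytes) -> bytes:
    """Known plaintext under one IV (for example a predictable ARP or DHCP
    header) reveals the other frame's plaintext under the same IV."""
    mixed = xor_of_plaintexts(frame_known, frame_target)
    return bytes(m ^ k for m, k in zip(mixed, known_pt))


def frames_until_collision(probability: float = 0.5, iv_space: int = IV_SPACE) -> int:
    """Birthday bound: number of random IVs after which a repeat has the given
    probability. For 24 bits this is a few thousand frames, i.e. seconds on a
    busy access point, before the first keystream reuse."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")
    known = b"KNOWN-HEADER-0123456789"
    secret = b"SECRET-PAYLOAD-ABCDEFGH"
    f1, f2 = wep_encrypt(key, iv, known), wep_encrypt(key, iv, secret)
    print(recover_plaintext(f1, known, f2))
    print(frames_until_collision())
```

TKIP's per-packet key mixing and 48-bit sequence counter remove the collision, but it still drives RC4, which is why the WPA entry points at WPA2's AES-CCMP as the actual fix rather than TKIP.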
NX-OS and Cisco Nexus Switching
NX-OS and Cisco Nexus Switching Next-Generation Data Center Architectures Kevin Corbin, CCIE No. 11577 Ron Fuller, CCIE No. 5851 David Jansen, CCIE No. 5952 Cisco Press 800 East 96th Street Indianapolis,
RESILIENT NETWORK DESIGN
Matěj Grégr RESILIENT NETWORK DESIGN 1/36 2011 Brno University of Technology, Faculty of Information Technology, Matěj Grégr, [email protected] Campus Best Practices - Resilient network design Campus
Managed Services: Taking Advantage of Managed Services in the High-End Enterprise
Managed Services: Taking Advantage of Managed Services in the High-End Enterprise What You Will Learn This document explores the challenges and solutions for high-end enterprises using managed services.
Fundamentals of Windows Server 2008 Network and Applications Infrastructure
Fundamentals of Windows Server 2008 Network and Applications Infrastructure MOC6420 About this Course This five-day instructor-led course introduces students to network and applications infrastructure
Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1
Smart Tips Enabling WAN Load Balancing Overview Many small businesses today use broadband links such as DSL or Cable, favoring them over the traditional link such as T1/E1 or leased lines because of the
VMware vcloud Networking and Security Overview
VMware vcloud Networking and Security Overview Networks and Security for Virtualized Compute Environments WHITE PAPER Overview Organizations worldwide have gained significant efficiency and flexibility
High Availability Solutions & Technology for NetScreen s Security Systems
High Availability Solutions & Technology for NetScreen s Security Systems Features and Benefits A White Paper By NetScreen Technologies Inc. http://www.netscreen.com INTRODUCTION...3 RESILIENCE...3 SCALABLE
Security Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
SNRS. Securing Networks with Cisco Routers and Switches. Length 5 days. Format Lecture/lab
Length 5 days Format Lecture/lab Version 3.0 SNRS Course Description SNRS 1.0 is a 5-day, lab-intensive course that provides the knowledge and skills needed to secure Cisco IOS router and switch networks.
CCT vs. CCENT Skill Set Comparison
Operation of IP Data Networks Recognize the purpose and functions of various network devices such as Routers, Switches, Bridges and Hubs Select the components required to meet a given network specification
Cisco Certified Network Expert (CCNE)
529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Network Expert (CCNE) Program Summary This instructor- led program with a combination
Designing for Cisco Internetwork Solutions
Designing for Cisco Internetwork Solutions Course DESGN v2.1; 5 Days, Instructor-led Course Description: Designing for Cisco Internetwork Solutions (DESGN) v2.1 is an instructor-led course presented by
ASM Educational Center (ASM) Est. 1992
Cisco CCNP Routing and Switching Certification Course outline ROUTE v2.0 - Implementing Cisco IP Routing Module 1: Basic Network and Routing Concepts Lesson 1: Differentiating Routing Protocols Lesson
