CCDA 640-864 Official Cert Guide
Anthony Bruno, CCIE No. 2738
Steve Jordan, CCIE No. 11293
Cisco Press
800 East 96th Street
Indianapolis, IN 46240
CCDA 640-864 Official Cert Guide
Anthony Bruno, CCIE No. 2738
Steve Jordan, CCIE No. 11293
Copyright © 2011 Pearson Education, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.
First Printing May 2011
Library of Congress Cataloging-in-Publication data is on file.
ISBN-10: 1-58714-257-0
ISBN-13: 978-1-58714-257-4
Warning and Disclaimer
This book is designed to provide information about the CCDA exam. Every effort has been made to make
this book as complete and accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have
neither liability nor responsibility to any person or entity with respect to any loss or damages arising from
the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of
members of the professional technical community.
Reader feedback is a natural continuation of this process. If you have any comments on how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at [email protected]. Please be sure to include the book title and ISBN in your
message.
We greatly appreciate your assistance.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 [email protected]
For sales outside of the U.S., please contact:
International Sales 1-317-581-3793 [email protected]
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use
of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Publisher: Paul Boger
Manager, Global Certification: Erik Ullanderson
Associate Publisher: David Dusthimer
Business Operation Manager, Cisco Press: Anand Sundaram
Executive Editor: Brett Bartow
Technical Editors: David Morgan and Farai Tafa
Managing Editor: Sandra Schroeder
Copy Editor: Keith Cline
Development Editor: Andrew Cupp
Book Designer: Gary Adair
Senior Project Editor: Tonya Simpson
Publishing Coordinator: Vanessa Evans
Cover Designer: Sandra Schroeder
Composition: Mark Shirar
Indexer: Cheryl Lenser
About the Authors
Anthony Bruno, CCIE No. 2738, is a senior principal consultant with BT with more than
20 years of experience in the internetworking field. Previously, he worked for International
Network Services, Lucent Technologies, and as a captain in the U.S. Air Force. His other
network certifications include CCDP, CCVP, CCSP, Cisco Data Center Network
Infrastructure Specialist, Cisco Security Solutions & Design Specialist, JNCIS-ER,
Project+, ITILv3 Foundation, and CWNA. He has consulted for many enterprise and service provider customers in the design, implementation, and optimization of large-scale data
and IP telephony networks. Anthony leads architecture and design teams in building next-generation networks for his customers. He completed his Master of Science in Electrical
Engineering at the University of Missouri–Rolla in 1994 and his Bachelor of Science in
Electrical Engineering at the University of Puerto Rico–Mayaguez in 1990. He is also a
part-time instructor for the University of Phoenix–Online, teaching networking courses.
Steve Jordan, CCIE No. 11293, is a senior consultant with Extropy with more than 15
years of experience in the internetworking field. Previously, he worked for General
Datatech in Houston, Texas. His other certifications include VMware VCP4 and Cisco
DC specializations in Network Infrastructure, Storage, and Unified Computing Design.
He specializes in data center architecture involving network, storage, compute, and virtualization technologies. He has extensive experience with large-scale data center environments and has designed and implemented network solutions in the financial, energy,
retail, manufacturing, and telecommunications industries.
Steve was also the coauthor for the previous edition of the CCDA Exam Certification
Guide, Third Edition.
About the Technical Reviewers
David Morgan is a senior technical consultant, technical trainer, and UC Practice Lead
for General Datatech, a Cisco Gold Partner in Dallas, Texas. He has designed, deployed,
and supported hundreds of communications systems, with enterprise implementations
supporting as many as 120,000+ phones and 2000+ remote sites. He has more than 12
years of general networking experience. He also has experience supporting LAN, WAN,
security, and voice technologies and Microsoft server technology, and IBM AS/400 systems. David lives in Arlington, Texas with his wife, Trisha, and two sons.
Farai Tafa, CCIE No. 14811, is a senior consultant with British Telecom with ten years
of experience in the internetworking field. He holds CCIE certifications in the Routing
and Switching and Service Provider tracks. His other certifications include the CCVP,
JNCIA, JNCIS, and ITILv3 Foundation certifications. Prior to British Telecom, Farai had
the privilege of working for industry powerhouses such as Google, Inc. and Cisco
Systems, Inc. Farai has ten years of experience in the design, implementation, and support
of enterprise and service provider routing and switching solutions, and Enterprise Cisco
IP Telephony and Unified Wireless solutions.
Dedications
This book is dedicated to my wife, Yvonne Bruno, Ph.D., and to our daughters, Joanne
and Dianne. Thanks for all of your support during the development of this book. Joanne,
hopefully this book will help me pay for your computer engineering classes at Texas
A&M!
—Anthony Bruno
This book is dedicated to my wife of 17 years, Dorin, and my three sons, Blake, Lance,
and Miles, for their support during the development of this book. For Blake, Lance, and
Miles, we can now play many more games! I also want to dedicate this book to both of
my grandmothers, Frances Cross and Anna C. Smith, who recently passed. I miss you
both very much!
—Steve Jordan
Acknowledgments
This book would not have been possible without the efforts of many dedicated people.
Thanks to Andrew Cupp, development editor, for his guidance and special attention to
detail. Thanks to Tonya Simpson, senior project editor, for her accuracy. Thanks to Brett
Bartow, executive editor, for his vision. Thanks to all other Cisco Press team members
who worked behind the scenes to make this a better book.
A special thanks to my coauthor, Steve Jordan, for contributing five chapters. And a special
thanks to the technical reviewers, David Morgan and Farai Tafa. Their technical advice
and careful attention to detail made this book accurate.
—Anthony Bruno
This book would not be possible without all the great people who have assisted me. I
would first like to thank Anthony Bruno for inviting me to assist him in this endeavor
once more. Thanks to Brett Bartow, executive editor, for his guidance and support during
the book development. Thanks again to Andrew Cupp, development editor, for supporting my schedule delays and keeping me on track.
Special thanks goes to the technical reviewers of this book, David Morgan and Farai Tafa,
who provided wisdom and helped with keeping the book accurate.
Finally, thanks to all the managers and marketing people at Cisco Press who make all
these books possible.
—Steve Jordan
Contents at a Glance
Introduction xxxi
Part I General Network Design 3
Chapter 1 Network Design Methodology 5
Chapter 2 Network Structure Models 37
Part II LAN and WAN Design 77
Chapter 3 Enterprise LAN Design 79
Chapter 4 Data Center Design 121
Chapter 5 Wireless LAN Design 153
Chapter 6 WAN Technologies 199
Chapter 7 WAN Design 227
Part III The Internet Protocol and Routing Protocols 263
Chapter 8 Internet Protocol Version 4 265
Chapter 9 Internet Protocol Version 6 305
Chapter 10 Routing Protocol Characteristics, RIP, and EIGRP 345
Chapter 11 OSPF, BGP, Route Manipulation, and IP Multicast 387
Part IV Security, Convergence, Network Management 443
Chapter 12 Managing Security 445
Chapter 13 Security Solutions 481
Chapter 14 Voice and Video Design 515
Chapter 15 Network Management Protocols 575
Part V Comprehensive Scenarios and Final Prep 597
Chapter 16 Comprehensive Scenarios 599
Chapter 17 Final Preparation 613
Part VI Appendixes 621
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Questions 623
Appendix B CCDA Exam Updates: Version 1.0 657
Appendix C OSI Model, TCP/IP Architecture, and Numeric Conversion 661
Glossary 677
Index 690
Elements Available on the CD
Appendix D Memory Tables
Appendix E Memory Tables Answer Key
ix
Contents
Introduction xxxi

Part I General Network Design 3

Chapter 1 Network Design Methodology 5
  “Do I Know This Already?” Quiz
  Foundation Topics
    Cisco Architectures for the Enterprise
      Borderless Networks Architecture
      Collaboration Architecture
      Data Center/Virtualization Architecture
    Prepare, Plan, Design, Implement, Operate, and Optimize Phases
      Prepare Phase
      Plan Phase
      Design Phase
      Implement Phase
      Operate Phase
      Optimize Phase
      Summary of PPDIOO Phases
    Design Methodology Under PPDIOO
      Identifying Customer Design Requirements
      Characterizing the Existing Network
        Steps in Gathering Information
        Network Audit Tools
        Network Analysis Tools
        Network Checklist
      Designing the Network Topology and Solutions
        Top-Down Approach
        Pilot and Prototype Tests
        Design Document
  References and Recommended Reading
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 2 Network Structure Models 37
  “Do I Know This Already?” Quiz
  Foundation Topics
    Hierarchical Network Models
      Benefits of the Hierarchical Model
      Hierarchical Network Design
        Core Layer
        Distribution Layer
        Access Layer
      Hierarchical Model Examples
    Cisco Enterprise Architecture Model
      Enterprise Campus Module
      Enterprise Edge Area
        E-Commerce Module
        Internet Connectivity Module
        VPN/Remote Access
        Enterprise WAN
      Service Provider Edge Module
      Remote Modules
        Enterprise Branch Module
        Enterprise Data Center Module
        Enterprise Teleworker Module
    Borderless Network Services
      High Availability Network Services
        Workstation-to-Router Redundancy and LAN High Availability Protocols
          ARP
          Explicit Configuration
          RDP
          RIP
          HSRP
          VRRP
          GLBP
        Server Redundancy
        Route Redundancy
          Load Balancing
          Increasing Availability
        Link Media Redundancy
  References and Recommended Reading
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Part II LAN and WAN Design 77

Chapter 3 Enterprise LAN Design 79
  “Do I Know This Already?” Quiz
  Foundation Topics
    LAN Media
      Ethernet Design Rules
        100-Mbps Fast Ethernet Design Rules
        Gigabit Ethernet Design Rules
          1000BASE-LX Long-Wavelength Gigabit Ethernet
          1000BASE-SX Short-Wavelength Gigabit Ethernet
          1000BASE-CX Gigabit Ethernet over Coaxial Cable
          1000BASE-T Gigabit Ethernet over UTP
        10 Gigabit Ethernet Design Rules
          10GE Media Types
        EtherChannel
      Comparison of Campus Media
    LAN Hardware
      Repeaters
      Hubs
      Bridges
      Switches
      Routers
      Layer 3 Switches
    Campus LAN Design and Best Practices
      Best Practices for Hierarchical Layers
        Access Layer Best Practices
        Distribution Layer Best Practices
        Core Layer Best Practices
      Large-Building LANs
      Enterprise Campus LANs
      Edge Distribution
      Medium-Size LANs
      Small and Remote Site LANs
      Server Farm Module
        Server Connectivity Options
        Enterprise Data Center Infrastructure
      Campus LAN QoS Considerations
      Multicast Traffic Considerations
        CGMP
        IGMP Snooping
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 4 Data Center Design 121
  “Do I Know This Already?” Quiz
  Foundation Topics
    Enterprise DC Architectures
      Data Center 3.0 Components
      Data Center 3.0 Topology Components
      Challenges in the DC
    Data Center Facility Aspects
      Data Center Space
      Data Center Power
      Data Center Cooling
      Data Center Heat
      Data Center Cabling
    Enterprise DC Infrastructure
      Defining the DC Access Layer
      Defining the DC Aggregation Layer
      Defining the DC Core Layer
    Virtualization Overview
      Challenges
      Defining Virtualization and Benefits
      Types of Virtualization
      Virtualization Technologies
        VSS
        VRF
        vPC
        Device Contexts
        Server Virtualization
      Network Virtualization Design Considerations
        Access Control
        Path Isolation
        Services Edge
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 5 Wireless LAN Design 153
  “Do I Know This Already?” Quiz
  Foundation Topics
    Wireless LAN Technologies
      WLAN Standards
      ISM and UNII Frequencies
      Summary of WLAN Standards
      Service Set Identifier
      WLAN Layer 2 Access Method
      WLAN Security
        Unauthorized Access
        WLAN Security Design Approach
        IEEE 802.1X-2001 Port-Based Authentication
        Dynamic WEP Keys and LEAP
        Controlling WLAN Access to Servers
    Cisco Unified Wireless Network
      Cisco UWN Architecture
      LWAPP
      CAPWAP
      Cisco Unified Wireless Network Split-MAC Architecture
        Local MAC
      AP Modes
      LWAPP Discovery of WLC
      WLAN Authentication
        Authentication Options
      WLAN Controller Components
        WLC Interface Types
      AP Controller Equipment Scaling
      Roaming and Mobility Groups
        Intracontroller Roaming
        Layer 2 Intercontroller Roaming
        Layer 3 Intercontroller Roaming
        Mobility Groups
    WLAN Design
      Controller Redundancy Design: Deterministic vs. Dynamic
        N+1 WLC Redundancy
        N+N WLC Redundancy
        N+N+1 WLC Redundancy
      Radio Management and Radio Groups
        RF Groups
        RF Site Survey
      Using EoIP Tunnels for Guest Services
      Wireless Mesh for Outdoor Wireless
        Mesh Design Recommendations
      Campus Design Considerations
      Branch Design Considerations
        Local MAC
        REAP
        Hybrid REAP
        Branch Office Controller Options
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 6 WAN Technologies 199
  “Do I Know This Already?” Quiz
  Foundation Topics
    WAN Overview
      WAN Defined
      WAN Connection Modules
    WAN Transport Technologies
      ISDN
        ISDN BRI Service
        ISDN PRI Service
      Digital Subscriber Line
      Cable
      Wireless
      Frame Relay
      Time-Division Multiplexing
      Metro Ethernet
      SONET/SDH
      Multiprotocol Label Switching
      Dark Fiber
      Dense Wavelength-Division Multiplexing
      Ordering WAN Technology and Contracts
    WAN Design Methodology
      Response Time
      Throughput
      Reliability
      Bandwidth Considerations
      WAN Link Categories
    Optimizing Bandwidth Using QoS
      Queuing, Traffic Shaping, and Policing
      Classification
      Congestion Management
        Priority Queuing
        Custom Queuing
        Weighted Fair Queuing
        Class-Based Weighted Fair Queuing
        Low-Latency Queuing
      Traffic Shaping and Policing
      Link Efficiency
      Window Size
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 7 WAN Design 227
  “Do I Know This Already?” Quiz
  Foundation Topics
    Traditional WAN Technologies
      Hub-and-Spoke Topology
      Full-Mesh Topology
      Partial-Mesh Topology
    Remote-Access Network Design
    VPN Network Design
      Enterprise VPN vs. Service Provider VPN
        Enterprise VPNs
        Service Provider Offerings
      Enterprise Managed VPN: IPsec
        IPsec Direct Encapsulation
        Cisco Easy VPN
        Generic Routing Encapsulation
        IPsec DMVPN
        IPsec Virtual Tunnel Interface Design
        Layer 2 Tunneling Protocol Version 3
      Service Provider Managed Offerings
        Metro Ethernet
        Virtual Private LAN Services
        MPLS
          MPLS Layer 3 Design Overview
      VPN Benefits
    WAN Backup Design
      Load-Balancing Guidelines
      WAN Backup over the Internet
    Enterprise WAN Architecture
      Cisco Enterprise MAN/WAN
      Enterprise WAN/MAN Architecture Comparison
    Enterprise WAN Components
      Comparing Hardware and Software
    Enterprise Branch Architecture
      Branch Design
      Enterprise Branch Profiles
      ISR G2 New Features
      Small Branch Design
      Medium Branch Design
      Large Branch Design
    Enterprise Teleworker Design
      ISRs for Teleworkers
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Part III The Internet Protocol and Routing Protocols 263

Chapter 8 Internet Protocol Version 4 265
  “Do I Know This Already?” Quiz
  Foundation Topics
    IPv4 Header
      ToS
      IPv4 Fragmentation
    IPv4 Addressing
      IPv4 Address Classes
        Class A Addresses
        Class B Addresses
        Class C Addresses
        Class D Addresses
        Class E Addresses
      IPv4 Address Types
      IPv4 Private Addresses
      NAT
      Private and Public IP Address and NAT Guidelines
    IPv4 Address Subnets
      Mask Nomenclature
      IP Address Subnet Design
      Determining the Network Portion of an IP Address
      Variable-Length Subnet Masks
        VLSM Address Assignment: Example 1
      Loopback Addresses
      IP Telephony Networks
        VLSM Address Assignment: Example 2
    Address Assignment and Name Resolution
      Recommended Practices of IP Address Assignment
      BOOTP
      DHCP
      DNS
      ARP
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 9 Internet Protocol Version 6 305
  “Do I Know This Already?” Quiz
  Foundation Topics
    Introduction to IPv6
    IPv6 Header
    IPv6 Address Representation
      IPv4-Compatible IPv6 Addresses
      IPv6 Prefix Representation
    IPv6 Address Scope Types and Address Allocations
      IPv6 Address Allocations
      IPv6 Unicast Address
        Global Unicast Addresses
        Link-Local Addresses
        Unique Local IPv6 Address
        Global Aggregatable IPv6 Address
        IPv4-Compatible IPv6 Address
      IPv6 Anycast Addresses
      IPv6 Multicast Addresses
    IPv6 Mechanisms
      ICMPv6
      IPv6 Neighbor Discovery Protocol
      IPv6 Name Resolution
      Path MTU Discovery
      IPv6 Address-Assignment Strategies
        Link-Local Address (Stateless Autoconfiguration)
        Autoconfiguration of Globally Unique IP address
        DHCPv6
      IPv6 Security
      IPv6 Routing Protocols
        RIPng
        EIGRP for IPv6
        OSPFv3
        IS-IS for IPv6
        BGP4 Multiprotocol Extensions (MP-BGP) for IPv6
    IPv4 to IPv6 Transition Mechanisms and Deployment Models
      Dual-Stack Mechanism
      IPv6 over IPv4 Tunnels
      Protocol Translation Mechanisms
      IPv6 Deployment Models
        Dual-Stack Model
        Hybrid Model
        Service Block Model
      IPv6 Deployment Model Comparison
    IPv6 Comparison with IPv4
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 10 Routing Protocol Characteristics, RIP, and EIGRP 345
  “Do I Know This Already?” Quiz
  Foundation Topics
    Routing Protocol Characteristics
      Static Versus Dynamic Route Assignment
      Interior Versus Exterior Routing Protocols
      Distance-Vector Routing Protocols
        EIGRP
      Link-State Routing Protocols
      Distance-Vector Routing Protocols Versus Link-State Protocols
      Hierarchical Versus Flat Routing Protocols
      Classless Versus Classful Routing Protocols
      IPv4 Versus IPv6 Routing Protocols
      Administrative Distance
    Routing Protocol Metrics and Loop Prevention
      Hop Count
      Bandwidth
      Cost
      Load
      Delay
      Reliability
      Maximum Transmission Unit
      Routing Loop-Prevention Schemes
        Split Horizon
        Poison Reverse
        Counting to Infinity
        Triggered Updates
        Summarization
    RIPv2 and RIPng
      Authentication
        MD5 Authentication
      RIPv2 Routing Database
      RIPv2 Message Format
      RIPv2 Timers
      RIPv2 Design
      RIPv2 Summary
      RIPng
        RIPng Timers
        Authentication
        RIPng Message Format
        RIPng Design
        RIPng Summary
    EIGRP
      EIGRP Components
        Protocol-Dependent Modules
        Neighbor Discovery and Recovery
        RTP
        DUAL
      EIGRP Timers
      EIGRP Metrics
      EIGRP Packet Types
      EIGRP Design
      EIGRP for IPv4 Summary
      EIGRP for IPv6 (EIGRPv6) Networks
        EIGRP for IPv6 Design
        EIGRP for IPv6 Summary
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 11 OSPF, BGP, Route Manipulation, and IP Multicast 387
  “Do I Know This Already?” Quiz
  Foundation Topics
    OSPFv2
      OSPFv2 Metric
      OSPFv2 Adjacencies and Hello Timers
      OSPFv2 Areas
      OSPF Router Types
      OSPF DRs
      LSA Types
      Autonomous System External Path Types
      OSPF Stub Area Types
        Stub Areas
        Totally Stubby Areas
        NSSAs
      Virtual Links
      OSPFv2 Router Authentication
      OSPFv2 Summary
    OSPFv3
      OSPFv3 Changes from OSPFv2
      OSPFv3 Areas and Router Types
      OSPFv3 LSAs
      OSPFv3 Summary
    BGP
      BGP Neighbors
        eBGP
        iBGP
      Route Reflectors
      Confederations
      BGP Administrative Distance
      BGP Attributes, Weight, and the BGP Decision Process
        BGP Path Attributes
          Next-Hop Attribute
          Local Preference Attribute
          Origin Attribute
          Autonomous System Path Attribute
          MED Attribute
          Community Attribute
          Atomic Aggregate and Aggregator Attributes
        Weight
        BGP Decision Process
      BGP Summary
    Route Manipulation
      PBR
      Route Summarization
      Route Redistribution
        Default Metric
        OSPF Redistribution
      Route Filtering
      Routing Protocols on the Hierarchical Network Infrastructure
    IP Multicast Review
      Multicast Addresses
      Layer 3-to-Layer 2 Mapping
      IGMP
        IGMPv1
        IGMPv2
        IGMPv3
      CGMP
      IGMP Snooping
      Sparse Versus Dense Multicast
      Multicast Source and Shared Trees
      PIM
        PIM-SM
        PIM DR
        Auto-RP
        PIMv2 Bootstrap Router
      DVMRP
      IPv6 Multicast Addresses
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Part IV Security, Convergence, Network Management 443

Chapter 12 Managing Security 445
  “Do I Know This Already?” Quiz
  Foundation Topics
    Network Security Overview
      Security Legislation
      Security Threats
        Reconnaissance and Port Scanning
        Vulnerability Scanners
        Unauthorized Access
      Security Risks
        Targets
        Loss of Availability
        Integrity Violations and Confidentiality Breaches
    Security Policy and Process
      Security Policy Defined
      Basic Approach of a Security Policy
      Purpose of Security Policies
      Security Policy Components
      Risk Assessment
        Risk Index
      Continuous Security
    Integrating Security Mechanisms into Network Design
      Trust and Identity Management
        Trust
          Domains of Trust
        Identity
          Passwords
          Tokens
          Certificates
        Access Control
      Secure Connectivity
        Encryption Fundamentals
        Encryption Keys
        VPN Protocols
        Transmission Confidentiality
        Data Integrity
      Threat Defense
        Physical Security
        Infrastructure Protection
        Security Management Solutions
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 13 Security Solutions 481
  “Do I Know This Already?” Quiz
  Foundation Topics
    Cisco SAFE Architecture
    Network Security Platforms
      Cisco Security Control Framework
    Trust and Identity Technologies
      Firewall ACLs
      Cisco NAC Appliance
      Cisco Identity-Based Network Services
      Identity and Access Control Deployments
    Detecting and Mitigating Threats
      Threat Detection and Mitigation Technologies
      Threat-Detection and Threat-Mitigation Solutions
      Cisco IronPort ESA
      Cisco IronPort WSA
    Security Management Applications
      Security Platform Solutions
      Security Management Network
    Integrating Security into Network Devices
      IOS Security
      ISR G2 Security Hardware Options
      Cisco Security Appliances
      Intrusion Prevention
      Catalyst 6500 Service Modules
      Endpoint Security
    Securing the Enterprise
      Implementing Security in the Campus
      Implementing Security in the Data Center
      Implementing Security in the Enterprise Edge and WAN
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 14 Voice and Video Design 515
  “Do I Know This Already?” Quiz
  Foundation Topics
    Traditional Voice Architectures
      PBX and PSTN Switches
      Local Loop and Trunks
      Ports
      Major Analog and Digital Signaling Types
        Loop-Start Signaling
        Ground-Start Signaling
        E&M Signaling
        CAS and CCS Signaling
      PSTN Numbering Plan
      Other PSTN Services
        Centrex Services
        Voice Mail
        Database Services
        IVR
        ACD
      Voice Engineering Terminology
        Grade of Service
        Erlangs
        Centum Call Second
        Busy Hour
        Busy-Hour Traffic
        Blocking Probability
        Call Detail Records
    Converged Multiservice Networks
      VoIP
      IPT Components
      Design Goals of IP Telephony
      IPT Deployment Models
        Single-Site Deployment
        Multisite WAN with Centralized Call Processing Model
        Multisite WAN with Distributed Call Processing Model
        Unified CallManager Express Deployments
      Video Deployment Considerations
      Codecs
        Analog-to-Digital Signal Conversion
        Codec Standards
      VoIP Control and Transport Protocols
        DHCP, DNS, and TFTP
        SCCP
        RTP and RTCP
        MGCP
        H.323
        H.264
        SIP
    IPT Design
      Bandwidth
        VAD
        Calculating Voice Bandwidth
      Delay Components in VoIP Networks
      Packet Loss
      Echo Cancellation
      QoS and Bandwidth Mechanisms for VoIP and Video Networks
        cRTP
        IEEE 802.1P
        Resource Reservation Protocol
        LFI
        LLQ
        Auto QoS
      IPT Design Recommendations
      Service Class Recommendations
  References and Recommended Readings
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Chapter 15 Network Management Protocols 575
  “Do I Know This Already?” Quiz
  Foundation Topics
    Simple Network Management Protocol
      SNMP Components
      MIB
      SNMP Message Versions
        SNMPv1
        SNMPv2
        SNMPv3
    Other Network Management Technologies
      RMON
        RMON2
      NetFlow
        NetFlow Compared to RMON and SNMP
      CDP
      Syslog
  References and Recommended Reading
  Exam Preparation Tasks
    Review All Key Topics
    Complete Tables and Lists from Memory
    Define Key Terms
    Q&A

Part V Comprehensive Scenarios and Final Prep 597

Chapter 16 Comprehensive Scenarios 599
  Scenario One: Pearland Hospital
    Scenario One Questions
    Scenario One Answers
  Scenario Two: Big Oil and Gas
    Scenario Two Questions
    Scenario Two Answers
  Scenario Three: Beauty Things Store
    Scenario Three Questions
    Scenario Three Answers
  Scenario Four: Falcon Communications
    Scenario Four Questions
    Scenario Four Answers

Chapter 17 Final Preparation 613
  Tools for Final Preparation
    Pearson Cert Practice Test Engine and Questions on the CD
      Install the Software from the CD
      Activate and Download the Practice Exam
      Activating Other Exams
      Premium Edition
    The Cisco Learning Network
    Memory Tables
    Chapter-Ending Review Tools
  Suggested Plan for Final Review/Study
    Subnetting Practice
    Using the Exam Engine
  Summary

Part VI Appendixes 621
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Questions 623
Appendix B CCDA Exam Updates: Version 1.0 657
Appendix C OSI Model, TCP/IP Architecture, and Numeric Conversion 661
Glossary 677
Index 690
Elements Available on the CD
Appendix D Memory Tables
Appendix E Memory Tables Answer Key
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
■ Bold indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), bold indicates commands that are manually input by the user (such as a show command).
■ Italic indicates arguments for which you supply actual values.
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets ([ ]) indicate an optional element.
■ Braces ({ }) indicate a required choice.
■ Braces within brackets ([{ }]) indicate a required choice within an optional element.
Introduction
So, you have worked on Cisco devices for a while, designing networks for your customers, and now you want to get certified? There are several good reasons to do so. The
Cisco certification program allows network analysts and engineers to demonstrate their
competence in different areas and levels of networking. The prestige and respect that
come with a Cisco certification will definitely help you in your career. Your clients, peers,
and superiors will recognize you as an expert in networking.
Cisco Certified Design Associate (CCDA) is the associate-level certification that represents knowledge of the design of Cisco internetwork infrastructure. The CCDA demonstrates skills required to design routed and switched networks, LANs, and WANs. The
CCDA also has knowledge of campus designs, data centers, network security, IP telephony, and wireless LANs.
Although it is not required, Cisco suggests taking the DESGN 2.1 course before you take
the CCDA exam. For more information about the various levels of certification, career
tracks, and Cisco exams, go to the Cisco Certifications page at www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html.
Our goal with this book is to help you pass the 640-864 CCDA exam. This is done by
assessment on and coverage of all the exam topics published by Cisco. Reviewing tables
and practicing test questions will help you practice your knowledge on all subject areas.
About the 640-864 CCDA Exam
The CCDA exam measures your ability to design networks that meet certain requirements for performance, security, capacity, and scalability. The exam focuses on small- to
medium-sized networks. The candidate should have at least one year of experience in the
design of small- to medium-sized networks using Cisco products. A CCDA candidate
should understand internetworking technologies, including Cisco’s enterprise network
architecture, IPv4 subnets, IPv6 addressing and protocols, routing, switching, WAN technologies, LAN protocols, security, IP telephony, and network management. The new
exam adds topics such as borderless networks, data centers design, and updates on IPv6,
voice and video design, wireless LANs, WAN technologies, and security.
The test to obtain CCDA certification is called Designing for Cisco Internetwork
Solutions (DESGN) Exam #640-864. It is a computer-based test that has 65 questions and
a 90-minute time limit. Because all exam information is managed by Cisco Systems and is
therefore subject to change, candidates should continually monitor the Cisco Systems site
for course and exam updates at www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html.
You can take the exam at Pearson VUE testing centers. You can register with VUE at
www.vue.com/cisco/. The CCDA certification is valid for three years. To recertify, you
can pass a current CCDA test, pass a CCIE exam, or pass any 642 or Cisco Specialist
exam.
640-864 CCDA Exam Topics
Table I-1 lists the topics of the 640-864 CCDA exam and indicates the part in the book
where they are covered.
Table I-1 640-864 CCDA Exam Topics
Exam Topic | Part
Describe the Methodology Used to Design a Network
  Describe developing business trends | I
  Identify network requirements to support the organization | I
  Describe the tools/process to characterize an existing network | I
  Describe the top-down approach to network design | I
  Describe network management protocols and features | IV
Describe Network Structure and Modularity
  Describe the network hierarchy | I
  Describe the modular approach in network design | I
  Describe network architecture for the enterprise | II
Design Basic Enterprise Campus Networks
  Describe Campus Design considerations | II
  Design the enterprise campus network | II
  Design the enterprise data center | II
  Describe enterprise network virtualization tools | II
Design Enterprise Edge and Remote Network Modules
  Describe the enterprise edge, branch, and teleworker design characteristics | II
  Describe physical and logical WAN connectivity | II
  Design the branch office WAN solutions | II
  Describe access network solutions for a remote worker | II
  Design the WAN to support selected redundancy methodologies | II
  Identify design considerations for a remote data center | II
Design IP Addressing and Routing Protocols
  Describe IPv4 addressing | III
  Describe IPv6 addressing | III
Identify Routing Protocol Considerations in an Enterprise Network
  Design a routing protocol deployment | III
Design Network Services
  Describe the security life cycle | IV
  Identify Cisco technologies to mitigate security vulnerabilities | IV
  Select appropriate Cisco security solutions and deployment placement | IV
  Describe high-level voice and video architectures | IV
  Identify the design considerations for voice/video services | IV
  Describe Cisco Unified Wireless network architectures and features | II
  Design wireless network using controllers | II
About the CCDA 640-864 Official Cert Guide
This book maps to the topic areas of the 640-864 CCDA exam and uses a number of features to help you understand the topics and prepare for the exam.
Objectives and Methods
This book uses several key methodologies to help you discover the exam topics on which
you need more review, to help you fully understand and remember those details, and to
help you prove to yourself that you have retained your knowledge of those topics. So,
this book does not try to help you pass the exams only by memorization, but by truly
learning and understanding the topics. This book is designed to help you pass the CCDA
exam by using the following methods:
■ Helping you discover which exam topics you have not mastered
■ Providing explanations and information to fill in your knowledge gaps
■ Supplying exercises that enhance your ability to recall and deduce the answers to test questions
■ Providing practice exercises on the topics and the testing process via test questions on the CD
Book Features
To help you customize your study time using this book, the core chapters have several
features that help you make the best use of your time:
■ “Do I Know This Already?” quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter.
■ Foundation Topics: These are the core sections of each chapter. They explain the concepts for the topics in that chapter.
■ Exam Preparation Tasks: After the “Foundation Topics” section of each chapter, the “Exam Preparation Tasks” section lists a series of study activities that you should do at the end of the chapter. Each chapter includes the activities that make the most sense for studying the topics in that chapter:
  ■ Review All the Key Topics: The Key Topic icon appears next to the most important items in the “Foundation Topics” section of the chapter. The Review All the Key Topics activity lists the key topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each key topic, so you should review these.
  ■ Complete the Tables and Lists from Memory: To help you memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list.
  ■ Define Key Terms: Although the exam may be unlikely to ask a question such as “Define this term,” the CCDA exams do require that you learn and know a lot of networking terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.
■ CD-based practice exam: The companion CD contains the Pearson Cert Practice Test engine that allows you to take practice exam questions. Use these to prepare with a sample exam and to pinpoint topics where you need more study.
How This Book Is Organized
This book contains 16 core chapters—Chapters 1 through 16. Chapter 17 includes some
preparation tips and suggestions for how to approach the exam. Each core chapter covers
a subset of the topics on the CCDA exam. The core chapters are organized into parts.
They cover the following topics:
Part I: General Network Design
■ Chapter 1: Network Design Methodology covers Cisco architectures for the enterprise network, the Prepare, Plan, Design, Implement, Operate, and Optimize (PPDIOO) methodology, and the process of completing a network design.
■ Chapter 2: Network Structure Models covers hierarchical network models, the Cisco Enterprise Architecture model, and high-availability network services.
Part II: LAN and WAN Design
■ Chapter 3: Enterprise LAN Design covers LAN media, campus LAN design and models, and best practices for campus networks.
■ Chapter 4: Data Center Design covers enterprise data center design fundamentals, technology trends, data center challenges, and virtualization technologies.
■ Chapter 5: Wireless LAN Design covers technologies and design options used for wireless LANs.
■ Chapter 6: WAN Technologies examines technologies, design methodologies, and requirements for enterprise WANs.
■ Chapter 7: WAN Design covers WAN design for the enterprise WAN and enterprise branch, including remote-access and virtual private network (VPN) architectures.
Part III: The Internet Protocol and Routing Protocols
■ Chapter 8: Internet Protocol Version 4 covers the header, addressing, subnet design, and protocols used by IPv4.
■ Chapter 9: Internet Protocol Version 6 covers the header, addressing, design, and protocols used by IPv6.
■ Chapter 10: Routing Protocol Characteristics, RIP, and EIGRP covers routing protocol characteristics, metrics, RIPv2, and Enhanced Interior Gateway Routing Protocol (EIGRP).
■ Chapter 11: OSPF, BGP, Route Manipulation, and IP Multicast covers Open Shortest Path First (OSPF) Protocol, Border Gateway Protocol (BGP), route summarization, route redistribution, route filtering, and IP multicast.
Part IV: Security, Convergence, Network Management
■ Chapter 12: Managing Security examines security management, security policy, threats, risks, security compliance, and trust and identity management.
■ Chapter 13: Security Solutions covers the Cisco SAFE architecture, security technologies, and design options for securing the enterprise.
■ Chapter 14: Voice and Video Design reviews traditional voice architectures, integrated multiservice networks, Cisco’s IPT architecture, video deployment considerations, and IPT design.
■ Chapter 15: Network Management Protocols covers Simple Network Management Protocol (SNMP), Remote Monitor (RMON), NetFlow, Cisco Discovery Protocol (CDP), and syslog.
Part V: Comprehensive Scenarios and Final Prep
■ Chapter 16: Comprehensive Scenarios provides network case studies for further comprehensive study.
■ Chapter 17: Final Preparation identifies tools for final exam preparation and helps you develop an effective study plan. It contains tips on how to best use the CD material to study.
Part VI: Appendixes
■ Appendix A: Answers to “Do I Know This Already?” Quizzes and Q&A Questions
■ Appendix B: CCDA Exam Updates: Version 1.0 provides instructions for finding updates to the exam and this book when and if they occur.
■ Appendix C: OSI Model, TCP/IP Architecture, and Numeric Conversion reviews the Open Systems Interconnection (OSI) reference model to give you a better understanding of internetworking. It reviews the TCP/IP architecture and also reviews the techniques to convert between decimal, binary, and hexadecimal numbers. Although there might not be a specific question on the exam about converting a binary number to decimal, you need to know how to do so to work problems on the test.
■ Appendix D: Memory Tables (a CD-only appendix) contains the key tables and lists from each chapter, with some of the contents removed. You can print this appendix and, as a memory exercise, complete the tables and lists. The goal is to help you memorize facts that can be useful on the exams. This appendix is available in PDF format on the CD; it is not in the printed book.
■ Appendix E: Memory Tables Answer Key (a CD-only appendix) contains the answer key for the memory tables in Appendix D. This appendix is available in PDF format on the CD; it is not in the printed book.
CCDA exam topics covered in this part:
■ Describe developing business trends
■ Identify network requirements to support the organization
■ Describe the tools/process to characterize an existing network
■ Describe the top-down approach to network design
■ Describe the network hierarchy
■ Describe the modular approach in network design
■ Describe network architecture for the enterprise
Part I: General Network Design
Chapter 1: Network Design Methodology
Chapter 2: Network Structure Models
This chapter covers the following subjects:
■ Cisco Architectures for the Enterprise
■ Prepare, Plan, Design, Implement, Operate, and Optimize Phases
■ Identifying Customer Requirements
■ Characterizing the Existing Network
■ Designing the Network Topology and Solutions
CHAPTER 1
Network Design Methodology
Networks can become complex and difficult to manage. Network architectures and design methodologies help you manage the complexities of networks. This chapter provides
an overview of Cisco’s architectures for the enterprise and the Prepare, Plan, Design, Implement, Operate, and Optimize (PPDIOO) network life cycle. This chapter also describes
the six network life cycle phases and steps in design methodology.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 1-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 1-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
Cisco Architectures for the Enterprise | 1, 2, 3, 4
Prepare, Plan, Design, Implement, Operate, and Optimize Phases | 5, 6
Identifying Customer Requirements | 9, 10
Characterizing the Existing Network | 7
Designing the Network Topology and Solutions | 8
1. Which are the three Cisco network architectures for the enterprise?
  a. Hierarchical
  b. Borderless
  c. Integrated
  d. Data center/virtualization
  e. OSI model
  f. Collaboration
2. Which technology forces affect decisions for the enterprise network?
  a. Removal of borders
  b. Virtualization
  c. Growth of applications
  d. 10GigEthernet
  e. Regulation
  f. ROI
  g. Competitiveness
3. Network resiliency and control occurs in which layer of the borderless network architecture?
  a. Policy and Control
  b. Borderless Network Services
  c. Borderless User Services
  d. Connection Management
4. Presence occurs in which collaboration architecture layer?
  a. Communication and Collaboration
  b. Collaboration Services
  c. Infrastructure
  d. Media Services
5. Which of the following is the correct order of the six phases of PPDIOO?
  a. Prepare, Plan, Design, Implement, Operate, Optimize
  b. Plan, Prepare, Design, Implement, Operate, Optimize
  c. Prepare, Plan, Design, Implement, Optimize, Operate
  d. Plan, Prepare, Design, Implement, Optimize, Operate
6. The PPDIOO design methodology includes which steps? (Select all that apply.)
  a. Identify customer requirements.
  b. Design the network topology.
  c. Characterize the network.
  d. Optimize the network.
  e. Operate the network.
  f. Implement the network.
  g. Prepare and plan.
7. What are the three primary sources of information in a network audit?
  a. CIO, network manager, network engineer
  b. Network manager, management software, CDP
  c. Network discovery, CDP, SNMP
  d. Existing documentation, management software, new management tools
8. Which design solution states that a design must start from the application layer and finish in the physical layer?
  a. OSI model
  b. PPDIOO
  c. Hierarchical architecture
  d. Top-down
9. Budget and personnel limitations are examples of what?
  a. Organization requirements
  b. Organization constraints
  c. Technical goals
  d. Technical constraints
10. Improving network response time and reliability are examples of what?
  a. Organization requirements
  b. Organization constraints
  c. Technical goals
  d. Technical constraints
Foundation Topics
With the complexities of networks, it is necessary to use architectures and methodologies
in network design to support business goals. The Cisco Prepare, Plan, Design, Implement,
Operate, and Optimize (PPDIOO) network life cycle defines a continuous cycle of phases
in a network’s life. Each phase includes key steps in successful network planning, design,
implementation, and operation. The top-down design approach to network design adapts
the network infrastructure to the network applications’ needs.
Cisco Architectures for the Enterprise
With the constant evolution of networks, Cisco keeps updating its enterprise architectures and frameworks. Both business drivers and technology forces shape the network architecture, and the architecture in turn affects the business.
Business forces affecting decisions for the enterprise network include the following:
Key Topic
■ Return on investment: Companies expect a return (be it cost savings or increased productivity) on their investments in network infrastructure. The solutions need to use technology to work within a business solution.
■ Regulation: Companies need to meet industry regulations; for example, the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry and the Payment Card Industry Data Security Standard (PCI DSS) for the credit card industry.
■ Competitiveness: To maintain a competitive edge, companies need to use technology to make them more competitive than other businesses.
The technology forces affecting decisions for the enterprise network are
■ Removal of borders: Traditional network boundaries have been removed. Access to network resources needs to be enabled from branch offices, teleworkers, home offices, mobile devices, customers, and partner networks.
■ Virtualization: Allows for the maximization of efficiencies through the reduction of hardware, power consumption, heating and cooling costs, facilities space, and management effort. Virtualization and its benefits are a key goal for almost all organizations. It has been popularized by industry leaders such as VMware.
■ Growth of applications: Customers continue to ask for new products, service offerings, improved customer service, greater security, and customization flexibility, all at a lower cost.
IT optimization areas are divided into three groups:
■ Data center
■ Network
■ Applications
Each group has its own experts, budget, and challenges.
Cisco has created an interwoven framework consisting of one architecture for each group, which provides for optimization at an individual level and integration with the other areas:
■ Borderless networks architecture
■ Collaboration architecture
■ Data center/virtualization architecture
These three architectures are shown in Figure 1-1 and are covered in more detail in the following sections.
Figure 1-1 Cisco Enterprise Architectures (Borderless Networks, Collaboration, and Data Center/Virtualization)
Borderless Networks Architecture
Cisco Borderless Network Architecture is a next-generation solution that enables connectivity to anyone and anything, anywhere, and at any time. The connectivity needs to be
secure, reliable, and seamless. The borderless architecture optimizes both business and
network performance.
As shown in Figure 1-2, the Cisco borderless network architecture blueprint consists of four major blocks:
■ Policy and Control: Policies are applied to all users and devices across the architecture.
■ Network Services: These services include resiliency and control. Cisco EnergyWise and Medianet provide capabilities to borderless networks.
■ User Services: These services include mobility, performance, and security.
■ Connection Management: This block delivers secure access anytime and anywhere, regardless of how the network is accessed.
Collaboration Architecture
Cisco’s collaboration architecture is composed of three layers:
■ Communication and Collaboration Applications: This layer contains conferencing applications and TelePresence.
■ Collaboration Services: This layer contains services that support the collaboration applications: presence, location, session management, contact management, client frameworks, tagging, and policy and security management.
■ Infrastructure: This layer is responsible for allowing collaboration anytime, from anywhere, on any device. It includes virtual machines, the network, and storage.
Figure 1-2 Borderless Architecture. Blocks shown, top to bottom: Policy and Control; Borderless Network Services (Network Resiliency and Control, Cisco EnergyWise, MediaNet); Borderless User Services (Borderless Mobility, Borderless Security, Borderless Performance); Borderless Connection Management.
Data Center/Virtualization Architecture
Cisco’s data center/virtualization architecture is built upon Cisco Data Center 3.0. It comprises a comprehensive set of virtualization technologies and services that bring the network, computing, storage, and virtualization platforms together. Figure 1-3 shows the
architecture framework for data centers.
Data center architecture and design is covered in Chapter 4, “Data Center Design.”
Table 1-2 lists the benefits of Cisco network architectures.
Table 1-2 Benefits of Cisco Network Architectures
Benefit | Description
Functionality | Supports organizational requirements
Scalability | Supports growth and expansion of organizational tasks
Availability | Provides services reliability, anywhere and anytime
Performance | Provides responsiveness, throughput, and utilization on a per-application basis
Manageability | Provides control, performance monitoring, and fault detection
Efficiency | Provides network services and infrastructure with reasonable operational costs and appropriate capital investment
Figure 1-3 Data Center Architecture Framework. Elements shown: Consolidation, Virtualization, Automation, Energy Efficiency, Open Standards, Application Performance, Application Networking, Continuity, Workload Mobility, Security, Cloud, Unified Fabric, Unified Network Services, Unified Computing, Switching, Storage, Compute, OS, Management.
Prepare, Plan, Design, Implement, Operate, and
Optimize Phases
Cisco has formalized a network’s life cycle into six phases: Prepare, Plan, Design,
Implement, Operate, and Optimize. These phases are collectively known as PPDIOO.
The PPDIOO life cycle provides four main benefits:
■ It lowers the total cost of ownership by validating technology requirements and planning for infrastructure changes and resource requirements.
■ It increases network availability by producing a sound network design and validating the network operation.
■ It improves business agility by establishing business requirements and technology strategies.
■ It speeds access to applications and services by improving availability, reliability, security, scalability, and performance.
Key Topic
These benefits are realized by the actions listed in Tables 1-3 through 1-6.
Table 1-3 Actions That Lower the Cost of Ownership
Identifying and validating technology requirements
Planning for infrastructure changes and resource requirements
Developing a sound network design aligned with technical requirements and business goals
Accelerating successful implementation
Improving the efficiency of the network and the staff that supports it
Reducing operating expenses by improving the efficiency of operation processes and tools
Table 1-4 Actions That Increase Network Availability
Assessing the state of the network and its ability to support the proposed design
Specifying the correct set of hardware and software releases and keeping them current
Producing a sound operations design and validating network operation
Staging and testing the proposed system before deployment
Improving staff skills
Proactively monitoring the system and assessing availability trends and alerts
Proactively identifying security breaches and defining remediation plans
Table 1-5 Actions That Improve Business Agility
Establishing business requirements and technology strategies
Readying sites to support the system that will be implemented
Integrating technical requirements and business goals into a detailed design and demonstrating that the network is functioning as specified
Expertly installing, configuring, and integrating system components
Continually enhancing performance
Table 1-6 Actions That Accelerate Access to Applications and Services
Assessing and improving operational preparedness to support current and planned network technologies and services
Improving service delivery efficiency and effectiveness by increasing availability, resource capacity, and performance
Improving the availability, reliability, and stability of the network and the applications that run on it
Managing and resolving problems that affect the system and keeping software applications current
Figure 1-4 shows the PPDIOO network life cycle.
Figure 1-4 Cisco PPDIOO Network Life Cycle (Prepare, Plan, Design, Implement, Operate, Optimize, arranged as a continuous cycle)
The following sections discuss the PPDIOO phases in detail.
Prepare Phase
The Prepare phase establishes organization and business requirements, develops a network
strategy, and proposes a high-level conceptual architecture to support the strategy. Technologies that can best support the architecture are identified, and a business case is developed to establish a financial justification for the network strategy.
Plan Phase
The Plan phase identifies the network requirements based on goals, facilities, and user
needs. This phase characterizes sites and assesses the network, performs a gap analysis
against best-practice architectures, and looks at the operational environment. A project
plan is developed to manage the tasks, responsible parties, milestones, and resources to do
the design and implementation. The project plan aligns with the scope, cost, and resource
parameters established with the original business requirements. This project plan is followed (and updated) during all phases of the cycle.
Design Phase
The network design is developed based on the technical and business requirements obtained from the previous phases. The network design specification is a comprehensive detailed design that meets current business and technical requirements. It provides high
availability, reliability, security, scalability, and performance. The design includes network
diagrams and an equipment list. The project plan is updated with more granular information for implementation. After the Design phase is approved, the Implement phase begins.
Implement Phase
New equipment is installed and configured, according to design specifications, in the Implement phase. New devices replace or augment the existing infrastructure. The project
plan is followed during this phase. Planned network changes should be communicated in
change control meetings, with necessary approvals to proceed. Each step in the implementation should include a description, detailed implementation guidelines, estimated time
to implement, rollback steps in case of a failure, and any additional reference information.
As changes are implemented they are also tested before moving to the Operate phase.
Operate Phase
The Operate phase maintains the network’s day-to-day operational health. Operations include managing and monitoring network components, routine maintenance, managing upgrades, managing performance, and identifying and correcting network faults. This phase
is the design’s final test. During operation, network management stations should monitor
the network’s general health and generate traps when certain thresholds are reached. Fault
detection, correction, and performance monitoring events provide initial data for the optimize phase.
Optimize Phase
The Optimize phase involves proactive network management by identifying and resolving
issues before they affect the network. The Optimize phase may create a modified network
design if too many network problems arise, to improve performance issues, or to resolve
application issues. The requirement for a modified network design returns the network to the beginning of the life cycle.
Summary of PPDIOO Phases
Table 1-7 summarizes the PPDIOO phases.
Table 1-7 PPDIOO Network Life Cycle Phases
PPDIOO Phase | Description
Prepare | Establishes organization and business requirements, develops a network strategy, and proposes a high-level architecture
Plan | Identifies the network requirements by characterizing and assessing the network, performing a gap analysis
Design | Provides high availability, reliability, security, scalability, and performance
Implement | Installation and configuration of new equipment
Operate | Day-to-day network operations
Optimize | Proactive network management; modifications to the design
Design Methodology Under PPDIOO
The following sections focus on a design methodology for the first three phases of the
PPDIOO methodology. This design methodology has three steps:
Step 1. Identifying customer network requirements
Step 2. Characterizing the existing network
Step 3. Designing the network topology and solutions
In Step 1, decision makers identify requirements, and a conceptual architecture is proposed. This step occurs in the PPDIOO Prepare phase.
In Step 2, the network is assessed, and a gap analysis is performed to determine the infrastructure necessary to meet the requirements. The network is assessed on function, performance, and quality. This step occurs in the PPDIOO Plan phase.
In Step 3, the network topology is designed to meet the requirements and close the network gaps identified in the previous steps. A detailed design document is prepared during
this phase. Design solutions include network infrastructure, Voice over IP (VoIP), content
networking, and intelligent network services. This step occurs in the PPDIOO Design phase.
Identifying Customer Design Requirements
To obtain customer requirements, you need to not only talk to network engineers, but also
talk to business unit personnel and company managers. Networks are designed to support
applications; you want to determine the network services that you need to support.
As shown in Figure 1-5, the steps to identify customer requirements are as follows:
Step 1. Identify network applications and services.
Step 2. Define the organizational goals.
Step 3. Define the possible organizational constraints.
Step 4. Define the technical goals.
Step 5. Define the possible technical constraints.
Figure 1-5 Identifying Customer Requirements. Steps shown: Identify Network Applications and Services; Define Organizational Goals; Define Organizational Constraints; Define Technical Goals; Define Technical Constraints; Document the Collected Information.
After you complete these steps, you then analyze the data and develop a network design.
You need to identify current and planned applications and determine the importance of
each application. Is email as important as customer support? Is IP telephony being deployed? High-availability and high-bandwidth applications need to be identified for the
design to accommodate their network requirements. A table identifying applications
should list the following:
■ Planned application types: Such as email, collaboration, voice, web browsing, file sharing, database
■ Concrete applications: Such as Outlook, MeetingPlace
■ Business importance: Labeled as critical, important, or unimportant
■ Comment: Any additional information critical to the design of the network
Planned infrastructure services should also be gathered. Network services include security, quality of service (QoS), network management, high availability, unified communications, mobility, and virtualization.
For organizational goals, you should identify whether the company’s goal is to improve
customer support, add new customer services, increase competitiveness, or reduce
costs. It might be a combination of these goals, with some of them being more important than others. Some organizational goals are as follows:
■ Increase competitiveness
■ Reduce costs
Chapter 1: Network Design Methodology 17
■ Improve customer support
■ Add new customer services
Organizational constraints include budget, personnel, policy, and schedule. The company might limit you to a certain budget or timeframe. The organization might require the project to be completed in an unreasonable timeframe. It might have limited personnel to support the assessment and design efforts, or it might have policies that restrict the use of certain protocols.
Technical goals support the organization’s objectives and the supported applications.
Technical goals include the following:
■ Improve the network’s response time and throughput
■ Decrease network failures and downtime (high availability)
■ Simplify network management
■ Improve network security
■ Improve reliability of mission-critical applications
■ Modernize outdated technologies (technology refresh)
■ Improve the network’s scalability
Network design might be constrained by parameters that limit the solution. Legacy applications might still exist that must be supported going forward, and these applications
might require a legacy protocol that may limit a design. Technical constraints include the
following:
■ Existing wiring does not support new technology.
■ Bandwidth might not support new applications.
■ The network must support existing legacy equipment.
■ Legacy applications must be supported (application compatibility).
Characterizing the Existing Network
Characterizing the network is Step 2 of the design methodology. In this section, you learn
to identify a network’s major features, tools to analyze existing network traffic, and tools
for auditing and monitoring network traffic.
Steps in Gathering Information
When arriving at a site that has an existing network, you need to obtain all the existing
documentation. Sometimes no documented information exists. You should be prepared to
use tools to obtain information and get access to log in to the network devices to obtain
information. Here are the steps for gathering information:
Key Topic
Step 1. Identify all existing organization information and documentation.
Step 2. Perform a network audit that adds detail to the description of the network.
Step 3. Use traffic analysis information to augment information on applications and protocols used.
When gathering existing documentation, you look for site information such as site names,
site addresses, site contacts, site hours of operation, and building and room access. Network infrastructure information includes locations and types of servers and network devices, data center and closet locations, LAN wiring, WAN technologies and circuit
speeds, and power used. Logical network information includes IP addressing, routing protocols, network management, and security access lists used. You need to find out whether
voice or video is being used on the network.
Network Audit Tools
When performing a network audit, you have three primary sources of information:
■ Existing documentation
■ Existing network management software tools
■ New network auditing tools
After gathering the existing documentation, you must obtain access to the existing management software. The client may already have CiscoWorks tools from which you can obtain hardware models and components and software versions. You can also obtain the
existing router and switch configurations.
The network audit should provide the following information:
■ Network device list
■ Hardware models
■ Software versions
■ Configuration of network devices
■ Auditing tools output information
■ Interface speeds
■ Link, CPU, and memory utilization
■ WAN technology types and carrier information
In a small network, you might be able to obtain the required information via a manual assessment. For larger networks, a manual assessment might be too time-consuming. Network assessment tools include the following:
■ Manual assessment
    ■ Manual commands: Review of device configuration and operation through the use of show commands
    ■ Scripting tools
■ Existing management and auditing tools
    ■ CiscoWorks: Maps the network and collects network topology, hardware and software versions, and configurations
    ■ NetFlow: Provides a view of network traffic flows on a specific network interface
    ■ Network-Based Application Recognition (NBAR): Intelligent classification engine
    ■ Third-party tools: Such as AirMagnet Survey PRO, BVS Yellowjacket, Redcell Engineering, Netcordia NetMRI, Netformix, NetQoS, and Pari Networks Assessment Tool
■ Additional tools with emphasis on VoIP, wireless, and security:
    ■ AirMagnet Analyzer Pro
    ■ Ekahau Site Survey
    ■ LANguard Network Security scanner
    ■ NetIQ Vivinet Assessor
    ■ neteXpose DNA
    ■ Cisco Operations Manager
    ■ Stats Manager
    ■ Service Statistics Manager
    ■ ClarusIPC
    ■ Prognosis
When performing manual auditing on network devices, you can use the following commands to obtain information:
■ show tech-support
■ show processes cpu (provides the average CPU utilization information)
■ show version
■ show processes memory
■ show log
■ show interface
■ show policy-map interface
■ show running-config (provides the full router or switch configuration)
Example 1-1 shows the output of a show version command. This command shows the operating system version, the router type, the amount of flash and RAM memory, the router
uptime, and interface types.
Example 1-1 show version Command
R2>show version
Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(25)S9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 28-Mar-06 23:12 by alnguyen
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-K91P-M), Version 12.2(25)S9, RELEASE SOFTWARE (fc1)
R2 uptime is 5 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected]co.com.
Cisco 7206VXR (NPE400) processor (revision A) with 147456K/16384K bytes of memory.
Processor board ID 4294967295
R7000 CPU at 150Mhz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 200 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port
Adaptor Hardware Configuration Guidelines" on CCO <www.cisco.com>,
for c7200 bandwidth points oversubscription/usage guidelines.
1 FastEthernet interface
8 Serial interfaces
125K bytes of NVRAM.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
NetFlow provides extremely granular and accurate traffic measurements and a high-level
collection of aggregated traffic. The output of NetFlow information is displayed via the
show ip cache flow command on routers. Table 1-8 shows a description of the fields for
NetFlow output.
Table 1-8 NetFlow Output Description
Field: Description
Bytes: Number of bytes of memory that are used by the NetFlow cache
Active: Number of active flows
Inactive: Number of flow buffers that are allocated in the NetFlow cache
Added: Number of flows that have been created since the start of the summary
Exporting flows: IP address and User Datagram Protocol (UDP) port number of the workstation to which flows are exported
Flows exported: Total number of flows exported and the total number of UDP datagrams
Protocol: IP protocol and well-known port number
Total flows: Number of flows for this protocol since the last time that statistics were cleared
Flows/sec: Average number of flows for this protocol per second
Packets/flow: Average number of packets per flow per second
Bytes/pkt: Average number of bytes for this protocol
Packets/sec: Average number of packets for this protocol per second
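The following Python script is an added example and not part of the book: it parses a constructed show ip cache flow summary into the cache-header and per-protocol fields that Table 1-8 describes, then estimates each protocol's traffic volume from the per-flow averages, which is how an auditor turns the raw counters into a ranked view of what the network actually carries. The sample output is constructed (the column layout follows the IOS summary format, the numbers are invented) and is not captured from a real router.

```python
import re

# Constructed sample of "show ip cache flow" output (not captured from a real
# router); the column layout follows the IOS summary format, the numbers are invented.
SAMPLE_CACHE_FLOW = """\
IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           2      0.0         1    40      0.0       0.0      15.5
TCP-WWW            620      0.1        12   512      1.4       2.1       5.3
UDP-DNS            300      0.0         2    78      0.0       0.4      15.2
ICMP                58      0.0         4    64      0.0       1.0      15.4
Total:             980      0.1         9   420      1.4       1.7       8.4
"""

CACHE_RE = re.compile(r"IP Flow Switching Cache, (\d+) bytes")
# Anchored at end of line so the sub-flow cache line, which carries an extra
# ", N added to flow" suffix, does not match.
COUNTS_RE = re.compile(r"\s*(\d+) active, (\d+) inactive, (\d+) added\s*$")


def parse_cache_flow(text):
    """Return (summary, protocols) from show ip cache flow output.

    summary holds the Bytes, Active, Inactive and Added fields of the main
    flow cache; protocols is a list of dicts carrying the per-protocol fields
    of Table 1-8 (Total flows, Flows/sec, Packets/flow, Bytes/pkt, Packets/sec).
    """
    summary = {}
    protocols = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            m = CACHE_RE.match(line)
            if m:
                summary["bytes"] = int(m.group(1))
                continue
            m = COUNTS_RE.match(line)
            if m and "active" not in summary:
                summary["active"], summary["inactive"], summary["added"] = (
                    int(v) for v in m.groups())
                continue
            if line.startswith("--------"):
                in_table = True      # the dashed line ends the two-row header
            continue
        if not line.strip():
            continue
        parts = line.split()
        protocols.append({
            "protocol": parts[0].rstrip(":"),   # "Total:" becomes "Total"
            "total_flows": int(parts[1]),
            "flows_per_sec": float(parts[2]),
            "packets_per_flow": int(parts[3]),
            "bytes_per_pkt": int(parts[4]),
            "packets_per_sec": float(parts[5]),
        })
    return summary, protocols


def estimated_bytes(row):
    """Approximate bytes carried by a protocol since statistics were last
    cleared: flows x average packets per flow x average bytes per packet."""
    return row["total_flows"] * row["packets_per_flow"] * row["bytes_per_pkt"]


def rank_protocols(protocols):
    """Protocol rows (the Total row excluded) ordered by estimated volume, largest first."""
    rows = [r for r in protocols if r["protocol"] != "Total"]
    return sorted(rows, key=estimated_bytes, reverse=True)


if __name__ == "__main__":
    summary, protocols = parse_cache_flow(SAMPLE_CACHE_FLOW)
    print("cache: %(bytes)d bytes, %(active)d active, %(inactive)d inactive, "
          "%(added)d added" % summary)
    for row in rank_protocols(protocols):
        print("%-12s %6d flows  ~%d bytes" % (row["protocol"], row["total_flows"],
                                              estimated_bytes(row)))
```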
Network Analysis Tools
To obtain application-level information, the IP packet needs to be further inspected. Cisco
devices or dedicated hardware or software analyzers capture packets or use Simple Network Management Protocol (SNMP) to gather specific information. Network analysis
tools include the following:
■ Netformx DesignXpert Enterprise: An integrated desktop tool for discovery, design, configuration, quoting and proposing integrated communications network solutions.
■ CNS NetFlow Collector Engine: Cisco hardware that gathers every flow in a network segment.
■ Cisco Embedded Resource Manager (ERM): Allows for granular monitoring on a task basis within the Cisco IOS software. It monitors the internal system resource utilization for specific resources, such as the buffer, memory, and CPU.
■ Third-party tools: Such as Sniffer, AirMagnet Wifi Analyzer, BVS Yellowjacket 802.11, NetIQ Vivinet Assessor, Netcordia NetMRI, and SolarWinds Orion.
Network Checklist
The following network checklist can be used to determine a network’s health status:
■ New segments should use switched technology rather than dated hub/shared technology.
■ No WAN links are saturated (no more than 70 percent sustained network utilization).
■ The response time is generally less than 100 ms (one-tenth of a second); more commonly, less than 2 ms in a LAN.
■ No segments have more than 20 percent broadcasts or multicast traffic. Broadcasts are sent to all hosts in a network and should be limited. Multicast traffic is sent to a group of hosts but should also be controlled and limited to only those hosts registered to receive it.
■ No segments have more than one cyclic redundancy check (CRC) error per million bytes of data.
■ On the Ethernet segments, less than 0.1 percent of the packets result in collisions.
■ A CPU utilization at or more than 75 percent for a 5-minute interval likely suggests network problems. Normal CPU utilization should be much lower during normal periods.
■ The number of output queue drops has not exceeded 100 in an hour on any Cisco router.
■ The number of input queue drops has not exceeded 50 in an hour on any Cisco router.
■ The number of buffer misses has not exceeded 25 in an hour on any Cisco router.
■ The number of ignored packets has not exceeded 10 in an hour on any interface on a Cisco router.
■ QoS should be enabled on network devices to allow for prioritization of time-sensitive or bandwidth-sensitive applications.
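The following Python script is an added example, not the book's own material: it applies the measurable thresholds from the checklist above (WAN utilization, broadcast share, CRC errors per million bytes, collision rate, five-minute CPU, and the hourly drop, miss and ignore ceilings) to a constructed audit snapshot. The snapshot is an invented dict of per-interface counters of the kind show interface and show processes cpu report; the field names are this example's own, not IOS output.

```python
# Constructed audit snapshot (invented figures, not taken from a real device).
# Counters are deltas over a one-hour window; rates are bits per second.
SAMPLE_INTERFACES = [
    {
        "name": "Serial0/0", "kind": "wan", "bandwidth_bps": 1_544_000,
        "in_bps": 1_200_000, "out_bps": 800_000,
        "in_packets": 900_000, "out_packets": 850_000,
        "in_bytes": 540_000_000, "broadcasts": 100, "multicasts": 0,
        "crc_errors": 0, "collisions": 0,
        "output_drops": 20, "input_drops": 5, "buffer_misses": 0, "ignored": 0,
    },
    {
        "name": "FastEthernet0/0", "kind": "lan", "bandwidth_bps": 100_000_000,
        "in_bps": 5_000_000, "out_bps": 7_000_000,
        "in_packets": 1_000_000, "out_packets": 800_000,
        "in_bytes": 2_000_000_000, "broadcasts": 150_000, "multicasts": 100_000,
        "crc_errors": 2_500, "collisions": 50,
        "output_drops": 120, "input_drops": 10, "buffer_misses": 0, "ignored": 12,
    },
]
SAMPLE_CPU_5MIN = 80   # percent, as reported for the five-minute average

# Hourly ceilings from the checklist: counter name -> maximum per hour.
PER_HOUR_LIMITS = {"output_drops": 100, "input_drops": 50,
                   "buffer_misses": 25, "ignored": 10}


def check_interface(intf):
    """Return the checklist items an interface violates as readable findings."""
    findings = []
    name = intf["name"]
    # Sustained WAN utilization must stay at or below 70 percent. The busier
    # direction is used because a full-duplex link can saturate one way only.
    util = 100.0 * max(intf["in_bps"], intf["out_bps"]) / intf["bandwidth_bps"]
    if intf["kind"] == "wan" and util > 70:
        findings.append("%s: WAN utilization %.1f%% exceeds 70%%" % (name, util))
    # Broadcast plus multicast share of received packets must stay at or below 20 percent.
    if intf["in_packets"]:
        share = 100.0 * (intf["broadcasts"] + intf["multicasts"]) / intf["in_packets"]
        if share > 20:
            findings.append("%s: broadcast/multicast share %.1f%% exceeds 20%%" % (name, share))
    # No more than one CRC error per million bytes received.
    if intf["in_bytes"]:
        crc_per_mb = intf["crc_errors"] / (intf["in_bytes"] / 1_000_000)
        if crc_per_mb > 1:
            findings.append("%s: %.2f CRC errors per million bytes exceeds 1" % (name, crc_per_mb))
    # On Ethernet, fewer than 0.1 percent of transmitted packets may collide.
    if intf["kind"] == "lan" and intf["out_packets"]:
        coll = 100.0 * intf["collisions"] / intf["out_packets"]
        if coll >= 0.1:
            findings.append("%s: collision rate %.3f%% is not below 0.1%%" % (name, coll))
    # Hourly drop, miss and ignore counters have fixed ceilings.
    for counter, limit in PER_HOUR_LIMITS.items():
        if intf[counter] > limit:
            findings.append("%s: %d %s in an hour exceeds %d"
                            % (name, intf[counter], counter.replace("_", " "), limit))
    return findings


def check_cpu(cpu_5min_percent):
    """A five-minute CPU average at or above 75 percent likely signals a problem."""
    if cpu_5min_percent >= 75:
        return ["CPU: five-minute utilization %d%% is at or above 75%%" % cpu_5min_percent]
    return []


def run_checklist(interfaces, cpu_5min_percent):
    """Evaluate the whole snapshot; an empty list means every check passed."""
    findings = check_cpu(cpu_5min_percent)
    for intf in interfaces:
        findings.extend(check_interface(intf))
    return findings


if __name__ == "__main__":
    for finding in run_checklist(SAMPLE_INTERFACES, SAMPLE_CPU_5MIN):
        print(finding)
```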
Table 1-9 summarizes areas in characterizing the network.
Table 1-9 Characterizing the Network
Characteristic: Description
Steps in gathering information: 1. Obtain existing information and documentation; 2. Network audit; 3. Traffic analysis
Primary sources of network audit information: Existing documentation; existing network management software; new network management tools
Designing the Network Topology and Solutions
This section describes the top-down approach for network design, reviews pilot and
prototype test networks, and describes the components of the design document. As
part of the Design phase of the PPDIOO methodology, a top-down approach is used
that begins with the organization’s requirements before looking at technologies. Network designs are tested using a pilot or prototype network before moving into the
Implement phase.
Top-Down Approach
Top-down design just means starting your design from the top layer of the OSI model and
working your way down. Top-down design adapts the network and physical infrastructure
to the network application’s needs. With a top-down approach, network devices and technologies are not selected until the applications’ requirements are analyzed. To complete a
top-down design, the following is accomplished:
■ Analysis of application and organization requirements
■ Design from the top of the OSI reference model
    ■ Define requirements for upper layers (Application, Presentation, Session)
    ■ Specify infrastructure for lower OSI layers (transport, network, data link, physical)
■ Gather additional data on the network
Figure 1-6 shows a top-down structure design process. The design process begins with
the applications and moves down to the network. Logical subdivisions are then incorporated with specifics.
Key Topic
Figure 1-6 Top-Down Design Process (Top-Down Design with Close Design Interaction between Application Design, Infrastructure Services Design, and Network Infrastructure Design; Logical Subdivision: Modularize the Network, Implement Functional Hierarchy, Technology Selection; Physical Topology Design, Addressing Design, Routing Design, QoS Design, Security Design, IP Multicast Design)
Table 1-10 compares the top-down approach to the bottom-up approach to network design.
Table 1-10 Top-Down Design Compared to Bottom-Up Design
Design Approach: Benefits / Disadvantages
Top-down
    Benefits: Incorporates the organization’s requirements. Provides the big picture. The design meets current and future requirements.
    Disadvantages: More time-consuming.
Bottom-up
    Benefits: The design is based on previous experience and allows for a quick solution.
    Disadvantages: May result in inappropriate design. Organizational requirements are not included.
Pilot and Prototype Tests
As soon as the design is complete and before the full implementation, it is a best practice to test the new solution. This testing can be done in one of two ways: prototype or
pilot.
A prototype network is a subset of the full design, tested in an isolated environment. The prototype does not connect to the existing network. The benefit of using a prototype is that it allows testing of the network design before it is deployed, without affecting a production network. When implementing a new technology such as IPsec, you might want to implement a prototype test before deploying it to the operational network.
A pilot site is an actual “live” location that serves as a test site before the solution is deployed to all locations in an enterprise. A pilot allows real-world problems to be discovered before deploying a network design solution to the rest of the internetwork.
With both a prototype and a pilot, successful testing leads to proving the design and moving forward with implementation. A failure leads to correcting the design and repeating
the tests to correct any deficiencies.
Design Document
The design document describes the business requirements; old network architecture; network requirements; and design, plan, and configuration information for the new network.
The network architects and analysts use it to document the new network changes, and it
serves as documentation for the enterprise. The design document should include the following sections:
■ Introduction describes the project’s purpose and the reasons for the network design.
■ Design Requirements lists the organization’s requirements, constraints, and goals.
■ Existing Network Infrastructure includes logical (Layer 3) topology diagrams; physical topology diagrams; audit results; network health analysis; routing protocols; a summary of applications; a list of network routers, switches, and other devices; configurations; and a description of issues.
■ Design contains the specific design information, such as logical and physical topology, IP addressing, routing protocols, and security configurations.
■ Proof of Concept results from live pilot or prototype testing.
■ Implementation Plan includes the detailed steps for the network staff to implement the new installation and changes.
■ Appendixes contain a list of existing network devices, configurations, and additional information used in the design of the network.
Table 1-11 summarizes the contents of the design document.
Table 1-11 Sections of the Design Document
Section: Description
Introduction: Purpose and goals of the network design
Design Requirements: Organization requirements and constraints
Existing Network Infrastructure: Contains diagrams, hardware and software versions, and existing configurations
Design: New logical topology, design, and IP addressing
Proof of Concept: Results from pilot or prototype
Implementation Plan: Detailed steps for implementation
Appendixes: Supporting information
The implementation of a network consists of several phases. Each step should contain the following information:
■ Description of the step
■ Reference to the design document
■ Detailed implementation guidelines
■ Detailed rollback guidelines
■ Estimated time to implement
References and Recommended Reading
Cisco Design Zone. www.cisco.com/en/US/netsol/ns742/networking_solutions_program_category_home.html.
Design Zone for Borderless Networks. www.cisco.com/en/US/netsol/ns1063/networking_solutions_program_home.html.
Design Zone for Collaboration. www.cisco.com/en/US/netsol/ns1062/networking_solutions_program_home.html.
Design Zone for Data Center. www.cisco.com/en/US/netsol/ns743/networking_solutions_program_home.html.
Cisco Data Center. www.cisco.com/en/US/netsol/ns340/ns394/ns224/architecture.html.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topics icon in the
outer margin of the page. Table 1-12 lists a reference of these key topics and the page
numbers on which each is found.
Table 1-12 Key Topics
Key Topic Element: Description (Page)
List: Forces affecting decisions for the enterprise network (page 8)
List: PPDIOO life cycle four main benefits (page 11)
List: Steps in gathering information (page 18)
Summary: Describes the top-down approach to network design (page 23)
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the
section for this chapter, and complete the tables and lists from memory. Appendix E,
“Memory Tables Answer Key,” also on the CD, includes completed tables and lists to
check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
PPDIOO, NBAR, NetFlow, policy control, virtualization
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. List the PPDIOO phases in order.
2. Which business forces affect decisions for the enterprise network?
a. Removal of borders
b. Virtualization
c. Growth of applications
d. 10GigEthernet
e. Regulation
f. ROI
g. Competitiveness
3. Which design methodology step is important for identifying organizational goals?
a. Identify customer requirements
b. Characterize the existing network
c. Design the network topology and solution
d. Examine the architecture
e. Validate the design
f. Obtain the ROI
4. What needs to be obtained prior to designing the network?
a. Expected ROI
b. Organizational and technical goals
c. Technical constraints
d. Bill of materials
e. Existing and new network applications
5. Match each PPDIOO phase with its description.
i. Implement
ii. Optimize
iii. Design
iv. Prepare
v. Operate
vi. Plan
a. Establish requirements
b. Gap analysis
c. Provides high-availability design
d. Installation and configuration
e. Day to day
f. Proactive management
6. Which borderless architecture provides mobility?
a. Policy
b. Network services
c. User services
d. Connection management
e. Control services
7. Which are the three steps in PPDIOO design methodology?
a. Reviewing the project cost
b. Designing the network topology and solution
c. Characterizing the network
d. Identifying customer requirements.
e. Validating the design
8. Match each infrastructure service with its description.
i. Identity
ii. Mobility
iii. Storage
iv. Compute
v. Security
vi. Voice/collaboration
a. Access from a remote location
b. Improved computational resources
c. Unified messaging
d. AAA, NAC
e. Storage of critical data
f. Secure communications
9. A company location is used to test a new VoIP solution. What is this type of test called?
a. Prototype
b. Pilot
c. Implementation
d. New
10. An isolated network is created to test a new design. What is this type of test called?
a. Prototype
b. Pilot
c. Implementation
d. New
11. NBAR, NetFlow, and EtherPeek are examples of what?
a. Network audit tools
b. Network analysis tools
c. SNMP tools
d. Trending tools
12. Monitoring commands, CiscoWorks, and WhatsUP are examples of what?
a. Network audit tools
b. Network analysis tools
c. SNMP tools
d. Trending tools
13. Which of the following are technical constraints? (Select all that apply.)
a. Existing wiring
b. Existing network circuit bandwidth
c. Improving the LAN’s scalability
d. Adding redundancy
14. Which of the following are technical goals? (Select all that apply.)
a. Existing wiring
b. Existing network circuit bandwidth
c. Improving the LAN’s scalability
d. Adding redundancy
15. Which of the following are organizational goals? (Select all that apply.)
a. Improving customer support
b. Budget has been established
c. Increasing competitiveness
d. Completion in three months
e. Reducing operational costs
f. Network personnel are busy
16. Which of the following are organizational constraints? (Select all that apply.)
a. Improving customer support
b. Budget has been established
c. Increasing competitiveness
d. Completion in three months
e. Reducing operational costs
f. Network personnel are busy
17. What components are included in the design document? (Select four.)
a. IP addressing scheme
b. Implementation plan
c. List of Layer 2 devices
d. Design requirements
e. Selected routing protocols
f. List of Layer 1 devices
18. Match each design document section with its description.
i. Introduction
ii. Design requirements
iii. Existing Network Infrastructure
iv. Design
v. Proof of Concept
vi. Implementation Plan
vii. Appendix
a. Detailed steps
b. Current diagram and configuration
c. Organizational requirements
d. Goals
e. Pilot
f. New logical topology
g. Supporting information
19. The network health analysis is based on what information?
a. The number of users accessing the Internet
b. The statements made by the CIO
c. Statistics from the existing network
d. The IP addressing scheme
20. While performing a network audit, you encounter a Frame Relay WAN segment running at a sustained rate of 75 percent from 9 a.m. to 5 p.m. What do you recommend?
a. Nothing. The daily 24-hour average rate is still 45 percent.
b. Change from Frame Relay to MPLS.
c. Increase the provisioned WAN bandwidth.
d. Deny VoIP calls from 9 a.m. to 5 a.m.
21. What information is included in the network audit report? (Select all that apply.)
a. Network device list
b. IOS versions
c. Router models
d. Interface speeds
e. WAN utilization
22. Which three tasks are part of characterizing the existing network?
a. Speaking with the CIO
b. Using traffic analysis
c. Automated auditing of the network using tools
d. Collect information
e. Obtaining organizational chart
f. Defining organizational goals
23. Which command provides the average CPU of a Cisco router?
a. show cpu
b. show processes cpu
c. show processes memory
d. show cpu utilization
e. show cpu average
24. Which parameters can be obtained by the use of a traffic analyzer?
a. Application importance
b. QoS requirements
c. Devices using a specific protocol
d. IP addresses of devices and TCP/UDP port number
e. Average bit rate and packet rate
25. Which commands provide information about individual applications, protocols, or flows? (Choose three.)
a. show process cpu
b. show ip interface
c. show ip cache flow
d. show ip nbar protocol-discovery
e. show process memory
f. show interface application
26. What is used to create the documentation of the existing network?
a. Router show commands
b. Network audit, documentation, and traffic analysis tools
c. Audit tools
d. Existing documentation and input from organization
27. What is the sequence for the stages of top-down design?
28. Which are potential scopes for a network design project? (Choose three.)
a. Network layer redundancy
b. Campus upgrade
c. Data link layer redundancy
d. Network redesign
e. WAN upgrade
f. Application upgrade
29. A credit card company network is being designed. Secure transactions are emphasized throughout the initial requirements. Redundant links are required to reduce network outages. What is the order of importance of the following design issues?
a. IP addressing design
b. Physical topology design
c. Network modules
d. Security design
30. Which types of tools are used during the network design process?
a. Network management tools
b. Network trending tools
c. Network modeling tools
d. Network simulation and testing tools
e. Network implementation tools
31. Which four items should be present in the implementation plan?
a. Implementation description
b. Estimated time to implement
c. Reference to design document
d. Rollback procedure
e. Estimated cost of implementation
f. Application profiles
32. A new design uses IPsec for the WAN. Which approach should be used to verify the design?
a. Live network
b. Pilot network
c. Prototype network
d. Cable network
e. Internet network
33. Which three are included in the design document?
a. Design details
b. Design requirements
c. Current cable runs
d. List of Layer 2 devices
e. Implementation plan
This chapter covers the following subjects:
■ Hierarchical Network Models
■ Cisco Enterprise Architecture Model
■ High Availability Network Services
CHAPTER 2
Network Structure Models
This chapter reviews the hierarchical network model and introduces Cisco’s Enterprise
Architecture model. This architecture model separates network design into more manageable modules. This chapter also addresses the use of device, media, and route redundancy
to improve network availability.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The eight-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.
Table 2-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 2-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section: Questions Covered in This Section
Hierarchical Network Models: 1, 3
Cisco Enterprise Architecture Model: 2, 5, 6, 7
High Availability Network Services: 4, 8
1. In the hierarchical network model, which layer is responsible for fast transport?
a. Network
b. Core
c. Distribution
d. Access
2. Which Enterprise Architecture model component interfaces with the service provider (SP)?
a. Campus infrastructure
b. Access layer
c. Enterprise edge
d. Edge distribution
3. In the hierarchical network model, at which layer do security filtering, address aggregation, and media translation occur?
a. Network
b. Core
c. Distribution
d. Access
4. Which of the following is/are method(s) of workstation-to-router redundancy in the access layer?
a. AppleTalk Address Resolution Protocol (AARP)
b. Hot Standby Router Protocol (HSRP)
c. Virtual Router Redundancy Protocol (VRRP)
d. Answers B and C
e. Answers A, B, and C
5. The network-management module has tie-ins to which component(s)?
a. Campus infrastructure
b. Server farm
c. Enterprise edge
d. SP edge
e. Answers a and b
f. Answers a, b, and c
g. Answers a, b, c, and d
6. Which of the following is an SP edge module in the Cisco Enterprise Architecture model?
a. Public switched telephone network (PSTN) service
b. Edge distribution
c. Server farm
d. Core layer
7. In which module would you place Cisco Unified Communications Manager (CUCM)?
a. Campus core
b. E-commerce
c. Server farm
d. Edge distribution farm
8. High availability, port security, and rate limiting are functions of which hierarchical layer?
a. Network
b. Core
c. Distribution
d. Access
Foundation Topics
With the complexities of network design, the CCDA needs to understand network models
used to simplify the design process. The hierarchical network model was one of the first
Cisco models that divided the network into core, distribution, and access layers.
The Cisco Enterprise Architecture model provides a functional modular approach to network design. In addition to a hierarchy, modules are used to organize server farms, network management, campus networks, WANs, and the Internet.
Hierarchical Network Models
Key Topic
Hierarchical models enable you to design internetworks that use specialization of function combined with a hierarchical organization. Such a design simplifies the tasks required
to build a network that meets current requirements and can grow to meet future requirements. Hierarchical models use layers to simplify the tasks for internetworking. Each layer
can focus on specific functions, allowing you to choose the right systems and features for
each layer. Hierarchical models apply to both LAN and WAN design.
Benefits of the Hierarchical Model
The benefits of using hierarchical models for your network design include the following:
■ Cost savings
■ Ease of understanding
■ Modular network growth
■ Improved fault isolation
After adopting hierarchical design models, many organizations report cost savings because they are no longer trying to do everything in one routing or switching platform. The
model’s modular nature enables appropriate use of bandwidth within each layer of the hierarchy, reducing the provisioning of bandwidth in advance of actual need.
Keeping each design element simple and functionally focused facilitates ease of understanding, which helps control training and staff costs. You can distribute network monitoring and management reporting systems to the different layers of modular network
architectures, which also helps control management costs.
Hierarchical design facilitates changes. In a network design, modularity lets you create design elements that you can replicate as the network grows. As each element in the network
design requires change, the cost and complexity of making the upgrade are contained to a
small subset of the overall network. In large, flat network architectures, changes tend to
impact a large number of systems. Limited mesh topologies within a layer or component,
such as the campus core or backbone connecting central sites, retain value even in the hierarchical design models.
Network managers can easily understand the transition points in the network, which helps
identify failure points. It is more difficult to troubleshoot if hierarchical design is not used
because the network is not divided into segments.
Today’s fast-converging protocols were designed for hierarchical topologies. To control
the impact of routing-protocol processing and bandwidth consumption, you must use
modular hierarchical topologies with protocols designed with these controls in mind, such
as the Open Shortest Path First (OSPF) routing protocol.
Hierarchical network design facilitates route summarization. Enhanced Interior Gateway Routing Protocol (EIGRP) and all other routing protocols benefit greatly from route summarization. Route summarization reduces routing-protocol overhead on links in the network and reduces routing-protocol processing within the routers. It is much harder to summarize routes if the network is not hierarchical.
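As an added illustration of why summarization depends on hierarchical addressing (editor-supplied example code, not from the book or from Cisco): the script below takes the access-VLAN subnets of one distribution block (constructed addressing, assumed for the example) and computes the single summary prefix the distribution layer would advertise toward the core. It then checks whether that summary is tight. A summary that covers address space no subnet actually uses attracts traffic for addresses that do not exist, which is why a discard route for the summary is normally installed next to it.

```python
import ipaddress

# Constructed example addressing for one building's distribution block
# (assumed for this illustration; the book does not specify an addressing plan).
BUILDING_A_SUBNETS = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
    "10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24",
]

# A block whose subnets were not allocated contiguously: the kind of addressing
# a flat, non-hierarchical design tends to produce.
SCATTERED_SUBNETS = ["10.1.0.0/24", "10.1.9.0/24"]


def summarize(prefixes):
    """Return the smallest single prefix that covers every subnet in the list.

    This is the one route the distribution layer would advertise toward the
    core instead of the individual /24s.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen by one bit until everything fits
    return summary


def summary_holes(prefixes):
    """Return the address blocks inside the summary that no listed subnet uses.

    Packets for these addresses are attracted by the summary route but have no
    more-specific destination; an empty result means the summary is tight.
    """
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))
    remaining = [summarize(prefixes)]
    for net in nets:
        next_pieces = []
        for piece in remaining:
            if net.subnet_of(piece):
                next_pieces.extend(piece.address_exclude(net))  # carve the subnet out
            elif piece.subnet_of(net):
                continue                                        # fully covered: drop it
            else:
                next_pieces.append(piece)
        remaining = next_pieces
    return sorted(remaining)


def summary_is_tight(prefixes):
    """True when the summary advertises exactly the listed address space."""
    return not summary_holes(prefixes)


if __name__ == "__main__":
    for name, block in (("building A", BUILDING_A_SUBNETS),
                        ("scattered", SCATTERED_SUBNETS)):
        s = summarize(block)
        print(f"{name}: {len(block)} prefixes summarize to {s}, "
              f"tight={summary_is_tight(block)}, holes={summary_holes(block)}")
```

The contiguous block collapses eight prefixes into one tight /21. The scattered pair still summarizes, but to a /20 with six unused holes totalling 3584 addresses; the core would carry one route either way, which shows that summarization only stays tight when the address plan follows the hierarchy.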
Hierarchical Network Design
As shown in Figure 2-1, a traditional hierarchical LAN design has three layers:
■ The core layer provides fast transport between distribution switches within the enterprise campus.
■ The distribution layer provides policy-based connectivity.
■ The access layer provides workgroup and user access to the network.
Figure 2-1 Hierarchical Network Design Has Three Layers: Core, Distribution, and Access (figure: the core, distribution, and access layers, with the core connecting to the enterprise edge modules)
Each layer provides necessary functionality to the enterprise campus network. You do not
need to implement the layers as distinct physical entities. You can implement each layer in
one or more devices or as cooperating interface components sharing a common chassis.
Smaller networks can “collapse” multiple layers to a single device with only an implied hierarchy. Maintaining an explicit awareness of hierarchy is useful as the network grows.
Core Layer
The core layer is the network’s high-speed switching backbone that is crucial to corporate
ing characteristics:
■ Fast transport
■ High reliability
■ Redundancy
■ Fault tolerance
■ Low latency and good manageability
■ Avoidance of CPU-intensive packet manipulation caused by security, inspection, quality of service (QoS) classification, or other processes
■ Limited and consistent diameter
■ QoS
When a network uses routers, the number of router hops from edge to edge is called the
diameter. As noted, it is considered good practice to design for a consistent diameter
within a hierarchical network. The trip from any end station to another end station across
the backbone should have the same number of hops. The distance from any end station to
a server on the backbone should also be consistent.
Limiting the internetwork’s diameter provides predictable performance and ease of troubleshooting. You can add distribution layer routers and client LANs to the hierarchical
model without increasing the core layer’s diameter. Use of a block implementation isolates
existing end stations from most effects of network growth.
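The diameter claims above can be checked on a model. The following is an added example (editor-supplied, not from the book or from Cisco) that builds an assumed three-tier campus as a graph: a core pair, one distribution pair per building, and access switches dual-homed to their building's distribution pair. It computes hop counts between access switches in different buildings and compares them with a flat daisy chain of access switches of the same kind.

```python
from collections import deque


def build_campus(buildings, access_per_building):
    """Construct a three-tier campus (assumed topology for this illustration).

    Two core switches, one distribution pair per building, and every access
    switch dual-homed to its building's distribution pair.  Returns the
    undirected link set and the access switches grouped by building.
    """
    links = set()

    def link(a, b):
        links.add((a, b))
        links.add((b, a))

    core = ["core1", "core2"]
    link(*core)
    access_by_building = []
    for b in range(buildings):
        dist = [f"dist{b}a", f"dist{b}b"]
        link(*dist)
        for d in dist:
            for c in core:
                link(d, c)
        access = [f"acc{b}_{i}" for i in range(access_per_building)]
        for a in access:
            for d in dist:
                link(a, d)
        access_by_building.append(access)
    return links, access_by_building


def build_chain(n):
    """Construct a flat topology: n access switches daisy-chained together."""
    links = set()
    for i in range(n - 1):
        links.add((f"acc{i}", f"acc{i + 1}"))
        links.add((f"acc{i + 1}", f"acc{i}"))
    return links


def hops(links, src, dst):
    """Breadth-first search: number of hops on the shortest path from src to dst."""
    adjacent = {}
    for a, b in links:
        adjacent.setdefault(a, set()).add(b)
    distance = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return distance[node]
        for nxt in adjacent.get(node, ()):
            if nxt not in distance:
                distance[nxt] = distance[node] + 1
                queue.append(nxt)
    return None


def cross_building_hop_counts(links, access_by_building):
    """Set of hop counts between access switches in different buildings.

    A single-element set means the backbone diameter is consistent: every
    end station reaches every other building's end stations in the same
    number of hops.
    """
    counts = set()
    for i, group_a in enumerate(access_by_building):
        for group_b in access_by_building[i + 1:]:
            for a in group_a:
                for b in group_b:
                    counts.add(hops(links, a, b))
    return counts


def chain_diameter(n):
    """Hop count across the whole daisy chain, which grows with every switch added."""
    return hops(build_chain(n), "acc0", f"acc{n - 1}")


if __name__ == "__main__":
    for buildings, per_building in ((2, 3), (5, 10)):
        links, access = build_campus(buildings, per_building)
        print(f"{buildings} buildings x {per_building} access switches: "
              f"cross-building hop counts {cross_building_hop_counts(links, access)}")
    print("flat chain of 10:", chain_diameter(10), "hops; of 40:", chain_diameter(40))
```

In the hierarchical model every cross-building path is access, distribution, core, distribution, access (4 hops) no matter how many buildings or access switches are added, whereas the flat chain's diameter grows by one with every switch.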
Distribution Layer
The network’s distribution layer is the isolation point between the network’s access and
core layers. The distribution layer can have many roles, including implementing the following functions:
■ Policy-based connectivity (for example, ensuring that traffic sent from a particular network is forwarded out one interface while all other traffic is forwarded out another interface)
■ Redundancy and load balancing
■ Aggregation of LAN wiring closets
■ Aggregation of WAN connections
■ QoS
■ Security filtering
■ Address or area aggregation or summarization
■ Departmental or workgroup access
■ Broadcast or multicast domain definition
■ Routing between virtual LANs (VLAN)
■ Media translations (for example, between Ethernet and Token Ring)
■ Redistribution between routing domains (for example, between two different routing protocols)
■ Demarcation between static and dynamic routing protocols
You can use several Cisco IOS Software features to implement policy at the distribution layer:
■ Filtering by source or destination address
■ Filtering on input or output ports
■ Hiding internal network numbers by route filtering
■ Static routing
■ QoS mechanisms, such as priority-based queuing
The distribution layer aggregates routes, providing route summarization to the core. In campus LANs, the distribution layer provides routing between VLANs and also applies security and QoS policies.
Access Layer
The access layer provides user access to local segments on the network. The access layer is
characterized by switched LAN segments in a campus environment. Microsegmentation
using LAN switches provides high bandwidth to workgroups by reducing the number of
devices on Ethernet segments. Functions of the access layer include the following:
■ Layer 2 switching
■ High availability
■ Port security
■ Broadcast suppression
■ QoS classification and marking and trust boundaries
■ Rate limiting/policing
■ Address Resolution Protocol (ARP) inspection
■ Virtual access control lists (VACL)
■ Spanning tree
■ Trust classification
■ Power over Ethernet (PoE) and auxiliary VLANs for VoIP
■ Auxiliary VLANs
You implement high availability models at the access layer. The section, “Network
Availability,” covers availability models. The LAN switch in the access layer can control
access to the port and limit the rate at which traffic is sent to and from the port. You can
access lists.
Other chapters of this book cover the other functions in the list.
For small office/home office (SOHO) environments, the entire hierarchy collapses to interfaces on a single device. Remote access to the central corporate network is through traditional WAN technologies such as ISDN, Frame Relay, and leased lines. You can implement
features such as dial-on-demand routing (DDR) and static routing to control costs. Remote
access can include virtual private network (VPN) technology.
Table 2-2 summarizes the hierarchical layers.
Table 2-2 Cisco Enterprise Architecture Model

Hierarchical Layer   Description
Core                 Fast transport; high reliability; redundancy; fault tolerance; low latency and good manageability; avoidance of slow packet manipulation caused by filters or other processes; limited and consistent diameter; QoS
Distribution         Policy-based connectivity; redundancy and load balancing; aggregation of LAN wiring closets; aggregation of WAN connections; QoS; security filtering; address or area aggregation or summarization; departmental or workgroup access; broadcast or multicast domain definition; routing between VLANs; media translations (for example, between Ethernet and Token Ring); redistribution between routing domains (for example, between two different routing protocols); demarcation between static and dynamic routing protocols
Access               Layer 2 switching; high availability; port security; broadcast suppression; QoS; rate limiting; ARP inspection; VACLs; spanning tree; trust classification; PoE and auxiliary VLANs for VoIP
Hierarchical Model Examples
You can implement the hierarchical model by using a traditional switched campus design
or routed campus network. Figure 2-2 is an example of a switched hierarchical design in
the enterprise campus. In this design, the core provides high-speed transport between the
distribution layers. The building distribution layer provides redundancy and allows policies to be applied to the building access layer. Layer 3 links between the core and distribution switches are recommended to allow the routing protocol to take care of load
balancing and fast route redundancy in the event of a link failure. The distribution layer is
the boundary between the Layer 2 domains and the Layer 3 routed network. Inter-VLAN
communications are routed in the distribution layer. Route summarization is configured
on interfaces toward the core layer. The drawback with this design is that Spanning Tree
Protocol (STP) allows only one of the redundant links between the access switch and the
distribution switch to be active. In the event of a failure, the second link becomes active,
but at no point does load balancing occur.
Figure 2-3 shows examples of a routed hierarchical design. In this design, the Layer 3
boundary is pushed toward the access layer. Layer 3 switching occurs in access, distribution, and core layers. Route filtering is configured on interfaces toward the access layer.
Route summarization is configured on interfaces toward the core layer. The benefit of this
design is that load balancing occurs from the access layer since the links to the distribution switches are routed.
Another solution for providing redundancy between the access and distribution switching
is the Virtual Switching System (VSS). VSS solves the STP looping problem by converting
the distribution switching pair into a logical single switch. It removes STP, and negates the
need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol
(VRRP), or Gateway Load Balancing Protocol (GLBP).
Figure 2-2 Switched Hierarchical Design (figure: Layer 3 switching in the core with route summarization and load balancing; the distribution layer is the Layer 3 boundary with packet filtering, policing, and aggregation of access; Layer 2 switching in the wiring closet at the access layer; links above the distribution layer are Layer 3 routed and links below it are Layer 2 switched)

Figure 2-3 Routed Hierarchical Design (figure: Layer 3 switching in the core with route summarization and load balancing; the distribution layer is the Layer 3 boundary with packet filtering, policing, and route filtering toward the access layer; Layer 3 routed links extend down to the access layer, where VLANs are local to the wiring closet and Layer 2 switching remains within it)
With VSS, the physical topology changes as each access switch has a single upstream distribution switch versus having two upstream distribution switches. VSS is configured only
on Cisco 6500 switches using the VSS Supervisor 720-10G. As shown in Figure 2-4, the
two switches are connected via a 10GE link called the virtual switch link (VSL), which makes them appear as a single switch. The key benefits of VSS include
■ Layer 3 switching can be used toward the access layer, enhancing nonstop communication.
■ Scales system bandwidth up to 1.44 Tbps.
■ Simplified management of a single configuration of the VSS distribution switch.
■ Better return on investment (ROI) via increased bandwidth between the access layer and the distribution layer.
■ Uses existing Catalyst 6500 switches; no new chassis are needed.
Figure 2-4 VSS (figure: the traditional design with STP between the access and distribution layers, where STP blocks one of the upstream links, compared with VSS 1440, which allows both upstream links to be used; the VSS logical view shows the distribution pair as a single switch)
Cisco Enterprise Architecture Model
The Cisco Enterprise Architecture model facilitates the design of larger, more scalable
networks.
As networks become more sophisticated, it is necessary to use a more modular approach
to design than just WAN and LAN core, distribution, and access layers. The architecture
divides the network into functional network areas and modules. These areas and modules
of the Cisco Enterprise Architecture are
■ Enterprise campus area
■ Enterprise data center module
■ Enterprise branch module
■ Enterprise teleworker module
The Cisco Enterprise Architecture model maintains the concept of distribution and access
components connecting users, WAN services, and server farms through a high-speed campus backbone. The modular approach in design should be a guide to the network architect. In smaller networks, the layers can collapse into a single layer, even a single device,
but the functions remain.
Figure 2-5 shows the Cisco Enterprise Architecture model. The enterprise campus area
e-commerce, VPN, and WAN modules that connect the enterprise to the service
provider’s facilities. The SP edge area provides Internet, public switched telephone network (PSTN), and WAN services to the enterprise.
Figure 2-5 Cisco Enterprise Architecture Model (figure: the Enterprise Campus area with campus core, building distribution, building access, and data center; the Enterprise Edge with e-commerce/DMZ/Internet, enterprise WAN, and remote access VPN modules; the SP Edge with ISP 1, ISP 2, WAN/Internet services over MPLS/MAN, Frame Relay, and ATM, and the PSTN; and the remote modules: enterprise branch, enterprise data center, and enterprise teleworkers)
The network management servers reside in the campus infrastructure but have tie-ins to all
the components in the enterprise network for monitoring and management.
The enterprise edge connects to the edge-distribution module of the enterprise campus.
In small and medium sites, the edge distribution can collapse into the campus backbone
component. It provides connectivity to outbound services that are further described in
later sections.
Enterprise Campus Module
The enterprise campus consists of the following submodules:
■ Campus core
■ Building distribution
■ Building access
■ Server farm/data center
Figure 2-6 shows the Enterprise Campus model. The campus infrastructure consists of the
campus core, building distribution, and building access layers. The campus core provides a high-speed switched backbone between buildings, to the server farm and towards the enterprise edge. This segment consists of redundant and fast-convergence connectivity. The
building distribution layer aggregates all the closet access switches and performs access
control, QoS, route redundancy, and load balancing. The building access switches provide
VLAN access, PoE for IP phones and wireless access points, broadcast suppression, and
spanning tree.
Figure 2-6 Enterprise Campus Model (figure: the enterprise campus with data center, campus core, building distribution, and building access)
The server farm or data center provides high-speed access and high availability (redundancy) to the servers. Enterprise servers such as file and print servers, application servers,
email servers, Dynamic Host Configuration Protocol (DHCP), and Domain Name System
(DNS) servers are placed in the server farm. Cisco Unified CallManager servers are placed
in the server farm for IP telephony networks. Network management servers are located in
the server farm, but these servers link to each module in the campus to provide network
monitoring, logging, trending, and configuration management.
An enterprise campus infrastructure can apply to small, medium, and large locations. In
most instances, large campus locations have a three-tier design with a wiring-closet component (building access layer), a building distribution layer, and a campus core layer. Small
campus locations likely have a two-tier design with a wiring-closet component (Ethernet
ble to configure distribution functions in a multilayer building access device to maintain
the focus of the campus backbone on fast transport. Medium-sized campus network designs sometimes use a three-tier implementation or a two-tier implementation, depending
on the number of ports, service requirements, manageability, performance, and availability
required.
Enterprise Edge Area
As shown in Figure 2-7, the enterprise edge consists of the following submodules:
■ E-commerce networks and servers
■ Internet connectivity and demilitarized zone (DMZ)
■ VPN and remote access
■ Enterprise WAN
Figure 2-7 Enterprise Edge Module (figure: the enterprise edge with e-commerce, DMZ/Internet, enterprise WAN, and remote access VPN submodules)
E-Commerce Module
business services. It uses the high availability designs of the server farm module with the
Internet connectivity of the Internet module. Design techniques are the same as those described for these modules. Devices located in the e-commerce submodule include
■ Web and application servers: Primary user interface for e-commerce navigation.
■ Database servers: Contain the application and transaction information.
■ Firewall and firewall routers: Govern the communication between users of the system.
■ Network intrusion prevention systems (IPS): Provide monitoring of key network segments in the module to detect and respond to attacks against the network.
■ Multilayer switch with IPS modules: Provide traffic transport and integrated security monitoring.
Internet Connectivity Module
The Internet submodule of the enterprise edge provides services such as public servers,
email, and DNS. Connectivity to one or several Internet service providers (ISP) is also provided. Components of this submodule include
■ Firewall and firewall routers: Provide protection of resources, stateful filtering of traffic, and VPN termination for remote sites and users
■ Internet edge routers: Provide basic filtering and multilayer connectivity
■ FTP and HTTP servers: Provide for web applications that interface the enterprise with the world via the public Internet
■ SMTP relay servers: Act as relays between the Internet and the intranet mail servers
■ DNS servers: Serve as the authoritative external DNS server for the enterprise and relay internal requests to the Internet
Several models connect the enterprise to the Internet. The simplest form is to have a single
circuit between the enterprise and the SP, as shown in Figure 2-8. The drawback is that
you have no redundancy or failover if the circuit fails.
Figure 2-8 Simple Internet Connection (figure: a single circuit between the enterprise edge and the service provider edge)
You can use multihoming solutions to provide redundancy or failover for Internet service.
Figure 2-9 shows four Internet multihoming options:
■ Option 1: Single router, dual links to one ISP
■ Option 2: Single router, dual links to two ISPs
■ Option 3: Dual routers, dual links to one ISP
■ Option 4: Dual routers, dual links to two ISPs
Figure 2-9 Internet Multihoming Options (figure: Options 1 through 4, each showing the enterprise edge connected to the SP edge; Options 1 and 3 connect to ISP A only, while Options 2 and 4 connect to both ISP A and ISP B)
Option 1 provides link redundancy but does not provide ISP and local router redundancy.
Option 2 provides link and ISP redundancy but does not provide redundancy for a local
router failure. Option 3 provides link and local router redundancy but does not provide for
an ISP failure. Option 4 provides for full redundancy of the local router, links, and ISPs.
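The redundancy comparison above can be derived rather than memorized. The following is an added example (editor-supplied, not from the book or from Cisco) that models each of the four options as a small graph and enumerates every single-component failure (each uplink, each local router, each ISP) to see whether the campus still reaches the Internet. It goes slightly beyond the text in that the same enumeration works for any router and ISP count. The model assumes that the LAN-to-router and ISP-to-Internet segments never fail, and it does not capture correlated failures such as two uplinks sharing one conduit.

```python
def option_topology(routers, isps):
    """Build one of Figure 2-9's options from its router and ISP counts.

    Every option has two uplinks.  With two routers, each router gets one
    uplink; with two ISPs, each ISP gets one uplink.  Returns router names,
    ISP names and the uplinks as (router, isp, link_id) tuples.
    """
    router_names = [f"R{i}" for i in range(1, routers + 1)]
    isp_names = [f"ISP{c}" for c in "AB"[:isps]]
    uplinks = [
        (router_names[k % routers], isp_names[k % isps], f"link{k + 1}")
        for k in range(2)
    ]
    return router_names, isp_names, uplinks


def internet_reachable(router_names, isp_names, uplinks, failed=frozenset()):
    """True if the campus ("LAN") still has a path to the Internet ("INET")
    after removing the failed routers, ISPs and link ids.

    Assumed model: LAN-to-router and ISP-to-Internet connectivity never fail;
    only the enterprise edge components under study do.
    """
    edges = ([("LAN", r, None) for r in router_names] + list(uplinks)
             + [(isp, "INET", None) for isp in isp_names])
    reach = {"LAN"}
    grew = True
    while grew:                 # expand the reachable set until it stops growing
        grew = False
        for a, b, link_id in edges:
            if a in failed or b in failed or link_id in failed:
                continue
            if (a in reach) != (b in reach):
                reach.update((a, b))
                grew = True
    return "INET" in reach


def single_failure_survival(router_names, isp_names, uplinks):
    """Map every single component (link, router, ISP) to whether its loss is survived."""
    components = [u[2] for u in uplinks] + router_names + isp_names
    return {c: internet_reachable(router_names, isp_names, uplinks, frozenset([c]))
            for c in components}


def redundancy_classes(routers, isps):
    """Which failure classes an option fully tolerates: any single uplink,
    any single local router, any single ISP."""
    r, i, u = option_topology(routers, isps)
    survived = single_failure_survival(r, i, u)
    return {
        "link": all(survived[up[2]] for up in u),
        "router": all(survived[x] for x in r),
        "isp": all(survived[x] for x in i),
    }


if __name__ == "__main__":
    for option, (routers, isps) in enumerate([(1, 1), (1, 2), (2, 1), (2, 2)], start=1):
        print(f"Option {option}: {redundancy_classes(routers, isps)}")
```

The output reproduces the text's comparison: Option 1 survives only an uplink failure, Option 2 adds ISP redundancy, Option 3 adds local router redundancy instead, and only Option 4 survives a failure of any single component.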
VPN/Remote Access
The VPN/remote access module of the enterprise edge provides remote-access termination services, including authentication for remote users and sites. Components of this submodule include
■ Firewalls: Provide stateful filtering of traffic, authenticate trusted remote sites, and provide connectivity using IPsec tunnels
■ Dial-in access concentrators:
cate individual users
■ Cisco Adaptive Security Appliances (ASA): Terminate IPsec tunnels and authenticate individual remote users, and provide firewall and intrusion prevention services
■ Network intrusion prevention system (IPS) appliances
If you use a remote-access terminal server, this module connects to the PSTN. Today’s networks often prefer VPNs over remote-access terminal servers and dedicated WAN links.
VPNs reduce communication expenses by leveraging the infrastructure of SPs. For critical
applications, the cost savings might be offset by a reduction in enterprise control and the
loss of deterministic service. Remote offices, mobile users, and home offices access the
Internet using the local SP with secured IPsec tunnels to the VPN/remote access submodule via the Internet submodule.
Figure 2-10 shows a VPN design. Branch offices obtain local Internet access from an ISP.
Teleworkers also obtain local Internet access. VPN software creates secured VPN tunnels
to the VPN server that is located in the VPN submodule of the enterprise edge.
Figure 2-10 VPN Architecture (figure: Internet access through ISP A and ISP B at the SP edge, Internet connectivity into the enterprise edge, and a VPN access server)
Enterprise WAN
The enterprise edge of the enterprise WAN includes access to WANs. WAN technologies
include the following:
■ Multiprotocol Label Switching (MPLS)
■ Metro Ethernet
■ Leased lines
■ Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH)
■ PPP
■ Frame Relay
■ ATM
■ Cable
■ Digital subscriber line (DSL)
■ Wireless
Chapter 6, “WAN Technologies,” and Chapter 7, “WAN Design,” cover these WAN technologies. Routers in the enterprise WAN provide WAN access, QoS, routing, redundancy,
and access control to the WAN. Of these WAN technologies, MPLS is the most popular
WAN technology used today. For MPLS networks, the WAN routers prioritize IP packets
based on configured differentiated services code point (DSCP) values to use one of several MPLS QoS levels. Figure 2-11 shows the WAN module connecting to the Frame Relay
SP edge. The enterprise edge routers in the WAN module connect to the SP’s Frame Relay
switches.
Figure 2-11 WAN Module (figure: enterprise edge routers connecting the campus infrastructure to the Frame Relay network at the SP edge)
Use the following guidelines when designing the enterprise edge:
■ Determine the connection needed to connect the corporate network to the Internet. These connections are assigned to the Internet connectivity module.
■ Create the e-commerce module for customers and partners that require Internet access to business and database applications.
■ Design the remote access/VPN module for VPN access to the internal network from the Internet. Implement the security policy and configure authentication and authorization parameters.
■ Assign the edge sections that have permanent connections to remote branch offices. Assign these to the WAN, metro-area network (MAN), and VPN module.
Service Provider Edge Module
The SP edge module, shown in Figure 2-12, consists of SP edge services such as the
following:
■ Internet services
■ PSTN services
■ WAN services
Figure 2-12 WAN/Internet SP Edge Module (figure: the SP edge offering Internet Service Provider 1, Internet Service Provider 2, MPLS/MAN, Frame Relay, ATM, and PSTN services)
Enterprises use SPs to acquire network services. ISPs offer enterprises access to the Internet. ISPs can route the enterprise’s networks to their network and to upstream and peer Internet providers. Some ISPs can provide Internet services with DSL access. Connectivity
with multiple ISPs was described in the section, “Internet Edge.”
For voice services, PSTN providers offer access to the global public voice network. For the
enterprise network, the PSTN lets dialup users access the enterprise via analog or cellular
wireless technologies. It is also used for WAN backup using ISDN services.
WAN SPs offer MPLS, Frame Relay, ATM, and other WAN services for enterprise site-to-site connectivity with permanent connections. These and other WAN technologies are described in Chapter 6.
Remote Modules
The remote modules of the Cisco Enterprise Architecture model are the enterprise branch,
enterprise data center, and enterprise teleworker modules.
Enterprise Branch Module
The enterprise branch normally consists of remote offices or sales offices. These branch
offices rely on the WAN to use the services and applications provided in the main campus. Infrastructure at the remote site usually consists of a WAN router and a small LAN
switch, as shown in Figure 2-13. As an alternative to MPLS, it is common to use site-to-site IPsec VPN technologies to connect to the main campus.
Figure 2-13 Enterprise Branch Module (figure: the enterprise branch with a WAN connection to the main enterprise headquarters)
Enterprise Data Center Module
The enterprise data center uses the network to enhance the server, storage, and application servers. The offsite data center provides disaster recovery and business continuance services for the enterprise. Highly available WAN services are used to connect the enterprise
campus to the remote enterprise data center. The data center components include
■ Network infrastructure: Gigabit and 10 Gigabit Ethernet, InfiniBand, optical transport and storage switching
■ Interactive services: Computer infrastructure services, storage services, security, application optimization
■ DC management: Cisco Fabric Manager and Cisco VFrame for server and service management
The enterprise data center is covered in detail in Chapter 4, “Data Center Design.”
Enterprise Teleworker Module
The enterprise teleworker module consists of a small office or a mobile user who needs to
access services of the enterprise campus. As shown in Figure 2-14, mobile users connect
from their homes, hotels, or other locations using dialup or Internet access lines. VPN
small integrated service routers (ISR) in the VPN solution. IP phone capabilities are also
provided in the Cisco Virtual Office solution, providing corporate voice services for mobile users.
Figure 2-14 Enterprise Teleworker Solution (figure: a teleworker connected over broadband Internet through an IP VPN to the hub router and enterprise services)
Table 2-3 summarizes the Cisco Enterprise Architecture.
Table 2-3 Cisco Enterprise Architecture Model

Enterprise Area or Module        Description
Enterprise campus area           The enterprise campus module includes the building access and building distribution components and the shared campus backbone component or campus core. Edge distribution provides connectivity to the enterprise edge. High availability is implemented in the server farm, and network management monitors the enterprise campus and enterprise edge.
Enterprise edge area             Consists of e-commerce, Internet, VPN/remote access, and WAN modules.
Enterprise WAN module            This module provides MPLS or other WAN technologies.
Enterprise remote branch module  The enterprise branch normally consists of remote offices, small offices, or sales offices. These branch offices rely on the WAN to use the services and applications provided in the main campus.
Enterprise data center module    The enterprise data center consists of using the network to enhance the server, storage, and application servers. The offsite data center provides disaster recovery and business continuance services for the enterprise.
Enterprise teleworker            The enterprise teleworker module supports a small office, mobile users, or home users providing access to corporate systems via VPN tunnels.
Borderless Network Services
Cisco borderless network architecture is a next-generation solution that enables connectivity to anyone and anything, anywhere, and at any time. The connectivity needs to be
secure, reliable, and seamless. The borderless architecture optimizes both business and
network performance.
Borderless network services divide into four key pillars of functionality:
■ Mobility: Cisco Motion delivers anywhere, anytime access to information for wired, wireless, and remote users from any device. It also provides detection, classification, location, and mitigation of sources of wireless interference.
■ Security: Cisco TrustSec provides a foundation for identity-directed, policy-based access, and one-touch ease of use to strengthen security across distributed networks. It uses Cisco ASA devices, Cisco Virtualization Security, and Cisco AnyConnect, an endpoint/user service. The Cisco SAFE blueprint provides design and implementation guidelines for building secure and reliable network infrastructure. Security designs are covered in Chapter 12, “Managing Security,” and Chapter 13, “Security Solutions.”
■ Application performance: Application Velocity optimizes the speed and performance of any application by using Wide Area Application Services (WAAS).
■ Voice and video (IP Communication): Medianet for the Enterprise optimizes multimedia through automatic endpoint configuration and optimized network configuration. It reduces video deployment time and provides clear and accurate multicast video from wired to wireless networks with Cisco VideoStream technology. Voice and video design are covered in Chapter 14, “Voice and Video Design.”
High Availability Network Services
This section covers designs for high availability network services in the access layer.
When designing a network topology for a customer who has critical systems, services, or
network paths, you should determine the likelihood that these components will fail and
design redundancy where necessary. Consider incorporating one of the following types of
redundancy into your design:
■ Workstation-to-router redundancy in the building access layer
■ Server redundancy in the server farm module
■ Route redundancy within and between network components
■ Link media redundancy in the access layer
The following sections discuss each type of redundancy.
Workstation-to-Router Redundancy and LAN High Availability Protocols
When a workstation has traffic to send to a station that is not local, the workstation has
many possible ways to discover the address of a router on its network segment, including
the following:
■ ARP
■ Explicit configuration
■ ICMP Router Discovery Protocol (RDP)
■ RIP
■ HSRP
■ VRRP
■ GLBP
■ VSS
The following sections cover each of these methods.
ARP
Some IP workstations send an ARP frame to find a remote station. A router running proxy
ARP can respond with its data link layer address. Cisco routers run proxy ARP by default.
Explicit Configuration
Most IP workstations must be configured with the IP address of a default router, which is
sometimes called the default gateway.
In an IP environment, the most common method for a workstation to find a server is via
explicit configuration (a default router). If the workstation’s default router becomes unavailable, you must reconfigure the workstation with the address of a different router.
Some IP stacks enable you to configure multiple default routers, but many other IP implementations support only one default router.
RDP
RFC 1256 specifies an extension to Internet Control Message Protocol (ICMP) that allows
an IP workstation and router to run RDP to let the workstation learn a router’s address.
RIP
An IP workstation can run RIP to learn about routers, although this is not common practice. Usually in these implementations, the workstation is a UNIX system running the routed or gated UNIX process.
HSRP
The Cisco HSRP provides a way for IP workstations that support only one default router
to keep communicating on the internetwork even if their default router becomes unavailable. HSRP works by creating a virtual router that has its own IP and MAC addresses. The
workstations use this virtual IP address as their default router.
HSRP routers on a LAN communicate among themselves to designate two routers as active and standby. The active router sends periodic hello messages. The other HSRP routers
listen for the hello messages. If the active router fails and the other HSRP routers stop receiving hello messages, the standby router takes over and becomes the active router. Because the new active router assumes both the phantom’s IP and MAC addresses, end
nodes see no change. They continue to send packets to the phantom router’s MAC address, and the new active router delivers those packets.
HSRP also works for proxy ARP. When an active HSRP router receives an ARP request for
a node that is not on the local LAN, the router replies with the phantom router’s MAC address instead of its own. If the router that originally sent the ARP reply later loses its connection, the new active router can still deliver the traffic.
Figure 2-15 shows a sample implementation of HSRP.
Figure 2-15 HSRP: The Phantom Router Represents the Real Routers (figure: a workstation on the LAN; the phantom router with virtual IP 192.168.1.1/24; Router A with Ethernet 0 IP 192.168.1.2/24 and Router B with Ethernet 0 IP 192.168.1.3/24, each also having a serial interface S0)
In Figure 2-15, the following sequence occurs:
1. The workstation is configured to use the phantom router (192.168.1.1) as its default
router.
2. Upon booting, the routers elect Router A as the HSRP active router. The active router
does the work for the HSRP phantom. Router B is the HSRP standby router.
3. The workstation sends an ARP request for the phantom router's MAC address. Router A responds with the phantom router's MAC address.
4. If Router A goes offline, Router B takes over as the active router, continuing the delivery of the workstation's packets. The change is transparent to the workstation.
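The hello and hold-time behaviour behind the sequence above, as an added example that is not part of the guide: a small Python model of one HSRP group using the Figure 2-15 addresses. The 3-second hello, the 10-second hold time, the router priorities and the virtual MAC are assumptions chosen for the simulation, not values stated on the page.

```python
# Added example (not from the CCDA guide): a constructed model of the HSRP
# active/standby behaviour. Timer values, priorities and the virtual MAC are
# assumptions chosen for the simulation.
from dataclasses import dataclass
from typing import List, Optional, Tuple

HELLO_INTERVAL_S = 3   # assumed: the active router sends a hello every 3 s
HOLD_TIME_S = 10       # assumed: the standby declares the active router dead after 10 s of silence


@dataclass
class Router:
    name: str
    ip: str
    priority: int
    alive: bool = True


def _ip_key(ip: str) -> Tuple[int, ...]:
    """Numeric tuple so that 192.168.1.10 sorts after 192.168.1.9."""
    return tuple(int(octet) for octet in ip.split("."))


class HsrpGroup:
    """One HSRP group: a virtual IP/MAC pair served by whichever router is active."""

    def __init__(self, virtual_ip: str, virtual_mac: str, routers: List[Router]):
        self.virtual_ip = virtual_ip
        self.virtual_mac = virtual_mac
        self.routers = routers
        self.active: Optional[Router] = None
        self.standby: Optional[Router] = None
        self.last_hello_s = 0
        self.elect(now_s=0)

    def elect(self, now_s: int) -> None:
        """Highest priority becomes active; ties break on the highest interface IP."""
        alive = sorted((r for r in self.routers if r.alive),
                       key=lambda r: (r.priority, _ip_key(r.ip)), reverse=True)
        if not alive:
            raise RuntimeError("no live router can serve the virtual IP")
        self.active = alive[0]
        self.standby = alive[1] if len(alive) > 1 else None
        self.last_hello_s = now_s   # a newly active router announces itself immediately

    def arp_reply(self, target_ip: str) -> Optional[str]:
        """ARP for the virtual IP is always answered with the virtual MAC, never with
        the active router's own MAC, so hosts see no change when the active router fails."""
        return self.virtual_mac if target_ip == self.virtual_ip else None

    def tick(self, now_s: int) -> Optional[str]:
        """Advance the clock one second; return a description of any state change."""
        if self.active.alive:
            if now_s % HELLO_INTERVAL_S == 0:
                self.last_hello_s = now_s      # periodic hello from the active router
            return None
        # The active router is silent: the standby waits for the hold time to expire.
        if now_s - self.last_hello_s >= HOLD_TIME_S:
            failed = self.active
            self.elect(now_s)
            return f"{failed.name} hold time expired; {self.active.name} is now active"
        return None


def simulate(failure_at_s: int = 13, duration_s: int = 30):
    """Run the Figure 2-15 scenario: Router A (higher priority) goes offline mid-run."""
    router_a = Router("Router A", "192.168.1.2", priority=110)
    router_b = Router("Router B", "192.168.1.3", priority=100)
    group = HsrpGroup("192.168.1.1", "00:00:0c:07:ac:01", [router_a, router_b])
    events = []
    for now_s in range(1, duration_s + 1):
        if now_s == failure_at_s:
            router_a.alive = False
            events.append((now_s, "Router A goes offline"))
        change = group.tick(now_s)
        if change:
            events.append((now_s, change))
    return group, events


if __name__ == "__main__":
    grp, log = simulate()
    for t, msg in log:
        print(f"t={t:>2}s  {msg}")
    print("gateway MAC seen by hosts:", grp.arp_reply("192.168.1.1"))
```

Running the block shows Router A's last hello at 12 s, the failure at 13 s, and Router B taking over at 22 s when the hold time expires; throughout, the workstation's ARP for 192.168.1.1 resolves to the same virtual MAC, which is what makes the takeover transparent to end nodes. The hold time is the window during which traffic to the virtual IP is black-holed, so tuning the timers is a trade-off between failover speed and the risk of false takeovers on a congested LAN.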
VRRP
VRRP is a router redundancy protocol defined in RFC 3768. RFC 5768 defined VRRPv3 for both IPv4 and IPv6 networks. VRRP is based on Cisco's HSRP but is not compatible with it. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP addresses associated with a virtual router is called the master, and it forwards packets sent to these IP addresses. The election process provides dynamic failover of the forwarding responsibility should the master become unavailable. This allows any of the virtual router IP addresses on the LAN to be used as the default first-hop router by end hosts. The virtual router backup assumes the forwarding responsibility for the virtual router should the master fail.
GLBP
Like HSRP, GLBP protects data traffic from a failed router or circuit, but it also allows packet load sharing between a group of redundant routers. The difference between GLBP and HSRP is that GLBP provides load balancing between the redundant routers. It load balances by using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. GLBP members communicate with each other through hello messages sent every three seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222. GLBP benefits include
■ Load sharing: GLBP can be configured so that traffic from LAN clients is shared by multiple routers.
■ Multiple virtual routers: GLBP supports up to 1024 virtual routers (GLBP groups) on each physical interface of a router.
■ Preemption: GLBP enables you to preempt an active virtual gateway with a higher-priority backup.
■ Authentication: Simple text password authentication is supported.
Server Redundancy
Some environments need fully redundant (mirrored) file and application servers. For example, in a brokerage firm where traders must access data to buy and sell stocks, two or more redundant servers can replicate the data. Also, you can deploy Cisco Unified Communications Manager (CUCM) servers in clusters for redundancy. The servers should be on different networks and use redundant power supplies. To provide high availability in the server farm module, you have the following options:
■ Single attachment: …mechanisms (HSRP, GLBP) to dynamically find an alternate router.
■ Dual attachment: This solution increases availability by using redundant network interface cards (NICs).
■ Fast EtherChannel (FEC) and Gigabit EtherChannel (GEC) port bundles
Route Redundancy
Designing redundant routes has two purposes: balancing loads and increasing availability.
Load Balancing
Most IP routing protocols can balance loads across parallel links that have equal cost. Use
the maximum-paths command to change the number of links that the router will balance
over for IP; the default is four, and the maximum is six. To support load balancing, keep
the bandwidth consistent within a layer of the hierarchical model so that all paths have the
same cost. (Cisco Enhanced Interior Gateway Routing Protocol [EIGRP] is an exception
because it can load balance traffic across multiple routes that have different metrics by using a feature called variance.)
A hop-based routing protocol does load balancing over unequal-bandwidth paths as long
as the hop count is equal. After the slower link becomes saturated, packet loss at the saturated link prevents full utilization of the higher-capacity links; this scenario is called pinhole congestion. You can avoid pinhole congestion by designing and provisioning
equal-bandwidth links within one layer of the hierarchy or by using a routing protocol
that takes bandwidth into account.
IP load balancing in a Cisco router depends on which switching mode the router uses.
Process switching load balances on a packet-by-packet basis. Fast, autonomous, silicon,
optimum, distributed, and NetFlow switching load balance on a destination-by-destination basis because the processor caches information used to encapsulate the packets
based on the destination for these types of switching modes.
Increasing Availability
In addition to facilitating load balancing, redundant routes increase network availability.
You should keep bandwidth consistent within a given design component to facilitate load
balancing. Another reason to keep bandwidth consistent within a layer of a hierarchy is
that routing protocols converge much faster on multiple equal-cost paths to a destination
network.
By using redundant, meshed network designs, you can minimize the effect of link failures.
Depending on the convergence time of the routing protocols, a single link failure cannot
have a catastrophic effect.
You can design redundant network links to provide a full mesh or a well-connected partial mesh. In a full-mesh network, every router has a link to every other router, as shown in Figure 2-16. A full-mesh network provides complete redundancy and also provides good performance because there is just a single-hop delay between any two sites. The number of links in a full mesh is n(n – 1)/2, where n is the number of routers. Each router is connected to every other router. A well-connected partial-mesh network provides every router with links to at least two other routing devices in the network.
Figure 2-16 Full-Mesh Network: Every Router Has a Link to Every Other Router in the Network
A full-mesh network can be expensive to implement in WANs because of the required
number of links. In addition, groups of routers that broadcast routing updates or service
advertisements have practical limits to scaling. As the number of routing peers increases,
the amount of bandwidth and CPU resources devoted to processing broadcasts increases.
A suggested guideline is to keep broadcast traffic at less than 20 percent of the bandwidth of each link; this amount limits the number of peer routers that can exchange routing tables or service advertisements. When designing for link bandwidth, reserve 80
percent of it for data, voice, and video traffic so that the rest can be used for routing and
other link traffic. When planning redundancy, follow guidelines for simple, hierarchical
design. Figure 2-17 illustrates a classic hierarchical and redundant enterprise design that
uses a partial-mesh rather than a full-mesh topology. For LAN designs, links between the
access and distribution layer can be Fast Ethernet, with links to the core at Gigabit Ethernet speeds.
Figure 2-17 Partial-Mesh Design with Redundancy (Headquarters to Regions at 1.5 Mbps; Regions to Branches at 128 Kbps)
Link Media Redundancy
In mission-critical applications, it is often necessary to provide redundant media.
In switched networks, switches can have redundant links to each other. This redundancy is
good because it minimizes downtime, but it can result in broadcasts continuously circling
the network, which is called a broadcast storm. Because Cisco switches implement the IEEE 802.1d spanning-tree algorithm, you can avoid this looping with Spanning Tree Protocol (STP). The spanning-tree algorithm guarantees that only one path is active between two network stations. The algorithm permits redundant paths that are automatically activated when the active path experiences problems.
STP has a design limitation of only allowing one of the redundant paths to be active. VSS
can be used with Catalyst 6500 switches to overcome this limitation.
Because WAN links are often critical pieces of the internetwork, WAN environments often deploy redundant media. As shown in Figure 2-18, you can provision backup links so
that they become active when a primary link goes down or becomes congested.
Figure 2-18 Backup Links Can Provide Redundancy (primary and backup links to the access sites)
Often, backup links use a different technology. For example, a leased line can be in parallel with a backup dialup line or ISDN circuit. However, it is more common to use DSL
lines as backup in today’s networks. By using floating static routes, you can specify that
the backup route have a higher administrative distance (used by Cisco routers to select
routing information) so that it is not normally used unless the primary route goes down.
This design is less available than the partial mesh presented previously. Typically, on-demand backup links reduce WAN charges.
Note: When provisioning backup links, learn as much as possible about the physical circuit routing. Different carriers sometimes use the same facilities, meaning that your backup
path might be susceptible to the same failures as your primary path. Do some investigative
work to ensure that your backup really is acting as a backup.
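The route selection described in the Load Balancing section (equal-cost paths capped by maximum-paths, and per-destination versus per-packet switching) and the floating static route described above, as one added example that is not part of the guide: a constructed Python model of a routing table. The administrative distances, the value 250 used for the floating static route, and all addresses are assumptions; the block models the behaviour, not Cisco's implementation.

```python
# Added example (not from the CCDA guide): a constructed model of how a router
# picks among candidate routes (administrative distance, then metric), installs
# up to maximum-paths equal-cost next hops, and load-shares per destination or
# per packet. Addresses, distances and the 250 floating-static AD are assumptions.
import ipaddress
import itertools
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Default administrative distances assumed here (well-known IOS defaults).
AD_STATIC, AD_EIGRP, AD_OSPF, AD_RIP = 1, 90, 110, 120
AD_FLOATING_STATIC = 250   # anything higher than the dynamic protocol's AD will do


@dataclass(frozen=True)
class Route:
    prefix: str                   # e.g. "10.0.0.0/8"
    source: str                   # which protocol or configuration supplied the route
    ad: int                       # administrative distance: lower is more trusted
    metric: int                   # protocol metric, compared only within one AD
    next_hops: Tuple[str, ...]    # equal-cost next hops learned for this route


class Rib:
    def __init__(self, maximum_paths: int = 4):
        self.maximum_paths = maximum_paths        # IOS default of 4 per the page
        self._candidates = {}                     # prefix -> [Route, ...]
        self._packet_counter = itertools.count()  # drives per-packet round robin

    def add(self, route: Route) -> None:
        self._candidates.setdefault(route.prefix, []).append(route)

    def withdraw(self, prefix: str, source: str) -> None:
        """Drop every candidate for prefix from the given source (e.g. its link failed)."""
        self._candidates[prefix] = [r for r in self._candidates.get(prefix, [])
                                    if r.source != source]

    def best(self, prefix: str) -> Optional[Route]:
        """Lowest AD wins; among equal AD the lowest metric wins."""
        cands = self._candidates.get(prefix)
        return min(cands, key=lambda r: (r.ad, r.metric)) if cands else None

    def installed_paths(self, prefix: str) -> Tuple[str, ...]:
        """Next hops actually used: the best route's paths, capped at maximum-paths."""
        route = self.best(prefix)
        return route.next_hops[: self.maximum_paths] if route else ()

    def lookup(self, destination: str) -> Optional[str]:
        """Longest-prefix match over prefixes that still have a candidate route."""
        addr = ipaddress.ip_address(destination)
        matches = [p for p, cands in self._candidates.items()
                   if cands and addr in ipaddress.ip_network(p)]
        return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen) if matches else None

    def next_hop(self, destination: str, mode: str = "per-destination") -> Optional[str]:
        """Choose one of the installed equal-cost paths for a packet."""
        prefix = self.lookup(destination)
        paths = self.installed_paths(prefix) if prefix else ()
        if not paths:
            return None
        if mode == "per-destination":
            # Cached switching keys on the destination, so one host always takes the same link.
            index = zlib.crc32(destination.encode()) % len(paths)
        elif mode == "per-packet":
            # Process switching rotates every packet across the installed paths.
            index = next(self._packet_counter) % len(paths)
        else:
            raise ValueError(f"unknown load-sharing mode: {mode}")
        return paths[index]


def demo():
    rib = Rib()   # maximum-paths left at the default of 4
    # Primary: OSPF learns 10.0.0.0/8 over six equal-cost links; only four get installed.
    rib.add(Route("10.0.0.0/8", "ospf", AD_OSPF, metric=20,
                  next_hops=tuple(f"192.0.2.{i}" for i in range(1, 7))))
    # Backup: floating static route via the DSL router, AD 250, idle while OSPF holds the prefix.
    rib.add(Route("10.0.0.0/8", "static", AD_FLOATING_STATIC, metric=0,
                  next_hops=("198.51.100.1",)))
    primary_paths = rib.installed_paths("10.0.0.0/8")
    per_destination = [rib.next_hop("10.1.1.1", "per-destination") for _ in range(3)]
    per_packet = [rib.next_hop("10.1.1.1", "per-packet") for _ in range(3)]
    rib.withdraw("10.0.0.0/8", "ospf")     # primary link fails, the OSPF route disappears
    backup_paths = rib.installed_paths("10.0.0.0/8")
    return primary_paths, per_destination, per_packet, backup_paths


if __name__ == "__main__":
    print(demo())
```

In the demo, only four of the six OSPF next hops are installed until maximum-paths is raised; per-destination switching pins one host to one link, per-packet switching rotates across all installed links (at the cost of reordering); and the floating static route stays out of the forwarding path until the OSPF route is withdrawn, at which point it is installed automatically because it is then the lowest-AD candidate.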
Cisco supports Multilink Point-to-Point Protocol (MPPP), which is an Internet Engineering Task Force (IETF) standard for ISDN B-channel (or asynchronous serial interface) aggregation. It bonds multiple WAN links into a single logical channel. MPPP is defined in RFC 1990. MPPP does not specify how a router should accomplish the decision-making process to bring up extra channels. Instead, it seeks to ensure that packets arrive in sequence at the receiving router. The data is encapsulated within PPP, and each datagram is given a sequence number. At the receiving router, PPP uses this sequence number to re-create the original data stream. Multiple channels appear as one logical link to upper-layer protocols. For Frame Relay networks, FRF.16.1 Multilink Frame Relay is used to perform a similar function.
Table 2-4 summarizes the four main redundancy models.
Table 2-4 Redundancy Models
Redundancy Type | Description
Workstation to router redundancy | Use of HSRP, VRRP, and VSS
Server redundancy | Uses dual-attached NICs, FEC, or GEC port bundles
Route redundancy | Provides load balancing and high availability
Link redundancy | Use of multiple WAN links that provide primary and secondary failover for higher availability
References and Recommended Reading
Cisco Enterprise Teleworker Solution. www.cisco.com/en/US/netsol/ns340/ns394/ns430/networking_solutions_packages_list.html.
Enterprise Architectures. www.cisco.com/en/US/netsol/ns517/networking_solutions_market_segment_solutions_home.html.
Cisco Enterprise Solutions Portal. www.cisco.com/en/US/netsol/ns340/networking_solutions_large_enterprise_home.html.
Borderless Networks Solutions. www.cisco.com/en/US/netsol/ns1016/index.html.
Borderless Networks Architecture. www.cisco.com/en/US/netsol/ns1015/architecture.html.
Cisco TrustSec. www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/at_a_glance_c45-577269.pdf.
Medianet at a Glance. www.cisco.com/web/solutions/medianet/docs/C45-511997-00medialnet_aag120308.pdf.
Application Performance white paper. www.cisco.com/en/US/solutions/ns1015/lippis_white_paper_application_velocity.pdf.
RFC 3758. Virtual Router Redundancy Protocol (VRRP).
RFC 1990. The PPP Multilink Protocol (MP).
ps9336/prod_qas0900aecd806ed74b.html.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topics icon in the
outer margin of the page. Table 2-5 lists a reference of these key topics and the page numbers on which each is found.
Table 2-5 Key Topics
Key Topic Element | Description | Page
Summary | Hierarchical network models | 40
Figure 2-5 | Cisco Enterprise Architecture model | 48
Summary | High availability network services | 58
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
core layer, distribution layer, access layer, VLAN, PoE, ARP, VSS, enterprise campus
module, enterprise edge, enterprise WAN module, enterprise remote branch module,
enterprise data center module, enterprise teleworker module, HSRP, VRRP, GLBP
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. True or false: The core layer of the hierarchical model does security filtering and media translation.
2. True or false: The access layer provides high availability and port security.
3. You add Communications Manager to the network as part of a Voice over IP (VoIP)
solution. In which submodule of the Enterprise Architecture model should you place
Communications Manager?
4. True or false: HSRP provides router redundancy.
5. Which enterprise edge submodule connects to an ISP?
6. List the six modules of the Cisco Enterprise Architecture model for network design.
7. True or false: In the Cisco Enterprise Architecture model, the network management
submodule does not manage the SP edge.
8. True or false: You can implement a full-mesh network to increase redundancy and reduce a WAN’s costs.
9. How many links are required for a full mesh of six sites?
10. List and describe four options for multihoming to the SP between the Enterprise
Edge and the SP Edge. Which option provides the most redundancy?
11. To what enterprise edge submodule does the SP Edge Internet submodule connect?
12. What are four benefits of hierarchical network design?
13. In an IP telephony network, in which submodule or layer are the IP phones and
CUCM servers located?
14. Match the redundant model with its description:
i. Workstation-router redundancy
ii. Server redundancy
iii. Route redundancy
iv. Media redundancy
a. Cheap when implemented in the LAN and critical for the WAN
b. Provides load balancing
c. Host has multiple gateways
d. Data is replicated
15. True or false: Small to medium campus networks must always implement three layers
of hierarchical design.
16. How many full-mesh links do you need for a network with ten routers?
17. Which layer provides routing between VLANs and security filtering?
a. Access layer
b. Distribution layer
c. Enterprise edge
d. WAN module
18. List the four modules of the enterprise edge area.
19. List the three submodules of the SP edge.
20. List the components of the Internet edge.
21. Which submodule contains firewalls, VPN concentrators, and ASAs?
a. WAN
b. VPN/remote access
c. Internet
d. Server farm
22. Which of the following describe the access layer? (Select two.)
a. High-speed data transport
b. Applies network policies
c. Performs network aggregation
d. Concentrates user access
e. Provides PoE
f. Avoids data manipulation
23. Which of the following describe the distribution layer? (Select two.)
a. High-speed data transport
b. Applies network policies
c. Performs network aggregation
d. Concentrates user access
e. Provides PoE
f. Avoids data manipulation
24. Which of the following describe the core layer? (Select two.)
a. High-speed data transport
b. Applies network policies
c. Performs network aggregation
d. Concentrates user access
e. Provides PoE
f. Avoids data manipulation
25. Which campus submodule connects to the enterprise edge module?
a. SP edge
b. WAN submodule
c. Building distribution
d. Campus core
e. Enterprise branch
f. Enterprise data center
26. Which remote module connects to the enterprise via the Internet or WAN submodules and contains a small LAN switch for users?
a. SP edge
b. WAN submodule
c. Building distribution
d. Campus core
e. Enterprise branch
f. Enterprise data center
27. Which three types of servers are placed in the e-commerce submodule?
a. Web
b. Application
c. Database
d. Intranet
e. Internet
f. Public share
Use Figure 2-19 to answer questions 28–33.
Figure 2-19 Scenario for Questions 28–33 (numbered areas 1 through 6, with a link to the ISP)
28. Which is the campus core layer?
29. Which is the enterprise edge?
30. Which is the campus access layer?
31. Which is the enterprise edge distribution?
32. Which is the campus distribution layer?
33. Which is the campus data center?
34. Which solution supports the enterprise teleworker?
a. IP telephony
b. Enterprise campus
c. Cisco virtual office
d. SP edge
e. Hierarchical design
f. Data Center 3.0
35. Which are two benefits of using a modular approach?
a. Simplifies the network design
b. Reduces the amount of network traffic on the network
c. Often reduces the cost and complexity of the network
d. Makes the network simple by using full mesh topologies
36. Which three modules provide infrastructure for remote users? (Select three.)
a. Teleworker module
b. WAN module
c. Enterprise branch module
d. Campus module
e. Enterprise data center
f. Core, distribution, access layers
37. Which are borderless networks infrastructure services? (Select three.)
a. IP telephony
b. Security
c. QoS
d. SP edge
e. High availability
f. Routing
38. Which module contains devices that support AAA and store passwords?
a. WAN module
b. VPN module
c. Server farm module
d. Internet connectivity module
e. SP edge
f. TACACS
39. Which topology is best used for connectivity in the building distribution layer?
a. Full mesh
b. Partial mesh
c. Hub and spoke
d. Dual ring
e. EthernetChannel
40. What are two ways that wireless access points are used? (Choose two.)
a. Function as a hub for wireless end devices
b. Connect to the enterprise network
c. Function as a Layer 3 switch for wireless end devices
d. Provide physical connectivity for wireless end devices
e. Filter out interference from microwave devices
41. In which ways do application network services help resolve application issues?
a. It can compress, cache, and optimize content.
b. Optimizes web streams, which can reduce latency and offload the web server.
c. Multiple data centers increase productivity.
d. Improves application response times by using faster servers.
42. Which are key features of the distribution layer?
a. Aggregates access layer switches
b. Provides a routing boundary between access and core layers
c. Provides connectivity to end devices
d. Provides fast switching
e. Provides transport to the enterprise edge
f. Provides VPN termination
43. Which Cisco solution allows a pair of switches to act as a single logical switch?
a. HSRP
b. VSS
c. STP
d. GLB
44. Which module or layer connects the server layer to the enterprise edge?
a. Campus distribution layer
b. Campus data center access layer
c. Campus core layer
d. Campus MAN module
e. WAN module
f. Internet connectivity module
45. Which server type is used in the Internet connectivity module?
a. Corporate
b. Private
c. Public
d. Internal
e. Database
f. Application
46. Which server types are used in the e-commerce module for users running applications and storing data? (Select three.)
a. Corporate
b. Private
c. Public
d. Internet
e. Database
f. Application
g. Web
47. Based on Figure 2-20, and assuming that devices may be in more than one layer, list which devices are in each layer.
Figure 2-20 Question 47 (devices A, B, C, D, E, and F, with an MPLS cloud)
Access layer:
Distribution layer:
Core:
Use Figure 2-21 to answer questions 48–50.
Figure 2-21 Scenario for Questions 48–50 (sections A through E, with H.323, MPLS, and Internet clouds)
48. Which section(s) belong to the core layer?
49. Which section(s) belong to the distribution layer?
50. Which section(s) belong to the access layer?
Part II: LAN and WAN Design
Chapter 3: Enterprise LAN Design
Chapter 4: Data Center Design
Chapter 5: Wireless LAN Design
Chapter 6: WAN Technologies
Chapter 7: WAN Design
CCDA exam topics covered in this part:
■ Describe network architecture for the enterprise
■ Describe campus design considerations
■ Design the enterprise campus network
■ Design the enterprise data center
■ Describe enterprise network virtualization tools
■ Describe the enterprise edge, branch, and teleworker design characteristics
■ Describe physical and logical WAN connectivity
■ Design the branch office WAN solutions
■ Describe access network solutions for a remote worker
■ Design the WAN to support selected redundancy methodologies
■ Identify design considerations for a remote data center
■ Describe Cisco Unified wireless network architectures and features
■ Design wireless network using controllers
CHAPTER 3
Enterprise LAN Design
This chapter covers the following subjects:
■ LAN Media
■ LAN Hardware
■ Campus LAN Design and Best Practices
This chapter covers the design of campus local-area networks (LAN). It reviews LAN media, components, and design models. The section “LAN Media” reviews the design characteristics of different Ethernet media technologies.
This chapter covers how you apply Layer 2 switches, Layer 3 switches, and routers in
the design of LANs. It reviews several design models for large building, campus, and remote LANs.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The eight-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.
Table 3-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 3-1 "Do I Know This Already?" Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
LAN Media | 2
LAN Hardware | 1, 3, 5, 8
Campus LAN Design and Best Practices | 4, 6, 7
1. What device filters broadcasts?
a. Layer 2 switch
b. Hub
c. Layer 3 switch
d. Router
e. A and C
f. C and D
g. A, C, and D
2. What is the maximum segment distance for Fast Ethernet over unshielded twisted-pair (UTP)?
a. 100 feet
b. 500 feet
c. 100 meters
d. 285 feet
3. What device limits the collision domain?
a. Layer 2 switch
b. Hub
c. Layer 3 switch
d. Router
e. A and C
f. C and D
g. A, C, and D
4. The summarization of routes is a best practice at which layer?
a. Access layer
b. Distribution layer
c. Core layer
d. WAN layer
5. What type of LAN switches are preferred in the campus backbone of an enterprise network?
a. Layer 2 switches
b. Layer 3 switches
c. Layer 3 hubs
d. Hubs
6. Two workstations are located on separate VLANs. They exchange data directly. What type of application is this?
a. Client/server
b. Client-peer
c. Peer-peer
d. Client-enterprise
7. Which type of cable is the best solution in terms of cost for connecting an access switch to the distribution layer requiring 140 meters?
a. UTP
b. Copper
c. Multimode fiber
d. Single-mode fiber
8. Why is switching preferred over shared segments?
a. Shared segments provide a collision domain for each host.
b. Switched segments provide a collision domain for each host.
c. Shared segments provide a broadcast domain for each host.
d. Switched segments provide a broadcast domain for each host.
Foundation Topics
This chapter covers the design of LANs. It reviews LAN media, components, and design
models. Figure 3-1 shows the Enterprise Campus section of the Enterprise Composite
Network model. Enterprise LANs have a campus backbone and one or more instances of
building-distribution and building-access layers, with server farms and an enterprise edge
to the WAN or Internet.
Figure 3-1 Enterprise Campus (Campus Core, Building Distribution, Building Access, Server Farm/Data Center, and Edge Distribution)
LAN Media
This section identifies some of the constraints you should consider when provisioning various LAN media types. It covers the physical specifications of Ethernet, Fast Ethernet,
and Gigabit Ethernet.
You must also understand the design constraints of wireless LANs in the campus network.
Specifications for wireless LANs are covered in Chapter 5, “Wireless LAN Design.”
Ethernet Design Rules
Ethernet is the underlying basis for the technologies most widely used in LANs. In the
1980s and early 1990s, most networks used 10-Mbps Ethernet, defined initially by Digital, Intel, and Xerox (DIX Ethernet Version II) and later by the IEEE 802.3 working group.
The IEEE 802.3-2002 standard contains physical specifications for Ethernet technologies
through 10 Gbps.
Table 3-2 describes the physical Ethernet specifications up to 100 Mbps. It provides scalability information that you can use when provisioning IEEE 802.3 networks. Of these
specifications, 10BASE-5 and 10BASE-2 are no longer used but are included for completeness, and Fast Ethernet is preferred over 10BASE-T Ethernet.
Table 3-2 Scalability Constraints for IEEE 802.3
Specification | 10BASE-5 | 10BASE-2 | 10BASE-T | 100BASE-T
Physical topology | Bus | Bus | Star | Star
Maximum segment length (in meters) | 500 | 185 | 100 from hub to station | 100 from hub to station
Maximum number of attachments per segment | 100 | 30 | 2 (hub and station or hub-hub) | 2 (hub and station or hub-hub)
Maximum collision domain | 2500 meters (m) of five segments and four repeaters. Only three segments can be populated. | 2500 m of five segments and four repeaters. Only three segments can be populated. | 2500 m of five segments and four repeaters. Only three segments can be populated. | See the details in the section "100-Mbps Fast Ethernet Design Rules," later in this chapter.
The most significant design rule for Ethernet is that the round-trip propagation delay in one collision domain must not exceed 512 bit times. This is a requirement for collision detection to work correctly. This rule means that the maximum round-trip delay for a 10-Mbps Ethernet network is 51.2 microseconds. The maximum round-trip delay for a 100-Mbps Ethernet network is only 5.12 microseconds because the bit time on a 100-Mbps Ethernet network is 0.01 microseconds, as opposed to 0.1 microseconds on a 10-Mbps Ethernet network. Networks that are built outside of the specifications for segment distances cause larger propagation delays and should be avoided.
100-Mbps Fast Ethernet Design Rules
IEEE introduced the IEEE 802.3u-1995 standard to provide Ethernet speeds of 100 Mbps
over UTP and fiber cabling. The 100BASE-T standard is similar to 10-Mbps Ethernet in
that it uses carrier sense multiple access collision detect (CSMA/CD); runs on Category
(CAT) 3, 4, and 5 UTP cable; and preserves the frame formats. Connectivity still uses
hubs, repeaters, bridges, and switches.
100-Mbps Ethernet, or Fast Ethernet, topologies present some distinct constraints on the
network design because of their speed. The combined latency due to cable lengths and repeaters must conform to the specifications for the network to work properly. This section
discusses these issues and provides sample calculations.
The overriding design rule for 100-Mbps Ethernet networks is that the round-trip collision delay must not exceed 512 bit times. However, the bit time on a 100-Mbps Ethernet network is 0.01 microseconds, as opposed to 0.1 microseconds on a 10-Mbps Ethernet network. Therefore, the maximum round-trip delay for a 100-Mbps Ethernet network is 5.12 microseconds, as opposed to the more lenient 51.2 microseconds in a 10-Mbps Ethernet network.
The following are specifications for Fast Ethernet, each of which is described in the following sections:
■ 100BASE-TX
■ 100BASE-T4
■ 100BASE-FX
100BASE-TX Fast Ethernet
The 100BASE-TX specification uses CAT 5 UTP wiring. Like 10BASE-T, Fast Ethernet uses only two pairs of the four-pair UTP wiring. If CAT 5 cabling is already in place, upgrading to Fast Ethernet requires only a hub or switch and network interface card (NIC) upgrades. Because of the low cost, most of today's installations use switches. The specifications are as follows:
■ Transmission over CAT 5 UTP wire
■ RJ-45 connector (the same as in 10BASE-T)
■ Punchdown blocks in the wiring closet must be CAT 5 certified
■ 4B5B coding
100BASE-T4 Fast Ethernet
The 100BASE-T4 specification was developed to support UTP wiring at the CAT 3 level. This specification takes advantage of higher-speed Ethernet without recabling to CAT 5 UTP. This implementation is not widely deployed. The specifications are as follows:
■ Transmission over CAT 3, 4, or 5 UTP wiring.
■ Three pairs are used for transmission, and the fourth pair is used for collision detection.
■ No separate transmit and receive pairs are present, so full-duplex operation is not possible.
■ 8B6T coding.
100BASE-FX Fast Ethernet
The 100BASE-FX specification for fiber is as follows:
■ It operates over two strands of multimode or single-mode fiber cabling.
■ It can transmit over greater distances than copper media.
■ It uses media interface connector (MIC), Stab and Twist (ST), or Stab and Click (SC) fiber connectors defined for FDDI and 10BASE-FX networks.
■ 4B5B coding.
100BASE-T Repeaters
To make 100-Mbps Ethernet work, distance limitations are much more severe than those required for 10-Mbps Ethernet. Repeater networks have no five-hub rule; Fast Ethernet is limited to two repeaters. The general rule is that 100-Mbps Ethernet has a maximum diameter of 205 meters (m) with UTP cabling, whereas 10-Mbps Ethernet has a maximum diameter of 500 m with 10BASE-T and 2500 m with 10BASE-5. Most networks today use switches rather than repeaters, which limits the length of 10BASE-T and 100BASE-TX to 100 m between the switch and host.
The distance limitation imposed depends on the type of repeater. The IEEE 100BASE-T specification defines two types of repeaters: Class I and Class II. Class I repeaters have a latency (delay) of 0.7 microseconds or less. Only one repeater hop is allowed. Class II repeaters have a latency of 0.46 microseconds or less. One or two repeater hops are allowed.
Table 3-3 shows the maximum size of collision domains, depending on the type of repeater.
Table 3-3 Maximum Size of Collision Domains for 100BASE-T
Repeater Type | Copper | Mixed Copper and Multimode Fiber | Multimode Fiber
DTE-DTE (or switch-switch) | 100 m | Not applicable | 412 m (2000 if full duplex)
One Class I repeater | 200 m | 260 m | 272 m
One Class II repeater | 200 m | 308 m | 320 m
Two Class II repeaters | 205 m | 216 m | 228 m
Again, for switched networks, the maximum distance between the switch and the host
is 100 m.
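The 512-bit-time rule and the Class I/Class II repeater latencies from the sections above, as an added example that is not part of the guide: a Python delay-budget check for a Fast Ethernet collision domain. The bit-time limit and the two repeater latencies are the page's values; the UTP propagation delay (5.56 ns per meter one way) and the 1.0-microsecond round-trip allowance for the two end stations are assumptions taken from the IEEE 802.3 Clause 29 delay model, so a real design should substitute the vendor's measured delays.

```python
# Added example (not from the CCDA guide): a constructed round-trip delay budget
# check for a CSMA/CD collision domain. The 512-bit-time limit and the Class I /
# Class II repeater latencies come from the text; the cable and end-station (DTE)
# delays are assumptions taken from the IEEE 802.3 Clause 29 delay model.
from typing import Sequence

SLOT_TIME_BITS = 512   # round-trip budget in bit times for collision detection to work

# Repeater one-way latency in microseconds, as given for 100BASE-T repeaters.
REPEATER_LATENCY_US = {"class1": 0.70, "class2": 0.46}

# Assumed one-way propagation delay of CAT 5 UTP (802.3 lists 1.112 bit times/m round trip at 100 Mbps).
UTP_DELAY_US_PER_M = 0.00556
# Assumed round-trip delay contributed by the two end stations of a 100BASE-TX/FX domain (100 bit times).
DTE_PAIR_DELAY_US = 1.0


def bit_time_us(rate_mbps: float) -> float:
    """Duration of one bit: 0.1 us at 10 Mbps, 0.01 us at 100 Mbps."""
    return 1.0 / rate_mbps


def max_round_trip_us(rate_mbps: float) -> float:
    """512 bit times: 51.2 us at 10 Mbps, 5.12 us at 100 Mbps, 0.512 us at 1000 Mbps."""
    return SLOT_TIME_BITS * bit_time_us(rate_mbps)


def round_trip_delay_us(segments_m: Sequence[float], repeaters: Sequence[str],
                        cable_delay_us_per_m: float = UTP_DELAY_US_PER_M,
                        dte_pair_delay_us: float = DTE_PAIR_DELAY_US) -> float:
    """Worst-case round-trip delay between the two farthest stations of a domain.
    Cable and repeater delays are traversed twice (out and back); the DTE figure is already round-trip."""
    one_way_us = sum(segments_m) * cable_delay_us_per_m
    one_way_us += sum(REPEATER_LATENCY_US[r] for r in repeaters)
    return 2 * one_way_us + dte_pair_delay_us


def fits_collision_domain(rate_mbps: float, segments_m: Sequence[float],
                          repeaters: Sequence[str], margin_us: float = 0.0) -> bool:
    """True when the path's round-trip delay plus an optional safety margin fits the 512-bit-time budget."""
    return round_trip_delay_us(segments_m, repeaters) + margin_us <= max_round_trip_us(rate_mbps)


def report(rate_mbps: float, segments_m: Sequence[float], repeaters: Sequence[str]) -> str:
    """Human-readable budget line for a proposed Fast Ethernet layout."""
    used = round_trip_delay_us(segments_m, repeaters)
    limit = max_round_trip_us(rate_mbps)
    verdict = "OK" if used <= limit else "EXCEEDS"
    return f"{sum(segments_m):.0f} m, repeaters={list(repeaters)}: {used:.3f} us of {limit:.2f} us -> {verdict}"


if __name__ == "__main__":
    # Two Class II repeaters, 100 m + 5 m + 100 m: the 205 m diameter listed in Table 3-3
    print(report(100, [100, 5, 100], ["class2", "class2"]))
    # Same repeaters with the inter-repeater link stretched to 50 m
    print(report(100, [100, 50, 100], ["class2", "class2"]))
    # Switch to host, no repeater, 100 m
    print(report(100, [100], []))
```

With these constants, 100 m + 5 m + 100 m through two Class II repeaters uses just under the 5.12 microseconds available, matching the 205 m copper diameter in Table 3-3, while stretching the inter-repeater link to 50 m overruns the budget. Note that the same 205 m layout no longer fits once a 4-bit-time safety margin is added, which is why published diameters should be treated as hard limits rather than targets.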
Gigabit Ethernet Design Rules
Gigabit Ethernet was first specified by two standards: IEEE 802.3z-1998 and 802.3ab-1999.
The IEEE 802.3z standard specifies the operation of Gigabit Ethernet over fiber and coaxial
cable and introduces the Gigabit Media-Independent Interface (GMII). These standards are
superseded by the latest revision of all the 802.3 standards included in IEEE 802.3-2002.
The IEEE 802.3ab standard specified the operation of Gigabit Ethernet over CAT 5 UTP.
Gigabit Ethernet still retains the frame formats and frame sizes, and it still uses
CSMA/CD. As with Ethernet and Fast Ethernet, full-duplex operation is possible. Differences appear in the encoding; Gigabit Ethernet uses 8B10B coding with simple nonreturn
to zero (NRZ). Because of the 20 percent overhead, pulses run at 1250 MHz to achieve a
1000 Mbps throughput.
Table 3-4 gives an overview of Gigabit Ethernet scalability constraints.
Table 3-4 Gigabit Ethernet Scalability Constraints
Type | Speed | Maximum Segment Length | Encoding | Media
1000BASE-T | 1000 Mbps | 100 m | Five-level | CAT 5 UTP
1000BASE-LX (long wavelength) | 1000 Mbps | 550 m | 8B10B | Single-mode/multimode fiber
1000BASE-SX (short wavelength) | 1000 Mbps | 62.5 micrometers: 220 m; 50 micrometers: 500 m | 8B10B | Multimode fiber
1000BASE-CX | 1000 Mbps | 25 m | 8B10B | Shielded balanced copper
The following are the physical specifications for Gigabit Ethernet, each of which is described in the following sections:
■ 1000BASE-LX
■ 1000BASE-SX
■ 1000BASE-CX
■ 1000BASE-T
1000BASE-LX Long-Wavelength Gigabit Ethernet
IEEE 1000BASE-LX uses long-wavelength optics over a pair of fiber strands. The specifications are as follows:
■ Uses long wave (1300 nanometers [nm]).
■ Used on multimode or single-mode fiber.
■ Maximum lengths for multimode fiber are
  ■ 62.5-micrometer fiber: 440 m
  ■ 50-micrometer fiber: 550 m
■ Maximum length for single-mode fiber (9 micrometers) is 5 km.
■ Uses 8B10B encoding with simple NRZ.
1000BASE-SX Short-Wavelength Gigabit Ethernet
IEEE 1000BASE-SX uses short-wavelength optics over a pair of multimode fiber strands. The specifications are as follows:
■ Uses short wave (850 nm)
■ Used on multimode fiber
■ Maximum lengths:
  ■ 62.5-micrometer fiber: 260 m
  ■ 50-micrometer fiber: 550 m
■ Uses 8B10B encoding with simple NRZ
1000BASE-CX Gigabit Ethernet over Coaxial Cable
The IEEE 1000BASE-CX standard is for short copper runs between servers. The specifications are as follows:
■ Used on short-run copper
■ Runs over a pair of 150-ohm balanced coaxial cables (twinax)
■ Maximum length 25 m
■ Mainly for server connections
■ Uses 8B10B encoding with simple NRZ
1000BASE-T Gigabit Ethernet over UTP
The IEEE standard for 1000-Mbps Ethernet over CAT 5 UTP was IEEE 802.3ab; it was approved in June 1999. It is now included in IEEE 802.3-2002. This standard uses the four pairs in the cable. (100BASE-TX and 10BASE-T Ethernet use only two pairs.) The specifications are as follows:
■ CAT 5, four-pair UTP.
■ Maximum length 100 m.
■ Encoding is a five-level coding scheme.
■ 1 byte is sent over the four pairs at 1250 MHz.
10 Gigabit Ethernet Design Rules
The IEEE 802.3ae supplement to the 802.3 standard, published in August 2002, specifies the standard for 10 Gigabit Ethernet (10GE). It is defined for full-duplex operation over optical media, UTP, and copper. The IEEE 802.3an standard provides the specifications for running 10GE over UTP cabling. Hubs or repeaters cannot be used because they operate in half-duplex mode. 10GE allows the use of Ethernet frames over distances typically encountered in metropolitan-area networks (MAN) and wide-area networks (WAN). Other uses include data centers, corporate backbones, and server farms.
10GE Media Types
10GE has seven physical media specifications based on different fiber types and encoding. Multimode fiber (MMF) and single-mode fiber (SMF) are used. Table 3-5 describes
the different 10GE media types.
Table 3-5
10GE Media Types
10GE Media Type | Wavelength/Fiber (Short or Long)/UTP/Copper | Distance | Other Description
10GBASE-SR | Short-wavelength MMF | To 300 m | Uses 66B encoding
10GBASE-SW | Short-wavelength MMF | To 300 m | Uses the WAN interface sublayer (WIS)
10GBASE-LR | Long-wavelength SMF | To 10 km | Uses 66B encoding for dark fiber use
10GBASE-LW | Long-wavelength SMF | To 10 km | Uses WIS
10GBASE-ER | Extra-long-wavelength SMF | To 40 km | Uses 66B encoding for dark fiber use
10GBASE-EW | Extra-long-wavelength SMF | To 40 km | Uses WIS
10GBASE-LX4 | Uses division multiplexing for both MMF and SMF | To 10 km | Uses 8B/10B encoding
10GBASE-CX4 | 4 pairs of twinax copper | 15 m | IEEE 802.3ak
10GBASE-T | CAT6a UTP | 100 m | IEEE 802.3an
Short-wavelength multimode fiber is 850 nm. Long-wavelength is 1310 nm, and extra-long-wavelength is 1550 nm. The WIS is used to interoperate with the Synchronous Optical Network (SONET) STS-192c transmission format.
EtherChannel
The Cisco EtherChannel implementations provide a method to increase the bandwidth
between two systems by bundling Fast Ethernet, Gigabit Ethernet, or 10GE links. When
bundling Fast Ethernet links, use Fast EtherChannel. Gigabit EtherChannel bundles Gigabit Ethernet links. EtherChannel port bundles enable you to group multiple ports into a
single logical transmission path between the switch and a router, host, or another switch.
EtherChannels provide increased bandwidth, load sharing, and redundancy. If a link fails
in the bundle, the other links take on the traffic load. You can configure EtherChannel
bundles as trunk links.
Depending on your hardware, you can form an EtherChannel with up to eight compatibly
configured ports on the switch. The participating ports must have the same speed and duplex mode and belong to the same VLAN.
Comparison of Campus Media
As noted previously, several media types are used for campus networks. Table 3-6 provides a summary comparison of them. Wireless LAN (WLAN) is included here for completeness. WLAN technologies are covered in Chapter 5.
Table 3-6
Campus Transmission Media Comparison
Specification | Copper/UTP | Multimode Fiber | Single-Mode Fiber | Wireless LAN
Bandwidth | Up to 10 Gbps | Up to 10 Gbps | Up to 10 Gbps | Up to 300 Mbps
Distance | Up to 100 m | Up to 2 km (FE); up to 550 m (GE); up to 300 m (10GE) | Up to 80 km (FE); up to 100 m (GE); up to 80 km (10GE) | Up to 500 m at 1 Mbps
Price | Inexpensive | Moderate | Moderate to expensive | Moderate
LAN Hardware
This section covers the hardware devices and how to apply them to LAN design. You
place devices in the LAN depending on their roles and capabilities. LAN devices are categorized based on how they operate in the Open Systems Interconnection (OSI) model.
This section covers the following devices:
■ Repeaters
■ Hubs
■ Bridges
■ Switches
■ Routers
■ Layer 3 switches
Repeaters
Repeaters are the basic unit in networks that connect separate segments. Repeaters take
incoming frames, regenerate the preamble, amplify the signals, and send the frame out all
other interfaces. Repeaters operate at the physical layer of the OSI model. Because repeaters are unaware of packets or frame formats, they do not control broadcasts or collision domains. Repeaters are said to be protocol-transparent because they are unaware of
upper-layer protocols such as IP, Internetwork Packet Exchange (IPX), and so on.
One basic rule of using Ethernet repeaters is the 5-4-3 Rule, shown in Figure 3-2. The
maximum path between two stations on the network should not be more than five segments, with four repeaters between those segments, and no more than three populated
segments. Repeaters introduce a small amount of latency, or delay, when propagating the
frames. A transmitting device must be able to detect a collision with another device
within the specified time after the delay introduced by the cable segments and repeaters is
factored in. The 512-bit time specification also governs segment lengths.
Figure 3-2 Repeater 5-4-3 Rule
[Figure: maximum distance from Host A to Host Z is 5 segments with 4 repeaters]
Hubs
With the increasing density of LANs in the late 1980s and early 1990s, hubs were introduced to concentrate thinnet and 10BASE-T networks in the wiring closet. Traditional
hubs operate on the physical layer of the OSI model and perform the same functions as
basic repeaters. The difference is that hubs have more ports than basic repeaters.
Bridges
Bridges connect separate segments of a network. They differ from repeaters in that
bridges are intelligent devices that operate in the data link layer of the OSI model. Bridges
control the collision domains on the network. Bridges also learn the MAC layer addresses
of each node on each segment and on which interface they are located. For any incoming
frame, bridges forward the frame only if the destination MAC address is on another port
or if the bridge is unaware of its location. The latter is called flooding. Bridges filter any
incoming frames with destination MAC addresses that are on the same segment from
where the frame arrives; they do not forward these frames.
Bridges are store-and-forward devices. They store the entire frame and verify the cyclic redundancy check (CRC) before forwarding. If the bridges detect a CRC error, they discard
the frame. Bridges are protocol transparent; they are unaware of the upper-layer protocols
such as IP, IPX, and AppleTalk. Bridges are designed to flood all unknown and broadcast
traffic.
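As an added example (not code from the guide), the forwarding rules just described written out as a minimal learning bridge: learn the source MAC per port, discard frames that fail the CRC, filter frames whose destination sits on the arrival segment, and flood unknown-unicast and broadcast frames out every other port. The MAC addresses in the comments are constructed from the 00:00:5e:00:53:xx documentation range.

```python
import zlib
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes
    crc: int  # CRC-32 the sender computed over the payload

    @classmethod
    def build(cls, src, dst, payload):
        """Construct a well-formed frame with a correct CRC."""
        return cls(src, dst, payload, zlib.crc32(payload))


@dataclass
class LearningBridge:
    """Store-and-forward bridge: the whole frame is checked before any decision."""
    ports: list
    mac_table: dict = field(default_factory=dict)  # MAC address -> port it was learned on

    def handle(self, in_port, frame):
        """Return the list of ports the frame is forwarded out of (empty = dropped)."""
        if zlib.crc32(frame.payload) != frame.crc:
            return []  # CRC error: discard, a corrupt frame is never forwarded
        # Learn (or refresh) which port the sender is reachable through.
        self.mac_table[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Flood: unknown unicast and broadcast go out every port except the arrival port.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst]
        if out_port == in_port:
            return []  # Filter: destination is on the same segment the frame arrived from
        return [out_port]


if __name__ == "__main__":
    # Constructed three-port bridge; host ...:01 on port 1, host ...:02 on port 2.
    br = LearningBridge(ports=[1, 2, 3])
    print(br.handle(1, Frame.build("00:00:5e:00:53:01", "00:00:5e:00:53:02", b"hello")))  # flooded
    print(br.handle(2, Frame.build("00:00:5e:00:53:02", "00:00:5e:00:53:01", b"reply")))  # [1]
```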
Bridges implement Spanning Tree Protocol (STP) to build a loop-free network topology. Bridges communicate with each other, exchanging information such as priority and bridge interface MAC addresses. They select a root bridge and then implement STP. Some interfaces are placed in a blocking state, whereas other bridges have interfaces in forwarding mode. Figure 3-3 shows a network with bridges. STP has no load sharing or dual paths, as there is in routing. STP provides recovery from bridge failure by changing blocked interfaces to a forwarding state if a primary link fails. Although DEC and IBM versions are available, the IEEE 802.1d standard is the STP most commonly used.
STP elects a root bridge as the tree’s root. It places all ports that are not needed to reach
the root bridge in blocking mode. The selection of the root bridge is based on the lowest
numerical bridge priority. The bridge priority ranges from 0 to 65,535. If all bridges have
the same bridge priority, the bridge with the lowest MAC address becomes the root. The
concatenation of the bridge priority and the MAC address is the bridge identification
(BID). Physical changes to the network force spanning-tree recalculation.
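The root election as an added example (not from the guide): the BID is the 16-bit priority concatenated with the 48-bit MAC, so the lowest priority wins outright and the MAC only breaks ties. The last function takes the defender's view of the same rule, checking whether a bridge joining the tree would displace the designed root, which is the situation Root Guard exists to prevent; bridge names and MACs are constructed.

```python
def bridge_id(priority: int, mac: str) -> int:
    """Build the 64-bit BID: 16-bit bridge priority followed by the 48-bit MAC."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0..65535")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC address must be 48 bits")
    return (priority << 48) | mac_int


def elect_root(bridges):
    """bridges: iterable of (name, priority, mac). Return the name with the lowest BID.

    Priority occupies the high-order bits, so it decides first; the MAC
    address only matters between bridges with equal priority.
    """
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


def root_would_change(current_bridges, newcomer):
    """True if a bridge joining the tree would take over the root role.

    A switch attached with a lower priority (or equal priority and a lower MAC)
    displaces the designed root and forces a recalculation; Root Guard on ports
    that should never face the root keeps such a port from becoming a root port.
    """
    return elect_root(list(current_bridges) + [newcomer]) == newcomer[0]


if __name__ == "__main__":
    # Constructed campus: all bridges at the default priority, so the lowest MAC wins.
    bridges = [("core-1", 32768, "00:00:5e:00:53:10"),
               ("core-2", 32768, "00:00:5e:00:53:05"),
               ("dist-1", 32768, "00:00:5e:00:53:20")]
    print("root by MAC tie-break:", elect_root(bridges))
    bridges[0] = ("core-1", 4096, "00:00:5e:00:53:10")  # designed root: lower priority
    print("root by priority:", elect_root(bridges))
    print("unplanned priority-0 bridge takes root:",
          root_would_change(bridges, ("unplanned", 0, "00:00:5e:00:53:ff")))
```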
Switches
Switches use specialized integrated circuits to reduce the latency common to regular bridges. Switches are the evolution of bridges. Some switches can run in cut-through mode, where the switch does not wait for the entire frame to enter its buffer; instead, it begins to forward the frame as soon as it finishes reading the destination MAC address. Cut-through operation increases the probability that frames with errors are propagated on the network, because it forwards the frame before the entire frame is buffered and checked for errors. Because of these problems, most switches today perform store-and-forward operation as bridges do. As shown in Figure 3-4, switches are exactly the same as bridges with respect to collision-domain and broadcast-domain characteristics. Each port
broadcast domain. Assignment to different VLANs changes that behavior.
Figure 3-3 Spanning Tree Protocol
[Figure: bridge interfaces in forwarding and blocking states]
Figure 3-4 Switches Control Collision Domains
[Figure: each switch port is its own collision domain; all ports share one broadcast domain (IP subnet)]
Switches have characteristics similar to bridges; however, they have more ports and run
faster. Switches keep a table of MAC addresses per port, and they implement STP.
Switches are data link layer devices. They are transparent to protocols operating at the
network layer and above. Each port on a switch is a separate collision domain but is part
of the same broadcast domain. Switches do not control broadcasts on the network.
The use of LAN switches instead of bridges or hubs is nearly universal. Switches are preferred over shared technology because they provide full bandwidth in each direction
when configured in duplex mode. All the devices on a hub share the bandwidth in a single
collision domain. Switches can also use VLANs to provide more segmentation. The “LAN
Design Types and Models” section discusses VLANs.
Routers
Routers make forwarding decisions based on network layer addresses. When an Ethernet
Layer 3 IP address and adds a new Layer 2 address at the egress interface. In addition to
controlling collision domains, routers bound data link layer broadcast domains. Each interface of a router is a separate broadcast domain. Routers do not forward data link layer
broadcasts. IP defines network layer broadcast domains with a subnet and mask. Routers
are aware of the network protocol, which means they can forward packets of routed protocols, such as IP and IPX. Figure 3-5 shows a router; each interface is a broadcast and a
collision domain.
Figure 3-5 Routers Control Broadcast and Collision Domains
[Figure: each router interface is a separate broadcast domain and collision domain]
Routers exchange information about destination networks using one of several routing
protocols. Routers use routing protocols to build a list of destination networks and to
identify the best routes to reach those destinations. The following are examples of routing
protocols:
■ Enhanced Interior Gateway Routing Protocol (EIGRP)
■ Open Shortest Path First (OSPF)
■ Border Gateway Protocol (BGP)
■ Routing Information Protocol (RIP)
■ Intermediate System-to-Intermediate System (IS-IS)
Chapters 10 and 11 cover routing protocols in further detail. Routers translate data-link
protocols. They are the preferred method of forwarding packets between networks of differing media, such as Ethernet to Token Ring or Ethernet to serial. They also provide
methods to filter traffic based on the network layer address, route redundancy, load balancing, hierarchical addressing, and multicast routing.
Layer 3 Switches
LAN switches that can run routing protocols are Layer 3 switches. These switches can
run routing protocols and communicate with neighboring routers. They are also referred
to as multilayer switches. Layer 3 switches have LAN technology interfaces that perform
network layer packet forwarding. The use of switching technologies at the network layer
greatly accelerates packet forwarding between connected LANs, including VLANs. You
can use the router capacity you save to implement other features, such as security filtering
and intrusion detection.
Layer 3 switches perform the functions of both data link layer switches and network layer
domains (subnets). As with routers, a routing protocol provides network information to other Layer 3 switches and routers.
Table 3-7 summarizes LAN devices for review.
Table 3-7
LAN Device Comparison
Device | OSI Layer | Protocol Transparent or Protocol Aware? | Domain Boundary | What It Understands
Repeater | Layer 1: physical | Transparent | Amplify signal | Bits
Hub | Layer 1: physical | Transparent | Amplify signal | Bits
Bridge | Layer 2: data link | Transparent | Collision domain | Frames
Switch | Layer 2: data link | Transparent | Collision domain | Frames
Router | Layer 3: network | Aware | Broadcast domain | Packets
Layer 3 switch | Layer 3: network | Aware | Broadcast domain | Packets
Campus LAN Design and Best Practices
LANs can be classified as large-building LANs, campus LANs, or small and remote LANs.
The large-building LAN typically contains a major data center with high-speed access and
floor communications closets; the large-building LAN is usually the headquarters in
larger companies. Campus LANs provide connectivity between buildings on a campus.
Redundancy is usually a requirement in large-building and campus LAN deployments.
Small and remote LANs provide connectivity to remote offices with a relatively small
number of nodes.
Campus design factors include the following categories:
■ Network application characteristics: Different application types
■ Infrastructure device characteristics: Layer 2 and Layer 3 switching, hierarchy
■ Environmental characteristics: Geography, wiring, distance, space, power, number of nodes
Applications are defined by the business, and the network must be able to support them. Applications may require high bandwidth or be time sensitive. The infrastructure devices influence the design. Decisions on switched or routed architectures and port limitations or fiber media may be influenced by the environmental or distance requirements. The following sections show some sample LAN types. Table 3-8 summarizes the different application types.
Table 3-8
Application Types
Application Type | Description
Peer to peer | Includes instant messaging, file sharing, IP phone calls, and videoconferencing.
Client-local servers | Servers are located in the same segment as the clients or close by, normally on the same LAN. With the 80/20 workgroup rule, 80% of traffic is local, 20% not local.
Client/server farms | Mail, file, and database servers. Access is fast, reliable, and controlled.
Client-enterprise edge servers | External servers such as Simple Mail Transfer Protocol (SMTP), web, public servers, and e-commerce.
There is a wide range of network requirements for applications depending on the application types. Networks today are switched and not shared. Server farms require high-capacity links to the servers and redundant connections on the network to provide high
availability. Costs are lower for peer-to-peer applications and become higher for applications that traverse the network with high redundancy. Table 3-9 summarizes network requirements for applications.
Table 3-9
Network Requirements for Application Types
Requirement | Peer to Peer | Client-Local Servers | Client/Server Farm | Client-Enterprise Edge Services
Connectivity type | Switched | Switched | Switched | Switched
Throughput required | Medium to high | Medium | High | Medium
Availability | Low to high | Medium | High | High
Network costs | Low to medium | Medium | High | Medium
Best Practices for Hierarchical Layers
Each layer of the hierarchical architecture contains special considerations. The following
sections describe best practices for each of the three layers of the hierarchical architecture: access, distribution, and core.
Access Layer Best Practices
When designing the building access layer, you must consider the number of users or ports required to size the LAN switch. Connectivity speed for each host should also be considered. Hosts might be connected using various technologies such as Fast Ethernet, Gigabit Ethernet, or port channels. The planned VLANs enter into the design.
Performance in the access layer is also important. Redundancy and QoS features should be considered.
The following are recommended best practices for the building access layer:
■ Limit VLANs to a single closet when possible to provide the most deterministic and highly available topology.
■ Use Rapid Per-VLAN Spanning Tree Plus (RPVST+) if STP is required. It provides faster convergence than traditional 802.1d default timers.
■ Set trunks to ON and ON with no-negotiate.
■ Manually prune unused VLANs to avoid broadcast propagation (commonly done on the distribution switch).
■ Use VLAN Trunking Protocol (VTP) Transparent mode, because there is little need for a common VLAN database in hierarchical networks.
■ Disable trunking on host ports, because it is not necessary. Doing so provides more security and speeds up PortFast.
■ Consider implementing routing in the access layer to provide fast convergence and Layer 3 load balancing.
■ Use the switchport host commands on server and end-user ports to enable PortFast and disable channeling on these ports.
■ Use Cisco STP Toolkit, which provides
  ■ PortFast: Bypasses the listening-learning phase for access ports
  ■ Loop Guard: Prevents an alternate or root port from becoming designated in the absence of bridge protocol data units (BPDU)
  ■ Root Guard: Prevents external switches from becoming root
  ■ BPDU Guard: Disables a PortFast-enabled port if a BPDU is received
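An added example, not from the guide, that audits an access-switch configuration against several of the practices above: host ports must have PortFast and BPDU Guard and no channeling, trunks must be set to no-negotiate and carry a pruned VLAN list, and VTP must be transparent. The sample running-config is constructed for the example (IOS-style syntax; the switchport host macro is treated as implying access mode, PortFast and no channel-group).

```python
# Constructed sample running-config for the audit (not from the guide or any real device).
SAMPLE_CONFIG = """\
hostname access-sw-1
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user port, defaults left in place
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 description uplink, still negotiating
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface Vlan10
 ip address 192.0.2.2 255.255.255.0
!
"""

NO_PORTFAST = "host port without PortFast"
NO_BPDUGUARD = "host port without BPDU Guard"
CHANNELING = "host port has channel-group configured"
DTP_ON = "trunk still negotiates (DTP); add switchport nonegotiate"
ALL_VLANS = "trunk carries every VLAN; prune with switchport trunk allowed vlan"
DYNAMIC_MODE = "switchport mode not set; port is left to DTP defaults"
VTP_NOT_TRANSPARENT = "VTP is not in transparent mode"


def parse_config(config):
    """Split IOS-style text into global lines and {interface name: [commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # '!' ends a configuration block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)  # indented line belongs to the open block
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(config):
    """Return [(where, finding)] for each access-layer practice the config misses."""
    global_lines, interfaces = parse_config(config)
    findings = []
    if "vtp mode transparent" not in global_lines:
        findings.append(("global", VTP_NOT_TRANSPARENT))
    # Global PortFast default also applies BPDU Guard to every PortFast port.
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    for name, cmds in interfaces.items():
        if not any(c.startswith("switchport") for c in cmds):
            continue  # routed port or SVI: the Layer 2 port checks do not apply
        cmds = set(cmds)
        host_macro = "switchport host" in cmds  # macro = access + PortFast + no channeling
        if host_macro or "switchport mode access" in cmds:
            if not host_macro and "spanning-tree portfast" not in cmds:
                findings.append((name, NO_PORTFAST))
            if "spanning-tree bpduguard enable" not in cmds and not bpduguard_default:
                findings.append((name, NO_BPDUGUARD))
            if any(c.startswith("channel-group") for c in cmds):
                findings.append((name, CHANNELING))
        elif "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append((name, DTP_ON))
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append((name, ALL_VLANS))
        else:
            findings.append((name, DYNAMIC_MODE))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```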
Distribution Layer Best Practices
As shown in Figure 3-6, the distribution layer aggregates all closet switches and connects
to the core layer. Design considerations for the distribution layer include providing wirespeed performance on all ports, link redundancy, and infrastructure services.
The distribution layer should not be limited on performance. Links to the core must be
the core layer allow for high availability in the event of a link failure. Infrastructure services include quality of service (QoS) configuration, security, and policy enforcement. Access lists are configured in the distribution layer.
Figure 3-6 Distribution Layer
[Figure: core layer, building distribution, building access, workstations]
The following are recommended best practices at the distribution layer:
■ Use first-hop redundancy protocols. Hot Standby Router Protocol (HSRP) or Gateway Load Balancing Protocol (GLBP) should be used if you implement Layer 2 links between the Layer 2 access switches and the distribution layer.
■ Use Layer 3 routing protocols between the distribution and core switches to allow for fast convergence and load balancing.
■ Only peer on links that you intend to use as transit.
■ Build Layer 3 triangles, not squares, as shown in bold in Figure 3-7.
Figure 3-7 Layer 3 Triangles
[Figure: triangle links between core and distribution switches; square connectivity (do not use)]
■ Use the distribution switches to connect Layer 2 VLANs that span multiple access layer switches.
■ Summarize routes from the distribution to the core of the network to reduce routing overhead.
■ Use Virtual Switching System (VSS) as an option described in the following paragraph to eliminate the use of STP and the need for HSRP.
VSS solves the STP unused blocked links problem by converting the distribution switching pair into a single logical switch. With VSS, the physical topology changes: each access switch has a single upstream distribution switch instead of two upstream distribution switches. VSS is configured only on Cisco 6500 switches using the VSS Supervisor 720-10G. As shown in Figure 3-8, the two switches are connected via 10GE links called virtual switch links (VSL), which makes them appear as a single switch. The key benefits of VSS include
■ Layer 3 switching can be used toward the access layer.
■ Simplified management of a single configuration of the VSS distribution switch.
■ Better return on investment (ROI) via increased bandwidth between the access layer and the distribution layer.
Figure 3-8 Virtual Switching System
[Figure: traditional design with STP blocked links between the access and distribution layers; VSS 1440 allows both upstream links to be used; VSS logical view]
Core Layer Best Practices
Depending on the network’s size, a core layer might or might not be needed. For larger
networks, building distribution switches are aggregated to the core. This is called a collapsed core. This provides high-speed connectivity to the server farm / data center and to
the enterprise edge (to the WAN and the Internet).
Figure 3-9 shows the criticality of the core switches. The core must provide high-speed
must support gigabit speeds and data and voice integration.
Figure 3-9 Core Switches
[Figure: server farm/data center, campus core, building distribution, building access]
The following are best practices for the campus core:
■ Reduce the switch peering by using redundant triangle connections between switches.
■ Use routing that provides a topology with no Layer 2 loops, which are seen in Layer 2 links using STP.
■ Use Layer 3 switches on the core that provide intelligent services that Layer 2 switches do not support.
■ Use two equal-cost paths to every destination network.
Table 3-10 summarizes campus layer best practices.
Table 3-10
Campus Layer Design Best Practices
Campus Layer | Best Practices
Access layer | Limit VLANs to a single closet when possible to provide the most deterministic and highly available topology.
 | Use RPVST+ if STP is required. It provides the best convergence.
 | Set trunks to ON and ON with no-negotiate.
 | Manually prune unused VLANs to avoid broadcast propagation.
 | Use VTP Transparent mode, because there is little need for a common VLAN database in hierarchical networks.
 | Disable trunking on host ports, because it is not necessary. Doing so provides more security and speeds up PortFast.
 | Consider implementing routing in the access layer to provide fast convergence and Layer 3 load balancing.
 | Use Cisco STP Toolkit, which provides PortFast, Loop Guard, Root Guard, and BPDU Guard.
Distribution layer | Use first-hop redundancy protocols. Hot Standby Router Protocol (HSRP) or Gateway Load Balancing Protocol (GLBP) should be used if you implement Layer 2 links between the access and distribution.
 | Use Layer 3 links between the distribution and core switches to allow for fast convergence and load balancing.
 | Build Layer 3 triangles, not squares.
 | Use the distribution switches to connect Layer 2 VLANs that span multiple access layer switches.
 | Summarize routes from the distribution to the core of the network to reduce routing overhead.
 | Use VSS as an option described below to eliminate the use of STP.
Core layer | Reduce the switch peering by using redundant triangle connections between switches.
 | Use routing that provides a topology with no spanning-tree loops.
 | Use Layer 3 switches on the core that provide intelligent services that Layer 2 switches do not support.
 | Use two equal-cost paths to every destination network.
Large-Building LANs
Large-building LANs are segmented by floors or departments. The building-access component serves one or more departments or floors. The building-distribution component
serves one or more building-access components. Campus and building backbone devices
connect the data center, building-distribution components, and the enterprise edge-distribution component. The access layer typically uses Layer 2 switches to contain costs, with
more expensive Layer 3 switches in the distribution layer to provide policy enforcement.
Current best practice is to also deploy multilayer switches in the campus and building
backbone. Figure 3-10 shows a typical large-building design.
Figure 3-10 Large-Building LAN Design
[Figure: floor access switches connected to building distribution switches]
Each floor can have more than 200 users. Following a hierarchical model of building access, building distribution, and core, Fast Ethernet nodes can connect to the Layer 2
switches in the communications closet. Fast Ethernet or Gigabit Ethernet uplink ports
applications, Dynamic Host Configuration Protocol (DHCP), Domain Name System
(DNS), intranet, and other services.
Enterprise Campus LANs
A campus LAN connects two or more buildings within a local geographic area using a
high-bandwidth LAN media backbone. Usually the enterprise owns the medium (copper
or fiber). High-speed switching devices minimize latency. In today’s networks, Gigabit
Ethernet campus backbones are the standard for new installations. In Figure 3-11, Layer 3
switches with Gigabit Ethernet media connect campus buildings.
Figure 3-11 Campus LAN
[Figure: Buildings A through F, each with Layer 3 switches, connected by a campus backbone of GE or 10GE links]
Ensure that you implement a hierarchical composite design on the campus LAN and that
you assign network layer addressing to control broadcasts on the networks. Each building
should have addressing assigned in such a way as to maximize address summarization. Apply contiguous subnets to buildings at the bit boundary to apply summarization and ease
the design. Campus networks can support high-bandwidth applications such as video conferencing. Remember to use Layer 3 switches with high-switching capabilities in the campus-backbone design. In smaller installations, it might be desirable to collapse the
building-distribution component into the campus backbone. An increasingly viable alternative is to provide building access and distribution on a single device selected from
among the smaller Layer 3 switches now available.
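An added example (not from the guide) of the bit-boundary rule above, using Python's standard ipaddress module: summary_route finds the single prefix a building would advertise toward the campus backbone, and summary_overreach reports any address space that summary would claim but the building does not own, which is empty exactly when the subnets were allocated contiguously at a bit boundary. The building prefixes are constructed.

```python
import ipaddress


def summary_route(subnets):
    """Smallest single prefix that covers every subnet (the route to advertise upward)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until everything fits
    return summary


def summary_overreach(subnets):
    """Blocks inside the summary that belong to none of the listed subnets.

    A non-empty result means the summary would attract traffic for space the
    building does not own, so the allocation is not at a clean bit boundary.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    leftover = [summary_route(subnets)]
    for n in nets:
        remaining = []
        for block in leftover:
            if n.subnet_of(block):
                remaining.extend(block.address_exclude(n))  # carve the subnet out
            elif not block.subnet_of(n):
                remaining.append(block)  # untouched by this subnet
            # else: block lies entirely inside n and is therefore covered
        leftover = remaining
    return sorted(leftover)


def summarizes_cleanly(subnets):
    """True when one summary covers the subnets with nothing left over."""
    return not summary_overreach(subnets)


if __name__ == "__main__":
    # Constructed allocations: Building A is on a /22 boundary, Building B is not.
    building_a = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    building_b = ["10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24"]
    for name, subnets in (("A", building_a), ("B", building_b)):
        print(name, summary_route(subnets), "overreach:",
              [str(n) for n in summary_overreach(subnets)])
```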
As shown in the previous sections, each individual module has different requirements. The
building access layer is the only layer that uses Layer 2 switching. Both the campus core
and the server farm have requirements for high availability, high performance, and a higher
cost per port.
Table 3-11 shows network requirements for application types.
Table 3-11
Network Requirements for Application Types
Specification | Building Access | Distribution Layer | Campus Core | Server Farm
Technology | Layer 2 and Layer 3 switches | Layer 3 switches | Layer 3 switches | Layer 3 switches
Scalability | High | Medium | Low | Medium
Availability | Medium | Medium | High | High
Performance | Medium | Medium | High | High
Cost per port | Low | Medium | High | High
Edge Distribution
For large campus LANs, the edge distribution module provides additional security between the campus LAN and the enterprise edge (WAN, Internet, and virtual private networks [VPN]). The edge distribution protects the campus from the following threats:
■ IP spoofing: The edge distribution switches protect the core from spoofing of IP addresses.
■ Unauthorized access: Controls access to the network core.
■ Network reconnaissance: Filtering of network discovery packets to prevent discovery from external networks.
■ Packet sniffers: The edge distribution separates the edge's broadcast domains from the campus, preventing possible network packet captures.
Medium-Size LANs
Medium-size LANs contain 200 to 1000 devices. Usually, the distribution and core layers
are collapsed in the medium-size network. Access switches are still connected to both distribution/core switches to provide redundancy. Figure 3-12 shows the medium-size campus LAN.
Small and Remote Site LANs
Small and remote sites usually connect to the corporate network via a small router. The LAN service is provided by a small LAN switch. The router filters broadcasts to the WAN circuit and forwards packets that require services from the corporate network. You can
such as a backup domain controller and DNS; if not, you must configure the router to forward DHCP broadcasts and other types of services. As the site grows, you need the structure provided by the Enterprise Composite Network model. Figure 3-13 shows a typical architecture of a remote LAN.
Figure 3-12 Medium-Size Campus LAN
[Figure: server farm/data center, combined campus core/building distribution, building access]
Figure 3-13 Remote Office LAN
[Figure: remote office LAN connected through the WAN]
Server Farm Module
The server farm or data center module provides high-speed access to servers for the campus networks. You can attach servers to switches via Gigabit Ethernet or 10GE. Some
campus deployments might need EtherChannel technology to meet traffic requirements.
Figure 3-14 shows an example of a server farm module for a small network. Servers are
connected via Fast Ethernet or Fast EtherChannel.
The server farm switches connect via redundant uplink ports to the core switches. The
largest deployments might find it useful to hierarchically construct service to the data
center using access and distribution network devices.
Server distribution switches are used in larger networks. Access control lists and QoS feaices and to enforce network policies.
Figure 3-14 Server Farm
[Figure: server farm switches with redundant uplinks to the core switches]
Server Connectivity Options
Servers can be connected in three primary ways:
■ Single network interface card (NIC)
■ Dual NIC EtherChannel
■ Dual NIC to separate access switches
■ Content switching
Single-NIC servers connect at Fast Ethernet or Gigabit Ethernet full-duplex speeds with no redundancy. Servers requiring redundancy can be connected with dual NICs, either as a switch EtherChannel or with each link connected to a separate access switch.
Advanced redundancy solutions use content switches that front-end multiple servers. This provides redundancy and load balancing per user request.
Enterprise Data Center Infrastructure
Data centers (DC) contain different types of server technologies, including standalone
servers, blade servers, mainframes, clustered servers, and virtual servers.
Figure 3-15 shows the enterprise DC. The DC access layer must provide the port density
to support the servers, provide high-performance/low-latency Layer 2 switching, and
support dual and single connected servers. The preferred design is to contain Layer 2 to
the access layer and Layer 3 on the distribution. Some solutions push Layer 3 links to the
access layer. Blade chassis with integrated switches and virtual machines have become a
popular solution for DCs. Cisco Data Center 3.0 architecture is the next evolution of the
DC. DC architecture is covered in detail in Chapter 4, “Data Center Design.”
The DC aggregation layer (distribution layer) aggregates traffic to the core. Deployed on
the aggregation layer are
■ Load balancers to provide load balancing to multiple servers
■ SSL offloading devices to terminate Secure Sockets Layer (SSL) sessions
■ Firewalls to control and filter access
■ Intrusion detection devices to detect network attacks
Figure 3-15 Enterprise Data Center (diagram: core; DC distribution layer; DC access layer with L2 clusters, NIC teaming, blade chassis with passthru, blade chassis with integrated switch, L3 access, and mainframe)
Campus LAN QoS Considerations
For the access layer of the campus LAN, you can classify and mark frames or packets to
apply quality of service (QoS) policies in the distribution or at the enterprise edge. Classification is a fundamental building block of QoS and involves recognizing and distinguishing between different traffic streams. For example, you distinguish between HTTP/
HTTPS, FTP, and VoIP traffic. Without classification, all traffic is treated the same.
Marking sets certain bits in a packet or frame that has been classified. Marking is also
called coloring or tagging. Layer 2 has two methods to mark frames for CoS:
■ Inter-Switch Link (ISL)
■ IEEE 802.1p/802.1Q
The IEEE 802.1D-1998 standard describes IEEE 802.1p traffic class expediting.
encapsulation method for carrying VLANs over Fast Ethernet or Gigabit Ethernet interfaces.
ISL appends tags to each frame to identify the VLAN it belongs to. As shown in Figure 3-16, the tag is a 30-byte header and CRC trailer that are added around the Fast Ethernet
frame. This includes a 26-byte header and 4-byte CRC. The header includes a 15-bit
VLAN ID that identifies each VLAN. The user field in the header also includes 3 bits for
the class of service (CoS).
Figure 3-16 ISL Frame (ISL header, 26 bytes, with 3 bits used for CoS; encapsulated frame, 1...24.5 KB; FCS, 4 bytes)
The IEEE 802.1Q standard trunks VLANs over Fast Ethernet and Gigabit Ethernet interfaces, and you can use it in a multivendor environment. IEEE 802.1Q uses one instance of
STP for each VLAN allowed in the trunk. Like ISL, IEEE 802.1Q uses a tag on each frame
with a VLAN identifier. Figure 3-17 shows the IEEE 802.1Q frame. Unlike ISL, 802.1Q
uses an internal tag. IEEE 802.1Q also supports the IEEE 802.1p priority standard, which
is included in the 802.1D-1998 specification. A 3-bit Priority field is included in the
802.1Q frame for CoS.
Figure 3-17 IEEE 802.1Q Frame (PREAM, SFD, DA, SA, TYPE, TAG [PRI, CFI, VLAN ID], PT, DATA, FCS; the 3 “Priority” bits are used for CoS, values 0-7 on 802.1p/Q ports)
The preferred location to mark traffic is as close as possible to the source. Figure 3-18
shows a segment of a network with IP phones. Most workstations send packets with CoS
or IP precedence bits (ToS) set to 0. If the workstation supports IEEE 802.1Q/p, it can
mark packets. VoIP traffic from the phone is sent with a Layer 2 CoS set to 5. The phone
also reclassifies data from the PC to a CoS/ToS of 0. With differentiated services codepoint (DSCP) at Layer 3, VoIP bearer traffic is set to Expedited Forwarding (EF) (which
implies a ToS set to 5), binary value 101110 (hexadecimal 2E). Signaling traffic is set to
DSCP AF31.
As shown in Figure 3-18, switch capabilities vary in the access layer. If the switches in this
layer are capable, configure them to accept the markings or remap them. The advanced
remap the CoS/DSCP values to different markings.
Figure 3-18 Marking of Frames or Packets (diagram: PC, IP phone, access layer, distribution layer; mark as close to the source as possible)
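An added example, not from the book, of the 802.1Q tag fields and DSCP values described above: it builds and parses a tagged frame, rewrites the 3 priority (CoS) bits the way the IP phone reclassifies PC data to CoS 0, and derives the ToS byte and IP precedence from DSCP EF and AF31. The MAC addresses and VLAN IDs are constructed sample values.

```python
"""802.1Q tag handling and DSCP/ToS derivation (added example, not from the book)."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# DSCP values named in the text: EF = 101110 (0x2E), AF31 = 011010
DSCP_EF = 0b101110
DSCP_AF31 = 0b011010


def build_tci(pcp: int, cfi: int, vid: int) -> int:
    """Tag Control Information: 3 priority bits, 1 CFI bit, 12-bit VLAN ID."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP (CoS) must be 0-7")
    if cfi not in (0, 1):
        raise ValueError("CFI must be 0 or 1")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return (pcp << 13) | (cfi << 12) | vid


def build_tagged_frame(dst: bytes, src: bytes, pcp: int, vid: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with the internal 802.1Q tag inserted after the SA (no FCS)."""
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, 0, vid))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the header fields; pcp/cfi/vid are None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6], "src": frame[6:12],
            "pcp": None, "cfi": None, "vid": None}
    offset = 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    return info


def remark_cos(frame: bytes, new_pcp: int) -> bytes:
    """Rewrite the 3 priority bits of a tagged frame, as the IP phone does when it
    reclassifies data from the PC to CoS 0. Untagged frames are returned unchanged."""
    fields = parse_frame(frame)
    if fields["vid"] is None:
        return frame
    tci = build_tci(new_pcp, fields["cfi"], fields["vid"])
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP occupies the upper 6 bits of the IP ToS byte (EF 0x2E -> 0xB8)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp << 2


def ip_precedence(dscp: int) -> int:
    """The top 3 DSCP bits are the legacy IP precedence (EF implies ToS 5)."""
    return dscp >> 3


if __name__ == "__main__":
    # Constructed sample addresses and VLAN; not values from the book.
    phone_mac = bytes.fromhex("001122334455")
    switch_mac = bytes.fromhex("66778899aabb")
    voice = build_tagged_frame(switch_mac, phone_mac, pcp=5, vid=110,
                               ethertype=ETHERTYPE_IPV4,
                               payload=bytes([0x45, dscp_to_tos_byte(DSCP_EF)]))
    print(parse_frame(voice))
    print(parse_frame(remark_cos(voice, 0))["pcp"])
```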
Multicast Traffic Considerations
Internet Group Management Protocol (IGMP) is the protocol between end workstations
and the local Layer 3 switch. IGMP is the protocol used in multicast implementations between the end hosts and the local router. RFC 2236 describes IGMP Version 2 (IGMPv2).
RFC 1112 describes the first version of IGMP. IP hosts use IGMP to report their multicast
group memberships to routers. IGMP messages use IP protocol number 2. IGMP messages are limited to the local interface and are not routed.
RFC 3376 describes IGMP Version 3 (IGMPv3). IGMPv3 provides the extensions required
to support source-specific multicast (SSM). It is designed to be backward compatible with
both prior versions of IGMP. All versions of IGMP are covered in Chapter 11, “OSPF,
BGP, Route Manipulation, and IP Multicast.”
When campus LANs use multicast media, end hosts that do not participate in multicast
groups might get flooded with unwanted traffic. Two solutions are
■ Cisco Group Management Protocol (CGMP)
■ IGMP snooping
CGMP
Cisco Group Management Protocol is a Cisco proprietary protocol implemented to control multicast traffic at Layer 2. Because a Layer 2 switch is unaware of Layer 3 IGMP
messages, it cannot keep multicast packets from being sent to all ports.
As shown in Figure 3-19, with CGMP, the LAN switch can speak with the IGMP router to
find out the MAC addresses of the hosts that want to receive the multicast packets. You
must also enable the router to speak CGMP with the LAN switches. With CGMP,
switches distribute multicast sessions to the switch ports that have group members.
When a CGMP-enabled router receives an IGMP report, it processes the report and then
sends a CGMP message to the switch. The switch can then forward the multicast messages to the port with the host receiving multicast traffic. CGMP Fast-Leave processing allows the switch to detect IGMP Version 2 leave messages sent by hosts on any of the
supervisor engine module ports. When the IGMPv2 leave message is sent, the switch can
then disable multicast for the port.
Figure 3-19 CGMP (diagram: without CGMP versus with CGMP; hosts A, B, C, and D)
IGMP Snooping
IGMP snooping is another way for switches to control multicast traffic at Layer 2. IGMP
snooping has become the preferred solution over CGMP. With IGMP snooping, switches
listen to IGMP messages between the hosts and routers. If a host sends an IGMP query
message to the router, the switch adds the host to the multicast group and permits that
port to receive multicast traffic. The port is removed from multicast traffic if an IGMP
leave message is sent from the host to the router. The disadvantage of IGMP snooping is
that it must listen to every IGMP control message, which can impact the switch’s CPU
utilization.
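An added example, not from the book, of how an IGMP snooping switch learns its per-port group membership from IGMPv2 reports, leaves, and router queries, including the checksum check it must perform on every IGMP control message. Port numbers and group addresses are constructed sample values; the immediate prune on leave is the simplified behaviour described above, not the group-specific query and timeout a production switch uses.

```python
"""IGMPv2 snooping table simulation (added example, not from the book)."""
import ipaddress
import struct

IGMP_IP_PROTOCOL = 2                 # IGMP rides directly over IP, protocol number 2
IGMP_MEMBERSHIP_QUERY = 0x11         # sent by the multicast router
IGMP_V1_MEMBERSHIP_REPORT = 0x12     # sent by hosts (IGMPv1)
IGMP_V2_MEMBERSHIP_REPORT = 0x16     # sent by hosts (IGMPv2)
IGMP_V2_LEAVE_GROUP = 0x17           # sent by hosts (IGMPv2)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(msg: bytes):
    """Return (type, group) after verifying the length and checksum."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(msg[:8]) != 0:
        raise ValueError("IGMP checksum mismatch")
    msg_type, _max_resp, _csum, group = struct.unpack("!BBH4s", msg[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


def is_valid_igmpv2(msg: bytes) -> bool:
    """True when the message parses and its checksum verifies."""
    try:
        parse_igmpv2(msg)
        return True
    except ValueError:
        return False


class SnoopingSwitch:
    """Layer 2 switch that learns multicast membership per port from IGMP traffic."""

    def __init__(self):
        self.members = {}          # group address -> set of ports with receivers
        self.router_ports = set()  # ports on which IGMP queries were seen

    def process(self, port: int, msg: bytes) -> None:
        """Inspect one IGMP control message that arrived on `port`."""
        msg_type, group = parse_igmpv2(msg)
        if msg_type == IGMP_MEMBERSHIP_QUERY:
            # Queries come from the multicast router; every group must reach it.
            self.router_ports.add(port)
        elif msg_type in (IGMP_V1_MEMBERSHIP_REPORT, IGMP_V2_MEMBERSHIP_REPORT):
            self.members.setdefault(group, set()).add(port)
        elif msg_type == IGMP_V2_LEAVE_GROUP:
            # Simplification: prune the port at once, as the text describes.
            ports = self.members.get(group)
            if ports:
                ports.discard(port)
                if not ports:
                    del self.members[group]

    def egress_ports(self, group: str, ingress_port: int) -> set:
        """Ports a multicast frame for `group` is forwarded to (never the ingress)."""
        ports = set(self.members.get(group, set())) | self.router_ports
        ports.discard(ingress_port)
        return ports


if __name__ == "__main__":
    sw = SnoopingSwitch()
    sw.process(1, build_igmpv2(IGMP_MEMBERSHIP_QUERY, "0.0.0.0", 100))
    sw.process(3, build_igmpv2(IGMP_V2_MEMBERSHIP_REPORT, "239.1.1.1"))
    print(sorted(sw.egress_ports("239.1.1.1", 1)))
```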
References and Recommended Readings
10Gigabit Alliance, www.10gea.org.
Cisco Data Center Network Architecture and Solutions Overview, www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns377/net_brochure0900aecd802c9a4f.pdf.
“CSMA/CD Access Method, IEEE 802.3-2005.” New York, NY: Institute of Electrical and Electronics Engineers, 2005.
IEEE P802.3ae 10Gb/s Ethernet Task Force, http://grouper.ieee.org/groups/802/3/ae/index.html.
“Token-Ring Access Method, IEEE 802.5-1998.” Piscataway, NJ: Institute of Electrical and Electronics Engineers, 1998.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 3-12 lists a reference of these key topics and the page
numbers on which each is found.
Table 3-12 Key Topics

Key Topic Element | Description | Page
Table 3-6 | Comparison of copper, UTP, multimode fiber, and single-mode fiber | 89
List | Covers LAN devices, such as hubs, switches, and routers | 89
Summary | Covers best practices for the access, distribution, and core layers | 95
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
CSMA/CD, 100BASE-TX, IEEE 802.3ab, EtherChannel, Layer 3 switches, access
layer, distribution layer, core layer
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. True or false: Layer 2 switches control network broadcasts.
2. What technology can you use to limit multicasts at Layer 2?
3. True or false: Packet marking is also called coloring.
4. True or false: Usually, the distribution and core layers are collapsed in medium-size
networks.
5. What are two methods to mark frames to provide CoS?
6. Which of the following is an example of a peer-to-peer application?
a. IP phone call
b. Client accessing file server
c. Web access
d. Using a local server on the same segment
7. What primary design factors affect the design of a campus network? (Select three.)
a. Environmental characteristics
b. Number of file servers
c. Infrastructure devices
d. Fiber and UTP characteristics
e. Network applications
f. Windows, Linux, and mainframe operating systems
8. You need to connect a building access switch to the distribution switch. The cable
distance is 135 m. What type of cable do you recommend?
a. UTP
b. Coaxial cable
c. Multimode fiber
d. Single-mode fiber
9. Which layer of the campus network corresponds to the data center aggregation layer?
a. Core layer
b. Distribution layer
c. Access layer
d. Server farm
10. Which of the following is an access layer best practice?
a. Reduce switch peering and routing
b. Use HSRP and summarize routes
c. Disable trunking and use RPVST+
d. Offload SSL sessions and use load balancers
11. Which of the following is a distribution layer best practice?
a. Reduce switch peering and routing
b. Use HSRP and summarize routes
c. Disable trunking and use RPVST+
d. Offload SSL sessions and use load balancers
12. Which of the following is a core layer best practice?
a. Reduce switch peering and routing
b. Use HSRP and summarize routes
c. Disable trunking and use RPVST+
d. Offload SSL sessions and use load balancers
13. Which of the following is a DC aggregation layer best practice?
a. Reduce switch peering and routing
b. Use HSRP and summarize routes
c. Disable trunking and use RPVST+
d. Offload SSL sessions and use load balancers
14. Which of the following are threats to the edge distribution?
a. IP spoofing
b. Network discovery
c. Packet-capture devices
d. All of the above
15. An enterprise network has grown to multiple buildings supporting multiple departments. Clients access servers that are in local and other buildings. The company security assessment has identified policies that need to be applied. What do you
recommend?
a. Move all departments to a single building to prevent unauthorized access.
b. Move all servers to one of the LAN client segments.
c. Move all servers to a server farm segment that is separate from client LANs.
d. Move all servers to the building distribution switches.
16. Link redundancy and infrastructure services are design considerations for which layers?
a. Core layer
b. Distribution layer
c. Access layer
d. All of the above
17. Which of the following are server connectivity methods in the server farm?
a. Single NIC
b. EtherChannel
c. Content switch
d. All of the above
18. What is the recommended method to connect the distribution switches to the core?
a. Redundant triangle links
b. Redundant cross-connect links
c. Redundant Layer 3 squares
d. Redundant Layer 2 links
19. A campus network of four buildings is experiencing performance problems. Each
building contains 400 to 600 devices, all in one IP subnet. The buildings are connected in a hub-and-spoke configuration back to building 1 using Gigabit Ethernet
with multimode fiber. All servers are located in building 1. What do you recommend
to improve performance?
a. Connect all buildings in a ring topology.
b. Implement multiple VLANs in each building.
c. Move servers to the buildings.
d. Use single-mode fiber to make the Gigabit Ethernet links faster.
20. What of the following is true about data link layer broadcasts?
a. Not controlled by routers
b. Not forwarded by routers
c. Not forwarded by switches
d. Not controlled by VLANs
21. Match each LAN medium with its original physical specification.
i. Fast Ethernet
ii. Gigabit Ethernet
iii. WLAN
iv. Token Ring
v. 10 Gigabit Ethernet
a. IEEE 802.3ab
b. IEEE 802.11b
c. IEEE 802.3u
d. IEEE 802.3ae
e. IEEE 802.5
22. True or false: Layer 3 switches bound Layer 2 collision and broadcast domains.
23. Match each enterprise campus component with its description.
i. Campus infrastructure
ii. Server farm
iii. Edge distribution
a. Consists of backbone, building-distribution, and building-access modules
b. Connects the campus backbone to the Enterprise Edge
c. Provides redundant access to the servers
24. Match each LAN device type with its description.
i. Hub
ii. Bridge
iii. Switch
iv. Layer 3 switch
v. Router
a. Legacy device that connects two data link layer segments
b. Network layer device that forwards packets to serial interfaces connected to the WAN
c. High-speed device that forwards frames between two or more data link layer segments
d. High-speed device that bounds data link layer broadcast domains
e. Device that amplifies the signal between connected segments
25. Match each application type with its description.
i. Peer to peer
ii. Client-local server
iii. Client/server farm
iv. Client-enterprise edge
a. Server on the same segment
b. IM
c. Web access
d. Client accesses database server
26. Match each transmission medium with its upper-limit distance.
i. UTP
ii. Wireless
iii. Single-mode fiber
iv. Multimode fiber
a. 2 km
b. 100 m
c. 90 km
d. 500 m
27. True or false: IP phones and LAN switches can reassign a frame’s CoS bits.
28. Name two ways to reduce multicast traffic in the access layer.
29. What are two VLAN methods you can use to carry marking CoS on frames?
30. True or false: You can configure both CGMP and IGMP snooping in mixed Cisco
switch and non-Cisco router environments.
Use Figure 3-20 to answer questions 31–36.
Figure 3-20 Enterprise Campus Diagram (L3 switches forming the backbone, with links to the WAN and to the Internet; buildings with L3 switches; Building A with L2 switches, IP phones, and workstations)
31. What medium do you recommend for the campus LAN backbone?
32. The workstations send frames with the DSCP set to EF. What should the IP phones
do so that the network gives preference to VoIP traffic over data traffic?
33. If the Layer 2 switches in Building A cannot look at CoS and ToS fields, where should
these fields be inspected for acceptance or reclassification: in the building Layer 3
switches or in the backbone Layer 3 switches?
34. Does the network have redundant access to the WAN?
35. Does the network have redundant access to the Internet?
36. Does Figure 3-20 use recommended devices for networks designed using the Enterprise Architecture model?
37. Which are environmental characteristics? (Select three.)
a. Transmission media characteristics
b. Application characteristics
c. Distribution of network nodes
d. Operating system used
e. Remote-site connectivity requirements
38. Which network application type is most stringent on the network resources?
a. Peer to peer
b. Client to local server
c. Client to server farm
d. Client to enterprise edge
39. Why is LAN switching used more than shared LAN technology? (Select two.)
a. Shared LANs do not consume all available bandwidth.
b. Switched LANs offer increased throughput.
c. Switched LANs allow two or more ports to communicate simultaneously.
d. Switched LANs forward frames to all ports simultaneously.
40. An application used by some users in a department generates significant amounts of
bandwidth. Which is a best design choice?
a. Rewrite the application to reduce bandwidth.
b. Use Gigabit Ethernet connections for those users.
c. Put the application users into a separate broadcast domain.
d. Add several switches and divide the users into the two.
41. Users access servers located on a server VLAN and servers located in departmental
VLANs. Users are located in the departmental VLAN. What is the expected traffic
flow from users to servers?
a. Most traffic is local.
b. All traffic requires multilayer switching.
c. There is no need for multilayer switching.
d. Most of the traffic will have to be multilayer switched.
42. Company departments are located across several buildings. These departments use
several common servers. Network policy and security are important. Where should
servers be placed?
a. Within all department buildings and duplicate the common servers in each building.
b. Connect the common servers to the campus core.
c. Use a server farm.
d. Connect the servers to the distribution layer.
43. A large company has a campus core. What is the best practice for the core campus
network?
a. Use triangles.
b. Use squares.
c. Use rectangles.
d. Use point-to-point mesh.
44. A company has five floors. It has Layer 2 switches in each floor with servers. They
plan to move the servers to a new computer room and create a server farm. What should
they use?
a. Replace all Layer 2 switches with Layer 3 switches.
b. Connect the Layer 2 switches to a Layer 3 switch in the computer room.
c. Connect the Layer 2 switches to a new Layer 2 switch in the computer room.
d. Connect the Layer 2 switches to each other.
45. A Fast Ethernet uplink is running at 80 percent utilization. Business-critical applications are used. What can be used to minimize packet delay and loss?
a. Implement QoS with classification and policing in the distribution layer.
b. Add additional VLANs so that the business applications are used on PCs on that VLAN.
c. Perform packet bit rewrite in the distribution switches.
d. Classify users in the access with different priority bits.
46. Which are four best practices used in the access layer?
a. Disable trunking in host ports.
b. Limit VLANS to one closet.
c. Use PVST+ as the STP with multilayer switches.
d. Enable trunking on host ports.
e. Use VLAN spanning to speed convergence of STP.
f. Use VTP Server mode in hierarchical networks.
g. Use VTP Transparent mode in hierarchical networks.
h. Use RPVST+ as the STP with multilayer switches.
47. Which are three best practices used in the distribution layer?
a. Use HSRP or GLBP.
b. Provide fast transport.
c. Use Layer 3 routing protocols to the core.
d. Use Layer 2 routing protocols to the core.
e. Summarize routes to the core layer.
f. Summarize routes to the access layer.
48. Which are four best practices used in the distribution layer?
a. Disable trunking in host ports.
b. Limit VLANS to one closet.
c. Use HSRP.
d. Use GLBP.
e. Use VLAN spanning to speed convergence of STP.
f. Use Layer 3 routing to the core.
g. Summarize routes.
h. Use RPVST+ as the STP with multilayer switches.
49. Which are three best practices used in the core layer?
a. Use routing with no Layer 2 loops.
b. Limit VLANS to one closet.
c. Use HSRP.
d. Use GLBP.
e. Use Layer 3 switches with fast forwarding.
f. Use Layer 3 routing to the core.
g. Use two equal-cost paths to every destination network.
h. Use RPVST+ as the STP with multilayer switches.
This chapter covers the following subjects:
■ Enterprise DC Architectures
■ Challenges in the DC
■ Enterprise DC Infrastructure
■ Virtualization Overview
■ Virtualization Technologies
■ Network Virtualization Design Considerations
CHAPTER 4
Data Center Design
This chapter covers enterprise data center design fundamentals, technology trends, and
challenges facing the data center. General data center architecture, components, and design considerations are examined, but detailed data center design is not covered.
This chapter also provides an overview of virtualization, discusses the various virtualization technologies and network virtualization design considerations.
The CCDA candidate can expect plenty of questions related to data center fundamentals,
challenges, architecture, and virtualization.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in this
chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 4-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 4-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section | Questions Covered in This Section
Enterprise DC Overview | 1, 2
Challenges in the DC | 3, 4
Enterprise DC Infrastructure | 5, 6
Virtualization Overview | 7
Virtualization Technologies | 8, 9
Network Virtualization Design Considerations | 10
1. What are two methods for implementing unified fabric in the data center over 10Gigabit Ethernet?
a. VSS
b. FCoE
c. iSCSI
d. vPC
2. What best describes the characteristics of Data Center 3.0 architecture?
a. Mainframes
b. Consolidation/virtualization/automation
c. Distributed client/server computing
d. Decentralized computing
3. Which of the following data center facility aspects best corresponds with architectural and mechanical specifications?
a. Space, load, and power capacity
b. PCI, SOX, and HIPAA
c. Operating temperature and humidity
d. Site access, fire suppression, and security alarms
4. Which of the following uses the highest percentage of power within the overall data
center power budget?
a. Lighting
b. Servers and storage
c. Network devices
d. Data center cooling
5. Which data center architecture layer provides Layer 2/Layer 3 physical port density
for servers in the data center?
a. Data center core
b. Data center aggregation
c. Data center access
d. Data center distribution
6. Layer 4 security and application services including server load balancing, Secure
Sockets Layer (SSL) offloading, firewalling, and intrusion prevention system (IPS)
services are provided by the data center ___________ layer?
a. Access
b. Routed
c. Core
d. Aggregation
7. Virtualization technologies allow a _________ device to share its resources by acting
as multiple versions of itself?
a. Software
b. Virtual
c. Logical
d. Physical
8. Which of the following are examples of logical isolation techniques in which network
segments share the same physical infrastructure? (Select all that apply.)
a. VRF
b. VLAN
c. VSAN
d. VSS
9. Which of the following are examples of technologies that employ device virtualization or the use of contexts? (Select all that apply.)
a. VRF
b. ASA
c. VLAN
d. ACE
10. What involves the creation of independent logical network paths over a shared network infrastructure?
a. Access control
b. Services edge
c. Path isolation
d. Device context
Foundation Topics
This chapter covers general enterprise data center considerations that you need to master
for the CCDA exam. It starts with a discussion of the enterprise data center architecture
and how we have evolved from Data Center 1.0 to Data Center 3.0. The section “Data Center 3.0 Components” covers the virtualization technologies and services that unify network, storage, compute, and virtualization platforms. The section “Data Center 3.0
Topology Components” shows how the virtualization technologies integrate with unified
computing and the unified fabric.
The “Challenges in the Data Center” section describes the common server deployment
challenges present in the data center. Major facility aspect issues involving rack space,
power, cooling, and management are covered. Data center cabling is examined along with
the data center cable considerations critical to the proper cable plant management.
Following that, the “Enterprise Data Center Infrastructure” section explores the Cisco
multilayer architecture that is used for building out enterprise data centers to support
blades servers, 1RU (rack unit) servers, and mainframes. Design aspects of the multilayer
architecture involving data center access layer, aggregation layer, and core layer design
considerations are also covered.
The chapter wraps up with several sections on virtualization. An overview of virtualization is covered along with key drivers that are pushing the adoption of virtualization in the
data center. The section “Virtualization Technologies” compares the two main types of
virtualization and provides several examples. Then the section “Network Virtualization
Design Considerations” covers access control, path isolation, and services edge.
Enterprise DC Architectures
Over the past two decades, we have seen an evolution of data center “architectures”. With
Data Center 1.0, data centers were centralized, using mainframes to process and store data.
The users of Data Center 1.0 used terminals to access and perform their work on the mainframes. Mainframes are still prevalent in many data centers because of the overall benefits
in terms of availability, resiliency, and service level agreements (SLA).
Figure 4-1 illustrates the evolution of data center architectures from Data Center 1.0 to
Data Center 3.0.
Data Center 2.0 brought client/server and distributed computing into the mainstream data
center. Business applications were installed on servers and were accessed by users with
client software on their PCs. Application services were distributed because of the high cost of
WAN links and application performance. Also, mainframes were too costly to
be used as an alternative for client/server computing.
Currently, we are moving away from Data Center 2.0 and toward Data Center 3.0, where
consolidation and virtualization are the key components. The cost of communication
equipment is lowering, and there is an increase in computing capacities, which is driving
effective when compared to the distributed approach. The newer architecture takes
advantage of virtualization, which results in a higher utilization of computing and network
resources. In addition, the newer Data Center 3.0 architecture increases the overall return
on investment (ROI) and lowers the total cost of ownership (TCO).
Figure 4-1 Cisco Data Center Architecture Evolution (Data Center 1.0: Mainframe; Data Center 2.0: Client-Server and Distributed Computing, Decentralized; Data Center 3.0: Service-Oriented and Web 2.0-Based, Consolidate, Virtualize, Automate, Virtualized)
Data Center 3.0 Components
Figure 4-2 highlights the Cisco Data Center 3.0 components.
Figure 4-2 Cisco Data Center 3.0 Architecture Framework (Virtualization, Unified Computing, Unified Fabric)
The architectural components of Data Center 3.0 include virtualization technologies
and services that unify network, storage, compute, and virtualization platforms. These
technologies and network services enable incredible flexibility, visibility, and policy
enforcement, which are critical for virtualized data centers. Here are the three main
components of Cisco Data Center 3.0 architecture:
■ Virtualization
  ■ Virtual local-area network (VLAN), virtual storage-area network (VSAN), and virtual device contexts (VDC) help to segment the LAN, SAN, and network device instances.
  ■ The Cisco Nexus 1000V virtual switch for VMware ESX and ESXi helps to deliver visibility and policy control for virtual machines (VM).
  ■ Flexible networking options with support for all server form factors and vendors, including support for blade servers from Cisco, Dell, IBM, and HP with integrated Ethernet and Fibre Channel switches.
■ Unified fabric
  ■ Fibre Channel over Ethernet (FCoE) and Internet Small Computer Systems Interface (iSCSI) are two methods for implementing unified fabric in the data center over 10 Gigabit Ethernet networks.
  ■ FCoE is supported on VMware ESX/ESXi vSphere 4.0 and later.
  ■ The Cisco Catalyst, Cisco Nexus, and Cisco MDS families of switches all support iSCSI. The Cisco Nexus 5000 supports unified fabric lossless operation, which improves the performance of iSCSI traffic using 10 Gigabit Ethernet.
  ■ The Cisco Nexus family of switches was designed to support unified fabric. Currently, the Cisco Nexus 5000 and the Nexus 4000 support data center bridging (DCB) and FCoE. However, there are future plans for the Cisco Nexus 7000 series and the Cisco MDS family of switches to support FCoE, as well.
  ■ Converged network adapters (CNA) run at 10GE and support FCoE. CNAs are available from both Emulex and QLogic. Additionally, a software stack is available for certain 10GE network interfaces from Intel.
■ Unified computing
  ■ Cisco Unified Computing System (UCS) is an innovative next-generation data center platform that converges computing, network, storage, and virtualization together into one system.
  ■ Integrates lossless 10GE unified network fabric with x86 architecture-based servers.
  ■ Allows the Cisco Virtual Interface Card to virtualize the network interfaces on your server.
  ■ Offers Cisco VN-Link virtualization.
  ■ Supports Extended Memory Technology patented by Cisco.
  ■ Increases productivity with just-in-time provisioning using service profiles.
Data Center 3.0 Topology Components
Figure 4-3 shows the Cisco Data Center 3.0 topology.
Figure 4-3 Cisco Data Center 3.0 Topology (Virtualized Server Environment; Unified Computing Resources; Consolidated Connectivity with Fibre Channel, Ethernet, and FCoE; Virtualized SAN and LAN with VSAN, FC, and VLAN; Virtualized Storage and Network Devices)
At the top layer, we have virtual machines, which are software entities with hardware-level
abstraction capable of running a guest OS on top of a resource scheduler, also known
as a hypervisor.
Within the unified computing resources, the service profile defines the identity of the
server. The identity contains many items such as memory, CPU, network cards, storage information, and boot image.
10 Gigabit Ethernet, FCoE, and Fibre Channel technologies provide the unified fabric and
are supported on the Cisco Nexus 5000. FCoE is one of the key technologies that allow native Fibre Channel frames to be used on 10G Ethernet networks.
Virtualization technologies such as VLANs and VSANs provide for virtualized LAN and
SAN connectivity by logically segmenting multiple LANs and SANs on the same physical
equipment. Each VLAN and VSAN operates independently from one another.
At the lowest layer, we have virtualized hardware where storage devices can be virtualized
into storage pools and network devices are virtualized using virtual device contexts (VDC).
Challenges in the DC
In the data center, server deployments are of great concern along with facilities and network equipment. Here are some of the challenges that must be dealt with when deploying
servers:
■ Power required
■ Physical rack space usage
■ Limits to scale
■ Management (resources, firmware)
■ Server security
■ Virtualization support
■ Management effort required
Server growth is consistently rising, which requires more power and drives the need for
energy efficiency in most data center server deployments. Although rack servers are low
cost and provide high performance, they take up space and consume a lot of energy to operate. Because both rack space and power cost money, efficiency gains need to be considered in these areas.
Blade servers provide similar computing power when compared to rack mount servers, but
require less space, power, and cabling. The chassis in most blade servers allows for shared
power, Ethernet LAN, and Fibre Channel SAN connections, which reduce the number of
cables needed.
With both rack-mounted servers and blade servers, server virtualization software provides better utilization of hardware resources, so fewer physical servers are needed to deploy the same workloads, which in turn increases efficiency. Server virtualization also enables server scalability because more rack and cabinet space remains available to deploy new ESX hosts running additional virtual machines.
Server management is a key element of deploying servers, and OEM solutions such as Integrated Lights-Out (iLO) and the VMware Infrastructure Client ease the management of larger server deployments and provide secure remote management capabilities. Because an out-of-band controller such as iLO gives console and power control over the host regardless of the state of its operating system, its interface belongs on a dedicated management network reachable only from administrative hosts, not on a server VLAN.
Data Center Facility Aspects
Multiple facility considerations go into the design and planning for a new data center build-out.
During the planning sessions, data center architectural and mechanical specifications help
define the following:
■
How much space will be available
■
How much load the floor can support
■
The power and cooling capacity that will be available
■
The cabling plant that will be needed and how to manage it
The facility also needs to meet certain environmental conditions, and the data center equipment selection process dictates the operating temperatures and humidity levels that need to be maintained in the data center.
Another important consideration is physical security. Because the data center usually stores data that must be protected from unauthorized parties, access to the site needs to be well controlled and logged. In addition, fire suppression and alarm systems should be in place to protect equipment and data from fire, other natural disasters, and theft.
Because the data center facilities are limited in capacity, they need to be designed properly to allow for the best use of employee space for today and into the future.
Most companies must now adhere to regulatory compliance, including environmental requirements, and provide disaster recovery in some form to enable business continuity.
Data centers need to provide an infrastructure that can recover network communications,
data, and applications and provide high availability.
To build a reliable data center that maximizes the investment, the design needs to be considered early in the building development process. It is important to include team members from several areas of expertise, including telecommunications, power, architectural, and heating, ventilating, and air conditioning (HVAC). The team members need to work together to ensure that the designed systems interoperate most effectively. The design of the data center needs to incorporate current requirements and support future growth.
Careful planning and close attention to design guidelines is crucial for the data center
build out to be successful. Missing critical aspects of the design can cause the data center
to be vulnerable to early obsolescence, which can impact data center availability and lead
to a loss of revenue or increased cost to remediate.
Table 4-2 describes a number of data center facility considerations.
Table 4-2  Summary of Data Center Facility Considerations
Architectural and mechanical specifications: Space available; load capacity; power and cooling capacity; cabling infrastructure
Environmental conditions: Operating temperature; humidity level
Physical security: Access to the site; fire suppression; security alarms
Capacity limits: Space for employees
Compliance and regulation: Payment Card Industry (PCI), Sarbanes-Oxley (SOX), and Health Insurance Portability and Accountability Act (HIPAA)
Data Center Space
The space that the data center occupies makes up the physical footprint and helps answer many questions, including how to size the overall data center, where to position
servers, how to make it flexible for future growth, and how to protect the valuable equipment inside.
The data center space element defines the number of racks for servers and telecommunications equipment that can be installed. The floor loading is affected by the rack weight after the racks are populated with equipment. Careful planning is needed to ensure that the
floor loading is sufficient for current and future needs of the data center.
Selecting the proper size of the data center has a great influence on the cost, longevity, and flexibility of the data center. Although estimating the size of the data center is challenging, it is also critically important that it be done correctly.
Several factors need to be considered, including the following:
■
The number of employees who will be supporting the data center
■
The number of servers and the amount of storage gear and networking equipment
that will be needed
■
The space needed for non-infrastructure areas:
■
Shipping and receiving
■
Server and network staging
■
Storage rooms, break rooms, and bath rooms
■
Employee office space
Keep in mind that if the data center is undersized it will not sufficiently satisfy compute,
storage, and network requirements and will negatively impact productivity and cause additional costs for expansion. On the flip side, a data center that is too spacious is a waste
of capital and recurring operational expenses.
Right-sized data center facilities consider the placement of infrastructure and equipment; if properly planned, the data center can grow and support the organization into the future without costly upgrades or relocations.
Here are some other rack and cabinet space considerations to keep in mind:
■
Weight of the rack and equipment
■
Heat expelled from equipment
■
Amount and type of power needed, including:
■
Automatic transfer switch for equipment that has single power supplies
■
Uninterruptible power supplies (UPS)
■
Redundant power distribution units (PDU)
■
Loading, which determines what and how many devices can be installed
Data Center Power
The power in the data center facility is used to run cooling devices, servers, storage equipment, the network, and some lighting equipment. Cooling the data center requires the most power, followed by servers and storage.
Because many variables make up actual power usage, determining power requirements for equipment in the data center can prove difficult. In server environments, power usage depends on the computing load placed on the server. For example, if the server needs to work harder by processing more data, it has to draw more AC power from the power supply, which in turn creates more heat that needs to be removed.
The desired reliability drives the power requirements, which may include multiple power
feeds from the power utility, UPS, redundant power circuits, and diesel generators. Depending on the options chosen, various levels of power redundancy can affect both capital and recurring operating expenses. Determining the right amount of power redundancy
to meet the requirements takes careful planning to ensure success.
Estimating the power capacity needed involves collecting the requirements for all the current equipment, including the future requirements of the equipment for the data center.
The complete power requirements must encompass the UPS, generators, HVAC, lighting,
and all the network, server, and storage equipment.
Figure 4-4 shows an example of data center power usage.
Figure 4-4  Data Center Power Usage Example (pie chart): Cooling 50%, Server and Storage 26%, Conversion Loss 11%, Network 10%, Lighting 3%
The designed power system should include electrical components such as PDUs, circuit
breaker panels, electrical conduits, and wiring necessary to support the desired amount of
physical redundancy. The power system also needs to provide protection for utility power
failures, power surges, and other electrical problems by addressing the power redundancy
requirements in the design.
Here are some key points related to data center power:
■
Defines the overall power capacity.
■
Provides physical electrical infrastructure and addresses redundancy.
■
Power is consumed by the following:
■
Cooling
■
Servers
■
Storage
■
Network
■
Conversion and lighting
Data Center Cooling
Devices in the data center produce variable amounts of heat depending on the device load. Over time, heat decreases the reliability of data center devices. Cooling is used to control the temperature and humidity of the devices, and it is applied to zones, racks, or individual devices.
Environmental conditions need to be monitored with probes that measure temperature changes, hot spots, and relative humidity.
A major issue with high-density computing is overheating. There are more hot spots, and therefore more heat overall is produced. The increase in heat and humidity threatens equipment life spans. Computing power and memory requirements demand more power and thus generate more heat output. Space-saving servers increase the server density possible in a rack, but keep in mind that density = heat. It might not be a big deal for one chassis at 3 kilowatts (kW), but with five or six such servers per rack, the heat output increases to roughly 20 kW. In addition, humidity levels affect static electricity in the data center, so it is recommended that relative humidity be kept in the range of 40 percent to 55 percent. High levels of static electricity can damage data center equipment.
Proper airflow is required to remove the heat generated by high-density equipment. Sufficient cooling equipment must be available to produce acceptable temperatures within the data center. The cabinets and racks should be arranged in the data center in an alternating pattern of "cold" and "hot" aisles. In the cold aisle, equipment is arranged face to face; in the hot aisle, equipment is arranged back to back. The cold aisle has perforated floor tiles that draw cold air from under the floor into the face of the equipment. This cold air passes through the equipment and is exhausted out the back into the hot aisle. The hot aisle has no perforated tiles, which prevents the hot air from mixing with the cold air.
Figure 4-5 illustrates the alternating pattern of cold and hot aisles along with airflow.
For equipment that does not exhaust heat to the rear, here are some other cooling techniques:
■
Block unnecessary air escapes to increase airflow.
■
Increase the height of the raised floor.
■
Spread out equipment into unused racks.
■
Use open racks rather than cabinets where security is not a concern.
■
Use cabinets with mesh fronts and backs.
■
Use custom perforated tiles with larger openings.
Figure 4-5  Data Center Cold and Hot Aisles (alternating rack rows; the figure labels a +9°F (5°C) temperature rise between the cold and hot aisles)
Note: 1 watt = 3.41214 BTU per hour (BTU/hr). Many manufacturers publish kW, kilovolt-amperes (kVA), and BTU/hr in their equipment specifications. Sometimes dividing the BTU/hr value by 3.413 does not equal the published wattage. Use the manufacturer information if available; if not, this conversion formula can be helpful.
Data Center Heat
Blade server deployments allow for more efficient use of space for servers, which is good,
but there is also an increased amount of heat per server, which requires more cooling to
maintain consistent temperatures.
The data center design must address the increased use of high density servers and the heat
that they produce. During the data center design, considerations for cooling need to be
taken into account for the proper sizing of the servers and the anticipated growth of the
servers along with their corresponding heat output.
Here are some cooling solutions to address the increasing heat production:
■
Increase the number of HVAC units.
■
Increase the airflow through the devices.
■
Increase the space between the racks and rows.
■
Use alternative cooling technologies, such as water-cooled racks.
Data Center Cabling
The cabling in the data center is known as the passive infrastructure. Data center teams
rely on a structured and well-organized cabling plant. Although the active electronics are
crucial for keeping server, storage, and network devices up and running, the physical cabling infrastructure is what ties everything together. The cabling in the data center terminates connections between devices and governs how each device communicates with one
another.
Cabling has several key characteristics, such as the physical connector, media type, and
cable length. Copper and fiber-optic cables are commonly used today.
Fiber-optic cabling allows for longer distances and is less prone to interference than copper. The two main types of optical fiber are single-mode and multi-mode. Copper cabling is widely available, costs less, and generally covers shorter distances (up to 100 meters, about 328 feet). Typical copper cabling found in the data center is CAT 5e/CAT 6 with RJ-45 connectors.
Keep in mind that 10GBASE-T requires Category 6A (CAT 6A) twisted-pair cabling to support distances up to 100 meters.
It is important for cabling to be easy to maintain, abundant, and capable of supporting the various media types and requirements of proper data center operations.
Cable management and simplicity are affected by the following:
■
Media selection
■
Number of connections
■
Type of cable termination organizers
■
Space for cables on horizontal and vertical cable trays
These considerations must be addressed during the data center facility design (for the server, storage, network, and all the associated technologies that are going to be implemented).
Figure 4-6 shows an example of cabling that is out of control.
Figure 4-6  Data Center Cabling the Wrong Way
Figure 4-7 shows the proper way to manage copper cabling.
The cabling infrastructure needs to avoid the following pitfalls:
■
Inadequate cooling due to restricted airflow
■
Outages due to accidental disconnect
■
Unplanned dependencies resulting in more downtime
■
Difficult troubleshooting options
Figure 4-7  Data Center Cabling the Right Way
For example, using under-floor cabling techniques, especially with a high number of
power and data cables can restrict proper airflow. Another disadvantage with this approach is that cable changes require you to lift floor tiles, which changes the airflow and
creates cooling inefficiencies.
One solution is a cable management system above the rack for server connectivity. Cables
should be located in the front or rear of the rack to simplify cable connections. In most
service provider environments, cabling is located in the front of the rack.
Enterprise DC Infrastructure
Today’s enterprise data center design follows the Cisco multilayer architecture, which includes DC core, DC aggregation, and DC access layers. This multitier model is the most
common model used in the enterprise and it supports blade servers, single rack unit (1RU)
servers, and mainframes.
Figure 4-8 provides a high-level overview of an enterprise data center infrastructure.
At the edge of the data center infrastructure is the access layer. The data center access
layer needs to provide physical port density and both Layer 2 and Layer 3 services for
flexible server connectivity options.
The data center aggregation layer ties the DC core and DC access layers together, which
provides hierarchy for security and server farm services. Security services such as access
control lists (ACL), firewalls, and intrusion prevention systems (IPS) should be implemented in the data center aggregation layer. In addition, server farm services such as content switching, caching, and Secure Sockets Layer (SSL) offloading should be deployed in
the data center aggregation. Both the data center aggregation and core layers are commonly implemented in pairs for redundancy, to avoid single points of failure.
Figure 4-8  Enterprise Data Center Infrastructure Overview (Campus Core above the DC Core, DC Aggregation blocks 1 through 4, and the DC Access layer; links are 10 Gigabit Ethernet, Gigabit Ethernet or EtherChannel, and backup links; access examples shown: Layer 2 access with clustering and NIC teaming, blade chassis with pass-through modules, mainframe with OSA, blade chassis with integrated switch, and Layer 3 access with small broadcast domains and isolated servers)
Defining the DC Access Layer
The data center access layer’s main purpose is to provide Layer 2 and Layer 3 physical
port density for various servers in the data center. In addition, data center access layer
switches provide high-performance, low-latency switching and can support a mix of oversubscription requirements. Both Layer 2 and Layer 3 access (also called routed access) designs are available, but most data center access layers are built using Layer 2 connectivity.
The Layer 2 access design uses VLAN trunks upstream, which allows data center aggregation services to be shared across the same VLAN and across multiple switches. Other advantages of Layer 2 access are support for NIC teaming and server clustering that requires
network connections to be Layer 2 adjacent or on the same VLAN with one another.
Figure 4-9 highlights the data center access layer in the overall enterprise architecture.
The Spanning Tree Protocol (STP) manages physical loops that are present in the Layer 2
design. Currently, the recommended STP mode is Rapid per-VLAN Spanning Tree Plus
(RPVST+), which ensures a logical loop-free topology and fast convergence.
Figure 4-9  Data Center Access Layer (the Figure 4-8 topology with the DC Access layer highlighted)
New routed access designs aim to contain Layer 2 locally to avoid the use of the STP.
With routed access designs, the default gateway function needs to be provided because
the access switch becomes the first-hop router in the network.
Designs with both Layer 2 and Layer 3 access provide flexibility for multiple server solutions to be supported, including 1RU servers and modular blade server chassis.
Here are some of the data center access layer benefits:
■
Provides port density for server farms
■
Supports single homed and dual homed servers
■
Provides high-performance, low-latency Layer 2 switching
■
Supports mix of oversubscription requirements
Defining the DC Aggregation Layer
The data center aggregation (distribution) layer aggregates Layer 2/Layer 3 links from the access layer and connects to the data center core over upstream links. Layer 3 connectivity is typically implemented between the data center aggregation and data center core layers. The aggregation layer is a critical point for security and application services. The Layer 4 security and application services in the data center aggregation layer include server load balancing, SSL offloading, firewalling, and IPS. Because these services maintain connection and session state, they are commonly deployed in redundant pairs that synchronize state, using Cisco Catalyst 6500 service modules. This design reduces the total cost of ownership (TCO) and eases management overhead by reducing the number of devices that must be managed.
The highlighted section in Figure 4-10 illustrates the data center aggregation layer.
Figure 4-10  Data Center Aggregation Layer (the Figure 4-8 topology with the DC Aggregation layer highlighted)
Depending on the requirements of the design, the boundary between Layer 2 and Layer 3 can be in the multilayer switches, firewalls, or content switching devices in the aggregation layer. Multiple aggregation layers can be built out to support separate network environments, such as production, test, and PCI infrastructure, each with its own security zone and application services. The first-hop redundancy protocols Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) are commonly used in the aggregation layer. Many aggregation designs position the STP primary and secondary root bridges on the aggregation switches to control the loop-free topology and support a larger STP processing load.
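As an added example (not configuration from the book or from a Cisco design guide), the following Catalyst IOS fragments show how the pieces above fit together for one pair of server VLANs: RPVST+ with the primary and secondary STP root placed on the two aggregation switches, the HSRP active gateway aligned with the primary root so that server traffic does not have to cross the inter-switch link, root guard on the aggregation downlinks so that no access switch can claim the root role, and hardened trunk and server ports on the access switch. The VLAN numbers, IP addresses, interface names, and the HSRP key string are placeholders.

```cisco
! === Aggregation 1 (Catalyst 6500, assumed): STP primary root and HSRP active ===
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary
!
interface Vlan10
 description Server VLAN 10 default gateway (placeholder addressing)
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string HsrpKeyPlaceholder
!
interface GigabitEthernet1/1
 description Downlink to access switch; root guard keeps downstream devices from becoming root
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! === Aggregation 2: STP secondary root and HSRP standby for the same VLANs ===
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root secondary
!
interface Vlan10
 description Server VLAN 10 default gateway (standby)
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string HsrpKeyPlaceholder
!
! === Access switch (Catalyst, assumed): Layer 2 uplinks and server edge ports ===
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface TenGigabitEthernet1/0/1
 description Uplink to Aggregation 1; only the server VLANs are carried, no DTP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/1
 description Server NIC on VLAN 10; edge port, err-disabled if it ever sends a BPDU
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

Verify on either aggregation switch with show spanning-tree vlan 10 (the primary should report itself as root) and show standby brief (the same switch should be HSRP active). The HSRP MD5 key is configured because an unauthenticated HSRP speaker on a server VLAN could otherwise claim the gateway address; the trunk allowed-VLAN list and switchport nonegotiate keep a compromised server from negotiating a trunk into VLANs it has no business on, and BPDU guard shuts a server port that starts sending bridge PDUs.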
Here are some of the data center aggregation layer benefits:
■
Aggregates traffic from DC access and connects to DC core.
■
Supports advanced application and security services.
■
Layer 4 services include firewall, server load balancing, SSL offload, and IPS.
■
Large STP processing load.
■
Highly flexible and scalable.
Defining the DC Core Layer
The data center core connects the campus core to the data center aggregation layer using high-speed Layer 3 links. The core is a centralized Layer 3 routing layer to which one or more data center aggregation layers connect. The data center networks are summarized at the core, and the core injects the default route into the data center aggregation layer. The data center core also needs to support IP multicast to provide connectivity for the growing use of IP multicast applications.
The data center core layer is a best practice component of larger data center networks.
Smaller data centers may use a collapsed core design combining the aggregation layer and
core layers together. However, if you are building a greenfield data center, it is recommended to implement a data center core in the beginning to avoid network downtime
later. Table 4-3 shows some drivers to help you decide whether a data center core is appropriate for your design.
Table 4-3  Data Center Core Drivers
10 Gigabit Ethernet density: Are there enough 10GE ports to connect the campus core to multiple data center aggregation layers?
Administrative domains and policies: Separate cores help to isolate campus distribution from DC aggregation for troubleshooting and for quality of service/access control list (QoS/ACL) policies.
Future growth: The impact and downtime of implementing a core at a later date make it worthwhile to install sufficient core layers in the beginning.
The highlighted section in Figure 4-11 illustrates the data center core layer.
Figure 4-11  Data Center Core Layer (Campus Core, DC Core, Aggregation, and Access; 10 Gigabit Ethernet, Gigabit Ethernet or EtherChannel, and backup links, with the DC Core highlighted)
Here are some of the data center core characteristics:
■
Low-latency switching
■
Distributed forwarding architecture
■
10 Gigabit Ethernet
■
Scalable IP multicast support
Virtualization Overview
As the demand for IT to do more with less while increasing efficiency has risen, virtualization has become a critical component in most enterprise networks. Virtualization technologies allow a physical device to share its resources by acting as multiple versions of
itself. Other forms of virtualization can enable multiple physical devices to logically appear as one.
Virtualization is a critical component of the Cisco network architectures for the enterprise data center and is changing the way data centers are architected. The use of virtualization improves network efficiency, provides enhanced flexibility, and reduces
operational expenses.
Challenges
Network designers face many challenges that are driving the need to deploy virtualization
technologies in the network. Data centers are growing rapidly, and these challenges directly impact the profitability of the business.
Take a look at some of the key driving forces for virtualization adoption in Table 4-4.
Table 4-4  Virtualization Key Drivers
Operational cost: Need to reduce the rising cost of powering and cooling devices in the DC while getting more productivity
Reduce the number of physical devices: DC consolidation of assets performing individual tasks
Traffic isolation: Logical, separate user groups secured from other groups on the same network
Increased performance/price ratio: Eliminate underutilized hardware that exhibits a poor performance/price ratio
Defining Virtualization and Benefits
Virtualization is an umbrella term used to represent several different technologies. Virtualization technologies share a common theme in their ability to abstract logical elements
from hardware (applications or operating systems) or networks (LANs and SANs) and run
them in a virtual state. Virtualization brings many benefits, from consolidation to increased efficiency.
Here are some of the common benefits achieved through virtualization techniques:
■
Better use of computing resources, higher server densities, and simplified server
migrations
■
Provides flexibility for ease of management for adds, reassignments, or repurposing
resources
■
Separation of users groups on the same physical network, enabling traffic isolation
■
Ability to provide per-department security policies
■
Reduction in power and space required
■
Increased uptime and reduced operational costs
Types of Virtualization
Enterprise networks use two main groupings of virtualization technologies, called network virtualization and device virtualization:
■
Network virtualization encompasses logically isolated network segments that share the same physical infrastructure. Each segment operates independently and is logically separate from the other segments. Each network segment appears with its own privacy, security, independent set of policies, QoS levels, and independent routing paths.
Here are some examples of network virtualization technologies:
■
VLAN: Virtual local-area network
■
VSAN: Virtual storage-area network
■
VRF: Virtual routing and forwarding
■
VPN: Virtual private network
■
vPC: Virtual Port Channel
■
Device virtualization allows for a single physical device to act like multiple copies of
itself. Device virtualization enables many logical devices to run independently of
each other on the same physical piece of hardware. The software creates virtual hardware that can function just like the physical network device. Another form of device
virtualization entails using multiple physical devices to act as one logical unit.
Here are some examples of device virtualization technologies:
■
Server virtualization: Virtual machines (VM)
■
Cisco Application Control Engine (ACE) context
■
Virtual Switching System (VSS)
■
Cisco Adaptive Security Appliance (ASA) firewall context
■
Virtual device contexts (VDC)
Virtualization Technologies
Virtualization is built from abstracting logical entities from pooled physical resources.
The Cisco network architectures for the enterprise data center contains many forms of
network and device virtualization technologies.
Figure 4-12 illustrates the many virtualization technologies in use today: virtual machines, Virtual Switching Systems (VSS), Virtual Private Networks (VPN), virtual switches, Virtual Storage Area Networks (VSAN), Virtual Routing and Forwarding (VRF), Virtual Local Area Networks (VLAN), Virtual Port Channels (vPC), and Virtual Device Contexts (VDC).
Figure 4-12  Data Center Virtualization Technologies
VSS
Virtual Switching System (VSS) is a network virtualization technology that allows two
physical Cisco Catalyst 6500 series switches to act as a single logical virtual switch. The
VSS increases operational efficiencies and scales bandwidth up to 1.4 Tb/s. This technology is very similar to StackWise technology used with the Cisco Catalyst 3750 series
product line, which enables switches stacked together to operate as one and use a single
command-line interface (CLI) for management. However, VSS is limited to two physical
chassis connected together.
VRF
Virtual routing and forwarding (VRF) is a routing virtualization technology that creates
multiple logical Layer 3 routing and forwarding instances (route tables) that can function
on the same physical router. In Multiprotocol Label Switching (MPLS) VPN environments,
the use of VRF technology plays a major role by allowing multiple networks to coexist on
the same MPLS network. The routing information is contained inside the VRF and is visible only to routers participating in the same VRF. Because the routing information with
VRF is separated, duplicate IP addressing schemes can be used.
vPC
Virtual Port Channel (vPC) technology works by combining two Cisco Nexus 7000 series
switches or two Cisco Nexus 5000 series switches with 10GE links, which are then represented to other switches as a single logical switch for port channeling purposes. With
present in the physical topology.
Device Contexts
Device contexts enable a single physical network device to host multiple virtual network devices. Each device context is an independent configuration with its own policy, network interfaces, and management accounts. The virtualized contexts that run on a single network device operate similarly to standalone network devices, and most of the features present on the physical device are also supported on the individual device contexts. Note that all contexts on a device share its software image, CPU, and memory, so a context is a configuration and policy boundary rather than an independent failure domain: a software fault or resource exhaustion on the physical device affects every context it hosts.
The following Cisco network devices support the use of device contexts:
■
Cisco Nexus 7000 series switches (VDC)
■
Cisco Adaptive Security Appliance (ASA) firewall
■
Cisco Catalyst 6500 Firewall Services Module (FWSM)
■
Cisco Application Control Engine Appliance
■
Cisco Catalyst 6500 Application Control Engine Module
■
Cisco Intrusion Prevention System (IPS)
Server Virtualization
The use of server virtualization has exploded onto the market over the past several years and can be found in most data center environments. Server virtualization is a software technique that abstracts server resources from the hardware to provide flexibility and to optimize the usage of the underlying hardware. As a result, many data center applications are no longer bound to bare-metal hardware resources.
The server virtualization hypervisor provides the foundation for the virtualized environment on the host. The hypervisor controls the hardware and physical resources that can be allocated to virtual machines running on the host. The VMs are unaware of the physical hardware, but they can use CPUs, memory, and network infrastructure as shared pools made available through the virtualization process.
The following represents several server virtualization vendors and their associated products:
■
VMware ESX Server
■
Citrix XenServer
■
Microsoft Hyper-V
Network Virtualization Design Considerations
Network solutions are needed to solve the challenges of sharing network resources but
keeping users totally separate from one another. Although the users are separate, we still
need to ensure that the network is highly available, secure, and can scale along with the
business growth. Network virtualization offers solutions to these challenges and provides
design considerations around access control, path isolation, and services edge.
Access Control
Access needs to be controlled to ensure that users and devices are identified and authorized for entry to their assigned network segment. Security at the access layer is critical for
protecting the network from threats, both internal and external.
Path Isolation
Path isolation involves the creation of independent logical network paths over a shared network infrastructure. MPLS VPN is an example of a path-isolation technique, where devices are mapped to a VRF to access the correct set of network resources. Other segmentation options include VLANs and VSANs, which logically separate LANs and SANs. The main goal when segmenting the network is to give each segment the same scalability, resiliency, and security services that a non-segmented network would have. Keep in mind that isolation holds only as long as the segments never meet: any point where two VRFs or VLANs are joined, such as a shared services block, a firewall, or a route-leaking configuration, becomes the policy enforcement point and needs to be designed and audited as such.
Services Edge
The services edge refers to making network services available to the intended users, groups, and devices with an enforced, centrally managed policy. Separate groups or devices occasionally need to share information that may be on different VLANs, each with
corresponding group policies. For example, traffic from the sales VLAN might need to
talk to the engineering VLAN, but it needs to go through the firewall to permit the traffic
and might even be tied to certain hours of the day. In such cases, the network should have
a central way to manage the policy and control access to the resources. An effective way
to address policy enforcement is to use an FWSM in a Cisco Catalyst 6500 series switch
providing firewall services for the data center.
Table 4-5 describes network virtualization considerations.
Table 4-5 Network Virtualization Design Considerations

Network Virtualization Consideration   Description
Access control                         Ensures users and devices are recognized, classified, and authorized for entry to their assigned network segments
Path isolation                         Provides independent logical traffic paths over a shared network
Services edge                          Ensures the right services are accessible to the intended users, groups, or devices
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 4-6 lists a reference of these key topics and the page numbers on which each is found.
Table 4-6 Key Topics

Key Topic Element                    Description                                                                                                         Page
Data Center 3.0 Components           Virtualization, Unified Fabric, and Unified Computing                                                               126
Data Center 3.0 Topology Components  Virtualized servers, consolidated connectivity, and network devices                                                 127
Challenges in the DC                 Power, space, security, and management                                                                              127
Data Center Facility Aspects         Architectural and mechanical specifications, environmental conditions, physical security, capacities and compliance  129
Data Center Power                    Cooling, server, storage, and network                                                                               131
Data Center Cabling                  Controls the temperature and humidity of the devices                                                                133
DC Access Layer                      Provides Layer 2 and Layer 3 physical port density for devices                                                      136
DC Aggregation Layer                 Aggregates L2/L3 links from the access layer and connects using upstream links to the data center core              138
DC Core Layer                        Centralized Layer 3 routing layer in which one or more data center aggregation layers connect                       139
Challenges                           Operational cost, traffic isolation, and increased performance/price ratio                                          141
Types of Virtualization              Network and device virtualization                                                                                   142
Virtualization Technologies          VRF, vPC, and VSS                                                                                                   143
Device Contexts                      VDC, ASA, and ACE                                                                                                   144
Services Edge                        Secure network services available to users and groups with centralized managed policy                              145
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
Cisco Nexus 1000V, Cisco Unified Computing System (UCS), Fibre Channel over
Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), data center
space element, power, cabling, data center access, data center aggregation, data
center core, virtualization technologies, network virtualization, device virtualization,
access control, path isolation, services edge
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. Which data center architecture was based on client/server and distributed computing?
a. Data Center 1.0
b. Data Center 2.0
c. Data Center 3.0
d. Data Center 4.0
2. What Cisco Nexus switch helps deliver visibility and policy control for virtual machines (VM)?
a. Nexus 7000
b. Nexus 4000
c. Nexus 2000
d. Nexus 1000V
3. Which of the following is a network adapter that can run at 10GE and support Fibre Channel over Ethernet (FCoE)?
a. CNA
b. VN-Link
c. MDS
d. NAS
4. What is an innovative next-generation data center platform that converges computing, network, storage, and virtualization all together into one system? (Select the best answer.)
a. Cisco MDS
b. Cisco Nexus 7000
c. Cisco Nexus 5000
d. Cisco UCS
5. Which of the following Cisco Nexus switches support virtual device contexts (VDCs)?
a. Cisco Nexus 7000
b. Cisco Nexus 2000
c. Cisco Nexus 5000
d. Cisco Nexus 4000
6. What services option provides an effective way to address firewall policy enforcement in a Cisco Catalyst 6500 series switch?
a. IPS
b. FWSM
c. Nexus 1000V
d. VDCs
7. What has enabled applications to no longer be bound to bare-metal hardware resources?
a. Unified fabric
b. Device virtualization
c. Network virtualization
d. Server virtualization
8. Which of the following supports network virtualization technology that allows two physical Cisco Catalyst 6500 series switches to act as a single logical virtual switch?
a. VN-Link technology
b. Unified fabric
c. Virtual Switching System (VSS)
d. Virtual routing and forwarding (VRF)
9. What enables the spanning-tree topology to appear loop-free although multiple redundant paths are present in the physical topology?
a. vPC
b. VRF
c. VSS
d. VDC
10. Which of the following are data center core layer characteristics? (Select all that apply.)
a. 10GE
b. High-latency switching
c. Distributed forwarding architecture
d. Service modules
11. Which data center layer provides advanced application and security services and has a large STP processing load?
a. Data center access layer
b. Data center aggregation layer
c. Data center services layer
d. Data center core layer
12. Which of the following are drivers for the data center core layer? (Select all that apply.)
a. Future growth
b. 10 Gigabit Ethernet density
c. Services edge
d. Administrative domains and policies
13. Benefits such as port density for server farms, high-performance low-latency Layer 2 switching, and a mix of oversubscription requirements belong to which data center layer?
a. Core
b. Distribution
c. Access
d. Aggregation
14. Cable management is affected by which of the following? (Select all that apply.)
a. Alternative cooling technologies
b. Number of connections
c. Media selection
d. Increase in the number of HVAC units
15. Which of the following best describes how “cold” and “hot” aisles should be arranged in the data center?
a. Hot and cold aisles facing each other
b. Alternating pattern of cold and hot aisles
c. Nonalternating pattern of hot and cold aisles
d. None of the above
16. Within the unified computing resources, what defines the identity of the server?
a. Virtualization
b. Unified fabric
c. Services profile
d. Virtual machines
This chapter covers the following subjects:
■ Wireless LAN Technologies
■ Cisco Unified Wireless Network
■ Wireless LAN Design
CHAPTER 5
Wireless LAN Design
Wireless LANs (WLAN) allow users to connect to network resources and services without using cables. With WLANs, users connect to the network in common areas, away
from their desk, and in areas that do not easily accommodate the installation of wired cabling, such as outdoors and in designated historical sites. This chapter describes WLAN
technologies, design, and Cisco solutions.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The eight-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.
Table 5-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 5-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section       Questions Covered in This Section
Wireless LAN Technologies       1, 2
Cisco Unified Wireless Network  3, 4, 5
Wireless LAN Design             6, 7, 8
1. What technology provides 54 Mbps of bandwidth using UNII frequencies?
a. IEEE 802.11b
b. IEEE 802.11g
c. IEEE 802.11a
d. IEEE 802.11n
e. Both C and D
2. What frequency allotment provides 11 channels for unlicensed use for WLANs in North America?
a. UNII
b. ISM
c. Bluetooth
d. FM
3. What standard is used for control messaging between access points and controllers?
a. IEEE 802.11
b. CSMA/CA
c. IEEE 802.1X
d. CAPWAP
4. Which WLAN controller interface is used for out-of-band management?
a. Management interface
b. Service-port interface
c. AP manager interface
d. Virtual interface
5. How many access points are supported by a Cisco Catalyst 3750 with an integrated controller?
a. 6
b. 50
c. 100
d. 300
6. Which WLAN controller redundancy scheme uses a backup WLC configured as the tertiary WLC in the APs?
a. N+1
b. N+N
c. N+N+1
d. N+N+B
7. What is the recommended maximum number of data devices associated to a WLAN?
a. 8
b. 20
c. 50
d. 100
8. Which device of Cisco’s Wireless Mesh Networking communicates with the rooftop AP (RAP)?
a. WLC
b. WCS
c. RAP
d. MAP
Foundation Topics
Cisco has developed a strategy to address the increasing wireless demands placed on today’s networks. The Cisco Unified Wireless Network (UWN) architecture combines elements of wireless and wired networks to deliver scalable, manageable, and secure WLANs.
Lightweight Access Point Protocol (LWAPP) and Control and Provisioning for Wireless
Access Point (CAPWAP) allow the placement of lightweight access points (LWAP) that are
remotely configured and easily deployable, rather than APs that must be manually configured as autonomous APs. Cisco provides solutions for client roaming, radio frequency management,
and controller designs that make wireless networks scalable. This chapter covers the Cisco
UWN architecture and general WLAN technologies and design.
Wireless LAN Technologies
This section reviews the Institute of Electronics and Electrical Engineers (IEEE) 802.11
WLAN standards, WLAN frequencies, access methods, security, and authentication.
WLAN Standards
WLAN applications include inside-building access, LAN extension, outside building-to-building communications, public access, and small office/home office (SOHO) communications. The first standard for WLANs was IEEE 802.11, approved by the IEEE in 1997.
The current specification is IEEE 802.11-1999, with many amendments thereafter.
IEEE 802.11 implemented WLANs at speeds of 1 Mbps and 2 Mbps using direct sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS) at the
physical layer of the Open Systems Interconnection (OSI) model. DSSS divides data into
separate sections; each section travels over different frequencies at the same time. FHSS
uses a frequency-hopping sequence to send data in bursts. With FHSS, some data transmits at Frequency 1, and then the system hops to Frequency 2 to send more data, and so
on, returning to transmit more data at Frequency 1. The interoperability certification for
IEEE 802.11 WLANs is wireless fidelity (WiFi). The Wireless Ethernet Compatibility
Alliance (WECA) governs the WiFi certification.
In 1999, the 802.11b amendment was introduced, providing an 11-Mbps data rate. It provides speeds of 11, 5.5, 2, and 1 Mbps and uses 11 channels of the Industrial, Scientific,
and Medical (ISM) frequencies. IEEE 802.11b uses DSSS and is backward compatible with
802.11 systems that use DSSS.
The IEEE approved a second standard in 1999. IEEE 802.11a provides a maximum 54-Mbps data rate but is incompatible with 802.11b. It provides speeds of 54, 48, 36, 24, 18,
12, 9, and 6 Mbps. IEEE 802.11a uses 13 channels of the Unlicensed National Information
Infrastructure (UNII) frequencies and is incompatible with 802.11b and 802.11g. IEEE
802.11a is also known as WiFi5.
ible with 802.11b.
The IEEE 802.11n standard was ratified in 2009. It added multiple-input multiple-output
(MIMO) antennas and expected maximum data rate up to 600 Mbps using four spatial
streams, each with a 40-MHz width. In addition to DSSS, it uses orthogonal frequency-division multiplexing (OFDM) as a digital carrier modulation method. IEEE 802.11n uses
both the 2.4-GHz and 5-GHz bands.
ISM and UNII Frequencies
ISM frequencies are set aside by ITU-R radio regulations 5.138 and 5.150. In the United
States, the Federal Communications Commission (15.247) specifies the ISM bands for unlicensed use. ISM bands are specified in the following ranges:
■ 900 MHz to 928 MHz
■ 2.4 GHz to 2.5 GHz
■ 5.75 GHz to 5.875 GHz
Of these, channels located in the 2.4-GHz range are used for 802.11b and 802.11g. As
shown in Figure 5-1, 11 overlapping channels are available for use. Each channel is 22
MHz wide. It is common to use channels 1, 6, and 11 in the same areas because these
three channels do not overlap.
Figure 5-1 ISM 2.4 Channels (figure shows ISM channels 1 through 11 on a frequency axis from 2.402 GHz to 2.483 GHz, with 2.441 GHz marked at the center)
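The channel-overlap rule behind the "use 1, 6, and 11" advice, worked as an added example that is not from the book. It assumes the standard 802.11 2.4-GHz channel plan (channel n centered at 2407 + 5n MHz, each 802.11b/g channel 22 MHz wide) and searches the 11 North American channels for every mutually non-overlapping group.

```python
"""Channel overlap check for the 2.4-GHz ISM band. Added example, not from
the book. Assumes the standard 802.11 2.4-GHz channel plan: channel n is
centered at 2407 + 5n MHz, and each 802.11b/g channel is 22 MHz wide."""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
NORTH_AMERICA_CHANNELS = tuple(range(1, 12))  # the 11 channels available for unlicensed use


def center_mhz(channel):
    """Center frequency of a 2.4-GHz channel: channel 1 = 2412 MHz, channel 11 = 2462 MHz."""
    return 2407 + 5 * channel


def edges_mhz(channel):
    """Lower and upper edge of the 22-MHz wide channel."""
    center = center_mhz(channel)
    return center - CHANNEL_WIDTH_MHZ / 2, center + CHANNEL_WIDTH_MHZ / 2


def overlaps(a, b):
    """Two channels overlap when their centers are closer than one channel width,
    i.e. when they are fewer than five channel numbers (25 MHz) apart."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_sets(size, channels=NORTH_AMERICA_CHANNELS):
    """Every group of `size` channels in which no pair overlaps."""
    return [group for group in combinations(channels, size)
            if not any(overlaps(a, b) for a, b in combinations(group, 2))]


def largest_non_overlapping_sets(channels=NORTH_AMERICA_CHANNELS):
    """The largest groups of mutually non-overlapping channels; with the 11 ISM
    channels this is the single triple (1, 6, 11) the text recommends."""
    for size in range(len(channels), 0, -1):
        groups = non_overlapping_sets(size, channels)
        if groups:
            return groups
    return []


def interfering_neighbors(channel, channels=NORTH_AMERICA_CHANNELS):
    """Channels a given channel would interfere with if used in the same area."""
    return [other for other in channels if other != channel and overlaps(channel, other)]


if __name__ == "__main__":
    for ch in NORTH_AMERICA_CHANNELS:
        low, high = edges_mhz(ch)
        print(f"channel {ch:2d}: {low:.0f}-{high:.0f} MHz")
    print("non-overlapping sets:", largest_non_overlapping_sets())  # [(1, 6, 11)]
```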
The UNII radio bands were specified for use with 802.11a wireless. UNII operates over
three ranges:
■ UNII 1: 5.15 GHz to 5.25 GHz and 5.25 GHz to 5.35 GHz.
■ UNII 2: 5.47 GHz to 5.725 GHz. This range is used by High Performance Radio LAN (HiperLAN) in Europe.
■ UNII 3: 5.725 GHz to 5.875 GHz. This range overlaps with ISM.
UNII provides 12 nonoverlapping channels for 802.11a.
Summary of WLAN Standards
Table 5-2 summarizes WLAN standards, frequencies, and data rates.
Table 5-2 WLAN Standards Summary

IEEE Protocol  Standard Release Date  Frequency    Typical Data Rate  Maximum Data Rate
Legacy         1997                   ISM          1 Mbps             2 Mbps
802.11a        1999                   UNII         25 Mbps            54 Mbps
802.11b        1999                   ISM          6.5 Mbps           11 Mbps
802.11g        2003                   ISM          25 Mbps            54 Mbps
802.11n        2009                   ISM or UNII  200 Mbps           600 Mbps
Service Set Identifier
WLANs use a service set identifier (SSID) to identify the WLAN’s “network name.” The
SSID can be 2 to 32 characters long. All devices in the WLAN must have the same configured SSID to communicate. It is similar to a VLAN identifier in a wired network. The difficulty in large networks is configuring the SSID, frequency, and power settings for
hundreds of remotely located access points. Cisco addresses this problem with the Cisco
Wireless Control System (WCS). WCS is covered in more detail in the “Cisco UWN Architecture” section.
WLAN Layer 2 Access Method
The IEEE 802.11 Media Access Control (MAC) layer implements carrier sense multiple access collision avoidance (CSMA/CA) as an access method. With CSMA/CA, each WLAN
station listens to see whether a station is transmitting. If no activity is occurring, the station transmits. If activity is occurring, the station uses a random countdown timer. When
the timer expires, the station transmits. The difference from wired networks is that in
wired networks collisions are detected on the physical wire; hence CSMA/CD (collision
detection) is used.
WLAN Security
WLANs provide an effective solution for hard-to-reach locations and enable mobility to a
level that was previously unattainable. However, the reach of wireless beyond physical
connections and boundaries presents additional security concerns. Several standards have
been developed to address these security concerns. The Wired Equivalent Privacy (WEP)
security protocol, used in the IEEE 802.11b standard, is considered faulty and vulnerable
to numerous attacks. The 802.11b protocol is the most commonly deployed wireless protocol, and WEP’s flawed handling of the encryption key left it vulnerable to attack.
In June 2004, the IEEE 802.11i standard was ratified to provide additional security in
WLAN networks. It supersedes WEP security, and introduces the 4-way Handshake and
the Group Key Handshake. IEEE 802.11i is also known as WiFi Protected Access 2
(WPA2) and Robust Security Network (RSN). The 802.11i architecture contains the following components:
■ 4-Way Handshake and Group Key Handshake. Both use 802.1X for authentication (entailing the use of Extensible Authentication Protocol [EAP] and an authentication server).
■ Robust Security Network (RSN) for the establishment and tracking of robust security network associations.
■ Advanced Encryption Standard (AES) for confidentiality, integrity, and origin authentication.
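The 4-Way Handshake listed above, modeled as an added example that is not from the book: both sides derive the pairwise transient key (PTK) from the PMK and the exchanged nonces, and the AP accepts message 2 only if its MIC verifies, so the station proves it holds the PMK without the PMK ever crossing the air. The PMK, MAC addresses and nonces are constructed test values; the key sizes assume CCMP (AES) and the MIC assumes the HMAC-SHA1 form used with the WPA2 PSK/802.1X AKM suite.

```python
"""Model of the 802.11i (WPA2/RSN) 4-Way Handshake key derivation and the
message-2 MIC check. Added example, not from the book; PMK, MAC addresses
and nonces are constructed test values. Assumes CCMP (AES) key sizes and
the HMAC-SHA1 EAPOL-Key MIC used with AKM suite 00-0F-AC:2."""
import hashlib
import hmac
import os

PTK_LABEL = b"Pairwise key expansion"
PTK_LEN_CCMP = 48  # KCK (16) + KEK (16) + TK (16) bytes for AES-CCMP


def prf(key, label, data, length):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, label, Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    AA is the authenticator (AP) MAC and SPA the supplicant (station) MAC; the
    min/max ordering makes both sides build the same input regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, PTK_LEN_CCMP)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def key_mic(kck, eapol_key_frame):
    """EAPOL-Key MIC: HMAC-SHA1 under the KCK over the frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk, sta_pmk, aa, spa, anonce=None, snonce=None):
    """Run messages 1 and 2. Returns (mic_ok, ap_ptk, sta_ptk). The AP only
    learns that the station holds the same PMK through the MIC check."""
    anonce = anonce or os.urandom(32)  # message 1: AP -> STA, carries ANonce in the clear
    snonce = snonce or os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Constructed stand-in for the EAPOL-Key message 2 fields that the MIC covers.
    msg2 = b"EAPOL-Key:msg2:" + snonce + b":RSN-IE"
    mic = key_mic(sta_ptk["kck"], msg2)  # message 2: STA -> AP, carries SNonce + MIC
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(key_mic(ap_ptk["kck"], msg2), mic)
    return mic_ok, ap_ptk, sta_ptk


if __name__ == "__main__":
    pmk = os.urandom(32)  # constructed; a real PMK comes from EAP or the PSK
    aa = bytes.fromhex("001122334455")
    spa = bytes.fromhex("66778899aabb")
    ok, ap_ptk, sta_ptk = four_way_handshake(pmk, pmk, aa, spa)
    print("same PMK: MIC verified =", ok, ", PTKs match =", ap_ptk == sta_ptk)
    ok, _, _ = four_way_handshake(pmk, os.urandom(32), aa, spa)
    print("different PMK: MIC verified =", ok)
```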
Unauthorized Access
A problem that confronts WLANs comes from the fact that wireless signals are not easily
controlled or contained. WEP works at the data link layer, sharing the same key for all
nodes that communicate. The 802.11 standard was deployed because it allowed bandwidth speed up to 11 Mbps and it is based on DSSS technology. DSSS also enables APs to
identify WLAN cards via their MAC addresses. Because traditional physical boundaries
do not apply to wireless networks, attackers can gain access using wireless from outside
the physical security perimeter. Attackers achieve unauthorized access if the wireless network does not have a mechanism to compare a MAC address on a wireless card to a database
that contains a directory with access rights. An individual can roam within an area, and each
AP that comes into contact with that card must also rely on a directory. Statically allowing
access via a MAC address is also unsecure because MAC addresses can be spoofed.
Some APs can implement MAC address and protocol filtering to enhance security or limit
the protocols used over the WLAN. With hundreds of WLAN clients, MAC address filtering is not a scalable solution. Again, attackers can hack MAC address filtering. A user
can listen for transmissions, gather a list of MAC addresses, and then use one of those
MAC addresses to connect to the AP. This is why additional security protocols such as
WEP, WPA, and WPA2 have to be implemented so that the attacker has to attempt to
crack the security keys to gain access.
WLAN Security Design Approach
The WLAN security design approach makes two assumptions, which this chapter describes. The assumptions are that all WLAN devices are connected to a unique IP subnet
and that most services available to the wired network are also available to the wireless
nodes. Using these two assumptions, the WLAN security designs offer two basic security
approaches:
■ Use of EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) to secure authentication
■ the WLAN to the wired network
Considering WLAN as an alternative access methodology, remember that the services
these WLAN users access are often the same as those accessed by the wired users.
WLANs potentially open many new attack vectors for hackers, and you should consider
the risks before deployment.
To enhance security, you can implement WLANs with IPsec VPN software, use the IEEE
802.1X-2001 port-based access control protocol, and use WPA.
IEEE 802.1X-2001 Port-Based Authentication
IEEE 802.1X-2001 is a port-based authentication standard for LANs. It authenticates a
user before allowing access to the network. You can use it on Ethernet, Fast Ethernet, and
WLAN networks.
With IEEE 802.1X-2001, client workstations run client software to request access to services. Clients use EAP to communicate with the LAN switch. The LAN switch verifies
client information with the authentication server and relays the response to the client.
LAN switches use a Remote Authentication Dial-In User Service (RADIUS) client to communicate with the server. The RADIUS authentication server validates the client’s identity
and authorizes the client. But note that it does not provide encryption privacy. The server
uses RADIUS with EAP extensions to make the authorization.
Dynamic WEP Keys and LEAP
Cisco also offers dynamic per-user, per-session WEP keys to provide additional security
over statically configured WEP keys, which are not unique per user. For centralized user-based authentication, Cisco developed LEAP. LEAP uses mutual authentication between
the client and the network server and uses IEEE 802.1X for 802.11 authentication messaging. LEAP can be used with the Temporal Key Integrity Protocol (TKIP) rather than
WEP to overcome the weaknesses of WEP. LEAP uses a RADIUS server to manage user
information.
LEAP is a combination of 802.1X and EAP. It combines the capability to authenticate to
various servers such as RADIUS with forcing the WLAN user to log on to an access point
that compares the logon information to RADIUS. This solution is more scalable than
MAC address filtering.
Because the WLAN access depends on receiving an address, using Dynamic Host
Configuration Protocol (DHCP), and the authentication of the user using RADIUS,
the WLAN needs constant access to these back-end servers. In addition, LEAP does
not support one-time passwords (OTP), so you must use good password-security
practices. The password issue and maintenance practice are a basic component of
corporate security policy.
Controlling WLAN Access to Servers
In the same way you place Domain Name System (DNS) servers accessible via the Internet
on a demilitarized zone (DMZ) segment, you should apply a similar strategy to the RADIUS and DHCP servers accessible to the WLAN. These servers should be secondary
Access to this VLAN is filtered. Such placement ensures that any attacks launched on
these servers are contained within that segment.
You should control network access to the servers. Consider the WLAN an unsecured segment and apply appropriate segmentation and access lists. Such a step ensures that WLAN
access is controlled and directed to only those areas that need it. For example, you might
not want to permit WLAN access to management servers and HR servers.
You must also protect these servers against network attack. The criticality of these servers
makes them an ideal target for denial-of-service (DoS) attacks. Consider using network-based intrusion detection systems (IDS) to detect network attacks against these devices.
Cisco Unified Wireless Network
This section covers the Cisco Unified Wireless Network (UWN) architecture, Control
and Provisioning for Wireless Access Point (CAPWAP), WLAN controller components,
roaming, and mobility groups. Cisco UWN components provide scalable WLAN solutions using WLAN controllers to manage LWAPs. The CCDA must understand how these
components work with each other, how they scale, and how roaming and mobility
groups work.
Cisco UWN Architecture
With the explosion of wireless solutions in and out of the enterprise, designers must create solutions that provide mobility and business services while maintaining network security. The Cisco UWN architecture combines elements of wireless and wired networks to
deliver scalable, manageable, and secure WLANs. As shown in Figure 5-2, the Cisco
UWN architecture is composed of five network elements:
■ Client devices: These include laptops, workstations, IP phones, PDAs, and manufacturing devices to access the WLAN.
■ Access points: These devices provide access to the wireless network. APs are placed in strategic locations to minimize interference.
■ Network unification: The WLAN system should be able to support wireless applications by providing security policies, QoS, intrusion prevention, and radio frequency (RF) management. Cisco WLAN controllers provide this functionality and integration into all major switching and routing platforms.
■ Network management: The Cisco Wireless Control System (WCS) provides a central management tool that lets you design, control, and monitor wireless networks.
■ Mobility services: These include guest access, location services, voice services, and threat detection and mitigation.
Cisco UWN provides the following benefits:
■ Reduced total cost of ownership (TCO)
■ Enhanced visibility and control
■ Dynamic RF management
■ WLAN security
■ Unified wired and wireless network
■ Enterprise mobility
■ Enhanced productivity and collaboration
Figure 5-2 Cisco UWN Architecture (figure shows clients, access points including mesh APs, the unified network, network management, and mobility services)
Table 5-3 covers Cisco UWN architecture.
Table 5-3 Cisco UWN Architecture

Cisco UWN Element    Description
Client devices       These include laptops, workstations, IP phones, PDAs, and manufacturing devices to access the WLAN.
Access points        Provide access to the network.
Network unification  The WLAN system should be able to support wireless applications by providing security policies, QoS, intrusion prevention, RF management, and wireless controllers.
Network management   Cisco Wireless Control System (WCS) provides a central management tool that lets you design, control, and monitor wireless networks.
Mobility services    Include guest access, location services, voice services, and threat detection and mitigation.
LWAPP
Lightweight Access Point Protocol (LWAPP) is a draft Internet Engineering Task Force
(IETF) standard for control messaging for setup, authentication, and operations between
APs and WLAN controllers (WLC).
In the LWAPP RFC draft, LWAPP control messages can be transported in Layer 2 tunnels
or Layer 3 tunnels. Layer 2 LWAPP tunnels were the first method developed, in which the
APs did not require an IP address. The disadvantage of Layer 2 LWAPP was that the WLC
needed to be on every subnet on which the AP resides. Layer 2 LWAPP is a deprecated solution for Cisco. Layer 3 LWAPP is the preferred solution. In the configuration, Layer 2 or
Layer 3 transport modes can be selected. When set to Layer 3, LWAPP uses IP addresses
to communicate with the access points; these IP addresses are obtained from a mandatory
DHCP server. When set to Layer 2, LWAPP uses proprietary code to communicate
with the access points.
Note: Layer 2 LWAPP tunnels use EtherType code 0xBBBB. Layer 3 LWAPP uses UDP
ports 12222 and 12223.
As shown in Figure 5-3, Layer 3 LWAPP tunnels are used between the LWAP and the
WLC. Messages from the WLC use User Datagram Protocol (UDP) port 12223 for control
and UDP port 12222 for data messages. In this solution, APs require an IP address, but the
WLC does not need to reside on the same segment.
Figure 5-3 Layer 3 LWAPP (figure shows wireless clients, two LWAPs, Layer 3 LWAPP tunnels across the wired network, and the WLC)
CAPWAP
Control and Provisioning for Wireless Access Point (CAPWAP) is an IETF standard for
control messaging for setup, authentication, and operations between APs and WLCs. In
Controller Software 5.2, Cisco LWAPs use CAPWAP communication between the WLC
and LWAPs. CAPWAP is similar to LWAPP except for the following differences:
■ CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES.
■ CAPWAP has a dynamic maximum transmission unit (MTU) discovery mechanism.
■ CAPWAP control messages run over UDP 5246.
■ CAPWAP data messages use UDP 5247.
CAPWAP uses a Layer 3 tunnel between the LWAP and the WLC. Figure 5-4 shows the
architecture. The APs obtain an IP address via DHCP. On the AP side, the control and data
messages use an ephemeral UDP port that is derived from a hash of the AP MAC address. CAPWAP uses UDP port 5247 for data messages and UDP port 5246 for control messages.
Figure 5-4 CAPWAP Tunnel (figure shows wireless clients, an LWAP, a Layer 3 CAPWAP tunnel across the wired infrastructure, and the WLC)
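Recognizing the AP-to-WLC tunnels in flow data, as an added example that is not from the book or from Cisco: it classifies flows by the LWAPP and CAPWAP ports (and the Layer 2 LWAPP EtherType) given above, then flags tunnel traffic that reaches the WLC from outside the subnets where LWAPs are deployed. The WLC address, AP subnet and flow records are constructed from RFC 5737 documentation ranges.

```python
"""Identify LWAPP and CAPWAP tunnel traffic in flow records and flag tunnel
traffic reaching the WLC from outside the subnets where LWAPs are deployed.
Added example, not from the book or from Cisco; the addresses and flow
records are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port assignments from the LWAPP and CAPWAP sections. The WLC listens on the
# well-known port; the AP side uses an ephemeral port.
TUNNEL_PORTS = {
    12223: "LWAPP control",
    12222: "LWAPP data",
    5246: "CAPWAP control",
    5247: "CAPWAP data",
}
LWAPP_L2_ETHERTYPE = 0xBBBB  # Layer 2 LWAPP, deprecated but still worth recognizing
IPV4_ETHERTYPE = 0x0800


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ethertype: int = IPV4_ETHERTYPE


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src dst proto sport dport [ethertype-hex]'."""
    parts = line.split()
    ethertype = int(parts[5], 16) if len(parts) > 5 else IPV4_ETHERTYPE
    return Flow(parts[0], parts[1], parts[2].lower(), int(parts[3]), int(parts[4]), ethertype)


def classify(flow: Flow) -> Optional[str]:
    """Return the tunnel type, or None when the flow is not AP-to-WLC tunnel traffic."""
    if flow.ethertype == LWAPP_L2_ETHERTYPE:
        return "LWAPP Layer 2 control"
    if flow.proto != "udp":
        return None
    return TUNNEL_PORTS.get(flow.dport) or TUNNEL_PORTS.get(flow.sport)


def audit(lines: List[str], wlc_ip: str, ap_subnets: List[str]) -> List[Tuple[str, Flow]]:
    """Tunnel flows addressed to the WLC whose source is not in a designated LWAP
    subnet: candidate misplaced APs or join attempts that deserve a look."""
    wlc = ipaddress.ip_address(wlc_ip)
    nets = [ipaddress.ip_network(net) for net in ap_subnets]
    findings = []
    for line in lines:
        flow = parse_flow(line)
        kind = classify(flow)
        if kind is None or flow.ethertype == LWAPP_L2_ETHERTYPE:
            continue  # Layer 2 LWAPP carries MACs, not IPs; out of scope for the subnet check
        if ipaddress.ip_address(flow.dst) != wlc:
            continue
        if not any(ipaddress.ip_address(flow.src) in net for net in nets):
            findings.append((kind, flow))
    return findings


# Constructed sample records: src dst proto sport dport
SAMPLE_FLOWS = [
    "192.0.2.10 198.51.100.5 udp 40123 5246",   # LWAP joining its WLC (CAPWAP control)
    "192.0.2.10 198.51.100.5 udp 40124 5247",   # same LWAP, CAPWAP data
    "192.0.2.11 198.51.100.5 udp 51000 12223",  # older AP still on LWAPP control
    "203.0.113.7 198.51.100.5 udp 42000 5246",  # CAPWAP control from outside the AP subnet
    "192.0.2.10 198.51.100.9 tcp 44000 443",    # unrelated HTTPS flow
]

if __name__ == "__main__":
    for kind, flow in audit(SAMPLE_FLOWS, "198.51.100.5", ["192.0.2.0/24"]):
        print(f"{kind} to the WLC from {flow.src}, which is outside the LWAP subnets")
```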
Cisco Unified Wireless Network Split-MAC Architecture
With the Cisco UWN split-MAC operation, the control and data messages are split.
LWAPs communicate with the WLCs using control messages over the wired network.
LWAPP or CAPWAP data messages are encapsulated and forwarded to and from wireless
clients. The WLC manages multiple APs, providing configuration information and
firmware updates as needed.
LWAP MAC functions are
■ 802.11: Beacons, probe response
■ 802.11 Control: Packet acknowledgment and transmission
■ 802.11e: Frame queuing and packet prioritization
■ 802.11i: MAC layer data encryption/decryption
Controller MAC functions are
■ 802.11 MAC Management: Association requests and actions
■ 802.11e Resource Reservation: To reserve resources for specific applications
■ 802.11i: Authentication and key management
Local MAC
CAPWAP supports local MAC. Local MAC moves the MAC management from the WLC
to the local AP. This allows for termination of client traffic at the wired port of the AP. The
functionality is useful for small and remote branch offices, which would not require a WLC.
LWAP MAC functions are
■ 802.11: Beacons, probe response
■ 802.11 Control: Packet acknowledgment and transmission
■ 802.11e: Frame queuing and packet prioritization
■ 802.11i: MAC layer data encryption/decryption
■ 802.11 MAC Management: Association requests and actions
Controller MAC functions are
■ 802.11: Proxy association requests and actions
■ 802.11e Resource Reservation: To reserve resources for specific applications
■ 802.11i: Authentication and key management
Figure 5-5 shows the difference between an autonomous AP and a CAPWAP using WLC.
Autonomous APs act as a 802.1Q translational bridge with a trunk to the LAN switch. In
CAPWAP with WLC, the AP uses a CAPWAP tunnel, and the WLC establishes the
802.1Q trunk to the LAN switch.
AP Modes
APs operate in one of six different modes:
■
Local mode: This is the default mode of operation. In this mode, every 180 seconds
the AP measures noise floor and interference, and scans for IDS events. This scanning
activity occurs on unused channels and lasts for 60 milliseconds.
■
Hybrid Remote Edge AP (H-REAP) mode: This mode enables an LWAP to reside
across a WAN link and still be able to communicate with the WLC and provide the
Key
Topic
supported on Cisco 1130, 1140, 1240AB, and 1250AG series LWAPs.
Figure 5-5 Autonomous AP Versus CAPWAP AP with WLC (figure shows an autonomous AP trunking the Data, Voice, and Management VLANs to the L3 switch, versus an LWAP with a Layer 3 CAPWAP tunnel to the WLC, where the WLC trunks the Data, Voice, and Management VLANs to the L3 switch)
■ Monitor mode: Monitor mode is a feature designed to allow specified CAPWAP-enabled APs to exclude themselves from handling data traffic between clients and the infrastructure. They instead act as dedicated sensors for location-based services (LBS), rogue AP detection, and intrusion detection (IDS). When APs are in Monitor mode, they cannot serve clients and continuously cycle through all configured channels, listening to each channel for approximately 60 ms.
■ Rogue detector mode: LWAPs that operate in Rogue Detector mode monitor for rogue APs. They do not transmit or contain rogue APs. The idea is that the rogue detector (RD) should be able to see all the VLANs in the network, because rogue APs can be connected to any of the VLANs in the network. (Therefore, we connect it to a trunk port.) The LAN switch sends all the rogue AP/client MAC address lists to the RD. The RD then forwards those to the WLC to compare with the MAC addresses of clients that the WLC APs have heard over the air. If the MAC addresses match, the WLC knows that the rogue AP to which those clients are connected is on the wired network.
■ Sniffer mode: A CAPWAP AP that operates in Sniffer mode functions as a sniffer and
strength, packet size, and so on. The Sniffer feature can be enabled only if you run AiroPeek, a third-party network analyzer software that supports decoding of data packets.
■ Bridge mode: The Bridge mode feature on the Cisco 1130 and 1240 series (typically indoor usage) and 1500 APs (typically outdoor mesh usage) provides cost-effective, high-bandwidth wireless bridging connectivity. Applications supported are point-to-point bridging, point-to-multipoint bridging, point-to-point wireless access with integrated wireless backhaul, and point-to-multipoint wireless access with integrated wireless backhaul.
Table 5-4 summarizes the AP modes.
Table 5-4 Access Point Modes
AP Mode              Description
Local mode           The default mode of operation.
H-REAP mode          For remote LWAP management across WAN links.
Monitor mode         The APs exclude themselves from handling data traffic and dedicate themselves to location-based services (LBS).
Rogue Detector mode  Monitors for rogue APs.
Sniffer mode         Captures and forwards all packets to a remote sniffer.
Bridge mode          For point-to-point and point-to-multipoint solutions.
LWAPP Discovery of WLC
When LWAPs are placed on the network, they first perform DHCP discovery to obtain an
IP address. Then Layer 3 LWAPP discovery is attempted. If there is no WLC response, the
AP reboots and repeats this process. The Layer 3 LWAPP discovery algorithm is as follows:
1. The AP sends a Layer 3 LWAPP discovery request.
2. All WLCs that receive the discovery request reply with a unicast LWAPP discovery
response message.
3. The AP compiles a list of WLCs.
4. The AP selects a WLC based on certain criteria.
5. The AP validates the selected WLC and sends an LWAPP join response. An encryption key is selected, and future messages are encrypted.
Layer 3 discovery requests are sent as listed:
■ Local subnet broadcast
■ Unicast LWAPP discovery requests to WLC IP addresses advertised by other APs
■ To previously stored WLC IP addresses
■ To IP addresses learned by DHCP option 43
■ To IP addresses learned by DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain
The selected WLC is based on the following:
■ Previously configured primary, secondary, or tertiary WLCs
■ The WLC configured as the master controller
■ The WLC with the most capacity for AP associations
For controllers that have a CAPWAP image, the AP uses the following process:
1. The CAPWAP AP starts the discovery process to find the controller by using a CAPWAP request. The WLC responds with a CAPWAP response.
2. If a CAPWAP response is not received after 60 seconds, the AP starts the discovery
process using LWAPP discovery.
3. If the AP cannot find a controller using LWAPP within 60 seconds, it returns to step 1.
WLC selection by a CAPWAP is a design decision. This is configurable in the WLC. The
AP selects the WLC to create a CAPWAP tunnel based on the information configured in
the WLC. The WLC responses contain controller sysName, controller type, controller AP
capacity and load, the master controller status, and the AP manager IP addresses. The AP
selects one or several WLCs to send a CAPWAP tunnel request based on Table 5-5. The
WLC validates the AP and sends a CAPWAP tunnel response, an encryption key is derived, and future messages are encrypted. The AP then selects one WLC and sends a join
request.
Table 5-5 WLAN Controller Platforms
Order   WLC
First   Primary sysName (preconfigured)
Second  Second sysName (preconfigured)
Third   Tertiary sysName (preconfigured)
Fourth  Master controller
Fifth   WLC with greatest capacity for AP associations
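To make the Table 5-5 order concrete, here is an added Python model of how an AP could rank the discovery responses it has collected; it is illustrative code written for this section, not Cisco's implementation. The response fields follow the text, while the DiscoveryResponse and ApConfig types, the constructed WLC-A/B/C sample responses, and the reading of "greatest capacity for AP associations" as capacity minus current load are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DiscoveryResponse:
    """Fields the text says a WLC returns in its discovery response."""
    sysname: str        # controller sysName
    ap_capacity: int    # AP capacity of the platform
    ap_load: int        # APs currently joined (controller load)
    is_master: bool     # master controller status


@dataclass(frozen=True)
class ApConfig:
    """Controller sysNames preconfigured on the AP; any may be unset."""
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def select_wlc(responses: List[DiscoveryResponse],
               cfg: ApConfig) -> Tuple[Optional[str], str]:
    """Pick the WLC to send the join request to, in Table 5-5 order.

    Returns (sysName or None, reason).  The fifth rule, "greatest capacity
    for AP associations", is read here as the largest remaining capacity
    (capacity minus load); that reading is an assumption of this example.
    """
    if not responses:
        return None, "no discovery responses received"
    by_name = {r.sysname: r for r in responses}
    # Rules 1-3: preconfigured primary, secondary, tertiary sysName.
    for rank, name in (("primary", cfg.primary),
                       ("secondary", cfg.secondary),
                       ("tertiary", cfg.tertiary)):
        if name is not None and name in by_name:
            return name, f"preconfigured {rank} sysName"
    # Rule 4: a controller flagged as master.
    masters = [r for r in responses if r.is_master]
    if masters:
        return masters[0].sysname, "master controller"
    # Rule 5: the controller with the most room for more APs.
    best = max(responses, key=lambda r: r.ap_capacity - r.ap_load)
    return best.sysname, "greatest remaining AP capacity"


def is_deterministic(cfg: ApConfig) -> bool:
    """True when the AP has at least a primary controller configured, so the
    outcome does not depend on rules 4 and 5 (the dynamic behaviour)."""
    return cfg.primary is not None


# Constructed sample responses (not captured from real controllers).
SAMPLE = [
    DiscoveryResponse("WLC-A", ap_capacity=100, ap_load=90, is_master=False),
    DiscoveryResponse("WLC-B", ap_capacity=50, ap_load=10, is_master=True),
    DiscoveryResponse("WLC-C", ap_capacity=25, ap_load=0, is_master=False),
]

if __name__ == "__main__":
    for cfg in (ApConfig(primary="WLC-C"),
                ApConfig(primary="WLC-Z", secondary="WLC-A"),
                ApConfig()):
        print(cfg, "->", select_wlc(SAMPLE, cfg),
              "deterministic:", is_deterministic(cfg))
```

With no names preconfigured and no master, the AP lands on whichever controller has the most room, which is why the text treats that case as the less predictable dynamic design.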
WLAN Authentication
Wireless clients first associate to an AP. Then wireless clients need to authenticate with an
authentication server before the AP allows access to services. As shown in Figure 5-6, the
authentication server resides in the wired infrastructure. An EAP/RADIUS tunnel occurs
between the WLC and the authentication server. Cisco’s Secure Access Control Server
(ACS) using EAP is an example of an authentication server.
Figure 5-6 WLAN Authentication (wireless client as supplicant, LWAP with CAPWAP tunnel to the WLC as authenticator, EAP/RADIUS tunnel from the WLC to the Secure ACS authentication server; 802.1x authentication, key management, key distribution, and secure data flow)
Authentication Options
Wireless clients communicate with the authentication server using EAP. Each EAP type
has advantages and disadvantages. Trade-offs exist between the security provided, EAP
type manageability, the operating systems supported, the client devices supported, the
client software and authentication messaging overhead, certificate requirements, user ease
of use, and WLAN infrastructure device support. The following summarizes the authentication options:
■ EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that is well-supported among wireless vendors but rarely deployed. It uses Public Key Infrastructure (PKI) to secure communications to the RADIUS authentication server using TLS and digital certificates.
■ Protected Extensible Authentication Protocol (PEAP) is a joint proposal by Cisco Systems, Microsoft, and RSA Security as an open standard. PEAP/MSCHAPv2 is the most common version, and it is widely available in products and widely deployed. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication. PEAP-GTC allows more generic authentication to a number of databases such as Novell Directory Services (NDS).
■ EAP-Tunneled TLS (EAP-TTLS) was co-developed by Funk Software and Certicom.
cates only on the authentication server.
■ Cisco Lightweight Extensible Authentication Protocol (LEAP) is an early proprietary EAP method supported in the Cisco Certified Extensions (CCX) program. It is vulnerable to dictionary attacks.
■ EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) is a proposal by Cisco Systems to fix the weaknesses of LEAP. EAP-FAST uses a Protected Access Credential (PAC), and use of server certificates is optional. EAP-FAST has three phases. Phase 0 is an optional phase in which the PAC can be provisioned manually or dynamically. In Phase 1, the client and the AAA server use the PAC to establish the TLS tunnel. In Phase 2, the client sends user information across the tunnel.
WLAN Controller Components
The CCDA candidate must understand the three major components of WLCs:
■ WLANs
■ Interfaces
■ Ports
WLANs are identified by unique SSID network names. The WLAN is a logical entity. Each
WLAN is assigned to an interface in the WLC. Each WLAN is configured with radio policies, quality of service (QoS), and other WLAN parameters.
A WLC interface is a logical connection that maps to a VLAN on the wired network. Each
interface is configured with a unique IP address, default gateways, physical ports, VLAN
tag, and DHCP server.
Table 5-6 covers WLC components.
Table 5-6 WLC Components
WLC Component  Description
WLAN           Identified by a unique SSID and assigned to an interface
Interface      A logical connection that maps to a VLAN in the wired network
Port           A physical connection to the wired LAN
The port is a physical connection to the neighboring switch or router. By default, each
port is an IEEE 802.1Q trunk port. There may be multiple ports on a WLC into a single
port-channel interface. These ports can be aggregated using link aggregation (LAG). Some
WLCs have a service port that is used for out-of-band management. Figure 5-7 shows the
WLC components.
WLC Interface Types
A WLC has five interface types:
■ Management interface (static, configured at setup, mandatory) is used for in-band
■ Service-port interface (static, configured at setup, optional) is used for out-of-band management. It is an optional interface that is statically configured.
■ AP manager interface (static, configured at setup, mandatory except for 5508 WLC) is used for Layer 3 discovery and association. It has the source IP address of the AP that is statically configured.
■ Dynamic interface (dynamic) is analogous to VLANs and is designated for WLAN client data.
■ Virtual interface (static, configured at setup, mandatory) is used for Layer 3 security authentication, DHCP relay support, and mobility management.
Figure 5-7 WLAN Controller Components (WLAN1 through WLANn, each with its SSID, mapped to dynamic interfaces 1 through n, which map to VLANs a, b, n, and m on the physical port; the AP manager, management, virtual, and service-port interfaces, the last on the service port)
Table 5-7 covers WLC interface types.
Table 5-7 WLC Interface Types
WLC Interface Type     Description
Management interface   For in-band management
Service-port interface For out-of-band management
AP manager interface   For Layer 3 discovery and association
Dynamic interface      Dedicated to WLAN client data; analogous to VLANs
Virtual interface      For Layer 3 authentication and mobility management
AP Controller Equipment Scaling
Cisco provides different solutions to support the differing numbers of APs present in enterprise customers. Standalone devices, modules for Integrated Services Routers (ISR), and
modules for 6500 switches support numerous APs. Table 5-8 lists the platforms and the
number of APs supported.
Table 5-8 WLAN Controller Platforms
Platform                            Number of Supported Access Points
Cisco 2100 series WLC               25
Cisco WLC for ISRs                  25
Catalyst 3750 Integrated WLC        50
Cisco 4400 series WLC               100
Cisco 6500/7600 series WLC module   300
Cisco 5500 series WLC               500
There are two ways to scale beyond the default 48 APs on a Cisco WLC:
■ Use multiple AP interfaces: This option is only supported on 4400 series controllers.
■ Use link aggregation (LAG): This option is supported by 5500 and 4400 series controllers and is the default for 3750G Integrated WLC and Catalyst 6500 series WiSM.
As shown in Figure 5-8, with multiple AP manager interfaces each manager interface is
mapped to a physical port. The AP load is distributed dynamically. One advantage with AP
manager interfaces is that the WLC can be connected to more than one neighbor device.
Figure 5-9 shows the use of LAG. With LAG, the system dynamically manages port redundancy and load balances APs across an EtherChannel interface transparently. The limit
of 48 APs per port does not apply when LAG is enabled. With LAG enabled, the 4402
controller supports up to 50 APs, and the 4404 supports up to 100 APs. LAG is the recommended solution.
One limitation of LAG is that the WLC platforms only support one LAG group per controller. When LAG is enabled, all the physical ports, excluding the services port, are included in the bundle. Therefore, the WLC using LAG cannot be connected to more than
one neighbor device.
Figure 5-8 WLC AP Manager Interface (AP manager interface 1 mapped to physical port 1 and AP manager interface 2 to physical port 2; the management interface uses port 1 as primary and port 2 as secondary)
Figure 5-9 WLC LAG (a single AP manager interface and the management interface bundled across physical ports 1 and 2)
Roaming and Mobility Groups
The primary reason to have wireless networks is roaming: the ability to access network resources from common areas and in areas where it is difficult to run cabling. End clients
might want to move from one location to another. Mobility allows users to access the network from several locations. Roaming occurs when the wireless client changes association
from one AP to another. The challenge is to scale the wireless network to allow client
roaming that is seamless and secure. Roaming can be intracontroller or intercontroller.
Intracontroller Roaming
Intracontroller roaming, shown in Figure 5-10, occurs when a client moves association
from one AP to another AP that is joined to the same WLC. The WLC updates the client
database with the new associated AP and does not change the client’s IP address. If required, clients are reauthenticated, and a new security association is established. The
client database remains on the same WLC.
Figure 5-10 Intracontroller Roaming (one WLC with CAPWAP tunnels to AP1 and AP2; the wireless client roams from AP1 to AP2, and data traffic is bridged onto the VLAN at the WLC on both the pre-roam and post-roam data paths)
Layer 2 Intercontroller Roaming
Intercontroller roaming occurs when a client moves association from one AP to another
when the client traffic is bridged to the same IP subnet. Figure 5-11 shows Layer 2 intercontroller roaming. Traffic remains on the same IP subnet, and no IP address changes to the client occur. The client database is moved from WLC1 to WLC2. The client is reauthenticated, and a new security session is established.
Figure 5-11 Layer 2 Intercontroller Roaming (WLC1 and WLC2 on VLAN x, IP subnet x, exchanging mobility messages; CAPWAP tunnels to AP1 and AP2; the wireless client roams from AP1 to AP2. Figure notes: client uses same IP address, client database moved, re-authentication, new security session)
Layer 3 Intercontroller Roaming
With Layer 3 intercontroller roaming, shown in Figure 5-12, a client moves association
from one AP to another AP that is joined to a different WLC that is on a different IP subnet than the first WLC. Then the traffic is bridged onto a different IP subnet. When the
client associates to AP2, WLC2 then exchanges mobility messages with WLC1. The original client database is not moved to WLC 2. Instead, WLC1 marks the client with an “Anchor” entry in its database. The database entry is copied to WLC2’s database and is
marked as a “Foreign” entry. The wireless client maintains its original IP address and is
reauthenticated. A new security session is then established.
Client traffic then routes in an asymmetric manner. Traffic from the client is forwarded by
the Foreign WLC, but traffic to the client arrives at the Anchor WLC, which forwards it
through an Ethernet-in-IP (EtherIP) tunnel to the Foreign WLC. The Foreign WLC forwards the data traffic to the client.
Mobility Groups
Mobility groups allow controllers to peer with each other to support roaming across con-
Figure 5-12 Layer 3 Intercontroller Roaming (WLC1 as Anchor on VLAN x, IP subnet x; WLC2 as Foreign on VLAN y, IP subnet y; Ethernet in IP tunnel and mobility message exchange between them; CAPWAP tunnels to AP1 and AP2; the wireless client roams from AP1 to AP2. Figure notes: client uses same IP address, original WLC is Anchor, new WLC is Foreign, EoIP tunnel used, client database copied, re-authentication, new security session)
When you assign WLCs to mobility groups, the WLCs dynamically exchange mobility
messages and data is tunneled via EtherIP between the Anchor and Foreign AP. WLCs
should be placed in mobility groups when intercontroller roaming is possible and for controller redundancy.
Mobility groups support up to 24 controllers. The upper limit of APs supported in a mobility group is determined by the number of APs that the controllers support, which varies
by controller type. A mobility list is a group of controllers configured on a single controller that specifies members in different mobility groups. Controllers can communicate
across mobility groups, and clients can roam between APs in different mobility groups if
the controllers are included in each other’s mobility lists. Each WLC is configured with a
list of the members in the mobility group. Mobility lists can support up to 72 controllers
with Release 5.1 or later, up to 48 controllers with Release 5.0.
The WLCs exchange messages using UDP port 16666 for unencrypted messages or UDP
port 16667 for encrypted messages. APs learn the IP addresses of other members of the
mobility group after the CAPWAP join process.
As an example of the scalability, if 24 Cisco 2100 WLCs (25 APs supported per 2100
WLC) are used, 24 * 25 = 144 APs are supported. As another example recall that Cisco
4404-100 series WLCs support 100 APs. If 20 4404-100 WLCs are used, 20 * 100 = 2000
APs are supported.
As a best practice, Cisco recommends minimizing intercontroller roaming in the network.
controllers. Cisco also states that Layer 2 roaming is more efficient than Layer 3 roaming
because of the asymmetric communication of Layer 3 roaming. Proactive key caching
(PKC) or Cisco Compatible Extensions (CCKM) Version 4 is recommended to speed up
and secure roaming.
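As an added design check for the mobility-group rules above (not Cisco's own tooling), the following Python validates a set of controllers against the limits stated in this section: 24 controllers per mobility group, mobility lists of 72 (Release 5.1 or later) or 48 (Release 5.0) entries, mutual mobility-list membership before clients can roam between two controllers, and the unencrypted UDP 16666 versus encrypted UDP 16667 message ports. The Controller type, the check functions, and the WLC-1/2/3 sample configuration are constructed for this example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Set

# Limits and ports as stated in the text.
MAX_GROUP_MEMBERS = 24
MAX_LIST_MEMBERS = {"5.0": 48, "5.1+": 72}
MOBILITY_PORT_CLEAR = 16666      # unencrypted mobility messages
MOBILITY_PORT_ENCRYPTED = 16667  # encrypted mobility messages


@dataclass
class Controller:
    name: str
    group: str                 # mobility group the WLC belongs to
    mobility_list: Set[str]    # peers configured in this WLC's mobility list
    ap_capacity: int           # APs the platform supports
    mobility_port: int = MOBILITY_PORT_ENCRYPTED


def can_roam(ctrls: Dict[str, Controller], a: str, b: str) -> bool:
    """Clients can roam between APs on a and b only when each lists the other."""
    if a == b:
        return True
    return b in ctrls[a].mobility_list and a in ctrls[b].mobility_list


def group_ap_capacity(ctrls: Dict[str, Controller]) -> Dict[str, int]:
    """Upper bound of APs per mobility group: the sum of member capacities."""
    totals: Dict[str, int] = {}
    for c in ctrls.values():
        totals[c.group] = totals.get(c.group, 0) + c.ap_capacity
    return totals


def validate_mobility(ctrls: Dict[str, Controller],
                      release_5_1_or_later: bool = True) -> List[str]:
    """Return design findings; an empty list means the configuration is consistent."""
    findings: List[str] = []
    list_limit = MAX_LIST_MEMBERS["5.1+" if release_5_1_or_later else "5.0"]
    members: Dict[str, List[str]] = {}
    for c in ctrls.values():
        members.setdefault(c.group, []).append(c.name)
    for g, names in members.items():
        if len(names) > MAX_GROUP_MEMBERS:
            findings.append(f"mobility group {g} has {len(names)} controllers, "
                            f"limit {MAX_GROUP_MEMBERS}")
    for c in ctrls.values():
        if len(c.mobility_list) > list_limit:
            findings.append(f"{c.name}: mobility list has {len(c.mobility_list)} "
                            f"entries, limit {list_limit}")
        for peer in sorted(c.mobility_list):
            if peer not in ctrls:
                findings.append(f"{c.name}: lists unknown controller {peer}")
        if c.mobility_port == MOBILITY_PORT_CLEAR:
            findings.append(f"{c.name}: mobility messages on UDP {MOBILITY_PORT_CLEAR} "
                            f"are unencrypted; use UDP {MOBILITY_PORT_ENCRYPTED}")
    # Roaming between two controllers needs the listing to be mutual.
    for a, b in combinations(sorted(ctrls), 2):
        a_lists_b = b in ctrls[a].mobility_list
        b_lists_a = a in ctrls[b].mobility_list
        if a_lists_b != b_lists_a:
            findings.append(f"{a} and {b}: one-sided mobility list entry, "
                            "clients cannot roam between them")
        elif ctrls[a].group == ctrls[b].group and not a_lists_b:
            findings.append(f"{a} and {b}: same mobility group but not in "
                            "each other's mobility lists")
    return findings


# Constructed sample: two campus controllers and one branch controller.
SAMPLE = {
    "WLC-1": Controller("WLC-1", "campus", {"WLC-2", "WLC-3"}, 100),
    "WLC-2": Controller("WLC-2", "campus", {"WLC-1", "WLC-3"}, 100),
    "WLC-3": Controller("WLC-3", "branch", {"WLC-1"}, 25,
                        mobility_port=MOBILITY_PORT_CLEAR),
}

if __name__ == "__main__":
    for line in validate_mobility(SAMPLE):
        print("finding:", line)
    print("AP capacity per group:", group_ap_capacity(SAMPLE))
```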
WLAN Design
This section covers controller redundancy design, radio frequency groups, site survey, and
WLAN design considerations.
Controller Redundancy Design: Deterministic vs. Dynamic
WLCs can be configured for dynamic or deterministic redundancy. For deterministic redundancy, the AP is configured with a primary, secondary, and tertiary controller. This requires more upfront planning but allows better predictability and faster failover times.
Deterministic redundancy is the recommended best practice. N+1, N+N, and N+N+1 are
examples of deterministic redundancy. Advantages of deterministic redundancy include
■ Predictability
■ Network stability
■ Flexible and powerful redundancy design options
■ Faster failover times
■ Fallback option in case of failover
The disadvantage of deterministic controller redundancy is that it requires more upfront
planning and configuration.
Dynamic controller redundancy uses CAPWAP to load balance APs across WLCs. CAPWAP populates APs with a backup WLC. This solution works better when WLCs are in a
centralized cluster. The disadvantages are longer failover times and unpredictable operation. An example is adjacent APs registering with differing WLCs.
Advantages of dynamic controller redundancy include
■ Easy to deploy and configure
■ Access Points dynamically load balance
Disadvantages include longer failover times, unpredictable operation, more intercontroller
roaming, and no fallback option in the event of controller failure.
N+1 WLC Redundancy
With N+1 redundancy, shown in Figure 5-13, a single WLC acts as the backup of multiple
WLCs. The backup WLC is configured as the secondary WLC on each AP. One design
constraint is that the backup WLC might become oversubscribed if there are too many
APs; the backup WLC is normally placed in the data center.
Figure 5-13 N+1 Controller Redundancy (one WLC is primary for AP1 and AP2, another is primary for AP3 and AP4, and a single secondary WLC backs up both)
N+N WLC Redundancy
With N+N redundancy, shown in Figure 5-14, an equal number of controllers back up
each other. For example, a pair of WLCs on one floor serves as a backup to a second pair
on another floor. The top WLC is primary for AP1 and AP2 and secondary for AP3 and
AP4. The bottom WLC is primary for AP3 and AP4 and secondary for AP1 and AP2.
There should be enough capacity on each controller to manage a failover situation.
Figure 5-14 N+N Controller Redundancy (the top WLC is primary for AP1 and AP2 and secondary for AP3 and AP4; the bottom WLC is primary for AP3 and AP4 and secondary for AP1 and AP2)
N+N+1 WLC Redundancy
With N+N+1 redundancy, shown in Figure 5-15, an equal number of controllers back up
each other (as with N+N), plus a backup WLC is configured as the tertiary WLC for the
APs. N+N+1 redundancy functions the same as N+N redundancy plus a tertiary controller
network operations center.
Figure 5-15 N+N+1 Controller Redundancy (the two WLCs back each other up as in N+N, and a third WLC is the tertiary controller for AP1 through AP4)
Table 5-9 covers WLC redundancy.
Table 5-9 WLC Redundancy
WLC Redundancy  Description
N+1             A single WLC acts as the backup for multiple WLCs. The backup WLC is configured as the secondary on APs.
N+N             An equal number of controllers back up each other.
N+N+1           An equal number of controllers back up each other. The backup WLC is configured as the tertiary on APs.
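The oversubscription constraint mentioned for N+1 is easy to check before deployment. The Python below is an added example, not Cisco's tooling: each AP carries its primary/secondary/tertiary list, place_aps joins every AP to its first surviving controller, and failure_scenarios enumerates controller failures that leave a controller over capacity or an AP with no controller. The AccessPoint type and the WLC-1/WLC-2/WLC-B and WLC-T/WLC-U/WLC-X sample designs are constructed to mirror Figures 5-13 and 5-15.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessPoint:
    """Controllers configured on the AP, in failover order."""
    name: str
    primary: str
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def place_aps(aps: List[AccessPoint], capacity: Dict[str, int],
              failed: FrozenSet[str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Join every AP to its first surviving configured controller.

    Returns (placement, oversubscribed controllers, orphaned APs).
    """
    placement: Dict[str, str] = {}
    load = {wlc: 0 for wlc in capacity}
    orphaned: List[str] = []
    for ap in aps:
        for wlc in (ap.primary, ap.secondary, ap.tertiary):
            if wlc is not None and wlc in capacity and wlc not in failed:
                placement[ap.name] = wlc
                load[wlc] += 1
                break
        else:
            orphaned.append(ap.name)   # no configured controller survived
    over = sorted(w for w, n in load.items() if n > capacity[w])
    return placement, over, orphaned


def failure_scenarios(aps: List[AccessPoint], capacity: Dict[str, int],
                      max_failures: int = 1):
    """Every combination of up to max_failures failed controllers that leaves
    a controller oversubscribed or an AP without a controller."""
    bad = []
    for k in range(1, max_failures + 1):
        for failed in combinations(sorted(capacity), k):
            _, over, orphaned = place_aps(aps, capacity, frozenset(failed))
            if over or orphaned:
                bad.append((frozenset(failed), over, orphaned))
    return bad


# Constructed N+1 design matching Figure 5-13: two primaries, one shared backup
# sized for only one of them.
N1_APS = [
    AccessPoint("AP1", "WLC-1", "WLC-B"),
    AccessPoint("AP2", "WLC-1", "WLC-B"),
    AccessPoint("AP3", "WLC-2", "WLC-B"),
    AccessPoint("AP4", "WLC-2", "WLC-B"),
]
N1_CAPACITY = {"WLC-1": 2, "WLC-2": 2, "WLC-B": 2}

# Constructed N+N+1 design matching Figure 5-15: mutual backup plus a tertiary.
NN1_APS = [
    AccessPoint("AP1", "WLC-T", "WLC-U", "WLC-X"),
    AccessPoint("AP2", "WLC-T", "WLC-U", "WLC-X"),
    AccessPoint("AP3", "WLC-U", "WLC-T", "WLC-X"),
    AccessPoint("AP4", "WLC-U", "WLC-T", "WLC-X"),
]
NN1_CAPACITY = {"WLC-T": 4, "WLC-U": 4, "WLC-X": 4}

if __name__ == "__main__":
    print("N+1, one failure:", failure_scenarios(N1_APS, N1_CAPACITY, 1))
    print("N+1, two failures:", failure_scenarios(N1_APS, N1_CAPACITY, 2))
    print("N+N+1, two failures:", failure_scenarios(NN1_APS, NN1_CAPACITY, 2))
```

The N+1 design survives any single controller failure but oversubscribes WLC-B when both primaries fail, which is the planning question the backup controller's capacity has to answer.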
Radio Management and Radio Groups
The limit of available channels in the ISM frequencies used by the IEEE 802.11b/g/n standard presents challenges to the network designer. There are three nonoverlapping channels
(channels 1, 6, and 11). The recommended best practice is to limit the number of data devices connected to each AP to 20, or no more than 7 concurrent voice over WLAN
(VoWLAN) calls using G.711 or 8 concurrent VoWLAN calls using G.729. Additional APs
should be added as user population grows to maintain this ratio of data and voice per AP.
Cisco Radio Resource Management (RRM) is a method to manage AP RF channel and
power configuration. Cisco WLCs use the RRM algorithm to automatically configure, optimize, and self-heal. Cisco RRM functions are as follows:
■ Radio resource monitoring:
are sent to the WLC, which can detect rogue APs, clients, and interfering APs.
■ Dynamic channel assignment: WLCs automatically assign channels to avoid interference.
■ Interference detection and avoidance: As Cisco LWAPs monitor all channels, interference is detected by a predefined threshold (10 percent by default). Interference can be generated by rogue APs, microwaves, cordless telephones, Bluetooth devices, neighboring WLANs, or other electronic devices.
■ Dynamic transmit power control: The WLCs automatically adjust power levels.
■ Coverage hole detection and correction: WLCs may adjust the power output of APs if clients report that a low received signal strength indication (RSSI) level is detected.
■ Client and network load balancing: Clients can be influenced to associate with certain APs to maintain network balance.
With AP self-healing, WLCs use RRM to raise the power levels and adjust the channel selection of neighbor APs to compensate for the loss of coverage of a failed AP. APs report a
lost neighbor when they no longer receive neighbor messages at –70 dBm.
RF Groups
An RF group is a cluster of WLC devices that coordinate their RRM calculations. When
the WLCs are placed in an RF group, the RRM calculation can scale from a single WLC to
multiple floors, buildings, or even the campus. As shown in Figure 5-16, APs send neighbor messages to other APs. If the neighbor message is above –80 dBm, the controllers
form an RF group. The WLCs elect an RF group leader to analyze the RF data. The RF
group leader exchanges messages with the RF group members using UDP port 12114 for
802.11b/g/n and UDP port 12115 for 802.11a.
RF groups are formed with the following process:
1. APs send out neighbor messages over the air. The message includes an encrypted shared secret that is configured in the WLC and pushed to each AP.
2. APs sharing the same secret are able to validate messages from each other. Neighbor messages need to be over –80 dBm to form an RF group.
3. The members in the RF group elect an RF group leader to maintain a “master” power and channel scheme for the RF group. The RF group leader analyzes real-time radio data collected by the system and calculates the master power and channel plan.
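The following Python simulates the RF group formation process just described, as an added example rather than Cisco code. The two conditions from the text are modelled directly: a neighbor message counts only if the receiving WLC validates the shared secret and the message was heard above –80 dBm, and controllers whose APs hear each other merge into one RF group; messages heard below –70 dBm are reported as lost neighbors. The HMAC tag standing in for the encrypted secret, the lowest-sysName leader election (the text gives no election rule), and the AP1 to AP4 / WLC1 to WLC4 sample data are this example's assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

RF_GROUP_THRESHOLD_DBM = -80   # neighbor message must be heard above this to form a group
LOST_NEIGHBOR_DBM = -70        # APs report a lost neighbor when messages fall below this


@dataclass(frozen=True)
class NeighborMessage:
    sender_ap: str
    sender_wlc: str      # WLC the sending AP is joined to
    receiver_ap: str
    receiver_wlc: str    # WLC the receiving AP reports the message to
    rssi_dbm: int        # level at which the receiver heard the message
    tag: bytes           # authentication tag derived from the WLC-pushed secret


def make_tag(secret: bytes, sender_ap: str, sender_wlc: str) -> bytes:
    """HMAC over the sender identity; a stand-in for the encrypted shared secret."""
    return hmac.new(secret, f"{sender_ap}|{sender_wlc}".encode(), hashlib.sha256).digest()


def is_valid(msg: NeighborMessage, receiver_secret: bytes) -> bool:
    """The receiving WLC validates with its own secret, in constant time."""
    expected = make_tag(receiver_secret, msg.sender_ap, msg.sender_wlc)
    return hmac.compare_digest(msg.tag, expected)


def form_rf_groups(msgs: List[NeighborMessage],
                   secrets: Dict[str, bytes]) -> List[Set[str]]:
    """Merge controllers whose APs hear validated neighbor messages above the threshold."""
    parent: Dict[str, str] = {}           # union-find over controller names

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for m in msgs:
        parent.setdefault(m.sender_wlc, m.sender_wlc)
        parent.setdefault(m.receiver_wlc, m.receiver_wlc)
        if m.rssi_dbm <= RF_GROUP_THRESHOLD_DBM:
            continue                                  # too weak to count
        if not is_valid(m, secrets[m.receiver_wlc]):
            continue                                  # different secret: rejected
        parent[find(m.sender_wlc)] = find(m.receiver_wlc)
    groups: Dict[str, Set[str]] = {}
    for wlc in parent:
        groups.setdefault(find(wlc), set()).add(wlc)
    return sorted(groups.values(), key=min)


def elect_leader(group: Set[str]) -> str:
    """Election rule is not given in the text; lowest sysName is this example's choice."""
    return min(group)


def lost_neighbors(msgs: List[NeighborMessage]) -> List[Tuple[str, str]]:
    """(receiver AP, sender AP) pairs heard below the lost-neighbor level."""
    return sorted({(m.receiver_ap, m.sender_ap) for m in msgs
                   if m.rssi_dbm < LOST_NEIGHBOR_DBM})


# Constructed sample: WLC1, WLC2 and WLC4 share a secret, WLC3 has a different one.
SECRETS = {"WLC1": b"campus-rf-secret", "WLC2": b"campus-rf-secret",
           "WLC3": b"other-secret", "WLC4": b"campus-rf-secret"}
SAMPLE = [
    NeighborMessage("AP1", "WLC1", "AP2", "WLC2", -65, make_tag(SECRETS["WLC1"], "AP1", "WLC1")),
    NeighborMessage("AP2", "WLC2", "AP1", "WLC1", -66, make_tag(SECRETS["WLC2"], "AP2", "WLC2")),
    NeighborMessage("AP3", "WLC3", "AP1", "WLC1", -60, make_tag(SECRETS["WLC3"], "AP3", "WLC3")),
    NeighborMessage("AP4", "WLC4", "AP1", "WLC1", -85, make_tag(SECRETS["WLC4"], "AP4", "WLC4")),
]

if __name__ == "__main__":
    for g in form_rf_groups(SAMPLE, SECRETS):
        print(sorted(g), "leader:", elect_leader(g))
    print("lost neighbors:", lost_neighbors(SAMPLE))
```

WLC3 is kept out of the campus RF group because its secret differs, and WLC4 because its AP is heard too weakly; only the first case is a configuration problem, the second is simply RF distance.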
RF Site Survey
Similar to performing an assessment for a wired network design, RF site surveys are done
to determine design parameters for WLANs and customer requirements. RF site surveys
help determine the coverage areas and check for RF interference. This helps determine the
appropriate placement of wireless APs.
The RF site survey has the following steps:
1.
devices to support, sites where wireless devices will be located.
2. Obtain a facility diagram to identify the potential RF obstacles.
3. Visually inspect the facility to look for potential barriers to the propagation of RF signals, such as metal racks, elevator shafts, and stairwells.
4. Identify user areas that may be intensively used, such as conference rooms, and areas that are not heavily used, such as stairwells.
5. Determine preliminary AP locations, which need power, wired network access, cell coverage and overlap, channel selection, mounting locations, and antennas.
6. Perform the actual survey by using an AP to survey the location and received RF strength based on the targeted AP placement. Consider the effects of electrical machinery. Microwave ovens and elevators might distort the radio signal from the APs.
7. Document the findings by recording the target AP locations, log signal readings, and data rates at outer boundaries. Information included in the report includes the following:
■ Detail customer requirements; describe and diagram AP coverage.
■ Parts list, including APs, antennas, accessories, and network components.
■ Describe tools used and methods used for the survey.
Figure 5-16 RF Groups (AP1 and AP2 exchange neighbor messages over the air and report them to WLC1 and WLC2, and the WLCs select the RF group leader)
Using EoIP Tunnels for Guest Services
Basic solutions use separate VLANs for guest and corporate users to segregate guest traffic from corporate traffic. The guest SSID is broadcast, but the corporate SSID is not. All
other security parameters are configured. Another solution is to use Ethernet over IP
(EoIP) to tunnel the guest traffic from the CAPWAP to an anchor WLC.
As shown in Figure 5-17, EoIP is used to logically segment and transport guest traffic
from the edge AP to the anchor WLC. There is no need to define guest VLANs in the internal network, and corporate traffic is still locally bridged. The Ethernet frames from the
guest clients are maintained across the CAPWAP and EoIP tunnels.
Figure 5-17 EoIP Tunnels (guest clients on the access points, EoIP tunnels from the access points to the anchor WLC, which connects to the Internet)
Wireless Mesh for Outdoor Wireless
Traditionally, outdoor wireless solutions have been limited to point-to-point and point-to-multipoint bridging between buildings. With these solutions, each AP is wired to the network. The Cisco wireless mesh networking solution, shown in Figure 5-18, eliminates the
need to wire each AP and allows users to roam from one area to another without having to
reconnect.
The wireless mesh components are shown in Table 5-10.
Figure 5-18 Wireless Mesh (WCS and WLC in the wired network, a RAP connected to the WLC, and the mesh of MAPs hanging off the RAP)
Table 5-10 Wireless Mesh Components
Wireless Mesh Component         Description
Wireless Control System (WCS)   The wireless mesh SNMP management system allows networkwide configuration and management.
WLAN Controller (WLC)           Links the mesh APs to the wired network and performs all the tasks previously described for a WLC, such as management of multiple APs, mitigating radio interference, managing security, and providing Layer 3 mobility.
Rooftop AP (RAP)                Connects the mesh to the wired network and serves as the root. It also communicates with the MAPs. RAPs are typically located on rooftops or towers.
Mesh Access Point (MAP)         Remote APs that provide access to wireless clients. They communicate with the RAP to connect to the wired network. MAPs are typically located on top of a pole, such as a lamppost.
Mesh Design Recommendations
The following are Cisco recommendations (and considerations) for mesh design:
■ Latency per hop is less than 10 ms, typically 2 ms to 3 ms.
■ For outdoor deployment, four or fewer hops are recommended for best performance. A maximum of eight hops is supported.
■ For indoor deployment, one hop is supported.
■ For best performance, 20 MAP nodes per RAP is recommended. Up to 32 MAPs are supported per RAP.
■ Throughput: one hop = 14 Mbps, two hops = 7 Mbps, three hops = 3 Mbps, four hops = 1 Mbps.
Campus Design Considerations
When designing for the Cisco Unified Wireless Network, you need to be able to determine how many LWAPs to place and how they will be managed with the WLCs. Table 5-11
summarizes campus design considerations.
Table 5-11 WLAN Design Considerations
Design Item        Description
Number of APs      The design should have enough APs to provide full RF coverage for wireless clients for all the expected locations in the enterprise. Cisco recommends 20 data devices per AP and 7 G.711 concurrent or 8 G.729 concurrent VoWLAN calls.
Placement of APs   APs are placed in a centralized location of the expected area for which they are to provide access. APs are placed in conference rooms to accommodate peak requirements.
Power for APs      Traditional wall power can be used, but the preferred solution is to use Power over Ethernet (PoE) to power APs and provide wired access.
Number of WLCs     The number of WLCs depends on the selected redundancy model based on the client’s requirements. The number of controllers is also dependent on the number of required APs and the number of APs supported by the differing WLC models.
Placement of WLCs  WLCs are placed in secured wiring closets or in the data center. Deterministic redundancy is recommended, and intercontroller roaming should be minimized. WLCs can be placed in a central location or distributed in the campus distribution layer.
Table 5-12 compares indoor AP features for Cisco APs.
Table 5-12 Supported Features and Specifications for Cisco APs
Feature             AP 1130               AP 1140               AP 3500i              AP1240        AP1250          AP 1260       AP 3500e
Data uplink         10/100                10/100/1000           10/100/1000           10/100        10/100/1000     10/100/1000   10/100/1000
Power requirement   802.3af               802.3af               802.3af               802.3af       E-PoE 802.3af   802.3af       802.3af
Installation        for carpeted offices  for carpeted offices  for carpeted offices  rugged        rugged          rugged        rugged
Temp range          0 to +40C             0 to +40C             0 to +40C             20 to +55C    20 to +55C      20 to +55C    20 to
Antennas            Internal              Internal              Internal              External      External        External      External
WiFi standards      a/b/g                 a/b/g/n               a/b/g/n               a/b/g         a/b/g/n         a/b/g/n       a/b/g/n
DRAM                32 MB                 128 MB                128 MB                32 MB         64 MB           128 MB        128 MB
Flash               16 MB                 32 MB                 32 MB                 16 MB         32 MB           32 MB         32 MB
Branch Design Considerations
For branch networks, you need to consider the number and placement of APs, which depends on the location and expected number of wireless clients at the branch office. It may
not be cost-justifiable to place a WLC at each branch office of an enterprise. One requirement is that the round-trip time (RTT) between the AP and the WLC should not exceed
300 ms. For centralized controllers, it is recommended that you use REAP or Hybrid
REAP (H-REAP).
Local MAC
CAPWAP supports local media access control (local MAC), which can be used in branch
deployments. Unlike with split-MAC, the AP provides MAC management support for association requests and actions. Local MAC terminates client traffic at the wired port of
the AP versus at the WLC. This allows direct local access to branch resources without requiring the data to travel to the WLC at the main office. Local MAC also allows the wireless client to function even if a WAN link failure occurs.
REAP
REAP is designed to support remote offices by extending LWAPP control timers. With
REAP control, traffic is still encapsulated over a LWAPP tunnel and is sent to the WLC.
Management control and RF management are done over the WAN. Client data is locally
bridged. With REAP, local clients still have local connectivity if the WAN fails.
WLCs support the same number of REAP devices as APs. REAP devices support only
Layer 2 security policies, do not support Network Address Translation (NAT), and require
a routable IP address.
Hybrid REAP
H-REAP is an enhancement to REAP that provides additional capabilities such as NAT,
more security options, and the ability to control up to three APs remotely. It is the preferred solution for remote or small office APs to connect to the wireless controllers over
the WAN.
H-REAP operates in two security modes:
■
Standalone mode: H-REAP does the client authentication itself when the WLC
cannot be reached. In standalone mode, H-REAP supports WPA-PSK and WPA2-PSK
for client authentication.
■
Connected mode: The device uses the WLC for client authentication. In connected
mode, H-REAP supports WPA-PSK, WPA2-PSK, VPNs, L2TP, EAP, and web authentication for client authentication.
H-REAP is delay sensitive: the RTT between the AP and the WLC must not exceed
300 ms, and CAPWAP must be prioritized over other traffic.
Branch Office Controller Options
For branch offices, Cisco recommends one of four options:
■ Cisco 2100 series: Supports up to 25 APs.
■ Cisco 4402-12 and 4402-24: These devices support 12 and 24 APs, respectively.
■ WLC Module in Integrated Services Router (ISR): Supports up to 25 APs.
■ 3750 with WLAN controller: Depending on the model, this can support 25 or 50 APs.
The following points summarize WLAN design:
■ An RF site survey is used to determine a wireless network’s RF characteristics and AP placement.
■ Guest services are easily supported using EoIP tunnels in the Cisco Unified Wireless Network.
■ Outdoor wireless networks are supported using outdoor APs and Cisco wireless mesh networking APs.
■ Campus wireless network design provides RF coverage for wireless clients in the campus using LWAPs. The LWAPs are managed by WLCs.
■ Branch wireless network design provides RF coverage for wireless clients in the branch. Central management of REAP or H-REAP APs can be supported.
■ Each AP should be limited to 20 data devices on a data WLAN.
■ For voice over wireless design, it is recommended that a separate SSID be used for voice and that each AP support roughly seven (G.711) to eight (G.729) voice calls over VoWLAN. This is because all devices share bandwidth.
Table 5-13 provides a quick summary of the UDP ports used by wireless protocols.
Table 5-13 UDP Ports Used by WLAN Protocols
WLAN Protocol | UDP Port
LWAPP control | UDP 12223
LWAPP data | UDP 12222
WLC exchange messages (unencrypted) | UDP 16666
WLC exchange messages (encrypted) | UDP 16667
RF group IEEE 802.11b/g | UDP 12114
RF group IEEE 802.11a | UDP 12115
CAPWAP control | UDP 5246
CAPWAP data | UDP 5247
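A defender-side use of Table 5-13, added here as an example that is not from the book: the flow records, the AP subnet and the controller addresses below are constructed. The classifier maps UDP ports to the WLAN protocols in the table, then flags AP-to-controller tunnel traffic whose endpoints are not a known AP subnet and WLC, and controller exchanges that run on the unencrypted port.

```python
# Added example, not from the book: classify WLAN flows by the UDP ports in
# Table 5-13 and flag the ones a WLAN designer would not expect to see.
import ipaddress
import re
from collections import Counter

# Table 5-13: UDP ports used by WLAN protocols.
WLAN_UDP_PORTS = {
    12223: "LWAPP control",
    12222: "LWAPP data",
    16666: "WLC exchange messages (unencrypted)",
    16667: "WLC exchange messages (encrypted)",
    12114: "RF group IEEE 802.11b/g",
    12115: "RF group IEEE 802.11a",
    5246: "CAPWAP control",
    5247: "CAPWAP data",
}
# AP-to-controller tunnel ports: only an AP and a WLC should be the endpoints.
AP_WLC_PORTS = {12223, 12222, 5246, 5247}
# Controller-to-controller ports (WLC exchange and RF group messages).
WLC_WLC_PORTS = {16666, 16667, 12114, 12115}

# Constructed flow record format: "src:sport -> dst:dport proto".
FLOW_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")


def parse_flow(line):
    """Parse one constructed flow record into addresses, ports and protocol."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised flow record: {line!r}")
    return {"src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
            "proto": m["proto"].lower()}


def match_wlan_port(flow):
    """Return (port, protocol name) from Table 5-13 for a UDP flow, else None."""
    if flow["proto"] != "udp":
        return None
    for port in (flow["dport"], flow["sport"]):
        if port in WLAN_UDP_PORTS:
            return port, WLAN_UDP_PORTS[port]
    return None


def audit_flows(lines, ap_subnets, wlc_addrs):
    """Count WLAN protocol flows and collect findings for unexpected ones.
    ap_subnets: networks where lightweight APs live; wlc_addrs: WLC addresses."""
    ap_nets = [ipaddress.ip_network(n) for n in ap_subnets]
    wlcs = {ipaddress.ip_address(a) for a in wlc_addrs}
    counts, findings = Counter(), []

    def is_ap(addr):
        return any(addr in net for net in ap_nets)

    for line in lines:
        flow = parse_flow(line)
        hit = match_wlan_port(flow)
        if hit is None:
            continue  # not a WLAN protocol port
        port, name = hit
        counts[name] += 1
        a, b = flow["src"], flow["dst"]
        if port in AP_WLC_PORTS:
            # Tunnel traffic must pair a known AP subnet with a known WLC.
            if not ((is_ap(a) and b in wlcs) or (is_ap(b) and a in wlcs)):
                findings.append(f"{name} {a} -> {b}: not a known AP subnet/WLC pair")
        elif port in WLC_WLC_PORTS:
            if not (a in wlcs and b in wlcs):
                findings.append(f"{name} {a} -> {b}: endpoint is not a known WLC")
            elif port == 16666:
                # Table 5-13 lists 16666 as the unencrypted controller exchange.
                findings.append(f"{name} {a} -> {b}: unencrypted; prefer UDP 16667")
    return counts, findings


# Constructed sample data: one branch AP subnet, two WLCs and a few flows.
AP_SUBNETS = ["10.20.1.0/24"]
WLC_ADDRS = ["10.1.0.5", "10.1.0.6"]
SAMPLE_FLOWS = [
    "10.20.1.10:5246 -> 10.1.0.5:5246 udp",     # CAPWAP control, branch AP to WLC
    "10.20.1.10:5247 -> 10.1.0.5:5247 udp",     # CAPWAP data, same AP
    "10.1.0.5:16666 -> 10.1.0.6:16666 udp",     # WLC exchange on the unencrypted port
    "10.1.0.5:16667 -> 10.1.0.6:16667 udp",     # WLC exchange on the encrypted port
    "192.168.50.7:40000 -> 10.1.0.5:5246 udp",  # CAPWAP control from a non-AP subnet
    "10.20.1.11:12223 -> 10.1.0.5:12223 udp",   # LWAPP control from an older AP
    "10.20.1.12:53 -> 10.1.0.9:53 udp",         # DNS, not a WLAN protocol
]

if __name__ == "__main__":
    counts, findings = audit_flows(SAMPLE_FLOWS, AP_SUBNETS, WLC_ADDRS)
    for name, n in sorted(counts.items()):
        print(f"{n:3d}  {name}")
    for finding in findings:
        print("FINDING:", finding)
```

Feeding the same classifier real flow exports from the WAN edge makes the 300 ms RTT and CAPWAP prioritization requirements of the branch design checkable against what is actually crossing the link.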
References and Recommended Readings
Cisco Outdoor Wireless Network Solution, www.cisco.com/en/US/netsol/ns621/networking_solutions_package.html.
Cisco Unified Wireless Network, www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_package.html.
Cisco Wireless Control System, www.cisco.com/en/US/products/ps6305/index.html.
Enterprise Mobility 3.0 Design Guide, www.cisco.com/univercd/cc/td/doc/solution/emblty30.pdf.
IEEE Std 802.11g-2003. Amendment to IEEE Std 802.11, 1999 Edition.
Lightweight Access Point FAQ, www.cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml.
Light Weight Access Point Protocol (LWAPP), (draft-ohara-capwap-lwapp-02), http://tools.ietf.org/html/draft-ohara-capwap-lwapp-02.
RFC 5415, Control and Provisioning of Wireless Access Points (CAPWAP) Protocol Specification, http://tools.ietf.org/search/rfc5415.
RFC 5416, Control and Provisioning of Wireless Access Points (CAPWAP) Protocol Binding for IEEE 802.11, http://tools.ietf.org/search/rfc5416.
Cisco Wireless LAN Controller FAQ, www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml.
Cisco Wireless LAN Controller Best Practices, www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml.
“Wireless LAN MAC and Physical Layer (PHY) Specifications,” IEEE 802.11-1999. Piscataway, New Jersey: Institute of Electrical and Electronics Engineers, 1999.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 5-14 lists a reference of these key topics and the page
numbers on which each is found.
Table 5-14 Key Topics
Key Topic Element | Description | Page
Summary | WLAN standards campus media | 155
Summary | Cisco Unified Wireless Network Architecture | 160
Summary | CAPWAP | 163
List | Access point modes | 164
List | WLAN controller components | 169
Summary | Roaming and mobility groups | 173
Summary | Controller redundancy design | 176
Summary | Radio frequency groups | 179
Summary | Wireless mesh for outdoor wireless | 181
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
AP, CAPWAP, CSMA/CA, DSSS, FHSS, H-REAP, IEEE 802.1x, LAG, LWAPP,
MIMO, MAP, N+1 redundancy, N+N redundancy, N+N+1 redundancy, RF groups,
RRM, RAP, SSID, split-MAC, WLAN, WLC
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. What is the maximum data rate of IEEE 802.11g?
2. What is the typical data rate of IEEE 802.11n?
3. What are some difficulties with having to manage hundreds of standalone APs?
4. What standard does IEEE 802.11i use for confidentiality, integrity, and authentication?
5. List at least four benefits of Cisco UWN.
6. True or false: With split-MAC, the control and data frames are load-balanced between the LWAP and the WLC.
7. True or false: With split-MAC, the WLC, not the LWAP, is responsible for authentication and key management.
8. What CAPWAP transport mode is the preferred and most scalable?
a. Intra
b. Layer 2
c. Layer 3
d. EoIP
9. What is the preferred intercontroller roaming option?
a. Intra
b. Layer 2
c. Layer 3
d. EoIP
10. What device places user traffic on the appropriate VLAN?
a. Lightweight AP
b. WLAN controller
c. MAP
d. RAP
11. How many access points are supported in a mobility group using Cisco 4400 series WLCs?
a. 144
b. 1200
c. 2400
d. 7200
12. What is the recommended number of data devices an AP can support for best performance?
a. About 6
b. 7 to 8
c. 10 to 15
d. About 20
13. What is the recommended number of VoWLAN devices an AP can support for best performance?
a. 2 to 3
b. 7 to 8
c. 10 to 15
d. About 20
14. What method is used to manage radio frequency channels and power configuration?
a. WLC
b. WCS
c. RRM
d. MAP
15. What is the typical latency per wireless mesh hop in milliseconds?
a. 1 to 3
b. 7 to 8
c. 10 to 15
d. About 20
16. What is the recommended maximum RTT between an AP and the WLC?
a. 20 ms
b. 50 ms
c. 100 ms
d. 300 ms
17. What is the recommended controller redundancy technique?
a. N+1+N
b. Static
c. Dynamic
d. Deterministic
18. What is the recommended best practice for guest services?
a. Use separate VLANs.
b. Use separate routers and access lists.
c. Obtain a DSL connection and bridge to the local LAN.
d. Use EoIP to isolate traffic to the DMZ.
19. What is the recommended best practice for branch WLANs?
a. Use H-REAP with centralized controllers.
b. Use local-MAP.
c. Use wireless mesh design.
d. Use EoIP.
20. What are two recommended best practices for WLC design?
a. Maximize intercontroller roaming.
b. Minimize intercontroller roaming.
c. Use distributed controller placement.
d. Use centralized controller placement.
21. How many APs does the Cisco 6500 WLC module support?
a. 6
b. 50
c. 100
d. 300
22. Match each access point mode with its description:
i. Local
ii. REAP
iii. Monitor
iv. Rogue detector
v. Sniffer
vi. Bridge
a. For location-based services
b. Captures packets
c. For point-to-point connections
d. Default mode
e. Management across the WAN
f. Monitors rogue APs
23. Match each WLC interface type with its description.
i. Management
ii. Service port
iii. AP manager
iv. Dynamic
v. Virtual
a. Authentication and mobility
b. Analogous to user VLANs
c. Discovery and association
d. Out-of-band management
e. In-band management
24. Match each roaming technique with its client database entry change.
i. Intracluster roaming
ii. Layer 2 intercluster roaming
iii. Layer 3 intercluster roaming
a. The client entry is moved to a new WLC.
b. The client entry is updated on the same WLC.
c. The client entry is copied to a new WLC.
25. Match each UDP port with its protocol.
i. LWAPP data
ii. RF group 802.11b/g
iii. WLC encrypted exchange
iv. LWAPP control
v. WLC unencrypted exchange
vi. CAPWAP control
vii. CAPWAP data
a. UDP 12114
b. UDP 12222
c. UDP 5246
d. UDP 5247
e. UDP 12223
f. UDP 16666
g. UDP 16667
26. Match each wireless mesh component with its description.
i. WCS
ii. WLC
iii. RAP
iv. MAP
a. Root of the mesh network
b. Remote APs
c. Networkwide configuration and management
d. Links APs to the wired network
27. How many MAP nodes are recommended per rooftop AP?
a. 6
b. 20
c. 500
d. 100
28. Which of the following shows the correct order of the steps in an RF site survey?
a. Define requirements, document findings, perform the survey, determine preliminary AP locations, identify coverage areas.
b. Define requirements, perform the survey, determine preliminary AP locations, identify coverage areas, document findings.
c. Identify coverage areas, define requirements, determine preliminary AP locations, perform the survey, document findings.
d. Define requirements, identify coverage areas, determine preliminary AP locations, perform the survey, document findings.
29. What technique performs dynamic channel assignment, power control, and interference detection and avoidance?
a. CAPWAP
b. RRM
c. Mobility
d. LEAP
30. What are the three nonoverlapping channels of IEEE 802.11b/g?
a. Channels A, D, and G
b. Channels 1, 6, and 11
c. Channels 3, 8, and 11
d. Channels A, E, and G
31. Which of the following statements is true?
a. IEEE 802.11g is backward compatible with 802.11b; 802.11a is not compatible with 802.11b.
b. IEEE 802.11a is backward compatible with 802.11b; 802.11g is not compatible with 802.11b.
c. IEEE 802.11b is backward compatible with 802.11a; 802.11g is not compatible with 802.11b.
d. IEEE 802.11n is backward compatible with 802.11a and 802.11g.
32. What is necessary when you use H-LEAP for authentication?
a. WLC
b. WCS
c. RADIUS server
d. LWAP
33. An LWAP is added to a network. What sequence accurately reflects the process it will use to associate with the WLAN controller?
a. First master, secondary, tertiary, greatest AP capacity
b. Primary, secondary, tertiary, greatest AP capacity, master
c. Primary, secondary, tertiary, master, greatest AP capacity
d. Greatest AP capacity, primary, secondary, master
34. An LWAP is added to a network that is in a separate IP subnet from the WLAN controller. OTAP has not been enabled. Which two methods can be used by the LWAP to find the WLAN controller?
a. DHCP
b. Primary, secondary, tertiary, greatest AP capacity, master
c. Primary, secondary, tertiary, master, greatest AP capacity
d. Greatest AP capacity, primary, secondary, master
e. DNS
f. Local subnet broadcast
35. Which two of the following statements represent a preferred wireless LWAPP implementation? (Select two.)
a. Use of Layer 2 LWAPP is preferred over Layer 3 LWAPP.
b. Use of Layer 3 LWAPP is preferred over Layer 2 LWAPP.
c. Open ports for Layer 2 LWAPP on EtherType 0xABAB and Layer 3 on TCP 12222 and TCP 12223.
d. Open ports on Layer 2 LWAPP on EtherType 0xBBBB and Layer 3 on UDP 12222 and UDP 12223.
e. Open ports on Layer 2 LWAPP on EtherType 0xBABA and Layer 3 on UDP 12222 and TCP 12223.
36. Which two of the following statements represent a preferred split-MAC LWAPP implementation? (Select two.)
a. IEEE 802.1Q trunking extends from the wired infrastructure to a WLAN controller. Then the 802.1Q packet is encapsulated in CAPWAP or LWAPP and sent to the access point for transmission over the SSID.
b. Each wireless client authentication type maps to a unique SSID, which in turn maps to a common shared VLAN.
c. 802.1Q trunking extends from the wired infrastructure to the access point for translation into SSIDs.
d. Each wireless client authentication type maps to a unique SSID, which in turn maps to a unique VLAN.
e. 802.1Q trunking extends from the wired infrastructure to a WLAN controller for translation into SSIDs.
37. Which two of these are required for Cisco wireless client mobility deployment?
a. Matching security
b. Matching mobility group name
c. Matching RF channel
d. Matching RF group name
e. Matching RF power
f. Assigned master controller
38. Which describe best practices for Cisco outdoor wireless mesh networks? (Select three.)
a. RAP implemented with 20 or fewer MAP nodes
b. RAP implemented with 20 to 32 MAP nodes
c. Mesh hop counts of 4 or fewer
d. Mesh hop counts of 8 to 4
e. Client access via 802.11b/g and backhaul with 802.11a
f. Client access via 802.11a and backhaul with 802.11b/g
39. Which describe best practices for Cisco WLAN guest access? (Select two.)
a. Guest tunnels have limitations on which wireless controllers can originate the tunnel.
b. Guest tunnels have limitations on which wireless controllers can terminate the tunnel.
c. Dedicated guest VLANs are only extended to the wireless controllers in the network to ensure path isolation.
d. Dedicated guest VLANs are extended throughout the network to the access points for path isolation.
e. Dedicated guest access in the DMZ extends from the origination to the termination controllers without dedicated guest VLANs.
f. Guest tunnels can originate and terminate on any wireless controller platform.
40. How are WLANs identified?
a. MAC addresses
b. IP subnet
c. SSID
d. WEP key
e. LAN ports
f. Secure encryption key
41. Which description is correct regarding wireless solutions that provide higher bandwidth than point-to-multipoint (p2mp) wireless?
a. p2p links tend to be slower than p2mp.
b. p2mp wireless connections can provide up to 1.544-Mbps raw bandwidth.
c. p2p wireless connections can provide up to 44-Mbps raw bandwidth.
d. P2mp links tend to be faster than p2mp.
42. Which WLAN attributes should be considered during a site survey? (Select two.)
a. Channels
b. Power
c. SSID
d. Network name
e. Authentication
f. Encryption
43. Which WLC interfaces are mandatory? (Select all that apply.)
a. Management
b. AP manager
c. Dynamic
d. Virtual
e. Service port
f. Extended
44. Which are differences between CAPWAP and LWAPP? (Select three.)
a. CAPWAP uses the newer AES. LWAPP uses DTLS.
b. CAPWAP uses DTLS. LWAPP uses AES.
c. CAPWAP control uses UDP 5246. LWAPP control uses UDP 12223.
d. CAPWAP control uses UDP 12223. LWAPP control uses UDP 5246.
e. CAPWAP is preferred.
f. LWAPP is preferred.
45. Which two of these are functions of an access point in a split-MAC architecture? (Choose two.)
a. 802.1Q encapsulation
b. EAP authentication
c. MAC layer encryption/decryption
d. Process probe response
This chapter covers the following subjects:
■ WAN Overview
■ WAN Transport Technologies
■ WAN Design Methodology
CHAPTER 6
WAN Technologies
This chapter reviews wide-area network technologies. Expect plenty of questions about
the selection and use of WAN technologies. The CCDA must understand the various
WAN technology options and what makes them different from each other. This chapter
also covers WAN design methodologies and how some quality of service (QoS) techniques can make better use of the available bandwidth.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 6-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 6-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
WAN Overview | 1
WAN Transport Technologies | 2–8
WAN Design Methodology | 9, 10
1. What are two modules or blocks used in the enterprise edge?
a. Internet and campus core
b. Core and building access
c. Internet connectivity and WAN
d. WAN and building distribution
2. What MAN/WAN technology has bandwidth available from 10 Mbps to 1 Gbps?
a. DSL
b. Metro Ethernet
c. TDM
d. Frame Relay
3. How much bandwidth does a T1 circuit provide?
a. 155 Mbps
b. 64 kbps
c. 1.544 kbps
d. 1.544 Mbps
4. What methodology is used when designing the enterprise edge?
a. Cisco-powered network
b. ISL
c. PPDIOO
d. IEEE
5. SONET/SDH technology is what kind of technology?
a. Packet based
b. Cell based
c. Circuit based
d. Segment based
6. What technology delivers IP services using labels to forward packets from the source to the destination?
a. ADSL
b. Cable
c. Frame Relay
d. MPLS
7. GSM, GPRS, and UMTS are all part of ____________________ technologies.
a. Wireless LAN
b. Wireless bridging
c. Mobile wireless
d. SONET/SDH
8. When designing a network for four separate sites, what technology allows a full mesh by using only one link per site rather than point-to-point TDM circuits?
a. Dark fiber
b. Cable
c. ISDN
d. Frame Relay
9. The _______ size specifies the maximum number of frames that are transmitted without receiving an acknowledgment.
a. Segment
b. Access
c. TCP
d. Window
10. Which of the following adds strict PQ to modular class-based QoS?
a. LLQ
b. FIFO
c. CBWFQ
d. WFQ
Foundation Topics
This chapter describes the WAN topics that you need to master for the CCDA exam.
These topics include the WAN modules included in the enterprise edge, WAN technologies, WAN technology selection considerations, and WAN design methodologies. In addition, this chapter describes quality of service (QoS) and how it can be used to prioritize
network traffic and better utilize the available WAN bandwidth.
WAN Overview
WANs provide network connectivity for the enterprise edge, remote branch edge locations, and the Internet. Many WAN choices are available, and new ones are continually
emerging. When you are selecting WAN transport technologies, it is important to consider factors such as cost, bandwidth, reliability, manageability, and hardware capabilities.
In addition, enterprise branch offices can take advantage of cable and digital subscriber
line (DSL) technologies for remote virtual private network (VPN) connectivity back to the
headquarters or main office.
WAN Defined
Wide-area networks (WAN) are communications networks that are used to connect geographically dispersed network locations. Generally, WAN services are offered by service
providers or telecommunication carriers. WANs can transport data, voice, and video traffic. Service providers charge fees, called tariffs, for providing WAN services or communications to their customers. Sometimes the term service refers to the WAN
communications provided by the carrier.
When designing a WAN, you should become familiar with the design’s requirements,
which typically derive from these two important goals:
■ Service level agreement (SLA): Defines the availability of the network. Networked applications rely on the underlying network between the client and server to provide their functions. There are multiple levels of application availability that can be part of a negotiated SLA with a service provider. Organizations have to work with the carrier to define what level of service, such as bandwidth, allowed latency, and loss, is acceptable to the organization.
■ Cost and usage: To select the correct reliable WAN service, you must consider the budget and usage requirements of the WAN service.
There are three key objectives of an effective WAN design:
■ The WAN needs to support the goals and policies of the organization.
■ The WAN technologies selected need to meet the current application requirements and provide for growth of the organization in the future.
■ The proposed design should stay within the budget that is allocated for the WAN design.
Figure 6-1 shows a typical enterprise edge with Multiprotocol Label Switching (MPLS)
and Internet WAN connections.
Figure 6-1 Enterprise WAN (figure: Enterprise Campus Backbone; Enterprise Edge with Internet Firewalls, Internet Routers, and WAN Routers; Internet connection to a Teleworker; MPLS connection to Branch Offices)
WAN Connection Modules
The enterprise edge can have multiple WAN interconnections. Common connectivity
modules include but are not limited to the Internet, the demilitarized zone (DMZ), and
the WAN. Internet service providers (ISP) offer many connectivity options for the
Internet and DMZ modules in the enterprise edge. WAN connectivity between an organization’s headquarters and remote sites is generally across a service provider network,
such as with MPLS WAN. Alternative options for connecting branch offices involve
using broadband technologies, such as cable and DSL, coupled with IPsec VPNs over
the Internet.
WAN technologies can be point-to-point (P2P) or multipoint such as Frame Relay or
MPLS WAN services. Most WAN service providers offer MPLS WAN solutions where
the enterprise edge router interacts with service providers at Layer 3. Public WAN connections over the Internet are available ranging from cable/DSL technologies all the way
up to multigigabit connectivity options. Typically, these services do not provide any
guarantee of network availability, so they are considered a “best effort” service. Frame
Relay and MPLS network solutions usually have a much higher degree of reliability and
availability.
Note: When you are seeking a WAN service, the options can vary depending on the service
provider’s offering, so it is recommended that you review options from multiple WAN service
providers.
Figure 6-2 illustrates the use of modules, or blocks, in the enterprise edge.
Figure 6-2 WAN Interconnections (figure: Enterprise Campus with Building Access, Building Distribution, Campus Core, and Data Center/Server Farm; Enterprise Edge with Internet/WAN, DMZ/E-Commerce, Remote Access VPN, and WAN/MAN modules; connections to ISP 1 and ISP 2 over the Internet, to the PSTN, and to Frame/TDM/ATM/MPLS services)
WAN Transport Technologies
Several factors should be considered when selecting a WAN transport technology. Some
WAN options are public Internet based, and some are private WAN based. Geography
also plays a key role in what WAN technologies are available in a given area. Major cities
have the most WAN transport options, and rural areas are more limited as to the availability of WAN service options.
Table 6-2 examines some WAN technologies and highlights some common factors used to
make WAN technology selections. This information also reflects the different characteristics of each WAN technology. However, keep in mind that your service provider offerings
limit the WAN technology choices available to you during your selection.
Table 6-2 WAN Comparison
WAN Technology | Bandwidth | Reliability | Latency | Cost
ISDN | Low | Medium | Medium | Low
DSL | Low/medium | Low | Medium | Low
Cable | Low/medium | Low | Medium | Low
Wireless | Low/medium | Low | Medium | Medium
Frame Relay | Low/medium | Medium | Low | Medium
TDM | Medium | High | Low | Medium
Metro Ethernet | Medium/high | High | Low | Medium
SONET/SDH | High | High | Low | High
MPLS | High | High | Low | High
Dark fiber | High | High | Low | High
DWDM | High | High | Low | High
The following sections offer more details about each WAN technology covered in Table 6-2.
ISDN
Integrated Services Digital Network (ISDN) is an all-digital phone line connection that was
standardized in the early 1980s. ISDN allows both voice and data to be transmitted over
the digital phone line instead of the analog signals used in dialup connections. ISDN provides greater bandwidth and lower latency compared to dialup analog technology. ISDN
comes in two service types: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
ISDN BRI Service
ISDN BRI consists of two B channels and one D channel (2B+D). Both of the BRI B channels operate at 64 kbps and carry user data. The D channel handles the signaling and control information and operates at 16 kbps. Another 48 kbps is used for framing and
synchronization, for a total bit rate of 192 kbps.
ISDN PRI Service
ISDN PRI service offers 23 B channels and 1 D channel (23B+D) in both North America
and Japan. Each channel (including the D channel) operates at 64 kbps, for a total bit rate
of 1.544 Mbps, including overhead. In other parts of the world, such as Europe and
Australia, the ISDN PRI service provides 30 B channels and one 64-kbps D channel.
Note: Although ISDN has been around for many years, the industry is moving toward
using broadband technologies such as cable, DSL, and public wireless with IPsec VPNs.
ISDN remains an effective WAN solution only if broadband is not available.
Digital Subscriber Line
Digital subscriber line (DSL) is a technology that provides high-speed Internet data services over ordinary copper telephone lines. It achieves this by using frequencies that are not
used in normal voice telephone calls.
The term xDSL describes the various competing forms of DSL available today.
ADSL is the most popular DSL technology and is widely available. The key to ADSL is
that its bandwidth is asymmetric: the downstream bandwidth is higher than the upstream bandwidth.
One limitation is that ADSL can be used only in close proximity to the local
DSLAM, typically less than 2 km. The local DSLAM, or digital subscriber line access
multiplexer, allows telephone lines to make DSL connections to the Internet. Download
speeds usually range from 768 kbps to 9 Mbps, and upload speeds range from 64 kbps to
1.5 Mbps. The customer premises equipment (CPE) refers to a PC along with a DSL modem
or DSL router that connects back to the network access provider (NAP) DSLAMs.
The ADSL circuit consists of a twisted-pair telephone line that contains three information
channels:
■ Medium-speed downstream channel
■ Low-speed upstream channel
■ Basic telephone service channel
DSL splitters are used to separate basic telephone service from the ADSL modem/router
to provide service even if the ADSL signaling fails.
Although DSL is primarily used in the residential community, this technology can also be
used as a WAN technology for an organization. However, keep in mind that because this
is a public network connection over the Internet, it is recommended that this technology
be used in conjunction with a firewall/VPN solution back into your corporate enterprise
network. The high speeds and relatively low cost make this a popular Internet access
WAN technology.
Cable
Broadband cable is a technology used to transport data using a coaxial cable medium
over cable distribution systems. The equipment used on the remote-access side or customer premises is the cable modem, and it connects to the Cable Modem Termination
System (CMTS) on the ISP side. The Universal Broadband Router (uBR) or CMTS provides the CMTS services, which forward traffic upstream through the provider’s Internet
connections.
Cable modems support data, voice, and video TCP/IP traffic. Generally, cable modems are
and corporate teleworkers.
The Data Over Cable Service Interface Specifications (DOCSIS) protocol defines the cable
procedures that the equipment needs to support.
Figure 6-3 illustrates how a cable modem connects to the CMTS. The PC connects to the
TCP/IP network using PPP over Ethernet (PPPoE) or Dynamic Host Configuration Protocol (DHCP).
Figure 6-3 Cable Modem Data over Cable (figure: a Remote Access PC connects to the Cable Modem using PPPoE or DHCP; the cable plant carries the connection to the Cable Modem Termination System (CMTS) at the Internet Service Provider)
Wireless
Wireless as a technology uses electromagnetic waves to carry the signal between endpoints. Everyday examples of wireless technology include cell phones, wireless LANs,
cordless computer equipment, and global positioning systems (GPS).
Here are some examples of wireless implementations:
■ Bridge wireless: Wireless bridges connect two separate wireless networks, typically located in two separate buildings. This technology enables high data rates for use with line-of-sight applications. When interconnecting hard-to-wire sites, temporary networks, or warehouses, a series of wireless bridges can be connected to provide connectivity.
■ Wireless LAN: WLANs, too, have grown in both residential and business environments to meet the demand for LAN connections over the air. These are commonly called IEEE 802.11a/b/g/n or WiFi networks; 802.11n is now available and provides typical data rates of 150 Mbps to 300 Mbps. The growing range of applications includes guest access, voice over wireless, and advanced security and location-based services. A key advantage of WLANs is the ability to save time and money by avoiding costly physical layer wiring installations.
■ Mobile wireless: Consists of cellular applications and mobile phones. Most wireless technologies, such as the second and third generations, are migrating to more digital services to take advantage of the higher speeds. Mobile wireless technologies include GSM, GPRS, and UMTS:
  ■ GSM: Global System for Mobile Communications. A digital mobile radio standard that uses time-division multiple access (TDMA) technology in three bands (900, 1800, and 1900 MHz). The data transfer rate is 9600 bps and includes the ability to roam internationally.
  ■ GPRS: General Packet Radio Service. Extends the capability of GSM speeds from 64 kbps to 128 kbps.
  ■ UMTS: Universal Mobile Telecommunications Service. Also known as 3G broadband. Provides packet-based transmission of digitized voice, video, and data at rates up to 2.0 Mbps. UMTS also provides a set of services available to mobile users, location-independent throughout the world.
Figure 6-4 shows examples of bridge wireless and wireless LANs.
Figure 6-4 Wireless Implementations (figure: Bridge Wireless links between buildings and Wireless LANs attached to the Campus Network)
Frame Relay
Frame Relay is an industry-standard networking protocol that uses virtual circuits between
connected devices. The data link layer in Frame Relay establishes connections using a
DTE device such as a router and a DCE device such as a frame switch.
Frame Relay circuits between sites can be either permanent virtual circuits (PVC) or
switched virtual circuits (SVC). PVCs are used more predominantly because of the connections’ permanent nature. SVCs, on the other hand, are temporary connections created
for each data transfer session.
A point-to-point PVC between two routers or endpoints uses a data-link connection identifier (DLCI) to identify the local end of the PVC. The DLCI is a locally significant numeric value that can be reused throughout the Frame Relay WAN if necessary.
Frame Relay has been deployed since the late 1980s, but the use of Frame Relay is on the
decline because of the popularity of MPLS.
Time-Division Multiplexing
Time-division multiplexing (TDM) is a type of digital multiplexing in which multiple
channels such as data, voice, and video are combined over one communication medium by
interleaving pulses representing bits from different channels. Basic DS0 channel bandwidth is defined at 64 kbps. In North America, a DS1 or T1 circuit provides 1.544 Mbps
of bandwidth consisting of 24 time slots of 64 kbps each and an 8-kbps channel for control information. In addition, a DS3 or T3 circuit provides 44.736 Mbps of bandwidth.
Other parts of the world, such as Europe, follow E1 standards, which allow for 30 channels
at 2.048 Mbps of bandwidth. Service providers can guarantee or reserve the bandwidth
used on TDM networks. Customers are charged for their exclusive access to these circuits. On the other hand, packet-switched networks typically are
shared, thereby allowing the service providers more flexibility in managing their networks
and the services they offer.
Metro Ethernet
Metro Ethernet uses well-known “Ethernet” to deliver low-cost and high-speed
MAN/WAN connectivity for organizations. Many service providers now offer Metro Ethernet solutions to deliver a wide range of converged network services such as data, voice,
and video on the same wire. Metro Ethernet provides enterprise LAN type functionality
out in the MAN and WAN, increasing the throughput available for applications. Metro
Ethernet bandwidths can range from 10 Mbps to 1 Gbps, and even higher in some cases,
allowing for support for higher performance and increased QoS requirements. In contrast
to the rigid nature of traditional TDM provisioning, Metro Ethernet services are much
easier to deploy and scale due to the flexible bandwidth increments. Metro Ethernet technology is appealing to many customers because they are already comfortable using Ethernet throughout their LAN environments.
SONET/SDH
The architecture of SONET/SDH is circuit-based and delivers high-speed services over an
specification, and the International Telecommunications Union (ITU) defines SDH.
210 CCDA 640-864 Official Cert Guide
SONET/SDH guarantees bandwidth and has line rates of 155 Mbps to more than 10 Gbps.
Common circuit sizes are OC-3, or 155 Mbps, and OC-12, or 622 Mbps.
SONET/SDH uses a ring topology by connecting sites and providing automatic recovery
capabilities and has self-healing mechanisms. SONET/SDH rings support ATM or Packet
over SONET (POS) IP encapsulations. The Optical Carrier (OC) rates are the digital bandwidth hierarchies that are part of the SONET/SDH standards. The optical carrier speeds
supported are as follows:
■ OC-1 = 51.85 Mbps
■ OC-3 = 155.52 Mbps
■ OC-12 = 622.08 Mbps
■ OC-24 = 1.244 Gbps
■ OC-48 = 2.488 Gbps
■ OC-192 = 9.952 Gbps
■ OC-255 = 13.21 Gbps
Figure 6-5 shows an OC-48 SONET ring with connections to three sites that share the ring.
Figure 6-5 SONET/SDH (OC-48 SONET ring connecting Headquarters, Remote Campus North, and Remote Campus South through Cisco ONS 15454 nodes, with an 802.1Q trunk)
Chapter 6: WAN Technologies
Multiprotocol Label Switching
MPLS is a technology for the delivery of IP services that uses labels (numbers) to forward packets. In normal routed environments, packets are forwarded hop by hop from the source to the destination. Each router in the path performs a Layer 3 destination address lookup, rewrites the Layer 2 address, and forwards the packet toward the destination. MPLS, in contrast, works by marking packet headers with label information. As soon as packets are marked with a label, specific paths through the network can be designed to correspond to that distinct label. MPLS labels can be set based on parameters such as source address, Layer 2 circuit ID, or QoS value. Packets that are destined for the same endpoint with the same requirements can be forwarded based on the labels, without a routing decision at every hop. Typically, the labels correspond to the Layer 3 destination address, which makes MPLS equivalent to destination-based routing.
MPLS labels can also be used to implement traffic engineering by overriding the routing
tables. MPLS packets can run over most Layer 2 technologies, such as ATM, Frame Relay,
POS, and Ethernet. The goal of MPLS is to maximize switching using labels and minimize
Layer 3 routing.
In MPLS implementations, there are customer edge (CE) and provider edge (PE) routers. The CE router resides at the customer premises, which is typically where internal and external routing information is exchanged. The CE router then connects to the PE router, which is the ingress to the MPLS service provider network. The PE router is in the service provider network.
Figure 6-6 shows an end-to-end MPLS WAN and how the CE routers connect to the PE
routers.
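To make the contrast between hop-by-hop routing and label switching concrete, here is an added simulation that is not from the book or from any Cisco product: on a constructed topology, the ingress PE does one longest-prefix lookup, the P routers only swap or pop labels, and a traffic-engineered label binding steers the same destination over a path the routing tables would not choose. All router names, prefixes and label values are made up.

```python
"""Hop-by-hop IP forwarding vs. MPLS label switching on a constructed topology.
Added illustration, not from the book: router names, prefixes and labels are made up.
Topology: CE-A -- PE1 -- P1 -- P2 -- PE2 -- CE-B, with P3 as an alternate core path."""
import ipaddress

# Routing table (FIB) per router: prefix -> next hop. CE-B is the customer site behind PE2.
FIB = {
    'PE1': {'10.2.0.0/16': 'P1', '0.0.0.0/0': 'P1'},
    'P1':  {'10.2.0.0/16': 'P2'},
    'P2':  {'10.2.0.0/16': 'PE2'},
    'P3':  {'10.2.0.0/16': 'PE2'},
    'PE2': {'10.2.0.0/16': 'CE-B'},
}

# Ingress label bindings on PE1: prefix (the FEC) -> (label to push, next hop).
FEC = {'PE1': {'10.2.0.0/16': (100, 'P1')}}          # default LSP along the IGP path
TE_FEC = {'PE1': {'10.2.0.0/16': (300, 'P3')}}       # traffic-engineered LSP via P3

# Label forwarding tables (LFIB): (router, incoming label) -> (action, outgoing label, next hop)
LFIB = {
    ('P1', 100): ('swap', 200, 'P2'),
    ('P2', 200): ('pop', None, 'PE2'),               # penultimate-hop popping before the egress PE
    ('P3', 300): ('pop', None, 'PE2'),
}


def lpm(table, dst):
    """Longest-prefix match, the Layer 3 lookup every router performs in plain routing."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def ip_forward(dst, start):
    """Destination-based routing: a lookup at every hop until a node without a FIB (the CE).
    Returns (path, number of Layer 3 lookups)."""
    path, lookups, node = [start], 0, start
    while node in FIB:
        nh = lpm(FIB[node], dst)
        if nh is None:
            raise ValueError(f'{node} has no route to {dst}')
        lookups += 1
        path.append(nh)
        node = nh
    return path, lookups


def mpls_forward(dst, ingress, fec=FEC):
    """Label switching: one lookup at the ingress PE to pick the LSP, label swaps in the core,
    one ordinary lookup at the egress PE. Returns (path, lookups, label carried on each link)."""
    label, nh = lpm(fec[ingress], dst)           # classify into a FEC and push its label
    lookups, path, labels, node = 1, [ingress, nh], [label], nh
    while label is not None:                     # P routers never consult the IP routing table
        action, out_label, nh = LFIB[(node, label)]
        label = out_label if action == 'swap' else None
        path.append(nh)
        labels.append(label)
        node = nh
    nh = lpm(FIB[node], dst)                     # egress PE delivers the now-unlabeled packet
    lookups += 1
    path.append(nh)
    return path, lookups, labels


if __name__ == '__main__':
    print('IP     :', ip_forward('10.2.5.9', 'PE1'))
    print('MPLS   :', mpls_forward('10.2.5.9', 'PE1'))
    print('MPLS TE:', mpls_forward('10.2.5.9', 'PE1', fec=TE_FEC))
```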
Figure 6-6 MPLS (CE routers at each site connect to PE routers at the edge of the MPLS provider network, whose core is built from provider (P) routers)
Dark Fiber
regenerators are used in some implementations. The framing for dark fiber is determined
by the enterprise, not the provider. The edge devices can use the fiber just like within the
enterprise, which allows for greater control of the services provided by the link. Dark fiber
is owned by service providers in most cases and can be purchased similarly to leased-line
circuits for use in both the MAN and WAN. The reliability of these types of links also
needs to be designed by the enterprise and is not provided by the service provider. High
availability using dark fiber needs to be designed with multiple links, which differs from
SONET/SDH technology that has redundancy built into the architecture.
Dense Wavelength-Division Multiplexing
Dense wavelength-division multiplexing (DWDM) increases the bandwidth capability of optical fiber by using different wavelengths of light, called channels, over the same fiber strand. Each channel is equivalent to several (N x) Gigabit Ethernet links. It maximizes
the use of the installed base of fiber used by service providers and is a critical component
of optical networks. DWDM allows for service providers to increase the services offered
to customers by adding new bandwidth to existing channels on the same fiber. DWDM
lets a variety of devices access the network, including IP routers, ATM switches, and
SONET terminals.
Figure 6-7 illustrates the use of DWDM using Cisco ONS devices and a SONET/SDH ring.
Figure 6-7 DWDM (Cisco ONS 15201 and ONS 15252 devices carry multiple GigE links over the SONET/SDH ring: increased use of bandwidth using existing fiber)
Ordering WAN Technology and Contracts
When you order WAN transport technology, early planning is key. It usually takes at least
60 days for the carrier to provision circuits. Generally, the higher a circuit’s capacity, the
more lead time required to provision. When ordering bandwidth overseas, a lead time of
60 to 120 days is fairly common.
WAN transport in most cases includes an access circuit charge and, at times, distance-based charges. However, some carriers have eliminated TDM distance-based charges because T1s are readily available from most carriers. Metro Ethernet availability is spotty at
best, and the lead times are long. In rare cases, construction is necessary to provide fiber
able WAN technology options from competing carriers.
When ordering Frame Relay and ATM, a combination of access circuit charges, per-PVC
charges, and per-bandwidth committed information rate (CIR) charges are customary. CIR
is the rate that the provider guarantees it will provide. Some carriers set the CIR to half the
circuit’s speed, thereby allowing customers to burst two times above the CIR. Frame Relay
speeds can be provisioned up to T3 speeds, but typically they are less than 10 Mbps.
MPLS VPNs have been competitive with ATM and Frame Relay rates. Service providers
are offering MPLS VPNs with higher bandwidth at lower rates to persuade their customers away from traditional ATM and Frame Relay services. However, other service
providers see more value in MPLS VPNs and price them higher than ATM and Frame Relay because of the added benefits of traffic engineering.
When you are selecting a standard carrier package, it takes about a month to contract a
WAN circuit. If you want to negotiate a detailed SLA, expect to take another five months
or more, including discussions with the service provider’s legal department. The bigger the
customer, the more influence it has over the SLAs and the contract negotiations.
Contract periods for most WAN services are one to five years. Contracts are usually not
written for longer durations because of the new emerging technologies and better offerings from providers. An exception is dark fiber, which is usually contracted for a 20-year
term. In this case, you also want to have the right of non-reversion written in the SLA.
This means that no matter what happens to the service provider, the fiber is yours for the
20-year period. The process to repair fiber cuts needs to be defined in the SLA.
Tariffed commercial WAN services are available at published rates but are subject to restrictions. However, carriers are moving toward unpublished rates to be more competitive
and to offer more options.
WAN Design Methodology
The PPDIOO methodology should be used when designing enterprise edge networks. PPDIOO stands for Prepare, Plan, Design, Implement, Operate, and Optimize. Some keys to PPDIOO are the processes of analyzing network requirements, characterizing the existing network, and designing the topology:
■ Analyzing the network requirements includes reviewing the types of applications, the traffic volume, and the traffic patterns in the network.
■ Characterizing the existing network reviews the technologies used and the locations of hosts, servers, network equipment, and other end nodes.
■ Designing the topology is based on the availability of technology, the projected traffic patterns, technology performance, constraints, and reliability.
When designing the WAN topology, remember that the design should describe the functions that the enterprise edge modules should perform. The expected service levels provided by each WAN technology should be explained. WAN connections can be
connect two or more sites together.
New network designs should be flexible and adaptable to future technologies and should
not limit the customer’s options going forward. Voice over IP and video are examples of
technologies that network designs should be able to support if the customer decides to
move to a converged network. The customer should not have to undergo major hardware
and software upgrades to implement these types of technologies. Another important
consideration is the design’s cost-effectiveness throughout the design and implementation stages. For example, the support and management of the network should be an important factor.
High availability is what most users want for their networked applications. The key components of application availability are response time, throughput, and reliability. Real-time
applications such as voice and video are not very tolerant to jitter and delay.
Table 6-3 identifies various application requirements for data, voice, and video traffic.
Table 6-3 Application Requirements

| Application | Data File Transfer | Interactive Data Application | Real-Time Voice | Real-Time Video |
| --- | --- | --- | --- | --- |
| Response time | Reasonable | Within a second | Round trip less than 250 ms with low delay and low jitter | Minimum delay and jitter |
| Throughput and packet loss tolerance | High/Med | Low/Low | Low/low | High/medium |
| Downtime (high reliability has low downtime) | Reasonable | Low | Low | Minimum |
Response Time
Response time measures the time between the client user request and the response from
the server host. The end user will accept a certain level of delay in response time and still
be satisfied. However, there is a limit to how long the user will wait. This amount of time
can be measured and serves as a basis for future application response times. Users perceive the network communication in terms of how quickly the server returns the requested information and how fast the screen updates. Some applications, such as a request
for an HTML web page, require short response times. On the other hand, a large FTP
transfer might take a while, but this is generally acceptable.
Throughput
In network communications, throughput is the measure of data transferred from one host
to another in a given amount of time. Bandwidth-intensive applications have more of an
high-throughput applications usually involve some type of file-transfer activity. Because
throughput-intensive applications have longer response times, you can usually schedule them when time-sensitive traffic volumes are lower, such as after hours.
Reliability
Reliability is the measure of a given application’s availability to its users. Some organizations require rock-solid application reliability, such as five-nines (99.999 percent); this has a
higher price than most other applications. For example, financial and security exchange
commissions require nearly 100 percent uptime for their applications. These types of networks are built with a high amount of physical and logical redundancy. It is important to
ascertain the level of reliability needed for a network that is being designed. Reliability
goes further than availability by measuring not only whether the service is there but
whether it is performing as it should.
Bandwidth Considerations
Table 6-4 compares a number of different WAN technologies, along with the speeds and
media types associated with them.
Table 6-4 Physical Bandwidth Comparison

| Bandwidth | Less Than 2 Mbps | 2 Mbps to 45 Mbps | 45 Mbps to 100 Mbps | 100 Mbps to 10 Gbps |
| --- | --- | --- | --- | --- |
| Copper | Serial, ISDN, Frame Relay, TDM, ADSL | Frame Relay, Ethernet, ADSL, cable, T3 | Fast Ethernet | Gigabit Ethernet, 10 Gigabit Ethernet (10GBASE-CX4) |
| Fiber | N/A | Ethernet | Fast Ethernet, ATM | Gigabit Ethernet, 10 Gigabit Ethernet, ATM, SONET/SDH, POS, dark fiber |
| Wireless | 802.11b | 802.11b, wireless WAN (varies) | 802.11a/g | 802.11n |
The WAN designer must engineer the network with enough bandwidth to support the
needs of the users and applications that will use the network. How much bandwidth a network needs depends on the services and applications that will require network bandwidth.
For example, VoIP requires more bandwidth than interactive Secure Shell (SSH) traffic. A
large number of graphics or CAD drawings require an extensive amount of bandwidth
compared to file or print sharing information being transferred on the network. A big
driver in increasing demands for more bandwidth is the expanded use of collaboration applications that use video interactively.
When designing bandwidth for the WAN, remember that implementation and recurring
costs are always important factors. It is best to begin planning for WAN capacity early.
When the link utilization reaches around 50 percent to 60 percent, you should consider increases and closely monitor the capacity at that point. When the link utilization reaches
around 75 percent, immediate attention is required to avoid congestion problems and
packet loss that will occur when the utilization nears full capacity.
QoS techniques become increasingly important when delay-sensitive traffic such as VoIP
is using the limited bandwidth available on the WAN. LAN bandwidth, on the other hand,
is generally inexpensive and plentiful; in the age of robust real-time applications, however,
QoS can be necessary. To provide connectivity on the LAN, you typically need to be concerned only with hardware and implementation costs.
WAN Link Categories
When you start to evaluate WAN link characteristics, they generally fall into three broad
categories: private, leased, and shared. There are many factors to consider, such as how the WAN is used, the cost, the advantages, and what technologies are available in a given area.
Table 6-5 identifies various WAN link characteristics.
Table 6-5 WAN Link Characteristics

| Category | Use | Cost | Advantages | Examples |
| --- | --- | --- | --- | --- |
| Private | WAN to connect distant LANs | Owner must buy and configure network. Expensive to maintain. | High security. Transmission quality. | Metro Ethernet using dark fiber |
| Leased | WAN to connect distant LANs | High cost. Equipment is leased or private. Bandwidth is leased. | Provider is responsible for maintenance. Dedicated bandwidth. | TDM, SONET |
| Shared | Shared-circuit or packet-switched WAN | Cost is fair. Equipment is leased or private. | Provider is responsible for maintenance. Shared network for multiple sites. | MPLS or Frame Relay |
There are fixed and recurring costs in most WAN environments. Fixed costs include the
network equipment, circuit provisioning, and network management tools. The recurring
costs include the service provider monthly WAN service fees, maintenance costs of the
WAN, and the network operations personnel.
Optimizing Bandwidth Using QoS
QoS is an effective tool for managing a WAN’s available bandwidth. Keep in mind that
QoS does not add bandwidth; it only helps you make better use of it. For chronic congestion problems, QoS is not the answer; you need to add more bandwidth. However, by prioritizing traffic, you can make sure that your most critical traffic gets the best treatment
and available bandwidth in times of congestion. One popular QoS technique is to classify
your traffic based on a protocol type or a matching access control list (ACL) and then give
policy treatment to the class. You can define many classes to match or identify your most
important traffic classes. The remaining unmatched traffic then uses a default class in
which the traffic can be treated as best effort.
Queuing, Traffic Shaping, and Policing
Cisco has developed many different QoS mechanisms, such as queuing, policing, and
traffic shaping, to enable network operators to manage and prioritize the traffic flowing on the network. Applications that are delay sensitive, such as VoIP, require special
treatment to ensure proper application functionality. Queuing refers to the buffering
process used by routers and switches when they receive traffic faster than can be
transmitted. Different queuing mechanisms can be implemented to influence the order
in which the different queues are serviced (that is, how different types of traffic are
emptied from the queues).
Table 6-6 identifies QoS considerations to optimize bandwidth.
Table 6-6 QoS Considerations

| QoS Category | Description |
| --- | --- |
| Classification | Identifies and marks flow and provides priority to certain flows |
| Congestion management | Mechanism to handle traffic overflow using a queuing algorithm |
| Link-efficiency mechanisms | Reduce latency and jitter for network traffic on low-speed links |
| Traffic shaping and policing | Avoids congestion by policing ingress and egress flows |
Classification
For a flow to have priority, it first must be identified and marked. Both of these tasks are referred to as classification. The following are two technologies whose features support classification:
■ Network-Based Application Recognition (NBAR) is a technology that uses deep packet content inspection to identify network applications. An advantage of NBAR is that it can recognize applications even when they do not use standard network ports. Furthermore, it matches fields at the application layer. Before NBAR, classification was limited to Layer 4 TCP and User Datagram Protocol (UDP) port numbers.
■ Committed access rate (CAR) uses an ACL to set precedence and allows customization of the precedence assignment by user, source or destination IP address, and application type.
Congestion Management
Two types of output queues are available on routers: the hardware queue and the software
queue. The hardware queue uses the strategy of first in, first out (FIFO). The software
queue schedules packets first and then places them in the hardware queue. Keep in mind
that the software queue is used only during periods of congestion. The software queue
uses QoS techniques such as priority queuing, custom queuing, weighted fair queuing,
class-based weighted fair queuing, low-latency queuing, and traffic shaping and policing.
Priority Queuing
Priority queuing (PQ) is a queuing method that establishes four interface output queues
that serve different priority levels: high, medium, default, and low. Unfortunately, PQ can
starve other queues if too much data is in one queue because higher-priority queues must
be emptied before lower-priority queues.
Custom Queuing
Custom queuing (CQ) uses up to 16 individual output queues. A byte size limit is assigned to each queue; when a queue’s limit is reached, the scheduler proceeds to the next queue. The network operator can customize these byte size limits. CQ is fairer than PQ because it allows some level of service to all traffic. This queuing method is considered legacy because of improvements in newer queuing methods.
Weighted Fair Queuing
Weighted fair queuing (WFQ) ensures that traffic is separated into individual flows or sessions without requiring that you define ACLs. WFQ uses two categories to group sessions: high bandwidth and low bandwidth. Low-bandwidth traffic has priority over
high-bandwidth traffic. High-bandwidth traffic shares the service according to assigned
weight values. WFQ is the default QoS mechanism on interfaces below 2.0 Mbps.
Class-Based Weighted Fair Queuing
correspond to match criteria, including ACLs, protocols, and input interfaces. Traffic that
matches the class criteria belongs to that specific class. Each class has a defined queue that
corresponds to an output interface.
After traffic has been matched and belongs to a specific class, you can modify its characteristics, such as assigning bandwidth, maximum queue limit, and weight. During periods
of congestion, the bandwidth assigned to the class is the guaranteed bandwidth that is delivered to the class.
One of CBWFQ’s key advantages is its modular nature, which makes it extremely flexible
for most situations. It is often referred to as MQC or Modular QoS CLI, which is the
framework for building QoS policies. Many classes can be defined to separate your network traffic as needed in the MQC.
Low-Latency Queuing
Low-latency queuing (LLQ) adds a strict priority queue (PQ) to CBWFQ. The strict PQ allows delay-sensitive traffic such as voice to be sent first, before other queues are serviced.
That gives voice preferential treatment over the other traffic types. Unlike priority queuing, LLQ provides for a maximum threshold on the PQ to prevent lower priority traffic
from being starved by the PQ.
Without LLQ, CBWFQ would not have a priority queue for real-time traffic. The additional classification of other traffic classes is done using the same CBWFQ techniques.
LLQ is the standard QoS method for many VoIP networks.
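The starvation described under Priority Queuing and the capped priority queue that LLQ adds, in one added tick-based simulation that is not from the book or from Cisco IOS: a strict priority queue sits in front of two weighted classes served by deficit round robin (a stand-in for CBWFQ's bandwidth shares), and `priority_cap` models LLQ's policed priority bandwidth. Link capacity, packet sizes, weights and offered loads are constructed.

```python
"""Priority queuing (PQ) starvation vs. low-latency queuing (LLQ) over CBWFQ classes.
Added illustration, not from the book or from Cisco IOS. Time is sliced into ticks;
each tick the link can transmit LINK_BYTES, the strict priority queue is served first,
and the remaining classes share what is left by deficit round robin in proportion to
their weights (a stand-in for CBWFQ's bandwidth shares). Offered loads are constructed."""
from collections import deque


def simulate(ticks, link_bytes, arrivals, weights, priority_cap=None, max_depth=50):
    """arrivals: {queue: [packet sizes arriving every tick]}; 'priority' is the strict PQ.
    weights: {class: relative bandwidth share} for the non-priority classes.
    priority_cap=None models plain PQ. An integer models LLQ: the most bytes per tick the
    PQ may take while other classes are backlogged; excess priority packets are policed
    (dropped) instead of being queued, so they cannot starve the other classes.
    Returns {queue: {'sent': bytes transmitted, 'dropped': packets dropped}}."""
    queues = {q: deque() for q in list(weights) + ['priority']}
    stats = {q: {'sent': 0, 'dropped': 0} for q in queues}
    deficit = {c: 0 for c in weights}
    total_weight = sum(weights.values())
    quantum = {c: max(1, link_bytes * w // total_weight) for c, w in weights.items()}

    for _ in range(ticks):
        for q, sizes in arrivals.items():          # enqueue this tick's arrivals, tail-drop when full
            for size in sizes:
                if len(queues[q]) < max_depth:
                    queues[q].append(size)
                else:
                    stats[q]['dropped'] += 1

        budget = link_bytes
        congested = any(queues[c] for c in weights)
        pq, pri_sent = queues['priority'], 0
        while pq and pq[0] <= budget:             # strict priority: drained before anything else
            if priority_cap is not None and congested and pri_sent + pq[0] > priority_cap:
                pq.popleft()                       # LLQ policer acts only under congestion
                stats['priority']['dropped'] += 1
                continue
            size = pq.popleft()
            budget -= size
            pri_sent += size
            stats['priority']['sent'] += size

        # Deficit round robin across the weighted classes for the leftover budget.
        while budget > 0 and any(queues[c] and queues[c][0] <= budget for c in weights):
            for c in weights:
                deficit[c] += quantum[c]
                while queues[c] and queues[c][0] <= min(deficit[c], budget):
                    size = queues[c].popleft()
                    deficit[c] -= size
                    budget -= size
                    stats[c]['sent'] += size
                if not queues[c]:
                    deficit[c] = 0                 # an idle class does not bank credit
    return stats


LINK_BYTES = 1000                                   # link capacity per tick (constructed)
WEIGHTS = {'critical': 3, 'best_effort': 1}
# Constructed offered load per tick: voice alone (1600 B) exceeds the link (1000 B).
ARRIVALS = {'priority': [200] * 8, 'critical': [200] * 2, 'best_effort': [200] * 3}

if __name__ == '__main__':
    print('PQ :', simulate(20, LINK_BYTES, ARRIVALS, WEIGHTS))            # data classes get nothing
    print('LLQ:', simulate(20, LINK_BYTES, ARRIVALS, WEIGHTS, priority_cap=400))
```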
Traffic Shaping and Policing
Traffic shaping and policing are mechanisms that inspect traffic and take an action based
on the traffic’s characteristics, such as DSCP or IP precedence bits set in the IP header.
Traffic shaping slows down the rate at which packets are sent out an interface (egress) by matching certain criteria. Traffic shaping uses a token bucket technique to release the packets into the output queue at a preconfigured rate. Traffic shaping helps eliminate potential bottlenecks by throttling back the traffic rate at the source. In enterprise environments, traffic shaping is used to smooth the flow of traffic going out to the provider. This is desirable for several reasons. In provider networks, it prevents the provider from dropping traffic that exceeds the contracted rate.
Policing tags or drops traffic depending on the match criteria. Generally, policing is used to set the limit of incoming traffic coming into an interface (ingress) and uses a “leaky bucket” mechanism. Policing is also referred to as committed access rate or CAR. One example of using policing is to give preferential treatment to critical application traffic by elevating it to a higher class and reducing best-effort traffic to a lower-priority class.
When you contrast traffic shaping with policing, remember that traffic shaping buffers
packets while policing can be configured to drop packets. In addition, policing propagates
bursts, but traffic shaping does not.
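The contrast just drawn (shaping buffers and smooths, policing drops or re-marks and passes the burst through unchanged) as an added simulation that is not from the book or from Cisco IOS: the same single-rate token bucket applied both ways to one constructed burst, with a finite shaper buffer so the tail-drop failure mode is visible too. CIR, Bc, packet sizes and buffer size are made-up parameters.

```python
"""Single-rate token bucket used two ways: as a policer (drop on exceed) and as a shaper
(buffer and release at the committed rate). Added illustration, not from the book or
from Cisco IOS; CIR, Bc, packet sizes and the shaper's buffer size are constructed."""


def police(arrivals, cir_bps, bc_bytes):
    """Policer: a packet conforms if the bucket holds enough tokens, else it is dropped
    (an exceed action could also re-mark it to a lower class). Conforming packets leave at
    their arrival time, so the burst shape is propagated unchanged.
    arrivals: [(time_s, size_bytes)] in time order. Returns (conforming, dropped_count)."""
    rate = cir_bps / 8.0                        # tokens (bytes) added per second
    tokens, last = float(bc_bytes), 0.0
    conforming, dropped = [], 0
    for t, size in arrivals:
        tokens = min(bc_bytes, tokens + rate * (t - last))   # refill, capped at Bc
        last = t
        if size <= tokens:
            tokens -= size
            conforming.append((t, size))
        else:
            dropped += 1
    return conforming, dropped


def shape(arrivals, cir_bps, bc_bytes, max_queue_bytes):
    """Shaper: packets that find too few tokens wait in a FIFO buffer and leave as soon as
    the bucket has refilled enough, which paces a burst out at the CIR after the first Bc.
    The buffer is finite, so a sustained overload still ends in tail drops.
    Returns ([(arrival_s, departure_s, size_bytes)], tail_drops)."""
    rate = cir_bps / 8.0
    tokens, clock = float(bc_bytes), 0.0          # clock: time the bucket state refers to
    sent, drops = [], 0
    for t, size in arrivals:
        backlog = sum(s for _, d, s in sent if d > t)        # bytes still buffered at time t
        if backlog + size > max_queue_bytes:
            drops += 1
            continue
        ref = max(t, clock)                        # FIFO: cannot leave before the previous packet
        tokens = min(bc_bytes, tokens + rate * (ref - clock))
        clock = ref
        if tokens < size:                          # hold the packet until enough tokens accrue
            clock += (size - tokens) / rate
            tokens = float(size)
        tokens -= size
        sent.append((t, round(clock, 6), size))
    return sent, drops


def max_delay(sent):
    """Largest buffering delay a shaped packet experienced (seconds)."""
    return max((d - a for a, d, _ in sent), default=0.0)


# Constructed burst: ten 1000-byte packets arriving at once against a 64 kbps CIR, Bc = 2000 bytes.
CIR_BPS, BC_BYTES = 64_000, 2000
BURST = [(0.0, 1000)] * 10

if __name__ == '__main__':
    conf, dropped = police(BURST, CIR_BPS, BC_BYTES)
    print(f'policer: {len(conf)} conform at t=0, {dropped} dropped (burst of Bc passes intact)')
    sent, tail = shape(BURST, CIR_BPS, BC_BYTES, max_queue_bytes=10_000)
    print(f'shaper : {len(sent)} sent, {tail} tail-dropped, max delay {max_delay(sent):.3f} s')
    print('         departures:', [d for _, d, _ in sent])
    sent_small, tail_small = shape(BURST, CIR_BPS, BC_BYTES, max_queue_bytes=4_000)
    print(f'shaper with 4000-byte buffer: {len(sent_small)} sent, {tail_small} tail-dropped')
```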
Link Efficiency
Within Cisco IOS, several link-efficiency mechanisms are available. Link fragmentation
and interleaving (LFI), Multilink PPP (MLP), and Real-Time Transport Protocol (RTP)
header compression provide for more efficient use of available bandwidth.
Table 6-7 describes Cisco IOS link-efficiency mechanisms.
Table 6-7 Link-Efficiency Mechanisms

| Mechanism | Description |
| --- | --- |
| Link fragmentation and interleaving (LFI) | Reduces delay and jitter on slower-speed links by breaking up large packet flows and inserting smaller data packets (Telnet, VoIP) in between them. |
| Multilink PPP (MLP) | Bonds multiple links together between two nodes, which increases the available bandwidth. MLP can be used on analog or digital links and is based on RFC 1990. |
| Real-Time Transport (RTP) header compression | Provides increased efficiency for applications that take advantage of RTP on slow links. Compresses RTP/UDP/IP headers from 40 bytes down to 2 bytes to 5 bytes. |
Window Size
The window size defines the upper limit of frames that can be transmitted without getting
a return acknowledgment. Transport protocols, such as TCP, rely on acknowledgments to
provide connection-oriented reliable transport of data segments. For example, if the TCP
window size is set to 8192, the source stops sending data after 8192 bytes if no acknowledgment has been received from the destination host. In some cases, the window size
might need to be modified because of unacceptable delay for larger WAN links. If the
window size is not adjusted to coincide with the delay factor, retransmissions can occur,
which affects throughput significantly. It is recommended that you adjust the window size
to achieve better connectivity conditions.
References and Recommended Readings
Cisco IOS Quality of Service Solutions Configuration Guide Release 12.2, www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htm.
Frame Relay, www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/frame.htm.
Integrated Services Digital Network, www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/isdn.htm.
Module 4, “Designing Remote Connectivity,” Designing for Cisco Internetwork Solution Course (DESGN) v2.1.
RFC 1990, www.ietf.org/rfc/rfc1990.txt.
tdm.php.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 6-8 lists a reference of these key topics and the page numbers on which each is found.
Table 6-8 Key Topics

| Key Topic Element | Description | Page |
| --- | --- | --- |
| List | WAN design goals | 202 |
| Table 6-2 | WAN comparison | 205 |
| Summary | Metro Ethernet | 209 |
| Summary | MPLS | 211 |
| List | Keys to PPDIOO | 213 |
| Table 6-3 | Application requirements | 214 |
| Table 6-4 | Physical bandwidth comparison | 215 |
| Table 6-5 | WAN link characteristics | 216 |
| Table 6-6 | QoS considerations | 217 |
| Table 6-7 | Link-efficiency mechanisms | 220 |
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
service level agreement, digital subscriber line, broadband cable, wireless,
time-division multiplexing, Frame Relay, MPLS, SONET/SDH, DWDM
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. When using PPDIOO design methodology, what should a network designer do after identifying the customer requirements?
a. Design the network topology.
b. Design a test network.
c. Plan the implementation.
d. Characterize the existing network.
2. Which module within the enterprise campus connects to the enterprise edge module?
a. Server module
b. Campus core
c. Building distribution
d. Remote access/VPN module
3. What WAN technology is most cost effective and suitable for the telecommuter?
a. MPLS
b. Dark fiber
c. ISDN
d. DSL
4. What two modules are found in the enterprise edge?
a. Campus core
b. Building access
c. Internet
d. MAN/WAN
5. Which of the following statements best describes window size for good throughput?
a. A large window size reduces the number of acknowledgments.
b. A small window size reduces the number of acknowledgments.
c. A small window size provides better performance.
d. None of the above
6. What is the default queuing mechanism for router interfaces below 2.0 Mbps?
a. Traffic shaping
b. WFQ
c. CBWFQ
d. LLQ
7. Which of the following best describes the PPDIOO design methodology? (Select three.)
a. Analyze the network requirements.
b. Characterize the existing network.
c. Implement the network management.
d. Design the network topology.
8. Which of the following modules belongs in the enterprise edge?
a. Building distribution
b. Campus core
c. Network management
d. DMZ/e-commerce
9. Which network modules connect to ISPs in the enterprise edge? (Select two.)
a. Building distribution
b. Campus core
c. Internet
d. DMZ/e-commerce
10. Which enterprise edge network modules connect using the PSTN connectivity?
a. Remote-access/VPN
b. Campus core
c. Building access
d. DMZ/e-commerce
11. Which enterprise edge network modules connect using Frame Relay and ATM?
a. Remote-access/VPN
b. WAN/MAN
c. Building distribution
d. Server farm
12. During which part of the PPDIOO design methodology does implementation planning occur?
a. Analyze the network requirements.
b. Design the topology.
c. Characterize the existing network.
d. None of the above.
13. What functional area provides connectivity between the central site and remote sites?
a. DMZ/e-commerce
b. Campus core
c. Building distribution
d. MAN/WAN
14. What WAN technology allows the enterprise to control framing?
a. Cable
b. Wireless
c. DWDM
d. Dark fiber
15. Which QoS method uses a strict PQ in addition to modular traffic classes?
a. CBWFQ
b. Policing
c. WFQ
d. LLQ
16. A T1 TDM circuit uses how many timeslots?
17. Which wireless implementation is designed to connect two wireless networks in different buildings?
a. Mobile wireless
b. GPRS
c. Bridge wireless
d. UMTS
18. What improves the utilization of optical-fiber strands?
19. On the ISP side of a cable provider, cable modems connect to what system?
20. If Frame Relay, ATM, and SONET technologies are used, what enterprise edge network module would they connect to?
a. WAN/MAN
b. VPN/remote access
c. Internet
d. DMZ/e-commerce
21. What protocol describes data-over-cable procedures that the equipment must support?
22. Into what WAN technology category does ISDN fit?
a. Cell switched
b. UTMS switched
c. Circuit switched
d. Packet switched
23. What do service providers use to define their service offerings at different levels?
a. SWAN
b. WAN tiers
c. WWAN
d. SLA
24. When is it appropriate to use various queuing solutions?
a. WAN has frequent congestion problems.
b. WAN occasionally becomes congested.
c. WAN is consistently at 50 percent utilized.
d. WAN is consistently at 40 percent utilized.
This chapter covers the following subjects:
■ Traditional WAN Technologies
■ Remote-Access Network Design
■ VPN Network Design
■ Enterprise VPN vs. SP VPN
■ WAN Backup Design
■ Enterprise WAN Architecture
■ Enterprise WAN Components
■ Enterprise Branch Architecture
■ Enterprise Teleworker Design
CHAPTER 7
WAN Design
This chapter covers wide-area network (WAN) designs for the enterprise WAN and enterprise branch architecture. It starts out by reviewing traditional WAN technologies and network topologies. Remote-access design is examined with an emphasis on virtual private
networks (VPN). Next, enterprise VPNs are compared and contrasted with service
provider VPNs. Then, this chapter covers WAN architecture, WAN components, and
WAN backup design. The chapter wraps up with enterprise branch architecture and enterprise teleworker design.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 7-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 7-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section          Questions Covered in This Section
Traditional WAN Technologies       1
Remote-Access Network Design       2
VPN Network Design                 3
Enterprise VPN vs. SP VPN          4
WAN Backup Design                  5
Enterprise WAN Architecture        6, 7
Enterprise WAN Components          8
Enterprise Branch Architecture     9, 10
Enterprise Teleworker Design       N/A
1. Which of the following are examples of packet- and cell-switched technologies used in the enterprise edge?
a. Frame Relay and ATM
b. ISDN and T1
c. Cable and DSL
d. Analog voice and T1
2. Typical remote-access network requirements include which of the following? (Select all that apply.)
a. Best-effort interactive and low-volume traffic patterns
b. Voice and VPN support
c. Connections to the enterprise edge using Layer 2 WAN technologies
d. Server load balancing
3. Which VPN infrastructure is used for business partner connectivity and uses the Internet or a private infrastructure?
a. Access VPN
b. Intranet VPN
c. Extranet VPN
d. Self-deployed MPLS VPN
4. What IPsec technology in the enterprise uses routers along with NHRP and mGRE?
a. IPsec direct encapsulation
b. Easy VPN
c. GET VPN
d. DMVPN
5. What backup option allows for both a backup link and load-sharing capabilities using the available bandwidth?
a. Dial backup
b. Secondary WAN link
c. Shadow PVC
d. IPsec tunnel
6. Which common factor is used for WAN architecture selection that involves eliminating single points of failure to increase uptime and growth?
a. Network segmentation
b. Ease of management
c. Redundancy
d. Support for growth
7. What WAN/MAN architecture is provided by the service provider and has excellent growth support and high availability?
a. Private WAN
b. ISP service
c. SP MPLS/IP VPN
d. Private MPLS
8. Which Cisco IOS software family has been designed for low-end to mid-range LAN switching?
a. IOS T Releases 12.3, 12.4, 12.3T, and 12.4T
b. IOS S Releases 12.2SE and 12.2SG
c. IOS XR
d. IOS SX
9. When designing enterprise branch architecture, which of the following are common network components? (Select all that apply.)
a. Routers supporting WAN edge connectivity
b. Switches providing the Ethernet LAN infrastructure
c. Network management servers
d. IP phones
10. Which branch design supports 50 to 100 users and provides Layer 3 redundancy features?
a. Small branch
b. Medium branch
c. Large branch
d. Enterprise teleworker
Foundation Topics
This chapter covers WAN design topics that you need to master for the CCDA exam. It begins by discussing physical WAN technology and WAN topologies used in the enterprise.
Next is a review of remote-access network requirements that are used to design remote-access networks. The chapter goes on to cover the specifics of VPN design and the different connectivity options available for enterprise VPNs and service provider (SP) VPNs.
Next, several backup strategies are explored that are used when designing WANs. Then
the chapter reviews the considerations used in developing WAN architectures, including
the hardware and software options used when selecting components for network designs.
In addition, the design of branch offices is discussed, with a review of several options for
designing different sizes of branch offices.
Traditional WAN Technologies
When selecting a particular WAN technology, you should be familiar with the three major categories that represent traditional WANs:
■ Circuit switched: Data connections that can be brought up when needed and terminated when finished. Examples include ordinary public switched telephone network (PSTN) phone service, analog modems, and ISDN. Carriers reserve the call path through the network for the duration of the call.
■ Leased lines: A dedicated connection provided by the SP. These connections are point to point and generally more expensive. Time-division multiplexing (TDM)-based leased lines usually use synchronous data transmission.
■ Packet and cell switched: Connections that use virtual circuits (PVC/SVC) established by the SP. Packet-switched technologies include Frame Relay; cell-switched technologies include ATM. ATM uses fixed-size cells and provides support for multiple quality of service (QoS) classes. The virtual circuits are part of the shared ATM/Frame Relay SP backbone network, which gives the SP greater flexibility with its service offerings.
When planning and designing a packet-switched WAN, you should become familiar with some basic WAN topologies. These WAN topologies include hub-and-spoke, partial-mesh, and full-mesh topologies, as shown in Figure 7-1.
Hub-and-Spoke Topology
A star or hub-and-spoke topology provides a hub router with connections to the spoke routers through the WAN cloud. Network communication between the sites flows through the hub router. Significant WAN cost savings, lower circuit counts, and simplified management are benefits of the hub-and-spoke topology. In addition, hub-and-spoke topologies provide WAN hierarchy and can provide high availability through the use of dual routers at the hub site.
The disadvantage is that the hub router can represent a single point of failure. The hub-and-spoke topology can also limit the overall performance when resources are accessed through the central hub router from the spoke routers, such as with spoke-to-spoke network traffic.
Figure 7-1 WAN Topologies (hub-and-spoke, partial-mesh, and full-mesh)
Full-Mesh Topology
With full-mesh topologies, each site has a connection to all other sites in the WAN cloud (any-to-any). As the number of sites grows, so does the number of connections that are ultimately required. Consequently, the full-mesh topology is not viable in very large networks. However, a key advantage of this topology is that it has plenty of redundancy in the event of network failures. But redundancy implemented with this approach does have a high price associated with it.
Here are some issues inherent with full-mesh topologies:
■ Many virtual circuits (VC) are required to maintain the full mesh.
■ Broadcast and multicast packets must be replicated once per VC at each site, which consumes bandwidth and router resources.
■ Complex configurations are needed.
■ High cost.
The number of VCs required for a full mesh can be calculated using the formula N x (N – 1) / 2, where N is the number of sites. For example, if you have 4 sites, 4 x (4 – 1) / 2 = 6 VCs are required; at 20 sites the count is already 190 VCs, which is why the topology does not scale.
Partial-Mesh Topology
In a partial-mesh topology, not all sites in the cloud are required to be connected to each other. However, some sites on the WAN cloud have full-mesh characteristics. Partial-mesh topologies give you more options and flexibility for where to place the high-redundancy VCs based on your specific requirements.
Remote-Access Network Design
One of the goals of remote-access network design is to provide a unified solution that allows for seamless connectivity as if the users were on the HQ LAN. The primary function of remote access is to provide your users access to internal resources and applications. Because connection requirements drive the technology selection process, it is important that you analyze the application and network requirements in addition to reviewing the available service provider options.
The following summarizes typical remote-access requirements:
■ Best-effort interactive and low-volume traffic patterns
■ Connections to the enterprise edge using Layer 2 WAN technologies (consider capital and recurring costs)
■ Voice and IPsec VPN support
Remote-access network connections are enabled over permanent always-on connections or on-demand connections. Technologies include digital subscriber line (DSL), cable, wireless 802.11a/b/g/n LAN, and 3G/4G wireless WAN (WWAN). However, these remote-access technologies might or might not be available, so it is best to check the availability for the location in your network design.
VPN Network Design
VPNs are typically deployed over some kind of shared or public infrastructure. VPNs are similar to tunnels in that they carry traffic over an existing IP infrastructure. VPN technologies use the Internet, ATM/Frame Relay WANs, and point-to-point connected IP infrastructures to transport data from end to end. A disadvantage of using VPNs over public networks is that the connectivity is best effort in nature, and troubleshooting is also difficult because you do not have visibility into the service provider’s infrastructure.
Figure 7-2 shows VPN connectivity options.
The three VPN groups are divided by application:
■ Access VPN: These VPN connections give users connectivity over shared networks such as the Internet to their corporate intranets. Users connect remotely using cable/DSL, wireless LAN, or 3G/4G WWAN. Remote network connectivity into the corporate network over the Internet is typically outsourced to an Internet service provider (ISP), and the VPN clients are usually supported by the internal helpdesk. Two architectural options are used to initiate the VPN connections: client-initiated or network access server (NAS)-initiated VPN connections. Client-initiated VPN connections let users establish IPsec encrypted sessions over the Internet to the corporate VPN terminating device. With NAS-initiated VPN connections, users first connect to the NAS, and the NAS then sets up a VPN tunnel to the corporate network on their behalf; the leg between the user and the NAS is not protected by that tunnel.
■ Intranet VPN: Intranet VPNs, or site-to-site VPNs, connect remote offices to the headend offices. Generally, the remote sites use their Internet connection to establish the VPN connection back to the corporate headend office. But they can also use a VPN tunnel over an IP backbone provided by the service provider. The main benefits of intranet VPNs are reduced WAN infrastructure, lower WAN tariffs, and reduction in the operational costs.
■ Extranet VPN: VPN infrastructure for business partner connectivity also uses the Internet or a private infrastructure for network access. Keep in mind that it is important to have secure extranet network policies to restrict the business partners’ access. Typically, these types of VPNs terminate in a partner-designated firewalled demilitarized zone (DMZ).
Figure 7-2 VPN Examples (headquarters site, teleworker, traveling user, site-to-site remote office, and extranet partner reaching the Internet through a POP)
Enterprise VPN vs. Service Provider VPN
When you need to provide secure remote access using VPNs, you must consider several things. One key consideration is the use of enterprise VPNs or service provider based VPNs. Enterprise VPNs typically require in-house VPN design, implementation, and support. Here are some technology options that are available when selecting VPNs.
Enterprise VPNs
Here is a list of VPNs that can be found in enterprise environments:
■ IP Security (IPsec)
■ Cisco Easy VPN
■ Generic routing encapsulation (GRE)
■ Dynamic Multipoint Virtual Private Network (DMVPN)
■ Virtual tunnel interface (VTI)
■ Layer 2 Tunneling Protocol Version 3 (L2TPv3)
Service Provider Offerings
Here is a list of VPNs that can be found with most SPs:
■ Multiprotocol Label Switching (MPLS)
■ Metro Ethernet
■ Virtual Private LAN Services (VPLS)
Enterprise Managed VPN: IPsec
What is IPsec? IPsec is a network layer protocol suite for encrypting IP packets between two peers and thereby creating a secure “tunnel.” The IETF defines the IPsec architecture in RFC 4301. IPsec uses open standards and provides secure communication between peers to ensure data confidentiality, integrity, and authenticity through network layer encryption. IPsec connections are commonly configured between firewalls, VPN appliances, or routers that have IPsec features enabled. IPsec can scale from small to very large networks.
The IPsec protocols include Internet Security Association and Key Management Protocol (ISAKMP) and two IP protocols that carry the protected data: Encapsulating Security Payload (ESP) and Authentication Header (AH). IPsec uses symmetric encryption algorithms to provide data protection. These algorithms need a secure method to exchange keys to ensure that the data is protected; Internet Key Exchange (IKE), which runs on top of ISAKMP, provides that key exchange and peer authentication. ESP provides confidentiality, data origin authentication, connectionless integrity, and anti-replay services. AH provides integrity and data origin authentication, usually referred to as just authentication, but no confidentiality.
In addition, IPsec can secure data from eavesdropping and modification using transform sets, which give you varying levels of strength for the data protection. IPsec also has several hashed message authentication codes (HMAC) available to protect against man-in-the-middle, packet-replay, and data-integrity attacks. Replay protection relies on the receiver checking the ESP/AH sequence number of each packet against a sliding window of recently accepted sequence numbers.
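The anti-replay service that ESP and AH provide, shown as an added example (illustrative Python written for this page, not the book's or Cisco's code): the receiver keeps the highest sequence number accepted so far plus a bitmap of the most recent window, tolerates reordering inside the window, and drops duplicates and anything older than the window. The window size, the class name and the sample sequence numbers are assumptions for the example.

```python
"""ESP/AH-style anti-replay sliding window (added example, not the book's or Cisco's code).

A receiver tracks the highest sequence number it has accepted plus a bitmap of
the most recent `size` sequence numbers. Newer packets slide the window forward;
packets inside the window are accepted once and rejected if repeated; packets
older than the window are dropped. Window size and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    size: int = 64          # W: how many recent sequence numbers are remembered
    last_seq: int = 0       # highest sequence number accepted so far (0 = none yet)
    bitmap: int = 0         # bit i set => sequence number (last_seq - i) has been seen
    accepted: int = 0
    dropped: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh, False if it must be dropped."""
        if seq == 0:                            # ESP never sends sequence number 0
            self.dropped += 1
            return False
        if seq > self.last_seq:                 # newer than anything seen: slide the window
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1                 # the whole old window falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            self.accepted += 1
            return True
        offset = self.last_seq - seq
        if offset >= self.size:                 # older than the window: drop
            self.dropped += 1
            return False
        if self.bitmap & (1 << offset):         # already seen inside the window: replay
            self.dropped += 1
            return False
        self.bitmap |= 1 << offset              # late but fresh: accept and mark
        self.accepted += 1
        return True


def replay_filter(seqs, window=64):
    """Run one window over received sequence numbers; returns accept/drop per packet."""
    w = AntiReplayWindow(size=window)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a replayed 2, reordering, a replayed 4,
    # a jump far ahead, one late packet inside the window, one just outside it.
    sample = [1, 2, 3, 2, 5, 4, 4, 200, 150, 136, 137]
    for seq, ok in zip(sample, replay_filter(sample)):
        print(seq, "accept" if ok else "DROP")
```

The window only works because ESP sequence numbers are covered by the HMAC; an attacker who could rewrite the sequence number would defeat it, which is why replay protection is listed alongside integrity rather than as a separate mechanism.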
IPsec Direct Encapsulation
IPsec provides a tunnel mode of operation that enables it to be used as a standalone connection method and is the most fundamental VPN design model. When you are using
The headend IPsec terminating device needs to use static IP addressing, but the remote
IPsec endpoints can use static or dynamic IP addressing. Redundancy can be provided at
the headend by using multiple IPsec terminating devices, and each remote IPsec endpoint
can be populated with a list of headend endpoints to make connections with.
IPsec packet payloads can be encrypted, and IPsec receivers can authenticate packet origins. Internet Key Exchange (IKE) and Public Key Infrastructure (PKI) can also be used with IPsec. IKE is the protocol used to set up a security association (SA) with IPsec. PKI is an arrangement that provides for third-party verification of identities.
Figure 7-3 shows the topology for IPsec direct encapsulation with multiple headend sites to provide resiliency for the branch offices.
Figure 7-3 IPsec Direct Encapsulation Example (branch sites 1 and 2 each with a primary IPsec tunnel to headend site 1 and a backup IPsec tunnel to headend site 2)
Cisco Easy VPN
Although VPNs provide a high level of authentication and encryption of data between endpoints, they also increase the complexity for the end user to set up and configure. The Cisco Easy VPN Remote feature reduces the difficulty inherent in setting up VPN endpoints by using the Cisco VPN Client protocol. This allows most of the VPN parameters to be defined at the Cisco Easy VPN Server at the headend site. After the Cisco Easy VPN Server has been configured, a VPN connection can be set up with a simple configuration on the Cisco Easy VPN Remote. The remote feature is available on the Cisco 800 series Integrated Services Routers (ISR).
Generic Routing Encapsulation
GRE was developed by Cisco to encapsulate a variety of protocols inside IP tunnels. This approach requires minimal configuration for basic IP VPNs but is weak in both security and scalability. In fact, GRE tunnels do not use any encryption to secure the packets during transport, so a plain GRE tunnel across the Internet exposes the tunneled traffic to anyone on the path.
Using IPsec with GRE tunnels provides secure VPN tunnels by encrypting the GRE tunnel. There are many advantages with this approach, such as support for dynamic IGP routing protocols, non-IP protocols, and IP multicast. Other advantages include support for QoS policies and deterministic routing metrics for headend IPsec termination points. Because all the primary and backup GRE over IPsec tunnels are preestablished, there is built-in redundancy to support failure scenarios. The remote sites can have dynamic or static IP addressing, but the headend site requires static IP addressing. Primary tunnels can be differentiated from backup tunnels by modifying the routing metrics slightly to prefer one over the other.
IPsec DMVPN
DMVPN is a Cisco IOS solution for building IPsec + GRE VPNs in a dynamic and scalable manner.
DMVPN relies on two key technologies called NHRP and mGRE:
■ Next Hop Resolution Protocol (NHRP) creates a mapping database of all spoke tunnel addresses to their real public (NBMA) addresses.
■ Multipoint GRE (mGRE) is a single GRE interface that provides support for multiple GRE and IPsec tunnels, reducing the complexity and the size of the configuration.
DMVPN supports a reduced configuration framework and supports the following features:
■ IP unicast, IP multicast, and dynamic routing protocol support
■ Remote spoke routers with dynamic IP addressing
■ Spoke routers behind dynamic Network Address Translation (NAT) and hub routers behind static NAT
■ Dynamic spoke-to-spoke tunnels for partially or fully meshed VPNs
■ Support for all of the GRE tunnel benefits such as QoS, deterministic routing, and redundancy scenarios
Each remote site is connected using a point-to-point (P2P) GRE tunnel interface to a single mGRE headend interface. The headend mGRE interface dynamically accepts new tunnel connections.
Redundancy can be achieved by configuring spokes to terminate to multiple headends at one or more hub locations. IPsec tunnel protection is typically used to map the cryptographic attributes to the tunnel that is originated by the remote peer.
Dead peer detection (DPD) can be used to detect the loss of a peer IPsec connection.
mGRE interfaces.
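The NHRP registration and resolution exchange that DMVPN is built on, as an added example (illustrative Python written for this page, not Cisco IOS code): spokes register their tunnel address with the hub, the hub builds the tunnel-address-to-NBMA-address mapping database, and a spoke asks the hub to resolve another spoke before building a direct spoke-to-spoke tunnel. Two practical points from the feature list are modelled: a spoke behind dynamic NAT is learned under the source address the hub actually observes, not the address the spoke believes it has, and the NHRP authentication string is a cleartext field that only filters out misconfigured peers, so the exchange must run inside IPsec. All names and addresses are constructed sample data.

```python
"""NHRP registration/resolution exchange used by DMVPN (added example, not Cisco IOS code).

The hub keeps the mapping of tunnel (private) address to NBMA (public) address.
A spoke behind dynamic NAT is recorded under the post-NAT source address the hub
observes. The authentication string mirrors 'ip nhrp authentication': it is sent
in cleartext, so it is a misconfiguration guard, not a security control; IPsec
tunnel protection is what actually authenticates the peers. Sample data only.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class NhrpEntry:
    tunnel_ip: str
    nbma_ip: str        # address the hub (or another spoke) will actually send to
    behind_nat: bool    # the claimed NBMA address differed from the observed source


class NhrpHub:
    def __init__(self, auth_string: str, tunnel_ip: str, nbma_ip: str):
        self.auth_string = auth_string
        self.cache: Dict[str, NhrpEntry] = {tunnel_ip: NhrpEntry(tunnel_ip, nbma_ip, False)}

    def registration_request(self, auth: str, tunnel_ip: str,
                             claimed_nbma: str, observed_src: str) -> Optional[NhrpEntry]:
        """Install a spoke mapping; None means the request was ignored."""
        if auth != self.auth_string:        # authentication string mismatch: ignore
            return None
        entry = NhrpEntry(tunnel_ip, observed_src, claimed_nbma != observed_src)
        self.cache[tunnel_ip] = entry
        return entry

    def resolution_request(self, auth: str, target_tunnel_ip: str) -> Optional[NhrpEntry]:
        """Answer 'which NBMA address reaches this tunnel address?'"""
        if auth != self.auth_string:
            return None
        return self.cache.get(target_tunnel_ip)


class Spoke:
    def __init__(self, tunnel_ip: str, nbma_ip: str, nat_public_ip: Optional[str] = None):
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip              # address the spoke believes it has
        self.nat_public_ip = nat_public_ip  # what the Internet sees, if behind dynamic NAT

    def register(self, hub: NhrpHub, auth: str) -> Optional[NhrpEntry]:
        observed = self.nat_public_ip or self.nbma_ip   # source address of the packet
        return hub.registration_request(auth, self.tunnel_ip, self.nbma_ip, observed)


def run_exchange() -> dict:
    """Constructed scenario: one hub, a public spoke, a NATed spoke, a misconfigured spoke."""
    hub = NhrpHub("dmvpn-auth", "10.0.0.1", "198.51.100.1")
    spoke_a = Spoke("10.0.0.2", "203.0.113.2")
    spoke_b = Spoke("10.0.0.3", "192.168.1.2", nat_public_ip="203.0.113.50")
    spoke_bad = Spoke("10.0.0.4", "203.0.113.4")

    spoke_a.register(hub, "dmvpn-auth")
    spoke_b.register(hub, "dmvpn-auth")
    rejected = spoke_bad.register(hub, "wrong-string")

    return {
        "b_as_seen_by_a": hub.resolution_request("dmvpn-auth", "10.0.0.3"),
        "a_as_seen_by_b": hub.resolution_request("dmvpn-auth", "10.0.0.2"),
        "bad_registered": rejected is not None or "10.0.0.4" in hub.cache,
        "unknown": hub.resolution_request("dmvpn-auth", "10.0.0.9"),
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(key, value)
```

The `behind_nat` flag is the design point: spoke A can reach spoke B only at B's post-NAT address, and whether a direct tunnel to that address will work depends on B's NAT device, which is why the feature list distinguishes spokes behind dynamic NAT from hubs behind static NAT.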
IPsec Virtual Tunnel Interface Design
Virtual tunnel interface (VTI) is an IPsec VPN design option available in Cisco IOS software. VTI has some interesting advantages over previous IPsec design options, including support for dynamic routing protocols and IP multicast without using GRE or mGRE type interfaces. Also, because each VTI tunnel is assigned a unique interface, specific tunnel-level features such as QoS can be configured for each tunnel separately from other VTI tunnels. The physical topology for VTI designs can be designed the same way as IPsec direct encapsulation, using multiple headends and two tunnels from the remote sites, one to each headend.
Layer 2 Tunneling Protocol Version 3
L2TPv3 provides a high-speed transparent Layer 2 to Layer 2 service over an IP backbone.
The signaling in L2TPv3 is responsible for the control plane functions such as authentication, session IDs, and the exchange of configuration parameters. L2TPv3 has support for
Frame Relay, Ethernet, IEEE 802.1Q, HDLC, and PPP encapsulation types to be tunneled.
Service Provider Managed Offerings
Metro Ethernet
Demand for bandwidth in the metro-area network (MAN) is increasing as a result of the high throughput requirements of data-intensive applications. Today, many SPs are offering Metro Ethernet services to fulfill the demand; these are based on Ethernet, IP, and optical technologies such as dense wavelength-division multiplexing (DWDM) or coarse wavelength-division multiplexing (CWDM).
Metro Ethernet services can provide more bandwidth, the ability to upgrade the bandwidth as needed, and higher levels of redundancy through multiple route processors. Because Metro Ethernet can support the higher bandwidth requirements, it is often better suited to support converged network services (for example, voice, video, and data services combined on the same link).
Most service providers are using Ethernet as a method to access their backbone network. Ethernet handoff is becoming common even if the transport is based on SONET/SDH, MPLS, Frame Relay, or the Internet.
Table 7-2 shows the benefits Ethernet handoffs at the customer edge provide.
Table 7-2 Benefits of Ethernet Handoffs at the Customer Edge

Benefit                           Description
Service-enabling solution         Layering value-added services in addition to the network
Flexible architecture             No need for truck roll for increasing port speeds
                                  No need for new customer premises equipment (CPE)
                                  Evolving existing Frame/ATM services to an IP-based solution
Seamless enterprise integration   Ease of integration with existing LAN network equipment
Virtual Private LAN Services
Virtual Private LAN Services (VPLS) defines an architecture that enables Ethernet Multipoint Service (EMS) over an MPLS network. VPLS connects L2 domains over an IP/MPLS network, emulating an IEEE Ethernet bridge.
Figure 7-4 depicts a VPLS topology in an MPLS network.
Figure 7-4 VPLS Topology Example (VPLS is an architecture: CE routers attached to PE routers at the edge of an MPLS provider network)
VPLS is a type of VPN that allows for the connection of multiple sites into a single L2 domain over a managed IP/MPLS network. VPLS presents an Ethernet interface, which simplifies the LAN/WAN demarc for service providers. This enables rapid and flexible service provisioning because the service bandwidth is not tied to the physical interface. All the VPLS services appear to be on the same VLAN regardless of physical location in the WAN, which also means that L2 faults and broadcast storms at one site are visible at all the others.
VPLS uses edge routers that learn L2 domains, bridge them, and replicate them through the VPN. Within the IP/MPLS cloud is a collection of full-mesh connections providing any-to-any connectivity between sites. VPLS supports many of the new applications and services that need to be on the same L2 network to function properly. Some services lack network layer addressing or are transparent to the upper-layer protocols.
MPLS
MPLS is a technology for the delivery of IP services using an efficient label-based encapsulation; combined with traffic engineering, it can also be used to guarantee bandwidth. MPLS can run on many L2 technologies, including ATM, Frame Relay, PPP, Packet over SONET (POS), and Ethernet.
MPLS is an economical solution that can be easily integrated over any existing infrastructure, offering flexibility because MPLS is independent of access technologies. SPs can offer intelligent network services to their customers over a single infrastructure. Each of the SP’s customers can have one or more VPNs within the overall MPLS network, called virtual routing and forwarding (VRF) instances.
MPLS Layer 3 Design Overview
MPLS Layer 3 VPNs have the following characteristics:
■ The MPLS network distributes labels to each VPN.
■ Only labels for other VPN members are distributed.
■ Each VPN is automatically provisioned by IP routing.
■ Each MPLS VPN provides traffic separation comparable to Frame Relay connections, but the separation is logical and the provider does not encrypt the payload.
■ Encryption (for example, IPsec between the customer routers) can be added to the VPN to provide privacy.
■ A single label is needed for both QoS and VPN.
MPLS Layer 3 VPNs are the most widely deployed MPLS technology. MPLS Layer 3 VPNs leverage Border Gateway Protocol (BGP) to distribute VPN-related information. The SP typically manages the BGP routing domain within the MPLS cloud. This can significantly reduce the operational costs and complexities for enterprise environments.
Inside the MPLS cloud, network routes are learned with a dynamic Interior Gateway Protocol (IGP) such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP), with Border Gateway Protocol (BGP), or with static routes that are manually configured.
MPLS VPNs use labels to specify the VRF and the corresponding VPN destination networks, which keeps the routes of different VPNs separate even when their address space overlaps. With MPLS Layer 3 VPNs, other value-added services can be layered on, such as QoS and traffic engineering. These services might offer enhanced network services such as voice, video, and data, for example. In addition, MPLS TE and Fast Reroute (FRR) features can be used to provide “tight service level agreements (SLA),” including up to five levels of QoS SLAs.
VPN Benefits
The major benefits of using VPNs are flexibility, cost, and scalability. VPNs are easy to set up and deploy over existing infrastructure in most cases. VPNs enable network access to remote users, remote sites, and extranet business partners. VPNs lower the cost of ownership by reducing the WAN recurring monthly charges and standardizing VPN security policies. The geographic coverage of VPNs is nearly everywhere Internet access is available, and they scale well because they can be deployed in a secure, consistent manner.
WAN Backup Design
Redundancy is a critical component of WAN design for the remote site because of the unreliable nature of WAN links when compared to the LANs that they connect. Most enterprise edge solutions require high availability between the primary and remote site. Because WAN links have lower reliability and less bandwidth, they are good candidates for most WAN backup designs.
Branch offices should have some type of backup strategy in the event of a primary link failure. Backup links can be dialup, permanent WAN, or Internet-based connections.
WAN backup options are as follows:
■ Dial backup: ISDN provides backup dialup services in the event of a primary failure of a WAN circuit. The backup link is initiated if a failure occurs with the primary link. The ISDN backup link provides network continuity until the primary link is restored, and then the backup link is torn down. A common trigger is a floating static route: a static route through the backup link with a higher administrative distance than the primary route, so that it is installed in the routing table only while the primary route is absent.
■ Secondary WAN link: Adding a secondary WAN link makes the network more fault tolerant. This solution offers two key advantages:
  ■ Backup link: Provides network connectivity if the primary link fails. Dynamic or static routing techniques can be used to provide routing consistency during backup events. Application availability can also be increased because of the additional backup link.
  ■ Additional bandwidth: Load sharing allows both links to be used at the same time, increasing the available bandwidth. Load balancing can be achieved over the parallel links using automatic routing protocol techniques.
■ Shadow PVC: SPs can offer shadow Frame Relay PVCs, which provide additional PVCs for use if needed. The customer is not charged for the shadow PVC as long as its usage does not exceed limits set by the provider while the primary PVC is available. If the limit is exceeded, the SP charges the customer accordingly.
■ IPsec tunnel across the Internet: An IPsec VPN backup link can redirect traffic to the corporate headquarters when a network failure has been detected.
Load-Balancing Guidelines
Load balancing can be implemented per packet or per destination using fast switching. If
WAN links are less than 56 kbps, per-packet load balancing is preferred. Fast switching is
enabled on WAN links that are faster than 56 kbps, and per-destination load balancing is
preferred.
A major disadvantage of using duplicate WAN links is cost. Duplicate WAN links require
additional WAN circuits for each location, and more network interfaces are required to
terminate the connections. However, the loss of productivity if a site loses network connectivity and becomes isolated can be greater than the cost of the duplicate WAN link.
WAN Backup over the Internet
Another alternative for WAN backup is to use the Internet as the connectivity transport
between sites. However, keep in mind that this type of connection does not support bandwidth guarantees. The enterprise also needs to work closely with the ISP to set up the tunnels and advertise the company’s networks internally so that remote offices have reachable
IP destinations.
Security is of great importance when you rely on the Internet for network connectivity, so
a secure tunnel using IPsec needs to be deployed to protect the data during transport.
Figure 7-5 illustrates connectivity between the headend or central site and a remote site
using traditional ATM/Frame Relay connections for the primary WAN link. The IPsec tunnel is a backup tunnel that provides redundancy for the site if the primary WAN link fails.
Figure 7-5 WAN Backup over the Internet (main office and remote site joined by the primary ATM/FR WAN through the service provider, with a backup IPsec tunnel across the Internet)
IPsec tunnels are configured between the source and destination routers using tunnel interfaces. Packets that are destined for the tunnel start out with a standard IP header. As they are forwarded into the tunnel, an additional GRE/IPsec header is placed on them, and they are sent with a destination address of the tunnel endpoint. After the packets cross the tunnel and arrive on the far end, the GRE/IPsec headers are validated and removed. The packets are then forwarded normally using the original IP packet headers.
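The encapsulation and decapsulation steps described above, and the GRE tunnel introduced in the Generic Routing Encapsulation section, shown as one added example (illustrative Python written for this page, not the book's or Cisco IOS code). It builds the outer IPv4 header and the 4-byte GRE header (RFC 2784 layout, protocol type 0x0800) around an inner IP packet, and the far end validates the outer checksum, the peer address and the GRE flags before handing back the original packet. The IPsec protection that would wrap the GRE packet on the Internet is not shown. The addresses, the payload and the helper names are constructed for the example.

```python
"""GRE encapsulation/decapsulation (added example, not the book's or Cisco IOS code).

Shows the header add/remove step described in the text: outer IPv4 header +
GRE header around an inner IPv4 packet, then validation and stripping at the far
end. IPsec around the GRE packet is out of scope here. Sample data is constructed.
"""
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the IPv4 header; 0 when verifying a good header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a GRE header and an outer IPv4 header to the tunnel endpoint."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version 0: no checksum, key or sequence
    payload = gre + inner
    return build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(payload)) + payload


def gre_decapsulate(packet: bytes, expected_peer: str) -> bytes:
    """Validate outer IPv4 + GRE headers and return the original inner packet.

    Raises ValueError on anything the tunnel endpoint should refuse: a bad outer
    checksum, a non-GRE payload, an unexpected peer, a wrong GRE version, or GRE
    option fields this minimal decapsulator does not implement.
    """
    if len(packet) < 24 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer IPv4 checksum failed")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % outer[9])
    src = str(ipaddress.IPv4Address(outer[12:16]))
    if src != expected_peer:
        raise ValueError("GRE packet from unexpected peer %s" % src)
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("GRE version must be 0")
    if flags_ver & 0xB000:   # C, K or S bit set: optional fields would follow
        raise ValueError("GRE checksum/key/sequence fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + 4:]


def sample_inner_packet() -> bytes:
    """Constructed inner IPv4 packet between two private hosts carrying 8 bytes of payload.

    Protocol 253 is reserved for experimentation, so no real transport header is implied.
    """
    data = b"BACKUP!!"
    return build_ipv4_header("10.1.1.10", "10.2.2.20", 253, len(data)) + data


if __name__ == "__main__":
    inner = sample_inner_packet()
    outer = gre_encapsulate(inner, "203.0.113.2", "198.51.100.1")
    print("inner %d bytes, on the wire %d bytes" % (len(inner), len(outer)))
    print("round trip ok:", gre_decapsulate(outer, "203.0.113.2") == inner)
```

The peer check is the one security decision in plain GRE: without IPsec, the source address is the only thing tying a packet to a tunnel, and it is trivially spoofed, which is the reason the text insists on GRE over IPsec for any Internet path.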
Enterprise WAN Architecture
When selecting an enterprise WAN architecture, you should identify and understand the business and technical requirements. It is important to review sample network designs that could help identify requirements. Here are some common factors that influence decisions for WAN architecture selection:
■ High availability: The design should eliminate single points of failure, either by software features or hardware-based resiliency. Redundancy is critical in providing high levels of availability for the enterprise. Some technologies have built-in techniques that enable them to be highly available. For technologies that do not, other techniques can be used, such as using additional WAN circuits or backup power supplies.
■ Support for growth: Often, enterprises want to provide for growth in their WAN architectures, considering the amount of effort and time required to connect additional sites. High-growth WAN technologies can reduce the amount of effort and cost involved in network expansions. WAN technologies that do not provide growth require significantly more effort, time, and cost to add new branches or remote offices.
■ Operational expenses: Private line and traditional ATM/Frame Relay tend to have higher recurring expenses than Internet-based IP VPNs. Public networks such as the Internet can be used for WAN services to reduce cost, but there are some trade-offs with reliability and security compared to private or ATM/Frame Relay-type transports. Moreover, public networks make it more difficult to provide advanced technologies such as real-time voice and video.
■ Operational complexity: The expertise of the technical staff who are required to maintain and support MAN and WAN technologies varies. Most enterprises have the internal IT knowledge to handle most traditional MAN and WAN upgrades without the need for much training. However, some of the advanced technologies usually reserved for SPs may require additional training for the IT staff if the support is brought in-house. Depending on the technology and the design, you have opportunities to reduce the complexity through network management.
■ Cost to implement: In most cases, the implementation cost is a major concern. During the design process, it is important to evaluate the initial and recurring costs along with the design’s benefits. Sometimes an organization can migrate from legacy connectivity to new technology with minimal investment in terms of equipment, time, and resources. In other cases, a network migration can require a higher initial cost in terms of equipment and resources but can provide recurring operational savings and greater flexibility over the long term.
■ Network segmentation support: Segmentation provides for Layer 2/3 logical separations between networks instead of physically separate networks. Advantages include reduced costs associated with equipment, maintenance, and carrier charges. In addition, separate security policies can be implemented per department or by functional area of the network to restrict access as needed.
■ Support for voice and video: There is an increasing demand for the support of voice over MAN and WAN technologies. Some WAN providers offer Cisco QoS-Certified IP VPNs, which can provide the appropriate levels of QoS needed for voice and video deployments. In cases where Internet or public network connections are used, QoS cannot always be assured. When voice and video are required for small offices, teleworkers, or remote agents, 768-kbps upstream bandwidth or greater is recommended.
Chapter 7: WAN Design 243
Cisco Enterprise MAN/WAN
The Cisco Enterprise MAN/WAN architecture uses several technologies that work together in a cohesive relationship.
Here is the list of Cisco enterprise MAN/WAN technologies:
■ Private WAN (optional encryption)
■ Private WAN with self-deployed MPLS
■ ISP service (Internet with site-to-site and remote-access VPN)
■ SP-managed IP/MPLS VPN
■ Cisco Wide Area Application Services (WAAS)
These architectures provide integrated QoS, security, reliability, and ease of management
that is required to support enterprise business applications and services. As you can see,
these architectures provide a number of alternative technologies to the traditional private
WAN and can allow for network growth and reduced monthly carrier charges.
Cisco WAAS is a comprehensive WAN optimization solution that delivers LAN-like performance to applications over the WAN. WAAS can provide accelerated application access
to the branch office. The local WAAS appliance can also host local branch IT services for
applications that are pushed out to the remote branch office.
Enterprise WAN/MAN Architecture Comparison
Enterprise WAN/MAN architectures have common characteristics that allow the network
designer to compare the advantages and disadvantages of each approach. Table 7-3 compares the characteristics of private WAN, ISP service, SP MPLS/IP VPN, and private
MPLS architectures.
Table 7-3 WAN/MAN Architecture Comparison

Characteristic                       Private WAN        ISP Service         SP MPLS/IP VPN      Private MPLS
High availability                    Excellent          Good                Excellent           Excellent
Growth support                       Moderate           Good                Excellent           Excellent
Security                             IPsec (optional)   IPsec (mandatory)   IPsec (optional)    IPsec (optional)
Ongoing expenses                     High               Low                 Moderate to high    Moderate to high
Ease of management                   High               Medium              Medium              High
Voice/video support                  Excellent          Low                 Excellent           Excellent
Effort to migrate from private WAN   Low                Moderate            Moderate            High
Multicast                            Good               Good                Good                Excellent
The Cisco enterprise MAN/WAN architectures include private WAN, ISP service, SP MPLS/IP VPN, and private MPLS:
■ Private WAN generally consists of Frame Relay, ATM, private lines, and other traditional WAN connections. If security is needed, private WAN connections can be used in conjunction with encryption protocols such as Digital Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). This technology is best suited for an enterprise with a moderate growth outlook where some remote or branch offices will need to be connected in the future. Businesses that require secure and reliable connectivity to comply with IT privacy standards can benefit from IPsec-encrypted connectivity over the private WAN. Disadvantages of private WANs are that they have high recurring costs from the carriers and they are not the preferred technology for teleworkers and remote call center agents. Some enterprises may use encryption on the network connecting larger sites and omit encryption on the smaller remote offices with IP VPNs.
■ ISP service (Internet with site-to-site and remote-access VPN) uses strong encryption standards such as DES, 3DES, and AES, which make this WAN option more secure than the private WAN. ISP service also provides compliance with many new information security regulations imposed on some industries, such as healthcare and finance. This technology is best suited for basic connectivity over the Internet. However, if you need to support voice and video, consider IPsec VPN solutions that have the desired QoS support needed to meet your network requirements. The cost of this technology is relatively low. It is useful for connecting large numbers of teleworkers, remote contact agents, and small remote offices.
■ SP MPLS/IP VPN is similar to private WAN technology, but with added scalability and flexibility. MPLS-enabled IP VPNs enable mesh-like behavior or any-to-any branch-type connectivity. SP MPLS networks can support enterprise QoS requirements for voice and video, especially those with high growth potential. SP MPLS features secure and reliable technology with generally lower carrier fees. This makes it a good option for connecting branch offices, teleworkers, and remote call center agents.
■ Private WAN with self-deployed MPLS enables the network to be segmented into multiple logical segments, allowing for multiple VPNs internally. Self-deployed MPLS is usually reserved for large enterprises that are willing to make substantial investments in equipment and training to build out the MPLS network. The IT staff needs to be well trained and comfortable with supporting complex networks.
Figure 7-6 illustrates SP MPLS, private WAN with encryption, and IPsec VPNs WAN
architectures.
[Figure 7-6: WAN Architectures. Labels in the figure: Main Office, Remote Offices, West Branch, East Branch, Teleworker, Remote User, Call Center Agent; transports shown: SP MPLS, Private WAN with Encryption, IPsec VPNs over the Internet.]
Enterprise WAN Components
When selecting enterprise edge components, you want to keep several considerations in
mind. Here are some factors to examine during the selection process:
■ Hardware selection involves the data-link functions and features offered by the device. Considerations include the following:
  ■ Port density
  ■ Types of ports supported
  ■ Modularity (add-on hardware)
  ■ Backplane and packet throughput
  ■ Redundancy (CPU and/or power)
  ■ Expandability for future use
■ Software selection focuses on the network performance and the feature sets included in the software. Here are some factors to consider:
  ■ Forwarding decisions
  ■ Technology feature support
  ■ Bandwidth optimization
  ■ Security vulnerabilities
  ■ Software issues
When evaluating hardware, it is recommended to use the latest Cisco product datasheets
to research hardware and determine the equipment’s capabilities. Remember to consider
the port densities and types of ports the device offers. Some other areas to investigate
include device modularity, packet throughput, redundancy capabilities, and the device’s
expandability options. Finally, remember to factor in what power options the hardware
supports.
Figure 7-7 shows Cisco ISR G2 hardware options.
[Figure 7-7: Cisco ISR G2 Hardware. Labels in the figure: 860, 880, 890 (Virtual Office); 1941, 1941-W (Secure Mobility); 2901, 2911, 2821, 2951 (Customizable Applications); 3925, 3945 (Secure Collaboration); Scalable Rich-Media Services; Enhancing the Customer Experience.]
Cisco’s Integrated Services Routers second generation (ISR G2) are part of the Borderless
Networks with the Cisco Network Architectures for the Enterprise. These ISR G2 routers
provide the platform for business innovation by meeting the performance requirements for
the next generation of WAN and network services. This architecture allows cost-effective
delivery of high-definition (HD) collaboration solutions at the branch office and supports
the secure transition to the private cloud. Cisco ISR G2 routers enable the business to
deploy on-demand services, which reduces the overall cost of ownership.
Here are some key advantages of the ISR G2 routers:
■ Delivers next-gen WAN and network service capabilities
■ Provides video-based collaboration and rich-media services
■ Enables secure transition to cloud and virtualized network services
■ Reduces energy consumption and costs to support corporate responsibility
Comparing Hardware and Software
Table 7-4 compares the Cisco router and switch hardware platforms and their associated
software families, releases, and functional descriptions.
Table 7-4 Cisco Router/Switch Platform and Software Comparison

Router/Switch Hardware        Software                                              Description
800, 1800, 2800, 3800, 7200   Cisco IOS T Releases 12.3, 12.4, 12.3T, and 12.4T   Access routing platforms supporting fast and scalable delivery of data for enterprise applications.
800, 1900, 2900, 3900, 7200   Cisco IOS 15.0(1)                                     Delivers security, voice, and IP services with support for rich-media applications such as HD video and on-demand services.
7x00, 10000                   Cisco IOS S Release 12.2SB                            Delivers midrange routing services for the enterprise and SP edge networks.
7600                          Cisco IOS S Release 12.2SR                            Delivers high-end LAN switching for enterprise access, distribution, core, and data center. Also supports Metro Ethernet for the SP edge.
12000, CRS-1                  Cisco IOS XR                                          High availability, providing large scalability and flexibility for the SP core and edge (takes advantage of the highly distributed processing capabilities of the Cisco CRS-1 routing systems and the Cisco 12000).
2970, 3560, 3750              Cisco IOS S Release 12.2SE                            Provides low-end to mid-range LAN switching for enterprise access and distribution deployments.
4500, 4900                    Cisco IOS S Release 12.2SG                            Provides mid-range LAN switching for enterprise access and distribution in the campus. Also supports Metro Ethernet.
6500                          Cisco IOS S Release 12.2SX                            Delivers high-end LAN switching for enterprise access, distribution, core, and data center. Also supports Metro Ethernet for the SP edge.
Enterprise Branch Architecture
Enterprise branch architectures encompass a wide range of services that customers want
to deploy at the edge of the enterprise. These architectures allow for a variety of connection options, and distance typically is not an issue. The services in this architecture give
customers new opportunities to increase security, converge their voice and data traffic,
improve productivity, and reduce costs.
The Cisco enterprise branch architecture is a flexible and secure framework for extending
headend application functionality to the remote site. The Cisco enterprise branch architecture uses the Cisco Network Architectures for the Enterprise framework but applies it to a
smaller scale of a branch site.
Common branch network components found within the enterprise framework include
■ Routers supporting the WAN edge connectivity
■ Switches providing the Ethernet LAN infrastructure
■ Security appliances securing the branch devices
■ Wireless access points (AP) allowing for roaming mobility
■ Call processing providing Unified Communications and video support
■ IP phones and PCs for the end-user devices
Branch Design
It is important to characterize the existing network by gathering requirements to develop a
suitable design for the branch.
Here are some questions you should ask:
■ How much scalability is expected (network devices, servers, users)?
■ How much scalability is expected?
■ What level of high availability or redundancy is required?
■ Is specific server or network protocol support needed?
■ Will the network management or support be centralized or distributed?
■ Are there any network segmentation restrictions, such as DMZ segments, or internal networks versus external networks?
■ Will wireless services be needed, and to what extent?
■ What is the estimated budget for the branch design?
Enterprise Branch Profiles
Profiles are not intended to be the only architectures for branch offices but rather a common set of services that each branch should include. These profiles serve as a basis on which integrated services and application networking are built. The three profiles for the enterprise branch are as follows:
■ Small office: Up to 50 users (single-tier design)
■ Medium office: Between 50 and 100 users (dual-tier design)
■ Large office: Between 100 and 1000 users (three-tier design)
Requirements such as high availability, scalability, and redundancy influence the branch
profile selected for a branch office.
To integrate the WAN edge and the LAN infrastructure, an ISR can be used to provide
voice, security, and data services. The ISR supports triple-speed interfaces
(10/100/1000), high-speed WAN interface cards (HWIC), network modules, and embedded security capabilities.
ISR G2 New Features
The Cisco ISR second generation (ISR G2) series of routers builds on the success of the first-generation models, with new features that deliver better performance, a rich set of new service options, and a single universal Cisco IOS software image. Two of the new innovations are the video-ready branch, based on high-density digital signal processors (DSP), and services virtualization, providing cloud extensibility and mission-critical application survivability.
Table 7-5 compares the features of ISR versus ISR G2.
Table 7-5 ISR Versus ISR G2 Feature Comparison

Feature                                   Cisco ISR                                                                Cisco ISR G2
WAN performance                           Up to 45 Mbps with services                                              Up to 350 Mbps with services
Network processor                         Single                                                                   Multicore with future expandability
Service module performance and capacity   1X and 160 GB storage                                                    Up to 7X with dual core and 1 TB storage
Onboard DSPs                              Voice only                                                               Voice- and video-ready DSPs
Switch modules                            Fast Ethernet with Power over Ethernet (PoE); based on Catalyst 3750    Fast Ethernet/Gigabit Ethernet with PoE+; based on Catalyst 3560E/2950
IOS image                                 Multiple images                                                          Single universal IOS image
Services delivery                         Hardware-coupled                                                         Services on demand
Redundancy                                Single motherboard                                                       Field-upgradeable motherboard
Energy efficiency                         EnergyWise                                                               Real-time power reporting
Small Branch Design
The small branch design is recommended for branch offices that do not require hardware
redundancy and that have a small user base supporting up to 50 users. This profile consists of an access router providing WAN services and connections for the LAN services.
The access router can connect the Layer 2 switch ports in one of three ways:
■ Integrated Layer 2 switching using an optional EtherSwitch module that provides 16 to 48 Ethernet ports for client connections. Some modules support PoE.
■ External Layer 2 switching using a trunk connection to an access switch that aggregates the Ethernet connections. The access switch can also include PoE to support IP phones and wireless APs.
■ Logical EtherChannel interface between the ISR and the access switches using the EtherSwitch module. The access switches can also provide PoE as needed.
The Layer 3 WAN services are based on the WAN and Internet deployment model. A T1 is
used for the primary link, and an ADSL secondary link is used for backup. Other network
fundamentals are supported, such as EIGRP, floating static routes, and QoS for bandwidth
protection.
The ISR can support the default gateway function and other Layer 3 services such as
DHCP, NAT, IPsec VPN, and IOS Firewall.
Layer 2 services can be provided by the Cisco ISR using switch modules or by Cisco Catalyst 2960, 3560, or 3750 series access switches. It is recommended that you use Rapid Per VLAN Spanning Tree Plus (PVST+) for all Layer 2 branch offices where loops are present. Rapid PVST+ ensures a loop-free topology when multiple Layer 2 connections are used for redundancy purposes.
Both the Cisco 2921 and the 2951 ISRs support three integrated 10/100/1000 Ethernet interfaces, which support Layer 3 routing, and one slot for a network module. There are 16-, 24-, and 48-port Cisco EtherSwitch network modules available.
Figure 7-8 illustrates the small branch design connecting back to the corporate office
where the corporate resources are located.
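The small branch WAN edge just described (T1 primary link, ADSL backup, EIGRP, floating static route, QoS for bandwidth protection), written out as an added Cisco IOS configuration example. This is not configuration from the book or from Cisco; the hostname, interface names, addresses, EIGRP AS number, VLAN, and PPP credentials are constructed placeholders, and the ADSL circuit is assumed to be PPPoA on PVC 0/35.

```cisco
! Added example, not from the book: small branch ISR WAN edge with a T1 primary
! link and an ADSL backup reached through a floating static default route.
! Hostname, interface names, addresses, AS number, VLAN and PPP credentials are
! constructed placeholders.
hostname BRANCH-ISR
!
! --- QoS: voice gets a low-latency priority queue, the rest is fair-queued ---
class-map match-any VOICE
 match ip dscp ef
!
policy-map WAN-EDGE
 class VOICE
  priority percent 33
 class class-default
  fair-queue
!
! --- Primary WAN: T1 to corporate HQ, routed by EIGRP ---
interface Serial0/0/0
 description T1 primary link to corporate HQ
 ip address 10.255.0.2 255.255.255.252
 service-policy output WAN-EDGE
!
! --- Backup WAN: ADSL (PPPoA, assumed) terminated on a dialer interface ---
interface ATM0/1/0
 description ADSL backup circuit
 no ip address
 dsl operating-mode auto
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 description ADSL backup, address assigned by the ISP
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname BRANCH-ISP-USER
 ppp chap password 0 REPLACE-ME
!
! --- Branch LAN (EtherSwitch module or trunk to the access switch) ---
interface Vlan10
 description Branch user VLAN; the ISR is the default gateway
 ip address 10.20.10.1 255.255.255.0
!
! --- Routing: EIGRP neighbors only across the T1; the LAN is advertised but passive ---
router eigrp 100
 network 10.20.10.0 0.0.0.255
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface Serial0/0/0
!
! --- Floating static default route for the backup path ---
! Routes learned by EIGRP (AD 90 internal, 170 external) win while the T1 is
! up; administrative distance 250 keeps this route out of the routing table
! until the EIGRP-learned default disappears.
ip route 0.0.0.0 0.0.0.0 Dialer1 250
```

The floating static route only restores reachability through the ISP; because the ADSL path crosses a public network, traffic to corporate prefixes over it still needs an IPsec tunnel (the ISR supports IPsec VPN, as the text notes), and NAT on Dialer1 for direct Internet access. After a failover test, `show ip route 0.0.0.0` should show the static route with distance 250 only while the T1 is down.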
Medium Branch Design
The medium branch design is recommended for branch offices of 50 to 100 users, which is
similar to the small branch but with an additional access router in the WAN edge (slightly
larger) allowing for redundancy services. Typically, two 2921 or 2951 routers are used to
support the WAN, and separate access switches are used to provide LAN connectivity.
[Figure 7-8: Small Branch Design. Labels in the figure: WAN, Internet, T1, ADSL, Access Router.]
The infrastructure components are dual-access routers, external Layer 2 / Layer 3
switches, laptops, desktops, printers, and IP phones. Dual Frame Relay links provide the
private WAN services, which are used to connect back to the corporate offices via both of
the access routers.
Layer 3 protocols such as EIGRP are typically deployed. Because there are two routers,
Hot Standby Router Protocol (HSRP) or Gateway Load Balancing Protocol (GLBP) can be
used to provide redundancy gateway services. QoS can also be used to provide guaranteed bandwidth for VoIP, and policing can be used to restrict certain traffic classes from
overwhelming the available bandwidth. Cisco IOS features such as QoS, access control
lists (ACL), and RIP routing capabilities are available in the IP Base feature set, but IP unicast routing and multicast routing require the IP Services feature set.
The medium branch design supports using a higher-density external switch or using the
EtherSwitch module with the ISR to create trunks to the external access switches. The
Cisco Catalyst 3750 series switches have StackWise technology, allowing multiple
switches to be connected and managed as one. This also increases the port density available for end-user connections. With Cisco StackWise technology, customers can create a
single, 32-Gbps switching unit that can connect up to nine 3750 series switches using a
variety of fiber and copper ports, allowing greater flexibility with the connection options.
Figure 7-9 illustrates the medium branch design using dual routers back to the corporate
office where the corporate resources are located.
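The redundancy and QoS pieces of the medium branch design (dual access routers, Frame Relay to HQ, EIGRP, HSRP gateway redundancy, guaranteed bandwidth for VoIP, policing of a traffic class), written out for one of the two routers as an added Cisco IOS configuration example. This is not configuration from the book or from Cisco; the hostname, DLCI, addresses, VLAN, HSRP group, AS number, and rates are constructed placeholders, and the second router is assumed to carry the same configuration with its own addresses and the default HSRP priority of 100.

```cisco
! Added example, not from the book: one of the two medium-branch access routers.
! Both routers share the user VLAN; HSRP makes this router the active gateway
! and fails over when its Frame Relay PVC goes down.
! Hostname, DLCI, addresses, VLAN, group number and rates are constructed placeholders.
hostname BRANCH-R1
!
! --- QoS: guaranteed low-latency bandwidth for voice, policing for bulk traffic ---
class-map match-any VOICE
 match ip dscp ef
class-map match-any BULK
 match ip dscp af11
!
policy-map WAN-EDGE
 class VOICE
  priority percent 30
 class BULK
  police cir 256000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! --- Private WAN: Frame Relay point-to-point PVC to corporate HQ ---
interface Serial0/0/0
 description Frame Relay access circuit
 no ip address
 encapsulation frame-relay
 service-policy output WAN-EDGE
!
interface Serial0/0/0.100 point-to-point
 description PVC to corporate HQ
 ip address 10.255.1.2 255.255.255.252
 frame-relay interface-dlci 100
!
! --- Track the PVC so the HSRP priority drops when the WAN path fails ---
track 1 interface Serial0/0/0.100 line-protocol
!
! --- LAN: HSRP group shared with BRANCH-R2 (assumed to run priority 100) ---
interface GigabitEthernet0/1
 description Trunk to the access switch stack
 no ip address
!
interface GigabitEthernet0/1.10
 description Branch user VLAN
 encapsulation dot1Q 10
 ip address 10.20.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.20.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string REPLACE-ME
 standby 10 track 1 decrement 20
!
! --- Routing: EIGRP across the PVC; LAN interfaces stay passive ---
router eigrp 100
 network 10.20.10.0 0.0.0.255
 network 10.255.1.0 0.0.0.3
 passive-interface default
 no passive-interface Serial0/0/0.100
```

With priority 110 and a decrement of 20, losing the PVC drops this router to 90, below the peer's 100, so the peer preempts and becomes the gateway; the same tracking on the peer protects the other direction. HSRP authentication is set so that an unauthenticated device on the VLAN cannot join the group. GLBP, which the text mentions as the alternative, adds load sharing across both routers with the same kind of priority and tracking.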
[Figure 7-9: Medium Branch Design. Labels in the figure: Corporate HQ, WAN.]
Large Branch Design
The large branch design is the largest of the branch profiles, supporting between 100 and
1000 users. This design profile is similar to the medium branch design in that it also provides dual access routers in the WAN edge. In addition, dual Adaptive Security Appliances (ASA) are used for stateful firewall filtering, and dual distribution switches provide
the multilayer switching component. The WAN services use an MPLS deployment model
with dual WAN links into the WAN cloud.
Because there are dual routers, redundant network routing can be achieved through
EIGRP load balancing. On the distribution layer switches, first-hop redundancy protocols
such as HSRP/GLBP can be used to provide gateway redundancy. The dual ASA configuration allows for redundancy and stateful failover. QoS services such as shaping and policing can be applied to all the routers and switches as required.
To meet the requirements of the larger user base, a distribution layer of multilayer switches is added to aggregate the connected access switches. A multilayer switch provides the additional LAN switching capabilities to meet the port density requirements and allows flexibility to support additional network devices.
Two hardware options for this design are the Cisco Catalyst 3750/3750X with StackWise technology or a modular approach with a Cisco Catalyst 4500. The Cisco 3750/3750X series of switches provides good port density options and can even provide redundant power. The Cisco 4500 switch platform is a modular chassis-based switch that not only allows for flexibility by increasing port densities through additional modules but can also provide redundant power internally for the entire chassis when using dual power supplies. All of these switch models have PoE options available for both IEEE 802.3af (PoE) and IEEE 802.3at (PoE+). The Cisco Catalyst 4507 switch also supports dual supervisor capabilities for high-availability types of environments.
If Cisco Catalyst 3560 and 3750/3750X switches are used, additional Layer 2 security
features such as dynamic Address Resolution Protocol (ARP) inspection, Dynamic Host
Control Protocol (DHCP) snooping, and IP Source Guard can be used to provide additional security enhancements.
Figure 7-10 illustrates the large branch design using dual routers, ASAs, and distribution
switches.
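The Layer 2 security features named above for the Catalyst 3560 and 3750/3750X (DHCP snooping, dynamic ARP inspection, and IP Source Guard), together with the Rapid PVST+ recommendation made earlier for Layer 2 branch offices, as an added Cisco IOS configuration example for a large-branch access switch. This is not configuration from the book or from Cisco; the VLAN numbers, interface names, and rate limits are constructed placeholders.

```cisco
! Added example, not from the book: Catalyst 3560/3750 access-switch hardening
! for the large branch with DHCP snooping, Dynamic ARP Inspection (DAI) and
! IP Source Guard, plus Rapid PVST+ for loop-free redundancy.
! VLAN numbers, interface names and rate limits are constructed placeholders.
spanning-tree mode rapid-pvst
!
! DHCP snooping builds the IP-to-MAC binding table that DAI and IP Source
! Guard both consult; only the uplink toward the DHCP server is trusted.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! DAI drops ARP packets whose sender IP/MAC pair is not in the binding table;
! the extra validations also reject malformed or inconsistent ARP bodies.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Ports that exceed the rate limits are err-disabled and recover automatically.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
interface GigabitEthernet1/0/49
 description Uplink to distribution switch (DHCP server side, trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 48
 description User and IP phone access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
```

IP Source Guard (`ip verify source`) filters IP traffic on each untrusted port to the addresses in the snooping binding table, so a host with a statically configured address needs an explicit `ip source binding` entry or it will be cut off. `show ip dhcp snooping binding` and `show ip arp inspection statistics` are the places to look when a client loses connectivity after this is rolled out.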
[Figure 7-10: Large Branch Design. Labels in the figure: Corporate HQ, WAN.]
Enterprise Teleworker Design
At the remote edges of the network is another branch office known as enterprise teleworkers. Cisco developed a solution called Cisco Virtual Office Solution, which was designed with the enterprise teleworker in mind. As organizations continually try to reduce
costs and improve employee productivity, working from home is becoming an increasingly popular option for businesses and organizations. This approach allows employees to
manage their work schedules more effectively and increase their productivity. This also results in greater job satisfaction and flexibility in the work schedules. The work-from-home
teleworker is an extension of the enterprise and serves as the basis for the enterprise teleworker solution.
Enterprise teleworkers need to be differentiated from the occasional remote worker. The
full-time enterprise teleworker has more extensive application access and requirements
than the occasional remote worker. Occasionally, remote users connect to the corporate
network at a hotspot, but generally they do not have the same application demands of an
enterprise teleworker. Generally, enterprise teleworkers connect to a local ISP through a
cable or DSL connection in their residence.
The Cisco Virtual Office Solution for the Enterprise Teleworker is implemented using the
Cisco 800 series ISRs. Each ISR has integrated switch ports that then connect to the user’s
broadband connection. The solution uses a permanent always-on IPsec VPN tunnel back
to the corporate network. This architecture provides for centralized IT security management, corporate-pushed security policies, and integrated identity services. In addition,
this solution supports the enterprise teleworker needs through advanced applications such
as voice and video. For example, the enterprise teleworker can take advantage of toll bypass, voicemail, and advanced IP phone features not available in the PSTN.
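The permanent, always-on IPsec tunnel from the teleworker's 800 series ISR back to the corporate network, as an added Cisco IOS configuration example for the teleworker side. This is not configuration from the book or from Cisco's Virtual Office solution: it uses a static IPsec virtual tunnel interface with a pre-shared key as one assumed way to build the tunnel (the 880 also supports DMVPN and GET VPN, which are not shown), and the hostname, WAN port name, addresses (RFC 5737 documentation ranges), and key are constructed placeholders. The headend needs a matching configuration.

```cisco
! Added example, not from the book: always-on site-to-site IPsec tunnel from a
! Cisco 800-series teleworker ISR to the corporate headend, using a static
! virtual tunnel interface (VTI) so routing treats the VPN like a normal link.
! Addresses (RFC 5737 documentation ranges), key and interface names are
! constructed placeholders; the headend needs a matching configuration.
hostname TELEWORKER-ISR
!
! --- IKE phase 1 (AES-256, SHA, DH group 14) and IPsec phase 2 parameters ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CORP-VPN
 set transform-set TS-AES
!
! --- Broadband side: address assigned by the cable/DSL provider ---
interface FastEthernet4
 description WAN port to the home broadband modem (port name assumed)
 ip address dhcp
!
! --- The tunnel: sourced from the WAN port, terminated at the headend ---
interface Tunnel0
 description Always-on IPsec VTI to corporate HQ
 ip address 10.99.0.2 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CORP-VPN
!
! --- Teleworker LAN on the integrated switch ports ---
interface Vlan1
 description Home office LAN (IP phone and PC)
 ip address 10.90.1.1 255.255.255.0
!
! --- Routing: corporate prefixes through the tunnel, everything else direct ---
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 dhcp
```

Because the tunnel is a routed interface, the route to 10.0.0.0/8 keeps it up permanently rather than bringing it up per flow, and dead-peer detection (`crypto isakmp keepalive`) tears it down and rebuilds it if the headend becomes unreachable. `show crypto session` confirms the tunnel state from the teleworker side, and the headend is where the centralized security policy the text describes is enforced for all teleworker traffic.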
ISRs for Teleworkers
The Cisco 860 and 880 series offer integrated services at broadband speeds for small offices and enterprise teleworkers. Depending on the Cisco 800 series ISR selected, features include support for data, security, and wireless technologies.
Cisco 860 ISRs provide the following:
■ Broadband services for small office and teleworkers
■ Four-port 10/100 FE switch with VLAN support
■ Security: SPI firewall, IPsec VPN (3DES/AES)
■ Wireless 802.11g/n access point support
■ CON/AUX port or web-based management tools
Cisco 880 ISRs provide the following:
■ Broadband services for small office and teleworkers
■ WAN diversity: FE, DSL, 3G wireless, and ISDN
■ Four-port 10/100 FE switch with VLAN support; two ports allow for PoE
■ Security
  ■ SPI firewall with control for email, IM, and HTTP
  ■ IPsec VPN (3DES/AES), DMVPN, GET VPN, and Secure Sockets Layer (SSL) VPN
  ■ IPS (intrusion prevention system; inline deep-packet inspection)
  ■ Content filtering (category-based reputation rating, keyword/URL blocking)
■ Wireless 802.11g/n access point support (unified or autonomous)
■ CON/AUX port or web-based management tools
References and Recommended Readings
Services Ready Large Branch Network System Assurance Guide, www.cisco.com/en/US/docs/voice_ip_comm/cvd/G2srlgbrnt/G2srlgbrnt_Book.html.
Module 4, “Designing Remote Connectivity,” Designing for Cisco Internetwork Solution Course (DESGN) v2.1.
RFC 4301, Security Architecture for the Internet Protocol, www.ietf.org/rfc/rfc4301.
RFC 2406, IP Encapsulating Security Payload, www.ietf.org/rfc/rfc2406.txt.
RFC 2402, IP Authentication Header, www.ietf.org/rfc/rfc2402.txt.
What’s New on Cisco ISR G2? www.cisco.com/assets/prod/rt/isr/whats-new-isrg2.html.
Cisco Enhanced Power over Ethernet (PoE), www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/QA_Enhanced_Power_over_Ethernet.html.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 7-6 lists a reference of these key topics and the page numbers on which each is found.
Table 7-6 Key Topics

Key Topic Element   Description                                                              Page
List                The three major categories that represent traditional WANs               230
List                Typical remote-access requirements                                       232
List                Three VPN groups divided by application                                  232
List                WAN backup options                                                       240
List                Common factors that influence decisions for WAN architecture selection   241
List                Enterprise edge component considerations                                 245
List                Three ways access routers can connect the Layer 2 switch ports           250
Summary             Medium branch design                                                     250
Summary             Large branch design                                                      252
Summary             Enterprise teleworker design                                             254
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section for
this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables
Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
circuit switched, leased lines, packet and cell switched, hub-and-spoke (or star) topology,
partial-mesh topology, full-mesh topology, access VPN, intranet (site-to-site) VPN,
extranet VPN, IPsec, MPLS, Virtual Private LAN Services (VPLS), dial backup,
secondary WAN link, shadow PVC, small branch design, medium branch design,
large branch design
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. What type of WAN technology provides a dedicated connection from the service provider?
a. Circuit-switched data connection
b. Leased lines
c. Packet switched
d. Cell switched
2. What type of topology suffers from a single point of failure?
a. Hub-and-spoke topology
b. Full-mesh topology
c. Partial-mesh topology
d. None of the above
3. What kind of topology requires that each site be connected to every other site in the cloud?
a. Hub-and-spoke topology
b. Full-mesh topology
c. Partial-mesh topology
d. All of the above
4. Which two of the following best describe WAN backup over the Internet deployments?
a. Private WAN
b. Redundancy for primary WAN connection
c. VPLS
d. Best-effort performance
5. Which VPN application gives users connectivity over shared networks?
a. Intranet VPN
b. Extranet VPN
c. Access VPN
d. None of the above
6. What are three types of WAN topologies that can be used with Cisco enterprise architectures in the WAN?
a. Ring
b. Full mesh
c. Partial mesh
d. Hub and spoke
7. The service provider plays an active role in enterprise routing with what kind of VPNs?
a. VPDNs
b. Peer to peer
c. L2TP
d. L2F
8. Which backup option provides an additional virtual circuit for use if needed?
a. Secondary WAN link
b. Shadow PVC
c. Dial backup
d. Load sharing
9. Which WAN backup option uses load sharing in addition to providing backup services?
a. Dial backup
b. Shadow PVC
c. Secondary WAN link
d. ISDN with DDR
10. Which of the following best describes the difference between a small branch and a medium branch?
a. Small branches use dual external switches.
b. Medium branches use a single ASA firewall.
c. Small branches use a single ASA firewall.
d. Medium branches use external L2 switches.
11. How many users are supported in a large branch design?
a. Up to 50
b. Between 50 and 100
c. Between 100 and 1000
d. Between 200 and 5000
12. What two methods are used to enable private networks over public networks?
a. IPsec
b. PKI
c. GRE
d. PSTN
13. What is not a factor for WAN architecture selection?
a. Ease of management
b. Ongoing expenses
c. Spanning-tree inconsistencies
d. High availability
14. Which Layer 3 tunneling technique enables basic IP VPNs without encryption?
a. GRE
b. IPsec
c. IPsec
d. IKE
15. Which of the following is not a recommended approach for designing WANs?
a. Analyze customer requirements
b. Characterize the existing network
c. Design the new WAN
d. Implement new WAN
16. What MAN/WAN architecture uses the Internet with site-to-site VPNs?
a. Private WAN
b. ISP service
c. SP MPLS/IP VPN
d. Private WAN with self-deployed MPLS
17. Which WAN backup method does not use the Internet as a transport?
a. IPsec tunnel
b. GRE tunnel
c. Shadow PVC
d. GET VPN
18. What branch design uses ASA firewalls? Select all that apply.
a. Small branch
b. Medium branch
c. Large branch
d. Secure branch
19. What WAN/MAN architecture is usually reserved for large enterprises that are willing to make substantial investments in equipment and training?
a. Private WAN
b. Private WAN with self-deployed MPLS
c. ISP service
d. SP MPLS/IP VPN
20. Match each branch profile design with its description.
a. Small branch
b. Medium branch
c. Large branch
d. Enterprise teleworker
i. Single access router
ii. Cable modem router
iii. Pair of access routers
iv. Pair of firewalls
CCDA exam topics covered in this part:
■ Describe IPv4 addressing
■ Describe IPv6 addressing
■ Identify routing protocol considerations in an enterprise network
■ Design a routing protocol deployment
Part III: The Internet Protocol and
Routing Protocols
Chapter 8: Internet Protocol Version 4
Chapter 9: Internet Protocol Version 6
Chapter 10: Routing Protocol Characteristics, RIP, and EIGRP
Chapter 11: OSPF, BGP, Route Manipulation, and IP Multicast
This chapter covers the following subjects:
■ IPv4 Header
■ IPv4 Addressing
■ IP Address Subnets
■ Address Assignment and Name Resolution
CHAPTER 8
Internet Protocol Version 4
This chapter reviews Internet Protocol Version 4 (IPv4) address structures and IPv4 address types. IPv4 is the version of the protocol that the Internet has used since the initial
allocation of IPv4 addresses in 1981. The size of the enterprise indicated the address class
that was allocated. This chapter covers the IPv4 header to give you an understanding of
IPv4 characteristics. The mid-1990s saw the implementation of classless interdomain routing (CIDR), Network Address Translation (NAT), and private address space to prevent the
apparent exhaustion of IPv4 address space. Companies implement variable-length subnet
masks (VLSM) in their networks to provide intelligent address assignment and summarization. Separate IP subnets are used for IP phones and wireless LANs to segregate this traffic from data traffic. The CCDA needs to understand all these concepts to design IPv4
addressing for a network.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 8-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 8-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section                  Questions Covered in This Section
IPv4 Header                                4, 10
IPv4 Addressing                            1, 5, 9
IPv4 Address Subnets                       2, 3, 6, 7
Address Assignment and Name Resolution     8
1. Which of the following addresses is an IPv4 private address?
a. 198.176.1.1
b. 172.31.16.1
c. 191.168.1.1
d. 224.130.1.1
2. How many IP addresses are available for hosts in the subnet 198.10.100.64/27?
a. 14
b. 30
c. 62
d. 126
3. What subnet mask should you use in loopback addresses?
a. 255.255.255.252
b. 255.255.255.254
c. 255.255.255.0
d. 255.255.255.255
4. In what IPv4 field are the precedence bits located?
a. Priority field
b. IP Protocol field
c. Type of Service field
d. IP Options field
5. What type of address is 225.10.1.1?
a. Unicast
b. Multicast
c. Broadcast
d. Anycast
6. Which subnetworks are summarized by the following summary route: 150.10.192.0/21?
a. 150.10.192.0/24, 150.10.193.0/24
b. 150.10.192.0/22, 150.10.196.0/23, 150.10.197.0/24
c. 150.10.192.0/22, 150.10.199.0/22
d. 150.10.192.0/23, 150.10.194.0/23, 150.10.196.0/23, 150.10.197.0/24, 150.10.198.0/24
7. What type of network and subnet mask would you use to save address space in a point-to-point WAN link?
a. 100.100.10.16/26
b. 100.100.10.16/28
c. 100.100.10.16/29
d. 100.100.10.16/30
8. What is DHCP?
a. Dynamic Host Control Protocol
b. Dedicated Host Configuration Protocol
c. Dynamic Host Configuration Protocol
d. Predecessor to BOOTP
9. A company needs to use public IP addresses so that four network servers are accessible from the Internet. What technology is used to meet this requirement?
a. DNS
b. IPsec
c. Static NAT
d. Dynamic NAT
10. The DS field of DSCP is capable of how many codepoints?
a. 8
b. 32
c. 64
d. 128
Foundation Topics
This chapter reviews IPv4 headers, address classes, and assignment methods.
IP is the network layer protocol in TCP/IP. It contains logical addressing and information
for routing packets throughout the internetwork. IP is described in RFC 791, which was
prepared for the Defense Advanced Research Projects Agency (DARPA) in September 1981.
IP provides for the transmission of blocks of data, called datagrams or packets, from a
source to a destination. The sources and destinations are identified by 32-bit IP addresses.
The source and destination devices are workstations, servers, printers, and routers. The
CCDA candidate must understand IPv4 logical address classes and assignment. The IPv4
protocol also provides for the fragmentation and reassembly of large packets for transport
over networks with small maximum transmission units (MTU). The CCDA candidate must
have a good understanding of this packet fragmentation and reassembly.
Appendix C, “OSI Model, TCP/IP Architecture, and Numeric Conversion,” provides an
overview of the TCP/IP architecture and how it compares with the OSI model. It also reviews binary numbers and numeric conversion (to decimal), which is a skill needed to understand IP addresses and subnetting.
IPv4 Header
The best way to understand IPv4 is to know the IPv4 header and all its fields. Segments
from TCP or the User Datagram Protocol (UDP) are passed on to IP for processing. The IP
header is appended to the TCP or UDP segment. The TCP or UDP segment then becomes
the IP data. The IPv4 header is 20 bytes in length when it uses no optional fields. The IP
header includes the addresses of the sending host and destination host. It also includes the
upper-layer protocol, a field for prioritization, and a field for fragmentation. Figure 8-1
shows the IP header format.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  IP Options Field             |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8-1 IP Header
The following is a description of each field in the IP header:
■ Version: This field is 4 bits in length. It indicates the IP header’s format, based on the version number. It is set to 0100 for IPv4.
■ IHL (Internet Header Length): This field is 4 bits in length. It indicates the length of the header in 32-bit words (4 bytes) so that the beginning of the data can be found in the IP header. The minimum value for a valid header (five 32-bit words) is 5 (0101).
■ ToS (Type of Service): This field is 8 bits in length. Quality of service (QoS) parameters such as IP precedence or DSCP are found in this field. These are explained further in this chapter.
■ Total Length: This field is 16 bits in length. It represents the length of the datagram or packet in bytes, including the header and data. The maximum length of an IP packet can be 2^16 – 1 = 65,535 bytes. Routers use this field to determine whether fragmentation is necessary by comparing the total length with the outgoing MTU.
■ Identification: This field is 16 bits in length. It identifies fragments for reassembly.
■ Flags: This field is 3 bits in length. It indicates whether the packet can be fragmented and whether more fragments follow. Bit 0 is reserved and set to 0. Bit 1 indicates May Fragment (0) or Do Not Fragment (1). Bit 2 indicates Last Fragment (0) or More Fragments to Follow (1).
■ Fragment Offset: This field is 13 bits in length. It indicates (in bytes) where in the packet this fragment belongs. The first fragment has an offset of 0.
■ Time to Live: This field is 8 bits in length. It indicates the maximum time the packet is to remain on the network. Each router decrements this field by 1 for loop avoidance. If this field is 0, the packet must be discarded. This scheme permits routers to discard undeliverable packets.
■ Protocol: This field is 8 bits in length. It indicates the upper-layer protocol. The Internet Assigned Numbers Authority (IANA) is responsible for assigning IP protocol values. Table 8-2 shows some key protocol numbers. You can find a full list at www.iana.org/assignments/protocol-numbers.
Table 8-2 IP Protocol Numbers

Protocol Number   Protocol
1                 Internet Control Message Protocol (ICMP)
2                 Internet Group Management Protocol (IGMP)
6                 Transmission Control Protocol (TCP)
17                User Datagram Protocol (UDP)
41                IPv6 encapsulation
50                Encapsulating Security Payload (ESP)
51                Authentication Header (AH)
58                ICMPv6
88                Enhanced Interior Gateway Routing Protocol (EIGRP)
89                Open Shortest Path First (OSPF)
103               Protocol-Independent Multicast (PIM)
112               Virtual Router Redundancy Protocol (VRRP)
■ Header Checksum: This field is 16 bits in length. The checksum does not include the data portion of the packet in the calculation. The checksum is recomputed and verified at each point the IP header is processed.
■ Source Address: This field is 32 bits in length. It is the sender’s IP address.
■ Destination Address: This field is 32 bits in length. It is the receiver’s IP address.
■ IP Options: This field is variable in length. The options provide for control functions that are useful in some situations but unnecessary for the most common communications. Specific options are security, loose source routing, strict source routing, record route, and timestamp.
■ Padding: This field is variable in length. It ensures that the IP header ends on a 32-bit boundary.
Table 8-3 summarizes the fields of the IP header.

Table 8-3 IPv4 Header Fields

Field                 Length     Description
Version               4 bits     Indicates the IP header’s format, based on the version number. Set to 0100 for IPv4.
IHL                   4 bits     Length of the header in 32-bit words.
ToS                   8 bits     QoS parameters.
Total Length          16 bits    Length of the packet in bytes, including header and data.
Identification        16 bits    Identifies a fragment.
Flags                 3 bits     Indicates whether a packet is fragmented and whether more fragments follow.
Fragment Offset       13 bits    Location of the fragment in the total packet.
Time to Live          8 bits     Decremented by 1 by each router. When this is 0, the router discards the packet.
Protocol              8 bits     Indicates the upper-layer protocol.
Header Checksum       16 bits    Checksum of the IP header; does not include the data portion.
Source Address        32 bits    IP address of the sending host.
Destination Address   32 bits    IP address of the destination host.
IP Options            Variable   Options for security, loose source routing, record route, and timestamp.
Padding               Variable   Added to ensure that the header ends on a 32-bit boundary.
ToS
The ToS field of the IP header is used to specify QoS parameters. Routers and Layer 3
switches look at the ToS field to apply policies, such as priority, to IP packets based on the
markings. An example is a router prioritizing time-sensitive IP packets over regular data
traffic like web or email, which are not time-sensitive.
The ToS field has undergone several definitions since RFC 791. Figure 8-2 shows the several formats of the ToS service field based on the evolution of RFCs 791 (1981), 1349
(1992), 2474 (1998), and 3168 (2001). The following paragraphs describe this evolution.
Bit               0    1    2    3    4    5    6    7
RFC 791 (1981)    IP precedence  ToS            0    0
RFC 1349 (1992)   IP precedence  ToS                 0
RFC 2474 (1998)   DSCP                           0    0
RFC 3168 (2001)   DSCP                           ECN
Figure 8-2 Evolution of the IPv4 ToS Field
The first 3 (leftmost) bits are the IP precedence bits. These bits define values that are used
by QoS methods. The precedence bits especially help in marking packets to give them differentiated treatment with different priorities. For example, Voice over IP (VoIP) packets
can get preferential treatment over regular data packets. RFC 791 describes the precedence bits as shown in Table 8-4.
Table 8-4 IP Precedence Bit Values

Decimal   Binary   Description
0         000      Routine
1         001      Priority
2         010      Immediate
3         011      Flash
4         100      Flash override
5         101      Critical
6         110      Internetwork control
7         111      Network control
All default traffic is set with 000 in the precedence bits. Voice traffic is usually set to 101 (critical) to give it priority over normal traffic. Applications such as FTP are assigned a normal priority because they tolerate network latency and packet loss. Packet retransmissions are typically acceptable for normal traffic.
Note: It is common to see voice traffic classified as IP precedence 5, video traffic classified as IP precedence 4, and voice and video signaling classified as IP precedence 3. Default traffic remains as IP precedence 0.
RFC 1349 redefined bits 3 through 6 (expanding the ToS bits) to reflect a desired type of service optimization. Table 8-5 shows the ToS field values that indicate service parameters to use for IP packets.
Table 8-5 ToS Field Values

ToS Bits 3 to 6   Description
0000              Normal service
1000              Minimize delay
0100              Maximize throughput
0010              Maximize reliability
0001              Minimize monetary cost
In 1998, RFC 2474 redefined the ToS octet as the Differentiated Services (DS) field and further specified bits 0 through 5 as the Differentiated Services Codepoint (DSCP) bits to be used for packet marking. RFC 3168 (2001) added the definition of an Explicit Congestion Notification (ECN) field in bits 6 and 7.
The DS field takes the form shown in Figure 8-2. The DS field provides more granular levels of packet classification by using 6 bits for packet marking. DS has 2^6 = 64 levels of classification, which is significantly higher than the 8 levels of the IP precedence bits. These 64 levels are called codepoints, and they have been defined to be backward compatible with IP precedence values. RFC 2474 defines three sets of PHBs: Class Selector (CS), Assured Forwarding (AF), and Expedited Forwarding (EF). The CS PHB set is for DSCP values that are compatible with IP precedence bits. The AF PHB set is used for queuing and congestion avoidance. The EF PHB set is used for premium service. The CS per-hop behaviors (PHB), in the form of xxx000, make it backward compatible with IP precedence.
The network designer uses DSCP to give priority to IP packets using Cisco routers. Routers should be configured to map these codepoints to PHBs with queuing or other bandwidth-management techniques. Table 8-6 compares DSCP and IP precedence values used to assign priority and apply policies to IP packets.
Table 8-6 DSCP and IP Precedence Values

IP Precedence                                DSCP
Service Type           Decimal   Binary      Class                             Decimal   Codepoint
Routine                0         000         Best effort                       0         000xxx
Priority               1         001         Assured Forwarding (AF) Class 1   8         001xxx
Immediate              2         010         AF Class 2                        16        010xxx
Flash                  3         011         AF Class 3                        24        011xxx
Flash override         4         100         AF Class 4                        32        100xxx
Critical               5         101         Expedited Forwarding (EF)         40        101xxx
Internetwork control   6         110         Control                           48        110xxx
Network control        7         111         Control                           56        111xxx
RFC 2597 defines recommended values for AF codepoints with low, medium, and high packet-drop precedence. Table 8-7 shows the recommended AF codepoint values.

Table 8-7 DSCP AF Packet-Drop Precedence Values

Precedence               AF Class 1   AF Class 2   AF Class 3   AF Class 4
Low drop precedence      001010       010010       011010       100010
Medium drop precedence   001100       010100       011100       100100
High drop precedence     001110       010110       011110       100110
RFC 2598 defines the EF PHB for low-loss, low-latency, and assured-bandwidth types of traffic. This is considered a premium service. Traffic such as VoIP is classified as EF. The codepoint for EF is 101110, which corresponds to a DSCP value of 46.
When you are configuring Cisco routers, the following options are preconfigured and summarize the defined values for DSCP. Table 8-8 shows the IP DSCP values predefined on Cisco routers.
Table 8-8 IP DSCP Values

DSCP Class   Codepoint Value
Default      000000
CS1          001000
AF11         001010
AF12         001100
AF13         001110
CS2          010000
AF21         010010
AF22         010100
AF23         010110
CS3          011000
AF31         011010
AF32         011100
AF33         011110
CS4          100000
AF41         100010
AF42         100100
AF43         100110
CS5          101000
EF           101110
CS6          110000
CS7          111000
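To make the header layout of Figure 8-1 and the ToS decoding of Tables 8-4 through 8-8 concrete, here is an added example that is not code from the book or from Cisco. It packs the fixed 20-byte IPv4 header with a correct RFC 791 checksum, parses it back, rejects a corrupted header the way a router would, and decodes the ToS octet both as the old 3-bit IP precedence and as DSCP plus ECN, naming the per-hop behavior (CS, AF, EF) from the codepoint. The addresses and the EF-marked voice packet used at the bottom are constructed sample values.

```python
import struct

# Added example, not from the book: build and parse the 20-byte IPv4 header of
# Figure 8-1, verify the header checksum, and decode the ToS/DS octet into
# IP precedence (Table 8-4), DSCP and per-hop behavior names (Tables 8-6 to 8-8).

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed header without options, network byte order

PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash",
                    "Flash override", "Critical", "Internetwork control",
                    "Network control"]                               # Table 8-4


def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of all
    16-bit words. Over a valid header (checksum field included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP to the class name used in Table 8-8."""
    if dscp == 0:
        return "Default"
    if dscp == 0b101110:                     # RFC 2598 Expedited Forwarding (46)
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:                             # xxx000: class selector, same as precedence
        return "CS%d" % cls
    if 1 <= cls <= 4 and low in (0b010, 0b100, 0b110):   # RFC 2597 AFxy
        return "AF%d%d" % (cls, low >> 1)    # y = drop precedence: 1 low .. 3 high
    return "unassigned"


def decode_tos(tos: int) -> dict:
    """Read the ToS octet the RFC 791 way (3 precedence bits) and the
    RFC 2474/3168 way (6 DSCP bits followed by 2 ECN bits)."""
    return {"precedence": tos >> 5,
            "precedence_name": PRECEDENCE_NAMES[tos >> 5],
            "dscp": tos >> 2,
            "phb": phb_name(tos >> 2),
            "ecn": tos & 0b11}


def build_ipv4_header(src: str, dst: str, tos: int = 0, proto: int = 17,
                      payload_len: int = 0, ident: int = 1, ttl: int = 64,
                      df: bool = False) -> bytes:
    """Pack a header with a correct checksum (Version 4, IHL 5, no options)."""
    flags_frag = 0x4000 if df else 0         # Flags bit 1 = Do Not Fragment
    fields = [0x45, tos, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              bytes(int(o) for o in src.split(".")),
              bytes(int(o) for o in dst.split("."))]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(raw: bytes) -> dict:
    """Parse the fixed header; raise ValueError on anything a router would drop."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    if len(raw) < ihl * 4:
        raise ValueError("header shorter than IHL claims")
    if ip_checksum(raw[:ihl * 4]) != 0:      # recomputed at every hop
        raise ValueError("bad header checksum")
    return {"version": version, "header_length": ihl * 4,
            "tos": decode_tos(tos), "total_length": total_len,
            "identification": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst)}


if __name__ == "__main__":
    # constructed sample: a UDP voice packet marked EF (DSCP 46, ToS 0xB8)
    hdr = build_ipv4_header("10.1.1.10", "10.2.2.20", tos=0xB8, proto=17,
                            payload_len=160, ident=0x1234)
    print(parse_ipv4_header(hdr))
```

Because the checksum covers only the header, a single flipped byte in the TTL or the addresses is caught by the receiver, while corruption in the payload is left to the transport layer; that is the practical meaning of the "does not include the data portion" note in Table 8-3.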
IPv4 Fragmentation
One key characteristic of IPv4 is fragmentation and reassembly. Although the maximum length of an IP packet is 65,535 bytes, most of the common lower-layer protocols do not support such large MTUs. For example, the MTU for Ethernet is approximately 1518 bytes.
When the IP layer receives a packet to send, it first queries the outgoing interface to get its
MTU. If the packet’s size is greater than the interface’s MTU, the layer fragments the packet.
When a packet is fragmented, it is not reassembled until it reaches the destination IP layer.
The destination IP layer performs the reassembly. Any router in the path can fragment a
packet, and any router in the path can fragment a fragmented packet again. Each fragmented packet receives its own IP header and is routed independently from other packets.
Routers and Layer 3 switches in the path do not reassemble the fragments. The destination
host performs the reassembly and places the fragments in the correct order by looking at
the identification and fragment offset fields.
If one or more fragments are lost, the entire packet must be retransmitted. Retransmission
is the responsibility of the higher-layer protocol (such as TCP). Also, you can set the Flags
field in the IP header to “Do Not Fragment” the packet. If the field indicates Do Not Fragment, the packet is discarded if the outgoing MTU is smaller than the packet.
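The fragmentation and reassembly just described, as an added example that is not code from the book. Only the Identification, Flags and Fragment Offset fields are modelled, not the full header. One detail beyond the text: on the wire the Fragment Offset field counts units of 8 bytes, so every non-final fragment carries a payload that is a multiple of 8 bytes. The reassembly side rejects missing and overlapping fragments instead of guessing, which is what a hardened host or firewall should do, and a router with Do Not Fragment set discards rather than fragments. The 2560-byte payload and the MTU values are constructed.

```python
from dataclasses import dataclass

# Added example, not from the book: fragment an IPv4 datagram to fit an
# outgoing MTU, re-fragment a fragment at a later hop, and reassemble at the
# destination using the Identification, Flags and Fragment Offset fields.

HEADER_LEN = 20           # IPv4 header without options (Figure 8-1)
MF = 0b001                # Flags bit 2: More Fragments to Follow
DF = 0b010                # Flags bit 1: Do Not Fragment


@dataclass
class Fragment:
    ident: int            # Identification, shared by all fragments of one datagram
    flags: int
    offset_units: int     # Fragment Offset as carried on the wire: units of 8 bytes
    payload: bytes

    @property
    def offset(self) -> int:
        return self.offset_units * 8


def fragment(ident: int, payload: bytes, mtu: int, df: bool = False,
             base_units: int = 0, more_follow: bool = False) -> list:
    """Split payload so every fragment fits the MTU. base_units/more_follow let
    a router re-fragment an existing fragment without losing its place."""
    df_bit = DF if df else 0
    if HEADER_LEN + len(payload) <= mtu:
        return [Fragment(ident, df_bit | (MF if more_follow else 0), base_units, payload)]
    if df:
        # Do Not Fragment is set and the packet is larger than the MTU: discard it.
        raise ValueError("packet exceeds MTU and DF is set; packet discarded")
    max_payload = (mtu - HEADER_LEN) // 8 * 8     # non-last fragments: 8-byte multiples
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        last = off + len(chunk) >= len(payload)
        flags = 0 if (last and not more_follow) else MF
        frags.append(Fragment(ident, flags, base_units + off // 8, chunk))
    return frags


def refragment(frag: Fragment, mtu: int) -> list:
    """What a downstream router with a smaller MTU does to one fragment."""
    return fragment(frag.ident, frag.payload, mtu, df=bool(frag.flags & DF),
                    base_units=frag.offset_units, more_follow=bool(frag.flags & MF))


def reassemble(frags: list) -> bytes:
    """Destination-host reassembly. Fragments may arrive in any order. Gaps
    (lost fragments) and overlaps (malformed or ambiguous fragments) are
    rejected rather than guessed at."""
    if not frags:
        raise ValueError("no fragments")
    ident = frags[0].ident
    ordered = sorted((f for f in frags if f.ident == ident), key=lambda f: f.offset)
    expected, total = 0, None
    for f in ordered:
        if f.offset < expected:
            raise ValueError("overlapping fragment at byte offset %d" % f.offset)
        if f.offset > expected:
            raise ValueError("fragment missing at byte offset %d; the higher layer "
                             "(for example TCP) must retransmit the whole packet" % expected)
        expected = f.offset + len(f.payload)
        if not f.flags & MF:
            total = expected                  # the last fragment fixes the datagram size
    if total is None or total != expected:
        raise ValueError("last fragment not received")
    return b"".join(f.payload for f in ordered)


if __name__ == "__main__":
    data = bytes(range(256)) * 10             # constructed 2560-byte payload
    on_wire = fragment(0x1234, data, 1500)    # Ethernet-sized first hop
    on_wire = refragment(on_wire[0], 576) + on_wire[1:]   # a smaller-MTU hop later
    for f in on_wire:
        print("id=%#x offset=%5d bytes MF=%d len=%d" % (f.ident, f.offset, f.flags & MF, len(f.payload)))
    assert reassemble(on_wire) == data
```

The fragments are routed independently, so the receiver must tolerate any arrival order; sorting by offset before checking contiguity is what makes the missing-fragment and overlap checks simple.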
IPv4 Addressing
This section covers the IPv4 address classes, private addressing, and NAT. The IPv4 address
space was initially divided into five classes. Each IP address class is identified by the initial
bits of the address. Classes A, B, and C are unicast IP addresses, meaning that the destination is a single host. IP Class D addresses are multicast addresses, which are sent to multiple hosts. IP Class E addresses are reserved. Private addresses are selected address ranges
that are reserved for use by companies in their private networks. These private addresses
are not routed in the Internet. NAT translates between private and public addresses.
An IP address is a unique logical number assigned to a network device or interface. An IP address is 32 bits in length. To make the number easier to read, the dotted-decimal format is used. The bits are combined into four 8-bit groups, each converted into a decimal number (for example, 10.1.1.1). If you are not familiar with binary numbers, Appendix C contains a review of binary and hexadecimal number manipulation.
The following example shows an IP address in binary and decimal formats:
Binary IP address: 01101110 00110010 11110010 00001010
Convert each byte into decimal.
For the first octet:
  0    1    1    0    1    1    1    0
  0  +64  +32   +0   +8   +4   +2   +0 = 110
  01101110 = 110
For the second octet:
  0    0    1    1    0    0    1    0
  0   +0  +32  +16   +0   +0   +2   +0 = 50
  00110010 = 50
For the third octet:
  1    1    1    1    0    0    1    0
128  +64  +32  +16   +0   +0   +2   +0 = 242
  11110010 = 242
For the fourth octet:
  0    0    0    0    1    0    1    0
  0   +0   +0   +0   +8   +0   +2   +0 = 10
  00001010 = 10
The IP address is 110.50.242.10.
IPv4 Address Classes
IPv4 addresses have five classes: A, B, C, D, and E. In classful addressing, the most significant bits of the first byte determine the address class of the IP address. Table 8-9 shows
the high-order bits of each IP address class.
Table 8-9 High-Order Bits of IPv4 Address Classes

Address Class   High-Order Bits
A               0xxxxxxx
B               10xxxxxx
C               110xxxxx
D               1110xxxx
E               1111xxxx
*x can be either 1 or 0, regardless of the address class.
Again, the IPv4 Class A, B, and C addresses are unicast addresses. Unicast addresses represent a single destination. Class D is for multicast addresses. Packets sent to a multicast address are sent to a group of hosts. Class E addresses are reserved for experimental use.
IANA allocates the IPv4 address space. IANA delegates regional assignments to Regional Internet Registries (RIR). The five RIRs are
■ ARIN (American Registry for Internet Numbers)
■ RIPE NCC (Reseaux IP Europeens Network Control Center)
■ APNIC (Asia Pacific Network Information Center)
■ LACNIC (Latin America and Caribbean Network Information Center)
■ AfriNIC (African Network Information Centre)
Updates to the IPv4 address space can be found at www.iana.org/assignments/ipv4-address-space.
The following sections discuss each of these classes in detail.
Class A Addresses
Class A addresses range from 0 (00000000) to 127 (01111111) in the first byte. Network
numbers available for assignment to organizations are from 1.0.0.0 to 126.0.0.0. Networks 0
and 127 are reserved. For example, 127.0.0.1 is reserved for local host or host loopback. A
packet sent to a local host address is sent to the local machine.
By default, for Class A addresses, the first byte is the network number, and the three remaining bytes are the host number. The format is N.H.H.H, where N is the network part and H is the host part. With 24 bits available, there are 2^24 – 2 = 16,777,214 IP addresses for host assignment per Class A network. We subtract two for the network number (all 0s) and the broadcast address (all 1s). A network with this many hosts will surely not work, with so many hosts attempting to broadcast on the network. This section discusses subnetting later as a method of defining smaller networks within a larger network address.
Class B Addresses
Class B addresses range from 128 (10000000) to 191 (10111111) in the first byte.
Network numbers assigned to companies or other organizations are from 128.0.0.0 to
191.255.0.0. This section discusses the 16 networks reserved for private use later.
By default, for Class B addresses, the first two bytes are the network number, and the remaining two bytes are the host number. The format is N.N.H.H. With 16 bits available, there are 2^16 – 2 = 65,534 IP addresses for host assignment per Class B network. As with Class A addresses, having a segment with more than 65,000 hosts broadcasting will surely not work; you resolve this issue with subnetting.
Class C Addresses
Class C addresses range from 192 (11000000) to 223 (11011111) in the first byte. Network numbers assigned to companies are from 192.0.0.0 to 223.255.255.0. The format is N.N.N.H. With 8 bits available, there are 2^8 – 2 = 254 IP addresses for host assignment per Class C network. H = 0 is the network number; H = 255 is the broadcast address.
Class D Addresses
Class D addresses range from 224 (11100000) to 239 (11101111) in the first byte. Network numbers assigned to multicast groups range from 224.0.0.1 to 239.255.255.255.
These addresses do not have a host or network part. Some multicast addresses are already
assigned; for example, 224.0.0.10 is used by routers running EIGRP. You can find a full list
of assigned multicast addresses at www.iana.org/assignments/multicast-addresses.
Class E Addresses
Class E addresses range from 240 (11110000) to 254 (11111110) in the first byte. These
addresses are reserved for experimental networks. Network 255 is reserved for the broadcast address, such as 255.255.255.255. Table 8-10 summarizes the IPv4 address classes.
Again, each address class can be uniquely identified in binary by the high-order bits.
Table 8-10 IPv4 Address Classes

Address Class   High-Order Bits   Network Numbers
A               0xxxxxxx          1.0.0.0 to 126.0.0.0*
B               10xxxxxx          128.0.0.0 to 191.255.0.0
C               110xxxxx          192.0.0.0 to 223.255.255.0
D               1110xxxx          224.0.0.1 to 239.255.255.255
E               1111xxxx          240.0.0.0 to 254.255.255.255
* Networks 0.0.0.0 and 127.0.0.0 are reserved as special-use addresses.
IPv4 Address Types
IPv4 addresses can also be classified in one of three types:
■ Unicast
■ Broadcast
■ Multicast
A unicast address represents a single interface of a host (PC, router, server). It can be a source or destination IP address. A broadcast address is a destination IP address that is set to all other devices in a given address range; normally it is sent to all devices in the IP subnet. A multicast address is a destination IP address sent to a specific set of hosts. Table 8-11 summarizes IPv4 address types.

Table 8-11 IPv4 Address Types

IPv4 Address Type   Description
Unicast             The IP address of an interface on a single host. It can be a source or destination address.
Broadcast           An IP address that reaches all hosts in an address range. It is only a destination address.
Multicast           An IP address that reaches a group of hosts. It is only a destination address.
IPv4 Private Addresses
Some network numbers within the IPv4 address space are reserved for private use. These
numbers are not routed on the Internet. Many organizations today use private addresses
in their internal networks with NAT to access the Internet. (NAT is covered later in this
chapter.) Private addresses are explained in RFC 1918, Address Allocation for Private Internets, published in 1996. Private addresses were one of the first steps dealing with the
concern that the globally unique IPv4 address space would become exhausted. The availability of private addresses combined with NAT reduces the need for organizations to
carefully define subnets to minimize the waste of assigned, public, global IP addresses.
The IP network address space reserved for private internets is 10/8, 172.16/12, and
192.168/16. It includes one Class A network, 16 Class B networks, and 256 Class C networks. Table 8-12 summarizes private address space. Large organizations can use network
10.0.0.0/8 to assign address space throughout the enterprise. Midsize organizations can
use one of the Class B private networks 172.16.0.0/16 through 172.31.0.0/16 for IP addresses. The smaller Class C addresses, which begin with 192.168, support only up to 254
hosts each.
Table 8-12 IPv4 Private Address Space

Class Type   Start Address   End Address
Class A      10.0.0.0        10.255.255.255
Class B      172.16.0.0      172.31.255.255
Class C      192.168.0.0     192.168.255.255
NAT
NAT devices convert internal IP address space into globally unique IP addresses. NAT was
originally specified by RFC 1631; the current specification is RFC 3022. Companies use
NAT to translate internal private addresses to public addresses and vice versa.
The translation can be from many private addresses to a single public address or from
many private addresses to a range of public addresses. When NAT performs many-to-one,
the process is called Port Address Translation (PAT) because different port numbers identify translations.
As shown in Figure 8-3, the source addresses for outgoing IP packets are converted to
globally unique IP addresses. The conversion can be configured statically, or it can dynamically use a global pool of addresses.
NAT has several forms:
■ Static NAT: Maps an unregistered or private IP address to a registered IP address; it is configured manually. It is commonly used to assign a network device with an internal private IP address a unique public address so that it can be accessed from the Internet.
■ Dynamic NAT: Dynamically maps an unregistered or private IP address to a registered IP address from a pool (group) of registered addresses. The two subsets of dynamic NAT are overloading and overlapping:
  ■ Overloading: Maps multiple unregistered or private IP addresses to a single registered IP address by using different ports. This is also known as PAT, single-address NAT, or port-level multiplexed NAT.
  ■ Overlapping: Maps registered internal IP addresses to outside registered IP addresses. It can also map external addresses to internal registered addresses.
Figure 8-3 Network Address Translation. The NAT router connects the inside network on its inside interface (ethernet 0) to the public network on its outside interface (Serial 0). Inside local addresses: 192.168.10.0/24 and 192.168.11.0/24. Inside global address pool: 200.100.100.1 to 200.100.100.254.
When designing for NAT, you should understand the following terminology:
■ Stub domain: The internal network that might be using private IP addresses.
■ Public network: Outside the stub domain, it resides in the Internet. Addresses in the public network can be reached from the Internet.
■ Inside local address: The real IP address of the device that resides in the internal network. This address is used in the stub domain.
■ Inside global address: The translated IP address of the device that resides in the internal network. This address is used in the public network.
■ Outside global address: The real IP address of a device that resides in the Internet, outside the stub domain.
■ Outside local address: The translated IP address of the device that resides in the Internet. This address is used inside the stub domain.
Figure 8-4 illustrates the terms described in the list. The real IP address of the host in the
stub network is 192.168.10.100; it is the inside local address. The NAT router translates the
inside local address into the inside global address (200.100.10.100). Hosts located in the Internet have their real IP address (outside global address) translated; in the example,
30.100.2.50 is translated into the outside local address of 192.168.100.50.
Private and Public IP Address and NAT Guidelines
Use public IP addresses on external-facing devices that require connectivity to the Internet and external organizations. Examples include
■ E-commerce module
■ Remote-access and virtual private network (VPN) module, where public IP addresses are used for selected connections
Figure 8-4 Terminology Example. Host in the stub network: inside local address 192.168.10.100, translated by the NAT router to the inside global address 200.100.10.100. Host in the public network: outside global address 30.100.2.50, translated to the outside local address 192.168.100.50.
Use private IP addresses throughout the internal enterprise network.
Use NAT and PAT as needed to translate between private internal IP addresses to public
external addresses.
Use one private address to one public address NAT when servers on the internal network
need to be visible from the public network. In firewalls, this is a “static” NAT configuration.
Use PAT for many private to one public address translation for end systems that need to
access the public network.
Table 8-13 provides examples of where public or private IP addresses should be used in
the Cisco network architecture.
Table 8-13 Public Versus Private IP Addresses

Network Location                                            Public or Private Address
E-commerce module                                           Public
Intranet website                                            Private
External DNS servers                                        Public
Remote-access/VPN module                                    Public
Inside global address                                       Public
Real IP address of WWW server located in internal network   Private
Table 8-14 summarizes NAT concepts.

Table 8-14 NAT Concepts

NAT Address Type         Description
Static NAT               Commonly used to assign a network device with an internal private IP address a unique public address so that it can be accessed from the Internet.
Dynamic NAT              Dynamically maps an unregistered or private IP address to a registered IP address from a pool (group) of registered addresses.
PAT                      Maps multiple unregistered or private IP addresses to a single registered IP address by using different ports.
Inside local address     The real IP address of the device that resides in the internal network. This address is used in the stub domain.
Inside global address    The translated IP address of the device that resides in the internal network. This address is used in the public network.
Outside global address   The real IP address of a device that resides in the Internet, outside the stub domain.
Outside local address    The translated IP address of the device that resides in the Internet. This address is used inside the stub domain.
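The NAT forms and address terms of this section, as an added example that is not the book's or Cisco's code: a small model of the NAT router in Figure 8-3 holding a static entry, a dynamic pool and PAT overloading on one inside global address, with the outbound and inbound lookups a router performs. The inside local network 192.168.10.0/24 and the 200.100.100.x inside global addresses follow the figure; the specific hosts, the one-address pool and the port allocation order are constructed assumptions.

```python
# Added example, not from the book: a minimal NAT/PAT translation table that
# shows static NAT (manual one-to-one), dynamic NAT (one-to-one from a pool)
# and overloading/PAT (many-to-one, distinguished by port) side by side.
# All addresses are constructed sample values.


class NatRouter:
    def __init__(self, overload_ip: str, pool=(), static=None, first_port: int = 1024):
        self.overload_ip = overload_ip        # inside global address used for PAT
        self.free_pool = list(pool)           # inside global addresses for dynamic NAT
        self.static = dict(static or {})      # inside local -> inside global, configured by hand
        self.dynamic = {}                     # inside local -> inside global taken from the pool
        self.next_port = first_port           # next port handed out for an overloaded flow
        self.outbound = {}                    # (inside local ip, port) -> (inside global ip, port)
        self.inbound = {}                     # the reverse of outbound

    def translate_outbound(self, src_ip: str, src_port: int) -> tuple:
        """Packet from the stub domain toward the public network: rewrite the
        source to an inside global address and remember the flow."""
        key = (src_ip, src_port)
        if key in self.outbound:
            return self.outbound[key]
        glob = self.static.get(src_ip) or self.dynamic.get(src_ip)
        if glob is None and self.free_pool:           # dynamic NAT: take a pool address
            glob = self.free_pool.pop(0)
            self.dynamic[src_ip] = glob
        if glob is not None:
            mapping = (glob, src_port)                 # one-to-one: the port is unchanged
        else:                                          # pool empty: overload one address
            mapping = (self.overload_ip, self.next_port)
            self.next_port += 1
        self.outbound[key] = mapping
        self.inbound[mapping] = key
        return mapping

    def translate_inbound(self, dst_ip: str, dst_port: int):
        """Packet from the public network: find the inside local destination.
        Returns None (drop) when nothing maps to it, which is why a PAT-only
        host cannot be reached from the Internet unless it opened the flow."""
        if (dst_ip, dst_port) in self.inbound:
            return self.inbound[(dst_ip, dst_port)]
        for local, glob in self.static.items():
            if glob == dst_ip:                         # static entries exist before any traffic
                return (local, dst_port)
        return None


if __name__ == "__main__":
    nat = NatRouter("200.100.100.1", pool=["200.100.100.2"],
                    static={"192.168.10.100": "200.100.100.10"})   # constructed
    print("static, inbound first :", nat.translate_inbound("200.100.100.10", 443))
    print("dynamic from pool     :", nat.translate_outbound("192.168.10.5", 40000))
    print("PAT after pool empty  :", nat.translate_outbound("192.168.10.6", 40000))
    print("unsolicited inbound   :", nat.translate_inbound("200.100.100.1", 2000))
```

The inbound lookup is the part that matters for exposure: only the static entry answers before any inside host has sent traffic, which is the behavior the guidelines above rely on when they reserve one-to-one static NAT for servers that must be visible and PAT for end systems that only initiate connections.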
IPv4 Address Subnets
Subnetting plays an important part in IPv4 addressing. The subnet mask helps determine
the network, subnetwork, and host part of an IP address. The network architect uses subnetting to manipulate the default mask to create subnetworks for LAN and WAN segments. These subnetworks provide enough addresses for LANs of different sizes.
Point-to-point WAN links usually get a subnet mask that allows for only two hosts because only two routers are present in the point-to-point WAN link. You should become familiar with determining subnetwork numbers, broadcast addresses, and host address
ranges given an IP address and mask.
Subnet masks are used for Class A, B, and C addresses only. Multicast addresses do not
use subnet masks. A subnet mask is a 32-bit number in which bits are set to 1 to identify
the network portion of the address, and a 0 is the host part of the address. The mask’s bits
set to 1 are contiguous on the left portion of the mask; the bits set to 0 are contiguous on
the right portion of the mask. Table 8-15 shows the default masks for Class A, B, and C addresses. This section addresses various ways to represent IP subnet masks. Understanding
these ways is significant because the representation of a network and its mask can appear
differently in Cisco documentation or on the command-line interface.
Table 8-15 IPv4 Default Network Address Masks

Class   Binary Mask                           Dotted-Decimal Mask
A       11111111 00000000 00000000 00000000   255.0.0.0
B       11111111 11111111 00000000 00000000   255.255.0.0
C       11111111 11111111 11111111 00000000   255.255.255.0
Mask Nomenclature
There are several ways to represent IP subnet masks. The mask can be binary, hexadecimal,
dotted decimal, or a prefix “bit mask.” Historically, the most common representation was
the dotted-decimal format (255.255.255.0). The prefix bit mask format is now more popular. This format represents the mask by using a slash followed by the number of leading
address bits that must be set to 1 for the mask. It is also referred to as classless interdomain routing (CIDR) prefix notation. For example, 255.255.0.0 is represented as /16.
Table 8-16 shows most of the mask representations. The /24 mask is common on LAN
segments. The /30 mask is common for WAN point-to-point links, and /32 is used for
router loopback addresses.
Table 8-16 Subnet Masks

Dotted Decimal    Bit Mask   Hexadecimal
255.0.0.0         /8         FF000000
255.192.0.0       /10        FFC00000
255.255.0.0       /16        FFFF0000
255.255.224.0     /19        FFFFE000
255.255.240.0     /20        FFFFF000
255.255.255.0     /24        FFFFFF00
255.255.255.128   /25        FFFFFF80
255.255.255.192   /26        FFFFFFC0
255.255.255.224   /27        FFFFFFE0
255.255.255.240   /28        FFFFFFF0
255.255.255.248   /29        FFFFFFF8
255.255.255.252   /30        FFFFFFFC
255.255.255.255   /32        FFFFFFFF
IP Address Subnet Design
The development of an IP address plan or IP address subnet design is an important concept for the network designer. You should be capable of creating an IP address plan based on many factors:
■ Number of locations
■ Number of devices per location
■ Subnet size
■ IP addressing requirements for each individual location
■ Number of devices in each communication closet
■ Site requirements: VoIP devices, wireless LAN, video
The following example shows subnetting for a small company. Suppose the company has
200 hosts and is assigned the Class C network of 195.10.1.0/24. The 200 hosts need to be
in six different LANs.
You can subnet the Class C network using a mask of 255.255.255.224. Looking at the
mask in binary (11111111 11111111 11111111 11100000), the first 3 bytes are the network part, the first 3 bits of the fourth byte determine the subnets, and the 5 remaining 0
bits are for host addressing.
Table 8-17 shows the subnetworks created with a mask of 255.255.255.224. Using this mask, 2^n subnets are created, where n is the number of bits taken from the host part for the subnet mask. This example uses 3 bits, so 2^3 = 8 subnets. The first column of the table lists the LANs. The second column shows the binary of the fourth byte of the IP address. The third column shows the subnet number, and the fourth and fifth columns show the first host and broadcast address of the subnet.
Table 8-17  Subnets for Network 195.10.1.0

LAN     Fourth Byte   Subnet Number   First Host      Broadcast Address
LAN 0   00000000      195.10.1.0      195.10.1.1      195.10.1.31
LAN 1   00100000      195.10.1.32     195.10.1.33     195.10.1.63
LAN 2   01000000      195.10.1.64     195.10.1.65     195.10.1.95
LAN 3   01100000      195.10.1.96     195.10.1.97     195.10.1.127
LAN 4   10000000      195.10.1.128    195.10.1.129    195.10.1.159
LAN 5   10100000      195.10.1.160    195.10.1.161    195.10.1.191
LAN 6   11000000      195.10.1.192    195.10.1.193    195.10.1.223
LAN 7   11100000      195.10.1.224    195.10.1.225    195.10.1.255
Use the formula 2^n – 2 to calculate the number of hosts per subnet, where n is the number of bits for the host portion (the two addresses subtracted are the subnet number itself and the subnet broadcast address). The preceding example has 5 bits in the fourth byte for host addresses. With n = 5, 2^5 – 2 = 30 hosts. For LAN 1, host addresses range from 195.10.1.33 to 195.10.1.62 (30 addresses). The broadcast address for the subnet is 195.10.1.63. Each LAN repeats this pattern with 30 hosts in each subnet.
Determining the Network Portion of an IP Address
Given an address and mask, you can determine the classful network, the subnetwork, and
the subnetwork’s broadcast number. You do so with a logical AND operation between the
IP address and subnet mask. You obtain the broadcast address by taking the subnet number and making the host portion all 1s. Table 8-18 shows the logical AND operation. Notice that the AND operation is similar to multiplying bit 1 and bit 2; if any 0 is present, the
result is 0.
Table 8-18  AND Logical Operation

Bit 1   Bit 2   AND
0       0       0
0       1       0
1       0       0
1       1       1
As an example, take the IP address 150.85.1.70 with a subnet mask of 255.255.255.224, as shown in Table 8-19. Notice the 3 bold bits of the subnet mask in the fourth octet. The first three octets of the mask are all 1s (a /24 boundary), and these 3 bits extend the mask to /27. (150.85.1.70 is a Class B address, so its classful network is 150.85.0.0/16; the /27 mask borrows 11 bits from the Class B host portion, the last 3 of which are the bold bits.) As shown in Table 8-19, you perform an AND operation of the IP address with the subnet mask to obtain the subnetwork. You obtain the broadcast number by making all the host bits 1. The subnetwork is identified by the five rightmost 0s in the fourth octet, and the broadcast is identified by all 1s in the 5 rightmost bits.
Table 8-19  Subnetwork of IP Address 150.85.1.70

                    Binary First, Second,          Binary Fourth Octet      Dotted-Decimal
                    and Third Octets               (subnet bits | host bits) IP
IP address          10010110 01010101 00000001     010 | 00110              150.85.1.70
Subnet mask         11111111 11111111 11111111     111 | 00000              255.255.255.224
Subnetwork          10010110 01010101 00000001     010 | 00000              150.85.1.64
Broadcast address   10010110 01010101 00000001     010 | 11111              150.85.1.95

(Column roles: major network portion, then the subnet bits, then the host bits.)
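The three calculations just described (the mask notations of Table 8-16, the fixed-length subnetting of 195.10.1.0/24 in Table 8-17, and the AND operation of Tables 8-18 and 8-19), as an added Python example that is not part of the book. The standard-library `ipaddress` module is used only to convert dotted decimal to integers and to enumerate subnets; the AND and OR on the bits are written out so the table arithmetic stays visible. The function names are the example's own.

```python
import ipaddress


def to_int(dotted):
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-decimal IPv4 address."""
    return str(ipaddress.IPv4Address(value))


def mask_from_prefix(plen):
    """/plen -> 32-bit mask whose leading plen bits are 1 (prefix notation of Table 8-16)."""
    if not 0 <= plen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def prefix_from_mask(dotted_mask):
    """Dotted-decimal mask -> prefix length; rejects masks whose 1s are not contiguous."""
    mask = to_int(dotted_mask)
    plen = bin(mask).count("1")
    if mask_from_prefix(plen) != mask:
        raise ValueError(f"{dotted_mask} is not a contiguous subnet mask")
    return plen


def mask_representations(plen):
    """The three notations of Table 8-16 for one mask: dotted decimal, bit mask, hex."""
    mask = mask_from_prefix(plen)
    return to_dotted(mask), f"/{plen}", f"{mask:08X}"


def usable_hosts(plen):
    """2^n - 2 usable hosts for n host bits; /31 and /32 have no network/broadcast pair."""
    host_bits = 32 - plen
    return 2 ** host_bits - 2 if plen <= 30 else 2 ** host_bits


def subnet_of(address, dotted_mask):
    """Tables 8-18/8-19: AND the address with the mask for the subnetwork, then OR the
    subnetwork with the inverted mask (all host bits set to 1) for the broadcast."""
    addr, mask = to_int(address), to_int(dotted_mask)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    tiny = (~mask & 0xFFFFFFFF) < 2          # /31 or /32: every address is a host address
    return {
        "subnetwork": to_dotted(network),
        "first_host": to_dotted(network if tiny else network + 1),
        "last_host": to_dotted(broadcast if tiny else broadcast - 1),
        "broadcast": to_dotted(broadcast),
    }


def fixed_length_subnets(network_cidr, dotted_mask):
    """Table 8-17: carve a network into equal subnets with the given mask and return
    (label, subnet number, first host, broadcast address) for each."""
    parent = ipaddress.ip_network(network_cidr)
    plen = prefix_from_mask(dotted_mask)
    if plen < parent.prefixlen:
        raise ValueError("the new mask must be at least as long as the parent prefix")
    rows = []
    for index, sub in enumerate(parent.subnets(new_prefix=plen)):
        rows.append((f"LAN {index}", str(sub.network_address),
                     str(sub.network_address + 1), str(sub.broadcast_address)))
    return rows


if __name__ == "__main__":
    for row in fixed_length_subnets("195.10.1.0/24", "255.255.255.224"):
        print(*row)
    print(subnet_of("150.85.1.70", "255.255.255.224"))
    print(mask_representations(27), usable_hosts(27))
```

`prefix_from_mask` deliberately refuses a mask such as 255.255.0.255: non-contiguous masks are accepted by some old wildcard-style syntaxes but are not subnet masks, and silently counting their 1 bits would give a wrong prefix length.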
Variable-Length Subnet Masks
Variable-length subnet masks (VLSM) divide a network into subnets of various sizes to
prevent wasting IP addresses. If a Class C network uses 255.255.255.240 as a subnet mask,
16 subnets are available, each with 14 IP addresses. If a point-to-point link needs only 2 IP
addresses, 12 IP addresses are wasted. This problem scales further with Class B and Class
A address space. With VLSMs, small LANs can use /28 subnets with 14 hosts, and larger
LANs can use /23 or /22 masks with 510 and 1022 hosts, respectively. Point-to-point networks use a /30 mask, which supports two hosts.
There is not one way to subdivide a network, so there is not a single correct way to create subnets. The best practice is to divide large networks into smaller subnets that can be assigned to sites. Further divide each site subnet into smaller subnets for data, VoIP, wireless LAN, and other subnets to be used in site VLANs. WAN and point-to-point links, and router and switch loopback addresses, are also allocated their own IP subnets.
VLSM Address Assignment: Example 1
Let’s look at a VLSM IP address assignment example. Take Class B network 130.20.0.0/16
as an example. Using a /20 mask produces 16 subnetworks. Table 8-20 shows the subnetworks. With the /20 subnet mask, the first 4 bits of the third byte determine the subnets.
Table 8-20  Subnets with the /20 Mask

Third Byte   Subnetwork
00000000     130.20.0.0/20
00010000     130.20.16.0/20
00100000     130.20.32.0/20
00110000     130.20.48.0/20
01000000     130.20.64.0/20
01010000     130.20.80.0/20
01100000     130.20.96.0/20
01110000     130.20.112.0/20
10000000     130.20.128.0/20
10010000     130.20.144.0/20
10100000     130.20.160.0/20
10110000     130.20.176.0/20
11000000     130.20.192.0/20
11010000     130.20.208.0/20
11100000     130.20.224.0/20
11110000     130.20.240.0/20
With fixed-length subnet masks, the network supports only 16 networks. Any LAN or WAN link has to use a /20 subnet. In this scenario, if the sites involved vary in size, this “one network size fits all” solution might be a waste of address space and therefore is inefficient. With VLSMs, you can further subnet the /20 subnets.
For example, take 130.20.64.0/20 and subdivide it to support LANs with about 500 hosts. A /23 mask has 9 bits for hosts, producing 2^9 – 2 = 510 IP addresses for hosts. Table 8-21 shows the subnetworks for LANs within a specified subnet.
Table 8-21  Subnetworks for 130.20.64.0/20

Third Byte   Subnetwork
01000000     130.20.64.0/23
01000010     130.20.66.0/23
01000100     130.20.68.0/23
01000110     130.20.70.0/23
01001000     130.20.72.0/23
01001010     130.20.74.0/23
01001100     130.20.76.0/23
01001110     130.20.78.0/23
With VLSMs, you can further subdivide these subnetworks of subnetworks. Take subnetwork 130.20.76.0/23 and use it for two LANs that have fewer than 250 hosts. It produces
subnetworks 130.20.76.0/24 and 130.20.77.0/24. Also, subdivide 130.20.78.0/23 for serial
links. Because each point-to-point serial link needs only two IP addresses, use a /30 mask.
Table 8-22 shows the subnetworks produced.
Table 8-22  Serial-Link Subnetworks

Third Byte   Fourth Byte   Subnetwork
01001110     00000000      130.20.78.0/30
01001110     00000100      130.20.78.4/30
01001110     00001000      130.20.78.8/30
01001110     00001100      130.20.78.12/30
...          ...           ...
01001111     11110100      130.20.79.244/30
01001111     11111000      130.20.79.248/30
01001111     11111100      130.20.79.252/30
Each /30 subnetwork includes the subnetwork number, two IP addresses, and a broadcast
address. Table 8-23 shows the bits for 130.20.78.8/30.
Table 8-23  Addresses Within Subnetwork 130.20.78.8/30

Binary Address                          IP Address      Function
10000010 00010100 01001110 00001000     130.20.78.8     Subnetwork
10000010 00010100 01001110 00001001     130.20.78.9     IP address 1
10000010 00010100 01001110 00001010     130.20.78.10    IP address 2
10000010 00010100 01001110 00001011     130.20.78.11    Broadcast address
Loopback Addresses
You can also reserve a subnet for router loopback addresses. Loopback addresses provide
an always-up interface to use for router-management connectivity. The loopback address
can also serve as the router ID for some routing protocols. The loopback address is a single IP address with a 32-bit mask. In the previous example, network 130.20.75.0/24 could
provide 255 loopback addresses for network devices, starting with 130.20.75.1/32 and
ending with 130.20.75.255/32.
IP Telephony Networks
You should reserve separate subnets for LANs using IP phones. IP phones are normally
placed in a VLAN that is in a logical segment separate from that of the user workstations.
Separating voice and data on different subnets or VLANs also aids in providing QoS for
voice traffic with regard to classifying, queuing, and buffering. This design rule also facilitates troubleshooting.
Table 8-24 shows an example of allocating IP addresses for a small network for a company
located within three buildings. Notice that separate VLANs are used for the VoIP devices.
Table 8-24  IP Address Allocation for VoIP Networks

Building Floor/Function   VLAN Number   IP Subnet
First-floor data          VLAN 11       172.16.11.0/24
Second-floor data         VLAN 12       172.16.12.0/24
Third-floor data          VLAN 13       172.16.13.0/24
First-floor VoIP          VLAN 111      172.16.111.0/24
Second-floor VoIP         VLAN 112      172.16.112.0/24
Third-floor VoIP          VLAN 113
VLSM Address Assignment: Example 2
Because this is an important topic, here is another example of VLSM design. Take network 10.0.0.0/8, which is commonly used by companies in their internal networks because
this is private IP address space.
Global companies divide this address space into continental regions for the Americas, Europe/Middle East, Africa, and Asia/Pacific. An example is shown in Table 8-25, where the address space has been divided into four major blocks:
■ 10.0.0.0 to 10.63.0.0 is reserved.
■ 10.64.0.0 to 10.127.0.0 for the Americas.
■ 10.128.0.0 to 10.191.0.0 for Europe, Middle East, and Africa.
■ 10.192.0.0 to 10.254.0.0 for Asia Pacific.
Table 8-25  Global IP Address Allocation

Region               Network
Reserved             10.0.0.0/10
North America        10.64.0.0/10
South America        10.96.0.0/11 (part of the North America /10 above)
Europe/Middle East   10.128.0.0/10
Africa               10.160.0.0/11 (part of the Europe/Middle East /10 above)
Asia Pacific         10.192.0.0/10
From each of these regions, address blocks can be allocated to company sites. Large sites may require 4, 8, or 16 Class C equivalent (/24) subnets to assign to data, voice, wireless, and management VLANs. Table 8-26 shows an example. The large site is allocated network 10.64.16.0/20. The first four /24 subnets are assigned for data VLANs, the second four /24 subnets are assigned for voice VLANs, and the third four /24 subnets are assigned for wireless LAN VLANs. Other subnets are used for router and switch interfaces, point-to-point links, and network management devices.
Table 8-26  IP Address Allocation in a Large Site

Function                  IP Subnet
Data VLAN 1               10.64.16.0/24
Data VLAN 2               10.64.17.0/24
Data VLAN 3               10.64.18.0/24
Data VLAN 4               10.64.19.0/24
Voice VLAN 1              10.64.20.0/24
Voice VLAN 2              10.64.21.0/24
Voice VLAN 3              10.64.22.0/24
Voice VLAN 4              10.64.23.0/24
Wireless VLAN 1           10.64.24.0/24
Wireless VLAN 2           10.64.25.0/24
Wireless VLAN 3           10.64.26.0/24
Wireless VLAN 4           10.64.27.0/24
Reserved                  10.64.28.0/24
Reserved                  10.64.29.0/24
Router/switch loopbacks   10.64.30.0/24
P2P links, misc.          10.64.31.0/24
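A VLSM allocator in Python, added here as an example (it is not the book's code) that generalizes VLSM Examples 1 and 2 above. Given a block and a list of (name, required hosts) pairs, it assigns each requirement the smallest subnet that fits, handling the largest requirements first and placing each one best-fit into the smallest free CIDR that can hold it; that ordering is what keeps the /30 serial links and /32 loopbacks from fragmenting space a later /23 LAN would need. The /30 convention for point-to-point links and /32 for loopbacks follows the text; the requirement list in `__main__` reproduces Example 1 and is constructed for this example.

```python
import ipaddress


def prefix_for_hosts(hosts):
    """Longest prefix (smallest subnet) whose usable host count covers `hosts`.
    A single loopback gets /32; everything else is sized with 2^n - 2 usable hosts,
    so 2 hosts -> /30, 14 -> /28, 254 -> /24, 510 -> /23 (Tables 8-21 to 8-23)."""
    if hosts < 1:
        raise ValueError("a requirement needs at least one host")
    if hosts == 1:
        return 32
    for plen in range(30, 0, -1):
        if 2 ** (32 - plen) - 2 >= hosts:
            return plen
    raise ValueError("requirement larger than any IPv4 subnet")


def allocate(block_cidr, requirements):
    """VLSM allocation of [(name, hosts), ...] from one block.

    Largest requirement first, best-fit into the smallest free CIDR that can hold it.
    Returns (plan, free): plan is [(name, IPv4Network), ...] in allocation order and
    free is the unallocated remainder as a sorted list of CIDRs."""
    free = [ipaddress.ip_network(block_cidr)]
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        candidates = [n for n in free if n.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"no free space for {name} (/{plen}) in {block_cidr}")
        # Best fit: the free block with the longest prefix that still fits; on ties the
        # lowest address, so allocations fill the block from the bottom up.
        chosen = min(candidates, key=lambda n: (-n.prefixlen, n.network_address))
        free.remove(chosen)
        subnet = next(chosen.subnets(new_prefix=plen))    # lowest-numbered piece
        free.extend(chosen.address_exclude(subnet))       # remainder, as aligned CIDRs
        plan.append((name, subnet))
    free.sort(key=lambda n: n.network_address)
    return plan, free


def overlaps(plan):
    """Sanity check on a plan: True if any two allocated subnets share an address."""
    nets = [subnet for _, subnet in plan]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Constructed requirements mirroring VLSM Example 1 within 130.20.64.0/20.
    requirements = [
        ("LAN A", 500), ("LAN B", 500),          # /23 each, 510 hosts
        ("LAN C", 250), ("LAN D", 250),          # /24 each, 254 hosts
        ("Serial 1", 2), ("Serial 2", 2),        # /30 point-to-point links
        ("R1 loopback", 1),                      # /32
    ]
    plan, free = allocate("130.20.64.0/20", requirements)
    for name, subnet in plan:
        print(f"{name:12} {subnet}")
    print("free:", ", ".join(str(n) for n in free), "overlap:", overlaps(plan))
```

Handing the allocator the whole regional block of Example 2 works the same way: the site allocations of Table 8-26 are simply sixteen /24 requirements against 10.64.16.0/20, and the best-fit rule leaves the unused /24s as contiguous free space rather than scattered fragments.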
Address Assignment and Name Resolution
Device network configuration parameters such as IP addresses, subnet masks, default
gateways, and DNS server IP addresses can be assigned statically by the administrator or
dynamically by DHCP or BOOTP servers. You should statically assign most shared network systems, such as routers and servers, but dynamically assign most client systems like
end-user PCs and laptops. This section covers the protocols you use to dynamically assign
IP address parameters to a host, which are the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP). This section also covers Domain Name System (DNS) and Address Resolution Protocol (ARP), which are two significant protocols in
IP networks. DNS maps domain names to IP addresses, and ARP resolves IP addresses to
MAC addresses. These protocols are important in TCP/IP networks because they simplify
the methods of address assignment and resolution.
Recommended Practices of IP Address Assignment
IP addresses can be assigned statically (manual configuration) or dynamically:
■ Use static IP address assignment for network infrastructure devices.
■ Use dynamic IP address assignment for end-user devices.
Assign static IP addresses to routers, switches, access points, printers, and servers. These static IP addresses are assigned in the network infrastructure, data center modules, and in modules of the enterprise edge and WAN. You need to manage and monitor these systems, so you must access them via a stable IP address.
You should dynamically assign addresses to end-client workstations to reduce the configuration tasks required to connect these systems to the network. Cisco IP phones and mobile devices are
and how to reach its default gateway as the network is discovered. One of the first methods used to dynamically assign IP addresses was BOOTP. The current method to assign IP
addresses is DHCP.
BOOTP
The basic BOOTP was first defined in RFC 951. It has been updated by RFC 1497 and RFC 1542. It is a protocol that allows a booting host to configure itself by dynamically obtaining its IP address, IP gateway, and other information from a remote server. You can use a single server to centrally manage numerous network hosts without having to configure each host independently.
BOOTP is an application layer protocol that uses UDP/IP for transport. The BOOTP server port is UDP port 67. The client port is UDP port 68. Clients send BOOTP requests to the BOOTP server, and the server responds to UDP port 68 to send messages to the client. The destination IP of the BOOTP requests is the limited broadcast address (255.255.255.255), which routers do not forward. If the BOOTP server is one or more router hops from the subnet, you must configure the local default gateway router to forward the BOOTP requests to the server as unicasts (the ip helper-address interface command on Cisco IOS routers).
BOOTP requires that you build a “MAC address to IP address” table on the server. You must obtain every device’s MAC address, which is a time-consuming effort. BOOTP has been replaced by the more sophisticated DHCP.
DHCP
DHCP provides a way to dynamically configure hosts on the network. Based on BOOTP,
it is defined in RFC 2131 and adds the capability to reuse network addresses and additional configuration options. DHCP improves on BOOTP by using a “lease” for IP addresses and providing the client with all the IP configuration parameters needed to
operate in the network.
DHCP servers allocate network addresses and deliver configuration parameters dynamically to hosts. With DHCP, the computer can obtain its configuration information—IP address, subnet mask, IP default gateway, DNS servers, WINS servers, and so on—when
needed. DHCP also includes other optional parameters that you can assign to clients. The
configuration information is managed centrally on a DHCP server.
Routers act as relay agents by passing DHCP messages between DHCP clients and servers. Because DHCP is an extension of BOOTP, it uses the message format defined in RFC 951 for BOOTP. It uses the same ports as BOOTP: DHCP servers use UDP port 67, and DHCP clients use UDP port 68. Because of these similarities, the router configuration that supports DHCP relay is the same as that described for BOOTP.
DHCP has three address allocation mechanisms:
■ Manual: In manual allocation, DHCP is used to dispatch a preallocated IP address to a specific MAC address.
■ Automatic: The IP address is permanently assigned to the host; it does not expire.
■ Dynamic: For dynamic allocation, IP addresses are assigned for a limited time (a lease) or until the host explicitly releases the address. This dynamic-allocation mechanism can reuse the IP address after the lease expires.
An IP address is assigned as follows:
1. The client sends a DHCPDISCOVER message to the local network using a 255.255.255.255 broadcast.
2. BOOTP relay agents (routers) can forward the DHCPDISCOVER message to the DHCP server in another subnet.
3. The server sends a DHCPOFFER message to respond to the client, offering an IP address, lease expiration, and other DHCP option information.
4. The client sends a DHCPREQUEST message that confirms it is accepting the DHCP offer. The client can also use this message to request additional options or an extension of its lease on an IP address.
5. The server then sends a DHCPACK (acknowledgment) message that confirms the lease and contains all the pertinent IP configuration parameters.
6. If the server is out of addresses or it determines that the client request is invalid, it sends a DHCPNAK message to the client.
One important note for the CCDA to remember is to place DHCP servers in the Enterprise
Campus Data Center/Server Farm module and Enterprise Branch of the Enterprise Campus architecture.
Table 8-27 summarizes DHCP allocation mechanisms.
Table 8-27  DHCP Allocation Mechanisms

Address Allocation Mechanism   Description
Dynamic                        IP addresses are leased for a limited time; the address can be reused after the lease expires.
Manual                         Dispatches a preallocated IP address to a specific MAC address.
Automatic                      IP addresses are permanently assigned to a host.
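The DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK exchange above, encoded and decoded in the RFC 951 message format that the text says DHCP inherits from BOOTP, as an added Python example that is not from the book. It builds the four messages, shows what a relay agent changes before forwarding a client broadcast (it fills giaddr with its own interface address and increments hops), and checks an offer's server identifier (option 54) against a list of expected servers, because DHCP carries no authentication and the first offer to arrive wins. All values are constructed: the client MAC 00:11:22:33:44:55, transaction ID 0x3903F326, the server 192.0.2.10 (an RFC 5737 documentation address), and the offered address 10.64.16.50 with gateway 10.64.16.1, taken from the Data VLAN 1 subnet of Table 8-26 on the assumption that the client sits in that VLAN. The function names are the example's own.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # RFC 2131: marks the start of the DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2             # op field, inherited from BOOTP (RFC 951)
SERVER_PORT, CLIENT_PORT = 67, 68         # UDP ports, the same as BOOTP
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6   # option 53 values
TYPE_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
# Fixed 236-byte header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def build(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Encode one message: fixed header, magic cookie, option 53, further TLV options, end."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,        # Ethernet, 6-byte MAC,
                         b"\0" * 4, ip4(yiaddr), b"\0" * 4, ip4(giaddr),   # broadcast flag set
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def parse(packet):
    """Decode the fixed header and walk the option TLVs (0 = pad, 255 = end)."""
    fields = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or not DHCP at all")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": fields[0], "hops": fields[3], "xid": fields[4],
        "yiaddr": str(ipaddress.IPv4Address(fields[8])),
        "giaddr": str(ipaddress.IPv4Address(fields[10])),
        "chaddr": fields[11][:fields[2]].hex(":"),
        "type": TYPE_NAMES.get(options.get(53, b"\0")[0], "unknown"),
        "options": options,
    }


def relay(packet, relay_address):
    """What a relay agent does before unicasting a client broadcast to the server:
    write its own interface address into giaddr (the server uses it to choose the
    scope and to address the reply) and increment hops."""
    hops = packet[3] + 1
    return packet[:3] + bytes([hops]) + packet[4:24] + ip4(relay_address) + packet[28:]


def offer_is_trusted(packet, trusted_servers):
    """Compare option 54 (server identifier) of an offer with the servers that should
    exist on this network; an offer from anywhere else is a rogue DHCP server."""
    msg = parse(packet)
    server_id = msg["options"].get(54)
    if msg["type"] != "DHCPOFFER" or server_id is None:
        return False
    return str(ipaddress.IPv4Address(server_id)) in trusted_servers


def dora_exchange(client_mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326,
                  server="192.0.2.10", offered="10.64.16.50"):
    """The four messages of the exchange, with constructed values."""
    lease = struct.pack("!I", 86400)                       # option 51, one day in seconds
    discover = build(BOOTREQUEST, xid, client_mac, DHCPDISCOVER)
    offer = build(BOOTREPLY, xid, client_mac, DHCPOFFER, yiaddr=offered, options=[
        (54, ip4(server)), (51, lease), (1, ip4("255.255.255.0")),
        (3, ip4("10.64.16.1")), (6, ip4("10.64.16.2"))])  # mask, router, DNS (constructed)
    request = build(BOOTREQUEST, xid, client_mac, DHCPREQUEST,
                    options=[(50, ip4(offered)), (54, ip4(server))])   # requested IP, server
    ack = build(BOOTREPLY, xid, client_mac, DHCPACK, yiaddr=offered, options=[
        (54, ip4(server)), (51, lease), (1, ip4("255.255.255.0")), (3, ip4("10.64.16.1"))])
    return [discover, offer, request, ack]


if __name__ == "__main__":
    for message in dora_exchange():
        decoded = parse(message)
        print(decoded["type"], decoded["xid"], decoded["chaddr"], decoded["yiaddr"])
    print(parse(relay(dora_exchange()[0], "10.64.16.1"))["giaddr"])
```

All four messages carry the same xid, which is how the client matches offers and acknowledgments to its own discover; a switch feature such as DHCP snooping applies the same server-identifier check as `offer_is_trusted`, but at the port level.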
DNS
The Domain Name System (DNS) is an Internet-based directory system that returns the
destination IP addresses given a domain name (such as www.cisco.com). DNS is a distributed database. Separate, independent organizations administer their assigned domain
name spaces and can break their domains into a number of subdomains. For example,
1035. It has also been updated by RFCs 1101, 1122, 1183, 1706, 1876, 1982, 1995, 1996,
2136, 2137, 2181, 2308, 2535, 2782, 2845, 3425 and RFC 3658.
Figure 8-5 shows a simplified view of the DNS process for name resolution. The client device queries its configured DNS server (the resolver) for the IP address of a fully qualified domain name (FQDN; for example, www.cisco.com). The resolver in turn queries the foreign or remote DNS server, which responds with the IP address of www.cisco.com. This response is stored in cache on the resolver so that it can be used for future queries. The resolver provides the response to the client machine, which can then communicate via IP address to the destination.
Figure 8-5  DNS Name Resolution
[Figure: the client sends a user query to its local DNS server (the resolver); the resolver sends queries across the Internet to the remote DNS server and receives its responses; the resolver returns the user response to the client.]
DNS was implemented to overcome the limitations of managing a single text host table. Imagine creating and maintaining text files with the names and IP addresses of all the hosts on the Internet! DNS scales hostname-to-IP address translation by distributing responsibility for the domain name space. DNS follows an inverted tree structure for domain name space, as shown in Figure 8-6. IANA (www.iana.org) manages the tree’s root.
Figure 8-6  DNS Tree
[Figure: the root (.) at the top; below it the top-level domains .com .gov .net .org .edu .mil .us .fr .de .mx; below those, second-level domains such as .nasdaq .cisco .faa .ins .telmex .att and .companyx; below .companyx the subdomains .hr .manufacturing .sales and .marketing.]
DNS data is called resource records (RR). Resource records are the data within a DNS zone. Table 8-28 lists some common resource records.
Table 8-28  DNS Resource Records

DNS RR   Description
A        Address. Provides the name-to-address mapping. It contains the IPv4 address in dotted-decimal form.
AAAA     IPv6 address. Provides the name-to-IPv6-address mapping.
CNAME    Canonical Name. Used for aliases or nicknames.
MX       Mail Exchanger. Specifies the host name (with a preference value) of the server to which mail for the domain should be delivered.
NS       Name Server. Specifies the name of the device that provides DNS for a particular domain.
PTR      Pointer. Used for reverse mapping, from IP addresses to names.
SOA      Start of Authority. Designates the start of a zone. This is the device that is the master of DNS data for a zone.
DNS uses TCP and UDP port 53. UDP is the recommended transport protocol for DNS queries. TCP is the recommended protocol for zone transfers between DNS servers; it is also used when a response is too large for a single UDP message (the server sets the TC bit in its truncated reply and the client retries the query over TCP). A zone transfer occurs when you place a secondary server in the domain and transfer the DNS information from the primary DNS server to the secondary server. A DNS query searches for the IP address of an FQDN, such as www.cnn.com.
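The query and response of Figure 8-5 at the wire level, as an added Python example that is not from the book: it encodes an A query for www.cisco.com in the RFC 1035 message format, and parses a response that carries a CNAME and an A record (the CNAME and the A-record owner use the name compression of RFC 1035 section 4.1.4, which is where most DNS parser bugs live, so the reader guards against pointer loops and out-of-range pointers). It also reports the TC bit that tells a client to retry over TCP. The response is constructed here, not captured: the alias target www.cisco.com.example.net and the address 192.0.2.44 (RFC 5737 documentation range) are made up, and the function names are the example's own.

```python
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28   # RR type codes for records from Table 8-28
CLASS_IN = 1


def encode_name(name):
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("a label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid):
    """12-byte header (flags: RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, offset):
    """Read a name that may use compression: a label byte with the top two bits set is
    a 14-bit pointer to an earlier name. Returns (name, offset just past the name in
    the current label sequence), and refuses pointer loops and pointers off the end."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64 or pointer >= len(msg):
                raise ValueError("bad compression pointer (loop or out of range)")
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(msg):
    """Header fields of interest plus the answer RRs as (name, type, ttl, rdata)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                        # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                                 # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, offset - rdlen)   # the target may be compressed too
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200),      # TC set: retry this query over TCP
            "answers": answers}


def build_response(query, answers):
    """Server side: echo the question, set QR and RA, append (owner, type, ttl, rdata)
    records; `owner` is already in wire form (an encoded name or a 2-byte pointer)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b""
    for owner, rtype, ttl, rdata in answers:
        body += owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def resolve_demo():
    """Constructed exchange: an A query for www.cisco.com answered with a CNAME to a
    made-up alias target plus that target's A record."""
    query = build_query("www.cisco.com", TYPE_A, 0x1234)
    target = encode_name("www.cisco.com.example.net")
    # The CNAME rdata starts after the question (len(query)), the 2-byte owner pointer
    # and the 10-byte fixed RR part; the A record's owner is a pointer to that name.
    pointer_to_target = struct.pack("!H", 0xC000 | (len(query) + 2 + 10))
    response = build_response(query, [
        (b"\xC0\x0C", TYPE_CNAME, 300, target),              # 0xC00C: question name at 12
        (pointer_to_target, TYPE_A, 60, bytes([192, 0, 2, 44])),
    ])
    return query, response


if __name__ == "__main__":
    _, response = resolve_demo()
    for record in parse_response(response)["answers"]:
        print(record)
```

The hop limit in `read_name` matters in practice: a response whose pointer refers to itself, or to a later pointer that leads back, makes a naive parser loop forever, and a resolver or packet-inspection tool must treat such a message as malformed rather than trust it.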
One important note for the CCDA to remember is to place DNS servers in the Enterprise
Campus Server Farm module and Enterprise Branch of the Enterprise Campus architecture (see Figure 8-7).
Table 8-29 summarizes the placement of DHCP and DNS servers on the Cisco enterprise
network.
Table 8-29  DHCP and DNS Servers

Network Location                 Server Type
Campus Data Center               DHCP and Internal DNS
Enterprise Branch                DHCP and Internal DNS
E-Commerce                       External DNS
Internet                         External DNS
SP Edge Premises                 Internal DNS
Remote Enterprise Data Center    Internal and External DNS
Figure 8-7  DHCP and DNS Servers in the Network
[Figure: Enterprise Campus (Building Access, Building Distribution, Campus Core, and the Data Center with DHCP and internal DNS); Enterprise Edge (E-Commerce/DMZ/Internet with external DNS, Enterprise WAN, Remote Access VPN, Internet); SP Edge Premises, labelled with external DNS; Remote Modules (Enterprise Branch with DHCP and internal DNS, Enterprise Data Center with internal and external DNS, Enterprise Teleworkers).]
ARP
When an IP host needs to send an IP packet over an Ethernet network, it needs to find out
what 48-bit MAC physical address to send the frame to. Given the destination IP, ARP obtains the destination MAC. The destination MAC can be a local host or the gateway
router’s MAC address if the destination IP is across the routed network. ARP is described
in RFC 826. The local host maintains an ARP table with a list relating IP address to MAC
address.
ARP operates by having the sender broadcast an ARP request. Figure 8-8 shows an example of an ARP request and reply. Suppose a router with the IP address 10.1.1.1 has a packet
to send to 10.1.1.10 but does not have the destination MAC address in its ARP table. It
broadcasts an ARP request to all hosts in a subnet. The ARP request contains the sender’s
IP and MAC address and the target IP address. All nodes in the broadcast domain receive
the ARP request and process it. The device with the target IP address sends an ARP reply
to the sender with its MAC address information; the ARP reply is a unicast message sent to
10.1.1.1. The sender now has the target MAC address in its ARP cache and sends the frame.
Figure 8-8  ARP Request and Reply
[Figure: hosts 10.1.1.1, 10.1.1.9, 10.1.1.10, and 10.1.1.11 on one segment. ARP request from the source device (IP 10.1.1.1, MAC 0000.0c07.ab01) for the destination device (IP 10.1.1.10, MAC 0000.0000.0000, unknown, so the request is broadcast). ARP reply from the source device (IP 10.1.1.10, MAC 0000.0c07.ab6a) to the destination device (IP 10.1.1.1, MAC 0000.0c07.ab01), sent as a unicast.]
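The request and reply of Figure 8-8 in the RFC 826 packet format, as an added Python example that is not from the book: two hosts with the figure's addresses and MACs, an ARP cache per host, the broadcast request on a cache miss with the target hardware address left as zeros, the unicast reply from the owner of the target IP only, and the cache update on receipt. Because nothing in ARP authenticates a reply, the cache update also records when an IP address that is already cached suddenly claims a different MAC, which is the observable signature of ARP spoofing. The class and function names are the example's own; the bystander host 10.1.1.9 and the spoofed MAC used in the test are constructed.

```python
import struct
import ipaddress

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_bytes(text):
    """Accept Cisco dotted form (0000.0c07.ab01) or colon form (00:00:0c:07:ab:01)."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """RFC 826 packet for IPv4 over Ethernet: htype 1, ptype 0x0800, hlen 6, plen 4."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(packet):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"oper": oper,
            "sender_mac": mac_text(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpHost:
    """One IP host on the segment: its ARP cache plus the request/reply behaviour."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac_text(mac_bytes(mac))
        self.cache = {}        # ip -> mac: the ARP table described in the text
        self.alerts = []       # (ip, old mac, new mac) whenever a cached mapping changes

    def resolve(self, target_ip):
        """Return (destination MAC for the frame, ARP request to broadcast or None)."""
        if target_ip in self.cache:
            return self.cache[target_ip], None
        # Cache miss: broadcast a request. The target hardware address is all zeros
        # because it is exactly what we do not know yet.
        request = build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", target_ip)
        return ETH_BROADCAST, request

    def _learn(self, ip, mac):
        old = self.cache.get(ip)
        if old is not None and old != mac:
            # ARP is unauthenticated; a cached IP claiming a new MAC is the signature of
            # ARP spoofing (or, less often, a replaced NIC), so record it for inspection.
            self.alerts.append((ip, old, mac))
        self.cache[ip] = mac

    def receive(self, packet):
        """Every node in the broadcast domain processes a request, but only the owner of
        the target IP answers, with a unicast reply; a reply addressed to this host fills
        its cache. Returns the reply to send, or None."""
        arp = parse_arp(packet)
        if arp["oper"] == ARP_REQUEST and arp["target_ip"] == self.ip:
            self._learn(arp["sender_ip"], arp["sender_mac"])   # RFC 826: merge the sender
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        if arp["oper"] == ARP_REPLY and arp["target_mac"] == self.mac:
            self._learn(arp["sender_ip"], arp["sender_mac"])
        return None


def figure_8_8_exchange():
    """The exchange of Figure 8-8: router 10.1.1.1 resolves host 10.1.1.10."""
    router = ArpHost("10.1.1.1", "0000.0c07.ab01")
    host = ArpHost("10.1.1.10", "0000.0c07.ab6a")
    destination, request = router.resolve("10.1.1.10")   # miss: broadcast request
    reply = host.receive(request)                          # only the target answers
    router.receive(reply)                                  # unicast reply fills the cache
    return router, destination, request, reply


if __name__ == "__main__":
    router, destination, request, reply = figure_8_8_exchange()
    print("request to", destination, parse_arp(request))
    print("reply", parse_arp(reply))
    print("router ARP table", router.cache)
```

The alert list is the minimal form of what tools such as arpwatch keep: a cached IP-to-MAC pair changing under you is worth logging even when it turns out to be a legitimate hardware swap.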
References and Recommended Readings
RFC 791, Internet Protocol, www.ietf.org/rfc.
RFC 826, Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48-bit Ethernet Address for Transmission on Ethernet Hardware, www.ietf.org/rfc.
RFC 951, Bootstrap Protocol (BOOTP), www.ietf.org/rfc.
RFC 1034, Domain Names - Concepts and Facilities, www.ietf.org/rfc.
RFC 1035, Domain Names - Implementation and Specification, www.ietf.org/rfc.
RFC 1349, Type of Service in the Internet Protocol Suite, www.ietf.org/rfc.
RFC 1631, The IP Network Address Translator (NAT), www.ietf.org/rfc.
RFC 1918, Address Allocation for Private Internets, www.ietf.org/rfc.
RFC 2131, Dynamic Host Configuration Protocol, www.ietf.org/rfc.
RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, www.ietf.org/rfc.
RFC 2597, Assured Forwarding PHB Group, www.ietf.org/rfc.
RFC 2598, An Expedited Forwarding PHB, www.ietf.org/rfc.
RFC 3022, Traditional IP Network Address Translator (Traditional NAT), www.ietf.org/rfc.
RFC 3168, The Addition of Explicit Congestion Notification (ECN) to IP, www.ietf.org/rfc.
RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), www.ietf.org/rfc.
RFC 5798, Virtual Router Redundancy Protocol (VRRP), www.ietf.org/rfc.
www.cisco.com/en/US/products/sw/netmgtsw/ps1982/products_user_guide_chapter09186a00800ade55.html.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 8-30 lists a reference of these key topics and the page
numbers on which each is found.
Table 8-30  Key Topics

Key Topic Element   Description                                                                     Page
Summary             The Type of Service field of the IP header is used to specify QoS parameters.   271
List                IPv4 address types.                                                             278
Summary             IPv4 private addresses.                                                         279
Summary             NAT                                                                             279
Summary             IPv4 address subnets.                                                           282
Summary             VLSM                                                                            286
List                Three address-allocation mechanisms of DHCP.                                    291
Summary             DNS                                                                             292
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory
Tables Answer Key,” also on the CD, includes completed tables and lists to check your
work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
IPv4, DHCP, DNS, DSCP, NAT, PAT, ToS, VLSM
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. List the RFC 1918 private address ranges.
2. True or false: You can use DHCP to specify the TFTP host’s IP address to a client PC.
3. True or false: 255.255.255.248 and /28 are two representations of the same IP mask.
4. True or false: Upper-layer protocols are identified in the IP header’s protocol field.
TCP is protocol 6, and UDP is protocol 17.
5. Fill in the blank: Without any options, the IP header is _________ bytes in length.
6. The IP header’s ToS field is redefined as the DS field. How many bits does DSCP use
for packet classification, and how many levels of classification are possible?
7. True or false: NAT uses different IP addresses for translations. PAT uses different port
numbers to identify translations.
8. True or false: The IP header’s header checksum field performs the checksum of the IP
header and data.
9. Calculate the subnet, the address range within the subnet, and the subnet broadcast
of the address 172.56.5.245/22.
10. When packets are fragmented at the network layer, where are the fragments reassembled?
11. Which protocol can you use to configure a default gateway setting on a host?
a. ARP
b. DHCP
c. DNS
d. RARP
12. How many host addresses are available with a Class B network with the default mask?
a. 63,998
b. 64,000
c. 65,534
d. 65,536
13. Which of the following is a dotted-decimal representation of a /26 prefix mask?
a. 255.255.255.128
b. 255.255.255.192
c. 255.255.255.224
d. 255.255.255.252
14. Which network and mask summarize both the 192.170.20.16/30 and 192.170.20.20/30 networks?
a. 192.170.20.0/24
b. 192.170.20.20/28
c. 192.170.20.16/29
d. 192.170.20.0/30
15. Which AF class is backward compatible with IP precedence bits’ flash traffic?
a. AF2
b. AF3
c. AF4
d. EF
16. Which of the following is true about fragmentation?
a. Routers between source and destination hosts can fragment IPv4 packets.
b. Only the first router in the network can fragment IPv4 packets.
c. IPv4 packets cannot be fragmented.
d. IPv4 packets are fragmented and reassembled at each link through the network.
17. A packet sent to a multicast address reaches what destinations?
a. The nearest destination in a set of hosts.
b. All destinations in a set of hosts.
c. Broadcasts to all hosts.
d. Reserved global destinations.
18. What are three types of IPv4 addresses?
a. Anycast
b. Multicast
c. Dynamic
d. Broadcast
e. Unicast
f. Global
g. Static
19. Which devices should be assigned an IP address dynamically? (Select three.)
a. Cisco IP phones
b. LAN switches
c. Workstations
d. Mobile devices
e. Routers
20. Which name resolution method reduces administrative overhead?
a. Static name resolution
b. Dynamic name resolution
c. DHCP name resolution
d. Host.txt name resolution
21. How many hosts can be addressed with the following IPv4 subnet: 172.30.192.240/28?
a. 6
b. 14
c. 126
d. 1024
22. What is the smallest subnet and mask that can be used in a DMZ network that needs to have only three hosts?
a. 192.168.10.32/30
b. 192.168.10.32/29
c. 192.168.10.32/28
d. 192.168.10.32/27
Answer the following questions based on the given scenario and Figure 8-9.
Company VWX has the network shown in Figure 8-9. The main site has three LANs,
with 100, 29, and 60 hosts. The remote site has two LANs, each with 100 hosts. The
network uses private addresses. The Internet service provider assigned the company
the network 210.200.200.8/26.
Figure 8-9  Scenario Diagram
[Figure: Company VWX. Router C connects the company to the Internet. Router A at the main site serves LAN 1 (100 hosts), LAN 2 (60 hosts), and LAN 3 (29 hosts); Router B at the remote site serves two LANs of 100 hosts each; the two sites connect over the WAN.]
23. The remote site uses the network prefix 192.168.10.0/24. What subnets and masks can you use for the LANs at the remote site and conserve address space?
a. 192.168.10.64/26 and 192.168.10.192/26
b. 192.168.10.0/25 and 192.168.10.128/25
c. 192.168.10.32/28 and 192.168.10.64/28
d. 192.168.10.0/30 and 192.168.10.128/30
24. The main site uses the network prefix 192.168.15.0/24. What subnets and masks can you use to provide sufficient addresses for LANs at the main site and conserve address space?
a. 192.168.15.0/25 for LAN 1, 192.168.15.128/26 for LAN 2, and 172.15.192.0/27 for LAN 3
b. 192.168.15.0/27 for LAN 1, 192.168.15.128/26 for LAN 2, and 172.15.192.0/25 for LAN 3
c. 192.168.15.0/100 for LAN 1, 192.168.15.128/60 for LAN 2, and 172.15.192.0/29 for LAN 3
d. 192.168.15.0/26 for LAN 1, 192.168.15.128/26 for LAN 2, and 172.15.192.0/29 for LAN 3
25. Which network and mask would you use for the WAN link to save the most address space?
a. 192.168.11.240/27
b. 192.168.11.240/28
c. 192.168.11.240/29
d. 192.168.11.240/30
26. What networks does Router C announce to the Internet service provider’s Internet router?
a. 210.200.200.8/26
b. 192.168.10.0/24 and 192.168.11.0/24
c. 192.168.10.0/25 summary address
d. 201.200.200.8/29 and 192.168.10.0/25
27. What technology does Router C use to convert private addresses to public addresses?
a. DNS
b. NAT
c. ARP
d. VLSM
28. What mechanism supports the ability to divide a given subnet into smaller subnets based on need?
a. DNS
b. NAT
c. ARP
d. VLSM
This chapter covers the following subjects:
■ Introduction to IPv6
■ IPv6 Header
■ IPv6 Address Representation
■ IPv6 Address Scope Types and Address Allocations
■ IPv6 Mechanisms
■ IPv6 Routing Protocols
■ IPv4 to IPv6 Transition Strategies and Deployments
■ IPv6 Comparison with IPv4
CHAPTER 9
Internet Protocol Version 6
This chapter reviews Internet Protocol Version 6 (IPv6) address structures, address assignments, representations, and mechanisms used to deploy IPv6. Expect plenty of questions
about IPv6 on the exam. The CCDA must understand how an IPv6 address is represented
and the different types of IPv6 addresses. This chapter also covers the benefits of IPv6
over IPv4, compares the protocols, and examines migration to IPv6 options.
As IPv6 matures, different deployment models will be used to implement the new protocol with existing IPv4 networks. This chapter covers these models at a high level. This
chapter does not discuss the configuration of IPv6 because it is not a requirement for
CCDA certification.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The 13-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 9-1 outlines the major topics discussed in this chapter and the “Do I Know This
Already?” quiz questions that correspond to those topics.
Table 9-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section                              Questions Covered in This Section
Introduction to IPv6                                   11
IPv6 Header                                            1, 2
IPv6 Address Representation                            5, 8, 9
IPv6 Address Types and Address Allocations             3, 4, 7
IPv6 Mechanisms                                        10
IPv4 to IPv6 Transition Strategies and Deployments     6
IPv6 Routing Protocols                                 12
IPv6 Comparison with IPv4                              13
1. IPv6 uses how many more bits for addresses than IPv4?
a. 32
b. 64
c. 96
d. 128
2. What is the length of the IPv6 header?
a. 20 bytes
b. 30 bytes
c. 40 bytes
d. 128 bytes
3. What address type is the IPv6 address FE80::300:34BC:123F:1010?
a. Aggregatable global
b. Unique-local
c. Link-local
d. Multicast
4. What are three scope types of IPv6 addresses?
a. Unicast, multicast, broadcast
b. Unicast, anycast, broadcast
c. Unicast, multicast, endcast
d. Unicast, anycast, multicast
5. What is a compact representation of the address 3f00:0000:0000:a7fb:0000:0000:b100:0023?
a. 3f::a7fb::b100:0023
b. 3f00::a7fb:0000:0000:b100:23
c. 3f::a7fb::b1:23
d. 3f00:0000:0000:a7fb::b1:23
6. What is NAT-PT?
a. Network Address Translation-Port Translation. Translates RFC 1918 addresses to public IPv4 addresses.
b. Network Addressable Transparent-Port Translation. Translates network addresses to ports.
c. Network Address Translation-Protocol Translation. Translates between IPv4 and IPv6 addresses.
d. Next Address Translation–Port Translation.
7. What IPv6 address scope type replaces the IPv4 broadcast address?
a. Unicast
b. Multicast
c. Broadcast
d. Anycast
8. What is the IPv6 equivalent to 127.0.0.1?
a. 0:0:0:0:0:0:0:0
b. 0:0:0:0:0:0:0:1
c. 127:0:0:0:0:0:0:1
d. FF::1
9. Which of the following is an “IPv4-compatible” IPv6 address?
a. ::180.10.1.1
b. f000:0:0:0:0:0:180.10.1.1
c. 180.10.1.1::
d. 2010::180.10.1.1
10. Which protocol maps names to IPv6 addresses?
a. Address Resolution Protocol (ARP)
b. Network Discovery (ND)
c. Domain Name System (DNS)
d. DNSv2
11. Which of the following are IPv6 enhancements over IPv4?
a. Larger address space, globally private IP address, multicast
b. Larger address space, globally unique IP addresses, no broadcasts
c. Larger address space, globally private IP address, multicast
d. Larger address space, address auto-configuration, enhanced broadcasts
12. Which of the following supports routing on IPv6 networks?
a. RIPv3, OSPFv3, EIGRP for IPv6
b. RIPng, OSPFv3, EIGRPv6
c. RIPng, OSPFv3, EIGRP for IPv6
d. RIPv2, OSPFv2, EIGRP
13. What changed from the IPv4 header to the IPv6 header?
a. Protocol Type became Next Header field.
b. ND is used rather than ARP.
c. AAAA records are used rather than A records.
d. All of the above.
Foundation Topics
The following sections cover topics that you need to master for the CCDA exam. The section “IPv6 Header” covers each field of the IPv6 header, which helps you understand the
protocol. The section “IPv6 Address Representation” covers the hexadecimal representation of IPv6 addresses and the compressed representation. The section “IPv6 Address
Types” covers unicast, multicast, and anycast IPv6 addresses, special address types, and
the current allocations of IPv6 addresses.
The section “IPv6 Mechanisms” covers Internet Control Message Protocol Version 6
(ICMPv6), ND, address assignment and resolution, and introduces IPv6 routing protocols.
The section “IPv4 to IPv6 Transition Strategies and Deployments” covers dual-stack backbones, IPv6 over IPv4 tunnels, dual-stack hosts, and Network Address Translation-Protocol
Translation (NAT-PT).
Introduction to IPv6
You should become familiar at a high level with IPv6 specifications, addressing, and design. The driving motivation for the adoption of a new version of IP is the limitation imposed by the 32-bit address field in IPv4. In the 1990s, there was concern that the IP
address space would be depleted soon. Although classless interdomain routing (CIDR) and
NAT have slowed down the deployment of IPv6, its standards and deployments are becoming mature. IPv6 is playing a significant role in the deployment of IP services for wireless phones. Some countries such as Japan directed IPv6 compatibility back in 2005.
Other countries, such as China, France, and Korea, have been implementing IPv6. The
2008 Summer Olympics was accessible from the IPv6 Internet. The U.S. federal government had mandated all agencies to support IPv6 by mid 2008. Operating systems such as
Windows 7, Vista, Linux, Mac OS, and others all support IPv6. Google and Facebook are
also accessible in the IPv6 Internet.
The IPv6 specification provides 128 bits for addressing, a significant increase from 32
bits. The overall specification of IPv6 is in RFC 2460. Other RFCs describing IPv6 specifications are 4921, 3513, 3587, 3879, 2373, 2374, 2461, 1886, and 1981.
IPv6 includes the following enhancements over IPv4:
■ Larger address space: IPv6 uses 128-bit addresses rather than the 32-bit addresses in IPv4. This supports more address hierarchy levels and uses simpler address autoconfiguration.
■ Globally unique IP addresses: The additional address space allows each node to have a unique address and eliminates the need for NAT.
■ Header format efficiency: The IPv6 header length is fixed, lowering header processing time and thus allowing vendors to improve packet switching efficiency.
■ Improved option mechanism: IPv6 options are placed in separate optional headers
headers are not required.
■ Address autoconfiguration: This capability provides for dynamic assignment of IPv6 addresses. IPv6 hosts can automatically configure themselves, with or without a Dynamic Host Configuration Protocol (DHCP) server. Stateful and stateless autoconfiguration are supported.
■ Flow labeling capability: Instead of the Type of Service field in IPv4, IPv6 enables the labeling of packets belonging to a particular traffic class for which the sender requests special handling, such as quality of service (QoS) and real-time service. This support aids specialized traffic, such as real-time voice or video.
■ Security capabilities: IPv6 includes features that support authentication and privacy. IP Security (IPsec) is a requirement.
■ Maximum transmission unit (MTU) path discovery: IPv6 eliminates the need to fragment packets by implementing MTU path discovery before sending packets to a destination.
■ Site multihoming: IPv6 allows multihoming by allowing hosts to have multiple IPv6 addresses and networks to have multiple IPv6 prefixes, which facilitates connection to multiple ISPs.
■ Support for mobility and multicast: Mobile IPv6 allows IPv6 nodes to change their location on a network and maintain their existing connections. The mobile node is always reachable via one permanent address.
■ Eliminate the use of broadcasts: IPv6 reduces unnecessary bandwidth use by eliminating broadcasts, replacing them with multicasts.
IPv6 Header
This section covers each field of the IPv6 header. The IPv6 header is simpler than the IPv4
header. Some IPv4 fields have been eliminated or changed to optional fields. The IPv6
header size is 40 bytes. The fragment offset fields and flags in IPv4 have been eliminated
from the header. IPv6 adds a flow label field for QoS mechanisms to use.
The use of 128 bits for source and destination addresses provides a significant improvement over IPv4. With 128 bits, there are 3.4 × 10^38, or 34 billion billion billion billion, IPv6 addresses, compared to only 4.3 billion IPv4 addresses.
IPv6 improves over IPv4 by using a fixed-length header. The IPv6 header appears in Figure 9-1.
The following is a description of each field in the IP header:
■ Version: This field is 4 bits long. It indicates the format, based on the version number, of the IP header. These bits are set to 0110 for IPv6 packets.
■ Traffic Class: This field is 8 bits in length. It describes the class or priority of the IPv6 packet and provides functionality similar to the IPv4 Type of Service field.
■ Flow Label: This field is 20 bits in length. It indicates a specific sequence of packets
data (voice and video).
Figure 9-1 IPv6 Header Format (32-bit rows: Version | Traffic Class | Flow Label; Payload Length | Next Header | Hop Limit; 128-Bit Source Address; 128-Bit Destination Address)
■ Payload Length: This field is 16 bits in length. It indicates the payload’s size in bytes. Its length includes any extension headers.
■ Next Header: This field is 8 bits in length. It indicates the type of header that follows this IPv6 header. In other words, it identifies the upper-layer protocol. It uses values defined by the Internet Assigned Numbers Authority (IANA). Table 9-2 shows some key protocol numbers. You can find a full list at www.iana.org/assignments/protocol-numbers.
Table 9-2 IP Protocol Numbers

Protocol Number   Protocol
6                 Transmission Control Protocol (TCP)
17                User Datagram Protocol (UDP)
50                Encapsulating Security Payload (ESP)
51                Authentication Header (AH)
58                ICMP for IPv6
59                No Next Header for IPv6
60                Destination Options for IPv6
88                Enhanced IGRP (EIGRP)
89                Open Shortest Path First (OSPF)
■ Hop Limit: This field is 8 bits in length. It is decremented by 1 by each router that forwards the packets. If this field is 0, the packet is discarded.
■ Source Address: This field is 128 bits in length. It indicates the sender’s IPv6 address.
■ Destination Address: This field is 128 bits in length. It indicates the destination host’s IPv6 address.
Notice that although the IPv6 address is four times the length of an IPv4 address, the IPv6
header is only twice the length (40 bytes). Optional network layer information is not included in the IPv6 header; instead, it is included in separate extended headers. Some extended headers are the routing header, fragment header, and hop-by-hop options header.
The routing header is used for source routing. The fragment header is included in fragmented datagrams to provide information to allow the fragments to be reassembled. The
hop-by-hop extension header is used to support jumbo-grams.
Two important extended headers are the Authentication Header (AH) and the Encapsulating Security Payload (ESP) header. These headers are covered later in the chapter.
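As an added example, not from the book, the following Python decodes the fixed header of Figure 9-1 from raw bytes and follows the Next Header chain through extension headers to the upper-layer protocol. The packet it parses is constructed inline; the extension-header numbers 0, 43 and 44 come from RFC 2460 and are not in Table 9-2.

```python
import ipaddress
import struct

# Next Header values from Table 9-2, plus the extension-header numbers
# (0, 43, 44; RFC 2460) needed to walk the header chain.
NEXT_HEADER_NAMES = {
    0: "Hop-by-Hop Options",
    6: "Transmission Control Protocol (TCP)",
    17: "User Datagram Protocol (UDP)",
    43: "Routing",
    44: "Fragment",
    50: "Encapsulating Security Payload (ESP)",
    51: "Authentication Header (AH)",
    58: "ICMP for IPv6",
    59: "No Next Header for IPv6",
    60: "Destination Options for IPv6",
    88: "Enhanced IGRP (EIGRP)",
    89: "Open Shortest Path First (OSPF)",
}
EXTENSION_HEADERS = {0, 43, 44, 60}
IPV6_HEADER_LEN = 40  # fixed length; there is no IHL field as in IPv4


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header (Figure 9-1) into its fields."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the fixed IPv6 header")
    # First 32-bit word: 4-bit Version | 8-bit Traffic Class | 20-bit Flow Label,
    # then 16-bit Payload Length, 8-bit Next Header, 8-bit Hop Limit.
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version field is {version})")
    if IPV6_HEADER_LEN + payload_len > len(packet):
        raise ValueError("Payload Length exceeds the bytes captured")
    return {
        "version": version,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
    }


def upper_layer_protocol(packet: bytes) -> tuple:
    """Follow the Next Header chain past any extension headers.

    Returns (protocol_number, offset) where offset is where the upper-layer
    header (TCP, UDP, ICMPv6, ...) begins in the packet.
    """
    hdr = parse_ipv6_header(packet)
    next_hdr, offset = hdr["next_header"], IPV6_HEADER_LEN
    end = IPV6_HEADER_LEN + hdr["payload_length"]  # Payload Length covers extension headers
    while next_hdr in EXTENSION_HEADERS:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        if next_hdr == 44:
            ext_len = 8  # the Fragment header is always 8 octets
        else:
            # Hdr Ext Len counts 8-octet units not including the first 8 octets.
            ext_len = (packet[offset + 1] + 1) * 8
        next_hdr = packet[offset]  # every extension header starts with its own Next Header byte
        offset += ext_len
    if offset > end:
        raise ValueError("extension header runs past Payload Length")
    return next_hdr, offset


def build_sample_packet() -> bytes:
    """Constructed sample: ICMPv6 echo request behind a Hop-by-Hop Options header."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    # Hop-by-Hop: Next Header 58 (ICMPv6), Hdr Ext Len 0 (8 octets), one PadN option.
    hop_by_hop = bytes([58, 0, 1, 4, 0, 0, 0, 0])
    # ICMPv6 echo request: type 128, code 0, checksum left zero (constructed), id 1, seq 1.
    echo_request = bytes([128, 0, 0, 0, 0, 1, 0, 1])
    payload = hop_by_hop + echo_request
    word0 = (6 << 28) | (0 << 20) | 0x12345  # Version 6, Traffic Class 0, Flow Label 0x12345
    fixed = struct.pack("!IHBB", word0, len(payload), 0, 64) + src + dst
    return fixed + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_ipv6_header(pkt))
    proto, off = upper_layer_protocol(pkt)
    print(f"upper-layer protocol {proto} ({NEXT_HEADER_NAMES[proto]}) at offset {off}")
```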
IPv6 Address Representation
RFC 4291 (obsoletes RFC 3513 and RFC 2373) specifies the IPv6 addressing architecture.
IPv6 addresses are 128 bits in length. For display, the IPv6 addresses have eight 16-bit
groups. Each 16-bit group is represented using hexadecimal numbers. (See Appendix C
for a quick review on hexadecimal numbers.) The hexadecimal value is x:x:x:x:x:x:x:x,
where each x represents four hexadecimal digits (16 bits).
An example of a full IPv6 address is 1111111000011010 0100001010111001
0000000000011011 0000000000000000 0000000000000000 0001001011010000
0000000001011011 0000011010110000.
The hexadecimal representation of the preceding IPv6 binary number is
FE1A:42B9:001B:0000:0000:12D0:005B:06B0
Groups with a value of 0 can be represented with a single 0. For example, you can also
represent the preceding number as
FE1A:42B9:01B:0:0:12D0:05B:06B0
You can represent multiple groups of 16-bit 0s with ::, which is allowed to appear only
once in the number. Also, you do not need to represent leading 0s in a 16-bit group. The
preceding IPv6 address can be further shortened to
FE1A:42B9:1B::12D0:5B:6B0
Tip: Remember that the fully expanded address has eight blocks and that the double
colon represents only 0s. You can use the double colon only once.
You expand a compressed address by reversing the process described earlier: add leading
0s in groups where they have been omitted, then add 0s represented by ::. For example,
the IPv6 address 2001:4C::50:0:0:741 expands as follows:
2001:004C::0050:0000:0000:0741
Because there should be eight blocks of addresses and you have six, you can expand the
double colon to two blocks as follows:
2001:004C:0000:0000:0050:0000:0000:0741
IPv4-Compatible IPv6 Addresses
IPv6 allows for IPv4 compatible IPv6 addresses. In a mixed IPv6/IPv4 environment, the
IPv4 portion of the address requires the last two 16-bit blocks, or 32 bits of the address,
which is represented in IPv4 dotted-decimal notation. The portion of the IPv6 address
preceding the IPv4 information is all 0s. Six hexadecimal 16-bit blocks are concatenated
with the dotted-decimal format. The first 96 bits are 0, and the last 32 bits are used for the
IPv4 address. This form is x:x:x:x:x:x:d.d.d.d, where each x represents the hexadecimal
digits and d.d.d.d is the dotted-decimal representation.
An example of a mixed full address is 0000:0000:0000:0000:0000:0000:100.1.1.1; this example can be shortened to 0:0:0:0:0:0:100.1.1.1 or ::100.1.1.1.
RFC 4921 mentions that IPv4-compatible IPv6 addresses have been deprecated since updated IPv6 transition mechanisms no longer use these addresses.
IPv6 Prefix Representation
IPv6 prefixes are represented similar to IPv4, with the following format:
IPv6-address/prefix
The IPv6-address portion is a valid IPv6 address. The prefix portion is the number of
leftmost contiguous bits that represent the prefix. You use the double colon only once in
the representation. An example of an IPv6 prefix is 200C:001b:1100:0:0:0:0:0/40 or
200C:1b:1100::/40.
For another example, look at the representations of the 60-bit prefix 2001000000000ab0:
2001:0000:0000:0ab0:0000:0000:0000:0000/60
2001:0000:0000:0ab0:0:0:0:0/60
2001:0000:0000:ab0::/60
2001:0:0:ab0::/60
The rules for address representation are still valid when using a prefix. The following is not
a valid representation of the preceding prefix:
2001:0:0:ab0/60
The preceding representation is missing the trailing double colon:
2001::ab0/60
2001:0000:0000:0ab0::/60.
When representing an IPv6 host address with its subnet prefix, you combine the two. For
example, the IPv6 address 2001:0000:0000:0ab0:001c:1bc0:08ba:1c9a in subnet prefix
2001:0000:0000:0ab0::/60 is represented as the following:
2001:0000:0000:0ab0:001c:1bc0:08ba:1c9a/60
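The expansion and compression rules above, the mixed x:x:x:x:x:x:d.d.d.d form, and the IPv6-address/prefix notation, as an added Python example (not the book's code) that applies them and rejects forms such as 2001:0:0:ab0/60 that the text calls invalid.

```python
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _dotted_to_groups(text: str) -> list:
    """Turn the d.d.d.d tail of a mixed address into its two 16-bit groups."""
    match = DOTTED_QUAD.match(text)
    if not match:
        raise ValueError(f"bad dotted-decimal part {text!r}")
    octets = [int(o) for o in match.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return [(octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]]


def _parse_groups(parts: list) -> list:
    """Parse colon-separated groups; a dotted-decimal part may only be last."""
    groups = []
    for index, part in enumerate(parts):
        if "." in part:
            if index != len(parts) - 1:
                raise ValueError("dotted-decimal IPv4 part must end the address")
            groups.extend(_dotted_to_groups(part))
        elif HEX_GROUP.match(part):
            groups.append(int(part, 16))  # leading 0s in a group are optional
        else:
            raise ValueError(f"bad 16-bit group {part!r}")
    return groups


def expand(address: str) -> list:
    """Expand any valid textual form into its eight 16-bit groups as integers."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, double_colon, tail = address.partition("::")
    if double_colon and "." in head:
        raise ValueError("dotted-decimal IPv4 part must end the address")
    left = _parse_groups(head.split(":")) if head else []
    right = _parse_groups(tail.split(":")) if tail else []
    if double_colon:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of 0s")
        return left + [0] * missing + right
    if len(left) != 8:
        raise ValueError(f"expected eight 16-bit groups, found {len(left)}")
    return left


def full_form(groups: list) -> str:
    """x:x:x:x:x:x:x:x with all four hex digits in every group."""
    return ":".join(f"{g:04x}" for g in groups)


def compress(groups: list) -> str:
    """Drop leading 0s and replace the longest run of zero groups with '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:  # leftmost run wins a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    words = [f"{g:x}" for g in groups]
    if best_len < 2:  # a single zero group is written as 0, not ::
        return ":".join(words)
    left = ":".join(words[:best_start])
    right = ":".join(words[best_start + best_len:])
    return f"{left}::{right}"


def to_int(groups: list) -> int:
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def parse_prefix(text: str) -> tuple:
    """Parse IPv6-address/prefix; the address part must itself be a complete address."""
    address, slash, length = text.rpartition("/")
    if not slash or not length.isdigit() or not 0 <= int(length) <= 128:
        raise ValueError(f"bad prefix {text!r}")
    return expand(address), int(length)


def is_valid_prefix(text: str) -> bool:
    try:
        parse_prefix(text)
        return True
    except ValueError:
        return False


def in_prefix(address: str, prefix: str) -> bool:
    """True when the leftmost prefix-length bits of address match the prefix."""
    network, length = parse_prefix(prefix)
    mask = ((1 << length) - 1) << (128 - length)
    return to_int(expand(address)) & mask == to_int(network) & mask
```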
IPv6 Address Scope Types and Address Allocations
This section covers the major types of IPv6 addresses. IPv4 addresses are unicast, multicast, or broadcast. IPv6 maintains each of these address functions, except that the IPv6
address types are defined a little differently. A special “all-nodes” IPv6 multicast address
handles the broadcast function. IPv6 also introduces the anycast address type.
Also important to understand are the IPv6 address allocations. Sections of the IPv6 address space are reserved for particular functions, each of which is covered in this section.
To provide you with a full understanding of address types, the following sections describe
each type.
IPv6 Address Allocations
The leading bits of an IPv6 address can define the IPv6 address type or other reservations.
These leading bits are of variable length and are called the format prefix (FP). Table 9-3
shows the allocation of address prefixes. The IPv6 address space was delegated to IANA.
You can find current IPv6 allocations at www.iana.org/assignments/ipv6-address-space.
Many prefixes are still unassigned.
Table 9-3 IPv6 Prefix Allocation

Binary Prefix    Hexadecimal/Prefix   Allocation
0000 0000        0000::/8             Unspecified, loopback, IPv4-compatible
0000 0001        0100::/8             Unassigned
0000 001         0200::/7             Unassigned
0000 010         0400::/7             Reserved for Internetwork Packet Exchange (IPX) allocation
0000 1           0800::/5             Unassigned
0001             1000::/4             Unassigned
001              2000::/3             Global unicast address
010              4000::/3             Unassigned
011              6000::/3             Unassigned
100              8000::/3             Reserved for geographic-based unicast addresses
101              A000::/3             Unassigned
110              C000::/3             Unassigned
1110             E000::/4             Unassigned
1111 0           F000::/5             Unassigned
1111 10          F800::/6             Unassigned
1111 110         FC00::/7             Unique local unicast
1111 1110 0      FE00::/9             Unassigned
1111 1110 10     FE80::/10            Link-local unicast addresses
1111 1110 11     FEC0::/10            Unassigned; was site-local unicast addresses (deprecated)
1111 1111        FF00::/8             Multicast addresses
An unspecified address is all 0s: 0:0:0:0:0:0:0:0. It signifies that an IPv6 address is not
specified for the interface. Unspecified addresses are not forwarded by an IPv6 router.
The IPv6 loopback address is 0:0:0:0:0:0:0:1. This address is similar to the IPv4 loopback
address of 127.0.0.1.
IPv6 Unicast Address
The IPv6 unicast (one-to-one) address is the logical identifier of a single-host interface. With a unicast address, a single source sends to a single destination. It is similar to IPv4 unicast addresses. Unicast addresses are divided into
■ Link-local address scope
■ Unique-local address scope
■ Global aggregatable address scope
■ IPv4-compatible IPv6 addresses
Global Unicast Addresses
IPv6 global addresses connect to the public network. These unicast addresses are globally
unique and routable. This address format is initially defined in RFC 2374. RFC 3587 provides updates to the format.
The original specification defined the address format with a three-layer hierarchy: public
topology, site topology, and interface identifier. The public topology consisted of service
providers that provided transit services and exchanges of routing information. It used a
top-level aggregator (TLA) identifier and a next-level identifier. A site-level aggregator
(SLA) was used for site topology. The site topology is local to the company or site and
RFC 3587. RFC 3587 simplifies these identifiers with a global routing prefix and subnet
identifier for the network portion of the address.
Figure 9-2 shows the format of the standard IPv6 global unicast address. The global routing prefix is generally 48 bits in length, and the subnet ID is 16 bits. The interface ID is 64
bits in length and uniquely identifies the interface on the link.
Figure 9-2 IPv6 Global Unicast Address Format (network portion: 48-bit Global Routing Prefix and 16-bit Subnet ID; host portion: 64-bit Interface ID)
The interface ID is obtained from the 48-bit MAC address of the host. The MAC is converted to the EUI-64 identifier format by inserting the FFFE hexadecimal value between the leftmost and rightmost 24-bit values.
For example, take the MAC address 01:00:0C:A4:BC:D0. The leftmost 24 bits are 01:00:0C and the rightmost 24 bits are A4:BC:D0. By inserting FFFE, the 64-bit IPv6 identifier becomes:
01:00:0C:FF:FE:A4:BC:D0.
Link-Local Addresses
IPv6 link-local addresses are significant only to nodes on a single link. Routers do not forward packets with a link-local source or destination address beyond the local link. Link-local addresses are identified by leading FE8 hexadecimal numbers. Link-local addresses are
configured automatically or manually.
As shown in Figure 9-3, the format of the link-local address is an FP of 1111111010, followed by 54 0s and a 64-bit interface identifier (ID). The interface ID is obtained from the
device MAC address and verified automatically through communication with other nodes
in the link. The interface ID is then concatenated with the link-local address prefix of
FE80::/64 to obtain the interface link-local address.
Figure 9-3 IPv6 Link-Local Address Format (10 bits 1111 1110 10 | 54 bits of 0 | 64-bit Interface ID)
Unique Local IPv6 Address
addresses. As shown in Figure 9-4, the format of the unique local address is an FP of 1111
110 (FC00::/7) followed by global ID, followed by the subnet ID and then the 64-bit interface identifier (ID). The bit labeled L is set to 1 if the prefix is locally assigned, and setting
it to 0 has not been defined.
Figure 9-4 IPv6 Unique Local Address (7 bits 1111 110, FC00::/7 | L bit | 40-bit Global ID | 16-bit Subnet ID | 64-bit Interface ID)
Global Aggregatable IPv6 Address
Global aggregatable unicast addresses allow the aggregation of routing prefixes. This allows a reduction of the number of routes in the global routing table. These addresses are
used in links to aggregate (summarize) routes upwards to the core in large organizations or
to ISPs. Global aggregatable addresses are identified by the fixed prefix of 2000::/3. As
shown in Figure 9-5, the format of the global aggregatable IPv6 address is a global routing
prefix starting with binary 001, followed by the subnet ID and then the 64-bit interface
identifier (ID). The device MAC address is normally used as the interface ID.
Figure 9-5 IPv6 Link-Local Address Format (001 | 48-bit Global Routing Prefix | 16-bit Subnet ID | 64-bit Interface ID)
IPv4-Compatible IPv6 Address
IPv4-compatible IPv6 addresses begin with 96 binary 0s (six 16-bit groups) followed by
the 32-bit IPv4 address, as in 0:0:0:0:0:0:130.100.50.1 or just ::130.100.50.1. IPv4-compatible IPv6 addresses have been deprecated since updated transition mechanisms no longer
require this format.
IPv6 Anycast Addresses
The IPv6 anycast (one-to-nearest) address identifies a set of devices. An anycast address
mon characteristics and are explicitly configured for anycast.
You can use the anycast address to identify a set of routers or servers within an area.
When a packet is sent to the anycast address, it is delivered to the nearest device as determined by the routing protocol. An example of the use of anycast addresses is to assign an
anycast address to a set of servers—one in North America, and the other in Europe. Users
in North America would be routed to the North American server, and those in Europe to
the European server.
You cannot use an anycast address as a source address. Also, you must explicitly configure the nodes to which the anycast address is assigned to recognize the anycast address.
IPv6 Multicast Addresses
The IPv6 multicast (one-to-many) address identifies a set of hosts. The packet is delivered
to all the hosts identified by that address. This type is similar to IPv4 multicast (Class D)
addresses. IPv6 multicast addresses also supersede the broadcast function of IPv4 broadcasts. You use an “all-nodes” multicast address instead. One additional function of IPv6
multicast is to provide the IPv4 broadcast equivalent with the all-nodes multicast group.
Some IPv6 multicast addresses are
FF01:0:0:0:0:0:0:1—Indicates all-nodes address for interface-local scope.
FF02:0:0:0:0:0:0:2—All-routers address for link-local.
RFC 4291 specifies the format of IPv6 multicast addresses. As shown in Figure 9-6, the
fields of the IPv6 multicast address are the FP, a value of 0xFF, followed by a 4-bit flags
field, a 4-bit scope field, and 112 bits for the group identifier (ID). Again, a quick way to
recognize an IPv6 multicast address is that it begins with FF::/8.
Figure 9-6 Multicast Address Format (8 bits 11111111 | 4-bit FLGS | 4-bit SCOP | 112-bit Group ID)
The FLGS (flags) field consists of three leading 0s followed by a T bit: 000T. If T = 0, the
address is a well-known multicast address assigned by the global IANA. If T = 1, the address is not a permanently assigned address.
The SCOP (scope) field limits the scope of the multicast group. Table 9-4 shows the assigned scope values.
Table 9-4 Multicast Scope Assignments

SCOP (Binary)   SCOP (Hexadecimal)   Assignment
0000            0                    Reserved
0001            1                    Node-local scope
0010            2                    Link-local scope
0011            3                    Unassigned
0100            4                    Admin-local scope
0101            5                    Site-local scope
0110            6                    Unassigned
0111            7                    Unassigned
1000            8                    Organization-local scope
1001            9                    Unassigned
1010            A                    Unassigned
1011            B                    Unassigned
1100            C                    Unassigned
1101            D                    Unassigned
1110            E                    Global scope
1111            F                    Reserved
The group ID identifies the multicast group within the given scope. The group ID is independent of the scope. A group ID of 0:0:0:0:0:0:1 identifies nodes, whereas a group ID of
0:0:0:0:0:0:2 identifies routers. Some well-known multicast addresses appear in Table 9-5
associated with a variety of scope values.
Table 9-5 Well-Known IPv6 Multicast Addresses

Multicast Address   Multicast Group
FF01::1             All nodes (node-local)
FF02::1             All nodes (link-local)
FF01::2             All routers (node-local)
FF02::2             All routers (link-local)
FF02::5             Open Shortest Path First Version 3 (OSPFv3)
FF02::6             OSPFv3 designated routers
FF02::9             Routing Information Protocol (RIPng)
FF02::A             EIGRP routers
FF02::B             Mobile agents
FF02::C             DHCP servers/relay agents
FF02::D             All Protocol Independent Multicast (PIM) routers
FF05::1             All nodes in the local network site
FF0x::FB            Multicast DNS
FF02::1:2           All DHCP and relay agents on the local network site (RFC 3313)
FF05::1:3           All DHCP servers on the local network site (RFC 3313)
Table 9-6 summarizes the IPv6 address types.
Table 9-6 IPv6 Address Types

Description                                                                                  IPv6 Address Type
The IP address of an interface on a single host. It can be a source or destination address.   Unicast
An IP address that identifies a set of devices within an area. It is only a destination address.   Anycast
An IP address that reaches a group of hosts identified by the address. It is only a destination address.   Multicast
The CCDA should know how to identify address types based on the prefix. Table 9-7 summarizes the prefixes and their respective address types.
Table 9-7 IPv6 Address Prefixes

IPv6 Address Prefix   IPv6 Address Type
0000::0001            Loopback
0000::0000            Unspecified address
2000::/3              Global unicast address
FC00::/7              Unique local unicast
FE80::/10             Link-local unicast address
FF00::/8              Multicast address
FF02::5               OSPFv3
FF02::A               EIGRP routers
FF02::C               DHCP
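As an added example (not from the book), this Python classifies an address from its leading bits as Tables 9-3 and 9-7 describe and, for a multicast address, decodes the FLGS T bit, the SCOP field (Table 9-4) and the group ID; the well-known group names are a subset of Table 9-5, and the sample addresses in the comments are constructed.

```python
import ipaddress

# Assigned multicast scope values from Table 9-4.
MULTICAST_SCOPES = {
    0x0: "reserved",
    0x1: "node-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
    0xF: "reserved",
}

# A subset of the well-known groups from Table 9-5, keyed by compressed form.
WELL_KNOWN_MULTICAST = {
    "ff01::1": "All nodes (node-local)",
    "ff02::1": "All nodes (link-local)",
    "ff02::2": "All routers (link-local)",
    "ff02::5": "OSPFv3 routers",
    "ff02::6": "OSPFv3 designated routers",
    "ff02::9": "RIPng routers",
    "ff02::a": "EIGRP routers",
    "ff02::1:2": "All DHCP servers and relay agents (link-local)",
    "ff05::1:3": "All DHCP servers (site-local)",
}


def classify(text: str) -> dict:
    """Identify the address type from its leading bits (Tables 9-3 and 9-7)."""
    value = int(ipaddress.IPv6Address(text))
    result = {"address": str(ipaddress.IPv6Address(value))}
    if value == 0:
        result["type"] = "unspecified"
    elif value == 1:
        result["type"] = "loopback"
    elif value >> 32 == 0:
        # 96 zero bits followed by a 32-bit IPv4 address (deprecated form).
        result["type"] = "IPv4-compatible"
        result["ipv4"] = str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    elif value >> 120 == 0xFF:  # FF00::/8
        result["type"] = "multicast"
        flags = (value >> 116) & 0xF   # FLGS: 000T
        scope = (value >> 112) & 0xF   # SCOP
        result["flags"] = flags
        result["transient"] = bool(flags & 0x1)  # T = 0: IANA-assigned, T = 1: not permanent
        result["scope"] = MULTICAST_SCOPES.get(scope, "unassigned")
        result["group_id"] = value & ((1 << 112) - 1)
        result["well_known"] = WELL_KNOWN_MULTICAST.get(result["address"])
    elif value >> 118 == 0x3FA:  # FE80::/10, leading bits 1111 1110 10
        result["type"] = "link-local unicast"
    elif value >> 118 == 0x3FB:  # FEC0::/10, deprecated site-local
        result["type"] = "site-local unicast (deprecated)"
    elif value >> 121 == 0x7E:  # FC00::/7, leading bits 1111 110
        result["type"] = "unique local unicast"
        result["locally_assigned"] = bool((value >> 120) & 0x1)  # the L bit
        result["global_id"] = (value >> 80) & ((1 << 40) - 1)
    elif value >> 125 == 0b001:  # 2000::/3
        result["type"] = "global unicast"
    else:
        result["type"] = "reserved or unassigned"
    return result


if __name__ == "__main__":
    # Constructed samples: the quiz's link-local address, a documentation-prefix
    # global address, a unique local address and the all-nodes group.
    for sample in ("FE80::300:34BC:123F:1010", "2001:db8::1", "fd12:3456:789a::1", "FF02::1"):
        print(classify(sample))
```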
IPv6 Mechanisms
The changes to the 128-bit address length and IPv6 header format modified the underlying protocols that support IP. This section covers ICMPv6, IPv6 ND, address resolution, address assignment, and IPv6 routing protocols. These protocols must now support 128-bit addresses. For example, DNS adds a new record locator for resolving fully qualified domain names (FQDN) to IPv6 addresses. IPv6 also replaces ARP with the IPv6 ND protocol. IPv6 ND uses ICMPv6.
ICMPv6
ICMP needed some modifications to support IPv6. RFC 2463 describes the use of
ICMPv6 for IPv6 networks. All IPv6 nodes must implement ICMPv6 to perform network
layer functions. ICMPv6 performs diagnostics (ping), reports errors, and provides reachability information. Although IPv4 ICMP uses IP protocol 1, IPv6 uses a next header number of 58.
Informational messages are
■ Echo request
■ Echo reply
Some error messages are
■ Destination unreachable
■ Packet too big
■ Time exceeded
■ Parameter problem
The destination-unreachable messages also provide further details:
■ No route to destination
■ Destination administratively prohibited
■ Address unreachable
■ Port unreachable
Other IPv6 mechanisms use ICMPv6 to determine neighbor availability, path MTU, destination address, or port reachability.
IPv6 Neighbor Discovery Protocol
IPv6 does not implement the ARP that is used in IPv4. Instead, IPv6 implements the
Neighbor Discovery (ND) protocol described in RFC 2461. Hosts use ND to implement
plug-and-play functions that discover all other nodes in the same link, check for duplicate
the primary fails.
The IPv6 ND protocol performs the following functions:
■ Stateless address autoconfiguration: The host can determine its full IPv6 address without the use of DHCP.
■ Duplicate address detection: The host can determine whether the address it will use is already in use on the network.
■ Prefix discovery: The host finds out the link’s IPv6 prefix.
■ Parameter discovery: The host finds out the link’s MTU and hop count.
■ Address resolution: The host can determine the MAC address of other nodes without the use of ARP.
■ Router discovery: The host finds local routers without the use of DHCP.
■ Next-hop determination: The host can determine a destination’s next hop.
■ Neighbor unreachability detection: The host can determine whether a neighbor is no longer reachable.
■ Redirect: The host can tell another host if a preferred next hop exists to reach a particular destination.
IPv6 ND uses ICMPv6 to implement some of its functions. These ICMPv6 messages are
■ Router Advertisement (RA): Sent by routers to advertise their presence and link-specific parameters
■ Router Solicitation (RS): Sent by hosts to request RA from local routers
■ Neighbor Solicitation (NS): Sent by hosts to request link layer addresses of other hosts (also used for duplicate address detection)
■ Neighbor Advertisement (NA): Sent by hosts in response to an NS
■ Redirect: Sent to a host to notify it of a better next hop to a destination
The link address resolution process uses NS messages to obtain a neighbor’s link layer address. Nodes respond with a NA message that contains the link layer address.
IPv6 Name Resolution
Name resolution for IPv6 addresses can be static or dynamic. Just as with IPv4, static
names to IPv6 addresses can be manually configured in the host configuration file. Dynamic name resolution relies on the Domain Name System (DNS).
IPv4 uses A records to provide FQDN name-to-IPv4 address resolution. DNS adds a resource record (RR) to support name-to-IPv6-address resolution. RFC 3596 describes the
addition of a new DNS resource record type to support transition to IPv6 name resolution. The new record type is AAAA, commonly known as “quad-A.” Given a domain
name, the AAAA record returns an IPv6 address to the requesting host.
RFC 2874 specifies another DNS record for IPv6; it defines the A6 resource record. The
RR. But RFC 3363 has changed the status of the A6 RR to deprecated.
Current DNS implementations need to be able to support A (for IPv4) and AAAA resource records, with type A having the highest priority and AAAA the lowest.
For hosts that support dual-stack (IPv4 and IPv6), the application decides which stack to use and accordingly requests an AAAA or A record. As shown in Figure 9-7, the client device requests the AAAA record of the destination IPv6 server. The DNS server returns the IPv6 address. Note that this is the same DNS server that supports IPv4 addresses; no separate DNS servers are needed for IPv6 networks.
Figure 9-7 IPv6 DNS AAAA Request (Client → Local DNS: AAAA?; Local DNS → Client: IPv6 Address; Client reaches the IPv6 Server across the IPv6 Network)
Path MTU Discovery
IPv6 does not allow packet fragmentation throughout the internetwork. Only sending hosts are allowed to fragment. Routers are not allowed to fragment packets. RFC 2460 specifies that the MTU of every link in an IPv6 network must be 1280 bytes or greater. RFC 1981 recommends that nodes implement IPv6 path MTU discovery to determine whether any paths are greater than 1280 bytes. ICMPv6 packet-too-big error messages determine the path MTU. Nodes along the path send the ICMPv6 packet-too-big message to the sending host if the packet is larger than the outgoing interface MTU.
Figure 9-8 shows a host sending a 2000-byte packet. Because the outgoing interface MTU
is 1500 bytes, Router A sends an ICMPv6 packet-too-big error message back to Host A.
The sending host then sends a 1500-byte packet. The outgoing interface MTU at Router B
is 1300 bytes. Router B sends an ICMPv6 packet-too-big error message to Host A. Host A
then sends the packet with 1300 bytes.
IPv6 Address-Assignment Strategies
Assignment of IPv6 addresses to a host can be static or dynamically configured. Static IPv6 address assignment just involves manual configuration in the host’s configuration files. Dynamic IPv6 address assignment can be done in one of three ways:
■ Stateless autoconfiguration of link-local address
■ Stateless autoconfiguration of globally unique address
■ Stateful configuration with DHCPv6
Link-Local Address (Stateless Autoconfiguration)
method, without DHCP. Hosts obtain their link-local addresses automatically as an
interface is initialized. First, the host performs a duplicate address-detection process. The
host joins the all-nodes multicast group to receive neighbor advertisements from other
nodes. The neighbor advertisements include the subnet or prefix associated with the link.
The host then sends a neighbor-solicitation message with the tentative IP address (interface
identifier) as the target. If a host is already using the tentative IP address, that host replies
with a neighbor advertisement. If the host receives no neighbor advertisement, the target
IP address becomes the link-local address of the originating host. It uses the link-local
prefix FE80::. An alternate is to manually configure the link-local address.
[Figure 9-8 ICMPv6 Packet-Too-Big Message: Host A (mtu 2000) sends a 2000-byte packet; Router A (mtu 1500) replies "ICMPv6 Packet Too Big, MTU = 1500"; Host A sends 1500 bytes; Router B (mtu 1300) replies "ICMPv6 Packet Too Big, MTU = 1300"; Host A sends 1300 bytes]
Autoconfiguration of Globally Unique IP Address
RFC 2462 describes stateless autoconfiguration. With autoconfiguration of globally unique IP addresses, IPv6 hosts can use a stateless autoconfiguration method, without DHCP, to acquire their own IP address information. It is done on a per-interface basis. As shown in Figure 9-9, after a host has autoconfigured a link-local address, it listens for router advertisement messages. These router messages contain the prefix address to be used for the network. The IPv6 address is then formed from the prefix plus the interface ID (derived from the MAC address).
[Figure 9-9 Stateless Autoconfiguration: the Router advertises the Prefix; the host combines Prefix + Interface ID (from its MAC Address) to form the Autoconfigured IPv6 Address]
Table 9-8 summarizes IPv6 address schemes.
Table 9-8 IPv6 Address Autoconfiguration Scheme
IPv6 Address Configuration Scheme | Description
Stateless link-local | Host sends a neighbor-solicitation message that includes the target IPv6 address that begins with FE80::.
Stateless global unique | Combines the router prefix with the local MAC address.
DHCPv6 | Provides stateful address allocation.
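An added example (not from the book) of the Figure 9-9 and Table 9-8 combination of the advertised /64 prefix with an interface ID derived from the MAC address, in Python. The interface ID is built with the modified EUI-64 procedure of RFC 4291 (Appendix A), which is what "derived from the MAC address" refers to; the prefix and MAC values are constructed, and the embedded_mac helper is this example's own addition for reading such addresses back.

```python
"""Added example (not from the book): forming a stateless-autoconfigured IPv6
address as in Figure 9-9: router-advertised /64 prefix + interface ID derived
from the MAC address.

The interface ID follows the modified EUI-64 procedure (RFC 4291, Appendix A):
split the 48-bit MAC, insert FF:FE in the middle and invert the
universal/local bit. All prefixes and MACs used here are constructed samples.
"""
import ipaddress
import re

LINK_LOCAL_PREFIX = "fe80::/64"   # FE80:: is the link-local prefix named in the text


def mac_to_modified_eui64(mac):
    """Return the 64-bit interface identifier as 8 bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address")
    octets = bytearray(bytes.fromhex(digits))
    octets[0] ^= 0x02                       # invert the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def autoconfigure(prefix, mac):
    """Combine a /64 prefix (from a router advertisement) with the
    MAC-derived interface ID, as the host does after hearing the RA."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = mac_to_modified_eui64(mac)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def link_local_address(mac):
    """The FE80::/64 address the host forms first, before any RA is heard."""
    return autoconfigure(LINK_LOCAL_PREFIX, mac)


def embedded_mac(addr):
    """Recover the MAC from an EUI-64 interface ID, or None if the ID was not
    built that way (DHCPv6, manual configuration, privacy addresses).

    Useful when reading logs: an EUI-64 address ties traffic to one NIC even
    as the host moves between prefixes.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                       # undo the U/L bit inversion
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1A:2B:3C:4D:5E"               # constructed sample MAC
    print(link_local_address(mac))          # fe80::21a:2bff:fe3c:4d5e
    print(autoconfigure("2001:db8:1:2::/64", mac))  # 2001:db8:1:2:21a:2bff:fe3c:4d5e
```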
DHCPv6
DHCPv6 is the updated version of DHCP that provides dynamic IP address assignment for
IPv6 hosts. DHCPv6 is described in RFC 3315. It provides the same functions as DHCP,
with more control than stateless autoconfiguration, and it supports renumbering without
routers. DHCPv6 assignment is stateful, whereas IPv6 link-local and global unique autoconfiguration is not.
IPv6 Security
IPv6 has two integrated mechanisms to provide security for communications. It natively supports IP Security (IPsec). IPsec is mandated at the operating-system level for all IPv6 hosts. RFC 2401 describes IPsec. Extension headers carry the IPsec AH and ESP headers. The AH provides authentication and integrity. The ESP header provides confidentiality by encrypting the payload. For IPv6, the AH defaults to message digest algorithm 5 (MD5), and the ESP encryption defaults to Data Encryption Standard-cipher block chaining (DES-CBC).
A description of the IPsec mechanisms appears in Chapter 13, “Security Solutions.” More
information also appears in RFC 2402, IP Authentication Header, and in RFC 2406, IP Encapsulating Security Payload (ESP).
Table 9-9 summarizes IPv6 mechanisms.
Table 9-9 IPv6 Mechanisms
IPv6 Mechanism | Description
ICMPv6 | Performs diagnostics and reachability information. Next header number of 58.
IPv6 neighbor discovery | Discovers all nodes in the same link and checks for duplicate addresses.
AAAA | DNS resource record for IPv6.
DHCPv6 | Provides stateful IPv6 address assignment.
RIPng | Routing protocol that uses UDP port 521.
EIGRP for IPv6 | Cisco routing protocol for IPv6.
OSPFv3 | Link-state routing protocol for IPv6.
IPv6 Routing Protocols
New routing protocols have been developed to support IPv6, such as RIPng, Intermediate
System-to-Intermediate System (IS-IS), Enhanced Interior Gateway Routing Protocol
(EIGRP) for IPv6, and Open Shortest Path First Version 3 (OSPFv3) Protocol. Border
Gateway Protocol (BGP) also includes changes that support IPv6. These routing protocols
are only briefly mentioned here because they are covered in detail in Chapter 10, “Routing
Protocol Characteristics, RIP, and EIGRP,” and Chapter 11, “OSPF, BGP, Route Manipulation, and IP Multicast.”
RIPng
RFC 2080 describes changes to RIP to support IPv6 networks, called RIP next generation
(RIPng). RIP mechanisms remain the same. RIPng still has a 15-hop limit, counting to infinity, and split horizon with poison reverse. Instead of User Datagram Protocol (UDP)
port 520 for RIPv2, RIPng uses UDP port 521. RIPng supports IPv6 addresses and prefixes. Cisco IOS software currently supports RIPng. RIPng uses multicast group FF02::9
for RIP updates to all RIP routers.
EIGRP for IPv6
Cisco has developed EIGRP support for IPv6 networks to route IPv6 prefixes. EIGRP for
IPv6 is configured and managed separately from EIGRP for IPv4; no network statements
are used. EIGRP for IPv6 retains all the characteristics (network discovery, DUAL, modules) and functions of EIGRP for IPv4. EIGRP uses multicast group FF02::A for EIGRP
updates.
OSPFv3
RFC 2740 describes OSPFv3 to support IPv6 networks. OSPF algorithms and mechanisms (flooding, designated router [DR] election, areas, shortest path first [SPF] calculations) remain the same. Changes are made for OSPF to support IPv6 addresses, address
hierarchy, and IPv6 for transport. Cisco IOS software currently supports OSPFv3.
OSPFv3 uses multicast group FF02::5 for all OSPF routers and FF02::6 for all DRs.
IS-IS for IPv6
Specifications for routing IPv6 with integrated IS-IS are currently an Internet draft of the
IETF. The draft specifies new type, length, and value (TLV) objects, reachability TLVs, and
for IPv6 as currently described in the draft standard.
BGP4 Multiprotocol Extensions (MP-BGP) for IPv6
RFC 2545 specifies the use of BGP attributes for passing on IPv6 route information. MP-BGP is also referred to as BGP4+. The MP_REACH_NLRI (multiprotocol-reachable) attribute describes reachable destinations. It includes the next-hop address and a list of Network Layer Reachability Information (NLRI) prefixes of reachable networks. The MP_UNREACH_NLRI (multiprotocol-unreachable) attribute conveys unreachable networks. IOS currently supports these BGP4 multiprotocol attributes to communicate reachability information for IPv6 networks.
IPv4 to IPv6 Transition Mechanisms and Deployment Models
This section describes transition mechanisms and deployment models to migrate from IPv4 to IPv6. During a transition time, both protocols can coexist in the network. The three major transition mechanisms are
■ Dual-stack (IPv4 and IPv6 coexist in hosts and networks.)
■ Tunneling (IPv6 packets are encapsulated into IPv4 packets.)
■ Translation (IPv6 packets are translated to IPv4 packets.)
IPv6 deployment models are also divided into three major categories:
■ Dual-stack model (IPv4 and IPv6 coexist on hosts and network.)
■ Hybrid model (combination of Intra-Site Automatic Tunneling Protocol (ISATAP) or manually configured tunnels and dual-stack mechanisms)
■ Service block model (combination of ISATAP and manually configured tunnels and dual-stack mechanisms)
Each model provides several advantages and disadvantages; familiarize yourself with
those. Of all these models, the dual-stack model is recommended because it requires no
tunneling and is easier to manage.
Dual-Stack Mechanism
Devices running dual-stack can communicate with both IPv4 and IPv6 devices. The IPv4 protocol stack is used between IPv4 hosts, and the IPv6 protocol stack is used between IPv6 hosts. The application decides which stack to use to communicate with destination hosts. As shown in Figure 9-10, when a frame is received, the Ethernet type code identifies whether the packet needs to be forwarded to IPv4 (0x0800) or IPv6 (0x86DD). When using dual stacks, a host also uses DNS to determine which stack to use to reach a destination. If DNS returns an IPv6 (AAAA record) address to the host, the host uses the IPv6 stack. If DNS returns an IPv4 (A record) address to the host, the host uses the IPv4 stack.
IPv6 over IPv4 Tunnels
nels. With tunneling, IPv6 traffic is encapsulated within IPv4 packets so that they are sent
over the IPv4 WAN. The advantage of this method is that you do not need separate circuits to connect the IPv6 networks. A disadvantage of this method is the increased protocol overhead of the encapsulated IPv6 headers. Tunnels are created manually,
semiautomatically, or automatically.
[Figure 9-10 Dual-Stack Mechanism: Application over TCP/UDP over the IPv4 and IPv6 stacks; Ethernet hands frames to IPv4 for type 0x0800 and to IPv6 for type 0x86DD]
For manually configured (static configuration) tunnels, the tunnels are configured with
IPv4 and IPv6 addresses for tunnel source and destination. Tunnels can be built between
border routers or between routers and hosts.
In semiautomatic configured tunnels, a tunnel broker is used. The tunnel broker is a server
on the IPv4 network that receives requests from dual-stack clients and builds a tunnel on
the tunnel router and associates it with the client.
Automatic tunnel mechanisms are
■ IPv4 compatible
■ 6to4
■ 6over4
■ ISATAP
IPv4-compatible tunnels use IPv4-compatible addresses. This mechanism does not scale, and IPv4-compatible addresses have been deprecated, so this mechanism is appropriate only for testing.
RFC 3056 specifies the 6to4 method for transition by assigning an interim unique IPv6
prefix. 2002::/16 is the assigned range for 6to4. Each 6to4 site uses a /48 prefix that is
concatenated with 2002. The border router extracts the IPv4 address that is embedded in
forwards it to the IPv6 destination.
Figure 9-11 shows a network using IPv4 tunnels. Site A and Site B both have IPv4 and
IPv6 networks. The IPv6 networks are connected using an IPv4 tunnel in the WAN.
[Figure 9-11 IPv6 over IPv4 Tunnels: IPv6 Site A and IPv6 Site B are joined by an IPv4 Tunnel across the IPv4 WAN; IPv4 Site A and IPv4 Site B attach to the same WAN]
6over4 is another tunnel method that requires an IPv4 multicast-enabled network. IPv6
multicast packets get encapsulated into IPv4 multicast packets to communicate with other
6over4 hosts. 6over4 is of limited practical use.
Another method to tunnel IPv6 over IPv4 is the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). With ISATAP, a tunnel is created between dual-stack hosts or routers to transmit IPv6 packets over an IPv4 network. Unlike the 6over4 mechanism, ISATAP does not require the IPv4 network to be multicast enabled.
With ISATAP, the link-local address is generated by concatenating FE80:0000:0000:0000:0000:5EFE: with the IPv4 address expressed in hexadecimal. For example, with IPv4 address 192.168.10.10 the link-local address is FE80:0000:0000:0000:0000:5EFE:C0A8:0A0A. ISATAP also requires the use of a routable address (for example, a global unicast IPv6 address that uses the same 0000:5EFE IANA-reserved value for the interface ID along with the 32-bit IPv4 embedded address).
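An added example (not the book's) covering both the 6to4 prefix rule above (2002: followed by the site's IPv4 address, giving a /48) and the ISATAP interface ID just described (0000:5EFE: plus the IPv4 address), together with the reverse step the text attributes to the 6to4 border router, extracting the embedded IPv4 address. The acceptance of 0200:5EFE comes from RFC 5214 rather than this page, and all IPv4 addresses are constructed samples.

```python
"""Added example (not from the book): the IPv4-embedding rules used by ISATAP
and 6to4, and the reverse lookup a border router performs when it reads the
IPv4 tunnel endpoint out of a 6to4 or ISATAP address.

All IPv4 and IPv6 values used below are constructed samples.
"""
import ipaddress

# 0000:5EFE is the IANA-reserved ISATAP interface-ID prefix named in the text;
# RFC 5214 additionally allows 0200:5EFE (u-bit set) for a global IPv4 address.
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")
SIXTOFOUR_RANGE = ipaddress.IPv6Network("2002::/16")   # RFC 3056 assigned range
RFC1918 = tuple(ipaddress.IPv4Network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def isatap_address(prefix, ipv4):
    """Return <prefix>:0000:5EFE:<ipv4> for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(net.network_address.packed[:8]
                                 + ISATAP_IID_PREFIXES[0] + v4.packed)


def isatap_link_local(ipv4):
    """FE80::5EFE:<ipv4>, the form worked in the text for 192.168.10.10."""
    return isatap_address("fe80::/64", ipv4)


def sixtofour_prefix(ipv4):
    """Return the 2002:<ipv4>::/48 site prefix for a site's IPv4 address.

    6to4 embeds the site's public IPv4 address, so an RFC 1918 address would
    yield a prefix no relay could route back to; reject it up front.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in RFC1918):
        raise ValueError(f"{v4} is private; 6to4 needs a public IPv4 address")
    prefix_bytes = SIXTOFOUR_RANGE.network_address.packed[:2] + v4.packed + bytes(10)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix_bytes)}/48")


def embedded_ipv4(addr):
    """Extract the IPv4 address embedded in a 6to4 or ISATAP address.

    This is the border-router step the text describes: the IPv4 tunnel
    endpoint is read straight out of the IPv6 address. Returns None for
    addresses that carry no embedded IPv4 endpoint.
    """
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    if a in SIXTOFOUR_RANGE:
        return ipaddress.IPv4Address(raw[2:6])      # bits 16..47 of 2002:V4V4:V4V4::
    if raw[8:12] in ISATAP_IID_PREFIXES:
        return ipaddress.IPv4Address(raw[12:16])    # low 32 bits of the interface ID
    return None


if __name__ == "__main__":
    print(isatap_link_local("192.168.10.10"))       # fe80::5efe:c0a8:a0a
    print(sixtofour_prefix("198.51.100.7"))         # 2002:c633:6407::/48
    print(embedded_ipv4("2002:c633:6407::1"))       # 198.51.100.7
```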
Protocol Translation Mechanisms
One of the mechanisms for an IPv6-only host to communicate with an IPv4-only host without using dual stacks is protocol translation. Translation is basically an extension to IPv4 NAT techniques. Some techniques are
■ Application layer gateways (ALG): These use dual stacks and allow one host on the IPv4 domain to communicate with the host on the IPv6 domain.
■ Application programming interfaces (API): An API module intercepts IP traffic through an API and converts it for the IPv6 counterpart.
■ Translation techniques:
(DSTM).
DSTM proposes the use of a dual stack that uses IPv4 addresses only when needed and
the use of IPv4 over IPv6 tunneling to reach a destination IPv4 address. It is used when
there is an IPv6-only backbone but an application needs to reach an IPv4 address.
RFC 2766 describes NAT-PT, which provides translation between IPv6 and IPv4 hosts.
NAT-PT operates similarly to the NAT mechanisms to translate IPv4 private addresses to
public address space. NAT-PT binds addresses in the IPv6 network to addresses in the
IPv4 network and vice versa. Figure 9-12 shows a network using NAT-PT. RFC 4699 is a
recent Informational RFC that recommends that NAT-PT be placed into historical status
and recommends against its use (although the protocol is still supported in IOS).
[Figure 9-12 Network Address Translation-Protocol Translation: NAT-PT sits between IPv6 Site A and IPv4 Site B]
Cisco also introduces the Cisco 6PE for Multiprotocol Label Switching (MPLS) service
providers. Cisco 6PE allows IPv6 islands to communicate over an MPLS/IPv4 core network using MPLS label-switched paths (LSP). The Cisco 6PE routers are dual stack. The
method relies on BGP extensions in the IPv4 6PE routers to exchange IPv6 reachability information, along with an MPLS label for each IPv6 address prefix announced.
IPv6 Deployment Models
Deployment of IPv6 can be done in one of the following models:
■ Dual-stack model (IPv4 and IPv6 coexist on hosts and network)
■ Hybrid model (combination of ISATAP or manually configured tunnels and dual-stack mechanisms)
■ Service block model (combination of ISATAP and manually configured tunnels and dual-stack mechanisms)
Dual-Stack Model
In the dual-stack model, both devices and the network routers and switches all run both
IPv4 and IPv6 protocol stacks. The applications on the devices decide which stack to use
to communicate with destination hosts. Or DNS is used to decide which stack to use. A
DNS AAAA RR return uses IPv6, and a DNS A RR return uses IPv4. Because most mature operating systems are now supporting IPv6, this is the preferred technique for transition to IPv6. Figure 9-13 shows a dual-stack network where both protocols reside. Older
IPv4 sites that have not migrated to the dual-stack model can communicate
the network with other IPv4 devices.
[Figure 9-13 Dual-Stack Network Address Translation-Protocol Translation: a Dual-Stack Backbone (IPv4 and IPv6) connects Site A (IPv4 only), Site B (IPv4 and IPv6), Site C (IPv4 and IPv6), and Site D (IPv4 and IPv6)]
Hybrid Model
The hybrid model uses a combination of transition mechanisms. The transition mechanisms used are based on multiple network criteria such as number of hosts, IPv6-capable hardware, and location of IPv6 services. The hybrid model uses a combination of transition mechanisms:
■ Dual-stack mechanism
■ ISATAP
■ Manually configured tunnels
The hybrid model can be used to tunnel a dual-stack host on an IPv4 access layer to an
IPv6 core. As shown in Figure 9-14, the dual-stack computer establishes an ISATAP tunnel
to the core layer to access services from the dual-stack server on the right.
Another scenario is to tunnel dual-stack distribution layers over an IPv4-only core. As
shown in Figure 9-15, the dual-stack computer on the left can access the dual-stack server
on the right via the manually configured tunnels. Multiple tunnels are configured to provide redundancy and load balancing.
Service Block Model
In the service block model, a centralized layer that services dual-stack devices is created
with tunnels manually configured between the distribution layer and the service block.
Dual-stack hosts also connect via ISATAP tunnels. In Figure 9-16, the dual-stack client on
the left connects to the service block to establish connectivity with the dual-stack server
on the right.
[Figure 9-14 IPv6 Hybrid Model with ISATAP Tunnel: the Dual-Stack Client at the Access Layer reaches, through the Distribution and Core Layers, the Dual-Stack Infrastructure (IPv4 and IPv6) holding the Dual-Stack Server, over a Primary ISATAP Tunnel and a Secondary ISATAP Tunnel]
[Figure 9-15 IPv6 Hybrid Model with Manually Configured Tunnels: the Dual-Stack Client and the Dual-Stack Server each sit in a Dual-Stack Infrastructure (IPv4 and IPv6) behind Access and Distribution Layers; Manually Configured Tunnels cross the Core Layer]
[Figure 9-16 Service Block Deployment Model: the Dual-Stack Client at the Access Layer reaches the Service Block (IPv4 and IPv6) over ISATAP Tunnels; Manually Configured Tunnels connect the Distribution Layer to the service block; the Dual-Stack Server sits in the Dual-Stack Infrastructure (IPv4 and IPv6)]
IPv6 Deployment Model Comparison
Table 9-10 summarizes the advantages and disadvantages of the IPv6 deployment models.
Table 9-10 IPv6 Deployment Model Comparison
IPv6 Deployment Model | Advantages | Disadvantages
Dual-stack model | Tunneling not required. Better processing performance. IPv4 & IPv6 independent routing, QoS, security, and multicast policies. | Network equipment upgrades.
Hybrid model 1 | Existing network can be leveraged with no upgrades. | IPv6 multicast not supported within ISATAP tunnels. Terminating ISATAP tunnels in core makes the core appear to be in IPv6 access layer.
Hybrid model 2 | IPv4 and IPv6 have independent routing, QoS, security, and multicast policies. | Many static tunnels, which makes it difficult to manage.
Service block model | Lesser impact on existing network. Flexible when controlling access to IPv6-enabled applications. | Large amounts of tunneling. Cost of additional equipment.
Table 9-11
name. Study this table for the test.
Table 9-11 IPv6 Deployment Models
IPv6 Deployment Model | Description
Dual-stack model | All routers and hosts run IPv6 and IPv4.
Hybrid model | Uses ISATAP or manually configured tunnels to allow dual-stack clients to connect to dual-stack servers over an IPv4 core.
Service block model | Uses ISATAP and manually configured tunnels to a service module.
IPv6 Comparison with IPv4
This section provides a summary comparison of IPv6 to IPv4. Become knowledgeable
about the characteristics summarized in Table 9-12. The use of 128 bits over 32 bits is an
obvious change. The upper-layer protocol is identified with the Next Header field in IPv6,
which was the Protocol Type field used in IPv4. ARP is replaced by IPv6 ND.
Table 9-12 IPv6 and IPv4 Characteristics
Characteristic | IPv6 | IPv4
Address length | 128 bits | 32 bits
Address representation | Hexadecimal | Dotted-decimal
Header length | Fixed (40 bytes) | Variable
Upper-layer protocols | Next Header field | Protocol Type field
Link address resolution | ND | ARP
Address configuration | Stateless autoconfiguration or stateful DHCP | Stateful DHCP
DNS (name-to-address resolution) | AAAA records | A records
Interior routing protocols | EIGRPv6, OSPFv3, RIPng, IS-IS for IPv6 | EIGRP, OSPFv2, RIPv2, IS-IS
Classification and marking | Traffic Class and Flow Label fields, differentiated services code point (DSCP) | IP Precedence bits, Type of Service field, DSCP
Private addresses | Unique-local addresses | RFC 1918 private address space
Fragmentation | Sending host only | Sending host and intermediate routers
Loopback address | 0:0:0:0:0:0:0:1 | 127.0.0.1
Address scope types | Unicast, anycast, multicast | Unicast, multicast, broadcast
References and Recommended Readings
RFC 3056, Connection of IPv6 Domains via IPv4 Clouds, www.ietf.org/rfc.
RFC 2740, OSPF for IPv6, www.ietf.org/rfc.
RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, www.ietf.org/rfc.
RFC 2874, DNS Extensions to Support IPv6 Address Aggregation and Renumbering, www.ietf.org/rfc.
RFC 2460, Internet Protocol, Version 6 (IPv6) Specification, www.ietf.org/rfc.
Doyle, J. and J. Carroll. Routing TCP/IP, Volume I, Second Edition. Indianapolis: Cisco Press, 2005.
Doyle, J. and J. Carroll. Routing TCP/IP, Volume II. Indianapolis: Cisco Press, 2001.
RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6), www.ietf.org/rfc.
RFC 2373, IP Version 6 Addressing Architecture, www.ietf.org/rfc.
RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, www.ietf.org/rfc.
RFC 3587, IPv6 Global Unicast Address Format, www.ietf.org/rfc.
RFC 2374, An IPv6 Aggregatable Global Unicast Address Format, www.ietf.org/rfc.
Hopps, C. Routing IPv6 for IS-IS (draft), www.simpleweb.org/ietf/internetdrafts/complete/draft-ietf-isis-ipv6-03.txt.
RFC 3879, Deprecating Site Local Addresses, www.ietf.org/rfc.
Implementing IPv6 Networks Training, www.cisco.com/application/pdf/en/us/guest/tech/tk373/c1482/ccmigration_09186a008019d70b.pdf.
RFC 2401, Security Architecture for the Internet Protocol, www.ietf.org/rfc.
RFC 2402, IP Authentication Header, www.ietf.org/rfc.
RFC 2406, IP Encapsulating Security Payload (ESP), www.ietf.org/rfc.
RFC 2080, RIPng for IPv6, www.ietf.org/rfc.
RFC 2545, Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing, www.ietf.org/rfc.
RFC 1981, Path MTU Discovery for IP version 6, www.ietf.org/rfc.
RFC 2461, Neighbor Discovery for IP Version 6 (IPv6), www.ietf.org/rfc.
RFC 1886, DNS Extensions to Support IP Version 6, www.ietf.org/rfc.
RFC 2766, Network Address Translation – Protocol Translation (NAT-PT), www.ietf.org/rfc.
RFC 4291, IP Version 6 Addressing Architecture, www.ietf.org/rfc.
www.cisco.com/web/strategy/docs/gov/IPv6FedGov_wp.pdf.
RFC 3363, Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name System (DNS), www.ietf.org/rfc.
Cisco IOS IPv6 Provider Edge Router (6PE) over MPLS, www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008052edd3.html.
www.isatap.org/.
RFC 5214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), www.ietf.org/rfc.
IPv6 Extension Headers Review and Considerations, www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 9-13 lists a reference of these key topics and the page
numbers on which each is found.
Table 9-13 Key Topics
Key Topic Element | Description | Page
List | Lists the enhancements of IPv6 over IPv4 | 308
Summary | Describes each field of the IPv6 header | 309
Summary | Describes how IPv6 addresses are represented | 311
Summary | Describes unicast address types | 314
Summary | Describes anycast address types | 316
Summary | Describes multicast address types | 317
Summary | Describes mechanisms such as ICMPv6, IPv6 ND, and address resolution | 320
List | Describes stateless autoconfiguration or stateful DHCP address assignment | 322
List | Describes dual-stack, tunneling, and translation transition mechanisms | 326
List | Describes dual-stack, hybrid model, and service block model deployment models | 329
Table 9-12 | Summarizes IPv6 characteristics as they compare with IPv4 | 333
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory
Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
ALG, AGI, ICMPv6, IANA, ID, ISATAP, FQDN, DHCPv6, IPsec, MTU, NAT-PT, ND,
RIPng, OSPFv3, MP-BGP
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. True or false: OSPFv2 supports IPv6.
2. True or false: DNS AAAA records are used in IPv6 networks for name-to-IPv6-address resolution.
3. Fill in the blank: IPv6 ND is similar to what _______ does for IPv4 networks.
4. How many bits are there between the colons of IPv6 addresses?
5. The first field of the IPv6 header is 4 bits in length. What binary number is it
always set to?
6. True or false: DHCP is required for dynamic allocation of IPv6 addresses.
7. IPv6 multicast addresses begin with what hexadecimal numbers?
8. IPv6 link-local addresses begin with what hexadecimal prefix?
9. True or false: ISATAP allows tunneling of IPv6 through IPv4 networks.
10. List the eight fields of the IPv6 header.
11. Which of the following is not an IPv6 address type?
a. Unicast
b. Broadcast
c. Anycast
d. Multicast
12. True or false: The IPv6 address 2001:0:0:1234:0:0:0:abcd can be represented as
2001::1234:0:0:0:abcd and 2001:0:0:1234::abcd.
13. What is the subnet prefix of 2001:1:0:ab0:34:ab1:0:1/64?
14. The IPv6 address has 128 bits. How many hexadecimal numbers does
address have?
15. What type of IPv6 address is the following?
FF01:0:0:0:0:0:0:2
16. What is the compact format of the address 2102:0010:0000:0000:0000:fc23:0100:00ab?
a. 2102:10::fc23:01:ab
b. 2102:001::fc23:01:ab
c. 2102:10::fc23:100:ab
d. 2102:0010::fc23:01:ab
17. When using the dual-stack backbone, which of the following statements is correct?
a. The backbone routers have IPv4/IPv6 dual stacks, and end hosts do not.
b. The end hosts have IPv4/IPv6 dual stacks, and backbone routers do not.
c. Both the backbone routers and end hosts have IPv4/IPv6 dual stacks.
d. Neither the backbone routers nor end hosts have IPv4/IPv6 dual stacks.
18. How does a dual-stack host know which stack to use to reach a destination?
a. It performs an ND, which returns the destination host type.
b. It performs a DNS request that returns the IP address. If the returned address is IPv4, the host uses the IPv4 stack. If the returned address is IPv6, the host uses the IPv6 stack.
c. The IPv6 stack makes a determination. If the destination is IPv4, the packet is sent to the IPv4 stack.
d. The IPv4 stack makes a determination. If the destination is IPv6, the packet is sent to the IPv6 stack.
19. What protocol numbers are used by Ethernet to identify IPv4 versus IPv6?
a. Protocol 6 for IPv4 and protocol 17 for IPv6.
b. 0x86DD for IPv6 and 0x0800 for IPv4.
c. 0x8000 for IPv4 and 0x86DD for IPv6.
d. 0x0800 for both IPv4 and IPv6; they are identified in the packet layer.
20. Which of the following describes the IPv6 header? (Select two.)
a. It is 40 bytes in length.
b. It is of variable length.
c. The Protocol Number field describes the upper-layer protocol.
d. The Next Header field describes the upper-layer protocol.
21. Which of the following is true about fragmentation?
a. Routers between source and destination hosts can fragment IPv4 and IPv6 packets.
b. Routers between source and destination hosts cannot fragment IPv4 and IPv6 packets.
c. Routers between source and destination hosts can fragment IPv6 packets only. IPv4 packets cannot be fragmented.
d. Routers between source and destination hosts can fragment IPv4 packets only. IPv6 packets cannot be fragmented.
22. A packet sent to an anycast address reaches what?
a. The nearest destination in a set of hosts
b. All destinations in a set of hosts
c. Broadcasts to all hosts
d. Global unicast destinations
23. Which of the following is/are true about IPv6 and IPv4 headers?
a. The IPv6 header is of fixed length, and the Next Header field describes the upper-layer protocol.
b. The IPv4 header is of variable length, and the Protocol field describes the upper-layer protocol.
c. The IPv6 header is of fixed length, and the Protocol field describes the upper-layer protocol.
d. A and B
e. B and C
24. An organization uses an IPv6 address range that it received from its ISP. The IPv6 addresses will be used internally, and employees will access the Internet using Port Address Translation. What is required for DNS?
a. DNS servers need to support only IPv4 addresses.
b. DNS servers need to support only IPv6 addresses.
c. No changes are needed to the DNS servers.
d. DNS servers need to support both IPv4 and IPv6 addresses.
e. Additional DNS servers for IPv6 addresses are needed.
f. DNS servers are not needed for PAT.
25. Which statements about IPv6 addresses are true? (Select two.)
a. Leading 0s are required.
b. Two colons (::) are used to separate fields.
c. Two colons (::) are used to represent successive hexadecimal fields of 0s.
d. A single interface will have multiple IPv6 addresses of different types.
26. You have duplicate file servers at multiple locations. Which IPv6 address type allows each end station to send a request to the nearest file server using the same destination address, regardless of the location of that end station?
a. Anycast
b. Broadcast
c. Unicast
d. Global unicast
e. Multicast
27. Which strategy allows both IPv4 and IPv6 addressing/stacks to coexist on a host to facilitate a migration?
a. Deploy NAT-PT between the networks.
b. Hosts run IPv4 and routers run native IPv6.
c. Enable anycast in the routing protocol.
d. Run both IPv4 and IPv6 address stacks on devices.
e. Redistribute between the IPv4 and IPv6 networks.
28. Which strategy would be most flexible for a corporation with the following characteristics?
2,400,000 hosts
11,000 routers
Internet connectivity
High volume of traffic with customers and business partners
a. Deploy NAT-PT between business and Internet networks.
b. Hosts run IPv4 and routers run native IPv6.
c. Both hosts and routers run dual stack.
d. Enable anycast in the routing protocol.
e. Redistribute between the IPv4 and IPv6 networks.
29. What is the hierarchy for IPv6 aggregatable addresses?
a. Global, site, loop
b. Public, site, interface
c. Internet, site, interface
d. Multicast, anycast, unicast
30. NAT-PT translates between what address types?
a. Translates RFC 1918 private addresses to public IPv4 addresses
b. Translates between IPv4 and IPv6 addresses
c. Translates between network addresses and IPv6 ports
d. Translates between private IPv6 addresses to public IPv6 addresses
31. In a network where IPv6 exists within an IPv4 network, which two strategies allow both schemes to coexist? (Select two.)
a. Translate between the protocols.
b. Hosts run IPv4 and routers run native IPv6.
c. Encapsulate IPv6 packets into IPv4 packets.
d. Enable anycast in the routing protocol.
e. Redistribute between the IPv4 and IPv6 networks.
32. Which IPv6 feature enables routing to distribute connection requests to the nearest content server?
a. Anycast
b. Link-local
c. Aggregatable
d. Multicast
e. Site-local
33. Which statement best describes the efficiency of the IPv6 header?
a. It is less efficient than the IPv4 header.
b. It has the same efficiency as the IPv4 header; the larger IPv6 address makes it faster.
c. It is more efficient than the IPv4 header.
d. It is larger than the IPv4 header.
34. What does one-to-nearest communication mean for IPv6?
a. Anycast
b. Broadcast
c. Multicast
d. Unicast
35. Which tunneling protocol allows dual-stack hosts to tunnel over an IPv4 network that is not multicast enabled?
a. 6to4
b. 6over4
c. IPsec
d. ISATAP
Questions 36 through 39 are based on the following scenario and Figure 9-17.
[Figure 9-17 Company Adds Sites A and B: IPv6 Site A, IPv6 Site B, IPv4 Site C, and IPv4 Site D all attach to the IPv4 WAN]
A company has an existing WAN that uses IPv4. Sites C and D use IPv4. As shown in
Figure 9-17, the company plans to add two new locations (Sites A and B). The new sites
will implement IPv6. The company does not want to lease more WAN circuits.
36. What options does the company have to connect Site A to Site B?
37. What mechanism needs to be implemented so that IPv6 hosts can communicate with
IPv4 hosts and vice versa?
38. If a dual-stack backbone is implemented, do all WAN routers and all hosts need an
IPv6-IPv4 dual stack?
39. If an IPv4 tunnel is implemented between Sites A and B, do all WAN routers require
an IPv6-IPv4 dual stack?
CHAPTER 10
Routing Protocol Characteristics, RIP, and EIGRP
This chapter covers the following subjects:
■ Routing Protocol Characteristics
■ Routing Protocol Metrics and Loop Prevention
■ RIPv2 and RIPng
■ EIGRP
This chapter covers the metrics used and other characteristics of routing protocols. Routing protocols can be categorized as distance-vector or link-state and as hierarchical or flat.
The CCDA must understand how each routing protocol is categorized to select the one
that meets the customer’s requirements. This chapter covers the routing protocols at a high
level. The following chapters go into more detail about the operations and algorithms used
in each routing protocol.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 10-1 outlines the major topics discussed in this chapter and the “Do I Know This
Already?” quiz questions that correspond to those topics.
Table 10-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section                    | Questions Covered in This Section
Routing Protocol Characteristics             | 1, 2, 4, 7, 8
Routing Protocol Metrics and Loop Prevention | 6, 9
RIPv2 and RIPng                              | 1, 5, 8
EIGRP                                        | 3, 7, 8, 9, 10
1. Which of the following routing protocols are classful?
a. Routing Information Protocol Version 1 (RIPv1) and RIPv2
b. Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF)
c. Intermediate System-to-Intermediate System (IS-IS) and OSPF
d. RIPv1 only
2. Which type of routing protocol would you use when connecting to an Internet service provider?
a. Classless routing protocol
b. Interior gateway protocol
c. Exterior gateway protocol
d. Classful routing protocol
3. Which routing protocol is distance vector and classless?
a. RIPv2
b. EIGRP
c. OSPF
d. IS-IS
4. Which type of routing protocol sends periodic routing updates?
a. Static
b. Distance vector
c. Link state
d. Hierarchical
5. Which distance-vector routing protocol is used for IPv6 networks?
a. OSPFv2
b. RIPng
c. OSPFv3
d. BGPv3
6. Which of the following is true regarding routing metrics?
a. If the metric is bandwidth, the path with the lowest bandwidth is selected.
b. If the metric is bandwidth, the path with the highest bandwidth is selected.
c. If the metric is bandwidth, the highest sum of the bandwidth is used to calculate the highest cost.
d. If the metric is cost, the path with the highest cost is selected.
7. Both OSPF and EIGRP are enabled on a router with default values. Both protocols have a route to a destination network in their databases. Which route is entered into the routing table?
a. The OSPF route.
b. The EIGRP route.
c. Both routes are entered with load balancing.
d. Neither route is entered; an error has occurred.
8. Which of the following are classless routing protocols?
a. RIPv1 and RIPv2
b. EIGRP and RIPv2
c. IS-IS and OSPF
d. Answers B and C
9. Which parameters are included in the computation of the EIGRP composite metric used by default?
a. Bandwidth and load
b. Bandwidth and delay
c. Bandwidth and reliability
d. Bandwidth and maximum transmission unit (MTU)
10. Which routing protocol implements the Diffusing Update Algorithm (DUAL)?
a. IS-IS
b. IGRP
c. EIGRP
d. OSPF
Foundation Topics
This chapter covers the high-level characteristics of routing protocols and their metrics.
You should become familiar with the different categories of routing protocols and their
characteristics for the exam. Understand how each metric is used and, based on the metric, which path is preferred. For example, you need to know that a path with the highest
bandwidth is preferred over a path with lower bandwidth. This chapter also covers distance vector routing protocols: RIPv2, RIPng, and EIGRP.
Routing Protocol Characteristics
This section discusses the different types and characteristics of routing protocols.
Characteristics of routing-protocol design are
■ Distance-vector, link-state, or hybrid: How routes are learned
■ Interior or exterior: For use in private networks or the public Internet
■ Classless (classless interdomain routing [CIDR] support) or classful: CIDR enables aggregation of network advertisements (supernetting) between routers
■ Fixed-length or variable-length subnet masks (VLSM): Conserve addresses within a network
■ Flat or hierarchical: Addresses scalability in large internetworks
■ IPv4 or IPv6: Newer routing protocols are used for IPv6 networks
This section also covers the default administrative distance assigned to routes learned
from each routing protocol or from static assignment. Routes are categorized as statically
(manually) configured or dynamically learned from a routing protocol. The following sections cover all these characteristics.
Static Versus Dynamic Route Assignment
Static routes are manually configured on a router. They do not react to network outages. The
one exception is when the static route specifies the outbound interface: In this situation, if
the interface goes down, the static route is removed from the routing table. Because static
routes are unidirectional, they must be configured for each outgoing interface the router will
use. The size of today’s networks makes it impossible to manually configure and maintain all
the routes in all the routers in a timely manner. Human configuration can involve many mistakes. Dynamic routing protocols were created to address these shortcomings. They use algorithms to advertise, learn about, and react to changes in the network topology.
The main benefit of static routing is that a router generates no routing protocol overhead. Because no routing protocol is enabled, no bandwidth is consumed by route advertisements between network devices, and there is no routing protocol for an attacker on the link to spoof or poison. Another benefit of static routing is that it is easier to configure and troubleshoot than dynamic routing protocols. Static routing is
remote site because the hub is the only route used to reach all other sites. Static routes are
also used at network boundaries (Internet or partners) where routing information is not
exchanged. These static routes are then redistributed into the internal dynamic routing
protocol used.
Figure 10-1 shows a hub-and-spoke WAN where static routes are defined in the remote
WAN routers because no routing protocols are configured. This setup eliminates routing
protocol traffic on the low-bandwidth WAN circuits.
Figure 10-1 Static Routes in a Hub-and-Spoke Network (dynamic routing runs in the core; static routes are configured on the slow-speed 56-k, 64-k, and 128-k WAN links to the remote sites)
Routing protocols dynamically determine the best route to a destination. When the network topology changes, the routing protocol adjusts the routes without administrative intervention. Routing protocols use a metric to determine the best path toward a destination
network. Some use a single measured value such as hop count. Others compute a metric
value using one or more parameters. Routing metrics are discussed later in this chapter.
The following is a list of dynamic routing protocols:
■ RIPv1
■ RIPv2
■ IGRP
■ EIGRP
■ OSPF
■ IS-IS
■ RIPng
■ OSPFv3
■ EIGRP for IPv6
■ Border Gateway Protocol (BGP)
Interior Versus Exterior Routing Protocols
Routing protocols can be categorized as interior gateway protocols (IGP) or exterior gateway protocols (EGP). IGPs are meant for routing within an organization’s administrative
domain (in other words, the organization’s internal network). EGPs are routing protocols
used to communicate with exterior domains, where routing information is exchanged between administrative domains. Figure 10-2 shows where an internetwork uses IGPs and
EGPs with multiple autonomous administrative domains. BGP exchanges routing information between the internal network and an ISP. IGPs appear in the internal private network.
Figure 10-2 Interior and Exterior Routing Protocols (the internal network uses IGPs such as RIPv2, EIGRP, OSPF, and IS-IS; the connection to the ISP uses an EGP, BGP)
One of the first EGPs was called exactly that: Exterior Gateway Protocol. Today, BGP is
the de facto (and the only available) EGP.
Potential IGPs for an IPv4 network are
■ RIPv2
■ OSPF
■ IS-IS
■ EIGRP
Potential IGPs for an IPv6 network are
■ RIPng
■ OSPFv3
■ EIGRP for IPv6
RIPv1 is no longer recommended because of its limitations. RIPv2 addresses many of the
limitations of RIPv1 and is the most recent version of RIP. IGRP is an earlier version of
EIGRP. RIPv1 and IGRP are no longer CCDA exam topics. Table 10-2 provides a quick
high-level summary of which protocol should be selected.
Table 10-2 IGP and EGP Protocol Selection
Description                                                                    | Routing Protocol
Used to connect to an ISP                                                      | BGP
IGP used in enterprise networks; supports large networks and multivendor environments | OSPF
IGP used in large enterprise networks with Cisco routers                       | EIGRP
Distance-Vector Routing Protocols
The first IGP routing protocols introduced were distance-vector routing protocols. They
used the Bellman-Ford algorithm to build the routing tables. With distance-vector routing
protocols, routes are advertised as vectors of distance and direction. The distance metric is
usually router hop count. The direction is the next-hop router (IP address) toward which
to forward the packet. For RIP, the maximum number of hops is 15, which can be a serious limitation, especially in large nonhierarchical internetworks.
Distance-vector algorithms call for each router to send its entire routing table to only its
immediate neighbors. The table is sent periodically (30 seconds for RIP). In the period between advertisements, each router builds a new table to send to its neighbors at the end of
the period. Because each router relies on its neighbors for route information, it is commonly said that distance-vector protocols “route by rumor.”
Having to wait half a minute for a new routing table with new routes is too long for today’s
networks. This is why distance-vector routing protocols have slow convergence.
RIPv2 and RIPng can send triggered updates—full routing table updates sent before the
update timer has expired. A router can receive a routing table with 500 routes with only
one route change, which creates serious overhead on the network (another drawback). Furthermore, RFC 2091 updates RIP with triggered extensions to allow triggered updates
with only route changes. Cisco routers support this on fixed point-to-point interfaces.
The following is a list of IP distance-vector routing protocols:
■ RIPv1 and RIPv2
■ EIGRP (which could be considered a hybrid)
■ RIPng
EIGRP
link-state routing protocol characteristics. Although EIGRP uses distance-vector metrics,
it sends partial updates and maintains neighbor state information just as link-state protocols do. EIGRP does not send periodic updates as other distance-vector routing protocols
do. The important thing to consider for the test is that EIGRP could be presented as a hybrid protocol. EIGRP metrics and mechanisms are discussed later in this chapter.
Link-State Routing Protocols
Link-state routing protocols address some of the limitations of distance-vector protocols.
When running a link-state routing protocol, routers originate information about themselves (IP addresses), their connected links (the number and types of links), and the state
of those links (up or down). The information is flooded to all routers in the network as
changes in the link state occur. Each router makes a copy of the information received and
forwards it without change. Each router independently calculates the best paths to each
destination network by using the Dijkstra shortest path algorithm, creating a shortest path
tree with itself as the root, and maintains a map of the network.
After the initial exchange of information, link-state updates are not sent unless a change in
the topology occurs. Routers do send small hello messages between neighbors to maintain
neighbor relationships. If no updates have been sent, the link-state route database is refreshed after 30 minutes.
The following is a list of link-state routing protocols:
■ OSPF
■ IS-IS
■ OSPFv3
OSPF, OSPFv3, and IS-IS are covered in Chapter 11, “OSPF, BGP, Route Manipulation,
and Multicast.”
Distance-Vector Routing Protocols Versus Link-State Protocols
When choosing a routing protocol, consider that distance-vector routing protocols use
more network bandwidth than link-state protocols. Distance-vector protocols generate
more bandwidth overhead because of the large periodic routing updates. Link-state routing protocols do not generate significant routing update overhead but do use more router
CPU and memory resources than distance-vector protocols. Generally, WAN bandwidth is
a more expensive resource than router CPU and memory in modern devices.
Table 10-3 compares distance-vector to link-state routing protocols.
Table 10-3 Distance-Vector Versus Link-State Routing Protocols
Characteristic   | Distance Vector            | Link State
Scalability      | Limited                    | Good
Convergence      | Slow                       | Fast
Routing overhead | More traffic               | Less traffic
Implementation   | Easy                       | More complex
Protocols        | RIPv1, RIPv2, EIGRP, RIPng | OSPF, IS-IS, OSPFv3
EIGRP is a distance-vector protocol with link-state characteristics (hybrid) that give it high
scalability, fast convergence, less routing overhead, and relatively easy configuration. If
“distance-vector” is not an answer to a question, then “hybrid” would be a valid option.
Hierarchical Versus Flat Routing Protocols
Some routing protocols require a network topology that must have a backbone network
defined. This network contains some, or all, of the routers in the internetwork. When the
internetwork is defined hierarchically, the backbone consists of only some devices. Backbone routers service and coordinate the routes and traffic to or from routers not in the local internetwork. The supported hierarchy is relatively shallow. Two levels of hierarchy are
generally sufficient to provide scalability. Selected routers forward routes into the backbone. OSPF and IS-IS are hierarchical routing protocols. By default, EIGRP is a flat routing protocol, but it can be configured with manual summarization to support hierarchical
designs.
Flat routing protocols do not allow a hierarchical network organization. They propagate
all routing information throughout the network without dividing or summarizing large
networks into smaller areas. Carefully designing network addressing to naturally support
aggregation within routing-protocol advertisements can provide many of the benefits offered by hierarchical routing protocols. Every router is a peer of every other router in flat
routing protocols; no router has a special role in the internetwork. EIGRP, RIPv1, and
RIPv2 are flat routing protocols.
Classless Versus Classful Routing Protocols
Routing protocols can be classified based on their support of VLSM and CIDR. Classful
routing protocols do not advertise subnet masks in their routing updates; therefore, the
configured subnet mask for the IP network must be the same throughout the entire internetwork. Furthermore, the subnets must, for all practical purposes, be contiguous within
the larger internetwork. For example, if you use a classful routing protocol for network
130.170.0.0, you must use the chosen mask (such as 255.255.255.0) on all router interfaces
using the 130.170.0.0 network. You must configure serial links with only two hosts and
LANs with tens or hundreds of devices with the same mask of 255.255.255.0. The big disadvantage of classful routing protocols is that the network designer cannot take advantage
of address summarization across networks (CIDR) or allocation of smaller or larger subnets within an IP network (VLSM). For example, with a classful routing protocol that uses
a default mask of /25 for the entire network, you cannot assign a /30 subnet to a serial
point-to-point circuit. Classful routing protocols are
■ RIPv1
■ IGRP (this protocol is not a test topic)
Classless routing protocols advertise the subnet mask with each route. You can configure
subnetworks of a given IP network number with different subnet masks (VLSM). You can
configure large LANs with a smaller subnet mask and configure serial links with a larger
subnet mask, thereby conserving IP address space. Classless routing protocols also allow
flexible route summarization and supernetting (CIDR). You create supernets by aggregating classful IP networks. For example, 200.100.100.0/23 is a supernet of 200.100.100.0/24
and 200.100.101.0/24. Classless routing protocols are
■ RIPv2
■ OSPF
■ EIGRP
■ IS-IS
■ RIPng
■ OSPFv3
■ EIGRP for IPv6
■ BGP
IPv4 Versus IPv6 Routing Protocols
With the increasing use of the IPv6 protocol, the CCDA must be prepared to design networks using IPv6 routing protocols. As IPv6 was defined, routing protocols needed to be
updated to support the new IP address structure. None of the IPv4 routing protocols support IPv6 networks, and none of the IPv6 routing protocols are backward compatible with
IPv4 networks. But both protocols can coexist on the same network, each with its own
routing protocol. Devices with dual stacks recognize which protocol is being used by the
IP Version field in the IP header.
RIPng is the IPv6-compatible RIP routing protocol. EIGRP for IPv6 is the new version of EIGRP that supports IPv6 networks. OSPFv3 was developed for IPv6, and OSPFv2 remains for IPv4. IPv6 routing with IS-IS, first described in Internet drafts, is now specified in RFC 5308. Multiprotocol extensions for BGP provide IPv6 support for BGP. Table 10-4 summarizes IPv4 versus IPv6 routing protocols.
Table 10-4 IPv4 and IPv6 Routing Protocols
IPv4 Routing Protocols | IPv6 Routing Protocols
RIPv2                  | RIPng
EIGRP                  | EIGRP for IPv6
OSPFv2                 | OSPFv3
IS-IS                  | IS-IS for IPv6
BGP                    | Multiprotocol BGP
Administrative Distance
On Cisco routers running more than one routing protocol, it is possible for two different
routing protocols to have a route to the same destination. Cisco routers assign each routing protocol an administrative distance. When multiple routes exist for a destination, the
router selects the longest match. For example, if to reach a destination of 170.20.10.1
OSPF has a route prefix of 170.20.10.0/24 and EIGRP has a route prefix of 170.20.0.0/16,
the OSPF route is preferred because the /24 prefix is longer than the /16 prefix. It is more
specific.
If two or more routing protocols offer the same route (with same prefix length) for inclusion in the routing table, the Cisco IOS router selects the route with the lowest administrative distance.
The administrative distance is a rating of the trustworthiness of a routing information
source. Table 10-5 shows the default administrative distance for configured (static) or
learned routes. In the table, you can see that static routes are trusted over dynamically
learned routes. Within IGP routing protocols, EIGRP internal routes are trusted over
OSPF, IS-IS, and RIP routes.
Table 10-5 Default Administrative Distances for IP Routes
IP Route                                       | Administrative Distance
Connected interface                            | 0
Static route directed to a connected interface | 1
Static route directed to an IP address         | 1
EIGRP summary route                            | 5
External BGP route                             | 20
Internal EIGRP route                           | 90
IGRP route                                     | 100
OSPF route                                     | 110
IS-IS route                                    | 115
RIP route                                      | 120
EGP route                                      | 140
External EIGRP route                           | 170
Internal BGP route                             | 200
Route of unknown origin                        | 255
The administrative distance establishes the precedence used among routing algorithms.
Suppose a router has an EIGRP route to network 172.20.10.0/24 with the best path out
administrative distance of 90 and OSPF has an administrative distance of 110, the router
enters the EIGRP route in the routing table and sends packets with destinations of
172.20.10.0/24 out Ethernet 0.
Static routes have a default administrative distance of 1 whether they point to a next-hop address or to an exit interface; a static route that points to a connected interface is displayed as directly connected in show ip route, but it is still installed with distance 1, as Table 10-5 shows. You can configure a static route with a different distance by appending the distance value to the end of the ip route command. A static route given a distance higher than that of the dynamic protocol (a floating static route) stays out of the routing table while the dynamically learned route exists and is installed only when that route disappears, which is the usual way to provide a backup path.
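The two selection rules of this section, longest prefix match first and lowest administrative distance second, are easy to get wrong when reading a routing table, so here is an added example that models them. It is not code from the Cert Guide or from IOS; the prefixes, next hops, and the floating static route with distance 250 are constructed for the illustration, and the distances come from Table 10-5.

```python
# Added example (not from the CCDA guide or IOS): how a router chooses the
# routing-table entry for a destination among routes from several sources.
# Rule 1: longest prefix match. Rule 2: among equal prefixes, lowest AD.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances from Table 10-5
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20,
    "eigrp": 90, "igrp": 100, "ospf": 110, "isis": 115, "rip": 120,
    "egp": 140, "eigrp-external": 170, "ibgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: str                    # e.g. "170.20.10.0/24"
    source: str                    # key into ADMIN_DISTANCE
    next_hop: str
    distance: Optional[int] = None  # explicit override, e.g. a floating static route

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.source] if self.distance is None else self.distance


def install(candidates):
    """Build the routing table: for each prefix keep only the route(s) with the
    lowest administrative distance (equal distances stay as a tie)."""
    table = {}
    for r in candidates:
        best = table.get(r.network)
        if best is None or r.admin_distance < best[0].admin_distance:
            table[r.network] = [r]
        elif r.admin_distance == best[0].admin_distance:
            best.append(r)
    return table


def lookup(table, destination):
    """Longest-prefix match against the installed table; returns the winning
    route list (usually one entry) or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, routes) for net, routes in table.items() if dst in net]
    if not matches:
        return None
    net, routes = max(matches, key=lambda m: m[0].prefixlen)
    return routes


def demo():
    """Constructed scenario: the /24 vs /16 case from the text, an EIGRP/OSPF
    tie on the same prefix, and a floating static that waits for EIGRP to fail."""
    candidates = [
        Route("170.20.10.0/24", "ospf", "10.1.1.2"),
        Route("170.20.0.0/16", "eigrp", "10.1.2.2"),
        Route("172.20.10.0/24", "eigrp", "10.1.2.2"),
        Route("172.20.10.0/24", "ospf", "10.1.1.2"),
        Route("172.20.10.0/24", "static", "10.1.3.2", distance=250),
    ]
    table = install(candidates)
    first = lookup(table, "170.20.10.1")[0].source   # OSPF: /24 is more specific than /16
    second = lookup(table, "172.20.10.5")[0].source  # EIGRP: AD 90 beats 110 and 250
    # EIGRP adjacency lost: OSPF now owns the prefix; the floating static still waits
    table = install([r for r in candidates if r.source != "eigrp"])
    third = lookup(table, "172.20.10.5")[0].source   # OSPF
    return first, second, third
```

Note that administrative distance is only consulted between routes for the same prefix; a less trusted protocol with a more specific prefix always wins, which is why an injected /32 from a low-trust source can hijack traffic that a /16 from a trusted source was carrying.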
Table 10-6 provides a summary of routing protocol characteristics.
Table 10-6 Routing Protocol Characteristics
Routing Protocol | Distance Vector or Link State | Interior or Exterior | Classful or Classless | Administrative Distance
RIPv2            | DV                            | Interior             | Classless             | 120
EIGRP            | DV (hybrid)                   | Interior             | Classless             | 90 (internal), 170 (external)
OSPF             | LS                            | Interior             | Classless             | 110
IS-IS            | LS                            | Interior             | Classless             | 115
BGP              | Path vector                   | Both                 | Classless             | 20 (external), 200 (internal)
Routing Protocol Metrics and Loop Prevention
Routing protocols use a metric to determine best routes to a destination. Some routing
protocols use a combination of metrics to build a composite metric for best path selection. This section describes metrics and also covers routing loop-prevention techniques.
You must understand each metric for the CCDA.
Some routing metric parameters are
■ Hop count
■ Bandwidth
■ Cost
■ Load
■ Delay
■ Reliability
■ Maximum transmission unit (MTU)
Hop Count
The hop count parameter counts the number of links between routers the packet must traverse to reach a destination. The RIP routing protocol uses hop count as its metric. The problem with routing protocols that use only this metric is that the shortest hop count is
not always the most appropriate path. For example, between two paths to a destination
network—one with two 56-kbps links and another with four T1 links—the router chooses
the first path because of the lower number of hops (see Figure10-3). However, this is not
necessarily the best path. You would prefer to transfer a 20-MB file via the T1 links rather
than the 56-kbps links.
Figure 10-3 Hop Count Metric (Path 1: 3 hop counts over two 56-k links; Path 2: 5 hop counts over four T-1 links)
Bandwidth
The bandwidth parameter uses the interface bandwidth to determine a best path to a destination network. When bandwidth is the metric, the router prefers the path with the highest bandwidth to a destination. For example, a Fast Ethernet (100 Mbps) is preferred over
a DS-3 (45 Mbps). As shown in Figure 10-3, a router using bandwidth to determine a path
would select Path 2 because of the larger bandwidth, 1.5 Mbps over 56 kbps.
If a routing protocol uses only bandwidth as the metric and the path has several different
speeds, the protocol can use the lowest speed in the path to determine the bandwidth for
the path. EIGRP and IGRP use the minimum path bandwidth, inverted and scaled, as one
part of the metric calculation. In Figure 10-4, Path 1 has two segments, with 256 kbps
and 512 kbps of bandwidth. Because the smaller speed is 256 kbps, this speed is used as
Path 1’s bandwidth. The smallest bandwidth in Path 2 is 384 kbps. When the router has
to choose between Path 1 and Path 2, it selects Path 2 because 384 kbps is larger than
256 kbps.
Figure 10-4 Bandwidth Metric Example (Path 1 links: 256 kbps and 512 kbps, path bandwidth 256 kbps; Path 2 links: T-1, 384 kbps, and 768 kbps, path bandwidth 384 kbps)
Cost
Cost is the name of the metric used by OSPF and IS-IS. In OSPF on a Cisco router, a link’s
default cost is derived from the interface’s bandwidth.
Cisco’s implementation of IS-IS assigns a default cost of 10 to all interfaces.
The formula to calculate cost in OSPF is
cost = 10^8 / BW
where BW is the interface's default or configured bandwidth in bits per second and 10^8 (100 Mbps) is the default reference bandwidth. The result is truncated to an integer and is never less than 1, so every interface of 100 Mbps or faster receives the same default cost of 1. In networks that mix Fast Ethernet, Gigabit Ethernet, and faster links, raise the reference bandwidth with the auto-cost reference-bandwidth router command, using the same value on every router in the area, so that OSPF can distinguish the link speeds.
For 10-Mbps Ethernet, cost is calculated as follows:
BW = 10 Mbps = 10 * 10^6 = 10,000,000 = 10^7
cost (Ethernet) = 10^8 / 10^7 = 10
The sum of all the costs to reach a destination is the metric for that route. The lowest cost
is the preferred path.
Figure 10-5 shows an example of how the path costs are calculated. The path cost is the
sum of all costs in the path. The cost for Path 1 is 350 + 180 = 530. The cost for Path 2 is
15 + 50 + 100 + 50 = 215.
Figure 10-5 Cost Metric Example (Path 1 link costs: 350 and 180; Path 2 link costs: 15, 50, 100, and 50)
Because the cost of Path 2 is less than that of Path 1, Path 2 is selected as the best route to
the destination.
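The three path-selection rules just described (fewest hops, highest minimum bandwidth, lowest summed cost) rank the same pair of paths differently, which is the whole point of Figures 10-3 through 10-5. The following added example, written for this page and not taken from the Cert Guide, applies each rule to the link values of those figures and also derives OSPF costs from bandwidth with the default and a raised reference bandwidth. Link speeds are in kbps; hop count here is the number of links (2 versus 4), which orders the paths the same way as the figure's router counts.

```python
# Added example (not from the CCDA guide): path ranking by hop count, minimum
# bandwidth and summed cost, using the link values of Figures 10-3, 10-4, 10-5.
T1 = 1544                  # kbps
REF_BW_KBPS = 100_000      # Cisco OSPF default reference bandwidth (10^8 bps)


def ospf_cost(bw_kbps, reference_bw_kbps=REF_BW_KBPS):
    """Cisco OSPF interface cost: reference bandwidth / interface bandwidth,
    truncated to an integer and never below 1."""
    return max(1, reference_bw_kbps // bw_kbps)


def by_hop_count(paths):
    """Fewest links wins (RIP); ties keep the first path listed."""
    return min(paths, key=lambda name: len(paths[name]))


def by_min_bandwidth(paths):
    """Path bandwidth is its slowest link; the highest such value wins."""
    return max(paths, key=lambda name: min(paths[name]))


def by_cost(paths):
    """Path cost is the sum of the link costs; the lowest wins (OSPF, IS-IS)."""
    return min(paths, key=lambda name: sum(paths[name]))


def ospf_costs(paths, reference_bw_kbps=REF_BW_KBPS):
    """Convert link bandwidths into OSPF link costs so by_cost() can rank them."""
    return {name: [ospf_cost(bw, reference_bw_kbps) for bw in links]
            for name, links in paths.items()}


# Link bandwidths (kbps) from the figures; Figure 10-5 gives costs directly.
FIG_10_3 = {"Path 1": [56, 56], "Path 2": [T1, T1, T1, T1]}
FIG_10_4 = {"Path 1": [256, 512], "Path 2": [T1, 384, 768]}
FIG_10_5_COSTS = {"Path 1": [350, 180], "Path 2": [15, 50, 100, 50]}


def demo():
    return {
        "hop_count_fig10_3": by_hop_count(FIG_10_3),        # Path 1: 2 links vs 4
        "bandwidth_fig10_3": by_min_bandwidth(FIG_10_3),    # Path 2: 1544 kbps vs 56
        "ospf_cost_fig10_3": by_cost(ospf_costs(FIG_10_3)),  # Path 2: 4*64 vs 2*1785
        "bandwidth_fig10_4": by_min_bandwidth(FIG_10_4),    # Path 2: 384 kbps vs 256
        "cost_fig10_5": by_cost(FIG_10_5_COSTS),            # Path 2: 215 vs 530
        "ethernet_cost": ospf_cost(10_000),                 # 10
        "t1_cost": ospf_cost(T1),                           # 64
        "gig_cost_default_ref": ospf_cost(1_000_000),       # 1, same as Fast Ethernet
        "gig_cost_10g_ref": ospf_cost(1_000_000, 10_000_000),  # 10 once reference is 10 Gbps
    }
```

The last two entries show the caveat from the cost section: with the default reference bandwidth a Gigabit link and a Fast Ethernet link both cost 1, so OSPF would load-share across them as if they were equal.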
Load
The load parameter refers to the degree to which the interface link is busy. The router
keeps track of interface utilization; routing protocols can use this metric when calculating
the best route. Load is one of the five parameters included in the definition of the EIGRP
metric. By default, it is not used to calculate the composite metric. If you have 512-kbps
and 256-kbps links to reach a destination, but the 512-kbps circuit is 99 percent busy and
the 256-kbps is only 5 percent busy, the 256 kbps link is the preferred path. On Cisco
routers, the percentage of load
Chapter 10: Routing Protocol Characteristics, RIP, and EIGRP 359
is shown as 255/255, and utilization at 0 percent is shown as 0/255. Example 10-1 shows
the load of a serial interface at 5/255 (1.9 percent).
Example 10-1 Interface Load
router3>show interface serial 1
Serial1 is up, line protocol is up
Hardware is PQUICC Serial
Internet address is 10.100.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 5/255
Delay
The delay parameter refers to how long it takes to move a packet to the destination. Delay
depends on many factors, such as link bandwidth, utilization, port queues, and physical
distance traveled. Total delay is one of the five parameters included in the definition of the
EIGRP composite metric. By default, it is used to calculate the composite metric. You can
configure an interface’s delay with the delay tens-of-microseconds command, where
tens-of-microseconds specifies the delay in tens of microseconds for an interface or network segment. The interface delay can be checked with the show interface command. As
shown in Example 10-2, the interface’s delay is 20,000 microseconds.
Example 10-2
Interface Delay
router3>show interface serial 1
Serial1 is up, line protocol is up
Hardware is PQUICC Serial
Internet address is 10.100.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Reliability
The reliability parameter is the dependability of a network link. Some WAN links tend to
go up and down throughout the day. These links get a small reliability rating. Reliability is
measured by factors such as a link’s expected received keepalives and the number of
packet drops and interface resets. If the ratio is high, the line is reliable. The best rating is
255/255, which is 100 percent reliability. Reliability is one of the five parameters included
in the definition of the EIGRP metric. By default, it is not used to calculate the composite
metric. As shown in Example 10-3, you can verify an interface’s reliability using the show
interface command.
Example 10-3
Interface Reliability
router4#show interface serial 0
Serial0 is up, line protocol is up
Hardware is PQUICC Serial
Maximum Transmission Unit
The MTU parameter is simply the maximum size of bytes a unit can have on an interface.
If the outgoing packet is larger than the MTU, the IP protocol might need to fragment it.
If a packet larger than the MTU has the Do Not Fragment flag set, the packet is dropped.
As shown in Example 10-4, you can verify an interface’s MTU using the show interface
command.
Example 10-4
Interface MTU
router4#show interface serial 0
Serial0 is up, line protocol is up
Hardware is PQUICC Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
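Examples 10-1 through 10-4 all read the same show interface line. The added example below, which is mine and not from the Cert Guide, parses that line into the five EIGRP metric inputs, turns the x/255 load and reliability fractions into percentages, and computes the classic EIGRP composite metric for a path from them. The metric formula is the classic one with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0), which is why only bandwidth and delay affect the result unless you change the K values; the chapter's EIGRP section covers the metric itself. The interface output is constructed to match the examples; the regular expression also accepts the newer IOS spelling (reliability, txload) as an assumption about that format.

```python
# Added example (not from the CCDA guide): parse the show interface metric line
# and compute the classic EIGRP composite metric with configurable K values.
import re
from dataclasses import dataclass

# Constructed sample in the format of Examples 10-1 through 10-4
SHOW_INTERFACE = """\
Serial1 is up, line protocol is up
  Hardware is PQUICC Serial
  Internet address is 10.100.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 5/255
"""

LINE_RE = re.compile(
    r"MTU (?P<mtu>\d+) bytes, BW (?P<bw>\d+) Kbit(?:/sec)?, DLY (?P<dly>\d+) usec,"
    r"\s+(?:rely|reliability) (?P<rely>\d+)/255,"
    r"\s+(?:load|txload) (?P<load>\d+)/255"
)


@dataclass
class IfaceMetrics:
    mtu: int
    bw_kbps: int
    delay_usec: int
    reliability: int   # 0..255, 255 = fully reliable
    load: int          # 0..255, 255 = saturated

    @property
    def load_pct(self) -> float:
        return 100 * self.load / 255

    @property
    def reliability_pct(self) -> float:
        return 100 * self.reliability / 255


def parse_show_interface(text: str) -> IfaceMetrics:
    m = LINE_RE.search(text)
    if not m:
        raise ValueError("no MTU/BW/DLY line found in show interface output")
    return IfaceMetrics(int(m["mtu"]), int(m["bw"]), int(m["dly"]),
                        int(m["rely"]), int(m["load"]))


def eigrp_metric(path, k1=1, k2=0, k3=1, k4=0, k5=0) -> int:
    """Classic EIGRP composite metric for a path given as a list of interfaces.
    Bandwidth: 10^7 / minimum bandwidth (kbps) along the path, integer division.
    Delay: sum of interface delays in tens of microseconds.
    Load and reliability only matter when K2 or K5 are non-zero. Result x 256."""
    bw = 10_000_000 // min(i.bw_kbps for i in path)
    delay = sum(i.delay_usec for i in path) // 10
    load = max(i.load for i in path)
    rely = min(i.reliability for i in path)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = metric * k5 // (rely + k4)
    return metric * 256


def demo():
    serial = parse_show_interface(SHOW_INTERFACE)
    return {
        "load_pct": round(serial.load_pct, 2),             # 1.96
        "one_t1_hop": eigrp_metric([serial]),              # 2169856, the familiar T1 value
        "two_t1_hops": eigrp_metric([serial, serial]),     # bandwidth unchanged, delay doubled
    }
```

Two properties worth noticing: the bandwidth term is the same for a one-hop and a two-hop T1 path (only the slowest link counts), and the whole metric is driven by the BW and DLY values an administrator configures, not by measured throughput, so an interface with a wrong bandwidth statement silently reshapes the EIGRP topology.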
Routing Loop-Prevention Schemes
Some routing protocols employ schemes to prevent the creation of routing loops in the network. These schemes are
■ Split horizon
■ Poison reverse
■ Counting to infinity
Split Horizon
Split horizon is a technique used by distance-vector routing protocols to prevent routing
loops. Routes that are learned from a neighboring router are not sent back to that neighboring router, thus suppressing the route. If the neighbor is already closer to the destination, it already has a better path.
In Figure 10-6, Routers 1, 2, and 3 learn about Networks A, B, C, and D. Router 2 learns
about Network A from Router 1 and also has Networks B and C in its routing table.
Router 3 advertises Network D to Router 2. Now, Router 2 knows about all networks.
Router 2 sends its routing table to Router 3 without the route for Network D because it
learned that route from Router 3.
Figure 10-6 Simple Split-Horizon Example (Router 1 on Network A, Router 2 on Network B, Router 3 on Network C, with Network D beyond Router 3; with split horizon, Router 2 sends Router 3 the Net A and Net B routes, each with its metric, and no route for Net D)
Poison Reverse
Poison reverse is a route update sent out an interface with an infinite metric for routes
learned (received) from the same interface. Poison reverse simply indicates that the learned
route is unreachable. It is more reliable than split horizon alone. Examine Figure 10-7. Instead of suppressing the route for Network D, Router 2 sends that route in the routing
table marked as unreachable. In RIP, the poison-reverse route is marked with a metric of
16 (infinite) to prevent that path from being used.
Figure 10-7 Poison Reverse (same topology as Figure 10-6; with poison reverse, Router 2 sends Router 3 the Net A and Net B routes, each with its metric, and also a route for Net D marked unreachable with an infinite metric)
Counting to Infinity
Some routing protocols keep track of router hops as the packet travels through the network. In large networks where a routing loop might be present because of a network outage, routers might forward a packet without its reaching its destination.
Counting to infinity is a loop-prevention technique in which the router discards a packet
when it reaches a maximum limit. It assumes that the network diameter is smaller than the
maximum allowed hops. RIP has a maximum of 16 hops. And EIGRP has a maximum of
100 hops by default. These values are considered infinity.
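The three mechanisms above are easiest to see by running them. The added example below, written for this page and not from the Cert Guide, simulates the distance-vector exchange of Figures 10-6 and 10-7 with plain updates, split horizon, and poison reverse, then fails Network A at Router 1 and counts how many update rounds pass before every router has given up on it. The topology is constructed (R1 on A and B, R2 on B and C, R3 on C and D), metrics are RIP-style (connected = 1, infinity = 16), updates are exchanged in synchronous rounds, and there are no timers or triggered updates; all of that is an assumption of the model, not of RIP itself.

```python
# Added example (not from the CCDA guide): distance-vector loop prevention.
INFINITY = 16   # RIP's infinity; a route with this metric is unreachable


class Router:
    def __init__(self, name, connected):
        self.name = name
        self.neighbors = []
        # dest -> [metric, next hop]; connected networks: metric 1, no next hop
        self.table = {net: [1, None] for net in connected}

    def update_for(self, neighbor, mode):
        """Routes this router advertises to `neighbor`.
        mode: "none" (plain Bellman-Ford), "split_horizon" or "poison_reverse"."""
        adv = {}
        for dest, (metric, via) in self.table.items():
            if via == neighbor.name and mode == "split_horizon":
                continue                    # never send a route back where it came from
            if via == neighbor.name and mode == "poison_reverse":
                adv[dest] = INFINITY        # send it back, but as unreachable
            else:
                adv[dest] = metric
        return adv

    def receive(self, sender, adv):
        """Distance-vector update processing; returns True if the table changed."""
        changed = False
        for dest, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(dest)
            if cur is None:
                if new < INFINITY:          # unknown and unreachable: ignore
                    self.table[dest] = [new, sender.name]
                    changed = True
            elif cur[1] == sender.name:     # came from this neighbor: take its word, even if worse
                if cur[0] != new:
                    cur[0] = new
                    changed = True
            elif new < cur[0]:              # better path via another neighbor
                self.table[dest] = [new, sender.name]
                changed = True
        return changed


def run_rounds(routers, mode, max_rounds=50):
    """Exchange periodic updates until a round changes nothing; returns rounds used."""
    for rnd in range(1, max_rounds + 1):
        msgs = [(r, n, r.update_for(n, mode)) for r in routers for n in r.neighbors]
        changed = False
        for sender, receiver, adv in msgs:
            changed |= receiver.receive(sender, adv)
        if not changed:
            return rnd
    return max_rounds


def figure_10_6_topology():
    r1, r2, r3 = Router("R1", ["A", "B"]), Router("R2", ["B", "C"]), Router("R3", ["C", "D"])
    r1.neighbors, r2.neighbors, r3.neighbors = [r2], [r1, r3], [r2]
    return [r1, r2, r3]


def advertised_to_r3(mode):
    """What Router 2 sends Router 3 once converged (Figures 10-6 and 10-7)."""
    routers = figure_10_6_topology()
    run_rounds(routers, mode)
    return routers[1].update_for(routers[2], mode)


def simulate_failure(mode):
    """Network A fails at R1; count rounds until every router has marked it unreachable."""
    routers = figure_10_6_topology()
    run_rounds(routers, mode)
    routers[0].table["A"] = [INFINITY, None]   # R1 loses its connected Network A
    rounds = run_rounds(routers, mode)
    return rounds, {r.name: r.table["A"][0] for r in routers}
```

Without split horizon the metric for Network A bounces between R1, R2, and R3, climbing by one per exchange until it reaches 16; with split horizon or poison reverse the bad news travels outward once and the network is quiet after three rounds. Note that split horizon is an interface-level rule and is disabled by default on some multipoint interfaces, where it would block legitimate routes; poison reverse then is the safer choice because the "unreachable" entry overrides any stale route a neighbor may still hold.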
Triggered Updates
Another loop-prevention and fast-convergence technique used by routing protocols is
triggered updates. When a router interface changes state (up or down), the router is required to send an update message, even if it is not time for the periodic update message.
Immediate notification about a network outage is key to maintaining valid routing entries
within all routers in the network by allowing faster convergence. Some distance-vector
protocols, including RIP, specify a small time delay to avoid having triggered updates generate excessive network traffic. The time delay is variable for each router.
Summarization
Another characteristic of routing protocols is the ability to summarize routes. Protocols that support VLSMs can perform summarization outside of IP class boundaries. By summarizing routes, a router advertises fewer prefixes, so fewer routing updates occur on the network and a flapping link inside the summary range does not trigger updates beyond the summarizing router.
RIPv2 and RIPng
This section covers RIPv2 and RIPng. RIPv2 is used for IPv4 networks and RIPng was created to support IPv6 networks. RIPv2 was first described in RFC 1388 and RFC 1723
(1994); the current RFC is 2453, written in November 1998. Although current environments
use advanced routing protocols such as OSPF and EIGRP, some networks still use RIP. The
need to use VLSMs and other requirements prompted the definition of RIPv2. RIPv1 was
the first version of RIP, which did not support VLSMs. RIPv1 is not a CCDA topic.
RIPv2 improves on RIPv1 with the ability to use VLSM, with support for route authentication, and with multicasting of route updates. RIPv2 supports CIDR. It still sends updates every 30 seconds and retains the 15-hop limit; it also uses triggered updates. RIPv2
still uses UDP port 520; the RIP process is responsible for checking the version number. It
retains the loop-prevention strategies of poison reverse and counting to infinity. On Cisco
routers, RIPv2 has the same administrative distance as RIPv1, which is 120. Finally, RIPv2
uses the IP address 224.0.0.9 when multicasting route updates to other RIP routers. As in
RIPv1, RIPv2 by default summarizes IP networks at network boundaries. You can disable
autosummarization if required.
You can use RIPv2 in small networks where VLSM is required. It also works at the edge of
larger networks.
Authentication
Authentication can prevent communication with any RIP routers that are not intended to be part of the network, such as UNIX stations running routed. Only RIP updates that carry the configured authentication password are accepted. RFC 1723 defines simple plain-text authentication for RIPv2. Note that the plain-text password travels in the clear inside every update, so it stops accidental or misconfigured participants but not an attacker who can capture packets on the segment and reuse the password.
MD5 Authentication
In addition to plain-text passwords, the Cisco implementation provides keyed message digest 5 (MD5) authentication, which is specified for RIPv2 in RFC 2082; the MD5 algorithm itself is defined in RFC 1321. MD5 is a hashing algorithm that takes a variable-length input and produces a fixed-length 128-bit output. With keyed MD5, the router computes the digest over the RIP packet plus a shared secret key and sends only the digest; the key itself never crosses the wire, and a receiver holding the same key can detect any modification of the update. Because the hash cannot be inverted even with knowledge of the algorithm, this provides greater security than plain-text authentication. The key still needs to be strong, because a captured packet allows an offline guessing attack against a weak key.
RIPv2 Routing Database
RIPv2 maintains a routing table database as in Version 1. The difference is that it also keeps the subnet mask information. The following list repeats the table information of RIPv1:
■ IP address: The IP address of the destination host or network, with subnet mask
■ Gateway: The first gateway along the path to the destination
■ Interface: The physical network that must be used to reach the destination
■ Metric: A number indicating the number of hops to the destination
■ Timer: The amount of time since the route entry was last updated
Chapter 10: Routing Protocol Characteristics, RIP, and EIGRP 363
RIPv2 Message Format
The RIPv2 message format takes advantage of the unused fields in the RIPv1 message format by adding subnet masks and other information. Figure 10-8 shows the RIPv2 message format.
Figure 10-8 RIPv2 Message Format (each row is one 32-bit word; field widths in bytes)
    Command (1) | Version (1) | Unused, must be zero (2)
    Address Family Identifier (2) | Route Tag (2)        -- 1st route entry
    IP address (4)
    Subnet Mask (4)
    Next Hop (4)
    Metric (4)
    Address Family Identifier (2) | Route Tag (2)        -- 2nd route entry, up to 25
    IP address (4)
    Subnet Mask (4)
    Next Hop (4)
    Metric (4)
The following describes each field:
■ Command: Indicates whether the packet is a request or response message. The request message asks that a router send all or a part of its routing table. Response messages contain route entries. The router sends the response periodically or as a reply to a request.
■ Version: Specifies the RIP version used. It is set to 2 for RIPv2 and to 1 for RIPv1.
■ AFI: Specifies the address family used. RIP is designed to carry routing information for several different protocols. Each entry has an AFI to indicate the type of address specified. The AFI for IP is 2. The AFI is set to 0xFFFF in the first entry to indicate that the remainder of the entry contains authentication information.
■ Route tag: Provides a method for distinguishing between internal routes (learned by RIP) and external routes (learned from other protocols). You can add this optional attribute during the redistribution of routing protocols.
■ IP Address: Specifies the IP address (network) of the destination.
■ Subnet Mask: Contains the subnet mask for the destination. If this field is 0, no subnet mask has been specified for the entry.
■ Next Hop: Specifies the immediate next-hop IP address to which packets for the destination should be forwarded. A value of 0.0.0.0 means that packets should be forwarded to the router that sent the update.
■ Metric: Indicates how many router hops to reach the destination. The metric is between 1 and 15 for a valid route or 16 for an unreachable or infinite route.
Again, as in RIPv1, the router permits up to 25 occurrences of the last five 32-bit words (20 bytes) for up to 25 routes per RIP message. If the AFI specifies an authenticated message, the router can specify only 24 routing table entries. The updates are sent to the multicast address of 224.0.0.9.
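The following worked example is added by the editor and is not code from the book. It ties the message layout just described to the keyed-MD5 authentication from the MD5 Authentication section: it builds a RIPv2 response carrying three constructed routes and an RFC 2082 authentication header and trailer, then parses the message and verifies the digest. The key is appended to the packet only while the digest is computed and never appears on the wire, and a wrong key or a single flipped bit makes verification fail. The zero padding of the key, the simplified sequence-number check, and the sample routes and key are assumptions of this example; vendor implementations are known to differ in such details, so it illustrates the mechanism rather than interoperating with a real router.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_VERSION_2 = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_KEYED_MD5 = 3      # authentication type carried in the first entry
AUTH_TRAILER = 1        # authentication type of the digest trailer
DIGEST_LEN = 16         # MD5 digest length (RFC 2082 Auth Data Length)
HEADER_LEN, ENTRY_LEN, MAX_ENTRIES, INFINITY = 4, 20, 25, 16


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def _pad_key(key):
    # Assumption of this example: keys of up to 16 bytes, zero-padded to 16.
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("keyed-MD5 key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_response(routes, key, key_id=1, seq=1):
    """routes: iterable of (network, mask, next_hop, metric). Returns the wire bytes."""
    routes = list(routes)
    if len(routes) > MAX_ENTRIES - 2:        # auth header + trailer use two slots
        raise ValueError("keyed-MD5 leaves room for at most 23 route entries")
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0)
    body = b"".join(struct.pack("!HH4s4s4sI", AFI_IP, 0, _packed(n), _packed(m),
                                _packed(nh), metric) for n, m, nh, metric in routes)
    rip_len = HEADER_LEN + ENTRY_LEN + len(body)    # offset of the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_KEYED_MD5, rip_len,
                       key_id, DIGEST_LEN, seq, bytes(8))
    unsigned = header + auth + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # The digest covers everything before it plus the padded key; only the
    # digest goes on the wire, so the key is never exposed in the update.
    return unsigned + hashlib.md5(unsigned + _pad_key(key)).digest()


def parse_and_verify(packet, key, last_seq=None):
    """Return (seq, routes) if the packet authenticates; raise ValueError otherwise."""
    if len(packet) < HEADER_LEN + 2 * ENTRY_LEN:
        raise ValueError("too short for an authenticated RIPv2 message")
    cmd, ver, _ = struct.unpack("!BBH", packet[:HEADER_LEN])
    if (cmd, ver) != (RIP_RESPONSE, RIP_VERSION_2):
        raise ValueError("not a RIPv2 response")
    afi, atype, rip_len, key_id, alen, seq, _ = struct.unpack(
        "!HHHBBI8s", packet[HEADER_LEN:HEADER_LEN + ENTRY_LEN])
    if (afi, atype, alen) != (AFI_AUTH, AUTH_KEYED_MD5, DIGEST_LEN):
        raise ValueError("first entry is not a keyed-MD5 authentication header")
    if rip_len + 4 + DIGEST_LEN != len(packet):
        raise ValueError("RIP-2 packet length field does not match the packet")
    if struct.unpack("!HH", packet[rip_len:rip_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        raise ValueError("authentication trailer missing")
    expected = hashlib.md5(packet[:rip_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(packet[rip_len + 4:], expected):   # constant-time compare
        raise ValueError("bad digest: wrong key or modified packet")
    # Simplified replay check: a neighbor's sequence numbers must not go
    # backwards; RFC 2082 lets a restarted router start again from 0.
    if last_seq is not None and seq != 0 and seq < last_seq:
        raise ValueError("replayed or out-of-order sequence number")
    routes = []
    for off in range(HEADER_LEN + ENTRY_LEN, rip_len, ENTRY_LEN):
        afi, tag, net, mask, nh, metric = struct.unpack(
            "!HH4s4s4sI", packet[off:off + ENTRY_LEN])
        if afi != AFI_IP or not 1 <= metric <= INFINITY:
            raise ValueError("malformed route entry")
        routes.append(tuple(str(ipaddress.IPv4Address(x)) for x in (net, mask, nh))
                      + (metric, tag))
    return seq, routes


def accepts(packet, key, last_seq=None):
    """True if parse_and_verify accepts the packet, False if it rejects it."""
    try:
        parse_and_verify(packet, key, last_seq)
        return True
    except ValueError:
        return False


# Constructed sample data (the subnets of Figure 10-9) and a sample key.
SAMPLE_ROUTES = [("172.16.1.0", "255.255.255.0", "0.0.0.0", 1),
                 ("172.16.2.64", "255.255.255.192", "0.0.0.0", 2),
                 ("172.16.3.4", "255.255.255.252", "0.0.0.0", 16)]
SAMPLE_KEY = b"s3cr3t-rip-key"

if __name__ == "__main__":
    pkt = build_response(SAMPLE_ROUTES, SAMPLE_KEY, key_id=1, seq=42)
    print(len(pkt), "bytes; key visible on the wire:", SAMPLE_KEY in pkt)
    print(parse_and_verify(pkt, SAMPLE_KEY))
    tampered = bytearray(pkt)
    tampered[43] ^= 1                      # flip one bit in the first route's metric
    print("tampered accepted:", accepts(bytes(tampered), SAMPLE_KEY))
    print("wrong key accepted:", accepts(pkt, b"wrong-key"))
```

The message comes out at 104 bytes: a 4-byte header, the 20-byte authentication entry, three 20-byte route entries and the 20-byte trailer, which is why keyed MD5 costs two of the 25 entry slots. The sequence-number check is what stops a captured update from being replayed later; the digest alone does not.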
RIPv2 Timers
RIPv2 timers are the same as in RIPv1. They send periodic updates every 30 seconds.
The default invalid timer is 180 seconds, the hold-down timer is 180 seconds, and the
flush timer is 240 seconds. You can write this list as 30/180/180/240, representing the
U/I/H/F timers.
RIPv2 Design
Things to remember in designing a network with RIPv2 include that it supports VLSM within networks and allows for the summarization of routes in a hierarchical network. RIPv2 is still limited to 15 hops (a hop count of 16 is infinity); therefore, the network diameter cannot exceed this limit. RIPv2 multicasts its routing table every 30 seconds to the multicast IP address 224.0.0.9. RIPv2 is usually limited to access networks where it must interoperate with servers running routed or with non-Cisco routers. RIPv2 also appears at the edge of larger internetworks. RIPv2 further provides for route authentication.
As shown in Figure 10-9, when you use RIPv2, all segments can have different subnet masks.
Figure 10-9 RIPv2 Design (figure: Router A and Router B connected by the 172.16.3.4/30 link, with 172.16.2.64/26 and 172.16.1.0/24 as the attached LAN segments)
RIPv2 Summary (Key Topic)
The characteristics of RIPv2 follow:
■ Distance-vector protocol.
■ Uses UDP port 520.
■ Classless protocol (support for CIDR).
■ Supports VLSMs.
■ Metric is router hop count.
■ Low scalability: maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
■ Periodic route updates are sent every 30 seconds to multicast address 224.0.0.9.
■ 25 routes per RIP message (24 if you use authentication).
■ Supports authentication.
■ Implements split horizon with poison reverse.
■ Implements triggered updates.
■ Subnet mask included in route entry.
■ Administrative distance for RIPv2 is 120.
■ Not scalable. Used in small, flat networks or at the edge of larger networks.
RIPng
RIPng (RIP next generation) is the version of RIP that can be used in IPv6 networks. It is
described in RFC 2080. Most of the RIP mechanisms from RIPv2 remain the same. RIPng
still has a 15-hop limit, counting to infinity, and split horizon with poison reverse. A hop
count of 16 still indicates an unreachable route.
Instead of using UDP port 520 as in RIPv2, RIPng uses UDP port 521. RIPng supports
IPv6 addresses and prefixes. RIPng uses multicast group FF02::9 for RIPng updates to all
RIPng routers.
RIPng Timers
RIPng timers are similar to RIPv2. Periodic updates are sent every 30 seconds. The default invalid timeout for routes to expire is 180 seconds, the default hold-down timer is 180 seconds, and the default garbage-collection timer is 120 seconds.
Authentication
RIPng does not implement authentication in the protocol itself as RIPv2 does. RIPng relies on the built-in IPv6 security functions (IPsec AH or ESP) to authenticate and protect its updates.
RIPng Message Format
Figure 10-10 shows the RIPng routing message. Each route table entry (RTE) consists of the IPv6 prefix, route tag, prefix length, and metric.
Figure 10-10 RIPng Update Message Format (each row is one 32-bit word; field widths in bytes)
    Command (1) | Version (1) | Must be zero (2)
    Route entry 1: IPv6 Prefix (16, 128 bits)
    Route tag (2) | Prefix length (1) | Metric (1)
    Route entry 2: IPv6 Prefix (16, 128 bits)
    Route tag (2) | Prefix length (1) | Metric (1)
The following describes each field:
■ Command: Indicates whether the packet is a request or response message. This field is set to 1 for a request and to 2 for a response.
■ Version: Set to 1, the first version of RIPng.
■ IPv6 prefix: The destination 128-bit IPv6 prefix.
■ Route Tag: As with RIPv2, this is a method that distinguishes internal routes (learned by RIP) from external routes (learned by external protocols). Tagged during redistribution.
■ Prefix Length: Indicates the significant part of the prefix.
■ Metric: This 8-bit field contains the router hop metric.
RIPv2 carries a Next Hop field in each of its route entries. RIPng instead uses a special RTE, identified by a metric of 0xFF, to carry a next-hop address and thereby reduce the size of the update: the next hop applies to all the RTEs that follow it, until the end of the message or the next next-hop RTE. Figure 10-11 shows the format of the special RTE indicating the next-hop entry.
Figure 10-11 RIPng Next-Hop Route Table Entry (one RTE, 20 bytes)
    IPv6 next-hop address (16, 128 bits)
    Must be zero (2) | zeros (1) | 0xFF (1)
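The following example is added by the editor and is not code from the book. It builds a RIPng update from constructed entries in the Figure 10-10 and Figure 10-11 layouts and parses it back, applying each next-hop RTE (metric 0xFF) to the route entries that follow it. It also handles the two cases RFC 2080 calls out: a next hop of :: resets to the sender of the update, and a next hop that is not link-local is unusable on the link and is treated the same way. The sample prefixes, the sender address fe80::1 and the tag values are constructed for this example.

```python
import ipaddress
import struct

RIPNG_RESPONSE, RIPNG_VERSION = 2, 1
RTE_LEN = 20                 # 16-byte prefix + 2-byte tag + 1-byte length + 1-byte metric
NEXT_HOP_METRIC = 0xFF       # marks a next-hop RTE (RFC 2080 section 2.1.1)
INFINITY = 16
UNSPECIFIED = ipaddress.IPv6Address("::")


def build_update(entries):
    """entries: ('nh', address) or ('route', prefix, tag, metric). Returns wire bytes."""
    words = [struct.pack("!BBH", RIPNG_RESPONSE, RIPNG_VERSION, 0)]
    for entry in entries:
        if entry[0] == "nh":
            words.append(struct.pack("!16sHBB", ipaddress.IPv6Address(entry[1]).packed,
                                     0, 0, NEXT_HOP_METRIC))
        else:
            _, prefix, tag, metric = entry
            net = ipaddress.IPv6Network(prefix)
            words.append(struct.pack("!16sHBB", net.network_address.packed,
                                     tag, net.prefixlen, metric))
    return b"".join(words)


def parse_update(packet, sender):
    """Return [(prefix, tag, metric, next_hop)]; sender is the update's link-local source."""
    if len(packet) < 4 or (len(packet) - 4) % RTE_LEN:
        raise ValueError("RIPng message length is not 4 + n*20")
    cmd, ver, mbz = struct.unpack("!BBH", packet[:4])
    if (cmd, ver, mbz) != (RIPNG_RESPONSE, RIPNG_VERSION, 0):
        raise ValueError("not a RIPng version 1 response")
    next_hop = sender            # default: forward to the router that sent the update
    routes = []
    for off in range(4, len(packet), RTE_LEN):
        raw, tag, plen, metric = struct.unpack("!16sHBB", packet[off:off + RTE_LEN])
        if metric == NEXT_HOP_METRIC:
            if tag != 0 or plen != 0:
                raise ValueError("next-hop RTE must carry a zero route tag and prefix length")
            nh = ipaddress.IPv6Address(raw)
            # :: means "back to the sender"; a non-link-local next hop is not
            # usable on the link, so RFC 2080 says to treat it as :: as well.
            next_hop = str(nh) if nh != UNSPECIFIED and nh.is_link_local else sender
            continue             # the new next hop applies to every RTE that follows
        if not 1 <= metric <= INFINITY or plen > 128:
            raise ValueError("malformed route entry")
        prefix = ipaddress.IPv6Network((int.from_bytes(raw, "big"), plen), strict=False)
        routes.append((str(prefix), tag, metric, next_hop))
    return routes


# Constructed sample update received from a neighbor at fe80::1.
SENDER = "fe80::1"
SAMPLE_UPDATE = build_update([
    ("route", "2001:db8:1::/48", 0, 1),       # no next-hop RTE yet: via the sender
    ("nh", "fe80::2"),                        # the routes that follow go via fe80::2
    ("route", "2001:db8:2::/48", 0, 3),
    ("route", "2001:db8:3::/64", 100, 2),     # tag 100: a redistributed route
    ("nh", "::"),                             # reset: back to the sender
    ("route", "2001:db8:4::/48", 0, INFINITY),
])

if __name__ == "__main__":
    for route in parse_update(SAMPLE_UPDATE, SENDER):
        print(route)
```

The update is 4 + 6 x 20 = 124 bytes, and the two next-hop RTEs replace what would otherwise be a 16-byte next-hop field in every one of the four route entries, which is the saving the text refers to.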
RIPng Design
RIPng has low scalability. As with RIPv2, it is limited to 15 hops; therefore, the network diameter cannot exceed this limit. RIPng also multicasts its routing table every 30 seconds, which causes network overhead. RIPng can be used only in small networks.
RIPng Summary (Key Topic)
The characteristics of RIPng are as follows:
■ Distance-vector protocol for IPv6 networks only.
■ Uses UDP port 521.
■ Metric is router hop count.
■ Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
■ Periodic route updates are sent every 30 seconds to multicast address FF02::9.
■ Uses IPv6 functions for authentication.
■ Implements split horizon with poison reverse.
■ Implements triggered updates.
■ Prefix length included in route entry.
■ Administrative distance for RIPng is 120.
■ Not scalable. Used in small networks.
EIGRP
Cisco Systems released EIGRP in the early 1990s as an evolution of IGRP toward a more scalable routing protocol for large internetworks. EIGRP is a classless protocol that permits the use of VLSMs and that supports CIDR for the scalable allocation of IP addresses. Unlike IGRP, EIGRP does not send routing updates periodically. EIGRP allows for authentication with MD5. EIGRP autosummarizes networks at network borders and can load share over unequal-cost paths. EIGRP packets use IP protocol number 88. EIGRP is Cisco proprietary; only Cisco routers can use it.
EIGRP is an advanced distance-vector protocol that implements some characteristics similar to those of link-state protocols. Some Cisco documentation refers to EIGRP as a hybrid protocol. EIGRP advertises its routing table to its neighbors as distance-vector protocols do, but it uses hellos and forms neighbor relationships as link-state protocols do. EIGRP sends partial updates when a metric or the topology changes on the network. It does not send full routing-table updates in periodic fashion as distance-vector protocols do. EIGRP uses the Diffusing Update Algorithm (DUAL) to determine loop-free paths to destinations. This section discusses DUAL.
By default, EIGRP load balances traffic if several paths have equal cost to the destination. EIGRP performs unequal-cost load sharing if you configure it with the variance n command. EIGRP then also uses paths whose metric is equal to or less than n times the minimum metric to a destination, provided those paths satisfy the feasibility condition (their reported distance is lower than the feasible distance), so that only loop-free paths are used. As in RIP and IGRP, EIGRP also summarizes IP networks at network boundaries.
EIGRP internal routes have an administrative distance of 90. EIGRP summary routes have an administrative distance of 5, and EIGRP external routes (from redistribution) have an administrative distance of 170.
EIGRP Components (Key Topic)
EIGRP has four components that characterize it:
■ Protocol-dependent modules
■ Neighbor discovery and recovery
■ Reliable Transport Protocol (RTP)
■ Diffusing Update Algorithm (DUAL)
You should know the role of the EIGRP components, which are described in the following sections.
Protocol-Dependent Modules
EIGRP uses different modules that independently support IP, Internetwork Packet Exchange (IPX), and AppleTalk routed protocols. These modules are the logical interface between DUAL and routing protocols such as IPX RIP and AppleTalk Routing Table Maintenance Protocol (RTMP). The EIGRP module sends and receives packets but passes received information to DUAL, which makes routing decisions.
When configured to support IPX, EIGRP communicates with IPX RIP and forwards the route information to DUAL to select the best paths. AppleTalk EIGRP automatically redistributes routes with AppleTalk RTMP to support AppleTalk networks. IPX and AppleTalk are not CCDA objectives and are not covered in this book.
Neighbor Discovery and Recovery
EIGRP discovers and maintains information about its neighbors. It multicasts hello packets (224.0.0.10) every 5 seconds on most interfaces. The router builds a table with EIGRP neighbor information. The holdtime to maintain a neighbor is 3 times the hello time: 15 seconds. If the router does not receive a hello in 15 seconds, it removes the neighbor from the table. EIGRP multicasts hellos every 60 seconds on multipoint WAN interfaces (X.25, Frame Relay, ATM) with speeds of T-1 (1.544 Mbps) or less. The neighbor holdtime is 180 seconds on these types of interfaces. To summarize, hello/holdtime timers are 5/15 seconds for high-speed links and 60/180 seconds for low-speed links.
Example 10-5 shows an EIGRP neighbor database. The table lists the neighbor's IP address, the interface to reach it, the neighbor holdtime timer, and the uptime.
Example 10-5 EIGRP Neighbor Database
    Router# show ip eigrp neighbor
    IP-EIGRP neighbors for process 100
    H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                    (sec)         (ms)       Cnt Num
    1   172.17.1.1      Se0           11 00:11:27   16   200  0  2
    0   172.17.2.1      Et0           12 00:16:11   22   200  0  3
RTP
EIGRP uses RTP to manage EIGRP packets. RTP ensures the reliable delivery of route updates and uses sequence numbers to ensure ordered delivery. It sends update packets using multicast address 224.0.0.10. It acknowledges updates using unicast hello packets with
no data.
DUAL
EIGRP implements DUAL to select paths and guarantee freedom from routing loops. J. J.
Garcia Luna-Aceves developed DUAL. It is mathematically proven to result in a loop-free
make convergence slower.
DUAL selects a best path and a second-best path to reach a destination. The best path selected by DUAL is the successor, and the second-best path (if available) is the feasible successor. The feasible distance (FD) is the lowest calculated metric of a path to reach the destination. A neighbor qualifies as a feasible successor only if the distance it reports (its own metric to the destination) is lower than the feasible distance; this feasibility condition guarantees that the neighbor's path does not loop back through this router. The topology table in Example 10-6 shows the feasible distance. The example also shows two paths (Ethernet 0 and Ethernet 1) to reach 172.16.4.0/30. Because the paths have different metrics, DUAL chooses only one successor. Each path is shown as (metric via that neighbor/distance reported by that neighbor); the second path reports 2348271, which is not lower than the FD of 2195456, so it does not qualify as a feasible successor.
Example 10-6 Feasible Distance as Shown in the EIGRP Topology Table
    Router8# show ip eigrp topology
    IP-EIGRP Topology Table for AS(100)/ID(172.16.3.1)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
           r - reply Status, s - sia Status
    P 172.16.4.0/30, 1 successors, FD is 2195456
            via 172.16.1.1 (2195456/2169856), Ethernet0
            via 172.16.5.1 (2376193/2348271), Ethernet1
    P 172.16.1.0/24, 1 successors, FD is 281600
            via Connected, Ethernet0
The route entries in Example 10-6 are marked with a P for the passive state. A destination
is in passive state when the router is not performing any recomputations for the entry. If
the successor goes down and the route entry has feasible successors, the router does not
need to perform any recomputations and does not go into active state.
DUAL places the route entry for a destination into active state if the successor goes down
and there are no feasible successors. EIGRP routers send query packets to neighboring
routers to find a feasible successor to the destination. A neighboring router can send a reply packet that indicates it has a feasible successor or a query packet. The query packet indicates that the neighboring router does not have a feasible successor and will participate
in the recomputation. A route does not return to passive state until it has received a reply
packet from each neighboring router. If the router does not receive all the replies before
the “active-time” timer expires, DUAL declares the route as stuck in active (SIA). The default active timer is 3 minutes.
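The following example is added by the editor and is not code from the book. It applies the DUAL rules above, together with the variance rule from the start of the EIGRP section, to the two paths printed for 172.16.4.0/30 in Example 10-6: it computes the feasible distance, picks the successor, applies the feasibility condition to decide which other neighbors are feasible successors, shows whether losing the successor leaves the route passive or sends it active, and lists the paths that variance would use for unequal-cost load sharing. The third neighbor (172.16.7.1 with metrics 2300000/2100000) is constructed for this example to show a path that does satisfy the feasibility condition.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    neighbor: str
    interface: str
    distance: int    # this router's metric via the neighbor (first number in the topology table)
    reported: int    # distance the neighbor reported, i.e. its own FD (second number)


def select(paths):
    """Return (feasible_distance, successors, feasible_successors) for one destination."""
    if not paths:
        return None, [], []
    fd = min(p.distance for p in paths)
    successors = [p for p in paths if p.distance == fd]
    # Feasibility condition: a neighbor whose reported distance is lower than
    # our FD cannot be routing through us, so its path is loop-free and can be
    # installed immediately without a DUAL recomputation.
    feasible = [p for p in paths if p.distance > fd and p.reported < fd]
    return fd, successors, feasible


def unequal_cost_paths(paths, variance=1):
    """Paths used for load sharing: loop-free (successor or feasible successor)
    and with a metric no more than variance * FD (variance 1 = equal cost only)."""
    fd, successors, feasible = select(paths)
    return sorted((p for p in successors + feasible if p.distance <= variance * fd),
                  key=lambda p: p.distance)


def on_successor_loss(paths, failed_neighbor):
    """What DUAL does for this destination when a neighbor goes away."""
    fd, successors, feasible = select(paths)
    if not any(s.neighbor == failed_neighbor for s in successors):
        return "passive", "successor unaffected"
    survivors = [p for p in successors + feasible if p.neighbor != failed_neighbor]
    if survivors:                                 # equal-cost successor or FS remains:
        return "passive", min(survivors, key=lambda p: p.distance).neighbor
    return "active", "query neighbors"            # no FS: the route goes active


# Paths for 172.16.4.0/30 exactly as printed in Example 10-6.
EXAMPLE_10_6 = [
    Path("172.16.1.1", "Ethernet0", 2195456, 2169856),
    Path("172.16.5.1", "Ethernet1", 2376193, 2348271),
]
# Constructed extra neighbor whose reported distance is below the FD.
WITH_FS = EXAMPLE_10_6 + [Path("172.16.7.1", "Ethernet2", 2300000, 2100000)]

if __name__ == "__main__":
    for label, paths in (("Example 10-6", EXAMPLE_10_6), ("with extra neighbor", WITH_FS)):
        fd, succ, fs = select(paths)
        print(label, "FD", fd, "successors", [p.neighbor for p in succ],
              "feasible successors", [p.neighbor for p in fs])
        print("  loss of 172.16.1.1 ->", on_successor_loss(paths, "172.16.1.1"))
        print("  variance 2 ->", [p.neighbor for p in unequal_cost_paths(paths, 2)])
```

With only the two paths of Example 10-6, the Ethernet1 neighbor is not a feasible successor and is also excluded from load sharing even with variance 2, although its metric is within twice the FD; losing Ethernet0 therefore sends the route active. With the constructed third neighbor, the route stays passive and variance 2 uses both loop-free paths.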
EIGRP Timers
EIGRP sends updates only when necessary and sends them only to neighboring routers. There is no periodic update timer.
EIGRP uses hello packets to learn of neighboring routers. On high-speed networks, the default hello packet interval is 5 seconds. On multipoint networks with link speeds of T1 and slower, hello packets are multicast every 60 seconds.
The holdtime to maintain a neighbor adjacency is 3 times the hello time: 15 seconds. If the router does not receive a hello within the holdtime, it removes the neighbor from the neighbor table. Hellos are multicast every 60 seconds on multipoint WAN interfaces (X.25, Frame Relay, ATM) with speeds of 1.544 Mbps or less. The neighbor holdtime is 180 seconds on these types of interfaces. To summarize, hello/holdtime timers are 5/15 seconds for high-speed links and 60/180 seconds for multipoint WAN links of 1.544 Mbps or less.
Note: EIGRP does not send updates using a broadcast address; instead, it sends them to the multicast address 224.0.0.10 (all EIGRP routers). It can also send updates as unicast packets if the neighbor command is used.
EIGRP Metrics
EIGRP uses the same composite metric as IGRP, but the bandwidth (BW) term is multiplied by 256 for finer granularity. The composite metric is based on bandwidth, delay, load, and reliability. MTU is not an attribute for calculating the composite metric.
EIGRP calculates the composite metric with the following formula:
EIGRPmetric = {k1 * BW + [(k2 * BW)/(256 - load)] + k3 * delay} * {k5/(reliability + k4)}
If k5 is 0 (the default), the final term {k5/(reliability + k4)} is not applied and is treated as 1. In this formula, BW is the lowest interface bandwidth in the path, and delay is the sum of all outbound interface delays in the path. The router dynamically measures reliability and load. It expresses 100 percent reliability as 255/255. It expresses load as a fraction of 255. An interface with no load is represented as 1/255.
Bandwidth is the inverse of the minimum bandwidth (in kbps) of the path, scaled by a factor of 256 * 10^7. The formula for bandwidth is
(256 * 10^7)/BWmin
The delay is the sum of the outgoing interface delays (in tens of microseconds) to the destination. A delay of all 1s (that is, a delay of hexadecimal FFFFFFFF) indicates that the network is unreachable. The formula for delay is
[sum of delays] * 256
Reliability is a value between 1 and 255. Cisco IOS routers display reliability as a fraction of 255. That is, 255/255 is 100 percent reliability, or a perfectly stable link; a value of 229/255 represents a 90 percent reliable link.
Load is a value between 1 and 255. A load of 255/255 indicates a completely saturated link. A load of 127/255 represents a 50 percent saturated link.
By default, k1 = k3 = 1 and k2 = k4 = k5 = 0. EIGRP's default composite metric, adjusted for scaling factors, is
EIGRPmetric = 256 * { [10^7/BWmin] + [sum_of_delays] }
BWmin is in kbps, and sum_of_delays is in tens of microseconds. The bandwidth and delay for an Ethernet interface are 10 Mbps and 1 ms, respectively.
The calculated EIGRP BW metric is
256 * 10^7/BW = 256 * 10^7/10,000
= 256 * 1,000
= 256,000
The calculated EIGRP delay metric is
256 * sum of delay = 256 * 1 ms
= 256 * 100 (1 ms expressed in tens of microseconds)
= 25,600
The composite metric for the Ethernet segment is therefore 256,000 + 25,600 = 281,600, which is the FD shown for the connected network 172.16.1.0/24 in Example 10-6.
Table 10-7 shows some default values for bandwidth and delay. Each scaled value is the raw interface value after the formulas above are applied; for example, the T-1 bandwidth value is 256 * (10^7/1544) using integer division.
Table 10-7 Default EIGRP Values for Bandwidth and Delay
    Media Type          Delay (scaled; raw value)       Bandwidth (scaled; raw value)
    Satellite           51,200,000 (2 seconds)          5120 (500 Mbps)
    Ethernet            25,600 (1 ms)                   256,000 (10 Mbps)
    T-1 (1.544 Mbps)    512,000 (20,000 microseconds)   1,657,856
    64 kbps             512,000 (20,000 microseconds)   40,000,000
    56 kbps             512,000 (20,000 microseconds)   45,714,176
The metric weights subcommand is used to change EIGRP metric computation. You can change the k values in the EIGRP composite metric formula to select which EIGRP metrics to use. The command to change the k values is the metric weights tos k1 k2 k3 k4 k5 subcommand under router eigrp n. The tos value is always 0. You set the other arguments to 1 or 0 to alter the composite metric. The k values must match on all routers that are to form an EIGRP neighbor relationship; a mismatch prevents the adjacency. For example, if you want the EIGRP composite metric to use all the parameters, the command is as follows:
router eigrp n
metric weights 0 1 1 1 1 1
EIGRP Packet Types
EIGRP uses five packet types:
■ Hello: EIGRP uses hello packets in the discovery of neighbors. They are multicast to 224.0.0.10 every 5 seconds (every 60 seconds on multipoint WAN links with 1.544 Mbps speeds or less).
■ Acknowledgment: An acknowledgment packet acknowledges the receipt of an update packet. It is a hello packet with no data. EIGRP sends acknowledgment packets to the unicast address of the sender of the update packet.
■ Update: Update packets contain routing information for destinations. EIGRP unicasts update packets to newly discovered neighbors; otherwise, it multicasts update packets to 224.0.0.10 when a link or metric changes. Update packets are acknowledged to ensure reliable transmission.
■ Query: EIGRP sends query packets to find feasible successors to a destination. Query packets are always multicast unless they are sent as a response; then they are unicast back to the originator.
■ Reply: EIGRP sends reply packets to respond to query packets. Reply packets provide a feasible successor to the sender of the query. Reply packets are unicast to the sender of the query packet.
EIGRP Design
When designing a network with EIGRP, remember that it supports VLSMs and network summarization. EIGRP allows for the summarization of routes in a hierarchical network. EIGRP is not limited to 16 hops as RIP is; therefore, the network diameter can exceed this limit. In fact, the EIGRP diameter can be as large as 255 hops. The default maximum is 100. EIGRP can be used in the site-to-site WAN and IPsec virtual private networks (VPN). In the enterprise campus, EIGRP can be used in data centers, server distribution, building distribution, and the network core.
EIGRP does not broadcast its routing table periodically, so there is no large network overhead. You can use EIGRP for large networks; it is a potential routing protocol for the core of a large network. EIGRP further provides for route authentication.
As shown in Figure 10-12, when you use EIGRP, all segments can have different subnet masks.
Figure 10-12 EIGRP Design (figure: Router A and Router B connected by the 172.16.3.4/30 link, with 172.16.2.64/26 and 172.16.1.0/24 as the attached LAN segments)
EIGRP is suited for almost all enterprise environments, including LANs and WANs, and is simple to design. The only caveat is that it is a Cisco proprietary routing protocol that cannot be used with other vendors' routers. The use of EIGRP is preferred over RIP in all environments.
EIGRP for IPv4 Summary (Key Topic)
The characteristics of EIGRP for IPv4 networks follow:
■ Hybrid routing protocol (a distance-vector protocol that has link-state protocol characteristics).
■ Uses IP protocol number 88.
■ Classless protocol (supports VLSMs).
■ Default composite metric uses bandwidth and delay.
■ You can factor load and reliability into the metric.
■ Sends partial route updates only when there are changes.
■ Supports MD5 authentication.
■ Uses DUAL for loop prevention.
■ Fast convergence.
■ By default, equal-cost load balancing with equal metrics. Unequal-cost load sharing with the variance command.
■ Administrative distance is 90 for EIGRP internal routes, 170 for EIGRP external routes, and 5 for EIGRP summary routes.
■ High scalability; used in large networks.
■ Multicasts updates to 224.0.0.10.
■ Does not require a hierarchical physical topology.
■ Provides routing for IPv4, plus legacy protocols such as AppleTalk and IPX.
EIGRP for IPv6 (EIGRPv6) Networks
Cisco has developed EIGRP support for IPv6 networks to route IPv6 prefixes. EIGRP for IPv6 is configured and managed separately from EIGRP for IPv4; no network statements are used. EIGRP for IPv6 retains all the same characteristics (network discovery, DUAL, modules) and functions as EIGRP for IPv4. The major themes with EIGRP for IPv6 are as follows:
■ Implements the protocol-dependent modules.
■ EIGRP neighbor discovery and recovery.
■ Reliable transport.
■ Implements the DUAL algorithm for a loop-free topology.
■ Same metrics as EIGRP for IPv4 networks.
■ Same timers as EIGRP for IPv4.
■ Uses same concepts of feasible successors and feasible distance as EIGRP for IPv4.
■ Uses the same packet types as EIGRP for IPv4.
■ Managed and configured separately from EIGRP for IPv4.
■ Requires a router ID before it can start running.
■ Configured on interfaces. No network statements are used.
The difference is the use of IPv6 prefixes and the use of IPv6 multicast group FF02::A for EIGRP updates. Another difference is that EIGRP for IPv6 defaults to a shutdown state for the routing process and must be explicitly enabled and applied to an interface to become operational. Because EIGRP for IPv6 uses the same characteristics and functions as EIGRP for IPv4 covered in the previous section on EIGRP, they are not repeated here.
EIGRP for IPv6 Design
Use EIGRP for IPv6 in large geographic IPv6 networks. EIGRP’s diameter can scale up to
255 hops, but this network diameter is not recommended. EIGRP authentication can be
used instead of IPv6 authentication.
EIGRP for IPv6 can be used in the site-to-site WAN and IPsec VPNs. In the enterprise
campus, EIGRP can be used in data centers, server distribution, building distribution, and
the network core.
EIGRP’s DUAL algorithm provides for fast convergence and routing loop prevention.
EIGRP does not broadcast its routing table periodically, so there is no large network overhead. The only constraint is that EIGRP for IPv6 is restricted to Cisco routers.
EIGRP for IPv6 Summary (Key Topic)
The characteristics of EIGRP for IPv6 are as follows:
■ Uses the same characteristics and functions as EIGRP for IPv4.
■ Hybrid routing protocol (a distance-vector protocol that has link-state protocol characteristics).
■ Uses Next Header protocol 88.
■ Routes IPv6 prefixes.
■ Default composite metric uses bandwidth and delay.
■ You can factor load and reliability into the metric.
■ Sends partial route updates only when there are changes.
■ Supports EIGRP MD5 authentication.
■ Uses DUAL for loop prevention and fast convergence.
■ By default, equal-cost load balancing. Unequal-cost load balancing with the variance command.
■ Administrative distance is 90 for EIGRP internal routes, 170 for EIGRP external routes, and 5 for EIGRP summary routes.
■ Uses IPv6 multicast FF02::A for EIGRP updates.
■ High scalability; used in large networks.
The CCDA should understand EIGRP-specific characteristics and benefits. Table 10-8 provides a summary for reference.
Table 10-8 EIGRP Protocol Characteristics
    Characteristic                  EIGRP Support
    Distance vector or link state   Hybrid: distance-vector routing protocol with link-state characteristics
    Convergence                     Fast convergence with DUAL for a loop-free topology
    Classless or classful           Classless routing protocol, supports VLSMs
    Scalability                     Highly scalable, supports large networks
    Multiprotocol support           Supports IPv4, IPv6, plus legacy protocols such as IPX and AppleTalk
    Multicast address for updates   224.0.0.10 for IPv4; FF02::A for IPv6
References and Recommended Readings
Bruno, A. CCIE Routing and Switching Exam Certification Guide. Indianapolis: Cisco Press, 2002.
Doyle, J. Routing TCP/IP, Volume I. Indianapolis: Cisco Press, 1998.
RFC 1058, Routing Information Protocol, www.ietf.org/rfc.
RFC 1142, OSI IS-IS Intra-domain Routing Protocol, www.ietf.org/rfc.
RFC 1321, The MD5 Message-Digest Algorithm, www.ietf.org/rfc.
RFC 1723, RIP Version 2 - Carrying Additional Information, www.ietf.org/rfc.
RFC 2080, RIPng for IPv6, www.ietf.org/rfc.
RFC 2082, RIP-2 MD5 Authentication, www.ietf.org/rfc.
RFC 2328, OSPF Version 2, www.ietf.org/rfc.
RFC 2453, RIP Version 2, www.ietf.org/rfc.
"Enhanced IGRP," www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/en_igrp.htm.
"Enhanced Interior Gateway Routing Protocol," www.cisco.com/en/US/tech/tk365/tk207/technologies_white_paper09186a0080094cb7.shtml.
"Implementing EIGRP for IPv6," www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00805fc867.html#wp1049317.
"IPv6 Deployment Strategies," www.cisco.com/en/US/docs/ios/solutions_docs/ipv6/IPv6dswp.html#wp1028199.
"Routing Information Protocol," www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rip.htm.
"Tech Notes: How Does Unequal Cost Path Load Balancing (Variance) Work in IGRP and EIGRP?," www.cisco.com/warp/public/103/19.html.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 10-9 lists a reference of these key topics and the page numbers on which each is found.
Table 10-9 Key Topics
    Key Topic Element   Description                                                     Page
    List                Routing protocol characteristics                                348
    Table 10-3          Distance-vector routing protocols versus link-state protocols   352
    List                RIPv2 summary                                                   364
    List                RIPng summary                                                   366
    List                EIGRP components                                                367
    List                EIGRP for IPv4 summary                                          373
    List                EIGRP for IPv6 summary                                          374
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
administrative distance, BW, delay, distance vector, DUAL, EIGRP, EGP, hop count,
IGP, link state, load, RIPng, RIPv2, VLSM
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. True or false: Link-state routing protocols send periodic routing updates.
2. True or false: RIPv2 was created to support IPv6.
3. True or false: The path with the lowest cost is preferred.
4. True or false: A link with a reliability of 200/255 is preferred over a link with a reliability of 10/255.
5. True or false: A link with a load of 200/255 is preferred over a link with a load of 10/255.
6. On a router, both EIGRP and OSPF have a route to 198.168.10.0/24. Which route is
injected into the routing table?
7. On a router, both RIPv2 and IS-IS have a route to 198.168.10.0/24. Which route is injected into the routing table?
8. On a router, EIGRP has a route to the destination with a prefix of /28, and OSPF has a
route to the destination with a prefix of /30. Which is used to reach the destination?
9. Which of the following is the best measurement of an interface's reliability and load?
a. Reliability 255/255, load 1/255
b. Reliability 255/255, load 255/255
c. Reliability 1/255, load 1/255
d. Reliability 1/255, load 255/255
10. Which routing protocols permit an explicit hierarchical topology?
a. BGP
b. EIGRP
c. IS-IS
d. RIP
e. OSPF
f. B and D
g. C and E
11. What routing protocol parameter is concerned with how long a packet takes to travel
from one end to another in the internetwork?
12. For what routing protocol metric is the value of a Fast Ethernet interface calculated as 10^8/10^8 = 1?
13. Match the loop-prevention technique (numerals) with its description (letters).
i. Split horizon
ii. Poison reverse
iii. Triggered updates
iv. Counting to infinity
a. Sends an infinite metric from which the route was learned
b. Drops a packet when the hop count limit is reached
c. Suppresses a route announcement from which the route was learned
d. Sends a route update when a route changes
14. True or false: Link-state routing protocols are more CPU and memory intensive than
distance-vector routing protocols.
15. Which routing protocols would you select if you needed to take advantage of
VLSMs? (Select all that apply.)
a. RIPv1
b. RIPv2
c. IGRP
d. EIGRP
e. OSPF
f. IS-IS
16. Which standards-based protocol would you select in a large IPv6 network?
a. RIPng
b. OSPFv3
c. EIGRP for IPv6
d. RIPv2
17. Which of the following routing protocols are fast in converging when a change in the
network occurs? (Select three.)
a. RIPv1
b. RIPv2
c. EIGRP
d. OSPF
e. IS-IS
f. BGP
18. If you are designing a large corporate network that cannot be designed in a hierarchy,
which routing protocol would you recommend?
a. RIPv1
b. RIPv2
c. EIGRP
d. OSPF
e. IS-IS
f. BGP
19. Which routing protocols support VLSMs? (Select all that apply.)
a. RIPv1
b. RIPv2
c. EIGRP
d. OSPF
e. IS-IS
f. All of the above
20. You are connecting your network to an ISP. Which routing protocol would you use to
exchange routes?
a. RIPv1
b. RIPv2
c. EIGRP
d. OSPF
e. IS-IS
f. BGP
g. All of the above
21. Which routing protocol requires only Cisco routers on the network?
a. RIPv1
b. RIPv2
c. EIGRP
d. OSPF
e. IS-IS
f. BGP
g. All of the above
22. Which routing protocol would be supported on an IPv6 network with multiple vendor routers?
a. RIPv2
b. EIGRP for IPv6
c. BGPv6
d. OSPFv3
e. RIPv3
f. All of the above
g. B and D
23. Which of the following characteristics are implemented differently between distance-vector and link-state routing protocols?
a. IP route tables
b. Route information distribution
c. Routing tables
d. Forwarding of traffic
e. Verification of route information sources
f. Administrative distance
24. Which two are true for IGPs and EGPs?
a. IGPs can be substituted with static routing.
b. IGPs are better at finding the fastest paths across the network.
c. IGPs must converge quickly, but EGPs do not.
d. IGPs are for inter-autonomous system connection, EGPs are used for intra-autonomous system connections.
25. How is convergence related to routing information?
a. The speed of convergence affects the frequency of routing updates.
b. The faster the convergence, the less consistent the routing information produced.
c. The faster the convergence, the more consistent the routing information produced.
d. There is no relation between convergence and routing information consistency.
26. What is a major advantage of a classless structured network over a classful network?
a. There is less overhead in classless networks.
b. There is more overhead in classless networks.
c. Fewer IP addresses are used in classful networks.
d. Classless networks do not have advantages over classful networks.
27. Which two EIGRP features make it appropriate for a company’s network?
a. Slow convergence
b. VLSM support
c. DUAL
d. Automatic summarization
e. Multivendor support
28. Match the protocol with the characteristic.
i. EIGRP for IPv6
ii. RIPv2
iii. RIPng
iv. EIGRP
a. Uses multicast FF02::9
b. Uses multicast 224.0.0.9
c. Uses multicast 224.0.0.10
d. Uses multicast FF02::A
29. A small network is experiencing excessive broadcast traffic and slow response times.
The current routing protocol is RIPv1. What design changes would you recommend?
a. Migrate to RIPv2.
b. Migrate to RIPng.
c. Migrate to EIGRP for IPv4.
d. Migrate to EIGRPv6.
30. Match the EIGRP component with its description.
i. RTP
ii. DUAL
iii. Protocol-dependent modules
iv. Neighbor discovery
a. An interface between DUAL and IPX RIP, IGRP, and AppleTalk
b. Used to deliver EIGRP messages reliably
c. Builds an adjacency table
d. Guarantees a loop-free network
31. Match each EIGRP parameter with its description.
i. Feasible distance
ii. Successor
iii. Feasible successor
iv. Active state
a. The best path selected by DUAL.
b. The successor is down.
c. The lowest calculated metric of a path to reach the destination.
d. The second-best path.
32. On an IPv6 network, you have RIPng and EIGRP running. Both protocols have a
route to destination 10.1.1.0/24. Which route gets injected into the routing table?
a. The RIPng route
b. The EIGRP route
c. Both routes
d. Neither route, because of a route conflict.
33. Which routing protocol should be used if the network requirements include fastest
convergence time and unequal load balancing?
a. Use BGP.
b. Use OSPF.
c. Use EIGRP.
d. Use RIPv2.
34. Which two routing protocols converge most quickly?
a. BGP
b. OSPF
c. EIGRP
d. RIPv2
35. Which routing protocol represents each column of Table 10-10?
Table 10-10 Routing Protocol Characteristics
Characteristic | A | B | C | D | E
Supports VLSM | Yes | Yes | Yes | Yes | Yes
Convergence | Fast | Fast | Slow | Fast | Fast
Scalability | High | High | Low | High | High
Supports IPv6 | Yes | No | No | No | Yes
Proprietary | Yes | No | No | Yes | No
Answer questions 36–38 based on Figure 10-13.
Figure 10-13 Scenario Diagram (figure: PC 1 and PC 2 connected by Route 1 and Route 2; the links are labeled 128 k, 512 k, 512 k, and 384 k)
36. A user performs a Telnet from PC 1 to PC 2. If the metric used by the configured
routing protocol is the bandwidth parameter, which route will the packets take?
a. Route 1
b. Route 2
c. Neither, because the information is insufficient.
d. One packet takes Route 1, the following packet takes Route 2, and so on.
37. A user performs a Telnet from PC 1 to PC 2. If the metric used by the configured
routing protocol is hop count, which route will the packets take?
a. Route 1
b. Route 2
c. Neither, because the information is insufficient.
d. One packet takes Route 1, the following packet takes Route 2, and so on.
38. A user performs a Telnet from PC 1 to PC 2. If the metric used by the configured
routing protocol is OSPF cost, which route will the packets take?
a. Route 1
b. Route 2
c. Neither, because the information is insufficient.
d. One packet takes Route 1, the following packet takes Route 2, and so on.
Use Figure 10-14 to answer the remaining questions.
39. By default, if RIPv2 is enabled on all routers, what path is taken?
a. Path 1
b. Path 2
c. Unequal load balancing with Path 1 and Path 2
d. Equal load balancing with Path 1 and Path 2
Figure 10-14 Path Selection (figure: Router A with Path 1 and Path 2; the links are labeled 256 kbps, 768 kbps, T-1, and 512 kbps)
40. By default, if RIPng is enabled on all routers, what path is taken?
a. Path 1
b. Path 2
c. Unequal load balancing with Path 1 and Path 2
d. Equal load balancing with Path 1 and Path 2
41. By default, if EIGRP is enabled on all routers, what path is taken?
a. Path 1
b. Path 2
c. Unequal load balancing with Path 1 and Path 2
d. Equal load balancing with Path 1 and Path 2
42. EIGRP is configured on the routers. If it is configured with the variance command,
what path is taken?
a. Path 1
b. Path 2
c. Unequal load sharing with Path 1 and Path 2
d. Equal load balancing with Path 1 and Path 2
43. By default, if EIGRP for IPv6 is enabled on all routers, and this is an IPv6 network,
what path is taken?
a. Path 1
b. Path 2
c. Unequal load balancing with Path 1 and Path 2
d. Equal load balancing with Path 1 and Path 2
This chapter covers the following subjects:
■ OSPFv2
■ OSPFv3
■ BGP
■ Route Manipulation
■ IP Multicast Review
CHAPTER 11
OSPF, BGP, Route Manipulation, and IP Multicast
This chapter reviews the characteristics and design issues of the Open Shortest Path First
Version 2 (OSPFv2) routing protocol. For IPv6 networks, OSPFv3 is also covered. OSPFv2
and OSPFv3 are link-state routing protocols. They do not broadcast their route tables as
distance-vector routing protocols do. Routers using link-state routing protocols send information about the status of their interfaces to all other routers in the area. Then they perform database computations to determine the shortest paths to each destination. This
chapter also covers the Border Gateway Protocol (BGP), which is used to exchange routes
between autonomous systems. It is most frequently used between enterprises and service
providers. The “Route Manipulation” section covers route summarization, route filtering,
and redistribution of route information between routing protocols. The CCDA should
know where redistribution occurs when required by the network design. This chapter concludes by covering IP multicast protocols.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The 13-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 11-1 outlines the major topics discussed in this chapter and the “Do I Know This
Already?” quiz questions that correspond to those topics.
Table 11-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
OSPFv2 | 1, 2, 3, 4, 6
OSPFv3 | 7
BGP | 8, 12
Route Manipulation | 9, 13
Multicast | 5, 10, 11
1. Which protocol defines an Area Border Router (ABR)?
a. Enhanced Interior Gateway Routing Protocol (EIGRP)
b. Open Shortest Path First (OSPF)
c. Intermediate System-to-Intermediate System (IS-IS)
d. Routing Information Protocol (RIP)
2. Which routing protocols support variable-length subnet masks (VLSM)?
a. EIGRP
b. OSPF
c. IS-IS
d. A and B
e. A and C
f. B and C
g. A, B, and C
3. What is an ASBR?
a. Area Border Router
b. Autonomous System Boundary Router
c. Auxiliary System Border Router
d. Area System Border Router
4. What is the OSPFv2 link-state advertisement (LSA) type for autonomous system
external LSAs?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
e. Type 5
5. What address do you use to multicast to the OSPFv2 designated router (DR)?
a. 224.0.0.1
b. 224.0.0.5
c. 224.0.0.6
d. 224.0.0.10
6. To where are OSPF Type 1 LSAs flooded?
a. The OSPF area
b. The OSPF domain
c. From the area to the OSPF backbone
d. Through the virtual link
7. What OSPFv3 LSA carries address prefixes?
a. Network LSA
b. Summary LSA
c. Interarea-router LSA
d. Intra-area-prefix LSA
8. What protocol do you use to exchange IP routes between autonomous systems?
a. IGMP
b. eBGP
c. EIGRP
d. OSPF
9. Where should routes be summarized?
a. On the core routers
b. On the distribution routers
c. On the access routers
d. None of the above
10. What is IGMP?
a. Interior Group Management Protocol
b. Internet Group Management Protocol
c. Interior Gateway Routing Protocol
d. Interior Gateway Media Protocol
11. How many bits are mapped from the Layer 3 IPv4 multicast address to a Layer 2
MAC address?
a. 16 bits
b. 23 bits
c. 24 bits
d. 32 bits
12. What is the administrative distance of eBGP routes?
a. 20
b. 100
c. 110
d. 200
13. What is CIDR?
a. Classful intradomain routing
b. Classful interior domain routing
c. Classless intradomain routing
d. Classless interdomain routing
Foundation Topics
This chapter covers the link-state routing protocol OSPF. OSPF is an Interior Gateway Protocol (IGP) used within an autonomous system. OSPF is a popular standards-based protocol used in enterprises. OSPFv2 is used for IPv4 networks, and OSPFv3 is used for IPv6
networks. IS-IS is another link-state routing protocol, but it is not covered here because it
is no longer a CCDA exam topic.
The “BGP” section covers the characteristics and design of BGP. eBGP exchanges routes
between autonomous systems. eBGP is commonly used between enterprises and their
service providers.
The section “Route Manipulation” covers how you use policy-based routing (PBR) to
change packets’ destination addresses based on policies. This section also covers route summarization, filtering, and redistribution of route information between routing protocols.
The section “IP Multicast Review” covers multicast protocols such as Internet Group
Management Protocol (IGMP), Cisco Group Management Protocol (CGMP), and Protocol
Independent Multicast (PIM).
OSPFv2
RFC 2328 defines OSPFv2, a link-state routing protocol that uses Dijkstra’s shortest path
first (SPF) algorithm to calculate paths to destinations. OSPFv2 is used in IPv4 networks.
OSPF was created for its use in large networks where RIP failed. OSPF improved the
speed of convergence, provided for the use of variable-length subnet masks (VLSM), and
improved the path calculation.
In OSPF, each router sends link-state advertisements (LSA) about itself and its links to all
other routers in the area. Note that it does not send routing tables but link-state information about its interfaces. Then, each router individually calculates the best routes to the
destination by running the SPF algorithm. Each OSPF router in an area maintains an identical database describing the area’s topology. The routing table at each router is individually constructed using the local copy of this database to construct a shortest-path tree.
OSPFv2 is a classless routing protocol that permits the use of VLSMs. With Cisco routers,
OSPF also supports equal-cost multipath load balancing and neighbor authentication. OSPF
uses multicast addresses to communicate between routers. OSPF uses IP protocol 89.
This section covers OSPF theory and design concepts. It discusses OSPF LSAs, area
types, and router types. OSPF uses a two-layer hierarchy with a backbone area at the top
and all other areas below. Routers send LSAs informing other routers of the status of their
interfaces. The use of LSAs and the characteristics of OSPF areas are important concepts
to understand for the exam.
OSPFv2 Metric
10^8 / BW, where BW is the bandwidth of the interface expressed as a full integer of bits
per second (bps). If the result is smaller than 1, the cost is set to 1. A 10BASE-T (10 Mbps
= 10^7 bps) interface has a cost of 10^8 / 10^7 = 10. OSPF performs a summation of the costs
to reach a destination; the lowest cost is the preferred path. Table 11-2 shows some sample
interface metrics.
Table 11-2 OSPF Interface Costs
Interface Type | OSPF Cost
10 Gigabit Ethernet | .01 => 1
Gigabit Ethernet | .1 => 1
OC-3 (155 Mbps) | .64516 => 1
Fast Ethernet | 10^8/10^8 = 1
DS-3 (45 Mbps) | 2
Ethernet | 10^8/10^7 = 10
T1 | 64
512 kbps | 195
256 kbps | 390
The default reference bandwidth used to calculate OSPF costs is 10^8 (cost = 10^8 / BW).
Notice that for technologies that support speeds greater than 100 Mbps, the default metric gets set to 1 without regard for the network’s different capabilities (speed).
Because OSPF was developed prior to high-speed WAN and LAN technologies, the default metric for 100 Mbps was 1. Cisco provides a method to modify the default reference
bandwidth. The cost metric can be modified on every interface.
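The cost formula above, worked through as an added example (not code from the book or from Cisco IOS): interface bandwidths are the ones in Table 11-2, the integer truncation and the minimum of 1 follow the text, and the two sample paths are constructed for the example rather than taken from Figure 10-14.

```python
"""OSPF interface cost and path selection as described in this section:
cost = reference_bandwidth / interface_bandwidth (integer part, minimum 1),
summed along a path; the lowest total is the preferred path.
Added example, not the book's or Cisco's code."""

DEFAULT_REF_BW_BPS = 10**8  # OSPF default reference bandwidth (100 Mbps)

# Interface bandwidths in bps, one per row of Table 11-2
BANDWIDTH_BPS = {
    "10 Gigabit Ethernet": 10 * 10**9,
    "Gigabit Ethernet": 10**9,
    "OC-3": 155_000_000,
    "Fast Ethernet": 10**8,
    "DS-3": 45_000_000,
    "Ethernet": 10**7,
    "T1": 1_544_000,
    "512 kbps": 512_000,
    "256 kbps": 256_000,
}


def ospf_cost(bandwidth_bps, ref_bw_bps=DEFAULT_REF_BW_BPS):
    """Cost of one interface. Integer division truncates the way the table
    does (10^8 / 1,544,000 = 64.7 -> 64); a result below 1 is raised to 1."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, ref_bw_bps // bandwidth_bps)


def path_cost(links, ref_bw_bps=DEFAULT_REF_BW_BPS):
    """Sum of the per-hop costs along a path given as interface names."""
    return sum(ospf_cost(BANDWIDTH_BPS[name], ref_bw_bps) for name in links)


def best_paths(paths, ref_bw_bps=DEFAULT_REF_BW_BPS):
    """Names of all paths sharing the lowest total cost. More than one name
    means OSPF would load-balance over equal-cost paths."""
    costs = {name: path_cost(links, ref_bw_bps) for name, links in paths.items()}
    lowest = min(costs.values())
    return sorted(name for name, cost in costs.items() if cost == lowest)


# Constructed two-path example (not Figure 10-14).
SAMPLE_PATHS = {
    "Path 1": ["T1", "512 kbps"],                          # 64 + 195 = 259
    "Path 2": ["Fast Ethernet", "256 kbps", "Ethernet"],   # 1 + 390 + 10 = 401
}

if __name__ == "__main__":
    # Show why the default reference bandwidth flattens everything above
    # 100 Mbps to cost 1, and how a 10 Gbps reference separates them again.
    for name, bw in BANDWIDTH_BPS.items():
        print(f"{name:20s} default cost {ospf_cost(bw):4d}   "
              f"with 10 Gbps reference {ospf_cost(bw, 10**10):6d}")
    print("preferred:", best_paths(SAMPLE_PATHS))
```

Raising the reference bandwidth must be done on every router in the domain, because a mixed reference makes the summed costs incomparable.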
OSPFv2 Adjacencies and Hello Timers
OSPF uses Hello packets for neighbor discovery. The default Hello interval is 10 seconds
(30 seconds for nonbroadcast multiaccess [NBMA] networks). For point-to-point networks the Hello interval is 10 seconds. Hellos are multicast to 224.0.0.5 (ALLSPFRouters).
Hello packets include such information as the router ID, area ID, authentication, and
router priority.
After two routers exchange Hello packets and set two-way communication, they establish
adjacencies.
Figure 11-1 shows a point-to-point network and an NBMA network.
For point-to-point networks, valid neighbors always become adjacent and communicate
using multicast address 224.0.0.5. For broadcast (Ethernet) and NBMA networks (Frame
router (BDR) but not to each other. All routers reply to the DR and BDR using the multicast address 224.0.0.6. The section “OSPF DRs” covers the DR concept.
Figure 11-1 OSPF Networks (figure: a point-to-point network and a nonbroadcast multiple-access network, in Area 2 and Area 4)
On OSPF point-to-multipoint nonbroadcast networks, it is necessary to configure the set
of neighbors that are directly reachable over the point-to-multipoint network. Each neighbor is identified by its IP address on the point-to-multipoint network. Nonbroadcast
point-to-multipoint networks do not elect DRs, so the DR eligibility of configured neighbors is undefined. OSPF communication in point-to-point networks uses unicast or multicast addresses for neighbor communication.
OSPF virtual links unicast OSPF packets. Later, the section “Virtual Links” discusses virtual links.
OSPFv2 Areas
As a network grows, the initial flooding and database maintenance of LSAs can burden a
router’s CPU. OSPF uses areas to reduce these effects. An area is a logical grouping of
routers and links that divides the network. Routers share link-state information with only
the routers in their areas. This setup reduces the size of the database and the cost of computing the SPF tree at each router.
Each area is assigned a 32-bit integer number. Area 0 (or 0.0.0.0) is reserved for the backbone area. Every OSPF network should have a backbone area. The backbone area must exist in any internetwork using OSPF over multiple areas as a routing protocol. As you can
see in Figure 11-2, communication between Area 1 and Area 2 must flow through Area 0.
This communication can be internal to a single router that has interfaces directly connected to Areas 0, 1, and 2.
Intra-area traffic is packets passed between routers in a single area.
Figure 11-2 OSPF Areas (figure: Area 0 in the center, with Areas 1, 2, 3, and 4 attached to it)
OSPF Router Types
OSPF classifies participating routers based on their place and function in the area architecture. Figure 11-3 shows OSPF router types.
Figure 11-3 OSPF Router Types (figure: Area 0 backbone with ABRs to Area 1 and Area 2, ASBRs connecting to external autonomous systems, and internal routers)
Table 11-3 explains each router type in Figure 11-3.
Table 11-3 OSPF Router Types
Type | Description
Internal router | Any router whose interfaces all belong to the same OSPF area. These routers keep only one link-state database.
ABR | Routers that are connected to more than one area. These routers maintain a link-state database for each area they belong to. These routers generate summary LSAs.
ASBR | Routers that inject external LSAs into the OSPF database (redistribution). These external routes are learned via either other routing protocols or static routes.
Backbone router | Routers with at least one interface attached to Area 0.
Tip: An OSPF router can be an ABR, an ASBR, and a backbone router at the same time.
The router is an ABR if it has an interface on Area 0 and another interface in another area.
The router is a backbone router if it has one or more interfaces in Area 0. The router is an
ASBR if it redistributes external routes into the OSPF network.
OSPF DRs
On multiaccess networks (such as Ethernet), some routers get selected as DRs. The purpose of the DR is to collect LSAs for the multiaccess network and to forward the LSA to
all non-DR routers; this arrangement reduces the amount of LSA traffic generated. A
router can be the DR for one multiaccess network and not the DR in another attached
multiaccess network.
The DR also floods the network LSAs to the rest of the area. OSPF also selects a BDR; it
takes over the function of the DR if the DR fails. Both the DR and BDR become adjacent
to all routers in the multiaccess network. All routers that are not DR and BDR are sometimes called DRothers. These routers are only adjacent to the DR and BDR. The DR generates a Type 2 (network) LSA, which advertises all other routers on the multiaccess
segment. This allows the DRothers routers to get the Type 1 LSAs. OSPF routers multicast
LSAs only to adjacent routers. DRothers multicast packets to the DR and BDR using the
multicast address 224.0.0.6 (ALLDRouters). The DR floods updates using ALLSPFRouters
(224.0.0.5).
DR and BDR selection is based on an OSPF DR interface priority. The default value is 1,
and the highest priority determines the DR. In a tie, OSPF uses the numerically highest
router ID. The router ID is the IP address of the configured loopback interface. The router
ID is the highest configured loopback address, or if the loopback is not configured, it’s the
highest physical address. Routers with a priority of 0 are not considered for DR/BDR selection. The dotted lines in Figure 11-4 show the adjacencies in the network.
Figure 11-4 DRs (figure: Router A, DR, priority 10; Router B, BDR, priority 5; Router C, DRother, priority 1; Router D, DRother, priority 0; dotted lines show adjacencies)
In Figure 11-4, Router A is configured with a priority of 10, and Router B is configured
with a priority of 5. Assuming that these routers are turned on simultaneously, Router A
becomes the DR for the Ethernet network. Router C has a lower priority, becoming adjacent to Router A and Router B but not to Router D. Router D has a priority of 0 and therefore is not a candidate to become a DR or BDR.
If you introduce a new router to the network with a higher priority than that of the current DR and BDR, it does not become the selected DR unless both the DR and BDR fail. If
the DR fails, the current BDR becomes the DR.
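The selection rules just described (highest priority wins, ties go to the numerically highest router ID, priority 0 is ineligible, a live DR and BDR are not preempted, and the BDR takes over when the DR fails), as an added example in Python. This is not the book's or Cisco's code; it is a simplified model rather than the full RFC 2328 election, and the router IDs given to Figure 11-4's routers are constructed.

```python
"""Simplified OSPF DR/BDR selection for one multiaccess segment.
Added example; a model of the rules in this section, not the RFC 2328
state machine (which elects the BDR before the DR)."""

from ipaddress import IPv4Address


def _rank(router):
    """Sort key: higher priority first, then numerically higher router ID.
    Router IDs are compared as 32-bit integers, not as strings, so that
    10.0.0.20 correctly outranks 10.0.0.3."""
    return (router["priority"], int(IPv4Address(router["router_id"])))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr_name, bdr_name) for a list of dicts with keys 'name',
    'priority' and 'router_id'. current_dr / current_bdr name the roles already
    held on the segment (None when every router boots at the same time)."""
    by_name = {r["name"]: r for r in routers}
    eligible = [r for r in routers if r["priority"] > 0]

    def alive(name):
        return name in by_name and by_name[name]["priority"] > 0

    if alive(current_dr):
        dr = current_dr                     # an existing DR is never preempted
    elif alive(current_bdr):
        dr = current_bdr                    # DR has gone away: BDR takes over
    else:
        dr = max(eligible, key=_rank)["name"] if eligible else None

    if alive(current_bdr) and current_bdr != dr:
        bdr = current_bdr                   # existing BDR keeps its role
    else:
        rest = [r for r in eligible if r["name"] != dr]
        bdr = max(rest, key=_rank)["name"] if rest else None
    return dr, bdr


def adjacencies(routers, dr, bdr):
    """Adjacency pairs on the segment: every router with the DR and the BDR;
    DRothers are not adjacent to each other (the dotted lines of Figure 11-4)."""
    pairs = set()
    for r in routers:
        for hub in (dr, bdr):
            if hub is not None and r["name"] != hub:
                pairs.add(tuple(sorted((r["name"], hub))))
    return sorted(pairs)


# Figure 11-4's routers and priorities; the router IDs are constructed.
SEGMENT = [
    {"name": "Router A", "priority": 10, "router_id": "10.0.0.1"},
    {"name": "Router B", "priority": 5, "router_id": "10.0.0.2"},
    {"name": "Router C", "priority": 1, "router_id": "10.0.0.3"},
    {"name": "Router D", "priority": 0, "router_id": "10.0.0.4"},
]

if __name__ == "__main__":
    dr, bdr = elect(SEGMENT)
    print("boot together:", dr, bdr)
    print("adjacencies:", adjacencies(SEGMENT, dr, bdr))
    newcomer = SEGMENT + [{"name": "Router E", "priority": 20, "router_id": "10.0.0.5"}]
    print("priority-20 newcomer:", elect(newcomer, current_dr=dr, current_bdr=bdr))
    survivors = [r for r in SEGMENT if r["name"] != "Router A"]
    print("after DR failure:", elect(survivors, current_dr=dr, current_bdr=bdr))
```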
LSA Types
OSPF routers generate LSAs that are flooded within an area, between areas, and throughout the entire autonomous system. OSPF defines different LSA types for participating
routers, DRs, ABRs, and ASBRs. Understanding the LSA types can help you with other
OSPF concepts. Table 11-4 describes the major LSA types. There are other LSA types that
are not covered in this book.
Table 11-4 Major LSA Types
Type Code | Type | Description
1 | Router LSA | Produced by every router. Includes all the router’s links, interfaces, state of links, and cost. This LSA type is flooded within a single area.
2 | Network LSA | Produced by every DR on every broadcast or NBMA network. It lists all the routers in the multiaccess network. This LSA type is contained within an area.
3 | Summary LSA for ABRs | Produced by ABRs. It is sent into an area to advertise destinations outside the area.
4 | Summary LSA for ASBRs | Originated by ABRs. Sent into an area by the ABR to advertise the ASBRs.
5 | Autonomous system external LSA | Originated by ASBRs. Advertises destinations external to the OSPF autonomous system, flooded throughout the whole OSPF autonomous system.
7 | Not-so-stubby area (NSSA) external LSA | Originated by ASBRs in an NSSA. It is not flooded throughout the OSPF autonomous system, only to the NSSA. Similar to the Type 5 LSA.
Type 1 and Type 2 LSAs are intra-area LSAs that have an area-flooding scope. Type 3
LSAs are a summary of destinations outside the local area but within the OSPF domain.
Type 4 LSAs provide reachability about the ASBR. Type 3 and Type 4 LSAs are interarea
LSAs that have an area-flooding scope. ABRs exchange Type 3 and Type 4 LSAs. Type 5
LSAs advertise external destinations. Type 5 LSAs have a domain-flooding scope, meaning they are flooded throughout all areas.
Autonomous System External Path Types
The two types of autonomous system external paths are Type 1 (E1) and Type 2 (E2), and
they are associated with Type 5 LSAs. ASBRs advertise external destinations whose cost
can be just a redistribution metric (E2) or a redistribution metric plus the costs of each
segment (E1) used to reach the ASBR.
By default, external routes are of Type 2, which is the metric (cost) used in the redistribution. Type 1 external routes have a metric that is the sum of the redistribution cost plus
the cost of the path to reach the ASBR.
OSPF Stub Area Types
OSPF provides support for stub areas. The concept is to reduce the number of interarea or
external LSAs that get flooded into a stub area. RFC 2328 defines OSPF stub areas. RFC
1587 defines support for NSSAs. Cisco routers use totally stubby areas, such as Area 2, as
shown in Figure 11-5.
Stub Areas
Consider Area 1 in Figure 11-5. Its only path to the external networks is via the ABR
through Area 0. All external routes are flooded to all areas in the OSPF autonomous system. You can configure an area as a stub area to prevent OSPF external LSAs (Type 5)
from being flooded into that area. A single default route is injected into the stub area instead. If multiple ABRs exist in a stub area, all inject the default route. Traffic originating
within the stub area routes to the closest ABR.
Note that network summary LSAs (Type 3) from other areas are still flooded into the
stub Area 1.
Figure 11-5 OSPF Stub Networks (figure: Area 0 backbone with ABRs to Area 1, a stub area, and to Area 2, an NSSA containing an ASBR; Area 3 with an ASBR; internal routers)
Totally Stubby Areas
Take the Area 1 in Figure 11-5 one step further. The only path for Area 1 to get to Area 0
and other areas is through the ABR. A totally stubby area does not flood network summary LSAs (Type 3). It stifles Type 4 LSAs, as well. Like regular stub areas, totally stubby
areas do not flood Type 5 LSAs. They send just a single LSA for the default route. If multiple ABRs exist in a totally stubby area, all ABRs inject the default route. Traffic originating
within the totally stubby area routes to the closest ABR.
NSSAs
Notice that Area 2 in Figure 11-5 has an ASBR. If this area is configured as an NSSA, it
generates the external LSAs (Type 7) into the OSPF system while retaining the characteristics of a stub area to the rest of the autonomous system. There are two options for the
ABR. First, the ABR for Area 2 can translate the NSSA external LSAs (Type 7) to autonomous system external LSAs (Type 5) and flood the rest of the internetwork. Second,
the ABR is not configured to convert the NSSA external LSAs to Type 5 external LSAs,
and therefore the NSSA external LSAs remain within the NSSA.
There is also an NSSA totally stub area. The difference is that the default NSSA has no default route unless the ABR is explicitly configured to advertise one. The NSSA totally stub
area does receive a default route.
Virtual Links
OSPF requires that all areas be connected to a backbone router. Sometimes, WAN link
provisioning or failures can prevent an OSPF area from being directly connected to a
backbone router. You can use virtual links to temporarily connect (virtually) the area to
the backbone.
As shown in Figure 11-6, Area 4 is not directly connected to the backbone. A virtual link
is configured between Router A and Router B. The flow of the virtual link is unidirectional
and must be configured in each router of the link. Area 2 becomes the transit area through
which the virtual link is configured. Traffic between Areas 2 and 4 does not flow directly
to Router B. Instead, the traffic must flow to Router A to reach Area 0 and then pass
through the virtual link.
Figure 11-6 OSPF Virtual Link (figure: Area 4 reaches Area 0 through a virtual link between Router A and Router B across transit Area 2; Areas 1 and 3 are attached to Area 0)
OSPFv2 Router Authentication
OSPFv2 supports the authentication of routes using 64-bit clear text or cryptographic
message digest 5 (MD5) authentication. Authentication can be performed on a per-area or
per-interface basis. Plaintext authentication passwords do not need to be the same for the
routers throughout the area, but they must be the same between neighbors.
MD5 authentication provides higher security than plaintext authentication. As with plaintext authentication, passwords do not have to be the same throughout an area, but they do
need to be same between neighbors.
OSPFv2 Summary
OSPFv2 is used in large enterprise IPv4 networks. The network topology must be hierar-
The characteristics of OSPFv2 follow:
■ Link-state routing protocol.
■ Uses IP protocol 89.
■ Classless protocol (supports VLSMs and CIDR).
■ Metric is cost (based on interface bandwidth by default).
■ Fast convergence. Uses link-state updates and SPF calculation.
■ Reduced bandwidth use. Sends partial route updates only when changes occur.
■ Routes are labeled as intra-area, interarea, external Type 1, or external Type 2.
■ Support for authentication.
■ Uses the Dijkstra algorithm to calculate the SPF tree.
■ Default administrative distance is 110.
■ Uses multicast address 224.0.0.5 (ALLSPFRouters).
■ Uses multicast address 224.0.0.6 (ALLDRouters).
■ Good scalability. Recommended for large networks.
OSPFv3
RFC 2740 describes OSPF Version 3 as a routing protocol for IPv6 networks. Note that
OSPFv3 is for IPv6 networks only and that it is not backward compatible with OSPFv2
(used in IPv4). OSPF algorithms and mechanisms, such as flooding, router types, designated router election, areas, stub and NSSA, and SPF calculations, remain the same.
Changes are made for OSPF to support IPv6 addresses, address hierarchy, and IPv6 for
transport. OSPFv3 uses multicast group FF02::5 for all OSPF routers and FF02::6 for all
designated routers.
OSPFv3 Changes from OSPFv2
The following are the major changes for OSPFv3:
■ Version number is 3: Obviously, this is a newer version of OSPF, and it runs over IPv6 only.
■ Support for IPv6 addressing: New LSAs created to carry IPv6 addresses and prefixes.
■ Per-link processing: OSPFv2 uses per-subnet processing. With link processing, routers in the same link can belong to multiple subnets.
■ Address semantics removed: Addresses are removed from the router and network LSAs. These LSAs now provide topology information.
■ No authentication in the OSPFv3 protocol: schemes inherited in IPv6.
■ New link LSA: For local-link flooding scope.
■ New intra-area-prefix LSA: Carries all the IPv6 prefix information. Similar to OSPFv2 router and network LSAs.
■ Identifying neighbors by router ID: Neighbors are always identified by the router ID. This does not occur in OSPFv2 point-to-point and broadcast networks.
■ Options field changes: Two Options bits, the R-bit and the V6-bit, have been added to the Options field for processing router LSAs during the SPF calculation.
Note: In OSPFv3, the router IDs, area IDs, and LSA link-state IDs remain at the size of 32
bits. Larger IPv6 addresses cannot be used.
OSPFv3 Areas and Router Types
OSPFv3 retains the same structure and concepts as OSPFv2. The area topology, interfaces,
neighbors, link-state database, and routing table remain the same. RFC 2740 does not define new area types or router types.
The OSPF areas shown in Figure 11-2 and the router types shown in Figure 11-3 remain
the same. The router types in relation to the OSPF areas are
■ Internal router: Any router whose interfaces all belong to the same OSPF area. These routers keep only one link-state database.
■ ABR: Routers that are connected to more than one area, in which one area is Area 0. These routers maintain a link-state database for each area they belong to. These routers generate summary LSAs.
■ ASBR: Routers that inject external LSAs into the OSPF database (redistribution). These external routes are learned via either other routing protocols or static routes.
■ Backbone router: Routers with at least one interface attached to Area 0.
OSPFv3 LSAs
OSPFv3 retains the LSA types used by OSPFv2 with some modifications and introduces
two new LSAs: link LSA and intra-area-prefix.
All LSAs use a common 20-byte header that indicates the LS type, the advertising router,
and the sequence number. Figure 11-7 shows the format of the LSA header.
The LS Age indicates the time in seconds since the LSA was generated.
The LS Type indicates the function performed by this LSA. This field includes a U bit and
S2 and S1 bits. When the U bit is set to 0, the LSA is flooded only locally. When the U bit
is set to 1, the LSA is stored and flooded. The S1 and S2 bits have the functions indicated
in Table 11-5.
Figure 11-7 LSA Header (figure: 20-byte header, 32 bits per row)
  LS Age (16 bits) | LS Type (16 bits)
  Link State ID (32 bits)
  Advertising Router (32 bits)
  LS Sequence Number (32 bits)
  LS Checksum (16 bits) | Length (16 bits)

Table 11-5 LSA Header S2 S1 Bits
S2 S1    Flooding Scope
00       Link-local scope
01       Flood to all routers within the area
10       Flood to all routers within the autonomous system
11       Reserved
The Link State ID is used with the LS type and advertising router to identify the link-state
database. The Advertising Router field contains the 32-bit router ID of the router that generated the LSA. The LS Sequence Number is used to detect old or duplicate LSAs. The LS
Checksum is for error checking. The Length field indicates the length of the LSA, including the header.
Table 11-6 summarizes the nine LSAs that can be used in OSPF. Most LSAs retain the
same function used in OSPFv2 for IPv4. Each OSPFv3 LSA is described in more detail following the table.
Table 11-6 OSPFv3 LSA Types
LSA Name                          LS Type   Description
Router LSA                        0x2001    State of router interfaces
Network LSA                       0x2002    Generated by DR routers in broadcast or NBMA networks
Interarea-prefix LSA              0x2003    Routes to prefixes in other areas
Interarea-router LSA              0x2004    Routes to routers in other areas
Autonomous system external LSA    0x4005    Routes to networks external to the autonomous system
Group-membership LSA              0x2006    Networks that contain multicast groups
NSSA Type 7 LSA                   0x2007    Routes to networks external to the autonomous system, injected into the NSSA
Link LSA                          0x0008    Link-local addresses and list of IPv6 prefixes associated with the link
Intra-area-prefix LSA             0x2009    IPv6 prefixes associated with a router, a stub network, or an associated transit network segment
Router LSAs describe the cost and state of all the originating router’s interfaces. These
LSAs are flooded within the area only. Router LSAs are LS type 0x2001. No IPv6 prefixes
are contained in this LSA.
Network LSAs are originated by DRs in broadcast or NBMA networks. They describe all
routers attached to the link that are adjacent to the DR. These LSAs are flooded within the
area only. The LS type is 0x2002. No IPv6 prefixes are contained in this LSA.
Interarea-prefix LSAs describe routes to IPv6 prefixes that belong to other areas. They are
similar to OSPFv2 type 3 summary LSAs. The interarea-prefix LSA is originated by the
ABR and has an LS type of 0x2003. It is also used to send the default route in stub areas.
These LSAs are flooded within the area only.
Each interarea-router LSA describes a route to a router in another area. It is similar to
OSPF Type 4 summary LSAs. It is originated by the ABR and has an LS type of 0x2004.
These LSAs are flooded within the area only.
Autonomous system-external LSAs describe networks that are external to the autonomous system. These LSAs are originated by ASBRs, have an LS type of 0x4005, and
therefore are flooded to all routers in the autonomous system.
The group-membership LSA describes the directly attached networks that contain members of a multicast group. This LSA is limited to the area and has an LS type of 0x2006. This
LSA is described further in RFC 1584. This LSA is not supported in Cisco IOS software.
Type 7 LSAs describe networks that are external to the autonomous system, but they are
flooded to the NSSA area only. NSSAs are covered in RFC 1587. This LSA is generated by
the NSSA ASBR and has a type of 0x2007.
Link LSAs describe the router’s link-local address and a list of IPv6 prefixes associated
with the link. This LSA is flooded to the local link only and has a type of 0x0008.
The intra-area-prefix LSA is a new LSA type that is used to advertise IPv6 prefixes associated with a router, a stub network, or an associated transit network segment. This LSA
contains information that used to be part of the router LSAs and network LSAs.
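The LS Type encoding described above (U bit, S2 S1 flooding scope, function code) is easy to get wrong when reading a packet by hand. As an added example, not from the book or from any Cisco code, the following Python decodes the 20-byte LSA header of Figure 11-7 and classifies the LS Type field using the S2 S1 scopes of Table 11-5 and the function codes of Table 11-6. The sample headers are constructed with struct.pack rather than captured from a network, and the dictionary field names are this example's own choice.

```python
import struct

# Function codes (low 13 bits of the LS Type field) and their names, from Table 11-6.
LSA_FUNCTION_NAMES = {
    0x001: "Router LSA",
    0x002: "Network LSA",
    0x003: "Interarea-prefix LSA",
    0x004: "Interarea-router LSA",
    0x005: "AS-external LSA",
    0x006: "Group-membership LSA",
    0x007: "NSSA Type 7 LSA",
    0x008: "Link LSA",
    0x009: "Intra-area-prefix LSA",
}

# S2 S1 bits of the LS Type field, from Table 11-5.
FLOODING_SCOPE = {
    0b00: "link-local",
    0b01: "area",
    0b10: "autonomous system",
    0b11: "reserved",
}

# Figure 11-7: age, type, link-state ID, advertising router, sequence, checksum, length.
HEADER_FORMAT = "!HHIIIHH"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)   # 20 bytes


def dotted(value: int) -> str:
    """Render a 32-bit router ID or link-state ID in dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_lsa_header(data: bytes) -> dict:
    """Decode an OSPFv3 LSA header and classify its LS Type field.

    Raises ValueError for a truncated buffer or a Length field smaller than the
    header itself; an LSA can never be shorter than its own 20-byte header.
    """
    if len(data) < HEADER_LEN:
        raise ValueError(f"truncated LSA header: {len(data)} bytes, need {HEADER_LEN}")
    age, ls_type, ls_id, adv_router, seq, checksum, length = struct.unpack(
        HEADER_FORMAT, data[:HEADER_LEN])
    if length < HEADER_LEN:
        raise ValueError(f"bad LSA length {length}")
    u_bit = (ls_type >> 15) & 0x1        # U bit: how an unrecognized function code is handled
    s_bits = (ls_type >> 13) & 0x3       # S2 S1: flooding scope (Table 11-5)
    function_code = ls_type & 0x1FFF     # remaining 13 bits: LSA function (Table 11-6)
    return {
        "ls_age": age,
        "ls_type": ls_type,
        "u_bit": u_bit,
        "flooding_scope": FLOODING_SCOPE[s_bits],
        "function_code": function_code,
        "lsa_name": LSA_FUNCTION_NAMES.get(function_code, "unknown"),
        "link_state_id": dotted(ls_id),
        "advertising_router": dotted(adv_router),
        "ls_sequence_number": seq,
        "ls_checksum": checksum,
        "length": length,
    }


def build_lsa_header(ls_age, ls_type, link_state_id, advertising_router,
                     sequence_number, checksum, length) -> bytes:
    """Pack a header for the constructed samples below (not captured traffic)."""
    return struct.pack(HEADER_FORMAT, ls_age, ls_type, link_state_id,
                       advertising_router, sequence_number, checksum, length)


# Constructed sample: a Router LSA from router 1.1.1.1 carrying the initial sequence number.
SAMPLE_ROUTER_LSA = build_lsa_header(10, 0x2001, 0, 0x01010101, 0x80000001, 0x1234, 24)

if __name__ == "__main__":
    for key, value in parse_lsa_header(SAMPLE_ROUTER_LSA).items():
        print(f"{key:20} {value}")
```

The scope comes entirely from the S bits, so 0x4005 (AS-external) decodes to autonomous-system scope and 0x0008 (Link LSA) to link-local scope without any per-type table. The U bit only matters for a function code the receiver does not recognize, which is why the example reports it next to the name lookup rather than acting on it.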
OSPFv3 Summary
OSPFv3 is used in large enterprise IPv6 networks. The network topology must be hierarchical. OSPF is used in the enterprise campus building access, distribution, and core layers. OSPF is also used in the enterprise data center, WAN/MAN, and branch offices.
The characteristics of OSPFv3 follow:
■ Link-state routing protocol for IPv6.
■ Uses IPv6 Next Header 89.
■ Metric is cost (based on interface bandwidth by default).
■ Sends partial route updates only when changes occur.
■ Routes are labeled as intra-area, interarea, external Type 1, or external Type 2.
■ Uses IPv6 for authentication.
■ Uses the Dijkstra algorithm to calculate the SPF tree.
■ Default administrative distance is 110.
■ Uses multicast address FF02::5 (ALLSPFRouters).
■ Uses multicast address FF02::6 (ALLDRouters).
■ Fast convergence, scalable, and reduces bandwidth.
■ Recommended for large IPv6 networks.
BGP
This section covers Border Gateway Protocol theory and design concepts. The current
version of BGP, Version 4, is defined in RFC 1771 (March 1995). BGP is an interdomain
routing protocol. What this means is that you use BGP to exchange routing information
between autonomous systems. (It is used for inter-autonomous system routing.) The primary function of BGP is to provide and exchange network-reachability information between domains or autonomous systems. BGP is a path-vector protocol. BGP is best suited
for setting routing policies between autonomous systems. In the enterprise campus architecture, BGP is used in the Internet connectivity module.
BGP is the de facto standard for routing between service providers on the Internet because of its rich features. You can also use it to exchange routes in large internal networks.
The Internet Assigned Numbers Authority (IANA) reserved TCP port 179 to identify the
BGP protocol. BGPv4 was created to provide CIDR, a feature that was not present in the
earlier versions of BGP. BGP is a path-vector routing protocol; it is neither a distance-vector nor link-state routing protocol.
Note: RFC 1519 describes CIDR, which provides the capability to forward packets based on IP prefixes only, with no concern for IP address class boundaries. CIDR was created to summarize IP addresses across network class boundaries. The early 1990s saw an increase in the growth of Internet routing tables and a reduction in Class B address space. CIDR provides a way for service providers to assign address blocks smaller than a Class B network but larger than a Class C network.
BGP Neighbors
BGP is usually configured between two directly connected routers that belong to different autonomous systems. Each autonomous system is under different technical administration. BGP is frequently used to connect the enterprise to service providers and to
interconnect service providers, as shown in Figure 11-8. The routing protocol within the
enterprise could be any Interior Gateway Protocol (IGP). Common IGP choices include
RIPv2, EIGRP, OSPF, and IS-IS. BGPv4 is the only deployed Exterior Gateway Protocol (EGP).
Figure 11-8 BGP Neighbors (figure: Router A 1.1.1.1 in the enterprise autonomous system AS 200 peers with Router B 1.1.1.2; Service Provider 1 is AS 100, Service Provider 2 is AS 400, and Service Provider 3 is AS 300)
BGP is an interdomain routing protocol that allows BGP speakers residing in different autonomous systems to exchange routing (NLRI) information. An autonomous system is a
collection of devices under common administration. BGP autonomous systems range from
1 through 65,535. Autonomous system numbers (ASN) 1 through 64,511 are considered
public ASNs. These are allocated by IANA to Regional Internet Registries (RIR). Entities
wanting to receive an ASN must complete the application process of their local RIR and
be approved before being assigned an ASN. ASNs 65,512 through 65,535 are considered
private ASNs. These ASNs can be used by any organization, but,
dresses, cannot be used on the Internet.
Before two BGP routers can exchange routing updates, they must become established
neighbors. After BGP routers establish a TCP connection, exchange information, and accept the information, they become established neighbors and start exchanging routing updates. If the neighbors do not reach an established state, they do not exchange BGP
updates. The information exchanged before the neighbors are established includes the
BGP version number, ASN, BGP router ID, and BGP capabilities.
eBGP
External Border Gateway Protocol is the term used to describe BGP peering between
neighbors in different autonomous systems. As required by RFC 1771, the eBGP peers
share a common subnet (although Cisco does allow some flexibility to avoid doing so). In
Figure 11-9, all routers speak eBGP with routers in other autonomous systems. Within autonomous system 500, the routers communicate using iBGP, which is covered next.
Figure 11-9 eBGP Used Between Autonomous Systems (figure: AS 100, AS 200, and AS 300 each peer with AS 500 over eBGP; the routers inside AS 500 peer over iBGP)
iBGP
Internal Border Gateway Protocol is the term used to describe the peering between BGP
neighbors in the same autonomous system. iBGP is used primarily in transit autonomous
systems. Transit autonomous systems forward traffic from one external autonomous system to another external autonomous system. If transit autonomous systems did not use
iBGP, the eBGP-learned routes would have to be redistributed into an IGP and then redistributed into the BGP process in another eBGP router. Normally, the number of eBGP
routes is too large for an IGP to handle.
iBGP provides a better way to control the routes within the transit autonomous system.
With iBGP, the external route information (attributes) is forwarded. The various IGPs
system paths, between eBGP routers.
Another use of iBGP is in large corporations where the IGP networks are in smaller independent routing domains along organizational or geographic boundaries. In Figure 11-10,
a company has decided to use three independent IGPs: one for the Americas; another for
Asia and Australia; and another for Europe, the Middle East, and Africa. Routes are redistributed into an iBGP core.
Figure 11-10 iBGP in a Large Corporation (figure: Asia IGP, EMEA IGP, and America IGP connected through an iBGP core)
Other Uses of iBGP
The CCDA should know at a high level these other uses for iBGP:
■ Applying policies in the internal autonomous system with the help of BGP path attributes: BGP path attributes are covered in a later section.
■ QoS policy propagation on BGP (QPPB): QPPB uses iBGP to spread common QoS parameters from one router to other routers in the network. It classifies packets using IP precedence bits based on BGP community lists, BGP autonomous system paths, and access lists. After packets are classified, QoS features can enforce policies.
■ Multiprotocol BGP peering of Multiprotocol Label Switching (MPLS) virtual private networks (VPN): The multiprotocol version of BGP is used to carry MPLS VPN information between all provider edge (PE) routers within a VPN community. MP-BGP is defined in RFC 2858. It introduces a new BGP capabilities advertisement to determine whether a BGP peer supports MP-BGP. It introduces optional nontransitive attributes used to advertise feasible routes to a peer, network layer reachability information, and other characteristics. It defines an address family identifier (AFI) of 2 to identify IPv6, which is used to convey an IPv4 address as the BGP next hop for the advertised IPv6 prefixes.
Route Reflectors
iBGP requires that all routers be configured to establish a logical connection with all other iBGP routers. The logical connection is a TCP link between all iBGP-speaking routers. The meshed peers can become very large. Network administrators can use route reflectors to reduce the number of required mesh links between iBGP peers. Some routers are selected to become the route reflectors to serve several other routers that act as route-reflector clients. Route reflectors allow a router to advertise or reflect routes to clients. The route reflector and its clients form a cluster. All client routers in the cluster peer with the route reflectors within the cluster. The route reflectors also peer with all other route reflectors in the internetwork. A cluster can have more than one route reflector.
In Figure 11-11, without route reflectors, all iBGP routers are configured in an iBGP mesh,
as required by the protocol. When Routers A and G become route reflectors, they peer
with Routers C and D; Router B becomes a route reflector for Routers E and F. Routers A,
B, and G peer among each other.
Figure 11-11 Route Reflectors (figure: AS 100 with Routers A through G; the full iBGP mesh without RR compared with the iBGP connections reduced with RR, where Routers A, G, C, and D form Cluster 10 and Routers B, E, and F form a second cluster; external peerings to AS 1 through AS 6)
Note: The combination of the route reflector and its clients is called a cluster. In Figure 11-11,
Routers A, G, C, and D form a cluster. Routers B, E, and F form another cluster.
Routers A and G are configured to peer with each other and with Routers B, C, and D. The
configuration of Routers C and D is different from the rest; they are configured to peer
with Routers A and G only. All route reflectors in the same cluster must have the same
cluster ID number.
Router B is the route reflector for the second cluster. Router B peers with Routers A and G
and with Routers E and F in its cluster. Routers E and F are route-reflector clients and peer
only with Router B. If Router B goes down, the cluster on the right goes down because no
second route reflector is configured.
Confederations
Another method to reduce the iBGP mesh within an autonomous system is BGP confederations. With confederations, the autonomous system is divided into smaller sub-autonomous systems, and the whole group is assigned a confederation ID. The sub-ASNs or
identifiers are not advertised to the Internet but are contained within the iBGP networks.
The routers within each private autonomous system are configured with the full iBGP
mesh. Each sub-autonomous system is configured with eBGP to communicate with other
sub-autonomous systems in the confederation. External autonomous systems see only the
ASN of the confederation, and this number is configured with the BGP confederation
identifier.
In Figure 11-12, a confederation divides the autonomous system into two.
Routers A, B, and G are configured for eBGP between the sub-autonomous systems. You configure the bgp confederation identifier command on all routers. The confederation identifier number is the same for all routers in the network. You use the bgp confederation peers command to identify the ASN of other sub-autonomous systems in the confederation. Because Routers A and G are in autonomous system 10, the peer confederation to
Router B is autonomous system 20. Router B is in autonomous system 20, and its peer confederation to Routers A and G is autonomous system 10. Routers C and D are part of autonomous system 10 and peer with each other and with Routers A and G. Routers E and F
are part of autonomous system 20 and peer with each other and with Router B.
BGP Administrative Distance
The Cisco IOS software assigns an administrative distance to eBGP and iBGP routes, as it
does with other routing protocols. For the same prefix, the route with the lowest administrative distance is selected for inclusion in the IP forwarding table. For BGP, the administrative distances are
■ eBGP routes: 20
■ iBGP routes: 200
BGP Attributes, Weight, and the BGP Decision Process
The BGP protocol uses path attributes to select the best path to a destination. This subBGP decision process.
Figure 11-12 BGP Confederations (figure: the full iBGP mesh with no confederation in AS 100 compared with the iBGP connections reduced with Confederation 100 split into AS 10 and AS 20; Routers A through G; external peerings to AS 1 through AS 6)
BGP Path Attributes
BGP uses several attributes for the path-selection process. BGP uses path attributes to
communicate routing policies. BGP path attributes include next hop, local preference, autonomous system path, origin, multi-exit discriminator (MED), atomic aggregate, and aggregator. Of these, the autonomous system path is one of the most important attributes: It
lists the number of autonomous system paths to reach a destination network.
BGP attributes can be categorized as well known or optional. Well-known attributes are
recognized by all BGP implementations. Optional attributes do not have to be supported
by the BGP process.
Well-known attributes can be further subcategorized as mandatory or discretionary.
Mandatory attributes are always included in BGP update messages. Discretionary attributes might or might not be included in the BGP update message.
Optional attributes can be further subcategorized as transitive or nontransitive
must advertise the route with transitive attributes to its peers even if it does not support
the attribute locally. If the path attribute is nontransitive, the router does not have to advertise the route to its peers.
The following subsections cover each attribute category.
Next-Hop Attribute
The next-hop attribute is the IP address of the next IP hop that will be used to reach the
destination. The next-hop attribute is a well-known mandatory attribute.
Local Preference Attribute
The local preference attribute indicates which path to use to exit the autonomous system.
It is a well-known discretionary attribute used between iBGP peers and is not passed on
to external BGP peers. In Cisco IOS software, the default local preference is 100. The
higher local preference is preferred.
The default local preference is configured on the BGP router with an external path; it then
advertises its local preference to internal iBGP peers. Figure 11-13 shows an example of
the local preference attribute where Routers B and C are configured with different local
preference values. Router A and other iBGP routers then receive routes from both Router B
and Router C. Router A prefers using Router C to route Internet packets because it has a
higher local preference (400) than Router B (300). The arrows represent the paths taken to
go out of the autonomous system.
Figure 11-13 BGP Local Preference (figure: in AS 100, Router A 1.1.1.1 peers over iBGP with Router B 1.2.1.1, local pref = 300, and Router C 1.3.1.1, local pref = 400; Router D s0: 2.2.2.1 in AS 200 and Router E s0: 3.1.1.1 in AS 300 lead toward the Internet; arrows mark the exit paths)
Origin Attribute
Origin is a well-known mandatory attribute that defines the source of the
tion. Do not confuse the origin with comparing whether the route is
(eBGP) or
internal (iBGP). The origin attribute is received from the source BGP router. There are
three types:
■ IGP: Indicated by an i in the BGP table. Present when the route is learned by way of the network statement.
■ EGP: Indicated by an e in the BGP table. Learned from EGP.
■ Incomplete: Indicated by a question mark (?) in the BGP table. Learned from redistribution of the route.
In terms of choosing a route based on origin, BGP prefers routes that have been verified
by an IGP over routes that have been learned from EGP peers, and BGP prefers routes
learned from eBGP peers over incomplete paths.
Autonomous System Path Attribute
The autonomous system path is a well-known mandatory attribute that contains a list of
ASNs in the path to the destination. Each autonomous system prepends its own ASN to
the autonomous system path. The autonomous system path describes all the autonomous
systems a packet would have to travel to reach the destination IP network. It is used to ensure that the path is loop free. When the autonomous system path attribute is used to select a path, the route with the fewest autonomous system hops is preferred. In the case of
a tie, other attributes, such as MED, break the tie. Example 12-1 shows the autonomous
system path for network 200.50.32.0/19. To reach the destination, a packet must pass autonomous systems 3561, 7004, and 7418. The command show ip bgp 200.50.32.0 displays the autonomous system path information.
Example 12-1 Autonomous System Path Attribute
Router# show ip bgp 200.50.32.0
BGP routing table entry for 200.50.32.0/19, version 93313535
Paths: (1 available, best #1)
Not advertised to any peer
3561 7004 7418
206.24.241.181 (metric 490201) from 165.117.1.219 (165.117.1.219)
Origin IGP, metric 4294967294, localpref 100, valid, internal, best
Community: 2548:182 2548:337 2548:666 3706:153
MED Attribute
The MED attribute, also known as a metric, tells an external BGP peer the preferred path
into the autonomous system when multiple paths into the same autonomous system exist.
In other words, MED influences which one of many paths a neighboring autonomous system uses to reach destinations within the autonomous system. It is an optional nontransitive attribute carried in eBGP updates. The MED attribute is not used with iBGP peers.
The lowest MED value is preferred, and the default value is 0. Paths received with no
MED are assigned a MED of 0. The MED is carried into an autonomous
not leave the autonomous system.
Consider the diagram shown in Figure 11-14. With all attributes considered equal, consider that Router C selects Router A as its best path into autonomous system 100 based on
Router A’s lower router ID (RID). If Router A is configured with a MED of 200, that will
make Router C select Router B as the best path to autonomous system 100. No additional
configuration is required on Router B because the default MED is 0.
Figure 11-14 MED Attribute (figure: Router C 2.1.1.1 in AS 200 receives paths from Router A 1.1.1.1 with MED = 200 and Router B 1.2.1.1 with MED = 0, both in AS 100)
Community Attribute
Although it is not an attribute used in the routing-decision process, the community attribute groups routes and applies policies or decisions (accept, prefer) to those routes. It is a
group of destinations that share some common property. The community attribute is an
optional transitive attribute of variable length.
Atomic Aggregate and Aggregator Attributes
The atomic aggregate attribute informs BGP peers that the local router used a less specific
(aggregated) route to a destination without using a more specific route.
If a BGP router selects a less-specific route when a more-specific route is available, it must
attach the atomic aggregate attribute when propagating the route. The atomic aggregate
attribute lets the BGP peers know that the BGP router used an aggregated route. A morespecific route must be in the advertising router’s BGP table before it propagates an aggregate route.
When the atomic aggregate attribute is used, the BGP speaker has the option to send the
aggregator attribute. The aggregator attribute includes the ASN and the IP address of the
router that originated the aggregated route. In Cisco routers, the IP address used is the
discretionary attribute, and aggregator is an optional transitive attribute.
Weight
Weight is assigned locally on a router to specify a preferred path if multiple paths exist
out of a router for a destination. Weights can be applied to individual routes or to all
routes received from a peer. Weight is specific to Cisco routers and is not propagated to
other routers. The weight value ranges from 0 to 65,535. Routes with a higher weight are
preferred when multiple routes exist to a destination. Routes that are originated by the local router have a default weight of 32,768.
You can use weight rather than local preference to influence the selected path to external
BGP peers. The difference is that weight is configured locally and is not exchanged in BGP
updates. On the other hand, the local preference attribute is exchanged between iBGP
peers and is configured at the gateway router.
When the same destinations are advertised from both Router B and Router C, as shown in
Figure 11-15, Router A prefers the routes from Router C over Router B because the routes
received from Router C have a larger weight (600) locally assigned.
Figure 11-15 BGP Weight (figure: Router A receives routes from Router C 5.1.1.1 with Weight = 600 and from Router B 4.1.1.1 with Weight = 400; autonomous systems AS 100, AS 200, and AS 500 toward the Internet)
BGP Decision Process
By default, BGP selects only a single path to reach a specific destination (unless you specify maximum paths). The Cisco implementation of BGP uses a simple decision process.
When the path is selected, BGP puts the selected path in its routing table and propagates
the path to its neighbors.
To select the best path to a destination, Cisco routers running BGP use the following algorithm in the following order:
1. If the specified next hop is inaccessible, drop the path.
2.
drop the path.
3. Prefer the path with the largest weight. (This step is Cisco specific, and weight is localized to the router.)
4. Prefer the path with the largest local preference. iBGP uses this path only to reach the
preferred external BGP router.
5. Prefer the path that was locally originated via a network or aggregate BGP subcommand or through redistribution from an IGP. Local paths sourced by network or redistribute commands are preferred over local aggregates sourced by the aggregate-address command. (This step is Cisco specific.)
6. If no route was originated, prefer the route that has the shortest autonomous system
path. (This step is Cisco specific.)
7. If all paths have the same autonomous system path length, prefer the path with the
lowest origin type. Paths with an origin type of IGP (lower) are preferred over paths
originated from an EGP such as BGP, and EGP origin is preferred over a route with an
incomplete origin. (This step is Cisco specific.)
8. If the origin codes are the same, prefer the path with the lowest MED attribute. An
eBGP peer uses this attribute to select a best path to the autonomous system. (This
step is a tiebreaker, as described in the RFC that defines the BGP.)
9. If the paths have the same MED, prefer the external (eBGP) path over the internal
(iBGP) path. (This step is Cisco specific.)
10. If the paths are still the same, prefer the path through the closest IGP neighbor (best
IGP metric). (This step is a tiebreaker, as described in the RFC that defines the BGP.)
11. Prefer the path with the BGP neighbor with the lowest router ID. (The RFC that defines the BGP describes the router ID.)
After BGP decides on a best path, it marks it with a > sign in the show ip bgp table and
adds it to the IP routing table.
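The ordered comparison above is the part of BGP that most often surprises people when a policy change does not produce the expected exit. As an added example, not from the book or from Cisco IOS, the following Python ranks a set of candidate paths with a sort key whose components follow steps 3 through 11 and reports which step separated the winner from the runner-up. The BgpPath fields, the helper topologies rebuilt from Figures 11-13, 11-14, and 11-15, and the omission of step 2 (synchronization) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Origin codes as shown in the BGP table: i (IGP) beats e (EGP), which beats ? (incomplete).
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}
# Step 5: network/redistribute sources beat aggregate-address; any local source beats a learned path.
LOCAL_SOURCE_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, None: 2}
# Step numbers from the text, in the order path_key() evaluates them.
STEP_NUMBERS = (3, 4, 5, 6, 7, 8, 9, 10, 11)


@dataclass
class BgpPath:
    next_hop: str
    neighbor_rid: str                    # router ID of the peer that sent the path
    as_path: List[int]
    weight: int = 0                      # Cisco-local; locally originated routes default to 32768
    local_pref: int = 100                # Cisco IOS default
    origin: str = "i"
    med: int = 0                         # a path received without MED is treated as MED 0
    ebgp: bool = True
    igp_metric: int = 0                  # IGP cost to reach next_hop
    local_source: Optional[str] = None   # "network", "redistribute", "aggregate" or None


def rid_tuple(rid: str) -> Tuple[int, ...]:
    """Compare router IDs numerically, octet by octet, not as strings."""
    return tuple(int(octet) for octet in rid.split("."))


def path_key(p: BgpPath):
    """Sort key: the smallest tuple is the best path (steps 3 through 11)."""
    return (
        -p.weight,                          # 3: largest weight
        -p.local_pref,                      # 4: largest local preference
        LOCAL_SOURCE_RANK[p.local_source],  # 5: locally originated first
        len(p.as_path),                     # 6: shortest AS path
        ORIGIN_RANK[p.origin],              # 7: lowest origin type
        p.med,                              # 8: lowest MED
        0 if p.ebgp else 1,                 # 9: eBGP over iBGP
        p.igp_metric,                       # 10: closest IGP neighbor
        rid_tuple(p.neighbor_rid),          # 11: lowest neighbor router ID
    )


def select_best_path(paths, reachable_next_hops):
    """Return (best_path, deciding_step), or (None, None) if no path is usable.

    Step 1 drops any path whose next hop is not in the routing table. Step 2
    (synchronization) is not modelled. deciding_step is the first step at which
    the winner beat the runner-up, or None when a single path survived step 1.
    """
    candidates = [p for p in paths if p.next_hop in reachable_next_hops]
    if not candidates:
        return None, None
    ranked = sorted(candidates, key=path_key)
    best = ranked[0]
    if len(ranked) == 1:
        return best, None
    for step, mine, theirs in zip(STEP_NUMBERS, path_key(best), path_key(ranked[1])):
        if mine != theirs:
            return best, step
    return best, None   # fully identical keys: the stable sort kept the earlier entry


def figure_11_13():
    """Router A in AS 100 hears one prefix from B (local pref 300) and C (local pref 400)."""
    via_b = BgpPath("1.2.1.1", "1.2.1.1", [200], local_pref=300, ebgp=False)
    via_c = BgpPath("1.3.1.1", "1.3.1.1", [300], local_pref=400, ebgp=False)
    return select_best_path([via_b, via_c], {"1.2.1.1", "1.3.1.1"})


def figure_11_14(med_on_router_a: int):
    """Router C in AS 200 chooses between Routers A and B in AS 100."""
    via_a = BgpPath("1.1.1.1", "1.1.1.1", [100], med=med_on_router_a)
    via_b = BgpPath("1.2.1.1", "1.2.1.1", [100], med=0)
    return select_best_path([via_a, via_b], {"1.1.1.1", "1.2.1.1"})


def figure_11_15():
    """Router A assigns weight 600 to routes from C and 400 to routes from B (constructed AS paths)."""
    via_c = BgpPath("5.1.1.1", "5.1.1.1", [200], weight=600)
    via_b = BgpPath("4.1.1.1", "4.1.1.1", [500], weight=400)
    return select_best_path([via_b, via_c], {"4.1.1.1", "5.1.1.1"})


if __name__ == "__main__":
    for name, result in (("11-13", figure_11_13()), ("11-14", figure_11_14(200)),
                         ("11-15", figure_11_15())):
        best, step = result
        print(f"Figure {name}: best via {best.next_hop}, decided at step {step}")
```

Two details worth knowing when reading a real router: Cisco IOS compares MED only between paths received from the same neighboring autonomous system unless bgp always-compare-med is configured, whereas this example compares it unconditionally, exactly as the list in the text reads; and with no MED configured anywhere, Figure 11-14 falls all the way through to step 11, which is why a router ID is not a cosmetic setting.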
BGP Summary
The characteristics of BGP follow:
■ BGP is an Exterior Gateway Protocol (EGP) used in routing in the Internet. It is an interdomain routing protocol.
■ BGP is a path-vector routing protocol suited for strategic routing policies.
■ It uses TCP port 179 to establish connections with neighbors.
■ BGPv4 implements CIDR.
■ eBGP is used for external neighbors. It is used between different autonomous systems.
■ iBGP is used for internal neighbors. It is used within an autonomous system.
■ BGP uses several attributes in the routing-decision algorithm.
■ It uses confederations and route reflectors to reduce BGP peering overhead.
■
bound traffic.
■ Weight is used to influence the path of outbound traffic from a single router, configured locally.
Route Manipulation
This section covers policy-based routing (PBR), route summarization, route filtering, and
route redistribution. You can use PBR to modify the next hop of packets from what is selected by the routing protocol. PBR is useful when the traffic engineering of paths is required. Routes are summarized at network boundaries to reduce the size of routing tables. Redistribution between routing protocols is required to inject route information from one routing protocol to another. Route filtering is used to control which network addresses get redistributed or to control access to certain parts of the network. The CCDA must understand the issues with the redistribution of routes.
PBR
You can use PBR to modify the next-hop address of packets or to mark packets to receive
differential service. Routing is based on destination addresses; routers look at the routing
table to determine the next-hop IP address based on a destination lookup. PBR is commonly used to modify the next-hop IP address based on the source address. You can also
use PBR to mark the IP precedence bits in outbound IP packets so that you can apply QoS
policies. In Figure 11-16, Router A exchanges routing updates with routers in the WAN.
The routing protocol might select Serial 0 as the preferred path for all traffic because of
the higher bandwidth. The company might have business-critical systems that use the T1
but does not want systems on Ethernet 1 to affect WAN performance. You can configure
PBR on Router A to force traffic from Ethernet 1 out on Serial 1.
Figure 11-16 Policy-Based Routing (figure: Router A with Ethernet 0: 192.168.1.0/24, Ethernet 1: 192.168.2.0/24, Serial 0: T-1, and Serial 1: 512 k toward the WAN)
Route Summarization
Large networks can grow quickly from 500 routes to 1000, to 2000, and higher. Network
IP addresses should be allocated to allow for route summarization. Route summarization
reduces the amount of route traffic on the network and unnecessary route computation.
Route summarization also allows the network to scale as a company grows.
The recommended location for route summarization is the distribution layer of the network topology. Figure 11-17 shows a hierarchical network. It has a network core, regional distribution routers, and access routers for sites.
Figure 11-17 Route Summarization (figure: a network core with distribution routers for the Europe, North America, and Brazil regions, which are summarized as 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16; access networks 10.1.1.0/24, 10.1.2.0/24, ..., 10.2.1.0/24, 10.2.2.0/24, ..., 10.3.1.0/24, 10.3.2.0/24, ...)
Routers in Europe need to know only the summarized route to get to Brazil and North
America, and vice versa. Again, a design best practice is to summarize at the distribution
toward the core. The core needs to know only the summarized route of the regional areas.
You can also use summarization to aggregate four contiguous Class C networks at the /22
bit level. For example, networks 200.1.100.0, 200.1.101.0, 200.1.102.0, and 200.1.103.0 share
common bits, as shown in Table 11-7. The resulting network is 200.1.100.0/22, which you
can use for a 1000-node network.
Table 11-7 Common Bits Within Class C Networks
Binary Address                         IP Address
11001000 00000001 01100100 00000000    200.1.100.0
11001000 00000001 01100101 00000000    200.1.101.0
11001000 00000001 01100110 00000000    200.1.102.0
11001000 00000001 01100111 00000000    200.1.103.0
It is important for an Internet network designer to assign IP networks in a manner that
permits summarization. It is preferred that a neighboring router receive one summarized
route, rather than 8, 16, 32, or more routes, depending on the level of summarization. This
setup reduces the size of the routing tables in the network.
Figure 11-18 shows another example of route summarization. All the edge routers send
network information to their upstream routers. Router E summarizes its two LAN networks
by sending 192.168.16.0/23 to Router A. Router F summarizes its two LAN networks by
sending 192.168.18.0/23. Router B summarizes the networks it receives from Routers
C and D. Routers B, E, and F send their routes to Router A. Router A sends a single route
(192.168.16.0/21) to its upstream router, instead of sending eight routes. This process reduces the number of networks that upstream routers need to include in routing updates.
Figure 11-18 Route Summarization (Router A advertises 192.168.16.0/21 to its upstream router; Router E summarizes 192.168.16.0/24 and 192.168.17.0/24 as 192.168.16.0/23; Router F summarizes 192.168.18.0/24 and 192.168.19.0/24 as 192.168.18.0/23; Router B summarizes 192.168.20.0/24 through 192.168.23.0/24, received from Routers C and D, as 192.168.20.0/22)
Notice in Table 11-8 that all the Class C networks share a bit boundary with 21 common
bits. The networks are different on the 22nd bit and thus cannot be summarized beyond
the 21st bit. All these networks are summarized with 192.168.16.0/21.
Table 11-8 Summarization of Networks

Binary Address                         IP Network
11000000 10101000 00010000 00000000    192.168.16.0
11000000 10101000 00010001 00000000    192.168.17.0
11000000 10101000 00010010 00000000    192.168.18.0
11000000 10101000 00010011 00000000    192.168.19.0
11000000 10101000 00010100 00000000    192.168.20.0
11000000 10101000 00010101 00000000    192.168.21.0
11000000 10101000 00010110 00000000    192.168.22.0
11000000 10101000 00010111 00000000    192.168.23.0
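The common-bits test that Tables 11-7 and 11-8 perform by hand can be computed for any list of prefixes. The following Python is an added example, not code from this guide or from Cisco; it uses only the standard library, and the function names (to_binary, common_prefix_length, summarize) are this example's own. Beyond what the tables show, it also reports whether the aggregate is exact: a summary that covers more address space than its members own attracts traffic for addresses the site does not have, which is a design check worth making before advertising it.

```python
"""Added example (not from the CCDA guide): compute the summary route for a
list of IPv4 networks the way Tables 11-7 and 11-8 do by hand, by finding the
bits all member addresses have in common. Standard library only; the sample
prefixes are the ones from the tables and Figure 11-18."""
import ipaddress


def to_binary(network):
    """Dotted binary form of a network address, as printed in Tables 11-7 and 11-8."""
    octets = str(ipaddress.ip_network(network).network_address).split(".")
    return " ".join(f"{int(o):08b}" for o in octets)


def common_prefix_length(networks):
    """Number of leading bits shared by every network in the list.

    The result never exceeds the shortest member mask: a /22 member cannot be
    summarized as a /24 even if the first 24 bits happen to agree.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    bits = min(n.prefixlen for n in nets)
    for net in nets[1:]:
        differing = first ^ int(net.network_address)
        # the highest differing bit bounds the common prefix from above;
        # Table 11-8's networks differ at bit 22, so the summary stops at /21
        bits = min(bits, 32 - differing.bit_length())
    return bits


def summarize(networks):
    """Return (summary network, exact) for the given member networks.

    exact is True when the members fill the summary completely, so the
    aggregate advertises no address space the members do not own
    (members are assumed not to overlap each other).
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    length = common_prefix_length(networks)
    summary = ipaddress.ip_network(f"{nets[0].network_address}/{length}", strict=False)
    owned = sum(n.num_addresses for n in nets)
    return summary, owned == summary.num_addresses


if __name__ == "__main__":
    table_11_8 = [f"192.168.{i}.0/24" for i in range(16, 24)]
    for net in table_11_8:
        print(to_binary(net), net)
    summary, exact = summarize(table_11_8)
    print(f"summary {summary}, exact={exact}")   # 192.168.16.0/21, exact=True
    # Figure 11-18: Router A aggregates what Routers E, F, and B already summarized
    print(summarize(["192.168.16.0/23", "192.168.18.0/23", "192.168.20.0/22"]))
    # two non-contiguous /24s share 22 bits, but the /22 would cover twice their space
    print(summarize(["192.168.16.0/24", "192.168.18.0/24"]))   # 192.168.16.0/22, False
```

Run it as a script to see the binary rows of Table 11-8 and the three summaries; the last call is the case the text does not illustrate, where the common-bits rule still produces a /22 but the aggregate would claim two /24s the site does not own.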
To summarize, the recommended practices regarding summarization include the following:
■ Implement summarization at WAN connectivity and remote-access points toward the
network core, to reduce the routing table size.
■ Summarize at the distribution layer for all networks at interfaces that point to the network core.
■ Implement passive interfaces on access layer interfaces so that neighbor adjacencies
are not established through the access layer. A more-specific route might be created,
which would be taken over a summarized route.
Route Redistribution
Route redistribution is an exchange of routes between routing protocols (for example, between EIGRP and OSPF). You configure the redistribution of routing protocols on routers
that reside at the service provider edge of the network. These routers exchange routes
with other autonomous systems. Redistribution is also done on routers that run more than
one routing protocol. Here are some reasons to do redistribution:
■ Migration from an older routing protocol to a new routing protocol.
■ Mixed-vendor environment in which Cisco routers might be using EIGRP and other
vendor routers might be using OSPF.
■ Different administrative domain between company departments using different routing protocols.
■ Mergers and acquisitions in which the networks initially need to communicate. In this
scenario, two different EIGRP processes might exist.
Figure 11-19 shows an example of the exchange of routes between two autonomous
systems. Routes from autonomous system 100 are redistributed into BGP on Router A.
Routes from autonomous system 200 are redistributed into BGP on Router B. Then,
Routers A and B exchange BGP routes. Router A and Router B also implement filters to
redistribute only the desired networks.
Figure 11-19 Redistribution of BGP Routes (Router A in OSPF 100 and Router B in OSPF 200 redistribute their routes into BGP and exchange them over the BGP session between them)
A company might also acquire another company that might be running another routing
protocol. Figure 11-20 shows a network that has both OSPF and EIGRP routing protocols.
Routers A and B perform redistribution between OSPF and EIGRP. Both routers must filter routes from OSPF before redistributing them into EIGRP and filter routes from EIGRP
before redistributing them into OSPF. This setup prevents route feedback.
Figure 11-20 Redistribution Between IGPs (Routers A and B both redistribute between OSPF 100 and EIGRP 150)
Route feedback occurs when a routing protocol learns routes from another routing protocol and then announces the routes to the other routing protocol. In Figure 11-20, OSPF
should not advertise the routes it learned from EIGRP on Router A back to EIGRP on
Router B. And EIGRP should not announce the routes it learned from OSPF on Router B
back to EIGRP on Router A.
You can use access lists, distribution lists, and route maps when redistributing routes. You
can use these methods to specify (select) routes for redistribution, to set metrics, or to set
other policies for the routes. They are used to prevent loops in the redistribution. They are
also used to control routes’ redistribution direction. Redistribution can be accomplished
by two methods:
■ Two-way redistribution
■ One-way redistribution
In two-way redistribution, routing information is exchanged between both routing protocols. No static routes are used in this exchange. Route filters are used to prevent routing
loops. Routing loops can be caused by one route protocol redistributing routes that were
learned from a second route protocol back to that second routing protocol.
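To make the feedback mechanism concrete, here is an added Python model, not code from this guide or from Cisco, of two border routers performing two-way redistribution as in Figure 11-20. Router names, prefixes, and the tag values 110 and 90 are constructed for the example; each protocol's routes are held in a plain dict and administrative distance is left out so that the loop path itself is visible. The filter follows the pattern practitioners apply with route maps: tag every route on its way out of a protocol and deny that tag on its way back in.

```python
"""Added example (not from the CCDA guide): a small model of two-way
redistribution between OSPF and EIGRP on Routers A and B. Without a filter,
a prefix native to one protocol is handed back to it as an external route
(route feedback); with a tag filter it is not. Names, prefixes, and tag
values are constructed; administrative distance is deliberately ignored."""
from dataclasses import dataclass

# constructed tag values: a tag marks the protocol a route was redistributed from
TAG = {"ospf": 110, "eigrp": 90}


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str            # protocol the prefix is native to
    tag: int = 0           # 0 = native route; else TAG[...] of the protocol it left
    injected_by: str = ""  # router that redistributed it into this protocol ("" = native)


def redistribute(domains, router, src, dst, filtered):
    """Export every route of protocol `src` into protocol `dst` on `router`.

    Returns the prefixes that were fed back, i.e. offered to the protocol they
    are native to as an external route. With `filtered` True the route-map
    logic applies: deny anything tagged as having come out of `dst`.
    """
    fed_back = []
    for route in list(domains[src].values()):
        if route.injected_by == router:
            continue        # a router does not re-export what it injected itself
        if filtered and route.tag == TAG[dst]:
            continue        # deny: this route left `dst` earlier, do not send it back
        if route.origin == dst:
            fed_back.append(route.prefix)
        exported = Route(route.prefix, route.origin, route.tag or TAG[src], router)
        domains[dst].setdefault(route.prefix, exported)   # native entries are kept
    return fed_back


def simulate(filtered):
    """Mutual redistribution on Routers A and B; return the fed-back prefixes."""
    domains = {
        "ospf": {p: Route(p, "ospf") for p in ("10.1.0.0/16", "10.2.0.0/16")},
        "eigrp": {p: Route(p, "eigrp") for p in ("172.16.0.0/16",)},
    }
    fed_back = []
    for router in ("A", "B"):
        fed_back += redistribute(domains, router, "ospf", "eigrp", filtered)
        fed_back += redistribute(domains, router, "eigrp", "ospf", filtered)
    return sorted(set(fed_back))


if __name__ == "__main__":
    print("unfiltered:", simulate(filtered=False))  # every prefix comes back to its own protocol
    print("filtered:  ", simulate(filtered=True))   # []
```

Router A injects the OSPF prefixes into EIGRP and the EIGRP prefix into OSPF; Router B then sees those injected copies in the other protocol and, unfiltered, redistributes them straight back, which is the feedback the text describes. With the tag check in place Router B drops exactly those copies and only native prefixes cross each redistribution point.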
One-way redistribution only allows redistribution from one routing protocol to another.
Normally, it is used in conjunction with a default or static route at the edge of a network.
Figure 11-21 shows an example of one-way redistribution. The routing information from
the WAN routes is redistributed into the campus, but campus routes are not redistributed
out to the WAN. The WAN routers use a default gateway to get back to the campus.
Other locations for one-way redistribution are from building access networks, BGP routes
or static routes into the IGP, and from VPN static routes into the IGP.
Default Metric
You should configure the metric of the redistributed routes to a metric other than 0. You can
configure the metric in the redistribution command or with the default-metric command, which
you can also use in OSPF. IS-IS does not use the default-metric command. The
default-metric command is used to specify the seed metric that is used if one is not specified during redistribution. The default-metric command has the following syntax for EIGRP:
default-metric bandwidth delay reliability load mtu
Figure 11-21 One-Way Route Redistribution (Campus Network, Edge Distribution, and Remote WAN Sites; one-way redistribution from the remote WAN sites into the campus)
OSPF Redistribution
This subsection reviews a few things you need to remember when designing a network
that will redistribute with OSPF.
When redistributing routes into OSPF, use the subnets keyword to permit subnetted
routes to be received. If you do not use it, only the major network route is redistributed,
without any subnetworks. In other words, OSPF performs automatic summarization to IP
classful network values. Also, unlike EIGRP and RIPv2, OSPF does not need a metric to
be specified during redistribution, nor does it need a seed metric, because it uses a default metric for redistributed routes.
By default, redistributed routes are classified as external Type 2 (E2) in OSPF. You can use
the metric-type keyword to change the external route to an external Type 1 (E1). The network design can take into account the after-redistribution cost (Type 2) or the after-redistribution cost plus the path’s cost (Type 1).
In Figure 11-22, Router B is configured to perform mutual redistribution between EIGRP
100 and OSPF process ID 50. In this example, you can use route maps and access lists to
prevent routing loops. The route maps permit or deny the networks that are listed in the
access lists. The subnets keyword redistributes every subnet in EIGRP into OSPF. This
book does not cover exact configurations.
Route Filtering
Filtering of routes can occur on either a redistribution point or in the routing domain to
prevent some parts of the network from accessing other sections of the network.
Filtering at a redistribution point provides the following:
■ Avoids routing loops
■ Avoids suboptimal routing
■ Prevents certain routes from entering the domain
Figure 11-22 OSPF and EIGRP Redistribution (Router B redistributes between OSPF 50 and EIGRP 100; its interface S0, 170.10.8.1/30, connects to network 170.10.0.0 and its interface E0, 140.1.9.1/24, connects to network 140.1.0.0)
Another redistribution point where filtering is important is a multihomed BGP connection with multiple Internet providers. When BGP routes are exchanged with multiple Internet service providers (ISPs), route filtering is used to prevent the advertisement of private
addresses and addresses that are outside the scope of the domain. Route filtering is also used
to filter routes at the redistribution of BGP into IGPs such as OSPF, EIGRP, or RIP.
Routing Protocols on the Hierarchical Network Infrastructure
The selected routing protocol should be used based on the network design goals and the
network module being used. As shown in Figure 11-23, high-speed routing is recommended for the network core and distribution layers. These routing protocols react fast to
network changes. It is a best practice that the same routing protocol be used in the three
layers (core, distribution, access) of the enterprise network.
The enterprise edge connects the campus network with external connectivity including
WAN, Internet, VPN, remote-access modules. Routing protocols in the enterprise edge
may be EIGRP, OSPF, BGP, and static routes. Specifically in the Internet module you will
find BGP/static routes.
Table 11-9 shows a summary of the recommended routing protocols in the network infrastructure.
Table 11-9 Routing Protocols on the Hierarchical Network Infrastructure

Network Module              Routing Protocols
Campus core                 EIGRP, OSPF
Campus distribution         EIGRP, OSPF
Enterprise edge             EIGRP, OSPF, BGP, Static
Internet and VPN modules    BGP, Static
Figure 11-23 Routing Protocols on the Hierarchical Network Infrastructure (Enterprise Campus with Campus Core, Building Distribution, and Building Access running EIGRP or OSPF; Data Center; Enterprise Edge with E-Commerce/DMZ/Internet, Enterprise WAN, and Remote Access VPN/Internet modules running EIGRP, OSPF, BGP, and static routes)
IP Multicast Review
With multicast, packets are sent to a multicast group, which is identified with an IP multicast address. Multicast supports the transmission of IP packets from one source to multiple hosts. Packets with unicast addresses are sent to one device, and broadcast addresses
are sent to all hosts; packets with multicast addresses are sent to a group of hosts.
Multicast Addresses
Multicast addressing uses Class D addresses from the IPv4 protocol. Class D addresses
range from 224.0.0.0 to 239.255.255.255. IANA manages multicast addresses.
Routing protocols (RIPv2, EIGRP, and OSPF) use multicast addresses to speak to their
neighbors. For example, OSPF routers use 224.0.0.6 to speak to the designated router (DR)
in a multiaccess network. Class D multicast addresses range from 224.0.0.0 to
239.255.255.255. Multicast addresses in the range of 224.0.0.1 to 224.255.255.255 are reserved for special addresses or network protocols on a multiaccess link. RFC 2365 reserves
multicast addresses in the range of 239.192.000.000 to 239.251.255.255 for organization-local scope. Similarly, 239.252.000.000 to 239.252.255.255, 239.254.000.000 to
239.254.255.255, and 239.255.000.000 to 239.255.255.255 are reserved for site-local scope.
Table 11-10 lists some well-known and multicast address blocks.
Table 11-10 Multicast Addresses

Multicast Address                     Description
224.0.0.0/24                          Local network control block
224.0.0.1                             All hosts or all systems on this subnet
224.0.0.2                             All multicast routers
224.0.0.4                             Distance-Vector Multicast Routing Protocol (DVMRP) routers
224.0.0.5                             All OSPF routers
224.0.0.6                             All OSPF DR routers
224.0.0.9                             RIPv2 routers
224.0.0.10                            EIGRP routers
224.0.0.13                            All PIM routers
224.0.1.0/24                          Internetwork control block
224.0.1.39                            Rendezvous point (RP) announce
224.0.1.40                            RP discovery
224.0.2.0 to 224.0.255.0              Ad hoc block
239.000.000.000 to 239.255.255.255    Administratively scoped
239.192.000.000 to 239.251.255.255    Organization-local scope
239.252.000.000 to 239.254.255.255    Site-local scope
Layer 3-to-Layer 2 Mapping
Multicast-aware Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI) network interface cards use the reserved IEEE 802 address 0100.5e00 for multicast addresses
at the MAC layer. This includes Fast Ethernet and Gigabit Ethernet. Notice that for the address, the high-order byte 0x01 has the low-order bit set to 1. This bit is the
Individual/Group (I/G) bit. It signifies whether the address is an individual address (0) or a
group address (1). Hence, for multicast addresses, this bit is set to 1.
Ethernet interfaces map the lower 23 bits of the IP multicast address to the lower 23 bits
of the MAC address 0100.5e00.0000. As an example, the IP multicast address 224.0.0.2 is
mapped to the MAC layer as 0100.5e00.0002. Figure 11-24 shows another example looking at the bits of multicast IP 239.192.44.56. The IP address in hexadecimal is
EF:C0:2C:38. The lower 23 bits get mapped into the lower 23 bits of the base multicast
MAC to produce the multicast MAC address 01:00:5E:40:2C:38.
Multicast IP
  Decimal: 239.192.44.56
  Hex:     EF C0 2C 38
  Binary:  11101111 11000000 00101100 00111000
Base MAC address
  Hex:     01 00 5E 00 00 00
  Binary:  00000001 00000000 01011110 00000000 00000000 00000000
Multicast MAC address
  Binary:  00000001 00000000 01011110 01000000 00101100 00111000
  Hex:     01 00 5E 40 2C 38
Figure 11-24 Mapping of Multicast IP Addressing to MAC Addresses
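The mapping in Figure 11-24, as an added Python example that is not code from this guide or from Cisco (standard library only; the function names are this example's own). It goes beyond the single address in the figure by listing the 32 IPv4 groups that share one multicast MAC, which matters whenever a Layer 2 device filters multicast by MAC address alone.

```python
"""Added example (not from the CCDA guide): the Layer 3-to-Layer 2 multicast
mapping of Figure 11-24, plus the check the figure does not show: only the
low 23 bits of the 28-bit group number reach the MAC address, so 32 IPv4
groups collide on every multicast MAC. Standard library only."""
import ipaddress

# 01:00:5e:00:00:00, the IEEE-reserved base; bit 0 of the first byte is the I/G bit
MCAST_MAC_BASE = 0x01005E000000
LOW_23_BITS = 0x7FFFFF


def multicast_mac(ip):
    """Map an IPv4 multicast (Class D) address to its Ethernet multicast MAC."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a Class D address")
    mac = MCAST_MAC_BASE | (int(addr) & LOW_23_BITS)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def is_group_mac(mac):
    """True when the I/G bit (low-order bit of the first byte) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def groups_sharing_mac(ip):
    """Every IPv4 multicast group that maps to the same MAC as `ip`.

    The five bits between the fixed 1110 prefix and the mapped 23 bits are
    dropped by the mapping, so 2**5 = 32 groups share each MAC.
    """
    low = int(ipaddress.IPv4Address(ip)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(0xE0000000 | (lost << 23) | low))
            for lost in range(32)]


if __name__ == "__main__":
    print(multicast_mac("239.192.44.56"))   # 01:00:5e:40:2c:38, as in Figure 11-24
    print(multicast_mac("224.0.0.2"))       # 01:00:5e:00:00:02
    print(groups_sharing_mac("224.0.0.2"))  # 224.0.0.2, 224.128.0.2, 225.0.0.2, ...
```

Because the five discarded bits are invisible at Layer 2, 224.0.0.2, 224.128.0.2, 225.0.0.2, and 29 other groups all arrive as 01:00:5e:00:00:02. A switch that constrains multicast by MAC address cannot tell them apart, so when you assign application groups it is worth avoiding any group that aliases onto a 224.0.0.0/24 control address, since that address block is normally flooded to every port.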
IGMP
Internet Group Management Protocol is the protocol used in multicast implementations
between the end hosts and the local router. RFC 2236 describes IGMP Version 2
(IGMPv2). RFC 3376 describes IGMP Version 3 (IGMPv3). RFC 1112 describes the first
version of IGMP.
IP hosts use IGMP to report their multicast group memberships to routers. IGMP messages use IP protocol number 2. IGMP messages are limited to the local interface and are
not routed.
IGMPv1
The first RFC describing IGMP (RFC 1112), written in 1989, describes the host extensions for IP multicasting. IGMPv1 provides simple message types for communication between hosts and routers. These messages are
■ Membership query: Sent by the router to check whether a host wants to join a multicast group
■ Membership report: Sent by the host to join a multicast group in the segment
The problem with IGMPv1 is the latency involved for a host to leave a group. With
IGMPv1, the router sends membership queries periodically; a host must wait for the membership query message to leave a group. The query interval is 60 seconds, and it takes
three query intervals (3 minutes) for a host to leave the group.
IGMPv2
IGMPv2 improves on IGMPv1 by allowing faster termination or leaving of multicast groups.
IGMPv2 has three message types, plus one for backward compatibility:
■ Membership query: Sent by the router to check whether a host wants to join a group.
■ Version 2 membership report: A message sent to the group address with the multicast group members (IP addresses). It is sent by hosts to join and remain in multicast groups on the segment.
■ Version 2 leave group: Sent by the hosts to indicate that a host will leave a group; it
is sent to destination 224.0.0.2. After the host sends the leave group message, the
router responds with a group-specific query.
■ Version 1 membership report: For backward compatibility with IGMPv1 hosts.
You enable IGMP on an interface when you configure a multicast routing protocol, such
as PIM. You can configure the interface for IGMPv1, IGMPv2, or IGMPv3.
IGMPv3
IGMPv3 provides the extensions required to support source-specific multicast (SSM). It is
designed to be backward compatible with both earlier versions of IGMP.
IGMPv3 has two message types, plus three for backward compatibility:
■ Membership query: Sent by the router to check that a host wants to join a group.
■ Version 3 membership report: A message sent to the group address with the multicast group members (IP addresses). It is sent by hosts to request and remain in multicast groups on the segment.
■ Version 2 membership report: A message sent to the group address with the multicast group members (IP addresses). It is sent by hosts to request and remain in multicast groups on the segment. This message is used for backward compatibility with
IGMPv2 hosts.
■ Version 2 leave group: Sent by the hosts to indicate that a host will leave a group,
to destination 224.0.0.2. The message is sent without having to wait for the IGMPv2
membership report message. This message is used for backward compatibility with
IGMPv2 hosts.
■ Version 1 membership report: A message used for backward compatibility with
IGMPv1 hosts.
You enable IGMP on an interface when you enable a multicast routing protocol, such as
PIM. You can configure the interface for IGMPv1, IGMPv2, or IGMPv3.
CGMP
CGMP is a Cisco proprietary protocol implemented to control multicast traffic at Layer 2.
Because a Layer 2 switch is unaware of Layer 3 IGMP messages, it cannot keep multicast
packets from being sent to all ports.
As shown in Figure 11-25, with CGMP the LAN switch can speak with the IGMP router
to find out the MAC addresses of the hosts that want to receive the multicast packets.
With CGMP, switches distribute multicast sessions only to the switch ports that have
group members.
Figure 11-25 CGMP (hosts A, B, C, and D on one switch: without CGMP the switch floods multicast to all four ports; with CGMP it forwards only to the ports with group members)
When a router receives an IGMP report, it processes the report and then sends a CGMP
message to the switch. The switch can then forward the multicast messages to the port with
the host receiving multicast traffic. CGMP fast-leave processing allows the switch to detect
IGMP Version 2 leave messages sent by hosts on any of the switch ports. When a host
sends the IGMPv2 leave message, the switch can then disable multicasting for the port.
CGMP is no longer used and is not a CCDA topic. IGMP snooping is the standards-based
protocol used in today’s networks.
IGMP Snooping
IGMP snooping is a standards-based method for switches to control multicast traffic at
Layer 2. It has replaced CGMP. It listens to IGMP messages between the hosts and routers.
If a host sends an IGMP query message to the router, the switch adds the host to the multicast group and permits that port to receive multicast traffic. The port is removed from
multicast traffic if the host sends an IGMP leave message to the router. The disadvantage
of IGMP snooping is that it has to process every IGMP control message, which can impact the CPU utilization of the switch.
Sparse Versus Dense Multicast
IP multicast traffic for a particular (source, destination group) multicast pair is transmitted
from the source to the receivers using a spanning tree from the source that connects all the
hosts in the group. Multicast destinations are represented in the following form: (S,G) or
(*,G). Any multicast transmission has a Class D multicast group address, G. A multicast
group can have more than one source, and each such source will also have a “regular”
(Class A, B or C, or CIDR) Internet address, S. The notation (*,G) means every possible
source for a given group G, while (S,G) means a particular source, at a particular Internet
address S, in the group G.
trees that chart paths from each sender to all receivers. IP multicast routing protocols follow two approaches.
The first approach assumes that the multicast group members are densely distributed
throughout the network (many of the subnets contain at least one group member), all devices want to receive multicast traffic, and that bandwidth is plentiful. The approach with
dense multicast routing protocols is to flood the traffic throughout the network and then,
at the request of receiving routers, stop the flow of traffic on branches of the network that
have no members of the multicast group. Multicast routing protocols that follow this technique of flooding the network include DVMRP, Multicast Open Shortest Path First (MOSPF), and Protocol-Independent Multicast-Dense Mode (PIM-DM).
The second approach to multicast routing assumes that multicast group members are
sparsely distributed throughout the network, that receivers do not want to receive
multicast traffic, and that bandwidth is not necessarily widely available. Sparse mode does
not imply that the group has few members, just that they are widely dispersed. The approach with sparse multicast routing protocols is to not send traffic until it is requested by
the receiving routers or hosts. Multicast routing protocols of this type are Core-Based
Trees (CBT) and Protocol-Independent Multicast-Sparse Mode (PIM-SM). CBT is not
widely deployed and is not discussed in this book.
Multicast Source and Shared Trees
Multicast distribution trees control the path that multicast packets take to the destination
hosts. The two types of distribution trees are source and shared. With source trees, the
tree roots from the source of the multicast group and then expands throughout the network in spanning-tree fashion to the destination hosts. Source trees are also called shortest-path trees (SPT) because they create paths without having to go through a rendezvous
point (RP). The drawback is that all routers through the path must use memory resources
to maintain a list of all multicast groups. PIM-DM uses a source-based tree.
Shared trees create the distribution tree’s root somewhere between the network’s source
and receivers. The root is called the RP. The tree is created from the RP in spanning-tree
fashion with no loops. The advantage of shared trees is that they reduce the memory requirements of routers in the multicast network. The drawback is that initially the multicast
packets might not take the best paths to the receivers because they need to pass through
the RP. After the data stream begins to flow from sender to RP to receiver, the routers in
the path optimize the path automatically to remove any unnecessary hops. The RP function consumes significant memory on the assigned router. PIM-SM uses an RP.
PIM
PIM comes in two flavors: sparse mode (PIM-SM) and dense mode (PIM-DM). The first
uses shared trees and RPs to reach widely dispersed group members with reasonable protocol bandwidth efficiency. The second uses source trees and reverse path forwarding
(RPF) to reach relatively close group members with reasonable processor and memory efficiency in the network devices of the distribution trees.
With RPF, received multicast packets are forwarded out all other interfaces, allowing the
data stream to reach all segments. If no hosts are members of a multicast group on any of
the router’s attached or downstream subnets, the router sends a prune message up the distribution tree (the reverse path) to tell the upstream router not to send packets for the multicast group. So, the analogy for PIM-DM is the push method for sending junk mail, and
the intermediate router must tell upstream devices to stop sending it.
PIM-SM
PIM-SM is defined in RFC 2362. PIM-SM assumes that no hosts want to receive multicast
traffic unless specifically requested. The RP gathers the information from senders and
makes the information available to receivers. Routers with receivers have to register with
the RP. The end-host systems request multicast group membership using IGMP with their
local routers. The routers serving the end systems then register as traffic receivers with the
RPs for the specified group in the multicast network.
Joining PIM-SM
With PIM-SM, DRs on end segments receive IGMP query messages
from hosts wanting to join a multicast group. The router checks whether it is already
receiving the group for another interface. If it is receiving the group, the router adds
the new interface to the table and sends membership reports periodically on the new
interface.
If the multicast group is not in the multicast table, the router adds the interface to the
multicast table and sends a join message to the RP with multicast address 224.0.0.13 (all
PIM routers) requesting the multicast group.
Pruning PIM-SM
When a PIM-SM router does not have any more multicast receiving hosts
or receiving routers out any of its interfaces, it sends a prune message to the RP. The
prune message includes the group to be pruned or removed.
PIM DR
A designated router is selected in multiaccess segments running PIM. The PIM DR is
responsible for sending join, prune, and register messages to the RP. The PIM router with
the highest IP address is selected as the DR.
Auto-RP
Another way to configure the RP for the network is to have the RP announce its services
to the PIM network. This process is called auto-RP. Candidate RPs send their announcements to RP mapping agents with multicast address 224.0.1.39 (cisco-rp-announce). RP
mapping agents are also configured. In smaller networks, the RP can be the mapping
agent. The 224.0.1.40 (AUTO-RP-DISCOVERY) address is the destination address
for the discovery messages from the RP mapping agent. Configured RP mapping
agents listen to the announcements. The RP mapping agent then selects the RP for a group
based on the highest IP address of all the candidate RPs. The RP mapping agents then
send RP-discovery messages to the rest of the PIM-SM routers in the internetwork with
the selected RP-to-group mappings.
PIMv2 Bootstrap Router
Instead of using auto-RP, you can configure a PIMv2 bootstrap router (BSR) to automatically select an RP for the network. The RFC for PIM Version 2, RFC 2362, describes BSR.
With BSR, you configure BSR candidates (C-BSR) with priorities from 0 to 255 and a BSR
address. C-BSRs exchange bootstrap messages. Bootstrap messages are sent to multicast
IP 224.0.0.13 (all PIM routers). If a C-BSR receives a bootstrap message, it compares it
with its own. The largest priority C-BSR is selected as the BSR.
After the BSR is selected for the network, it collects a list of candidate RPs. The BSR selects RP-to-group mappings, which is called the RP set, and distributes the selected RPs
using bootstrap messages sent to 224.0.0.13 (all PIM routers).
DVMRP
RFC 1075 describes DVMRP. It is the primary multicast routing protocol used in the multicast backbone (MBONE). The MBONE is used in the research community.
DVMRP operates in dense mode using RPF by having routers send a copy of a multicast
packet out all paths. Routers that receive the multicast packets then send prune messages
back to their upstream neighbor router to stop a data stream if no downstream receivers of
the multicast group exist (either receiving routers or hosts on connected segments).
DVMRP implements its own unicast routing protocol, similar to RIP, based on hop counts.
DVMRP has a 32 hop-count limit. DVMRP does not scale well. Cisco’s support
of DVMRP is partial; DVMRP networks are usually implemented on UNIX machines running the mrouted process. A DVMRP tunnel is typically used to connect to the MBONE
DVMRP network.
IPv6 Multicast Addresses
IPv6 retains the use and function of multicast addresses as a major address class. IPv6 prefix FF00::/8 is allocated for all IPv6 multicast addresses. IPv6 multicast addresses are described in RFC 2373. EIGRP for IPv6, OSPFv3, and RIPng routing protocols use multicast
addresses to communicate between router neighbors.
The format of the IPv6 multicast address is described in Chapter 9, “Internet Protocol Version 6.” The common multicast addresses are repeated in Table 11-11.
Table 11-11 Well-Known Multicast Addresses

Multicast Address    Multicast Group
FF01::1              All nodes (node-local)
FF02::1              All nodes (link-local)
FF01::2              All routers (node-local)
FF02::2              All routers (link-local)
FF02::5              OSPFv3 routers
FF02::6              OSPFv3 DRs
FF02::9              Routing Information Protocol (RIPng)
FF02::A              EIGRP routers
FF02::B              Mobile agents
FF02::C              DHCP servers/relay agents
FF02::D              All PIM routers
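The Table 11-11 addresses decoded in code, as an added Python example that is not from this guide or from Cisco. It reads the flag and scope nibbles of the FF00::/8 format that Chapter 9 describes, using the scope values of RFC 4291 (the successor of RFC 2373), and derives the 33:33 Ethernet MAC defined in RFC 2464 as the IPv6 counterpart of the Figure 11-24 mapping; the function names are this example's own.

```python
"""Added example (not from the CCDA guide): decode an IPv6 multicast address
into its flags, scope, and group ID, and derive its Ethernet multicast MAC.
Scope names follow RFC 4291 (node-local is the RFC 2373 term this page uses
for interface-local); the 33:33 MAC prefix follows RFC 2464."""
import ipaddress

SCOPES = {
    0x1: "node-local (interface-local)",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

WELL_KNOWN = {  # Table 11-11
    "FF01::1": "All nodes (node-local)", "FF02::1": "All nodes (link-local)",
    "FF01::2": "All routers (node-local)", "FF02::2": "All routers (link-local)",
    "FF02::5": "OSPFv3 routers", "FF02::6": "OSPFv3 DRs",
    "FF02::9": "RIPng", "FF02::A": "EIGRP routers", "FF02::B": "Mobile agents",
    "FF02::C": "DHCP servers/relay agents", "FF02::D": "All PIM routers",
}


def _multicast(address):
    addr = ipaddress.IPv6Address(address)
    if not addr.is_multicast:
        raise ValueError(f"{address} is not in FF00::/8")
    return int(addr)


def decode_multicast(address):
    """Return the scope, transient flag, and group ID of an IPv6 multicast address."""
    value = _multicast(address)
    flags = (value >> 116) & 0xF      # second nibble: 0RPT; T=1 means transient
    scope = (value >> 112) & 0xF      # third nibble
    return {
        "scope": SCOPES.get(scope, f"reserved/unassigned (0x{scope:X})"),
        "transient": bool(flags & 0x1),   # False = permanently assigned by IANA
        "group_id": value & ((1 << 112) - 1),
    }


def ipv6_multicast_mac(address):
    """33:33 followed by the low 32 bits of the group address (RFC 2464)."""
    low32 = _multicast(address) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def all_well_known_permanent():
    """Every Table 11-11 entry carries the T flag clear, i.e. is IANA-assigned."""
    return all(not decode_multicast(a)["transient"] for a in WELL_KNOWN)


if __name__ == "__main__":
    for addr, group in WELL_KNOWN.items():
        info = decode_multicast(addr)
        print(f"{addr:8} {group:28} scope={info['scope']:30} mac={ipv6_multicast_mac(addr)}")
```

Unlike the IPv4 case in Figure 11-24, the IPv6 mapping keeps the low 32 bits of the group ID, so the well-known groups on this page all map to distinct MACs (33:33:00:00:00:01 for FF02::1, 33:33:00:00:00:0a for FF02::A, and so on); the scope nibble is what separates FF01::1 from FF02::1, which is why the two appear as separate rows in Table 11-11.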
References and Recommended Readings
Bruno, A. CCIE Routing and Switching Exam Certification Guide. Indianapolis: Cisco Press, 2002.
RFC 2740, OSPF for IPv6, www.ietf.org/rfc.
RFC 1587, The OSPF NSSA Option, www.ietf.org/rfc.
Martey, A. IS-IS Network Design Solutions. Indianapolis: Cisco Press, 2002.
RFC 1584, Multicast Extensions to OSPF, www.ietf.org/rfc.
RFC 2328, OSPF Version 2, www.ietf.org/rfc.
RFC 1142, OSI IS-IS Intra-domain Routing Protocol, www.ietf.org/rfc.
Border Gateway Protocol, www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.htm.
RFC 1997, BGP Communities Attribute, www.ietf.org/rfc.
RFC 1112, Host Extensions for IP Multicasting, www.ietf.org/rfc.
Doyle, J. and J. Carroll. Routing TCP/IP, Volume I, Second Edition. Indianapolis: Cisco Press, 2005.
Doyle, J. and J. Carroll. Routing TCP/IP, Volume II. Indianapolis: Cisco Press, 2001.
RFC 2362, Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification (experimental), www.ietf.org/rfc.
RFC 2236, Internet Group Management Protocol, Version 2, www.ietf.org/rfc.
RFC 1519, Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy, www.ietf.org/rfc.
Halabi, S. Internet Routing Architectures. Indianapolis: Cisco Press, 2000.
“Internet Protocol (IP) Multicast Technology Overview” (white paper), www.cisco.com/en/US/products/ps5763/products_white_paper0900aecd804d5fe6.shtml.
RFC 2365, Administratively Scoped IP Multicast, www.ietf.org/rfc.
A Border Gateway Protocol 4 (BGP-4), www.ietf.org/rfc.
RFC 1075, Distance Vector Multicast Routing Protocol, www.ietf.org/rfc.
Williamson, B. Developing IP Multicast Networks. Indianapolis: Cisco Press, 1999.
RFC 2858, Multiprotocol Extensions for BGP-4, www.ietf.org/rfc.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 11-12 lists a reference of these key topics and the page
numbers on which each is found.
Table 11-12 Key Topics

Key Topic Element    Description                     Page
Summary              OSPFv2 areas                    393
Summary              OSPF router types               394
Summary              OSPF LSA types                  396
List                 Major changes to OSPFv3         400
Table 11-6           OSPFv3 LSA types                402
Summary              eBGP                            406
Summary              iBGP                            406
List                 BGP administrative distances    409
Summary              Route summarization             416
Summary              Route redistribution            419
Summary              Route filtering                 421
Summary              Multicast                       423
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
OSPFv2, OSPFv3, ABR, ASBR, DR, LSA, stub, BGP, iBGP, QPPB, MP-BGP, PBR, IGMP,
PIM
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. True or false: A router needs to have all its interfaces in Area 0 to be considered an
OSPF backbone router.
2. True or false: OSPF IS-IS uses a designated router in multiaccess networks.
3. Which multicast addresses do OSPFv2 routers use?
4. Which multicast addresses are used by OSPFv3 routers?
5. What is the Cisco administrative distance of OSPF?
6. Which OSPFv2 router type generates the OSPF Type 3 LSA?
7. Which OSPFv2 router type generates the OSPF Type 2 LSA?
8. What is included in an OSPFv2 router LSA?
9. True or false: The router with the lowest priority is selected as the OSPF DR.
10. True or false: You use iBGP to exchange routes between different autonomous systems.
11. True or false: BGP Version 4 does not include support for CIDR, only OSPF and
EIGRP do.
12. True or false: eBGP and iBGP redistribute automatically on a router if the BGP peers
are configured with the same autonomous system number.
13. eBGP routes have an administrative distance of ____, and iBGP routes have an administrative distance of ____.
14. True or false: IGMP snooping and CGMP are methods to reduce the multicast traffic
at Layer 2.
15. True or false: PIM has a hop-count limit of 32.
16. True or false: PIM-SM routers use the multicast 224.0.0.13 address to request a multicast group to the RP.
17. True or false: autonomous system path is the only attribute BGP uses to determine
the best path to the destination.
18. List three IP routing protocols that use multicast addresses to communicate with
their neighbors.
19. What IPv6 multicast address does EIGRP use for IPv6?
20. Match the routing protocol with the description:
i. EIGRP
ii. OSPFv2
iii. RIPv2
Chapter 11: OSPF, BGP, Route Manipulation, and IP Multicast 435
iv. BGP
a. Distance-vector protocol used in the edge of the network
b. IETF link-state protocol used in the network core
c. Hybrid protocol used in the network core
d. Path-vector protocol
21. What is the default OSPF cost for a Fast Ethernet interface?
22. Which routing protocol do you use in the core of a large enterprise network that supports VLSMs for a network with a mix of Cisco and non-Cisco routers?
23. What is the benefit of designing for stub areas?
24. What constraint does the OSPF network design have for traffic traveling between areas?
25. How is OSPFv3 identified as the upper-layer protocol in IPv6?
26. Which routing protocols are recommended for large enterprise networks?
a. RIPv2
b. OSPFv2
c. EIGRP
d. IS-IS
e. A and B
f. B and C
g. B and D
h. A, B, C, and D
27. Which OSPFv3 LSA has an LS type of 0x0008?
a. Router LSA
b. Interarea-router LSA
c. Link LSA
d. Intra-area-prefix LSA
28. Which routing protocol does not support VLSMs?
a. RIPv1
b. OSPFv2
c. EIGRP
d. RIPv2
e. B and C
f. B, C, and D
29. Which routing protocols have fast convergence for IPv4 networks?
a. BGP
b. OSPFv2
c. EIGRP
d. RIPv2
e. B and C
f. B, C, and D
g. A, B, and C
30. Which routing protocols have fast convergence for IPv6 networks?
a. RIPng
b. OSPFv3
c. EIGRP for IPv6
d. RIPv2
e. MP-BGP
f. B and C
g. B, C, and D
h. B, C, and E
31. A retail chain has about 800 stores that connect to the headquarters and a backup location. The company wants to limit the amount of routing traffic used on the WAN links. What routing protocol(s) is/are recommended?
a. RIPv1
b. RIPv2
c. OSPFv2
d. EIGRP
e. IS-IS
f. BGP
g. B, C, and D
h. C and D
i. C, D, and E
32. Which of the following statements is correct?
a. OSPFv3 provides changes to OSPFv2 for use in IPv4 networks.
b. OSPFv3 provides changes to OSPFv2 for use in IPv6 networks.
c. OSPFv3 provides changes to OSPFv2 for use in IPv6 and IPv4 networks.
d. OSPFng provides changes to OSPFv2 for use in IPv6 networks.
Use Figure 11-26 to answer the following question.

[Figure 11-26 Path Selection: Router A reaches the destination over Path 1 or Path 2; the link bandwidths shown in the figure are 256 k, T-1, 768 k, and 1024 k.]
33. If OSPF is enabled on all routers with the default metrics unchanged, what path is taken?
a. Path 1
b. Path 2
c. Unequal load balance with Path 1 and Path 2
d. Equal load balance with Path 1 and Path 2
Use Figure 11-27 to answer the following question.

[Figure 11-27 OSPF Router Types: Routers A through F placed in OSPF Area 0, Area 1, and Area 2, with a BGP connection to an external network.]
34. Identify the OSPF router types shown in Figure 11-27.
Router A = _______
Router B = _______
Router C = _______
Router D = _______
Router E = _______
Router F = _______
35. Match the IP multicast address with its description.
i. 224.0.0.1
ii. 224.0.0.2
iii. 224.0.0.5
iv. 224.0.0.10
a. All OSPF routers
b. All routers
c. EIGRP routers
d. All hosts
36. Match the BGP attribute with its description.
i. Local preference
ii. MED
iii. Autonomous system path
iv. Next hop
a. IP address
b. Indicates the path used to exit the autonomous system
c. Tells external BGP peers the preferred path into the autonomous system
d. List of ASNs
37. Which Cisco feature can you use instead of local preference to influence the selected
path to external BGP routers?
38. What is the purpose of route reflectors?
39. When BGP confederations are used, which number do external peers see?
40. With ____________ all routers peer with each other within the private autonomous
system, and with __________ client routers peer only with the reflector.
41. Which of the following shows the correct order that BGP uses to select a best path?
a. Origin, lowest IP, autonomous system path, weight, local preference, MED
b. Weight, local preference, autonomous system path, origin, MED, lowest IP
c. Lowest IP, autonomous system path, origin, weight, MED, local preference
d. Weight, origin, local preference, autonomous system path, MED, lowest IP
42. What feature did BGPv4 implement to provide forwarding of packets based on IP
prefixes?
43. What route should be used to summarize the following networks?
10.150.80.0/23, 10.150.82.0/24, 10.150.83.0/24, 10.150.84.0/22
a. 10.150.80.0/23, 10.150.82.0/23, and 10.150.84.0/22
b. 10.150.80.0/22 and 10.150.84.0/22
c. 10.150.80.0/21
d. 10.150.80.0/20
44. Match the IPv6 multicast address with its description.
i. FF02::1
ii. FF02::2
iii. FF02::5
iv. FF02::9
v. FF02::A
a. OSPFv3 routers
b. RIPng routers
c. All routers
d. EIGRP routers
e. All nodes
45. Route summarization and redistribution occur in which layer of the hierarchical model?
a. Building access
b. Distribution
c. Core
d. Server access
46. Which of the following best describes route summarization?
a. Grouping contiguous addresses to advertise a large Class A network
b. Grouping noncontiguous addresses to advertise a larger network
c. Grouping contiguous addresses to advertise a larger network
d. Grouping Internet addresses
Refer to Figure 11-28 to answer the following questions.

[Figure 11-28 Network Scenario: Routers A, B, C, and D; EIGRP 150 and OSPF 100 run inside AS 100, and a service provider is in AS 500.]
47. Where should you configure BGP?
a. Routers A and B
b. Routers C and D
c. Answers A and B
d. Routers A and C
48. On which router should you configure redistribution for OSPF and EIGRP?
a. Router A only
b. Router B only
c. Routers A and B
d. Redistribution occurs automatically.
49. To announce the networks from autonomous system 100 to autonomous system 500, which routing protocols should you redistribute into BGP?
a. OSPF only
b. EIGRP only
c. OSPF and EIGRP
d. iBGP
50. Where should you use filters?
a. Routers A and B
b. Routers C and D
c. Routers A and C
d. Answers A and B
Part IV: Security, Convergence, Network Management

CCDA exam topics covered in this part:
■ Describe network management protocols and features
■ Describe the security lifecycle
■ Identify Cisco technologies to mitigate security vulnerabilities
■ Select appropriate Cisco security solutions and deployment placement
■ Describe high-level voice and video architectures
■ Identify the design considerations for voice/video services

Chapter 12: Managing Security
Chapter 13: Security Solutions
Chapter 14: Voice and Video Design
Chapter 15: Network Management Protocols
CHAPTER 12
Managing Security

This chapter covers the following subjects:
■ Network Security Overview
■ Security Policy and Process
■ Trust and Identity Management
■ Secure Connectivity
■ Threat Defense
■ Security Management Solutions
This chapter discusses network security in terms of security management and policy. You
will be tested on network security topics that include security threats, risks, policy compliance, and securing network connectivity. The chapter goes on to explain how network
security management and policy provide a framework for secure networks. This chapter
also explores trust and identity management, which defines how network access can occur, and threat defense, which adds increased levels of security into network endpoints.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 12-1 outlines the major topics discussed in this chapter and the “Do I Know This
Already?” quiz questions that correspond to those topics.
Table 12-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section       Questions Covered in This Section
Network Security Overview       1–4
Security Policy and Process     5, 6
Trust and Identity Management   7
Secure Connectivity             8
Threat Defense                  9
Security Management Solutions   10
1. Which of the following security legislation applies protection for credit card holder data?
a. SOX
b. GLBA
c. HIPAA
d. PCI DSS
2. What classification of security threat gathers information about the target host?
a. Gaining unauthorized access
b. Reconnaissance
c. Denial of service
d. None of the above
3. What type of security threat works to overwhelm network resources such as memory, CPU, and bandwidth?
a. Denial of service
b. Reconnaissance
c. Gaining unauthorized access
d. NMAP scans
4. What is it called when attackers change sensitive data without proper authorization?
a. VLAN filtering
b. ACLs
c. Integrity violations
d. Loss of availability
5. What security document focuses on the processes and procedures for managing network events in addition to emergency-type scenarios?
a. Acceptable-use policy
b. Incident-handling policy
c. Network access control policy
d. Security management policy
6. Which of the following should be included in a security policy? (Select all that apply.)
a. Identification of assets
b. Definition of roles and responsibilities
c. Description of permitted behaviors
d. All of the above
Chapter 12: Managing Security 447
7. Authentication of the identity is based on what attributes? (Select all that apply.)
a. Something the subject knows
b. Something the subject has
c. Something the subject is
d. All of the above
8. What VPN protocol uses encrypted point-to-point GRE tunnels?
a. GRE-based VPN
b. Cisco Easy VPN
c. Cisco GET VPN
d. Cisco DMVPN
9. What are some physical security guidelines to consider for a secure infrastructure? (Select all that apply.)
a. Evaluate potential security breaches
b. Use physical access controls such as locks or alarms
c. Assess the impact of stolen network resources and equipment
d. Syslog and SNMP analysis
10. Which of the following benefits does a security management solution provide?
a. SAINT scans
b. Provisions network security policies for deployment
c. Prevents unauthorized access
d. NMAP scans
Foundation Topics
This chapter examines security management topics that you need to master for the CCDA
exam. It begins by explaining the reasons for network security and some techniques that
can be used to prevent attacks. Next, the chapter describes the types of attacks that can
compromise network security and the classifications of security threats. It goes on to cover
the risks inherent in network security, along with a series of risk examples that illustrate
how attacks can occur. The chapter then looks at what a “security policy” is and how it is
used as a framework for network security.
In addition, this chapter explores ways to control and permit network access at any point
within the network and discusses enabling security in network equipment by using traffic-isolation techniques. The chapter wraps up by examining some security management
solutions.
Network Security Overview
For many years, networks were designed to be fairly open in nature and did not require
much security; the greatest area of concern was physical access. As networks grew in size
and complexity, so did the need for network security. For today’s businesses and
organizations, security is now a mandatory part of designing IT systems, because the risks
are too high if critical data is lost or tampered with. Security teams within organizations
must now provide adequate levels of protection for the business to conduct its operations.
Network security is used to defend against network attacks and prevent unauthorized access by intruders. In addition, network security protects data from manipulation and
theft. Businesses today also need to comply with company policy and with security legislation
that is in place to help protect data and keep it private.
Network security needs to be transparent to the end users and should also be designed to
prevent attacks by
■ Blocking external attackers from accessing the network
■ Permitting access to only authorized users
■ Preventing attacks from sourcing internally
■ Supporting different levels of user access
■ Safeguarding data from tampering or misuse
Security Legislation
A number of legislative bodies along with the public have insisted that security controls
be in place to protect private information and make certain that it is handled properly.
These legislative bodies influence network security by imposing mandates with which organizations are required to comply. These requirements might include protecting customer
in question.
The United States has a growing body of security legislation that you need to be aware of:
■ U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley or SOX): Focuses on the accuracy of, and the controls imposed on, a company’s financial records. It was passed as a U.S. federal law in response to a number of corporate and accounting scandals.
■ Payment Card Industry (PCI) Data Security Standard (DSS): PCI DSS is a data security standard that defines how to protect credit card holder data, including the storage and transfer of cardholder information. Strictly speaking it is not legislation but an industry standard that the card brands enforce by contract; even so, retailers that accept credit cards have to meet PCI DSS or pay stiff penalties, and they are subject to regular and rigorous audits for PCI DSS compliance.
■ Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA): Provides protection against the sale of bank and account information that is regularly bought and sold by financial institutions. GLBA also guards against the practice of obtaining private information through false pretenses (pretexting).
■ U.S. Health Insurance Portability and Accountability Act (HIPAA): Applies to the protection of private health information that is used electronically. Its purpose is to enable better access to health information, reduce fraud, and lower the cost of health care in the United States.
■ EU Data Protection Directive 95/46/EC: Calls for the protection of people’s right to privacy with respect to the processing of personal data. (It has since been replaced by the General Data Protection Regulation, GDPR, which took effect in 2018.)
Table 12-2 describes the security legislation and identifies its abbreviation.

Table 12-2 Security Legislation (Key Topic)

Legislation Description                                                                                        Legislation Abbreviation
Focuses on the accuracy and the controls imposed on a company’s financial records                              SOX
Data security standard that defines how to protect credit card holder data                                     PCI DSS
Protection against the sale of bank and account information that is regularly bought and sold by financial institutions   GLBA
Protection of private health information that is used electronically                                           HIPAA
Protection of people’s privacy with respect to the processing of personal data                                 Directive 95/46/EC
Security Threats
It is important to be aware of the different types of attacks that can impact the security of
IT systems. Security threats can be classified into three broad categories:
■ Reconnaissance: The goal of reconnaissance is to gather as much information as possible about the target host/network. Generally, this type of information gathering is done before an attack is carried out.
■ Gaining unauthorized access: Refers to the act of attacking or exploiting the target system or host. Operating systems, services, and physical access to the target host have known vulnerabilities that the attacker can take advantage of to increase his or her privileges. Social engineering is another technique for obtaining confidential information from employees by manipulation. As a result of the attacker exploiting the host, confidential information can be read, changed, or deleted from the system.
■ Denial of service (DoS): DoS attacks aim to overwhelm resources such as memory, CPU, and bandwidth and thus impact the target system and deny legitimate users access. Distributed DoS (DDoS) attacks involve multiple sources working together to deliver the attack.
Table 12-3 outlines the categorized security threats.

Table 12-3 Security Threats (Key Topic)

Threat Description                                                                                  Threat Category
Gathering information about a host/network segment                                                  Reconnaissance
Attacks aimed at overwhelming resources such as memory, CPU, and bandwidth of an attacked system    Denial of service (DoS)
Act of attacking or exploiting the target host system                                               Gaining unauthorized access
Reconnaissance and Port Scanning
Reconnaissance network tools are used to gather information from the hosts attached to
the network. They have many capabilities, including identifying the active hosts and
which services the hosts are running. In addition, these tools can find trust relationships,
determine OS platforms, and identify user and file permissions.
Some of the techniques that these scanning tools use include TCP connects (open), TCP
SYNs (half open), ACK sweeps, Internet Control Message Protocol (ICMP) sweeps, SYN
sweeps, and Null scans. Listed here are some of the more popular port-scanning tools and
their uses:
■ NMAP (Network Mapper) is designed to scan large networks or even a single host. It is an open source utility used for network exploration/security audits.
■ Superscan provides high-speed scanning, host detection, and Windows host enumeration.
■ NetStumbler identifies wireless networks using 802.11a/b/g wireless LAN (WLAN) standards, with or without the service set identifier (SSID) being broadcast. NetStumbler runs on Microsoft Windows–based platforms, including Windows Mobile.
■ Kismet is an 802.11 wireless sniffer and intrusion detection system (IDS) application that can collect traffic from 802.11a/b/g/n networks. Kismet collects packets and detects wireless networks even when they are hidden.
Figure 12-1 shows NMAP scanning several hosts that have different operating systems.
This particular scan displays the IP address, open ports, services, device type, and OS
details.

[Figure 12-1 NMAP: Scanning Several Hosts]
Vulnerability Scanners
Vulnerability scanners determine what potential exposures are present in the network.
Passive scanning tools analyze the traffic flowing on the network; active testing injects sample traffic onto the network. Here are some sources of published
vulnerability information:
■ CERT CC: www.cert.org
■ MITRE: www.cve.mitre.org
■ Microsoft: www.microsoft.com/technet/security/bulletin/summary.mspx
■ Cisco Security Notices: www.cisco.com/en/US/products/products_security_advisories_listing.html
Here are some tools used for vulnerability scanning:
■ Nessus is designed to automate the testing and discovery of known vulnerabilities. Nessus started as an open source tool but has been a commercial product from Tenable since version 3 (2005); the OpenVAS project continued from the last open source release. Nessus runs on various operating systems, including Linux, UNIX, and Microsoft Windows.
■ SAINT (Security Administrator’s Integrated Network Tool) is a vulnerability-assessment application that runs on Linux/UNIX hosts.
■ MBSA (Microsoft Baseline Security Analyzer) is used to scan systems and identify whether patches are missing for Windows products such as operating systems, Internet Information Services (IIS), SQL Server, Exchange Server, Internet Explorer, Media Player, and Microsoft Office applications. MBSA also alerts you if it finds any known security weaknesses such as weak or missing passwords and other common security issues.
The MBSA security report in Figure 12-2 displays several security issues on this host.
There are some user accounts with blank or missing passwords, Windows hotfixes missing, and some hard disks that are not using NTFS file systems.

[Figure 12-2 MBSA: Security Report]
Unauthorized Access
Another threat that you need to be concerned with is attackers gaining access. Attackers
use several techniques to gain system access. One approach is for unauthorized people
to use valid usernames and passwords and then escalate the account’s privilege level. Furthermore, some
system accounts ship with default administrative username and password pairings that are
common knowledge, which makes them very insecure. Trust relationships between systems and applications are another avenue through which unauthorized access takes place.
Unauthorized access is also obtained through the use of social engineering (the practice
by walking around an organization. Many security items can be found unsecured in offices and cubicles; for example, it is not uncommon to find passwords written on notes, or
badges and keys left on tops of desks or in unlocked drawers. Psychological manipulation is
another way of gaining confidential information: for example, someone pretending to be
from the IT department calls a user and asks for her account information to maintain or
correct an account discrepancy.
In addition to these approaches, attackers can obtain account information by using password-cracking utilities or by capturing network traffic.
Security Risks
To protect network resources, processes, and procedures, technology needs to address
several security risks. Important network characteristics that can be at risk from security
threats include data confidentiality, data integrity, and system availability:
■
System availability should ensure uninterrupted access to critical network and computing resources to prevent business disruption and loss of productivity.
■
Data integrity should ensure that only authorized users can change critical information and guarantee the authenticity of data.
■
Data confidentiality should ensure that only legitimate users can view sensitive information to prevent theft, legal liabilities, and damage to the organization.
In addition, the use of redundant hardware and encryption can significantly reduce the
risks associated with system availability, data integrity, and data confidentiality.
Table 12-4 summarizes security risk types with descriptions.

Table 12-4 Security Risks (Key Topic)

Risk Description                                                                                                              Risk Type
Ensure only legitimate users can view sensitive information to prevent theft, legal liabilities, and damage to the organization.   Confidentiality of data
Ensure only authorized users can change critical information and guarantee the authenticity of data.                          Integrity of data
Allow uninterrupted access to critical network and computing resources to prevent business disruption and loss of productivity.   System and data availability
Targets
Given the wide range of potential threats, just about everything in the network has become vulnerable and is a potential target. Ordinary hosts top the list as the favorite target,
especially for worms and viruses. After a host has been compromised, it is frequently
used as a new attack point. (A collection of such hosts is referred to as a botnet.)
Other high-value targets include devices that support the network. Here is a list of some
network devices, servers, and security devices that stand out as potential targets:
■ Infrastructure devices: Routers, switches
■ Security devices: Firewalls, intrusion detection/prevention systems (IDS/IPS)
■ Network services: Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers
■ Endpoints: Management stations and IP phones
■ Infrastructure: Network throughput and capacity
Loss of Availability
Denial of service (DoS) attacks try to block or deny access to impact the availability of network services. These types of attacks can interrupt business transactions, cause considerable loss, and damage the company’s reputation. DoS attacks are fairly straightforward to
carry out, even by an unskilled attacker. Distributed DoS (DDoS) attacks are launched from
multiple source locations at once to increase the attack’s size and impact.
DoS and DDoS attacks succeed when the attacker takes advantage of weaknesses in the
network or host. Here are some common failure points:
■ A network, host, or application fails to process large amounts of data sent to it, which crashes it or breaks its ability to communicate.
■ A host or application is unable to handle an unexpected condition, such as improperly formatted data, or memory or resource depletion.
Nearly all DoS attacks are carried out with spoofing and flooding methods, which is why
source-address validation and rate limiting are the first line of defense against them.
Table 12-5 lists some DoS-mitigating IOS software features.

Table 12-5 Software Features to Manage DoS Attacks (Key Topic)

Feature Description                                                                                                  Feature
Verifies DHCP transactions and prevents rogue DHCP servers from interfering with production traffic                  DHCP snooping
Intercepts Address Resolution Protocol (ARP) packets and verifies that the packets have valid IP-to-MAC bindings     Dynamic ARP Inspection (DAI)
Prevents packets with unknown or spoofed source addresses from using the network as a transport mechanism to carry out attacks   Unicast Reverse Path Forwarding (uRPF)
Controls what traffic is allowed on the network                                                                      Access control lists (ACL)
Limits the rate at which incoming traffic, such as ARP packets and DHCP requests, is accepted on a port               Rate limiting
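The Table 12-5 features take only a few lines of IOS configuration. What follows is an added example written for this page, not configuration from the book or from Cisco documentation; it puts the features together on a Catalyst access switch (DHCP snooping, DAI, per-port rate limiting) and on an Internet-edge router (uRPF plus an ingress ACL). VLAN 10, the interface names, the 192.0.2.0/24 enterprise prefix and the 15 packets-per-second limits are assumptions chosen for illustration.

```cisco
! Added example (not from the book). Assumptions: VLAN 10 is the user VLAN,
! Gi1/0/1 is the switch uplink, Gi1/0/2-48 are access ports, Gi0/0 is the
! router's Internet uplink, and 192.0.2.0/24 is the enterprise's own prefix.

! ===== Access switch =====
! DHCP snooping: only the uplink toward the distribution layer (where the real
! DHCP server is reached) is trusted, so DHCP offers from access ports are dropped
! and legitimate leases populate the binding table that DAI relies on.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! DAI: ARP packets on untrusted ports are checked against the snooping bindings;
! a reply that claims an IP-to-MAC pair not in the table is discarded.
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 description Uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Rate limiting: cap DHCP and ARP packets per second from each access port so a
! single flooding host cannot exhaust the switch CPU. Exceeding the limit
! err-disables the port.
interface range GigabitEthernet1/0/2 - 48
 description Access ports
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! ===== Internet-edge router =====
! Ingress ACL: packets arriving from the Internet must never carry our own
! prefix or RFC 1918 space as a source; such packets are spoofed.
ip access-list extended INTERNET-IN
 remark Anti-spoofing for traffic entering from the Internet
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Strict uRPF: drop any packet whose source address would not be routed back
! out of the interface it arrived on. The ACL catches the well-known bogus
! sources; uRPF catches everything else the routing table cannot reach via Gi0/0.
interface GigabitEthernet0/0
 description Internet uplink
 ip verify unicast source reachable-via rx
 ip access-group INTERNET-IN in
```

Verify the result with show ip dhcp snooping binding (the table DAI consults), show ip arp inspection vlan 10 (drop counters), and show ip interface GigabitEthernet0/0 (the verify source line and the applied ACL). Two caveats a designer should keep in mind: strict uRPF (reachable-via rx) drops legitimate traffic on links with asymmetric routing, so multihomed edges usually use loose mode (reachable-via any); and because DAI validates against the DHCP snooping table, hosts with static addresses on the VLAN need an ARP access list applied with ip arp inspection filter, or they will be blocked.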
Figure 12-3 shows a DoS threat on availability. The attacker is performing a DoS attack on
the network and servers using a flood of packets. Keep in mind that this is an external attack; however, an internal attack is also certainly possible.

[Figure 12-3 DoS Threat: an attacker on the Internet flooding the network and servers with packets. The enterprise campus shown comprises Building Access, Building Distribution, Campus Core, Data Center/Server Farm, DMZ/E-Commerce, Remote Access VPN, and WAN/MAN modules, with Internet connectivity.]
Integrity Violations and Confidentiality Breaches
When attackers change sensitive data without the proper authorization, this is called an
integrity violation. For example, an attacker might access financial data and delete critical
information. The effect of this change might not be felt for some time or until a significant
loss has occurred. Integrity attacks like this are considered by many companies to be one
of the most serious threats to their business. Furthermore, identifying these attacks can be
difficult, and the effects can be devastating.
Confidentiality breaches occur when the attacker attempts to read sensitive information.
It is difficult to detect these types of attacks, and loss of data can happen without the
owner’s knowledge.
It is important to use restrictive access controls to prevent integrity violations and confidentiality attacks. Here are some ways to enforce access control to reduce risks:
■ Restrict access with OS-based controls in both Windows and UNIX.
■ Limit user access by using user profiles for different departmental roles.
■ Use encryption techniques to secure data or digitally sign data.
Figure 12-4 shows an attacker viewing, altering, and stealing competitive information. Pay
particular attention to the obstacles the attacker must go through to get to the data.

[Figure 12-4 Confidentiality and Integrity Threats: an attacker on the Internet viewing and altering confidential information and stealing competitive information from the Data Center/Server Farm, passing through the DMZ/E-Commerce, Remote Access VPN, WAN/MAN, Campus Core, Building Distribution, and Building Access modules of the enterprise campus.]
Security Policy and Process
A security policy is a crucial element in providing the proper levels of security and in
increasing network availability. This is an important concept to understand, and such
business requirements should be considered throughout the system life cycle. Business
requirements and risk analysis are used in the development of a security policy. The policy is often a balance between ease of access and the security risk and cost of
implementing the security technology.
In terms of network security in the system life cycle, the business needs are a key area to
consider. Business needs define what the business wants to do with the network.
Risk analysis is another part of the system life cycle. It explains the risks and their costs.
Business needs and risk assessment feed information into the security policy.
The security policy describes the organization’s processes, procedures, guidelines, and
standards. Furthermore, industry and security best practices are leveraged to provide wellknown processes and procedures.
Finally, an organization’s security operations team needs to have processes and procedures defined. This information helps explain what needs to happen for incident response,
security monitoring, system maintenance, and managing compliance.
Table 12-6 outlines key network security considerations.

Table 12-6 Key Network Security Elements of the Network Security Life Cycle

Security Consideration                                                      Name
What are the business requirements?                                         Business needs
What is the associated risk and cost?                                       Risk analysis
What policy governs the business requirements and risk?                     Security policy
What are the recommended industry security best practices?                  Best practices
What will the process be for incident, compliance, and change management?   Security operations
Figure 12-5 shows the flow of the network security life cycle.

[Figure 12-5 Network Security: System Life Cycle. Flow: Business Needs -> Risk Analysis -> Security Policy (Guidelines, Processes, Standards) -> Security System (Best Practices) -> Security Operations (Incident Response, Monitoring, Compliance)]
Security Policy Defined (Key Topic)
RFC 2196 says, “A security policy is a formal statement of the rules by which people who
are given access to an organization’s technology and information assets must abide.”
When you are developing security policies for an organization, RFC 2196 can serve as a
guide for developing security processes and procedures. This RFC lists issues and factors
that an organization must consider when setting its policies. Organizations need to make
many decisions and come to agreement when creating their security policy.
Basic Approach of a Security Policy
To help create a security policy, here is a generally accepted approach from RFC 2196:
Step 1. Identify what you are trying to protect.
Step 2. Determine what you are trying to protect it from.
Step 3. Determine how likely the threats are.
Step 4. Implement measures that protect your assets in a cost-effective manner.
Step 5. Review the process continuously, and make improvements each time a weakness is found.
Purpose of Security Policies
One of the main purposes of a security policy is to describe the roles and requirements
for securing technology and information assets. The policy defines the ways in which
these requirements will be met.
There are two main reasons for having a security policy:
■ It provides the framework for the security implementation:
  ■ Identifies assets and how to use them
  ■ Defines and communicates roles and responsibilities
  ■ Describes tools and procedures
  ■ Clarifies incident handling of security events
■ It creates a security baseline of the current security posture:
  ■ Describes permitted and unpermitted behaviors
  ■ Defines consequences of asset misuse
  ■ Provides cost and risk analysis
Here are some questions you might need to ask when developing a security policy:
■ What data and assets will be included in the policy?
■ What network communication is permitted between hosts?
■ How will policies be implemented?
■ What happens if the policies are violated?
■ How will the latest attacks impact your network and security systems?
Security Policy Components
A security policy is divided into smaller parts that help describe the overall risk management policy, identification of assets, and where security should be applied. Other components of the security policy explain how responsibilities related to risk management are
handled throughout the enterprise.
Further documents concentrate on specific areas of risk management:
■ Acceptable-use policy is a general end-user document that is written in simple language. This document defines the roles and responsibilities within risk management and should have clear explanations to avoid confusion.
■ Network access control policy defines general access control principles used in the network and how data is classified, such as confidential, top secret, or internal.
■ Security management policy explains how to manage the security infrastructure.
■ Incident-handling policy defines the processes and procedures for managing security incidents, including the handling of emergency scenarios.
Several other documents supplement these; they vary depending on the organization. The
security policy requires the acceptance and support of all employees to make it successful. All the key stakeholders or business leaders, including members of senior management, should have input into the development of the security policy. In addition, key
stakeholders should continue to participate in the ongoing maintenance and updates to
the security policy in order to keep it up-to-date.
Table 12-7 summarizes additional security policy documents.
Table 12-7 Security Policy Documents
Document Name | Policy Description
Acceptable-use policy | Defines the roles and responsibilities within risk management
Network access control policy | Defines general access control principles used and how data is classified, such as confidential, top secret, or internal
Security management policy | Explains how to manage the security infrastructure
Incident-handling policy | Defines the processes and procedures for managing incidents
Risk Assessment
Within network security, proper risk management is a technique used to lower risks to within acceptable levels. A well-thought-out plan for network security design implements the components that are part of the security policy. The security policies that an organization employs use risk assessments and cost-benefit analysis to reduce security risks.
Figure 12-6 shows the three major components of risk assessment. Control refers to how you use the security policy to minimize potential risks. Severity refers to the level of risk to the organization, and probability is the likelihood that an attack against the assets will occur.
Figure 12-6 Risk Assessment Components (components: Severity, Probability, Control)
Risk assessments should explain the following:
■ What assets to secure
■ The monetary value of the assets
■ The actual loss that would result from an attack
■ The severity and the probability that an attack against the assets will occur
■ How to use security policy to control or minimize the risks
In many cases, security costs can be justified by describing the loss of productivity or
revenue that could occur during security incidents.
Generally, network systems are built with just enough security to reduce potential losses
to a reasonable level. However, some organizations have higher security requirements,
such as complying with PCI DSS, SOX or HIPAA regulations, so they need to employ
stronger security mechanisms.
Risk Index
A risk index is used to consider the risks of potential threats. The risk index is based on the risk assessment components (factors):
■ Severity of loss if the asset is compromised
■ Probability of the risk actually occurring
■ Ability to control and manage the risk
One approach to determining a risk index is to give each risk factor a value from 1 (lowest)
to 3 (highest). For example, a high-severity risk would have a substantial impact on the
user base and/or the entire organization. Medium-severity risks would have an effect on a
single department or site. Low-severity risks would have limited impact and would be relatively straightforward to mitigate.
The risk index is calculated by multiplying the severity factor by the probability factor, and then dividing by the control factor:
Risk index = (severity factor * probability factor) / control factor
Table 12-8 shows a sample risk index calculation for a typical large corporation facing a couple of typical risks. A high risk index means more risk and therefore more impact to the organization; a lower index number means less risk and less impact to the organization.
Table 12-8 Risk Index Calculation
Risk | Severity (S), range 1 to 3 | Probability (P), range 1 to 3 | Control (C), range 1 to 3 | Risk Index (S * P)/C, range .3 to 9
DoS attack lasting for 1.5 hours on the email server | 2 | 2 | 1 | 4
Breach of confidential customer lists | 3 | 1 | 2 | 1.5
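The risk index formula and Table 12-8, carried through in code. This is an added example written for this edition, not code from the book or from Cisco: it validates that each factor is scored 1 to 3 as the text requires, computes (S * P) / C for the two rows of Table 12-8, reports the range the index can take, and ranks a list of risks so the highest-index item surfaces first. The `Risk` class and function names are my own.

```python
"""Risk index calculation (added example; not the book's or Cisco's code).

Implements the formula from the text:  risk index = (severity * probability) / control
with every factor scored from 1 (lowest) to 3 (highest). The two Risk entries
in TABLE_12_8 are the rows of Table 12-8.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MIN_FACTOR, MAX_FACTOR = 1, 3   # scoring range the text prescribes for each factor


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int      # S: impact on the organization if the asset is compromised
    probability: int   # P: likelihood that the threat actually occurs
    control: int       # C: ability to control and manage the risk

    def __post_init__(self) -> None:
        # Reject scores outside 1..3 so a typo cannot silently skew the ranking.
        for field_name, value in (("severity", self.severity),
                                  ("probability", self.probability),
                                  ("control", self.control)):
            if not MIN_FACTOR <= value <= MAX_FACTOR:
                raise ValueError(f"{field_name} must be between {MIN_FACTOR} and "
                                 f"{MAX_FACTOR}, got {value}")


def risk_index(severity: int, probability: int, control: int) -> float:
    """(S * P) / C as defined in the text."""
    return (severity * probability) / control


def index_range() -> Tuple[float, float]:
    """Lowest and highest index reachable with 1..3 factors: 1*1/3 and 3*3/1."""
    return (MIN_FACTOR * MIN_FACTOR / MAX_FACTOR, MAX_FACTOR * MAX_FACTOR / MIN_FACTOR)


def rank_risks(risks: Iterable[Risk]) -> List[Tuple[str, float]]:
    """Return (name, index) pairs sorted with the highest-impact risk first."""
    scored = [(r.name, risk_index(r.severity, r.probability, r.control)) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The two rows of Table 12-8.
TABLE_12_8 = [
    Risk("DoS attack lasting for 1.5 hours on the email server", severity=2, probability=2, control=1),
    Risk("Breach of confidential customer lists", severity=3, probability=1, control=2),
]

if __name__ == "__main__":
    low, high = index_range()
    print(f"risk index range: {low:.2f} to {high:.2f}")
    for name, idx in rank_risks(TABLE_12_8):
        print(f"{idx:4.2f}  {name}")
```

Running the block prints the index range (0.33 to 9.00, matching the ".3 to 9" column heading) and lists the DoS attack (index 4) ahead of the customer-list breach (index 1.5), which is the same ordering Table 12-8 implies.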
Continuous Security
As requirements change and new technology is developed, the network security policy should be updated to reflect the changes. Here are the four steps used to facilitate continuing efforts in maintaining security policies:
Step 1. Secure: Identification, authentication, ACLs, stateful packet inspection (SPI), encryption, and VPNs
Step 2. Monitor: Intrusion and content-based detection and response
Step 3. Test: Assessments, vulnerability scanning, and security auditing
Step 4. Improve: Data analysis, reporting, and intelligent network security
Figure 12-7 shows the four-step process that updates and continues the development of security policies.
Figure 12-7 Continuous Security (cycle around Policy: Secure, Monitor, Test, Improve)
Table 12-9 lists the steps for continuous security.
Table 12-9 Steps for Continuous Security
Process Name | Process Description
Secure | Identification, authentication, ACLs, stateful packet inspection (SPI), encryption, and VPNs
Monitor | Intrusion and content-based detection and response
Test | Assessments, vulnerability scanning, and security auditing
Improve | Data analysis, reporting, and intelligent network security
Integrating Security Mechanisms into Network Design
Today’s network designs demonstrate an increased use of security mechanisms and have
become more tightly integrated with network design. Many security services such as
IDS/IPS, firewalls, and IPsec virtual private network (VPN) concentrators now reside
within the internal network infrastructure. It is recommended that you incorporate network security during the network design planning process. This requires close coordination between the various engineering and operation teams.
Trust and Identity Management
Trust and identity management is part of the Cisco Security Architecture for the Enterprise (SAFE) security reference architecture that is crucial for the development of a secure
network system. Trust and identity management defines who and what can access the network, and when, where, and how that access can occur. Access to the business applications and network equipment is based on the user-level rights that are granted and
assigned by the administrators. Trust and identity management also attempts to isolate
and keep infected machines off the network by enforcing access control. The three main
components of trust and identity management are trust, identity, and access control, as
shown in Figure 12-8. The following sections cover these components in detail.
Figure 12-8 Trust and Identity Management (components: Trust, Identity, Access Control)
Trust
Trust is the relationship between two or more network entities that are permitted to communicate. Security policy decisions are largely based on this premise of trust. If you are
trusted, you are allowed to communicate as needed. However, sometimes security controls need to apply restraint to trust relationships by limiting or preventing access to the
designated privilege level. Trust relationships can be explicit or implied by the organization. Some trust relationships can be inherited or passed down from one system to another. However, keep in mind that these trust relationships can also be abused.
Domains of Trust
Domains of trust are a way to group network systems that share a common policy or function. Network segments have different trust levels, depending on the resources they are
securing. When applying security controls within network segments, it is important to
consider the trust relationships between the segments. Keep in mind that customers, partners, and employees each have their own unique sets of requirements from a security perspective that can be managed independently with “domains of trust” classifications. When
domains of trust are managed in this way, consistent security controls within each segment can be applied.
Figure 12-9 shows two examples of trust domains with varying levels of trust segmented.
The lighter shading indicates an internal environment with higher security, and the darker
areas represent less-secure areas with lower security.
Figure 12-9 Domains of Trust (Examples A and B; figure labels: Campus and WAN, DMZ, WAN, Internet, FW, VPN, Internal Servers)
Trust levels such as the internal network can be very open and flexible, whereas the outside needs to be considered unsafe and therefore needs strong security to protect the resources. Table 12-10 shows different levels of trust, from low to high.
Table 12-10 Domains of Trust: Risks from Low to High
Domain | Level | Safeguards Required
Production to lab | Low risk | ACLs and network monitoring
Headquarters to branch (IPsec VPN) | Medium risk | Authentication, confidentiality, integrity concerns, ACLs, route filtering
Inside (private) to outside (public) | High risk | Stateful packet inspection, intrusion protection (IPS), security monitoring
Identity
Identity is the “who” of a trust relationship. These can be users, devices, organizations, or all of the above. Network entities are validated by credentials. Authentication of the identity is based on the following attributes:
■ Something the subject knows: Knowledge of a secret, password, PIN, or private key
■ Something the subject has: Possession of an item such as a token card, smartcard, or hardware key
■ Something the subject is: Human characteristics, such as a fingerprint, retina scan, or voice recognition
Generally, identity credentials are checked and authorized by requiring passwords, PINs, tokens, or certificates.
Passwords
Passwords are used to give users access and allow them to access network resources. Passwords are an example of the authentication attribute called “something you know.” Typically, users do not want to use strong passwords; they usually prefer to use passwords that
are easy to remember. Users present a weakness in password security that requires increased enforcement of the organization’s password policy. Passwords should not be common dictionary words and should be time-limited. Passwords should never be shared or
posted on a computer monitor.
Tokens
Tokens represent a way to increase security by requiring “two-factor authentication.” This
type of authentication is based on “something you know” and “something you have.” For
example, one factor may be a six-digit PIN, and another is the seven-digit code on the
physical token. The code on the tokens changes frequently, and it is not useful without the
PIN. The code plus the PIN is transmitted to the authentication server for authorization.
Some token-based systems even require a password along with the PIN and code from the token. This is known as two-factor authentication.
Figure 12-10 shows two-factor authentication using a username and password, along with a token access code.
Figure 12-10 Using Tokens (a login dialog for www.cisco.com with User name and Password fields is submitted to an Authentication Server, which grants or denies access)
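The server side of the token-plus-PIN check described above, as an added example that is not code from the book or from Cisco. The text says only that the token's code changes frequently and is useless without the PIN; this example assumes the HOTP algorithm of RFC 4226 as the token's code generator (an assumption, since the book does not name the algorithm) and shows what the authentication server must do with the two factors: both must match, and an accepted code is consumed so that it cannot be replayed. The `TokenServer` class, the `window` parameter, the secret and the PIN are my own constructions.

```python
"""Two-factor check with a token code and a PIN (added example; not the book's or Cisco's code).

Assumes an RFC 4226 HOTP token (an assumption; the book does not name the
algorithm). The secret and PIN values are constructed samples.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class TokenServer:
    """Authentication-server record for one user's token and PIN (constructed for illustration)."""

    def __init__(self, secret: bytes, pin: str, digits: int = 7, window: int = 3) -> None:
        self.secret = secret
        self.pin = pin
        self.digits = digits      # the book's example token shows a seven-digit code
        self.window = window      # how far ahead of the expected counter a code may be
        self.counter = 0          # next counter value the token is expected to present

    def verify(self, pin: str, code: str) -> bool:
        """Grant access only when both factors are right; advance the counter on success."""
        # "Something you know": compare in constant time so the PIN does not leak via timing.
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        # "Something you have": the code must match one of the next `window` counter values.
        matched = None
        for step in range(self.window):
            candidate = hotp(self.secret, self.counter + step, self.digits)
            if hmac.compare_digest(candidate, code):
                matched = step
                break
        if not (pin_ok and matched is not None):
            return False
        # Consume the code: a replayed code now lies behind the window and is rejected.
        self.counter += matched + 1
        return True
```

The `hotp` function is checked against the RFC 4226 test vectors (secret `12345678901234567890`, six digits); the server is then exercised with a correct login, a replay of the same code, a wrong PIN with a correct code, and finally a correct pair, which is the sequence a practitioner would use to confirm that a stolen code on its own buys an attacker nothing.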
Certificates
Certificates are used to digitally prove your identity or right to access information or services. Certificates, also known as digital certificates, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A digital certificate is signed and issued by a certification authority (CA) with the CA’s private key. A digital certificate contains the following:
■ Owner’s public key
■ Owner’s name
■ Expiration date of the public key
■ Name of the certificate authority
■ Serial number
■ Digital signature of the CA
Certificates can be read or written by an application conforming to the X.509 CCITT international standard and are typical when deploying Secure Sockets Layer (SSL)-based server applications.
Access Control
Access control is a security mechanism for controlling admission to networks and resources. These controls enforce the security policy and employ rules about which resources can be accessed. Access control ensures the confidentiality and integrity of the network resources.
The core of network access control consists of the following:
■ Authentication establishes the user’s identity and access to the network resources.
■ Authorization describes what can be done and what can be accessed.
■ Accounting provides an audit trail of activities by logging the actions of the user.
Authentication, authorization, and accounting (AAA) are the network security services that help manage the network access control on your network equipment.
Secure Connectivity
Secure connectivity is a component of the Cisco SAFE security reference architecture.
This component of SAFE aims to protect the integrity and privacy of organizations’ sensitive information. With increased security risks on the rise, it is critical that security be implemented within today’s network environments. Consider, for example, the increased use
of the Internet as a transport for extranet and teleworker connectivity via always-on
broadband connectivity. Internal network segments have traditionally been considered
trusted, but now require higher levels of network security. However, internal threats are
now more than ten times more expensive and destructive than external threats. Data that
flows across the network needs to be secured so that its privacy and integrity are preserved. These are important concepts to keep in mind when making business decisions
about securing connectivity.
The Cisco Secure Connectivity System provides secure transport for data and applications using encryption and authentication techniques. Many security technologies exist
for securing data, voice, and video traffic using wired or wireless networks.
Security technologies include
■ IP Security (IPsec)
■ Secure Shell (SSH)
■ Secure Sockets Layer (SSL)
■ Multiprotocol Label Switching (MPLS) VPNs
■ MPLS VPNs with IPsec
Encryption Fundamentals
Cryptography uses encryption to keep data private, thus protecting its confidentiality.
crypt the data and reveal the message transmitted. The encryption and decryption can be
used only by authorized users. Most encryption algorithms require the user to have
knowledge of the secret keys. IPsec is an example of a security protocol framework that
uses encryption algorithms to hide the IP packet payload during transmission.
Encryption Keys
An encryption session between two endpoints needs a key to encrypt the traffic and a key to decrypt the traffic at the remote endpoint. There are two ways to send a key to the remote endpoint:
■ Shared secrets
  ■ Both sides can use the same key or use a transform to create the decryption key.
  ■ The key is placed on the remote endpoint out of band.
  ■ This is a simple mechanism, but it has security issues because the key does not change frequently enough.
■ PKI
  ■ It relies on asymmetric cryptography, which uses two different keys for encryption.
  ■ Public keys are used to encrypt and private keys to decrypt.
  ■ PKI requires a certificate to be issued by a certificate authority (CA) and is used by many e-commerce sites on the Internet.
Figure 12-11 shows what occurs during the encryption process using shared secret keys.
Figure 12-11 Encryption Keys (the message “Protect Me, Please!” is encrypted (locked) with the secret key, travels as secured ciphertext, and is decrypted (unlocked) with the same secret key)
VPN Protocols
There are several VPN protocols to choose from, each with varying benefits and uses:
■ Standard IPsec
  ■ Uses AH and ESP to secure data.
  ■ Uses Internet Key Exchange (IKE) for dynamic key exchange.
  ■ Endpoints require IPsec software.
  ■ Choose when multi-vendor interoperability support is required.
■ Cisco Dynamic Multipoint Virtual Private Network (DMVPN)
  ■ Secure encrypted point-to-point generic routing encapsulation (GRE) tunnels
  ■ Provides on-demand spoke-to-spoke connectivity
  ■ Routing, multicast, and quality of service (QoS) support
  ■ Choose when a hub-and-spoke VPN is needed
■ Cisco Easy VPN
  ■ Simplifies hub-and-spoke VPNs.
  ■ QoS support.
  ■ Choose when reducing management of VPNs is the primary goal.
■ Cisco GRE-based VPN
  ■ Enables routing and multicast traffic across an IPsec VPN.
  ■ Non-IP protocol and QoS support.
  ■ Choose when more detailed configuration than DMVPN is required.
■ Cisco GET VPN
  ■ Encryption integration on IP and MPLS WANs.
  ■ Simplifies encryption management using group keying.
  ■ Any-to-any connectivity.
  ■ Support for routing, multicast, and QoS.
  ■ Choose when adding encryption to IP or MPLS WANs while allowing any-to-any connectivity.
Table 12-11 describes key features of VPN security protocols.
Table 12-11 VPN Protocols
VPN Name | VPN Description
Standard IPsec | Uses AH and ESP to secure data; requires that endpoints have IPsec software
Cisco DMVPN | Secure encrypted point-to-point GRE tunnels; on-demand spoke-to-spoke connectivity
Cisco Easy VPN | Simplifies hub-and-spoke VPNs; need to reduce VPN management
Cisco GRE-based VPN | Enables routing and multicast traffic across an IPsec VPN; non-IP protocol and QoS support
Cisco GET VPN | Encryption integration on IP and MPLS WANs; simplifies encryption management using group keying; any-to-any connectivity
IPsec comes in two forms: IP ESP and IP AH, which use protocol numbers 50 and 51, respectively. ESP is defined in RFC 2406, and AH is defined in RFC 2402. ESP provides confidentiality, data-origin authentication, integrity, and anti-replay service. AH allows for
connectionless integrity, origin authentication, and anti-replay protection. These protocols can be used together or independently. Most IPsec-enabled clients or routers use IKE
to exchange keys and ESP to encrypt the traffic.
Another type of VPN technology is SSL VPNs, which have become increasingly popular
because of their clientless nature. The client only needs a standard web browser and a connection to the SSL VPN host, usually via the Internet.
Transmission Confidentiality
To ensure that data is kept private over unsecure networks such as the Internet, transmission confidentiality is used. Because the Internet is a public network, ordinary access control mechanisms are unavailable. Therefore, you need to encrypt the data before
transporting over any untrusted network such as the Internet.
To provide transmission confidentiality, IPsec VPNs that support encryption can create a
secure tunnel between the source and destination. As packets leave one site, they are encrypted; when they reach the remote site, they are decrypted. Eavesdropping on the Internet can occur, but with IPsec-encrypted packets, it is much more difficult.
IPsec VPNs commonly use well-known algorithms to perform the confidentiality treatment for packets. The well-known cryptographic algorithms include Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4).
These algorithms are thoroughly tested and checked and are considered trusted. However,
keep in mind that cryptography can pose some performance problems, depending on the
network’s state. That is why it is important to carefully analyze the network before deploying VPNs with IPsec.
Data Integrity
Cryptographic protocols protect data from tampering by employing secure fingerprints
and digital signatures that can detect changes in data integrity.
Secure fingerprints function by appending a checksum to data that is generated and verified with the secret key. Only those who are authorized also know the secret key. An example of secure fingerprints is Hash-based Message Authentication Code (HMAC), which
maintains packet integrity and the authenticity of the data protected.
Digital signatures use a related cryptography method that digitally signs the packet data. A signer creates the signature using a key that is unique and known only to the original signer. Recipients of the message can check the signature by using the signature verification key. The cryptography inherent in digital signatures guarantees accuracy and authenticity because the originator signed it. Financial businesses rely on digital signatures to electronically sign documents and also to prove that the transactions did in fact occur.
Keep in mind the following data integrity guidelines:
■ Analyze the need for transmission integrity.
■ Factor in performance, but use the strongest cryptography.
■ Always use well-known cryptographic algorithms.
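The "secure fingerprint" mechanism from the Data Integrity section, worked through as an added example that is not code from the book or from Cisco. The sender appends an HMAC computed with the shared secret key; the receiver recomputes it and rejects anything whose tag does not match, which catches both a message altered in transit and a tag produced by someone who does not hold the key. HMAC-SHA256 is used here (the book names HMAC without a hash), and the key, message and `protect`/`verify`/`tamper` names are my own constructions.

```python
"""Secure fingerprint over a message with HMAC (added example; not the book's or Cisco's code).

The key and message below are constructed sample values. HMAC-SHA256 is an
assumption: the book names HMAC but not the underlying hash.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag appended to every message


def fingerprint(key: bytes, message: bytes) -> bytes:
    """The secure fingerprint: an HMAC that only holders of `key` can compute."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append the fingerprint to the message."""
    return message + fingerprint(key, message)


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: return the message if its fingerprint checks out, else None."""
    if len(packet) < TAG_LEN:
        return None                      # too short to carry a tag at all
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # Constant-time comparison: a byte-by-byte `==` would leak how much of the
    # tag matched through timing.
    if not hmac.compare_digest(tag, fingerprint(key, message)):
        return None
    return message


def tamper(packet: bytes, index: int) -> bytes:
    """Flip one bit at `index`; models an in-transit modification of the packet."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    packet = protect(key, b"transfer 100 to account 42")
    print("intact   ->", verify(key, packet))
    print("tampered ->", verify(key, tamper(packet, 9)))
    print("wrong key->", verify(b"not-the-key", packet))
```

Note what the check does and does not give you: a single flipped bit anywhere in the message or the tag is detected, and a packet protected under a different key is rejected, but HMAC alone does not stop an attacker from replaying an unmodified packet; that is why IPsec pairs its integrity check with the anti-replay service mentioned later in this chapter.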
Threat Defense
As part of the Cisco SAFE security reference architecture, threat defense enhances the security in the network by adding increased levels of security protection on network devices, appliances, and endpoints. Both internal and external threats have become much
more destructive than in the past. DoS attacks, man-in-the-middle attacks, and Trojan
horses have the potential to severely impact business operations. The Cisco Threat Defense System (Cisco TDS) provides a strong defense against these internal and external
threats.
Threat defense has three main areas of focus:
■ Enhancing the security of the existing network: Preventing loss of downtime, revenue, and reputation
■ Adding full security services for network endpoints: Securing server and desktop endpoints with Cisco Network Admission Control (NAC)
■ Enabling integrated security in routers, switches, and appliances: Security techniques enabled throughout the network, not just in point products or locations
Physical Security
During your security implementations, it is essential to incorporate physical security to
increase the strength of the overall security design. Physical security helps protect and restrict access to network resources and physical network equipment. Sound security policies must defend against potential attacks that can cause loss of uptime or reputation, or
even revenue impacts.
Here are some considerations for potential physical threats:
■ Vulnerabilities inherent in systems when attackers access the hardware directly through console access or untrusted software.
■ Access to the network, allowing attackers to capture, alter, or remove data flowing in the network.
■ Attackers may use their own hardware, such as a laptop or router, to inject malicious traffic onto the network.
Keep in mind these physical security guidelines when designing physical security architectures:
■ Use physical access controls such as locks or alarms.
■ Evaluate potential security breaches.
■ Assess the impact of stolen network resources and equipment.
■ Use controls such as cryptography to secure traffic flowing on networks outside your control.
Figure 12-12 shows some physical security threat locations that an attacker could potentially exploit.
Figure 12-12 Physical Security Threats (figure labels: Public Networks: Internet, PSTN, etc.; Attacker; Data Center/Server Farm; Roaming User; Headquarters)
Infrastructure Protection
The infrastructure needs to be protected using security features and services to meet the
growing needs of business without disruption. Infrastructure protection is the process of
taking steps to reduce the risks and threats to the network infrastructure and to maintain
the integrity and high availability of network resources.
By using best practices and a security policy, you can secure and harden the infrastructure
equipment to prevent potential attacks. To combat network threats, Cisco has enhanced
Cisco IOS with security features to support the secure infrastructure and increase the network’s availability.
Here are some recommended best practices for infrastructure protection:
■ Access network equipment remotely with SSH rather than with Telnet.
■ In network switching infrastructure, use BPDU Guard, Root Guard, and VLAN Trunking Protocol (VTP) mode Transparent.
■ In network switching infrastructure, use ARP inspection and DHCP snooping.
■ In network switching infrastructure, use Control Plane Policing (CoPP).
■ Use AAA for access control management.
■ Enable syslog collection; review the logs for further analysis.
■ Use Simple Network Management Protocol Version 3 (SNMPv3) for its security and privacy features.
■ Disable unused network services, such as tcp-small-servers and udp-small-servers.
■ Use FTP or SFTP rather than TFTP to manage images.
■ Use access classes to restrict access to management and the command-line interface (CLI).
■ Enable routing protocol authentication when available (Enhanced Interior Gateway Routing Protocol [EIGRP], Open Shortest Path First [OSPF] Protocol, Intermediate System-to-Intermediate System [IS-IS], Border Gateway Protocol [BGP], Hot Standby Router Protocol [HSRP], VLAN Trunking Protocol [VTP]).
■ Use one-step lockdown in Security Device Manager (SDM) before connecting the router to the Internet.
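A way to turn part of the checklist above into an audit, as an added example that is not code from the book or from Cisco. It reads a saved IOS-style configuration as text and reports which of the router-visible items are satisfied: SSH-only vty lines, an access class on the vty lines, small servers disabled, AAA enabled, syslog collection, and SNMPv3 in place of v1/v2c community strings. The switching items (BPDU Guard, ARP inspection, DHCP snooping, CoPP) and the routing-protocol authentication item are not checked here. Both configurations are constructed samples: `WEAK_CONFIG` is the weak setting and `HARDENED_CONFIG` the corrected one; the rule names and the `audit`/`failed_checks` functions are my own.

```python
"""Audit an IOS-style configuration text against the infrastructure-protection
checklist (added example; not the book's or Cisco's code). Both configs below are
constructed samples."""
from typing import Dict, List

WEAK_CONFIG = """\
hostname edge-rtr
service tcp-small-servers
!
snmp-server community public RO
!
logging host 192.0.2.10
!
line vty 0 4
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no service tcp-small-servers
no service udp-small-servers
!
aaa new-model
!
ip ssh version 2
!
snmp-server group NETMGMT v3 priv
!
logging host 192.0.2.10
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
"""


def _lines(config: str) -> List[str]:
    """Configuration lines with blank lines and '!' separators dropped."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and ln.strip() != "!"]


def vty_block(config: str) -> List[str]:
    """Indented commands under the first 'line vty' section (empty if there is none)."""
    block: List[str] = []
    inside = False
    for ln in _lines(config):
        if ln.startswith("line vty"):
            inside = True
            continue
        if inside:
            if ln.startswith(" "):
                block.append(ln.strip())
            else:
                break
    return block


def audit(config: str) -> Dict[str, bool]:
    """Map each checklist rule to True (satisfied) or False (finding)."""
    top = [ln for ln in _lines(config) if not ln.startswith(" ")]
    vty = vty_block(config)
    transports = [ln.split()[2:] for ln in vty if ln.startswith("transport input")]
    return {
        # SSH rather than Telnet: every 'transport input' on the vty lines allows only ssh.
        "ssh_only_vty": bool(transports) and all(set(t) == {"ssh"} for t in transports),
        # Access classes restrict who may reach the CLI.
        "vty_access_class": any(ln.startswith("access-class") for ln in vty),
        # Unused services: the small servers must not be enabled.
        "small_servers_disabled": not any(
            ln in ("service tcp-small-servers", "service udp-small-servers") for ln in top),
        # AAA for access control management.
        "aaa_enabled": "aaa new-model" in top,
        # Syslog collection to a remote host.
        "syslog_collection": any(ln.startswith("logging host") for ln in top),
        # SNMPv3: no v1/v2c community strings, and at least one v3 group defined.
        "snmpv3_only": not any(ln.startswith("snmp-server community") for ln in top)
                       and any(ln.startswith("snmp-server group") and " v3" in ln for ln in top),
    }


def failed_checks(config: str) -> List[str]:
    """Names of the rules the configuration fails, in checklist order."""
    return [name for name, ok in audit(config).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failed checks = {failed_checks(cfg)}")
```

A pass from this script is not proof that a device is hardened: it sees only what the configuration text shows, so it cannot tell whether the access list referenced by the access class is sensible, and a vty section with no `transport input` line at all is reported as a failure rather than guessed at.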
Security Management Solutions
Security management solutions are used to monitor, control, and support the network infrastructure. These same tools can be helpful during network audits and can save administrators a considerable amount of time.
Security management solutions provide the following:
■ Collects, interprets, and presents information
■ Provisions network security policies for deployment
■ Maintains consistency by tracking policy changes
■ Monitors account activity and provides role-based access control (RBAC)
A strong security implementation is only as good as the policies that are used. One of
the biggest risks with a good security implementation is policy error. The network operations personnel need to fully understand the security policies, processes, and tools
so that they can respond quickly when a security incident arises.
References and Recommended Readings
IANA protocol numbers, www.iana.org/assignments/protocol-numbers.
Module 6, “Evaluating Security Solutions for the Network,” Designing for Cisco Internetwork Solution Course (DESGN) v2.1.
Cisco SAFE Solution Overview, www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFESolOver.html.
Cisco SAFE Reference Guide, www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html.
RFC 2196, Site Security Handbook, www.ietf.org/rfc/rfc2196.txt.
RFC 2402, IP Authentication Header, www.ietf.org/rfc/rfc2402.txt.
RFC 2406, IP Encapsulating Security Payload (ESP), www.ietf.org/rfc/rfc2406.txt.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 12-12 lists a reference of these key topics and the page
numbers on which each is found.
Table 12-12 Key Topics
Key Topic Element | Description | Page
Table 12-2 | Security legislation | 449
Table 12-3 | Security threats | 450
Table 12-4 | Security risks | 453
Table 12-5 | Software features to manage DoS attacks | 454
Table 12-6 | Key network security elements of the network security life cycle | 457
Table 12-7 | Security policy documents | 459
Table 12-9 | Steps for continuous security | 462
List | Two ways to send a key to the remote endpoint | 467
List | VPN protocols | 467
List | Security management solutions | 472
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory
Tables Answer Key,” also on the CD, includes completed tables and lists to check your
work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
U.S. Public Company Accounting Reform and Investor Protection Act of 2002,
Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA), U.S.
Health Insurance Portability and Accountability Act (HIPAA), EU Data Protection
Directive 95/46/EC, reconnaissance, gaining unauthorized access, denial of service
(DoS), NMAP, Superscan, DHCP snooping, Dynamic ARP Inspection, Unicast RPF,
access control lists (ACLs), rate limiting, NetStumbler, Kismet, acceptable-use policy,
network access control policy, security management policy, incident-handling policy,
secure, monitor, test, improve, authentication, authorization, accounting, Adaptive
Security Appliance (ASA), routers, Catalyst switches
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. What technique can be used to protect private information that is transported over the Internet between the headquarters and branch office? (Select the best answer.)
a. Authentication
b. Log all data
c. Encryption
d. Accounting
2. What would be recommended to protect database servers connected to or accessible from the Internet? (Select all that apply.)
a. Firewall
b. Server load balancing (SLB)
c. Syslog
d. SPAN
3. What network security issue does 3DES encryption aim to solve?
a. Data integrity
b. User authentication
c. Data authentication
d. Data confidentiality
4. Users are reporting a DoS attack in the DMZ. All the servers have been patched, and all unnecessary services have been turned off. What else can you do to alleviate some of the attack’s effects? (Select all that apply.)
a. Rate limit traffic on the firewall’s ingress.
b. Use ACLs to let only allowed traffic into the network.
c. Block all TCP traffic from unknown sources.
d. DHCP snooping for the DMZ segment.
5. You are a network engineer for ABC Corp. You need to bring your coworkers up-to-date on network security threats. What would you discuss with them? (Select all that apply.)
a. Reconnaissance and gaining unauthorized access
b. DHCP snooping
c. DMZ security
d. DoS
6. True or false: IPsec can ensure data integrity and confidentiality across the Internet.
7. What focuses on the accuracy and controls imposed on a company’s financial records?
a. HIPAA
b. GLBA
c. SOX
d. EU Data Protection Directive
8. What are components of managing the security infrastructure? (Select all that apply.)
a. Security management policy
b. Incident-handling policy
c. Network access control policy
d. None of the above
9. Which security legislative body calls for the protection of people’s privacy?
a. HIPAA
b. GLBA
c. EU Data Protection Directive
d. SOX
10. How can attackers obtain sensitive account information? (Select all that apply.)
a. Password-cracking utilities
b. Capturing network traffic
c. Social engineering
d. All of the above
11. What best describes how to protect data’s integrity?
a. System availability
b. Data confidentiality
c. Ensuring that only legitimate users can view sensitive data
d. Allowing only authorized users to modify data
12. What provides an audit trail of network activities?
a. Authentication
b. Accounting
c. Authorization
d. SSHv1
13. What authenticates valid DHCP servers to ensure that unauthorized host systems are kept from interfering with production systems?
14. What contains the organization’s procedures, guidelines, and standards?
15. How can you enforce access control? (Select all that apply.)
a. Restrict access using VLANs
b. Restrict access using OS-based controls
c. Use encryption techniques
d. All of the above
16. What is a general user document that is written in simple language to describe the roles and responsibilities within risk management?
17. True or false: The network access control policy defines the general access control principles used and how data is classified, such as confidential, top secret, or internal.
18. What are the four steps used to facilitate continuing efforts in maintaining security
policies?
a. Secure, monitor, maintain, close out
b. Monitor, test, evaluate, purchase
c. Improve, test, purchase, evaluate
d. Secure, monitor, test, improve
19. Match the encryption keys and VPN protocols with their definitions.
i. IPsec
ii. SSL
iii. Shared secret
iv. PKI
a. Both sides use the same key.
b. Uses AH and ESP.
c. Web browser TCP port 443.
d. Asymmetric cryptography.
20. What does Cisco recommend as the foundation of any deployed security solution?
a. Customer requirements
b. Security audit
c. SLA policy
d. Security policy
21. Which two of the following protocols are used for IP security?
a. SSH and EIGRP
b. BGP and TCP
c. AH and ESP
d. SSH and RIP
22. Which security solution best meets requirements for confidentiality, integrity, and
authenticity when using a public network such as the Internet?
a. Cisco IOS firewall
b. Intrusion prevention
c. Secure connectivity
d. AAA
e. Traffic Guard Protector
23. What uses security integrated into routers, switches, and appliances to defend against
attacks?
a. Trust and identity management
b. Threat defense
c. Secure connectivity
d. Cisco SAFE
e. Secure firewalling
24. Encryption and authentication are used to provide secure transport across untrusted
networks by providing ________________.
a. Trust and identity management
b. Threat defense
c. Secure connectivity
d. Cisco SAFE
e. Secure firewalling
This chapter covers the following subjects:
■ Cisco SAFE Architecture
■ Trust and Identity Technologies
■ Detecting and Mitigating Threats
■ Security Management Applications
■ Integrating Security into Network Devices
■ Securing the Enterprise
CHAPTER 13
Security Solutions
This chapter covers Cisco Security Architecture for the Enterprise (SAFE), security technologies, and design options for securing the enterprise. The CCDA candidate can expect
many questions related to integrating security technologies and mitigating security exposures. This chapter also focuses on how to integrate security into existing network devices
and security platforms throughout your network. Furthermore, the CCDA must understand the different types of security features available and where to deploy them.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” helps you identify your strengths and deficiencies in this
chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 13-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 13-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section                   Questions Covered in This Section
Cisco SAFE Architecture                     1, 2
Trust and Identity Technologies             3, 4
Detecting and Mitigating Threats            5, 6
Security Management Applications            7
Integrating Security into Network Devices   8
Securing the Enterprise                     9, 10
1. Which of the following are benefits of using Cisco SAFE Architecture? (Select all
that apply.)
a. SAFE eases the development, implementation, and management of secure networks.
b. SAFE provides for an open, modular, and expandable structure.
c. SAFE is the basis for the design of highly available secure networks.
d. SAFE provides for self-healing of network devices.
2. What network security platform combines a high-performance firewall with an IPS,
antivirus, IPsec, and an SSL VPN in a single unified architecture?
a. Integrated Services Routers
b. Cisco Catalyst switches
c. Adaptive Security Appliances
d. NAC
3. Which media-level access control standard developed by IEEE permits and denies access
to the network and applies traffic policy based on identity?
a. AES
b. 802.1X
c. NAC
d. FWSM
4. What mechanism protects networks from threats by enforcing security compliance
on all devices attempting to access the network?
a. NAC
b. SNMP
c. ASDM
d. SDM
5. Which of the following can be used to perform firewall filtering with the use of
ACLs? (Select all that apply.)
a. ASA
b. IPS
c. FWSM
d. All of the above
6. What Cisco security appliance acts as an SMTP gateway for the enterprise?
a. Cisco NAC Appliance
b. Cisco IronPort ESA
c. Cisco ASA
d. Cisco IronPort WSA
7. Which security management solution integrates the configuration management of
firewalls, VPNs, routers, switch modules, and IPS devices?
a. CSM
b. SDM
c. ASDM
d. ACS
8. When integrating security into the network, which of the following can be used?
(Select all that apply.)
a. RMON
b. ASA
c. Cisco IOS IPS
d. Syslog
9. Which of the following technologies is used to detect and mitigate threats in network
traffic?
a. 802.1X
b. NetFlow
c. NAC
d. SSH
10. What Cisco security management platform is used to control the TACACS and
RADIUS protocols?
a. SSH
b. NIPS
c. ACS
d. IDM
Foundation Topics
This chapter covers security topics that you need to master for the CCDA exam. It begins
with a discussion of the Cisco SAFE architecture and then covers the strategy for identifying and responding to security threats. The next section, “Trust and Identity Technologies,” discusses the technologies and services used on network security devices such as
routers and firewalls. The section “Detecting and Mitigating Threats” covers the technologies supporting threat defense, such as network- and host-based intrusion prevention systems (IPS), Adaptive Security Appliances (ASA), and Cisco Security Monitoring, Analysis,
and Response System (MARS).
The “Security Management Applications” section describes the Cisco security management products designed to support the Cisco SAFE architecture. Next, the “Integrating
Security into Network Devices” section covers the security features integrated into Cisco
network devices, such as routers, firewalls, IPS, endpoint security, and Catalyst service
modules. Then, the “Securing the Enterprise” section reviews the locations to deploy security devices and solutions in the enterprise campus, data center, and WAN edge.
Cisco SAFE Architecture
Cisco Security Architecture for the Enterprise (SAFE) is a security reference architecture
that provides detailed design and implementation guidelines to assist in the development
of secure and reliable networks. Part of the SAFE architecture discusses the building
blocks of secure networks that are resilient to well-known and new forms of attack. Because enterprise networks are key enablers of business, networks must be designed with
integrated security in mind to ensure confidentiality, integrity, and availability of network
resources, especially those networks that support critical business activity.
One key principle of Cisco SAFE architecture relates to the need for deep security and
protection from both the inside and outside of the organization, along with providing
guidelines for analyzing security requirements. The Cisco SAFE approach allows for the
analysis of expected threats and supports the design of the network security strategy. In
addition, the modular nature of Cisco SAFE allows for the security system to be expanded and scaled as the business grows.
Here are the goals of Cisco SAFE:
■ Mitigation of threats and security based on policy
■ Secure management tools and the development of reports
■ Authentication, authorization, and accounting (AAA) for network equipment
■ Use of security mechanisms for all network devices
■ Intrusion detection for network devices and IP subnets
Here are the benefits of Cisco SAFE:
■ SAFE is the basis for the design of highly available secure networks.
■ SAFE provides for an open, modular, and expandable structure.
■ SAFE facilitates the development, implementation, and management of secure networks.
Figure 13-1 shows Cisco SAFE components and major concepts.
[Figure 13-1 Cisco SAFE Architecture: security solutions built from security devices (VPNs, firewall, admission control, monitoring, email filtering, intrusion prevention) and network devices (routers, switches, servers) together with PCI, DLP, and threat control; the Security Control Framework actions identify, monitor, and correlate (visibility) and harden, isolate, and enforce (control); applied across the data center, campus, WAN edge, branch, Internet edge, e-commerce, Cisco Virtual Office, virtual user, and partner sites, on top of secured mobility, unified communications, network virtualization, and network foundation protection.]
Network Security Platforms
Network security starts with having a secure underlying network. The underlying network
provides an ideal place to implement core and advanced security solutions. The center of
these secure network solutions consists of the Adaptive Security Appliances (ASA), Integrated Services Routers (ISR), and Cisco Catalyst switches that have integrated security
features. These are highly intelligent network security devices with many built-in security
features that provide a framework for incorporating security throughout the network.
Here is a description of some important security device platforms:
■ ASA is a high-performance firewall appliance with IPS, antivirus, IPsec, and Secure Sockets Layer (SSL) virtual private network (VPN) technologies integrated into a single unified architecture. ASA also has embedded Network Admission Control (NAC) capabilities.
■ ISR G2 combines IOS firewall, VPN, and IPS services across the router portfolio, enabling new security features on existing routers. Supported VPNs include IPsec VPN, Cisco Easy VPN, Dynamic Multipoint VPN (DMVPN), and SSL VPN. ISRs can also be NAC enabled.
■ Cisco Catalyst switches include denial of service (DoS) and man-in-the-middle attack mitigations and integration with service modules that provide firewall and VPN capabilities for secure connectivity. Unique security zones can be set up along with the virtualization of firewalls.
Cisco Security Control Framework
The Cisco Security Control Framework (SCF) is a security framework that provides a
foundation for securing networks based on proven industry best practices and security architecture principles. Cisco SCF is designed to address current threats and threats that are
still evolving by using common and comprehensive security solutions. The Cisco SAFE architecture uses SCF to develop secure network designs that ensure high availability of
network services. Cisco SCF influences security product selection and helps guide network implementations to allow for better visibility and control.
SCF assumes the presence of security policies derived from threat and risk assessments
that complement the goals of the business. Security policies and guidelines define the acceptable-use policy for the secure use of network services and devices in the organization. The security policies should also determine the process and procedures for handling
security events, which help define the security operations. To achieve business goals, it is
critical to businesses that security policy and procedures empower the business rather
than prevent access.
Total Visibility and Complete Control are the two main components of SCF. Network
security is a function of visibility and control. Without visibility, there is a lack of control,
and without control, you are missing key elements of security. The success of a security
policy depends on solid visibility and control. Within SCF, six security actions are
used to enforce security policy and provide visibility and control. Visibility is improved
with the identify, monitor, and correlate security actions, and control is enhanced through
the harden, isolate, and enforce security actions. Each of these security actions is further
defined in the SCF model.
Figure 13-2 describes the components of the Cisco SCF model.
Trust and Identity Technologies
Trust and identity technologies are security controls that enable network traffic security.
The following are examples of technologies used to support trust and identity management:
■ Access control lists (ACL): ACLs are used on routers, switches, and firewalls to control access. For example, ACLs are commonly used to restrict traffic on the ingress or egress of an interface by a wide variety of methods, such as matching IP addresses and TCP or User Datagram Protocol (UDP) ports.
■ Firewall: A security device designed to permit or deny network traffic based on security policy. The firewall enforces security by using the access and authorization policy to determine what is trusted and untrusted. The firewall also performs stateful packet inspection (SPI), which keeps track of the state of each TCP/UDP connection. With SPI, return traffic arriving on a lower-security interface is permitted only when the connection originated from a higher-security interface, such as the inside.
■ Cisco Network Admission Control (NAC) Appliance: Protects the network from security threats by enforcing security compliance on all devices attempting to access the network.
■ 802.1X: An IEEE media-level access control standard that permits and denies admission to the network and applies traffic policy based on identity.
■ Cisco Identity-Based Network Services (IBNS): Based on several Cisco solutions integrated to enable authentication, access control, and user policies to secure network infrastructure and resources.
[Figure 13-2 Cisco Security Control Framework model]
Total Visibility (identify, monitor, collect, detect, and classify users, traffic, applications, and protocols):
■ Identify: identify, classify, and assign trust levels to subscribers, services, and traffic.
■ Monitor: monitor performance, behaviors, events, and compliance with policies; identify anomalous traffic.
■ Correlate: collect, correlate, and analyze system-wide events; identify, notify, and report on significant related events.
Complete Control (harden, strengthen resiliency, limit access, and isolate devices, users, traffic, applications, and protocols):
■ Harden: harden devices, transport, services, and applications; strengthen infrastructure resiliency, redundancy, and fault tolerance.
■ Isolate: isolate subscribers, systems, and services; contain and protect.
■ Enforce: enforce security policies; mitigate security events; dynamically respond to anomalous events.
The following sections cover some of these trust and identity technologies in more detail.
Firewall ACLs
Firewalls control access to and from the Internet and provide interaction with customers,
suppliers, and employees. But because the Internet is unsecure, firewalls need to use ACLs
to permit and deny traffic flowing through them. Firewalls use security zones to define trust
levels that are associated with the firewall’s interfaces. For example, the trusted zone is
associated with an interface connected to the internal network, and the untrusted zone is
associated with an interface connected to the outside of the firewall. Common security zones
include the inside, outside, and demilitarized zone (DMZ), but others can be created as needed.
Figure 13-3 shows an ASA firewall with three zones and the permitted policy and flow of the traffic.
[Figure 13-3 Firewall ACLs and Zones: trusted internal zone, untrusted Internet zone, and a DMZ public zone holding an HTTP/FTP server and an SSL e-commerce server; HTTP/SSL flows from the internal zone to the Internet, and HTTP/FTP/SSL flows from the Internet into the DMZ.]
The policy for the firewall shown in Figure 13-3 includes the following:
■ Allow HTTP and HTTPS to the Internet
■ Allow HTTPS and FTP to the public web and FTP server
■ Allow HTTPS to the public e-commerce server
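The three-zone policy above, modeled as an added example (this is not code from the book or from Cisco): a small stateful firewall that applies the three policy lines to the first packet of each connection and admits return traffic only through its state table, which is the SPI behavior described in the Trust and Identity list. The inside and DMZ address ranges, server addresses, and the packet sequence are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Security levels follow the ASA convention: higher is more trusted.
ZONE_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed addressing (not from the book): RFC 1918 space for the inside
# network and TEST-NET-1 for the DMZ; anything else is treated as the Internet.
ZONE_NETS = {
    ipaddress.ip_network("10.1.1.0/24"): "inside",
    ipaddress.ip_network("192.0.2.0/24"): "dmz",
}
WEB_FTP_SERVER = "192.0.2.10"    # public web/FTP server in the DMZ
ECOMMERCE_SERVER = "192.0.2.20"  # public e-commerce server in the DMZ


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_NETS.items():
        if addr in net:
            return zone
    return "outside"


# The three policy lines from Figure 13-3, written as
# (source zone, destination zone or host, protocol, permitted destination ports).
POLICY = [
    ("inside", "outside", "tcp", {80, 443}),       # HTTP and HTTPS to the Internet
    ("outside", WEB_FTP_SERVER, "tcp", {443, 21}),  # HTTPS and FTP to the web/FTP server
    ("outside", ECOMMERCE_SERVER, "tcp", {443}),    # HTTPS to the e-commerce server
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for the first packet of a TCP connection


class StatefulFirewall:
    """ACL check on the first packet of a connection, state table for the rest."""

    def __init__(self, policy):
        self.policy = policy
        self.connections = set()  # forward 5-tuples of permitted connections

    def _policy_permits(self, pkt, src_zone, dst_zone):
        for rule_src, rule_dst, proto, dports in self.policy:
            dst_matches = rule_dst == dst_zone if rule_dst in ZONE_LEVEL else rule_dst == pkt.dst
            if rule_src == src_zone and dst_matches and proto == pkt.proto and pkt.dport in dports:
                return True
        return False

    def process(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Stateful inspection: reply packets are permitted only because the
        # connection was opened from the permitted side; no ACL line is needed.
        if reverse in self.connections:
            return ("permit", "return traffic of an established connection")
        if forward in self.connections:
            return ("permit", "established connection")
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if not self._policy_permits(pkt, src_zone, dst_zone):
            return ("deny", f"{src_zone}->{dst_zone} {pkt.proto}/{pkt.dport} not in policy")
        if not pkt.syn:
            # A non-SYN segment with no state is spoofed or out of order, not a new session.
            return ("deny", "no connection state and not a SYN")
        self.connections.add(forward)
        return ("permit", f"new {src_zone}->{dst_zone} connection")


def run_sample():
    """Constructed packet sequence; returns the firewall's decision for each packet."""
    fw = StatefulFirewall(POLICY)
    packets = [
        Packet("10.1.1.5", 40000, "203.0.113.7", 443, syn=True),     # inside user to Internet HTTPS
        Packet("203.0.113.7", 443, "10.1.1.5", 40000),               # the server's reply
        Packet("203.0.113.9", 5555, "10.1.1.5", 40000, syn=True),    # Internet host probing the inside user
        Packet("203.0.113.9", 5555, WEB_FTP_SERVER, 443, syn=True),  # Internet to DMZ HTTPS
        Packet("203.0.113.9", 5556, WEB_FTP_SERVER, 80, syn=True),   # plain HTTP is not in the policy
        Packet("203.0.113.9", 5557, ECOMMERCE_SERVER, 21, syn=True), # FTP to e-commerce is not in the policy
        Packet("203.0.113.9", 5558, WEB_FTP_SERVER, 443),            # mid-stream segment with no state
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(f"{decision:6} {reason}")
```

The third packet is the case the book's SPI sentence is about: the inside user's reply path exists in the state table, but an unrelated Internet host hitting the same inside port gets no match and falls through to the ACL, where outside-to-inside traffic has no permit line.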
Cisco NAC Appliance
The Cisco NAC Appliance is a turnkey solution that can meet any organization’s technology and operational needs. The Cisco NAC Appliance is a self-contained product that integrates with the infrastructure to provide user authentication and enforce security
policy for wired and wireless devices seeking access into the network. NAC Appliances
can provide posture compliance and remediation before allowing access to the network
infrastructure.
NAC can restrict access of noncompliant devices but permit access to trusted wired or
wireless endpoints such as desktops, laptops, PDAs, and servers.
Successful deployments of NAC infrastructure require detailed planning, with considerations for timeframes, groups involved, and customer requirements.
Cisco Identity-Based Network Services
The Cisco Identity-Based Network Services solution is a way to authenticate host access
based on policy for admission to the network. IBNS supports identity authentication, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X with port
security.
The 802.1X protocol is a standards-based protocol for authenticating network clients by
permitting or denying access to the network. The 802.1X protocol operates between the
end-user client seeking access and an Ethernet switch or wireless access point (AP) providing the connection to the network. In 802.1X terminology, clients are called supplicants,
and switches and APs are called authenticators. A back-end RADIUS server such as a
Cisco Access Control Server (ACS) provides the user account database used to apply
authentication and authorization.
With an IBNS solution, the host uses 802.1X and Extensible Authentication Protocol over
LANs (EAPoL) to send the credentials and initiate a session to the network. After the host
and switch establish LAN connectivity, username and password credentials are requested.
The client host then sends the credentials to the switch, which forwards them to the
RADIUS ACS.
The RADIUS ACS performs a lookup on the username and password to determine the
credentials’ validity. If the username and password are correct, an accept message is sent
to the switch or AP to allow access to the client host. If the username and password are
incorrect, the server sends a message to the switch or AP to block the host port.
Figure 13-4 illustrates the communication flow of two hosts using 802.1X and EAPoL
with the switch, AP, and back-end RADIUS server.
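The exchange described above, as an added example that is not part of the book and not Cisco code: the supplicant's credentials reach the switch (authenticator), which never validates them itself but forwards them to the ACS (RADIUS server) in an Access-Request. The User-Password attribute in that request is hidden the way RFC 2865 section 5.2 specifies, by XORing 16-byte blocks with MD5(shared secret + previous block), seeded with the Request Authenticator. Usernames, passwords, VLAN numbers, port names, and shared secrets are constructed. The book's simplified flow forwards a username and password; production 802.1X carries EAP messages instead, which the example does not model.

```python
import hashlib
import os
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then chain
    c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the server side of the same computation."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(shared_secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")  # drop the padding (a password ending in NUL is not representable)


class AccessControlServer:
    """The RADIUS server (ACS) role: holds the user database and the shared secret."""

    def __init__(self, shared_secret: bytes, users: dict):
        self.shared_secret = shared_secret
        self.users = users  # username -> (password, VLAN to assign)

    def access_request(self, username: str, hidden_password: bytes, request_authenticator: bytes):
        entry = self.users.get(username)
        if entry is None:
            return ("Access-Reject", None)
        password, vlan = entry
        candidate = reveal_user_password(hidden_password, self.shared_secret, request_authenticator)
        if secrets.compare_digest(candidate, password):
            return ("Access-Accept", vlan)  # a real server carries the VLAN in Tunnel-Private-Group-ID
        return ("Access-Reject", None)


class Authenticator:
    """The switch or AP role: EAPoL toward the supplicant, RADIUS toward the ACS."""

    def __init__(self, acs: AccessControlServer, shared_secret: bytes):
        self.acs = acs
        self.shared_secret = shared_secret
        self.ports = {}  # port -> (state, vlan)

    def handle_eapol(self, port: str, username: str, password: bytes):
        request_authenticator = os.urandom(16)  # fresh per Access-Request
        hidden = hide_user_password(password, self.shared_secret, request_authenticator)
        code, vlan = self.acs.access_request(username, hidden, request_authenticator)
        if code == "Access-Accept":
            self.ports[port] = ("authorized", vlan)    # port opened, VLAN policy applied
        else:
            self.ports[port] = ("unauthorized", None)  # port stays blocked
        return self.ports[port]


# Constructed user database and secrets (not from the book).
USERS = {"alice": (b"correct-horse-battery", 20), "bob": (b"hunter2", 30)}
SECRET = b"radius-shared-secret"


def run_sample():
    acs = AccessControlServer(SECRET, USERS)
    switch = Authenticator(acs, SECRET)
    misconfigured_switch = Authenticator(acs, b"wrong-secret")  # NAS secret does not match the ACS
    return {
        "alice_ok": switch.handle_eapol("Gi1/0/1", "alice", b"correct-horse-battery"),
        "alice_bad_pw": switch.handle_eapol("Gi1/0/2", "alice", b"password"),
        "unknown_user": switch.handle_eapol("Gi1/0/3", "mallory", b"anything"),
        "wrong_secret": misconfigured_switch.handle_eapol("Gi1/0/1", "bob", b"hunter2"),
    }


if __name__ == "__main__":
    for case, result in run_sample().items():
        print(f"{case:14} {result}")
```

The last case shows something the book's flow implies but does not state: a switch whose RADIUS secret does not match the ACS cannot get anyone accepted, because the server recovers garbage from the hidden attribute. The hiding covers only the password attribute with an MD5 keystream; the rest of the packet is cleartext, and anyone who captures the traffic and knows or guesses the shared secret recovers the password. That is why production deployments carry credentials inside TLS-protected EAP methods rather than in User-Password.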
Identity and Access Control Deployments
Validating user authentication should be implemented as close to the source as possible,
with an emphasis on strong authentication for access from untrusted networks. Access rules
should enforce policy deployed throughout the network with the following guidelines:
■ Source-specific rules with any type destinations should be applied as close to the source as possible.
■ Destination-specific rules with any type sources should be applied as close to the destination as possible.
■ Mixed rules integrating both source and destination should be used as close to the source as possible.
An integral part of identity and access control deployments is to allow only the necessary
access. Highly distributed rules allow for greater granularity and scalability but, unfortunately, increase the management complexity. On the other hand, centralized rule deployment eases management but lacks flexibility and scalability.
Practicing “defense in depth” by using security mechanisms that back each other up is an
important concept. An example is using router ACLs to filter packets in addition to the firewall inspecting packets at a deeper level.
[Figure 13-4 802.1X and EAPoL: two hosts attempt access through a switch and an AP; the authenticator requests credentials over 802.1X/EAPoL, the host sends them, the authenticator forwards them to the Cisco ACS server in RADIUS messages, ACS returns the authentication answer (Accept/Reject) and sets the VLAN policy, and the switch or AP applies the policy to the port.]
Figure 13-5 shows the importance of the authentication databases and how many network
components in the enterprise rely on them for authentication services.
Detecting and Mitigating Threats
The use of threat detection and mitigation techniques enables early detection of and notifications about unwanted malicious traffic. The goals are to detect, notify, and help stop
unforeseen and unauthorized traffic. These techniques help increase the network’s availability, particularly against unidentified and unexpected attacks. Threat detection and mitigation solutions include the following:
■ Endpoint protection: Viruses and worms can create havoc by propagating infections from host to host throughout the network. Antivirus services can help hosts detect and remove infections based on known virus signatures.
■ Application security and content security defense: Several new application layer network products have been released that help address new classes of threats, such as spam, phishing, spyware, packet abuse, and unauthorized peer-to-peer file sharing. Content security products such as Cisco IronPort Appliances provide comprehensive antivirus, antispyware, file-blocking, antispam, URL blocking, and content-filtering services. These products supplement traditional firewalls and network-based intrusion detection system (NIDS) solutions with more granular traffic inspection throughout the network.
■ Infection containment: The Cisco ASA, Firewall Services Module (FWSM), and IOS firewalls protect the network by creating security zones that partition the network into separate segments. The firewall services provide perimeter network security but do not eliminate the need for continuous network monitoring. As part of the Cisco SAFE architecture, NAC can be used in the perimeter to perform policy-based admission control, thus reducing potential threats.
■ Inline IPS and anomaly detection: Cisco has innovated in the area of NIDS by being the first to incorporate NIDS into the IOS on routing and switching platforms. In addition, IPS solutions have inline filtering features that can remove unwanted traffic with programmable features that classify traffic patterns. The Cisco IPS 4200 sensor appliances, Cisco Catalyst 6500 IDSM-2, and the Cisco IOS IPS can identify, analyze, and stop unwanted traffic from flowing on the network. Another set of tools used to prevent distributed DoS (DDoS) attacks and ensure business continuity is the Cisco Traffic Anomaly Detector XT and Guard XT appliances, along with the Cisco Catalyst 6500 Traffic Anomaly Detector Module and Cisco Anomaly Guard Module.
[Figure 13-5 Identity and Access Control: the authentication databases sit in the enterprise campus and serve LAN access, 802.1X wireless authentication, firewall and router access control lists, and SSH authentication; at the enterprise edge (Internet/WAN, DMZ/e-commerce, Internet via ISP 1 and ISP 2) they serve remote-access VPN authentication and WAN peer authentication over the PSTN and WAN/MAN (Frame/TDM/ATM/MPLS) links.]
Threat Detection and Mitigation Technologies
Here are some examples of Cisco threat-detection and threat-mitigation technologies:
■ FWSM: Catalyst 6500 Firewall Services Module
■ ASA: Adaptive Security Appliance (robust firewall or NIPS)
■ IOS firewall: Cisco IOS software feature set
■ IPS sensor appliance: NIPS
■ IPS: Intrusion prevention system (IOS feature)
■ NAC: Cisco NAC Appliance
■ Cisco Traffic Anomaly Detector Module: Detects high-speed DoS attacks
■ Cisco IronPort Web Security Appliance (Cisco WSA)
■ Cisco IronPort Email Security Appliance (Cisco ESA)
■ Network management protocols and solutions
■ NetFlow: Statistics on packets flowing through the router (IOS feature)
■ Syslog: Logging data (IOS feature)
■ SNMP: Simple Network Management Protocol (IOS feature)
■ Cisco MARS: Monitoring, Analysis, and Response System
■ Cisco Security Manager
■ Cisco NAC Manager
Threat-Detection and Threat-Mitigation Solutions
Threat-detection and threat-mitigation solutions are deployed throughout the network
and can serve as an effective layered defense for secure network communications. For example, suppose your network is being attacked from the Internet (for example, via a worm
or virus outbreak). The Internet WAN routers are your first line of protection and can be
used to spot increasing network load or suspicious NetFlow data. After some information
has been collected, you can use specific granular ACLs to further identify the attack.
The NIPS appliances can provide deep packet inspection to determine the additional details about the attack’s signature. The IPS signature information, along with other data that
is collected, can be used to correlate a solution to prevent and stop the attack.
Firewalls can perform stateful packet inspections and can ultimately block unwanted network traffic in the event of an attack. However, it is preferable to engage the ISP and have
them block the attack from even entering your network.
To successfully detect threats and mitigate them, it is important to understand where to
look for potential threats. The following are good sources of information for detecting
and mitigating threats:
■ NetFlow
■ Syslog
■ Remote Monitoring (RMON) events
■ Simple Network Management Protocol (SNMP) thresholds and traps
■ CPU and interface statistics
■ Cisco Security MARS reporting
Figure 13-6 depicts an attacker sourcing from the Internet and targeting the internal network, and how to detect and mitigate the threat.
[Figure 13-6 Threat Detection and Mitigation: the attacker on the Internet behind the ISP router, then the Internet WAN router, stateful firewall, NIPS, DMZ switch with HTTP and FTP servers, Cisco MARS, and the campus internal user. Steps shown:
1) Network load increasing, spotted by rising CPU, interface statistics, and NetFlow at the Internet WAN router.
2) Attack identified; granular ACLs are used to further identify the attack.
3) Deep packet scanning via IPS determines the attack signature.
4) The attack can be blocked via the firewall.]
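Detection logic of the kind steps 1 and 2 describe (suspicious NetFlow data, then granular ACLs to confirm the attack), as an added example that is not from the book or from Cisco. Two detectors run over constructed NetFlow-style records: one finds a single source sweeping many hosts on one port, the other finds many sources leaving half-open connections on one service. The findings are turned into IOS extended access list entries with the log keyword, so the hit counters on the router tell you whether the guess was right. Addresses, thresholds, and the records are constructed; a real deployment would feed exported flows from a collector rather than the in-line list.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: who talked to whom, how much, and with which TCP flags."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    tcp_flags: str  # cumulative flags seen in the flow, e.g. "S", "SA", "PA"


def detect_scanners(flows, min_targets=8):
    """One source opening SYN-only, one-or-two-packet flows to many distinct hosts on
    the same port is the NetFlow footprint of a port sweep or a propagating worm."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.tcp_flags == "S" and f.packets <= 2:
            targets[(f.src, f.dport)].add(f.dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


def detect_syn_floods(flows, min_sources=8):
    """Many sources each leaving half-open (SYN-only) flows to one destination port
    is the footprint of a SYN flood against that service."""
    sources = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.tcp_flags == "S":
            sources[(f.dst, f.dport)].add(f.src)
    return {key: len(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}


def granular_acl(scanners, floods, acl_number=150):
    """Emit IOS extended ACEs with the log keyword so hit counts confirm each finding.
    A scanner is denied outright. A flooded service is logged but still permitted,
    because denying it would finish the attacker's job; rate limiting at the firewall
    ingress or upstream blocking by the ISP is the mitigation for that case."""
    lines = []
    for (src, dport), _ in sorted(scanners.items()):
        lines.append(f"access-list {acl_number} deny tcp host {src} any eq {dport} log")
    for (dst, dport), _ in sorted(floods.items()):
        lines.append(f"access-list {acl_number} permit tcp any host {dst} eq {dport} log")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def sample_flows():
    """Constructed records: a little normal traffic, one host sweeping SSH across the
    DMZ, and twenty sources SYN-flooding the e-commerce HTTPS listener."""
    flows = [
        Flow("10.1.1.5", "203.0.113.7", "tcp", 443, 40, "PA"),
        Flow("10.1.1.6", "203.0.113.8", "tcp", 80, 12, "PA"),
        Flow("203.0.113.7", "192.0.2.10", "tcp", 443, 25, "PA"),
    ]
    flows += [Flow("198.51.100.23", f"192.0.2.{i}", "tcp", 22, 1, "S") for i in range(1, 13)]
    flows += [Flow(f"203.0.113.{i}", "192.0.2.20", "tcp", 443, 1, "S") for i in range(1, 21)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    scanners, floods = detect_scanners(flows), detect_syn_floods(flows)
    print("scanners:", scanners)
    print("syn floods:", floods)
    print("\n".join(granular_acl(scanners, floods)))
```

The two detectors deliberately key on different things (source plus port versus destination plus port), so the sweep does not register as a flood and the flood does not register as a sweep; in practice the thresholds are tuned against a baseline of the site's normal flow counts, which is the "rising load" signal of step 1.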
Cisco IronPort ESA
IronPort Email Security Appliances (ESA) are designed to protect networks from today’s
and tomorrow’s email threats. IronPort ESA is a firewall and threat-monitoring appliance
for Simple Mail Transfer Protocol (SMTP; TCP port 25)-based traffic. In the email delivery
process, ESA acts as an SMTP gateway firewall for the enterprise. One of the advantages of
using IronPort ESA as your mail transfer agent (MTA) is that ESA can determine the source IP
address of the sending MTA and query it against Cisco SensorBase to get the sender’s reputation
score. IronPort ESA uses the reputation score to stop junk mail and various malware from
arriving in users’ mailboxes.
Multiple deployment options are available depending on the number of interfaces used. The
most common deployment option uses a single physical interface inserted in a firewalled
DMZ network segment. An alternative approach is to use two interfaces, one to send and
receive email traffic located in the DMZ and another interface connected to an inside network to deliver mail to internal mail servers. With either approach, it is recommended to
use a static Network Address Translation (NAT) on the Internet firewall to translate the
public address into the private address of the ESA located in the DMZ.
Cisco IronPort WSA
IronPort Web Security Appliances (WSA) are designed to monitor and mitigate abnormal
web traffic between users and the public Internet. The WSA acts as a web proxy for the
corporate users residing on the internal network segments and is logically placed in the
path between the users and the Internet. There are three ways to implement the WSA, two
of which require web browser customizations.
Table 13-2 describes the Cisco IronPort WSA mode options.
Table 13-2 IronPort WSA Modes

Cisco IronPort WSA Mode                       Description
Explicit mode with proxy autoconfiguration    Proxy information is stored in the PAC file.
(PAC) files                                   The PAC file is downloaded automatically to the browser using DHCP/DNS.
                                              Supports redundancy; multiple WSAs can be listed in the PAC file.
Explicit mode without PAC files               Requires changes to every browser.
                                              Each browser is configured to point to the WSA as its proxy.
                                              Does not support redundancy.
Transparent mode with Web Cache               Web traffic is transparently directed to the WSA using WCCP redirection.
Communication Protocol (WCCP)                 No changes to the browser are necessary.
                                              Requires configuration of a WCCP-enabled firewall, router, or Layer 3 switch to point traffic to the WSA.
                                              Supports load sharing and redundancy.
It is recommended to use explicit mode with PAC files for testing and then transition to
WCCP for the final implementation. The PAC file implementation is much easier to deploy
during testing than WCCP because you only need to modify the test browser’s proxy settings.
WCCP mode is much more elegant in the long run, however, because you do not need to
modify all the users’ browser settings.
Security Management Applications
Security management applications consolidate network management and monitoring,
which allows more secure control of the network. Security management provides several
functions:
■ Central repository for collecting network information for further analysis of security-related events. In addition, many applications have reporting capabilities to help network managers present technical information to upper management. Some examples include authentication, authorization, and accounting (AAA) with TACACS and RADIUS servers, syslog servers, and IPS System Manager, which enables deep inspection of complex security events.
■ Easier deployment of security policies into the security devices via graphical user interface (GUI) tools. These tools help you maintain the consistency of the security policies across a broad spectrum of network device types.
■ Role-based access control for all accounts to separate administrative tasks and user functions.
Security implementations need to be planned properly using the security policies governed by the organization to make good use of the security applications. From time to
time, audits are necessary, which requires updates to the security policy and related security management applications. A major risk to security implementations is policy error.
Management needs to be cognizant of the security policy and know how to manage incidents properly.
Security Platform Solutions
Cisco has a variety of security management products and technologies that allow scalable
administration and enforcement of security policy for the Cisco SCF architecture. These
solutions reduce the operational management and automate many of the common tasks,
including configuration, analysis, incident response, and reporting. Security management
platforms include the following:
■ Cisco Security Manager (CSM) is an integrated solution for GUI configuration management of firewall, VPN, and IPS policies on Cisco security appliances, firewalls, routers, and switch modules. CSM has capabilities for security policies to be deployed by device, by group, or globally for all devices.
■ Cisco Secure Access Control Server (ACS) provides centralized control for administrative access to Cisco devices and security applications. ACS provides for AAA security services and supports routers, switches, VPN services, ASAs, and Cisco NAC clients. In addition, Cisco ACS also supports back-end directory integration with Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory (AD) for authentication services.
■
Cisco Security Monitoring, Analysis, and Response System (Cisco Security
MARS)
tor, identify, isolate, and respond to security threats. MARS understands the network
Key
Topic
496 CCDA 640-864 Official Cert Guide
topology and device configurations from routers, switches, firewalls, and IPS devices.
MARS also can model packet flows on the network.
■
Cisco NAC Manager is an appliance that manages the Cisco NAC servers. NAC Manager has a web-based interface for managing security policies and online users that
are part of the NAC infrastructure. Cisco NAC Manager acts as an authentication
proxy using Cisco ACS or Microsoft AD.
■
System Administration Host provides a centralized host used to stage configuration,
software images, and implement network changes.
■
Network Time Protocol (NTP) server provides time synchronization to NTP clients
such as routers and switches. Time synchronization is crucial in the analysis of event
correlations.
■
Configuration and Software Archive Host serves as a repository to backup device
configurations and software images.
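The MARS and NTP items above belong together: a correlation platform matches events from different devices by time, so a device whose clock has drifted does not line up with the others and its events look unrelated. The Python script below is an added example, not code from the book or from Cisco; it parses constructed syslog lines from a hypothetical IPS (ips01) and firewall (fw01), correlates an IPS alert with firewall denies from the same source within a 60-second window, and shows that the correlation only succeeds once the firewall's assumed 90-second clock offset is corrected. Hostnames, addresses and message formats are made up.

```python
"""Correlate IPS and firewall syslog events by source address within a time
window, in the spirit of a MARS-style analysis, and show why device clocks
must be synchronized. All log lines, hostnames and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs. The firewall fw01 is assumed to have no NTP
# configured and to run 90 seconds fast; ips01 is assumed to be on time.
SAMPLE_LOGS = [
    "2011-05-01 10:00:05 ips01 IPS-ALERT sig=2004 src=198.51.100.7 dst=10.1.20.15",
    "2011-05-01 10:01:40 fw01 FW-DENY src=198.51.100.7 dst=10.1.20.15 proto=tcp dport=445",
    "2011-05-01 10:01:42 fw01 FW-DENY src=198.51.100.7 dst=10.1.20.16 proto=tcp dport=445",
    "2011-05-01 10:30:00 fw01 FW-DENY src=203.0.113.9 dst=10.1.20.15 proto=tcp dport=22",
]

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<kind>\S+) (?P<rest>.*)"
)


def parse_line(line):
    """Turn one constructed syslog line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "host": m.group("host"),
        "kind": m.group("kind"),
        **fields,
    }


def normalize(events, offsets_seconds):
    """Subtract each device's known clock offset (seconds fast, as measured
    against the NTP reference) from its timestamps."""
    fixed = []
    for ev in events:
        ev = dict(ev)
        ev["ts"] -= timedelta(seconds=offsets_seconds.get(ev["host"], 0))
        fixed.append(ev)
    return fixed


def correlate(events, window_seconds=60):
    """Return one incident per IPS alert that has at least one firewall deny
    from the same source within window_seconds of the alert."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        alerts = [e for e in evs if e["kind"] == "IPS-ALERT"]
        denies = [e for e in evs if e["kind"] == "FW-DENY"]
        for alert in alerts:
            related = [d for d in denies if abs(d["ts"] - alert["ts"]) <= window]
            if related:
                incidents.append({"src": src, "sig": alert.get("sig"), "denies": len(related)})
    return incidents


def run(lines, offsets_seconds=None):
    """Parse, correct clocks, correlate. offsets_seconds maps host -> seconds fast."""
    events = [e for e in map(parse_line, lines) if e]
    return correlate(normalize(events, offsets_seconds or {}))


if __name__ == "__main__":
    print("raw clocks:    ", run(SAMPLE_LOGS))             # [] - the denies look unrelated
    print("fw01 corrected:", run(SAMPLE_LOGS, {"fw01": 90}))
```

With raw timestamps the denies sit 95 to 97 seconds after the alert and fall outside the window; after subtracting fw01's offset they are 5 to 7 seconds after it and form one incident. In practice the fix is NTP on every device rather than per-host offset tables, which is why the NTP server is part of the management module.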
Security Management Network
The SAFE architecture design incorporates a management network module dedicated to carrying network management and control plane traffic such as NTP, SSH, SNMP, TACACS, VPN, syslog, and NetFlow reporting. Two primary technologies are used in the management module: Cisco IOS routers acting as terminal servers and a management VLAN or separate network segment. Together, these technologies provide configuration management to nearly all network devices. The management VLAN provides the primary access method for devices using SSH and HTTPS. Hardened terminal servers provide console access and command-line interface (CLI) access using reverse Telnet functions. It is a best practice to configure your network devices to send network management traffic such as NTP, SSH, SNMP, TACACS, syslog, and NetFlow traffic back to the dedicated network management VLAN.
Network management can be implemented in both in-band (IB) and out-of-band (OOB) management configurations designed to provide secure management of network devices within the enterprise. OOB management is typically located at the headquarters and uses dedicated Ethernet ports on the devices connected to the OOB VLAN or network segment. These Ethernet ports are intended to be used for management and monitoring functions of the network devices. The OOB management network can be a separate LAN or an isolated VLAN. In-band management is used for remote devices such as branch site routers; access is provided through a firewalled data path through the core network.
In some cases, console access to the network equipment is needed, and that functionality can be provided using an OOB console server.
Figure 13-7 illustrates the SAFE management network using both IB and OOB networks for carrying control and management plane traffic. The firewall controls the security between the IB and OOB networks.
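One way to check that a device actually follows the practices just described (SSH-only vty access limited by an access-class, SNMPv3 instead of community strings, AAA enabled, and syslog and NTP sourced from the management VLAN interface), as an added example rather than anything from the book or from Cisco Security Manager: a Python audit over a constructed IOS running-config. The interface name Vlan99, the ACL name MGMT-HOSTS and all addresses are assumptions, and the checks are simple line-pattern heuristics, not a full IOS configuration parser.

```python
"""Audit a constructed Cisco IOS running-config for management-plane settings:
SSH-only vty access limited by an access-class, SNMPv3 instead of community
strings, AAA enabled, and syslog/NTP sourced from the management VLAN
interface. Sample configs are made up; the checks are line-pattern heuristics."""
import re

MGMT_IFACE = "Vlan99"   # assumption: management VLAN interface name

# Constructed "before" config with several weak management-plane settings.
WEAK_CONFIG = """\
hostname branch-rtr1
interface Vlan99
 description OOB-MGMT
 ip address 10.99.0.11 255.255.255.0
snmp-server community public RO
logging host 10.99.0.50
ntp server 10.99.0.60
line vty 0 4
 transport input telnet ssh
"""

# Constructed "after" config following the practices described in the text.
HARDENED_CONFIG = """\
hostname branch-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
interface Vlan99
 description OOB-MGMT
 ip address 10.99.0.11 255.255.255.0
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
snmp-server group NETOPS v3 priv
logging source-interface Vlan99
logging host 10.99.0.50
ntp source Vlan99
ntp server 10.99.0.60
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""


def vty_blocks(config):
    """Yield the indented sub-lines of every 'line vty' stanza."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("line vty"):
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break
                body.append(sub.strip())
            yield body


def audit(config, mgmt_iface=MGMT_IFACE):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for body in vty_blocks(config):
        transports = [ln for ln in body if ln.startswith("transport input")]
        if not transports or any(("telnet" in t) or (" all" in t) for t in transports):
            findings.append("vty allows non-SSH transport")
        if not any(ln.startswith("access-class") for ln in body):
            findings.append("vty has no access-class restricting sources")
    if re.search(r"^snmp-server community ", config, re.M):
        findings.append("SNMP community string configured (use SNMPv3)")
    if not re.search(r"^snmp-server group \S+ v3 priv", config, re.M):
        findings.append("no SNMPv3 group with authentication and privacy")
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("AAA not enabled (TACACS/RADIUS login control)")
    if re.search(r"^logging host ", config, re.M) and \
            f"logging source-interface {mgmt_iface}" not in config:
        findings.append("syslog not sourced from management interface")
    if re.search(r"^ntp server ", config, re.M) and \
            f"ntp source {mgmt_iface}" not in config:
        findings.append("NTP not sourced from management interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

The weak config produces seven findings and the hardened one none. A check like this is most useful run against the copies held on the Configuration and Software Archive Host, so drift from the management standard is caught without logging in to every device.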
Chapter 13: Security Solutions
Figure 13-7 SAFE Management Network: In-Band and Out-of-Band (figure; labels shown: Admin VPN, Core Switches, In-Band Mgmt, WAN Edge Routers, Campus Switches, MPLS, Branch Router, Firewalls, Out-of-Band Mgmt, Terminal Server, CSM, System Admin Host, Cisco NAC Manager, NTP Server, Configuration and Software Archive Host, CS-MARS, Cisco ACS)
Integrating Security into Network Devices
It is crucial to integrate security into all network devices throughout your network. Common device types include
■ IOS routers and switches
■ Adaptive Security Appliances (ASA)
■ Intrusion Prevention Systems (IPS)
■ Catalyst 6500 service modules
■ Endpoint security
The following sections discuss device security integration in more detail.
IOS Security
Cisco has developed many security features that are integrated into the IOS base software
or security-specific feature sets. Here are some of the major areas of security focus that
have been included with IOS releases:
■ Cisco IOS firewall is a security-specific option that provides stateful firewall functionality for perimeter IOS routers. Cisco IOS firewall provides effective control of application traffic flowing through the network. Key benefits of IOS firewall include protecting networks from network and application layer attacks, improving uptime, and offering policy enforcement for internal and external connections.
■ Cisco IOS IPS offers inline deep packet inspection to successfully diminish a wide range of network attacks. IOS IPS can identify, classify, and block malicious traffic in real time. IOS IPS operates by loading attack signatures on the router and then matching the attacks based on signatures. Cisco also provides prebuilt signature definition files (SDF) that contain high-fidelity signatures that are selected based on the memory available on the router.
■ Cisco IOS IPsec encrypts data at the IP packet level using a set of standards-based protocols. IPsec provides data authentication, anti-replay protection, and data confidentiality, and is the preferred method of securing VPNs.
■ Cisco IOS Trust and Identity is a set of core technologies that enables network traffic security. Technologies include the following:
  ■ AAA: Framework and mechanisms for controlling device access
  ■ Secure Shell (SSH): Used for encrypted access between applications and routers
  ■ Secure Socket Layer (SSL): Secure web application access
  ■ PKI (Public Key Infrastructure): Strong authentication for e-commerce applications
Table 13-3 describes the Cisco IOS integrated security features.
Table 13-3 Integrated Security for Cisco IOS
Cisco IOS Integrated Security | Description
Cisco IOS firewall | Stateful multiservice application-based filtering
Cisco IOS IPS | Inline deep packet inspection
Cisco IOS IPsec | Data encryption at the packet level
Cisco IOS Trust and Identity | AAA, PKI, SSH, SSL
ISR G2 Security Hardware Options
The Cisco G2 ISRs have additional hardware options that enhance the routers’ security capabilities. Here are some of the available hardware options:
■ Built-In VPN Acceleration is hardware-based encryption that offloads VPN processing from the router’s internal CPU to improve VPN throughput.
■ High-Performance Advanced Integration Module (AIM) is a VPN encryption advanced integration module used to terminate large numbers of VPN tunnels, such as with Dynamic Multipoint VPN (DMVPN). The module supports Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES), which increases the router’s encryption and compression performance.
■ IPS Enhanced Network Module (IPS NME) provides technologies to prevent a large range of security threats using hardware-based intrusion prevention. Cisco IPS NME can identify, classify, and stop unwanted traffic, including spyware, malware, network viruses, and worms. The IPS NME can monitor up to 75 Mbps of traffic and supports T1/E1 and T3 WAN interfaces.
■ Universal serial bus (USB) port and removable credentials: G2 ISRs were designed with onboard USB 1.1 ports enabling security and storage capabilities. The USB ports allow for storing removable credentials for establishing IPsec VPN connections, configuration files, and software images.
■ Secure Voice refers to the digital signal processor (DSP) slots on the ISR for use with packet voice/fax DSP modules (PVDMs). These offer capabilities such as conferencing and transcoding. In addition, Secure Real-time Transport Protocol (SRTP) protects the entire voice payload by encryption, except for the header, which remains in clear text to support QoS.
■ Cisco NAC Network Module adds NAC server (NAS) capabilities to the Cisco 2900 and 3900 series ISR G2s. The Cisco NAC module provides authentication, authorization, evaluation, and remediation for wired and wireless networks before allowing access to the network. The integration of the Cisco NAS capabilities into a network module reduces network complexity and combines data, voice, and security into a single device for the branch office.
Note: For a complete ISR G2 series comparison, go to www.cisco.com/en/US/products/ps10536/prod_series_comparison.html.
Cisco Security Appliances
Cisco security appliances provide robust security services and protection for firewalling,
VPN services, content defenses, intrusion prevention services, and network access control. The following is an overview of Cisco security appliances:
■ Adaptive Security Appliance (ASA): The ASA is a high-performance, multifunc[…]work environments. The services are customized through product editions tailored for firewall, IPS, anti-virus, and VPN. The ASA is a critical component of the Cisco SAFE architecture that provides proactive threat mitigation, controls application data flows, and delivers flexible VPN and IPS services. In addition, the ASA is very cost-effective and easy to manage, and offers advanced integration modules that enhance the processing capabilities.
■ ASAs for VPNs: The Cisco ASAs provide businesses with IPsec and SSL VPN connectivity. ASAs are flexible and offer many deployment scenarios. Although they are commonly used to terminate VPN sessions for remote-access connections, ASAs can also be used to terminate site-to-site tunnels with other ASAs, routers, or even non-Cisco firewalls. The centralized architecture and web-based management ease the administrative burden and consolidate the VPN connectivity for the enterprise.
■ NAC Appliance: The Cisco NAC Appliance supports both wired and wireless environments and can provide posture assessments for both network environments. The Cisco NAC Appliance can integrate with Cisco NAC Guest Server and Cisco NAC Profiler to enhance the NAC implementation.
Intrusion Prevention
The Cisco IPS solution integrates passive intrusion detection, inline prevention services,
and new technologies to increase accuracy and keep legitimate traffic from being affected. The Cisco IPS 4200 series sensors offer significant protection by detecting and
stopping threats from attacking your network. Cisco IPS Sensor Software Version 7.0 supports inline (IPS) capabilities with improved accuracy to stop more threats and reduce the
number of false positives. The IPS appliances support multivector threat identification
through detailed inspection of data flows in Layers 2 through 7. Multivector identification
secures the network from policy violations, vulnerability exploits, and abnormal reconnaissance activities. The following IPS sensors support bandwidth requirements ranging
from 250 Mbps to 4 Gbps:
■ IPS 4240 monitors traffic and provides protection up to 250 Mbps in environments with multiple T3 WAN, gigabit, and fully saturated 10/100 Mbps interfaces. The IPS 4240 has support for multiple 10/100/1000 interfaces. IPS 4240-DC supports DC power and is Network Equipment Building Standards (NEBS) Level 3 compliant.
■ IPS 4255 delivers up to 600 Mbps of performance and can be used to protect partially utilized gigabit-connected subnets.
■ IPS 4260 delivers up to 2 Gbps of performance and can be used on Gigabit subnets with copper or fiber network connections, providing additional flexibility.
■ IPS 4270 delivers up to 4 Gbps of intrusion prevention performance and has fiber and copper interface expansion options for up to 16 interfaces that can be used to monitor and protect multiple network segments.
Catalyst 6500 Service Modules
The Catalyst 6500 switching platform supports additional security services and function[…]bilities of security-related services with the Cisco Catalyst 6500 platform. Many environments now combine many of these service modules together to form what is now referred to as services switches.
Catalyst 6500 security-related service modules include the following:
■ Firewall Services Module (FWSM) is a high-speed firewall module for use in the Cisco Catalyst 6500 and Cisco 7600 series routing platforms. Up to four FWSMs can be installed in a single chassis, providing 5 Gbps of throughput performance per module. For service provider and large enterprise environments, the FWSM supports advanced features such as multiple security contexts for both routed and bridged firewall modes. Running multiple contexts on the same firewall hardware is a technique used to virtualize the FW into multiple firewalls, each with its own configuration and firewall policy.
■ Intrusion Detection Service Module 2 (IDSM2) is an IDS module that is part of the Cisco IPS family that supports both inline (IPS) and passive (IDS) operation. IDSM2 provides up to 500 Mbps of packet inspection capabilities to efficiently monitor and protect your infrastructure.
■ SSL Service Module is an integrated service module for terminating SSL sessions on Cisco Catalyst 6500 series switches or Cisco 7600 series routing platforms. By offloading SSL termination to the SSL module, the load on the web servers’ CPUs is reduced, and they can support more connections, thereby increasing operational efficiency. Up to four SSL modules can be used in a single chassis.
■ IPsec VPN SPA enables cost-effective and scalable VPN services using the Cisco Catalyst 6500 series switches and Cisco 7600 series routing platforms. The module does not have any interfaces, but instead uses the other LAN and WAN interfaces that are available on the chassis. Using the SPA Carrier-400, each slot of the Cisco Catalyst 6500 or Cisco 7600 router can support up to two Cisco IPsec VPN SPAs.
■ WebVPN Services Module is a high-speed integrated SSL VPN Services Module for support of large-scale remote-access VPN deployments. The WebVPN Services Module supports up to 32,000 SSL VPN users, and up to four modules can be used in a single chassis.
■ Network Analysis Module provides packet-capture capabilities and visibility into all the layers of the network data flows. You can analyze application traffic between hosts, networks, and servers. The NAMs support Remote Network Monitoring 2 (RMON2) and mini-RMON features to provide port-level Layer 2 traffic statistics.
■ Traffic Anomaly Detector Module uses behavioral analysis and attack recognition technology to identify attack patterns. It monitors traffic destined for application servers and builds detailed profiles based on the normal operating conditions. If the module detects any abnormal behavior in the per-flow data conversations, it considers this behavior a potential attack and responds based on the configured preference. You can have the module send an operator an alert or launch the Cisco Anomaly Guard Module to begin mitigation services.
■ Anomaly Guard Module provides the attack response by blocking malicious traffic at Gbps line rates. With multiple layers of defense, it can divert only the traffic destined for specific targeted devices, without affecting legitimate traffic.
Endpoint Security
Endpoint security solutions protect server and desktop endpoints from the latest threats
caused by malicious network attacks. Endpoint security solutions can identify and prevent network attacks that are considered unknown or “day-zero”-type threats. Endpoint
security solutions are packed with many features, including firewall capabilities, intrusion
prevention, malicious mobile code protection, operating system integrity assurance, and
audit log consolidation. Cisco Network Admission Control (NAC) enables the network to
enforce security policies on both wired and wireless devices seeking access to the network infrastructure. Cisco NAC protects data and prevents unauthorized network access
by initially confirming a user’s identity before allowing access. Cisco NAC also provides
posture assessment to reduce the risks associated with noncompliant devices by not allowing network access until the device is compliant with the configured policy. Cisco
endpoint security solutions are based on integrations with various third-party vendors
such as Trend, Sophos, and Priveon (Bit9).
Securing the Enterprise
The Cisco SAFE architecture provides the most comprehensive security systems for securing the enterprise network from the threats of today and tomorrow.
Each location in the enterprise network has unique security requirements because concerns are different and vary by location. In most cases, however, customizing network security solutions by functional area offers the best protection for the enterprise network.
The following sections examine some ways to use Cisco security solutions in the campus,
data center, and enterprise edge.
Implementing Security in the Campus
Security for the campus begins with remembering that you need to implement security
throughout your network. Several technologies, protocols, solutions, and devices work together to provide the secure campus. Network security should be implemented in the
core, distribution, and access layers and can be grouped into four broad categories, as described in Table 13-4.
Table 13-4 Security in the Campus
Cisco Security Category | Security Solutions
Identity and access control | 802.1X, NAC, ACLs, and firewalls
Threat detection and mitigation | NetFlow, syslog, SNMP, RMON, CS-MARS, and NIPS
Infrastructure protection | AAA, TACACS, RADIUS, SSH, SNMPv3, IGP/EGP MD5, and Layer 2 security features
Security management | CSM, CS-MARS, and ACS
Figure 13-8 illustrates an enterprise campus security scenario and shows where security
technologies, protocols, and mechanisms can be deployed in the enterprise campus.
Figure 13-8 Enterprise Campus Security (figure; labels shown: Core: CS-MARS, CSM, ACS, NAC, NetFlow, FWSM, Syslog, RMON, ACLs, SNMPv3, MD5; Distribution: NIPS; Access: L2 Security, 802.1X)
Implementing Security in the Data Center
The enterprise data center hosts critical servers and applications for the main campus and the branch offices. Many of the servers require high availability because of the importance of the information and the high volume of users they serve. Several of the servers may contain sensitive information that is crucial to the business and therefore cannot become compromised; such servers need to be highly secured. Network performance is another area that is critically important, which can limit the choice of protection mechanisms and technologies. Here are some of the risks inherent with enterprise data centers:
■ Compromised applications and unauthorized access to critical information
■ Exploiting different servers in the business by launching an attack from the compromised servers
To provide adequate security protection, organizations can implement the network security solutions described in Table 13-5.
Table 13-5 Security in the Data Center
Cisco Security Category | Security Solutions
Identity and access control | 802.1X, ACLs, and firewalls (FWSM)
Threat detection and mitigation | NetFlow, syslog, SNMP, RMON, CS-MARS, and NIPS
Infrastructure protection | AAA, TACACS, RADIUS, SSH, SNMPv3, IGP/EGP MD5, and Layer 2 security features
Security management | CSM, CS-MARS, and ACS
Figure 13-9 illustrates an enterprise data center security scenario and shows where security
technologies, protocols, and mechanisms can be deployed in the enterprise data center.
Implementing Security in the Enterprise Edge and WAN
The enterprise edge and WAN provide connectivity to other parts of your network over
both private and public networks. It is important to consider the available security options
when transferring data between locations and over WAN and Internet transports.
Keep in mind the following potential risk areas when moving data between locations:
■ Attackers obtain access to the network and compromise the confidentiality and integrity of sensitive information through eavesdropping or data manipulation.
■ Misconfiguration of the WAN could result in unwanted connectivity.
To provide adequate security protection between locations, organizations can implement the security solutions described in Table 13-6.
Figure 13-9 Enterprise Data Center Security (figure; labels shown: Core: CS-MARS, CSM, NetFlow, ACS, FWSM, Syslog, RMON, ACLs, SNMPv3, MD5; Distribution: NIPS; Access: 802.1X, L2 Security)
Table 13-6 Security in the Enterprise Edge
Cisco Security Category | Security Solutions
Identity and access control | Firewalls, IPsec, SSL VPN, and ACLs
Threat detection and mitigation | NetFlow, syslog, SNMP, RMON, IDS modules, CS-MARS, and NIPS
Infrastructure protection | AAA, CoPP, TACACS, RADIUS, SSH, SNMPv3, IGP/EGP MD5, RFC 2827 ingress filtering, and Layer 2 security features
Security management | CSM, CS-MARS, and ACS
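The RFC 2827 ingress filtering listed under infrastructure protection for the enterprise edge is a source-address sanity check: traffic arriving on an interface should carry only source addresses that can legitimately originate behind that interface. The Python below is an added example, not the book's or Cisco's code; it classifies constructed flow records on two hypothetical interfaces, dropping RFC 1918 and other non-routable sources and the enterprise's own public prefix when they arrive from the Internet side, and dropping anything from the branch side whose source is not in the branch prefix. Interface names, prefixes and addresses are assumed values (documentation ranges).

```python
"""RFC 2827-style ingress filtering check over constructed flow records.
Interfaces, prefixes and addresses are assumed values for illustration."""
from ipaddress import ip_address, ip_network

# Assumed: source prefixes that may legitimately originate behind each
# inside-facing interface.
INSIDE_PREFIXES = {
    "Gi0/0.branch": [ip_network("10.20.0.0/16")],
}
INTERNET_IFACE = "Gi0/1.internet"                  # assumed Internet-facing interface
ENTERPRISE_PREFIX = ip_network("203.0.113.0/24")   # assumed public range (documentation prefix)

# Sources that must never arrive from the Internet side: RFC 1918 space,
# loopback and the 0.0.0.0/8 block.
NOT_ROUTABLE = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]


def classify(interface, src):
    """Return 'permit' or a 'drop: <reason>' string for a flow with source
    address src arriving on interface."""
    addr = ip_address(src)
    if interface == INTERNET_IFACE:
        if any(addr in net for net in NOT_ROUTABLE):
            return "drop: non-routable source on Internet interface"
        if addr in ENTERPRISE_PREFIX:
            return "drop: our own prefix arriving from the Internet"
        return "permit"
    allowed = INSIDE_PREFIXES.get(interface, [])
    if any(addr in net for net in allowed):
        return "permit"
    return "drop: source not expected behind this interface"


# Constructed NetFlow-like records: (ingress interface, source, destination).
SAMPLE_FLOWS = [
    ("Gi0/0.branch", "10.20.5.7", "203.0.113.10"),       # legitimate branch host
    ("Gi0/0.branch", "198.51.100.4", "203.0.113.10"),    # spoofed source from inside
    ("Gi0/1.internet", "198.51.100.4", "203.0.113.10"),  # ordinary Internet source
    ("Gi0/1.internet", "203.0.113.77", "203.0.113.10"),  # our prefix from outside
    ("Gi0/1.internet", "192.168.1.1", "203.0.113.10"),   # RFC 1918 from outside
]


def filter_flows(flows):
    """Apply classify() to each record; returns (interface, src, verdict) tuples."""
    return [(iface, src, classify(iface, src)) for iface, src, _dst in flows]


def count_drops(flows):
    """Number of records that the ingress filter would drop."""
    return sum(1 for _, _, verdict in filter_flows(flows) if verdict.startswith("drop"))


if __name__ == "__main__":
    for iface, src, verdict in filter_flows(SAMPLE_FLOWS):
        print(f"{iface:16} {src:16} {verdict}")
```

Three of the five constructed flows are dropped. On a router the same policy is expressed as an ingress ACL or unicast RPF on the edge interface; running the check over exported NetFlow records, as here, is a way to find interfaces where that policy is missing.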
Figure 13-10 illustrates the use of enterprise edge and WAN security, and where security
technologies, protocols, and mechanisms can be deployed in the enterprise edge and WAN.
Figure 13-10 Enterprise Edge and WAN Security (figure; labels shown: CS-MARS, CSM, IPS, ACS, FWSM, ACLs, NetFlow, NIPS, Syslog, RMON, SNMPv3, ASA, MD5, NAC, DMZ, IPS, ACLs, Internet)
References and Recommended Readings
The Cisco ASA 5500 as a Superior Firewall Solution, www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_white_paper0900aecd8058ec85.shtml.
Cisco ISR G2 at a Glance, www.cisco.com/en/US/prod/collateral/routers/ps10538/aag_c45_556315.pdf.
Cisco Security Solutions Quick Reference Guide, www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/brochure_c02-518424.pdf.
Cisco SAFE Solution Overview, www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFESolOver.html.
Deploying Firewalls Throughout Your Organization, www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_white_paper0900aecd8057f042.shtml.
Module 6 (Evaluating Security Solutions for the Network), Designing for Cisco Internetwork Solution Course (DESGN) 2.1.
Cisco Security Control Framework (SCF) Model, www.cisco.com/en/US/docs/solutions/Enterprise/Security/CiscoSCF.html.
RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, www.faqs.org/rfcs/rfc2827.html.
IronPort Email Security Appliance, white paper, www.ironport.com/pdf/ironport_email_security_appliance_whitepaper.pdf.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 13-7 lists a reference of these key topics and the page
numbers on which each is found.
Table 13-7 Key Topics
Key Topic Element | Description | Page
Summary | Cisco Security Control Framework | 486
List | Trust and Identity technologies | 486
List | Detecting and mitigating threats | 490
List | Security platform solutions | 495
List | Integrating security into network devices | 497
Table 13-3 | Integrated security for Cisco IOS | 498
List | Cisco security appliances | 499
List | Catalyst 6500 service modules | 500
Table 13-4 | Security in the campus | 502
Table 13-5 | Security in the data center | 504
Table 13-6 | Security in the enterprise edge | 505
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory
Tables Answer Key,” also on the CD, includes completed tables and lists to check
your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the
glossary:
Adaptive Security Appliance (ASA), Integrated Services Router (ISR) G2, Cisco
Catalyst switches, access control lists, firewall, Network Admission Control (NAC),
802.1X, Cisco Identity-Based Network Services (IBNS), Cisco Security Manager
(CSM), Cisco Secure Access Control Server (ACS), Cisco Security Monitoring,
Analysis, and Response System (MARS), Cisco Router and Security Device Manager
(SDM), Cisco Adaptive Security Device Manager (ASDM), Cisco Intrusion Prevention System Device Manager (IDM)
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. What security device combines IOS firewall with VPN and IPS services?
a. ASA
b. ISR
c. Cisco Catalyst switches
d. IPS
2. Which of the following is a standards-based protocol for authenticating network clients?
a. NAC
b. PoE
c. 802.1X
d. CSM
3. Cisco ________ Appliance is an integrated solution led by Cisco that incorporates the network infrastructure and third-party software to impose security policy on attached endpoints.
a. ASA
b. CSM
c. ISR
d. NAC
4. What is an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats? (Select the best answer.)
a. CS-MARS
b. CSA MC
c. ASDM
d. IDM
5. Cisco IOS Trust and Identity has a set of services that include which of the following? (Select all that apply.)
a. 802.1X
b. SSL
c. AAA
d. ASDM
6. Cisco IOS ______________ offers data encryption at the IP packet level using a set of standards-based protocols.
a. IPS
b. IPsec
c. L2TP
d. L2F
7. What provides hardware VPN encryption for terminating a large number of VPN tunnels for ISRs?
a. FWSM
b. IDS Network Module
c. Network Analysis Module
d. High-Performance AIM
8. What are two ways to enhance VPN performance on Cisco ISR G2s?
a. SSL Network Module
b. IDS Network Module
c. Built-In Hardware VPN Acceleration
d. High-Performance AIM
9. Which Cisco security solution can prevent noncompliant devices from accessing the network until they are compliant?
a. CS-MARS
b. IDS module
c. ACS
d. NAC
10. Which of the following service modules do Cisco Catalyst 6500 switches support? (Select all that apply.)
a. FWSM
b. IDSM2
c. IPsec VPN Shared Port Adapter (SPA)
d. ASA
11. What provides attack responses by blocking malicious traffic with Gbps line rates?
a. Network Analysis Module
b. Anomaly Guard Module
c. Content Switch Module
d. Traffic Anomaly Detector Module
12. Which of the following are identity and access control protocols and mechanisms? (Select all that apply.)
a. 802.1X
b. ACLs
c. NAC
d. NetFlow
13. Which two of the following are Cisco security management tools?
a. CS-MARS
b. IDS module
c. ACS
d. NAC
14. True or false: NetFlow is used for threat detection and mitigation.
15. True or false: Cisco ASAs, PIX security appliances, FWSM, and IOS firewall are part of infection containment.
16. What IOS feature offers inline deep packet inspection to successfully diminish a wide range of network attacks?
a. IOS SSH
b. IOS SSL VPN
c. IOS IPsec
d. IOS IPS
17. The Cisco 4200 ___________ sensor appliances can identify, analyze, and block unwanted traffic from flowing on the network.
18. What provides centralized control for administrative access to Cisco devices and security applications?
a. CSM
b. ACS
c. CS-MARS
d. ASDM
19. True or false: IPS 4255 delivers 10000 Mbps of performance and can be used to protect partially utilized gigabit-connected subnets.
20. Match each protocol, mechanism, or feature with its security grouping:
i. CSM
ii. IGP/EGP MD5
iii. NetFlow
iv. NAC
a. Identity and access control
b. Threat detection and mitigation
c. Infrastructure protection
d. Security management
This chapter covers the following subjects:
■ Traditional Voice Architectures
■ Converged Multiservice Networks
■ IPT Design
CHAPTER 14
Voice and Video Design
The designs of enterprise voice networks are migrating from the traditional use of Private
Branch Exchange (PBX) switches to the use of IP telephony architectures such as Cisco
Unified CallManager. Enterprise networks now have to be designed with IP telephony in
mind. This chapter reviews public switched telephone network (PSTN) and PBX voice networks, converged multiservice networks, IP telephony (IPT) design, and quality of service
(QoS) for IPT networks.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 14-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 14-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
Traditional Voice Architectures | 5, 9
Converged Multiservice Networks | 1, 2, 3, 4, 6, 7
IPT Design | 8, 10
1. Which International Telecommunication Union (ITU) standard provides a framework for multimedia protocols for the transport of voice, video, and data over packet-switched networks?
a. Session Initiation Protocol (SIP)
b. Voice over IP (VoIP)
c. H.323
d. Weighted fair queuing (WFQ)
2. What is the default coder-decoder (codec) used with VoIP dial peers?
a. G.711
b. G.723
c. G.728
d. G.729
3. Real-time Transport Protocol (RTP) operates at what layer of the OSI model?
a. Application
b. Session
c. Transport
d. Network
4. Which H.323 protocol is responsible for call setup and signaling?
a. H.245
b. G.711
c. H.225
d. RTCP
5. What unit represents the average number of concurrent voice calls, commonly calculated for the period of 1 hour?
a. Kbps
b. Erlang
c. DS0
d. FXS
6. Which feature does not transmit packets when there is silence?
a. Ear and mouth (E&M)
b. Voice-activity detection (VAD)
c. Dial peers
d. Digital silence suppressor (DSS)
7. What does Compressed Real-time Transport Protocol (cRTP) compress?
a. RTP headers
b. RTP, TCP, and IP headers
c. RTP, User Datagram Protocol (UDP), and IP headers
d. Real-time Transport Control Protocol (RTCP) headers
8. Which QoS mechanism is recommended for VoIP networks?
a. Custom queuing
b. Low-latency queuing (LLQ)
c. Priority queuing
d. Switched-based queuing
9. Where is the local loop located?
a. Between phones and the central office (CO) switch
b. Between two PBXs
c. Between the loopback interfaces of two VoIP routers
d. Between two PSTN switches
10. What is jitter?
a. The echo caused by mismatched impedance
b. The loss of packets in the network
c. The variable delay of received packets
d. The fixed delay of received packets
Foundation Topics
This chapter covers traditional voice architectures, integrated voice design, and QoS in
voice networks. The section “Traditional Voice Architectures” covers the architecture of
time-division multiplexing (TDM) voice networks. It also discusses PSTN technologies
and limitations.
The section “Converged Multiservice Networks” covers IP telephony design for Cisco
Unified Communications. The “IPT Design” section covers QoS mechanisms used in IPT
networks and provides IPT design recommendations.
Traditional Voice Architectures
This section reviews technologies and concepts to help you understand traditional voice
networks.
The PSTN is the global public voice network that provides voice services. The PSTN is a variety of networks and services that are in place worldwide; it provides a circuit-switched service that uses Signaling System 7 (SS7) to control its calls. Central office (CO) switches exchange SS7 messages to place and route voice calls throughout the network. The PSTN uses TDM facilities to multiplex multiple calls onto a single signal. From the CO to the customer premises, the call can be analog, ISDN, or TDM digital. Each call consumes 64 kbps of bandwidth, called digital service zero (DS0).
PBX and PSTN Switches
Traditional switches and PBXs route voice using TDM and analog technology.
The CCDA must understand some of the differences between these devices. The PBX, as
its name states, is used in a private network and uses proprietary protocols. The PBX is located in the enterprise’s data center. Each PBX may scale up to thousands of phones.
Companies deploy PBX networks to obtain enterprise features such as extension dialing,
dialing privilege control, voice mail, transfers, conferencing, and so on. Also, companies
that have multiple large locations with lots of intersite calling can implement tie lines to
reduce long-distance charges. On these types of circuits, there are no toll charges, but
there are fixed costs associated with the circuits, which are provided by network carriers/phone companies.
PBXs are customer-owned voice switches. Enterprise companies install and configure
their own PBXs to provide telephony service, abbreviated or extension dialing, remote-office extensions, voice mail, and private-line routing, among other features. Organizations
can reduce toll charges by using private tie lines between their switches. Calls that are
placed between offices through the private voice network are called on-net. If a user needs
to place a call outside the private network, the call is routed to the local PSTN. If the call
is forwarded to the PSTN, it is called off-net.
Figure 14-1
toll charges by using its private voice network. A separate private network is in place for
data traffic. If a user places a call from San Diego to Los Angeles, it is routed to the PSTN
from the San Diego PBX. Then, toll charges are incurred for the call.
Figure 14-1 PBX Network (figure: PBXs in Chicago, Atlanta, San Diego, and Houston connected by private tie lines, with each site also connected to the PSTN)
Another issue in the design is the limitation on the number of calls per private line. If the
private lines are T1s, they are each limited to carrying 24 concurrent calls at a time. This is
because each call takes 64 kbps of bandwidth with the G.711 codec, and 24 calls times 64
kbps/call equals 1.536 Mbps, the bandwidth of a T1. All of this bandwidth is allocated for
voice calls and cannot be used for data transport.
PSTN switches are not private. They can scale up to tens of thousands of phones and use
open standards because they have to communicate with other switches, PBXs, fax machines, and home telephones. PSTN switches normally are located at the CO of the local
or interexchange carrier.
Local Loop and Trunks
Depending on the dialed digits, a call routes through the local loop, one or more trunks,
and the destination local loop to reach the destination phone. The local loop is the pair of
wires that runs from the CO to the home or business office.
the trunk is connecting. The term tie line is frequently used instead of
dedicated line connecting two telephone switches within a single organization. The following is a list of trunk types:
■ Interoffice trunk connects two CO switches. Also called a PSTN switch trunk.
■ Tandem trunk connects central offices within a geographic area.
■ Toll-connecting trunk connects the CO to the long-distance office.
■ Intertoll trunk connects two long-distance offices.
■ Tie trunk connects two PBXs. Also called a private trunk.
■ PBX-to-CO trunk or CO-to-PBX business line connects the CO switch to the enterprise PBX.
Figure 14-2 shows an example of the PSTN. All phones connect to their local CO via the
local loop. Calls between Phones 1 and 2 and between Phones 4 and 5 go through interoffice trunks. Calls between Phones 2 and 3 go through tandem trunks within a region.
When you place calls between Texas and Massachusetts, they are forwarded to the long-distance toll provider via a toll-connecting trunk and are routed through intertoll trunks.
Figure 14-2 Local Loops and Trunks (figure: Phone 1 and Phone 2 in Houston, TX, and Phone 3 in Pearland, TX, each on a local loop to a CO; Phone 4 and Phone 5 in Boston, MA; interoffice trunks and tandem trunks between COs, toll-connecting trunks to the toll offices, and an intertoll trunk between toll providers such as AT&T, Verizon, or Sprint)
Ports
Key Topic
You can use several ports to connect to voice end stations (phones) and private voice
switches:
■ Foreign Exchange Station (FXS)
endpoint device such as traditional telephones or fax machines. It provides line
power, dial tone, and ring voltage.
■ Foreign Exchange Office (FXO) allows a switch such as a PBX to use a standard analog connection (FXS) from the PSTN or from another switch. In this case the PBX is
emulating an endpoint device. Because this is a standard endpoint connection, it uses a
two-wire connection just like a standard phone and often uses an RJ-11 connector
interface.
■ Ear and Mouth (E&M) connects private switches. It is an analog trunk used to connect to a voice switch; it supports tie-line facilities or signaling between phone
switches. E&M can use two-wire or four-wire connections. E&M is also called
Earth and Magnet.
■ Channelized T1 (or E1) circuits can be used to connect a PBX and the PSTN or two
PBXs. These circuits can be provisioned in two different formats:
■ Channel Associated Signaling (CAS) circuits provide 24 (for T1) or 32 (for E1)
channels (1 per DS0). CAS circuits get their name from the fact that switch-to-switch
signaling (dialed digits, caller ID, and so on) occurs in band on each
individual channel with the voice traffic. Each DS0 channel is fixed at 64 kbps,
so this type of signaling takes a small number of bits away from the voice transmission to carry signaling data. Because of this, CAS is also known as robbed-bit
signaling.
■ Common Channel Signaling (CCS) circuits also use T1/E1 circuits. However,
unlike CAS circuits, CCS circuits set aside one channel specifically for carrying
signaling information for all of the other channels. This architecture allows for
CCS circuits to provide a more robust feature set between switches. ISDN PRI
uses CCS signaling and is the preferred connection type for PSTN-to-PBX or
PBX-to-PBX connections. CCS support is not always available, and therefore CAS
circuits are still widely used.
Major Analog and Digital Signaling Types
Signaling is needed to provide the state of telephones, digit dialing, and other information.
For a call to be placed, managed, and closed, all of the following signaling categories have
to occur:
■ Supervisory provides call control and phone state (on-hook and off-hook).
■ Addressing provides dialed digits.
■ Informational provides information such as dial and busy tones and progress indicators.
These different signaling categories are provided by analog and digital circuit types.
The signaling type depends on the type of connection. The major areas are
■ Loop start (CO to phone) is an analog signaling type commonly found in residential
applications. The circuit is “started” when the loop is closed (connected), completing
the circuit.
■
start. Ground start allows for signaling between switches that allows one switch to
signal to the other that it is about to go off-hook by “grounding” the line. This helps
prevent both sides from trying to seize access at the same time (called glare).
■ E&M (PBX to PBX) is another analog switch-to-switch (PSTN-to-PBX or PBX-to-PBX) signaling type that provides additional signaling capability and can be a two-wire or four-wire implementation.
■ CAS T1/E1 circuits get their name from the fact that switch-to-switch signaling (dialed digits, caller ID, and so on) occurs in band on each individual channel with
the voice traffic.
■ CCS ISDN PRI circuits set aside one channel specifically for carrying signaling information for all the other channels.
■ Q Signaling (Q.SIG).
■ SS7 interswitch PSTN signaling.
Loop-Start Signaling
Loop-start signaling is an analog signaling technique used to indicate on-hook and off-hook conditions in the network. It is commonly used between the telephone set and the
CO, PBX, or FXS module. As shown in Figure 14-3, with loop start, the local loop is open
when the phone is on-hook. When the phone is taken off-hook, a –48 direct current (DC)
voltage loops from the CO through the phone and back. Loop-start signaling is used for
residential lines.
Figure 14-3 Loop-Start Signaling (figure: a telephone and a CO or FXS module joined by tip and ring lines, with the –48 DC battery and ring generator on the CO side; on-hook is shown as an open loop and off-hook as a closed loop)
Ground-Start Signaling
Ground-start signaling is an analog signaling technique used to indicate on-hook and off-
difference between ground start and loop start is that ground start requires the closing of
the loop at both locations. Ground start is commonly used by PBXs.
The standard way to transport voice between two telephone sets is to use tip and ring lines.
Tip and ring lines are the twisted pair of wires that connect to your phone via an RJ-11 connector. As shown in Figure 14-4, the CO switch grounds the tip line. The PBX detects that
the tip line is grounded and closes the loop by removing ground from the ring line.
Figure 14-4 Ground-Start Signaling (figure: a PBX and a CO or FXS module joined by tip and ring lines, with the –48 DC battery, ring generator, and tip-ground detector; first the loop is open, then the CO grounds the tip line, then the PBX closes the loop and removes the ring ground)
E&M Signaling
E&M is an analog signaling technique often used in PBX-to-PBX tie lines. E&M stands for receive
and transmit, more commonly called Ear and Mouth. Cisco routers support four E&M
signal types: Type I, Type II, Type III, and Type V. Types I and II are most popular in the
Americas. Type V is common outside North America.
There are also three forms of E&M dial supervision signaling to seize the E&M trunk:
■ Immediate start: This is the most basic protocol. In this technique, the originating
switch goes off-hook, waits for a finite period of time (for example, 200 ms), and then
sends the dial digits without regard for the far end.
■ Wink start:
(which is interpreted as an indication to proceed), and then sends the dial digits.
■ Delay dial: In this technique, the originating side goes off-hook, waits for about 200
ms, and then checks whether the far end is on-hook. If the far end is on-hook, it outputs dial digits. If the far end is off-hook, it waits until it goes on-hook and then outputs dial digits.
CAS and CCS Signaling
Key Topic
Digital signaling has two major forms: Channel Associated Signaling (CAS) and Common
Channel Signaling (CCS). The major difference is that with CAS the signaling is included in
the same channel as the voice call. With CCS, the signaling is provided in a separate channel. Table 14-2 shows the common types of CAS and CCS. They are covered in the following sections.
Table 14-2 Common CAS and CCS Signaling Types

Signaling    Signaling/Circuit Type
CAS          T1 or E1 signaling
CCS          ISDN PRI or BRI, QSIG, SS7
T1/E1 CAS
Digital T1 CAS uses selected bits within each channel to transmit signaling
information. CAS is also called robbed-bit signaling or in-band signaling in the T1
implementation. Robbed-bit CAS works with digital voice because losing an occasional
voice sample does not affect the voice quality. The disadvantage of robbed-bit CAS is that
it cannot be used on channels that might carry voice or data without reducing the data
rate to 56 kbps to ensure that signaling changes do not damage the data stream. Because
of the implementation of signaling via a limited number of bits, CAS signaling is limited in
signaling feature support.
E1 CAS uses a separate channel in the shared medium for CAS, so it does not have this
disadvantage. The E1 signaling bits are channel associated, but they are not in-band.
CCS
CCS circuits set aside one channel specifically for carrying signaling information
for all the other channels. This architecture allows for CCS circuits to provide a more
robust feature set between switches. ISDN PRI uses CCS signaling and is the preferred
connection type for PSTN-to-PBX or PBX-to-PBX connections.
ISDN PRI/BRI
ISDN T1 PRI provides 23 64-kbps B (bearer) channels for voice, with a
separate 64-kbps D (data signaling) channel for signaling. The ISDN E1 PRI provides 30 B
channels. The use of messages in a separate channel, rather than preassigned bits, is also
called Common Channel Signaling. ISDN provides the advantage of not changing bits in
the channels and thus is useful for data traffic in addition to voice traffic.
The ISDN BRI interface includes two 64-kbps B channels for voice or data and a separate
16-kbps D channel that provides signaling for the interface.
Q.SIG
Q.SIG is the preferred signaling protocol used between PBX switches. It is a
services. It is feature transparent between PBXs. It is interoperable with public and private
ISDN networks and imposes no restrictions on private dial plans. QSIG is also used
between Cisco Unified Communications Manager (CUCM) and enterprise PBXs in hybrid
implementations. It is also used on Cisco IOS voice gateways for PBX integration.
SS7
SS7 is a global ITU standard for telecommunications control that allows voice-network calls to be routed and controlled by call control centers. SS7 is used between
PSTN switches. SS7 implements call setup, routing, and control, ensuring that
intermediate and far-end switches are available when a call is placed. With SS7, telephone
companies can implement modern consumer telephone services such as caller ID, toll-free
numbers, call forwarding, and so on.
SS7 provides mechanisms for exchanging control, status, and routing messages on public
telephone networks. SS7 messages pass over a channel separate from the one used for voice
communication. SS7 is a CCS technology. CCS7 controls call signaling, routing, and connections between CO, interexchange carrier, and competitive local-exchange carrier
switches. Figure 14-5 shows the connectivity between SS7 components.
Figure 14-5 SS7 Signaling Components (figure: SSPs joined to STPs by access links, STP mated pairs joined by cross links, STP pairs interconnected by bridge links, and SCPs reached over access links)
As shown in Figure 14-5, SS7 has the following system components:
■ Signaling Control Point (SCP): Databases that provide the necessary information
for special call processing and routing, including 800 and 900 call services, credit
card calls, local number portability, cellular roaming services, and advanced call center applications.
■ Signaling Transfer Point (STP): Receives and routes incoming signaling messages
toward their destinations. STPs are deployed in mated pairs and share the traffic between them.
■ Signaling Switching Point (SSP):
and signaling links. Each SSP is connected to both STPs in a mated pair.
Addressing Digit Signaling
There are two methods for submitting analog address digits to place a call:
■
Pulse or rotary dialing
■
Dual-tone multifrequency (DTMF) dialing
Pulse dialing uses the opening and closing of a switch at the telephone set. A rotary register at the CO detects the opening and closing of the loop. When the number 5 is dialed on
a rotary phone, the dial mechanism opens and closes five times, each one-tenth of a second apart.
DTMF uses two tones simultaneously to indicate the dialed number. Table 14-3 shows the
phone keypad and the frequencies used. For example, when the number 5 is dialed, the
frequencies 770 Hz and 1336 Hz are sent to the CO.
Table 14-3 DTMF Frequencies

Frequency    1209 Hz    1336 Hz    1477 Hz
697 Hz       1          2 ABC      3 DEF
770 Hz       4 GHI      5 JKL      6 MNO
852 Hz       7 PRS      8 TUV      9 WXY
941 Hz       *          0 OPER     #
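The keypad mapping in Table 14-3 and the two-tone detection it implies, as an added Python example that is not code from the guide: the encoder looks up the row and column tone pair for a key, and the detector recovers the key from audio samples with the Goertzel algorithm, rejecting silence and lone tones. The 8 kHz sample rate, the 205-sample analysis window, and the synthesized test signals are assumptions.

```python
"""DTMF keypad encoder and tone detector for the frequencies in Table 14-3.
Added example, not code from the CCDA guide. The 8 kHz sample rate and the
205-sample analysis window are assumptions (a common telephony choice); the
signals are synthesized here rather than captured from a line."""

import math
from typing import List, Optional, Tuple

LOW_TONES = (697, 770, 852, 941)     # row frequencies in Hz (Table 14-3)
HIGH_TONES = (1209, 1336, 1477)      # column frequencies in Hz (Table 14-3)
KEYPAD = (("1", "2", "3"),
          ("4", "5", "6"),
          ("7", "8", "9"),
          ("*", "0", "#"))
SAMPLE_RATE = 8000   # assumed: narrowband telephony sampling rate
WINDOW = 205         # assumed: analysis window in samples (about 25.6 ms)


def key_to_tones(key: str) -> Tuple[int, int]:
    """Map a keypad symbol to its (low, high) tone pair, e.g. "5" -> (770, 1336)."""
    for r, row in enumerate(KEYPAD):
        for c, symbol in enumerate(row):
            if symbol == key:
                return LOW_TONES[r], HIGH_TONES[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def tone(freq: float, n: int = WINDOW, amplitude: float = 0.5) -> List[float]:
    """Constructed test signal: one sine tone as float samples."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def synthesize(key: str, n: int = WINDOW) -> List[float]:
    """Constructed test signal: the two tones of `key`, summed."""
    low, high = key_to_tones(key)
    return [a + b for a, b in zip(tone(low, n), tone(high, n))]


def synthesize_sequence(keys: str) -> List[float]:
    """Dial a string of keys: each tone burst followed by an interdigit silence."""
    signal: List[float] = []
    for key in keys:
        signal += synthesize(key) + [0.0] * WINDOW
    return signal


def goertzel_power(samples: List[float], freq: float) -> float:
    """Energy of `samples` at `freq` (squared DTFT magnitude) via the Goertzel recursion.

    Cheaper than a full FFT when only the eight DTMF frequencies matter.
    """
    omega = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(omega)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect(samples: List[float], min_ratio: float = 0.2) -> Optional[str]:
    """Return the key whose tone pair dominates `samples`, or None.

    A valid key needs one strong tone from each group. Requiring the weaker of
    the two to hold at least `min_ratio` of the stronger one's energy rejects
    silence and lone tones instead of misreading them as a key.
    """
    low_p = [goertzel_power(samples, f) for f in LOW_TONES]
    high_p = [goertzel_power(samples, f) for f in HIGH_TONES]
    r = max(range(len(LOW_TONES)), key=low_p.__getitem__)
    c = max(range(len(HIGH_TONES)), key=high_p.__getitem__)
    strong, weak = max(low_p[r], high_p[c]), min(low_p[r], high_p[c])
    if strong <= 0.0 or weak < min_ratio * strong:
        return None
    return KEYPAD[r][c]


def decode_digits(signal: List[float], window: int = WINDOW) -> str:
    """Walk a longer signal window by window and return the keys dialed, in order.

    A key held across consecutive windows counts once; a silent window between
    two bursts of the same key separates them, so "00" still decodes as two keys.
    """
    keys, last = [], None
    for start in range(0, len(signal) - window + 1, window):
        key = detect(signal[start:start + window])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


if __name__ == "__main__":
    print("5 ->", key_to_tones("5"))                       # (770, 1336), as in the text
    print("dialed:", decode_digits(synthesize_sequence("7810300")))
    print("single 770 Hz tone ->", detect(tone(770)))      # None: no high-group tone
```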
PSTN Numbering Plan
The PSTN uses the ITU E.164 standard for public network addressing. The E.164 standard
uses a maximum of 15 digits and makes each phone unique in the PSTN. Examples of
E.164 addresses are the residential, business, IP phones, and cell phones that you use
every day. Each country is assigned a country code to identify it. The country codes can
be one to three digits in length. Table 14-4 shows some examples of country codes.
Table 14-4 E.164 Country Codes

Country Code    Country
1               United States, Canada
1-787, 1-939    Puerto Rico
55              Brazil
39              Italy
86              China
20              Egypt
91              India
49              Germany
380             Ukraine
44              United Kingdom
81              Japan
52              Mexico
966             Saudi Arabia

The ITU website that lists country codes is located at www.itu.int/itudoc/itu-t/ob-lists/icc/e164_763.html.
Each country divides its network into area codes that identify a geographic region or city.
The United States uses the North American Numbering Plan (NANP). NANP has the address format of NXX-NXX-XXXX, where N is any number from 2 to 9 and X is any
number from 0 to 9. The first three digits are the area code. The address is further divided
into the office code (also known as prefix) and line number. The prefix is three digits, and
the line number is four digits. The line number identifies the phone.
An example of a PSTN address in the United States is 1-713-781-0300. The 1 identifies the
United States; the 713 identifies an area code in the Houston, Texas, geographical region.
The 781 identifies a CO in west Houston. The 0300 identifies the phone.
Another example of a PSTN address is 52-55-8452-1110. The country code 52 identifies
the country of Mexico. The area code 55 identifies the geographic area of Mexico City.
The office code 8452 and line number 1110 follow.
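A parser for the addressing rules just described, as an added Python example that is not code from the guide: it applies the 15-digit E.164 limit, matches the one- to three-digit country code against the subset of codes in Table 14-4, and for country code 1 splits and validates the NANP NXX-NXX-XXXX format. The country-code table is only the subset the chapter shows, and the accepted input separators are an assumption.

```python
"""E.164 / NANP number parser built from the rules in the text: E.164 numbers
have at most 15 digits, country codes are 1 to 3 digits, and NANP numbers
follow NXX-NXX-XXXX (N = 2-9, X = 0-9). Added example, not code from the
CCDA guide; COUNTRY_CODES is only the subset listed in Table 14-4."""

import re
from typing import Dict

# Subset of Table 14-4. Country codes are prefix-free, so scanning 1-, 2-,
# then 3-digit prefixes finds the only possible match. 787 and 939 (Puerto
# Rico) are area codes under country code 1, not codes of their own.
COUNTRY_CODES: Dict[str, str] = {
    "1": "United States, Canada", "20": "Egypt", "39": "Italy",
    "44": "United Kingdom", "49": "Germany", "52": "Mexico", "55": "Brazil",
    "81": "Japan", "86": "China", "91": "India", "380": "Ukraine",
    "966": "Saudi Arabia",
}

# NANP: area code, office code (prefix), line number
NANP_RE = re.compile(r"^([2-9][0-9]{2})([2-9][0-9]{2})([0-9]{4})$")


def parse_e164(number: str) -> Dict[str, str]:
    """Split an E.164 number into country code and national number.

    Accepts a leading "+", hyphens and spaces (assumed input formats). For
    country code 1 the national number is also split and checked as NANP.
    """
    digits = re.sub(r"[^0-9]", "", number)
    if not digits or len(digits) > 15:
        raise ValueError("E.164 numbers have 1 to 15 digits")
    for length in (1, 2, 3):
        code = digits[:length]
        if code in COUNTRY_CODES:
            break
    else:
        raise ValueError(f"unknown country code in {number!r}")
    national = digits[length:]
    result = {"country_code": code, "country": COUNTRY_CODES[code],
              "national_number": national}
    if code == "1":
        m = NANP_RE.match(national)
        if m is None:
            raise ValueError(f"{national!r} is not a valid NANP number")
        result["area_code"], result["office_code"], result["line_number"] = m.groups()
    return result


def is_valid(number: str) -> bool:
    """Accept/reject form of parse_e164 for callers that only need a check."""
    try:
        parse_e164(number)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two addresses worked in the text
    print(parse_e164("1-713-781-0300"))
    print(parse_e164("52-55-8452-1110"))
    print(is_valid("1-113-781-0300"))   # False: NANP area codes start with 2-9
```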
Other PSTN Services
The PSTN provides a suite of services in addition to call setup and routing:
■ Centrex
■ Voice mail
■ Database services
■ Interactive voice response (IVR)
■ Automatic call distribution (ACD)
Centrex Services
Companies can use the local phone company to handle all their internal and external calls
from the CO. In this voice model, the CO acts as the company’s voice switch, with PBX
features such as four-digit extension dialing, voice mail, and call holds and transfers. The
Centrex service gives the company the appearance of having its own PBX network.
Voice Mail
PSTN service providers can enable voice messaging for customers that request the service.
Voice mail provides automated call answering and message recording. Users can then retrieve the message and forward it to other extensions.
Database Services
The PSTN must keep call detail records (CDR) in the database systems. CDR information
includes all types of call information, such as called party, caller, time, duration, locations,
and user service plans. This information is used for billing and reporting.
IVR
IVR systems connect incoming calls to an audio playback system. IVR queues the calls,
provides prerecorded announcements, prompts the caller for key options, provides the
caller with information, and transfers the call to another switch extension or agent. IVR is
used in customer call centers run by companies in all industries to gather and provide information to the customers before transferring them to agents.
ACD
ACD routes calls to a group of agents. ACD keeps statistics on each agent, such as the
number of calls and their duration. Based on the statistics, the ACD system then can
evenly distribute the calls to the agents or to the appropriate agent skill group. ACD is
used by airline reservation systems, customer service departments, and other call centers.
Voice Engineering Terminology
Key Topic
You must consider voice traffic requirements when designing a network. The CCDA must
be familiar with the following voice engineering terms.
Grade of Service
Grade of service (GoS) is the probability that a call will be blocked by a voice gateway
when attempting to seize a circuit during the busiest hour. If it is determined that a network has a P.02 GoS, the probability is that 2 percent of all attempted calls will be
blocked. A P.01 GoS indicates a 1 percent probability of callers being blocked.
Erlangs
An Erlang is a theoretical unit of measurement used to define the trunking (voice path)
utilization in a voice application or environment. Erlangs values are used in Erlang formu-
aggregate trunk usage for a system and do not apply to any specific trunk or call. The
hour used for the Erlang calculation should be the busiest hour (peak hour) in the day.
If a group of users makes/receives 20 calls in the average busiest hour and each call lasts
an average of 10 minutes, the Erlangs are calculated as follows:
20 calls per hour * 10 minutes per call = 200 minutes per hour
Traffic volume = (200 minutes per hour) / (60 minutes per hour) = 3.33 Erlangs
The name Erlang came from the inventor, Agner Krarup Erlang, a Danish telecom engineer
and mathematician who defined many formulas still used today in the design of voice systems. The most commonly used formulas are known as Erlang B, Extended Erlang B, and
Erlang C.
There are three common Erlang models:
■ Erlang B is a formula that estimates the amount of trunking capacity required given an
Erlang value (busy-hour traffic) and a desired Grade of Service (also known as blocking percentage). It is the most common model used. Extending the previous example,
3.33 Erlangs (BHT) and a GoS of 1 percent results in an Erlang B value of nine trunks
required. An Erlang B calculator can be found at www.erlang.com/calculator/erlb/.
■ Extended Erlang B adds a “retry” percentage to the Erlang B model. It assumes that
some blocked or failed calls will be reattempted, and therefore additional load is added.
■ Erlang C queues excess calls instead of blocking them. This model is used to calculate the number of agents required in a call center environment. It is based on measurements of handling time, expected call volumes, and the amount of time a caller
spends with an agent. This model is used in call centers where calls are queued for
service.
Centum Call Second
A call second is equivalent to a single call lasting 1 second. A Centum call second (CCS)
represents one call occupying a channel for 100 seconds. It is the equivalent of 1/36th of
an Erlang. In other words, 36 CCS equals 1 Erlang (3600 seconds). The typical range is
around 6 to 12 CCS per port.
Busy Hour
The busy hour is the specific hour within a 24-hour period in which the highest traffic
load occurs. Most calls are placed and are of longer durations during this hour. It is also
called peak hour.
Busy-Hour Traffic
Busy-hour traffic (BHT) is the amount of voice traffic that occurs in the busy hour, expressed in Erlangs. It is calculated by multiplying the average call duration by the number
of calls in the hour and then dividing that by 3600.
For example, if 300 calls occurred during the busy hour, with an average duration of 150
seconds, the BHT is calculated as follows:
BHT = (150 seconds * 300 calls per hour) / (3600 seconds per hour)
BHT = 12.5 Erlangs
Blocking Probability
In voice environments, it is nearly impossible or at least cost-ineffective to provision capacity so that no calls are ever blocked. Therefore, planning for a target GoS is an important aspect in voice networks. The term blocking refers to those calls that cannot be
completed due to capacity constraints, usually during peak periods or call spikes.
The blocking probability is the probability that a call will be blocked. Blocking probability
is described as a percentage of calls. For example, a blocking probability of 0.02 means
that 2 percent of the calls will be blocked, or 20 per every 1000 calls.
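The Erlang, CCS, busy-hour traffic, and blocking-probability calculations above, carried through in code as an added Python example that is not from the guide: it computes BHT from a call profile, converts to CCS, evaluates the Erlang B blocking probability, and sizes the trunk group for a target GoS, reproducing the 3.33 Erlang / nine-trunk and 12.5 Erlang figures from the text. The call counts and durations are the ones used in the text; the recursion used for Erlang B is an assumption about method, not the guide's.

```python
"""Erlang traffic engineering: busy-hour traffic, CCS conversion, Erlang B
blocking probability and trunk sizing for a target grade of service (GoS).
Added example, not code from the CCDA guide. The call counts and durations
below are the worked figures from the text."""


def busy_hour_traffic(calls_per_hour: float, avg_call_seconds: float) -> float:
    """Busy-hour traffic (BHT) in Erlangs: call-seconds in the busy hour / 3600."""
    if calls_per_hour < 0 or avg_call_seconds < 0:
        raise ValueError("call count and duration must be non-negative")
    return calls_per_hour * avg_call_seconds / 3600.0


def erlangs_to_ccs(erlangs: float) -> float:
    """A centum call second (CCS) is 100 call-seconds, so 1 Erlang (3600 s) = 36 CCS."""
    return erlangs * 36.0


def erlang_b(traffic_erlangs: float, trunks: int) -> float:
    """Erlang B blocking probability for `trunks` circuits offered `traffic_erlangs`.

    Closed form:  B(A, m) = (A^m / m!) / sum_{k=0..m} (A^k / k!)
    Computed here with the equivalent recursion (assumed method, not the guide's)
        B(A, 0) = 1
        B(A, m) = A * B(A, m-1) / (m + A * B(A, m-1))
    which avoids the large factorials of the closed form.
    """
    if traffic_erlangs < 0 or trunks < 0:
        raise ValueError("traffic and trunk count must be non-negative")
    b = 1.0
    for m in range(1, trunks + 1):
        b = traffic_erlangs * b / (m + traffic_erlangs * b)
    return b


def trunks_for_gos(traffic_erlangs: float, gos: float, max_trunks: int = 10_000) -> int:
    """Smallest trunk count whose Erlang B blocking probability is <= `gos`.

    `gos` is the blocking probability as a fraction: P.01 -> 0.01, P.02 -> 0.02.
    """
    if not 0.0 < gos < 1.0:
        raise ValueError("gos must be a fraction strictly between 0 and 1")
    for n in range(max_trunks + 1):
        if erlang_b(traffic_erlangs, n) <= gos:
            return n
    raise ValueError(f"more than {max_trunks} trunks needed")


def trunk_plan(calls_per_hour: float, avg_call_seconds: float, gos: float) -> dict:
    """Full sizing step: BHT from the call profile, then trunks for the target GoS."""
    bht = busy_hour_traffic(calls_per_hour, avg_call_seconds)
    trunks = trunks_for_gos(bht, gos)
    return {
        "bht_erlangs": bht,
        "bht_ccs": erlangs_to_ccs(bht),
        "trunks": trunks,
        "blocking": erlang_b(bht, trunks),
    }


if __name__ == "__main__":
    # Text example 1: 20 calls in the busy hour, 10 minutes each -> 3.33 Erlangs,
    # which the Erlang B model sizes at 9 trunks for a P.01 grade of service.
    plan = trunk_plan(20, 10 * 60, 0.01)
    print(f"BHT {plan['bht_erlangs']:.2f} E ({plan['bht_ccs']:.0f} CCS), "
          f"{plan['trunks']} trunks, blocking {plan['blocking']:.4f}")
    # One trunk fewer misses the 1 percent target, which is why the answer is 9.
    print(f"8 trunks: blocking {erlang_b(plan['bht_erlangs'], 8):.4f}")
    # Text example 2: 300 calls of 150 seconds -> 12.5 Erlangs.
    print(f"BHT {busy_hour_traffic(300, 150):.1f} E")
```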
Call Detail Records
Call detail records include statistical and other information related to all calls placed. Information included in CDRs includes call time, call duration, source phone number, dialed
(destination) phone number, and the amount billed. For VoIP networks, the CDR may also
include source and destination IP addresses.
Converged Multiservice Networks
The introduction of packetized voice technology allows the convergence of data and voice
networks. This lets companies save toll charges on voice telephone calls. It also reduces
companies’ total cost of ownership by not having to build and operate separate networks
for voice, video, and data. Figure 14-6 shows an example of a Cisco Unified Communications network. The network provides a resilient and redundant foundation with QoS enabled to support the voice and video streams and Unified Communication applications.
Call admission control is a QoS mechanism for identifying capacity issues as part of the
call routing process. Call processing is the term used to define the logical operations of a
phone system.
The dial plan is used to define call routing (the physical/network paths that voice calls can
take to connect two endpoints). It is responsible for defining what gateways, phone circuits, PSTN providers, or network paths should be taken to connect a call end to end
based on goals such as cost, reliability, utilization, and redundancy.
Packetized voice systems allow for applications and services including voice mail and email
combinations (unified messaging), multiparty calls (conferencing), integration of a user’s
availability status (presence), mobility, call centers, and collaboration applications such as
integrated instant messaging, web meetings, and other rich communication applications.
Figure 14-6 Cisco Unified Network (figure layers: Operations & Serviceability with user and device provisioning, voice quality monitoring and alerting, operations and fault monitoring, and network and application probing; Applications & Services with voice messaging, presence services, rich media conferencing, mobility, contact center, and collaboration clients; Call Control with LDAP and directory services, media resources, MoH, Unified CUCM applications, call routing, device mobility, call processing, dial plan and call admission control, and video telephony; PSTN & IP Gateways with PSTN services and remote site survivability; IP Network with access switches, wireless, distribution and core switching, WAN routers, firewall security, quality of service, and IP WAN and Internet access)
In multiservice networks, digitized (coded) voice is packaged into packets, cells, or
frames; sent as data throughout the networks; and converted back to analog voice. The underlying protocols used for these converged services are
■ Voice over Frame Relay (VoFR)
■ Voice over Asynchronous Transfer Mode (VoATM)
■ Voice over Internet Protocol (VoIP)
Initially, VoFR and VoATM were used but lost ground to VoIP solutions. VoFR and
VoATM are no longer exam topics for the CCDA and are not covered further. VoIP is also
referred to as IP telephony (IPT) when it is integrated with IP-based signaling and call control. Most new phone system deployments are IPT systems.
VoIP
VoIP provides transport of voice over the IP protocol family. IP makes voice globally
available regardless of the data-link protocol in use (Ethernet, ATM, Frame Relay). With
VoIP, enterprises do not have to build separate voice and data networks. Integrating voice
and data into a single converged network eliminates duplicate infrastructure, management,
and costs.
Figure 14-7 shows a company that has separate voice and data networks. Phones connect
to local PBXs, and the PBXs are connected using TDM trunks. Off-net calls are routed to
the PSTN. The data network uses LAN switches connected to WAN routers. The WAN
for data uses Frame Relay. Separate operations and management systems are required for
these networks. Each system has its corresponding monthly WAN charges and personnel,
resulting in additional costs. With separate voice and data networks,
■ Data is primary traffic on many voice service provider networks.
■ Companies want to reduce WAN costs.
■ PSTN architecture is not flexible enough to accommodate data.
■ PSTN cannot integrate voice, data, and video.
Figure 14-7 Separate Voice and Data Networks (figure: Atlanta, San Diego, and Houston sites, with an MPLS data network and PSTN connectivity shown separately)
With IP telephony, you can reduce the number of systems, circuits, and support personnel. Figure 14-8 shows a converged IP telephony network that employs Ethernet-based
phones with server-based call processing and integrated service gateway routers. Survivable Remote Site Telephony (SRST) is used for failover or backup call processing if WAN
failure occurs. On-net calls travel through the Frame Relay network, and off-net calls are
forwarded to the PSTN. The PSTN link is also used if voice overflow or congestion occurs
on the WAN network. Calls are then routed to the PSTN.
IPT Components
Key Topic
The Cisco IPT architecture divides voice system architectures into four major VoIP components, as shown in Figure 14-9:
■ Client endpoints
■ Call processing
■ Service applications
■ Voice-enabled infrastructure
Figure 14-8 Converged VoIP Network (figure: Atlanta with a CUCM cluster, San Diego, and Houston, each with a voice gateway router, connected over an MPLS WAN and to the PSTN)
Figure 14-9 Cisco IPT Functional Areas (figure: Client Endpoints with IP phones, DSP farm, and gateway; Call Processing with Cisco CallManager; Service Applications with auto-attendant/IVR, voice/unified messaging, and call/contact center; Voice Enabled Infrastructure with QoS-enabled L2 switch, QoS-enabled L3 switch, and router)
Client endpoints include the IP phones, analog and digital gateways, digital signal processor (DSP) farms, and software applications. Included here is Cisco’s IP Communicator,
which is the software-based IP phone that runs on a PC or laptop. Gateways are transitional devices that bridge two different systems and connection types. They can provide
connections between VoIP/IPT systems and analog or digital circuits. This allows
VoIP/IPT systems to integrate with the PSTN, PBXs, and analog endpoints.
The Cisco Unified Communications Manager (CUCM) fulfills the role of call processing.
The CUCM servers are the “brains” of the voice dial plan and are used to establish IPT
calls between IP phones. CUCM provides a scalable and distributable VoIP call processing solution and performs functions similar to those of traditional PBXs on older voice networks.
Service applications include IVR, Auto Attendant, and Unified Messaging (voice mail).
Cisco IP Contact Center (IPCC) is used for enterprise call center applications. In addition,
a standards-based Telephony Application Programming Interface (TAPI) allows third-party
companies to develop applications for CUCM.
The voice-enabled infrastructure provides services to support IPT voice, including Power
over Ethernet (PoE) and QoS. PoE allows a switch to detect a phone and provide it with
power so that power does not have to be provided everywhere that phones are present.
With this model, backup/redundant power can be provided from a centralized location. In
addition, when a switch detects a phone, it can put that phone in a separate VLAN from
other endpoints and allow QoS signaling from the phones. LAN switches and WAN
routers work together to provide queuing of data and end-to-end prioritization of VoIP
over other types of network traffic during times of congestion.
Table 14-5 summarizes the IPT functional areas.
Table 14-5 IPT Functional Areas

IPT Functional Area            Description
Service applications           Unity, IVR, TAPI interface
Call processing                Cisco CUCM
Client endpoints               IP phones, digital and analog gateways
Voice-enabled infrastructure   Layer 2 and Layer 3 switches and routers
Design Goals of IP Telephony
Key Topic
The overall goal of IP telephony is to replace the traditional, highly complex, expensive,
and isolated TDM-based telephone systems and the required duplicate infrastructure with
simpler, more cost-effective IPT components using existing data infrastructure and leveraging integration to provide flexibility and cost savings along with robust features and
functionality. IPT also allows third-party software providers to develop new applications
for IP phones.
The following summarizes the design goals for a VoIP network:
■ To use end-to-end VoIP between sites
■ To make VoIP widely usable
■ To make VoIP cost-effective
■ To provide the same reliability and high availability traditionally associated with older voice technologies
■ To offer lower cost of ownership than traditional telephony
■ To offer greater flexibility than traditional telephony (remote worker, mobility)
■ To leverage integration to provide new applications (presence, IVR, contact centers)
■ To improve remote worker, agent, and work-at-home staff productivity
■ To facilitate data and telephony network consolidation
■ To ensure backward compatibility with traditional systems and endpoints such as PBXs, faxes, and the PSTN
IPT Deployment Models
This section covers the Cisco IPT call processing deployment models:
■ Single-site deployment
■ Multisite WAN with centralized call processing
■ Multisite WAN with distributed call processing
■ CallManager Express deployment
Single-Site Deployment
The single-site deployment model, shown in Figure 14-10, is a solution for enterprises located in a single large building or campus area with no voice on the WAN links. There are
no remote sites.
Figure 14-10 Single-Site Deployment Model (figure: a Cisco Unified Communications Manager (CUCM) cluster and Unity voice mail in the server farm, a PSTN gateway router to the PSTN, and access-layer inline-power LAN switches)
A single cluster of CUCM servers is deployed for redundancy in the server farm. IP phones are deployed on PoE- and QoS-enabled LAN switches. The CUCM cluster supports up to 30,000 IP devices in a cluster. Gateway routers are configured with PRI cards to legacy PBXs and the PSTN. A single cluster of Unity or Unity Connection servers supports voice-mail and unified messaging requirements.
Multisite WAN with Centralized Call Processing Model
The centralized WAN call processing model is a solution for medium enterprises with one
large location and many remote sites. Figure 14-11 shows the centralized call processing
model. A CUCM cluster with multiple servers is deployed for redundancy at the large site.
Call processing and voice-mail servers are located only at the main site. Remote-site IP
phones register to the CUCM cluster located in the main site. PoE switches are used to
power all IP phones. Remote sites use voice-enabled gateway routers with SRST for call
processing redundancy in the event of a WAN failure.
Figure 14-11 Multisite WAN with Centralized CM Deployment Model (figure: CUCM cluster and Unity voice mail at the main site behind a WAN router and PSTN gateway; Site B and Site C each with an SRST router, connected over the WAN and to the PSTN)
On the WAN, QoS features are configured to prioritize the VoIP packets over other
packet types. In the event of WAN failure, SRST-configured routers forward calls through
the PSTN. The PSTN circuit can be used for local inbound and outbound calls at the remote site. In this model, call admission control (CAC) is configured to impose a limit on
the number of on-net calls permitted between sites.
Multisite WAN with Distributed Call Processing Model
The multisite WAN with distributed call processing is a solution for large enterprises with
several large locations. Figure 14-12 shows the distributed WAN model. Up to 30,000
redundancy, and Unity servers are used for messaging. Intercluster trunks are created to
establish communication between clusters. IP phones are deployed on PoE LAN switches.
Figure 14-12 Multisite WAN with Distributed CM Deployment Model (figure: CUCM Clusters A, B, and C, each with Unity voice mail and a WAN router with PSTN gateway; Site B and Site C connected over the WAN and to the PSTN)
This model also allows remote sites to hang off the large sites. Cisco gatekeepers (a special software feature on IOS routers) can be deployed to support a unified dial plan and enforce CAC.
Unified CallManager Express Deployments
Cisco provides express versions of its CallManager and Unity solutions integrated in its
Integrated Services Routers (ISR). CallManager Express (CME) provides the call processing capabilities on a router. Unity Express provides voice-mail and auto-attendant functions on special modules that can be installed in a router. CME deployments support up
to 450 Cisco IP phones (hardware dependent, based on 3945 ISR G2). It is a distributed,
lower-cost solution for small branch offices.
Video Deployment Considerations
There has been an increase in the amount of video over IP traffic on data networks. In the workplace, desktop video conferencing, video broadcasts, and IP video surveillance are increasingly seen on the network. Video surveillance requires high bandwidth and low loss and delay between the camera source and the storage device to produce the best video. We also see traffic from “unmanaged” sources on the Internet, such as video from news sites, YouTube, and TV programming shows. Video traffic is more susceptible to QoS issues than VoIP or data traffic, although end users are used to some intermittent chop in video as long as the audio going with it does not skip. Table 14-6 shows the packet-loss target for each traffic category.
Table 14-6 Data, Voice, and Video Sensitivities to Packet Loss
Traffic Type | Sensitivity to Multisecond Interruption | Packet-Loss Target
Data | Tolerant | 1% to 2%
Voice | Less tolerant | <1%
Video | Intolerant | <0.05%
The network designer should be aware that different video applications behave differently
and place different requirements on the network. Table 14-7 shows characteristics of video
media application models.
Table 14-7 Video Media Application Models
Tool | Model | Flow Direction | Traffic Trends
TelePresence | Many to many | Client ←→ Client; MCU ←→ Client | 4 Mbps to 12 Mbps for high-def video.
Desktop video conferencing | Many to many | Client ←→ Client; MCU ←→ Client | Collaboration across geographies. Growing peer-to-peer model.
Video surveillance | Many to few | Source → Storage; Storage → Client; Source → Client | Up to 3 Mbps to 4 Mbps per camera based on video quality and frame rates.
Desktop streaming media | Few to many | Storage → Client; Source → Client | Increase in applications driving more streams. Higher-quality video adds more bandwidth.
An architecture framework for media services supports the different video models. As shown in Figure 14-13, the network provides services to video media in the Media Services Framework. Those services are access services, transport services, bridging services, storage services, and session control services, which are provided to endpoints.
■ Access services provide identity of end devices, mobility, and location services.
■ Transport services provide QoS for reliable packet delivery.
■ Bridging services provide transcoding, conferencing, and recording services for media streams.
■ Storage services provide capture and storage of media streams and content management and distribution.
■ Session control services provide session signaling and control and gateway services.
Figure 14-13 Media Services Architectural Framework (figure: endpoints such as HDTV and IP phones served by access services, transport services, bridging services, storage services, and session control services with gateways)
Codecs
Because speech is an analog signal, it must be converted into digital signals for transmission over digital systems. The first basic modulation and coding technique was pulse-code modulation (PCM). The international standard for PCM is G.711. With PCM, analog speech is sampled 8000 times a second. Each speech sample is mapped onto 8 bits. Thus, PCM produces (8000 samples per second) * (8 bits per sample) = 64,000 bits per second = 64-kbps coded bit rate. Other coding schemes have been developed to further compress the data representation of speech. G.711 is the primary codec used with IPT over LANs, where high bandwidth is available.
Analog-to-Digital Signal Conversion
For clear voice communications, analog speech is converted into digital format. Digitized voice can travel longer distances than analog voice. The steps involved to convert voice from analog into digital format are
Step 1. Filtering
Step 2. Sampling
Step 3. Digitizing
Most of the spoken language ranges from 300 Hz to approximately 3400 Hz. In the first
step, codecs are configured to filter signals over 4000 Hz out of the analog signal.
In the second step, the signal is sampled at 8000 times per second using pulse-amplitude modulation (PAM). It is sampled 8000 times a second because that is twice the
highest frequency of the filtered voice stream at 4000 Hz. This produces a sample every
125 microseconds.
Third, the amplitude samples are converted to a binary code. This is the process where PCM occurs. The difference between PCM and PAM is that PCM does the additional step of encoding each analog sample into binary.
The digitizing process is divided further into two subprocesses:
■ Companding: This term comes from “compressing and expanding.” The analog samples are compressed into logarithmic segments. Then each segment is quantized and coded, which is the next subprocess.
■ Quantization and coding: This process converts the analog value into a distinct value that is assigned a digital value. The standard word size is 8 bits, which allows for 256 distinct quantization intervals. The rate then becomes the sampling rate times the size of the codeword (2 * 4 kHz * 8 bits = 64 kbps).
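The following Python script is an added worked example, not code from the Cert Guide or from any Cisco product; it implements the companding and quantization steps just described as a G.711 mu-law encoder and decoder (sign bit, 3-bit logarithmic segment, 4-bit step within the segment), feeds it one 20-ms frame of a constructed 1 kHz tone sampled at 8000 Hz, and confirms the 160-byte frame and the 64-kbps coded bit rate. The function names and the tone are choices made for this example.

```python
import math

SAMPLE_RATE = 8000      # samples per second (G.711 PCM)
BITS_PER_SAMPLE = 8     # one 8-bit codeword per sample
FRAME_MS = 20           # 20 ms of speech = 160 samples, the default G.711 payload
BIAS = 0x84             # mu-law bias added before the segment search
CLIP = 32635            # largest 16-bit magnitude the encoder accepts


def codec_bit_rate() -> int:
    """PCM coded bit rate: 8000 samples/s * 8 bits/sample = 64,000 bps."""
    return SAMPLE_RATE * BITS_PER_SAMPLE


def ulaw_encode(sample: int) -> int:
    """Compand one 16-bit linear sample into an 8-bit G.711 mu-law codeword.

    The codeword packs a sign bit, a 3-bit logarithmic segment and a 4-bit step
    inside that segment; the result is bit-inverted, so silence (0) is 0xFF.
    """
    sign = 0
    if sample < 0:
        sign = 0x80
        sample = -sample
    sample = min(sample, CLIP) + BIAS
    # Segment search: the segment is the position of the highest set bit,
    # tested from 0x4000 (segment 7) down to 0x100 (segment 1).
    segment = 7
    while segment > 0 and not sample & (0x80 << segment):
        segment -= 1
    step = (sample >> (segment + 3)) & 0x0F          # 4-bit step within the segment
    return ~(sign | (segment << 4) | step) & 0xFF


def ulaw_decode(code: int) -> int:
    """Expand an 8-bit mu-law codeword back to a 16-bit linear sample.

    The decoder returns the midpoint of the quantization interval the encoder
    selected, so the round-trip error is at most half an interval.
    """
    code = ~code & 0xFF
    sign = code & 0x80
    segment = (code >> 4) & 0x07
    step = code & 0x0F
    sample = (((step << 3) + BIAS) << segment) - BIAS
    return -sample if sign else sample


def tone(freq_hz: float, amplitude: int = 8000, ms: int = FRAME_MS) -> list:
    """Constructed test input: one frame of a pure tone as 16-bit linear samples."""
    n = SAMPLE_RATE * ms // 1000
    return [int(round(amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)))
            for i in range(n)]


def encode_frame(samples: list) -> bytes:
    """One codeword per sample: 160 samples of 20 ms become a 160-byte payload."""
    return bytes(ulaw_encode(s) for s in samples)


def decode_frame(frame: bytes) -> list:
    return [ulaw_decode(b) for b in frame]


def max_roundtrip_error(samples: list) -> int:
    """Largest absolute difference between input and decode(encode(input))."""
    decoded = decode_frame(encode_frame(samples))
    return max(abs(a - b) for a, b in zip(samples, decoded))


def frame_bit_rate(frame: bytes, ms: int = FRAME_MS) -> int:
    """Bits carried per second by frames of this size sent every `ms` milliseconds."""
    return len(frame) * 8 * 1000 // ms


if __name__ == "__main__":
    samples = tone(1000)
    frame = encode_frame(samples)
    print(len(frame), "bytes per", FRAME_MS, "ms frame ->", frame_bit_rate(frame), "bps")
    print("codec bit rate:", codec_bit_rate(), "bps")
    print("max round-trip error for the tone:", max_roundtrip_error(samples))
```

The quantization error grows with the segment (the interval width doubles per segment), which is the point of companding: small amplitudes, where the ear is most sensitive, are coded finely and loud samples coarsely.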
Codec Standards
Codecs transform analog signals into a digital bit stream and digital signals back into analog signals. Figure 14-14 shows that an analog signal is digitized with a coder for digital
transport. The decoder converts the digital signal into analog form.
Figure 14-14 Codec (figure: Analog Input Signal → Coder → Digital Coded Signal → Decoder → Analog Output Signal)
Each codec provides a certain level of fidelity to the original audio, or quality of speech. The term mean opinion score (MOS) is used to rate the fidelity for a codec. A MOS score is not a scientific measure. Instead, it is a subjective rating of audio fidelity from 1 (bad) to 5 (best). The scores are then averaged to provide the MOS for each codec. For example, the established MOS score for G.711 is 4.1, and G.729 is 3.92.
The default codec setting for VoIP dial peers in Cisco IOS software is G.729 (g729r8), but
this can be configured with several other options, including G.711. Other codec standards
are shown in Table 14-8. An explanation of the compression techniques is beyond the
scope of the CCDA test.
Table 14-8 Codec Standards
Codec | Bit Rate | MOS | Description
G.711u | 64 kbps | 4.1 | PCM. Mu-law version used in North America and Japan. Samples speech 8000 times per second, represented in 8 bits.
G.711a | 64 kbps | 4.1 | PCM. A-law used in Europe and international systems.
G.726 | 16/24/32/40 kbps | 3.85 | Adaptive differential pulse-code modulation (ADPCM).
G.728 | 16 kbps | 3.61 | Low-Delay CELP (LDCELP).
G.729 | 8 kbps | 3.92 | Conjugate Structure ACELP (CS-ACELP).
G.723.1 | 6.3 kbps | 3.9 | Multipulse Excitation–Maximum Likelihood Quantization (MPE-MLQ).
G.723.1 | 5.3 kbps | 3.65 | Algebraic Code–Excited Linear Prediction (ACELP).
VoIP Control and Transport Protocols
A number of different protocols are used in a VoIP environment for call control, device
provisioning, and addressing.
Figure 14-15 shows those protocols focused on VoIP control and transport.
Figure 14-15 VoIP Control and Transport Protocols (figure: a protocol stack with call control (H.225, Q.931), audio and video codecs (G.7xx, H.26x), and audio and video control (RTCP, RAS, H.245); codec media rides on RTP over UDP, signaling on TCP or UDP, all over IP; Layer 2: FR, MPLS, Ethernet, PPP)
Some of the most significant protocols are
■ Dynamic Host Configuration Protocol (DHCP): Used to provide device configuration parameters such as IP configuration (address, subnet mask, default gateway) and TFTP servers (via DHCP option 150).
■ TFTP: To obtain ring tones, backgrounds, configuration files, and firmware files.
■ Skinny Client Control Protocol (SCCP): Used for call control for Cisco IP phones (Cisco proprietary).
■ Real-time Transport Protocol (RTP): For voice stream (VoIP) station-to-station traffic in an active call.
■ Real-time Transport Control Protocol (RTCP): For RTP control and reporting (accompanying stream to RTP between endpoints).
■ Media Gateway Control Protocol (MGCP): A client/server protocol for control of endpoints and gateways. In the MGCP model, intelligence resides on the call agent (server), and the device is controlled by the agent.
■ H.323: An ITU standard for VoIP networks that is a peer-to-peer system (call processing logic is local to each device) used for gateways and endpoints.
■ Session Initiation Protocol (SIP): A standard for VoIP networks defined by the IETF and used for gateways and endpoints. SIP is feature rich (native IM, presence, and video support), lightweight, and designed for easy troubleshooting (ASCII-based messages).
DHCP, DNS, and TFTP
IP phones use DHCP to obtain their IP addressing information: IP address, subnet mask,
and default gateway. DHCP also provides the IP address of the DNS servers and the name
or IP address of the TFTP server. You use TFTP to download the IP phone operating system and configuration. Both DHCP and TFTP run over UDP. These protocols are covered
in detail in Chapter 8, “Internet Protocol Version 4.”
SCCP
SCCP is a Cisco proprietary client/server signaling protocol for call setup and control.
SCCP runs over TCP. SCCP is called a “skinny” protocol because it uses less overhead
than the call-setup protocols used by H.323. IP phones typically use SCCP to register
with CUCM and to establish calls. SCCP can also be used by the call agent to communicate with gateways and control analog endpoints such as FXS ports. It is also used to manage resources such as DSPs on voice gateways. SCCP is used for VoIP call signaling and
for features such as message-waiting indicators. As shown in Figure 14-16, IP phones communicate with the CUCM server using SCCP, but RTP is the protocol used for voice media streams between IP phones.
Figure 14-16 SCCP (figure: each IP phone signals to CUCM with SCCP; RTP flows directly between the IP phones)
RTP and RTCP
In VoIP, RTP transports audio streams. RTP is a transport layer protocol that carries digitized voice in its payload. RTP was initially defined in RFC 1889, and the current RFC is
3550. RTP runs over UDP, which has lower delay than TCP. Because of the time sensitivity
of voice traffic and the delay incurred in retransmissions, UDP is used rather than TCP.
Real-time traffic is carried over UDP ports ranging from 16,384 to 32,767. The only requirement is that the RTP data be transported on an even port and that the RTCP data be
carried on the next odd port. RTCP is also defined in RFC 3550. RTCP is a session layer
protocol that monitors the delivery of data and provides control and identification functions. Figure 14-17 shows a VoIP packet with the IP, UDP, and RTP headers. Notice that
the sum of the header lengths is 20 + 8 + 12 = 40 bytes.
Figure 14-17 IP, UDP, and RTP Headers of a VoIP Packet (figure: IP Header (20 bytes), UDP Header (8 bytes), RTP Header (12 bytes), followed by two CODEC samples of 10 bytes each)
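The following Python script is an added example, not code from the Cert Guide; it decodes the 12-byte fixed RTP header (RFC 3550) from a constructed packet, applies the even-port/odd-port pairing rule and the 16,384 to 32,767 port range from the text, adds the 20 + 8 + 12 = 40 bytes of headers to a payload to get the on-the-wire size, and estimates packet loss from sequence-number gaps, which is how an operator checks a stream against the loss targets of Table 14-6. The function names, the sample packet, and the sequence list are constructed for this example; the sequence-gap check does not handle 16-bit wraparound, an assumption noted in the code.

```python
import struct

RTP_PORT_MIN, RTP_PORT_MAX = 16384, 32767   # voice port range stated in the text
IP_HEADER, UDP_HEADER, RTP_HEADER = 20, 8, 12
RTP_VERSION = 2


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the fixed RTP header from a UDP payload.

    Layout (network byte order): V(2) P(1) X(1) CC(4) | M(1) PT(7) |
    sequence(16) | timestamp(32) | SSRC(32), then 4 bytes per CSRC.
    """
    if len(packet) < RTP_HEADER:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER])
    version = b0 >> 6
    if version != RTP_VERSION:
        raise ValueError(f"unexpected RTP version {version}")
    cc = b0 & 0x0F
    header_len = RTP_HEADER + 4 * cc
    if len(packet) < header_len:
        raise ValueError("CSRC list truncated")
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc_count": cc,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,       # 0 = PCMU (G.711 mu-law) per RFC 3551
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload_len": len(packet) - header_len,
    }


def valid_rtp_rtcp_pair(rtp_port: int, rtcp_port: int) -> bool:
    """RTP on an even port, RTCP on the next odd port, both inside the voice range."""
    return (rtp_port % 2 == 0
            and rtcp_port == rtp_port + 1
            and RTP_PORT_MIN <= rtp_port
            and rtcp_port <= RTP_PORT_MAX)


def voip_packet_bytes(payload_len: int) -> int:
    """Size on the wire above Layer 2: 40 bytes of IP/UDP/RTP headers plus payload."""
    return IP_HEADER + UDP_HEADER + RTP_HEADER + payload_len


def estimate_loss(sequences: list) -> float:
    """Fraction of packets missing, judged from gaps in received sequence numbers.

    Assumption for this example: the list is in arrival order and the 16-bit
    sequence number did not wrap during the observation window.
    """
    expected = sequences[-1] - sequences[0] + 1
    return (expected - len(set(sequences))) / expected


def build_rtp_packet(seq: int, ts: int, ssrc: int, payload: bytes,
                     payload_type: int = 0, marker: bool = False) -> bytes:
    """Constructed sample packet: V=2, no padding, extension, or CSRCs."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + payload


# Constructed sample: one 20-ms G.711 frame (160 bytes of mu-law silence, 0xFF).
SAMPLE_PACKET = build_rtp_packet(seq=1, ts=160, ssrc=0x1234ABCD, payload=b"\xff" * 160)


if __name__ == "__main__":
    hdr = parse_rtp_header(SAMPLE_PACKET)
    print(hdr)
    print("wire size:", voip_packet_bytes(hdr["payload_len"]), "bytes")
    print("16384/16385 valid pair:", valid_rtp_rtcp_pair(16384, 16385))
    print("loss estimate:", estimate_loss([1, 2, 3, 5, 6]))
```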
WAN links use RTP header compression to reduce the size of voice packets. This is also called Compressed RTP (cRTP), which is defined in RFC 2508. As shown in Figure 14-18, cRTP reduces the IP/UDP/RTP header from 40 bytes to 2 or 4 bytes (a significant decrease in overhead). cRTP happens on a hop-by-hop basis, with compression and decompression occurring on every link. It must be configured on both ends of the link. It is recommended for slow links up to 768 kbps. cRTP is not used much anymore because slow WAN link bandwidths are seen less often. cRTP is not recommended on higher-speed links because of its high CPU requirements, which reduce call quality.
Figure 14-18 cRTP (figure: before cRTP, 40 bytes of headers: IP Header (20 bytes) + UDP (8 bytes) + RTP (12 bytes) + Payload (variable); after cRTP, Header (2 or 4 bytes) + Payload (variable))
MGCP
MGCP is a client/server signaling protocol that is used to allow centralized call processing
agents (such as CUCM) to control gateways in VoIP networks. MGCP is defined in RFC
3661. MGCP’s primary advantage is centralized device and dial plan configuration. Figure
14-19 shows a network where MGCP is used by the CUCM to control a voice gateway.
MGCP gateways handle the transition between the TDM and IP voice networks. MGCP is also used to provide enhanced functionality such as QSIG trunking, which is not supported on H.323 or SIP IOS gateways, and gateway failover and load balancing.
Figure 14-19 MGCP (figure: CUCM controls a voice gateway with MGCP across an MPLS network; the gateway connects to the PSTN; RTP flows between the IP phones and the gateway)
MGCP defines two components: call agents and endpoints. In MGCP networks, endpoints
cannot function without communication and control from the call agent. Call agents such
as CUCM control the gateways. An endpoint is any gateway interface, such as a PRI trunk
or analog interface.
H.323
H.323 is a standard published by the ITU that works as a framework document for multimedia protocols, including voice, video, and data conferencing, for use over packet-switched networks. H.323 standards describe terminal (endpoint), gateway, gatekeeper, and multipoint control unit (MCU) devices to be used in a multimedia network.
As shown in Figure 14-20, H.323 includes the following elements:
■ Terminals: Telephones, video phones, and voice-mail systems (devices that provide real-time two-way voice).
■ MCUs: An MCU is a device used for joining together multiple audio/video streams into a single bridge, or conference. The MCU is responsible for taking streams from the different conference participants, mixing the streams together, and then sending the combined stream back to the participants.
■ Gateways: A device that provides transitional services from one network type to another, such as connecting a VoIP network to a TDM network such as the PSTN (analog/T1 PRI). Gateways also provide translation services between H.323 endpoints and non-H.323 devices.
■ Gatekeepers: Provide dial plan unification, CAC, device registration, and call routing services to the VoIP network and are often used to unify multiple different VoIP networks as a single call routing hub. Gatekeepers are recommended when interconnecting more than two CUCM networks, to reduce dial plan and call routing configuration and provide centralized CAC.
Figure 14-20 H.323 Components (figure: CUCM, a gatekeeper, an MCU, and IP phones (terminals) on the LAN, with a gateway to the PSTN, connected across MPLS)
Gatekeeper Use for Scalability
By definition, H.323 networks are peer-to-peer, autonomous systems. This means that configuration is required on each device about all
other devices in the network with which it needs to communicate (a mesh configuration),
including network addressing, call routing, CAC, and other configuration parameters (a
logical connection). As a network grows, the number of logical connections required
grows exponentially. For example, if a gatekeeper is not used, logical connections need to
be configured on each gateway to connect to every single other gateway on the network.
The number of logical connections is represented by the following formula:
L = (N * (N – 1)) / 2
where N is the number of devices in the network.
For example, in a network with 7 devices, 21 logical connections must be configured to
ensure that each device can communicate with every other device.
Alternatively, this configuration can be consolidated into a centralized system called a
gatekeeper. In a gatekeeper-controlled system, each device needs to be configured with
only a logical connection to the gatekeeper. In this fashion, the number of configurations
required is exponentially reduced, and administration can be done from a central point.
Going back to the earlier configuration example, only 7 logical connections need to be
configured in a gatekeeper-controlled environment as opposed to the 21 that have to be
configured without it. In a larger network of 100 devices, it is 100 versus 4950 connections!
As shown in Figure 14-21, for three gateways the number of logical connections is only
three but grows to ten connections when there are only five gateways. With a gatekeeper,
each gateway contains a simpler dial plan and connects only to the gatekeeper.
Figure 14-21 A Gatekeeper Reduces the Number of Logical Gateway Connections (figure: 3 gateways need 3 logical connections; 5 gateways need 10 logical connections; with a gatekeeper, 5 gateways need only 5 logical connections to the GK)
H.323 terminals must support the following standards:
■ H.245 call capability control
■ Q.931 call setup signaling
■ H.225 call signaling
■ RTP/RTCP voice streams
H.245 specifies messages for opening and closing channels for media streams and other
commands, requests, and indications. It is a control channel protocol.
Q.931 is a standard for call signaling used by H.323 within the context of H.225. It is also
used by PRI links.
H.225 performs registration, admission, and status (RAS) signaling for H.323 sessions.
RTP is the transport layer protocol used to transport VoIP packets. RTCP is also a transport layer protocol.
H.323 includes a series of protocols for multimedia, as shown in Table 14-9.
Table 14-9 H.323 Protocols
Video: H.261, H.263, H.264
Audio: G.711, G.722, G.723.1, G.728, G.729
Data: T.122, T.124, T.125, T.126, T.127
Transport: RTP, H.225, H.235, H.245, H.450.1, H.450.2, H.450.3, X.224.0
H.264
H.264 is an ITU-T standard that defines a video compression algorithm. It is identical to ISO/IEC MPEG-4 Part 10 and is also called Advanced Video Coding (AVC). It is an upgrade from the H.263 standard that is found in Flash, YouTube, and Google Video today. H.264 also handles encoding of pixel blocks more effectively, thus reducing the pixelation seen on video conferences when motion occurs. H.264 encodes and transmits two interlaced fields for each frame: 30 frames per second and 60 fields per second. H.263 only does 30 fields per second.
Table 14-10 provides typical bandwidth requirements of H.264 video sources.
Table 14-10 H.264 Video Bandwidth
Video Source | Resolution | Typical Load
TelePresence 3000 | 1080p | 12.3 Mbps
TelePresence 3000 | 720p | 6.75 Mbps
TelePresence 1000 | 1080p | 4.1 Mbps
TelePresence 1000 | 720p | 2.25 Mbps
Cisco 4500 Video Surveillance | 1080p | 4–6 Mbps
Cisco DMS – Digital Sign SD | 720x480 | 1.5–2.5 Mbps
Cisco DMS – Digital Sign HD | 1080p | 8–12 Mbps
Cisco Video Advantage | CIF | 768 kbps
YouTube HD | 720p | 2 Mbps
SIP
SIP is a protocol defined by the IETF and specified in RFC 2543. It is an alternative multimedia framework to H.323, developed specifically for IP telephony. It is meant to be a
simple lightweight replacement to H.323. Cisco now supports SIP on CUCM, IP phones,
and gateways.
SIP is an application layer control (signaling) protocol for creating, modifying, and terminating IP multimedia conferences, Internet telephone calls, and multimedia distribution.
Communication between members of a session can be via a multicast, a unicast mesh, or a
combination.
SIP is designed as part of the overall IETF multimedia data and control architecture that
incorporates protocols such as the following:
■ Resource Reservation Protocol (RSVP) (RFC 2205) for reserving network bandwidth and priority (low-latency) queuing
■ RTP and RTCP (RFC 3550) for transporting real-time data and providing QoS feedback
■ Real-Time Streaming Protocol (RTSP) (RFC 2326) for controlling delivery of streaming media
■ Session Announcement Protocol (SAP) (RFC 2974) for advertising multimedia sessions via multicast
■ Session Description Protocol (SDP) (RFC 2327) for describing multimedia sessions
SIP supports user mobility by using proxy and redirect servers to redirect requests to the
user’s current location. Users can register their current locations, and SIP location services
provide the location of user agents.
Figure 14-22 shows SIP components.
Figure 14-22 SIP Architecture (figure: a SIP proxy, CUCM reached over a SIP trunk, SIP voice mail, and SIP and SCCP IP phones on the IP network; SIP carries the signaling and RTP the media)
SIP uses a modular architecture that includes the following components:
■ SIP user agent (UA): These endpoints create and terminate sessions: SIP phones, SIP PC clients, or gateways. A UA client (UAC) initiates a SIP request. A UA server (UAS) responds to SIP requests. CUCM can act as both a server and a client.
■ SIP proxy server: Routes messages between SIP UAs. It acts as an intermediary that receives SIP requests from a client and forwards the requests on behalf of the client. SIP proxy servers perform authentication, authorization, routing, reliable request retransmission, and security.
■ SIP redirect server: Call control device used to provide routing information to user agents. It provides information about the next hop or hops that a message should take.
■ SIP registrar server: Stores the location of all user agents in the domain or subdomain. It processes requests from UACs for registration of their current locations. SIP proxy servers or redirect servers can contain registrar servers.
■ SIP location services: Provide logical location of UAs; used by the proxy, redirect, and registrar servers.
■ Back-to-back user agent: Call control device that divides a voice call into two call legs.
Table 14-11 summarizes protocols used in VoIP networks.
Table 14-11 Significant Protocols in VoIP Networks
Protocol | Description
DHCP | Dynamic Host Configuration Protocol. Provides IP address, mask, gateway, DNS address, and TFTP address.
TFTP | Trivial File Transfer Protocol. Provides the IP phone configuration and operating system.
SCCP | Skinny Client Control Protocol. Establishes calls between IP phones and CUCM.
RTP | Real-time Transport Protocol. Used for the transmission of real-time traffic such as voice and video.
RTCP | Real-time Transport Control Protocol. Provides out-of-band statistics and control information for RTP streams.
H.323 | An ITU standard for VoIP networks. H.323 is older and more stable than SIP, but is also more process intensive and is limited to traditional voice and video functionality.
SIP | Session Initiation Protocol. An IETF standard for VoIP networks. Newer and less mature than H.323, but also less process intensive and has support for new features such as IM and presence.
IPT Design
This section covers network design issues and solutions that a designer needs to be aware
of when designing a network for IPT. Topics such as bandwidth requirements, delay, and
QoS schemes should be considered.
Bandwidth
VoIP calls need to meet bandwidth and delay parameters. The amount of bandwidth required depends on the codec used, the Layer 2 protocol, and whether voice-activity detection (VAD) is enabled. For the purpose of call control, you can use the following
bandwidth requirements (minimum values) for VoIP design:
■ G.729 calls use 26 kbps.
■ G.711 calls use 80 kbps.
When you’re designing for VoIP networks, the total bandwidth for voice, data, and video
should not exceed 75 percent sustained of the provisioned link capacity during peak
times. Best practice is to provision/plan for no more than one-third of any link for the priority queue/real-time traffic. Use the following formula to provision interface speeds:
Link capacity = [required bandwidth for voice] + [required bandwidth for video] + [required bandwidth for data]
The remaining bandwidth is used by routing, multicast, and management protocols.
VAD
As we listen and pause between sentences, typical voice conversations can contain up to
60 percent silence in each direction. In circuit-switched telephone networks, all voice calls
use fixed-bandwidth 64-kbps links regardless of how much of the conversation is speech
and how much is silence. In multiservice networks, all conversation and silence is packetized. Using VAD, you can suppress packets of silence. Silence suppression at the source
IP telephone or VoIP gateway increases the number of calls or data volumes that can be
carried over the links, more effectively utilizing network bandwidth. Bandwidth savings
are at least 35 percent in conservative estimates. VAD is enabled by default for all VoIP calls. In real-world practice, it is suggested that VAD be avoided because it creates quality issues and breaks applications such as fax and modem transmissions.
Table 14-12 shows how much bandwidth is required based on different parameters. Notice
that for G.729 bandwidth is reduced from 26.4 kbps to 17.2 kbps with VAD and to 7.3
kbps with VAD and cRTP enabled.
Table 14-12 VoIP Bandwidth Requirements with cRTP and VAD
Technique (codec bit rate in kbps) | Payload Size (bytes) | Bandwidth, Multilink PPP (MLP) or FRF.12 (kbps) | Bandwidth with cRTP, MLP or FRF.12 (kbps) | Bandwidth with VAD, MLP or FRF.12 (kbps) | Bandwidth with cRTP and VAD, MLP or FRF.12 (kbps)
G.711 (64) | 240 | 76 | — | 50 | 43
G.711 (64) | 160 (default) | 83 | — | 54 | 44
G.726 (32) | 120 | 44 | 34 | 29 | 22
G.726 (32) | 80 (default) | 50 | 35 | 33 | 23
G.726 (24) | 80 | 38 | 27 | 25 | 17
G.726 (24) | 60 (default) | 42 | 27 | 27 | 18
G.728 (16) | 80 | 25 | 18 | 17 | 12
G.728 (16) | 40 (default) | 35 | 19 | 23 | 13
G.729 (8) | 40 | 17.2 | 9.6 | 11.2 | 6.3
G.729 (8) | 20 (default) | 26.4 | 11.2 | 17.2 | 7.3
G.723.1 (6.3) | 48 | 12.3 | 7.4 | 8.0 | 4.8
G.723.1 (6.3) | 24 (default) | 18.4 | 8.4 | 12.0 | 5.5
G.723.1 (5.3) | 40 | 11.4 | 6.4 | 7.4 | 4.1
G.723.1 (5.3) | 20 (default) | 17.5 | 7.4 | 11.4 | 4.8
Calculating Voice Bandwidth
The CCDA test expects the designer to be able to calculate some basic voice bandwidth
estimates. Use the following assumptions when calculating voice bandwidth:
■ IP/UDP/RTP header uses 40 bytes.
■ cRTP reduces the IP/UDP/RTP header to 2 or 4 bytes.
■ The WAN Layer 2 header adds 6 bytes on a point-to-point circuit.
■ Voice packet size = (Layer 2 header) + (IP/UDP/RTP header) + (voice payload).
■ Voice packets per second (pps) = codec bit rate / voice payload size.
■ Voice bandwidth (bps) = (voice packet size) * (pps).
As an example, calculate the WAN bandwidth used at a site that will have 10 concurrent
G.729 calls with cRTP and a default voice payload of 20 bytes.
From this description, we obtain the following:
■ G.729 codec is used: 8 kbps codec bit rate.
■ cRTP = 2-byte IP/UDP/RTP header.
■ Default voice payload = 20 bytes * (8 bits/byte) = 160 bits.
■ WAN header = 6 bytes.
■ Voice packet size = 6 bytes + 2 bytes + 20 bytes = 28 bytes * (8 bits/byte) = 224 bits.
■ PPS = 8 kbps / 160 bits = 8000/160 = 50 pps.
■ BW per call = 224 (bits/packet) * 50 (pps) = 11200 bps = 11.2 kbps.
■ BW for 10 calls = 11.2 kbps * 10 = 112 kbps.
Here is a second example: Calculate the WAN bandwidth used by a G.711 call with no cRTP and a default voice payload.
From this description, we obtain the following:
■ G.711 codec is used: 64 kbps codec bit rate
■ IP/UDP/RTP header = 40 bytes
■ Default voice payload = 160 bytes * (8 bits/byte) = 1280 bits
■ WAN header = 6 bytes
■ Voice packet size = 6 bytes + 40 bytes + 160 bytes = 206 bytes * (8 bits/byte) = 1648 bits
■ PPS = 64 kbps / 1280 bits = 64,000/1280 = 50 pps
■ BW per call = 1648 (bits/packet) * 50 (pps) = 82400 bps = 82.4 kbps
Cisco has developed a tool, available on its website, that you can use to obtain accurate
estimates for IPT design. The tool is the Voice Codec Bandwidth Calculator, and it is available at http://tools.cisco.com/Support/VBC/do/CodecCalc1.do.
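The following Python script is an added worked example, not code from the Cert Guide and not Cisco's Voice Codec Bandwidth Calculator. It encodes the assumptions listed under "Calculating Voice Bandwidth" (40-byte IP/UDP/RTP header, 2-byte cRTP header, 6-byte WAN Layer 2 header) together with the 35 percent VAD saving from the VAD section, reproduces both worked examples (11.2 kbps and 82.4 kbps per call) and the G.729 rows of Table 14-12, and then checks a link against the 75 percent and one-third provisioning rules from the Bandwidth section. The VoiceCall class, the check_link_provisioning function, and the sample link figures are constructed for this example; the assumption that only voice is placed in the priority queue is noted in the code.

```python
from dataclasses import dataclass

IP_UDP_RTP_HEADER = 40      # bytes, uncompressed: 20 (IP) + 8 (UDP) + 12 (RTP)
CRTP_HEADER = 2             # bytes; the text allows 2 or 4, the worked example uses 2
WAN_L2_HEADER = 6           # bytes on a point-to-point circuit
VAD_SAVINGS = 0.35          # conservative 35 percent saving from silence suppression


@dataclass
class VoiceCall:
    codec_kbps: float       # codec bit rate: 8 for G.729, 64 for G.711
    payload_bytes: int      # voice payload carried in each packet
    crtp: bool = False
    vad: bool = False
    l2_header_bytes: int = WAN_L2_HEADER

    def packets_per_second(self) -> float:
        """pps = codec bit rate / voice payload size (in bits)."""
        return self.codec_kbps * 1000 / (self.payload_bytes * 8)

    def packet_bits(self) -> int:
        """Voice packet size = Layer 2 header + IP/UDP/RTP (or cRTP) header + payload."""
        header = CRTP_HEADER if self.crtp else IP_UDP_RTP_HEADER
        return (self.l2_header_bytes + header + self.payload_bytes) * 8

    def bandwidth_kbps(self) -> float:
        """Per-call bandwidth = packet size * pps, reduced by VAD when enabled."""
        kbps = self.packet_bits() * self.packets_per_second() / 1000
        if self.vad:
            kbps *= 1 - VAD_SAVINGS
        return round(kbps, 1)


def site_bandwidth_kbps(call: VoiceCall, concurrent_calls: int) -> float:
    """Aggregate WAN bandwidth for a number of simultaneous identical calls."""
    return round(call.bandwidth_kbps() * concurrent_calls, 1)


def check_link_provisioning(link_kbps: float, voice_kbps: float, video_kbps: float,
                            data_kbps: float, priority_queue_kbps: float = None) -> dict:
    """Apply the two design rules from the Bandwidth section.

    Voice + video + data must stay within 75 percent of the link; the priority
    queue (real-time traffic) must not exceed one-third of the link.  Assumption:
    only voice goes into the priority queue unless a figure is supplied.
    """
    total = voice_kbps + video_kbps + data_kbps
    priority = voice_kbps if priority_queue_kbps is None else priority_queue_kbps
    return {
        "total_utilization": round(total / link_kbps, 3),
        "within_75_percent": total <= 0.75 * link_kbps,
        "priority_queue_within_one_third": priority <= link_kbps / 3,
    }


if __name__ == "__main__":
    g729_crtp = VoiceCall(codec_kbps=8, payload_bytes=20, crtp=True)
    print("G.729 + cRTP per call:", g729_crtp.bandwidth_kbps(), "kbps")
    print("10 calls:", site_bandwidth_kbps(g729_crtp, 10), "kbps")
    print("G.711 no cRTP per call:", VoiceCall(64, 160).bandwidth_kbps(), "kbps")
    # Constructed T1 example: 10 G.729/cRTP calls, no video, 800 kbps of data.
    print(check_link_provisioning(1544, site_bandwidth_kbps(g729_crtp, 10), 0, 800))
```

Running the G.729 default payload through all four combinations reproduces the 26.4 / 11.2 / 17.2 / 7.3 kbps figures of Table 14-12, which is a useful sanity check before trusting the rounding in your own spreadsheets.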
Delay Components in VoIP Networks
The ITU’s G.114 recommendation specifies that the one-way delay between endpoints should not exceed 150 ms for acceptable, commercial voice quality. In private networks, somewhat longer delays might be acceptable for economic reasons. The ITU G.114 recommendation specifies that 151-ms to 400-ms one-way delay might be acceptable provided that organizations are aware that the transmission time will affect the quality of user applications. One-way delays above 400 ms are unacceptable for general network planning purposes.
Delay components are one of two major types: fixed delay and variable delay.
As shown in Figure 14-23, fixed delay includes the following types:
■ Propagation delay
■ Processing delay (and packetization)
■ Serialization delay
Propagation delay is how long it takes a packet to travel between two points. It is based on
the distance between the two endpoints. You cannot overcome this delay component. The
speed of light is the theoretical limit. A reasonable planning figure is approximately 10 ms
per 1000 miles, or 6 ms per 1000 m (6 ms per km). This figure allows for media degradation and devices internal to the transport network. Propagation delay is noticeable on
satellite links.
Figure 14-23 Fixed Delays (serialization delay, processing delay, and propagation delay along the path from the IP phones and CUCM across the MPLS WAN)
Processing delay includes coding, compression, decoding, and decompression delays.
G.729 has a delay of 15 ms, and G.711 PCM has a delay of 0.75 ms. The delay created by
packetization is also a processing delay. Packetization delay occurs in the process of waiting for a number of digital voice samples before sending out a packet. Packetization delay
is the time taken to fill a packet payload with encoded/compressed speech. This delay is a
function of the sample block size required by the coder and the number of blocks placed
in a single frame.
Serialization delay is how long it takes to place bits on the circuit. Faster circuits have less
serialization delay. Serialization delay is calculated with the following formula:
Serialization delay = frame size in bits / link bandwidth in bps
A 1500-byte packet takes (1500 * 8) / 64,000 = 187 ms of serialization delay on a 64 kbps
circuit. If the circuit is increased to 512 kbps, the serialization delay changes to (1500 * 8)
/ 512,000 = 23.4 ms. Data-link fragmentation using link fragmentation and interleaving
(LFI) or FRF.12 mechanisms reduces the serialization delay by reducing the size of the
larger data packets. This arrangement reduces the delay experienced by voice packets as
data packet fragments are serialized and voice packets are interleaved between the fragments. A reasonable design goal is to keep the serialization delay experienced by the
largest packets or fragments on the order of 10 ms at any interface.
Variable delays are
■ Queuing delay
■ Jitter buffer delay
As packets cross a network, they pass through several devices. At every output port of
these devices, it is possible that other voice and data traffic is sharing the link. Queuing
transmission on a link. It is the sum of the serialization delays of all the packets scheduled
ahead of delayed packets. LFI is used as a solution for queuing delay issues. LFI is covered
in the next section.
Figure 14-24 shows variable delays.
Figure 14-24 Variable Delays (queuing delay at each hop, caused by variable packet sizes across the MPLS WAN, and the dejitter buffer at the receiving end)
Packets might not arrive at a constant rate because they take different paths and have perhaps experienced congestion in the network. This variable delay is called jitter. The receiving end uses dejitter buffers to smooth out the variable delay of received VoIP packets.
Dejitter buffers change the variable delay to fixed delay.
As the traffic load on a network increases, both the probability of delay and the length of
the probable delay increase. The actual queuing delay depends on the number of queues,
queue lengths, and queue algorithms. Queuing effects in VoIP networks are covered in the
next section.
Table 14-13 summarizes the fixed and variable network delays, descriptions, and possible
solutions.
Table 14-13 Network Delays

Delay               | Type     | Description
--------------------|----------|---------------------------------------------------------------------
Propagation delay   | Fixed    | 6 ms per km. No solution.
Serialization delay | Fixed    | Frame length/bit rate. A faster link and smaller packets help reduce it.
Processing delay    | Fixed    | Depends on codec used: coding, compression, and packetization. Add hardware DSPs.
Queuing delay       | Variable | Variable packet sizes and number of packets. Use LLQ, CBWFQ, LFI.
Jitter              | Variable | Caused by variable delay. Use dejitter buffers to make delay constant; design as much as possible for an uncongested network.
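As an added example (not from the book), the serialization formula, LFI fragment sizing for the 10-ms goal, and a G.114 delay budget that sums the fixed components for a constructed path, with and without LFI. The coder, propagation, serialization-goal and G.114 figures are the book's; the 20-ms packetization interval, the 60-ms dejitter allowance, and the two-hop 64-kbps path are assumptions.

```python
"""Fixed-delay budget for a VoIP path: serialization delay, LFI fragment sizing,
and the G.114 one-way delay thresholds from the section above.

Added example, not from the book. Planning figures are the book's (G.729 coder
15 ms, G.711 0.75 ms, 10 ms per 1000 miles, a 10-ms serialization goal per
interface, 150/400 ms G.114 limits). The 20-ms packetization interval and the
fixed 60-ms dejitter-buffer allowance used in the sample budget are assumptions."""
import math

CODER_DELAY_MS = {"G.729": 15.0, "G.711": 0.75}   # coding/compression (processing) delay
G114_ACCEPTABLE_MS = 150     # one-way, commercial voice quality
G114_PLANNING_MAX_MS = 400   # beyond this is unacceptable for planning
SERIALIZATION_GOAL_MS = 10   # design goal for the largest frame or fragment per interface


def serialization_delay_ms(frame_bytes, link_bps):
    """Serialization delay = frame size in bits / link bandwidth in bps, as ms."""
    return frame_bytes * 8 * 1000 / link_bps


def lfi_fragment_bytes(link_bps, goal_ms=SERIALIZATION_GOAL_MS):
    """Largest LFI fragment that still serializes within goal_ms on this link."""
    return math.floor(link_bps * goal_ms / 1000 / 8)


def propagation_delay_ms(miles):
    """Planning figure: about 10 ms per 1000 miles."""
    return miles / 1000 * 10


def voice_wait_behind_data_ms(link_bps, data_frame_bytes, fragment_bytes=None):
    """Worst-case wait for a voice packet that arrives just as a data frame starts
    serializing: the whole frame without LFI, a single fragment with LFI."""
    blocking = data_frame_bytes if fragment_bytes is None else min(data_frame_bytes, fragment_bytes)
    return serialization_delay_ms(blocking, link_bps)


def one_way_delay_budget_ms(codec, miles, slow_hops, link_bps, voice_frame_bytes,
                            largest_frame_bytes, fragment_bytes=None,
                            packetization_ms=20, dejitter_ms=60):
    """Sum the fixed components end to end and grade the result against G.114.

    slow_hops is the number of low-speed interfaces the call crosses; on each, the
    voice packet is serialized and may wait behind one data frame or fragment.
    The dejitter allowance stands in for the variable delay the buffer converts
    to fixed delay. Returns (total_ms rounded to 0.1, verdict)."""
    per_hop = (serialization_delay_ms(voice_frame_bytes, link_bps)
               + voice_wait_behind_data_ms(link_bps, largest_frame_bytes, fragment_bytes))
    total = (CODER_DELAY_MS[codec] + packetization_ms + propagation_delay_ms(miles)
             + slow_hops * per_hop + dejitter_ms)
    if total <= G114_ACCEPTABLE_MS:
        verdict = "acceptable"
    elif total <= G114_PLANNING_MAX_MS:
        verdict = "acceptable only if the organization accepts the impact on applications"
    else:
        verdict = "unacceptable"
    return round(total, 1), verdict


if __name__ == "__main__":
    # Constructed scenario: G.729 + cRTP (28-byte voice frames), 2000 miles, two
    # 64-kbps access links, 1500-byte data frames; first without LFI, then with.
    for fragment in (None, lfi_fragment_bytes(64_000)):
        total, verdict = one_way_delay_budget_ms("G.729", 2000, 2, 64_000, 28, 1500, fragment)
        print(f"LFI fragment {fragment}: {total} ms one-way -> {verdict}")
```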
Packet Loss
Packet loss is another item that affects voice and video quality. It causes voice and video
clipping and skips. It is caused by several factors: congested links, improper QoS configuration, bad packet buffer management, and routing issues. Packet loss is also caused by
packets received outside of the dejitter buffer range, which are packets that are discarded.
Cisco VoIP uses 20-ms samples of voice payload per VoIP packet. Codec algorithms can
then correct up to 30 ms of lost voice. For the codec correction to be effective, only 1
packet can be lost during any given time. When this occurs, the DSP interpolates the conversation with what it thinks the audio should be.
Echo Cancellation
In phone calls, sometimes speech is echoed back to the speaker. This is usually caused by
an impedance mismatch. Echo cancellation involves first recognizing the originally transmitted signal that reappears, with some delay, in the transmitted or received signal. Once
the echo is recognized, it can be removed by subtracting it from the transmitted or received signal. The ITU-T specifies that echo delays of more than 15 ms should be suppressed with
echo cancellers. Echo delays up to 15 ms do not need to be suppressed.
QoS and Bandwidth Mechanisms for VoIP and Video Networks
Cisco provides different QoS tools that you should use on edge and backbone routers to
support VoIP networks. First, the CCDA should understand the different categories of
QoS mechanisms:
■ Classification: Process that identifies the class or group a packet belongs to. Matches
are based on protocol, input port, IP precedence, DSCP, or 802.1P class of service
(CoS). Classification is accomplished using class maps, access lists, and route maps.
■ Marking: Process of marking packets with differentiated services code point (DSCP)
values for QoS.
■ Congestion avoidance: Mechanism that seeks to avoid congestion by preemptively
dropping packets to signal traffic flows to slow sending rates. Examples are Weighted
Random Early Discard (WRED) and Distributed WRED (DWRED).
■ Traffic conditioners: These are of two types: traffic shaper and policer. The shaper
delays excessive traffic by using a buffer or queuing mechanism and shapes the flow
of traffic. Traffic policing drops traffic or reclassifies excessive traffic to a lower priority. Frame Relay Traffic Shaping and Committed Access Rate (CAR) are examples.
Figure 14-25 shows the differences.
■ Congestion management: These queuing algorithms segregate traffic and use a
determined method to prioritize traffic. Examples are weighted fair queuing (WFQ),
priority queuing (PQ), custom queuing (CQ), class-based WFQ (CBWFQ), and low-latency queuing (LLQ).
■ Link efficiency: Tools used to improve QoS characteristics on specific links within a
network. Examples are Compressed RTP and LFI.
Figure 14-25 Policing and Shaping of Traffic (traffic over time with policing, and traffic over time with shaping)
Several QoS and bandwidth management mechanisms are used on VoIP networks:
■ cRTP
■ IEEE 802.1Q/P
■ RSVP
■ LFI
■ LLQ
■ Auto QoS
cRTP
cRTP was covered in an earlier section. It compresses the IP/UDP/RTP headers from 40
bytes to 2 or 4 bytes. It is configured on a link-to-link basis. Cisco recommends using
cRTP for links lower than 768 kbps. Do not configure cRTP if the router CPU is above 75
percent utilization.
IEEE 802.1P
The IEEE 802.1P signaling technique is an OSI Layer 2 standard for prioritizing network
traffic at the data link/MAC sublayer. It can also be defined as best-effort QoS at Layer 2.
IEEE 802.1P traffic is simply classified and sent to the destination; no bandwidth reservations are established.
IEEE 802.1P is a spin-off of the 802.1Q VLAN trunking standard. The 802.1Q standard
specifies a tag that appends to a MAC frame. The VLAN tag carries VLAN information.
The VLAN tag has two parts: the VLAN ID (12 bit) and Prioritization (3 bit). The Prioritization field was never defined in the VLAN standard. The 802.1P implementation defines
this Prioritization field.
802.1P establishes eight levels (3 bits) of priority similar to IP precedence. Network
adapters and switches route traffic based on the priority level. Using Layer 3 switches allows you to map 802.1P prioritization to IP precedence before forwarding to routers.
Resource Reservation Protocol
Resource Reservation Protocol (RSVP) is a signaling protocol that enables end stations or
applications to obtain special QoS for their data flows. Basically, RSVP reserves bandwidth for the application. RSVP does not transport application data but is rather an Internet control protocol, like Internet Control Message Protocol (ICMP), Internet Group
Management Protocol (IGMP), or routing protocols. RSVP is also known as Resource
Reservation Setup Protocol. You can find the IETF charter at www.ietf.org/html.charters/rsvp-charter.html. The first “standards” version of the protocol can be found in RFC 2205.
RSVP is used by a host to request specific QoS from the network for particular application data streams or flows. RSVP requests generally result in resources being reserved in
each node along the data path.
LFI
LFI is a QoS mechanism used to reduce the serialization delay. In a multiservice network,
small VoIP packets have to compete with large data traffic packets for outbound interfaces. If the large data packet arrives at the interface first, the VoIP packet has to wait until
the large data packet has been serialized. When the large packet is fragmented into smaller
packets, the VoIP packets can be interleaved between the data packets. Figure 14-26
shows how LFI works. With no LFI, all VoIP packets and other small packets must wait
for the FTP data to be transmitted. With LFI, the FTP data packet is fragmented. The
queuing mechanism then can interleave the VoIP packets with the other packets and send
them out the interface.
FRF.12 is a fragmentation and interleaving mechanism specific to Frame Relay networks. It
is configured on Frame Relay permanent virtual circuits (PVC) to fragment large data
packets into smaller packets and interleave them with VoIP packets. This process reduces
the serialization delay caused by larger packets.
LLQ
As shown in Figure 14-27, LLQ provides a strict-priority queue for VoIP traffic. LLQ then
is configured with multiple queues to guarantee bandwidth for different classes of traffic.
Other traffic is WFQ’d based on its classification. With LLQ, all voice call traffic is as-
class. It also reduces jitter for voice and video streams because it gives priority to those
traffic types. With LLQ for Frame Relay, queues are set up on a per-PVC basis. Each PVC
has a PQ to support voice traffic. This congestion management method is considered the
most optimal for voice.
Figure 14-26 LFI (without LFI, the IP voice and HTTP packets in the transmit queue wait behind the FTP data on the output line; with LFI, the FTP data is fragmented and the voice packets are interleaved between the fragments)
Figure 14-27 LLQ (classification feeds a priority queue for the Priority class, Reserved Queues 1 and 2 for Classes 1 and 2, and the Unreserved Queue for the Default class; the WFQ scheduler feeds the interface output)
If multiple classes are configured for LLQ, they share a single queue but are allocated
bandwidth and policed individually. It is recommended that you place only voice in the
priority queue, because voice traffic typically is well behaved, requiring fixed maximum
amounts of bandwidth per call. The voice traffic is identified by IP precedence bits set to a
value of 5 or a DSCP of Expedited Forwarding (EF) with values of 101xxx. Introducing
video or other variable-rate, real-time or non-real-time traffic types could cause unacceptable jitter for the voice traffic. Video traffic normally is set to AF41 (100010), and signaling normally is set to an IP precedence of 3 or a DSCP of 011xxx.
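To make the markings and the queue behavior above concrete, an added Python example (not the book's or Cisco IOS code) that decodes DSCP values into PHB names and runs one LLQ scheduling window: EF policed in the strict-priority queue, AF41 video and CS3 signaling in reserved classes, the rest in class-default. The link rate, class bandwidths and traffic mix are constructed design values.

```python
"""DSCP decoding and one LLQ scheduling window: EF into the strict-priority
queue (policed to its rate), AF41 video and CS3 signaling into bandwidth-
guaranteed classes, everything else into the unreserved class-default.

Added example, not from the book or Cisco IOS. Link rate, class bandwidths and
the one-second window are constructed; EF = 46, AF41 = 34, CS3 = 24 are the
standard DSCP values the text names."""
from collections import deque

CLASSES = ("voice", "video", "signaling", "class-default")
LINK_BPS = 512_000
PRIORITY_BPS = 128_000                                   # strict-priority queue, policed
RESERVED_BPS = {"video": 192_000, "signaling": 32_000}   # CBWFQ minimum guarantees


def dscp_name(dscp):
    """PHB name for a 6-bit DSCP: EF, AFxy (class x, drop precedence y), CSx, or DSCPn."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 0b101110:                  # EF = 46
        return "EF"
    hi, lo = dscp >> 3, dscp & 0b111      # class selector bits, low three bits
    if lo == 0:
        return f"CS{hi}"
    if 1 <= hi <= 4 and lo in (2, 4, 6):  # AF classes 1-4, drop precedence 1-3
        return f"AF{hi}{lo // 2}"
    return f"DSCP{dscp}"


def ip_precedence(dscp):
    """Top three DSCP bits; 802.1P CoS (0-7) is mapped onto the same range at Layer 3."""
    return dscp >> 3


def classify(dscp):
    """Map a marking to an LLQ class: only EF voice goes to the priority queue."""
    name = dscp_name(dscp)
    if name == "EF":
        return "voice"
    if name.startswith("AF4"):
        return "video"
    if name == "CS3":
        return "signaling"
    return "class-default"


def llq_schedule(packets, window_s=1.0):
    """Serve one window of packets [(dscp, bytes), ...]; return per-class bytes
    sent, dropped (policed voice) and deferred (still queued at window end)."""
    queues = {c: deque() for c in CLASSES}
    for dscp, size in packets:
        queues[classify(dscp)].append(size)
    stats = {c: {"sent": 0, "dropped": 0, "deferred": 0} for c in CLASSES}
    budget = LINK_BPS * window_s / 8          # bytes the link carries in this window

    def drain(cls, limit):
        """Send whole packets from cls while they fit within limit; return bytes sent."""
        q, out = queues[cls], 0
        while q and q[0] <= limit - out:
            out += q.popleft()
        stats[cls]["sent"] += out
        return out

    # 1. Strict priority for voice, but policed: bytes above PRIORITY_BPS are
    #    dropped, so a misbehaving flow in the PQ cannot starve the other classes.
    budget -= drain("voice", min(PRIORITY_BPS * window_s / 8, budget))
    stats["voice"]["dropped"] = sum(queues["voice"])
    queues["voice"].clear()
    # 2. Minimum bandwidth guarantees for the reserved classes.
    for cls, bps in RESERVED_BPS.items():
        budget -= drain(cls, min(bps * window_s / 8, budget))
    # 3. Leftover bandwidth is shared round-robin by the classes with a backlog
    #    (IOS shares the excess in proportion to class bandwidth; equal shares here).
    progress = True
    while budget > 0 and progress:
        progress = False
        for cls in CLASSES:
            if queues[cls] and queues[cls][0] <= budget:
                budget -= drain(cls, queues[cls][0])
                progress = True
    for cls in CLASSES:
        stats[cls]["deferred"] = sum(queues[cls])
    return stats


# Constructed one-second traffic mix: 120 G.711-sized EF packets (more than the
# PQ is policed to), 30 AF41 video packets, 10 CS3 signaling packets, 40 best-effort.
SAMPLE_PACKETS = ([(46, 160)] * 120 + [(34, 1000)] * 30
                  + [(24, 200)] * 10 + [(0, 1500)] * 40)

if __name__ == "__main__":
    for cls, s in llq_schedule(SAMPLE_PACKETS).items():
        print(f"{cls:14s} sent={s['sent']:6d} dropped={s['dropped']:5d} deferred={s['deferred']:6d}")
```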
Auto QoS
Auto QoS is a Cisco IOS feature that uses a simpler command-line interface (CLI) to enable QoS for VoIP in WAN and LAN environments. Auto QoS significantly reduces the
number of configuration lines necessary to support VoIP in the network.
For the WAN, Auto QoS provides the following capabilities:
■ Automatically classifies RTP and VoIP control packets
■ Builds VoIP Modular QoS in the Cisco IOS software
■ Provides LLQ for VoIP bearer traffic
■ Provides minimum-bandwidth guarantees by using CBWFQ for VoIP control traffic
For the LAN, Auto QoS provides the following capabilities:
■ Enforces a trust boundary at the Cisco IP phone
■ Enforces a trust boundary on the Catalyst switch access and uplink and downlink ports
■ Enables strict-priority queuing and weighted round robin for voice and data traffic
■ Modifies queue admission criteria by performing CoS-to-queue mapping
■ Modifies queue sizes and queue weights where required
■ Modifies CoS-to-DSCP and IP precedence-to-DSCP mappings
AutoQoS is beneficial for small and medium-size businesses that need to deploy IPT
quickly but lack the experience and staffing to plan and deploy IP QoS services.
AutoQoS also benefits large customer enterprises that need to deploy Cisco IPT on a
large scale while reducing the costs, complexity, and timeframe for deployment and ensuring that the appropriate QoS for voice applications is being set consistently.
Table 14-14 summarizes QoS schemes used with IPT.
Table 14-14 QoS Scheme Summary

QoS Scheme | Description
-----------|---------------------------------------------------------------------------
cRTP       | Compressed RTP. Compresses the IP/UDP/RTP headers from 40 bytes to 2 or 4 bytes.
LFI        | Link fragmentation and interleaving. Fragments large data packets and interleaves VoIP packets between them.
LLQ        | Uses a single strict queue for RTP traffic. Differentiated QoS available for all other traffic.
AutoQoS    | AutoQoS is a Cisco IOS feature that enables QoS for VoIP in WAN and LAN environments. AutoQoS significantly reduces the number of configuration lines necessary to support VoIP in the network.
IPT Design Recommendations
The following are some best-practice recommendations when implementing IPT:
■ Use separate VLANs and IP subnets for IP phones and data to provide ease of management and simplified QoS configuration.
■ Use private IP addresses for IP phone subnets to allow for more security to voice
devices.
■ Place CallManager and Unity servers on filtered VLAN/IP subnets in the server access layer in the data center.
■ Use IEEE 802.1Q trunking and 802.1P to allow for prioritization at Layer 2.
■ Extend QoS trust boundaries to voice devices but not to PCs and other data devices.
■ In the access layer, use multiple egress queues to provide priority queuing of RTP
voice streams.
■ Use DSCP for classification and marking.
■ Use LLQ on WAN links.
■ Use LFI on WAN links less than 768 kbps.
■ Use CAC to avoid oversubscription of circuits.
IEEE 802.1Q should be configured on the PoE LAN switch ports to allow a voice VLAN
for the IP phone and a data VLAN for the PC connected to the IP phone. These VLANs
should be on separate IP subnets, and the IP phone should be an RFC 1918 private address
subnet. Furthermore, the CallManager servers should be placed on a separate IP subnet in
the data center. This lets you restrict access to the IPT environment.
IPT voice packets should be marked with a DSCP of EF (IP precedence 5), and signaling
packets should be marked with AF31 (IP precedence 3). This allows QoS schemes to give
precedence to the marked packets. LLQ takes the EF marked packets and places them in
the strict-priority queue, guaranteeing bandwidth for voice. LFI should be configured on
packets. LFI and LLQ also reduce jitter in IPT conversations.
CAC should be used to keep excess voice traffic from the network by ensuring that there
is enough bandwidth for new calls. Call admission control (CAC) is used to control the
number of calls to reduce the WAN bandwidth for a site that has IPT. CAC is configured
for the site on the CUCM servers. A maximum bandwidth or maximum number of calls is
provisioned for the site. CAC enforces a maximum number of calls between two locations to ensure that call quality will not be degraded by allowing more calls than a network can support. CAC causes excessive calls between two locations to be refused. The
IPT system must then either reroute the call to a different available path, such as the PSTN,
or deny the call.
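An added example (not from the book and not CUCM's implementation) of the locations-style CAC described above: a per-site bandwidth pool admits calls while room remains, and a refused call is rerouted to the PSTN or denied. The pool size and call sequence are constructed; the 11,200 bps per call is the chapter's G.729 with cRTP figure.

```python
"""Locations-style call admission control for a remote site: a bandwidth pool
per location, calls admitted only while the pool has room, and refused calls
handed to PSTN rerouting or denied.

Added example, not from the book and not CUCM's implementation. The 11,200 bps
per call is the book's G.729 + cRTP result; the site pool sized for four such
calls is a constructed design value."""
from dataclasses import dataclass, field

G729_CRTP_BPS = 11_200   # per-call bandwidth from the worked example earlier in the chapter


@dataclass
class Location:
    """Per-site CAC pool: max_bps is what the design provisioned for voice."""
    name: str
    max_bps: int
    active: dict = field(default_factory=dict)   # call_id -> reserved bps

    @property
    def in_use_bps(self):
        return sum(self.active.values())

    @property
    def max_calls(self):
        """How many G.729 + cRTP calls the provisioned bandwidth supports."""
        return self.max_bps // G729_CRTP_BPS

    def admit(self, call_id, call_bps):
        """Reserve bandwidth for a call, or refuse it when the pool would overflow."""
        if call_id in self.active or self.in_use_bps + call_bps > self.max_bps:
            return False
        self.active[call_id] = call_bps
        return True

    def release(self, call_id):
        """Return the call's bandwidth to the pool when the call ends."""
        self.active.pop(call_id, None)


def route_call(location, call_id, call_bps=G729_CRTP_BPS, pstn_available=True):
    """CAC decision for a new call to this location: 'ip-wan' when admitted,
    'pstn' when refused but a PSTN path exists, otherwise 'denied'."""
    if location.admit(call_id, call_bps):
        return "ip-wan"
    return "pstn" if pstn_available else "denied"


def run_call_log(location, events, pstn_available=True):
    """Replay ('setup', id) / ('teardown', id) events; return (id, decision) per setup."""
    decisions = []
    for kind, call_id in events:
        if kind == "setup":
            decisions.append((call_id, route_call(location, call_id, pstn_available=pstn_available)))
        else:
            location.release(call_id)
    return decisions


# Constructed scenario: a pool for four G.729 + cRTP calls (44,800 bps), five
# calls set up back to back, one torn down, then a sixth attempt.
SAMPLE_EVENTS = [("setup", f"c{i}") for i in range(1, 6)] + [("teardown", "c2"), ("setup", "c6")]

if __name__ == "__main__":
    site = Location("branch-1", max_bps=4 * G729_CRTP_BPS)
    for call_id, decision in run_call_log(site, SAMPLE_EVENTS):
        print(f"{call_id}: {decision} (in use {site.in_use_bps} of {site.max_bps} bps)")
```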
Service Class Recommendations
RFC 4594, Configuration Guidelines for DiffServ Services Classes (updated by RFC
5865), provides guidelines for specifying services. Six of these are specific for voice or
video traffic. The 12 service classes are as follows:
■ Network Control: For routing and network control functions
■ Operations, Administration, and Management (OAM): For network configuration and management functions
■ Telephony: Includes VoIP and circuit emulation
■ Signaling: For peer-to-peer and client/server signaling, such as SIP, MGCP, H.323, and H.248
■ Multimedia Conferencing: For applications that can change their encoding rate, such as H.323/V2
■ Real-Time Interactive: For RTP/UDP streams for video conferencing applications that cannot change the encoding rate
■ Multimedia Streaming: For variable-rate elastic streaming media applications and webcasts
■ Broadcast Video: For inelastic streaming media with low jitter and low packet loss, such as broadcast TV, video surveillance, and security
■ Low-Latency Data: For data processing applications, such as web-based ordering
■ High-Throughput Data: For store-and-forward applications, such as FTP
■ Standard: For traffic that has not been identified for any preferential treatment
■ Low-Priority Data: For traffic types that do not require any bandwidth assurance
Cisco modified some of the DSCP per-hop behavior (PHB) recommendations (switched
broadcast video and call signaling, for example) from the RFC and added queuing and
dropping recommendations for MediaNetworks. Table 14-15 summarizes these.
Table 14-15 Cisco Service Class PHB Recommendations

Application Class                              | DSCP PHB | Queuing and Dropping  | Applications
-----------------------------------------------|----------|-----------------------|----------------------------------------------------------------------
Network Control                                | CS6      | BW queue              | Network routing, EIGRP, OSPF, BGP, HSRP, IKE
Telephony                                      | EF       | PQ                    | IPT bearer traffic, VoIP, G.711, G.729
Broadcast Video                                | CS5      | PQ (optional)         | Cisco IP video surveillance
Multimedia Conferencing                        | AF4      | BW queue + DSCP WRED  | H.323/V2 video conferencing; Cisco Unified Personal Communicator
Real-Time Interactive                          | CS4      | PQ (optional)         | Video conferencing and interactive gaming; TelePresence
Multimedia Streaming                           | AF3      | BW queue + DSCP WRED  | Streaming video and audio on demand; Cisco Digital Media System (VoD)
Call Signaling                                 | CS3      | BW queue              | IPT signaling, H.323, SCCP, SIP
Low-Latency Transactional Data                 | AF2      | BW queue + DSCP WRED  | Client/server, web-based ordering, Webex, MeetingPlace, ERP apps
Operations, Administration, Management (OAM)   | CS2      | BW queue              | OAM&P, SNMP, SSH, syslog
High-Throughput Bulk Data                      | AF1      | BW queue + DSCP WRED  | Store-and-forward apps, email, FTP, backup
Low-Priority Scavenger Data                    | CS1      | Minimum BW queue      | Flows with no bandwidth assurance, YouTube, BitTorrent, Xbox
Standard Best Effort                           | CS0      | Default queue + WRED  | Default class
References and Recommended Readings
RFC 3435, Media Gateway Control Protocol (MGCP) Version 1.0, www.ietf.org/rfc.
RFC 2705, Media Gateway Control Protocol (MGCP) Version 1.0, www.ietf.org/rfc.
RFC 1890, RTP Profile for Audio and Video Conferences with Minimal Control, www.ietf.org/rfc.
RFC 1889, RTP: A Transport Protocol for Real-Time Applications, www.ietf.org/rfc.
RFC 2543, SIP: Session Initiation Protocol, www.ietf.org/rfc.
Keagy, S. Integrating Voice and Data Networks. Indianapolis: Cisco Press, 2000.
Kotha, S. “Deploying H.323 Applications in Cisco Networks” (white paper), www.cisco.com/warp/public/cc/pd/iosw/ioft/mmcm/tech/h323_wp.htm.
Lovell, D. Cisco IP Telephony. Indianapolis: Cisco Press, 2002.
McQuerry, S., K. McGrew, and S. Foy. Cisco Voice over Frame Relay, ATM, and IP. Indianapolis: Cisco Press, 2001.
Reference Guide, Packet Voice Networking, www.cisco.com/warp/public/cc/pd/rt/mc3810/prodlit/pvnet_in.htm.
Tech Notes: Voice Network Signaling and Control, www.cisco.com/warp/public/788/signalling/net_signal_control.html.
Voice over IP: Per Call Bandwidth Consumption, www.cisco.com/warp/public/788/pkt-voice-general/bwidth_consume.htm.
Cisco Recommendations for MediaNets, www.cisco.com/en/US/docs/solutions/Enterprise/Video/qosmrn.html.
www.erlang.com/
RFC 3261, SIP: Session Initiation Protocol, www.ietf.org/rfc.
RFC 3262, Reliability of Provisional Responses in the Session Initiation Protocol (SIP), www.ietf.org/rfc.
RFC 3263, Session Initiation Protocol (SIP): Locating SIP Servers, www.ietf.org/rfc.
RFC 3264, An Offer/Answer Model with the Session Description Protocol (SDP), www.ietf.org/rfc.
RFC 3265, Session Initiation Protocol (SIP)-Specific Event Notification, www.ietf.org/rfc.
RFC 4594, Configuration Guidelines for Diffserv Service Classes, www.ietf.org/rfc.
RFC 2508, Compressing IP/UDP/RTP Headers for Low-Speed Serial Links, www.ietf.org/rfc.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the
outer margin of the page. Table 14-16 lists a reference of these key topics and the page
numbers on which each is found.
Table 14-16 Key Topics

Key Topic Element | Description                                         | Page
------------------|-----------------------------------------------------|-----
List              | Ports                                               | 520
Summary           | CAS and CCS signaling                               | 524
Summary           | Voice engineering terminology                       | 528
List              | IPT components                                      | 532
Summary           | Design goals for IPT                                | 534
List              | IPT deployment models                               | 535
Table 14-6        | Data, voice, and video sensitivities to packet loss | 538
Table 14-8        | Codec standards                                     | 541
Summary           | VoIP control and transport protocols                | 541
Summary           | Delay components                                    | 552
List              | QoS mechanisms                                      | 555
List              | IPT design recommendations                          | 560
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory
Tables Answer Key,” also on the CD, includes completed tables and lists to check your
work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
ACD, BHT, CAC, CCS, CDR, CO, Centrex, codec, companding, cRTP, CUCM, Erlang, E&M, FXS, FXO, gatekeeper, gateway, GoS, H.323, LLQ, MGCP, MOS, OAM,
PSTN, PBX, RSVP, RTP, RTCP, SCCP, SIP, SS7, VAD
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. True or false: LLQ is recommended for VoIP networks.
2. True or false: H.323 is an IETF standard, and SIP is an ITU standard for multimedia
protocols.
3. True or false: An Erlang is a unit that describes the number of calls in an hour.
4. What do you implement to stop packets from being transmitted when there is silence
in a voice conversation?
5. The variable delay of received VoIP packets is corrected with what kind of buffers?
6. True or false: Common Channel Signaling uses a separate channel for signaling.
7. True or false: FXO ports are used for phones, and FXS ports connect to the PSTN.
8. True or false: SS7 provides mechanisms for exchanging control and routing messages
in the PSTN.
9. An organization uses what kind of system to gather and provide information for the
customer before transferring her to an agent?
10. An organization uses what kind of system to route calls to agents based on the agent
skill group or call statistics?
11. In addition to codec selection, both _______ and _______ can be used to reduce the
bandwidth of VoIP calls.
12. Label each of the following delays as fixed or variable:
a. Processing
b. Dejitter buffer
c. Serialization
d. Queuing
e. Propagation
13. How can you reduce serialization delay?
14.
15. True or false: The maximum one-way delay in the G.114 recommendation for acceptable voice is 200 ms.
16. True or false: FRF.12 is an LFI standard used in networks with VoFR and VoIP over
Frame Relay.
17. An assessment of a network determines that the average round-trip time between two
sites is 250 ms. Can an IPT solution be implemented between the sites?
18. Match each protocol with its description:
i. DHCP
ii. SCCP
iii. RTP
iv. H.323
v. TFTP
a. Transports coded voice streams
b. Controls Cisco IOS gateways
c. Provides call signaling between Cisco IP phones and CUCM
d. Provides IP address
e. Provides phone configuration
19. Match each CM deployment model with its description:
i. Single-site deployment
ii. Multisite WAN with distributed call processing
iii. Multisite WAN with centralized call processing
a. Single CUCM cluster with SRST at remote sites
b. Single CUCM cluster implemented in a large building
c. Multiple CUCM clusters
20. Match each component with its Cisco IPT functional area:
i. CUCM
ii. Layer 3 switch
iii. Digital gateway
iv. Unity
a. Service applications
b. Call processing
c. Client endpoint
d. Infrastructure
21. Which protocol is preferred for inter-PBX trunks?
a. SS7
b. RTP
c. Q.SIG
d. DTMF
22. cRTP compresses the IP/UDP/RTP header to what size?
a. 2 or 4 bytes
b. 2 or 5 bytes
c. 40 bytes
d. It compresses the RTP header only.
23. The steps of converting an analog signal to digital format occur in which order?
a. Sampling, filtering, digitizing
b. Filtering, sampling, digitizing
c. Digitizing, filtering, sampling
d. Sampling, digitizing, filtering
24. Digitizing is divided into which two processes?
a. Filtering and sampling
b. Expanding and filtering
c. Companding, and quantizing and coding
d. Sampling, and quantizing and coding
25. Which of the following are goals of IP telephony?
a. Use the existing IP infrastructure
b. Provide lower cost of ownership
c. Provide greater flexibility in voice communications
d. All of the above
26. An analysis of a 384-kbps WAN link shows complaints of voice quality issues between two sites when large file transfers take place. The circuit is running at 45 percent utilization. What QoS schemes should be implemented to alleviate this?
a. CQ and cRTP
b. LFI and cRTP
c. LLQ
d. All of the above
27. Which codec is recommended for use in WAN links?
a. G.711
b. G.723
c. G.726
d. G.729
28. Which technology reduces the amount of bandwidth used? (Select all that apply.)
a. QoS
b. LFI
c. cRTP
d. VAD
29. Which of the following statements is true?
a. CAC prevents voice calls from affecting other voice calls.
b. CAC prevents voice calls from affecting data bandwidth.
c. CAC prevents data from affecting voice calls.
d. CAC prevents data from affecting other data traffic.
30. What IPT component contains the dial plan and is used to register IP phones?
a. Gateway
b. Unity server
c. Gatekeeper
d. Cisco Unified CallManager
31. Which are drivers for Unified Communications?
a. Better quality
b. Reduce WAN costs
c. Flexibility to carry data, voice and video
d. Efficient integration with legacy PSTN infrastructure
e. Improvement of QoS on the network
32. Match the H.323 component with its description.
a. Gateway
b. Gatekeeper
c. MCU
d. Terminal
i. IP phone
ii. Manages multipoint conferences
iii. Call control and signaling
iv. Provides translation services between H.323 endpoints
33. Which IPT component provides the call processing component?
a. Cisco Call Processing Manager
b. Cisco Gateway Manager
c. Cisco Unified Communications Manager
d. Cisco IP Contact Center
34. Which protocol is used for communications between two IP endpoints?
a. SCCP
b. SIP
c. H.323
d. MGCP
e. RSVP
f. CAC
g. CUCM
h. RTP
35. Which protocol is an IETF-defined application layer control protocol used to establish and terminate calls between two or more endpoints?
a. SCCP
b. SIP
c. H.323
d. MGCP
e. RSVP
f. CAC
g. CUCM
h. RTP
36. Which protocol is defined in RFC 3661 and used by CUCM to control gateways?
a. SCCP
b. SIP
c. H.323
d. MGCP
e. RSVP
f. CAC
g. CUCM
h. RTP
37. Which services from the Media Services Framework provide capture of media
streams?
a. Access services
b. Transport services
c. Bridging services
d. Storage services
e. Session control services
f. Application services
g. Endpoint services
h. Reliable services
38. Which services from the Media Services Framework provide transcoding?
a. Access services
b. Transport services
c. Bridging services
d. Storage services
e. Session control services
f. Application services
g. Endpoint services
h. Reliable services
39. Which traffic type is recommended for AF4 PHB?
a. Network control
b. Telephony
c. Broadcast video
d. Multimedia conferencing
e. Real time
f. OAM
g. FTP
h. YouTube
40. Which traffic type is recommended for CS2 PHB?
a. Network control
b. Telephony
c. Broadcast video
d. Multimedia conferencing
e. Real time
f. OAM
g. FTP
h. YouTube
41. Which traffic type is recommended for CS4 PHB?
a. Network control
b. Telephony
c. Broadcast video
d. Multimedia conferencing
e. Real time
f. OAM
g. FTP
h. YouTube
42. Which CODEC generates an 8-kbps bit rate?
a. G.711
b. G.726
c. G.728
d. G.729
e. G.723
43. Which CODEC generates a 64-kbps bit rate?
a. G.711
b. G.726
c. G.728
d. G.729
e. G.723
44. Which is the recommended QoS mechanism for VoIP networks?
a. WRED
b. PQ
c. WFQ
d. LLQ
e. DSCP
45. How much bandwidth is generated by Cisco TelePresence 3000 at 1080p?
a. 12.3 Mbps
b. 4.1 Mbps
c. 6 Mbps
d. 768 kbps
e. 2 Mbps
46. How much bandwidth is generated by VT Advantage?
a. 12.3 Mbps
b. 4.1 Mbps
c. 6 Mbps
d. 768 kbps
e. 2 Mbps
Use both the scenario described in the following paragraph and Figure 14-28 to
answer the following questions.
The client has an existing Frame Relay network, as shown in Figure 14-28. The network has a large site and 50 small remote sites. The client wants a design for a VoIP
network. The client wants to provide differentiated CoS for the voice, Systems Network Architecture (SNA), FTP, and other traffic.
Figure 14-28 Client’s Current Frame Relay Network (the Main Site connects over Frame Relay to Remote Sites 1 through 50)
47. Based on the current network diagram, which Cisco IPT deployment model should
you recommend?
48. What feature should you recommend to provide call processing in the event of a
WAN failure?
49. Which queuing technique should you recommend?
50. For Site 1, the current data traffic is 512 kbps, and video traffic is 0. What is the minimum bandwidth required to support four concurrent VoIP G.729 calls plus the data
traffic to the site?
51. Should you implement a multisite WAN with centralized call processing CUCM
cluster?
52. What feature can you use to reduce bandwidth over the WAN links?
53. Which LFI technique should you use to reduce the serialization delay?
This chapter covers the following subjects:
■ Simple Network Management Protocol
■ Other Network Management Technologies
CHAPTER 15
Network Management Protocols
This chapter introduces the following network management protocols and components:
Simple Network Management Protocol (SNMP), Management Information Base (MIB),
Remote Monitoring (RMON) protocol, Cisco Discovery Protocol (CDP), and the use of
NetFlow and system logging (syslog).
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in
this chapter’s topics.
The ten-question quiz, derived from the major sections in the “Foundation Topics” portion
of the chapter, helps you determine how to spend your limited study time.
Table 15-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 15-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
Simple Network Management Protocol | 1, 2, 3, 4, 6, 8
Other Network Management Technologies | 5, 7, 9, 10
1. Which version of SNMP introduces security extensions for authentication and encryption?
a. SNMPv1
b. SNMPv2
c. SNMPv3
d. SNMPv4
2. SNMP runs over which protocol?
a. TCP
b. UDP
c. IP
d. MIB
3. Which SNMP component contains an agent?
a. Managed device
b. Agent
c. NMS manager
d. MIB
4. Which SNMP component is a collection of information that is stored on the local agent?
a. Managed device
b. Agent
c. NMS manager
d. MIB
5. CDP is an acronym for which Cisco function?
a. Collection Device Protocol
b. Cisco Device Protocol
c. Campus Discovery Protocol
d. Cisco Discovery Protocol
6. Which SNMP operation obtains full table information from an agent?
a. Get
b. GetNext
c. GetBulk
d. Inform
7. RMON1 provides information at what levels of the OSI model?
a. Data link and physical
b. Network, data link, physical
c. Transport and network
d. Application to network
8. Which of the following is not an SNMP operation?
a. Get
b. Community
c. Set
d. Trap
Chapter 15: Network Management Protocols
9. Which solution gathers information that can be used for accounting and billing applications?
a. RMON
b. NetFlow
c. CDP
d. Syslog
10. What is CDP?
a. Client/server protocol
b. Hello-based protocol
c. Network management agent
d. Request-response protocol
Foundation Topics
After a new network is designed, installed, and configured, it must be managed by the
operations team. Network management tools are used to gather operating statistics and
to manage devices. Statistics are gathered on WAN bandwidth utilization, router CPU
and memory utilization, and interface counters. Configuration changes are also made
through network management tools such as CiscoWorks. The ISO defines five types of
network management processes that are commonly known as FCAPS. These processes
are as follows:
■ Fault management: Refers to detecting and correcting network fault problems
■ Configuration management: Refers to baselining, modifying, and tracking configuration changes
■ Accounting management: Refers to keeping track of circuits for billing of services
■ Performance management: Measures the network’s effectiveness at delivering packets
■ Security management: Tracks the authentication and authorization information
Network management is supported by the elements listed in Table 15-2.
Table 15-2 Network Management Elements
Network Management Element | Description
NMS | Network management systems run the applications that manage and monitor managed devices.
Network management protocols and standards | These are used to exchange management information between the NMS and the managed devices. The key protocols and standards are SNMP, MIB, and RMON.
Managed devices | These are the devices managed by the NMS.
Management agents | Reside in the managed devices and include SNMP agents and RMON agents.
The protocols and tools described in this chapter perform some of these functions. SNMP is the underlying protocol used for network management. Agents are configured in managed devices (routers) that allow the NMS to manage the device. RMON is used for advanced monitoring of routers and switches. CDP is a Cisco-proprietary protocol that allows the discovery of Cisco devices. NetFlow is a network monitoring solution that allows for greater scalability than RMON. Syslog allows system messages and error events to be gathered for review.
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is an IP application layer protocol that has
become the standard for the exchange of management information between network devices. SNMP was initially described in RFC 1157. It is a simple solution that requires little
code to implement, which allows vendors to build SNMP agents on their products.
SNMP runs over User Datagram Protocol (UDP) and therefore does not inherently provide
for sequencing and acknowledgment of packets, but it still reduces the amount of overhead used for management information.
SNMP Components
SNMP has three network-managed components:
■ The managed devices
■ The agent that resides on the managed device
■ The NMS
Figure 15-1 shows the relationship between these components.
Figure 15-1 SNMP Components: the Network Management System exchanges SNMP messages with the agent that resides on each managed device (two managed devices, each with its own agent, are shown).
A managed device is a router or LAN switch or any other device that contains an SNMP
agent. These devices collect and store management information and make this information
available to the NMS. SNMP community strings (passwords) are configured on routers
and switches to allow for SNMP management.
The agent is the network management software that resides in the managed device. The
agent gathers the information and puts it in SNMP format. It responds to the manager’s request for information and also generates traps.
for network management. It polls agents on the network and correlates and displays the
management information.
MIB
A Management Information Base (MIB) is a collection of information that is stored on the
local agent of the managed device. MIBs are organized hierarchically and are accessed by
the NMS. MIBs are databases of objects organized in a tree-like structure, with each
branch containing similar objects. Each object has a unique object identifier (number) that
uniquely identifies the managed object of the MIB hierarchy. Read and write community
strings are used to control access to MIB information.
The top-level MIB object IDs belong to different standards organizations, and lower-level
object IDs are allocated to associated organizations. Standard MIBs are defined by RFCs.
Vendors define private branches that include managed objects for their products. Figure
15-2 shows a portion of the MIB tree structure. RFC 1213 describes the MIBs for TCP/IP.
Cisco defines the MIBs under the Cisco head object. For example, a Cisco MIB can be
uniquely identified by either the object name, iso.org.dod.internet.private.enterprise.cisco,
or the equivalent object descriptor, 1.3.6.1.4.1.9.
Figure 15-2 MIB Tree Structure (reconstructed from the figure labels):
ccitt (0)
iso (1)
  mem (2)
  org (3)
    dod (6)
      internet (1)
        mgmt (2)
          mib (1)
            system (1)
            IP (4)
            TCP (6)
            UDP (7)
            SNMP (11)
        exp (3)
        private (4)
          enterprise (1)
            cisco (9)
        sec (5)
Each individual manageable feature in the MIB is called a MIB variable. The MIB module
is a document that describes each manageable feature that is contained in an agent. The
MIB module is written in Abstract Syntax Notation 1 (ASN.1). Three ASN.1 data types are
required: name, syntax, and encoding. The name serves as the object identifier. The syntax
defines the object’s data type (integer or string). The encoding data describes how information associated with a managed object is formatted as a series of data items for transmission on the network. Some examples of standard managed objects that can be
obtained from the MIB tree are as follows:
■ Interfaces
■ Buffers
■ Memory
■ Standard protocols
From the Cisco private tree, you can obtain additional information such as the following:
■ Small, medium, large buffers
■ Primary and secondary memory
■ Proprietary protocols (Enhanced Interior Gateway Routing Protocol [EIGRP], for example)
You can find more specific information about Cisco MIBs at www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
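The name-to-number mapping the text describes can be checked by hand against Figure 15-2, but it is easier to see with a small model of the tree. The following is an added example, not code from the book or from Cisco: it encodes the branches shown in the figure (plus the RMON branch at 1.3.6.1.2.1.16 from the RMON section) and translates between object names and numeric OIDs in both directions. Node names follow the RFC 1213 spelling where the figure abbreviates them (member-body for "mem", experimental for "exp", security for "sec"); arcs below cisco(9) are not modelled and are kept numeric.

```python
# Added example (not from the book): a model of the MIB tree in Figure 15-2.
# Each node maps a child's name to (arc number, child node). Names follow RFC 1213
# where the figure abbreviates them ("mem" = member-body, "exp" = experimental,
# "sec" = security). The rmon(16) branch comes from the RMON section of the chapter.

MIB_TREE = {
    "ccitt": (0, {}),
    "iso": (1, {
        "member-body": (2, {}),
        "org": (3, {
            "dod": (6, {
                "internet": (1, {
                    "mgmt": (2, {
                        "mib": (1, {
                            "system": (1, {}),
                            "ip": (4, {}),
                            "tcp": (6, {}),
                            "udp": (7, {}),
                            "snmp": (11, {}),
                            "rmon": (16, {}),   # RMON MIB, 1.3.6.1.2.1.16
                        }),
                    }),
                    "experimental": (3, {}),
                    "private": (4, {
                        "enterprise": (1, {
                            "cisco": (9, {}),   # Cisco head object, 1.3.6.1.4.1.9
                        }),
                    }),
                    "security": (5, {}),
                }),
            }),
        }),
    }),
}


def name_to_oid(dotted_name: str) -> str:
    """Translate an object name such as iso.org.dod.internet.private.enterprise.cisco
    into its numeric object identifier (1.3.6.1.4.1.9)."""
    arcs = []
    level = MIB_TREE
    for label in dotted_name.split("."):
        if label not in level:
            known = ".".join(map(str, arcs)) or "root"
            raise KeyError(f"unknown MIB node {label!r} under {known}")
        number, level = level[label]
        arcs.append(number)
    return ".".join(map(str, arcs))


def oid_to_name(oid: str) -> str:
    """Translate a numeric OID back into its object name. Arcs the tree does not know
    (for example a Cisco product branch below cisco(9)) are kept as numbers."""
    labels = []
    level = MIB_TREE
    for arc in oid.split("."):
        number = int(arc)
        match = next(((name, child) for name, (n, child) in level.items() if n == number), None)
        if match is None:
            labels.append(arc)   # unknown arc: keep it numeric and stop descending
            level = {}
            continue
        name, level = match
        labels.append(name)
    return ".".join(labels)


def is_under(oid: str, branch: str) -> bool:
    """True if oid lies inside branch. The test is on whole arcs, so 1.3.6.1.4.1.9
    is under 1.3.6.1.4.1 but 1.3.6.1.4.11 is not (a plain string-prefix test would say it is)."""
    o, b = oid.split("."), branch.split(".")
    return o[:len(b)] == b
```

The arc-wise prefix test in is_under is the check an NMS or a view-based access control rule needs when deciding whether an object belongs to a vendor subtree; matching on the textual OID would misfile neighbours such as enterprise 11 under enterprise 1.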
SNMP Message Versions
SNMPv1 was initially defined by RFC 1157. Since then, SNMP has evolved with a second
and third version, each adding new message types. The CCDA should understand each
message type and the version associated with each.
SNMPv1
SNMPv1 is defined by RFC 1157. It is a simple request-and-response protocol. The NMS manager issues a request, and managed devices return responses. The data types are limited to 32-bit values. SNMPv1 uses four protocol operations, with five message types to carry out the communication:
■ Get request: Retrieves the value of a specific MIB variable.
■ GetNext request: Retrieves the next instance of the MIB variable.
■ Get response: Contains the values of the requested variable.
■ Set request: This is a request from the manager to the agent to set a MIB variable. It can be used to modify the agent’s configuration.
■ Trap: Transmits an unsolicited alarm condition.
Figure 15-3 shows the SNMPv1 message types.
Figure 15-3 SNMPv1 Message Types: Get Request, GetNext, and Set Request are sent from the NMS manager to the agent; Get Response and Trap are sent from the agent to the NMS manager.
The NMS manager uses the Get operation to retrieve the value of a specific MIB variable from an agent. The GetNext operation is used to retrieve the next object instance in a table or list within an agent. The Get Response contains the value of the requested variable.
The NMS manager uses the Set operation to set values of the object instance within an
agent. For example, the Set operation can be used to set an IP address on an interface or
to bring an interface up or down. Agents use the Trap operation to inform the NMS manager of a significant alarm event. For example, a trap is generated when a WAN circuit
goes down.
SNMPv2
SNMPv2 is an evolution of the initial SNMPv1 and is defined in RFCs 1901 and 1902. SNMPv2 offers improvements to SNMPv1, including additional protocol operations. The Get, GetNext, and Set operations used in SNMPv2 are exactly the same as those used in SNMPv1. The SNMP Trap operation serves the same function as in SNMPv1, but it uses a different message format.
SNMPv2 defines two new protocol operations:
■ GetBulk: Reduces repetitive requests for MIB variables
■ Inform request: Alerts an SNMP manager of specific conditions with confirmation
The NMS manager uses the GetBulk operation to retrieve large blocks of data, such as
multiple rows in a table. This is more efficient than repeating GetNext commands. If the
agent responding to the GetBulk operation cannot provide values for all the variables in a
list, it provides partial results. The Inform operation allows one NMS manager to send trap
information to other NMS managers and to receive information. Another improvement is
that data type values can be 64 bits.
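The difference between walking a table with repeated GetNext requests and fetching it with one GetBulk, including the partial result an agent returns when the MIB ends early, is easiest to see against a tiny agent. The following is an added example and is not code from the book or from any SNMP implementation: an in-memory agent that keeps its instances in lexicographic OID order (as a real agent must for GetNext to work), answers Get, GetNext, GetBulk and Set, and enforces the read-only/read-write community split the chapter describes. The OIDs follow the standard ifTable layout (ifDescr is column 2 and ifOperStatus column 8 of 1.3.6.1.2.1.2.2.1); the interface names and states are constructed.

```python
# Added example (not from the book): a minimal in-memory SNMP agent that shows how the
# Get, GetNext, GetBulk and Set operations behave against an ordered MIB. Only the wire
# semantics are modelled; there is no BER encoding and no UDP transport here.

from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(arc) for arc in text.split("."))


def fmt(oid: OID) -> str:
    return ".".join(map(str, oid))


class ToyAgent:
    """Holds MIB instances sorted by OID, which is what makes GetNext well defined."""

    def __init__(self, instances: Dict[str, object]):
        self.mib: List[Tuple[OID, object]] = sorted((parse_oid(o), v) for o, v in instances.items())
        # Community strings act as passwords in SNMPv1/v2: "ro" may only read, "rw" may also Set.
        self.communities = {"public": "ro", "private": "rw"}

    def get(self, oid: str):
        """Get: exact match on an instance OID; None stands for noSuchInstance."""
        key = parse_oid(oid)
        for k, v in self.mib:
            if k == key:
                return v
        return None

    def get_next(self, oid: str) -> Optional[Tuple[str, object]]:
        """GetNext: the first instance whose OID sorts after the requested OID,
        so a request for a column OID returns that column's first row."""
        key = parse_oid(oid)
        for k, v in self.mib:
            if k > key:
                return fmt(k), v
        return None  # endOfMibView

    def get_bulk(self, oid: str, max_repetitions: int) -> List[Tuple[str, object]]:
        """GetBulk (SNMPv2): up to max_repetitions successive GetNext results in a single
        response. When the MIB ends first, the partial list collected so far is returned."""
        rows: List[Tuple[str, object]] = []
        cursor = oid
        for _ in range(max_repetitions):
            nxt = self.get_next(cursor)
            if nxt is None:
                break
            rows.append(nxt)
            cursor = nxt[0]
        return rows

    def set(self, community: str, oid: str, value) -> bool:
        """Set: only a read-write community may modify an existing instance."""
        if self.communities.get(community) != "rw":
            return False
        key = parse_oid(oid)
        for i, (k, _) in enumerate(self.mib):
            if k == key:
                self.mib[i] = (k, value)
                return True
        return False


def walk_with_getnext(agent: ToyAgent, subtree: str) -> List[Tuple[str, object]]:
    """The SNMPv1 way: one GetNext per instance, stopping once the walk leaves the subtree."""
    prefix = parse_oid(subtree)
    out: List[Tuple[str, object]] = []
    cursor = subtree
    while True:
        nxt = agent.get_next(cursor)
        if nxt is None or parse_oid(nxt[0])[:len(prefix)] != prefix:
            return out
        out.append(nxt)
        cursor = nxt[0]


# Constructed sample: two rows of ifTable (ifDescr = column 2, ifOperStatus = column 8).
SAMPLE = ToyAgent({
    "1.3.6.1.2.1.2.2.1.2.1": "Serial0/0",
    "1.3.6.1.2.1.2.2.1.2.2": "FastEthernet0/0",
    "1.3.6.1.2.1.2.2.1.8.1": 2,   # ifOperStatus down(2)
    "1.3.6.1.2.1.2.2.1.8.2": 1,   # ifOperStatus up(1)
})
```

Walking the two-row ifDescr column costs three GetNext round trips (the third one steps past the column and is discarded), whereas one GetBulk with max-repetitions of 10 returns all four instances in a single response and simply stops early; that early stop is the "partial results" behaviour the text mentions, not an error.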
Table 15-3 summarizes SNMP message types.
Table 15-3 SNMP Message Types
SNMP Message | Description
Get request | Retrieves the value of a specific MIB variable
GetNext request | Retrieves the next instance of the MIB variable
Get response | Contains the values of the requested variable
Set request | Modifies the value of a MIB variable
Trap | Transmits an unsolicited alarm condition
GetBulk | Reduces repetitive requests for MIB variables
Inform request | Alerts an SNMP manager of specific conditions with confirmation
SNMPv3
SNMPv3 was developed to correct several deficiencies in the earlier versions of SNMP, security being a primary reason. SNMPv3 is defined in RFCs 3410 through 3415. SNMPv3 provides authentication and privacy by using usernames and access control by using key management. Security levels are implemented to determine which devices a user can read, write, or create. SNMPv3 also verifies each message to ensure that it has not been modified during transmission. SNMPv3 removes the use of community-based authentication strings, which were sent in clear text over the network. It is recommended that SNMPv1 and SNMPv2 be used only for read-only access, while SNMPv3 be used with read-write access.
SNMPv3 introduces three levels of security:
■ noAuthNoPriv: No authentication and no encryption
■ authNoPriv: Authentication and no encryption
■ authPriv: Authentication and encryption
The noAuthNoPriv level provides no authentication and no privacy (encryption). At the
authNoPriv level, authentication is provided but not encryption. The authPriv level provides authentication and encryption.
Authentication for SNMPv3 is based on Hash-based Message Authentication Code – message digest 5 (HMAC-MD5) or HMAC – Secure Hash (HMAC-SHA) algorithms. The Cipher Block Chaining-Data Encryption Standard (CBC-DES) standard is used for
encryption.
Table 15-4 summarizes SNMP security levels.
Table 15-4 SNMP Security Levels
Version | Level | Authentication | Encryption
SNMPv1 | NoAuthNoPriv | Community String | None
SNMPv2 | NoAuthNoPriv | Community String | None
SNMPv3 | NoAuthNoPriv | Username | None
SNMPv3 | AuthNoPriv | MD5 or SHA | None
SNMPv3 | AuthPriv | MD5 or SHA | DES, 3DES, AES
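What "authentication with MD5 or SHA" means on the wire is that the User-based Security Model (RFC 3414) turns the user's password into a key, localizes that key to the engine ID of the device, and puts a truncated HMAC over every message. The following is an added example, not code from the book or from any SNMP product: it implements the RFC 3414 password-to-key algorithm, key localization, and the HMAC-MD5-96 / HMAC-SHA-96 authentication check that lets a receiver detect a modified message, plus the mapping of the auth and priv flags to the level names in Table 15-4. The engine ID and password are constructed; Appendix A of RFC 3414 carries reference vectors a reader can run through password_to_key and localize_key. Encryption (the Priv part of authPriv) needs a cipher library and is not shown.

```python
# Added example (not from the book): the USM building blocks behind SNMPv3's authNoPriv
# level, written from RFC 3414. Engine ID and password below are constructed values.

import hashlib
import hmac

ALGS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}   # the two auth protocols in Table 15-4


def password_to_key(password: str, alg: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 octets. The work factor
    is deliberate; it slows offline guessing of weak passwords."""
    pw = password.encode()
    buf = (pw * (1048576 // len(pw) + 1))[:1048576]
    return ALGS[alg](buf).digest()


def localize_key(ku: bytes, engine_id: bytes, alg: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The same password therefore yields a
    different key on every device, so one compromised agent does not expose the others."""
    return ALGS[alg](ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, msg: bytes, alg: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: full HMAC over the whole message, truncated to 12 octets.
    The sender computes it with the msgAuthenticationParameters field zeroed, and the
    receiver does the same before comparing."""
    return hmac.new(kul, msg, ALGS[alg]).digest()[:12]


def is_authentic(kul: bytes, msg: bytes, received_params: bytes, alg: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_parameters(kul, msg, alg), received_params)


def security_level(auth: bool, priv: bool) -> str:
    """Map the auth/priv flags carried in msgFlags to the level names of Table 15-4.
    USM does not allow privacy without authentication."""
    if priv and not auth:
        raise ValueError("priv without auth is not a valid USM security level")
    return {(False, False): "noAuthNoPriv",
            (True, False): "authNoPriv",
            (True, True): "authPriv"}[(auth, priv)]


# Constructed values (not from the book). The engine ID uses the RFC 3411 layout
# (enterprise 9, format 3 = MAC address) but the address itself is made up.
ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")
OTHER_ENGINE_ID = bytes.fromhex("800000090300000000000001")
PASSWORD = "constructed-example-password"


def demo(alg: str = "SHA") -> dict:
    """Derive a localized key, authenticate a message, and show that a tampered copy fails."""
    ku = password_to_key(PASSWORD, alg)
    kul = localize_key(ku, ENGINE_ID, alg)
    msg = b"constructed SNMPv3 message with msgAuthenticationParameters zeroed"
    params = auth_parameters(kul, msg, alg)
    tampered = msg.replace(b"zeroed", b"forged")
    return {
        "param_len": len(params),
        "intact_ok": is_authentic(kul, msg, params, alg),
        "tampered_ok": is_authentic(kul, tampered, params, alg),
        "key_reused_across_engines": localize_key(ku, OTHER_ENGINE_ID, alg) == kul,
    }
```

With SNMPv1/v2c the community string travels in clear text and any on-path observer can replay it; with authNoPriv the observer sees the username and the 12-byte HMAC but cannot produce a valid HMAC for a different message without the localized key, which is why the chapter reserves read-write access for SNMPv3.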
Other Network Management Technologies
This section covers RMON, NetFlow, CDP, and syslog technologies used to gather network information.
RMON
RMON is a standard monitoring specification that enables network monitoring devices
needed. RMON looks at MAC-layer data and provides aggregate information on the statistics and LAN traffic.
Enterprise networks deploy network probes on several network segments; these probes
report back to the RMON console. RMON allows network statistics to be collected even
if a failure occurs between the probe and the RMON console. RMON1 is defined by
RFCs 1757 and 2819, and additions for RMON2 are defined by RFC 2021.
The RMON MIB is located at iso.org.dod.internet.mgmt.mib.rmon or by the equivalent object descriptor, 1.3.6.1.2.1.16. RMON1 defines nine monitoring groups; each group provides specific sets of data. One more group is defined for Token Ring. Each group is
optional, so vendors do not need to support all the groups in the MIB. Table 15-5 shows
the RMON1 groups.
Table 15-5 RMON1 Groups
ID | Name | Description
1 | Statistics | Contains real-time statistics for interfaces: packets sent, bytes, cyclic redundancy check (CRC) errors, fragments.
2 | History | Stores periodic statistic samples for later retrieval.
3 | Alarm | An alarm event is generated if a statistic sample crosses a threshold.
4 | Host | Host-specific statistics.
5 | HostTopN | Most active hosts.
6 | Matrix | Stores statistics for conversations between two hosts.
7 | Filters | Allows packets to be filtered.
8 | Packet Capture | Allows packets to be captured for subsequent analysis.
9 | Events | Generates notification of events.
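The Alarm group (group 3) is more than a simple threshold compare: RFC 2819 specifies a rising and a falling threshold with hysteresis, delta or absolute sampling, and a startup rule, so that a counter hovering around one threshold does not flood the Events group. The following is an added example, not code from the book or from any RMON probe: one alarmTable row modelled as a small state machine, fed with a constructed series of counter readings.

```python
# Added example (not from the book): the RMON1 Alarm group (RFC 2819 alarmTable) as a
# state machine. A variable is sampled at a fixed interval, either as an absolute value or
# as the delta since the previous sample, and compared with rising and falling thresholds.
# After a rising event, no further rising event is generated until the value has crossed
# the falling threshold (and vice versa). The sample series below are constructed.

from typing import List, Optional, Tuple


class RmonAlarm:
    """One row of the RMON alarmTable. startup_rising / startup_falling model
    alarmStartupAlarm; the default (rising only) corresponds to risingAlarm(1)."""

    def __init__(self, rising: int, falling: int, delta: bool = True,
                 startup_rising: bool = True, startup_falling: bool = False):
        if falling > rising:
            raise ValueError("alarmFallingThreshold must not exceed alarmRisingThreshold")
        self.rising, self.falling, self.delta = rising, falling, delta
        self.startup = (startup_rising, startup_falling)
        self.last_raw: Optional[int] = None      # previous raw reading (delta sampling)
        self.last_value: Optional[int] = None    # previous sampled value
        self.last_event: Optional[str] = None    # "rising" or "falling"
        self.tick = 0
        self.events: List[Tuple[int, str, int]] = []   # what the Events group would log

    def sample(self, raw: int) -> str:
        """Feed one raw reading; return "rising", "falling" or "" (no event this interval)."""
        self.tick += 1
        if self.delta:
            if self.last_raw is None:          # the first delta cannot be computed yet
                self.last_raw = raw
                return ""
            value, self.last_raw = raw - self.last_raw, raw   # counter wrap not modelled
        else:
            value = raw

        first = self.last_value is None
        event = ""
        if value >= self.rising and self.last_event != "rising" and (
                (first and self.startup[0]) or (not first and self.last_value < self.rising)):
            event = "rising"
        elif value <= self.falling and self.last_event != "falling" and (
                (first and self.startup[1]) or (not first and self.last_value > self.falling)):
            event = "falling"

        self.last_value = value
        if event:
            self.last_event = event
            self.events.append((self.tick, event, value))
        return event


def run_alarm(samples: List[int], **thresholds) -> List[str]:
    """Run one alarm row over a series of readings and return the per-interval events."""
    alarm = RmonAlarm(**thresholds)
    return [alarm.sample(s) for s in samples]


# Constructed series: a cumulative CRC-error counter read once per interval.
CRC_COUNTER = [1000, 1010, 1200, 1400, 1450, 1455, 1460, 1700]
```

With rising=100 and falling=20 errors per interval, the series above produces a rising event at the third reading (delta 190), stays silent while the delta remains high, fires a falling event once the delta drops to 5, and only then can fire a second rising event when the delta jumps to 240. Without the hysteresis the fourth reading (delta 200) would have produced a duplicate alarm.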
RMON2
RMON1 is focused on the data link and physical layers of the OSI model. As shown in
Figure 15-4, RMON2 provides an extension for monitoring upper-layer protocols.
Figure 15-4 RMON1 and RMON2 Compared to the OSI Model: RMON1 covers the physical and data link layers; RMON2 extends RMON upward through the network, transport, session, presentation, and application layers.
Defined by RFC 2021, RMON2 extends the RMON group with the MIB groups listed in
Table 15-6.
Table 15-6 RMON2 Groups
ID | Name | Description
11 | Protocol Directory | Lists the protocols the device supports
12 | Protocol Distribution | Traffic statistics for each protocol
13 | Address Mapping | Contains network-to-MAC layer address mapping (IP to MAC)
14 | Network Layer Host | Contains statistics for traffic sent to or from network layer hosts
15 | Network Layer Matrix | Contains statistics for conversations between two network layer hosts
16 | Application Layer Host | Contains application layer statistics for traffic sent to or from each host
17 | Application Layer Matrix | Contains application layer statistics for conversations between pairs of hosts
18 | User History | Contains periodic samples of specified variables
19 | Probe Configuration | Probes parameter configuration
NetFlow
Cisco NetFlow allows the tracking of IP flows as they are passed through routers and multilayer switches. IP flows are a set of IP packets within a specific timeslot that share a
number of properties, such as the same source address, destination address, type of service, and protocol number. NetFlow information is forwarded to a network data analyzer,
network planning tools, RMON applications, or accounting and billing applications. NetFlow allows for network planning, traffic engineering, billing, accounting, and application
monitoring. The most recent version of NetFlow is NetFlow Version 9, which is defined in
RFC 3954. NetFlow consists of three major components:
■ NetFlow accounting: Collects IP data flows entering router or switch interfaces and prepares data for export. It enables the accumulation of data on flows with unique characteristics, such as IP addresses, application, and class of service (CoS).
■ Flow collector engines: Captures exported data from multiple routers and filters and aggregates the data according to customer policies, and then stores this summarized or aggregated data.
■ Network data analyzers: Displays a graphical user interface (GUI) and analyzes NetFlow data collected from flow collector files. This allows users to complete near-real-time visualization or trending analysis of recorded and aggregated flow data. Users can specify the router and aggregation scheme and desired time interval.
devices aggregate data and export the information. Each unidirectional network flow is
identified by both source and destination IP addresses and transport layer port numbers.
NetFlow can also identify flows based on IP protocol number, type of service, and input
interface. A NetFlow data record contains the following information:
■ Source and destination IP address
■ Source and destination TCP/UDP ports
■ Type of service (ToS)
■ Packet and byte counts
■ Start and end timestamps
■ Input and output interface numbers
■ TCP flags and encapsulated protocol (TCP/UDP)
■ Routing information (next-hop address, source and destination autonomous system number, destination prefix mask)
■ Data analyzers
The NetFlow export or transport mechanism sends the NetFlow data to a collection engine or network management collector. Flow collector engines perform data collection
and filtering. They aggregate data from several devices and store the information. Different NetFlow data analyzers can be used based on the intended purpose. NetFlow data can
be analyzed for the following key applications:
■ Accounting and billing: Used by service providers for charging based on bandwidth and application usage and quality of service (QoS).
■ Network planning and analysis: Link and router capacity.
■ Network and security monitoring: Visualize real-time traffic patterns.
■ Application monitoring and profiling: Time-based view of application usage.
■ User monitoring and profiling: Identifies customer and user network utilization and resource application.
■ NetFlow data warehousing and mining: NetFlow data can be warehoused for later retrieval and analysis.
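The record fields and the application list above come together in the collector: the same exported records are aggregated under different keys depending on whether the consumer is billing, capacity planning, or security monitoring. The following is an added example, not code from the book or from any NetFlow collector: a flow record type carrying the key fields the chapter lists, a generic aggregation step driven by a caller-chosen key (the "aggregation scheme"), and four views built on it. The seven records are constructed; the EF ToS value 0xB8 and the SIP port 5060 are the standard markings for a voice flow.

```python
# Added example (not from the book): collector-side aggregation over constructed
# NetFlow-style records. No export protocol is parsed here; the records are built directly.

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional flow: the key fields from the chapter plus counters and timestamps."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int        # IP protocol number (6 = TCP, 17 = UDP)
    tos: int          # IP type of service byte
    in_if: int        # input interface index
    out_if: int       # output interface index
    packets: int
    octets: int
    first: int        # start timestamp (plain integers here; sysUpTime ms in real exports)
    last: int         # end timestamp
    tcp_flags: int = 0


# Constructed sample: a web session (both directions), an HTTPS transfer, an EF-marked SIP
# flow, and three one-packet SYN-only flows from one source to three different ports.
SAMPLE_FLOWS: List[FlowRecord] = [
    FlowRecord("10.1.1.10", "10.2.2.20", 51234, 80, 6, 0x00, 1, 2, 120, 96000, 100, 160, 0x18),
    FlowRecord("10.2.2.20", "10.1.1.10", 80, 51234, 6, 0x00, 2, 1, 90, 15000, 100, 160, 0x18),
    FlowRecord("10.1.1.11", "10.2.2.21", 40001, 443, 6, 0x00, 1, 2, 400, 520000, 110, 300, 0x18),
    FlowRecord("10.1.1.10", "10.2.2.30", 5060, 5060, 17, 0xB8, 1, 2, 3000, 600000, 120, 400),
    FlowRecord("10.9.9.9", "10.2.2.20", 44000, 22, 6, 0x00, 1, 2, 1, 60, 500, 500, 0x02),
    FlowRecord("10.9.9.9", "10.2.2.20", 44001, 23, 6, 0x00, 1, 2, 1, 60, 501, 501, 0x02),
    FlowRecord("10.9.9.9", "10.2.2.20", 44002, 3389, 6, 0x00, 1, 2, 1, 60, 502, 502, 0x02),
]


def aggregate(flows: Iterable[FlowRecord],
              key_fn: Callable[[FlowRecord], Hashable]) -> Dict[Hashable, Dict[str, int]]:
    """Sum flows, packets and octets under a caller-chosen key. The key function is the
    aggregation scheme: per source, per application, per ToS, per interface pair, and so on."""
    totals: Dict[Hashable, Dict[str, int]] = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for f in flows:
        bucket = totals[key_fn(f)]
        bucket["flows"] += 1
        bucket["packets"] += f.packets
        bucket["octets"] += f.octets
    return dict(totals)


def top_talkers(flows: Iterable[FlowRecord], n: int) -> List[Tuple[str, int]]:
    """Network planning view: sources ranked by octets sent."""
    by_src = aggregate(flows, lambda f: f.src)
    ranked = sorted(((src, t["octets"]) for src, t in by_src.items()), key=lambda x: -x[1])
    return ranked[:n]


def octets_per_application(flows: Iterable[FlowRecord]) -> Dict[Tuple[int, int], int]:
    """Application monitoring view: octets keyed by (protocol, destination port)."""
    return {k: t["octets"] for k, t in aggregate(flows, lambda f: (f.proto, f.dport)).items()}


def octets_per_tos(flows: Iterable[FlowRecord]) -> Dict[int, int]:
    """Accounting and billing view: octets per ToS value (EF-marked voice vs. best effort)."""
    return {k: t["octets"] for k, t in aggregate(flows, lambda f: f.tos).items()}


def fan_out_suspects(flows: Iterable[FlowRecord], min_ports: int = 3,
                     max_packets: int = 2) -> Dict[str, int]:
    """Security monitoring view: sources whose tiny flows touch many distinct destination
    ports. Flow data shows this pattern without any payload, which is what makes NetFlow
    useful for monitoring even on links where packet capture is impractical."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}
```

Because every view is a different key function over the same records, a collector can keep the raw records once and re-aggregate on demand, which is the warehousing and mining use the list ends with.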
NetFlow Compared to RMON and SNMP
NetFlow enables you to gather more statistical information than RMON with fewer resources. It provides greater detail of the collected data, with date and time stamping. NetFlow has greater scalability and does not require network probes. As compared with
SNMP, NetFlow reports on traffic statistics and is push based, whereas SNMP reports primarily on device statistics and is poll-based.
NetFlow can be configured on individual Layer 3 interfaces on routers and Layer 3
switches. NetFlow provides detailed information on the following:
■ Source and destination IP addresses
■ Source and destination interface identifiers
■ TCP/UDP source and destination port numbers
■ Number of bytes and packets per flow
■ Source and destination autonomous system numbers
■ IP type of service (ToS)
CDP
Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol that can be used to discover only Cisco network devices. CDP is media and protocol independent, so it works
over Ethernet, Frame Relay, ATM, and other media. The requirement is that the media support Subnetwork Access Protocol (SNAP) encapsulation. CDP runs at the data link layer
of the OSI model. CDP uses hello messages; packets are exchanged between neighbors,
but CDP information is not forwarded. In addition to routers and switches, IP phones and
Cisco Unified Communication Manager (CUCM) servers also advertise CDP information.
Being protocol and media independent is CDP’s biggest advantage over other network
management technologies. CDP provides key information about neighbors, including platforms, capabilities, and IP addresses, which is significant for network discovery. It is useful when SNMP community strings are unknown when performing a network discovery.
When displaying CDP neighbors, you can obtain the following information:
■ Local interface: Local interface that is connected to the discovered neighbor
■ Device ID: Name of the neighbor device and MAC address or serial number
■ Device IP address: IP address of the neighbor
■ Hold time: How long (seconds) to hold the neighbor information
■ Device capabilities: Type of device discovered: router, switch, transparent bridge, host, IGMP, repeater
■ Version: IOS or switch OS version
■ Platform: Router or switch model number
■ Port ID: Interface of the neighboring device
Network management devices can obtain CDP information for data gathering. CDP should be disabled on untrusted interfaces, such as those that face the Internet, third-party networks, or other secure networks. CDP works only on Cisco devices.
Note: Disable CDP on interfaces for which you do not want devices to be discovered,
such as Internet connections.
Syslog
The syslog protocol is currently defined in RFC 3164. Syslog transmits event notification
messages over the network. Network devices send the event messages to an event server
for aggregation. Network devices include routers, servers, switches, firewalls, and network
appliances. Syslog operates over UDP, so messages are not sequenced or acknowledged.
The syslog messages are also stored on the device that generates the message and can be
viewed locally.
Syslog messages are generated in many broad areas. These areas are called facilities. Cisco IOS has more than 500 facilities. Common facilities include
■ IP
■ CDP
■ OSPF
■ TCP
■ Interface
■ IPsec
■ SYS operating system
■ Security/authorization
■ Spanning Tree Protocol (STP)
Each syslog message has a level. The syslog level determines the event’s criticality. Lower
syslog levels are more important. Table 15-7 lists the syslog levels.
Table 15-7 Syslog Message Levels
Syslog Level | Severity | Description
0 | Emergency | System is unusable
1 | Alert | Take action immediately
2 | Critical | Critical conditions
3 | Error | Error messages
4 | Warning | Warning conditions
5 | Notice | Normal but significant events
6 | Informational | Informational messages
7 | Debug | Debug level messages
Common syslog messages are interface up and down events. Access lists can also be configured on routers and switches to generate syslog messages when a match occurs. Each syslog message includes a time stamp, level, and facility. Syslog messages have the following format:
mm/dd/yy:hh/mm/ss:FACILITY-LEVEL-mnemonic:description
Syslog messages can consume large amounts of network bandwidth. It is important to enable only syslog facilities and levels that are of particular importance.
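Choosing which facilities and levels to forward is a filtering decision, and it is worth seeing it applied to real-looking messages in the format just given. The following is an added example, not code from the book or from Cisco IOS: a parser for lines in the mm/dd/yy:hh/mm/ss:FACILITY-LEVEL-mnemonic:description layout, the severity names of Table 15-7, a count per facility, and a selector that keeps only messages at or below a level threshold from an optional set of facilities. The sample log is constructed; the facility and mnemonic names in it follow common IOS message identifiers, but the lines themselves were written for this example.

```python
# Added example (not from the book): parsing and filtering syslog messages in the
# chapter's format. The log lines below are constructed, not captured from a device.

import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Severity names from Table 15-7; a lower number is more severe.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# mm/dd/yy:hh/mm/ss:FACILITY-LEVEL-mnemonic:description
_PATTERN = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d):(?P<time>\d\d/\d\d/\d\d):"
    r"(?P<facility>[A-Z][A-Z0-9_]*)-(?P<level>[0-7])-(?P<mnemonic>[A-Z0-9_]+):(?P<text>.*)$"
)


class SyslogMessage(NamedTuple):
    date: str
    time: str
    facility: str
    level: int
    mnemonic: str
    text: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.level]


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None when the line does not follow the format
    (truncated lines and console noise are common in real collections)."""
    m = _PATTERN.match(line.strip())
    if not m:
        return None
    return SyslogMessage(m["date"], m["time"], m["facility"], int(m["level"]),
                         m["mnemonic"], m["text"].strip())


def parse_lines(lines: Iterable[str]) -> List[SyslogMessage]:
    return [msg for msg in map(parse_line, lines) if msg is not None]


def select(messages: Iterable[SyslogMessage], max_level: int,
           facilities: Optional[Set[str]] = None) -> List[SyslogMessage]:
    """Keep messages at max_level or more severe; optionally only from the given facilities.
    This is the policy the text recommends: forward what matters, not everything."""
    return [m for m in messages
            if m.level <= max_level and (facilities is None or m.facility in facilities)]


def count_by_facility(messages: Iterable[SyslogMessage]) -> Dict[str, int]:
    """Which facilities are generating volume; the first thing to look at when syslog
    traffic itself becomes a bandwidth problem."""
    counts: Dict[str, int] = {}
    for m in messages:
        counts[m.facility] = counts.get(m.facility, 0) + 1
    return counts


# Constructed sample log in the chapter's format (one deliberately malformed line).
SAMPLE_LOG = """\
03/14/11:10/22/05:LINK-3-UPDOWN:Interface Serial0/0, changed state to down
03/14/11:10/22/06:LINEPROTO-5-UPDOWN:Line protocol on Interface Serial0/0, changed state to down
03/14/11:10/22/41:SEC-6-IPACCESSLOGP:list 101 denied tcp 10.9.9.9(44000) -> 10.2.2.20(22), 1 packet
03/14/11:10/23/00:SYS-5-CONFIG_I:Configured from console by admin on vty0
03/14/11:10/23/07:OSPF-4-ERRRCV:Received invalid packet: mismatch area ID from 10.0.0.2
this line is truncated and does not match the format
03/14/11:10/24/30:SYS-0-SYSTEM:System is unusable
"""

MESSAGES = parse_lines(SAMPLE_LOG.splitlines())
```

Note that the access-list log line (SEC, level 6) is the one a security team most wants and also the one a "level 3 and above" policy silently drops; the selector's facility argument exists so that such a facility can be kept at a more permissive level than the rest.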
Table 15-8 summarizes some of the protocols just covered in this section.
Table 15-8 NetFlow, CDP, and Syslog
Technology | Description
NetFlow | Collects network flow data for network planning, performance, accounting, and billing applications
CDP | Proprietary protocol for network discovery that provides information on neighboring devices
Syslog | Reports state information based on facility and severity levels
RMON | Remote Monitoring. Provides aggregate information of network statistics and LAN traffic
References and Recommended Reading
NetFlow Performance Analysis, www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb9.shtml.
NetFlow Version 9, www.cisco.com/en/US/products/ps6645/products_ios_protocol_option_home.html.
MIBs Supported by Product, www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFC 1157, A Simple Network Management Protocol (SNMP).
RFC 1441, Introduction to Version 2 of the Internet-Standard Network Management Framework.
RFC 1757, Remote Network Monitoring Management Information Base.
RFC 1901, Introduction to Community-Based SNMPv2.
RFC 1902, Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2).
RFC 2021, Remote Network Monitoring Management Information Base Version 2 Using SMIv2.
RFC 2576, Coexistence Between Version 1, Version 2, and Version 3 of the Internet Standard Network Management Framework.
RFC 3164, The BSD Syslog Protocol.
RFC 3410, Introduction and Applicability Statements for Internet Standard Management Framework.
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks.
RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP).
RFC 3414, User-Based Security Model (USM) for Version 3 of the Simple Network Management Protocol (SNMPv3).
RFC 3415, View-Based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP).
RFC 3416, Protocol Operations for SNMPv2.
RFC 3418, Management Information Base for SNMPv2.
RFC 3954, Cisco Systems NetFlow Services Export Version 9.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topics icon in the
outer margin of the page. Table 15-9 lists a reference of these key topics and the page
numbers on which each is found.
Table 15-9 Key Topics
Key Topic Element | Description | Page
Summary | Simple Network Management Protocol. Standard for the exchange of management information between network devices. | 579
Summary | Remote Monitoring. Provides aggregate information of network statistics and LAN traffic. | 583
Summary | Tracks IP flows as they are passed through routers and multilayer switches. | 585
Summary | Media- and protocol-independent Cisco protocol used to discover Cisco network devices. | 587
Complete Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
Accounting management, CDP, configuration management, fault management,
FCAPS, MIB, NetFlow, performance management, RMON, SNMP, syslog
Q&A
The answers to these questions appear in Appendix A. For more practice with exam format questions, use the exam engine on the CD-ROM.
1. What does the acronym FCAPS stand for?
2. CDP runs at what layer of the OSI model?
3. Syslog level 5 is what level of severity?
4. True or false: RMON provides more scalability than NetFlow.
5. True or false: NetFlow provides detailed information on the number of bytes and
packets per conversation.
6. What information can be obtained from a neighbor using CDP?
7. What SNMP message is sent by an agent when an event occurs?
a. Get
b. Set
c. GetResponse
d. Trap
8. What SNMP message is sent to an agent to obtain an instance of an object?
a. Get
b. Set
c. GetResponse
d. Trap
9. What SNMP message is used to configure a managed device?
a. Get
b. Set
c. GetResponse
d. Trap
10. About how many facilities are available for syslog in Cisco routers?
a. 25
b. 100
c. 500
d. 1000
11. Which SNMPv3 level provides authentication with no encryption?
a. authPriv
b. authNoPriv
c. noAuthNoPriv
d. noauthPriv
12. What encryption standard does SNMPv3 use?
a. 3DES
b. CBC-DES
c. HMAC-MD5
d. MD5
13. Which technologies can you use to assess a network and create documentation? (Select two.)
a. RMON
b. MIB
c. CDP
d. NetFlow
14. Which of the following are true about CDP? (Select three.)
a. It uses UDP.
b. It is a data-link protocol.
c. It provides information on neighboring routers and switches.
d. It is media and protocol independent.
e. It uses syslog and RMON.
15. RMON2 provides information at what levels of the OSI model?
a. Data link and physical
b. Network, data link, and physical
c. Transport and network only
d. Application to network
16. Which network management technology operates over TCP?
a. SNMP
b. RMON
c. NetFlow
d. None of the above
17. Which statement is correct?
a. SNMPv1 uses GetBulk operations and 32-bit values.
b. SNMPv2 uses 32-bit values, and SNMPv3 uses 64-bit values.
c. SNMPv1 uses 32-bit values, and SNMPv2 uses 64-bit values.
d. SNMPv1 uses GetBulk operations, and SNMPv2 uses Inform operations.
18. Which SNMPv3 level provides authentication and privacy?
a. authPriv
b. authNoPriv
c. noAuthNoPriv
d. noauthPriv
19. Match the RMON group with its description.
i. Statistics
ii. Matrix
iii. alHost
iv. protocoldir
a. Stores statistics for conversations between two hosts
b. Lists the protocols that the device supports
c. Contains real-time statistics for interfaces: packets sent, bytes, CRC errors, fragments
d. Contains application layer statistics for traffic sent to or from each host
20. What is the most critical syslog priority level?
a. 0
b. 1
c. 6
d. 7
21. Which management protocol will help a company concentrate on Layer 4 monitoring and gain information to assist in long-term trending analysis?
a. SNMPv3
b. RMON2
c. NetFlow
d. CDP
e. MIB
22. Which management protocol performs network traffic analysis?
a. SNMPv3
b. RMON2
c. NetFlow
d. CDP
e. MIB
23. What virtual information store is used by SNMP?
a. SNMPv3
b. RMON2
c. ASN.1
d. CDP
e. MIB
24. What standard language is used by SNMP?
a. SNMPv3
b. RMON2
c. ASN.1
d. CDP
e. MIB
25. Which SNMPv3 method provides authentication but no encryption?
a. noAuthNoPriv
b. authPriv
c. authNoPriv
d. noauthPriv
26. Which is not an SNMP operation?
a. GetNext
b. Trap
c. Inform Request
d. Community
e. GetBulk
27. Which protocol allows for vendor specific information?
a. SNMPv3
b. RMON2
c. ASN.1
d. CDP
e. MIB
Part V: Comprehensive Scenarios
and Final Prep
Chapter 16: Comprehensive Scenarios
Chapter 17: Final Preparation
This chapter covers four comprehensive scenarios that draw on several design topics covered in this book:
■ Scenario One: Pearland Hospital
■ Scenario Two: Big Oil and Gas
■ Scenario Three: Beauty Things Store
■ Scenario Four: Falcon Communications
CHAPTER 16
Comprehensive Scenarios
The case studies and questions in this chapter draw on your knowledge of CCDA exam
topics. Use these exercises to help master the topics as well as to identify areas you still
need to review for the exam.
Understand that each scenario presented encompasses several exam topics. Each scenario,
however, does not necessarily encompass all the topics. Therefore, work through all the
scenarios in this chapter to cover all the topics. Your CCDA exam will probably contain
questions that require you to analyze a scenario. This chapter contains four case studies
that are similar in style to the ones you might encounter on the CCDA exam. Read
through each case study and answer the corresponding questions. You will find the answers to the case study questions at the end of each scenario. Sometimes more than one
solution can satisfy the customer’s requirements. In these cases, the answers presented
represent recommended solutions developed using good design practices. An explanation
accompanies the answer where necessary.
Scenario One: Pearland Hospital
Mr. Robertson, the IT director at Pearland Hospital, is responsible for managing the network. Mr. Robertson has requested your help in proposing a network solution that will
meet the hospital’s requirements. The hospital is growing, and the management has released funds for network improvements.
The medical staff would like to be able to access medical systems using laptops from any
of the patient rooms. Doctors and nurses should be able to access patient medical records,
x-rays, prescriptions, and recent patient information. Mr. Robertson purchased new servers
and placed them in the data center. The wireless LAN (WLAN) has approximately 30 laptops, and about 15 more are due in six months. The servers must have high availability.
Patient rooms are on floors 6 through 10 of the hospital building. Doctors should be able
to roam and access the network from any of the floors. A wireless radio-frequency (RF)
survey report mentions that a single access point located in each communication closet
can reach all the rooms on each floor. The current network has ten segments that reach a
single router that also serves the WAN. Only a single link is used from the floors to the
core router. The router is running Open Shortest Path First (OSPF) Protocol, and they
want to move to a routing protocol that is easier to manage. The new back-end servers are
located in the same segment as those used on floor 1. Mr. Robertson mentions that users
addresses (see Table 16-1).
Table 16-1 Current IP Addresses

Floor  Servers  Clients  IP Network
1      15       40       200.100.1.0/24
2      0        43       200.100.2.0/24
3      0        39       200.100.3.0/24
4      0        42       200.100.4.0/24
5      0        17       200.100.5.0/24
6      0        15       200.100.6.0/24
7      0        14       200.100.7.0/24
8      0        20       200.100.8.0/24
9      0        18       200.100.9.0/24
10     0        15       200.100.10.0/24
Mr. Robertson would like a proposal to upgrade the network with updated switches that
support 1 Gigabit Ethernet copper, 10 Gigabit Ethernet fiber, and Power over Ethernet
(PoE) and to provide 1 Gigabit Ethernet access to the servers. The proposal should also
cover secure WLAN access on floors 6 through 10 with centralized management. Include
an IP addressing scheme that reduces the number of Class C networks the hospital uses.
Mr. Robertson wants to reduce the number of networks leased from the Internet service
provider (ISP).
Scenario One Questions
The following questions/directives refer to scenario one:
1. What are Pearland Hospital’s business requirements?
2. Are there any business-cost constraints?
3. What are the network’s technical requirements?
4. What are the network’s technical constraints?
5. Prepare a logical diagram of the current network.
6. Does the hospital use IP addresses effectively?
7. What do you recommend to improve the switching speed between floors?
8. Based on the number of servers and clients provided, what IP addressing scheme
would you propose?
9. What routing protocols do you recommend?
10. What solution do you recommend for WLAN access and the network upgrade?
11. Draw the proposed network solution.
Scenario One Answers
1. The hospital needs to provide access to patient records, prescriptions, and information from patient rooms.
2. No cost restrictions were discussed.
3. The technical requirements are as follows:
■ WLAN access from rooms on floors 6 through 10
■ Centralized WLAN management
■ Power over Ethernet (IEEE 802.3af)
■ Redundant access to servers in the data center
■ 10 Gigabit Ethernet switching between LAN segments
4. The technical constraint is as follows:
■ Servers must be located in the first floor data center rooms.
5. Figure 16-1 shows the logical diagram of the current network.
[Figure 16-1 (diagram): Data Center, WAN, Floor Switches 1 Through 5, Floor Switches 6 Through 10]
Figure 16-1 Pearland Hospital Current Network
6. The hospital does not use IP addresses effectively. It uses public Class C networks on
each floor. Each floor wastes more than 200 IP addresses, because each Class C network provides up to 254 IP addresses.
7. Recommend using high-speed 10 Gigabit Ethernet Layer 3 switches for the building
collapsed core/distribution layer. They can use the existing router for WAN access.
8. The primary recommendation is to use private addresses for the network. Using private addresses has been a best-practice policy for private internal networks since
to the ISP, retaining two for ISP connectivity. In addition, it allows for the parallel infrastructure to be built prior to migrating users to the new network.
With private addresses, the hospital can choose to use 172.16.0.0/16 for private addressing. The addressing scheme shown in Table 16-2 provides sufficient address
space for each network.
Table 16-2 IP Addressing Scheme Using Private Addresses

Floor                 Servers  Clients  IP Network
1                     15       0        172.16.0.0/24
1                     0        40       172.16.1.0/24
2                     0        43       172.16.2.0/24
3                     0        39       172.16.3.0/24
4                     0        42       172.16.4.0/24
5                     0        17       172.16.5.0/24
6                     0        15       172.16.6.0/24
7                     0        14       172.16.7.0/24
8                     0        20       172.16.8.0/24
9                     0        18       172.16.9.0/24
10                    0        15       172.16.10.0/24
WLAN: 6, 7, 8, 9, 10  0        40       172.16.20.0/24
Another solution is to retain the public addresses and use them in the internal network. This solution is less preferred than private addressing. Table 16-3 shows the recommended address scheme that would reduce the number of Class C networks.
Table 16-3 IP Addressing Scheme Using Public Address Space

Floor                 Servers  Clients  IP Network
1                     0        40       200.100.1.0/26
1                     15       N/A      200.100.1.64/26
2                     0        43       200.100.1.128/26
3                     0        39       200.100.1.192/26
4                     0        42       200.100.2.0/26
5                     0        17       200.100.2.64/26
6                     0        15       200.100.2.128/26
7                     0        14       200.100.2.192/26
8                     0        20       200.100.3.0/26
9                     0        18       200.100.3.64/26
10                    0        15       200.100.3.128/26
WLAN: 6, 7, 8, 9, 10  0        40       200.100.3.192/26
Each subnet has 62 IP addresses for host addressing. Based on the preceding IP addressing scheme, Pearland Hospital does not need networks 200.100.4.0/24 through
200.100.10.0/24.
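The /26 allocation in Table 16-3 can be checked mechanically. The following Python script is an added example, not from the book: it takes the per-segment host counts from Table 16-1 (plus the 40-client WLAN segment), carves 62-host /26 blocks out of the public Class C networks in order, rejects any segment that would not fit, and counts how many /24s are still consumed, so the claim that 200.100.4.0/24 through 200.100.10.0/24 are no longer needed can be verified. The segment list and function names are constructed for this example.

```python
import ipaddress

# Segments in the order the answer key allocates them: (name, host count).
# Constructed from Table 16-1 plus the WLAN segment in Table 16-3.
SEGMENTS = [
    ("floor 1 clients", 40), ("floor 1 servers", 15),
    ("floor 2", 43), ("floor 3", 39), ("floor 4", 42), ("floor 5", 17),
    ("floor 6", 15), ("floor 7", 14), ("floor 8", 20), ("floor 9", 18),
    ("floor 10", 15), ("WLAN floors 6-10", 40),
]


def usable_hosts(prefixlen):
    """Usable host addresses in an IPv4 prefix (network and broadcast excluded)."""
    return 2 ** (32 - prefixlen) - 2


def allocate(segments, first_net="200.100.1.0/24", prefixlen=26):
    """Assign successive blocks of the given size, rolling over to the next /24
    when the current one is used up. Returns a list of (name, hosts, network)
    and raises ValueError if a segment would overflow a block."""
    size = usable_hosts(prefixlen)
    supernet = ipaddress.ip_network(first_net)
    blocks = list(supernet.subnets(new_prefix=prefixlen))
    plan = []
    for name, hosts in segments:
        if hosts > size:
            raise ValueError(f"{name}: {hosts} hosts exceed {size} usable in a /{prefixlen}")
        if not blocks:
            # Next Class C network in sequence (200.100.2.0/24, 200.100.3.0/24, ...)
            supernet = ipaddress.ip_network(f"{supernet.broadcast_address + 1}/24")
            blocks = list(supernet.subnets(new_prefix=prefixlen))
        plan.append((name, hosts, blocks.pop(0)))
    return plan


def class_c_count(plan):
    """Distinct /24s the plan consumes, i.e. networks still leased from the ISP."""
    return len({net.supernet(new_prefix=24) for _, _, net in plan})


def wasted_addresses(hosts, prefixlen=24):
    """Addresses left unused when a segment of `hosts` gets a whole prefix."""
    return usable_hosts(prefixlen) - hosts


if __name__ == "__main__":
    plan = allocate(SEGMENTS)
    for name, hosts, net in plan:
        print(f"{name:18} {hosts:3} hosts -> {net}")
    print("Class C networks needed:", class_c_count(plan))
```

Running it reproduces the twelve /26 networks of Table 16-3 and reports three Class C networks, matching the answer key.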
9. Recommend routing protocols that support variable-length subnet masks (VLSM).
The network is small. Recommend Enhanced Interior Gateway Routing Protocol
(EIGRP). Do not recommend OSPF because of its configuration complexity.
10. Recommend using 1 wireless LAN controller (WLC) and two wireless access points
(AP) on each floor for redundancy. Use a VLAN that spans floors 6 through 10.
Change the router to a Layer 3 switch. Use the router for WAN access.
11. Figure 16-2 shows the diagram. The router is replaced by the L3 switch with 10 Gigabit Ethernet to provide high-speed switching between LANs. Dual links are used to
provide redundancy between the access layer and the core/distribution layer. Each
floor has an IP subnet plus a subnet for the WLAN and another for the data center.
Each floor has two access points for redundancy and access switches with 10 Gigabit
Ethernet uplinks to the data center. Servers can connect using Gigabit Ethernet.
[Figure 16-2 (diagram): WAN, Data Center, WLAN Access Controller, Layer 3 Switching, Redundant Links, Floor Switches 1 Through 5, WLAN Access Points, Floor Switches 6 Through 10]
Figure 16-2 Pearland Hospital Proposed Network Solution
Scenario Two: Big Oil and Gas
Mr. Drew is an IT director at Big Oil and Gas, a medium-sized petrochemical company
based in Houston. It also has operations in the Gulf of Mexico and in South America. Mr.
Drew is in charge of the network infrastructure, including routers and switches. His group
includes personnel who can install and configure Cisco routers and switches.
The Big Oil and Gas CIO wants to begin migrating from the voice network to a Unified
Communications (UC) solution to reduce circuit and management costs. Existing data
WAN circuits have 50 percent utilization or less but spike up to 80 percent when sporadic
FTP transfers occur.
Mr. Drew hands you the diagram shown in Figure 16-3. The existing data network includes
35 sites with approximately 30 people at each site. The network is Multiprotocol Label
Switching (MPLS) WAN, with approximately 200 people at the headquarters. The WAN
links range from 384-kbps circuits to T1 speeds. Remote-site applications include statistical files and graphical-site diagrams that are transferred using FTP from remote sites to the
headquarters.
[Figure 16-3 (diagram): Headquarters, MPLS WAN, 35 Remote Sites]
Figure 16-3 Big Oil and Gas Current Network
Mr. Drew wants a UC solution that manages the servers at headquarters but still provides
redundancy or failover at the remote site. He mentions that he is concerned that the FTP
traffic might impact the VoIP traffic. He wants to choose a site to implement a test before
implementing UC at all sites.
Scenario Two Questions
The following questions/directives refer to scenario two:
1. What are the business requirements for Big Oil and Gas?
2. Are there any business-cost constraints?
3. What are the network’s technical requirements?
4. What are the network’s technical constraints?
5. Approximately how many IP phones should the network support?
6. What type of UC architecture should you propose?
7. What quality of service (QoS) features would you propose for the WAN?
8. What PoE recommendations would you make?
9. Would you propose a prototype or a pilot?
10. What solution do you suggest for voice redundancy at the remote sites?
11. Diagram the proposed solution.
Scenario Two Answers
1. The company wants to provide voice services in a converged network.
2. The solution should provide reduced costs over the existing separate voice and
data networks.
3. The technical requirements are as follows:
■ Provide UC over the data network.
■ Provide voice redundancy or failover for the remote sites.
■ Prevent FTP traffic from impacting the voice traffic.
4. The technical constraint is as follows:
■ Call-processing servers need to be located at headquarters, and IP phones need to
continue to work even if the WAN goes down or has limited bandwidth.
5. There are 200 IP phones at headquarters, and 35 * 30 = 1050 remote IP phones, for a
total of 1250 IP phones.
6. Propose the WAN centralized call-processing architecture with a CallManager (CM)
cluster at headquarters.
7. Use low-latency queuing (LLQ) on the WAN links to give the highest priority to voice
traffic. Then define traffic classes for regular traffic and FTP traffic. Make bandwidth
reservations for the voice traffic and maximum bandwidth restrictions for the FTP
traffic. Call Admission Control (CAC) is recommended to limit the number of calls
from and to a remote site. CAC should be used to reroute calls to the public switched
telephone network (PSTN) if there is no available bandwidth to support a new call.
For example, you can limit calls at sites with 384k links to only three calls via the
WAN. Any additional call gets routed to the PSTN.
8. Recommend standards-based Power over Ethernet (PoE), also known as IEEE 802.3af,
for the switches to provide power to the IP phones.
9. To prove that calls can run over the WAN links, implement a pilot site. The pilot
would test the design’s functionality over the WAN with or without FTP traffic.
10. Recommend the use of Survivable Remote Site Telephony (SRST) to provide voice
services in the event of WAN failure, and reroute calls to the PSTN.
11. Figure 16-4 shows the diagram, which shows headquarters and two remote sites for
clarity. This architecture is duplicated for all remote sites. Each site uses a voice router
that is connected to both the IP WAN and the PSTN. SRST provides voice survivability in the case of WAN failure. A CM cluster is implemented at the headquarters. The
Cisco Unified Communications Manager (CUCM) servers are in the data center in a
redundant network.
[Figure 16-4 (diagram): Headquarters with Centralized CallManager Cluster, IP WAN Router/GW with DSP, and PSTN; IP WAN; two Remote Sites, each with an IP WAN Router/GW running SRST]
Figure 16-4 Headquarters and Two Remote Sites
Scenario Three: Beauty Things Store
Beauty Things is a chain of stores that sell beauty supplies. Its headquarters is in Houston,
Texas, and more than 60 stores are located throughout the United States. The CIO tells
you that they are in the middle of a WAN migration from Frame Relay to MPLS. It will be
completed in two months. Most WAN links are less than 384 kbps.
After the W