www.CareerCert.info




                 Designing for Cisco
                 Internetwork Solutions
                 (DESGN) v2.0




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0-1

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.




                 Course Introduction



                 Designing for Cisco Internetwork Solutions v2.0








                 Learner Skills and Knowledge

                          Prerequisite skills and knowledge:
                             – Cisco CCNA® certification
                                  Recommended training: Introduction to Cisco Network Technologies
                                  Recommended training: Interconnecting Cisco Network Devices
                             – Building Cisco Multilayer Switched Networks level knowledge of
                               wireless and QoS topics
                                  Recommended training: Building Cisco Multilayer Switched Networks
                             – Practical experience with deploying and operating networks
                               based on Cisco network devices and Cisco IOS Software






               Course Goal
               “To enable learners to gather customer internetworking
                  requirements, identify solutions, and design the
                  network infrastructure and services to ensure the
                  basic functionality of the proposed solutions”



                  Designing for Cisco Internetwork Solutions v2.0








                 Course Flow

                 Day 1
                    AM: Course Introduction; Applying a Methodology to Network Design
                    PM: Structuring and Modularizing the Network
                 Day 2
                    AM: Designing Basic Campus and Data Center Networks
                    PM: Designing Remote Connectivity
                 Day 3
                    AM: Designing IP Addressing and Selecting Routing Protocols
                    PM: Evaluating Security Solutions for the Network
                 Day 4
                    AM: Identifying Voice Networking Considerations
                    PM: Identifying Wireless Networking Considerations
                 Day 5
                    AM: Implementing and Operating the Network; Final Case Study
                    PM: Final Case Study

                 (Lunch separates the AM and PM sessions each day.)








                 Cisco Icons and Symbols








                 Cisco Icons and Symbols (Cont.)








                 Cisco Certifications








                 Cisco Career Certifications

                 DESGN: certification for associate-level recognition in network design

                 Certification     Level
                 CCDE              Expert
                 CCDP              Professional
                 CCDA              Associate

                 Required Exam     Recommended Training Through Cisco Learning Partners
                 640-863 DESGN     Designing for Cisco Internetwork Solutions
                                   Building Cisco Multilayer Switched Networks
                 640-801 CCNA      Interconnecting Cisco Network Devices
                                   Introduction to Cisco Network Technologies



          http://www.cisco.com/go/certifications











                 Applying a
                 Methodology to
                 Network Design


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0








                 Applying a
                 Methodology to
                 Network Design


                 Introducing the Cisco Service-Oriented Network Architecture








                 Growth of Applications

                 [Figure: a cloud of application and integration technologies that an enterprise
                 network must now carry. Terms shown: Telephony, EDI, Custom Protocol, Business
                 Intelligence, Partners, Compression, Business-to-Business Links, ASP, Web Service,
                 Field Organizations, Business Rules, Message Broker, Data Center Transformation,
                 Mobile Services, Branch Offices, .Net, Business-to-Business Gateway, ESB,
                 Distribution, Standards, Database Lookup, Load Balancing, Security, MQ Series,
                 Extranet, J2EE, Remote Environments, Event Capture, Compliance, Legacy Applications,
                 EAI, Logging, RFID, Adapters.]








                 IT Evolution—
                 From Connectivity to Intelligent Systems








                 New Business Requirements








                 Intelligence in the Network








                 Cisco Service-Oriented Network
                 Architecture Framework

                          SONA is an architectural framework.
                          SONA brings several advantages to enterprises:
                             – Outlines how enterprises can evolve toward a more intelligent
                               network
                             – Illustrates how to build integrated systems across a fully
                               converged intelligent infrastructure
                             – Improves flexibility and increases efficiency








                 Cisco SONA Layers








                 Overview of Cisco SONA Offerings








                 Benefits of SONA

                 Benefit            Description
                 Functionality      Supports organizational requirements
                 Scalability        Supports growth and expansion of organizational tasks
                 Availability       Provides necessary services reliably, anywhere, anytime
                 Performance        Provides responsiveness, throughput, and utilization on a
                                    per-application basis
                 Manageability      Provides control, performance monitoring, and fault detection
                 Efficiency         Provides network services with reasonable operational costs
                                    and appropriate capital investment







                 Summary

                          Drivers for a new network architecture include these factors:
                           – Growth of applications
                           – IT evolution from connectivity to intelligent systems
                           – Increased business expectations for networks
                          Cisco’s vision of intelligence in the network aligns network and
                          business requirements in three phases:
                           – Phase 1 is integrated transport.
                           – Phase 2 is integrated services.
                           – Phase 3 is integrated applications.
                          Cisco SONA is the enterprise framework for building intelligence
                          in the network:
                           – Layer 1 is the integrated infrastructure layer.
                           – Layer 2 is the interactive services layer.
                           – Layer 3 is the application layer.









                 Identifying Design
                 Requirements



                 Applying a Methodology to Network Design








                 PPDIOO Network Life-Cycle Approach








                 Benefits of the Life-Cycle Approach








                 Design Methodology Under PPDIOO

                 Three steps in the design methodology:
                    1. Identify the customer requirements.
                    2. Characterize the existing network and sites.
                    3. Design the topology and network solutions.








                 Identifying Customer Requirements








                 Identifying Planned Applications

                 Application Type     Application     Criticality (Critical/Important/Unimportant)     Comments
                 E-mail
                 Groupware
                 Web browsing
                 Video on demand
                 Database
                 Customer support







                 Example: Planned Applications

                 Application Type     Application                                   Criticality     Comments
                 E-mail               Microsoft Outlook                             Important
                 Groupware            Cisco Unified MeetingPlace                    Important       We need to be able to share presentations
                                                                                                    and applications during remote meetings.
                 Web browsing         Microsoft Internet Explorer, Opera, Netscape  Important
                 Video on demand      IP/TV                                         Critical
                 Database             Oracle                                        Critical        All data storage will be based on Oracle.
                 Customer support     Customer applications                         Critical





                 Identifying Planned Infrastructure Services

                 Service                 Comments
                 Security
                 QoS
                 Network management
                 High availability
                 IP telephony
                 Mobility








                 Example: Planned Infrastructure Services

                 Service                 Comments
                 Security                Deploy security systematically, including firewalls, intrusion detection
                                         systems (IDSs), and access control lists (ACLs)
                 QoS                     Give priority to delay-sensitive voice traffic and other important traffic
                 Network management      Use centralized management tools where appropriate and point-product
                                         management as required
                 High availability       Eliminate single points of failure and use redundant paths as needed
                 IP telephony            Want to migrate the company from regular telephony
                 Mobility                Need client laptop guest access along with mobility of employee PCs








                 Identifying Organizational Goals

                 Organizational goal / Gathered data / Comments
                          Increase competitiveness
                             – Gathered data: List competitive organizations and their abilities
                             – Comments: Point out possibilities to increase competitiveness
                          Reduce costs
                             – Gathered data: List current expenses
                             – Comments: Point out cost-reduction possibilities
                          Improve customer support
                             – Gathered data: List current customer support
                             – Comments: Point out possible steps to improve customer support
                          Add new customer services
                             – Gathered data: List current customer services
                             – Comments: List future desired services








                 Example: Organizational Goals

                 Organizational goal / Gathered data (existing situation) / Comments
                          Increase competitiveness
                             – Gathered data: Corporation Y, Corporation Z
                             – Comments: Better products; reduce costs
                          Reduce costs
                             – Gathered data: Enter data multiple times; time-consuming tasks
                             – Comments: Single data-entry point; easy-to-learn application; simple data exchange
                          Improve customer support
                             – Gathered data: Order tracking and technical support supported by individuals
                             – Comments: Web-based order tracking; web-based customer technical support tools
                          Add new customer services
                             – Gathered data: Telephone and fax orders; telephone and fax confirmation
                             – Comments: Secure web-based ordering; secure web-based confirmations








                 Assessing Organizational Constraints

                 Organizational constraint / Gathered data / Comments
                          Budget
                             – Gathered data: Amount of money to spend
                             – Comments: Identify the amount of money the organization is willing to spend
                          Personnel
                             – Gathered data: List available personnel and their expertise
                             – Comments: Specify the number of network engineers who have to attend the additional training
                          Policy
                             – Gathered data: List preferred standards, protocols, vendors, applications
                             – Comments: Determine if the organization is willing to buy equipment from a new vendor
                          Scheduling
                             – Gathered data: Specify time frame
                             – Comments: Use tools for resource assignment, milestones, critical-path analysis








                 Example: Organizational Constraints

                 Organizational constraint / Gathered data (existing situation) / Comments
                          Budget
                             – Gathered data: $650,000
                             – Comments: Budget can be extended by a maximum of $78,000
                          Personnel
                             – Gathered data: Engineers with Cisco CCNA® certificates and Cisco CCNP® certificates
                             – Comments: Plans to hire new engineers in the network department; needs a technical development plan
                          Policy
                             – Gathered data: Prefers a single vendor and standardized protocols
                             – Comments: Current equipment is Cisco; prefers to stay with it
                          Scheduling
                             – Gathered data: Plans to introduce new applications in the next nine months
                             – Comments: New applications include video conferencing, groupware, and IP telephony








                 Identifying Technical Goals

                 Technical goal / Importance / Comments
                          Responsiveness and throughput
                          Availability
                          Manageability
                          Security
                          Adaptability
                          Scalability
                          Total importance: 100





                 Example: Technical Goals

                 Technical goal / Importance / Comments
                          Performance: 20 (important at the central site, less important in branch offices)
                          Availability: 25 (should be 99.9 percent)
                          Manageability: 5
                          Security: 15 (security for critical data transactions is extremely important)
                          Adaptability: 10
                          Scalability: 25 (scalability is critical)
                          Total importance: 100





                 Example: Technical Constraints

                 Technical constraint / Gathered data / Comments
                          Existing wiring
                             – Gathered data: Coaxial cabling
                             – Comments: Replace existing coaxial cabling. Use twisted pair to the desktop and fiber optics for uplinks and in the backbone.
                          Bandwidth availability
                             – Gathered data: 64-kbps WAN links
                             – Comments: Upgrade speeds; consider another service provider with additional services to offer.
                          Application compatibility
                             – Gathered data: IPv6-based applications
                             – Comments: Make sure new network equipment supports IPv6.








                 Summary

                          The PPDIOO approach reflects the life cycle phases of a standard
                          network.
                          The design methodology under PPDIOO includes these
                          processes:
                             – Identifying customer requirements
                             – Characterizing the existing network and sites
                             – Designing the network topology and solutions
                          Key steps in identifying customer requirements include these:
                             – Identifying network applications and services
                             – Defining organizational goals and constraints
                             – Defining technical goals and constraints










                 Characterizing the
                 Existing Network
                 and Sites


                 Applying a Methodology to Network Design








                 Characterizing the Existing Network
                 and Sites

                          Gather documentation and query the organization.
                          Perform a site and network assessment to help detail the network.
                          Consider performing traffic analysis on the existing network and
                          applications.








                 Identifying Major Features of the Network

                          Collect the information about the planned and existing network
                          infrastructure:
                             – Site contact information
                             – Network topology such as network devices, physical and
                               logical links, external connections, encapsulations,
                               bandwidths, IP addressing, routing protocols
                             – Network services such as security, QoS, high availability,
                               IP telephony, storage, and wireless
                             – Network applications such as unified communications and
                               video delivery
                          Collect the information about expected network functionality.
                          Identify network modules based on the given information.






                 Sample Site Contact Questions

                          What is the site location or name?
                          What is the site address?
                          What is the shipping address?
                          Who is the site contact?
                          Is this site owned and maintained by the customer?
                          Is this a staffed site?
                          What are the hours of operation?
                          What are the building or room access procedures?
                          Are there any special security or safety procedures?
                          Are there any union or labor requirements or procedures?
                          What are the locations of the equipment cabinets and racks?






                 Example: Customer Network Diagram








                 Network Assessment Information
                 Sources








                 Example: Network Assessment








                 Network Assessment Tools

                          Manual assessment:
                             – Use monitoring commands on network devices on small networks.
                             – Use scripting tools to collect information on large networks.
                          Use existing management and auditing tools:
                             – CiscoWorks
                             – Third-party tools such as WhatsUp Gold, Castle Rock SNMPc,
                               open source Cacti, Netcordia NetMRI, and NetQoS NetVoyant
                          Use other tools to collect relevant information for the network devices:
                             – Third-party tools such as Network General Sniffer, AirMagnet
                               software and devices, and WildPackets AiroPeek








                 Commands for Manual Information
                 Collection








                 Example: Manual Information
                 Collection—Router CPU Utilization








                 Example: Manual Information
                 Collection—Router Memory Utilization








                 Example: Automatic Information
                 Collection—Cacti Device List








                 Example: Automatic Information
                 Collection—NetMRI Inventory








                 Network Traffic Analysis

                          Use organizational input to identify the applications used in the
                          existing network and their relative importance.
                          Perform a traffic analysis to reveal additional applications used in
                          the network.
                          Use the results and organizational input to define QoS and
                          security-related requirements for discovered applications.








                 Steps in Analyzing Network Traffic








                 Example: Traffic Analysis

                 Application No. 8:
                          Description:   Accounting software
                          Protocol:      TCP port 5151
                          Servers:       2
                          Clients:       50
                          Scope:         Campus
                          Importance:    High
                          Average rate:  50 kbps with 10-second bursts to 1 Mbps
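Added example (not from the course material) showing how the Network Traffic Analysis steps produce an application sheet like the one above from NetFlow-style flow records: known applications come from organizational input, and traffic on ports the organization did not name is reported as unidentified so its QoS and security requirements can be settled. The campus prefix, the KNOWN_APPS list, the observation window and the flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs for this example (not from the course material):
# campus address space, applications named by the organization, and the
# observation window over which the constructed flow records were exported.
CAMPUS_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]
KNOWN_APPS = {("tcp", 5151): ("Accounting software", "High")}  # organizational input
WINDOW_S = 300

# Constructed NetFlow-style records: (src_ip, dst_ip, proto, dst_port, bytes, duration_s).
# Direction is client -> server, the way a collector would summarise each flow.
FLOWS = [
    ("10.1.1.10", "10.1.9.5", "tcp", 5151, 1_250_000, 10),   # 10 s burst at 1 Mbps
    ("10.1.1.11", "10.1.9.5", "tcp", 5151, 150_000, 120),
    ("10.1.1.12", "10.1.9.6", "tcp", 5151, 100_000, 200),
    ("10.1.1.10", "10.1.9.6", "tcp", 5151, 50_000, 30),
    ("10.1.2.20", "10.1.9.7", "tcp", 80, 500_000, 60),       # not on the organization's list
    ("10.1.2.21", "203.0.113.8", "udp", 53, 2_000, 1),        # leaves the campus
]


def in_campus(ip: str) -> bool:
    """True when the address falls inside one of the campus prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_PREFIXES)


def profile_flows(flows, window_s: int = WINDOW_S) -> dict:
    """Aggregate flows into one profile per (proto, dst_port) with the same
    fields as the application sheet.  Applications absent from KNOWN_APPS
    are reported so the organization can confirm, prioritise or block them."""
    acc = defaultdict(lambda: {"servers": set(), "clients": set(),
                               "bytes": 0, "peak_bps": 0.0, "off_campus": False})
    for src, dst, proto, port, nbytes, dur in flows:
        a = acc[(proto, port)]
        a["servers"].add(dst)
        a["clients"].add(src)
        a["bytes"] += nbytes
        a["peak_bps"] = max(a["peak_bps"], nbytes * 8 / max(dur, 1))
        if not (in_campus(src) and in_campus(dst)):
            a["off_campus"] = True

    profiles = {}
    for key, a in acc.items():
        desc, importance = KNOWN_APPS.get(
            key, (f"Unidentified ({key[0]}/{key[1]})", "To be confirmed"))
        profiles[key] = {
            "description": desc,
            "protocol": f"{key[0].upper()} port {key[1]}",
            "servers": len(a["servers"]),
            "clients": len(a["clients"]),
            "scope": "WAN" if a["off_campus"] else "Campus",
            "importance": importance,
            "avg_kbps": a["bytes"] * 8 / window_s / 1000,   # mean over the window
            "peak_kbps": a["peak_bps"] / 1000,              # busiest single flow
        }
    return profiles


def render(profile: dict) -> str:
    """Format one profile like the sheet on the slide."""
    return "\n".join([
        f"Description:  {profile['description']}",
        f"Protocol:     {profile['protocol']}",
        f"Servers:      {profile['servers']}",
        f"Clients:      {profile['clients']}",
        f"Scope:        {profile['scope']}",
        f"Importance:   {profile['importance']}",
        f"Average rate: {profile['avg_kbps']:.0f} kbps, peak {profile['peak_kbps']:.0f} kbps",
    ])


if __name__ == "__main__":
    for key, prof in sorted(profile_flows(FLOWS).items()):
        print(f"--- {key[0]}/{key[1]} ---\n{render(prof)}\n")
```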








                 Network Analysis Tools

                          Cisco IOS Software analysis capabilities:
                           – NBAR
                           – NetFlow
                          Cisco software-based network analyzers:
                           – Cisco CNS NetFlow Collection Engine
                          Third-party tools, such as:
                           – Open source Cacti
                           – Network General Sniffer
                           – WildPackets EtherPeek and AiroPeek
                           – SolarWinds Orion
                           – Wireshark
                           – RMON probes





                 Example: NBAR Printout








                 Example: Cisco IOS NetFlow Printout








                 Example: Cacti Graph








                 Example: SolarWinds Orion








                 Summary Report

                 Characterization of the existing network results in a
                 summary report that is used to:
                          Describe the software features required in the network
                          Describe possible problems in the existing network
                          Identify the actions needed to prepare the network for the
                          implementation of the required features
                          Influence the customer requirements




                 Example: Equipment Summary Report

                 The network uses 895 routers:
                          655 routers use Cisco IOS Software Release 12.2(10).
                          240 routers use an older Cisco IOS Software version.




                 Example: Summary Report
                 Problem Statement

                          Requirement: Queuing in the WAN
                          Identified problem:
                           – Existing Cisco IOS Software version does not support new
                             queuing technologies.
                           – 15 out of 19 routers with older Cisco IOS Software are in the
                             WAN.
                           – 12 out of 15 routers do not have enough memory to upgrade to
                             Cisco IOS Software Release 12.3 or later.
                           – 5 out of 15 routers do not have enough flash memory to
                             upgrade to Cisco IOS Software Release 12.3 or later.




                 Example: Summary Report
                 Recommendations

                          Recommended action:
                             – 12 memory upgrades to 64 MB
                             – 5 flash memory upgrades to 16 MB
                          Options:
                             – Replace hardware and software to support queuing.
                             – Find an alternative mechanism for that part of the network.
                             – Find an alternative mechanism and use it instead of queuing.
                             – Evaluate the consequences of not implementing the required
                               feature in that part of the network.




                 Documenting an Existing Network




                 Network Characterization Hour
                 Estimates

                 Hours per task (low–high) by network size, measured in switches/routers:

                 Task                                          Small      Medium     Large      Huge
                                                               1–20       20–200     200–800    >800
                 a) Interview management team                  4–4        8–8        12–12      16–16
                 b) Interview network team                     4–4        6–6        8–12       24–24
                 c) Review documentation                       4–4        6–6        8–12       16–16
                 d) Set up network discovery tool              4–4        6–6        8–8        16–16
                 e) Resolve SNMP access and similar problems   4–4        8–16       16–48      80–160
                 f) Allow tools to gather data
                 g) Analyze captured data                      4–8        16–16      24–24      40–40
                 h) Prepare high-level Layer 3 diagrams        4–4        4–8        8–16       16–32
                 i) Prepare report stating conclusions         16–16      32–32      48–48      80–80
                 j) Incrementally prepare network diagrams
                 Estimated manpower in hours                   44–48      86–98      132–180    288–384




                 Summary

                          Characterizing an existing network entails gathering as much
                          information about the network as possible. Organization input, a
                          network audit, and traffic analysis provide the key information that
                          you need.
                          Identifying major features of the network involves gathering
                          network documentation and querying the organization.
                          The auditing process adds detail to the initial network
                          documentation that you created from existing documentation and
                          customer input.
                          You can manually audit a small network, but you typically need
                          automated tools to audit a large network.
                          Traffic analysis verifies the set of applications and protocols used
                          in the network and determines the traffic patterns of the
                          applications.

                 Summary (Cont.)

                          Tools used for traffic analysis range from manual identification
                          of applications using Cisco IOS Software commands in
                          combination with NBAR or NetFlow to those where dedicated
                          software- or hardware-based analyzers capture live packets or
                          SNMP data.
                          The result of the network characterization is a summary report
                          describing the health of the network.




                 Using the Top-Down
                 Approach to Network
                 Design


                 Applying a Methodology to Network Design




                 Top-Down Design Practices

                                    Start your design here.




                                    Design down the OSI model.




                 Top-Down and Bottom-Up
                 Approach Comparison

                                   Top-Down Approach                       Bottom-Up Approach

                 Benefits          Incorporates organizational             Allows a quick response
                                   requirements                            to a design request
                                   Gives the big picture to                Facilitates design based
                                   organization and designer               on previous experience

                 Disadvantages     Incorporates organizational             Implements little or no notion
                                   requirements                            of actual organizational requirements
                                                                           May result in inappropriate
                                                                           network design




                 Example: Top-Down Voice Design




                 Creating a Network Decision Table

                          Decide which network layer requires decisions.
                          Gather possible options for a given situation.
                          Create a table that includes possible options and
                          given requirements.
                          Match given requirements with specific properties of
                          given options.
                          Select the option with the most matches as the most
                          appropriate one.




                 Example: Selecting a Routing Protocol

                                                       Options                               Required
                 Parameters                            EIGRP      OSPF      BGP              Network Parameters

                 Size of Network                       Large      Large     Very Large       Large
                 (Small/Medium/Large/Very Large)
                 Enterprise-Focused (Yes/No)           Yes        Yes       No               Yes
                 Use of VLSM (Yes/No)                  Yes        Yes       Yes              Yes
                 Supports Cisco Routers (Yes/No)       Yes        Yes       Yes              Yes
                 Network Support Staff Knowledge       Good       Fair      Poor             Good
                 (Good/Fair/Poor)
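The five decision-table steps from the previous slide, carried out on this routing-protocol table, as an added Python example (not Cisco course material). The scoring rule (one point per parameter whose option value equals the required value; highest total wins; a tie is reported rather than silently broken) and all function names are assumptions made here.

```python
"""Network decision table: match required network parameters against the
properties of candidate options and pick the option with the most matches.
Added example; the table data is transcribed from the DESGN routing-protocol
slide, the scoring rule is an assumption of this example."""
from typing import Dict, List, Tuple

# Step 2/3: parameter -> {option: property}, transcribed from the slide.
OPTIONS: Dict[str, Dict[str, str]] = {
    "Size of Network": {"EIGRP": "Large", "OSPF": "Large", "BGP": "Very Large"},
    "Enterprise-Focused": {"EIGRP": "Yes", "OSPF": "Yes", "BGP": "No"},
    "Use of VLSM": {"EIGRP": "Yes", "OSPF": "Yes", "BGP": "Yes"},
    "Supports Cisco Routers": {"EIGRP": "Yes", "OSPF": "Yes", "BGP": "Yes"},
    "Network Support Staff Knowledge": {"EIGRP": "Good", "OSPF": "Fair", "BGP": "Poor"},
}

# The "Required Network Parameters" column of the slide.
REQUIRED: Dict[str, str] = {
    "Size of Network": "Large",
    "Enterprise-Focused": "Yes",
    "Use of VLSM": "Yes",
    "Supports Cisco Routers": "Yes",
    "Network Support Staff Knowledge": "Good",
}


def option_names(options: Dict[str, Dict[str, str]]) -> List[str]:
    """All option names that appear anywhere in the table, in stable order."""
    return sorted({name for row in options.values() for name in row})


def score_options(options: Dict[str, Dict[str, str]],
                  required: Dict[str, str]) -> Dict[str, int]:
    """Step 4: one point for every parameter where the option's property
    equals the requirement (case-insensitive exact match)."""
    scores = {name: 0 for name in option_names(options)}
    for parameter, wanted in required.items():
        if parameter not in options:
            raise KeyError(f"no option data for requirement {parameter!r}")
        for name, value in options[parameter].items():
            if value.casefold() == wanted.casefold():
                scores[name] += 1
    return scores


def select_option(options: Dict[str, Dict[str, str]],
                  required: Dict[str, str]) -> Tuple[List[str], int]:
    """Step 5: the option(s) with the most matches and that match count.
    More than one winner means the table alone cannot decide."""
    scores = score_options(options, required)
    best = max(scores.values())
    return sorted(n for n, s in scores.items() if s == best), best


def unmatched(options: Dict[str, Dict[str, str]], required: Dict[str, str],
              name: str) -> List[str]:
    """Parameters on which one option misses the requirement (explains the score)."""
    return [p for p, w in required.items()
            if options[p][name].casefold() != w.casefold()]


def render_table(options: Dict[str, Dict[str, str]],
                 required: Dict[str, str]) -> str:
    """Step 3 output: the filled-in table as aligned text plus a Matches row."""
    names = option_names(options)
    scores = score_options(options, required)
    width = max(len(p) for p in list(options) + ["Matches"]) + 2
    lines = ["Parameter".ljust(width) + "".join(n.ljust(12) for n in names) + "Required"]
    for parameter, wanted in required.items():
        cells = "".join(options[parameter][n].ljust(12) for n in names)
        lines.append(parameter.ljust(width) + cells + wanted)
    lines.append("Matches".ljust(width) + "".join(str(scores[n]).ljust(12) for n in names))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(OPTIONS, REQUIRED))
    winners, best = select_option(OPTIONS, REQUIRED)
    print(f"\nSelected: {', '.join(winners)} ({best} of {len(REQUIRED)} matches)")
    for name in ("OSPF", "BGP"):
        print(f"{name} misses: {unmatched(OPTIONS, REQUIRED, name)}")
```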



                 Assessing the Scope of the Network
                 Design Process

                 Scope of Design        Comments

                 Entire network         All branch office LANs upgraded to support Fast Ethernet technology
                 Campus                 Redundant equipment and links
                                        Addition of wireless client mobility
                 WAN                    Solutions to overcome bottlenecks




                 Example: Assessing the Scope of the
                 Network Design Process

                          Application—Designing voice transport
                          Network—Designing routing, addressing
                          Physical, data link—Choosing connection type




                 Structured Design Principles




                 Cisco SONA Offerings




                 Network Design Tools




                 Planning an Implementation

                          If a design is composed of multiple complex components:
                             – Implement each component separately; do not implement
                               everything at once.
                          Incremental implementation:
                             – Reduces troubleshooting in case of failure
                             – Reduces time needed to revert to previous state
                               in case of failure




                 Major Implementation Components

                 Each step should contain the following information:
                          Description
                          Reference to design sections
                          Detailed implementation guidelines
                          Detailed roll-back guidelines in case of failure
                          Estimated time for implementation




                 Example: Summary Implementation Plan
                          Date, Time    Description                                 Implementation Details   Complete
                 Phase 3  04/02/2007    Install campus hardware                     Section 6.2.3
                 Step 1                 Connect switches                            Section 6.2.3.1
                 Step 2                 Install routers                             Section 6.2.3.2
                 Step 3                 Complete cabling                            Section 6.2.3.3
                 Step 4                 Verify data link layer                      Section 6.2.3.4
                 Phase 4  04/03/2007    Configure campus hardware                   Section 6.2.4
                 Step 1                 Configure VLANs                             Section 6.2.4.1
                 Step 2                 Configure IP addressing                     Section 6.2.4.2
                 Step 3                 Configure routing                           Section 6.2.4.3
                 Step 4                 Verify connectivity                         Section 6.2.4.4
                 Phase 5  04/05/2007    Launch campus updates into production       Section 6.2.5
                 Step 1   …             Complete connections to existing network    Section 6.2.5.1
                 Step 2                 Verify connectivity                         Section 6.2.5.2



                 Example: Detailed Implementation Plan

                 Section 6.2.7.3, “Configure routing protocols in the WAN
                 network module”:
                          Number of routers involved is 50.
                          Use template from section 4.3.1, “EIGRP details.”
                          Per router configuration:
                             – Use passive-interface command on all nonbackbone LANs.
                               (See section 4.2.3, “EIGRP details.”)
                             – Use summarization according to the design. (See section 4.2.3,
                               “EIGRP details,” and section 4.2.2, “Addressing details.”)
                          Estimated time is 10 minutes per router.
                          Roll-back procedure is not required.




                 Pilot vs. Prototype Networks

                          The pilot or prototype network is used as proof of concept
                          for the design:
                             – A pilot network tests and verifies the design before the
                               network is launched.
                             – A prototype network tests and verifies a redesign in an
                               isolated network before it is applied to the existing network.
                          Results:
                             – Success
                             – Failure




                 Example: Prototype Network




                 Detailed Structure of a Design Document




                 Summary

                          Designing an enterprise network is a complex project.
                          Top-down design facilitates the process by dividing it into smaller,
                          more manageable steps.
                          Decision tables facilitate the selection of the most appropriate
                          option from many possibilities.
                          In assessing the scope of a network design, determine whether
                          the design is for a new network or is a modification of the entire
                          network, a single segment or module, a set of LANs, a WAN,
                          or a remote-access network.
                          The output of the design should be a model of the complete
                          system. To achieve this, the top-down approach is highly
                          recommended.



                 Summary (Cont.)

                          When the design is complete, you are ready to document the
                          implementation and migration in as much detail as possible.
                          After a design is complete, you should verify it. You can test
                          the design in an existing or live network (pilot) or in a prototype
                          network that will not affect the existing network.
                          A design document lists the design requirements, documents
                          the existing network, documents the network design, identifies
                          the proof-of-concept strategy, and details an implementation plan.








                 Module Summary

                          Cisco SONA is the enterprise framework for implementing
                          intelligent networks and maps business requirements to network
                          requirements.
                          The design methodology under PPDIOO includes these tasks:
                             – Identifying customer requirements
                             – Characterizing the existing network and sites
                             – Designing the network topology and solutions
                          The result of network characterization is a summary report
                          describing the health of the network.
                          Top-down design facilitates network design.




                 Structuring and
                 Modularizing the
                 Network


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0




                 Designing the
                 Network Hierarchy



                 Structuring and Modularizing the Network




                 Layers in the Hierarchical Model




                 Example: Hierarchical Network




                 Access Layer

                          Concentration point at which clients access the network
                          Layer 2 switching in the access layer: Defines a single broadcast
                          domain
                          Multilayer switching in the campus access layer: Optimally
                          satisfies the needs of a particular user through routing, filtering,
                          authentication, security, or quality of service
                          Multilayer switching in the WAN access layer: Helps control WAN
                          costs using dial-on-demand routing (DDR) and static routing




                 Example: Access Layer Connectivity in
                 the Campus LAN




                     Workstations are attached to VLANs with Layer 2 switches.
                     Recommended practice: Implement one VLAN (IP subnet) per access switch.
                     Access switches connect to the distribution layer via Layer 3 links (if there is
                     only one VLAN per access switch) or via a VLAN trunk.
                     If needed, distribution routers route between VLANs.
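The following Cisco IOS configuration is an added example, not part of the DESGN course material, showing how the "one VLAN (IP subnet) per access switch" recommendation looks on a building access switch. VLAN numbers, interface names and IP addresses are constructed for illustration. It shows the routed-access variant (Layer 3 uplink) and, commented out, the Layer 2 trunk variant in which the distribution switch routes between VLANs.

```cisco
! Added example: hypothetical building access switch (constructed values).
! One user VLAN per switch; each VLAN maps to one IP subnet.
vlan 110
 name BLDG1-FLOOR1-USERS
!
! Workstation ports are access ports in the single user VLAN.
! PortFast brings ports up quickly; BPDU Guard shuts a port that
! receives spanning-tree BPDUs, so an end-user port cannot become
! part of the switch topology (defender's hardening, not on the slide).
interface range GigabitEthernet1/0/1 - 24
 description Workstation access ports, VLAN 110
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Option A: routed access. Because the switch carries only one VLAN,
! it can own the subnet gateway and connect to the distribution layer
! over a Layer 3 point-to-point link (no trunk, no spanning tree on the uplink).
ip routing
!
interface Vlan110
 description Gateway for user subnet 10.1.110.0/24
 ip address 10.1.110.1 255.255.255.0
!
interface GigabitEthernet1/0/25
 description Layer 3 uplink to distribution switch
 no switchport
 ip address 10.1.1.2 255.255.255.252
!
! Option B (use instead of Option A, not together): Layer 2 access.
! The uplink is an 802.1Q trunk carrying VLAN 110, and the distribution
! switch holds the SVI and routes between VLANs.
! interface GigabitEthernet1/0/25
!  description 802.1Q trunk to distribution switch
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 110
```

With Option A the routing protocol runs on the access switch; with Option B the distribution switch must carry `interface Vlan110` and its gateway address instead.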

                 Distribution Layer

                 Provides multilayer switching between access and core layers:
                          Provides media transitions
                          Aggregates bandwidth by concentrating multiple low-speed access links into a
                          high-speed core link
                          Determines department or workgroup access
                          Provides redundant connections for access devices
                 Implements policy-based decisions:
                          Filtering by source or destination address
                          Filtering on input or output ports
                          Hiding internal network numbers by route filtering
                          Static routing
                          Security
                          Quality of service mechanisms
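As an added example (not from the course material), the following hypothetical Cisco IOS configuration for a distribution-layer switch implements several of the policy-based decisions listed above: address-based filtering applied on an input port, hiding internal network numbers by route filtering toward the core, and a static route toward a stub site. Addresses, interface names, the EIGRP AS number and the subnet roles are constructed for illustration; QoS marking is omitted because its syntax is platform-specific.

```cisco
! Added example: hypothetical distribution switch (constructed values).
! Subnet roles assumed here:
!   10.1.110.0/24  user VLAN behind an access switch
!   10.1.100.0/24  general server farm
!   10.1.200.0/24  finance servers (restricted workgroup)
!   10.1.250.0/24  network management subnet (must not be advertised to the core)
!
! Filtering by source or destination address: the user subnet may reach
! the general server farm but not the finance servers. Denied packets
! are logged so the security team can see policy violations.
ip access-list extended DIST-POLICY-IN
 permit ip 10.1.110.0 0.0.0.255 10.1.100.0 0.0.0.255
 deny   ip 10.1.110.0 0.0.0.255 10.1.200.0 0.0.0.255 log
 permit ip any any
!
! Filtering on an input port: the policy is applied inbound on the
! access-facing link, so the core never has to evaluate it.
interface GigabitEthernet1/0/1
 description Layer 3 link from building access switch
 no switchport
 ip address 10.1.1.1 255.255.255.252
 ip access-group DIST-POLICY-IN in
!
interface GigabitEthernet1/1/1
 description Layer 3 uplink to campus core
 no switchport
 ip address 10.1.2.1 255.255.255.252
!
! Hiding internal network numbers by route filtering: the management
! subnet is withheld from advertisements sent toward the core, while
! the remaining 10.1.0.0/16 prefixes (up to /24) are advertised.
ip prefix-list TO-CORE seq 10 deny 10.1.250.0/24
ip prefix-list TO-CORE seq 20 permit 10.1.0.0/16 le 24
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 distribute-list prefix TO-CORE out GigabitEthernet1/1/1
!
! Static routing: a stub remote site reached through a WAN router at
! 10.1.1.6 needs no dynamic routing from this distribution switch.
ip route 10.2.0.0 255.255.0.0 10.1.1.6
```

The placement matters for the core-layer guidance later in this module: the access list and the distribute-list both live at the distribution layer, so the core only forwards already-filtered traffic and only learns the prefixes it is meant to see.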




                 Example: Distribution Layer in the
                 Routed Campus Network




                 Core Layer

                 The function of the core layer is to provide fast and
                 efficient data transport that:
                          Forms a high-speed backbone with fast transport services
                          Provides redundancy and fault tolerance
                          Offers good manageability




                 Note: The core layer should avoid packet manipulation
                 such as filtering or access list checking.



                 Example: Multilayer Switching in the
                 Campus Core




                 Example: Routing in the WAN Network




                 Summary

                          The hierarchical network model provides a modular view of a
                          network, making it easier to design and build a network.
                          The purpose of the access layer is to grant end-user access to
                          network resources.
                          The distribution layer provides aggregation for the access layer
                          devices and uplinks to the core layer. It is also used to enforce
                          policy within the network.
                          The core layer provides a high-speed, highly available backbone
                          designed to switch packets as fast as possible.




                 Using a Modular
                 Approach in
                 Network Design


                 Structuring and Modularizing the Network




                 Service-Oriented Network Architecture




                 Example: Cisco Enterprise Campus
                 Architecture




                 Cisco Enterprise Architecture




                 Example: Dividing the Network into
                 Areas




                 Enterprise Campus Infrastructure
                 Module




                 Building Access Layer




                 Building Distribution Layer




                 Campus Core Layer




                 Server Farm Module




                 Enterprise Edge Modules




                 E-Commerce Module




                 Internet Connectivity Module




                 Remote Access and VPN Module




                 WAN and MAN and Site-to-Site
                 VPN Module




                 Enterprise Edge Guidelines

                    1. Determine the connectivity needed to the Internet.
                     2. Create the e-commerce module if needed.
                    3. Design the remote access and VPN module if needed.
                    4. Design the WAN module to support connections to remote
                       enterprise locations if needed.




                 Service Provider Modules




                 Enterprise Remote Modules




                 Enterprise Branch Module




                 Enterprise Data Center Module




                 Enterprise Teleworker Module




                 Summary

                          Based on SONA, the Cisco Enterprise Architecture provides a
                          modular enterprise-wide hierarchical approach for providing
                          network infrastructure and services to all places in the network.
                          The enterprise campus infrastructure module includes the
                          campus infrastructure module and the server farm module.
                          The enterprise edge modules include the e-commerce module,
                          the Internet connectivity module, the remote access and VPN
                          module, and the WAN and MAN and site-to-site VPN module.
                          The remote enterprise modules include the remote branches,
                          data centers, and teleworkers.




                 Using Infrastructure
                 Services



                 Structuring and Modularizing the Network




                 Explaining the Role of Infrastructure
                 Services




                 Modularizing Internal Security




                 Reasons for Internal Security

                          The enterprise campus is protected by security functions in the
                          enterprise edge:
                             – If the enterprise edge security fails, the unprotected enterprise
                               campus is vulnerable.
                             – A potential attacker can gain physical access to the
                               enterprise campus.
                             – Some network solutions require indirect external access to the
                               enterprise campus.
                          All vital elements in the enterprise campus must be protected
                          independently.




                 External Threats




                 Designing High Availability

                          Analyze the business and technical goals.
                          Identify critical applications, systems, internetworking devices,
                          and links.
                          Document the trade-offs between redundancy and cost, and
                          between simplicity and complexity.
                          Duplicate any component whose failure could disable critical
                          applications.
                          Duplicate vital links and connect them to different devices.




                 Designing Route Redundancy

                 Design redundant routes:
                          Minimize the effect of link failures.
                          Minimize the effect of an internetworking device failure.
                 Make the connection redundant:
                          Parallel physical links between switches and routers
                          Backup LAN and WAN links
                 Make the network redundant:
                          Full mesh to provide complete redundancy and good performance
                          Partial mesh, which is cheaper and more scalable




                 Example: Campus Infrastructure
                 Redundancy




                                                    The building access network is partially meshed
                                                    with the building distribution switches.
                                                    The building access switch has a chance to recover
                                                    from a link or building distribution switch failure.


                 Example: Enterprise Edge Redundancy




                                                          The remote site establishes a backup connection
                                                          via an IPsec tunnel across the Internet.



                 High Availability in the Server Farm
                 Module

                          Single attachment—not recommended:
                             – Requires alternative mechanisms to dynamically find
                               an alternative router
                          Dual attachment to increase availability and prevent session loss:
                             – Attachment through a redundant transceiver
                             – Attachment through a redundant NIC
                          Fast EtherChannel and Gigabit EtherChannel port bundles
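The configuration below is an added example, not from the course material, of the last bullet: a Gigabit EtherChannel port bundle on a hypothetical server-farm switch for a dual-attached server. Interface names and the VLAN number are constructed. Unlike the redundant-transceiver and redundant-NIC options, where only one link is active at a time, a bundle keeps both links forwarding and survives the loss of either one without a session loss; the server side must negotiate LACP (802.3ad teaming) for this to work.

```cisco
! Added example: hypothetical server-farm switch (constructed values).
! Two physical server ports are bundled into one logical Port-channel.
interface range GigabitEthernet1/0/1 - 2
 description Dual-attached server, members of bundle 10
 switchport mode access
 switchport access vlan 100
 ! LACP "active" mode: the switch initiates negotiation with the server's
 ! 802.3ad team; a link that fails negotiation stays out of the bundle.
 channel-group 10 mode active
!
! The logical interface; its settings must match the member ports.
interface Port-channel10
 description Logical bundle for dual-attached server
 switchport mode access
 switchport access vlan 100
!
! Hash both source and destination IP so flows spread across both links
! and a single member failure only shifts traffic, not sessions.
port-channel load-balance src-dst-ip
```

If one member link fails, LACP removes it from the bundle and the Port-channel stays up on the remaining link; restoring the link re-adds it without reconfiguration.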




                 Example: Attachment Through a
                 Redundant Transceiver




                     Transceiver activates backup link on primary link failure.
                     Transceiver cannot detect failures beyond physical link.








                 Example: Attachment Through a
                 Redundant NIC




                     Device driver presents two NIC cards as a single logical interface.
                     This setup uses one MAC address on both interfaces.
                     Backup card is activated when the primary link is gone.







                 Voice Transport Overview

                          Two implementations:
                             – Voice over IP: Uses analog phones. Transports voice packets
                               over the IP network using voice-enabled routers.
                             – IP telephony: Implements voice in the network using Cisco
                               Unified CallManager and IP phones.
                          Both implementations require properly designed networks.
                          All modules of the enterprise network are involved in the voice
                          network solution.








                 IP Telephony Components








                 Modular Approach in Voice Network
                 Design








                 Example: Voice Network Solution








                 Evaluating the Existing Data
                 Infrastructure for Voice Design

                 Document and evaluate the existing data infrastructure
                 in each enterprise network module in terms of:
                          New voice performance requirements
                          Availability requirements
                          Feature requirements
                          Potential network capacity or impact








                 Wireless LAN Overview

                          Supports connecting mobile clients to the enterprise network
                          Transports packets over radio waves
                          Has connectivity and privacy issues not found in wired networks
                          Can have implications for all modules of the enterprise network








                 Centralized WLAN Model Components








                 Application Networking Services
                 Introduction

                          Traditional networks handled static web pages,
                          e-mail, and routine client-server applications.
                          Applications are evolving into complex and highly visible services.
                          Application deployment issues are emerging.
                             – Consolidation of data centers can result in lower productivity
                               for remote users.
                             – A web-based ordering system may suffer because of poor
                               responsiveness.
                             – Business partners may need immediate and secure electronic
                               access to back-office applications.
                             – A purchasing application may need to track large orders.







                 ANS Can Resolve Application Issues
                     Wide-area application services can compress, cache,
                     and optimize content.
                     Optimization of the web streams can reduce latency, suppress
                     unnecessary reloading of web objects, and offload the web server.
                     Security and remote connectivity services can validate requests,
                     route them appropriately, and encrypt and prioritize responses.
                     Application messaging services interpret purchase orders and log
                     large orders according to business policy rules.








                 Example: ANS Components








                 Summary

                          Network infrastructure services add intelligence to the network
                          infrastructure, supporting application awareness within the
                          network.
                          Security is a network infrastructure service that increases the
                          integrity of the network by protecting network resources and users
                          from internal and external threats.
                          High-availability services protect the integrity of mission-critical
                          information with networking platforms and topologies that offer a
                          sufficient level of resiliency.








                 Summary (Cont.)

                          Voice infrastructure services throughout the enterprise are
                          needed to support IP telephony.
                          Wireless services support mobile clients and integrate with the
                          wired network.
                          Cisco ANS optimizes website performance, content delivery, and
                          the security and connectivity of applications.












                 Identifying Network Management Protocols and Features


                 Structuring and Modularizing the Network








                 Network Management Overview








                 SNMP Overview

                          Manager:
                             – Polls agents on the network
                             – Correlates and displays information
                          SNMP:
                             – Supports message exchange
                             – Runs on IP
                          Agent:
                             – Collects and stores information
                             – Responds to manager requests for information
                             – Generates traps
                          MIB:
                             – Database of objects (information variables)
                             – Read and write community strings for controlling access








                 SNMPv1 Message Types








                 SNMP Version 2

                          SNMPv2 introduced in RFC 1441
                          SNMPv2C defined in RFC 1901
                          SNMPv2 new features:
                             – Get Bulk Request
                             – Inform Request
                             – Data types with 64-bit values








                 SNMP Version 3

                          RFCs 3410 through 3415
                          Authentication and privacy
                          Authorization and access control
                          Usernames and key management
                          Remotely configurable via SNMP operations
                          Available since Cisco IOS Software Release 12.0








                 MIB Definition

                      Collection of managed objects
                      Each object has a unique identifier
                      Objects are grouped into a “tree”
                      Standard MIBs = RFC xxxx
                      Private MIBs








                 Example: Cisco Router MIB

                          Standard managed objects:
                             – Interfaces
                             – Buffers
                             – Memory
                             – Standard protocols
                          Private managed objects:
                             – Small, medium, large, and huge buffers
                             – Primary and secondary memory
                             – Proprietary protocols
                          Private extensions to MIB-II:
                             – 1.3.6.1.4.1.9
                               or
                             – iso.org.dod.internet.private.enterprise.cisco
                          Definitions available at
                          http://www.cisco.com/public/mibs




                 Example: Variable Retrieval

                Base format to retrieve the number of errors on an interface:
                   iso  org  dod  internet  mgmt  mib  interface  ifTable  ifEntry  ifOutErrors
                   1    3    6    1         2     1    2          2        1        20
                   (1.3.6.1.2.1.2.2.1.20)

                Specific format to retrieve the number of errors on the first interface:
                   iso  org  dod  internet  mgmt  mib  interface  ifTable  ifEntry  ifOutErrors  Instance
                   1    3    6    1         2     1    2          2        1        20           0
                   (1.3.6.1.2.1.2.2.1.20.0)








                 RMON1
                     Supports proactive monitoring of LAN traffic:
                        – Network fault diagnosis
                        – Planning
                        – Performance tuning
                     Works on MAC layer data:
                        – Monitors only the aggregate LAN traffic
                          for remote LAN segments
                        – Traffic statistics and analysis
                     Implemented on agents:
                        – Routers, switches, hubs, servers, hosts,
                          and dedicated probes







                 RMON1 Groups (RFC 1513 and 2819)








                 RMON2








                 RMON2 (RFC 2021)








                 NetFlow Infrastructure








                 NetFlow vs. RMON Information
                 Gathering
                          NetFlow can be configured on individual interfaces.
                          NetFlow gathers more detailed information:
                             – Source and destination interface numbers
                             – Source and destination IP addresses
                             – TCP/UDP source and destination ports
                             – Number of bytes and packets in the flow
                             – Source and destination autonomous system (AS) numbers
                             – IP type of service
                          NetFlow provides greater scalability, customized data
                          collection, and a lower performance impact.






                 Applications Using NetFlow

                          Accounting and billing
                          Network planning and analysis
                          Network and security monitoring
                          Application monitoring and profiling
                          User monitoring and profiling
                          NetFlow data warehousing and mining
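The two NetFlow slides list the fields a flow record carries and the uses the data is put to (accounting, planning, security monitoring, application profiling). The example below is added here for this deck and is not Cisco's code or the NetFlow export format: it defines a record with just the fields named on the slide, merges records of the same flow, and derives three of the listed views, including the fan-out count a security monitor would raise for review. All records are constructed samples and the function names are this example's own.

```python
"""Flow aggregation and the monitoring views the deck lists for NetFlow data.

Added example for this deck, not Cisco's code or the NetFlow export format: the
record fields mirror those named on the 'NetFlow vs. RMON' slide, and every record
below is a constructed sample."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    in_if: int        # source (input) interface number
    out_if: int       # destination (output) interface number
    src: str          # source IP address
    dst: str          # destination IP address
    proto: str        # "tcp" or "udp"
    sport: int        # source port
    dport: int        # destination port
    packets: int
    bytes: int
    src_as: int       # source autonomous system number
    dst_as: int       # destination autonomous system number
    tos: int          # IP type of service byte


def _rec(src, dst, proto, sport, dport, packets, nbytes, src_as=65001, dst_as=65002, tos=0):
    return FlowRecord(1, 2, src, dst, proto, sport, dport, packets, nbytes, src_as, dst_as, tos)


# Constructed sample export: one HTTPS session exported over two intervals, some
# internal traffic, and one external host touching many ports on a single server.
SAMPLE_RECORDS = [
    _rec("10.1.1.10", "203.0.113.5", "tcp", 51000, 443, 120, 98000),
    _rec("10.1.1.10", "203.0.113.5", "tcp", 51000, 443, 80, 64000),
    _rec("10.1.1.10", "203.0.113.7", "tcp", 51001, 80, 40, 30000),
    _rec("10.1.1.20", "10.2.2.5", "tcp", 52000, 445, 500, 600000, dst_as=65001),
    _rec("10.1.1.20", "10.2.2.5", "udp", 52001, 53, 10, 1200, dst_as=65001),
] + [
    _rec("192.0.2.99", "10.2.2.5", "tcp", 40000 + i, port, 1, 60, src_as=64500)
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 3389, 8080])
]


def flow_key(r: FlowRecord):
    """The 5-tuple that identifies a flow; records sharing it belong to one flow."""
    return (r.src, r.dst, r.proto, r.sport, r.dport)


def aggregate(records):
    """Merge records of the same flow (a long flow is exported in several intervals)."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        t = totals[flow_key(r)]
        t[0] += r.packets
        t[1] += r.bytes
    return {k: tuple(v) for k, v in totals.items()}


def top_talkers(records, n=3):
    """Bytes sent per source address, largest first (accounting / planning view)."""
    per_src = defaultdict(int)
    for r in records:
        per_src[r.src] += r.bytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def bytes_by_dest_port(records):
    """Volume per destination port, a coarse application-profiling view."""
    per_port = defaultdict(int)
    for r in records:
        per_port[r.dport] += r.bytes
    return dict(per_port)


def port_fanout(records, threshold=5):
    """Sources with flows to at least `threshold` distinct (dst, dport) pairs.
    Many tiny flows to many ports is the pattern a security monitor flags for review."""
    targets = defaultdict(set)
    for r in records:
        targets[r.src].add((r.dst, r.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    print(top_talkers(SAMPLE_RECORDS))
    print(bytes_by_dest_port(SAMPLE_RECORDS))
    print(port_fanout(SAMPLE_RECORDS))
```

The same per-interface records feed all three views, which is the scalability argument on the previous slide: one collection, several consumers, no second probe per segment.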








                 Cisco Discovery Protocol

                 Upper-Layer Entry Addresses             TCP/IP   Novell IPX    AppleTalk   Others
                 Cisco Proprietary Data Link Protocol    CDP      CDP           CDP         CDP
                 Media Supporting SNAP                   LANs     Frame Relay   ATM         Others

            CDP = Cisco Discovery Protocol



                     Provides a summary of directly connected switches, routers, and other
                     Cisco devices
                     Discovers neighbor devices regardless of which protocol suite they are
                     running
                     Requires that physical media support SNAP encapsulation







                 Discovering Neighbors with Cisco Discovery
                 Protocol








                 Syslog Features

                      Devices produce syslog messages.
                      Syslog messages contain level and facility.
                      Common syslog facilities:
                         – IP
                         – OSPF protocol
                         – SYS operating system
                         – IP Security (IPsec)
                         – Route Switch Processor (RSP)
                         – Interface (IF)
                      Syslog levels:
                         – Emergency (level 0, highest level)
                         – Alert (level 1)
                         – Critical (level 2)
                         – Error (level 3)
                         – Warning (level 4)
                         – Notice (level 5)
                         – Informational (level 6)
                         – Debugging (level 7)








                 Example: Syslog Messages








                 Syslog Architecture




                         Centralized syslog daemon
                         Remote syslog daemons:
                           – Support for syslog filters
                           – Low bandwidth utilization
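The Syslog Features slide lists the facility and the eight severity levels a message carries, and the architecture slide above places filtering at the remote daemons to keep bandwidth to the central daemon low. The example below is added here for this deck and is not Cisco's code: it parses Cisco IOS syslog lines (the `%FACILITY-SEVERITY-MNEMONIC:` header), decodes the RFC 3164 `<PRI>` prefix as facility * 8 + severity, checks that the two severities agree, and applies a level/facility filter of the kind a remote daemon would run before forwarding. The log lines are constructed samples in the IOS format, and the hostnames, addresses and function names are this example's own.

```python
"""Parse Cisco IOS syslog records and apply a severity filter, the kind of filter a
remote syslog daemon runs before forwarding to the central daemon.

Added example for this deck, not Cisco's code. The log lines are constructed
samples in the IOS message format; PRI = facility * 8 + severity per RFC 3164,
and IOS sends with facility local7 (23) by default."""
import re

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debugging"}

# Constructed samples. The last line has no <PRI> prefix, as seen in a console or
# buffered log rather than on the wire.
SAMPLE_LOG = """\
<189>Mar  1 10:15:02 edge-rtr-1 105: Mar  1 10:15:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.25)
<187>Mar  1 10:16:44 edge-rtr-1 106: Mar  1 10:16:43.890: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
<189>Mar  1 10:16:45 edge-rtr-1 107: Mar  1 10:16:44.002: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
<190>Mar  1 10:17:10 edge-rtr-1 108: Mar  1 10:17:09.510: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4432) -> 10.10.1.5(23), 1 packet
<190>Mar  1 10:17:30 edge-rtr-1 109: Mar  1 10:17:29.300: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Mar  1 10:20:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.1.50 port 514 started - CLI initiated
"""

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
IOS_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")


def parse_record(line: str):
    """Return a dict for one IOS syslog line, or None if it is not an IOS message."""
    m = IOS_RE.search(line)
    if not m:
        return None
    rec = {"raw": line, "facility": m["facility"], "severity": int(m["severity"]),
           "mnemonic": m["mnemonic"], "text": m["text"]}
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    pri = PRI_RE.match(line)
    if pri:
        # PRI packs the syslog facility and severity as facility * 8 + severity.
        rec["syslog_facility"], rec["syslog_severity"] = divmod(int(pri["pri"]), 8)
        # The PRI severity should equal the level in the message header.
        rec["pri_consistent"] = rec["syslog_severity"] == rec["severity"]
    else:
        rec["syslog_facility"] = rec["syslog_severity"] = None
        rec["pri_consistent"] = True
    return rec


def parse_log(text: str):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def filter_records(records, max_level=4, facilities=None):
    """Keep records at or more severe than max_level (lower number = more severe),
    optionally only from the given IOS facilities. This is the syslog filter a
    remote daemon applies to keep bandwidth to the central daemon low."""
    return [r for r in records
            if r["severity"] <= max_level
            and (facilities is None or r["facility"] in facilities)]


def count_by_severity(records):
    counts = {}
    for r in records:
        counts[r["severity_name"]] = counts.get(r["severity_name"], 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(count_by_severity(records))
    for r in filter_records(records, max_level=4):
        print(r["severity_name"], r["facility"], r["mnemonic"], r["text"])
```

Filtering on the numeric level rather than on message text is what keeps the remote daemon cheap; note that level 4 and below still lets the access-list deny (level 6) through only when a facility filter for `SEC` is added deliberately, which is a decision to make when the design is documented.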








                 Summary

                          Network management is supported with various devices and servers that
                          use network management protocols and standards.
                          SNMP is a simple network management protocol that is the foundation of
                          a network management architecture.
                          A MIB stores local management agent information on a managed device.
                          RMON is a MIB that supports proactive management of remote networks.
                          NetFlow collects network flow data to support network accounting,
                          usage-based billing, planning, performance monitoring, and QoS
                          applications.
                          Cisco Discovery Protocol is a Cisco proprietary protocol that enables you
                          to discover Cisco devices on the network.
                          Syslog reports system state information based on preset facilities and
                          severity levels.




                 Module Summary
                         The hierarchical network structure is composed of the access,
                         distribution, and core layers.
                         Based on Cisco SONA, the Cisco Enterprise Architecture provides
                         a modular hierarchical approach for providing network
                         infrastructure and services to all places in the network.
                         Network infrastructure services add intelligence to the network
                         infrastructure, supporting application awareness within the network.
                         Network management protocols support the exchange of
                         management information between the network management
                         system and managed devices.




                 Designing Basic
                 Campus and Data
                 Center Networks


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0




                 Describing
                 Campus Design
                 Considerations

                 Designing Basic Enterprise Campus Networks




                 Designing an Enterprise Campus

        Campus design factors:
                 Network applications
                 characteristics
                 Device characteristics
                 Environmental characteristics




                 Overview of Network Application Types

                          Peer-to-peer
                          Client-local server
                          Client-server farm
                          Client-enterprise edge Server




                 Network Requirements of Applications

                          Connectivity type
                          Total required throughput
                          High availability
                          Total network costs




                 Example: Peer-to-Peer Applications

                 Instant messaging
                 File sharing
                 IP phone calls
                 Video conference systems




                 Example: Client-Local
                 Server Applications

                          Servers are located close
                          to clients.
                          Servers and clients are in
                          the same LAN.
                          Request to servers from
                          nonlocal LANs is rare.




                 Example: Client-Server
                 Farm Applications

                 Typical applications:
                          Mail servers
                          File servers
                          Database servers
                 Access to applications:
                          Fast
                          Reliable
                          Controlled (security)




                 Example: Client-Enterprise
                 Edge Applications

                 Typical applications:
                          Internet applications
                             – Mail servers
                             – Web servers
                             – Public Internet servers
                          E-commerce applications




                 Relative Network Requirements by
                 Application Type

                                              Peer-to-Peer      Client-Local      Client-Server     Client-Enterprise
                                                                Servers           Farm              Edge Servers

                 Connectivity type            Switched          Switched          Switched          Switched

                 Total required throughput    Medium to high    Medium            High              Medium

                 High availability            Low to high       Medium            High              High

                 Total network costs          Low to medium     Medium            High              Medium




                 Environmental Characteristics for
                 Network Design

                          The network devices and distances between them determine the
                          network geography.
                          The campus network design is scoped with respect to geography:
                             – Intrabuilding
                             – Interbuilding
                             – Distant remote buildings




                 Intrabuilding Structure

                           Provides connectivity inside
                           the building
                           Built with the building access
                           and building distribution layers
                           Transmission options:
                             – Copper
                             – Optical fiber
                             – Wireless




                 Interbuilding Structure

                 Connectivity between
                 buildings
                 Distances between buildings
                 within a few kilometers
                 Building distribution with
                 campus core layer
                 Typical transmission media:
                 optical fiber




                 Distant Remote Building Structure

            Metropolitan-based network connectivity options:
              Using company-owned fiber
              Through enterprise WAN
              Through service provider offerings




                                                                                             WAN




                 Campus Transmission Media

                           Physical media in network design influences:
                              – Network bandwidth
                              – Allowable distance between devices
                           Copper design considerations:
                              – Electromagnetic interference, grounding, security
                              – Signal attenuation, distance limitations
                           Optical fiber design considerations:
                              – Light signal (LED or laser)
                              – Expensive, providing a long-term investment
                           Wireless design considerations:
                              – Distance, interference, bandwidth, security


                 Comparison of Campus
                 Transmission Media

                               Copper Twisted Pair   Multimode Fiber                     Single-Mode Fiber                   Wireless

                 Bandwidth     Up to 10 Gbps         Up to 10 Gbps                       Up to 10 Gbps or higher             Up to 54 Mbps*

                 Distance      Up to 100 m           Up to 2 km (Fast Ethernet)          Up to 80 km (Fast Ethernet)         Up to 500 m at 1 Mbps
                                                     Up to 550 m (Gigabit Ethernet)      Up to 100 km (Gigabit Ethernet)
                                                     Up to 300 m (10 Gigabit Ethernet)   Up to 80 km (10 Gigabit Ethernet)

                 Price         Inexpensive           Moderate                            Moderate to expensive               Moderate




            *Wireless is half-duplex, so effective bandwidth will be no more than one half this rate.


                 Example: Transmission Media




                 Infrastructure Device Characteristics

                 Switches connect end devices as well as infrastructure devices:
                          Access layer is typically data link layer switches.
                          Distribution and core layer typically use multilayer switches.
                 Switch type and switching layer decision is influenced by:
                          Infrastructure services requirements (QoS, including policing, and so on)
                          Size of the network segments
                          Expected network failure convergence times
                          Cost




                 Example Network Service:
                 QoS in LAN Switches




              Enterprise QoS guarantees that critical applications
              receive the required bandwidth or services.




                 Summary

                          Campus network design is influenced by several factors; first by
                          applications characteristics, such as throughput and availability
                          requirements.
                          Second are environmental characteristics, such as the location
                          of devices and buildings and transmission media.
                          Third are infrastructure device characteristics, such as switching type
                          and support for network services.




                 Designing the Campus
                 Infrastructure Module



                 Designing Basic Enterprise Campus Networks




                 Relative Considerations for the
                 Campus Design
                                                       Campus Infrastructure

                                              Building Access          Building Distribution    Campus Core             Server Farm

                           Technology         Data Link Layer/         Multilayer Switched      Multilayer Switched     Multilayer Switched
                                              Multilayer Switched

                           Scalability        High                     Medium                   Low                     Medium

                           High availability  Medium                   Medium                   High                    High

                           Performance        Medium                   Medium                   High                    High

                           Cost per port      Low                      Medium                   High                    High




                 Building Access Layer Design
                 Considerations

                          Number of users or ports
                          Cabling
                          Performance
                          Redundancy
                          Connectivity speed for hosts
                          and uplinks
                          VLAN deployment
                          Additional features such as QoS
                          and IP multicast




                 Overview of Recommended Practices for the
                 Building Access Layer

                          Manage VLANs and STP:
                             – Limit VLANs to a single closet whenever possible.
                             – If STP is required, use RPVST+.
                             – Set trunks to dynamic desirable on both ends, with encapsulation negotiate.
                             – Manually prune unused VLANs.
                             – Use VTP transparent mode.
                          Manage trunks between switches.
                          Manage default PAgP settings between the Catalyst Operating
                          System and Cisco IOS Software.
                          Consider implementing routing in the access layer.




                 STP Considerations
          Use only when you have to!
             – Required when a VLAN
               spans access layer switches
             – Required to protect against
               “user side” loops
             – More common in the
               data center
          Use RPVST+ for best
          convergence.
          Take advantage of the
          Spanning Tree Toolkit.




                 Cisco STP Toolkit
                     PortFast: Bypass listening-learning
                     phase for access port*
                     UplinkFast: Three to five seconds
                     convergence after link failure
                     BackboneFast: Cuts convergence
                     time by max_age for indirect failure
                     LoopGuard: Prevents alternate or root
                     port from becoming designated in
                     absence of BPDUs*
                     RootGuard: Prevents external switches
                     from becoming root*
                     BPDUGuard: Disable PortFast-enabled
                     port if a BPDU is received*

                  * Also supported with RPVST+



                 Trunk Considerations
          Set trunk mode to desirable on
          both ends, with encapsulation
          negotiate
          Manually prune all VLANs
          except those needed
          Use VTP transparent mode to
          decrease potential for operational
          error
          Disable trunks on host ports:
             – Catalyst Operating System:
               set port host
             – Cisco IOS Software:
               switchport host
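The recommended practices for the building access layer, the Cisco STP Toolkit and the trunk considerations above together describe what a hardened access-switch configuration contains. The script below, an added example rather than course material, turns those practices into checks run over a constructed IOS running-config: RPVST+ and VTP transparent globally, host ports as left by switchport host (access mode plus PortFast) with BPDU guard, trunks with an explicit allowed-VLAN list, and loop guard rather than root guard on the uplinks. It assumes the switch is an access-layer switch whose trunks are uplinks toward the distribution layer, and the finding codes and rules are this example's own reading of the slides.

```python
"""Audit an IOS access-switch configuration against the building access
layer practices on these slides: RPVST+, VTP transparent mode, host ports
hardened with 'switchport host' (access mode plus PortFast) and BPDU guard,
manually pruned trunks, and STP guards on the right ports.

Added example, not code from the Cisco course. The configuration text is
constructed; the finding codes and rules are this example's reading of the
slides for a switch whose trunks are uplinks toward the distribution layer.
"""
from typing import Dict, List, Tuple


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split running-config text into global commands and interface stanzas
    ('interface X' plus the indented lines after it; '!' closes a stanza)."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def has_cmd(cmds: List[str], prefix: str) -> bool:
    """True if some command equals prefix or continues it with more words."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def port_role(cmds: List[str]) -> str:
    """'access', 'trunk' (static or DTP desirable/auto) or 'unset' (DTP default)."""
    if has_cmd(cmds, "switchport mode access"):
        return "access"
    if has_cmd(cmds, "switchport mode trunk") or has_cmd(cmds, "switchport mode dynamic"):
        return "trunk"
    return "unset"


def audit_ios_config(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by 'global' or interface name; clean ports are omitted."""
    global_cmds, interfaces = parse_ios_config(text)
    findings: Dict[str, List[str]] = {"global": []}
    if not has_cmd(global_cmds, "spanning-tree mode rapid-pvst"):
        findings["global"].append("STP_NOT_RPVST")
    if not has_cmd(global_cmds, "vtp mode transparent"):
        findings["global"].append("VTP_NOT_TRANSPARENT")
    bpduguard_default = has_cmd(global_cmds, "spanning-tree portfast bpduguard default")
    loopguard_default = has_cmd(global_cmds, "spanning-tree loopguard default")
    for name, cmds in interfaces.items():
        f: List[str] = []
        portfast = has_cmd(cmds, "spanning-tree portfast")
        if port_role(cmds) == "trunk":
            if not has_cmd(cmds, "switchport trunk allowed vlan"):
                f.append("TRUNK_NOT_PRUNED")      # manually prune unused VLANs
            if has_cmd(cmds, "spanning-tree guard root"):
                # Root guard blocks a port that hears a superior BPDU; an uplink
                # toward the real root hears exactly that and would go down.
                f.append("ROOTGUARD_ON_UPLINK")
            if not (loopguard_default or has_cmd(cmds, "spanning-tree guard loop")):
                f.append("NO_LOOPGUARD")          # guards root/alternate ports
        else:
            if port_role(cmds) == "unset":
                f.append("NO_SWITCHPORT_MODE")    # DTP left negotiable on a host port
            if not portfast:
                f.append("NO_PORTFAST")
            if not (has_cmd(cmds, "spanning-tree bpduguard enable")
                    or (bpduguard_default and portfast)):
                f.append("NO_BPDUGUARD")          # the global default needs PortFast
        if f:
            findings[name] = f
    return findings


# Constructed sample: two host ports and two uplinks, one of each done right.
SAMPLE_CONFIG = """\
vtp mode transparent
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation negotiate
 switchport trunk allowed vlan 10,20
 switchport mode dynamic desirable
!
"""

if __name__ == "__main__":
    for scope, issues in audit_ios_config(SAMPLE_CONFIG).items():
        print(f"{scope}: {', '.join(issues) or 'OK'}")
```

Two of the rules encode placement rather than presence. Root guard belongs on the distribution ports that face the access layer, where no root should ever appear; on an access uplink it would put the port into the root-inconsistent state as soon as the real root's BPDU arrives, so the audit flags it there and wants loop guard instead. Likewise spanning-tree portfast bpduguard default only protects ports that actually have PortFast, so a host port left at defaults gets both NO_PORTFAST and NO_BPDUGUARD.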




                 Layer 3 Access-to-Distribution Interconnection




                       Best option for fast convergence
                       Equal-cost Layer 3 load balancing on all links
                       No spanning tree required for convergence
                       No HSRP or GLBP configuration required
                       No VLAN spanning possible




                 Building Distribution Layer Design
                 Considerations

                          Performance
                          Redundancy
                          Support for network
                          infrastructure services




                 Overview of Recommended Practices for
                 the Building Distribution Layer

                          Use first-hop redundancy protocols (HSRP and GLBP).
                          Deploy Layer 3 routing protocols from distribution switches to
                          core switches.
                          If required, connect distribution switches to support Layer 2
                          VLAN spanning multiple access switches.




                 Recommended Practices—
                 First-Hop Redundancy
                  Provides a resilient default gateway or first-hop address to end
                  stations with HSRP, VRRP, or GLBP
                  HSRP, VRRP, and GLBP provide millisecond timers and excellent
                  convergence performance
                  HSRP common in Cisco environments
                  VRRP if you need multi-vendor interoperability
                  GLBP facilitates uplink load balancing






                 Recommended Practices—Use Layer 3
                 Routing Protocols
                  Build triangles, not squares, for deterministic convergence.
                  Only peer on links that you intend to use as transit.
                  Summarize routes from distribution to core.








                 Example: Build Redundant Triangles




                       Layer 3 redundant equal cost links support fast convergence.
                       Hardware based—recovery to remaining path is fast.
                       Convergence is extremely fast (dual equal-cost paths: no need for OSPF
                       or EIGRP to recalculate a new path).
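The two slides above ("build triangles, not squares" and "dual equal-cost paths: no need for OSPF or EIGRP to recalculate") can be checked with a small path computation. The following is an added example, not code from the DESGN course: it runs Dijkstra with equal-cost first-hop tracking over two constructed topologies (node names D1, D2, C1, C2, DC and unit link costs are assumptions) and reports whether an uplink failure leaves a next hop that was already installed, or forces the routing protocol to compute a new path.

```python
"""Added example (not from the DESGN slides): why building Layer 3
"triangles, not squares" between distribution and core gives deterministic
convergence.  A distribution switch in a triangle already holds two
equal-cost next hops, so when one uplink dies the surviving next hop is
already in the forwarding table and no OSPF/EIGRP recalculation is needed.
In a square there is only one best path, so a failure forces a new SPF run
and traffic is rerouted over a link that was never meant to be transit.
Node names and link costs below are constructed for illustration."""
import copy
import heapq
from typing import Dict, List, Set, Tuple

Graph = Dict[str, Dict[str, int]]  # node -> {neighbour: link cost}


def add_link(g: Graph, a: str, b: str, cost: int = 1) -> None:
    g.setdefault(a, {})[b] = cost
    g.setdefault(b, {})[a] = cost


def ecmp_next_hops(g: Graph, src: str, dst: str) -> Set[str]:
    """Dijkstra from src; return every first hop lying on a minimum-cost
    path to dst, i.e. the equal-cost set a router installs in hardware."""
    dist: Dict[str, int] = {src: 0}
    first_hops: Dict[str, Set[str]] = {src: set()}
    heap: List[Tuple[int, str]] = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in g.get(u, {}).items():
            nd = d + cost
            hops = {v} if u == src else first_hops[u]
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                first_hops[v] = set(hops)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                first_hops[v] |= hops  # another equal-cost path found
    return first_hops.get(dst, set())


def needs_recalculation(g: Graph, src: str, dst: str, a: str, b: str) -> bool:
    """Simulate failure of link a<->b.  Returns True when none of the next
    hops used before the failure survives, so the routing protocol must
    compute a new path before forwarding can resume."""
    before = ecmp_next_hops(g, src, dst)
    failed = copy.deepcopy(g)
    failed[a].pop(b, None)
    failed[b].pop(a, None)
    after = ecmp_next_hops(failed, src, dst)
    return not (after and after <= before)


def build_triangle() -> Graph:
    """D1 dual-homed to both cores C1 and C2; DC hangs off both cores."""
    g: Graph = {}
    for a, b in (("D1", "C1"), ("D1", "C2"), ("C1", "C2"),
                 ("C1", "DC"), ("C2", "DC")):
        add_link(g, a, b)
    return g


def build_square() -> Graph:
    """D1 single-homed to C1, D2 to C2, plus a D1-D2 link: a square."""
    g: Graph = {}
    for a, b in (("D1", "C1"), ("D2", "C2"), ("C1", "C2"),
                 ("D1", "D2"), ("C1", "DC"), ("C2", "DC")):
        add_link(g, a, b)
    return g


if __name__ == "__main__":
    for name, g in (("triangle", build_triangle()), ("square", build_square())):
        print(name, "ECMP next hops D1->DC:", sorted(ecmp_next_hops(g, "D1", "DC")),
              "| uplink D1-C1 fails -> SPF rerun needed:",
              needs_recalculation(g, "D1", "DC", "D1", "C1"))
```

In the triangle, D1 starts with next hops {C1, C2} and is left with {C2} after the failure, a subset of what was already programmed; in the square it starts with {C1} and ends with {D2}, so forwarding depends on a fresh computation and on the distribution-to-distribution link carrying transit traffic.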




                 Layer 3 Distribution Interconnection




                       Recommended practice—tried and true
                       No STP convergence required for uplink failure and recovery
                       Distribution-to-distribution link required for route summarization
                       Map Layer 2 VLAN number to Layer 3 subnet for ease of use and
                       management




                 Alternate: Layer 2 Distribution
                 Interconnection




                       Use only if Layer 2 VLAN spanning flexibility is required
                       STP convergence required for uplink failure and recovery
                       More complex because the STP root bridge and the HSRP active router
                       must be on the same distribution switch
                       Distribution-to-distribution link required for route summarization





                 Campus Core Design Considerations
               Determine if core is needed.
               Determine performance and capacity needed.
               Determine redundancy.
               Determine if enterprise edge and WAN connectivity is to core or
               data center.








                 Example: Large Campus Multilayer
                 Switched Backbone Design

                 Reduced multilayer switch peering
                 Topology with no spanning-tree loops
                 Scalability to arbitrarily large size
                 Improved network services support
                 Two equal-cost paths to every destination network
                 Fast recovery from link failure







                 Small and Medium Campus Design
                 Options








                 Edge Distribution Design
         Edge distribution switches have to protect the campus core from:
                  Unauthorized access
                  IP spoofing
                  Network reconnaissance
                  Packet sniffers
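The slide names IP spoofing as one of the threats the edge distribution block must keep away from the core. The following is an added example, not code from the DESGN course, of the ingress source-address check that does this: each interface is bound to the prefixes legitimately behind it (strict unicast RPF / BCP 38 style), and the outside-facing interface also rejects private-range sources and anything claiming a campus address. Interface names, prefixes and the sample packets are constructed for the example.

```python
"""Added example (not from the DESGN slides): the ingress source-address
check an edge distribution switch applies to keep spoofed packets away
from the campus core.  Every interface is bound to the prefixes that
legitimately sit behind it, so a packet whose source does not belong to
its ingress interface is dropped (the same idea as strict unicast RPF or
BCP 38 filtering).  The outside interface additionally rejects sources
that claim a campus address and RFC 1918 / other special-use sources.
Interface names, prefixes and packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Sources that have no business arriving from the outside (RFC 1918 and
# other special-use space).
BOGONS: List[Net] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr: ipaddress.IPv4Address, nets: List[Net]) -> bool:
    return any(addr in n for n in nets)


@dataclass
class EdgeFilter:
    bindings: Dict[str, List[Net]]   # inside interface -> prefixes behind it
    outside: str                     # interface facing the untrusted edge
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (ifname, src, reason)

    def _drop(self, ifname: str, src: str, reason: str) -> bool:
        self.log.append((ifname, src, reason))  # feed for detection/forensics
        return False

    def permit(self, ifname: str, src: str) -> bool:
        """Return True if a packet with source `src` may enter on `ifname`."""
        try:
            addr = ipaddress.IPv4Address(src)
        except ipaddress.AddressValueError:
            return self._drop(ifname, src, "unparseable source")
        if ifname == self.outside:
            campus = [n for nets in self.bindings.values() for n in nets]
            if in_any(addr, campus):
                return self._drop(ifname, src, "spoofed campus source from outside")
            if in_any(addr, BOGONS):
                return self._drop(ifname, src, "bogon source from outside")
            return True
        if ifname not in self.bindings:
            return self._drop(ifname, src, "unknown ingress interface")
        if not in_any(addr, self.bindings[ifname]):
            # Inside host using a source it does not own (egress BCP 38).
            return self._drop(ifname, src, "source not behind ingress interface")
        return True


def build_filter() -> EdgeFilter:
    return EdgeFilter(
        bindings={
            "to-core": [ipaddress.ip_network("10.1.0.0/16")],   # campus summary
            "dmz": [ipaddress.ip_network("198.51.100.0/24")],   # public DMZ
        },
        outside="internet",
    )


# Constructed packets: (ingress interface, source address)
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("internet", "203.0.113.7"),    # ordinary external client
    ("internet", "10.1.3.9"),       # outside packet claiming a campus address
    ("internet", "192.168.1.1"),    # RFC 1918 source from outside
    ("to-core", "10.1.3.9"),        # campus host, legitimate source
    ("to-core", "203.0.113.99"),    # campus host spoofing an external address
    ("dmz", "198.51.100.10"),       # DMZ server, legitimate
]


def run(f: EdgeFilter, packets: List[Tuple[str, str]]) -> List[bool]:
    return [f.permit(ifname, src) for ifname, src in packets]


if __name__ == "__main__":
    flt = build_filter()
    for pkt, ok in zip(SAMPLE_PACKETS, run(flt, SAMPLE_PACKETS)):
        print(pkt, "permit" if ok else "drop")
    for entry in flt.log:
        print("dropped:", entry)
```

The drop log is the part a security operations team cares about: a burst of "spoofed campus source from outside" entries is an early indicator of reflection or reconnaissance traffic aimed at the core, and "source not behind ingress interface" on an inside port points at a compromised host or misconfigured server.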








                 Server Placement in a
                 Medium-Sized Network








                 Server Placement in a Large Network








                 Server Farm Design Guidelines
      Key design considerations:
        Access control
        Traffic demands
        Oversubscription
      Server connectivity options:
        Single NIC
        Dual-NIC redundancy
        Content switching (server
        load balancing)








                 Summary

                 Design an enterprise campus network using
                 recommended practices:
                          Use low price per port and high port density on data link layer
                          switches for the building access layer.
                          Use redundant multilayer switching in the building distribution
                          layer for high availability and performance.
                          Use high-performance wire-rate multilayer switching in the
                          campus core design.
                          Group centralized servers into a server farm module for moderate
                          enterprise server requirements.












                 Describing Enterprise
                 Data Center
                 Considerations


                 Designing Basic Enterprise Campus Networks








       Server-Centric to Service-Centric








                 Cisco Data Center Network Architecture
                 Framework








          Example: Data Center Network Topology








                 Data Center Infrastructure Overview








                 Defining the Data Center Access Layer
         Can support Layer 2 or Layer 3 access
         Provides port density to server farm
         Supports dual and single-attached servers
         Provides high-performance, low-latency Layer 2 switching
         Mix of oversubscription requirements
         Many uplink options








                 Density and Scalability Implications

                          Where are the issues?
                             – Cabling
                             – Power
                             – Cooling








                 Defining the Data Center Aggregation Layer
       • Aggregates traffic to data center core
       • Aggregates advanced application and security functions
       • Maintains connection and session state for redundancy
       • Layer 4–7 services: firewall, server load balancing, SSL, IDS
       • Large STP processing load
       • High flexibility and economies of scale








                 Defining the Data Center Core Layer

          Drivers for a data center core:
                   10-Gigabit Ethernet port density
                   Administrative domains
                   Anticipate future requirements
          Key core characteristics:
                   Distributed forwarding architecture
                   Low latency switching
                   10-Gigabit Ethernet scalability
                   Scalable IP multicast support








                 Summary

                 • Enterprise data centers support a rich set of
                   applications and servers.
                 • The SONA-based Cisco Enterprise Data Center
                   Architecture provides a modular hierarchical approach
                   to align data center resources with business
                   applications.












                 Enterprise Campus and Data Center
                 Design Review
                        Analyze organizational requirements:
                           – Type of applications, traffic volume, and traffic pattern
                           – Redundancy and backup needed
                        Characterize the existing network and sites:
                           – Technology used and location of hosts, servers, terminals,
                             and other end nodes
                        Develop enterprise campus and enterprise data center network
                        designs:
                           – Based on requirements, implement two or three hierarchical
                             layers.
                           – Select hardware and software components to support
                             requirements.






                 Module Summary
                         Campus network design is influenced by application,
                         environmental, and infrastructure device characteristics.
                         An enterprise campus network is constructed hierarchically with
                         building access, building distribution, and campus core layers.
                         An enterprise data center network is constructed hierarchically,
                         with data center access, data center aggregation, and data center
                         core layers.












                 Designing Remote
                 Connectivity



                 Designing for Cisco Internetwork Solutions (DESGN) v2.0








                 Identifying WAN
                 Technology
                 Considerations


                 Designing Remote Connectivity








                 Role of a WAN








                 Types of WAN Interconnections








                 WAN Transport Technology Comparison

  Technology       Bandwidth  Latency/Jitter  Connect Time  Tariff  Initial Cost  Reliability
  TDM              M          L               L             M       M             M
  ISDN             L          M/H             M             M       L             M
  Frame Relay      L          L               L             M       M             M
  ATM              M/H        L               L             M       M             H
  MPLS             M/H        L               L             M       M             H
  Metro Ethernet   M/H        L               L             M       M             H
  DSL              L/M*       M/H             L             L       L             M
  Cable modem      L/M*       M/H             L             L       M             L
  Wireless         L/M        M/H             L             L       M             L
  SONET/SDH        H          L               L             M       H             H
  DWDM             H          L               L             M       H             H
  Dark fiber       H          L               L             M       H             H

  * Unbalanced Tx and Rx                      L = low, M = medium, H = high






                 Example: ADSL Implementation








                 Example: Data and Voice over Cable








                 Example: Three Uses of Wireless








                 Example: SONET/SDH




                           Guaranteed bandwidth
                           High line rates (from 155 Mbps to 10 Gbps)
                           Automatic recovery capabilities
                           IP encapsulations: ATM or packet over SONET/SDH (POS)





                    Example: DWDM




                          Improved signaling mechanisms to optimize bandwidth usage
                          Used inside the SONET/SDH ring







                 Example: Dark Fiber




                          Edge devices directly connected to regenerators or DWDM
                          concentrators
                          Edge devices able to use any Layer 2 encapsulation








                 WAN Transport Technology
                 Pricing Considerations
                       Pricing used to include an access circuit and a
                       distance-sensitive rate.
                       Access circuit provisioning generally takes 60 days or more lead
                       time.
                          – Metro Ethernet availability is spotty, and lead times are long.
                       For Frame Relay and ATM, pricing includes an access circuit charge,
                       per-PVC charges, and possibly per-bandwidth (CIR or MIR) charges.
                       MPLS VPN pricing is generally comparable with Frame Relay
                       and ATM.








                 WAN Transport Technology
                 Contract Considerations
                       Tariffed commercial services are at published rates and subject
                       to restrictions.
                       Time to contract can be one month for standard tariff rates, longer
                       if you negotiate SLAs.
                       Contract periods are usually one to five years for most WAN
                       services.
                       For dark fiber, contract periods are generally 20 years.








                 Methodology Used in
                 Enterprise Edge Design
                Planning and designing the enterprise edge is based on the
                PPDIOO methodology:
                        Analyze network requirements, including type of applications,
                        traffic volume, and traffic patterns.
                        Characterize the existing network for technology used and
                        location of hosts, servers, terminals, and other end nodes.
                        Design the topology based on availability of technology, the
                        projected traffic pattern, and technology performance constraints
                        and reliability.








                 Identifying Application Requirements

  Requirement                            | Data File Transfer | Interactive Data Application | Real-Time Voice                                    | Real-Time Video
  Response time                          | Reasonable         | Within a second              | Round-trip delay less than 250 ms, with low jitter | Minimum delay and jitter
  Throughput and packet loss tolerance   | High/medium        | Low/low                      | Low/low                                            | High/medium
  Downtime (high reliability has low     | Reasonable         | Low                          | Low                                                | Minimum
  downtime)
  Note: zero downtime is required for mission-critical applications of any type.








                 Determining the Maximum Offered
                 Traffic


                        WAN resources have finite
                        capacity.
                        End users require minimum
                        response times.
                        Network managers require
                        maximum link utilization.








                 Determining Physical Media Bandwidth

  Bandwidth              | <= 1.5/2 Mbps                                              | From 1.5/2 Mbps to 45/34 Mbps                            | From 45/34 Mbps to 100 Mbps            | From 100 Mbps to 10 Gbps
  Copper                 | Serial or async serial, ISDN, TDM, X.25, Frame Relay, ADSL | ADSL (8 Mbps downstream)                                 |                                        |
  Fiber                  |                                                            | Ethernet, TDM (T3 or E3)                                 | Fast Ethernet, ATM over SONET/SDH, POS | 10-Gigabit Ethernet, Gigabit Ethernet, ATM over SONET/SDH, POS
  Coaxial                |                                                            | Shared bandwidth: 27 Mbps downstream, 2.5 Mbps upstream  |                                        |
  2.4/5 GHz WAN wireless |                                                            | Varies based on distance and RF quality                  |                                        |






                 Evaluating Cost-Effectiveness of Design
                 and Implementation

                  Investment and Running Costs

                  Private: Owner must buy, configure, and maintain the physical layer connectivity
                           and the terminal equipment that connects each location.
                  Leased:  Fixed bandwidth is leased from a carrier company with private or leased
                           terminal equipment.
                  Shared:  Physical resources in the campus backbone are shared with many users.








                 Bandwidth Usage in a WAN

                 Optimize the bandwidth usage on WAN links to improve
                 network efficiency using:
                          Data compression: Reduces the size of a frame of data to
                          transmit over a network link
                          Bandwidth combination: Logically aggregates physical links
                          Window size: Adjusts link reliability versus throughput
                          Queuing: Avoids congestion for some traffic by giving it priority
                          over other traffic
                          Traffic shaping and policing: Avoids congestion by policing
                          inbound and outbound flows








                 Queuing to Improve Link Utilization

                          Queuing allows network administrators to manage varying
                          demands of applications on networks and routers.
                          Key types of queuing:
                             – Priority queuing
                             – Custom queuing
                             – Weighted fair queuing
                             – Class-based weighted fair queuing
                             – Low latency queuing
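A simulation of two of the queuing types listed above on one congested WAN link, added here as an example (not course material or Cisco code): strict priority queuing hands lower classes only the leftovers, while class-based weighted fair queuing, modelled as deficit round robin, gives each class a share proportional to its weight. The classes, packet sizes, weights and link budget are constructed.

```python
"""Priority queuing vs. class-based weighted fair queuing on one congested WAN link.
Added example; not from the DESGN course. Classes, sizes, weights and the link
budget are constructed to show the two behaviours side by side."""
from collections import deque


def offered_load():
    """Constructed offered load as (class, bytes): 144,000 bytes in total, far
    more than the link can carry in the interval we simulate."""
    pkts = []
    for _ in range(40):
        pkts += [("voice", 200), ("bulk", 1500), ("bulk", 1500), ("interactive", 400)]
    return pkts


def priority_queuing(packets, link_budget, order=("voice", "interactive", "bulk")):
    """Strict priority queuing: the highest-priority non-empty queue is always
    served first, so lower classes receive only what the higher ones leave over.
    Returns bytes transmitted per class within link_budget bytes."""
    queues = {c: deque() for c in order}
    for cls, size in packets:
        queues[cls].append(size)
    sent = {c: 0 for c in order}
    remaining = link_budget
    while remaining > 0:
        for cls in order:                       # first queue in priority order wins
            if queues[cls] and queues[cls][0] <= remaining:
                size = queues[cls].popleft()
                sent[cls] += size
                remaining -= size
                break
        else:                                   # nothing fits or all queues are empty
            break
    return sent


def cbwfq(packets, link_budget, weights, quantum_unit=50):
    """Class-based weighted fair queuing modelled as deficit round robin: every
    round each class earns weight * quantum_unit bytes of credit and sends while
    its head packet fits the credit, so link share tracks the weights and no
    class is starved. Returns bytes transmitted per class."""
    order = list(weights)
    queues = {c: deque() for c in order}
    for cls, size in packets:
        queues[cls].append(size)
    deficit = {c: 0 for c in order}
    sent = {c: 0 for c in order}
    remaining = link_budget
    while remaining > 0 and any(queues.values()):
        progress = False
        for cls in order:
            if not queues[cls]:
                deficit[cls] = 0                # an idle class does not bank credit
                continue
            deficit[cls] += weights[cls] * quantum_unit
            while queues[cls] and queues[cls][0] <= min(deficit[cls], remaining):
                size = queues[cls].popleft()
                deficit[cls] -= size
                sent[cls] += size
                remaining -= size
                progress = True
            if not queues[cls]:
                deficit[cls] = 0
        if not progress:                        # budget too small for any head packet
            break
    return sent


if __name__ == "__main__":
    weights = {"voice": 10, "interactive": 30, "bulk": 60}
    print("PQ   :", priority_queuing(offered_load(), 30000))
    print("CBWFQ:", cbwfq(offered_load(), 30000, weights))
```

With a 30,000-byte budget, priority queuing drains voice and interactive completely and leaves bulk 6,000 bytes, whereas CBWFQ with weights 10/30/60 delivers about 3,200/8,800/18,000 bytes.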







                 Traffic Shaping and Policing




            • Usually found on egress ports, shaping buffers excess traffic, using a
              token bucket mechanism to release packets.
            • Policers typically “tag” or “drop” traffic, depending on the mechanism,
              protocol, and severity of offense.
            • Policing, historically in ATM, is on ingress ports and uses a “leaky
              bucket” mechanism.
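The shaper-versus-policer distinction on this slide, as an added example that is not Cisco code: both are driven by a token bucket here (the single-rate policer stands in for the ATM-style leaky bucket), and the difference is what happens to excess traffic. The policer drops it at once; the shaper queues it and releases it at the contracted rate, dropping only when its queue overflows. Rate, burst, queue limit and the burst of arrivals are constructed.

```python
"""Token-bucket shaper vs. policer on a WAN egress interface.
Added example; not Cisco code. Rate, burst, queue limit and the constructed
burst of arrivals are assumptions. Time is in whole milliseconds."""


def policer(arrivals, rate, burst):
    """Single-rate policer. Tokens (bytes) refill at `rate` bytes/ms up to
    `burst`; a packet conforms if it fits in the bucket and is dropped
    otherwise (a real policer may re-mark instead of drop).
    Returns (conforming, exceeding) lists of (ms, bytes)."""
    tokens, last = burst, 0
    conform, exceed = [], []
    for t, size in arrivals:
        tokens = min(burst, tokens + (t - last) * rate)
        last = t
        if size <= tokens:
            tokens -= size
            conform.append((t, size))
        else:
            exceed.append((t, size))        # excess is dropped, never delayed
    return conform, exceed


def shaper(arrivals, rate, burst, queue_limit):
    """Token-bucket shaper. A packet that finds too few tokens is queued and
    released once tokens have accumulated, so excess is delayed, not dropped;
    only when the queue already holds `queue_limit` bytes is a packet tail-dropped.
    Assumes no packet is larger than `burst`.
    Returns (released list of (arrival_ms, release_ms, bytes), dropped)."""
    tokens, last = burst, 0                 # credit left after, and time of, the last release
    released, dropped = [], []
    for t, size in arrivals:
        backlog = sum(s for _, rel, s in released if rel > t)   # bytes still queued at t
        if backlog + size > queue_limit:
            dropped.append((t, size))
            continue
        wait = 0 if tokens >= size else -(-(size - tokens) // rate)  # ms until enough tokens
        release = max(t, last + wait)       # FIFO: never before the previous release
        tokens = min(burst, tokens + (release - last) * rate) - size
        released.append((t, release, size))
        last = release
    return released, dropped


def max_queuing_delay(released):
    """Worst-case delay the shaper added, in ms."""
    return max((rel - arr for arr, rel, _ in released), default=0)


# Constructed burst: ten 1000-byte packets 1 ms apart into a link shaped or policed
# to 100 bytes/ms (800 kbps) with a 3000-byte burst allowance.
BURST_10 = [(ms, 1000) for ms in range(10)]

if __name__ == "__main__":
    c, e = policer(BURST_10, rate=100, burst=3000)
    print(f"policer: {len(c)} conform, {len(e)} dropped")
    r, d = shaper(BURST_10, rate=100, burst=3000, queue_limit=4000)
    print(f"shaper : {len(r)} released at {[rel for _, rel, _ in r]} ms, "
          f"{len(d)} dropped, max delay {max_queuing_delay(r)} ms")
```

The policer passes the first 3 packets and drops 7; the shaper passes 7 (the last four spread out at 10 ms intervals, up to 34 ms late) and drops 3 only because its 4000-byte queue fills. Shaping costs delay and buffer memory, which is why it sits on egress; policing costs loss, which is why real-time voice is usually shaped rather than policed.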





                 Data Compression and QoS to Optimize
                 Bandwidth Usage








                 Summary
                        A WAN is a communications network that covers a relatively
                        broad geographic area and carries a variety of traffic types using
                        transmission facilities that are typically provided by service
                        providers.
                        The multiple WAN transport technologies vary in bandwidth,
                        performance characteristics, and cost.
                        In WAN design, enterprise edge connectivity requirements
                        influence the trade-off between the cost of bandwidth and
                        bandwidth efficiency.












                 Designing the
                 Enterprise WAN



                 Designing Remote Connectivity








                 Traditional WAN Technologies


                       Technology                                         | Description
                       Leased lines                                       | A service provider establishes a dedicated connection.
                       Circuit-switched PSTN (phone service, analog       | A dedicated circuit path is established for the duration of a call.
                       modems, ISDN)                                      | ISDN combines voice, data, and backup.
                       Packet- and cell-switched (Frame Relay, SMDS,      | A service provider creates PVCs or SVCs. ATM uses cells and provides
                       ATM, MPLS)                                         | support for multiple QoS classes.








                 WAN Topologies








                 Designing the Remote-Access Network

                          Objective: Provide a unified solution for remote access
                          Grant the connection seamlessly, as if in company headquarters
                          Application requirements include:
                             – Low to medium-volume data file transfer and interactive traffic
                               for teleworkers and traveling workers
                             – Voice services for teleworkers
                          Connectivity option: IP access through an on-demand or
                          always-on connection
                          Technologies include dial-up, DSL, cable, and wireless








                 Overview of Virtual Private Networks








                 Connectivity Option: Overlay VPN




                        VPNs may replace dedicated point-to-point links with emulated
                        point-to-point links sharing common infrastructure.





                 Connectivity Option: Virtual Private Dial-Up Network








                 Connectivity Option: Peer-to-Peer VPN

                 Provider participates in the enterprise routing:
                          Uses MPLS VPN technology
                          Enables organization to use any IP address space
                          No overlapping IP address space problems








                 Benefits of VPNs








                 WAN Backup Technologies




                                                          Backup options:
                                                              Dial backup—analog or ISDN
                                                              Permanent secondary WAN link
                                                              Shadow PVC
                                                              IPsec tunnel across Internet




                 Example: Permanent Secondary
                 WAN Link








                 Example: Shadow PVC








                 WAN Backup over the Internet








                 Layer 3 Tunneling

                          GRE can encapsulate a variety of protocol types inside IP tunnels.
                             – It is simple and flexible for basic IP VPNs.
                             – Packet payload is not encrypted.
                             – Provisioning of tunnels is not very scalable.
                          IPsec encapsulates IP inside of IPsec tunnels.
                             – Packet payload can be encrypted.
                             – IPsec receiver can authenticate source of packets.
                             – It uses IKE and PKI.
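To make the "packet payload is not encrypted" point concrete, here is an added example (not Cisco code) that builds a GRE-over-IPv4 packet carrying an inner IPv4/UDP datagram and then inspects it the way a passive monitor on the transit path would, beside an ESP packet whose contents stay opaque. Addresses come from documentation ranges, ports and IDs are constructed, and the ESP "ciphertext" is a placeholder because this demo performs no encryption.

```python
"""Why a GRE payload is visible on the wire, while ESP hides everything but SPI
and sequence number. Added example; not Cisco code. Addresses are documentation
ranges, ports and IDs are constructed, and the ESP ciphertext is a placeholder
(no real encryption is performed here)."""
import socket
import struct

UDP, GRE, ESP = 17, 47, 50          # IPv4 protocol numbers
ETHERTYPE_IPV4 = 0x0800             # GRE protocol type for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 when run over a good header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, payload: bytes) -> bytes:
    """Inner IPv4/UDP datagram wrapped in a 4-byte GRE header (no C/K/S option fields)."""
    udp = struct.pack("!HHHH", 40000, 5060, 8 + len(payload), 0) + payload
    inner = ipv4_header(inner_src, inner_dst, UDP, len(udp)) + udp
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner
    return ipv4_header(outer_src, outer_dst, GRE, len(gre)) + gre


def build_esp_packet(outer_src, outer_dst, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: only SPI and sequence number are in the clear; the rest is ciphertext."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp


def parse_ipv4(buf: bytes) -> dict:
    ihl = (buf[0] & 0x0F) * 4
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ip_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": buf[ihl:f[2]]}


def inspect_tunnel(pkt: bytes) -> dict:
    """What an observer on the transit path can recover from one tunnel packet."""
    outer = parse_ipv4(pkt)
    view = {"outer_src": outer["src"], "outer_dst": outer["dst"]}
    if outer["proto"] == GRE:
        flags, ptype = struct.unpack("!HH", outer["payload"][:4])
        view["tunnel"] = "GRE"
        if flags == 0 and ptype == ETHERTYPE_IPV4:   # no option fields, IPv4 inside
            inner = parse_ipv4(outer["payload"][4:])
            data = inner["payload"][8:] if inner["proto"] == UDP else inner["payload"]
            view.update(inner_src=inner["src"], inner_dst=inner["dst"],
                        inner_proto=inner["proto"], payload=data)   # all in cleartext
    elif outer["proto"] == ESP:
        spi, seq = struct.unpack("!II", outer["payload"][:8])
        view.update(tunnel="ESP", spi=spi, seq=seq, payload=None)   # contents opaque
    return view


# Constructed sample traffic: a SIP-like message from a branch to HQ over each tunnel type.
SAMPLE_PAYLOAD = b"INVITE sip:2001@hq.example SIP/2.0"
GRE_PKT = build_gre_packet("203.0.113.10", "198.51.100.1", "10.1.1.10", "10.2.2.20", SAMPLE_PAYLOAD)
ESP_PKT = build_esp_packet("203.0.113.10", "198.51.100.1", 0x1000, 1, b"\x00" * 32)  # placeholder bytes

if __name__ == "__main__":
    print(inspect_tunnel(GRE_PKT))
    print(inspect_tunnel(ESP_PKT))
```

For the GRE packet the monitor recovers the inner addresses and the full application payload; for ESP it sees only the tunnel endpoints, SPI and sequence number, which is the confidentiality gap IPsec closes when GRE is used alone over an untrusted network.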








                 Enterprise WAN Architecture
                 Considerations

                          Support for network growth
                          Appropriate availability
                          Operational expense
                          Operational complexity
                          Voice and video support
                          Effort and cost to implement
                          Support of network segmentation








                 Cisco Enterprise MAN and WAN Architecture

                          Private WAN (optionally encrypted)
                          ISP service through site-to-site and remote-access IPsec VPN
                          Service provider-managed IP or MPLS VPN
                          Self-deployed MPLS








                 Cisco Enterprise WAN and MAN
                 Architecture Comparison
                                                 | Private WAN      | ISP Service       | SP MPLS and IP VPN             | Self-Deployed MPLS
                       Secure transport          | IPsec (optional) | IPsec (mandatory) | IPsec (mandatory)              | IPsec (mandatory)
                       High availability         | Excellent        | Good              | Excellent                      | Excellent
                       Multicast                 | Good             | Good              | Good                           | Excellent
                       Voice and video support   | Excellent        | Low               | Excellent                      | Excellent
                       Scalable network growth   | Moderate         | Good              | Excellent                      | Excellent
                       Easily shared WAN links   | Moderate         | Moderate          | Moderate                       | Excellent
                       Operational costs         | High             | Low               | Moderate, depends on transport | Moderate to high
                       Network control           | High             | Moderate          | Moderate                       | High
                       Effort to migrate from    | Low              | Moderate          | Moderate                       | High
                       private to WAN





                 Example: Cisco WAN Architectures in
                 the Healthcare Environment








                 Selecting Enterprise Edge Hardware
                 Components and Software Features

                       Hardware selection incorporates the selection of data link layer
                       functions and features of a particular device
                       Considerations: Port density, packet throughput, future
                       expandability, redundancy
                       Software selection focuses on network layer performance
                       Considerations: Forwarding decisions, bandwidth optimization,
                       security








                 Cisco IOS Software in the Network




             Cisco IOS Software T: IP Services and Ease of Deployment
                    Broadband access
                    Mobility and wireless
                    Data center
                    Security
                    IP communications

             Cisco IOS Software S: IP Services and Infrastructure
                    High-end enterprise core
                    Service provider edge
                    Virtual Private Networks (MPLS, Layer 2 and Layer 3)
                    Video and content multicast

             Cisco IOS Software XR: Scale and Availability
                    Large-scale networks
                    High availability
                    In-service software upgrade







                 Cisco IOS Packaging








                 Cisco IOS Packaging Technology
                 Segmentation

                    Package                        Data          VoIP and   ATM, VoATM,  AppleTalk, IPX,  Firewall,
                                                   Connectivity  VoFR       MPLS         IBM Protocols    IDS, VPN
                    -----------------------------  ------------  ---------  -----------  ---------------  ---------
                    IP Base                        X
                    IP Voice                       X             X
                    Advanced Security              X                                                      X
                    Enterprise Base                X                                     X
                    SP Services                    X             X          X
                    Advanced IP Services           X             X          X                             X
                    Enterprise Services            X             X          X            X
                    Advanced Enterprise Services   X             X          X            X                X








                 Comparing Router Platforms and
                 Software Functions
                    Hardware                              Software                                        Function

                    800, 1800, 2800,                      Cisco IOS T Releases                            Supports access routing platforms providing
                    3800, 7200                            12.3, 12.4, 12.3T, 12.4T                        fast, scalable delivery of mission-critical
                                                                                                          enterprise applications

                    7200, 7301,                           Cisco IOS S Release                             Delivers midrange broadband and leased-line
                    7304, 7500, 10K                       12.2SB                                          aggregation for enterprise and service provider
                                                                                                          edge networks

                    7600                                  Cisco IOS S Release                             Delivers high-end Ethernet LAN switching
                                                          12.2SR                                          for enterprise access, distribution, core, and
                                                                                                          data center deployments, and high-end Metro
                                                                                                          Ethernet for service provider edge

                    12000, CRS-1                          Cisco IOS XR                                    Provides massive scale, continuous system
                                                                                                          availability, and service flexibility for service
                                                                                                          provider core and edge. (Takes advantage of
                                                                                                          the massively distributed processing
                                                                                                          capabilities of the Cisco CRS-1 routing system
                                                                                                          and the Cisco 12000)








                 Comparing Multilayer Switch Platforms
                 and Software Functions
                    Hardware                              Software                                        Function

                    Catalyst 2960,                        Cisco IOS S Release                             Provides low-end to midrange Ethernet LAN
                    3560, 3750                            12.2SE                                          switching for enterprise access and distribution
                                                                                                          deployments

                    4500, 4900                            Cisco IOS S Release                             Provides midrange Ethernet LAN switching
                                                          12.2SG                                          for enterprise access and distribution
                                                                                                          deployments in the campus, and supports
                                                                                                          Metro Ethernet

                    6500                                  Cisco IOS S Release                             Delivers high-end Ethernet LAN switching for
                                                          12.2SX                                          enterprise access, distribution, core, and data
                                                                                                          center deployments, and high-end Metro
                                                                                                          Ethernet for service provider edge

                  Use the Cisco Feature Navigator to find the right Cisco IOS
                  and Catalyst operating system software release and features.








                 Summary
                         Traditional WAN technologies include leased lines,
                         circuit-switched PSTN, and packet-switched networks.
                         Remote-access networks connect teleworkers and traveling
                         employees.
                         A VPN provides connectivity over a shared infrastructure with the
                         same policies and performance as a private network.
                         WAN backup strategies are needed to provide high availability
                         between remote sites.
                         The Cisco Enterprise WAN and MAN Architecture provides
                         integrated QoS, network security, reliability, and manageability.
                         Enterprise WAN design includes selecting the appropriate
                         components, including hardware and software.












                 Designing the
                 Enterprise Branch



                 Designing Remote Connectivity








                 Enterprise Branch Services








                 Enterprise Branch Architecture








                 Characterizing the Branch

                          Number of locations
                          Number of existing devices
                          Scalability needed
                          High-availability requirements
                          Security concerns
                          Management concerns
                          Wireless services needed
                          Approximate budget








                 Enterprise Branch Profiles








                 Small Branch Office Design
               Infrastructure components
                  – Access router
                  – Layer 2 Switching (integrated
                    or external stackable)
                  – Laptops, phones, printers
               WAN services and backup
                  – Internet deployment model
                  – T1 primary link
                  – ADSL secondary link
               Network fundamentals
                  – EIGRP
                  – High availability—floating static routes,
                    T1 primary with ADSL backup
                  – QoS—shaping, policing,
                    scavenger class (applied to both
                    switch and router)






                 Medium Branch Office Design
               Infrastructure components
                  – Dual access routers
                  – External stackable switch
                    (Layer 2 or Layer 3)
                  – Laptops, phones, printers
               WAN services
                  – Private WAN deployment
                  – Dual Frame Relay links
               Network fundamentals
                  – EIGRP
                  – High availability—dual routers,
                    HSRP
                  – QoS—shaping, policing,
                    scavenger class (applied to both
                    switch and router)








                 Large Branch Office Design
               Infrastructure components
                  – Dual access routers for WAN
                    edge
                  – Dual ASAs for firewalls
                  – Dual multilayer switching
                    (stackable or modular)
                  – Laptops, phones, printers
               WAN services
                  – MPLS deployment model
                  – Dual links to WAN cloud
               Network fundamentals
                  – EIGRP
                  – High availability—dual routers at
                    every layer, HSRP
                  – Object tracking, ASA failover
                  – QoS—shaping, policing,
                    scavenger class (applied to all
                    routers and switches)
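The floating static routes of the small branch design and the object tracking of the large branch design are related in a way the bullet lists do not show: a floating static (a static route with a higher administrative distance) only takes over when the primary route leaves the routing table, which happens when the T1 interface goes down but not when the link stays up while the path beyond the provider fails. The model below is an added example, not course material or Cisco code; it imitates only the route-selection rules involved (administrative distance, exit interface state, and a tracked object fed by an IP SLA probe). Interface names are hypothetical and the next hops are RFC 5737 documentation addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    interface: str
    distance: int = 1            # default AD of a static route; a higher value makes it a floating static
    track: Optional[str] = None  # tracked object that must be up for IOS to install the route


@dataclass
class Router:
    routes: List[StaticRoute] = field(default_factory=list)
    link_up: Dict[str, bool] = field(default_factory=dict)   # interface -> line protocol up?
    track_up: Dict[str, bool] = field(default_factory=dict)  # tracked object -> up?

    def installed(self, prefix: str) -> List[StaticRoute]:
        """Static routes for `prefix` that would currently sit in the routing table:
        the exit interface is up and, if the route is tracked, the tracked object is up."""
        return [r for r in self.routes
                if r.prefix == prefix
                and self.link_up.get(r.interface, False)
                and (r.track is None or self.track_up.get(r.track, False))]

    def best(self, prefix: str) -> Optional[StaticRoute]:
        """Lowest administrative distance wins; None means no route (traffic is dropped)."""
        candidates = self.installed(prefix)
        return min(candidates, key=lambda r: r.distance) if candidates else None


def chosen_exit(t1_link_up: bool, upstream_reachable: bool, tracked: bool) -> Optional[str]:
    """Exit interface the branch router uses for its default route in one scenario.

    t1_link_up         - is the T1 serial interface up/up?
    upstream_reachable - can the IP SLA probe target beyond the T1 provider be reached?
    tracked            - is the primary static route bound to that tracked object?
    Interface names and next hops are hypothetical (documentation addresses).
    """
    router = Router(
        routes=[
            StaticRoute("0.0.0.0/0", "198.51.100.1", "Serial0/0/0", distance=1,
                        track="1" if tracked else None),                      # T1 primary
            StaticRoute("0.0.0.0/0", "203.0.113.1", "Dialer0", distance=250),  # ADSL floating static
        ],
        link_up={"Serial0/0/0": t1_link_up, "Dialer0": True},
        # Tracked object 1 follows a probe sent out the T1, so it is up only when both hold.
        track_up={"1": t1_link_up and upstream_reachable},
    )
    best = router.best("0.0.0.0/0")
    return best.interface if best else None


if __name__ == "__main__":
    for scenario in [(True, True, False), (False, True, False),
                     (True, False, False), (True, False, True)]:
        print(scenario, "->", chosen_exit(*scenario))
```

The third scenario is the one to check in a design review: the T1 stays up/up, the provider's upstream path is broken, and without tracking the router keeps forwarding into the T1 because the AD 1 route is still installed, so the ADSL backup never activates. Binding the primary route to a tracked IP SLA object, as the large branch design does, withdraws it when the probe fails. The same failure mode applies to HSRP in the medium branch design, where the active router should track its WAN route and lower its priority when that route is lost.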







                 Comparison of Teleworking Options

             Capability                             Occasional Users             Part-Time or Full-Time
                                                    (Occasional Remote Worker)   and Day Extenders
                                                                                 (Branch of One)
             -------------------------------------  ---------------------------  ----------------------
             E-mail                                 Yes                          Yes
             Web-based applications                 Yes                          Yes
             Mission-critical applications          Best effort                  Prioritized
             Real-time collaboration                Best effort                  Prioritized
             Voice over IP                          Best effort                  High quality
             Video on demand, Cisco IP/TV           Unlikely                     High quality
             Video conferencing                     Unlikely                     High quality
             Remote configuration and management    No                           Yes
             Integrated security                    Basic                        Full
             Resiliency and availability            No                           Yes





                 Branch of One Architecture

                    Advanced applications support (voice, video)
                    Centralized management with IT-managed security policies
                    Corporate-pushed security policies (not user-managed)
                    Corporate phone, toll bypass, centralized voice mail
                    Integrated security and identity services








                 Summary

                          The Cisco Enterprise Branch Architecture provides enterprise
                          services to remote users.
                          You should characterize each branch location to develop a
                          suitable design:
                           – Small branch office design typically uses a single WAN access
                              router with one or two access switches to support up to 50
                              users.
                           – Medium branch office design typically uses two WAN access
                              routers with multiple access switches to support up to 100
                              users.
                           – Large branch office design typically uses two WAN access
                              routers, one or more multilayer distribution switches, and
                              multiple access switches to support 100 to 1000 users.
                          An enterprise teleworker design can use a small ISR with
                          integrated switch ports and an always-on VPN to support one
                          teleworker.








                 Remote Connectivity Design Review

                          Analyze network requirements:
                             – Type of applications, the traffic volume and traffic pattern
                             – Redundancy and backup needed
                          Characterize the existing network and sites:
                             – Technology used, and location of hosts, servers, terminals and
                               other end nodes
                          Develop WAN and branch network design:
                             – Select WAN and branch technology to support requirements.
                             – Select hardware and software components to support
                               requirements.








                 Module Summary

                          Network application and connectivity requirements influence
                          the WAN design.
                          The Cisco Enterprise MAN and WAN architecture provides
                          integrated QoS, network security, reliability, and manageability
                          on:
                             – Private WANs
                             – ISP service through site-to-site and remote-access VPNs
                             – Service Provider-managed IP or MPLS VPNs
                          The Cisco Enterprise Branch Architecture supports small,
                          medium, large, and teleworker locations.












                 Designing IP
                 Addressing and
                 Selecting Routing
                 Protocols


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0








                 Designing IP
                 Addressing



                 Designing IP Addressing and Selecting Routing Protocols








                 Prerequisite Knowledge

                          IPv4 address and mask structure
                          IPv4 classes and CIDR
                          Static addressing
                          Dynamic addressing with DHCP
                          DNS
                          Private and public addresses
                          NAT and PAT
                             – Static NAT
                             – Dynamic NAT
                             – Overloading







                 Private and Public IPv4 Address
                 Guidelines








                 Network Size and IP Addressing
                 Planning

                          How many locations are in the network?
                          How many devices in each location?
                          What are the IP addressing requirements for individual locations?
                          What subnet size is appropriate?








                 Determining General Network Topology








                 IP Address Requirements by Location

               Location          Office    Work-     Servers  IP      Switches  Router L3   Firewall and   Reserve  Total
                                 Type      stations           Phones            Interfaces  Net Device              (before
                                                                                            Interfaces              reserve)
               ----------------  --------  --------  -------  ------  --------  ----------  -------------  -------  --------
               San Francisco     Main      600       35       600     17        26          12             20%      1290
               Denver            Regional  210       7        210     10        4           0              20%      441
               Houston           Regional  155       5        155     10        4           0              20%      329
               Remote Office 1   Remote    12        1        12      2         1           0              10%      28
               Remote Office 2   Remote    15        1        15      3         1           0              10%      35
               Remote Office 3   Remote    8         1        8       3         1           0              10%      21
               Total                       1000      50       1000    45        37          12                      2144








                 IP Addressing Hierarchy

      Reasons to implement include:
       • Influence of IP addressing
         on routing
       • Modular design and
         scalable solutions
       • Support for route
         aggregation








                 Route Summarization Groups

                          Benefits of hierarchical addressing include:
                             – Support for route summarization groups
                             – Efficient aggregation of routing advertisements
                          Poorly designed IP addressing results in:
                             – Excess routing traffic, leading to additional bandwidth
                               consumption
                             – Increased routing table recalculations, degrading router
                               performance








                 Example: Address Blocks by Location

                  Location                                                 Counts                Rounded Power of 2   Address Block

                  San Francisco Campus                                     1290

                  Denver Region
                  Denver Office 1                                          441

                  Remote Office 1                                          28

                  Remote Office 2                                          35

                  Houston Region
                  Houston Campus                                           329

                  Remote Office 3                                          21








                 Example: Address Blocks by Location

                  Location                                                 Counts                Rounded Power of 2   Address Block

                  San Francisco Campus                                     1290                  2048

                  Denver Region
                  Denver Office 1                                          441                   512

                  Remote Office 1                                          28                    64

                  Remote Office 2                                          35                    64

                  Houston Region
                  Houston Campus                                           329                   512

                  Remote Office 3                                          21                    64








                 Example: Address Blocks by Location

                  Location                                                 Counts                Rounded Power of 2   Address Block

                  San Francisco Campus                                     1290                  2048

                  Denver Region                                                                  1024
                  Denver Office 1                                          441                   512

                  Remote Office 1                                          28                    64

                  Remote Office 2                                          35                    64

                  Houston Region                                                                 1024
                  Houston Campus                                           329                   512

                  Remote Office 3                                          21                    64








                 Example: Address Blocks by Location

                  Location              Counts  Rounded Power of 2  Address Block
                  San Francisco Campus  1290    2048                172.16.0.0 – 172.16.7.255 /21
                  Denver Region                 1024                172.16.8.0 – 172.16.11.255 /22
                  Denver Office 1       441     512                 172.16.8.0 – 172.16.9.255 /23
                  Remote Office 1       28      64                  172.16.10.0 /26
                  Remote Office 2       35      64                  172.16.10.64 /26
                  Houston Region                1024                172.16.12.0 – 172.16.15.255 /22
                  Houston Campus        329     512                 172.16.12.0 – 172.16.13.255 /23
                  Remote Office 3       21      64                  172.16.14.0 /26

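The sizing and allocation steps from the "IP Address Requirements by Location" table through the address-block tables above, carried out in code as an added example (not part of the course material): it sums each site's counts, rounds up to a power of two, sizes each regional block to cover its offices, carves aligned prefixes from 172.16.0.0/16, and checks that every office prefix sits inside its region's summary route. The 64-address minimum office block and the largest-first sequential carving are my assumptions; the table does not state how the remote-office counts were rounded.

```python
"""Hierarchical IPv4 address plan for the DESGN example.  Added example, not
course code: sizes per-site blocks, groups them into regional summary blocks,
carves aligned prefixes from one parent, and verifies the summarization."""
import ipaddress

# Counts from the "IP Address Requirements by Location" table:
# (workstations, servers, IP phones, router interfaces, Layer 3 switches,
#  firewall and network-device interfaces).  The table's totals are the raw
# sums; the reserve percentage is recorded but not added in.
SITES = {
    "San Francisco Campus": (600, 35, 600, 17, 26, 12),
    "Denver Office 1":      (210, 7, 210, 10, 4, 0),
    "Remote Office 1":      (12, 1, 12, 2, 1, 0),
    "Remote Office 2":      (15, 1, 15, 3, 1, 0),
    "Houston Campus":       (155, 5, 155, 10, 4, 0),
    "Remote Office 3":      (8, 1, 8, 3, 1, 0),
}

# Hierarchy from the "Address Blocks by Location" example.
REGIONS = {
    "San Francisco Campus": ["San Francisco Campus"],
    "Denver Region": ["Denver Office 1", "Remote Office 1", "Remote Office 2"],
    "Houston Region": ["Houston Campus", "Remote Office 3"],
}

MIN_BLOCK = 64  # assumption: no office gets less than a /26 (matches the table)


def host_count(site):
    """Total addresses a site needs, as in the table's Total column."""
    return sum(SITES[site])


def round_up_pow2(n, minimum=MIN_BLOCK):
    """Smallest power of two >= n, floored at `minimum` (the 'Rounded Power
    of 2' column)."""
    return max(minimum, 1 << (n - 1).bit_length())


def block_sizes():
    """({site: size}, {region: size}).  A region block is the power of two
    that covers the sum of its office blocks, so one route can summarize it."""
    site_size = {s: round_up_pow2(host_count(s)) for s in SITES}
    region_size = {r: round_up_pow2(sum(site_size[s] for s in sites))
                   for r, sites in REGIONS.items()}
    return site_size, region_size


def carve(parent, sizes):
    """Allocate fixed-size blocks inside `parent`, largest first, each
    aligned on its own size so it is a valid CIDR prefix."""
    cursor = int(parent.network_address)
    blocks = {}
    for name, size in sorted(sizes.items(), key=lambda kv: -kv[1]):
        cursor = -(-cursor // size) * size           # round up to a multiple
        prefix = 32 - (size.bit_length() - 1)        # 2048 -> /21, 64 -> /26
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        if not net.subnet_of(parent):
            raise ValueError(f"{name}: {net} does not fit inside {parent}")
        blocks[name] = net
        cursor += size
    return blocks


def build_plan(parent="172.16.0.0/16"):
    """Regions are carved from the parent, then offices from their region."""
    parent = ipaddress.ip_network(parent)
    site_size, region_size = block_sizes()
    plan = carve(parent, region_size)
    for region, sites in REGIONS.items():
        plan.update(carve(plan[region], {s: site_size[s] for s in sites}))
    return plan


def summary_routes(plan):
    """One advertisement per region.  Raises if region blocks overlap or an
    office falls outside its region, the conditions summarization depends on."""
    regions = [plan[r] for r in REGIONS]
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"region blocks {a} and {b} overlap")
    for region, sites in REGIONS.items():
        for s in sites:
            if not plan[s].subnet_of(plan[region]):
                raise ValueError(f"{s} {plan[s]} lies outside {plan[region]}")
    return {r: str(plan[r]) for r in REGIONS}


if __name__ == "__main__":
    plan = build_plan()
    for name, net in plan.items():
        print(f"{name:22} {net.num_addresses:5} addresses  {net}")
    print("summary routes:", summary_routes(plan))
```

Running it reproduces the address-block column of the table above; a routing design that advertises only the three region prefixes is what keeps the remote-office /26s out of the rest of the network's routing tables.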





                 Example: Hierarchical
                 IP Addressing Plan








                 Example: Hierarchical
                 IP Addressing Plan








                 Managing IP Addresses

                          Using DHCP in the enterprise.
                          Using DNS in the enterprise.
                          Using NAT in the enterprise.








                 Recommended Practices for
                 IP Address Assignment

                                                                  Method
                  Criteria                      Strategic Address Assignment                          Dynamic Address Assignment with DHCP
                  Node type                     Infrastructure devices such as routers and switches   End-user devices
                  Number of end-user devices    Up to 30 end-user devices                             More than 30 end-user devices
                  Renumbering                   Requires manual reconfiguration of all hosts          Only DHCP server reconfiguration is needed
                  Address tracking              Easy address tracking                                 Requires additional DHCP server configuration
                  Additional parameters         Manual configuration of all hosts required            Only DHCP server needs to be configured
                  High availability             IP addresses are available at any time                Redundant DHCP server is required
                  Security concerns             Minor security risk                                   Any device gets IP address





                 Example: IP Address Assignment
                 Methods in an Enterprise Network








                 Static vs. Dynamic Name Resolution

                          Names used to ease computer-human interaction
                          Names resolved to IP addresses
                          Different name resolution strategies:
                             – Static
                             – Dynamic








                 Recommended Practices for
                 Name Resolution

                                                                      Method
                  Criteria                                  Static Name Resolution   Dynamic Name Resolution
                  Number of hosts                           Up to 30 hosts           More than 30 hosts
                  Isolated network                          Applicable               Applicable
                  Internet connectivity                     Not applicable           Mandatory
                  Frequent changes and addition of names    Not recommended          Recommended
                  Application depending on name resolution  Not recommended          Recommended








                 Using DNS for Name Resolution








                 Example: Locating DHCP and DNS
                 Servers in the Network








                 IPv6 Address Structure




            x:x:x:x:x:x:x:x, where x is 16 bits, represented by a hexadecimal
            number:
               2031:0000:130F:0000:0000:09C0:876A:130B
               Can also be written as 2031:0:130F::9C0:876A:130B







                 Benefits of IPv6 Addressing

                          Larger address space
                          Globally unique IP addresses
                          Site multihoming
                          Header format efficiency
                          Improved privacy and security
                          Flow labeling capability
                          Increased mobility and multicast capabilities








                 IPv6 Address Scope Types

                          IPv6 address scope types:
                             – Unicast (one to one)
                             – Anycast (one to nearest)
                             – Multicast (one to many)
                          Broadcast addresses not available








                 IPv6 Address Types:
                 Link-Local and Site-Local
                  Link-Local Address




                  Site-Local Address








                 IPv6 Address Types:
                 Global Aggregatable


                 Global Aggregatable Address








                 IPv6 Routing Protocol Considerations




                     Interior gateway protocols (IGPs), for routing inside autonomous systems:
                        – RIPng
                        – EIGRP IPv6
                        – OSPFv3
                        – Integrated IS-IS
                     Exterior gateway protocols (EGPs) for peering between autonomous
                     systems:
                        – BGP+





                 IPv6 Address Assignment Strategies

                 Static:
                          Same as IPv4
                 Dynamic:
                          Link-local
                          Stateless
                          Stateful using DHCPv6








                 IPv6 Name Resolution
                 Static: Same as IPv4
                 Dynamic (autoconfiguration): DNS server with IPv6 stack
                 support








                 IPv4- and IPv6-Aware Applications and
                 Name Resolution




                     In a dual-stack case, an application is IPv4- and IPv6-enabled.
                     The application decides which stack to use and asks DNS for the
                     address.







                 IPv4-to-IPv6 Transition Strategies

                 Three major transition strategies are available:
                          Dual stack (IPv4 and IPv6 coexist in the same device and
                          networks)
                          Tunneling (IPv6 packets are encapsulated into IPv4 packets)
                          Translation (IPv6-only devices can talk to IPv4 devices)








                 Dual-Stack Mechanism


                           Both IPv4 and IPv6 stacks are enabled.
                           Applications can talk to both stacks.
                           IP version choice is based on name lookup and application preference.
                           Popular operating systems support IPv6.








                 Tunneling Mechanism




                 Encapsulates the IPv6 packet in the IPv4 packet. Techniques:
                          Manually configured
                          Semiautomated
                          Automatic




                 Translation Mechanism








                 Summary

                          Key components of an IPv4 addressing scheme include IP address
                          structure, address classes, subnetting, and masking.
                          Well-designed hierarchical IP addressing enables efficient aggregation of
                          routing advertisements, which consumes less bandwidth and router CPU.
                             – Dynamic IP address assignment is a recommended practice in the
                               enterprise.
                             – Dynamic name resolution with a DNS server is a recommended
                               practice in the enterprise.
                          IPv6 was designed as a successor to IPv4 to overcome IPv4 limitations.
                             – The IPv6 address structure and address types support a much larger
                               address space than IPv4.
                             – IPv6 supports two address types: link-local and global aggregatable.












                 Reviewing Enterprise
                 Routing Protocols



                 Designing IP Addressing and Selecting Routing Protocols








                 Distance Vector and Link-State
                 Comparison

                 Distance vector protocol characteristics:
                          Slow convergence
                          Easy implementation and maintenance
                          Limited scalability
                 Link-state protocol characteristics:
                          Fast convergence
                          Good scalability
                          Less routing traffic overhead
                          More knowledge needed for implementation and maintenance








                 Example: Distance Vector Routing




                                                          Routing updates are periodic:
                                                             Include whole routing tables
                                                             Use gratuitous updates (except RIPv2)
        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-3

                 Example: Link-State Routing




                                                Triggered updates:
                                                          Include data on link states of changing links
                                                          Use multicast propagation
        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-4

                 Interior vs. Exterior Routing Protocols
                 Interior Gateway Protocols (IGPs):
                          Routing inside autonomous systems
                          Fast convergence and easy configuration
                          Low administrator influence on routing decisions
                 Exterior Gateway Protocols (EGPs):
                          Routing between autonomous systems
                          Slow convergence and more complex configuration
                          High administrator influence on routing decisions




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-5

                 Example: Interior vs. Exterior Routing
                 Protocols




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-6

                 Hierarchical vs. Flat Routing Protocols

                          Flat routing protocols propagate all routing information throughout
                          the network:
                             – Classful routing protocols
                             – Not appropriate for large networks
                             – RIPv1, IGRP, RIPv2 (classless)
                          Hierarchical routing protocols divide large networks into smaller
                          areas:
                             – Classless routing protocols
                             – Limited route propagation between areas
                             – EIGRP, OSPF, IS-IS




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-7

                 Example: Flat and Hierarchical Networks




                                    Comparing flat and hierarchical networks:
                                             Hierarchical structure means less routing traffic overhead.
                                             Summarization is the key.

        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-8

                 Routing Protocol Convergence

                          A converged network is a stable network with all needed routing
                          information.
                          Network convergence takes place:
                             – Initially on network startup
                             – On topological changes
                          Enterprise routing protocols should have short convergence
                          times.
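                 Worked example (added here; not part of the DESGN course material): a small
                 Python simulation contrasting the two protocol families on a constructed
                 five-router chain. The distance-vector routers exchange their whole routing
                 tables round by round, as the "Example: Distance Vector Routing" slide
                 describes, and need a number of rounds proportional to the network diameter
                 before every table is stable; the link-state side reaches the same shortest
                 paths with one SPF run over a complete link-state database. The topology and
                 the function names (distance_vector_converge, link_state_spf, dv_costs) are
                 assumptions of this example.

```python
"""Distance-vector vs link-state convergence on a constructed topology.

Constructed example (not from the DESGN course material): a five-router
chain A-B-C-D-E with unit link costs. The distance-vector routers exchange
whole tables once per round (as RIP does on each update interval); the
link-state router runs Dijkstra's SPF over a full link-state database.
"""
import heapq

# Constructed topology: undirected links as (router, router, cost).
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("D", "E", 1)]


def build_adjacency(links):
    """Neighbor map: router -> {neighbor: link cost}."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def distance_vector_converge(links):
    """Run synchronous distance-vector rounds until no table changes.

    Returns (rounds_with_changes, tables). Each table maps a destination to
    (cost, next_hop). Routers start knowing only themselves and their
    directly connected neighbors.
    """
    adj = build_adjacency(links)
    tables = {r: {r: (0, r)} for r in adj}
    for r, nbrs in adj.items():
        for n, cost in nbrs.items():
            tables[r][n] = (cost, n)
    rounds = 0
    while True:
        # Every router advertises the table it had at the start of the
        # round: whole-table periodic updates, one hop of knowledge per round.
        snapshot = {r: dict(t) for r, t in tables.items()}
        changed = False
        for r, nbrs in adj.items():
            for n, link_cost in nbrs.items():
                for dest, (cost, _) in snapshot[n].items():
                    candidate = link_cost + cost
                    if dest not in tables[r] or candidate < tables[r][dest][0]:
                        tables[r][dest] = (candidate, n)
                        changed = True
        if not changed:
            return rounds, tables
        rounds += 1


def link_state_spf(links, source):
    """Dijkstra SPF over the full link-state database: a single computation,
    with no iterative exchange of routing tables between routers."""
    adj = build_adjacency(links)
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def dv_costs(links, source):
    """Cost column of the converged distance-vector table for one router."""
    _, tables = distance_vector_converge(links)
    return {dest: cost for dest, (cost, _) in tables[source].items()}


if __name__ == "__main__":
    rounds, _ = distance_vector_converge(LINKS)
    print(f"distance vector: {rounds} rounds of table exchange to converge")
    print("link state SPF from A:", link_state_spf(LINKS, "A"))
```

                 Both methods end with identical costs; what differs is how many update
                 rounds (and, with RIP, how many 30-second intervals) pass before the far
                 end of the chain learns about the near end.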




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-9

                 Routing Protocol Convergence
                 Comparison




                                                          Protocol            Convergence Time to Router E

                                                          RIP                 Holddown + 1 or 2 update intervals

                                                          EIGRP               Matter of seconds

                                                          OSPF                Matter of seconds



        © 2007 Cisco Systems, Inc. All rights reserved.                                                            DESGN v2.0—5-10

                 Enhanced IGRP (EIGRP)




                                                      Advanced distance vector protocol based on
                                                      IGRP with some link-state protocol features
                                                      Supports VLSM


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-11

                 EIGRP Characteristics


                    EIGRP Characteristics                     Implemented By

                    Fast convergence                          Diffusing Update Algorithm (DUAL)

                    Improved scalability                      Manual summarization, fast convergence

                    Use of VLSM                               Subnet mask in updates

                    Reduced bandwidth usage                   No periodic updates

                    Multiple network layer protocol support   IPv4, IPv6 (Protocol Dependent Modules for IPX, AppleTalk)




        © 2007 Cisco Systems, Inc. All rights reserved.                                                                                       DESGN v2.0—5-12

                 Open Shortest Path First (OSPF)

                          Developed in 1988 by the IETF; version 2 is described in RFC 2328.
                          OSPF was devised for use in large, scalable networks
                          where RIP failed:
                             – Improved speed of convergence
                             – Network reachability (no hop-count limitations)
                             – Support for VLSM
                             – Improved path calculation




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-13

                 Example: OSPF Multiarea Network




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-14

                 OSPF Characteristics


                          OSPF Characteristics                                     Implemented By

                          Fast convergence                                         Link-state updates (triggered), SPF calculation

                          Very good scalability                                    Multiple-area design

                          Use of VLSM                                              Subnet mask in updates

                          Reduced bandwidth usage                                  No periodic updates




        © 2007 Cisco Systems, Inc. All rights reserved.                                                                              DESGN v2.0—5-15

                 Integrated IS-IS

                          Link-state protocol
                             – Supports IPv4, IPv6, and OSI CLNP
                             – Support for VLSM
                             – Based on Level 2 backbone to which Level 1 areas are
                               attached
                          Typically deployed in service provider environments, with
                          enterprise network administrators having limited knowledge
                          of IS-IS




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-16

                 Border Gateway Protocol (BGP)

                          BGP is an exterior gateway protocol (EGP) used in Internet
                          routing.
                          BGP is a path vector protocol with enhancements:
                             – Suited for strategic routing policies used between autonomous
                               systems
                             – Allows administrators to adjust parameters to influence routing
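                 Worked example (added here; not part of the DESGN course material): a Python
                 model of the two path-vector properties the slide names. The AS_PATH carried
                 with each route lets a router discard any update that already contains its
                 own AS number, which is how BGP prevents loops; and an administrator-set
                 local preference overrides the shorter path that a plain distance comparison
                 would choose. Only the local-preference and AS_PATH-length steps of BGP
                 best-path selection are modelled; the update data, the neighbor addresses
                 and the names accept_update, select_route and LOCAL_AS are assumptions of
                 this example.

```python
"""Path-vector behaviour in BGP: AS_PATH loop rejection and policy.

Constructed example, not course material. Models the loop check on receipt
and the local-preference and AS_PATH-length steps of best-path selection;
the neighbor address is the final tie-breaker here.
"""

LOCAL_AS = 65001  # constructed: this router's own AS number

# Constructed updates for one prefix: (neighbor address, AS_PATH with the
# nearest AS first). Addresses come from the documentation ranges.
UPDATES = [
    ("198.51.100.1", [64500, 64600]),
    ("203.0.113.1", [64700, 64800, 64600]),
    ("192.0.2.1", [64900, 65001, 64600]),  # already passed through our AS
]


def accept_update(local_as, as_path):
    """Reject a path that already contains our AS: it has looped."""
    return local_as not in as_path


def apply_policy(neighbor, as_path, policy):
    """Inbound policy sets local preference per neighbor; the default of
    100 matches the IOS default when no policy applies."""
    return {"neighbor": neighbor,
            "as_path": list(as_path),
            "local_pref": policy.get(neighbor, 100)}


def best_path(candidates):
    """Highest local preference wins, then shortest AS_PATH, then lowest
    neighbor address as a deterministic tie-break for this example."""
    return min(candidates,
               key=lambda c: (-c["local_pref"], len(c["as_path"]), c["neighbor"]))


def select_route(local_as, updates, policy):
    """Run loop rejection, policy and best-path choice; return the neighbor
    whose path is installed, or None when nothing survives."""
    candidates = [apply_policy(n, p, policy)
                  for n, p in updates if accept_update(local_as, p)]
    if not candidates:
        return None
    return best_path(candidates)["neighbor"]


if __name__ == "__main__":
    # Without policy the shorter AS_PATH via 198.51.100.1 wins.
    print(select_route(LOCAL_AS, UPDATES, {}))
    # Preferring the second provider by local preference overrides path length.
    print(select_route(LOCAL_AS, UPDATES, {"203.0.113.1": 200}))
```

                 The looped update from 192.0.2.1 never reaches path selection; with an
                 empty policy the two-AS path wins, and a single local-preference entry
                 redirects the choice to the longer path, which is the "high administrator
                 influence" the EGP comparison slide refers to.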




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-17

                 BGP Network Implementation




                                           BGP is primarily used for inter-AS routing.

        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-18

                 Internal BGP

                          BGP can run between routers within one autonomous system.
                          IBGP neighbors need not be directly connected (use static routes
                          or an IGP to convey reachability information).
                          Other IBGP uses:
                             – Intra-autonomous system policy implementations
                             – QoS Policy Propagation on BGP (QPPB)
                             – MPLS VPNs (using multiprotocol IBGP)




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-19

                 Recommended Enterprise Routing
                 Protocol Comparison


                                         Enterprise Characteristics                                         EIGRP   OSPF

                                         Fast convergence                                                    Yes    Yes

                                         Very good scalability                                               Yes    Yes

                                         Use of VLSM                                                         Yes    Yes

                                         Multiple network layer protocol support                             Yes     No

                                         Mixed vendor devices                                                No     Yes




        © 2007 Cisco Systems, Inc. All rights reserved.                                                                    DESGN v2.0—5-20

                 Summary

                          Protocols with hierarchical and link-state attributes support the
                          fastest network convergence.
                          EIGRP and OSPF are the recommended IGPs for the enterprise.
                           – EIGRP is a Cisco proprietary protocol for routing IPv4, IPv6,
                             IPX, and AppleTalk traffic.
                           – OSPF is a standardized protocol for routing IPv4, developed to
                             replace RIP in larger networks with more diverse media. It also can
                             support IPv6.
                           – BGP is a representative EGP. It is primarily used to
                             interconnect autonomous systems or to connect enterprises
                             to an ISP.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-21

                 Designing a Routing
                 Protocol Deployment



                 Designing IP Addressing and Selecting Routing Protocols




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-1

                 Routing Protocols in the
                 Enterprise Architecture




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-2

                 Route Redistribution




                                               Redistribution between routing protocols occurs on the
                                               router at the routing-domain boundary.



        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-3

                 Route Redistribution Direction

                          Redistribution of routing protocols (boundary router)
                          One-way redistribution in one direction (for example, from enterprise edge to campus core)
                          Two-way redistribution in both directions




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-4

                 Route Redistribution in
                 the Enterprise Network

   Redistribution:
           From selected building access protocols
           Between campus core and WAN routers
           From static routes to enterprise IGP
           Static routes or BGP routes into enterprise IGP




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-5

                 Route Filtering

                 Filtering upon redistribution:
                          Avoids routing loops
                          Avoids suboptimal routing
                          Prevents certain routes from entering the routing domain
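                 Worked example (added here; not part of the DESGN course material): a Python
                 model of the filtering a boundary router applies before passing routes from
                 BGP into the enterprise IGP. Two checks cover the three bullets above: a
                 route-tag test drops routes that originated in the receiving domain, which is
                 the loop that two-way redistribution can otherwise create, and a prefix list
                 admits only the prefixes the IGP should carry, so a provider default route or
                 an over-specific prefix never enters the domain. The prefix list, the
                 candidate routes, the tag values and the names prefix_list_permits and
                 redistribute are assumptions of this example; the ge/le matching rules follow
                 those of Cisco IOS prefix lists.

```python
"""Route filtering at a redistribution point (constructed example).

Not course material. Two checks run before a route passes from one routing
domain into another: a route-tag test that stops routes from looping back
into the domain they came from under two-way redistribution, and a prefix
list that admits only the prefixes the receiving domain should carry.
"""
import ipaddress

# Constructed prefix list: (action, prefix, ge, le). First match wins and
# anything left unmatched is denied, as in IOS.
INTO_IGP = [
    ("deny", "0.0.0.0/0", None, None),    # never import a default route
    ("permit", "10.0.0.0/8", 16, 24),     # enterprise space, /16 to /24 only
]

# Constructed candidate routes at the boundary router: (prefix, route tag).
# Tag "igp" marks routes that originated in the IGP and were sent to BGP.
CANDIDATES = [
    ("10.1.0.0/16", "bgp"),
    ("10.1.2.0/24", "bgp"),
    ("10.1.2.128/25", "bgp"),   # too specific for the policy
    ("0.0.0.0/0", "bgp"),       # default route from the provider
    ("192.168.1.0/24", "bgp"),  # not enterprise space
    ("10.5.0.0/16", "igp"),     # came from our own IGP: would loop
]


def _entry_matches(entry, net):
    """IOS prefix-list semantics: the route must sit inside the entry prefix
    and its length must fall within [ge, le]. Without ge/le the length must
    be exact; ge alone means ge..max; le alone means entry length..le."""
    _, prefix, ge, le = entry
    base = ipaddress.ip_network(prefix)
    if not net.subnet_of(base):
        return False
    lo = ge if ge is not None else base.prefixlen
    if le is not None:
        hi = le
    else:
        hi = base.max_prefixlen if ge is not None else base.prefixlen
    return lo <= net.prefixlen <= hi


def prefix_list_permits(plist, prefix):
    """First matching entry decides; no match means implicit deny."""
    net = ipaddress.ip_network(prefix)
    for entry in plist:
        if _entry_matches(entry, net):
            return entry[0] == "permit"
    return False


def redistribute(candidates, plist, local_tag):
    """Return the prefixes allowed into the domain tagged local_tag."""
    accepted = []
    for prefix, tag in candidates:
        if tag == local_tag:
            continue  # loop prevention: this route originated here
        if prefix_list_permits(plist, prefix):
            accepted.append(prefix)
    return accepted


if __name__ == "__main__":
    print(redistribute(CANDIDATES, INTO_IGP, "igp"))
```

                 Only 10.1.0.0/16 and 10.1.2.0/24 survive: the /25 fails the le bound, the
                 default route hits the explicit deny, 192.168.1.0/24 falls to the implicit
                 deny, and 10.5.0.0/16 is dropped by the tag check before the prefix list is
                 consulted.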




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-6

                 Route Summarization




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-7

                 Recommended Practice:
                 Summarize at the Distribution Layer
                     It is important to force summarization at the distribution layer toward the core.
                     After link failure, for return path traffic, an OSPF or EIGRP reroute is required.
                     Summaries limit the number of peers an EIGRP router must query or the number of
                     LSAs an OSPF peer must process.
                     Summaries allow faster reroutes.
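                 Worked example (added here; not part of the DESGN course material): a Python
                 check for the summary a distribution block advertises toward the core. Given
                 the subnets behind the distribution switches it computes the single covering
                 prefix, and it also reports any address space the summary claims that no
                 deployed subnet covers; traffic for such addresses follows the summary to the
                 distribution layer and is dropped there, so a summary should be sized to the
                 block's actual allocation. The subnet lists and the names summarize,
                 overclaimed and summary_is_exact are assumptions of this example; the
                 calculation uses the standard-library ipaddress module.

```python
"""Route summarization check for a distribution-layer summary.

Constructed example, not course material: given the subnets behind a
distribution block, compute the summary prefix it would advertise toward
the core and report any address space the summary claims that no real
subnet covers.
"""
import ipaddress

# Constructed: four contiguous /24s behind one distribution block.
BLOCK_A = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
# Constructed: the same block with one /24 not yet deployed.
BLOCK_B = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]


def summarize(prefixes):
    """Smallest single prefix that contains every input prefix."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    summary = nets[0]
    # Widen the candidate one bit at a time until it covers all inputs;
    # this terminates because /0 covers everything of the same version.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


def overclaimed(prefixes):
    """Address space inside the summary that no input prefix covers.

    Returns an empty list when the summary exactly matches the deployed
    subnets; otherwise the uncovered ranges, merged where contiguous.
    """
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    remaining = [ipaddress.ip_network(summarize(prefixes))]
    for n in nets:
        still_free = []
        for r in remaining:
            if n.subnet_of(r):
                # address_exclude yields the parts of r that lie outside n
                still_free.extend(r.address_exclude(n))
            elif not r.subnet_of(n):
                still_free.append(r)
        remaining = still_free
    return [str(r) for r in ipaddress.collapse_addresses(remaining)]


def summary_is_exact(prefixes):
    """True when the summary advertises nothing beyond the real subnets."""
    return not overclaimed(prefixes)


if __name__ == "__main__":
    for block in (BLOCK_A, BLOCK_B):
        print(block, "->", summarize(block), "overclaims", overclaimed(block))
```

                 Both blocks summarize to 10.1.0.0/22; for the second one the summary also
                 covers 10.1.3.0/24, which is the range to watch when the block is reviewed
                 or when that subnet is later deployed elsewhere in the network.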



        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-11

                 Recommended Practice:
                 Passive Interfaces for IGP at Access Layer




                          Limit unnecessary peering
                          Without passive interface:
                             – With four VLANs per wiring closet
                             – 12 adjacencies total
                             – Memory and CPU requirements increased with no real benefit
                             – Creates overhead for IGP
        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-12

                 Summary

                          Large networks may implement multiple protocols for different
                          modules of the Cisco Enterprise Architecture.
                          Advanced routing features such as redistribution, filtering, and
                          summarization allow multiple routing protocols to coexist and
                          provide greater scalability.
                             – Redistribution between different routing protocols passes
                               routing knowledge from one protocol to another.
                             – Route filtering prevents advertisement of certain routes
                               through the routing domain.
                             – Route summarization and an IP hierarchy reduce routing traffic
                               and unnecessary route recomputation.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-13

                 IP Addressing and Routing Review

                          Define the IP addressing requirements.
                          Develop a hierarchical IP addressing plan:
                             – Use private addresses inside organization.
                             – Use public addresses facing the Internet.
                             – Use NAT or PAT for translation as needed.
                          Develop a plan for deploying DHCP and DNS.
                          Use EIGRP or OSPF, based on organizational requirements.
                          Implement recommended practices, including redistribution,
                          filtering, and summarization.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-78

                 Module Summary

                          IP address structure and IP address types have a large impact on
                          the address plan for both IPv4 and IPv6.
                          EIGRP and OSPF are the recommended IGPs for the enterprise.
                          Advanced routing features such as redistribution, filtering, and
                          summarization support scalability and multiple routing protocols.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—5-79









                 Evaluating Security
                 Solutions for the
                 Network


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-1





                 Defining Network
                 Security



                 Evaluating Security Solutions for the Network




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-1





                 Reasons for Network Security

                          Defend against attacks
                          Prevent unauthorized access
                          Prevent data misuse and theft
                          Comply with security legislation
                          Comply with industry standards
                          Comply with company policy




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-2





                 Example: Legislation and Directives

                 Legislation and industry directives that may affect
                 organizational security include:
                          GLBA—The Gramm-Leach-Bliley Act
                          HIPAA—Health Insurance Portability and Accountability Act
                          EU data protection Directive 95/46/EC
                          SOX—Sarbanes–Oxley Act
                          PCI DSS—Payment Card Industry Data Security Standard




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-3





                 Threats and Risks




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-4





                 Reconnaissance and Vulnerability
                 Scanning

                       Determine active targets
                       Determine running network services
                       Determine operating system platform
                       Find trust relationships
                       Check for proper file permissions
                       Identify user account information

                 Port-scanning tools include:
                             – Nmap
                             – SuperScan
                             – NetStumbler
                             – Kismet


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-5





                 Example: NMAP Screen




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-6





                 Vulnerability Assessment
                          Active (sending packets) or passive (sniffer)
                          Published vulnerability information
                             – CERT/CC
                             – MITRE
                             – Microsoft
                             – Cisco security notices
                          Reconnaissance tools
                             – Nessus
                             – MBSA
                             – SAINT




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-7





                 Gaining System Access

                          Using knowledge of usernames and passwords
                             – Improper escalation of privilege
                             – Default administrative and service accounts
                             – Gaining access to other systems via trust relationships
                          Using social engineering
                             – Physical access to information
                             – Psychological approach
                          Cracking captured passwords




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-8





                 Integrity and Confidentiality Threats




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-9





                 Availability Threats (Denial of Service)




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-10





                 Everything Is a Potential Target

                          Hosts are the preferred target for worms
                          and viruses.
                             – In the past year, a large number of attacks targeted hosts.
                             – Compromised hosts are often used as attack launch
                               points (botnets).
                          But there are other high-value alternative targets:
                             – Infrastructure devices: routers, switches
                             – Support services: DHCP servers, DNS servers
                             – Endpoints: management stations, IP phones
                             – Infrastructure: network capacity
                             – Security devices: IDS and IPS

        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-11





                 Network Security in the System Lifecycle

                          Business needs: What does your organization want to do with
                          the network?
                          Risk analysis: What is the risk and cost balance?
                          Security policy: What are the policies, standards, and guidelines
                          to address business needs and risk?
                          Industry recommended practices: What are the reliable,
                          well-understood, and recommended security practices?
                          Security operations: What is the process for incident response,
                          monitoring, maintenance, and compliance auditing of the system?




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-12





                 What Is a Security Policy?

                 “A security policy is a formal statement of the rules by
                  which people who are given access to an organization’s
                  technology and information assets must abide.”

                     RFC 2196, Site Security Handbook




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-13





                 Why Is a Security Policy Needed?
                     Sets the framework for the security implementation
                        – Defines organizational assets and the way to use them
                        – Defines and communicates roles
                        – Helps determine necessary tools and procedures
                        – Defines how to identify and handle security incidents
                     Creates a baseline of the current security posture
                        – Defines allowed and not-allowed system behaviors
                        – Informs users of their responsibilities and ramifications of asset
                          misuse
                        – Provides risk assessment and cost-benefit analysis



        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-14





                 Network Security and Risks


               Network security can reduce risks to acceptable levels:
                  – Risk assessment defines threats and their probability
                    and severity.
                  – A network security policy enumerates risks relevant to
                    the network and describes how risks will be controlled or
                    managed.
                  – A network security design implements the security policy.
               Justify security costs by the potential cost and
               inconvenience of incidents.

        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-15





                 Risk Index Calculation


                        Risk                                      Probability (P)   Severity (S)   Control (C)   Risk Index (P * S) / C
                                                                  (1–3)             (1–3)          (1–3)         (⅓–9)

                        1.

                        2.

                        3.

                        4.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                                               DESGN v2.0—6-16





                 Example: Risk Index Calculation


                        Risk                                                          Probability (P)   Severity (S)   Control (C)   Risk Index (P * S) / C
                                                                                      (1–3)             (1–3)          (1–3)         (⅓–9)

                        1. Breach of confidentiality of customer database                   1                 3              2             1.5

                        2. DDoS attack sustained for more than 1 hour
                           against e-commerce server                                        2                 2              1             4
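The worksheet above can be kept as a small risk register. The following is an added example (not course material) that implements the slide's formula, Risk Index = (P * S) / C with each factor rated 1–3, validates the ratings, ranks the register so the highest index comes first, and lets a designer ask what a stronger control would do to the index; the two register rows are the slide's own example values.

```python
"""Risk index register for the DESGN risk-analysis worksheet (added example).

Risk Index = (P * S) / C, where probability P, severity S and control C are
each rated 1-3, so the index ranges from 1/3 (best case) to 9 (worst case).
"""
from dataclasses import dataclass
from fractions import Fraction

RATING_MIN, RATING_MAX = 1, 3  # every factor on the worksheet is rated 1-3


def _check_rating(name: str, value: int) -> int:
    """Reject anything outside the 1-3 scale so the index stays in 1/3..9."""
    if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(
            f"{name} must be an integer in {RATING_MIN}..{RATING_MAX}, got {value!r}"
        )
    return value


@dataclass(frozen=True)
class Risk:
    description: str
    probability: int  # P: how likely the event is (1 = unlikely, 3 = likely)
    severity: int     # S: impact if it happens (1 = minor, 3 = severe)
    control: int      # C: strength of existing safeguards (1 = weak, 3 = strong)

    def __post_init__(self) -> None:
        _check_rating("probability", self.probability)
        _check_rating("severity", self.severity)
        _check_rating("control", self.control)

    def index(self) -> Fraction:
        """(P * S) / C as an exact fraction, e.g. Fraction(3, 2) for 1.5."""
        return Fraction(self.probability * self.severity, self.control)


def rank(risks):
    """Highest risk index first; ties keep the register's original order."""
    return sorted(risks, key=lambda r: r.index(), reverse=True)


def index_if_control(risk: Risk, new_control: int) -> Fraction:
    """What-if: the index the same risk would have with a different control rating."""
    return Risk(risk.description, risk.probability, risk.severity, new_control).index()


# Constructed register using the two rows from the slide's worked example.
REGISTER = [
    Risk("Breach of confidentiality of customer database",
         probability=1, severity=3, control=2),
    Risk("DDoS attack sustained for more than 1 hour against e-commerce server",
         probability=2, severity=2, control=1),
]


def report(risks=REGISTER) -> str:
    """Plain-text worksheet, ranked so the risks needing attention come first."""
    lines = [f"{'Risk':<70} {'P':>2} {'S':>2} {'C':>2} {'Index':>6}"]
    for r in rank(risks):
        lines.append(
            f"{r.description:<70} {r.probability:>2} {r.severity:>2} "
            f"{r.control:>2} {float(r.index()):>6.2f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    ddos = REGISTER[1]
    print(f"\nDDoS index with strong controls (C=3): {index_if_control(ddos, 3)}")
```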




        © 2007 Cisco Systems, Inc. All rights reserved.                                                                                 DESGN v2.0—6-17





                 Components of a Security Policy




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-18





                 Network Security Is a Continuous
                 Process
             Secure
                – Identity and authentication
                – Filtering and stateful inspection
                – Encryption and VPNs
             Monitor
                – Intrusion detection and response
                – Content-based detection and response
             Test
                – Security posture assessment
                – Vulnerability scanning
                – Patch verification and application auditing
             Improve
                – Event and data analysis and reporting
                – Network security intelligence


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-19





                 Integrate Security Design and Network
                 Design

                          Security services can reside inside network infrastructure.
                          Security design coupled with network design is far more
                          manageable.
                          Recommended practice: Integrate security and network design.
                          Integrated security and network design requires coordination.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-20





                 Summary

                          Security services must provide adequate protection to conduct
                          business in a relatively open environment.
                             – There are many types of security threats and associated risks.
                             – Each device on the network, such as a host, router, or switch,
                               is a potential security target.
                          Network security is part of the system life cycle.
                             – Network security is a continuous process built around a
                               security policy.
                             – Security design and network design should be integrated.




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-21









                 Understanding the
                 Cisco Self-Defending
                 Network


                 Evaluating Security Solutions for the Network




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-1





                 Cisco Self-Defending Network

                          Efficient security management, control, and response
                          Advanced technologies and security services to:
                             – Protect critical assets
                             – Mitigate the effects of outbreaks
                             – Ensure privacy
                          Network as Platform

        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-2





                 Network as Platform for Security

                          Cisco Integrated Services Routers
                             – Integrate Cisco IOS Firewall, VPN, and intrusion prevention
                               system (IPS) services across the Cisco router portfolio
                             – Deploy new security features on existing routers using
                               Cisco IOS Software
                             – Cisco NAC-enabled
                          Cisco Catalyst Switches
                             – Denial-of-service (DoS) attack mitigation
                             – Integrated security service modules for high-performance
                               threat protection and secure connectivity
                             – Man-in-the-middle attack mitigation
                          Cisco Adaptive Security Appliances
                             – High-performance firewall, IPS, network antivirus, and
                               IPsec/SSL VPN technologies all in one unified architecture
                             – Device consolidation to reduce overall deployment and
                               operations costs and complexities
                             – Cisco NAC-enabled



        © 2007 Cisco Systems, Inc. All rights reserved.                                                                                DESGN v2.0—6-3





                 Self-Defending Network Phases




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-4





                 Trust and Identity Management




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-5





                 Trust Is the Root of Security

                          Trust is a relationship in which two (or more) network
                          entities are allowed to communicate.
                          Trust forms the root of all security policy decisions.
                          Trust and risk are opposites; security is based on
                          enforcing limitations to trust relationships.
                          Trust relationships:
                             – Can be explicit or implied
                             – Can be inherited
                             – Can be abused


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-6





                 Domains of Trust




         Question: From a security design perspective, what is the key
                   difference between Case 1 and Case 2?


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-7





                 Domains of Trust




         Question: From a security design perspective, what is the key
                   difference between Case 1 and Case 2?
                Answer: Case 2 is more segmented into domains of trust.

        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-8





                 Example: Domains of Trust




                 Domains                   Gradient                      Safeguards Needed

                 Private to Public         Extreme (high risk)           Advanced firewalling, flow-based inspection,
                                                                         misuse detection (IPS), constant monitoring

                 Production to Lab         Minor (low risk)              Basic access control, casual monitoring

                 Headquarters to Branch    Steep (considerable risk)     Communication security, authentication,
                                                                         confidentiality, integrity concerns



        © 2007 Cisco Systems, Inc. All rights reserved.                                                                                         DESGN v2.0—6-9





                 Identity

                 Identity is the “who” of a trust relationship. The identity of
                 a network entity is verified by credentials.
                          Both people and devices can be authenticated.
                          Three authentication attributes:
                             – Something you know
                             – Something you have
                             – Something you are
                          Common approaches to identity:
                             – Passwords
                             – Tokens
                             – Certificates


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-10





                 Passwords

                 Correlates an authorized user with network resources




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-11





                 Tokens

                               Strong (two-factor) authentication based
                               on “something you know” and “something
                               you have”




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—6-12





                 Access Control in Networks
                     Confidentiality and integrity are traditionally supported through
                     access control.
                     Access control enforces rules about which entities can access which
                     resources.
                     Network access control is based on:
                        – Authentication, which establishes the identity of the subject
                        – Authorization, which defines what a subject can do in a network
                     Audit trails and real-time monitoring provide accounting and security
                     auditing information.








                 Example: Trust and Identity Management
                 Technologies

                          Access control lists (ACLs)
                          Firewalls
                             – Stateful inspection
                             – Application inspection
                          Network Admission Control (NAC)
                             – NAC Framework
                             – Cisco NAC Appliance
                          IEEE 802.1X
                          Cisco IBNS








                 Firewall Filtering Using ACLs








                 NAC Framework and Appliance
                        Two approaches for Network Admission Control (NAC)
                           NAC Framework
                              – Sold through NAC-enabled products
                              – Integrated solution leveraging Cisco network and vendor
                                products
                           Cisco NAC Appliance
                              – Sold as virtual or integrated appliance
                              – Self-contained product; integrates but does not rely on
                                partners
                           NAC Infrastructure
                              – Offers customers a deployment time-frame choice
                              – Adapts to investment protection requirements of customer






                 802.1X Protocol








                 Identity and Access Control Deployment
                 Locations


                          Authenticate at edge.
                          Deploy ACLs based on policy.
                          Practice defense in depth.








                 Threat Defense

                          Enhances security in the existing network infrastructure
                             – Protects businesses from operation disruption, lost revenue,
                               and loss of reputation.
                          Adds comprehensive security on network endpoints
                             – Cisco Security Agent provides endpoint protection.
                          Adds dedicated security technologies to networking devices and
                          appliances
                             – Security technologies are implemented throughout the
                               network.








                 Physical Security








                 Physical Security Guidelines

                          Deploy adequate physical access control.
                          Evaluate whether physical access can compromise other security
                          features.
                          Identify additional security issues resulting from device theft.
                          Protect communications over infrastructure out of your control
                          using cryptography.








                 Infrastructure Protection

                          The measures taken to preserve the integrity
                          and availability of the network infrastructure as
                          a transport and service entity
                          Goals:
                             – That the network devices are not accessed or altered in
                               an unauthorized manner
                             – That the end-to-end network transport and any integrated
                               services remain available
                          Policy enforcement technologies can directly help preserve the
                          integrity and availability of the network.








                 Infrastructure Protection Deployment
                 Locations

                          Deploy on all network infrastructure devices
                             – Different mechanisms are used on different platforms,
                               but typically there are equivalent functions available.
                             – More advanced mechanisms are available mainly on
                               higher-end platforms.
                          Implement throughout the network








                 Recommended Practices for
                 Infrastructure Protection

                          Use SSH to access devices.
                          Enable AAA and role-based access control for access to all
                          network devices.
                          Collect and archive syslog information.
                          Use SNMPv3.
                          Disable unused services.
                          Use SFTP (SSH FTP) or SCP and avoid FTP and TFTP.
                          Install vty access lists to limit access to management and CLI
                          services.
                          Enable control plane protocol authentication.
                          Consider one-step lockdown in SDM for basic router security.
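The practices above can be checked mechanically against a device's running-config. The following Python audit is an added example, not course material or a Cisco tool: it reads a constructed IOS config (documentation addresses, placeholder OSPF key), reports which of the listed practices fail, and shows a corrected config that passes.

```python
"""Audit a Cisco IOS running-config against the infrastructure-protection
practices listed above. Added example; both configs are constructed."""
import re

# Constructed "before" config. 192.0.2.0/24 is a documentation range and the
# OSPF key is a placeholder, not a real value.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip ssh version 2
ip scp server enable
ip ftp username backup
snmp-server community public RO
snmp-server group NETOPS v3 priv
logging host 192.0.2.10
ip http server
service tcp-small-servers
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
line vty 0 4
 transport input telnet ssh
 login authentication default
"""

# Constructed "after" config with the findings corrected.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip ssh version 2
ip scp server enable
no ip http server
ip http secure-server
snmp-server group NETOPS v3 priv
logging host 192.0.2.10
access-list 10 permit 192.0.2.0 0.0.0.255
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
"""


def _stanza_bodies(config, prefix):
    """Indented body lines of every top-level stanza that starts with prefix."""
    bodies, current = [], None
    for raw in config.splitlines():
        if raw.startswith(prefix):
            current = []
            bodies.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return bodies


def audit_ios_config(config):
    """Map each recommended practice to True (met) or False (finding)."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]

    def has(pattern):
        return any(re.match(pattern, line) for line in lines)

    vty = _stanza_bodies(config, "line vty")
    routing = has(r"router (ospf|eigrp|bgp|rip)\b")
    return {
        # SSHv2 enabled and every vty line accepts SSH only (no telnet).
        "ssh_management": has(r"ip ssh version 2$") and bool(vty)
                          and all("transport input ssh" in body for body in vty),
        # AAA with an authorization method list (role-based access control).
        "aaa_rbac": has(r"aaa new-model$") and has(r"aaa authorization "),
        # At least one remote syslog collector.
        "syslog_collected": has(r"logging host "),
        # A v3 auth/priv group and no v1/v2c community strings.
        "snmpv3_only": has(r"snmp-server group \S+ v3 (auth|priv)")
                       and not has(r"snmp-server community "),
        # Commonly unused services are off.
        "unused_services_off": not has(r"(ip http server|service (tcp|udp)-small-servers|ip finger)$"),
        # SCP enabled; no TFTP server or FTP client settings (indicators of FTP/TFTP use).
        "scp_not_ftp_tftp": has(r"ip scp server enable$") and not has(r"(tftp-server |ip ftp )"),
        # Every vty line has an access-class.
        "vty_access_class": bool(vty)
                            and all(any(b.startswith("access-class ") for b in body) for body in vty),
        # Routing-protocol authentication, only relevant when a routing process exists.
        "control_plane_auth": (not routing) or has(
            r"(area \d+ authentication|ip ospf (authentication|message-digest-key)"
            r"|ip authentication mode eigrp|neighbor \S+ password|ip rip authentication)"),
    }


def failed_checks(config):
    """Sorted names of the practices the config does not meet."""
    return sorted(name for name, ok in audit_ios_config(config).items() if not ok)
```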






                 Threat Detection and Mitigation

                          Provide early detection and notification of unpredicted malicious
                          traffic or behavior.
                          Goals:
                             – To detect, notify of, and help stop an event or traffic that is
                               unauthorized and unpredicted
                             – To help preserve the availability of the network, particularly
                               against unknown or unforeseen attacks
                          Technologies include:
                             – Endpoint protection
                             – Infection containment
                             – Intrusion and anomaly detection
                             – Application security and anti-X defense





                 Example: Threat Detection and Mitigation
                 Technologies

                          Network-based intrusion prevention systems (NIPS)
                             – Adaptive security appliance (ASA)
                             – IPS sensor appliance
                             – Cisco IOS IPS
                          Host-based intrusion prevention systems (HIPS)
                             – Cisco Security Agent
                          NetFlow
                          Syslog
                          Event correlation systems
                             – Cisco Security Monitoring, Analysis, and Response System
                               (MARS)
                          Cisco Traffic Anomaly Detector Module




                 Threat Detection and Mitigation
                 Solutions Deployment Locations








                 Secure Connectivity








                 Encryption Fundamentals

                          A method of protecting the confidentiality of data
                          Uses keys to encrypt the data and decrypt it at a later time








                 Encryption Keys

                 Shared secrets:
                          Secret key is carried “out of band” to the remote side.
                          Easiest mechanism, but it has inherent security concerns.


                 Public key infrastructure (PKI):
                          Uses “asymmetric cryptography” in which the encryption key is
                          different from the decryption key
                          Lets you publish the encryption key, while keeping the decryption
                          key secret
                          Widely used in e-commerce sites around the world








                 VPN Protocols

                 IPsec (IP security)
                          Built directly on the IP layer (Protocol 50)
                          Uses IKE and ESP
                          Requires IPsec software on endpoints


                 SSL (Secure Sockets Layer)
                          Built on top of the TCP layer (port 443)
                          Provides confidentiality for web traffic (HTTPS)
                          All major browsers can use SSL








                 Transmission Confidentiality








                 Transmission Confidentiality Guidelines

                          Evaluate the location for transmission confidentiality needs.
                          Use the strongest available cryptography, performance permitting.
                          Use well-known and established cryptographic algorithms.
                          Do not focus on confidentiality alone; integrity and authenticity are
                          also important.








                 Data Integrity








                 Data Integrity Guidelines

                          Evaluate the need for transmission integrity.
                          Use the strongest available cryptography, performance permitting.
                          Use well-known and established cryptographic algorithms.
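The point shared by the transmission confidentiality and data integrity guidelines is that encryption alone lets altered data pass undetected, while an integrity check over the ciphertext rejects it. The following Python code is an added example, not course material: its HMAC-SHA256 counter-mode stream cipher is a constructed illustration, and a deployed design would use an established construction such as AES-GCM or IPsec ESP with its integrity algorithm.

```python
"""Confidentiality alone versus encrypt-then-MAC. Added example; the stream
cipher (HMAC-SHA256 as a PRF in counter mode) is illustrative only."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def derive_keys(shared_secret, label=b"session"):
    """Separate encryption and MAC keys from one out-of-band shared secret."""
    enc = hmac.new(shared_secret, b"enc|" + label, hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac|" + label, hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(key, nonce, data):
    """XOR data with PRF(key, nonce || counter) blocks; the same call decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_only(shared_secret, nonce, plaintext):
    """Confidentiality alone: no integrity or authenticity protection."""
    enc, _ = derive_keys(shared_secret)
    return _keystream_xor(enc, nonce, plaintext)


def decrypt_only(shared_secret, nonce, ciphertext):
    """Accepts any ciphertext; a change in transit silently changes the plaintext."""
    return encrypt_only(shared_secret, nonce, ciphertext)


def seal(shared_secret, nonce, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    enc, mac = derive_keys(shared_secret)
    ciphertext = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(shared_secret, message):
    """Verify the tag in constant time before decrypting; None on any failure."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    enc, mac = derive_keys(shared_secret)
    expected = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(enc, nonce, ciphertext)


def flip_bit(data, index, bit=0):
    """Simulate one bit of corruption or modification in transit."""
    altered = bytearray(data)
    altered[index] ^= 1 << bit
    return bytes(altered)


def compare(shared_secret, nonce, plaintext):
    """What each scheme yields when one ciphertext bit changes in transit."""
    ct = encrypt_only(shared_secret, nonce, plaintext)
    sealed = seal(shared_secret, nonce, plaintext)
    return {
        "encrypt_only_tampered": decrypt_only(shared_secret, nonce, flip_bit(ct, 0)),
        "sealed_intact": open_sealed(shared_secret, sealed),
        "sealed_tampered": open_sealed(shared_secret, flip_bit(sealed, NONCE_LEN)),
    }


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # stands in for the out-of-band shared secret
    print(compare(secret, secrets.token_bytes(NONCE_LEN), b"set qos policy gold"))
```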








                 Security Management Overview

                          Security management does the following:
                             – Collects, analyzes, and presents data
                             – Provisions policies on security devices
                             – Maintains consistency and change control of policies
                             – Provides role-based access control and accounts for all user
                               activity
                          A security implementation is only as good as the policies it uses.
                          The biggest risk to security in a properly planned architecture is
                          policy error.








                 Security Management Solutions

                          Cisco Router and Security Device Manager (SDM)
                          Cisco Adaptive Security Device Manager (ASDM)
                          Cisco Intrusion Prevention System Device Manager (IDM)
                          Management Center for Cisco Security Agents
                          Cisco Secure Access Control Server (ACS)
                          Cisco Security Manager
                          Cisco Security Monitoring, Analysis, and
                          Response System (Cisco Security MARS)








                 Summary

                          The Cisco Self-Defending Network integrates security into the
                          network to provide the network the ability to identify, prevent, and
                          adapt to threats.
                          Trust and identity management provide secure network access
                          and admission at any point in the network and isolate and control
                          infected or unpatched devices that attempt to access the network.
                          Threat defense provides a strong defense against known and
                          unknown attacks using security integrated in routers, switches,
                          and appliances.
                          Secure connectivity uses encryption and authentication to provide
                          secure transport across untrusted networks.
                          Security management is a framework for scalable policy
                          administration and enforcement.










                 Selecting Network
                 Security Solutions



                 Evaluating Security Solutions for the Network








                 Network Devices Supporting
                 Integrated Security

                          Cisco IOS router security
                          PIX security appliance
                          Adaptive security appliance (ASA)
                          VPN concentrator
                          Intrusion prevention system
                          Catalyst service modules
                          Endpoint security








                 Integrated Security for
                 Cisco IOS Routers

                          Cisco IOS Firewall
                             – Stateful multiservice application-based filtering
                          Cisco IOS IPS
                             – In-line deep-packet inspection
                          Cisco IOS IPsec
                             – Data encryption at the IP packet level
                          Cisco IOS trust and identity
                             – AAA
                             – PKI
                             – SSH
                             – SSL






                 Example: Security Hardware Options
                 for ISRs

                          Built-in VPN acceleration
                          Voice security options
                          High-performance AIM
                          Cisco IDS Network Module
                          Cisco Content Engine Module
                          Cisco Network Analysis Module








                 Security Appliances

                          VPN concentrator
                             – IPsec and SSL VPN support
                          PIX security appliance
                             – Rich application and protocol inspection
                             – Integrated site-to-site and remote access VPNs
                          ASA, a multifunction security appliance
                             – Stateful firewall of PIX appliance, plus
                             – Adaptive threat defense capabilities
                                           Application security
                                           Anti-X defenses
                                           IPS
                             – Advanced integration modules




                 Intrusion Prevention Systems

                          In line (IPS) or passive (IDS)
                          Multivector threat identification
                          Network speeds from multiple T1s to 1 Gbps
                             – IPS 4215 sensor protects up to 65 Mbps of traffic
                             – IPS 4240 sensor protects up to 250 Mbps of traffic
                             – IPS 4255 sensor protects up to 500 Mbps of traffic
                             – IPS 4260 sensor protects up to 1 Gbps of traffic








                 Cisco Catalyst Service Modules

                          Cisco Firewall Services Module
                          Cisco Intrusion Detection System Services Module
                          Cisco SSL Services Module
                          Cisco IPSec VPN SPA
                          Cisco Traffic Anomaly Detector Module
                          Cisco Anomaly Guard Module
                          Cisco Network Analysis Module








                 Cisco Security Agent

                          Spyware and adware protection
                          Protection against buffer overflows
                          Distributed firewall capabilities
                          Malicious mobile code protection
                          Operating-system integrity assurance
                          Application inventory
                          Audit log consolidation








                 Securing the Enterprise Network

                          Embed Self-Defending Network features throughout the
                          network in:
                           – The enterprise campus
                           – The enterprise data center
                           – The enterprise edge
                          Use Self-Defending Network technologies, including:
                           – Identity and access control
                           – Threat defense
                           – Infrastructure protection
                           – Security management




                 Deploying Security in the Enterprise
                 Campus—Identity and Access Control

                          802.1X or NAC
                          NAC appliance
                          ACLs
                          Firewall
                           – Stateful inspection
                           – Application inspection




                 Deploying Security in the Enterprise
                 Campus—Threat Detection and Mitigation

                          NetFlow
                          Syslog
                          SNMP
                          Host IPS (Cisco Security Agent)
                          Network IPS
                          Cisco Security MARS, Cisco Security Manager




                 Deploying Security in the Enterprise
                 Campus – Infrastructure Protection

                          AAA
                          SSH
                          SNMPv3
                          IGP or EGP Message Digest 5 (MD5) authentication
                          Layer 2 security features




                 Deploying Security in the Enterprise
                 Campus—Summary

                          Identity and access control:
                             802.1X, NAC, ACLs, firewalls
                          Threat detection and mitigation:
                             NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
                          Infrastructure protection:
                             AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
                          Security management:
                             Cisco Security Manager, Cisco Security MARS

                 Deploying Security in the Enterprise Data
                 Center – Identity and Access Control

                          802.1X
                          ACLs
                          Firewalls




                 Deploying Security in the Enterprise Data
                 Center—Threat Detection and Mitigation

                          NetFlow
                          Syslog
                          SNMP
                          Host IPS (Cisco Security Agent)
                          Network IPS
                          Cisco Security MARS, Cisco Security Manager




                 Deploying Security in the Enterprise
                 Data Center—Infrastructure Protection

                          AAA
                          SNMPv3
                          SSH
                          IGP or EGP MD5
                          Layer 2 security features




                 Deploying Security in the Enterprise
                 Data Center—Summary

                          Identity and access control:
                             802.1X, ACLs, firewalls
                          Threat detection and mitigation:
                             NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
                          Infrastructure protection:
                             AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
                          Security management:
                             Cisco Security Manager, Cisco Security MARS

                 Deploying Security in the Enterprise
                 Edge—Identity and Access Control

                          ACLs
                          Firewall
                          IPSec or SSL VPN
                          NAC appliance




                 Deploying Security in the Enterprise
                 Edge—Threat Detection and Mitigation

                          NetFlow
                          Syslog
                          SNMP
                          IPS (host or network)
                          Cisco Security MARS, Cisco Security Manager
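Worked example (added here; it is not part of the Cisco course material): a Python script that applies the threat-detection idea on the campus, data center and edge slides to syslog output. It parses constructed %SEC-6-IPACCESSLOGP deny messages, the format an IOS ACL entry with the log keyword produces, totals the denied packets per source and flags a source that is denied on many distinct destination ports, the kind of pattern that a network IPS or Cisco Security MARS would correlate into an alert. The hostname, addresses (RFC 5737 documentation ranges), ACL name and threshold are invented for the example; NetFlow records would feed the same per-source aggregation.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample syslog collector output (not real events). The
# %SEC-6-IPACCESSLOGP lines are what an IOS ACL entry with the log keyword
# emits for denied TCP/UDP packets; addresses are from RFC 5737 ranges.
SAMPLE_SYSLOG = """\
Oct 12 10:00:01 dc-sw1 101: %SEC-6-IPACCESSLOGP: list DC-IN denied tcp 203.0.113.7(40001) -> 192.0.2.10(21), 1 packet
Oct 12 10:00:01 dc-sw1 102: %SEC-6-IPACCESSLOGP: list DC-IN denied tcp 203.0.113.7(40002) -> 192.0.2.10(22), 1 packet
Oct 12 10:00:02 dc-sw1 103: %SEC-6-IPACCESSLOGP: list DC-IN denied tcp 203.0.113.7(40003) -> 192.0.2.10(23), 1 packet
Oct 12 10:00:02 dc-sw1 104: %SEC-6-IPACCESSLOGP: list DC-IN denied tcp 203.0.113.7(40004) -> 192.0.2.10(80), 1 packet
Oct 12 10:00:03 dc-sw1 105: %SEC-6-IPACCESSLOGP: list DC-IN denied tcp 203.0.113.7(40005) -> 192.0.2.10(443), 1 packet
Oct 12 10:00:03 dc-sw1 106: %SEC-6-IPACCESSLOGP: list DC-IN denied tcp 203.0.113.7(40006) -> 192.0.2.11(3389), 1 packet
Oct 12 10:00:05 dc-sw1 107: %SEC-6-IPACCESSLOGP: list DC-IN denied udp 198.51.100.4(514) -> 192.0.2.20(161), 3 packets
Oct 12 10:00:06 dc-sw1 108: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

ACL_DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_acl_denies(text: str) -> List[dict]:
    """Extract the ACL deny events from syslog text; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = ACL_DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("sport", "dport", "count"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def packets_by_source(events: List[dict]) -> Dict[str, int]:
    """Total denied packets per source address (IOS reports a packet counter
    per log message, so this is not the number of messages)."""
    totals: Dict[str, int] = defaultdict(int)
    for ev in events:
        totals[ev["src"]] += ev["count"]
    return dict(totals)


def find_port_scans(events: List[dict], min_ports: int = 5) -> Dict[str, List[int]]:
    """Flag sources denied on at least min_ports distinct destination ports,
    a probing pattern worth a correlation alert."""
    ports: Dict[str, set] = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    evs = parse_acl_denies(SAMPLE_SYSLOG)
    print("denied packets per source:", packets_by_source(evs))
    for src, dports in find_port_scans(evs).items():
        print(f"ALERT possible scan from {src}: ports {dports}")
```

The threshold is the tuning knob: too low and ordinary misconfigured hosts raise alerts, too high and a slow probe is missed, which is why the course pairs raw telemetry (NetFlow, syslog, SNMP) with a correlation tool rather than relying on either alone.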




                 Deploying Security in the Enterprise
                 Edge—Infrastructure Protection

                          SNMPv3
                          AAA
                          SSH
                          IGP or EGP MD5




                 Deploying Security in the Enterprise
                 Edge – Summary

                          Identity and access control:
                             Firewalls, IPSec, SSL VPN, ACLs
                          Threat detection and mitigation:
                             NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
                          Infrastructure protection:
                             AAA, CoPP, SSH, RFC 2827, SNMPv3, IGP/EGP MD5
                          Security management:
                             Cisco Security Manager, Cisco Security MARS
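Worked example (added here; not from the course): a Python audit of a Cisco IOS running-config for the infrastructure-protection controls named on the campus, data center and edge slides and in this summary: AAA, SSH, SNMPv3, IGP/EGP MD5 authentication, CoPP and RFC 2827 ingress filtering. The ACL evaluator goes a little beyond the slides' one-word "ACLs" item under identity and access control: it implements the first-match, wildcard-mask logic an IOS extended ACL uses, so the RFC 2827 check actually tests whether a packet claiming an internal source would be dropped instead of string-matching the ACL text. Both configurations, the interface and ACL names, and the key strings are constructed placeholders. The audit assumes the conventional IOS commands for each control (aaa new-model, ip ssh version 2, snmp-server group ... v3 priv, ip ospf message-digest-key ... md5 or a BGP neighbor ... password, and a service-policy input under control-plane); a production audit would have to cover the other syntaxes each control can take.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts (not from the course). The key
# strings are placeholders, not real credentials.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
snmp-server group NETMGMT v3 priv
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
interface Serial0/0
 ip access-group EDGE-IN in
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
router bgp 65000
 neighbor 192.0.2.1 password BGP-KEY-PLACEHOLDER
control-plane
 service-policy input COPP-POLICY
line vty 0 4
 transport input ssh
"""

WEAK_CONFIG = """\
ip ssh version 1
snmp-server community public RO
ip access-list extended EDGE-IN
 permit ip any any
interface Serial0/0
 ip access-group EDGE-IN in
line vty 0 4
 transport input telnet ssh
"""


def sections(cfg: str, header_re: str) -> Dict[str, List[str]]:
    """Map each section header matching header_re (group 1 is the key) to its
    indented child lines, the way IOS nests interface, ACL and line blocks."""
    lines, out, i = cfg.splitlines(), {}, 0
    while i < len(lines):
        m = re.match(header_re, lines[i])
        i += 1
        if not m:
            continue
        children = []
        while i < len(lines) and lines[i].startswith(" "):
            children.append(lines[i].strip())
            i += 1
        out[m.group(1)] = children
    return out


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def acl_action(entries: List[str], src: str) -> str:
    """First-match evaluation of extended ACL entries against a source address
    (wildcard mask: a 1 bit means 'do not care'); no match hits the implicit deny."""
    s = ip_to_int(src)
    for entry in entries:
        m = re.match(r"(permit|deny) \S+ (any|host \S+|\S+ \S+)", entry)
        if not m:
            continue
        tok = m.group(2).split()
        if tok[0] == "any":
            return m.group(1)
        addr, wild = (tok[1], "0.0.0.0") if tok[0] == "host" else tok
        if ((s ^ ip_to_int(addr)) & ~ip_to_int(wild) & 0xFFFFFFFF) == 0:
            return m.group(1)
    return "deny"


def audit(cfg: str, internal_sample_ips: List[str]) -> Dict[str, bool]:
    """True for each control the config satisfies (conventional IOS syntax only)."""
    vty = sections(cfg, r"^line vty (.+)")
    acls = sections(cfg, r"^ip access-list (?:extended|standard) (\S+)")
    inbound = [line.split()[2] for lines in sections(cfg, r"^interface (\S+)").values()
               for line in lines if re.match(r"ip access-group \S+ in$", line)]
    return {
        "aaa": bool(re.search(r"^aaa new-model$", cfg, re.M)),
        "ssh": bool(re.search(r"^ip ssh version 2$", cfg, re.M)) and bool(vty)
               and all("transport input ssh" in v for v in vty.values()),
        "snmpv3": bool(re.search(r"^snmp-server group \S+ v3 priv", cfg, re.M))
                  and not re.search(r"^snmp-server community ", cfg, re.M),
        "routing_md5": bool(re.search(
            r"^ (ip ospf message-digest-key \d+ md5|neighbor \S+ password) ", cfg, re.M)),
        "copp": any(line.startswith("service-policy input ")
                    for line in sections(cfg, r"^(control-plane)$").get("control-plane", [])),
        # RFC 2827: every inbound edge ACL must drop packets claiming an internal source.
        "rfc2827": bool(inbound) and all(acl_action(acls.get(name, []), ip) == "deny"
                                         for name in inbound for ip in internal_sample_ips),
    }


def missing_controls(cfg: str, internal_sample_ips: List[str]) -> List[str]:
    return sorted(name for name, ok in audit(cfg, internal_sample_ips).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "missing:", missing_controls(cfg, ["10.1.2.3"]))
```

Running the script lists no missing controls for the hardened excerpt and all six for the weak one. The sample internal address passed to the audit is what makes the RFC 2827 check meaningful: pick one address from each internal prefix and confirm the edge ACL denies it inbound.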

                 Summary
                         Cisco has integrated security features into the network devices,
                         including ACLs, firewall support, VPNs, IPS, and event logging.
                         The Cisco Self-Defending Network elements and Cisco network
                         devices with integrated security are deployed throughout the
                         enterprise network.




                 Security Design Review

                          Define the security requirements.
                          Define the security policy.
                          Integrate security in the network design:
                             – Implement trust and identity management to secure network
                               access and admission.
                             – Deploy threat defense to provide a defense against known
                               and unknown attacks.
                             – Use secure connectivity for encryption and authentication
                               on untrusted networks.
                             – Deploy security management to scale policy administration
                               and enforcement.
                          Select locations to deploy appropriate Cisco Self-Defending
                          Network elements and Cisco network devices.

                 Module Summary

                          Network security is a continuous process built around a security
                          policy and integrated with network design.
                          The Cisco Self-Defending Network is based on a secure network
                          platform and uses trust and identity management, threat defense,
                          and secure connectivity to integrate security into the network.
                          Cisco Self-Defending Network elements and Cisco network
                          devices with integrated security are deployed throughout the
                          enterprise network.




                 Identifying Voice
                 Networking
                 Considerations


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0




                 Reviewing Traditional
                 Voice Architectures
                 and Features


                 Identifying Voice Networking Considerations




                 Analog-to-Digital Conversion




                          Steps for converting an analog signal to digital format:
                                   Filtering
                                   Sampling
                                   Digitizing
                                      – Quantization and coding
                                      – Companding (a-law, mu-law)
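Worked example (added here; not part of the course material): a Python implementation of the sampling and digitizing steps listed above. It samples a tone at the 8-kHz rate, compands each 16-bit PCM sample into one G.711 mu-law byte (8000 samples/s times 8 bits is the 64-kbps circuit the PBX and PSTN slides mention) and expands it back. The tone generator and the plain 8-bit linear quantizer are included only to show why companding is used: the error on a quiet sample is far smaller than with uniform 8-bit quantization, because mu-law spends its 8 bits logarithmically. The sample values and tone parameters are constructed; the encoder follows the standard sign/segment/mantissa layout with bias 0x84.

```python
import math
from typing import List

SAMPLE_RATE = 8000   # Hz: twice the ~4 kHz band left after the filtering step
BITS_PER_SAMPLE = 8  # one mu-law byte per sample
BIAS = 0x84          # 132: offset so every segment has an implied leading 1 bit
CLIP = 32635         # largest magnitude that still fits after adding BIAS


def bitrate_bps(sample_rate: int = SAMPLE_RATE, bits: int = BITS_PER_SAMPLE) -> int:
    """8000 samples/s x 8 bits = 64000 bit/s, one DS0 channel."""
    return sample_rate * bits


def sample_tone(freq_hz: float, amplitude: int, n_samples: int) -> List[int]:
    """Sampling step: a sine tone sampled at SAMPLE_RATE as 16-bit PCM values."""
    return [int(round(amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)))
            for i in range(n_samples)]


def linear_to_ulaw(sample: int) -> int:
    """Digitizing step: compand one 16-bit PCM sample into one G.711 mu-law byte
    (sign bit, 3-bit segment, 4-bit mantissa; all bits inverted on the wire)."""
    sign = 0x80 if sample < 0 else 0
    magnitude = min(abs(sample), CLIP) + BIAS
    exponent = (magnitude >> 7).bit_length() - 1       # segment 0..7
    mantissa = (magnitude >> (exponent + 3)) & 0x0F     # 4 bits below the leading 1
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def ulaw_to_linear(byte: int) -> int:
    """Expand a mu-law byte to the midpoint of its quantization interval."""
    byte = ~byte & 0xFF
    sign, exponent, mantissa = byte & 0x80, (byte >> 4) & 0x07, byte & 0x0F
    magnitude = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -magnitude if sign else magnitude


def compand(samples: List[int]) -> bytes:
    return bytes(linear_to_ulaw(s) for s in samples)


def expand(data: bytes) -> List[int]:
    return [ulaw_to_linear(b) for b in data]


def uniform8_roundtrip(sample: int) -> int:
    """Plain 8-bit linear quantization (steps of 256), for comparison only."""
    return max(-32768, min(32767, int(round(sample / 256)) * 256))


def max_roundtrip_error(samples: List[int]) -> int:
    return max(abs(a - b) for a, b in zip(samples, expand(compand(samples))))


if __name__ == "__main__":
    tone = sample_tone(1000.0, 8000, 80)   # 10 ms of a 1 kHz tone
    print("bitrate:", bitrate_bps(), "bit/s")
    print("mu-law max error on tone:", max_roundtrip_error(tone))
    quiet = 100
    print("quiet sample", quiet, "-> mu-law", ulaw_to_linear(linear_to_ulaw(quiet)),
          "vs linear 8-bit", uniform8_roundtrip(quiet))
```

Silence encodes as 0xFF and full scale as 0x80 (positive) or 0x00 (negative); the quiet sample of 100 comes back as 104 from mu-law but as 0 from the linear 8-bit quantizer, which is the whole point of companding speech before it goes onto a 64-kbps circuit.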

                 PBXs and Switches

              PBX:
                       Used in private sector
                       Scales to n * 1000 phones
                       Mostly digital
                       Uses 64-kbps circuits
                       Uses proprietary protocols to control phones
                       Interconnects remote branch subsystems and telephones

              PSTN switch:
                       Used in public sector
                       Scales to n * 100,000 phones
                       Mostly digital
                       Uses 64-kbps circuits
                       Uses open-standard protocols between switches and phones
                       Interconnects with other PSTN switches, PBXs, and telephones




                 Example: PBXs and PSTN Switches




                 PBX Features




                          PBX features:
                           – Call holding
                           – Transferring
                           – Forwarding
                           – Parking
                           – Conferencing
                           – Music on hold
                           – Call history
                           – Voice mail
                          A PBX can connect to the PSTN through T1 or E1.

                 PSTN Switch




                 Local Loops, Trunks, and Interoffice
                 Communications




                 Foreign Exchange Trunks

        Foreign Exchange Office (FXO):
                 Emulates a phone
                 Connects to a station port of a PBX or to the PSTN switch
        Foreign Exchange Station (FXS):
                 Emulates a PBX
                 Provides connections for standard phones and fax machines




                 Basic Telephony Signaling

            Local-loop signaling:
                     Telephone to switch
            Trunk signaling:
                     Switch to switch
                     PBX to switch
                     PBX to PBX

               Basic categories:
                     Supervision signaling
                     Address signaling
                     Informational signaling




                 Analog Signaling on a PBX
                  Local-loop signaling:
                           Loop start:
                             – The simplest
                             – For subscriber loops
                             – Occurrences of glare
                           Ground start:
                             – Modification of loop start
                             – More intelligent
                             – For PBX loops
                             – Minimizes glare
                  Trunk signaling:
                           E&M (recEive and transMit):
                             – Between PBXs
                             – Five types of signaling
                             – Separate paths for voice and signaling








                 CAS and CCS Signaling

        Channel associated signaling:
                 Signal for call setup in the same channel as a voice call
                 Examples:
                    – T1 or E1 signaling
                    – DTMF
        Common channel signaling:
                 Messages for call setup
                 Examples:
                    – ISDN
                    – DPNSS
                    – QSIG
                    – SS7








                 ISDN Digital Signaling

                 Channel     Capacity        Mostly Used For
                 B           64 kbps         Circuit-switched data
                 D           16/64 kbps      Signaling information








                 Q Signaling

                          Standards-based protocol for
                          inter-PBX communications
                          Enables interconnection of
                          multivendor equipment
                          Enables basic services and
                          feature transparency between
                          PBXs
                          Is interoperable with public and
                          private ISDNs
                          Does not impose any
                          restrictions on private
                          numbering plans








                 SS7 Signaling




                                Used between PSTN switches
                                Signaling implemented on a separate data network
                                Trunk channels used solely for voice transmission
                                Replaces per-trunk in-band signaling






                 PSTN Numbering Plans
                               Set of rules for routing voice calls through the PSTN
                               Based on the ITU-T recommendation E.164
                               Example: North American Numbering Plan (NANP)








                 Example Country Codes
        Country Code   Zone   Country
        1              1      Canada, United States
        1242           1      Bahamas
        1787           1      Puerto Rico
        1876           1      Jamaica
        20             2      Egypt
        212            2      Morocco
        213            2      Nigeria
        30             3      Greece
        34             3      Spain
        386            3      Slovenia
        44             4      United Kingdom
        45             4      Denmark
        51             5      Peru
        52             5      Mexico
        61             6      Australia
        63             6      Philippines
        679            6      Fiji Islands
        7              7      Kazakhstan, Russia
        81             8      Japan
        86             8      China
        886            8      Taiwan
        91             9      India
        966            9      Saudi Arabia
        995            9      Georgia







                 Example: Routing Calls Based on a
                 Numbering Plan








                 Portion of UK National Numbering Plan
                    Number Range                               Description
                    (01xxx) xxx xxx                            Trunk prefix (national long-distance calling prefix)
                    (01xxx) xxx xxx                            Geographic numbering options—area code and
                    (01x1) xxx xxxxx                           subscriber number
                    (011x) xxx xxxxx
                    (02x) xxxx xxxx
                    (01xxx[x]) xxxx[x]
                    (05x) xxxx xxxx                            Mobile phones, pagers, and personal numbering
                    (07xxx) xxxxxx                             Reserved for corporate numbering.
                    (0800) xxx xxx                             Freephone (except for mobile phone)
                    (0800) xxx xxxx
                    (0808) xxx xxxx
                    999                                        Free emergency number
                    112
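Added example (not course material): a classifier that applies the two tables above to a dialed digit string, longest-prefix matching of E.164 country codes from the country-code slide and the UK number-range templates in the slide's own x/[x] notation, with a class-of-restriction check in front of routing. The "00" international dial-out prefix, the route policy and the sample numbers are assumptions; only subsets of the tables are used.

```python
import re

# Subset of the "Example Country Codes" slide: E.164 country code -> (zone, country).
COUNTRY_CODES = {
    "1": (1, "Canada, United States"), "1242": (1, "Bahamas"),
    "1787": (1, "Puerto Rico"), "1876": (1, "Jamaica"),
    "20": (2, "Egypt"), "212": (2, "Morocco"),
    "30": (3, "Greece"), "34": (3, "Spain"), "386": (3, "Slovenia"),
    "44": (4, "United Kingdom"), "45": (4, "Denmark"),
    "51": (5, "Peru"), "52": (5, "Mexico"),
    "61": (6, "Australia"), "63": (6, "Philippines"), "679": (6, "Fiji Islands"),
    "7": (7, "Kazakhstan, Russia"),
    "81": (8, "Japan"), "86": (8, "China"), "886": (8, "Taiwan"),
    "91": (9, "India"), "966": (9, "Saudi Arabia"), "995": (9, "Georgia"),
}

# Subset of the "Portion of UK National Numbering Plan" slide, kept in the
# slide's own notation: x = one digit, [x] = optional digit, spaces and
# parentheses are formatting only.
UK_RANGES = [
    ("(01xxx) xxx xxx", "geographic"),
    ("(01x1) xxx xxxxx", "geographic"),
    ("(011x) xxx xxxxx", "geographic"),
    ("(02x) xxxx xxxx", "geographic"),
    ("(01xxx[x]) xxxx[x]", "geographic"),
    ("(0800) xxx xxx", "freephone"),
    ("(0800) xxx xxxx", "freephone"),
    ("(0808) xxx xxxx", "freephone"),
    ("999", "emergency"),
    ("112", "emergency"),
]

INTERNATIONAL_PREFIX = "00"  # assumed dial-out prefix for international calls


def template_to_regex(template):
    """Translate a slide template such as '(01xxx[x]) xxxx[x]' into an anchored regex."""
    body = re.sub(r"[\s()]", "", template)
    parts, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "[":                       # optional digits
            end = body.index("]", i)
            parts.append("(?:" + r"\d" * (end - i - 1) + ")?")
            i = end + 1
        elif ch == "x":                     # exactly one digit
            parts.append(r"\d")
            i += 1
        elif ch.isdigit():                  # literal digit
            parts.append(ch)
            i += 1
        else:
            raise ValueError("unexpected character %r in template" % ch)
    return "^" + "".join(parts) + "$"


UK_PATTERNS = [(re.compile(template_to_regex(t)), kind) for t, kind in UK_RANGES]


def match_country_code(digits):
    """Longest-prefix match against the country-code table (codes are 1-4 digits).
    Returns (country_code, zone, country, national_number) or None."""
    for length in (4, 3, 2, 1):
        code = digits[:length]
        if code in COUNTRY_CODES:
            zone, country = COUNTRY_CODES[code]
            return code, zone, country, digits[length:]
    return None


def classify(dialed):
    """Classify a dialed string. Only digits are accepted; anything else is
    rejected rather than interpreted, so routing sees exactly what was dialed."""
    if not dialed.isdigit():
        raise ValueError("dialed string must contain only digits")
    if dialed.startswith(INTERNATIONAL_PREFIX):
        hit = match_country_code(dialed[len(INTERNATIONAL_PREFIX):])
        if hit is None:
            return {"class": "unknown", "reason": "no country code match"}
        code, zone, country, national = hit
        return {"class": "international", "country_code": code, "zone": zone,
                "country": country, "national_number": national}
    for pattern, kind in UK_PATTERNS:
        if pattern.match(dialed):
            return {"class": kind}
    return {"class": "unknown", "reason": "no UK range match"}


def route_decision(dialed, allowed_classes):
    """Class-of-restriction check: route only explicitly allowed classes;
    emergency numbers are always routed, unknown numbers never are."""
    info = classify(dialed)
    if info["class"] == "emergency" or info["class"] in allowed_classes:
        return "route", info
    return "deny", info
```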







                 Summary
                          A telephone system transports analog speech over a digital
                          network.
                          PBXs and public telephone switches share many similarities,
                          but they also have differences.
                          The telephone infrastructure includes local loops and trunks.
                          In a telephony system, a signaling mechanism is required to
                          establish and disconnect telephone communications.
                          Each telephone must have a unique address based on the
                          E.164 standard.








                 Identifying Design
                 Considerations for
                 Voice Services


                 Identifying Voice Networking Considerations








                 Separate Voice and Data Networks




           Companies want to reduce
           WAN costs by integration.
           Data is the primary traffic on
           many voice networks.
           PSTN architecture is not
           flexible enough.
           PSTN cannot integrate
           voice, data, and video.





                 Example: Voice over IP








                 Example: IP Telephony








                 Introducing H.323

                          ITU-T standard
                          Describes video, audio, and data communication across
                          packet-based networks
                          Provides session setup, monitoring, and termination
                          Refers to a set of other standards:
                             – H.225 (Q.931): Call signaling
                             – H.245: Capability negotiation and media stream management








                 H.323 Components








                 Example: H.323 Components and
                 Their Interactions








                 The Importance of a Gatekeeper








                 IP Telephony Components








                 Design Goals of IP Telephony

                          To use end-to-end IP telephony between sites with IP connectivity
                          To make IP telephony widely usable
                          To lower long-distance costs
                          To make IP telephony cost-effective
                          To provide high availability of IP telephony
                          To offer lower total cost of ownership and greater flexibility
                          To enable new applications on top of IP telephony via third-party
                          software
                          To improve remote worker, agent, and work-at-home staff
                          productivity
                          To facilitate data and telephony network consolidation






                 Single-Site IP Telephony Design








                 Multisite WAN with Centralized Call
                 Processing Design








                 Multisite WAN with Distributed Call
                 Processing Design








                 Call Control and Transport Protocols
                 Voice call control functions:
                    – Q.931 call setup
                      signaling
                    – H.245 call capability
                      control
                    – RAS signaling
                    – RTP Control
                      Protocol (RTCP)
                 Voice conversation:
                    – Real-Time Transport
                      Protocol (RTP)








                 SCCP Control
               SCCP is a client-server protocol.
               SCCP clients register with Cisco Unified CallManager to receive
               their configuration information.
               Media connections between SCCP clients use RTP.








                 SIP Control
               SIP is a peer-to-peer protocol.
               SIP user agents communicate with a SIP proxy server.
               SIP phones can register with Cisco Unified CallManager.








                 MGCP Control
             MGCP is a client-server protocol.
             MGCP gateway translates between endpoints and IP phones.
             Call agents control MGCP endpoints.








                 Summary

                          Business needs are driving demand for unified voice and data
                          networks that do not run over the PSTN.
                          The H.323 standard is a foundation for audio, video, and data
                          communications across IP-based networks, including the Internet.
                          IP telephony refers to communication services and voice,
                          facsimile, and voice-messaging applications that are
                          transported via the IP network rather than the PSTN.
                          Voice communication over IP relies on control protocols such
                          as H.323, SCCP, SIP, and MGCP.








                 Identifying the
                 Requirements of
                 Voice Technologies


                 Identifying Voice Networking Considerations








                 Voice Quality Considerations
                          Examine the possible causes of packet loss
                          and delay in the initial design.
                          Use QoS mechanisms as a groundwork
                          for a high-quality voice network.








                 Fixed Network Delay Considerations
         Sources of delay:
               Propagation delay: 6 µs per km
               Serialization delay: frame length / bit rate
               Processing delay: depends on codec
                  – Coding and compression
                  – Packetization
         Solutions:
               Propagation delay: none
               Serialization delay: faster link, smaller packets
               Processing delay: hardware DSPs, coding algorithm








                 Variable Network Delay Considerations

                 Source of delay                                    Solutions
                 Queuing delay (variable packet sizes               Link fragmentation and interleaving
                 and number of packets)                             Constant delay, uncongested network
                                                                    Dejitter buffers




                 Jitter

                     Variation in the delay of received packets
                     Caused by network congestion, improper queuing,
                     or configuration errors




                 Packet Loss

                          Causes voice clipping
                          Caused by:
                             – Congested links
                             – Improper network QoS configuration
                             – Bad packet buffer management on the routers
                             – Routing problems
                          Up to 30 ms of lost voice is correctable by the DSP using interpolation
                          The loss of a single packet is correctable with no voice quality
                          degradation
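The Jitter and Packet Loss slides state the effects but not how either is measured. The following is an added example, not part of the Cisco DESGN material: it derives the RFC 3550 interarrival jitter and the loss statistics of a VoIP stream from RTP sequence numbers, RTP timestamps and local arrival times, then rates the stream against the thresholds the slide gives (a single lost packet is correctable; up to 30 ms of lost audio can be concealed by DSP interpolation). The 8 kHz RTP clock, the 20 ms packetization interval and all packets are constructed assumptions.

```python
"""Added example, not part of the Cisco DESGN material: measure jitter and
packet loss on a VoIP stream from its RTP headers, then rate the result
against the limits the slides give (single-packet loss is correctable; up to
30 ms of lost audio can be concealed by DSP interpolation).
All packets below are constructed sample data."""

from dataclasses import dataclass
from typing import List, Tuple

RTP_CLOCK_HZ = 8000   # narrowband sample clock used by G.711 and G.729 (assumption)
PTIME_MS = 20         # packetization interval of the sample stream (assumption)


@dataclass
class RtpPacket:
    seq: int           # 16-bit RTP sequence number
    timestamp: int     # RTP timestamp, in RTP_CLOCK_HZ ticks
    arrival_ms: float  # local receive time in milliseconds


def interarrival_jitter_ms(packets: List[RtpPacket]) -> float:
    """RFC 3550 section 6.4.1 interarrival jitter estimator, in milliseconds.

    D(i,j) = (Rj - Ri) - (Sj - Si); J = J + (|D| - J) / 16.
    Send times come from the RTP timestamp, receive times from arrival_ms.
    """
    jitter = 0.0
    prev = None
    for pkt in packets:
        if prev is not None:
            send_delta = (pkt.timestamp - prev.timestamp) * 1000.0 / RTP_CLOCK_HZ
            recv_delta = pkt.arrival_ms - prev.arrival_ms
            d = recv_delta - send_delta
            jitter += (abs(d) - jitter) / 16.0
        prev = pkt
    return jitter


def loss_stats(packets: List[RtpPacket]) -> Tuple[int, int]:
    """Return (packets lost, longest run of consecutive losses) from sequence gaps."""
    lost = 0
    longest_run = 0
    prev_seq = None
    for pkt in packets:
        if prev_seq is not None:
            gap = (pkt.seq - prev_seq) & 0xFFFF   # modular: survives 16-bit wraparound
            run = gap - 1 if gap > 0 else 0       # gap == 0 is a duplicate, not a loss
            lost += run
            longest_run = max(longest_run, run)
        prev_seq = pkt.seq
    return lost, longest_run


def assess(packets: List[RtpPacket]) -> dict:
    """Apply the slide's loss thresholds to a captured stream."""
    lost, run = loss_stats(packets)
    lost_audio_ms = run * PTIME_MS
    if run == 0:
        verdict = "no loss"
    elif run == 1:
        verdict = "single-packet loss: correctable with no voice quality degradation"
    elif lost_audio_ms <= 30:
        verdict = "loss within 30 ms: DSP interpolation can conceal it"
    else:
        verdict = "loss exceeds 30 ms: audible clipping expected"
    return {
        "jitter_ms": interarrival_jitter_ms(packets),
        "lost_packets": lost,
        "longest_loss_run": run,
        "lost_audio_ms": lost_audio_ms,
        "verdict": verdict,
    }


# Constructed samples: 20 ms packets, 160 ticks apart. The first has one
# packet arriving 5 ms late, the second loses sequence number 4, the third
# loses two packets in a row (40 ms of audio) across the 16-bit sequence wrap.
SAMPLE_JITTER = [RtpPacket(s, 160 * s, t)
                 for s, t in zip(range(1, 7), [0, 20, 40, 65, 80, 100])]
SAMPLE_ONE_LOST = [RtpPacket(s, 160 * s, 20 * (s - 1)) for s in (1, 2, 3, 5, 6)]
SAMPLE_CLIPPED = [RtpPacket(s & 0xFFFF, 160 * s, 20 * (s - 65534))
                  for s in (65534, 65535, 65536, 65539, 65540)]

if __name__ == "__main__":
    for name, sample in (("jitter", SAMPLE_JITTER), ("one lost", SAMPLE_ONE_LOST),
                         ("clipped", SAMPLE_CLIPPED)):
        print(name, assess(sample))
```

The jitter estimator is the one RTCP receiver reports carry, so the figures it produces can be compared directly with what the phones and gateways report; the loss run length, not the total, decides whether concealment can hide the gap.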




                 Problem of Echo




                 Echo Cancellers
                 Reduce the Level of Echo




                 Voice Coding and Compression
                        The quality of transmitted speech is a subjective listener response.
                        MOS is a common benchmark to define sound quality.
                        MOS scales from 1 (bad) to 5 (excellent).

                 Codec            ITU Standard     Data Rate*           MOS Score
                 PCM              G.711            64 kbps              4.1
                 ADPCM            G.726/G.727      16/24/32/40 kbps     3.85 or less
                 LD-CELP          G.728            16 kbps              3.61
                 CS-ACELP         G.729            8 kbps               3.92
                 ACELP/MPMLQ      G.723.1          6.3/5.3 kbps         3.9/3.65

                 *Note: Data rates shown are for digitized speech only and do
                  not include overhead of RTP, UDP, IP, and Layer 2 headers.


                 Example: Codec Complexity and Calls per DSP
                 on the Cisco AS54-PVDM2-64 Module


                 Low Complexity          Medium Complexity            High Complexity
                 (Maximum 64 Calls)      (Maximum 32 Calls)           (Maximum 24 Calls)
                 G.711 a-law             G.729a                       G.723.1: 5.3K and 6.3K
                 G.711 mu-law            G.729ab                      G.723.1A: 5.3K and 6.3K
                 Fax passthrough         G.726: 16K, 24K, and 32K     G.728
                 Modem passthrough       T.38 fax relay               Modem relay
                 Clear-channel codec     Cisco Fax Relay              AMR-NB: 4.75K, 5.15K, 5.9K, 6.7K,
                                                                      7.4K, 7.95K, 10.2K, 12.2K, and
                                                                      silence insertion descriptor




                 Bandwidth Availability

                          Goal: Reduce the amount of traffic per voice call
                          Solutions:
                             – Use an effective voice coding and compression mechanism.
                             – Compress IP headers by using compressed Real-Time
                               Transport Protocol.
                             – Suppress packets of silence by using voice activity detection.




                 Calculating Voice Bandwidth

                          Voice packet size = (Layer 2 header) + (IP/UDP/RTP header) +
                          voice payload
                          Voice packets per second (pps) = (codec bit rate) / (voice payload
                          size)
                          Bandwidth = (voice packet size) * (pps)
                          Example for a G.729 call with 8-kbps codec bit rate, cRTP, and a
                          20-byte voice payload:
                             – Voice packet size = 6 bytes + 2 bytes + 20 bytes = 28 bytes
                             – Voice packet size = 28 bytes * 8 bits/byte = 224 bits
                             – Voice pps = 8000 bits/sec / 160 bits/packet = 50 pps
                             – Bandwidth = 224 bits * 50 pps = 11.2 kbps


                 Example: Voice Codec Bandwidth
                 Calculator for G.729 Codec




                 Voice Bandwidth and Codec Standards
                 Codec (bit rate)        Payload Size   Bandwidth   Bandwidth with   Calls on a 512-kbps Link
                                         (bytes)        (kbps)      cRTP (kbps)      (without cRTP / with cRTP)
                 G.711 (64 kbps)         160            83          68               6 / 7
                 G.726 (32 kbps)         60             57          36               8 / 14
                 G.726 (24 kbps)         40             52          29               9 / 17
                 G.728 (16 kbps)         40             35          19               14 / 26
                 G.729 (8 kbps)          20             26          11               19 / 46
                 G.723.1 (6.3 kbps)      24             18          8                28 / 64
                 G.723.1 (5.3 kbps)      20             17          7                30 / 73
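The Calculating Voice Bandwidth slide works one case by hand and the table above lists the results for several codecs. The following is an added example, not Cisco's bandwidth calculator: it applies the three slide formulas (packet size, packets per second, bandwidth) to any codec, with and without cRTP, and derives how many calls a link carries. The header sizes are the ones the slide example uses (40 bytes IP/UDP/RTP, 2 bytes with cRTP, 6 bytes of Layer 2 overhead, assumed here to be PPP); the codec bit rates and payload sizes come from the table. Because the table's per-call rates are rounded to whole kbps, a calls-per-link count computed from the exact rate can differ from the table by one.

```python
"""Added example, not Cisco's bandwidth calculator: apply the slide's formulas
(packet size, packets per second, bandwidth) to any codec, with or without
cRTP, and derive how many calls fit on a link. Header sizes are the ones the
slide assumes: 40 bytes IP/UDP/RTP, 2 bytes with cRTP, 6 bytes Layer 2."""

from dataclasses import dataclass
from typing import List

IP_UDP_RTP_BYTES = 40   # IPv4 (20) + UDP (8) + RTP (12)
CRTP_BYTES = 2          # compressed RTP/UDP/IP header, as in the slide example
L2_BYTES = 6            # Layer 2 overhead used in the slide example (assumption: PPP)


@dataclass
class Codec:
    name: str
    bit_rate_kbps: float
    payload_bytes: int   # voice payload carried per packet


def voice_pps(codec: Codec) -> float:
    """Packets per second = codec bit rate / voice payload size (in bits)."""
    return codec.bit_rate_kbps * 1000.0 / (codec.payload_bytes * 8)


def voice_packet_bits(codec: Codec, crtp: bool = False, l2_bytes: int = L2_BYTES) -> int:
    """Packet size = Layer 2 header + IP/UDP/RTP (or cRTP) header + voice payload."""
    ip_bytes = CRTP_BYTES if crtp else IP_UDP_RTP_BYTES
    return (l2_bytes + ip_bytes + codec.payload_bytes) * 8


def call_bandwidth_kbps(codec: Codec, crtp: bool = False, l2_bytes: int = L2_BYTES) -> float:
    """Bandwidth = voice packet size * packets per second, in kbps."""
    return voice_packet_bits(codec, crtp, l2_bytes) * voice_pps(codec) / 1000.0


def calls_on_link(link_kbps: float, per_call_kbps: float) -> int:
    """Whole calls that fit when every call needs per_call_kbps."""
    return int(link_kbps // per_call_kbps)


# Bit rates and payload sizes from the slide table; the rest is recomputed.
SLIDE_CODECS = [
    Codec("G.711", 64, 160), Codec("G.726", 32, 60), Codec("G.726", 24, 40),
    Codec("G.728", 16, 40), Codec("G.729", 8, 20), Codec("G.723.1", 6.3, 24),
    Codec("G.723.1", 5.3, 20),
]


def codec_table(link_kbps: float = 512) -> List[dict]:
    """Rebuild the slide table from the formulas for a link of link_kbps."""
    rows = []
    for c in SLIDE_CODECS:
        plain = call_bandwidth_kbps(c)
        compressed = call_bandwidth_kbps(c, crtp=True)
        rows.append({"codec": f"{c.name} ({c.bit_rate_kbps:g} kbps)",
                     "payload_bytes": c.payload_bytes,
                     "kbps": round(plain, 1), "kbps_crtp": round(compressed, 1),
                     "calls": calls_on_link(link_kbps, plain),
                     "calls_crtp": calls_on_link(link_kbps, compressed)})
    return rows


if __name__ == "__main__":
    for row in codec_table():
        print(row)
```

The Layer 2 overhead is a parameter because it is the one input that changes from link to link (Frame Relay, Ethernet and PPP all differ), and it is the usual reason a provisioning estimate made for one WAN type comes out wrong on another.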




                 Enterprise QoS Mechanisms for Voice

                          Traffic classification
                          Queuing or scheduling
                          Bandwidth provisioning and call admission control




                 Access Layer QoS Mechanisms for Voice

                          802.1Q trunking and 802.1p
                          Multiple egress queues
                          Traffic classification and network trust boundary
                          Layer 3 awareness and the ability to implement QoS access
                          control lists




                 Recommended Practice: Separate Voice
                 and Data VLANs

                          Voice device protection from external networks
                          QoS trust boundary extension to voice devices
                          Protection from malicious network attacks
                          Ease of management and configuration




                 Example: QoS Networking Mechanisms




                 Example: Low Latency Queuing




                 QoS Consideration for Voice in the WAN

                 WAN QoS mechanisms:
                          Bandwidth provisioning
                          Traffic classification
                          Queuing and scheduling
                          Traffic shaping
                          Link efficiency techniques
                          Call admission control




                 Call Admission Control

                          Protects voice traffic from being negatively affected by other
                          voice traffic
                          Keeps excess voice traffic off the network
                          Reroutes excess voice traffic in the following scenarios:
                             – Call rerouted via an alternate packet
                               network path
                             – Call rerouted via the PSTN network path
                             – Call returned to the originating TDM switch with the reject
                               cause code




                 Example: Call Admission Control

                 [Figure: VoIP network without CAC]
                 [Figure: VoIP network with CAC]




                 Implementing CAC with RSVP

                          RSVP is an industry-standard signaling protocol that enables an
                          application to reserve bandwidth dynamically.
                          RSVP signaling messages are exchanged between the source
                          and destination devices.
                          RSVP process interacts with the QoS manager on router
                          interfaces to "reserve" bandwidth resources.
                          Calls are admitted or rejected based on the outcome of the RSVP
                          reservations.
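The Call Admission Control, Example: Call Admission Control and Implementing CAC with RSVP slides describe the decision but show no mechanism. The following is an added example, not Cisco's implementation and not RSVP itself: a bandwidth-budget admission decision for a WAN link that produces the four outcomes the slides list (admit, reroute over an alternate packet path, reroute over the PSTN, or return the call to the originating TDM switch with a reject cause code), plus the load figure for the "without CAC" case, where every call on the link degrades once the budget is exceeded. Link names, budgets and call ids are constructed; the 26 kbps per G.729 call is the slide table's figure without cRTP.

```python
"""Added example, not Cisco's implementation: a bandwidth-budget call
admission control (CAC) decision for a WAN link, modelling the outcomes the
slides list: admit, reroute over an alternate packet path, reroute over the
PSTN, or return the call to the originating TDM switch with a reject cause
code. Link budgets, call ids and per-call rates are constructed values; the
26 kbps per G.729 call is the slide table's figure without cRTP."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VoiceLink:
    name: str
    voice_budget_kbps: float   # bandwidth reserved for voice, e.g. the LLQ priority queue
    calls: Dict[str, float] = field(default_factory=dict)   # call id -> reserved kbps

    def reserved_kbps(self) -> float:
        return sum(self.calls.values())

    def can_admit(self, kbps: float) -> bool:
        return self.reserved_kbps() + kbps <= self.voice_budget_kbps

    def admit(self, call_id: str, kbps: float) -> None:
        self.calls[call_id] = kbps

    def release(self, call_id: str) -> None:
        self.calls.pop(call_id, None)


class CallAdmissionControl:
    """Admit a call only where a path has room; otherwise keep it off the IP network."""

    def __init__(self, primary: VoiceLink, alternates: Optional[List[VoiceLink]] = None,
                 pstn_available: bool = True):
        self.primary = primary
        self.alternates = alternates or []
        self.pstn_available = pstn_available

    def place_call(self, call_id: str, kbps: float) -> Tuple[str, str]:
        for link in [self.primary] + self.alternates:
            if link.can_admit(kbps):
                link.admit(call_id, kbps)
                outcome = "admitted" if link is self.primary else "rerouted-alternate-path"
                return outcome, link.name
        if self.pstn_available:
            return "rerouted-pstn", "PSTN"
        return "rejected", "reject cause code to originating TDM switch"

    def end_call(self, call_id: str) -> None:
        for link in [self.primary] + self.alternates:
            link.release(call_id)


def without_cac(voice_budget_kbps: float, per_call_kbps: float, offered_calls: int) -> Tuple[float, float]:
    """Offered voice load and the overload above the budget when nothing refuses calls.
    Any overload degrades every call on the link, not only the last one placed."""
    offered = per_call_kbps * offered_calls
    return offered, max(0.0, offered - voice_budget_kbps)


G729_KBPS = 26.0   # per-call rate without cRTP, from the slide table


def demo() -> List[Tuple[str, str]]:
    """19 G.729 calls fit in a 512 kbps budget; the 20th and 21st go to a 52 kbps
    alternate path, the 22nd to the PSTN, and once a call ends the next is admitted."""
    wan = VoiceLink("wan-primary", 512)
    backup = VoiceLink("wan-backup", 52)
    cac = CallAdmissionControl(wan, [backup])
    results = [cac.place_call(f"call-{n}", G729_KBPS) for n in range(1, 23)]
    cac.end_call("call-1")
    results.append(cac.place_call("call-23", G729_KBPS))
    return results


if __name__ == "__main__":
    for n, result in enumerate(demo(), 1):
        print(n, result)
    print("without CAC, 20 calls:", without_cac(512, G729_KBPS, 20))
```

The budget is what matters for the LLQ priority queue on the same link: the admission limit and the priority-queue bandwidth should be sized from the same per-call figure, otherwise calls are admitted that the queue then polices.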




                 Traffic Engineering Terms

                          Grade of service
                          Erlang
                          Centum call seconds
                          Busy hour
                          Busy hour traffic
                          Blocking probability
                          Call Detail Record




                 Erlang Tables

                          Show erlangs of offered traffic, number of circuits, and grade
                          of service
                          Three common erlang tables:
                             – Erlang B assumes that calls receiving a busy signal are
                               immediately cleared.
                             – Extended Erlang B assumes that a certain percentage of calls
                               receiving a busy signal are redialed.
                             – Erlang C assumes that blocked calls are queued.




                 Example: Erlang B Table

                 Number of erlangs decreases with the decreased blocking probability.
                 Number of erlangs increases with the number of simultaneous connections.

                 Busy hour traffic (BHT) in erlangs, by number of circuits and blocking probability:

                 Number of Circuits    .003     .005     .01      .02      .03      .05
                 1                     .003     .006     .011     .021     .031     .053
                 2                     .081     .106     .153     .224     .282     .382
                 3                     .289     .349     .456     .603     .716     .900
                 4                     .602     .702     .870     1.093    1.259    1.525
                 5                     .996     1.132    1.361    1.658    1.876    2.219
                 6                     1.447    1.822    1.900    2.278    2.543    2.961
                 7                     1.947    2.158    2.501    2.936    3.250    3.738
                 8                     2.484    2.730    3.128    3.627    3.987    4.543
                 9                     3.053    3.333    3.783    4.345    4.748    5.371
                 10                    3.648    3.961    4.462    5.084    5.530    6.216
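The Erlang Tables slide names the three models and the table above gives Erlang B values for up to ten circuits. The following is an added example, not from the Cisco material: it computes Erlang B (blocked calls cleared) from the formula instead of a lookup, so any table entry can be recomputed, and it answers the two questions a designer actually asks: how much busy hour traffic a circuit group carries at a target grade of service, and how many circuits a given BHT needs. The recursion, the bisection and the grade-of-service columns are the example's own choices.

```python
"""Added example, not from the Cisco material: compute Erlang B (blocked calls
cleared) figures instead of reading them from a table: blocking probability
for a given load and circuit count, the busy hour traffic a circuit group can
carry at a target grade of service, and the circuits needed for a given BHT.
Offered traffic is in erlangs, as in the slide's table."""

from typing import List


def erlang_b(circuits: int, offered_erlangs: float) -> float:
    """Blocking probability P(N, A) via the numerically stable recursion
    B(0) = 1, B(k) = A*B(k-1) / (k + A*B(k-1))."""
    if offered_erlangs < 0 or circuits < 0:
        raise ValueError("circuits and offered traffic must be non-negative")
    b = 1.0
    for k in range(1, circuits + 1):
        b = offered_erlangs * b / (k + offered_erlangs * b)
    return b


def offered_traffic(circuits: int, grade_of_service: float) -> float:
    """Largest offered load (erlangs) whose blocking does not exceed the GoS.
    Blocking rises monotonically with load, so bisection converges."""
    lo, hi = 0.0, 2.0 * max(circuits, 1)   # B(N, 2N) is far above any usable GoS
    for _ in range(200):
        mid = (lo + hi) / 2
        if erlang_b(circuits, mid) <= grade_of_service:
            lo = mid
        else:
            hi = mid
    return lo


def circuits_required(busy_hour_traffic: float, grade_of_service: float) -> int:
    """Smallest circuit count that carries the BHT at the target GoS."""
    n = 0
    while erlang_b(n, busy_hour_traffic) > grade_of_service:
        n += 1
    return n


GOS_COLUMNS = [0.003, 0.005, 0.01, 0.02, 0.03, 0.05]   # the slide table's columns


def table_row(circuits: int, gos_columns: List[float] = GOS_COLUMNS) -> List[float]:
    """One row of the slide's Erlang B table, rounded to three decimals."""
    return [round(offered_traffic(circuits, gos), 3) for gos in gos_columns]


if __name__ == "__main__":
    for n in range(1, 11):
        print(n, table_row(n))
    print("circuits for 5 erlangs at 1% blocking:", circuits_required(5.0, 0.01))
```

Erlang B is the right model only when a blocked caller goes away; where callers redial (Extended Erlang B) or wait in a queue (Erlang C) the same BHT needs more trunks, so the model chosen should match how the PSTN gateway or contact centre actually treats a blocked call.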

                 Summary
                          Voice quality in an IP network is directly affected by delay, jitter,
                          and packet loss.
                          An echo is the audible leak of the voice of the caller into the
                          receive (return) path.
                          Voice communication over IP relies on voice that is coded and
                          encapsulated into IP packets.
                          A primary WAN issue when network designers are designing
                          voice on IP networks is bandwidth availability.
                          QoS mechanisms are important for networks that carry voice.
                          Traffic engineering is a science of selecting the right number of
                          lines and the proper types of service to accommodate users.




                 Integrating Voice in the Network Design

                          Define the requirements for voice services.
                          Select an IP telephony design model based on the requirements.
                          Implement voice support in the infrastructure:
                             – Select appropriate call control and transport protocols.
                             – Select appropriate coding and compression mechanisms.
                             – Provision needed bandwidth.
                             – Deploy VoIP components.
                             – Implement end-to-end QoS.




                 Module Summary

                          New IP telephony solutions must integrate into existing
                          environments and provide similar functionality.
                          Business needs are driving demand for unified networks that
                          support unified communications.
                          There are many issues that affect voice traffic, such as delay,
                          jitter, packet loss, congestion, and slow-speed links. Compression
                          techniques, LFI, and QoS mechanisms can alleviate many of
                          these issues.




                 Identifying Wireless
                 Networking
                 Considerations


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0




                 Introducing the
                 Cisco Unified
                 Wireless Network


                 Identifying Wireless Networking Considerations




                 Wireless LAN Background

                          WLANs provide network connectivity over radio waves.
                          Wireless stations connect to wireless access points.
                          Access points connect to the wired network.
                             – Access points were traditionally autonomous.
                             – Scaling the design and adding applications was challenging.




                 Cisco Unified Wireless Network
                 Elements

                          Intelligent information network elements:
                             – Mobility services
                             – Network management
                             – Network unification
                             – Access points
                             – Client devices



                 Cisco Unified Wireless Network—
                 Split-MAC Operation

                 Access point MAC functions:
                          802.11: Beacons, probe response
                          802.11 control: Packet acknowledgment and transmission
                          802.11e: Frame queuing and packet prioritization
                          802.11i: MAC layer data encryption and decryption

                 Controller MAC functions:
                          802.11 MAC management: Association requests and actions
                          802.11e: Resource reservation
                          802.11i: Authentication and key management




                 LWAPP Fundamentals

                          LWAPP is an IETF draft specification.
                          Access points communicate with a WLC using LWAPP:
                             – LWAPP control messages are exchanged between
                               a WLC and access points.
                             – LWAPP data messages encapsulate data frames.
                          LWAPP tunnel can be Layer 2 or Layer 3.
                          One WLC can manage multiple access points.
                             – The WLC supplies configuration and firmware updates
                               to access points.








                 Example: Layer 2 LWAPP Architecture




                                              Access points do not require IP addressing.
                                              Controllers need to be on every subnet on which
                                              access points reside.
                                              Layer 2 LWAPP was an early part of the architecture;
                                              many current products do not support this functionality.





                 Example: Layer 3 LWAPP Architecture




                                              Access points require IP addressing.
                                              Access points can communicate with a WLC
                                              across routed boundaries.
                                              Layer 3 LWAPP is more flexible than Layer 2 LWAPP;
                                              most current products support this LWAPP mode.





                 Access Point Modes
                       Local mode is the default mode of operation.
                       REAP mode enables a remote access point across a WAN link
                       to communicate with the WLC.
                       Rogue detector mode allows the access point to monitor rogue
                       access points but cannot contain rogue access points.
                       Monitor mode allows the access points to act as dedicated
                       sensors for IDS and supports deauthentication capability.
                       Sniffer mode functions as a network sniffer and captures and
                       forwards all the packets on a particular channel to a remote
                       machine that runs AiroPeek.
                       Bridge mode allows the Cisco Aironet 1030 (indoor) and 1500
                       (outdoor mesh) access points to support point-to-point and
                       point-to-multipoint bridging.







                 Wireless Infrastructure
     • Autonomous access point
       is an 802.1Q translational
       bridge.
     • WLAN controller bridges
       client traffic centrally.








                 Wireless Authentication








                 Example: Supported EAP Types
                      EAP-Transport Layer Security (EAP-TLS)
                         – Mutual client and server authentication using digital certificates
                      EAP-Protected EAP (EAP-PEAP)
                         – Authentication of RADIUS server in TLS using digital certificate
                         – Authentication of client using EAP-GTC or EAP-MSCHAPv2
                      EAP Tunneled Transport Layer Security (EAP-TTLS)
                         – Authentication of RADIUS server in TLS using server certificate
                         – Authentication of client using username and password
                      Cisco LEAP
                         – Early EAP method supported in Cisco Compatible Extensions
                      Cisco EAP-FAST
                         – Three-phase EAP method supported in Cisco Compatible Extensions








                 Important WLAN Controller Components
                 Three important components to understand:
                          Port—Physical connection to a neighbor switch or router
                          Interface—Logical connection mapping to a VLAN on the wired
                          network
                          WLAN—Logical entity that maps an SSID to an interface at the
                          controller, along with security, QoS, radio policies, and other
                          wireless networking parameters








                 Summary of WLC Interfaces
                          Management interface—Is used for in-band management,
                          connectivity to AAA and other enterprise services, and for Layer 2
                          access point auto discovery and association
                          AP-manager interface—Is the source IP address used for access
                          point-to-controller communication and Layer 3 access point
                          autodiscovery and association
                          Dynamic interface—Is designated for WLAN client data and
                          analogous to a VLAN
                          Virtual interface—Supports DHCP relay, Layer 3 security
                          authentication, and mobility management
                          Service-port interface—Provides out-of-band management of the
                          controller








                 Example: WLANs, Interfaces, and Ports








                 Cisco Wireless LAN Controller Platforms

                 Platform                                                  Number of Access Points Supported
                 Cisco 2000 Series Wireless LAN Controller                 6
                 Cisco Wireless LAN Controller Module for ISRs             6
                 Cisco Catalyst 3750G Integrated Wireless LAN Controller   Up to 50
                 Cisco 4400 Series Wireless LAN Controller                 Up to 100
                 Cisco Catalyst 6500 Series Wireless Services Module       Up to 300

                 Note: The number of access points supported may change as products
                 are updated. Check www.cisco.com for the latest information.






                 Access Point Scalability Considerations

                          4400x series controllers allow 48 access points per port in the
                          absence of link aggregation.
                          Two options for scaling are:
                             – Multiple AP manager interfaces (supported only on 4400x
                               appliance controllers).
                             – Link aggregation (supported on 4400x appliances, Cisco
                               WiSM, Cisco 3750G Integrated Wireless LAN Controller).
                          With multiple AP manager interfaces, the LWAPP algorithm
                          load-balances access points across the AP manager interfaces.
                          With LAG, one AP manager interface load-balances traffic
                          across an EtherChannel interface.








                 Example: Multiple AP Manager Interfaces

          Each AP manager interface is mapped to a physical port.
          Access point load is dynamically distributed.
          Redundancy advantage: Platform can be connected to multiple devices.
          Redundancy concern: Only 48 access points are supported per port.








                 Example: LAG with a Single AP Manager
                 Interface

         One LAG group per Cisco
         Wireless LAN Controller
         is supported.
         Packets are forwarded out
         the same port they arrived
         on.
         It is recommended that
         you use LAG if possible.








                 Summary

                          The Cisco Unified Wireless Network architecture centralizes
                          WLAN configuration and control on Cisco Wireless LAN
                          Controllers.
                          Cisco Wireless LAN Controllers manage access points using
                          LWAPP.
                          The Cisco Unified Wireless Network is based on devices
                          connecting to access points using RF signals, access points
                          sending client traffic to controllers across an LWAPP tunnel, and
                          Cisco Wireless LAN Controllers placing the traffic in the
                          appropriate VLAN in the wired network.
                          Cisco Wireless LAN Controller components include ports
                          (physical connections), interfaces (logical mappings to a VLAN),
                          and WLANs (logical mappings of an SSID to an interface).
                          Cisco Wireless LAN Controller platforms can support 6 to 300
                          access points.









                 Understanding Wireless
                 Network Controller
                 Technology


                 Identifying Wireless Networking Considerations








                 LWAPP Discovery




                     1. The access point issues a DHCPDISCOVER
                        to get an IP address.
                     2. If the access point supports Layer 2 LWAPP,
                        attempt Layer 2 discovery.
                     3. Else, attempt Layer 3 LWAPP discovery.
                     4. If no WLC response, then access point reboots
                        and returns to Step 1.




                 Layer 3 LWAPP Discovery Algorithm

                              Access point sends Layer 3 LWAPP discovery requests:
                             1. As broadcasts on local subnet
                             2. As unicast LWAPP discovery requests to WLC IP addresses
                                advertised by other access points, if OTAP enabled on the
                                WLCs
                             3. To all previously stored WLC IP addresses
                             4. To IP addresses learned through DHCP Option 43
                             5. To IP addresses learned through DNS resolution of
                                CISCO-LWAPP-CONTROLLER.localdomain
                              WLCs receiving the discovery message reply with a unicast
                              LWAPP discovery response message.
                              Access point compiles a list of candidate controllers.






                 WLC Selection Algorithm

                              LWAPP discovery and selection mechanism is a design
                              decision.
                              LWAPP discovery response contains WLC information.
                              After the LWAPP discovery interval timer, the access point
                              selects a WLC to send an LWAPP join request based on:
                                     1. Previously configured primary, secondary, or tertiary
                                        WLCs (specified in the controller sysName)
                                     2. WLC configured as a master controller
                                     3. WLC with the greatest capacity for access point
                                        associations
                              The WLC validates the access point and sends an
                              LWAPP join response. An encryption key is derived, and future
                              messages are encrypted.
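The discovery and selection steps on the three preceding slides (DHCP, Layer 3 discovery sources, candidate list, join selection order) as an added, runnable model; this is example code written for this page, not code from the DESGN course or from Cisco. The field names (sys_name, max_aps, joined_aps) and the reading of "greatest capacity" as the most spare access-point slots are assumptions.

```python
"""Added example (not Cisco's code): an access point compiles candidate WLCs from
Layer 3 LWAPP discovery responses and then picks the controller to send its
join request to, in the order the slides give: configured primary/secondary/
tertiary (by sysName), then a master controller, then greatest capacity."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class DiscoveryResponse:
    """WLC information an access point learns from an LWAPP discovery response (assumed fields)."""
    sys_name: str      # controller sysName, matched against the AP's primary/secondary/tertiary
    ip: str
    is_master: bool    # WLC configured as master controller
    max_aps: int       # platform access-point limit
    joined_aps: int    # access points already joined

    @property
    def spare_capacity(self) -> int:
        return self.max_aps - self.joined_aps


@dataclass
class AccessPoint:
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    stored_wlcs: Set[str] = field(default_factory=set)                 # previously stored WLC IPs
    candidates: Dict[str, DiscoveryResponse] = field(default_factory=dict)


def discovery_targets(ap: AccessPoint, local_broadcast: str, otap_ips: List[str],
                      dhcp_option43_ips: List[str], dns_ips: List[str]) -> List[str]:
    """Destinations for discovery requests, in the order the slide lists them:
    local broadcast, OTAP-advertised WLCs, stored WLCs, DHCP Option 43, DNS."""
    ordered = [local_broadcast, *otap_ips, *sorted(ap.stored_wlcs), *dhcp_option43_ips, *dns_ips]
    seen: Set[str] = set()
    targets: List[str] = []
    for ip in ordered:
        if ip not in seen:          # a WLC learned two ways is still asked once
            seen.add(ip)
            targets.append(ip)
    return targets


def receive_discovery_response(ap: AccessPoint, resp: DiscoveryResponse) -> None:
    """Each unicast discovery response adds a candidate and is remembered for next time."""
    ap.candidates[resp.ip] = resp
    ap.stored_wlcs.add(resp.ip)


def select_wlc(ap: AccessPoint) -> Optional[DiscoveryResponse]:
    """After the discovery interval timer expires, choose the WLC for the join request."""
    by_name = {c.sys_name: c for c in ap.candidates.values()}
    # 1. previously configured primary, secondary, or tertiary WLC (by sysName)
    for configured in (ap.primary, ap.secondary, ap.tertiary):
        if configured is not None and configured in by_name:
            return by_name[configured]
    # 2. a WLC configured as master controller
    masters = [c for c in ap.candidates.values() if c.is_master]
    if masters:
        return masters[0]
    # 3. the WLC with the greatest remaining capacity for access point associations
    if not ap.candidates:
        return None   # no WLC answered: the AP reboots and starts over at DHCP
    return max(ap.candidates.values(), key=lambda c: c.spare_capacity)


# Constructed discovery responses for a walk-through (not real controllers).
RESPONSES = [
    DiscoveryResponse("WLC-BRANCH-1", "10.10.0.5", is_master=True, max_aps=6, joined_aps=4),
    DiscoveryResponse("WLC-HQ-2", "10.20.0.10", is_master=False, max_aps=300, joined_aps=20),
    DiscoveryResponse("WLC-HQ-3", "10.20.0.11", is_master=False, max_aps=100, joined_aps=95),
]


def run_join_scenario(primary: Optional[str], responses=RESPONSES,
                      ignore_master: bool = False) -> Optional[str]:
    """Run discovery for one AP and return the sysName of the WLC it would join."""
    ap = AccessPoint(primary=primary)
    for r in responses:
        if ignore_master:   # variant of the scenario with no master controller configured
            r = DiscoveryResponse(r.sys_name, r.ip, False, r.max_aps, r.joined_aps)
        receive_discovery_response(ap, r)
    chosen = select_wlc(ap)
    return chosen.sys_name if chosen else None


if __name__ == "__main__":
    print(run_join_scenario("WLC-HQ-3"))               # configured primary wins even though nearly full
    print(run_join_scenario("WLC-HQ-1"))               # primary absent: master controller is chosen
    print(run_join_scenario(None, ignore_master=True))  # no master: most spare capacity
```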





                 Access Point Operations

                          Access point downloads firmware from the WLC if its code version
                          does not match the WLC.
                          WLC provisions access point with the SSID, security, QoS, and
                          other parameters.
                          WLC periodically queries access points for status.
                          Access point periodically sends an LWAPP heartbeat (every 30
                          seconds):
                             – If heartbeat is not acknowledged, the access point resends.
                             – If heartbeat is not acknowledged in five attempts, access point
                               looks for a new WLC.








                 WLC Deployment Considerations

                          Mobility
                          Radio management
                          Redundancy and load balancing
                          Scaling
                          IP addressing








                 Mobility Defined

                          Mobility is a key reason for wireless networks.
                          Mobility means the end-user device is capable of moving to a new
                          location.
                          Roaming occurs when a wireless client moves association from
                          one access point and reassociates to another.
                          Mobility presents new challenges:
                             – Need to scale the architecture to support client roaming—
                               roaming can occur intracontroller and intercontroller.
                             – Depending on the application, may need to support
                               Layer 2 or Layer 3 roaming.
                             – Need to support client roaming that is seamless (fast) and
                               preserves security.






                 Intracontroller Roaming
                          Intracontroller roaming occurs when a client moves association to
                          another access point joined to the same WLC.
                          Client may need to be reauthenticated and a new security session
                          established.
                          Controller updates client database entry with new access point and
                          appropriate security context.
                          No IP address refresh is needed.








                 Intercontroller Roaming—Layer 2




                          Traffic on same IP subnet
                          Client database entry moved to new WLC
                          Reauthenticated and new security session established as needed
                          No IP address refresh needed




                 Intercontroller Roaming—Layer 3




                          Original WLC tagged as “anchor”
                          Client database entry copied to new WLC, tagged as “foreign”
                          New WLC uses different subnet; client IP address does not change
                          Asymmetric traffic path
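The three roaming cases on the preceding slides (intracontroller, intercontroller Layer 2, intercontroller Layer 3 with anchor and foreign entries) as an added toy client database; this is example code written for this page, not code from the DESGN course or from Cisco. Testing "same IP subnet" against the new WLC's client subnet, and moving only the foreign copy on a second Layer 3 roam, are assumptions.

```python
"""Added example (not Cisco's code): a client database that applies the roaming
cases described on the slides. Intracontroller: entry updated in place. Layer 2
intercontroller: client IP stays on the same subnet, entry moved to the new WLC.
Layer 3 intercontroller: entry copied, original tagged anchor, copy tagged
foreign, client IP unchanged."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ClientEntry:
    mac: str
    ip: str
    ap: str
    security_session: int          # bumped when a new security session is established
    role: Optional[str] = None     # None, "anchor" or "foreign"


@dataclass
class WLC:
    name: str
    client_subnet: ipaddress.IPv4Network      # subnet of the dynamic interface serving the WLAN
    clients: Dict[str, ClientEntry] = field(default_factory=dict)


@dataclass
class AP:
    name: str
    wlc: WLC


class MobilityDomain:
    """All WLCs that peer with one another (a mobility group in the slides' terms)."""

    def __init__(self, *wlcs: WLC) -> None:
        self.wlcs = {w.name: w for w in wlcs}

    def owner_of(self, mac: str) -> WLC:
        """The controller currently serving the client (holds the non-anchor entry)."""
        for w in self.wlcs.values():
            e = w.clients.get(mac)
            if e is not None and e.role != "anchor":
                return w
        raise KeyError(mac)

    def roam(self, mac: str, new_ap: AP, reauth: bool = False) -> str:
        """Move the client's association to new_ap and return which roaming case applied."""
        old_wlc = self.owner_of(mac)
        entry = old_wlc.clients[mac]
        new_wlc = new_ap.wlc
        # reauthentication and a new security session happen "as needed" in every case
        session = entry.security_session + (1 if reauth else 0)

        if new_wlc is old_wlc:
            entry.ap, entry.security_session = new_ap.name, session
            return "intracontroller"                 # no IP address refresh

        if ipaddress.ip_address(entry.ip) in new_wlc.client_subnet:
            del old_wlc.clients[mac]                 # Layer 2: entry moved, same IP subnet
            entry.ap, entry.security_session = new_ap.name, session
            new_wlc.clients[mac] = entry
            return "intercontroller-L2"

        if entry.role == "foreign":
            del old_wlc.clients[mac]                 # assumption: anchor stays, foreign copy moves
        else:
            entry.role = "anchor"                    # original WLC keeps the anchor entry
        # Layer 3: copy tagged foreign on the new WLC; the client keeps its IP address
        new_wlc.clients[mac] = ClientEntry(mac, entry.ip, new_ap.name, session, role="foreign")
        return "intercontroller-L3"


def build_demo():
    """Constructed topology: A and B share the client subnet, C uses a different one."""
    wlc_a = WLC("WLC-A", ipaddress.ip_network("10.1.0.0/24"))
    wlc_b = WLC("WLC-B", ipaddress.ip_network("10.1.0.0/24"))
    wlc_c = WLC("WLC-C", ipaddress.ip_network("10.2.0.0/24"))
    domain = MobilityDomain(wlc_a, wlc_b, wlc_c)
    aps = {"AP1": AP("AP1", wlc_a), "AP2": AP("AP2", wlc_a),
           "AP3": AP("AP3", wlc_b), "AP4": AP("AP4", wlc_c)}
    wlc_a.clients["00:11:22:33:44:55"] = ClientEntry("00:11:22:33:44:55", "10.1.0.50", "AP1", 1)
    return domain, aps


def walk_through():
    """Roam one client AP1 -> AP2 (same WLC) -> AP3 (same subnet) -> AP4 (new subnet)."""
    domain, aps = build_demo()
    mac = "00:11:22:33:44:55"
    results = [domain.roam(mac, aps["AP2"], reauth=True),
               domain.roam(mac, aps["AP3"]),
               domain.roam(mac, aps["AP4"])]
    return results, domain


if __name__ == "__main__":
    print(walk_through()[0])
```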





                 Scaling the Architecture with Mobility
                 Groups

                          Mobility groups allow controllers to peer with each other to
                          support seamless roaming across controller boundaries, access
                          point load balancing, and controller redundancy.
                             – Mobility messages are exchanged between controllers.
                             – Data is tunneled between controllers in Ethernet-in-IP
                               (EtherIP).
                          Each WLC in a mobility group is configured with a list of other
                          members.
                          Access points learn the IP addresses of the other members of the
                          mobility group after the LWAPP join process.
                          Mobility groups support up to 24 controllers and 3600 access
                          points.
                          WLC should be placed in mobility groups when intercontroller
                          roaming is possible and for controller redundancy.




                 Mobility Group Requirements

                          IP connectivity must exist between the management interfaces of
                          all WLC devices.
                          All WLCs must be configured with the same mobility group name.
                          The mobility group name is case-sensitive.
                          All WLCs must be configured to use the same virtual interface IP
                          address.
                          Each WLC is configured with the MAC address and IP address of
                          all the other mobility group members.
                          The WLCs exchange messages using UDP port 16666
                          (unencrypted) or UDP port 16667 (encrypted).
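As an added example that is not part of the course material, a Python checker that applies the requirements above to a set of controller records: the WLC field names, sample addresses and the reachability set are constructed assumptions, and `mobility_port` models each controller as configured for one of the two ports listed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Port numbers as stated on the slide.
MOBILITY_UDP_UNENCRYPTED = 16666
MOBILITY_UDP_ENCRYPTED = 16667
UNENCRYPTED_FINDING = "mobility messages use UDP 16666 (unencrypted); prefer UDP 16667"


@dataclass
class WLC:
    """Constructed view of one controller's mobility-relevant settings (assumed field names)."""
    name: str                 # sysName
    mgmt_ip: str              # management interface IP address
    mac: str                  # management interface MAC address
    mobility_group: str       # mobility group name, compared case-sensitively
    virtual_ip: str           # virtual interface IP address
    mobility_port: int        # UDP port this controller is configured to use
    members: Dict[str, str] = field(default_factory=dict)  # configured peers: MAC -> IP


def check_mobility_group(wlcs: List[WLC], reachable: Set[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every requirement is met.

    `reachable` holds (source_mgmt_ip, destination_mgmt_ip) pairs with known IP
    connectivity.  A real check would probe; here the set is constructed input.
    """
    findings: List[str] = []
    if len(wlcs) < 2:
        return ["a mobility group needs at least two controllers"]

    # Same mobility group name on every controller; the comparison is exact,
    # so "Campus" and "campus" are two different groups.
    names = {w.mobility_group for w in wlcs}
    if len(names) > 1:
        findings.append(f"mobility group name mismatch (case-sensitive): {sorted(names)}")

    # Same virtual interface IP address on every controller.
    virtuals = {w.virtual_ip for w in wlcs}
    if len(virtuals) > 1:
        findings.append(f"virtual interface IP mismatch: {sorted(virtuals)}")

    # Every controller lists the MAC and IP address of every other member.
    for w in wlcs:
        for peer in wlcs:
            if peer is not w and w.members.get(peer.mac) != peer.mgmt_ip:
                findings.append(f"{w.name} is missing or has a stale entry for peer {peer.name}")

    # IP connectivity between all management interfaces, checked in both directions.
    for w in wlcs:
        for peer in wlcs:
            if peer is not w and (w.mgmt_ip, peer.mgmt_ip) not in reachable:
                findings.append(f"no management reachability {w.name} -> {peer.name}")

    # Mobility messages on UDP 16666 travel unencrypted; flag it so the design
    # review can decide whether the encrypted port is required.
    if any(w.mobility_port == MOBILITY_UDP_UNENCRYPTED for w in wlcs):
        findings.append(UNENCRYPTED_FINDING)
    return findings


def demo() -> List[str]:
    """Constructed three-controller group with two deliberate mistakes:
    wlc-b has the group name in different case, wlc-c lacks wlc-a's entry."""
    a = WLC("wlc-a", "10.0.0.1", "00:11:22:33:44:01", "Campus", "1.1.1.1", MOBILITY_UDP_ENCRYPTED)
    b = WLC("wlc-b", "10.0.0.2", "00:11:22:33:44:02", "campus", "1.1.1.1", MOBILITY_UDP_ENCRYPTED)
    c = WLC("wlc-c", "10.0.0.3", "00:11:22:33:44:03", "Campus", "1.1.1.1", MOBILITY_UDP_ENCRYPTED)
    group = [a, b, c]
    for w in group:
        for peer in group:
            if peer is not w:
                w.members[peer.mac] = peer.mgmt_ip
    del c.members[a.mac]  # the forgotten peer entry
    ips = [w.mgmt_ip for w in group]
    full_mesh = {(x, y) for x in ips for y in ips if x != y}
    return check_mobility_group(group, full_mesh)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```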








                 Supporting Roaming—
                 Recommended Practices

                          Minimize intercontroller roaming in your designs.
                          Design the network for <= 10 ms RTT latency between
                          controllers.
                          Intercontroller Layer 2 roaming is more efficient than Layer 3
                          roaming.
                          Use PKC or CCKM to speed up and secure roaming.
                          Client roaming capabilities vary by vendor, driver, and supplicant.
                          Look for Cisco Compatible Extensions v4 feature set.








                 Controller Redundancy Design

                 An access point selects its WLC in this sequence:
                          [Deterministic] If an access point has been previously configured
                          with a primary, secondary, or tertiary controller, the access point
                          attempts to join these first (specified by controller sysName).
                          [Initializing] The access point attempts to join a WLC configured
                          as a master controller.
                          [Dynamic] The access point attempts to join the WLC with the
                          greatest availability for access point associations.
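The selection sequence above as an added Python example, not Cisco's code or the LWAPP implementation: the controller records (sysName, capacity, master flag, reachability) are constructed, and "greatest availability" is modelled as the most free access point slots, which is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Controller:
    """Constructed controller record; field names are assumptions, not WLC CLI names."""
    sys_name: str
    max_aps: int               # access points the controller is licensed for
    joined_aps: int            # access points currently joined
    is_master: bool = False    # configured as master controller
    reachable: bool = True     # whether the access point can reach it right now

    @property
    def free_slots(self) -> int:
        return self.max_aps - self.joined_aps


@dataclass
class APConfig:
    """Statically assigned controllers, by sysName; None means not configured."""
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def select_controller(ap: APConfig, controllers: List[Controller]) -> Optional[Controller]:
    """Apply the three-stage sequence and return the controller the AP joins."""
    candidates = [c for c in controllers if c.reachable and c.free_slots > 0]
    by_name = {c.sys_name: c for c in candidates}

    # [Deterministic] primary, then secondary, then tertiary, matched by sysName.
    for name in (ap.primary, ap.secondary, ap.tertiary):
        if name is not None and name in by_name:
            return by_name[name]

    # [Initializing] a controller configured as master controller.
    for c in candidates:
        if c.is_master:
            return c

    # [Dynamic] the controller with the greatest availability for AP associations,
    # modelled here as the most free slots (assumption).
    return max(candidates, key=lambda c: c.free_slots, default=None)


def demo() -> List[str]:
    """Walk one constructed AP through normal operation, primary failure,
    fallback after recovery, and the two later stages.  Returns the sysNames."""
    wlc1 = Controller("wlc-1", max_aps=50, joined_aps=10)
    wlc2 = Controller("wlc-2", max_aps=50, joined_aps=40)
    wlc3 = Controller("wlc-3", max_aps=25, joined_aps=0, is_master=True)
    pool = [wlc1, wlc2, wlc3]
    ap = APConfig(primary="wlc-1", secondary="wlc-2")
    chosen = []
    chosen.append(select_controller(ap, pool).sys_name)          # primary available
    wlc1.reachable = False
    chosen.append(select_controller(ap, pool).sys_name)          # failover to secondary
    wlc1.reachable = True
    chosen.append(select_controller(ap, pool).sys_name)          # fallback once primary returns
    chosen.append(select_controller(APConfig(), pool).sys_name)  # nothing static: master
    wlc3.is_master = False
    chosen.append(select_controller(APConfig(), pool).sys_name)  # no static, no master: dynamic
    return chosen


if __name__ == "__main__":
    print(demo())
```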








                 Deterministic Controller Redundancy

                          Administrator statically assigns each access point a primary,
                          secondary, or tertiary controller.
                          Advantages include:
                             – Predictability (easier operational management)
                             – More network stability
                             – More flexible and powerful redundancy design options
                             – Faster failover times
                             – “Fallback” option in the case of failover
                          Disadvantages include:
                             – More upfront planning and configuration
                          Recommended leading practice is to use deterministic
                          redundancy.





                 Example:
                 Deterministic Controller Redundancy








                 Dynamic Controller Redundancy

                          Design relies on LWAPP to load-balance access points across
                          controllers and populate access points with backup WLC
                          information.
                           – Design works better when controllers are “clustered” in a
                              centralized design.
                          Advantages include:
                           – Easy to deploy and configure
                           – Access points dynamically load-balance
                          Disadvantages include:
                           – More intercontroller roaming
                           – Bigger operational challenges due to unpredictability
                           – Longer failover times
                           – No fallback option in the event of controller failure
                          Recommended practice is not to use dynamic redundancy.




                 Example: Dynamic Redundancy








                 Deterministic Redundancy Designs:
                 N+1








                 Deterministic Redundancy Designs:
                 N+N








                 Deterministic Redundancy Designs:
                 N+N+1








                 Radio Resource Management

                          Key RF challenges with 802.11:
                             – Limited nonoverlapping channels
                             – Physical characteristics of RF propagation
                             – Contention for the medium
                             – Transient nature of RF environments
                          RRM addresses these challenges:
                             – Continuous analysis of RF environment
                             – Dynamic channel assignment
                             – Interference detection and avoidance
                             – Dynamic transmit power control
                             – Coverage hole detection and correction
                             – Client and network load balancing




                 RF Grouping




          1. Access points send and receive neighbor messages.








                 RF Grouping




          1. Access points send and receive neighbor messages.
          2. If access points on different WLCs hear neighbor messages in the same RF group
             at -80 dBm or stronger, they pass information to their WLC.






                 RF Grouping
          1. Access points send and receive neighbor messages.
          2. If access points on different WLCs hear neighbor messages in the same RF group
             at -80 dBm or stronger, they pass information to their WLC.
          3. Controllers elect an RF group leader that analyzes RF data.






                 Access Point Self-Healing

                          Access points receive neighbor messages from neighbor access
                          points.
                          Access points report a lost neighbor when they no longer receive
                          neighbor messages at –65 dBm.
                          RRM is used to increase power on access points near the lost
                          access point.
                          RRM can also adjust channel selection if needed.
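An added Python example, not Cisco's code, covering the three RF grouping steps and the self-healing slide above: RF groups are formed with union-find over controllers using the -80 dBm threshold, and lost neighbors are detected against the -65 dBm threshold. The neighbor reports are constructed sample data, and the leader election rule (lowest sysName) is an assumption, since the slides say only that a leader is elected.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

RF_GROUP_THRESHOLD_DBM = -80   # step 2: heard this strong or stronger -> passed to the WLC
LOST_NEIGHBOR_DBM = -65        # self-healing: no longer heard at this level -> reported lost


class NeighborReport(NamedTuple):
    ap: str            # reporting access point
    wlc: str           # controller the reporting AP is joined to
    neighbor: str      # access point whose neighbor message was heard
    neighbor_wlc: str  # controller that neighbor is joined to
    rssi_dbm: int      # strength at which the neighbor message was received


def form_rf_groups(reports: List[NeighborReport]) -> Dict[str, str]:
    """Map every controller to its RF group leader.

    Union-find over controllers: two WLCs land in the same RF group when an AP
    on one hears an AP on the other at or above the -80 dBm threshold."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for r in reports:
        ra, rb = find(r.wlc), find(r.neighbor_wlc)
        if ra != rb and r.rssi_dbm >= RF_GROUP_THRESHOLD_DBM:
            parent[rb] = ra

    groups: Dict[str, List[str]] = defaultdict(list)
    for wlc in list(parent):
        groups[find(wlc)].append(wlc)
    leaders: Dict[str, str] = {}
    for members in groups.values():
        leader = min(members)  # assumption: lowest sysName wins the election
        for m in members:
            leaders[m] = leader
    return leaders


def _heard_strongly(reports: List[NeighborReport]) -> Set[str]:
    return {r.neighbor for r in reports if r.rssi_dbm >= LOST_NEIGHBOR_DBM}


def lost_neighbors(previous: List[NeighborReport], current: List[NeighborReport]) -> Set[str]:
    """APs heard at >= -65 dBm in the previous cycle but by nobody at that level now."""
    return _heard_strongly(previous) - _heard_strongly(current)


def self_heal(previous: List[NeighborReport],
              current: List[NeighborReport]) -> Tuple[Set[str], Set[str]]:
    """Return (lost APs, APs whose transmit power RRM should raise): the
    neighbors that used to hear each lost AP at the -65 dBm level."""
    lost = lost_neighbors(previous, current)
    boost = {r.ap for r in previous if r.neighbor in lost and r.rssi_dbm >= LOST_NEIGHBOR_DBM}
    return lost, boost


# Constructed sample: ap1, ap2, ap5 on wlc-A; ap3 on wlc-B; ap4 on wlc-C.
SAMPLE_PREVIOUS = [
    NeighborReport("ap1", "wlc-A", "ap2", "wlc-A", -55),
    NeighborReport("ap2", "wlc-A", "ap1", "wlc-A", -55),
    NeighborReport("ap1", "wlc-A", "ap5", "wlc-A", -62),
    NeighborReport("ap5", "wlc-A", "ap1", "wlc-A", -62),
    NeighborReport("ap2", "wlc-A", "ap5", "wlc-A", -60),
    NeighborReport("ap5", "wlc-A", "ap2", "wlc-A", -60),
    NeighborReport("ap2", "wlc-A", "ap3", "wlc-B", -70),   # cross-controller, >= -80: A and B group
    NeighborReport("ap3", "wlc-B", "ap2", "wlc-A", -70),
    NeighborReport("ap3", "wlc-B", "ap4", "wlc-C", -85),   # too weak: wlc-C stays separate
    NeighborReport("ap4", "wlc-C", "ap3", "wlc-B", -85),
]
# Next cycle: ap1 has failed, so nothing is heard from it and it reports nothing.
SAMPLE_CURRENT = [r for r in SAMPLE_PREVIOUS if "ap1" not in (r.ap, r.neighbor)]

if __name__ == "__main__":
    print(form_rf_groups(SAMPLE_PREVIOUS))
    print(self_heal(SAMPLE_PREVIOUS, SAMPLE_CURRENT))
```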








                 Summary

                          A lightweight access point uses an LWAPP discovery and join
                          process to connect to a WLC.
                          Lightweight access points operate by communicating with a WLC.
                          The Cisco Unified Wireless Network provides a high quality
                          transparent roaming experience for clients supporting both
                          intracontroller and intercontroller roaming.
                          It is recommended that you use deterministic controller
                          redundancy over dynamic controller redundancy.
                          RRM using RF groups is a foundation of the Cisco Unified
                          Wireless Network architecture.












                 Designing Wireless
                 Networks with Controllers



                 Identifying Wireless Networking Considerations








                 Reasons for an RF Site Survey

                              Defines RF characteristics in the environment:
                             – Discover RF coverage areas.
                             – Check for RF interference and issues.
                             – Provide RF spectrum analysis.
                             – Determine appropriate placement of wireless infrastructure
                               devices.
                              Helps define customer requirements








                 RF Site Survey Process

                    1. Define customer requirements.
                    2. Identify coverage areas and user density.
                    3. Determine preliminary access point locations.
                    4. Perform the actual surveying.
                    5. Document the findings.








                 RF Site Survey—
                 Customer Requirements

                          What type and number of wireless devices need to be supported?
                             – Is there current WLAN or RF equipment in place?
                             – Will the WLAN be used only for data?
                             – Will wireless phones be supported in the future?
                             – Are there peak periods to support?
                          Will users be stationary or on the move while using the WLAN?
                          Where should wireless coverage support be provided?
                          What level of support should be provided?








                 RF Site Survey—
                 Identifying Coverage Areas
                 [Floor plan figure: areas to identify include File Room or Supply Room
                 (large filing or metal cabinets), Elevator Shafts, Office, Test Lab,
                 Break Room (microwave ovens), Conference, Cubicles, and Stairwells
                 (reinforced building area)]





                 Determining Preliminary Access Point
                 Locations
                                                          Default Access Point Placement








                 Visualizing RF Coverage








                 Performing the Site Survey
                          Use tools and processes to determine coverage:
                             • Estimate the number of access points needed during planning.
                             • Measure attenuation at the corner and edge of coverage areas.
                             • Determine the coverage range.
                             • Build the WLAN coverage.
                             • Identify coverage holes.





                 Site Survey Report
              All information gathered and developed during the site
              survey should be included in the report:
                       Detail customer requirements.
                       Describe and diagram access point coverage.
                          – Be very specific when describing equipment placement
                            locations.
                          – Mark areas that are covered as well as those not needing
                            coverage.
                       Parts list should include:
                          – Access points
                          – Antennas
                          – Accessories and network components
                       Discuss the tools that were used and survey methods.





                 Supporting Guest Access








                 Path Isolation with Ethernet in IP Tunnel
                          Use of EtherIP tunnels to logically segment and transport the guest
                          traffic between edge and anchor controllers.
                          Other traffic (employee traffic, for example) is still locally bridged
                          on the corresponding VLAN.
                          No need to define the guest VLANs on the switches connected to the
                          edge controllers.
                          The original Ethernet frame from the guest is maintained across the
                          LWAPP and EtherIP tunnels.
                          EtherIP is supported across all WLAN controllers.
                             – 2006 WLC cannot anchor EtherIP connections.
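An added Python example, not from the course or Cisco's code, of the EtherIP encapsulation (RFC 3378, IP protocol 97) that these guest tunnels and the mobility-group data path use: the guest frame is wrapped in the 2-byte EtherIP header and recovered byte for byte, which is the property the slide relies on. The frame contents and MAC addresses are constructed placeholders; the outer IP header between controllers is not built here.

```python
import struct
from typing import Tuple

ETHERIP_VERSION = 3        # RFC 3378: the 4-bit version field is always 3
ETHERIP_IP_PROTOCOL = 97   # IP protocol number that carries EtherIP
ETHERIP_HEADER_LEN = 2     # 16 bits: version (4) + reserved (12), then the whole frame
ETH_HEADER_LEN = 14        # destination MAC, source MAC, EtherType


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble an untagged Ethernet frame (no FCS) from its parts."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[str, str, int, bytes]:
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than the Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12]), ethertype, frame[14:]


def etherip_encap(frame: bytes) -> bytes:
    """Prepend the EtherIP header; the result becomes the payload of an IP
    packet with protocol 97 from the edge controller to the anchor controller."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("refusing to encapsulate a truncated frame")
    header = struct.pack("!H", ETHERIP_VERSION << 12)   # reserved bits are zero
    return header + frame


def etherip_decap(payload: bytes) -> bytes:
    """Validate the EtherIP header and return the original Ethernet frame."""
    if len(payload) < ETHERIP_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("EtherIP payload too short to hold an Ethernet frame")
    (header,) = struct.unpack("!H", payload[:ETHERIP_HEADER_LEN])
    version, reserved = header >> 12, header & 0x0FFF
    if version != ETHERIP_VERSION:
        raise ValueError(f"unexpected EtherIP version {version}")
    if reserved != 0:
        # Conservative choice for this example: treat non-zero reserved bits as malformed.
        raise ValueError("EtherIP reserved bits are not zero")
    return payload[ETHERIP_HEADER_LEN:]


def is_valid_etherip(payload: bytes) -> bool:
    try:
        etherip_decap(payload)
        return True
    except ValueError:
        return False


def tunnel_round_trip(frame: bytes) -> bytes:
    """Edge controller encapsulates, anchor controller decapsulates."""
    return etherip_decap(etherip_encap(frame))


# Constructed guest frame: MAC addresses and payload are placeholders.
SAMPLE_GUEST_FRAME = build_frame("00:1a:2b:3c:4d:5e", "00:0c:29:aa:bb:cc", 0x0800, b"guest ip packet")

if __name__ == "__main__":
    wire = etherip_encap(SAMPLE_GUEST_FRAME)
    print(f"EtherIP header {wire[:2].hex()}, {len(wire)} bytes inside the IP packet")
    print(parse_frame(tunnel_round_trip(SAMPLE_GUEST_FRAME))[:3])
```

EtherIP adds no confidentiality or integrity protection of its own, so path isolation keeps guest frames off the edge VLANs but does not protect them in transit between the edge and anchor controllers.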






                 Outdoor Wireless Deployment Options








                 Outdoor Wireless Mesh Solution
                 Components




                 Cisco Wireless Control System
                    – Wireless mesh management system
                    – Enables network-wide policy configuration and device management
                    – Supports SNMP and syslog
                 Cisco Wireless LAN Controller
                    – Links the wireless mesh access points to the wired network
                    – Handles RF algorithms and optimization
                    – Seamless Layer 3 mobility
                    – Provides security and mobility management
                 Rooftop Access Point
                    – Serves as “root” or “gateway” access point to the wired network
                    – Typically located on rooftops or towers
                    – Connects up to 32 “pole-top” mesh access points using 802.11a
                 Mesh Access Point
                    – Provides 802.11b/g client access
                    – Connects to root access points via 802.11a
                    – Takes AC or DC power; PoE capable
                    – Ethernet port for connecting peripheral devices







                 Example: MAP-to-RAP Connectivity
                 in a Square Mile








                 Mesh Design Recommendations




                                            Hops                         One                        Two      Three         Four
                                            Throughput                 ~10 Mbps                   ~5 Mbps   ~3 Mbps   Up to 1 Mbps*

                    Latency
                        < 10 ms per hop, 1–3 ms is typical
                    Hops
                        Outdoor: Code supports up to eight hops; four or fewer hops are recommended.
                        Indoor: One hop is supported.
                    Nodes per RAP
                        One RAP supports up to 32 MAPs; 20 nodes are recommended.





                 Common Wireless Design Questions

                          How many access points are needed?
                          Where will the access points be placed?
                          How will the access points receive power?
                          How many WLCs are needed?
                          Where should the WLCs be placed?








                 LWAPP Access Point Feature Summary


          Feature                     10x0 Models   1121 AG Models   1130 AG Series   1230 AG Series   1240 AG Series   1300 Series               1500 Series
          Autonomous/LWAPP/both       LWAPP         Both             Both             Both             Both             Both (LWAPP in AP mode)   LWAPP
          External antenna            Yes           No               No               Yes              Yes              Yes                       Yes
          Outdoor install             No            No               No               No               No               Yes                       Yes
          REAP or H-REAP support      REAP          No               H-REAP           No               H-REAP           No                        Yes
          Dual radio                  Yes           No (only g)      Yes              Yes              Yes              No (only g)               Yes
          Power (watts)               13            6                15               14               15               N/A                       N/A
          Memory (Mb)                 16            16               32               16               32               16                        16
          WLANs per radio supported   18            8                8                8                8                8                         16





                 WLAN Controllers and Access Point Support

                 Part Number (Platform)                                                        | No. of Access Points Supported
                 AIR-WLC2006-K9 (Cisco Wireless LAN Controller appliance)                      | 6
                 NM-AIR-WLC6-K9 (Cisco Wireless LAN Controller Module for ISRs)                | 6
                 WS-C3750G-24WS-S25 (Cisco Catalyst 3750G Integrated Wireless LAN Controller)  | 25
                 WS-C3750G-24WS-S50 (Cisco Catalyst 3750G Integrated Wireless LAN Controller)  | 50
                 AIR-WLC4402-12-K9 (Cisco Wireless LAN Controller appliance)                   | 12
                 AIR-WLC4402-25-K9 (Cisco Wireless LAN Controller appliance)                   | 25
                 AIR-WLC4402-50-K9 (Cisco Wireless LAN Controller appliance)                   | 50
                 AIR-WLC4404-100-K9 (Cisco Wireless LAN Controller appliance)                  | 100
                 Cisco Catalyst 6500 Series Wireless Services Module (WiSM)                    | Up to 300

                 Controller Placement Design

                          Minimize intercontroller roaming.
                          Implement deterministic redundancy.
                          Centralized design supports the integrated platforms.
                             – Cisco Catalyst 3750G Integrated Wireless LAN Controller for
                               small-to-medium deployments
                             – Cisco WiSM for medium-to-large deployments
                          Distributed designs may work well with existing networks.
                          General recommendation is to use a centralized design,
                          but decide based on:
                             – Current network and policies
                             – Growth plans
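"How many WLCs are needed?" and "implement deterministic redundancy" can be answered mechanically once the AP count and the per-platform capacities are known. The following Python is an added example, not Cisco's tooling or part of the course: it takes the AP capacities from the controller table above, models each AP group's configured primary and secondary controller (the tertiary level is left out), and reports whether the steady-state load and the load after any single controller failure still fit within capacity. The controller names, AP counts, the `WiSM` key standing for the Catalyst 6500 module, and the function names are constructed for illustration.

```python
"""N+1 sizing and deterministic-redundancy check for Cisco WLCs.

Added example, not Cisco's tooling. Capacities are taken from the controller
table on this page; controller names, AP counts and function names below are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional

# APs supported per platform (from the "WLAN Controllers and Access Point
# Support" table). "WiSM" stands for the Catalyst 6500 Wireless Services Module.
AP_CAPACITY: Dict[str, int] = {
    "AIR-WLC2006-K9": 6,
    "NM-AIR-WLC6-K9": 6,
    "WS-C3750G-24WS-S25": 25,
    "WS-C3750G-24WS-S50": 50,
    "AIR-WLC4402-12-K9": 12,
    "AIR-WLC4402-25-K9": 25,
    "AIR-WLC4402-50-K9": 50,
    "AIR-WLC4404-100-K9": 100,  # the 100-AP member of the 4400 series
    "WiSM": 300,
}


@dataclass(frozen=True)
class ApGroup:
    """A set of APs sharing the same configured primary/secondary WLC."""
    site: str
    ap_count: int
    primary: str
    secondary: str


def controllers_needed(ap_count: int, platform: str, spare: int = 1) -> int:
    """Controllers of one platform for ap_count APs, plus `spare` standby units.

    spare=1 is the classic N+1 design: every AP's secondary is a controller
    that carries no primary load of its own.
    """
    if ap_count <= 0:
        raise ValueError("ap_count must be positive")
    return ceil(ap_count / AP_CAPACITY[platform]) + spare


def check_redundancy(controllers: Dict[str, str], groups: List[ApGroup]) -> List[str]:
    """Return design violations for a deterministic primary/secondary plan.

    `controllers` maps a WLC name to its platform. Checks that every group
    names two distinct, listed controllers, that no WLC is over capacity in
    steady state, and that after any single WLC failure the survivors still
    fit their capacity. An empty list means the plan survives any one failure.
    """
    problems: List[str] = []
    valid: List[ApGroup] = []
    for g in groups:
        if g.primary not in controllers or g.secondary not in controllers:
            problems.append(f"{g.site}: primary/secondary is not a listed controller")
        elif g.primary == g.secondary:
            problems.append(f"{g.site}: secondary WLC must differ from the primary")
        else:
            valid.append(g)

    def load_with(failed: Optional[str]) -> Dict[str, int]:
        """AP count per WLC when `failed` is down (None = steady state)."""
        load = {name: 0 for name in controllers}
        for g in valid:
            target = g.secondary if g.primary == failed else g.primary
            load[target] += g.ap_count
        return load

    for name, aps in load_with(None).items():
        cap = AP_CAPACITY[controllers[name]]
        if aps > cap:
            problems.append(f"{name}: {aps} primary APs exceed capacity {cap}")

    for failed in controllers:
        for name, aps in load_with(failed).items():
            cap = AP_CAPACITY[controllers[name]]
            if name != failed and aps > cap:
                problems.append(
                    f"if {failed} fails, {name} would carry {aps} APs (capacity {cap})"
                )
    return problems


# Constructed scenario: a two-building campus with 180 APs on 4400-series
# appliances. The first plan is N+1 (a dedicated standby); the second makes
# each building's controller back up the other, which cannot absorb a failure.
CAMPUS_WLCS = {
    "WLC-A": "AIR-WLC4404-100-K9",
    "WLC-B": "AIR-WLC4404-100-K9",
    "WLC-STANDBY": "AIR-WLC4404-100-K9",
}
N_PLUS_1 = [
    ApGroup("Building A", 90, primary="WLC-A", secondary="WLC-STANDBY"),
    ApGroup("Building B", 90, primary="WLC-B", secondary="WLC-STANDBY"),
]
MUTUAL_BACKUP = [
    ApGroup("Building A", 90, primary="WLC-A", secondary="WLC-B"),
    ApGroup("Building B", 90, primary="WLC-B", secondary="WLC-A"),
]

if __name__ == "__main__":
    print("controllers for 180 APs, N+1:", controllers_needed(180, "AIR-WLC4404-100-K9"))
    print("N+1 plan problems:", check_redundancy(CAMPUS_WLCS, N_PLUS_1))
    print("mutual backup problems:", check_redundancy(CAMPUS_WLCS, MUTUAL_BACKUP))
```

The mutual-backup plan passes the steady-state check but fails the single-failure check, which is the point of deterministic redundancy: the secondary named on every AP must have room for that AP's whole group on top of its own primary load, otherwise a controller failure cascades into APs with no controller.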



                 Example: Distributed WLC Design





                 Example: Centralized WLC Design





                 Campus WLC Options

                 Stand-alone appliance controller
                          Routed network on another platform
                          802.1Q trunk to switched or routed
                          network
                 Integrated controller
                          Routed network can exist on the
                          same platform.
                          Layer 2 connection is internal.
                          Layer 2 or 3 connection to routed
                          network can be used.





                 Branch Wireless Network Design Considerations

                          Number of access points needed at the branch
                             – Availability of switch ports
                             – Availability of power
                          Controller cost
                          WAN bandwidth constraints
                             – Latency between the access point and the WLC
                               should not exceed 200 ms RTT.
                             – For centralized controllers, use REAP or Hybrid REAP
                               access points.





                 Local MAC




       Access point MAC functions:
                802.11: beacons and probe responses
                802.11 control: packet acknowledgment and transmission
                802.11e: frame queuing and packet prioritization
                802.11i: MAC-layer data encryption and decryption
                802.11 MAC management: association requests and actions

       Controller MAC functions:
                802.11 proxy association requests and actions
                802.11e resource reservation
                802.11i authentication and key management


                 Remote Edge Access Point

                          Lightweight access point designed to be controlled across WAN
                          links:
                             – REAP is designed to support remote offices by extending
                               LWAPP control timers.
                             – Control traffic is still LWAPP encapsulated and sent to Cisco
                               Wireless LAN Controller.
                             – Client data is not LWAPP-encapsulated but is locally bridged.
                          All management control and RF management is available when
                          the WAN link is up and connectivity is available to the Cisco
                          Wireless LAN Controller.
                          It will continue to provide local connectivity even if the WAN is
                          down.




                 REAP Limitations
                          REAP devices do not support 802.1Q trunking. All WLANs
                          terminate on a single subnet.
                          If connectivity to the WLC is lost, only WLAN1 is supported.
                          Multiple WLANs are not recommended on REAP devices.
                          REAP devices support only Layer 2 security policies.
                          REAP devices and clients require a routable IP address provided
                          locally and do not support NAT.





                 Hybrid REAP
                          H-REAP is a solution for small or branch offices and retail sites on
                          the LWAPP Cisco IOS access point platforms.
                          H-REAP supports simultaneous tunneling and local bridging:
                             – “Local switching” bridges client traffic onto local VLANs.
                             – “Central switching” tunnels client traffic to the controller.
                          H-REAP provides more security options for the remote site:
                             – Stand-alone mode (controller unreachable) completes client
                               authentication by itself, for WPA-PSK and WPA2-PSK only.
                             – Connected mode uses the controller to complete client
                               authentication (WPA-PSK, WPA2-PSK, VPNs, L2TP, EAP, and web auth).
                          Round-trip latency must not exceed 200 ms between the access
                          point and the controller.
                          H-REAP supports NAT and PAT.
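The REAP limitations and the H-REAP stand-alone and connected modes above together describe what a branch keeps and what it loses when the WAN to the controller fails, which is the failure mode a branch design should be checked against before it ships. The following Python is an added example, not Cisco's code or part of the course: it encodes those rules (REAP keeps only WLAN1 without the WLC, applies only Layer 2 security policies, bridges all client data locally and cannot sit behind NAT; H-REAP authenticates WPA-PSK/WPA2-PSK locally in stand-alone mode but needs the controller for EAP, web auth and VPN, and loses central-switched WLANs; AP-to-WLC round-trip latency must stay within 200 ms) and reports the status of each WLAN for a given WAN state. The branch WLANs, the treatment of web auth, VPN and L2TP as Layer 3 policies, and the function names are assumptions constructed for illustration.

```python
"""What a REAP or H-REAP branch keeps when the WAN to the WLC is lost.

Added example, not Cisco's code. The rules encode the REAP limitations and
the H-REAP stand-alone/connected behaviour described on this page; the WLANs,
the Layer 3 policy set and the function names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

MAX_RTT_MS = 200  # AP-to-WLC round-trip budget given on this page


class ApMode(Enum):
    REAP = "REAP"
    HREAP = "H-REAP"


class Switching(Enum):
    LOCAL = "local"      # client traffic bridged onto the branch VLAN
    CENTRAL = "central"  # client traffic LWAPP-tunnelled to the WLC


# Stand-alone H-REAP completes these itself when the WLC is unreachable.
STANDALONE_AUTH = {"wpa-psk", "wpa2-psk"}
# Assumption: web auth, VPN pass-through and L2TP are Layer 3 policies, which
# the page says REAP cannot apply; EAP is Layer 2 but still needs the WLC.
LAYER3_POLICIES = {"web-auth", "vpn", "l2tp"}


@dataclass(frozen=True)
class Wlan:
    index: int       # WLAN ID on the controller; REAP keeps only ID 1 without a WLC
    ssid: str
    switching: Switching
    auth: str


def evaluate(mode: ApMode, wlans: List[Wlan], wan_up: bool, rtt_ms: int,
             nat_to_wlc: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Return (status per SSID, design issues) for one branch access point."""
    issues: List[str] = []
    status: Dict[str, str] = {}

    if wan_up and rtt_ms > MAX_RTT_MS:
        issues.append(f"AP-to-WLC RTT {rtt_ms} ms exceeds the {MAX_RTT_MS} ms limit")
    if mode is ApMode.REAP and nat_to_wlc:
        issues.append("REAP needs a routable address; NAT towards the WLC is unsupported")
    if mode is ApMode.REAP and len(wlans) > 1:
        issues.append("multiple WLANs on REAP are not recommended; all share one subnet")

    for w in wlans:
        wlan_issues: List[str] = []
        if mode is ApMode.REAP and w.switching is Switching.CENTRAL:
            wlan_issues.append("REAP bridges client data locally; no central switching")
        if mode is ApMode.REAP and w.auth in LAYER3_POLICIES:
            wlan_issues.append("REAP supports only Layer 2 security policies")
        issues.extend(f"{w.ssid}: {msg}" for msg in wlan_issues)

        if wlan_issues:
            status[w.ssid] = "unsupported"
        elif wan_up:
            status[w.ssid] = "up (connected mode)"
        elif mode is ApMode.REAP:
            status[w.ssid] = ("up (WLAN1 only)" if w.index == 1
                              else "down (REAP keeps only WLAN1 without the WLC)")
        elif w.switching is Switching.CENTRAL:
            status[w.ssid] = "down (tunnel to the WLC lost)"
        elif w.auth in STANDALONE_AUTH:
            status[w.ssid] = "up (stand-alone, local PSK authentication)"
        else:
            status[w.ssid] = "down (authentication needs the WLC)"
    return status, issues


# Constructed branch: corporate 802.1X/EAP, point-of-sale PSK, central-switched guest.
BRANCH_WLANS = [
    Wlan(1, "CORP", Switching.LOCAL, "eap"),
    Wlan(2, "POS", Switching.LOCAL, "wpa2-psk"),
    Wlan(3, "GUEST", Switching.CENTRAL, "web-auth"),
]

if __name__ == "__main__":
    for mode in ApMode:
        for wan_up in (True, False):
            status, issues = evaluate(mode, BRANCH_WLANS, wan_up, rtt_ms=80)
            print(mode.value, "WAN up" if wan_up else "WAN down", status, issues)
```

Run against the constructed branch, an H-REAP deployment keeps the PSK point-of-sale WLAN during a WAN outage but loses new EAP authentications and the central-switched guest WLAN; the same WLAN set on REAP keeps only WLAN1 and cannot carry the guest WLAN at all. Which WLAN gets ID 1, and which WLANs are locally switched with a PSK, are therefore design decisions, not details to leave to the installer.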




                 Example: H-REAP Deployment





                 Branch Office WLC Options

                 Appliance controllers
                          Cisco 2006: support for up to six access points
                          Cisco 4402-12, 4402-25
                 Integrated controllers
                          Cisco Wireless LAN Controller Module for ISR
                          Cisco Catalyst 3750 Series Integrated WLAN Controller
                          (support for 25 or 50 access points)





                 Summary
                          An RF site survey is used to determine the RF characteristics of a
                          wireless network and helps determine access point placement.
                          Guest services are easily supported using EtherIP tunnels in the
                          Cisco Unified Wireless Network.
                          Outdoor wireless networks are supported using outdoor access
                          points and Cisco Wireless Mesh Networking access points.
                          Campus wireless network design provides RF coverage for
                          wireless clients in the campus using lightweight access points.
                          The access points are managed by Cisco Wireless LAN
                          Controllers.
                          Branch wireless network design provides RF coverage for
                          wireless clients in the branch. Central management of REAP or
                          H-REAP access points can be supported.




                 Wireless Networking Review
                         Define the wireless requirements.
                         Conduct an RF site survey to define the RF characteristics in the
                         environment.
                         Define access point deployment locations based on the site survey
                         and customer requirements.
                         Determine the WLC design:
                           – Redundancy (primary, secondary, tertiary)
                           – Placement of WLCs in the distribution layer
                           – Whether remote sites will use local or centralized controllers
                         Determine the number of mobility groups that you will need.
                         Plan how to support internal VLANs and guest access if needed.




                 Cisco Unified Wireless Network Review





                 Module Summary
                          Cisco Unified Wireless Network architecture centralizes WLAN
                          configuration and control on WLCs that control LWAPP access
                          points.
                          The Cisco Unified Wireless Network provides transparent roaming,
                          supporting both intracontroller and intercontroller roaming.
                          Deterministic controller redundancy with integrated RRM provides
                          the highest-quality roaming experience.
                          An RF survey in a wireless network design determines the
                          characteristics of the wireless network and access point placement
                          to provide optimal RF coverage for wireless clients.





                 Implementing and Operating the Network


                 Designing for Cisco Internetwork Solutions (DESGN) v2.0





                 Reviewing Design and Implementation Resources


                 Implementing and Operating the Network





                 Solution Reference Network Design Guides
                          Focus on the specific solution
                          Provide an overview of relevant technologies
                          Give a description of the architecture
                          Offer recommended design practices
                          Provide configuration examples
                          Are available for the following areas:
                           – Campus
                           – Data center
                           – Branch office
                           – Teleworker
                           – WAN and MAN
                           – Security
                           – Unified communications
                           – Wireless





                 Cisco Networkers Online Subscription
                 200+ technical training sessions, including:
                          Application Optimization Technologies
                          Contact Center Technologies
                          Data Center Technologies
                          Network Access and Aggregation Technologies
                          Network Management Services Technologies
                          Optical and Metro Ethernet Technologies
                          Routing and Switching Technologies
                          Security Technologies
                          Storage Technologies
                          Voice and Video Technologies

                                                                                         www.networkersonline.net

                 Summary of Cisco CCNP Courses
                          Building Cisco Multilayer Switched Networks (BCMSN)
                             – Recommended prerequisite for Designing for Cisco
                               Internetwork Solutions
                          Building Scalable Cisco Internetworks (BSCI)
                          Implementing Secure Converged Wide Area Networks (ISCW)
                          Optimizing Converged Cisco Networks (ONT)





                 Building Cisco Multilayer Switched Networks v3.0

                        Use the Cisco hierarchical network model for campus networks
                        Define VLANs to segment network traffic and use
                        Implement spanning-tree operation
                        Implement and verify inter-VLAN routing
                        Implement high-availability technologies and techniques
                        Describe and configure wireless LAN access
                        Describe and implement security features
                        Describe and configure switches to support voice

                        Covers skills required to build enterprise-class switched
                        networks with integrated VoIP and wireless applications



                 Building Cisco Multilayer Switched Networks v3.0 Course Flow
                         Day 1
                           AM: Course Introduction; Network Requirements; Defining VLANs
                           PM: Defining VLANs; Implementing Spanning Tree
                         Day 2
                           AM: Implementing Spanning Tree
                           PM: Implementing Spanning Tree; Inter-VLAN Routing
                         Day 3
                           AM: Inter-VLAN Routing
                           PM: Implementing High Availability
                         Day 4
                           AM: Wireless LAN
                           PM: Wireless LAN
                         Day 5
                           AM: Configuring Campus Switches for Voice; Minimizing Service Loss
                           PM: Minimizing Service Loss



                 Building Scalable Cisco Internetworks v3.0

                        Explain routing in the enterprise network
                        Implement and verify EIGRP operations
                        Build a scalable multiarea network with OSPF
                        Configure integrated IS-IS in a single area
                        Implement Cisco IOS routing features
                        Implement and verify BGP for enterprise ISP connectivity
                        Implement and verify multicast forwarding using PIM
                        Implement IPv6 in an enterprise network

                        Covers skills required to build enterprise router networks
                        with mixed, integrated internal and external routing protocols




                 Building Scalable Cisco Internetworks v3.0
                 Course Flow

                          Day 1
                             – AM: Course Introduction; Network Requirements; Configuring EIGRP
                             – PM: Configuring EIGRP; Configuring OSPF
                          Day 2
                             – AM: Configuring OSPF
                             – PM: Configuring OSPF; Configuring IS-IS Protocol
                          Day 3
                             – AM: Configuring IS-IS Protocol; Manipulating Routing Updates
                             – PM: Manipulating Routing Updates; Implementing BGP
                          Day 4
                             – AM: Implementing BGP
                             – PM: Implementing BGP; Implementing Multicast
                          Day 5
                             – AM: Implementing Multicast; Implementing IPv6
                             – PM: Implementing IPv6

                 Implementing Secure Converged Wide Area Networks v1.0

                        Explain the Cisco hierarchical network model as it pertains to the WAN
                        Describe and implement teleworker configuration and access
                        Implement and verify frame mode MPLS
                        Describe and configure a site-to-site IPsec VPN
                        Describe and configure Cisco Easy VPN
                        Explain the strategies used to mitigate network attacks
                        Describe and configure Cisco device hardening
                        Describe and configure Cisco IOS firewall features

                        Covers skills for securing and expanding the reach of the enterprise
                        network to teleworkers and remote sites. The focus is on securing
                        remote access and VPN client configuration.

                 Implementing Secure Converged Wide Area Networks v1.0
                 Course Flow

                          Day 1
                             – AM: Course Introduction; Network Requirements; Connecting Teleworkers
                             – PM: Connecting Teleworkers; Simulation 2-1; Implementing Frame Mode MPLS
                          Day 2
                             – AM: Implementing Frame Mode MPLS; Lab 3-1
                             – PM: IPsec VPNs; Lab 4-1
                          Day 3
                             – AM: IPsec VPNs; Lab 4-2; Lab 4-3
                             – PM: IPsec VPNs; Lab 4-4; Cisco Device Hardening
                          Day 4
                             – AM: Cisco Device Hardening; Lab 5-1
                             – PM: Cisco Device Hardening; Lab 5-2; Lab 5-3
                          Day 5
                             – AM: Cisco IOS Threat Defense Features; Lab 6-1
                             – PM: Cisco IOS Threat Defense Features; Lab 6-2; Lab 6-3

                 Optimizing Converged Cisco Networks v1.0

                      Explain the Cisco hierarchical network model as it pertains to an
                      end-to-end enterprise network
                      Describe specific requirements for implementing a VoIP network
                      Describe the need to implement QoS and the methods for implementing
                      QoS on a converged network
                      Explain the key IP QoS mechanisms used to implement the DiffServ
                      QoS model
                      Configure Auto QoS for Enterprise
                      Describe and configure wireless security and basic wireless
                      management

                       Covers techniques and skills to optimize QoS in converged
                       networks supporting voice, wireless, and security applications

                 Optimizing Converged Cisco Networks v1.0
                 Course Flow

                          Day 1
                             – AM: Course Introduction; Describing Network Requirements;
                               Describe Cisco VoIP Implementations
                             – PM: Lab 2-1; Describe Cisco VoIP Implementations; Lab 2-2
                          Day 2
                             – AM: Introduction to IP QoS
                             – PM: Case Study 3-1; Lab 3-2; Implement the DiffServ QoS Model
                          Day 3
                             – AM: Implement the DiffServ QoS Model; Lab 4-1; Lab 4-2
                             – PM: Implement the DiffServ QoS Model; Lab 4-3; Lab 4-4; Lab 4-5
                          Day 4
                             – AM: Implement the DiffServ QoS Model; Lab 4-6
                             – PM: Lab 5-1; Lab 5-2; Lab 5-3
                          Day 5
                             – AM: Implement Wireless Scalability; Lab 6-1; Lab 6-2
                             – PM: Lab 6-3; Implement Wireless Scalability; Lab 6-4

                 Designing Cisco Network Service
                 Architectures (ARCH) v1.2
                          Presents the Cisco AVVID framework
                          Create intermediate network designs for:
                           – Enterprise campus infrastructure
                           – Enterprise edge infrastructure
                           – Network management
                           – High availability
                           – Security
                           – QoS
                           – IP multicast
                           – VPNs
                           – Wireless
                           – IP telephony

                          This is the next course in the design certification track.

                 Designing Cisco Network Service Architectures v1.2
                 Course Flow

                          Day 1
                             – AM: Course Introduction; Introducing Cisco Network Service
                               Architectures; Designing Enterprise Campus Networks
                             – PM: Designing Enterprise Campus Networks
                          Day 2
                             – AM: Designing Enterprise Edge Connectivity
                             – PM: Designing Enterprise Edge Connectivity; Designing Network
                               Management Services
                          Day 3
                             – AM: Designing High-Availability Services
                             – PM: Designing Security Services
                          Day 4
                             – AM: Designing QoS; Designing IP Multicast Services
                             – PM: Designing VPNs; Designing Enterprise Wireless Networks
                          Day 5
                             – AM: Designing IP Telephony Services
                             – PM: Wrap-Up

                 Foundation Courses for
                 Channel Partners

                          Foundation Express for Account Managers (FXS)
                          Foundation Express for System Engineers (CFXSE)
                          Foundation Express for Field Engineers (CFXFE)

                 Security Courses

                          Securing Cisco Network Devices (SND)
                          Securing Networks with Cisco Routers and Switches (SNRS)
                          Implementing Cisco Intrusion Prevention System (IPS)
                          Securing Networks with PIX and ASA (SNPA)
                          Cisco Secure Virtual Private Networks (CSVPN)

                 Voice Courses

                          Implementing Cisco Quality of Service (QOS)
                          Cisco Voice over IP Fundamentals (CVF)
                          Cisco Voice over IP (CVOICE)
                          Cisco IP Telephony Part 1 (CIPT1)
                          Cisco IP Telephony Part 2 (CIPT2)
                          IP Telephony Troubleshooting (IPTT)
                          Implementing Cisco Voice Gateways and Gatekeepers (GWGK)
                          IP Telephony Design (IPTD)

                 Wireless Courses

                          Aironet Wireless LAN Fundamentals and Site Survey (AWFSS)
                          Aironet Wireless LAN Advanced Topics (AWLAT)
                          Cisco Wireless LAN Fundamentals (CWLF)
                          Cisco Wireless LAN Advanced Topics (CWLAT)
                          Cisco Unified Wireless Networking (CUWN)
                          Cisco Wireless Mesh Networking (CWMN)

                 Summary

                          SRND guides provide deployment scenarios incorporating Cisco
                          products and technologies into a tested architecture.
                          Cisco Networkers Online provides introductory to advanced
                          training sessions on a subscription basis.
                          The Building Scalable Cisco Internetworks, Implementing Secure
                          Converged Wide Area Networks and Optimizing Converged Cisco
                          Networks courses provide additional theory and detailed
                          configuration information that supports enterprise network design
                          and implementations.
                          Designing Cisco Network Service Architectures is the next course
                          in the design certification track.
                          Cisco specialization courses provide in-depth, hands-on training
                          supporting security, voice, and wireless.


        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—9-19

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
www.CareerCert.info




        © 2007 Cisco Systems, Inc. All rights reserved.                                                     DESGN v2.0—9-20

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.

Ccda desgn v2.0 sg ppt to pdf

  • 1.
    www.CareerCert.info Designing for Cisco Internetwork Solutions (DESGN) v2.0 © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-1 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 2.
    www.CareerCert.info Course Introduction Designing for Cisco Internetwork Solutions v2.0 © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-2 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 3.
    www.CareerCert.info Learner Skills and Knowledge Prerequisite skills and knowledge – Cisco CCNA® certification Recommended training Introduction to Cisco Network Technologies Recommended training Interconnecting Cisco Network Devices Building Cisco Multilayer Switched Networks level knowledge of wireless and QoS topics – Recommended training Building Cisco Multilayer Switched Networks Practical experience with deploying and operating networks based on Cisco network devices and Cisco IOS Software © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-3 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 4.
    www.CareerCert.info Course Goal “To enable learners to gather customer internetworking requirements, identify solutions, and design the network infrastructure and services to ensure the basic functionality of the proposed solutions” Designing for Cisco Internetwork Solutions v2.0 © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-4 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 5.
    www.CareerCert.info Course Flow Day 1 Day 2 Day 3 Day 4 Day 5 Course Implementing and Introduction Operating the Designing IP Identifying Voice Network A Designing Basic Addressing and Networking Campus and Data M Applying a Center Networks Selecting Routing Considerations Methodology to Protocols Final Case Network Design Study Lunch Final Case Study P Structuring and Evaluating Security Identifying Wireless Designing Remote Modularizing the Solutions for the Networking M Connectivity Network Network Considerations © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-5 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 6.
    www.CareerCert.info Cisco Icons and Symbols © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-6 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 7.
    www.CareerCert.info Cisco Icons and Symbols (Cont.) © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-7 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 8.
    www.CareerCert.info Cisco Certifications © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-8 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 9.
    www.CareerCert.info Cisco Career Certifications DESGN—Certification for associate-level recognition in network design CCDE Expert Required Recommended Training Through Exam Cisco Learning Partners 640-863 Designing for Cisco DESGN Internetwork Solutions CCDP Professional Building Cisco Multilayer Switched Networks Associate 640-801 Interconnecting Cisco Network CCDA CCNA Devices Introduction to Cisco Network Technologies http://www.cisco.com/go/certifications © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-9 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 10.
    www.CareerCert.info © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0-10 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 11.
    www.CareerCert.info Applying a Methodology to Network Design Designing for Cisco Internetwork Solutions (DESGN) v2.0 © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—1-1 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 12.
    www.CareerCert.info Applying a Methodology to Network Design Introducing the Cisco Service-Oriented Network Architecture © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—1-1 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 13.
    www.CareerCert.info Growth of Applications Telephony Business EDI Intelligence Custom Partners Protocol Compression Business-to- Web ASP Service Business Links Field Organizations Business Message Mobile Rules Broker Data Center Transformation Services Branch Offices .Net Business-to- Business Gateway ESB Distribution Standards Load Database Balancing Lookup Security MQ Series Extranet J2EE Remote Event Environments Compliance Capture Legacy EAI Logging Applications RFID Adapters © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—1-2 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 14.
    www.CareerCert.info IT Evolution— From Connectivity to Intelligent Systems © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—1-3 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 15.
    New Business Requirements
  • 16.
    Intelligence in the Network
  • 17.
    Cisco Service-Oriented Network Architecture Framework
    SONA is an architectural framework. SONA brings several advantages to enterprises:
      – Outlines how enterprises can evolve toward a more intelligent network
      – Illustrates how to build integrated systems across a fully converged intelligent infrastructure
      – Improves flexibility and increases efficiency
  • 18.
    Cisco SONA Layers
  • 19.
    Overview of Cisco SONA Offerings
  • 20.
    Benefits of SONA
    Benefit | Description
    Functionality | Supports organizational requirements
    Scalability | Supports growth and expansion of organizational tasks
    Availability | Provides necessary services reliably, anywhere, anytime
    Performance | Provides responsiveness, throughput, and utilization on a per-application basis
    Manageability | Provides control, performance monitoring, and fault detection
    Efficiency | Provides network services with reasonable operational costs and appropriate capital investment
  • 21.
    Summary
    Drivers for a new network architecture include these factors:
      – Growth of applications
      – IT evolution from connectivity to intelligent systems
      – Increased business expectations for networks
    Cisco’s vision of intelligence in the network aligns network and business requirements in three phases:
      – Phase 1 is integrated transport.
      – Phase 2 is integrated services.
      – Phase 3 is integrated applications.
    Cisco SONA is the enterprise framework for building intelligence in the network:
      – Layer 1 is the integrated infrastructure layer.
      – Layer 2 is the interactive services layer.
      – Layer 3 is the application layer.
  • 23.
    Identifying Design Requirements (Applying a Methodology to Network Design)
  • 24.
    PPDIOO Network Life-Cycle Approach
  • 25.
    Benefits of the Life-Cycle Approach
  • 26.
    Design Methodology Under PPDIOO
    Three steps in the design methodology:
      1. Identify the customer requirements.
      2. Characterize the existing network and sites.
      3. Design the topology and network solutions.
  • 27.
    Identifying Customer Requirements
  • 28.
    Identifying Planned Applications
    Application Type | Application | Criticality (Critical/Important/Unimportant) | Comments
    E-mail | | |
    Groupware | | |
    Web browsing | | |
    Video on demand | | |
    Database | | |
    Customer support | | |
  • 29.
    Example: Planned Applications
    Application Type | Application | Criticality (critical/important/unimportant) | Comments
    E-mail | Microsoft Outlook | Important |
    Groupware | Cisco Unified MeetingPlace | Important | We need to be able to share presentations and applications during remote meetings.
    Web browsing | Microsoft Internet Explorer, Opera, Netscape | Important |
    Video on demand | IP/TV | Critical |
    Database | Oracle | Critical | All data storage will be based on Oracle.
    Customer support | Customer applications | Critical |
  • 30.
    Identifying Planned Infrastructure Services
    Service | Comments
    Security |
    QoS |
    Network management |
    High availability |
    IP telephony |
    Mobility |
  • 31.
    Example: Planned Infrastructure Services
    Service | Comments
    Security | Deploy security systematically, including firewalls, intrusion detection systems (IDSs), and access control lists (ACLs)
    QoS | Give priority to delay-sensitive voice traffic and other important traffic
    Network management | Use centralized management tools where appropriate and point product management as required
    High availability | Eliminate single points of failure and use redundant paths as needed
    IP telephony | Want to migrate company from regular telephony
    Mobility | Need client laptop guest access along with mobility of employee PCs
  • 32.
    Identifying Organizational Goals
    Organizational Goal | Gathered Data | Comments
    Increase competitiveness | List competitive organizations and their abilities | Point out possibilities to increase competitiveness
    Reduce costs | List current expenses | Point out cost-reduction possibilities
    Improve customer support | List current customer support | Point out possible steps to improve customer support
    Add new customer services | List current customer services | List future desired services
  • 33.
    Example: Organizational Goals
    Organizational Goal | Gathered Data (Existing Situation) | Comments
    Increase competitiveness | Corporation Y, Corporation Z | Better products
    Reduce costs | Enter data multiple times; time-consuming tasks | Single data-entry point; easy-to-learn application; simple data exchange
    Improve customer support | Order tracking and technical support supported by individuals | Web-based order tracking; web-based customer technical support tools
    Add new customer services | Telephone and fax orders; telephone and fax confirmation | Secure web-based ordering; secure web-based confirmations
  • 34.
    Assessing Organizational Constraints
    Organizational Constraint | Gathered Data | Comments
    Budget | Amount of money to spend | Identify the amount of money the organization is willing to spend
    Personnel | List available personnel and their expertise | Specify the number of network engineers who have to attend the additional training
    Policy | List preferred standards, protocols, vendors, applications | Determine if the organization is willing to buy equipment from a new vendor
    Scheduling | Specify time frame | Use tools for resource assignment, milestones, critical-path analysis
  • 35.
    Example: Organizational Constraints
    Organizational Constraint | Gathered Data (Existing Situation) | Comments
    Budget | $650,000 maximum | Budget can be extended by $78,000
    Personnel | Engineers with Cisco CCNA® certificates and Cisco CCNP® certificates | Plans to hire new engineers in the network department; need technical development plan
    Policy | Prefers single vendor and standardized protocols | Current equipment—Cisco; prefers to stay with it
    Scheduling | Plans to introduce new applications in the next nine months | New applications include video conferencing, groupware, and IP telephony
  • 36.
    Identifying Technical Goals
    Technical Goals | Importance | Comments
    Responsiveness and throughput | |
    Availability | |
    Manageability | |
    Security | |
    Adaptability | |
    Scalability | |
    Total | 100 |
  • 37.
    Example: Technical Goals
    Technical Goals | Importance | Comments
    Performance | 20 | Important at the central site, less important in branch offices
    Availability | 25 | Should be 99.9 percent
    Manageability | 5 |
    Security | 15 | Security for critical data transactions is extremely important
    Adaptability | 10 |
    Scalability | 25 | Scalability is critical
    Total | 100 |
  • 38.
    Example: Technical Constraints
    Technical Constraints | Gathered Data | Comments
    Existing wiring | Coaxial cabling | Replace existing coaxial cabling. Use twisted-pair to desktop and fiber optics for uplinks and in the backbone.
    Bandwidth availability | 64-kbps WAN links | Upgrade speeds; consider another service provider with additional services to offer.
    Application compatibility | IPv6 based applications | Make sure new network equipment supports IPv6.
  • 39.
    Summary
    The PPDIOO approach reflects the life cycle phases of a standard network.
    The design methodology under PPDIOO includes these processes:
      – Identifying customer requirements
      – Characterizing the existing network and sites
      – Designing the network topology and solutions
    Key steps in identifying customer requirements include these:
      – Identifying network applications and services
      – Defining organizational goals and constraints
      – Defining technical goals and constraints
  • 41.
    Characterizing the Existing Network and Sites (Applying a Methodology to Network Design)
  • 42.
    Characterizing the Existing Network and Sites
    Gather documentation and query the organization.
    Perform a site and network assessment to help detail the network.
    Consider performing traffic analysis on the existing network and applications.
  • 43.
    Identifying Major Features of the Network
    Collect the information about the planned and existing network infrastructure:
      – Site contact information
      – Network topology such as network devices, physical and logical links, external connections, encapsulations, bandwidths, IP addressing, routing protocols
      – Network services such as security, QoS, high availability, IP telephony, storage, and wireless
      – Network applications such as unified communications and video delivery
    Collect the information about expected network functionality.
    Identify network modules based on the given information.
  • 44.
    Sample Site Contact Questions
    What is the site location or name?
    What is the site address?
    What is the shipping address?
    Who is the site contact?
    Is this site owned and maintained by the customer?
    Is this a staffed site?
    What are the hours of operation?
    What are the building or room access procedures?
    Are there any special security or safety procedures?
    Are there any union or labor requirements or procedures?
    What are the locations of the equipment cabinets and racks?
  • 45.
    Example: Customer Network Diagram
  • 46.
    Network Assessment Information Sources
  • 47.
    Example: Network Assessment
  • 48.
    Network Assessment Tools
    Manual assessment:
      – Use monitoring commands on network devices on small networks.
      – Use scripting tools to collect information on large networks.
    Use existing management and auditing tools:
      – CiscoWorks
      – Third-party tools such as WhatsUp Gold, Castle Rock SNMPc, open source Cacti, Netcordia NetMRI, and NetQoS NetVoyant
    Use other tools to collect relevant information for the network devices:
      – Third-party tools such as Network General Sniffer, AirMagnet software and devices, and WildPackets AiroPeek
  • 49.
    Commands for Manual Information Collection
  • 50.
    Example: Manual Information Collection—Router CPU Utilization
  • 51.
    Example: Manual Information Collection—Router Memory Utilization
  • 52.
    Example: Automatic Information Collection—Cacti Device List
  • 53.
    Example: Automatic Information Collection—NetMRI Inventory
  • 54.
    Network Traffic Analysis
    Use organizational input to identify the applications used in the existing network and their relative importance.
    Perform a traffic analysis to reveal additional applications used in the network.
    Use the results and organizational input to define QoS and security-related requirements for discovered applications.
  • 55.
    Steps in Analyzing Network Traffic
  • 56.
    Example: Traffic Analysis
    Application No. 8:
      Description: Accounting software
      Protocol: TCP port 5151
      Servers: 2
      Clients: 50
      Scope: Campus
      Importance: High
      Average rate: 50 kbps with 10-second bursts to 1 Mbps
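    The per-application figures on the slide above (protocol, server and client counts, average rate, burst rate) are what a traffic analysis step produces from flow records. The script below is an added example, not part of the DESGN material: it aggregates constructed flow records (an assumed stand-in for a NetFlow collector or analyzer export) per application, computes the average rate over the capture and the peak rate in a sliding 10-second window, and labels any port that the organization did not list as a known application, which is how traffic analysis "reveals additional applications" for the QoS and security requirements discussion.

```python
"""Per-application traffic profile from flow records.

Added example for this page; it is not DESGN course material. The flow records
and the port-to-application table are constructed (assumptions), standing in for
an export from a NetFlow collector or packet analyzer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int        # first second of the flow (capture-relative)
    end: int          # last second of the flow, inclusive
    src: str          # client address
    dst: str          # server address
    proto: str        # "TCP" or "UDP"
    dport: int        # server port
    byte_count: int   # bytes carried by the flow


# Constructed mapping from transport port to application (assumption).
KNOWN_APPS = {
    ("TCP", 5151): "Accounting software",
    ("TCP", 80): "Web browsing",
}


def app_name(flow):
    """Name the application; unknown ports are reported so they can be investigated."""
    return KNOWN_APPS.get((flow.proto, flow.dport), f"unknown {flow.proto}/{flow.dport}")


def profile(flows, window=10):
    """Summarize flows per application: servers, clients, average and peak rate.

    Average rate is total bytes over the whole capture; peak rate is the busiest
    `window`-second interval, with each flow's bytes spread evenly over its lifetime.
    """
    t0 = min(f.start for f in flows)
    t1 = max(f.end for f in flows)
    capture_len = t1 - t0 + 1
    by_app = defaultdict(list)
    for f in flows:
        by_app[app_name(f)].append(f)

    result = {}
    for app, app_flows in by_app.items():
        per_sec = defaultdict(float)           # bytes per second for this app
        for f in app_flows:
            dur = f.end - f.start + 1
            for t in range(f.start, f.end + 1):
                per_sec[t] += f.byte_count / dur
        peak_bytes = 0.0
        for w in range(t0, t1 - window + 2):   # every complete window in the capture
            peak_bytes = max(peak_bytes, sum(per_sec.get(t, 0.0) for t in range(w, w + window)))
        total = sum(f.byte_count for f in app_flows)
        result[app] = {
            "protocol": f"{app_flows[0].proto} port {app_flows[0].dport}",
            "servers": len({f.dst for f in app_flows}),
            "clients": len({f.src for f in app_flows}),
            "avg_kbps": round(total * 8 / capture_len / 1000, 1),
            "peak_kbps": round(peak_bytes * 8 / window / 1000, 1),
        }
    return result


def sample_flows():
    """Constructed 600-second capture: 50 accounting clients, one 10-second burst,
    a little web browsing, and one flow on a port nobody listed as an application."""
    flows = [Flow(0, 599, f"10.1.0.{i}", "10.2.0.1", "TCP", 5151, 50_000) for i in range(1, 51)]
    flows.append(Flow(20, 29, "10.1.0.7", "10.2.0.2", "TCP", 5151, 1_250_000))  # report run
    flows.append(Flow(100, 159, "10.1.0.3", "10.2.0.10", "TCP", 80, 300_000))
    flows.append(Flow(300, 305, "10.1.0.9", "10.2.0.20", "TCP", 8443, 40_000))  # undocumented app
    return flows


if __name__ == "__main__":
    for app, p in profile(sample_flows()).items():
        print(app, p)
```

    With the constructed capture, the accounting application comes out at 2 servers, 50 clients, a 50.0 kbps average and a roughly 1 Mbps peak window, while the TCP/8443 flow surfaces as an unknown application to take back to the organization before QoS classes or firewall policy are written.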
  • 57.
    Network Analysis Tools
    Cisco IOS Software analysis capabilities:
      – NBAR
      – NetFlow
    Cisco software-based network analyzers:
      – Cisco CNS NetFlow Collection Engine
    Third-party tools, such as:
      – Open source Cacti
      – Network General Sniffer
      – WildPackets EtherPeek and AiroPeek
      – SolarWinds Orion
      – Wireshark
      – RMON probes
  • 58.
    Example: NBAR Printout
  • 59.
    Example: Cisco IOS NetFlow Printout
  • 60.
    Example: Cacti Graph
  • 61.
    Example: SolarWinds Orion
  • 62.
    Summary Report
    Characterization of the existing network results in a summary report that is used to:
      – Describe the software features required in the network
      – Describe possible problems in the existing network
      – Identify the actions needed to prepare the network for the implementation of the required features
      – Influence the customer requirements
  • 63.
    Example: Equipment Summary Report
    The network uses 895 routers:
      – 655 routers use Cisco IOS Software Release 12.2(10).
      – 240 routers use an older Cisco IOS Software version.
  • 64.
    Example: Summary Report Problem Statement
    Requirement: Queuing in the WAN
    Identified problem:
      – Existing Cisco IOS Software version does not support new queuing technologies.
      – 15 out of 19 routers with older Cisco IOS Software are in the WAN.
      – 12 out of 15 routers do not have enough memory to upgrade to Cisco IOS Software Release 12.3 or later.
      – 5 out of 15 routers do not have enough flash memory to upgrade to Cisco IOS Software Release 12.3 or later.
  • 65.
    Example: Summary Report Recommendations
    Recommended action:
      – 12 memory upgrades to 64 MB
      – 5 flash memory upgrades to 16 MB
    Options:
      – Replace hardware and software to support queuing.
      – Find an alternative mechanism for that part of the network.
      – Find an alternative mechanism and use it instead of queuing.
      – Evaluate the consequences of not implementing the required feature in that part of the network.
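    The problem statement and recommendation slides above are the output of checking an inventory against a feature's prerequisites: which routers run software too old for the feature, which of those sit in the part of the network that needs it, and which of those lack the memory or flash to be upgraded. The script below is an added example, not DESGN material: it applies the thresholds stated on the slides (Cisco IOS Release 12.3 or later, 64 MB DRAM, 16 MB flash) to a constructed inventory (an assumed stand-in for a discovery-tool export) and produces the counts and the upgrade actions the report would state. Parsing the release string is the part worth getting right, since "12.2(10)" and "12.3(4)T" do not compare correctly as plain strings.

```python
"""Readiness audit of a router inventory against a feature's software and
hardware prerequisites, producing the counts a summary report states.

Added example for this page; it is not DESGN course material. The inventory
below is constructed, and the thresholds (Cisco IOS 12.3 or later, 64 MB DRAM,
16 MB flash) are taken from the example on the slide.
"""
import re
from dataclasses import dataclass

# major.minor(maintenance) with an optional train suffix such as "T"
IOS_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)[A-Z0-9]*$")


@dataclass(frozen=True)
class Router:
    name: str
    role: str        # "WAN" or "campus"
    ios: str         # release string as reported by the device, e.g. "12.2(10)"
    dram_mb: int
    flash_mb: int


def parse_ios_version(release):
    """Turn "12.4(15)T" into (12, 4, 15); the train suffix does not affect ordering here."""
    m = IOS_VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognized IOS release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def audit(inventory, min_ios=(12, 3, 0), min_dram_mb=64, min_flash_mb=16, role="WAN"):
    """Return the summary-report figures: which routers in `role` run software older
    than `min_ios`, and of those, which lack the memory or flash to be upgraded."""
    old = [r for r in inventory if parse_ios_version(r.ios) < min_ios]
    old_in_role = [r for r in old if r.role == role]
    need_dram = [r for r in old_in_role if r.dram_mb < min_dram_mb]
    need_flash = [r for r in old_in_role if r.flash_mb < min_flash_mb]
    return {
        "old_total": len(old),
        "old_in_role": len(old_in_role),
        "need_dram": sorted(r.name for r in need_dram),
        "need_flash": sorted(r.name for r in need_flash),
        "actions": [f"{len(need_dram)} memory upgrades to {min_dram_mb} MB",
                    f"{len(need_flash)} flash memory upgrades to {min_flash_mb} MB"],
    }


# Constructed inventory (assumption), as a network discovery tool might export it.
SAMPLE_INVENTORY = [
    Router("wan-r1", "WAN", "12.2(10)", 32, 8),
    Router("wan-r2", "WAN", "12.2(10)", 64, 16),
    Router("wan-r3", "WAN", "12.1(5)", 32, 16),
    Router("wan-r4", "WAN", "12.3(4)T", 128, 32),
    Router("wan-r5", "WAN", "12.4(15)T", 256, 64),
    Router("campus-r1", "campus", "12.2(10)", 32, 8),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

    For the constructed inventory the report reads: 4 routers on older software, 3 of them in the WAN, 2 of those needing a memory upgrade to 64 MB and 1 needing a flash upgrade to 16 MB; the remaining WAN router on old software only needs the software upgrade.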
Documenting an Existing Network
    (Diagram slide; no text content.)

Network Characterization Hour Estimates

    Estimated hours (minimum–maximum) by network size, measured in switches/routers:

    Task                                            Small      Medium     Large       Huge
                                                    (1–20)     (20–200)   (200–800)   (>800)
    a) Interview management team                    4–4        8–8        12–12       16–16
    b) Interview network team                       4–4        6–6        8–12        24–24
    c) Review documentation                         4–4        6–6        8–12        16–16
    d) Set up network discovery tool                4–4        6–6        8–8         16–16
    e) Resolve SNMP access and similar problems     4–4        8–16       16–48       80–160
    f) Allow tools to gather data                   (no estimate given)
    g) Analyze captured data                        4–8        16–16      24–24       40–40
    h) Prepare high-level Layer 3 diagrams          4–4        4–8        8–16        16–32
    i) Prepare report stating conclusions           16–16      32–32      48–48       80–80
    j) Incrementally prepare network diagrams       (no estimate given)
    Estimated manpower in hours                     44–48      86–98      132–180     288–384

Summary

    Characterizing an existing network entails gathering as much information about the network as possible. Organization input, a network audit, and traffic analysis provide the key information that you need.
    Identifying major features of the network involves gathering network documentation and querying the organization.
    The auditing process adds detail to the initial network documentation that you created from existing documentation and customer input. You can manually audit a small network, but you typically need automated tools to audit a large network.
    Traffic analysis verifies the set of applications and protocols used in the network and determines the traffic patterns of the applications.

Summary (Cont.)

    Tools used for traffic analysis range from manual identification of applications using Cisco IOS Software commands in combination with NBAR or NetFlow to those where dedicated software- or hardware-based analyzers capture live packets or SNMP data.
    The result of the network characterization is a summary report describing the health of the network.

Using the Top-Down Approach to Network Design
Applying a Methodology to Network Design

Top-Down Design Practices
    Start your design here. Design down the OSI model.
    (Diagram slide.)

Top-Down and Bottom-Up Approach Comparison

                     Top-Down Approach                             Bottom-Up Approach
    Benefits         Incorporates organizational requirements      Allows a quick response to a design request
                     Gives the big picture to organization         Facilitates design based on previous experience
                     and designer
    Disadvantages    Incorporates organizational requirements      Implements little or no notion of actual
                                                                   organizational requirements
                                                                   May result in inappropriate network design

Example: Top-Down Voice Design
    (Diagram slide; no text content.)

Creating a Network Decision Table

    Decide which network layer requires decisions.
    Gather possible options for a given situation.
    Create a table that includes possible options and given requirements.
    Match given requirements with specific properties of given options.
    Select the option with the most matches as the most appropriate one.

Example: Selecting a Routing Protocol

    Network Parameters                          Required      Options
                                                Parameters    EIGRP      OSPF      BGP
    Size of Network                             Large         Large      Large     Very Large
    (Small/Medium/Large/Very Large)
    Enterprise-Focused (Yes/No)                 Yes           Yes        Yes       No
    Use of VLSM (Yes/No)                        Yes           Yes        Yes       Yes
    Supports Cisco Routers (Yes/No)             Yes           Yes        Yes       Yes
    Network Support Staff Knowledge             Good          Fair       Good      Poor
    (Good/Fair/Poor)
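An added example (not from the course material) that runs the decision-table steps over the routing-protocol table above: it counts matches per option, ranks the options, and flags ties. The requirement and option values are the slide's; the optional `mandatory` hard constraint is this example's own assumption and is not on the slide.

```python
"""Decision-table scoring from the 'Creating a Network Decision Table' slide,
applied to the routing-protocol example table. The requirement and option
values are the slide's; the scoring and the `mandatory` hard constraints
are this example's own additions."""

# Required parameters, as given in the slide's "Required Parameters" column.
REQUIREMENTS = {
    "Size of Network": "Large",
    "Enterprise-Focused": "Yes",
    "Use of VLSM": "Yes",
    "Supports Cisco Routers": "Yes",
    "Network Support Staff Knowledge": "Good",
}

# Properties of each option, as given in the slide's EIGRP / OSPF / BGP columns.
OPTIONS = {
    "EIGRP": {"Size of Network": "Large", "Enterprise-Focused": "Yes", "Use of VLSM": "Yes",
              "Supports Cisco Routers": "Yes", "Network Support Staff Knowledge": "Fair"},
    "OSPF": {"Size of Network": "Large", "Enterprise-Focused": "Yes", "Use of VLSM": "Yes",
             "Supports Cisco Routers": "Yes", "Network Support Staff Knowledge": "Good"},
    "BGP": {"Size of Network": "Very Large", "Enterprise-Focused": "No", "Use of VLSM": "Yes",
            "Supports Cisco Routers": "Yes", "Network Support Staff Knowledge": "Poor"},
}


def score_option(requirements, properties):
    """Step 4 of the slide: match each requirement against the option's property.

    Returns the number of matches and the list of unmet requirements."""
    unmet = [name for name, wanted in requirements.items() if properties.get(name) != wanted]
    return len(requirements) - len(unmet), unmet


def rank_options(requirements, options, mandatory=()):
    """Score every option and sort them best first.

    `mandatory` (an assumption of this example, not on the slide) names requirements
    that must be met; an option missing one is excluded rather than merely scored lower."""
    ranked = []
    for name, properties in options.items():
        matches, unmet = score_option(requirements, properties)
        if any(req in unmet for req in mandatory):
            continue
        ranked.append({"option": name, "matches": matches, "unmet": unmet})
    # sort is stable, so options with equal scores keep their table order
    ranked.sort(key=lambda row: row["matches"], reverse=True)
    return ranked


def select_option(requirements, options, mandatory=()):
    """Step 5 of the slide: pick the option with the most matches.

    Returns (chosen, tied_with); a non-empty `tied_with` means other options share
    the top score and the table needs another parameter before the choice is made."""
    ranked = rank_options(requirements, options, mandatory)
    if not ranked:
        return None, []
    best = ranked[0]
    tied = [row["option"] for row in ranked[1:] if row["matches"] == best["matches"]]
    return best["option"], tied


if __name__ == "__main__":
    for row in rank_options(REQUIREMENTS, OPTIONS, mandatory=("Supports Cisco Routers",)):
        print(f"{row['option']:6} {row['matches']}/{len(REQUIREMENTS)}  unmet: {row['unmet']}")
    chosen, tied = select_option(REQUIREMENTS, OPTIONS)
    print("selected:", chosen, "tied with:", tied or "none")
```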
Assessing the Scope of the Network Design Process

    Scope of Design    Comments
    Entire network     All branch office LANs upgraded to support Fast Ethernet technology
    Campus             Redundant equipment and links
                       Addition of wireless client mobility
    WAN                Solutions to overcome bottlenecks

Example: Assessing the Scope of the Network Design Process

    Application—Designing voice transport
    Network—Designing routing, addressing
    Physical, data link—Choosing connection type

Structured Design Principles
    (Diagram slide; no text content.)

Cisco SONA Offerings
    (Diagram slide; no text content.)

Network Design Tools
    (Diagram slide; no text content.)

Planning an Implementation

    If a design is composed of multiple complex components:
        – Implement each component separately; do not implement everything at once.
    Incremental implementation:
        – Reduces troubleshooting in case of failure
        – Reduces time needed to revert to previous state in case of failure

Major Implementation Components

    Each step should contain the following information:
        Description
        Reference to design sections
        Detailed implementation guidelines
        Detailed roll-back guidelines in case of failure
        Estimated time for implementation

Example: Summary Implementation Plan

    Implementation   Date, Time   Description                                  Complete   Details
    Phase 3          04/02/2007   Install campus hardware                                 Section 6.2.3
      Step 1                      Connect switches                                        Section 6.2.3.1
      Step 2                      Install routers                                         Section 6.2.3.2
      Step 3                      Complete cabling                                        Section 6.2.3.3
      Step 4                      Verify data link layer                                  Section 6.2.3.4
    Phase 4          04/03/2007   Configure campus hardware                               Section 6.2.4
      Step 1                      Configure VLANs                                         Section 6.2.4.1
      Step 2                      Configure IP addressing                                 Section 6.2.4.2
      Step 3                      Configure routing                                       Section 6.2.4.3
      Step 4                      Verify connectivity                                     Section 6.2.4.4
    Phase 5          04/05/2007   Launch campus updates into production                   Section 6.2.5
      Step 1         …            Complete connections to existing network                Section 6.2.5.1
      Step 2                      Verify connectivity                                     Section 6.2.5.2

Example: Detailed Implementation Plan

    Section 6.2.7.3, "Configure routing protocols in the WAN network module":
        Number of routers involved is 50.
        Use template from section 4.3.1, "EIGRP details."
        Per router configuration:
            – Use passive-interface command on all nonbackbone LANs. (See section 4.2.3, "EIGRP details.")
            – Use summarization according to the design. (See section 4.2.3, "EIGRP details," and section 4.2.2, "Addressing details.")
        Estimated time is 10 minutes per router.
        Roll-back procedure is not required.

Pilot vs. Prototype Networks

    The pilot or prototype network is used as proof of concept for the design:
        – A pilot network tests and verifies the design before the network is launched.
        – A prototype network tests and verifies a redesign in an isolated network before it is applied to the existing network.
    Results:
        – Success
        – Failure

Example: Prototype Network
    (Diagram slide; no text content.)

Detailed Structure of a Design Document
    (Diagram slide; no text content.)

Summary

    Designing an enterprise network is a complex project. Top-down design facilitates the process by dividing it into smaller, more manageable steps.
    Decision tables facilitate the selection of the most appropriate option from many possibilities.
    In assessing the scope of a network design, determine whether the design is for a new network or is a modification of the entire network, a single segment or module, a set of LANs, a WAN, or a remote-access network.
    The output of the design should be a model of the complete system. To achieve this, the top-down approach is highly recommended.

Summary (Cont.)

    When the design is complete, you are ready to document the implementation and migration in as much detail as possible.
    After a design is complete, you should verify it. You can test the design in an existing or live network (pilot) or in a prototype network that will not affect the existing network.
    A design document lists the design requirements, documents the existing network, documents the network design, identifies the proof-of-concept strategy, and details an implementation plan.

Module Summary

    Cisco SONA is the enterprise framework for implementing intelligent networks and maps business requirements to network requirements.
    The design methodology under PPDIOO includes these tasks:
        – Identifying customer requirements
        – Characterizing the existing network and sites
        – Designing the network topology and solutions
    The result of network characterization is a summary report describing the health of the network.
    Top-down design facilitates network design.
Structuring and Modularizing the Network
Designing for Cisco Internetwork Solutions (DESGN) v2.0

Designing the Network Hierarchy
Structuring and Modularizing the Network

Layers in the Hierarchical Model
    (Diagram slide; no text content.)

Example: Hierarchical Network
    (Diagram slide; no text content.)

Access Layer

    Concentration point at which clients access the network
    Layer 2 switching in the access layer: Defines a single broadcast domain
    Multilayer switching in the campus access layer: Optimally satisfies the needs of a particular user through routing, filtering, authentication, security, or quality of service
    Multilayer switching in the WAN access layer: Helps control WAN costs using dial-on-demand routing (DDR) and static routing

Example: Access Layer Connectivity in the Campus LAN

    Workstations are attached to VLANs with Layer 2 switches.
    Recommended practice: Implement one VLAN (IP subnet) per access switch.
    Access switches connect over Layer 3 links (if there is only one VLAN per access switch) or via a VLAN trunk.
    If needed, distribution routers route between VLANs.

Distribution Layer

    Provides multilayer switching between access and core layers:
        Provides media transitions
        Aggregates bandwidth by concentrating multiple low-speed access links into a high-speed core link
        Determines department or workgroup access
        Provides redundant connections for access devices
    Implements policy-based decisions:
        Filtering by source or destination address
        Filtering on input or output ports
        Hiding internal network numbers by route filtering
        Static routing
        Security
        Quality of service mechanisms

Example: Distribution Layer in the Routed Campus Network
    (Diagram slide; no text content.)

Core Layer

    The function of the core layer is to provide fast and efficient data transport that:
        Forms a high-speed backbone with fast transport services
        Provides redundancy and fault tolerance
        Offers good manageability
    Note: The core layer should avoid packet manipulation for filtering or access list checking.

Example: Multilayer Switching in the Campus Core
    (Diagram slide; no text content.)

Example: Routing in the WAN Network
    (Diagram slide; no text content.)

Summary

    The hierarchical network model provides a modular view of a network, making it easier to design and build a network.
    The purpose of the access layer is to grant end-user access to network resources.
    The distribution layer provides aggregation for the access layer devices and uplinks to the core layer. It is also used to enforce policy within the network.
    The core layer provides a high-speed, highly available backbone designed to switch packets as fast as possible.

Using a Modular Approach in Network Design
Structuring and Modularizing the Network

Service-Oriented Network Architecture
    (Diagram slide; no text content.)

Example: Cisco Enterprise Campus Architecture
    (Diagram slide; no text content.)

Cisco Enterprise Architecture
    (Diagram slide; no text content.)

Example: Dividing the Network into Areas
    (Diagram slide; no text content.)

Enterprise Campus Infrastructure Module
    (Diagram slide; no text content.)

Building Access Layer
    (Diagram slide; no text content.)

Building Distribution Layer
    (Diagram slide; no text content.)

Campus Core Layer
    (Diagram slide; no text content.)

Server Farm Module
    (Diagram slide; no text content.)

Enterprise Edge Modules
    (Diagram slide; no text content.)

E-Commerce Module
    (Diagram slide; no text content.)

Internet Connectivity Module
    (Diagram slide; no text content.)

Remote Access and VPN Module
    (Diagram slide; no text content.)

WAN and MAN and Site-to-Site VPN Module
    (Diagram slide; no text content.)

Enterprise Edge Guidelines

    1. Determine the connectivity needed to the Internet.
    2. Create the e-commerce module if needed.
    3. Design the remote access and VPN module if needed.
    4. Design the WAN module to support connections to remote enterprise locations if needed.

Service Provider Modules
    (Diagram slide; no text content.)
    www.CareerCert.info Enterprise Remote Modules © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—2-18 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 125.
    www.CareerCert.info Enterprise Branch Module © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—2-19 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 126.
    www.CareerCert.info Enterprise Data Center Module © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—2-20 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 127.
    www.CareerCert.info Enterprise Teleworker Module © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—2-21 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 128.
    www.CareerCert.info Summary Based on SONA, the Cisco Enterprise Architecture provides a modular enterprise-wide hierarchical approach for providing network infrastructure and services to all places in the network. The enterprise campus infrastructure module includes the campus infrastructure module and the server farm module. The enterprise edge modules include the e-commerce module, the Internet connectivity module, the remote access and VPN module, and the WAN and MAN and site-to-site modules. The remote enterprise modules include the remote branches, data centers, and teleworkers. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—2-22 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 129.
    www.CareerCert.info © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—2-23 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 130.
Using Infrastructure Services
Structuring and Modularizing the Network

Explaining the Role of Infrastructure Services

Modularizing Internal Security

Reasons for Internal Security
The enterprise campus is protected by security functions in the enterprise edge, but edge security alone is not enough:
– If the enterprise edge security fails, the unprotected enterprise campus is vulnerable.
– A potential attacker can gain physical access to the enterprise campus.
– Some network solutions require indirect external access to the enterprise campus.
All vital elements in the enterprise campus must therefore be protected independently.

External Threats

Designing High Availability
Analyze the business and technical goals.
Identify critical applications, systems, internetworking devices, and links.
Document the trade-offs between redundancy and cost, and between simplicity and complexity.
Duplicate any component whose failure could disable critical applications.
Duplicate vital links and connect them to different devices.

Designing Route Redundancy
Design redundant routes to:
– Minimize the effect of link failures.
– Minimize the effect of an internetworking device failure.
Make the connection redundant:
– Parallel physical links between switches and routers
– Backup LAN and WAN links
Make the network redundant:
– Full mesh, which provides complete redundancy and good performance
– Partial mesh, which is cheaper and more scalable

Example: Campus Infrastructure Redundancy
The building access network is partially meshed with the building distribution switches, so a building access switch has a chance to recover from a link failure or a building distribution switch failure.

Example: Enterprise Edge Redundancy
The remote site establishes a backup connection via an IPsec tunnel across the Internet.

High Availability in the Server Farm Module
Single attachment (not recommended):
– Requires alternative mechanisms to dynamically find an alternative router
Dual attachment to increase availability and prevent session loss:
– Attachment through a redundant transceiver
– Attachment through a redundant NIC
– Fast EtherChannel and Gigabit EtherChannel port bundles

Example: Attachment Through a Redundant Transceiver
The transceiver activates the backup link on primary link failure. The transceiver cannot detect failures beyond the physical link.

Example: Attachment Through a Redundant NIC
The device driver presents two NICs as a single logical interface and uses one MAC address on both interfaces. The backup card is activated when the primary link is gone.

Voice Transport Overview
Two implementations:
– Voice over IP: Uses analog phones and transports voice packets over the IP network using voice-enabled routers.
– IP telephony: Implements voice in the network using Cisco Unified CallManager and IP phones.
Both implementations require properly designed networks. All modules of the enterprise network are involved in the voice network solution.

IP Telephony Components

Modular Approach in Voice Network Design

Example: Voice Network Solution

Evaluating the Existing Data Infrastructure for Voice Design
Document and evaluate the existing data infrastructure in each enterprise network module in terms of:
– New voice performance requirements
– Availability requirements
– Feature requirements
– Potential network capacity or impact

Wireless LAN Overview
A wireless LAN supports connecting mobile clients to the enterprise network and transports packets over radio waves. It has connectivity and privacy issues not found in wired networks (anyone in radio range can receive the frames), and it can have implications for all modules of the enterprise network.

Centralized WLAN Model Components

Application Networking Services Introduction
Traditional networks handled static web pages, e-mail, and routine client-server applications. Applications are evolving into complex and highly visible services, and application deployment issues are emerging:
– Consolidation of data centers can result in lower productivity for remote users.
– A web-based ordering system may suffer because of poor responsiveness.
– Business partners may need immediate and secure electronic access to back-office applications.
– A purchasing application may need to track large orders.

ANS Can Resolve Application Issues
Wide-area application services can compress, cache, and optimize content.
Optimization of web streams can reduce latency, suppress unnecessary reloading of web objects, and offload the web server.
Security and remote connectivity services can validate requests, route them appropriately, and encrypt and prioritize responses.
Application messaging services interpret purchase orders and log large orders according to business policy rules.

Example: ANS Components

Summary
Network infrastructure services add intelligence to the network infrastructure, supporting application awareness within the network.
Security is a network infrastructure service that increases the integrity of the network by protecting network resources and users from internal and external threats.
High-availability services protect the integrity of mission-critical information with networking platforms and topologies that offer a sufficient level of resiliency.

Summary (Cont.)
Voice infrastructure services throughout the enterprise are needed to support IP telephony.
Wireless services support mobile clients and integrate with the wired network.
Cisco ANS optimizes website performance, content delivery, and the security and connectivity of applications.
Identifying Network Management Protocols and Features
Structuring and Modularizing the Network

Network Management Overview

SNMP Overview
Manager:
– Polls agents on the network
– Correlates and displays information
SNMP:
– Supports message exchange
– Runs on IP
Agent:
– Collects and stores information
– Responds to manager requests for information
– Generates traps
MIB:
– Database of objects (information variables)
– Read and write community strings for controlling access (in SNMPv1 and SNMPv2c the community string is the only access check, and it is sent in cleartext)

SNMPv1 Message Types

SNMP Version 2
SNMPv2 introduced in RFC 1441
SNMPv2c defined in RFC 1901
SNMPv2 new features:
– GetBulkRequest
– InformRequest
– Data types with 64-bit values

SNMP Version 3
RFCs 3410 through 3415
Authentication and privacy
Authorization and access control
Usernames and key management
Remotely configurable via SNMP operations
Available since Cisco IOS Software Release 12.0

MIB Definition
Collection of managed objects
Each object has a unique identifier
Objects are grouped into a "tree"
Standard MIBs = RFC xxxx
Private MIBs

Example: Cisco Router MIB
Standard managed objects:
– Interfaces
– Buffers
– Memory
– Standard protocols
Private managed objects:
– Small, medium, large, and huge buffers
– Primary and secondary memory
– Proprietary protocols
Private extensions to MIB-II:
– 1.3.6.1.4.1.9, or
– iso.org.dod.internet.private.enterprises.cisco
Definitions available at http://www.cisco.com/public/mibs

Example: Variable Retrieval
Base format to retrieve the number of output errors on an interface (the object, without an instance):
  iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).interfaces(2).ifTable(2).ifEntry(1).ifOutErrors(20)
  = 1.3.6.1.2.1.2.2.1.20
Specific format to retrieve the number of output errors on the first interface (the object plus its instance; for ifTable rows the instance is the ifIndex, and ifIndex values start at 1):
  1.3.6.1.2.1.2.2.1.20.1
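An added example (Python, written for this page and not part of the course material) that turns the OID and community-string slides above into bytes. It BER-encodes the ifOutErrors.1 OID, assembles a complete SNMPv1 GetRequest for it by hand so the wire format is visible, and then reads the community string straight back out of the raw datagram, which is the practical reason community strings are not a real access control: in SNMPv1 and SNMPv2c they travel unencrypted, and anyone who can see the packet can replay them. That is the gap SNMPv3 closes with per-user authentication and privacy. The community string `public`, the request ID 42 and the datagram are constructed for illustration; nothing is sent on the network (a real query would go to UDP port 161).

```python
"""SNMPv1 GetRequest construction and community-string recovery (illustrative).

Added example, not Cisco code. BER is done by hand so the wire format is
visible; no packet is sent. Community "public" and request ID 42 are arbitrary.
"""


def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in two's-complement form."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return ber_tlv(0x02, body)


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER contents: the first two arcs fold into one octet
    (X*40+Y); every later arc is base-128, high bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {dotted}")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(contents: bytes) -> str:
    """Inverse of encode_oid, for checking what went on the wire."""
    first = contents[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for octet in contents[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_snmpv1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, VarBindList } }"""
    varbind = ber_tlv(0x30, ber_tlv(0x06, encode_oid(oid)) + ber_tlv(0x05, b""))
    pdu = ber_tlv(0xA0, ber_integer(request_id) + ber_integer(0)
                  + ber_integer(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_integer(0) + ber_tlv(0x04, community.encode()) + pdu)


def _read_tl(buf: bytes, pos: int):
    """Read one tag and length, handling long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def recover_community(datagram: bytes):
    """What a passive sniffer sees in any SNMPv1/v2c datagram: the version
    number and the community string, neither of them protected."""
    tag, _, pos = _read_tl(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, length, pos = _read_tl(datagram, pos)          # version INTEGER
    version = int.from_bytes(datagram[pos:pos + length], "big", signed=True)
    pos += length
    tag, length, pos = _read_tl(datagram, pos)          # community OCTET STRING
    if tag != 0x04:
        raise ValueError("community string not where SNMPv1/v2c puts it")
    return version, datagram[pos:pos + length].decode("ascii", "replace")


IF_OUT_ERRORS_IF1 = "1.3.6.1.2.1.2.2.1.20.1"   # ifOutErrors, instance ifIndex 1

if __name__ == "__main__":
    pkt = build_snmpv1_get("public", IF_OUT_ERRORS_IF1, request_id=42)
    print(pkt.hex())
    print(recover_community(pkt))
```

The 42-byte datagram that comes out contains `public` as plain ASCII immediately after the version field, which is why a read-write community on a router is equivalent to an unencrypted administrative password. The same walk over the first three TLVs is all that tools like packet sniffers need to harvest community strings from a management VLAN.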
RMON1
Supports proactive monitoring of LAN traffic:
– Network fault diagnosis
– Planning
– Performance tuning
Works on MAC layer data:
– Monitors only the aggregate LAN traffic for remote LAN segments
– Traffic statistics and analysis
Implemented on agents:
– Routers, switches, hubs, servers, hosts, and dedicated probes

RMON1 Groups (RFC 1513 and RFC 2819)

RMON2 (RFC 2021)

NetFlow Infrastructure

NetFlow vs. RMON Information Gathering
NetFlow can be configured on individual interfaces.
NetFlow gathers more detailed information:
– Source and destination interface numbers
– Source and destination IP addresses
– TCP/UDP source and destination ports
– Number of bytes and packets in the flow
– Source and destination autonomous system (AS) numbers
– IP type of service
NetFlow provides greater scalability, customized data collection, and a lower performance impact.

Applications Using NetFlow
Accounting and billing
Network planning and analysis
Network and security monitoring
Application monitoring and profiling
User monitoring and profiling
NetFlow data warehousing and mining
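An added example (Python, written for this page, not Cisco code) that makes the two NetFlow slides above concrete. A NetFlow version 5 record carries exactly the fields the comparison slide lists (interface numbers, addresses, ports, packet and byte counts, AS numbers, type of service), so the block packs a constructed v5 export datagram the way an exporting router would, parses it back using the published 24-byte header and 48-byte record layout, and then runs the kind of check the "Network and security monitoring" application implies: a source that opens many short TCP flows to distinct ports on one host looks like a port scan rather than a client session. The addresses, counters and the scan threshold are constructed for illustration; a collector would receive such a datagram over UDP. Two limits of v5 worth remembering: it is IPv4-only, and one datagram carries at most 30 records.

```python
"""NetFlow v5 export: build a constructed datagram, parse it, flag port scans.

Added illustration, not Cisco code. Addresses, counters and the scan
threshold are made up. v5 records are IPv4-only; at most 30 fit in a datagram.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Header: version, count, sysUptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval              (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2                               (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "octets",
                 "first", "last", "sport", "dport", "_pad1", "tcp_flags", "proto",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "_pad2")


def build_v5_export(flows, sequence=0):
    """Pack flow dicts into one v5 datagram as an exporting router would."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 datagrams carry at most 30 records")
    header = V5_HEADER.pack(5, len(flows), 90_000, 1_180_000_000, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\0\0\0\0",
            f.get("in_if", 1), f.get("out_if", 2), f["packets"], f["octets"],
            80_000, 80_000 + 10 * f["packets"], f["sport"], f["dport"], 0,
            f.get("tcp_flags", 0), f["proto"], 0, f.get("src_as", 0),
            f.get("dst_as", 0), 24, 24, 0)
        for f in flows)
    return header + body


def parse_v5_export(datagram):
    """Return a list of flow dicts; refuses non-v5 and truncated datagrams."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flow = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            flow[key] = str(IPv4Address(flow[key]))
        flows.append(flow)
    return flows


def find_port_scanners(flows, min_ports=10, max_packets=3):
    """Sources with short TCP flows to many distinct ports on one destination."""
    probes = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= max_packets:
            probes[(f["src"], f["dst"])].add(f["dport"])
    return {src for (src, _dst), ports in probes.items() if len(ports) >= min_ports}


# Constructed sample: one host sweeping TCP ports 21-32 with single SYNs,
# plus three ordinary flows (an HTTPS session, a DNS query, an SSH session).
SAMPLE_FLOWS = [
    {"src": "10.1.1.50", "dst": "10.2.2.10", "sport": 40000 + p, "dport": p,
     "proto": 6, "packets": 1, "octets": 60, "tcp_flags": 0x02}
    for p in range(21, 33)
] + [
    {"src": "10.1.1.7", "dst": "10.2.2.10", "sport": 51234, "dport": 443,
     "proto": 6, "packets": 120, "octets": 98_000, "tcp_flags": 0x1B},
    {"src": "10.1.1.7", "dst": "10.2.2.53", "sport": 53001, "dport": 53,
     "proto": 17, "packets": 1, "octets": 78},
    {"src": "10.1.1.8", "dst": "10.2.2.10", "sport": 51235, "dport": 22,
     "proto": 6, "packets": 35, "octets": 6_000, "tcp_flags": 0x1B},
]

if __name__ == "__main__":
    parsed = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    print(len(parsed), "flows; suspected scanners:", find_port_scanners(parsed))
```

The length check before unpacking matters on a real collector: the header's record count comes from the network, and trusting it without comparing it to the datagram length is how a parser reads past its buffer. The heuristic is deliberately simple; production detection would also key on TCP flags (SYN-only flows) and on time windows, both of which the v5 record already supplies.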
Cisco Discovery Protocol
[Figure: CDP is a Cisco proprietary data link protocol that sits between the upper-layer protocols (TCP/IP, Novell IPX, AppleTalk, others) and any media that support SNAP (LANs, Frame Relay, ATM, others).]
Provides a summary of directly connected switches, routers, and other Cisco devices
Discovers neighbor devices regardless of which protocol suite they are running
Requires that the physical media support SNAP encapsulation
Because CDP is unauthenticated and advertises the device's platform, software version, and addresses to anything on the link, it is normally left enabled only on infrastructure links and disabled on ports that face untrusted hosts.

Discovering Neighbors with Cisco Discovery Protocol

Syslog Features
Devices produce syslog messages. Each syslog message carries a facility and a severity level.
Common syslog facilities:
– IP
– OSPF protocol
– SYS operating system
– IP Security (IPsec)
– Route Switch Processor (RSP)
– Interface (IF)
Syslog levels:
– Emergency (level 0, the most severe)
– Alert (level 1)
– Critical (level 2)
– Error (level 3)
– Warning (level 4)
– Notice (level 5)
– Informational (level 6)
– Debugging (level 7)

Example: Syslog Messages

Syslog Architecture
Centralized syslog daemon
Remote syslog daemons:
– Support for syslog filters
– Low bandwidth utilization
  • 176.
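As an added example (not from the course), the Python below parses Cisco IOS syslog lines of the form %FACILITY-SEVERITY-MNEMONIC: text into facility, level and mnemonic, applies the severity and facility filter a remote syslog daemon would use to reduce what it forwards, and separately flags the messages a security operator wants to see whatever their level. The log lines are constructed samples in IOS format, not captured from a device; the watch list of facility/mnemonic pairs is an illustrative choice, not a Cisco-defined list.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Cisco IOS severity numbers (the same 0-7 scale as RFC 5424), most severe first
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debugging"]

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text (a sequence number or time stamp may precede the %)
_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Constructed sample lines in IOS syslog format (not captured from a real device)
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
*Mar  1 00:12:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
*Mar  1 00:13:02.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.77] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 00:13:05.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/7 with BPDU Guard enabled. Disabling port.
*Mar  1 00:13:10.000: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet1/1/1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Mar  1 00:13:11.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to down
"""

# Facility/mnemonic pairs worth forwarding whatever their level (illustrative list, not a Cisco-defined one)
WATCHLIST = {
    ("SYS", "CONFIG_I"): "configuration changed",
    ("SEC_LOGIN", "LOGIN_FAILED"): "authentication failure",
    ("SPANTREE", "BLOCK_BPDUGUARD"): "BPDU on a PortFast port (possible rogue switch)",
}


def parse_ios_syslog(line: str) -> Optional[Dict]:
    """Split one IOS syslog line into facility, level, mnemonic and text; None if it is not an IOS message."""
    m = _MSG.search(line)
    if not m:
        return None
    level = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": level, "severity_name": SEVERITY_NAMES[level],
            "mnemonic": m.group("mnemonic"), "text": m.group("text"), "prefix": line[:m.start()].strip()}


def parse_log(text: str) -> List[Dict]:
    return [msg for msg in map(parse_ios_syslog, text.splitlines()) if msg]


def syslog_filter(messages: List[Dict], max_level: int = 7,
                  facilities: Optional[Set[str]] = None) -> List[Dict]:
    """Keep messages at level max_level or more severe (lower number = more severe), optionally only
    from the given facilities: the kind of filter a remote daemon applies before forwarding."""
    return [m for m in messages
            if m["severity"] <= max_level and (facilities is None or m["facility"] in facilities)]


def security_triage(messages: List[Dict]) -> List[Tuple[str, Dict]]:
    """Tag watch-listed messages, independent of the level filter (a level-5 config change still matters)."""
    return [(WATCHLIST[(m["facility"], m["mnemonic"])], m)
            for m in messages if (m["facility"], m["mnemonic"]) in WATCHLIST]


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print("forwarded at warning and above:", [m["mnemonic"] for m in syslog_filter(msgs, max_level=4)])
    for reason, m in security_triage(msgs):
        print("%-45s %s-%d-%s: %s" % (reason, m["facility"], m["severity"], m["mnemonic"], m["text"]))
```

The point of running the triage separately from the level filter is visible in the sample: a level-only filter at warning (4) drops the %SYS-5-CONFIG_I configuration change, which is the message an incident responder most wants to keep.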
Summary (DESGN v2.0 2-22)
  Network management is supported with various devices and servers that use network management protocols and standards.
  SNMP is a simple network management protocol that is the foundation of a network management architecture.
  A MIB stores local management agent information on a managed device.
  RMON is a MIB that supports proactive management of remote networks.
  NetFlow collects network flow data to support network accounting, usage-based billing, planning, performance monitoring, and QoS applications.
  Cisco Discovery Protocol is a Cisco proprietary protocol that enables you to discover Cisco devices on the network.
  Syslog reports system state information based on preset facilities and severity levels.

Module Summary (DESGN v2.0 2-1)
  The hierarchical network structure is composed of the access, distribution, and core layers.
  Based on Cisco SONA, the Cisco Enterprise Architecture provides a modular hierarchical approach for providing network infrastructure and services to all places in the network.
  Network infrastructure services add intelligence to the network infrastructure, supporting application awareness within the network.
  Network management protocols support the exchange of management information between the network management system and managed devices.
Designing Basic Campus and Data Center Networks (DESGN v2.0 3-1)
  Designing for Cisco Internetwork Solutions (DESGN) v2.0

Describing Campus Design Considerations (DESGN v2.0 3-1)
  Designing Basic Enterprise Campus Networks

Designing an Enterprise Campus (DESGN v2.0 3-2)
  Campus design factors:
    – Network application characteristics
    – Device characteristics
    – Environmental characteristics

Overview of Network Application Types (DESGN v2.0 3-3)
  Peer-to-peer
  Client-local server
  Client-server farm
  Client-enterprise edge server

Network Requirements of Applications (DESGN v2.0 3-4)
  Connectivity type
  Total required throughput
  High availability
  Total network costs
Example: Peer-to-Peer Applications (DESGN v2.0 3-5)
  Instant messaging
  File sharing
  IP phone calls
  Video conference systems

Example: Client-Local Server Applications (DESGN v2.0 3-6)
  Servers are located close to clients.
  Servers and clients are in the same LAN.
  Requests to servers from nonlocal LANs are rare.

Example: Client-Server Farm Applications (DESGN v2.0 3-7)
  Typical applications:
    – Mail servers
    – File servers
    – Database servers
  Access to applications:
    – Fast
    – Reliable
    – Controlled (security)

Example: Client-Enterprise Edge Applications (DESGN v2.0 3-8)
  Typical applications:
    – Internet applications: mail servers, web servers, public Internet servers
    – E-commerce applications

Relative Network Requirements by Application Type (DESGN v2.0 3-9)
  Requirement                Peer-to-Peer     Client-Local Servers   Client-Server Farm   Client-Enterprise Edge Servers
  Connectivity type          Switched         Switched               Switched             Switched
  Total required throughput  Medium to high   Medium                 High                 Medium
  High availability          Low to high      Medium                 High                 High
  Total network costs        Low to medium    Medium                 High                 Medium
Environmental Characteristics for Network Design (DESGN v2.0 3-10)
  The network devices and the distances between them determine the network geography.
  The campus network design is scoped with respect to geography:
    – Intrabuilding
    – Interbuilding
    – Distant remote buildings

Intrabuilding Structure (DESGN v2.0 3-11)
  Provides connectivity inside the building
  Built with the building access and building distribution layers
  Transmission options:
    – Copper
    – Optical fiber
    – Wireless

Interbuilding Structure (DESGN v2.0 3-12)
  Connectivity between buildings
  Distances between buildings within a few kilometers
  Building distribution with campus core layer
  Typical transmission media: optical fiber

Distant Remote Building Structure (DESGN v2.0 3-13)
  Metropolitan-based network connectivity options:
    – Using company-owned fiber
    – Through the enterprise WAN
    – Through service provider WAN offerings

Campus Transmission Media (DESGN v2.0 3-14)
  Physical media in network design influences:
    – Network bandwidth
    – Allowable distance between devices
  Copper design considerations:
    – Electromagnetic interference, grounding, security
    – Signal attenuation, distance limitations
  Optical fiber design considerations:
    – Light signal (LED or laser)
    – Expensive, providing a long-term investment
  Wireless design considerations:
    – Distance, interference, bandwidth, security
  On the two security items: copper can be tapped at any patch panel or closet it passes through, and a wireless signal is receivable outside the building, so copper depends on physical access control and wireless on link-layer authentication and encryption; fiber does not radiate and is harder to tap unnoticed.

Comparison of Campus Transmission Media (DESGN v2.0 3-15)
  Parameter   Copper Twisted Pair   Multimode Fiber                     Single-Mode Fiber                   Wireless
  Bandwidth   Up to 10 Gbps         Up to 10 Gbps                       Up to 10 Gbps or higher             Up to 54 Mbps*
  Distance    Up to 100 m           Up to 2 km (Fast Ethernet)          Up to 80 km (Fast Ethernet)         Up to 500 m at 1 Mbps
                                    Up to 550 m (Gigabit Ethernet)      Up to 100 km (Gigabit Ethernet)
                                    Up to 300 m (10 Gigabit Ethernet)   Up to 80 km (10 Gigabit Ethernet)
  Price       Inexpensive           Moderate                            Moderate to expensive               Moderate
  * Wireless is half-duplex, so effective bandwidth will be no more than one half this rate.

Example: Transmission Media (DESGN v2.0 3-16)
  [Figure only.]
Infrastructure Device Characteristics (DESGN v2.0 3-17)
  Switches connect end devices as well as infrastructure devices:
    – The access layer typically uses data link layer switches.
    – The distribution and core layers typically use multilayer switches.
  The switch type and switching layer decision is influenced by:
    – Infrastructure services requirements (QoS, including policing, and so on)
    – Size of the network segments
    – Expected network failure convergence times
    – Cost

Example Network Service: QoS in LAN Switches (DESGN v2.0 3-18)
  Enterprise QoS guarantees that critical applications receive the required bandwidth or services.
  [Figure only.]

Summary (DESGN v2.0 3-19)
  Campus network design is influenced by several factors: first, application characteristics, such as throughput and availability requirements; second, environmental characteristics, such as the location of devices and buildings and the transmission media; third, infrastructure device characteristics, such as switching type and support for network services.

Designing the Campus Infrastructure Module (DESGN v2.0 3-1)
  Designing Basic Enterprise Campus Networks

Relative Considerations for the Campus Design (DESGN v2.0 3-2)
  Campus Infrastructure   Building Access                         Building Distribution   Campus Core           Server Farm
  Technology              Data link layer / multilayer switched   Multilayer switched     Multilayer switched   Multilayer switched
  Scalability             High                                    Medium                  Low                   Medium
  High availability       Medium                                  Medium                  High                  High
  Performance             Medium                                  Medium                  High                  High
  Cost per port           Low                                     Medium                  High                  High

Building Access Layer Design Considerations (DESGN v2.0 3-3)
  Number of users or ports
  Cabling
  Performance
  Redundancy
  Connectivity speed for hosts and uplinks
  VLAN deployment
  Additional features such as QoS and IP multicast
Overview of Recommended Practices for the Building Access Layer (DESGN v2.0 3-4)
  Manage VLANs and STP:
    – Limit VLANs to a single closet whenever possible.
    – If STP is required, use RPVST+.
    – Set trunks to desirable on both ends, with encapsulation negotiate.
    – Manually prune unused VLANs.
    – Use VTP transparent mode.
  Manage trunks between switches.
  Manage default PAgP settings between the Catalyst operating system and Cisco IOS Software.
  Consider implementing routing in the access layer.

STP Considerations (DESGN v2.0 3-5)
  Use only when you have to!
    – Required when a VLAN spans access layer switches
    – Required to protect against "user side" loops
    – More common in the data center
  Use RPVST+ for best convergence.
  Take advantage of the Spanning Tree Toolkit.

Cisco STP Toolkit (DESGN v2.0 3-6)
  PortFast: bypasses the listening and learning phases for an access port*
  UplinkFast: three to five seconds convergence after link failure
  BackboneFast: cuts convergence time by max_age for an indirect failure
  LoopGuard: prevents an alternate or root port from becoming designated in the absence of BPDUs*
  RootGuard: prevents external switches from becoming root*
  BPDUGuard: disables a PortFast-enabled port if a BPDU is received*
  * Also supported with RPVST+
  RootGuard and BPDUGuard are the two toolkit features with a direct security role: without them, a device plugged into an access port can send superior BPDUs, take over the root role and pull the VLAN's traffic through itself.

Trunk Considerations (DESGN v2.0 3-7)
  Set trunk mode to desirable on both ends, with encapsulation negotiate.
  Manually prune all VLANs except those needed.
  Use VTP transparent mode to decrease the potential for operational error.
  Disable trunks on host ports:
    – Catalyst Operating System: set port host
    – Cisco IOS Software: switchport host
  A host port left in a DTP negotiating mode lets an attached device negotiate itself onto a trunk and reach every VLAN the trunk allows, which is why host ports are forced to access mode and trunks are pruned to the VLANs they need.
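The practices on the three preceding slides (RPVST+, VTP transparent mode, manual pruning, PortFast and BPDU Guard on host ports) are easy to state and easy to drift away from, so the following Python audit, added here and not part of the course, checks an IOS running-config for them. The configuration text is a constructed sample; the command strings the audit looks for are standard Cisco IOS syntax, and the BPDU Guard check accepts the global `spanning-tree portfast bpduguard default` as well as the per-port form.

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpt from an access switch (sample data, not captured from a real device)
SAMPLE_CONFIG = """\
spanning-tree mode pvst
vtp mode server
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/1/1
 description uplink to distribution, unpruned
 switchport trunk encapsulation negotiate
 switchport mode dynamic desirable
!
interface GigabitEthernet1/1/2
 description uplink to distribution
 switchport trunk encapsulation negotiate
 switchport trunk allowed vlan 10,20
 switchport mode dynamic desirable
!
"""


def split_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate global commands from per-interface blocks of an IOS running-config."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, blocks


def audit_access_switch(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for departures from the access layer practices on the slides."""
    findings: List[Tuple[str, str]] = []
    global_lines, blocks = split_config(text)
    if "spanning-tree mode rapid-pvst" not in global_lines:
        findings.append(("global", "STP mode is not rapid-pvst; RPVST+ is the recommended mode"))
    if "vtp mode transparent" not in global_lines:
        findings.append(("global", "VTP is not in transparent mode"))
    # BPDU Guard may be enabled for all PortFast ports globally instead of per port
    bpduguard_global = "spanning-tree portfast bpduguard default" in global_lines
    for name, lines in blocks.items():
        is_access = "switchport mode access" in lines
        is_trunk = any(l.startswith("switchport mode dynamic") or l == "switchport mode trunk" for l in lines)
        if is_access:
            # 'switchport host' is a macro; it expands to access mode plus PortFast in the running config
            if "spanning-tree portfast" not in lines:
                findings.append((name, "host port without PortFast (apply switchport host)"))
            if not bpduguard_global and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "host port without BPDU Guard"))
        if is_trunk and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append((name, "trunk allows all VLANs; prune manually to those needed"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_access_switch(SAMPLE_CONFIG):
        print("%-22s %s" % (scope, finding))
```

On the sample the audit reports two global findings, two on GigabitEthernet1/0/1 (no PortFast, no BPDU Guard) and one on the unpruned uplink, and nothing on the two ports that follow the slides. Run it over `show running-config` output collected from each access switch to find the closets that drifted.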
Layer 3 Access-to-Distribution Interconnection (DESGN v2.0 3-8)
  Best option for fast convergence
  Equal-cost Layer 3 load balancing on all links
  No spanning tree required for convergence
  No HSRP or GLBP configuration required
  No VLAN spanning possible

Building Distribution Layer Design Considerations (DESGN v2.0 3-9)
  Performance
  Redundancy
  Support for network infrastructure services

Overview of Recommended Practices for the Building Distribution Layer (DESGN v2.0 3-10)
  Use first-hop redundancy protocols (HSRP and GLBP).
  Deploy Layer 3 routing protocols from distribution switches to core switches.
  If required, connect distribution switches to support a Layer 2 VLAN spanning multiple access switches.

Recommended Practices: First-Hop Redundancy (DESGN v2.0 3-11)
  Provides a resilient default gateway or first-hop address to end stations with HSRP, VRRP, or GLBP
  HSRP, VRRP, and GLBP provide millisecond timers and excellent convergence performance
  HSRP is common in Cisco environments
  VRRP if you need multivendor interoperability
  GLBP facilitates uplink load balancing
  Whichever protocol is chosen, enable its authentication (HSRP and GLBP support MD5 key chains on Cisco IOS Software): a first-hop protocol without authentication lets any host on the VLAN advertise a higher priority, become the active gateway and sit in the path of all off-subnet traffic.

Recommended Practices: Use Layer 3 Routing Protocols (DESGN v2.0 3-12)
  Build triangles, not squares, for deterministic convergence.
  Only peer on links that you intend to use as transit.
  Summarize routes from distribution to core.

Example: Build Redundant Triangles (DESGN v2.0 3-13)
  Layer 3 redundant equal-cost links support fast convergence.
  Hardware based: recovery to the remaining path is fast.
  Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path).

Layer 3 Distribution Interconnection (DESGN v2.0 3-14)
  Recommended practice, tried and true
  No STP convergence required for uplink failure and recovery
  Distribution-to-distribution link required for route summarization
  Map the Layer 2 VLAN number to the Layer 3 subnet for ease of use and management

Alternate: Layer 2 Distribution Interconnection (DESGN v2.0 3-15)
  Use only if Layer 2 VLAN spanning flexibility is required
  STP convergence required for uplink failure and recovery
  More complex because the STP root and the HSRP active router should match
  Distribution-to-distribution link required for route summarization

Campus Core Design Considerations (DESGN v2.0 3-16)
  Determine whether a core is needed.
  Determine the performance and capacity needed.
  Determine redundancy.
  Determine whether enterprise edge and WAN connectivity is to the core or to the data center.

Example: Large Campus Multilayer Switched Backbone Design (DESGN v2.0 3-17)
  Reduced multilayer switch peering
  Topology with no spanning-tree loops
  Scalability to arbitrarily large size
  Improved network services support
  Two equal-cost paths to every destination network
  Fast recovery from link failure

Small and Medium Campus Design Options (DESGN v2.0 3-18)
  [Figure only.]
    www.CareerCert.info Edge Distribution Design Edge distribution switches have to protect the campus core from: Unauthorized access IP spoofing Network reconnaissance Packet sniffers © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—3-19 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 220.
    www.CareerCert.info Server Placement in a Medium-Sized Network © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—3-20 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 221.
Server Placement in a Large Network

© 2007 Cisco Systems, Inc. All rights reserved. The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

Server Farm Design Guidelines
Key design considerations:
– Access control
– Traffic demands
– Oversubscription
Server connectivity options:
– Single NIC
– Dual-NIC redundancy
– Content switching (server load balancing)

Summary
Design an enterprise campus network using recommended practices:
– Use low price per port and high port density on data link layer switches in the building access layer.
– Use redundant multilayer switching in the building distribution layer for high availability and performance.
– Use high-performance, wire-rate multilayer switching in the campus core.
– Group centralized servers into a server farm module for moderate enterprise server requirements.
Describing Enterprise Data Center Considerations
Designing Basic Enterprise Campus Networks

Server-Centric to Service-Centric

Cisco Data Center Network Architecture Framework

Example: Data Center Network Topology

Data Center Infrastructure Overview

Defining the Data Center Access Layer
– Can support Layer 2 or Layer 3 access
– Provides port density to the server farm
– Supports dual- and single-attached servers
– Provides high-performance, low-latency Layer 2 switching
– Mix of oversubscription requirements
– Many uplink options

Density and Scalability Implications
Where are the issues?
– Cabling
– Power
– Cooling

Defining the Data Center Aggregation Layer
• Aggregates traffic to the data center core
• Aggregates advanced application and security functions
• Maintains connection and session state for redundancy
• Layer 4–7 services: firewall, server load balancing, SSL, IDS
• Large STP processing load
• High flexibility and economies of scale

Defining the Data Center Core Layer
Drivers for a data center core:
– 10-Gigabit Ethernet port density
– Administrative domains
– Anticipate future requirements
Key core characteristics:
– Distributed forwarding architecture
– Low-latency switching
– 10-Gigabit Ethernet scalability
– Scalable IP multicast support

Summary
• Enterprise data centers support a rich set of applications and servers.
• The SONA-based Cisco Enterprise Data Center Architecture provides a modular, hierarchical approach to align data center resources with business applications.

Enterprise Campus and Data Center Design Review
Analyze organizational requirements:
– Type of applications, traffic volume, and traffic pattern
– Redundancy and backup needed
Characterize the existing network and sites:
– Technology used and location of hosts, servers, terminals, and other end nodes
Develop enterprise campus and enterprise data center network designs:
– Based on requirements, implement two or three hierarchical layers.
– Select hardware and software components to support requirements.

Module Summary
• Campus network design is influenced by application, environmental, and infrastructure device characteristics.
• An enterprise campus network is constructed hierarchically with building access, building distribution, and campus core layers.
• An enterprise data center network is constructed hierarchically with data center access, data center aggregation, and data center core layers.
Designing Remote Connectivity
Designing for Cisco Internetwork Solutions (DESGN) v2.0

Identifying WAN Technology Considerations
Designing Remote Connectivity

Role of a WAN

Types of WAN Interconnections

WAN Transport Technology Comparison

Technology      Bandwidth  Latency and Jitter  Connect Time  Initial Cost  Tariff  Reliability
TDM             M          L                   L             M             M       M
ISDN            L          M/H                 M             M             L       M
Frame Relay     L          L                   L             M             M       M
ATM             M/H        L                   L             M             M       H
MPLS            M/H        L                   L             M             M       H
Metro Ethernet  M/H        L                   L             M             M       H
DSL             L/M*       M/H                 L             L             L       M
Cable modem     L/M*       M/H                 L             L             M       L
Wireless        L/M        M/H                 L             L             M       L
SONET/SDH       H          L                   L             M             H       H
DWDM            H          L                   L             M             H       H
Dark fiber      H          L                   L             M             H       H

* Unbalanced Tx and Rx. L = low, M = medium, H = high.

Example: ADSL Implementation

Example: Data and Voice over Cable

Example: Three Uses of Wireless

Example: SONET/SDH
– Guaranteed bandwidth
– High line rates (from 155 Mbps to 10 Gbps)
– Automatic recovery capabilities
– IP encapsulations: ATM or Packet over SONET/SDH (POS)

Example: DWDM
– Improved signaling mechanisms to optimize bandwidth usage
– Used inside the SONET/SDH ring

Example: Dark Fiber
– Edge devices directly connected to regenerators or DWDM concentrators
– Edge devices able to use any Layer 2 encapsulation

WAN Transport Technology Pricing Considerations
– Pricing used to include an access circuit and a distance-sensitive rate.
– Access circuit provisioning generally takes 60 days or more of lead time.
  – Metro Ethernet availability is spotty, and lead times are long.
– For Frame Relay and ATM, pricing includes an access circuit charge, per-PVC charges, and possibly per-bandwidth (CIR or MIR) charges.
– MPLS VPN pricing is generally comparable with Frame Relay and ATM.

WAN Transport Technology Contract Considerations
– Tariffed commercial services are offered at published rates and are subject to restrictions.
– Time to contract can be one month for standard tariff rates, longer if you negotiate SLAs.
– Contract periods are usually one to five years for most WAN services.
– For dark fiber, contract periods are generally 20 years.
Methodology Used in Enterprise Edge Design
Planning and designing the enterprise edge is based on the PPDIOO methodology:
– Analyze network requirements, including type of applications, traffic volume, and traffic patterns.
– Characterize the existing network for technology used and location of hosts, servers, terminals, and other end nodes.
– Design the topology based on availability of technology, the projected traffic pattern, and technology performance constraints and reliability.

Identifying Application Requirements

Requirement                                   Data File Transfer  Interactive Data Application  Real-Time Voice                              Real-Time Video
Response time                                 Reasonable delay    Within a second               Round trip less than 250 ms with low jitter  Minimum delay and jitter
Throughput / packet loss tolerance            High / medium       Low / low                     Low / low                                    High / medium
Downtime (high reliability has low downtime)  Reasonable          Low                           Low                                          Minimum

Zero downtime for mission-critical applications.

Determining the Maximum Offered Traffic
– WAN resources have finite capacity.
– End users require minimum response times.
– Network managers require maximum link utilization.

Determining Physical Media Bandwidth
– Copper, up to 1.5/2 Mbps: serial or async serial, ISDN, TDM, X.25, Frame Relay, ADSL
– Copper, 1.5/2 Mbps to 45/34 Mbps: ADSL (8 Mbps downstream), TDM (T3 or E3)
– Fiber, 1.5/2 Mbps to 45/34 Mbps: Ethernet, ATM over SONET/SDH, POS
– Fiber, 45/34 Mbps to 100 Mbps: Fast Ethernet, ATM over SONET/SDH, POS
– Fiber, 100 Mbps to 10 Gbps: Gigabit Ethernet, 10-Gigabit Ethernet, ATM over SONET/SDH, POS
– Coaxial (cable): shared bandwidth, 27 Mbps downstream, 2.5 Mbps upstream
– 2.4/5 GHz wireless WAN: varies with distance and RF quality

Evaluating Cost-Effectiveness of Design and Implementation
Investment and running costs:
– Private: The owner must buy, configure, and maintain the physical layer connectivity and the terminal equipment that connects each location.
– Leased: Fixed bandwidth is leased from a carrier, with private or leased terminal equipment.
– Shared: Physical resources in the carrier backbone are shared with many users.

Bandwidth Usage in a WAN
Optimize bandwidth usage on WAN links to improve network efficiency using:
– Data compression: Reduces the size of a frame of data to transmit over a network link
– Bandwidth combination: Logically aggregates physical links
– Window size: Adjusts link reliability versus throughput
– Queuing: Avoids congestion for some traffic by giving it priority over other traffic
– Traffic shaping and policing: Avoids congestion by shaping and policing inbound and outbound flows

Queuing to Improve Link Utilization
Queuing allows network administrators to manage the varying demands of applications on networks and routers.
Key types of queuing:
– Priority queuing
– Custom queuing
– Weighted fair queuing
– Class-based weighted fair queuing
– Low latency queuing

Traffic Shaping and Policing
• Shaping is usually applied on egress ports; it buffers excess traffic and uses a token bucket mechanism to release packets at the configured rate.
• Policers typically "tag" (re-mark) or "drop" out-of-profile traffic, depending on the mechanism, protocol, and severity of the excess.
• Policing, historically used in ATM, is applied on ingress ports and uses a "leaky bucket" mechanism.
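The difference between shaping and policing is easiest to see by running the same token bucket both ways over one burst. The following Python simulation is an added example and is not part of the course material: the committed rate (CIR), bucket depth (Bc), shaper queue depth and the arrival trace are assumptions chosen for the illustration, and the policer's exceed action is modelled as drop only (re-marking is mentioned in a comment but not simulated).

```python
"""Token-bucket policer vs. shaper over a constructed burst of packets.

Both use the same committed rate (CIR) and burst size (Bc). The difference is
what happens to out-of-profile traffic: the policer drops it (a real policer
could re-mark it instead), the shaper holds it and releases it on schedule.
"""
from collections import deque

# Assumed parameters for the illustration (constructed, not from the course).
CIR_BPS = 8000        # committed rate in bytes per second (64 kbps)
BC_BYTES = 2000       # token bucket depth: how much may pass at line rate
QUEUE_LIMIT = 2000    # shaper queue depth in bytes before it too must drop

# Constructed arrival trace: (arrival_time_s, size_bytes). A 5000-byte burst at
# t=0, then two packets a second later once the bucket has refilled.
BURST_TRACE = [(0.0, 500)] * 10 + [(1.0, 500), (1.01, 500)]


class TokenBucket:
    """Tokens (bytes) refill continuously at `rate` up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def seconds_until(self, now, size):
        """Delay until `size` tokens are available; 0.0 if they already are."""
        self.refill(now)
        if self.tokens >= size:
            return 0.0
        return (size - self.tokens) / self.rate

    def take(self, now, size):
        """Consume `size` tokens if available at `now`; True on success."""
        self.refill(now)
        if self.tokens + 1e-9 >= size:          # tolerance for float refill math
            self.tokens = max(0.0, self.tokens - size)
            return True
        return False


def police(trace, rate=CIR_BPS, burst=BC_BYTES):
    """Single-rate policer: conforming packets pass untouched, excess is dropped.

    Returns a list of (arrival, size, action) with action 'conform' or 'drop'.
    """
    bucket = TokenBucket(rate, burst)
    return [(t, size, "conform" if bucket.take(t, size) else "drop")
            for t, size in trace]


def shape(trace, rate=CIR_BPS, burst=BC_BYTES, queue_limit=QUEUE_LIMIT):
    """Shaper: excess packets wait in a FIFO and depart when tokens allow.

    Returns (released, dropped): released is a list of (arrival, departure, size);
    dropped holds packets that found the shaper queue full.
    """
    bucket = TokenBucket(rate, burst)
    queued = deque()                 # (departure_time, size) not yet sent
    released, dropped = [], []
    for t, size in trace:
        while queued and queued[0][0] <= t:     # already left the interface
            queued.popleft()
        if sum(s for _, s in queued) + size > queue_limit:
            dropped.append((t, size))
            continue
        # FIFO: cannot leave before arrival or before the packet ahead of it.
        earliest = max(t, queued[-1][0]) if queued else t
        depart = earliest + bucket.seconds_until(earliest, size)
        bucket.take(depart, size)
        queued.append((depart, size))
        released.append((t, depart, size))
    return released, dropped


def summarize(trace=BURST_TRACE):
    """Side-by-side result for one trace: what each mechanism did with it."""
    policed = police(trace)
    released, dropped = shape(trace)
    return {
        "policer_conform": sum(1 for *_, a in policed if a == "conform"),
        "policer_drop": sum(1 for *_, a in policed if a == "drop"),
        "shaper_sent": len(released),
        "shaper_drop": len(dropped),
        "shaper_max_delay_s": max(d - t for t, d, _ in released),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:20} {value}")
```

With these numbers the policer passes 4 of the 10 burst packets and drops 6, while the shaper passes 8 of them, spreading the last four over 0.25 s at the CIR, and drops only the 2 that overflow its queue; both pass the two packets that arrive after the bucket has refilled. The delay the shaper adds is exactly the jitter that the real-time voice row of the application requirements table warns about, which is why voice is usually given priority queuing rather than being shaped with bulk data.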
Data Compression and QoS to Optimize Bandwidth Usage

Summary
– A WAN is a communications network that covers a relatively broad geographic area and carries a variety of traffic types using transmission facilities that are typically provided by service providers.
– The multiple WAN transport technologies vary in bandwidth, performance characteristics, and cost.
– In WAN design, enterprise edge connectivity requirements influence the trade-off between the cost of bandwidth and bandwidth efficiency.
Designing the Enterprise WAN
Designing Remote Connectivity

Traditional WAN Technologies
– Leased lines: A service provider establishes a dedicated connection.
– Circuit-switched (PSTN phone service, analog modems, ISDN): A dedicated circuit path is established for the duration of a call. ISDN combines voice, data, and backup.
– Packet- and cell-switched (Frame Relay, SMDS, ATM, MPLS): A service provider creates PVCs or SVCs. ATM uses cells and provides support for multiple QoS classes.

WAN Topologies

Designing the Remote-Access Network
Objective: Provide a unified solution for remote access that grants the connection seamlessly, as if the user were at company headquarters.
Application requirements include:
– Low- to medium-volume data file transfer and interactive traffic for teleworkers and traveling workers
– Voice services for teleworkers
Connectivity option: IP access through an on-demand or always-on connection
Technologies include dial-up, DSL, cable, and wireless.

Overview of Virtual Private Networks

Connectivity Option: Overlay VPN
VPNs may replace dedicated point-to-point links with emulated point-to-point links sharing a common infrastructure.

Connectivity Option: Virtual Private Dial-Up Network

Connectivity Option: Peer-to-Peer VPN
The provider participates in the enterprise routing:
– Uses MPLS VPN technology
– Enables the organization to use any IP address space
– No overlapping IP address space problems

Benefits of VPNs

WAN Backup Technologies
Backup options:
– Dial backup (analog or ISDN)
– Permanent secondary WAN link
– Shadow PVC
– IPsec tunnel across the Internet

Example: Permanent Secondary WAN Link

Example: Shadow PVC

WAN Backup over the Internet

Layer 3 Tunneling
GRE can encapsulate a variety of protocol types inside IP tunnels.
– It is simple and flexible for basic IP VPNs.
– The packet payload is not encrypted.
– Provisioning of tunnels is not very scalable.
IPsec encapsulates IP inside IPsec tunnels.
– The packet payload can be encrypted.
– The IPsec receiver can authenticate the source of packets.
– It uses IKE for key negotiation, with peers authenticated by pre-shared keys or PKI certificates.
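The "payload is not encrypted" point for GRE is worth seeing on the wire. The following Python is an added example, not course material: it builds a GRE-over-IPv4 packet (RFC 2784 header, with the RFC 2890 key and sequence flags recognized when parsing) around an inner IPv4/UDP datagram, then parses it the way a device on the transit path would. The tunnel and host addresses (documentation ranges), ports and the syslog-style payload are constructed for the illustration; no IPsec/ESP is built here, that is the mechanism the slide says would hide what this code recovers.

```python
"""Build a GRE-over-IPv4 packet and read it back as an on-path observer would.

Plain GRE (RFC 2784) only adds a 4-byte header: the inner IP packet and its
payload travel in cleartext, so anyone on the transit path recovers them.
Addresses and payload are constructed for the illustration.
"""
import struct

IPPROTO_GRE = 47
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return header fields and payload; reject a bad version or checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # A valid header sums (including its checksum field) to 0xFFFF, so the
    # complement is 0.
    if ver_ihl >> 4 != 4 or ihl < 20 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


def udp_packet(src, dst, sport, dport, data):
    """Inner IPv4/UDP packet; UDP checksum 0 (allowed for IPv4) to keep it short."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def gre_encapsulate(tunnel_src, tunnel_dst, inner):
    """Wrap `inner` in a basic GRE header: C=0, version 0, protocol type IPv4."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_observe(pkt):
    """What a sniffer between the tunnel endpoints learns from one GRE packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre = outer["payload"]
    flags_ver, proto_type = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    offset = 4
    if flags_ver & 0x8000:   # C: checksum + reserved1 present (RFC 2784)
        offset += 4
    if flags_ver & 0x2000:   # K: key present (RFC 2890)
        offset += 4
    if flags_ver & 0x1000:   # S: sequence number present (RFC 2890)
        offset += 4
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unhandled GRE payload type 0x%04x" % proto_type)
    inner = parse_ipv4(gre[offset:])
    if inner["proto"] != IPPROTO_UDP:
        raise ValueError("example only decodes UDP inside the tunnel")
    sport, dport, _, _ = struct.unpack("!HHHH", inner["payload"][:8])
    return {"tunnel": (outer["src"], outer["dst"]),
            "inner": (inner["src"], inner["dst"]),
            "ports": (sport, dport),
            "data": inner["payload"][8:]}


# Constructed sample: a branch host sending syslog to a central collector
# through a GRE tunnel between two routers (documentation address ranges).
SAMPLE_DATA = b"<134>branch-rtr: Interface Serial0/0 changed state to up"
SAMPLE_PACKET = gre_encapsulate(
    "203.0.113.1", "198.51.100.1",
    udp_packet("10.1.1.10", "10.2.2.20", 40000, 514, SAMPLE_DATA))


if __name__ == "__main__":
    seen = gre_observe(SAMPLE_PACKET)
    print("tunnel endpoints: ", seen["tunnel"])
    print("inner hosts/ports:", seen["inner"], seen["ports"])
    print("cleartext payload:", seen["data"].decode())
```

Everything `gre_observe` returns is visible to any hop between the tunnel routers, including the private 10.x addressing the tunnel was meant to hide from the Internet path. This is the reason the backup option on the earlier slide is an IPsec tunnel across the Internet rather than bare GRE, and why GRE over IPsec (GRE for multiprotocol and routing-protocol transport, ESP for confidentiality and source authentication) is the usual combination.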
  • 277.
    www.CareerCert.info Enterprise WAN Architecture Considerations Support for network growth Appropriate availability Operational expense Operational complexity Voice and video support Effort and cost to implement Support of network segmentation © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—4-15 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 278.
    www.CareerCert.info Cisco Enterprise MAN and WAN Architecture Private WAN (optionally encrypted) ISP service through site-to-site and remote-access IPsec VPN Service provider-managed IP or MPLS VPN Self-deployed MPLS © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—4-16 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
Cisco Enterprise WAN and MAN Architecture Comparison

                                   | Private WAN      | ISP Service       | SP MPLS and IP VPN             | Self-Deployed MPLS
Secure transport                   | IPsec (optional) | IPsec (mandatory) | IPsec (mandatory)              | IPsec (mandatory)
High availability                  | Excellent        | Good              | Excellent                      | Excellent
Multicast                          | Good             | Good              | Good                           | Excellent
Voice and video support            | Excellent        | Low               | Excellent                      | Excellent
Scalable network growth            | Moderate         | Good              | Excellent                      | Excellent
Easily shared WAN links            | Moderate         | Moderate          | Moderate                       | Excellent
Operational costs                  | High             | Low               | Moderate, depends on transport | Moderate to high
Network control                    | High             | Moderate          | Moderate                       | High
Effort to migrate from private WAN | Low              | Moderate          | Moderate                       | High

DESGN v2.0—4-17
Example: Cisco WAN Architectures in the Healthcare Environment

DESGN v2.0—4-18
Selecting Enterprise Edge Hardware Components and Software Features

Hardware selection incorporates the selection of data link layer functions and features of a particular device.
  – Considerations: port density, packet throughput, future expandability, redundancy
Software selection focuses on network layer performance.
  – Considerations: forwarding decisions, bandwidth optimization, security

DESGN v2.0—4-19
Cisco IOS Software in the Network

Cisco IOS Software T               | Cisco IOS Software S                                 | Cisco IOS Software XR
IP Services and Ease of Deployment | IP Services and Infrastructure                       | Scale and Availability
Broadband access                   | High-end enterprise core                             | Large-scale networks
Mobility and wireless              | Service provider edge                                | High availability
Data center                        | Virtual Private Networks (MPLS, Layer 2 and Layer 3) | In-service software upgrade
Security                           |                                                      |
IP communications                  |                                                      |
Video and content multicast        |                                                      |

DESGN v2.0—4-20
Cisco IOS Packaging

DESGN v2.0—4-21
Cisco IOS Packaging Technology Segmentation

Package                      | Data Connectivity | VoIP and VoFR | ATM, VoATM, MPLS | Firewall, IDS, VPN | AppleTalk, IPX, IBM Protocols
IP Base                      | X                 |               |                  |                    |
IP Voice                     | X                 | X             |                  |                    |
Advanced Security            | X                 |               |                  | X                  |
Enterprise Base              | X                 |               |                  |                    | X
SP Services                  | X                 | X             | X                |                    |
Advanced IP Services         | X                 | X             | X                | X                  |
Enterprise Services          | X                 | X             | X                |                    | X
Advanced Enterprise Services | X                 | X             | X                | X                  | X

DESGN v2.0—4-22
Comparing Router Platforms and Software Functions

Hardware                          | Software                                          | Function
800, 1800, 2800, 3800, 7200       | Cisco IOS T Releases 12.3, 12.4, 12.3T, 12.4T     | Supports access routing platforms providing fast, scalable delivery of mission-critical enterprise applications
7200, 7301, 7304, 7500, 10K       | Cisco IOS S Release 12.2SB                        | Delivers midrange broadband and leased-line aggregation for enterprise and service provider edge networks
7600                              | Cisco IOS S Release 12.2SR                        | Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge
12000, CRS-1                      | Cisco IOS XR                                      | Provides massive scale, continuous system availability, and service flexibility for service provider core and edge. (Takes advantage of the massively distributed processing capabilities of the Cisco CRS-1 routing system and the Cisco 12000)

DESGN v2.0—4-23
Comparing Multilayer Switch Platforms and Software Functions

Hardware                    | Software                   | Function
800, 1800, 2800, 3800, 7200 | Cisco IOS S Release 12.2SE | Provides low-end to midrange Ethernet LAN switching for enterprise access and distribution deployments
4500, 4900                  | Cisco IOS S Release 12.2SG | Provides midrange Ethernet LAN switching for enterprise access and distribution deployments in the campus, and supports Metro Ethernet
6500                        | Cisco IOS S Release 12.2SX | Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge

Use the Cisco Feature Navigator to find the right Cisco IOS and Catalyst operating system software release and features.

DESGN v2.0—4-24
Summary

Traditional WAN technologies include leased lines, circuit-switched PSTN, and packet-switched networks.
Remote-access networks connect teleworkers and traveling employees.
A VPN provides connectivity over a shared infrastructure with the same policies and performance as a private network.
WAN backup strategies are needed to provide high availability between remote sites.
The Cisco Enterprise WAN and MAN Architecture provides integrated QoS, network security, reliability, and manageability.
Enterprise WAN design includes selecting the appropriate components, including hardware and software.

DESGN v2.0—4-25
Designing the Enterprise Branch

Designing Remote Connectivity

DESGN v2.0—4-1
Enterprise Branch Services

DESGN v2.0—4-2
Enterprise Branch Architecture

DESGN v2.0—4-3
Characterizing the Branch

Number of locations
Number of existing devices
Scalability needed
High-availability requirements
Security concerns
Management concerns
Wireless services needed
Approximate budget

DESGN v2.0—4-4
Enterprise Branch Profiles

DESGN v2.0—4-5
Small Branch Office Design

Infrastructure components
  – Access router
  – Layer 2 switching (integrated or external stackable)
  – Laptops, phones, printers
WAN services and backup
  – Internet deployment model
  – T1 primary link
  – ADSL secondary link
Network fundamentals
  – EIGRP
  – High availability: floating static routes, T1 with ADSL backup
  – QoS: shaping, policing, scavenger class (applied to both switch and router)

DESGN v2.0—4-6
Medium Branch Office Design

Infrastructure components
  – Dual access routers
  – External stackable switch (Layer 2 or Layer 3)
  – Laptops, phones, printers
WAN services
  – Private WAN deployment
  – Dual Frame Relay links
Network fundamentals
  – EIGRP
  – High availability: dual routers, HSRP
  – QoS: shaping, policing, scavenger class (applied to both switch and router)

DESGN v2.0—4-7
Large Branch Office Design

Infrastructure components
  – Dual access routers for WAN edge
  – Dual ASAs for firewalls
  – Dual multilayer switching (stackable or modular)
  – Laptops, phones, printers
WAN services
  – MPLS deployment model
  – Dual links to WAN cloud
Network fundamentals
  – EIGRP
  – High availability: dual routers at every layer, HSRP
  – Object tracking, ASA failover
  – QoS: shaping, policing, scavenger class (applied to all routers and switches)

DESGN v2.0—4-8
Comparison of Teleworking Options

                                    | Part-Time or Occasional Users (Day Extenders) | Full-Time and Occasional Remote Worker (Branch of One)
E-mail                              | Yes                                           | Yes
Web-based applications              | Yes                                           | Yes
Mission-critical applications       | Best effort                                   | Prioritized
Real-time collaboration             | Best effort                                   | Prioritized
Voice over IP                       | Best effort                                   | High quality
Video on demand, Cisco IP/TV        | Unlikely                                      | High quality
Video conferencing                  | Unlikely                                      | High quality
Remote configuration and management | No                                            | Yes
Integrated security                 | Basic                                         | Full
Resiliency and availability         | No                                            | Yes

DESGN v2.0—4-9
Branch of One Architecture

Figure labels:
  – Advanced applications support (voice, video)
  – Centralized management
  – IT-managed security policies
  – Corporate-pushed security policies (not user-managed)
  – Corporate phone, toll bypass, centralized voice mail
  – Integrated security and identity services

DESGN v2.0—4-10
Summary

The Cisco Enterprise Branch Architecture provides enterprise services to remote users.
You should characterize each branch location to develop a suitable design:
  – Small branch office design typically uses a single WAN access router with one or two access switches to support up to 50 users.
  – Medium branch office design typically uses two WAN access routers with multiple access switches to support up to 100 users.
  – Large branch office design typically uses two WAN access routers, one or more multilayer distribution switches, and multiple access switches to support up to 100 to 1000 users.
An enterprise teleworker design can use a small ISR with integrated switch ports and an always-on VPN to support one teleworker.

DESGN v2.0—4-11
Remote Connectivity Design Review

Analyze network requirements:
  – Type of applications, the traffic volume and traffic pattern
  – Redundancy and backup needed
Characterize the existing network and sites:
  – Technology used, and location of hosts, servers, terminals and other end nodes
Develop WAN and branch network design:
  – Select WAN and branch technology to support requirements.
  – Select hardware and software components to support requirements.

DESGN v2.0—4-1
Module Summary

Network application and connectivity requirements influence the WAN design.
The Cisco Enterprise MAN and WAN architecture provides integrated QoS, network security, reliability, and manageability on:
  – Private WANs
  – ISP service through site-to-site and remote-access VPNs
  – Service Provider-managed IP or MPLS VPNs
The Cisco Enterprise Branch Architecture supports small, medium, large, and teleworker locations.

DESGN v2.0—4-2
Designing IP Addressing and Selecting Routing Protocols

Designing for Cisco Internetwork Solutions (DESGN) v2.0

DESGN v2.0—5-1
Designing IP Addressing

Designing IP Addressing and Selecting Routing Protocols

DESGN v2.0—5-1
Prerequisite Knowledge

IPv4 address and mask structure
IPv4 classes and CIDR
Static addressing
Dynamic addressing with DHCP
DNS
Private and public addresses
NAT and PAT
  – Static NAT
  – Dynamic NAT
  – Overloading

DESGN v2.0—5-2
Private and Public IPv4 Address Guidelines

DESGN v2.0—5-3
Network Size and IP Addressing Planning

How many locations are in the network?
How many devices are in each location?
What are the IP addressing requirements for individual locations?
What subnet size is appropriate?

DESGN v2.0—5-4
Determining General Network Topology

DESGN v2.0—5-5
IP Address Requirements by Location

Location        | Office Type | Workstations and Servers | Net Device Interfaces | IP Phones | Layer 3 Switches | Router Interfaces | Firewall Interfaces | Reserve | Total
San Francisco   | Main        | 600                      | 35                    | 600       | 17               | 26                | 12                  | 20%     | 1290
Denver          | Regional    | 210                      | 7                     | 210       | 10               | 4                 | 0                   | 20%     | 441
Houston         | Regional    | 155                      | 5                     | 155       | 10               | 4                 | 0                   | 20%     | 329
Remote Office 1 | Remote      | 12                       | 1                     | 12        | 2                | 1                 | 0                   | 10%     | 28
Remote Office 2 | Remote      | 15                       | 1                     | 15        | 3                | 1                 | 0                   | 10%     | 35
Remote Office 3 | Remote      | 8                        | 1                     | 8         | 3                | 1                 | 0                   | 10%     | 21
Total           |             | 1000                     | 50                    | 1000      | 45               | 37                | 12                  |         | 2144

DESGN v2.0—5-6
IP Addressing Hierarchy

Reasons to implement include:
  • Influence of IP addressing on routing
  • Modular design and scalable solutions
  • Support for route aggregation

DESGN v2.0—5-7
Route Summarization Groups

Benefits of hierarchical addressing include:
  – Support for route summarization groups
  – Efficient aggregation of routing advertisements
Poorly designed IP addressing results in:
  – Excess routing traffic, leading to additional bandwidth consumption
  – Increased routing table recalculations, degrading router performance

DESGN v2.0—5-8
Example: Address Blocks by Location

Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   |                    |
Denver Region        |        |                    |
  Denver Office 1    | 441    |                    |
  Remote Office 1    | 28     |                    |
  Remote Office 2    | 35     |                    |
Houston Region       |        |                    |
  Houston Campus     | 329    |                    |
  Remote Office 3    | 21     |                    |

DESGN v2.0—5-9
Example: Address Blocks by Location

Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   | 2048               |
Denver Region        |        |                    |
  Denver Office 1    | 441    | 512                |
  Remote Office 1    | 28     | 64                 |
  Remote Office 2    | 35     | 64                 |
Houston Region       |        |                    |
  Houston Campus     | 329    | 512                |
  Remote Office 3    | 21     | 64                 |

DESGN v2.0—5-10
Example: Address Blocks by Location

Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   | 2048               |
Denver Region        |        | 1024               |
  Denver Office 1    | 441    | 512                |
  Remote Office 1    | 28     | 64                 |
  Remote Office 2    | 35     | 64                 |
Houston Region       |        | 1024               |
  Houston Campus     | 329    | 512                |
  Remote Office 3    | 21     | 64                 |

DESGN v2.0—5-11
Example: Address Blocks by Location

Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   | 2048               | 172.16.0.0 – 172.16.7.255 /21
Denver Region        |        | 1024               | 172.16.8.0 – 172.16.11.255 /22
  Denver Office 1    | 441    | 512                | 172.16.8.0 – 172.16.9.255 /23
  Remote Office 1    | 28     | 64                 | 172.16.10.0 /26
  Remote Office 2    | 35     | 64                 | 172.16.10.64 /26
Houston Region       |        | 1024               | 172.16.12.0 – 172.16.15.255 /22
  Houston Campus     | 329    | 512                | 172.16.12.0 – 172.16.13.255 /23
  Remote Office 3    | 21     | 64                 | 172.16.14.0 /26

DESGN v2.0—5-12
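A worked version of the block-planning procedure on these slides, added here as an example and not part of the course material: it rounds each location's count up to a power of two, sizes each region to hold its members, carves the blocks out of 172.16.0.0/16 in the slide's order, and then checks that every region can be advertised as one summary route. The minimum site block of 64 (the slide rounds 28 to 64 rather than 32) and the largest-first allocation order inside a region are assumptions of this example; the slide does not state them.

```python
import ipaddress

# Site counts from the "IP Address Requirements by Location" slide.
SITES = {
    "San Francisco Campus": 1290,
    "Denver Office 1": 441,
    "Remote Office 1": 28,
    "Remote Office 2": 35,
    "Houston Campus": 329,
    "Remote Office 3": 21,
}
# Regional groupings from the "Address Blocks by Location" slide.
REGIONS = {
    "Denver Region": ["Denver Office 1", "Remote Office 1", "Remote Office 2"],
    "Houston Region": ["Houston Campus", "Remote Office 3"],
}
# Assumption: the slide rounds the remote offices to 64 (a /26) rather than
# to 32, so a /26 is treated as the smallest block handed to a site.
MIN_SITE_BLOCK = 64


def round_up_pow2(count, minimum=1):
    """Smallest power of two that is >= count (and >= minimum)."""
    if count < 1:
        raise ValueError("count must be positive")
    return max(1 << (count - 1).bit_length(), minimum)


class BumpAllocator:
    """Hands out naturally aligned blocks from one parent prefix, in order.

    Keeping every block aligned to its own size is what lets the parent
    prefix be advertised as a single summary route.
    """

    def __init__(self, parent):
        self.parent = ipaddress.ip_network(parent)
        self.cursor = int(self.parent.network_address)
        self.limit = int(self.parent.broadcast_address) + 1

    def take(self, size):
        start = -(-self.cursor // size) * size  # round cursor up to alignment
        if start + size > self.limit:
            raise ValueError(f"{self.parent} cannot hold another block of {size}")
        self.cursor = start + size
        prefixlen = 33 - size.bit_length()  # 2048 -> /21, 64 -> /26
        return ipaddress.ip_network(f"{ipaddress.IPv4Address(start)}/{prefixlen}")


def build_plan(parent="172.16.0.0/16"):
    """Return (rounded sizes, allocated prefixes) for the slide's locations."""
    rounded = {site: round_up_pow2(n, MIN_SITE_BLOCK) for site, n in SITES.items()}
    # A region must hold the sum of its members' rounded blocks, itself rounded.
    for region, members in REGIONS.items():
        rounded[region] = round_up_pow2(sum(rounded[m] for m in members))
    grouped = {m for members in REGIONS.values() for m in members}
    standalone = [s for s in SITES if s not in grouped]

    top = BumpAllocator(parent)
    blocks = {}
    for name in standalone:               # San Francisco first, as on the slide
        blocks[name] = top.take(rounded[name])
    for region, members in REGIONS.items():
        blocks[region] = top.take(rounded[region])
        inner = BumpAllocator(blocks[region])
        # Largest member first so that smaller blocks never force padding.
        for member in sorted(members, key=lambda m: -rounded[m]):
            blocks[member] = inner.take(rounded[member])
    return rounded, blocks


def plan_is_summarizable(blocks):
    """True when every member lies inside its region's summary and the
    top-level blocks (campus plus region summaries) do not overlap."""
    grouped = {m for members in REGIONS.values() for m in members}
    summaries = [b for name, b in blocks.items() if name not in grouped]
    covered = all(blocks[m].subnet_of(blocks[r])
                  for r, members in REGIONS.items() for m in members)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(summaries) for b in summaries[i + 1:])
    return covered and disjoint


if __name__ == "__main__":
    rounded, blocks = build_plan()
    for name, block in blocks.items():
        print(f"{name:22} {rounded[name]:5}  {block}")
    print("summarizable:", plan_is_summarizable(blocks))
```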
Example: Hierarchical IP Addressing Plan

DESGN v2.0—5-13
Example: Hierarchical IP Addressing Plan

DESGN v2.0—5-14
Managing IP Addresses

Using DHCP in the enterprise
Using DNS in the enterprise
Using NAT in the enterprise

DESGN v2.0—5-15
Recommended Practices for IP Address Assignment Method

Criteria                    | Strategic Address Assignment                        | Dynamic Address Assignment with DHCP
Node type                   | Infrastructure devices such as routers and switches | End-user devices
Number of end-user devices  | Up to 30 end-user devices                           | More than 30 end-user devices
Renumbering                 | Requires manual reconfiguration of all hosts        | Only DHCP server reconfiguration is needed
Address tracking            | Easy address tracking                               | Requires additional DHCP server configuration
Additional parameters       | Manual configuration of all hosts required          | Only DHCP server needs to be configured
High availability           | IP addresses are available at any time              | Redundant DHCP server is required
Security concerns           | Minor security risk                                 | Any device gets IP address

DESGN v2.0—5-16
Example: IP Address Assignment Methods in an Enterprise Network

DESGN v2.0—5-17
Static vs. Dynamic Name Resolution

Names are used to ease computer-human interaction.
Names are resolved to IP addresses.
Different name resolution strategies:
  – Static
  – Dynamic

DESGN v2.0—5-18
Recommended Practices for Name Resolution Method

Criteria                                  | Static Name Resolution | Dynamic Name Resolution
Number of hosts                           | Up to 30 hosts         | More than 30 hosts
Isolated network                          | Applicable             | Applicable
Internet connectivity                     | Not applicable         | Mandatory
Frequent changes and addition of names    | Not recommended        | Recommended
Application depending on name resolution  | Not recommended        | Recommended

DESGN v2.0—5-19
Using DNS for Name Resolution

DESGN v2.0—5-20
Example: Locating DHCP and DNS Servers in the Network

DESGN v2.0—5-21
IPv6 Address Structure

x:x:x:x:x:x:x:x, where each x is 16 bits, represented by a hexadecimal number:
  2031:0000:130F:0000:0000:09C0:876A:130B
Can also be written as:
  2031:0:130F::9C0:876A:130B

DESGN v2.0—5-22
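The shortening the slide applies to 2031:0000:130F:0000:0000:09C0:876A:130B, implemented as an added example that is not part of the course material and that generalizes to any eight-group address: leading zeros are dropped in each group, and only the single longest run of two or more zero groups becomes "::". Output is lowercase as RFC 5952 prescribes, so the slide's uppercase form matches only case-insensitively; the result is cross-checked against the standard library.

```python
import ipaddress


def compress_ipv6(text):
    """Shorten an eight-group IPv6 address as the slide does.

    Rule 1: leading zeros in each 16-bit group are dropped.
    Rule 2: the single longest run of two or more all-zero groups becomes
            '::' (the leftmost run wins a tie); a lone zero group stays '0'.
    """
    groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected the full eight-group form")
    values = [int(g, 16) for g in groups]          # rejects non-hex digits
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("each group must fit in 16 bits")

    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:
            j += 1
        if j - i > best_len:                        # strictly longer only
            best_start, best_len = i, j - i
        i = j

    hexes = [format(v, "x") for v in values]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(text):
    """Cross-check: our result equals the standard library's compressed form,
    and that form expands back to the original eight groups."""
    short = compress_ipv6(text)
    addr = ipaddress.IPv6Address(short)
    return short == addr.compressed and addr.exploded == text.lower()


if __name__ == "__main__":
    slide = "2031:0000:130F:0000:0000:09C0:876A:130B"
    print(compress_ipv6(slide), "ok" if matches_stdlib(slide) else "MISMATCH")
```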
  • 327.
    www.CareerCert.info Benefits of IPv6 Addressing Larger address space Globally unique IP addresses Site multihoming Header format efficiency Improved privacy and security Flow labeling capability Increased mobility and multicast capabilities © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-23 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 328.
    www.CareerCert.info IPv6 Address Scope Types IPv6 address scope types: – Unicast (one to one) – Anycast (one to nearest) – Multicast (one to many) Broadcast addresses not available © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-24 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 329.
    www.CareerCert.info IPv6 Address Types: Link-Local and Site-Local Link-Local Address Site-Local Address © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-25 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 330.
    www.CareerCert.info IPv6 Address Types: Global Aggregatable Global Aggregatable Address © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-26 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 331.
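Added example, not course material, for the address structure slide and the address type slides above: it expands and compresses an IPv6 address by the general RFC 5952 rules (longest zero run becomes "::", first run on a tie, a lone zero group stays "0"), which the slide's single example does not show, and classifies addresses by the prefixes behind the link-local, site-local, global and multicast types. Function names are assumed; the sample addresses are the slide's own example plus constructed values.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address as a list of ints.

    The '::' shorthand (at most one per address) is padded with zero groups.
    Raises ValueError on malformed input.
    """
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %r" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d: %r" % (len(groups), text))
    values = []
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError("bad group %r in %r" % (group, text))
        values.append(int(group, 16))
    return values


def compress_ipv6(text):
    """Write an IPv6 address in the canonical short form of RFC 5952.

    Leading zeros are dropped from every group; the longest run of two or
    more zero groups (the first one on a tie) becomes '::'; a lone zero group
    stays '0'; hex digits are lowercase.  The slide's example
    2031:0000:130F:0000:0000:09C0:876A:130B becomes 2031:0:130f::9c0:876a:130b.
    """
    groups = expand_ipv6(text)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for index, group in enumerate(groups + [None]):  # sentinel closes the last run
        if group == 0:
            if run_len == 0:
                run_start = index
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = ["%x" % group for group in groups]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return left + "::" + right


def ipv6_scope(text):
    """Classify an address by the scope prefixes behind the slides' types.

    fe80::/10 link-local, fec0::/10 site-local (deprecated by RFC 3879 but
    still taught in this 2007 material), ff00::/8 multicast, 2000::/3 global
    aggregatable unicast; anything else (::1, ::, ...) is reported as "other".
    """
    first = expand_ipv6(text)[0]
    if first >> 8 == 0xFF:
        return "multicast"
    if first >> 6 == 0xFE80 >> 6:  # top 10 bits 1111111010
        return "link-local"
    if first >> 6 == 0xFEC0 >> 6:  # top 10 bits 1111111011
        return "site-local"
    if first >> 13 == 0b001:       # top 3 bits 001
        return "global unicast"
    return "other"


def agrees_with_stdlib(text):
    """Cross-check the hand-rolled functions against the ipaddress module."""
    addr = ipaddress.IPv6Address(text)
    return (compress_ipv6(text) == str(addr)
            and (ipv6_scope(text) == "link-local") == addr.is_link_local
            and (ipv6_scope(text) == "multicast") == addr.is_multicast)


if __name__ == "__main__":
    # The slide's own example followed by constructed samples.
    for sample in ("2031:0000:130F:0000:0000:09C0:876A:130B", "fe80::1",
                   "fec0::a:b", "ff02::1", "0:0:0:0:0:0:0:1",
                   "2001:db8:0:0:1:0:0:1"):
        print("%-42s %-28s %s" % (sample, compress_ipv6(sample), ipv6_scope(sample)))
```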
IPv6 Routing Protocol Considerations
    Interior gateway protocols (IGPs) for routing inside autonomous systems:
        – RIPng
        – EIGRP for IPv6
        – OSPFv3
        – Integrated IS-IS
    Exterior gateway protocols (EGPs) for peering between autonomous systems:
        – BGP+

IPv6 Address Assignment Strategies
    Static: same as IPv4
    Dynamic:
        – Link-local
        – Stateless
        – Stateful, using DHCPv6

IPv6 Name Resolution
    Static: same as IPv4
    Dynamic (autoconfiguration): DNS server with IPv6 stack support

IPv4- and IPv6-Aware Applications and Name Resolution
    In a dual-stack case, an application is both IPv4- and IPv6-enabled. The application decides which stack to use and asks DNS for the corresponding address.

IPv4-to-IPv6 Transition Strategies
    Three major transition strategies are available:
        – Dual stack (IPv4 and IPv6 coexist in the same devices and networks)
        – Tunneling (IPv6 packets are encapsulated in IPv4 packets)
        – Translation (IPv6-only devices can talk to IPv4 devices)

Dual-Stack Mechanism
    Both IPv4 and IPv6 stacks are enabled.
    Applications can talk to both stacks.
    The IP version choice is based on name lookup and application preference.
    Popular operating systems support IPv6.

Tunneling Mechanism
    Encapsulates the IPv6 packet in an IPv4 packet.
    Techniques:
        – Manually configured
        – Semiautomated
        – Automatic

Translation Mechanism
    (figure)

Summary
    Key components of an IPv4 addressing scheme include IP address structure, address classes, subnetting, and masking.
    Well-designed hierarchical IP addressing enables efficient aggregation of routing advertisements, which consumes less bandwidth and router CPU.
        – Dynamic IP address assignment is a recommended practice in the enterprise.
        – Dynamic name resolution with a DNS server is a recommended practice in the enterprise.
    IPv6 was designed as a successor to IPv4 to overcome IPv4 limitations.
        – The IPv6 address structure and address types support a much larger address space than IPv4.
        – IPv6 supports two address types: link-local and global aggregatable.
Reviewing Enterprise Routing Protocols
    Designing IP Addressing and Selecting Routing Protocols

Distance Vector and Link-State Comparison
    Distance vector protocol characteristics:
        – Slow convergence
        – Easy implementation and maintenance
        – Limited scalability
    Link-state protocol characteristics:
        – Fast convergence
        – Good scalability
        – Less routing traffic overhead
        – More knowledge needed for implementation and maintenance

Example: Distance Vector Routing
    Routing updates are periodic:
        – Include whole routing tables
        – Use gratuitous updates (except RIPv2)

Example: Link-State Routing
    Triggered updates:
        – Include data on link states of changing links
        – Use multicast propagation

Interior vs. Exterior Routing Protocols
    Interior gateway protocols (IGPs):
        – Routing inside autonomous systems
        – Fast convergence and easy configuration
        – Low administrator influence on routing decisions
    Exterior gateway protocols (EGPs):
        – Routing between autonomous systems
        – Slow convergence and more complex configuration
        – High administrator influence on routing decisions

Example: Interior vs. Exterior Routing Protocols
    (figure)

Hierarchical vs. Flat Routing Protocols
    Flat routing protocols propagate all routing information throughout the network:
        – Classful routing protocols
        – Not appropriate for large networks
        – RIPv1, IGRP, RIPv2 (classless)
    Hierarchical routing protocols divide large networks into smaller areas:
        – Classless routing protocols
        – Limited route propagation between areas
        – EIGRP, OSPF, IS-IS

Example: Flat and Hierarchical Networks
    Comparing flat and hierarchical networks:
        – Hierarchical structure means less routing traffic overhead.
        – Summarization is the key.

Routing Protocol Convergence
    A converged network is a stable network with all needed routing information.
    Network convergence takes place:
        – Initially, on network startup
        – On topological changes
    Enterprise routing protocols should have short convergence times.

Routing Protocol Convergence Comparison
    (figure)
    Protocol   Convergence Time to Router E
    RIP        Holddown + 1 or 2 update intervals
    EIGRP      Matter of seconds
    OSPF       Matter of seconds

Enhanced IGRP (EIGRP)
    Advanced distance vector protocol based on IGRP with some link-state protocol features
    Supports VLSM
EIGRP Characteristics
    EIGRP Characteristic                       Implemented By
    Fast convergence                           Diffusing Update Algorithm (DUAL)
    Improved scalability                       Manual summarization, fast convergence
    Use of VLSM                                Subnet mask in updates
    Reduced bandwidth usage                    No periodic updates
    Multiple network layer protocol support    IPv4, IPv6 (Protocol Dependent Modules for IPX, AppleTalk)

Open Shortest Path First (OSPF)
    Developed in 1988 by the IETF; version 2 is described in RFC 2328.
    OSPF was devised for use in large, scalable networks where RIP failed:
        – Improved speed of convergence
        – Network reachability (no hop-count limitations)
        – Support for VLSM
        – Improved path calculation

Example: OSPF Multiarea Network
    (figure)

OSPF Characteristics
    OSPF Characteristic       Implemented By
    Fast convergence          Link-state updates (triggered), SPF calculation
    Very good scalability     Multiple-area design
    Use of VLSM               Subnet mask in updates
    Reduced bandwidth usage   No periodic updates

Integrated IS-IS
    Link-state protocol
        – Supports IPv4, IPv6, and OSI CLNP
        – Support for VLSM
        – Based on a Level 2 backbone to which Level 1 areas are attached
    Typically deployed in service provider environments; enterprise network administrators often have limited knowledge of IS-IS

Border Gateway Protocol (BGP)
    BGP is an exterior gateway protocol (EGP) used in Internet routing.
    BGP is a path vector protocol with enhancements:
        – Suited for strategic routing policies used between autonomous systems
        – Allows administrators to adjust parameters to influence routing

BGP Network Implementation
    BGP is primarily used for inter-autonomous-system routing.
    (figure)

Internal BGP
    BGP can run between routers within one autonomous system.
    IBGP neighbors need not be directly connected (use static routes or an IGP to convey reachability information).
    Other IBGP uses:
        – Intra-autonomous-system policy implementations
        – QoS Policy Propagation on BGP (QPPB)
        – MPLS VPNs (using multiprotocol IBGP)

Recommended Enterprise Routing Protocol Comparison
    Enterprise Characteristic                  EIGRP   OSPF
    Fast convergence                           Yes     Yes
    Very good scalability                      Yes     Yes
    Use of VLSM                                Yes     Yes
    Multiple network layer protocol support    Yes     No
    Mixed-vendor devices                       No      Yes

Summary
    Protocols with hierarchical and link-state attributes support the fastest network convergence.
    EIGRP and OSPF are the recommended IGPs for the enterprise.
        – EIGRP is a Cisco proprietary protocol for routing IPv4, IPv6, IPX, and AppleTalk traffic.
        – OSPF is a standardized protocol for routing IPv4, developed to replace RIP in larger, more diverse media networks. It can also support IPv6.
        – BGP is a representative EGP. It is primarily used to interconnect autonomous systems or to connect enterprises to an ISP.
Designing a Routing Protocol Deployment
    Designing IP Addressing and Selecting Routing Protocols

Routing Protocols in the Enterprise Architecture
    (figure)

Route Redistribution
    Redistribution between routing protocols occurs on the router at the routing domain boundary.

Route Redistribution Direction
    Redistribution between routing protocols takes place on the boundary router:
        – One-way redistribution: in one direction only (for example, from the enterprise edge into the campus core)
        – Two-way redistribution: in both directions

Route Redistribution in the Enterprise Network
    Redistribution:
        – From selected building access protocols
        – Between campus core and WAN routers
        – From static routes into the enterprise IGP
        – Static routes or BGP routes into the enterprise IGP

Route Filtering
    Filtering upon redistribution:
        – Avoids routing loops
        – Avoids suboptimal routing
        – Prevents certain routes from entering the routing domain
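Added example, not course material, for the redistribution and route filtering slides: a boundary router's inbound filter with IOS-style prefix-list semantics (exact length by default, ge/le ranges, first match wins, implicit deny) plus a route-tag check that drops a domain's own routes when they come back through another boundary router, which is the route-feedback case behind the "avoids routing loops" point. The domain tags, prefix-list entries, sample routes and all class and function names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list' line: permit/deny network/len [ge G] [le L]."""
    action: str                  # "permit" or "deny"
    network: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None     # shortest prefix length that matches
    le: Optional[int] = None     # longest prefix length that matches

    def matches(self, prefix):
        """True when the candidate network falls under this entry."""
        entry = ipaddress.ip_network(self.network, strict=False)
        # The candidate's first <len> bits must equal the entry's.
        if prefix.version != entry.version or not prefix.subnet_of(entry):
            return False
        # Length range (IOS semantics): exact length by default, [ge, max]
        # with ge only, [len, le] with le only, [ge, le] with both.
        low, high = entry.prefixlen, entry.prefixlen
        if self.ge is not None:
            low, high = self.ge, prefix.max_prefixlen
        if self.le is not None:
            high = self.le
        return low <= prefix.prefixlen <= high


def prefix_list_permits(entries, prefix_text):
    """First matching entry decides; no match means the implicit deny."""
    prefix = ipaddress.ip_network(prefix_text, strict=False)
    for entry in entries:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0   # tag stamped when the route was redistributed out of a domain


def filter_into_domain(routes, entries, own_tag):
    """Apply the boundary router's inbound filter for one routing domain.

    Returns (accepted, rejected) lists of prefixes.  A route that still
    carries this domain's own tag originated here and is coming back through
    another boundary router; dropping it prevents route feedback, the usual
    source of loops and suboptimal paths under two-way redistribution.
    """
    accepted, rejected = [], []
    for route in routes:
        if route.tag == own_tag or not prefix_list_permits(entries, route.prefix):
            rejected.append(route.prefix)
        else:
            accepted.append(route.prefix)
    return accepted, rejected


# Constructed design: the campus EIGRP domain (tag 100) accepts routes from the
# WAN OSPF domain (tag 200) only from the enterprise private blocks and only
# down to /24.
CAMPUS_TAG = 100
WAN_TAG = 200
CAMPUS_INBOUND = [
    PrefixListEntry("permit", "10.0.0.0/8", le=24),
    PrefixListEntry("permit", "172.16.0.0/12", le=24),
]
FROM_WAN = [
    Route("10.200.0.0/16", tag=WAN_TAG),    # remote site block: accepted
    Route("172.20.5.0/24", tag=WAN_TAG),    # accepted
    Route("10.200.5.0/25", tag=WAN_TAG),    # longer than le 24: rejected
    Route("192.168.1.0/24", tag=WAN_TAG),   # no entry matches: implicit deny
    Route("10.1.0.0/16", tag=CAMPUS_TAG),   # our own route returning: feedback
]


def campus_result():
    """The filter outcome for the constructed routes arriving from the WAN."""
    return filter_into_domain(FROM_WAN, CAMPUS_INBOUND, CAMPUS_TAG)


if __name__ == "__main__":
    accepted, rejected = campus_result()
    print("accepted into campus:", accepted)
    print("rejected at boundary:", rejected)
```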
Route Summarization
    (figures)

Recommended Practice: Summarize at the Distribution Layer
    It is important to force summarization at the distribution layer toward the core.
    After a link failure, for return-path traffic, an OSPF or EIGRP reroute is required.
    Summaries limit the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process.
    Summaries allow faster reroutes.
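Added example, not course material, for the summarization slides: it computes the single summary a distribution block advertises toward the core, reports how much of that summary has no real subnet behind it (a design check before the summary is configured), and shows that with a configured summary the loss of one access-layer subnet changes nothing the core sees. Function names and the access-layer subnets are constructed.

```python
import ipaddress


def summary_route(subnets):
    """Smallest single prefix that covers every subnet in the list.

    Walks the prefix length down from the shortest component until all
    network addresses agree on the leading bits.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed IPv4/IPv6 subnets cannot share a summary")
    bits = nets[0].max_prefixlen
    first = int(nets[0].network_address)
    length = min(n.prefixlen for n in nets)
    while length > 0:
        mask = ((1 << length) - 1) << (bits - length)
        if all(int(n.network_address) & mask == first & mask for n in nets):
            break
        length -= 1
    return str(ipaddress.ip_network("%s/%d" % (nets[0].network_address, length),
                                    strict=False))


def uncovered_space(summary, subnets):
    """Address ranges inside the summary with no real subnet behind them.

    The summary still attracts traffic for these ranges, so a design review
    should know how much of it is unused.
    """
    leftover = [ipaddress.ip_network(summary, strict=False)]
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        remaining = []
        for chunk in leftover:
            if net.subnet_of(chunk):
                remaining.extend(chunk.address_exclude(net))  # carve it out
            elif not chunk.subnet_of(net):
                remaining.append(chunk)  # disjoint: untouched
            # else: chunk lies inside net and is fully covered, drop it
        leftover = remaining
    return [str(n) for n in ipaddress.collapse_addresses(leftover)]


def advertised_to_core(summary, active_subnets):
    """What the distribution layer sends toward the core.

    With a configured summary only that prefix is advertised, and it stays
    up as long as at least one component subnet is still reachable, so the
    loss of one access-layer link causes no query or LSA processing beyond
    the distribution layer.  Without a summary every subnet, and therefore
    every failure, is visible to the whole core.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in active_subnets]
    if summary is None:
        return [str(n) for n in sorted(nets)]
    summ = ipaddress.ip_network(summary, strict=False)
    return [str(summ)] if any(n.subnet_of(summ) for n in nets) else []


# Constructed distribution block: four access-layer VLAN subnets.
ACCESS_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]

if __name__ == "__main__":
    summary = summary_route(ACCESS_SUBNETS)
    print("summary toward core:   ", summary)
    print("unused inside summary: ", uncovered_space(summary, ACCESS_SUBNETS))
    after_failure = [s for s in ACCESS_SUBNETS if s != "10.1.2.0/24"]  # one VLAN lost
    print("core sees (summarized):", advertised_to_core(summary, after_failure))
    print("core sees (no summary):", advertised_to_core(None, after_failure))
```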
    www.CareerCert.info Recommended Practice: Passive Interfaces for IGP at Access Layer Limit unnecessary peering Without passive interface: – With four VLANs per wiring closet – 12 adjacencies total – Memory and CPU requirements increased with no real benefit – Creates overhead for IGP © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-12 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 375.
    www.CareerCert.info Summary Large networks may implement multiple protocols for different modules of the Cisco Enterprise Architecture. Advanced routing features such as redistribution, filtering, and summarization allow multiple routing protocols to coexist and provide greater scalability. – Redistribution between different routing protocols passes routing knowledge from one protocol to another. – Route filtering prevents advertisement of certain routes through the routing domain. – Route summarization and an IP hierarchy reduce routing traffic and unnecessary route recomputation. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-13 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 376.
    www.CareerCert.info © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-14 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 377.
    www.CareerCert.info IP Addressing and Routing Review Define the IP addressing requirements. Develop a hierarchical IP addressing plan: – Use private addresses inside organization. – Use public addresses facing the Internet. – Use NAT or PAT for translation as needed. Develop a plan for deploying DHCP and DNS. Use EIGRP or OSPF, based on organizational requirements. Implement recommended practices, including redistribution, filtering, and summarization. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-78 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 378.
    www.CareerCert.info Module Summary IP address structure and IP address types have a large impact on the address plan for both IPv4 and IPv6. EIGRP and OSPF are the recommended IGPs for the enterprise. Advanced routing features such as redistribution, filtering, and summarization support scalability and multiple routing protocols. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-79 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 379.
    www.CareerCert.info © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—5-80 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 380.
    Evaluating Security Solutions for the Network
    Designing for Cisco Internetwork Solutions (DESGN) v2.0
  • 381.
    Defining Network Security
    Evaluating Security Solutions for the Network
  • 382.
    Reasons for Network Security
    Defend against attacks
    Prevent unauthorized access
    Prevent data misuse and theft
    Comply with security legislation
    Comply with industry standards
    Comply with company policy
  • 383.
    Example: Legislation and Directives
    Legislation and industry directives that may affect organizational security include:
      – GLBA: Gramm-Leach-Bliley Act
      – HIPAA: Health Insurance Portability and Accountability Act
      – EU Data Protection Directive 95/46/EC
      – SOX: Sarbanes-Oxley Act
      – PCI DSS: Payment Card Industry Data Security Standard
  • 384.
    Threats and Risks
  • 385.
    Reconnaissance and Vulnerability Scanning
    Determine active targets
    Determine running network services
    Determine operating system platform
    Find trust relationships
    Check for proper file permissions
    Identify user account information
    Port-scanning tools include:
      – Nmap
      – SuperScan
      – NetStumbler
      – Kismet
  • 386.
    Example: NMAP Screen
  • 387.
    Vulnerability Assessment
    Active (sending packets) or passive (sniffer)
    Published vulnerability information
      – CERT/CC
      – MITRE
      – Microsoft
      – Cisco security notices
    Reconnaissance tools
      – Nessus
      – MBSA
      – SAINT
  • 388.
    Gaining System Access
    Using knowledge of usernames and passwords
      – Improper escalation of privilege
      – Default administrative and service accounts
      – Gaining access to other systems via trust relationships
    Using social engineering
      – Physical access to information
      – Psychological approach
    Cracking captured passwords
  • 389.
    Integrity and Confidentiality Threats
  • 390.
    Availability Threats (Denial of Service)
  • 391.
    Everything Is a Potential Target
    Hosts are the preferred target for worms and viruses.
      – In the past year, a large number of attacks targeted hosts.
      – Compromised hosts are often used as attack launch points (botnets).
    But there are other high-value alternative targets:
      – Infrastructure devices: routers, switches
      – Support services: DHCP servers, DNS servers
      – Endpoints: management stations, IP phones
      – Infrastructure: network capacity
      – Security devices: IDS and IPS
  • 392.
    Network Security in the System Lifecycle
    Business needs: What does your organization want to do with the network?
    Risk analysis: What is the balance between risk and cost?
    Security policy: What are the policies, standards, and guidelines that address the business needs and risk?
    Industry recommended practices: What are the reliable, well-understood, and recommended security practices?
    Security operations: What is the process for incident response, monitoring, maintenance, and compliance auditing of the system?
  • 393.
    What Is a Security Policy?
    “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
    RFC 2196, Site Security Handbook
  • 394.
    Why Is a Security Policy Needed?
    Sets the framework for the security implementation
      – Defines organizational assets and the way to use them
      – Defines and communicates roles
      – Helps determine necessary tools and procedures
      – Defines how to identify and handle security incidents
    Creates a baseline of the current security posture
      – Defines allowed and not-allowed system behaviors
      – Informs users of their responsibilities and the ramifications of asset misuse
      – Provides risk assessment and cost-benefit analysis
  • 395.
    Network Security and Risks
    Network security can reduce risks to acceptable levels:
      – Risk assessment defines threats and their probability and severity.
      – A network security policy enumerates risks relevant to the network and describes how risks will be controlled or managed.
      – A network security design implements the security policy.
    Justify security costs by the potential cost and inconvenience of incidents.
  • 396.
    Risk Index Calculation

    Risk     Probability (P)   Severity (S)   Control (C)   Risk Index (P * S) / C
             (1–3)             (1–3)          (1–3)         (⅓–9)
    1.
    2.
    3.
    4.
  • 397.
    Example: Risk Index Calculation

    Risk                                                Probability (P)   Severity (S)   Control (C)   Risk Index (P * S) / C
                                                        (1–3)             (1–3)          (1–3)         (⅓–9)
    1. Breach of confidentiality of customer database         1                3              2               1.5
    2. DDoS attack sustained for more than 1 hour
       against e-commerce server                              2                2              1               4
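The calculation in the two tables above, as an added Python example that is not part of the Cisco material. The dataclass enforces the 1–3 range for each score, `index()` returns (P * S) / C as an exact fraction so the ⅓ lower bound survives, and `rank()` orders the risks so that design effort goes to the largest index first. The two rows are the slide's own; the scale bounds are computed from the extreme scores rather than copied.

```python
from dataclasses import dataclass
from fractions import Fraction

VALID_SCORES = (1, 2, 3)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int   # P: how likely the event is
    severity: int      # S: how bad it is when it happens
    control: int       # C: how strong the existing controls are (higher = stronger)

    def __post_init__(self):
        for label, value in (("P", self.probability), ("S", self.severity), ("C", self.control)):
            if value not in VALID_SCORES:
                raise ValueError(f"{label} must be one of {VALID_SCORES}, got {value}")

    def index(self) -> Fraction:
        """(P * S) / C; ranges from 1/3 (P=S=1, C=3) to 9 (P=S=3, C=1)."""
        return Fraction(self.probability * self.severity, self.control)


def rank(risks):
    """Largest risk index first."""
    return sorted(risks, key=lambda r: r.index(), reverse=True)


def index_bounds():
    """The extremes of the scale, computed from the extreme scores."""
    lo = Risk("min", 1, 1, 3).index()
    hi = Risk("max", 3, 3, 1).index()
    return lo, hi


# The two rows from the slide's worked table.
SLIDE_RISKS = [
    Risk("Breach of confidentiality of customer database", probability=1, severity=3, control=2),
    Risk("DDoS attack sustained for more than 1 hour against e-commerce server",
         probability=2, severity=2, control=1),
]

if __name__ == "__main__":
    for r in rank(SLIDE_RISKS):
        print(f"{float(r.index()):>5.2f}  {r.name}")
```

Note the effect of the control term: the database breach has the higher severity, yet the sustained DDoS ranks first because nothing currently controls it (C = 1). Strengthening a control is the lever the design has; it lowers the index without changing the threat.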
  • 398.
    Components of a Security Policy
  • 399.
    Network Security Is a Continuous Process
    Secure
      – Identity and authentication
      – Filtering and stateful inspection
      – Encryption and VPNs
    Monitor
      – Intrusion detection and response
      – Content-based detection and response
    Test
      – Security posture assessment
      – Vulnerability scanning
      – Patch verification and application auditing
    Improve
      – Event and data analysis and reporting
      – Network security intelligence
  • 400.
    Integrate Security Design and Network Design
    Security services can reside inside the network infrastructure.
    Security design coupled with network design is far more manageable.
    Recommended practice: Integrate security and network design.
    Integrated security and network design requires coordination.
  • 401.
    Summary
    Security services must provide adequate protection to conduct business in a relatively open environment.
      – There are many types of security threats and associated risks.
      – Each device on the network, such as a host, router, or switch, is a potential security target.
    Network security is part of the system life cycle.
      – Network security is a continuous process built around a security policy.
      – Security design and network design should be integrated.
  • 402.
  • 403.
    Understanding the Cisco Self-Defending Network
    Evaluating Security Solutions for the Network
  • 404.
    Cisco Self-Defending Network
    Efficient security management, control, and response
    Advanced technologies and security services to:
      – Protect critical assets
      – Mitigate the effects of outbreaks
      – Ensure privacy
    Network as Platform
  • 405.
    Network as Platform for Security
    Cisco Integrated Services Routers
      – Integrate Cisco IOS Firewall, VPN, and intrusion prevention system (IPS) services across the Cisco router portfolio
      – Deploy new security features on existing routers using Cisco IOS Software
      – Cisco NAC-enabled
    Cisco Adaptive Security Appliances
      – High-performance firewall, IPS, network antivirus, and IPsec/SSL VPN technologies all in one unified architecture
      – Device consolidation to reduce overall deployment and operations costs and complexities
    Cisco Catalyst Switches
      – Denial-of-service (DoS) attack mitigation
      – Cisco NAC-enabled
      – Integrated security service modules for high-performance threat protection and secure connectivity
      – Man-in-the-middle attack mitigation
  • 406.
    Self-Defending Network Phases
  • 407.
    Trust and Identity Management
  • 408.
    Trust Is the Root of Security
    Trust is a relationship in which two (or more) network entities are allowed to communicate.
    Trust forms the root of all security policy decisions.
    Trust and risk are opposites; security is based on enforcing limitations to trust relationships.
    Trust relationships:
      – Can be explicit or implied
      – Can be inherited
      – Can be abused
  • 409.
    Domains of Trust
    Question: From a security design perspective, what is the key difference between Case 1 and Case 2?
  • 410.
    Domains of Trust
    Question: From a security design perspective, what is the key difference between Case 1 and Case 2?
    Answer: Case 2 is more segmented into domains of trust.
  • 411.
    Example: Domains of Trust

    Domains                                      Gradient   Safeguards Needed
    Private to Public (high risk)                Extreme    Advanced firewalling, flow-based inspection, misuse detection (IPS), constant monitoring
    Production to Lab (low risk)                 Minor      Basic access control, casual monitoring
    Headquarters to Branch (considerable risk)   Steep      Communication security, authentication, confidentiality, integrity concerns
  • 412.
    Identity
    Identity is the “who” of a trust relationship.
    The identity of a network entity is verified by credentials.
    Both people and devices can be authenticated.
    Three authentication attributes:
      – Something you know
      – Something you have
      – Something you are
    Common approaches to identity:
      – Passwords
      – Tokens
      – Certificates
  • 413.
    Passwords
    A password correlates an authorized user with network resources.
  • 414.
    Tokens
    Strong (two-factor) authentication based on “something you know” and “something you have”
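How a token-based second factor is verified, as an added Python example that is not part of the Cisco material. The slide does not say how the token produces its code; the example assumes the common HOTP/TOTP construction (RFC 4226 and RFC 6238) and uses the RFC 4226 test-vector secret as the constructed token seed so the codes can be checked against the published values. The password (something you know) is compared against a salted PBKDF2 hash, the code (something you have) against the codes for the current 30-second step and its neighbours, and both must pass.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit value reduced to the wanted number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


def enroll(password: str):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_two_factor(salt, stored, token_secret, password, code, at, window=1) -> bool:
    """Both factors must pass. The window accepts the neighbouring time steps so a
    slightly skewed token clock still works; keep it small, each step is a guess."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    know = hmac.compare_digest(candidate, stored)
    have = any(
        hmac.compare_digest(totp(token_secret, at + d * STEP), code)
        for d in range(-window, window + 1)
    )
    return know and have   # both computed before deciding; no early exit on either


# Constructed token seed: the RFC 4226 test-vector secret, so the codes are checkable.
DEMO_SECRET = b"12345678901234567890"
```

With the seed above, time 59 falls in step 1 and the token shows 287082; a code from step 3 is rejected even with the right password, and the right code is rejected with the wrong password, which is what makes the factors independent.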
  • 415.
    Access Control in Networks
    Confidentiality and integrity are traditionally supported through access control.
    Access control enforces rules about which entities can access which resources.
    Network access control is based on:
      – Authentication, which establishes the identity of the subject
      – Authorization, which defines what a subject can do in a network
    Audit trails and real-time monitoring provide accounting and security auditing information.
  • 416.
    Example: Trust and Identity Management Technologies
    Access control lists (ACLs)
    Firewalls
      – Stateful inspection
      – Application inspection
    Network Admission Control (NAC)
      – NAC Framework
      – Cisco NAC Appliance
    IEEE 802.1X
    Cisco IBNS
  • 417.
    Firewall Filtering Using ACLs
  • 418.
    NAC Framework and Appliance
    Two approaches for Network Admission Control (NAC)
    NAC Framework
      – Sold through NAC-enabled products
      – Integrated solution leveraging Cisco network and vendor products
      – NAC infrastructure
    Cisco NAC Appliance
      – Sold as a virtual or integrated appliance
      – Self-contained product; integrates with but does not rely on partners
    Offers customers a deployment time-frame choice
    Adapts to the investment protection requirements of the customer
  • 419.
    802.1X Protocol
  • 420.
    Identity and Access Control Deployment Locations
    Authenticate at the edge.
    Deploy ACLs based on policy.
    Practice defense in depth.
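The "Firewall Filtering Using ACLs" slide and the "Deploy ACLs based on policy" item both rest on the ordered, first-match, implicit-deny semantics of an access list. As an added Python example that is not part of the Cisco material, this evaluator applies those semantics to a constructed four-entry list of the kind a designer would place at a user-VLAN edge. The syntax it parses is a small subset of the IOS extended-ACL form (permit or deny, protocol, source and destination given as `any`, `host A.B.C.D` or network plus wildcard mask, an optional `eq` port, and a `log` keyword); it is there to make the rules readable, not to reproduce the real parser.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed extended ACL for a user VLAN: HTTPS to one server, DNS to one
# resolver, everything else toward the server block denied and logged, and the
# remaining traffic (Internet-bound, for example) permitted.
ACL_USER_VLAN = """
permit tcp 10.1.0.0 0.0.255.255 host 10.200.0.10 eq 443
permit udp 10.1.0.0 0.0.255.255 host 10.200.0.53 eq 53
deny   ip  10.1.0.0 0.0.255.255 10.200.0.0 0.0.0.255 log
permit ip  10.1.0.0 0.0.255.255 any
"""

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str                    # permit | deny
    proto: str                     # ip | tcp | udp | icmp
    src: Tuple[int, int]           # (address, wildcard); wildcard 1-bits are "don't care"
    dst: Tuple[int, int]
    dport: Optional[int]           # from "eq N"; None matches any port
    log: bool


def _addr(tokens, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.X.Y.Z."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        aces.append(Ace(t[0], t[1], src, dst, dport, "log" in t[i:]))
    return aces


def _matches(addr: int, spec) -> bool:
    net, wild = spec
    care = ~wild & ALL_ONES          # bits that must be equal
    return addr & care == net & care


def evaluate(aces, proto, src, dst, dport=None):
    """Walk the list in order; the first matching entry decides. Falling off the
    end is the implicit deny, reported with entry number None and no log."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, ace in enumerate(aces, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(s, ace.src) and _matches(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n, ace.log
    return "deny", None, False


ACES = parse_acl(ACL_USER_VLAN)
```

Two details matter for a design review: traffic that misses every entry is dropped silently, so a final explicit `deny ip any any log` is usually added when visibility is wanted, and the order of entries is part of the policy, since swapping lines 3 and 4 would permit everything toward the server block.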
  • 421.
    Threat Defense
    Enhances security in the existing network infrastructure
      – Protects businesses from operational disruption, lost revenue, and loss of reputation.
    Adds comprehensive security on network endpoints
      – Cisco Security Agent provides endpoint protection.
    Adds dedicated security technologies to networking devices and appliances
      – Security technologies are implemented throughout the network.
  • 422.
    Physical Security
  • 423.
    Physical Security Guidelines
    Deploy adequate physical access control.
    Evaluate whether physical access can compromise other security features.
    Identify additional security issues resulting from device theft.
    Protect communications over infrastructure out of your control using cryptography.
  • 424.
    Infrastructure Protection
    The measures taken to preserve the integrity and availability of the network infrastructure as a transport and service entity
    Goals:
      – That the network devices are not accessed or altered in an unauthorized manner
      – That the end-to-end network transport and any integrated services remain available
    Policy enforcement technologies can directly help preserve the integrity and availability of the network.
  • 425.
    Infrastructure Protection Deployment Locations
    Deploy on all network infrastructure devices
      – Different mechanisms are used on different platforms, but typically there are equivalent functions available.
      – More advanced mechanisms are available mainly on higher-end platforms.
    Implement throughout the network
  • 426.
    Recommended Practices for Infrastructure Protection
    Use SSH to access devices.
    Enable AAA and role-based access control for access to all network devices.
    Collect and archive syslog information.
    Use SNMPv3.
    Disable unused services.
    Use SFTP (SSH FTP) or SCP and avoid FTP and TFTP.
    Install vty access lists to limit access to management and CLI services.
    Enable control plane protocol authentication.
    Consider one-step lockdown in SDM for basic router security.
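A checker that applies the practices on this slide to an IOS-style configuration text, as an added Python example that is not part of the Cisco material. Both configurations are constructed: the first shows the weak settings, the second the corrected ones, and the routing key in the hardened text is a placeholder. The checks are textual and cover a subset of the list (vty transport and access-class, AAA, a syslog destination, SNMP version, HTTP and small servers, TFTP against SCP, and routing-protocol authentication); one-step lockdown and role-based authorization detail are not checked.

```python
import re

WEAK_CONFIG = """\
hostname branch-rtr
ip http server
service tcp-small-servers
snmp-server community public RO
tftp-server flash:startup-backup
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname branch-rtr
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip ssh version 2
ip scp server enable
logging host 10.200.0.20
snmp-server group NETMGMT v3 priv
router ospf 1
 area 0 authentication message-digest
 network 10.1.0.0 0.0.255.255 area 0
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 <ospf-key-placeholder>
access-list 10 permit 10.200.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""

UNNEEDED = ("ip http server", "service tcp-small-servers", "service udp-small-servers")


def _section(cfg, prefix):
    """Indented lines under the top-level commands that start with prefix."""
    body, inside = [], False
    for raw in cfg.splitlines():
        if not raw.startswith(" "):
            inside = raw.startswith(prefix)
        elif inside:
            body.append(raw.strip())
    return body


def audit(cfg: str) -> list:
    """One finding per violated practice; an empty list means every check passed."""
    lines = [l.strip() for l in cfg.splitlines()]
    found = []
    vty = _section(cfg, "line vty")
    transports = [l.split()[2:] for l in vty if l.startswith("transport input")]
    if transports != [["ssh"]]:
        found.append("vty: transport input is not restricted to ssh")
    if not any(l.startswith("access-class") for l in vty):
        found.append("vty: no access-class limiting management sources")
    if "aaa new-model" not in lines:
        found.append("aaa: AAA not enabled (no 'aaa new-model')")
    if not any(l.startswith("logging host") for l in lines):
        found.append("syslog: no logging host configured")
    if any(l.startswith("snmp-server community") for l in lines):
        found.append("snmp: v1/v2c community string configured")
    if not any(re.match(r"snmp-server group \S+ v3 priv", l) for l in lines):
        found.append("snmp: no SNMPv3 group with authPriv")
    for svc in UNNEEDED:
        if svc in lines:
            found.append(f"services: '{svc}' should be disabled")
    if any(l.startswith("tftp-server") for l in lines):
        found.append("transfer: TFTP server enabled; prefer SCP or SFTP")
    if "ip scp server enable" not in lines:
        found.append("transfer: SCP server not enabled")
    routing = any(re.match(r"router (ospf|eigrp)", l) for l in lines)
    authed = any("message-digest" in l or "authentication mode eigrp" in l for l in lines)
    if routing and not authed:
        found.append("control plane: routing protocol without neighbor authentication")
    return found
```

Run against archived configurations, a check like this turns the slide's list into a repeatable compliance test; the weak configuration above fails all eleven checks and the hardened one passes cleanly.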
  • 427.
    Threat Detection and Mitigation
    Provide early detection and notification of unpredicted malicious traffic or behavior.
    Goals:
      – To detect, notify of, and help stop an event or traffic that is unauthorized and unpredicted
      – To help preserve the availability of the network, particularly against unknown or unforeseen attacks
    Technologies include:
      – Endpoint protection
      – Infection containment
      – Intrusion and anomaly detection
      – Application security and anti-X defense
  • 428.
    Example: Threat Detection and Mitigation Technologies
    Network-based intrusion prevention systems (NIPS)
      – Adaptive security appliance (ASA)
      – IPS sensor appliance
      – Cisco IOS IPS
    Host-based intrusion prevention systems (HIPS)
      – Cisco Security Agent
    NetFlow
    Syslog
    Event correlation systems
      – Cisco Security Monitoring, Analysis, and Response System (MARS)
    Cisco Traffic Anomaly Detector Module
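NetFlow is listed above as a detection source, and the "Reconnaissance and Vulnerability Scanning" slide earlier in the module describes the port scanning that flow data is good at exposing. As an added Python example that is not part of the Cisco material, this is the anomaly-detection logic run over constructed flow records: one workstation behaving normally, and one host that walks 25 ports on a server and then probes a single port across 15 hosts. Low-volume flows are grouped by source and fixed time bucket; many distinct ports on one host is reported as a port scan, many distinct hosts on one port as a host sweep. The record layout, thresholds and window are assumptions, not Cisco NetFlow field names.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, Unix seconds
    src: str
    dst: str
    dport: int
    proto: str
    packets: int


def _sample_flows():
    """Constructed flow records: normal use plus a vertical scan and a horizontal sweep."""
    flows = []
    for i in range(6):   # normal: repeated HTTPS and DNS, real sessions
        flows.append(Flow(1000 + 7 * i, "10.1.5.7", "10.200.0.10", 443, "tcp", 40))
        flows.append(Flow(1003 + 7 * i, "10.1.5.7", "10.200.0.53", 53, "udp", 2))
    for i in range(25):  # vertical scan: one packet per port on one server
        flows.append(Flow(1000 + i, "10.1.7.42", "10.200.0.10", 1 + i, "tcp", 1))
    for i in range(15):  # horizontal sweep: one port across many hosts
        flows.append(Flow(2000 + i, "10.1.7.42", f"10.200.0.{100 + i}", 445, "tcp", 1))
    return flows


FLOWS = _sample_flows()


def detect_scans(flows, window=60, port_threshold=10, host_threshold=10, max_packets=3):
    """Alert when, within one window, a source touches many ports on a host
    (port scan) or one port on many hosts (host sweep). Only short flows count:
    a probe is a packet or two, a real session is not."""
    ports_per_host = defaultdict(set)   # (src, bucket, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (src, bucket, dport) -> {dst}
    for f in flows:
        if f.packets > max_packets:
            continue
        b = f.ts // window
        ports_per_host[(f.src, b, f.dst)].add(f.dport)
        hosts_per_port[(f.src, b, f.dport)].add(f.dst)

    alerts = []
    for (src, b, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            alerts.append({"kind": "port-scan", "src": src, "target": dst,
                           "count": len(ports), "window_start": b * window})
    for (src, b, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append({"kind": "host-sweep", "src": src, "port": dport,
                           "count": len(hosts), "window_start": b * window})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(FLOWS):
        print(a)
```

Fixed buckets keep the logic short but split activity that straddles a boundary (the scan here spans two buckets and only the larger half alerts); a production correlator uses a sliding window and feeds the alert, with the flow evidence, to the event-correlation system named on the slide.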
  • 429.
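The slides name NetFlow and anomaly detection as threat-detection inputs without showing what a detector does with the records. Below is an added example written for this page (not Cisco, NetFlow or MARS code) that applies a simple fan-out heuristic to flow records: a source reaching an unusual number of distinct ports on one host, or an unusual number of hosts on one port, is reported. The record format (src,dst,proto,dport,packets), the thresholds and the sample flows are constructed for the example.

```python
"""Fan-out anomaly detection over NetFlow-style records.  Added example for
this page, not Cisco code; record layout, thresholds and sample flows are
constructed assumptions."""
from collections import defaultdict

# Constructed flow export lines: src,dst,proto,dport,packets (one per flow).
SAMPLE_FLOWS = [
    "10.1.20.15,10.1.50.8,6,443,120",
    "10.1.20.15,10.1.50.9,6,443,88",
    "10.1.20.77,10.1.50.8,6,22,40",
]
# One constructed host touching 20 ports on a single server ...
SAMPLE_FLOWS += [f"10.1.20.99,10.1.50.8,6,{port},1" for port in range(1, 21)]
# ... and one touching the same port on 20 servers.
SAMPLE_FLOWS += [f"10.1.20.66,10.1.50.{host},6,445,1" for host in range(1, 21)]


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    src, dst, proto, dport, packets = line.strip().split(",")
    return {"src": src, "dst": dst, "proto": int(proto),
            "dport": int(dport), "packets": int(packets)}


def detect_fan_out(flows, port_threshold=15, host_threshold=15):
    """Return sorted (src, kind, target, count) alerts.

    kind is "vertical" when one source reaches >= port_threshold distinct
    ports on a single destination, and "horizontal" when one source reaches
    >= host_threshold distinct destinations on a single port."""
    ports_per_pair = defaultdict(set)   # (src, dst)   -> distinct dports
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct dsts
    for f in flows:
        ports_per_pair[(f["src"], f["dst"])].add(f["dport"])
        hosts_per_port[(f["src"], f["dport"])].add(f["dst"])

    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            alerts.append((src, "vertical", dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append((src, "horizontal", dport, len(hosts)))
    return sorted(alerts)


def run_demo():
    """Run the detector over the constructed sample and return the alerts."""
    return detect_fan_out(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Thresholds like these are tuned per site against a baseline of normal fan-out; the point of the example is that the detection needs only the header fields NetFlow already exports, which is why the later deployment slides list NetFlow alongside IPS in every enterprise module.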
Threat Detection and Mitigation Solutions Deployment Locations (DESGN v2.0—6-27)

Secure Connectivity (DESGN v2.0—6-28)

Encryption Fundamentals (DESGN v2.0—6-29)
  A method of protecting the confidentiality of data
  Uses keys to encrypt the data and decrypt it at a later time

Encryption Keys (DESGN v2.0—6-30)
  Shared secrets:
    – Secret key is carried “out of band” to the remote side.
    – Easiest mechanism, but it has inherent security concerns.
  Public key infrastructure (PKI):
    – Uses “asymmetric cryptography” in which the encryption key is different from the decryption key
    – Lets you publish the encryption key, while keeping the decryption key secret
    – Widely used in e-commerce sites around the world

VPN Protocols (DESGN v2.0—6-31)
  IPsec (IP security)
    – Built directly on the IP layer (Protocol 50)
    – Uses IKE and ESP
    – Requires IPsec software on endpoints
  SSL (Secure Socket Layer)
    – Built on top of the TCP layer (port 443)
    – Provides confidentiality for web traffic (HTTPS)
    – All major browsers can use SSL

Transmission Confidentiality (DESGN v2.0—6-32)

Transmission Confidentiality Guidelines (DESGN v2.0—6-33)
  Evaluate the location for transmission confidentiality needs.
  Use the strongest available cryptography, performance permitting.
  Use well-known and established cryptographic algorithms.
  Do not focus on confidentiality alone; integrity and authenticity are also important.

Data Integrity (DESGN v2.0—6-34)

Data Integrity Guidelines (DESGN v2.0—6-35)
  Evaluate the need for transmission integrity.
  Use the strongest available cryptography, performance permitting.
  Use well-known and established cryptographic algorithms.

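The confidentiality guideline earlier in this lesson warns against focusing on confidentiality alone, and the integrity guidelines above say why a separate integrity mechanism matters; the following added example (written for this page, not Cisco code) shows both points in working code. A toy XOR keystream derived from SHA-256 stands in for a real cipher such as the AES used by IPsec ESP or SSL; the keys, nonce and message are constructed. Without a MAC, a single changed bit in the ciphertext decrypts to a different, plausible message; with encrypt-then-MAC (HMAC-SHA256 over nonce and ciphertext, verified in constant time before decryption) the same change is rejected.

```python
"""Encrypt-then-MAC demonstration: confidentiality alone gives no integrity
or authenticity.  Added example for this page, not Cisco code.  The XOR
keystream is a toy stand-in for a real cipher; keys, nonce and message are
constructed for a reproducible run."""
import hashlib
import hmac

ENC_KEY = b"\x00" * 32           # constructed demo keys (fixed only for the demo)
MAC_KEY = b"\x01" * 32
NONCE = b"\x00" * 12
TAG_LEN = 32                     # HMAC-SHA256 output size
PLAINTEXT = b"PAY 100 TO ACCT 42"


def keystream(key, nonce, length):
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, nonce, data):
    """Stream-cipher style XOR; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(plaintext):
    """Encrypt, then authenticate nonce || ciphertext with HMAC-SHA256."""
    ct = xor_crypt(ENC_KEY, NONCE, plaintext)
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return NONCE + ct + tag


def open_sealed(packet):
    """Verify the tag in constant time before decrypting; None on failure."""
    nonce, ct, tag = packet[:12], packet[12:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(ENC_KEY, nonce, ct)


def flip_bit(data, index, mask=0x01):
    """Model a single-bit change to the data while in transit."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def confidentiality_only():
    """Without a MAC the receiver decrypts the altered ciphertext without complaint."""
    ct = xor_crypt(ENC_KEY, NONCE, PLAINTEXT)
    return xor_crypt(ENC_KEY, NONCE, flip_bit(ct, 4))   # byte 4 is the '1' of "100"


def with_integrity():
    """With encrypt-then-MAC the same change is rejected before decryption."""
    return open_sealed(flip_bit(seal(PLAINTEXT), 12 + 4))


if __name__ == "__main__":
    print("confidentiality only :", confidentiality_only())   # altered amount, no error
    print("encrypt-then-MAC     :", with_integrity())         # None: packet rejected
```

This is what ESP's integrity check value and the TLS record MAC (or an AEAD mode) provide in the VPN protocols listed earlier; the guideline's "well-known and established algorithms" point applies to the MAC as much as to the cipher, which is why the example uses HMAC-SHA256 rather than a hand-rolled checksum.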
Security Management Overview (DESGN v2.0—6-36)
  Security management does the following:
    – Collects, analyzes, and presents data
    – Provisions policies on security devices
    – Maintains consistency and change control of policies
    – Provides role-based access control and accounts for all user activity
  A security implementation is only as good as the policies used.
  The biggest risk to security in a properly planned architecture is policy error.

Security Management Solutions (DESGN v2.0—6-37)
  Cisco Router and Security Device Manager (SDM)
  Cisco Adaptive Security Device Manager (ASDM)
  Cisco Intrusion Prevention System Device Manager (IDM)
  Management Center for Cisco Security Agents
  Cisco Secure Access Control Server (ACS)
  Cisco Security Manager
  Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)

Summary (DESGN v2.0—6-38)
  The Cisco Self-Defending Network integrates security into the network to provide the network the ability to identify, prevent, and adapt to threats.
  Trust and identity management provide secure network access and admission at any point in the network and isolate and control infected or unpatched devices that attempt to access the network.
  Threat defense provides a strong defense against known and unknown attacks using security integrated in routers, switches, and appliances.
  Secure connectivity uses encryption and authentication to provide secure transport across untrusted networks.
  Security management is a framework for scalable policy administration and enforcement.

Selecting Network Security Solutions: Evaluating Security Solutions for the Network (DESGN v2.0—6-1)

Network Devices Supporting Integrated Security (DESGN v2.0—6-2)
  Cisco IOS router security
  PIX security appliance
  Adaptive security appliance (ASA)
  VPN concentrator
  Intrusion prevention system
  Catalyst service modules
  Endpoint security

Integrated Security for Cisco IOS Routers (DESGN v2.0—6-3)
  Cisco IOS Firewall
    – Stateful multiservice application-based filtering
  Cisco IOS IPS
    – In-line deep-packet inspection
  Cisco IOS IPsec
    – Data encryption at the IP packet level
  Cisco IOS trust and identity
    – AAA
    – PKI
    – SSH
    – SSL

Example: Security Hardware Options for ISRs (DESGN v2.0—6-4)
  Built-in VPN acceleration
  Voice security options
  High-performance AIM
  Cisco IDS Network Module
  Cisco Content Engine Module
  Cisco Network Analysis Module

Security Appliances (DESGN v2.0—6-5)
  VPN concentrator
    – IPsec and SSL VPN support
  PIX security appliance
    – Rich application and protocol inspection
    – Integrated site-to-site and remote access VPNs
  ASA, a multifunction security appliance
    – Stateful firewall of PIX appliance, plus
    – Adaptive threat defense capabilities
        Application security
        Anti-X defenses
        IPS
    – Advanced integration modules

Intrusion Prevention Systems (DESGN v2.0—6-6)
  In line (IPS) or passive (IDS)
  Multivector threat identification
  Network speeds from multiple T1s to 1 Gbps
    – IPS 4215 sensor protects up to 65 Mbps of traffic
    – IPS 4240 sensor protects up to 250 Mbps of traffic
    – IPS 4255 sensor protects up to 500 Mbps of traffic
    – IPS 4260 sensor protects up to 1 Gbps of traffic

Cisco Catalyst Service Modules (DESGN v2.0—6-7)
  Cisco Firewall Services Module
  Cisco Intrusion Detection System Services Module
  Cisco SSL Services Module
  Cisco IPSec VPN SPA
  Cisco Traffic Anomaly Detector Module
  Cisco Anomaly Guard Module
  Cisco Network Analysis Module

Cisco Security Agent (DESGN v2.0—6-8)
  Spyware and adware protection
  Protection against buffer overflows
  Distributed firewall capabilities
  Malicious mobile code protection
  Operating-system integrity assurance
  Application inventory
  Audit log consolidation

Securing the Enterprise Network (DESGN v2.0—6-9)
  Embed Self-Defending Network features throughout the network in:
    – The enterprise campus
    – The enterprise data center
    – The enterprise edge
  Use Self-Defending Network technologies, including:
    – Identity and access control
    – Threat defense
    – Infrastructure protection
    – Security management

Deploying Security in the Enterprise Campus—Identity and Access Control (DESGN v2.0—6-10)
  802.1X or NAC
  NAC appliance
  ACLs
  Firewall
    – Stateful inspection
    – Application inspection

Deploying Security in the Enterprise Campus—Threat Detection and Mitigation (DESGN v2.0—6-11)
  NetFlow
  Syslog
  SNMP
  Host IPS (Cisco Security Agent)
  Network IPS
  Cisco Security MARS, Cisco Security Manager

Deploying Security in the Enterprise Campus—Infrastructure Protection (DESGN v2.0—6-12)
  AAA
  SSH
  SNMPv3
  IGP or EGP Message Digest 5
  Layer 2 security features

Deploying Security in the Enterprise Campus—Summary (DESGN v2.0—6-13)
  Identity and access control: 802.1X, NAC, ACLs, firewalls
  Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
  Infrastructure protection: AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
  Security management: Cisco Security Manager, Cisco Security MARS

Deploying Security in the Enterprise Data Center—Identity and Access Control (DESGN v2.0—6-14)
  802.1X
  ACLs
  Firewalls

Deploying Security in the Enterprise Data Center—Threat Detection and Mitigation (DESGN v2.0—6-15)
  NetFlow
  Syslog
  SNMP
  Host IPS (Cisco Security Agent)
  Network IPS
  Cisco Security MARS, Cisco Security Manager

Deploying Security in the Enterprise Data Center—Infrastructure Protection (DESGN v2.0—6-16)
  AAA
  SNMPv3
  SSH
  IGP or EGP MD5
  Layer 2 security features

Deploying Security in the Enterprise Data Center—Summary (DESGN v2.0—6-17)
  Identity and access control: 802.1X, ACLs, firewalls
  Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
  Infrastructure protection: AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
  Security management: Cisco Security Manager, Cisco Security MARS

Deploying Security in the Enterprise Edge—Identity and Access Control (DESGN v2.0—6-18)
  ACLs
  Firewall
  IPSec or SSL VPN
  NAC appliance

Deploying Security in the Enterprise Edge—Threat Detection and Mitigation (DESGN v2.0—6-19)
  NetFlow
  Syslog
  SNMP
  IPS (host or network)
  Cisco Security MARS, Cisco Security Manager

Deploying Security in the Enterprise Edge—Infrastructure Protection (DESGN v2.0—6-20)
  SNMPv3
  AAA
  SSH
  IGP or EGP MD5

Deploying Security in the Enterprise Edge—Summary (DESGN v2.0—6-21)
  Identity and access control: Firewalls, IPSec, SSL VPN, ACLs
  Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
  Infrastructure protection: AAA, CoPP, SSH, RFC 2827, SNMPv3, IGP/EGP MD5
  Security management: Cisco Security Manager, Cisco Security MARS

Summary (DESGN v2.0—6-22)
  Cisco has integrated security features into the network devices, including ACLs, firewall support, VPNs, IPS, and event logging.
  The Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.

Security Design Review (DESGN v2.0—6-1)
  Define the security requirements.
  Define the security policy.
  Integrate security in the network design:
    – Implement trust and identity management to secure network access and admission.
    – Deploy threat defense to provide a defense against known and unknown attacks.
    – Use secure connectivity for encryption and authentication on untrusted networks.
    – Deploy security management to scale policy administration and enforcement.
  Select locations to deploy appropriate Cisco Self-Defending Network elements and Cisco network devices.

Module Summary (DESGN v2.0—6-2)
  Network security is a continuous process built around a security policy and integrated with network design.
  The Cisco Self-Defending Network is based on a secure network platform and uses trust and identity management, threat defense, and secure connectivity to integrate security into the network.
  Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.

Identifying Voice Networking Considerations
Designing for Cisco Internetwork Solutions (DESGN) v2.0 (DESGN v2.0—7-1)

Reviewing Traditional Voice Architectures and Features: Identifying Voice Networking Considerations (DESGN v2.0—7-4)

Analog-to-Digital Conversion (DESGN v2.0—7-5)
  Steps for converting analog signal to digital format:
  Filtering
  Sampling
  Digitizing
    – Quantization and coding
    – Companding (a-law, mu-law)

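The digitizing step above names quantization, coding and companding without showing what companding buys. The following added example, written for this page rather than taken from Cisco material, implements the G.711 mu-law encoder and decoder (the segmented layout also found in the classic CCITT/Sun reference code): each signed 16-bit sample is folded into one 8-bit code, so a voice channel at 8,000 samples per second needs the 64 kbps circuit mentioned on the next slide. It also compares the quantization error against a uniform 8-bit quantizer on quiet and loud samples; the sample values are constructed.

```python
"""G.711 mu-law companding of 16-bit linear PCM samples.  Added example for
this page, not Cisco code; it follows the segmented mu-law layout of ITU-T
G.711.  Sample values are constructed."""

BIAS = 0x84      # 132, added before coding so segment boundaries line up
CLIP = 32635     # largest magnitude the 8-bit code can represent (before bias)


def _segment(value):
    """Mu-law segment 0..7: position of the highest set bit of value >> 7."""
    seg = 0
    v = value >> 7
    while v > 1 and seg < 7:
        v >>= 1
        seg += 1
    return seg


def mulaw_encode(sample):
    """Compand one signed 16-bit sample into one 8-bit mu-law code."""
    sign = 0x80 if sample < 0 else 0x00
    magnitude = min(-sample if sample < 0 else sample, CLIP) + BIAS
    exponent = _segment(magnitude)
    mantissa = (magnitude >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF   # G.711 inverts the bits on the wire


def mulaw_decode(code):
    """Expand one 8-bit mu-law code back to a signed 16-bit sample."""
    code = ~code & 0xFF
    sign = code & 0x80
    exponent = (code >> 4) & 0x07
    mantissa = code & 0x0F
    magnitude = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -magnitude if sign else magnitude


def encode_frame(samples):
    """One byte per sample: 8,000 samples/s becomes 64 kbps on the circuit."""
    return bytes(mulaw_encode(s) for s in samples)


def linear8_roundtrip(sample):
    """Uniform 8-bit quantizer (keep the top 8 of 16 bits), for comparison."""
    return (sample >> 8) << 8


def quantization_error(sample):
    """(mu-law error, uniform 8-bit error) in linear units for one sample."""
    return (abs(mulaw_decode(mulaw_encode(sample)) - sample),
            abs(linear8_roundtrip(sample) - sample))


if __name__ == "__main__":
    for s in (100, 1000, 10000):          # constructed quiet, medium and loud samples
        print(s, hex(mulaw_encode(s)), quantization_error(s))
```

The step size doubles with each segment (8 linear units in segment 0, 1,024 in segment 7), so quiet samples keep fine resolution while loud ones are coded coarsely; that is the logarithmic companding the slide refers to, and a-law differs only in the segment layout and bit inversion pattern.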
PBXs and Switches (DESGN v2.0—7-6)
  PBX                                                    PSTN switch
  Used in private sector                                 Used in public sector
  Scales to n * 1000 phones                              Scales to n * 100,000 phones
  Mostly digital                                         Mostly digital
  Uses 64-kbps circuits                                  Uses 64-kbps circuits
  Uses proprietary protocols to control phones           Uses open-standard protocols between switches and phones
  Interconnects remote branch subsystems and telephones  Interconnects with other PSTN switches, PBXs, and telephones

Example: PBXs and PSTN Switches (DESGN v2.0—7-7)

PBX Features (DESGN v2.0—7-8)
  PBX features:
    – Call holding
    – Conferencing
    – Transferring
    – Music on hold
    – Forwarding
    – Call history
    – Parking
    – Voice mail
  PBX can connect to PSTN through T1 or E1

PSTN Switch (DESGN v2.0—7-9)

Local Loops, Trunks, and Interoffice Communications (DESGN v2.0—7-10)

Foreign Exchange Trunks (DESGN v2.0—7-11)
  Foreign Exchange Office (FXO):
    – Emulates a phone
    – Connects to a station port of a PBX or to the PSTN switch
  Foreign Exchange Station (FXS):
    – Emulates a PBX
    – Provides connections for standard phones and fax machines

Basic Telephony Signaling (DESGN v2.0—7-12)
  Local-loop signaling:
    – Telephone to switch
  Trunk signaling:
    – Switch to switch
    – PBX to switch
    – PBX to PBX
  Basic categories:
    – Supervision signaling
    – Address signaling
    – Informational signaling

Analog Signaling on a PBX (DESGN v2.0—7-13)
  Local-loop signaling:
    Loop start:
      – The simplest
      – For subscriber loops
      – Occurrences of glare
    Ground start:
      – Modification of loop start
      – For PBX loops
      – Minimizes glare
  Trunk signaling:
    E&M (recEive and transMit):
      – Between PBXs
      – Five types of signaling
      – Separate paths for voice and signaling
      – More intelligent

CAS and CCS Signaling (DESGN v2.0—7-14)
  Channel associated signaling:
    – Signal for call setup in the same channel as a voice call
    – Examples:
        T1 or E1 signaling
        DTMF
  Common channel signaling:
    – Messages for call setup
    – Examples:
        ISDN
        DPNSS
        QSIG
        SS7

ISDN Digital Signaling (DESGN v2.0—7-15)
  Channel   Capacity     Mostly used for
  B         64 kbps      Circuit-switched data
  D         16/64 kbps   Signaling information

    www.CareerCert.info Q Signaling Standards-based protocol for inter-PBX communications Enables interconnection of multivendor equipment Enables basic services and feature transparency between PBXs Is interoperable with public and private ISDNs Does not impose any restrictions on private numbering plans © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-16 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 482.
    www.CareerCert.info SS7 Signaling Used between PSTN switches Signaling implemented on a separate data network Trunk channels used solely for voice transmission Replaces per-trunk in-band signaling © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-17 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 483.
    www.CareerCert.info PSTN Numbering Plans Set of rules for routing voice calls through the PSTN Based on the ITU-T recommendation E.164 Example: North American Numbering Plan (NANP) © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-18 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 484.
Example Country Codes (DESGN v2.0-7-19)
    Country Code   Zone   Country
    1              1      Canada, United States
    1242           1      Bahamas
    1787           1      Puerto Rico
    1876           1      Jamaica
    20             2      Egypt
    212            2      Morocco
    213            2      Nigeria
    30             3      Greece
    34             3      Spain
    386            3      Slovenia
    44             4      United Kingdom
    45             4      Denmark
    51             5      Peru
    52             5      Mexico
    61             6      Australia
    63             6      Philippines
    679            6      Fiji Islands
    7              7      Kazakhstan, Russia
    81             8      Japan
    86             8      China
    886            8      Taiwan
    91             9      India
    966            9      Saudi Arabia
    995            9      Georgia

Example: Routing Calls Based on a Numbering Plan (DESGN v2.0-7-20 to 7-27)
    [Eight figure-only slides stepping through the routing example; the figures are not reproduced in the text.]
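The routing slides above are figures only. The following is an added example, not part of the course material, showing the digit analysis a call-processing system performs against a numbering plan: dialed digits are matched to route patterns (closest match wins, the access code before the "." is stripped), and an international number is then resolved by longest-prefix lookup against the country-code table on the "Example Country Codes" slide. The private route patterns, the route-class names and the sample numbers are constructed; the route-pattern notation (X, !, [a-b], ".") is the one used by Cisco call-processing products. The route class is also the natural place to attach per-user calling restrictions, which the slides do not cover.

```python
import re

# Country-code rows from the "Example Country Codes" slide: code -> (zone, country).
COUNTRY_CODES = {
    "1": (1, "Canada, United States"), "1242": (1, "Bahamas"),
    "1787": (1, "Puerto Rico"), "1876": (1, "Jamaica"),
    "20": (2, "Egypt"), "212": (2, "Morocco"), "213": (2, "Nigeria"),
    "30": (3, "Greece"), "34": (3, "Spain"), "386": (3, "Slovenia"),
    "44": (4, "United Kingdom"), "45": (4, "Denmark"),
    "51": (5, "Peru"), "52": (5, "Mexico"),
    "61": (6, "Australia"), "63": (6, "Philippines"), "679": (6, "Fiji Islands"),
    "7": (7, "Kazakhstan, Russia"),
    "81": (8, "Japan"), "86": (8, "China"), "886": (8, "Taiwan"),
    "91": (9, "India"), "966": (9, "Saudi Arabia"), "995": (9, "Georgia"),
}

# Constructed (hypothetical) private dial plan. Notation: X = any digit,
# ! = one or more digits, [a-b] = digit range, "." marks the end of the
# access code, which is stripped before the remaining digits are forwarded.
ROUTE_PATTERNS = [
    ("[1-5]XXX", "internal"),                    # four-digit extensions
    ("911", "emergency"),
    ("9.911", "emergency"),                      # emergency dialed with the access code
    ("9.[2-9]XXXXXX", "local-pstn"),             # seven-digit local call
    ("9.1[2-9]XX[2-9]XXXXXX", "national-pstn"),  # NANP long distance
    ("9.011!", "international"),                 # 011 = NANP international prefix
]

def _digits(dialed):
    """Normalise a dialed string: keep digits only (drops '+', spaces, dashes)."""
    return re.sub(r"\D", "", dialed)

def pattern_to_regex(pattern):
    """Compile a route pattern to an anchored regex; the '.' carries no digit."""
    out = []
    for ch in pattern.replace(".", ""):
        if ch == "X":
            out.append("[0-9]")
        elif ch == "!":
            out.append("[0-9]+")
        else:
            out.append(ch)  # literal digit, or a [a-b] range that is valid regex as-is
    return re.compile("^" + "".join(out) + "$")

def _specificity(pattern):
    """Closest-match rule: the pattern with more fixed digits wins."""
    without_ranges = re.sub(r"\[[^\]]*\]", "", pattern)
    return sum(ch.isdigit() for ch in without_ranges)

def strip_access_code(pattern, digits):
    """Remove the digits that precede the '.' in the matched pattern."""
    if "." not in pattern:
        return digits
    return digits[len(pattern.split(".", 1)[0]):]

def country_for_e164(number):
    """Longest-prefix lookup of a country code (1 to 4 digits in this table)."""
    digits = _digits(number)
    for length in range(min(4, len(digits)), 0, -1):
        hit = COUNTRY_CODES.get(digits[:length])
        if hit:
            return {"code": digits[:length], "zone": hit[0], "country": hit[1]}
    return None

def route(dialed):
    """Digit analysis: pick the closest matching route pattern and return the
    route class plus the digits forwarded after access-code stripping."""
    digits = _digits(dialed)
    matches = [(p, c) for p, c in ROUTE_PATTERNS if pattern_to_regex(p).match(digits)]
    if not matches:
        return {"pattern": None, "class": "unroutable", "forward": digits}
    pattern, route_class = max(matches, key=lambda m: _specificity(m[0]))
    forwarded = strip_access_code(pattern, digits)
    result = {"pattern": pattern, "class": route_class, "forward": forwarded}
    if route_class == "international":
        # forwarded digits start with the 011 prefix; the E.164 number follows it
        result["destination"] = country_for_e164(forwarded[3:])
    return result

if __name__ == "__main__":
    for dialed in ("2001", "911", "9 555 0100", "9 1 242 555 0100", "9 011 44 20 7946 0000"):
        print(dialed, "->", route(dialed))
```

Note that "1242" (Bahamas) and "1" (Canada, United States) both match a number beginning with 1; the longest-prefix rule is what makes the zone-1 island codes resolve correctly.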
Portion of UK National Numbering Plan (DESGN v2.0-7-28)
    Number Range          Description
    0                     Trunk prefix (national long-distance calling prefix)
    (01xxx) xxx xxx       Geographic numbering options: area code and subscriber number
    (01x1) xxx xxxxx
    (011x) xxx xxxxx
    (02x) xxxx xxxx
    (01xxx[x]) xxxx[x]
    (05x) xxxx xxxx       Reserved for corporate numbering
    (07xxx) xxxxxx        Mobile phones, pagers, and personal numbering
    (0800) xxx xxx        Freephone (except for mobile phone)
    (0800) xxx xxxx
    (0808) xxx xxxx
    999                   Free emergency number
    112

Summary (DESGN v2.0-7-29)
    A telephone system transports analog speech over a digital network.
    PBXs and public telephone switches share many similarities, but they also have differences.
    The telephone infrastructure includes local loops and trunks.
    In a telephony system, a signaling mechanism is required to establish and disconnect telephone communications.
    Each telephone must have a unique address based on the E.164 standard.
Lesson: Identifying Design Considerations for Voice Services (DESGN v2.0-7-1)
Module: Identifying Voice Networking Considerations

Separate Voice and Data Networks (DESGN v2.0-7-2)
    Companies want to reduce WAN costs by integration.
    Data is the primary traffic on many voice networks.
    PSTN architecture is not flexible enough.
    The PSTN cannot integrate voice, data, and video.

Example: Voice over IP (DESGN v2.0-7-3)
    [Figure-only slide.]

Example: IP Telephony (DESGN v2.0-7-4)
    [Figure-only slide.]

Introducing H.323 (DESGN v2.0-7-5)
    ITU-T standard
    Describes packet-based video, audio, and data communication across packet-based networks
    Provides session setup, monitoring, and termination
    Refers to a set of other standards:
        – H.225 (Q.931): Call signaling
        – H.245: Capability negotiation and media stream management

H.323 Components (DESGN v2.0-7-6)
    [Figure-only slide.]

Example: H.323 Components and Their Interactions (DESGN v2.0-7-7)
    [Figure-only slide.]

The Importance of a Gatekeeper (DESGN v2.0-7-8)
    [Figure-only slide.]

IP Telephony Components (DESGN v2.0-7-9)
    [Figure-only slide.]

Design Goals of IP Telephony (DESGN v2.0-7-10)
    To use end-to-end IP telephony between sites with IP connectivity
    To make IP telephony widely usable
    To lower long-distance costs
    To make IP telephony cost-effective
    To provide high availability of IP telephony
    To offer lower total cost of ownership and greater flexibility
    To enable new applications on top of IP telephony via third-party software
    To improve remote worker, agent, and work-at-home staff productivity
    To facilitate data and telephony network consolidation

Single-Site IP Telephony Design (DESGN v2.0-7-11)
    [Figure-only slide.]

Multisite WAN with Centralized Call Processing Design (DESGN v2.0-7-12)
    [Figure-only slide.]

Multisite WAN with Distributed Call Processing Design (DESGN v2.0-7-13)
    [Figure-only slide.]

Call Control and Transport Protocols (DESGN v2.0-7-14)
    Voice call control functions:
        – Q.931 call setup signaling
        – H.245 call capability control
        – RAS signaling
        – RTP Control Protocol (RTCP)
    Voice conversation:
        – Real-Time Transport Protocol (RTP)

SCCP Control (DESGN v2.0-7-15)
    SCCP is a client-server protocol.
    SCCP clients register with Cisco Unified CallManager to receive their configuration information.
    Media connections between SCCP clients use RTP.

SIP Control (DESGN v2.0-7-16)
    SIP is a peer-to-peer protocol.
    SIP user agents communicate with a SIP proxy server.
    SIP phones can register with Cisco Unified CallManager.

MGCP Control (DESGN v2.0-7-17)
    MGCP is a client-server protocol.
    The MGCP gateway translates between endpoints and IP phones.
    Call agents control MGCP endpoints.

Summary (DESGN v2.0-7-18)
    Business needs are driving the need for unified voice and data networks that are not on the PSTN.
    The H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet.
    IP telephony refers to communication services and voice, facsimile, and voice-messaging applications that are transported via the IP network rather than the PSTN.
    Voice communication over IP relies on control protocols such as H.323, SCCP, SIP, and MGCP.
Lesson: Identifying the Requirements of Voice Technologies (DESGN v2.0-7-1)
Module: Identifying Voice Networking Considerations

Voice Quality Considerations (DESGN v2.0-7-2)
    Examine the possible causes of packet loss and delay in the initial design.
    Use QoS mechanisms as the groundwork for a high-quality voice network.

Fixed Network Delay Considerations (DESGN v2.0-7-3)
    Source of delay                                   Solution
    Propagation delay: 6 ms per km                    None
    Serialization delay: frame length / bit rate      Faster link, smaller packets
    Processing delay: depends on codec                Hardware DSPs, coding algorithm
        – Coding and compression
        – Packetization

Variable Network Delay Considerations (DESGN v2.0-7-4)
    Source of delay                                                Solutions
    Queuing delay (variable packet sizes and number of packets)    Link fragmentation and interleaving
                                                                   Constant delay, uncongested network
                                                                   Dejitter buffers

Jitter (DESGN v2.0-7-5)
    Variation in the delay of received packets
    Caused by network congestion, improper queuing, or configuration errors

Packet Loss (DESGN v2.0-7-6)
    Causes voice clipping
    Caused by:
        – Congested links
        – Improper network QoS configuration
        – Bad packet buffer management on the routers
        – Routing problems
    Up to 30 ms of lost voice is correctable by the DSP using interpolation
    Losses of up to one packet are correctable with no voice quality degradation

Problem of Echo (DESGN v2.0-7-7)
    [Figure-only slide.]

Echo Cancellers Reduce the Level of Echo (DESGN v2.0-7-8)
    [Figure-only slide.]

Voice Coding and Compression (DESGN v2.0-7-9)
    The quality of transmitted speech is a subjective listener response.
    MOS is a common benchmark to define sound quality.
    MOS scales from 1 (bad) to 5 (excellent).

    Coding         ITU Standard    Data Rate*          MOS Score
    PCM            G.711           64 kbps             4.1
    ADPCM          G.726/G.727     16/24/32/40 kbps    3.85 or less
    LD-CELP        G.728           16 kbps             3.61
    CS-ACELP       G.729           8 kbps              3.92
    ACELP/MPMLQ    G.723.1         6.3/5.3 kbps        3.9/3.65
    *Note: Data rates shown are for digitized speech only and do not include the overhead of RTP, UDP, IP, and Layer 2 headers.

Example: Codec Complexity and Calls per DSP on the Cisco AS54-PVDM2-64 Module (DESGN v2.0-7-10)
    Low complexity (maximum 64 calls):
        – G.711 a-law
        – G.711 mu-law
        – Fax passthrough
        – Modem passthrough
        – Clear-channel codec
    Medium complexity (maximum 32 calls):
        – G.729a
        – G.729ab
        – G.726: 16K, 24K, and 32K
        – T.38 fax relay
        – Cisco Fax Relay
    High complexity (maximum 24 calls):
        – G.723.1: 5.3K and 6.3K
        – G.723.1A: 5.3K and 6.3K
        – G.728
        – Modem relay
        – AMR-NB: 4.75K, 5.15K, 5.9K, 6.7K, 7.4K, 7.95K, 10.2K, 12.2K, and silence insertion descriptor

Bandwidth Availability (DESGN v2.0-7-11)
    Goal: Reduce the amount of traffic per voice call
    Solutions:
        – Use an effective voice coding and compression mechanism.
        – Compress IP headers by using compressed Real-Time Transport Protocol (cRTP).
        – Suppress packets of silence by using voice activity detection (VAD).
Calculating Voice Bandwidth (DESGN v2.0-7-12)
    Voice packet size = (Layer 2 header) + (IP/UDP/RTP header) + (voice payload)
    Voice packets per second (pps) = (codec bit rate) / (voice payload size)
    Bandwidth = (voice packet size) * (pps)
    Example for a G.729 call with an 8-kbps codec bit rate, cRTP, and a 20-byte voice payload:
        – Voice packet size = 6 bytes + 2 bytes + 20 bytes = 28 bytes
        – Voice packet size = 28 bytes * 8 bits/byte = 224 bits
        – Voice pps = 8000 bits/sec / 160 bits/packet = 50 pps
        – Bandwidth = 224 bits * 50 pps = 11.2 kbps
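The three formulas above as a small calculator, added here as an example and not taken from the course: it reproduces the slide's 11.2 kbps figure for G.729 with cRTP and generalises to the other codecs and payload sizes the course tables use, plus the number of whole calls a link carries. The slide's 6-byte Layer 2 header and 2-byte cRTP header are kept as defaults; the 18-byte Ethernet overhead and the "voice_share" reservation are assumptions of this example, and VAD savings are not modelled.

```python
from math import floor

IP_UDP_RTP_HEADER = 40   # bytes: 20 IP + 8 UDP + 12 RTP
CRTP_HEADER = 2          # bytes: compressed header size used on the slide
# Layer 2 overhead in bytes; PPP and Frame Relay follow the slide's 6 bytes,
# the Ethernet value is an assumption (14-byte header + 4-byte FCS).
L2_HEADERS = {"ppp": 6, "frame-relay": 6, "ethernet": 18}

# (codec bit rate in bit/s, voice payload per packet in bytes), as used in the
# course's "Voice Bandwidth and Codec Standards" table.
CODECS = {
    "G.711": (64_000, 160),
    "G.726-32": (32_000, 60),
    "G.726-24": (24_000, 40),
    "G.728": (16_000, 40),
    "G.729": (8_000, 20),
    "G.723.1-6.3": (6_300, 24),
    "G.723.1-5.3": (5_300, 20),
}

def packet_size_bytes(payload_bytes, l2="ppp", crtp=False):
    """Voice packet size = Layer 2 header + IP/UDP/RTP (or cRTP) header + payload."""
    header = CRTP_HEADER if crtp else IP_UDP_RTP_HEADER
    return L2_HEADERS[l2] + header + payload_bytes

def packets_per_second(codec_bps, payload_bytes):
    """pps = codec bit rate / payload bits per packet."""
    return codec_bps / (payload_bytes * 8)

def call_bandwidth_kbps(codec, l2="ppp", crtp=False):
    """Bandwidth = packet size in bits * pps, returned in kbit/s."""
    codec_bps, payload = CODECS[codec]
    bits_per_packet = packet_size_bytes(payload, l2, crtp) * 8
    return bits_per_packet * packets_per_second(codec_bps, payload) / 1000

def calls_on_link(link_kbps, codec, l2="ppp", crtp=False, voice_share=1.0):
    """Whole calls that fit; voice_share reserves the rest of the link for data
    and signaling (an assumption of this example, not a course figure)."""
    return floor(link_kbps * voice_share / call_bandwidth_kbps(codec, l2, crtp))

def bandwidth_table(l2="ppp"):
    """Per-codec (without cRTP, with cRTP) bandwidth in kbit/s, rounded to 0.1."""
    return {c: (round(call_bandwidth_kbps(c, l2), 1),
                round(call_bandwidth_kbps(c, l2, True), 1)) for c in CODECS}

if __name__ == "__main__":
    for codec, (plain, compressed) in bandwidth_table().items():
        print(f"{codec:12s} {plain:6.1f} kbps   {compressed:6.1f} kbps with cRTP   "
              f"{calls_on_link(512, codec)}/{calls_on_link(512, codec, crtp=True)} calls on 512 kbps")
```

Because the course table that follows does not state its Layer 2 header size and rounds to whole kbit/s, values computed here can differ from it by about one kbit/s or one call; the per-packet arithmetic is the same.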
  • 527.
    www.CareerCert.info Example: Voice Codec Bandwidth Calculator for G.729 Codec © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-13 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 528.
    www.CareerCert.info Voice Bandwidth and Codec Standards Compression Payload Bandwidth Bandwidth No. of Calls on a Size with cRTP 512-kbps Link (without cRTP/ with cRTP) G.711 (64 kbps) 160 83 68 6/7 G.726 (32 kbps) 60 57 36 8/14 G.726 (24 kbps) 40 52 29 9/17 G.728 (16 kbps) 40 35 19 14/26 G.729 (8 kbps) 20 26 11 19/46 G.723.1 (6.3 kbps) 24 18 8 28/64 G.723.1 (5.3 kbps) 20 17 7 30/73 © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-14 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 529.
    www.CareerCert.info Enterprise QoS Mechanisms for Voice Traffic classification Queuing or scheduling Bandwidth provisioning and call admission control © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-15 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 530.
    www.CareerCert.info Access Layer QoS Mechanisms for Voice 802.1Q trunking and 802.1p Multiple egress queues Traffic classification and network trust boundary Layer 3 awareness and the ability to implement QoS access control lists © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-16 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 531.
    www.CareerCert.info Recommended Practice: Separate Voice and Data VLANs Voice device protection from external networks QoS trust boundary extension to voice devices Protection from malicious network attacks Ease of management and configuration © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—7-17 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 532.
    Example: QoS Networking Mechanisms (DESGN v2.0—7-18)
  • 533.
    Example: Low Latency Queuing (DESGN v2.0—7-19)
  • 534.
    QoS Consideration for Voice in the WAN (DESGN v2.0—7-20)
    WAN QoS mechanisms:
      – Bandwidth provisioning
      – Traffic classification
      – Queuing and scheduling
      – Traffic shaping
      – Link efficiency techniques
      – Call admission control
  • 535.
    Call Admission Control (DESGN v2.0—7-21)
    Protects voice traffic from being negatively affected by other voice traffic
    Keeps excess voice traffic off the network
    Reroutes excess voice traffic in the following scenarios:
      – Call rerouted via an alternate packet network path
      – Call rerouted via the PSTN network path
      – Call returned to the originating TDM switch with the reject cause code
  • 536.
    Example: Call Admission Control (DESGN v2.0—7-22)
    [Figure panels: "VoIP Network Without CAC" and "VoIP Network with CAC"]
  • 537.
    Implementing CAC with RSVP (DESGN v2.0—7-23)
    RSVP is an industry-standard signaling protocol that enables an application to reserve bandwidth dynamically.
    RSVP signaling messages are exchanged between the source and destination devices.
    The RSVP process interacts with the QoS manager on router interfaces to "reserve" bandwidth resources.
    Calls are admitted or rejected based on the outcome of the RSVP reservations.
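The admission decision described on the Call Admission Control and RSVP slides (reserve on the primary path, otherwise reroute over an alternate packet path or the PSTN, otherwise return the call with a reject cause code), as an added Python example that is not Cisco code; the per-call bandwidth, path names and the reject-cause label are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed figures: per-call bandwidth and link budgets are illustrative,
# not taken from any Cisco design guide.
CALL_KBPS = 24

# Label for the "call returned to the originating TDM switch" outcome; the
# course does not name a specific cause code, so this is a placeholder.
REJECT_CAUSE = "reject-cause-code"


@dataclass
class VoicePath:
    """A packet path with a reservable voice bandwidth budget (kbps)."""
    name: str
    capacity_kbps: int
    reserved_kbps: int = 0

    def can_admit(self, need_kbps: int) -> bool:
        return self.reserved_kbps + need_kbps <= self.capacity_kbps

    def reserve(self, need_kbps: int) -> None:
        self.reserved_kbps += need_kbps

    def release(self, need_kbps: int) -> None:
        self.reserved_kbps = max(0, self.reserved_kbps - need_kbps)


class CallAdmissionControl:
    """Admit a call only if its reservation fits; otherwise reroute or reject."""

    def __init__(self, primary: VoicePath, alternate: Optional[VoicePath] = None,
                 pstn_available: bool = True) -> None:
        self.primary = primary
        self.alternate = alternate
        self.pstn_available = pstn_available
        # call_id -> path carrying the call (None when the call went to the PSTN)
        self.active: Dict[str, Optional[VoicePath]] = {}

    def admit(self, call_id: str, need_kbps: int = CALL_KBPS) -> Tuple[str, str]:
        # 1. Primary packet path, if the reservation fits.
        if self.primary.can_admit(need_kbps):
            self.primary.reserve(need_kbps)
            self.active[call_id] = self.primary
            return ("admitted", self.primary.name)
        # 2. Alternate packet network path.
        if self.alternate is not None and self.alternate.can_admit(need_kbps):
            self.alternate.reserve(need_kbps)
            self.active[call_id] = self.alternate
            return ("rerouted-packet", self.alternate.name)
        # 3. PSTN path: keeps the excess call off the IP network entirely.
        if self.pstn_available:
            self.active[call_id] = None
            return ("rerouted-pstn", "PSTN")
        # 4. Returned to the originating TDM switch with a reject cause code.
        return ("rejected", REJECT_CAUSE)

    def release(self, call_id: str, need_kbps: int = CALL_KBPS) -> None:
        """Free the reservation when a call ends so later calls can be admitted."""
        path = self.active.pop(call_id, None)
        if path is not None:
            path.release(need_kbps)


def run_scenario(pstn_available: bool = True) -> List[Tuple[str, str]]:
    """Offer six calls to a WAN that holds two calls plus one on the alternate path."""
    cac = CallAdmissionControl(VoicePath("wan-primary", 2 * CALL_KBPS),
                               VoicePath("wan-alternate", CALL_KBPS),
                               pstn_available=pstn_available)
    decisions = [cac.admit(f"call-{i}") for i in range(1, 6)]
    cac.release("call-1")                  # first call ends, freeing primary bandwidth
    decisions.append(cac.admit("call-6"))  # the freed reservation admits the next call
    return decisions


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```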
  • 538.
    Traffic Engineering Terms (DESGN v2.0—7-24)
    Grade of service
    Erlang
    Centum call seconds
    Busy hour
    Busy hour traffic
    Blocking probability
    Call Detail Record
  • 539.
    Erlang Tables (DESGN v2.0—7-25)
    Show erlangs of offered traffic, number of circuits, and grade of service
    Three common erlang tables:
      – Erlang B assumes that calls receiving a busy signal are immediately cleared.
      – Extended Erlang B assumes that a certain percentage of calls receiving a busy signal are redialed.
      – Erlang C assumes that blocked calls are queued.
  • 540.
    Example: Erlang B Table (DESGN v2.0—7-26)
    Number of erlangs decreases with the decreased blocking probability.
    Number of erlangs increases with the number of simultaneous connections.
    Busy hour traffic (BHT) in erlangs, by number of circuits (rows) and blocking probability (columns):

      Number of    Blocking Probability
      Circuits     .003     .005     .01      .02      .03      .05
      1            .003     .006     .011     .021     0.31     0.053
      2            .081     .106     .153     .224     0.282    .382
      3            .289     .349     .456     .603     0.716    .900
      4            .602     .702     .870     1.093    1.259    1.525
      5            .996     1.132    1.361    1.658    1.876    2.219
      6            1.447    1.822    1.900    2.278    2.543    2.961
      7            1.947    2.158    2.501    2.936    3.250    3.738
      8            2.484    2.730    3.128    3.627    3.987    4.543
      9            3.053    3.333    3.783    4.345    4.748    5.371
      10           3.648    3.961    4.462    5.084    5.530    6.216
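How the BHT values in the Erlang B table above are produced, as an added example that is not part of the course material: the standard Erlang B recursion (blocked calls cleared), inverted by bisection to give offered traffic for a circuit count and blocking probability, plus the reverse lookup a designer actually needs (circuits required for a given load and grade of service).

```python
from typing import Dict, Iterable, List


def erlang_b(circuits: int, offered_erlangs: float) -> float:
    """Erlang B blocking probability via the recursion
    B(0) = 1, B(n) = A*B(n-1) / (n + A*B(n-1)), where A is the offered load."""
    if circuits < 0 or offered_erlangs < 0:
        raise ValueError("circuits and offered load must be non-negative")
    blocking = 1.0
    for n in range(1, circuits + 1):
        blocking = offered_erlangs * blocking / (n + offered_erlangs * blocking)
    return blocking


def offered_traffic(circuits: int, blocking_target: float) -> float:
    """Invert erlang_b: the offered load (erlangs) at which `circuits` lines give
    the target blocking probability, i.e. one cell of the slide's table."""
    if circuits < 1 or not 0 < blocking_target < 1:
        raise ValueError("need >= 1 circuit and 0 < blocking < 1")
    lo, hi = 0.0, float(circuits)
    while erlang_b(circuits, hi) < blocking_target:  # widen until blocking exceeds target
        hi *= 2
    for _ in range(100):                              # bisection: blocking grows with load
        mid = (lo + hi) / 2
        if erlang_b(circuits, mid) < blocking_target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def circuits_needed(bht_erlangs: float, blocking_target: float) -> int:
    """Smallest number of circuits whose Erlang B blocking is at most the target."""
    n = 1
    while erlang_b(n, bht_erlangs) > blocking_target:
        n += 1
    return n


def erlang_b_table(max_circuits: int, probabilities: Iterable[float]) -> Dict[int, List[float]]:
    """Rebuild rows of the slide's table: {circuits: [erlangs per probability]}."""
    probs = list(probabilities)
    return {n: [round(offered_traffic(n, p), 3) for p in probs]
            for n in range(1, max_circuits + 1)}


if __name__ == "__main__":
    probs = (0.003, 0.005, 0.01, 0.02, 0.03, 0.05)
    for n, row in erlang_b_table(10, probs).items():
        print(n, row)
```

Comparing the generated rows with the slide is a quick way to spot transcription errors in a printed table before sizing trunks from it.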
  • 541.
    Summary (DESGN v2.0—7-27)
    Voice quality in an IP network is directly affected by delay, jitter, and packet loss.
    An echo is the audible leak of the voice of the caller into the receive (return) path.
    Voice communication over IP relies on voice that is coded and encapsulated into IP packets.
    A primary WAN issue when network designers are designing voice on IP networks is bandwidth availability.
    QoS mechanisms are important for networks that carry voice.
    Traffic engineering is the science of selecting the right number of lines and the proper types of service to accommodate users.
  • 542.
    DESGN v2.0—7-28 (no slide text)
  • 543.
    Integrating Voice in the Network Design (DESGN v2.0—7-1)
    Define the requirements for voice services.
    Select an IP telephony design model based on the requirements.
    Implement voice support in the infrastructure:
      – Select appropriate call control and transport protocols.
      – Select appropriate coding and compression mechanisms.
      – Provision needed bandwidth.
      – Deploy VoIP components.
      – Implement end-to-end QoS.
  • 544.
    Module Summary (DESGN v2.0—7-2)
    New IP telephony solutions must integrate into existing environments and provide similar functionality.
    Business needs are driving the need for unified networks that support unified communications.
    There are many issues that affect voice traffic, such as delay, jitter, packet loss, congestion, and slow-speed links.
    Compression techniques, LFI, and QoS mechanisms can alleviate many of these issues.
  • 545.
    DESGN v2.0—7-3 (no slide text)
  • 546.
    Identifying Wireless Networking Considerations (DESGN v2.0—8-1)
    Designing for Cisco Internetwork Solutions (DESGN) v2.0
  • 547.
    Introducing the Cisco Unified Wireless Network (DESGN v2.0—8-1)
    Identifying Wireless Networking Considerations
  • 548.
    Wireless LAN Background (DESGN v2.0—8-2)
    WLANs provide network connectivity over radio waves.
    Wireless stations connect to wireless access points.
    Access points connect to the wired network.
      – Access points were traditionally autonomous.
      – Scaling the design and adding applications was challenging.
  • 549.
    Cisco Unified Wireless Network Elements (DESGN v2.0—8-3)
    Intelligent information network elements:
      – Mobility services
      – Network management
      – Network unification
      – Access points
      – Client devices
  • 550.
    Cisco Unified Wireless Network—Split-MAC Operation (DESGN v2.0—8-4)
    Access point MAC functions:
      – 802.11: Beacons, probe response
      – 802.11 control: Packet acknowledgment and transmission
      – 802.11e: Frame queuing and packet prioritization
      – 802.11i: MAC layer data encryption and decryption
    Controller MAC functions:
      – 802.11 MAC management: Association requests and actions
      – 802.11e: Resource reservation
      – 802.11i: Authentication and key management
  • 551.
    LWAPP Fundamentals (DESGN v2.0—8-5)
    LWAPP is an IETF draft specification.
    Access points communicate with a WLC using LWAPP:
      – LWAPP control messages are exchanged between a WLC and access points.
      – LWAPP data messages encapsulate data frames.
    The LWAPP tunnel can be Layer 2 or Layer 3.
    One WLC can manage multiple access points.
      – The WLC supplies configuration and firmware updates to access points.
  • 552.
    Example: Layer 2 LWAPP Architecture (DESGN v2.0—8-6)
    Access points do not require IP addressing.
    Controllers need to be on every subnet on which access points reside.
    Layer 2 LWAPP was an early part of the architecture; many current products do not support this functionality.
  • 553.
    Example: Layer 3 LWAPP Architecture (DESGN v2.0—8-7)
    Access points require IP addressing.
    Access points can communicate with a WLC across routed boundaries.
    Layer 3 LWAPP is more flexible than Layer 2 LWAPP; most current products support this LWAPP mode.
  • 554.
    Access Point Modes (DESGN v2.0—8-8)
    Local mode is the default mode of operation.
    REAP mode enables a remote access point across a WAN link to communicate with the WLC.
    Rogue detector mode allows the access point to monitor rogue access points but cannot contain rogue access points.
    Monitor mode allows the access points to act as dedicated sensors for IDS and supports deauthentication capability.
    Sniffer mode functions as a network sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek.
    Bridge mode allows the Cisco Aironet 1030 (indoor) and 1500 (outdoor mesh) access points to support point-to-point and point-to-multipoint bridging.
  • 555.
    Wireless Infrastructure (DESGN v2.0—8-9)
    • Autonomous access point is an 802.1Q translational bridge.
    • WLAN controller bridges client traffic centrally.
  • 556.
    Wireless Authentication (DESGN v2.0—8-10)
  • 557.
    Example: Supported EAP Types (DESGN v2.0—8-11)
    EAP-Transport Layer Security (EAP-TLS)
      – Mutual client and server authentication using digital certificates
    EAP-Protected EAP (EAP-PEAP)
      – Authentication of RADIUS server in TLS using digital certificate
      – Authentication of client using EAP-GTC or EAP-MSCHAPv2
    EAP Tunneled Transport Layer Security (EAP-TTLS)
      – Authentication of RADIUS server in TLS using server certificate
      – Authentication of client using username and password
    Cisco LEAP
      – Early EAP method supported in Cisco Compatible Extensions
    Cisco EAP-FAST
      – Three-phase EAP method supported in Cisco Compatible Extensions
  • 558.
    Important WLAN Controller Components (DESGN v2.0—8-12)
    Three important components to understand:
      – Port: Physical connection to a neighbor switch or router
      – Interface: Logical connection mapping to a VLAN on the wired network
      – WLAN: Logical entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters
  • 559.
    Summary of WLC Interfaces (DESGN v2.0—8-13)
    Management interface: Used for in-band management, connectivity to AAA and other enterprise services, and Layer 2 access point autodiscovery and association
    AP-manager interface: The source IP address used for access point-to-controller communication and Layer 3 access point autodiscovery and association
    Dynamic interface: Designated for WLAN client data; analogous to a VLAN
    Virtual interface: Supports DHCP relay, Layer 3 security authentication, and mobility management
    Service-port interface: Provides out-of-band management of the controller
  • 560.
    Example: WLANs, Interfaces, and Ports (DESGN v2.0—8-14)
  • 561.
    Cisco Wireless LAN Controller Platforms (DESGN v2.0—8-15)

      Platform                                                  Number of Access Points Supported
      Cisco 2000 Series Wireless LAN Controller                 6
      Cisco Wireless LAN Controller Module for ISRs             6
      Cisco Catalyst 3750G Integrated Wireless LAN Controller   Up to 50
      Cisco 4400 Series Wireless LAN Controller                 Up to 100
      Cisco Catalyst 6500 Series Wireless Services Module       Up to 300

    Note: The number of access points supported may change as products are updated. Check www.cisco.com for the latest information.
  • 562.
    Access Point Scalability Considerations (DESGN v2.0—8-16)
    4400x series controllers allow 48 access points per port in the absence of link aggregation.
    Two options for scaling are:
      – Multiple AP manager interfaces (supported only on 4400x appliance controllers).
      – Link aggregation (supported on 4400x appliances, Cisco WiSM, Cisco 3750G Integrated Wireless LAN Controller).
    With multiple AP manager interfaces, the LWAPP algorithm load-balances access points across the AP manager interfaces.
    With LAG, one AP manager interface load-balances traffic across an EtherChannel interface.
  • 563.
    Example: Multiple AP Manager Interfaces (DESGN v2.0—8-17)
    Each AP manager interface is mapped to a physical port.
    Access point load is dynamically distributed.
    Redundancy advantage: Platform can be connected to multiple devices.
    Redundancy concern: Only 48 access points are supported per port.
  • 564.
    Example: LAG with a Single AP Manager Interface (DESGN v2.0—8-18)
    One LAG group per Cisco Wireless LAN Controller is supported.
    Packets are forwarded out the same port they arrived on.
    It is recommended that you use LAG if possible.
  • 565.
    Summary (DESGN v2.0—8-19)
    The Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on Cisco Wireless LAN Controllers.
    Cisco Wireless LAN Controllers manage access points using LWAPP.
    The Cisco Unified Wireless Network is based on devices connecting to access points using RF signals, access points sending client traffic to controllers across an LWAPP tunnel, and Cisco Wireless LAN Controllers placing the traffic in the appropriate VLAN in the wired network.
    Cisco Wireless LAN Controller components include ports (physical connections), interfaces (logical mappings to a VLAN), and WLANs (logical mappings of an SSID to an interface).
    Cisco Wireless LAN Controller platforms can support 6 to 300 access points.
  • 566.
    DESGN v2.0—8-20 (no slide text)
  • 567.
    www.CareerCert.info Understanding Wireless Network Controller Technology Identifying Wireless Networking Considerations © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-1 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 568.
    www.CareerCert.info LWAPP Discovery 1. The access point issues a DHCPDISCOVER to get an IP address. 2. If the access point supports Layer 2 LWAPP, attempt Layer 2 discovery. 3. Else, attempt Layer 3 LWAPP discovery. 4. If no WLC response, then access point reboots and returns to Step 1. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-2 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 569.
    www.CareerCert.info Layer 3 LWAPP Discovery Algorithm Access point sends Layer 3 LWAPP discovery requests: 1. As broadcasts on local subnet 2. As unicast LWAPP discovery requests to WLC IP addresses advertised by other access points, if OTAP enabled on the WLCs 3. To all previously stored WLC IP addresses 4. To IP addresses learned through DHCP Option 43 5. To IP addresses learned through DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain WLCs receiving the discovery message reply with a unicast LWAPP discovery response message. Access point compiles a list of candidate controllers. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-3 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 570.
    www.CareerCert.info WLC Selection Algorithm LWAPP discovery and selection mechanism is a design decision. LWAPP discovery response contains WLC information. After the LWAPP discovery interval timer, the access point selects a WLC to send an LWAPP join request based on: 1. Previously configured primary, secondary, or tertiary WLCs (specified in the controller sysName) 2. WLC configured as a master controller 3. WLC with the greatest capacity for access point associations The WLC validates the access point and sends an LWAPP join response. An encryption key is derived, and future messages are encrypted. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-4 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 571.
    www.CareerCert.info Access Point Operations Access point downloads firmware from the WLC if its code version does not match the WLC. WLC provisions access point with the SSID, security, QoS, and other parameters. WLC periodically queries access points for status. Access point periodically sends an LWAPP heartbeat (every 30 seconds): – If heartbeat is not acknowledged, the access point resends. – If heartbeat is not acknowledged in five attempts, access point looks for a new WLC. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-5 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 572.
    www.CareerCert.info WLC Deployment Considerations Mobility Radio management Redundancy and load balancing Scaling IP addressing © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-6 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 573.
    www.CareerCert.info Mobility Defined Mobility is a key reason for wireless networks. Mobility means the end-user device is capable of moving to new location. Roaming occurs when a wireless client moves association from one access point and reassociates to another. Mobility presents new challenges: – Need to scale the architecture to support client roaming— roaming can occur intracontroller and intercontroller. – Depending on the application, may need to support Layer 2 or Layer 3 roaming. – Need to support client roaming that is seamless (fast) and preserves security. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-7 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 574.
    www.CareerCert.info Intracontroller Roaming Intracontroller roaming occurs when a client moves association to another access point joined to the same WLC. Client may need to be reauthenticated and new security session established. Controller updates client database entry with new access point and appropriate security context. No IP address refresh is needed. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-8 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 575.
    www.CareerCert.info Intercontroller Roaming—Layer 2 Traffic on same IP subnet Client database entry moved to new WLC Reauthenticated and new security session established as needed No IP address refresh needed © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-9 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 576.
    www.CareerCert.info Intercontroller Roaming—Layer 3 Original WLC tagged as “anchor” Client database entry copied to new WLC, New WLC uses different tagged as “foreign” subnet; client IP address does not change Asymmetric traffic path © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-10 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 577.
    www.CareerCert.info Scaling the Architecture with Mobility Groups Mobility groups allow controllers to peer with each other to support seamless roaming across controller boundaries, access point load balancing, and controller redundancy. – Mobility messages are exchanged between controllers. – Data is tunneled between controllers in Ethernet-in-IP (EtherIP). Each WLC in a mobility group is configured with a list of other members. Access points learn the IP addresses of the other members of the mobility group after the LWAPP join process. Mobility groups support up to 24 controllers and 3600 access points. WLC should be placed in mobility groups when intercontroller roaming is possible and for controller redundancy. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-11 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 578.
    www.CareerCert.info Mobility Group Requirements IP connectivity must exist between the management interfaces of all WLC devices. All WLCs must be configured with the same mobility group name. The mobility group name is case-sensitive. All WLCs must be configured to use the same virtual interface IP address. Each WLC is configured with the MAC address and IP address of all the other mobility group members. The WLCs exchange messages using UDP port 16666 (unencrypted) or UDP port 16667 (encrypted) . © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-12 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
  • 579.
Supporting Roaming: Recommended Practices
• Minimize intercontroller roaming in your designs.
• Design the network for <= 10 ms RTT latency between controllers.
• Intercontroller Layer 2 roaming is more efficient than Layer 3 roaming.
• Use PKC or CCKM to speed up and secure roaming.
• Client roaming capabilities vary by vendor, driver, and supplicant. Look for the Cisco Compatible Extensions v4 feature set.
Controller Redundancy Design
An access point selects its WLC with this sequence:
1. [Deterministic] If an access point has been previously configured with a primary, secondary, or tertiary controller, the access point attempts to join these first (specified by controller sysName).
2. [Initializing] The access point attempts to join a WLC configured as a master controller.
3. [Dynamic] The access point attempts to join the WLC with the greatest availability for access point associations.
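The three-stage selection sequence above, worked through as an added example that is not Cisco's code. The controller and access point records are constructed sample data, and "greatest availability" is read here as the controller with the most free access point slots, which is an assumption.

```python
"""Access point controller selection (added example, not Cisco's code).

Stage 1: configured primary/secondary/tertiary by sysName (deterministic).
Stage 2: a controller configured as master (initializing).
Stage 3: the controller with the most room for AP associations (dynamic).
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Controller:
    sys_name: str
    max_aps: int            # licensed access point capacity
    joined_aps: int = 0
    master: bool = False    # configured as master controller
    reachable: bool = True

    @property
    def free_slots(self) -> int:
        return self.max_aps - self.joined_aps

    def available(self) -> bool:
        return self.reachable and self.free_slots > 0


@dataclass
class AccessPoint:
    name: str
    primary: Optional[str] = None     # controller sysNames, as configured on the AP
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def select_controller(ap: AccessPoint,
                      controllers: list[Controller]) -> tuple[str, Optional[Controller]]:
    """Return (stage, controller) for the WLC this AP would join, or ("none", None)."""
    by_name = {c.sys_name: c for c in controllers}
    candidates = [c for c in controllers if c.available()]

    # Stage 1, deterministic: try the statically assigned controllers in order.
    for preferred in (ap.primary, ap.secondary, ap.tertiary):
        c = by_name.get(preferred) if preferred else None
        if c is not None and c.available():
            return "deterministic", c

    # Stage 2, initializing: fall back to a controller configured as master.
    masters = [c for c in candidates if c.master]
    if masters:
        return "initializing", masters[0]

    # Stage 3, dynamic: assumption, "greatest availability" = most free slots.
    if candidates:
        return "dynamic", max(candidates, key=lambda c: c.free_slots)
    return "none", None


if __name__ == "__main__":
    # Constructed sample: the primary is full, so the secondary is chosen.
    wlcs = [Controller("WLC-1", 50, joined_aps=50), Controller("WLC-2", 25, joined_aps=10)]
    stage, wlc = select_controller(AccessPoint("AP1", primary="WLC-1", secondary="WLC-2"), wlcs)
    print(stage, wlc.sys_name if wlc else None)
```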
Deterministic Controller Redundancy
• The administrator statically assigns each access point a primary, secondary, or tertiary controller.
• Advantages include:
  – Predictability (easier operational management)
  – More network stability
  – More flexible and powerful redundancy design options
  – Faster failover times
  – "Fallback" option in the case of failover
• Disadvantages include:
  – More upfront planning and configuration
• The recommended leading practice is to use deterministic redundancy.
Example: Deterministic Controller Redundancy (diagram)
Dynamic Controller Redundancy
• The design relies on LWAPP to load-balance access points across controllers and to populate access points with backup WLC information.
  – The design works better when controllers are "clustered" in a centralized design.
• Advantages include:
  – Easy to deploy and configure
  – Access points dynamically load-balance
• Disadvantages include:
  – More intercontroller roaming
  – Bigger operational challenges due to unpredictability
  – Longer failover times
  – No fallback option in the event of controller failure
• The recommended practice is not to use dynamic redundancy.
Example: Dynamic Redundancy (diagram)
Deterministic Redundancy Designs: N+1 (diagram)
Deterministic Redundancy Designs: N+N (diagram)
Deterministic Redundancy Designs: N+N+1 (diagram)
Radio Resource Management
• Key RF challenges with 802.11:
  – Limited nonoverlapping channels
  – Physical characteristics of RF propagation
  – Contention for the medium
  – Transient nature of RF environments
• RRM addresses these challenges:
  – Continuous analysis of the RF environment
  – Dynamic channel assignment
  – Interference detection and avoidance
  – Dynamic transmit power control
  – Coverage hole detection and correction
  – Client and network load balancing
RF Grouping
1. Access points send and receive neighbor messages.
2. If access points on different WLCs hear neighbor messages in the same RF group at -80 dBm or stronger, they pass the information to their WLC.
3. Controllers elect an RF group leader that analyzes the RF data.
Access Point Self-Healing
• Access points receive neighbor messages from neighbor access points.
• Access points report a lost neighbor when they no longer receive neighbor messages at -65 dBm.
• RRM is used to increase power on access points near the lost access point.
• RRM can also adjust channel selection if needed.
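The RF grouping steps and the self-healing reaction, modelled together as an added example that is not Cisco's RRM code. The neighbor messages, AP-to-WLC mapping and transmit power values are constructed; the leader-election criterion and the power step are assumptions, while the -80 dBm and -65 dBm thresholds are the ones the slides give.

```python
"""RF group formation and access point self-healing (added example, not Cisco's code).

Neighbor messages are constructed tuples (hearing_ap, heard_ap, rssi_dbm, rf_group_name).
"""
from __future__ import annotations

RF_GROUP_THRESHOLD_DBM = -80      # neighbor heard this strongly joins the WLCs into one RF group
LOST_NEIGHBOR_THRESHOLD_DBM = -65 # neighbor no longer heard at this level is reported lost
MAX_TX_POWER_DBM = 20             # assumed radio ceiling for the constructed APs


def form_rf_groups(ap_to_wlc: dict[str, str], neighbor_msgs, rf_group_name: str) -> list[set[str]]:
    """Union controllers whose APs hear each other in the named RF group at
    -80 dBm or stronger; returns the resulting groups of WLC names."""
    parent = {wlc: wlc for wlc in set(ap_to_wlc.values())}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for hearer, heard, rssi, group in neighbor_msgs:
        if group != rf_group_name or rssi < RF_GROUP_THRESHOLD_DBM:
            continue   # other RF group name, or too weak: no controller peering
        a, b = find(ap_to_wlc[hearer]), find(ap_to_wlc[heard])
        if a != b:
            parent[b] = a
    groups: dict[str, set[str]] = {}
    for wlc in parent:
        groups.setdefault(find(wlc), set()).add(wlc)
    return sorted(groups.values(), key=min)


def elect_leader(group: set[str]) -> str:
    """The slide says a leader is elected but not how; lowest WLC name
    is an assumption standing in for the real criterion."""
    return min(group)


def lost_neighbors(previous: dict[str, dict[str, int]],
                   current: dict[str, dict[str, int]]) -> set[tuple[str, str]]:
    """Return (hearer, lost_ap) pairs: neighbors that were heard at -65 dBm
    or stronger and are no longer heard at that level."""
    lost = set()
    for hearer, heard_map in previous.items():
        for heard, rssi in heard_map.items():
            if rssi < LOST_NEIGHBOR_THRESHOLD_DBM:
                continue   # was never a tracked neighbor at this level
            now = current.get(hearer, {}).get(heard)
            if now is None or now < LOST_NEIGHBOR_THRESHOLD_DBM:
                lost.add((hearer, heard))
    return lost


def self_heal(tx_power: dict[str, int], lost: set[tuple[str, str]],
              step_db: int = 3) -> dict[str, int]:
    """Raise transmit power on every AP that reported a lost neighbor (the APs
    nearest the coverage hole), capped at the radio ceiling."""
    healed = dict(tx_power)
    for hearer, _lost_ap in lost:
        healed[hearer] = min(MAX_TX_POWER_DBM, healed[hearer] + step_db)
    return healed


if __name__ == "__main__":
    ap_to_wlc = {"AP1": "WLC-A", "AP2": "WLC-B", "AP3": "WLC-C"}
    msgs = [("AP1", "AP2", -70, "Campus"), ("AP2", "AP3", -85, "Campus")]
    for g in form_rf_groups(ap_to_wlc, msgs, "Campus"):
        print(sorted(g), "leader:", elect_leader(g))
```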
Summary
• A lightweight access point uses an LWAPP discovery and join process to connect to a WLC. Lightweight access points operate by communicating with a WLC.
• The Cisco Unified Wireless Network provides a high-quality, transparent roaming experience for clients, supporting both intracontroller and intercontroller roaming.
• It is recommended that you use deterministic controller redundancy over dynamic controller redundancy.
• RRM using RF groups is a foundation of the Cisco Unified Wireless Network architecture.
Designing Wireless Networks with Controllers
Identifying Wireless Networking Considerations
Reasons for an RF Site Survey
• Defines the RF characteristics in the environment:
  – Discover RF coverage areas.
  – Check for RF interference and issues.
  – Provide RF spectrum analysis.
  – Determine appropriate placement of wireless infrastructure devices.
• Helps define customer requirements.
RF Site Survey Process
1. Define customer requirements.
2. Identify coverage areas and user density.
3. Determine preliminary access point locations.
4. Perform the actual surveying.
5. Document the findings.
RF Site Survey: Customer Requirements
• What type and number of wireless devices need to be supported?
  – Is there current WLAN or RF equipment in place?
  – Will the WLAN be used only for data?
  – Will wireless phones be supported in the future?
  – Are there peak periods to support?
• Will users be stationary or on the move while using the WLAN?
• Where should wireless coverage support be provided?
• What level of support should be provided?
RF Site Survey: Identifying Coverage Areas (floor-plan diagram). Areas marked on the plan: file room or office supply room (large filing or metal cabinets), elevator shafts, test lab, break room (microwave ovens), conference area, cubicles, stairwells (reinforced building area).
Determining Preliminary Access Point Locations: Default Access Point Placement (diagram)
Visualizing RF Coverage (diagram)
Performing the Site Survey
Use tools and processes to determine coverage:
• Estimate the access points needed using planning.
• Measure attenuation at the corners and edges of coverage areas.
• Determine the coverage range.
• Build the WLAN coverage.
• Identify coverage holes.
Site Survey Report
All information gathered and developed during the site survey should be included in the report:
• Detail customer requirements.
• Describe and diagram access point coverage.
  – Be very specific when describing equipment placement locations.
  – Mark areas that are covered as well as those not needing coverage.
• The parts list should include:
  – Access points
  – Antennas
  – Accessories and network components
• Discuss the tools that were used and the survey methods.
Supporting Guest Access (diagram)
Path Isolation with Ethernet in IP Tunnel
• Use of EtherIP tunnels to logically segment and transport the guest traffic between edge and anchor controllers
• Other traffic (employee, for example) is still locally bridged on the corresponding VLAN
• No need to define the guest VLANs on the switches connected to the edge controllers
• Original Ethernet frame from the guest is maintained across the LWAPP and EtherIP tunnels
• EtherIP is supported across all WLAN controllers
  – The 2006 WLC cannot anchor EtherIP connections.
Outdoor Wireless Deployment Options (diagram)
Outdoor Wireless Mesh Solution Components
• Cisco Wireless Control System
  – Wireless mesh management system
  – Enables network-wide policy configuration and device management
  – Supports SNMP and syslog management
• Cisco Wireless LAN Controller
  – Links the wireless mesh access points to the wired network
  – Handles RF algorithms and optimization
  – Seamless Layer 3 mobility
  – Provides security and mobility
• Rooftop Access Point
  – Serves as "root" or "gateway" access point to the wired network
  – Typically located on rooftops or towers
  – Connects up to 32 "pole-top" mesh access points using 802.11a
• Mesh Access Point
  – Provides 802.11b/g client access
  – Connects to root access points via 802.11a
  – Takes AC or DC power; PoE capable
  – Ethernet port for connecting peripheral devices
Example: MAP-to-RAP Connectivity in a Square Mile (diagram)
Mesh Design Recommendations

Hops          One         Two        Three      Four
Throughput    ~10 Mbps    ~5 Mbps    ~3 Mbps    Up to 1 Mbps*

Latency        < 10 ms per hop; 1–3 ms is typical
Hops           Outdoor: code supports up to eight hops; four or fewer hops are recommended. Indoor: one hop is supported.
Nodes per RAP  One RAP supports up to 32 MAPs; 20 nodes are recommended.
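A design check that applies the hop and nodes-per-RAP limits above to a mesh topology, written as an added example rather than Cisco's code. The topology is a constructed parent map in which each MAP names the node it backhauls to over 802.11a; RAP and MAP names are placeholders.

```python
"""Mesh hop-depth and RAP-load check (added example, not Cisco's code).

Limits come from the recommendations table: outdoor code supports up to eight
hops with four or fewer recommended, indoor supports one hop, and one RAP
supports up to 32 MAPs with 20 recommended.
"""
from __future__ import annotations

MAX_HOPS_SUPPORTED = 8
MAX_HOPS_RECOMMENDED = 4
MAX_MAPS_PER_RAP = 32
MAPS_PER_RAP_RECOMMENDED = 20


def resolve_path(node: str, raps: set[str], backhaul_parent: dict[str, str]) -> tuple[str, int]:
    """Walk a MAP's backhaul chain up to its RAP and return (rap, hop_count).
    Raises ValueError on a loop or on a node with no route to any RAP."""
    hops, cur, seen = 0, node, set()
    while cur not in raps:
        if cur in seen or cur not in backhaul_parent:
            raise ValueError(f"{node}: no path to a RAP (loop or missing parent at {cur})")
        seen.add(cur)
        cur = backhaul_parent[cur]
        hops += 1
    return cur, hops


def check_mesh(raps: set[str], backhaul_parent: dict[str, str], indoor: bool = False) -> list[str]:
    """Return findings on hop depth and MAPs per RAP; an empty list means the
    topology is within both the supported and the recommended limits."""
    findings = []
    maps_per_rap = {rap: 0 for rap in raps}
    for map_name in backhaul_parent:
        rap, hops = resolve_path(map_name, raps, backhaul_parent)
        maps_per_rap[rap] += 1
        if indoor and hops > 1:
            findings.append(f"{map_name}: {hops} hops, indoor supports one hop")
        elif hops > MAX_HOPS_SUPPORTED:
            findings.append(f"{map_name}: {hops} hops exceeds supported maximum of {MAX_HOPS_SUPPORTED}")
        elif hops > MAX_HOPS_RECOMMENDED:
            findings.append(f"{map_name}: {hops} hops, four or fewer recommended")
    for rap, count in maps_per_rap.items():
        if count > MAX_MAPS_PER_RAP:
            findings.append(f"{rap}: {count} MAPs exceeds supported maximum of {MAX_MAPS_PER_RAP}")
        elif count > MAPS_PER_RAP_RECOMMENDED:
            findings.append(f"{rap}: {count} MAPs, {MAPS_PER_RAP_RECOMMENDED} recommended")
    return findings


if __name__ == "__main__":
    # Constructed sample: a five-deep chain behind one RAP.
    chain = {"M1": "RAP1", "M2": "M1", "M3": "M2", "M4": "M3", "M5": "M4"}
    for finding in check_mesh({"RAP1"}, chain):
        print(finding)
```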
Common Wireless Design Questions
• How many access points are needed?
• Where will the access points be placed?
• How will the access points receive power?
• How many WLCs are needed?
• Where should the WLCs be placed?
LWAPP Access Point Feature Summary

Feature                   10x0 Models  1121 AG Models  1130 AG Series  1230 AG Series  1240 AG Series  1300 Series  1500 Series
Autonomous/LWAPP/both     LWAPP        Both            Both            Both            Both            Both*        LWAPP
External antenna          Yes          No              No              Yes             Yes             Yes          Yes
Outdoor install           No           No              No              No              No              Yes          Yes
REAP or H-REAP support    REAP         No              H-REAP          No              H-REAP          No           Yes
Dual radio                Yes          Yes             Yes             Yes             Yes             No (only g)  No (only g)
Power (watts)             13           6               15              14              15              N/A          N/A
Memory (MB)               16           16              32              16              32              16           16
WLANs per radio supported 18           8               8               8               8               8            16

* LWAPP in AP mode
WLAN Controllers and Access Point Support

Part Number (Platform)                                                          No. of Access Points Supported
AIR-WLC2006-K9 (Cisco Wireless LAN Controller appliance)                        6
NM-AIR-WLC6-K9 (Cisco Wireless LAN Controller Module for ISRs)                  6
WS-C3750G-24WS-S25 (Cisco Catalyst 3750G Integrated Wireless LAN Controller)    25
WS-C3750G-24WS-S50 (Cisco Catalyst 3750G Integrated Wireless LAN Controller)    50
AIR-WLC4402-12-K9 (Cisco Wireless LAN Controller appliance)                     12
AIR-WLC4402-25-K9 (Cisco Wireless LAN Controller appliance)                     25
AIR-WLC4402-50-K9 (Cisco Wireless LAN Controller appliance)                     50
AIR-WLC4402-100-K9 (Cisco Wireless LAN Controller appliance)                    100
Cisco Catalyst 6500 Series Wireless Services Module                             Up to 300
Controller Placement Design
• Minimize intercontroller roaming.
• Implement deterministic redundancy.
• A centralized design supports the integrated platforms.
  – Cisco Catalyst 3750G Integrated Wireless LAN Controller for small-to-medium deployments
  – Cisco WiSM for medium-to-large deployments
• Distributed designs may work well with existing networks.
• The general recommendation is to use a centralized design, but decide based on:
  – Current network and policies
  – Growth plans
Example: Distributed WLC Design (diagram)
Example: Centralized WLC Design (diagram)
Campus WLC Options
• Stand-alone appliance controller
  – Routed network on another platform
  – 802.1Q trunk to switched or routed network
• Integrated controller
  – Routed network can exist on the same platform.
  – Layer 2 connection is internal.
  – Layer 2 or Layer 3 connection to the routed network can be used.
Branch Wireless Network Design Considerations
• Number of access points needed at the branch
  – Availability of switch ports
  – Availability of power
• Controller cost
• WAN bandwidth constraints
  – Latency between the access point and the WLC should not exceed 200 ms RTT.
  – For centralized controllers, use REAP or Hybrid REAP access points.
Local MAC
• Access point MAC functions:
  – 802.11: Beacons, probe response
  – 802.11 control: Packet acknowledgment and transmission
  – 802.11e: Frame queuing and packet prioritization
  – 802.11i: MAC layer data encryption and decryption
  – 802.11 MAC management: Association requests and actions
• Controller MAC functions:
  – 802.11 proxy association requests and actions
  – 802.11e resource reservation
  – 802.11i authentication and key management
Remote Edge Access Point
• Lightweight access point designed to be controlled across WAN links:
  – REAP is designed to support remote offices by extending LWAPP control timers.
  – Control traffic is still LWAPP-encapsulated and sent to the Cisco Wireless LAN Controller.
  – Client data is not LWAPP-encapsulated but is locally bridged.
• All management control and RF management is available when the WAN link is up and connectivity is available to the Cisco Wireless LAN Controller.
• It will continue to provide local connectivity even if the WAN is down.
REAP Limitations
• REAP devices do not support 802.1Q trunking. All WLANs terminate on a single subnet.
• If connectivity to the WLC is lost, only WLAN1 is supported. Multiple WLANs are not recommended on REAP devices.
• REAP devices support only Layer 2 security policies.
• REAP devices and clients require a routable IP address provided locally and do not support NAT.
Hybrid REAP
• H-REAP is a solution for small or branch offices and retail on the LWAPP Cisco IOS platforms.
• H-REAP supports simultaneous tunneling and local bridging.
  – "Local switching" supports bridging traffic onto local VLANs.
  – "Central switching" supports tunneling traffic to the controller.
• H-REAP provides more security options for the remote site:
  – Stand-alone mode does client authentication by itself (WPA-PSK, WPA-PSK2).
  – Connected mode uses the controller to complete client authentication (WPA-PSK, WPA-PSK2, VPNs, L2TP, EAP, and web auth).
• Round-trip latency must not exceed 200 ms between the access point and the controller.
• H-REAP supports NAT and PAT.
Example: H-REAP Deployment (diagram)
Branch Office WLC Options
• Appliance controllers
  – Cisco 2006: support for up to six access points
  – Cisco 4402-12, 4402-24
• Integrated controllers
  – Cisco Wireless LAN Controller Module for ISR
  – Cisco Catalyst 3750 Series Integrated WLAN Controller (support for 25 or 50 access points)
Summary
• An RF site survey is used to determine the RF characteristics of a wireless network and to help determine access point placement.
• Guest services are easily supported using EtherIP tunnels in the Cisco Unified Wireless Network.
• Outdoor wireless networks are supported using outdoor access points and Cisco Wireless Mesh Networking access points.
• Campus wireless network design provides RF coverage for wireless clients in the campus using lightweight access points. The access points are managed by Cisco Wireless LAN Controllers.
• Branch wireless network design provides RF coverage for wireless clients in the branch. Central management of REAP or H-REAP access points can be supported.
    www.CareerCert.info Wireless Networking Review Define the wireless requirements. Conduct an RF site survey to define the RF characteristics in the environment. Define access point deployment locations based on the site survey and customer requirements. Determine the WLC design: – Redundancy (primary, secondary, tertiary) – Placement of WLCs in distribution layer – Whether remote sites will use local centralized controllers Determine the number of mobility groups that you will need. Plan how to support internal VLANs and guest access if needed. © 2007 Cisco Systems, Inc. All rights reserved. DESGN v2.0—8-1 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.
Cisco Unified Wireless Network Review

DESGN v2.0—8-2
Module Summary

  • Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on WLCs that control LWAPP access points.
  • The Cisco Unified Wireless Network provides transparent roaming, supporting both intracontroller and intercontroller roaming.
  • Deterministic controller redundancy with integrated RRM provides the highest-quality roaming experience.
  • An RF survey in a wireless network design determines the characteristics of the wireless network and access point placement to provide optimal RF coverage for wireless clients.

DESGN v2.0—8-3
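The redundancy and mobility-group decisions called out in the Wireless Networking Review and in the module summary above can be checked mechanically before controllers are sized and ordered. The following Python script is an added example, not code from the course or from Cisco: given each lightweight AP's primary, secondary and tertiary controller and each WLC's licensed AP capacity (every controller name, AP name and capacity figure here is hypothetical, constructed for the example), it replays every single-controller failure, confirms the surviving controllers can absorb the orphaned APs, and flags an AP whose fallback controllers are not all in one mobility group.

```python
"""Sanity-check a deterministic WLC redundancy plan (added example, not course material).

Each lightweight AP carries a primary/secondary/tertiary controller list.
For normal operation and for every single-controller failure we recompute
where each AP lands, then verify that no controller exceeds its AP capacity,
that every AP still has a reachable controller, and that an AP's fallback
controllers sit in the same mobility group as its primary.
All names and capacities below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Controller:
    name: str
    mobility_group: str
    ap_capacity: int  # licensed AP count (hypothetical figure for the example)


@dataclass(frozen=True)
class AccessPoint:
    name: str
    primary: str
    secondary: Optional[str] = None
    tertiary: Optional[str] = None

    def preference(self) -> List[str]:
        """Controllers in the order the AP will try to join them."""
        return [c for c in (self.primary, self.secondary, self.tertiary) if c]


def place_aps(aps: List[AccessPoint], known: Dict[str, Controller],
              failed: FrozenSet[str] = frozenset()) -> Dict[str, Optional[str]]:
    """Map each AP to the first live controller in its preference list (None if none is left)."""
    return {
        ap.name: next((c for c in ap.preference() if c in known and c not in failed), None)
        for ap in aps
    }


def check_design(aps: List[AccessPoint], controllers: List[Controller]) -> List[str]:
    """Return the list of design problems found; an empty list means the plan passes."""
    problems: List[str] = []
    known = {c.name: c for c in controllers}

    # Rule 1: an AP's primary/secondary/tertiary must be known controllers in a single
    # mobility group, so a failover does not also move the AP into another mobility domain.
    for ap in aps:
        unknown = [c for c in ap.preference() if c not in known]
        if unknown:
            problems.append(f"{ap.name}: references unknown controller(s) {unknown}")
        groups = {known[c].mobility_group for c in ap.preference() if c in known}
        if len(groups) > 1:
            problems.append(f"{ap.name}: fallback controllers span mobility groups {sorted(groups)}")

    # Rule 2: capacity must hold in normal operation and after any single controller failure (N+1).
    scenarios = [frozenset()] + [frozenset([c.name]) for c in controllers]
    for failed in scenarios:
        label = ",".join(sorted(failed)) or "no controller"
        load: Dict[str, int] = {}
        for ap_name, ctrl in place_aps(aps, known, failed).items():
            if ctrl is None:
                problems.append(f"{ap_name}: no reachable controller with {label} down")
            else:
                load[ctrl] = load.get(ctrl, 0) + 1
        for ctrl, n in load.items():
            if n > known[ctrl].ap_capacity:
                problems.append(f"{ctrl}: {n} APs exceed capacity {known[ctrl].ap_capacity} with {label} down")
    return problems


# Constructed sample plan: two distribution-layer campus controllers with cross-failover
# and one branch controller; the branch AP's secondary crosses into the campus mobility group.
def sample_controllers(capacity: int) -> List[Controller]:
    return [
        Controller("wlc-dist-1", "campus", capacity),
        Controller("wlc-dist-2", "campus", capacity),
        Controller("wlc-branch-1", "branch", capacity),
    ]


SAMPLE_APS = [
    AccessPoint("ap-bldgA-1", "wlc-dist-1", "wlc-dist-2"),
    AccessPoint("ap-bldgA-2", "wlc-dist-1", "wlc-dist-2"),
    AccessPoint("ap-bldgB-1", "wlc-dist-2", "wlc-dist-1"),
    AccessPoint("ap-bldgB-2", "wlc-dist-2", "wlc-dist-1"),
    AccessPoint("ap-branch-1", "wlc-branch-1", "wlc-dist-1"),
]


def undersized_plan() -> List[str]:
    """Capacity 3 per controller: fine day to day, but one campus WLC failing overloads the other."""
    return check_design(SAMPLE_APS, sample_controllers(3))


def sized_plan() -> List[str]:
    """Capacity 5 per controller absorbs any single failure; only the branch mobility-group issue remains."""
    return check_design(SAMPLE_APS, sample_controllers(5))


if __name__ == "__main__":
    for name, fn in (("undersized", undersized_plan), ("sized", sized_plan)):
        print(name, fn() or ["OK"])
```

The N+1 check is the one that matters in practice: two controllers each carrying two of four APs look comfortable against a capacity of three until either one fails and all four land on the survivor. Replace the constructed sample with the real AP-to-controller assignments and licensed capacities to run the same check on an actual plan.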
Implementing and Operating the Network
Designing for Cisco Internetwork Solutions (DESGN) v2.0

DESGN v2.0—9-1
Reviewing Design and Implementation Resources
Implementing and Operating the Network

DESGN v2.0—9-1
Solution Reference Network Design Guides

  Focus on the specific solution
  Provide an overview of relevant technologies
  Give a description of the architecture
  Offer recommended design practices
  Provide configuration examples
  Are available for the following areas:
     – Campus
     – WAN and MAN
     – Data center
     – Security
     – Branch office
     – Unified communications
     – Teleworker
     – Wireless

DESGN v2.0—9-2
Cisco Networkers Online Subscription

  200+ technical training sessions, including:
     – Application Optimization Technologies
     – Contact Center Technologies
     – Data Center Technologies
     – Network Access and Aggregation Technologies
     – Network Management Services Technologies
     – Optical and Metro Ethernet Technologies
     – Routing and Switching Technologies
     – Security Technologies
     – Storage Technologies
     – Voice and Video Technologies
  www.networkersonline.net

DESGN v2.0—9-3
Summary of Cisco CCNP Courses

  Building Cisco Multilayer Switched Networks (BCMSN)
     – Recommended prerequisite for Designing for Cisco Internetwork Solutions
  Building Scalable Cisco Internetworks (BSCI)
  Implementing Secure Converged Wide Area Networks (ISCW)
  Optimizing Converged Cisco Networks (ONT)

DESGN v2.0—9-4
Building Cisco Multilayer Switched Networks v3.0

  Use the Cisco hierarchical network model for campus networks
  Define VLANs to segment network traffic
  Implement spanning-tree operation
  Implement and verify inter-VLAN routing
  Implement high-availability technologies and techniques
  Describe and configure wireless LAN access
  Describe and implement security features
  Describe and configure switches to support voice

  Covers skills required to build enterprise-class switched networks with integrated VoIP and wireless applications

DESGN v2.0—9-5
Building Cisco Multilayer Switched Networks v3.0 Course Flow

  [Five-day timetable, Day 1 to Day 5 with AM and PM sessions. Topics in sequence: Course Introduction; Network Requirements; Defining VLANs; Implementing Spanning Tree; Inter-VLAN Routing; High Availability; Implementing Wireless LAN; Minimizing Service Loss; Configuring Campus Switches for Voice.]

DESGN v2.0—9-6
Building Scalable Cisco Internetworks v3.0

  Explain routing in the enterprise network
  Implement and verify EIGRP operations
  Build a scalable multiarea network with OSPF
  Configure integrated IS-IS in a single area
  Implement Cisco IOS routing features
  Implement and verify BGP for enterprise ISP connectivity
  Implement and verify multicast forwarding using PIM
  Implement IPv6 in an enterprise network

  Covers skills required to build enterprise router networks with mixed, integrated internal and external routing protocols

DESGN v2.0—9-7
Building Scalable Cisco Internetworks v3.0 Course Flow

  [Five-day timetable, Day 1 to Day 5 with AM and PM sessions. Topics in sequence: Course Introduction; Network Requirements; Configuring EIGRP; Configuring OSPF; Configuring IS-IS; Manipulating Routing Updates; Implementing BGP; Implementing Multicast Protocol; Implementing IPv6.]

DESGN v2.0—9-8
Implementing Secure Converged Wide Area Networks v1.0

  Explain the Cisco hierarchical network model as it pertains to the WAN
  Describe and implement teleworker configuration and access
  Implement and verify frame mode MPLS
  Describe and configure a site-to-site IPsec VPN
  Describe and configure Cisco Easy VPN
  Explain the strategies used to mitigate network attacks
  Describe and configure Cisco device hardening
  Describe and configure Cisco IOS firewall features

  Covers skills for securing and expanding the reach of the enterprise network to teleworkers and remote sites. The focus is on securing remote access and VPN client configuration.

DESGN v2.0—9-9
Implementing Secure Converged Wide Area Networks v1.0 Course Flow

  [Five-day timetable, Day 1 to Day 5 with AM and PM sessions. Topics in sequence: Course Introduction; Network Requirements; Connecting Teleworkers (Simulation 2-1); Implementing Frame Mode MPLS (Lab 3-1); IPsec VPNs (Labs 4-1 to 4-4); Cisco Device Hardening (Labs 5-1 to 5-3); Cisco IOS Threat Defense Features (Labs 6-1 to 6-3).]

DESGN v2.0—9-10
Optimizing Converged Cisco Networks v1.0

  Explain the Cisco hierarchical network model as it pertains to an end-to-end enterprise network
  Describe specific requirements for implementing a VoIP network
  Describe the need to implement QoS and the methods for implementing QoS on a converged network
  Explain the key IP QoS mechanisms used to implement the DiffServ QoS model
  Configure AutoQoS for Enterprise
  Describe and configure wireless security and basic wireless management

  Covers techniques and skills to optimize QoS in converged networks supporting voice, wireless, and security applications

DESGN v2.0—9-11
Optimizing Converged Cisco Networks v1.0 Course Flow

  [Five-day timetable, Day 1 to Day 5 with AM and PM sessions. Topics in sequence: Course Introduction; Network Requirements; Describe Cisco VoIP Implementations (Labs 2-1, 2-2); Introduction to IP QoS (Case Study 3-1, Lab 3-2); Implement the DiffServ QoS Model (Labs 4-1 to 4-6); module 5 labs 5-1 to 5-3; Implement Wireless Scalability (Labs 6-1 to 6-4).]

DESGN v2.0—9-12
Designing Cisco Network Service Architectures (ARCH) v1.2

  Presents the Cisco AVVID framework
  Create intermediate network designs for:
     – Enterprise campus infrastructure
     – Enterprise edge infrastructure
     – Network management
     – High availability
     – Security
     – QoS
     – IP multicast
     – VPNs
     – Wireless
     – IP telephony

  This is the next course in the design certification track.

DESGN v2.0—9-13
Designing Cisco Network Service Architectures v1.2 Course Flow

  [Five-day timetable, Day 1 to Day 5 with AM and PM sessions. Topics in sequence: Course Introduction; Introducing Cisco Network Service Architectures; Designing Enterprise Campus Networks; Designing Enterprise Edge Connectivity; Designing Network Management Services; Designing High-Availability Services; Designing Security Services; Designing QoS; Designing IP Multicast Services; Designing VPNs; Designing Enterprise Wireless Networks; Designing IP Telephony Services; Wrap-Up.]

DESGN v2.0—9-14
Foundation Courses for Channel Partners

  Foundation Express for Account Managers (FXS)
  Foundation Express for System Engineers (CFXSE)
  Foundation Express for Field Engineers (CFXFE)

DESGN v2.0—9-15
Security Courses

  Securing Cisco Network Devices (SND)
  Securing Networks with Cisco Routers and Switches (SNRS)
  Implementing Cisco Intrusion Prevention System (IPS)
  Securing Networks with PIX and ASA (SNPA)
  Cisco Secure Virtual Private Networks (CSVPN)

DESGN v2.0—9-16
Voice Courses

  Implementing Cisco Quality of Service (QOS)
  Cisco Voice over IP Fundamentals (CVF)
  Cisco Voice over IP (CVOICE)
  Cisco IP Telephony Part 1 (CIPT1)
  Cisco IP Telephony Part 2 (CIPT2)
  IP Telephony Troubleshooting (IPTT)
  Implementing Cisco Voice Gateways and Gatekeepers (GWGK)
  IP Telephony Design (IPTD)

DESGN v2.0—9-17
Wireless Courses

  Aironet Wireless LAN Fundamentals and Site Survey (AWFSS)
  Aironet Wireless LAN Advanced Topics (AWLAT)
  Cisco Wireless LAN Fundamentals (CWLF)
  Cisco Wireless LAN Advanced Topics (CWLAT)
  Cisco Unified Wireless Networking (CUWN)
  Cisco Wireless Mesh Networking (CWMN)

DESGN v2.0—9-18
Summary

  SRND guides provide deployment scenarios incorporating Cisco products and technologies into a tested architecture.
  Cisco Networkers Online provides introductory to advanced training sessions on a subscription basis.
  The Building Scalable Cisco Internetworks, Implementing Secure Converged Wide Area Networks, and Optimizing Converged Cisco Networks courses provide additional theory and detailed configuration information that supports enterprise network design and implementation.
  Designing Cisco Network Service Architectures is the next course in the design certification track.
  Cisco specialization courses provide in-depth, hands-on training supporting security, voice, and wireless.

DESGN v2.0—9-19