Saturday, 22 February 2014

Cisco migration document: Enterprise Branch Architecture Design Overview (ppt)


Enterprise Branch Architecture Design Overview
OL-11725-01
Networked Infrastructure Layer
Figure 2 Networked Infrastructure Layer—Three Profiles
Common Branch Network Components
There is no single or typical branch network across the entire enterprise customer space. Depending on size, market vertical, location, or cost, each branch has its own network design. Regardless of the architecture, a set of common branch networking elements recurs. Branch networks require routers, switches, and, optionally, security appliances to provide network connectivity. Users at each branch have a combination of phones, laptops, and video equipment running various applications. Access points and call processing equipment might be required in branches that need mobility and centralized voice in their network. The Enterprise Branch Architecture introduces the concept of three branch profiles that incorporate these common branch network components. The three profiles are not intended to be the only architectures recommended for branch networks, but rather a representation of the aspects that branch networks need to include. They are the baseline foundation on which all the integrated services building blocks and application networking services are built. The design guides in the Enterprise Branch Architecture suite are written to provide guidelines and modularity between each profile.
Single-Tier Branch Profile Overview
Figure 3 shows the single-tier branch profile.
[Figure 2 (image not reproduced): the common branch network components, router, switch, security appliance, IP phone, laptop, access point, video equipment, and IP call processing, combined into the single-tier, dual-tier, and multi-tier branch profiles.]

Figure 3 Single-Tier Branch Profile
This profile is recommended for smaller enterprise branches that require neither platform redundancy nor a large user base. It consists of an Integrated Services Router (ISR) as the access router, with an integrated EtherSwitch network module providing the LAN connectivity alongside the router's WAN connectivity. High availability is achieved through a T1 link with an ADSL backup. The profile is intended for branches that want to incorporate as many services as possible into a single platform. It is also very cost effective and has the fewest devices to manage at the branch. Its drawbacks are network resiliency and capacity planning. A single platform is a single point of failure: there is no platform redundancy, so a router failure takes every user at the branch off the network, and because routing, security, and the other integrated services all run on the same device, that one device is also the branch's entire security boundary. User capacity is limited to the number of LAN ports the ISR platform can support. For future growth, either an external desktop switch must be added, or a larger router platform is needed for additional slot capacity.
Dual-Tier Branch Profile Overview
Figure 4 shows the dual-tier branch profile.
[Figure 3 (image not reproduced): single-tier branch profile. One access router with an integrated switch serves the branch LAN; a T1 link and an ADSL link connect it over the WAN and the Internet to the corporate office, where the corporate resources are located in headquarters.]

Figure 4 Dual-Tier Branch Profile
This profile is based on the legacy branch networks that exist today. Its intent is to illustrate how to apply advanced services within a branch network without a forklift upgrade or a redesign of the current network. It consists of two ISR access routers connected to an external switch. Dual WAN links and box redundancy provide a higher level of availability than the single-tier profile, at the expense of additional equipment cost and more components to manage at the branch. WAN and LAN services are not integrated in this profile: the ISRs terminate the WAN connections, and LAN connectivity is provided by a desktop switch. For additional user capacity, a second switch may be added via an EtherChannel. Because this layout already exists in many legacy branch networks, it serves as a migration profile, showing customers how to upgrade a branch to a new WAN transport such as Metro Ethernet, or to the advanced services listed in the Integrated Services Building Block layer of the overall Enterprise Branch Architecture framework.
Multi-Tier Branch Profile Overview
Figure 5 shows the multi-tier branch profile.
[Figure 4 (image not reproduced): dual-tier branch profile. Two access routers terminate the WAN links to the corporate office and connect to an external LAN switch; corporate resources are located in headquarters.]

Figure 5 Multi-Tier Branch Profile
This profile consists of dual ISRs for WAN termination, dual ASA appliances for security, dual ISRs for services integration, and several desktop switches in a Stackwise topology. It has the most network gear but delivers the greatest high availability and redundancy. The top ISRs provide WAN termination, the ASA appliances provide security services, the middle ISRs terminate the integrated services, and LAN connectivity is provided by the external desktop switches in a Stackwise deployment model. Some services are not integrated in this profile, but redundancy and high availability are provided at every device. The multi-tier profile closely resembles a small campus and suits large enterprise branches. Additional switch ports are added simply by adding more external desktop switches to the stack. This profile provides the most expansion capability, performance, and availability, but requires the most devices to manage.
In summary, the three profiles incorporate the common branch network elements into three architectures of varying cost, availability, size, expandability, and functionality. They provide the basis for all services, such as security and mobility. The intent of the three profile architectures is to validate the integrated services under different high availability requirements and at different levels of service integration in a platform. The single-tier profile provides the most integration of services into a single platform at the expense of high availability. The dual-tier profile adds some high availability, with LAN connectivity distributed to desktop switches and WAN connectivity on the branch routers. The multi-tier profile offers the most availability but no integration of services in a single platform.
[Figure 5 (image not reproduced): multi-tier branch profile. WAN routers terminate the links to the corporate office, access routers provide the integrated services, and the LAN is built from external switches in a Stackwise topology.]

Integrated Services Building Block Layer
The integrated services building block layer provides the key technologies that branch architectures need to operate. These technologies can be used separately or together. The goal of the Enterprise Branch Architecture is to layer each technology on the others in a phased approach. Ultimately, all the key infrastructure services will function together on the three platforms established in the networked infrastructure layer. The key infrastructure services are the following:
• WAN services—Foundation for branch architectures to connect to the campus core via a public or private ISP network
• LAN services—Provide end device connectivity to the corporate network within the branch
• Network fundamentals—Basic services required for network connectivity
• Security services—Protect devices and the network against intrusion, data theft, and denial of service, and secure data in transport
• Identity services—Allow specific users to access specific resources. A network device interrogates the user for their identity, grants access privileges, and enforces policies on them. These policies govern the user's interaction with applications as well as network permissions and VLAN assignment
• Mobility services—Allow users to access network resources regardless of their physical location
• Cisco IP Communications (IPC) services—Deliver a foundation that carries voice and video across the network
• Network infrastructure virtualization—Makes one network resource appear as many instances (or many as one) and provides the ability to deal with resources on a logical rather than physical basis
Each of these key services will be explored in the three branch profiles in a phased approach. In this overview, all of the above technologies are discussed at a high level to give the reader an overview of the entire Enterprise Branch Architecture roadmap. More detail will be added as future testing is completed.
WAN Services
WAN services provide the foundation for the Enterprise Branch Architecture to connect to the campus or data center core via an ISP public or private network, potentially also providing Internet access. The WAN services building block consists of three fundamental deployment options, each with its own set of associated attributes, as shown in Figure 6.

Figure 6 WAN Deployment Models
The Internet WAN deployment model provides no data privacy on its own and requires a secure connectivity mechanism, such as IPsec, for any traffic that must be protected. In this model all traffic traverses an ISP cloud, routing within the cloud is controlled by the ISP, and only IP is carried. Although this model may provide the most cost savings, it is the least secure of the three deployment models.
The private WAN deployment model is the traditional hub-and-spoke model that has been deployed in enterprise networks for decades; traditional Frame Relay and ATM networks fall into this category. Data privacy is provided through traffic separation, such as Frame Relay DLCIs or ATM VCs. Routing is controlled by the enterprise routing protocol across the private WAN, and both IP and non-IP protocols are supported. This is the most commonly used deployment model.
The MPLS deployment model uses MPLS as the WAN transport. As with the Internet model, routing control is held by the ISP and only IP is carried through the cloud. Unlike the Internet model, however, data privacy is provided through traffic separation, as in the private WAN model: traffic is separated by labels and placed in a per-customer virtual routing and forwarding (VRF) table on the provider's edge routers. Separation is not encryption; traffic inside the VRF is still readable by the provider.
All three WAN deployment models will be tested in the Enterprise Branch Architecture. The single-tier
profile uses the Internet deployment model. The dual-tier profile uses the private WAN deployment
model, and the multi-tier profile uses the MPLS WAN deployment model.
[Figure 6 (image not reproduced): the three WAN deployment models, Internet, Private WAN, and MPLS VPN, shown as the WAN building block within the integrated services building block layer (WAN, LAN, network fundamentals, security, identity, mobility, IPC, network virtualization, management).]

For more information regarding WAN and MAN architectures, see the Enterprise WAN at the following
URL:
http://www.cisco.com/go/wanandman.
LAN Services
LAN services provide end device connectivity to the corporate network within the branch office. With the convergence of services onto a single network infrastructure, devices such as computers, telephones, video cameras, and so on all require a connection to the corporate network over the LAN. Figure 7 shows the three physical configurations that may be used for LAN connectivity.
Figure 7 LAN Deployment Models
The three configurations for LAN connectivity are as follows:
• Access router connected to a physically separate Cisco Catalyst switch acting as a Layer 2-only switch
• Access router with an integrated switch
• Access router connected to Cisco Catalyst switches in a Stackwise topology
An access router connected to a separate Catalyst switch provides scaling and extensive feature support, and end devices may be powered inline by connecting to a Power over Ethernet (PoE) enabled switch. The access router with an integrated switch provides a one-box solution: a single device with single manageability. End devices may still receive PoE by connecting to a powered switch. The access router in a Stackwise topology provides high availability and fault tolerance for the LAN. Another design decision for LAN connectivity is where to place the Layer 3 routing function. In the past, switches were considered Layer 2-only devices, but the line between Layer 2 and Layer 3 devices has blurred: routers may now have integrated switch ports, and modern switches may have Layer 3 interfaces. Wherever the Layer 3 boundary sits is also where traffic between branch VLANs can be filtered, so the choice determines which device enforces access control between VLANs.
[Figure 7 (image not reproduced): the three LAN deployment models, router connected to a separate L2 switch, router with an integrated switch, and router with Stackwise switches, each connecting end devices (IP phones and computers) to the branch LAN.]

All three LAN deployment models are tested in either Layer 2 or Layer 3 topology. The single-tier
profile uses the access router with an integrated switch deployment model. The switches are Layer 2
devices in this profile. The dual-tier profile uses the access router connected to a physically separate
Cisco Catalyst switch as a Layer 2-only device. The multi-tier profile uses the Stackwise topology and
the switches all serve as Layer 3 devices.
For more information on LAN deployment models, see the following documents at
http://www.cisco.com/go/srnd under the Branch Office heading:
• LAN Baseline Architecture Overview Branch Office Network (EDCS-488184)
• LAN Baseline Architecture Branch Office Network Reference Design Guide (EDCS-488185).
Network Fundamentals
Network fundamentals refer to the basic services that are required for network connectivity. These services include high availability, IP addressing and routing, and QoS, as shown in Figure 8.
Figure 8 Network Fundamentals
High availability is crucial for modern branch architectures. Regardless of which technologies a branch adopts from the integrated services building block layer, staying up during a failure or outage is essential, because branch networks cannot afford downtime. In a branch office there are several methods to achieve high availability, and they are explored in the three profiles. A branch can have dual WAN links to headquarters in case of a WAN failure. In addition to dual WAN links, a branch can deploy dual devices in case of a router failure or outage. For complete high availability, a branch can combine the dual WAN link and dual device models.
[Figure 8 (image not reproduced): network fundamentals within the integrated services building block layer:
High availability: dual WAN paths, dual devices
IP addressing and routing: EIGRP, OSPF, BGP, static, RIP, object tracking, NAT, IPv6
Quality of service (QoS): queueing, dropping, shaping, link efficiency policies, classification and marking (NBAR), DSCP-to-CoS mapping]

The single-tier profile explores dual WAN link high availability with a T1 as the primary WAN type and ADSL as the backup link. The dual-tier profile uses the dual device model, leveraging Hot Standby Router Protocol (HSRP) for device failover. The multi-tier profile combines both high availability deployment models: each device in the profile is replicated for device failover, and there are dual WAN links to headquarters. In addition, the multi-tier profile adds another layer of high availability by placing the external Cisco Catalyst switches in a Stackwise topology for LAN fault tolerance.
For more information on Stackwise topology, see the Cisco Stackwise Technology White Paper at the following URL:
http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_white_paper09186a00801b096a.shtml
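The two high availability models just described, as added Cisco IOS configuration examples that are not part of the original guide. The first fragment is the single-tier dual WAN link model: a T1 as the primary path, an ADSL dialer interface as the backup, and an IP SLA probe with object tracking so the floating static route takes over when the primary path stops forwarding, not only when the serial interface itself goes down. The second fragment is the dual-tier dual device model: two ISRs sharing one HSRP virtual gateway on the LAN, with a tracked object lowering the active router's priority when its WAN path fails, and with the HSRP hellos authenticated. Addresses, interface names, and the key string are assumptions chosen for illustration.

```cisco
! ---- Single-tier profile: T1 primary, ADSL backup, object tracking ----
! Probe the headquarters WAN router (assumed 198.51.100.1) every 10 seconds.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
! Track 10 follows the probe. The 30 second delays keep a flapping T1 from
! bouncing the branch between the two paths.
track 10 ip sla 1 reachability
 delay down 30 up 30
! Pin the probe target to the T1. Without this host route, after a failover
! the probe would be routed over the ADSL path, succeed, bring track 10 back
! up, and reinstall the broken primary route.
ip route 198.51.100.1 255.255.255.255 Serial0/0/0
! The primary default route exists only while track 10 is up; the ADSL route
! has a worse administrative distance (250) and is installed only when the
! primary disappears.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 250

! ---- Dual-tier profile: two ISRs, one HSRP gateway on the LAN ----
! Primary router BR1-RTR1. BR1-RTR2 uses the same configuration with its own
! interface address (10.10.1.3), priority 90, and its own track 10 against
! its own WAN link.
interface GigabitEthernet0/1
 description Branch LAN toward the desktop switch
 ip address 10.10.1.2 255.255.255.0
 standby version 2
 standby 1 ip 10.10.1.1
 standby 1 priority 110
 ! Take back the active role only after the router has been up a minute,
 ! so a router that is still converging does not pull traffic prematurely.
 standby 1 preempt delay minimum 60
 standby 1 timers msec 250 msec 750
 ! Losing the WAN path drops priority to 80, below the standby router's 90,
 ! so the branch default gateway moves to the router whose WAN still works.
 standby 1 track 10 decrement 30
 ! Authenticate hellos. Without this, any host on the VLAN can send HSRP
 ! hellos with a higher priority, become active, and intercept all branch
 ! traffic. Key string is an assumption.
 standby 1 authentication md5 key-string Br4nchHsrpK3y
```

Verify the single-tier half with "show track 10" and "show ip route 0.0.0.0" while the T1 is administratively shut: the tracked route must leave the table and the Dialer1 route must appear. On the dual-tier pair, "show standby brief" on both routers should show one Active and one Standby, and shutting the active router's WAN interface should swap them within a few seconds.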
IP addressing and choice of routing protocol is vital in setting up a network and allowing connectivity.
Currently, only IP is used in the Enterprise Branch Architecture; specifically IPv4. IPv6 is being scoped
and will be added in future phases.
The choice of routing protocol is as varied as branch architectures themselves; each available routing protocol has advantages and disadvantages. Unless otherwise noted, the Enterprise Branch Architecture uses EIGRP as the routing protocol. Cisco developed EIGRP, and it is widely used across branch networks. OSPF, BGP, RIP, and static routing are all valid choices; however, EIGRP was chosen for the initial phases of testing.
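EIGRP on the branch router, as an added Cisco IOS configuration example that is not part of the original guide. Beyond enabling the protocol, it does the three things a branch EIGRP configuration should do: authenticate adjacencies with the headquarters routers so a rogue device on the WAN cannot inject routes, send hellos only on the WAN interface so no adjacency can be formed from a user VLAN, and declare the branch an EIGRP stub with a summary so it never becomes a transit path and advertises a single prefix upstream. The autonomous system number, addresses, interface names, VLAN numbers, and key string are assumptions.

```cisco
! Key chain for EIGRP hello authentication; the key string is an assumption.
! To rotate, add "key 2" with overlapping accept/send lifetimes before
! retiring key 1, so adjacencies never drop during the change.
key chain EIGRP-WAN
 key 1
  key-string Br4nchE1grpK3y
interface Serial0/0/0
 description T1 to headquarters
 ip address 198.51.100.2 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-WAN
 ! Advertise all branch LANs as one summary; HQ sees one route per branch.
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
interface GigabitEthernet0/1
 description Branch data VLAN (untagged)
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1.110
 description Branch voice VLAN
 encapsulation dot1Q 110
 ip address 10.10.110.1 255.255.255.0
router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 198.51.100.0 0.0.0.3
 no auto-summary
 ! No hellos on any interface by default; only the WAN link forms neighbors,
 ! so a host on the data or voice VLAN cannot become an EIGRP neighbor.
 passive-interface default
 no passive-interface Serial0/0/0
 ! A stub branch advertises only connected and summary routes and is not
 ! queried during HQ-side convergence, so it cannot become a transit path.
 eigrp stub connected summary
```

"show ip eigrp neighbors" on the branch should list exactly one neighbor, on Serial0/0/0; "show ip eigrp neighbors" at headquarters should show the branch flagged as a stub, and "show ip route eigrp" there should carry only the 10.10.0.0/16 summary for this branch.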
QoS is regarded as a network fundamental. Maintaining high quality voice and video within the LAN and across the WAN is required on branch networks. QoS includes defining trust on ports so that an endpoint cannot mark its own traffic for preferential treatment and gain unauthorized use of QoS on the branch network. Access routers and switches require the following QoS policies:
• Appropriate (endpoint dependent) trust policies
• Classification and marking policies
• Policing and markdown policies
• Queuing policies
Scavenger-class QoS helps maintain high quality voice and video, and it is also the mechanism for handling abnormal network conditions such as DoS and worm attacks: out-of-profile traffic is marked down to the scavenger class and is the first to be dropped during congestion. Network-Based Application Recognition (NBAR) classification is required to identify and mark that traffic, and to recognize and immediately drop known worm traffic.
For more in-depth knowledge of QoS, see the Enterprise QoS Solution Reference Network Design Guide Version 3.3 at the following URL:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf
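The four policy types in the list above, as an added configuration example that is not part of the original guide. The access switch fragment sets the trust boundary: DSCP from the port is honored only while a Cisco IP phone is detected there, so a PC cannot mark its own packets EF and ride the voice queue. The router fragment classifies with NBAR, marks scavenger applications down to CS1, polices each class and marks down anything out of profile, drops one known-worm pattern outright, and then gives the scavenger class a starvation-level queue on the WAN. The application names are NBAR protocol names; the URL pattern is a widely published worm request signature used here only to show the NBAR URL match syntax, not something the guide specifies; the rates, interface names, and VLANs are assumptions.

```cisco
! ---- Access switch: trust boundary ----
! Trust the DSCP arriving on the port only while CDP sees a Cisco IP phone
! there. A PC on the same port is untrusted, so its self-applied markings are
! ignored and the router policy below decides what it gets.
mls qos
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust dscp
 mls qos trust device cisco-phone

! ---- Branch router, LAN-facing interface: classify, mark, police ----
! The "*.ida*" URL pattern is the classic Code Red request signature, used
! only to show the NBAR URL match; it is an assumption, not a guide-specified
! policy.
class-map match-any KNOWN-WORMS
 match protocol http url "*.ida*"
class-map match-any SCAVENGER-APPS
 match protocol bittorrent
 match protocol edonkey
 match protocol kazaa2
class-map match-all VOICE
 match ip dscp ef
class-map match-all BEST-EFFORT
 match ip dscp default
class-map match-all SCAVENGER
 match ip dscp cs1

policy-map LAN-INGRESS
 class KNOWN-WORMS
  drop
 class SCAVENGER-APPS
  set ip dscp cs1
 class VOICE
  ! A branch this size never legitimately sends more than ~1 Mbit/s of EF;
  ! anything above is marked down rather than allowed to starve real calls.
  police cir 1024000 conform-action transmit exceed-action set-dscp-transmit cs1
 class BEST-EFFORT
  ! Hosts pushing sustained traffic far above normal (scanning worms, bulk
  ! uploads) are marked down to scavenger; under congestion they lose first.
  police cir 5000000 conform-action transmit exceed-action set-dscp-transmit cs1

! ---- Branch router, WAN-facing interface: queuing ----
policy-map WAN-EGRESS
 class VOICE
  priority percent 33
 class SCAVENGER
  ! Scavenger gets 1 percent: it still flows on an idle link, but is squeezed
  ! to almost nothing the moment real traffic needs the bandwidth.
  bandwidth percent 1
 class class-default
  fair-queue

interface GigabitEthernet0/1
 description Branch LAN
 service-policy input LAN-INGRESS
interface Serial0/0/0
 description T1 to headquarters
 service-policy output WAN-EGRESS
```

"show policy-map interface GigabitEthernet0/1" reports per-class packet counts and the conform/exceed counters of each policer, so a sudden jump in the BEST-EFFORT exceed counter or any hits on KNOWN-WORMS is itself a useful detection signal for the branch.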
Security Services
Security services protect devices and the network against intrusion, data theft, and denial of service, and secure data in transport.
Figure 9 shows the key areas of security services.

Figure 9 Security Services
The three areas of security services are as follows:
• Infrastructure protection
• Secure connectivity
• Threat defense detection and mitigation
Infrastructure protection provides proactive measures to protect the infrastructure devices, in this case Cisco IOS Software-based routers, switches, and appliances, from direct and indirect attacks. It helps maintain network transport continuity and availability. Turning off unnecessary services, password and login management, and SSH are all examples of infrastructure protection services.
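The three infrastructure protection measures the paragraph names, turning off unnecessary services, password and login management, and SSH, as an added Cisco IOS configuration example for the branch ISR that is not part of the original guide. The hostname, domain name, addresses, management subnet, logging and NTP hosts, and secrets are assumptions. The order matters: the local account and the SSH key pair must exist before the vty lines are restricted to SSH, or the router locks its administrator out.

```cisco
! ---- Turn off services the branch router does not need ----
no service tcp-small-servers
no service udp-small-servers
no service pad
no ip finger
no ip bootp server
no ip http server
no ip http secure-server
no ip source-route
! CDP stays on for the LAN (IP phones use it) but is disabled toward the WAN,
! along with the ICMP helpers that leak topology or enable redirection.
interface Serial0/0/0
 no cdp enable
 no ip redirects
 no ip unreachables
 no ip proxy-arp

! ---- Password and login management ----
hostname BR1-ISR
ip domain-name branch.example.com
service password-encryption
security passwords min-length 12
enable secret Br4nch-En4ble-S3cr3t
username netops privilege 15 secret Br4nch-Adm1n-S3cr3t
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Slow down password guessing: three failures within 60 s block logins for
! 120 s, every attempt is logged, and each response is delayed 2 s.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
login delay 2

! ---- SSH only, version 2, from the management subnet only ----
! Generate the key pair once from exec mode (not a configuration line):
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
line con 0
 exec-timeout 5 0
line aux 0
 no exec
 transport input none

! ---- Evidence: timestamped logs shipped off the box, clock from NTP ----
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 10.0.100.10
ntp server 10.0.100.5
```

After applying it, "show ip ssh" must report version 2, a telnet attempt to the router must be refused, and an SSH attempt from outside 10.0.100.0/24 must be rejected and logged by the MGMT-HOSTS access class; "show login" displays the current block state while the quiet period is active.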
Secure connectivity protects end user data against theft or alteration over untrusted transport media. The level of network security deployed in a branch depends on the WAN type and deployment model chosen. In a typical enterprise branch, the WAN types are generally cable/DSL for smaller branches, T1/E1 for medium branches, and T3/E3 for larger branches. The typical WAN deployment models for these WAN types are the Internet, private WAN (Frame Relay), and MPLS deployment models discussed in WAN Services, page 9.
Both Frame Relay and MPLS provide a level of secure connectivity through traffic separation, achieved with FR DLCIs or MPLS VRFs. Each customer's traffic is kept separate; however, the data is not encrypted, so it is readable by anyone with access to the provider's network. The Internet deployment model requires a layer of encryption to be applied, and Frame Relay and MPLS can also carry encryption as an additional layer of secure connectivity. The fundamental way to encrypt network traffic is a standard encryption method such as IP Security (IPsec). The IPsec standard provides a method to manage authentication and data protection between crypto peers engaged in a secure data transfer. The following four ways use the IPsec standard to provide secure connectivity across the WAN:
• Direct IPsec encapsulation
[Figure 9 (image not reproduced): the three areas of security services within the integrated services building block layer. Infrastructure protection: maintain network transport continuity and availability. Secure connectivity: protect against information theft or alteration over untrusted transport media. Threat defense detection and mitigation: detect, mitigate, and protect against policy violations and unauthorized events.]
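Direct IPsec encapsulation between the branch ISR and a headquarters peer, the first of the options listed above, as an added Cisco IOS configuration example that is not part of the original guide. It is written for the Internet deployment model, where the ADSL dialer interface faces the ISP and the same router performs NAT for branch Internet access, which is the case where the two checks at the end (a mirrored crypto ACL at headquarters and a NAT exemption for tunnel traffic) most often bite. The peer address, prefixes, interface names, and the pre-shared key are assumptions.

```cisco
! ---- IKE phase 1: authenticate and key the peer ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! Pre-shared key bound to the HQ peer address only (key is an assumption).
! Move to certificates once the number of branches makes per-site PSK
! handling impractical.
crypto isakmp key Hq2Br4nchPsk! address 198.51.100.1
! Dead peer detection: notice a silently failed hub within ~30 s.
crypto isakmp keepalive 10 3 periodic

! ---- IKE phase 2: how user traffic is protected ----
crypto ipsec transform-set HQ-AES esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
! "Interesting" traffic: branch LANs to HQ networks. The HQ side must carry
! the mirror image of this ACL or the SA will not negotiate.
ip access-list extended HQ-CRYPTO
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.255.255
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set HQ-AES
 set pfs group14
 match address HQ-CRYPTO

! ---- Internet-facing interface: only IKE and ESP from the peer get in ----
ip access-list extended WAN-INBOUND
 permit udp host 198.51.100.1 any eq isakmp
 permit udp host 198.51.100.1 any eq non500-isakmp
 permit esp host 198.51.100.1 any
 ! Older IOS releases re-check decrypted packets against this ACL, so the
 ! cleartext HQ-to-branch flows are permitted explicitly as well.
 permit ip 10.0.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 deny ip any any log
interface Dialer1
 description ADSL to the Internet
 ip access-group WAN-INBOUND in
 ip nat outside
 crypto map HQ-MAP
interface GigabitEthernet0/1
 description Branch LAN
 ip nat inside

! ---- NAT for branch Internet access, with tunnel traffic exempted ----
! IOS translates before it encrypts; without the deny line the branch
! source addresses are rewritten, never match HQ-CRYPTO, and leave in clear.
ip access-list extended NAT-EXEMPT
 deny ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-EXEMPT interface Dialer1 overload
```

"show crypto isakmp sa" should show the peer in QM_IDLE and "show crypto ipsec sa" should show encaps and decaps counters both increasing when a branch host talks to an HQ address; if only encaps climbs, the HQ crypto ACL is not the mirror of HQ-CRYPTO, and if neither climbs while Internet access works, the NAT exemption is missing.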
