There are two key motivators that have been driving the network convergence process. Each layer can be focused on specific functions, thereby enabling the networking designer to choose the right systems and features for the layer. The multi-tier design has two basic variations, as shown in Figure 7, that primarily differ only in the manner in which VLANs are defined. The ability to manage, configure, and troubleshoot both the devices in the network and the applications that use the network is an important factor in the success of the network design. Enterprise environments are not usually as concerned with the accounting aspects of the FCAPS model because they usually do not implement complex usage billing systems. Evolutionary changes are occurring within the campus architecture. In the event that one of the uplinks fails, the EtherChannel automatically redistributes all traffic to the remaining links in the uplink bundle rather than waiting for spanning tree, HSRP, or another protocol to converge. Since centralized management systems are unable to gather data from a device that is no longer fully operational (if that part of the network is down, you cannot gather data via the network), it is important to have a local store of event information. These fundamental changes require campus designs that allow the deployment of the security, monitoring, and troubleshooting tools available to support these new traffic patterns. •Syslog—Provides the ability to track system events. Figure 32 Evolution of the Campus Distribution Block Design. Another trend to be aware of is that the network discovery and configuration capabilities of CDP are being complemented with the addition of the IEEE LLDP and LLDP-MED protocols. Endpoints, such as laptops, are the most vulnerable and most desirable targets for attack. A critical factor for the successful implementation of any campus network design is to follow good structured engineering guidelines.
Three QoS design principles are important when deploying campus QoS policies: •Classify and mark applications as close to their sources as technically and administratively feasible. Router interface configuration, access lists, IP helper, and any other configurations for each VLAN remain identical. Traffic is load-balanced per flow, rather than per client or per subnet. First, what is the overall hierarchical structure of the campus and what features and functions should be implemented at each layer of the hierarchy? While it is true that many campus networks are constructed using three physical tiers of switches, this is not a strict requirement. With a virtual switch design, it is possible to configure a routed access layer, but this will affect the ability to span VLANs across wiring closets. The challenge for the network designer is to deploy an integrated campus solution that provides the optimal service requirements for all devices based on the principles of the converged network—while still providing a common baseline set of network services and allowing unified operations and management. However, most of the topics present in this text overlap with topics applicable to data center design, such as the use of VLANs. •Collaboration and real-time communication application use is growing. As illustrated in Figure 29, a single physical campus can allow for the allocation of multiple separate logical networks when built with the necessary capabilities. The distribution layer, on the other hand, serves multiple purposes. Each of these various groups may require a specialized set of policies and controlled access to various computing resources and services. PVST+, Rapid PVST+, EIGRP, OSPF, DTP, PAgP/LACP, UDLD, FlexLink, PortFast, UplinkFast, BackboneFast, LoopGuard, BPDUGuard, Port Security, RootGuard. Table 1 lists examples of the types of services and capabilities that need to be defined and supported in the access layer of the network.
The overall campus architecture is more than the fundamental hierarchical design discussed in Campus Architecture and Design Principles. As shown in Figure 5, the same link failure in three different switch configurations can result in three different traffic recovery paths ranging from the best case—where traffic flowing upstream recovers to another upstream path—to the worst case, in which traffic must flow back down to a lower layer of the hierarchy in order to restore network connectivity. In addition to providing strong authentication, 802.1X can also be used as a means to further configure network services, VLAN assignment, QoS, and port ACL policies. Some of these groups might exist in the network for long periods of time, such as partners, and others might only require access for the life of a specific project—such as contractors. A full discussion of network management and a comprehensive examination of each of these areas is outside of the scope of this document; however, understanding the principles of campus design and switch capabilities within the overall management framework is essential. Ensuring that the overall architecture provides for the optimal degree of flexibility possible will ensure that future business and technology requirements will be easier and more cost effective to implement. While each of the three access-distribution block designs provides a viable approach, there are advantages to the virtual switch and routed access designs over the traditional multi-tier approach. ERSPAN is the preferred solution because it allows for the spanned traffic to be carried over multiple Layer-3 hops, allowing for the consolidation of traffic analysis tools in fewer locations. The data center design as part of the enterprise network is based on a layered approach to improve scalability, performance, flexibility, resiliency, and maintenance. Figure 1-14 Distribution Layer Interconnecting the Access Layer.
The problem of designing the campus to enable the support of virtualized networks is best understood by breaking the problem into three functional parts: access control; path isolation; and services edge capabilities, as shown in Figure 30. Trust and identity features should be deployed at these internal perimeters in the form of authentication mechanisms such as IBNS (802.1X) or Network Admission Control (NAC). Tools, such as the Cisco MARS, should be leveraged to provide a consolidated view of gathered data to allow for a more accurate overall view of any security outbreaks. It is important to note that while the tiers do have specific roles in the design, there are no absolute rules for how a campus network is physically built. One version of spanning tree and the use of the spanning tree hardening features (such as LoopGuard, RootGuard, and BPDUGuard) are configured on the access ports and switch-to-switch links as appropriate. This document presents an overview of the campus network architecture and includes descriptions of various design considerations, topologies, technologies, configuration design guidelines, and other considerations relevant to the design of a highly available, full-service campus switching fabric. Figure 1-18 shows a sample medium campus network topology. See Figure 23. Designing a campus network is no different from designing any large, complex system—such as a piece of software or even something as sophisticated as the space shuttle. It is also intended to serve as a guide to direct readers to more specific campus design best practices and configuration examples for each of the specific design options. •The growth in the number of onsite partners, contractors, and other guests using the campus services. Network recovery time from the user (or application) perspective is the third critical design metric to consider when designing a campus network.
For fast convergence around a link or node failure, the core uses redundant point-to-point Layer 3 interconnections because this design yields the fastest and most deterministic convergence results. Such an interim approach allows for a faster introduction of new services without requiring a network-wide, hot cutover. A five nines network, which has been considered the hallmark of excellent enterprise network design for many years, allows for up to five (5) minutes of outage or downtime per year. Figure 1 The Layers of the Campus Hierarchy. Layer 2 in the access layer is more prevalent in the data center because some applications support low latency via Layer 2 domains. Traditional approaches to adding this customized behavior often involve the use of centralized monitoring systems to trap events and run scripts to take a specific action for each type of event. Problems in one area of the network very often impacted the entire network. While each of these layers has specific service and feature requirements, it is the network topology control plane design choices—such as routing and spanning tree protocols—that are central to determining how the distribution block glues together and fits within the overall architecture. Every network is designed to support a specific number of devices on an edge port. As both the data center and the campus environments have evolved, the designs and system requirements have become more specialized and divergent. The emerging Human Network, as it has been termed by the media, illustrates a significant shift in the perception of and the requirements and demands on the campus network. In the current campus QoS design, the access ports of each switch are configured to not trust the QoS markings of any traffic arriving on that port—unless it is on the auxiliary or voice VLAN and the switch has detected that there is a phone (trusted device) on that VLAN.
Introduce a volume of traffic, a number of traffic flows, or another anomalous condition to find the vulnerabilities. Cisco campus designs also use layers to simplify the architectures. Tools, such as the Cisco IOS Embedded Event Manager (EEM), provide the capability to distribute the scripts to switches in the network—rather than running all scripts centrally in a single server. Designing the capability to reallocate resources and implement services for specific groups of users without having to re-engineer the physical infrastructure into the overall campus architecture provides a significant potential to reduce overall capital and operational costs over the lifespan of the network. Having a centralized record of network events (via SNMP and syslog data) provides for the first-level, or network-topology, view of post-mortem diagnostic information. The challenge for the campus architect is determining how to implement a design that meets this wide variety of requirements, the need for various levels of mobility, and the need for a cost-effective and flexible operations environment, while being able to provide the appropriate balance of security and availability expected in more traditional, fixed-configuration environments. In the modern business world, the core of the network must operate as a non-stop 7x24x365 service. Catalyst and Nexus switches support access lists and filtering without affecting switching performance by supporting these features in the hardware switch path. Changes in the design or capacity of the distribution layer can be implemented in a phased or incremental manner. What are the expectations and parameters of those services? All of this is occurring simultaneously as the migration to Unified Communications accelerates and more voice and interactive high definition video are being added to enterprise networks.
Equal-cost multi-path (ECMP) designs and other fully redundant configurations ensure these hierarchical data flows also provide for fast and deterministic convergence times over non-fully-meshed designs, as shown in the best case in Figure 5. •Police unwanted traffic flows as close to their sources as possible. These early programs were highly optimized and very efficient. Network resiliency is largely concerned with how the overall design implements topology redundancy, redundant links and devices, and how the control plane protocols (such as EIGRP, OSPF, PIM, and STP) are optimally configured to operate in that design. As illustrated in Figure 13, there are a number of approaches to providing resiliency, including hardening the individual components, switches, and links in the network, adding throttle or rate limiting capabilities to software and hardware functions, providing explicit controls on the behavior of edge devices, and the use of instrumentation and management tools to provide feedback to the network operations teams. Later chapters discuss many of the features that might be optional for smaller campuses but become requirements for larger networks. The example depicts physical distribution segments as buildings. By having dual active paths through redundant switches designed to converge in sub-second timeframes, it is possible to schedule an outage event on one element of the network and allow it to be upgraded and then brought back into service with minimal disruption to the network as a whole. The design can be viewed from many aspects, starting from the physical wiring plant, moving up through the design of the campus topology, and eventually addressing the implementation of the campus services.
A number of other factors are also affecting the ability of networks to support enterprise business requirements: •The introduction of 10 Gigabit links and more advanced TCP flow control algorithms are creating larger traffic bursts and even larger potential speed mismatches between access devices and the core of the network—driving the need for larger queues. As of the time this document was written, Cisco was still in collaboration with Microsoft to determine the effectiveness and best practices for the use of these new QoS tools. Accounting and performance are two aspects of the FCAPS model that are primarily concerned with the monitoring of capacity and the billing for the use of the network. Core devices are most reliable when they can accommodate failures by rerouting traffic and can respond quickly to changes in the network topology. Over the last 50 years, businesses have achieved improving levels of productivity and competitive advantage through the use of communication and computing technology. Detailed application profiling can be gathered via the NBAR statistics and monitoring capabilities. Just as a firewall or external security router provides security and policy control at the external perimeter of the enterprise network, the campus access layer functions as an internal network perimeter. Equipment can be damaged during shipping or during installation (static discharge can damage electronic components if systems are not installed using the correct procedures). It can also be accomplished statically via manual configuration that assigns specific ports to specific VLANs (and specific virtual networks). These provide the ability to collect packet traces remotely and view them at a central management console.
The result of this basic difference is that while wireless access provides for a highly flexible environment allowing seamless roaming throughout the campus, it carries the risk that the network service will degrade under extreme conditions and will not always be able to guarantee network service level requirements. This document is the first part of an overall systems design guide that addresses enterprise campus architectures using the latest advanced services technologies from Cisco and is based on best-practice design principles that have been tested in an enterprise systems environment. Note: For more information on GOLD, refer to the following URL: The campus core can often interconnect the campus access, the data center, and WAN portions of the network. Simpler overall network configuration and operation, per-flow upstream and downstream load balancing, and faster convergence are some of the differences between these newer design options and the traditional multi-tier approach. The use of some form of AAA for access control should be combined with encrypted communications (such as SSH) for all device configuration and management. Protecting the inter-switch links from security threats is largely accomplished through the implementation of the campus QoS design discussed in the Application Optimization and Protection Services. As enterprises migrate to VoIP and Unified Communications, what is considered acceptable availability must also be re-evaluated. For some networks, the distribution layer offers a default route to access layer routers and runs dynamic routing protocols when communicating with core routers. The core layer helps in scalability during future growth. While the metrics to evaluate subjective failure assessment are by definition subjective, they do have a basis in the common patterns of human communication.
As these LANs grew and became interconnected—forming the first generation of campus networks—the same challenges faced by the software developers became apparent to the network engineers. The core must provide a high level of redundancy and adapt to changes quickly. Most legacy wired networks had never been designed or deployed with network authentication in mind. The increase in security risks, need for more flexible infrastructure, change in application data flows, and SLA requirements have all driven the need for a more capable architecture. The Cisco ESE Campus Design Guide, which includes this overview discussion and a series of subsequent detailed design chapters, is specifically intended to assist the engineering and operations teams in developing a systems-based campus design that will provide the balance of availability, security, flexibility, and operability required to meet current and future business and technological needs. •Forwarding Plane Flexibility—The ability to support the introduction and use of IPv6 as a parallel requirement alongside IPv4. Device resiliency, as with network resiliency, is achieved through a combination of the appropriate level of physical redundancy, device hardening, and supporting software features. The fault management process can be broken down into three stages or aspects: proactive, reactive, and post-mortem analysis. The coordinated use of multiple features and the use of features to serve multiple purposes are aspects of resilient design. The campus network, as defined for the purposes of the enterprise design guides, consists of the integrated elements that comprise the set of services used by a group of users and end-station devices that all share the same high-speed switching communications fabric. Hi guys, I've just started studying for the CCDA and I'm using Cisco Press's OCG and CBT Nuggets video.
In a network of three switches connected in serial, with no redundancy, the network will break if any one of the three switches breaks. Any or all of these three link virtualization mechanisms can be used in VRF-based Layer-3 forwarding virtualization in the end-to-end design. While all wireless media is susceptible to intentional or unintentional DoS events (radio jamming, RF interference), the use of centralized radio management WLAN designs provides solutions to address these challenges. The single thread that ties all of the requirements together is the need to cost-effectively move devices within the campus and have them associated with the correct network policies and services wherever they are connected. The migration from the more than 10-year-old multi-tier distribution block design to one of the newer routed access-based or virtual switch-based distribution block design options is occurring in response to changing business requirements. This structured approach is key to ensuring that the network always meets the requirements of the end users.