NETWORK REQUIREMENTS DEFINITION

Defining the exact requirements (in terms of network hardware and network bandwidth) provides the key component of design and implementation. Referring to the CME case study and Figure 17-1 later in this chapter, WAN requirements are calculated first.

Figure 17-1: The layered security hierarchy

WAN Requirements

Considering known values (site role, location, available connectivity, use load, and so on), the CME network designers reviewed existing resources and developed WAN bandwidth and hardware requirements per site.

Current WAN Hardware

The CME infrastructure was upgraded from a wide range of low-end, multivendor devices, many of which were somewhat antiquated, to an enterprise-class foundational equipment suite. Over the last three years, some of the equipment deployed or retained to support corporate sites has become end-of-life (EOL) and must be replaced. Sites are connected to CME-CORP via high-cost, low-bandwidth dedicated frame relay virtual circuits carried on multiple T1 facilities. CME-CORP needs to maintain standardized devices and configurations as much as possible to ensure interoperability and simplify network management and configuration control. After analyzing the inventory, designers determined that the resources in Table 17-1 should be replaced or reallocated. The exact sequence of replacement and redeployment must be included on the master project timeline.

Table 17-1: WAN/Security Hardware Replacement

| WAN Hardware        | Current Site       | Quantity | Projected Status | Future Use         |
|---------------------|--------------------|----------|------------------|--------------------|
| Cisco 1760 Router   | Atlanta, GA        | 1        | Keep             | Atlanta, GA        |
| Cisco 1760 Router   | Detroit, MI        | 1        | Keep             | Detroit, MI        |
| Cisco 1760 Router   | Helena, MT         | 1        | Keep             | Helena, MT         |
| Cisco 1760 Router   | Miami, FL          | 1        | Keep             | Miami, FL          |
| Cisco 1760 Router   | Minneapolis, MN    | 1        | Keep             | Minneapolis, MN    |
| Cisco 1760 Router   | New Orleans, LA    | 1        | Keep             | Salt Lake City, UT |
| Cisco 1760 Router   | Salt Lake City, UT | 1        | Keep             | Salt Lake City, UT |
| Cisco 1760 Router   | San Antonio, TX    | 1        | Keep             | San Antonio, TX    |
| Cisco 1760 Router   | Winnipeg, MB       | 1        | Keep             | Winnipeg, MB       |
| Cisco 1760 Router   | CME Corp           | 2        | Replace          | Sales Offices      |
| Cisco 1760 Router   | CME-WEST           | 2        | Replace          | Sales Offices      |
| Cisco 1760 Router   | CME-MEX            | 1        | Replace          | Sales Offices      |
| Cisco 1760 Router   | CME-TNG            | 1        | Keep             | CME-TNG            |
| Cisco PIX-515E w/FO | CME Corp           | 1        | Replace          | CME-WEST           |
| Cisco PIX-515E      | CME-WEST           | 1        | Replace          | CME-MEX            |
| Cisco PIX-515E      | CME-EUR            | 1        | Keep             | CME-EUR            |
| Cisco PIX-506E      | CME-TNG            | 1        | Delete           | Sales Offices      |
| Cisco PIX-506E      | CME-MEX            | 1        | Replace          | Sales Offices      |

WAN Bandwidth

The bandwidth requirements fall into two basic types of service: dedicated private WAN and Internet-based VPN WAN. The three main sites have significantly different bandwidth needs than the typical sales office site. CME-CORP must be able to handle the aggregate bandwidth of all remote sites, as it hosts the enterprise core. CME-WEST needs high bandwidth to CME-CORP to support replication of data and services in support of disaster recovery, as well as a reasonably robust Internet presence to allow CME-WEST to assume the role of the corporate server farm in the event of a catastrophic failure. Table 17-2 details the engineering calculations for WAN bandwidth.

Table 17-2: WAN Bandwidth Calculation Worksheet (bandwidth figures in Kbps; the per-user Citrix allowance is 30 Kbps)

| Site                  | Connection Method | # of Sites | Concurrent Citrix Users | Citrix B/W | Overhead figures as listed (printing, Internet, video, IPsec, excess) | Required Bandwidth | Service Type | Provisioned B/W per Site | VC/PVC Required |
|-----------------------|-------------------|------------|-------------------------|------------|------------------------------------------------------------------------|--------------------|--------------|--------------------------|-----------------|
| CME Corp (WAN)        | Private WAN       | 1          |                         |            | 1000, 512                                                              | 30552              | ATM          | 35000                    | VBR-NRT         |
| CME Corp (Internet)   | ISP               | 1          |                         |            | 5000, n/a, 1000                                                        | 24476              | ATM          | 25000                    | UBR             |
| CME-WEST (WAN)        | Private WAN       | 1          | 100                     | 3000       | 128, 1000                                                              | 4228               | ATM          | 6000                     | VBR-NRT         |
| CME-WEST (Internet)   | ISP               | 1          |                         |            | 512                                                                    | 512                | ATM          | 1500                     | UBR             |
| CME-EUR               | VPN WAN           | 1          | 100                     | 3000       | 620, 128, 1124                                                         | 4972               | ATM          | 5000                     | UBR             |
| CME-MEX               | VPN WAN           | 1          | 100                     | 3000       | 620, 128, 1124, 512                                                    | 5484               | ATM          | 6000                     | UBR             |
| CORP-Sales (Typical)  | Private WAN       | 30         | 10                      | 300        | 60, 155, 155                                                           | 680                | Frame relay  | 768                      | 768 Kbps CIR    |
| WEST-Sales (Typical)  | VPN WAN           | 10         | 10                      | 300        | 60, 155, 155                                                           | 680                | Any          | 768                      | n/a             |
| EUR-Sales (Typical)   | VPN WAN           | 10         | 10                      | 300        | 60, 155, 155                                                           | 680                | Any          | 768                      | n/a             |
| CME-TNG               | Private WAN       | 1          | 5                       | 150        | 30, 78, 128, 512                                                       | 903                | ATM-DSL      | 1000                     | VBR-NRT         |
| Supplier MSAM Access  | ISP               | n/a        | 10                      | 300        |                                                                        | 310                | n/a          | none                     | none            |
| Mobile Citrix Users   | ISP               | n/a        | 50                      | 1500       | 300                                                                    | 1850               | n/a          | none                     | none            |
| Mobile VPN Users      | ISP               | n/a        | 20                      | 600        | 120, 216                                                               | 956                | n/a          | none                     | none            |
| Dial-Up RAS           | PSTN              | n/a        | 23                      | 1472       | n/a                                                                    | 1536               | ISDN PRI     | ISDN PRI                 | none            |

Required bandwidth for the CME-CORP private WAN reflects aggregated bandwidth equal to the virtual circuits for all sites plus additional overhead. The 35 Mbps "provisioned" capacity will in fact require ATM DS3 (45 Mbps) service.

Required bandwidth for the CME-CORP Internet connection reflects aggregated bandwidth equal to all inbound and outbound Internet traffic for all sites, including VPN-connected sites at their maximum provisioned data rate, as well as Mobile VPN, Mobile Citrix, and supplier extranet bandwidth projections. The 25 Mbps "provisioned" capacity will in fact require dual ATM DS3 service, with each DS3 carrying a 15 Mbps virtual circuit.

CME-WEST requirements are somewhat deceptive. Both Internet and private WAN access are provided over ATM DS3 facilities. The WAN bandwidth is increased (well above the level justified by user access) to support ongoing off-hours data replication to CME-WEST as the "hot site." Additionally, by providing service over DS3 facilities, the sales office virtual circuits could be reterminated at CME-WEST in the event of a catastrophic failure at CME-CORP. Internet bandwidth is similar: the day-to-day requirement is a mere 1.5 Mbps, but the DS3 ATM service allows the virtual circuit to be raised to 15 Mbps or more to reterminate site-to-site VPNs in a disaster scenario.

For both CME-EUR and CME-MEX, bandwidth is based on availability of ATM service. Both will be sites within the Windows Server 2003 Active Directory Domain, and printing will be via network printers through the VPN (outside the Citrix ICA channel) to allow bandwidth management of VPN traffic by the PacketShapers. CME-MEX bandwidth appears artificially low based on the number of users at the site, but the majority of the users are Plant Floor production workers with only occasional access to Citrix or the CME-CORP services.

North American (CORP) sales offices will be provisioned as "inter-worked" circuits, re-encapsulated from frame relay (site end) to ATM (CORP end).

Several peripheral bandwidth calculations are included: Extranet bandwidth is not "supplied" by CME, but as the remote activities terminate at CME-CORP, it is included in the overall load. Dial-up RAS does not impact the raw bandwidth but must be included in specifying the CME-CORP security hardware. CME-CORP will reuse their existing RAS hardware.
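The worksheet applies a flat IPsec overhead to the VPN-connected sites: the 1124 Kbps entered for CME-EUR and CME-MEX is 30 percent of their Citrix, printing and video components (3000 + 620 + 128), and the 216 Kbps for mobile VPN users is 30 percent of 720. The script below is an added example, not part of the case study, that shows where a figure like that comes from. It computes the on-wire size of a packet after ESP tunnel-mode encapsulation (fixed headers, CBC IV, block padding and a 96-bit ICV), optionally with the GRE wrapper used on GRE over IPsec paths, and turns a byte-weighted packet-size mix into an overhead ratio. Small packets, which is what Citrix ICA keystroke and screen-update traffic mostly consists of, pay a far higher percentage than large ones. The packet-size mix is constructed for illustration, not measured at CME.

```python
"""ESP tunnel-mode size calculator (added example, not part of the CME case study)."""

# Fixed sizes in bytes: IPv4 header, ESP header (SPI + sequence number), ESP
# trailer (pad length + next header), minimal GRE header, and the 96-bit ICV
# produced by HMAC-SHA1-96 or HMAC-MD5-96.
IPV4_HDR = 20
ESP_HDR = 8
ESP_TRAILER = 2
GRE_HDR = 4
ICV_96 = 12

# CBC block size, which is also the per-packet IV length.
CBC_BLOCK = {"3des": 8, "aes": 16}


def esp_tunnel_size(inner_len, cipher="aes", gre=False, icv=ICV_96):
    """Total IPv4 datagram size after ESP tunnel-mode encapsulation.

    inner_len is the size of the original IP packet, headers included.
    gre=True models GRE over IPsec: the packet is first wrapped in GRE plus
    a new IP header, and that result is what ESP tunnel mode encrypts.
    """
    if cipher not in CBC_BLOCK:
        raise ValueError(f"unsupported cipher: {cipher!r}")
    block = CBC_BLOCK[cipher]
    if gre:
        inner_len += GRE_HDR + IPV4_HDR
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block
    return IPV4_HDR + ESP_HDR + block + padded + icv


def overhead_ratio(inner_len, **kw):
    """Fractional growth of one packet; 0.52 means 52% more bytes on the wire."""
    return esp_tunnel_size(inner_len, **kw) / inner_len - 1


def mix_overhead_ratio(mix, **kw):
    """Byte-weighted overhead for a traffic mix given as (packet size, share of packets)."""
    before = sum(size * share for size, share in mix)
    after = sum(esp_tunnel_size(size, **kw) * share for size, share in mix)
    return after / before - 1


def ipsec_overhead_kbps(components_kbps, ratio):
    """The worksheet step: overhead added on top of the Citrix, printing and video figures."""
    return round(components_kbps * ratio)


# Constructed ICA-like mix (assumption, not measured at CME): mostly small
# packets with a few larger screen updates, as (bytes, share of packet count).
ICA_MIX = [(120, 0.5), (200, 0.3), (600, 0.2)]

if __name__ == "__main__":
    for cipher in CBC_BLOCK:
        for gre in (False, True):
            print(f"{cipher:4s} gre={gre!s:5s} 100-byte packet -> "
                  f"{esp_tunnel_size(100, cipher, gre)} bytes "
                  f"({overhead_ratio(100, cipher=cipher, gre=gre):.0%} overhead)")
    ratio = mix_overhead_ratio(ICA_MIX)
    print(f"ICA mix, AES, no GRE: {ratio:.1%} -> "
          f"{ipsec_overhead_kbps(3000 + 620 + 128, ratio)} Kbps for CME-EUR")
```

With the constructed mix and AES, the byte-weighted overhead lands near 27 percent, close to the worksheet's flat 30 percent; a 100-byte packet alone grows by more than half under 3DES and by two thirds under AES, and the GRE wrapper adds another 24 bytes before encryption. Sizing the tunnel from a measured packet-size distribution rather than a single percentage is the check to run before the provisioned rate is fixed.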

WAN Hardware

Basic WAN hardware suites are consistent across similar sites to ease configuration management and allow for easier network management. Again, CME-CORP and CME-WEST are unique, given their enterprise roles. As a significant segment of the corporate WAN is VPN-based, VPN termination hardware (firewalls for site-to-site connections and a VPN concentrator for client-to-site connections) is included. Table 17-3 lists the hardware the designers have selected. Newer capabilities in the Cisco Integrated Services Router (ISR) line will be leveraged to provide link encryption of all data and eventually to allow extension of the corporate WAN to selected sites via generic routing encapsulation (GRE) over IPsec tunnels. The GRE over IPsec implementation will allow most of the "single-homed" sales office sites to dynamically restore connectivity in case of a last-mile failure of the frame relay network.

Table 17-3: WAN and Security Hardware

| Site                 | Purpose                       | Quantity | Description |
|----------------------|-------------------------------|----------|-------------|
| CME-CORP (WAN)       | Private WAN Router            | 1        | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS Advanced Security |
| CME-CORP (Internet)  | Internet Router               | 2        | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS Advanced Security |
| CME-CORP (Internet)  | Firewall/VPN                  | 2        | Cisco ASA 5540 with SSM-20 IDS |
| CME-CORP (Internet)  | Access Gateway                | 2        | Citrix Access Gateway 4.2 |
| CME-CORP (Internet)  | VPN (IPsec clients)           | 2        | Cisco VPN 3030, redundant power supplies |
| CME-WEST (WAN)       | Private WAN Router            | 1        | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS Advanced Security |
| CME-WEST (Internet)  | Internet Router               | 1        | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS Advanced Security |
| CME-WEST (Internet)  | Firewall/VPN                  | 1        | Cisco 535-UR and 535-FO (fail-over), (2) 66 MHz GE interfaces, (2) 66 MHz 4-port FE interfaces, (2) VPN Accelerator+ (reallocated from CME Corp) |
| CME-EUR              | Internet Router               | 1        | As determined by host nation and ISP. Use Cisco 3825 ISR, 64MB Flash, 256MB DRAM, IOS Advanced IP Services |
| CME-EUR              | Firewall/VPN                  |          | Cisco 515E redundant (failover) w/IPsec 3DES/AES |
| CME-MEX              | Internet Router               | 1        | As determined by host nation and ISP. Use Cisco 3825 ISR, 64MB Flash, 256MB DRAM, IOS Advanced IP Services |
| CME-MEX              | Firewall/VPN                  | 1        | Cisco 515E redundant (failover) w/IPsec 3DES/AES |
| CORP-Sales (Typical) | Private WAN Router & Firewall | 30       | Cisco 1841 ISR, 64MB Flash, 256MB DRAM, 2FE, T1 CSU/DSU, ADSL WIC, IOS Advanced IP Services |
| WEST-Sales (Typical) | Internet Router & Firewall    | 10       | As determined by host nation and ISP; use CME-owned Cisco 1841 ISR, IOS Advanced IP Services, with appropriate interface cards where possible |
| EUR-Sales (Typical)  | Internet Router               | 10       | As determined by host nation and ISP; use CME-owned Cisco 1841 ISR, IOS Advanced IP Services, with appropriate interface cards where possible |
| CME-TNG              | Private WAN Router & Firewall | 1        | Cisco 1841 ISR, 64MB Flash, 256MB DRAM, 2FE, ADSL WICs, IOS Advanced IP Services |
| Dial-Up RAS          | PSTN                          | 1        | Re-use existing Lucent PortMaster |

The "standard" high-capacity WAN router has more than adequate horsepower for CME's WAN connections and can easily be seen as "overkill" for CME-WEST.

Aside from the obvious answer, that CME-WEST may need to assume CME-CORP's role, standardizing on the same model for all high-bandwidth sites ensures the redundant Internet router at CME-CORP can restore service for any other router without loss of service. It is effectively a global spare that is in service to support load balancing and redundancy for CME-CORP's Internet connectivity.

The redundant (fail-over) firewall with gigabit interfaces ensures low latency throughput between the Internet router and the corporate LAN.

Although traffic load for the client access VPN is not high, redundancy is still required. As an additional benefit, the VPN concentrator can support site-to-site tunnels with multiple authentication methods.

Much of the typical IPsec traffic load will be phased out for the Cisco VPN 3030 hardware as clients move to the Citrix Access Gateway's SSL VPN.

Primary (Internet) routers for sites outside the U.S. and Canada remain "to be determined." Hardware installed outside the U.S. usually requires both host nation approval (HNA) and acceptance by the servicing ISP. In many countries, the PSTN is a pseudo-governmental entity and protects itself from competition by restricting the hardware that can be connected. In cases where the host nation and the ISP are amenable, CME-owned routers (Cisco 3825 or Cisco 1841) would be used.

LAN Requirements

Per-site LAN requirements are based on metrics similar to the WAN calculations. The primary factor is obviously the number of hosts (Ethernet devices) at a given site; the design assumes 10/100MB switched Fast Ethernet connectivity unless higher throughput is required, in the form of Fast Ethernet port aggregation via Fast EtherChannel (FEC), Gigabit Ethernet, or Gigabit Ethernet port aggregation via Gigabit EtherChannel (GEC). All sales offices and CME-TNG will use identical hardware. Regional offices and the manufacturing plant (CME-WEST, CME-EUR, and CME-MEX) are similar but with more capacity at CME-WEST to support data center reconstitution. CME-CORP is designed as a highly robust fault-tolerant infrastructure. At the four primary sites, server requirements (network cards) are identified to help calculate the number of FEC, Gigabit, and GEC ports needed.

Current LAN Hardware

The current LAN infrastructure at the four primary sites was rebuilt three years ago and requires few, if any, upgrades. The sales office hardware was reallocated from available manageable resources and remains fully usable, but phased replacements will be scheduled, as many of the items are EOL. LAN switches will be replaced with current-generation hardware to allow future expansion of voice and video to all sites.

Sales Office LAN Hardware

Sales offices share a common set of attributes: fewer than 48 users; no requirement for Gigabit Ethernet, FEC, or GEC; and, originally, a single LAN segment with no need for Layer 3 switching. Pending rollouts of video and Voice over IP (VoIP) will require segmentation of the sales office LANs to support the new technologies. CME designers had a choice of LAN switches: the Cisco 3560-Series 48-port or the Cisco 3750-Series 48-port. Designers elected to go with the more expensive 3750 switches to allow "stacking" and redundancy for larger sales offices and to allow for consolidation and simplified management of the switch stacks.

CME-MEX LAN Hardware

CME-MEX has a full Layer 3 switching solution. The majority of the 300 users are associated with the manufacturing floor and need only occasional LAN (or Citrix) access; hence the reallocation of switches from CME-CORP three years ago met requirements. Host connectivity requirements are

  • 10/100MB Ethernet (Plant Floor), 210 distributed connections, isolated from the administrative/server LAN segment by access lists (Layer 3)

  • 10/100MB Ethernet (Administrative/Servers), 135 centralized connections, isolated from the Plant Floor LAN segment by access lists (Layer 3)

  • 10/100MB Ethernet (Uplink to WAN equipment), five centralized connections, isolated by access lists (Layer 3)

  • Gigabit Ethernet (Downlink to 3508XL-EN switch), one connection

Table 17-4 summarizes the additional LAN hardware needed for CME-MEX.

Table 17-4: CME-MEX LAN Hardware

| LAN Hardware                | Purpose      | Description |
|-----------------------------|--------------|-------------|
| Cisco Catalyst 4507 System  | LAN Core     | Cisco 4507 7-slot chassis, redundant power supplies, (2) Catalyst Supervisor 4 with Enhanced Layer 3 IOS software, (3) 48-port 10/100/1000 Ethernet modules |
| Cisco Catalyst 3508 System  | Distribution | Cisco 3508-XL-EN chassis (excess from CME Corp), (1) 1000BaseTX GBIC, (5) 1000BaseSX GBIC |
| Cisco Catalyst 3550 System  | Plant Access | (5) Cisco 3550-48-SMI chassis (excess from CME Corp), (5) 1000BaseSX GBIC |
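The Plant Floor and Administrative/Server segments at CME-MEX are kept apart by Layer 3 access lists, and the same approach is planned for CME-EUR. The script below is an added example (not from the case study) that generates an IOS-style extended ACL for the plant-floor VLAN interface from a short whitelist, with an explicit logged deny toward every other internal segment and a final deny-all, then checks the result with a first-match evaluator before it goes near a switch. The VLAN subnets are assumed carve-outs of the 10.201.4.0/22 CME-MEX block (the page gives only the /22); the server addresses are hypothetical, and the ports are the standard Citrix ICA (TCP 1494) and session reliability (TCP 2598) ports.

```python
"""Least-privilege Layer 3 ACL builder (added example, not part of the CME case study)."""
import ipaddress

# Assumed VLAN carve-outs of the 10.201.4.0/22 CME-MEX block from Table 17-12.
# The page gives only the /22; these subnets are hypothetical.
SEGMENTS = {
    "PLANT": ipaddress.ip_network("10.201.6.0/23"),  # 210 plant-floor drops
    "ADMIN": ipaddress.ip_network("10.201.4.0/24"),  # administrative users and servers
    "WAN":   ipaddress.ip_network("10.201.5.0/28"),  # uplink to WAN equipment
}

# Assumed whitelist for plant-floor hosts: a local Citrix server, local DNS,
# and the Citrix farm at CME-CORP (10.1.0.0/24, Servers Core-A) over the VPN.
# Entries: (protocol, IOS destination spec, destination port, remark)
PLANT_FLOWS = [
    ("tcp", "host 10.201.4.10", 1494, "Citrix ICA to local server"),
    ("tcp", "host 10.201.4.10", 2598, "Citrix session reliability"),
    ("udp", "host 10.201.4.53", 53, "DNS"),
    ("tcp", "10.1.0.0 0.0.0.255", 1494, "Citrix ICA to CME-CORP farm via VPN"),
]


def wildcard(net):
    """IOS 'address wildcard' form of a prefix, e.g. '10.201.6.0 0.0.1.255'."""
    return f"{net.network_address} {net.hostmask}"


def build_segment_acl(name, segment, flows, segments=SEGMENTS):
    """Inbound ACL for one segment's routed interface.

    Every permit pins the source to the segment's own prefix, so a packet
    carrying a spoofed source from another segment matches nothing and
    falls through to the final deny.
    """
    src = wildcard(segments[segment])
    lines = [f"ip access-list extended {name}"]
    for proto, dst, port, remark in flows:
        lines.append(f" remark {remark}")
        lines.append(f" permit {proto} {src} {dst} eq {port}")
    for other, net in segments.items():
        if other != segment:
            lines.append(f" remark block {segment} to {other}")
            lines.append(f" deny ip {src} {wildcard(net)} log")
    lines.append(" deny ip any any log")
    return lines


def _parse_addr(tokens, i):
    """Consume one ACE address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'address wildcard' form: ipaddress accepts a hostmask after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def acl_decision(lines, src_ip, dst_ip, proto, dport):
    """First-match evaluation with IOS semantics (implicit deny at the end)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in lines[1:]:
        tokens = line.split()
        if tokens[0] == "remark":
            continue
        action, ace_proto = tokens[0], tokens[1]
        src_net, i = _parse_addr(tokens, 2)
        dst_net, i = _parse_addr(tokens, i)
        port_ok = True
        if i < len(tokens) and tokens[i] == "eq":
            port_ok = int(tokens[i + 1]) == dport
        if ace_proto in ("ip", proto) and src_ip in src_net and dst_ip in dst_net and port_ok:
            return action
    return "deny"


if __name__ == "__main__":
    print("\n".join(build_segment_acl("PLANT-IN", "PLANT", PLANT_FLOWS)))
```

The per-segment denies are redundant with the final deny-all but give distinct log lines per crossing attempt, which is what the IDS and management staff will want to see. The evaluator is deliberately narrow (protocol, source, destination, single destination port) so that a rule the generator cannot express also cannot pass the check unnoticed.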

CME-EUR LAN Hardware

CME-EUR is similar to CME-MEX in scope but does not currently require a Layer 3 switching solution. To maintain consistency of hardware and position CME-EUR for future Layer 3 initiatives, the site will be built as Layer 3 from the beginning. The 200 users are associated with management and administration of the European Region sales force, as well as limited engineering functions. Host connectivity requirements are

  • 10/100MB Ethernet (Administrative/Servers), 212 centralized connections, isolated by access lists (Layer 3)

  • 10/100MB Ethernet (Uplink to WAN equipment), five centralized connections, isolated by access lists (Layer 3)

Table 17-5 summarizes the LAN hardware needed for CME-EUR.

Table 17-5: CME-EUR LAN Hardware

| LAN Hardware               | Purpose  | Description |
|----------------------------|----------|-------------|
| Cisco Catalyst 4507 System | LAN Core | Cisco 4507 7-slot chassis, redundant power supplies, (2) Supervisor 4 with Enhanced Layer 3 IOS software, (5) 48-port 10/100/1000 Ethernet modules |

CME-WEST LAN Hardware

The CME-WEST LAN is similar to CME-EUR in its day-to-day role, but the site's scope as the CME Disaster Recovery "Hot Site" requires basic additional capacity as well as the ability to incrementally expand services. The 200 users are associated with management and administration of the West Region sales force and have limited engineering functions. Host connectivity requirements are

  • 10/100MB Ethernet (administrative), 217 centralized connections, isolated by access lists (Layer 3)

  • 10/100MB Ethernet (servers), four centralized connections, isolated by access lists (Layer 3), for site support servers (domain controller, DNS, and so on)

  • Gigabit Ethernet (servers), 16 centralized connections, isolated by access lists (Layer 3), for stand-by servers in the Citrix farm, domain controllers, and data storage and archive subsystems needed to reconstitute CME-CORP servers

  • Gigabit Ethernet (disaster recovery)

    • Ten centralized connections for stackable switches during disaster recovery

    • Sixteen centralized connections for reconstituted servers during disaster recovery

  • 10/100MB Ethernet (disaster recovery), 24 centralized connections for reconstituted servers and peripherals during disaster recovery

  • 10/100MB Ethernet (uplink to WAN equipment), five centralized connections, isolated by access lists (Layer 3)

Table 17-6 summarizes the LAN hardware needed for CME-WEST.

Table 17-6: CME-WEST LAN Hardware

LAN Hardware

Purpose

Description

Cisco Catalyst 6513 System

LAN Core

Cisco 6513 13-slot Chassis, Redundant power supplies, (2) Supervisor 720 with Enhanced Layer 3 IOS software, (6) 48-port 10/100/100 Ethernet modules, (2) 16-Port Gigabit Ethernet (TX) modules, (1) 16-port Gigabit Ethernet (GBIC) module, (10) multimode fiber- optic GBIC modules

CME-CORP LAN Hardware

CME-CORP, as the enterprise core, requires significantly more resources than any other site. Requirements unique to CME-CORP include a redundant core using 1000BaseTX for servers, 1000BaseSX for infrastructure equipment such as distribution switches, and 10/100/1000BaseTX for other peripherals and low-load servers:

  • Gigabit Ethernet (1000BaseTX):

    • Sixty-eight production Citrix server connections (34 per core switch)

    • Eight dual-gigabit Ethernet connections (16 ports, eight ports/four servers per core) for special-purpose production Citrix servers (high-bandwidth applications)

    • Six test/development Citrix server connections (three per core) for application test and development

    • Twenty connections for infrastructure servers (domain controllers, print servers, mainframe, and so on)

    • Ten dual-gigabit Ethernet connections (20 ports, ten ports/five servers per core) for special-purpose high-load servers such as Oracle, Microsoft Exchange, Microsoft SQL, profile/home directory file servers, and backup servers

  • Gigabit Ethernet (1000BaseSX):

    • Twenty connections to campus distribution layer concentration points (two per campus switch, two uplinks to the private WAN, and two uplinks to the VPN WAN/Internet)

  • 10/100/1000BaseTX Ethernet:

    • Up to 48 connections per core switch for low-load servers and peripherals, to include compatibility with 10MB Ethernet devices

  • Private WAN interconnect switch:

    • Four 1000BaseSX connections and two 10/100/1000BaseTX connections

  • VPN WAN/Internet interconnect switch (DMZ distribution switch):

    • Gigabit Ethernet (1000BaseTX): four dedicated connections for firewall interconnects

    • Gigabit Ethernet (1000BaseSX): eight connections for links to the ACCESS DMZ aggregation switch, routers, core switches, and PacketShaper

    • 10/100/1000BaseTX Ethernet: up to 48 connections for a firewall and DMZ servers

    • Intrusion detection module

    • Content services module

  • Campus distribution switches (eight required):

    • Up to 288 10/100/1000 Ethernet connections per chassis for each of eight building concentration points

    • A minimum of four Gigabit fiber-optic uplinks per chassis to build backbone connectivity

  • Wireless LAN access switches for each campus building

Table 17-7 summarizes the primary LAN hardware needed for CME-CORP.

Table 17-7: CME-CORP LAN Hardware

| LAN Hardware                   | Purpose | Quantity | Description |
|--------------------------------|---------|----------|-------------|
| Cisco Catalyst 3550-12G System | OUTSIDE Access Switch, ACCESS DMZ Access Switch, Spare Access Switch | 3 | Cisco 3550-12G, Enhanced Layer 3 IOS, (2) 1000BaseTX ports, (10) Gigabit Interface Converter (GBIC) slots; (3) 1000BaseSX multimode fiber-optic GBIC modules |
| Cisco Catalyst 6506 System     | DMZ Distribution Switch | 1 | Cisco Catalyst 6506 6-slot chassis; redundant power supply; (2) Supervisor 2/MSFC2 with Enhanced Layer 3 IOS; (1) 16-port Gigabit Ethernet (GBIC) module; (1) intrusion detection system (IDS) module; (1) Content Switching Module; (1) 48-port 10/100/1000 (TX) module; (8) 1000BaseSX multimode fiber-optic GBIC modules; (4) 1000BaseTX GBIC modules |
| Cisco Catalyst 6513 System     | LAN Core (A & B) | 2 | Cisco Catalyst 6513 13-slot chassis; redundant power supply; (2) Catalyst Supervisor 720 with Enhanced Layer 3 IOS software, 1GB DRAM, 64MB Flash; (1) 2-port 10GB dCEF720 switching module; (5) 16-port (GBIC) Gigabit Ethernet dCEF256 switching modules; (1) 48-port 10/100/1000 CEF256 Ethernet module; (65) multimode fiber-optic GBIC modules; (2) single-mode fiber-optic GBIC modules |
| Cisco Catalyst 4506 System     | Distribution Switches (Corp-A, Admin-A, Admin-B, Sales-A, Eng-A, Eng-B, Eng-C) | 7 (1 each) | Cisco 4506 6-slot chassis; redundant power supply; (1) Supervisor 4 with Enhanced Layer 3 IOS; (1) 2-GBIC/32-port 10/100 Ethernet module; (4) 48-port 10/100/1000 Ethernet modules; (3) 1000BaseSX GBIC |
| Cisco Catalyst 4506 System     | Distribution Switch (IT-A) | 1 | Cisco 4506 6-slot chassis; redundant power supply; (1) Supervisor 4 with Enhanced Layer 3 IOS; (1) 2-GBIC/32-port 10/100 Ethernet module; (3) 48-port 10/100/1000 Ethernet modules; (4) 1000BaseSX GBIC |
| Cisco Catalyst 3524 System     | Wireless LAN Access Switches | 1 | (5) Cisco 3524XL-EN-PWR, 24-port 10/100 Ethernet with power injection, (6) 1000BaseSX GBIC, (1) 1000BaseTX GBIC |

CME-CORP Wireless LAN Requirements

The CME-CORP Wireless LAN (WLAN) provides coverage for roaming users as well as on-demand coverage for outside events on campus (the "Courtyard"). The initial deployment was based on the 802.11b wireless standard (11 Mbps at 2.4 GHz). The radio equipment has been upgraded to 802.11a/g to provide up to 54 Mbps at 5 GHz and 2.4 GHz respectively. Table 17-8 summarizes the WLAN hardware. A combination of omnidirectional and low-gain directional antennas will be installed (on the basis of a site survey) to assure coverage throughout the campus while minimizing radiation beyond the campus boundaries.

Table 17-8: CME-CORP WLAN Hardware

| LAN Hardware                               | Quantity | Description |
|--------------------------------------------|----------|-------------|
| Cisco Aironet 1200 Wireless Access Point   | 32       | Cisco Aironet 1200-series Wireless Access Point configured for 802.11a/b/g |
| Omni Antenna                               | 20       | Indoor omni antenna, 2.4 GHz |
| Omni Antenna                               | 20       | Indoor omni antenna, 5.8 GHz |
| Directional Antenna                        | 12       | Indoor/outdoor directional diversity patch antenna, 2.4 GHz |
| Directional Antenna                        | 12       | Indoor/outdoor directional patch antenna, 5.8 GHz |

Bandwidth Management Requirements

For most of the private WAN network and segments of the VPN WAN network, CME designers established requirements for advanced bandwidth management, primarily to protect latency-sensitive traffic from bursty, ill-behaved traffic such as NetBIOS over IP, HTTP, and printing. Per-site hardware listed in Table 17-9 is based on the site bandwidth to be "shaped."

Table 17-9: CME Bandwidth Management Hardware

| Hardware                 | Purpose                               | Quantity | Description |
|--------------------------|---------------------------------------|----------|-------------|
| PacketShaper 8500 System | CME Corp Private WAN                  | 1        | PacketShaper 8500 with (1) two-port 1000BaseSX fiber-optic LEM |
| PacketShaper 6500 System | CME Corp Internet                     | 1        | PacketShaper 6500 with (1) two-port 1000BaseSX fiber-optic LEM, licensed for 45MB shaping |
| PacketShaper 6500 System | CME-WEST Private WAN                  | 1        | PacketShaper 6500, licensed for 45MB shaping |
| PacketShaper 2500 System | CME-MEX Private WAN, CME-EUR Internet | 2        | PacketShaper 2500, licensed for 10MB shaping |
| PacketShaper 1550 System | Private WAN Sites                     | 30       | PacketShaper 1550, licensed for 2MB shaping |

Primary Internet Connection (CME-CORP)

CME depends heavily on its Internet upstream to deliver VPN WAN connectivity (IPsec), roaming client access (VPN and Citrix), and extranet access for key suppliers, as well as to allow public access to the CME Web site. Although these are considered the critical requirements, most outbound Internet access is provided through these same connections and competes for throughput. The upstream ISPs cannot guarantee that router-based QoS markings such as IP Precedence or DSCP will be honored, so a PacketShaper is essential.

Private WAN

Bandwidth management of the private WAN encompasses both the CME-CORP side and the remote site side of each virtual connection. The aggregate number of sites to be managed and monitored requires a solution that is both standardized and centrally managed.

Remote Sites

All remote sites funnel through CME-CORP for all services. To ensure traffic is policed to protect Citrix and other critical traffic flows, remote sites will use low-end Packeteer units as part of a distributed bandwidth management solution.

CME-TNG

CME-TNG has far more bandwidth than the assigned staff will need. As this is not a production site, bandwidth management is desirable, not mandatory. Extensive application-level identification and control is not required, so management will be exercised via QoS features on the link routers.

CME-CORP

From the network core looking out to the remote private WAN sites, 31 separate locations must be managed. All have virtually identical parameters. A central unit capable of 30-plus individual partitions is required.

CME-WEST

CME-WEST bandwidth management is participative with the main unit on the CME-CORP private WAN connection. During normal business hours, preferential treatment is given to latency-intolerant traffic (Citrix and H.323 Video Teleconferencing [VTC]). After hours, priority is given to bulk data replication from the network core to ensure data archives at CME-WEST are current enough to reconstitute CME's business. There is no current requirement to manage bandwidth utilization over the Internet connection; however, in the event of a catastrophe at CME-CORP, the CME-WEST Internet pipe would become the lifeline for CME-EUR and CME-WEST sales offices and would require bandwidth management.

CME-MEX and CME-EUR

Bandwidth management for both sites is somewhat limited in scope. The primary concern is to ensure the limited set of authorized outbound Internet users do not degrade performance of traffic destined for the network core via the VPN tunnel. Traffic must be managed behind the firewall.

Network Security Requirements

CME's fundamental security concept is one of layered security and least-privilege. Default security levels have been assigned to ensure all firewalls offer equivalent protection, and a precise written security plan details what traffic may or may not enter (or exit) at any given level of the security model (see Figure 17-1).

With the large number of security devices (firewalls, IDS, VPN concentrator) deployed in the enterprise, a single-source management system was needed to maintain the secure environment, track configuration changes, and monitor and respond to security-related events. CME selected Cisco's CiscoWorks VPN/Security Management Solution (VMS) with additional Cisco Security Agents (CSA) for host-based IDS on exposed servers. Mirror-image systems will be deployed at both locations, with all configuration changes deployed from the CME-CORP management suite. CiscoWorks VMS will manage all security devices, including the embedded IDS module in the DMZ Distribution switch.

Intrusion Detection for the private WAN segment is monitored by a Cisco 4235 IDS Sensor appliance managed by the CiscoWorks VMS suite.

Finally, to ensure security on network devices, authenticate VPN and RAS user identity, and enforce security and authentication on wireless segments, CME will deploy a redundant pair of RADIUS servers using Cisco Secure Access Control Server (CSACS) at CME-CORP, with a tertiary unit at CME-WEST. Table 17-10 identifies the components of the security management solution.

Table 17-10: Security Management Hardware/Software

| Security Software                  | Quantity | Description |
|------------------------------------|----------|-------------|
| CiscoWorks VMS                     | 2        | CiscoWorks VMS (Unrestricted) |
| Cisco Security Agent (Server)      | 1        | 25-Agent Bundle |
| Cisco Secure Access Control Server | 3        | CSACS, primary and redundant for CME Corp, backup for CME-WEST |
| Cisco IDS Sensor                   | 1        | Cisco 4235 IDS Sensor |

Network Infrastructure Management Requirements

Management of the network infrastructure encompasses a primary NMS site at CME-CORP and a secondary, albeit limited, NMS capability at CME-WEST as a backup. For seamless interoperability, CME will use CiscoWorks products, specifically CiscoWorks LAN Management Solution (LMS) for the corporate campus, CiscoWorks Routed WAN Management Solution for maintaining the status and state of the private WAN network, and CiscoWorks Wireless LAN Solution Engine to manage the corporate WLAN segment. To control PacketShaper configurations and monitor the status of enterprise bandwidth, CME will use Packeteer's PolicyCenter and ReportCenter products. The CiscoWorks network management components listed in Table 17-11 share a common interface with the security management products discussed previously.

Table 17-11: Infrastructure Management Hardware/Software

| Management Software    | Quantity | Description |
|------------------------|----------|-------------|
| CiscoWorks LMS         | 1        | LAN Management Solution |
| CiscoWorks RWAN        | 2        | Routed WAN Management |
| CiscoWorks WLSE        | 1        | Wireless LAN Management |
| Packeteer PolicyCenter | 1        | Centralized management of Packeteer devices |
| Packeteer ReportCenter | 1        | Centralized reporting and analysis |

Network Naming, Addressing, and Routing Requirements

Hierarchical network design implies that the network addressing scheme must support the selected routing protocol (classful/classless) and should lead to simpler routing tables. In concert with the addressing, an equally logical naming scheme is required to allow administrators to correlate network node name to function and expected address, and hence geographic location.

The Host Naming Scheme

After extensive discussion and argument, CME elected to use a host naming system that met most of their design requirements: short, self-documenting, and extensible. The most complex issue, how to easily differentiate between the 1841 router in Athens, GR, and the one in Athens, GA, was resolved by basing the site name on the International Air Transport Association (IATA) three-letter code for the major airport. Athens, Greece becomes "HEW" and Athens, Georgia becomes "AHN".

Figure 17-2 shows a partial breakdown of the naming conventions.

Figure 17-2: The CME host naming scheme (partial)

The Addressing Scheme

CME's internal IP addressing scheme uses the ranges specified by RFC 1918, Address Allocation for Private Internets, and was designed to ensure adequate capacity for growth in terms of additional main corporate campus infrastructure and users, expansion of existing primary sites, and addition of more sales offices on demand. More important, the design was intended to be generally hierarchical to allow summarization of routing information at key points such as the DMZ distribution switch and the private WAN distribution router.

The sample of the overall scheme shown in Table 17-12 does not include details on how addresses are assigned within each LAN segment subnet (DHCP ranges versus static address range or standardized ranges for specific equipment within the static range).

Table 17-12: Internal Network Addressing Scheme (Partial)

SUBNET          MASK   USE
10.0.0.0        /8     CME Master RFC 1918 Address Space
10.1.0.0        /16    CME-CORP Address Space
10.1.0.0        /24    CME-CORP Servers Core-A
10.1.1.0        /24    CME-CORP Servers Core-B
10.1.32.0       /24    CME-CORP LAN CORP
10.1.33.0       /24    RESERVED LAN CORP Growth
10.1.34.0       /24    CME-CORP LAN ADM
10.1.35.0       /24    CME-CORP LAN ADM
10.1.36.0       /24    RESERVED LAN ADM Growth
{ ------------------------- Sequence Continues ----------------------- }
10.1.44.0       /24    CME-CORP LAN IT
10.1.45.0       /24    RESERVED LAN IT Growth
10.1.46.0       /24    RESERVED LAN Growth
10.1.47.0       /24    RESERVED LAN Growth
10.2.0.0        /24    CME-CORP Point-to-Point Links
10.2.0.0        /24    Point-to-Point Links to Private WAN
10.2.0.0        /30    ORD-SCO-A to ORD-SDI-I
10.2.0.4        /30    ORD-SCO-B to ORD-SDI-I
10.2.0.8        /29    ORD-SDI-I to ORD-RPVT-A
10.2.0.16       /30    ORD-RPVT-A to ORD-RTNG-A
10.2.0.20       /30    ORD-RPVT-A to Private WAN Sales Site
{ ------------------------- Sequence Continues ----------------------- }
10.2.0.252             ORD-RPVT-A to Private WAN Sales Site
10.2.1.0        /24    Point-to-Point Links to CME-CORP LAN
10.2.1.0        /30    ORD-SCO-A to ORD-SCO-B
10.2.1.4        /30    ORD-SCO-A to ORD-SDMZ-A
10.2.1.8        /30    ORD-SCO-B to ORD-SDMZ-A
10.2.1.12       /30    ORD-SCO-A to Future ORD-SDI-?
{ ------------------------- Sequence Continues ----------------------- }
10.2.1.28       /30
10.2.1.32       /30    ORD-SCO-A to ORD-SDI-A
10.2.1.36              ORD-SCO-A to ORD-SDI-B
10.2.1.40              ORD-SCO-A to ORD-SDI-C
{ ------------------------- Sequence Continues ----------------------- }
10.2.1.62       /30    ORD-SCO-A to ORD-SDI-?
10.2.1.64       /30    ORD-SCO-B to ORD-SDI-A
10.2.1.68       /30    ORD-SCO-B to ORD-SDI-B
10.2.1.72       /30    ORD-SCO-B to ORD-SDI-C
{ ------------------------- Sequence Continues ----------------------- }
10.2.1.92       /30    ORD-SCO-B to ORD-SDI-?
10.101.0.0      /16    CME Private-WAN-Connected Sites LAN
10.101.0.0      /22    CME-WEST LAN
10.101.4.0      /22    Future Primary Site LAN
10.101.8.0      /22    Future Primary Site LAN
10.101.12.0     /22    Future Primary Site LAN
10.101.32.0     /24    ORD-TNG LAN
10.101.33.0     /24    CME Private WAN Sales Office LAN
{ ------------------------- Sequence Continues ----------------------- }
10.101.255.0    /24    CME Private WAN Sales Office LAN
10.201.0.0      /16    CME VPN-WAN-Connected Sites LAN
10.201.0.0      /22    CME-EUR LAN
10.201.4.0      /22    CME-MEX LAN
10.201.8.0      /22    Future Primary Site LAN
10.201.12.0     /22    Future Primary Site LAN
10.201.32.0     /24    CME VPN WAN Sales Office LAN
10.201.33.0     /24    CME VPN WAN Sales Office LAN
{ ------------------------- Sequence Continues ----------------------- }
10.201.255.0    /24    CME VPN WAN Sales Office LAN
10.254.0.0      /16    CME-CORP DMZ Address Space
10.254.0.0      /24    CME-CORP PUBLIC DMZ
10.254.1.0      /22    CME-CORP SECURE PUBLIC DMZ
10.254.4.0      /22    CME-CORP ACCESS DMZ
10.254.4.0      /24    CME-CORP ACCESS-DMZ Interconnect (ICF)
10.254.5.0      /24    CME-CORP ACCESS DMZ CORP WLAN Pool
10.254.6.0      /24    CME-CORP ACCESS DMZ ALT WLAN Pool
10.254.7.0      /24    CME-CORP ACCESS DMZ RAS Pool
10.254.8.0      /23    CME-CORP SECURE ACCESS DMZ
10.254.8.0      /24    CME-CORP SECURE ACCESS DMZ ICF
10.254.9.0      /24    CME-CORP SECURE ACCESS DMZ VPN Pools

Public (Internet routable) IP addresses are from CME's registered block of addresses. For the purposes of the case study, CME owns 20.20.20.0/22 (20.20.20.0 to 20.20.23.254). The range 20.20.20.0/23 (20.20.20.0 to 20.20.21.254) is assigned to CME-CORP and dynamically routed via two different upstream service providers. 20.20.22.0/24 is assigned to CME-WEST for support of the disaster recovery site.
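The summarization that Table 17-12 is built for only works if the plan is internally consistent. The following is an added example, not code from the book: it checks that every row stays inside RFC 1918 space and nests under the single master block, that no prefix is allocated twice, and that the leaves under a block (the ACCESS DMZ, or the point-to-point links behind the private WAN distribution router) collapse to one summary route that stays within the allocation. PLAN is a constructed subset of the table's rows.

```python
"""Consistency checks for a hierarchical RFC 1918 plan such as Table 17-12 (added example)."""
import ipaddress
from collections import Counter

PLAN = [  # (prefix, use) rows transcribed from the partial table
    ("10.0.0.0/8", "CME Master RFC 1918 Address Space"),
    ("10.1.0.0/16", "CME-CORP Address Space"),
    ("10.1.0.0/24", "CME-CORP Servers Core-A"),
    ("10.1.1.0/24", "CME-CORP Servers Core-B"),
    ("10.2.0.0/24", "Point-to-Point Links to Private WAN"),
    ("10.2.0.0/30", "ORD-SCO-A to ORD-SDI-I"),
    ("10.2.0.4/30", "ORD-SCO-B to ORD-SDI-I"),
    ("10.2.0.8/29", "ORD-SDI-I to ORD-RPVT-A"),
    ("10.101.0.0/16", "CME Private-WAN-Connected Sites LAN"),
    ("10.101.0.0/22", "CME-WEST LAN"),
    ("10.254.0.0/16", "CME-CORP DMZ Address Space"),
    ("10.254.4.0/22", "CME-CORP ACCESS DMZ"),
    ("10.254.4.0/24", "CME-CORP ACCESS-DMZ Interconnect (ICF)"),
    ("10.254.5.0/24", "CME-CORP ACCESS DMZ CORP WLAN Pool"),
]

def check_plan(rows):
    """Return a list of problems; an empty list means the plan is consistent."""
    nets = [ipaddress.ip_network(p) for p, _ in rows]
    problems = [f"{n} is not RFC 1918 space" for n in nets if not n.is_private]
    # The same prefix allocated twice is a classic source of routing black holes.
    problems += [f"{n} allocated more than once" for n, c in Counter(nets).items() if c > 1]
    # Every prefix except the master block must nest under some wider row, or it cannot be summarized.
    roots = [n for n in nets if not any(n != o and n.subnet_of(o) for o in nets)]
    if len(roots) != 1:
        problems.append(f"{len(roots)} top-level blocks; expected one master block")
    return problems

def summary_route(prefixes):
    """Smallest single prefix covering every entry in `prefixes` (classless summarization)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until everything fits
    return str(summary)

def summarize_block(block, rows):
    """(leaf count, summary, fits): routes a distribution router would carry for `block`
    without summarization, the one summary replacing them, and whether it stays in the block."""
    site = ipaddress.ip_network(block)
    leaves = [p for p, _ in rows
              if ipaddress.ip_network(p) != site and ipaddress.ip_network(p).subnet_of(site)]
    summary = summary_route(leaves)
    return len(leaves), summary, ipaddress.ip_network(summary).subnet_of(site)
```

Feeding the table's second 10.2.0.0/24 row into check_plan reports the duplicate, which is the kind of inconsistency that should be resolved before the plan is loaded into DHCP scopes and router configurations.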

Routing Protocols and Methods

The complexity of the CME network mandates careful selection of routing protocols. Given that CME's internal and external (Internet) segments will never directly exchange routing information (due to RFC 1918 addressing and security constraints), separate interior gateway protocols (IGPs) and exterior gateway protocols (EGPs) are used.

Interior Networks

Of the three logical choices for a dynamic IGP, Interior Border Gateway Protocol (IBGP) was considered too complex and ill-suited to the large number of small (/24 or smaller) networks. Further, the cost of the resources needed to handle IBGP at private WAN sites was prohibitive, and redistributing IBGP routes into another IGP made little sense. Of the two remaining options, Open Shortest Path First (OSPF) and Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP), EIGRP is better suited to a meshed network (like the CME corporate campus) and was the most appropriate choice, with one exception: the DMZ. CME will use its registered BGP Autonomous System Number (ASN) for its EIGRP implementation, but for the sake of illustration, configurations in the case study use Cisco Systems' registered ASN (109). The exception to EIGRP as the IGP is the DMZ: Internet routers, firewall OUTSIDE interfaces, and VPN concentrators all run an instance of OSPF to meet the requirement that BGP announce only routes learned from an IGP. On the other side of the security boundary, the firewall, the DMZ distribution switch (6509), and the VPN concentrator run a separate instance of OSPF to propagate DMZ routes to the internal network. The DMZ distribution switch redistributes the OSPF routes into the EIGRP process.

Exterior Networks

The registered ASN does dual duty: registration is mandatory for Exterior Border Gateway Protocol (EBGP, the Internet routing protocol) to ensure interoperability with the different upstream ISPs and to allow local copies of the full Internet routing table to be maintained; the same ASN is reused for EIGRP and OSPF, even though the EIGRP ASN is never exposed outside the private network.



Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2004
Pages: 137
