Network Requirements Definition


Defining the exact requirements (in terms of network hardware and network bandwidth) provides the key component of design and implementation. With reference to the CME case study and Figure 10-1, WAN requirements are calculated first; the remaining requirements follow later in the chapter.

WAN Requirements

Based on known values (site role, location, available connectivity, use load, and so on) the CME network designers reviewed existing resources and developed WAN bandwidth and hardware requirements per site.

Current WAN Hardware

The CME infrastructure currently has a wide range of low-end, multivendor devices, many of which are somewhat antiquated. Sites are connected to CME Corp via high-cost, low-bandwidth dedicated frame relay virtual circuits carried on multiple T1 facilities. CME Corp needs to standardize devices and configurations as much as possible to ensure interoperability and simplify network management and configuration control. After analyzing the inventory, designers determined that the resources in Table 17-1 could be reused. The exact sequence of replacement and redeployment must be included on the master project timeline.

Table 17-1: Reusable WAN Hardware

| WAN Hardware | Current Site | Quantity | Projected Status | Future Use |
|---|---|---|---|---|
| Cisco 1760 Router | Atlanta, GA | 1 | Keep | Atlanta, GA |
| Cisco 1760 Router | Detroit, MI | 1 | Keep | Detroit, MI |
| Cisco 1760 Router | Helena, MT | 1 | Keep | Helena, MT |
| Cisco 1760 Router | Miami, FL | 1 | Keep | Miami, FL |
| Cisco 1760 Router | Minneapolis, MN | 1 | Keep | Minneapolis, MN |
| Cisco 1760 Router | New Orleans, LA | 1 | Keep | Salt Lake City, UT |
| Cisco 1760 Router | Salt Lake City, UT | 1 | Keep | Salt Lake City, UT |
| Cisco 1760 Router | San Antonio, TX | 1 | Keep | San Antonio, TX |
| Cisco 1760 Router | Winnipeg, MB | 1 | Keep | Winnipeg, MB |
| Cisco 1760 Router | CME Corp | 2 | Replace | Sales Offices |
| Cisco 1760 Router | CME-WEST | 2 | Replace | Sales Offices |
| Cisco 1760 Router | CME-MEX | 1 | Replace | Sales Offices |
| Cisco 1760 Router | CME-TNG | 1 | Keep | CME-TNG |
| Cisco PIX-515E w/FO | CME Corp | 1 | Replace | CME-WEST |
| Cisco PIX-515E | CME-WEST | 1 | Replace | CME-MEX |
| Cisco PIX-515E | CME-EUR | 1 | Keep | CME-EUR |
| Cisco PIX-506E | CME-TNG | 1 | Delete | Sales Offices |
| Cisco PIX-506E | CME-MEX | 1 | Replace | Sales Offices |

WAN Bandwidth

The bandwidth requirements fall into two basic types of service: dedicated private WAN and Internet-based VPN WAN. The three main sites have significantly different bandwidth needs than the typical Sales Office site. CME Corp must be able to handle the aggregate bandwidth of all remote sites, as it hosts the enterprise core. CME-WEST needs high bandwidth to CME Corp to support replication of data and services in support of disaster recovery, as well as a reasonably robust Internet presence to allow CME-WEST to assume the role of the corporate server farm in the event of a catastrophic failure. Table 17-2 details engineering calculations for WAN bandwidth.

Table 17-2: WAN Bandwidth Calculation Worksheet


Required bandwidth for the CME Corp Private WAN reflects aggregated bandwidth equal to all site virtual circuits plus additional overhead. The 35MB "provisioned" capacity will in fact require ATM DS3 service.

Required bandwidth for the CME Corp Internet reflects aggregated bandwidth equal to all inbound and outbound Internet traffic for all sites, including VPN-connected sites based on their maximum provisioned data rate, as well as Mobile VPN, Mobile Citrix, and Supplier MSAM bandwidth projections. The 25MB "provisioned" capacity will in fact require dual ATM DS3 service, with each DS3 pipe carrying a 15MB virtual circuit.

CME-WEST requirements are somewhat deceptive. Both Internet and Private WAN access are provided over ATM DS3 facilities. The WAN bandwidth is increased (well above the level justified by user access) to support ongoing off-hours data replication to CME-WEST as the "hot site." Additionally, by providing service over DS3 facilities, the Sales Office site virtual circuits could be reterminated in the event of a catastrophic failure at CME Corp. Internet bandwidth is similar: the day-to-day requirement is a mere 1.5MB, but the DS3 ATM service allows the virtual circuit to change to 15MB or more to reterminate site-to-site VPNs in a disaster scenario.

For both CME-EUR and CME-MEX, bandwidth is based on availability of ATM service. Both will be sites within the Windows Server 2003 Active Directory Domain, and printing will be via network printers through the VPN (outside the Citrix ICA channel) to allow bandwidth management of VPN traffic by the Packeteer. CME-MEX bandwidth appears artificially low based on the number of users at the site, but the majority of the users are Plant Floor production workers with only occasional access to Citrix or the CME Corp services.

North American (CORP) Sales Offices will be provisioned as "interworked" circuits, reencapsulated from frame relay (site end) to ATM (CORP end).

Several peripheral bandwidth calculations are included: MSAM Access bandwidth is not "supplied" by CME, but as the remote activities terminate at CME Corp, it is included in the overall load. Dial-up RAS does not impact the raw bandwidth, but must be included in specifying the CME Corp security hardware. CME Corp will reuse their existing RAS hardware.

WAN Hardware

Basic WAN hardware suites are consistent across similar sites to ease configuration management and allow for easier network management. Again, CME Corp and CME-WEST are unique, based on their enterprise roles. As a significant segment of the corporate WAN is VPN-based, VPN termination hardware (firewalls for site-to-site connections and a VPN concentrator for client-to-site connections) is included. Table 17-3 lists the hardware the designers have selected.

Table 17-3: WAN and Security Hardware

| Purpose | Quantity | Description |
|---|---|---|
| Private WAN router | 1 | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS IP/FW/IDS/IPSEC56 |
| Internet router | 2 | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS IP/FW/IDS/IPSEC56 |
| Firewall/VPN | 1 | Cisco 535-UR and 535-FO (failover), (2) 66MHz GE Interfaces, (2) 66MHz 4-Port FE interfaces, 3DES License, (2) VPN Accelerator+ |
| VPN concentrator (clients) | 2 | Cisco VPN 3030, redundant power supplies |
| Private WAN router | 1 | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS IP/FW/IDS/IPSEC56 |
| Internet router | 1 | Cisco 7401ASR, 128MB Flash, 512MB DRAM, (2) FE/GE ports, T3-ATM Port Adapter, IOS IP/FW/IDS/IPSEC56 |
| Firewall/VPN | 1 | Cisco 515E redundant (failover) w/IPSEC 3DES, PIX-4FE Interface for DMZ support |
| Internet router | 1 | As determined by host nation and ISP; use Cisco 3725, 32MB Flash, 128MB DRAM, IOS IP/FW/IDS Plus IPSec 3DES |
| Firewall/VPN | | Cisco 515E redundant (failover) w/IPSEC 3DES |
| Internet router | 1 | As determined by host nation and ISP; use Cisco 3725, 32MB Flash, 128MB DRAM, IOS IP/FW/IDS Plus IPSec 3DES |
| Firewall/VPN | 1 | Cisco 515E redundant (failover) w/IPSec 3DES |
| Private WAN router | 30 | Cisco 1760, 32MB Flash, 64MB DRAM, (1) FE Port, T1 CSU/DSU, IOS IP Plus Software |
| Internet router | 10 | As determined by host nation and ISP; use CME-owned 1760 with appropriate interface cards where possible |
| Firewall/VPN | 10 | PIX-506E w/IPSEC 3DES |
| Internet router | 10 | As determined by host nation and ISP; use CME-owned 1760 with appropriate interface cards where possible |
| Firewall/VPN | 10 | PIX-506E w/IPSec 3DES |
| Private WAN router | 1 | Cisco 1760, 32MB Flash, 64MB DRAM, (1) FE Port, ADSL Interface, IOS IP Plus Software |

The "standard" high-capacity WAN router has more than adequate horsepower for CME's WAN connections and can easily be seen as "overkill" for CME-WEST. Aside from the obvious answer, that CME-WEST may need to assume CME Corp's role, standardizing on the same model for all high-bandwidth sites ensures the redundant Internet router at CME Corp can restore service for any other router without loss of service. It is effectively a global spare that is in service to support load balancing and redundancy for CME Corp's Internet connectivity.

The redundant (failover) firewall with gigabit interfaces ensures low-latency throughput between the Internet router and the corporate LAN.

Although traffic load for the client access VPN is not high, redundancy is still required. As an additional benefit, the VPN Concentrator can support site-to-site tunnels with multiple authentication methods.

Primary (Internet) routers for sites outside the U.S. and Canada remain "to be determined." Hardware installed outside the U.S. usually requires both host nation approval (HNA) and acceptance by the servicing ISP. In many countries, the PSTN is a pseudo-governmental entity and protects itself from competition by restricting the hardware that can be connected. In cases where the host nation and the ISP are amenable, CME-owned routers (Cisco 3725 or Cisco 1760) would be used.

LAN Requirements

Per-site LAN requirements are based on metrics similar to the WAN calculations. The primary factor is obviously the number of hosts (Ethernet devices) at a given site, and assumes 10/100MB switched Fast Ethernet connectivity unless higher throughput (Fast Ethernet port aggregation via Fast EtherChannel (FEC), Gigabit Ethernet, or Gigabit Ethernet port aggregation via Gigabit EtherChannel (GEC)) is required. All Sales Offices and CME-TNG will use identical hardware. Regional offices and the manufacturing plant (CME-WEST, CME-EUR, and CME-MEX) are similar but with more capacity at CME-WEST to support data center reconstitution. CME Corp is designed as a highly robust fault-tolerant infrastructure. At the four primary sites, server requirements (network cards) are identified to help calculate the number of FEC, Gigabit, and GEC ports needed.

Current LAN Hardware

The current LAN infrastructure at the four primary sites uses some Ethernet switch hardware compatible with CME's overall goals, but switches are primarily stackable units that will be replaced by faster enterprise-class, chassis-based hardware. The remaining primary site LAN hardware and all Sales Office hardware is a hodgepodge of non-manageable consumer-class devices (hubs and switches) unsuitable for CME's enterprise services. Table 17-4 lists the inventory available for reallocation.

Table 17-4: Reusable LAN Hardware

| LAN Hardware | Current Site | Quantity | Projected Status | Future Use |
|---|---|---|---|---|
| Cisco Catalyst 3548XL-EN | CME Corp | 21 | Replace | Sales Offices (21) |
| Cisco Catalyst 3548XL-EN | CME-WEST | 1 | Replace | Sales Offices (1) |
| Cisco Catalyst 3548XL-EN | CME-EUR | 1 | Replace | Sales Offices (1) |
| Cisco Catalyst 3548XL-EN | CME-MEX | 0 | n/a | |
| Cisco Catalyst 2950G-24-EI | CME Corp | 5 | Replace | Sales Offices (5) |
| Cisco Catalyst 2950G-24-EI | CME-WEST | 0 | n/a | |
| Cisco Catalyst 2950G-24-EI | CME-EUR | 0 | n/a | |
| Cisco Catalyst 2950G-24-EI | CME-MEX | 3 | Replace | Sales Offices (2), CME-EUR (1) |
| Cisco Catalyst 3550-48-SMI | CME Corp | 12 | Replace | CME-MEX (5), Sales Offices (7) |
| Cisco Catalyst 3550-48-SMI | CME-WEST | 1 | Keep | |
| Cisco Catalyst 3550-48-SMI | CME-EUR | 1 | Replace | Sales Offices (1) |
| Cisco Catalyst 3550-48-SMI | CME-MEX | 2 | Keep | |
| Cisco Catalyst 3508XL-EN | CME Corp | 1 | Replace | CME-MEX (1) |
| Cisco Catalyst 3508XL-EN | | 2 | Keep | Spare (2) |

By reallocating the switches from the main site, CME has adequate hardware to deploy manageable switches to 38 of the 50 Sales Offices, and can provide a 3508 switch as a wiring closet aggregation point and five 48-port switches for the manufacturing plant floor at CME-MEX.

Sales Office LAN Hardware

Sales Offices share a common set of attributes: fewer than 48 users; no requirement for Gigabit Ethernet, FEC, or GEC; and a single LAN segment with no need for Layer 3 switching. Based on equipment made available by upgrading the four primary sites, CME has 75 percent of the hardware necessary for upgrading the Sales Offices on hand. LAN requirements at CME-TNG are similar to those of a typical Sales Office. CME has decided to stay with similar hardware for the remaining needs: 14 new Catalyst 2950G-24-EI switches (12 for Sales Offices, one for CME-TNG, one spare).

CME-MEX LAN Hardware

CME-MEX is the first "enterprise" LAN that requires a Layer 3 switching solution. The majority of the 300 users are associated with the manufacturing floor and need only occasional LAN (or Citrix) access; hence the reallocation of switches from CME Corp meets the requirements. Host connectivity requirements are

  • 10/100MB Ethernet (Plant Floor), 210 distributed connections, isolated from the administrative/server LAN segment by access lists (Layer 3)

  • 10/100MB Ethernet (Administrative/Servers), 135 centralized connections, isolated from the Plant Floor LAN segment by access lists (Layer 3)

  • 10/100MB Ethernet (Uplink to WAN equipment), five centralized connections, isolated by access lists (Layer 3)

  • Gigabit Ethernet (Downlink to 3508XL-EN switch), one connection

Table 17-5 summarizes the additional LAN hardware needed for CME-MEX.

Table 17-5: CME-MEX LAN Hardware

| LAN Hardware | Purpose | Description |
|---|---|---|
| Cisco Catalyst 4507 System | LAN Core | Cisco 4507 7-slot Chassis, redundant power supplies, (2) Catalyst Supervisor 4 with Enhanced Layer 3 IOS software, (3) 48-port 10/100/1000 Ethernet modules |
| Cisco Catalyst 3508 System | Distribution | Cisco 3508-XL-EN Chassis (excess from CME Corp), (1) 1000BaseTX GBIC, (5) 1000BaseSX GBIC |
| Cisco Catalyst 3550 System | Plant Access | (5) Cisco 3550-48-SMI Chassis (excess from CME Corp), (5) 1000BaseSX GBIC |

CME-EUR LAN Hardware

CME-EUR is similar to CME-MEX in scope, but does not currently require a Layer 3 switching solution. To maintain consistency of hardware and position CME-EUR for future Layer 3 initiatives, the site will be built as Layer 3 from the beginning. The 200 users are associated with management and administration of the European Region sales force, as well as limited engineering functions. Host connectivity requirements are

  • 10/100MB Ethernet (Administrative/Servers), 212 centralized connections, isolated by access lists (Layer 3)

  • 10/100MB Ethernet (Uplink to WAN equipment), five centralized connections, isolated by access lists (Layer 3)

Table 17-6 summarizes the LAN hardware needed for CME-EUR.

Table 17-6: CME-EUR LAN Hardware

| LAN Hardware | Purpose | Description |
|---|---|---|
| Cisco Catalyst 4507 System | LAN Core | Cisco 4507 7-slot Chassis, redundant power supplies, (2) Supervisor 4 with Enhanced Layer 3 IOS software, (5) 48-port 10/100/1000 Ethernet modules |

CME-WEST LAN Hardware

The CME-WEST LAN is similar to CME-EUR in its day-to-day role, but the site's scope as the CME Disaster Recovery "Hot Site" requires basic additional capacity, as well as the ability to incrementally expand services. The 200 users are associated with management and administration of the West Region sales force and have limited engineering functions. Host connectivity requirements are

  • 10/100MB Ethernet (Administrative), 217 centralized connections, isolated by access lists (Layer 3)

  • 10/100 Ethernet (Servers), four centralized connections, isolated by access lists (Layer 3) (for site support servers (domain controller, DNS, and so on))

  • Gigabit Ethernet (Servers), 16 centralized connections, isolated by access lists (Layer 3) (for stand-by servers in the Citrix farm, domain controllers, and data storage and archive subsystems needed to reconstitute CME Corp servers)

  • Gigabit Ethernet (Disaster Recovery)

    • Ten centralized connections for stackable switches during disaster recovery

    • Sixteen centralized connections for reconstituted servers during disaster recovery

  • 10/100 Ethernet (Disaster Recovery), 24 centralized connections for reconstituted servers and peripherals during disaster recovery

  • 10/100MB Ethernet (Uplink to WAN equipment), five centralized connections, isolated by access lists (Layer 3)

Table 17-7 summarizes the LAN hardware needed for CME-WEST.

Table 17-7: CME-WEST LAN Hardware

| LAN Hardware | Purpose | Description |
|---|---|---|
| Cisco Catalyst 6513 System | LAN Core | Cisco 6513 13-slot Chassis, redundant power supplies, (2) Supervisor 720 with Enhanced Layer 3 IOS software, (6) 48-port 10/100/1000 Ethernet modules, (2) 16-Port Gigabit Ethernet (TX) modules, (1) 16-port Gigabit Ethernet (GBIC) module, (10) multimode fiber-optic GBIC modules |

CME Corp LAN Hardware

CME Corp, as the Enterprise core, requires significantly more resources than any other site. Requirements unique to CME Corp include the following.

Redundant Core using 1000BaseTX for servers, 1000BaseSX for infrastructure equipment such as distribution switches, and 10/100/1000BaseTX for other peripherals and low-load servers:

  • Gigabit Ethernet (1000BaseTX)

    • Sixty-eight production Citrix MetaFrame server connections (34 per core switch)

    • Eight dual-gigabit Ethernet connections (16 ports, eight ports/four servers per core) for special purpose production Citrix MetaFrame servers (high-bandwidth applications)

    • Six test/development Citrix MetaFrame server connections (three per core) for application test and development

    • Twenty connections for infrastructure servers (domain controllers, print servers, mainframe, and so on)

    • Ten dual-gigabit Ethernet connections (20 ports, ten ports/five servers per core) for special purpose high-load servers like Oracle, Microsoft Exchange, Microsoft SQL, profile/home directory file servers, and backup servers

  • Gigabit Ethernet (1000BaseSX)

    • Twenty connections to Campus distribution layer concentration points (two per campus switch, two uplinks to the private WAN, and two uplinks to the VPN WAN/Internet)

  • 10/100/1000BaseTX Ethernet

    • Up to 48 connections per core switch for load servers and peripherals, to include compatibility with 10MB Ethernet devices

Private WAN Interconnect Switch:

  • Four 1000BaseSX connections and two 10/100/1000BaseTX connections.

VPN WAN/Internet Interconnect Switch (DMZ Distribution Switch):

  • Gigabit Ethernet (1000BaseTX)

    • Four dedicated connections for firewall interconnects

  • Gigabit Ethernet (1000BaseSX)

    • Eight connections for links to the ACCESS DMZ aggregation switch, routers, Core switches, and PacketShaper

  • 10/100/1000BaseTX Ethernet

    • Up to 48 connections for a firewall and DMZ servers

  • Intrusion Detection Module

  • Content Services Module

Campus Distribution Switches (eight required):

  • Up to 288 10/100/1000 Ethernet connections per chassis for each of eight building concentration points

  • A minimum of four gigabit fiber-optic uplinks per chassis to build backbone connectivity

Wireless LAN access switches for each campus building. Table 17-8 summarizes the CME Corp LAN hardware.

Table 17-8: CME Corp LAN Hardware

| LAN Hardware | Purpose | Quantity | Description |
|---|---|---|---|
| Cisco Catalyst 3550-12G System | OUTSIDE Access Switch, ACCESS DMZ Access Switch, Spare Access Switch | 3 | Cisco 3550-12G, Enhanced Layer 3 IOS, (2) 1000BaseTX ports, (10) Gigabit Interface Converter (GBIC) slots; (3) 1000BaseSX Multimode fiber-optic GBIC modules |
| Cisco Catalyst 6506 System | DMZ Distribution Switch | 1 | Cisco Catalyst 6506 6-Slot Chassis; redundant power supply; (2) Supervisor2/MSFC2 with Enhanced Layer 3 IOS; (1) 16-Port Gigabit Ethernet (GBIC) module; (1) intrusion detection system (IDS) module; (1) Content Switching Module; (1) 48-Port 10/100/1000 (TX) Module; (8) 1000BaseSX Multimode fiber-optic GBIC modules, (4) 1000BaseTX GBIC modules |
| Cisco Catalyst 6513 System | LAN Core (A & B) | 2 | Cisco Catalyst 6513 13-slot Chassis; Redundant Power Supply; (2) Catalyst Supervisor 720 with Enhanced Layer 3 IOS software, 1GB DRAM, 64MB Flash; (1) 2-port 10GB dCEF720 Switching module; (5) 16-port (GBIC) Gigabit Ethernet dCEF256 Switching modules; (1) 48-port 10/100/1000 CEF256 Ethernet module; (1) (65) multimode fiber-optic GBIC modules; (2) single-mode fiber-optic modules |
| Cisco Catalyst 4506 System | Distribution Switch (Corp-A), Distribution Switch (Admin-A), Distribution Switch (Admin-B), Distribution Switch (Sales-A), Distribution Switch (Eng-A), Distribution Switch (Eng-B), Distribution Switch (Eng-C) | 1 | Cisco 4506 6-Slot Chassis; redundant power supply; (1) Supervisor 4 with Enhanced Layer 3 IOS; (1) 2-GBIC/32-port 10/100 Ethernet module; (4) 48-port 10/100/1000 Ethernet module; (3) 1000BaseSX GBIC |
| Cisco Catalyst 4506 System | Distribution Switch (IT-A) | 1 | Cisco 4506 6-Slot Chassis; redundant power supply; (1) Supervisor 4 with Enhanced Layer 3 IOS; (1) 2-GBIC/32-port 10/100 Ethernet module; (3) 48-port 10/100/1000 Ethernet module; (4) 1000BaseSX GBIC |
| Cisco Catalyst 3524 System | Wireless LAN Access Switches | 1 | (5) Cisco 3524XL-EN-PWR, 24-port 10/100 Ethernet with power injection, (6) 1000BaseSX GBIC, (1) 1000BaseTX GBIC |

CME Corp Wireless LAN Requirements

The CME Corp Wireless LAN (WLAN) provides coverage for roaming users as well as on-demand coverage for outside events on campus (the "Courtyard"). The initial deployment will be based on the 802.11b wireless standard (11 Mbps at 2.4 GHz). The radio equipment can be upgraded to the 802.11a standard to provide up to 54 Mbps access at 5 GHz. Table 17-9 summarizes the WLAN hardware. A combination of omni-directional and low-gain directional antennas will be installed (based on a site survey) to assure coverage throughout the campus while minimizing radiation beyond the campus boundaries.

Table 17-9: CME Corp WLAN Hardware

| LAN Hardware | Quantity | Description |
|---|---|---|
| Cisco Aironet 1200 Wireless Access Point | 32 | Cisco Aironet 1200-series Wireless Access Point configured for 802.11b |
| Omni Antenna | 20 | Indoor Omni antenna |
| Directional Antenna | 12 | Indoor/Outdoor Directional Diversity Patch antenna |

Bandwidth Management Requirements

For most of the Private WAN network and segments of the VPN WAN network, CME designers established requirements for advanced bandwidth management, primarily to protect latency-sensitive traffic from bursty, ill-behaved traffic such as NetBIOS over IP, HTTP, and printing. The per-site hardware listed in Table 17-10 is based on the site bandwidth to be "shaped."

Table 17-10: CME Bandwidth Management Hardware

| LAN Hardware | Purpose | Quantity | Description |
|---|---|---|---|
| PacketShaper 8500 System | CME Corp Private WAN | 1 | PacketShaper 8500 with (1) two-port 1000BaseSX fiber-optic LAN Expansion Module (LEM) |
| PacketShaper 6500 System | CME Corp Internet | 1 | PacketShaper 6500 with (1) two-port 1000BaseSX fiber-optic LEM, licensed for 45MB shaping |
| PacketShaper 6500 System | CME-WEST Private WAN | 1 | PacketShaper 6500, licensed for 45MB shaping |
| PacketShaper 2500 System | CME-MEX Private WAN, CME-EUR Internet | 2 | PacketShaper 2500, licensed for 10MB shaping |
| PacketShaper 1550 System | Private WAN Sites | 30 | PacketShaper 1550, licensed for 2MB shaping |

Primary Internet Connection (CME Corp)

CME depends heavily on its Internet upstream to deliver VPN WAN connectivity (IPSec), Roaming Client Access (VPN and Citrix), MSAM Access for key suppliers, and to allow public access to the CME web site. Although these are considered the critical requirements, the majority of all outbound Internet access is provided through these same connections and competes for throughput. The upstream ISPs cannot guarantee that router-based QoS values such as IP Precedence or DSCP will be honored, so a Packeteer is essential.

Private WAN

Bandwidth management of the Private WAN encompasses both the CME Corp side and the remote site side of each virtual connection. The aggregate number of sites to be managed and monitored requires a solution that is both standardized and centrally managed.

Remote Sites

All remote sites funnel through CME Corp for all services. To ensure traffic is policed to protect Citrix and other critical traffic flows, remote sites will use low-end Packeteer units as part of a distributed bandwidth management solution.

CME-TNG

CME-TNG has far more bandwidth than the assigned staff will need. As this is not a production site, bandwidth management is desirable, not mandatory. Extensive application-level identification and control is not required, so management will be exercised via QoS features on the link routers.

CME Corp

From the network core looking out to the remote Private WAN sites, 31 separate locations must be managed. All have virtually identical parameters. A central unit capable of 30-plus individual partitions is required.

CME-WEST

CME-WEST bandwidth management is participative with the main unit on the CME Corp Private WAN connection. During normal business hours, preferential treatment is given to latency-intolerant traffic (Citrix and H.323 Video Teleconferencing (VTC)). After hours, priority is given to bulk data replication from the network core to ensure data archives at CME-WEST are current enough to reconstitute CME's business. There is no current requirement to manage bandwidth utilization over the Internet connection; however, in the event of a catastrophe at CME Corp, the CME-WEST Internet pipe would become the lifeline for CME-EUR and CME-WEST Sales Offices and would require bandwidth management.

CME-MEX and CME-EUR

Bandwidth management for both sites is somewhat limited in scope. The primary concern is to ensure the limited set of authorized outbound Internet users do not degrade performance of traffic destined for the network core via the VPN tunnel. Traffic must be managed behind the firewall.

Network Security Requirements

Security Concepts

CME's fundamental security concept is one of layered security and least-privilege. Default security levels have been assigned to ensure all firewalls offer equivalent protection, and a precise written security plan details what traffic may or may not enter (or exit) at any given level of the security model. (See Figure 17-1.)

Figure 17-1: The layered security hierarchy

With the large number of security devices (firewalls, IDS, VPN Concentrator) deployed in the Enterprise, a single source management system was needed to maintain the secure environment, track configuration changes, and monitor and respond to security-related events. CME selected Cisco's CiscoWorks VPN/Security Management Solution (VMS) with additional Cisco Security Agents (CSA) for host-based IDS on exposed servers. Mirror image systems will be deployed at both locations with all configuration changes deployed from the CME Corp management suite. CiscoWorks VMS will manage all security devices, including the embedded IDS module in the DMZ Distribution switch.

Intrusion Detection for the Private WAN segment is monitored by a Cisco 4235 IDS Sensor appliance managed by the CiscoWorks VMS suite.

Finally, to ensure security on network devices, authenticate VPN and RAS user identity, and enforce security and authentication on wireless segments, CME will deploy a redundant pair of RADIUS servers using Cisco Secure Access Control Server (CSACS) at CME Corp, with a tertiary unit at CME-WEST. Table 17-11 identifies the components of the security management solution.

Table 17-11: Security Management Hardware/Software

| Security Software | Quantity | Description |
|---|---|---|
| CiscoWorks VMS | 2 | CiscoWorks VMS (Unrestricted) |
| Cisco Security Agent (Server) | 1 | 25-Agent Bundle |
| Cisco Secure Access Control Server | 3 | CSACS, primary and redundant for CME Corp, backup for CME-WEST |
| Cisco IDS Sensor | 1 | Cisco 4235 IDS Sensor |

Network Infrastructure Management Requirements

Management of the network infrastructure encompasses a primary NMS site at CME Corp and a secondary, albeit limited, NMS capability at CME-WEST as a backup. For seamless interoperability, CME will use CiscoWorks products, specifically CiscoWorks LAN Management Solution (LMS) for the corporate campus, CiscoWorks Routed WAN Management Solution for maintaining the status and state of the Private WAN network, and CiscoWorks Wireless LAN Solutions Engine to manage the corporate WLAN segment. To control PacketShaper configurations and monitor the status of enterprise bandwidth, CME will use Packeteer's PolicyCenter and ReportCenter products. The CiscoWorks network management solution components listed in Table 17-12 share a common interface with the security management products discussed previously.

Table 17-12: Infrastructure Management Hardware/Software

| Management Software | Quantity | Description |
|---|---|---|
| CiscoWorks LMS | 1 | LAN Management Solution |
| CiscoWorks RWAN | 2 | Routed WAN Management |
| CiscoWorks WLSE | 1 | Wireless LAN Management |
| Packeteer PolicyCenter | 1 | Centralized management of Packeteer devices |
| Packeteer ReportCenter | 1 | Centralized reporting and analysis |

Network Naming, Addressing, and Routing Requirements

The Host Naming Scheme

After extensive discussions and arguments, CME elected to use a host naming system that met most of their design requirements: short, self-documenting, and extensible. The most complex issue, how to easily differentiate between the 1760 router in Athens, GR, and the one in Athens, GA, was resolved by basing the site name on the International Air Transport Association (IATA) three-letter code for the major airport. Greece becomes "HEW," and Georgia becomes "AHN."

Figure 17-2 shows a partial breakdown of the naming conventions.

Figure 17-2: The CME host naming scheme (partial)

The Addressing Scheme

CME's Internal IP addressing scheme uses the ranges specified by RFC 1918, Address Allocation for Private Internets, and was designed to ensure adequate capacity for growth in terms of additional main corporate campus infrastructure and users, expansion of existing primary sites, and addition of more sales offices on demand. More importantly, the design was intended to be generally hierarchical to allow summarization of routing information at key points such as the DMZ distribution switch and the Private WAN distribution router.

The sample of the overall scheme shown in Table 17-13 does not include details on how addresses are assigned within each LAN segment subnet (DHCP ranges versus static address range or standardized ranges for specific equipment within the static range).

Table 17-13: Internal Network Addressing Scheme (Partial)

| SUBNET | MASK | USE |
|---|---|---|
| 10.0.0.0 | /8 | CME Master RFC 1918 Address Space |
| 10.1.0.0 | /16 | CME-CORP Address Space |
| 10.1.0.0 | /24 | CME-CORP Servers Core-A |
| 10.1.1.0 | /24 | CME-CORP Servers Core-B |
| 10.1.32.0 | /24 | CME-CORP LAN CORP |
| 10.1.33.0 | /24 | RESERVED LAN CORP Growth |
| 10.1.34.0 | /24 | CME-CORP LAN ADM |
| 10.1.35.0 | /24 | CME-CORP LAN ADM |
| 10.1.36.0 | /24 | RESERVED LAN ADM Growth |
| (sequence continues) | | |
| 10.1.44.0 | /24 | CME-CORP LAN IT |
| 10.1.45.0 | /24 | RESERVED LAN IT Growth |
| 10.1.46.0 | /24 | RESERVED LAN Growth |
| 10.1.47.0 | /24 | RESERVED LAN Growth |
| 10.2.0.0 | /24 | CME-CORP Point-to-Point Links |
| 10.2.0.0 | /24 | Point-to-Point Links to Private WAN |
| 10.2.0.0 | /30 | ORD-SCO-A to ORD-SDI-I |
| 10.2.0.4 | /30 | ORD-SCO-B to ORD-SDI-I |
| 10.2.0.8 | /29 | ORD-SDI-I to ORD-RPVT-A |
| 10.2.0.16 | /30 | ORD-RPVT-A to ORD-RTNG-A |
| 10.2.0.20 | /30 | ORD-RPVT-A to Private WAN Sales Site |
| (sequence continues) | | |
| 10.2.0.252 | | ORD-RPVT-A to Private WAN Sales Site |
| 10.2.1.0 | /24 | Point-to-Point Links to CME-CORP LAN |
| 10.2.1.0 | /30 | ORD-SCO-A to ORD-SCO-B |
| 10.2.1.4 | /30 | ORD-SCO-A to ORD-SDMZ-A |
| 10.2.1.8 | /30 | ORD-SCO-B to ORD-SDMZ-A |
| 10.2.1.12 | /30 | ORD-SCO-A to Future ORD-SDI-? |
| (sequence continues) | | |
| 10.2.1.28 | /30 | |
| 10.2.1.32 | /30 | ORD-SCO-A to ORD-SDI-A |
| 10.2.1.36 | | ORD-SCO-A to ORD-SDI-B |
| 10.2.1.40 | | ORD-SCO-A to ORD-SDI-C |
| (sequence continues) | | |
| 10.2.1.62 | /30 | ORD-SCO-A to ORD-SDI-? |
| 10.2.1.64 | /30 | ORD-SCO-B to ORD-SDI-A |
| 10.2.1.68 | /30 | ORD-SCO-B to ORD-SDI-B |
| 10.2.1.72 | /30 | ORD-SCO-B to ORD-SDI-C |
| (sequence continues) | | |
| 10.2.1.92 | /30 | ORD-SCO-B to ORD-SDI-? |
| 10.101.0.0 | /16 | CME Private-WAN-Connected Sites LAN |
| 10.101.0.0 | /22 | CME-WEST LAN |
| 10.101.4.0 | /22 | Future Primary Site LAN |
| 10.101.8.0 | /22 | Future Primary Site LAN |
| 10.101.12.0 | /22 | Future Primary Site LAN |
| 10.101.32.0 | /24 | ORD-TNG LAN |
| 10.101.33.0 | /24 | CME Private WAN Sales Office LAN |
| (sequence continues) | | |
| 10.101.255.0 | /24 | CME Private WAN Sales Office LAN |
| 10.201.0.0 | /16 | CME VPN-WAN-Connected Sites LAN |
| 10.201.0.0 | /22 | CME-EUR LAN |
| 10.201.4.0 | /22 | CME-MEX LAN |
| 10.201.8.0 | /22 | Future Primary Site LAN |
| 10.201.12.0 | /22 | Future Primary Site LAN |
| 10.201.32.0 | /24 | CME VPN WAN Sales Office LAN |
| 10.201.33.0 | /24 | CME VPN WAN Sales Office LAN |
| (sequence continues) | | |
| 10.201.255.0 | /24 | CME VPN WAN Sales Office LAN |
| 10.254.0.0 | /16 | CME-CORP DMZ Address Space |
| 10.254.0.0 | /24 | CME-CORP PUBLIC DMZ |
| 10.254.1.0 | /22 | CME-CORP SECURE PUBLIC DMZ |
| 10.254.4.0 | /22 | CME-CORP ACCESS DMZ |
| 10.254.4.0 | /24 | CME-CORP ACCESS-DMZ Interconnect (ICF) |
| 10.254.5.0 | /24 | CME-CORP ACCESS DMZ CORP WLAN Pool |
| 10.254.6.0 | /24 | CME-CORP ACCESS DMZ ALT WLAN Pool |
| 10.254.7.0 | /24 | CME-CORP ACCESS DMZ RAS Pool |
| 10.254.8.0 | /23 | CME-CORP SECURE ACCESS DMZ |
| 10.254.8.0 | /24 | CME-CORP SECURE ACCESS DMZ ICF |
| 10.254.9.0 | /24 | CME-CORP SECURE ACCESS DMZ VPN Pools |

Public (Internet routable) IP addresses are from CME's registered block of addresses. For the purposes of the case study, CME owns 20.20.20.0/22 (20.20.20.0 to 20.20.23.254). The range 20.20.20.0/23 (20.20.20.0 to 20.20.21.254) is assigned to CME Corp, and dynamically routed via two different upstream service providers. 20.20.22.0/24 is assigned to CME-WEST for support of the disaster recovery site.
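As an added example (not code from the book), the following Python runs the consistency checks a designer would apply to a plan like Table 17-13 before relying on route summarization at the DMZ distribution switch and the Private WAN router: prefix-to-mask alignment, the enclosing parent of each block, blocks printed twice with different uses (the table lists 10.2.0.0/24 twice), and the collapsed summary of the specifics under each aggregate. The rows in PLAN are a constructed subset copied from the table as printed; the function names are assumptions of this example.

```python
"""Sanity checks for a hierarchical RFC 1918 address plan like Table 17-13.

Added example, not from the book: loads a constructed subset of the table,
flags blocks whose address is not aligned to their mask, finds each block's
enclosing parent, reports blocks listed twice with different uses, and
collapses the specifics under a summarization point into the fewest prefixes.
"""
from collections import defaultdict
from ipaddress import IPv4Network, collapse_addresses, ip_network

# Constructed subset of Table 17-13 as printed: (address, prefix length, use).
PLAN = [
    ("10.0.0.0", 8, "CME Master RFC 1918 Address Space"),
    ("10.1.0.0", 16, "CME-CORP Address Space"),
    ("10.1.0.0", 24, "CME-CORP Servers Core-A"),
    ("10.1.1.0", 24, "CME-CORP Servers Core-B"),
    ("10.1.32.0", 24, "CME-CORP LAN CORP"),
    ("10.2.0.0", 24, "CME-CORP Point-to-Point Links"),
    ("10.2.0.0", 24, "Point-to-Point Links to Private WAN"),
    ("10.2.0.0", 30, "ORD-SCO-A to ORD-SDI-I"),
    ("10.2.1.0", 24, "Point-to-Point Links to CME-CORP LAN"),
    ("10.2.1.0", 30, "ORD-SCO-A to ORD-SCO-B"),
    ("10.101.0.0", 16, "CME Private-WAN-Connected Sites LAN"),
    ("10.101.0.0", 22, "CME-WEST LAN"),
    ("10.101.32.0", 24, "ORD-TNG LAN"),
    ("10.101.33.0", 24, "CME Private WAN Sales Office LAN"),
    ("10.254.0.0", 16, "CME-CORP DMZ Address Space"),
    ("10.254.0.0", 24, "CME-CORP PUBLIC DMZ"),
    ("10.254.1.0", 22, "CME-CORP SECURE PUBLIC DMZ"),
    ("10.254.4.0", 22, "CME-CORP ACCESS DMZ"),
    ("10.254.4.0", 24, "CME-CORP ACCESS-DMZ Interconnect (ICF)"),
    ("10.254.5.0", 24, "CME-CORP ACCESS DMZ CORP WLAN Pool"),
    ("10.254.6.0", 24, "CME-CORP ACCESS DMZ ALT WLAN Pool"),
    ("10.254.7.0", 24, "CME-CORP ACCESS DMZ RAS Pool"),
]


def misaligned_blocks(plan=PLAN):
    """(printed, normalized) pairs for rows whose address has host bits set
    under the mask; such a row is not a valid prefix and cannot be routed
    or summarized as written."""
    bad = []
    for addr, plen, _use in plan:
        cidr = f"{addr}/{plen}"
        try:
            ip_network(cidr, strict=True)
        except ValueError:
            bad.append((cidr, str(ip_network(cidr, strict=False))))
    return bad


def load(plan=PLAN):
    """Parse the aligned rows into (IPv4Network, use) pairs; misaligned rows
    are skipped because their intended block is ambiguous."""
    entries = []
    for addr, plen, use in plan:
        try:
            entries.append((ip_network(f"{addr}/{plen}", strict=True), use))
        except ValueError:
            continue
    return entries


def parent_of(cidr, entries):
    """Tightest enclosing block in the plan (longest prefix that strictly
    contains cidr) as a string, or None for the root."""
    net = IPv4Network(cidr)
    cands = [n for n, _ in entries if n != net and net.subnet_of(n)]
    return str(max(cands, key=lambda n: n.prefixlen)) if cands else None


def duplicate_blocks(entries):
    """Blocks printed more than once with different uses; usually one of the
    rows was meant to carry a different (shorter) mask."""
    uses = defaultdict(set)
    for net, use in entries:
        uses[net].add(use)
    return {str(n): sorted(u) for n, u in uses.items() if len(u) > 1}


def summary_routes(aggregate, entries):
    """Collapse the leaf blocks inside `aggregate` into the fewest prefixes;
    the closer the result is to the aggregate itself, the cleaner the
    summary a distribution router can advertise."""
    agg = IPv4Network(aggregate)
    leaves = [
        n for n, _ in entries
        if n != agg and n.subnet_of(agg)
        and not any(m != n and m.subnet_of(n) for m, _ in entries)
    ]
    return [str(n) for n in collapse_addresses(leaves)]


if __name__ == "__main__":
    ents = load()
    print("misaligned:", misaligned_blocks())
    print("duplicates:", duplicate_blocks(ents))
    for net, use in ents:
        print(f"{str(net):16} parent={parent_of(str(net), ents)}  {use}")
    print("Private WAN summary:", summary_routes("10.101.0.0/16", ents))
    print("DMZ summary:", summary_routes("10.254.0.0/16", ents))
```

Running it shows that 10.2.1.0/24 has no parent closer than 10.0.0.0/8 (the printed 10.2.0.0/24 umbrella does not contain it) and that the four ACCESS DMZ /24 pools collapse back into 10.254.4.0/22.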

Routing Protocols and Methods

The complexity of the CME network mandates careful selection of routing protocols. Given that CME's internal and external (Internet) segments will never directly exchange routing information (due to RFC 1918 addressing and security constraints), separate Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP) are used.

Interior Networks

Of the three logical choices for dynamic Interior Gateway Protocols (IGP), Interior Border Gateway Protocol (IBGP) was considered too complex and ill suited for the large number of small (/24 or smaller) networks. Further, the cost of resources to handle IBGP at Private WAN sites was prohibitive, and redistributing IBGP routes into another IGP made little sense. Of the two remaining options, Open Shortest Path First (OSPF) and Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP), EIGRP is more suited to a meshed network (like the CME Corporate Campus) and was the most appropriate choice, with one exception: the DMZ. CME will use their registered Autonomous System Number (ASN) from BGP for their EIGRP implementation, but for the sake of illustration, configurations in the case study will use Cisco Systems' registered ASN (109). The exception to using EIGRP as the IGP is in the DMZ: Internet routers, firewall OUTSIDE interfaces, and VPN Concentrators will all run an instance of OSPF to meet the requirement that BGP can only announce routes learned from an IGP. On the other side of the security boundary, the firewall, DMZ Distribution Switch (6509), and VPN Concentrator will run a separate instance of OSPF to propagate DMZ routes to the internal network. The DMZ Distribution Switch will redistribute OSPF routes into the EIGRP process.

Exterior Networks

The registered ASN does double duty: the registration process is mandatory for use with Exterior Border Gateway Protocol (EBGP) (the Internet routing protocol) to ensure interoperability with different ISP upstream providers and allow local copies of the full Internet Routing Table to be maintained; the same ASN is used for EIGRP, even though the EIGRP ASN is never exposed outside the private network.




Citrix Metaframe Access Suite for Windows Server 2003(c) The Official Guide
Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2003
Pages: 158
