Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide : (ccdp Arch 642-874)

Edition: 3rd
ISBN13: 9781587142888
ISBN10: 1587142880
Media: Hardcover
Pub. Date: 11/1/2011
Publisher(s): Cisco Press
List Price: $72.99

Purchase options

  • Rent Book (Recommended): $58.39
  • Buy New Book: $50.98 (Currently Available, Usually Ships in 24-48 Hours)
  • eBook: $41.99
  • Used Book: Sold Out
  • More New and Used from Private Sellers: Starting at $22.12

Questions About This Book?

Why should I rent this book?
Renting is easy, fast, and cheap! Renting from eCampus.com can save you hundreds of dollars compared to the cost of new or used books each semester. At the end of the semester, simply ship the book back to us with a free UPS shipping label! No need to worry about selling it back.
How do rental returns work?
Returning books is as easy as possible. As your rental due date approaches, we will email you several courtesy reminders. When you are ready to return, you can print a free UPS shipping label from our website at any time. Then, just return the book to your UPS driver or any staffed UPS location. You can even use the same box we shipped it in!
What version or edition is this?
This is the 3rd edition with a publication date of 11/1/2011.
What is included with this book?
  • The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any CDs, lab manuals, study guides, etc.
  • The Rental copy of this book is not guaranteed to include any supplemental materials. You may receive a brand new copy, but typically, only the book itself.

Summary

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Third Edition, is a Cisco®-authorized, self-paced learning tool for CCDP® foundation learning. This book provides you with the knowledge needed to perform the conceptual, intermediate, and detailed design of a network infrastructure that supports desired network solutions over intelligent network services, in order to achieve effective performance, scalability, and availability. By reading this book, you will gain a thorough understanding of how to apply solid Cisco network solution models and recommended design practices to provide viable, stable enterprise internetworking solutions. The book presents concepts and examples that are necessary to design converged enterprise networks. Advanced network infrastructure technologies, such as virtual private networks (VPNs) and other security solutions, are also covered.

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Third Edition teaches you the latest developments in network design and technologies, including network infrastructure, intelligent network services, and converged network solutions. Specific topics include campus, routing, addressing, WAN services, data center, e-commerce, SAN, security, VPN, and IP multicast design, as well as network management. Chapter-ending review questions illustrate and help solidify the concepts presented in the book. Whether you are preparing for CCDP certification or simply want to gain a better understanding of designing scalable and reliable network architectures, you will benefit from the foundation information presented in this book.

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Third Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

John Tiso, CCIE No. 5162, CCDP, is a Product Manager for Cisco Systems. He holds a B.S. Degree in Computer Science and Mathematics from Adelphi University and a Graduate Citation in Strategic Management from Harvard University. John is a published author, has served as a technical editor for Cisco Press, and has participated as a SME for the CCIE program. Prior to Cisco, he was a senior consultant and architect in the Cisco partner channel.

  • Learn about the Cisco Enterprise Architecture
  • Create highly available campus and data center network designs
  • Develop optimum Layer 3 designs
  • Examine advanced WAN services design considerations
  • Evaluate SAN design considerations
  • Deploy effective e-commerce module designs
  • Create effective security services and IPsec and SSL VPN designs
  • Design IP multicast networks
  • Understand the network management capabilities within Cisco IOS Software

This book is in the Foundation Learning Guide Series. These guides are developed together with Cisco® as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.

Category: Cisco Certification
Covers: CCDP ARCH 642-874

Author Biography

John Tiso, CCIE #5162, CCDP is a Product Manager at Cisco Systems. His current responsibilities include the product management of Cisco’s training and certification programs around design and architecture. Before working with Cisco, John held various engineering and architecture roles in the Cisco partner channel. In addition to his CCIE and CCDP certifications, he holds multiple industry certifications from Cisco, Microsoft, CompTIA, and Sun Microsystems. He holds a Graduate Citation in strategic management from Harvard University and a Bachelor of Science degree in computer science and mathematics from Adelphi University. John is a published author and has served as a technical editor for both McGraw-Hill and Cisco Press. He has spoken multiple times at the Cisco Live! (Networkers) conference and the national CIPTUG conference. He has served as an expert on Cisco’s NetPro Forum “Ask the Expert” online events. John currently resides in Amherst, New Hampshire, with his wife, three children, and his running partner, Molly (who never complains, but sometimes barks). He is a nine-time marathon finisher, including five Boston Marathons. He can be reached at johnt@jtiso.com.

Table of Contents

    Foreword xxx

    Introduction xxxi

Chapter 1 The Cisco Enterprise Architecture 1

    Reviewing Cisco Enterprise Architecture 1

    The Hierarchical Model 2

        Example Hierarchical Network 3

    Enterprise Network Design for Cisco Architectures 4

    Service and Application Integration 7

        Network Services 7

        Network Applications 9

        Modularity in Cisco Network Architectures for the Enterprise 9

    Reviewing the Cisco PPDIOO Approach 12

        PPDIOO Network Lifecycle Approach 13

        Benefits of the Lifecycle Approach 14

        Using the Design Methodology Under PPDIOO 16

    Identifying Customer Requirements 16

    Characterizing the Existing Network and Sites 17

    Designing the Topology and Network Solutions 18

        Dividing the Network into Areas 18

    Summary 20

    References 21

    Review Questions 21

Chapter 2 Enterprise Campus Network Design 23

    Designing High Availability in the Enterprise Campus 24

        Enterprise Campus Infrastructure Review 24

        Access Layer 24

        Distribution Layer 26

        Core Layer 27

        Collapsed-Core Model 29

        High-Availability Considerations 30

        Implement Optimal Redundancy 30

        Provide Alternate Paths 32

        Avoid Single Points of Failure 33

        Cisco NSF with SSO 33

        Routing Protocol Requirements for Cisco NSF 34

        Cisco IOS Software Modularity Architecture 35

        Example: Software Modularity Benefits 37

    Designing an Optimum Design for Layer 2 38

        Recommended Practices for Spanning-Tree Configuration 38

        Cisco STP Toolkit 40

        STP Standards and Features 40

        Recommended Practices for STP Hardening 41

        Recommended Practices for Trunk Configuration and Vlan Trunking Protocol 43

        Dynamic Trunking Protocol 45

        Recommended Practices for UDLD Configuration 46

        Recommended Practices for EtherChannel 47

        Port Aggregation Protocol 49

        Link Aggregation Control Protocol 49

        Supporting Virtual Switching Systems Designs 50

        Common Access-Distribution Block Designs 51

        Multichassis EtherChannels and VSS 52

        VSS Design Considerations 53

        Dual Active Detection and Recovery 54

        VSS Design Best Practices 55

        Developing an Optimum Design for Layer 3 55

        Managing Oversubscription and Bandwidth 56

        Bandwidth Management with EtherChannel 56

        Bandwidth Management with 10 Gigabit Interfaces 57

        Link Load Balancing 57

        Link Load Balancing with EtherChannel 58

        EtherChannel Design Versus Equal-Cost Multipathing 59

        Routing Protocol Design 60

        Build Redundant Triangles 60

        Peer Only on Transit Links 60

        Summarize at the Distribution Layer 62

        First-Hop Redundancy 64

        Preempt Delay Tuning 65

        Elimination of FHRP in VSS Designs 66

        Overview of Gateway Load Balancing Protocol 67

        Optimizing FHRP Convergence 69

    Supporting a Layer 2 to Layer 3 Boundary Design 71

        Layer 2 to Layer 3 Boundary Design Models 71

        Layer 2 Distribution Switch Interconnection 71

        Layer 3 Distribution Switch Interconnection (with HSRP) 72

        Layer 3 Distribution Switch Interconnection (with GLBP) 72

        Layer 3 Distribution Switch with VSS Interconnection 73

        Layer 3 Access to Distribution Interconnection 74

        EIGRP Access Design Recommendations 75

        OSPF Access Design Recommendations 76

        Potential Design Issues 77

        Daisy Chaining Access Layer Switches 77

        Cisco StackWise Technology in the Access Layer 78

        Too Much Redundancy 79

        Too Little Redundancy 80

        Example: Impact of an Uplink Failure 80

        Example: Impact on Return-Path Traffic 82

        Asymmetric Routing (Unicast Flooding) 82

        Unicast Flooding Prevention 83

    Supporting Infrastructure Services 84

        IP Telephony Considerations 84

        IP Telephony Extends the Network Edge 84

        PoE Requirements 85

        Power Budget and Management 87

        Multi-VLAN Access Port 89

        Soft Phones and Voice VLANs 90

        QoS Considerations 90

        Recommended Practices for QoS 91

        Transmit Queue Congestion 91

        QoS Role in the Campus 92

        Campus QoS Design Considerations 92

        Cisco Catalyst Integrated Security Features 93

        Port Security Prevents MAC-Based Attacks 93

        DHCP Snooping Protects Against Rogue and Malicious DHCP Servers 94

        Dynamic ARP Inspection Protects Against ARP Poisoning 94

        IP Source Guard Protects Against Spoofed IP Addresses 95

        Example Catalyst Integrated Security Feature Configuration 95

    Summary 95

    References 96

    Review Questions 97

Chapter 3 Developing an Optimum Design for Layer 3 101

    Designing Advanced IP Addressing 101

        IP Address Planning as a Foundation 102

        Summary Address Blocks 102

        Summarization for IPv6 103

        Changing IP Addressing Needs 104

        Planning Addresses 104

        Applications of Summary Address Blocks 105

        Implementing Role-Based Addressing 105

        Bit Splitting for Route Summarization 106

        Example: Bit Splitting for Area 1 107

        IPv6 Address Planning 107

        Bit Splitting for IPv6 108

        Addressing for VPN Clients 109

        NAT in the Enterprise 109

        NAT with External Partners 110

    Design Considerations for IPv6 in Campus Networks 111

        IPv6 Campus Design Considerations 111

        Dual-Stack Model 112

        Hybrid Model 112

        Service Block Model 114

    Designing Advanced Routing 115

        Route Summarization and Default Routing 115

        Originating Default Routes 116

        Stub Areas and Default Route 117

        Route Filtering in the Network Design 118

        Inappropriate Transit Traffic 118

        Defensive Filtering 120

        Designing Redistribution 121

        Filtered Redistribution 122

    Migrating Between Routing Protocols 123

    Designing Scalable EIGRP Designs 123

        Scaling EIGRP Designs 124

        EIGRP Fast Convergence 124

        EIGRP Fast-Convergence Metrics 125

        Scaling EIGRP with Multiple Autonomous Systems 126

        Example: External Route Redistribution Issue 126

        Filtering EIGRP Redistribution with Route Tags 127

        Filtering EIGRP Routing Updates with Inbound Route Tags 128

        Example: Queries with Multiple EIGRP Autonomous Systems 130

        Reasons for Multiple EIGRP Autonomous Systems 130

        Designing Scalable OSPF Design 131

        Factors Influencing OSPF Scalability 131

        Number of Adjacent Neighbors and DRs 132

        Routing Information in the Area and Domain 132

        Designing OSPF Areas 133

        Area Size: How Many Routers in an Area? 134

        OSPF Hierarchy 134

        Area and Domain Summarization 136

        Number of Areas in an OSPF Hub-and-Spoke Design 137

        OSPF Hub-and-Spoke Design 137

        Issues with Hub-and-Spoke Design 138

        OSPF Hub-and-Spoke Network Types 140

        OSPF Area Border Connection Behavior 141

        Fast Convergence in OSPF 142

        OSPF Exponential Backoff 143

        Tuning OSPF Parameters 143

        OSPF LSA Pacing 145

        OSPF Event Processing 145

        Bidirectional Forwarding Detection 145

    Designing Scalable BGP Designs 146

        Scaling BGP Designs 146

        Full-Mesh IBGP Scalability 147

        Scaling IBGP with Route Reflectors 148

        BGP Route Reflector Definitions 148

        Route Reflector Basics 150

        Scaling IBGP with Confederations 151

        BGP Confederation Definitions 151

        Confederation Basics 151

        Confederations Reduce Meshing 152

        Deploying Confederations 154

    Summary 155

    References 157

    Review Questions 158

Chapter 4 Advanced WAN Services Design Considerations 161

    Advanced WAN Service Layers 161

        Enterprise Optical Interconnections 162

        Overview of SONET and SDH 163

        Enterprise View of SONET 164

        WDM Overview 165

        CWDM Technical Overview 165

        DWDM Technical Overview 166

        DWDM Systems 167

        RPR Overview 168

        RPR in the Enterprise 168

        Metro Ethernet Overview 170

        Metro Ethernet Service Model 170

        Metro Ethernet Architecture 170

        Metro Ethernet LAN Services 172

        Ethernet Private Line Service 173

        Ethernet Relay Service 174

        Ethernet Wire Service 175

        Ethernet Multipoint Service 175

        Ethernet Relay Multipoint Service 176

        Any Transport over MPLS 176

        Ethernet over MPLS 177

        End-to-End QoS 179

        Shaping and Policing on Subrate Ethernet WAN 180

        Choosing the Right Service 181

        VPLS Overview 181

        VPLS Architecture Model 182

        VPLS in the Enterprise 183

        Hierarchical VPLS Overview 184

        Scaling VPLS 184

        QoS Issues with EMS or VPLS 186

        EMS or VPLS and Routing Implications 186

        VPLS and IP Multicast 187

        VPLS Availability 187

        MPLS VPN Overview 187

        Customer Considerations with MPLS VPNs 188

        Routing Considerations: Backdoor Routes 189

        Routing Considerations: Managed Router Combined with Internal Routing 189

        Routing Considerations: Managed Router from Two Service Providers 190

    Implementing Advanced WAN Services 191

        Advanced WAN Service Selection 192

        Business Risk Assessment 192

        WAN Features and Requirements 194

        SLA Overview 195

        SLA Monitoring 196

        Application Performance Across the WAN 197

        WAN CPE Selection Considerations 198

        Cisco PfR Overview 200

        Cisco PfR Operations 200

        Cisco PfR Design and Deployment Considerations 203

    Summary 204

    References 205

    Review Questions 206

Chapter 5 Enterprise Data Center Design 211

    Designing the Core and Aggregation Layers 212

        Data Center Architecture Overview 213

        Benefits of the Three-Layer Model 213

        The Services Layer 214

        Using Dedicated Service Appliances 215

        Data Center Core Layer Design 217

        Layer 3 Characteristics for the Data Center Core 218

        OSPF Routing Protocol Design Recommendations 220

        EIGRP Routing Protocol Design Recommendations 221

        Aggregation Layer Design 221

        Scaling the Aggregation Layer 223

        STP Design 224

        Understanding Bridge Assurance 226

        Integrated Service Modules 227

        Service Module Placement Consideration 227

        Service Modules and the Services Layer 228

        Active STP, HSRP, and Service Context Alignment 230

        Active/Standby Service Module Design 232

        Active/Active Service Module Design 232

        Establishing Inbound Path Preference 233

        Using VRFs in the Data Center 235

        Using the Cisco Nexus 7000 Series in the Core and Aggregation Layer 236

        VDCs 238

        Designs Enabled by VDCs 239

        vPCs 241

        vPC Best Practices 242

        Designs Enabled by vPC 243

        Layer 2 Multipathing 244

        Designing the Access Layer 245

        Overview of the Data Center Access Layer 245

        Layer 2 Looped Designs 246

        Layer 2 Looped Topologies 247

        Layer 2 Looped Design Issues 249

        Layer 2 Loop-Free Designs 250

        Loop-Free Topologies 251

        Example: Loop-Free U Design and Layer 2 Service Modules 253

        Example: Loop-Free U Design and Cisco ACE Service Module 254

        Layer 2 FlexLink Designs 255

        FlexLink Issues and Considerations 256

        Comparison of Layer 2 Access Designs 259

        Layer 3 Access Layer Designs 260

        Multicast Source Support 261

        Benefits of Layer 3 Access 262

        Drawbacks of Layer 3 Access 262

        Blade Server Overview 262

        Blade Server Connectivity Options 264

        Blade Server Trunk Failover Feature 265

        Virtual Blade Switching 266

        Cisco Nexus Switch Family in the Access Layer 267

        TOR and EOR Designs 267

        Static and Dynamic Pinning 267

        Cisco Nexus 2000 FEX Dynamic Pinning 268

        Virtual Port Channel in the Data Center Access Layer 269

        Straight-Through FEX Design 270

        Active/Active FEX Design 270

    Cisco Nexus 1000V in the Data Center Access Layer 272

        Virtual Port Channel Host Mode 273

        Design Considerations for the Cisco Nexus 1000V 274

        Cisco Nexus 1010 275

    Layer 2 or Layer 3 Access Design? 276

    Scaling the Data Center Architecture 277

        TOR Versus EOR Designs 277

        Cabinet Design with TOR Switching 279

        Example: Network Topology with TOR Switching Model 280

        Cabinet Design with Modular Access Switches 281

        Example: Network Topology with Modular Access Switches 281

        Cabinet Design with Fabric Extenders 282

        Server NIC Density 284

        Hybrid Example with a Separate OOB Switch 284

        Oversubscription and Uplinks 285

        Scaling Bandwidth and Uplink Density 286

        Optimizing EtherChannel Utilization with Load Balancing 286

        Optimizing EtherChannel Utilization with Min-Links 287

        Scaling with Service Layer Switches 288

        Scaling Service on Cisco ACE Modules 289

    Scaling Spanning Tree and High Availability 290

        Scalability 290

        STPs in the Data Center 290

        STP Scaling 291

        STP Logical Interfaces 292

        STP Scaling with 120 Systemwide VLANs 293

        STP in 1RU Designs 295

        STP Scaling Design Guidelines 295

        Scaling the Data Center Using Zones 296

    High Availability in the Data Center 296

        Common NIC Teaming Configurations 296

        Server Attachment Methods 298

        High Availability and Failover Times 299

        High Availability and Cisco NSF with SSO 300

    Describing Network Virtualization in More Detail 302

        Definition of Virtualization 302

        Virtualization Categories 303

        Network Virtualization 304

        Virtual Routing and Forwarding 305

        Layer 3 VPNs and Network Virtualization 306

    Summary 308

    References 308

    Review Questions 309

Chapter 6 SAN Design Considerations 313

    Identifying SAN Components and Technologies 314

        SAN Components 315

        RAID Overview 317

    Storage Topologies 318

        DAS 318

        NAS 319

    SAN Technologies 320

        SCSI Overview 320

        Fibre Channel Overview 321

        Fibre Channel Communications Model 322

        VSAN 323

        IVR 324

        FSPF 325

        Zoning 325

        FICON 326

        SANTap 327

    Designing SAN and SAN Extension 328

        Port Density and Topology Requirements 329

        Device Oversubscription 330

        Traffic Management 331

        Fault Isolation 331

        Convergence and Stability 331

        SAN Designs with the Cisco MDS 9000 Family 331

        SAN Consolidation with VSANs 332

        Comprehensive SAN Security 332

        Simplified SAN Management 332

        Single-Switch Collapsed-Core Design 333

        Small-Scale, Dual-Fabric Collapsed-Core Design 334

        Medium-Scale, Dual-Fabric Collapsed-Core Design 335

        Large-Scale, Dual-Fabric Core-Edge Design 336

    SAN Extension 337

        SAN Extension Protocols 339

        Fibre Channel over IP 339

        iSCSI 340

        SAN Extension Developments 342

        High-Availability SAN Extension 343

    Integrated Fabric Designs Using Cisco Nexus Technology Overview 343

        Unified Fabric Technologies 344

        I/O Consideration in the Data Center 345

    Challenges When Building a Unified Fabric Based on 10 Gigabit Ethernet 346

        SAN Protocol Stack Extensions 348

        FCoE Components: Converged Network Adapter 349

        FCoE Components: Fibre Channel Forwarder 350

        Data Center Bridging Standards 351

        Unified Fabric Design Considerations 352

        Deploying Nexus in the Access Layer 353

        Nexus 5000/2000 Deployment Options in the Data Center 355

        FCoE VLAN to VSAN Mapping, VLAN Trunking, and the CNA 355

        Switch Mode Versus NPV Mode 357

        Unified Fabric Best Practices 358

    Summary 359

    References 359

    Review Questions 360

Chapter 7 E-Commerce Module Design 363

    Designing High Availability for E-Commerce 363

        E-Commerce High-Availability Requirements 364

        Components of High Availability 364

        Redundancy 365

        Technology 365

        People 366

        Processes 366

        Tools 367

    Common E-Commerce Module Designs 368

        Common E-Commerce Firewall Designs 368

        Typical E-Commerce Module Topology 368

        Using a Server as an Application Gateway 370

        Virtualization with Firewall Contexts 371

        Virtual Firewall Layers 372

        Firewall Modes 373

        Common E-Commerce Server Load Balancer Designs 375

        Functions of a Server Load Balancer 375

        SLB Design Models 376

        SLB Router Mode 377

        Application Control Engine 378

        SLB Inline Bridge Mode 378

        SLB One-Armed Mode 379

        Common E-Commerce Design Topologies for Connecting to Multiple ISPs 382

        One Firewall per ISP 382

        Stateful Failover with Common External Prefix 384

        Distributed Data Centers 384

    Design Option: Distributed Data Centers 385

    Additional Data Center Services 386

    Integrated E-Commerce Designs 388

        Base E-Commerce Module Design 388

        Base Design Routing Logic 390

        Base Design Server Traffic Flows 391

        Two Firewall Layers in the E-Commerce Module Design 393

        Traffic Flows in a Two-Firewall Layer Design 394

        One-Armed SLB Two-Firewall E-Commerce Module Design 395

        Traffic Flows in a One-Armed SLB Two-Firewall Layer Design 396

        Direct Server Traffic Flows in a One-Armed SLB Two-Firewall Layer Design 398

        One-Armed SLB E-Commerce Module Design with Firewall Contexts 398

        Traffic Flows in a One-Armed SLB Design with Firewall Contexts 400

        One-Armed SLB E-Commerce Module Design with ACE 401

        Testing E-Commerce Module Designs 403

    Summary 404

    References 405

    Review Questions 405

Chapter 8 Security Services Design 407

    Designing Firewalls 407

        Firewall Modes 408

        Zone-Based Policy Firewall 410

        Virtual Firewall Overview 411

        Firewall Context Design Considerations 413

        MSFC Placement 414

        Active/Active Firewall Topology 415

        Active/Active Topology Features 416

        Asymmetric Routing with Firewalls 416

        Asymmetric Routing with ASR Group on a Single FWSM 417

        Asymmetric Routing with Active/Active Topology 418

        Performance Scaling with Multiple FWSMs 419

        Example: Load Balancing FWSMs Using PBR 419

        Load Balancing FWSMs Using ECMP Routing 420

        PVLAN Security 420

        FWSM in a PVLAN Environment: Isolated Ports 422

        FWSM in a PVLAN Environment: Community VLANs 423

    Designing NAC Services 423

        Network Security with Access Control 424

        NAC Comparison 425

        Cisco NAC Appliance Fundamentals 426

        Cisco NAC Appliance Components 426

        Cisco NAC Appliance Policy Updates 427

        Process Flow with the Cisco NAC Appliance 428

        Cisco NAS Scaling 429

        Cisco NAS Deployment Options 429

        Cisco NAS Gateway Modes 430

        Cisco NAS Client Access Modes 431

        Cisco NAS Operating Modes 431

        Physical Deployment Models 432

        Cisco NAC Appliance Designs 432

        Layer 2 In-Band Designs 434

        Example: Layer 2 In-Band Virtual Gateway 434

        Example: Layer 2 In-Band Real IP Gateway 435

        Layer 2 Out-of-Band Designs 435

        Example: Layer 2 Out-of-Band Virtual Gateway 436

        Layer 3 In-Band Designs 437

        Example: Layer 3 In-Band Virtual Gateway 437

        Example: Layer 3 In-Band with Multiple Remotes 438

        Layer 3 Out-of-Band Designs 439

        Example: Layer 3 OOB with Addressing 440

        NAC Framework Overview 441

        Router Platform Support for the NAC Framework 442

        Switch Platform Support for the NAC Framework 443

    IPS and IDS Overview 444

        Threat Detection and Mitigation 444

        IDSs 444

        Intrusion-Prevention Systems 445

        IDS and IPS Overview 446

        Host Intrusion-Prevention Systems 447

        IDS and IPS Design Considerations 447

        IDS or IPS Deployment Considerations 448

        IPS Appliance Deployment Options 448

        Feature: Inline VLAN Pairing 450

        IPS Deployment Challenges 450

        IDS or IPS Management Interface Deployment Options 450

        In-Band Management Through Tunnels 451

        IDS and IPS Monitoring and Management 451

        Scaling Cisco Security MARS with Global Controller Deployment 453

    Summary 453

    References 454

    Review Questions 455

Chapter 9 IPsec and SSL VPN Design 459

    Designing Remote-Access VPNs 459

        Remote-Access VPN Overview 460

        Example: Cisco Easy VPN Client IPsec Implementation 461

        SSL VPN Overview 461

        Clientless Access 462

        Thin Client 463

        Thick Client 464

        Remote-Access VPN Design Considerations 464

        VPN Termination Device and Firewall Placement 465

        Address Assignment Considerations 465

        Routing Design Considerations 465

        Other Design Considerations 466

    Designing Site-to-Site VPNs 467

        Site-to-Site VPN Applications 468

        WAN Replacement Using Site-to-Site IPsec VPNs 468

        WAN Backup Using Site-to-Site IPsec VPNs 469

        Regulatory Encryption Using Site-to-Site IPsec VPNs 470

        Site-to-Site VPN Design Considerations 470

        IP Addressing and Routing 470

        Scaling, Sizing, and Performance 471

        Cisco Router Performance with IPsec VPNs 471

        Typical VPN Device Deployments 475

        Design Topologies 476

        VPN Device Placement Designs 476

        VPN Device Parallel to Firewall 476

        VPN Device on a Firewall DMZ 477

        Integrated VPN and Firewall 478

    Using IPsec VPN Technologies 478

        IPsec VPN Overview 478

        Extensions to Basic IPsec VPNs 480

        Cisco Easy VPN 480

        Overview of Cisco Easy VPN Server Wizard on Cisco SDM 480

        Overview of Easy VPN Remote Wizard on Cisco SDM 482

        GRE over IPsec Design Recommendations 483

        DMVPN 485

        DMVPN Overview 485

        DMVPN Design Recommendations 487

        Virtual Tunnel Interfaces Overview 487

        Group Encrypted Transport VPN 489

        GET VPN Topology 489

    Managing and Scaling VPNs 491

        Recommendations for Managing VPNs 491

        Considerations for Scaling VPNs 491

        Determining PPS 493

        Routing Protocol Considerations for IPsec VPNs 497

        EIGRP Metric Component Consideration 498

    Summary 498

    References 499

    Review Questions 500

Chapter 10 IP Multicast Design 505

    IP Multicast Technologies 506

        Introduction to Multicast 506

        Multicast Versus Unicast 506

        IP Multicast Group Membership 507

        Multicast Applications and Multicast Adoption Trends 508

        Learning About Multicast Sessions 509

        Advantages of Multicast 510

        Disadvantages of Multicast 510

        Multicast IP Addresses 511

        Layer 2 Multicast Addresses 512

        Multicast Address Assignment 514

        Cisco Multicast Architecture 515

        IGMP and CGMP 516

        IGMP Version 1 516

        IGMP Version 2 517

        IGMP Version 3 518

    Multicast with Layer 2 Switches 518

        IGMP Snooping 519

        CGMP 520

        PIM Routing Protocol 520

        PIM Terminology 521

        Multicast Distribution Tree Creation 522

        Reverse Path Forwarding 522

        Source Distribution Trees 524

        Shared Distribution Trees 525

        Multicast Distribution Tree Notation 527

    Deploying PIM and RPs 527

        PIM Deployment Models 527

        ASM or PIM-SM 528

        PIM-SM Shared Tree Join 528

        PIM-SM Sender Registration 529

        PIM-SM SPT Switchover 530

        Bidirectional PIM 532

        Source-Specific Multicast 533

        SSM Join Process 534

        SSM Source Tree Creation 535

        PIM Dense Mode 535

        RP Considerations 536

        Static RP Addressing 537

        Anycast RP 537

        Auto-RP 538

        DM Fallback and DM Flooding 540

        Boot Strap Router 541

    Securing IP Multicast 543

        Security Considerations for IP Multicast 543

        Security Goals for Multicast Environments 543

        Unicast and Multicast State Requirements 544

        Unicast and Multicast Replication Requirements 546

        Attack Traffic from Rogue Sources to Receivers 547

        Attack Traffic from Sources to Networks Without Receivers 547

        Attack Traffic from Rogue Receivers 548

        Scoped Addresses 548

        Multicast Access Control 549

        Packet Filter-Based Access Control 549

        Host Receiver-Side Access Control 551

        PIM-SM Source Control 552

        Disabling Multicast Groups for IPv6 553

        Multicast over IPsec VPNs 553

        Traditional Direct Encapsulation IPsec VPNs 554

        Multicast over IPsec GRE 555

        Multicast over DMVPN 555

        Multicast Using GET VPN 557

    Summary 558

    References 560

    Review Questions 561

Chapter 11 Network Management Capabilities Within Cisco IOS Software 565

    Cisco IOS Embedded Management Tools 565

        Embedded Management Rationale 566

        Network Management Functional Areas 566

        Designing Network Management Solutions 567

        Cisco IOS Software Support of Network Management 567

        Application Optimization and Cisco IOS Technologies 568

        Syslog Considerations 571

        Cisco IOS Syslog Message Standard 571

        Issues with Syslog 572

    NetFlow 573

        NetFlow Overview 573

        Principal NetFlow Uses 574

        Definition of a Flow 574

        Traditional IP Flows 575

        Flow Record Creation 576

        NetFlow Cache Management 578

        NetFlow Export Versions 579

        NetFlow Version 9 Export Packet 580

        Flexible NetFlow Advantages 581

        NetFlow Deployment 582

        Where to Apply NetFlow Monitoring 582

    NBAR 583

        NBAR Overview 583

        NBAR Packet Inspection 584

        NBAR Protocol Discovery 586

        NetFlow and NBAR Differentiation 586

        Reporting NBAR Protocol Discovery Statistics from the Command Line 587

        NBAR and Cisco AutoQoS 588

    Cisco AutoQoS for the Enterprise 589

        Example: Cisco AutoQoS Discovery Progress 590

        Cisco AutoQoS Suggested Policy 591

    IP SLA Considerations 592

        IP SLA Overview 592

        SLAs 592

    Cisco IOS IP SLA Measurements 593

    IP SLA SNMP Features 594

        Deploying IP SLA Measurements 595

    Impact of QoS Deployment on IP SLA Statistics 596

    Scaling IP SLA Deployments 597

        Hierarchical Monitoring with IP SLA Measurements 598

        Network Management Applications Using IP SLA Measurements 599

        CiscoWorks IPM Application Example 599

    IP SLA Network Management Application Consideration 600

    Summary 600

    References 602

    Review Questions 603

Appendix A Answers to Review Questions 605

Appendix B Acronyms and Abbreviations 611

Appendix C VoWLAN Design 625

TOC, 9781587142888, 9/29/2011