Designing For Cisco


Designing for Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Fourth Edition
CCDP ARCH 300-320

Marwan Al-shawi, CCDE No. 20130066
André Laurent, CCDE No. 20120024, CCIE No. 21840

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Designing for Cisco Network Service Architectures (ARCH) Foundation Learning Guide

Designing for Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Fourth Edition
Marwan Al-shawi and André Laurent
Copyright 2017 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing December 2016
Library of Congress Control Number: 2016958010
ISBN-13: 978-1-58714-462-2
ISBN-10: 1-58714-462-x

Warning and Disclaimer

This book is designed to provide information about designing Cisco Network Service Architectures. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact intlcs@pearson.com.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Editor-in-Chief: Mark Taub
Copy Editor: Chuck Hutchinson
Alliances Manager, Cisco Press: Ron Fligge
Technical Editors: Denise Fishburne, Orhan Ergun
Product Line Manager: Brett Bartow
Editorial Assistant: Vanessa Evans
Acquisitions Editor: Michelle Newcomb
Cover Designer: Chuti Prasertsith
Managing Editor: Sandra Schroeder
Composition: codeMantra
Development Editor: Ginny Munroe
Indexer: Lisa Stumpf
Senior Project Editor: Tonya Simpson
Proofreader: Deepa Ramesh

About the Authors

Marwan Al-shawi, CCDE No. 20130066, is a Cisco Press author whose titles include the top Cisco certification design books CCDE Study Guide and Designing for Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Fourth Edition. He also is an experienced technical architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service provider–grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. He enjoys helping and assessing network designs and architectures; therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012 and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016. In his spare time, Marwan provides CCDP- and CCDE-related training and blogs at netdesignarena.com.

André Laurent, 3xCCIE No. 21840, CCDE No. 20120024, is the worldwide director of engineering for enterprise networking sales at Cisco Systems and a Cisco Press author. Outside his own personal development, André has an equal passion for helping others develop their systems and assisting them with the certification process. André is recognized in the industry as a subject matter expert in the areas of routing, switching, security, and design. Although he wears a Cisco badge, André takes a neutral approach in helping clients establish a long-term business and technology vision covering necessary strategy, execution, and metrics for measuring impact.

About the Technical Reviewers

Denise "Fish" Fishburne, CCDE No. 20090014, CCIE No. 2639 (R&S, SNA), is an engineer and team lead with the Customer Proof of Concept Lab (CPOC) in North Carolina. Fish is a geek who absolutely adores learning and passing it on. She works on many technologies in the CPOC, but her primary technical strength is troubleshooting. Fish has been with Cisco since 1996 and CPOC since 2001, and has been a regular speaker at Networkers/Cisco Live since 2006. Cisco Live is a huge passion for Fish! As such, in 2009, she got even more deeply involved with it by becoming a Cisco Live session group manager. Look for Fish swimming in the bits and bytes all around you, or just go to www.NetworkingWithFish.com.

Orhan Ergun, CCDE No. 2014:0017, CCIE No. 2014:0017 (CCNP, CCDP, JNCIS, and JNCIP), is a network architect who focuses on service providers, data centers, virtualization, cloud, and network security. He has more than 13 years of IT experience and has worked on many medium- and large-scale network design and deployment projects. He teaches Cisco network design concepts and writes exam questions for Cisco Systems.

Dedications

I would like to dedicate this book to my wonderful mother for her continued support, love, encouragement, guidance, and wisdom, as well as to the people in my life who always support and encourage me. And most importantly, I would like to thank God for all blessings in my life.

—Marwan

I would like to dedicate this book to the women in my life. My mother, for her unconditional dedication and love. My sister, for rescuing me from the drifter life and setting me up with my first job in the industry. My beautiful wife, who continues to stand by my side while encouraging me through all the new challenges, opportunities, and experiences life brings.

—André

Acknowledgments

A special thank you goes to the Pearson Cisco Press team for their support in making this book possible.

A big thank you goes to André for being part of this publication and adding his expert perspective. It's always a pleasure to work with an experienced and extremely helpful person like André.

We would like to give special recognition to the wonderful technical reviewers Denise Fishburne and Orhan Ergun for their valuable contributions in editing the book. Both Denise and Orhan are very experienced network designers and CCDE certified; therefore, their suggestions and feedback helped shape and optimize the quality of the contents on multiple areas.

In addition, a special thank you to Maurizio Portolani (Cisco Press author and distinguished system engineer at Cisco Systems) and John Weston (systems engineer at Cisco) for their help and support with the technical review and optimization of the ACI chapter.

Also, we want to thank Adrian Arumugam (network engineer for a major content provider) for his technical review and valuable comments of certain chapters.

Contents at a Glance

Introduction

Part I  Designing Reliable and Resilient Enterprise Layer 2 and Layer 3 Networks
  Chapter 1  Optimal Enterprise Campus Design
  Chapter 2  EIGRP Design
  Chapter 3  OSPF Design
  Chapter 4  IS-IS Design
  Chapter 5  Border Gateway Protocol Design

Part II  Enterprise IPv6 Design Considerations and Challenges
  Chapter 6  IPv6 Design Considerations in the Enterprise
  Chapter 7  Challenges of the Transition to IPv6

Part III  Modern Enterprise Wide-Area Networks Design
  Chapter 8  Service Provider–Managed VPNs
  Chapter 9  Enterprise-Managed WANs
  Chapter 10  Enterprise WAN Resiliency Design

Part IV  Enterprise Data Center Designs
  Chapter 11  Multitier Enterprise Data Center Designs
  Chapter 12  New Trends and Techniques to Design Modern Data Centers
  Chapter 13  Cisco Application-Centric Infrastructure
  Chapter 14  Data Center Connections

Part V  Design QoS for Optimized User Experience
  Chapter 15  QoS Overview
  Chapter 16  QoS Design Principles and Best Practices

  Chapter 17  Campus, WAN, and Data Center QoS Design
  Chapter 18  MPLS VPN QoS Design
  Chapter 19  IPsec VPN QoS Design

Part VI  IP Multicast Design
  Chapter 20  Enterprise IP Multicast Design
  Chapter 21  Rendezvous Point Distribution Solutions

Part VII  Designing Optimum Enterprise Network Security
  Chapter 22  Designing Security Services and Infrastructure Protection
  Chapter 23  Designing Firewall and IPS Solutions
  Chapter 24  IP Multicast Security
  Chapter 25  Designing Network Access Control Solutions

Part VIII  Design Scenarios
  Chapter 26  Design Case Studies

Appendix A  Answers to Review Questions
Appendix B  References
Index

Contents

Introduction

Part I  Designing Reliable and Resilient Enterprise Layer 2 and Layer 3 Networks

Chapter 1  Optimal Enterprise Campus Design
  Enterprise Campus Design Principles
    Hierarchy
      Access Layer
      Distribution Layer
      Core Layer
      Enterprise Campus Two-Tier Layer Model
      Enterprise Campus Three-Tier Layer Model
    Modularity
      Modular Enterprise Campus Architecture and Modular Enterprise Campus with OSPF
      Access-Distribution Block
    Flexibility
      Campus Network Virtualization
      Campus Network Virtualization Technologies and Techniques
        VLAN Assignment
        Virtual Routing and Forwarding
        Path Isolation Techniques
    Resiliency
  Enterprise Campus High-Availability Design Considerations
    VLANs, Trunking, and Link Aggregation Design Recommendations
      VLAN Design
      Trunking
      Link Aggregation
    First-Hop Redundancy Protocol (FHRP)
    IP Gateway Redundancy Optimization with VSS
    Layer 2 to Layer 3 Boundary Design Options and Considerations
    Distribution-to-Distribution Link Design Considerations
    A Summary of Enterprise Campus HA Designs
  Summary
  Review Questions
  References

Chapter 2  EIGRP Design
  Scalable EIGRP Design Overview
    EIGRP with Multiple Autonomous Systems
    EIGRP Queries
    Multiple EIGRP Autonomous System Drivers
  EIGRP Multilayer Architectures
    EIGRP Two-Layer Hierarchy Architecture
    EIGRP Three-Layer Hierarchy Architecture
  EIGRP Hub-and-Spoke Design
    Summarization Challenges
      Route Summarization Black Holes
      Route Summarization and Suboptimal Routing
    EIGRP Hub-and-Spoke Scalability Optimization
      EIGRP Stub Leaking
    EIGRP DMVPN Scaling
  EIGRP Fast Convergence Design Considerations
    Bidirectional Forwarding Detection
    EIGRP Graceful Restart/NSF Considerations
  Summary
  Review Questions

Chapter 3  OSPF Design
  OSPF Scalability Design Considerations
    Adjacent Neighbors
    Routing Information in the Area and the Routed Domain
    Numbers of Routers in an Area
    Number of Areas per ABR
  OSPF Area Design Considerations
    OSPF Hierarchy
    Area and Domain Summarization
  OSPF Full-Mesh Design
  OSPF Hub-and-Spoke Design
    OSPF ABR Placement in Hub-and-Spoke Design
    Number of Areas in OSPF Hub-and-Spoke Design
    OSPF Network Types in Hub-and-Spoke Design

  OSPF Convergence Design Considerations and Optimization Techniques
    Event Detection
    OSPF Event Propagation
    OSPF Event Processing
    OSPF Flooding Reduction
    OSPF Database Overload Protection
  Summary
  Review Questions

Chapter 4  IS-IS Design
  Protocol Overview
    IS-IS Characteristics
    Integrated IS-IS Routing
    IS-IS Hierarchical Architecture Overview
    IS-IS Router and Link Types
    IS-IS Adjacencies
  IS-IS Versus OSPF
    Similarities Between IS-IS and OSPF
    OSPF and IS-IS Characteristics
    Integrated IS-IS and OSPF Area Designs
      OSPF Area Design
      Integrated IS-IS Area Design
  IS-IS Technical Deep Dive
    IS-IS Addressing
    IS-IS Packets
    IS-IS Information Data Flow
    IS-IS Network Types
    IS-IS Protocol Operations
      Level 1 and Level 2 LSPs and IIHs
      IS-IS Link-State Packets Flooding
      IS-IS LSDB Synchronization
  IS-IS Design Considerations
    Advanced IS-IS Routing
      IS-IS Routing Logic Overview
      Route Leaking
      Asymmetric Versus Symmetric IS-IS Routing

      IS-IS Routing over NBMA Hub-and-Spoke
      IS-IS Routing over a Full-Mesh Network
    Flat IS-IS Routing Design
    Hierarchical IS-IS Design
    IS-IS Routes Summarization
    Integrated IS-IS for IPv6
      IS-IS Single-Topology Restrictions
      Multitopology IS-IS for IPv6
    Final Thoughts on IS-IS Routing Design
  Summary
  Review Questions

Chapter 5  Border Gateway Protocol Design
  BGP Overview
    BGP Speaker Types
    BGP Loop Prevention and Split-Horizon Rule
    BGP Path Attributes and Path Selection (Review)
      BGP Path Attributes
      How BGP Selects Paths
  Designing Scalable iBGP Networks
    iBGP Scalability Limitations
    iBGP Scalability Solutions
      BGP Route Reflectors
      BGP Confederations
      BGP Confederations Versus BGP Route Reflectors
  BGP Route Reflector Design
    Route Reflector Split-Horizon Rule
    BGP Route Reflectors Redundancy Design Options and Considerations
      Route Reflector Clusters
      Loop-Prevention Mechanisms
      Congruence of Physical and Logical Networks
    Hierarchical Route Reflector Design
    Route Reflector Potential Network Design Issues
  Enhancing the Design of BGP Policies with BGP Communities
    BGP Community Attribute Overview
    Well-Known BGP Communities

    BGP Named Community List
    Planning for the Use of BGP Communities
  Case Study: Designing Enterprise-wide BGP Policies Using BGP Communities
    Enterprise BGP Policy Requirements
    BGP Community Solution Design
    Solution Detailed Design and Traffic Flow
  BGP Load-Sharing Design
    Single-Homing Versus Multihoming
    Dual-Homing and Multihoming Design Considerations
      Single-Homed, Multiple Links
      Dual-Homed to One ISP Using a Single Local Edge Router
      Dual-Homed to One ISP Using Multiple Edge Routers
      Multihoming with Two ISPs Using a Single Local Edge Router
      Multihoming with Two ISPs Using Multiple Local Edge Routers
  Summary
  Review Questions

Part II  Enterprise IPv6 Design Considerations and Challenges

Chapter 6  IPv6 Design Considerations in the Enterprise
  IPv6 Deployment and Design Considerations
    Business and Network Discovery Phase
    Assessment Phase
    Planning and Design Phase
    Implementation and Optimization Phases
  Considerations for Migration to IPv6 Design
    Acquiring IPv6 Prefixes
      Provider Independent Versus Provider Assigned
    Where to Start the Migration
    Migration Models and Design Considerations
      IPv6 Island
      IPv6 WAN
  IPv6 Transition Mechanisms
    Dual Stack
    NAT64 and DNS64
    Manual Tunnels
    Tunnel Brokers

    6 Rapid Deployment
    Dual-Stack Lite (DS-Lite)
    Locator/ID Separation Protocol (LISP)
      LISP Site Edge Devices
      LISP Infrastructure Devices
    Final Thoughts on IPv6 Transition Mechanisms
  Summary
  Review Questions

Chapter 7  Challenges of the Transition to IPv6
  IPv6 Services
    Name Services
      Implementation Recommendations
    Addressing Services
      Implementation Recommendations
    Security Services
    Link Layer Security Considerations
    Application Support
      Application Adaptation
      Application Workarounds
  Control Plane Security
  Dual-Stack Security Considerations
  Tunneling Security Considerations
  Multihoming
  Summary
  Review Questions

Part III  Modern Enterprise Wide-Area Networks Design

Chapter 8  Service Provider–Managed VPNs
  Choosing Your WAN Connection
  Layer 3 MPLS VPNs
    MPLS VPN Architecture
    Enterprise Routing Considerations
      Provider Edge (PE) Router Architecture
      Route Distinguishers
      Route Target (RT)
    PE-CE Routing Protocol
      Using EIGRP as the PE-CE Routing Protocol

      Using OSPF as the PE-CE Routing Protocol
      Using BGP as the PE-CE Routing Protocol
    Case Study: MPLS VPN Routing Propagation
    Forwarding in MPLS VPN
  Layer 2 MPLS VPN Services
    Virtual Private Wire Service (VPWS)
    Virtual Private LAN Service (VPLS)
      VPLS Resiliency Considerations
      VPLS Scalability Considerations
    VPLS Versus VPWS
  Summary
  Review Questions

Chapter 9  Enterprise-Managed WANs
  Enterprise-Managed VPN Overview
  GRE Overview
    Multipoint GRE Overview
    Point-to-Point and Multipoint GRE Comparison
  IPsec Overview
    IPsec and GRE
    IPsec and Virtual Tunnel Interface
    IPsec and Dynamic VTI
  DMVPN Overview
    DMVPN Phase 1
    DMVPN Phase 2
    DMVPN Phase 3
    Case Study: EIGRP DMVPN
      EIGRP over DMVPN Phase 1
      EIGRP over DMVPN Phase 2
      EIGRP over DMVPN Phase 3
    DMVPN Phase 1–3 Summary
    DMVPN and Redundancy
    Case Study: MPLS/VPN over GRE/DMVPN
  SSL VPN Overview

  FlexVPN Overview
    FlexVPN Architecture
    FlexVPN Capabilities
    FlexVPN Configuration Blocks
  GETVPN
  Summary
  Review Questions

Chapter 10  Enterprise WAN Resiliency Design
  WAN Remote-Site Overview
    MPLS Layer 3 WAN Design Models
    Common Layer 2 WAN Design Models
    Common VPN WAN Design Models
    3G/4G VPN Design Models
    Remote Site Using Local Internet
    Remote-Site LAN
  Case Study: Redundancy and Connectivity
    ATM WAN Design
    Remote-Site (Branch Office) WAN Design
    Regional Offices WAN Design
  Basic Traffic Engineering Techniques
  NGWAN, SDWAN, and IWAN Solution Overview
    Transport-Independent Design
    Intelligent Path Control
    Management
    Application Optimization
    Secure Connectivity
  IWAN Design Overview
    IWAN Hybrid Design Model
  Cisco PfR Overview
    Cisco PfR Operations
    Cisco IWAN and PfRv3
    Cisco PfRv3 Design and Deployment Considerations
  Enterprise WAN and Access Management
    APIC-EM
    Design of APIC-EM
  Summary
  Review Questions

Part IV  Enterprise Data Center Designs

Chapter 11  Multitier Enterprise Data Center Designs
  Case Study 1: Small Data Centers (Connecting Servers to an Enterprise LAN)
  Case Study 2: Two-Tier Data Center Network Architecture
  Case Study 3: Three-Tier Data Center Network Architecture
  Data Center Inter-VLAN Routing
  End of Row Versus Top of Rack Design
  Data Center High Availability
  Fabric Extenders
  Network Interface Controller Teaming
  Summary
  Review Questions

Chapter 12  New Trends and Techniques to Design Modern Data Centers
  The Need for a New Network Architecture
    Limitations of Current Networking Technology
  Modern Data Center Design Techniques and Architectures
    Spine-Leaf Data Center Design
    Network Overlays
      Cisco Fabric Path
      Virtual Extensible LAN (VXLAN)
        VXLAN Tunnel Endpoint
        Remote VTEP Discovery and Tenant Address Learning
        VXLAN Control-Plane Optimization
  Software-Defined Networking
    How SDN Can Help
    Selection Criteria of SDN Solutions
      SDN Requirements
      SDN Challenges
    Direction of Nontraditional SDN
  Multitenant Data Center
    Secure Tenant Separation
      Layer 3 Separation with VRF-Lite
      Device-Level Virtualization and Separation

    Case Study: Multitenant Data Center
    Microsegmentation with Overlay Networks
  Summary
  Review Questions
  References

Chapter 13  Cisco Application-Centric Infrastructure
  ACI Characteristics
  How the Cisco ACI Addresses Current Networking Limitations
  Cisco ACI Architecture Components
    Cisco Application Policy Infrastructure Controller (APIC)
    APIC Approach Within the ACI Architecture
    Cisco ACI Fabric
    ACI Network Virtualization Overlays
  Application Design Principles with the Cisco ACI Policy Model
    What Is an Endpoint Group in Cisco ACI?
    Design EPGs
    ACI Fabric Access Policies
    Building Blocks of a Tenant in the Cisco ACI
    Crafting Applications Design with the Cisco ACI
  ACI Interaction with External Layer 2 Connections and Networks
    Connecting ACI to the Outside Layer 2 Domain
    ACI Integration with STP-Based Layer LAN
  ACI Routing
    First-Hop Layer 3 Default Gateway in ACI
    Border Leaves
    Route Propagation inside the ACI Fabric
    Connecting the ACI Fabric to External Layer 3 Domains
  Integration and Migration to ACI Connectivity Options
  Summary
  Review Questions
  References

Chapter 14  Data Center Connections
  Data Center Traffic Flows
    Traffic Flow Directions
    Traffic Flow Types

  The Need for DCI
  IP Address Mobility
  Case Study: Dark Fiber DCI
  Pseudowire DCI
  Virtual Private LAN Service DCI
  Customer-Managed Layer 2 DCI Deployment Models
    Any Transport over MPLS over GRE
    Customer-Managed Layer 2 DCI Deployment
    Layer 2 DCI Caveats
  Overlay Transport Virtualization DCI
  Overlay Networking DCI
  Layer 3 DCI
  Summary
  Review Questions

Part V  Design QoS for Optimized User Experience

Chapter 15  QoS Overview
  QoS Overview
    IntServ versus DiffServ
  Classification and Marking
    Classifications and Marking Tools
    Layer 2 Marking: IEEE 802.1Q/p Class of Service
    Layer 3 Marking: IP Type of Service
    Layer 3 Marking: DSCP Per-Hop Behaviors
    Layer 2.5 Marking: MPLS Experimental Bits
    Mapping QoS Markings between OSI Layers
    Layer 7 Classification: NBAR/NBAR2
  Policers and Shapers
    Token Bucket Algorithms
    Policing Tools: Single-Rate Three-Color Marker
    Policing Tools: Two-Rate Three-Color Marker
  Queuing Tools
    Tx-Ring
    Fair Queuing
    CBWFQ

  Dropping Tools
    DSCP-Based WRED
    IP ECN
  Summary
  Review Questions

Chapter 16  QoS Design Principles and Best Practices
  QoS Overview
  Classification and Marking Design Principles
  Policing and Remarking Design Principles
  Queuing Design Principles
  Dropping Design Principles
  Per-Hop Behavior Queue Design Principles
  RFC 4594 QoS Recommendation
  QoS Strategy Models
    4-Class QoS Strategy
    8-Class QoS Strategy
    12-Class QoS Strategy
  Summary
  Review Questions

Chapter 17  Campus, WAN, and Data Center QoS Design
  Campus QoS Overview
    VoIP and Video
    Buffers and Bursts
    Trust States and Boundaries
    Trust States and Boundaries Example
    Dynamic Trust State
    Classification/Marking/Policing QoS Model
    Queuing/Dropping Recommendations
    Link Aggregation "EtherChannel" QoS Design
    Practical Example of Campus QoS Design
  WAN QoS Overview
    Platform Performance Considerations
    Latency and Jitter Considerations
    Queuing Considerations
    Shaping Considerations
    Practical Example of WAN and Branch QoS

  Data Center QoS Overview
    High-Performance Trading Architecture
    Big Data Architecture
    Case Study: Virtualized Multiservice Architectures
    Data Center Bridging Toolset
    Case Study: DC QoS Application
  Summary
  Review Questions

Chapter 18  MPLS VPN QoS Design
  The Need for QoS in MPLS VPN
  Layer 2 Private WAN QoS Administration
  Fully Meshed MPLS VPN QoS Administration
  MPLS DiffServ Tunneling Modes
    Uniform Tunneling Mode
    Short-Pipe Tunneling Mode
    Pipe Tunneling Mode
  Sample MPLS VPN QoS Roles
  Summary
  Review Questions

Chapter 19  IPsec VPN QoS Design
  The Need for QoS in IPsec VPN
  VPN Use Cases and Their QoS Models
  IPsec Refresher
  IOS Encryption and Classification: Order of Operations
  MTU Considerations
  DMVPN QoS Considerations
  GET VPN QoS Considerations
  Summary
  Review Questions

Part VI  IP Multicast Design

Chapter 20  Enterprise IP Multicast Design
  How Does IP Multicast Work?
    Multicast Group
    IP Multicast Service Model
    Functions of a Multicast Network

  Multicast Protocols
    Multicast Forwarding and RPF Check
    Case Study 1: RPF Check Fails and Succeeds
    Multicast Protocol Basics
    Multicast Distribution Trees Identification
  PIM-SM Overview
    Receiver Joins PIM-SM Shared Tree
    Registered to RP
    PIM-SM SPT Switchover
    Multicast Routing Table
    Basic SSM Concepts
    SSM Scenario
  Bidirectional PIM
    PIM Modifications for Bidirectional Operation
    DF Election
    DF Election Messages
    Case Study 2: DF Election
  Summary
  Review Questions

Chapter 21  Rendezvous Point Distribution Solutions
  Rendezvous Point Discovery
  Rendezvous Placement
  Auto-RP
    Auto-RP Candidate RPs
    Auto-RP Mapping Agents
    Auto-RP and Other Routers
    Case Study: Auto-RP Operation
    Auto-RP Scope Problem
  PIMv2 BSR
    PIMv2 BSR: Candidate RPs
    PIMv2 BSR: Bootstrap Router
    PIMv2 BSR: All PIMv2 Routers
    BSR Flooding Problem
  IPv6 Embedded Rendezvous Point
  Anycast RP Features
    Anycast RP Example

  MSDP Protocol Overview
    MSDP Neighbor Relationship
    Case Study: MSDP Operation
  Summary
  Review Questions

Part VII  Designing Optimum Enterprise Network Security

Chapter 22  Designing Security Services and Infrastructure Protection
  Network Security Zoning
  Cisco Modular Network Architecture
  Cisco Next-Generation Security
  Designing Infrastructure Protection
    Infrastructure Device Access
    Routing Infrastructure
    Device Resiliency and Survivability
    Network Policy Enforcement
    Switching Infrastructure
  SDN Security Considerations
  Summary
  Review Questions

Chapter 23  Designing Firewall and IPS Solutions
  Firewall Architectures
    Virtualized Firewalls
    Case Study 1: Separation of Application Tiers
    Securing East-West Traffic
    Case Study 2: Implementing Firewalls in a Data Center
    Case Study 3: Firewall High Availability
  IPS Architectures
  Case Study 4: Building a Secure Campus Edge Design (Internet and Extranet Connectivity)
    Campus Edge
    Connecting External Partners
      Challenges of Connecting External Partners
      Extranet Topology: Remote LAN Model
      Extranet Topology: Interconnect Model
      Extranet: Security and Multitenant Segmentation

  Summary
  Review Questions

Chapter 24  IP Multicast Security
  Multicast Security Challenges
    Problems in the Multicast Network
  Multicast Network Security Considerations
    Network Element Security
    Security at the Network Edge
    Securing Auto-RP and BSR
    MSDP Security
    PIM and Internal Multicast Security
  Multicast Sender Control
  Multicast Receiver Controls
  Multicast Admission Controls
  Summary
  Review Questions

Chapter 25  Designing Network Access Control Solutions
  IEEE 802.1X Overview
    Extensible Authentication Protocol
    802.1X Supplicants
    IEEE 802.1X Phased Deployment
  Cisco TrustSec
    Profiling Service
    Security Group Tag
    Case Study: Authorization Options
  Summary
  Review Questions

Part VIII  Design Scenarios

Chapter 26  Design Case Studies
  Case Study 1: Design Enterprise Connectivity
    Detailed Requirements and Expectations
    Design Analysis and Task List
    Selecting a Replacement Routing Protocol
    Designing for the New Routing Protocol

    OSPF Design Optimization
    Planning and Designing the Migration from the Old to the New Routing
    Scaling the Design
  Case Study 2: Design Enterprise BGP Network with Internet Connectivity
    Detailed Requirements and Expectations
    Design Analysis and Task List
    Choosing the Routing Protocol
    Choosing the Autonomous System Numbers
    BGP Connectivity
    BGP Sessions
    BGP Communities
    Routing Policy
      Routing Policy in North American Sites
      Routing Policy in European and Asian Sites
    Internet Routing
      Public IP Space Selection
      Main HQ Multihoming
      Default Routing
  Case Study 3: Design Enterprise IPv6 Network
    Detailed Requirements and Expectations
    Design Analysis and Task List
    Connecting the Branch Sites
    Deployment Model
    Choosing the IP Address Type for the HQ
    Addressing
    Address Provisioning
    Communication Between Branches
    Application and Service Migration
  Case Study 4: Design Enterprise Data Center Connectivity
    Detailed Requirements and Expectations
    Design Analysis and Task List
    Selecting the Data Center Architecture and Connectivity Model
    DCN Detailed Connectivity

    Connecting Network Appliances
    Data Center Interconnect
    Data Center Network Virtualization Design
  Case Study 5: Design Resilient Enterprise WAN
    Detailed Requirements and Expectations
    Design Analysis and Task List
    Selecting WAN Links
    WAN Overlay
  Case Study 6: Design Secure Enterprise Network
    Detailed Requirements and Expectations
    Security Domains and Zone Design
    Infrastructure and Network Access Security
    Layer 2 Security Considerations
    Main and Remote Location Firewalling
  Case Study 7: Design QoS in the Enterprise Network
    Detailed Requirements and Expectations
    Traffic Discovery and Analysis
    QoS Design Model
    QoS Trust Boundary
    Congestion Management
    Scavenger Traffic Considerations
    MPLS WAN DiffServ
