Thursday, February 28, 2013
WAN design
Circuit switching - the circuit comes up for the duration of the call. Examples: phone and ISDN.
Leased lines - dedicated to you by the service provider (TDM, e.g. T1).
Packet and cell switching - Frame Relay and ATM.
Hub and spoke - every site connects to the HQ. However, if the router at HQ fails, all sites are affected.
Full mesh - expensive to maintain; N(N-1)/2 links for N sites.
Partial mesh - flexible; you add links only where you want them.
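To make the topology trade-off above concrete, here is an added Python example (not from the original notes): it counts the links for hub-and-spoke, full mesh and partial mesh, and shows which sites are cut off when a single router fails. The site names and the extra partial-mesh link are constructed.

```python
"""Compare WAN topologies: link count and which sites a single router failure cuts off.
Added example, not from the original notes. Site names and the partial-mesh
extra link are constructed for illustration."""
from itertools import combinations


def hub_and_spoke(sites, hub="HQ"):
    """One link from every site to the hub: N-1 links."""
    return {frozenset((hub, s)) for s in sites if s != hub}


def full_mesh(sites):
    """One link between every pair of sites: N(N-1)/2 links."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def partial_mesh(sites, extra_links, hub="HQ"):
    """Hub and spoke plus only the site-to-site links you actually want."""
    return hub_and_spoke(sites, hub) | {frozenset(link) for link in extra_links}


def reachable(links, start, failed=()):
    """Sites reachable from `start` once the routers in `failed` are removed."""
    failed = set(failed)
    if start in failed:
        return set()
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for link in links:
            if node in link:
                (other,) = link - {node}
                if other not in failed and other not in seen:
                    seen.add(other)
                    stack.append(other)
    return seen


def isolated_after_failure(sites, links, failed_router):
    """Surviving sites that can no longer reach any other surviving site."""
    survivors = [s for s in sites if s != failed_router]
    return sorted(
        s for s in survivors if reachable(links, s, failed=(failed_router,)) == {s}
    )


if __name__ == "__main__":
    sites = ["HQ", "A", "B", "C", "D"]  # constructed sample sites
    for name, links in [
        ("hub and spoke", hub_and_spoke(sites)),
        ("full mesh", full_mesh(sites)),
        ("partial mesh", partial_mesh(sites, [("A", "B")])),
    ]:
        print(f"{name}: {len(links)} links, HQ failure isolates "
              f"{isolated_after_failure(sites, links, 'HQ')}")
```

With five sites the hub-and-spoke design needs 4 links but an HQ failure strands every spoke, the full mesh needs 10 links and survives any single failure, and the partial mesh with one extra A-B link keeps A and B talking to each other while C and D are still cut off.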
VPN over public networks is limited to best effort, as you cannot control the traffic inside the ISP.
Access VPN - for remote users. You can also connect first to a NAC, which then sets up the VPN.
The NAC is a public-facing portal device: you browse to it over HTTP and then type a username and password.
Intranet VPN - site to site, over the public network or a WAN.
Extranet VPN - for business partners so they can access the DMZ.
Enterprise VPN - one you set up yourself.
IPsec - one kind of VPN, usually from firewall to firewall.
It can use ESP to encrypt the data, or AH, which only authenticates (no encryption, so not secure for data).
The HMACs in it protect against man-in-the-middle attacks and replay.
You can also use PKI certificates for an added layer.
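The HMAC and anti-replay point above, as an added Python example that is not from the original notes: an integrity check value (ICV) computed over the sequence number and payload, plus a sliding anti-replay window of the kind IPsec uses. It is a simplified illustration of the mechanism, not an ESP or AH implementation; the packet layout, the key and the window size are constructed assumptions, and encryption (the ESP part) is deliberately not shown.

```python
"""HMAC integrity check plus an IPsec-style anti-replay sliding window.
Added example, not from the original notes: a simplified illustration of the
mechanism, not an ESP/AH implementation. Packet layout (4-byte sequence number,
payload, 32-byte ICV), the key and the window size are constructed assumptions;
encryption (the ESP part) is not shown."""
import hashlib
import hmac
import struct

ICV_LEN = 32        # HMAC-SHA256 output length
WINDOW_SIZE = 64    # sequence numbers tracked behind the highest one seen


def protect(key, seq, payload):
    """Sender: ICV = HMAC(key, seq || payload), so neither field can be altered unnoticed."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class ReplayWindow:
    """Receiver state: verify the ICV first, then reject duplicates and stale sequence numbers."""

    def __init__(self, key, size=WINDOW_SIZE):
        self.key = key
        self.size = size
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number (highest - i) already accepted

    def accept(self, packet):
        """Return (accepted, reason) for one received packet."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated"
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV"       # modified in flight, or wrong key
        seq = struct.unpack("!I", header)[0]
        if seq == 0:
            return False, "seq 0 not allowed"
        if seq > self.highest:
            # Window slides forward; the new highest becomes bit 0.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "new"
        offset = self.highest - seq
        if offset >= self.size:
            return False, "too old"       # behind the window, cannot tell if replayed
        if self.bitmap & (1 << offset):
            return False, "replay"        # already accepted this sequence number
        self.bitmap |= 1 << offset
        return True, "late"               # out of order but within the window


if __name__ == "__main__":
    key = b"constructed-demo-key"
    rx = ReplayWindow(key)
    p1 = protect(key, 1, b"site-to-site data")
    print(rx.accept(p1))                         # (True, 'new')
    print(rx.accept(p1))                         # (False, 'replay')
    tampered = p1[:4] + b"X" + p1[5:]
    print(rx.accept(tampered))                   # (False, 'bad ICV')
```

The order matters: the ICV is checked before the window is consulted, so a forged sequence number cannot move the window, and `hmac.compare_digest` avoids leaking the comparison result through timing.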
Cisco Easy VPN - you set up a server, which is the head end. The remote configuration is then easy;
the remote devices are ISRs.
GRE - encapsulates all protocols. It has no security of its own;
you must add an IPsec tunnel to it in order to have security.
DMVPN - dynamic multipoint VPN.
NHRP (Next Hop Resolution Protocol) points the spokes to the HQ.
mGRE (multipoint GRE) supports multipoint tunnels.
Supports IP multicast, routing, dynamic spokes and QoS.
Each remote site is connected to the HQ using a GRE tunnel.
For redundancy you will need two head ends.
DPD (dead peer detection) can be used to verify the tunnel is alive (keepalive).
VTI (virtual tunnel interface)
Can run routing; does not need GRE or mGRE.
L2TPv3
Can carry Frame Relay, PPP and Ethernet.
Service provider VPN.
Can run Metro Ethernet.
VPLS is a VPN over MPLS;
it allows you to run Layer 2 from one location to the next.
Useful for storage redundancy, for example.
MPLS
Uses labels instead of routing lookups and can run over a variety of media.
Uses VRFs.
Layer 3 MPLS - tight SLA and QoS.
VPNs are flexible and cost effective.
Dial backup - used with ISDN; a floating route triggers the call when the primary route disappears.
Secondary WAN link - backup or load sharing.
Shadow PVC - used in Frame Relay.
IPsec VPN backup tunnel - can be used in case the ISP MAN fails.
Load balancing.
Can be per packet; usually only on 56 kbps links or below.
Per flow or per destination is better; also called fast switching.
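An added Python example (not from the original notes) contrasting per-packet and per-flow load balancing over two WAN paths of unequal delay. The path names, latencies and the sample TCP flow are constructed; the 5-tuple hash stands in for the router's fast-switching path choice.

```python
"""Per-packet vs per-flow (per-destination) WAN load balancing.
Added example, not from the original notes. Paths, latencies and the sample
flow are constructed; the 5-tuple hash stands in for fast switching's choice."""
import hashlib


def flow_key(pkt):
    """5-tuple that identifies a flow."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def per_packet(packets, paths):
    """Round-robin each packet over the paths, ignoring which flow it belongs to."""
    return [(pkt, paths[i % len(paths)]) for i, pkt in enumerate(packets)]


def per_flow(packets, paths):
    """Hash the 5-tuple so every packet of a flow takes the same path."""
    out = []
    for pkt in packets:
        digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
        out.append((pkt, paths[int.from_bytes(digest[:4], "big") % len(paths)]))
    return out


def flows_split_across_paths(assignment):
    """Flows whose packets were spread over more than one path."""
    paths_by_flow = {}
    for pkt, path in assignment:
        paths_by_flow.setdefault(flow_key(pkt), set()).add(path)
    return sorted(k for k, p in paths_by_flow.items() if len(p) > 1)


def out_of_order_count(assignment, latency_ms):
    """Send one packet per ms; count packets arriving after a higher sequence number of their flow."""
    arrivals = {}
    for t, (pkt, path) in enumerate(assignment):
        arrivals.setdefault(flow_key(pkt), []).append((t + latency_ms[path], pkt["seq"]))
    misordered = 0
    for arr in arrivals.values():
        highest = 0
        for _, seq in sorted(arr):
            if seq < highest:
                misordered += 1
            highest = max(highest, seq)
    return misordered


PATHS = ["wan1", "wan2"]
LATENCY_MS = {"wan1": 10, "wan2": 30}   # constructed: two unequal paths
FLOW = [dict(src="10.1.1.10", dst="10.2.2.20", proto=6, sport=40000, dport=443, seq=i)
        for i in range(1, 7)]          # constructed: one TCP flow, six packets

if __name__ == "__main__":
    for name, assign in [("per packet", per_packet(FLOW, PATHS)),
                         ("per flow", per_flow(FLOW, PATHS))]:
        print(f"{name}: split flows={len(flows_split_across_paths(assign))}, "
              f"out of order={out_of_order_count(assign, LATENCY_MS)}")
```

Per-packet balancing spreads one flow over both paths and the slower path delivers packets behind later ones, which TCP treats as loss and which breaks flow-aware firewalls and IPsec anti-replay checks; per-flow balancing keeps the whole flow on one path, so nothing arrives out of order.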
Decision influences:
High availability - backup power, backup devices, backup WAN
Growth
Expenses
Complexity - Metro is easier.
Cost to implement
Network segmentation to separate traffic.
Voice and video QoS.
Private WAN - Frame Relay and ATM. You own or lease the circuit.
ISP WAN - basically the internet.
SP MPLS/IP VPN - these are good.
Private WAN with MPLS - jeez, hiring some CCIEs to maintain it is expensive.
Considerations:
Port density
Port type
Modular
Throughput
Redundancy - supervisor or power
Future growth
Software
Bandwidth
Security
ISR can do WAN, video, voice and security.
800 ISR - remote user
1800 ISR - branch
7200 - 10000 - medium routing
7600 - high end routing
12000 CSR - service provider grade.
29xx, 35xx, 37xx - access switches.
45xx - chassis
65xx - high end chassis.
Router - WAN
Switch LAN
Security appliance at the branch
AP wireless for mobility
CUCM for voice
IP phones and desktops
Small office - 50 users, 1 tier
Medium office - 50-100 users, 2 tier
Large - 100+ users, 3 tier
ISR G2 is better.
Small branch - can use an ISR with ports, or one switch.
Medium branch - redundant routers.
Switches with stacking.
Large Branch
Dual links
Dual routers
Dual ASA
Dual switches with stacking.
ISR 800 for teleworker.