
Foundation Design Overview

February 2012 Series


Preface

Who Should Read This Guide

This Cisco® Smart Business Architecture (SBA) for Government guide is for people who fill a variety of roles:

• Systems engineers who need standard procedures for implementing solutions

• Project managers who create statements of work for Cisco SBA implementations

• Sales partners who sell new technology or who create implementation documentation

• Trainers who need material for classroom instruction or on-the-job training

In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

Release Series

Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.

All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:

month year Series

For example, the series of guides that we released in August 2011 are the “August 2011 Series”.

You can find the most recent series of SBA guides at the following sites:

Customer access: http://www.cisco.com/go/govsba

Partner access: http://www.cisco.com/en/US/partner/netsol/ns1117/networking_solutions_sub_program_home.html

How to Read Commands

Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.

Commands to enter at a CLI appear as follows:

configure terminal

Commands that specify a value for a variable appear as follows:

ntp server 10.10.48.17

Commands with variables that you must define appear as follows:

class-map [highest class name]

Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:

Router# enable

Long commands that line wrap are underlined. Enter them as one command:

wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Noteworthy parts of system output or device configuration files appear highlighted, as follows:

interface Vlan64
 ip address 10.5.204.5 255.255.255.0

Comments and Questions

If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:

Customer access: http://www.cisco.com/go/govsba

Partner access: http://www.cisco.com/en/US/partner/netsol/ns1117/networking_solutions_sub_program_home.html

An RSS feed is available if you would like to be notified when new comments are posted.

Table of Contents

What’s In This SBA Guide (p. 1)

    About SBA (p. 1)

    About This Guide (p. 1)

Introduction (p. 2)

Overview (p. 3)

    Architecture Rationale (p. 3)

Architectural Overview (p. 4)

    Network Foundation (p. 4)

    Network Services (p. 4)

    User Services (p. 5)

Network Foundation (p. 6)

    The LAN and Agency Headquarters (p. 6)

    The WAN and Agency Regional / Remote Locations (p. 8)

    Wireless (p. 8)

    Internet Edge (p. 9)

Network Services (p. 11)

    Virtualization (p. 11)

    Security (p. 11)

    Application Optimization (p. 12)

    Server Load Balancing (p. 13)

    Guest Wireless Access (p. 13)

User Services (p. 14)

    Business Application Services (p. 14)

    Cisco Unified Communications (p. 14)

    Web Meetings and Cisco WebEx® Solutions (p. 14)

Design Guide Summary (p. 15)

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.

What’s In This SBA Guide

About SBA

Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.

Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization’s problems—without worrying about the technical complexity.

For more information, see the How to Get Started with Cisco SBA document:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf

About This Guide

This foundation design overview provides the following information:

• An introduction to a Cisco SBA foundation design

• An explanation of the requirements that shaped the design

• A description of the benefits that the design will provide your organization

This information helps you understand the foundation deployment guides that follow this guide, as shown on the Route to Success below.


Route to Success

To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.

For customer access to all SBA guides: http://www.cisco.com/go/govsba

For partner access: http://www.cisco.com/en/US/partner/netsol/ns1117/networking_solutions_sub_program_home.html

Route to Success (figure): Foundation Design Overview (you are here), followed by the Foundation Deployment Guide and the Additional Deployment Guides, which are the dependent guides.


Introduction

The Cisco® Smart Business Architecture (SBA) Borderless Networks for Midsize Government Organizations is a comprehensive design guide for a government agency with up to 1000 connected users, and scales up to 2500 users. The architecture incorporates LAN, WAN, wireless, security, application optimization, and infrastructural elements to support unified communications technologies tested together as complete solutions.

The solution-level approach simplifies the system integration normally associated with multiple technologies, allowing you to select the parts that solve your agency’s problems rather than worrying about the technical details.

Cisco SBA is designed according to the following principles:

• Flexibility and scalability—As a government agency grows, so too must its infrastructure. The products that have been selected need to have the ability to grow or be repurposed within the architecture.

• Reuse—The goal is to reuse the same products throughout the various modules, and when possible, to minimize the range of products that must be kept for spares.

• Ease of use—A top requirement is to develop a design that can be deployed with a minimal amount of configuration and ongoing management.

• Cost-effective—Another critical requirement in the selection of products is to meet the budget guidelines for a midsize government agency.


Overview

Data networks have become one of the top resources that government agencies must invest in to allow the agency to succeed. A resilient, high-performance network helps to ensure that the agency can successfully pursue its goals; inversely, a poorly designed network hinders an agency’s mission. The agency is much more productive if the network can reliably and efficiently address its requirements for data access and collaboration.

Government agencies that rely on their data network to support and enable their daily operations must address the following requirements in the network’s design and deployment:

• A standardized design that addresses government challenges to eliminate guesswork and reduce idle time for newly purchased gear

• Enterprise-class reliability in products designed for midsize government agencies

• Flexible architecture to help ensure easy migration and scalability to address current and future needs, as well as the number and type of endpoints that comprise the network

• Uniformity of user experience, regardless of the network access method: wired and wireless network connectivity at agency headquarters, a regional office, or remote-access VPN, as well as flexibility to support a wide variety of user endpoints

• Security and high availability for vital agency information resources, servers, and Internet-facing applications

• Continual improvement in WAN performance while reducing the cost of network administration

• A solution that can be deployed and operated by IT workers who have a moderate level of technical education

Architecture Rationale

A variety of factors determine whether a user has a good experience with an application. Consider the simple web browser: We open a URL, and the page is presented to us in seconds. To make this a positive experience, three specific layers all need to function together to provide the web content to the user:

• A network that provides the foundation

• Network services that operate in the background, improving and enabling the experience without direct user awareness

• The applications or endpoints with which a person interacts directly, known as user services

Data networks must allow agencies to take advantage of their investment in capabilities that are offered in modern application software platforms. Compared to ten or even five years ago, data networks must address higher speeds and broader support for application data, particularly regarding voice and video collaboration traffic as well as applications hosted on private and public cloud-service platforms. Virtualized desktop environments, a wide variety of user endpoints, and tighter integration between the desktop and server room all demand that the network provide a fast, stable platform to assure that applications perform well enough to meet productivity expectations.

The network is critical to the operation of government agencies where workforce productivity is based on the expectation of nonstop access to communications, applications, and data resources. Using a layered approach to building your network with a tested, interoperable design allows you to reduce risks and operational issues while increasing deployment speed.


Architectural Overview

As a process, architecture is the activity of designing and constructing buildings and other physical structures, primarily to provide shelter. A wider definition often includes the design of the total built environment, from the macro level of how a building integrates with its surrounding landscape to the micro level of architectural or construction details and, sometimes, furniture. Wider still, architecture in its broadest sense is the action of designing a complete system that provides a useful service to the consumer.

As such, Cisco SBA Borderless Networks for Midsize Government Agencies is a system that was created using a structured process to help ensure the stability of valuable organizational processes and assets. Cisco SBA focuses on several critical aspects:

• A standardized design, tested and supported by Cisco, reduces costs (both capital and operational) and helps you accelerate the implementation of Cisco-differentiating technology

• Optimized architecture for midsize agencies with up to 2500 users and up to 75 remote locations

• Flexible architecture to help protect your investment and ensure easy migration as the agency requirements evolve

• Seamless support for quick deployment of wired and wireless network access for data, voice, teleworker, and wireless guest

• Security and high availability for vital agency information resources, servers, and Internet-facing applications

• Improved WAN performance and cost reduction through the use of application optimization

• Simplified design that can be deployed and operated by IT workers with a Cisco CCNA® certification or equivalent experience

• Cisco performance and reliability in products designed with the price sensitivities of midsize government agencies in mind

Cisco SBA Borderless Networks for Midsize Government Agencies can be divided into three primary modular, yet interdependent, components for the agency. They are the network foundation, network services, and user services, which have a hierarchical interdependency as shown in the following illustration.

Figure 1 - Cisco SBA components

Network Foundation

The key to the midsize Cisco SBA is the network foundation. Similar to the foundation of a building, the network foundation provides a platform that everything else relies upon. As a standalone layer, the network foundation helps ensure that information can be sent dependably from one location and received at another. How this is accomplished is completely removed from average users; all they know is that when they click the mouse, a video starts, an email is sent, or an order is processed. It just works.

Cisco intelligent infrastructure devices, such as switches, routers, and wireless devices, make it possible for the network foundation to do its work in the background.

Network Services

Network services sit on top of the network foundation. Network services are like the doors, windows, and locks of the building. A building without these components is just a box. Adding these services turns the infrastructure into a workable structure, providing reliability, security, and availability of the agency’s assets. Some users are aware of the value that network services provide, but do not directly interact with those services. An example of this would be VPN remote access. The user needs to start the VPN client to access business resources. The user does not know or care exactly how those services operate. As long as they can access their data from wherever they are at the time, users know that the network services layer is working as expected.


Cisco’s intelligent network services include virtualization, firewalls and other security devices, application optimization, and guest access.

User Services

And finally, user services sit on top of the network services. User services are like the utilities of the building: water, electricity, phone, Internet, and cable TV services. A user typically needs direct access to these services all day long. In the morning, the lights are turned on, phones are ringing, and water is available for morning beverages. As the day progresses, common utilities are what make the building a comfortable place to work. Some general user services include electronic business application software, CRM systems, email, and instant messaging. User services specific to Cisco include Cisco Unified Communications and Collaboration, voice, and video systems.


Network Foundation

Most users perceive the network as just a transport utility mechanism to shift data from one point to another as fast as possible; many sum this up as “speeds and feeds.” In reality, the network affects all traffic flows and must be aware of end-user requirements and services offered. Even with unlimited bandwidth, time-sensitive applications can be affected by jitter, delay, and packet loss. As the transport for all our session information, the design and operation of this layer is crucial to all services, and its role is vital to the success of any service placed upon it.

Figure 2 - Network foundation

The network foundation provides an efficient, fault-tolerant transport that differentiates between applications to help ensure that each has a fair share of the resource, yet still maintains a desired service level. Within the architecture, wired and wireless connectivity options provide advanced prioritization and queuing mechanisms as part of the integrated quality of service (QoS) to help ensure optimal use of the resource.

The LAN and Agency Headquarters

The core layer of the local area network (LAN) at the agency’s headquarters site is the communications hub of the network. It aggregates client access to headquarters and provides the backbone connectivity for the wide area network (WAN), server room, and Internet edge, making it a critical component in the network. The LAN needs to be highly available to support mission-critical applications like workforce mobility and real-time media. In the past, high availability meant paying for links that were redundant and sat unused. With Cisco SBA for Midsize Government Agencies, all network connections are active and carry real traffic.

The key component in the LAN architecture is the Cisco Catalyst switch family. It provides the following benefits to Cisco customers:

• Resilient core for very fast failure recovery for real-time media traffic

• Reduced configuration complexity with easier troubleshooting

• Full use of all network links with no links sitting idle in a redundant configuration

Figure 3 - Resilient LAN design

In many designs, high availability adds complexity, making network troubleshooting more difficult, lowering the ease of use of the network, and forcing a tradeoff between high availability and ease of use in the design. The switch from a traditional dual-core design to the Cisco SBA Borderless Networks for Midsize Government Agencies LAN design reduces complexity with no loss of availability. The resilient core reduces the core configuration by 80 percent or more and makes the network easier to troubleshoot while still providing very fast recovery in the event of a failure.

In a traditional dual-core design, the same VLAN is used across multiple access switches and Spanning Tree Protocol (STP) runs to prevent Layer 2 loops in the network. STP has two major drawbacks—it is slow to recover from a failure, taking several seconds or more (much too long if the traffic on the network is real-time media like voice or video), and it has to block redundant links in the network, cutting the available bandwidth in half. In a dual-core network, it is possible to work around these issues by aggressive STP tuning and configuring unique VLANs for each access switch.

Figure 4 - Traditional dual-core design

In multiservice networks, users access four or five VLANs in the course of a normal workday. The number of VLANs and subnets that need to be configured in a dual-core design to accommodate the STP deficiencies can get very large.

The Cisco SBA Borderless Networks for Midsize Government Agencies core design removes these issues because it does not rely on STP for failure recovery, so a single VLAN can be used across multiple access switches. The next-generation LAN design does not require additional tuning for fast recovery.

Figure 5 - Cisco SBA LAN: Improved resilience and performance

The client access layer is the point at which user-controlled and user-accessible devices connect to the network. The Cisco SBA Borderless Networks for Midsize Government Agencies LAN design improves link utilization from the access layer to the core layer of the network. Both uplinks from the access layer switches are active and pass traffic, doubling the available bandwidth compared to traditional designs where one of the uplinks is blocked by STP. It is also possible to increase the throughput to the access layer or server room by increasing the number of uplinks, allowing the design to scale to meet bandwidth requirements. Because the access layer connects client devices to network services, it plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. The access layer also provides automated services like Power over Ethernet Plus (PoE+), QoS marking, and VLAN assignment for IP phones to reduce operational demands.

The new Cisco SBA Borderless Networks for Midsize Government Agencies LAN design improves network speed and availability, reduces complexity, and makes the network easier to troubleshoot and manage. This means less downtime and fewer network administrators are required to operate the network, contributing to reduced cost and increased operational efficiencies for the agency.


The WAN and Agency Regional / Remote Locations

Agencies require an uninterrupted flow of information between headquarters and the regional offices. Cisco SBA for Midsize Government Agencies delivers a robust WAN design with the same technology used to help ensure that some of the most vital government networks stay operational. A highly available WAN helps ensure that the flow of agency information can proceed without interruption. This is critical for all government agencies that need to comply with government resiliency (COOP) mandates.

A regional or remote agency location, sometimes called a branch office, is defined as a remote location where employees conduct operations on behalf of their agency or department. A remote site requires the same level of access to all agency applications as the headquarters, just on a smaller scale. The WAN connects remote sites to the various agency locations via a private network and aggregates all remote-site traffic back to the headquarters location.

Figure 6 - Remote-site router with integrated services

The key component in the WAN architecture is the Cisco Integrated Services Router Generation 2 (ISR G2). It provides the following benefits to Cisco customers:

• Reduces operating expense through integrated services within a single platform, such as voice, video, and data

• Protects investment with a flexible, secure modular design, allowing voice and video to be added when an agency needs them

• Supports all major service-provider WAN connections, public switched telephone network (PSTN) signaling, and ISDN types

• Can carry large amounts of voice and video traffic while maintaining the other core services

The primary function of the WAN router is to move data between remote sites and headquarters. The remote sites in Cisco SBA Borderless Networks for Midsize Government Agencies are designed to support 20 to 40 users with computers, IP phones, and wireless voice and data. Cisco ISR G2 provides the platform to deliver the growing number of services and increased performance requirements common in today’s remote sites.

Users need seamless access, both locally and across the WAN, to network services on the headquarters site. Application optimization and QoS services are implemented to increase performance over the WAN and improve the user experience. Application optimization uses compression, caching, and other optimization technologies to increase the WAN bandwidth up to four to five times the link speed. Remote-site users connected over a T1/E1 link back to headquarters feel as if they are connected to the agency headquarters LAN. Servers are centralized at the agency headquarters, reducing WAN traffic. QoS prioritizes business-critical and latency-sensitive traffic over other traffic so that voice and video performance is protected and lower-priority traffic does not interfere with critical agency operations.

Wireless

Staying connected regardless of location has become a mainstay of most agencies and their workforce. Few agency buildings have enough wired networking ports to support every location and every person who needs to connect to an agency’s assets. Wireless networks help enable the agency’s workforce to stay connected and keep the flow of information moving, regardless of physical building limitations.

Wireless connectivity at the agency’s headquarters and remote sites uses Wi-Fi technology for the transmission of voice, video, and data across the midsize government agency.

The key component in the wireless LAN (WLAN) architecture is the Cisco Unified Wireless Network product family. It provides the following benefits to Cisco customers:

• Network flexibility extends the boundaries of the network without the need for additional wiring.

• Centralized control of the wireless infrastructure reduces the management burden.

• A network core, preconfigured for access points to be connected to any access port, simplifies deployment.

To meet the requirements for workforce mobility in the architecture, the design incorporates specific products and configurations to provide a secure, flexible, scalable, and cost-effective solution. Providing comprehensive wireless mobility services at the agency’s headquarters and remote sites, while also maintaining ease of use and low cost of ownership, can be challenging if access points are deployed in a standalone mode. Autonomous access points multiply the number of devices you need to configure, monitor, and manage. By using Cisco Wireless LAN Controllers, you can centrally control all of the access points, reducing the management overhead and simplifying the deployment and implementation phases.

The Cisco Wireless LAN Controller approach has many benefits in addition to being a central management point. To help ensure access to the wireless network remains secure, all employees authenticate against the agency’s organizational directory, removing the need to maintain a separate user-name/password store on each access point. Another challenge is providing visitors and guest users access to the network for connectivity back to their agency’s network or for Internet access. By using Cisco Wireless LAN Controllers, you can overlay a virtual guest network on the existing network without the expense of a separate infrastructure. The controller connects to the firewall at the Internet edge, providing guests with virtual network access to the Internet only, secured from the agency’s network.

Although the Cisco Wireless LAN Controller hardware is centralized, the remote-site wireless network provides wireless access to the local LAN. This avoids U-turn traffic that would otherwise have to travel to the headquarters site and then return to the remote-site network, wasting WAN bandwidth.

For future growth, the Cisco Wireless LAN Controller approach provides a foundation for more advanced functionality, including location services, unauthorized access point detection, and RF prediction and policy provisioning, all of which can be built on the current Cisco SBA for Midsize Government Agencies.

Figure 7 - Midsize wireless LAN topology

Internet Edge

The Internet edge is the point where the private network connects to the Internet. Traffic from internal users exits the agency’s network here, and traffic from the Internet enters the agency’s network here to reach external-facing applications like web and email, as well as supporting citizen-facing programs. Because this is an always-on connection to the Internet that usually allows outside traffic into the network, it is a prime target for attack.

At the Internet edge, it is common to have a firewall and an intrusion prevention system (IPS) appliance to mitigate the common threats from the Internet. In the past, agencies needed at least four devices to provide secure connectivity to their employees.

The key component in the Internet edge architecture is the Cisco Adaptive Security Appliance (ASA). It provides the following benefits to Cisco customers:

• Provides fast, secure Internet access for the agency to increase productivity

• Stops attacks from the Internet that could disrupt agency mission and / or citizen service delivery

• Simplifies management and configuration by combining all security functionality into a single device


Cisco SBA Borderless Networks for Midsize Government Agencies takes advantage of Cisco ASA to perform all three functions in a single device, taking the number of devices from as many as six to just two. This reduces the number of devices that IT has to be trained to support. It also reduces the hardware and software maintenance costs by lowering the total number of devices on the network. Cisco ASA provides full high availability for firewall and IPS. The firewall functionality provides stateful application-layer filtering for inbound and outbound traffic, secure outbound access for users, and a demilitarized zone (DMZ) network for servers that need to be accessed from the Internet.

Figure 8 - Internet edge

Cisco ASA supports full IPS functionality to detect and block attacks, and Cisco SensorBase reputation filtering simplifies the decision about what traffic to block by factoring in the reputation of the traffic source. Cisco SensorBase allows Cisco IPS to block twice the number of attacks and to detect attacks based on the reputation of the source, which lets Cisco IPS block zero-day attacks while reducing false positives. Reputation filtering judges the source rather than the payload, so it complements signature-based inspection rather than replacing it. A single pair of Cisco appliances, developed with a solutions-based approach, meets the baseline security requirements of the government agency for the Internet edge boundary.
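As an added illustration of the three-zone design described above (not configuration from the Cisco SBA deployment or configuration guides), the following is a minimal Cisco ASA policy in 8.4-style syntax: an outside, an inside, and a DMZ interface, a published web server that exists only in the DMZ, an explicit deny from the DMZ back into the inside network, and all traffic sent through an IPS module inline. Interface numbers, IP addresses, object names, and the presence of an IPS module are assumptions for this example.

```cisco
! Added example, not taken from the Cisco SBA guides. Interface numbers,
! addresses, and object names are assumptions for illustration only.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.4.24.30 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.16.1 255.255.255.0
!
! Internal users reach the Internet through dynamic PAT on the outside
! address; inside-to-outside is permitted by security level.
object network inside-networks
 subnet 10.4.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! The published web server lives only in the DMZ. A static NAT exposes one
! public address for it; no inside address is ever mapped.
object network dmz-web-server
 host 192.168.16.10
 nat (dmz,outside) static 198.51.100.10
!
! Inbound from the Internet: permit only the two published services to the
! DMZ host (real address: ASA 8.3+ ACLs match pre-NAT addresses), then deny
! and log everything else.
access-list outside_access_in extended permit tcp any object dmz-web-server eq https
access-list outside_access_in extended permit tcp any object dmz-web-server eq www
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! From the DMZ: a compromised DMZ host must not pivot inward, so deny
! DMZ-to-inside before allowing the server the outbound DNS and HTTPS it
! needs for updates.
access-list dmz_access_in extended deny ip any object inside-networks log
access-list dmz_access_in extended permit udp object dmz-web-server any eq domain
access-list dmz_access_in extended permit tcp object dmz-web-server any eq https
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Send all traffic through the IPS module inline. fail-open keeps the link
! passing traffic if the module fails; fail-close would block it instead.
class-map global-class
 match any
policy-map global_policy
 class global-class
  ips inline fail-open
```

To check the policy before exposing the address, trace a synthetic inbound connection with `packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.10 443` and confirm it is allowed, then repeat with port 22 and confirm the final deny entry drops it; `show access-list outside_access_in` shows per-line hit counts once real traffic flows.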


Network Services

Network services operate behind the scenes and are relied on by the user services to function or to improve reliability and efficiency. In some cases, the network may become unusable without them. Consider the example of the web browser. The PC the browser is installed on probably obtained a network address by using a dynamic addressing service, such as Dynamic Host Configuration Protocol (DHCP). The user-friendly URL was converted from a name, like www.cisco.com, to a network address by the name resolution service, Domain Name System (DNS). The request was sent over the shortest route available to a load balancer in the network that distributed the load across multiple servers, allowing the web application to scale. The network security services helped ensure that the information was protected, and that malicious traffic was removed or prevented from reaching its intended target.

Figure 9 - Network services

In addition to DHCP and DNS, the architecture includes many network services, such as virtualization, security, application optimization, server load balancing, and guest wireless access.

Virtualization

Virtualization technologies can help your agency treat all IT resources as a set of shared services that can be combined and recombined to improve operational and workforce efficiencies and scale quickly.

The more efficiently government agencies use their existing IT assets—servers, storage, networking, and other equipment—the better the return on investment. Efficient use can also help defer the cost of new equipment and significantly reduce power and cooling costs.

Virtualization is typically seen as a way to increase the workload capacity of servers, and to a degree, storage. Yet greater efficiencies can be gained by applying virtualization to your entire network. With some key technological advancement, combined with reconfiguration of operational processes and structures, the network can play a key role in creating a virtual infrastructure for increased efficiency.

The goal is to build a pervasive, scalable infrastructure that bridges domains that were previously in a silo and unifies them into a fabric of shared, virtual services that can be provisioned in a fraction of the time it takes to configure a traditional application environment.

Cisco SBA Borderless Networks for Midsize Government Agencies creates a foundation for virtual services. In the design, VLANs are used to create logical, secure, and reliable segmentation between voice, video, data, wired, wireless, and management functions on the network. Because VLAN separation is logical, it is only as strong as the access policy enforced where those VLANs are routed together. The design also supports virtual servers and storage in the server room/data center.

Security

Security is an integral part of every network deployment. With the need to have secure and reliable networks, protect information assets, and meet regulatory compliance requirements, government agencies need to deploy security services designed into the network rather than added on as an afterthought. With most networks connected to the Internet and under constant barrage from worms, viruses, and targeted attacks, agencies must be vigilant in protecting their network infrastructure, user data, and constituent (citizen and joint business) information.


Benefits

• Eases deployment of security technologies for regulatory compliance

• Secures remote access for the agency workforce, consultants, and partners

• Protects user and agency data in the network

• Provides maximum flexibility for users with a hardware or software VPN client

Figure 10 - Security services

Remote access has become a must-have service for the many government employees who work in the field, on the road, or from home. More and more agencies are allowing partners remote access to their networks to service systems more cost-effectively. Cisco SBA Borderless Networks for Midsize Government Agencies provides secure remote access for users via a software or hardware client. Cisco ASA supports both Secure Sockets Layer (SSL) and IP Security (IPsec) VPN for remote access and site-to-site VPN, providing agency employees and partners a secure way to connect to the agency network from the Internet. SSL VPN offers maximum flexibility, providing secure connectivity for the mobile workforce back to the internal network even from assets outside the agency's control. If an existing remote access solution is deployed, the architecture is flexible and can support traditional IPsec VPN clients. Teleworkers can be supported with a hardware client that allows for an always-on connection, so that home users have the same experience they would have in the office.
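The following is an added example of the remote-access VPN described above on the Internet-edge ASA, in 8.4-style syntax; it is not configuration from the Cisco SBA guides. One tunnel group offers both SSL (AnyConnect) and IKEv2 IPsec, authenticates users against a RADIUS server, and tunnels all traffic. The address pool, server addresses, names, and the package file name are assumptions, and values in angle brackets are placeholders.

```cisco
! Added example, not taken from the Cisco SBA guides. Pool, server
! addresses, names and the package file name are assumptions; <...> marks
! placeholders to be replaced before use.
ip local pool RA-POOL 10.4.28.1-10.4.28.254 mask 255.255.255.0
!
! Authenticate remote users against the agency's RADIUS server rather than
! local ASA accounts, so that access is granted and revoked centrally.
aaa-server AAA-RADIUS protocol radius
aaa-server AAA-RADIUS (inside) host 10.4.48.15
 key <shared-secret>
!
! Terminate SSL VPN on the outside interface and serve the client package.
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! ssl-client and ikev2 allow the same client to use SSL or IPsec.
! tunnelall sends every packet through the tunnel, so a compromised home
! network cannot be bridged to the agency network; split tunneling would
! trade that assurance for bandwidth.
group-policy GP-RemoteAccess internal
group-policy GP-RemoteAccess attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
 dns-server value 10.4.48.10
!
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool RA-POOL
 authentication-server-group AAA-RADIUS
 default-group-policy GP-RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
 group-alias RemoteAccess enable
```

After a test login, `show vpn-sessiondb anyconnect` lists the connected session and the protocol it negotiated; the pool addresses must also be covered by the firewall's inside access policy and routed back to the ASA, or connected clients will authenticate but reach nothing.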

Many government agencies have been using intrusion detection systems (IDSs) and IPS to detect and block malicious traffic on their networks for years, but recent laws, government mandates, and private-sector compliance standards have moved these systems from a nice-to-have to a must-have in agency networks. Cisco SBA Borderless Networks for Midsize Government Agencies supports Cisco IPS in several form factors and performance levels. Cisco IPS can be deployed on its own as a standalone service with appliance-based solutions for high-performance LAN and server deployments, or integrated into the firewall for network perimeter protection. All form factors support inline and promiscuous modes, which allow agencies to inspect traffic and either send alerts when malicious traffic is detected (promiscuous) or block the traffic in real time (inline).

Application Optimization

Application optimization helps ensure optimal use of network resources between remote-site users and agency headquarters. Application optimization accelerates applications over the WAN, delivers video to the remote site, and provides local hosting of remote-site IT services. Cisco Wide Area Application Services (WAAS) allow IT departments to centralize applications and storage in the data center while maintaining LAN-like application performance, and to provide locally hosted IT services while reducing the remote-site device footprint.

Benefits

• Improves productivity of remote employees via application optimization

• Minimizes remote-site IT costs by centralizing services and hardware at the headquarters site

• Responds rapidly to evolving needs; changes can be made from a central location rather than sending a technician to the remote site

• Simplifies data protection, eases compliance, and improves the ability to meet government resiliency mandates such as continuity of operations (COOP)


Server Load Balancing

Cisco Application Control Engine (ACE) is the latest server load balancing offering from Cisco. Its main role is to provide Layer 4 through 7 switching, but Cisco ACE also provides an array of acceleration and server offload benefits, including TCP processing offload, SSL offload, compression, and various other acceleration technologies. Cisco ACE sits in the server room in front of web and other application servers, and provides a range of services to maximize server and application availability, security, and server-to-client acceleration. As a result, Cisco ACE gives agencies more control over their application and server infrastructure, which enables them to manage and secure application services more easily and improve performance.

Benefits

• Scales the performance of a server-based program, such as a web server, by distributing its client requests across multiple servers

• Provides high availability by automatically detecting failures and redirecting traffic to an operational server

• Improves application performance and reduces response time by minimizing latency and delay

• Offloads TCP and SSL processing, which allows agencies to handle more users without adding servers

Guest Wireless Access

Government agencies today must accommodate a wide range of consultants and partners who need Internet access while they are on site. Cisco SBA Borderless Networks for Midsize Government Agencies provides wireless guest access over the same access points as agency users. Guests include agency consultants, visitors, partners, and vendors, and to accommodate this broad set of users, guest access should be deployed throughout the network, not just in conference rooms.

Benefits

• Complexity and cost of wireless guest access services are reduced

• Guest user traffic is segmented so the agency’s traffic can remain secure

• Guest access is controlled by IT and can be provisioned based on predefined agency policy with simple generic guest access or with per-user accounts

• Secure guest access is designed into Cisco SBA Borderless Networks for Midsize Government Agencies and no additional hardware is required

Agencies can use the wireless network in Cisco SBA Borderless Networks for Midsize Government Agencies to provide guest access over the same access points as the internal employees use. This capability simplifies net-work operations and reduces capital and operational costs by reusing the same equipment for multiple services, while still providing secure access for guests.

The architecture helps ensure that the guest network does not compromise the security of the agency network. Guest traffic is sent on a separate segment over the air, and—after it reaches the wired network—the guest traffic is tunneled to a wireless controller and dropped off on a DMZ interface on the firewall. Guest traffic therefore never enters the internal routed network, and the firewall policy on that DMZ interface decides what guests can reach. This protects the agency's network from the guest users while providing Internet access for the guests.

When guests connect to the wireless network, they are redirected to a web login screen and must enter a username and password to get access to the Internet. A simple generic guest account may be created and reset with a new password daily or weekly, or users can be given individual guest accounts; a shared account is simpler to administer but gives no per-user accountability in the logs. The architecture is flexible enough to balance the complexity and security needs of the agency.
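As an added example of the guest DMZ described above (not configuration from the Cisco SBA guides), the following Cisco ASA fragment in 8.4-style syntax adds a guest-wireless DMZ interface to the Internet-edge firewall and gives guests Internet access only. The guest subnet, interface number, and object names are assumptions; the guest controller is assumed to deliver guest traffic onto this interface.

```cisco
! Added example, not taken from the Cisco SBA guides. The guest subnet,
! interface number, and object names are assumptions for illustration.
interface GigabitEthernet0/3
 nameif guest-dmz
 security-level 10
 ip address 192.168.28.1 255.255.255.0
!
! Guests share the outside address through dynamic PAT, like inside users.
object network guest-subnet
 subnet 192.168.28.0 255.255.255.0
 nat (guest-dmz,outside) dynamic interface
!
! Every private range the agency uses, including the server DMZ, so that a
! guest cannot reach published servers by their internal addresses either.
object-group network internal-networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Order matters: the deny toward internal networks must precede any permit
! toward "any", because "any" includes the agency's own addresses. Guests
! then get DNS and web only; everything else is denied and logged.
access-list guest_access_in extended deny ip object guest-subnet object-group internal-networks log
access-list guest_access_in extended permit udp object guest-subnet any eq domain
access-list guest_access_in extended permit tcp object guest-subnet any eq www
access-list guest_access_in extended permit tcp object guest-subnet any eq https
access-list guest_access_in extended deny ip any any log
access-group guest_access_in in interface guest-dmz
```

The low security level (10) means that even without the access list, a guest could not initiate connections to the inside (100) or server DMZ (50) zones; the explicit deny and log entry makes the intent visible and records attempts. Because internal DNS is blocked by the first line, the guest controller should hand out public resolvers to guests.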


User Services

User services compose the layer everyone is familiar with. These are the services or applications we use every day and interact with directly, from picking up the phone and using the phone service to reading email using an email client. The user experience starts here. How the application or product is designed and built affects how intuitive and easy it is to use. How well this user service interacts with the network services impacts how it performs when a user actually uses it.

Figure 11 - User services

Business Application Services

An agency's presence on the Internet plays a key role in its success. Downtime, even for simple information portals, can delay citizen service delivery as well as impact agency missions. Key applications such as email, e-commerce, web portals, and enterprise resource planning (ERP) must be available around the clock to both the agency workforce and citizen users in order to provide uninterrupted service. Availability of these applications can be threatened by network overload and poor resource utilization, as well as by network and device failures. The high availability design of Cisco SBA provides redundant firewalls in the Internet edge; a resilient LAN design for core, access, server room, and wireless, along with QoS; and embedded security—all designed to protect application availability.

Cisco Unified Communications

Cisco Unified Communications products deliver high-quality voice and video communications that scale from a few people to tens of thousands. Government agencies can select the features and functions they need in order to achieve improved collaboration and communication in support of the agency's mission. These technologies can meet specific needs such as responding in real time to a citizen inquiry by engaging a subject matter expert (SME) via presence, as well as accelerating emergency response through video intelligence and collaboration with other agencies.

Web Meetings and Cisco WebEx® Solutions

Meetings are no longer conducted only face-to-face in a single location. To help government agencies serve and protect the public in their communities, they must have access to people and information across the agency's ecosystem, across multiple time zones, and across borders. Cisco WebEx Solutions enable on-demand, secure, virtual meetings that help accelerate decision making and foster collaborative communications, enabling location-independent collaboration.


Design Guide Summary

Whether the information is voice, video, or data, it is a critical asset that determines how well a government agency runs. In the past, agencies have struggled with networking products because they were complex and difficult to use, deploy, and manage.

Cisco SBA Borderless Networks for Midsize Government Agencies is composed of three primary modular, yet interdependent, layers for the midsize agency: the network foundation, network services, and user services. The interdependency is hierarchical—each layer relies on the layer below it. For reliable delivery of business applications and services, both internal and external to an agency's physical location, these three layers must work in a cohesive manner. If they don't, voice, video, and data can fail or be compromised, placing the agency at risk.

Cisco SBA Borderless Networks for Midsize Government Agencies provides a prescriptive design, and the companion Borderless Networks Foundation Deployment Guide and Borderless Networks Configuration Files Guide provide step-by-step guidance and instructions for deploying the solution. Most of the work is done for you. Cisco has simplified the process while maintaining the intelligence built into every product—each product specifically selected and tested for the midsize agency.

Deploying the Cisco SBA Borderless Networks for Midsize Government Agencies network design helps ensure the future health of your agency by providing a stable, secure, and scalable network services infrastructure to support your mission objectives.


B-0000600-1 4/12