Wednesday, 13 November 2019

Cisco Enterprise Network Architecture

This section explains the various modules in the network design and describes the Cisco enterprise architecture model. The benefits obtained through a systematic design approach are also covered.

MODULAR NETWORK DESIGN

While the hierarchical network design works well within the campus infrastructure, networks have expanded beyond these borders. As shown in Image 1, networks have become more sophisticated and complex, and some require connections to dedicated data centers, which are usually external.
Often, branches require connectivity to campus backbones, and employees need to be able to work from their home offices or other remote locations. Because the complexity of the network needed to meet these demands increased, it became necessary to change the network design to one that uses a more modular approach.
A modular network design separates the network into several functional network modules, and each of these points to a specific place or purpose in the network. The modules represent areas that have a different physical or logical connectivity. They are responsible for designating where the different functions are carried out in the network.
The modular approach has several benefits:

  • Faults that occur within a module can be isolated from the rest of the network, allowing for easier problem detection.
  • Changes, updates or the introduction of new network services can be carried out in a controlled and gradual manner, allowing greater flexibility in the maintenance and operation of the campus network.
  • When a specific module no longer has sufficient capacity or lacks a new function or service, it can be updated or replaced with another module that has the same structural function in the overall hierarchical design.
  • Security can be implemented modularly.

MODULES IN BUSINESS ARCHITECTURE

The modular approach applied to the network design further divides the three-layer hierarchical design by defining specific blocks or modular areas. These basic modules are connected to each other through the core of the network.

The basic network modules include the following:

  • Access and distribution: also called the "distribution block", it is the best known element and the fundamental component of campus design (orange frame).
  • Services: this is a generic block used to identify services such as centralized Lightweight Access Point Protocol (LWAPP) wireless controllers, unified communications services and policy gateways, among others (light blue frame).
  • Data center: originally called the "server farm", this block is responsible for managing and maintaining many data systems that are critical to modern business operations. Employees, partners and customers rely on data and data center resources to create, collaborate and interact effectively (green frame).
  • Business perimeter: consists of the Internet perimeter and the WAN perimeter. These blocks offer connectivity to voice, video and data services outside the company (red frame).

CISCO ENTERPRISE ARCHITECTURE MODEL

To meet the need for modularity in network design, Cisco developed the Cisco enterprise architecture model. This model provides all the benefits of hierarchical network design in the campus infrastructure and facilitates the design of larger, scalable networks.
The Cisco enterprise architecture model separates the business network into functional areas that are known as "modules". The modularity built into the architecture allows for flexibility in network design and facilitates its implementation and troubleshooting.
As shown in the image, the following are the main modules of the Cisco enterprise architecture:


  • Business campus
  • Enterprise Edge
  • Service provider edge

There are additional modules connected to the perimeter of the service provider:

  • Company data center
  • Company Branch
  • Remote worker of the company

CISCO BUSINESS CAMPUS

A campus network is a building or group of buildings connected to a business network that consists of many LANs. Generally, a campus is limited to a fixed geographical area, but it can cover several neighboring buildings, for example, an industrial complex or an industrial park setting.
The business campus module describes the recommended methods for creating a scalable network while addressing the needs of campus-type business operations. The architecture is modular and can easily be expanded to include additional buildings or campus floors as the company grows.
The business campus module consists of the following submodules:

  • Building access
  • Building distribution
  • Campus Core
  • Data center

Together, these submodules do the following:

  • They provide high availability through a robust hierarchical network design.
  • They integrate IP communications, mobility and advanced security.
  • They use multicast traffic and QoS to optimize network traffic.
  • They provide greater security and flexibility by managing access, VLANs and IPsec VPNs.

The architecture of the business campus module provides the company with high availability through a robust multilayer design, redundant hardware and software features, and automatic procedures to reconfigure network routes when failures occur.
Integrated security protects against and mitigates the impact of worms, viruses and other network attacks, down to the switch port level.
The data center submodule typically contains internal corporate and email servers that provide application, file, print, email and domain name system (DNS) services to internal users.

CISCO BUSINESS PERIMETER

The business perimeter module provides connectivity for voice, video and data services outside the company. Often, this module works as a link between the business campus module and the other modules.
The business perimeter module consists of the following submodules:

  • E-commerce networks and servers: the e-commerce submodule allows companies to support e-commerce applications over the Internet. It includes web, application and database servers, firewalls and firewall routers, and network intrusion prevention systems (IPS).
  • Internet connectivity and demilitarized zone (DMZ): the Internet submodule of the business perimeter provides internal users with secure connectivity to Internet services, such as public servers, email and DNS. It also provides connectivity to one or more Internet service providers (ISPs). It includes firewalls and firewall routers, Internet perimeter routers, FTP and HTTP servers, SMTP relay servers and DNS servers.
  • Remote access and VPN: the remote access and VPN submodule of the business perimeter provides remote access termination services, including authentication for remote users and sites. It includes firewalls, dial-up concentrators, Cisco Adaptive Security Appliances (ASA) and network intrusion prevention system (IPS) appliances.
  • WAN: the WAN submodule uses various WAN technologies to route traffic between remote sites and the central site. These include Multiprotocol Label Switching (MPLS), Metro Ethernet, leased lines, Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH), PPP, Frame Relay, ATM, cable, digital subscriber line (DSL) and wireless technology.

SERVICE PROVIDER EDGE

Companies use service providers (SP) to link to other sites. The perimeter module of the SP may include the following:

  • Internet service providers (ISP)
  • WAN services, such as Frame Relay, ATM and MAN
  • Public switched telephone network (PSTN) services

The perimeter of the SP provides connectivity between the business campus module and the remote data center, branch and remote worker modules of the company.

The perimeter module of the SP has the following characteristics:

  • It covers large geographic areas in a cost-effective manner.
  • It converges voice, video and data services over a single IP communications network.
  • It supports QoS and service level agreements.
  • It supports VPN security (IPsec and MPLS) across Layer 2 and Layer 3 WANs.

Redundant connections to a single ISP can include the following:

  • Simple connection: a single connection to an ISP
  • Double connection: two or more connections to a single ISP

Redundancy can also be established with several ISPs, as shown in Image 5. The options for connecting to several ISPs include the following:

  • Multiple host connection: connections to two or more ISPs
  • Dual multiple host connection: multiple connections to two or more ISPs
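The four connectivity options above (more commonly called single-homed, dual-homed, multihomed and dual-multihomed) differ in which failures they survive. The following added example, which is not part of the original post, models each option as a constructed set of (ISP, link) pairs and checks whether Internet reachability survives a single link failure, a single provider outage, or both at once:

```python
"""Added example (not from the original post): compare the four ISP
connectivity options by the single and combined failures each survives."""

# Constructed sample topologies, one per option in the text.
# Each option is a list of (isp_name, link_id) pairs.
OPTIONS = {
    "single connection": [("ISP-A", "a1")],
    "double connection": [("ISP-A", "a1"), ("ISP-A", "a2")],
    "multiple host connection": [("ISP-A", "a1"), ("ISP-B", "b1")],
    "dual multiple host connection": [("ISP-A", "a1"), ("ISP-A", "a2"),
                                      ("ISP-B", "b1"), ("ISP-B", "b2")],
}


def reachable(links, failed_isps=(), failed_links=()):
    """True if at least one link remains whose ISP and link are both up."""
    return any(isp not in failed_isps and lid not in failed_links
               for isp, lid in links)


def survives_any_link_failure(links):
    """Survives the loss of any one physical link or router port."""
    return all(reachable(links, failed_links={lid}) for _, lid in links)


def survives_any_isp_failure(links):
    """Survives the loss of one whole provider (an upstream outage)."""
    isps = {isp for isp, _ in links}
    return all(reachable(links, failed_isps={isp}) for isp in isps)


def survives_isp_plus_link_failure(links):
    """Survives one provider outage combined with one link failure."""
    isps = {isp for isp, _ in links}
    return all(reachable(links, failed_isps={isp}, failed_links={lid})
               for isp in isps for _, lid in links)


def resilience_report(options=OPTIONS):
    """Map each option to (link_ok, isp_ok, isp_plus_link_ok)."""
    return {name: (survives_any_link_failure(l),
                   survives_any_isp_failure(l),
                   survives_isp_plus_link_failure(l))
            for name, l in options.items()}


if __name__ == "__main__":
    for name, (link_ok, isp_ok, both_ok) in resilience_report().items():
        print(f"{name:30} link:{link_ok!s:5} isp:{isp_ok!s:5} isp+link:{both_ok}")
```

Only the dual multiple host option survives every failure class in this model; the double connection protects against a link failure but not a provider outage.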

REMOTE FUNCTIONAL AREA

The remote functional area is responsible for the remote connectivity options and includes several modules:

COMPANY BRANCH

The company's branch module includes remote branches that allow employees to work in off-campus locations.

  • In general, these locations provide security, telephony and mobility options to employees, as well as general connectivity to the campus network and the various components located within the business campus.
  • The company's branch module allows companies to extend applications and services from the head office, such as security, Cisco Unified Communications and advanced application performance, to remote branches.
  • The perimeter device that connects the remote site to the central site varies according to the needs and size of the site.
  • Large remote sites can use advanced technology Cisco Catalyst switches, while smaller sites can use an ISR G2 router. These remote sites depend on the perimeter of the SP to provide the services and applications of the main site.
  • In the image, the company's branch module connects to the business campus primarily through a WAN link; however, it also has a backup Internet link. The Internet link uses a site-to-site IPsec VPN to encrypt corporate data.

REMOTE WORKER OF THE COMPANY

The company's remote worker module is responsible for providing connectivity to employees who work from various geographically dispersed locations, including domestic offices, hotels or customer sites.

  • The remote worker module recommends that mobile users connect to the Internet through the services of a local ISP, such as a cable or DSL modem.
  • VPN services can be used to protect communications between the mobile worker and the central campus.
  • Integrated security and identity-based network services allow the company to extend campus security policies to the remote worker.
  • Staff can log in to the network securely through the VPN and access authorized applications and services from a single cost-effective platform.

COMPANY DATA CENTER

The company's data center module is a data center with the same functional options as the campus data center, but in a remote location.

  • This provides an additional layer of security, since the external data center can provide the company with disaster recovery and business continuity services.
  • Advanced technology switches, such as Cisco Nexus series switches, use fast WAN services such as Metro Ethernet (MetroE) to connect the business campus to the company's remote data center.
  • Redundant data centers provide support through synchronous and asynchronous replication of data and applications. In addition, the network and devices offer load balancing of servers and applications to maximize performance. This solution allows the company to scale without major changes in infrastructure.
