Evolution of the Enterprise · The Evolution of the Enterprise Network • Improve productivity...

2© 2002, Cisco Systems, Inc. All rights reserved.ttruitt – EotE

Evolution of the Enterprise Next Generation Network Solutions

Todd Truitt – [email protected]


The Evolution of the Enterprise Network

• Improve productivity through IPMobility solutions

• Extend the enterprise network reachthrough Teleworker IPCommunications

• Embed security into the network usingIdentity Based Network Services

• Provide business resilience usingadvanced Data Center architecturesand storage solutions

• Leverage the Services that ServiceProviders are beginning to offer

• Network Value

• Enterprise Mobility

• Teleworker IP Communications

• Identity and Embedded Network Security

• Data Center Resiliency

• Leveraging Service Provider Services

• Summary


Business Success Criteria Have Changed

Reducing CostsIncreasing Productivity

Differentiation

Reducing CostsReducing CostsIncreasing ProductivityIncreasing Productivity

DifferentiationDifferentiation

Where We Are Today

Global Internet Business Deployment

7 by 24 Operations

Internet Rate of Change

Global Internet Business DeploymentGlobal Internet Business Deployment

7 by 24 Operations7 by 24 Operations

Internet Rate of ChangeInternet Rate of Change

Where We Have Been

“… a major wake-up call formost large enterprises… networkinfrastructure is directly tied tothe ability to gain competitiveadvantage in the marketplacetoday and in the future.”David Passmore, Burton GroupJuly 2001DavidDavid Passmore Passmore, Burton Group, Burton GroupJuly 2001July 2001


WANSiSi

SiSi

Network Infrastructure Is Criticalfor Business Excellence

SiSi

SiSi

SiSi

SiSi

SiSi

SiSi

SiSi

SiSi

SiSi

SiSi

Wan Branch

Wan Aggregation

AccessDistribution

Core

Access Distribution

Access

DataCenter

InternetSiSi

SiSi

SiSi

SiSi

SiSi

SiSi

DataCenter

Intelligent network serviceswill positively impact profits, cash flow, and productivity

Productivity, Profits, DifferentiationProductivity, Profits, Differentiation

• Network Value






• Summary


Increasing Need for Transparent CorporateConnectivity

Sources: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners Instat 5/01);At Work (Wharton Center for Applied Research)

• On the Road (Hotels, Airports, Convention Centers)

280 million business trips a year

Productivity decline away from office >60–65%

In many Industries “the office is the road”

• At Home (Teleworking)

137 million telecommuters by 2003

40% of U.S. telecommuters from large or mid-size firms

• At Work (Branch Offices, Conf Rms, Business partners)

11 million business meetings a day in the U.S. - 42% areunproductive

Offices should go where the talent is


The Cost of ProductivityExample – Based on 230 work days in a year

Industrial AgePeople go “to” work

Internet AgeWork moves “with” people

Home

On themove

GroupSettings(Mtgs)

Example:$200k a year to staff an employee(Salary, Supporting, Benefits, etc)

$870 per day investment$108 per hour investment

Average Productivity = %60

Branch

Example:1 hour increase In Productivity Per day

Increased Gain in Employee investment

$108 per day$540 per week

$24,840 per year per person


WLAN VLAN 44

Campus WLAN MobilitySolution Overview

802.11b WLAN

WLAN VLAN 33

802.11b WLAN

Rogue APDetectionand denial

SecureGuest

Access

Vendor

Campus-wide

RoamingSecure User

Access


Campus WLAN MobilitySecure WLAN Access

LEAPStaticWEP

IPSecTunnel 802.1x client with PEAP

802.11b WLAN

SecuredCorporateResources

802.11b WLAN

SecuredCorporateResources

Today - WLAN SecurityOptions

Q4 2002 – Industry Standard WLANSecurity Direction


WLANVLAN=33

WLANs in the Campus - VLAN Designs

802.11b WLAN

VLAN=10

VVID=110VVID=110

Separate IP Subnets/VLANs used for Data,Voice and Wireless:

• Ease of deployment• Scalability as more WLAN devices appear• QoS and Security Trust Boundaries

Problem: WLAN devices will frequently have different QoS,IP Multicast and Security requirements than IP Phones orPCs. Additionally, installing WLANs will increase theamount of IP address spaced used.Solution: Create specific VLANs for WLANs


Campus WLAN MobilityUser based Network Access

802.1x Authenticated802.11b WLAN

EngVLAN

GuestVLAN

• Based upon user’s credentials via 802.1x(User Identity)

• Unauthorized users or those without 802.1xrunning on their laptop can be denied orplaced into a Guest VLAN

Authentication based Resource Access

1. Eng can only access Eng resources2. HR only can access HR Servers3. Guest Access for trusted 3rd Party Contractors


Campus WLAN MobilityRogue AP Detection and Denial

SiSi

Rogue AP lockedout after failedAuthentication

• Use of wireless analyzer to look forWLAN signals (Rogue AP’s)

• Only switch ports with “Authorized”AP’s have 802.1x disabled on switchport

• Un-Authorized AP’s are thereforelocked out

• Requires 802.1x on all PC’s

Rogue AP

Authorized AP

802.1x disabled only on allAuthorized AP switch ports

802.1x pushed to WLAN edge

Enables IT to control of WLAN activities and promotes sanctionedWLAN deployments – Inherently Reducing rogue WLAN activities

Note:Today Rogue WLAN activities are thehighest percentage of deployments


VLAN=20VVID=120

WLAN VLAN=33

VLAN=10VVID=110

WLAN VLAN Designs andRoaming

• Traditionally, VLANs have notspanned wiring closets to utilizerouting protocols for optimalconvergence

• This may not be realistic since RFsignals may span floors/closets

• Cisco’s 802.1w implementationallows specific VLANs to use theRapid Spanning-Tree protocol tooptimize Layer 2 convergence

SiSi

SiSi

Problem: Wireless AP radio signal may“span” wiring closet switches within abuilding. How does this affect mytraditional campus designs ?Solution: Use 802.1w within the buildingand have a single, building-widewireless VLAN.


WLAN VLAN 44

Campus-wide Layer 3 WLAN RoamingCampus Core

802.11b WLAN

WLAN VLAN 33

802.11b WLAN

Mobile IP used forinter-building

WLAN Roaming

Problem: How do Wireless devices roam between buildings ?Solution: Use Mobile IP so the Layer 3 separation between buildingis maintained for higher availability


Layer 3

BldgA

BldgB

Cat6k

Cat4kCat4k

Secure WLAN AccessSecure

Guest Access

Wireless IP Phonewith WLAN QoS

Vendor

X

Rogue APDetectionand denial

Only Cisco Delivers End-to-End, Secure QoSEnabled WLAN Network Solutions

Cisco WLAN IP Phone 7920Integrated QoS and security;802.1x, L2 Roaming

Cisco Catalyst SwitchesSecure QoS enabled access; 802.1x,dynamic VLANs with AP’s

Cisco Wireless Access Points802.1x enabled to provide Secure QoS WLANaccess; VLAN support enables wider range ofsupported WLAN devices and access types

• Network Value






• Summary


Telecommuter ExampleYesterday

CorporateOffice

Corporate Number408-526-4000

Home Office Number408-555-1212

PSTNHome Office

Internet

Can I use thePhone now?

I’m working fromhome today, call

me at 408-555-1212

Typical Teleworker Office Setup:

- Uses VPN client on PC to “dial up” corporate data network- Voice is different phone number and network- No video facilities

Results:- Extra phone line/charges for voice calls- Has to expense phone calls back to employer- Not in corporate PBX or directory – out of touch- Must remember to check voice mail periodically


Results:

- Same use of network tools/access as in corp office

- VPN connection “always on” – corp subnet exists in home

- Same Phone number and VM as Corp office

- No Extra Phone Line/charges for Voice calls

- Increased Workday Productivity

I need toCall John

408-526-4000

CorporateOffice

CorporateNumber

408-526-4000

Home Number408-555-1212

PSTN

HomeOffice

Internet


Fax

VPN Tunnel

Hello JohnSpeaking

Telecommuter MobilityToday – IP Telephony enabled Teleworker

Best effortSP QoS

QoS enabled onTeleworker Edge



Fax

Hello JohnSpeaking

Corporate OfficeCorporate Office

Number408-526-4000

PSTN

Home Office

Internet

How it Works

1. Analog line configured is same # as Corp Office Legacy PBX Phone2. Analog Line configured to go thru GW and ring Teleworker’s Home IP Phone3. Corp Office number called – Rings in both Places4. Possibly no VM light depending on Legacy PBX Vendor

VPN Tunnel(V3PN)


I need toCall John

408-526-4000

IP Telephony for TeleworkerFor Legacy PBX Environments

Legacy/ProprietaryPhone Line

Analog Phone LineSame as Corp Office

Number408-526-4000

VoIP GW

CallManager

LegacyPBX

Best effort QoS



Aironet Access Point

PC/Video

Teleworker MobilityCisco Internal Deployment

• Requirements

Many Teleworkers require thesame IP Telephony services asin Corp Office (Development,Tech Writers, Sales etc.)

Lower cost on expensed Homephone bills

Increased workday productivity

• Deployment Characteristics

Firewall and VPN tunneltermination on IOS router

QoS configuration

LLQ on WAN Interface

Service Provider “best effort”

Edge QoS with a “Best Effort”SP acceptable for benefitsgained – Toll Quality >99% ofthe time

Home Office, Reading, PA

IOS VPNRouter

x64000

Tier 1SP

7200

LocalSP

Cisco SystemsSan Jose, CA

CiscoPrivateWAN

VPNTunnelVPN

Tunnel

CallManagerfor x59017

Family

Cisco SystemsRTP, NC

x64000


Before After

• Two PSTN Lines – Home + Work

• Work number different than Corp office

• Work number shared by Fax

• Expensed Work phone bill - $200/month



Fax

• One PSTN Line – Home

• Work number same as Corp office

• Separate Fax number

• Expensed Work phone bill - $0

Home Office/Fax Number408-555-1111

PSTNInternet

Fax


SJ SJ

PSTNDialup VPN

Tunnel

Multiple CircuitsInto Home

One Circuit intoHome (DSL)

Teleworker MobilityCisco Internal Results Realized

408-526-4000 408-526-4000


HQHQ

Core BackboneSP

Cable/DSL

TeleworkerTeleworker

Branch OfficeBranch Office

>T1

IP Phone

IP Phone

SOHOAccess SP

Only Cisco provides End-to-End, FullyInteroperable V33PN Network Solution

VPNVPN

VPNVPN

VPNVPN Cisco IP Phone 79xxPhone handset withintegrated QoS

Cisco CallManagerCall setup and signaling;Host IDS protection

Cisco IOS VPN RoutersIntegrated WAN, VPN, and voicegateway for Head end and remoteoffices

Cisco Powered SP PartnersProviding QoS SLA’s

• Network Value






• Summary


Sad but true…


Why Should Security Matter?

• The number of network attacksdoubled from 2000 to 2001.They are expected to increaseanother 100-150% in 2002.Less than 50% of intrusionsare actually reported.

21,756 incidences in 2000

52,658 incidences in 2001

26,829 incidences in Q1 of2002

--source: CERT

• Estimated losses attributeddirectly to network intrusionstotaled over $15 Billion for2001.

--source: DataMonitor PLC--source: Computer Security Institute & FBI


What is Identity?

Identity embeds security into the network.

According to the FBI, the majority of all attacksoriginate from the inside of the network –Customers need to secure the “inside”.

Identity provides communications managerswith the ability to more tightly control access tothe network, the network resources andanything to which the network connects.


SiSi

SiSi

WAN

Identity Concept Overview – “The What”Identity Based Networking Services

WAN

Rogue AP

Internet

VPN(SP)

MetroEthernet

Identify mission-critical applicationsand dynamically apply security and

QoS policies

Hotel

Provide Guest Users witha “safe” way to connect to

the network

Authenticate devices tocontrol access to potentially

“dangerous” areas

Increase mobile workers/teleworkeraccess security

Enable Identity-based access to

the networkresources


Facets of Identity Based NetworkingServices

• User Identity & Provisioning

• Device Identity & Provisioning

• Application Identity & Provisioning

• Other Ideas


User Identity in Campus Networks

802.11b WLAN

Catalyst switch and Aironet APauthenticate will users via 802.1x

Problem: Currently all network ports areenabled…Anyone can gain access to the “gold”.Solution: Cisco User-based Identity accesscontrol

Unauthenticated user are blocked access to the network


Sales

VLAN=99 Cor

p W

LAN

VLA

N=

33

Guest

VLAN

=99

User Identity Provisioning in CampusNetworks

802.11b WLAN

Problem: Different users might have differentQoS, security and IP Multicast policiesSolution: Cisco User-based Identity provisioning

“Guest users orUnauthenticated users can be

placed into a safe “guest” VLANfirewalled off from the rest of

the company

EngineeringVLAN=10

Users placed in theappropriate VLAN based on

their credentials

Policies applied toport include:

• Security• QoS• VLAN


Internet

VPN Tunnel

Corp userUses VPN Tunnel

Personal userInternet Only

SOHO/Teleworker SolutionSpouse and Kids capability

ServiceProvider

802.1xIntegration

üü

ûû802.1x

Authentication

Corp Office

• TodayAccess-Lists used to differentiate corporate Teleworker versus Family users

• FutureTeleworker authenticates via 802.1x and accesses HQ through the VPN tunnel

Family users do not authenticate and simply access the Internet directly


Device Identity & ProvisioningWhat can be done in the future

VLAN 11

Video

VLAN 110Voice

Authenticatedphone placedinto the Voice

VLAN

Authenticated Video Confport unit given specific

QoS parms (required whileRSVP is being solidified)

Rogue AP locked outafter failed

Authentication

CiscoSecureACS

QoSPoliciesSecurityPolicies

etc

Printers and other3rd party devices

can be auth’d andprovisioned


Application Identity Provisioning inCampus Networks

Problem: Many of the newapplications use http forapplications. How do networkmanagers identify the missioncritical (and not-so-mission-critical) applications ?Solution: Cisco application-basedIdentity services

Identify whichapplications arecritical to businessneeds and give thempriority

MP3


Identity Based Enterprise MPLS VPN

• General Idea: Tie Identity to Policy, use policiesto separate user environments & traffic.

• Use Policies to compartmentalize users at Layer2 using VLANs.

• Map VLANs to MPLS VPNs to maintaincompartmentalization at Layer 3.

• Secure shared areas using PVLANs and VLANCapable Firewalls (FWSM).

• Increases Overall network security by providingcompartmentalization.


Increasing Overall Network Securityby Providing Compartmentalization

ACS Server MPLS VPN 1

MPLS VPN 2

MPLS VPN 3

MPLS VPN 4

1. User authenticates to network.

2. AAA Assigns VLAN touser at access layer.

3. VLAN maps to specific MPLSVPN at distribution layer.

Jane=VLAN 45=MPLS VPN 3=Accounting Network

John Authenticates

John=VLAN 70

VLAN 70=MPLS VPN 4(Engineering Network)

At shared resource edges (ie. datacenters) MPLS VPNs mapback to VLANs. VLANs segregated by FW blade or PVLANs.

• Network Value






• Summary


Data Centers & Downtime

* Meta Group

** Strategic Research Corporation

The cost of an hour of down time

Average cost: $330,000*

Brokerage House Operation: $6.5 Million**

Credit Card Authorization System: $2.6 Million**


Technology EnablersTechnology EnablersBusiness RequirementsBusiness Requirements

Enable highly availableand scalable distributedapplication environment

Data Center NetworkingTransport supporting Data

Center Mirroring

Data Center NetworkingTransport supporting Data

Center Mirroring

Support Non-stopBusiness Applications

Highly Available & ScalableData Center Infrastructure

Highly Available & ScalableData Center Infrastructure

Ensure rapid recoveryof mission-critical

applications

Storage NetworkingSupporting Data Mirroring

Storage NetworkingSupporting Data Mirroring

What High Availability means to Businesses

Predictable single and distributed site architecture Design


The evolution of Client/Server to the N-Tier Model

Thick Client

Application ServerApplication GUI

Database Server

Traditional Client/Server Model

Thick Client – Client/ServerØ Requires Heavy Management Ø Processes Information Locally and Presents it Ø Exchanges mostly Data

Thin Client - N-TierØ Needs Little to no client managementØ Only presents informationØ Exchanges Data and Presentation Format

N-Tier Model is adopted by key SW Vendors

Siebel – Oracle – Microsoft – IBM – SAP – Peoplesoft

N-Tier Model

Web ServerThin Client

Web Browser

Application Server

Database Server


N-Tier in Application Environments

Hitachi Storage

Cisco DWDM, CWDM, 10 GE, SONET

EMC IBMCompaq

Data Center Transport

Distributed Data Centers must support Distributed Computing

Application Areas

N-Tier

Data Center Architecture must support N-Tier model

Business Logic

Web & Other Servers

Database Systems

CRM ERP SCMOrder

ProcessingE-

CommerceSFA

Apache

Sybase

Java, ASP, J2EE, Java Scripting, Application Code

IIS Netscape NCSA Other

Oracle SQL Server DB2

Critical Applications use N-Tier Model


Logical View

Front-end Layer

Aggregation Layer

Internet Edge

Application Layer

Back-end Layer

Campus

FC

Storage Layer

DWDMDWDMFC

FC

Data Center Transport

Campus Core

Distribution

Access

Access

Access


Aggregation Layer

Multilayer Switches: L2 – L5FirewallsContent EnginesSSL TerminationIntrusion Detection Systems

Aggregation Layer

Internet Edge

Layer 3

Layer 2

Campus

Campus Core

Aggregation LayerØ Aggregation point for key service devicesØ Support for core L2/L3 features

Front-end LayerØ Connectivity to user facing serversØ Fast convergence and Scalable L2 domain

Front-endLayer 2 SwitchesWeb & Client Facing Servers


Application and Back-end Layers

Layer 2

Layer 2

AggregationFront-end Layers

FirewallsLayer 2 SwitchesIntrusion Detection SystemsApplication Servers

FirewallsLayer 2 SwitchesIntrusion Detection SystemsDatabase Servers

Back-end

Application

ApplicationØ Support for middle-ware or business logic serversØ Interface to Database systems using scalable & secure L2 domain

Back-endØ Connectivity to Database SystemsØ Scalable and secure L2 domain


Storage Layer

ESCON ESCON

FCFC FC

FC

FC FC

Storage Layer Storage LayerData Center Transport

Primary Data Center Distributed Data Center

FC FC

Back-end LayerBack-end Layer

Fibre Channel Switch

StorageØ Consolidation of Storage &Tape subsystemsØ File or Block access to dataØ Client to Storage and Storage-to-storage high speed access


Data Center Transport Layer

GE

Data Center TransportData Center TransportESCON ESCON

GE

FC FC

FCFC

FCFC

Primary Data Center Distributed Data Center

FC FC

Front-end Layer Data Exchange

Application Layer Data Exchange

Back-end Layer Data Exchange

Ø Distributed Computing Applications _at different peer layers_Ø High Speed transparent transport media between Data CentersØThe same transport layers support campus-to-campus communication

• Network Value






• Summary


• Cisco Powered NetworkDelivers end-to-end service level agreements to ensure

voice/video qualityhttp://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl

• Service Level AgreementPacket Loss <= .5%

Delay <= 60ms One way Delay

Jitter <= 20ms

• Contiguous CPN Service Provider Recommended

Service Provider RecommendationsFrom Enterprise Edge to Edge


Enterprise + Service Provider SLADemarcations

Coder, LAN,

WAN accessDelay = 45ms

Goal <= 150ms End to End Delay

Enterprise/Enterprise EdgeService Provider

Enterprise/Enterprise Edge

Service ProviderOne Way Delay = 60ms,

Jitter = 20msLoss = 0.5%

WAN access, LAN,

De-jitter/De-coderDelay = 45ms


Additional things to ask for from ServiceProviders

• Handling of high priority traffic exceedingcontracted rate?

• If multiple SP’s involved – How is SLA achieved?

• Monitoring and Reporting on SLA statistics

• Availability of service and mean time to repair

Service Provider Differentiation


Branch Office

Service Provider

Central Site

Ent-SP Boundary ConsiderationsSP Policing high Priority BW from Enterprise

Service Provider can police high prioritytraffic to contracted rate for billing

Example

Enterprise Contracts for 5mbps high priority trafficSP Enforces to 5mbps - If exceeded charge extra or mark to lower priority


ServiceProvider B

ServiceProvider A

Branch Office

Central Site

Service Providers must agree on how much high prioritytraffic they will accept with each other

SP ConsiderationsCross Service Provider Boundaries

Many Service Provider mark high priorityTraffic to lower priority


The Next Generation WAN: Phase 1

Branch Office 1

Branch Office n

Central Site

MPLS ServiceProvider

(Equant, ATT, etc)

Hub and Spoke Design forsimplicity and services (IP

Multicast)SLA is for a single “dumb,

but guaranteed pipe”

Shaping, policing and prioritizationall done by the enterprise edgeNo traffic classification carried

through the SP network


The Next Generation WAN: Phase 2

Branch Office 1

Branch Office n

Central Site

MPLS ServiceProvider

(Equant, ATT, etc)

Provider now offers“Service Classes” atvarying rates/costs

Shaping, policing and prioritizationstill done at the enterprise edge

Traffic (re)classified by SP for“class” admission

Classes have varying schedulingand BW guarantees


VPN Tunnels

Teleworker

Branch Office

V3PN - Voice/Video enabled VPN

IP TelephonyPrivate WAN Only

PSTN

PrivateIP WAN

HQVPN QoS

VoiceVideo

V3PNVPN – Virtual Private NetworksData Only

V3PNSP

VPN Tunnels

Teleworker

Branch Office

SP

V3PN Service Providers

YesterdayYesterday

Today

Voice and Video Enabled VPN – V33PNWhat is it?


HeadquartersHeadquarters

Core BackboneSP

Cable/DSL

TeleworkerTeleworker

Branch OfficeBranch Office

IP Telephony/Services

>T1

IP Phone

IP Phone

V3PN Service Provider Partners

SOHOAccess SP

SPs today are offering QoS SLA’s(Sprint, Cable and Wireless etc)

Best effort today – SP’s currentlydeveloping QoS enabled offerings

Cisco Powered Network SP Partnershttp://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl


Alternative 1:Managed Frame Relay

Alternative 2:Voice and Video enabled VPN

V3PN Business JustificationLexent, Inc. (NYC) – NYC HQ w/20 remote offices

• 20 sites – >$45,000 per month

• 3 year commit, >$1.5M total

• 20 sites – <$20,000 per month

• 1 year commit, <$250K total

PrivateFrame Relay Service Provider

NYC NYC

Branch OfficesBranch Offices

V V

• Network Value






• Summary


Business Dependencies

• Change is constant: now isthe time to evaluate, plan,and innovate

• Technology is an enablerfor turning change intoopportunity

• Mobility, IP Communications,Identity, Resilient Data Centersand Network Services will lowercosts or increase productivity

Now is the time to strategically leverage change for business Breakaway

626262

Evolution of the Enterprise · The Evolution of the Enterprise Network • Improve productivity...

Documents

Transcript of Evolution of the Enterprise · The Evolution of the Enterprise Network • Improve productivity...