Challenging Network Design

I am going to attach a drawing and offer up a challenge to anyone who wants to solve it. I have two ways to make it work.
So here is the scenario.
1) This is a transit network. That means there are objects that circumnavigate a known path along tracks.
2) There is already an infrastructure of fiber connected to Cisco ONSs at OC-48 speeds
3) Hanging off the ONS are 6 Cisco 6509 Chassis
4) Hanging off the 6509 Chassis are Cisco 3560 switches
5) Hanging off the 3560 switches are Cisco Wireless Access Points
6) The objects circumnavigating the tracks have a Cisco Wireless Access Point and a Cisco 3560 switch to connect equipment on board
7) The Wireless access points are managed by a WISM on the 6509s
8) Wireless antennas are spread along the track so that the vehicle has constant contact with the network
9) There are multiple VLANs in the Primary and Backup Data Centers
10) There is just one VLAN on the vehicle
11) The equipment on the vehicle needs to communicate to the data center and to other vehicles
12) Each vehicle has a need for 16 hosts
The question I have (or the challenge) is to figure out how the vehicles can maintain constant contact with the rest of the network. The data center configuration is more or less done. The challenge is figuring out how to subnet and route and/or bridge the trains to keep in contact with the rest of the network while it switches from one access point to another and from one 6509 backbone switch to another.
What are your thoughts?
James

Thank you for this nice challenge!
I assume all the 6500 switches are connected together, but you do not describe what this logical topology is. Is it a shared layer 2 Ethernet or is there a point-to-point structure between them?
How many access points do you have behind each of the 3560 switches outside the 6500 switches?
What types of access point are used?
The best way to do this is to implement WISM modules (wireless controllers) in the 6500 switches or in at least two of them (redundancy). How many depends on the amount of access points you have installed that are fixed and not moving around. These access points should then be lightweight access points.
Access points on the moving objects will connect with the most optimal fixed access point and traffic will be tunneled back to the controller where the access point is connected. This is called local mode and you can consider the AP on the moving object as a client that is directly connected (locally) at the controller's interface towards the switch.
If the moving object moves so that another fixed access point is used, and that access point is connected to the same controller, then the client will appear to the network as if it has never moved since it remains connected to the same controller.
More 'challenging' (but solved) is when the moving object connects to an AP that is associated to another controller than where it first connected. Then this controller tunnels the traffic back to the first controller and the client still seems to be locally connected at the first controller.
Summary so far: The point where the AP on the moving object seems to be connected with the LAN will remain at the Ethernet port of the first controller it is connected via as long as it is connected to any of the fixed access points.
IP addressing: You subnet the network as usual and provide a DHCP pool for the clients at each site with 6500 switches that contains WISM modules.
The clue is ‘local mode’.
Regards,
André
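An addressing sketch for the "16 hosts per vehicle" requirement in the question, added here as an example and not part of either post. It assumes each vehicle's single VLAN gets its own IPv4 subnet with one address reserved for a gateway; the supernet `10.50.0.0/24` and the `train-NN` names are constructed.

```python
import ipaddress


def smallest_prefix(hosts_needed, reserved=1):
    """Longest IPv4 prefix whose usable addresses cover hosts + reserved.

    Usable addresses exclude the network and broadcast addresses, which is
    why 16 hosts do not fit in a /28 (14 usable) and need a /27 (30 usable).
    """
    needed = hosts_needed + reserved
    for prefix in range(30, -1, -1):
        usable = 2 ** (32 - prefix) - 2
        if usable >= needed:
            return prefix
    raise ValueError("requirement does not fit in IPv4")


def plan_vehicle_subnets(supernet, vehicle_ids, hosts_per_vehicle=16):
    """Carve one equally sized subnet per vehicle out of `supernet`.

    Returns {vehicle_id: {"subnet", "gateway", "first_host", "last_host",
    "spare"}}. Raises ValueError when the supernet is too small.
    """
    net = ipaddress.ip_network(supernet)
    prefix = smallest_prefix(hosts_per_vehicle)
    if prefix < net.prefixlen:
        raise ValueError(f"{net} is smaller than one /{prefix} vehicle subnet")
    pool = net.subnets(new_prefix=prefix) if prefix > net.prefixlen else iter([net])
    plan = {}
    for vid in vehicle_ids:
        try:
            sub = next(pool)
        except StopIteration:
            raise ValueError(f"{net} has no /{prefix} left for {vid}") from None
        hosts = list(sub.hosts())
        plan[vid] = {
            "subnet": sub,
            "gateway": hosts[0],                    # assumed: first usable address
            "first_host": hosts[1],
            "last_host": hosts[hosts_per_vehicle],  # 16th on-board host
            "spare": len(hosts) - 1 - hosts_per_vehicle,
        }
    return plan


def owner_of(plan, address):
    """Map an IP address back to the vehicle whose subnet contains it."""
    ip = ipaddress.ip_address(address)
    for vid, entry in plan.items():
        if ip in entry["subnet"]:
            return vid
    return None


if __name__ == "__main__":
    # Constructed inputs: three vehicles, one /24 set aside for the fleet.
    plan = plan_vehicle_subnets("10.50.0.0/24", ["train-01", "train-02", "train-03"])
    for vid, e in plan.items():
        print(vid, e["subnet"], "gw", e["gateway"],
              "hosts", e["first_host"], "-", e["last_host"], "spare", e["spare"])
    print("10.50.0.40 belongs to", owner_of(plan, "10.50.0.40"))
```

Because every vehicle block has the same size and is contiguous, the whole fleet can be covered by a single summary route or ACL entry, and `owner_of` gives a quick way to tie an address seen in logs back to a vehicle.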

Similar Messages

  • Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

    Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about hierarchical network design.
    Recommending a network topology is required for meeting a customer's corporate network design needs in their business and technical goals and often consists of many interrelated components. The hierarchical design makes this easier: "divide and conquer" the job and develop the design in layers.
    Network design experts have developed the hierarchical network design model to help to develop a topology in discrete layers. Each layer can be focused on specific functions, to select the right systems and features for the layer.
    A typical hierarchical topology is
    A core layer of high-end routers and switches that are optimized for availability and performance.
    A distribution layer of routers and switches that implement policies.
    An access layer that connects users via lower-end switches and wireless access points.
    Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions.  Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
    Remember to use the rating system to let Ahmad know if he has given you an adequate response. 
    Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Dear Leo,
    We are discussing the following without any product line, discussing the concept of hierarchical design, which will help you decide which model is better for you: the two-layer or three-layer hierarchical model.
    Two-Layer Hierarchy
    In many networks, you need only two layers to fulfill all of the layer functions—core and aggregation.
    Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
    Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
    Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
    Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
    User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
    You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
    You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
    Three-Layer Hierarchy
    A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers:
    Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three-layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
    Aggregation—A three-layer hierarchy has two aggregation points:
    At the edge of the access layer going into the distribution layer
    At the edge of the distribution layer going into the core
    At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
    Routing policy—The routing policy is deployed within the distribution layer in a three-layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
    User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
    As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
    Now the confusion arises in our minds about where to use the two-layer and where the three-layer hierarchical model.
    Now we are discussing how many layers to use in network design.
    Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
    Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three layer designs.
    Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
    Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
    Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
    Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
    I hope that this helps you to understand the purposes of Two Layer & Three layer Hierarchical Model.
    Best regards,
    Ahmad Manzoor

  • Office network design ideas..

    Hey all, we are upgrading to a Cisco network and wanted some input on our possible network design...
    Currently we have:
    A Juniper SSG 140 and IDP for our firewall and IDS
    3com (layer2/3) switches for our desktops
    2 Dell PowerConnect 5424 switches for our servers and firewalls
    2 Dell PowerConnect 5424 switches (separate network) for our SAN/VM hosts
    This is what we are thinking of for our next solution
    ASA 5512 for our firewall (I read we could possibly get a 25% performance speed improvement for user VPN connections?)
    2 WS-C3750x-48t-e (I think this does Layer 2/3) for our desktops
    2 WS-C3750x-48t-e for our firewalls/servers
    2 WS-C3750x-24P-L for our SAN/VM hosts
    The problem is different network services providers who are going to implement this for us are giving us different solutions
    Some desktop 3560X for desktops and 4948 for servers and others are telling me 3750x for desktops and Nexus 3048 switches for SAN
    Some are telling me we can keep SAN+VM+core traffic on the same switches and just separate them with VLANs while others are telling me we should get separate switches for them
    Basically, we just want an improved improvement with better PERFORMANCE and REDUNDANCY (esp with our core + SAN/VM traffic) without going overboard and spending a ton of money
    More thoughts:
    We need Layer 2/3 switches for core + SAN
    Do we need 10G ports?
    Let me know your thoughts...

    Hi There,
    The hardware selection actually depends on the network/site topology, number of users, traffic load and other factors.
    This is for the IP network. For SAN, do you mean iSCSI, FCoE or pure FC SAN? These are different things and may change the HW selection.
    In general 3560s are good for access switches and the 3750 provides the same capabilities with improved performance and support for StackWise (the 3750 is a good option especially if you are planning to stack them).
    L3 is supported on both, but consider the license/image you buy with regard to the features you need.
    Nexus switches are the best for the data center as they are designed for data center switching. However, you need to know port density, 1G or 10G, whether you need any FC SAN, DC load/capacity, whether any L3 function is required, and future growth; then you can decide if Nexus 3K or 5K is good for you or not.
    N5K
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-618603.html
    N3K
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps11541/at_a_glance_c45-648255.pdf
    If you have a network topology with more details of what you need, post it here for more discussion.
    Hope this helps.
    If helpful, rate.

  • Need help on network design

    Hi guys.
    Looking for some advice on a network design.
    Please tell me what you think may or may not be wrong or missing.
    Here are the details:
    The user count is approximately 600 (desktops, laptops and Cisco IP phones) with two locations (office and data center) connected via 100Mbps guaranteed MAN line with site-to-site VPN as backup.
    Servers will all be in the Data Center.
    Edge routers to be used as site-to-site VPN connection point between office and data center.
    Edge router at data center also to be used to connect to 4 other remote sites.
    Edge networks (router and ASA) will be used to provide internet access to equipment at their respective locations. (No routing across MAN for internet access)
    Cisco 4510 to be used as user switches.
    Supervisor engines will be connected via 10G fiber to core switches.
    There will be 2x 10G connection for each supervisor module.
    Core switches are 4500x to be stacked via VSS using 10G Twinax cables.
    Core switch will also have 1G copper sfp to connect to MAN line hand-off.
    There will also be a physically (for the most part) segregated network using 3750x 
    switches that connect back to the core. We will use 1G Fiber connections.
    Here is the current kit list:
    Office Network Edge
    1x Cisco 3925 Router to connect to internet and vpn tunnel endpoint (CISCO3925-HSEC+/K9)
    1x 2GB RAM upgrade for Cisco Router (MEM-3900-1GU2GB)
    1x 1GB Compact Flash for Cisco Router (MEM-CF-256U1GB)
    1x ASA Firewall w/ IPS  (ASA5525-IPS-K9)
    Office Network Core
    2x 4500X 32 Port Switches (WS-C4500X-32SFP+) w/ IP Enterprise License
    2x 1GB Fiber SFP module per 4500X switch to connect to 3750x  (GLC-SX-MMD)
    2x 10GB TwinAX cables to stack 4500x switches together (SFP-H10GB-CU1M)
    8x 10GB Fiber SFP+ module to connect to 4510 Sup Engines (SFP-10G-SR)
    1x 1GB Copper SFP to connect to MAN circuit hand-off (GLC-T)
    1x 1GB Copper SFP to connect to ASA firewall (GLC-T)
    Distribution
    4x Catalyst 4510R+E Switches (WS-C4510R+E) w/ IP Base License
    2x Supervisor 8-E per 4510 switch (WS-X45-SUP8-E)
    8x 48-port PoE module per 4510 switch (WS-X4748-UPOE+E)
    4x 10G Fiber SFP+ module per 4510 switch (SFP-10G-SR)
    1x 2GB SD Memory card per Supervisor Engine (SD-X45-2GB-E)
    Office Network Segregated
    4x 3750X 48-port PoE Switches (WS-C3750X-48P-L) LAN Base License
    1x 1G Fiber SFP module per 3750x switch (GLC-SX-MMD)
    1x Slot module per 3750x to connect 1GB SFP modules (C3KX-NM-1G)
    Data Center Edge
    1x Cisco 3925 Router to connect to internet and vpn tunnel endpoint (CISCO3925-HSEC+/K9)
    1x 2GB RAM upgrade for Cisco Router (MEM-3900-1GU2GB)
    1x 1GB Compact Flash for Cisco Router (MEM-CF-256U1GB)
    1x ASA Firewall w/ IPS  (ASA5525-IPS-K9)
    Data Center Core
    2x 4500X 32 Port Switches (WS-C4500X-32SFP+) w/ IP Enterprise License
    2x 10GB TwinAX cables to stack 4500x switches together (SFP-H10GB-CU1M)
    3x 10GB Fiber SFP+ modules per 4500X switch to connect to 3850 switches (SFP-10G-SR)
    1x 1GB Copper SFP to connect to MAN circuit hand-off (GLC-T)
    1x 1GB Copper SFP to connect to ASA firewall (GLC-T)
    1x 1GB Copper SFP to connect to segregated ASA (GLC-T)
    Data Center Distribution
    6x 3850 24-port PoE Switches (WS-C3850-24T-S) IP Base License
    1x Slot module per 3850 switch to connect 10GB SFP+ modules (C3850-NM-2-10G)
    1x 10G Fiber SFP+ module per 3850 switch (SFP-10G-SR)
    Data Center Segregated
    1x Cisco 2951 Router to connect to internet and vpn tunnel endpoint (CISCO2951/K9)
    1x ASA 5512-X (ASA5515-K9)
    Attached diagram is just a draft.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    A 39xx is underpowered if you want to support gig VPN tunnel.
    If your MAN is 100 Mbps (possibly "light" for 600 users), I would suggest running your port at 100 Mbps, not gig.  (This because LAN switches don't shape, and may not be able to "see" congestion or drops within the MAN.)
    Your user edge (the 4500s) will be L2 or L3.  If the latter, I would recommend not using a VSS core.
    I would recommend not using the same Internet connection for both general Internet access and VPN.

  • High Level Network Design

    Hi Guys
    I am posting this because I am starting my career in network design and want some help with it. I am at present in need of a high level design overview as I need to prepare some high level network design documents. Can anyone share some thoughts on how to go about doing this, and whether there is a template for HDD that may be useful?
    Also I believe in keeping information as transparent as possible to the readers of the document and need someone to explain in very simple terms if at all it is possible.
    Thanks a lot
    Vin

    Hi Vin,
    I would check the Cisco SBA and Validated Design Zone as a first pass.
    Lots of great design documents there.
    As for how I would create a high level design - keep it simple.  You just want an overview of the connectivity - e.g. for a dual-site head office with 100+ branch wan, I would only show a single branch site as a template.
    Every network is different, but the more documentation you write and read the more you will define your own style.
    Apologies I can't give you any of my customer's documentation - NDA's and everything!
    Regards, Ash,

  • Cisco Video Telephony Solution Reference Network Design (SRND)

    Below are links to two design guides focused on video telephony and videoconferencing. The first link goes to the NEW Video Telephony guide while the second links to the existing Videoconferencing guide that has been referenced before in a previous thread.
    Cisco Video Telephony Solution Reference Network Design (SRND):
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns268/c649/ccmigration_09186a008026c609.pdf
    IP Videoconferencing Solution Reference Network Design (SRND):
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns280/c649/ccmigration_09186a00800d67f6.pdf

    Hi
    As long as this is a new installation, I recommend you use SIP on all of the endpoints where possible and integrate with CUCM using a SIP trunk. This will give you two main benefits:
    - the transformation of the called and calling number from and to CUCM will be easier
    - if you have an endpoint using H323 communicating with another end using SIP, the VCS will do internetworking for this call and you will need a license for each internetworked call, plus the media path will go through the VCS, not directly between endpoints, for internetworking
    If you use SIP, make the endpoint name/SIP URI as [email protected]. Calls from VCS to CUCM use search rules with transformation, so if an endpoint dials 123456 only from VCS and the default call is SIP, VCS will send it to CUCM as 123456@sip domain.com; you need to do a transformation before sending it to CUCM and send it as 123456@cucmip.
    This is just in brief. Also, using the Expressway you can have your SIP domain registered over the Internet and configure a DNS SRV record pointing SIP to the VCS public IP, and Internet calls can come to your endpoint SIP name directly; no need to publish an IP to others to dial you.
    HTH
    If helpful rate

  • Hyper V Networking Design

    I am designing a new Hyper v network with 3 nodes. Each node has 8 NICs and I want to team 2 NICs per network.
    Team 1 will be the Management Network. A team will be created at the OS layer and a virtual switch will be created for the Network.
    OS Management
    Live migration
    Heart Beat
    These services will be added as interfaces on the network adaptor and will be VLAN'd.  QoS will then be added to the virtual switch for the Management and Heart beat network interfaces to ensure that these services are not compromised.
    The CSV network communication will be managed by the virtual machine network but I may enable cluster communications on the Management network Team 1 instead.
    Please advise.

    Very informative reply.  Helps very much :)
    The other 4 ports will be for production VM traffic and storage is FC on a dual channel HBA. The over all Network design is based on Blade architecture:
    Storage
    1 FC HBA Dual Channel
    Ethernet
    2 NICS for
    OS Management
    Live migration
    Heart Beat
    4 NICs for
    VM Production Traffic
    Back ups are using the Native solution with agents for VM over a fibre channel network connection back to our DC.
    Looking Good?
    Also
    What is the better approach for managing QoS on the network for hyper v 2012 r2
    Create the team - Create the switch  - Tag the VLAN interfaces to the team for :
    OS Management
    Live migration
    Cluster comms
    then apply Weight using Powershell
    Create a management team - create a switch with the management VLAN tagged then apply the policy
    Configuring Policy-based Quality of Service (QoS)
    http://technet.microsoft.com/en-us/library/hh831689.aspx
    Please advise

  • Network Design CCDA

    Hiii Cisco Team,
    I want to start studying the Cisco network design course to get the CCDA certificate. Could you please provide me with the requirements, links and any helpful material on that? After getting CCDA, what is the next certificate on the same path? Currently I have CCNA, CCNA Security and CCSP.
    Looking forward to having my CCDA.
    thank you

    CCDA requirements are listed here.
    While it's not a prerequisite, the next logical step in that certification path or track would be CCDP. See here.

  • Network Design Pointers...

    Hey everyone, I am not too sure if this is the correct location to be posting this, but I have some questions regarding networking design.
    I have created a test network within Packet Tracer, which I have added as an attachment. I just wanted some pointers on how I could have changed things, just regarding the topology. My main area of concern is with the printers; could they have been better located?
    I have uploaded a screenshot and the Packet Tracer file of my design; please let me know what you guys think. This is my first time creating a network. This helps me study for my exams, as I just finished my CCENT and am now working on CCNA.
    Thanks so much for your time everyone.
    Paul St.Onge                 

    > Threaded interfaces - do you mean user interfaces?
    Not quite, and it possibly comes as part of the other questions, but a description (or an attempt at one) is: imagine that you have one application on a server and some small applications in a series of PCs connected with the server. These applications, when started, send a command to the server which creates a thread that interfaces with the client app so that the processing can be spread more or less evenly. <hope to make sense>
    > Detection of java/javaw - what do you mean by that?
    The System.getProperties(... was what I was looking for

  • Wireless Network Design

    What are best practices in consideration to wireless network design? I have a WLC 4400 and 1200 APs that I want to deploy to replace my existing wireless network. I am researching the best network design for implementing a secured wireless infrastructure and also having a guest account for non-employees to log on to and surf the Internet. We also have WAN sites that need to be included in this design.
    Any help would be appreciated.

    Hi Tim,
    I just wanted to add a bit to the excellent info you have already received from Alejandro (nice work A!);
    Here some good "getting started" Cisco docs (and link to a video) which might help. This is a fair bit of reading :)
    Wireless LAN Design Guide
    http://www.cisco.com/web/about/ciscoitatwork/design_guides/dg-wlan.html
    Wireless Site Survey FAQ
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e9a96.shtml
    Understanding the Lightweight Access Point Protocol (LWAPP)
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml
    Deploying Cisco 440X Series Wireless LAN Controllers
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a00806cfa96.html
    Cisco Wireless LAN Controller Configuration Guide, Release 4.0
    http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_book09186a00806b0077.html
    WLC Video
    http://www.cisco.com/en/US/products/ps6366/index.html
    Lightweight Access Point FAQ
    http://www.cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
    Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC)
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml
    Here are some excellent overall scope ideas;
    Deploying High Capacity Wireless LANs
    http://www.cisco.com/en/US/products/ps6108/products_white_paper0900aecd8027a5f7.shtml
    Cisco Deploys Wireless LAN Technology to Increase Productivity
    http://www.cisco.com/web/about/ciscoitatwork/downloads/ciscoitatwork/pdf/Cisco_IT_Case_Study_WLAN_2004_print.pdf
    Design Principles for Voice Over WLAN
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/networking_solutions_white_paper0900aecd804f1a46.shtml
    Evaluating Interference in Wireless LANs: Recommended Practice
    http://www.cisco.com/application/pdf/en/us/guest/products/wireless/c2072/cdccont_0900aecd80554f8b.pdf
    I have attached some good "getting started" type Security docs. You may also want to engage your Cisco partner and Cisco SE to help you plan and implement this most important function of Wireless.
    Wireless LAN Security White Paper
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/networking_solutions_white_paper09186a00800b469f.shtml
    Five Steps to Securing Your Wireless LAN and Preventing Wireless Threats
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/networking_solutions_white_paper0900aecd8042e23b.shtml
    WLAN Security considerations (Part of WLAN SRND Guide)
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns178/c649/ccmigration_09186a00800d67eb.pdf
    Wireless LAN Security Solution
    http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa0900aecd801e3e59.html
    Wireless - Compare Products and Solutions
    http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html
    **Don't forget to check out the good books available from Cisco Press (link on this site)
    Hope this helps! And best of luck.
    Rob

  • Network Designs

    Hi all
    I wanted to know if someone can give me some advice. I've started my own consulting company and I have a client who wants a network redesign and a core network design. Both of these are for different sites and I wanted to know what questions I should ask the client and whether there are some books that I can read about network design that will give me a good feel for how to proceed. I have a good idea already about the hardware that is needed at each layer, but the network I learned on was a large enterprise network and these are smaller networks, and I really want to do a good job for this user so that I can get repeat business. Thanks in advance and have a great day; I look forward to your replies.

    1) You should ask why the client wants a network redesign and what they are looking to achieve by doing this, i.e. no one does a network redesign just for the fun of it.
    2) Based on the answers to the first question, you need to see the existing network design and then work out why it does not meet the client's needs.
    3) Probably as important as anything else is what budget is available for the redesign, i.e. consultancy for you and hardware budget.
    4) What in-house experience the client has. You can set up the loveliest shiny network, but if the customer cannot then support it, it is not particularly useful to them.
    5) Future plans for expansion for the client.
    6) The hardest part: applications, traffic patterns, and bandwidth requirements of the network. Make sure you at least identify the apps that the client makes their money from and design accordingly.
    Don't decide on hardware before the design. The design dictates the hardware design and not the other way around. If you already have an idea of the hardware you are going to use, you either have answers to all the above or you are getting ahead of yourself.
    A good place for design info are Cisco's design papers -
    www.cisco.com/go/srnd
    Jon

  • B2B network design example

    Hi Guys,
    Can anyone give me an idea of what a B2B network design should look like? A URL link to a design example or a network diagram example will be appreciated.
    cheers

    This url might help....
    http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html

  • Validate PIX & IPS Network Design

    Attached is my network design of the PIX and the IPS in promiscuous mode (non-inline). It doesn't look sound:
    1. Is it possible to set up the IPS in non-inline mode with two sensors?
    2. Can the IPS direct blocking commands to the PIX through the Desktop Management console? If not, do I need to place an internal switch for the desktop console and the command/control interfaces of the PIX and IPS?
    3. Other comments/suggestions?

    Cisco IPS Version 5.0 Sensor can be configured either in the IPS (inline) mode or the promiscuous IDS mode. If your sensor already has more than one monitoring interface, no additional hardware is required to run Cisco IPS Sensor Software Version 5.0 in the IPS (inline) mode. IPS services require at least one monitoring interface pair (two monitoring interfaces). Cisco provides the option of upgrading sensors with a single monitoring interface to support multiple monitoring interfaces. For more information on the various IDS and IPS sensor platforms and part numbers, please refer to Cisco IPS 4200 Series Data Sheet located at: http://www.cisco.com/go/ips
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item0900aecd801e6a99.shtml

  • Network Design Review - Best Practices

    Looking to start a discussion around best practices for inbound network design at the core. 
    The planned devices are as follows:
    Edge Routing / DMVPN - Cisco 2951
    Cisco UCM / IP Phone VPN Concentrator - Cisco ASA 5512-X
    Cisco AnyConnect SSL Client Concentrator - Cisco ASA 5515-X
    Cisco FirePower / IPS Device - Cisco ASA 5515-X
    The plan is as follows:
    All traffic enters through the 2951. 
    DMVPN traffic will go directly to the FirePower Device and then to the core network.
    IP Phones will pass-through 2951, enter 5512-X for VPN, go to FirePower and then to the core network.
    AnyConnect Clients will pass-through 2951, enter 5515-X for VPN, go to FirePower and then to the core network. 
    Wondering if anyone else has completed a similar setup and any issues you may have run into.
    Basic diagram attached. 
    Thanks!

    There really isn't a true two-factor authentication you can just do with RADIUS unless it's ISE and you're doing EAP Chaining.  One way that is a workaround and works with ACS or ISE is to use "Was machine authenticated".  This again only works for Domain Computers.  How Microsoft works:) is you have a setting for user or computer... this does not mean user AND computer.  So when a Windows machine boots up, it will send its system name first and then the user credentials.  System name or machine authentication only happens once, and that is during the boot-up.  User happens every time there is a full authentication that has to happen.
    Check out these threads and it explains it pretty well.
    https://supportforums.cisco.com/message/3525085#3525085
    https://supportforums.cisco.com/thread/2166573
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Location Appliance will not synch network design

    2710 Location appliance running 4.0.33.0, WCS running 4.2.130.
    2 Campus Network Designs each with multiple buildings and floors. One can be assigned to the location server and synchronization works perfectly. The second network design shows unassigned. If I assign it to the location appliance and then synchronize network designs it reverts to unassigned.
    Has anyone run into this issue and been able to resolve it?

    1) Connect to LOCAPP CLI
    2) Stop the LOC Service(/etc/init.d/locserverd stop)
    3) Take the backup of Location DB which can be found at /opt/locserver/db/linux/server-eng.db
    i.e. copy the server-eng.db to some other directory e.g. /home
    4) Delete the DB by issuing the command
    rm -f /opt/locserver/db/linux/server-eng.db
    5) Start the LOC service (/etc/init.d/locserverd start)
    6) Perform the sync. through WCS
    Hope this will help you...
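
Steps 2 to 5 of the reply above as a script that deletes the database only after the backup copy has been verified byte-for-byte. This is an added example, not part of the original post: the database path and init script come from the reply, while the function name, its argument and the `LOC_DB`/`LOC_SVC` overrides are assumptions.

```shell
#!/bin/sh
# Added example: paths and init script are taken from the reply above;
# reset_loc_db, its argument and the LOC_DB/LOC_SVC overrides are hypothetical.

LOC_DB="${LOC_DB:-/opt/locserver/db/linux/server-eng.db}"
LOC_SVC="${LOC_SVC:-/etc/init.d/locserverd}"

reset_loc_db() {
    backup_dir="${1:-/home}"
    backup="$backup_dir/server-eng.db.$(date +%Y%m%d%H%M%S)"

    [ -f "$LOC_DB" ] || { echo "no database at $LOC_DB" >&2; return 1; }
    [ -d "$backup_dir" ] && [ -w "$backup_dir" ] || {
        echo "cannot write to $backup_dir" >&2; return 1; }

    # Step 2: stop the service first so the file is not written mid-copy.
    "$LOC_SVC" stop >&2 || {
        echo "service did not stop; database untouched" >&2; return 1; }

    # Step 3: copy, then compare byte-for-byte before anything is deleted.
    if ! cp -p "$LOC_DB" "$backup" || ! cmp -s "$LOC_DB" "$backup"; then
        echo "backup failed verification; database untouched" >&2
        "$LOC_SVC" start >&2
        return 1
    fi

    # Step 4: remove the database only after the backup is confirmed.
    rm -f "$LOC_DB"

    # Step 5: start the service again.
    "$LOC_SVC" start >&2 || {
        echo "service failed to start; restore from $backup" >&2; return 1; }

    # Print the backup location so the caller can record or restore it.
    echo "$backup"
}
```

Step 6, the synchronization through WCS, remains a manual action after `reset_loc_db` returns.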
