Download Enterprise Council Comms overview

Document related concepts

Net bias wikipedia , lookup

IEEE 802.1aq wikipedia , lookup

Power over Ethernet wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Policies promoting wireless broadband in the United States wikipedia , lookup

Zigbee wikipedia , lookup

Computer security wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Computer network wikipedia , lookup

Internet protocol suite wikipedia , lookup

Airborne Networking wikipedia , lookup

Deep packet inspection wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Network tap wikipedia , lookup

Distributed firewall wikipedia , lookup

Nonblocking minimal spanning switch wikipedia , lookup

Wireless security wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Virtual LAN wikipedia , lookup

Transcript
Designing Converged
Networks
Lehner Tamás
3Com Magyarország
Bemutatkozás
• Lehner Tamás ügyvezető igazgató
– 3Com Magyarország
•
•
•
•
•
1036 Budapest, Lajos utca 48-66 E/2
Webcím: http://www.3com.hu
Email: [email protected]
Telefon: +36 1 430 2430
Fax: +36 1 430 2437
– [email protected][email protected]
1
3Com’s Tradition of Innovation
Among the Strongest Patent Portfolios in the Industry
Small Business
1972 Bob Metcalfe
Solution introduced
NBX
invents Ethernet
1996
3Com initial
introduced
public offering
1999
3Com
March
founded
1984
1979
1972 1984 1992
Ethernet patented
#4063220
13 December 1977
1st
Stackable
Ethernet Hub
1996
1998
By 2000
330,000,000
Ethernet
connections
shipped
400,000
Handsets
shipped
™
3Com
Security
Switch 6200
announced
Wireless
introduced
2000
Stackable
GbE
3Com
Introduces
SuperStack®
line
3Com Patent Portfolio June 2004
1146 patents issued
613 patents pending
3Com Switch 7700
core enterprise
platform introduced
2002
Network Jack
introduced
Joint venture
announced
with
Embedded
Firewall Security
launched
1995
Shipped 1,000,000th
10/100 Managed Switch
2003
Router
3000/5000
launched
VCX™ for enterprise
VoIP solutions
announced
2
End to End Solutions
Mobile
Security
IP
Telephony
Applications
LAN
WAN
3
Agenda
• This session will be an in-depth Network Design clinic
aimed at educating Systems Engineers and Presales
consultants on how to design and deploy converged
network infrastructure solutions using 3Com products.
The session will cover the following:
– Network Design Fundamental Concepts
– Designing infrastructure solutions for High Availability
– Designing infrastructure solutions for Convergence
– Implementing Security across the network infrastructure
– Real life scenarios for convergence designs
4
Campus Network
Fundamentals
3Com Confidential
5
Physical Layer Options (LAN & WAN)
• LAN Ethernet Campuses will be designed using the
following physical media
– UTP Category 5/5 Enhanced/6
– Connectivity to the Desktop, Server Farm, Inter switch
connectivity within the same wiring closet
– Fiber Multimode Fibre (50 micron/62.5 micron), Single Mode
Fiber (9micron)
– Campus Backbone, Building Backbone, Server Farm
– Other options
– STP (Legacy Ethernet), Volition (3M Fibre to the desktop)
• WAN
– Leased Lines, FR, DSL and VPN
6
Network Technologies
• Its the ubiquitous Ethernet !
• Ethernet technologies dominant at all areas of a
campus network
– Wiring Closet: Fast Ethernet, Gigabit Ethernet
– Backbone: Gigabit Ethernet, 10G Ethernet
– MAN/WAN: Ethernet, Fast Ethernet, Gigabit, 10G Ethernet
• Supported across all physical media, Copper/Fiber
• Alternative technologies may still be used in
legacy infrastructures but being rapidly phased
out
– ATM, Token Ring, FDDI
7
Gigabit Ethernet
• Gigabit Ethernet is now the dominant backbone and
aggregation technology in enterprise networks
– Overwhelming majority of campus backbones based on
1000BASE-SX and 1000BASE-LX
– Long haul fibre Gigabit connections for private MANs using
1000BASE-LH70
– 1000BASE-T as standard on Servers
• The availability of low cost 10/100/1000 switching is
extending its reach to the mainstream wiring closet
– Majority of new PC motherboards utilising 10/100/1000 LOM
NICs
• Fast Ethernet is still the dominant access layer
technology due to the low cost of active equipment
8
Gigabit to the Desktop has arrived
• Key factors driving the mass adoption of Gigabit to the
desktop
– Cost : Parity with high end 10/100 stackable platforms
– Future proofing : Advanced functionality, Layer 3 ready, 10
Gigabit Ethernet support
– Maturity: Many vendors already delivering 3rd/ 4th Generation
Gigabit switching architectures
– Scalability : High port density Gigabit platforms, High speed
stacking architectures
– Availability : 10/100/1000 as standard on all current
PC/Macintosh platforms, no extra cost for NIC
• Gigabit to the desktop already deployed in a variety of
customers and verticals
9
Networking Technologies – 10G
• The IEEE 802.3ae Task Force was responsible for defining the
10G Ethernet standard
– Standard was ratified in Q2CY2002 by IEEE-SA body
– 10GBASE-CX4 (IEEE 802.3ak) Task Force has now completed
specification work and is a published standard
– 10GBASE-T (IEEE 802.3an) Task Force is still undertaking
specification work and expected to be finalised in mid CY06
• 10GEA was established to promote standards based 10G
technology among vendors
– 3Com was a founding member of 10GEA
– 10GEA was dissolved in Q1CY2003 following completion of
objectives and ratification
• 10G is a key technology in 3Com enterprise strategy as it
defines the next generation high performance LAN and WAN
backbone technology
10
Ethernet Technologies and Media
(Reference)
Technology
Mode
Speed
Media
Distance
Connector
100BASE-T
Half Duplex/Full
Duplex
100Mbps
UTP/STP
100m
RJ-45
100BASE-FX
HD/FD
100Mbps
MMF/SMF
2Km/15Km
SC/ST
1000BASE-T
Full Duplex
1000Mbps
UTP
100m
RJ-45
1000BASE-SX
Full Duplex
1000Mbps
MMF
220-5Km
SC/LC/MTRJ
1000BASE-LX
Full Duplex
1000Mbps
MMF
550m
SC/LC/MTRJ
Fast Ethernet
Gigabit Ethernet
Conditioned
Launch cable reqd
1000BASE-LX
Full Duplex
1000Mbps
SMF
5Km-10Km
SC/LC/MTRJ
1000BASE-LH70
Full Duplex
1000Mbps
SMF
70Km
SC/LC/MTRJ
10GBASE-CX4
Full Duplex
10Gbps
Twinaxial
15m
microGiGaCN
10GBASE-LX4
Full Duplex
10Gbps
MMF/SMF
240m-10km
SC/LC
10GBASE-SR
Full Duplex
10Gbps
MMF
26m-300m
SC/LC
10GBASE-LR
Full Duplex
10Gbps
SMF
10km
SC/LC
10GBASE-ER
Full Duplex
10Gbps
SMF
40km
SC/LC
10GBASE-T
Full Duplex
10Gbps
UTP/TBD
55-100m
TBD
10G Ethernet
11
Network Design Layers
Application server farm
Server aggregation
Distribution
Layer
Core Layer
Access Layer
Clients
12
Access Layer
• Typically the wiring closet connecting via the
horizontal cabling distribution the following devices
– End stations, printers, IP phones, Wireless Access Points,
distributed fileservers
• Ethernet switches at the Access Layer can be fixed
configuration or modular
• Access Layer switches are typically Layer 2 devices
or Layer 2+ devices
• Networking technologies at the Access Layer can be
10/100, Gigabit Ethernet
• Power over Ethernet 802.3af technologies to support
IP telephones, wireless access points, Internet
cameras, specialised appliances
13
Key Requirements at the Access Layer
• Quality of Service and Traffic prioritization enforcement
–
–
–
–
Multiple Priority Queues – minimum 4
Multilayer traffic classification
Standards based traffic prioritization using 802.1p and DiffServ/IP ToS
Rate Limiting capabilities for bandwidth allocation
• Authentication and Authorisation of end stations and devices
– Network Login 802.1X
– Authorised MAC addresses
• Enforcement of security policies via Application Filtering or Access
Control Lists
• Basic device availability capabilities such as Backup and Restore
• Network availability features such as STP/RSTP for resilient layer 2
network designs
14
Choosing The Right Form
Factor For The Access Layer
• Fixed Configuration/Stackable
– Standalone Switches
• Advantages :Lower cost, Lower blocking ratio
• Disadvantages: Limited scalability, additional management overhead,
higher port density requirements at preceding layer, limited resiliency
– Stackable Switches
• Advantages: Low cost, high scalability, ease of management, higher
resiliency
• Disadvantages: Potential bottlenecks, limited media flexibility for
heterogeneous environments
• Modular Chassis
– Advantages: Highest availability, Performance, scalability,
flexibility, Common hardware with Distribution layer/Core
Layer, Investment protection
– Disadvantages: Cost, potential complexity
15
Power over Ethernet
• Power over Ethernet is key technology at the Access Layer
• Standard now ratified as amendment IEEE Std 802.3af-2003
• Enables the transfer of low voltage power over standard
Ethernet cabling for IP telephones, video cameras, wireless
devices etc.
• Can be integrated on an Ethernet switch or via midspan product
• Due to cost premium, a combination of PoE and normal
Ethernet connectivity applicable at the Access Layer
• Stackable PoE switches and PoE modules in modular switches
enable the mix and match of PoE and non-PoE ports
16
Wireless Connectivity at the
Access Layer
• Wireless Access points providing connectivity to wireless devices are
functionally part of the Access Layer
• Same requirements as in wired Access Layer connectivity are
applicable
– Quality of Service and traffic prioritisation
• 802.11e support
• Traffic and protocol Filtering
• Multiple 802.1Q VLAN support on Ethernet uplink
– Authentication and Authorisation
• Network Login 802.1X support
• Multiple SSID support
• Mapping VLANs to authorised users or SSID
– Security
• WAP, WEP, AES encryption
• Certificate support
• 802.11i capability
– Availability
• Roaming capabilities
• Device availability (backup and restore, Power over Ethernet support)
17
Wireless Switching
• Wireless Switching can be deployed at the Access Layer to facilitate the
deployment of many distributed access points across the campus
– In certain configurations a wireless switch may be centralised in the
Core/Aggregation Layer supporting multiple distributed APs in the Access Layer
• It centralises certain wireless capabilities on the wireless switch (RF management,
security, AAA, device profiles etc)
‘Fat’ APs
Traditional
‘Fit’ APs
Wireless Switching
Antenna
Antenna
802.11 a/b/g
Encryption
802.11 a/b/g
Lower Cost APs
Encryption
802.1X, TKIP,
802.11e, 802.11f, 802.11h
Mobile IP, IPSec, Certs
Wireless
Switch
Layer 2
Switch
Rogue Wireless Protection
Site Surveys
More Managed
Wireless Solutions
Per-user Firewall
Self-Healing
RF Management
802.1X, TKIP,
802.11e, 802.11f, 802.11h
Mobile IP, IPSec, Certs
Corporate
Network
Corporate
Network
18
Access Layer Offerings
(Reference)
Product
Form Factor
Technology
Max Port Density
Functionality
Uplink
Intellijack
Wall plate switches
10/100
5
Unmanaged, Advanced L2
FE: RJ45/SC/ST
Baseline 2226 PWR
Fixed config 10/100, Gigabit
10/100, Gigabit Uplinks
24
Web Managed
GE: SPF
SuperStack 3 Switch 4200
Fixed config 10/100, Gigabit
10/100, Gigabit Uplinks
24/28/50
Stackable, Standard L2
FE: RJ-45, GE: SC
SuperStack 3 Switch 4400
Fixed config 10/100, Gigabit
10/100, 10/100 PoE Gigabit
Uplinks
26/50
Stackable, Advanced L2
FE: RJ-45, GE: MTRJ
SuperStack 3 Switch 3200
Fixed config, 10/100, Gigabit
10/100,Gigabit Uplinks
24/50
Advanced L2, Basic L3
FE:RJ-45, GE: SFP
Switch 7700
4/7/8 slot Modular
10/100 Gigabit
288
Advanced L2, Advanced L3
FE: RJ-45/MTRJ, GE: RJ45/SC/SFP
Switch 8800
7/10/14 slot Modular
10/100. Gigabit, 10G
288
Advanced L2, Advanced L3
FE: RJ-45/MTRJ, GE: RJ45/SC/SFP
SuperStack 3 Switch 3824/48
Fixed config 10/100/1000
10/100/100 Gigabit
24+4/48+4
Standard L2
GE: SFP
SuperStack 3 Switch 3870
Fixed config 10/100/100/10G
10/100/1000 10G
24+4/48+4
Advanced L2, Basic L3*
GE: SFP, 10G: XENPAK
SuperStack 3 Switch 4900
Fixed config 10/100/1000
10/100/1000
28
Advanced L2, Advanced L3
GE: MTRJ/SC
Switch 7700
4/7/8 slot Modular
10/100/1000, 10G
120
Advanced L2, Advanced L3
GE: RJ-45/SFP/LC, 10G:
XENPAK
AP7250
Standalone AP
802.11g
100 users
802.1X, Multiple SSID, VLAN,
Encryption
10/100
AP8xxx
Standalone AP
802.11a/b/g
100 users
802.1X, Multiple SSID, VLAN,
Encryption
10/100
AP2750
Managed AP (MAP)
802.11a/b/g
802.1X, Multiple SSID, VLAN,
Encryption
10/100
WX1200
Fixed Config 10/100
Wireless switching, 10/100,
PoE
8
Advanced L2, 802.1X, Multiple
BSSID/SSID, VLAN, AAA, Per
user policies, firewall, crypto
10/100
WX4400
Fixed Config, Gigabit
Wireless switching, Gigabit
4
Advanced L2, 802.1X, Multiple
BSSID/SSID, VLAN, AAA, Per
user policies, firewall, crypto
GE:SC/RJ-45
Fast Ethernet
Gigabit Ethernet
Wireless
* future release
19
Distribution Layer
• In smaller networks or single building backbones, the
distribution layer may be omitted
• The goal of the Distribution layer is to aggregate wiring closet,
provide greater segmentation across the campus and provide
higher throughput for localised traffic
• Distribution layer switches could also be used to provide
connectivity to distributed fileservers across a campus network
• By deploying high availability at the Distribution Layer you
extend overall network fault tolerance
• Distribution layer switches could be co-located at an Access
Layer wiring closet or at a dedicated wiring closet
• If used the Distribution Layer becomes the control point for the
campus network
20
Key Requirements for the
Distribution Layer
• High Performance Gigabit switching for aggregating
multiple wiring closets
• Media flexibility to accommodate cabling infrastructure
• Quality of Service and Traffic prioritisation enforcement
– Multiple Priority Queues – minimum 4
– Multilayer traffic classification and traffic prioritisation
– Ability to identify and remark existing traffic priority before it
transverses the campus backbone
• Multilayer switching capabilities supporting Layer 2, Layer 2+ and
Layer 3 switching
– Support for many Link Aggregation groups connecting to the
Access and Core Layer
– Routing support for larger distributed internetworks
• Hardware availability and network availability features
21
Distribution Layer Offerings
(Reference)
Product
Form Factor
Technology
Max Port Density
Functionality
Uplink
SuperStack 3 Switch
4900 family
Fixed config
10/100/100
28
Advanced L2
GE: RJ-45, MTRJ, SC
Switch 40x0
Fixed config
10/100/1000
Advanced L3
10/100/1000
28
10/100/1000
Switch 7700
4/7/8 slot Modular
Advanced L3
10/100/1000
120
10G
Switch 8800
7/10/14 slot Modular
Advanced L2
10/100. Gigabit, 10G
288
GE: RJ-45, SFP,
MTRJ, SC
Advanced L2, Advanced
L3
GE: RJ-45/SFP/LC
Advanced L2, Advanced
L3
FE: RJ-45/MTRJ, GE:
RJ-45/SC/SFP
10G: XENPAK
22
Core Layer
• The Core Layer is typically implemented at the main
campus Data Centre
• It acts as the main interconnecting area across the
campus backbone linking distribution layer switches
and/or access layer switches
• The separation of the Core and Distribution layer
enhances the scalability of the campus network
especially in layer 3 centric designs
• The Core layer could also provide Server Aggregation
provided capacity exists and network topology allows
23
Key Requirements of Core Layer
• High Performance non-blocking Gigabit switching
– High performance Centralised forwarding
– Distributed forwarding capabilities in modular systems
• Scalable architectures capable of accommodating higher bandwidth,
more ports, advanced levels of functionality
• Multilayer switching capabilities to accommodate any kind of logical
design
– ASIC based multilayer switching
– Hardware based ACLs
• Advanced Convergence capabilities capable of honouring incoming
QoS settings and enforcing outgoing QoS settings
–
–
–
–
Multiple priority queues : Minimum 4
Multilayer traffic classification and prioritisation
Remarking for outgoing traffic
Rate limiting
• Future proofing capabilities
– 10G support
24
Core and Server Aggregation
Layer Offerings (Reference)
Product
Form Factor
Technology
Max Port Density
Functionality
Interfaces
Switch 7700
4/7/8 slot Modular
Gigabit, 10G
120
Distributed L2 Forwarding,
Centralised L3, Advanced L2,
Advanced L3
1000BT, 1000BSX,
1000BLX, 1000BLH70,
10GBLX4, 10GBLR,
10GBSR, 100BFX
Switch 8800
7/10/14 slot Modular
Gigabit, 10G
288
Distributed L2/L3 Forwarding,
Advanced L2, Advanced L3
1000BT, 1000BSX,
1000BLX, 1000BLH70,
10GBLX4, 10GBLR,
10GBSR, 100BFX
Gigabit Ethernet
SuperStack 3 Switch
4924
Fixed Configuration
10/100/1000
24
Advanced L2, Advanced L3
1000BT (1000BLX,
1000BSX, 1000BLH70)
SuperStack 3 Switch
3870
Fixed Configuration
10/100/1000
48
Advanced L2, Standard L3
(future)
1000BT (1000BSX,
1000BLX, 1000BLH70,
10GBLX4, 10GBLR/SR)
Switch 7700
4/7/8 slot Modular
10/100/1000
120
Advanced L2, Advanced L3
1000BT, 1000BSX,
1000BLX, 1000BLH70,
10GBLX4, 10GBLR,
10GBSR, 100BFX
16+2
Advanced Security Services
via ISV
100BT (1000BT,
1000BSX, 1000BLX,
1000BLH70)
10G
Security Switches
Security Switch 6200
Fixed Configuration
10/100/Gig
Firewall, IDS, Antivirus,
Antispam, Content Filtering
Secure IX 5100
Fixed Configuration
10/100/Gig
4+2
Advanced L3 and Security
Services, Firewall, VPN,
Content Filtering
100BT (1000BT,
1000BSX, 1000BLX,
1000BLH70)
25
Additional Design Layers
• Optional secondary design layers may be defined across
the Enterprise
– WAN Perimeter
– Internet Perimeter/DMZ
– Storage Area Network
• These additional layers may interface directly to the Core
Layer or be separated logically and physically
• Consideration should be taken with respect to connectivity
to these secondary layers in terms of:
– Performance
– Congestion
– Logical connectivity
• Typically each layer can be defined on a separate
broadcast domain for greater control and security
26
Campus Network Topologies
• 2 Tier Collapsed
Backbone
– Direct Connectivity from the
Access Layer to the Core
– Server Aggregation can be
integrated into the Core
Layer or separate
– Can be implemented for
Layer 2 or centralised Layer
3 logical topologies
– More common in smaller
networks with small number
of wiring closets
• 3 Tier Collapsed Backbone
– Connectivity to the Core via
Distribution Layer for Access
devices
– Server Aggregation can be
integrated into the Core Layer
or separate
– Can be implemented for Layer
2, centralised Layer 3 and
Distributed Layer 3 topologies
– More common for larger
campus networks with larger
number of distributed wiring
closets
27
2 Tier Collapsed Backbone
Application server farm
Core Layer
Access Layer
Clients
28
3 Tier Collapsed Backbone
Application server farm
Server aggregation
Distribution
Layer
Core Layer
Access Layer
Clients
29
Logical Topologies
Layer 2 Only Networks
• Rarely deployed but for some environments they may make
sense
• No routing implemented across the infrastructure
• A single broadcast domain for every user, Layer 2 broadcast
traffic seen by every user across the campus
• Multicast Filtering using IGMP Snooping can still be
implemented to provide bandwidth efficiency
• VLANs can still be deployed but will not be routed and
centralised servers/resources will need a presence on every
VLAN
• Advantages
– Simplicity, Cost effective (no need for Layer 3 switching)
• Disadvantages
– Potentially insecure, does not scale well for large environments,
difficult to deploy when network requires access to many
centralised services like Fileservers, Routers and Internet access
– Does not scale for large networks when using public IP addressing
30
Logical Topologies
Centralised Layer 3
• Most common logical implementations particularly for smaller
networks
• Routing is centralised on a single device at the Core Layer
• Distribution Layer switches could be deployed as Layer 2
aggregation devices
• Router Redundancy can be implemented via VRRP or if XRN via
DRR
• Advantages
– Simplified administration, Greater level of control, Security, campus wide
VLANs, user mobility
• Disadvantages
– Potentially scalability limitations (i.e. routing capacity on centralised L3
switch, ARP tables etc), costly redundancy (for dual configurations)
31
Centralized Layer 3 Switching
Application server farm
Server aggregation
Layer 2
Layer 3
Layer 2
32
Logical Topologies
Distributed Layer 3 Network Design
• Common for larger campus networks with many users or
many distinct business units (i.e. University faculties)
• Routing is distributed at the Distribution Layer and the
Core Layer
• Campus backbone based on fully routed interconnecting
links
• Router redundancy implemented via routing protocols
(i.e. OSPF) and VRRP
• Advantages
– Greater scalability, minimised peering, efficient multicasting,
potentially faster convergence (in the absence of STP)
• Disadvantages
– Complicated, potentially error prone in resilient configurations
(routing loops), interaction with Layer 2 protocols (i.e. STP)
• Alternative Designs can use Distributed Layer 3 with a
high speed Layer 2 interconnecting campus backbone
33
Distributed Layer 3 Switching
Application server farm
Server aggregation
Layer 3
Layer 3
Layer 2
34
Designing for High
Availability
3Com Confidential
35
High Availability Networks
•
Networks must go from today’s
1-9 (9x%) to 5-9s (99.999%)
availability.
– Applications, computers and
networks are integrally linked
– Converged networks require
higher availability than traditional
data-only nets
– Mission Critical applications
require High Availability and fast
response time
•
Downtime results in more than
just transaction costs
–
–
–
–
Source: Infonetics - Cost of Network Downtime 2003
Productivity loss
Customer support operations
Impact across the supply chain
Loss of reputation
36
Keys to Continuous Operation
Hardware Availability
Network Availability

Device Reliability

Link Redundancy

Power and Fabric
redundancy

Resilient Topology

Protocol Resiliency

Device Management
redundancy
Application Availability
Proactive Management

Application Prioritization

Fault Prevention

Application Filtering

Fault Identification

Application Security

Device and Network
Reporting

Service measurement
Hardware Availability
•
Hardware Availability is defined based on the following key attributes:
– Device Reliability – High MTBF, MTTR, Hot swappable components
– Power and System Redundancy – Support for redundant power, redundant
switching fabrics, redundant management modules
– Device Management Redundancy – Redundant management architecture,
fault tolerant switch software architecture, device configuration resiliency
•
Hardware availability recommendations
– Hardware Availability comes at a price but delivers greater peace of mind
– High Device Reliability for all products across all Design layers
• Reliable products = High MTBF = Less hardware failures
– Hardware redundancy mandatory for Distribution and Core layer
• Dual PSU as a minimum
• Dual Fabrics where applicable
– Use management redundancy capabilities in active equipment
• Dual Images, Device Configuration backup and restore
• Always initiate configuration backups prior to making changes or installing new
software
– On-site spares
38
3Com Hardware Availability
(Reference)
Product
MTBF
Hardware Redundancy
Management
Redundancy
Optional
Access Layer
Intellijack
PoE
N/A
Baseline 2226 PWR
PoE
N/A
N/A
SuperStack 3 Switch 4400
406,393 hrs
N/A
Stacking, Dual Images,
BU/Restore
RPS, Stack Fault Tolerance
SuperStack 3 Switch 3200
447,000 hrs
Hot Swap SFP
N/A
RPS
SuperStack 3 Switch 3824/48
282,261 hrs
Hot Swap SFP
N/A
RPS (3848)
SuperStack 3 Switch 3870
268,000 hrs
Hot Swap Module/SFP
Stacking, Dual Images
RPS, Stack Fault Tolerance
SuperStack 3 Switch 4900
317,000 hrs
Hot Swap GBIC/SFP
Dual Images, XRN, BU/Restore
RPS, XRN
PoE support, detachable
antennae, removable radios
BU/Restore
Wireless Switch support
Wireless AP
7250/8250/8750/2750
WX4400
300K hrs
Dual Hot Swap PSU, GBICs,
Flash PC Card
Multiple AP configs
Switch 7700
300K - 551,000 hrs
Hot Swap Modules, N+I PSU,
Hot Swap Fans, Distributed
Forwarding
Dual Images, BU/Restore
Dual Fabrics (7700R)
Switch 40x0
452,175 hrs
Hot Swap Fans, PSU,
SFP/GBIC
Dual Images, XRN, BU/Restore
XRN
Switch 7700
300K - 551,000 hrs
Hot Swap Modules, N+I PSU,
Hot Swap Fans, Distributed
Forwarding, Dual Fabrics
(7700R)
Dual Images, BU/Restore
Dual Fabrics (7700R)
Switch 8800
300K hrs
Hot Swap Modules, N+I PSU,
Hot Swap Fans, Distributed
Forwarding, Load sharing
fabrics
Dual Images, BU/Restore
Load sharing Fabrics
Core/Distribution
39
Network Availability
•
•
Network Availability can be achieved by a combination of fault tolerant
features and fault tolerant network design
Network Availability can be delivered via the following:
– Link Redundancy – across the backbone, at the wiring closet or the server
connectivity
– Resilient Network Topology – Standby backbone devices, redundant data
paths, multi-homed devices
– Protocol Resiliency – Useful for Layer 3 switching implementations
– Wireless Network Availability – for wireless devices
– WAN connectivity
•
Network availability for wired networks can be implemented using a
variety of LAN products depending on cost and performance
requirements
– Based on SuperStack switches, Switch 7700/8800 switches or a
combination
•
Fault tolerant network infrastructure implementations can introduce
complexity and thus need to be designed carefully
40
Link Aggregation
•
Parallel active links “bonded” as a single
logical channel for greater performance
•
It is a Point to Point technology
–
Switch 4900 100/1000
•
7700
SS4400
Traffic is hashed across Aggregated links
based on:
–
–
–
Aggregated
Gigabit Links
SS4900SX
SS4900
Point to multipoint can be achieved with
XRN Fabrics
Source/Destination MAC address
Source/Destination IP Address
Source/Destination IPX Address (7700
only)
•
Automatic recovery of any failed link for
redundancy
•
Transparent to Spanning Tree protocol and
can participate in 802.1w
•
VLAN Configuration implemented on
individual ports and aggregated links
•
Standardized by IEEE 802.3ad and LACP
41
802.1w Rapid Spanning Tree
• IEEE Std. 802.1w
– Replaces legacy STP from 802.1D but interoperable
• Determination of the Active Topology for an
arbitrary network
– Automatically eliminates loops
– Chooses optimum links with lowest Path Cost
• Can disable Spanning Tree on a per port basis
• Operates in a backward compatible mode
– Automatically inter-operates with legacy STP
– Allows staged deployment in existing networks
• Allows the use of redundant links
– Automatic use of a backup link after failure
• Very fast convergence time (less than 5 sec)
42
Multiple Spanning Tree Protocol
• VLANs are grouped into multiple spanning tree instances
• Each spanning-tree instance (MSTI) has it’s own
spanning-tree topology with it’s own Root bridge
• Load balance VLANs across multiple data forwarding
paths makes better use of bandwidth
– e.g. from A, VLAN’s 11-20
carried across link to B;
VLAN’s 21-30 are blocked
across this same link
B
• 48 MSTI supported
C
X
X
VLAN’s 11-20
VLAN’s 21-30
• Different load balancing schemes can
be supported through the use of regions
VLAN’s 21-30
VLAN’s 11-20
A
43
•
•
•
•
•
•
Delivers an Active-Standby networking
infrastructure using multi-homing and
standby core devices
Most common fault tolerant network
design implementation
Simplest form of resilient topology
Redundant core acts as a hot standby
to protect against failure on the primary
core
Link Redundancy delivered using
STP/RSTP/MSTP across the backbone
Considerations
– Use alternative devices for the
redundant core backbone to minimize
cost
– Distribute wiring closet across core
devices for increased performance
– Take into account protocol resiliency in
implementing L3 switching by using
protocols like OSPF
Redundant Backbone
Redundant Backbone Design
Redundant Core
44
Router Resiliency Using VRRP
•
•
•
•
•
•
•
Virtual Router Redundancy Protocol
based on RFC2338
Eliminates router single point of
failure
Fast fail-over to virtual redundant
router
Transparent to attached devices
Available for Switch 7700 family and
3Com routers
VRRP is a common router
redundancy implementation offered
by a variety of vendors
Considerations
–
–
Create multiple VRRP instances
with the master router configured
on separate physical switches for
extra redundancy
VRRP is only supported for unicast
IP routing
VLAN C
VLAN B
VLAN C
Master Router
Switch 7700
Backup Router
Switch 7700
VRRP
45
Manual Load Distribution
• Manual load distribution
– Link Failure across any path is recoverable using RSTP
– Users in each VLAN are served by a different Layer 3 switch for load
distribution
– VRRP failover ensures default gateway protection within seconds
– Potential complex implementation
VRRP
Master
VRRP
Backup
VRRP
Master
B
VRRP
Backup
C
802.1Q (VID=1,2)
MSTP
VID = 1
VID = 2
A
46
XRN Core Technology Overview
XRN Core Tech. is
patented 3Com tech.
that is based on standards
allowing any device to
connect to a Fabric
and take advantage of the
performance
and availability of XRN
XRN Core Tech. is an
Innovative hardware and
software implementation
that allows the design
of High Performance,
Highly Available
Gigabit networks
based on XRN
Distributed Fabrics
Distributed Device Management
Enables the Switches in an XRN
Fabric to behave
and configured as a
Single Management entity
(single IP address mgmt, fabric wide configuration etc)
Distributed Link Aggregation
Enables port trunking
across both switches
in the Fabric as
if they were a single switch
Distributed Resilient Routing
Enables the entire fabric
To behave as a single router
That uses the performance
of all switches in the fabric
47
XRN Resiliency
• XRN delivers network wide fault tolerance via the following:
– XRN Distributed Fabric
• An XRN Fabric provides no single point of failure for management, L2
and L3 switching across the interconnected switches
• Support for hardware availability on XRN enabled switches (i.e. RPS,
Dual PSU, hot swap fans, hot swap GBICs)
• Support for fault tolerant software features across the Fabric (i.e. Link
Aggregation, STP/RSTP, Resilient Links)
– Enabling Resilient Network Design
• XRN’s network availability is also delivered via supporting dual homed
aggregated links across both switches in the Fabric
• It provides management, L2 and routing resilience for all dual homed
devices
• Application availability via support for advanced Class of service and
traffic prioritization features across a Fabric
• XRN has integrated self healing capabilities allowing for smooth
network recovery following unit, cable, or fabric interconnect failure in
the Fabric
48
Availability for Wireless Networks
• WiFi networking has inherent resiliency since it enables users
to roam among distributed Access Points
• Failure in wireless LANs can be experienced via:
– Loss or limited signal coverage
– Loss of centralised security services (RADIUS)
– Interference by rogue Access Points
• Key recommendations for Wireless Availability
– Conduct Site Surveys to ensure sufficient coverage among the
campus
– Implement WiFi security (802.1X and WPA)
– Implement consistent ESSIDs to minimise re-authentication
– Wireless Switching delivers the highest level of availability for
wireless clients by enabling clients to roam seamlessly between
APs, wireless switches, subnets within a Mobility Domain and
provides rogue AP detection
49
Network Availability
Recommendations
• Network Availability should permeate overall network design
• Multi-homing and redundant paths between layers extend the
level of fault tolerance for the campus network
– Rapid Spanning Tree should be enabled across all devices to
provide fast convergence
– Mixing RSTP and STP in the same campus will result is slower
convergence times during failure and greater complexity
– Understand your STP topology and chose the most appropriate
root bridge
– Link Aggregation delivers redundancy and bandwidth
• Deploy routing protocols like OSPF for fast convergence of
routed links
• Implement Default gateway protection for IP hosts delivered via
VRRP or XRN DRR
• Implement WLAN Switching for wireless network availability
50
Application Availability
• Application Availability is a fundamental component of all high
availability network design
• Designing for Convergence section covers Application
Availability in greater detail
• Application Availability is delivered
– Application prioritization – identifying mission critical applications
to ensure consistent performance across the infrastructure
– Application Filtering – intelligently identifying rogue applications
and stopping them from consuming network bandwidth without
impeding on the remaining applications
– Network Security – protect mission critical network devices and
applications and control network access to authorized personnel
– Time base rules – tie application filtering and prioritization to time
based rules for extra flexibility
• Application availability enforced primarily through technology
deployed at the edge of the network but honored across the
backbone and potentially the WAN
51
Network Availability Features
Product
Layer 2
802.1D/802.1w
802.1s
Layer 3
802.3ad/LACP
Router Redundancy
Access Layer
Routing Protocols
N/A
Intellijack
N
N
N
SuperStack 3 Switch 4400
Y
N
Y
SuperStack 3 Switch 3200
Y
N
Y
SuperStack 3 Switch 3824/48
Y
N
Y
SuperStack 3 Switch 3870
Y
N
Y
SuperStack 3 Switch 4900
Y
N
Y
XRN DRR
OSPF
Switch 7700
Y
Y
Y
VRRP
OSPF, BGP, ISIS
WX1200/4400
Y
PVST+
Future
Switch 40x0
Y
N
Y
XRN DRR
OSPF
Switch 7700
Y
Y
N
VRRP
OSPF, BGP, ISIS
Switch 8800
Y
Y
N
VRRP
OSPF, BGP, ISIS
Core/Distribution
52
Network Availability Features
Product
Layer 2
802.1D/802.1w
802.1s
Layer 3
802.3ad/LACP
Router Redundancy
Access Layer
Routing Protocols
N/A
Intellijack
N
N
N
Baseline 2226 PWR
N
N
N
SuperStack 3 Switch 4400
Y
N
Y
SuperStack 3 Switch 3200
Y
N
Y
SuperStack 3 Switch
3824/48
Y
N
Y
SuperStack 3 Switch 3870
Y
N
Y
SuperStack 3 Switch 4900
Y
N
Y
XRN DRR
OSPF
Switch 7700
Y
Y
Y
VRRP
OSPF, BGP, ISIS
WX1200/4400
Y
PVST+
Future
Switch 40x0
Y
N
Y
XRN DRR
OSPF
Switch 7700
Y
Y
N
VRRP
OSPF, BGP, ISIS
Switch 8800
Y
Y
N
VRRP
OSPF, BGP, ISIS
Core/Distribution
53
Designing for Convergence
3Com Confidential
54
Designing for Convergence
•
•
Designing for Convergence enables Enterprise networks to
accommodate real time networked applications across the entire
infrastructure
Key Performance Considerations for Convergence
– Service Performance Parameters
• Packet Loss
– Number of packets or % of packets lost during transmission between two end
points
• Latency
– Also known as delay, is the amount of time taken for a packet to reach its
destination end point after transmission
• Jitter
– Also known as delay variation, is the difference in end to end delay between
packets transmitted on a network
– Implementing Traffic Prioritisation
– Broadcast/Multicast containment
– Efficient transport of Multicast
•
•
Designing for Convergence should be inherent in all aspects of
network design and all media (wired and wireless)
Convergence enabled network design results in high performance
55
Traffic Classification and
Prioritization
Optimal Prioritisation
1 to 1 Mapping
Classification
Protocol
Ingress
Port
IP Addr
TCP/UDP Port
7
5
Mac Addr
4
Physical Port
Time
3
Precedence
TOS
0
Access
Control
List’s
Queue 8
Queue 7
Queue 6
6
TCP flag
Ether type
VLAN
802.1D
Priority
High Priority
Egress Port
High priority Traffic
e.g. Video/Voice
Queue 5
Queue 4
Queue 3
1
Queue 2
2
Queue 1
Un-prioritised traffic
e.g. Email
De-prioritised traffic
e.g. Web file downloads
Discard
Filtered traffic
e.g. Soulseek
Low Priority
Dropped
Frames
57
Traffic Policing, Traffic
Shaping and Rate Limiting
Tokens enter bucket
at configured speed
incoming packets
outgoing packets
Tokens enter bucket at
configured speed
incoming packets
Tokens enter bucket at
configured speed
outgoing packets
incoming packets
outgoing packets
classify
classify
classify
Token
Bucket
queue
Token
Bucket
Token Bucket
queue
Discarded
packets
• Traffic Shaping
– Packets that exceed rate
are queued
– Queue empties at uniform
rate
– Introduces latency
– Less disruptive to TCP
bulk transfers
Discarded
packets
• Traffic Policing
– Uses “Committed
Access Rate”
– Packets that exceed
rate are marked or
discarded
– No queuing
buffer
•
Line Rate Limiting
– All traffic is limited
to a particular rate
out of an interface
or port
– Performed on the
port
• Does not introduce
latency
58
Considerations for
Policing, Shaping and Limiting
• Traffic Shaping is used to adjust the output rate
– Occurs after classification, so can be done selectively
– Traffic Shaping may increase network delay, at least for
some packets
• Traffic Policing is used to adjust the input rate
– Occurs after classification, so can be done selectively
– Traffic Policing may cause higher layers to resend
• Line Rate Limiting performed on the port
– Limits the output rate of all traffic irrespective of classification
59
Traffic Prioritization on
3Com Switches
Product
Queues
Queue
Scheduling
Classification/Pr
ioritisation
Application
Filtering
Provisioning
Access Layer
Intellijack
4
WFQ/SPQ
802.1p, DSCP
No
Line Rate Limiting
Baseline 2226 PWR
2
N/A
802.1p
No
N/A
SuperStack 3 Switch
4400
4
WRR/SPQ
802.1p, DSCP, L2L4, Remarking
Yes
Traffic Shaping
SuperStack 3 Switch
3200
4
WRR/SPQ
802.1p, DSCP, L2-L4
Limited (IP ACL)
Line Rate Limiting
SuperStack 3 Switch
3824/48
4
WRR
802.1p, DSCP
N/A
N/A
SuperStack 3 Switch
3870
4
WRR/SPQ
802.1p, DSCP, L2-L4
Limited (IP ACL)
Line Rate Limiting
SuperStack 3 Switch
4900
4
WRR/SPQ
802.1p, DSCP, L2L4, Remarking
Yes
N/A
Switch 7700
8
WRR
802.1p, DSCP, L2L4, Remarking, Time
Yes via ACLs
Policing/Shaping/Line
Rate Limiting
Switch 40x0
4
WRR/SPQ
802.1p, DSCP, L2L4, Remarking
Yes
N/A
Switch 7700
8
WRR
802.1p, DSCP, L2L4, Remarking, Time
Yes via ACLs
Policing/Shaping/Line
Rate Limiting
Switch 8800
8
WRR/SPQ
802.1p, DSCP, L2L4, Remarking, Time
Yes via ACLs
Policing/Shaping/Line
Rate Limiting
Core/Distribution
60
Convergence Ready Wireless
• Having the ability to support convergence applications over a
wireless medium is even more important due to limited
bandwidth
– Voice quality must be as good as wireline
• <50 ms inter-subnet latency is recommended
– Reliable performance under load (capacity management)
– Other issues for convergence over wireless (batter preservation,
voice security etc.)
• Key recommendations for Convergence capable Wireless
Service
– Separate VLANs for VoWLAN devices and assign high priority
– Deploy 802.11e capable wireless devices (clients, APs, WLAN
switches)
• EDCA: adds “offset contention windows” that separate high
priority packets from low priority packets by assigning a larger
random backoff window to lower priorities than to higher priorities.
• HCCA: adds AP-controlled client access on top of EDCF.
Agreements between the AP and client provide policed bandwidth,
polling, delay, and jitter definitions.
61
Multicast Applications
• Many emerging applications used in
enterprise networks today utilise IP
multicasting as a transport
– Video Streaming – Microsoft Windows Media
Services, RealNetworks Helix Server, Apple
QuickTime, IP/TV etc.
– Voice – Music on Hold, Voice Conferencing
– Application Sharing – Microsoft Live Meeting
etc.
– Other applications: NetWare 6, Symantec
Ghost etc.
• Supporting Multicast applications in
Enterprise networks is a key requirement in
most campus designs
• The deployment of bandwidth intensive
multicast applications on networks that are
not designed to support them can
significantly impact network performance
62
Multicast Support in 3Com Switches
Product
Multicast Filtering
Multicast Routing
Access Layer
Intellijack
IGMP Snooping
SuperStack 3 Switch 4400
IGMP Snooping
SuperStack 3 Switch 3200
IGMP Snooping
SuperStack 3 Switch 3824/48
IGMP Snooping
SuperStack 3 Switch 3870
IGMP Snooping
SuperStack 3 Switch 4900
IGMP Snooping
WX1206/4400
IGMP Snooping
Switch 7700
IGMP Snooping, GMRP
PIM-SM, PIM-DM, MSDP
Core/Distribution
Switch 40x0
IGMP Snooping
Switch 7700
IGMP Snooping, GMRP
PIM-SM, PIM-DM, MSDP
Switch 8800
IGMP Snooping, GMRP
PIM-SM, PIM-DM, MSDP
66
Defining Oversubscription
• No Gigabit network can be end to
end non-blocking
• Oversubscription can occur at every
design layer in a campus
infrastructure
• Oversubscription is more common
at the Access Layer
100Mbps
– Real life traffic at the wiring closet
is typically bursty
• A variety of subscription ratios can
be considered at the Access Layer
– 2:1, 4:1, 8:1, 10:1
• Mechanisms used for improving the
effects of oversubscription
n x 100Mbps
– TCP Windowing, Ethernet flow
control 802.3x, traffic prioritisation
67
Considerations for Oversubscription
•
Understand the implications of oversubscription on active devices
–
–
•
Understand traffic patterns on the campus network
–
•
Most traffic will transverse the Core Layer
Distributed forwarding capabilities on Core Layer switches can alleviate
congestion
Ensure that the Server Aggregation Layer does not become a problem area
–
•
Oversubscription results in latency which detrimental for multimedia
Minimize oversubscription at the Core Layer
–
–
•
What percentage of traffic is localised, peer to peer, or going to the server
farm/Internet
Understand applications on the network and the effect oversubscription will
have on these
–
•
In some switches oversubscription may not be clearly identifiable
Throughput figures for some vendors products may be based on theoretical or
unrealistic conditions
If all traffic is destined to the Server Aggregation layer and a single Gigabit port is
connecting it to the Core layer then this is the main point of congestion
Implement Traffic Prioritisation to minimise the impact of oversubscription for
mission critical applications
68
Designing for Pervasive
Network Security
3Com Confidential
69
Pervasive Security Services
“Defence in Depth”
User & Device
Profiles
Users
Devices
Detection
Intrusion Detection
Protocols
Management
Prevention
Security
Policy
Identity
Management
(e.g. X.509
certificates)
Auditing, Change
Control etc.
Application
Enforcement
Authentication, Encryption,
Antivirus, IPS, VPN, FW,
Security Updates, Support,
Isolation
70
Enterprise Topology Secure Topology
Extended Perimeter
Firewalls
Application/Host/Content
Internal
Telephones
Security Policy Management
Branch Office
Multi-Media
Encrypted
Tunnels
Factory Work
Network
Access
Control
Wi-Fi Network
Factory
Sales Rep
Intrusion
Detection &
Prevention
Home Worker
Sales Dept
CEO
System
Integrity
Mobile Worker
Executives
Unified
Secure
Management
Visitor
Internet
Quarantine
Local LAN
Public
Areas
Management
Network
71
Designing for Security
• Our aim in this section will be to concentrate on how campus
Networks can be designed to address some of the security
overlays
– Detailed security implementations and 3Com’s Pervasive
Network Security strategy available in the corresponding
sessions
• Key Security implementations in Enterprise Campus Networks
– Device Management Security
– VLAN centric design
• Separate VLANs for management
• Separate VLANs for Wireless clients
– If using WLAN switching wireless users can be on separate VLANs
• Map VLANs to Security zones and use firewalls/security appliances
where appropriate
– Authentication and Authorisation
• Network Login 802.1X
• AutoVLANs using 802.1X
– Identifying and Controlling Rogue Applications
72
VLAN Centric Design
• VLANs provide security and traffic segmentation and are
supported by Network Cards, switches, wireless access points,
routers and security appliances
• Use VLANs to segment network in logical groups or business
functions
• VLANs can be mapped to IP Subnets and are terminated by
routers/Layer 3 switches
• 802.1Q Tagging a standards based VLAN tagging mechanism
• VLAN Deployment Guidelines
– Use consistent naming and VLAN Tags for all VLANs across the
network
– Configure the correct VLAN Tags on both ends of switch-switch links
– Configure all VLANs across all switches for complete user mobility
across the campus
– In resilient topologies ensure STP does inadvertently block VLANs
between switches (use MSTP instead)
– Ensure that Aggregated Links carry the correct VLAN tagging
information
– Create a separate management VLAN for all active devices
73
Device Management Security
• For networks concerned about the security of their active
devices the following security capabilities should be
considered
– User Authentication for Device Management: Only authenticated
users can access device management (RADIUS or Local)
– Authorised manager access (Trusted IP): Only authorised IP
addresses or subnets can gain management access
– Device Management VLAN: Separate configurable VLAN/subnet
for management
– Selectable Device management options and encrypted
management sessions: Enable/Disable TELNET, HTTP access
and support for SSH, HTTPS etc.
• A combination or all of these capabilities could be
deployed to provide device protection for switches,
routers and appliances
74
Device Management VLAN
•
•
A dedicated VLAN for management of
active devices can be deployed for
greater control
The Device Management VLAN can span
the entire campus using VLAN tagging
Access to management can be in-band or
out of band
–
•
For inband access, use routing with ACLs
or security appliances to control traffic to
the management VLAN
Considerations for Device Management
VLAN
–
–
–
Ensure devices support configurable VID
for management
Campus wide management VLANs are
more applicable in centralised Layer 3
topologies
Device Management VLANs can also be
localised within a wiring closet or a
building for distributed L3 topologies
VLAN10
VLAN20
Management VLAN
VID=1
•
VLAN30
VLAN40
VLAN50
VLAN60
75
Network Authentication
and Authorisation
• Why use 802.1X?
– Users must authenticate before gaining access to network
resources
– All authorizations can be administered centrally
– Accounts can be held ( who, when, where )
• Log files can record various session data, packet counts,
session durations, user names.
• Information can be used for billing
– Security Auditing
• Network Administrators can record who is accessing the network
real-time
– Management
• Network Management applications can display user information
• Clients can be dynamically tracked in real time using Network
Management
76
Network Login and wired VLANs
• 802.1X Network Login can be associated with VLANs
using the following methods
• Static
– Authenticated users assume the pre-configured VLAN
membership of their connected port
• Dynamic (AutoVLANs)
– Authenticated users are dynamically placed in their
corresponding VLAN based on RADIUS attributes
• Non-authenticated users are either excluded or
become members of a “guest” VLAN
• Some devices such as telephones are automatically
authenticated based on MAC address
77
Auto VLAN and
QoS Assignment using 802.1X
User ID: Teacher
PWD: @#$%^
Valid User
VLAN ID: Teacher VLAN
QoS Profile: Email LowP,
Web LowP, Student
Records Server HighP
Student
VLAN
Teacher
VLAN
User ID: Teacher
PWD: @#$%^
User ID: ?
Pwd: ?
78
Network Login and wireless VLANs
• Wireless users can be placed dynamically in the
appropriate VLAN using 802.1X Network Login and
RADIUS (VLAN ID)
• VLAN tagging on Ethernet port of Access point
ensures that AP is aware of all configured VLANs
• Wireless Access point will tunnel wireless user traffic
on the appropriate tagged VLAN already configured
on Ethernet port
• Network Login based Wireless VLANs can deliver end
to end mobility across wired and wireless media
• Access Points also support multiple SSIDs that can
be mapped to separate VLANs for greater level of
security
79
Auto VLAN Assignment using
802.1X with Wireless Access Points
Valid User
VLAN ID: Teacher VLAN
User ID: Teacher
PWD: @#$%^
Student
VLAN
Teacher
VLAN
User ID: Teacher
PWD: @#$%^
User ID: ?
Pwd: ?
80
Mapping VLANs to Security Zones
•
•
Map vulnerable VLANs (i.e. wireless,
guest VLAN) to Security zones in
security appliances/Firewalls for
greater control
If all VLANs are mapped to security
zones then routing will be centralised
by security appliance
–
•
WAN
Security Zone
LAN 1
Security Zone
May have performance implications
A combination of Layer 3 switching,
ACLs and Security zones can provide
greater protection without major
performance compromises
•
When multiple VLANs are mapped to
a Security zone interVLAN routing
within the security zone can be
controlled by local Layer 3 switch
•
Use routing policies or default routes
for sending traffic to enforcement
point
LAN 2
Security Zone
Policy
Enforcement
Point
Internet DMZ
Wireless
Security Zone
81
Security Zones and VLANs
Security
Zone C
Security
Zone D
Security
Zone E
Routed virtual interfaces
VLAN1
VLAN2
VLAN10
VLAN3
Security Zone A
VLAN11
VLAN12
Security Zone B
82
Controlling Rogue Applications
•
•
•
•
•
Use QoS and Application Filtering to control rogue applications
where they originate from: the Access Layer
Using Network Management rogue users and applications can be
identified quickly and corrective action taken
Example:
How Application Filtering and autoQoS assignment on the Switch
4400 could stop the proliferation of the W32.Blaster.Worm virus
W32.Blaster.Worm virus exploits TCP:135 “DCOM RPC” and UDP:69
“TFTP”
– Create a classifier on the 4400 for TCP:135 and UDP:69
– Create a QoS profile called Blaster and assign the previous classifiers
and apply the discard service level
– Enable 802.1X and AutoVLANs, autoQoS on the user ports
– On the RADIUS server assign to all users the filter-id=Blaster attribute
– Next time a user logs in to the network the Blaster profile will be applied
on the switched port the user connects to
83
3Com Pervasive
Network Security Solutions
•
Access Layer
–
–
–
–
•
Distribution Layer
–
•
–
Router 5000/6000 delivering SPI Firewall support
Remote offices
–
•
Switch 7700/8800 with Network Login for locally attached devices (servers),
Layer 2 and Layer 3 extended ACLs, time based ACLs for greater flexibility
Security Switch 6200 defining security zones across the campus acting as the
main chokepoint between wired and wireless users delivering firewalling, VPN
connectivity and IDS across the Security zones
WAN Perimeter
–
•
XRN Fabric using 3Com Switch 40x0 with Application filtering
Core Layer
–
•
3Com Embedded Firewall
Intellijack 220 for user location mapping
SuperStack 3 Switch 4400 for Network Login, user based VLANs and user based
Security/QoS profiles, device management VLAN
3Com WX1200/4400 for secure WLAN switching and AP2750 with wireless
encryption – dedicate wireless VLAN mapped to a security zone
SecureIX deliver remote branch security via SPI Firewall, VPN support and
branch office security zone flexibility
Telecommuters
–
SecureIX delivering firewall, VPN support and security zones within the home
network
84
Security Capabilities In
3Com Campus Devices
Product
L2 Security
L3 Security
Management
Security
Identity Management
Core/Access Layer
Intellijack
DUD, VLANs, MAC
authentication
N/A
N/A
802.1X
SuperStack 3 Switch 4400
DUD, VLANs, MAC
authentication
Application Filtering
Configurable Mgmt VLAN,
SSH, Trusted IP
802.1X, RADIUS Switch
Login, user based VLANs and
QoS profiles
SuperStack 3 Switch 3200
VLANs, Port based ACLs
RADIUS, HTTPS, SSH
802.1X
SuperStack 3 Switch
3824/48
VLANs
RADIUS
SuperStack 3 Switch 3870
VLANs, Port based ACLs
Standard ACLs
RADIUS, HTTPS, SSH
802.1X
WX4400/1200
VLANs
ACLs, Protocol Filtering
RADIUS, HTTPS, SSH
802.1X, user based VLAN
and QoS profiles
AP2750/8x50/7250
VLANs
Protocol Filtering
SuperStack 3 Switch 4900
DUD, VLAN
Application Filtering,
Routed ACLs
Routed ACLs
RADIUS Switch login
Switch 7700
VLANs
Standard and Extended
ACLs, L2/L3/L4 ACLs,
Time based ACLs
Out of band Ethernet,
SNMPv3, SSHv1.5
802.1X, RADIUS Switch
Login
Switch 8800
VLANs
Standard and Extended
ACLs, L2/L3/L4 ACLs,
Time based ACLs
Out of band Ethernet,
SNMPv3, SSHv1.5
802.1X, RADIUS Switch
Login
802.1X
85
Summary
• Efficient Convergence Network Design is key to
performance, business continuity and scalability
• Multi-tiered hierarchical network design provides significant
benefits in terms of scalability and fault tolerance
• Business Continuity is delivered by introducing high
availability capabilities across all network design layers
• Campus Network Designs can be optimised to support
Convergence applications by taking into account service
performance parameters, traffic prioritisation and support for
multicast
• Pervasive Network security addresses multiple threats, at
multiple network design areas and through a variety of
mechanisms
86
Summary
Mobile
Security
IP
Telephony
Applications
LAN
WAN
87
Köszönöm