Main Office with ISR
Cisco Secure Network Foundation Smart Designs
2008 Cisco Systems, Inc. All rights reserved.
SMBEN v2.04-1
Lesson Overview
Upon completing this lesson, you will be able to identify SNF architecture designs to meet customer needs. This ability includes being able to meet these objectives:
Discuss components of SNF design
Articulate relevant main office models of the SNF Architecture Guide
Describe the Layer 2 and Layer 3 LAN design
Main Office
SNF Smart Design Goals
This design addresses the needs of a typical SMB by providing:
A foundation design that can handle as many as 96 users
A flexible design that allows for later addition of enhanced capabilities
Secure Internet access
Secure network infrastructure
Best-in-class WAN and LAN switching
Voice-ready, adapted design for future deployments
Complete network design for rapid deployment
Entire system configurable via easy-to-use graphical tools: Cisco Network Assistant and Cisco SDM
SNF Smart Design Architecture Framework Considerations
The Smart Design Architecture Framework outlines considerations for implementing various deployment options in the following specific sections:
Business locations
Services offered
Smart Design Architecture: architecture models and components
Choosing between hybrid and integrated models
Main Office with Integrated Router
[Diagram: main office with integrated router. Elements shown: WAN/Internet, integrated router, DMZ (web servers, e-mail servers, etc.), aggregation switch, centralized call processing and Unity server, access switches]
Main Office WAN Services
[Diagram: main office WAN services. Elements shown: main office with ISR, aggregation switch and access switch; Internet; teleworker site with 800 ISR or Linksys device over DSL/cable; mobile worker with Linksys device]
Main Office Services Offered
IP address conservation (NAT)
Internet access
Access to main office servers (such as HTTP, e-mail, DNS)
IP telephony support
Centralized call control
Infrastructure to support video traffic
Multicast from main office (sender)
VPN with Dynamic Multipoint VPN
VPN with Easy VPN
VPN with SSL VPN
Main Office Services Offered (Cont.)
Single WAN interface for Internet and inter-site traffic
Dual WAN interfaces for redundancy
Dual Cisco ASAs for active-standby redundancy
Protection against access switches for redundancy
Protection against access switch uplink failure (via redundant links)
Firewall IPS (optional)
Infrastructure protection
Monitoring WAN router health and notification via e-mail/Syslog
Main Office Network Infrastructure
Dynamic routing
VPN (Dynamic Multipoint VPN)
VPN (Easy VPN)
VPN (SSL VPN)
QoS
Voice ready
Video ready
Multicast
Firewall
IPS
Infrastructure security
GUI-based configuration
Architecture Framework Variations
Integrated model
Hybrid model
Simplified Design with Layer 2 LAN
Integrated vs. Hybrid Models for the Main Office
[Diagram, two panels. Integrated Model: WAN/Internet; firewall functionality integrated with WAN router(s); DMZ servers; aggregation switch; local servers; call processing, DHCP, etc.; access switches. Hybrid Model: WAN/Internet; WAN router; separate firewall; DMZ servers; aggregation switch; local servers; call processing, DHCP, etc.; access switches]
Simplified Design with Layer 2 LAN
[Diagram: simplified design with Layer 2 LAN. Elements shown: main office with 2800 ISR, Catalyst Express 500G 12TC and Catalyst Express 500 24PC; Internet; teleworker with 800 ISR; mobile worker]
SNF Design Comparison
                                     Hybrid Design           Integrated Design                 Layer-2-LAN Design
Target network size                  High (up to 250 users)  High to Medium (up to 250 users)  Low (up to 99 users)
Uses separate security appliance     Yes                     No                                No
Supports branch offices              Yes                     Yes                               No
Supports teleworkers/mobile workers  Yes                     Yes                               Yes
GUI-based provisioning focus         Low                     Low                               High
Design supports high availability    Yes                     Yes                               No
Hardware Components
Number of Users  Router      Aggregation Switch          Access Switch
0-24             Cisco 2801  None                        Catalyst Express 500-24PC (1)
25-36            Cisco 2811  Catalyst Express 500G-12TC  Catalyst Express 500-24PC (2)
37-48            Cisco 2821  Catalyst Express 500G-12TC  Catalyst Express 500-24PC (2)
49-96            Cisco 2851  Catalyst Express 500G-12TC  Catalyst Express 500-24PC (3-4)
Layer 2 LAN Design
[Diagram: Layer 2 LAN. Elements shown: WAN router, 802.1Q trunk, aggregation switch, 802.1Q trunk, access switch (10/100/1000 Mbps links); local service VLAN 4 (AAA server), Cisco data VLAN 31 and Cisco voice VLAN 41]
Possible LAN designs
Layer 3 processing at WAN router only
Layer 3 processing at WAN router and aggregation switch
Layer 3 processing at WAN router, aggregation switch and access switches
VLANs
VLAN Name       VLAN Number  VLAN Description at the Main Office
Cisco-Data      31           Carries traffic from/to PCs
Cisco-Voice     41           Voice traffic
Local-Services  4            Optional; used to connect a server such as an AAA server to authenticate users, or other servers providing local services not accessible from the Internet
802.1Q Trunking and STP
[Diagram: 802.1Q trunking and STP in the Layer 2 LAN. Elements shown: WAN router, 802.1Q trunk, aggregation switch, 802.1Q trunk, access switch (10/100/1000 Mbps links), STP; local service VLAN 4 (AAA server), Cisco data VLAN 31 and Cisco voice VLAN 41]
SmartPorts Roles
Switch model: WS-CE500-24PC (access switch)
  Fast Ethernet ports 1 to 24 (connected to PCs, phones)
    Recommended SmartPort role: phone+desktop
    Recommended SmartPort parameters: Data VLAN = 31, Voice VLAN = 41
  Gigabit Ethernet or SFP module ports 1 and 2 (connected to aggregation switch)
    Recommended SmartPort role: switch
    Recommended SmartPort parameters: note that all VLANs are trunked
Switch model: WS-CE500G-12TC (aggregation switch)
  Gigabit Ethernet ports 1 to 8 (connected to any server)
    Recommended SmartPort role: servers
    Recommended SmartPort parameters: use access VLAN = the VLAN for the server (for AAA and CUCM, this VLAN is 4)
  Gigabit Ethernet or SFP module ports 9 to 12
    Recommended SmartPort role: switch or router, depending on where it is connected
    Recommended SmartPort parameters: note that all VLANs are trunked
CUCM = Cisco Unified Communications Manager
WAN Design
[Diagram: WAN design. Elements shown: main office with 2800 ISR and two Catalyst Express switches; Internet; teleworker site with 800 ISR or Linksys device over DSL/cable; mobile worker with Linksys device]
Layer 3 Design
Layer 3 Services
IP routing
IP routing protocols
IP addressing and DHCP
DNS
Network Address Translation
NTP
QoS
[Diagram: Layer 3 services between the main office and the Internet]
Layer 3 Design: IP Addressing and DHCP
[Diagram: laptop on the data VLAN subnet (10.11.31.y) and IP phone on the voice VLAN subnet (10.11.41.x), served by the 2800 ISR integrated DHCP server. Address pools: Voice VLAN pool [Link]/24, Data VLAN pool [Link]/24]
IP Addressing Considerations
Voice and data VLANs
DHCP address assignment
DNS name to IP address resolution
Layer 3 Design: NAT
[Diagram: NAT between the inside networks ([Link]/24, 11.31.108/24) and the Internet, using the router's public IP address ([Link]) on the NAT outside interface]
NAT Translation Table:
Inside IP  Outside IP
[Link]     [Link]:5001
[Link]     [Link]:5006
Layer 3 Design: NTP
Ensures accurate local time synchronization within a network
Maintained by a master source, typically a radio or atomic clock on the Internet
Ensures network events and messages contain accurate time information
Collects call-detail records and generates billing reports
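Added configuration example (not taken from the design guide or any Cisco sample) showing the "Layer 3 processing at WAN router only" case: the 2800 ISR terminates the 802.1Q trunk, runs the integrated DHCP server for the data and voice VLANs (option 150 hands phones their TFTP server), translates the data VLAN behind the single public WAN address with PAT, and synchronizes time with NTP. Interface names, the 10.11.31.0/24, 10.11.41.0/24 and 10.11.4.0/24 subnets, the server addresses and the NTP source are assumptions.

```cisco
! Constructed example: 2800 ISR as the only Layer 3 device (router-on-a-stick).
! Assumed: Gi0/0 trunks to the aggregation switch, Gi0/1 faces the ISP; the
! 10.11.31.0/24, 10.11.41.0/24, 10.11.4.0/24 subnets, server addresses and NTP
! source are assumptions, not values taken from the design guide.
!
! One 802.1Q subinterface per VLAN; the router is each subnet's default gateway
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.31
 description Cisco-Data VLAN 31
 encapsulation dot1Q 31
 ip address 10.11.31.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.41
 description Cisco-Voice VLAN 41
 encapsulation dot1Q 41
 ip address 10.11.41.1 255.255.255.0
!
interface GigabitEthernet0/0.4
 description Local-Services VLAN 4 (AAA, CUCM, DNS)
 encapsulation dot1Q 4
 ip address 10.11.4.1 255.255.255.0
!
interface GigabitEthernet0/1
 description WAN/Internet (DSL/cable)
 ip address dhcp
 ip nat outside
!
! Integrated DHCP server: one pool per user VLAN, gateway addresses excluded
ip dhcp excluded-address 10.11.31.1 10.11.31.10
ip dhcp excluded-address 10.11.41.1 10.11.41.10
ip dhcp pool DATA-VLAN-31
 network 10.11.31.0 255.255.255.0
 default-router 10.11.31.1
 dns-server 10.11.4.10
ip dhcp pool VOICE-VLAN-41
 network 10.11.41.0 255.255.255.0
 default-router 10.11.41.1
 option 150 ip 10.11.4.20
!
! PAT: only the data VLAN is translated behind the single public WAN address
ip access-list standard NAT-INSIDE
 permit 10.11.31.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! NTP: sync to an upstream source so logs and call-detail records carry accurate time
ntp server 192.0.2.123
```

After applying it, `show ip nat translations` lists the inside-to-outside port mappings of the kind shown in the NAT translation table above, and `show ntp status` confirms the clock is synchronized.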
Layer 3 Design: QoS
QoS provides:
Dedicated bandwidth support for specific types of traffic
Improved traffic loss characteristics
Network congestion avoidance and management techniques
Traffic shaping to smooth intermittent bursts
Traffic prioritization across a network
SNF: Integrated Security Design
Infrastructure Protection
Secure device access
Port-based security
Disable unused services
Traffic control
Spanning-tree protection
Enable necessary services
Policy Enforcement
Anti-spoofing services
Virus prevention
Unauthorized access prevention
Intrusion Prevention
Worm mitigation
Secure Connectivity
Virtual private network
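Added configuration example (not from the design guide) applying the infrastructure-protection and anti-spoofing items above on the 2800 ISR: management restricted to SSH and HTTPS (kept for Cisco SDM) from the local-services VLAN, unused services disabled, a WAN ingress filter plus unicast RPF so packets arriving from the Internet with inside or reserved source addresses are dropped, and health events sent to syslog. Interface names, the 10.11.4.0/24 management subnet, the domain name and the syslog host are assumptions; port-based security and spanning-tree protection live on the Catalyst Express switches and are set through Cisco Network Assistant, so they are not shown here.

```cisco
! Constructed example of the infrastructure-protection and anti-spoofing items
! applied on the 2800 ISR. Interface names, the 10.11.4.0/24 management subnet,
! the syslog host and the domain name are assumptions, not design-guide values.
!
! Secure device access: SSH and HTTPS (for Cisco SDM) only, from VLAN 4 only
hostname MainOffice-ISR
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <strong-passphrase>
aaa new-model
aaa authentication login default local
access-list 10 permit 10.11.4.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! Disable unused services, enable the ones the design relies on
no service finger
no service pad
no ip bootp server
no ip source-route
service password-encryption
service timestamps log datetime msec localtime
!
! Anti-spoofing at the WAN edge: drop packets claiming inside or reserved
! sources, then check that each remaining source routes back via this interface
! (allow-default is required because the only route out of Gi0/1 is the default)
ip access-list extended WAN-ANTISPOOF-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
interface GigabitEthernet0/1
 description WAN/Internet
 ip access-group WAN-ANTISPOOF-IN in
 ip verify unicast source reachable-via rx allow-default
 no cdp enable
!
! Monitoring: router health and ACL hits go to the syslog collector on VLAN 4
logging host 10.11.4.30
logging trap informational
```

Check the result with `show access-lists WAN-ANTISPOOF-IN` (hit counts on the deny lines reveal spoofing attempts) and `show ip interface GigabitEthernet0/1`, which reports the uRPF drop counter.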
Q&A
Lesson Summary
The SMB Smart Design addresses the secure infrastructure needs of a typical small business and provides many benefits. Three variations of the Smart Design architecture framework are available: the Integrated model, the Hybrid model, and the Simplified Design with Layer 2 LAN. LAN designs, which can consist of core, distribution, and access layers, are typically deployed in one of three ways using either Layer 2 or Layer 3 LAN considerations.