© 2002, Cisco Systems, Inc. All rights reserved. ttruitt – EotE
Evolution of the Enterprise Next Generation Network Solutions
Todd Truitt – [email protected]
333© 2002, Cisco Systems, Inc. All rights reserved.ttruitt – EotE
The Evolution of the Enterprise Network
• Improve productivity through IP Mobility solutions
• Extend the enterprise network reach through Teleworker IP Communications
• Embed security into the network using Identity Based Network Services
• Provide business resilience using advanced Data Center architectures and storage solutions
• Leverage the Services that Service Providers are beginning to offer
• Network Value
• Enterprise Mobility
• Teleworker IP Communications
• Identity and Embedded Network Security
• Data Center Resiliency
• Leveraging Service Provider Services
• Summary
Business Success Criteria Have Changed
• Reducing Costs
• Increasing Productivity
• Differentiation
Where We Are Today
• Global Internet Business Deployment
• 7 by 24 Operations
• Internet Rate of Change
Where We Have Been
“… a major wake-up call for most large enterprises… network infrastructure is directly tied to the ability to gain competitive advantage in the marketplace today and in the future.”
David Passmore, Burton Group, July 2001
Network Infrastructure Is Critical for Business Excellence
[Diagram: campus network with WAN Branch, WAN Aggregation, Access, Distribution, Core, Data Center and Internet blocks]
Intelligent network services will positively impact profits, cash flow, and productivity
Productivity, Profits, Differentiation
Enterprise Mobility
Increasing Need for Transparent Corporate Connectivity
• On the Road (Hotels, Airports, Convention Centers)
  280 million business trips a year
  Productivity decline away from office >60–65%
  In many Industries “the office is the road”
• At Home (Teleworking)
  137 million telecommuters by 2003
  40% of U.S. telecommuters from large or mid-size firms
• At Work (Branch Offices, Conf Rms, Business partners)
  11 million business meetings a day in the U.S. – 42% are unproductive
  Offices should go where the talent is
Sources: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners Instat 5/01); At Work (Wharton Center for Applied Research)
The Cost of Productivity
Example – Based on 230 work days in a year
Industrial Age: People go “to” work. Internet Age: Work moves “with” people (Home, On the move, Group Settings (Mtgs), Branch).
Example: $200k a year to staff an employee (Salary, Supporting, Benefits, etc.)
$870 per day investment; $108 per hour investment
Average Productivity = 60%
Example: 1 hour increase in productivity per day
Increased gain in employee investment: $108 per day; $540 per week; $24,840 per year per person
Campus WLAN Mobility – Solution Overview
[Diagram: two 802.11b WLANs (WLAN VLAN 33 and WLAN VLAN 44) with Rogue AP Detection and denial, Secure Guest Access for a Vendor, Campus-wide Roaming and Secure User Access]
Campus WLAN Mobility – Secure WLAN Access
Today – WLAN Security Options: LEAP, Static WEP, IPSec Tunnel to Secured Corporate Resources
Q4 2002 – Industry Standard WLAN Security Direction: 802.1x client with PEAP to Secured Corporate Resources
WLANs in the Campus – VLAN Designs
[Diagram: 802.11b WLAN on WLAN VLAN=33; wired data VLAN=10; voice VVID=110]
Separate IP Subnets/VLANs used for Data, Voice and Wireless:
• Ease of deployment
• Scalability as more WLAN devices appear
• QoS and Security Trust Boundaries
Problem: WLAN devices will frequently have different QoS, IP Multicast and Security requirements than IP Phones or PCs. Additionally, installing WLANs will increase the amount of IP address space used.
Solution: Create specific VLANs for WLANs
Campus WLAN Mobility – User based Network Access
[Diagram: 802.1x Authenticated 802.11b WLAN placing users into an Eng VLAN or a Guest VLAN]
• Based upon user’s credentials via 802.1x (User Identity)
• Unauthorized users or those without 802.1x running on their laptop can be denied or placed into a Guest VLAN
Authentication based Resource Access
1. Eng can only access Eng resources
2. HR can only access HR Servers
3. Guest Access for trusted 3rd Party Contractors
Campus WLAN Mobility – Rogue AP Detection and Denial
[Diagram: Rogue AP locked out after failed Authentication; Authorized AP; 802.1x disabled only on all Authorized AP switch ports; 802.1x pushed to WLAN edge]
• Use of wireless analyzer to look for WLAN signals (Rogue AP’s)
• Only switch ports with “Authorized” AP’s have 802.1x disabled on the switch port
• Un-Authorized AP’s are therefore locked out
• Requires 802.1x on all PC’s
Enables IT to control WLAN activities and promotes sanctioned WLAN deployments – inherently reducing rogue WLAN activities
Note: Today rogue WLAN activities are the highest percentage of deployments
WLAN VLAN Designs and Roaming
[Diagram: WLAN VLAN=33 spanning two wiring-closet switches; wired VLAN=10/VVID=110 and VLAN=20/VVID=120]
• Traditionally, VLANs have not spanned wiring closets, to utilize routing protocols for optimal convergence
• This may not be realistic since RF signals may span floors/closets
• Cisco’s 802.1w implementation allows specific VLANs to use the Rapid Spanning-Tree protocol to optimize Layer 2 convergence
Problem: Wireless AP radio signal may “span” wiring closet switches within a building. How does this affect my traditional campus designs?
Solution: Use 802.1w within the building and have a single, building-wide wireless VLAN.
Campus-wide Layer 3 WLAN Roaming
[Diagram: Campus Core connecting two buildings, each with an 802.11b WLAN (WLAN VLAN 33 and WLAN VLAN 44); Mobile IP used for inter-building WLAN Roaming]
Problem: How do Wireless devices roam between buildings?
Solution: Use Mobile IP so the Layer 3 separation between buildings is maintained for higher availability
Only Cisco Delivers End-to-End, Secure QoS Enabled WLAN Network Solutions
[Diagram: Bldg A and Bldg B (Cat6k core, Cat4k access) with Layer 3 between them; Secure WLAN Access, Secure Guest Access for a Vendor, Wireless IP Phone with WLAN QoS, Rogue AP Detection and denial]
Cisco WLAN IP Phone 7920 – Integrated QoS and security; 802.1x, L2 Roaming
Cisco Catalyst Switches – Secure QoS enabled access; 802.1x, dynamic VLANs with AP’s
Cisco Wireless Access Points – 802.1x enabled to provide Secure QoS WLAN access; VLAN support enables wider range of supported WLAN devices and access types
Teleworker IP Communications
Telecommuter Example – Yesterday
[Diagram: Corporate Office (Corporate Number 408-526-4000) reached via Internet and PSTN from a Home Office (Home Office Number 408-555-1212); callouts “Can I use the Phone now?” and “I’m working from home today, call me at 408-555-1212”]
Typical Teleworker Office Setup:
- Uses VPN client on PC to “dial up” corporate data network
- Voice is different phone number and network
- No video facilities
Results:
- Extra phone line/charges for voice calls
- Has to expense phone calls back to employer
- Not in corporate PBX or directory – out of touch
- Must remember to check voice mail periodically
Telecommuter Mobility Today – IP Telephony enabled Teleworker
[Diagram: Corporate Office (Corporate Number 408-526-4000) connected over the Internet by a VPN Tunnel to the Home Office; Home Office Number 408-526-4000, Home Number 408-555-1212 and Fax on the PSTN; QoS enabled on Teleworker Edge at both ends, best effort SP QoS in between; callouts “I need to call John, 408-526-4000” and “Hello, John speaking”]
Results:
- Same use of network tools/access as in corp office
- VPN connection “always on” – corp subnet exists in home
- Same Phone number and VM as Corp office
- No Extra Phone Line/charges for Voice calls
- Increased Workday Productivity
IP Telephony for Teleworker – For Legacy PBX Environments
[Diagram: Corporate Office with Legacy PBX (Legacy/Proprietary Phone Line, Number 408-526-4000), VoIP GW and CallManager; VPN Tunnel (V3PN) over the Internet to the Home Office (Home Office Number 408-526-4000, Fax on the PSTN); Analog Phone Line same as Corp Office Number; best effort QoS in the SP, QoS enabled on Teleworker Edge; callouts “I need to call John, 408-526-4000” and “Hello, John speaking”]
How it Works
1. Analog line configured is same # as Corp Office Legacy PBX Phone
2. Analog Line configured to go thru GW and ring Teleworker’s Home IP Phone
3. Corp Office number called – Rings in both Places
4. Possibly no VM light depending on Legacy PBX Vendor
Teleworker Mobility – Cisco Internal Deployment
• Requirements
  Many Teleworkers require the same IP Telephony services as in Corp Office (Development, Tech Writers, Sales etc.)
  Lower cost on expensed Home phone bills
  Increased workday productivity
• Deployment Characteristics
  Firewall and VPN tunnel termination on IOS router
  QoS configuration
  LLQ on WAN Interface
  Service Provider “best effort”
  Edge QoS with a “Best Effort” SP acceptable for benefits gained – Toll Quality >99% of the time
[Diagram: Home Office, Reading, PA (IOS VPN Router, Aironet Access Point, PC/Video, x64000, Family) – Local SP – Tier 1 SP – VPN Tunnel to a 7200 at Cisco Systems San Jose, CA – Cisco Private WAN – Cisco Systems RTP, NC (CallManager for x59017, x64000)]
Teleworker Mobility – Cisco Internal Results Realized
Before
• Two PSTN Lines – Home + Work
• Work number different than Corp office
• Work number shared by Fax
• Expensed Work phone bill – $200/month
[Diagram: Home Number 408-555-1212 and Fax on the PSTN, PSTN dial-up VPN Tunnel over the Internet to SJ; Multiple Circuits into Home]
After
• One PSTN Line – Home
• Work number same as Corp office
• Separate Fax number
• Expensed Work phone bill – $0
[Diagram: Home Office Number 408-526-4000 over the VPN Tunnel to SJ (408-526-4000); Home Office/Fax Number 408-555-1111 on the PSTN; One Circuit into Home (DSL)]
Only Cisco provides End-to-End, Fully Interoperable V3PN Network Solution
[Diagram: HQ, Branch Office (>T1) and Teleworker (Cable/DSL, SOHO Access SP) with IP Phones, joined by VPN tunnels across the SP Core Backbone]
Cisco IP Phone 79xx – Phone handset with integrated QoS
Cisco CallManager – Call setup and signaling; Host IDS protection
Cisco IOS VPN Routers – Integrated WAN, VPN, and voice gateway for Head end and remote offices
Cisco Powered SP Partners – Providing QoS SLA’s
Identity and Embedded Network Security
Sad but true…
Why Should Security Matter?
• The number of network attacks doubled from 2000 to 2001. They are expected to increase another 100-150% in 2002. Less than 50% of intrusions are actually reported.
  21,756 incidents in 2000
  52,658 incidents in 2001
  26,829 incidents in Q1 of 2002
  Source: CERT
• Estimated losses attributed directly to network intrusions totaled over $15 Billion for 2001.
  Sources: DataMonitor PLC; Computer Security Institute & FBI
What is Identity?
Identity embeds security into the network.
According to the FBI, the majority of all attacks originate from the inside of the network – customers need to secure the “inside”.
Identity provides communications managers with the ability to more tightly control access to the network, the network resources and anything to which the network connects.
Identity Concept Overview – “The What” – Identity Based Networking Services
[Diagram: campus connected to the WAN, Internet, SP VPN, Metro Ethernet and a Hotel, with a Rogue AP at the campus edge]
• Identify mission-critical applications and dynamically apply security and QoS policies
• Provide Guest Users with a “safe” way to connect to the network
• Authenticate devices to control access to potentially “dangerous” areas
• Increase mobile workers/teleworker access security
• Enable Identity-based access to the network resources
Facets of Identity Based Networking Services
• User Identity & Provisioning
• Device Identity & Provisioning
• Application Identity & Provisioning
• Other Ideas
User Identity in Campus Networks
[Diagram: wired users and an 802.11b WLAN behind a Catalyst switch and Aironet AP]
Catalyst switch and Aironet AP will authenticate users via 802.1x
Problem: Currently all network ports are enabled… Anyone can gain access to the “gold”.
Solution: Cisco User-based Identity access control
Unauthenticated users are blocked from accessing the network
User Identity Provisioning in Campus Networks
[Diagram: 802.11b WLAN on Corp WLAN VLAN=33; Sales; Engineering VLAN=10; Guest VLAN=99]
Problem: Different users might have different QoS, security and IP Multicast policies
Solution: Cisco User-based Identity provisioning
Guest users or unauthenticated users can be placed into a safe “guest” VLAN firewalled off from the rest of the company
Users placed in the appropriate VLAN based on their credentials
Policies applied to port include:
• Security
• QoS
• VLAN
SOHO/Teleworker Solution – Spouse and Kids capability
[Diagram: Corp Office reached through a VPN Tunnel over the Service Provider/Internet; Corp user uses the VPN Tunnel after 802.1x Authentication, Personal user gets Internet only; 802.1x Integration]
• Today: Access-Lists used to differentiate corporate Teleworker versus Family users
• Future: Teleworker authenticates via 802.1x and accesses HQ through the VPN tunnel; Family users do not authenticate and simply access the Internet directly
Device Identity & Provisioning – What can be done in the future
[Diagram: CiscoSecure ACS holding QoS Policies, Security Policies, etc.; Voice VLAN 110; Video VLAN 11]
• Authenticated phone placed into the Voice VLAN
• Authenticated Video Conf unit: port given specific QoS parms (required while RSVP is being solidified)
• Rogue AP locked out after failed Authentication
• Printers and other 3rd party devices can be auth’d and provisioned
Application Identity Provisioning in Campus Networks
Problem: Many of the new applications use http for applications. How do network managers identify the mission critical (and not-so-mission-critical) applications?
Solution: Cisco application-based Identity services
Identify which applications are critical to business needs and give them priority
[Diagram: business applications prioritized over MP3 traffic]
Identity Based Enterprise MPLS VPN
• General Idea: Tie Identity to Policy, use policies to separate user environments & traffic.
• Use Policies to compartmentalize users at Layer 2 using VLANs.
• Map VLANs to MPLS VPNs to maintain compartmentalization at Layer 3.
• Secure shared areas using PVLANs and VLAN Capable Firewalls (FWSM).
• Increases Overall network security by providing compartmentalization.
Increasing Overall Network Security by Providing Compartmentalization
[Diagram: ACS Server; MPLS VPN 1 through MPLS VPN 4]
1. User authenticates to network.
2. AAA Assigns VLAN to user at access layer.
3. VLAN maps to specific MPLS VPN at distribution layer.
Jane = VLAN 45 = MPLS VPN 3 = Accounting Network
John Authenticates: John = VLAN 70; VLAN 70 = MPLS VPN 4 (Engineering Network)
At shared resource edges (i.e. data centers) MPLS VPNs map back to VLANs. VLANs segregated by FW blade or PVLANs.
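The three steps on this slide worked through in code, as an added example that is not part of the presentation. It assumes the VLAN arrives from AAA in the RFC 2868 RADIUS tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID), which the slides do not mention; the VLAN/VPN numbers are the slide's, and guest VLAN 99 and its VPN entry are constructed.

```python
# Added example (not from the presentation): 802.1x result -> AAA-assigned VLAN
# -> MPLS VPN at the distribution layer, with the failure modes handled.
# Assumption: RADIUS carries the VLAN in the RFC 2868 tunnel attributes.
from dataclasses import dataclass
from typing import Optional

GUEST_VLAN = 99  # constructed: the "safe" guest VLAN firewalled off from the company

# Distribution-layer mapping VLAN -> (MPLS VPN, network). Slide values plus a
# constructed guest entry; any VLAN absent here has no VPN and goes nowhere.
VLAN_TO_VPN = {
    45: ("MPLS VPN 3", "Accounting Network"),
    70: ("MPLS VPN 4", "Engineering Network"),
    GUEST_VLAN: ("MPLS VPN 1", "Guest Network"),
}


@dataclass
class PortDecision:
    state: str            # "authorized", "guest" or "denied"
    vlan: Optional[int]
    vpn: Optional[str]
    network: Optional[str]


def vlan_from_radius(attrs: dict) -> Optional[int]:
    """Extract the VLAN from Access-Accept attributes, or None if the tunnel
    triple is missing or malformed. A partial or non-numeric triple is never
    honoured, so a bad AAA profile cannot drop a user into an arbitrary VLAN."""
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    group = attrs.get("Tunnel-Private-Group-ID")
    if not isinstance(group, str) or not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


def place_on_port(auth_result: str, radius_attrs: Optional[dict] = None,
                  supplicant_present: bool = True) -> PortDecision:
    """Steps 1-3 of the slide for one access port.

    No 802.1x supplicant      -> guest VLAN (the earlier slide's guest behaviour)
    Access-Reject / failure   -> port stays unauthorized (e.g. rogue AP locked out)
    Access-Accept, good VLAN  -> that VLAN, then its MPLS VPN at distribution
    Access-Accept, bad attrs  -> guest VLAN rather than an unconstrained port
    """
    if not supplicant_present:
        state, vlan = "guest", GUEST_VLAN
    elif auth_result == "Access-Accept":
        vlan = vlan_from_radius(radius_attrs or {})
        state = "authorized" if vlan is not None else "guest"
        vlan = vlan if vlan is not None else GUEST_VLAN
    else:
        return PortDecision("denied", None, None, None)

    vpn, network = VLAN_TO_VPN.get(vlan, (None, None))
    if vpn is None:
        # Authenticated into a VLAN the distribution layer does not map: the
        # compartment has no exit, so treat it as a denial worth alerting on.
        return PortDecision("denied", vlan, None, None)
    return PortDecision(state, vlan, vpn, network)
```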
Data Center Resiliency
Data Centers & Downtime
The cost of an hour of down time
Average cost: $330,000*
Brokerage House Operation: $6.5 Million**
Credit Card Authorization System: $2.6 Million**
* Meta Group
** Strategic Research Corporation
What High Availability means to Businesses
Business Requirements → Technology Enablers
• Enable highly available and scalable distributed application environment → Data Center Networking Transport supporting Data Center Mirroring
• Support Non-stop Business Applications → Highly Available & Scalable Data Center Infrastructure
• Ensure rapid recovery of mission-critical applications → Storage Networking Supporting Data Mirroring
Predictable single and distributed site architecture Design
The evolution of Client/Server to the N-Tier Model
Traditional Client/Server Model: Thick Client (Application GUI) – Application Server – Database Server
N-Tier Model: Thin Client (Web Browser) – Web Server – Application Server – Database Server
Thick Client – Client/Server
Ø Requires Heavy Management
Ø Processes Information Locally and Presents it
Ø Exchanges mostly Data
Thin Client – N-Tier
Ø Needs Little to no client management
Ø Only presents information
Ø Exchanges Data and Presentation Format
N-Tier Model is adopted by key SW Vendors: Siebel – Oracle – Microsoft – IBM – SAP – Peoplesoft
N-Tier in Application Environments
Critical Applications use the N-Tier Model; Data Center Architecture must support the N-Tier model; Distributed Data Centers must support Distributed Computing
Application Areas: CRM, ERP, SCM, Order Processing, E-Commerce, SFA
Web & Other Servers: Apache, IIS, Netscape, NCSA, Other
Business Logic: Java, ASP, J2EE, Java Scripting, Application Code
Database Systems: Oracle, SQL Server, DB2, Sybase
Data Center Transport: Cisco DWDM, CWDM, 10 GE, SONET
Storage: Hitachi, EMC, IBM, Compaq
Logical View
[Diagram: Internet Edge and Campus (Campus Core – Distribution – Access) feeding the Aggregation Layer; below it the Front-end Layer, Application Layer, Back-end Layer and Storage Layer (FC); Data Center Transport (DWDM, FC) to the distributed site]
Aggregation Layer
[Diagram: Internet Edge and Campus Core (Layer 3) into the Aggregation Layer; Layer 2 below it to the Front-end]
Aggregation Layer – Multilayer Switches: L2 – L5, Firewalls, Content Engines, SSL Termination, Intrusion Detection Systems
Ø Aggregation point for key service devices
Ø Support for core L2/L3 features
Front-end Layer – Layer 2 Switches, Web & Client Facing Servers
Ø Connectivity to user facing servers
Ø Fast convergence and Scalable L2 domain
Application and Back-end Layers
[Diagram: Aggregation and Front-end Layers above; separate Layer 2 domains for the Application and Back-end layers]
Application – Firewalls, Layer 2 Switches, Intrusion Detection Systems, Application Servers
Ø Support for middle-ware or business logic servers
Ø Interface to Database systems using scalable & secure L2 domain
Back-end – Firewalls, Layer 2 Switches, Intrusion Detection Systems, Database Servers
Ø Connectivity to Database Systems
Ø Scalable and secure L2 domain
Storage Layer
[Diagram: Back-end Layers of the Primary Data Center and Distributed Data Center connected to Fibre Channel Switches; FC and ESCON attached storage; Data Center Transport between the two Storage Layers]
Storage
Ø Consolidation of Storage & Tape subsystems
Ø File or Block access to data
Ø Client to Storage and Storage-to-storage high speed access
Data Center Transport Layer
[Diagram: Primary Data Center and Distributed Data Center joined by the Data Center Transport carrying GE, FC and ESCON; Front-end Layer, Application Layer and Back-end Layer Data Exchange]
Ø Distributed Computing Applications at different peer layers
Ø High Speed transparent transport media between Data Centers
Ø The same transport layers support campus-to-campus communication
Leveraging Service Provider Services
Service Provider Recommendations – From Enterprise Edge to Edge
• Cisco Powered Network – Delivers end-to-end service level agreements to ensure voice/video quality
  http://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl
• Service Level Agreement
  Packet Loss <= .5%
  Delay <= 60ms One way Delay
  Jitter <= 20ms
• Contiguous CPN Service Provider Recommended
Enterprise + Service Provider SLA Demarcations
Enterprise/Enterprise Edge – Coder, LAN, WAN access: Delay = 45ms
Service Provider – One Way Delay = 60ms, Jitter = 20ms, Loss = 0.5%
Enterprise Edge/Enterprise – WAN access, LAN, De-jitter/Decoder: Delay = 45ms
Goal <= 150ms End to End Delay
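Applying the SLA figures from this slide and the previous one to measured probe data, as an added example that is not part of the presentation. The probe trains are constructed, and the jitter measure (mean absolute change between consecutive one-way delays) is an assumed simplification, not a definition from the slides.

```python
# Added example (not from the presentation): check a voice path against the
# SP SLA (one-way delay, jitter, loss) and the 45 + 60 + 45 = 150 ms end-to-end
# budget on the demarcation slide. Probe samples below are constructed.
from statistics import mean

# SLA figures from the slides
SP_MAX_ONE_WAY_DELAY_MS = 60.0
SP_MAX_JITTER_MS = 20.0
SP_MAX_LOSS_PCT = 0.5
ENTERPRISE_EDGE_DELAY_MS = 45.0   # coder, LAN, WAN access (each side)
END_TO_END_GOAL_MS = 150.0


def path_stats(one_way_ms):
    """Mean one-way delay, jitter and loss for one probe train.

    one_way_ms: per-probe one-way delay in ms, None for a lost probe.
    Jitter here is the mean absolute change in delay between consecutive
    received probes (assumed simplification of RFC 3550 interarrival jitter)."""
    received = [d for d in one_way_ms if d is not None]
    if not received:
        return {"delay": None, "jitter": None, "loss_pct": 100.0}
    loss_pct = 100.0 * (len(one_way_ms) - len(received)) / len(one_way_ms)
    diffs = [abs(b - a) for a, b in zip(received, received[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return {"delay": mean(received), "jitter": jitter, "loss_pct": loss_pct}


def check_sp_sla(stats):
    """Return the SP SLA clauses that were violated (empty list == compliant).
    Thresholds are inclusive, so a train sitting exactly on 0.5% loss passes."""
    violations = []
    if stats["delay"] is None or stats["delay"] > SP_MAX_ONE_WAY_DELAY_MS:
        violations.append("delay")
    if stats["jitter"] is None or stats["jitter"] > SP_MAX_JITTER_MS:
        violations.append("jitter")
    if stats["loss_pct"] > SP_MAX_LOSS_PCT:
        violations.append("loss")
    return violations


def end_to_end_delay(sp_delay_ms, edge_delay_ms=ENTERPRISE_EDGE_DELAY_MS):
    """Enterprise edge + SP + enterprise edge, as drawn on the demarcation slide."""
    return edge_delay_ms + sp_delay_ms + edge_delay_ms


def meets_goal(sp_delay_ms):
    """True when the SP's delay still fits inside the 150 ms end-to-end goal."""
    return end_to_end_delay(sp_delay_ms) <= END_TO_END_GOAL_MS


# Constructed healthy path: 200 probes at 50-56 ms, exactly one lost (0.5%).
GOOD_PATH = [50.0 + (i % 4) * 2.0 for i in range(200)]
GOOD_PATH[17] = None

# Constructed degraded path: 40-140 ms swings and two probes lost (1%).
BAD_PATH = [40.0 + (i % 5) * 25.0 for i in range(200)]
BAD_PATH[3] = None
BAD_PATH[99] = None

if __name__ == "__main__":
    for name, train in (("good", GOOD_PATH), ("bad", BAD_PATH)):
        s = path_stats(train)
        print(name, s, "violations:", check_sp_sla(s),
              "end-to-end ok:", s["delay"] is not None and meets_goal(s["delay"]))
```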
Service Provider Differentiation – Additional things to ask for from Service Providers
• Handling of high priority traffic exceeding contracted rate?
• If multiple SP’s involved – How is SLA achieved?
• Monitoring and Reporting on SLA statistics
• Availability of service and mean time to repair
Ent-SP Boundary Considerations – SP Policing high Priority BW from Enterprise
[Diagram: Branch Office – Service Provider – Central Site]
Service Provider can police high priority traffic to contracted rate for billing
Example: Enterprise contracts for 5mbps high priority traffic; SP enforces to 5mbps – if exceeded, charge extra or mark to lower priority
SP Considerations – Cross Service Provider Boundaries
[Diagram: Branch Office – Service Provider A – Service Provider B – Central Site]
Service Providers must agree on how much high priority traffic they will accept from each other
Many Service Providers mark high priority traffic to lower priority
The Next Generation WAN: Phase 1
[Diagram: Branch Office 1 … Branch Office n and Central Site connected through an MPLS Service Provider (Equant, ATT, etc)]
Hub and Spoke Design for simplicity and services (IP Multicast)
SLA is for a single “dumb, but guaranteed pipe”
Shaping, policing and prioritization all done by the enterprise edge
No traffic classification carried through the SP network
The Next Generation WAN: Phase 2
[Diagram: Branch Office 1 … Branch Office n and Central Site connected through an MPLS Service Provider (Equant, ATT, etc)]
Provider now offers “Service Classes” at varying rates/costs
Shaping, policing and prioritization still done at the enterprise edge
Traffic (re)classified by SP for “class” admission
Classes have varying scheduling and BW guarantees
Voice and Video Enabled VPN – V3PN – What is it?
Yesterday
• VPN – Virtual Private Networks: Data Only (VPN Tunnels over the SP to Teleworker and Branch Office)
• IP Telephony: Private WAN Only (HQ, PSTN, Private IP WAN)
Today
• V3PN – Voice/Video enabled VPN: VPN Tunnels with QoS over a V3PN SP to Teleworker and Branch Office, carrying Voice and Video
V3PN Service Provider Partners
[Diagram: Headquarters (IP Telephony/Services), Branch Office (>T1) and Teleworker (Cable/DSL, SOHO Access SP) with IP Phones across the SP Core Backbone]
SPs today are offering QoS SLA’s (Sprint, Cable and Wireless etc)
Best effort today – SP’s currently developing QoS enabled offerings
Cisco Powered Network SP Partners: http://www.cisco.com/pcgi-bin/cpn/cpn_pub_bassrch.pl
V3PN Business Justification – Lexent, Inc. (NYC) – NYC HQ w/20 remote offices
Alternative 1: Managed Frame Relay (Private Frame Relay Service Provider between NYC and the Branch Offices)
• 20 sites – >$45,000 per month
• 3 year commit, >$1.5M total
Alternative 2: Voice and Video enabled VPN
• 20 sites – <$20,000 per month
• 1 year commit, <$250K total
Summary
Business Dependencies
• Change is constant: now is the time to evaluate, plan, and innovate
• Technology is an enabler for turning change into opportunity
• Mobility, IP Communications, Identity, Resilient Data Centers and Network Services will lower costs or increase productivity
Now is the time to strategically leverage change for business Breakaway