Enterprise Council Comms overview


Designing Converged Networks

Lehner Tamás 3Com Magyarország

Introduction

• Lehner Tamás, Managing Director – 3Com Magyarország
• 1036 Budapest, Lajos utca 48-66 E/2
• Web address: http://www.3com.hu
• Email: [email protected]
• Phone: +36 1 430 2430
• Fax: +36 1 430 2437

3Com’s Tradition of Innovation

Among the Strongest Patent Portfolios in the Industry 1972 Bob Metcalfe invents Ethernet

3Com

founded 1979 Small Business 3Com initial Solution introduced 1996 NBX introduced public offering 1999 March 1984 By 2000

330,000,000

Ethernet connections shipped Wireless introduced

400,000

Handsets shipped 3Com Switch 7700 core enterprise platform introduced ™ 3Com Security Switch 6200 announced 1972 1984 1992 1996 1998 2000 2002 2003 Ethernet patented

#4063220

13 December 1977 3Com Introduces SuperStack ® line 1 st Stackable Ethernet Hub

3Com Patent Portfolio June 2004 1146 patents issued 613 patents pending

1995 Stackable GbE Network Jack introduced Joint venture announced with Embedded Firewall Security launched Shipped

1,000,000 th

10/100 Managed Switch Router 3000/5000 launched VCX™ for enterprise VoIP solutions announced

End to End Solutions

IP Telephony Security Mobile

Applications

LAN WAN


Agenda

• This session will be an in-depth Network Design clinic aimed at educating Systems Engineers and Presales consultants on how to design and deploy converged network infrastructure solutions using 3Com products. The session will cover the following:
  – Network Design Fundamental Concepts
  – Designing infrastructure solutions for High Availability
  – Designing infrastructure solutions for Convergence
  – Implementing Security across the network infrastructure
  – Real life scenarios for convergence designs

Campus Network Fundamentals

3Com Confidential

Physical Layer Options (LAN & WAN)

• LAN Ethernet Campuses will be designed using the following physical media
  – UTP
    • Category 5/5 Enhanced/6
    • Connectivity to the Desktop, Server Farm, Inter switch connectivity within the same wiring closet
  – Fiber
    • Multimode Fibre (50 micron/62.5 micron), Single Mode Fiber (9 micron)
    • Campus Backbone, Building Backbone, Server Farm
  – Other options
    • STP (Legacy Ethernet), Volition (3M Fibre to the desktop)
• WAN
  – Leased Lines, FR, DSL and VPN

Network Technologies

• It's the ubiquitous Ethernet!
• Ethernet technologies dominant at all areas of a campus network
  – Wiring Closet: Fast Ethernet, Gigabit Ethernet
  – Backbone: Gigabit Ethernet, 10G Ethernet
  – MAN/WAN: Ethernet, Fast Ethernet, Gigabit, 10G Ethernet
• Supported across all physical media, Copper/Fiber
• Alternative technologies may still be used in legacy infrastructures but are being rapidly phased out
  – ATM, Token Ring, FDDI

Gigabit Ethernet

• Gigabit Ethernet is now the dominant backbone and aggregation technology in enterprise networks
  – Overwhelming majority of campus backbones based on 1000BASE-SX and 1000BASE-LX
  – Long haul fibre Gigabit connections for private MANs using 1000BASE-LH70
  – 1000BASE-T as standard on Servers
• The availability of low cost 10/100/1000 switching is extending its reach to the mainstream wiring closet
  – Majority of new PC motherboards utilising 10/100/1000 LOM NICs
• Fast Ethernet is still the dominant access layer technology due to the low cost of active equipment

Gigabit to the Desktop has arrived

• Key factors driving the mass adoption of Gigabit to the desktop
  – Cost: Parity with high end 10/100 stackable platforms
  – Future proofing: Advanced functionality, Layer 3 ready, 10 Gigabit Ethernet support
  – Maturity: Many vendors already delivering 3rd/4th Generation Gigabit switching architectures
  – Scalability: High port density Gigabit platforms, High speed stacking architectures
  – Availability: 10/100/1000 as standard on all current PC/Macintosh platforms, no extra cost for NIC
• Gigabit to the desktop already deployed in a variety of customers and verticals

Networking Technologies – 10G

• The IEEE 802.3ae Task Force was responsible for defining the 10G Ethernet standard
  – Standard was ratified in Q2CY2002 by IEEE-SA body
  – 10GBASE-CX4 (IEEE 802.3ak) Task Force has now completed specification work and is a published standard
  – 10GBASE-T (IEEE 802.3an) Task Force is still undertaking specification work and expected to be finalised in mid CY06
• 10GEA was established to promote standards based 10G technology among vendors
  – 3Com was a founding member of 10GEA
  – 10GEA was dissolved in Q1CY2003 following completion of objectives and ratification
• 10G is a key technology in 3Com enterprise strategy as it defines the next generation high performance LAN and WAN backbone technology

Ethernet Technologies and Media

(Reference)

Technology | Mode | Speed | Media | Distance | Connector

Fast Ethernet
100BASE-T | Half Duplex/Full Duplex | 100Mbps | UTP/STP | 100m | RJ-45
100BASE-FX | HD/FD | 100Mbps | MMF/SMF | 2Km/15Km | SC/ST

Gigabit Ethernet
1000BASE-T | Full Duplex | 1000Mbps | UTP | 100m | RJ-45
1000BASE-SX | Full Duplex | 1000Mbps | MMF | 220-5Km | SC/LC/MTRJ
1000BASE-LX | Full Duplex | 1000Mbps | MMF | 550m | SC/LC/MTRJ, Conditioned Launch cable reqd
1000BASE-LX | Full Duplex | 1000Mbps | SMF | 5Km-10Km | SC/LC/MTRJ
1000BASE-LH70 | Full Duplex | 1000Mbps | SMF | 70Km | SC/LC/MTRJ

10G Ethernet
10GBASE-CX4 | Full Duplex | 10Gbps | Twinaxial | 15m | microGiGaCN
10GBASE-LX4 | Full Duplex | 10Gbps | MMF/SMF | 240m-10km | SC/LC
10GBASE-SR | Full Duplex | 10Gbps | MMF | 26m-300m | SC/LC
10GBASE-LR | Full Duplex | 10Gbps | SMF | 10km | SC/LC
10GBASE-ER | Full Duplex | 10Gbps | SMF | 40km | SC/LC
10GBASE-T | Full Duplex | 10Gbps | UTP/TBD | 55-100m | TBD

Network Design Layers

[Diagram: Application server farm, Server aggregation, Core Layer, Distribution Layer, Access Layer, Clients]

Access Layer

• Typically the wiring closet, connecting the following devices via the horizontal cabling distribution
  – End stations, printers, IP phones, Wireless Access Points, distributed fileservers
• Ethernet switches at the Access Layer can be fixed configuration or modular
• Access Layer switches are typically Layer 2 devices or Layer 2+ devices
• Networking technologies at the Access Layer can be 10/100, Gigabit Ethernet
• Power over Ethernet 802.3af technologies to support IP telephones, wireless access points, Internet cameras, specialised appliances

Key Requirements at the Access Layer

• Quality of Service and Traffic prioritization enforcement
  – Multiple Priority Queues – minimum 4
  – Multilayer traffic classification
  – Standards based traffic prioritization using 802.1p and DiffServ/IP ToS
  – Rate Limiting capabilities for bandwidth allocation
• Authentication and Authorisation of end stations and devices
  – Network Login 802.1X
  – Authorised MAC addresses
• Enforcement of security policies via Application Filtering or Access Control Lists
• Basic device availability capabilities such as Backup and Restore
• Network availability features such as STP/RSTP for resilient layer 2 network designs

Choosing The Right Form Factor For The Access Layer

• Fixed Configuration/Stackable
  – Standalone Switches
    • Advantages: Lower cost, Lower blocking ratio
    • Disadvantages: Limited scalability, additional management overhead, higher port density requirements at preceding layer, limited resiliency
  – Stackable Switches
    • Advantages: Low cost, high scalability, ease of management, higher resiliency
    • Disadvantages: Potential bottlenecks, limited media flexibility for heterogeneous environments
• Modular Chassis
  – Advantages: Highest availability, Performance, scalability, flexibility, Common hardware with Distribution layer/Core Layer, Investment protection
  – Disadvantages: Cost, potential complexity

Power over Ethernet

• Power over Ethernet is key technology at the Access Layer
• Standard now ratified as amendment IEEE Std 802.3af-2003
• Enables the transfer of low voltage power over standard Ethernet cabling for IP telephones, video cameras, wireless devices etc.
• Can be integrated on an Ethernet switch or via midspan product
• Due to cost premium, a combination of PoE and normal Ethernet connectivity applicable at the Access Layer
• Stackable PoE switches and PoE modules in modular switches enable the mix and match of PoE and non-PoE ports

Wireless Connectivity at the Access Layer

• Wireless Access points providing connectivity to wireless devices are functionally part of the Access Layer
• Same requirements as in wired Access Layer connectivity are applicable
  – Quality of Service and traffic prioritisation
    • 802.11e support
    • Traffic and protocol Filtering
    • Multiple 802.1Q VLAN support on Ethernet uplink
  – Authentication and Authorisation
    • Network Login 802.1X support
    • Multiple SSID support
    • Mapping VLANs to authorised users or SSID
  – Security
    • WPA, WEP, AES encryption
    • Certificate support
    • 802.11i capability
  – Availability
    • Roaming capabilities
    • Device availability (backup and restore, Power over Ethernet support)

Wireless Switching

• Wireless Switching can be deployed at the Access Layer to facilitate the deployment of many distributed access points across the campus
  – In certain configurations a wireless switch may be centralised in the Core/Aggregation Layer supporting multiple distributed APs in the Access Layer
• It centralises certain wireless capabilities on the wireless switch (RF management, security, AAA, device profiles etc)

[Diagram, two panels. "Traditional" ('Fat' APs): Antenna; 802.11 a/b/g; Encryption; 802.1X, TKIP, 802.11e, 802.11f, 802.11h; Mobile IP, IPSec, Certs; Corporate Network. "Wireless Switching" (lower cost 'Fit' APs, more managed wireless solutions): Antenna; 802.11 a/b/g; Encryption; Layer 2 Switch; Wireless Switch; Rogue Wireless Protection; Site Surveys; Per-user Firewall; Self-Healing; RF Management; 802.1X, TKIP, 802.11e, 802.11f, 802.11h; Mobile IP, IPSec, Certs; Corporate Network]

Access Layer Offerings

(Reference)

Product

Fast Ethernet Intellijack Baseline 2226 PWR SuperStack 3 Switch 4200 SuperStack 3 Switch 4400 SuperStack 3 Switch 3200 Switch 7700 Switch 8800 Gigabit Ethernet SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 SuperStack 3 Switch 4900 Switch 7700 Wireless AP7250 AP8xxx AP2750 WX1200

Form Factor

Wall plate switches Fixed config 10/100, Gigabit Fixed config 10/100, Gigabit Fixed config 10/100, Gigabit Fixed config, 10/100, Gigabit 4/7/8 slot Modular 7/10/14 slot Modular Fixed config 10/100/1000 Fixed config 10/100/100/10G Fixed config 10/100/1000 4/7/8 slot Modular Standalone AP Standalone AP Managed AP (MAP) Fixed Config 10/100 WX4400 Fixed Config, Gigabit

Technology

10/100 10/100, Gigabit Uplinks 10/100, Gigabit Uplinks 10/100, 10/100 PoE Gigabit Uplinks 10/100,Gigabit Uplinks 10/100 Gigabit 10/100. Gigabit, 10G 10/100/100 Gigabit 10/100/1000 10G 10/100/1000 10/100/1000, 10G 802.11g

802.11a/b/g 802.11a/b/g Wireless switching, 10/100, PoE Wireless switching, Gigabit

Max Port Density

5 24 24/28/50 26/50 24/50 288 288 24+4/48+4 24+4/48+4 28 120 100 users 100 users 8 4 * future release

Functionality Uplink

Unmanaged, Advanced L2 Web Managed Stackable, Standard L2 Stackable, Advanced L2 Advanced L2, Basic L3 Advanced L2, Advanced L3 Advanced L2, Advanced L3 FE: RJ45/SC/ST GE: SPF FE: RJ-45, GE: SC FE: RJ-45, GE: MTRJ FE:RJ-45, GE: SFP FE: RJ-45/MTRJ, GE: RJ 45/SC/SFP FE: RJ-45/MTRJ, GE: RJ 45/SC/SFP Standard L2 Advanced L2, Basic L3* Advanced L2, Advanced L3 Advanced L2, Advanced L3 GE: SFP GE: SFP, 10G: XENPAK GE: MTRJ/SC GE: RJ-45/SFP/LC, 10G: XENPAK 802.1X, Multiple SSID, VLAN, Encryption 802.1X, Multiple SSID, VLAN, Encryption 802.1X, Multiple SSID, VLAN, Encryption Advanced L2, 802.1X, Multiple BSSID/SSID, VLAN, AAA, Per user policies, firewall, crypto Advanced L2, 802.1X, Multiple BSSID/SSID, VLAN, AAA, Per user policies, firewall, crypto 10/100 10/100 10/100 10/100 GE:SC/RJ-45 19

Distribution Layer

• In smaller networks or single building backbones, the distribution layer may be omitted
• The goal of the Distribution layer is to aggregate wiring closets, provide greater segmentation across the campus and provide higher throughput for localised traffic
• Distribution layer switches could also be used to provide connectivity to distributed fileservers across a campus network
• By deploying high availability at the Distribution Layer you extend overall network fault tolerance
• Distribution layer switches could be co-located at an Access Layer wiring closet or at a dedicated wiring closet
• If used, the Distribution Layer becomes the control point for the campus network

Key Requirements for the Distribution Layer

• High Performance Gigabit switching for aggregating multiple wiring closets
• Media flexibility to accommodate cabling infrastructure
• Quality of Service and Traffic prioritisation enforcement
  – Multiple Priority Queues – minimum 4
  – Multilayer traffic classification and traffic prioritisation
  – Ability to identify and remark existing traffic priority before it traverses the campus backbone
• Multilayer switching capabilities supporting Layer 2, Layer 2+ and Layer 3 switching
  – Support for many Link Aggregation groups connecting to the Access and Core Layer
  – Routing support for larger distributed internetworks
• Hardware availability and network availability features

Distribution Layer Offerings

(Reference)

Product | Form Factor | Technology | Max Port Density | Functionality | Uplink
SuperStack 3 Switch 4900 family | Fixed config 10/100/1000 | 10/100/1000 | 28 | Advanced L2, Advanced L3 | GE: RJ-45, MTRJ, SC
Switch 40x0 | Fixed config 10/100/1000 | 10/100/1000 | 28 | Advanced L2, Advanced L3 | GE: RJ-45, SFP, MTRJ, SC
Switch 7700 | 4/7/8 slot Modular | 10/100/1000, 10G | 120 | Advanced L2, Advanced L3 | GE: RJ-45/SFP/LC, 10G: XENPAK
Switch 8800 | 7/10/14 slot Modular | 10/100, Gigabit, 10G | 288 | Advanced L2, Advanced L3 | FE: RJ-45/MTRJ, GE: RJ-45/SC/SFP

Core Layer

• The Core Layer is typically implemented at the main campus Data Centre
• It acts as the main interconnecting area across the campus backbone linking distribution layer switches and/or access layer switches
• The separation of the Core and Distribution layer enhances the scalability of the campus network especially in layer 3 centric designs
• The Core layer could also provide Server Aggregation provided capacity exists and network topology allows

Key Requirements of Core Layer

• High Performance non-blocking Gigabit switching
  – High performance Centralised forwarding
  – Distributed forwarding capabilities in modular systems
• Scalable architectures capable of accommodating higher bandwidth, more ports, advanced levels of functionality
• Multilayer switching capabilities to accommodate any kind of logical design
  – ASIC based multilayer switching
  – Hardware based ACLs
• Advanced Convergence capabilities capable of honouring incoming QoS settings and enforcing outgoing QoS settings
  – Multiple priority queues: Minimum 4
  – Multilayer traffic classification and prioritisation
  – Remarking for outgoing traffic
  – Rate limiting
• Future proofing capabilities
  – 10G support

Core and Server Aggregation Layer Offerings

(Reference)

Product | Form Factor | Technology | Max Port Density | Functionality | Interfaces

Switch 7700 | 4/7/8 slot Modular | Gigabit, 10G | 120 | Distributed L2 Forwarding, Centralised L3, Advanced L2, Advanced L3 | 1000BT, 1000BSX, 1000BLX, 1000BLH70, 10GBLX4, 10GBLR, 10GBSR, 100BFX
Switch 8800 | 7/10/14 slot Modular | Gigabit, 10G | 288 | Distributed L2/L3 Forwarding, Advanced L2, Advanced L3 | 1000BT, 1000BSX, 1000BLX, 1000BLH70, 10GBLX4, 10GBLR, 10GBSR, 100BFX

Gigabit Ethernet
SuperStack 3 Switch 4924 | Fixed Configuration | 10/100/1000 | 24 | Advanced L2, Advanced L3 | 1000BT (1000BLX, 1000BSX, 1000BLH70)
SuperStack 3 Switch 3870 | Fixed Configuration | 10/100/1000 | 48 | Advanced L2, Standard L3 (future) | 1000BT (1000BSX, 1000BLX, 1000BLH70, 10GBLX4, 10GBLR/SR)
Switch 7700 | 4/7/8 slot Modular | 10/100/1000, 10G | 120 | Advanced L2, Advanced L3 | 1000BT, 1000BSX, 1000BLX, 1000BLH70, 10GBLX4, 10GBLR, 10GBSR, 100BFX

Security Switches
Security Switch 6200 | Fixed Configuration | 10/100/Gig | 16+2 | Advanced Security Services via ISV Firewall, IDS, Antivirus, Antispam, Content Filtering | 100BT (1000BT, 1000BSX, 1000BLX, 1000BLH70)
Secure IX 5100 | Fixed Configuration | 10/100/Gig | 4+2 | Advanced L3 and Security Services, Firewall, VPN, Content Filtering | 100BT (1000BT, 1000BSX, 1000BLX, 1000BLH70)

Additional Design Layers

• Optional secondary design layers may be defined across the Enterprise
  – WAN Perimeter
  – Internet Perimeter/DMZ
  – Storage Area Network
• These additional layers may interface directly to the Core Layer or be separated logically and physically
• Consideration should be taken with respect to connectivity to these secondary layers in terms of:
  – Performance
  – Congestion
  – Logical connectivity
• Typically each layer can be defined on a separate broadcast domain for greater control and security

Campus Network Topologies

• 2 Tier Collapsed Backbone
  – Direct Connectivity from the Access Layer to the Core
  – Server Aggregation can be integrated into the Core Layer or separate
  – Can be implemented for Layer 2 or centralised Layer 3 logical topologies
  – More common in smaller networks with small number of wiring closets
• 3 Tier Collapsed Backbone
  – Connectivity to the Core via Distribution Layer for Access devices
  – Server Aggregation can be integrated into the Core Layer or separate
  – Can be implemented for Layer 2, centralised Layer 3 and Distributed Layer 3 topologies
  – More common for larger campus networks with larger number of distributed wiring closets

2 Tier Collapsed Backbone

[Diagram: Application server farm, Core Layer, Access Layer, Clients]

3 Tier Collapsed Backbone

[Diagram: Application server farm, Server aggregation, Core Layer, Distribution Layer, Access Layer, Clients]

Logical Topologies

Layer 2 Only Networks

• Rarely deployed but for some environments they may make sense
• No routing implemented across the infrastructure
• A single broadcast domain for every user, Layer 2 broadcast traffic seen by every user across the campus
• Multicast Filtering using IGMP Snooping can still be implemented to provide bandwidth efficiency
• VLANs can still be deployed but will not be routed and centralised servers/resources will need a presence on every VLAN
• Advantages
  – Simplicity, Cost effective (no need for Layer 3 switching)
• Disadvantages
  – Potentially insecure, does not scale well for large environments, difficult to deploy when network requires access to many centralised services like Fileservers, Routers and Internet access
  – Does not scale for large networks when using public IP addressing

Logical Topologies

Centralised Layer 3

• Most common logical implementation, particularly for smaller networks
• Routing is centralised on a single device at the Core Layer
• Distribution Layer switches could be deployed as Layer 2 aggregation devices
• Router Redundancy can be implemented via VRRP or if XRN via DRR
• Advantages
  – Simplified administration, Greater level of control, Security, campus wide VLANs, user mobility
• Disadvantages
  – Potential scalability limitations (i.e. routing capacity on centralised L3 switch, ARP tables etc), costly redundancy (for dual configurations)

Centralized Layer 3 Switching

[Diagram: Application server farm, Server aggregation, Layer 3, Layer 2, Layer 2]

Logical Topologies

Distributed Layer 3 Network Design

• Common for larger campus networks with many users or many distinct business units (i.e. University faculties)
• Routing is distributed at the Distribution Layer and the Core Layer
• Campus backbone based on fully routed interconnecting links
• Router redundancy implemented via routing protocols (i.e. OSPF) and VRRP
• Advantages
  – Greater scalability, minimised peering, efficient multicasting, potentially faster convergence (in the absence of STP)
• Disadvantages
  – Complicated, potentially error prone in resilient configurations (routing loops), interaction with Layer 2 protocols (i.e. STP)
• Alternative Designs can use Distributed Layer 3 with a high speed Layer 2 interconnecting campus backbone

Distributed Layer 3 Switching

[Diagram: Application server farm, Server aggregation, Layer 3, Layer 3, Layer 2]

Designing for High Availability


High Availability Networks

• Networks must go from today's 1-9 (9x%) to 5-9s (99.999%) availability.
  – Applications, computers and networks are integrally linked
  – Converged networks require higher availability than traditional data-only nets
  – Mission Critical applications require High Availability and fast response time
• Downtime results in more than just transaction costs
  – Productivity loss
  – Customer support operations
  – Impact across the supply chain
  – Loss of reputation

Source: Infonetics - Cost of Network Downtime 2003

Keys to Continuous Operation

Hardware Availability
• Device Reliability
• Power and Fabric redundancy
• Device Management redundancy

Application Availability
• Application Prioritization
• Application Filtering
• Application Security

Network Availability
• Link Redundancy
• Resilient Topology
• Protocol Resiliency

Proactive Management
• Fault Prevention
• Fault Identification
• Device and Network Reporting
• Service measurement

Hardware Availability

• Hardware Availability is defined based on the following key attributes:
  – Device Reliability – High MTBF, MTTR, Hot swappable components
  – Power and System Redundancy – Support for redundant power, redundant switching fabrics, redundant management modules
  – Device Management Redundancy – Redundant management architecture, fault tolerant switch software architecture, device configuration resiliency
• Hardware availability recommendations
  – Hardware Availability comes at a price but delivers greater peace of mind
  – High Device Reliability for all products across all Design layers
    • Reliable products = High MTBF = Less hardware failures
  – Hardware redundancy mandatory for Distribution and Core layer
    • Dual PSU as a minimum
    • Dual Fabrics where applicable
  – Use management redundancy capabilities in active equipment
    • Dual Images, Device Configuration backup and restore
    • Always initiate configuration backups prior to making changes or installing new software
  – On-site spares

3Com Hardware Availability

(Reference)

MTBF Hardware Redundancy Product Access Layer

Intellijack Baseline 2226 PWR SuperStack 3 Switch 4400 SuperStack 3 Switch 3200 SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 SuperStack 3 Switch 4900 Wireless AP 7250/8250/8750/2750 WX4400 Switch 7700 406,393 hrs 447,000 hrs 282,261 hrs 268,000 hrs 317,000 hrs 300K hrs 300K - 551,000 hrs PoE PoE N/A Hot Swap SFP Hot Swap SFP Hot Swap Module/SFP Hot Swap GBIC/SFP PoE support, detachable antennae, removable radios Dual Hot Swap PSU, GBICs, Flash PC Card Hot Swap Modules, N+I PSU, Hot Swap Fans, Distributed Forwarding

Core/Distribution

Switch 40x0 Switch 7700 Switch 8800 452,175 hrs 300K - 551,000 hrs 300K hrs Hot Swap Fans, PSU, SFP/GBIC Hot Swap Modules, N+I PSU, Hot Swap Fans, Distributed Forwarding, Dual Fabrics (7700R) Hot Swap Modules, N+I PSU, Hot Swap Fans, Distributed Forwarding, Load sharing fabrics

Management Redundancy Optional

N/A N/A Stacking, Dual Images, BU/Restore N/A N/A Stacking, Dual Images Dual Images, XRN, BU/Restore BU/Restore Multiple AP configs Dual Images, BU/Restore N/A RPS, Stack Fault Tolerance RPS RPS (3848) RPS, Stack Fault Tolerance RPS, XRN Wireless Switch support Dual Fabrics (7700R) Dual Images, XRN, BU/Restore Dual Images, BU/Restore XRN Dual Fabrics (7700R) Dual Images, BU/Restore Load sharing Fabrics 39

Network Availability

• Network Availability can be achieved by a combination of fault tolerant features and fault tolerant network design
• Network Availability can be delivered via the following:
  – Link Redundancy – across the backbone, at the wiring closet or the server connectivity
  – Resilient Network Topology – Standby backbone devices, redundant data paths, multi-homed devices
  – Protocol Resiliency – Useful for Layer 3 switching implementations
  – Wireless Network Availability – for wireless devices
  – WAN connectivity
• Network availability for wired networks can be implemented using a variety of LAN products depending on cost and performance requirements
  – Based on SuperStack switches, Switch 7700/8800 switches or a combination
• Fault tolerant network infrastructure implementations can introduce complexity and thus need to be designed carefully

Link Aggregation

[Diagram: Aggregated Gigabit Links; Switch 4900, 100/1000, 7700, SS4400, SS4900SX, SS4900]

• Parallel active links "bonded" as a single logical channel for greater performance
• It is a Point to Point technology
  – Point to multipoint can be achieved with XRN Fabrics
• Traffic is hashed across Aggregated links based on:
  – Source/Destination MAC address
  – Source/Destination IP Address
  – Source/Destination IPX Address (7700 only)
• Automatic recovery of any failed link for redundancy
• Transparent to Spanning Tree protocol and can participate in 802.1w
• VLAN Configuration implemented on individual ports and aggregated links
• Standardized by IEEE 802.3ad and LACP

802.1w Rapid Spanning Tree

• IEEE Std. 802.1w
  – Replaces legacy STP from 802.1D but interoperable
• Determination of the Active Topology for an arbitrary network
  – Automatically eliminates loops
  – Chooses optimum links with lowest Path Cost
• Can disable Spanning Tree on a per port basis
• Operates in a backward compatible mode
  – Automatically inter-operates with legacy STP
  – Allows staged deployment in existing networks
• Allows the use of redundant links
  – Automatic use of a backup link after failure
• Very fast convergence time (less than 5 sec)

Multiple Spanning Tree Protocol

• VLANs are grouped into multiple spanning tree instances
• Each spanning tree instance (MSTI) has its own spanning tree topology with its own Root bridge
• Load balancing VLANs across multiple data forwarding paths makes better use of bandwidth
  – e.g. from A, VLANs 11-20 carried across link to B; VLANs 21-30 are blocked across this same link
• 48 MSTI supported
• Different load balancing schemes can be supported through the use of regions

[Diagram: MSTP topology with bridges labelled A and C, links labelled VLANs 11-20 and VLANs 21-30, and blocked ports marked X]

Redundant Backbone Design

• Delivers an Active-Standby networking infrastructure using multi-homing and standby core devices
• Most common fault tolerant network design implementation
• Simplest form of resilient topology
• Redundant core acts as a hot standby to protect against failure on the primary core
• Link Redundancy delivered using STP/RSTP/MSTP across the backbone
• Considerations
  – Use alternative devices for the redundant core backbone to minimize cost
  – Distribute wiring closet across core devices for increased performance
  – Take into account protocol resiliency in implementing L3 switching by using protocols like OSPF

[Diagram: Redundant Core]

Router Resiliency Using VRRP

• Virtual Router Redundancy Protocol based on RFC2338
• Eliminates router single point of failure
• Fast fail-over to virtual redundant router
• Transparent to attached devices
• Available for Switch 7700 family and 3Com routers
• VRRP is a common router redundancy implementation offered by a variety of vendors
• Considerations
  – Create multiple VRRP instances with the master router configured on separate physical switches for extra redundancy
  – VRRP is only supported for unicast IP routing

[Diagram: Master Router (Switch 7700) and VRRP Backup Router (Switch 7700) serving VLAN B and VLAN C]

Manual Load Distribution

• Manual load distribution
  – Link Failure across any path is recoverable using RSTP
  – Users in each VLAN are served by a different Layer 3 switch for load distribution
  – VRRP failover ensures default gateway protection within seconds
  – Potentially complex implementation

[Diagram: switches A, B and C; 802.1Q (VID=1,2), MSTP; VID = 1 and VID = 2, each with a VRRP Master and a VRRP Backup]
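The failover behaviour described on the two VRRP slides above, modelled with the RFC 2338 timers and election rules. This is an added example, not 3Com code; the switch names, IP addresses and priorities are constructed.

```python
"""Model of VRRP (RFC 2338) master election and failover timing.

Switch names, IP addresses and priorities below are constructed sample
values; only the timer formulas and election rules come from RFC 2338.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ADVERT_INTERVAL = 1.0  # seconds, RFC 2338 default Advertisement_Interval


@dataclass(frozen=True)
class VrrpRouter:
    switch: str       # physical switch hosting this virtual-router instance
    primary_ip: str   # interface address inside the VLAN
    priority: int     # 1-254 for backups (default 100), 255 = address owner


def master_down_interval(priority, advert=ADVERT_INTERVAL):
    """Seconds a backup waits without advertisements before taking over.

    Skew_Time = (256 - Priority) / 256, so a higher-priority backup times
    out first and wins the takeover without a separate election round.
    """
    skew = (256 - priority) / 256
    return 3 * advert + skew


def elect(routers):
    """Highest priority wins; equal priorities are broken by higher IP."""
    return max(routers, key=lambda r: (r.priority, IPv4Address(r.primary_ip)))


def plan_after_failure(groups, failed_switch):
    """For each VLAN return (new master switch, worst-case outage in seconds).

    groups maps a VLAN name to the VrrpRouter instances backing its gateway.
    The outage is 0.0 when the failed switch was not master for that VLAN.
    """
    plan = {}
    for vlan, routers in groups.items():
        old_master = elect(routers)
        survivors = [r for r in routers if r.switch != failed_switch]
        if not survivors:
            plan[vlan] = (None, float("inf"))   # no gateway left at all
        elif old_master.switch != failed_switch:
            plan[vlan] = (old_master.switch, 0.0)
        else:
            new_master = elect(survivors)
            plan[vlan] = (new_master.switch,
                          master_down_interval(new_master.priority))
    return plan


def masters_per_switch(groups):
    """Show how the master role is spread across physical switches."""
    spread = {}
    for vlan, routers in groups.items():
        spread.setdefault(elect(routers).switch, []).append(vlan)
    return spread


# Constructed layout following the slides: two Switch 7700 units, with the
# master for VLAN B on one and the master for VLAN C on the other.
GROUPS = {
    "VLAN B": [VrrpRouter("7700-1", "10.0.2.2", 200),
               VrrpRouter("7700-2", "10.0.2.3", 100)],
    "VLAN C": [VrrpRouter("7700-1", "10.0.3.2", 100),
               VrrpRouter("7700-2", "10.0.3.3", 200)],
}

if __name__ == "__main__":
    print(masters_per_switch(GROUPS))
    for vlan, (switch, outage) in plan_after_failure(GROUPS, "7700-1").items():
        print(f"{vlan}: master={switch} worst-case outage={outage:.3f}s")
```

With the default 1 s advertisement interval the worst-case gateway outage is a little over 3 s, which is the "within seconds" failover the slide refers to.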

XRN Core Technology Overview

XRN Core Tech. is an innovative hardware and software implementation that allows the design of High Performance, Highly Available Gigabit networks based on XRN Distributed Fabrics

XRN Core Tech. is patented 3Com tech. that is based on standards allowing any device to connect to a Fabric and take advantage of the performance and availability of XRN

Distributed Device Management

Enables the Switches in an XRN Fabric to behave and be configured as a Single Management entity (single IP address mgmt, fabric wide configuration etc)

Distributed Link Aggregation

Enables port trunking across both switches in the Fabric as if they were a single switch

Distributed Resilient Routing

Enables the entire fabric to behave as a single router that uses the performance of all switches in the fabric

XRN Resiliency

• XRN delivers network wide fault tolerance via the following:
  – XRN Distributed Fabric
    • An XRN Fabric provides no single point of failure for management, L2 and L3 switching across the interconnected switches
    • Support for hardware availability on XRN enabled switches (i.e. RPS, Dual PSU, hot swap fans, hot swap GBICs)
    • Support for fault tolerant software features across the Fabric (i.e. Link Aggregation, STP/RSTP, Resilient Links)
  – Enabling Resilient Network Design
    • XRN's network availability is also delivered via supporting dual homed aggregated links across both switches in the Fabric
    • It provides management, L2 and routing resilience for all dual homed devices
    • Application availability via support for advanced Class of service and traffic prioritization features across a Fabric
    • XRN has integrated self healing capabilities allowing for smooth network recovery following unit, cable, or fabric interconnect failure in the Fabric

Availability for Wireless Networks

• WiFi networking has inherent resiliency since it enables users to roam among distributed Access Points
• Failure in wireless LANs can be experienced via:
  – Loss or limited signal coverage
  – Loss of centralised security services (RADIUS)
  – Interference by rogue Access Points
• Key recommendations for Wireless Availability
  – Conduct Site Surveys to ensure sufficient coverage across the campus
  – Implement WiFi security (802.1X and WPA)
  – Implement consistent ESSIDs to minimise re-authentication
  – Wireless Switching delivers the highest level of availability for wireless clients by enabling clients to roam seamlessly between APs, wireless switches, subnets within a Mobility Domain and provides rogue AP detection

Network Availability Recommendations

• Network Availability should permeate overall network design
• Multi-homing and redundant paths between layers extend the level of fault tolerance for the campus network
  – Rapid Spanning Tree should be enabled across all devices to provide fast convergence
  – Mixing RSTP and STP in the same campus will result in slower convergence times during failure and greater complexity
  – Understand your STP topology and choose the most appropriate root bridge
  – Link Aggregation delivers redundancy and bandwidth
• Deploy routing protocols like OSPF for fast convergence of routed links
• Implement Default gateway protection for IP hosts delivered via VRRP or XRN DRR
• Implement WLAN Switching for wireless network availability

Application Availability

• Application Availability is a fundamental component of all high availability network design
• Designing for Convergence section covers Application Availability in greater detail
• Application Availability is delivered via:
  – Application prioritization – identifying mission critical applications to ensure consistent performance across the infrastructure
  – Application Filtering – intelligently identifying rogue applications and stopping them from consuming network bandwidth without impeding the remaining applications
  – Network Security – protect mission critical network devices and applications and control network access to authorized personnel
  – Time based rules – tie application filtering and prioritization to time based rules for extra flexibility
• Application availability enforced primarily through technology deployed at the edge of the network but honored across the backbone and potentially the WAN

Network Availability Features

Product 802.1D/802.1w

Layer 2 802.1s

Access Layer Intellijack SuperStack 3 Switch 4400 SuperStack 3 Switch 3200 SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 SuperStack 3 Switch 4900 Switch 7700 N Y Y Y Y Y Y N N N N N N Y WX1200/4400 Y PVST+ Core/Distribution Switch 40x0 Switch 7700 Switch 8800 Y Y Y N Y Y Y N N N Y Y Y Y Y Y

802.3ad/LACP Router Redundancy Layer 3 Routing Protocols

N/A XRN DRR VRRP OSPF OSPF, BGP, ISIS Future XRN DRR VRRP VRRP OSPF OSPF, BGP, ISIS OSPF, BGP, ISIS 52

Network Availability Features

Product 802.1D/802.1w

Access Layer Intellijack Baseline 2226 PWR SuperStack 3 Switch 4400 SuperStack 3 Switch 3200 SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 SuperStack 3 Switch 4900 Switch 7700 WX1200/4400 Core/Distribution Switch 40x0 Switch 7700 Switch 8800 Y Y Y Y N N Y Y Y Y Y Y

Layer 2 802.1s

802.3ad/LACP

N Y Y N N N N N N N Y PVST+ N N Y Y Y Y Y Y Future Y N N

Router Redundancy Layer 3 Routing Protocols

N/A XRN DRR VRRP XRN DRR VRRP VRRP OSPF OSPF, BGP, ISIS OSPF OSPF, BGP, ISIS OSPF, BGP, ISIS 53

Designing for Convergence


Designing for Convergence

• Designing for Convergence enables Enterprise networks to accommodate real time networked applications across the entire infrastructure
• Key Performance Considerations for Convergence
  – Service Performance Parameters
    • Packet Loss – Number of packets or % of packets lost during transmission between two end points
    • Latency – Also known as delay, is the amount of time taken for a packet to reach its destination end point after transmission
    • Jitter – Also known as delay variation, is the difference in end to end delay between packets transmitted on a network
  – Implementing Traffic Prioritisation
  – Broadcast/Multicast containment
  – Efficient transport of Multicast
• Designing for Convergence should be inherent in all aspects of network design and all media (wired and wireless)
• Convergence enabled network design results in high performance

55

Traffic Classification and Prioritization

[Diagram: traffic is classified at ingress by ingress port, protocol, IP address, TCP/UDP port, Ether type, TCP flag, VLAN, MAC address, physical port, time, precedence, Access Control Lists and TOS. Classes shown: high priority traffic (e.g. video/voice), un-prioritised traffic (e.g. email), de-prioritised traffic (e.g. web file downloads) and filtered traffic that is discarded (e.g. Soulseek). 802.1D priorities 0 to 7 are mapped 1 to 1 ("Optimal Prioritisation") onto eight queues, Queue 8 (high priority) to Queue 1 (low priority), with dropped frames shown at the low priority end.]

57

Traffic Policing, Traffic Shaping and Rate Limiting

• Traffic Shaping
  – Packets that exceed rate are queued
  – Queue empties at uniform rate
  – Introduces latency
  – Less disruptive to TCP bulk transfers
• Traffic Policing
  – Uses “Committed Access Rate”
  – Packets that exceed rate are marked or discarded
  – No queuing
    • Does not introduce latency
• Line Rate Limiting
  – All traffic is limited to a particular rate out of an interface or port
  – Performed on the port

[Diagrams, one per mechanism: incoming packets are classified and pass a Token Bucket (tokens enter the bucket at the configured speed) before leaving as outgoing packets. The shaping diagram adds a queue, the shaping and policing diagrams show discarded packets, and the line rate limiting diagram shows a queue buffer.]

58

Considerations for Policing, Shaping and Limiting

• Traffic Shaping is used to adjust the output rate
  – Occurs after classification, so can be done selectively
  – Traffic Shaping may increase network delay, at least for some packets
• Traffic Policing is used to adjust the input rate
  – Occurs after classification, so can be done selectively
  – Traffic Policing may cause higher layers to resend
• Line Rate Limiting is performed on the port
  – Limits the output rate of all traffic irrespective of classification

59
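The trade-off between policing and shaping described on the two slides above, as an added Python sketch that is not part of the 3Com deck: both functions run the same token bucket, but the policer discards excess packets without delay while the shaper queues them. The function names, the 1.2 Mbit/s rate, the 3000-byte burst and the packet trace are assumptions constructed for the example.

```python
def police(arrivals, rate_bps, burst_bytes):
    """Policer: a packet is sent only if the bucket holds enough tokens now.

    arrivals is a time-sorted list of (time_s, size_bytes). Returns
    (sent, dropped), where sent holds (arrival, departure, size) tuples.
    """
    fill = rate_bps / 8                      # token fill rate in bytes/second
    tokens, last = float(burst_bytes), 0.0   # bucket starts full
    sent, dropped = [], []
    for t, size in arrivals:
        tokens = min(burst_bytes, tokens + (t - last) * fill)
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, t, size))        # no queue, so no added delay
        else:
            dropped.append((t, size))        # excess is discarded (or re-marked)
    return sent, dropped


def shape(arrivals, rate_bps, burst_bytes, queue_limit):
    """Shaper: excess packets wait in a FIFO queue until tokens accrue.

    Assumes every packet is no larger than burst_bytes. A packet is dropped
    only when queue_limit packets are already waiting at its arrival.
    """
    fill = rate_bps / 8
    tokens, clock = float(burst_bytes), 0.0  # bucket level as of time `clock`
    sent, dropped = [], []
    for t, size in arrivals:
        waiting = sum(1 for _, depart, _ in sent if depart > t)
        if waiting >= queue_limit:
            dropped.append((t, size))
            continue
        start = max(t, clock)                # FIFO: wait for the packet ahead
        tokens = min(burst_bytes, tokens + (start - clock) * fill)
        wait = max(0.0, (size - tokens) / fill)
        tokens = max(0.0, tokens + wait * fill - size)
        clock = start + wait
        sent.append((t, clock, size))
    return sent, dropped


def max_delay(sent):
    """Largest queueing delay (seconds) among the packets that were sent."""
    return max((depart - arrive for arrive, depart, _ in sent), default=0.0)


# Constructed input: six 1500-byte packets, 1 ms apart (12 Mbit/s offered)
# against a 1.2 Mbit/s contract with a 3000-byte burst allowance.
BURST = [(i * 0.001, 1500) for i in range(6)]

if __name__ == "__main__":
    for name, (sent, dropped) in {
        "policing": police(BURST, 1_200_000, 3000),
        "shaping": shape(BURST, 1_200_000, 3000, queue_limit=10),
    }.items():
        print(f"{name}: sent={len(sent)} dropped={len(dropped)} "
              f"max delay={max_delay(sent) * 1000:.1f} ms")
```

On this trace the policer forwards only the two packets covered by the burst allowance, which is what makes TCP resend, while the shaper delivers all six at the cost of tens of milliseconds of queueing delay that a voice stream would feel as latency and jitter.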

Traffic Prioritization on 3Com Switches

Product Access Layer

Intellijack Baseline 2226 PWR SuperStack 3 Switch 4400 SuperStack 3 Switch 3200 SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 SuperStack 3 Switch 4900 Switch 7700 4 4 4 4 4 8 4 2

Core/Distribution

Switch 40x0 Switch 7700 Switch 8800 4 8 8

Queues Queue Scheduling Classification/Prioritisation Application Filtering

WFQ/SPQ N/A WRR/SPQ WRR/SPQ WRR WRR/SPQ WRR/SPQ WRR

WRR/SPQ

WRR WRR/SPQ 802.1p, DSCP 802.1p

No No 802.1p, DSCP, L2 L4, Remarking 802.1p, DSCP, L2-L4 Yes Limited (IP ACL) 802.1p, DSCP N/A 802.1p, DSCP, L2-L4 Limited (IP ACL) 802.1p, DSCP, L2 L4, Remarking 802.1p, DSCP, L2 L4, Remarking, Time Yes Yes via ACLs 802.1p, DSCP, L2 L4, Remarking 802.1p, DSCP, L2 L4, Remarking, Time 802.1p, DSCP, L2 L4, Remarking, Time Yes Yes via ACLs Yes via ACLs

Provisioning

Line Rate Limiting N/A Traffic Shaping Line Rate Limiting N/A Line Rate Limiting N/A Policing/Shaping/Line Rate Limiting N/A Policing/Shaping/Line Rate Limiting Policing/Shaping/Line Rate Limiting 60

Convergence Ready Wireless

• Having the ability to support convergence applications over a wireless medium is even more important due to limited bandwidth
  – Voice quality must be as good as wireline
    • <50 ms inter-subnet latency is recommended
  – Reliable performance under load (capacity management)
  – Other issues for convergence over wireless (battery preservation, voice security etc.)
• Key recommendations for Convergence capable Wireless Service
  – Separate VLANs for VoWLAN devices and assign high priority
  – Deploy 802.11e capable wireless devices (clients, APs, WLAN switches)
    • EDCA: adds “offset contention windows” that separate high priority packets from low priority packets by assigning a larger random backoff window to lower priorities than to higher priorities.
    • HCCA: adds AP-controlled client access on top of EDCF. Agreements between the AP and client provide policed bandwidth, polling, delay, and jitter definitions.

61

Multicast Applications

• Many emerging applications used in enterprise networks today utilise IP multicasting as a transport
  – Video Streaming – Microsoft Windows Media Services, RealNetworks Helix Server, Apple QuickTime, IP/TV etc.
  – Voice – Music on Hold, Voice Conferencing
  – Application Sharing – Microsoft Live Meeting etc.
  – Other applications: NetWare 6, Symantec Ghost etc.
• Supporting Multicast applications in Enterprise networks is a key requirement in most campus designs
• The deployment of bandwidth intensive multicast applications on networks that are not designed to support them can significantly impact network performance

62

Multicast Support in 3Com Switches

Multicast Filtering Product Access Layer

Intellijack SuperStack 3 Switch 4400 IGMP Snooping IGMP Snooping

Multicast Routing

SuperStack 3 Switch 3200 SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 SuperStack 3 Switch 4900 WX1206/4400 Switch 7700

Core/Distribution

Switch 40x0 Switch 7700 IGMP Snooping IGMP Snooping IGMP Snooping IGMP Snooping IGMP Snooping IGMP Snooping, GMRP IGMP Snooping IGMP Snooping, GMRP PIM-SM, PIM-DM, MSDP PIM-SM, PIM-DM, MSDP Switch 8800 IGMP Snooping, GMRP PIM-SM, PIM-DM, MSDP 66

Defining Oversubscription

• No Gigabit network can be end to end non-blocking
• Oversubscription can occur at every design layer in a campus infrastructure
• Oversubscription is more common at the Access Layer
  – Real life traffic at the wiring closet is typically bursty
• A variety of subscription ratios can be considered at the Access Layer
  – 2:1, 4:1, 8:1, 10:1
• Mechanisms used for mitigating the effects of oversubscription
  – TCP Windowing, Ethernet flow control 802.3x, traffic prioritisation

[Diagram labels: 100Mbps, n x 100Mbps]

67

Considerations for Oversubscription

• Understand the implications of oversubscription on active devices
  – In some switches oversubscription may not be clearly identifiable
  – Throughput figures for some vendors' products may be based on theoretical or unrealistic conditions
• Understand traffic patterns on the campus network
  – What percentage of traffic is localised, peer to peer, or going to the server farm/Internet
• Understand applications on the network and the effect oversubscription will have on these
  – Oversubscription results in latency, which is detrimental for multimedia
• Minimize oversubscription at the Core Layer
  – Most traffic will traverse the Core Layer
  – Distributed forwarding capabilities on Core Layer switches can alleviate congestion
• Ensure that the Server Aggregation Layer does not become a problem area
  – If all traffic is destined to the Server Aggregation layer and a single Gigabit port is connecting it to the Core layer then this is the main point of congestion
• Implement Traffic Prioritisation to minimise the impact of oversubscription for mission critical applications

68

Designing for Pervasive Network Security


Pervasive Security Services

“Defence in Depth”

[Diagram: Security Policy at the centre, covering Users, Applications, Devices and Protocols through User & Device Profiles. Detection: Intrusion Detection. Prevention. Management: Identity Management (e.g. X.509 certificates), Auditing, Change Control etc. Enforcement: Authentication, Encryption, Antivirus, IPS, VPN, FW, Security Updates, Support, Isolation.]

70

Enterprise Topology

[Diagram: Extended Perimeter and Secure Topology. Security services shown: Application/Host/Content, Firewalls, Security Policy Management, Encrypted Tunnels, Network Access Control, Intrusion Detection & Prevention, System Integrity, Unified Secure Management. Locations and users shown: Internal, Telephones, Multi-Media, Branch Office, Factory, Factory Work, Wi-Fi Network, Sales Rep, Sales Dept, Home Worker, Mobile Worker, CEO, Executives, Internet, Public Areas, Visitor, Quarantine, Local LAN, Management Network.]

71

Designing for Security

• Our aim in this section will be to concentrate on how campus Networks can be designed to address some of the security overlays
  – Detailed security implementations and 3Com’s Pervasive Network Security strategy available in the corresponding sessions
• Key Security implementations in Enterprise Campus Networks
  – Device Management Security
  – VLAN centric design
    • Separate VLANs for management
    • Separate VLANs for Wireless clients
      – If using WLAN switching wireless users can be on separate VLANs
    • Map VLANs to Security zones and use firewalls/security appliances where appropriate
  – Authentication and Authorisation
    • Network Login 802.1X
    • AutoVLANs using 802.1X
  – Identifying and Controlling Rogue Applications

72

VLAN Centric Design

• VLANs provide security and traffic segmentation and are supported by Network Cards, switches, wireless access points, routers and security appliances
• Use VLANs to segment the network into logical groups or business functions
• VLANs can be mapped to IP Subnets and are terminated by routers/Layer 3 switches
• 802.1Q Tagging is a standards based VLAN tagging mechanism
• VLAN Deployment Guidelines
  – Use consistent naming and VLAN Tags for all VLANs across the network
  – Configure the correct VLAN Tags on both ends of switch-switch links
  – Configure all VLANs across all switches for complete user mobility across the campus
  – In resilient topologies ensure STP does not inadvertently block VLANs between switches (use MSTP instead)
  – Ensure that Aggregated Links carry the correct VLAN tagging information
  – Create a separate management VLAN for all active devices

73

Device Management Security

• For networks concerned about the security of their active devices the following security capabilities should be considered
  – User Authentication for Device Management: Only authenticated users can access device management (RADIUS or Local)
  – Authorised manager access (Trusted IP): Only authorised IP addresses or subnets can gain management access
  – Device Management VLAN: Separate configurable VLAN/subnet for management
  – Selectable Device management options and encrypted management sessions: Enable/Disable TELNET, HTTP access and support for SSH, HTTPS etc.
• A combination or all of these capabilities could be deployed to provide device protection for switches, routers and appliances

74

Device Management VLAN

• A dedicated VLAN for management of active devices can be deployed for greater control
• The Device Management VLAN can span the entire campus using VLAN tagging
• Access to management can be in-band or out of band
  – For in-band access, use routing with ACLs or security appliances to control traffic to the management VLAN
• Considerations for Device Management VLAN
  – Ensure devices support configurable VID for management
  – Campus wide management VLANs are more applicable in centralised Layer 3 topologies
  – Device Management VLANs can also be localised within a wiring closet or a building for distributed L3 topologies

[Diagram labels: VLAN10, VLAN20, VLAN30, VLAN40, VLAN50, VLAN60]

75

Network Authentication and Authorisation

• Why use 802.1X?
  – Users must authenticate before gaining access to network resources
  – All authorizations can be administered centrally
  – Accounts can be held (who, when, where)
    • Log files can record various session data, packet counts, session durations, user names.
    • Information can be used for billing
  – Security Auditing
    • Network Administrators can record who is accessing the network in real time
  – Management
    • Network Management applications can display user information
    • Clients can be dynamically tracked in real time using Network Management

76

Network Login and wired VLANs

• 802.1X Network Login can be associated with VLANs using the following methods
  • Static – Authenticated users assume the pre-configured VLAN membership of their connected port
  • Dynamic (AutoVLANs) – Authenticated users are dynamically placed in their corresponding VLAN based on RADIUS attributes
• Non-authenticated users are either excluded or become members of a “guest” VLAN
• Some devices such as telephones are automatically authenticated based on MAC address

77

Auto VLAN and QoS Assignment using 802.1X

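[Diagram: a user logging in with User ID: Teacher and a password is reported as a Valid User and receives VLAN ID: Teacher VLAN and QoS Profile: Email LowP, Web LowP, Student Records Server HighP. The switch carries a Student VLAN and a Teacher VLAN; a second port shows a login prompt with User ID and Pwd still unanswered.]

78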

Network Login and wireless VLANs

• Wireless users can be placed dynamically in the appropriate VLAN using 802.1X Network Login and RADIUS (VLAN ID)
• VLAN tagging on the Ethernet port of the Access Point ensures that the AP is aware of all configured VLANs
• The Wireless Access Point will tunnel wireless user traffic on the appropriate tagged VLAN already configured on the Ethernet port
• Network Login based Wireless VLANs can deliver end to end mobility across wired and wireless media
• Access Points also support multiple SSIDs that can be mapped to separate VLANs for a greater level of security

79

Auto VLAN Assignment using 802.1X with Wireless Access Points

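[Diagram: a wireless user logging in through an Access Point with User ID: Teacher and a password is reported as a Valid User and receives VLAN ID: Teacher VLAN. The network carries a Student VLAN and a Teacher VLAN; a second client shows a login prompt with User ID and Pwd still unanswered.]

80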

Mapping VLANs to Security Zones

• Map vulnerable VLANs (i.e. wireless, guest VLAN) to Security zones in security appliances/Firewalls for greater control
• If all VLANs are mapped to security zones then routing will be centralised by the security appliance
  – May have performance implications
• A combination of Layer 3 switching, ACLs and Security zones can provide greater protection without major performance compromises
• When multiple VLANs are mapped to a Security zone, interVLAN routing within the security zone can be controlled by the local Layer 3 switch
• Use routing policies or default routes for sending traffic to the enforcement point

[Diagram: a Policy Enforcement Point connecting the LAN 1 Security Zone, LAN 2 Security Zone, WAN Security Zone, Wireless Security Zone, Internet and DMZ]

81

Security Zones and VLANs

[Diagram: Security Zones A to E attached through routed virtual interfaces; the VLANs shown are VLAN1, VLAN2, VLAN3, VLAN10, VLAN11 and VLAN12.]

82

Controlling Rogue Applications

• Use QoS and Application Filtering to control rogue applications where they originate from: the Access Layer
• Using Network Management rogue users and applications can be identified quickly and corrective action taken
• Example: How Application Filtering and autoQoS assignment on the Switch 4400 could stop the proliferation of the W32.Blaster.Worm virus
• W32.Blaster.Worm virus exploits TCP:135 “DCOM RPC” and UDP:69 “TFTP”
  – Create a classifier on the 4400 for TCP:135 and UDP:69
  – Create a QoS profile called Blaster and assign the previous classifiers and apply the discard service level
  – Enable 802.1X and AutoVLANs, autoQoS on the user ports
  – On the RADIUS server assign to all users the filter-id=Blaster attribute
  – Next time a user logs in to the network the Blaster profile will be applied on the switched port the user connects to

83
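The port decision behind the Network Login slides and the Blaster procedure above, modelled in Python as an added example (not 3Com switch code or configuration): static and dynamic VLAN assignment, the guest VLAN, MAC-authenticated telephones, and a Filter-Id that attaches the discard profile. The VLAN numbers, MAC address, attribute string forms (following RFC 3580 naming) and the choice to fail closed on an unknown Filter-Id or VLAN are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed switch configuration; every value here is an assumption.
PORT_VLAN = 10                       # static VLAN pre-configured on the port
GUEST_VLAN = 99                      # set to None to exclude unauthenticated users
VOICE_VLAN = 40
PHONE_MACS = {"00:11:22:33:44:55"}   # constructed MAC of an IP telephone
CONFIGURED_VLANS = {10, 20, 30, 40, 99}
# QoS profile from the slide: classifiers for TCP:135 and UDP:69, discard level.
QOS_PROFILES = {"Blaster": {("tcp", 135): "discard", ("udp", 69): "discard"}}


@dataclass
class PortState:
    authenticated: bool
    vlan: Optional[int]              # None means the port stays closed
    profile: Optional[str] = None
    reason: str = ""


def authorize(mac, accept):
    """Decide port state from a RADIUS Access-Accept (dict) or None if rejected."""
    if accept is None:
        if mac in PHONE_MACS:
            return PortState(True, VOICE_VLAN, reason="MAC-based authentication")
        if GUEST_VLAN is not None:
            return PortState(False, GUEST_VLAN, reason="guest VLAN")
        return PortState(False, None, reason="excluded")
    profile = accept.get("Filter-Id")
    if profile is not None and profile not in QOS_PROFILES:
        # Fail closed: a mistyped profile must not admit the user unfiltered.
        return PortState(False, None, reason="unknown Filter-Id")
    vlan = PORT_VLAN                 # static method unless RADIUS names a VLAN
    if "Tunnel-Private-Group-ID" in accept:
        # RFC 3580 attributes: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802.
        ok = (accept.get("Tunnel-Type") == "VLAN"
              and accept.get("Tunnel-Medium-Type") == "IEEE-802"
              and accept["Tunnel-Private-Group-ID"].isdecimal())
        vlan = int(accept["Tunnel-Private-Group-ID"]) if ok else None
        if vlan not in CONFIGURED_VLANS:
            return PortState(False, None, reason="invalid VLAN assignment")
    return PortState(True, vlan, profile, "802.1X")


def forwards(state, proto, dst_port):
    """True if a frame from this port is forwarded, False if discarded."""
    if state.vlan is None:
        return False
    rules = QOS_PROFILES.get(state.profile, {})
    return rules.get((proto, dst_port)) != "discard"


# Constructed Access-Accept for the "Teacher" user shown in the slides.
TEACHER = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
           "Tunnel-Private-Group-ID": "20", "Filter-Id": "Blaster"}

if __name__ == "__main__":
    port = authorize("aa:bb:cc:00:00:01", TEACHER)
    print(port, forwards(port, "tcp", 135), forwards(port, "tcp", 80))
```

Because the profile arrives with the login, the discard rule follows the user to whichever port they authenticate on, which is the point of assigning filter-id=Blaster centrally on the RADIUS server.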

3Com Pervasive Network Security Solutions

• Access Layer
  – 3Com Embedded Firewall
  – Intellijack 220 for user location mapping
  – SuperStack 3 Switch 4400 for Network Login, user based VLANs and user based Security/QoS profiles, device management VLAN
  – 3Com WX1200/4400 for secure WLAN switching and AP2750 with wireless encryption – dedicated wireless VLAN mapped to a security zone
• Distribution Layer
  – XRN Fabric using 3Com Switch 40x0 with Application filtering
• Core Layer
  – Switch 7700/8800 with Network Login for locally attached devices (servers), Layer 2 and Layer 3 extended ACLs, time based ACLs for greater flexibility
  – Security Switch 6200 defining security zones across the campus, acting as the main chokepoint between wired and wireless users and delivering firewalling, VPN connectivity and IDS across the Security zones
• WAN Perimeter
  – Router 5000/6000 delivering SPI Firewall support
• Remote offices
  – SecureIX delivers remote branch security via SPI Firewall, VPN support and branch office security zone flexibility
• Telecommuters
  – SecureIX delivering firewall, VPN support and security zones within the home network

84

Security Capabilities In 3Com Campus Devices

Product L2 Security L3 Security Management Security Identity Management Core/Access Layer

Intellijack SuperStack 3 Switch 4400 SuperStack 3 Switch 3200 SuperStack 3 Switch 3824/48 SuperStack 3 Switch 3870 WX4400/1200 DUD, VLANs, MAC authentication DUD, VLANs, MAC authentication VLANs, Port based ACLs VLANs VLANs, Port based ACLs AP2750/8x50/7250 SuperStack 3 Switch 4900 Switch 7700 VLANs VLANs DUD, VLAN VLANs Switch 8800 VLANs N/A Application Filtering N/A Configurable Mgmt VLAN, SSH, Trusted IP RADIUS, HTTPS, SSH RADIUS 802.1X, RADIUS Switch Login, user based VLANs and QoS profiles 802.1X

RADIUS, HTTPS, SSH 802.1X

Standard ACLs ACLs, Protocol Filtering RADIUS, HTTPS, SSH Protocol Filtering Application Filtering, Routed ACLs Standard and Extended ACLs, L2/L3/L4 ACLs, Time based ACLs Standard and Extended ACLs, L2/L3/L4 ACLs, Time based ACLs Routed ACLs Out of band Ethernet, SNMPv3, SSHv1.5

Out of band Ethernet, SNMPv3, SSHv1.5

802.1X

802.1X, user based VLAN and QoS profiles 802.1X

RADIUS Switch login 802.1X, RADIUS Switch Login 802.1X, RADIUS Switch Login 85

Summary

• Efficient Convergence Network Design is key to performance, business continuity and scalability
• Multi-tiered hierarchical network design provides significant benefits in terms of scalability and fault tolerance
• Business Continuity is delivered by introducing high availability capabilities across all network design layers
• Campus Network Designs can be optimised to support Convergence applications by taking into account service performance parameters, traffic prioritisation and support for multicast
• Pervasive Network security addresses multiple threats, at multiple network design areas and through a variety of mechanisms

86

Summary

[Diagram labels: IP Telephony, Security, Mobile, Applications, LAN, WAN]

87

Thank you