Cisco Enterprise Architecture

Abstract

The Cisco Service Oriented Network Architecture (SONA - pronounced to rhyme with Mona) provides an enterprise architecture that includes the entire network - campus, data center, WAN, branch offices, and remote teleworkers. This white paper focuses on the Enterprise Campus, Enterprise Edge, and Service Provider Edge, and the submodules that make up each of these modules.

Sample

Access Layer

The access layer is used to give hosts (workstations, IP phones, servers) access to the network and networked services. In the campus architecture, the access layer usually consists of layer 2 switches, and VLANs are implemented to facilitate smaller broadcast domains at layer 2. Some newer network designs are implementing multilayer switches at the access layer.

Distribution Layer

The distribution layer aggregates the wiring closets and provides redundant connections for access devices. This aggregation keeps failure domains small by segmenting workgroups and isolating network problems so that they do not affect the core. A characteristic of the distribution layer is that it implements policy-based decisions such as routing.

Core Layer

The function of the core layer is fast data transport. Because the core is critical for connectivity between the distribution switches and the enterprise edge, it must provide high availability and be able to adapt to change rapidly. Packet manipulation should not happen at the core; that is a function of the distribution layer.

The function of the core layer is to provide fast and efficient data transport that:

  • Forms a high-speed backbone with fast transport services
  • Provides redundancy and fault tolerance
  • Offers good manageability

Enterprise Campus Architecture

The access, distribution, core model cannot be scaled to accurately describe all of the functions in a modern enterprise network. However, the enterprise campus architecture defines modules, within which the hierarchical model of access, distribution and core can be applied. The entire network is divided into functional areas and modules that include access, distribution, and core functionality.

This model defines a deterministic network with clearly defined boundaries between modules. It provides scalability and allows new modules to be added easily. As the network grows, new functional modules can be added, and new services and solutions may be overlaid without changing the fundamental network design.

The three areas covered will be the enterprise campus, enterprise edge and service provider edge.

Building Access

This submodule contains workstations, IP phones, and access switches that connect devices to the distribution submodule. The building access submodule implements several services:

  • VLANs for broadcast control
  • VLAN access-lists
  • Quality of Service (QoS)
  • Port security
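The following Catalyst IOS configuration is an added example, not part of the white paper, showing how the four services listed above are applied on a single access port and its VLAN. The interface name, VLAN numbers, the 10.1.10.0/24 address range and the platform-specific QoS command are assumptions chosen for illustration.

```cisco
! Catalyst access switch, one user port (added example, not from the white paper;
! interface name, VLAN numbers, addresses and QoS platform command are assumptions)
mls qos
!
interface GigabitEthernet1/0/1
 description User port: PC plus IP phone
 switchport mode access
 ! VLANs for broadcast control: data and voice are separate broadcast domains
 switchport access vlan 10
 switchport voice vlan 110
 ! Port security: PC on the data VLAN plus the phone, whose MAC can appear on
 ! both VLANs. Extra MACs are dropped and logged ("restrict") rather than
 ! shutting the port, so a rogue device cannot cause a denial of service.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! End-host port: skip STP listening/learning, but err-disable if a switch is plugged in
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! QoS: trust the phone's markings only when a Cisco phone is detected via CDP
 mls qos trust device cisco-phone
!
! VLAN access list: filters traffic that stays inside VLAN 10, which a router ACL
! on the distribution switch never sees. Here host-to-host SMB is dropped.
ip access-list extended SMB-BETWEEN-HOSTS
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 445
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 139
ip access-list extended EVERYTHING-ELSE
 permit ip any any
!
vlan access-map VLAN10-POLICY 10
 match ip address SMB-BETWEEN-HOSTS
 action drop
vlan access-map VLAN10-POLICY 20
 match ip address EVERYTHING-ELSE
 action forward
vlan filter VLAN10-POLICY vlan-list 10
```

Two design choices are worth noting: the violation mode is restrict rather than the default shutdown, so an attacker plugging in extra MAC addresses generates a log entry instead of taking the port (and the legitimate user) offline; and the VACL is needed because traffic between two hosts in the same VLAN is switched at layer 2 and never reaches the distribution layer's router ACLs.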

Building Distribution

This submodule provides aggregation of the wiring closets, most often using multilayer switches. This submodule also offers several services:

  • Routing
  • Access control
  • QoS
  • Route Filtering
  • Route Summarization
  • Fast failure recovery through two equal-cost paths in the routing table to all destination networks
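As an added example that is not part of the white paper, the following multilayer distribution switch configuration shows routing, route summarization, route filtering, access control and two equal-cost uplinks together. The EIGRP autonomous system number, interface names and the 10.10.0.0/16 building addressing and 10.0.1.0/30 uplink subnets are assumptions.

```cisco
! Catalyst multilayer distribution switch (added example, not from the white paper;
! EIGRP AS number, interface names and all addresses are assumptions)
!
! Route filtering: never re-learn the building's own summary (or any more specific
! route inside it) from the core; accept everything else
ip prefix-list FROM-CORE seq 5 deny 10.10.0.0/16 le 32
ip prefix-list FROM-CORE seq 10 permit 0.0.0.0/0 le 32
!
! Routing: the building's access VLAN subnets live inside 10.10.0.0/16
router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 10.0.1.0 0.0.0.255
 ! Fast failure recovery: both equal-cost uplinks stay in the routing table
 ! (EIGRP default is 4 paths; 2 documents the intent for this design)
 maximum-paths 2
 distribute-list prefix FROM-CORE in
!
! Route summarization: advertise one /16 on each uplink instead of every /24.
! EIGRP installs 10.10.0.0/16 to Null0 on this switch, so traffic for an unused
! subnet inside the summary is discarded here rather than looping back to the core.
interface TenGigabitEthernet1/1
 description Uplink 1 to campus backbone
 no switchport
 ip address 10.0.1.2 255.255.255.252
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
!
interface TenGigabitEthernet1/2
 description Uplink 2 to campus backbone
 no switchport
 ip address 10.0.1.6 255.255.255.252
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
!
! Access control: inter-VLAN policy on the SVI. The guest VLAN may reach the
! Internet but never the corporate 10.0.0.0/8 address space; exceptions such as
! DHCP relay or internal DNS would be permitted above the deny.
ip access-list extended GUEST-IN
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
interface Vlan20
 description Guest VLAN SVI
 ip address 10.10.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

The inbound prefix-list is the route-filtering piece: without it a summary originated by this switch can be learned back from a peer distribution switch through the core, and during a link failure that reflected route would compete with the local Null0 discard route.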

Campus Backbone

This submodule provides redundant and fast-converging connectivity between distribution switches, and with the server farm and enterprise edge submodules. The campus backbone routes and switches traffic as fast as possible from one module to another.

Server Farm

The server farm module contains internal e-mail servers, corporate servers, and internal DNS servers. Typically, servers are dual-homed to two different distribution layer switches, and each distribution layer switch is connected to two core devices. It is also common for Cisco Unified CallManager and network management stations to be located here.

Enterprise Edge

The enterprise edge module contains the following submodules.

  • E-Commerce Module
  • Internet Connectivity Module
  • VPN and Remote Access Module
  • WAN Module

The enterprise edge aggregates connectivity from outside of the enterprise campus and routes the traffic into the campus core. Because traffic from outside of the "trusted" enterprise campus traverses this module, security is extremely important at the enterprise edge.

E-Commerce Module

This is where e-business web servers would be placed. Firewall functionality and Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are located here. There are multiple isolation LANs or demilitarized zones to secure traffic between web servers and their backend servers (database and application servers). Another key element would be high availability for web servers. This module will generally involve a "firewall sandwich" so that untrusted traffic from the outside world goes through the first one, traffic from web server to application server goes through the second one, and traffic from application server to database servers goes through the third one.
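The three trust boundaries of the firewall sandwich, as an added example that is not part of the white paper. For brevity the three firewalls are collapsed onto one Cisco ASA with four interfaces (outside, web, app, db); in the layout described above each boundary would be a separate device with the same access-list logic. Interface names, security levels, server addresses (RFC 5737 documentation ranges) and the application and database ports are assumptions.

```cisco
! Cisco ASA modelling the three boundaries of the firewall sandwich (added example,
! not from the white paper; names, addresses, security levels and ports are assumptions)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif web
 security-level 50
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif app
 security-level 70
 ip address 198.51.100.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/3
 nameif db
 security-level 100
 ip address 10.20.30.1 255.255.255.0
 no shutdown
!
! Boundary 1: Internet -> web tier, HTTPS to the published web server only
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Boundary 2: web -> app on the application port only. The explicit deny means a
! compromised web server cannot reach the db tier directly, even though the ASA
! would otherwise allow lower-to-higher security traffic only by explicit rule.
access-list WEB-OUT extended permit tcp host 192.0.2.10 host 198.51.100.10 eq 8443
access-list WEB-OUT extended deny ip any any log
access-group WEB-OUT in interface web
!
! Boundary 3: app -> db on the database port only
access-list APP-OUT extended permit tcp host 198.51.100.10 host 10.20.30.10 eq 1433
access-list APP-OUT extended deny ip any any log
access-group APP-OUT in interface app
```

Each tier can initiate connections only to the next tier inward and only on one port, and every denied packet is logged; the log lines from the deny entries at boundaries 2 and 3 are the detection signal that a web or application server has started behaving unexpectedly.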

Internet Connectivity Module

This module provides internal users with Internet connectivity, and it provides access to the information the enterprise publishes on its public servers, such as HTTP, SMTP, and FTP servers. As with the e-commerce module, the Internet connectivity module should have firewall functionality and IDS or IPS.

Related Courses

CCDA Boot Camp
ICND1 - Interconnecting Cisco Network Devices 1
CCNA Boot Camp v2.0

Related White Papers

High Availability in the Enterprise Campus
Network Assessment in the Troubleshooting Process

Related Web Seminars

Essentials of Routing

Date: 3/2/2009

Author: Carol Kavalla

Format: PDF

Pages: 9
