
UNLEASH YOUR NETWORK SERVICES
The National University of Singapore Did 22

How to Achieve Network Nirvana 28

Behind the Scenes of a DMVPN Deployment 48

Navigate the Winding Road to IMS 61

CISCO.COM/PACKET

CISCO SYSTEMS USERS MAGAZINE FIRST QUARTER 2006

PACKET FIRST QUARTER 2006 VOL 18 NO 1

Reprinted with permission from Packet® magazine (Volume 18, No. 1), copyright © 2006 by Cisco Systems, Inc. All rights reserved.

Page 2: UNLEASH YOUR NETWORK SERVICES - Cisco · Unleash Your Network Services 22 Cisco Service-Oriented Network Architecture outlines how enterprises like the National University of Singapore

Unleash Your Network Services 22
Cisco Service-Oriented Network Architecture outlines how enterprises like the National University of Singapore can evolve their network to increase efficiencies, lower costs, and strengthen business agility.

Network Nirvana 28
Through the process of simplification, networks achieve new levels of resiliency—and lower total cost of ownership.

Push to Talk Everywhere 34
Cisco IPICS creates communications interoperability by joining radio systems with IP networks.

Minding the Store 38
As IT managers build out their organizations’ storage-area networks, they face performance, security, and management issues.

ON THE COVER

COVER PHOTO: Tommy Hor, director of the computer center at the National University of Singapore


SERVICE PROVIDER SOLUTIONS

Say It with IPTV Services 53
Tapping the flexibility of a converged network infrastructure is smart business for Hong Kong Broadband Network.

Gaining the Ethernet Edge 57
New OAM protocols enhance a carrier’s service deployments and make managing and monitoring Metro Ethernet networks easier.

The Winding Road to IMS 61
Non-IP Multimedia Subsystem applications are still key in the service provider evolution toward IP Multimedia Subsystem (IMS).

ENTERPRISE SOLUTIONS

Primary Wireless 43
Employees at Intel’s Jones Farm campus will soon be using a wireless LAN as the primary access method for data, voice, and video.

DMVPN Deployment 48
A British broadcaster moves from a mixed-media architecture to MPLS with the help of mGRE technology.

SMALL AND MIDSIZED BUSINESSES

Modular to the Core 65
Modular features and advanced services modules make the Catalyst 6500 Series Switch an affordable option for midsized networks like Maryland’s nonprofit Columbia Association.

DEPARTMENTS

From the Editor 1
Big Changes for Packet

User Connection 5
Networking Academy Advanced Technology Training • New Edition of Routing TCP/IP

Tech Tips & Training 7
Enterprising MPLS • Top 5 Freeware Tools • Reader Tips

New Product Dispatches 68
What’s new from Cisco over the past quarter.

NetPro Expert 72
Advice from Cisco’s Jazib Frahim on implementing and troubleshooting IPSec redundancy.

IN EVERY ISSUE

Mail 3
Acquisitions 5
Tech Tips 11
Advertiser Index 73
Cache File 74
The 5th Wave 74

TECHNOLOGY

ROUTING: EIGRP Efficiency 15
Best practices for scaling EIGRP neighbors in hub-and-spoke networks.

SWITCHING: Dynamic Buffer Limiting 19
Industry’s first hardware and flow-based congestion avoidance at wire speed.


FROM THE EDITOR

Big Changes for Packet

Cisco is a company that practices what it preaches: that Internet technology will truly change the way we live, work, play and learn. By IP-enabling many of its own business processes, Cisco generates gains in productivity and business agility that translate to millions of dollars in savings each year. The fact that Cisco uses its own networking technology to gain a competitive edge is clearly demonstrated in the Cisco IT@Work CDs we have distributed with this magazine over the past year.

Whether mobilizing its workforce with secure wireless networking, improving customer service via IP contact centers, or increasing employee uptime and reducing travel expenses with desktop video conferencing, Cisco prides itself on being its best reference customer. Our offices are quickly becoming showcases unto themselves for demonstrating how networking technologies can be turned into real business differentiators.

Cisco migrated away from printed technical documentation in favor of electronic distribution years ago. Every internal transaction, from signing a purchase order, submitting an expense report, or rewarding an employee, is done completely via Web-based applications. Not a piece of paper in sight. So it should come as no surprise that Cisco will be placing significant emphasis on the digital distribution of Packet magazine in the coming year.

Cisco launched Packet Digital Edition last June. In just six months, we went from zero to nearly 25,000 subscribers worldwide. Clearly, readers are responding positively to the new format. However, not everyone is ready to jump headfirst into the paperless society. Many of you still prefer reading a printed publication, enjoy the mobility of print, or just plain like the feel of a real magazine in your hands.

For this reason, we have decided not to do away with the print edition of Packet. Instead, we will be offering readers a choice: You can subscribe to Packet Digital Edition for free, or pay a subscription price to continue to receive the print edition of Packet.

Starting with the Third Quarter 2006 issue, Packet will be a paid subscription publication. You will receive one more free issue after this one you hold in your hands.

But what an issue it will be!

Starting with the Second Quarter 2006 issue, Packet is being revamped and redesigned to be the premier publication for increasing the knowledge and expertise of Cisco networking professionals. That means more tech tips, more deployment guides and troubleshooting tricks, more how-to articles and configurations, and more real-world examples than ever before.

We think you’ll like what we’ve done and hope you’ll give the new Packet magazine a try, in whichever format you choose.

PACKET MAGAZINE
David Ball, Publisher and Editor in Chief
Jennifer Redovian, Executive Editor
Susan Borton, Managing Editor
Suzanne Jackson, Joanie Wexler, Contributing Editors
Robert J. Smith, Sunset Custom Publishing, Project Manager
Nicole Collins, Amy Mackey, Mark Ryan, Sunset Custom Publishing, Production
Jeff Brand, Art Director
Emily Burch, Designer
Ellen Sokoloff, Diagram Illustrator
Bill Littell, Print Production Manager
Valerie Marliac, Promotions Manager
Richard Koh, Eightfish Ltd., Cover Photograph

Advertising Information: Kristen Bergman, 408 [email protected]

Publisher Information: Packet magazine (ISSN 1535-2439) is published quarterly by Cisco Systems and distributed free of charge to users of Cisco products. Please send address corrections and other correspondence direct to [email protected].

Aironet, Catalyst, CCDA, CCIE, CCNA, Cisco, Cisco IOS, Cisco Networking Academy, Cisco Press, the Cisco Powered Network logo, the Cisco Systems logo, Cisco Unity, IOS, iQ, Linksys, Packet, and PIX are registered trademarks or trademarks of Cisco Systems, Inc., and/or its affiliates in the USA and certain other countries. All other trademarks mentioned in this publication are the property of their respective owners.

Packet copyright © 2006 by Cisco Systems, Inc. All rights reserved. Printed in the USA.

No part of this publication may be reproduced in any form, or by any means, without prior written permission from Cisco Systems, Inc.

This publication is distributed on an “as-is” basis, without warranty of any kind either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. This publication could contain technical inaccuracies or typographical errors. Later issues may modify or update information provided in this issue. Neither the publisher nor any contributor shall have any liability to any person for any loss or damage caused directly or indirectly by the information contained herein.

This magazine is printed on recycled paper. 10% TOTAL RECOVERED FIBER

Rob Brodman

David Ball, Editor in Chief
[email protected]


MAIL

More Long-Lasting Routers
The recent reader letters about router uptime that you published in your past two issues sparked me to look at our own routers on the network.

BRISDCNR01>show ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3660-JS-M), Version 12.1(2)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 16-May-00 19:43 by ccai
Image text-base: 0x60008900, data-base: 0x613B4000

ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)

BRISDCNR01 uptime is 4 years, 40 weeks, 5 days, 17 hours, 1 minute
System returned to ROM by power-on
System restarted at 14:26:24 gmt Tue Dec 12 2000
System image file is “flash:c3660-js-mz.121-2.T.bin”

cisco c3660 (R527x) processor (revision C0) with 83968K/14336K bytes of memory.
Processor board ID JAB0429844K
R527x CPU at 225Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.

3660 Chassis type: ENTERPRISE
2 FastEthernet/IEEE 802.3 interface(s)
8 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

No problemo.

—Robert McCallum CCIE No. 875, THUS, Glasgow, Scotland

Unsafe Driving
Recently, while browsing through your Third Quarter 2005 issue, as ever looking for more excellent material to show my students, I was appalled to find that a video clip on “Internet Benefits” (part of the enclosed Cisco IT@Work CD) showed an extremely dangerous work practice—specifically someone driving a car with one hand while dialing on his mobile phone with the other. By all means promote more efficient work practices, but not at the expense of endangering lives.

—Austin Kinsella, Institute of Technology, Carlow, Ireland

First-Time Reader
As I’m writing this e-mail I’m holding in my hand my first-ever Packet magazine (Fourth Quarter 2005). I am so excited to be among those reading it as I start my Cisco career as a consultant. I have read almost all of the articles included in this issue and I love every word of it. This valuable tool will not only help me grow my business and knowledge, but will also inform others how Cisco is making a difference in this field. Keep up the good work. I am now officially a Packet subscriber and a Cisco super fan.

—Erasmo J. Medina, London, Ontario, Canada

A Party for a Router
Router uptime seems to be a big deal these days. I guess we’re geeks. After reading all the recent letters from your readers, we found that we have a Cisco 2610 Router located at our Hobby Lobby store in Des Moines, Iowa, that has been up for almost five years and is not on a UPS. Here’s where the geek part comes in: We had a party to celebrate the five-year uptime. Fun was had by all and the cake was great (see photo). Thanks for making durable and reliable products.

—Thomas R. Tucker, Matt Bowman, and Sherry Bowman, Hobby Lobby Network Services, Oklahoma City, Oklahoma, USA

Send your comments to Packet

We welcome your comments and questions. Reach us through e-mail at [email protected]. Be sure to include your name, company affiliation, and e-mail address. Letters may be edited for clarity and length.

Note: The Packet editorial staff cannot provide help-desk services.


USER CONNECTION


Cisco Networking Academy Advanced Technology Training

The Cisco Networking Academy has broadened its security and wireless training programs. Course enhancements and exam updates include the following.

Network Security 2.0
■ Replaces the “Fundamentals of Networking Security” course.
■ Combines Cisco PIX Firewall and Cisco IOS Software integration; includes new course content.
■ Covers advanced topics; curriculum updates complement the Security+ exam.
■ Offers new equipment bundles, Cisco 1800 Series Integrated Services Router and Cisco PIX 515 Firewall, as the standard classroom package.
■ Incorporates newer tools and technologies to align with certification exams.

Wireless LANs 1.2
■ Includes lab updates of 802.11g.
■ Offers new, dynamic simulations.

For more information about the Cisco Networking Academy Program, visit cisco.com/go/netacad.

New Edition of Routing TCP/IP, Volume I

Cisco Press has introduced the second edition of Routing TCP/IP, Volume I. The new edition includes information about protocol changes, and describes Cisco features that are used to enhance routing integrity, secure routers from attacks initiated through routing protocols, and provide greater control over the propagation of routing information for all IP interior routing protocols. Information within each section of the new edition is enhanced and modified to include new developments in routing protocols and Cisco implementations.

About Cisco Press
Cisco Press is the Cisco Systems authorized book publisher of Cisco networking technology and Cisco certification self-study materials, and Cisco Networking Academy Program materials for networking students and professionals. Leading authorities from Cisco and other industry innovators write and contribute to the titles and series that make up the Cisco Press product family. Products from Cisco Press are part of a recommended learning path from Cisco.

For more information about Routing TCP/IP, Volume I, Second Edition, visit cisco.com/packet/181_3b1.

Recently Announced Cisco Acquisitions

Acquired: Cybertrust’s Intellishield Alert Manager
Employees: 26
Location: Herndon, Virginia, USA
Web-based security intelligence service that provides daily information about information security threats and IT product vulnerabilities that affect the entire corporate information technology domain. Intellishield Alert Manager will become part of the Cisco MySDN intelligence website. The Intellishield team will join the Technical Support Service’s group in Cisco’s Customer Advocacy organization.

Acquired: Scientific-Atlanta, Inc.
Employees: 7,500
Location: Lawrenceville, Georgia, USA
Provider of set-top boxes, end-to-end video distribution networks, and video system integration. Scientific-Atlanta will become a division of Cisco’s Routing and Service Provider Technology Group.

Stay Informed with Beyond Basic IP

Cisco-based networks are moving far beyond basic IP communications to gain the software intelligence required to self-adapt to network conditions. Beyond Basic IP (BBIP), a Cisco monthly electronic publication, keeps networking professionals informed about the latest networking software innovations. Each BBIP issue covers topics such as network security, voice over IP (VoIP), high availability, high-performance design, troubleshooting, and quality of service (QoS).

To read the current issue of BBIP and to register for a free subscription, visit cisco.com/packet/181_3c1.


TECH TIPS & TRAINING

Enterprising MPLS
Thinking About Moving to an MPLS MAN or WAN? Here Are Some Things to Consider.
By Janet Kreiling

Many enterprises that have relied on ATM or Frame Relay transport for their metropolitan-area networks (MANs), WANs, or both, are now exploring IP Multiprotocol Label Switching (MPLS) for its flexibility and scalability. In some cases, the impetus comes from the service provider, who invites an enterprise customer to take advantage of the benefits of its core MPLS network. In other cases, the impetus is from the enterprise itself. In either instance, most IT departments report knowing less about MPLS as an enterprise tool than they would like, whether the enterprise is setting up an MPLS network itself or ensuring that an outsourced MPLS WAN meets its needs.

MPLS networks, incidentally, are just one alternative for MAN and WAN deployments. To date, most enterprises using IP across their WAN have chosen IP Security (IPSec), while others opt for multiple virtual routing and forwarding (VRF) segmentations or encrypted private connectivity. Like MPLS, each of these is a viable solution that depends on the needs of the enterprise (see sidebar, page 8).

The primary market for IP MPLS MAN/WAN networks is composed of organizations that use Layer 2 technologies such as time-division multiplexing (TDM) circuit switching, Frame Relay, ATM, or SONET/SDH for transporting data and possibly voice. According to Kevin Loo, solutions manager in the Enterprise Systems Engineering group at Cisco, these organizations are looking for provisioning flexibility, broad geographic availability, little or no distance sensitivity in pricing, the ability to mix and match access speeds and technologies, and to segment multiple departments or operating units, applications, and services securely within a single network. As with any architecture that provides VPNs over shared wide-area or metro-area facilities, MPLS networks can yield significant cost savings while providing fully meshed connectivity among locations, high inter-location bandwidth, and end-to-end quality of service (QoS).

If your enterprise is considering switching to MPLS, should you install and manage the MPLS network in-house or outsource those tasks to a service provider? The largest organizations, with the IT expertise and desire for full control over their internal networks, might choose to self-deploy MPLS. For the lion’s share of enterprises, however, outsourcing will be a more practical choice.

Outsourcing Your MPLS Network
Simplifying operations, lowering costs, and mitigating the risk of changes in technology are among the top reasons companies choose to outsource rather than build their own MPLS MANs or WANs, according to a June 2005 report conducted by Forrester Research. When evaluating different service providers, you should keep these and other business goals in mind. For example, will the proposed network be able to link business applications, demarcate sufficiently and securely among various segments of your business, or deliver the needed bandwidth to different locations?

The link between the enterprise and service provider networks can take place at either Layer 2 or 3. With peering at Layer 3, the provider’s network routes the customer’s IP packets through its shared network, while guaranteeing secure transport. It does this by installing a VRF table for each customer that isolates that customer’s traffic from others. One of the advantages of Layer 3 peering is that the two networks can exchange routing information directly, says Bob Vigil, an engineer in the Service Provider Systems Engineering group at Cisco. In addition, most service providers can provide QoS with greater intelligence in Layer 3 than in Layer 2. MPLS also offers true any-to-any connectivity and thus more efficient routing.

Any Transport over MPLS (AToM), in which Layer 2 packets or cells are carried over an MPLS network, is a good solution for some enterprises, especially those with ATM, Frame Relay, or Ethernet networks that need point-to-point Layer 2 connectivity, says Vigil. The virtual point-to-point circuits characteristic of Layer 2 networks are set up through VPNs.

Whether the managed MPLS service requested is at Layer 2 or Layer 3, many of the key questions enterprises should ask prospective providers are the same.

Availability, Addressing, and Topology
Availability is critical. What is the provider’s availability percentage? What backup is offered? Is the fallback Frame Relay, ATM, leased lines, or the public Internet? How will your data be protected?


Then, starting at your enterprise’s front door, how will IP addressing be handled on the links to and from the provider? Often the provider determines the addressing scheme, which might use either the provider’s or enterprise’s address space, private address space, or unnumbered addressing on the link. When the enterprise’s private address space is used, whoever does the addressing must ensure that the customer retains some private address space and that standards-compliant addresses transmitted across the link are not confused with either the enterprise’s or provider’s own addresses.

Network topology is another key consideration. MPLS networks inherently provide an any-to-any architecture; Layer 2 networks are often hub-and-spoke. Enterprises might prefer Layer 2 networks if they want control over communications between spokes or to maintain firewalls between them. For these same reasons, enterprises choosing an MPLS network should make sure that the provider can maintain a hub-and-spoke design within it. Alternatively, if the enterprise moves from a hub-and-spoke design to an MPLS network, Vigil points out, it may find that it reduces the number of physical and virtual circuits, depending on the existing deployment.

Routing and Routing Convergence
How many routing prefixes will the provider accept? Which routing protocol will be used—Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP)? If the provider is managing the enterprise-provider link, the provider is responsible for choosing the protocol and maintaining the link. Does the provider impose limits on the number of routes your organization can use? What happens if the number is exceeded?

Routing convergence for your enterprise network will depend on how the provider handles convergence within its network. What are the approximate and maximum convergence times if a link fails or a route is unavailable? Does the provider offer a convergence guarantee in its service-level agreement (SLA)? Can the provider deliver remote access to the MPLS VPN for telecommuters, mobile workers, and other remote users? When an enterprise site has multiple links to the provider, who manages load balancing? Will the provider route IP VPNs via VRF tables from other companies if you want to create an extranet for suppliers or customers?

QoS, Security, and SLAs
Of course, you want your critical, delay-sensitive traffic to receive the appropriate priority across the provider’s shared network as well as within your own MAN or WAN. What classes of service does the provider offer, and how many? Can the provider map your LAN classes, which are typically more numerous, to its own end to end across the network? If your traffic leaves the provider’s network for another network the provider has interconnected with to increase its coverage area, will the end-to-end QoS and security be maintained?

If you need a specific capability such as multicasting, not all providers can support it. Some may still carry multicasts through Generic Routing Encapsulation (GRE) tunnels rather than in native form, according to Loo. If the provider supports multicast VPNs, how many multicast distribution trees does it offer?

Perhaps highest on the list of considerations is security. The level of security inherent in an MPLS network is the same as that in ATM or Frame Relay networks, but some questions are nonetheless in order. Given that the network infrastructure is shared, what practices are in place to prevent misconfiguration that could breach your network security? MPLS networks are inherently resistant to label spoofing and other attacks, but you should understand how the provider protects its core network from attacks of all kinds and whether the MPLS network and public Internet traffic use the same routers or other equipment. If so, can you get dedicated provider edge (PE) routers? What’s the cost?

Finally, don’t forget your SLA. Among the items the SLA should cover specifically are agreed-upon deliverables; consequences if the provider fails to deliver; definitions of network availability; resolution response times for problems that might arise and lead times for new service, VPN, and site requests; bandwidth; latencies; QoS; and SLA reporting. Cisco has tools that can help you monitor your provider’s compliance with the SLA: IP SLA and the Optimized Edge Routing (OER) feature in Cisco IOS Software. For instance, if the MPLS cloud exceeds the permitted delay, OER reroutes traffic using an alternate path such as a GRE tunnel over the Internet or another MPLS provider.

Enterprise MAN/WAN Deployment Options

In addition to IP MPLS, Cisco offers the following solutions for enterprise MAN/WAN deployments:

Encrypted private connectivity adds Advanced Encryption Standard (AES) as well as Digital Encryption Standard (DES) and Triple DES (3DES) to existing Frame Relay, ATM, or other links. It’s ideal for enterprises with moderate growth expectations that require secure, dedicated connectivity.

IPSec VPNs use the same strong encryption standards for transport over public and private networks; most often used to link to branch offices and teleworkers.

Multi-VRF segmentation is an extension of VPN technology that helps keep traffic segregated across the WAN. Used with IP VPNs, IPSec VPNs, and encrypted private connections, multi-VRF segmentation is designed to enhance security between departments, business functions, and user groups.

Deploying Your Own MPLS Network
According to Forrester Research, companies who choose to install and manage MPLS MANs and WANs themselves already have the hardware and expertise in house, want to retain control over their networks, and believe they can save costs by doing it themselves. Loo adds that the ability to segment their networks into closed user groups (CUGs) makes self-deployment particularly interesting to large organizations with multiple units that want to keep internal networks separate. For example, a large university might find that logically separate networks for individual departments work better administratively. Segmentation overall is increasingly important to large enterprises, says Loo. In addition to keeping critical applications separate and secure, some companies might want to ensure that top executives are on VPNs unavailable to other employees or set up CUGs that give limited access to customers, partners, or groups outside business unit or departmental boundaries.

An enterprise can create multiple virtual networks that share the same infrastructure, much as a service provider creates virtual networks when it manages MPLS networks for multiple enterprise customers. If, for example, a worm infects a PC on one virtual network, the threat will not spread to other virtual networks. It is also a good idea to establish address transparency across organizations for scalable shared, or virtualized, services such as firewalls, intrusion prevention, and other security capabilities.
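The per-customer VRF isolation described under Layer 3 peering earlier, and the separate virtual networks on shared infrastructure described here, shown as an added IOS 12.x-style provider-edge configuration (an editor's example, not a configuration from the article or from Cisco; the VRF names, route distinguishers, route targets, AS number, interfaces and addresses are all constructed):

```cisco
! Added example (editor's, not from the article or from Cisco): a provider-edge
! router that carries two customers over one shared MPLS core, each customer in
! its own VRF. All names, numbers and addresses below are constructed.
ip cef
mpls ip
mpls label protocol ldp
!
! One VRF per customer. Distinct route targets are what keep the two routing
! tables apart: a PE imports only the routes tagged with the RTs it lists.
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 ! Cap what the customer can push into the PE: warn at 80% of 1000 routes,
 ! refuse further routes above 1000 (the "limit on routes" question above).
 maximum routes 1000 80
!
ip vrf CUST-B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
 maximum routes 1000 80
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Customer-facing links are bound to their VRF. Both customers can use the
! same 10.1.1.0/30 link addressing because the two tables never meet.
interface Serial1/0
 description CE link, customer A
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.252
!
interface Serial1/1
 description CE link, customer B
 ip vrf forwarding CUST-B
 ip address 10.1.1.1 255.255.255.252
!
! Core-facing link: labelled forwarding toward the other PEs.
interface GigabitEthernet0/0
 ip address 192.0.2.9 255.255.255.252
 mpls ip
!
! IGP for PE loopback reachability inside the core.
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
!
! MP-BGP carries each VRF's routes (VPNv4, RD prepended) between PEs.
router bgp 65000
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
 exit-address-family
 !
 ! PE-CE routing per VRF; static here, eBGP/OSPF/EIGRP would sit in the
 ! same per-VRF address family.
 address-family ipv4 vrf CUST-A
  redistribute connected
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf CUST-B
  redistribute connected
  redistribute static
 exit-address-family
!
ip route vrf CUST-A 10.10.0.0 255.255.0.0 10.1.1.2
ip route vrf CUST-B 10.20.0.0 255.255.0.0 10.1.1.2
```

To verify the separation, `show ip route vrf CUST-A` should list 10.10.0.0/16 and not 10.20.0.0/16 (and the reverse for CUST-B), and `show ip vrf detail` reports each VRF's route limit and current route count.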

Enterprise IT staffers deploying their own MPLS network should be schooled in routing protocols including BGP, EIGRP, OSPF, Label Distribution Protocol (LDP), and, of course, MPLS. An understanding of how these protocols interact with backdoor links is recommended as well. Enterprise IT will also need to handle load balancing, because MPLS networks commonly have multiple paths available between any two points. Several mechanisms can be used for efficient routing, such as Cisco Express Forwarding or unequal cost load balancing.

Convergence and its effect on network performance is as important in self-deployed MPLS networks as in outsourced ones. Of particular concern are convergence in the backbone, in a VPN site, and VPN route redistribution times. “Intelligent network design can help create faster convergence times,” says Vigil. “Network engineers can optimize convergence times by tuning the timers listed for each routing protocol and monitoring network load and application requirements.”

Some enterprises might use a combination of self-deployed and outsourced MPLS networks, reserving the self-deployed MPLS network for what it deems most critical or in need of segmentation.

Whether you are outsourcing your MPLS WAN to a provider or deploying it yourself, with WAN traffic going over a provider network at some point, you should look into whether the provider has a Cisco Powered Network designation, advises Loo. Capabilities such as availability, QoS, and integrated security are more likely to be found with these providers who employ Cisco equipment and technologies end to end and meet Cisco’s support standards (find them at cisco.com/go/cpn).

◆ ◆ ◆

Whether self-deployed or outsourced, usually the move to an MPLS network does not entail a forklift upgrade. Industry data shows that enterprises are already moving gradually to MPLS IP VPNs. A company might begin simply by upgrading the Cisco IOS Software feature sets on its routers and switches, which can provide some of the routing and security capabilities of an MPLS network. For many enterprises, MPLS WANs will eventually be a reality, and users and IT staffs alike will be glad to have them.

CISCO SYSTEMS FIRST QUARTER 2006 PACKET 9

Cisco Gear for Enterprise MPLS

With more than 300 MPLS customer deployments, including more than 70 enterprise installations, Cisco has the expertise to help businesses deploy and manage MPLS networks. Enterprises that manage their own MPLS networks have the choice of customer edge (CE), provider edge (PE), and provider (P) routers; those who outsource might be able to affect what CE routers their provider offers. Either way, the advantages of an end-to-end Cisco network demonstrated by a Cisco Powered Network provider extend through to the CE and into the LAN.

Recommended PE and P routers include the Cisco 12000, 7600, and 7200 series, and the 7304 Router. The 12000 Series offers a modular, distributed architecture that can scale from 2.5 Gbit/s to nx10 Gbit/s capacity per slot and support up to 1,000 VRF instances. One of the highest performance and density platforms in the Cisco edge/aggregation routing portfolio, the 7600 Series offers a complete Layer 2 or Layer 3 MPLS solution, full QoS, modular security services, and support for up to 1,000 VRF instances. The most widely deployed MPLS router, the 7200 Series offers flexibility with comprehensive IOS routing, QoS, and security services support at up to OC-3 speeds. The 7200 also supports up to 1,000 VRF instances and complete Layer 2 and Layer 3 VPN services. The Cisco 7304 Router supports complete AToM features, up to 1,000 VRF instances, and hardware-accelerated performance with QoS.

For outsourced MPLS networks, CE router choices include the Cisco 7200 Series as well as Cisco 3800, 2800, and 1800 Series Integrated Services Routers. Depending on the model, the Integrated Services Routers support five to 1,000 VRF instances and 10,000 to 1 million VRF routes, with concurrent services at up to T3/E3 speeds.

Reprinted with permission from Packet® magazine (Volume 18, No. 1), copyright © 2006 by Cisco Systems, Inc. All rights reserved.


Tech Tips
Top 5 Freeware Tools for Cisco Network Administrators

Would you like to efficiently manage your Cisco network using the tools commonly used by experts? These five freeware tools are easy to set up and use and can help you manage your Cisco network.

1. PuTTY for SSH access (putty.nl) is a Secure Shell (SSH) client that runs on Windows. You can use PuTTY to access remote devices using the SSH protocol. With an increased emphasis on security, most Cisco devices can now be remotely accessed via SSH. PuTTY supports SSH versions 1 and 2 along with Data Encryption Standard (DES), Triple DES (3DES), Blowfish, and Advanced Encryption Standard (AES). With a single click of a button, you can log a session for later review. PuTTY also supports Telnet.

2. PumpKIN TFTP server (kin.klever.net/pumpkin). Most Cisco devices use the Trivial File Transfer Protocol (TFTP) as the primary way to transfer system image files or configuration files, so a simple, stable TFTP server is an essential part of a network administrator’s toolkit. PumpKIN TFTP server provides a simple, easy-to-use GUI and runs on all versions of Windows. PumpKIN also plays .wav files to provide audio alerts indicating the state of a TFTP transfer, a feature that is very handy for multitasking network administrators.

3. Kiwi Syslog server (kiwisyslog.com). Because most Cisco devices use the Syslog protocol to generate system messages, deploying a centralized Syslog server is often recommended. Additionally, network administrators might occasionally need a local Syslog server that can be quickly deployed for testing or troubleshooting purposes. Kiwi Syslog server is an easy-to-use but versatile tool that runs on all versions of Windows. Kiwi Syslog provides the built-in ability to listen to Simple Network Management Protocol (SNMP) traps, too. An additional useful feature is that Kiwi will monitor the free disk space on the server itself. When the disk space falls below a configured threshold, Kiwi generates e-mail and audio alerts, a very useful feature that prevents messages being lost due to lack of disk space.

4. Nmap network scanner (nmap.com). Originally developed as a hacker tool, mainstream networking professionals now use Nmap for security testing of firewalls, routers, and intrusion detection system (IDS) devices. Nmap can generate ping sweeps to scan a range of IP addresses, verify the working of specific TCP or UDP ports on a target machine, quickly scan the TCP or UDP ports on a target host, and use OS fingerprinting techniques to make an educated guess about the OS running on the target devices. Nmap works with both Windows and Linux. Nmap use may be prohibited in many secure environments and can trigger IDS alarms, so always check your corporate security policies before using Nmap.

5. Protocol analyzer or network analyzer (ethereal.com). Ethereal is a commercial-grade network analyzer that can be installed on any Windows or Linux/UNIX platform. Ethereal can analyze more than 700 protocols, including Cisco-specific protocols such as Cisco Discovery Protocol and Inter-Switch Link.

—Submitted by Anand Deveriya, CCIE No. 10401, NEC Unified Solutions (author of Network Administrators Survival Guide, Cisco Press, 2005)

TECH TIPS & TRAINING

Configure the Cisco VPN Client for Third-Party Client Software. Learn how to configure a Cisco VPN Client to coexist with third-party client software, including Microsoft, Nortel, Checkpoint, Intel, and others. Compatibility includes the ability to use other VPN products while the VPN Client is installed. cisco.com/packet/181_4e1

Learn how to Move Cisco CallManager to a New Location. This document outlines how to move Cisco CallManager with or without an IP address change. cisco.com/packet/181_4e2

Configuring a Wireless Domain Services Access Point as an AAA Server. Learn how to configure an access point to provide Wireless Domain Services (WDS) and perform the role of an authentication, authorization, and accounting (AAA) server. Use this setup when there is no external RADIUS server to authenticate infrastructure access points and client devices that participate in WDS. cisco.com/packet/181_4e3

Configure Access Point ACL Filters. Get help configuring access control list-based filters on Cisco Aironet access points using the command-line interface (CLI). cisco.com/packet/181_4e4


TECH TIPS & TRAINING
Reader Tips

Packet thanks all of the readers who have submitted technical tips. Each quarter we receive many more tips than we have space to include. While every effort has been made to verify the following reader tips, Packet magazine and Cisco Systems cannot guarantee their accuracy or completeness, or be held responsible for their use.


Configuration
Configuring Large Switch Environments

In a large switch environment, to configure all or multiple interfaces on a switch with the same configuration parameters, do the following:

    Switch(config)# interface range [interface {port-range}]

For example:

    Switch(config)# interface range fastEthernet 0/1 - 30

To configure different ports with the same configuration:

    Switch(config)# int range fa0/1 , fa0/12 , fa0/13

—Rajesh Kumar Ojha, Habib Bank Limited, Karachi, Pakistan

Troubleshooting
Backup Solutions for Frame Relay Point-to-Point Networks

When implementing a Frame Relay point-to-point network, you might want to have a backup solution in place. Most backup methods are triggered by either a routing protocol failure or an interface going down. When using the interface method, problems can arise if the Frame Relay provider is using multiple switches between the two end points. A point-to-point interface on one end can be brought down due to a link failure, although it remains up on the other end. This can cause the backup solution to fail. Frame Relay end-to-end keepalives (EEK) can resolve these types of issues. For example:

    hostname R5
    !
    interface Serial0/0.30 point-to-point
     ip address 163.1.30.5 255.255.255.0
     frame-relay interface-dlci 504
      class EEK
    !
    map-class frame-relay EEK
     frame-relay end-to-end keepalive mode request
    !

    hostname R4
    !
    interface Serial0/0.30 point-to-point
     ip address 163.1.30.4 255.255.255.0
     frame-relay interface-dlci 405
      class EEK
    !
    map-class frame-relay EEK
     frame-relay end-to-end keepalive mode reply
    !

To verify that this is working properly:

    R5#show frame-relay pvc 504

    PVC Statistics for interface Serial0/0 (Frame Relay DTE)

    DLCI = 504, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE (EEK UP), INTERFACE = Serial0/0.30

      input pkts 5161           output pkts 6022          in bytes 56771
      out bytes 331070          dropped pkts 0            in pkts dropped 0
      out pkts dropped 0                out bytes dropped 0
      in FECN pkts 0            in BECN pkts 0            out FECN pkts 0
      out BECN pkts 0           in DE pkts 0              out DE pkts 0
      out bcast pkts 860        out bcast bytes 294936
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
      pvc create time 14:19:49, last time pvc status changed 13:45:49

—Mike Griffin, Robert Half International Inc., Pleasanton, California, USA


Pinging Multiple IP Addresses with the puts Command

You can use the puts command to ping multiple IP addresses simultaneously from the router. The following is an example of pinging IP addresses 192.168.26.1, 192.168.25.1, and 192.168.17.2:

    tclsh
    foreach addr { 192.168.26.1 192.168.25.1 192.168.17.2 } {
        puts [exec "ping $addr"]
    }

—Santosh Gamre, CCIE No. 13265, IPsoft, Inc., New York, USA

Editor’s Note: This is indeed a good, simple use of TCL. However, there are better ways to ping multiple IP addresses. You can use either IP SLA (the old SAA or RTR feature) or the CISCO-PING-MIB. IP SLA has a very usable command-line interface, and the reliability and accuracy of the probes, whether through pings or another mechanism, is considerably better than from the command line or from the CISCO-PING-MIB. It is not difficult to create an IP SLA config to do this. While the CISCO-PING-MIB does not have a CLI interface, you can write one in TCL and do the same thing as the script above. The advantage of these strategies is that the process doing the pings is considerably lighter weight than TCL and, therefore, has much less impact on device performance. This is much more important as soon as you make the first obvious enhancement to this script, which is to ping every <x> seconds.

SUBMIT A TIP

Help your fellow IT professionals by submitting your most ingenious technical tip to packet-editor@cisco.com. When submitting a tip, please tell us your name, company, city, and country. Tips may be edited for clarity and length.


TECHNOLOGY: Routing

EIGRP Efficiency
Scaling EIGRP Neighbors in Hub-and-Spoke Networks

By Russ White

While many people count sheep to get to sleep, most network engineers find other things to count, such as IETF RFCs, and how many remote sites they can connect to a hub-and-spoke Enhanced Interior Gateway Routing Protocol (EIGRP) network. How many EIGRP neighbors can you have on a hub-and-spoke network? Looking at current best practices and testing can help answer the question.

Native Mode Dual-Homed EIGRP Hub and Spoke

To understand how EIGRP normally operates in a hub-and-spoke network, refer to the simple set of network events in Figure 1. Routers A and B are the hubs, remote routers C, D, and E are each dual-homed to both hubs, and A is connected to 192.168.1.0/24.

1. A loses its connection to 192.168.1.0/24, marks the route active, and sends queries to each of its neighbors. B, C, D, and E mark the route as active and send queries to their neighbors.

2. At this point, the timing of the operations depends on the speed of the links, router types, router processor load, and other things. For this example, assume that C, D, and E query B before B can send its queries to the remotes.

3. B now has no neighbors from which it has not received a query, so it marks 192.168.1.0/24 as unreachable and sends replies to each of its neighbors.

4. C, D, and E now have no possible paths to 192.168.1.0/24, so they mark it as unreachable and send replies to A.

5. When A receives these replies, it determines there are no other paths to 192.168.1.0/24, so A removes the route from the local routing table and sends an update for 192.168.1.0/24 with an infinite metric.

As you can see, EIGRP scaling on a hub-and-spoke network is heavily impacted by the query process. The hub router must send and track queries for each route that it marks active.

FIGURE 1 EIGRP operation on a hub-and-spoke network. The query process typically has a heavy impact on EIGRP scaling in a hub-and-spoke network. The hub router must send and track queries for each route that it marks active. (Diagram: hubs A and B, remotes C, D, and E, with the numbered events 1 through 5 above.)

Filtering Toward Remotes

The first practice network administrators can use to increase EIGRP scaling on a hub-and-spoke network is to reduce the number of routes sent to the remote neighbors through filtering and aggregation. This reduces the number of queries and replies sent, even in this simple network (Figure 2). Assume that Routers A and B are filtering or aggregating routing information so that the default route 0.0.0.0/0 is the only route transmitted to remote routers C, D, and E.

1. A loses its connection to 192.168.1.0/24, marks the route active, and sends queries to each of its neighbors.

2. B determines its only path to 192.168.1.0/24 is through A. Why? Because C, D, and E are not even receiving this route, so they are not advertising it back to B.

3. C, D, and E have no alternate route to 192.168.1.0/24, so they reply to A. Router A receives these replies and notes that all queried neighbors have replied. A marks this route as unreachable and removes it from the local routing table.

Additionally, processing could be greatly reduced by configuring the remote routers as EIGRP stubs.

EIGRP Stub Routers

When considering this small network, one point is obvious: the remote routers will never be used to transit traffic between the two hub routers, A and B. Consequently, remote routers C, D, and E will never have an alternate path to any destination that the hub router has learned about through any other path. Therefore, there is no reason for the two hub routers to query the remote routers.

The EIGRP stub feature works from the assumption that a router configured as an EIGRP stub signals its neighbors that it will never have any valid alternate paths, so there is no reason to query the stub router. Using the same small network, with remote routers C, D, and E configured as EIGRP stub routers, what does the processing look like when A loses a route? Figure 2 illustrates.

1. A loses its connection to 192.168.1.0/24.

2. A marks the route as active, examines each of its neighbors, and determines which neighbor could have an alternate path to 192.168.1.0/24. Because C, D, and E are advertising themselves as stub routers, A does not need to query these neighbors. A sends a query to B.

3. B has only one path to 192.168.1.0/24, through A, so it will mark the route as unreachable and send a reply to A. Why? Because C, D, and E are advertising themselves as stub routers, which means they will never have an alternate path.

4. Router A receives this reply from B, marks this route as unreachable, and removes it from the local routing table.

Configuring the remote routers as EIGRP stubs dramatically decreases the processing at the hub routers. How much of a difference does this make?
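The three walk-throughs above (native operation, filtering toward the remotes, and stub routers) as an added Python simulation; this is not part of the article and not Cisco code. It models hubs A and B with a configurable number of dual-homed remotes, replays the query and reply exchange after A loses 192.168.1.0/24, and counts the messages. The model simplifies DUAL: a queried router asks only the neighbors that advertised the prefix to it and have not already queried it, stub neighbors are never asked, a remote that was filtered out of the prefix answers immediately, and a query that crosses one already sent to the same neighbor is treated as that neighbor's answer of "no path". Because of the crossing queries the native count comes out a little higher than the article's hand trace, but the shape is the point: native and filtered message counts grow with the number of remotes, while the stub case stays constant.

```python
"""Simplified model of the EIGRP query process on a dual-homed hub-and-spoke network.
Added example, not Cisco code: counts queries and replies after hub A loses a prefix."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(eq=False)          # identity hashing so routers can be set members
class Router:
    name: str
    stub: bool = False
    has_prefix: bool = False                          # prefix present in this router's table
    neighbors: list = field(default_factory=list)
    advertisers: list = field(default_factory=list)   # neighbors that advertised the prefix to us
    active: bool = False
    queried_by: set = field(default_factory=set)      # neighbors whose query we have received
    pending: list = field(default_factory=list)       # queriers still owed a reply
    outstanding: set = field(default_factory=set)     # neighbors we are waiting on


def build_hub_and_spoke(n_spokes, stub=False, filtered=False):
    """Hubs A and B; every spoke peers with both hubs. A is connected to the prefix."""
    a, b = Router("A", has_prefix=True), Router("B", has_prefix=True)
    a.neighbors, b.neighbors = [b], [a]
    b.advertisers.append(a)
    for i in range(n_spokes):
        s = Router(f"S{i}", stub=stub)
        s.neighbors = [a, b]
        a.neighbors.append(s)
        b.neighbors.append(s)
        if not filtered:                 # spoke receives the prefix from both hubs
            s.has_prefix = True
            s.advertisers = [a, b]
            if not stub:                 # a stub does not re-advertise learned routes,
                b.advertisers.append(s)  # a non-stub spoke advertises its path (via A) to B
    return a, b


def simulate(n_spokes, stub=False, filtered=False):
    """Return (queries, replies) sent network-wide after A loses the prefix."""
    a, _ = build_hub_and_spoke(n_spokes, stub, filtered)
    queue = deque()                      # FIFO of (kind, src, dst) messages in flight
    sent = {"query": 0, "reply": 0}

    def send(kind, src, dst):
        sent[kind] += 1
        if kind == "query":
            src.outstanding.add(dst)
        queue.append((kind, src, dst))

    def settle(r):
        """Nobody can offer a path: mark unreachable and answer every querier."""
        r.active, r.has_prefix = False, False
        for q in r.pending:
            send("reply", r, q)
        r.pending.clear()

    def go_active(r, candidates):
        r.active = True
        for n in candidates:
            send("query", r, n)
        if not r.outstanding:
            settle(r)

    # Event 1: A loses the connected route and queries all non-stub neighbors.
    go_active(a, [n for n in a.neighbors if not n.stub])

    while queue:
        kind, src, dst = queue.popleft()
        if kind == "reply":
            dst.outstanding.discard(src)
            if dst.active and not dst.outstanding:
                settle(dst)
            continue
        if not dst.has_prefix:           # filtered remote: no route to lose, answer at once
            send("reply", dst, src)
            continue
        dst.queried_by.add(src)
        dst.pending.append(src)
        dst.outstanding.discard(src)     # a crossing query means "no path here either"
        if not dst.active:
            go_active(dst, [n for n in dst.advertisers
                            if n not in dst.queried_by and not n.stub])
        elif not dst.outstanding:
            settle(dst)
    return sent["query"], sent["reply"]


if __name__ == "__main__":
    for n in (3, 200):
        print(f"{n} spokes: native {simulate(n)}, filtered {simulate(n, filtered=True)}, "
              f"stub {simulate(n, stub=True)}")
```

With three remotes the native case exchanges 10 queries and 10 replies, filtering cuts that to 4 and 4, and stubs cut it to a single query from A to B and a single reply; with 200 remotes the native case needs 601 of each while the stub case still needs one.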

Neighbor Counts with and Without Stub Routers

This question has two answers, one based on real-world experience, and the other based on lab testing. In real deployments without the remotes configured as EIGRP stub routers, the largest deployments are in the 200-neighbor range on Cisco 7200 and Cisco 7600 series routers equipped with fast processors. The primary determining factors in scaling these deployments are generally bandwidth on the links between the hub and spoke routers and the processing requirements on the hub routers. The primary mechanism used to reach these neighbor counts is aggregation or route filtering.

By comparison, deployments where remote routers are configured as EIGRP stubs commonly reach as high as 800 or more remote routers using the same hub routers, and there are some exceptionally larger examples. Again, scaling these networks is very dependent on aggregation or filtering toward the remote routers; more routes transmitted toward the remote routers, lower bandwidth available between the hub and the remote, and less router processing power at the hub and remote routers all translate to lower numbers of supportable neighbors.

Comparing these two deployment types, the ratio of neighbor support with and without the remote routers configured as EIGRP stubs is about 4:1.

Cisco’s Routing Protocols Verification Lab, in Research Triangle Park, North Carolina, performed tests on large-scale hub-and-spoke EIGRP networks. Interestingly, the test results are very similar to the stability points in live networks:

Using standard EIGRP (no stub routers configured, no summarization or filtering), the network begins to destabilize when between 250 and 300 neighbors are attached. At this point, the network takes about 9 minutes to converge initially, and takes hours to converge if a single hub router fails.

FIGURE 2 EIGRP active processing with filtering. Filtering and aggregation is a good way to increase EIGRP scaling on hub-and-spoke networks because this reduces the number of routes sent to the remote neighbors. (Diagram: hubs A and B, remotes C, D, and E, with the numbered events 1 through 3 of the filtering example.)

RUSS WHITE, CCIE No. 2635, is a technical leader in the Cisco IP Technologies Group, where he specializes in designing and implementing routing protocols and scalable networks. He is a frequent contributor to Packet and IP Journal, and can be reached at [email protected].


Configuring the dual-homed remotes as stub routers, the network begins to destabilize when between 800 and 1,200 neighbors are attached. The network takes about 9 minutes to converge initially, and about 30 seconds to converge if a single hub router fails.

Essentially, lab tests conducted on large-scale hub-and-spoke EIGRP networks yield results similar to real-world experience. The primary differences involve traffic levels between the remote sites and the hub routers. The lab tests do underscore the differences in convergence time after configuring the remote sites as stub routers; this is something we cannot test under real-world conditions, in most cases, with real traffic flowing through the network. We still see about a 4:1 ratio between stub and nonstub neighbors in a large-scale EIGRP hub-and-spoke network.

Remote Sites with Multiple Routers

One specific challenge arises when attempting to scale to large numbers of EIGRP neighbors on networks with two or three routers in a site that is considered a stub. Figure 3 illustrates this situation.

In this network, Routers A and B are hubs, C and D are connected together in one site, while E and F are connected together in another site. If Router C is configured as a stub router, it will not advertise 192.168.1.0/24 to Router D, so internally the site does not have full connectivity. In the same way, if the link from Router D to B fails, C will not advertise any routes learned from A, including the default route, so any hosts attached to Router D will not be able to connect to any devices behind the hub routers.

Does this mean that multiple router sites cannot be scaled in the same ways as single router dual-homed sites, because the routers at these multiple router remote sites cannot be configured as stub routers? Actually, a new EIGRP feature in Cisco IOS Software allows a router to be configured as a stub router, but to leak specific prefixes to a peer router. In this case, we could configure Router C as a stub router but also configure it to advertise the default route, learned from Router A, and the locally connected network 192.168.1.0/24, to Router D. In the same way, Router D can be configured as a stub router and can also be configured to leak locally connected networks and the default route learned from Router B to Router C.

The following configuration illustrates how to configure an EIGRP leak-map in this network. Both route-map entries must carry the name that the leak-map references (stubsite), and the prefix-list length keyword is written ge 24:

    router eigrp 100
     eigrp stub connected summary leak-map stubsite
    !
    route-map stubsite permit 10
     match ip prefix-list default
     match interface e0/0
    route-map stubsite permit 20
     match ip prefix-list localroutes
     match interface s0/0
    !
    ip prefix-list default permit 0.0.0.0/0
    !
    ip prefix-list localroutes permit 192.168.2.0/23 ge 24

In this configuration, the prefix lists select different parts of the address space: the default route from the hub routers toward the other remote site router, and the locally originated routes toward the hub. The interface matches tie the routes advertised to the interface facing the hub or the other remote site router. Two checks are worth making before relying on this: the localroutes prefix-list must actually cover the site’s connected networks (as written it matches 192.168.2.0/23 and longer prefixes, which does not include the 192.168.1.0/24 shown in Figure 3), and on the hub, show ip eigrp neighbors detail should report the remote as a stub peer advertising connected and summary routes.

Does this change the way the hub treats the remote site? Figure 4 illustrates the difference by showing the active process in a dual-homed multiple router site.

A loses its connection to 10.1.1.0/24. A marks the route as active, examines each of its neighbors, and determines which could have an alternate path to 10.1.1.0/24. Because C is advertising itself as a stub router, A does not need to query this neighbor. A sends a query to B.

FIGURE 3 Typical dual-homed remote sites. Site 1 does not have full connectivity because Router C is configured as a stub router and does not advertise the IP address to Router D. (Diagram: hubs A and B; Site 1 with Routers C and D and Site 2 with Routers E and F, each remote router connected to a hub over its S0/0 interface; 192.168.1.0/24 attached to Site 1.)

FIGURE 4 Active processing, multiple stub sites. When multiple router sites are configured as stubs, the hub treats them the same as it does a remote site with a single router that is configured as a stub. (Diagram: hubs A and B, remote site Routers C and D connected over S0/0, prefixes 10.1.1.0/24 and 192.168.1.0/24, with numbered events 1 through 4.)

Continued on page 73


TECHNOLOGY: Switching

Dynamic Buffer Limiting
Industry’s First Hardware and Flow-Based Congestion Avoidance at Wire Speed

By Rupa Kaur

A Cisco innovation, Dynamic Buffer Limiting (DBL) is the first flow-based congestion avoidance quality-of-service (QoS) technique suitable for high-speed hardware implementation. Operating on all ports in the Cisco Catalyst 4500 Series Switch, DBL recognizes and limits misbehaving traffic flows, particularly flows that are unresponsive to explicit congestion feedback such as packet drops (typically UDP-based traffic flows). It is a multiprotocol technique that can examine a flow’s Layer 2/3/4 fields.

DBL provides on-demand Active Queue Management by tracking the queue length for each traffic flow in the switch. When the queue length of a specific flow exceeds its limit, DBL drops packets or marks the Explicit Congestion Notification (ECN) field in the packet headers, so the flow can be handled appropriately by servers in the event of network congestion. Unchecked flows, also known as belligerent or non-adaptive flows, use excessive bandwidth, and their consumption of switch buffers results in poor application performance for end users. This misbehaving traffic can also negatively affect well-behaved flows and wreak havoc with QoS.

Because DBL is implemented in ASICs, wire-speed packet manipulation is achieved without switching performance degradation. Up to 136-Gbit/s switch capacity and 102 million pps of wire-speed forwarding are supported on a single Cisco Catalyst 4500 Series Switch. This advanced QoS control is especially critical in Internet edge, distribution, and core networks.

High-Speed Networks = Greater Protection

More than ever, today’s networks are built using equipment with very high bandwidth (Gbit/s) and performance (Mpps) characteristics. With more bandwidth comes greater responsibility to provide good QoS protection mechanisms. A Gigabit Ethernet network moves 1 billion bps compared to a WAN T1/T3 network (1.544 or 45 Mbit/s). Without proper safeguards, high end-user bandwidth puts more stress on QoS. Voice quality suffers in the presence of belligerent flows, and QoS degrades when these flows cause denial of service (DoS) to well-behaved flows.

FIGURE 1 How DBL works. Shown here are the key ways DBL works on a given flow. The switch maintains the number of credits and buffers concurrently. (Plot: credits and buffers of a belligerent flow over time T0 through T4, against the maximum credits of 15 (default), the aggressive credit limit of 10, the aggressive buffer limit of 2 packets, and the point at which ECN is marked.)

A belligerent flow travels at high speed (with multiple packets) and does not reduce its traffic rate in response to packet drops. Examples include:

■ Thick UDP flows. Downloading a movie from the Internet is an example of a thick flow; it requires higher dynamic buffer utilization (high bps) compared to a user performing router terminal access using Secure Shell (low bps). Voice is an example of a thin flow and takes precedence using a strict priority queue.

■ Spanning Tree and IP Multicast loops. A Spanning Tree loop usually lasts 30 seconds, during which network bandwidth is consumed (on uplinks, for example).

■ Streaming multimedia, common in many Internet applications.

DBL in Motion

After meeting age requirements and passing a written test, a person in the US must pass a driving test to obtain a Class C automobile license. Each candidate starts with 100 points. The more mistakes one makes (e.g., poor parking, exceeding the speed limit), the more points are deducted. If the deductions total 30 points or less, the candidate is issued a license.

DBL’s technique for congestion avoidance is similar. Instead of points, however, DBL uses credits. Credits are decremented the moment a flow misbehaves. In the beginning phase of congestion, no packet is dropped and the ECN field is marked. (IETF RFC 3168 has more information on the ECN bits in the IPv4 ToS field.) A single packet is marked with ECN so the flow has a chance to adjust or retreat without losing more packets (a warning, unfortunately, that the candidate in the driving analogy doesn’t get).

Linux and Solaris 9 operating systems have support for ECN. Each flow starts with 15 credits (this parameter can be configured globally) and counts down. DBL is highly granular; it performs computation based on a flow and not on all the packets within a queue. This is the main distinction between DBL and Weighted Random Early Detection (WRED).

RUPA KAUR, a senior technical marketing engineer in Cisco’s Gigabit Switching Business Unit, has been at Cisco for ten years. Prior to her role in technical marketing, she was a development engineer for ATM platforms. She can be reached at [email protected].

As shown in Figure 1, for every active flow, the switch maintains two parameters concurrently: the number of credits and the number of buffers. When a flow consumes more buffers than the dynamically computed limit, DBL (starting at T1 in the plot) marks the ECN field or drops one packet. If the flow does not respond to the single packet drop and continues to send packets at the same rate, it loses its credits one by one.

The flow is considered aggressive when its credits fall below the aggressive credit limit. At this point, the buffer usage is also reduced to the aggressive buffer limit. On the other hand, at time T3, when the flow adjusts itself and uses fewer buffers than the dynamically computed limit, the number of credits begins to increase one at a time. Well-behaved TCP flows regain full credits immediately.
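The credit and buffer accounting described above, as an added Python model; this is not part of the article and not Cisco’s ASIC logic. The defaults mirror the values the article gives (15 maximum credits, an aggressive credit limit of 10, an aggressive buffer limit of 2 packets, ECN as the exceed action). Two things are assumptions of this model: a fixed per-flow limit of 4 queued packets stands in for the dynamically computed limit, and a flow back under its limit earns one credit back per packet transmitted. The driver at the bottom contrasts a UDP stream that never slows down with an ECN-capable TCP flow that is warned with a mark and then backs off.

```python
"""Software model of DBL per-flow credits and buffer limits. Added example, not Cisco code."""
from collections import deque
from dataclasses import dataclass


@dataclass
class FlowState:
    credits: int
    buffers: int = 0      # packets of this flow currently queued
    accepted: int = 0
    marked: int = 0       # forwarded with the ECN CE codepoint set instead of being dropped
    dropped: int = 0


class DblQueue:
    def __init__(self, flow_limit=4, max_credits=15, aggressive_credit_limit=10,
                 aggressive_buffer_limit=2, exceed_action="ecn"):
        self.flow_limit = flow_limit                  # assumed fixed stand-in for the dynamic limit
        self.max_credits = max_credits                # "DBL max credits: 15"
        self.aggr_credits = aggressive_credit_limit   # "DBL aggressive credit limit: 10"
        self.aggr_buffers = aggressive_buffer_limit   # aggressive buffer limit: 2 packets
        self.exceed_action = exceed_action            # "ecn", as with qos dbl exceed-action ecn
        self.queue = deque()                          # one transmit queue, entries are flow ids
        self.flows = {}

    def state(self, flow):
        return self.flows.setdefault(flow, FlowState(credits=self.max_credits))

    def is_aggressive(self, flow):
        return self.state(flow).credits < self.aggr_credits

    def limit(self, flow):
        """An aggressive flow is held to the small aggressive buffer limit."""
        return self.aggr_buffers if self.is_aggressive(flow) else self.flow_limit

    def enqueue(self, flow, ecn_capable=False):
        """Return 'accept', 'mark' or 'drop' for one arriving packet of `flow`."""
        st = self.state(flow)
        if st.buffers < self.limit(flow):
            st.buffers += 1
            st.accepted += 1
            self.queue.append(flow)
            return "accept"
        st.credits = max(0, st.credits - 1)          # every packet over the limit costs a credit
        if (self.exceed_action == "ecn" and ecn_capable
                and not self.is_aggressive(flow)):   # an adaptive flow is warned, not punished
            st.buffers += 1
            st.marked += 1
            self.queue.append(flow)
            return "mark"
        st.dropped += 1                              # non-adaptive or already aggressive: drop
        return "drop"

    def dequeue(self):
        """Transmit one packet; a flow back under its limit earns one credit (assumed rate)."""
        if not self.queue:
            return None
        flow = self.queue.popleft()
        st = self.state(flow)
        st.buffers -= 1
        if st.buffers < self.limit(flow) and st.credits < self.max_credits:
            st.credits += 1
        return flow


def burst(q, flow, n, ecn_capable=False):
    """Offer n back-to-back packets with no transmit opportunity in between; return verdicts."""
    return [q.enqueue(flow, ecn_capable) for _ in range(n)]


def drain(q, n):
    for _ in range(n):
        q.dequeue()


if __name__ == "__main__":
    q = DblQueue()
    print("udp burst:", burst(q, "udp-stream", 10), q.flows["udp-stream"])
    drain(q, 4)
    print("after drain:", q.flows["udp-stream"], "aggressive:", q.is_aggressive("udp-stream"))
    print("tcp burst:", burst(q, "tcp-ecn", 6, ecn_capable=True), q.flows["tcp-ecn"])
    drain(q, 6)
    print("tcp after backing off:", q.flows["tcp-ecn"])
```

Ten back-to-back UDP packets get four accepted and six dropped, and the sixth excess packet pushes the flow below the aggressive credit limit; once the queue drains and the flow is back under its limit, the credits start climbing again. The ECN-capable TCP burst gets its two excess packets marked rather than dropped and, after it backs off, is back at full credits.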

DBL Configuration Overview

The Cisco IOS DBL configuration is very simple (see Figure 2). The switch uses the Modular QoS Command-Line Interface (MQC) with the keyword dbl in the policy map. The ECN configuration is also global. All the buffer and credit parameters mentioned above are displayed by the show qos dbl command.

The DBL transmit queue logic operates on each port’s four transmit queues (384 ports times four queues, about 1,500 queues, on a Cisco Catalyst 4510R Switch). In addition, DBL manages flows on any port type: switched, routed, trunk, access, or EtherChannel.

DBL Spanning Tree Loop Performance

Figure 3 depicts DBL’s network performance improvement in a Spanning Tree Protocol (STP) loop scenario. In this case, without DBL, the TCP flow slows and a non-looping, well-behaved 70-Mbit/s flow gets 26.5 Mbit/s (37 percent) of throughput. With DBL, the non-looping flow gets 69 Mbit/s (99 percent) of throughput in addition to the TCP flows. The throughput figure is from just one lab scenario set up to show DBL’s effect during an STP loop. Similar behavior of well-behaved and adaptive flows will be observed if the STP scenario is replaced by a Layer 3/4 deployment.

DBL, AutoQoS, and WRED

With more than 50 million ports deployed worldwide, the success of the Cisco Catalyst 4500 Series Switch lies in its centralized architecture and simple configuration macros. One such macro is AutoQoS, which automatically configures DBL and QoS on a particular port. Thousands of enterprises are using the AutoQoS feature and running DBL for their IP telephony deployments.

WRED is another popular Active Queue Management technique; DBL and WRED can work together in any network deployment. The main difference between DBL and WRED is that DBL is flow based. If congestion occurs, the hardware logic drops a packet based on the flow.

Also, a flow’s contribution to congestion is measured. For example, if congestion occurs on an uplink wire-speed 10 Gigabit Ethernet port, the UDP-based audio packets are higher targets than the voice or Telnet packets because audio uses more buffers. DBL only operates when the pipe is full, e.g., if there is more than 20 Gbit/s of data on a 2-port 10-Gbit/s EtherChannel.

◆ ◆ ◆

DBL is a Layer 2-4 multiprotocol congestion avoidance technique that strengthens network security by limiting belligerent flows and preventing DoS attacks. Belligerent flows usually occur at the edge of the network, where streaming media and other bandwidth-hungry applications wreak havoc on the network. Cisco Catalyst 4500 Series switches are positioned at the network edge to provide proper safeguards against network congestion. These switches support DBL in hardware on all Supervisors (Sup2+ and higher), with performance ranging from 64 Gbit/s and 48 Mpps to 136 Gbit/s and 102 Mpps. The 1-rack-unit Catalyst 4948 fixed switches also support DBL in hardware.

CISCO SYSTEMS FIRST QUARTER 2006 PACKET 21

FIGURE 3 DBL improves network performance in an STP loop scenario.

[Figure 3: DBL and Spanning Tree Loop. Diagram of two Catalyst 4500 switches (ports Gi4/1, Gi4/1, Gi4/2) carrying a Smartbits looping flow of 75 Mbit/s and a Smartbits non-looping flow of 70 Mbit/s toward a Smartbits receiving port.]

CISCO IOS DBL CONFIGURATION

4xxx(config)#qos dbl
4xxx(config)#qos dbl exceed-action ecn
4xxx# show qos dbl    // Truncated
DBL flow includes layer4-ports
DBL uses ecn to indicate congestion
DBL max credits: 15
DBL aggressive credit limit: 10

FIGURE 2 All buffer and credit parameters are displayed.

FURTHER READING

■ IETF RFC 3168, “The Addition of ECN to IP”
ietf.org/rfc/rfc3168.txt

■ Cisco Catalyst 4500 Series Switches
cisco.com/packet/181_5b1
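A configuration check built on the show qos dbl output shown in Figure 2, added here as an example and not part of the article or of Cisco’s tooling: it parses the four lines visible in that (truncated) output and reports every setting that differs from an expected baseline, so the same DBL and ECN settings can be confirmed across a fleet of switches. The baseline values are those from Figure 2; the second sample output, with no ECN line and a different credit limit, is constructed for the demonstration and is not real device output.

```python
"""Audit `show qos dbl` output against an expected baseline.

Added example (not the article's or Cisco's code). The parser recognises
the four lines visible in the article's truncated Figure 2 output; any
other line is collected under "unparsed" so nothing is silently ignored.
"""
import re
from typing import Dict, List

# Output as printed in Figure 2 of the article (truncated there as well).
FIGURE2_OUTPUT = """\
DBL flow includes layer4-ports
DBL uses ecn to indicate congestion
DBL max credits: 15
DBL aggressive credit limit: 10
"""

# Constructed sample of a switch that drifted from the baseline: no ECN
# line and a different aggressive credit limit. Not real device output.
DRIFTED_OUTPUT = """\
DBL flow includes layer4-ports
DBL max credits: 15
DBL aggressive credit limit: 5
"""

BASELINE: Dict[str, object] = {
    "layer4_ports": True,          # flows keyed on Layer 4 ports, not just the IP pair
    "ecn": True,                   # mark (RFC 3168) rather than drop on exceed
    "max_credits": 15,
    "aggressive_credit_limit": 10,
}

_NUMERIC = {
    "max_credits": re.compile(r"^DBL max credits:\s*(\d+)$"),
    "aggressive_credit_limit": re.compile(r"^DBL aggressive credit limit:\s*(\d+)$"),
}


def parse_show_qos_dbl(text: str) -> Dict[str, object]:
    """Turn the show output into a flat dict of settings."""
    state: Dict[str, object] = {"layer4_ports": False, "ecn": False, "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DBL flow includes layer4-ports"):
            state["layer4_ports"] = True
            continue
        if line.startswith("DBL uses ecn"):
            state["ecn"] = True
            continue
        for key, pattern in _NUMERIC.items():
            match = pattern.match(line)
            if match:
                state[key] = int(match.group(1))
                break
        else:
            state["unparsed"].append(line)  # keep anything we did not recognise
    return state


def audit(text: str, baseline: Dict[str, object] = BASELINE) -> List[str]:
    """Return one finding per setting that differs from the baseline."""
    state = parse_show_qos_dbl(text)
    findings = []
    for key, want in baseline.items():
        got = state.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    return findings


if __name__ == "__main__":
    for name, output in (("figure2", FIGURE2_OUTPUT), ("drifted", DRIFTED_OUTPUT)):
        print(name, audit(output) or "matches baseline")
```

A missing ECN line is reported as a deviation rather than ignored, which is the case that matters operationally: without exceed-action ecn the switch falls back to dropping the exceeding flow’s packets instead of marking them.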


Unleash Your Network Services

PHOTOGRAPH BY RICHARD KOH


Cisco Service-Oriented Network Architecture outlines how enterprises can evolve their network to increase efficiencies, lower costs, and strengthen business agility. The National University of Singapore knows.

By Janet Kreiling

At least one of your pressing business goals is probably on this list:

■ Firing up your supply chain, all the way, before your stock gets thin

■ Improving security or mobility

■ Enabling locations anywhere in the world to work smoothly with headquarters and each other

■ Making your branch office effective in supporting customers or remote employees

■ Delivering training efficiently

■ Ensuring fast recovery of operations and data after an outage

■ Consolidating applications, data operations, and storage away from vertical silos

■ Simplifying IT operations; saving capital and operating expenses

Achieving every one of these goals, and hundreds more, will be easier and less costly if you take full advantage of your network and also rethink how you view it. From the corporate data center all the way out to an office halfway around the world, your network can improve the way you serve your customers; the way you create and deploy new services or products; the way you empower employees; and the value you get from any kind of data, your production processes, inventory management and supply chain, financial systems, and every other activity your company engages in.

Impractical? Not really. But first, you must embrace a new perspective on your network. Think of all your business processes as sitting atop a single broad architecture—an architecture of architectures, if you will—so they make use of the same network services.

The National University of Singapore (NUS) began to shift its perspective five years ago when it decided to build an integrated network and create an online portal for students, faculty, and staff to conduct their day-to-day activities. NUS wanted to create an environment where learning opportunities surrounded students 24 hours a day, every day. It also wanted flexibility for the future. To support its online learning portal with vast capabilities that could be expanded as needs arose, NUS replaced its entire network with an integrated Cisco infrastructure (see sidebar, page 25).

SONA

Cisco has developed a framework called the Service-Oriented Network Architecture (SONA) that embodies the National University of Singapore’s forward-thinking view of its network. SONA outlines how enterprises can evolve their IT infrastructure into an intelligent information network that accelerates applications and maximizes business processes and resources. The framework shows how integrated systems across a fully converged network allow flexibility, while standardization and virtualization of resources increase efficiency.

Cisco SONA has three layers (Figure 1). The networked infrastructure layer is where all of the IT resources are interconnected across a secure and converged network foundation. This layer encompasses all places in the network: campus, branches, data center, WAN/MAN, and teleworker locations.

The interactive services layer enables efficient allocation of resources to applications and business processes delivered through the networked infrastructure. Residing here are services such as security, mobility, storage, authentication, policy management, virtualization, and segmentation. What defines these as services, rather than as applications, is that the systems providing them pervade the network with various components residing on different systems, and they are available to all users, according to Bridget Bisnette, Cisco’s global director for enterprise solution partners. Security, for example, involves firewalls, Network Admission Control (NAC), intrusion detection and prevention, and much more. Some functions are router-based; others are on network appliances, but all are used collectively to provide security to users, applications, and systems enterprise-wide. “Computing, voice, identity, and storage services are others that began as applications but evolved into services that can move into and be managed by the network,” says Bisnette.

The applications layer contains the business and collaborative applications that leverage efficiencies from the interactive services. These applications are also available enterprise-wide. Someone in a call center in India can pull up the same customer data on his or her desktop, from the same copy of the CRM application in the same data center, as a user at the company headquarters in Europe or North America.

Underlying the services and applications layers is the concept of virtualization, which goes beyond mere access to availability. For any user, applications and network services are as available as if generated in the nearest departmental or branch equipment closet, whether the user is at headquarters or halfway around the world. Given that 50 to 80 percent of employees are usually not located at headquarters, virtualization must intuitively improve productivity, emphasizes Paul McNab, vice president of marketing in the Integrated Networks Systems Engineering group at Cisco.

Virtualization supports the trend toward convergence: of voice and data networks, of services, and even of data itself—all of which must be protected through an integrated, end-to-end network with security services embedded into it. Having only one installation of a CRM, enterprise resource planning (ERP), or warehouse management program saves all the work of replicating and updating data in copies in different locations. When data is always up to the millisecond, it can be used by one application after another, and the network can ensure it flows from one application to others.

Moreover, data and applications can be located on any server or storage device that has the available capacity.

What virtualization brings to data in any enterprise, McNab says, is visibility—visibility to anyone in the enterprise or beyond who needs it. “A large retail chain may have 5,000 stores and employ 5,000 manufacturers. People or applications at the store, at headquarters, and all down the supply chain, wherever they’re located, can be enabled to see the information when a store in Los Gatos, California, sells a widget,” he explains. “That communication, especially with all links in the supply chain, is becoming crucial as companies need to control inventory tightly and cost effectively.” The task at hand, he adds, “is no longer managing the product, but managing data about the product.”

Making Silos Obsolete

It used to be that applications and data storage needed to be near their users, so network latency didn’t become a problem. There just wasn’t the sheer volume of applications as there is today. Now, says Greg Mayfield, senior manager in the Enterprise Solutions Marketing group at Cisco, it’s not uncommon for an enterprise to have hundreds of applications and databases in separate silos, with a lot of vacant space on servers, and as many as a thousand applications queued up to install and run.

Cisco has introduced several new products that optimize application performance. For example, latency can be cured by Cisco’s Application Velocity System (AVS), which minimizes both the number of transmissions across the WAN to use an application and their content. Cisco’s Wide Area Application Services, which


FIGURE 1 In Cisco’s three- to five-year vision for SONA, all IT resources are securely interconnected across a converged network foundation. In this new services infrastructure view, the network significantly enhances applications with its ability to deliver secure, optimized, resilient end-user services.

[Figure 1: Cisco Service-Oriented Network Architecture. Application Layer: PLM, CRM, HCM, ERP, SCM, Procurement, IPCC; Collaboration Layer: Instant Messaging, Unified Messaging, IP Phone, MeetingPlace, Video Delivery; Middleware and Application Platforms. Interactive Services Layer: Application Delivery, Application-Oriented Networking, Security Services, Mobility Services, Storage Services, Voice and Collaboration Services, Compute Services, Identity Services, Infrastructure Services, Network Infrastructure Virtualization, Infrastructure Management, Services Virtualization, Adaptive Management Services. Network Infrastructure Layer: Campus, Branch, Data Center, Enterprise Edge, WAN/MAN, Teleworker; Server, Storage, Clients.]


[Chart (Figure 2): The Network Multiplier. Network multiplier with SONA, from 0: servers 3.2x, storage 3.8x.]


The National University of Singapore: SONA in Practice

The National University of Singapore (NUS) comprises 13 faculties, 12 university-level research institutes and centers, 32,000 students, and more than 3,000 faculty members and researchers. NUS had several goals when it decided to build a network for supporting myriad multimedia applications, including e-learning, live lecture broadcasts, business warehousing, IP telephony, digital library and media archival, student administration, university admission, course registration, and GRID computing. Its network had to be scalable, robust, reliable, and achieve high performance to adapt dynamically to all demands for real-time and non-real-time, asynchronous or synchronous traffic.

NUS turned to Cisco for an integrated, converged network, and has in the five years since evolved its IT infrastructure into a highly available, intelligent network based on the Cisco SONA framework. The network distributes security, identity, wireless, and storage services across the organization. It enables all students and faculty members to obtain Webcast lectures, test scores, assignments, library materials, a messaging system, and other resources through the Integrated Virtual Learning Environment (IVLE). With campus-wide wireless service, NUS also enables students to access course materials anytime, anywhere using notebook computers. With SONA, the wireless and wired experiences are the same, beginning with security. Authentication and authorization services are consistent between both networks.

“Applications such as IVLE must be built without knowing exactly what the demand will be or how many people will use it simultaneously,” says Roland Yeo, network manager at NUS. “You have to base it on a scalable network and ensure that underlying network services will deliver the application as it is needed.”

The network can manage very granular policies for all of its end users. For example, a student can log into the IVLE to take an online test through a secure VPN but meanwhile cannot access any other resource on campus or off. Coded access cards, required to open all doors on campus, can track individuals’ movements on campus in times of emergency, which was useful during the SARS crisis when the university needed to know who might have been exposed. The network has also enabled new, mission-critical applications such as Centralized Online Registration Systems (CORS) for module selection and allocation. “As the university advances towards a broad-based education, students will be required to enroll in modules across faculties, and a system must be established to facilitate fair, equitable, and responsible selection of modules and, at the same time, allow teaching departments to manage their resources optimally,” explains Kwee-Nam Thio, manager for academic information systems at NUS. CORS has successfully allocated 1,200 modules each semester to the more than 20,000 students registering online from anywhere on or off campus.

“Our most important challenge is balancing security with openness,” Yeo says. “The Cisco SONA architecture provides a framework for ensuring security, rather than ad hoc attempts at preventing a wide range of security threats.” The flexibility has become crucial, he adds, given that the network is adept at fending off threats, such as denial-of-service attacks, that were unheard of when it was installed five years ago.

While the university has taken important steps towards establishing an extensive, e-enabled environment, Tommy Hor, director of the computer center at NUS, sees the following areas as important for future NUS IT capabilities: a single-source environment, where university reporting would all come from a central tool, creating a unified view across multiple departmental functions; integration of voice, data, and video, with more integrated interfaces for audio, video, and Web calls with simultaneous access to real-time databases and applications for intelligent, informed decision-making; wireless technology devices and systems for always-on access to resources; personalized portals for distributing information instead of pure e-mail dissemination.

“The Cisco SONA architecture will greatly facilitate NUS in this journey,” says Hor.

FIGURE 2 Virtualization boosts the percentage of network assets utilized, in turn boosting the effectiveness of IT spend. This chart represents the experience of Cisco’s IT department with server capacity: the use of servers was 3.2 times more effective with SONA than without; the use of storage systems 3.8 times more effective.

caches stable information locally, also minimizes WAN traffic, as do the Cisco Content Services Switch and Cisco Content Services Module, which balance request loads across multiple application servers according to policies that ensure requests go to the right server. For more on these and other products, see the Packet Special Report on Application Networking, Fourth Quarter 2005.

A sticking point in automating workflow processes has been the inability of applications to share data with each other because they employ many different languages and protocols. Cisco’s Application-Oriented Networking (AON) products take care of that roadblock. An AON router blade functions as a universal translator for many enterprise applications, so data can move from one to another seamlessly. The AON module speaks many protocols and languages; it can read messages to see what they contain and where the information should go. AON can also apply policies and priorities to messages.

Continued on page 27


in this stage, adding capabilities such as AON, with its inter-application translation services and intelligent data management.

The key to an effective migration, says Mayfield, is thinking first about the business problem, rather than the technology. What is the business problem you want to solve? How can you best address this problem? And then, what solution fulfills the immediate need and builds a foundation for handling future needs? There are many ways to begin migrating to a SONA architecture, adds McNab. “Most people begin with the network they have, rather than undergoing a forklift upgrade. They might start with one service or application, such as file management, identity verification, or user presence. The difference is that now they’d look at how to create an identity service that works across their entire enterprise, rather than just for one department.”

The Adaptable Network

Cisco’s products already have a high degree of interoperability. You can build an integrated network based on SONA for all the sub-architectures of your enterprise from available products. In the coming years, McNab says, Cisco will work on ensuring that all the architectures and individual products interoperate from an applications perspective in providing network services. The bottom-line deliverable for SONA is an adaptive network, one that can provide a company the ability to react in real time to new business opportunities, unforeseen market changes, and customer demands. That’s exactly what Roland Yeo, network manager at NUS, believes he has. “Our Cisco infrastructure met our immediate needs, and now, five years later, we are able to add security services, deploy voice, and implement video applications simply by enabling QoS features in the network.”

The SONA-based network has changed the way NUS does business—the way it educates students and the way its employees interact with each other. Adaptable indeed. Oh, and the university is also saving US$1 million in voice telephony costs alone.

The Role of Partners

The aforementioned AON products demonstrate Cisco’s role in the SONA applications layer: to facilitate their use. But the applications themselves and their integration into workflow processes are the task of Cisco partners, notes Bisnette. In fact, she says, SONA relies on Cisco partners for:

■ Supplying the Cisco products associated with SONA, and providing the support services and overall IT systems management required to deliver a complete solution, from separate business applications to lifecycle network design and implementation.

■ Consulting and business re-engineering as companies ready their networks for SONA, and providing managed services. In the future, the next-generation networks deployed by service providers will interface tightly with their customers’ SONA architectures, so hosted services and applications will pass transparently from one to the other.

How to Get Started

Evolving to a more intelligent, integrated network with SONA is done in phases:

Convergence and standardization of networks across the entire enterprise. Best-in-class IT organizations are designing single voice/data/video networks to handle all business communications, and standardizing on components in networks, desktops, and servers to optimize and simplify their infrastructure.

Consolidation of IT resources such as servers, which are notoriously underused when siloed and spread across the globe. Many are used to only 20 or 25 percent of their capacity.

Virtualization of IT resources, such as server clustering, where a given application or data store resides in just one or a few central places rather than in dozens or hundreds. Or virtual networking, which allows you to securely segment the network to address scalable and separately managed and billed network systems for handling multiple discrete businesses. In both cases, virtualization allows you to group systems or assignments of tasks together to maximize resources and reduce costs and overhead of management.

Automation, or deploying network-based services such as security and identification across the network so all applications can and do call on them. Enterprises also invoke application optimization

An Architecture of Architectures

One size, of course, rarely fits all. The Cisco SONA framework must encompass all places across the entire enterprise. So, Cisco has created model SONA “sub-architectures” for each of these places. The campus architecture, for example, is further divided into access, distribution, and core areas. Design guides for each architecture ensure that the systems installed perform the functions needed in each part of the overall network and also work together network-wide. Take the variations for branch offices. “There are many different types of branch office. A call center is a branch office,” says Jeanne Beliveau-Dunn, director of marketing for enterprise routing and switching at Cisco.

“But most branches don’t have resident IT support, and their networks are kitted and sent out from headquarters. Cisco has tried to do as much integration of the services that might be needed as possible. The SONA branch architectures show customers a path for streamlining those offices to include security, reliability, service convergence, IP telephony, video, wide-area file sharing, content networking, QoS, application velocity, application-oriented networking, or whatever they need.” Beliveau-Dunn adds, “That’s what a big part of SONA is all about—showcasing best practices for designing any part of the network.”

FURTHER READING

■ The Business Case for a Service-Oriented Network Architecture
cisco.com/go/sona

■ Application Infrastructure Primer for Network Professionals
cisco.com/packet/181_6a1

■ SONA Branch Architectures
cisco.com/go/branch

Cisco SONA, Continued from page 25


Network Nirvana

Through the process of simplification, networks achieve new levels of resiliency, responsiveness, and lower total cost of ownership.

By Joanna Holmes

The concept of network simplicity sounds paradoxical. Networks are by definition highly complex, globally dispersed, assembled through any number of technologies, and accessed through any number of media. And these networks deliver a wide array of sophisticated services. It’s safe to say that no enterprise network will ever be simple, but new technologies, products, and processes enable it to be simplified, and the transformation can make it a much more lucrative business investment.

As network technologies have matured over the past decade, the corporate network has undergone major evolutionary phases, drastically changing the nature of its business role. As new advances such as firewalls and Web-caching technologies arrived on the market, they were sold as separate boxes, network add-ons. The network itself became more complex as new boxes from a variety of vendors were connected. This “network by committee” approach, while able to satisfy certain new discrete demands, drives operating costs higher, renders networks less reliable, and lengthens the reaction time to each new onrushing requirement.

Adding to the complexity of what was once simply the company’s “data network,” IP telephony integration, video, and wireless access began to redefine the backbone as the overall communications network, raising the stakes for dependability.

Then, with the widescale economic downturn in 2001, the network integration of new technologies continued, but most companies’ IT departments were understaffed in the operational resourcing supporting these networks, even as functionality and importance were thrust upon them. Today, as the economy recovers, the challenge for most companies is that the resources allocated to their IT staffs are not keeping pace with network expansion. The result: longer hours and high stress levels—and increasingly, failure to meet intensifying business requirements.

Fortunately, as network services mature, they are progressively becoming integral components of the network equipment itself—the routers and switches—giving network managers the ability to pack more of the capabilities they need into a single box. “It’s a natural trend for features to be pulled into new equipment,” says David Willis, chief of communications at research firm Gartner. “For example, we used to add on firewalls at the network edge. Nowadays you get firewall features that are quite strong built into the same edge device that you need there anyway.”

That type of integration is a key component of the next phase of network evolution—the age of the simplified network that efficiently and effectively delivers an ever-expanding set of high-impact services. In this phase, companies can begin to streamline their networks, pulling in all the extraneous pieces and automating functions, then standardizing on single platforms and virtualizing network and network-connected resources. The resulting network is not only more resilient and responsive, but has a much lower cost of ownership than its more complex predecessor.

Baseline Assessment of Network Health

“It’s not that networks are getting simpler,” says Jeanne Beliveau-Dunn, a marketing director in Cisco’s Product and Technology Marketing Organization. “In fact,” she says, “by definition they’re getting extremely complex, because today they’re carrying everything—secure data, voice, video, wireless communications, and more.” Now that the network has become the central nervous system of the business, there is more emphasis on the things that make it resilient, such as security and high availability built into every part of the network. Here, as business demands have intensified and technology has advanced, the network itself has evolved to being more service delivery platform than basic connection utility (see related story, page 22). To achieve the best results through that service-oriented network, Beliveau-Dunn explains, perform a step-by-step assessment of how you can consolidate, standardize, and integrate many of its functions to provide, for example, access control, intrusion prevention, and stateful failover—which in turn deliver better security and more reliable connection performance. “Our customers are struggling with automating policy controls and deploying multisite secure network connectivity. Developing a scalable strategy to address these areas with automation technologies such as NAC [Network Admission Control], IPS [intrusion protection systems], and dynamic VPNs provides huge benefits.”

“It’s vital to take a step back and thoroughly assess where you are, what you have out there, and whether this network is going to serve you for the long haul,” says Beliveau-Dunn. “Even simple things like updating and standardizing IOS software releases can make a big difference.”

IT managers should develop plans to help them achieve the service-oriented networks they need. Often, the baseline network health assessment is driven by a particular requirement. It might be the need to increase security for all protected devices, or the rollout of a particular application. The impetus might be as simple as a general spending review and a cost-cutting plan—or, more specifically, the need to streamline operations for an overtaxed IT staff.

Stretched thin as the IT staff is, the network evaluation should be outsourced to a knowledgeable Cisco partner, or done through an advanced service from Cisco. A good first step is the Cisco Discovery Tool (cisco.com/go/partner-discovery). This PC application can create a record of all connected network devices, including product platforms and operating system versions. Cisco customers can get access to this application from their Cisco sales reps or channel partners. Those with advanced service contracts can also take advantage of network assessment and security audits provided by Cisco’s Customer Advocacy organization or its partners.

New functionality often drives the need for a baseline health assessment, says Willis. “But even in a stable environment, after several years’ time, it’s valuable to do an overall cost review, an overall audit [of functionality]—and in a WAN, an assessment of whether you’re optimizing your carrier services so you’re not spending more than you need to.”

“One challenge that frequently affects our customers,” says Beliveau-Dunn, “is that IT managers get hit with requirements they don’t even know if they can meet, because they don’t know what’s in their networks.” A baseline health evaluation can give them a two-to-three-year outlook and help clarify the steps necessary to achieving their business goals.

“For example, we see hospitals looking at ways of locking down their networks, while maintaining or increasing network performance over many different connected devices,” Beliveau-Dunn continues. Hospitals characteristically must provide

“Complexity is the enemy. If you have an old infrastructure, you can give it new functionality by introducing new devices, but over time, everything collapses under its own weight because of the diversity of the equipment.”

—David Willis, Chief of Communications Research, Gartner


extensive wireless support—and a high level of security is vital. “Everyone these days is increasing security spending, but for the most part they’re not optimizing their security systems, which may be open and vulnerable.” A general assessment or security audit can go a long way toward improving the network’s health.

Achieving Nirvana

After assessment, the heavy lifting of the network simplification process begins. The company’s IT organization must review the assessment results to ensure that all the company’s mission-critical applications and the teams that rely on them have rock-solid assurances of high network availability. Mark Leary, a product and systems marketing manager for foundation technologies at Cisco, recommends that IT managers work toward building “the four pillars of simplicity”: standardization, integration, automation, and virtualization.

Standardization

Particularly in large networks, the single most important step toward reducing network complexity is standardization. A network might have tens of thousands of connected devices, but by standardizing on a few platforms and running uniform versions of software on those platforms, businesses can reduce OpEx by lowering training costs, decreasing the requirement for spare parts, and eliminating service gaps. Just as one US-based low-fare airline attributes its success to its business model of flying only one type of airplane, businesses can streamline their operations by standardizing on a single networking vendor and a minimal number of routing or switching platforms within their networks.

“Imagine if you were in charge of a 100-branch network,” says Leary. “Now multiply those 100 branches by a handful of devices at each location—router, firewall, intrusion prevention system, voice system—and you’ve got a management nightmare. In contrast, you could simply have 100 Cisco 3800 Series routers, all with the same management system, the same operating system, the same hardware components—and all offering the same set of intelligent services. Suddenly it’s much more manageable.”

Integration

The integration aspect of network simplification involves moving features and functionality into a single box or, optimally, a single platform. Here, Cisco routers and switches serve as a foundation for a services-oriented network. “For example, most high-impact Cisco network services, such as NAC, VPN, firewall, intrusion prevention, IP telephony, wireless, and application networking, are now offered as integrated services within our routing and switching platforms,” says Leary.

Network Simplification Tips from Cisco IT

“In the USA, we call it ‘eating our own dog food.’ In Europe, it’s more politely known as ‘drinking our own champagne.’” Either way, says Vlada Marjanovic, senior director of the Cisco on Cisco program, it refers to the company’s reliance on its own network technologies to support its mission-critical corporate network.

Cisco’s core backbone supports 40,000 employees, as well as countless partners. It integrates voice, video, SAN, and wireless access for all offices and visitors, with 11 VPN points worldwide for access by some 11,000 Cisco employees.

Growing network complexity continuously raises the bar for Cisco’s IT team. “As you start putting more eggs in one basket, that basket becomes increasingly important—particularly from an availability and security perspective,” says Marjanovic. With a network that receives about US$18,000 per second in online transactions, Cisco can be greatly affected by any outages. “When you start running business-critical applications on your network, it has to provide better quality and security than when you’re just Web surfing.”

The more you can simplify your network, the more you can secure it and increase its availability. The Cisco IT organization takes a service view of its long-term architecture and works continuously to simplify the corporate network, reducing complexity and improving resiliency even as the network takes on increasingly more services and applications. One way the IT staff does this, says Marjanovic, is vigilant attention to “the next phase.” In fact, at any given time, Cisco IT actually maintains two architectures. “We have a single architecture that lasts for three years,” Marjanovic says, “and in the meantime, we are designing a new architecture. Every new capability gets assigned to the new architecture.” He refers to the venerable IT adage, “the less you touch the box, the higher your availability.” The vast majority of network problems, says Marjanovic, generally results from change.

Change management is Marjanovic’s number-one recommendation for network health. “If you let the engineers be the engineers,” he says, “they will experiment with technology and equipment and there will be problems. Managing changes requires no CapEx or OpEx, but it can still be very difficult for IT managers.”

Another recommendation from Marjanovic: Always link your business to your network. “You have to ask yourself, where is my strategic advantage?” Imagine, for example, that you manage videoconferencing services for your entire network and you meet your service-level agreements (SLAs), but you fail on your company’s quarterly CEO/analyst call. You need to understand the business impact of your network, and prioritize accordingly.

An example of an integrated platform is Cisco’s Integrated Services Router product line. Serving as a prime service-delivery platform within Cisco’s SONA, these routers deliver multiple concurrent services, while maintaining consistent performance, providing an infrastructure that enables fast, secure access to essential business applications, and readily accommodates future applications.

These routers provide a convenient platform for branch offices, helping IT staff by replacing functionality that was previously provided by other external devices. For example, IT engineers require much less training in networks that deploy a common set of multiservice networking platforms from one vendor, versus a variety of more specialized networking devices from different vendors. A study conducted by Sage Research found that Cisco Integrated Services Router users spend, on average, seven hours installing and configuring devices when adding a new site to a network. In contrast, non-users spend an average of 12 hours to add a new site. “That’s just the time savings in deployment for one site. Imagine the savings possible in maintaining the network or resolving a network problem,” says Leary.

Automation

Largely enabled by standardization and integration, a highly automated system minimizes network and service disruptions, boosts productivity for end users and—perhaps more importantly—frees up time for IT staff. For example, on the Cisco Catalyst 6500 Series Switch, the Embedded Event Manager (EEM) provides a method of triggering preprogrammed local actions upon detection of specific events, resulting in increased manageability, control, and resiliency. And that leads to good things for the network, says Leary. “Most IT teams today are just happy to have their networks up and running on a consistent basis. There’s no time to focus on network improvements.”

A recent Gartner study reports a 30/70 rule, where 30 percent or less of IT staff time goes to planning and proactive IT activities, and 70 percent is focused on day-to-day infrastructure operations, or what Gartner calls “keeping the lights on.” The report contends that businesses need to watch that ratio closely so that they can achieve healthy balances of proactive work versus reactive work, without neglecting operational demands. Increased automation is one solid way that businesses can bring that goal into sight.

Virtualization

As the final “pillar of simplicity,” the process of virtualizing the network enables companies to control IT costs, and avoid systems slowdowns and failures while maximizing availability of networked resources. As the single common denominator for all IT resources—servers, storage, desktops, mobile devices, applications, etc.—the network should be central to any organization’s move toward virtualization. Here, gains in user productivity, information protection, and resource availability and utilization are just now beginning to be realized.

Benefits of Simplicity

Simplicity is the model—and perhaps a good mantra—for the “Nirvana Network,” but simplicity in itself is not the goal. The real aim is a smooth-running network with designed-in resiliency, sustainable performance, service readiness, and a lower cost of operation. “You may not be able to control or standardize on everything the users are adopting for connecting to the corporate network,” says Beliveau-Dunn, “but you can design the network to provide sustainable resiliency and performance, and you can lower its cost by following the key planning principles of simplicity to assess and plan the network.”

To support the process of simplifying the network and creating more resilient and responsive services, Cisco is developing secure, high-availability components and automated systems. A recent example is Cisco IOS Software Modularity on the Catalyst 6500 Series Switch. This capability sets new standards for network availability. It reduces the complexity of the software certification and upgrade process by allowing network administrators to apply incremental patches to address time-sensitive requirements, such as critical security fixes, without impacting their network availability.

“Application adoption is happening today at twice the speed it was five years ago,” says Beliveau-Dunn. “With that acceleration, simplifying the network is more important than ever before. Network simplification is a best practice in the IT industry. It comes down to getting more thoughtful and more assessment-based about your network—and then getting ahead of the planning curve.”

FURTHER READING

■ Cisco IT@Work website

cisco.com/go/ciscoitatwork

■ LAN operations white paper

cisco.com/packet/181_6b1

■ WAN operations white paper

cisco.com/packet/181_6b2

■ Abercrombie & Fitch case study

cisco.com/packet/181_6b3

■ Computerworld article on State Street Corporation

cisco.com/packet/181_6b4

“Once you’ve transformed your network into an integrated system, then you can find ways to automate and virtualize many of its functions so that you’re not increasing your OpEx and staffing costs as you create this Nirvana Network.”

—Jeanne Beliveau-Dunn, Cisco Product and Technology Marketing Organization


Push to Talk Everywhere

Cisco IPICS creates communications interoperability by joining radio systems with IP networks. By David Barry

Two-way radios, also known as push-to-talk radios, have been a steady fixture in public safety, utilities, manufacturing, recreation, and warehousing industries for more than 50 years. From public agencies to emergency operations to global businesses, many workers depend on these ubiquitous devices to enable communications among their field and mobile workforces.

Until recently, however, two-way radio systems have been isolated. Based on proprietary technologies, push-to-talk radios, which include Land Mobile Radio (LMR), cellular, and wireless LAN, have been unable to connect outside their own networks. Not only do these networks lack interoperability with other voice networks, they are also incapable of handling new communications modes such as messaging, presence, and video. Such lack of interoperability greatly limits the usefulness of these crucial communications tools—exemplified most dramatically during catastrophic events when fire, police, and local emergency workers are unable to share critical information due to radio incompatibilities.

This lack of communications interoperability extends to any industry where enterprises conduct business-critical voice communications on traditional communications systems, including transportation, financial services, retail, and the public sector (see sidebar, “IPICS in Action: Maher Terminals”). Large-scale replacement of these systems is disruptive and impractical. Regardless of the industry, a new network-based solution from Cisco—the Internet Protocol Interoperability and Collaboration System, or IPICS—aims to close this communications interoperability gap seamlessly and economically.

How IPICS Works

Cisco IPICS is a systems-level, network-based solution for integrating traditional communications systems with other disparate voice, video, and sensor networks. In addition to providing scalability and investment protection, Cisco IPICS takes full advantage of IP standards and the network infrastructure for greater resilience, scalability, and security, says Ken Chen, product manager in the Safety and Security Systems Business Unit at Cisco.

The Cisco intelligent network is the foundation for IPICS, providing the quality of service (QoS) and IP multicast that is critical for real-time communications. To bring radio traffic onto the IP network, companies deploy LMR gateways—Cisco Integrated Services Routers with special voice services, interface cards, and digital signal processor (DSP) functionality installed. The Cisco LMR gateways convert analog radio traffic to IP traffic, thereby extending radio’s reach to other IP-based devices while preserving the investment in traditional radio systems.

Each radio channel (or talk group as is the case with hoot-and-holler systems) is mapped to an IP multicast address. Users on IP-connected devices, such as the Cisco IPICS Push-to-Talk Management Center (PMC) client application on a PC or laptop, can also participate in these channels, enabling users that were previously blocked from communications to join the push-to-talk network.


Additionally, PSTN, cellular networks, and cellular push-to-talk networks (such as Sprint Nextel Push to Talk) can be seamlessly integrated into the Cisco IPICS architecture. This comprehensive voice interoperability delivers push to talk everywhere—interoperability from any push-to-talk voice device to any other push-to-talk voice device regardless of the underlying networks.

Security is also part of the Cisco IPICS solution. Users on a Cisco IPICS PMC client, for example, must log in securely and be authenticated by Secure Sockets Layer (SSL) before admission to a talk group. PMC client users can also access various channels based on user privileges or on demand via dispatch.

The first phase of the Cisco IPICS solution focuses on putting the foundation in place for basic connectivity and management between IP networks, various voice communications systems, and two-way radio networks. The focus will later shift to integrating other resources into the Cisco IPICS collaboration environment, such as standard telephones, cell phones, video feeds, remote sensors, and GPS devices.

Competing Interoperability Solutions

Two competing approaches for achieving interoperability among radio systems include using the same radio system or using gateway devices. While using the same radio system among all organizations and agencies can be an ideal solution, it isn’t practical. For public safety alone, a common radio communications system in the local, state, and federal governments would cost approximately US$20 to $40 billion, according to industry estimates. Additionally, the time to complete an infrastructure replacement and installation would be 20 years or so. Also, these radio systems typically have a lifecycle of 15 to 20 years, and in some cases they have only very recently been deployed. Any new solution, therefore, must be able to use the existing radio systems.

IPICS in Action: Maher Terminals

Maher Terminals is one of the world’s largest shipping container operators, handling about 1.2 million containers a year at its 450-acre headquarters in the Port of New York and New Jersey in Elizabeth, New Jersey. Maher has long used push-to-talk radios among its 250 employees and several hundred contract workers—including field personnel operating cranes moving 40-ton containers on and off ships and personnel on the ground coordinating the container movement.

Increasingly, Maher needed to enable communications between workers in the field and in offices where radio reception was spotty. By deploying the new Cisco IPICS, Maher has enabled instant communications between field and office personnel on IP phones (and PC-based softphones), and with others on 700 Sprint Nextel Push-to-Talk cell phones. According to Steve Rummel, vice president of data systems at Maher, “Integrating the Sprint-Nextel phones leveraged an already substantial investment in the phones.” Beyond cost savings, IPICS provides immediate flexibility that the previous communications system lacked. For example, Maher can now easily patch together channels to create talk groups among any assortment of devices as required by a project—such as an incoming ship—for instant communications among that group. In the future, Rummel hopes to link key employees with US Customs and the Department of Homeland Security under a single push-to-talk system.

[Figure: CISCO IPICS NETWORK ARCHITECTURE. Elements shown: Cisco LMR Gateway Routers carrying Channels A-F and Channels 1-9; Secure Multicast QoS Enabled Network; Analog Phones; PSTN; GSM; Cisco IP Phones; VoIP; Cisco IPICS Server with IPICS Server Software; Base Station; Secure Cisco IPICS PMC Client with Multiple Software Skin Options.]

COMMUNICATIONS EVERYWHERE Cisco IPICS enables communications interoperability between radio and cell phone push-to-talk networks with a converged IP network.

A second option is to use gateways to provide limited interoperability between two otherwise incompatible systems. But these devices should be considered a tactical, interim solution, says Dean Zanone, customer solutions manager in the Safety and Security Systems Business Unit at Cisco. This approach does not scale well as the number of radio devices increases. Management is especially difficult with large, incompatible radio systems. Thus, radio gateways are best used in a locally focused, limited role to ease interoperability issues in the short term.

Most significantly, analog-to-analog gateways do not take advantage of the latest technologies that greatly enhance communications. For example, these gateways do not provide a means to dynamically respond and adapt to ad hoc events and emergencies. And they can’t tap into a converged voice, video, and data IP network where rich communications extend everywhere. Ultimately, an IP-based network solution such as Cisco IPICS will render these gateway devices obsolete, says Zanone.

Radio Interoperability Using IP

An IP network-based interoperability solution for push-to-talk, LMR, and hoot-and-holler systems is preferred over the aforementioned alternatives because it connects communications paths together so that people can talk using their existing systems and devices. (Hoot-and-holler systems are hard-wired radio networks widely used in the financial industry for instant communications among stock brokers and analysts; these systems can be very costly, however, as they use separate leased line circuits to connect remote offices. With IPICS, they become part of the converged network.) In addition, IPICS is flexible and allows for dynamic linking of networks, organizations, and users on a case-by-case or emergency basis, a fundamental requirement for interoperability during a catastrophe.

Zanone offers an example of a critical event within the financial services industry. Financial analysts and brokers continually monitor worldwide events to gauge their impact on futures markets such as oil, grain, or other commodities. If a natural disaster, such as a hurricane, develops and threatens oil platforms in a region, this information or “situational awareness” about the storm must be relayed to many people within a brokerage firm so they can reach consensus on how best to advise their clients. With Cisco IPICS, the brokerage firm can quickly bring together onto a conference call a broad group of people on different systems, including push-to-talk radios, hoot-and-holler, PSTN, cell phones, and brokers on laptops.

Real-Time Operations Management

The power and flexibility of an IP-based network approach is demonstrated by the Cisco IPICS solution that integrates an incident management application—which virtualizes resources such as users, user groups, or radio channels—across multiple networks and operational domains for dispatch or incident command (see sidebar, “IPICS in Action: Incident Management”). This IPICS solution provides dynamic orchestration of various resources for the event, and allows for graceful escalation and de-escalation as the situation unfolds or policies, roles, or responsibilities change, says Zanone. Companies and public safety departments can bring in resources on an as-needed basis and easily remove them when the incident is over. What’s more, additional data such as Geographic Information Systems (GIS) and presence and database information (e.g., the location of stairwells in an individual high-rise building or surveillance camera images) can be incorporated and conveyed contextually to anyone who needs it in real time. All of these capabilities make for more efficient, collaborative incident management control.

◆ ◆ ◆

While providing an immediate tactical solution to voice interoperability, an IP-based network solution such as Cisco IPICS builds on the most widely deployed, scalable technology that will be driving innovative communications solutions in the future. Radio systems will become another application, like voice, video and data, on the IP network—and will take advantage of application convergence to achieve new, powerful capabilities.

FURTHER READING

■ Cisco IPICS

cisco.com/go/ipics

■ Cisco IPICS Deployment Options

cisco.com/packet/181_6d1

IPICS in Action: Incident Management

Imagine this: A fire breaks out in a high-rise building, and the fire chief needs to be updated quickly on what has transpired as he heads to the location. Using Cisco IPICS and the incident management application, the incident commander at the scene (one of the first-responder firefighters) can communicate with dispatch to orchestrate real-time communication among not just the fire chief but everyone involved in squelching the fire as fast as possible. The application’s intuitive, drag-and-drop functions allow dispatchers to set virtual talk group (VTG) templates, activate VTGs to begin conferences, add or remove participants in VTG templates and active VTGs, and monitor active VTGs and events—all based on users’ roles and policies and privileges assigned by an IPICS operator. The Cisco IPICS PMC client helps end users participate, through an IP network, in one or more VTGs simultaneously.

Meanwhile, the fire chief receives a page from the incident management application that contains a URL address. On screen, the chief is taken to a rich conferencing environment. Instantly, he can begin talking directly with the incident commander on location, firefighters en route on their push-to-talk radios, and other officials on their cellular phones. He also can bring up a display of the building’s assets—location of stairwells, exits, etc. (IPICS will integrate GIS technology and perform database lookups to match addresses to building information). Using presence technology and GIS, the chief can also see the location of the fire and the resources in transit.
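The admission rules sketched under “How IPICS Works” (SSL-authenticated PMC login, channel access by user privilege, one multicast group per radio channel) and in the incident management sidebar (dispatcher-controlled virtual talk groups that patch several channels into one conference) can be modelled in a few lines. The following is an added illustrative example written for this reprint, not Cisco IPICS code or its API: every channel name, multicast group, user, role and privilege in it is constructed, and the rule that a user needs privilege on every channel patched into a VTG is this model's own reading of the text, not a documented IPICS behaviour.

```python
"""Toy model of privilege-based admission to IPICS-style talk groups.

Added illustrative example for this reprint; not Cisco IPICS code or its API.
All channels, multicast groups, users, roles and privileges are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Channel:
    """A radio channel as the LMR gateway exposes it: one IP multicast group."""
    name: str
    multicast_group: str

    def __post_init__(self):
        # A channel must map to a multicast group, never to a unicast host.
        if not ipaddress.IPv4Address(self.multicast_group).is_multicast:
            raise ValueError(f"{self.name}: {self.multicast_group} is not multicast")


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool            # outcome of the SSL-protected PMC login
    channel_privileges: frozenset  # channel names this user may join
    roles: frozenset = frozenset() # e.g. {"dispatcher"} for VTG control


@dataclass
class VirtualTalkGroup:
    """A VTG patches several channels into one conference."""
    name: str
    channels: tuple
    active: bool = False
    participants: set = field(default_factory=set)


def _is_dispatcher(user: User) -> bool:
    return user.authenticated and "dispatcher" in user.roles


def create_vtg(operator: User, name: str, channels) -> VirtualTalkGroup:
    """Only an authenticated dispatcher may patch channels into a VTG."""
    if not _is_dispatcher(operator):
        raise PermissionError(f"{operator.name} may not create VTGs")
    return VirtualTalkGroup(name=name, channels=tuple(channels))


def activate_vtg(operator: User, vtg: VirtualTalkGroup) -> None:
    if not _is_dispatcher(operator):
        raise PermissionError(f"{operator.name} may not activate VTGs")
    vtg.active = True


def admit(user: User, vtg: VirtualTalkGroup):
    """Admit a PMC user to a VTG; returns (admitted, reason).

    A VTG mixes the audio of every channel patched into it, so the user must
    hold privilege on all of them: privilege on one channel would otherwise
    let the user hear the others through the patch.
    """
    if not user.authenticated:
        return False, "login not authenticated"
    if not vtg.active:
        return False, f"VTG {vtg.name} is not active"
    missing = sorted(c.name for c in vtg.channels if c.name not in user.channel_privileges)
    if missing:
        return False, f"no privilege for channel(s): {', '.join(missing)}"
    vtg.participants.add(user.name)
    return True, f"admitted to {vtg.name} ({len(vtg.channels)} channels)"


def multicast_groups(vtg: VirtualTalkGroup):
    """Multicast groups a PMC client joins to hear the whole VTG."""
    return sorted(c.multicast_group for c in vtg.channels)


# Constructed sample deployment (addresses and users are made up).
FIRE_TAC = Channel("fire-tac-1", "239.192.10.1")
POLICE_DISPATCH = Channel("police-dispatch", "239.192.10.2")
DISPATCHER = User("dispatch-op", True, frozenset({"fire-tac-1", "police-dispatch"}),
                  frozenset({"dispatcher"}))
FIREFIGHTER = User("engine-7", True, frozenset({"fire-tac-1"}))
CHIEF = User("fire-chief", True, frozenset({"fire-tac-1", "police-dispatch"}))
STRANGER = User("unknown-laptop", False, frozenset({"fire-tac-1", "police-dispatch"}))


def demo():
    """Walk through the high-rise scenario; returns the admission outcomes."""
    vtg = create_vtg(DISPATCHER, "highrise-incident", [FIRE_TAC, POLICE_DISPATCH])
    early = admit(CHIEF, vtg)                  # refused: VTG not yet activated
    activate_vtg(DISPATCHER, vtg)
    return {
        "before_activation": early,
        "chief": admit(CHIEF, vtg),            # admitted: holds both privileges
        "firefighter": admit(FIREFIGHTER, vtg),  # refused: lacks police-dispatch
        "stranger": admit(STRANGER, vtg),      # refused: never authenticated
        "groups": multicast_groups(vtg),
        "participants": sorted(vtg.participants),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check worth noticing is the one in admit(): once dispatch patches channels together, the effective audience of each channel becomes the union of the group, so an authorization decision made per channel no longer matches what the user actually hears. Any real deployment also needs the multicast scope itself constrained (the figure above labels the transport “Secure Multicast QoS Enabled Network”), since the PMC client joining the right group is only half of keeping radio traffic inside its intended audience.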


Minding the Store

Optimizing Your SAN for Business Continuance By Tom Nosella

A shift is taking place in the way businesses deploy storage networks. The reason is that these networks have come to play a significant role in helping organizations to ensure business continuance during system failures and site outages. Where data backup was once confined to a few servers, tape drives, and switches—easily controlled and secured in a single data center—the spate of recent natural disasters and other emergencies has caused most businesses to rethink this design.

To better protect themselves, more organizations are backing up data in two or more locations and using TCP/IP protocols for fast, versatile access from distributed sites. The now common use of IP-based storage technologies such as Internet Small Computer System Interface (iSCSI) and Fibre Channel over IP (FCIP) allows users to be automatically redirected to backup resources in geographically diverse locations, in the event that data should become inaccessible in a primary site. This strategy is a boon to data availability; however, it brings with it some new considerations for the backup network.

These issues involve ensuring the performance of storage data across long-haul links, as well as the security of that data in transit and the scalability of the storage-area network (SAN) footprint. In short, IT managers are beginning to face many of the same issues with their storage networks that have confronted them in their data networks. As with data networks, increasing volumes of storage data are traversing the WAN, which introduces distance-driven delay and new security exposures into the design equation.

IT professionals should consider the following issues as they build SANs that now might reside many thousands of miles away from the sites attempting to gain access to them:

■ Are there ways to offset distance-induced delay to accelerate SAN performance?


■ How can storage data, now leaving the data center and transiting common data networks, be secured against eavesdropping, alteration, or theft?

■ How can strong authentication and authorization of users, devices, and IT management personnel be ensured?

■ Is there a way to partition access to SAN resources, much in the way that Ethernet virtual LANs (VLANs) partition access to live servers, using logical user groups, for scalability, fault isolation, and security?

■ How do organizations manage a heterogeneous SAN environment?

A combination of industry standards and interfaces, along with features in vendor equipment, helps IT managers ensure performance acceleration, security, and management in the SAN for improving business continuance.

Accelerating the SAN

Acceleration in the SAN is conceptually similar to application performance acceleration in data networks. Instead of proxying application protocols for local acknowledgement, however, it is SAN control protocols that are locally acknowledged to reduce the number of round trips and associated time it takes to move blocks of data from point A to point B. For example, the SCSI protocol requires two roundtrips of acknowledgements for every write issued. When local devices request data from a distant SAN, those devices can be acknowledged locally to reduce WAN-induced latency.

There are two types of acceleration, or local acknowledgements, prominently in use: write acceleration and tape acceleration. Their use depends on which type of storage media is to be accessed. Both are supported in the Cisco MDS 9000 Family of multiprotocol storage switches. These devices simultaneously support Fibre Channel, FCIP, iSCSI, and mainframe Fibre Connection (FICON) connections. They switch Fibre Channel data among like ports and also encapsulate Fibre Channel data in IP and send it out an Ethernet interface for IP transit.

Both types of acceleration boost performance.

Write Acceleration. This acknowledgement enhancement used for disk-to-disk and host-to-disk transmissions reduces SCSI’s two roundtrips to one, thereby doubling performance. In this case, an acknowledgement of the receipt of intact data is sent after the second roundtrip of the handshaking process.

Tape Acceleration. This acknowledgement enhancement builds on write acceleration, described above, to accelerate moving storage data from a media server to a tape drive. Performance is first enhanced by local acknowledgements that reduce the roundtrip WAN acknowledgements by half. A configurable file mark mechanism in tape systems, however, also allows the IT administrator to set the long-distance acknowledgement mechanism to take place after a desired number of data blocks rather than after every single one to reduce the number of required acknowledgements even further. Data is buffered between acknowledgements. Because tape media performance is notoriously sluggish, reducing the acknowledgements required to every X number of data blocks buys significant performance benefits. For example, in some Cisco customer tests, a 100-millisecond acknowledgement has had just a 15 percent impact on performance.

Compression

As in data networks, compression can also be used to increase the effective WAN bandwidth, avoid congestion, and improve performance. Cisco storage switches support different data compression algorithms, selectable depending on configuration, that allow compression ratios as high as 30:1, depending on data compressibility of the data block. Typical ratios for common database traffic are 2:1 to 3:1.
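To make the round-trip arithmetic behind write acceleration, tape acceleration and compression concrete, here is an added Python model written for this reprint; it is not Cisco MDS 9000 code and does not reproduce the customer tests quoted above. It counts only the WAN round trips each mode needs plus the time to serialize the (optionally compressed) data onto the link, and the block size, block count, link speed, round-trip time and file mark interval it uses are constructed inputs.

```python
"""Simplified timing model for SCSI writes over a WAN with local acknowledgement.

Added illustrative example for this reprint, not Cisco MDS code. It models only
the round-trip and serialization costs described in the text; all inputs are
constructed.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class WanLink:
    bandwidth_bps: float            # usable WAN bandwidth, bits per second
    rtt_s: float                    # WAN round-trip time, seconds
    compression_ratio: float = 1.0  # 2.0 means 2:1; 1.0 means no compression


def wan_round_trips(n_blocks: int, mode: str, filemark_interval: int = 1) -> int:
    """WAN round trips needed to commit n_blocks of SCSI writes.

    baseline: two WAN round trips per write, as the text describes for plain SCSI.
    write:    write acceleration acknowledges the first exchange locally,
              leaving one WAN round trip per write.
    tape:     tape acceleration also acknowledges writes locally and waits for
              the remote acknowledgement only at each file mark, i.e. once
              every filemark_interval blocks; data is buffered in between.
    """
    if n_blocks < 0:
        raise ValueError("n_blocks must be non-negative")
    if mode == "baseline":
        return 2 * n_blocks
    if mode == "write":
        return n_blocks
    if mode == "tape":
        if filemark_interval < 1:
            raise ValueError("filemark_interval must be >= 1")
        return math.ceil(n_blocks / filemark_interval)
    raise ValueError(f"unknown mode {mode!r}")


def transfer_time_s(n_blocks: int, block_bytes: int, link: WanLink,
                    mode: str, filemark_interval: int = 1) -> float:
    """Total time = serialization of the compressed data + WAN round-trip waits."""
    serialization = n_blocks * block_bytes * 8 / (link.bandwidth_bps * link.compression_ratio)
    return serialization + wan_round_trips(n_blocks, mode, filemark_interval) * link.rtt_s


def latency_overhead_pct(n_blocks: int, block_bytes: int, link: WanLink,
                         mode: str, filemark_interval: int = 1) -> float:
    """Share of the total time spent waiting on WAN acknowledgements, in percent."""
    total = transfer_time_s(n_blocks, block_bytes, link, mode, filemark_interval)
    waits = wan_round_trips(n_blocks, mode, filemark_interval) * link.rtt_s
    return 100.0 * waits / total if total else 0.0


def compare(n_blocks: int = 1000, block_bytes: int = 64 * 1024,
            link: WanLink = WanLink(100e6, 0.100), filemark_interval: int = 64):
    """Constructed scenario: 1000 x 64 KiB blocks over 100 Mbit/s with 100 ms RTT."""
    base = transfer_time_s(n_blocks, block_bytes, link, "baseline")
    write = transfer_time_s(n_blocks, block_bytes, link, "write")
    tape = transfer_time_s(n_blocks, block_bytes, link, "tape", filemark_interval)
    return {
        "baseline_s": base,
        "write_accel_s": write,
        "tape_accel_s": tape,
        "write_speedup": base / write,   # just under 2x: serialization does not shrink
        "tape_speedup": base / tape,
        "tape_overhead_pct": latency_overhead_pct(
            n_blocks, block_bytes, link, "tape", filemark_interval),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>18}: {value:.3f}")
```

Running compare() shows why the text says write acceleration “doubles” performance only approximately: halving the round trips halves the waiting, but the bytes still have to be serialized, so the model gives about 1.95x here. Raising the file mark interval is what collapses the acknowledgement wait from the dominant term to a fraction of the total, and a practitioner can plug in a measured RTT and intended interval to estimate that fraction before sizing the buffers that hold data between acknowledgements. Real SCSI and FCIP exchanges carry command, transfer-ready and status frames that this model ignores, and compression is applied as a flat ratio, so treat the numbers as a planning estimate, not a prediction.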

Storage Security and Management Lexicon

FC-FS-2: Fibre Channel Framing and Signaling 2. Specification defined by the T11 Technical Committee of the InterNational Committee for Information Technology Standards (INCITS) for the frame format and signaling used to carry SCSI command, data, and status information between a SCSI initiator and a SCSI target.

FC-GS-3: Fibre Channel Generic Services 3. In-band management standard defined by the INCITS T11 Technical Committee for transferring status and configuration information, including VSAN information, among Fibre Channel devices.

FC-SP: Fibre Channel Security Protocols. Draft standard by the INCITS T11 Technical Committee for securing Fibre Channel storage data in transit using data encryption, cryptographically secure key exchange, and device authentication. FC-SP is supported by a variety of SAN switch vendors and by all major host bus adapter vendors. Targeted for approval in March 2006.

SMI-S: Storage Management Initiative Specification. A standard developed by the Storage Networking Industry Association (SNIA) intended to facilitate the management of storage devices from multiple vendors in SANs, allowing a single management application to handle tasks that would otherwise require multiple applications.

TOM NOSELLA, CCIE No. 1395, is Director of Engineering in Cisco's Data Center, Switching, and Security Technology Group. He can be reached at [email protected].

Reprinted with permission from Packet® magazine (Volume 18, No. 1), copyright © 2006 by Cisco Systems, Inc. All rights reserved.

Securing Storage Data

Typical network security concerns are now beginning to apply to SANs. SANs have generally been small and localized within a single data center. Now, however, long-haul networks involving several service provider infrastructures might be used to move critical storage data that may never before have left a data center except on a piece of physical media in a truck.

The result of this shift in the treatment of storage data is the need to apply the security features prevalent in IP network elements to the Fibre Channel environment. This involves protecting data in transit, securing against unauthorized user and device access, and guarding against malicious management misconfiguration. In a network of storage switches such as the Cisco MDS 9000, also called a storage fabric, this means encryption, authentication, and securing the SAN management infrastructure.

Encryption. Data encryption is important for preventing intruders from viewing or modifying confidential information. Cisco storage switches use the IPSec protocol to help ensure confidentiality and data integrity of storage data in transit. Cisco MDS 9000 multiprotocol SAN switches, for example, include integrated hardware-based IPSec encryption/decryption supporting Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES (3DES) algorithms for iSCSI and FCIP storage traffic. Two caveats apply: IPSec protects only the IP-transported legs (iSCSI and FCIP), not native Fibre Channel links; and single DES, with its 56-bit key, is no longer considered adequate and should be avoided wherever the peer supports AES.

Authentication and Authorization. These functions are now necessary to avoid accidental corruption and malicious attacks on SAN data. They allow only authorized users and devices to connect to stored data. Switch-to-switch authentication, and authentication of other switches connecting to a Cisco storage fabric, use the cryptographically secure key exchange and device authentication components of the draft Fibre Channel Security Protocols (FC-SP) standard of the American National Standards Institute's InterNational Committee for Information Technology Standards (INCITS) T11 Technical Committee (see sidebar, "Storage Security and Management Lexicon"). Organizations can authenticate users and devices locally in the storage switch, reducing latency, or remotely through centralized authentication, authorization, and accounting (AAA) servers. Local accounts are best kept to a small break-glass set, since central AAA provides the audit trail that local authentication lacks.

Secured Management Infrastructure. The data center management functions of network and storage devices must also be secured to thwart unauthorized access. A malicious user with access to the console of a networked storage device can easily alter its configuration. As with other Cisco network elements, Cisco MDS 9000 switches provide secured management functions, including Secure Sockets Layer (SSL) and Secure Shell Protocol version 2 (SSHv2), which secure remote access using authentication and encryption. SSHv2 can be used in conjunction with back-end user authentication protocols such as TACACS+ and RADIUS that may already be in place in the organization. In this case, the storage switch acts as a client to the back-end AAA servers running these protocols. The cleartext alternatives (Telnet, unencrypted HTTP) should be disabled at the same time, so that they cannot be used to bypass the protected path.

Finally, Simple Network Management Protocol version 3 (SNMPv3) support adds user authentication, message integrity and, with its privacy option, encryption to access to SNMP management information bases (MIBs), replacing the cleartext community strings of SNMPv1 and SNMPv2c.
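The management-plane controls described above, gathered into one added configuration example. This is not from the article or from Cisco's documentation; it uses SAN-OS/NX-OS style syntax for an MDS 9000 switch, the server address, group name, user name and key placeholders are assumptions, and exact keywords should be checked against the command reference for the release in use. The first stanza shows what to take out, the rest what to put in its place.

```cisco
! --- Weak state to remove: cleartext management and a default community ---
! Telnet carries credentials in the clear; SNMPv1/v2c community strings
! are cleartext secrets that also grant access without a named user.
no telnet server enable
no snmp-server community public
!
! --- SSHv2 only for CLI access (generate the host key before enabling) ---
ssh key rsa 2048
ssh server enable
!
! --- Back-end AAA: the switch is a TACACS+ client; local is the fallback ---
! 10.10.1.5 and the shared secret are placeholders.
tacacs+ enable
tacacs-server host 10.10.1.5 key 0 <shared-secret>
aaa group server tacacs+ SAN-TACACS
  server 10.10.1.5
! "default" covers SSH logins; the console line is set explicitly so that
! physical access does not silently fall back to local passwords only.
aaa authentication login default group SAN-TACACS
aaa authentication login console group SAN-TACACS
! Command accounting answers "who changed what, and when" after an incident.
aaa accounting default group SAN-TACACS
!
! --- SNMPv3 with authentication and privacy, bound to a read-only role ---
snmp-server user netops network-operator auth sha <auth-pw> priv aes-128 <priv-pw>
!
! --- Verification ---
show ssh server
show tacacs-server
show aaa authentication
show snmp user
```

When the TACACS+ servers are unreachable the switch falls back to its local database, so the local admin password must be managed as a break-glass credential. The SNMPv3 user is given the network-operator role deliberately: monitoring tools rarely need write access, and a compromised polling station then cannot rezone the fabric.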

VSANs for Scale and Fault Isolation

A well-planned virtual SAN (VSAN) architecture reduces the total number of SANs (or fabrics) deployed, while enabling businesses to separate their backup, recovery, and remote data mirroring domains from application-specific SANs.

Cisco technology was chosen by the INCITS T11 Technical Committee last year as a standard for VSANs. VSANs allow network administrators to segment a single physical SAN fabric into many logical, completely independent SANs. As with VLANs in an Ethernet data network, this approach enables the creation of separate SAN domains without having to build out multiple separate and costly physical infrastructures. As with VLANs, too, the separation is enforced by switch configuration rather than by physical topology, so it shrinks fault and access domains but is not equivalent to an air gap where one is required.

FURTHER READING
■ Cisco MDS 9000 Family Fabric Management Solutions Guide: cisco.com/packet/181_6c1
■ Storage Networking Industry Association: snia.org/home

[Figure: WAN-INDUCED BUSINESS CONTINUANCE CHALLENGES. A primary data center (in outage) and a backup data center, each with a SAN behind a Cisco MDS 9000 Series switch, are connected across a WAN/MAN; a branch office user requests backup data. Callouts: distance-induced latency; security exposure.]

IN THE CLEAR: Considerable distances between data center SANs, and between branch offices and SANs, drive the need for SAN performance acceleration using local SAN protocol acknowledgements. Traditional security mechanisms should also be added to SAN data carried over the WAN.

Continued on page 50


ENTERPRISE SOLUTIONS

Primary Wireless
At Intel's Jones Farm campus, employees will use a wireless LAN as the primary access method for data, voice, and video.

By Rhonda Raider

WIDESPREAD ADOPTION: This year 75 percent of the employees at Intel's Jones Farm campus will be using wireless on the job as their primary means of connectivity.

When Intel employees walk through the doors of the Jones Farm campus, near Portland, Oregon, their laptops, which use Intel Centrino mobile technology, automatically detect the best available RF signal and log onto the wireless network. Employees open their laptops and are immediately connected.

With nearly 6,000 employees, the Intel Jones Farm campus is among the first in the world to adopt wireless as its primary access method, addressing along the way performance, system management (RF coverage), security (RF interference and rogue detection), client roaming, and quality of service (QoS) for voice over wireless. The Intel IT group accomplished this using some of the features that will soon be available in the Cisco Business Class Wireless Suite, which combines the Cisco Unified Wireless Network with notebooks based on Intel Centrino mobile technology. The company expects that when deployment is complete later this year, 75 percent of campus residents will use wireless exclusively as their primary access.

The Ascent of Wireless

In the three years since Intel deployed its first WLAN, usage has skyrocketed, from 1,500 mostly US users in 2002 to 55,000 global users in 200 locations at the end of 2005. "When we first introduced wireless networking, employees relied primarily on the wired LAN, using the wireless LAN only for secondary access such as connectivity in conference rooms," says Sylvia Stump, Intel's IT wireless program manager. But Intel's IT surveys revealed that nearly all Intel employees using laptops actually preferred wireless LAN connectivity. "Our employees enjoy the freedom of working anywhere—conference rooms, common areas, cafeterias—just as productively as if they were at their desks," Stump says.

The idea of using wireless for primary access arose when the Intel IT wireless team began investigating ways to increase employee productivity and reduce network costs. In 2004, Intel IT was managing three separate networks (LAN, WLAN, and telephony), which essentially tripled operational costs. And as the number of wireless access points surpassed 5,000, the WLAN management burden was becoming overwhelming. "With our original wireless architecture, we managed each access point individually," Stump explains. "As the WLAN continued to grow in size and complexity, we realized we would need centralized management and more automation to prevent a dramatic rise in operational costs and staffing requirements."

Intel IT decided to build a next-generation network that would both continue to increase wireless network access and simplify network management. "By integrating the LAN, WLAN, and telephony networks, we could put together a more robust, stable, and efficient architecture that delivers voice, video, and data," says Yossi Bar-El, a wireless LAN engineering manager for Intel. Using wireless as the primary access method will reduce capital expenses for cabling while satisfying employees' preference for mobility.

Jones Farm, where the Intel Centrino Group is headquartered, became the model for primary wireless LAN because the majority of employees are highly mobile and run business applications that are well suited to wireless access.

Cisco Unified Wireless Network

Intel is developing a primary wireless solution with the Cisco Unified Wireless Network. The strategy is to build a unified wired and wireless solution to cost-effectively provide bandwidth for voice, video, and data, as well as the QoS needed to ensure call clarity. Intel's Cisco Unified Wireless Network architecture comprises Cisco Aironet 1240 AG Series lightweight access points, Cisco Wireless LAN Controllers, and the Cisco Wireless Control System (WCS) for simplified monitoring and management. The Cisco Aironet access points communicate with the Cisco Wireless LAN Controllers using Lightweight Access Point Protocol (LWAPP; see sidebar, "LWAPP: Enabler for Centralized Intelligence in Wireless Networks"). The underlying network is based on Cisco Catalyst 6500 Series switches at the distribution layer, and Cisco Catalyst 3550 and 4500 series switches at the access layer.

Intel Centrino mobile technology enables laptops to automatically detect and connect to the network with the best bandwidth available, for example IEEE 802.11g at home and 802.11a at work. "The client performs all the engineering work needed to associate with the network, so the user doesn't need to do anything but log into their notebook," says Bar-El.

Intel is currently midway through a three-phase deployment for primary wireless access:

■ Phase 1: Implement the wireless architecture in one building, measuring wired and primary wireless networks to ensure comparable performance within a control group of 200 employees. Intel completed this phase in mid-2005, and is currently analyzing the results.
■ Phase 2: Extend primary wireless data access to the entire campus. Completion is planned for mid-2006.
■ Phase 3: Add voice over wireless capabilities with IP telephony softphones, Wi-Fi phones, and dual-mode (Wi-Fi/cellular) devices. Completion is planned for the end of 2006.

Planning Bandwidth Capacity

Intel selected the 802.11a architecture because it provides the most bandwidth in actual practice. "802.11a and 802.11g both provide theoretical bandwidth of 54 Mbit/s, but 802.11a provides higher actual bandwidth because it has 12 channels compared to three for 802.11g," says Bar-El. At Intel, for example, 802.11a provides 24 Mbit/s to 54 Mbit/s per user, depending on the user's distance from the access point. Each access point contains both types of radios, and the 802.11b/g radios provide redundancy and enable connectivity with older laptops that lack 802.11a support.

To plan capacity, Intel is currently fine-tuning its estimates of how much bandwidth individual users need for voice, video, and data. "We're looking for the best balance between access point density and costs: the shorter the distance between a user and an access point, the greater the available bandwidth," says Bar-El.

Centralized Management

Historically, Intel IT has manually configured, installed, and managed its thousands of access points. "But manual configuration introduces the risk of error because technicians might interpret our design standards differently," says Stump, who adds that she could detect a difference in WLAN performance when she worked at different Intel sites.

The Cisco Unified Wireless Network ensures consistency through centralized management. The majority of network intelligence now resides in the wireless LAN controllers. The Cisco Aironet 1240 AG lightweight access points provide RF services that support dynamic RF monitoring, IDS detection, and location tracking. The Cisco WCS sets up configuration templates for all wireless LAN controllers, eliminating the human error that can occur when technicians manually enter settings. Newly installed access points have their RF channel and transmit power settings automatically configured by the wireless LAN controllers based on the Cisco WCS configuration templates. The system monitors coverage and adjusts configuration as needed to help ensure consistent coverage and performance. And if one access point becomes unavailable, the WLAN self-heals: neighboring access points are configured to compensate for the unavailable access point and then resume their normal configuration when the faulty access point is back online.

"From support and engineering perspectives, the Cisco Unified Wireless Network is very manageable and easy to support," says Stump. "Instead of dedicating an access point to monitoring, as we used to do, we have one system that manages and inventories all solution components: how they're doing, what they're doing, the levels of roaming, and types of users connecting."

Security

The principal security concern for the Intel Jones Farm campus is RF interference and the resulting loss of employee network access, according to Bar-El. The redundant 802.11a/g radios and the Cisco Aironet 1240 AG access points, which dynamically select RF channels and transmit power, help to ensure business continuity. If RF interference occurs in the 802.11a network, employees' laptops automatically reconnect on a different channel or to the 802.11b/g network.

Talk About It

Want to share your expertise on wireless LANs with your peers? Get answers to your questions from Cisco experts? Join the Networking Professionals Connection discussion at cisco.com/discuss/wlangeneral.

Another of Intel IT's tactics for combating denial-of-service attacks is to use LWAPP to identify the attack source.

Intel's current secondary-access WLAN uses VPN technology to encrypt and protect data in transit. However, VPNs also add an extra layer of infrastructure to manage, another point of failure, and the potential for bottlenecks. Today, Intel has eliminated the need for VPNs at the Jones Farm campus by using Wi-Fi Protected Access 2 (WPA2) with the Advanced Encryption Standard (AES), part of the 802.11i encryption capabilities in the Cisco Unified Wireless Network. The scope differs, however: WPA2 protects the air link between the client and the access point or controller, whereas the VPN protected traffic end to end, so anything that must stay confidential once it is back on the wired network still needs its own application-layer or IPSec protection.

And to authenticate users as part of network admission control, Intel takes advantage of the 802.1X authentication in the Cisco Unified Wireless Network to communicate with a centralized RADIUS server such as the Cisco Secure Access Control Server (ACS).

Quality of Service

"QoS has become essential now that the WLAN is used for primary access, because wireless bandwidth is limited," says Bar-El. "And when we begin providing voice over wireless, QoS is indispensable because time-sensitive voice traffic needs to receive priority over data traffic."

To provide QoS from the desktop client to the access point, Intel uses Wi-Fi Multimedia (WMM), a subset of the 802.11e QoS standard defined by the Wi-Fi Alliance. WMM is built into the Cisco Unified Wireless Network. Intel Centrino mobile technology incorporates Cisco Compatible Extensions that take full advantage of these QoS capabilities: packets are marked with Differentiated Services Code Point (DSCP) values based on transport-layer classification, and those markings are translated into the corresponding wireless (WMM) priorities used across the Cisco Unified Wireless Network architecture. The extensions also make use of its roaming and security features.

Roaming Between Network Segments and Buildings

Roaming capability ensures that an employee's voice or data connection is not interrupted when the employee crosses subnet boundaries, as happens when he or she walks across campus while talking on a wireless Cisco IP Phone 7920, for example.

Intel IT enabled roaming via the WLAN controllers' use of LWAPP. LWAPP enables the client to maintain its IP address as it crosses subnet boundaries within a single RF domain. The client is not aware that it is changing subnets. Instead, the back-end controllers manage the traffic among themselves, ensuring that traffic reaches its destination no matter where the client has moved within the network.

LWAPP: Enabler for Centralized Intelligence in Wireless Networks

LWAPP is a draft IETF standard. Authored initially by Airespace (acquired by Cisco in March 2005) and NTT DoCoMo, LWAPP standardizes the communications protocol between access points and WLAN systems such as controllers, switches, and routers. Its goals are to:

■ Reduce the amount of processing within access points, freeing their computing resources to focus exclusively on wireless access instead of filtering and policy enforcement
■ Enable centralized traffic handling, authentication, encryption, and policy enforcement for an entire WLAN system
■ Provide a generic encapsulation and transport mechanism for multivendor access point interoperability, using either a Layer 2 infrastructure or an IP routed network

The LWAPP specification accomplishes these goals by defining:

■ Access point device discovery, information exchange, and configuration
■ Access point certification and software control
■ Packet encapsulation, fragmentation, and formatting
■ Communications control and management between access points and wireless controllers

Continued on page 73

FURTHER READING
■ Cisco and Intel Alliance: ciscointelalliance.com
■ Cisco and Intel Wireless and Mobility solutions: cisco.com/packet/181_7a1
■ Cisco Unified Wireless Network: cisco.com/packet/181_7a2
■ Lightweight Access Point Protocol white paper: cisco.com/packet/181_7a3

ENTERPRISE SOLUTIONS

DMVPN Deployment
Large British broadcaster moves from a mixed-media architecture to MPLS with the help of mGRE technology.

By Robert Thompson, Andy Murkin, and Tim Taverner

ITV plc, Britain's largest commercial broadcaster, needed to replace its 140 Mbit/s switched, video-only network. ITV needed a network with flexibility at the cornerstone: a design that could react to and evolve with the changing needs of ITV's broadcast lifecycle. In particular, the design needed to accommodate ITV's plan to migrate, over time, many of its video-centric operations into a data-centric configuration by exploiting the emerging standards for file-based video encapsulation, such as MXF (Material eXchange Format).

With the maturation of MXF and similar standards, coupled with IP class of service extensions, it was reasonable to assume that converged connectivity needs would be delivered over an IP-based topology. This new topology, which ITV calls its Video Contribution Network, entailed building a Multiprotocol Label Switching (MPLS) network to deliver studio-to-studio video connections and transmission feeds from multiple regional studios to central transmission sites in London and Leeds in the UK.

So, how did ITV do it?

Why Dynamic Multipoint GRE Tunnels

ITV initially had a multitude of complex networks joined together to form a resilient, redundant data network. With ATM, Frame Relay, and point-to-point leased lines, the routing and redistribution between different protocols was a major hurdle ITV needed to clear in migrating to MPLS.

[Figure: TYPICAL ITV DUAL DMVPN DEPLOYMENT. Cisco 2851 ISR customer-edge (CE) routers at each site attach to provider-edge (PE) routers of the MPLS core. There are two hubs: the primary hub (also the secondary spoke) and the secondary hub (also the primary spoke), each holding the full EIGRP table and hosting the primary and secondary multicast RPs respectively. Dual-spoke sites also hold the full EIGRP table. Static tunnels run from each spoke to the primary hub and to the secondary hub; spoke-to-spoke tunnels are built dynamically. The deployment extends to an additional 25 spoke sites and is more commonly known as a dual hub, dual DMVPN solution.]

DESIGN FOR TV OF THE FUTURE: ITV's Video Contribution Network is based on core and access trunks with capacities from 45 Mbit/s to n x 155 Mbit/s. Serial Digital Interface (SDI) video at 270 Mbit/s is encoded using MPEG-2. The resulting DVB-ASI transport streams are converted to IP and carried across the MPLS network. The MPLS cloud allows every node to communicate with every other node in either a point-to-point or point-to-multipoint configuration. The bandwidth on the MPLS cloud is managed by a web-based scheduling system available to ITV users.

To implement MPLS with little or no impact on availability, ITV introduced networks individually on a site-by-site basis, which also required the introduction of MPLS customer edge (CE) routers. In introducing the CE routers, ITV faced a huge routing challenge: how to handle redistribution and the possible introduction of Border Gateway Protocol (BGP) or Open Shortest Path First (OSPF) on the ITV core network. Redistributing different protocols into each other (mutual redistribution) was not an option in the network because of the many redundant and backdoor links to each point of presence (POP) and local office (hundreds of links and redundant paths). Another challenge: the MPLS core network did not contain only Cisco gear and, therefore, ITV's use of Enhanced Interior Gateway Routing Protocol (EIGRP) from provider edge (PE) to CE was not a viable option.

Scalability and cost were the main criteria in selecting not only the CE hardware but the suitable means to interconnect multiple sites. Because ITV's core network was made up of a large number of sites, it was not financially viable to deploy large, high-end CE routers. In addition to being scalable and cost-efficient, ITV needed a network that could:

■ Move data, voice, and video traffic simultaneously; quality of service (QoS) was imperative.
■ Provide an "unwritten service-level agreement (SLA)" to end users, who needed to operate with the same, or better, level of service yielded by their legacy network.
■ Interconnect a large number of sites at all times; a full mesh design was needed.
■ Provide a level of transparency to traffic entering the MPLS core; the CE devices needed to be the policing and shaping point for voice, video, and data traffic prior to core ingress.
■ Ensure that ITV's data network would continue to operate as usual during the migration, and be highly available upon deployment. We needed a phased configuration, with changes and downtime considered at each step of the install to limit downtime to already-migrated sites. Failover and resilience mechanisms, e.g., Next Hop Resolution Protocol (NHRP) tunnel failover and Hot Standby Router Protocol (HSRP), also needed to be factored in.
■ Be as standardized as possible (from a configuration and hardware perspective) to facilitate later adds, moves, and changes.

What's more, ITV needed CE routers with a high level of performance to ensure extremely low latency for voice and data packets and deliver the horsepower to effectively police and shape all the traffic without disabling the CE.

After research and testing, we chose a derivation of Cisco Dynamic Multipoint VPN (DMVPN) tunnel technology, namely multipoint Generic Routing Encapsulation (mGRE) tunnels with QoS, failover (via NHRP), HSRP, and so on. This solution would give us the ability to build the required full mesh between sites while retaining scalability and ease of configuration.

For the testing phase, ITV chose Cisco 2651XM multiservice routers for the CE devices. No additional interfaces were needed, because the PE routers were physically sitting in ITV's data communications rooms. The CE and PE routers were interconnected using a standard Category 6 crossover cable.

In subsequent testing and deployment, the final CE hardware solution, the Cisco 2851 Integrated Services Router, was chosen after the first deployment of the 2651XM CE routers had already taken place (see "The Implementation" section for more on how this developed).

The Test Network

The test network was built in the modern laboratories of BTSkynet. The core MPLS and PE network was designed and built by BTSkynet and integrated into the PE-CE network with Cisco 2651XM multiservice routers. The core was simulated with two Cisco Catalyst 6500 Series switches, running Supervisor Engine 720-3B technology and native IOS with MPLS support. A combination of line cards was used to interconnect to PE devices. The routing protocol used between the core and PE devices was OSPF. Multiprotocol BGP (MBGP) was used between the PE devices.

In October 2004, at the time we were developing and testing ITV's network, DMVPN was a relatively new technology from Cisco. To use this technology, we had to build it and understand it. ITV, BTSkynet, and Cisco worked together to build the test network as a proving ground for CE configurations based on IP Security (IPSec) DMVPN deployments that had been developed for other projects involving voice and data transmission across multipoint VPNs.

ROBERT THOMPSON, CCIE No. 10302, is a consulting engineer at BTSkynet, a Cisco Certified Gold Partner. He has more than 10 years' experience in communications.

ANDY MURKIN is a senior network engineer at ITV plc. He has more than 15 years' experience in communications and originally trialed DMVPN as a possible ITV solution.

TIM TAVERNER is a senior systems engineer with the UK and Ireland Channels Network Integrator team at Cisco. He has more than 18 years of experience in networking and telecommunications.

Continued on page 51


Cisco MDS 9000 devices can create up to 256 isolated VSAN topologies (the hardware supports expansion up to 4096) within the same physical infrastructure. This allows administrators to use simple zoning to restrict access and traffic flow among devices, securing access at the edge. Businesses can segregate even a single storage switch into multiple virtual environments, or domains. They can completely separate different VSANs to help ensure that fabric instability or a device outage is isolated within a single VSAN and does not cause a fabric-wide disruption.
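The segmentation just described, as an added configuration example that is not from the article or from Cisco's documentation: a backup VSAN carved out of one MDS 9000 switch, with zoning restricting which initiators can reach which targets, and the default-zone setting that would silently undo the restriction shown next to the safe form. VSAN number, interfaces and pWWN values are assumptions in SAN-OS style syntax; check keywords against the command reference for the release in use.

```cisco
! --- Create an isolated VSAN for backup traffic and move ports into it ---
! fc1/1 and fc1/2 are assumed media-server ports, fc1/9 the tape library.
vsan database
  vsan 20 name BACKUP
  vsan 20 interface fc1/1
  vsan 20 interface fc1/2
  vsan 20 interface fc1/9
!
! --- Weak setting: with default-zone permit, every device in the VSAN that
!     is not covered by the active zone set can talk to every other one.
!     Shown commented out; never leave it in a production VSAN. ---
! zone default-zone permit vsan 20
!
! --- Safe setting (also the factory default): unzoned devices are denied ---
no zone default-zone permit vsan 20
!
! --- Single-initiator zones: one media server plus only the tape drive it
!     writes to. pWWNs are placeholders; zone by pWWN, not by interface, so
!     the zone follows the HBA if it is recabled to another port. ---
zone name MEDIASRV1_TAPE1 vsan 20
  member pwwn 21:00:00:e0:8b:aa:bb:01
  member pwwn 50:06:0b:00:00:cc:dd:01
zone name MEDIASRV2_TAPE1 vsan 20
  member pwwn 21:00:00:e0:8b:aa:bb:02
  member pwwn 50:06:0b:00:00:cc:dd:01
!
! --- Group the zones into a zone set; only the active set is enforced ---
zoneset name BACKUP_ZS vsan 20
  member MEDIASRV1_TAPE1
  member MEDIASRV2_TAPE1
zoneset activate name BACKUP_ZS vsan 20
!
! --- Verification ---
show vsan membership
show zoneset active vsan 20
show zone status vsan 20
```

Two things to confirm after activation: `show zone status vsan 20` should report the default zone as deny, and `show zoneset active vsan 20` should list exactly the zones intended, since a zone that exists but is not a member of the active set grants nothing. pWWN zoning is a configuration control rather than an authentication one; a device that forges a pWWN is stopped only by the FC-SP device authentication covered earlier in the article.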

Managing Diversity

As storage network environments continue to grow, organizations are deploying storage solutions using equipment from multiple vendors, each of which arrives with its own separate SAN management program. Administrators require a way to manage the heterogeneous storage environment effectively, in a way that ensures maximum performance and cost-effectiveness.

The Cisco Fabric Manager for SANs lets administrators view and manage the heterogeneous fabric as a collection of devices, recreating the entire topology and representing it as a customizable map. Any device in the fabric that supports the INCITS T11 Fibre Channel Generic Services 3 (FC-GS-3) standard for in-band management can be discovered and mapped as part of the topology. A topology window displays the discovered devices for customization and navigation, while an inventory window displays a tree-like structure of both physical and virtual elements. Yet another window displays the tools administrators can use to configure, monitor, and troubleshoot devices.

Cisco Fabric Manager also supports open interfaces with access to raw performance and configuration information within switches that can be used by third-party management applications. Support for the Storage Networking Industry Association's Storage Management Initiative Specification (SMI-S), for example (see sidebar, "Storage Security and Management Lexicon"), enables element management across multiple vendors' SAN management products.

◆ ◆ ◆

As organizations tackling business continuance build out their SANs, they are finding themselves face to face with many of the WAN-centric performance, security, and management issues that have confronted them in their data networks. Because increasing volumes of storage data are traversing the WAN, distance-driven delay and new security exposures are rearing their heads. Enterprises should look for support for SAN acceleration techniques, multifaceted security, and industry-standard management interfaces and capabilities to ensure that their SANs perform well and remain secure, cost-effective, and manageable.

Talk About It

Want to share your expertise on storage technology with your peers? Get answers to your questions from Cisco experts? Join the Networking Professionals Connection storage discussion at cisco.com/discuss/storage.

SANs, Continued from page 41


Different releases of Cisco IOS Software were tested during this phase, because IOS had to support the EIGRP extensions that allowed EIGRP to work across the mGRE tunnels. In the early testing phase, the IPSec features of DMVPN were removed from ITV's solution. Because ITV has a private, wholly-owned network, the additional overhead of IPSec headers was deemed unnecessary. The trade-off is that without IPSec the GRE, NHRP, and EIGRP traffic between CE routers travels unencrypted and unauthenticated, so the design relies entirely on the isolation provided by the provider's MPLS VPN.

QoS was tested to a degree in the lab, and multicast freeware utilities were used to simulate multicast traffic across the DMVPN cloud. The end solution had to support voice, video, and data streams across the available bandwidth without end users experiencing any difference from their current mixed-media WAN deployment.

The Implementation

The network implementation was conducted in phases. ITV Meridian, the ITV franchise holder for the south and southeast of England, was relocating to a new purpose-built digital television facility based in Whiteley, Hampshire, UK. Along with its regional offices at Maidstone, Newbury, Brighton, and the London transmission center, this provided an ideal testbed for the DMVPN design and hardware. Rolling out the Cisco 2651XM multiservice routers, pointing the spoke routers to hub routers in London and Whiteley, proved to be the best test we could have.

In every network design, something surfaces that the network engineer hadn’t counted on during the initial planning stage. In ITV’s case, very high resolution compressed video images were being sent by FTP in nonreal-time from one end of the news network to the other at any time of day—which basically overwhelmed the Cisco 2651XM multiservice routers. Now, ITV had to find an alternative CE router.

With additional testing in the lab network at BTSkynet, the then newly available Cisco 2851 Integrated Services Router was put through its paces—and passed. BTSkynet shipped the Cisco 2851 Integrated Services Routers directly to the Whiteley office, and they were deployed within hours.

The fourth-generation architecture of the Cisco Integrated Services Router (integrated advanced services at line rate) along with its built-in VPN and QoS acceleration features solved the performance problems—so well, in fact, that ITV and BTSkynet ran a battery of tests to ensure the validity of the vastly improved performance data! As the new routers came online, the network performance increase was so dramatic that the video tests were conducted again and again, with added clips to prove that no caching on any end system was taking place to fool the statistics we were seeing.

The Cisco 2851 Integrated Services Routers, running their initially released (non-GD) IOS code, saved the implementation. This model was then used as a template to roll out the main network, which consisted of an additional 20 sites, each with two Cisco 2851 Integrated Services Routers.

In addition to the impressive performance of the Cisco Integrated Services Routers, throughout the testing and implementation phases, we found the DMVPN solution to be a configuration engineer’s lifesaver. DMVPN really is a “build once, use many” technology that saved ITV time and effort throughout the project lifecycle.

Implementation Tale: Resolving a Performance Issue

During the latter implementation phases, ITV’s network server teams encountered a bizarre (at the time) performance issue. One particular network operating system vendor was implementing Path MTU discovery (a technique for avoiding fragmentation) each and every time a new client-server session started, and then timing out the routing cache at regular intervals, resulting in further Path MTU discovery dialogues. The DMVPN tunnels had a 1,472 byte MTU (derived from the 1,500 byte MTU of the underlying MPLS LSP less 24 bytes of standard GRE header and 4 bytes of optional GRE header, used for the key field). The DF bits of the IP packets were being seen by the routers, but not all of the Internet Control Message Protocol (ICMP) replies were being sent by the routers. By default, the routers limited the number of replies they sent out for ICMP to 2 pps as a basic denial-of-service defense mechanism. This meant that Path MTU discovery was failing some of the time.

ITV solved the problem by rate limiting the ICMP replies for “DF unreachable” to 1 ms, thus allowing for a maximum of 1,000 replies per second. This was achieved using the global config command ip icmp rate-limit unreachable DF. ITV also tested the ip tcp adjust-mss command on some routers, but it was unnecessary after the ICMP rate limit was set.
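The interaction the sidebar describes, modelled as an added example (not code from the article or from ITV): a router that permits one ICMP "DF unreachable" reply per rate-limit interval, and a burst of hosts that each start a session with an oversized DF packet. The 1,472-byte figure and the 2 pps default come from the text; the 500 ms interval for 2 pps and the host timing (session spacing, retransmission timer, retry count) are constructed assumptions.

```python
"""Model of the Path MTU discovery (PMTUD) failure from the DMVPN sidebar.

Added example, not code from the original article. The router is modelled
as permitting one ICMP "DF unreachable" (fragmentation needed) reply per
rate-limit interval: 500 ms for the default 2 pps, 1 ms after the change
described in the text. Host timing (session spacing, retransmission timer,
number of attempts) is a constructed assumption for the simulation.
"""
import heapq
from dataclasses import dataclass

MPLS_LSP_MTU = 1500   # underlying MPLS LSP MTU, as stated in the text
GRE_HEADER = 24       # standard GRE header, as stated in the text
GRE_KEY_FIELD = 4     # optional GRE key field, as stated in the text


def dmvpn_tunnel_mtu(underlay_mtu=MPLS_LSP_MTU):
    """Tunnel MTU = underlay MTU less GRE overhead (1,472 bytes on ITV's network)."""
    return underlay_mtu - GRE_HEADER - GRE_KEY_FIELD


@dataclass
class IcmpUnreachableLimiter:
    """One 'DF unreachable' reply per interval_ms, modelling the effect of
    'ip icmp rate-limit unreachable DF <ms>' (2 pps default = 500 ms, assumed)."""
    interval_ms: float
    next_allowed_ms: float = 0.0
    sent: int = 0
    suppressed: int = 0

    def try_reply(self, now_ms):
        """Return True if the router sends the ICMP reply at time now_ms."""
        if now_ms >= self.next_allowed_ms:
            self.next_allowed_ms = now_ms + self.interval_ms
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def simulate_pmtud(n_sessions, interval_ms, spacing_ms=2, retry_ms=1000, max_attempts=3):
    """Simulate n_sessions hosts that each start a client-server session with a
    1,500-byte DF packet (larger than the tunnel MTU), spaced spacing_ms apart.
    A host retransmits every retry_ms until it receives the ICMP reply (and so
    learns the tunnel MTU) or exhausts max_attempts.
    Returns (sessions that learned the path MTU, sessions that did not)."""
    limiter = IcmpUnreachableLimiter(interval_ms)
    mtu = dmvpn_tunnel_mtu()
    learned = {}
    # Event queue of (time_ms, session_id, attempt): first DF packet of each session.
    pending = [(i * spacing_ms, i, 1) for i in range(n_sessions)]
    heapq.heapify(pending)
    while pending:
        t, sid, attempt = heapq.heappop(pending)
        if limiter.try_reply(t):
            learned[sid] = mtu           # host now sends 1,472-byte packets
        elif attempt < max_attempts:
            heapq.heappush(pending, (t + retry_ms, sid, attempt + 1))
    return len(learned), n_sessions - len(learned)


if __name__ == "__main__":
    for interval in (500, 1):
        ok, failed = simulate_pmtud(50, interval)
        print(f"rate-limit interval {interval} ms: {ok} sessions learned "
              f"the {dmvpn_tunnel_mtu()}-byte MTU, {failed} failed")
```

With the default interval only three of fifty simultaneous sessions learn the path MTU within three attempts; with the 1 ms interval all fifty do, which is the behaviour the sidebar reports.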

FURTHER READING

■ Dynamic Multipoint VPN

cisco.com/packet/181_7c1

■ Cisco 2800 Series Integrated Services Routers

cisco.com/packet/181_7c2

DMVPN Deployment, Continued from page 49


SERVICE PROVIDER SOLUTIONS

Say It with IPTV Services

Tapping the Flexibility of a Converged Network Infrastructure

That’s smart. Ask HKBN.

By Janet Kreiling

“It’s not what you have that counts, but how you use it,” as the saying goes. Actually, what Hong Kong Broadband Network Limited (HKBN) has is quite impressive—a Carrier Ethernet network capable of delivering 1 Gbit/s to any residence or business. But it’s what the company is doing with the network that earned HKBN the 2005 Global Entrepolis @ Singapore award for innovation, sponsored by the Asian Wall Street Journal and the Singapore Economic Development Board. HKBN is extending 10- and 100-Mbit/s services to all subscribers who want them at considerably lower prices than its competitors; 1-Gbit/s service is available for a premium price. And most recently, HKBN has been building a healthy market for IPTV.

A subsidiary of City Telecom (H.K.) Limited, HKBN has grown from 12 employees to Hong Kong’s second largest alternative service provider in a little more than ten years. How? HKBN reaches out to underserved markets, starting with people who have never used broadband, offers them a year’s service free, and then continually introduces new services. By the end of 2005, its network, built at US$130 per home passed, had a reach of approximately 2 million residences, 90 percent of those in the city. Symmetric 100-Mbit/s and 1-Gbit/s services are US$27 and $172 per month, respectively.

Underpinning HKBN’s successful content strategy for IPTV and its other innovative content and marketing strategies is a Cisco IP Next-Generation Network (IP NGN) infrastructure. “HKBN’s greatest strength remains its Cisco IP NGN converged infrastructure, which enables the carrier to stay flexible with its business strategies,” according to an October 2005 case study conducted by research firm IDC.


Photo: © Justin Guariglia/National Geographic Image Collection


Network Supports Business Strategy

Cisco equipped HKBN’s IP NGN Ethernet infrastructure, and has also counseled the carrier on “creating a network architecture that delivers a better customer experience, enables it to provide any and all services it wants to, and integrates seamlessly with the rest of its video infrastructure,” says Pankaj Gupta, senior manager for service provider marketing at Cisco. “Cisco helped to architect a network that complements and helps enable HKBN’s business strategy.”

With its Cisco IP NGN, HKBN has deployed an intelligent network that is scalable and resilient to changing subscriber usage patterns via its dynamic bandwidth capabilities. For example, network usage and subscriber traffic patterns can vary widely between mostly broadcast TV and mostly video-on-demand (VOD) services. HKBN can set its network to reallocate bandwidth dynamically if the traffic mix in a given area of subscribers varies across services, over time and subscriber growth, or around major sporting or other events. In this way, capacity is as available and used as efficiently and economically as possible, explains Wayne Cullen, senior manager in the Product and Technology Marketing Organization at Cisco.

HKBN has essentially created a city-wide Ethernet infrastructure (see figure). The core transport network is built on the Cisco ONS 15454 SDH Multiservice Provisioning Platform (MSPP), which supports various Ethernet speeds as well as sub-50-millisecond Resilient Packet Ring (RPR) protection. The latter is essential for voice and video quality of service (QoS) as well as HKBN’s service-level agreements (SLAs). At the network core is a Multiprotocol Label Switching (MPLS) backbone with Cisco 7600 and 12000 series routers. Linked to the core are Cisco Catalyst 4500 Series Ethernet switches, which act as aggregation nodes; from there links fan out to the city’s many multitenant high-rise buildings. Within these high rises, HKBN deploys Cisco Catalyst 3550 and 2950 series switches, the former in the basement and the latter on individual floors. Most of the network runs over fiber; copper might handle the last few hundred meters to an individual apartment or condominium. The network delivers 100 Mbit/s over copper or fiber, and 1 or more Gbit/s over fiber.

“With Cisco IP NGN, HKBN is enabling an enhanced subscriber experience,” says Cullen, “so it is better able to monetize its services and ensure the needed QoS for paying IPTV customers.”

“HKBN has been able to roll out a succession of new services without making any changes in the infrastructure,” adds Gupta. “Moreover, the network is future-proof: the IP NGN architecture will be able to handle whatever HKBN demands of it, such as high-definition TV.”

CERTIFIED NETWORK

HKBN was one of the first service providers to earn the new Cisco Powered Network QoS Certification, which requires third-party verification that the network meets Cisco’s best practices and standards for QoS.

HKBN CARRIER ETHERNET NETWORK ARCHITECTURE

[Figure: the Core, built on the Cisco ONS 15454 (Cisco IP + Optical Network) with Cisco 7600/12000 Series Routers and IP Multicast Video Servers, connects over N * 10GE/GE links to Cisco Catalyst 4500 Switches, and from there to Cisco Catalyst 3550 and Cisco Catalyst 2950 Switches, which deliver IPTV, VoIP, and Broadband services to the subscriber STB.]

If HKBN chooses to compete for premium pay TV subscribers, HDTV, or support online multiplayer gaming, it can do so. As noted in the October 2005 case study prepared by IDC, “Essentially, with an IP NGN converged network in place, HKBN can treat these issues simply as business decisions and not as technology-related roadblocks.”

IPTV: Marketing to the Masses

The fastest-growing segment of HKBN’s triple play services, IPTV exemplifies the provider’s smart marketing strategy. Specifically, it is:

■ Expanding the market, rather than poaching subscribers from other providers. Most of its IPTV customers have not previously subscribed to any pay TV service.

■ Bringing IPTV to markets not served by competitors, especially the Chinese-speaking population in Hong Kong, which until 1997 was a British colony whose official language was English.

■ Offering desired TV programming not provided by other companies, presented in Chinese rather than English.

The market is wide open because pay TV penetration is low. “Hong Kong has a population of 7 million, but fewer than half of the city’s residences subscribe to pay TV services,” notes Gupta.

At the heart of HKBN’s IPTV value proposition is its savvy market segment analysis—its ability to identify target markets and serve them with the right content at the right price. In this case, HKBN can offer IPTV at the aggressively low price point of US$16 per month, a figure that is possible because of the carrier’s low operating expenses and flexible IP NGN converged infrastructure, according to Gupta.

Content Caters to Diverse Personal Interests

Hong Kong residents in general are technologically sophisticated, embracing new information services and gadgets. The more than half who don’t already subscribe to pay TV are either not interested in premium channels or cannot afford them. HKBN wins them over with low prices, 50-plus channels, 23 of them interactive (its network has a total capacity of 200 channels), and content not likely to be delivered by its competitors. For example:

■ Highly popular Japanese football (soccer)

■ Live interactive healthcare programs, with physicians to answer questions

■ The “Drama Buffet,” launched in September 2005, features episodes of popular Chinese, Korean, and Japanese soap operas and other programs in near video-on-demand (NVOD) format. Viewers choose from episodes that air on the next hour or half hour, cycling through multiple episodes if they wish.

“Apart from delivering content which caters to the general public, HKBN IPTV also addresses the audience’s diverse personal interests,” says Haily Leung, senior vice president at HKBN Digital TV. “This drives us toward more interactive and personalized services for our audience, making full use of the superiority of our IP network infrastructure.”

Cisco’s Commitment to Video

Video, as HKBN has aptly discerned, is one of today’s biggest opportunities for service providers.


New Cisco ME 3400 Series Ethernet Access Switch

In its Carrier Ethernet network, HKBN beta tested this new switch, which Cisco engineered specifically for service provider metro access. The Cisco ME 3400 Series Ethernet Access Switch operates at Layers 2 and 3, and is optimized for protected delivery of high-bandwidth Ethernet to the home (ETTH) triple play and Ethernet to the business (ETTB) VPN services to multiple customers.

Installed at the customer’s premises, the Cisco ME 3400 Series can be deployed economically with a pay-as-you-grow approach. The switches support multiple software images, with feature sets for triple play, premium triple play/Layer 2 VPN services, or Layer 3 VPN services. Providers pay only for the features they need now and can add new ones with a simple upgrade for optimizing their CapEx and OpEx. A single platform for the ETTH and ETTB also reduces the provider’s training, maintenance, and sparing costs.

What’s more, the Cisco ME 3400 Series switches provide the most comprehensive, enhanced security for Carrier Ethernet deployments. Among their features are access control lists (ACLs) and IEEE 802.1X support at the network level; control plane protection, storm control, and port security at the switch level; and UNI/NNI, Dynamic Address Resolution Protocol Inspection, and IP Source Guard at the subscriber level. For more on these new switches, see cisco.com/packet/181_8a1.


“Cisco has made a commitment to provide networks on which service providers can offer video services in a reliable, profitable model,” says Jeffrey Spagnola, vice president for global service provider marketing at Cisco. “We have learned how video architectures need to scale, whether we are talking about multicasting, VPLS [Virtual Private LAN Services], or MPLS in the infrastructure. Cisco has learned how to deliver economic value and how to optimize the use of bandwidth and enable a better customer experience.”

Underscoring Cisco’s commitment is its intent to acquire (pending regulatory approval) Scientific-Atlanta, a global provider of set-top boxes, end-to-end video distribution networks, and video system integration. “The assets Scientific-Atlanta will bring to Cisco’s solution set are very complementary to our ability to transport video triple play over a digital infrastructure,” says Spagnola.

FURTHER READING

■ IDC Case Study: “HKBN Implements IPTV Solution on Cisco IP NGN Converged Infrastructure”

cisco.com/packet/181_8a2

■ White paper: “Building the Carrier-Class IP NGN”

cisco.com/packet/181_8a3

Is the Hong Kong Market Unique for IPTV?

Hong Kong might seem like a unique market, with 7 million people in some 2.2 million residences, densely packed into 422 square miles of land. Concentrating residents into multitenant buildings makes a fiber network relatively inexpensive, even when it includes fiber to the home. But, according to Gupta, “The underlying architecture for IPTV across access technologies, such as fiber, DSL, and Ethernet, is similar. The major components of IPTV architectures are set-top boxes, access, aggregation, core, video head-ends, and middleware.”

So, what makes HKBN unique is not its fiber, but its savvy market segment analysis, content choices, and IP NGN infrastructure. Profitable IPTV does not depend on a high-density market such as Hong Kong, notes Gupta, but rather on providing an enhanced customer experience, meeting the content needs of consumers, and differentiating yourself from competitors.


SERVICE PROVIDER SOLUTIONS

Gaining the Ethernet Edge

New OAM protocols enhance a carrier’s service deployments and make managing and monitoring Metro Ethernet networks easier.

By Chiara Regale

Ethernet is a widely deployed technology not only in LANs but also increasingly in metropolitan- and wide-area networks (MANs and WANs). Ethernet in the MAN/WAN has amplified the need for flexible, comprehensive management and monitoring functionalities to increase end-to-end service operational efficiency. To foster wide-scale adoption of Metro Ethernet and broadband services, equipment vendors and service providers must jointly consider ways to facilitate and expedite service deployment. Some of these ways can be found within protocols such as Ethernet Operations, Administration, and Maintenance (Ethernet OAM) and Ethernet Local Management Interface (E-LMI).

The Ethernet OAM standard brings to Ethernet much of the OAM functionality found in traditional carrier network technologies. Advanced capabilities such as link monitoring, fault detection/isolation, and remote loopback control give carriers the end-to-end OAM tools required to maintain and monitor their Metro Ethernet networks in a manner consistent with other carrier technologies.

OAM gives network operators the ability to monitor the health of a network and, more importantly, the health of the services being offered, and quickly determine the location of failing links or fault conditions (see Figure 1). This article details the functionalities of Ethernet OAM protocols, specifically E-LMI and new OAM capabilities within IEEE 802.3 Clause 57 (formerly known as 802.3ah) and 802.1ag. MPLS OAM falls outside the scope of this discussion.


FIGURE 1 With Ethernet OAM, every network domain (from access to aggregation to core) and every application layer (Layer 2 or IP/MPLS) is characterized by its own OAM protocol and recovery mechanism.

[Figure 1, "Ethernet OAM: The Big Picture", shows a CE in each Customer Domain at either end of the Service Provider network (Ethernet Access, MPLS Core, Ethernet Access), with the Provider Domain spanning three Operator Domains, and carries these annotations:]

MPLS OAM: VCCV, LSP Ping/Traceroute

E-LMI: Automated Config of CE Based on EVCs and Bandwidth Profiles; Layer 2 Connectivity Management

802.1ag Connectivity Fault Management:
• Uses Domains to Contain OAM Flows and Bound OAM Responsibilities
• Provides per-EVC Connectivity Management and Fault Isolation
• Four Packet Types: Continuity Check, Layer 2 Ping, Layer 2 Traceroute, AIS

Connectivity and Performance Management:
• Cisco IP SLA Measures Availability/Connectivity, Packet Delivery Rate, Latency, and Jitter
• Tailored Functionality for MPLS
• For Ethernet, Measure per Physical Path Using IP Interface on Endpoints
• Plan to Extend Cisco IP SLA to per-EVC Measurement

802.3ah: When Applicable, Physical Connectivity Management Between Devices. Most Applicable to First Mile.


E-LMI

Based on ITU-T Q.933 and X.36, the E-LMI technical specification enables customer equipment (CE) to request and receive status and service attribute information from the provider’s Metro Ethernet network, so that the CE can automatically configure itself to access Metro Ethernet services. E-LMI has local significance at the User Network Interface (UNI) between the Metro Ethernet access device and the CE, and also provides UNI and Ethernet Virtual Connection (EVC) status information to the CE. This information enables automatic configuration of the CE operation based on the Metro Ethernet network configuration. The E-LMI protocol notifies the CE of an EVC addition; notifies the CE of an EVC deletion; notifies the CE of the availability state of a configured EVC (active, not active, or partially active); and communicates UNI and EVC attributes to the CE. To transfer E-LMI information, a framing or encapsulation mechanism is required (see Figure 2).

IEEE 802.3 Clause 57 OAM at the Link Level

IEEE 802.3 Clause 57 provides new OAM standards for Ethernet that contain useful mechanisms for monitoring link operation, such as remote failure indication and remote loopback control. The OAM described in this standard provides data link layer mechanisms that complement applications that may reside in higher layers. Link Level OAM is intended for point-to-point and emulated point-to-point 802.3 links. OAM information is conveyed in frames called OAM protocol data units (OAMPDUs), which contain the appropriate control and status information used to monitor, test, and troubleshoot OAM-enabled links. OAMPDUs traverse a single link, being passed between peer OAM entities. They are intercepted by the MAC sublayer and cannot propagate beyond a single hop within an Ethernet network.

The three main functions of Ethernet OAM are discovery, link monitoring, and remote failure indication.

Discovery

This is a means for detecting the presence of an OAM sublayer at the remote peer and establishing OAM on the link. In the Discovery phase, the following information is advertised in Type Length Values (TLVs) embedded within periodic Information OAMPDUs:

OAM mode: Conveyed to the remote OAM entity, this mode can be either active or passive, and can also be used to determine device functionality.

OAM configuration (capabilities): Advertises the capabilities of the local OAM entity. With this information, a peer can determine which functions are supported and accessible, such as loopback capability.

OAMPDU configuration: Includes maximum OAMPDU size for receipt and delivery. This information along with the rate limiting of ten frames/sec can be used to limit the bandwidth allocated to OAM traffic.

Platform identity: A combination of an Organization Unique Identifier (OUI) and 32 bits of vendor-specific information. OUI allocation is controlled by the IEEE, and OUIs are typically the first 3 bytes of a MAC address.

Discovery includes an optional phase wherein the local station can accept or reject the configuration of the peer OAM entity.
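The four Discovery items above map onto fixed fields of the Information OAMPDU's Local Information TLV; the encoder/decoder below, an added example rather than code from the article or from Cisco, packs and parses them, and also decodes the OAMPDU flags field that carries the remote failure indications (link fault, dying gasp, critical event) discussed in the next section. The byte layout follows IEEE 802.3 Clause 57 as understood by the author of this example (the article names the fields but not their encoding); the OUI and vendor information used in the demo are constructed values.

```python
"""Encoder/decoder for the IEEE 802.3 Clause 57 Information OAMPDU fields that
the Discovery phase advertises (OAM mode, capabilities, maximum OAMPDU size,
OUI plus 32 bits of vendor-specific information) and for the OAMPDU flags
that carry the remote failure indications.

Added example, not code from the article. The byte layout follows IEEE 802.3
Clause 57 as understood by the author of this example; the OUI and vendor
information in the demo are constructed values.
"""
import struct

OAM_SUBTYPE = 0x03            # slow-protocol subtype used by Clause 57 OAM
CODE_INFORMATION = 0x00       # Information OAMPDU

# OAMPDU header flags (bit positions in the 16-bit flags field)
FLAG_NAMES = {
    "link_fault": 1 << 0, "dying_gasp": 1 << 1, "critical_event": 1 << 2,
    "local_evaluating": 1 << 3, "local_stable": 1 << 4,
    "remote_evaluating": 1 << 5, "remote_stable": 1 << 6,
}

# Local Information TLV, "OAM configuration" octet
CFG_MODE_ACTIVE = 1 << 0      # 1 = active, 0 = passive
CAPABILITY_BITS = {
    "unidirectional": 1 << 1, "link_events": 1 << 2,
    "loopback": 1 << 3, "variable_retrieval": 1 << 4,
}
LOCAL_INFO_TLV_TYPE = 0x01
LOCAL_INFO_TLV_LEN = 16
MAX_PDU_MASK = 0x07FF         # 11-bit maximum OAMPDU size field


def build_local_info_tlv(active, capabilities, max_pdu, oui, vendor_info, revision=0):
    """Pack the 16-byte Local Information TLV advertised during Discovery."""
    if not 64 <= max_pdu <= 1518:
        raise ValueError("maximum OAMPDU size must be 64..1518")
    if len(oui) != 3 or len(vendor_info) != 4:
        raise ValueError("OUI is 3 octets, vendor information is 4 octets")
    config = CFG_MODE_ACTIVE if active else 0
    for name in capabilities:
        config |= CAPABILITY_BITS[name]
    state = 0x00                              # parser and multiplexer both forwarding
    header = struct.pack("!BBBHBBH", LOCAL_INFO_TLV_TYPE, LOCAL_INFO_TLV_LEN,
                         0x01, revision, state, config, max_pdu & MAX_PDU_MASK)
    return header + oui + vendor_info


def build_information_oampdu(local_tlv, flags=0):
    """OAMPDU = subtype, flags, code, TLVs, End-of-TLV marker (type 0x00)."""
    return struct.pack("!BHB", OAM_SUBTYPE, flags, CODE_INFORMATION) + local_tlv + b"\x00"


def decode_flags(flags):
    """Names of the flag bits that are set, e.g. ['dying_gasp', 'local_stable']."""
    return sorted(name for name, bit in FLAG_NAMES.items() if flags & bit)


def decode_local_info(tlv):
    if len(tlv) < LOCAL_INFO_TLV_LEN:
        raise ValueError("truncated Local Information TLV")
    _, length, version, revision, state, config, pdu_cfg = struct.unpack("!BBBHBBH", tlv[:9])
    if length != LOCAL_INFO_TLV_LEN:
        raise ValueError("bad Local Information TLV length")
    return {
        "version": version, "revision": revision, "state": state,
        "mode": "active" if config & CFG_MODE_ACTIVE else "passive",
        "capabilities": sorted(n for n, bit in CAPABILITY_BITS.items() if config & bit),
        "max_oampdu": pdu_cfg & MAX_PDU_MASK,
        "oui": tlv[9:12].hex(":"),             # typically the first 3 bytes of a MAC address
        "vendor_info": tlv[12:16].hex(),       # the 32 bits of vendor-specific information
    }


def parse_information_oampdu(pdu):
    """Decode header flags and the Local Information TLV; reject malformed input."""
    if len(pdu) < 4:
        raise ValueError("truncated OAMPDU")
    subtype, flags, code = struct.unpack("!BHB", pdu[:4])
    if subtype != OAM_SUBTYPE or code != CODE_INFORMATION:
        raise ValueError("not an Information OAMPDU")
    result = {"flags": decode_flags(flags)}
    pos = 4
    while pos < len(pdu):
        tlv_type = pdu[pos]
        if tlv_type == 0x00:                  # End of TLV marker
            break
        if pos + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        tlv_len = pdu[pos + 1]
        if tlv_len < 2 or pos + tlv_len > len(pdu):
            raise ValueError("malformed TLV length")
        if tlv_type == LOCAL_INFO_TLV_TYPE:
            result["local"] = decode_local_info(pdu[pos:pos + tlv_len])
        pos += tlv_len                        # skip TLVs this decoder does not know
    if "local" not in result:
        raise ValueError("Local Information TLV missing")
    return result
```

A receiver that parses OAMPDUs this way can, for instance, refuse to enable loopback when the peer's advertised capabilities do not include it, which is the accept-or-reject step Discovery allows for.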

Link Monitoring

Ethernet Link OAM provides a mechanism to support event notification that permits link monitoring for detecting and indicating link faults under a variety of conditions. Link monitoring uses the Event Notification OAMPDU, and sends events to the remote OAM entity when problems are detected on the link. Because 802.3 Clause 57 OAM does not provide a guaranteed delivery of any OAMPDU, the Event Notification OAMPDU may be sent multiple times to reduce the probability of a lost notification. A sequence number is used to recognize duplicate events.

Remote Failure Indication

Ethernet Link OAM provides a mechanism for an OAM entity to convey failure conditions to its peer, via specific flags in the OAMPDU. Failure conditions include link fault—loss of signal is detected by the receiver; for instance, the peer’s laser is malfunctioning; applies only when the physical sublayer is capable of independent transmit and receive. Dying gasp—an unrecoverable, vendor-specific condition (e.g., a power failure); may be sent immediately and continuously. Critical event—an unspecified, vendor-specific critical condition; may be sent immediately and continuously.

CHIARA REGALE is a product manager for the Catalyst 6500 Series Switch in the Internet System Business Unit at Cisco. A regular presenter at the annual Networkers conference, she focuses on product strategy and solution roadmap for the Catalyst 6500 in Metro Ethernet/broadband aggregation. She can be reached at [email protected].

FIGURE 2 The E-LMI framing structure is based on the IEEE 802.3 untagged MAC frame format. E-LMI messages are encapsulated inside Ethernet frames, making E-LMI implementation easy for organizations that already have Cisco routers and switches.

E-LMI Framing Structure

Field                  Size
Destination Address    6 Octets
Source Address         6 Octets
EtherType              2 Octets
PDU (Message)          46-1500 Octets (Data + Pad)
CRC                    4 Octets

Remote Loopback and MIB Variable Retrieval

Link OAM provides an optional data link layer, frame-level loopback mode, which is controlled remotely. Remote loopback can be used for fault localization and link performance testing. Statistics from both the local and remote peer can be queried and compared at any time while the remote entity is in OAM remote loopback mode. An implementation may analyze loopback frames within the OAM sublayer to determine additional information about the health of the link (e.g., determine which frames are being dropped due to link errors). In addition, Ethernet Link OAM provides read-only access to remote MIB variables limited to a specific MIB branch and leaf. The request-response nature of variable retrieval can also be used to estimate the link capability to support a service-level agreement (SLA), similar to IP Ping for measuring delay, jitter, and throughput. This function assumes that the time accessing the variable is negligible compared to propagation and queuing delay of the request and response.

IEEE 802.1ag OAM Network-Wide

Whereas IEEE 802.3 Clause 57 OAM monitors individual Ethernet links, 802.1ag focuses on the monitoring and fault detection capabilities across a large Ethernet network, which help in troubleshooting problems network-wide and at the service layers rather than just at the link layer. IEEE 802.1ag provides service OAM capabilities for monitoring and troubleshooting end-to-end Ethernet service instances. IEEE 802.1ag specifies the Ethernet Connectivity Fault Management (CFM) functionality that can detect, verify, and isolate connectivity failures in virtual bridged LANs. To support rapid detection of faults and accurate fault isolation without excessive consumption of network resources, CFM functions are partitioned as follows:

■ Fault detection. Continuity Check protocol is used to detect both connectivity failures and unintended connectivity between service instances. Connectivity Check Messages (CCMs) are multicast frames that can be transmitted at a high rate, but are simply forwarded as data within the network and, thus, do not impose a CPU processing load.

■ Fault verification and fault isolation. These are administrative actions, usually performed after automatic detection of a fault or receipt of some other error report. Fault verification is also used to confirm successful restoration or initiation of connectivity. Fault verification uses the acknowledged Loopback protocol to verify connectivity. Fault isolation uses the Linktrace protocol to determine the path from one CFM entity to another. Each Linktrace Message is sent to a multicast address to allow it to be readily intercepted on the path to the destination entity that returns unicast Linktrace Replies.

■ Fault notification. This is provided, possibly by using the Continuity Check protocol, when a connectivity fault is detected.

◆ ◆ ◆

Equipped with advanced OAM capabilities, it might soon be possible for carriers to verify the SLA requirements of a Metro Ethernet offering across an entire network. And metrics such as uptime, latency, and jitter could be continuously monitored. This monitoring can prove and improve SLAs between a carrier and its customers, as well as bolster the carrier’s revenue potential with enhanced services and reduced customer churn. These and other performance monitoring standards are underway.


Support for Ethernet OAM

Cisco’s premier switching platform for Metro Ethernet access and aggregation networks, the Catalyst 6500 Series provides increased end-to-end service operational efficiency. Management and monitoring features such as E-LMI and IEEE 802.3 Clause 57 OAM capabilities are already available in Cisco Catalyst OS Software Release 8.5, and 802.1ag OAM functionality will be supported in Catalyst OS Software Release 8.6. By the end of 2006, Ethernet OAM protocols will be introduced in Catalyst 6500 Series Cisco IOS Software Releases, and will not require a hardware forklift upgrade. Also by the end of 2006, Cisco plans to introduce support for Ethernet OAM protocols in the Cisco 7600 Series Router, Catalyst 4500 Series Switch, Catalyst 3750 Metro Series Switch, and ME 3400 Series Ethernet Access Switch. Also underway is the addition of E-LMI functionality to CPE including Cisco Integrated Services Routers.

FURTHER READING

■ Metro Ethernet Forum

www.metroethernetforum.org

■ IEEE 802.3ah

ieee802.org/3/ah/

■ IEEE 802.1ag

ieee802.org/1/pages/802.1ag.html


SERVICE PROVIDER SOLUTIONS

Recently, the IP Multimedia Subsystem (IMS) has generated quite a buzz within the service provider industry. It’s been hailed by many as the next-generation service provider architecture standard that will usher in the era of seamless multimedia communications across wireline, wireless, and cable networks. Meanwhile, numerous skeptics emphasize that the complexity of IMS could ultimately make its road to deployment steep.

So, just what is the status of IMS today and its promise for the future? While the road to IMS might prove to be long and winding, Cisco believes it will have significant relevance and value for some providers and, accordingly, has dedicated resources and established strategic partnerships to help companies navigate this road.

IMS and the Cisco IP NGN ArchitectureIMS is an open, standardized architecture that aims tomerge multimedia services across the cellular worldand IP networks using the same standard protocolsfor both mobile and fixed IP services. Based on SessionInitiation Protocol (SIP), IMS defines standard controlplane interfaces for creating new applications. IMSessentially takes the place of the control infrastructurein the traditional circuit-switched telephone network;the key difference is that IMS separates services fromthe underlying networks that carry them. In this way,presence-based services such as instant messaging andpush-to-talk (PTT), and other services such as voicemail and e-mail, can reside on application serversanywhere and be delivered by multiple wired andwireless providers.

In December 2005, Cisco introduced enhancements toits open Service Exchange Framework (SEF) thatenable support for IMS. A key component of Cisco’s IPNext-Generation Network (IP NGN) architecture, theCisco SEF provides ways to analyze, optimize, secure,and meter application and content-based servicesalready being deployed by service providers acrosswireless, wireline, and cable networks worldwide.

The IP NGN architecture defines three fundamentallayers of convergence. Cisco SEF operates at the serv-ice convergence layer:

■ Application convergence—integrating new, innovativeIP data, voice, and video applications for a rich sub-scriber experience on any device anywhere, and deliv-ered over a seamless, intelligent, high-performanceinfrastructure.

■ Service convergence––enabling providers to deliver“triple play on the move,” which combines voice,video, data, and mobility services for the overridingapplications. Service convergence includes policy-based network access and control that is technology-agnostic and seamlessly compatible with anyunderlying networking medium: mobile, fixed, wire-less, cable, DSL, optical, or Ethernet.

■ Network convergence—enabling providers to migratefrom deploying, managing, and maintaining multipleservice-specific networks to delivering all servicesacross a single network, which provides advancedmulticast, quality of service (QoS), and security capa-bilities end to end. Most often this network is basedon IP Multiprotocol Label Switching (IP MPLS).

The new Cisco Service Exchange Solution for IMSprovides a comprehensive foundation for deployingIMS-based services such as PTT and fixed mobileconvergence. The solution consists of Cisco and part-ner products that map to IMS specifications. (Formore on these products, see the white paper, “CiscoService Exchange Solution for IMS,” at cisco.com/packet/181_8c1.)

A cornerstone of an IP NGN network is providing theability for service providers to analyze, optimize, andmeter application and content-based services in theirexisting IP networks. This might require tracking serv-ices that traverse multiple network types, each with itsown unique capabilities, and the services could origi-nate and terminate on many different devices.

For example, cellular providers may evolve PTTservices so their subscribers can push to access avoice-enabled portal containing applications such asMapquest. Directions could be spoken or displayed.Today, however, most providers have very little ofthe detailed subscriber information or control theyneed to deliver such services and applications.

By David Barry

The Winding Road to IMSNon-IP Multimedia Subsystem applications are still key in the service provider evolution toward IMS.


Subscriber awareness and identity management are a few of the key capabilities now being enabled by the Cisco Call Session Control Platform (CSCP), an integral component of the Cisco Service Exchange Solution for IMS. Cisco CSCP supports the IMS reference architecture as a 3GPP-defined Call Session Control Function (CSCF). Cisco CSCP enables innovative IMS applications such as voice over broadband, PTT, presence-based services, video telephony, and fixed mobile convergence applications.

Among its other capabilities, Cisco CSCP helps to identify users and their devices, determine a person’s location, and establish presence for that person, including sharing his or her status (on or off network) with other subscribers. With these capabilities, providers can deploy presence-based services such as PTT, instant messaging, call routing and screening, and 3G+ mobile applications such as streaming audio and video and interactive gaming.

The Cisco CSCP also helps to simplify application development by handling tasks common to all applications only once. This approach allows providers to attain greater customer control than was previously allowed in a traditional applications environment. The subscriber database, profile information, presence and location, and other information that binds a subscriber to a particular service are all managed and controlled through a single mechanism.

With the Cisco CSCP, providers can mix and match their applications to create new customer services packages. A mobile carrier might, for example, build a contact list application that simply shows which users are online. Although this list might initially be used to support an instant messaging service, the carrier can make the same list available for a PTT or a “find me” service (allowing a subscriber to locate all the members of a predefined group simultaneously). By aggregating the capabilities of individual applications, the Cisco CSCP makes such applications quite simple to develop—in sharp contrast to the cumbersome process found in a traditional mobile applications environment.

Non-IMS Services Continue to Drive Revenue

Service providers are waging intense competitive battles as the explosion of new services and consumer end devices spur a thriving market. In the consumer space, gaming, network-based personal video recorders, video on demand (VoD), Wi-Fi networks, and mobility are especially high-growth areas. In this highly competitive, dynamic arena, providers must be nimble and fast. They need to deploy revenue-generating applications and services that they can offer to their subscribers today.

In fact, many services that providers might want to offer—from IPTV to Web to business IP VPNs and even messaging—do not necessarily need to be offered over an IMS infrastructure. And it isn’t merely a coincidence that many of these services are non-IMS-based.

“IMS is still in its early days, and therefore non-IMS-based service deployments are still important and driving a lot of the service revenue,” according to Mark Bieberich, director of Communication Network Infrastructure at The Yankee Group.


A Brief History of IMS

An open, standardized architecture, IMS defines how IP networks should handle voice calls and data sessions in the emerging arena of multimedia communications across wireline, wireless, and cable infrastructures. At its core is SIP, the signaling system for setting up and handling calls and data sessions, which already is the standard for voice over IP products.

IMS was initially developed by the Third Generation Partnership Project (3GPP) to meet the requirements of GSM operators seeking to deploy IP applications over their 3G wireless networks. Standards bodies for CDMA wireless as well as wireline networks have since adopted specifications based on IMS.

CableLabs, the standards-setting organization for the North American cable industry, has also adopted the signaling core of the IMS specification for PacketCable 2.0. This specifies requirements for real-time, interactive, multimedia services over cable DOCSIS access networks.


While SIP traffic will likely increase significantly over time (the next 1 to 3 years), non-SIP/non-IMS applications and services dominate the vast majority of IP network bandwidth today and will likely remain present in many provider networks for some time to come. All of these non-SIP/non-IMS applications represent sizable revenue streams for service providers. So, it’s important for providers to have networks that support both IMS and non-IMS traffic so that they can provide the most attractive, profitable service mix for their customers.

To that end, a service provider might decide to forego a “formal IMS” implementation altogether and instead deploy an alternative, IP-based control mechanism. Or a provider might decide on a combined IMS and non-IMS implementation within its architecture. The Cisco SEF supports providers in both cases.

With comprehensive support for non-IMS applications, the SEF can help providers deliver:

■ More services via capabilities such as personalization and differentiation through self-subscription; content filtering through deep packet inspection; more granular charging models with extensive pre- and post-paid options.

■ Greater efficiencies via service prioritization through deep packet inspection; preservation of video QoS via efficient management of oversubscription; greater scalability through content virtualization; network-based service control and charging across multiple access technologies.

■ Better control via fair use enforcement through deep packet inspection; higher availability through enhanced security; transparent mobile data networking across multiple access networks.

◆ ◆ ◆

Indeed, IMS provides the fodder for a provocative, forward-looking vision and merits consideration by service providers today. But it is not a homogenous standard. Rather, it’s an evolving series of specifications that is still being crafted, digested, and interpreted by vendors and carriers across the diverse segments of the wireline, wireless, and cable landscape.

In the end, some providers might not pursue IMS at all, while others might decide to follow a customized, mixed architecture to address their service control needs. Whether they decide to take the IMS road or not, Cisco has the solutions and expertise to help them be successful on their IP NGN journey.


IMS in Action: Fixed Mobile Convergence

Fixed mobile convergence is a highly promising application that has gained high interest among service providers. Fixed mobile convergence requires that a handset be able to move seamlessly from a cellular environment to a Wi-Fi networking environment such as a home or business. With such a dual-mode handset, users would have service on the cellular GSM network while driving in their car, but on the walk into their house, the handset would automatically sense Wi-Fi availability and switch to the Wi-Fi network.

At the Worldwide Analyst Conference in December 2005, Cisco demonstrated such an application. While carrying a dual-mode (Wi-Fi/SIP and GSM) handset to make and receive voice calls, the demo presenter roamed across two access networks: Wi-Fi/802.11g and cellular GSM, with the call remaining active throughout the handoff. Specifically, this demonstration enabled the interworking of a variety of network and signaling protocols including IMS, SIP, GSM, MAP, Media Gateway Control Protocol (MGCP), and Wi-Fi. The demo also highlighted the standards-based interoperability of the Cisco SEF with critical partner products and services including handset/clients, HLR/HSS, and policy servers.

In addition to showing how Cisco’s Service Exchange Solution for IMS can deliver QoS over any access network while meeting operator-defined policy enforcement requirements, the demonstration validated the robustness of the key products underlying the solution, in particular the Cisco CSCP, Cisco BTS 10200 Softswitch, Cisco uBR10012 PacketCable-qualified cable modem termination system (CMTS), and the Cisco PGW2200 Media Gateway Controller.

FURTHER READING

■ White paper: “Cisco Service Exchange Solution for IMS”
cisco.com/packet/181_8c1

■ White paper: “Cisco Service Exchange Framework: Supporting IMS for Mobile, Wireline, and Cable Providers”
cisco.com/packet/181_8c2

■ White paper: “Service Exchange Framework: Providing Greater Control for Cisco IP NGNs”
cisco.com/packet/181_8c3


SMALL AND MIDSIZED BUSINESSES

Modular to the Core

Modular features and flexibility make the Catalyst 6500 Series Switch an affordable option for midsized networks.

By Gene Knauer

LAN switching features that were once available only to the world’s largest enterprise networks are now available and affordable to midsized networks with 250 to 1,500 end users—thanks to product innovations in Cisco’s Catalyst 6500 Series. Smaller form factors, modular components, and lower prices have garnered great interest in the Catalyst 6500 Series product line among midsized organizations. A wide range of port densities and performance and feature options make the platform equally attractive for multiple deployment scenarios.

Modularity, Options, and Affordability

While smaller than enterprise networks, today’s midsized networks often have many of the same requirements as networks with thousands of end users. Midsized organizations want converged data, voice, and video services. They consider high availability and resiliency essential. Ease of use is also a big plus, as networks become more complex and traffic volumes grow. And advanced services such as firewalls, intrusion detection, wireless LAN, and virtual private networking (VPN) are also highly desirable.

“Previously, midsized businesses would deploy the Catalyst 6500 in high-density and high-performance locations,” says Marie Hattar, director of Enterprise Switching in Cisco’s Product and Technology Marketing Organization. “But now they can get customized models of the Catalyst 6500 that deliver the performance, features, and form factor they want, with the ability to add additional, integrated service modules later because of the platform’s modular design.”

Cisco has enhanced the affordability of Catalyst 6500 models, now with an installed base of hundreds of thousands of chassis and millions of ports worldwide, through the introduction of a Supervisor 32 Engine, giving midsized customers an alternative to the Supervisor 720. The 32 Gbit/s of throughput in the switching fabric in the Supervisor 32 is ample for most midsized networks, compared with the 720 Gbit/s Supervisor Engine, which is standard for large enterprises. The Catalyst 6500 Series chassis also comes with the choice of three, four, six, nine, or 13 slots.

“Midsized networks include many different kinds of businesses with different needs. They are definitely not ‘one size fits all,’” says Gautam Roy, Cisco product manager for the Catalyst 6500. “Giving the customer a lot of choices in how to customize LAN switches, and giving them a full range of features to choose from, has proven very successful.”

Local Government Chooses Midsized Catalyst 6509

The network staff serving the Columbia Association, a planned community in Columbia, Maryland, chose the Cisco Catalyst 6509 switch for the core of the association’s first LAN/WAN to connect 42 facilities across Columbia. With 450 regular users and 1,500 seasonal employees accessing the network, the Columbia Association began planning for the move to a converged IP environment with data, voice, and video services in 2001. At that time there was no LAN or WAN, and none of the association’s 42 facilities had e-mail. Only an aging minicomputer connected to point-of-sale locations at recreational facilities such as skating rinks, pools, golf courses, parks, and association offices using 56K leased lines. The phone system was equally antiquated: the private branch exchange (PBX) required 10-digit dialing between each member facility.

CATALYST OF CHOICE Midsized organizations like the nonprofit Columbia Association are beginning to use the Cisco Catalyst 6500 Series for their converged networks.

Program and Project Manager Nagaraj Reddi realized that an IP network could meet the Columbia Association’s requirements for converged services, security, and resiliency. “We decided on the Catalyst 6509 for the core because it was much more economical to get one big switch to connect all of the facilities together rather than buying many smaller switches,” says Reddi. “It occupies less space and gives us room to grow; if we need more ports or services we just add another service module blade.”

Cisco Catalyst 2950 Series edge switches in the main office and remote sites provide Gigabit Ethernet connectivity. Redundant Cisco 3800 Series Integrated Services Routers direct data, voice, and videoconferencing traffic over T1 lines, fractional T1 lines, DSL, and ISDN links to edge routers in Columbia Association facilities.

The Columbia Association has swiftly taken advantage of IP features in its Cisco end-to-end network. According to Reddi, it has installed nearly every model of Cisco IP phone, along with Cisco Aironet access points for wireless LAN connectivity in hotspots at many of the association’s facilities. Segmented virtual LANs provide separate access for Columbia Association employees and visitors.

“The entire network was plug and play; we haven’t had a single issue, and we continue to add new features without a problem,” says Reddi, who manages the network with a staff of seven. “The phones became very popular once we showed people how to use all of the different features, and now every staff person who has a laptop can access the network through secure VPNs from their homes. The police pull up near WLAN hot spots throughout the city to access the network from laptops in their cars.”

Reddi also likes the durability of the Cisco IP phones, which have endured extreme heat and cold in outdoor locations and chlorine beside indoor pools. For greater redundancy, Reddi will soon add another Catalyst 6509, although the network has thus far maintained its goal of 98 percent uptime.


INTEGRATED INFRASTRUCTURE The Columbia Association network includes a Cisco Catalyst 6509 with an integrated Intrusion Detection System module in the network core.

[Figure: COLUMBIA ASSOCIATION NETWORK. Diagram labels: ISP #1, ISP #2, Internet; Cisco PIX 515 Firewall (x2); Cisco VPN 3000 Series Concentrator (x2); Cisco 3800 Series Integrated Services Router (x2); Cisco Catalyst 6500 Series Switch with Intrusion Detection System Module; Cisco CallManagers; Cisco Unity Voice Mail; Servers; Cisco VG200 Voice Gateway; Local Lines; PSTN’s; Cisco Catalyst 2950 Switch (x3); CiscoWorks VPN/Security Management Solution; Virtual LAN; Laptop; Cisco Wireless; WAN; Cisco 3600 Series Multiservice Router (x2); 23 Pools Network; ISDN BRI for Pools; Cisco 2600 Router; Cisco 1700 Series Modular Access Routers; Cisco 3700 Series Multiservice Access Router (x2); GRE Tunnel0 & 1; Columbia Association.]


High Availability and Resiliency

Availability and resiliency are crucial to networks with converged voice and data services. The Catalyst 6500 has redundant power supplies that use independent circuits to lower the risk of outages due to circuit failure. This helps ensure that power-over-Ethernet (PoE) devices like IP phones always remain on. Each Catalyst 6500 Series Switch can support redundant supervisor engines with Layer 3 subsecond failover to help ensure application continuity. Integrated online diagnostics monitor the system’s vital signs.

“Many midsized customers think that if a switch goes down they can rely on a spare to provide redundancy, but with the Catalyst 6500 you have built-in high availability and resiliency to eliminate downtime and lost productivity,” says Cisco’s Hattar. “We have also introduced Cisco IOS Software Modularity, which makes the network even more resilient and available. You can restart processes, apply patches, and perform subsystem in-service upgrades without shutting the switch down.”

Easier Than Ever to Deploy, Manage, and Maintain

A variety of tools for diagnostics and troubleshooting ease the burden of deploying, managing, and maintaining the smooth operation of applications on the Catalyst 6500. Smart ports, AutoQoS, and AutoSecure tools automate the consistent configuration of multiple ports for deployment of advanced services. Web-based tools like Cisco Network Assistant and Cisco View Device Manager help in configuration, management, and troubleshooting of the Cisco Catalyst 6500 Series.

Integrated Internal and External Security

Midsized business networks need the same level of security as enterprise and service provider networks. Self-defending network features in the Catalyst 6500 protect the network from attacks in a variety of ways. Identity-based networking services allow network managers to identify users based on the IEEE 802.11 wireless LAN specifications and either allow access, disable access, or place guest users in a separate and secure VLAN. As users move from port to port, access control lists (ACLs), quality of service (QoS) settings, and other settings move with them. Network Admission Control (NAC) on the Catalyst 6500 Series enforces access privileges of a device based on its level of antivirus software and software patch level, and ensures policy compliance.

Malicious attacks, such as Dynamic Host Configuration Protocol (DHCP) snooping, the flooding of the Address Resolution Protocol (ARP) table, and the use of spoofed IP addresses, are all mitigated on the Catalyst 6500 Series with the Cisco Integrated Security Toolkit. Should the switch itself become a target, hardware-based control plane rate limiters and policers intercept malicious traffic directed at the CPU to counter denial-of-service attacks. Integrated Cisco NetFlow support provides enhanced packet capturing to detect anomalous traffic behavior. Cisco NetFlow is also useful in traffic monitoring and network capacity planning, and for applications such as granular accounting for user-based billing.
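The mitigations the paragraph above names (DHCP snooping, ARP inspection, source-IP verification, and control-plane policing against CPU-directed floods) as an administrator would turn them on in Cisco IOS on a Catalyst 6500; this is an added illustration, not configuration from the article or from Cisco, and the VLAN numbers, interface names, management subnet, file name and rate values are assumptions chosen for the example.

```cisco
! Added example (not from the article). Assumed: access VLANs 10 and 20,
! uplink Gi1/1 toward the DHCP server, access ports Gi2/1-48,
! management subnet 10.0.0.0/24, and all rate/burst values.
!
! --- DHCP snooping: only the uplink may answer DHCP; access ports stay untrusted ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Persist the binding table so DAI and IP Source Guard survive a reload
! (assumed file name)
ip dhcp snooping database bootflash:dhcp-snoop.db
!
interface GigabitEthernet1/1
 description Uplink toward DHCP server (trusted for DHCP and ARP)
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Dynamic ARP Inspection: ARP on untrusted ports must match a snooping binding ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- Access ports: rate-limit DHCP and ARP, bind source IP to the snooping table,
!     and cap the number of MAC addresses per port ---
interface range GigabitEthernet2/1 - 48
 switchport mode access
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source vlan dhcp-snooping
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security
!
! A port that trips a rate limit goes err-disabled; recover it automatically
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Control-plane policing: protect the supervisor CPU from floods ---
mls qos
ip access-list extended COPP-MGMT
 remark SSH and SNMP from the management subnet only
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended COPP-UNDESIRABLE
 remark Protocols this switch should never be serving
 permit tcp any any eq telnet
 permit udp any any eq tftp
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
policy-map COPP
 class COPP-MGMT
  police 512000 8000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 32000 1000 conform-action drop exceed-action drop
 class class-default
  police 1000000 16000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verify with: show ip dhcp snooping binding, show ip arp inspection statistics,
! show ip verify source, show policy-map control-plane
```

Whitelist the management subnet before attaching the policy; a class-default that drops on exceed will otherwise throttle your own session during an incident.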

Longevity and Lower Total Cost of Ownership

As midsized networks retool to add new features such as converged services, advanced security, VoIP, and WLANs, they want to benefit from an integrated infrastructure that reduces their total cost of ownership. They also want the gear they buy today to last beyond the typical three-year product refresh cycle. Product manager Gautam Roy believes that the Catalyst 6500 Series will create investment protection for customer deployment needs for the next five years or more.

Prime candidates for the platform, according to Roy, are midsized data centers of organizations with up to 1,500 employees that may support thousands of online users. A special content switching module for the Catalyst 6500 provides Layer 4–7 services for faster Web response times.

FURTHER READING

■ “Cisco Switching Solutions for the Midsized Business” video
cisco.com/packet/181_9a1

■ Cisco Catalyst 6500 Series Switches
cisco.com/packet/181_9a2

■ Cisco Solutions for Small and Midsized Businesses
cisco.com/packet/181_9a3

Talk About It

Want to share your expertise on LAN and WAN routing and switching with your peers? Get answers to your questions from Cisco experts? Join the Networking Professionals Connection discussions at cisco.com/discuss/lan and cisco.com/discuss/wan.


NEW PRODUCT DISPATCHES


Core Routing

Cisco CRS-1 Carrier Routing System: New DWDM Modules

Two new modules support service provider regional and long-haul transport applications: the Cisco CRS-1 single-port OC-768c/STM-256c Tunable WDMPOS Interface Module that provides up to 40 Gbit/s of data throughput across existing 10-Gbit/s dense wavelength-division multiplexing (DWDM) systems, and the Cisco CRS-1 4-Port 10GE Tunable WDMPHY Interface Module that is compatible with existing SONET/SDH operations support systems. Both modules are completely tunable across the C band with 50-GHz spacing and support high-gain Enhanced Forward Error Correction (EFEC), extending reach up to 1,000 km without requiring signal regeneration. The modules allow service providers to increase efficiencies, improve reliability, and reduce operational and capital costs by eliminating expensive, bulky transponder gear, even as video-based applications rapidly increase traffic in their existing DWDM networks.
cisco.com/go/crs

Cisco XR 12000 Series Routers: New Card and Adapters

The Cisco XR 12000 Packet Services Card (PSC-1) provides Session Border Control (SBC) functions integrated in the router, eliminating the need for overlay networks and standalone SBC appliances. The PSC-1 can be used by cable, wireline, and wireless service providers in deployments for peering or customer access. Separately, new Cisco 12000/XR 12000 Series shared port adapter (SPA) interface processors (SIPs)—the SIP-401, SIP-501, and SIP-601—host the common SPAs used to interconnect routers with each other or with gateways, Web servers, storage devices, and switches. The Cisco 12000/XR 12000 Series SIPs offer multiple rates up to 10 Gbit/s and support selected router models and specific SPAs.
PSC-1: cisco.com/go/12000
SIPs: cisco.com/packet/181_npd2

SPOTLIGHT ON:
Cisco Catalyst 6500 Series Wireless Services Module
Cisco Wireless LAN Controller Module

The new Cisco Catalyst 6500 Series Wireless Services Module (WiSM) helps network administrators easily scale and manage wireless networks. The Cisco WiSM works with Cisco Aironet lightweight access points, the Cisco Wireless Control System, and the Cisco Wireless Location Appliance. Designed for midsized and large enterprise facilities, the module provides clustering capabilities of up to 3,600 lightweight access points per roaming domain and support for more than 10,000 wireless client devices per module.
cisco.com/go/wism

The Cisco Wireless LAN Controller Module (WLCM) allows small and midsized businesses and enterprise branch offices to cost-effectively deploy and manage secure wireless LANs. As a Cisco Integrated Services Router module, it delivers centralized security policies, wireless intrusion prevention capabilities, RF management, quality of service (QoS), and Layer 3 fast secure roaming for wireless LANs. The Cisco Wireless LAN Controller Module manages up to six Cisco Aironet lightweight access points and is supported on Cisco 2800 and 3800 Series Integrated Services Routers and Cisco 3700 Series Multiservice Access Routers.
cisco.com/packet/181_npd1


Edge Routing, Access,and AggregationCisco Routers: New Shared PortAdapters Five new shared port adapters (SPAs) offerenhanced feature support and acceleratedservice delivery for specific Cisco core andedge routers. The Cisco I-Flex design com-bines SPAs and SPA interface processors(SIPs) that can be used to prioritize voice,video, and data services for intelligent,flexible, secure networking. The OC48-C/STM-16C ATM SPA for the Cisco 7600Series Router includes a comprehensiveATM feature set for cost-effective routingin service provider POP and core applica-tions. The Channelized STM-1/OC3 SPAsupports channelized, T3/E3, and T1/E1aggregation on Cisco 7600, 12000, andXR 12000 series routers. The 2-Port Giga-bit Ethernet SPA (for the Cisco 7600Series) and the 8-Port Fast Ethernet SPA(for the Cisco 12000 and XR 12000series) are suitable for POP aggregation,Metro Ethernet, and Internet peeringapplications. The 2-Port OC-48C/STM-16C Packet over SONET/SDH andResilient Packet Ring SPA are installed inthe Cisco 12000 and XR 12000 seriesrouters for applications including accessand aggregation, WAN uplinks, and Inter-net peering. cisco.com/packet/181_npd3

Cisco 7600 Series Routers: NewSupervisor Engine and SIP 600The Supervisor Engine 32 for Cisco 7600Series routers delivers security, availabil-ity, and manageability services for MetroEthernet access and smaller POP provideredge and enterprise WAN aggregation,deployed as a price-optimized, small formfactor edge device. The Supervisor Engine32 includes the policy feature card 3B(PFC3B) for architecture and feature con-sistency with the Supervisor Engine 720,and supports two uplink options: 8-portGigabit Ethernet Small Form Pluggable(SFP)-based uplinks and 2-port 10 Giga-bit Ethernet XENPAK-based uplinks. TheCisco 7600 Series SIP 600 supports band-width up to 10 Gbit/s, connects a varietyof Cisco SPAs, including the 10 GigabitEthernet SPA and OC192/STM64 Packetover SONET SPA, and combines Layer2/Layer 3 services for Metro Ethernet andVPN applications.

Supervisor Engine 32:cisco.com/packet/181_npd4SIP 600: cisco.com/packet/181_npd5

SwitchingCisco ME 3400 Series EthernetAccess SwitchThe Cisco ME 3400 Series EthernetAccess switches are specifically engineeredfor service provider metro access, andoptimized for protected delivery of Ether-net voice, video, and data services to resi-dential customers and Ethernet VPNservices to businesses. The Cisco ME3400 Series supports multiple softwareimages, giving service providers a pay-as-you-grow deployment model. Separatemodels provide an AC or DC power sup-ply; both models include 24 Ethernet10/100 ports and two 1000BASE-T SmallForm-Factor Pluggable (SFP) uplinks. Fora related article, see page 53.cisco.com/packet/181_npd6

Cisco Catalyst 6500 SeriesSwitch: New Supervisor EngineSupervisor Engine 32 for Catalyst 6500Series switches serves applications such ascore functions, distribution, and access forsmall and midsized LANs as well as enter-prise LAN/WAN access and serviceprovider metro access and provider edgeapplications. Now available with CiscoIOS Software, Supervisor Engine 32includes the policy feature card 3B(PFC3B) and Multilayer Switch FeatureCard 2A (MSFC2A), and supports twouplink options: the 8-port Gigabit EthernetSFP-based uplinks and 2-port 10 GigabitEthernet XENPAK-based uplinks. Supervi-sor Engine 32 provides architecture andfeature consistency with the Cisco Catalyst6500 Series Supervisor Engine 720, sup-porting all Catalyst 6500 Series classicmodules and CEF 256-based modules. cisco.com/packet/181_npd7

Security and VPNs

Cisco NAC Appliance

The Cisco NAC Appliance uses Cisco Clean Access technology to provide Network Admission Control (NAC) functions. The appliance allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines before allowing access to the network. The Cisco NAC Appliance integrates authentication, posture assessment, and remediation into a single device installed in a single rack unit. It extends NAC to all network access methods, including access through LANs, remote-access gateways, and wireless access points.
cisco.com/go/cca

Cisco Secure Access Control Server Version 4.0

Available in both appliance and software options, the Cisco Secure Access Control Server (ACS) products offer comprehensive, identity-based solutions for controlling network access. The Cisco Secure ACS version 4.0 software delivers many new capabilities, including a policy decision point for NAC deployments. This version also supports access by more devices and users than the previous version, enables profile-based access policies, and provides enhanced replication capabilities. Additionally, version 4.0 supports Cisco wireless LAN controllers and Cisco adaptive security appliances.
cisco.com/go/acs

Cisco Intrusion Prevention System Version 5.1

Among the numerous new features in the Cisco Intrusion Prevention System software version 5.1 is its ability to collaborate with edge routers and switches to preserve bandwidth through rate-limiting functionality. A single interface allows inline services on up to 255 virtual LANs across the network. Version 5.1 also provides a dedicated antivirus engine and inspection capabilities for Generic Routing Encapsulation (GRE) traffic, IP-in-IP traffic, and IPv6 traffic to detect and stop network attacks.
cisco.com/go/ips

Application Networking

Cisco 2600/2800/3600/3700/3800 Series Routers: Content Engine Network Module with WAFS Software

A content engine network module (NM-CE) with Cisco Wide Area File Services (WAFS) software installed is now available for Cisco access routers that are commonly deployed in branch offices. The WAFS software enables infrastructure consolidation, simplifies data management, and reduces costs by offering centrally managed file and print services for users in remote offices. The NM-CE module is available for the Cisco 2600, 3600, and 3700 Series multiservice routers, and the Cisco 2800 and 3800 Series Integrated Services Routers.
cisco.com/packet/181_npd8

CISCO SYSTEMS FIRST QUARTER 2006 PACKET 69

Reprinted with permission from Packet® magazine (Volume 18, No. 1), copyright © 2006 by Cisco Systems, Inc. All rights reserved.

NEW PRODUCT DISPATCHES

Storage Networking

Cisco Server Fabric Switch Portfolio

The Cisco Server Fabric Switch (SFS) product portfolio uses InfiniBand technology to create a high-performance, unified fabric for connecting servers into computing grids. The Cisco SFS 7000 Series InfiniBand Switch includes four models with up to 96 4X InfiniBand 10-Gbit/s or 20-Gbit/s full-duplex ports. The Cisco SFS 3000 Series Multifabric Server Switch supports up to 24 ports of 10 Gbit/s InfiniBand with up to 12 expansion modules. The Cisco InfiniBand Host Channel Adapter offers high-performance 10-Gbit/s InfiniBand connectivity to servers based on PCI-X or PCI-Express. Cisco VFrame Server Virtualization Software is a data center provisioning and orchestration product for utility computing.
cisco.com/go/servernetworking

Cisco MDS 9020 Fabric Switch

The Cisco MDS 9020 Fabric Switch supplies 20 ports of 4-Gbit/s connectivity for a storage-area network (SAN) based on Fibre Channel technology. Offering simplified deployment and administration, the Cisco MDS 9020 is well suited for small and midsized businesses, branch offices, and enterprise workgroup applications. Included with the Cisco MDS 9020, the Cisco Fabric Manager tool provides fabric-wide discovery and simplified SAN management. Product features include topology discovery, fabric configuration and verification, provisioning, monitoring, and fault resolution.
cisco.com/go/mds

Network Management

Cisco Performance Visibility Manager

The Cisco Performance Visibility Manager (PVM) software offers integrated, end-to-end visibility into the performance of network and application resources. Used with Cisco Network Analysis Modules (NAMs), Cisco PVM delivers capabilities for traffic analysis, monitoring of application response times and bandwidth usage, and proactive monitoring of other key network metrics. The product’s GUI simplifies troubleshooting, analysis, monitoring, and capacity planning. Suites of preconfigured reports present a comprehensive assessment of network and application performance.
cisco.com/go/pvm

Voice and Video

Cisco IP Phone 7900 Series: New Models

New models in the Cisco IP Phone portfolio offer choices for both high- and low-volume environments. The Cisco IP Phone 7961G-GE is a manager model, and the Cisco IP Phone 7941G-GE is a business model for users with high-volume phone traffic or users running bandwidth-intensive (Gigabit) applications on collocated PCs. The Cisco IP Phone 7961G-GE provides six programmable backlit line and feature buttons. The Cisco IP Phone 7941G-GE provides two buttons. The Cisco IP Phone 7911G supports cubicle, retail, classroom, and manufacturing users with low-volume call traffic. This single-line basic model includes four dynamic softkeys and options for inline or external power.
cisco.com/go/ipphones

Service Exchange Framework Products

The Cisco Service Exchange Framework includes several enhanced products for a service provider’s voice, video, and data offerings. Among these new versions, the Cisco Service Control Application release 3.0 delivers new features for creating and monitoring services, as well as enhanced security, scalability, and integration choices. The Cisco Call Session Control platform release 3.0 supports innovative services such as push-to-talk (PTT), presence-based communications, video telephony, and fixed mobile convergence. A new software version for the Cisco PGW 2200 Softswitch supports media gateway control functionality for the IP Multimedia Subsystem (IMS) architecture. The Cisco BTS 10200 Softswitch release 4.5 provides enhanced operational capabilities, subscriber-focused telephony features, new platform support, and IMS integration. For a related story, see page 61.
SCA: cisco.com/go/servicecontrol
CSCP, PGW, and BTS: cisco.com/go/sp-voice

Cisco IP Interoperability and Collaboration System

Cisco IP Interoperability and Collaboration Systems (IPICS) technology integrates PTT and other two-way radio systems with voice, video, and data devices. The Cisco IPICS Server software manages communications resources and provides authentication and security services, enforces user roles and policies, administers Push-to-Talk Management Center (PMC) clients, and collects audit information for training and operations management. The Cisco IPICS PMC client is a PC-based application that lets users monitor and participate in up to eight PTT channels simultaneously. Cisco IPICS is covered in greater detail on page 34.
cisco.com/go/ipics

Cisco IOS Software Metro Ethernet Enhancements

Selected releases of Cisco IOS Software now provide enhanced capabilities for Metro Ethernet deployments that use Cisco 12000 Series routers, Cisco 7600 Series routers, Cisco Catalyst 6500 Series switches, or Cisco Catalyst 3750 Metro Series switches. Among these enhancements is Hierarchical Virtual Private LAN Service (H-VPLS). VPLS is a multipoint, Layer 2 VPN technology that allows connection of multiple sites over a service provider-provisioned Multiprotocol Label Switching (MPLS) network. VPLS enables service providers to deliver popular new services such as multipoint Ethernet, Ethernet point-to-point Layer 2 VPN, and Ethernet access to Layer 3 VPNs. H-VPLS improves the scalability of VPLS by significantly reducing signaling overhead and packet replication requirements for the provider edge. Benefits derived from the new feature are simplified Layer 2 and Layer 3 access networks for multipoint transparent LAN services (TLS), the ability to integrate with an MPLS network, and improved scalability due to a tiered hierarchical approach.
cisco.com/packet/181_npd12

Networked Home

Linksys Wireless-G Broadband Router with SRX400

The Linksys Wireless-G Broadband Router with SRX400 (WRT54GX4) delivers a new generation of MIMO (Multiple Input, Multiple Output). When used with the new Linksys Wireless-G PC Card with SRX400 (WPC54GX4), this router supports faster throughput for home applications such as streaming content and voice over IP. The MIMO technology also reduces dead spots and increases range compared to traditional Wireless-G networks. The WRT54GX4 includes an Internet-sharing router, 4-port 10/100 Ethernet switch, and an enhanced Wireless-G Access Point.
cisco.com/packet/181_npd9

Linksys Wireless-G USB Adapter with Wi-Fi Finder

The Linksys Wireless-G USB Network Adapter and Wi-Fi Finder (WUSBF54G) is a pocket-sized device that gives users a wireless network scanner to locate hotspots and Wi-Fi connections. The WUSBF54G LCD screen displays a located network’s Service Set ID, signal strength, 802.11 mode, channel, and security. The WUSBF54G can then connect to the wireless network via the USB port and client software on the user’s notebook PC.
cisco.com/packet/181_npd10

Linksys Internet Telephony Kit

The Linksys Internet Telephony Kit (CIT200) enables users of the Internet-based Skype phone service to place and receive calls on a handset instead of a PC. The kit includes a cordless handset, charger, and a base station that connects to a USB port on the user’s PC. The base station handles communication between the handset and the Skype application on the PC. The handset also supports a variety of features for calling and messaging.
cisco.com/packet/181_npd11


ABOUT NEW PRODUCT DISPATCHES

Keeping up with Cisco’s myriad new products can be a challenge. To help readers stay informed, Packet magazine’s “New Product Dispatches” provide snapshots of the latest products released by Cisco between November 2005 and January 2006. For real-time announcements of the most recently released products, see “News Archive, News Releases by Date” at newsroom.cisco.com/dlls/.

ABOUT SOFTWARE: For the latest updates, versions, and releases of all Cisco software products—from IOS to management to wireless—registered Cisco.com users can visit the Software Center at cisco.com/kobayashi/sw-center/.


NETPRO EXPERT


Implementing and Troubleshooting IPSec Redundancy

The Networking Professionals Connection is an online gathering place for Cisco experts and networking colleagues. Following are excerpts from a recent Ask the Expert forum, “Implementing and Troubleshooting IPSec Redundancy,” moderated by Cisco’s Jazib Frahim. To view the full discussion, visit cisco.com/packet/181_10a1. To join other live online discussions, visit cisco.com/discuss/networking.

Q: Is it possible to use high availability and load balance without a routing protocol?

A: You do not have to use a routing protocol to use virtual tunnel interfaces (VTIs). Routing protocols such as Open Shortest Path First (OSPF) simplify manageability of the routes. Optionally, you can use static routes and point traffic over the tunnel interface.

Q: Referring to IPSec Virtual Tunnel Interface documentation at cisco.com/packet/181_10a2, how is the load balancing done?

A: You can load balance if you have two VTI tunnels defined. This is very similar to using the Generic Routing Encapsulation (GRE) tunnels.

Q: Is it possible to set up the two hub routers as active/active for IPSec traffic instead of active/standby?

A: You might be able to set up multiple Hot Standby Router Protocol (HSRP) groups on the inside and outside interfaces and then make one group active on Router 1 and the other group active on Router 2. You might need to do some policy routing to be able to force traffic to take one virtual IP (VIP) or the other.

Q: I have the following IPSec redundancy using different ISP scenario: Headquarters is connected to two different ISPs via two routers, namely ISP-A and ISP-B routers using different public IPs. Behind ISP-A and ISP-B is a Layer 3 switch running OSPF. The remote branch is forming an IPSec tunnel to the headquarters ISP-A and ISP-B using a Cisco PIX firewall. What is the recommended IPSec config for both sites? The setup from top to bottom is:

1. HQ network to L3 switch
2. L3 switch to ISP-A and ISP-B router
3a. ISP-A router to Internet
3b. ISP-B router to Internet
4. Internet to PIX
5. PIX to branch network

A: On the remote PIX firewall, you can have multiple set peer addresses in your crypto map. The PIX will try to connect with the first address and if it does not respond, it will try to connect to the other address. Additionally, you will need to run HSRP on the inside network to ensure that the preferred router becomes the active routing/VPN termination device.

Q: Referring to your advice on configuring “multiple set peer” on PIX, are both configs (a) and (b) below workable?

(a)
! One crypto map entry (sequence 10) carrying both peers; the map name
! is kept consistent as "mymap" on every line so the entries attach to it.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address acl
crypto map mymap 10 set peer ISP-A
crypto map mymap 10 set peer ISP-B
crypto map mymap 10 set transform-set trans

(b)
! Two separate entries (sequence 10 and 20) with one peer each, again
! with the map name kept consistent as "mymap".
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address acl
crypto map mymap 10 set peer ISP-A
crypto map mymap 10 set transform-set trans
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address acl
crypto map mymap 20 set peer ISP-B
crypto map mymap 20 set transform-set trans

How is the behavior of setting multiple peers for IPSec? PIX will peer to ISP-B if ISP-A fails. If the Security Association (SA) to ISP-B times out, will PIX peer to ISP-A or stick back to ISP-B? Assuming headquarters and branch can initiate an IPSec tunnel, how do I route the branch network from the Layer 3 switch to headquarters? Can I use Reverse Route Injection (RRI) at the ISP-A and ISP-B router?

A: The configuration in option (a) is correct. If the PIX is not able to connect to ISP-A, it will try ISP-B. If ISP-B is not available either, it will try ISP-A again, and so on. To route traffic from headquarters to branch, you can use HSRP on the inside and make your Layer 3 switch send traffic to the VIP. So, whichever ISP router is active will be responsible for establishing the tunnel.
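The hub side of the arrangement described in that answer (HSRP on the inside interface so the Layer 3 switch forwards branch-bound traffic to a single VIP, and a crypto map on each ISP router terminating the tunnel from the branch PIX) can be sketched in Cisco IOS configuration as follows. This is an added illustration, not a configuration posted in the forum or published by Cisco; the interface names, addresses, ACL name, placeholder key, HSRP priorities and keepalive timers are assumptions chosen for the example. It also adds one check the thread does not spell out: tracking the outside interface, so that HSRP moves the VIP to the other router when the ISP link drops, not only when the whole router fails.

```cisco
! ISP-A router (the preferred hub). The ISP-B router is configured the
! same way with its own public address, a lower HSRP priority (100) and
! its own next hop. All addresses here are made up for the example.
!
! --- ISAKMP / IPsec policy shared with the branch PIX ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Pre-shared key for the branch PIX public address (placeholder value)
crypto isakmp key REPLACE-WITH-STRONG-KEY address 198.51.100.10
! Dead peer detection: probe every 10 s, retry every 3 s, so an SA to a
! PIX that has failed over is torn down instead of black-holing traffic.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set trans esp-aes esp-sha-hmac
!
! Interesting traffic: HQ network (10.1.0.0/16) to branch (10.2.0.0/16)
ip access-list extended acl
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set trans
 match address acl
!
! --- Outside (ISP-A) interface: the PIX peers with this address ---
interface FastEthernet0/1
 description Link to ISP-A
 ip address 203.0.113.2 255.255.255.252
 crypto map mymap
!
! --- Inside interface: the HSRP VIP the Layer 3 switch routes to ---
interface FastEthernet0/0
 description Inside, toward L3 switch
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! If the ISP-A link goes down, drop our priority by 20 so the ISP-B
 ! router (priority 100) takes the VIP and becomes the VPN terminator.
 standby 1 track FastEthernet0/1 20
!
! Branch prefix leaves via the crypto-mapped interface; the L3 switch
! itself points 10.2.0.0/16 at the VIP 10.1.1.1.
ip route 10.2.0.0 255.255.0.0 203.0.113.1
```

Two operational points follow from this layout. First, the branch PIX with the option (a) crypto map keeps its SA with whichever hub address answered, so after an HSRP failover the stale SA must be detected (keepalives on both ends, or lifetime expiry) before the PIX walks its peer list again and lands on the now-active router. Second, without the `standby track` line the VIP would stay on ISP-A when only its Internet link failed, and the Layer 3 switch would keep sending branch traffic to a router that can no longer reach the PIX; tracking the outside interface is what makes "whichever ISP router is active" also the router that can actually build the tunnel.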

Do you have a question about IPSec redundancy? Ask the NetPro Expert. Send your question to [email protected], with the subject line “Implementing and Troubleshooting IPSec Redundancy.”

JAZIB FRAHIM is a senior network security engineer for worldwide security services practices in Cisco’s Advanced Services for Network Security group. He can be reached at [email protected].


Intel, Continued from page 45

Bar-El compares the Layer 3 fast secure roaming capabilities in LWAPP to a post-office change-of-address service. “Mail addressed to your old address [analogous to the original access point the client associated with] isn’t actually sent there,” he says. “Instead, the post office [analogous to the controller] automatically forwards the mail to the most recent address on record.” Thus, all traffic is directed to the Cisco Aironet access point to which the client is currently associated and on to the Cisco wireless LAN controller.

Measuring Success

The Intel wireless team is currently performing packet level studies of wired and primary wireless network performance to measure and validate that wireless performance is comparable to wired. A report is due out early 2006 and will provide performance proof points.

Network performance reporting will continue throughout 2006 and primary wireless ROI analysis will be added to strike a balance of technical and business proof points. Primary wireless ROI estimated reductions: network capital costs are expected to drop by 40 to 50 percent, and operational costs by 20 to 30 percent. Another factor is an estimated US$25 yearly savings per employee for moves, adds, and changes for both voice and data services. “We’re also introducing an improved methodology to maintain an integrated network, which will further reduce support requirements across the entire environment,” says Stump.

Intel expects even more productivity gains when it introduces voice over wireless this year. “Employees will be able to establish a virtual office anywhere on the campus, resulting in more spontaneous collaboration, faster decision-making and action, and increased productivity,” says Jim Johnson, vice president and general manager of Intel’s Handheld Platform Group.

Intelligent Networks Rely Upon Intelligent Clients

Wireless manageability and usability depend upon intelligent networks that connect to intelligent clients. Intel IT has found that primary wireless requires intelligence in the clients to deliver end-to-end performance. “Employees expect their notebooks, PDAs, and smartphones to easily connect to the mobile infrastructure and onto the service,” says Johnson.

More Consistent Than the LAN

The Intel Jones Farm deployment demonstrates that wireless networking can be pervasively deployed to support business-critical applications and advanced wireless services such as voice. The proof is in the uptake. “Originally, employees preferred the LAN because the quality and stability of the WLAN was inconsistent,” says Stump. “Now they prefer the WLAN because the user experience has been made consistent, simple—and with mobility—ubiquitous.”

EIGRP, Continued from page 17

B examines its local tables and finds that the only path it has to 10.1.1.0/24 is through A directly. Because D is advertising itself as a stub router, B has no reason to query D for an alternate path to 10.1.1.0/24.

Router A receives this reply from B, marks this route as unreachable, and removes it from the local routing table.

If the steps look familiar, they should; multiple router sites configured as stubs are treated the same as a remote site with a single router configured as a stub.

◆ ◆ ◆

If you’re counting neighbors to get to sleep, and you’ve designed the network correctly, you can count high enough to overcome almost any insomnia issues. Not only will the neighbor count be high enough to lull you to sleep, you’ll rest easier knowing your network is designed to withstand just about anything. The key is to limit the information that EIGRP advertises to each remote site, and to configure the remote sites as EIGRP stubs. In the future, newer EIGRP features will be introduced to increase scaling even further than the neighbor counts discussed in this article.

PACKET ADVERTISER INDEX

ADVERTISER URL PAGE

ADC - The Broadband Company www.adc.com/truenet D

AdTran www.adtran.com/info/wanemulation 2

Aladdin Knowledge Systems www.Aladdin.com/Cisco IFC

Boson Software www.boson.com/p16 A

Cisco Marketplace www.cisco.com/go/marketplace/packetdvd 4

Cisco Press www.ciscopress.com B

Cisco Systems www.cisco.com/poweredby 42

Citrix www.citrix.com/cisco 52

Colt www.colt.net 32

eIQnetworks www.eiqnetworks.com/cisco 20

Empirix www.empirix.com/cisco 12

Energis www.energis.com 64

Funk Software www.funk.com/cisco 70

Hong Kong Broadband Network www.hkbn.net 26

IPcelerate www.ipcelerate.com 10/56

Network General www.networkgeneral.com/cisco4 60

OPNET Technologies www.opnet.com 18

Panduit www.panduit.com/dp38 IBC

Solsoft www.solsoft.com/packet2 14

Spanlink Communications www.spanlink.com 6

Spirent Communications www.spirentcom.com/go/securitytest 50

Statseeker www.statseeker.com F

Trend Micro www.trendmicro.com/cisco 46/47

Websense www.websense.com/security OBC


CACHE FILE: Snippets of Wisdom from Out on the Net

China’s Skyrocketing Broadband Usage

While the US currently has the highest number of broadband subscribers in the world, with 46.9 million subscribers, a Computer Industry Almanac report says China could surpass the US in broadband users in the next few years. Subscribers to broadband services worldwide are projected to exceed 500 million by 2010. South Korea leads in broadband subscribers per capita.

E-Paper’s Killer Application?

Electronics maker Siemens is readying a paper-thin electronic-display technology so cheap it could replace conventional labels on disposable packaging. In less than two years, Siemens says, the technology could transform consumer-goods packaging from the fixed, ink-printed images of today to a digital medium of flashing graphics and text that displays prices, special offers, or alluring photos, all blinking on miniature flat screens. [wired.com]

Small Shops Get Up to Speed but Still Like Phones

Switching from dialup to broadband Internet access improves productivity and efficiency in small organizations, but the telephone is the dominant business tool, according to a joint report from Covad Communications and Sprint, and conducted by Equation Research. The survey of nearly 500 representatives of US companies with fewer than 100 employees found that respondents spent more time online than they did on the phone, yet more than half chose the telephone as the tool their business could not function without. Telephones are the primary communication tool for small businesses, while the Internet is viewed as an information resource. [clickz.com]

Net Lingo

Alpha Geek—The most knowledgeable, technically proficient person in an office or work group. [whatis.com]

Consumers’ Privacy Fears Continue to Escalate

Personalization remains something most consumers want, though their privacy fears continue to escalate. According to the second annual personalization study conducted by personalization vendor Choicestream, 80 percent of consumers in a 2005 survey were interested in receiving personalized content. Despite the fact that users want more personalization and would buy more if they could get more personalized content, they’re not willing to share as much personal information as they once were. Respondents indicated decreasing willingness to share preference (59 percent in 2005 compared to 65 percent in 2004) and demographic information (46 percent in 2005 compared to 57 percent in 2004) to receive personalized content. [clickz.com]

THE 5TH WAVE

©The 5th Wave, www.the5thwave.com

CYBER QUOTE

“Where a calculator on the ENIAC is equipped with 18,000 vacuum tubes and weighs 30 tons, computers in the future may have only 1,000 vacuum tubes and weigh 1.5 tons.”

—Popular Mechanics, March 1949

“Why can’t you just bring your iPod like everyone else?”
