Saturday, 22 February 2014
Cisco migration document: LAN Baseline Architecture Branch Office (docx)
5
LAN Baseline Architecture Branch Office Network Reference Design Guide
OL-11332-01
Branch LAN Design Options
• Does not support Switched Virtual Interfaces (SVIs)
• Cannot be channeled with other 10/100/1000 integrated interfaces on the ISR
• Can be used as a trunk for multiple VLANs (different L3 subnet)
• Redundant links to the distribution with static and dynamic routing
The HWIC Ethernet interface is not recommended in a multi-layered architecture for the following
reasons:
• No support for channeling
• Supports only 10/100 interfaces which cannot be used for uplinks
The third option shown in Figure 1 uses an integrated network module, or an integrated EtherSwitch
Services Module. Table 1 provides a brief description of the capabilities of both the network modules.
Note The services module comes in various form factors with and without stacking capability.
NME-16ES-1G-P is one example of services module.
Because of the support of 802.1s/w on the services module and other advanced features, it is the
preferred module because it provides multiple options of connectivity without compromising high
availability and scalability.
Details concerning the options of integrating the access or distribution are provided in later sections.
Branch LAN Design Options
Based on the number of users in the branch, three design models can be used, each of which offers a
certain amount of scalability. The choice of model is affected by requirements such as high availability,
because some of the interfaces on the edge router do not support EtherChannels. If a server farm must
be supported in the branch, the design must provide the port density required to connect the small server
farm and to meet the additional DMZ requirements. High availability, scalability, and advanced services
add to the cost of the infrastructure. Layer 2 and Layer 3 switches do provide some alternatives in which
software images can be used to keep the cost low while still providing high availability and scalability.
Also, the infrastructure can be reused to migrate to advanced services if required without having to
redesign.

Table 1 Comparison of Two Network Modules

NM-16ESW Network Module
• 10/100 internal interface to the ISR
• Does not support 802.1s/w
• Supports SVIs and channels
• Can be integrated at Layer 2 or Layer 3 with the internal interface
• 802.1x CLI is not consistent with Cisco Catalyst switches
• Advanced QoS features of Cisco Catalyst 3750/3560 are not supported
• Cannot be stacked with external Catalyst 3750 switches

EtherSwitch Services Module (NME-16ES-1G-P)
• 10/100/1000 internal interface to the ISR
• Supports 802.1s/w
• Supports SVIs and channels
• Can be integrated at Layer 2 or Layer 3 with the internal interface
• 802.1x CLI is consistent with Cisco Catalyst switches
• Advanced QoS features of Cisco Catalyst 3750/3560 are supported
• Can be stacked with external Cisco Catalyst 3750 switches
Another consideration for the LAN design is the oversubscription at the access layer. Erlang suggests an
oversubscription ratio of 3:1 for voice over IP (VoIP). For data networks, no rule dictates how data
networks can be efficiently oversubscribed. Oversubscription ratios really depend on the end user
utilization (applications being used). Studies done by the industry and academic institutions suggest that
the network is highly underutilized at the edge of the network. The bursty nature of the data traffic and
the underutilization of the Ethernet suggest that networks can be oversubscribed intelligently. Queuing
and scheduling mechanisms in the end devices can be effectively used to handle congestion at the edge
of the network, and at the access layer in the case of the branch and campus network. For more
information, see the following URL:
http://www.cisco.com/en/US/partner/products/hw/switches/ps5206/products_configuration_guide_chapter09186a008039ed19.html#wp1284809
The oversubscription requirements can be different if a server farm must be supported at the branch
office. Typically, the server farm has better utilization of the Ethernet bandwidth, and lower
oversubscription ratios are recommended. Again, no predefined ratios can be used in such cases. The
oversubscription depends on the applications and the traffic to and from the server farm.
Manageability of the branch network should be simple enough to deploy and maintain. The architecture
should enable the management of the networks and yet meet all the design criteria.
The requirements are different for different-sized branch offices. Based on the discussions above, the
following lists the basis for LAN design at the branches:
• Number of users
• Cost
• High availability
• Scalability
• Security
• Server farms and DMZ requirements
• Management
The number of users supported is really limited by the physical number of ports available. Besides the
scalability considerations, the high availability requirements point to various design models as well.
Based on the number of users, the branch office is categorized as follows.
• Small office—Up to 50 users
• Medium office—Between 50 and 100 users
• Large office—Between 100 and 200 users
Based on this classification, the various design models are described in the following sections. High
availability, scalability, and migration to advanced services requirements also influence the model
adopted.
Small Office Design
Figure 2 provides two models that can be used for a small office design to support up to 50 users. The
first option, called a trunked topology, uses the integrated network interface on the Cisco ISR. There is
no link redundancy between the access switch and the ISR. The second option, called the EtherChannel
topology, uses a network module-based switch on the ISR to provide link redundancy to the access layer.
Note that the second option uses the Cisco 2811 ISR. If redundant links and higher bandwidth uplinks
are required, only the second option can be used.
Figure 2 Small Office Design
The Cisco 2801 ISR has a fixed configuration from an Ethernet connectivity perspective. The Cisco 2811
has several options that can be used in various ways. Table 2 summarizes the characteristics of the Fast
Ethernet interfaces of the 2801 and 2811. The choice of the edge router also depends on the voice and
VPN considerations which are not discussed in this document.
[Figure 2 diagram. Left, "With Integrated Network Interface on ISR": ISR at the edge (2801/2811), edge
layer, with 10/100 interfaces used as L3 trunks to two 24-port access switches (29xx, 3560 or 3550).
Right, "With Network Module Based Switch on ISR": ISR at the edge (2821 as labeled in the figure), with
10/100 EtherChannels terminating on SVIs, to two 24-port access switches (29xx, 3560 or 3550).]
The difference between a Cisco 2801 and a Cisco 2811 from a LAN perspective is the support of a slot for
a network module, as shown in Table 2. Figure 3 shows a logical diagram for the topologies.

Table 2 Ethernet Interfaces of Cisco 2801 and Cisco 2811

Cisco 2801
• Two integrated 10/100 interfaces
• Supports Layer 3 dot1q trunk
• No SVIs supported
• No EtherChannels supported

Cisco 2811
• Two integrated 10/100 interfaces
• Supports Layer 3 dot1q trunk
• No SVIs supported on integrated interfaces
• Supports Ethernet HWIC module with the following characteristics:
  • 10/100 interfaces
  • No EtherChannel support
  • Supports SVIs
  • Single Fast Ethernet connects the HWIC module with the router internally
• Supports a slot for a network module:
  • 16-port Ethernet switch module with support for SVIs and EtherChannels
  • Single Fast Ethernet connects the network module with the router
  • IDS module
• Supports a network module with the following characteristics:
  • 10/100 or 1000 depending on the type of network module used
  • Provides EtherChannel support
  • Ethernet switch with support for SVIs and EtherChannels
  • Single Gigabit Ethernet connects the network module with the router internally
  • Supports only 802.1D Spanning Tree
Figure 3 Logical Topologies Diagram
The access switch supports Layer 2 services, and the Cisco ISR provides Layer 3 services. In both cases,
the default gateway is on the ISR. With a 24-port access switch, this model supports up to 24 users per
access switch. If PoE is desired for all the users on the access switch, see the product documentation to
find out whether PoE is supported on all the ports of the access switch.
To keep the manageability simple, there are no loops in the topology. In option (2) for small office
design, where the network module-based Ethernet switch is used, redundancy can be provided by
EtherChannels. The switch icon represents the network module, as shown in option (2) of Figure 3. The
ISR provides Layer 3 services such as DHCP, firewall, and NAT. As shown in Table 2, the connectivity
between Ethernet network module and the ISR is via Fast Ethernet.
The Layer 2 domain requires a spanning tree protocol. Note that there are no Layer 2 loops in this design,
and that spanning tree must be enabled and configured to protect the network from any accidental loops.
The recommended spanning tree protocol is Rapid PVST+ for all Layer 2 deployments in a branch office
environment. In the current topology (option 2 in Figure 3), the network module-based Ethernet switch
in the ISR is configured as the primary root. If the primary root fails, there is no redundant path for the
traffic. ISR high availability is currently being investigated, and the design guidance will be provided in
the near future. The complexity arises because of the CallManager Express and Cisco Unity Express on
the ISR. Note also that in this topology, the network module-based Ethernet switch in the ISR does not
support enhanced spanning tree protocol. However, the EtherSwitch Services Module supports enhanced
spanning tree protocol in the network module, and the design details are covered in the Large Branch
Office Design section of this guide. The Ethernet Switch Module (NM-16ESW) running 802.1D
spanning tree interoperates with the access switches running enhanced spanning tree. The spanning tree
configuration details are provided in a later section of this guide.
The traffic between access switch and the ISR is not load balanced on a per-packet basis. Rather, the load
balancing is done based on the source or destination MAC address. Packets originating from a specific
address always use the same link of the channel at all times. The switch provides a choice of source or
destination address to be used for load balancing. Cisco recommends using the source MAC address for
traffic originating from the access switch, and to use the destination MAC address for traffic originating
from the ISR.
The default gateways for the clients are configured on the ISRs. There is a default gateway for each
VLAN configured in the topology. All the Layer 3 configurations are done on the ISR. The access
switches must be configured with an IP address for management purposes.
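The EtherChannel topology (option 2) described above, written out as an added configuration example; it is not
part of the original guide. A Cisco 2811 carries the NM-16ESW in slot 1 (its ports appear as FastEthernet1/0
through 1/15); the module terminates a two-link trunked EtherChannel from a Catalyst 3560 access switch, holds
the data and voice SVIs that act as default gateways, and is forced to win the 802.1D root election. The access
switch runs Rapid PVST+ at default priority, hashes on source MAC toward the ISR while the module hashes on
destination MAC, and the ISR serves DHCP. VLAN numbers (10 data, 20 voice), addresses in 10.1.10.0/24 and
10.1.20.0/24, the slot number and the management address are assumptions. The VLAN database mode,
spanning-tree priority and port-channel load-balance commands on the module are shown with the Catalyst-style
syntax of the 16ESW family and should be confirmed against the module's own software release. BPDU Guard on
user ports and disabling DTP on the channel members are hardening added here, in line with the guide's point
that spanning tree must protect against accidental loops.

```ios
! ===== Cisco 2811 with NM-16ESW in slot 1 (ISR side) =====
! VLANs 10 (data) and 20 (voice) must exist on the module. The 16ESW
! family creates them in VLAN database mode (assumed here).
vlan database
 vlan 10 name DATA
 vlan 20 name VOICE
 exit
!
! Make the module the 802.1D root for both VLANs (lowest priority wins)
! so that an access switch can never become root.
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
!
! ISR -> access direction: hash on destination MAC (Catalyst syntax,
! assumed available on the module).
port-channel load-balance dst-mac
!
interface Port-channel1
 description Trunked EtherChannel to ACCESS-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface FastEthernet1/0
 description Member link 1 to ACCESS-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode on
!
interface FastEthernet1/1
 description Member link 2 to ACCESS-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode on
!
! SVIs are the default gateways; all Layer 3 configuration stays on the ISR.
interface Vlan10
 description DATA default gateway
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 description VOICE default gateway
 ip address 10.1.20.1 255.255.255.0
!
ip dhcp excluded-address 10.1.10.1 10.1.10.9
ip dhcp excluded-address 10.1.20.1 10.1.20.9
ip dhcp pool DATA
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.1
ip dhcp pool VOICE
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.1

! ===== Catalyst 3560 access switch ACCESS-1 =====
! Rapid PVST+ at default priority: it interoperates with the module's
! 802.1D and leaves the module as root.
spanning-tree mode rapid-pvst
!
! Access -> ISR direction: hash on source MAC.
port-channel load-balance src-mac
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
interface Port-channel1
 description Trunked EtherChannel to ISR NM-16ESW
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range GigabitEthernet0/1 - 2
 description Member links to ISR NM-16ESW
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 channel-group 1 mode on
!
! User ports: data plus voice VLAN, PortFast, and BPDU Guard so that a
! switch plugged into a user port is shut down rather than bridged in.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management address only; the access switch does no routing.
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
ip default-gateway 10.1.10.1
```

After both sides are applied, "show etherchannel summary" on the access switch should list Po1 with both
members flagged as bundled, and "show spanning-tree vlan 10" should report the module's bridge ID as root with
Po1 as the root port.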
[Figure 3 diagram. (1) Trunked topology, "With Integrated Network Interface on ISR": the ISR at the edge
provides L3, the access switch provides L2, and a single dot1q trunk carries the Data VLAN and Voice VLAN.
(2) EtherChannel topology, "With Network Module Based Switch on ISR": a 2811 with the network
module-based switch provides L3, and a trunked EtherChannel to the access switch carries the Data VLAN
and Voice VLAN. In both, the edge is L3 and the access layer is L2.]
Scalability and High Availability
From a scalability perspective, the number of switches that can be deployed for end user connectivity is
limited in option 1. With option 2, more access switches can be connected to the network module-based
Ethernet switch. Scalability requirements to some extent are also met with this design.
The EtherChannels between the access switch and the switch module in the ISR supports high
availability in relation to link failure, as well as load balancing the EtherChannel traffic.
Note The access switches cannot be connected to multiple network modules. Failure of the network module
implies that there is no redundant path for the end users.
Another possible failure, although rare, is the internal link between the ISR and the network module.
Because this link is an internal bus, its status is reported as up even when the interface has failed or is
passing traffic in only one direction, so the fault is not detected by link state. Under such
circumstances, there is no redundant path in the small office design.
Note For more information, see Large Office Design, page 13, which describes a redundant path in such
failure scenarios using EtherSwitch Services Modules.
Security and Manageability
Although 802.1x is supported on the network modules, its CLI is not consistent with that of the Cisco
Catalyst access switches. Cisco therefore recommends using the network modules for redundancy and
scalability (aggregating the access switches) and applying 802.1x at the access layer. Among the modules,
Layer 2 security features are supported only on the Cisco EtherSwitch Services Module. To be able to scale
and to incorporate Layer 2 security into a branch LAN design, Cisco recommends an access layer built on
Cisco Catalyst switches.
In addition to the security features, the Cisco EtherSwitch Services Module also supports 802.1s/w. The
access layer switches, when used with the EtherSwitch Service Module, provide quick Layer 2
convergence if Layer 2 loops are present in the topology.
Note When the network grows, it might be necessary to move to a large-scale model, where 802.1s/w becomes
important.
From a manageability standpoint, it is fairly straightforward to manage all the topologies. Having Cisco
EtherSwitch Service Modules in the ISR provides additional benefits as discussed in the Large Office
Design section.
Medium Office Design
The medium office topology is similar to the small office topology except that the edge router used is
either a Cisco 2821 or Cisco 2851. Similar concepts are used for the design. Both the 2821 and 2851
support two integrated 10/100/1000 interfaces, which are native Layer 3 interfaces. Both the 2821 and
2851 support one slot for a network module. To scale up to 100 users, the following options are available:
• Use higher port density access switch (48 port)
• Use the network module that supports up to 16 ports, and use EtherChannels to connect to the access
switches
Although the 48-port access switch supports the required GigE interfaces, see the product documentation
for inline power considerations. To scale up to 100 users, the second option provides the required
scalability, in addition to providing high availability (link redundancy).
Note Only the Cisco 2851 supports the high-density 36-port network module. The Cisco 2821 supports only
the 16-port network module.
Figure 4 shows the first of the two topologies that fit the medium office design.
Figure 4 Medium Office Design (Trunked Topology)
This topology uses the integrated 10/100/1000 interfaces as Layer 3 trunks. The 10/100/1000 interface
provides the flexibility to use various access switches. The stackable Cisco Catalyst 3750 with a standard
image or an IP base image can be used as the access switch to support 24/48 users per switch. Support
for the number of users needing PoE depends on what is supported on the access switch. With two
switches and 24 users per switch, the design can easily meet the medium office requirements. The users
are grouped into two different subnets. As shown in Figure 4, there is always the option of using different
access switches. To be able to meet the medium office requirements, using a stackable switch on two
different 10/100/1000 interfaces is a good approach. The Catalyst 3750 supports all the access features
that are available and is a good fit for a medium-sized office.
The default gateways for voice and data reside on two different dot1q sub-interfaces. Also with this
model, the users coming in through a different access switch also reside on a different subnet on the
second 10/100/1000 interface. With route summarization at the edge in mind, data and voice IP
addressing can be subnetted to be contiguous on the two physical interfaces of the edge router.
There is no Layer 2 switch on the edge router, and there are also no loops in the topology. With this
topology, there is no need to configure a Layer 2 topology. By default, spanning tree is enabled on all
access switches, but there is no spanning tree configuration involved. However, it is important to follow
a consistent access switch configuration so that if in the future a network module-based EtherSwitch is
used in the edge router, only the EtherSwitch in the edge router needs to be configured as the root bridge.
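The trunked medium office topology above, as an added configuration example that is not part of the original
guide. A Cisco 2821 uses both integrated 10/100/1000 interfaces as Layer 3 dot1q trunks, with one data and one
voice subinterface on each serving as default gateways; the four subnets are laid out contiguously so they
summarize to a single /22 at the WAN edge. A Catalyst 3750 access switch runs Rapid PVST+ at defaults with no
root configuration, matching the guide's advice to keep a consistent access configuration in case an EtherSwitch
module is later made root. VLAN numbers, the 10.2.0.0/22 addressing, the EIGRP process (the guide names no
routing protocol), the Serial0/0/0 WAN interface and the TFTP address in DHCP option 150 are all assumptions.

```ios
! ===== Cisco 2821: integrated Gi0/0 and Gi0/1 as Layer 3 dot1q trunks =====
! Addressing is chosen so the four subnets collapse to 10.2.0.0/22:
!   Gi0/0  data 10.2.0.0/24 (VLAN 10)  voice 10.2.1.0/24 (VLAN 20)
!   Gi0/1  data 10.2.2.0/24 (VLAN 30)  voice 10.2.3.0/24 (VLAN 40)
interface GigabitEthernet0/0
 description Trunk to ACCESS-1
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 description ACCESS-1 data default gateway
 encapsulation dot1Q 10
 ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/0.20
 description ACCESS-1 voice default gateway
 encapsulation dot1Q 20
 ip address 10.2.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Trunk to ACCESS-2
 no ip address
 no shutdown
interface GigabitEthernet0/1.30
 description ACCESS-2 data default gateway
 encapsulation dot1Q 30
 ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1.40
 description ACCESS-2 voice default gateway
 encapsulation dot1Q 40
 ip address 10.2.3.1 255.255.255.0
!
! One DHCP pool per subnet; option 150 hands phones the TFTP server.
ip dhcp excluded-address 10.2.0.1 10.2.0.9
ip dhcp excluded-address 10.2.1.1 10.2.1.9
ip dhcp pool ACCESS1-DATA
 network 10.2.0.0 255.255.255.0
 default-router 10.2.0.1
ip dhcp pool ACCESS1-VOICE
 network 10.2.1.0 255.255.255.0
 default-router 10.2.1.1
 option 150 ip 10.2.0.5
! (pools for 10.2.2.0/24 and 10.2.3.0/24 follow the same pattern)
!
! Advertise one summary toward the WAN instead of four /24s.
router eigrp 100
 network 10.2.0.0 0.0.3.255
 network 192.0.2.0 0.0.0.3
 no auto-summary
interface Serial0/0/0
 description WAN
 ip address 192.0.2.1 255.255.255.252
 ip summary-address eigrp 100 10.2.0.0 255.255.252.0

! ===== Catalyst 3750 access switch ACCESS-1 (ACCESS-2 is the same with VLANs 30/40) =====
! Rapid PVST+ with default priorities: nothing to tune while the ISR has
! no Layer 2 switch, and the same baseline lets a later EtherSwitch module
! be made root without touching the access switches.
spanning-tree mode rapid-pvst
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
interface GigabitEthernet1/0/1
 description dot1q trunk to ISR Gi0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface range FastEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management address only; the access switch does no routing.
interface Vlan10
 ip address 10.2.0.2 255.255.255.0
ip default-gateway 10.2.0.1
```

Because each trunk carries a disjoint VLAN set and the ISR does not bridge between them, there is no Layer 2
path between the two access switches and therefore nothing for spanning tree to block; "show ip route" on a
WAN neighbor should show only 10.2.0.0/22 from this branch.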
[Figure 4 diagram, "Logical Diagram With Integrated Network Interface on ISR": ISR at the edge (labeled
2801/2811) with two 10/100/1000 interfaces used as L3 trunks, default gateways on the ISR; on each trunk
an L2 access switch (29xx, 3560 or 3550 with 24/48 ports, or a 3750 stackable) carries its own Data VLAN
and Voice VLAN.]
Figure 5 shows the second option.
Figure 5 Topology for Medium Office Design (EtherChannel Topology)
This topology is similar to the small office design. In this topology, there is no need to subnet the traffic
from different access switches. One default gateway for the data VLAN and one default gateway for the
voice VLAN is all that is needed for this topology.
To be able to support the required number of users, the network module-based Ethernet switch becomes
a bottleneck because the switch connects to the ISR CPU by a single 10/100 connection. Although this
topology supports trunking and high availability from link failures, the bandwidth limitation between the
network module switch and the ISR is a concern. Until the bandwidth limitation is relieved, this topology
is not recommended with the existing 16-port network module. In addition to the bandwidth limitation,
there is the loss of a slot that could have been used for intrusion detection.
With the topology in Figure 5, the network module-based Ethernet switch has to be configured as the
root bridge. Although there are no Layer 2 loops, turning spanning tree on provides protection against
accidental loops. The Layer 2 recommendations are similar to those for the small office design. The
NM-16ESW and NM-36ESW do not support Rapid Spanning Tree Protocol, so the EtherSwitch in the edge
router must run 802.1D Spanning Tree Protocol, and the edge router CPU is involved in spanning tree
processing. The access switches can run Rapid Spanning Tree, which interoperates with 802.1D on the
edge router. The edge router is the spanning tree root.
Scalability and High Availability
This design is almost identical to the small branch office. Deploying an integrated switch in ISR helps
to achieve high availability and scalability. Access layer switches have to be used to scale up to the
required number of users. As noted in the previous section, high availability is limited to link failures.
Device failure (integrated switch failure) isolates a segment of the users. However, if high availability is
one of the primary concerns, a model described in Large Office Design, page 13 can be used.
[Figure 5 diagram, "Logical Diagram With Network Module Based Switch on ISR": ISR at the edge (2821 and
above) with a network module-based switch; 10/100 trunked EtherChannels (SVIs on the module) to two
24-port L2 access switches (29xx, 3560 or 3550), each carrying a Data VLAN and a Voice VLAN; the Voice
VLAN default gateway and the Data VLAN default gateway are on the module.]
Security and Manageability
The discussion for the small branch office design applies also to the medium branch office design.
Deploying the access layer switches helps in achieving a uniform perimeter design for the branch office
design.
Large Office Design
A large office design is one step closer to a campus design. In addition to supporting more users, a large
office might also need higher LAN switching capability if supporting a server farm (DMZ). Support for
some of these services requires the use of appliance devices if higher throughput is required. To meet
these requirements, a distribution layer is added to the small office or medium office topology by
introducing a Layer 2/Layer 3 switch to provide the required LAN switching capabilities, port density,
and flexibility to support additional appliances.
There are the following two options:
• Conventional design using external switches for the distribution layer
• Integrated routing and switching using integrated switching for the distribution layer
Conventional Design
Figure 6 shows a large office LAN topology. In this topology, a stackable switch (Cisco Catalyst 3750)
is shown. The stackable distribution switch can be replaced by a Cisco Catalyst 4500 switch.
Figure 6 Large Office Network Topology
[Figure 6 diagram: ISR at the edge (3825/3845) with 10/100/1000 interfaces to a distribution layer of two
stacked switches (Si); access layer of 24/48-port access switches (29xx, 3560 or 3550).]

This LAN topology is highly available, scalable, and manageable. High availability requirements are met
because link redundancy and device redundancy are built into the design. As shown in Figure 6, the
EtherChannel is across the stack, which provides redundancy for link as well as stack-switch failure. When
the solution was tested, the only support available was EtherChannel for cross-stack switches. For high
availability between the distribution and the edge layers, only redundant links can be used with both the
IP base image and the enhanced image. With the enhanced image, per-packet load balancing can also be
configured. With the IP base image, two default routes can be configured with different metrics on the
distribution layer.
This design meets the scalability requirements as well. The port density of the stacked switches allows
a number of access switches to be connected without compromising high availability. The distribution
switch capacity can be increased by adding additional switches to the stack if required.
The distribution switches can run either the standard/base image with static routing, or the enhanced
image, which supports more features including the dynamic routing protocols. With the standard image,
some of the advanced features such as PVLANs, policy-based routing, and dynamic routing protocols are not
available. With this design, it is possible to add advanced services later by loading an enhanced image on
the distribution switch.
To achieve high availability with a chassis-based solution (Cisco Catalyst 4500), a redundant supervisor
and redundant power supply must be deployed. The chassis-based solution is not described in this
document.
Figure 7 provides a logical view of a large branch office topology. The Layer 2 traffic for all VLANs
terminates at the distribution layer. The distribution layer must run both Layer 2 and Layer 3 protocols.
Layer 2 protocols provide connectivity to the access layer and Layer 3 provides connectivity to the
distribution layer.
Figure 7 Logical Diagram of a Large Branch Office Topology
The distribution layer and the access layer switches run RSTP, with the distribution layer as the root
bridge. Again, because RSTP is used, there is no need to enable UplinkFast and BackboneFast. In addition
to RSTP, further features that protect against loops are enabled on the distribution and the access layers.
For instance, Root Guard can be enabled on the access-facing ports of the distribution switch so that no
other switch can claim the root role.
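The conventional large office design above, as an added configuration example that is not part of the original
guide. A two-member Catalyst 3750 distribution stack running the IP base image is the Rapid PVST+ root and holds
the VLAN default gateways; a cross-stack EtherChannel with Root Guard connects one access switch; two routed
uplinks, one per stack member, go to two ISR interfaces, and two static default routes with different
administrative distances give the failover the text describes for the IP base image. VLAN numbers, the 10.3.0.0/16
addressing and the 3845 interface names are assumptions. One caveat the static-route design carries: the backup
route is installed only when the primary uplink interface actually goes down; an upstream fault that leaves the
link up is not detected, which is the case for preferring the enhanced image and a routing protocol where the
budget allows.

```ios
! ===== Catalyst 3750 distribution stack (two members), IP base image =====
ip routing
!
! Rapid PVST+ with the stack as root for every access VLAN; UplinkFast
! and BackboneFast are unnecessary with RSTP.
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
! The Layer 2 domain ends here: the VLAN default gateways are on the stack.
interface Vlan10
 description DATA default gateway
 ip address 10.3.10.1 255.255.255.0
interface Vlan20
 description VOICE default gateway
 ip address 10.3.20.1 255.255.255.0
!
! Cross-stack EtherChannel to ACCESS-1: one member link on each stack
! member, so neither a link nor a single stack-member failure isolates it.
! Root Guard on the channel: if ACCESS-1 ever sends a superior BPDU the
! port goes root-inconsistent instead of handing over the root role.
interface Port-channel1
 description Trunk to ACCESS-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description Member links to ACCESS-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode on
!
! Two routed uplinks, one per stack member, to the two ISR interfaces.
interface GigabitEthernet1/0/24
 description Routed uplink to ISR Gi0/0
 no switchport
 ip address 10.3.255.2 255.255.255.252
interface GigabitEthernet2/0/24
 description Routed uplink to ISR Gi0/1
 no switchport
 ip address 10.3.255.6 255.255.255.252
!
! Two default routes with different administrative distances (the
! "metrics" in the text). The second is installed only when the first
! uplink goes down and its connected next hop disappears.
ip route 0.0.0.0 0.0.0.0 10.3.255.1
ip route 0.0.0.0 0.0.0.0 10.3.255.5 10

! ===== Cisco 3845 ISR at the edge =====
interface GigabitEthernet0/0
 description Routed link to distribution stack member 1
 ip address 10.3.255.1 255.255.255.252
interface GigabitEthernet0/1
 description Routed link to distribution stack member 2
 ip address 10.3.255.5 255.255.255.252
!
! Return path to the access subnets over either link, same failover logic.
ip route 10.3.0.0 255.255.0.0 10.3.255.2
ip route 10.3.0.0 255.255.0.0 10.3.255.6 10
```

To confirm the protections, "show spanning-tree inconsistentports" on the stack should be empty in normal
operation and list Po1 as root-inconsistent if the access switch is deliberately given priority 0 during a test;
shutting Gi1/0/24 should make "show ip route" switch the default to 10.3.255.5 within a second.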
[Figure 7 diagram: ISR at the edge (3825/3845) connected over Layer 3 10/100/1000 interfaces to the
distribution layer (two Si switches), which holds the Data VLAN and Voice VLAN default gateways; Layer 2
(Rapid PVST+) from the distribution to the access switches (29xx, 3560 or 3750), each carrying a Data VLAN
and a Voice VLAN.]