Designing the Enterprise WAN
Many WAN technologies exist today, and new technologies are constantly emerging. In general, the most appropriate WAN selection results in high efficiency and leads to user satisfaction. The network designer should be aware of possible WAN design choices when considering enterprise requirements. The following sections describe the characteristics of WAN architectures.
Traditional WAN Designs
Each WAN design is based on application requirements, the geography, and the available service provider offerings. One of the main issues in traditional WAN connections is the selection of the appropriate physical WAN technology. Options include the following:
- Leased lines: Point-to-point connections that are reserved for transmissions rather than used only when transmission is required. The carrier establishes the connection to dedicate a physical wire or to delegate a channel using frequency division multiplexing (FDM) or time-division multiplexing (TDM). Usually, leased-line connections use synchronous transmission.
- Circuit-switched networks: This is a type of network that, for the duration of the connection, obtains and dedicates a physical path to a single connection between two endpoints in the network. Ordinary voice telephone service over the public switched telephone network (PSTN) is circuit switched. The telephone company reserves a specific physical path to the number being called for the duration of the call. During that time, no one else can use the physical lines that are involved. Examples of circuit-switched networks are asynchronous serial and ISDN.
- Packet- and cell-switched networks: These are carrier-created permanent virtual circuits (PVC) or switched virtual circuits (SVC) that deliver packets among different sites. Users share common carrier resources and can use different paths through the WAN. This option allows the carrier to use its infrastructure more efficiently than with leased point-to-point links. Examples of packet-switched networks are X.25, Frame Relay, and Switched Multimegabit Data Service (SMDS).
The three basic design approaches for packet-switched networks include star, fully meshed, and partially meshed topologies.
Star Topology
A star, or hub-and-spoke, topology features a single hub (central router) that provides access from remote networks into a core router. All communication between networks goes through the core router. The advantages of a star approach are simplified management and minimized tariff costs. However, the disadvantages are significant. Consider the following:
- The central router (hub) represents a single point of failure.
- The central router limits overall performance for access to centralized resources.
- The central router is a single pipe that manages all traffic that is intended either for the centralized resources or for the other regional routers.
- The topology is not scalable.
Fully Meshed Topology
In a fully meshed topology, each routing node on the periphery of a given packet-switching network has a direct path to every other node on the cloud. The key rationale for creating a fully meshed environment is to provide a high level of redundancy. It is not viable in large packet-switched networks. The following are key issues for a fully meshed topology:
- A large number of virtual circuits are required (one for every connection between routers).
- Problems are associated with the requirement for large numbers of packet and broadcast replications.
- Configuration is complex for routers without routing protocol multicast support in nonbroadcast environments.
Partially Meshed Topology
A partially meshed topology reduces the number of routers within a region that have direct connections to all other nodes in the region. All nodes are not connected to all other nodes. There are many forms of partially meshed topologies. In general, partially meshed approaches provide the best balance for regional topologies, based on the number of virtual circuits, redundancy, and performance.
Remote-Access Network Design
Remote access provides access primarily to users who are connecting to network resources from external locations, such as Internet hotspots, public access, and so on. The principal function is to provide access to internal resources and applications. Remote access is an important service for the Internet edge. With remote access enabled on the Internet edge, mobile workers, teleworkers, partners, and even external customers are able to access resources. To ensure that this service is available and secure, many important security design considerations must be taken into account.
When designing a remote-access network for teleworkers and traveling employees, the type of connection influences the technology selections. For example, the decision needs to be made whether to choose a data link or a network layer connection. The most suitable choice among a wide range of remote-access technologies can be made by analyzing the application requirements and service provider offerings.
Here is a summary of typical remote-access requirements:
- Data link layer WAN technology from remote sites to the enterprise edge network (consider investment and running costs)
- Low-volume data file transfer and interactive traffic, without any specific requirements regarding quality
- The ability to access the same applications that are used in the office, both voice and data, from anywhere
Remote access to the enterprise network is typically provided over permanent or on-demand connections. The typical initial design options are as follows:
- On-demand connections for traveling workers
- Permanent connections for remote teleworkers through a dedicated circuit or a provisioned service
Remote-access technologies can include DSL, cable, and hotspot wireless services.
VPN Design
A VPN is defined as connectivity that is deployed on a shared infrastructure with the same policies, including security and performance, as a private network. The infrastructure that is used can be the Internet, an IP infrastructure, or any WAN infrastructure, such as a Frame Relay network or an ATM WAN.
The three types of VPNs are grouped according to their applications:
- Access VPN: Provides entry to a corporate intranet over a shared infrastructure with the same policies as a private network. Remote-access connectivity is through ISDN, DSL, wireless, or cable technologies. Access VPNs enable businesses to outsource their dialup or other broadband remote-access connections without compromising their security policy. Access VPNs include two architectural options: client-initiated connections or connections that are initiated by a network access server (NAS). With client-initiated access VPNs, users establish an encrypted IP tunnel from their PCs across the shared network of a service provider to their corporate network. An alternate architecture for access VPNs defines the tunnels that are initiated from the NAS, where remote users dial in to the local service provider points of presence (POP) and the service provider initiates a secure, encrypted tunnel to the corporate network.
- Intranet VPN: Links remote offices. The intranet VPN services are typically based on dedicated access that extends the basic remote-access VPN to other corporate offices across the Internet or across the IP backbone of the service provider. The main benefits of intranet VPNs are as follows:
  - Reduced WAN infrastructure needs
  - Lower ongoing leased-line or Frame Relay charges
  - Operational savings
- Extranet VPN: An organization uses either the Internet or a service provider network to connect to its business partners. The security policy becomes very important at this point because the organization does not want a hacker to spoof any orders from a business partner.
Enterprise Versus Service Provider–Managed VPNs
Deploying a VPN can help assure a business that its networks provide secure remote connectivity. The next step is to determine whether to design, build, and manage the network in house or to use a provider for service management. The following points represent the technologies that are used by the enterprise (in house) or by a service provider to offer multiservice IP VPNs:
- Enterprise-managed VPN
  - IP Security (IPsec):
    - IPsec direct encapsulation
    - Cisco Easy VPN
    - Point-to-point Generic Routing Encapsulation (GRE) over IPsec
    - Dynamic Multipoint Virtual Private Network (DMVPN)
    - Virtual tunnel interface (VTI)
  - Layer 2 Tunneling Protocol version 3 (L2TPv3)
- Service provider
  - Multiprotocol Label Switching (MPLS)
  - Metro Ethernet
  - Virtual Private LAN Services (VPLS)
Enterprise Managed VPN: IPsec
The IPsec standard provides a method to manage authentication and data protection between multiple cryptographic peers that are engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) protocol and Authentication Header (AH).
IPsec uses symmetrical encryption algorithms for data protection. Symmetrical encryption algorithms are more efficient and easier to implement in hardware. These algorithms need a secure method of key exchange to ensure data protection. Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
This solution requires a standards-based way to protect data from eavesdropping and modification, and IPsec provides one. IPsec offers a choice of transform sets so that the user can select the strength of the data protection, and several Hash-based Message Authentication Code (HMAC) algorithms to choose from. Each provides a different level of protection against attacks such as man-in-the-middle, packet replay (countered by IPsec antireplay), and data integrity attacks.
IPsec Direct Encapsulation
IPsec provides a tunnel mode of operation that enables it to be used as a standalone connection method. This option is the most fundamental IPsec VPN design model; Figure 5-7 illustrates this model. IPsec direct encapsulation designs cannot transport IGP dynamic routing protocols or IP multicast traffic.
Figure 5-7 IPsec Direct Encapsulation
Each remote site initiates an IPsec tunnel to a predefined head end. Remotes can have static or dynamic IP addresses, while head ends must have static IP addresses.
Resiliency can be provided by IPsec stateful failover at the head-end locations. Branch routers can be configured with a list of head ends. If a connection cannot be established with the first head end, subsequent head ends are tried until a successful connection is made.
Cisco Easy VPN
Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet. Many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated. Typically, it requires tedious coordination between network administrators to configure the VPN parameters of the two routers.
As Figure 5-8 illustrates, the Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing the Cisco VPN Client protocol. This allows most VPN parameters to be defined at a Cisco Easy VPN Server. After the Cisco Easy VPN Server has been configured, a VPN connection can be created with minimal configuration on a Cisco Easy VPN Remote, such as a Cisco 800 Series router or a Cisco 1700 Series Modular Access Router.
Figure 5-8 Cisco Easy VPN
Point-to-Point GRE over IPsec
IPsec can be deployed with point-to-point Generic Routing Encapsulation (GRE): the point-to-point GRE tunnel is encrypted by IPsec, and the combination provides additional functionality. With the addition of point-to-point GRE to IPsec, dynamic interior gateway protocol (IGP) routing protocols and IP multicast traffic can be transported over the VPN tunnel.
GRE over IPsec designs offer the following advantages:
- IP multicast and non-IP protocols are supported.
- Dynamic IGP routing protocols over the VPN tunnel are supported.
- Quality of service (QoS) policies can be configured per point-to-point GRE over an IPsec tunnel (scalability might be an issue).
- Distribution of IPsec tunnels to head-end routers is deterministic, with routing metrics and convergence choosing the best path.
- All primary and secondary or backup point-to-point GRE over IPsec tunnels are preestablished. A new tunnel does not have to be established in the event of a failure scenario.
Each remote site is connected with a point-to-point GRE over IPsec tunnel to a predefined head end. Remotes can have static or dynamic IP addresses, while head ends must have static IP addresses.
Resiliency can be provided by configuring point-to-point GRE over IPsec tunnels to multiple head-end routers at one or more geographic hub locations. An IGP dynamic routing protocol is exchanged over the point-to-point GRE over IPsec tunnels. Primary tunnels are differentiated from secondary tunnels by configuring slightly different routing metrics.
IPsec DMVPN
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software solution for building IPsec + GRE VPNs in an easy, dynamic, and scalable manner. DMVPN relies on two proven technologies:
- Next-Hop Resolution Protocol (NHRP): Creates a distributed (NHRP) mapping database of all the spoke tunnels to real (public interface) addresses
- Multipoint GRE (mGRE) tunnel interface: A single GRE interface that supports multiple GRE and IPsec tunnels, which reduces the size and complexity of the configuration
DMVPN offers configuration reduction and no-touch deployment. DMVPN also supports the following features:
- IP unicast, IP multicast, and dynamic routing protocols
- Remote peers with dynamically assigned addresses
- Spoke routers behind dynamic NAT and hub routers behind static NAT
- Dynamic spoke-to-spoke tunnels for scaling partially meshed or fully meshed VPNs
In addition, the following items are true about DMVPNs:
- Dynamic IGP routing protocols over the VPN tunnel are supported.
- QoS service policies can be configured per point-to-point GRE over IPsec tunnel (scalability might be an issue).
- Distribution of IPsec tunnels to head-end routers is deterministic, with routing metrics and convergence choosing the best path.
- All primary and secondary or backup GRE over IPsec tunnels are preestablished. A new tunnel does not have to be established in the event of a failure scenario.
Each remote site is connected with a point-to-point GRE tunnel interface to a predefined head end. The head-end routers use mGRE interfaces to dynamically accept new tunnel connections.
Resiliency can be provided by configuring DMVPN tunnels that are mapped to mGRE interfaces on multiple head-end routers at one or more geographic hub locations.
Remotes can have static or dynamic IP addresses, while head ends must have static IP addresses. An IGP dynamic routing protocol is exchanged over the DMVPN tunnels, and primary and secondary tunnels are differentiated by configuring slightly different routing metrics.
IPsec tunnel protection is generally used to map the cryptographic attributes to the tunnel that is originated by the remote router. Dead peer detection (DPD) can be enabled to detect the loss of a peer connection.
NHRP is configured on both the head-end and branch office routers, and is a requirement for using mGRE interfaces.
IPsec VTI Design
Virtual tunnel interface (VTI) design is one of the newest IPsec VPN design options available in Cisco IOS Software. VTI designs have a number of distinct advantages over other IPsec design options, including the ability to transport IGP dynamic routing protocols and IP multicast traffic without the addition of point-to-point GRE or mGRE headers.
In addition, VTI tunnels are assigned an interface so that tunnel-level features, such as a QoS service policy, can be enabled on each tunnel. This makes it possible to have per-VPN tunnel/destination QoS.
L2TPv3 Design
L2TPv3 offers a high-speed, transparent Layer 2–to–Layer 2 service over an IP backbone. L2TPv3 signaling is responsible for negotiating control plane parameters, session IDs, and cookies; for performing authentication; and for exchanging configuration parameters. L2TPv3 is also used to deliver hello messages and circuit status messages in a reliable manner. These messages are critical to support circuit interworking, such as the Local Management Interface (LMI), and to monitor the remote circuit status.
L2TPv3 supports the following Layer 2 payloads, which can be included in L2TP packets that are tunneled over the pseudowire:
- Frame Relay
- Ethernet
- IEEE 802.1q (VLAN)
- High-Level Data Link Control (HDLC)
- PPP
Service Provider–Managed VPNs: MPLS
Multiprotocol Label Switching (MPLS) enables enterprises and service providers to build next-generation intelligent networks that deliver a wide variety of advanced, value-added services over a single infrastructure. This economical solution can be integrated seamlessly over any existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet. Subscribers with differing access links can be aggregated on an MPLS edge without changing their current environments, as MPLS is independent of access technologies.
Integration of MPLS application components, including Layer 3 VPNs, Layer 2 VPNs, traffic engineering, QoS, and IP version 6 (IPv6), enables the development of highly efficient, scalable, and secure networks that guarantee service-level agreements (SLA).
MPLS Layer 3 VPN Design
Cisco IOS MPLS Layer 3 VPN is the most widely deployed MPLS technology. MPLS Layer 3 VPNs use a peer-to-peer VPN model that leverages Border Gateway Protocol (BGP) to distribute VPN-related information. This peer-to-peer model allows enterprise subscribers to "outsource" routing information to service providers, resulting in significant cost savings and a reduction in operational complexity for enterprises.
With MPLS VPNs, networks are learned with an interior gateway protocol (IGP) routing protocol such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), or Routing Information Protocol version 2 (RIPv2), with static addresses that are configured by an administrator or with BGP from other internal routers. MPLS VPNs use an additional label to specify the VPN and the corresponding VPN destination network. This additional label allows overlapping addresses between VPNs.
With MPLS Layer 3 VPNs, service providers can offer value-added services like QoS and traffic engineering, enabling network convergence that encompasses voice, video, and data. MPLS Layer 3 VPNs can be deployed with a Cisco MPLS TE and Fast Reroute (FRR) to offer "tight SLAs." QoS-based offerings vary from two to five classes of services.
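As an added example of the peer-to-peer model (not from the book), here is a minimal provider edge (PE) configuration in which two customers both number their site LAN 192.168.1.0/24: the VRF and route distinguisher keep the overlapping prefixes apart, MP-BGP carries them as VPNv4 routes with the VPN label, and LDP provides the transport label. The addresses, AS number 65000, VRF names, and the remote PE peer 10.255.0.2 are assumptions.

```cisco
! PE router (assumed names and addresses): customers A and B both use 192.168.1.0/24
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
ip vrf CUST-B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
!
! Customer-facing interfaces: the same address in two VRFs is legal because each VRF is its own routing table
interface GigabitEthernet0/1
 description CE of customer A
 ip vrf forwarding CUST-A
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 description CE of customer B
 ip vrf forwarding CUST-B
 ip address 192.168.1.1 255.255.255.0
!
! Customer routes learned here as VRF statics (an IGP or BGP session with the CE would be redistributed the same way)
ip route vrf CUST-A 172.16.10.0 255.255.255.0 192.168.1.2
ip route vrf CUST-B 172.16.20.0 255.255.255.0 192.168.1.2
!
! Provider core: IGP for PE loopback reachability, LDP for the transport label
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0
 description toward P router
 ip address 10.0.12.1 255.255.255.252
 mpls ip
mpls ldp router-id Loopback0 force
router ospf 1
 network 10.0.12.0 0.0.0.3 area 0
 network 10.255.0.1 0.0.0.0 area 0
!
! MP-BGP to the remote PE: a VPNv4 route is RD + prefix + VPN label, tagged with the RT extended community
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 address-family ipv4 vrf CUST-A
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf CUST-B
  redistribute connected
  redistribute static
 exit-address-family
```

show ip route vrf CUST-A and show bgp vpnv4 unicast all then show the two 192.168.1.0/24 networks as distinct routes, 65000:100:192.168.1.0/24 and 65000:200:192.168.1.0/24, which is what lets the addresses overlap.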
Service Provider–Managed VPNs: Metro Ethernet
Demand for bandwidth in the metropolitan-area network (MAN or metro) is exploding as a result of data-intensive applications, new business models that rely on the Internet, and population growth. Increasingly, service providers are meeting that demand with Metro Ethernet access services. These services are based on Ethernet, IP, and optical technologies such as dense wavelength division multiplexing (DWDM) or coarse wavelength division multiplexing (CWDM). Compared to fixed bandwidth facilities, Metro Ethernet access services provide more bandwidth, the ability to provision bandwidth in flexible increments, resiliency with Route Processor Redundancy (RPR), and better support for converged voice, video, and data services.
Today, more service providers are using Ethernet access to their backbone network, whether through SONET/SDH, MPLS, Frame Relay, or the Internet. Broadband connectivity is provided by an Ethernet hand-off to either a cable modem or DSL bridge. This provides the following benefits:
- Service-enabling solution: Layering value-added advanced services in addition to the network
- More flexible architecture:
  - Increasing port speeds without the need to dispatch a technician, and typically with no new customer premises equipment (CPE)
  - Evolving existing services (Frame Relay/ATM internetworking) to an IP-optimized solution
- Seamless enterprise integration: Ease of integration with typical LAN network equipment
Service Provider–Managed VPNs: VPLS
VPLS is a class of VPN that supports the connection of multiple sites in a single bridged domain over a managed IP/MPLS network. VPLS presents an Ethernet interface to customers. Because the service bandwidth is not tied to the physical interface, this interface simplifies the LAN/WAN boundary for service providers and customers and enables rapid and flexible service provisioning, as illustrated in Figure 5-9. All services in a VPLS appear to be on the same LAN, regardless of location.
Figure 5-9 VPLS Design
VPLS uses edge routers that can learn, bridge, and replicate on a VPN basis. These routers are connected by a full mesh of tunnels, enabling any-to-any connectivity.
VPLS supplies an architecture that provides Ethernet Multipoint Service (EMS) across geographically dispersed locations using MPLS as a transport. EMSs are attractive. They offer solutions to problems that many enterprise customers and service providers are seeking to address (for example, high-speed, secure, any-to-any forwarding at Layer 2). The requirement to forward frames at Layer 2 is important. Many new applications and services dictate that the service be transparent to upper-layer protocols (ULP) or can lack network layer addressing altogether (for example, NetBIOS Extended User Interface [NetBEUI]).
WAN Backup Strategy Design
WAN links are relatively unreliable compared to LAN links, and often are much slower than the LANs that they connect. The combination of uncertain reliability, lack of speed, and high importance makes the WAN link a good candidate for redundancy.
Each enterprise edge solution requires a WAN backup to provide high availability between sites. Branch offices should experience minimum downtime in the event of primary link failure. Backup connections can be established using either dialup or permanent connections.
The primary WAN backup options are as follows:
- Dial backup routing: Dial backup routing uses dialup services such as ISDN. The switched circuit provides the backup service for another type of circuit, such as point-to-point or Frame Relay. The router initiates the dial backup line based on object tracking parameters or when a failure is detected on the primary circuit. The dial backup line provides WAN connectivity until the primary circuit is restored and then terminates.
- Permanent secondary WAN link: The deployment of an additional permanent WAN link between each remote office and the central office (CO) makes the network more fault-tolerant. This capability offers two advantages:
  - Backup link: If a connection between any remote office and the CO fails, the backup link is used. The Reliable Static Routing Backup Using Object Tracking feature can ensure reliable backup in the case of several catastrophic events. If the connection to the main office is lost, the status of the tracked object changes from up to down. When the state of the tracked object changes to down, the routing table entry for the primary interface is removed. Traffic is then forwarded to the preconfigured destination from the secondary interface. This ability allows applications to proceed in the event of a WAN link failure and thus improves application availability.
  - Increased bandwidth: This additional bandwidth decreases response times when the connected router supports load balancing between two parallel links of equal cost. In this case, load balancing is performed automatically through the routing protocol.
- IPsec: Using an IPsec VPN, the WAN traffic can be directed back to the corporate headquarters through the Internet when a failure is detected.
In Figure 5-10, the connections between the central site enterprise edge and remote sites use permanent primary and secondary WAN links for redundancy. To increase the utilization of the backup link, a routing protocol such as EIGRP is used to support load balancing over unequal paths on either a per-packet or a per-destination basis.
Figure 5-10 WAN Backup Example
Backup links should be provisioned so that they become active when a primary link fails or becomes congested. Backup links often use different technologies; for example, leased lines are used with backup IPsec VPNs.
Using the Internet as a WAN Backup
The Internet can be used as an alternate option for a failed WAN connection. This type of connection is considered "best effort" and guarantees no bandwidth. This topic describes a WAN backup design for use over the Internet.
When relying on the Internet to provide a backup for branch offices, the enterprise must cooperate fully with the ISP and announce its networks to gain connectivity. If a connection between any branch office and the CO fails, the backup IPsec tunnel is used. In addition, the Reliable Static Routing Backup Using Object Tracking feature can ensure reliable backup in the case of several failures.
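The Reliable Static Routing Backup Using Object Tracking feature named for the permanent secondary link and again for the Internet backup can be configured as follows on the branch router; this is an added example, not the book's configuration. The primary next hop 203.0.113.1 on Serial0/0, the central-office probe target 10.1.1.1, the corporate prefix 10.0.0.0/8, and Tunnel1 as a pre-established IPsec tunnel interface to headquarters over the Internet are assumptions.

```cisco
! Branch router; all addresses and interface names are assumed for illustration
!
! 1. IP SLA probe toward a central-office address, sourced from the primary WAN interface
ip sla 1
 icmp-echo 10.1.1.1 source-interface Serial0/0
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
! Host route pins the probe to the primary path, so it cannot succeed over the backup
! tunnel and falsely bring the tracked object back up after a failover
ip route 10.1.1.1 255.255.255.255 203.0.113.1
!
! 2. Tracked object follows probe reachability; the delays dampen a single lost echo
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 3. Primary static route toward headquarters is installed only while track 1 is up ...
ip route 10.0.0.0 255.0.0.0 203.0.113.1 track 1
! ... otherwise the floating static (administrative distance 250) through the IPsec tunnel takes over
ip route 10.0.0.0 255.0.0.0 Tunnel1 250
```

show track 1 reports the tracked state and how long ago it last changed, and show ip route 10.0.0.0 shows whether the primary next hop or Tunnel1 is currently in use.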
Selecting the Enterprise WAN Architecture
After identifying the remote connectivity requirements and understanding traditional WAN designs, the WAN architecture is ready to be selected.
When selecting technologies, decision makers should consider the following factors:
- Support for network growth: Enterprises that anticipate significant growth should choose a technology that allows the network to grow with their business. Issues to be considered are the amount of time, cost, and effort that is involved in connecting new branches and remote offices. WAN technologies with high support for network growth make it possible to add new branches or remote offices with minimal configuration at existing sites. This minimizes costs and IT staff requirements for such changes. WAN technologies with lower support for network growth require significantly more time and cost to expand the network.
- Appropriate availability: Businesses that are heavily impacted by even the smallest disruption in network communications should consider availability to be a priority when choosing a connectivity technology. Highly available technologies provide inherent redundancy where no single point of failure exists in the network. Lower-availability technologies can still dynamically recover from a network disruption in a short time, but even this minor disruption might be considered too costly for some businesses. Technologies that do not inherently provide high availability can still be made more available through redundancy in the design, for example by using products with redundant characteristics, multiple WAN connections, or backup power supplies.
- Operational expenses: Some WAN technologies can result in higher costs than others. A private-line technology such as Frame Relay or ATM, for example, typically results in higher carrier fees than a technology such as an IPsec-based IP VPN, which can take advantage of the public Internet to help reduce costs. It is important to note, however, that migrating to a particular technology for the sole purpose of reducing carrier fees, without considering network performance and QoS, can limit support for some advanced technologies such as voice and video.
- Operational complexity: Cisco MAN and WAN technologies have varying levels of inherent technical complexity, so the level of technical expertise that is required within the enterprise can also vary. In most cases, businesses can upgrade their MAN or WAN to take advantage of the expertise of the existing IT staff, requiring minimal training. When an enterprise chooses to maintain greater control over its network by taking on responsibilities that are usually reserved for a service provider, extensive IT training would be required to successfully deploy and manage a particular WAN technology.
- Voice and video support: Most Cisco MAN and WAN technologies support QoS, which helps enable advanced applications such as voice and video over the network. In cases where a WAN technology uses a service provider with a Cisco QoS–certified, multiservice IP VPN, an adequate level of QoS is assured to support voice and video traffic. In cases where the public Internet is used as the WAN connection, QoS cannot always be guaranteed. A high-broadband connection (greater than 786 kbps upstream) might be required for small offices, teleworkers, and remote Cisco Contact Center agents using voice and video communications.
- Effort and equipment cost to migrate from private connectivity: When an enterprise is taking the next step in upgrading its MAN or WAN, it is important to evaluate the short- and long-term costs and benefits. In many cases, a business can migrate from private connectivity to another technology with minimal investment in equipment, time, and IT staffing. In some instances, however, this transition can require a significant short-term investment, not only in new equipment but also in IT training. Such an investment can provide increased cost savings, lower operational expenditures, and increased productivity over the long term.
- Network segmentation support: Network segmentation allows enterprises to support a single network that is logically segmented. One advantage to network segmentation is the reduction of expenditures that are associated with equipment and maintenance, network administration, and network carrier charges, compared to separate physical networks. Another advantage is increased security because segmentation can ease the effort in isolating departments or limiting the access of partners on the corporate network.
Cisco Enterprise MAN and WAN Architecture
The Cisco Enterprise MAN and WAN Architecture employs a number of MAN and WAN technologies that are engineered and optimized to interoperate as a contiguous system.
The architecture provides the integrated QoS, network security, reliability, and manageability that are required for supporting various advanced business applications and services. These architectures offer a number of secure alternatives to traditional private WAN connectivity and help increase network scalability and reduce monthly carrier fees.
The Cisco Enterprise MAN and WAN Architecture technologies are compared in Table 5-3.
Table 5-3. Cisco Enterprise WAN and MAN Architecture Comparison
| Characteristic | Private WAN | ISP Service | Service Provider MPLS and IP VPN | Self-Deployed MPLS |
|---|---|---|---|---|
| Secure Transport | IPsec (optional) | IPsec (mandatory) | IPsec (mandatory) | IPsec (mandatory) |
| High Availability | Excellent | Good | Excellent | Excellent |
| Multicast | Good | Good | Good | Excellent |
| Voice and Video Support | Excellent | Low | Excellent | Excellent |
| Scalable Network Growth | Moderate | Good | Excellent | Excellent |
| Easily Shared WAN Links | Moderate | Moderate | Moderate | Excellent |
| Operational Costs | High | Low | Moderate (depends on transport) | Moderate to High |
| Network Control | High | Moderate | Moderate | High |
| Effort to Migrate from Private to WAN | Low | Moderate | Moderate | High |
Additional architectural technology information includes the following:
- Private WAN: Private connectivity takes advantage of existing Frame Relay, ATM, or other connections. To provide an additional level of security when connecting sites, these technologies can be combined with strong encryption, such as Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES). It is ideally suited for an enterprise with moderate growth expectations and where relatively few new branches or remote offices will be deployed over the coming years. Businesses require secure, dedicated, and reliable connectivity for compliance with information privacy standards. However, this technology can result in relatively high recurring monthly carrier fees and is not the preferred technology for extending connectivity to teleworkers and remote call agents. An enterprise might choose encrypted private connectivity to network its larger branch offices, but it might opt for other technologies, such as an IPsec VPN, to connect remote users and smaller sites.
- ISP service (site-to-site and remote-access IPsec VPN): These services take advantage of the ubiquity of public and private IP networks. The use of strong encryption standards (DES, 3DES, and AES) makes this WAN option more secure than traditional private connectivity. This option is also compliant with many of the new information security regulations imposed on government and industry groups, such as healthcare and finance. This technology, when implemented over the public Internet, is best suited for businesses that require basic data connectivity. However, if support for delay-sensitive, advanced applications such as voice and video is required, an IPsec VPN should be implemented over a service provider private network where an adequate level of QoS is assured to support voice and video traffic. Relatively low carrier fees make this technology appropriate for businesses seeking to connect a high number of teleworkers, remote Cisco Contact Center agents, or small remote offices over a geographically dispersed area.
- SP MPLS and IP VPN: A network-based IP VPN is similar in many ways to private connectivity but with added flexibility, scalability, and reach. The any-to-any nature of an MPLS-enabled IP VPN (in other words, any branch can be networked to any branch), combined with its comprehensive QoS for voice and video traffic, suits the needs of many enterprises. This is especially true for businesses with high growth expectations, where many new branches and remote offices will be added over the next few years. The secure, reliable connectivity and relatively lower carrier fees that are inherent in this technology make a network-based IP VPN a good choice for businesses that want to use a managed service solution to connect branches, remote offices, teleworkers, and remote call agents.
- Self-deployed MPLS: Self-deployed MPLS is a network segmentation technique that allows enterprises to logically segment the network. Self-deployed MPLS is typically reserved for very large enterprises or a service provider that is willing to make a significant investment in network equipment and training. It is also used for those businesses that have an IT staff that is comfortable with a high degree of technical complexity. Further discussion of self-deployed MPLS is beyond the scope of this book.
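The encrypted transport that the Private WAN and ISP Service descriptions above rely on is an IKE/IPsec policy on the WAN edge router. The following is an added example, not configuration from this book or from Cisco: a site-to-site IPsec tunnel on a branch router in classic IKEv1 crypto-map syntax (IOS 15.x assumed), showing a legacy policy that still uses single DES next to the policy a designer should deploy today (AES-256, SHA-256, Diffie-Hellman group 14 with PFS). DES and 3DES are listed above among the strong options, but NIST withdrew DES in 2005 and has since deprecated 3DES, so AES is the only one of the three that belongs in a new design. The peer address 203.0.113.2, the 10.1.0.0/16 and 10.2.0.0/16 site prefixes, the pre-shared key placeholder, and the object names (HQ-MAP, AES256-SHA256, WEAK-DES, BRANCH-TO-HQ) are constructed for the example.

```cisco
! --- Legacy policy (kept only as a reference for audits; do not deploy) ---
! Single DES, SHA-1 and DH group 2 are the settings to look for and retire.
! crypto isakmp policy 20
!  encryption des
!  hash sha
!  authentication pre-share
!  group 2
! crypto ipsec transform-set WEAK-DES esp-des esp-sha-hmac
!
! --- Hardened policy: AES-256, SHA-256, DH group 14, PFS ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key for the headquarters peer (constructed address, placeholder key).
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selector: branch LAN (constructed) to headquarters LAN (constructed).
ip access-list extended BRANCH-TO-HQ
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA256
 set pfs group14
 match address BRANCH-TO-HQ
 ! Classify on the inner header before encryption so the interface QoS policy
 ! can still identify voice and video flows after ESP encapsulation.
 qos pre-classify
!
interface GigabitEthernet0/0
 description WAN uplink to ISP (constructed)
 crypto map HQ-MAP
```

The `qos pre-classify` line is the knob to check when voice or video quality degrades over an IPsec VPN: without it, an output service policy on the physical interface sees only the ESP packet and can match on the copied DSCP value but not on the original addresses or ports. Verifying that no `encryption des` or `esp-des` lines remain in the running configuration is a quick check against the weak settings the legacy policy illustrates.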
Enterprises can use a combination of these architectures as needed to support their remote connectivity requirements.
Figure 5-11 shows an example implementation of three Cisco Enterprise MAN and WAN Architectures in a healthcare environment.
Figure 5-11 Cisco WAN Architecture Example
Selecting Enterprise WAN Components
After identifying the remote connectivity requirements and architecture, select the individual WAN components.
Hardware Selection
When selecting hardware, use the Cisco documentation to evaluate the WAN hardware components. Consider the following functions and features:
- Port densities
- Packet throughput
- Expandability capabilities
- Readiness to provide redundant connections
Hardware Selection: Cisco ISR G2
Cisco ISR G2 routers are part of the Borderless Networks architecture within the Cisco Network Architectures for the Enterprise, which enables business innovation and growth across all remote sites. The next-generation architecture delivers a new workspace experience by meeting the performance requirements for the next generation of WAN and network services. This architecture enables the cost-effective delivery of high-definition collaboration at the branch office and provides a secure transition to the next generation of cloud and virtualized network services.
Designed for optimal service delivery on a single platform, the Cisco ISR G2 routers give businesses greater power to deliver a superior customer experience and deploy services "on demand" as business needs dictate, while reducing overall operating costs. Figure 5-12 shows a general layout of where each ISR G2 model fits within the enterprise.
Figure 5-12 Cisco ISR G2 Selections
These innovations enable branch offices to do the following:
- Deliver next-generation WAN and network service requirements
- Become more productive through increased video-based collaboration and rich-media services
- Securely transition to cloud and virtualized network services
- Minimize energy consumption and costs to support corporate sustainability
- Enable small IT teams to scale services worldwide