Connectivity to remote locations such as the Internet, branches, offices, and teleworkers is provided through enterprise edge technologies and the enterprise WAN architecture. Infrastructure support is provided at the remote locations with enterprise branch architectures.
To connect to remote locations, WAN technologies and WAN transport media must be utilized when considering ownership, reliability, and backup issues. In addition, WAN remote access choices include cable and DSL technologies that are used with Virtual Private Networks (VPN). The enterprise branch is a remote location that is smaller than an enterprise campus and can use a simpler architecture.
Identifying WAN Technology Considerations
The enterprise edge connects campus resources to remote enterprise locations. It can include the WAN, Internet connectivity, remote access, and VPN modules. Many WAN technologies exist today, and new technologies are constantly emerging. The following sections explain the role of a WAN and the requirements necessary for achieving a reliable and efficient WAN design. They also describe the characteristics of the WAN technologies that are currently available.
Review of WAN Features
A WAN is a communications network that covers a relatively broad geographic area. Most often, a WAN uses the transmission facilities that are provided by service providers (carriers) such as telephone companies. WANs generally carry various traffic types, such as voice, data, and video. A network provider often charges user fees called tariffs for the services that are provided by the WAN. Therefore, WAN communication is often known as a service; some considerations include
- Service-level agreements (SLA): Networks carry application information between computers. If the applications are not available to network users, the network is failing to achieve its design objectives. Organizations need to define what level of service, such as bandwidth or allowed latency and loss, is acceptable for the applications that run across the WAN.
- Cost of investment and usage: WAN designs are always subject to budget limitations. Selecting the right type of WAN technology is critical in providing reliable services for end-user applications in a cost-effective and efficient manner.
The following are the objectives of an effective WAN design:
- A well-designed WAN must reflect the goals, characteristics, and policies of an organization.
- The selected technology should be sufficient for current and (to some extent) future application requirements.
- The associated costs of investment and usage should stay within the budget limitations.
Figure 5-1 illustrates ways that WAN technologies connect the enterprise network modules.
Figure 5-1 Types of WAN Interconnections
Typically, the intent is to provide these results:
- Connectivity between the enterprise edge modules and ISPs
- Connectivity between enterprise sites across the service provider and public switched telephone network (PSTN) carrier network
- Connectivity between enterprise sites across the ISP network
WAN connections can be point-to-point between two locations or a connection to a multipoint WAN service offering, such as a Frame Relay or Multiprotocol Label Switching (MPLS) network. An alternative to WAN connections is a service provider IP network that links the remote sites of an enterprise network. Complete cooperation at the IP layer between the enterprise edge and service provider network is required for this type of connection. DSL and cable are technologies that are frequently used for ISP access for teleworkers and very small offices. This type of network service provides no guarantee of the quality of sessions and is considered a "best effort."
Comparison of WAN Transport Technologies
Table 5-1 reviews WAN technologies that are based on the main factors that influence technology selection. The table provides baseline information to help compare the performance and features that different technologies offer. The options that service providers offer usually limit technology decisions.
Table 5-1. WAN Transport Technology Comparison
| Technology | Bandwidth | Latency and Jitter | Connect Time | Tariff | Initial Cost | Reliability |
|---|---|---|---|---|---|---|
| TDM | M | L * | L | M | M | M |
| ISDN | L | M/H | M | M | L | M |
| Frame Relay | L | L | L | M | M | M |
| ATM | M/H | L | L | M | M | H |
| MPLS | M/H | L | L | M | M | H |
| Metro Ethernet | M/H | L | L | M | M | H |
| DSL | L/M ** | M/H | L | L | L | M |
| Cable Modem | L/M ** | M/H | L | L | M | L |
| Wireless | L/M | M/H | L | L | M | L |
| SONET/SDH | H | L | L | M | H | H |
| DWDM | H | L | L | M | H | H |
| Dark Fiber | H | L | L | M | H | H |
Time-Division Multiplexing
Time-division multiplexing (TDM) reserves point-to-point connection bandwidth for transmissions indefinitely, rather than using bandwidth only as required. TDM is a type of digital multiplexing in which two or more channels are derived from a given data stream by interleaving pulses representing bits from different channels. For example, a North American T1 circuit is made up of 24 channels that run at 64 kbps, for a total of 1.536 Mbps. When framing overhead is included, the total reaches 1.544 Mbps. A T3 circuit is made up of 28 T1s or 672 channels; including overhead, a T3 circuit provides 44.736 Mbps. Corresponding European standards are the E1 standard, which supports 32 64-kbps channels for a total of 2.04 Mbps, and the E3 standard, which supports 480 64-kbps channels and provides 34.368 Mbps. A carrier establishes a connection in a TDM network by dedicating a channel to it. By contrast, packet-switched networks traditionally offer the service provider more flexibility and use network bandwidth more efficiently than TDM networks because the network resources are shared dynamically. Subscribers using TDM are charged an amount based on their guaranteed use of the network.
ISDN Connectivity
Integrated Services Digital Network (ISDN) is a system of digital phone connections that has been available as a communications standard since 1984. This system allows voice and data to be transmitted simultaneously across the world using end-to-end digital connectivity. Connectivity over ISDN offers increased bandwidth, reduced call setup time, reduced latency, and lower signal-to-noise ratios than analog dialup. However, the industry is moving from broadband technologies such as DSL, cable, and public wireless to IP Security (IPsec) VPNs. ISDN presents an effective solution solely for remote-user applications, where broadband technologies are not available.
Analog modem dialup or plain old telephone service (POTS) provides data connectivity over the PSTN using analog modems. Dialup supports relatively low-speed connections, while broadband technologies such as DSL, cable, and public wireless are faster. Dialup point-to-point service is typically no longer a cost-effective solution for WAN connectivity. It is only cost-effective as a backup access solution for Internet connectivity in teleworker environments.
Frame Relay
Frame Relay is an example of a packet-switched technology for connecting devices on a WAN. Frame Relay has been deployed since the late 1980s. Frame Relay networks transfer data using one of two connection types:
- Permanent virtual circuits (PVC), which are permanent connections
- Switched virtual circuits (SVC), which are temporary connections that are created for each data transfer and are then terminated when the data transfer is complete (not a widely used connection)
Multiprotocol Label Switching
MPLS is a switching mechanism that uses labels (numbers) to forward packets. In a normal routed environment, packets pass from a source to a destination on a hop-by-hop basis. Transit routers evaluate the Layer 3 header of each packet and perform a route table lookup to determine the next hop toward the destination. However, MPLS enables devices to specify paths through the network. This is performed by using labels that are based on the initial route lookup and classification of quality of service (QoS), as well as the bandwidth needs of the applications, while taking into account Layer 2 attributes. MPLS labels can correspond to parameters such as a QoS value, a source address, or a Layer 2 circuit identifier. After a path has been established, packets that are destined to the same endpoint with the same requirements can be forwarded based on these labels, without a routing decision at every hop. Labels usually correspond to a Layer 3 destination address, which makes MPLS equivalent to destination-based routing. Label switching occurs regardless of the Layer 3 protocol. One of the strengths of MPLS is that it can be used to carry many kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames. A designer's main objective is to minimize routing decisions and maximize switching use.
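The "one lookup at the ingress, labels thereafter" behaviour described above can be seen in a small simulation. The following is an added example written for this page, not code from the book or from any vendor: the router names (PE1, P1, P2, PE2, PE3), the prefixes, the label numbers and the forwarding tables are all constructed. The ingress router performs a longest-prefix match once and pushes a label; every transit router indexes its label forwarding table by the incoming label and never reads the IP header.

```python
"""Added example (not from the book): a toy label-switched path showing that after
one route lookup at the ingress, transit routers forward on labels alone.
Router names, prefixes and label numbers are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Ingress router PE1: destination prefix -> (label to push, next hop).
# Two prefixes map to two forwarding equivalence classes (FECs).
INGRESS_FIB = {
    ip_network("10.20.0.0/16"): (100, "P1"),
    ip_network("10.20.5.0/24"): (200, "P1"),   # more specific prefix, separate FEC
}

# Label forwarding tables (LFIB): router -> {incoming label: (action, outgoing label, next hop)}.
LFIB = {
    "P1":  {100: ("swap", 101, "P2"),  200: ("swap", 201, "P2")},
    "P2":  {101: ("swap", 102, "PE2"), 201: ("swap", 202, "PE3")},
    "PE2": {102: ("pop", None, "CE-A")},   # egress: remove the label, deliver natively
    "PE3": {202: ("pop", None, "CE-B")},
}


def ingress_lookup(dst):
    """The only IP routing decision on the path: longest-prefix match at PE1."""
    addr = ip_address(dst)
    best = None
    for net, entry in INGRESS_FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"no route for {dst}")
    return best[1]


def forward(dst):
    """Trace a packet to dst. Returns [(router, label on the outgoing link, next hop), ...].
    Transit routers index their LFIB by the incoming label and never read the IP header."""
    label, hop = ingress_lookup(dst)
    trace = [("PE1", label, hop)]
    while True:
        action, out_label, next_hop = LFIB[hop][label]   # label lookup only
        trace.append((hop, out_label, next_hop))
        if action == "pop":
            return trace
        label, hop = out_label, next_hop


if __name__ == "__main__":
    for dst in ("10.20.9.1", "10.20.5.7"):
        path = " ".join(f"{r}[{lbl}]->{n}" for r, lbl, n in forward(dst))
        print(dst, "->", path)
```

The two destinations share the same ingress next hop and the same transit router P1, yet end at different egress routers because they were classified into different FECs at PE1; nothing after PE1 consults a routing table.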
Metro Ethernet
Metro Ethernet uses Ethernet technology to deliver cost-effective, high-speed connectivity for metropolitan-area network (MAN) and WAN applications. Service providers have started to offer Metro Ethernet services to deliver converged voice, video, and data networking. Metro Ethernet provides a data-optimized connectivity solution for the MAN and WAN based on technology that is widely deployed within the enterprise LAN. Metro Ethernet supports high-performance networks in the metropolitan area, meeting the increasing need for faster data speeds and more stringent QoS requirements. Where traditional TDM access is rigid, complex, and costly to provision, Metro Ethernet services provide scalable bandwidth in flexible increments, simplified management, and faster, lower-cost provisioning. This simple, easy-to-use technology appeals to customers who are already using Ethernet throughout their LANs.
DSL Technology
Digital subscriber line (DSL) is a technology that delivers high bandwidth over traditional telephone copper lines. The term xDSL covers a number of similar yet competing forms of DSL. Asymmetric DSL (ADSL) is the most common form of DSL, which utilizes frequencies that normally are not used by a voice telephone call—in particular, frequencies higher than normal human hearing. ADSL can be used only over short distances, typically less than 18,000 ft. The distinguishing characteristic of ADSL over other forms of DSL is that the volume of data flow is greater in one direction than the other; that is, it is asymmetric.
Figure 5-2 illustrates a typical ADSL service architecture.
Figure 5-2 ADSL Implementation Example
The network consists of customer premises equipment (CPE), the network access provider (NAP), and the network service provider (NSP):
- The CPE refers to an end-user workstation, such as a PC, together with an ADSL modem or an ADSL transmission unit-remote (ATU-R).
- The NAP provides ADSL line termination by using DSL access multiplexers (DSLAM).
- The DSLAM forwards traffic to the local access concentrator, the NSP, which is used for Layer 3 termination.
An ADSL circuit connects an ADSL modem on each end of a twisted-pair telephone line. This setup creates three information channels:
- Medium-speed downstream channel
- Low-speed upstream channel
- Basic telephone service channel
Filters (splitters) split off the basic telephone service channel from the digital modem. This feature guarantees uninterrupted basic telephone service, even if ADSL fails.
Cable Technology
Cable is a technology for data transport that uses coaxial cable media over cable distribution systems. This technology is a good option for environments where cable television is widely deployed.
The Universal Broadband Router (uBR), also referred to as the cable modem termination system (CMTS), provides high-speed data connectivity and is deployed at the cable company head end. The uBR forwards data upstream to connect with either the PSTN or the Internet. The cable modem (also referred to as the cable access router) at the remote location supports voice, modem, and fax calls over the TCP/IP cable network. The uBR is designed to be installed at the head-end facility or distribution hub of a cable operator and to function as the CMTS for subscriber end devices. In general, cable operators install cable modems at the customer premises to support small businesses, branch offices, and corporate telecommuters.
Wireless Technology
The term wireless describes telecommunications in which electromagnetic waves carry the signal. Common examples of wireless equipment include cellular phones, Global Positioning Systems (GPS), cordless computer peripherals, satellite television, and wireless LANs.
Wireless implementations include the following:
- Bridged wireless: Designed to connect two or more networks, typically located in different buildings at high data rates for data-intensive, line-of-sight applications. Building-to-building wireless connects two or more networks that are located in different buildings. A series of wireless bridges or routers can connect discrete distant sites into a single LAN and thus interconnect hard-to-wire sites, discontiguous floors, satellite offices, school or corporate campus settings, temporary networks, and warehouses.
- Mobile wireless: Includes cellular applications and others. Mobile cellular wireless technologies are migrating to digital services on wireless. Second- and third-generation mobile phones are migrating to digital services that offer connectivity and higher speeds. There are three widely deployed mobile wireless technologies:
  - Global System for Mobile Communications (GSM): GSM is a digital mobile radio system that uses Time Division Multiple Access (TDMA) technology, which allows eight simultaneous calls on the same RF in three bands: 900, 1800, and 1900 MHz. The transfer data rate is 9.6 kbps. A unique benefit of GSM is its international coverage, allowing the use of a GSM phone almost transparently while traveling abroad, without the need to change any settings or configuration parameters.
  - General Packet Radio Service (GPRS): GPRS extends the capability of GSM speed and supports intermittent and bursty data transfer. Speeds that are offered to the client are in the range of ISDN speeds (64 to 128 kbps).
  - Universal Mobile Telecommunications Service (UMTS): Also called third-generation (3G) broadband, UMTS provides packet-based transmission of text, digitized voice, video, and multimedia at data rates of up to 2 Mbps. UMTS offers a consistent set of services to mobile computer and phone users, no matter where they are located in the world.
- Wireless LAN: Developed to meet the demand for LAN connections over the air. It is often used in intrabuilding connections. Wireless LANs have developed to cover a growing range of applications, such as guest access and voice over wireless. They support services such as advanced security and location of wireless devices.
SONET and SDH Technology
Circuit-based services architecture is the basis for SONET and Synchronous Digital Hierarchy (SDH). This technology uses TDM and delivers high-value services over an optical infrastructure. SONET or SDH provides high-speed, point-to-point connections that guarantee bandwidth, regardless of actual usage (for example, common bit rates are 155 and 622 Mbps, with a maximum of 10 Gbps). SONET or SDH rings offer proactive performance monitoring and automatic recovery ("self-healing") through an automatic protection switching (APS) mechanism.
Figure 5-3 illustrates a typical SONET/SDH implementation example.
Figure 5-3 SONET/SDH Example
SONET or SDH rings support two IP encapsulations for user interfaces: ATM or Packet over SONET/SDH (POS), which sends native IP packets directly over SONET or SDH frames. Optical Carrier (OC) rates are the digital hierarchies of the SONET standard. They support the following speeds:
- OC-1 = 51.85 Mbps
- OC-3 = 155.52 Mbps
- OC-12 = 622.08 Mbps
- OC-24 = 1.244 Gbps
- OC-48 = 2.488 Gbps
- OC-192 = 9.962 Gbps
- OC-255 = 13.21 Gbps
DWDM Technology
Dense wavelength division multiplexing (DWDM) improves the utilization of optical fiber. Multichannel signaling on a single strand of fiber increases its available bandwidth to the equivalent of several Gigabit Ethernet links. DWDM is a crucial component of optical networks. It maximizes the use of installed fiber cable and allows service providers to efficiently offer new services over the existing infrastructure. Flexible add-and-drop modules permit service providers to drop and insert individual channels along a route. An open architecture system allows various devices, including SONET terminals, ATM switches, and IP routers, to be connected.
Dark Fiber
Dark fiber refers to fiber-optic cables that are leased from the service provider, where the framing is provided by the enterprise. A dark fiber connection allows framing options other than SONET/SDH. The edge devices connect directly over the site-to-site dark fiber using other encapsulations, such as Gigabit Ethernet. To transmit data over long distances, regenerators are inserted into the link to maintain signal integrity and provide appropriate jitter control. Depending on the carrier and location, dark fiber is now available on the wholesale market for both metro and wide-area links at prices that were previously associated with leased-line rentals.
In terms of reliability, SONET/SDH networks offer advanced features over DWDM and dark fiber, such as automatic backup and repair mechanisms to cope with system failure. The failure of a single SONET/SDH link or network element does not lead to failure of the entire network.
WAN Link Categories
From the ownership perspective, WAN links are divided into three broad categories:
- Private WAN: Uses private transmission systems to connect distant LANs. The owner of a private WAN must buy, configure, and maintain the physical layer connectivity (copper, fiber, wireless, coaxial) and the terminal equipment that is required to connect locations. Thus, private WANs are expensive to build, labor-intensive to maintain, and difficult to reconfigure for constantly changing business needs. The advantages of using a private WAN include higher levels of security and transmission quality.
- Leased WAN: Uses dedicated bandwidth that is leased by an enterprise from a service provider with either private or leased terminal equipment. The provider provisions the circuit and is responsible for maintenance. Some examples include TDM and SONET circuits. The enterprise pays for the allocated bandwidth, whether or not it is used, and operating costs tend to be high.
- Shared WAN: Shares physical resources with many users. Carriers offer various circuit- or packet-switching transport networks, such as MPLS or Frame Relay, for user traffic. The provider provisions the circuit and is responsible for the maintenance. Linking LANs and private WANs into a shared network involves a compromise among cost, performance, and security.
There are fixed costs in a typical WAN environment:
- Equipment purchases, such as modems, CSUs and DSUs, and router interfaces
- Circuit and service provisioning
- Network management tools and platforms
Recurring costs include the service provider monthly circuit fees and the support and maintenance of the WAN, including any network management center personnel.
WAN Transport Technology Pricing and Contract Considerations
Historically, WAN transport costs include an access circuit charge and, for TDM, a distance-sensitive rate. Some carriers have dropped or reduced distance-based factors as TDM circuits have become a commodity.
Access circuits generally take 60 days or more to be provisioned by the service provider. The higher the bandwidth, the more lead time it can take. For Metro Ethernet, availability can be spotty and the lead times can be long. Construction fees can be required for the fiber access. Service and pricing options between carriers should be compared to reduce fees, depending on competition in the area.
For Frame Relay and ATM, typical charges include a combination of an access circuit charge (per-PVC) and possibly per-bandwidth (committed information rate [CIR] or minimum information rate [MIR]) charges. Some carriers have simplified these rates by charging based on the access circuit and then setting the CIR or MIR to half that speed. This technique allows bursts to two times the guaranteed rate.
Frame Relay generally has been available at up to T3 speeds. In some cases, T3 is the size of trunks between Frame Relay switches, so the service providers do not want to offer T3 access circuits.
For MPLS VPN service, pricing is generally set to compete with Frame Relay and ATM. Some providers are encouraging customers to move to MPLS VPNs by offering lower prices for bandwidth than for Frame Relay and ATM. Other service providers price MPLS VPNs somewhat higher than Frame Relay or ATM because they are providing a routing service, which has value beyond bandwidth alone.
Tariffed commercial services are typically available at published rates and are subject to certain restrictions. Some carriers are moving toward unpublished rates, allowing more flexibility in options and charges.
In general, for a standard carrier package, the time that is needed to contract a WAN circuit is usually one month. If negotiating a service-level agreement (SLA), six months or more of discussions with the service provider, including the legal department, should be expected. Unless a very large customer is represented, it might not be possible to influence many changes in the SLA.
Contract periods usually last from one to five years. Because the telecommunications industry is changing rapidly, enterprises generally do not want to get locked into a long-term contract. Escape clauses that apply in the case of a merger or poor performance can help mitigate the business risks of long-term contracts.
For dark fiber, contract periods are generally 20 years in length. One key factor is the right of nonreversion, meaning that no matter what happens to the provider, the fiber belongs to the customer for 20 years. This way, the enterprise is protected in the case of situations such as a service provider merger, bankruptcy, and so on. The process to repair fiber cuts needs to be defined in the SLA.
WAN Design Requirements
When developing the WAN design by using the Prepare, Plan, Design, Implement, Operate, and Optimize (PPDIOO) methodology, continue the process of designing the topology and network solutions. This should be accomplished after taking the earlier steps of analyzing organizational requirements and characterizing the existing network.
To develop the WAN topology, consider the projected traffic patterns, technology performance constraints, and network reliability. The design document should describe a set of discrete functions that the enterprise edge modules perform. The document should also describe the expected level of service that is provided by each selected technology, based on the services that a service provider offers.
A network design should be adaptable to future technologies and should not include any design elements that limit the adoption of new technologies as they become available. This consideration needs to be balanced with the issue of cost-effectiveness throughout a network design and implementation. For example, many new internetworks are rapidly adopting VoIP. Network designs should support future VoIP without requiring a substantial upgrade by provisioning hardware and software that have options for expansion and upgradability.
Most users seek application availability in their networks. The chief components of application availability are response time, throughput, and reliability. Applications such as voice and video are negatively impacted by jitter and latency. Table 5-2 shows some examples of applications and their requirements.
Table 5-2. Identifying Application Requirements
| Requirement | Data File Transfer | Data-Interactive Application | Real-Time Voice | Real-Time Video |
|---|---|---|---|---|
| Response time | Reasonable | Within a second | Round trip of less than 250 ms of delay with low jitter | Minimum delay and jitter |
| Throughput and packet loss tolerance | High/Medium | Low/Low | Low/Low | High/Medium |
| Downtime (high reliability has low downtime) | Reasonable; zero downtime for mission-critical applications | Low; zero downtime for mission-critical applications | Low; zero downtime for mission-critical applications | Minimum; zero downtime for mission-critical applications |
Response Time
Response time is the time between a user request and a response from the host system. Users accept response times up to a certain limit, at which point user satisfaction declines. Applications in which a fast response time is considered critical include interactive online services, such as point-of-sale machines.
Response time is also a measure of usability for end users. They perceive the communication experience in terms of how quickly a screen updates or how much delay is present on a phone call. They view the network in terms of response time, not link utilization.
Throughput
In data transmission, throughput is the amount of data that is moved successfully from one place to another in a given time period. Applications that put high-volume traffic onto the network have a high impact on throughput. In general, throughput-intensive applications involve file-transfer activities. Usually, throughput-intensive applications do not require short response times, so they can be scheduled when response time–sensitive traffic is low (for example, after normal work hours).
Figure 5-4 illustrates response time and link utilization.
Figure 5-4 Utilization/Throughput Correlation
The response time increases with the offered traffic until it becomes unacceptable to the end user. Similarly, the link utilization increases with the offered traffic until the link becomes saturated. The goal of the designer is to determine the maximum offered traffic that is acceptable to both the end user and the network manager. Planning for a WAN capacity increase should begin early, usually when link utilization reaches 50 percent. Additional bandwidth purchases should start at 60 percent utilization. A link utilization of 75 percent typically means that increased WAN capacity is already urgently needed.
Packet Loss
The bit error rate (BER) is usually expressed as 10 to a negative power. For example, a transmission might have a BER of 10^-6, meaning that 1 out of 1,000,000 bits transmitted was in error. The BER indicates how frequently a packet or other data unit must be retransmitted because of an error. A BER that is too high might indicate that a slower data rate could improve the overall transmission time for a given amount of transmitted data. In other words, a slower data rate can reduce the BER, thereby lowering the number of packets that must be resent.
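The claim that a slower, cleaner link can move data faster than a faster, noisier one follows from how BER compounds across a packet. The following is an added example written for this page, not code from the book: it derives the per-packet error probability from the BER under an independent-bit-error assumption, the expected number of transmissions per packet, and the resulting goodput. The link rates, BER values and packet size used are constructed for illustration.

```python
"""Added example (not from the book): relate bit error rate (BER) to packet
retransmissions and effective throughput. Link rates and BER values used when
running this module are constructed for illustration; bit errors are assumed
independent of one another."""


def packet_error_probability(ber, packet_bytes):
    """Probability that a packet of packet_bytes contains at least one errored bit."""
    bits = packet_bytes * 8
    return 1.0 - (1.0 - ber) ** bits


def expected_transmissions(ber, packet_bytes):
    """Mean number of sends until one copy arrives clean: 1 / P(packet ok)
    (geometric distribution). Each error costs a full retransmission."""
    p_ok = 1.0 - packet_error_probability(ber, packet_bytes)
    return 1.0 / p_ok


def goodput_bps(rate_bps, ber, packet_bytes):
    """Useful bits per second once retransmissions are accounted for."""
    return rate_bps / expected_transmissions(ber, packet_bytes)


def transfer_time_s(total_bytes, rate_bps, ber, packet_bytes=1500):
    """Seconds to move total_bytes across a link of the given rate and BER."""
    return total_bytes * 8 / goodput_bps(rate_bps, ber, packet_bytes)


def rank_links(links, packet_bytes=1500):
    """links: iterable of (name, rate_bps, ber). Returns names ordered by goodput, best first."""
    ordered = sorted(links, key=lambda l: goodput_bps(l[1], l[2], packet_bytes), reverse=True)
    return [name for name, _, _ in ordered]


if __name__ == "__main__":
    # Constructed comparison: a faster but noisy link against a slower, clean one.
    candidates = [("fast-noisy", 2.048e6, 1e-4), ("slow-clean", 1.544e6, 1e-7)]
    for name, rate, ber in candidates:
        print(f"{name:11s} P(pkt err)={packet_error_probability(ber, 1500):.4f} "
              f"goodput={goodput_bps(rate, ber, 1500)/1e6:.3f} Mbps "
              f"10 MB takes {transfer_time_s(10_000_000, rate, ber):.1f} s")
    print("preferred:", rank_links(candidates)[0])
```

With 1500-byte packets, a BER of 10^-6 already corrupts roughly 1.2 percent of packets; at 10^-4 about 70 percent of packets need at least one resend, which is why the slower, cleaner link wins in the constructed comparison.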
Reliability
Although reliability is always important, some applications have requirements that exceed typical needs. Some organizations that require nearly 100 percent uptime for critical applications are
- Financial services
- Securities exchanges
- Emergency
- Police
- Military operations
These organizations require a high level of hardware and topological redundancy. Determining the cost of any downtime is essential to identify the relative importance of the reliability of the network.
QoS Considerations for Bandwidth Constraints
WAN links are typically much slower than LAN links. Transmitting data over a WAN is expensive. Therefore, using data compression, adjusting window sizes, or using a combination of queuing, access rate limits, and traffic shaping can optimize bandwidth usage and improve overall efficiency.
Cisco has developed QoS techniques to mitigate temporary congestion and provide preferential treatment for critical applications. QoS mechanisms, such as queuing, policing (limiting) of the access rate, and traffic shaping, enable network operators to deploy and operate large-scale networks. These networks can efficiently manage bandwidth-hungry applications, such as multimedia and web traffic, alongside mission-critical applications, such as host-based applications.
Figure 5-5 illustrates how the different technologies covered in this section fit together within the enterprise edge.
Figure 5-5 Cisco Design Integration with QoS Technologies
Classification
To provide priority to certain flows, the flow must first be identified and (if desired) marked. These two tasks are commonly referred to simply as classification. The following features support the classification process:
- Network-Based Application Recognition (NBAR): Allows packets to be classified by matching on fields at the application layer. Prior to the introduction of NBAR, the most granular classification was Layer 4 TCP and User Datagram Protocol (UDP) port numbers.
- Committed access rate (CAR): Used to set precedence that is based on extended access list classification. This allows considerable flexibility for precedence assignment, including assignment by application or user, by destination and source subnet, and so on.
Congestion Management
One of the ways that network elements manage an overflow of arriving traffic is to use a queuing algorithm. It sorts the traffic and then determines a method of prioritizing it onto an output link.
When positioning the role of queuing in networks, the primary issue is the duration of congestion. If WAN links are constantly congested, an organization either requires greater bandwidth or should use compression. Queuing is required only on congested WAN links.
There are two types of queues:
- Hardware queue: Uses the first in, first out (FIFO) strategy, which is necessary for the interface drivers to transmit packets one by one. The hardware queue is sometimes referred to as the transmit queue, or TxQ.
- Software queue: Schedules packets into the hardware queue based on QoS requirements, using a mechanism such as custom queuing (CQ), priority queuing (PQ), or weighted fair queuing (WFQ).
Priority Queuing
PQ is useful for time-sensitive, mission-critical protocols. It establishes four interface output queues, each serving a different priority level.
Custom Queuing
CQ establishes up to 16 interface output queues. When the appropriate number of frames is transmitted from a queue, the transmission window size is reached and the next queue is checked. CQ is a much more equitable solution for mission-critical applications than PQ because it guarantees some level of service to all traffic.
Weighted Fair Queuing
WFQ manages problems inherent in the FIFO queuing method. WFQ ensures that different traffic flows are sorted into separate streams, or conversation sessions, and alternately dispatched. WFQ is the default in Cisco IOS Software for links at or below 2.048 Mbps. Faster links use a hardware FIFO default.
Class-Based Weighted Fair Queuing
Class-based weighted fair queuing (CBWFQ) extends the standard WFQ functionality to provide support for user-defined traffic classes. With CBWFQ, traffic classes are defined based on match criteria, including protocols, access control lists (ACL), and input interfaces. Packets that satisfy the match criteria for a class constitute the traffic for that class. A queue is reserved for each class, and traffic that belongs to a class is directed to the appropriate queue.
After a class has been defined according to its match criteria, characteristics can be assigned. To characterize a class, assign it bandwidth, weight, and maximum packet limit. The bandwidth that is assigned to a class is the guaranteed bandwidth that is delivered to the class during congestion.
To characterize a class, the queue limit for that class needs to be specified, which is the maximum number of packets that are allowed to accumulate in the queue for the class. Packets that belong to a class are subject to the bandwidth and queue limits that characterize the class.
Low Latency Queuing
Low latency queuing (LLQ) brings strict PQ to CBWFQ. Strict PQ allows delay-sensitive data such as voice to be dequeued and sent first (before packets in other queues are dequeued), which gives delay-sensitive preferential treatment over other traffic.
Without LLQ, CBWFQ provides WFQ that is based on defined classes with no strict priority queue available for real-time traffic. CBWFQ allows traffic classes to be defined and assigned characteristics. For example, the minimum bandwidth that is delivered to the class during congestion can be designated.
For CBWFQ, the weight for a packet that belongs to a specific class is derived from the bandwidth that is assigned to the class during configuration. Therefore, the bandwidth of a class determines the order in which packets are sent. All packets are serviced fairly based on weight. No class of packets can be granted strict priority. This scheme poses problems for voice traffic, which is largely intolerant of delay, and especially for voice traffic that is intolerant of variation in delay.
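The scheduling difference described above, as an added simulation that is not code from the book: three constructed classes are fully backlogged at time 0 on a 256 kbps link, and the same scheduler is run once with VOICE as an LLQ strict-priority class and once as an ordinary CBWFQ bandwidth class. The WFQ approximation (lowest weighted virtual finish time, with the class bandwidth as weight) and the packet sizes are assumptions of this example.

```python
"""LLQ versus plain CBWFQ under congestion (added illustration, not the book's code).

Constructed scenario: every packet is queued before t = 0 on a 256 kbps link.
Classes: VOICE 64 kbps, CRITICAL 128 kbps, BULK 64 kbps. A priority class is
served strictly first (LLQ); otherwise the head packet with the lowest
virtual finish time is sent, the finish time growing by bits / weight where
the weight is the class's configured bandwidth (a WFQ approximation).
"""
from collections import deque
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class TrafficClass:
    name: str
    bandwidth_kbps: int            # guaranteed bandwidth; also the WFQ weight
    priority: bool = False         # True makes this the LLQ strict-priority queue
    queue: deque = field(default_factory=deque)   # entries: (finish_tag, size_bytes)
    last_tag: Fraction = Fraction(0)

    def enqueue(self, size_bytes: int) -> None:
        # Tags are assigned at enqueue; exact here because all packets are
        # already backlogged when scheduling starts (full congestion).
        self.last_tag += Fraction(size_bytes * 8, self.bandwidth_kbps)
        self.queue.append((self.last_tag, size_bytes))


def schedule(classes, link_bps):
    """Drain all queues on a link of link_bps; return [(departure_s, class, bytes)]."""
    clock = Fraction(0)
    departures = []
    while any(c.queue for c in classes):
        backlogged = [c for c in classes if c.queue]
        strict = [c for c in backlogged if c.priority]
        if strict:
            chosen = strict[0]                       # LLQ: priority queue always first
        else:
            chosen = min(backlogged, key=lambda c: c.queue[0][0])   # CBWFQ pick
        _tag, size = chosen.queue.popleft()
        clock += Fraction(size * 8, link_bps)        # serialization time on the link
        departures.append((float(clock), chosen.name, size))
    return departures


def build_classes(voice_is_priority: bool):
    voice = TrafficClass("VOICE", 64, priority=voice_is_priority)
    critical = TrafficClass("CRITICAL", 128)
    bulk = TrafficClass("BULK", 64)
    for _ in range(10):
        voice.enqueue(200)        # constructed: 10 small voice packets
    for _ in range(30):
        critical.enqueue(1000)    # constructed: 30 data packets per class
        bulk.enqueue(1000)
    return [voice, critical, bulk]


def last_departure(departures, name):
    """Departure time (s) of the last packet of the named class."""
    return max(t for t, cls, _ in departures if cls == name)


def class_counts(departures, first_n, skip_name):
    """Per-class packet counts among the first first_n departures not in skip_name."""
    counts = {}
    for _t, cls, _size in [d for d in departures if d[1] != skip_name][:first_n]:
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    llq = schedule(build_classes(True), 256_000)
    cbwfq = schedule(build_classes(False), 256_000)
    print("last voice packet leaves: LLQ %.4f s, CBWFQ %.4f s"
          % (last_departure(llq, "VOICE"), last_departure(cbwfq, "VOICE")))
    print("CRITICAL:BULK share over 30 data packets:", class_counts(llq, 30, "VOICE"))
```

With LLQ all ten voice packets leave within 62.5 ms; as a plain CBWFQ class the same voice traffic is interleaved with data and the last voice packet leaves three times later, while the 128:64 bandwidth ratio still yields a 2:1 packet share between CRITICAL and BULK.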
Traffic Shaping and Policing
Traffic shaping and traffic policing (also referred to as committed access rate [CAR]) are similar mechanisms. Both inspect traffic and then take an action based on the characteristics of that traffic, usually whether the traffic is over or under a given rate. An example of traffic shaping is shown in Figure 5-6. Sometimes the action is based on bits in the headers, such as the Differentiated Services Code Point (DSCP) or IP precedence.
Figure 5-6 Traffic Shaping Example
Policing, when the policing agent determines that a packet meets given criteria, either discards the packet or modifies some aspect of it, such as its IP precedence. By comparison, traffic shaping adjusts the transmission rate of packets that match certain criteria: it holds packets in a buffer and releases them at a preconfigured rate. Shaping is available only for traffic that is leaving an interface.
An enterprise policy management scheme could deem that traffic generated by a particular resource such as voice should be considered "first-class" traffic so that it receives a top-priority marking. Other traffic, such as data, could drop to a lower-priority class.
Topologies that have higher-speed links that feed into lower-speed links (such as from a central site to a branch office) often experience bottlenecks at the remote end. Traffic shaping helps eliminate the bottleneck by throttling back traffic volume at the source. The most common use of traffic shaping in the enterprise is to smooth the flow of traffic across a single link toward a service provider transport network. This is done to ensure compliance with the traffic contract. This technique avoids service provider policing at the receiving end. Shaping reduces the bursty nature of the transmitted data. It is most useful when the contract rate is less than the line rate. Traffic shaping can also be used to respond to signaled congestion from the transport network when the traffic rates exceed the contract guarantee.
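The policing-versus-shaping distinction above, as an added token-bucket simulation that is not code from the book: a constructed burst that exceeds a 64 kbps committed rate is run through a policer (excess dropped) and through a shaper (excess buffered and released at the committed rate). The rate, burst and packet sizes are assumptions of this example.

```python
"""Token-bucket policer versus shaper (added illustration, not the book's code).

Constructed scenario: ten 500-byte packets arrive 10 ms apart (400 kbps
instantaneous) at an interface with a 64 kbps committed rate and an
8000-bit burst allowance. The policer drops whatever exceeds the bucket; the
shaper holds the same packets in a FIFO buffer and releases them at the
committed rate, so nothing is dropped but the tail of the burst is delayed.
"""
from collections import deque

COMMITTED_RATE_BPS = 64_000
BURST_BITS = 8_000
# constructed input: (arrival_seconds, size_bytes)
SAMPLE_PACKETS = [(i * 0.01, 500) for i in range(10)]


class TokenBucket:
    """Tokens (bits) accrue at rate_bps and are capped at burst_bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate = rate_bps
        self.burst = burst_bits
        self.tokens = float(burst_bits)   # bucket starts full
        self.last = 0.0                   # time of the last refill, seconds

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conforms(self, now, bits):
        """Policer check: spend tokens if enough are available, else violate."""
        self.refill(now)
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False

    def wait_for(self, now, bits):
        """Shaper helper: seconds until `bits` tokens will be available."""
        self.refill(now)
        deficit = bits - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.rate


def police(packets, rate_bps=COMMITTED_RATE_BPS, burst_bits=BURST_BITS):
    """Return (conforming, dropped). A policer could also re-mark instead of drop."""
    bucket = TokenBucket(rate_bps, burst_bits)
    conforming, dropped = [], []
    for arrival, size in sorted(packets):
        if bucket.conforms(arrival, size * 8):
            conforming.append((arrival, size))
        else:
            dropped.append((arrival, size))
    return conforming, dropped


def shape(packets, rate_bps=COMMITTED_RATE_BPS, burst_bits=BURST_BITS):
    """Return [(arrival, release, size)]; every packet is eventually released."""
    bucket = TokenBucket(rate_bps, burst_bits)
    clock = 0.0
    released = []
    for arrival, size in sorted(packets):
        bits = size * 8
        clock = max(clock, arrival)            # FIFO: cannot release before arrival
        clock += bucket.wait_for(clock, bits)  # hold until the bucket has enough
        bucket.refill(clock)
        bucket.tokens = max(0.0, bucket.tokens - bits)
        released.append((arrival, clock, size))
    return released


def max_shaping_delay(released):
    """Worst buffering delay (s) imposed by the shaper on any packet."""
    return max(release - arrival for arrival, release, _ in released)


if __name__ == "__main__":
    ok, drop = police(SAMPLE_PACKETS)
    print("policer: %d conform, %d dropped" % (len(ok), len(drop)))
    out = shape(SAMPLE_PACKETS)
    print("shaper: %d released, last at %.3f s, worst delay %.3f s"
          % (len(out), out[-1][1], max_shaping_delay(out)))
```

The policer passes only 3 of the 10 packets; the shaper delivers all 10 at the contract rate, with the last one held for 410 ms, which is the trade-off the text describes between dropping at the provider edge and smoothing at the source.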
Link Efficiency
Currently, Cisco IOS Software offers several efficiency mechanisms: Link Fragmentation and Interleaving (LFI), Multilink PPP (MLP), and Real-Time Transport Protocol (RTP) header compression:
- Multilink PPP (MLP): Can logically connect multiple links between two systems, as needed, to provide extra bandwidth. Remotely accessing resources through MLP allows an increase in overall throughput. This is done by logically aggregating the bandwidth of two or more physical communication links such as analog modems, ISDN, and other analog or digital links. MLP is based on Internet Engineering Task Force (IETF) standard RFC 1990.
PPP is commonly used to establish a direct connection between two nodes. It can connect computers using serial cable, phone lines, trunk lines, cellular telephones, specialized radio links, or fiber-optic links. Most ISPs use PPP for their customers' dialup access to the Internet. An encapsulated form of PPP, called PPP over Ethernet, or PPPoE, is commonly used in a similar role with DSL Internet service. PPP is frequently used as a Layer 2 protocol for connection over synchronous and asynchronous circuits.
- Link Fragmentation and Interleaving (LFI): Interactive traffic (Telnet, VoIP, and so on) is susceptible to increased latency and jitter when the network processes large packets (for example, LAN-to-LAN FTP transfers traversing a WAN link), especially as they are queued on slower links. The Cisco IOS LFI feature reduces delay and jitter on slower-speed links by breaking up large datagrams and interleaving low-delay traffic packets with the resulting smaller packets.
- Real-Time Transport Protocol (RTP) header compression: Increases efficiency for many of the newer VoIP or multimedia applications that take advantage of RTP, especially on slow links, by compressing the RTP/UDP/IP header from 40 bytes to 2 to 4 bytes.
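The LFI effect described above, as an added simulation that is not code from the book: a 1500-byte datagram is serialized on a constructed 64 kbps link while small voice packets keep arriving, once without fragmentation and once with 160-byte fragments. The link rate, packet sizes and arrival times are assumptions of this example.

```python
"""Serialization delay with and without LFI (added illustration, not the book's code).

Constructed scenario on a 64 kbps link: a 1500-byte data packet starts
transmitting at t = 0 while 60-byte voice packets (payload plus headers)
arrive every 20 ms starting at t = 5 ms. Queued voice is sent ahead of the
data packet whenever the link frees, but a frame already on the wire cannot
be interrupted: without LFI the first voice packet waits for the whole
187.5 ms serialization of the big packet; with 160-byte fragments it never
waits longer than one fragment time (20 ms).
"""
from collections import deque

LINK_BPS = 64_000
VOICE_ARRIVALS_MS = [5 + 20 * k for k in range(15)]   # constructed input


def serialization_ms(size_bytes, link_bps=LINK_BPS):
    """Time to clock size_bytes onto a link of link_bps, in milliseconds."""
    return size_bytes * 8 * 1000 / link_bps


def fragment(size_bytes, fragment_bytes):
    """Split a datagram into LFI fragments; the last one may be smaller."""
    whole, rest = divmod(size_bytes, fragment_bytes)
    return [fragment_bytes] * whole + ([rest] if rest else [])


def interleave(big_bytes, fragment_bytes, voice_bytes=60,
               voice_arrivals_ms=VOICE_ARRIVALS_MS, link_bps=LINK_BPS):
    """Simulate the link; return (voice_queuing_delays_ms, transmission_log)."""
    frags = deque(fragment(big_bytes, fragment_bytes))
    voice = deque(sorted(voice_arrivals_ms))
    now, delays, log = 0.0, [], []
    while frags or voice:
        if voice and voice[0] <= now:             # waiting voice goes first
            arrival = voice.popleft()
            delays.append(now - arrival)
            kind, size = "voice", voice_bytes
        elif frags:                               # otherwise the next fragment
            kind, size = "fragment", frags.popleft()
        else:                                     # link idle until next voice arrival
            now = float(voice[0])
            continue
        log.append((now, kind, size))
        now += serialization_ms(size, link_bps)   # the frame occupies the link
    return delays, log


def worst_voice_delay_ms(big_bytes=1500, fragment_bytes=None):
    """Max voice queuing delay; fragment_bytes=None means LFI is disabled."""
    delays, _ = interleave(big_bytes, fragment_bytes or big_bytes)
    return max(delays)


if __name__ == "__main__":
    print("worst voice delay without LFI: %.1f ms" % worst_voice_delay_ms())
    print("worst voice delay with 160-byte fragments: %.1f ms"
          % worst_voice_delay_ms(fragment_bytes=160))
```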
Window Size
The window size specifies the maximum number of frames that are transmitted without receiving an acknowledgment. Acknowledgment procedures are particularly important in a protocol layer that provides reliability, such as hop-by-hop acknowledgment in a reliable link protocol or end-to-end acknowledgment in a transport protocol.
The current window is defined as the amount of data that can be sent by a protocol without acknowledgment, which is always less than or equal to the window size. This form of data acknowledgment provides a means in which the network is "self-clocked" so that data flows steadily between the two endpoints of the connection. For example, if the TCP window size is set to 8192, the sender must stop after sending 8192 bytes if no acknowledgment comes from the receiver. This value might be unacceptable for long WAN links with significant delays. In these cases, the window size can be adjusted to a higher value. Frequent retransmissions are a risk, however, because of links with high error rates, which reduce the throughput dramatically.
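The 8192-byte stop-and-wait behaviour above, as an added simulation that is not code from the book: the sender fills its window, stalls until acknowledgments return one round-trip time later, and the achieved rate is compared across constructed WAN delays; the RTT values, segment size and link rate are assumptions of this example.

```python
"""Sliding-window throughput ceiling (added illustration, not the book's code).

Models what the text describes: a sender with an 8192-byte window transmits
until the window is full, then stops until acknowledgments arrive one
round-trip time later. Transmission time and loss are ignored so the result
isolates the window/RTT limit on long-delay WAN links. All RTT and link
values used here are constructed, not measured.
"""
import heapq


def bytes_acked(window_bytes, segment_bytes, rtt_ms, duration_ms):
    """Bytes acknowledged within duration_ms when the window never grows."""
    in_flight, acked, now = 0, 0, 0
    pending = []                                   # min-heap of (ack_time_ms, bytes)
    while now <= duration_ms:
        while in_flight + segment_bytes <= window_bytes:     # fill the window
            in_flight += segment_bytes
            heapq.heappush(pending, (now + rtt_ms, segment_bytes))
        if not pending:
            break
        now, n = heapq.heappop(pending)            # window full: wait for an ACK
        if now > duration_ms:
            break
        in_flight -= n
        acked += n
        while pending and pending[0][0] == now:    # the rest of that round's ACKs
            _, n = heapq.heappop(pending)
            in_flight -= n
            acked += n
    return acked


def throughput_bps(window_bytes, rtt_ms, segment_bytes=1024, duration_ms=2000):
    """Achieved rate in bit/s; equals window * 8 / RTT regardless of link speed."""
    acked = bytes_acked(window_bytes, segment_bytes, rtt_ms, duration_ms)
    return acked * 8 * 1000 // duration_ms


def window_for(link_bps, rtt_ms):
    """Window needed to keep a link busy: the bandwidth-delay product in bytes."""
    return link_bps * rtt_ms // 8 // 1000


if __name__ == "__main__":
    for rtt in (200, 500):                         # constructed WAN round-trip times
        print("8192-byte window, %d ms RTT: %d bit/s" % (rtt, throughput_bps(8192, rtt)))
    # An 8192-byte window fills a 2.048 Mbps link only up to a 32 ms RTT.
    print("window needed for 2.048 Mbps at 500 ms RTT: %d bytes" % window_for(2_048_000, 500))
```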
Designing the Enterprise WAN
Many WAN technologies exist today, and new technologies are constantly emerging. In general, the most appropriate WAN selection results in high efficiency and leads to user satisfaction. The network designer should be aware of possible WAN design choices when considering enterprise requirements. The following sections describe the characteristics of WAN architectures.
Traditional WAN Designs
Each WAN design is based on application requirements, the geography, and the available service provider offerings. One of the main issues in traditional WAN connections is the selection of the appropriate physical WAN technology. Options include the following:
- Leased lines: Point-to-point connections that are reserved for transmissions rather than used only when transmission is required. The carrier establishes the connection to dedicate a physical wire or to delegate a channel using frequency division multiplexing (FDM) or time-division multiplexing (TDM). Usually, leased-line connections use synchronous transmission.
- Circuit-switched networks: This is a type of network that, for the duration of the connection, obtains and dedicates a physical path to a single connection between two endpoints in the network. Ordinary voice telephone service over the public switched telephone network (PSTN) is circuit switched. The telephone company reserves a specific physical path to the number being called for the duration of the call. During that time, no one else can use the physical lines that are involved. Examples of circuit-switched networks are asynchronous serial and ISDN.
- Packet- and cell-switched networks: These are carrier-created permanent virtual circuits (PVC) or switched virtual circuits (SVC) that deliver packets among different sites. Users share common carrier resources and can use different paths through the WAN. This option allows the carrier to use its infrastructure more efficiently than with leased point-to-point links. Examples of packet-switched networks are X.25, Frame Relay, and Switched Multimegabit Data Service (SMDS).
The three basic design approaches for packet-switched networks include star, fully meshed, and partially meshed topologies.
Star Topology
A star, or hub-and-spoke, topology features a single hub (central router) that provides access from remote networks into a core router. All communication between networks goes through the core router. The advantages of a star approach are simplified management and minimized tariff costs. However, the disadvantages are significant. Consider the following:
- The central router (hub) represents a single point of failure.
- The central router limits overall performance for access to centralized resources.
- The central router is a single pipe that manages all traffic that is intended either for the centralized resources or for the other regional routers.
- The topology is not scalable.
Fully Meshed Topology
In a fully meshed topology, each routing node on the periphery of a given packet-switching network has a direct path to every other node on the cloud. The key rationale for creating a fully meshed environment is to provide a high level of redundancy. It is not viable in large packet-switched networks. The following are key issues for a fully meshed topology:
- A large number of virtual circuits are required (one for every connection between routers).
- Problems are associated with the requirement for large numbers of packet and broadcast replications.
- Configuration is complex for routers without routing protocol multicast support in nonbroadcast environments.
Partially Meshed Topology
A partially meshed topology reduces the number of routers within a region that have direct connections to all other nodes in the region. Not all nodes are connected to all other nodes. There are many forms of partially meshed topologies. In general, partially meshed approaches provide the best balance for regional topologies, based on the number of virtual circuits, redundancy, and performance.
Remote-Access Network Design
Remote access provides access primarily to users who are connecting to network resources from external locations, such as Internet hotspots, public access, and so on. The principal function is to provide access to internal resources and applications. Remote access is an important service for the Internet edge. With remote access enabled on the Internet edge, mobile workers, teleworkers, partners, and even external customers are able to access resources. To ensure that this service is available and secure, many important security design considerations must be taken into account.
When designing a remote-access network for teleworkers and traveling employees, the type of connection influences the technology selections. For example, the decision needs to be made whether to choose a data link or a network layer connection. The most suitable choice among a wide range of remote-access technologies can be made by analyzing the application requirements and service provider offerings.
Here is a summary of typical remote-access requirements:
- Data link layer WAN technology from remote sites to the enterprise edge network (consider investment and running costs)
- Low-volume data file transfer and interactive traffic, without any specific requirements regarding quality
- The ability to access the same applications that are used in the office, both voice and data, from anywhere
Remote access to the enterprise network is typically provided over permanent or on-demand connections. The typical initial design options are as follows:
- On-demand connections for traveling workers
- Permanent connections for remote teleworkers through a dedicated circuit or a provisioned service
Remote-access technologies can include DSL, cable, and hotspot wireless services.
VPN Design
A VPN is defined as connectivity that is deployed on a shared infrastructure with the same policies, including security and performance, as a private network. The infrastructure that is used can be the Internet, an IP infrastructure, or any WAN infrastructure, such as a Frame Relay network or an ATM WAN.
The three types of VPNs are grouped according to their applications:
- Access VPN: Provides entry to a corporate intranet over a shared infrastructure with the same policies as a private network. Remote-access connectivity is through ISDN, DSL, wireless, or cable technologies. Access VPNs enable businesses to outsource their dialup or other broadband remote-access connections without compromising their security policy. Access VPNs include two architectural options: client-initiated connections or connections that are initiated by a network access server (NAS). With client-initiated access VPNs, users establish an encrypted IP tunnel from their PCs across the shared network of a service provider to their corporate network. An alternate architecture for access VPNs defines the tunnels that are initiated from the NAS, where remote users dial in to the local service provider points of presence (POP) and the service provider initiates a secure, encrypted tunnel to the corporate network.
- Intranet VPN: Links remote offices. The intranet VPN services are typically based on dedicated access that extends the basic remote-access VPN to other corporate offices across the Internet or across the IP backbone of the service provider. The main benefits of intranet VPNs are as follows:
  - Reduced WAN infrastructure needs
  - Lower ongoing leased-line or Frame Relay charges
  - Operational savings
- Extranet VPN: An organization uses either the Internet or a service provider network to connect to its business partners. The security policy becomes very important at this point because the organization does not want a hacker to spoof any orders from a business partner.
Enterprise Versus Service Provider–Managed VPNs
Deploying a VPN can help ensure a business that its networks provide secure remote connectivity. The next step is to determine whether to design, build, and manage the network in house or to use a provider for service management. The following points represent technology that is used by the enterprise (in house) or a service provider to offer multiservice IP VPNs:
- Enterprise-managed VPN
  - IP Security (IPsec):
    - IPsec direct encapsulation
    - Cisco Easy VPN
    - Point-to-point Generic Routing Encapsulation (GRE) over IPsec
    - Dynamic Multipoint Virtual Private Network (DMVPN)
    - Virtual tunnel interface (VTI)
  - Layer 2 Tunneling Protocol version 3 (L2TPv3)
- Service provider–managed VPN
  - Multiprotocol Label Switching (MPLS)
  - Metro Ethernet
  - Virtual Private LAN Services (VPLS)
Enterprise Managed VPN: IPsec
The IPsec standard provides a method to manage authentication and data protection between multiple cryptographic peers that are engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) protocol and Authentication Header (AH).
IPsec uses symmetrical encryption algorithms for data protection. Symmetrical encryption algorithms are more efficient and easier to implement in hardware. These algorithms need a secure method of key exchange to ensure data protection. Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
This solution requires a standards-based way to secure data from eavesdropping and modification, and IPsec provides such a method. IPsec offers a choice of transform sets so that a user can select the strength of the data protection. IPsec also has several Hash-based Message Authentication Codes (HMAC) from which to choose; each provides a different level of protection against attacks such as man-in-the-middle packet replay (antireplay) and data integrity attacks.
IPsec Direct Encapsulation
IPsec provides a tunnel mode of operation that enables it to be used as a standalone connection method. This option is the most fundamental IPsec VPN design model; Figure 5-7 illustrates this model. IPsec direct encapsulation designs cannot transport IGP dynamic routing protocols or IP multicast traffic.
Figure 5-7 IPsec Direct Encapsulation
Each remote site initiates an IPsec tunnel to a predefined head end. Remotes can have static or dynamic IP addresses, while head ends must have static IP addresses.
Resiliency can be provided by IPsec stateful failover at the head-end locations. Branch routers can be configured with a list of head ends. If a connection cannot be established with the first head end, subsequent head ends are tried until a successful connection is made.
Cisco Easy VPN
Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet. Many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated. Typically, it requires tedious coordination between network administrators to configure the VPN parameters of the two routers.
As Figure 5-8 illustrates, the Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing the Cisco VPN Client protocol. This allows most VPN parameters to be defined at a Cisco Easy VPN Server. After the Cisco Easy VPN Server has been configured, a VPN connection can be created with minimal configuration on a Cisco Easy VPN Remote, such as a Cisco 800 Series router or a Cisco 1700 Series Modular Access Router.
Figure 5-8 Cisco Easy VPN
Point-to-Point GRE over IPsec
IPsec can be deployed with point-to-point Generic Routing Encapsulation (GRE): an IPsec-encrypted, point-to-point GRE tunnel that provides additional functionality. With the addition of point-to-point GRE to IPsec, dynamic interior gateway protocol (IGP) routing protocols and IP multicast traffic can be transported over the VPN tunnel.
GRE over IPsec designs offer the following advantages:
- IP multicast and non-IP protocols are supported.
- Dynamic IGP routing protocols over the VPN tunnel are supported.
- Quality of service (QoS) policies can be configured per point-to-point GRE over an IPsec tunnel (scalability might be an issue).
- Distribution of IPsec tunnels to head-end routers is deterministic, with routing metrics and convergence choosing the best path.
- All primary and secondary or backup point-to-point GRE over IPsec tunnels are preestablished. A new tunnel does not have to be established in the event of a failure scenario.
Each remote site is connected with a point-to-point GRE over IPsec tunnel to a predefined head end. Remotes can have static or dynamic IP addresses, while head ends must have static IP addresses.
Resiliency can be provided by configuring point-to-point GRE over IPsec tunnels to multiple head-end routers at one or more geographic hub locations. An IGP dynamic routing protocol is exchanged over the point-to-point GRE over IPsec tunnels. Primary tunnels are differentiated from secondary tunnels by configuring slightly different routing metrics.
IPsec DMVPN
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software solution for building IPsec + GRE VPNs in an easy, dynamic, and scalable manner. DMVPN relies on two proven technologies:
- Next-Hop Resolution Protocol (NHRP): Creates a distributed NHRP mapping database of all the spoke tunnel addresses to their real (public interface) addresses
- Multipoint GRE (mGRE) tunnel interface: A single GRE interface that supports multiple GRE and IPsec tunnels, which reduces the size and complexity of the configuration
DMVPN offers configuration reduction and no-touch deployment. DMVPN also supports the following features:
- IP unicast, IP multicast, and dynamic routing protocols
- Remote peers with dynamically assigned addresses
- Spoke routers behind dynamic NAT and hub routers behind static NAT
- Dynamic spoke-to-spoke tunnels for scaling partially meshed or fully meshed VPNs
In addition, the following items are true about DMVPNs:
- Dynamic IGP routing protocols over the VPN tunnel are supported.
- QoS service policies can be configured per point-to-point GRE over IPsec tunnel (scalability might be an issue).
- Distribution of IPsec tunnels to head-end routers is deterministic, with routing metrics and convergence choosing the best path.
- All primary and secondary or backup GRE over IPsec tunnels are preestablished. A new tunnel does not have to be established in the event of a failure scenario.
Each remote site is connected with a point-to-point GRE tunnel interface to a predefined head end. The head-end routers use mGRE interfaces to dynamically accept new tunnel connections.
Resiliency can be provided by configuring DMVPN tunnels that are mapped to mGRE interfaces on multiple head-end routers at one or more geographic hub locations.
Remotes can have static or dynamic IP addresses, while head ends must have static IP addresses. An IGP dynamic routing protocol is exchanged over the DMVPN tunnels, and primary and secondary tunnels are differentiated by configuring slightly different routing metrics.
IPsec tunnel protection is generally used to map the cryptographic attributes to the tunnel that is originated by the remote router. Dead peer detection (DPD) can be enabled to detect the loss of a peer connection.
NHRP is configured on both the head-end and branch office routers, and is a requirement for using mGRE interfaces.
IPsec VTI Design
Virtual tunnel interface (VTI) design is one of the newest IPsec VPN design options available in Cisco IOS Software. VTI designs have a number of distinct advantages over other IPsec design options, including the ability to transport IGP dynamic routing protocols and IP multicast traffic without the addition of point-to-point GRE or mGRE headers.
In addition, VTI tunnels are assigned an interface so that tunnel-level features, such as a QoS service policy, can be enabled on each tunnel. This makes it possible to have per-VPN tunnel/destination QoS.
L2TPv3 Design
L2TPv3 offers a high-speed, transparent Layer 2–to–Layer 2 service over an IP backbone. L2TPv3 signaling is responsible for negotiating control plane parameters, session IDs, and cookies; for performing authentication; and for exchanging configuration parameters. L2TPv3 is also used to deliver hello messages and circuit status messages in a reliable manner. These messages are critical to support circuit interworking, such as the Local Management Interface (LMI), and to monitor the remote circuit status.
L2TPv3 supports the following Layer 2 payloads, which can be included in L2TP packets that are tunneled over the pseudowire:
- Frame Relay
- Ethernet
- IEEE 802.1q (VLAN)
- High-Level Data Link Control (HDLC)
- PPP
Service Provider–Managed VPNs: MPLS
Multiprotocol Label Switching (MPLS) enables enterprises and service providers to build next-generation intelligent networks that deliver a wide variety of advanced, value-added services over a single infrastructure. This economical solution can be integrated seamlessly over any existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet. Subscribers with differing access links can be aggregated on an MPLS edge without changing their current environments, as MPLS is independent of access technologies.
Integration of MPLS application components, including Layer 3 VPNs, Layer 2 VPNs, traffic engineering, QoS, and IP version 6 (IPv6), enables the development of highly efficient, scalable, and secure networks that guarantee service-level agreements (SLA).
MPLS Layer 3 VPN Design
Cisco IOS MPLS Layer 3 VPN is the most widely deployed MPLS technology. MPLS Layer 3 VPNs use a peer-to-peer VPN model that leverages Border Gateway Protocol (BGP) to distribute VPN-related information. This peer-to-peer model allows enterprise subscribers to "outsource" routing information to service providers, resulting in significant cost savings and a reduction in operational complexity for enterprises.
With MPLS VPNs, networks are learned with an interior gateway protocol (IGP) routing protocol such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), or Routing Information Protocol version 2 (RIPv2), with static addresses that are configured by an administrator or with BGP from other internal routers. MPLS VPNs use an additional label to specify the VPN and the corresponding VPN destination network. This additional label allows overlapping addresses between VPNs.
With MPLS Layer 3 VPNs, service providers can offer value-added services like QoS and traffic engineering, enabling network convergence that encompasses voice, video, and data. MPLS Layer 3 VPNs can be deployed with Cisco MPLS traffic engineering (TE) and Fast Reroute (FRR) to offer "tight SLAs." QoS-based offerings vary from two to five classes of service.
Service Provider–Managed VPNs: Metro Ethernet
Demand for bandwidth in the metropolitan-area network (MAN or metro) is exploding as a result of data-intensive applications, new business models that rely on the Internet, and population growth. Increasingly, service providers are meeting that demand with Metro Ethernet access services. These services are based on Ethernet, IP, and optical technologies such as dense wavelength division multiplexing (DWDM) or coarse wavelength division multiplexing (CWDM). Compared to fixed bandwidth facilities, Metro Ethernet access services provide more bandwidth, the ability to provision bandwidth in flexible increments, resiliency with Route Processor Redundancy (RPR), and better support for converged voice, video, and data services.
Today, more service providers are using Ethernet access to their backbone network, whether through SONET/SDH, MPLS, Frame Relay, or the Internet. Broadband connectivity is provided by an Ethernet hand-off to either a cable modem or DSL bridge. This provides the following benefits:
- Service-enabling solution: Layering value-added advanced services in addition to the network
- More flexible architecture:
  - Increasing port speeds without the need to dispatch a technician, and typically with no new customer premises equipment (CPE)
  - Evolving existing services (Frame Relay/ATM internetworking) to an IP-optimized solution
- Seamless enterprise integration: Ease of integration with typical LAN network equipment
Service Provider–Managed VPNs: VPLS
VPLS is a class of VPN that supports the connection of multiple sites in a single bridged domain over a managed IP/MPLS network. VPLS presents an Ethernet interface to customers. This interface simplifies the LAN/WAN boundary for service providers and customers and enables rapid and flexible service provisioning, because the service bandwidth is not tied to the physical interface. This is illustrated in Figure 5-9. All services in a VPLS appear to be on the same LAN, regardless of location.
Figure 5-9 VPLS Design
VPLS uses edge routers that can learn, bridge, and replicate on a VPN basis. These routers are connected by a full mesh of tunnels, enabling any-to-any connectivity.
VPLS supplies an architecture that provides Ethernet Multipoint Service (EMS) across geographically dispersed locations using MPLS as a transport. EMSs are attractive because they offer solutions to problems that many enterprise customers and service providers are seeking to address (for example, high-speed, secure, any-to-any forwarding at Layer 2). The requirement to forward frames at Layer 2 is important: many new applications and services dictate that the service be transparent to upper-layer protocols (ULP), or lack network layer addressing altogether (for example, NetBIOS Extended User Interface [NetBEUI]).
WAN Backup Strategy Design
WAN links are relatively unreliable compared to LAN links, and often are much slower than the LANs that they connect. The combination of uncertain reliability, lack of speed, and high importance makes the WAN link a good candidate for redundancy.
Each enterprise edge solution requires a WAN backup to provide high availability between sites. Branch offices should experience minimal downtime in the event of a primary link failure. Backup connections can be established using either dialup or permanent connections.
The primary WAN backup options are as follows:
- Dial backup routing: Dial backup routing uses dialup services such as ISDN. The switched circuit provides the backup service for another type of circuit, such as point-to-point or Frame Relay. The router initiates the dial backup line based on object tracking parameters or when a failure is detected on the primary circuit. The dial backup line provides WAN connectivity until the primary circuit is restored and then terminates.
- Permanent secondary WAN link: The deployment of an additional permanent WAN link between each remote office and the central office (CO) makes the network more fault-tolerant. This capability offers two advantages:
  - Backup link: If a connection between any remote office and the CO fails, the backup link is used. The Reliable Static Routing Backup Using Object Tracking feature can ensure reliable backup in the case of several catastrophic events. If the connection to the main office is lost, the status of the tracked object changes from up to down. When the state of the tracked object changes to down, the routing table entry for the primary interface is removed. Traffic is then forwarded to the preconfigured destination from the secondary interface. This ability allows applications to proceed in the event of a WAN link failure and thus improves application availability.
  - Increased bandwidth: The additional bandwidth decreases response times when the connected router supports load balancing between two parallel links of equal cost. In this case, load balancing is performed automatically through the routing protocol.
- IPsec: Using an IPsec VPN, the WAN traffic can be directed back to the corporate headquarters through the Internet when a failure is detected.
In Figure 5-10, the connections between the central site enterprise edge and remote sites use permanent primary and secondary WAN links for redundancy. To increase the utilization of the backup link, a routing protocol such as EIGRP is used to support load balancing over unequal paths on either a per-packet or a per-destination basis.
Figure 5-10 WAN Backup Example
Backup links should be provisioned so that they become active when a primary link fails or becomes congested. Backup links often use different technologies; for example, leased lines are used with backup IPsec VPNs.
Using the Internet as a WAN Backup
The Internet can be used as an alternate option for a failed WAN connection. This type of connection is considered "best effort" and guarantees no bandwidth. This topic describes a WAN backup design for use over the Internet.
When relying on the Internet to provide a backup for branch offices, the enterprise must cooperate fully with the ISP and announce its networks to gain connectivity. If a connection between any branch office and the CO fails, the backup IPsec tunnel is used. In addition, the Reliable Static Routing Backup Using Object Tracking feature can ensure reliable backup in the case of several failures.
Selecting the Enterprise WAN Architecture
After identifying the remote connectivity requirements and understanding traditional WAN designs, the WAN architecture is ready to be selected.
When selecting technologies, decision makers should consider the following factors:
- Support for network growth: Enterprises that anticipate significant growth should choose a technology that allows the network to grow with their business. Issues to be considered are the amount of time, cost, and effort that is involved in connecting new branches and remote offices. WAN technologies with high support for network growth make it possible to add new branches or remote offices with minimal configuration at existing sites. This minimizes costs and IT staff requirements for such changes. WAN technologies with lower support for network growth require significantly more time and cost to expand the network.
- Appropriate availability: Businesses that are heavily impacted by even the smallest disruption in network communications should consider availability to be a priority when choosing a connectivity technology. Highly available technologies provide inherent redundancy, so that no single point of failure exists in the network. Lower-availability technologies can still recover dynamically from a network disruption in a short time, but even this short outage might be too costly for some businesses. Technologies that do not inherently provide high availability can be made more available through redundant design, such as multiple WAN connections or redundant power supplies.
- Operational expenses: Some WAN technologies can result in higher costs than others. A private-line technology such as Frame Relay or ATM, for example, typically results in higher carrier fees than a technology such as an IPsec-based IP VPN, which can take advantage of the public Internet to help reduce costs. It is important to note, however, that migrating to a particular technology for the sole purpose of reducing carrier fees, without considering network performance and QoS, can limit support for some advanced technologies such as voice and video.
- Operational complexity: Cisco MAN and WAN technologies have varying levels of inherent technical complexity, so the level of technical expertise that is required within the enterprise can also vary. In most cases, businesses can upgrade their MAN or WAN to take advantage of the expertise of the existing IT staff, requiring minimal training. When an enterprise chooses to maintain greater control over its network by taking on responsibilities that are usually reserved for a service provider, extensive IT training would be required to successfully deploy and manage a particular WAN technology.
- Voice and video support: Most Cisco MAN and WAN technologies support QoS, which helps enable advanced applications such as voice and video over the network. In cases where a WAN technology uses a service provider with a Cisco QoS–certified, multiservice IP VPN, an adequate level of QoS is assured to support voice and video traffic. In cases where the public Internet is used as the WAN connection, QoS cannot always be guaranteed. A high-broadband connection (greater than 786 kbps upstream) might be required for small offices, teleworkers, and remote Cisco Contact Center agents using voice and video communications.
- Effort and equipment cost to migrate from private connectivity: When an enterprise is taking the next step in upgrading its MAN or WAN, it is important to evaluate the short- and long-term costs and benefits. In many cases, a business can migrate from private connectivity to another technology with minimal investment in equipment, time, and IT staffing. In some instances, however, this transition can require a significant short-term investment, not only in new equipment but also in IT training. Such an investment can provide increased cost savings, lower operational expenditures, and increased productivity over the long term.
- Network segmentation support: Network segmentation allows enterprises to support a single network that is logically segmented. One advantage to network segmentation is the reduction of expenditures that are associated with equipment and maintenance, network administration, and network carrier charges, compared to separate physical networks. Another advantage is increased security because segmentation can ease the effort in isolating departments or limiting the access of partners on the corporate network.
Cisco Enterprise MAN and WAN Architecture
The Cisco Enterprise MAN and WAN Architecture employs a number of MAN and WAN technologies that are engineered and optimized to interoperate as a contiguous system.
The architecture provides the integrated QoS, network security, reliability, and manageability that are required for supporting various advanced business applications and services. These architectures offer a number of secure alternatives to traditional private WAN connectivity and help increase network scalability and reduce monthly carrier fees.
The Cisco Enterprise MAN and WAN Architecture technologies are compared in Table 5-3.
Table 5-3. Cisco Enterprise WAN and MAN Architecture Comparison

| | Private WAN | ISP Service | Service Provider MPLS and IP VPN | Self-Deployed MPLS |
|---|---|---|---|---|
| Secure Transport | IPsec (optional) | IPsec (mandatory) | IPsec (mandatory) | IPsec (mandatory) |
| High Availability | Excellent | Good | Excellent | Excellent |
| Multicast | Good | Good | Good | Excellent |
| Voice and Video Support | Excellent | Low | Excellent | Excellent |
| Scalable Network Growth | Moderate | Good | Excellent | Excellent |
| Easily Shared WAN Links | Moderate | Moderate | Moderate | Excellent |
| Operational Costs | High | Low | Moderate (depends on transport) | Moderate to High |
| Network Control | High | Moderate | Moderate | High |
| Effort to Migrate from Private WAN | Low | Moderate | Moderate | High |
Additional architectural technology information includes the following:
- Private WAN: Private connectivity takes advantage of existing Frame Relay, ATM, or other connections. To provide an additional level of security when connecting sites, these technologies can be combined with encryption such as Advanced Encryption Standard (AES). Data Encryption Standard (DES) and Triple DES (3DES) are also supported on this class of equipment but are no longer adequate: DES is brute-forceable with its 56-bit key, and 3DES is deprecated, so new deployments should use AES. Private connectivity is ideally suited for an enterprise with moderate growth expectations and where relatively few new branches or remote offices will be deployed over the coming years. Businesses that require secure, dedicated, and reliable connectivity for compliance with information privacy standards also favor it. However, this technology can result in relatively high recurring monthly carrier fees and is not the preferred technology for extending connectivity to teleworkers and remote call agents. An enterprise might choose encrypted private connectivity to network its larger branch offices, but it might opt for other technologies, such as an IPsec VPN, to connect remote users and smaller sites.
- ISP service (site-to-site and remote-access IPsec VPN): These services take advantage of the ubiquity of public and private IP networks. The use of strong encryption (AES; DES and 3DES remain available but are no longer considered adequate) makes this WAN option more secure than traditional unencrypted private connectivity. This option is also compliant with many of the new information security regulations imposed on government and industry groups, such as healthcare and finance. This technology, when implemented over the public Internet, is best suited for businesses that require basic data connectivity. However, if support for delay-sensitive, advanced applications such as voice and video is required, an IPsec VPN should be implemented over a service provider private network where an adequate level of QoS is assured to support voice and video traffic. Relatively low carrier fees make this technology appropriate for businesses seeking to connect a high number of teleworkers, remote Cisco Contact Center agents, or small remote offices over a geographically dispersed area.
- SP MPLS and IP VPN: A network-based IP VPN is similar in many ways to private connectivity but with added flexibility, scalability, and reach. The any-to-any nature of an MPLS-enabled IP VPN (in other words, any branch can be networked to any branch), combined with its comprehensive QoS for voice and video traffic, suits the needs of many enterprises. This is especially true for businesses with high growth expectations, where many new branches and remote offices will be added over the next few years. The secure, reliable connectivity and relatively lower carrier fees that are inherent in this technology make a network-based IP VPN a good choice for businesses that want to use a managed service solution to connect branches, remote offices, teleworkers, and remote call agents.
- Self-deployed MPLS: Self-deployed MPLS is a network segmentation technique that allows enterprises to logically segment the network. Self-deployed MPLS is typically reserved for very large enterprises or a service provider that is willing to make a significant investment in network equipment and training. It is also used for those businesses that have an IT staff that is comfortable with a high degree of technical complexity. Further discussion of self-deployed MPLS is beyond the scope of this book.
Enterprises can use a combination of these architectures as needed to support their remote connectivity requirements.
Figure 5-11 shows an example implementation of three Cisco Enterprise MAN and WAN Architectures in a healthcare environment.
Figure 5-11 Cisco WAN Architecture Example
Selecting Enterprise WAN Components
After identifying the remote connectivity requirements and architecture, select the individual WAN components.
Hardware Selection
When selecting hardware, use the Cisco documentation to evaluate the WAN hardware components. Consider the following functions and features:
- Port densities
- Packet throughput
- Expandability capabilities
- Readiness to provide redundant connections
Hardware Selection: Cisco ISR G2
Cisco ISR G2s are part of the Borderless Networks within the Cisco Network Architectures for the Enterprise, which enable business innovation and growth across all remote sites. The next-generation architecture delivers a new workspace experience by meeting the performance requirements for the next generation of WAN and network services. It enables the cost-effective delivery of high-definition collaboration at the branch office and provides a secure transition to the next generation of cloud and virtualized network services.
Designed for optimal service delivery on a single platform, the Cisco ISR G2 routers give businesses greater power to deliver a superior customer experience and to deploy services "on demand" as business needs dictate, while reducing overall operating costs. A general layout of where each ISR G2 model fits within the enterprise is shown in Figure 5-12.
Figure 5-12 Cisco ISR G2 Selections
These innovations enable branch offices to do the following:
- Deliver next-generation WAN and network service requirements
- Become more productive through increased video-based collaboration and rich-media services
- Securely transition to cloud and virtualized network services
- Minimize energy consumption and costs to support corporate sustainability
- Enable small IT teams to scale services worldwide
Designing the Enterprise Branch
The Cisco Enterprise Branch Architecture takes into account services such as voice, data, video, and security that customers want to deploy at their endpoints, no matter how far away the endpoints are or how they are connected. Using Borderless Networks, the Cisco Enterprise Branch Architecture should provide seamless connectivity.
An effective network design for enterprise branches and teleworkers requires knowledge of the campus technologies.
Enterprise Branch Architecture
The Cisco Enterprise Branch Architecture takes into account the services that customers want to deploy at their endpoints, no matter how far away the endpoints are or how they are connected.
Customers are seeking opportunities to protect, optimize, and grow their businesses by increasing security and consolidating voice, video, and data onto a single IP network. Additional concerns include investing in applications that will improve productivity and operating efficiencies. These services provide customers with new opportunities to reduce costs, improve productivity, and safeguard information assets.
The Cisco Enterprise Branch Architecture is an integrated, flexible, and secure framework for extending headquarters applications in real time to remote sites. It uses the Cisco Network Architectures for the Enterprise framework but applies it to the smaller scale of a branch location. Common network components that can be implemented in the branch include the following:
- Routers that provide WAN edge connectivity
- Switches that provide the LAN infrastructure
- Security appliances that defend the branch devices
- Wireless access points for device mobility
- Call-processing and video equipment for IP telephony and video support
- End-user devices, including IP phones and computers
Enterprise Branch Design
Requirements vary for different-sized branch offices. For the branch design, the following questions should be asked:
- How many branch locations need to be supported?
- How many existing devices (users, hosts, and network infrastructure) will be supported at each location?
- What amount of scalability should be supported? (How much growth is expected at each location?)
- What are the high-availability requirements at each location?
- Which level of security should be integrated in the design?
- Should security be managed locally or through the corporate location?
- Are there any requirements for local server farms or network areas that sit between the internal network and an external network (a demilitarized zone [DMZ])?
- Should network management be supported locally or through the corporate location?
- What wireless services are needed, and how will they affect the clients, network, and environment?
- What is the approximate available budget?
The number of devices that are supported is limited by the physical number of ports available. In addition to the scalability considerations, the high-availability requirements point to various design models as well.
It is recommended that branch offices be categorized based on the number of users as follows:
- Small office: Up to 50 users, single-tier design
- Medium office: Between 50 and 100 users, dual-tier design
- Large office: Between 100 and 200 users, three-tier design
Using this classification, the design models are described in the following sections. High availability, scalability, and migration to advanced services requirements also influence the model to be adopted.
The Integrated Services Router (ISR) at the WAN edge provides various voice, security, and data services that are integrated with the LAN infrastructure. Depending on the edge router, the following interfaces are available to integrate with the LAN:
- Integrated interfaces (10/100/1000)
- High-speed WAN interface card (WIC) Ethernet 10/100 interfaces
- Network modules
- Embedded security
New Features on the ISR G2 Routers
The Cisco Integrated Services Router Second Generation (ISR G2) portfolio builds upon the market success of the first generation of ISRs with new features that deliver greater enhancements for service virtualization, video-ready capabilities, and operational excellence. The Cisco ISR G2 innovations deliver the following:
- Video-ready branch office for a superior customer experience with new services that transform the branch-office workspace such as
- Media engines that enable business-grade video applications that are based on high-density, video-ready digital signal processors (DSP) that deliver the medianet high-definition experience
- Bandwidth-optimized and scalable video services, including media-rich video conferencing, video surveillance, video streaming, and digital signage
- High-performance (up to 8x), nonstop branch office experience to meet your future WAN and services requirements
- Cisco TelePresence capability to your midsize branch offices with T1/E1 links
- Service virtualization to deliver highly effective business innovation that achieves unparalleled service that includes
- Cloud extensibility and services virtualization for mission-critical application survivability to remote sites
- Broadest services offering to all branch-office sites, including security, unified communications, WAN optimization, application integration, and customizable virtual services
- A revolutionary "on-demand" services delivery model that is enabled by the innovative Cisco Services Ready Engine (SRE)
Small Branch Office Design
Small branch office designs connect the access router with Layer 2 switch ports in one of three ways:
- Integrated switching in the ISR or multiservice router: This option has a lower port density and supports from 16 to 48 client devices on either a Cisco EtherSwitch network module or a Cisco EtherSwitch service module. This option provides a one-box solution that offers ease of management and uses the Cisco 3900 Series ISR or Cisco 2900 Series ISR for streamlined branch offices. Depending on the module, the integrated switch ports can provide power to end devices using Power over Ethernet (PoE).
- Trunked network interface on the ISR to external switches or access points: There is no link redundancy between the access switches or access points and the ISR. The access switches can provide power to end devices, including access points using PoE.
- Logical EtherChannel interface between the ISR and access switches: This approach uses a Cisco EtherSwitch module in the ISR to provide link redundancy to access layer switches. The access switches can provide power to end devices using PoE.
In all cases, the default gateway is on the ISR. The ISR provides Layer 3 services such as DHCP, firewall, and Network Address Translation (NAT).
If redundant access layer links and higher-bandwidth uplinks are required, only the third option (the EtherChannel design), with higher-performance devices, can be used, because the trunked single-interface option has no link redundancy. The choice of the edge router also depends on the voice and Virtual Private Network (VPN) support that is needed.
The access switch supports Layer 2 services, and the Cisco ISR provides Layer 3 services. Typical access switches include the Cisco Catalyst 2960, 3560, and 3750 Series switches. To keep manageability simple, there are no loops in the topology.
The recommended spanning-tree protocol is Rapid per-VLAN Spanning Tree Plus (RPVST+) for all Layer 2 deployments in a branch office environment. There is a default gateway for each VLAN configured in the topology. All the Layer 3 configurations are done on the ISR. The access switches must be configured with an IP address for management purposes.
Both the Cisco 2921 and 2951 ISRs support three integrated 10/100/1000 interfaces, which are Layer 3 native. Both the Cisco 2921 and 2951 ISRs support one slot for a network module. The Cisco 2921 and 2951 ISRs both support the 16-, 24-, and 48-port Cisco EtherSwitch network modules.
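As an added example (not the book's own configuration), the following shows the second small-branch option above: the ISR carries an 802.1Q trunk to one external access switch, holds the default gateway for each VLAN and serves DHCP, while the switch runs RPVST+ and carries only a management address. Interface names, VLAN numbers and addresses are assumptions.

```cisco
! Added example: small branch, ISR as Layer 3 gateway, external switch as
! Layer 2 access. Interface names, VLANs and addresses are assumed values.
!
! ---- Branch ISR (Cisco 2921/2951) ----
! No subinterface is created for the native VLAN, so untagged frames from a
! host that reaches the trunk have no gateway to talk to.
interface GigabitEthernet0/1
 description Trunk to branch access switch
 no ip address
!
interface GigabitEthernet0/1.10
 description DATA VLAN gateway
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description VOICE VLAN gateway
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.99
 description MGMT VLAN gateway (switch management only, no user ports)
 encapsulation dot1Q 99
 ip address 10.10.99.1 255.255.255.0
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp pool DATA
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.0.0.53
ip dhcp pool VOICE
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 option 150 ip 10.0.0.15
!
! ---- Access switch (Catalyst 2960; 3560/3750 also need
! "switchport trunk encapsulation dot1q" on the uplink) ----
spanning-tree mode rapid-pvst
vtp mode transparent
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description Uplink to ISR Gi0/1
 ! Native VLAN moved off VLAN 1 and kept out of the allowed list, so no
 ! untagged traffic crosses the trunk (VLAN hopping via double tagging).
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Edge ports: go forwarding immediately and shut down if a BPDU arrives,
 ! which blocks rogue switches and keeps the topology loop-free.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan99
 description Management address only
 ip address 10.10.99.2 255.255.255.0
ip default-gateway 10.10.99.1
```

The switch does no routing, so `ip default-gateway` (not a static route) points its management traffic at the ISR's VLAN 99 subinterface. Confirm the trunk with `show interfaces trunk` on the switch and the gateways with `show ip interface brief` on the ISR; `show spanning-tree summary` should report Rapid-PVST on every VLAN with no blocked ports, since there are no loops in this topology.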
Medium Branch Office Design
The medium branch office topology is similar to the small office topology. One exception is that the WAN edge devices are larger, typically two Cisco 2921 or Cisco 2951 ISRs, and the access switches supporting LAN connectivity are external.
To scale up to 100 users, the following options are available:
- Use a higher-port-density external access switch.
- Use an ISR module that supports switched access ports that provide redundancy in the connection to the access switches through EtherChannel.
This design uses the integrated 10/100/1000 interfaces as Layer 3 trunks, providing the flexibility to use various access switches. The stackable Cisco Catalyst 3750 Series switch with an IP base image or an IP services image can be used as the access switch to support 24 or 48 users per switch. The IP base image feature set includes advanced quality of service (QoS), rate limiting, access control lists (ACL), and basic static and Routing Information Protocol (RIP) routing capability. The IP services image provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and multicast routing.
An additional Advanced IP Services Software license is also available. This license is required for IP version 6 (IPv6) routing (Layer 3 switching).
With Cisco StackWise technology, customers can create a single, 32-Gbps switching unit with up to nine Cisco Catalyst 3750 Series switches. Cisco StackWise technology uses special stack-interconnect cables and stacking software. The stack behaves as a single switching unit that is managed by a master switch that is elected from one of the member switches. The master switch automatically creates and updates all the switching and optional routing tables. Support for the number of users needing PoE depends on the specific access switch that is used.
Large Branch Office Design
A large branch office design is like a small to medium campus design with 100 to 1000 users.
In addition to supporting more users, a large office might also need higher LAN switching capability if it is supporting a server farm or DMZ. Support for some of these services requires the use of appliance devices if higher throughput is required. To meet these requirements, a distribution layer is added to the small-office or medium-office topology by introducing a multilayer switch to provide the required LAN switching capabilities, port density, and flexibility to support additional appliances.
A stacked switch LAN topology is highly available, scalable, and manageable. High-availability requirements are met because link redundancy and device redundancy are built into the design. For high availability between the distribution and the edge layers, redundant links are used.
The port density of the stacked switches allows a number of access switches to be connected without compromising high availability. The distribution switches typically run the enhanced images, which support more features, including various routing protocols and advanced features, such as policy-based routing.
If Cisco Catalyst 3560 and 3750 Series switches are used at the access layers, other Layer 2 security features, such as DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard, can be enabled to provide additional security measures. The default gateways for all the VLANs at the access layer are configured on the distribution layer.
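The following is an added example, not the book's or Cisco's own configuration, of the three Layer 2 security features named above on a Catalyst 3560/3750 access switch in the large branch design. VLAN numbers, port numbers, the uplink name and the static host are assumptions.

```cisco
! Added example: DHCP snooping, Dynamic ARP Inspection and IP Source Guard on
! a Catalyst 3560/3750 access switch. VLANs, ports and addresses are assumed.
!
! 1. DHCP snooping builds the binding table (MAC, IP, VLAN, port) that both
!    DAI and IP Source Guard consult. Only the uplink toward the distribution
!    layer, where the legitimate DHCP server or relay lives, is trusted, so a
!    rogue DHCP server on an access port is dropped.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! This switch is not a relay; do not insert option 82, or a router that
! receives it with giaddr 0.0.0.0 may discard the request.
no ip dhcp snooping information option
! Persist the table so a reload does not cut off every host until it renews.
ip dhcp snooping database flash:dhcp-snoop.db
!
! 2. Dynamic ARP Inspection validates ARP packets against the binding table.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
! Hosts with static addresses have no snooping binding and need an ARP ACL,
! otherwise DAI blocks them.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet1/0/49
 description Uplink to distribution layer (apply to the Port-channel if bundled)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! 3. IP Source Guard drops IP packets whose source address does not match a
 !    binding on this port, which stops source-address spoofing at the edge.
 ip verify source
 ! Rate-limit DHCP and ARP from access ports; exceeding the limit err-disables
 ! the port, so pair it with errdisable recovery to avoid a permanent outage.
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Check `show ip dhcp snooping binding` after a client renews, then `show ip arp inspection statistics` and `show ip verify source`; a spoofed ARP reply or a packet with a forged source address sent from an access port should increment the drop counters rather than reach the gateway.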
Enterprise Teleworker (Cisco Virtual Office Solution) Design
Another remote place in the enterprise network consists of the enterprise teleworkers. Organizations are constantly striving to reduce costs, improve employee productivity, and retain valued employees. These goals can be attained by providing employees with the ability to work from home with the same level of quality, function, performance, convenience, and security that is available in the office. With a work environment in the residence, employees can optimally manage their work schedules, allowing higher productivity (less affected by office distractions) and greater job satisfaction (flexibility in schedule). This transparent extension of the enterprise to employee homes is the objective of the Cisco Enterprise Teleworker (or Cisco Virtual Office solution) Architecture.
Occasional remote users have much lighter application requirements than part-time and full-time teleworkers. They can connect through a wireless hotspot or a hotel guest network, which gives them little control over network resiliency and availability.
The situation of enterprise teleworkers that are operating as a Cisco Virtual Office can be differentiated from other forms of work-at-home or telecommuting scenarios. The difference is that the emphasis is on delivering seamless managed accessibility to the complete range of applications and services that are critical to the operational effectiveness of enterprises. The Cisco Enterprise Teleworker Architecture is part of the overall secure Cisco Network Architectures for the Enterprise infrastructure. The Cisco Enterprise Teleworker Architecture gives companies the ability to integrate and securely manage their remote workers within the corporate network, while providing a high-quality end-user experience that supports a complete range of enterprise applications for the enterprise teleworker. The enterprise teleworker typically connects to an ISP through a DSL or cable modem and can use an analog dialup session to back up this connection.
The enterprise teleworker solution is implemented with a small ISR such as the Cisco 877, 878, and 888 Integrated Services Routers with integrated switch ports behind a broadband modem. The solution uses a transparent, always-on VPN tunnel back to the enterprise.
This architecture provides centralized management, where the customer can apply security policies, push configurations, and periodically test the connection through the broadband cloud and back to the corporate office. This allows the customer to see the latency, jitter, and packet loss that is being experienced at any given time. This solution can support advanced applications such as voice and video as part of the complete suite of enterprise services for the end user. For example, a teleworker can access the central-office IP telephone system from home, with comparable voice quality. The teleworker can also take advantage of higher-function IP telephony capabilities instead of using the public switched telephone network (PSTN).
An alternative solution is an unmanaged VPN approach, where the end user implements a software VPN from the PC across a generic broadband router, access point, or hub appliance. This alternate solution typically cannot support the level of feature integration, QoS, and managed support that is needed to deliver voice, video, multimedia, and traditional data to the end user in a reliable manner. The alternate solution is appropriate for occasional remote users, with their lighter application requirements.
New ISRs for Small Offices and Teleworkers
Cisco 860 and 880 Series ISRs deliver integrated services at broadband speeds to small offices and teleworkers or to service providers to deploy as part of their managed network services:
- Cisco 860 Series ISRs offer the following:
- Concurrent broadband services for small offices and remote sites
- Security features, including:
- Stateful Inspection Firewall
- IPsec VPNs (Triple Data Encryption Standard [3DES] or Advanced Encryption Standard [AES])
- 4-port 10/100 Fast Ethernet managed switch with VLAN support
- CON/AUX port for console or external modem
- Secure IEEE 802.11g/n access-point option that is based on the IEEE 802.11n 2.0 standard
- Easy setup, deployment, and remote management capabilities through web-based tools and Cisco IOS Software
- Cisco 880 Series ISRs offer the following:
- High performance for broadband access in small offices and small branch-office and teleworker sites
- Collaborative services with secure analog, digital voice, and data communication
- Business continuity and WAN diversity with redundant WAN links: Fast Ethernet, symmetric high-bit-rate DSL (G.shdsl), asymmetric DSL (ADSL) 2/2+, very-high-data-rate DSL 2 (VDSL2), third-generation (3G), and ISDN
- Survivable Remote Site Telephony (SRST) voice continuity for enterprise small branch-office and teleworker sites
- Enhanced security, including:
- Firewall: With advanced application and control for email, instant messaging (IM), and HTTP traffic
- Site-to-site, remote-access and dynamic VPN services: IPsec VPNs (3DES or AES), Dynamic Multipoint VPNs (DMVPN), Group Encrypted Transport VPNs (GET VPN) with onboard acceleration, and Secure Socket Layer (SSL) VPNs
- Intrusion prevention system (IPS): An inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks
- Content filtering: A subscription-based integrated security solution that offers category-based reputation rating, keyword blocking, and protection against adware, malware, spyware, and URL blocking
- Four-port 10/100 Fast Ethernet–managed switch with VLAN support; two ports support Power over Ethernet (PoE) for powering IP phones or external access points
- Secure IEEE 802.11g/n access-point option based on draft 802.11n standard with support for autonomous or Cisco Unified WLAN architectures
- CON/AUX port for console or external modem
- One USB 1.1 port for security eToken credentials, booting from USB, and loading configuration
- Easy setup, deployment, and remote-management capabilities through web-based tools and Cisco IOS Software
Summary
In this chapter, the following key points were covered on remote connectivity network design:
- Analyze network requirements:
- Type of applications, traffic volume, and traffic pattern
- Redundancy and backup needed
- Characterize the existing network and sites:
- Technology used
- Location of hosts, servers, terminals, and other end nodes
- Develop WAN and branch network design:
- Select WAN and branch technology to support requirements
- Select hardware and software components to support requirements
- Network application and connectivity requirements that influence the WAN design
- The Cisco Enterprise MAN and WAN Architecture provides integrated QoS, network security, reliability, and manageability:
- On private WANs
- On ISP service through site-to-site and remote-access VPNs
- On service provider–managed IP or MPLS VPNs
- The Cisco Enterprise Branch Architecture supports small, medium, large, and teleworker locations.
References
For additional information, refer to these resources:
- Cisco, Inc. Cisco product index for routers, at www.cisco.com/en/US/products/hw/routers/index.html.
- Cisco, Inc. Cisco product index for switches, at www.cisco.com/en/US/products/hw/switches/index.html.
- Cisco, Inc. Ethernet Access for Next Gen Metro and Wide Area Networks, at www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Ethernet_Access_for_NG_MAN_WAN_V3.1_external.html.
- Cisco, Inc. Enterprise Internet Edge Design Guide, at www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html.
- Cisco, Inc. Cisco Integrated Services Routers, at www.cisco.com/en/US/products/ps10906/Products_Sub_Category_Home.htm.
- Cisco, Inc. Cisco Internetworking Technology Handbook, at docwiki.cisco.com/wiki/Internetworking_Technology_Handbook.
- Cisco, Inc. LAN Baseline Architecture Branch Office Network Reference Design Guide, at www.cisco.com/univercd/cc/td/doc/solution/designex.pdf.
- Cisco, Inc. LAN Baseline Architecture Overview—Branch Office Network, at www.cisco.com/univercd/cc/td/doc/solution/lanovext.pdf.
Review Questions
Answer the following questions, and then refer to Appendix A for the answers.
- What is the definition of a WAN?
- Which of the WAN transport technologies reserves a point-to-point connection bandwidth indefinitely for transmissions?
- Which device is used to provide ADSL line termination?
- Which of SONET's optical carrier rates provides 622.08 Mbps?
- Which feature is able to classify packets based on matching fields at the application layer?
- Which WAN topology includes a single central hub with remote networks directly connected back to the central location?
- Which Cisco IOS Software technology provides an easy, dynamic, and scalable IPsec and GRE VPN solution?
- Which Layer 3 VPN technology leverages the Border Gateway Protocol to distribute VPN-related information?
- Which service provider VPN technology presents itself as an Ethernet interface to customers and allows several remote sites to appear as if they are on the same LAN?
- Which Cisco Enterprise MAN and WAN technology provides a comprehensive WAN optimization solution that accelerates applications over the WAN?
