larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide: (CCDP ARCH 642-874), 3rd Edition

eBook (Watermarked)

  • Your Price: $40.11
  • List Price: $50.14
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

  • Description
  • Sample Content
  • Updates
  • Copyright 2012
  • Dimensions: 7-3/8" x 9-1/8"
  • Edition: 3rd
  • eBook (Watermarked)
  • ISBN-10: 0-13-265295-1
  • ISBN-13: 978-0-13-265295-7

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Third Edition, is a Cisco®-authorized, self-paced learning tool for CCDP® foundation learning. This book provides you with the knowledge needed to perform the conceptual, intermediate, and detailed design of a network infrastructure that supports desired network solutions over intelligent network services, in order to achieve effective performance, scalability, and availability. By reading this book, you will gain a thorough understanding of how to apply solid Cisco network solution models and recommended design practices to provide viable, stable enterprise internetworking solutions. The book presents concepts and examples that are necessary to design converged enterprise networks. Advanced network infrastructure technologies, such as virtual private networks (VPNs) and other security solutions are also covered.

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Third Edition teaches you the latest development in network design and technologies, including network infrastructure, intelligent network services, and converged network solutions. Specific topics include campus, routing, addressing, WAN services, data center, e-commerce, SAN, security, VPN, and IP multicast design, as well as network management. Chapter-ending review questions illustrate and help solidify the concepts presented in the book.

Whether you are preparing for CCDP certification or simply want to gain a better understanding of designing scalable and reliable network architectures, you will benefit from the foundation information presented in this book.

Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide, Third Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

John Tiso, CCIE No. 5162, CCDP is a Product Manager for Cisco Systems. He holds a B.S. Degree in Computer Science and Mathematics from Adelphi University and a Graduate Citation in Strategic Management from Harvard University. John is a published author, has served as a technical editor for Cisco Press, and has participated as a SME for the CCIE program. Prior to Cisco, he was a senior consultant and architect in the Cisco partner channel.

·        Learn about the Cisco Enterprise Architecture

·        Create highly available campus and data center network designs

·        Develop optimum Layer 3 designs

·        Examine advanced WAN services design considerations

·        Evaluate SAN design considerations

·        Deploy effective e-commerce module designs

·        Create effective security services and IPsec and SSL VPN designs

·        Design IP multicast networks

·        Understand the network management capabilities within Cisco IOS Software

This book is in the Foundation Learning Guide Series. These guides are developed together with Cisco® as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.

Category: Cisco Certification

Covers: CCDP ARCH 642-874

Table of Contents

    Foreword xxx

    Introduction xxxi

Chapter 1 The Cisco Enterprise Architecture 1

    Reviewing Cisco Enterprise Architecture 1

    The Hierarchical Model 2

        Example Hierarchical Network 3

    Enterprise Network Design for Cisco Architectures 4

    Service and Application Integration 7

        Network Services 7

        Network Applications 9

        Modularity in Cisco Network Architectures for the Enterprise 9

    Reviewing the Cisco PPDIOO Approach 12

        PPDIOO Network Lifecycle Approach 13

        Benefits of the Lifecycle Approach 14

        Using the Design Methodology Under PPDIOO 16

    Identifying Customer Requirements 16

    Characterizing the Existing Network and Sites 17

    Designing the Topology and Network Solutions 18

        Dividing the Network into Areas 18

    Summary 20

    References 21

    Review Questions 21

Chapter 2 Enterprise Campus Network Design 23

    Designing High Availability in the Enterprise Campus 24

        Enterprise Campus Infrastructure Review 24

        Access Layer 24

        Distribution Layer 26

        Core Layer 27

        Collapsed-Core Model 29

        High-Availability Considerations 30

        Implement Optimal Redundancy 30

        Provide Alternate Paths 32

        Avoid Single Points of Failure 33

        Cisco NSF with SSO 33

        Routing Protocol Requirements for Cisco NSF 34

        Cisco IOS Software Modularity Architecture 35

        Example: Software Modularity Benefits 37

    Designing an Optimum Design for Layer 2 38

        Recommended Practices for Spanning-Tree Configuration 38

        Cisco STP Toolkit 40

        STP Standards and Features 40

        Recommended Practices for STP Hardening 41

        Recommended Practices for Trunk Configuration and Vlan Trunking Protocol 43

        Dynamic Trunking Protocol 45

        Recommended Practices for UDLD Configuration 46

        Recommended Practices for EtherChannel 47

        Port Aggregation Protocol 49

        Link Aggregation Control Protocol 49

        Supporting Virtual Switching Systems Designs 50

        Common Access-Distribution Block Designs 51

        Multichassis EtherChannels and VSS 52

        VSS Design Considerations 53

        Dual Active Detection and Recovery 54

        VSS Design Best Practices 55

        Developing an Optimum Design for Layer 3 55

        Managing Oversubscription and Bandwidth 56

        Bandwidth Management with EtherChannel 56

        Bandwidth Management with 10 Gigabit Interfaces 57

        Link Load Balancing 57

        Link Load Balancing with EtherChannel 58

        EtherChannel Design Versus Equal-Cost Multipathing 59

        Routing Protocol Design 60

        Build Redundant Triangles 60

        Peer Only on Transit Links 60

        Summarize at the Distribution Layer 62

        First-Hop Redundancy 64

        Preempt Delay Tuning 65

        Elimination of FHRP in VSS Designs 66

        Overview of Gateway Load Balancing Protocol 67

        Optimizing FHRP Convergence 69

    Supporting a Layer 2 to Layer 3 Boundary Design 71

        Layer 2 to Layer 3 Boundary Design Models 71

        Layer 2 Distribution Switch Interconnection 71

        Layer 3 Distribution Switch Interconnection (with HSRP) 72

        Layer 3 Distribution Switch Interconnection (with GLBP) 72

        Layer 3 Distribution Switch with VSS Interconnection 73

        Layer 3 Access to Distribution Interconnection 74

        EIGRP Access Design Recommendations 75

        OSPF Access Design Recommendations 76

        Potential Design Issues 77

        Daisy Chaining Access Layer Switches 77

        Cisco StackWise Technology in the Access Layer 78

        Too Much Redundancy 79

        Too Little Redundancy 80

        Example: Impact of an Uplink Failure 80

        Example: Impact on Return-Path Traffic 82

        Asymmetric Routing (Unicast Flooding) 82

        Unicast Flooding Prevention 83

    Supporting Infrastructure Services 84

        IP Telephony Considerations 84

        IP Telephony Extends the Network Edge 84

        PoE Requirements 85

        Power Budget and Management 87

        Multi-VLAN Access Port 89

        Soft Phones and Voice VLANs 90

        QoS Considerations 90

        Recommended Practices for QoS 91

        Transmit Queue Congestion 91

        QoS Role in the Campus 92

        Campus QoS Design Considerations 92

        Cisco Catalyst Integrated Security Features 93

        Port Security Prevents MAC-Based Attacks 93

        DHCP Snooping Protects Against Rogue and Malicious DHCP Servers 94

        Dynamic ARP Inspection Protects Against ARP Poisoning 94

        IP Source Guard Protects Against Spoofed IP Addresses 95

        Example Catalyst Integrated Security Feature Configuration 95

    Summary 95

    References 96

    Review Questions 97

Chapter 3 Developing an Optimum Design for Layer 3 101

    Designing Advanced IP Addressing 101

        IP Address Planning as a Foundation 102

        Summary Address Blocks 102

        Summarization for IPv6 103

        Changing IP Addressing Needs 104

        Planning Addresses 104

        Applications of Summary Address Blocks 105

        Implementing Role-Based Addressing 105

        Bit Splitting for Route Summarization 106

        Example: Bit Splitting for Area 1 107

        IPv6 Address Planning 107

        Bit Splitting for IPv6 108

        Addressing for VPN Clients 109

        NAT in the Enterprise 109

        NAT with External Partners 110

    Design Considerations for IPv6 in Campus Networks 111

        IPv6 Campus Design Considerations 111

        Dual-Stack Model 112

        Hybrid Model 112

        Service Block Model 114

    Designing Advanced Routing 115

        Route Summarization and Default Routing 115

        Originating Default Routes 116

        Stub Areas and Default Route 117

        Route Filtering in the Network Design 118

        Inappropriate Transit Traffic 118

        Defensive Filtering 120

        Designing Redistribution 121

        Filtered Redistribution 122

    Migrating Between Routing Protocols 123

    Designing Scalable EIGRP Designs 123

        Scaling EIGRP Designs 124

        EIGRP Fast Convergence 124

        EIGRP Fast-Convergence Metrics 125

        Scaling EIGRP with Multiple Autonomous Systems 126

        Example: External Route Redistribution Issue 126

        Filtering EIGRP Redistribution with Route Tags 127

        Filtering EIGRP Routing Updates with Inbound Route Tags 128

        Example: Queries with Multiple EIGRP Autonomous Systems 130

        Reasons for Multiple EIGRP Autonomous Systems 130

        Designing Scalable OSPF Design 131

        Factors Influencing OSPF Scalability 131

        Number of Adjacent Neighbors and DRs 132

        Routing Information in the Area and Domain 132

        Designing OSPF Areas 133

        Area Size: How Many Routers in an Area? 134

        OSPF Hierarchy 134

        Area and Domain Summarization 136

        Number of Areas in an OSPF Hub-and-Spoke Design 137

        OSPF Hub-and-Spoke Design 137

        Issues with Hub-and-Spoke Design 138

        OSPF Hub-and-Spoke Network Types 140

        OSPF Area Border Connection Behavior 141

        Fast Convergence in OSPF 142

        OSPF Exponential Backoff 143

        Tuning OSPF Parameters 143

        OSPF LSA Pacing 145

        OSPF Event Processing 145

        Bidirectional Forwarding Detection 145

    Designing Scalable BGP Designs 146

        Scaling BGP Designs 146

        Full-Mesh IBGP Scalability 147

        Scaling IBGP with Route Reflectors 148

        BGP Route Reflector Definitions 148

        Route Reflector Basics 150

        Scaling IBGP with Confederations 151

        BGP Confederation Definitions 151

        Confederation Basics 151

        Confederations Reduce Meshing 152

        Deploying Confederations 154

    Summary 155

    References 157

    Review Questions 158

Chapter 4 Advanced WAN Services Design Considerations 161

    Advanced WAN Service Layers 161

        Enterprise Optical Interconnections 162

        Overview of SONET and SDH 163

        Enterprise View of SONET 164

        WDM Overview 165

        CWDM Technical Overview 165

        DWDM Technical Overview 166

        DWDM Systems 167

        RPR Overview 168

        RPR in the Enterprise 168

        Metro Ethernet Overview 170

        Metro Ethernet Service Model 170

        Metro Ethernet Architecture 170

        Metro Ethernet LAN Services 172

        Ethernet Private Line Service 173

        Ethernet Relay Service 174

        Ethernet Wire Service 175

        Ethernet Multipoint Service 175

        Ethernet Relay Multipoint Service 176

        Any Transport over MPLS 176

        Ethernet over MPLS 177

        End-to-End QoS 179

        Shaping and Policing on Subrate Ethernet WAN 180

        Choosing the Right Service 181

        VPLS Overview 181

        VPLS Architecture Model 182

        VPLS in the Enterprise 183

        Hierarchical VPLS Overview 184

        Scaling VPLS 184

        QoS Issues with EMS or VPLS 186

        EMS or VPLS and Routing Implications 186

        VPLS and IP Multicast 187

        VPLS Availability 187

        MPLS VPN Overview 187

        Customer Considerations with MPLS VPNs 188

        Routing Considerations: Backdoor Routes 189

        Routing Considerations: Managed Router Combined with Internal Routing 189

        Routing Considerations: Managed Router from Two Service Providers 190

    Implementing Advanced WAN Services 191

        Advanced WAN Service Selection 192

        Business Risk Assessment 192

        WAN Features and Requirements 194

        SLA Overview 195

        SLA Monitoring 196

        Application Performance Across the WAN 197

        WAN CPE Selection Considerations 198

        Cisco PfR Overview 200

        Cisco PfR Operations 200

        Cisco PfR Design and Deployment Considerations 203

    Summary 204

    References 205

    Review Questions 206

Chapter 5 Enterprise Data Center Design 211

    Designing the Core and Aggregation Layers 212

        Data Center Architecture Overview 213

        Benefits of the Three-Layer Model 213

        The Services Layer 214

        Using Dedicated Service Appliances 215

        Data Center Core Layer Design 217

        Layer 3 Characteristics for the Data Center Core 218

        OSPF Routing Protocol Design Recommendations 220

        EIGRP Routing Protocol Design Recommendations 221

        Aggregation Layer Design 221

        Scaling the Aggregation Layer 223

        STP Design 224

        Understanding Bridge Assurance 226

        Integrated Service Modules 227

        Service Module Placement Consideration 227

        Service Modules and the Services Layer 228

        Active STP, HSRP, and Service Context Alignment 230

        Active/Standby Service Module Design 232

        Active/Active Service Module Design 232

        Establishing Inbound Path Preference 233

        Using VRFs in the Data Center 235

        Using the Cisco Nexus 7000 Series in the Core and Aggregation Layer 236

        VDCs 238

        Designs Enabled by VDCs 239

        vPCs 241

        vPC Best Practices 242

        Designs Enabled by vPC 243

        Layer 2 Multipathing 244

        Designing the Access Layer 245

        Overview of the Data Center Access Layer 245

        Layer 2 Looped Designs 246

        Layer 2 Looped Topologies 247

        Layer 2 Looped Design Issues 249

        Layer 2 Loop-Free Designs 250

        Loop-Free Topologies 251

        Example: Loop-Free U Design and Layer 2 Service Modules 253

        Example: Loop-Free U Design and Cisco ACE Service Module 254

        Layer 2 FlexLink Designs 255

        FlexLink Issues and Considerations 256

        Comparison of Layer 2 Access Designs 259

        Layer 3 Access Layer Designs 260

        Multicast Source Support 261

        Benefits of Layer 3 Access 262

        Drawbacks of Layer 3 Access 262

        Blade Server Overview 262

        Blade Server Connectivity Options 264

        Blade Server Trunk Failover Feature 265

        Virtual Blade Switching 266

        Cisco Nexus Switch Family in the Access Layer 267

        TOR and EOR Designs 267

        Static and Dynamic Pinning 267

        Cisco Nexus 2000 FEX Dynamic Pinning 268

        Virtual Port Channel in the Data Center Access Layer 269

        Straight-Through FEX Design 270

        Active/Active FEX Design 270

    Cisco Nexus 1000V in the Data Center Access Layer 272

        Virtual Port Channel Host Mode 273

        Design Considerations for the Cisco Nexus 1000V 274

        Cisco Nexus 1010 275

    Layer 2 or Layer 3 Access Design? 276

    Scaling the Data Center Architecture 277

        TOR Versus EOR Designs 277

        Cabinet Design with TOR Switching 279

        Example: Network Topology with TOR Switching Model 280

        Cabinet Design with Modular Access Switches 281

        Example: Network Topology with Modular Access Switches 281

        Cabinet Design with Fabric Extenders 282

        Server NIC Density 284

        Hybrid Example with a Separate OOB Switch 284

        Oversubscription and Uplinks 285

        Scaling Bandwidth and Uplink Density 286

        Optimizing EtherChannel Utilization with Load Balancing 286

        Optimizing EtherChannel Utilization with Min-Links 287

        Scaling with Service Layer Switches 288

        Scaling Service on Cisco ACE Modules 289

    Scaling Spanning Tree and High Availability 290

        Scalability 290

        STPs in the Data Center 290

        STP Scaling 291

        STP Logical Interfaces 292

        STP Scaling with 120 Systemwide VLANs 293

        STP in 1RU Designs 295

        STP Scaling Design Guidelines 295

        Scaling the Data Center Using Zones 296

    High Availability in the Data Center 296

        Common NIC Teaming Configurations 296

        Server Attachment Methods 298

        High Availability and Failover Times 299

        High Availability and Cisco NSF with SSO 300

    Describing Network Virtualization in More Detail 302

        Definition of Virtualization 302

        Virtualization Categories 303

        Network Virtualization 304

        Virtual Routing and Forwarding 305

        Layer 3 VPNs and Network Virtualization 306

    Summary 308

    References 308

    Review Questions 309

Chapter 6 SAN Design Considerations 313

    Identifying SAN Components and Technologies 314

        SAN Components 315

        RAID Overview 317

    Storage Topologies 318

        DAS 318

        NAS 319

    SAN Technologies 320

        SCSI Overview 320

        Fibre Channel Overview 321

        Fibre Channel Communications Model 322

        VSAN 323

        IVR 324

        FSPF 325

        Zoning 325

        FICON 326

        SANTap 327

    Designing SAN and SAN Extension 328

        Port Density and Topology Requirements 329

        Device Oversubscription 330

        Traffic Management 331

        Fault Isolation 331

        Convergence and Stability 331

        SAN Designs with the Cisco MDS 9000 Family 331

        SAN Consolidation with VSANs 332

        Comprehensive SAN Security 332

        Simplified SAN Management 332

        Single-Switch Collapsed-Core Design 333

        Small-Scale, Dual-Fabric Collapsed-Core Design 334

        Medium-Scale, Dual-Fabric Collapsed-Core Design 335

        Large-Scale, Dual-Fabric Core-Edge Design 336

    SAN Extension 337

        SAN Extension Protocols 339

        Fibre Channel over IP 339

        iSCSI 340

        SAN Extension Developments 342

        High-Availability SAN Extension 343

    Integrated Fabric Designs Using Cisco Nexus Technology Overview 343

        Unified Fabric Technologies 344

        I/O Consideration in the Data Center 345

    Challenges When Building a Unified Fabric Based on 10 Gigabit Ethernet 346

        SAN Protocol Stack Extensions 348

        FCoE Components: Converged Network Adapter 349

        FCoE Components: Fibre Channel Forwarder 350

        Data Center Bridging Standards 351

        Unified Fabric Design Considerations 352

        Deploying Nexus in the Access Layer 353

        Nexus 5000/2000 Deployment Options in the Data Center 355

        FCoE VLAN to VSAN Mapping, VLAN Trunking, and the CNA 355

        Switch Mode Versus NPV Mode 357

        Unified Fabric Best Practices 358

    Summary 359

    References 359

    Review Questions 360

Chapter 7 E-Commerce Module Design 363

    Designing High Availability for E-Commerce 363

        E-Commerce High-Availability Requirements 364

        Components of High Availability 364

        Redundancy 365

        Technology 365

        People 366

        Processes 366

        Tools 367

    Common E-Commerce Module Designs 368

        Common E-Commerce Firewall Designs 368

        Typical E-Commerce Module Topology 368

        Using a Server as an Application Gateway 370

        Virtualization with Firewall Contexts 371

        Virtual Firewall Layers 372

        Firewall Modes 373

        Common E-Commerce Server Load Balancer Designs 375

        Functions of a Server Load Balancer 375

        SLB Design Models 376

        SLB Router Mode 377

        Application Control Engine 378

        SLB Inline Bridge Mode 378

        SLB One-Armed Mode 379

        Common E-Commerce Design Topologies for Connecting to Multiple ISPs 382

        One Firewall per ISP 382

        Stateful Failover with Common External Prefix 384

        Distributed Data Centers 384

    Design Option: Distributed Data Centers 385

    Additional Data Center Services 386

    Integrated E-Commerce Designs 388

        Base E-Commerce Module Design 388

        Base Design Routing Logic 390

        Base Design Server Traffic Flows 391

        Two Firewall Layers in the E-Commerce Module Design 393

        Traffic Flows in a Two-Firewall Layer Design 394

        One-Armed SLB Two-Firewall E-Commerce Module Design 395

        Traffic Flows in a One-Armed SLB Two-Firewall Layer Design 396

        Direct Server Traffic Flows in a One-Armed SLB Two-Firewall Layer Design 398

        One-Armed SLB E-Commerce Module Design with Firewall Contexts 398

        Traffic Flows in a One-Armed SLB Design with Firewall Contexts 400

        One-Armed SLB E-Commerce Module Design with ACE 401

        Testing E-Commerce Module Designs 403

    Summary 404

    References 405

    Review Questions 405

Chapter 8 Security Services Design 407

    Designing Firewalls 407

        Firewall Modes 408

        Zone-Based Policy Firewall 410

        Virtual Firewall Overview 411

        Firewall Context Design Considerations 413

        MSFC Placement 414

        Active/Active Firewall Topology 415

        Active/Active Topology Features 416

        Asymmetric Routing with Firewalls 416

        Asymmetric Routing with ASR Group on a Single FWSM 417

        Asymmetric Routing with Active/Active Topology 418

        Performance Scaling with Multiple FWSMs 419

        Example: Load Balancing FWSMs Using PBR 419

        Load Balancing FWSMs Using ECMP Routing 420

        PVLAN Security 420

        FWSM in a PVLAN Environment: Isolated Ports 422

        FWSM in a PVLAN Environment: Community VLANs 423

    Designing NAC Services 423

        Network Security with Access Control 424

        NAC Comparison 425

        Cisco NAC Appliance Fundamentals 426

        Cisco NAC Appliance Components 426

        Cisco NAC Appliance Policy Updates 427

        Process Flow with the Cisco NAC Appliance 428

        Cisco NAS Scaling 429

        Cisco NAS Deployment Options 429

        Cisco NAS Gateway Modes 430

        Cisco NAS Client Access Modes 431

        Cisco NAS Operating Modes 431

        Physical Deployment Models 432

        Cisco NAC Appliance Designs 432

        Layer 2 In-Band Designs 434

        Example: Layer 2 In-Band Virtual Gateway 434

        Example: Layer 2 In-Band Real IP Gateway 435

        Layer 2 Out-of-Band Designs 435

        Example: Layer 2 Out-of-Band Virtual Gateway 436

        Layer 3 In-Band Designs 437

        Example: Layer 3 In-Band Virtual Gateway 437

        Example: Layer 3 In-Band with Multiple Remotes 438

        Layer 3 Out-of-Band Designs 439

        Example: Layer 3 OOB with Addressing 440

        NAC Framework Overview 441

        Router Platform Support for the NAC Framework 442

        Switch Platform Support for the NAC Framework 443

    IPS and IDS Overview 444

        Threat Detection and Mitigation 444

        IDSs 444

        Intrusion-Prevention Systems 445

        IDS and IPS Overview 446

        Host Intrusion-Prevention Systems 447

        IDS and IPS Design Considerations 447

        IDS or IPS Deployment Considerations 448

        IPS Appliance Deployment Options 448

        Feature: Inline VLAN Pairing 450

        IPS Deployment Challenges 450

        IDS or IPS Management Interface Deployment Options 450

        In-Band Management Through Tunnels 451

        IDS and IPS Monitoring and Management 451

        Scaling Cisco Security MARS with Global Controller Deployment 453

    Summary 453

    References 454

    Review Questions 455

Chapter 9 IPsec and SSL VPN Design 459

    Designing Remote-Access VPNs 459

        Remote-Access VPN Overview 460

        Example: Cisco Easy VPN Client IPsec Implementation 461

        SSL VPN Overview 461

        Clientless Access 462

        Thin Client 463

        Thick Client 464

        Remote-Access VPN Design Considerations 464

        VPN Termination Device and Firewall Placement 465

        Address Assignment Considerations 465

        Routing Design Considerations 465

        Other Design Considerations 466

    Designing Site-to-Site VPNs 467

        Site-to-Site VPN Applications 468

        WAN Replacement Using Site-to-Site IPsec VPNs 468

        WAN Backup Using Site-to-Site IPsec VPNs 469

        Regulatory Encryption Using Site-to-Site IPsec VPNs 470

        Site-to-Site VPN Design Considerations 470

        IP Addressing and Routing 470

        Scaling, Sizing, and Performance 471

        Cisco Router Performance with IPsec VPNs 471

        Typical VPN Device Deployments 475

        Design Topologies 476

        VPN Device Placement Designs 476

        VPN Device Parallel to Firewall 476

        VPN Device on a Firewall DMZ 477

        Integrated VPN and Firewall 478

    Using IPsec VPN Technologies 478

        IPsec VPN Overview 478

        Extensions to Basic IPsec VPNs 480

        Cisco Easy VPN 480

        Overview of Cisco Easy VPN Server Wizard on Cisco SDM 480

        Overview of Easy VPN Remote Wizard on Cisco SDM 482

        GRE over IPsec Design Recommendations 483

        GRE over IPsec Design Recommendations 483

        DMVPN 485

        DMVPN Overview 485

        DMVPN Design Recommendations 487

        Virtual Tunnel Interfaces Overview 487

        Group Encrypted Transport VPN 489

        GET VPN Topology 489

    Managing and Scaling VPNs 491

        Recommendations for Managing VPNs 491

        Considerations for Scaling VPNs 491

        Determining PPS 493

        Routing Protocol Considerations for IPsec VPNs 497

        EIGRP Metric Component Consideration 498

    Summary 498

    References 499

    Review Questions 500

Chapter 10 IP Multicast Design 505

    IP Multicast Technologies 506

        Introduction to Multicast 506

        Multicast Versus Unicast 506

        IP Multicast Group Membership 507

        Multicast Applications and Multicast Adoption Trends 508

        Learning About Multicast Sessions 509

        Advantages of Multicast 510

        Disadvantages of Multicast 510

        Multicast IP Addresses 511

        Layer 2 Multicast Addresses 512

        Multicast Address Assignment 514

        Cisco Multicast Architecture 515

        IGMP and CGMP 516

        IGMP Version 1 516

        IGMP Version 2 517

        IGMP Version 3 518

    Multicast with Layer 2 Switches 518

        IGMP Snooping 519

        CGMP 520

        PIM Routing Protocol 520

        PIM Terminology 521

        Multicast Distribution Tree Creation 522

        Reverse Path Forwarding 522

        Source Distribution Trees 524

        Shared Distribution Trees 525

        Multicast Distribution Tree Notation 527

    Deploying PIM and RPs 527

        PIM Deployment Models 527

        ASM or PIM-SM 528

        PIM-SM Shared Tree Join 528

        PIM-SM Sender Registration 529

        PIM-SM SPT Switchover 530

        Bidirectional PIM 532

        Source-Specific Multicast 533

        SSM Join Process 534

        SSM Source Tree Creation 535

        PIM Dense Mode 535

        RP Considerations 536

        Static RP Addressing 537

        Anycast RP 537

        Auto-RP 538

        DM Fallback and DM Flooding 540

        Boot Strap Router 541

    Securing IP Multicast 543

        Security Considerations for IP Multicast 543

        Security Goals for Multicast Environments 543

        Unicast and Multicast State Requirements 544

        Unicast and Multicast Replication Requirements 546

        Attack Traffic from Rogue Sources to Receivers 547

        Attack Traffic from Sources to Networks Without Receivers 547

        Attack Traffic from Rogue Receivers 548

        Scoped Addresses 548

        Multicast Access Control 549

        Packet Filter-Based Access Control 549

        Host Receiver-Side Access Control 551

        PIM-SM Source Control 552

        Disabling Multicast Groups for IPv6 553

        Multicast over IPsec VPNs 553

        Traditional Direct Encapsulation IPsec VPNs 554

        Multicast over IPsec GRE 555

        Multicast over DMVPN 555

        Multicast Using GET VPN 557

    Summary 558

    References 560

    Review Questions 561

Chapter 11 Network Management Capabilities Within Cisco IOS Software 565

    Cisco IOS Embedded Management Tools 565

        Embedded Management Rationale 566

        Network Management Functional Areas 566

        Designing Network Management Solutions 567

        Cisco IOS Software Support of Network Management 567

        Application Optimization and Cisco IOS Technologies 568

        Syslog Considerations 571

        Cisco IOS Syslog Message Standard 571

        Issues with Syslog 572

    NetFlow 573

        NetFlow Overview 573

        Principal NetFlow Uses 574

        Definition of a Flow 574

        Traditional IP Flows 575

        Flow Record Creation 576

        NetFlow Cache Management 578

        NetFlow Export Versions 579

        NetFlow Version 9 Export Packet 580

        Flexible NetFlow Advantages 581

        NetFlow Deployment 582

        Where to Apply NetFlow Monitoring 582

    NBAR 583

        NBAR Overview 583

        NBAR Packet Inspection 584

        NBAR Protocol Discovery 586

        NetFlow and NBAR Differentiation 586

        Reporting NBAR Protocol Discovery Statistics from the Command Line 587

        NBAR and Cisco AutoQoS 588

    Cisco AutoQoS for the Enterprise 589

        Example: Cisco AutoQoS Discovery Progress 590

        Cisco AutoQoS Suggested Policy 591

    IP SLA Considerations 592

        IP SLA Overview 592

        SLAs 592

    Cisco IOS IP SLA Measurements 593

    IP SLA SNMP Features 594

        Deploying IP SLA Measurements 595

    Impact of QoS Deployment on IP SLA Statistics 596

    Scaling IP SLA Deployments 597

        Hierarchical Monitoring with IP SLA Measurements 598

        Network Management Applications Using IP SLA Measurements 599

        CiscoWorks IPM Application Example 599

    IP SLA Network Management Application Consideration 600

    Summary 600

    References 602

    Review Questions 603

Appendix A Answers to Review Questions 605

Appendix B Acronyms and Abbreviations 611

Appendix C VoWLAN Design 625

TOC, 9781587142888, 9/29/2011

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020