LAN

A properly designed LAN will take into consideration the needs for high availability and quality of service. This will account for the Access layer, Distribution layer, and Core layer of the typical enterprise network infrastructure. The Access layer offers in-line power to the phones, multiple queue support, 802.1p and 802.1q, and fast link convergence. The Distribution and Core switches offer multiple queue support as well as 802.1p and 802.1q, the same as the Access layer, along with traffic classification and reclassification. An IEEE protocol, 802.1p refers to the support of QoS on Layer 2 switches. Also an IEEE protocol, 802.1Q refers to the support of virtual LANs on Layer 2 switches.

Access Layer

High availability can be configured on the Access layer by using the Spanning Tree Protocol (STP). STP is a Layer 2 protocol that runs on switches and is specified by the IEEE standard 802.1d. The purpose of STP is to prevent loops when configuring redundant paths within the network. In Figure 12-1, observe that each switch is connected to two or more other switches, so that if one path fails, there is a redundant path to the destination. On the switch ports, STP can be configured to block traffic on one port and forward traffic on the other port. In the event that the forwarding port can no longer send and receive communications, the state of the blocking port will change to allow the data to flow along the alternate path. This ensures that there is an alternate path for routing traffic but eliminates the chance of a loop occurring with two open ports. Different flavors of STP can be used, and each one requires different timing for convergence. Therefore, it is recommended that the same version of STP be used within a single environment. Some of the other Spanning Tree Protocols that exist include IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) and IEEE 802.1s Multiple Instance Spanning Tree Protocol (MISTP). These two can converge at much higher rates than the traditional STP.

A virtual local-area network, or VLAN, is another essential part of the Access layer switch, and it should be configured prior to setting up STP. A VLAN is a logical grouping of devices connected to the switch that allows data traffic in the network to be decoupled for access control and prioritization. VLANs can be used to group devices in several ways, such as device type or department. For example, there may be a server where accounting software resides. The accounting team needs access to this software, but the sales team does not need access. The accounting team also needs to be able to communicate with the sales team for handling expense reports. In this scenario, three VLANs can be used to control who can access the accounting software. The server where the software resides can be placed in VLAN110, the accounting team computers can be placed in VLAN120, and the sales team computers can be placed in VLAN130. Then the network administrator can create connections from VLAN120 to VLAN110, and from VLAN120 to VLAN130. This will allow the accounting team to access the accounting software and communicate with the sales team. However, the sales team will be restricted from accessing the accounting software.

In a Cisco collaboration environment, VLANs are essential to implementing proper QoS. At least two VLANs should be created in this environment: a data VLAN and a voice and video VLAN, which is typically signified as VVID (Voice VLAN ID). Voice and video data can traverse the same VLAN, even though they typically experience different QoS markings. The reason these two VLANs need to be created is that Cisco phones have a NIC connecting the phone to a switch and a computer NIC connecting a computer to the phone. The phone and the computer require different QoS treatment and therefore should belong in different VLANs. This is where the configuration gets really interesting. If the phone is connected to the switch and the computer is connected to the phone, how can they possibly be decoupled into different VLANs? On the port at the switch where the phone is connected, both the Data VLAN and the VVID can be assigned. When the phone boots up, CDP or LLDP-MED can be used to discover both of these VLANs. There is a third virtual NIC in the phone that exists to monitor egress traffic and determine which VLAN should be used. Data traffic sourced from the computer will use the Data VLAN. Voice and video data from the phone will use the VVID. If content is being shared from the computer during a video call, then the VVID will be used for that particular data sourced from the computer.

One final offering that can be utilized at the Access layer needs to be mentioned here: inline power. Inline power, or Power over Ethernet (PoE), has already been discussed at great length. For a review of the information coving PoE, refer to Chapter 9, “Endpoint Registration.” Table 12-2 outlines the different types of PoE and the maximum power available. Some examples of Cisco switches that support the different types of PoE can also be found in Table 12-2.

PoE Type	PoE Power Capabilities	Example Switches
Pre-Standard Inline Power	6.3 Watts power	3550-24 or 48 ports
802.3af PoE	15.4 Watts power (Type 1)	3560-24 ports or 3670-48 ports
802.3at PoE	30 Watts power (Type 2)	2960-24 is Type 1 or Type 2
60 Watts power (Type 3)	4500 supports all types of PoE
100 Watts power (Type 4)	9000 supports all types of PoE

Distribution Layer

The Distribution layer switches can offer the same multiple queue support, 802.1p, 802.1q, and fast link convergence as the Access layer. However, the focus of the Distribution layer should be to offer Layer 3 routing, load balancing, and fault tolerance. These Distribution layer switches are the bridge between Layer 2 and Layer 3 of the enterprise network.

The Distribution layer switch can often serve as the Layer 3 default gateway for the Layer 2 devices. Should the Distribution layer switch fail, then many devices could lose communication across the network. Cisco initially released the Hot Standby Router Protocol (HSRP) to provide a fault-tolerant default gateway. The IETF developed a similar protocol called the Virtual Router Redundancy Protocol (VRRP) with RFC 5798. Although these two protocols are similar in nature and resolve the gateway redundancy issue, they are not compatible protocols and they each have some limitations. Cisco overcame these limitations when it released another protocol called the Gateway Load Balancing Protocol (GLBP). This protocol protects data traffic from a failed router or circuit, while also allowing packet load sharing between a group of redundant routers.

Endpoints use the Address Resolution Protocol (ARP) to learn the physical MAC address of their default gateway. With HSRP, a single virtual MAC address is provided to these endpoints. With GLBP, two virtual MAC addresses can be provided to the endpoints—one from the primary gateway and one from a peer gateway—which are distributed using round-robin technique.

Another way to ensure fast convergence, load balancing, and fault tolerance on the Distribution layer is to use Layer 3 routing protocols such as OSPF or EIGRP. You can use parameters such as routing protocol timers, path or link costs, and address summaries to optimize and control convergence times as well as to distribute traffic across multiple paths and devices. Cisco also recommends using the passive-interface command to prevent routing neighbor adjacencies via the access layer. These adjacencies are typically unnecessary, and they create extra CPU overhead and increased memory utilization because the routing protocol keeps track of them. By using the passive-interface command on all interfaces facing the access layer, you prevent routing updates from being sent out on these interfaces, and therefore, neighbor adjacencies are not formed.

Core Layer

The Core layer operates entirely in Layer 3 of the enterprise network. This layer can consist of Layer 3 switches or routers. The purpose of the Core layer is to provide redundancy between different Distribution switches. In the event of network outages, the Core layer can redirect traffic along a more stable path. The types of redundancy that need to be provided at the Core layer include Layer 1 link paths, redundant devices, and redundant device subsystems, such as power supplies and module cards. The Cisco Catalyst switches with Virtual Switching System (VSS) provide a method to ensure redundancy in all of these areas by pooling together two Catalyst supervisor engines to act as one. This is why Cisco recommends using a Layer 3 switch at the Core layer. Routing protocols at the Core layer should again be configured and optimized for path redundancy and fast convergence. There should be no STP in the core because network connectivity should be routed at Layer 3. Finally, each link between the core and distribution devices should belong to its own VLAN or subnet and be configured using a 30-bit subnet mask.

In the campus LAN, bandwidth provisioning recommendations can be summarized by the motto “overprovision and undersubscribe.” This motto implies careful planning of the LAN infrastructure so that the available bandwidth is always considerably higher than the load and there is no steady-state congestion over the LAN links. The addition of voice traffic onto a converged network does not represent a significant increase in overall network traffic load; the bandwidth provisioning is still driven by the demands of the data traffic requirements. The design goal is to avoid extensive data traffic congestion on any link that will be traversed by telephony signaling or media flows. Contrasting the bandwidth requirements of a single G.711 voice call (approximately 86 kbps) to the raw bandwidth of a Fast Ethernet link (100 Mbps) indicates that voice is not a source of traffic that causes network congestion in the LAN, but rather it is a traffic flow to be protected from LAN congestion.

WAN

The next layer in the enterprise network solution is the WAN Aggregation layer. These are the edge routers that allow different locations to communicate over the public Internet. There are general design considerations for deploying a WAN, as well as specific bandwidth considerations. There are also QoS tools at the WAN that will need careful design because the WAN presents the greatest potential for congestion. QoS topics will be discussed in the next chapter.

The Cisco recommendation when designing the WAN Aggregation layer is to establish multiple links for redundancy in case one of the links should fail. WAN designs include hub and spoke, full mesh, and partial mesh. The hub-and-spoke design contains one central “hub” router connected to multiple “spoke” routers. Each spoke is one hop away from the hub and two hops away from other spokes. Alternatively, a full mesh or partial mesh design could be implemented. In this type of design, multiple WAN links are established between locations so that each location has at least two WAN links, each link to a different router. Redundancy should be built into the WAN Aggregation layer using multiple links. This will ensure connectivity in the event one link fails, and additional bandwidth can be provisioned for load-balancing network traffic. Another design consideration for WAN Aggregation is noncentralized resources so that these services are available to all locations in the event of a WAN failure. These resources include media resources, DHCP servers, voice gateways, and call-processing applications. Earlier in this chapter, we discussed some of the call-processing applications such as SRST or Cisco Unified Communications Manager Express. If you are unfamiliar with these call-processing applications, you may want to research them on your own because they are outside the scope of this book.

The two types of bandwidth options to choose from when designing the WAN Aggregation layer are best-effort bandwidth and guaranteed bandwidth. Examples of best-effort bandwidth include the public Internet, DSL, cable, satellite, and wireless. With best effort there is no QoS, and bandwidth availability is on a first-come basis. Although these types of links are suitable for home offices or commuters, voice and video traffic will suffer. Therefore, Cisco recommends that you do not use best effort for voice-enabled networks that require enterprise-class voice services and quality.

Alternatively, you can choose from available guaranteed bandwidth link options. Leased Lines, Frame Relay, Asynchronous Transfer Mode (ATM), and ATM/Frame-Relay Service Interworking are older technologies that use dedicated circuits through a telephony service provider. These were the best options available to corporations prior to the introduction of broadband and high-speed Internet. Today, these technologies are very expensive and offer lower bandwidth rates compared to other packet-switched solutions available.

Some other guaranteed bandwidth link options available include Multiprotocol Label Switching (MPLS), Cisco Voice and Video Enabled IP Security Virtual Private Network (IPSec V3PN), and Dynamic Multipoint Virtual Private Network (DMVPN). MPLS is a transport protocol that uses “labels” to route traffic rather than network addresses. Packets are forwarded based on the content of the label, so deciphering between voice, video, and data is simple. It is protocol agnostic, so it will function in circuit-switched or packet-switched networks. IPSec V3PN integrates three core Cisco technologies: IP Telephony, QoS, and IPSec VPN. This results in an end-to-end VPN service that can guarantee the delivery of latency-sensitive voice and video communications. DMVPN is a solution that provides an alternative to the complicated administrative setup and maintenance that comes with establishing a mesh network. Initially, the DMVPN is set up as a hub-and-spoke network. Once communication is established between the spokes and the hub, each spoke will dynamically discover each of the other spokes and establish a tunnel between one another. This will reduce the amount of traffic at the hub, preserving bandwidth and processing capacity limits. For information on the deployment of multisite DMVPN WANs with centralized call processing, refer to “Cisco Unified Communications Voice over Spoke-to-Spoke DMVPN Test Results and Recommendations,” available at https://www.cisco.com/go/designzone. Figure 12-2 illustrates how a DMVPN network operates.

WLAN

The wireless local-area network (WLAN) is a whole infrastructure deployment that hangs off the LAN but requires a unique set of configurations. WLAN infrastructure design becomes important when collaboration endpoints are added to the WLAN portions of a converged network. With the introduction of Cisco Unified Wireless endpoints, voice and video traffic has moved onto the WLAN and is now converged with the existing data traffic there. Just as with wired LAN and wired WAN infrastructure, the addition of voice and video in the WLAN requires following basic configuration and design best practices for deploying a highly available network. In addition, proper WLAN infrastructure design requires understanding and deploying QoS on the wireless network to ensure end-to-end voice and video quality on the entire network.

Basic Configuration and Design

Wireless IP network architectures enable IP telephony to deliver enterprise mobility by providing on-premises roaming communications to the users with wireless IP telephony devices. Wireless IP telephony and wireless IP video telephony are extensions of their wired counterparts, which leverage the same call elements. Additionally, wireless IP telephony and IP video telephony take advantage of wireless 802.11-enabled media, thus providing a cordless IP voice and video experience. The cordless experience is achieved by leveraging the wireless network infrastructure elements for the transmission and reception of the control and media packets. The architecture for voice and video over wireless LAN includes the following basic elements:

• Wireless access points

• Wireless LAN controllers

• Authentication database

• Supporting wired network

• Wireless collaboration endpoints

• Wired call elements

The wireless access points enable wireless devices to communicate with wired network elements. In the case of a Cisco Collaboration environment, these wireless devices include all the UC voice and video endpoints that support wireless communications. Access points function as adapters between the wired and wireless world, creating an entryway between these two media components. Cisco access points can be managed by a wireless LAN controller (WLC), or they can function in autonomous mode. When the access points are managed by a WLC, they are referred to as lightweight access points (LWAPs), and in this mode, they use the Lightweight Access Point Protocol (LWAPP) or Control and Provisioning of Wireless Access Points (CAPWAP) protocol, depending on the controller version, when communicating with the WLC.

Many corporate environments require deployment of wireless networks on a large scale. The wireless LAN controller (WLC) is a device that assumes a central role in the wireless network and helps make it easier to manage such large-scale deployments. Traditional roles of access points, such as association or authentication of wireless clients, are handled by the WLC. Access points, called lightweight access points in the Unified Communications environment, register themselves with a WLC and tunnel all the management and data packets to the WLCs, which then switch the packets between wireless clients and the wired portion of the network. All the configurations are done on the WLC. LWAPs download the entire configuration from WLCs and act as a wireless interface to the clients. Figure 12-3 illustrates the relationship between the WLC and the LWAP.

The authentication database is a core component of the wireless networks, and it holds the credentials of the users to be authenticated while the wireless association is in progress. The authentication database provides network administrators with a centralized repository to validate the credentials. Network administrators simply add the wireless network users to the authentication database instead of having to add the users to all the wireless access points with which the wireless devices might associate. In a typical wireless authentication scenario, the WLC couples with the authentication database to allow the wireless association to proceed or fail. Authentication databases commonly used are LDAP and RADIUS, although under some scenarios the WLC can also store a small user database locally that can be used for authentication purposes.

The supporting wired network is the portion of the system that serves as a path between WLCs, WAPs, and wired call elements. Because the WAPs need to communicate to the wired world, part of the wired network has to enable those communications. The supporting wired network consists of the LAN switches, routers, and WAN links that work together to communicate with the various components that form the architecture for voice and video over WLAN.

The wireless collaboration endpoints are the user-facing voice and video nodes that operate over the WLAN, which are used for communication. These endpoints can be voice only or enabled for both voice and video. When end users employ the wireless communication endpoints to call a desired destination, the endpoints in turn forward the request to their associated call-processing server. If the call is allowed, the endpoints process the voice or video, encode it, and send it to the receiving device or the next hop of processing. Typical Cisco wireless endpoints are wireless IP phones, voice and video software clients running on desktop computers, mobile smartphones connected through wireless media, and mobile collaboration enterprise tablets. Specifically, the Cisco Unified IP Phones 7861, 8861, and 8865 support wireless communication. Any Windows or Mac computer running the Cisco Jabber application, or any smartphone or tablet running Jabber, could be connected wirelessly to the network. Also, the Cisco DX series endpoints support wireless connections to the network.

Whether the wireless collaboration endpoints initiate a session between each other or with wired endpoints, wired call elements are involved in some way. Wired call elements, such as gateways and call-processing entities, are the supporting infrastructure for voice and video endpoints coupled to that infrastructure. Figure 12-4 illustrates all of the components needed in a WLAN deployment.

High Availability

Providing high availability in collaboration solutions is a critical requirement for meeting the modern demands of continuous connectivity. Collaboration deployments designed for high availability increase reliability and uptime. Using real-time applications such as voice or video over WLAN without high availability could have very adverse effects on the end-user experience, including an inability to make voice or video calls.

A unique aspect of high availability for voice and video over WLAN is high availability of radio frequency (RF) coverage to provide Wi-Fi channel coverage that does not depend on a single WLAN radio. The Wi-Fi channel coverage is provided by the AP radios in the 2.4 GHz and 5 GHz frequency bands.

The primary mechanism for providing RF high availability is cell boundary overlap. In general, a cell boundary overlap of 20 to 30 percent on nonadjacent channels is recommended to provide high availability in the wireless network. For mission-critical environments, at least two APs should be visible at the required signal level (−67 dBm or better). An overlap of 20 percent means that the RF cells of APs using nonadjacent channels overlap each other on 20 percent of their coverage area, while the remaining 80 percent of the coverage area is handled by a single AP. Furthermore, when determining the locations for installing the APs, you should avoid mounting them on reflective surfaces, such as metal, glass, and so forth, which could cause multipath effects that result in signal distortion. Figure 12-5 illustrates a high availability deployment of WLANs using overlapping channel cells.

Careful deployment of APs and channel configuration within the wireless infrastructure are imperative for proper wireless network operation. For this reason, Cisco requires customers to conduct a complete and thorough site survey before deploying wireless networks in a production environment. The survey should include verifying nonoverlapping channel configurations, Wi-Fi channel coverage, and required data and traffic rates; eliminating rogue APs; and identifying and mitigating the impact of potential interference sources. Additionally, you should evaluate utilizing a 5 GHz frequency band, which is generally less crowded and thus usually less prone to interference. If Bluetooth is used, it is highly recommended to use a 5 GHz WLAN band (802.11a/n/ac) whenever possible for endpoint connectivity. Similarly, the use of Cisco CleanAir technology will increase the WLAN reliability by detecting radio frequency interference in real time and providing a self-healing and self-optimizing wireless network.

Capacity Planning

A crucial piece in planning for voice and video over WLAN is adequately sizing the solution for the desired call capacity. Capacity is defined as the number of simultaneous voice and video sessions over WLAN that can be supported in a given area. Capacity can vary depending on the RF environment, the collaboration endpoint features, and the WLAN system features. For instance, a solution using Cisco Unified Wireless IP Phones 8861 on a WLAN that provides optimized WLAN services would have a maximum call capacity of 27 simultaneous sessions per channel at a data rate of 24 Mbps or higher for both 802.11a and 802.11g. On the other hand, a similar solution with a wireless device such as a tablet running the Jabber client making video calls at 720p and a video rate of 2500 kbps on a WLAN, where access points are configured as 802.11a/n with a data rate index of Modulation and Coding Scheme 7 in 40 MHz channels, would have a maximum capacity of seven video calls and two bidirectional voice and video streams per channel. To achieve these capacities, there must be minimal wireless LAN background traffic and RF utilization, and Bluetooth must be disabled in the devices. It is also important to understand that call capacities are established per nonoverlapping channel because the limiting factor is the channel capacity and not the number of access points (APs). The call capacity specified by the actual wireless endpoint should be used for deployment purposes because it is the supported capacity of that endpoint.

Design Considerations

It is easy to understand that the design and implementation of a WLAN environment in the workplace is very complex and requires many considerations to be factored into the overall network design. Additionally, WLAN configuration specifics can vary depending on the voice or video WLAN devices being used and the WLAN design. Other design considerations for a proper WLAN deployment include the following:

• VLANs

• Roaming

• Wireless channels

• Wireless interference and multipath distortion

• Multicast on the WLAN

• Wireless AP configuration and design

• Wireless LAN controller design considerations

• WLAN quality of service

An entire series of books could be written just to cover the WLAN components and considerations that must be accounted for in a network design that supports voice and video communications. Cisco has a CCNP and CCIE certification track that deals with the many facets of a WLAN environment, and many resources are available to extend an engineer’s understanding of these solutions. To keep the contents of this section relevant to the scope of this book, we will not cover the preceding topics. However, the next chapter will delve into some of the WLAN QoS settings that need to be configured to support voice and video over a WLAN environment.

ISR, ASR, and IOS Software Comparisons

Cisco has a line of routers that offer advanced services beyond what traditional routers can offer. These routers are ideal for use in voice and video environments as well as support of smaller branch office locations or hybrid communication to the cloud. They are the Integrated Services Routers (ISRs), Aggregation Services Routers (ASRs), and Cloud Services Routers (CSRs). The biggest difference between Cisco ASR and ISR routers is that ASR routers are for enterprises and service providers, whereas ISRs are for customers with small- or medium-sized networks. CSRs go beyond the scope of this book, so the focus will be on the ISR and ASR options.

Two factors that should be considered will influence which of these router product lines should be used within a particular customer environment. Sizing is the most important factor, followed by the software running on the router. Different software will provide different features and capabilities. The classic IOS software was used on all Cisco routers prior to 2007 and may still be found running on some routers in production today. However, most current products in the Cisco ISR and ASR routers use either the IOS XE or IOS XR software version.

Cisco IOS XE software is an open and flexible operating system optimized for a new era of enterprise networks. Its standards-based programmable interfaces automate network operations and give you deep visibility into user, application, and device behaviors. As the single OS for enterprise wired and wireless access, aggregation, core, and WAN, Cisco IOS XE reduces business and network complexity. Cisco IOS XE software is open because it includes the following open standards-based capabilities: NETCONF (RFC 6241) programmable interfaces, IETF YANG push telemetry, OpenConfig and IETF YANG data models, and Guest Shell Linux Containers (LXC). Yet the user interface is the same familiar CLI that engineers have been using throughout the lifecycle of the older classic IOS software. This highly scalable software has been developed with resiliency in mind; Cisco IOS XE reduces planned and unplanned downtime. Service and software upgrades are more efficient, and Graceful Insertion and Removal lets you update or debug a switch without disrupting network traffic. Cisco IOS XE software also has built-in security and trust, which helps protect against modern cyberattacks. It assures that Cisco hardware and software are genuine and unmodified. And its enhanced platform integrity, security, and resilience mean you can be confident that data is trustworthy. Additionally, all IOS XE software-based routers support hybrid cloud services.

IOS XR is Cisco IOS software used on the high-end Network Converging System (NCS), carrier-grade routers such as the CRS Series, 12000 Series, and ASR9000 Series. In fact, the ASR9000 Series are the only ASR or ISR routers that support the IOS XR software. Cisco’s IOS XR software shares very little infrastructure or feature support with the other IOS software options and is instead built on a preemptive, memory-protected, multitasking, microkernel-based operating system. The microkernel was formerly provided by QNX; versions 6.0 and up use the Wind River Linux distribution. IOS XR is an on-premises-only software solution with no hybrid cloud support, and it aims to provide the following advantages over the earlier IOS versions:

• Improved high availability (largely through support for hardware redundancy and fault containment methods such as protected memory spaces for individual processes and process restart-ability)

• Better scalability for large hardware configurations (through a distributed software infrastructure and a two-stage forwarding architecture)

• A package-based software distribution model (allowing optional features such as multicast routing and MPLS to be installed and removed while the router is in service)

• The ability to install package upgrades and patches (potentially while the router remains in service)

• A web-based GUI for system management (making use of a generic, XML management interface)

As mentioned previously, the number of users the router needs to support for sizing and the software version will determine the specific product needed for a given customer site. Table 12-3 identifies all the different series of ISR and ASR routers available with their sizing limitations and software availability.

ISR Products Explained

As Table 12-3 shows, you have many product lines to choose from when deploying the Cisco ISR. This section will delve into four specific ISRs: the ISRv (which is a virtual router), 800 Series ISR, 1000 Series ISR, and the 4000 Series ISR. The 800 Series ISR is the only router discussed in this section that runs the classic IOS software instead of the IOS XE software. However, this is a great router to use for remote office locations, and it supports DMVPN.

There are many benefits to using the ISRv. First, it supports rapid deployment and service automation. The virtual form factor accelerates deployment and eliminates hardware costs such as complete equipment upgrades and return materials authorization (RMA). It also supports single-tenant use. This feature allows a cloud service provider to provision a routing instance per tenant, simplifying service delivery and tenant management. It also helps the provider overcome VLAN scale limits, increasing tenant scale. The enterprise network extension to the cloud feature provides enterprises highly secure direct connections from their distributed sites to their cloud-hosted applications, improving application response time and user experience. The network consistency feature uses familiar enterprise-class Cisco IOS software features for consistent network operation across premises and the cloud, allowing the enterprise to view the cloud as just another node in its network. Network scalability allows scale beyond the limitations of 802.1q VLAN tagging by building a VXLAN network or extending Layer 3 routing deeper into the cloud environment. Finally, consolidation of network functions eliminates the facility requirements and complexity of physical network devices by consolidating multiple network functions onto a single piece of server hardware.

The following features are supported on the Cisco ISRv:

• Routing: Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Policy-Based Routing, IPv6, Virtual Route Forwarding Lite (VRF-Lite), Multicast, LISP, and Generic Routing Encapsulation (GRE)

• Addressing: Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Network Address Translation (NAT), 802.1Q VLAN, Ethernet Virtual Connection (EVC), and VXLAN

• VPN: IPsec VPN, DMVPN, Easy VPN, SSL VPN, and FlexVPN

• MPLS: MPLS VPN, VRF, and Bidirectional Forwarding Detection (BFD)

• Security: Cisco IOS Zone-Based Firewall (ZBFW); access control list (ACL); authentication, authorization, and accounting (AAA); RADIUS; and TACACS+

• High availability: HSRP, Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP), and box-to-box high availability for ZBFW and NAT

• Traffic redirection: AppNav (to Cisco Wide Area Application Services [WAAS]) and Web Cache Communication Protocol (WCCP) application visibility, performance monitoring, and control: quality of service (QoS), AVC, and IP service-level agreement (SLA)

• Hybrid cloud connectivity: OTV, Virtual Private LAN Service (VPLS), and Ethernet over MPLS (EoMPLS)

• Management: Command-line interface (CLI), Secure Shell (SSH) Protocol, NetFlow, Simple Network Management Protocol (SNMP), Embedded Event Manager (EEM), and RESTful application programming interfaces (APIs)

• NFV: Virtual route reflector (vRR), virtual broadband network gateway (vBNG), and virtual intelligent services gateway (vISG)

An affordable router series that supports important network services such as security is the Cisco 800 Series Integrated Services Routers. These ISRs deliver secure, reliable WAN connectivity that small offices and remote workers need. Additionally, they support built-in voice features, wireless, WAN optimization, and machine-to-machine communications. Different models in the series support different connection types to serve the specific needs of a small office. That could be xDSL, Wi-Fi, 4G LTE, Ethernet, fiber, or something else. Routing, switching, wireless, and intelligent IP network services are all bundled into one compact form factor that’s quick to install using the Cisco Configuration Professional Express tool. They can all be managed centrally from a data center with Cisco Prime Infrastructure and LiveAction applications. The 800 ISRs provide comprehensive security—encryption, VPN, firewall, and cloud-based URL filtering—to help safeguard customers and data. Table 12-4 outlines the models in the 800 Series ISRs and includes deployment recommendations and top WAN speeds.

The Cisco 1000 Series ISR platform with its small form factor is best suited for small and midsize businesses, enterprise branches, and as customer premises equipment in managed services environments. The routers come with four or eight LAN ports in various model options. They have high performance with Gigabit Ethernet packet-forwarding capabilities. The multicore architecture has separate cores for the data plane and control plane. The 1000 Series ISRs support Power over Ethernet (PoE) and PoE+ to power branch devices such as IP phones and cameras. They are easy to deploy with zero-touch provisioning using Plug-and-Play capability. There are multiple combinations to choose from, including LAN, WLAN, WAN, DSL, LTE, and pluggable, depending on your branch needs. The 1000 Series can be used in ATMs, retail stores, and kiosks, as well as for various other purposes. The 1000 Series ISRs address the demands of increased mobility with LTE Advanced and 802.11ac (Wave 2) Wi-Fi. It has a comprehensive set of WAN connectivity options such as Ethernet, Fiber, LTE, and the latest DSL technologies, like G.fast. The routers provide a great return on investment, allowing you to save on operating expenses by reducing WAN link costs with software-defined WAN capability and transport independence using Cisco SD-WAN. You can also reduce capital expenses using pay-as-you-grow licensing for IPsec performance. The 1000 Series ISRs answer the latest security threats to networking devices with advanced features such as zone-based firewall, Trustworthy Systems, Cisco Umbrella security, and Encrypted Traffic Analytics.

The Cisco 1000 Series ISRs include the following models:

• Cisco 1100-8P ISR with LTE Advanced

• Cisco 1100-4P ISR with DSL

• Cisco 1101-4P

• Cisco 1101-4PLTEP

As you build out the digital capabilities in your enterprise branch offices, you should consider the full-service sophistication of the Cisco 4000 Series Integrated Services Routers. The 4000 Series ISRs consolidate many must-have IT functions, including network, security, compute, storage, and unified communications. So, you get everything you need in a single platform. That means significant savings in capital, operational, and management expenses for lower total cost of ownership. The platform is modular and upgradable, so you can add new services without changing equipment. It supports multiple application-aware services concurrently while maintaining WAN performance of up to 2 Gbps, even during heavy traffic loads. The backplane architecture supports high-bandwidth, module-to-module communication at speeds up to 10 Gbps. The 4000 Series includes Cisco Trust Anchor Technologies that help mitigate modern cyberattacks by verifying platform integrity and providing protection from counterfeit and unauthorized modification of hardware and software.

The 4000 Series runs Cisco Intelligent WAN (IWAN), a comprehensive set of traffic control and security features. IWAN includes all the business-grade capabilities of a Multiprotocol Label Switching (MPLS) VPN using other types of less-expensive links, such as per-application traffic management, WAN optimization, and VPN tunneling, which can be put to work across Internet, cellular, and other lower-cost services as connections are added. Additionally, new router services can be activated on demand through a simple licensing change. Local IT staff are not needed in the branch to deliver a fully comprehensive computing and networking experience with remote application installation and management capabilities.

Cisco IWAN features can now be configured in next to no time, thanks to Cisco’s enterprise software-defined networking (SDN) controller, the Application Policy Infrastructure Controller Enterprise Module (APIC EM). APIC EM allows automation of lots of tasks across the network. You can implement an SDN on the Cisco WAN infrastructure without having to upgrade any equipment; just install the no-charge APIC EM software-based controller between applications and network infrastructure. The controller translates business policy directly into network device-level policy for automatic compliance with any corporate and industry-mandated polices. For additional WAN management simplicity, you can also use the IWAN app for APIC EM. The app automates the configuration of Cisco Intelligent WAN features, such as quality of service, WAN optimization, and security, in Cisco branch and edge WAN routers. The app slashes what used to require 1000 CLI steps to just 10 mouse clicks per site. With the IWAN app’s template functionality, the ability to configure, deploy, and manage large numbers of branch offices has never been easier. The 4000 Series ISR contains these platforms: the 4451, 4431, 4351, 4331, 4321, and 4221 ISRs.

APIC EM is now wrapped into DNA Center, which falls under SD-Access. It could also be described as “Cisco’s Software-Defined Access (SD-Access) solution” because it’s the blanket term of the software-defined LAN side. Also, to add to the confusion, APIC EM and IWAN are still being used, but more attention is focused on the Cisco SD-WAN solution that’s based on the Viptela acquisition. Lastly, both SD-Access and SD-WAN fall under Cisco Digital Network Architecture (Cisco DNA), similar to how everything in collaboration now falls under Webex.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 32, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.