Showing posts with label Cisco.

Friday, 17 July 2009

A Network Architecture for Business Value Acceleration By Cisco

Introduction
Nearly every enterprise today is affected by globalization, outsourcing, private equity competition, increased regulation, Web 2.0 or all of the above, placing increased demands on enterprise computing requirements. To survive and prosper, companies must reduce operating costs, increase automation and control, and prepare to scale the number of business relationships they can support.

The platform to facilitate this transformation is common across the enterprise – the network. The transport-centric vision of the network is now giving way to a converged vision in which business objectives and network architecture meet. But what does this really mean?

Agility and efficiency are no longer a matter of building solutions to support a specific business model. Rather, the ability to rapidly evolve to support innovation in business models must be part of the enterprise architecture strategy from the beginning of business process change. A service-oriented network architecture (SONA) can create a platform that enables change and accelerates business value. The SONA framework was developed by Cisco® and is being used successfully within its own IT organization and by many of its customers to align business goals with enterprise architecture.

The Transformation Process
Everything starts with enterprise architecture, the global plan for how all processes in a company will be implemented. But many enterprise architecture initiatives fail to engage the business. A successful transformation using a SONA framework addresses both processes and business goals:

  1. The business context is created, providing the foundational assumptions for the future-state architecture.
  2. Strategic requirements are analyzed, while articulating a set of architecture principles.
  3. Key business functions to fulfil the business strategy are evaluated.

As these requirements are articulated, enterprise architecture teams can identify the IT services that support the business functions and processes needed to achieve the business strategy.

As technology influences – including Web 2.0 and service oriented applications – gain momentum, companies realize that traditional definitions of enterprise architecture are too small to contain the scope of the solution. Many of the services that are crucial in these implementations find their natural home in the network, not in the application.

Supporting these new technologies requires that network architecture become part of the design process, not just an invisible transport layer. If business transformation is not supported by the right network design, the efforts will most likely not deliver on performance requirements.

The Network in a Service Oriented World
The architectural complexity of the information highway is changing dramatically – from a simple two-lane road connected by switches and routers to one with a much more complex structure, featuring a variety of special-purpose checkpoints along the way.

Checkpoints include well-established functions such as firewalls and encryption functionality like Secure Sockets Layer (SSL). But upon closer inspection, it becomes clear that many common services for security and identity management work identically in every application, making them perfect candidates to be provisioned in the network.

The core functions of many types of applications (GRC, in particular) can be enhanced by adding checkpoints that look inside the packets flowing through the network and recognize important events, which are then sent to applications. Radio frequency identification (RFID) and other real-world awareness services that report on the location of people and things feed their information into a network, where it is consumed by applications that need it. Virtualization allows one point on a network to imitate many different devices and services.

Yet, in the face of all of these demands and opportunities, the shape of the network architecture has changed very little. In spite of bigger pathways and more complicated topology, loading more packet volume and IP-based services on today’s network will eventually lead to a traffic jam and prevent enterprises from cost-effective transformations.

Which Types of Applications as Services?
Enterprise systems today can improve their performance using a feedback loop based on data collected or through other means such as location-based services. Services that capture events are particularly important and are ideally suited to move into the network. In an extended event-driven business network, a supply chain event indicating a primary material shortage might have tremendous downstream implications. But it is useless unless that event is communicated to all the networks and people that need to be aware of it.

The services used in these contexts must have the operational characteristics of production systems to succeed. Many of the most valuable services are extensions of core systems at the hub of the enterprise, such as enterprise resource planning (ERP) and customer relationship management (CRM).

As hub systems become available through services in ways that protect the transactional integrity of the data, the value of these systems extends to the edge of the enterprise where the information may be used in looser, more collaborative processes.

Which Services in the Network
What does it mean, exactly, for services to migrate to the network? Essentially, it means that code that was running in an application server now runs on routers, switches and other special-purpose devices used to run and manage the network.

This gives applications a simpler architecture and extended reach. Applications can offload functions that are better performed by network-based services, and gain functionality from network services that recognize important events and feed them to the applications. Applications remain the brain; the network becomes an extended nervous system.

The network is the natural platform for a certain class of generic services for unified communications, authentication, virtualization, mobility and voice. Because the network is the only ubiquitous component in the IT landscape, it is the natural home for the most generic services. Services likely to migrate into the network include backup, identity management, location-based services, caching and GRC-related events, which are all generic and operate in the same way regardless of the application context. Provisioning services that are used by every application in the same way from the network is less costly, faster and easier, and is the only way to help ensure consistency and compliance.

The network is also the natural platform for collaboration-related services that provide location awareness, instant messaging, telepresence and voice conferencing. For example, such services would allow a hospital to deliver a multi-gigabyte digital X-ray image to the reader closest to a doctor whose location is known to the network. The same intelligence could avoid delivering such a large file over a less suitable network path if the doctor were using a mobile device.

Architectural Implications
One major implication of providing these services through the network is a convergence of enterprise architectures and network architectures. Moving services into the network requires tight coordination of business planning, enterprise architecture and network architecture. Organizations must examine architecting the network to the business strategy before moving to the provisioning phases.

Network topology will be influenced and network device capacities and capabilities must change as they are asked to do more. There must be an optimal number of points for information collection to recognize and capture application-oriented events and deliver other services. Each collection point must have appropriate access to traffic and processing capability.

To create such a platform means examining networks that were designed sometimes decades ago and then incrementally enhanced. A vision will be required, followed by a roadmap to achieve that vision. The two most likely first steps after establishing the vision involve network provisioning of event recognition for applications as described earlier, and security.

Traditional network security functions such as firewalls, SSL encryption, and virtual private networks (VPNs), along with newer message-level and application-level security and the filtering of unwanted traffic, provide an example of how services can migrate to the network for added functionality and cost savings.

Security and Web 2.0
As companies pursue Web 2.0 business models and implement Web services-based application programming interfaces (APIs), fresh security challenges arise that require a more flexible, responsive architecture. Web services that enable e-commerce transactions or update supply chain information carry significant security risks. Misuse of these services can be incredibly damaging and the protection provided by the network and other security mechanisms must be an order of magnitude more robust than before.

Crafting a SONA
Applications can be made immensely more effective using Cisco’s SONA framework. When generic services are migrated to the network, along with specialized services for location or unified communications, the character of an IT infrastructure changes and becomes more flexible and supple.

As more and more services are added to the IP network, however, network architecture and capacity planning become more complex than just adding “more network.” For example, prioritization must be available for voice packets within the IP stream. And while security, identity management and similar services might have predictable growth curves, data centres supporting various virtualized services may face extremely irregular growth patterns.

Application-oriented networking and virtualization add their own requirements for topology. Melding the network with enterprise architecture makes getting to the right architecture for network-based services more difficult still. A successful approach to implementing a SONA framework is an incremental journey of several coordinated steps. Pursuing a business strategy without incorporating network centric principles at the origination of the idea may cause business value to be lost in the vast functional potential.

Value of Getting It Right from the Start
The primary benefit of identifying enterprise architecture strategies early in the IT planning process is the ability to create more business value to keep pace with the ever-changing global marketplace. It requires working closely with valued technology partners well versed in the implementation of service-oriented networks and applications, which will help accelerate business value creation by: increasing internal process flexibility; reducing costs through standardization; fostering innovation inside and outside a company; improving the value created by enterprise applications; and boosting adoption of Web 2.0-enabled business models.

Who Stands to Gain from SONA?
As with any significant technology shift, companies differ in how readily they embrace new concepts and ways of doing business. Forward-thinking organizations will recognize the benefits of constructing a SONA to harness the benefits of Web 2.0 and other emerging technologies, and will reap those benefits more quickly than their more cautious competitors. Companies that move quickly to prepare a scalable and robust infrastructure for service delivery inside and outside the firewall stand to increase business value and gain competitive advantage. The entire foundation of this new wave of business value is reliable, manageable and operationally robust dynamic services, which can only be delivered by a strategically architected network.

Tuesday, 16 June 2009

Cisco Nonstop Forwarding for EIGRP

OVERVIEW

Cisco Nonstop Forwarding (NSF) with Stateful Switchover (SSO) is a Cisco innovation for routers with dual route processors. Cisco NSF with SSO allows a router, which has experienced a hardware or software failure of an active route processor, to maintain data link layer connections and continue forwarding packets during the switchover to the Standby route processor. This forwarding can continue despite the loss of routing protocol peering arrangements with other routers. Routing information is recovered dynamically, in the background, while packet forwarding proceeds uninterrupted.

Service Provider environments can benefit from the initial release of Cisco NSF with SSO in Cisco IOS® Software Release 12.0(22)S. It includes support for the Border Gateway Protocol (BGP), Open Shortest Path First (OSPF) and Intermediate System-Intermediate System (IS-IS) routing protocols. However, as Cisco NSF with SSO is ported to more traditional Enterprise platforms, such as the Cisco Catalyst 6500 Series Switch, there is a corresponding requirement to support the Enhanced Interior Gateway Routing Protocol (EIGRP).

There are two components of Cisco NSF for EIGRP:

  • NSF-capability: restartable EIGRP component that is run by a router and supports dual route processors. Cisco NSF for EIGRP is available in Cisco IOS Software Release 12.2(18)S for the Cisco 7500 Series Router and in Release 12.2(18)SXD for the Cisco Catalyst® 6500 Series Switch. This functionality may also be available in other platform-specific software releases for other Cisco dual route processor devices.
  • NSF-awareness: compatible components that run on the neighbors of the restarting router and help the restarting router reacquire its routing information. Available in Cisco IOS Software Release 12.2(15)T.


TECHNICAL DETAILS
Internally, a Cisco router equipped with dual route processors can maintain Layer 2 data link connections and up-to-date "next-hop" information to continue forwarding packets in the event of a route processor switchover.

However, all of these innovations would be for naught if routers that are neighbors with the router performing the switchover (hereafter, the neighbor routers) did not continue to forward packets to that router. In order for a neighbor router to continue packet forwarding, several conditions must be met:

  • Restarting routers and their neighbor routers must each support the appropriate EIGRP extensions.
  • Neighbor routers must not prematurely declare the restarting router as unavailable.
  • Neighbor routers must not communicate any state change in the restarting router to any of their own neighbors. This avoids the significant detrimental effect on network performance associated with the failure of a router.
  • The restarting router must signal its neighbors that it has restarted.
  • Neighbor routers must send EIGRP topology updates to help the restarting NSF router reacquire its EIGRP Topology Database.
  • Neighbor routers must signal the completion of the initial routing update by sending the End-of-Table marker.
  • In the interim (before the restarting router has reacquired the routing information), the neighbor routers must mark any routes associated with the restarting router as "stale", but continue to use those routes for packet forwarding.

To accomplish these conditions, some enhancements were made to EIGRP. A new bit, the Restart bit, was introduced in the EIGRP UPDATE and HELLO packets. In addition, an End-of-Table (EOT) signal was introduced, so that neighbor routers could tell a restarting router when they had completed sending their updates. The EOT allows the restarting router to begin topology and route calculation as quickly as possible, and speeds convergence. Figure 1 illustrates the process that occurs when an EIGRP/NSF-capable router restarts.

Figure 1. Restart of an EIGRP/NSF Capable Router

As quickly as possible after switching over to its redundant route processor, the restarting router will send out an empty update packet with both the INIT and RESTART (RS) bits set. This notifies neighbors of the restarting router that a restart has occurred, and that their assistance will be required to refresh the routing database of the restarting router.

During this process, the restarting router may also send HELLO packets, in order to maintain neighbor adjacency. These HELLO packets will also have the RS bit set.

Upon receiving the INIT and RS, the neighbors of the restarting router will acknowledge the update while realizing that the restarting router has restarted. As such, the restarting router will have no routing information, and will need to reacquire it. Each neighbor of the restarting router will begin sending updates containing routing information. In its last update, each neighbor will set an EOT signal so the restarting router knows that it has all available information and may begin the process of calculating routes.

At this point, the restarting router exits "receive-only mode" and performs a Diffusing Update Algorithm (DUAL) calculation to select the best loop-free routes for each destination in the topology database. Once the DUAL calculation is complete, the restarting router will send updates to each of its neighbors regarding routing destinations accessible through it. Once all updates have been sent and acknowledged, convergence is complete.

Once convergence is complete, the restarting router will clear the RS bit in its HELLO packets, and network operation will continue as normal.

Note that the restarting router and all of its neighbors have continued to forward packets throughout this entire operation.
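The restart exchange just described, as an added example that is not Cisco code or anything taken from the whitepaper: a small Python model of three routers, N1 -- R -- N2, in which R switches over, both neighbors mark R's routes stale yet keep forwarding over them, R stays receive-only until both neighbors have sent End-of-Table, and only then recomputes, advertises and clears the RS bit. Router names, prefixes and metrics are constructed; the INIT, RS and EOT flags are plain booleans on a packet object rather than real EIGRP TLVs; and a lowest-metric choice stands in for DUAL.

```python
from collections import deque
from dataclasses import dataclass, field

LINK = 10        # constructed per-hop metric
WIRE = deque()   # packets in flight: (destination Router, Packet)

@dataclass
class Packet:
    src: str
    init: bool = False                          # INIT bit
    rs: bool = False                            # Restart (RS) bit
    eot: bool = False                           # End-of-Table marker
    routes: dict = field(default_factory=dict)  # prefix -> metric as seen by the sender

class Router:
    def __init__(self, name, connected):
        self.name, self.connected = name, dict(connected)  # connected: prefix -> metric
        self.topology, self.peers = {}, {}                 # prefix -> {neighbor: metric}; name -> Router
        self.stale, self.awaiting_eot = set(), set()       # stale neighbors; EOTs still outstanding
        self.frozen, self.rs_bit = None, False             # forwarding table kept across switchover; RS bit

    def routing_table(self):
        table = {p: (self.name, m) for p, m in self.connected.items()}   # connected wins
        for prefix, vias in self.topology.items():                        # else lowest metric (stands in for DUAL)
            nh, metric = min(vias.items(), key=lambda kv: kv[1])
            if prefix not in table or metric < table[prefix][1]:
                table[prefix] = (nh, metric)
        return table

    def next_hop(self, prefix):
        table = self.frozen if self.frozen is not None else self.routing_table()
        return table[prefix][0] if prefix in table else None

    def advertise(self, dst, eot=False):
        # full table to one neighbor, with split horizon
        routes = {p: m + LINK for p, (nh, m) in self.routing_table().items() if nh != dst}
        WIRE.append((self.peers[dst], Packet(self.name, eot=eot, routes=routes)))

    def switchover(self):
        # standby RP takes over: forwarding state survives, protocol state is lost
        self.frozen, self.topology = self.routing_table(), {}
        self.rs_bit, self.awaiting_eot = True, set(self.peers)
        for dst in self.peers:            # empty UPDATE with INIT and RS set
            WIRE.append((self.peers[dst], Packet(self.name, init=True, rs=True)))

    def receive(self, pkt):
        if pkt.init and pkt.rs:           # NSF-aware neighbor: keep the adjacency, mark stale, resend table
            self.stale.add(pkt.src)
            self.advertise(pkt.src, eot=True)
            return
        for vias in self.topology.values():   # a full-table UPDATE replaces this peer's earlier routes
            vias.pop(pkt.src, None)
        for prefix, metric in pkt.routes.items():
            self.topology.setdefault(prefix, {})[pkt.src] = metric
        self.topology = {p: v for p, v in self.topology.items() if v}
        self.stale.discard(pkt.src)
        if pkt.eot and pkt.src in self.awaiting_eot:
            self.awaiting_eot.discard(pkt.src)
            if not self.awaiting_eot:     # last EOT: leave receive-only, compute, advertise, clear RS
                self.frozen = None
                for dst in self.peers:
                    self.advertise(dst)
                self.rs_bit = False

def deliver(count=None):
    while WIRE and count != 0:            # deliver `count` queued packets, or all when None
        dst, pkt = WIRE.popleft()
        dst.receive(pkt)
        count = count and count - 1

def build_network():
    n1, r, n2 = [Router(n, {p: 0}) for n, p in                     # N1 -- R -- N2, constructed prefixes
                 (("N1", "10.1.0.0/24"), ("R", "10.0.0.0/24"), ("N2", "10.2.0.0/24"))]
    for a, b in ((n1, r), (r, n2)):
        a.peers[b.name], b.peers[a.name] = b, a
    for _ in range(3):                    # periodic full-table exchange until stable
        for router in (n1, r, n2):
            for dst in router.peers:
                router.advertise(dst)
        deliver()
    return n1, r, n2

def run_restart():
    n1, r, n2 = build_network()
    r.switchover()
    deliver(2)                            # both neighbors receive the empty UPDATE with INIT+RS
    during = {"rs_bit": r.rs_bit,                                # HELLOs sent now would carry RS
              "n1_marks_r_stale": "R" in n1.stale,
              "n1_next_hop": n1.next_hop("10.2.0.0/24"),         # stale route still forwards
              "r_next_hop": r.next_hop("10.2.0.0/24"),           # frozen table still forwards
              "r_relearned": len(r.topology)}                    # receive-only: nothing relearned yet
    deliver(1)                            # EOT from N1 only: R keeps waiting for N2
    during["awaiting_eot"] = sorted(r.awaiting_eot)
    deliver()                             # EOT from N2, then R's own updates to both neighbors
    after = {"rs_bit": r.rs_bit,
             "stale_cleared": not (n1.stale or n2.stale),
             "r_next_hop": r.next_hop("10.2.0.0/24")}            # now from the relearned topology
    return during, after
```

The `during` dictionary returned by `run_restart()` is the interesting one: R still resolves 10.2.0.0/24 through its frozen table and N1 still resolves it through R while R's own topology table is empty, which is exactly the window the deployment caveat below is about. Hold timers are not modelled, so the model never declares R down; inserting a prefix withdrawal on N2 between `deliver(2)` and the final `deliver()` is the simplest way to watch the frozen table send traffic to a next hop that no longer has the route.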

DEPLOYMENT CONSIDERATIONS
The primary deployment scenario for EIGRP/NSF is in single-point-of-failure routers. A good example of a single-point-of-failure router is an Enterprise WAN edge router that has no redundant multi-homed path to particular destinations.

EIGRP/NSF can also be deployed in multi-homed environments or on the Enterprise Distribution or Core layers. Note one important caveat for this type of deployment: Cisco NSF maintains the capability of forwarding packets by "freezing" the Cisco Express Forwarding table at the point where the RP switchover occurs. Forwarding occurs to the last-known-good next-hop for any particular IP destination. Therefore, if a routing topology change occurs prior to the restarting router reacquiring the most recent routing information, then transient routing loops, asymmetrical routing, or routing "black holes" may occur.

The following points mitigate this caveat:

  • NSF must be compared to its alternative: the complete reset of a router, which can also result in routing loops, asymmetrical routing, or routing "black holes".
  • In most network designs, asymmetrical routing is the most common occurrence. While this is usually undesirable, it does not prohibit packets from reaching their ultimate destination.
  • Depending on what topology change occurs, only a small portion of the traffic may be subject to routing loops or black holes. Other traffic continues to flow to its appropriate destinations.
  • NSF is a self-correcting protocol. Routing loops or black holes disappear after convergence. In addition, EIGRP converges very quickly, so any routing problems will be shortly resolved.

CONCLUSION
Cisco Nonstop Forwarding for EIGRP can significantly reduce downtime on Enterprise networks during a failure on a route processor. Provided that careful attention is dedicated to the potential deployment scenarios, and that due diligence is accorded the potential caveats when incorporating NSF into the overall network design, users can achieve unprecedented levels of network availability.

Monday, 15 June 2009

Why Firewall?

Firewalls are usually seen as a requirement if you are going to attach your network to other networks, especially the Internet. Unfortunately, some network administrators and managers do not understand the strengths a firewall can offer, resulting in poor product choice, deployment, configuration and management. Like any security technology, firewalls are only effective if the implementation is done properly and there is proper maintenance and response to security events.

Additionally, with the proper deployment of firewalls other security strategies are often much easier to integrate, such as VPNs and IDS systems. So what makes firewalls good, and what can you do to ensure they are used properly?

Perimeter
One of firewalls' weaknesses is also one of their strengths. Firewalls are typically deployed as a perimeter defence, usually intersecting network links that connect your network to others. If the firewall is properly deployed on all paths into your network, you can control what enters and leaves your network.

Of course, as with any form of perimeter defence, if an attack is launched from inside, firewalls are not too effective. However, this deployment on your network perimeter allows you to prevent certain kinds of data from entering your network, such as scans and probes, or even malicious attacks against services you run.

Conversely, it allows you to restrict outbound information. It would be nearly impossible to configure every workstation to disallow IRC, but blocking ports 6667-7000 (the most common IRC ports) is relatively easy on your perimeter firewalls.

While you can employ access control lists on servers internally, this still allows attackers to scan them, and possibly talk to the network portion of the OS on the server — making a number of attacks possible. This perimeter also allows you to deploy IDS systems much more easily, since "chokepoints" will have already been created, and you can monitor all data coming in or leaving.

VPN deployment also becomes easy. Instead of loading up VPN software on every desktop that might need it, you can simply employ VPN servers at those network access points, either as separate servers or directly on your firewall, which is becoming increasingly popular.

Concentrated Security
Controlling one, or even multiple firewalls is a much easier job than maintaining access control lists on numerous separate internal servers that are probably not all running the same operating system or services. With firewalls you can simply block all inbound mail access except for the official mail server. If someone forgets to disable email server software on a newly installed server, you do not need to worry about an external attacker connecting to it and exploiting any flaws.

Most modern firewall products are administered from a central console. You get an overall view of your network and can block or allow services as needed very quickly and efficiently.

With VPN-capable firewalls you can easily specify that access to certain networks must be done via encrypted tunnels, or otherwise blocked. With VPN software on each client, you would have more to worry about from misconfiguration or user interference, which can result in sensitive data being accidentally sent out unencrypted. If your firewall is set up to block all but a few specific outbound services, then no matter what a user does - even bringing in their own laptop - they will probably not be able to access the blocked services. Enforcing this without firewalls, on each client machine instead, is nearly impossible.

Enforcement of Security Policies
You may have a set of corporate guidelines for network usage that include such items as:

  1. Chat clients such as IRC, AIM, and Yahoo IM are strictly forbidden, as they can transfer files.
  2. Accessing external mail servers is forbidden (antivirus policy); only use the internal server to send or receive.
  3. Network games, such as Doom or Quake, are forbidden, except between 8 a.m. and 6 p.m. all weekdays for members of management.
  4. Websites such as playboy.com are forbidden for legal reasons.

Enforcing the first policy without a firewall would be possible, but difficult. In theory, if you managed to secure every single desktop machine and prevent users from installing software, it would be possible. Then you would need to prevent people from attaching "rogue" laptops and so forth to the internal LAN with software preinstalled. While possible, this is a Herculean task compared to configuring a dozen rules (or even a hundred rules) on your firewalls to prevent access to the ports and servers that IRC, AIM and the rest use.

The second policy would be very difficult to enforce without a firewall. You would need to do the above steps to prevent people from installing their own email software or using rogue machines such as laptops with it preinstalled. Moreover, any email software you do use (such as Outlook or Eudora) would need to be configured so that users could not modify any preferences, add new accounts and so on. This is not possible in almost all email clients.

The third policy is virtually impossible to enforce without a firewall. You would need to take the above steps to prevent any user except for management installing the software. One possibility would be to place the software on a network share and only make it available from 6 p.m. to 8 a.m., and on weekends to users of the management group. However, many network games would not function properly, and you would have to prevent the software from being copied off, etc.

Even with all this, the software may still continue to function after 8 a.m. if it is running on the client machine (or it might crash horribly). In any event, this is much easier to enforce with a firewall such as FW-1: enable user authentication, then define a policy that allows users of the management group access to the ports used by these games at the appropriate times.

Enforcing policy number four is basically impossible as well without a firewall. While some Web clients do allow you to list sites that are off limits, keeping the browsers on multiple workstations up to date would be a virtually impossible task. Compare that with configuring the firewall to force WWW access through an application-level.
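The four policies above, together with the IRC port range from the Perimeter section and the "only the official mail server" rule from Concentrated Security, as an added example that is not from the article: a Python sketch of the ordered rule base an administrator would write for them, evaluated first-match with an implicit deny at the end, and a hostname check standing in for the application-level proxy that policy four needs. The addresses, the IM and game port numbers, and the timestamps are assumptions, not values from the text.

```python
from dataclasses import dataclass
from datetime import datetime, time

MAIL_SERVER = "192.0.2.25"         # constructed: the single official mail server
IRC_PORTS = range(6667, 7001)      # 6667-7000, the range named in the text
IM_PORTS = {5050, 5190}            # assumed client defaults: Yahoo IM, AIM
GAME_PORTS = {26000}               # assumed: Quake's default port; adjust to the titles you actually see
BLOCKED_SITES = {"playboy.com"}    # policy 4, matched on hostname by the application-level proxy
WORK_HOURS = (time(8, 0), time(18, 0))

# constructed timestamps for the examples (15 June 2009 is a Monday, 13 June a Saturday)
MON_10AM = datetime(2009, 6, 15, 10, 0)
MON_7PM = datetime(2009, 6, 15, 19, 0)
SAT_10AM = datetime(2009, 6, 13, 10, 0)


@dataclass(frozen=True)
class Conn:
    dst: str                  # destination address
    dport: int
    proto: str = "tcp"
    group: str = "staff"      # group established by firewall user authentication
    host: str = ""            # HTTP Host as seen by the proxy; empty for non-web traffic
    when: datetime = MON_10AM


def in_work_hours(when):
    return when.weekday() < 5 and WORK_HOURS[0] <= when.time() < WORK_HOURS[1]


def site_blocked(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SITES)


# ordered rule base: first match wins, anything unmatched falls to the cleanup rule
RULES = [
    ("no-irc",        "deny",  lambda c: c.proto == "tcp" and c.dport in IRC_PORTS),
    ("no-im",         "deny",  lambda c: c.proto == "tcp" and c.dport in IM_PORTS),
    ("official-mail", "allow", lambda c: c.proto == "tcp" and c.dport == 25 and c.dst == MAIL_SERVER),
    ("no-ext-mail",   "deny",  lambda c: c.proto == "tcp" and c.dport in {25, 110, 143}),
    ("mgmt-games",    "allow", lambda c: c.dport in GAME_PORTS and c.group == "management"
                                         and in_work_hours(c.when)),
    ("no-games",      "deny",  lambda c: c.dport in GAME_PORTS),
    ("blocked-sites", "deny",  lambda c: c.dport in {80, 443} and site_blocked(c.host)),
    ("web",           "allow", lambda c: c.proto == "tcp" and c.dport in {80, 443}),
]


def evaluate(conn):
    """Return (action, rule name) for one connection attempt."""
    for name, action, match in RULES:
        if match(conn):
            return action, name
    return "deny", "default"      # cleanup rule: not explicitly allowed, so dropped


if __name__ == "__main__":
    samples = [                   # constructed connection attempts
        Conn("198.51.100.9", 6667),
        Conn(MAIL_SERVER, 25),
        Conn("198.51.100.9", 25),
        Conn("198.51.100.9", 26000, "udp", "management"),
        Conn("198.51.100.9", 26000, "udp", "management", when=MON_7PM),
        Conn("198.51.100.9", 80, host="www.playboy.com"),
        Conn("198.51.100.9", 80, host="www.example.com"),
    ]
    for conn in samples:
        print(f"{conn.proto}/{conn.dport} to {conn.host or conn.dst} as {conn.group}: {evaluate(conn)}")
```

Two design points carry over to a real rule base: the order matters (the single `official-mail` allow must sit above the `no-ext-mail` deny, and `mgmt-games` above `no-games`), and the hostname check is only meaningful when the firewall forces web traffic through a proxy that sees the request, since a packet filter alone sees addresses and ports.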

A Secure Network Is a Healthy Network
Generally speaking, any security implementation done in a network will help with its overall health. Cataloguing systems and software versions to decide what needs upgrading first, implementing automated software upgrade procedures, and so on all help with the overall health of your network and its systems.

A network configuration that creates chokepoints for firewall deployment also means you can easily implement a DMZ, a zone with servers to handle inbound and outbound information with the public. These servers can typically run a hardened and stripped down OS and application software. A proxy email server, for example, only needs to be able to accept and send email. There is no need for user accounts, POP or IMAP services, or GroupWare software integration.

Usually the simpler a system is, the easier it is to secure, and hence the harder it is for an attacker to break into. Securing a messy network is almost impossible. You must find out what you have, which versions, where the servers are deployed, what network links exist, and so on.

Kurt Seifried.
Security Analyst & the author of the Linux Administrators Security Guide.

Tuesday, 2 June 2009

Eon Networks has now become a registered partner of Cisco Systems

Eon Networks Pvt Ltd., an IT infrastructure solution and service provider to domestic customers, today announced its partnership with Cisco India. This partnership will encourage our passion for network technology and enable us to deliver Cisco networking and security solutions to customers in India. This recognition will strengthen our solution disciplines and make us more competent to capture new markets and create new business opportunities.

Eon Networks is proud to be associated with some of the best technology and product vendors in IT. We work with our alliance partners to create integrated solutions that meet the technical and business needs of our customers. Through our joint efforts, customers are able to minimize their risk and maximize their returns.

Eon Networks will provide architecture roadmaps that help build a more resilient, adaptive and intelligent network infrastructure. Eon Networks offers a technology vision as well as segment-specific architectures for building a network infrastructure. Its services excel in business processes, agility, security and productivity. Its team of highly skilled and experienced network engineers and design professionals will help its clients implement a robust, lasting and modern network infrastructure.

Organisations today are seeking ways to excel in business processes, agility, security and productivity. An intelligent network builds on an existing infrastructure foundation and turns the traditional IT cost centre into a strategic tool that enables sophisticated IT functionality. The value of an organisation's data and communications network must be evaluated by its ability to support business objectives, enhance productivity and provide optimal performance in today's constantly connected world. Our Managed Services, Infrastructure Solutions and Network Consulting Group concentrate on providing network and communication solutions that lower the cost and improve the performance of our clients' IT infrastructures.