Cisco IPS 4345 Sensor White Paper
Architecture Overview
August 2012 Series
Internet Edge Connectivity
Business demand for Internet connectivity has increased steadily over the
last few decades; for many organizations, access to Internet-based services
is a fundamental requirement for conducting day-to-day activity. Email, web
access, remote-access VPN, and, more recently, cloud-based services are
critical functions enabling businesses to pursue their missions. An Internet
connection that supports these services must be designed to enable the
organization to accomplish its Internet-based business goals.
Three factors define the business requirements for an organization’s Internet
connection:
• Value of Internet-based business activity:
  ◦ revenue realized from Internet business
  ◦ savings realized by Internet-based services
• Revenue impact from loss of Internet connectivity
• Capital and operational expense of implementing and maintaining various Internet connectivity options
The organization must identify and understand its Internet connection
requirements in order to effectively meet the demands of Internet-based
business activity.
Internet connection speed, availability, and address space requirements are
criteria that will shape an Internet connection design. The Internet connection
must be able to accommodate an organization’s requirements for
data volume to the Internet, offer sufficient resiliency to meet service-level
agreements, and provide sufficient IP address space to accommodate both
Internet-facing and Internet-based services.
An organization’s IT staff needs to address three main requirements when
designing and implementing an Internet edge architecture:
• Connectivity speed—What is the expected throughput required? Are short bursts of high-volume traffic expected?
• IP address space—A small organization or one that does not rely heavily on web-based services to the Internet will have a different IP space requirement than a large organization that depends heavily on email, remote-access VPN, and content or cloud-based services offered to the Internet.
• Availability—Connection speed is only part of the equation; if connectivity must be maintained when the primary Internet connection fails, then the design must offer a resilient Internet connection via a secondary Internet connection.
Internet connectivity options vary widely by geographic region and service
provider. An organization may be able to choose between cable, DSL,
leased line, or Ethernet for the physical connection to the Internet. A common
denominator of Internet connectivity is the Ethernet connection to the
customer-premises equipment (CPE) device (cable modem, T1 CPE router,
etc.), and this is assumed as the demarcation for this design.
Figure 3 - Internet connectivity demarcation for this design
[Diagram labels: Internet, Internet CPE Device, Outside Switches, Firewall]
Organizations deploying this design typically fall into the following Internet
connection speed ranges.
Table 1 - Internet connection speed requirements
Number of connected users | Internet connection speed
Up to 4,500               | 20–50 Mbps
3,000 to 7,000            | 35–75 Mbps
6,000 to 10,000           | 70–130 Mbps
If the business needs include WAN connectivity to connect geographically
diverse sites, a cost savings can be realized by combining WAN and Internet
connectivity over the same service. A service provider may offer hardware
to terminate WAN/Internet connectivity on premise and manage the
Internet/WAN connection device. Provider-supplied hardware and service
offerings may reduce operational burden. The organization must assess the
impact of configuration-change lead times and configuration flexibility.
Regardless of how access is delivered, design and configuration discussions
for this guide begin at the Ethernet handoff on the outside switch in
the Internet edge.