Module 2 - Design the Network Structure
Section 6 - Provision Software Features
Market Mavericks: Solution
1. Users at corporate headquarters need to access all the Novell file servers. Users at the branch offices need to access only their own servers and the corporate file servers (though not the corporate print servers). Ms. Martin is tentatively planning to apply an outbound SAP filter on the serial link of the Cisco 4000 router to deny all branch-office servers from being advertised. She will also deny all corporate print servers. What scalability constraints should you discuss with Ms. Martin as she considers using this scheme to filter SAPs?
- The problem with this scheme is that it requires Ms. Martin to write 121 deny statements:
  - One deny statement for each branch network with file servers (60)
  - One deny statement for each branch network with print servers (60)
  - One deny statement for the print servers on the corporate network
- A list of this length is hard to maintain and keep current. This scheme does not scale very well.
- The other problem is that processing this list every 60 seconds will require a significant percentage of the CPU power available on the Cisco 4700 router at corporate headquarters.
- Luckily, the solution is simple. Instead of writing deny statements, Ms. Martin should write permit statements for each of the corporate file servers. Because there are only five corporate file servers, this is a much more scalable solution. When you use a permit statement, the router assumes an implicit deny statement for everything that does not match the permit statements. All the branch office file servers can be denied without requiring the router to process 121 deny statements.
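The permit-based SAP filter described above, written out as an added Cisco IOS configuration example (it is not part of the course page). The IPX network numbers, node addresses and server names are constructed placeholders; the access-list number range, the service-type code and the interface command are standard IOS SAP-filter syntax.

```cisco
! Added example, not from the course material.
! SAP filters use access-list numbers 1000-1099.
! Service type 4 = file server (type 7 would be a print server).
! Network/node values and server names are constructed placeholders.
access-list 1001 permit AA01.0000.0000.0001 4 CORPFS1
access-list 1001 permit AA01.0000.0000.0002 4 CORPFS2
access-list 1001 permit AA01.0000.0000.0003 4 CORPFS3
access-list 1001 permit AA01.0000.0000.0004 4 CORPFS4
access-list 1001 permit AA01.0000.0000.0005 4 CORPFS5
!
! No deny entries are written. Every SAP that does not match one of the
! five permit entries (all branch file and print servers, and the corporate
! print servers) falls through to the implicit deny at the end of the list,
! so the router evaluates at most five entries per advertised service.
!
interface Serial0
 ipx output-sap-filter 1001
!
! Check from a branch router that only the five corporate file servers
! are learned across the link:  show ipx servers
```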
2. How will an inbound IP access list at the corporate router affect IP performance for all the other branch offices?
- Remember that Ms. Martin has a Cisco 4000 router running Cisco IOS Release 10.3 at headquarters.
- In addition to worrying about Novell constraints, Ms. Martin has been asked to filter any IP packets coming from the California branch office. Because Ms. Martin is running Cisco IOS Release 10.3 at headquarters, the access list will not seriously affect the IP performance for all the other branch offices. Cisco routers have long been able to fast-switch packets even when inbound access lists are applied.
- However, Ms. Martin should investigate purchasing a faster router platform. Her Cisco 4000 router can fast-switch packets at approximately 14,000 packets per second. If she upgraded to a Cisco 7500 router, fast switching would be approximately 50,000 packets per second.
- If Ms. Martin had a Cisco 7500 series router, she could use NetFlow switching. NetFlow switching determines which sessions require special processing and quickly applies that processing while switching packets, which means that inbound access lists do not have a significant impact on performance. The list need not be processed for each packet that is switched.
- Ms. Martin should be careful when designing the access list. If she makes sure that most packets match the first few conditions, she can maximize performance. She should study traffic flows before designing the access list. The first condition should match the most packets, the second condition the next most packets, and so on. The goal should be to minimize the number of statements the router must process.
3. The financial data that the brokers at the branch offices send over TCP/IP is highly confidential. Ms. Martin is considering using encryption features on the branch routers and the corporate router. How might these features affect performance?
- When running services such as encryption and compression on the Cisco 4000 series and Cisco 2500 series routers, you run the risk of overwhelming the router CPU. To determine if the router is overwhelmed, use the Cisco IOS show processes command to get a baseline reading before enabling encryption or compression. Then enable the service and use the show processes command again to assess the difference. Cisco recommends that you disable compression or encryption if the router CPU load exceeds 40 percent.
4. Ms. Martin wants to know if you recommend priority queuing for the TCP/IP brokerage applications. The data that the brokers generate is considered mission-critical, but the marketing and administrative data on the AppleTalk and Novell networks is not as critical. What would you tell Ms. Martin regarding priority queuing? What are the advantages and disadvantages? Would custom queuing work better for her?
- Priority queuing is probably not necessary. Priority queuing is a drastic solution that should be recommended only for slow serial links that are experiencing congestion. You should do some testing to determine if the links at each of the sites are congested. You should also determine if the TCP/IP applications are experiencing poor performance. If you determine that the performance of the TCP/IP applications should be improved and that the links are congested, then you could run a trial of priority queuing.
- Priority queuing could improve performance of the TCP/IP applications because it specifies that packets identified as "high" priority are always sent before other packets. The caveat is that the performance of the AppleTalk and Novell applications could suffer drastically. These applications are not mission-critical, but they are probably important to the company. Custom queuing, which allocates a share of the link to each traffic type rather than always serving one type first, could be a less drastic solution.
Copyright Cisco Systems, Inc. -- Version 2.0 7/98