The Cisco Enterprise Composite Model (ECM) or Enterprise Composite Network Model (ECNM) provides a detailed design for the enterprise campus network and a converged, intelligent infrastructure to access IT resources across enterprise locations. This model expands on the traditional hierarchical concepts of core, distribution, and access layers and is based on the principles described in Cisco’s description of converged networks. It is therefore important to keep in mind that this is not an industry standard but, rather, a Cisco recommendation.
The model provides a framework for the recommended design and implementation of an enterprise campus network. The enterprise network comprises two functional areas, which are the enterprise campus and the enterprise edge. These two areas are further divided into modules or blocks that define the various functions of each area in detail. The enterprise campus is comprised of the following modules:
- The Building or Switch Module
- The Core Module
- The Management Module
- The Server Module
- The Enterprise Edge Distribution Module
The building or switch module is defined as the portion of the network that contains end-user workstations, phones, and their associated Layer 2 access points. Its primary goal is to provide services to end users. This module is comprised of access layer switches as well as their related distribution layer switches.
The core module is the portion of the network that routes and switches traffic as fast as possible from one network to another. This is simply the core layer in the hierarchical network model.
The management module allows for the secure management of all devices and hosts within the enterprise. Within this module, logging and reporting information flows from the devices to the management hosts, while content, configurations, and new software flows to the devices from the management hosts.
The server, or server farm, module provides application services to end users and devices. Traffic flows on the server module are inspected by on-board intrusion detection within the Layer 3 switches. This module is tied into the switch block.
The enterprise edge distribution module aggregates connectivity from the various elements at the network edge, which may include external-facing routers or firewalls. At the enterprise edge distribution module, network traffic is filtered and routed from the edge modules to the core modules. Figure 1-4 below illustrates the modules within an enterprise campus:
The enterprise edge distribution module is comprised of the following modules:
- The Corporate Internet Module
- The VPN and Remote Access Module
- The WAN Module
- The E-Commerce Module
The corporate Internet module provides internal users with connectivity to Internet services. It also provides Internet users access to information on the corporate public servers, such as public-facing E-Mail servers, for example. To protect these servers, security devices such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), as well as firewalls, typically are integrated into the design of this module.
Inbound traffic flows from this module to the VPN and remote access module, where VPN termination takes place. It is important to remember that this module is not designed to serve E-Commerce-type applications. Figure 1-5 below illustrates an example of how the corporate Internet module might be implemented:
NOTE: In referencing this diagram, keep in mind that security requirements differ depending on the objectives and type of business. No standard template is applicable to all business types or organizations. Always follow the practices and methodologies used in your particular business.
The VPN and remote access block is responsible for terminating VPN traffic from remote users, providing a hub for terminating VPN traffic from remote sites, and terminating traffic from dial-in users. All traffic forwarded to the enterprise edge distribution module is from remote corporate users that are authenticated in some fashion before being allowed through the firewall. Figure 1-6 below is an example of how the VPN and remote access block might be designed:
The WAN module is the simplest. It provides and allows for WAN termination via ATM and Frame Relay, for example. The WAN module is used for network connectivity between the central (hub) site and remote (spoke) sites.
The E-Commerce module, which is used for E-Commerce, interfaces with the enterprise edge distribution module and the service provider edge module. Figure 1-7 below illustrates how the E-Commerce module might be implemented:
As has been demonstrated in this section, LAN design and implementation is considerably more than interconnecting switches and connecting network hosts to these switches. Instead, extensive thought and planning should go into the design of the enterprise LAN.
The Enterprise Composite Model (ECM) divides functional areas of the LAN into modules. This allows for easier implementation of other network functions, such as security, on a module-by-module basis, rather than attempting to do so all at once on the entire network.
The ECM provides several advantages. The first is that it addresses performance by dividing functional areas into modules and connecting them together over a high-speed backbone. This allows for efficient summarization of networks and for more efficient use of high-speed uplink ports. Secondly, with its modular approach, the ECM allows for network scalability by allowing administrators to add on more function modules easily, as required. Finally, the ECM allows for high availability within the network, as different modules can be connected in a redundant fashion to the core and distribution layers with relative ease.
