Q&A: Cisco engineer on LANs, NAC, network design

Cisco network engineer and author James Henry Carmouche discusses trends and challenges in campus LAN, security and NAC deployments.

By Phil Hochmuth, NetworkWorld.com
June 22, 2006 02:56 PM ET

James Henry Carmouche might have already built and tested the network you will soon be deploying. As technical marketing engineer in Cisco's Enterprise Systems Engineering group, Carmouche figures out the best way to put together the products Cisco makes, then builds and validates network reference designs for campus LANs, VPNs, Network Admission Control and convergence. The CCIE-certified engineer also consults with customers on how to implement Cisco reference designs, and wrote the book "IPSec Virtual Private Network Fundamentals." He took time out to discuss the trends he's seeing in network designs in between his "Meet the Engineer" one-on-one sessions at Cisco's Networkers show this week.

What design issues or problems are customers bringing to you for help?

It varies so wildly. In the "Meet the Engineer" sessions, there's been so many [different issues]. From an IPSec standpoint… as the network becomes more diverse in what it can offer, in terms of voice and multicasting and video and all different other types of business networking applications, the encrypted infrastructure and encrypted technologies need to be able to support that. So we're constantly looking at innovations into IPSec and cryptography to enable that support seamlessly and scalably.

It comes down to helping customers understand what are the issues with IPSec. What is the number of tunnels [they] can support? Is it the bandwidth you get through? It really comes down to packets per second - encrypted packets per second. There are all different kinds of [things] that impact [the performance] of encrypted packets per second - how it's switched in the hardware, in the data-forwarding plane. [This] impacts the scalability of the design.

It's a continuous drive, as you converge applications on [encrypted networks], to understand the scalability and functionality of the VPN. So that's where we play, to keep that awareness up, to speed the rate of adoption with customers.

Does this involve deploying new gear, or reconfiguring or adjusting switches and routers that are already deployed?

As bandwidth increases, the theory is also that the switching capacity - or the equipment that supports that bandwidth - is going to increase. What we've seen with convergence is smaller packet sizes. We've seen situations in which a small bandwidth pipe is now receiving small packets across it, so in other words the bandwidth doesn't increase, but the number of packets that are going through are increasing, because we're sending smaller packets. So you have to be able to switch that traffic very fast, and predictability with low jitter and all that good stuff.

What other reference designs are you working on to integrate infrastructure and security?

My most recent project was with the Network Admission Control initiative. That's a shift in gears for me from the IPSec world to NAC. Over the past few years, I've been trying to understand the impact of integrating Network Admission Control into a recommended best-practice campus architecture. The team I work for has put out several designs that pertain to convergence. High-speed convergence in the campus is very important, with scalability and security services in terms of hardening the infrastructure.
