Chapter 14: Network Design for Application Requirements
Learning Objectives
Design network solutions optimized for specific application behaviors and performance requirements
Analyze application traffic patterns and translate them into network design specifications
Design networks that support diverse application portfolios including voice, video, IoT, and storage
Develop implementation and migration plans that minimize application disruption
Pre-Study Assessment
Answer these questions before studying the material. Do not worry about getting them wrong -- the goal is to prime your thinking.
Pre-Quiz
1. A network architect discovers that a new VoIP deployment suffers from choppy audio on calls traversing the WAN. The one-way delay measures 170 ms. Which design element most directly addresses this issue?
A. Increase link bandwidth to 10 Gbps
B. Implement QoS with a Low-Latency Queue for voice traffic marked EF
C. Enable IGMP snooping on all access switches
D. Deploy asynchronous storage replication
2. An organization wants to deliver a live IPTV stream to 500 viewers across 20 VLANs. Without any optimization, a single 5 Mbps stream would consume how much source bandwidth?
A. 5 Mbps, because switches replicate frames automatically
B. 100 Mbps, because each VLAN gets a copy
C. 2.5 Gbps, because every viewer receives a unicast copy
D. 500 Mbps, because each viewer gets a 1 Mbps portion
3. Which QoS design rule ensures that real-time traffic does not starve other traffic classes on a congested link?
A. Mark all traffic as EF (Expedited Forwarding)
B. Limit Low-Latency Queues to 33% of link capacity and reserve at least 25% for Best Effort
C. Enable WRED on the priority queue
D. Disable QoS and rely on overprovisioned bandwidth
4. A designer is planning a converged LAN/SAN fabric using FCoE. Which technology set is required to prevent frame loss on the Ethernet fabric?
A. OSPF with BFD for fast convergence
B. Data Center Bridging (PFC, ETS, DCBX)
C. IGMP snooping and PIM Sparse Mode
D. IPsec with QoS Preclassify
5. Synchronous storage replication becomes impractical beyond approximately what distance, and why?
A. 10 km, because Fibre Channel cables have limited reach
B. 1,000 km, because TCP window sizes limit throughput
C. 100 km, because the speed of light adds unacceptable write latency at greater distances
D. 500 km, because DWDM signal degradation causes errors
6. An IoT deployment of 10,000 agricultural sensors needs to operate for 5+ years on battery. Which connectivity technology is most appropriate?
A. Wi-Fi 6 (802.11ax)
B. LoRaWAN (LPWAN)
C. Bluetooth Low Energy (BLE)
D. 5G cellular
7. Why is application dependency mapping critical before a network migration?
A. It determines which DSCP markings to use for each traffic class
B. It identifies relationships between applications, revealing hidden single points of failure and components that must move together
C. It measures the current bandwidth utilization on each link
D. It automates the rollback procedure if migration fails
8. On a WAN link below 768 Kbps carrying voice traffic, which mechanism prevents a single large data packet from causing serialization delay that disrupts voice quality?
A. Call Admission Control (CAC)
B. WRED (Weighted Random Early Detection)
C. Link Fragmentation and Interleaving (LFI)
D. TCP Adjust-MSS
9. A company needs to migrate a mission-critical ERP system with zero tolerance for downtime. Which migration strategy is most appropriate?
A. Direct cutover (Big Bang)
B. Phased implementation
C. Parallel running
D. Pilot deployment
10. What is the primary purpose of establishing a performance baseline before a network migration?
A. To justify the budget for new hardware purchases
B. To provide objective acceptance criteria for validating the new design after migration
C. To determine which vendor equipment to select
D. To satisfy regulatory compliance requirements
11. Source-Specific Multicast (SSM) is preferred over PIM Sparse Mode for IPTV deployments primarily because:
A. SSM supports higher bandwidth streams than PIM-SM
B. SSM eliminates the Rendezvous Point as a potential bottleneck and single point of failure
C. SSM works without IGMP snooping on switches
D. SSM encrypts multicast traffic for security
12. In a QoS trust boundary design, BYOD devices connecting to access-layer switches should be treated as:
A. Conditionally trusted, with markings verified via CDP/LLDP
B. Fully trusted, since users authenticate via 802.1X
C. Untrusted, with their markings stripped and re-marked at ingress
D. Trusted after a one-time manual approval by network operations
13. Edge computing is critical for IoT network design because it:
A. Replaces the need for network segmentation and firewalls
B. Filters and aggregates data locally, reducing bandwidth to the data center and enabling real-time analytics
C. Provides lossless Ethernet transport for IoT sensor data
D. Eliminates the need for IoT gateways and protocol translation
14. When deploying VoIP over an IPsec VPN tunnel, the QoS Preclassify feature is essential because:
A. It compresses the voice payload to reduce bandwidth consumption
B. It clones the original IP header before encryption so classification can occur before the payload becomes opaque
C. It fragments large packets to prevent serialization delay
D. It limits the number of simultaneous VPN tunnels to prevent oversubscription
15. A traffic matrix produced by application profiling is the foundation for which three design activities?
A. VLAN assignment, spanning tree tuning, and port-channel configuration
B. Link sizing, QoS policy design, and failover capacity planning
C. IP addressing, DNS zone design, and DHCP scope planning
D. Firewall rule creation, NAT policy design, and VPN tunnel configuration
Section 1: Application-Aware Network Design
Application Profiling and Traffic Characterization
Application profiling is the systematic process of cataloging every application that traverses the network, documenting its traffic behavior, performance requirements, and business criticality. The output of profiling is a traffic matrix -- a table showing the volume and characteristics of traffic between every source-destination pair. This matrix drives link sizing, QoS policy design, and failover capacity planning.
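The aggregation step can be sketched in a few lines. This is a minimal, hypothetical example — the site names and byte counts are invented, and real profiling would start from NetFlow/IPFIX exports rather than a hard-coded list:

```python
from collections import defaultdict

# Hypothetical flow records: (source, destination, bytes observed),
# e.g. summarized from NetFlow/IPFIX over a sampling window.
flows = [
    ("branch-a", "dc-1", 4_000_000_000),
    ("branch-a", "dc-1", 1_500_000_000),
    ("branch-b", "dc-1", 2_000_000_000),
    ("dc-1", "dr-site", 9_000_000_000),
]

def traffic_matrix(flow_records, window_seconds):
    """Aggregate raw flows into average Mbps per source-destination pair."""
    totals = defaultdict(int)
    for src, dst, nbytes in flow_records:
        totals[(src, dst)] += nbytes
    # bytes -> bits, divide by window, scale to Mbps
    return {pair: total * 8 / window_seconds / 1e6
            for pair, total in totals.items()}

# One-hour sampling window
mbps = traffic_matrix(flows, 3600)
for (src, dst), rate in sorted(mbps.items()):
    print(f"{src} -> {dst}: {rate:.1f} Mbps")
```

Each entry in the resulting matrix is a candidate input to link sizing (add headroom and failover capacity) and to per-class QoS bandwidth allocation.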
Traffic characterization examines multiple dimensions of each application:
| Dimension | What It Measures | Example |
| --- | --- | --- |
| Bandwidth demand | Sustained and peak throughput | Video call: 2-6 Mbps per stream |
| Flow pattern | Unicast, multicast, or broadcast | IPTV: multicast; email: unicast |
| Directionality | Symmetric vs. asymmetric | VoIP: symmetric; web browsing: asymmetric |
| Burstiness | Ratio of peak to average rate | Backup jobs: highly bursty |
| Session duration | Short-lived vs. long-lived flows | DNS query: ms; file transfer: minutes |
| Transport protocol | TCP, UDP, or application-specific | Voice: UDP/RTP; database: TCP |
| Loss/delay/jitter tolerance | Real-time vs. elastic | Voice: intolerant; email: tolerant |
Animation: Interactive traffic profiling dashboard showing how different application types generate distinct traffic patterns (bandwidth graph, flow direction arrows, burst visualization)
Latency, Jitter, and Loss Requirements
Different applications have dramatically different tolerances for network impairments. These thresholds are not arbitrary -- they derive from human perception and protocol behavior. The 150 ms one-way latency target for voice comes from ITU-T G.114.
| Application Type | One-Way Latency | Jitter | Packet Loss | Bandwidth/Session |
| --- | --- | --- | --- | --- |
| Voice (VoIP) | ≤150 ms | ≤30 ms | ≤1% | 20-320 Kbps |
| Cisco TelePresence | ≤150 ms | ≤10 ms | ≤0.05% | 4-20 Mbps |
| Interactive Video | ≤200 ms | ≤50 ms | 0.1-1% | 1-6 Mbps |
| Streaming Video | ≤400 ms | Tolerant (buffered) | ≤1% | 1-20 Mbps |
| Transactional Data | ≤200 ms RT | N/A | ≤0.1% | Variable |
| Bulk Data | Tolerant | N/A | Zero (TCP) | High burst |
| IoT Telemetry | Varies | Tolerant | App-dependent | Bytes-Kbps |
The latency budget is your primary design constraint for real-time applications. A 150 ms one-way budget must account for codec and packetization delay, serialization delay, propagation delay (~5 ms per 1,000 km of fiber), queuing delay, and the receiver's de-jitter buffer.
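The decomposition can be checked arithmetically. The component values below are illustrative assumptions for a hypothetical 4,000 km call path, not fixed constants — only the 150 ms ceiling comes from ITU-T G.114:

```python
# Decompose the 150 ms one-way voice budget (ITU-T G.114) for a
# hypothetical call path; per-component values are design assumptions.
BUDGET_MS = 150.0

components_ms = {
    "codec + packetization (20 ms frames)": 25.0,
    "serialization (access links)": 2.0,
    "propagation (4,000 km fiber @ ~5 ms / 1,000 km)": 20.0,
    "queuing (per-hop, summed across path)": 10.0,
    "de-jitter buffer (receiver)": 40.0,
}

consumed = sum(components_ms.values())
headroom = BUDGET_MS - consumed
print(f"consumed: {consumed} ms, headroom: {headroom} ms")
assert consumed <= BUDGET_MS, "design exceeds the one-way latency budget"
```

Doubling the path length adds 20 ms of propagation delay that must be recovered elsewhere — typically by tightening queuing delay (QoS) or shrinking the de-jitter buffer.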
QoS Design Framework
QoS is "managed unfairness, measured numerically in latency, jitter, and packet loss." The deployment framework follows seven steps: define business objectives, determine traffic classes, analyze application requirements, design platform-specific policies, test in controlled environments, pilot rollout, and production deployment with monitoring.
| Traffic Class | DSCP Marking | PHB | Queue Treatment |
| --- | --- | --- | --- |
| Voice | EF (46) | Expedited Forwarding | Low-Latency Queue (priority) |
| Broadcast Video | CS5 (40) | Class Selector | Priority or bandwidth guarantee |
| Interactive Video | CS4 (32) | Class Selector | Bandwidth guarantee |
| Multimedia Conferencing | AF41/42/43 | Assured Forwarding | Bandwidth guarantee + WRED |
| Signaling | CS3 (24) | Class Selector | Bandwidth guarantee |
| Transactional Data | AF21/22/23 | Assured Forwarding | Bandwidth guarantee + WRED |
| Bulk Data | AF11/12/13 | Assured Forwarding | Bandwidth guarantee + WRED |
| Best Effort | DF (0) | Default | Remaining bandwidth (≥25%) |
Design rules: Limit all Low-Latency Queues (LLQ) to 33% of aggregate link capacity. Reserve at least 25% for Best Effort traffic. Disable WRED on the LLQ; enable it on all Assured Forwarding classes.
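The two allocation rules lend themselves to an automated sanity check. A minimal sketch (the function name and thresholds simply encode the rules stated above):

```python
def validate_qos_policy(link_mbps, llq_mbps, best_effort_mbps):
    """Check the two classic allocation rules: all LLQs combined must not
    exceed 33% of link capacity, and Best Effort must keep at least 25%.
    Returns a list of violations (empty list = compliant)."""
    problems = []
    if llq_mbps > 0.33 * link_mbps:
        problems.append("LLQ exceeds 33% of link capacity")
    if best_effort_mbps < 0.25 * link_mbps:
        problems.append("Best Effort below 25% reservation")
    return problems

# A 100 Mbps link with 40 Mbps of priority voice/video violates the rule:
print(validate_qos_policy(100, 40, 25))   # LLQ too large
print(validate_qos_policy(100, 30, 30))   # compliant -> []
```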
```mermaid
flowchart TD
A["1. Define Business Objectives\n(Identify mission-critical apps)"] --> B["2. Determine Traffic Classes\n(Group apps by similar needs)"]
B --> C["3. Analyze Application Requirements\n(Map latency/jitter/loss targets)"]
C --> D["4. Design Platform-Specific Policies\n(Queuing, shaping, policing per device)"]
D --> E["5. Test in Controlled Environment\n(Lab validation)"]
E --> F["6. Pilot Rollout\n(Limited deployment + monitoring)"]
F --> G["7. Production Deployment\n(Full rollout + continuous measurement)"]
G -.->|"Feedback loop"| C
```
Figure 14.1: QoS Deployment Framework -- seven-step process with continuous feedback
Trust Boundaries and Classification
Traffic should be classified and marked as close to the source as possible. The trust boundary defines where the network begins honoring endpoint markings:
Conditionally trusted: Cisco IP phones, TelePresence endpoints, cameras (verified via CDP/LLDP)
Untrusted: BYOD devices, printers, guest endpoints -- markings stripped and re-marked at ingress
At access-layer switches: policing on all edge ports (ingress), queuing on all switch ports (egress), minimum 1P3Q (one priority queue + three normal queues).
Application Dependency Mapping
ADM identifies relationships between applications, their supporting infrastructure, and communication patterns. It serves three design purposes: validation (ensures adequate connectivity for all dependency chains), risk identification (reveals hidden single points of failure), and migration planning (identifies which components must move together).
```mermaid
graph TD
WEB["Web Application\n(Frontend)"] --> AUTH["Authentication\nService"]
WEB --> DB["Database Server\n(Primary)"]
WEB --> DNS["DNS Resolver"]
WEB --> CDN["CDN / Load Balancer"]
DB --> STORAGE["Storage Backend\n(SAN/NAS)"]
DB --> REPLICA["Database Replica\n(DR Site)"]
AUTH --> LDAP["LDAP / Active\nDirectory"]
WEB --> API["External API\nGateway"]
```
Figure 14.2: Application dependency map showing infrastructure relationships and potential single points of failure
Key Points -- Section 1
Application profiling produces a traffic matrix that drives link sizing, QoS policy, and failover capacity planning
The 150 ms one-way latency budget for voice must be decomposed across codec, serialization, propagation, queuing, and de-jitter buffer delay
QoS design rule: LLQ capped at 33% of link capacity; Best Effort gets at least 25%; WRED disabled on priority queues
Trust boundaries should classify traffic as close to the source as possible; BYOD devices are always untrusted
Animation: Latency budget breakdown showing how 150 ms is consumed across each hop -- codec delay, packetization, serialization, propagation, queuing, de-jitter buffer -- with sliders to adjust path length and observe impact
Section 2: Designing for Specific Application Types
Voice and Unified Communications
VoIP and UC place the strictest real-time requirements on the network. Core constraints: one-way delay ≤150 ms, jitter ≤30 ms (10 ms for TelePresence), packet loss ≤1% (0.05% for TelePresence), bandwidth 20-320 Kbps per call depending on codec.
WAN Design for Voice:
LFI (Link Fragmentation and Interleaving): Essential on links below 768 Kbps -- fragments large packets and interleaves voice between fragments to reduce serialization delay
QoS Preclassify: For VPN deployments, clones the original IP header before encryption so voice can be classified even when the payload is encrypted
TCP Adjust-MSS: Rewrites the MSS option in TCP SYN packets to prevent fragmentation caused by IPsec/GRE overhead (effective MTU drops to ~1,378 bytes)
Call Admission Control (CAC): Limits simultaneous calls to match available bandwidth, rejecting new calls gracefully rather than degrading existing ones
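CAC limits follow directly from per-call bandwidth arithmetic. A sketch under stated assumptions — G.729 with 20 ms packetization and layer-3 overhead only (real designs must also add L2 and any tunnel overhead, which raises the per-call figure):

```python
# CAC sizing sketch: how many simultaneous calls fit in the voice LLQ?
# G.729 @ 20 ms packetization: 20-byte payload + 40-byte IP/UDP/RTP
# header, 50 packets/s -> 24 Kbps at layer 3 (L2/tunnel overhead excluded).
payload_bytes = 20
ip_udp_rtp_bytes = 40
packets_per_second = 50

per_call_kbps = (payload_bytes + ip_udp_rtp_bytes) * 8 * packets_per_second / 1000
llq_kbps = 250          # roughly 33% of a 768 Kbps WAN link
max_calls = int(llq_kbps // per_call_kbps)
print(f"{per_call_kbps} Kbps per call -> CAC limit of {max_calls} calls")
```

The CAC policy would then admit at most this many concurrent calls, rejecting the next call attempt rather than degrading all established ones.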
Video Conferencing and Streaming Media
Video traffic falls into three distinct categories:
Interactive Video Conferencing: Real-time, 1-20 Mbps, latency ≤200 ms, jitter ≤50 ms. Mark CS4/AF41 with bandwidth guarantees.
Streaming Video (On-Demand): Buffered at client, tolerant of moderate jitter but needs sustained bandwidth. Mark AF31/32/33 with WRED.
Broadcast Video (Live IPTV): Uses multicast for scalability -- a 5 Mbps stream to 200 viewers consumes only 5 Mbps (vs. 1 Gbps with unicast).
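The scaling difference is simple arithmetic, sketched below (function name is illustrative):

```python
def source_bandwidth_mbps(stream_mbps, viewers, multicast=False):
    """Bandwidth leaving the source: multicast sends one copy that the
    network replicates; unicast sends one copy per viewer."""
    return stream_mbps if multicast else stream_mbps * viewers

print(source_bandwidth_mbps(5, 200))                  # 1000 Mbps with unicast
print(source_bandwidth_mbps(5, 200, multicast=True))  # 5 Mbps with multicast
```

Unicast load grows linearly with the audience; multicast stays flat regardless of receiver count, which is why it is the only viable transport for large live audiences.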
Multicast Design Decisions:
| Decision | Options | When to Use |
| --- | --- | --- |
| PIM mode | PIM Sparse Mode (PIM-SM) | General multicast, many-to-many or one-to-many |
| PIM mode | Source-Specific Multicast (SSM) | One-to-many (IPTV); requires IGMPv3; no RP needed |
| RP placement | Static RP, Auto-RP, BSR | Static for small/stable; BSR for large/dynamic |
| L2 optimization | IGMP snooping | Always enable on switches to prevent multicast flooding |
IoT Network Design
IoT introduces challenges fundamentally different from traditional enterprise applications: massive device counts, resource-constrained hardware, diverse connectivity technologies, and critical security segmentation needs.
| Technology | Range | Bandwidth | Power | Use Case |
| --- | --- | --- | --- | --- |
| Wi-Fi (802.11) | 30-100 m | High (Mbps-Gbps) | Moderate-High | Indoor sensors, cameras |
| Bluetooth/BLE | 10-100 m | Low (1-3 Mbps) | Very Low | Wearables, beacons |
| Zigbee/Thread | 10-100 m | Very Low (250 Kbps) | Very Low | Home automation, mesh |
| LoRaWAN (LPWAN) | 2-15 km | Very Low (0.3-50 Kbps) | Ultra-Low | Agriculture, utilities |
| Cellular (4G/5G) | km-scale | Moderate-High | Moderate | Mobile assets, vehicles |
Security segmentation isolates IoT from critical business systems via VLANs, firewalls, or overlays for containment, policy enforcement, and visibility. Edge computing filters and aggregates data locally, reducing upstream bandwidth and enabling real-time analytics. MQTT publish-subscribe messaging scales better than client-server for thousands of devices.
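MQTT's scalability comes from topic-based publish-subscribe decoupling. The sketch below implements a simplified version of MQTT's topic-filter matching (`+` matches exactly one level, `#` matches the remainder); it omits spec details such as `$`-prefixed topics, and the farm topic names are invented:

```python
def topic_matches(filter_str, topic):
    """Simplified MQTT topic matching: '+' matches one topic level,
    '#' (as the final filter level) matches the rest of the topic."""
    f_parts = filter_str.split("/")
    t_parts = topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True              # multi-level wildcard: match remainder
        if i >= len(t_parts):
            return False             # filter is longer than the topic
        if f != "+" and f != t_parts[i]:
            return False             # literal level mismatch
    return len(f_parts) == len(t_parts)

# A backend subscribed to soil-moisture readings from every field:
print(topic_matches("farm/+/soil/moisture", "farm/field12/soil/moisture"))  # True
print(topic_matches("farm/field12/#", "farm/field12/battery/level"))        # True
print(topic_matches("farm/+/soil/moisture", "farm/field12/soil/temp"))      # False
```

Because sensors publish to topics rather than to named servers, thousands of devices can be added without reconfiguring any consumer — the broker fans messages out to whichever subscriptions match.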
Figure 14.3: IoT network architecture from device layer through edge computing to segmented core
Storage Replication and Backup Traffic
Storage traffic demands zero packet loss and often sustains high throughput for extended periods.
| Protocol | Transport | Latency | Lossless Required | Use Case |
| --- | --- | --- | --- | --- |
| Fibre Channel (FC) | Dedicated fabric | Ultra-low (<1 ms) | Yes (credit-based) | High-performance primary storage |
| FCoE | Converged Ethernet | Low | Yes (DCB/PFC required) | Unified LAN+SAN fabric |
| iSCSI | TCP/IP over Ethernet | Low-moderate | No (TCP retransmits) | Cost-effective SAN over existing IP |
| NFS/SMB | TCP/IP | Moderate | No (TCP retransmits) | File-level access, NAS |
Data Center Bridging (DCB) enables lossless Ethernet for FCoE/RoCE: Priority Flow Control (PFC, 802.1Qbb) prevents frame loss per CoS; Enhanced Transmission Selection (ETS, 802.1Qaz) allocates bandwidth; DCBX auto-negotiates parameters between peers.
Replication modes: Synchronous replication (RPO=0, distance-limited to ~100 km due to speed-of-light latency on every write) vs. asynchronous replication (any distance, RPO of minutes to hours, batched writes).
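The distance limit falls out of propagation physics: every synchronous write stalls for a full round trip to the remote array. A quick calculation, assuming ~5 µs/km propagation in fiber (protocol and array processing time would add further delay on top):

```python
# Each synchronous write waits for a round trip to the remote array.
# Light in fiber propagates at roughly 200,000 km/s (~5 microseconds/km).
def replication_rtt_ms(distance_km, us_per_km=5.0):
    """Added write latency (ms) from propagation delay alone, round trip."""
    return 2 * distance_km * us_per_km / 1000

for km in (10, 100, 1000):
    print(f"{km:>5} km -> +{replication_rtt_ms(km):.1f} ms per write")
```

At 100 km the penalty is about 1 ms per write — already significant for latency-sensitive databases; at 1,000 km it reaches 10 ms, which is why long-haul replication is asynchronous.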
```mermaid
flowchart TD
START["Storage Network\nDesign Decision"] --> Q1{"Lossless transport\nrequired?"}
Q1 -->|"Yes"| Q2{"Dedicated fabric\nacceptable?"}
Q1 -->|"No"| ISCSI["iSCSI over TCP/IP\n(Cost-effective)"]
Q2 -->|"Yes"| FC["Fibre Channel\n(Dedicated fabric)"]
Q2 -->|"No"| FCOE["FCoE / RoCE\n(Converged, requires DCB)"]
FC --> REP{"Replication\nmode?"}
FCOE --> REP
ISCSI --> REP
REP -->|"RPO = 0, less than 100 km"| SYNC["Synchronous\n(Zero data loss)"]
REP -->|"RPO > 0, Any distance"| ASYNC["Asynchronous\n(Batched writes)"]
```
Figure 14.4: Storage protocol and replication decision tree
Key Points -- Section 2
Voice design is about strict budgets: 150 ms latency, 30 ms jitter, 1% loss; LFI on slow WAN links, CAC to prevent oversubscription, QoS Preclassify for VPN deployments
Multicast (PIM + IGMP snooping) is non-negotiable for scalable broadcast video; SSM eliminates the RP bottleneck for one-to-many flows
IoT requires LPWAN for long-range battery-powered devices, network segmentation for security, edge computing for local processing, and MQTT for scalable pub/sub messaging
FCoE and RoCE require DCB (PFC + ETS + DCBX) for lossless Ethernet; synchronous replication is physically limited to ~100 km by speed-of-light latency
The choice between dedicated FC, converged FCoE, and iSCSI is one of the most consequential data center design decisions
Animation: Multicast vs. unicast comparison showing a source sending video to N receivers -- unicast traffic multiplies linearly while multicast stays flat regardless of receiver count
Section 3: Implementation and Migration Planning
Phased Implementation Strategies
The recommended implementation framework follows six steps:
Assessment: Evaluate users, devices, applications, and performance targets. Establish baselines.
Design Mapping: Translate the assessed requirements into a target topology, addressing plan, and capacity model.
Security Integration: Layer firewalls, VLANs, IDS/IPS, and encryption into the design (not as an afterthought).
Installation and Configuration: Deploy with clear labeling, documented configs, and static IPs for infrastructure.
Performance Testing: Stress-test under realistic load and optimize bottlenecks before production.
Monitoring and Maintenance: Continuous traffic observation, alerting, patching, and lifecycle management.
```mermaid
flowchart LR
A["Assessment\n(Baseline)"] --> B["Design Mapping\n(Topology)"]
B --> C["Security\nIntegration"]
C --> D["Installation &\nConfiguration"]
D --> E["Performance\nTesting"]
E --> F["Monitoring &\nMaintenance"]
E -.->|"Bottleneck found"| D
F -.->|"Drift detected"| A
```
Figure 14.5: Phased implementation framework with feedback loops
Migration Strategies
Four primary strategies with different risk-cost tradeoffs:
| Strategy | Risk | Cost | Speed | Best For |
| --- | --- | --- | --- | --- |
| Parallel Running | Lowest | Highest | Slowest | Mission-critical, zero downtime tolerance |
| Direct Cutover | Highest | Lowest | Fastest | Simple systems or when parallel is impossible |
| Phased | Moderate | Moderate | Moderate | Large, complex environments with separable components |
| Pilot | Low-Moderate | Moderate | Moderate | New technologies needing production validation |
```mermaid
flowchart TD
START["Migration Strategy\nSelection"] --> Q1{"Zero downtime\nrequired?"}
Q1 -->|"Yes"| Q2{"Budget for\ndual operation?"}
Q1 -->|"No"| Q3{"System separable\ninto components?"}
Q2 -->|"Yes"| PARALLEL["Parallel Running\n(Lowest risk)"]
Q2 -->|"No"| PILOT["Pilot Deployment\n(Validate with subset)"]
Q3 -->|"Yes"| PHASED["Phased Implementation\n(Tranche by tranche)"]
Q3 -->|"No"| BIGBANG["Direct Cutover\n(Highest risk, fastest)"]
PARALLEL --> VAL["Post-Migration\nValidation vs Baseline"]
PILOT --> VAL
PHASED --> VAL
BIGBANG --> VAL
```
Figure 14.6: Migration strategy decision tree
Performance Baseline and Validation
Baselines established before migration serve as acceptance criteria afterward. Without a baseline, you cannot objectively determine whether the new design meets requirements.
Validation sequence: pre-migration baseline, lab validation, pilot validation (compare to baseline), post-migration validation (acceptance thresholds), ongoing monitoring (detect drift).
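The acceptance comparison itself can be mechanical. A minimal sketch — the metric names, values, and 10% tolerance are all hypothetical; a real acceptance plan would define per-metric thresholds up front:

```python
# Hypothetical acceptance check: post-migration metrics must not regress
# more than a tolerance relative to the pre-migration baseline.
# (Lower is better for all three metrics used here.)
baseline = {"latency_ms": 42.0, "loss_pct": 0.05, "jitter_ms": 3.0}
post     = {"latency_ms": 45.0, "loss_pct": 0.04, "jitter_ms": 7.5}

def regressions(baseline, post, tolerance=0.10):
    """Return the metrics where post-migration is worse than
    baseline by more than the given fractional tolerance."""
    return [m for m in baseline
            if post[m] > baseline[m] * (1 + tolerance)]

failed = regressions(baseline, post)
print("acceptance:", "PASS" if not failed else f"FAIL on {failed}")
```

Here latency and loss pass (within 10% of baseline) but jitter regresses from 3.0 ms to 7.5 ms, so the migration fails acceptance — an objective verdict that exists only because the baseline was captured first.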
A migration without a baseline is a leap of faith. A migration without a rollback plan is reckless. The CCDE exam expects designs that are measured, phased, and reversible.
Key Points -- Section 3
Implementation follows six phases: assessment, design mapping, security integration, installation, performance testing, monitoring -- with feedback loops for optimization
Parallel running is the safest migration strategy (lowest risk, highest cost); direct cutover is the riskiest (highest risk, lowest cost, fastest)
Every migration phase must have a tested rollback procedure; changes should be scheduled during maintenance windows
Performance baselines provide objective acceptance criteria: measure before, during, and after migration
Application dependency mapping reveals which components must move together and which can migrate independently
Animation: Side-by-side comparison of migration strategies -- parallel running (two bridges), direct cutover (instant swap), phased (lane-by-lane), pilot (small group first) -- with risk/cost meters
Post-Study Assessment
Now that you have studied the material, answer the same questions again. Compare your pre- and post-quiz scores to measure learning.
Post-Quiz
1. A network architect discovers that a new VoIP deployment suffers from choppy audio on calls traversing the WAN. The one-way delay measures 170 ms. Which design element most directly addresses this issue?
A. Increase link bandwidth to 10 Gbps
B. Implement QoS with a Low-Latency Queue for voice traffic marked EF
C. Enable IGMP snooping on all access switches
D. Deploy asynchronous storage replication
2. An organization wants to deliver a live IPTV stream to 500 viewers across 20 VLANs. Without any optimization, a single 5 Mbps stream would consume how much source bandwidth?
A. 5 Mbps, because switches replicate frames automatically
B. 100 Mbps, because each VLAN gets a copy
C. 2.5 Gbps, because every viewer receives a unicast copy
D. 500 Mbps, because each viewer gets a 1 Mbps portion
3. Which QoS design rule ensures that real-time traffic does not starve other traffic classes on a congested link?
A. Mark all traffic as EF (Expedited Forwarding)
B. Limit Low-Latency Queues to 33% of link capacity and reserve at least 25% for Best Effort
C. Enable WRED on the priority queue
D. Disable QoS and rely on overprovisioned bandwidth
4. A designer is planning a converged LAN/SAN fabric using FCoE. Which technology set is required to prevent frame loss on the Ethernet fabric?
A. OSPF with BFD for fast convergence
B. Data Center Bridging (PFC, ETS, DCBX)
C. IGMP snooping and PIM Sparse Mode
D. IPsec with QoS Preclassify
5. Synchronous storage replication becomes impractical beyond approximately what distance, and why?
A. 10 km, because Fibre Channel cables have limited reach
B. 1,000 km, because TCP window sizes limit throughput
C. 100 km, because the speed of light adds unacceptable write latency at greater distances
D. 500 km, because DWDM signal degradation causes errors
6. An IoT deployment of 10,000 agricultural sensors needs to operate for 5+ years on battery. Which connectivity technology is most appropriate?
A. Wi-Fi 6 (802.11ax)
B. LoRaWAN (LPWAN)
C. Bluetooth Low Energy (BLE)
D. 5G cellular
7. Why is application dependency mapping critical before a network migration?
A. It determines which DSCP markings to use for each traffic class
B. It identifies relationships between applications, revealing hidden single points of failure and components that must move together
C. It measures the current bandwidth utilization on each link
D. It automates the rollback procedure if migration fails
8. On a WAN link below 768 Kbps carrying voice traffic, which mechanism prevents a single large data packet from causing serialization delay that disrupts voice quality?
A. Call Admission Control (CAC)
B. WRED (Weighted Random Early Detection)
C. Link Fragmentation and Interleaving (LFI)
D. TCP Adjust-MSS
9. A company needs to migrate a mission-critical ERP system with zero tolerance for downtime. Which migration strategy is most appropriate?
A. Direct cutover (Big Bang)
B. Phased implementation
C. Parallel running
D. Pilot deployment
10. What is the primary purpose of establishing a performance baseline before a network migration?
A. To justify the budget for new hardware purchases
B. To provide objective acceptance criteria for validating the new design after migration
C. To determine which vendor equipment to select
D. To satisfy regulatory compliance requirements
11. Source-Specific Multicast (SSM) is preferred over PIM Sparse Mode for IPTV deployments primarily because:
A. SSM supports higher bandwidth streams than PIM-SM
B. SSM eliminates the Rendezvous Point as a potential bottleneck and single point of failure
C. SSM works without IGMP snooping on switches
D. SSM encrypts multicast traffic for security
12. In a QoS trust boundary design, BYOD devices connecting to access-layer switches should be treated as:
A. Conditionally trusted, with markings verified via CDP/LLDP
B. Fully trusted, since users authenticate via 802.1X
C. Untrusted, with their markings stripped and re-marked at ingress
D. Trusted after a one-time manual approval by network operations
13. Edge computing is critical for IoT network design because it:
A. Replaces the need for network segmentation and firewalls
B. Filters and aggregates data locally, reducing bandwidth to the data center and enabling real-time analytics
C. Provides lossless Ethernet transport for IoT sensor data
D. Eliminates the need for IoT gateways and protocol translation
14. When deploying VoIP over an IPsec VPN tunnel, the QoS Preclassify feature is essential because:
A. It compresses the voice payload to reduce bandwidth consumption
B. It clones the original IP header before encryption so classification can occur before the payload becomes opaque
C. It fragments large packets to prevent serialization delay
D. It limits the number of simultaneous VPN tunnels to prevent oversubscription
15. A traffic matrix produced by application profiling is the foundation for which three design activities?
A. VLAN assignment, spanning tree tuning, and port-channel configuration
B. Link sizing, QoS policy design, and failover capacity planning
C. IP addressing, DNS zone design, and DHCP scope planning
D. Firewall rule creation, NAT policy design, and VPN tunnel configuration