2007 Cisco Systems, Inc. All rights reserved. Cisco Public. ITE PC v4.0 Chapter 1
CCNA Discovery 4.0: Designing and Supporting Computer Networks
Chapter 5: Creating the Network Design

Objectives

Analyzing Business Goals and Technical Requirements
Determining how to design a network to meet business goals is a multistep process. The designer usually follows these steps:
Step 1: List the business goals that must be met by the new design.
Step 2: Determine what changes or additions are necessary for the business to meet its goals.
Step 3: Decide what technical requirements are necessary to implement each change.
Step 4: Determine how the design can address each of the technical requirements.
Step 5: Decide which design elements must be present in the final design.
Dealing with Constraints
The Design Requirements document includes a list of constraints. Usually, when constraints affect the design, compromises must be made. The network designer explores all possible alternatives and selects the best ones to include in the design.
Making Tradeoffs
A tradeoff is an exchange of one benefit or advantage for another benefit that is determined to be more desirable. Network design constraints often force tradeoffs between the ideal design and a design that is realistically achievable.
Tradeoffs between the benefits of an ideal solution and the reality of cost or time constraints are common. It is the job of the designer to minimize the effects of these tradeoffs on the main goals of scalability, availability, security, and manageability.
An example of a tradeoff in the stadium network design is a budget limitation that prevents a connection to a secondary Internet service provider (ISP). Because of this limitation, an alternative strategy must be designed to meet the availability requirements for the ecommerce servers.

Requirements for Scalability
The stadium management anticipates significant growth in certain areas of the network. They do not expect the number of wired connections to increase rapidly. The stadium management plans to add at least two new remote office sites. This expansion increases the number of users by 50 percent, to approximately 750 users.
The scalability requirements received from the stadium management are significant:
50 percent increase in the number of total users (LAN and WAN)
75 percent increase in the number of wireless users
75 percent increase in the number of online transactions serviced by the stadium ecommerce servers
100 percent increase in the number of remote sites
Addition of IP phones, and the incorporation of the video network, adding 350 end devices
Diagram legend: Planned Wireless AP; Existing Wireless AP
To support this rapid growth, the network designer develops a strategy to enable the network to scale effectively and easily. Included in the strategy are the following recommendations:
Design Access Layer modules that can be added as necessary without affecting the design of the Distribution and Core Layers.
Use expandable, modular equipment or clustered devices that can be easily upgraded to increase capabilities.
Choose routers or multilayer switches to limit broadcasts and filter other undesirable traffic from the network.
Plan to use multiple links between equipment, using either EtherChannel or equal cost load balancing, to increase bandwidth.
Create an IP address strategy that is hierarchical and that supports summarization.
When possible, keep VLANs local to the wiring closet.
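The recommendation to build a hierarchical address plan that supports summarization is easier to see with numbers. The following is an added example, not part of the chapter: it assumes a constructed 10.0.0.0/16 campus block, one /20 per wiring closet and one /24 per VLAN role, then computes the single prefix each closet's Distribution switch can advertise toward the Core, and shows why a flat (non-contiguous) allocation cannot be summarized without overlapping another closet's space.

```python
import ipaddress

# Constructed address plan for the stadium LAN (not from the chapter): one /16 for the
# campus, a /20 per wiring closet, and a /24 per VLAN role inside each closet block.
CAMPUS = ipaddress.ip_network("10.0.0.0/16")
CLOSETS = 16                                  # the 16 wiring closets named in the chapter
VLAN_ROLES = ["data", "voice", "video", "wireless"]

# A flat allocation for one closet: two subnets far apart in the /16 (constructed).
FLAT_CLOSET = [ipaddress.ip_network("10.0.3.0/24"), ipaddress.ip_network("10.0.200.0/24")]


def allocate(campus=CAMPUS, closets=CLOSETS, roles=VLAN_ROLES):
    """Hierarchical plan: closet blocks are contiguous, VLAN subnets nest inside them."""
    plan = {}
    for i, block in enumerate(list(campus.subnets(new_prefix=20))[:closets], start=1):
        vlans = block.subnets(new_prefix=24)
        plan[f"closet{i:02d}"] = {"block": block, "vlans": dict(zip(roles, vlans))}
    return plan


def covering_prefix(nets):
    """Smallest single prefix that contains every network in nets."""
    nets = list(nets)
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        cand = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last in cand:
            return cand
    raise ValueError("unreachable: a /0 contains every address")


def summary_is_safe(summary, other_nets):
    """A summary may be advertised only if it overlaps no subnet that lives elsewhere;
    otherwise the advertising switch attracts traffic for prefixes it cannot reach."""
    return not any(summary.overlaps(n) for n in other_nets)


def other_subnets(plan, closet):
    """Every VLAN subnet that belongs to a closet other than the named one."""
    return [v for name, c in plan.items() if name != closet for v in c["vlans"].values()]


def routes_advertised(plan, summarize=True):
    """Prefixes the Distribution Layer announces toward the Core, with or without summaries."""
    if summarize:
        return sorted(covering_prefix(c["vlans"].values()) for c in plan.values())
    return sorted(v for c in plan.values() for v in c["vlans"].values())


if __name__ == "__main__":
    plan = allocate()
    print("routes without summarization:", len(routes_advertised(plan, summarize=False)))
    print("routes with summarization:   ", len(routes_advertised(plan)))
    c3 = covering_prefix(plan["closet03"]["vlans"].values())
    print("closet03 summary", c3, "safe:", summary_is_safe(c3, other_subnets(plan, "closet03")))
    flat = covering_prefix(FLAT_CLOSET)
    print("flat closet summary", flat, "safe:", summary_is_safe(flat, other_subnets(plan, "closet01")))
```

The summary for the flat closet collapses to the whole /16, which overlaps every other closet; the only way to announce it is to advertise all of its /24s individually, which is exactly the route-table growth the recommendation is meant to avoid.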

Requirements for Availability
On the stadium network, the planned ecommerce, security, and IP telephony systems rely on the underlying network being available 24 hours a day, 7 days a week.
Incomplete website transactions can cause the stadium management to lose revenue. If the security monitoring becomes unavailable, the safety of the stadium customers can be endangered. In the event that the telephone system is down, vital communications are lost.
The network designer must develop a strategy for availability that provides the maximum protection from failure and that is not too expensive to implement. To provide the nearly 100 percent uptime requirement of the network applications, the designer must implement high availability and redundancy characteristics in the new design.
Availability for Ecommerce
An unreliable website can quickly become a support problem and even discourage customers from making transactions. To ensure reliability for ecommerce, use the following recommended practices:
Dual connect the servers on two different Access Layer switches.
Provide redundant connections at the Distribution Layer.
Provide secondary DNS servers colocated at the ISP.
Include additional monitoring locally and through the Internet for devices in the critical path.
Where possible, include redundant modules and power supplies in critical pieces of equipment.
Provide UPS and generator power backup.
Choose a routing protocol strategy that ensures fast convergence and reliable operation.
Investigate options to provide an additional Internet service provider (ISP) or redundant connectivity to the single ISP.
The Security Monitoring System
The servers that maintain the video files and the security management software have the same availability requirements as the ecommerce servers. The following additional measures are needed for the cameras and surveillance equipment:
Redundant cameras in critical areas that are connected to separate switches to limit the effect of a failure
Power over Ethernet (PoE) to the cameras, with UPS and/or generator backup
The IP Telephone System
Although the installation of the new IP telephone system is outside the scope of this network design project, it is still necessary for the network designer to consider the availability requirements in the design. The designer focuses on the following requirements for providing redundancy and high availability on the Access Layer switches:
Implement Layer 3 connectivity between the Access Layer and Distribution Layer devices when possible.
Provide redundant power and UPS backup.
Create redundant paths from the Access Layer to the Core Layer.
Reduce the size of failure domains.
When possible, select equipment that can support redundant components.
Use a fast, converging routing protocol, such as EIGRP.
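The availability practices above (dual-connected servers, redundant Distribution connections, redundant Access-to-Core paths) can be checked mechanically on a topology before anything is cabled. The following is an added example, not from the chapter: it models a constructed server module as an undirected graph and reports every single node or link whose failure would cut a given server off from both Core switches. Switch and server names are assumptions for illustration; web1 follows the dual-connect practice and web2 does not.

```python
from collections import deque

# Constructed sample of the server module (not the chapter's diagram): two Core switches,
# a Distribution pair, two Access switches and two ecommerce servers. web1 is dual
# connected to two Access switches as recommended; web2 hangs off a single switch.
LINKS = [
    ("core1", "core2"),
    ("core1", "dist1"), ("core1", "dist2"), ("core2", "dist1"), ("core2", "dist2"),
    ("dist1", "dist2"),
    ("dist1", "acc1"), ("dist2", "acc1"),     # acc1: redundant uplinks
    ("dist1", "acc2"),                        # acc2: single uplink
    ("acc1", "web1"), ("acc2", "web1"),       # web1: dual connected
    ("acc2", "web2"),                         # web2: single connected
]
CORE = {"core1", "core2"}
SERVERS = {"web1", "web2"}   # end hosts never forward traffic for others


def adjacency(links, drop_node=None, drop_link=None):
    """Undirected adjacency map with one node or one link removed (the simulated failure)."""
    adj = {}
    for a, b in links:
        if drop_node in (a, b) or (drop_link and {a, b} == set(drop_link)):
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reaches(adj, start, targets, no_transit=SERVERS):
    """Breadth-first search from start; hosts other than start are not used as transit."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            return True
        if node != start and node in no_transit:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, host, core=CORE):
    """Nodes and links whose individual failure leaves host unable to reach any Core switch."""
    nodes = {n for link in links for n in link} - {host}
    bad_nodes = sorted(n for n in nodes
                       if not reaches(adjacency(links, drop_node=n), host, core - {n}))
    bad_links = sorted(l for l in links
                       if not reaches(adjacency(links, drop_link=l), host, core))
    return {"nodes": bad_nodes, "links": bad_links}


if __name__ == "__main__":
    for server in sorted(SERVERS):
        print(server, single_points_of_failure(LINKS, server))
```

Running it shows web1 with no single point of failure, while web2 depends on acc2, on dist1 (acc2's only uplink) and on both links along that chain; fixing the design means adding the second Access connection and the second uplink, which is what the list above prescribes.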

Requirements for Network Performance
Converged networks, such as the network being designed for the stadium, carry a combination of data, voice, and video traffic. Each type of traffic has unique service requirements.
Characteristic features of applications on a typical converged network include:
Packets of various sizes
Distinct sets of protocols
Different tolerances to delay and jitter
Sometimes the service requirements of one application conflict with the service requirements of another, resulting in performance problems. When this situation occurs, frustrated users call the help desk to report that their application is slow.
Even skilled, experienced IT professionals struggle to maintain high application performance. Deploying new applications and services without disrupting existing ones is difficult.
On the new stadium network, three applications have specific performance requirements that must be addressed:
Transaction Processing
Video Distribution and Monitoring
IP Telephone Voice Quality
The network designer creates a list of the design goals and considerations that could affect the performance of these high priority applications.
Goal: Improve transaction processing time to less than 3 seconds.
Reduce the network diameter.
Restrict unwanted traffic and broadcasts.
Provide high bandwidth paths to key servers.
Recommend additional high speed storage or content servers.
Goal: Provide high quality voice and streaming video.
Design VLAN and traffic classification strategy.
Keep the paths from server to endpoints short.
Reduce the number of times traffic is filtered or processed.
Increase WAN site bandwidth and improve connectivity.
Determine QoS strategy and traffic priorities.
Identify areas where bottlenecks might occur and deploy a QoS strategy.
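The "VLAN and traffic classification strategy" and "QoS strategy and traffic priorities" items are abstract until you watch a bottleneck drain. The following is an added example, not from the chapter: it classifies constructed packets by VLAN role and protocol into an assumed DSCP marking plan (EF for voice, AF41 for video, AF31 for the ecommerce transaction traffic, best effort otherwise), then serializes them over a deliberately slow link twice, once as a plain FIFO and once with a low-latency scheduler (strict priority for EF, weighted round robin for the rest), and reports the worst queueing delay each class saw. The link speed, port numbers and weights are assumptions chosen to make the effect visible.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    pid: int
    vlan: str       # VLAN role from the design: "voice", "video", "data", "wireless"
    proto: str      # "udp" or "tcp"
    dport: int
    size: int       # bytes
    arrival: float  # milliseconds


# Assumed marking plan (not from the chapter): EF voice, AF41 video, AF31 transactions, BE rest.
EF, AF41, AF31, BE = 46, 34, 26, 0
ECOMMERCE_PORTS = {443}               # assumed: transaction traffic is HTTPS to the web servers
WEIGHTS = {AF41: 3, AF31: 2, BE: 1}   # round-robin shares (in packets) for non-priority classes


def classify(p):
    """Classification and marking at the Access Layer edge, keyed on VLAN role + protocol."""
    if p.vlan == "voice" and p.proto == "udp":
        return EF
    if p.vlan == "video" and p.proto == "udp":
        return AF41
    if p.proto == "tcp" and p.dport in ECOMMERCE_PORTS:
        return AF31
    return BE


def schedule(packets, link_bps, qos=True):
    """Serialize packets over one congested link.
    qos=True: EF strict priority, then weighted round robin over AF41/AF31/BE.
    qos=False: a single FIFO, for comparison. Returns [(pid, class, queue_delay_ms)]."""
    pending = sorted(packets, key=lambda p: p.arrival)
    queues, credits, out = defaultdict(deque), dict(WEIGHTS), []
    order = [AF41, AF31, BE]
    now, i = 0.0, 0
    while i < len(pending) or any(queues.values()):
        while i < len(pending) and pending[i].arrival <= now:      # enqueue arrivals
            p = pending[i]
            queues[classify(p) if qos else BE].append(p)
            i += 1
        if not any(queues.values()):                                # link idle: jump ahead
            now = pending[i].arrival
            continue
        if queues[EF]:                                              # voice always goes first
            cls = EF
        else:
            cls = next((c for c in order if queues[c] and credits[c] > 0), None)
            if cls is None:                                         # credits spent: new round
                credits = dict(WEIGHTS)
                cls = next(c for c in order if queues[c])
            credits[cls] -= 1
        p = queues[cls].popleft()
        out.append((p.pid, classify(p), now - p.arrival))
        now += p.size * 8 * 1000 / link_bps                         # serialization time in ms
    return out


def max_delay(result):
    """Worst queueing delay (ms) seen by each class."""
    worst = {}
    for _pid, cls, delay in result:
        worst[cls] = max(worst.get(cls, 0.0), delay)
    return worst


# Constructed burst: ten full-size data packets arrive together; voice, video and a
# transaction packet land while the link is still draining the burst.
PKTS = [Packet(i, "data", "tcp", 80, 1500, 0.0) for i in range(1, 11)]
PKTS += [Packet(11, "voice", "udp", 16384, 200, 0.5),
         Packet(12, "video", "udp", 5004, 1200, 1.0),
         Packet(13, "data", "tcp", 443, 600, 1.0),
         Packet(14, "voice", "udp", 16384, 200, 40.5)]
LINK_BPS = 1_000_000   # deliberately slow link so the burst causes real queueing

if __name__ == "__main__":
    for qos in (False, True):
        print("QoS " if qos else "FIFO", max_delay(schedule(PKTS, LINK_BPS, qos)))
```

With FIFO the first voice packet waits behind the whole data burst (119.5 ms, well past what a voice codec tolerates); with the priority scheduler it waits only for the one packet already on the wire (11.5 ms). The remaining lever is that 11.5 ms of serialization delay itself, which is why the goals list pairs QoS with faster links and shorter paths.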

Requirements for Security
Security is the one area of network design where tradeoffs should not be made. Although it may be necessary to find lower cost or less streamlined ways to provide a secure network, it is never acceptable to disregard security in order to add other network capabilities.
A network risk assessment identifies the areas where a network is most vulnerable. Networks that contain highly confidential or critical information often have unique security considerations. Organizations do risk assessments as part of their overall business continuity and disaster recovery planning.
Most networks benefit from standard recommended practices when it comes to deploying security. Recommended security practices include:
Use firewalls to separate all levels of the secured corporate network from other unsecured networks, such as the Internet. Configure firewalls to monitor and control the traffic, based on a written security policy.
Create secured communications by using VPNs to encrypt information before it is sent through third party or unprotected networks.
Prevent network intrusions and attacks by deploying intrusion prevention systems. These systems scan the network for harmful or malicious behavior and alert network managers.
Control Internet threats by employing defenses to protect content and users from viruses, spyware, and spam.
Manage endpoint security to protect the network by verifying the identity of each user before granting access.
Ensure that physical security measures are in place to prevent unauthorized access to network devices and facilities.
Secure wireless APs and deploy wireless management solutions.

Making Network Design Tradeoffs
After the network designer lists all the elements that need to be present in the stadium upgrade design, some hard decisions must be made. Unfortunately, few networks can be designed without considering:
The cost of the network
The difficulty of implementation
The future support requirements
The Stadium Company has placed some constraints on the network upgrade that require the designer to evaluate different design options. It may be necessary to make tradeoffs in some areas to accommodate these constraints.
The primary business goal of the Stadium Company is to improve the atmosphere and safety for the thousands of people who attend stadium events. Network improvements that directly affect how the network supports this goal must be a top priority for the designer when making design tradeoffs.
Supporting the business goals may lead to decisions that eliminate or complicate other desirable or necessary improvements. For example, adding wireless access to improve the customer experience in the luxury boxes and restaurant may decrease server security unless the guest access is isolated from the internal network.
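Two points above come together in firewall policy: the security section says firewalls must control traffic "based on a written security policy", and the tradeoff example says guest wireless must be isolated from the internal network. The following is an added example, not from the chapter, of how that written policy can be expressed as data and checked before deployment. Zone names, address ranges (private and documentation space), rule names and ports are all assumptions for illustration; it evaluates constructed flows against an ordered first-match rule list with an implicit deny, and audits the rule list for anything that would let the guest zone reach an internal zone.

```python
import ipaddress

# Constructed zones (private and documentation ranges; not the stadium's real plan).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.30.0.0/16"),
    "ecommerce_dmz": ipaddress.ip_network("192.0.2.0/24"),
}
INTERNAL = {"corp", "servers"}

# The written policy as an ordered rule list: first match wins, implicit deny at the end.
# Fields: (name, src_zone, dst_zone, proto, dports, action); "any" is a wildcard.
POLICY = [
    ("guest-web-out", "guest_wifi", "internet", "tcp", {80, 443}, "permit"),
    ("guest-dns-out", "guest_wifi", "internet", "udp", {53}, "permit"),
    ("public-to-shop", "internet", "ecommerce_dmz", "tcp", {443}, "permit"),
    ("shop-to-db", "ecommerce_dmz", "servers", "tcp", {5432}, "permit"),
    ("corp-to-servers", "corp", "servers", "any", "any", "permit"),
    ("corp-web-out", "corp", "internet", "tcp", {80, 443}, "permit"),
]
# A tempting shortcut for guest access that breaks the isolation the tradeoff text warns about.
SLOPPY_POLICY = [("guest-any-out", "guest_wifi", "any", "any", "any", "permit")] + POLICY


def zone_of(ip):
    """Longest-prefix match; 0.0.0.0/0 makes 'internet' the fallback zone."""
    addr = ipaddress.ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, matching rule name) for one flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for name, rsrc, rdst, rproto, ports, action in rules:
        if (rsrc in ("any", src) and rdst in ("any", dst) and rproto in ("any", proto)
                and (ports == "any" or dport in ports)):
            return action, name
    return "deny", "implicit-deny"


def audit_isolation(rules, src_zone, protected=INTERNAL):
    """Names of permit rules that could carry traffic from src_zone into a protected zone."""
    return [name for name, rsrc, rdst, _proto, _ports, action in rules
            if action == "permit" and rsrc in ("any", src_zone)
            and (rdst == "any" or rdst in protected)]


# Constructed flows to check against the policy.
FLOWS = [
    ("10.30.0.5", "10.20.0.10", "tcp", 443),       # guest -> server farm
    ("10.30.0.5", "198.51.100.7", "tcp", 443),     # guest -> Internet web
    ("198.51.100.7", "192.0.2.10", "tcp", 443),    # Internet -> ecommerce front end
    ("198.51.100.7", "10.20.0.10", "tcp", 22),     # Internet -> server farm
    ("10.10.0.20", "10.20.0.10", "tcp", 3389),     # corp -> server farm
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(POLICY, *flow))
    print("guest isolation violations:", audit_isolation(POLICY, "guest_wifi"))
    print("sloppy policy violations:  ", audit_isolation(SLOPPY_POLICY, "guest_wifi"))
```

The audit is the part worth keeping: it reads the policy rather than sample traffic, so it catches a wildcard rule that no finite set of test flows happened to exercise, and it can run every time the rule list changes.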

Designing an Access Layer Topology
Access Layer Requirements
The designer creates the following list of Access Layer network requirements for the new network:
Provide connectivity for existing network devices and add wireless access and IP telephones.
Create VLANs to separate voice, security surveillance monitoring, wireless access, and normal data devices.
Restrict VLANs to wiring closets, with the exception of the wireless VLAN, to support future roaming requirements.
Provide redundant links to the Distribution Layer network.
Use the 16 existing 2960 switches where possible.
Provide Power over Ethernet (PoE) to IP phones and wireless access points, if possible.
Provide QoS classification and marking capabilities.
An increase in the number of hosts does not always necessitate an equal increase in the number of devices and ports. For example, IP phones and other devices include an embedded switch that permits a PC to be plugged directly into the phone. This switch reduces the number of ports needed in the wiring closet to connect the additional devices. Assuming that over 50 percent of the IP phones also connect PC devices, adding more data connections may not require the addition of a new switch to the wiring closet.
IP phones have three ports:
Port 1 is an external port that connects to the switch or another VoIP device.
Port 2 is an internal 10/100 interface that carries the IP phone traffic.
Port 3 is an external access port that connects to a PC or another device.
The 16 existing 2960 switches are to be used in the Access Layer to provide end user connectivity. The network designer must ensure that the 2960 switch is suitable for the new network.
2960 Switch Capabilities
These switches are fixed configuration 10/100 Ethernet switches with two 10/100/1000 uplink ports. The 2960 can support most of the following requirements of the Access Layer network:
Scalability: The 2960 supports Cisco switch clustering; therefore, new switches can easily be added to support additional connectivity.
Availability: The 2960 supports redundant power supplies. Redundant switch management is available when the switches are configured in a cluster. Two switches can be configured as the command switches. If one fails, the rest of the cluster can still function. Classification and marking capabilities are also available in this model.
Security: Port security and other switch security options are available.
Manageability: The switches support Simple Network Management Protocol (SNMP). They can be managed in band and out of band. The 2960 supports the standard Cisco IOS software command set, as well as Cisco Network Assistant GUI configuration and management tools.
Limitations of the Existing Equipment
The 2960 switch has certain limitations in the new network design. The current 2960 switches in the stadium network need additional transceivers to support the fiber uplinks. Because only two fiber connections are available to each wiring closet, multiple 2960 switches must be clustered to share the uplinks. The 2960 is a Layer 2 switch; therefore, the network designer is limited to providing Layer 2 functionality at the Access Layer.
Power Requirements
Although the 2960 switch does not support PoE, it does support voice VLAN capability. It may be necessary to use powered patch panels to provide power to the IP phones until the switches are replaced in the future.
UPS units provide backup power for the switches and the powered patch panels. The designer recommends the purchase of a generator to provide power to critical areas of the Access Layer.

Designing Distribution Layer Topology
Distribution Layer Requirements
The network designer creates the following list of Distribution Layer requirements for the new network:
Provide redundant components and links to minimize the effect of a failure.
Support high density routing. Each of the 16 wiring closets in the stadium may eventually have more than one uplink to the Distribution Layer switches.
Provide traffic filtering capabilities.
Implement QoS mechanisms.
Provide high bandwidth connectivity.
Implement a fast converging routing protocol.
Aggregate traffic and perform route summarization.
Multilayer switches are an appropriate choice for meeting these requirements. They provide high port density and support the necessary routing capabilities. The Distribution Layer design includes connectivity for the LAN users, server farm, and enterprise edge distribution. Six multilayer switches need to be purchased to provide the required support.
Design Constraints
The limited amount of fiber connectivity to the wiring closets is the only design constraint that limits the Distribution Layer. The two fiber pairs that connect the wiring closets limit the number of switches that can be redundantly connected to the Distribution Layer equipment. Because all of the fiber terminates in a central location, much of the Distribution Layer equipment must be installed in the new data center.
Multilayer Switch Capabilities
Using multilayer switches at the Distribution Layer meets the stadium design technical requirements:
Scalability: The modular multilayer switches support additional fiber and copper ports. Using routing at the Distribution Layer avoids many Layer 2 Spanning Tree Protocol (STP) reconfiguration issues. New switch blocks can be added without affecting the existing topology.
Availability: The midrange multilayer switches support redundant power supplies and fans. More importantly, they support redundant management modules and fast failover technology. If one management module fails, the secondary module takes over, with no perceptible loss of connectivity. The Layer 3 switched design makes the best use of network links by efficient load balancing of the routed traffic. Routing protocols can be configured to converge as fast as STP or faster. Route summarization can occur at the Distribution Layer, reducing the impact of an Access Layer device or link failure on the Core Layer routing.
Security: Access list filtering, port security, and firewall feature sets are available on the multilayer switch Cisco IOS. Additional security features prevent unauthorized or unwanted network traffic.
Manageability: The switches support SNMP. They can be managed both in band and out of band.

Designing Core Layer Topology
The Core Layer of the stadium LAN must provide high speed connectivity and high availability. Both the local and remote stadium networks depend on the Core switches for connectivity.
Core Layer Requirements
Design requirements for the Core Layer network include:
High speed connectivity to the Distribution Layer switches
24x7 availability
Routed interconnections between Core devices
High speed redundant links between Core switches and between the Core and Distribution Layer devices
The Core Layer design requires high speed, lower density, multilayer switching. In the new design, the Core Layer network for the stadium can be implemented on two powerful multilayer switches.
The Core Layer is reserved for high speed traffic switching; therefore, little or no packet filtering is done at this layer.
In a small business environment, the Distribution and the Core Layers are frequently combined. This may be referred to as a collapsed Core or a collapsed backbone.
High Availability
The top priority at the Core Layer of the network is high availability. The network designer needs to consider any measures that can be taken to improve reliability and uptime.
Redundant links between the Core Layer and the Distribution Layer should be established. Installing redundant components and taking additional measures to provide redundant air conditioning, power, and services to the Core Layer devices should be implemented wherever possible.
Using a Layer 3 routing protocol such as EIGRP or OSPF at the Core Layer can decrease the time it takes to recover from a link failure. Routed connections between the Core Layer switches can provide equal cost load balancing as well as rapid recovery.
Speed
The next priority at the Core Layer is speed. Almost all of the stadium network traffic must travel through the Core Layer devices. High speed interfaces, fiber connectivity, and technologies such as EtherChannel can provide enough bandwidth to support the traffic level and let the network grow in the future.

Creating the Logical Network Diagram for the WAN
Creating the Logical LAN Diagram
The final step in the preliminary LAN network design is to create the logical diagram for the new stadium network. This diagram shows how all of the various layers and devices interconnect.
In the new stadium LAN, each of the 16 wiring closets contains at least one 2960 switch. Because there are three distinct modules in the stadium network, six Distribution Layer switches aggregate and route traffic between the Access Layer and the Core Layer.
The Core Layer consists of two high end multilayer switches with redundancy. They are connected to the Distribution Layer and to each other with gigabit links.
The network designer makes notes on the network diagram to indicate where the servers and IP services are located. After completing the wired campus LAN design, the designer then plans the portion of the network that supports remote connectivity into the stadium LAN.

Determining Connectivity for the Remote Sites
At the enterprise edge, the stadium network connects to the Internet via DSL provided by a local ISP. ISP managed routers are located at the stadium, connected to the Edge Router of the Stadium Company.
Extending Services to Remote Locations
The two existing remote locations, a ticketing office located in the downtown area and a souvenir shop in a local shopping mall, use the same ISP provider as the main stadium site. The ISP also provides a managed VPN service to them. These connections provide the remote sites with access to the databases located on servers in the stadium management offices.
One of the high priority goals of the new stadium network is to extend the voice and video network to the remote locations. There are two additional remote connections planned:
A film production company, hired to provide video during and after events, needs to connect to the stadium network to exchange files.
A sports team that currently leases space in the stadium is expanding to a remote office location. The team needs access to the same network resources that it uses on the stadium LAN.
Adding New WAN Connections
The network designer realizes that dedicated WAN connections are required to meet these new goals. An RFQ is sent to the Telecommunications Service Providers (TSPs) in the area to determine the cost and availability of WAN services.
Because the stadium is located outside the city limits, the choices for WAN connectivity are limited to point to point T1 and Frame Relay. These services are available to both the stadium and the remote locations through a local TSP.
Although the point to point T1 service offers the most control over the quality of service available to the WAN sites, the Frame Relay service is less expensive. The network designer recommends that the stadium use Frame Relay to connect to the remote sites until a Metro Ethernet or other high speed service becomes available in the area.
An advantage of using a Frame Relay connection over point to point T1 connections is that a single physical connection to the TSP can provide connectivity from the stadium to multiple remote site locations.
Frame Relay Connection Types
Frame Relay networks transfer data using one of these two connection types:
Switched Virtual Circuits (SVCs) are temporary connections created for each data transfer and then terminated when the data transfer is complete.
Permanent Virtual Circuits (PVCs) are permanent connections. This type of connection is to be provided between the stadium network and the remote WAN sites.
After discussions with stadium management, the Networking Company staff decides to install a Frame Relay connection from the stadium to the souvenir shop as a pilot to test the dedicated WAN connectivity.

Defining Traffic Patterns and Application Support
Network Services for Remote Sites
When determining the physical method for connecting the remote sites to the main stadium network, the network designer must also analyze how workers at the remote sites expect to use the network services. The remote sites have some applications in common and some requirements that are unique. Services needed by the remote sites include:
Access to the ecommerce and database services
IP telephony
Video surveillance and monitoring
In addition, the new remote team office requires access to the team payroll and accounting server located at the stadium.
The Film Company employees need to be able to remotely monitor the video screens throughout the stadium and transfer video files to the stadium web servers.
The designer makes a chart of the traffic flows from each WAN connection through the network to the various service locations.

Designing VPN and Endpoint Connectivity Options
Backing up the Frame Relay Link
The ticket sales office and the souvenir shop connect back to the stadium network using site to site VPNs through the Internet. The routers at the stadium and remote sites that provide endpoints for each VPN are owned and managed by the ISP. The network designer plans to use these VPN connections as a backup to the Frame Relay dedicated connections, in the event that the Frame Relay link fails. The designer recommends a backup link from each of the two new sites as well. A second edge router at the main site is planned for redundancy.
Supporting Remote Workers
The stadium management would also like to support remote workers who occasionally work from home or from other remote sites. The sports team personnel, for example, need to be able to access the team server securely when traveling. Client VPN access can be provided through the same ISP managed service. The designer recommends that the stadium management investigate this option. They agree to contact the ISP to discuss the upgrade.

Creating the Logical Network Design for the WAN
Routing and IP Addressing
In the existing network, the WAN sites use only the VPN to connect back to the stadium. Simple static routes are sufficient to ensure connectivity. DHCP addressing is provided to the remote site LANs by the ISP managed services router.
Providing both VPN and dedicated WAN connections to each site requires that the network designer carefully choose the IP address ranges that are used for each site. It may be necessary to change the address ranges for the remote sites.
The addition of the new WAN connection to each of the sites increases the number of possible paths to the stadium network from one to two. As a result, static routing may not be the best method used to ensure connectivity to the services on the stadium LAN. It may be necessary to use a dynamic routing protocol to enable the remote LANs to maintain connectivity in the event of a Frame Relay link failure. The network designer makes a note of this, so that it is considered when the stadium routing protocol implementation is designed.
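Why two static routes are not a substitute for the dynamic routing protocol the designer notes here (and the fast-converging protocol the Core section calls for) is clearest in a small route-selection model. The following is an added example, not from the chapter: it simulates a remote site router's route table for a constructed stadium prefix with three candidate designs (VPN-only static, static over both links, EIGRP over both links) and three states (all up, Frame Relay interface down, Frame Relay far end down while the local interface stays up). Interface names, metrics, neighbor names and the simplification that a dynamic route lives only while its neighbor adjacency is alive are assumptions; the administrative distances are the IOS defaults for static and EIGRP internal routes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str
    source: str                      # "static" or "eigrp"
    ad: int                          # administrative distance; IOS defaults: static 1, EIGRP internal 90
    metric: int
    neighbor: Optional[str] = None   # router a dynamic route was learned from


STADIUM = "10.0.0.0/16"   # constructed prefix standing in for the stadium LAN

# Three candidate designs for a remote site router (assumed interface names and metrics).
STATIC_VPN_ONLY = [Route(STADIUM, "vpn0", "static", 1, 0)]                 # today's single path
STATIC_BOTH = [Route(STADIUM, "fr0", "static", 1, 0),
               Route(STADIUM, "vpn0", "static", 1, 0)]                     # a static route per link
DYNAMIC = [Route(STADIUM, "fr0", "eigrp", 90, 2_000_000, "stadium-wan-rtr"),
           Route(STADIUM, "vpn0", "eigrp", 90, 5_000_000, "stadium-edge-rtr")]


def usable(route, ifaces, neighbors):
    """A static route stays installed while its outgoing interface is up; a dynamic route
    also needs its neighbor adjacency alive (assumed simplification of protocol behaviour)."""
    if not ifaces.get(route.iface, False):
        return False
    if route.source != "static" and not neighbors.get(route.neighbor, False):
        return False
    return True


def best_routes(candidates, ifaces, neighbors):
    """RIB selection: lowest AD, then lowest metric; exact ties are installed together (ECMP)."""
    live = [r for r in candidates if usable(r, ifaces, neighbors)]
    if not live:
        return []
    best = min((r.ad, r.metric) for r in live)
    return [r for r in live if (r.ad, r.metric) == best]


def forwarding_ifaces(candidates, ifaces, neighbors):
    """Interfaces traffic for the stadium prefix would actually leave through."""
    return sorted(r.iface for r in best_routes(candidates, ifaces, neighbors))


# Constructed failure scenarios: (interface state, neighbor adjacency state).
ALL_UP = ({"fr0": True, "vpn0": True},
          {"stadium-wan-rtr": True, "stadium-edge-rtr": True})
FR_IFACE_DOWN = ({"fr0": False, "vpn0": True},
                 {"stadium-wan-rtr": False, "stadium-edge-rtr": True})
FR_FAR_END_DOWN = ({"fr0": True, "vpn0": True},              # local interface still up
                   {"stadium-wan-rtr": False, "stadium-edge-rtr": True})

if __name__ == "__main__":
    designs = {"static vpn only": STATIC_VPN_ONLY, "static both": STATIC_BOTH, "eigrp": DYNAMIC}
    states = {"all up": ALL_UP, "fr iface down": FR_IFACE_DOWN, "fr far end down": FR_FAR_END_DOWN}
    for dname, design in designs.items():
        for sname, (ifaces, neighbors) in states.items():
            print(f"{dname:16} {sname:16} -> {forwarding_ifaces(design, ifaces, neighbors)}")
```

The case that matters is the far-end failure: with two static routes the router keeps sending half of its traffic into a circuit that goes nowhere, because a static route only tracks the local interface, whereas the dynamic design withdraws the Frame Relay route when the adjacency is lost and fails over to the VPN path on its own.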

Designing Coverage Options and Mobility
Adding Wireless Network Coverage
A primary goal of the new design is to add wireless network coverage to the network.
In response to requests from the local media, the stadium management added an inexpensive wireless AP to provide wireless Internet in the press box. Some employees also purchased wireless access routers, providing low grade wireless coverage in the team offices. These types of devices are not robust enough for an enterprise LAN wireless implementation.
Wireless Network Coverage
To meet the goals for the new stadium network design, wireless coverage is necessary in four identified areas:
Press box
Team lounge areas
Stadium restaurant
Luxury suites located around the stadium
The two existing wireless APs need to be replaced with more manageable devices. Some areas require guest wireless access.
Unified Wireless and Wired Solutions
Integration of the new wireless network with the wired stadium LAN simplifies management and makes use of the security and redundancy of the Ethernet infrastructure.
Standalone APs connected to the Ethernet switches in the wiring closet can provide the necessary wireless coverage to the four previously identified areas in the stadium. Limited wireless roaming can be supported by creating wireless VLANs that span the network and wireless coverage areas that overlap.
Although this solution meets the current stadium network goals, the network designer recommends that the stadium purchase Lightweight Access Points (LAPs) and wireless LAN controllers to support the wireless requirements. LAPs are not standalone devices; they rely on the wireless controller for configuration and security information.
Unified wireless network solutions that include wireless control system software offer advanced features, such as centralized management and multiple service levels for different user and client types. These systems allow different levels of QoS and security for different types of wireless use.
The wireless solution proposed by the network designer meets the following requirements for the stadium network upgrade:
Scalability: New LAPs can be added easily and managed centrally.
Availability: APs can automatically increase their signal strength if one AP fails.
Security: Enterprise-wide security policies apply to all layers of a wireless network, from the radio layer through the MAC Layer and into the Network Layer. This solution makes it easier to provide uniformly enforced security, QoS, and user policies. These policies address the specific capabilities of different classes of devices, such as handheld scanners, PDAs, and notebook computers. Security policies also provide discovery and mitigation of DoS attacks, and detection and denial of rogue APs. These functions occur across an entire managed WLAN.
Manageability: The solution provides dynamic, system-wide RF management, including features that aid smooth wireless operations, such as dynamic channel assignment, transmit power control, and load balancing. The single graphical interface for enterprise-wide policies includes VLANs, security, and QoS.
The results of the stadium wireless site survey indicate that the restaurant requires at least two APs to provide high-quality wireless coverage.
The network designer determines that to contain the wireless signal within the restaurant, it is best to mount directional APs against the two outside walls.
The site survey did not uncover any issues that would cause wireless interference within the eating areas. However, the kitchen area microwave oven may cause interference near the bar.
Each of the 20 luxury suites located around the stadium requires a single, ceiling-mounted, low-power AP in the center of the room.
The press box currently has a single standalone AP that does not have adequate coverage. Two new lightweight APs are recommended.
Redundancy and resiliency in a wireless Network
Availability Considerations
The availability of a wireless connection is dependent on the following factors:
Location of the AP
Signal strength of the AP
Number of users sharing the AP connectivity
Wireless networks using standalone APs usually have the APs configured and deployed with the channel and power statically set. The channel and power settings are determined by the network designer.
Dynamic Reconfiguration
In contrast to the autonomous APs, wireless LAN controllers automatically determine the signal strength that exists between lightweight APs within the same network. These controllers can use this information to create a dynamic, optimal RF topology for the network.
When a Cisco LAP boots, it immediately looks for a wireless LAN controller within the network. When it detects a wireless LAN controller, the AP sends out encrypted neighbor messages that include the MAC address and signal strength of any neighboring APs.
Centralization Load Balances Users
Through encrypted over-the-air messages, Cisco wireless LAN controllers detect the entire network. These controllers also detect signal strength between APs. When a client looks for an AP to connect to, a probe is sent to the controller from each AP that hears the request from the client. The controller determines which AP responds to the request from the client, taking into account the signal strength of the client and signal-to-noise ratio.
For example, an adjacent AP may provide an equivalent service but at a lower signal strength. The controller determines which AP should respond to the probe from the client, based on its signal strength, or Received Signal Strength Indicator (RSSI).
These measures improve the availability of wireless services within the WLAN. Wireless controllers centrally located in the data center benefit from the high availability and redundant connections contained in the wired LAN.
Creating the Logical Network Design for a WAN
IP Addressing in a WLAN
The network designer must also consider the IP addressing structure when planning wireless roaming in a WLAN. In the case of standalone APs, a single VLAN is created and extended to all of the wiring closets to connect the APs in the same Layer 3 IP network. However, if a large number of wireless users connect to the network, broadcasts become a problem. The network is no longer scalable.
Layer 3 Roaming
When using the wireless controllers and lightweight APs, Layer 3 roaming can be introduced into a network. It is not necessary to extend VLANs to all of the APs in the network to keep a flat wireless subnet.
With the wireless controller, the lightweight APs are installed in the normal subnet infrastructure and are given an IP address that is local to the subnet to which they are deployed. All traffic that comes from wireless clients is placed into a packet that is tunneled through the underlying network to the wireless LAN controller.
Placing security functions and appliances
Threats to networks can come in many different forms, and from both internal and external sources. Simply placing a firewall at the enterprise edge does not ensure network security. The network designer must identify which data and communications are at risk and what the potential sources of attacks are. Security services then need to be placed at appropriate points throughout the network design to prevent likely attacks.
The ecommerce servers on the stadium network contain customer information that may include credit card and banking details. Users access these servers from within the stadium network and through the Internet.
The stadium management and team administrative servers contain personnel and payroll information. These servers, and the infrastructure that transports the data they contain, must be secured adequately to protect this information from unauthorized use.
Security measures relating to the stadium wireless network need to be considered as well.
Security services help protect the devices and the network from intrusion, tampering, altering of data, and disruption of services through Denial of Service (DoS) attacks. The primary categories of security services include:
Infrastructure protection
Secure connectivity
Threat detection, defense, and mitigation
Infrastructure Protection
Network security begins with securing the network devices themselves. This involves securing Cisco IOS software-based routers, switches, and appliances from direct as well as indirect attacks. This protection helps to ensure availability of the network for data transport.
Secure Connectivity
It is critical to prevent unauthorized users from accessing the network. This can be done by ensuring that the physical network is secure, and by requiring authentication to gain access to wireless services.
Threat Detection, Defense, and Mitigation
Firewalls, IDS, IPS and ACLs provide protection from threats and attackers. ACLs and firewall rules filter traffic to permit only desirable traffic through the network.
Implementing Security Services
Security services are not effective if they are not implemented at the correct locations throughout the network. Firewalls and filters placed at the enterprise edge do not protect servers from attacks from within the LAN. The network designer analyzes the traffic flow diagrams that were created earlier that show:
Resources that are accessed by internal users
Resources that are accessed by external users
Paths that this access takes through the network
Using Integrated Services
Wherever possible, the network designer uses integrated services, such as IOS-based firewall features and IDS modules, to eliminate the need for additional security devices. In a larger network, it is necessary to use separate devices because the additional processing can cause routers and switches to become overloaded.
Implementing Access Control List and Filters
The network designer works with the stadium IT staff to define the firewall rule sets to be implemented in the stadium network upgrade.
Examples of firewall rule sets include these statements:
Deny all inbound traffic with network addresses matching internal registered IP addresses: Inbound traffic should not originate from network addresses matching internal addresses.
Deny all inbound traffic to server external addresses: This rule includes denying server translated addresses, with the exception of permitted ports.
Deny all inbound ICMP echo request traffic: This rule prevents internal network hosts from receiving ping requests generated from outside the trusted network.
Deny all inbound Microsoft Domain Local Broadcasts, Active Directory, and SQL server ports: Microsoft domain traffic should be carried over VPN connections.
Allow DNS (UDP 53) to DNS server: Permit external DNS lookups.
Allow web traffic (TCP 80/443) from any external address to the web server address range.
Allow traffic (TCP 21) to FTP server address ranges: If FTP services are provided to external users, this rule permits access to the FTP server. As a reminder, when using FTP services, user account and password information is transmitted in clear text. Use of passive FTP (PASV) negotiates a random data port versus the use of TCP port 20.
Allow traffic (TCP 25) to SMTP server: Permit external SMTP users and servers access to the internal SMTP mail server.
Allow traffic (TCP 143) to internal IMAP server: Permit external IMAP clients access to the internal IMAP server.
The security policies of the stadium management dictate user and group permissions to resources. The designer also complies with the recommended practices defined by the server operating system vendors. These practices help to identify and filter traffic that is known to be malicious.
When designing firewall rule sets and ACLs, the general policy is to deny all traffic that is either not specifically authorized or is not in response to a permitted inquiry.
Rule Sets and Access Control Lists
Firewall rule sets are used to create the ACL statements that are implemented on the routers and firewall appliances. Each firewall rule set may require more than one ACL statement and may require both inbound and outbound placement.
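The inbound edge rule set listed above, turned into the ACL statements a router would carry, as an added example that is not part of the course material. The ACL name, the interface, and every address are constructed placeholders (203.0.113.0/24 from the RFC 5737 documentation range stands in for the stadium's registered public block and the translated server addresses, 10.0.0.0/8 for the internal private space), and the Microsoft domain and SQL port numbers are the commonly used ones, assumed here because the course text names the services but not the ports.

```cisco
! Added example (not the course's own configuration). Constructed addresses:
!   203.0.113.0/24  - the stadium's registered (public) block, also used
!                     for the translated server addresses
!   10.0.0.0/8      - internal private addressing
! Windows domain / SQL ports assumed: 135-139, 445, 389, 1433
ip access-list extended EDGE-INBOUND
 remark Anti-spoofing: inbound packets must not carry an internal source address
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark Deny inbound ping requests to the trusted network
 deny   icmp any any echo
 remark Microsoft domain, Active Directory and SQL traffic belongs inside the VPN
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 deny   tcp any any eq 389
 deny   tcp any any eq 1433
 remark Permitted services, one statement per rule set entry
 permit udp any host 203.0.113.53 eq 53
 permit tcp any 203.0.113.16 0.0.0.15 eq 80
 permit tcp any 203.0.113.16 0.0.0.15 eq 443
 permit tcp any host 203.0.113.21 eq 21
 permit tcp any host 203.0.113.25 eq 25
 permit tcp any host 203.0.113.143 eq 143
 remark Replies to sessions started from inside (responses to permitted inquiries)
 permit tcp any any established
 remark Every other inbound packet, including any other port on the server
 remark translated addresses, is dropped: the implicit deny, made explicit and logged
 deny   ip any any log
!
interface Serial0/0/0
 description Link to the ISP
 ip access-group EDGE-INBOUND in
```

The established keyword only matches TCP segments with the ACK or RST bit set, so the PASV data connection mentioned in the FTP rule, which arrives as a new inbound connection to a negotiated port, is dropped by this ACL and needs stateful inspection (the IOS firewall feature set, for example) rather than a static permit.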
Updating the Logical Network Design Documentation
The design documentation includes all firewall rule sets and ACLs and defines where they are implemented. Rule set statements become part of the stadium management security policy documentation.
Documenting the firewall rule sets and the ACL placement offers these benefits:
Provides evidence that the security policy is implemented on the network
Ensures that when changes are necessary, all instances of a permit or deny condition are known and evaluated
Assists in troubleshooting problems with access to applications or segments of the network