Designing Network Topology (Week 4)
Network Topology
Cisco has developed several models to help network designers conceptualize
Some of the models we will look at are:
Hierarchical
Enterprise Campus
Three Part Firewall
Redundancy in Design
Overview of the Hierarchical Model
The hierarchical model lets you design the internetwork in layers (modular).
Why?
Simplifies the tasks required for two systems to communicate (like the OSI model)
Focuses functionality into unique layers
Assigns bandwidth appropriately to each layer
Network management issues such as training and staff costs are controlled
Allows for distributed, modular network management
Overview of the Hierarchical Model
Benefits: Cost savings
Many organizations report that this model saves them money because they are not always doing all routing/switching on one platform.
Appropriate bandwidth per module means no wasted capacity.
Overview of the Hierarchical Model
Ease of Understanding
Simpler and smaller design units facilitate understanding.
An easier system will reduce training and staff costs.
Different layers of the model can be assigned differing management responsibilities and management systems, thus driving down management overheads.
Overview of the Hierarchical Model
Easy Network Growth
Growth is facilitated through modules.
As a network grows, specific modules can be replicated to handle the growth.
The cost and complexity of making the growth is contained to only the new subset module.
Compare this to a fully meshed or flat network where everyone is a peer: dropping something in the middle necessitates a change for everything else.
Overview of the Hierarchical Model
Improved Fault Isolation
By having limited isolation points between modules, a network manager can target and isolate failure points faster and more easily.
Today's fast-converging protocols, such as EIGRP, are designed for hierarchical topologies.
Hierarchical Network Design Layers
Core: High Speed Switching
Distribution Layer: Policy Based Connectivity
Access Layer: Local and Remote Workgroup Access
Core Layer Function
The core layer is a high-speed switching backbone and should be designed to switch packets as fast as possible. This layer of the network should not perform any packet manipulation, such as access lists and filtering, that would slow down the switching of packets.
Core Layer Should
Fast transport
High reliability
Redundancy
Fault tolerance
Quick adaptation
Low latency and good manageability
Avoidance of slow packet manipulation
Limited and consistent diameter
Distribution Layer
The distribution layer of the network is the demarcation point between the access and core layers and helps to define and differentiate the core. The purpose of this layer is to provide boundary definition and is the place at which packet manipulation can take place.
Distribution Layer Should
Implement the following functions:
Policy and security
Address and area aggregation
Departmental or workgroup access
Broadcast/multicast domain definition
Routing between virtual LANs
Media translations
Redistribution between routing domains
Demarcation between static and dynamic routing protocols
Distribution Layer
Using Cisco IOS software you can implement policy:
Filter source or destination addresses
Filter input and output ports
Hide internal network numbers by route filtering
Static routing
Quality of Service mechanisms (can every device on the path handle the information being distributed?)
Access Layer
The access layer is the point at which local end users are allowed into the network. This layer may also use access lists or filters to further optimize the needs of a particular set of users.
Access Layer Should
Provide users on local segments access to the network
Be characterized by switched or shared bandwidth LANs
Some characteristics of the access layer include:
High availability
Port security
ARP inspection
Virtual access lists
Trust classification
Enterprise Composite Model
The enterprise composite model facilitates the design of larger and more scalable networks.
The network is divided into functional components containing network modules.
The three major functional components are:
Enterprise campus
Enterprise edge
Service provider edge
Enterprise Campus Modules
The modules are:
Enterprise infrastructure
Edge distribution
Server farms
Network management
Hot Standby Router Protocol (HSRP)
Hot Standby Router Protocol provides high network availability and transparent network topology changes. HSRP creates a Hot Standby router group with a lead router that services all packets sent to the Hot Standby (phantom) address. The lead router is monitored by the other routers in the group, and if it fails, one of these standby routers inherits the lead position and the Hot Standby group address.
Server Redundancy
Complete server redundancy: servers on different networks and power sources. Very expensive, but stock traders require it.
Disk mirroring: synchronizing two disks.
Disk duplexing: disk mirroring plus each disk has a different disk controller.
Media Redundancy
Mission critical requires redundant media (hardware).
Media redundancy on the LAN relies on redundant links between switches and uses spanning tree for loop avoidance.
Media redundancy on the WAN relies on backup links.
Media Redundancy
WAN backup links
Use different technologies for backups (ISDN).
Use floating static routes by specifying a higher administrative distance so the backup won't be used unless the primary route goes down.
Beware: different carriers may actually use the same physical circuit.
Route Redundancy
Provides load balancing: IP balances across six parallel links of equal cost.
Minimizes downtime from link failures.
Full mesh provides complete redundancy.
Partial mesh provides redundancy with lower cost and more scalability.
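The floating static route from the Media Redundancy slides and the equal-cost load balancing mentioned here follow from one selection rule: lowest administrative distance first, then lowest metric, with remaining ties installed together. The following is an added illustration, not from the slides; the prefix, next hops and the floating distance of 200 are constructed values.

```python
from dataclasses import dataclass, replace

# Cisco IOS default administrative distance for EIGRP is 90 (lower wins); the
# floating-static value is constructed: anything above the primary's works.
AD_EIGRP = 90
AD_FLOATING_STATIC = 200

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str      # "eigrp" or "static"
    distance: int    # administrative distance
    metric: int      # protocol metric; compared only among equal-distance routes
    link_up: bool = True

# Constructed sample: two equal-cost EIGRP paths over the primary WAN carrier and
# a floating static route over an ISDN backup, all to the same remote prefix.
TABLE = [
    Route("10.20.0.0/16", "198.51.100.1", "eigrp", AD_EIGRP, 3000),
    Route("10.20.0.0/16", "198.51.100.2", "eigrp", AD_EIGRP, 3000),
    Route("10.20.0.0/16", "203.0.113.1", "static", AD_FLOATING_STATIC, 0),
]

def best_routes(table, prefix, max_paths=6):
    """Routes installed for prefix: only live links count, the lowest administrative
    distance wins, then the lowest metric; remaining ties are installed together
    for equal-cost load balancing (the slides cite six parallel links)."""
    live = [r for r in table if r.prefix == prefix and r.link_up]
    if not live:
        return []
    lowest_ad = min(r.distance for r in live)
    preferred = [r for r in live if r.distance == lowest_ad]
    lowest_metric = min(r.metric for r in preferred)
    return [r for r in preferred if r.metric == lowest_metric][:max_paths]

def next_hops(table, prefix):
    """Sorted next hops that traffic for prefix is spread across."""
    return sorted(r.next_hop for r in best_routes(table, prefix))

def with_link_down(table, next_hop):
    """Copy of the table with every route via next_hop marked down."""
    return [replace(r, link_up=False) if r.next_hop == next_hop else r for r in table]

if __name__ == "__main__":
    print("normal:", next_hops(TABLE, "10.20.0.0/16"))  # both EIGRP paths
    degraded = with_link_down(TABLE, "198.51.100.1")
    print("one primary link down:", next_hops(degraded, "10.20.0.0/16"))
    isolated = with_link_down(degraded, "198.51.100.2")
    print("carrier down:", next_hops(isolated, "10.20.0.0/16"))  # floating static takes over
```

The last case is the one the slides warn about: if both "primary" links ride the same carrier circuit, they fail together and only the ISDN floating static remains.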
Bastion Hosts
Provide the following services:
Anonymous FTP server
Web server
Domain Name server
Specialized security software
Telnet ??? In the book, on the CCDA test, but don't do it
Three-Part Firewall System Rules
The inside packet filter router should allow inbound TCP packets from established sessions
The outside packet filter router should allow inbound TCP packets from established TCP sessions
The outside packet filter router should also allow packets to specific TCP or UDP ports going to specific bastion hosts.
Rules (cont’d)
Do not enable any unnecessary services on the outside filter router
Turn off Telnet access (no virtual terminals)
Use static routing only
Do not make it a TFTP server
Use password encryption
Turn off proxy ARP and finger service
Turn off IP redirects and route caching
Do not make it a MacIP server
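The three filter rules above reduce to two small decision functions, one per packet filter router. This is an added model of those rules, not course material or Cisco code; the bastion addresses, the published service table and the sample packets are constructed, and "established" follows the IOS access-list meaning of a TCP segment with ACK or RST set.

```python
from dataclasses import dataclass

# Constructed sample: bastion hosts on the isolation LAN and the TCP/UDP services
# the outside filter router may forward to each one (addresses are illustrative).
BASTION_SERVICES = {
    "192.0.2.10": {("tcp", 21), ("tcp", 80)},   # anonymous FTP and web server
    "192.0.2.53": {("tcp", 53), ("udp", 53)},   # domain name server
}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dst: str            # destination IPv4 address
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag (set on every segment after the opening SYN)
    rst: bool = False   # TCP RST flag

def is_established(pkt: Packet) -> bool:
    """IOS 'established' keyword semantics: a TCP segment with ACK or RST set.
    This is a stateless flag check, not connection tracking."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)

def inside_router_permits(pkt: Packet) -> bool:
    """Inside filter router: inbound TCP only from established sessions, i.e.
    replies to connections the inside opened; a bare SYN or any UDP is dropped."""
    return is_established(pkt)

def outside_router_permits(pkt: Packet) -> bool:
    """Outside filter router: established TCP, plus specific TCP/UDP ports going
    to specific bastion hosts; everything else is dropped."""
    if is_established(pkt):
        return True
    return (pkt.proto, pkt.dport) in BASTION_SERVICES.get(pkt.dst, set())

def forwarded(router: str, packets):
    """Subset of packets the named router ('inside' or 'outside') would forward."""
    check = inside_router_permits if router == "inside" else outside_router_permits
    return [p for p in packets if check(p)]

if __name__ == "__main__":
    sample = [
        Packet("tcp", "192.0.2.10", 80),                 # new HTTP connection to bastion
        Packet("tcp", "192.0.2.10", 23),                 # telnet to bastion: not published
        Packet("tcp", "10.1.1.5", 80),                   # new connection aimed at an inside host
        Packet("tcp", "10.1.1.5", 40000, ack=True),      # reply to a session the inside opened
        Packet("udp", "192.0.2.53", 53),                 # DNS query to the bastion resolver
    ]
    print("outside forwards:", forwarded("outside", sample))
    print("inside forwards:", forwarded("inside", sample))
```

Because the inside router accepts nothing but established TCP, a new connection to an inside host is dropped even if the outside router let it through, which is the layering the three-part design relies on.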
PIX Firewalls
The Cisco Secure PIX Firewall series delivers strong security in an easy-to-install, integrated hardware/software appliance that offers outstanding performance. The series allows you to rigorously protect your internal network from the outside world—providing full firewall security protection. Unlike typical CPU-intensive full-time proxy servers that perform extensive processing on each data packet at the application level, Cisco Secure PIX Firewalls use a non-UNIX, secure, real-time, embedded system.
Cisco Secure PIX Firewall Series
Less complex and more robust than packet filters
No downtime for installation
No upgrading hosts or routers required
No day to day management requirement
Generally better performance than delivered by other appliance-like firewalls or those based on general-purpose operating systems (Unix, NT, Netware)