Designing Network Topology Week 4

Upload: candice-booker

Post on 23-Dec-2015


Network Topology

Cisco has developed several models to help network designers conceptualize

Some of the models we will look at are:
- Hierarchical
- Enterprise Campus
- Three Part Firewall
- Redundancy in Design

Overview of the Hierarchical Model

Hierarchical model lets you design the internetwork in layers (modular)

Why?
- Simplifies tasks required for two systems to communicate (like the OSI model)
- Focuses functionality to unique layers
- Assigns bandwidth appropriately to each layer
- Network management issues such as training and staff costs are controlled
- Allows for distributed modular network management

Overview of the Hierarchical Model

Benefits
- Cost savings
  - Many organizations report that this model saves them money because they are not always doing all routing/switching on one platform
  - Appropriate bandwidth per module means no wasted capacity

Overview of the Hierarchical Model

- Ease of understanding
  - Simpler and small design units facilitate understanding
  - An easier system will reduce training and staff costs
  - Different layers of the model can be assigned differing management responsibilities and management systems, thus driving down management overheads

Overview of the Hierarchical Model

- Easy network growth
  - Growth is facilitated through modules
  - As a network grows, specific modules can be replicated to handle the growth
  - The cost and complexity of making the growth is contained to only the new subset module

Compare this to a fully meshed network or flat network where everyone is a peer: dropping something in the middle necessitates a change for everything else.

Overview of the Hierarchical Model

- Improved fault isolation
  - By having limited isolation points between modules, a network manager can target and isolate failure points faster and easier.
  - Today's fast-converging protocols, such as EIGRP, are designed for hierarchical topologies.

Hierarchical Network Design Layers

- Core: High Speed Switching
- Distribution Layer: Policy Based Connectivity
- Access Layer: Local and Remote Workgroup Access

Core Layer Function

The core layer is a high-speed switching backbone and should be designed to switch packets as fast as possible. This layer of the network should not perform any packet manipulation, such as access lists and filtering, that would slow down the switching of packets.

Core Layer Should

- Fast transport
- High reliability
- Redundancy
- Fault tolerance
- Quick adaptation
- Low latency and good manageability
- Avoidance of slow packet manipulation
- Limited and consistent diameter

Distribution Layer

The distribution layer of the network is the demarcation point between the access and core layers and helps to define and differentiate the core. The purpose of this layer is to provide boundary definition and is the place at which packet manipulation can take place.

Distribution Layer Should

Implement the following functions:
- Policy and security
- Address and area aggregation
- Departmental or workgroup access
- Broadcast/multicast domain definition
- Routing between virtual LANs
- Media translations
- Redistribution between routing domains
- Demarcation between static and dynamic routing protocols

Distribution Layer

Using Cisco IOS software you can implement policy:
- Filter source or destination addresses
- Filter input and output ports
- Hide internal network numbers by route filtering
- Static routing
- Quality of Service mechanisms (can every device on the path handle the information being distributed?)

Access Layer

The access layer is the point at which local end users are allowed into the network. This layer may also use access lists or filters to further optimize the needs of a particular set of users.

Access Layer Should

- Provide users on local segments access to the network
- Be characterized by switched or shared bandwidth LANs
- Some characteristics of the access layer include:
  - High availability
  - Port security
  - ARP inspection
  - Virtual access lists
  - Trust classification

Switched Hierarchical Designs

Routed Hierarchical Designs

Enterprise Composite Model

The enterprise composite model facilitates the design of larger and more scalable networks.

The network is divided into functional components containing network modules.

The three major functional components are:
- Enterprise campus
- Enterprise edge
- Service provider edge

Enterprise Campus Modules

The modules are:
- Enterprise infrastructure
- Edge distribution
- Server farms
- Network management

Enterprise Edge Modules

- E-commerce networks
- Internet connections
- VPN and remote access
- Classic WAN

Hot Standby Router Protocol (HSRP)

Hot Standby Router Protocol provides high network availability and transparent network topology changes. HSRP creates a Hot Standby router group with a lead router that services all packets sent to the Hot Standby (phantom) address. The lead router is monitored by the other routers in the group, and if it fails, one of these standby routers inherits the lead position and the Hot Standby group address.
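The election and takeover described above, as an added example that is not part of the slides: a small model of one HSRP group in which the highest-priority router leads, and the standby inherits the lead only after the lead has been silent for the full hold time. The router names, priorities and the virtual address are constructed; the 3 s hello and 10 s hold values are the Cisco IOS HSRP defaults.

```python
from dataclasses import dataclass, field

HELLO_SECONDS = 3   # Cisco IOS HSRP default hello interval
HOLD_SECONDS = 10   # Cisco IOS HSRP default hold time


@dataclass
class Router:
    name: str
    priority: int          # highest priority wins the lead (Active) role
    alive: bool = True
    last_hello: float = 0.0


@dataclass
class HsrpGroup:
    virtual_ip: str        # the shared "phantom" address hosts use as their gateway
    routers: list = field(default_factory=list)
    now: float = 0.0

    def advance(self, seconds: float) -> None:
        """Move the clock forward; every live router sends a hello each HELLO_SECONDS."""
        end = self.now + seconds
        while self.now < end:
            self.now = min(self.now + HELLO_SECONDS, end)
            for r in self.routers:
                if r.alive:
                    r.last_hello = self.now

    def heard(self) -> list:
        """Routers whose last hello is still within the hold time."""
        return [r for r in self.routers if self.now - r.last_hello < HOLD_SECONDS]

    def active(self) -> str:
        """The lead router: highest priority among routers still being heard."""
        return max(self.heard(), key=lambda r: r.priority).name


def failover_demo() -> tuple:
    """Constructed scenario: R1 (priority 110) leads, then silently fails."""
    group = HsrpGroup("10.0.0.1", [Router("R1", 110), Router("R2", 100)])
    group.advance(HELLO_SECONDS)
    before = group.active()              # "R1": both heard, R1 has the higher priority
    group.routers[0].alive = False       # R1 stops sending hellos
    group.advance(HELLO_SECONDS)
    within_hold = group.active()         # still "R1": the hold timer has not expired
    group.advance(HOLD_SECONDS)
    after = group.active()               # "R2" inherits the lead and the virtual address
    return before, within_hold, after    # ('R1', 'R1', 'R2')
```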

Server Redundancy

- Complete server redundancy
  - Servers on different networks and power sources
  - Very expensive, but stock traders require it
- Disk mirroring: synchronizing two disks
- Disk duplexing: disk mirroring plus each disk has a different disk controller

Media Redundancy

- Mission critical requires redundant media (hardware)
- Media redundancy on the LAN
  - Relies on redundant links between switches
  - Uses spanning tree for loop avoidance
- Media redundancy on the WAN
  - Relies on backup links

Media Redundancy

- WAN backup links
  - Use different technologies for backups (ISDN)
  - Use floating static routes by specifying a higher administrative distance, so the backup won't be used unless the primary route goes down
- Beware: different carriers may actually use the same physical circuit
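The floating static route and the shared-circuit warning above, as an added example that is not from the slides: a routing table that installs, per prefix, only the usable candidate with the lowest administrative distance, so the backup is used only while the primary is down, and a second scenario where both carriers ride the same physical circuit. The prefix, next hops, interface names and circuit identifiers are constructed; AD 1 is the Cisco IOS default for a static route and 250 is a common floating-static value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    interface: str
    admin_distance: int = 1   # Cisco IOS default AD for a static route

class RoutingTable:
    """Per prefix, install only the usable candidate with the lowest AD."""
    def __init__(self, routes, circuits):
        self.candidates = list(routes)
        self.circuits = dict(circuits)   # interface -> physical circuit it rides on (constructed)
        self.link_up = {r.interface: True for r in routes}

    def set_link(self, interface: str, up: bool) -> None:
        self.link_up[interface] = up

    def circuit_failure(self, circuit: str) -> None:
        """A physical circuit fault takes down every interface riding on it."""
        for iface, c in self.circuits.items():
            if c == circuit:
                self.link_up[iface] = False

    def installed(self, prefix: str):
        usable = [r for r in self.candidates if r.prefix == prefix and self.link_up[r.interface]]
        return min(usable, key=lambda r: r.admin_distance) if usable else None

NET = "10.20.0.0/16"
PRIMARY = StaticRoute(NET, "192.0.2.1", "Serial0/0")           # leased line, AD 1
FLOATING = StaticRoute(NET, "198.51.100.1", "BRI0", 250)       # ISDN backup, AD 250

def failover_path() -> list:
    """Interfaces in use before, during and after a primary WAN outage."""
    rt = RoutingTable([PRIMARY, FLOATING], {"Serial0/0": "circuit-A", "BRI0": "circuit-B"})
    used = [rt.installed(NET).interface]
    rt.set_link("Serial0/0", False)           # primary goes down: floating route is installed
    used.append(rt.installed(NET).interface)
    rt.set_link("Serial0/0", True)            # primary returns: lower AD wins again
    used.append(rt.installed(NET).interface)
    return used                               # ['Serial0/0', 'BRI0', 'Serial0/0']

def shared_circuit_demo():
    """Both carriers unknowingly ride one physical circuit, so the backup fails with the primary."""
    rt = RoutingTable([PRIMARY, FLOATING], {"Serial0/0": "circuit-A", "BRI0": "circuit-A"})
    rt.circuit_failure("circuit-A")
    return rt.installed(NET)                  # None: no usable route at all
```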

Route Redundancy

- Provides load balancing
  - IP balances across six parallel links of equal cost
- Minimizes downtime from link failures
- Full mesh provides complete redundancy
- Partial mesh provides redundancy with lower cost and more scalability

Three Part Firewall System

Bastion Hosts

Provide the following services:
- Anonymous FTP server
- Web server
- Domain Name server
- Specialized security software
- Telnet??? In the book, on the CCDA test, but don't do it

Three-Part Firewall System Rules

The inside packet filter router should allow inbound TCP packets from established sessions

The outside packet filter router should allow inbound TCP packets from established TCP sessions

The outside packet filter router should also allow packets to specific TCP or UDP ports going to specific bastion hosts.

Rules (cont’d)

- Do not enable any unnecessary services on the outside filter router
- Turn off Telnet access (no virtual terminals)
- Use static routing only
- Do not make it a TFTP server
- Use password encryption
- Turn off proxy ARP and finger service
- Turn off IP redirects and route caching
- Do not make it a MacIP server
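The three filter rules above and the two-router path they describe, as an added example that is not from the slides: an evaluator in which the outside router admits established TCP traffic plus specific ports to specific bastion hosts, and the inside router admits established TCP traffic only. "Established" is modelled as the Cisco IOS ACL keyword does it, as a check for the ACK or RST flag rather than a connection table. The bastion addresses, the services they offer and the sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}

def established(pkt: Packet) -> bool:
    """Cisco IOS 'established' keyword semantics: TCP with ACK or RST set.
    This is a stateless flag test, not a connection table."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

# Constructed DMZ plan: which (protocol, port) each bastion host may receive from outside.
BASTION_SERVICES = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},   # web server
    "192.0.2.20": {("tcp", 21)},                 # anonymous FTP control channel
    "192.0.2.30": {("tcp", 53), ("udp", 53)},    # domain name server
}

def outside_router_permits(pkt: Packet) -> bool:
    """Outside filter: return traffic of established TCP sessions, plus the
    listed services to the listed bastion hosts; everything else is denied."""
    if established(pkt):
        return True
    return (pkt.proto, pkt.dport) in BASTION_SERVICES.get(pkt.dst, set())

def inside_router_permits(pkt: Packet) -> bool:
    """Inside filter: only established TCP return traffic may enter the inside network."""
    return established(pkt)

def traverse(pkt: Packet) -> str:
    """Walk an inbound packet through the design: outside router, DMZ, inside router."""
    if not outside_router_permits(pkt):
        return "dropped by outside router"
    if pkt.dst in BASTION_SERVICES:
        return "delivered to bastion host"
    if not inside_router_permits(pkt):
        return "dropped by inside router"
    return "delivered to inside network"

# Constructed sample traffic from an outside host (203.0.113.5) toward the DMZ and an inside host (10.1.1.50).
WEB_SYN = Packet("203.0.113.5", "192.0.2.10", "tcp", 80, frozenset({"SYN"}))
TELNET_SYN = Packet("203.0.113.5", "192.0.2.10", "tcp", 23, frozenset({"SYN"}))
DNS_QUERY = Packet("203.0.113.5", "192.0.2.30", "udp", 53)
INSIDE_SYN = Packet("203.0.113.5", "10.1.1.50", "tcp", 80, frozenset({"SYN"}))
INSIDE_REPLY = Packet("203.0.113.5", "10.1.1.50", "tcp", 49152, frozenset({"ACK"}))
```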

PIX Firewalls

The Cisco Secure PIX Firewall series delivers strong security in an easy-to-install, integrated hardware/software appliance that offers outstanding performance. The series allows you to rigorously protect your internal network from the outside world—providing full firewall security protection. Unlike typical CPU-intensive full-time proxy servers that perform extensive processing on each data packet at the application level, Cisco Secure PIX Firewalls use a non-UNIX, secure, real-time, embedded system.

Cisco Secure PIX Firewall Series

- Less complex and more robust than packet filters
- No downtime for installation
- No upgrading hosts or routers required
- No day-to-day management requirement
- Generally better performance than delivered by other appliance-like firewalls or those based on general-purpose operating systems (Unix, NT, NetWare)