
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

CCNA Discovery 4.0 Designing and Supporting Computer Networks

Creating the Network Design, Chapter 5

Objectives

Analyzing Business Goals and Technical Requirements

Determining how to design a network to meet business goals is a multistep process. The designer usually follows these steps:

Step 1: List the business goals that must be met by the new design.

Step 2: Determine what changes or additions are necessary for the business to meet its goals.

Step 3: Decide what technical requirements are necessary to implement each change.

Step 4: Determine how the design can address each of the technical requirements.

Step 5: Decide which design elements must be present in the final design.

Dealing with Constraints

The Design Requirements document includes a list of constraints. Usually, when constraints affect the design, compromises must be made. The network designer explores all possible alternatives and selects the best ones to include in the design.

Making Tradeoffs

A tradeoff is an exchange of one benefit or advantage for another benefit that is determined to be more desirable. Network design constraints often force tradeoffs between the ideal design and a design that is realistically achievable.

Tradeoffs between the benefits of an ideal solution and the reality of cost or time constraints are common. It is the job of the designer to minimize the effects of these tradeoffs on the main goals of scalability, availability, security, and manageability.

An example of a tradeoff in the stadium network design is a budget limitation that prevents a connection to a secondary Internet service provider (ISP). Because of this limitation, an alternative strategy must be designed to meet the availability requirements for the ecommerce servers.


Requirements for Scalability

The stadium management anticipates significant growth in certain areas of the network. They do not expect the number of wired connections to increase rapidly. The stadium management plans to add at least two new remote office sites. This expansion increases the number of users by 50 percent, to approximately 750 users.

The scalability requirements received from the stadium management are significant:

50 percent increase in the number of total users (LAN and WAN)

75 percent increase in the number of wireless users

75 percent increase in the number of online transactions serviced by the stadium ecommerce servers

100 percent increase in the number of remote sites

Addition of IP phones, and the incorporation of the video network, adding 350 end devices

Figure: planned wireless AP and existing wireless AP locations.

To support this rapid growth, the network designer develops a strategy to enable the network to scale effectively and easily. Included in the strategy are the following recommendations:

Design Access Layer modules that can be added as necessary without affecting the design of the Distribution and Core Layers.

Use expandable, modular equipment or clustered devices that can be easily upgraded to increase capabilities.

Choose routers or multilayer switches to limit broadcasts and filter other undesirable traffic from the network.

Plan to use multiple links between equipment, using either EtherChannel or equal cost load balancing, to increase bandwidth.

Create an IP address strategy that is hierarchical and that supports summarization.

When possible, keep VLANs local to the wiring closet.

Requirements for Availability

On the stadium network, the planned ecommerce, security, and IP telephony systems rely on the underlying network being available 24 hours a day, 7 days a week.

Incomplete website transactions can cause the stadium management to lose revenue. If the security monitoring becomes unavailable, the safety of the stadium customers can be endangered. In the event that the telephone system is down, vital communications are lost.

The network designer must develop a strategy for availability that provides the maximum protection from failure and that is not too expensive to implement. To provide the nearly 100 percent uptime requirement of the network applications, the designer must implement high availability and redundancy characteristics in the new design.


Availability for Ecommerce

An unreliable website can quickly become a support problem and even discourage customers from making transactions. To ensure reliability for ecommerce, use the following recommended practices:

Dual connect the servers on two different Access Layer switches.

Provide redundant connections at the Distribution Layer.

Provide secondary DNS servers colocated at the ISP.

Include additional monitoring locally and through the Internet for devices in the critical path.

Where possible, include redundant modules and power supplies in critical pieces of equipment.

Provide UPS and generator power backup.

Choose a routing protocol strategy that ensures fast convergence and reliable operation.

Investigate options to provide an additional Internet service provider (ISP) or redundant connectivity to the single ISP.


The Security Monitoring System

The servers that maintain the video files and the security management software have the same availability requirements as the ecommerce servers. The following additional measures are needed for the cameras and surveillance equipment:

Redundant cameras in critical areas that are connected to separate switches to limit the effect of a failure

Power over Ethernet (PoE) to the cameras, with UPS and/or generator backup

The IP Telephone System

Although the installation of the new IP telephone system is outside the scope of this network design project, it is still necessary for the network designer to consider the availability requirements in the design. The designer focuses on the following requirements for providing redundancy and high availability on the Access Layer switches:

Implement Layer 3 connectivity between the Access Layer and Distribution Layer devices when possible.

Provide redundant power and UPS backup.

Create redundant paths from the Access Layer to the Core Layer.

Reduce the size of failure domains.

When possible, select equipment that can support redundant components.

Use a fast-converging routing protocol, such as EIGRP.


Requirements for Network Performance

Converged networks, such as the network being designed for the stadium, carry a combination of data, voice, and video traffic. Each type of traffic has unique service requirements.

Characteristic features of applications on a typical converged network include:

Packets of various sizes

Distinct sets of protocols

Different tolerances to delay and jitter

Sometimes the service requirements of one application conflict with the service requirements of another, resulting in performance problems. When this situation occurs, frustrated users call the help desk to report that their application is slow.

Even skilled, experienced IT professionals struggle to maintain high application performance. Deploying new applications and services without disrupting existing ones is difficult.

On the new stadium network, three applications have specific performance requirements that must be addressed:

Transaction Processing

Video Distribution and Monitoring

IP Telephone Voice Quality

The network designer creates a list of the design goals and considerations that could affect the performance of these high priority applications.

Goal: Improve transaction processing time to less than 3 seconds.

Reduce the network diameter.

Restrict unwanted traffic and broadcasts.

Provide high bandwidth paths to key servers.

Recommend additional high speed storage or content servers.

Goal: Provide high quality voice and streaming video.

Design VLAN and traffic classification strategy.

Keep the paths from server to endpoints short.

Reduce the number of times traffic is filtered or processed.

Increase WAN site bandwidth and improve connectivity.

Determine QoS strategy and traffic priorities.

Identify areas where bottlenecks might occur and deploy a QoS strategy.

Requirements for Security

Security is the one area of network design where tradeoffs should not be made. Although it may be necessary to find lower cost or less streamlined ways to provide a secure network, it is never acceptable to disregard security in order to add other network capabilities.

A network risk assessment identifies the areas where a network is most vulnerable. Networks that contain highly confidential or critical information often have unique security considerations. Organizations do risk assessments as part of their overall business continuity and disaster recovery planning.

Most networks benefit from standard recommended practices when it comes to deploying security. Recommended security practices include:

Use firewalls to separate all levels of the secured corporate network from other unsecured networks, such as the Internet. Configure firewalls to monitor and control the traffic, based on a written security policy.

Create secured communications by using VPNs to encrypt information before it is sent through third party or unprotected networks.

Prevent network intrusions and attacks by deploying intrusion prevention systems. These systems scan the network for harmful or malicious behavior and alert network managers.

Control Internet threats by employing defenses to protect content and users from viruses, spyware, and spam.

Manage endpoint security to protect the network by verifying the identity of each user before granting access.

Ensure that physical security measures are in place to prevent unauthorized access to network devices and facilities.

Secure wireless APs and deploy wireless management solutions.


Making Network Design Tradeoffs

After the network designer lists all the elements that need to be present in the stadium upgrade design, some hard decisions must be made. Unfortunately, few networks can be designed without considering:

The cost of the network

The difficulty of implementation

The future support requirements

The Stadium Company has placed some constraints on the network upgrade that require the designer to evaluate different design options. It may be necessary to make tradeoffs in some areas to accommodate these constraints.

The primary business goal of the Stadium Company is to improve the atmosphere and safety for the thousands of people who attend stadium events. Network improvements that directly affect how the network supports this goal must be a top priority for the designer when making design tradeoffs.

Supporting the business goals may lead to decisions that eliminate or complicate other desirable or necessary improvements. For example, adding wireless access to improve the customer experience in the luxury boxes and restaurant may decrease server security unless the guest access is isolated from the internal network.


Designing an Access Layer Topology

Access Layer Requirements

The designer creates the following list of Access Layer network requirements for the new network:

Provide connectivity for existing network devices and add wireless access and IP telephones.

Create VLANs to separate voice, security surveillance monitoring, wireless access, and normal data devices.

Restrict VLANs to wiring closets, with the exception of the wireless VLAN, to support future roaming requirements.

Provide redundant links to the Distribution Layer network.

Use the 16 existing 2960 switches where possible.

Provide Power over Ethernet (PoE) to IP phones and wireless access points, if possible.

Provide QoS classification and marking capabilities.

An increase in the number of hosts does not always necessitate an equal increase in the number of devices and ports. For example, IP phones and other devices include an embedded switch that permits a PC to be plugged directly into the phone. This switch reduces the number of ports needed in the wiring closet to connect the additional devices. Assuming that over 50 percent of the IP phones also connect PC devices, adding more data connections may not require the addition of a new switch to the wiring closet.

IP phones have three ports:

Port 1 is an external port that connects to the switch or another VoIP device.

Port 2 is an internal 10/100 interface that carries the IP phone traffic.

Port 3 is an external access port that connects to a PC or another device.

The 16 existing 2960 switches are to be used in the Access Layer to provide end user connectivity. The network designer must ensure that the 2960 switch is suitable for the new network.

2960 Switch Capabilities

These switches are fixed configuration 10/100 Ethernet switches with two 10/100/1000 uplink ports. The 2960 can support most of the following requirements of the Access Layer network:

Scalability: The 2960 supports Cisco switch clustering; therefore, new switches can easily be added to support additional connectivity.

Availability: The 2960 supports redundant power supplies. Redundant switch management is available when the switches are configured in a cluster. Two switches can be configured as the command switches. If one fails, the rest of the cluster can still function. Classification and marking capabilities are also available in this model.

Security: Port security and other switch security options are available.

Manageability: The switches support Simple Network Management Protocol (SNMP). They can be managed in band and out of band. The 2960 supports the standard Cisco IOS software command set, as well as Cisco Network Assistant GUI configuration and management tools.


Limitations of the Existing Equipment

The 2960 switch has certain limitations in the new network design. The current 2960 switches in the stadium network need additional transceivers to support the fiber uplinks. Because only two fiber connections are available to each wiring closet, multiple 2960 switches must be clustered to share the uplinks. The 2960 is a Layer 2 switch; therefore, the network designer is limited to providing Layer 2 functionality at the Access Layer.

Power Requirements

Although the 2960 switch does not support PoE, it does support voice VLAN capability. It may be necessary to use powered patch panels to provide power to the IP phones until the switches are replaced in the future.

UPS units provide backup power for the switches and the powered patch panels. The designer recommends the purchase of a generator to provide power to critical areas of the Access Layer.


Designing Distribution Layer Topology

Distribution Layer Requirements

The network designer creates the following list of Distribution Layer requirements for the new network:

Provide redundant components and links to minimize the effect of a failure.

Support high density routing. Each of the 16 wiring closets in the stadium may eventually have more than one uplink to the Distribution Layer switches.

Provide traffic filtering capabilities.

Implement QoS mechanisms.

Provide high bandwidth connectivity.

Implement a fast converging routing protocol.

Aggregate traffic and perform route summarization.

Multilayer switches are an appropriate choice for meeting these requirements. They provide high port density and support the necessary routing capabilities. The Distribution Layer design includes connectivity for the LAN users, server farm, and enterprise edge distribution. Six multilayer switches need to be purchased to provide the required support.

Design Constraints

The limited amount of fiber connectivity to the wiring closets is the only design constraint that limits the Distribution Layer. The two fiber pairs that connect the wiring closets limit the number of switches that can be redundantly connected to the Distribution Layer equipment. Because all of the fiber terminates in a central location, much of the Distribution Layer equipment must be installed in the new data center.

Multilayer Switch Capabilities

Using multilayer switches at the Distribution Layer meets the stadium design technical requirements:

Scalability: The modular multilayer switches support additional fiber and copper ports. Using routing at the Distribution Layer avoids many Layer 2 Spanning Tree Protocol (STP) reconfiguration issues. New switch blocks can be added without affecting the existing topology.

Availability: The midrange multilayer switches support redundant power supplies and fans. More importantly, they support redundant management modules and fast failover technology. If one management module fails, the secondary module takes over, with no perceptible loss of connectivity. The Layer 3 switched design makes the best use of network links by efficient load balancing of the routed traffic. Routing protocols can be configured to converge as fast as STP or faster. Route summarization can occur at the Distribution Layer, reducing the impact of an Access Layer device or link failure on the Core Layer routing.

Security: Access list filtering, port security, and firewall feature sets are available on the multilayer switch Cisco IOS. Additional security features prevent unauthorized or unwanted network traffic.

Manageability: The switches support SNMP. They can be managed both in band and out of band.

Designing Core Layer Topology

The Core Layer of the stadium LAN must provide high speed connectivity and high availability. Both the local and remote stadium networks depend on the Core switches for connectivity.

Core Layer Requirements

Design requirements for the Core Layer network include:

High speed connectivity to the Distribution Layer switches

24x7 availability

Routed interconnections between Core devices

High speed redundant links between Core switches and between the Core and Distribution Layer devices

The Core Layer design requires high speed, lower density, multilayer switching. In the new design, the Core Layer network for the stadium can be implemented on two powerful multilayer switches.

The Core Layer is reserved for high speed traffic switching; therefore, little or no packet filtering is done at this layer.

In a small business environment, the Distribution and the Core Layers are frequently combined. This may be referred to as a collapsed Core or a collapsed backbone.

High Availability

The top priority at the Core Layer of the network is high availability. The network designer needs to consider any measures that can be taken to improve reliability and uptime.

Redundant links between the Core Layer and the Distribution Layer should be established. Installing redundant components and taking additional measures to provide redundant air conditioning, power, and services to the Core Layer devices should be implemented wherever possible.

Using a Layer 3 routing protocol such as EIGRP or OSPF at the Core Layer can decrease the time it takes to recover from a link failure. Routed connections between the Core Layer switches can provide equal cost load balancing as well as rapid recovery.

Speed

The next priority at the Core Layer is speed. Almost all of the stadium network traffic must travel through the Core Layer devices. High speed interfaces, fiber connectivity, and technologies such as EtherChannel can provide enough bandwidth to support the traffic level and let the network grow in the future.


Creating the Logical Network Diagram for the WAN

Creating the Logical LAN Diagram

The final step in the preliminary LAN network design is to create the logical diagram for the new stadium network. This diagram shows how all of the various layers and devices interconnect.

In the new stadium LAN, each of the 16 wiring closets contains at least one 2960 switch. Because there are three distinct modules in the stadium network, six Distribution Layer switches aggregate and route traffic between the Access Layer and the Core Layer.

The Core Layer consists of two high end multilayer switches with redundancy. They are connected to the Distribution Layer and to each other with gigabit links.

The network designer makes notes on the network diagram to indicate where the servers and IP services are located. After completing the wired campus LAN design, the designer then plans the portion of the network that supports remote connectivity into the stadium LAN.
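The logical LAN just described (two Core switches, six Distribution switches, 16 wiring closets with two fibre uplinks each, ecommerce servers dual connected to two Access Layer switches) checked for single points of failure, as an added example in Python that is not part of the CCNA Discovery deck. Every device name and link is constructed, and the split of closets across two Distribution pairs is an assumption.

```python
"""Single point of failure check for the stadium logical LAN topology.

Added example (not from the CCNA Discovery deck). The shape follows the
deck's description (2 Core, 6 Distribution, 16 closets, dual-connected
ecommerce servers); all names, links and the closet-to-pair assignment
are constructed for illustration.
"""
from collections import defaultdict, deque


def build_stadium_topology(dual_homed_closets: bool = True) -> dict:
    """Return an undirected adjacency map {node: set(neighbours)}.

    dual_homed_closets=False models closets that use only one of their
    two fibre uplinks, the weaker design the check should flag."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    cores = ["core-1", "core-2"]
    link("core-1", "core-2")  # redundant gigabit link between Core switches
    # Six Distribution switches in three pairs (one pair per module), each
    # connected to both Core switches and to its partner.
    dists = [f"dist-{i}" for i in range(1, 7)]
    for d in dists:
        for c in cores:
            link(d, c)
    for i in range(0, 6, 2):
        link(dists[i], dists[i + 1])
    # 16 wiring closets spread over the two LAN-user Distribution pairs
    # (assumed: closets 1-8 on dist-1/dist-2, closets 9-16 on dist-3/dist-4).
    for n in range(16):
        pair = (dists[0], dists[1]) if n < 8 else (dists[2], dists[3])
        link(f"closet-{n + 1}", pair[0])
        if dual_homed_closets:
            link(f"closet-{n + 1}", pair[1])
    # Server farm module on dist-5/dist-6; the ecommerce server is dual
    # connected to two different Access Layer switches, as the deck advises.
    for sw in ("srv-access-1", "srv-access-2"):
        link(sw, dists[4])
        link(sw, dists[5])
        link("ecommerce-server", sw)
    return dict(adj)


def reachable(adj: dict, start: str, removed: set) -> set:
    """Breadth-first search with the given devices taken out of service."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(adj: dict, target: str = "ecommerce-server") -> dict:
    """Map each single infrastructure device failure to the closets it
    cuts off from target; an empty result means no such failure exists."""
    closets = sorted(n for n in adj if n.startswith("closet-"))
    spof = {}
    for dev in adj:
        if dev == target or dev.startswith("closet-"):
            continue
        still_ok = reachable(adj, target, {dev})
        lost = [c for c in closets if c not in still_ok]
        if lost:
            spof[dev] = lost
    return spof


if __name__ == "__main__":
    print("dual-homed closets:", single_points_of_failure(build_stadium_topology()))
    weak = build_stadium_topology(dual_homed_closets=False)
    for dev, lost in single_points_of_failure(weak).items():
        print(f"single-homed closets: losing {dev} isolates {len(lost)} closets")
```

The same walk can be repeated with a set of several devices in `removed` to size the failure domain of a whole wiring closet pair or power circuit.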


Determining Connectivity for the Remote Sites

At the enterprise edge, the stadium network connects to the Internet via DSL provided by a local ISP. ISP managed routers are located at the stadium, connected to the Edge Router of the Stadium Company.

Extending Services to Remote Locations

The two existing remote locations, a ticketing office located in the downtown area and a souvenir shop in a local shopping mall, use the same ISP as the main stadium site. The ISP also provides a managed VPN service to them. These connections provide the remote sites with access to the databases located on servers in the stadium management offices.

One of the high priority goals of the new stadium network is to extend the voice and video network to the remote locations. There are two additional remote connections planned:

A film production company, hired to provide video during and after events, needs to connect to the stadium network to exchange files.

A sports team that currently leases space in the stadium is expanding to a remote office location. The team needs access to the same network resources that it uses on the stadium LAN.


Adding New WAN Connections

The network designer realizes that dedicated WAN connections are required to meet these new goals. An RFQ is sent to the Telecommunications Service Providers (TSPs) in the area to determine the cost and availability of WAN services.

Because the stadium is located outside the city limits, the choices for WAN connectivity are limited to point to point T1 and Frame Relay. These services are available to both the stadium and the remote locations through a local TSP.

Although the point to point T1 service offers the most control over the quality of service available to the WAN sites, the Frame Relay service is less expensive. The network designer recommends that the stadium use Frame Relay to connect to the remote sites until a Metro Ethernet or other high speed service becomes available in the area.


An advantage of using a Frame Relay connection over point to point T1 connections is that a single physical connection to the TSP can provide connectivity from the stadium to multiple remote site locations.

Frame Relay Connection Types

Frame Relay networks transfer data using one of these two connection types:

Switched Virtual Circuits (SVCs) are temporary connections created for each data transfer and then terminated when the data transfer is complete.

Permanent Virtual Circuits (PVCs) are permanent connections. This type of connection is to be provided between the stadium network and the remote WAN sites.

After discussions with stadium management, the Networking Company staff decides to install a Frame Relay connection from the stadium to the souvenir shop as a pilot to test the dedicated WAN connectivity.


Defining Traffic Patterns and Application Support

Network Services for Remote Sites

When determining the physical method for connecting the remote sites to the main stadium network, the network designer must also analyze how workers at the remote sites expect to use the network services. The remote sites have some applications in common and some requirements that are unique. Services needed by the remote sites include:

Access to the ecommerce and database services

IP telephony

Video surveillance and monitoring

In addition, the new remote team office requires access to the team payroll and accounting server located at the stadium.

The Film Company employees need to be able to remotely monitor the video screens throughout the stadium and transfer video files to the stadium web servers.

The designer makes a chart of the traffic flows from each WAN connection through the network to the various service locations.


Designing VPN and Endpoint Connectivity Options

Backing Up the Frame Relay Link

The ticket sales office and the souvenir shop connect back to the stadium network using site to site VPNs through the Internet. The routers at the stadium and remote sites that provide endpoints for each VPN are owned and managed by the ISP. The network designer plans to use these VPN connections as a backup to the Frame Relay dedicated connections, in the event that the Frame Relay link fails. The designer recommends a backup link from each of the two new sites as well. A second edge router at the main site is planned for redundancy.

Supporting Remote Workers

The stadium management would also like to support remote workers who occasionally work from home or from other remote sites. The sports team personnel, for example, need to be able to access the team server securely when traveling. Client VPN access can be provided through the same ISP managed service. The designer recommends that the stadium management investigate this option. They agree to contact the ISP to discuss the upgrade.


Creating the Logical Network Design for the WAN

Routing and IP Addressing

In the existing network, the WAN sites use only the VPN to connect back to the stadium. Simple static routes are sufficient to ensure connectivity. DHCP addressing is provided to the remote site LANs by the ISP managed services router.

Providing both VPN and dedicated WAN connections to each site requires that the network designer carefully choose the IP address ranges that are used for each site. It may be necessary to change the address ranges for the remote sites.

The addition of the new WAN connection to each of the sites increases the number of possible paths to the stadium network from one to two. As a result, static routing may not be the best method used to ensure connectivity to the services on the stadium LAN. It may be necessary to use a dynamic routing protocol to enable the remote LANs to maintain connectivity in the event of a Frame Relay link failure. The network designer makes a note of this, so that it is considered when the stadium routing protocol implementation is designed.
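The hierarchical, summarizable address strategy called for under scalability and at the Distribution Layer, together with the remote-site address-range problem just described, worked through as an added example in Python (not from the CCNA Discovery deck). The block size, per-closet carving, and every prefix and site name are constructed for illustration, not the stadium's real addressing.

```python
"""Hierarchical address plan, summary routes and overlap check.

Added example (not from the CCNA Discovery deck). All prefixes are
constructed RFC 1918 values chosen to show the design rules.
"""
from ipaddress import IPv4Network, ip_network
from itertools import combinations

# Per-closet VLAN roles from the Access Layer requirements. The wireless
# VLAN spans the campus for roaming, so it is not carved per closet here.
CLOSET_VLANS = ("data", "voice", "surveillance")


def build_block_plan(block: str, closets: int) -> dict:
    """Carve one Distribution block (assumed a /18) into per-closet /22s,
    each holding one /24 per VLAN role; the fourth /24 in every /22 stays
    spare for growth. Returns {closet_name: {role: IPv4Network}}."""
    closet_nets = list(ip_network(block).subnets(new_prefix=22))
    if closets > len(closet_nets):
        raise ValueError(f"{block} holds only {len(closet_nets)} closets")
    plan = {}
    for idx in range(closets):
        vlan_nets = list(closet_nets[idx].subnets(new_prefix=24))
        plan[f"closet-{idx + 1}"] = dict(zip(CLOSET_VLANS, vlan_nets))
    return plan


def leaf_subnets(plan: dict) -> list:
    """Flatten a block plan into the list of VLAN subnets it contains."""
    return [net for vlans in plan.values() for net in vlans.values()]


def summary_route(subnets) -> IPv4Network:
    """Smallest single prefix covering every subnet: what a Distribution
    switch would advertise to the Core if it summarizes this block."""
    nets = [ip_network(str(s)) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def find_overlaps(ranges: dict) -> list:
    """Pairs of site names whose address ranges overlap. With both a VPN
    and a Frame Relay path into the stadium, an overlap leaves no
    unambiguous route to either site."""
    nets = {name: ip_network(str(r)) for name, r in ranges.items()}
    return sorted(
        (a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )


if __name__ == "__main__":
    block_a = build_block_plan("10.1.0.0/18", closets=6)
    for closet, vlans in block_a.items():
        print(closet, {role: str(net) for role, net in vlans.items()})
    # Six closets in use fit in 10.1.0.0/19; advertising the whole planned
    # /18 instead keeps the Core's table unchanged as closets are added.
    print("minimal summary:", summary_route(leaf_subnets(block_a)))  # 10.1.0.0/19
    # A closet carved from another block's space breaks the hierarchy: the
    # only single prefix covering it is far larger than the block itself.
    leaked = leaf_subnets(block_a) + ["10.2.4.0/24"]
    print("leaked summary:", summary_route(leaked))  # 10.0.0.0/14
    # Constructed remote-site ranges: both existing sites kept the ISP
    # router's default DHCP range, which a VPN-only design tolerated.
    sites = {
        "stadium-block-a": "10.1.0.0/18",
        "ticket-office": "192.168.1.0/24",
        "souvenir-shop": "192.168.1.0/24",
    }
    print("overlapping sites:", find_overlaps(sites))
```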


Designing Coverage Options and Mobility

Adding Wireless Network Coverage

A primary goal of the new design is to add wireless network coverage to the network.

In response to requests from the local media, the stadium management added an inexpensive wireless AP to provide wireless Internet in the press box. Some employees also purchased wireless access routers, providing low grade wireless coverage in the team offices. These types of devices are not robust enough for an enterprise LAN wireless implementation.

    Wireless Network Coverage

    To meet the goals for the new stadium network design, wireless coverage is necessary in four identified areas:

    Press box

    Team lounge areas

    Stadium restaurant

    Luxury suites located around the stadium

    The two existing wireless APs need to be replaced with more manageable devices. Some areas require guest wireless access.

    Unified Wireless and Wired Solutions

    Integration of the new wireless network with the wired stadium LAN simplifies management and makes use of the security and redundancy of the Ethernet infrastructure.

    Standalone APs connected to the Ethernet switches in the wiring closet can provide the necessary wireless coverage to the four previously identified areas in the stadium. Limited wireless roaming can be supported by creating wireless VLANs that span the network and wireless coverage areas that overlap.

    Although this solution meets the current stadium network goals, the network designer recommends that the stadium purchase Lightweight Access Points (LAPs) and wireless LAN controllers to support the wireless requirements. LAPs are not standalone devices; they rely on the wireless controller for configuration and security information.

    Unified wireless network solutions that include wireless control system software offer advanced features, such as centralized management and multiple service levels for different user and client types. These systems allow different levels of QoS and security for different types of wireless use.

    The wireless solution proposed by the network designer meets the following requirements for the stadium network upgrade:

    Scalability: New LAPs can be added easily and managed centrally.

    Availability: APs can automatically increase their signal strength if one AP fails.

    Security: Enterprise wide security policies apply to all layers of a wireless network, from the radio layer through the MAC Layer and into the Network Layer. This solution makes it easier to provide uniformly enforced security, QoS, and user policies. These policies address the specific capabilities of different classes of devices, such as handheld scanners, PDAs, and notebook computers. Security policies also provide discovery and mitigation of DoS attacks, and detection and denial of rogue APs. These functions occur across an entire managed WLAN.

    Manageability: The solution provides dynamic, system wide RF management, including features that aid smooth wireless operations, such as dynamic channel assignment, transmit power control, and load balancing. The single graphical interface for enterprise wide policies includes VLANs, security, and QoS.

    The results of the stadium wireless site survey indicate that the restaurant requires at least two APs to provide high quality wireless coverage.

    The network designer determines that to contain the wireless signal within the restaurant, it is best to mount directional APs against the two outside walls.

    The site survey did not uncover any issues that would cause wireless interference within the eating areas. However, the kitchen area microwave oven may cause interference near the bar.

    Each of the 20 luxury suites located around the stadium requires a single, ceiling mounted, low power AP in the center of the room.

    The press box currently has a single standalone AP that does not have adequate coverage. Two new lightweight APs are recommended.

    Redundancy and Resiliency in a Wireless Network

    Availability Considerations

    The availability of a wireless connection is dependent on the following factors:

    Location of the AP

    Signal strength of the AP

    Number of users sharing the AP connectivity

    Wireless networks using standalone APs usually have the APs configured and deployed with the channel and power statically set. The channel and power settings are determined by the network designer.

    Dynamic Reconfiguration

    In contrast to the autonomous APs, wireless LAN controllers automatically determine the signal strength that exists between lightweight APs within the same network. These controllers can use this information to create a dynamic, optimal RF topology for the network.

    When a Cisco LAP boots, it immediately looks for a wireless LAN controller within the network. When it detects a wireless LAN controller, the AP sends out encrypted neighbor messages that include the MAC address and signal strength of any neighboring APs.

    Centralization Load Balances Users

    Through encrypted over the air messages, Cisco wireless LAN controllers detect the entire network. These controllers also detect signal strength between APs. When a client looks for an AP to connect to, a probe is sent to the controller from each AP that hears the request from the client. The controller determines which AP responds to the request from the client, taking into account the signal strength of the client and the signal to noise ratio.

    For example, an adjacent AP may provide an equivalent service but at a lower signal strength. The controller determines which AP should respond to the probe from the client, based on its signal strength, or Received Signal Strength Indicator (RSSI).

    These measures improve the availability of wireless services within the WLAN. Wireless controllers centrally located in the data center benefit from the high availability and redundant connections contained in the wired LAN.

    Creating the Logical Network Design for a WAN

    IP Addressing in a WLAN

    The network designer must also consider the IP addressing structure when planning wireless roaming in a WLAN. In the case of standalone APs, a single VLAN is created and extended to all of the wiring closets to connect the APs in the same Layer 3 IP network. However, if a large number of wireless users connect to the network, broadcasts become a problem. The network is no longer scalable.

    Layer 3 Roaming

    When using the wireless controllers and lightweight APs, Layer 3 roaming can be introduced into a network. It is not necessary to extend VLANs to all of the APs in the network to keep a flat wireless subnet.

    With the wireless controller, the lightweight APs are installed in the normal subnet infrastructure and are given an IP address that is local to the subnet to which they are deployed. All traffic that comes from wireless clients is placed into a packet that is tunneled through the underlying network to the wireless LAN controller.

    Placing Security Functions and Appliances

    Threats to networks can come in many different forms, and from both internal and external sources. Simply placing a firewall at the enterprise edge does not ensure network security. The network designer must identify which data and communications are at risk and what the potential sources of attacks are. Security services then need to be placed at appropriate points throughout the network design to prevent likely attacks.

    The ecommerce servers on the stadium network contain customer information that may include credit card and banking details. Users access these servers from within the stadium network and through the Internet.

    The stadium management and team administrative servers contain personnel and payroll information. These servers, and the infrastructure that transports the data they contain, must be secured adequately to protect this information from unauthorized use.

    Security measures relating to the stadium wireless network need to be considered as well.

    Security services help protect the devices and the network from intrusion, tampering, altering of data, and disruption of services through Denial of Service (DoS) attacks. The primary categories of security services include:

    Infrastructure protection

    Secure connectivity

    Threat detection, defense, and mitigation

    Infrastructure Protection

    Network security begins with securing the network devices themselves. This involves securing Cisco IOS software based routers, switches, and appliances from direct as well as indirect attacks. This protection helps to ensure availability of the network for data transport.

    Secure Connectivity

    It is critical to prevent unauthorized users from accessing the network. This can be done by ensuring that the physical network is secure, and by requiring authentication to gain access to wireless services.

    Threat Detection, Defense, and Mitigation

    Firewalls, IDS, IPS, and ACLs provide protection from threats and attackers. ACLs and firewall rules filter traffic to permit only desirable traffic through the network.

    Implementing Security Services

    Security services are not effective if they are not implemented at the correct locations throughout the network. Firewalls and filters placed at the enterprise edge do not protect servers from attacks from within the LAN. The network designer analyzes the traffic flow diagrams that were created earlier, which show:

    Resources that are accessed by internal users

    Resources that are accessed by external users

    Paths that this access takes through the network

    Using Integrated Services

    Wherever possible, the network designer uses integrated services, such as IOS based firewall features and IDS modules, to eliminate the need for additional security devices. In a larger network, it is necessary to use separate devices because the additional processing can cause routers and switches to become overloaded.

    Implementing Access Control Lists and Filters

    The network designer works with the stadium IT staff to define the firewall rule sets to be implemented in the stadium network upgrade.

    Examples of firewall rule sets include these statements:

    Deny all inbound traffic with network addresses matching internal registered IP addresses: Inbound traffic should not originate from network addresses matching internal addresses.

    Deny all inbound traffic to server external addresses: This rule includes denying server translated addresses, with the exception of permitted ports.

    Deny all inbound ICMP echo request traffic: This rule prevents internal network hosts from receiving ping requests generated from outside the trusted network.

    Deny all inbound Microsoft Domain Local Broadcasts, Active Directory, and SQL server ports: Microsoft domain traffic should be carried over VPN connections.

    Allow DNS (UDP 53) to DNS server: Permit external DNS lookups.

    Allow web traffic (TCP 80/443) from any external address to the web server address range.

    Allow traffic (TCP 21) to FTP server address ranges: If FTP services are provided to external users, this rule permits access to the FTP server. As a reminder, when using FTP services, user account and password information is transmitted in clear text. Use of passive FTP (PASV) negotiates a random data port versus the use of TCP port 20.

    Allow traffic (TCP 25) to SMTP server: Permit external SMTP users and servers access to the internal SMTP mail server.

    Allow traffic (TCP 143) to internal IMAP server: Permit external IMAP clients access to the internal IMAP server.

    The security policies of the stadium management dictate user and group permissions to resources. The designer also complies with the recommended practices defined by the server operating system vendors. These practices help to identify and filter traffic that is known to be malicious.

    When designing firewall rule sets and ACLs, the general policy is to deny all traffic that is either not specifically authorized or is not in response to a permitted inquiry.

    Rule Sets and Access Control Lists

    Firewall rule sets are used to create the ACL statements that are implemented on the routers and firewall appliances. Each firewall rule set may require more than one ACL statement and may require both inbound and outbound placement.
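How a subset of the inbound rule set above turns into ordered ACL entries, as an added example that is not part of the course: it evaluates sample packets with first-match semantics and the explicit default deny, and renders the entries as IOS-style extended ACL lines for an ACL applied inbound on the Internet-facing interface. The internal range, DNS server and web range are constructed from RFC 5737 documentation space and are assumptions; the single web rule set becomes two ACL entries (80 and 443), and replies to permitted inquiries would need a stateful feature that this plain ACL model does not include.

```python
# Added example (not the course's own material): evaluate the stadium inbound
# firewall rule set with first-match ACL semantics and render it as IOS-style
# extended ACL lines. Address ranges are constructed from RFC 5737 documentation
# space; the internal range, DNS server and web range are assumptions.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("192.168.0.0/16")     # assumed internal (registered) addresses
DNS_SERVER = ip_network("203.0.113.10/32")  # assumed DNS server
WEB_RANGE = ip_network("203.0.113.16/28")   # assumed web server address range

# (action, protocol, source, destination, dest port or None, icmp type or None, note)
# Order matters: entries are evaluated top down and the first match wins.
# The last entry states the "deny everything not explicitly authorized" policy.
INBOUND = [
    ("deny",   "ip",   INTERNAL, ANY,        None, None,   "anti-spoofing"),
    ("deny",   "icmp", ANY,      ANY,        None, "echo", "no inbound ping requests"),
    ("permit", "udp",  ANY,      DNS_SERVER, 53,   None,   "external DNS lookups"),
    ("permit", "tcp",  ANY,      WEB_RANGE,  80,   None,   "web"),
    ("permit", "tcp",  ANY,      WEB_RANGE,  443,  None,   "web (TLS)"),
    ("deny",   "ip",   ANY,      ANY,        None, None,   "default deny"),
]

def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, note) of the first entry that matches the packet."""
    for action, aproto, asrc, adst, aport, atype, note in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if ip_address(src) not in asrc or ip_address(dst) not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        if atype is not None and atype != icmp_type:
            continue
        return action, note
    return "deny", "implicit deny"   # routers deny when no entry matches

def to_ios(acl, number=101):
    """Render entries as IOS-style numbered extended ACL lines (wildcard masks)."""
    def net(n):
        if n.prefixlen == 0:
            return "any"
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.hostmask}"
    lines = []
    for action, proto, src, dst, dport, icmp_type, _ in acl:
        line = f"access-list {number} {action} {proto} {net(src)} {net(dst)}"
        if dport is not None:
            line += f" eq {dport}"
        if icmp_type is not None:
            line += f" {icmp_type}"
        lines.append(line)
    return lines
```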

    Updating the Logical Network Design Documentation

    The design documentation includes all firewall rule sets and ACLs and defines where they are implemented. Rule set statements become part of the stadium management security policy documentation.

    Documenting the firewall rule sets and the ACL placement offers these benefits:

    Provides evidence that the security policy is implemented on the network

    Ensures that when changes are necessary, all instances of a permit or deny condition are known and evaluated

    Assists in troubleshooting problems with access to applications or segments of the network
