Designing Network Topology Week 4

Network Topology
Cisco has developed several models to help network designers conceptualize
Some of the models we will look at are:
- Hierarchical
- Enterprise Campus
- Three Part Firewall
- Redundancy in Design

Overview of the Hierarchical Model
- Hierarchical model lets you design the internetwork in layers (modular)
- Why?
  - Simplifies tasks required for two systems to communicate (like the OSI model)
  - Focuses functionality to unique layers
  - Assigns bandwidth appropriately to each layer
  - Network management issues such as training and staff costs are controlled
  - Allows for distributed modular network management

Overview of the Hierarchical Model
Benefits
- Cost savings
  - Many organizations report that this model saves them money because they are not always doing all routing/switching on one platform
  - Appropriate bandwidth per module means no wasted capacity

Overview of the Hierarchical Model
- Ease of Understanding
  - Simpler and smaller design units facilitate understanding
  - An easier system will reduce training and staff costs
  - Different layers of the model can be assigned differing management responsibilities and management systems, thus driving down management overheads

Overview of the Hierarchical Model
- Easy Network Growth
  - Growth is facilitated through modules
  - As a network grows, specific modules can be replicated to handle the growth
  - The cost and complexity of making the growth is contained to only the new subset module
  - Compare this to a fully meshed or flat network where everyone is a peer: dropping something in the middle necessitates a change for everything else.

Overview of the Hierarchical Model
- Improved Fault Isolation
  - By having limited isolation points between modules, a network manager can target and isolate failure points faster and more easily.
  - Today's fast-converging protocols, such as EIGRP, are designed for hierarchical topologies

Hierarchical Network Design Layers
- Core: High Speed Switching
- Distribution Layer: Policy Based Connectivity
- Access Layer: Local and Remote Workgroup Access

Core Layer Function
The core layer is a high-speed switching backbone and should be designed to switch packets as fast as possible. This layer of the network should not perform any packet manipulation, such as access lists and filtering, that would slow down the switching of packets.

Core Layer Should Provide
- Fast transport
- High reliability
- Redundancy
- Fault tolerance
- Quick adaptation
- Low latency and good manageability
- Avoidance of slow packet manipulation
- Limited and consistent diameter

Distribution Layer
The distribution layer of the network is the demarcation point between the access and core layers and helps to define and differentiate the core. The purpose of this layer is to provide boundary definition and is the place at which packet manipulation can take place.

Distribution Layer
Should implement the following functions:
- Policy and security
- Address and area aggregation
- Departmental or workgroup access
- Broadcast/multicast domain definition
- Routing between virtual LANs
- Media translations
- Redistribution between routing domains
- Demarcation between static and dynamic routing protocols

Distribution Layer
Using Cisco IOS software you can implement policy:
- Filter source or destination addresses
- Filter input and output ports
- Hide internal network numbers by route filtering
- Static routing
- Quality of Service mechanisms (can every device on the path handle the information being distributed?)

Access Layer
The access layer is the point at which local end users are allowed into the network. This layer may also use access lists or filters to further optimize the needs of a particular set of users.

Access Layer Should
- Provide users on local segments access to the network
- Be characterized by switched or shared bandwidth LANs
- Some characteristics of the access layer include:
  - High availability
  - Port security
  - ARP inspection
  - Virtual access lists
  - Trust classification

Switched Hierarchical Designs

Routed Hierarchical Designs

Enterprise Composite Model
- The enterprise composite model facilitates the design of larger and more scalable networks.
- The network is divided into functional components containing network modules
- The three major functional components are:
  - Enterprise campus
  - Enterprise edge
  - Service provider edge

Enterprise Composite Model

Enterprise Campus Modules
The modules are:
- Enterprise infrastructure
- Edge distribution
- Server farms
- Network management

Enterprise Edge Modules
- E-commerce networks
- Internet connections
- VPN and remote access
- Classic WAN

Hot Standby Router Protocol (HSRP)

Hot Standby Router Protocol (HSRP)
- Provides high network availability and transparent network topology changes.
- HSRP creates a Hot Standby router group with a lead router that services all packets sent to the Hot Standby (phantom) address.
- The lead router is monitored by other routers in the group, and if it fails, one of these standby routers inherits the lead position and the Hot Standby group address.

Server Redundancy
- Complete server redundancy
  - Servers on different networks and power sources
  - Very expensive, but stock traders require it
- Disk mirroring
  - Synchronizing two disks
- Disk duplexing
  - Disk mirroring plus each disk has a different disk controller

Media Redundancy
- Mission critical requires redundant media (hardware)
- Media redundancy on the LAN
  - Relies on redundant links between switches
  - Uses spanning tree for loop avoidance
- Media redundancy on the WAN
  - Relies on backup links

Media Redundancy
WAN backup links
- Use different technologies for backups (ISDN)
- Use floating static routes by specifying a higher administrative distance, so the backup route won't be used unless the primary route goes down
- Beware, different carriers may actually use the same physical circuit
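
A small model of how a floating static route behaves, added here as an illustration and not part of the original slides. The prefixes, interface names and the distance of 200 are constructed; the second route set shows a common mistake where the backup is more specific than the primary, so prefix length decides and the administrative distance is never compared.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    interface: str
    distance: int = 1   # lower is preferred; 1 is the usual static-route default

def routing_table(routes, up_interfaces):
    """Install, per prefix, only the usable route with the lowest distance."""
    best = {}
    for r in routes:
        if r.interface not in up_interfaces:
            continue    # a route through a down interface is withdrawn
        net = ipaddress.ip_network(r.prefix)
        if net not in best or r.distance < best[net].distance:
            best[net] = r
    return best

def lookup(dst, routes, up_interfaces):
    """Longest-prefix match over installed routes; exit interface or None."""
    addr = ipaddress.ip_address(dst)
    table = routing_table(routes, up_interfaces)
    matches = [n for n in table if addr in n]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)].interface

# Constructed example: leased line as primary, ISDN as the floating backup.
ROUTES = [
    StaticRoute("10.20.0.0/16", "Serial0"),
    StaticRoute("10.20.0.0/16", "BRI0", distance=200),
]
# Misconfiguration: the backup prefix is more specific than the primary.
MISCONFIGURED = [
    StaticRoute("10.20.0.0/16", "Serial0"),
    StaticRoute("10.20.5.0/24", "BRI0", distance=200),
]

if __name__ == "__main__":
    both = {"Serial0", "BRI0"}
    print(lookup("10.20.5.9", ROUTES, both))          # primary in use
    print(lookup("10.20.5.9", ROUTES, {"BRI0"}))      # primary down, backup floats in
    print(lookup("10.20.5.9", MISCONFIGURED, both))   # backup used even though primary is up
```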

Media Redundancy

Route Redundancy
- Provides load balancing
  - IP balances across six parallel links of equal cost
- Minimizes downtime from link failures
  - Full mesh provides complete redundancy
  - Partial mesh provides redundancy with lower cost and more scalability

Route Redundancy

Three Part Firewall System

Bastion Hosts
Provide the following services:
- Anonymous FTP server
- Web server
- Domain Name server
- Specialized security software
- Telnet ??? (in the book, on the CCDA test, but don't do it)

Three-Part Firewall System Rules
- The inside packet filter router should allow inbound TCP packets from established sessions
- The outside packet filter router should allow inbound TCP packets from established TCP sessions
- The outside packet filter router should also allow packets to specific TCP or UDP ports going to specific bastion hosts.
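
The three rules above, modelled as two stateless packet filters. This is an added example, not code from the slides: the addresses, the service table and the zone names are constructed, and the bastion hosts are assumed to sit on the segment between the two routers.

```python
from dataclasses import dataclass

# Constructed bastion hosts and the only ports the outside filter opens to them.
BASTION_SERVICES = {
    "192.0.2.10": {("tcp", 80)},                 # web server
    "192.0.2.11": {("tcp", 53), ("udp", 53)},    # domain name server
}

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}

def is_established(pkt):
    # A stateless filter infers "established" from the ACK or RST flag;
    # it keeps no connection table.
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

def outside_filter(pkt):
    """Inbound decision on the outside packet filter router."""
    if is_established(pkt):
        return "permit"
    if (pkt.proto, pkt.dport) in BASTION_SERVICES.get(pkt.dst, set()):
        return "permit"
    return "deny"

def inside_filter(pkt):
    """Inbound decision on the inside packet filter router."""
    return "permit" if is_established(pkt) else "deny"

def inbound(pkt, src_zone, dst_zone):
    """Walk a packet inward; zones are 'outside', 'bastion' and 'inside'."""
    if src_zone == "outside" and outside_filter(pkt) == "deny":
        return "deny at outside filter"
    if dst_zone == "inside" and inside_filter(pkt) == "deny":
        return "deny at inside filter"
    return "permit"

if __name__ == "__main__":
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    print(inbound(Packet("tcp", "192.0.2.10", 80, syn), "outside", "bastion"))
    print(inbound(Packet("tcp", "10.0.0.5", 445, syn), "outside", "inside"))
    print(inbound(Packet("tcp", "10.0.0.5", 445, syn), "bastion", "inside"))
    print(inbound(Packet("tcp", "10.0.0.5", 51000, ack), "outside", "inside"))
```

Because the established check is stateless, it is a coarser control than a firewall that tracks sessions; the model shows that even a bastion host cannot open a new session to the inside network.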

Rules (cont'd)
- Do not enable any unnecessary services on the outside filter router
- Turn off Telnet access (no virtual terminals)
- Use static routing only
- Do not make it a TFTP server
- Use password encryption
- Turn off proxy ARP and finger service
- Turn off IP redirects and route caching
- Do not make it a MacIP server
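
One way to check a saved router configuration against this checklist, as an added example that is not part of the original slides. It assumes an IOS-style text config in which the per-interface features are on unless an explicit "no ..." line is present; the sample config is constructed, and the MacIP rule is not covered.

```python
import re

# IOS enables these per-interface features by default, so the audit wants an
# explicit "no ..." line on every interface (an assumption of this example).
PER_INTERFACE = ("no ip proxy-arp", "no ip redirects", "no ip route-cache")

def sections(config):
    """Map each top-level config line to its indented child lines."""
    out, cur = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and cur is not None:
            out[cur].append(raw.strip())
        else:
            cur = raw.strip()
            out[cur] = []
    return out

def audit_outside_router(config):
    """Check a config against the slide's outside-filter-router rules."""
    s, findings = sections(config), []
    if "service password-encryption" not in s:
        findings.append("password encryption is off")
    if not s.keys() & {"no service finger", "no ip finger"}:
        findings.append("finger service not disabled")
    for head, body in s.items():
        if head.startswith("tftp-server "):
            findings.append("router is a TFTP server")
        if re.match(r"router (rip|igrp|eigrp|ospf|bgp)\b", head):
            findings.append(f"dynamic routing in use: {head}")
        if head.startswith("line vty") and "transport input none" not in body:
            findings.append(f"{head}: virtual terminals still reachable")
        if head.startswith("interface "):
            findings += [f"{head}: missing '{r}'" for r in PER_INTERFACE if r not in body]
    return findings

# Constructed sample config (not from the slides).
WEAK = """\
tftp-server flash:image.bin
router rip
 network 192.0.2.0
interface Serial0
 no ip redirects
line vty 0 4
 login
"""

if __name__ == "__main__":
    print("\n".join(audit_outside_router(WEAK)))
```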

PIX Firewalls
The Cisco Secure PIX Firewall series delivers strong security in an easy-to-install, integrated hardware/software appliance that offers outstanding performance. The series allows you to rigorously protect your internal network from the outside world, providing full firewall security protection. Unlike typical CPU-intensive full-time proxy servers that perform extensive processing on each data packet at the application level, Cisco Secure PIX Firewalls use a non-UNIX, secure, real-time, embedded system.

Cisco Secure PIX Firewall Series
- Less complex and more robust than packet filters
- No downtime for installation
- No upgrading of hosts or routers required
- No day-to-day management requirement
- Generally better performance than delivered by other appliance-like firewalls or those based on general-purpose operating systems (Unix, NT, NetWare)