CH 9 LOGICAL NETWORK DESIGN

• Network Topology
• Addressing and Naming
• Switching and Routing Protocols
• Network Security Strategies
• Management Strategies
9.1 DESIGNING A NETWORK TOPOLOGY
Copyright 2010 Cisco Press & Priscilla Oppenheimer
NETWORK TOPOLOGY DESIGN THEMES
• Hierarchy (as opposed to a flat or mesh network)
  • Core layer
  • Distribution layer
  • Access layer
• Redundancy
• Modularity
• Well-defined entries and exits
• Protected areas
WHY USE A HIERARCHICAL MODEL?
• Reduces the workload on network devices: no device has to communicate with too many other devices (fewer "CPU adjacencies")
• Constrains broadcast domains
• Minimizes costs: buy only the devices appropriate for each layer
• Makes changes easy and cheap
• Good for modularity and scalability
HIERARCHICAL NETWORK DESIGN
(Figure: the Enterprise WAN Backbone forms the core layer; the Campus A, Campus B and Campus C backbones form the distribution layer; buildings such as Building C-1 and Building C-2 on Campus C form the access layer.)
CISCO'S HIERARCHICAL DESIGN MODEL
• A core layer of high-end routers and switches that are optimized for availability and speed
• A distribution layer of routers and switches that implement policies and segment traffic
• An access layer that connects users via hubs, switches, and other devices
UTILIZE THE HIERARCHICAL DESIGN MODEL TO DEVELOP A COST-EFFECTIVE NETWORK DESIGN
Access layer requirements:
• Connectivity for existing devices and new devices
• VLANs to separate voice, security, wireless, and normal data services
• Redundancy
• QoS

Distribution layer requirements:
• Redundant components and links
• High-density routing
• Traffic filtering
• QoS implementation
• High-bandwidth connectivity
• Fast convergence
• Route summarization

Core layer requirements:
• High-speed connectivity
• Routed interconnections
• High-speed redundant links
FLAT VERSUS HIERARCHY
(Figure, left, "Flat Loop Topology": Headquarters in Medford and the Grants Pass, Ashland and Klamath Falls branch offices connected in a single loop. Right, "Hierarchical Redundant Topology": Headquarters in Medford with redundant links down to the Ashland, Klamath Falls, Grants Pass and White City branch offices.)
MESH DESIGNS
(Figure: a partial-mesh topology beside a full-mesh topology.)
A PARTIAL-MESH HIERARCHICAL DESIGN
(Figure: Headquarters at the core layer, regional offices at the distribution layer, branch offices at the access layer.)
A HUB-AND-SPOKE HIERARCHICAL TOPOLOGY FOR A SMALL COMPANY
(Figure: corporate headquarters as the hub, with two branch offices and a home office as spokes.)
AVOID CHAINS AND BACKDOORS
(Figure: core, distribution and access layers, with a chain hanging below the access layer and a back door linking two devices in the same layer.)
Chain: an extra layer added below the access layer.
Back door: a connection between two devices in the same layer. Both cause unexpected routing and switching problems, and a back door in particular lets traffic bypass the distribution layer, where filtering and policy are meant to be applied.
CAMPUS TOPOLOGY DESIGN
• Use a hierarchical, modular approach
• Minimize the size of collision domains
• Minimize the size of broadcast domains
• Provide redundancy
A SIMPLE CAMPUS REDUNDANT DESIGN
(Figure: Host A on LAN X and Host B on LAN Y; Switch 1 and Switch 2 each connect LAN X to LAN Y, giving two paths between the hosts and therefore a loop.)
BRIDGES/SWITCHES USE SPANNING-TREE PROTOCOL (STP) TO AVOID LOOPS
(Figure: the same topology; STP has placed one switch port, marked X, in the blocking state, so only one active path remains between LAN X and LAN Y.)
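The following is an added illustration, not code from the slides or from Cisco Press: a simplified model of how STP arrives at the blocked port in the figure. It elects the root by lowest bridge ID (priority, MAC), converges root path costs the way BPDU exchange does, and then assigns designated, root and blocked roles. Bridge names, MACs and the 802.1D-1998 cost of 19 for 100 Mbps ports are assumed; the port-ID tie-break is approximated by segment name, and timers and RSTP are left out. The second scenario shows why BPDU guard and root guard exist on user-facing ports: a device on LAN Y sending BPDUs with priority 0 wins the election and the whole tree reconverges around it.

```python
from dataclasses import dataclass

# 802.1D-1998 path cost for a 100 Mbps port; all links below are assumed 100 Mbps.
COST_100M = 19
INF = float("inf")


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0..65535, default 32768; lower wins the root election
    mac: str

    @property
    def bridge_id(self):
        # Bridges are compared by (priority, MAC); the lowest becomes the root.
        return (self.priority, self.mac)


def compute_stp(bridges, ports):
    """Return (root_name, roles) for a bridged topology.

    ports is a list of (bridge_name, segment, port_cost), one entry per port.
    roles maps (bridge_name, segment) to "designated", "root" or "blocked".
    """
    bid = {b.name: b.bridge_id for b in bridges}
    root = min(bid, key=bid.get)
    attached = {}                               # segment -> [(bridge_name, port_cost)]
    for name, seg, cost in ports:
        attached.setdefault(seg, []).append((name, cost))

    # Root path cost (rpc) is what each bridge advertises in its BPDUs.
    # Relax until nothing changes, the way BPDU exchange converges.
    rpc = {name: (0 if name == root else INF) for name in bid}
    state = {}                                  # bridge -> (rpc, offering bridge id, root segment)
    while True:
        new_state = {}
        for name in bid:
            if name == root:
                continue
            best = None
            for seg, members in attached.items():
                my_cost = dict(members).get(name)
                if my_cost is None:
                    continue
                # Best BPDU heard on this segment: lowest (rpc, bridge id) among the others.
                offers = [(rpc[n], bid[n]) for n, _ in members if n != name and rpc[n] < INF]
                if offers:
                    off_cost, off_bid = min(offers)
                    cand = (off_cost + my_cost, off_bid, seg)   # seg stands in for the port-ID tie-break
                    if best is None or cand < best:
                        best = cand
            new_state[name] = best
        if new_state == state:
            break
        state = new_state
        rpc = {name: (0 if name == root else (state[name][0] if state[name] else INF)) for name in bid}

    roles = {}
    for seg, members in attached.items():
        # The designated bridge for a segment is the attached bridge with the lowest (rpc, bridge id).
        designated = min(members, key=lambda m: (rpc[m[0]], bid[m[0]]))[0]
        for name, _ in members:
            if name == designated:
                roles[(name, seg)] = "designated"
            elif state.get(name) and state[name][2] == seg:
                roles[(name, seg)] = "root"
            else:
                roles[(name, seg)] = "blocked"
    return root, roles


# The slide's topology: two switches both bridging LAN X and LAN Y (constructed sample).
BRIDGES = [Bridge("sw1", 32768, "00:00:00:00:00:01"),
           Bridge("sw2", 32768, "00:00:00:00:00:02")]
PORTS = [("sw1", "LAN X", COST_100M), ("sw1", "LAN Y", COST_100M),
         ("sw2", "LAN X", COST_100M), ("sw2", "LAN Y", COST_100M)]

# A device on LAN Y sending BPDUs with priority 0 wins the root election; without
# BPDU guard / root guard on user ports, the tree reconverges around it.
ROGUE = Bridge("rogue", 0, "00:00:00:00:00:ff")
ROGUE_PORT = ("rogue", "LAN Y", COST_100M)

if __name__ == "__main__":
    for label, b, p in (("normal", BRIDGES, PORTS),
                        ("rogue root", BRIDGES + [ROGUE], PORTS + [ROGUE_PORT])):
        root, roles = compute_stp(b, p)
        print(label, "root =", root)
        for key in sorted(roles):
            print("  ", key, roles[key])
```

With the slide's two switches, sw1 wins the election (lower MAC at equal priority), sw2's port on LAN X becomes its root port and its port on LAN Y is blocked. With the rogue bridge attached, both switches point their root ports at LAN Y and the blocked port moves to sw2's LAN X side, so the active path now runs through the attacker's device.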
VIRTUAL LANS (VLANS)
VLANS VERSUS REAL LANS
(Figure: Switch A with Stations A1, A2 and A3 forming Network A; Switch B with Stations B1, B2 and B3 forming Network B.)
The two switches are not connected to each other in any way. When Station A1 sends a broadcast, Stations A2 and A3 receive it, but none of the stations in Network B do.
A SWITCH WITH VLANS
(Figure: one switch; Stations A1, A2 and A3 in VLAN A, Stations B1, B2 and B3 in VLAN B.)
Through the configuration of the switch there are now two virtual LANs on a single switch. Broadcast, multicast and unknown-destination traffic originating from any member of VLAN A is forwarded to all other members of VLAN A and to no member of VLAN B. VLAN A has the same properties as a physically separate LAN bounded by routers: traffic between VLAN A and VLAN B must pass through a router (or Layer 3 switch), which is where it can be filtered.
VLANS SPAN SWITCHES
(Figure: Switch A and Switch B each carry both VLAN A and VLAN B; Stations A1 to A6 are in VLAN A and Stations B1 to B6 in VLAN B, spread across the two switches.)
VLANs can span multiple switches; the link between the switches carries frames for both VLANs, tagged so that each switch can keep them apart.
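To make the broadcast-containment claims of the last three slides concrete, here is an added example (not from the slides or any vendor) of a minimal VLAN-aware learning switch: frames are classified on ingress by access-port VLAN or by the tag carried over the trunk, MAC addresses are learned per VLAN, and flooding only reaches ports of the same VLAN plus the trunk. The station placement (A1 to A3 and B1 to B3 on Switch A, A4 to A6 and B4 to B6 on Switch B), port names and MAC addresses are assumed, and loops are assumed to have been removed by STP.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
VLAN_A, VLAN_B = 10, 20

# Constructed stations and MAC addresses: A1..A6 in VLAN A, B1..B6 in VLAN B.
STATIONS = {f"{v}{i}": f"00:00:00:00:{'0a' if v == 'A' else '0b'}:{i:02d}"
            for v in "AB" for i in range(1, 7)}


class Switch:
    """A minimal VLAN-aware learning switch (illustration only, not vendor code).

    Frames are classified on ingress (access port VLAN, or the 802.1Q tag on a trunk),
    MAC addresses are learned per VLAN, and flooding is confined to the VLAN.
    Loops are assumed to have been removed by STP.
    """

    def __init__(self, name):
        self.name = name
        self.access = {}     # port -> VLAN id
        self.stations = {}   # port -> attached station (access ports only)
        self.trunks = {}     # port -> (peer Switch, peer port)
        self.mac_table = {}  # (vlan, mac) -> port
        self.delivered = []  # (station, vlan, src, dst) handed to end stations

    def add_station(self, port, vlan, station):
        self.access[port] = vlan
        self.stations[port] = station

    @staticmethod
    def connect_trunk(sw1, port1, sw2, port2):
        sw1.trunks[port1] = (sw2, port2)
        sw2.trunks[port2] = (sw1, port1)

    def ingress(self, port, src, dst, tag=None):
        vlan = self.access[port] if port in self.access else tag
        self.mac_table[(vlan, src)] = port                  # learn the source per VLAN
        out = self.mac_table.get((vlan, dst))
        if out is None:
            # Unknown unicast, multicast or broadcast: flood, but only to this VLAN's
            # access ports and to trunks (which carry every VLAN, tagged).
            targets = [p for p, v in self.access.items() if v == vlan] + list(self.trunks)
        else:
            targets = [out]
        for p in targets:
            if p == port:
                continue
            if p in self.access:
                self.delivered.append((self.stations[p], vlan, src, dst))
            else:
                peer, peer_port = self.trunks[p]
                peer.ingress(peer_port, src, dst, tag=vlan)     # tagged across the trunk


def build_topology():
    """Slide 21's layout: each switch holds three VLAN A and three VLAN B stations."""
    sw_a, sw_b = Switch("Switch A"), Switch("Switch B")
    for i in range(1, 4):
        sw_a.add_station(f"Fa0/{i}", VLAN_A, f"A{i}")
        sw_a.add_station(f"Fa0/{i + 3}", VLAN_B, f"B{i}")
        sw_b.add_station(f"Fa0/{i}", VLAN_A, f"A{i + 3}")
        sw_b.add_station(f"Fa0/{i + 3}", VLAN_B, f"B{i + 3}")
    Switch.connect_trunk(sw_a, "Gi0/1", sw_b, "Gi0/1")
    return sw_a, sw_b


def broadcast_receivers(sender):
    """Which stations receive a broadcast sent by `sender`?"""
    switches = build_topology()
    for sw in switches:
        for port, station in sw.stations.items():
            if station == sender:
                sw.ingress(port, STATIONS[sender], BROADCAST)
    return sorted(s for sw in switches for s, *_ in sw.delivered)


def unicast_after_learning():
    """Once A1's broadcast has been learned, A5's reply is switched, not flooded."""
    sw_a, sw_b = build_topology()
    sw_a.ingress("Fa0/1", STATIONS["A1"], BROADCAST)
    for sw in (sw_a, sw_b):
        sw.delivered.clear()
    sw_b.ingress("Fa0/2", STATIONS["A5"], STATIONS["A1"])
    return [s for sw in (sw_a, sw_b) for s, *_ in sw.delivered]


if __name__ == "__main__":
    print("A1 broadcast reaches:", broadcast_receivers("A1"))
    print("B4 broadcast reaches:", broadcast_receivers("B4"))
    print("A5 -> A1 unicast delivered to:", unicast_after_learning())
```

A broadcast from A1 crosses the trunk tagged with VLAN A and is delivered to A2 through A6 only; B4's broadcast reaches only the other B stations. The trunk is the one place both VLANs share a wire, which is why trunk ports deserve the same scrutiny as a router interface: whatever can inject tagged frames there can reach any VLAN the trunk carries.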
INCORPORATE WIRELESS CONNECTIVITY INTO THE LAN DESIGN
Factors influencing availability in a wireless network:
• Location of the AP
• Signal strength of the AP
• Number of users
• Dynamic reconfiguration
• Centralization
WLANS AND VLANS
• A wireless LAN (WLAN) is often implemented as a VLAN
• The WLAN should be a separate subnet (example at LSBU: WLAN 172.20.x.x, wired LAN 136.148.x.x)
• Users remain in the same VLAN and IP subnet as they roam between access points, so there is no need to change addressing information
• A separate subnet also makes it easier to set up filters (access control lists, ACLs) to protect the wired network from wireless users
SECURITY TOPOLOGIES
(Figure: the Internet, a DMZ containing the web, file, DNS and mail servers, and the enterprise network.)
DMZ
A DMZ (demilitarized zone) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet. Its purpose is to add a layer of security to the organization's local area network (LAN): an external attacker who compromises a host can reach only the equipment in the DMZ, not the rest of the network, provided the firewall also restricts what DMZ hosts may initiate towards the internal network. In a computer network, the hosts most vulnerable to attack are those that provide services to users outside the LAN, such as e-mail, web and Domain Name System (DNS) servers.
SECURITY TOPOLOGIES
(Figure: the Internet, a firewall, the DMZ with the web, file, DNS and mail servers, and the enterprise network behind the firewall.)
Firewall: the boundary between two or more networks
FIREWALL
A firewall can be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control incoming and outgoing network traffic by analyzing each packet and deciding, against a predetermined rule set, whether it should be allowed through. Rules are evaluated in order and the first match decides, so the order of the rules and the default action for unmatched traffic (which should be deny) are part of the policy.
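The following is an added example, not part of the slides or of any firewall product, of the first-match packet filter the DMZ slides and the WLAN ACL slide both rely on: a small rule engine with an implicit final deny, a policy that admits Internet traffic only to the DMZ services, stops a compromised DMZ host from pivoting inward, and keeps the wireless subnet off the wired network, plus a check that flags a misordered or over-broad rule. Zones, addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24, the slide's 172.20.0.0/16 for the WLAN) and sample packets are constructed. The engine is stateless; a real deployment needs stateful inspection or explicit "established" rules for return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones (constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
INSIDE = ipaddress.ip_network("10.0.0.0/8")
WLAN = ipaddress.ip_network("172.20.0.0/16")      # the slide's wireless subnet
DMZ = ipaddress.ip_network("203.0.113.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None          # "tcp", "udp" or None for any protocol
    dports: Optional[frozenset] = None   # destination ports, None for any port
    note: str = ""

    def matches(self, pkt):
        return (pkt["src"] in self.src and pkt["dst"] in self.dst
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dports is None or pkt["dport"] in self.dports))


def evaluate(rules, packet):
    """First-match evaluation with an implicit final deny, as router ACLs behave.

    Returns (action, index of the matching rule) or ("deny", None) for the implicit deny.
    """
    pkt = dict(packet, src=ipaddress.ip_address(packet["src"]),
               dst=ipaddress.ip_address(packet["dst"]))
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Ordered policy for the DMZ and WLAN of the slides (constructed example).
POLICY = [
    Rule("permit", ANY, DMZ, "tcp", frozenset({80, 443}), "public web"),
    Rule("permit", ANY, DMZ, "tcp", frozenset({25}), "inbound mail"),
    Rule("permit", ANY, DMZ, "udp", frozenset({53}), "public DNS"),
    Rule("deny", DMZ, INSIDE, note="a compromised DMZ host must not pivot inward"),
    Rule("deny", WLAN, INSIDE, note="wireless users stay off the wired network"),
    Rule("permit", WLAN, ANY, note="wireless to Internet and DMZ services"),
    Rule("permit", INSIDE, ANY, note="internal users outbound"),
]

# The same policy with an over-broad rule placed first: it reopens DMZ -> inside.
BAD_POLICY = [Rule("permit", ANY, ANY, "tcp", frozenset({3306}), "DB access (too broad)")] + POLICY

# Constructed traffic samples.
SAMPLES = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},  # Internet -> web
    {"src": "198.51.100.7", "dst": "10.1.2.3", "proto": "tcp", "dport": 445},      # Internet -> inside
    {"src": "203.0.113.10", "dst": "10.1.2.3", "proto": "tcp", "dport": 3306},     # DMZ -> inside DB
    {"src": "172.20.5.9", "dst": "10.1.2.3", "proto": "tcp", "dport": 445},        # WLAN -> inside
    {"src": "172.20.5.9", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},    # WLAN -> Internet
    {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "dport": 22},       # inside -> DMZ admin
]


def decisions(rules, packets):
    return [evaluate(rules, p)[0] for p in packets]


def permits_dmz_to_inside(rules):
    """Policy check: can DMZ-originated traffic reach the inside under these rules?"""
    probe = {"src": str(DMZ[1]), "dst": str(INSIDE[1]), "proto": "tcp", "dport": 3306}
    return evaluate(rules, probe)[0] == "permit"


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, decisions(POLICY, SAMPLES)):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} {pkt['proto']}/{pkt['dport']:<5} {verdict}")
    print("DMZ can reach inside:", permits_dmz_to_inside(POLICY), "/ with BAD_POLICY:", permits_dmz_to_inside(BAD_POLICY))
```

The unmatched Internet-to-inside packet falls through to the implicit deny, the DMZ-to-inside and WLAN-to-inside packets hit explicit denies, and `permits_dmz_to_inside` is the kind of invariant worth keeping in a test so that a later "quick fix" rule like the one in `BAD_POLICY` is caught before deployment.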
SUMMARY
• Use a systematic, top-down approach
• Plan the logical design before the physical design
• Topology design should feature hierarchy, redundancy, modularity, and security
REVIEW QUESTIONS
• Why are hierarchy and modularity important for network designs?
• What are the three layers of Cisco's hierarchical network design?
• What are the major components of Cisco's enterprise composite network model?
• What are the advantages and disadvantages of the various options for multihoming an Internet connection?
9.2 DESIGNING MODELS FOR ADDRESSING AND NAMING
GUIDELINES FOR ADDRESSING AND NAMING
• Use a structured model for addressing and naming
• Assign addresses and names hierarchically
• Decide in advance
ADVANTAGES OF STRUCTURED MODELS FOR ADDRESSING & NAMING
It makes it easier to:
• Read network maps
• Operate network management software
• Recognize devices in protocol analyzer traces
• Meet goals for usability
• Design filters on firewalls and routers
• Implement route summarization
PUBLIC IP ADDRESSES
• Managed by the Internet Assigned Numbers Authority (IANA)
• Users are assigned IP addresses by Internet Service Providers (ISPs)
• ISPs obtain allocations of IP addresses from their Regional Internet Registry (RIR)
• A public address is essential for a web server or any other server that external users access, but not for every internal host and network: private addresses are fine there
• Internal hosts that need access to outside services can be handled by a NAT (Network Address Translation) gateway
REGIONAL INTERNET REGISTRIES (RIR)
• American Registry for Internet Numbers (ARIN) serves North America and parts of the Caribbean
• RIPE Network Coordination Centre (RIPE NCC) serves Europe, the Middle East, and Central Asia
• Asia-Pacific Network Information Centre (APNIC) serves Asia and the Pacific region
• Latin American and Caribbean Internet Addresses Registry (LACNIC) serves Latin America and parts of the Caribbean
• African Network Information Centre (AfriNIC) serves Africa
PRIVATE ADDRESSING
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
An enterprise network administrator assigns these to internal networks and hosts without any coordination with an ISP or RIR.
Advantages:
• Security: private network numbers are not advertised or routed on the public Internet, so the internal topology is not exposed (this is not a substitute for filtering, since anything that reaches the internal network can still address the hosts)
• Flexibility: easy to change to a new ISP
• Saves public IP address resources
DESIGNING NETWORKS WITH SUBNETS
• Determining subnet size
• Computing the subnet mask
• Computing IP addresses
SUBNETS
• Subnetting is the process of dividing a network into several smaller networks.
• Within a subnet, all hosts share the same network prefix (subnet ID) in their IP addresses.
• With subnets, a physical network can be divided into logical units.
• The hosts in each unit can communicate with each other directly and use the same router to communicate with the hosts in other subnets.
• Local broadcasts are limited to a subnet.
REASONS FOR USING SUBNETS
• To use IP addresses efficiently
• To reduce the number of collisions
• To reduce broadcast traffic
• To strengthen network security control
• To implement the network structure at the site, building, department, and office levels
• To reduce the cost of paying the ISP for public IP addresses
ADDRESSES TO AVOID WHEN SUBNETTING
• A node address of all ones (the subnet's broadcast address)
• A node address of all zeros (the subnet's network address)
• A subnet address of all ones (all subnets)
• A subnet address of all zeros (confusing)
The two host addresses are reserved in every subnet. The two subnet addresses ("subnet zero" and the all-ones subnet) were avoided under classful routing; classless (CIDR) routers accept them, but a plan that skips them is easier to read.
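As an added, worked example of the three subnet-design steps (size, mask, addresses) and of the distribution-layer route summarization mentioned earlier, the following code is not from the slides: it carves a block into variable-length subnets largest-first, reports the mask, first and last usable host and broadcast address of each, computes the single summary prefix a distribution router would advertise upward, and classifies an address against the "avoid" list above. The block 10.1.0.0/22 and the per-department host counts are constructed; the plan does use subnet zero, which is fine on classless routers.

```python
import ipaddress


def prefix_for(hosts):
    """Smallest prefix length whose subnet has at least `hosts` usable addresses.

    Usable = 2**host_bits - 2, because the all-zeros (network) and all-ones
    (broadcast) host addresses are reserved.
    """
    host_bits = 2                      # a /30 is the smallest subnet with usable hosts
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def plan_subnets(block, demands):
    """Carve `block` into subnets for (name, hosts) demands, largest first (VLSM).

    Allocating in descending size keeps every subnet aligned to its own size.
    Returns one dict per subnet with the boundaries that go into the address plan.
    """
    block = ipaddress.IPv4Network(block)
    cursor = int(block.network_address)
    plan = []
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        prefix = prefix_for(hosts)
        size = 1 << (32 - prefix)
        if cursor % size:                                   # only needed if demands were unsorted
            cursor += size - cursor % size
        if cursor + size - 1 > int(block.broadcast_address):
            raise ValueError(f"{block} exhausted while allocating {name}")
        net = ipaddress.IPv4Network((cursor, prefix))
        plan.append({
            "name": name,
            "network": str(net),
            "mask": str(net.netmask),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2,
        })
        cursor += size
    return plan


def summary_route(networks):
    """Single prefix covering all `networks`: what the distribution layer advertises upward."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1                     # shorten until both ends share the prefix
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return str(ipaddress.IPv4Network((base, prefix)))


def classify(address, network):
    """Flag the addresses the slide says never to assign to a host."""
    ip, net = ipaddress.IPv4Address(address), ipaddress.IPv4Network(network)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network address (host bits all zeros)"
    if ip == net.broadcast_address:
        return "broadcast address (host bits all ones)"
    return "host"


# Constructed demands for one campus building inside the private 10/8 space.
BLOCK = "10.1.0.0/22"
DEMANDS = [("Engineering", 200), ("Sales", 100), ("Voice", 50),
           ("WLAN", 25), ("Link to core 1", 2), ("Link to core 2", 2)]

if __name__ == "__main__":
    plan = plan_subnets(BLOCK, DEMANDS)
    for row in plan:
        print(f"{row['name']:15} {row['network']:18} {row['first_host']} - {row['last_host']}  usable={row['usable']}")
    print("summary:", summary_route([r["network"] for r in plan]))
```

The six subnets fit in the lower half of the /22, so the building can be advertised as a single 10.1.0.0/23 to the core, and the spare 10.1.2.0/23 remains for growth; that is what makes hierarchical addressing worth the planning effort.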
GUIDELINES FOR ASSIGNING NAMES
Names should be:
• Short
• Meaningful
• Clear
• Distinct
• Case insensitive
Avoid names with unusual characters (hyphens, underscores, asterisks, and so on).
DOMAIN NAME SYSTEM (DNS)
• Maps names to IP addresses
• Supports hierarchical naming, for example eent3.lsbu.ac.uk
• A DNS server has a database of resource records (RRs) that map names to addresses in the server's "zone of authority"
• Clients query the server: UDP port 53 is used for name queries and replies, TCP port 53 for zone transfers (and for replies too large for a single UDP message)
• A zone transfer hands out the entire zone, so restrict it to the authorized secondary servers; an open zone transfer is a reconnaissance gift
SUMMARY
• Use a systematic, structured, top-down approach to addressing and naming
• Assign addresses in a hierarchical fashion
• Distribute authority for addressing and naming where appropriate
• IPv6 looms in our future
REVIEW QUESTIONS
• Why is it important to use a structured model for addressing and naming?
• When is it appropriate to use IP private addressing versus public addressing?
• When is it appropriate to use static versus dynamic addressing?
• What are some approaches to upgrading to IPv6?
9.3 SELECTING SWITCHING AND ROUTING PROTOCOLS
SWITCHING AND ROUTING CHOICES
Switching:
• Layer 2 transparent bridging (switching)
• Multilayer switching
• Spanning Tree Protocol enhancements
• VLAN technologies
Routing:
• Static or dynamic
• Distance-vector and link-state protocols
• Interior and exterior
• Etc.
SELECTION CRITERIA FOR SWITCHING AND ROUTING PROTOCOLS
• Network traffic characteristics
• Bandwidth, memory, and CPU usage
• The number of peers supported
• The capability to adapt to changes quickly
• Support for authentication
EXAMPLE DECISION TABLE
(Table not reproduced in the transcript.)
SELECTING ROUTING PROTOCOLS
A routing protocol lets a router dynamically learn how to reach other networks and exchange this information with other routers.
They all have the same general goal: to share network reachability information among routers. They differ in many ways:
• Interior versus exterior
• Metrics supported
• Dynamic versus static and default
• Distance-vector versus link-state
• Classful versus classless
• Scalability
INTERIOR VERSUS EXTERIOR ROUTING PROTOCOLS
• Interior routing protocols are used within one organization. The current leading interior routing protocol is OSPF; other interior protocols include IS-IS, RIP, and EIGRP.
• Exterior routing protocols are used between organizations. The current leading exterior gateway protocol is BGP, whose current revision is BGP4. No other exterior gateway routing protocol is in current competition with BGP4.
ROUTING PROTOCOL METRICS
Metric: the determining factor used by a routing algorithm to decide which route to a network is better than another.
Examples of metrics:
• Bandwidth: capacity
• Delay: time
• Load: amount of network traffic
• Reliability: error rate
• Hop count: the number of routers that a packet must travel through before reaching the destination network
• Cost: an arbitrary value defined by the protocol or the administrator
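To show that the choice of metric changes the route, here is an added example (not from the slides) that runs the same shortest-path computation twice over a constructed topology: once with a hop-count metric as RIP uses, once with an OSPF-style cost derived from link bandwidth (reference bandwidth divided by link bandwidth, minimum 1). The third run ties back to the "support for authentication" criterion above: a peer that is allowed to advertise links without authenticating can claim two fast links it does not have and pull the traffic through itself. Node names and link speeds are assumed.

```python
import heapq

REFERENCE_BW = 100_000_000   # OSPF's default reference bandwidth, in bits/s


def ospf_cost(bandwidth_bps):
    """OSPF-style cost: reference bandwidth / link bandwidth, minimum 1."""
    return max(1, REFERENCE_BW // bandwidth_bps)


def hop_cost(bandwidth_bps):
    """RIP-style metric: every link counts as one hop, whatever its speed."""
    return 1


def shortest_path(links, src, dst, metric):
    """Dijkstra over undirected links [(a, b, bandwidth_bps)] using `metric` per link.

    Returns (path, total_cost), or (None, None) if dst is unreachable.
    """
    graph = {}
    for a, b, bw in links:
        graph.setdefault(a, []).append((b, metric(bw)))
        graph.setdefault(b, []).append((a, metric(bw)))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                     # stale heap entry
        if node == dst:
            break
        for nxt, w in graph.get(node, []):
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt] = d + w
                prev[nxt] = node
                heapq.heappush(heap, (d + w, nxt))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


# Constructed topology: a direct T1 (1.544 Mbps) between A and D, and a 100 Mbps path A-B-C-D.
LINKS = [("A", "B", 100_000_000), ("B", "C", 100_000_000),
         ("C", "D", 100_000_000), ("A", "D", 1_544_000)]

# An unauthenticated peer "E" advertising two 10 Gbps links it does not really have.
FORGED = LINKS + [("A", "E", 10_000_000_000), ("E", "D", 10_000_000_000)]

if __name__ == "__main__":
    print("hop count  :", shortest_path(LINKS, "A", "D", hop_cost))
    print("OSPF cost  :", shortest_path(LINKS, "A", "D", ospf_cost))
    print("forged link:", shortest_path(FORGED, "A", "D", ospf_cost))
```

Hop count sends A's traffic over the slow T1 because it is one hop; the bandwidth-based cost (64 for the T1 versus 1 per 100 Mbps link) prefers the three-hop path. In the forged case the two claimed links cost 1 each, so the path becomes A, E, D: the metric did exactly what it was told, which is why routing adjacencies at the Internet edge need authentication.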
SUMMARY
• The selection of switching and routing protocols should be based on an analysis of goals and of the scalability and performance characteristics of the protocols
• Transparent bridging is used on modern switches, but other choices involve enhancements to STP and protocols for transporting VLAN information
• There are many types of routing protocols and many choices within each type
REVIEW QUESTIONS
• What are some options for enhancing the Spanning Tree Protocol?
• What factors will help you decide whether distance-vector or link-state routing is best for your design customer?
• What factors will help you select a specific routing protocol?
• Why do static and default routing still play a role in many modern network designs?
9.4 DEVELOPING NETWORK SECURITY STRATEGIES
NETWORK SECURITY DESIGN: THE 12 STEP PROGRAM
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
NETWORK ASSETS
• Hardware
• Software
• Applications
• Data
• Intellectual property
• Trade secrets
• Company's reputation
SECURITY RISKS
• Hacked network devices: data can be intercepted, analyzed, altered, or deleted; user passwords can be compromised; device configurations can be changed
• Reconnaissance attacks (gathering information about the network)
• Denial-of-service attacks (making a computer resource unavailable to its intended users)
SECURITY TRADEOFFS
Tradeoffs must be made between security goals and other goals:
• Affordability
• Usability
• Performance
• Availability
• Manageability
Security adds to the management workload (user IDs, passwords) and affects network performance: encryption can consume up to 15% of the CPU on a router, or reduce network throughput.
A SECURITY PLAN
• A high-level document that proposes what an organization is going to do to meet security requirements
• Specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
A SECURITY POLICY
A security policy is a "formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
The policy should address access, accountability, authentication, privacy, and computer technology purchasing guidelines.
SECURITY MECHANISMS
• Physical security
• Authentication
• Authorization
• Accounting (auditing)
• Data encryption
• Packet filters
• Firewalls
• Intrusion Detection Systems (IDS)
• Intrusion Prevention Systems (IPS)
MODULARIZING SECURITY DESIGN
• Security defense in depth: network security should be multilayered, with many different techniques used to protect the network
• Belt-and-suspenders approach: don't get caught with your pants down

MODULARIZING SECURITY DESIGN
Secure all components of a modular design:
• Internet connections
• Public servers and e-commerce servers
• Remote access networks and VPNs
• Network services and network management
• Server farms
• User services
• Wireless networks

SECURING INTERNET CONNECTIONS
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication

SECURING PUBLIC SERVERS
• Place servers in a DMZ that is protected by firewalls
• Run a firewall on the server itself
• Enable DoS protection
  • Limit the number of connections per timeframe
• Use reliable operating systems with the latest security patches
• Maintain modularity: a front-end web server doesn't also run other services (FTP services are not run on the same server as web services; the e-commerce database should not be on the web server)
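The "limit the number of connections per timeframe" control above is easiest to see as code. The following is an added example, not code from the slides or from Cisco Press: a sliding-window limiter that budgets new connections per source address, written in Python. The window length, the per-window budget and the sample addresses (documentation ranges) are constructed values chosen for the illustration; a real deployment would take them from the security policy.

```python
import collections
import time

# Assumed policy values (not from the slides): a source may open at most
# MAX_CONN new connections within any sliding WINDOW_SECONDS interval.
WINDOW_SECONDS = 10.0
MAX_CONN = 5


class ConnectionLimiter:
    """Sliding-window limit on new connections per source address.

    Accepted-connection timestamps are kept per source. Timestamps older than
    the window are discarded before each decision, so a burst spread just
    under the window length is still counted against the same budget.
    """

    def __init__(self, max_conn=MAX_CONN, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_conn = max_conn
        self.window = window
        self.clock = clock
        self._history = collections.defaultdict(collections.deque)

    def allow(self, source_ip):
        """Return True if the connection is within budget (and record it), else False."""
        now = self.clock()
        recent = self._history[source_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                      # expire entries outside the window
        if len(recent) >= self.max_conn:
            return False                          # over budget: refuse this connection
        recent.append(now)
        return True

    def prune(self):
        """Forget idle sources so the per-source table itself cannot grow without bound."""
        now = self.clock()
        for ip in list(self._history):
            recent = self._history[ip]
            while recent and now - recent[0] >= self.window:
                recent.popleft()
            if not recent:
                del self._history[ip]


def simulate(events, max_conn=MAX_CONN, window=WINDOW_SECONDS):
    """Replay constructed (time, source_ip) events through a limiter with a fake clock.

    Returns a list of (time, source_ip, accepted) tuples in time order.
    """
    clock_time = [0.0]
    limiter = ConnectionLimiter(max_conn, window, clock=lambda: clock_time[0])
    decisions = []
    for t, ip in sorted(events, key=lambda e: e[0]):
        clock_time[0] = t
        decisions.append((t, ip, limiter.allow(ip)))
    return decisions


# Constructed sample traffic: one source (198.51.100.7) opens 8 connections in 4 seconds
# and returns after the window has passed; a normal client (192.0.2.10) opens 2.
SAMPLE_EVENTS = (
    [(0.5 * i, "198.51.100.7") for i in range(8)]
    + [(1.0, "192.0.2.10"), (3.0, "192.0.2.10"), (12.0, "198.51.100.7")]
)

if __name__ == "__main__":
    for t, ip, ok in simulate(SAMPLE_EVENTS):
        print(f"t={t:5.1f}s {ip:15} {'accept' if ok else 'REJECT'}")
```

The limiter decides per source, so a noisy source is refused once it has used its budget while other clients are unaffected; `prune()` should run periodically, because a table keyed by attacker-chosen source addresses is itself a resource the DoS protection has to bound.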

SECURING REMOTE-ACCESS AND VIRTUAL PRIVATE NETWORKS (VPN)
• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
• Security protocols
  • CHAP
  • RADIUS
  • IPsec
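Of the three protocols listed, CHAP is the one whose behaviour fits in a few lines, and it shows why the slide pairs remote access with challenge-based authentication rather than a password sent over the link. The exchange below is an added example in Python, not code from the slides or from Cisco Press: it follows RFC 1994 (CHAP with the MD5 algorithm, where the Response Value is MD5(Identifier || secret || Challenge)), with an access server acting as authenticator and a remote peer responding. The user name and shared secret are constructed placeholders; in the design on the slide the authenticator would look the secret up through RADIUS rather than a local table.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 Response Value (RFC 1994, 4.1): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access-server side: issues single-use challenges and checks responses.

    `secrets` maps peer names to shared secrets (a constructed table here;
    the slide's design would consult RADIUS instead).
    """

    def __init__(self, secrets, rand=os.urandom):
        self._secrets = secrets
        self._rand = rand
        self._identifier = 0
        self._pending = {}          # Identifier -> Challenge Value still awaiting a Response

    def challenge(self, length=16):
        """Challenge packet: a fresh Identifier and a random Challenge Value."""
        self._identifier = (self._identifier + 1) % 256
        value = self._rand(length)
        self._pending[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier, name, response):
        """Response packet in; True means Success, False means Failure."""
        challenge = self._pending.pop(identifier, None)   # each challenge is consumed once
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)     # constant-time comparison


class Peer:
    """Remote-access client: knows its own secret and answers challenges with a hash."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(authenticator, peer):
    """One Challenge / Response / Success-or-Failure round; returns (ok, identifier, response)."""
    identifier, challenge = authenticator.challenge()        # Authenticator -> Peer
    name, response = peer.respond(identifier, challenge)     # Peer -> Authenticator
    return authenticator.verify(identifier, name, response), identifier, response


if __name__ == "__main__":
    SECRETS = {"remote-user": b"constructed-shared-secret"}   # placeholder credentials
    auth = Authenticator(SECRETS)
    ok, ident, resp = run_exchange(auth, Peer("remote-user", SECRETS["remote-user"]))
    print("genuine peer:", "Success" if ok else "Failure")
    new_ident, _ = auth.challenge()
    print("replayed response:", "Success" if auth.verify(new_ident, "remote-user", resp) else "Failure")
```

Two properties matter for the design: the secret never crosses the link (only the challenge and a hash do), and a captured response is useless against the next, different challenge. The limits are also visible: the authenticator must hold the secret in a recoverable form, and MD5 offers no protection against offline guessing of a weak secret by someone who captured the exchange, which is why the slide lists CHAP alongside one-time passwords and IPsec rather than on its own.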

SECURING NETWORK SERVICES
• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
• Require extra authorization for risky configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less welcoming
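The four concrete items on this slide can be checked mechanically against a device's running configuration. The following is an added example in Python, not code from the slides or from Cisco Press: a small audit that reads an IOS-style configuration and reports which of the slide's points it misses. The two configurations it is run against are constructed for the example (host names, the placeholder secrets and the banner text are invented); the checks are intentionally narrow and treat only the commands shown.

```python
import re

# Constructed configurations (not from the slides): a weakly managed router and a
# hardened counterpart. Names and the <placeholder> secrets are invented for the example.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
line vty 0 4
 transport input telnet ssh
 password <line-password-placeholder>
 login
!
banner motd ^C Welcome to the Example Corp core router ^C
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
username netadmin privilege 15 secret <placeholder>
ip ssh version 2
!
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0
!
banner motd ^C Unauthorized access is prohibited and monitored ^C
"""


def parse_line_stanzas(config):
    """Return {'line ...' header: [indented sub-commands]} for each line stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # any non-indented line ends the stanza
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    flat = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]

    # 1. SSH rather than Telnet: every vty line must accept SSH only.
    vty = {h: b for h, b in parse_line_stanzas(config).items() if h.startswith("line vty")}
    if not vty:
        findings.append("no 'line vty' stanza: remote management lines are unconfigured")
    for header, body in vty.items():
        transport = [c for c in body if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no 'transport input'; the platform default decides whether Telnet is accepted")
        elif any(t.split()[2:] != ["ssh"] for t in transport):
            findings.append(f"{header}: '{transport[0]}' accepts more than SSH")
        # 2. Login IDs and passwords: a bare 'login' means one shared line password, no user IDs.
        login = [c for c in body if c == "login" or c.startswith("login ")]
        if not login:
            findings.append(f"{header}: no login required")
        elif "login" in login:
            findings.append(f"{header}: bare 'login' relies on a shared line password, not individual IDs")

    # 3. Extra authorization for risky commands.
    if not any(l.startswith("aaa authorization commands") for l in flat):
        findings.append("no 'aaa authorization commands': configuration commands are not separately authorized")

    # 4. A banner that does not welcome anyone.
    banners = [l for l in flat if l.startswith("banner ")]
    if not banners:
        findings.append("no login banner configured")
    elif any(re.search(r"\bwelcome\b", b, re.I) for b in banners):
        findings.append("banner welcomes the visitor; make it less welcoming")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run over many devices, an audit like this turns the slide's checklist into something that can be re-verified after every configuration change rather than trusted once at deployment.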

SECURING SERVER FARMS
• Deploy network and host IDSs to monitor server subnets and individual servers
• Configure filters that limit connectivity from the server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server access and management
• Limit the root password to a few people
• Avoid guest accounts

SECURING USER SERVICES
• Specify in the security policy which applications are allowed to run on networked PCs
• Require personal firewalls and antivirus software on networked PCs
• Implement written procedures that specify how the software is installed and kept current
• Encourage users to log out when leaving their desks
• Consider using 802.1X port-based security on switches

SECURING WIRELESS NETWORKS
• Place wireless LANs (WLANs) in their own subnet or VLAN: simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
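Two slides in this run rely on packet filters: the server-farm slide wants filters that limit connectivity from a server in case it is compromised, and the wireless slide notes that giving the WLAN its own subnet makes those filters easy to write. The example below is added here and is not code from the slides or from Cisco Press: a first-match, default-deny packet-filter evaluator in Python, with a constructed rule set that confines a WLAN subnet to its VPN concentrator and confines a web tier to its database and DNS. All subnets, hosts and the sample packets are invented (documentation address ranges); the rule syntax is this example's own, not any vendor's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "esp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src: str            # CIDR source
    dst: str            # CIDR destination
    proto: str = "any"
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, pkt):
    """First matching rule wins; a packet matching nothing is denied (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index, rule.comment
    return "deny", None, "implicit default deny"


# Constructed addressing (not from the slides): one subnet per module keeps each rule short.
WLAN = "10.50.0.0/24"        # wireless clients in their own subnet/VLAN
WEB_FARM = "10.20.0.0/24"    # front-end web servers
DB_HOST = "10.30.0.5/32"     # e-commerce database, on its own host
DNS_HOST = "10.30.0.2/32"
VPN_GW = "192.0.2.1/32"      # VPN concentrator at HQ (documentation address)

RULES = [
    Rule("allow", WLAN, VPN_GW, "udp", 500,  "WLAN: IKE to the VPN concentrator"),
    Rule("allow", WLAN, VPN_GW, "udp", 4500, "WLAN: IPsec NAT-T to the VPN concentrator"),
    Rule("allow", WLAN, VPN_GW, "esp",       comment="WLAN: IPsec ESP to the VPN concentrator"),
    Rule("deny",  WLAN, "0.0.0.0/0",         comment="WLAN: everything else must go through the tunnel"),
    Rule("allow", WEB_FARM, DB_HOST, "tcp", 5432, "web tier may reach only the database ..."),
    Rule("allow", WEB_FARM, DNS_HOST, "udp", 53,  "... and DNS"),
    Rule("deny",  WEB_FARM, "0.0.0.0/0",     comment="limit egress from a possibly compromised server"),
]

# Constructed sample traffic to evaluate against the rule set.
TRAFFIC = [
    Packet("10.50.0.23", "192.0.2.1", "udp", 500),      # WLAN client starting IKE: allowed
    Packet("10.50.0.23", "10.10.0.8", "tcp", 445),      # WLAN client to an internal file share: denied
    Packet("10.20.0.11", "10.30.0.5", "tcp", 5432),     # web server to its database: allowed
    Packet("10.20.0.11", "203.0.113.9", "tcp", 443),    # web server calling out to the Internet: denied
    Packet("10.30.0.5", "10.20.0.11", "tcp", 22),       # database host opening SSH to web tier: no rule, denied
]

if __name__ == "__main__":
    for pkt in TRAFFIC:
        action, index, why = evaluate(RULES, pkt)
        print(f"{pkt.src:>12} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport}: {action} (rule {index}: {why})")
```

Because each module sits in its own subnet, a policy statement such as "the web tier talks only to the database" is one allow rule and one deny rule; the default-deny at the end is what actually limits a compromised server, since anything the rules forgot is dropped rather than passed.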

VPN SOFTWARE ON WIRELESS CLIENTS
• Safest way to do wireless networking for corporations
• Wireless client requires VPN software
• Connects to a VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
  • User authentication
  • Strong encryption of data
  • Data integrity

SUMMARY
• Use a top-down approach
  • Chapter 2 talks about identifying assets and risks and developing security requirements
  • Chapter 5 talks about logical design for security (secure topologies)
  • Chapter 8 talks about the security plan, policy, and procedures
  • Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design

REVIEW QUESTIONS
• How does a security plan differ from a security policy?
• Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
• What are some methods for keeping hackers from viewing and changing router and switch configuration information?
• How can a network manager secure a wireless network?

9.5
DEVELOPING NETWORK MANAGEMENT STRATEGIES
Copyright 2010 Cisco Press & Priscilla Oppenheimer

NETWORK MANAGEMENT
• Helps an organization achieve availability, performance, and security goals
• Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met
• Facilitates scalability
• Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades

NETWORK MANAGEMENT DESIGN
• Consider scalability, traffic patterns, data formats, and cost/benefit tradeoffs
• Determine which resources should be monitored
• Determine metrics for measuring performance
• Determine which data to collect, and how much

PROACTIVE NETWORK MANAGEMENT
• Plan to check the health of the network during normal operation, not just when there are problems
• Recognize potential problems as they develop
• Optimize performance
• Plan upgrades appropriately

NETWORK MANAGEMENT PROCESSES ACCORDING TO THE ISO
• Fault management
• Configuration management
• Accounting management
• Performance management
• Security management

NETWORK MANAGEMENT COMPONENTS
• A managed device is a network node that collects and stores management information
• An agent is network-management software that resides in a managed device
• A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents

NETWORK MANAGEMENT ARCHITECTURE
[Figure: an NMS with its management database communicates with the managed devices; each managed device runs an agent with its own management database.]

ARCHITECTURE CONCERNS
• In-band versus out-of-band monitoring: in-band control passes control data on the same connection as the main data; out-of-band control passes control data on a separate connection from the main data. In-band is easier to develop, but results in management data being impacted by network problems
• Centralized versus distributed monitoring: centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC)

REVIEW QUESTIONS
• Why is network management design important?
• Define the five types of network management processes according to the ISO.
• What are some advantages and disadvantages of using in-band network management versus out-of-band network management?
• What are some advantages and disadvantages of using centralized network management versus distributed network management?