Cisco Discovery 4 Module 1 Picture Descriptions

1.0 Chapter Introduction

1.0.1 Introduction Slideshow

Slide one text: "Network designers ensure that our communication networks are able to adjust and scale to the demands for new services."

Slide two text: "To support our new network-based economy, designers must work to create networks that are available nearly 100 percent of the time."

Slide three text: "Information network security must be designed to automatically protect against unexpected security incidents."

Slide four text: "Using hierarchical network design principles and an organized design methodology, designers create networks that are both manageable and supportable."

Slide five text: "By successfully completing this chapter, you will be able to:
- Review the benefits of a hierarchical network design
- Explain the design methodology used by network designers
- Describe the various design considerations at each area of the network:
  o The Core, Distribution and Access Layers
  o The network Enterprise Edge
  o The Data Centre Server Farm
  o Remote Worker Support
  o Enterprise Wireless"

1.1 Discovering Network Design Basics

1.1.1 Network Design Overview

2 Diagrams

Diagram 1, image
5 pictures of various people at work are shown. Pop-up text for each image is as follows.
Step 1: Verify the business and technical needs
Step 2: Determine the features and functions required to meet the needs identified in step 1
Step 3: Perform a network readiness assessment
Step 4: Create a solution and site acceptance test plan
Step 5: Create a project plan

Diagram 2, relational
The diagram depicts several small networks connected to switches. The central switch that all other switches connect to also connects to a router. An image of a clipboard has the following terms listed, and a dialog box appears when a term is selected.
Scalability: Scalable network designs are able to grow to include new user groups and remote sites, and can support new applications without impacting the level of service delivered to existing users.
Availability: A network designed for availability is one that delivers consistent, reliable performance, 24 hours a day, 7 days a week. Additionally, the failure of a single link or piece of equipment should not significantly impact network performance.
Security: Security is a feature that must be designed into the network, not added on after the network is complete. Planning the location of security devices, filters, and firewall features is critical to safeguarding network resources.
Manageability: No matter how good the initial network design is, the available network staff must be able to manage and support the network. A network that is too complex or difficult to maintain cannot function effectively and efficiently.

1.1.2 - The Benefits of a Hierarchical Network Design

4 Diagrams

Diagram 1, animation
The animation begins with a "flat switched network". In this design, groups of computers are connected to a switch; in this case 3 groups of computers each connect to their own switch (we call it the access layer switch). The switches are connected together as a backbone. As the animation continues, an additional layer of switches is displayed (these connect to the access layer switches). These are the Distribution layer switches. The 3 distribution layer switches all connect to a single Core layer switch. Hence we have a hierarchical network. From the top down, a single Core layer switch connects to 3 Distribution switches. These Distribution layer switches connect to the Access layer switches that have the computers connected.

Diagram 2, relational
In this diagram several network architecture blocks are displayed. In the enterprise campus block we have building access, building distribution and campus core layers.
The core layer connects to the server farm and data centre (network management). This block connects to the "Enterprise Edge". The enterprise edge block contains e-commerce, Internet connectivity, WAN and Metro Ethernet site-to-site VPN, and Remote access and VPN blocks. The enterprise edge connects to the WAN and Internet block. This block contains ISP A, ISP B, Frame Relay/ATM/Metro Ethernet and PSTN blocks. The WAN and Internet block connects to 2 other single boxes, Enterprise branch and Enterprise teleworker. A description of each is below.

Building Access: This Access Layer module contains Layer 2 or Layer 3 switches to provide the required port density. Implementation of VLANs and trunk links to the Building Distribution layer occurs here. Redundancy to Building Distribution switches is important.
Building Distribution: This Distribution Layer module aggregates building access using Layer 3 devices. Routing, access control, and QoS are performed at this layer. It is critical to provide redundancy in this area.
Campus Core: This Core Layer module provides high-speed interconnectivity between Distribution Layer modules, data center server farms, and the Enterprise Edge. Redundancy, fast convergence, and fault tolerance are the focus of the design in this area.
Network Management: This critical area monitors performance by monitoring device and network availability.
Server Farm: This module provides high-speed connectivity and protection for servers. It is critical to provide security, redundancy, and fault tolerance in this area.
Enterprise Edge: This module extends the enterprise services to remote sites and enables the enterprise to use Internet and partner resources. It provides QoS, policy enforcement, service levels, and security.

Diagram 3, image
This diagram depicts an example topology that uses the hierarchical design.
Each building in an enterprise campus connects to the campus backbone, with various services being handled by devices (such as firewalls, web servers, etc.) within the enterprise edge.

Diagram 4, activity
Match the characteristics of the hierarchical model and the Cisco Enterprise Architecture to the correct layer or area.
A: Provides redundancy and fast convergence between other network layers or modules
B: Aggregates access devices and supports routing, access control, and QoS
C: Provides network connectivity for hosts and end devices
D: Provides network support for all enterprise services within a campus
E: Protects server resources with reliable, high-speed connectivity
F: Extends enterprise services to remote sites and provides connectivity to external sites using QoS, policy enforcement, service levels, and security
1: Access Layer
2: Enterprise Campus
3: Core Layer
4: Enterprise Edge
5: Distribution Layer
6: Server Farm

1.1.3 - Network Design Methodologies

4 Diagrams

Diagram 1, image
Diagram depicts several people sitting around a table. Two speech bubbles are shown.
Worker 1: "What business goals do you want to accomplish with the network upgrade?"
Worker 2: "Our network designers need to schedule a meeting with your IT manager to gather information about your current network infrastructure."

Diagram 2, image
This diagram depicts an example topology that uses the hierarchical design. Each building in an enterprise campus connects to the campus backbone, with various services being handled by devices (such as firewalls, web servers, etc.) within the enterprise edge.

Diagram 3, animation
Uses the same topology described in previous diagrams. Each of the points in the text is linked to an area of the network as described in the text body.
Diagram 4, activity
Match the proposed design change with the project scope (entire network or only a portion of the network).
1: Add server farm bandwidth
2: Provide Core Layer redundancy
3: Add a wireless access point
4: Add new security policies
5: Upgrade WAN bandwidth
6: Routing protocol change
7: Centralize servers and services

1.2.1 What Happens at the Core Layer?

3 Diagrams

Diagram 1, image
Diagram depicts a network consisting of several PCs and IP phones connected to workgroup switches. The switches connect to multilayer switches, which in turn connect to the Core layer multilayer switches. The core layer connects to the firewall/routers that connect to the Internet.

Diagram 2, image
Diagram depicts a complex network showing the concept of a mesh topology. 2 server farms are connected to the Core layer switches. Each building (3 shown) includes the Access layer switches connected to the Distribution layer switches, which in turn connect to the Core layer switches. Key in this diagram is that there are many connections between each layer.

Diagram 3, Packet Tracer activity

1.2.2 Network Traffic Prioritization

1 Diagram, image
Figure shows a pie chart with the following data:
Causes of Network Outages (Source: Gartner; Copyright 2001)
40% Human errors
20% Environmental factors, HW, OS, power, disasters
40% Application failures

1.2.3 Network Convergence

2 Diagrams

Diagram 1, animation
Diagram depicts a large, complex group of interconnected networks. The animation shows network routing updates being propagated throughout the various networks until convergence occurs.

Diagram 2, Packet Tracer activity

1.3.1 What Happens at the Distribution Layer?

3 Diagrams

Diagram 1, image
Same network topology as in 1.2.1, with the Distribution Layer highlighted.

Diagram 2, image
Same diagram as in previous sections is used to highlight the connections between the several Distribution Layer switches and the Core Layer.
Multiple (mesh) connections exist between each of the Distribution Layer switches and the Access Layer switches.

Diagram 3, Packet Tracer exercise

1.3.2 Limiting the Scope of Network Failure

2 Diagrams

Diagram 1, image
Diagram explained sufficiently in text body.

Diagram 2, Packet Tracer exercise

1.3.3 Building a Redundant Network

2 Diagrams

Diagram 1, interactive activity
Diagram consists of 4 switches connected in a square (see below if a description is needed). There are 2 scenarios, one without STP and one with. Without STP, a PC attached to switch 1 sends a broadcast packet. The packet travels to switch 1, switch 1 passes the packet on to switches 2 and 4, switches 2 and 4 broadcast on to switch 3, and switch 3 broadcasts the packet from switch 2 to switch 4 (the same happens for the packet from switch 4, which is sent on to switch 1), so loops exist. With STP, one port is blocked (from switch 1 to switch 4 in this case) so a loop does not exist.
Topology: PC connected to switch 1, switch 1 to switch 2, switch 2 to switch 3, switch 3 to switch 4 and switch 4 back to switch 1.

Diagram 2, animation
Diagram depicts the 4 switches connected in a loop as previously described. A server on switch 3 sends a packet to the host on port 1. The link between switch 4 and switch 1 is blocked by the STP calculation. If the link between switch 3 and switch 2 fails, the following occurs.
Switch 2: A link is down. I need to recalculate the STP tree.
All switches: Busy recalculating STP.
Switch 3: I need a new root port.
Switch 4: My port status will change.
Switch 1: My root port remains the same.
Switch 2: I can still see connectivity to all switches.
And the packets may now continue to flow.

1.3.4 Traffic Filtering at the Distribution Layer

4 Diagrams

Diagram 1, activity
Diagram depicts a network consisting of 3 hosts, 3 switches and 3 routers. There are 3 buttons on the activity: No ACL, Standard ACL and Extended ACL.
Host 1 (H1) has the IP address 192.168.1.55 and connects to switch 1 (S1); S1 connects to router 2 (R2). Host 2 (H2) connects to switch 2 (S2), which is also connected to R2. R2 connects to router 1 (R1), and R1 connects to switch 3 (S3), where host 3 (H3) is connected.
When the No ACL button is selected, a speech bubble above R2 states "With no ACL in place, all traffic from 192.168.11.0/25 is allowed."
When the Standard ACL button is selected, H2 is shown to have the IP network address 192.168.30.0/25. A speech bubble above R2 says "If a standard ACL is applied here, all traffic from 192.168.11.0/25 is blocked."
When the Extended ACL button is selected, a speech bubble above R2 says "If an extended ACL is applied here, telnet and FTP traffic from 192.168.11.55 is blocked, all other traffic is allowed." Other text boxes also appear showing the traffic blocked (no additional info beyond the speech bubble).
There is also a More Info button that displays the following text. This list contains a quick review of the rules for designing and applying access control lists (ACLs):
* There can be one ACL per protocol per direction per interface.
* Standard ACLs should be applied closest to the destination.
* Extended ACLs should be applied closest to the source.
* The inbound or outbound interface should be referenced as if looking at the port from inside the router.
* Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found, the packet is denied and discarded.
* There is an implicit "deny any" at the end of all ACLs. This statement does not appear in the configuration listing.
* The network administrator should configure access control list entries in an order that filters from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
* The match condition is examined first. The "permit" or "deny" is examined only if the match is true.
* Never work with an ACL that is actively applied.
* Use a text editor to create comments that outline the logic. Then fill in the statements that perform the logic.
* The default behaviour is that new lines are always added to the end of the ACL. A no access-list x command removes the whole list.
* An IP access control list sends an Internet Control Message Protocol (ICMP) host unreachable message to the sender of the rejected packet and discards the packet in the bit bucket.
* An ACL should be removed carefully. Removing an access list immediately stops the filtering process.
* Outbound filters do not affect traffic that originates from the local router.

Diagram 2, activity
Match the correct ACL to the appropriate statement.
A: A standard access list that allows you to permit traffic from 172.16.3.XXX
B: A standard access list that allows you to deny traffic from 172.16.5.2
C: A standard access list that allows you to permit traffic from any host
D: A standard access list that allows you to permit traffic from 172.16.5.5
1: access-list 10 permit 172.16.3.0 0.0.0.255
2: access-list 1 deny 172.16.5.2 0.0.0.0
3: access-list 10 permit 172.16.5.5 0.0.0.0
4: access-list 10 permit any

Diagram 3, Packet Tracer exercise

Diagram 4, Hands-on Lab

1.3.5 - Routing Protocols at the Distribution Layer

2 Diagrams

Diagram 1, activity
Diagram depicts a network consisting of 4 switches and 3 routers. 2 switches are connected to R1. Connections are on fa0/0, IP address 172.18.0.0/16, and fa0/1, IP address 192.168.19.0.0/16. R1 connects to R2 on 172.17.0.0/16. R2 has a switch connected on fa0/0, IP address 172.16.0.0/16, and a connection to R3, IP address 172.16.0.0.0-172.19.0.0. These are marked as individual routes. When the Summarized Routes button is selected, the list of individual routes changes to the summary route 172.16.0.0/14. The key is the change from 4 routes with a /16 subnet mask to one route with a /14 subnet mask.

Diagram 2, activity
Diagram depicts 3 routers, A, B and C, connected to a cloud (labeled Core).
Each router has a number of connections/subnets attached as per the list below. There are 3 questions to answer: What is the appropriate summary route for each router to the Core?
Router A: 172.16.199.0/24, 172.16.200.0/24, 172.16.201.0/24, 172.16.202.0/24
Router B: 172.16.28.0/24, 172.16.27.0/24, 172.16.26.0/24, 172.16.25.0/24
Router C: 172.16.160.0/21, 172.16.168.0/21, 172.16.176.0/21, 172.16.184.0/21

1.4.1 - What Happens at the Access Layer?

4 Diagrams

Diagram 1, image
Same diagram as in previous sections is used to highlight the connections between the several Distribution Layer switches and the Core Layer. Multiple (mesh) connections exist between each of the Distribution Layer switches and the Access Layer switches. The Access Layer is highlighted.

Diagram 2, image
Diagram depicts several devices connected to a switch.

Diagram 3, image
A screen capture from the Cisco Network Assistant application.

Diagram 4, Packet Tracer exercise

1.4.2 - Network Topologies at the Access Layer

2 Diagrams

Diagram 1, activity
Diagram depicts 2 networks, one a star connection of multilayer switches, the other a mesh connection of the same switches. Buttons allow a view of a photo of equipment configured in both topologies.

Diagram 2, Packet Tracer exercise

1.4.3 - How VLANs Segregate and Control Network Traffic

2 Diagrams

Diagram 1, animation
Diagram depicts 7 hosts connected to a switch. When a broadcast is sent, all PCs receive the message. Once VLANs segregate the traffic, only hosts on the VLAN where the broadcast originates receive the message.

Diagram 2, Hands-on Lab

1.4.4 - Services at the Network Edge

1 Diagram, image
Diagram depicts several network devices connected to a router. They are an IP phone, a computer running financial transactions and a web application (server perhaps). The VoIP packets get high priority and are sent first when possible, financial packets get medium priority and the web traffic low priority.
A caption states "All communication has access to the media, but higher priority communication has a greater percentage of the packets."

1.4.5 - Security at the Network Edge

2 Diagrams

Diagram 1, image
Contains no useful information.

Diagram 2, Hands-on Lab

1.4.6 - Security Measures

3 Diagrams

Diagram 1, animation
Diagram depicts an unauthorized person sneaking into a room.

Diagram 2, Hands-on Lab

Diagram 3, Hands-on Lab

1.5.1 - What is a Server Farm?

2 Diagrams

Diagram 1, activity
Diagram has 2 buttons, Centralised and Decentralised. It shows a network with servers scattered through the access layer when Decentralised. When Centralised, all servers are attached to a separate network but grouped together in their own access layer.

Diagram 2, Packet Tracer exercise

1.5.2 - Security, Firewalls, and DMZs

2 Diagrams

Diagram 1, image
Diagram depicts a network topology with 3 types of servers: Web, Database and Application. Each group of servers connects to access layer switches, which in turn connect to a block labeled Aggregation. The Aggregation block connects to IDS1, IDS2 and IDS3. Explanations of each block are below.
IDS: Host-based and network-based intrusion detection and prevention systems
Aggregation: Contains firewall, network analysis, LAN switch security features and management, and load balancer
Additionally, the diagram ties certain areas together: IDS, access layer switches and servers; firewall and servers.

Diagram 2, animation
The animation displays the move from traditional to multilayer security topologies. The traditional topology displays the DMZ servers, corporate LAN servers and internal protected servers, each connected via separate links to the firewall/router that connects to the Internet.
The animation displays the addition of other security devices as below:
- Cisco ASA with firewall and IDS services, added between the Internet and the firewall/router
- Multilayer switching with filtering, added between the ASA and each network (replaces the firewall/router)
- Intrusion protection, added between the multilayer switch and the internal protected servers, labeled intrusion prevention

1.5.3 - High Availability

2 Diagrams

Diagram 1, image
Depicts many links between the Access layer and Distribution layers. Some are primary links, others are secondary links.

Diagram 2, Packet Tracer exercise

1.6.1 - Considerations Unique to WLAN

2 Diagrams

Diagram 1, image
Diagram depicts a network topology. Wireless clients connect to access points, which are wired into "floor" switches. These switches connect to backbone switches that in turn connect to a router. The router connects to the WAN/Internet and authentication servers.

Diagram 2, image
Explained in text body.

1.6.2 - Considerations Unique to WLAN

1 Diagram, activity
Activity has 2 buttons, Open Guest Access and Secured Employee Access. Topology shows Data, Voice and Guest access, each with its own SSID. The access point has Data, Voice and Guest VLANs to a switch. A More Info text box contains the following:
One of the primary benefits of wireless networking is the ease and convenience of connecting devices. Unfortunately, that ease of connectivity and the fact that the information is transmitted through the air makes a wireless network vulnerable to interception and attacks. Standard best practices for securing a wireless Access Point and the associated wireless transmissions include the following procedures:
- Modify the default SSID, and do not broadcast it unless necessary.
- Use strong encryption.
- Deploy mutual authentication between the client and the network using pre-shared keys or an implementation of Extensible Authentication Protocol (EAP).
- Use VPNs or WPA combined with MAC address control lists to secure business-specific devices.
- Use VLANs to restrict access to network resources.
- Ensure that management ports are secured.
- Deploy lightweight Access Points because they do not store security information locally.
- Physically hide or secure Access Points to prevent tampering.
- Monitor the exterior of the building and site for suspicious activity.
Some of these factors affect network design; for example, the location and type of authentication servers and VPN end-points, as well as the choice of lightweight Access Points. Other factors to consider when deciding on the WLAN design include:
- Determining the secure physical locations for wireless equipment
- Securing the wired network that WLANs connect to

1.7.1 - Design Considerations at the Enterprise Edge

1 Diagram, image
Identical to the diagram in 1.1.2.

1.7.2 - Integrating Remote Sites Into the Network Design

3 Diagrams

Diagram 1, image
Diagram depicts different connection types for differing users:
Medium-sized business: T1/E1, 1.544/2.48 (sic; should be 2.048) Mbps, connects via a service provider
Large business: T3/E3, 44.763 Mbps, connects via a service provider (SP)
Large business with branch offices in the same city: Metro Ethernet, 10 Gbps
Home user: DSL modem, connects via SP DSLAM, 512 kbps
Home user: Cable modem, connects via SP POP, 512 kbps
A More Info text box contains the following:
Multiprotocol Label Switching (MPLS)
Cisco IOS Multiprotocol Label Switching (MPLS) enables enterprises and service providers to build next-generation intelligent networks. MPLS encapsulates packets with an additional header containing "label" information. The labels are used to switch the packets through the MPLS network. MPLS can be integrated seamlessly over any existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet. MPLS is independent of access technologies.
MPLS technology is critical to scalable Virtual Private Networks (VPNs) and end-to-end quality of service (QoS). MPLS enables efficient use of existing networks to meet future growth and rapid fault correction of link and node failure. The technology also helps deliver highly scalable, end-to-end IP services with simpler configuration, management, and provisioning for both Internet providers and subscribers.

Diagram 2, image
No useful information contained.

Diagram 3, activity
Match the scenarios below with the appropriate WAN or VPN.
A: Evelyn is a production manager. She attends some meetings in person, but most of her work, including remote teleconferences, is done from her home office.
B: John supports multiple regions for a pharmaceutical company. He enters data from his sales calls into a corporate database when he returns to his home-based office.
C: Eduardo is a chemical engineer who performs geological studies all over the world. He needs to reach the corporate database from very
D: Kim works from her home. She must be able to exchange e-mail with her editor, publicist, and production personnel, and she likes writing outdoors.
1: VPN over DSL
2: VPN over a satellite modem
3: Wireless LAN connected to Internet
4: Enterprise teleworker using router supporting IP telephony and a VPN

1.7.3 - Redundancy and Backup Links

2 Diagrams

Diagram 1, animation
Provides no additional information to the main text.

Diagram 2, activity
Match the connectivity options to the appropriate "cloud". Topology is as follows: the Enterprise network, telecommuter, branch office and teleworker home PC all connect to various clouds; name the connections for each.
Enterprise: Primary, Backup, Internet
Telecommuter: Primary, Backup
Branch Office: Primary, Backup
Teleworker home PC: Primary, Backup
Available connection types are: Alternate Local Loop (Frame Relay), Dial-Up, DSL or Cable VPN, Frame Relay, Frame Relay (DS3), Internet VPN, Wireless Hotel, WAN

1.8.1 - Summary

4 Diagrams, click-through buttons

Diagram 1, text
* Good networks do not happen by accident. They are the result of hard work by network designers and technicians, who identify network requirements and select the best solutions to meet the needs of a business.
* The four fundamental technical requirements of network design are: Scalability, Availability, Security and Manageability.
* The Cisco Enterprise Architectures can be used to further divide the three-layer hierarchical design into modular areas. The modules represent areas that have different physical or logical connectivity.
* Large network design projects are normally divided into three distinct steps:
  * Step 1: Identify the network requirements.
  * Step 2: Characterize the existing network.
  * Step 3: Design the network topology and solutions.

Diagram 2, text continues
* Failure to correctly estimate the scope of a network upgrade project can greatly increase the cost and time required to implement the new design.
* Goals of the Core Layer design include:
  o Provide 100% uptime
  o Maximize throughput
  o Facilitate network growth
* Redundancy at the Core Layer enables the network to keep functioning even when a device or link fails.
* Layer 3 devices, including multilayer switches, are usually deployed at the Core Layer of the network.
* Most Core Layers in a network are wired in either a full mesh or partial mesh topology.
* Devices at the Core Layer usually contain redundant power supplies and hot-swappable components.
* Fast-converging routing protocols, such as OSPF or EIGRP, are the appropriate choice for the Core Layer.

Diagram 3, text continues
* The Distribution Layer represents a routing boundary between the Access Layer and the Core Layer.
* The design goals for the Distribution Layer are:
  o Filtering and managing traffic flows
  o Enforcing access control policies
  o Summarizing routes before advertising them to the core
  o Isolating the core from Access Layer failures or disruptions
  o Routing between Access Layer VLANs
* In the hierarchical design model, it is easiest and usually least expensive to control the size of a failure domain in the Distribution Layer.
* Redundancy at the Distribution Layer ensures that failure domains remain small.
* Providing multiple connections to Layer 2 switches can cause unstable behavior in a network unless STP is enabled.
* To filter network traffic, the router examines each packet and then either forwards or discards it, based on the conditions specified in the ACL. The criteria for the decisions can be:
  o Source address
  o Destination address
  o Protocols
  o Upper-layer port numbers
  o Whether the packet is part of an established stream

Diagram 4, text continues
* In addition to providing basic connectivity at the Access Layer, the designer needs to consider:
  o Naming structures
  o VLAN architecture
  o Traffic patterns
  o Prioritization strategies
* Most recent Ethernet networks use a star topology, which is sometimes called a hub-and-spoke topology.
* Using VLANs and IP subnets is the most common method for segregating user groups and traffic within the Access Layer network.
* Networks also need mechanisms to control congestion when traffic increases and queues for delivery.
* Congestion is caused when the demand on the network resources exceeds the available capacity.
* Classifying data at or near the source enables the data to be assigned the appropriate priority as it moves through the entire network.
* On some network devices, like routers and switches, physical access can provide the opportunity to change passwords and obtain full access to devices.
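
The ACL rules from 1.3.4 (statements processed top to bottom, first match wins, implicit "deny any" at the end) and the wildcard-mask entries from its matching activity, worked in Python as an added example that is not part of the course material. The lists ACL_20 and ACL_101 are constructed to reproduce the Standard ACL and Extended ACL speech bubbles; the destination addresses and the "deny" ordering in them are assumptions.

```python
"""ACL evaluation with IOS wildcard masks. Added example, not course material."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # address/wildcard pair that matches everything


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access control entry. Standard ACLs leave dst/proto/dport at 'any'."""
    action: str                    # "permit" or "deny"
    src: Tuple[str, str] = ANY     # (address, wildcard)
    dst: Tuple[str, str] = ANY
    proto: Optional[str] = None    # None matches any protocol (like "ip")
    dport: Optional[int] = None    # None matches any destination port


def _parse_target(t: List[str], i: int) -> Tuple[str, str]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at t[i]."""
    if t[i] == "any":
        return ANY
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0")
    # A bare address with no wildcard is treated as a single host, as IOS does.
    return (t[i], t[i + 1] if i + 1 < len(t) else "0.0.0.0")


def parse_standard_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines as shown in 1.3.4."""
    acl = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line}")
        acl.append(Ace(t[2], _parse_target(t, 3)))
    return acl


def evaluate(acl: List[Ace], src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, entry index); index -1 means the implicit deny fired."""
    for idx, ace in enumerate(acl):
        if not wildcard_match(src, *ace.src) or not wildcard_match(dst, *ace.dst):
            continue
        if ace.proto is not None and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx        # processed top to bottom; first match wins
    return "deny", -1                 # implicit "deny any" that never appears in the config


# Entries from the matching activity in 1.3.4 (list 10 permits, list 1 denies).
ACL_10 = parse_standard_acl([
    "access-list 10 permit 172.16.3.0 0.0.0.255",
    "access-list 10 permit 172.16.5.5 0.0.0.0",
    "access-list 10 permit any",
])
ACL_1 = parse_standard_acl(["access-list 1 deny 172.16.5.2 0.0.0.0"])

# "Standard ACL" button: a /25 is wildcard 0.0.0.127. Constructed to match the speech bubble.
ACL_20 = parse_standard_acl([
    "access-list 20 deny 192.168.11.0 0.0.0.127",
    "access-list 20 permit any",
])

# "Extended ACL" button: block telnet (23) and FTP control (21) from one host,
# permit everything else. Constructed; the destination "any" is an assumption.
ACL_101 = [
    Ace("deny", ("192.168.11.55", "0.0.0.0"), ANY, "tcp", 23),
    Ace("deny", ("192.168.11.55", "0.0.0.0"), ANY, "tcp", 21),
    Ace("permit"),                    # permit ip any any
]

if __name__ == "__main__":
    print(evaluate(ACL_10, "172.16.3.77"))                            # ('permit', 0)
    print(evaluate(ACL_20, "192.168.11.100"))                         # ('deny', 0)
    print(evaluate(ACL_1, "172.16.5.9"))                              # ('deny', -1)
    print(evaluate(ACL_101, "192.168.11.55", "10.0.0.5", "tcp", 23))  # ('deny', 0)
```

Note that ACL_1 on its own denies every source, not just 172.16.5.2, because the implicit deny catches everything the single entry does not match; that is the "specific first, general last" rule in action.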
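
The route summarization activities in 1.3.5 and the Distribution Layer goal "Summarizing routes before advertising them to the core", worked as an added example that is not course code. It computes the single covering prefix for each router's subnets and also lists the address space the summary would advertise that the router does not own, which is the check a designer makes before summarizing. The four /16 routes in DIAGRAM_1 are inferred from the 172.16.0.0/14 summary the activity shows.

```python
"""Route summarization for the 1.3.5 activities. Added example, not course material."""
import ipaddress
from typing import List


def summarize(prefixes: List[str]) -> str:
    """Smallest single prefix that covers every subnet in the list (order does not matter)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Start from the longest mask present and shorten it until one aligned
    # block containing the lowest address also reaches the highest address.
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        block = ipaddress.ip_network((lo, plen), strict=False)
        if int(block.broadcast_address) >= hi:
            return str(block)
        plen -= 1
    return "0.0.0.0/0"


def holes(prefixes: List[str]) -> List[str]:
    """Address space inside the summary that none of the listed subnets owns.
    Anything here is advertised to the core without a real route behind it."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p, strict=False) for p in prefixes)
    remaining = [ipaddress.ip_network(summarize(prefixes))]
    for n in nets:
        nxt = []
        for r in remaining:
            nxt.extend(r.address_exclude(n) if n.subnet_of(r) else [r])
        remaining = nxt
    return [str(r) for r in sorted(ipaddress.collapse_addresses(remaining))]


def extra_addresses(prefixes: List[str]) -> int:
    """Number of addresses the summary covers beyond the listed subnets."""
    return sum(ipaddress.ip_network(h).num_addresses for h in holes(prefixes))


# Subnet lists copied from the activity in 1.3.5.
ROUTER_A = ["172.16.199.0/24", "172.16.200.0/24", "172.16.201.0/24", "172.16.202.0/24"]
ROUTER_B = ["172.16.28.0/24", "172.16.27.0/24", "172.16.26.0/24", "172.16.25.0/24"]
ROUTER_C = ["172.16.160.0/21", "172.16.168.0/21", "172.16.176.0/21", "172.16.184.0/21"]
# Four /16 routes that collapse to the 172.16.0.0/14 shown by the "Summarized routes"
# button in Diagram 1 (inferred from that /14, since one of the /16s is garbled in the text).
DIAGRAM_1 = ["172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16"]

if __name__ == "__main__":
    for name, subnets in [("A", ROUTER_A), ("B", ROUTER_B), ("C", ROUTER_C)]:
        print(f"Router {name}: {summarize(subnets)} "
              f"(extra addresses {extra_addresses(subnets)}, holes {holes(subnets)})")
    print("Diagram 1:", summarize(DIAGRAM_1))
```

Router C summarizes cleanly because its four /21s are aligned and contiguous; Routers A and B do not, so their summaries claim address space the routers cannot actually reach.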