Module 5.0 - Creating the Network Design

5.0 - Chapter Introduction

5.0.1 - Introduction
Single Diagram

Diagram 1, Slideshow
It is critical to the success of a network design project that all of the business goals are addressed by the new design. Determining which elements to include in the design is a multi-step process. At each step, the network designer takes into account the goals and requirements, the capabilities of the existing network, and the new technologies that need to be integrated. To produce the final design, the network designer chooses the equipment and technology solutions that best meet the goals and requirements of the customer.

5.1 - Analyzing the Requirements

5.1.1 - Analyzing Business Goals & Technical Requirements
Four Diagrams

Diagram 1, Image
Step 1. List the business goals that must be met by the new design:
* Provide a better atmosphere and safety for people attending events.
* Reduce costs by consolidating the separate voice, video and data networks.
* Provide better customer service by improving access to the web site for viewing schedules, purchasing and printing tickets, and purchasing merchandise.
* Support the growth of the stadium company as it expands and adds new types of entertainment, new partners and vendors.

Step 2. Determine what changes or additions are necessary for the business to meet its goals:
1. Provide 24-hour access to the cameras and stored video, both through the local network and over the Internet.
2. Support an automated ticket scanning process to speed customer entry into the stadium.
3. Provide additional wireless coverage to meet customer demands.
4. Improve and expand the number of vendors and services offered within the stadium complex.

Step 3. Decide what the technical requirements are to meet each network goal:
1. Provide 24-hour access to the cameras and stored video, both through the local network and over the Internet.
* Connect the security monitoring network to the LAN.
* Provide restricted access to the camera devices and video storage server.
* Provide web access to the cameras and stored video.
* Ensure availability of the security monitoring network.

Step 4. Determine the design implications of each technical requirement:
Connect the security monitoring network to the LAN.
* Decide where in the LAN to connect the security monitoring network (Access Layer? Distribution Layer? Core Layer?).
* Decide on the necessary equipment capabilities: What bandwidth is necessary? How many connections are required? Is it a routed or switched connection?

Step 5. Decide which design elements must be present in the final design:
* A routed connection to the Core Layer provides access to the video from both the local LAN and the Internet.
* The firewall features on the router enable configuration of access restrictions, to ensure that only authorized stations view the video.

Diagram 2, Tabular
Constraint: Budget
Gathered Information:
* No plans to fund redundancy at the Access Layer. Must also reuse sixteen existing 2960-48TT switches.
* New cable runs are not funded, except for fiber to connect new wireless access points.
Designer's Notes: Since the 2960s only support Layer 2 services, Layer 3 wiring closets will not be possible. The two pairs of fiber to each closet can support a connection to a pair of distribution switches.

Constraint: Policy
Gathered Information:
* The management guideline was to use ISP-managed VPNs across the Internet for low-cost remote connectivity. (This is under review.)
Designer's Notes: Since the QoS and SLA support needed for the business applications is not available through the local ISP, alternate WAN technologies need to be investigated.

Constraint: Schedule
Gathered Information:
* The timeframe for implementing a major change is approximately four months, the time until the primary sports season starts.
Designer's Notes: Need to consider the time required for the installation and turn-up of any new circuits and equipment.

Constraint: Personnel
Gathered Information:
* There is no plan to add additional staff.
Designer's Notes: Currently understaffed for the planned network expansion, with only one network administrator, three network technicians and one manager. Staff need immediate training in wireless and IP telephony. Look to reduce complexity.

Diagram 3, Activity
Identify which business goals and technical requirements impact the network design decisions.

Question 1
The stadium needs wireless connectivity for handheld devices; however, the concrete structure is causing some dead spots in certain areas of the walkway ramps in initial testing of the design. The access points selected do not have an antenna option that can provide the necessary coverage. Changing the access point model or increasing the number of access points in the design will significantly increase the cost. Which two design constraints will cause the designer to have to make a trade-off in the wireless coverage in the press box? (Choose two.)
A. Budget
B. Policy
C. Schedule
D. Personnel
E. Technical

Question 2
Equipment and supplies are being taken from the stadium locker room. The designer recommends that wireless cameras be installed, but a statement in the players' contracts prohibits videotaping in the locker room without federation approval. Which design constraint restricts the use of the wireless cameras?
A. Budget
B. Policy
C. Schedule
D. Personnel
E. Technical

Question 3
When the players and coaches are checking email on their handheld devices they frequently lose connectivity and have to reconnect to the network. The problem is that quality of service (QoS) needs to be implemented in the network design, but the technical staff members are not trained in QoS and there is not enough money to hire a consultant. Which two design constraints are affected? (Choose two.)
A. Budget
B. Policy
C. Schedule
D. Personnel
E. Technical

Diagram 4, Hands-on Lab

5.1.2 - Requirements for Scalability
Four Diagrams

Diagram 1, Existing Wireless APs
Schematic of the stadium showing the existing wireless access points.
Planned Wireless APs
Schematic of the stadium showing the planned wireless access points.

Diagram 2, Image
* Build and test a sample Access Layer modular block to see the effect of adding devices to the network. Use this tested design as the template to make it easier to scale the network.
* Use Layer 3 devices at the Distribution Layer to filter and reduce traffic to the network core. With a modular Layer 3 Distribution Layer design, new Access Layer modules can be connected without requiring major reconfiguration.
* Careful IP address planning eliminates the need to re-address the network to support additional users and services. Route summarization reduces the routing table size. Small routing tables improve network convergence time.
* Modules can be added to the existing equipment to support new features and devices without requiring major equipment upgrades. Some devices can be integrated in a cluster to act as one device, to simplify management and configuration.
* Combining multiple Ethernet links into a load-balanced EtherChannel configuration increases available bandwidth. EtherChannel can be used when budget restrictions prohibit purchasing high-speed interfaces and fiber runs.
* Keep VLANs local to the wiring closet to minimize the need for Spanning Tree configurations. This design speeds network convergence and increases scalability and stability.

Diagram 3, Activity
Image shows a schematic of the stadium with 33 access points.
Based on the number of planned APs, and an estimate of 20 data devices per AP, approximately how many wireless devices can the proposed stadium network support?
A. 40 data devices
B. 320 data devices
C. 680 data devices
D. 680 voice and data devices
E. 940 data devices
F. 940 voice and data devices

Diagram 4, Hands-on Lab

5.1.3 - Requirements for Availability
Five Diagrams

Diagram 1, Image
Image shows the network layer for the stadium, including the security, telephony, firewalls, servers and clients.

Diagram 2, Image
Network diagram showing the data center and a variety of servers, including file server/video surveillance, DNS, e-commerce database and web.
Availability strategies for servers:
* Multiple network interface cards
* UPS power backup
* RAID disk controllers
* Multiple power supplies
* Monitoring through a management software package with alerting on errors

Diagram 3, Image
A network diagram of the data center showing Internet and WAN connections via firewalls Edge1 and Edge2. The image also shows Layer 3 switches, Layer 2 switches and the other equipment mentioned in Diagram 2.
Availability strategies for the Internet/Enterprise Edge:
* Dual ISP providers, or dual connectivity to a single provider
* Co-located servers
* Secondary DNS servers
Availability strategies for routers:
* Redundant power supplies, UPS, and generator power
* Redundant devices
* Redundant links
* Out-of-band management
* Fast-converging routing protocols
Availability strategies for Layer 3 switches:
* Redundant power supplies, modules, and devices
* UPS and generator power
* Hot-swappable cards and controllers
* Redundant links
* Out-of-band management
* Fast-converging routing protocols
Availability strategies for Layer 2 switches:
* Redundant power supplies, modules, and devices
* Hot-swappable cards and controllers
* Redundant links
* UPS and generator power

More Information
The documents at Cisco.com are excellent references when planning the implementation of an IP telephony system, such as http://www.cisco.com/en/US/netsol/ns641/networking_solutions_packages_list.html

Diagram 4, Activity
Identify how various availability strategies improve the reliability of the network and limit the effects of failures.

Question 1
All of the statements relate to an advantage of having Power over Ethernet (PoE) except one. Select the statement that does not provide a high-availability or good design strategy.
A. Provides access point redundancy
B. Reduces the amount of electrical wiring
C. Needed for access points
D. Provides power to IP phones
E. Serves as a connectivity option for network-based surveillance cameras

Question 2
What are two advantages of having dual NICs installed in the DHCP server? (Choose two.)
A. Distribution Layer redundancy
B. Load balancing for DHCP activity
C. Provides connectivity for IP phones
D. Provides redundancy in case of host NIC failure
E. Provides connectivity to hosts in case of a single network card failure

Question 3
What is an advantage of having two links connected between switches when one of the switches has a server attached?
A. Provides redundancy in case a single switch fails
B. Provides connectivity to the other switch when the link to the server fails
C. Provides power to the other switch when the other switch has lost AC power
D. Provides connectivity when one of the links between the switches fails

Diagram 5, Hands-on Lab

5.1.4 - Requirements for Network Performance
Two Diagrams

Diagram 1, Image
Shows network performance as seen from the user perspective and from the management perspective, with the network technology in between.
User Perspective: "I need my applications to perform properly."
* Data transactions
* Video
* Voice
Manager Perspective: "I need to manage bandwidth to deliver application performance."
* Delay
* Jitter
* Packet loss
Network Performance Critical Applications:
Transaction Processing: The stadium set a goal to provide a response time of under three seconds for the primary applications using its database servers.
Video Distribution and Monitoring: The vision of the stadium management is to provide live, high-quality video throughout the stadium. Management also needs the surveillance camera video quality to be high.
IP Telephone Voice Quality: User expectations for voice quality are high. Users expect that there will be no difference between their current digital phone voice quality and the new IP telephone sets.

Diagram 2, Image
Image not relevant.

5.1.5 - Requirements for Security
Two Diagrams

Diagram 1, Image
Diagram shows the enterprise network with marked areas showing the following sections:
* Data Center
* Core
* Distribution
* Access
* Enterprise Edge
* Internet
* Frame Relay
* Remote Worker
* Branches
Recommended security for the following devices:
* Multi-Layer Switch: multi-layer switches with integrated firewall, IDS, and VPN services
* Host-based Security Services: firewalls, Cisco Security Agent
* Integrated Routers: IOS firewalls, IPS and VPN services

Diagram 2, Hands-on Lab

5.1.6 - Making Network Design Tradeoffs
Two Diagrams

Diagram 1, Image
A man sitting in his chair reading the following text:
1. Provide a better atmosphere and safety for people attending events.
2. Reduce costs by consolidating the separate voice, video, and data networks.
3. Provide better customer service by improving access to the website for viewing schedules, purchasing and printing tickets, and purchasing merchandise.
4. Support the growth of the Stadium Company as it expands and adds new types of entertainment, new partners, and new vendors.
The man says to himself: "I have to give wireless access to the luxury box users and the restaurant. I will need to isolate those guest users on a separate VLAN so they won't be a security risk to the Stadium Company."

Diagram 2, Activity
Based on the prioritized business goals of the StadiumCompany, make design decisions. Select the highest-priority design option for the StadiumCompany.
Business Goal Summary:
1. Provide better atmosphere and safety
2. Reduce costs
3. Provide better customer service
4. Support growth
Show More Details
Stadium Company Business Goals:
1. Provide a better atmosphere and safety for people attending events.
* Provide 24-hour service over the network and the web for the security video monitoring.
* Automate the customer entry process with a computerized ticket scanning system.
* Add additional wireless coverage to meet customer demand.
* Improve the customer experience by providing customized services for different categories of customers.
* Improve the vendor experience by streamlining the ordering of supplies and automating the customer order processes.
2. Reduce costs by consolidating the separate voice, video, and data networks.
* Reduce telephony costs and add remote sites to the local telephone system.
* Provide additional services, like voice and video, to the remote sites.
3. Provide better customer service by improving access to the website for viewing schedules, purchasing and printing tickets, and purchasing merchandise.
* Streamline on-line ticket purchasing.
* Improve server security and control access to network resources.
* Create an on-line customer service site.
4. Support the growth of the StadiumCompany as it expands and adds new types of entertainment, new partners, and new vendors.
* The network design will support anticipated growth rates from 50% to 75%.
* Minimize downtime, as new services have new availability requirements.

Question 1
Which option should be implemented first?
A. Implement redundant on-line ticket purchase servers.
B. Implement network access control software that provides centralized authentication for both wired and wireless users to improve server security.
C. Upgrade the WAN connections to support voice and video to the remote sites.

Question 2
Which option should be implemented first?
A. Integrate surveillance video cameras into the network to save costs and so that video footage can be viewed 24 hours a day.
B. Install a UPS and backup generator to help minimize server and network downtime.
C. Create and staff a web-based on-line customer service site.

Question 3
Which option should be implemented first?
A. Implement network access control software that provides centralized authentication for users to improve server security.
B. Implement wireless APs to support team areas, luxury boxes, restaurant and press areas.
C. Implement IP telephony for additional applications such as directory services.

5.2 - Selecting the Appropriate LAN Topology

5.2.1 - Designing an Access Layer Topology
Four Diagrams

Diagram 1, Image
Network diagram showing how the Internet connects to the network via a firewall, which is then connected to the core, then the distribution and then the access component of the network, which consists of switches, modems, IP phones and clients.

Diagram 2, Image
Network diagram of a three-port switch. P1 connects to a switch, P2 connects to a Cisco IP Phone and P3 connects to a client.

Diagram 3, Image
Image of a 2960 switch.

Diagram 4, Image
The same network diagram as Diagram 1, with the Access Layer highlighted.

5.2.2 - Designing Distribution Layer Topology
Three Diagrams

Diagram 1, Image
Image of a Catalyst 4305.

Diagram 2, Image
The same network diagram as in 5.2.1, Diagram 1, with the distribution portion highlighted, showing pictures of multi-layer switches.

Diagram 3, Packet Tracer Exploration

5.2.3 - Designing Core Layer Topology
Three Diagrams

Diagram 1, Image
Image of a Cisco WS-C6504-E.
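The Core Layer switch shown above carries the routes that the Distribution Layer advertises, and 5.1.2 lists careful IP address planning and route summarization as the scalability measures that keep that table small. The Python below is an added example, not part of the course materials: it carves one address block per Access Layer module into per-VLAN subnets, computes the single summary route each distribution switch would advertise toward the core, and shows what happens when two blocks are not aligned and a summary has to cover a gap. The /22-per-closet plan, the VLAN roles and every address are assumptions constructed for illustration.

```python
"""Added example: per-closet address blocks and the summary route each
Distribution Layer switch advertises toward the core. All addresses here are
constructed for illustration; the course gives no real addressing plan."""
from ipaddress import IPv4Network
from typing import Dict, Iterable, List, Tuple

# Assumed plan: one /22 per Access Layer module (wiring closet), carved into
# /24 subnets, one per VLAN role. Blocks are aligned so each summarizes to
# exactly one prefix with no unused space inside the summary.
CLOSET_BLOCKS = {
    "closet-A": "172.18.0.0/22",
    "closet-B": "172.18.4.0/22",
    "closet-C": "172.18.8.0/22",
}
VLAN_ROLES = ["data", "voice", "wireless", "spare"]  # 4 x /24 fills a /22


def carve_vlans(block: str, roles: List[str]) -> Dict[str, IPv4Network]:
    """Assign one /24 per VLAN role from a closet block, in order. Raises if
    the block cannot hold every role; catching that at planning time is what
    avoids a later re-address of the network."""
    subnets = list(IPv4Network(block).subnets(new_prefix=24))
    if len(roles) > len(subnets):
        raise ValueError(f"{block} holds {len(subnets)} /24s, need {len(roles)}")
    return dict(zip(roles, subnets))


def summary_route(prefixes: Iterable[str]) -> IPv4Network:
    """Smallest single prefix covering every subnet: the route the
    distribution switch advertises instead of each individual /24."""
    nets = [IPv4Network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def overclaimed(summary: IPv4Network, prefixes: Iterable[str]) -> List[IPv4Network]:
    """Address space the summary advertises but no VLAN uses. The summary
    attracts traffic for it and the switch then drops it; if another module is
    later assigned that space, the summary has to be re-planned."""
    leftover = [summary]
    for p in prefixes:
        net = IPv4Network(p)
        remaining = []
        for chunk in leftover:
            if net.subnet_of(chunk):
                remaining.extend(chunk.address_exclude(net))
            else:
                remaining.append(chunk)
        leftover = remaining
    return sorted(leftover)


def routing_table_size(blocks: Dict[str, str], roles: List[str]) -> Tuple[int, int]:
    """(routes the core learns without summarization,
        routes the core learns with one summary per module)."""
    per_vlan = sum(len(carve_vlans(b, roles)) for b in blocks.values())
    return per_vlan, len(blocks)


if __name__ == "__main__":
    for closet, block in CLOSET_BLOCKS.items():
        vlans = carve_vlans(block, VLAN_ROLES)
        prefixes = [str(n) for n in vlans.values()]
        summary = summary_route(prefixes)
        print(f"{closet}: advertise {summary}; unused inside it: {overclaimed(summary, prefixes)}")
    print("core routes (unsummarized, summarized):", routing_table_size(CLOSET_BLOCKS, VLAN_ROLES))
    # Badly planned: blocks that are not adjacent force one summary across a gap.
    gap_blocks = ["172.18.0.0/22", "172.18.8.0/22"]
    gap = summary_route(gap_blocks)
    print("gap summary", gap, "also claims", overclaimed(gap, gap_blocks))
```

The aligned plan gives the core three routes instead of twelve. The last lines show the caveat: summarizing 172.18.0.0/22 and 172.18.8.0/22 into 172.18.0.0/20 also claims 172.18.4.0/22 and 172.18.12.0/22, so a module placed there later would be shadowed unless the summary is re-planned.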
Diagram 2, Image
The same network diagram as in 5.2.1, Diagram 1, with the core section highlighted.

Diagram 3, Hands-on Lab

5.2.4 - Creating the Logical Network Design for the LAN
Two Diagrams

Diagram 1, Image
Image shows a diagram of a network with the following areas highlighted:
* Teams and Vendors
* Stadium
* Data Center
It also shows how the Internet connects through the ISP1 router into the firewall EdgeRouter and then into the network.

Diagram 2, Hands-on Lab

5.3 - Designing the WAN and Remote Worker Support

5.3.1 - Determining Connectivity for Remote Sites
Three Diagrams

Diagram 1, Image
Image shows how the Ticket Sales Office connects through ISP2, using a VPN via the Internet, to the Stadium network via ISP1. It also shows how the Vendor (Souvenir Shop) connects via ISP3, using DSL via the Internet, to ISP1 on the Stadium network. The diagram highlights how the FilmCompany is planned to connect to the Stadium network wirelessly via ISP4. Also highlighted is Team A Remote Office, which does not yet have a method for connecting to the stadium network.

Diagram 2, Tabular
Option: Circuit switching
Description: A dedicated circuit path is created between end points. The best example is dialup connections.
Advantages: Less expensive
Disadvantages: Call setup
Bandwidth range: 28 Kbps to 144 Kbps
Sample protocols used: PPP, ISDN

Option: Packet switching
Description: Devices transport packets via a shared single point-to-point or point-to-multipoint link across a carrier internetwork. Variable-length packets are transmitted over Permanent Virtual Circuits (PVCs) or Switched Virtual Circuits (SVCs).
Advantages: Flexible bandwidth, less expensive
Disadvantages: Shared media across the link
Bandwidth range: 56 Kbps to 45 Mbps
Sample protocols used: Frame Relay

Option: Leased line
Description: Point-to-point connection between two computers or Local Area Networks (LANs).
Advantages: Most secure
Disadvantages: Expensive
Bandwidth range: 6 Kbps to 45 Mbps
Sample protocols used: PPP, HDLC, SDLC

Option: Cell relay
Description: Similar to packet switching, but uses fixed-length cells instead of variable-length packets. Data is divided into fixed-length cells and then transported across virtual circuits.
Advantages: Best for simultaneous use of voice and data
Disadvantages: Overhead can be considerable
Bandwidth range: 1.54 Mbps to 622 Mbps
Sample protocols used: ATM

Diagram 3, Image
Network diagram showing how the Ticket Sales Office uses both DSL via the Internet and Frame Relay to connect directly to the Stadium LAN. It highlights the Vendor (Souvenir Shop) connected via Frame Relay to the Stadium LAN as well as via DSL over the Internet. It also shows the FilmCompany and Team A Remote Office both connecting via Frame Relay to the Stadium LAN. All the Frame Relay connections to the Stadium LAN are serviced by one Frame Relay connection from the EdgeRouter.

5.3.2 - Defining Traffic Patterns and Application Support
Two Diagrams

Diagram 1, Image
Network diagram showing the Ticket Sales Office connecting using DSL via the Internet and Frame Relay directly to the Edge Router of the Stadium network. Dashed arrows indicate traffic patterns from the Ticket Sales Office to the different services it uses on the Stadium network. These services are:
* File Server/Video Surveillance
* DNS
* E-Commerce Database
* Web
* IP Telephony

Diagram 2, Packet Tracer Exploration

5.3.3 - Designing VPN End-Point Connectivity Options

Diagram 1, Image
Network diagram showing how the Ticket Sales Office uses both DSL via the Internet and Frame Relay to connect directly to the Stadium LAN. It highlights the Vendor (Souvenir Shop) connected via Frame Relay to the Stadium LAN as well as via DSL over the Internet. It also shows the FilmCompany connected via Frame Relay as well as via a wireless DSL connection over the Internet. Team A Remote Office is connected via Frame Relay to the Stadium LAN as well as via DSL over the Internet. All the Frame Relay connectivity is serviced by a single connection from router Edge2. Edge1 handles the connections via the Internet.

5.3.4 - Creating the Logical Network Design for the WAN
Two Diagrams

Diagram 1, Image
Network diagram showing the Ticket Sales Office connected via a switch to router ISP2, which connects to the Internet. The Ticket Sales Office switch also connects to firewall router BR2, which connects via Frame Relay to firewall router Edge2 in the Stadium network. Firewall router Edge1 in the Stadium network connects to the Internet. Both Edge1 and Edge2 connect to the Core of the Stadium network.

Diagram 2, Packet Tracer Exploration

5.4 - Designing Wireless Networks

5.4.1 - Designing Coverage Options and Mobility
Four Diagrams

Diagram 1, Animation
A man on the third floor of a building, on a call with a wireless IP phone, enters the lift on the third floor and is disconnected while roaming. He exits the lift on the first floor, re-associates with a new AP and the call reconnects. He re-enters the lift on the first floor and is disconnected while roaming again. He exits the lift on the third floor, re-associates with a new AP and the call reconnects.
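The animation above shows a call dropping in the lift and re-associating with a different AP on each floor, and 5.4.3 lists the RSSI each client sees from its AP. The Python below is an added example, not part of the course, that models the roam decision a handset makes from such RSSI readings: roam when the current AP falls below a floor or when another AP is clearly stronger, and otherwise stay associated so that two APs of similar strength do not cause the client to flap between them. The threshold values, the AP names and the scan sequence are assumptions constructed for illustration.

```python
"""Added example: a minimal RSSI-based roam decision with hysteresis.
Thresholds are assumed design values, not figures from the course."""
from typing import Dict, List, Optional

MIN_USABLE_DBM = -75   # weaker than this and the AP cannot be associated at all
ROAM_FLOOR_DBM = -70   # current AP weaker than this forces a roam
HYSTERESIS_DB = 5      # a candidate must beat the current AP by this margin

Scan = Dict[str, int]  # AP name -> RSSI in dBm as seen by the client


def choose_ap(current: Optional[str], scan: Scan) -> Optional[str]:
    """Return the AP the client should be associated with after this scan.
    None means no usable AP: a dead spot such as the lift or a concrete ramp."""
    usable = {ap: rssi for ap, rssi in scan.items() if rssi >= MIN_USABLE_DBM}
    if not usable:
        return None
    best = max(usable, key=usable.get)
    if current is None or current not in usable:
        return best                       # (re)associate after a dead spot
    cur_rssi = usable[current]
    if cur_rssi < ROAM_FLOOR_DBM or usable[best] - cur_rssi >= HYSTERESIS_DB:
        return best                       # too weak, or a clearly better AP
    return current                        # similar strength: do not flap


def walk(scans: List[Scan]) -> List[Optional[str]]:
    """Replay a sequence of scans and return the association after each one."""
    current: Optional[str] = None
    path: List[Optional[str]] = []
    for scan in scans:
        current = choose_ap(current, scan)
        path.append(current)
    return path


def call_drops(path: List[Optional[str]]) -> int:
    """Count transitions into a dead spot; each one drops an active call."""
    return sum(1 for prev, cur in zip(path, path[1:]) if prev is not None and cur is None)


# Constructed scan sequence for the lift ride in the animation.
LIFT_RIDE: List[Scan] = [
    {"AP-3F": -50, "AP-1F": -88},   # third floor, near its AP
    {"AP-3F": -79},                 # inside the lift: nothing usable
    {"AP-1F": -55, "AP-3F": -85},   # first floor: re-associate
    {"AP-1F": -81},                 # back in the lift
    {"AP-3F": -52, "AP-1F": -86},   # third floor again
]

if __name__ == "__main__":
    path = walk(LIFT_RIDE)
    print("association per scan:", path, "| call drops:", call_drops(path))
    # Two of the 5.4.3 readings: -57 on the current AP against -53 on the
    # other is inside the hysteresis margin, so the client stays put.
    print(choose_ap("LWAP-2", {"LWAP-2": -57, "LWAP-1": -53}))
```

The design lesson is in the two knobs: a floor low enough that a handset is not forced to roam while still inside good coverage, and a margin wide enough that overlapping cells (as in the 5.4.2 floor plan) do not produce ping-pong roams. Neither setting helps in the lift, where the only fix is coverage.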
Diagram 2, Image A Cisco Aironet Lightweight Access Point access point connects to a cloud containing a switched/routed network which then connects to a Cisco wireless LAN controller which then connects to a Cisco Wireless Control System. The Cisco Wireless Control System provides Mobility Services as follows: * Enhanced Security * Voice Services * Location Services * Guest Access Lightweight Access Point Provides wireless connectivity and operate in conjunction with Cisco wireless LAN controllers. Wireless LAN Controller Standalone, integrated or modular devices that simplify the deployment and operation of wireless networks, helping to ensure smooth performance, enhanced security, and maximum network availability. Wireless Control System Allows design, control, and monitoring of enterprise wireless networks from a centralized location, simplifying operations and reducing the total cost of ownership. Security Services Unify wired and wireless security to control and contain wireless threats, enforce security policy compliance, and safeguard information. Voice Services Extend the seamless mobility of the Unified Wireless Network to enable real-time mobile voice communications. Location Services Enable the use of RF-ID for asset tracking, network management, security, and context-based applications. Guest Access Makes companies more competitive in today's anywhere, anytime business climate by providing real-time wireless Internet access to guests, vendors, and partners. Diagram 3, Image Picture of Lightweight Access Points and Wireless Controllers Diagram 4, Activity Identify the design differences between standalone APs and wireless controllers with LWAPs. Select the appropriate response for each of a series of questions. Question 1 What is an advantage of having a wireless controller design as compared to a standalone access point design? A. Easier to upgrade larger installations using centralize access point management B. 
Easier to implement for small installations using centralize access point management C. Easier to provide connectivity to the wired network D. Lease expensive wireless solution for a few users Question 2 What is an advantage of having a standalone access point design as compared to a wireless controller? A. Provides load balancing capabilities B. Provides a better solution for roaming using end-to-end VLANs C. Easier to provide connectivity to the wired network D. Least expensive wireless solution for a few users Question 3 What is an advantage of having a wireless controller design as compared to a standalone access point design? A. Reduces the chance of access point failure B. Synchronizes wireless connectivity C. Offers easier support of QoS and security levels D. Provides centralized connectivity for all wireless users 5.4.2.0 - Locating Wireless APs Two Diagrams Diagram 1, Image Diagram shows the Stadium Restaurant Floor Plan of an office showing the overlaps in service provided by: * Two centrally-located low power APs * One centrally-located high power AP * Directional APs mounted on the walls Diagram 2, Hands-on Lab 5.4.3 - Redundancy and Resiliency in a Wireless Network Two Diagrams Diagram 1, Image Image not relevant. Diagram 2, Image Network diagram shows a Cisco Wireless LAN Controller connected to a Lightweight Access Point. The access point is connected to various wireless devices with the following RSSI: * RSSI -47dBm * RSSI -55dBm * RSSI -45dBm * RSSI -50dBm The Cisco Wireless LAN Controller is connected to another Lightweight Access Point which connects to several wireless devices with the following RSSI: * RSSI -64dBm * RSSI -53dBm * RSSI -60dBm * RSSI -57dBm * RSSI -57dBm 5.4.4 - Creating the Logical Network Design for the WLAN Two Diagrams Diagram 1, Animation A man with a laptop, with the IP address 172.18.3.11. The man enters the lift on the third floor and exits the lift on the first floor. His IP address remains the same. 
He reenters the lift and returns to the third floor. His IP address does not change. Diagram 2, Activity Answer questions about the IP addressing for this wireless controller design. Select the appropriate response for each of a series of questions. Network shows VLC-1 with the IP address 192.168.4.8/24 connected to the network cloud. Host-A with the IP address 192.168.14.3/24 is connected to a multi layer switch, which is connected to the network cloud. PC2 with the IP address 92.168.14.23/24 is wirelessly connected to LWAPP-2 with the IP address 192.168.19/24, which connects to the network cloud. PC1 with the IP address 192.168.140.17/24 wirelessly connects to LWAPP-1, which connects to the network cloud. Wireless IP Phone with the IP address 192.168.188.55/24 is also wirelessly connected to LWAPP-1. Question 1 Why would PC1 and the wireless IP phone be on different subnets if they both connect wirelessly to the same AP? A. So that their wireless signals do not interfere with on another B. To provide a better solution for wireless roaming C. To isolate data traffic and voice traffic on separate networks D. To eliminate the need for VLAN E. To eliminate the need for encryption Question 2 Why would PC1 and PC2 be on the same subnet? A. To reduce the chance of collision B. Because client devices receive their IP addresses from the controller not from the AP C. Because client devices receive their IP from APs that can be configures to assign parts of the same subnet range to users D. Because on is a vendor located in the stadium and the other is a stadium employee E. Because a VLAN spans two different parts of the stadium Question 3 What IP address is appropriate for LWAPP-1? A. 192.168.1.17/24 so it can be on the same VLAN as LWAPP-2 and receive broadcasts from LWAPP-2 B. 192.168.4.11/24 so that it can receive broadcast from WLC-1 for ease of centralized management. C. 192.168.2.11/24 so that it can connect to PC1 D. 
192.168.2.11/24 f is appropriate based on the location in the network IP addressing scheme E. 192.168.1.17/24 if is appropriate base on the location in the network IP addressing scheme 5.5 - Incorporating Security 5.5.1 - Placing Security Functions and Appliances Four Diagrams Diagram 1, Image Network diagram shows the topology of the stadium LAN and its WAN connections to off-site locations. The following devices in the topology are highlighted and detail the security functions and applications they have: * AP ? Isolate Guest Wireless LAN Controller and VLANs * Host based security services including firewalls and Cisco Security agent. * Integrated Data Center protection with IDS and ACLs * Edge2 ? ISRs with IOS firewalls and IDS provide perimeter protection * Multilayer Switches with integrated firewall, IDS and VPN services. Identify and authenticate source device. Diagram 2, Image Images of switches with the following checklist: * Turn off unnecessary services * Shut down any unused ports and interfaces * Configure logging * Enable SSH and disable Telnet * Enable HTTPS for web administration * Set timeouts and ACLs for VTY, console, and AUX ports * Use strong passwords and password encryption * Security Checklist Diagram 3, Image Network diagram of the stadium LAN with the following parts labeled. * Teams and Vendors * Edge1 * Edge2 * Stadium * Data Center * Core Diagram 4, Activity Determine the appropriate place to provide security service. Drag the security measure to the appropriate pair of network devices: Edge routers connect to the Core Layer. Core layer has connections to each of the following network blocks: Teams and Vendors Stadium Data Centre Security Measure A. ACL to block Stadium accounting user from reaching e-commerce credit card database in Data Center B. IDS and firewall feature set to protect attempts from Internet to reach services on a non-supported port C. 
ACL to prevent concession vendor from going to ticketing application in Data Center D. Virus protection to protect servers from a worm infection E. Provide physical security for the infrastructure devices Places 1. Edge1 and Edge2 2. Teams and Vendors 3. Core 4. Data Center 5. Stadium 5.5.2 - Implementing Access Control Lists and Filtering Two Diagrams Diagram 1, Image A LAN cloud connected to the firewall, internet cloud connected to the firewall and a web server with the IP address 200.1.2.11 connected to the firewall. The firewall has the following rule: Firewall Rule: Deny all inbound traffic from the Internet to a Web Server except on the permitted ports. Access Control List statements: access-list 112 permit tcp any host 200.1.2.11 eq www access-list 112 permit tcp any host 200.1.2.11 eq ftp access-list 112 permit tcp any host 200.1.2.11 eq 7000 access-list 112 permit tcp any host 200.1.2.11 eq 1755 access-list 112 permit tcp any host 200.1.2.11 eq 1720 access-list 112 deny ip any host 200.1.2.11 log Diagram 2, Animation Animation shows a globe of the earth a brick wall with a small hole in it. On the other side of the brick wall is a server. The globe is firing arrows which represent traffic at the wall trying to get through to the server. The firewall has the following ACLs: * Deny all inbound traffic with network addresses matching internal-registered IP addresses * Deny all inbound traffic to server external addresses * Deny all inbound ICMP echo request traffic * Deny all inbound MS Active Directory * Deny all inbound MS SQL server ports * Deny all MS Domain Local Broadcasts * Allow web traffic from any external address to the web server * Allow traffic to FTP server * Allow traffic to SMTP server * Allow traffic to internal IMAP server 5.5.3 - Updating the Logical Network Design Documentation Three Diagrams Diagram 1, Animation A customer sitting at his workstation connected to a technician sitting at her work station via the network cloud. 
The technician says "Good Morning. My name is Jill, how can I help you?"
Customer replies "Good Morning. This is Phil from the Team A office. I can send mail, but I cannot receive email."
Technician says "Phil, how is your email client configured? POP or IMAP?"
Customer says "I picked IMAP server, since it was first on the list."
Technician replies "Let me check the security policy to see if I can identify the issue."
Customer replies "Thanks."
Technician says "According to the firewall ruleset, the IMAP port is not permitted. Since it is not in the security policy, Phil, may I talk you through setting up POP mail?"

Diagram 2, Packet Tracer Exploration

Diagram 3, Hands-on Lab

5.6 - Chapter Summary

5.6.1 - Summary
Single Diagram

Diagram 1, Slideshow
Slide 1
* Determining how to design the network to meet the business goals is a multi-step process.
* For each business goal, the designer must determine what network changes are necessary to meet the goal. Each change has technical requirements that can be addressed by elements of the network design.
* Once the design elements are determined, the designer takes into account any constraints applied by the customer and makes compromises or trade-offs as necessary.
* All design decisions are evaluated on how well they meet the four primary technical requirements of scalability, availability, security and manageability.
* Converged networks, such as the network being designed for the stadium, carry a combination of data, voice, and video traffic. Each type of traffic has unique performance requirements that require QoS to be included in the design.
* Security is the one area of network design where trade-offs should not be made. Although it may be necessary to find lower cost or less streamlined ways to provide a secure network, it is never acceptable to disregard security in order to add other network capabilities.
Slide 2
Network topology showing the different parts of the network. The core is highlighted.
* When applying constraints to the network design, consideration is made to the prioritized business goals of the customer. When trade-offs are necessary, the features that support the higher priority goals should be included, while features that support lower priority goals may be postponed.
* Design elements required at the Access Layer include: port density, VLAN strategies, physical security, power requirements, QoS classification and marking capabilities, and the support for redundant links to the Distribution Layer.
* Distribution Layer design elements include: redundant components and links, high density routing, traffic filtering, QoS mechanisms, fast convergence and traffic aggregation.
* At the Core Layer, the elements of the design include: redundant components and links, high availability features, and fast converging protocols.
Slide 3
Image showing the different types of connections available to remote sites, e.g., VPN, DSL, Frame Relay and wireless.
* Designing WAN connectivity requires evaluation of the telecommunications services available in the customer's geographic area.
* When determining the physical method for connecting the remote sites to the main stadium network, the network designer must also analyze how workers at the remote sites expect to use the network services. Traffic patterns to and from servers at the main location determine bandwidth requirements and security mechanisms.
* Because WAN connectivity may not be as reliable as LAN connectivity methods, it is important to consider implementing back-up or alternate access methods in a WAN design.
* VPNs can provide secure remote access through the Internet for remote workers and small remote office locations. This type of VPN connection is also an effective backup connectivity option.
Slide 4
Network diagram showing a Cisco Wireless Control System providing the following mobility services:
* Enhance security
* Voice services
* Location services
* Guest access
* Unified wireless network solutions that include wireless control system software offer advanced features, such as centralized management and multiple service levels for different user and client types.
* Using lightweight wireless Access Points and a wireless LAN controller in the network design provides centralized management, dynamic reconfiguration of APs, and Layer 3 roaming.
* Layer 3 roaming is supported by LWAPP-enabled Access Points and wireless controllers. Users on the wireless network are assigned IP addresses independent of the physical network where the Access Points are installed.
Slide 5
Network diagram showing firewall rule.
* The network designer must identify which data and communications are at risk and what the potential sources of attacks are. Doing this helps the designer place security services at appropriate points throughout the network design to prevent likely attacks.
* There are three main categories of security services: infrastructure protection, secure connectivity, and threat detection. Threat detection includes defense and mitigation.
* Wherever possible, the design should use integrated services, such as IOS-based firewall features and intrusion detection system (IDS) modules, to eliminate the need for additional security devices.
* When designing firewall rule sets and access control lists, the general policy is to deny all traffic that is either not specifically authorized or is not in response to a permitted inquiry.

5.7 - Chapter Quiz

5.7.1.0 - Quiz
Single Diagram

Diagram 1, Quiz
1. What three multilayer switch features support the network design goal of availability? (Choose three.)
* In-band and out-of-band management
* Efficient load balancing of routed traffic
* Software-based packet forwarding or prioritized traffic with QoS
* Redundant power supplies and fans
* Route summarization that reduces the impact of a lower level device failure
* Security features preventing unauthorized or unwanted network traffic
2. A network administrator would like to improve transactional processing time as well as voice and video quality. What three things can be done to help achieve these goals? (Choose three.)
* Reduce traffic and network broadcasts
* Construction of VLANs for different traffic types
* Remove high speed storage and content servers
* Implement QoS on the network
* Increase traffic filtering
* Lengthen the end-point of traffic
3. How should the information gathered during risk assessment be used to support the network design?
* To help identify unknown traffic
* To establish firewall rule sets
* To determine redundancy requirements
* To isolate and identify a security attack
4. Drag the design requirement on the left to the associated design layer on the right.
Right
* 24x7 availability
* Aggregate traffic
* Create VLANs
* High-speed connectivity to Distribution Layer switches
* QoS classification
* Traffic filtering
Left
* Access
* Access
* Core
* Core
* Distribution
* Distribution
5. A network administrator has been asked to provide a report on any measures taken to ensure full availability at the Core Layer of an enterprise network. If the network has been configured correctly, which three options will the administrator be able to include as part of the report? (Choose three.)
* Redundant link between the Core and Distribution Layers
* Backup power supply and functioning air conditioning system
* EIGRP routing protocols
* Access control lists
* Switch port security
* QoS mechanisms
6. Which design implementation eliminated the need to create a single end-to-end VLAN for wireless roaming?
* Using a lightweight access point solution with wireless LAN controllers
* Configuring each standalone access point with a different VLAN address
* Putting all of the standalone access points in the same IP subnet
* Configuring all of the access points to use the same channel
7. A local bookstore manager asks one of his employees, who is studying networking, to implement a wireless network to provide connectivity to the Internet for customers and employees. The wireless network should be able to function even if an AP fails, because other competitors nearby also offer this service. The bookstore owner is planning to expand into another area of their current building and wants to be able to install additional APs easily. The bookstore staff do not have a lot of technical expertise, so they want the configuration of the security parameters to be automatic on all the wireless APs. The networking student recommends the following:
1. Install a twelve port Layer 2 switch and attach two wireless access points to the switch in the same VLAN, but on different channels.
2. Train the staff to install the APs using the default security settings.
Which statement best describes how the recommendation supports the goals of the bookstore?
* The recommendation meets all of the technical goals of the customer
* The recommendation does not meet the goal of scalability
* The recommendation does not meet the goal of availability
* The recommendation does not meet the goal of security
* The recommendation does not meet the goal of manageability
8. A large company requires its external workers to have internal access to the information stored on the company server. What method provides secure tunneling through the Internet?
* Virtual private network
* Public wireless access point
* Intrusion detection system
* SSH protocol
9. In which circumstances would a point-to-point T1 connection be preferred over Frame Relay?
* Cost concerns are the highest priority
* QoS is the highest priority
* Only data traffic uses the connection
* Connectivity to multiple sites over the same physical connection is required
10. Refer to the exhibit. Where would the network administrator place a standard ACL to prevent the users in the 10.10.10.0/24 subnet from accessing the server in the 10.10.20.0/24 subnet?
Exhibit: A user is connected to a switch with the IP address 10.10.10.0/24. The switch is connected to Fa0/0 of router RTR1. RTR1 is connected via s0/0 to the s0/0 port of router RTR2. RTR2 is connected to the Internet as well as to a switch via Fa0/0. That switch is connected to a server with the IP address 10.10.20.0/24.
* Router RTR1 interface, inbound
* Router RTR1, s0/0 interface, outbound
* Router RTR2, s0/0 interface, inbound
* Router RTR2, F0/0 interface, outbound
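Returning to the firewall rule in 5.5.2 and the help-desk exchange in 5.5.3: the six access-list 112 statements are evaluated top to bottom, the first matching line wins, and anything that matches no line hits the implicit deny at the end of every IOS ACL. The following Python script is an added example, not part of the course material or any Cisco tool. It parses the ACL exactly as printed on the page and evaluates constructed sample flows against it, including the IMAP connection Phil's client attempts in 5.5.3. The client address 203.0.113.5, the port-name table and the sample flows are assumptions made for illustration.

```python
# Added example (not from the course text): evaluate the extended ACL shown in
# 5.5.2 against sample flows to see which traffic reaches host 200.1.2.11.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Service names IOS accepts after "eq"; the page's ACL uses www and ftp.
# (Assumed subset for this example.)
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "pop3": 110, "imap": 143}

# The six statements exactly as they appear in Diagram 1 of 5.5.2.
ACL_112 = """
access-list 112 permit tcp any host 200.1.2.11 eq www
access-list 112 permit tcp any host 200.1.2.11 eq ftp
access-list 112 permit tcp any host 200.1.2.11 eq 7000
access-list 112 permit tcp any host 200.1.2.11 eq 1755
access-list 112 permit tcp any host 200.1.2.11 eq 1720
access-list 112 deny ip any host 200.1.2.11 log
"""


@dataclass(frozen=True)
class Ace:
    """One access control entry (one access-list line)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port
    log: bool = False


def _address(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (an IOS wildcard) in place of a prefix length.
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn numbered access-list lines into an ordered list of Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        src, i = _address(tok, 4)
        dst, i = _address(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        log = i < len(tok) and tok[i] == "log"
        aces.append(Ace(action, proto, src, dst, dport, log))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit deny.

    Returns (action, index_of_matching_ace, logged). The index is None when
    the packet fell through to the implicit deny, which IOS never logs.
    """
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ip_address(src) not in ace.src or ip_address(dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx, ace.log
    return "deny", None, False


if __name__ == "__main__":
    acl = parse_acl(ACL_112)
    # Constructed sample flows; 203.0.113.5 stands in for an Internet client.
    samples = [
        ("browser to web server", "tcp", "203.0.113.5", "200.1.2.11", 80),
        ("FTP control channel", "tcp", "203.0.113.5", "200.1.2.11", 21),
        ("H.323 call setup", "tcp", "203.0.113.5", "200.1.2.11", 1720),
        ("Phil's IMAP client (5.5.3)", "tcp", "203.0.113.5", "200.1.2.11", 143),
        ("UDP probe to port 80", "udp", "203.0.113.5", "200.1.2.11", 80),
        ("web to an unlisted host", "tcp", "203.0.113.5", "200.1.2.12", 80),
    ]
    for label, *flow in samples:
        print(f"{label:28} -> {evaluate(acl, *flow)}")
```

Two points the output makes visible. First, the explicit deny-with-log line is what lets Jill answer Phil in 5.5.3: a TCP connection to port 143 matches no permit line, falls to the explicit deny, and leaves a log entry naming the blocked port, whereas traffic that fell to the implicit deny (the flow to 200.1.2.12 above) would leave no trace at all. Second, the list permits only the FTP control channel on port 21; passive-mode FTP data connections arrive on ephemeral ports and are denied, which is why the summary in 5.6 favours the stateful IOS firewall feature set on the edge ISRs over a bare ACL for this kind of service.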