Chapter 4 - NETWORK DESIGN - Logical Network Design


UPL NET - DESIGN

2015-2016

NETWORK ENGINEERING

NET - DESIGN
SYSTEMS ANALYSIS

NOTES WRITTEN OR COMPILED by Bertin Polombwe

Version 1.0 – 2015/2016

Chapter 3
Logical Network Design
Network Topology
Addressing and Naming
Switching and Routing Protocols
Network Security Strategies
Management Strategies

1. Designing a Network Topology

Copyright 2010 Cisco Press & Priscilla Oppenheimer
Network Topology Design Themes

Hierarchy (opposite to flat or mesh network)
• Core layer
• Distribution layer
• Access layer
Redundancy
Modularity
Well-defined entries and exits
Protected areas
Why Use a Hierarchical Model?

Reduces workload on network devices
–Avoids devices having to communicate with too many other devices (reduces “CPU adjacencies”)
–Constrains broadcast domains
Minimizes costs: only buy the devices appropriate for each layer
Makes changes easy and cheap
Good for modularity and scalability
Hierarchical Network Design

[Figure: the core layer is the enterprise WAN backbone joining Campus A, Campus B and Campus C; the distribution layer is the Campus C backbone; the access layer contains Building C-1 and Building C-2.]
Cisco’s Hierarchical Design Model

A core layer of high-end routers and switches that are optimized for availability and speed
A distribution layer of routers and switches that implement policies and segment traffic
An access layer that connects users via hubs, switches, and other devices
Utilize the Hierarchical Design Model to Develop a Cost-Effective Network Design

Access Layer requirements:
Connectivity for existing devices and new devices
VLANs to separate voice, security, wireless, and normal data services
Redundancy
QoS

Distribution layer requirements:
Redundant components and links
High-density routing
Traffic filtering
QoS implementation
High-bandwidth connectivity
Fast convergence
Route summarization

Core Layer requirements:
High-speed connectivity
Routed interconnections
High-speed redundant links
Flat Versus Hierarchy

[Figure: Flat Loop Topology: Headquarters in Medford, Grants Pass Branch Office, Klamath Falls Branch Office and Ashland Branch Office joined in a single loop. Hierarchical Redundant Topology: Headquarters in Medford with Grants Pass, Klamath Falls, Ashland and White City Branch Offices below it.]

Mesh Designs

[Figure: Partial-Mesh Topology beside Full-Mesh Topology.]

A Partial-Mesh Hierarchical Design

[Figure: Headquarters (Core Layer) at the top, Regional Offices (Distribution Layer) in the middle, Branch Offices (Access Layer) at the bottom.]

A Hub-and-Spoke Hierarchical Topology for a Small Company

[Figure: Corporate Headquarters as the hub, with a Branch Office, a Home Office and a second Branch Office as spokes.]
Avoid Chains and Backdoors

Chain: an extra layer
Back door: a connection between devices in the same layer; it causes unexpected routing and switching problems

[Figure: Core Layer, Distribution Layer and Access Layer, with a Backdoor link between two devices of the same layer and a Chain added as an extra layer.]
Campus Topology Design

Use a hierarchical, modular approach
Minimize the size of bandwidth domains
Minimize the size of broadcast domains
Provide redundancy
A Simple Campus Redundant Design

[Figure: Host A on LAN X; Switch 1 and Switch 2 both connect LAN X to LAN Y; Host B on LAN Y.]

Bridges and Switches use Spanning-Tree Protocol (STP) to Avoid Loops

[Figure: the same topology, with one of the two redundant paths blocked by STP (marked X) so that a single active path joins LAN X and LAN Y.]
VIRTUAL LANS (VLANS)
VLANs versus Real LANs

[Figure: Switch A with Station A1, Station A2 and Station A3 (Network A); Switch B with Station B1, Station B2 and Station B3 (Network B).]

Two switches that are not connected to each other in any way. When Station A1 sends a broadcast, Station A2 and Station A3 receive the broadcast, but none of the stations in Network B receive the broadcast.
A Switch with VLANs

[Figure: a single switch with Station A1, A2 and A3 in VLAN A and Station B1, B2 and B3 in VLAN B.]

Through the configuration of the switch there are now two virtual LANs implemented in a single switch. The broadcast, multicast, and unknown-destination traffic originating with any member of VLAN A is forwarded to all other members of VLAN A, and not to a member of VLAN B. VLAN A has the same properties as a physically separate LAN bounded by routers.
VLANs Span Switches

[Figure: Switch A and Switch B; Stations A1 to A6 belong to VLAN A and Stations B1 to B6 to VLAN B, with members of each VLAN on both switches.]

VLANs can span multiple switches.
Incorporate Wireless Connectivity into the LAN Design

Factors influencing availability in a wireless network:
Location of the AP
Signal strength of the AP
Number of users
Dynamic reconfiguration
Centralization
WLANs and VLANs

A wireless LAN (WLAN) is often implemented as a VLAN
The WLAN should be a separate subnet
Users remain in the same VLAN and IP subnet as they roam, so there is no need to change addressing information
This also makes it easier to set up filters (access control lists, ACLs) to protect the wired network from wireless users
Security Topologies

[Figure: the Enterprise Network, a DMZ holding the Web, File, DNS and Mail Servers, and the Internet.]
DMZ

DMZ (demilitarized zone): a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
In a computer network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, web and Domain Name System (DNS) servers.
Security Topologies

Firewall: boundary between two or more networks

[Figure: the Internet, a Firewall, the DMZ with the Web, File, DNS and Mail Servers, and the Enterprise Network.]
Firewall

A firewall can be either software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether each packet should be allowed through or not, based on a predetermined rule set.
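A first-match packet filter for the three zones of the DMZ slides (Internet, DMZ, enterprise network), together with a design check that the rule set never lets the Internet or the DMZ initiate connections into the enterprise network. This is an added example, not from the notes; the zone names, ports and rules are constructed.

```python
"""First-match packet-filter evaluation for the DMZ topology, plus a check
that the rule set keeps untrusted zones out of the enterprise network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src_zone: str       # zone name, or "any"
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    ports: frozenset    # destination ports; empty means every port

    def matches(self, pkt):
        return (self.src_zone in ("any", pkt.src_zone)
                and self.dst_zone in ("any", pkt.dst_zone)
                and self.proto in ("any", pkt.proto)
                and (not self.ports or pkt.dst_port in self.ports))


# Constructed rule set for the three zones of the DMZ slides (not from the
# notes). Rules are evaluated top to bottom; the first match decides.
DMZ_RULES = [
    Rule("allow", "internet", "dmz", "tcp", frozenset({80, 443})),   # web servers
    Rule("allow", "internet", "dmz", "tcp", frozenset({25})),        # mail server
    Rule("allow", "internet", "dmz", "udp", frozenset({53})),        # DNS server
    Rule("allow", "enterprise", "dmz", "any", frozenset()),
    Rule("allow", "enterprise", "internet", "any", frozenset()),
    Rule("deny", "dmz", "enterprise", "any", frozenset()),   # a compromised DMZ host must not reach inside
    Rule("deny", "any", "any", "any", frozenset()),          # explicit default deny
]

# Flows the design forbids: the Internet may only reach the DMZ, and the DMZ
# must not initiate connections into the enterprise network.
FORBIDDEN_FLOWS = (("internet", "enterprise"), ("dmz", "enterprise"))


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); -1 means implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1


def policy_violations(rules, forbidden=FORBIDDEN_FLOWS):
    """Find allow rules that let a forbidden flow through on any port.

    Walks the rules in order per (source, destination, protocol), tracking
    which ports an earlier rule has already decided, so a deny placed above
    an allow correctly shadows it. Returns (src, dst, proto, rule index) tuples.
    """
    found = []
    for src, dst in forbidden:
        for proto in ("tcp", "udp"):
            decided = set()
            for i, rule in enumerate(rules):
                if (rule.src_zone not in ("any", src) or rule.dst_zone not in ("any", dst)
                        or rule.proto not in ("any", proto)):
                    continue
                if not rule.ports:                    # catch-all: settles every port left
                    if rule.action == "allow":
                        found.append((src, dst, proto, i))
                    break
                if rule.action == "allow" and rule.ports - decided:
                    found.append((src, dst, proto, i))
                decided |= rule.ports
    return found


# The same rule set with one careless addition: a database port opened from the
# DMZ into the enterprise network ahead of the deny.
WEAK_RULES = DMZ_RULES[:5] + [Rule("allow", "dmz", "enterprise", "tcp", frozenset({3306}))] + DMZ_RULES[5:]
```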
Summary

Use a systematic, top-down approach
Plan the logical design before the physical design
Topology design should feature hierarchy, redundancy, modularity, and security

Review Questions

Why are hierarchy and modularity important for network designs?
What are the three layers of Cisco’s hierarchical network design?
What are the major components of Cisco’s enterprise composite network model?
What are the advantages and disadvantages of the various options for multihoming an Internet connection?
2. Designing Models for Addressing and Naming
Guidelines for Addressing and Naming

Use a structured model for addressing and naming
Assign addresses and names hierarchically
Decide in advance

Advantages of Structured Models for Addressing & Naming

It makes it easier to
–Read network maps
–Operate network management software
–Recognize devices in protocol analyzer traces
–Meet goals for usability
–Design filters on firewalls and routers
–Implement route summarization
Public IP Addresses

Managed by the Internet Assigned Numbers Authority (IANA)
Users are assigned IP addresses by Internet Service Providers (ISPs)
ISPs obtain allocations of IP addresses from their appropriate Regional Internet Registry (RIR)
A public address is essential for a web server or other servers that external users access, but not necessary for all internal hosts and networks; a private address is fine there
Addressing for internal hosts that need access to outside services can be handled by a NAT (Network Address Translation) gateway
Regional Internet Registries (RIR)

American Registry for Internet Numbers (ARIN) serves North America and parts of the Caribbean.
RIPE Network Coordination Centre (RIPE NCC) serves Europe, the Middle East, and Central Asia.
Asia-Pacific Network Information Centre (APNIC) serves Asia and the Pacific region.
Latin American and Caribbean Internet Addresses Registry (LACNIC) serves Latin America and parts of the Caribbean.
African Network Information Centre (AfriNIC) serves Africa.
Private Addressing

Addresses that an enterprise network administrator assigns to internal networks and hosts without any coordination with an ISP or RIR:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255

Advantages:
–Security. Private network numbers are not advertised.
–Flexibility. Easy to change to a new ISP.
–Saves IP address resources.
The Two Parts of an IP Address

[Figure: a 32-bit address divided into a Prefix part and a Host part; the prefix length gives the position of the boundary.]
Designing Networks with Subnets

Determining subnet size
Computing subnet mask
Computing IP addresses

Subnets

Subnetting is the process of dividing a network into several smaller networks.
Within a subnet, all the hosts have the same network ID in their IP addresses.
With subnets, a physical network can be divided into logical units.
The hosts in each unit can communicate directly with each other and use the same router to communicate with the hosts in the other subnets.
Local broadcasting is limited to the subnet.

Reasons for Using Subnets

To efficiently use IP addresses
To reduce the number of collisions
To reduce broadcast traffic
To strengthen network security control
To implement the network structure at the site, building, department, and office levels
To reduce the cost of paying the ISP for public IP addresses
Subnet Masks

A subnet mask is a 32-bit binary string used to determine which part of an IP address is used as the network ID.

Binary Subnet Mask                     Decimal Subnet Mask
11111111 00000000 00000000 00000000    255.0.0.0
11111111 11111111 00000000 00000000    255.255.0.0
11111111 11111111 11111111 00000000    255.255.255.0
11111111 11111111 11100000 00000000    255.255.224.0
11111111 11111111 11111111 11110000    255.255.255.240

The leftmost bits in a subnet mask must be a sequence of consecutive 1s and the rightmost bits must be consecutive 0s. Invalid masks are listed below.

Binary                                 Decimal
11111111 00000101 00000000 00000000    255.5.0.0
11111111 11111100 11111111 00000000    255.252.255.0
10000000 11111111 11111111 00000000    128.255.255.0
11111111 11111111 11111111 11110001    255.255.255.241
Addresses to Avoid When Subnetting

A node address of all ones (broadcast)
A node address of all zeros (network)
A subnet address of all ones (all subnets)
A subnet address of all zeros (confusing)
Classful IP Addressing

Class   First Few Bits   First Byte   Prefix Length   Intent
A       0                1-126*       8               Very large networks
B       10               128-191      16              Large networks
C       110              192-223      24              Small networks
D       1110             224-239      NA              IP multicast
E       1111             240-255      NA              Experimental

*Addresses starting with 127 are reserved for IP traffic local to a host.
Division of the Classful Address Space

Class   Prefix Length   Number of Addresses per Network
A       8               2^24 - 2 = 16,777,214
B       16              2^16 - 2 = 65,534
C       24              2^8 - 2 = 254
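The mask, node-address and host-count rules of the last few slides carried out in code, as an added example that is not part of the notes: it rejects masks whose 1 bits are not contiguous, computes the network and broadcast node addresses to avoid, returns the 2^n - 2 hosts per network of the classful table, and classifies addresses by class and by membership in the private blocks. The sample addresses it is run on are constructed.

```python
"""Subnet-mask validation and subnet arithmetic with plain bit operations."""

# The three private blocks from the Private Addressing slide, as (base, prefix length).
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def dotted_to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 address: %r" % dotted)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | n
    return value


def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix_len(mask):
    """Prefix length of a valid mask (255.255.224.0 -> 19); ValueError otherwise.

    A valid mask is a run of 1 bits followed only by 0 bits, so it must equal
    the canonical mask with the same number of 1 bits. 255.5.0.0 and
    128.255.255.0 have 0 bits to the left of 1 bits and are rejected.
    """
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    canonical = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if m != canonical:
        raise ValueError("invalid subnet mask %s: 1 bits are not contiguous" % mask)
    return ones


def is_valid_mask(mask):
    """Boolean wrapper around mask_to_prefix_len."""
    try:
        mask_to_prefix_len(mask)
        return True
    except ValueError:
        return False


def usable_hosts(prefix_len):
    """Host addresses per network, leaving out the all-zeros (network) and
    all-ones (broadcast) node addresses, as the classful table does:
    /8 -> 2**24 - 2 = 16,777,214, /24 -> 2**8 - 2 = 254."""
    return max(0, 2 ** (32 - prefix_len) - 2)


def subnet_info(address, mask):
    """Network, broadcast and usable host range for an address and mask."""
    prefix_len = mask_to_prefix_len(mask)
    m = dotted_to_int(mask)
    network = dotted_to_int(address) & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {
        "prefix_len": prefix_len,
        "network": int_to_dotted(network),        # node address all zeros: avoid
        "broadcast": int_to_dotted(broadcast),    # node address all ones: avoid
        "first_host": int_to_dotted(network + 1),
        "last_host": int_to_dotted(broadcast - 1),
        "usable_hosts": usable_hosts(prefix_len),
    }


def address_class(address):
    """Classful category from the leading bits of the first byte."""
    first = dotted_to_int(address) >> 24
    if first == 127:
        return "loopback"  # reserved for IP traffic local to a host
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def is_private(address):
    """True if the address lies in one of the three private blocks."""
    a = dotted_to_int(address)
    for base, plen in PRIVATE_BLOCKS:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if a & mask == dotted_to_int(base):
            return True
    return False
```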
Classful IP is Wasteful

Class A uses 50% of the address space
Class B uses 25% of the address space
Class C uses 12.5% of the address space
Classes D and E use 12.5% of the address space

Classless Addressing

Prefix/host boundary can be anywhere
Less wasteful
Supports route summarization (aggregation)
–Also known as
 –Aggregation
 –Supernetting
 –Classless routing
 –Classless inter-domain routing (CIDR)
 –Prefix routing
Supernetting

[Figure: Branch-Office Networks 172.16.0.0, 172.17.0.0, 172.18.0.0 and 172.19.0.0 behind a Branch-Office Router that connects to the Enterprise Core Network.]

Move the prefix boundary to the left
The branch office advertises 172.16.0.0/14
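Supernetting as the slide describes it, moving the prefix boundary left until one prefix covers the four branch-office /16 networks, plus the longest-prefix-match lookup (with a default route) that the enterprise core would perform against the resulting summary. Added example, not from the notes; the next-hop names and the extra /24 server-farm route are assumed. It also refuses a summary that covers address space not in the list, a check the slide does not discuss.

```python
"""Route summarization (supernetting) and longest-prefix-match lookup."""
import ipaddress


def summarize(prefixes):
    """Move the prefix boundary left until one prefix covers every network.

    Returns (summary, exact). exact is False when the summary also covers
    address space that is not in the list, which a router should not
    advertise because it would attract traffic for networks it cannot reach.
    Prefixes must not overlap one another.
    """
    nets = sorted(set(ipaddress.ip_network(p) for p in prefixes))
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError("overlapping prefixes: %s and %s" % (a, b))
    first = int(nets[0].network_address)
    candidate = nets[0]
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = ipaddress.ip_network((first, plen), strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            break
    covered = sum(n.num_addresses for n in nets)
    return candidate, covered == candidate.num_addresses


class RoutingTable:
    """Minimal forwarding table: the longest matching prefix wins, and a
    0.0.0.0/0 entry acts as the default route ("just send it to Router X")."""

    def __init__(self):
        self.routes = []  # (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, destination):
        addr = ipaddress.ip_address(destination)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return None if best is None else best[1]


# The four /16 networks of the slide; the branch-office router owns them all.
BRANCH_NETWORKS = ["172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16"]


def core_table():
    """Enterprise core table holding only the branch summary, one assumed
    more-specific route for a server farm, and a default route towards the
    Internet router (next-hop names are constructed)."""
    summary, exact = summarize(BRANCH_NETWORKS)
    assert exact, "refuse to install a summary that overshoots the owned space"
    table = RoutingTable()
    table.add(str(summary), "branch-office-router")
    table.add("172.16.5.0/24", "server-farm-switch")   # assumed more specific route
    table.add("0.0.0.0/0", "internet-router")
    return table
```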
Guidelines for Assigning Names

Names should be
–Short
–Meaningful
–Clear
–Distinct
–Case insensitive
Avoid names with unusual characters
–Hyphens, underscores, asterisks, and so on

Domain Name System (DNS)

Maps names to IP addresses
Supports hierarchical naming
–example: eent3.lsbu.ac.uk
A DNS server has a database of resource records (RRs) that maps names to addresses in the server’s “zone of authority”
Client queries server
–Uses UDP port 53 for name queries and replies
–Uses TCP port 53 for zone transfers
Describe IPv6 Implementations and IPv6 to IPv4 Interactions

Enhancements available with IPv6:
Mobility and security
Simpler header
Address formatting

Summary

Use a systematic, structured, top-down approach to addressing and naming
Assign addresses in a hierarchical fashion
Distribute authority for addressing and naming where appropriate
IPv6 looms in our future

Review Questions

Why is it important to use a structured model for addressing and naming?
When is it appropriate to use IP private addressing versus public addressing?
When is it appropriate to use static versus dynamic addressing?
What are some approaches to upgrading to IPv6?
3. Selecting Switching and Routing Protocols
Switching and Routing Choices

Switching
–Layer 2 transparent bridging (switching)
–Multilayer switching
–Spanning Tree Protocol enhancements
–VLAN technologies
Routing
–Static or dynamic
–Distance-vector and link-state protocols
–Interior and exterior
–Etc.

Selection Criteria for Switching and Routing Protocols

Network traffic characteristics
Bandwidth, memory, and CPU usage
The number of peers supported
The capability to adapt to changes quickly
Support for authentication

Example Decision Table
Transparent Bridging (Switching) Tasks

Forward frames transparently
Learn the location of devices from the source address in each frame
The bridge develops a switch/bridge table, also called the MAC address table or Content Addressable Memory (CAM) table
Floods unknown-destination and broadcast frames
Layer 1 and 2 device (physical addresses); does not look at the IP address
Store-and-forward device: receives a complete frame, determines the outgoing port, calculates the CRC, then transmits the frame when the port is free

Switching Table on a Bridge or Switch
Protocols for Transporting VLAN Information

Switches need a method to make sure intra-VLAN traffic goes to the correct interfaces.
IEEE 802.1Q
VLAN Trunk Protocol (VTP)
–VLAN management protocol

[Figure: Switch A and Switch B with Stations A1 to A6 in VLAN A and Stations B1 to B6 in VLAN B spread across both switches.]
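A learning switch that performs the bridging tasks listed above (learn source addresses into a CAM table, flood unknown and broadcast frames, check the CRC before forwarding) and confines flooding to a VLAN, reproducing the "A Switch with VLANs" slide where a broadcast from Station A1 reaches A2 and A3 but no station in VLAN B. Added example, not from the notes; the MAC addresses, ports and VLAN assignment are constructed and a CRC-32 stands in for the Ethernet FCS.

```python
"""A transparent (learning) switch with VLAN-scoped forwarding."""
import zlib
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes
    fcs: int  # frame check sequence computed by the sender


def make_frame(src, dst, payload):
    """Build a frame with a CRC-32 standing in for the Ethernet FCS."""
    return Frame(src, dst, payload, zlib.crc32(payload))


class Switch:
    """Store-and-forward switch: port_vlans maps each port to its access VLAN."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)
        self.cam = {}      # (vlan, mac) -> port: the MAC address / CAM table
        self.dropped = 0   # frames discarded because the CRC did not match

    def receive(self, in_port, frame):
        """Process one frame; returns the sorted list of egress ports."""
        if zlib.crc32(frame.payload) != frame.fcs:
            self.dropped += 1        # store-and-forward: a damaged frame is not relayed
            return []
        vlan = self.port_vlans[in_port]
        self.cam[(vlan, frame.src)] = in_port   # learn where the source lives
        out_port = self.cam.get((vlan, frame.dst))
        if frame.dst == BROADCAST or out_port is None:
            # Broadcast or unknown destination: flood, but only inside this VLAN,
            # so the VLAN is the broadcast domain, as a separate physical LAN would be.
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        if out_port == in_port:
            return []                # destination is on the ingress segment: filter
        return [out_port]


def demo():
    """Replays the VLAN slides: stations A1..A3 on ports 1..3 (VLAN A) and
    B1..B3 on ports 4..6 (VLAN B) of one switch. MAC addresses are constructed."""
    sw = Switch({1: "A", 2: "A", 3: "A", 4: "B", 5: "B", 6: "B"})
    a1, a2, b1 = "00:00:00:00:00:a1", "00:00:00:00:00:a2", "00:00:00:00:00:b1"
    results = {}
    results["A1 broadcast"] = sw.receive(1, make_frame(a1, BROADCAST, b"arp who-has"))
    results["A2 to A1"] = sw.receive(2, make_frame(a2, a1, b"reply"))
    results["A1 to B1"] = sw.receive(1, make_frame(a1, b1, b"cross-vlan"))
    bad = make_frame(a2, a1, b"corrupted")
    bad.payload = b"corrupt3d"           # bit error on the wire: FCS no longer matches
    results["damaged"] = sw.receive(2, bad)
    results["dropped"] = sw.dropped
    return results
```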
Routing vs. Bridging and Switching

Routing operates at the Network Layer of the OSI model. Bridging and switching occur at the Data Link Layer.
Selecting Routing Protocols

A routing protocol lets a router dynamically learn how to reach other networks and exchange this information with other routers.
They all have the same general goal:
–To share network reachability information among routers
They differ in many ways:
–Interior versus exterior
–Metrics supported
–Dynamic versus static and default
–Distance-vector versus link-state
–Classful versus classless
–Scalability
Interior Versus Exterior Routing Protocols

Interior routing protocols are used within one organization. The current lead Interior Routing Protocol is OSPF. Other Interior Protocols include IS-IS, RIP, and EIGRP.
Exterior routing protocols are used between organizations. The current lead Exterior Gateway Protocol is BGP. The current revision of BGP is BGP4. There are no other Exterior Gateway Routing protocols in current competition with BGP4.

Routing Protocol Metrics

Metric: the determining factor used by a routing algorithm to decide which route to a network is better than another
Examples of metrics:
–Bandwidth - capacity
–Delay - time
–Load - amount of network traffic
–Reliability - error rate
–Hop count - number of routers that a packet must travel through before reaching the destination network
–Cost - arbitrary value defined by the protocol or administrator

Routing Algorithms

Static routing
–Calculated beforehand, offline
Default routing
–“If I don’t recognize the destination, just send the packet to Router X”
Cisco’s On-Demand Routing
–Routing for stub networks
–Uses Cisco Discovery Protocol (CDP)
Dynamic routing protocol
–Distance-vector algorithms
–Link-state algorithms

Distance-Vector Vs. Link-State

Distance-vector algorithms keep a list of networks, with next hop and distance (metric) information
Link-state algorithms keep a database of routers and links between them
–Link-state algorithms think of the internetwork as a graph instead of a list
–When changes occur, link-state algorithms apply Dijkstra’s shortest-path algorithm to find the shortest path between any two nodes
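Both algorithm families of the slide run on one small constructed topology: link-state holds the whole graph and runs Dijkstra, distance-vector starts from the directly connected links and relaxes against each neighbour's advertised vector until nothing changes, and the two results are compared. Added example, not from the notes; router names and link costs are assumed.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) route computation
on the same constructed topology, with a "cost" metric on each link."""
import heapq

# Constructed topology, not from the slides: undirected links and their cost.
LINKS = {
    ("R1", "R2"): 1, ("R1", "R3"): 4, ("R2", "R3"): 2,
    ("R2", "R4"): 7, ("R3", "R4"): 3, ("R4", "R5"): 1,
}


def build_graph(links):
    """Adjacency map router -> {neighbour: cost}."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def link_state_spf(graph, source):
    """Link-state: the router has the whole graph and runs Dijkstra.
    Returns {destination: (cost, next_hop)}."""
    dist = {source: 0}
    next_hop = {}
    heap = [(0, source, source)]  # (cost, node, first hop taken from source)
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node != source:
            next_hop[node] = first_hop
        for nbr, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                hop = nbr if node == source else first_hop
                heapq.heappush(heap, (new_cost, nbr, hop))
    return {d: (dist[d], next_hop[d]) for d in next_hop}


def distance_vector(graph, max_rounds=100):
    """Distance-vector: each router starts with only its directly connected
    links and, round after round, relaxes its table against each neighbour's
    advertised vector until nothing changes. Returns (tables, rounds)."""
    tables = {r: {r: (0, r)} for r in graph}
    for r, nbrs in graph.items():
        for n, cost in nbrs.items():
            tables[r][n] = (cost, n)
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        changed = False
        for r, nbrs in graph.items():
            for n, link_cost in nbrs.items():
                for dest, (n_cost, _) in list(tables[n].items()):
                    via_n = link_cost + n_cost
                    if via_n < tables[r].get(dest, (float("inf"), None))[0]:
                        tables[r][dest] = (via_n, n)
                        changed = True
        if not changed:
            break
    return {r: {d: v for d, v in t.items() if d != r} for r, t in tables.items()}, rounds


def routes_agree(links=LINKS):
    """True when both algorithms reach the same path cost for every pair."""
    graph = build_graph(links)
    dv_tables, _ = distance_vector(graph)
    for src in graph:
        ls = link_state_spf(graph, src)
        if {d: c for d, (c, _) in ls.items()} != {d: c for d, (c, _) in dv_tables[src].items()}:
            return False
    return True
```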
Choosing Between Distance-Vector and Link-State

Choose Distance-Vector                 Choose Link-State
• Simple, flat topology                • Hierarchical topology
• Hub-and-spoke topology               • More senior network administrators
• Junior network administrators        • Fast convergence is critical
• Convergence time not a big concern

Dynamic IP Routing Protocols

Distance-Vector                                        Link-State
• Routing Information Protocol (RIP) Version 1 and 2   • Open Shortest Path First (OSPF)
• Interior Gateway Routing Protocol (IGRP)             • Intermediate System-to-Intermediate System (IS-IS)
• Enhanced IGRP
• Border Gateway Protocol (BGP)
Summary

The selection of switching and routing protocols should be based on an analysis of
–Goals
–Scalability and performance characteristics of the protocols
Transparent bridging is used on modern switches
–But other choices involve enhancements to STP and protocols for transporting VLAN information
There are many types of routing protocols and many choices within each type

Review Questions

What are some options for enhancing the Spanning Tree Protocol?
What factors will help you decide whether distance-vector or link-state routing is best for your design customer?
What factors will help you select a specific routing protocol?
Why do static and default routing still play a role in many modern network designs?
4. Developing Network Security Strategies
Network Security Design

The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security

Network Assets

Hardware
Software
Applications
Data
Intellectual property
Trade secrets
Company’s reputation

Security Risks

Hacked network devices
–Data can be intercepted, analyzed, altered, or deleted
–User passwords can be compromised
–Device configurations can be changed
Reconnaissance attacks (gather information)
Denial-of-service attacks (make a computer resource unavailable to its intended users)
Security Tradeoffs

Tradeoffs must be made between security goals and other goals:
–Affordability
–Usability
–Performance
–Availability
–Manageability
Security adds to management work (user IDs, passwords) and affects network performance. Encryption can consume up to 15% of CPU power on a router, or of network throughput.
A Security Plan

High-level document that proposes what an organization is going to do to meet security requirements
Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy

A Security Policy

A security policy is a
–“Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
The policy should address
–Access, accountability, authentication, privacy, and computer technology purchasing guidelines

Security Mechanisms

Physical security
Authentication
Authorization
Accounting (Auditing)
Data encryption
Packet filters
Firewalls
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Modularizing Security Design

Security defense in depth
–Network security should be multilayered with many different techniques used to protect the network
Belt-and-suspenders approach
–Don’t get caught with your pants down

Secure all components of a modular design:
–Internet connections
–Public servers and e-commerce servers
–Remote access networks and VPNs
–Network services and network management
–Server farms
–User services
–Wireless networks

Securing Internet Connections

Physical security
Firewalls and packet filters
Audit logs, authentication, authorization
Well-defined exit and entry points
Routing protocols that support authentication
Securing Public Servers

Place servers in a DMZ that is protected via firewalls
Run a firewall on the server itself
Enable DoS protection
–Limit the number of connections per timeframe
Use reliable operating systems with the latest security patches
Maintain modularity
–The front-end Web server doesn’t also run other services (FTP services are not run on the same server as Web services, and the e-commerce database should not be on the web server)

Securing Remote-Access and Virtual Private Networks (VPN)

Physical security
Firewalls
Authentication, authorization, and auditing
Encryption
One-time passwords
Security protocols
–CHAP
–RADIUS
–IPSec

Securing Network Services

Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
Require login IDs and passwords for accessing devices
–Require extra authorization for risky configuration commands
Use SSH rather than Telnet
Change the welcome banner to be less welcoming
Securing Server Farms

Deploy network and host IDSs to monitor server subnets and individual servers
Configure filters that limit connectivity from the server in case the server is compromised
Fix known security bugs in server operating systems
Require authentication and authorization for server access and management
Limit the root password to a few people
Avoid guest accounts

Securing User Services

Specify in the security policy which applications are allowed to run on networked PCs
Require personal firewalls and antivirus software on networked PCs
–Implement written procedures that specify how the software is installed and kept current
Encourage users to log out when leaving their desks
Consider using 802.1X port-based security on switches
Securing Wireless Networks

Place wireless LANs (WLANs) in their own subnet or VLAN
–Simplifies addressing and makes it easier to configure packet filters
Require all wireless (and wired) laptops to run personal firewall and antivirus software
Disable beacons that broadcast the SSID, and require MAC address authentication
–Except in cases where the WLAN is used by visitors

WLAN Security Options

Wired Equivalent Privacy (WEP) (danger)
IEEE 802.11i
Wi-Fi Protected Access (WPA)
IEEE 802.1X Extensible Authentication Protocol (EAP)
–Lightweight EAP or LEAP (Cisco)
–Protected EAP (PEAP)
Virtual Private Networks (VPNs)
Any other acronyms we can think of? :-)

Wired Equivalent Privacy (WEP)

Defined by IEEE 802.11
Users must possess the appropriate WEP key that is also configured on the access point
–64 or 128-bit key (or passphrase)
WEP encrypts the data using the RC4 stream cipher method
Infamous for being crackable (within 30 minutes by a normal laptop)
WEP Alternatives

Vendor enhancements to WEP
Temporal Key Integrity Protocol (TKIP)
–Every frame has a new and unique WEP key
Advanced Encryption Standard (AES)
IEEE 802.11i
Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance

Extensible Authentication Protocol (EAP)

With 802.1X and EAP, devices take on one of three roles:
–The supplicant resides on the wireless LAN client
–The authenticator resides on the access point
–An authentication server resides on a RADIUS server

EAP (Continued)

An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
The credentials are passed by the authenticator to the server and a session key is developed
Periodically the client must reauthenticate to maintain network connectivity
Reauthentication generates a new, dynamic WEP key

VPN Software on Wireless Clients

Safest way to do wireless networking for corporations
Wireless client requires VPN software
Connects to VPN concentrator at HQ
Creates a tunnel for sending all traffic
VPN security provides:
–User authentication
–Strong encryption of data
–Data integrity
Summary

Use a top-down approach
–Chapter 2 talks about identifying assets and risks and developing security requirements
–Chapter 5 talks about logical design for security (secure topologies)
–Chapter 8 talks about the security plan, policy, and procedures
–Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design

Review Questions

How does a security plan differ from a security policy?
Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
What are some methods for keeping hackers from viewing and changing router and switch configuration information?
How can a network manager secure a wireless network?
5. Developing Network Management Strategies
Network Management

Helps an organization achieve availability, performance, and security goals
Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met
Facilitates scalability
–Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades

Network Management Design

Consider scalability, traffic patterns, data formats, cost/benefit tradeoffs
Determine which resources should be monitored
Determine metrics for measuring performance
Determine which and how much data to collect

Proactive Network Management

Plan to check the health of the network during normal operation, not just when there are problems
Recognize potential problems as they develop
Optimize performance
Plan upgrades appropriately

Network Management Processes

According to the ISO
Fault management
Configuration management
Accounting management
Performance management
Security management
Fault Management

Detect, isolate, diagnose, and correct problems
Report status to end users and managers
Track trends related to problems

Configuration Management

Keep track of network devices and their configurations
Maintain an inventory of network assets
Log versions of operating systems and applications

Accounting Management

Keep track of network usage by departments or individuals
Facilitate usage-based billing
Find abusers who use more resources than they should

Performance Management

Monitor end-to-end performance
Also monitor component performance (individual links and devices)
Test reachability
Measure response times
Measure traffic flow and volume
Record route changes

Security Management

Maintain and distribute user names and passwords
Generate, distribute, and store encryption keys
Analyze router, switch, and server configurations for compliance with security policies and procedures
Collect, store, and examine security audit logs

Network Management Components

A managed device is a network node that collects and stores management information
An agent is network-management software that resides in a managed device
A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents
Network Management Architecture

[Figure: an NMS above three Managed Devices, each running an Agent with its own Management Database.]
Architecture Concerns

In-band versus out-of-band monitoring
–In-band control passes control data on the same connection as main data. Out-of-band control passes control data on a separate connection from main data. In-band is easier to develop, but results in management data being impacted by network problems
Centralized versus distributed monitoring
–Centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC)

Simple Network Management Protocol (SNMP)

Most popular network management protocol
SNMPv3 should gradually supplant versions 1 and 2 because it offers better authentication
SNMP works with Management Information Bases (MIBs)

Remote Monitoring (RMON)

Developed by the IETF in the early 1990s to address shortcomings in standard MIBs
–Provides information on data link and physical layer parameters
–Nine groups of data for Ethernet
–The statistics group tracks packets, octets, packet-size distribution, broadcasts, collisions, dropped packets, fragments, CRC and alignment errors, jabbers, and undersized and oversized packets

Cisco Tools

Cisco Discovery Protocol
–With the show cdp neighbors detail command, you can display detailed information about neighboring routers and switches, including which protocols are enabled, network addresses for enabled protocols, the number and types of interfaces, the type of platform and its capabilities, and the version of Cisco IOS Software running on the neighbor.
NetFlow Accounting
–An integral part of Cisco IOS Software that collects and measures data as it enters router or switch interfaces
Summary

Determine which resources to monitor, which data about these resources to collect, and how to interpret that data
Develop processes that address performance, fault, configuration, security, and accounting management
Develop a network management architecture
Select management protocols and tools

Review Questions

Why is network management design important?
Define the five types of network management processes according to the ISO.
What are some advantages and disadvantages of using in-band network management versus out-of-band network management?
What are some advantages and disadvantages of using centralized network management versus distributed network management?